Firewall for Linux
1. SELinux
SELinux is a security mechanism specific to Red Hat/CentOS systems. Because it is so restrictive and so cumbersome to configure, almost no one really applies it, so we usually turn SELinux off to avoid unnecessary trouble. To turn it off, set "SELINUX=disabled" in the configuration file; the default value is enforcing.
# vim /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
After saving the configuration file, restart the machine for the change to take effect. The command to turn SELinux off temporarily is:
# setenforce 0
We can use the getenforce command to get the current SELinux status:
# getenforce
Disabled
On Amin's machine SELinux is already disabled. The default output is "Enforcing"; after running setenforce 0, getenforce prints "Permissive".
2. iptables
iptables is the firewall mechanism specific to Linux, and it is very powerful. Amin uses only one or two of its features in daily management work, but that does not mean iptables is unimportant. For a network administrator, mastering iptables is a must. As system administrators, we should at least know the most basic iptables operations and understand its basic rules.
CentOS ships with a default set of iptables rules. Although these rules are very safe, they are of no use to us and can get in the way, so Amin recommends clearing the rules first and then saving the cleared state:
# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 176K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    1 * ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
    3   234 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 167 packets, 16963 bytes)
 pkts bytes target     prot opt in     out     source               destination
# iptables -F; /etc/init.d/iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]
-nvL lists the rules and -F clears the current rules, but the clearing is only temporary: restarting the system or the iptables service loads the saved rules again, so you need to run /etc/init.d/iptables save to save the rules. The command output above also shows that the firewall rules are saved in /etc/sysconfig/iptables; you can view this file.
1) The three tables of iptables
filter: this table is mainly used to filter packets. It is the system's preset table and the one Amin uses the most. It has three built-in chains: INPUT, OUTPUT and FORWARD. INPUT acts on packets entering the machine; OUTPUT acts on packets sent by the machine; FORWARD acts on packets that are not related to the machine itself.
nat: this table is mainly used for network address translation and also has three chains. The PREROUTING chain changes a packet's destination address, if necessary, just as it arrives at the firewall. The OUTPUT chain changes the destination address of locally generated packets. The POSTROUTING chain changes a packet's source address just before it leaves the firewall. Amin uses this table only a little, but it does come up sometimes.
mangle: this table is mainly used to mark packets and then handle packets according to the mark. This table is hardly ever used. Unless you want to be a senior network engineer, you don't need to spend a lot of effort on it.
2) Basic iptables syntax
A. Viewing rules and clearing rules
# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
-t is followed by the table name, and -nvL lists the rules of that table: -n means IP addresses are not resolved to host names, -L means list, and -v makes the listing more detailed. If you omit -t, the filter table is printed:
# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
This is the same information that -t filter prints.
For clearing rules, the commands Amin uses the most are:
# iptables -F
# iptables -Z
Without -t, the filter table is operated on by default. -F deletes all the rules; -Z resets the packet and traffic counters to 0 (Amin finds this one useful).
B. Adding/deleting a rule
# iptables -A INPUT -s 10.72.11.12 -p tcp --sport 1234 -d 10.72.137.159 --dport 80 -j DROP
This adds a rule. It omits -t, so it applies to the filter table. -A appends a rule, -I inserts a rule and -D deletes a rule. The INPUT that follows is the chain name, which can also be OUTPUT or FORWARD. -s is followed by the source address; -p by the protocol (tcp, udp, icmp); --sport/--dport by the source port/destination port; -d by the destination IP (mainly for intranet or extranet); -j by the action (DROP discards the packet, REJECT rejects the packet, ACCEPT allows it). This may look very messy, so Amin gives a few examples to help you understand:
# iptables -I INPUT -s 1.1.1.1 -j DROP
The above example inserts a rule that discards all packets from 1.1.1.1.
# iptables -D INPUT -s 1.1.1.1 -j DROP
This deletes the rule just inserted. Note that when you delete a rule, the command must match the inserted rule: apart from -I and -D, the two iptables commands are the same everywhere else.
# iptables -I INPUT -s 2.2.2.2 -p tcp --dport 80 -j DROP
The above example discards TCP packets from 2.2.2.2 that are addressed to port 80 of the local machine. The point here is that --dport/--sport must be used together with the -p option, or there will be an error.
# iptables -I OUTPUT -p tcp --dport 22 -d 10.0.2.34 -j DROP
This rule discards packets sent to port 22 of 10.0.2.34.
Amin almost never uses the FORWARD chain, so no example is given for it. Let's summarize the functions of each option:
-A/-D: append/delete a rule;
-I: insert a rule; the effect is actually the same as -A;
-p: specifies the protocol, which can be tcp, udp or icmp;
--dport: used with -p, specifies the destination port;
--sport: used with -p, specifies the source port;
-s: specifies the source IP (which can be an IP segment);
-d: specifies the destination IP (which can be an IP segment);
-j: followed by the action, where ACCEPT allows the packet, DROP discards the packet and REJECT rejects the packet;
-i: specifies a network interface (not commonly used, but sometimes needed);
# iptables -A INPUT -s 192.168.1.0/24 -i eth0 -j ACCEPT
# iptables -nvL | grep '192.168.1.0/24'
    0     0 ACCEPT     all  --  eth0   *       192.168.1.0/24       0.0.0.0/0
In the above example, packets from the 192.168.1.0/24 segment arriving on eth0 are accepted. Sometimes a server has so many iptables rules that, when you want to delete one, it is hard to recall exactly how the rule was written when it was created. In fact, there is a simpler method:
# iptables -nvL --line-numbers
Chain INPUT (policy ACCEPT 133 packets, 9740 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  eth0   *       192.168.1.0/24       0.0.0.0/0
To delete a rule, use the following command:
# iptables -D INPUT 1
-D is followed by the chain name and then the rule number, which is the value in the first column when listing the iptables rules. Look at the rules again and the rule is gone:
# iptables -nvL --line-numbers
iptables also has a frequently used option, -P (uppercase), which sets the preset policy. It is used as follows:
# iptables -P INPUT DROP
-P is followed by the chain name and then the policy, which is either DROP or ACCEPT; the default is ACCEPT. Note: if you are connected to a remote server, do not run this command casually, because the moment you press Enter your connection will be cut.
Once this policy is set, only iptables -P INPUT ACCEPT restores the original state; the -F option does not. Next, Amin shows how to set iptables rules for a small requirement.
Requirements: for the filter table only, set the default policy of the INPUT chain to DROP and of the other two chains to ACCEPT; then open port 22 to 192.168.137.0/24, open port 80 to all network segments, and open port 21 to all network segments. This requirement is not complicated, but because there are many rules, it is best to write them as a script. The script reads as follows:
# cat /usr/local/sbin/iptables.sh
#!/bin/bash
ipt="/sbin/iptables"
# Clear the existing rules of the filter table
$ipt -F
# Default policies: drop inbound, accept outbound and forwarded
$ipt -P INPUT DROP
$ipt -P OUTPUT ACCEPT
$ipt -P FORWARD ACCEPT
# Port 22 only for 192.168.137.0/24
$ipt -A INPUT -s 192.168.137.0/24 -p tcp --dport 22 -j ACCEPT
# Ports 80 and 21 for all network segments
$ipt -A INPUT -p tcp --dport 80 -j ACCEPT
$ipt -A INPUT -p tcp --dport 21 -j ACCEPT
Once the script is written, run /bin/sh /usr/local/sbin/iptables.sh directly. If you want the firewall rules to be initialized at boot, add the line "/bin/sh /usr/local/sbin/iptables.sh" to /etc/rc.d/rc.local.
# sh /usr/local/sbin/iptables.sh
# iptables -nvL
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   20  1580 ACCEPT     tcp  --  *      *       192.168.137.0/24     0.0.0.0/0           tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:21
After running the script, review the rules: on Amin's machine the first rule has already let 20 packets through (the first column).
ICMP packets have one fairly common application:
# iptables -I INPUT -p icmp --icmp-type 8 -j DROP
The --icmp-type option must be used together with -p icmp and is followed by the type number. Type 8 here means that this machine can ping other machines, while other machines cannot ping this machine. It's worth remembering.
C. Application of NAT tables
In fact, the iptables functionality of Linux is very powerful. A teacher of Amin's once described the network capabilities of Linux like this: there is nothing it cannot do, only things you have not thought of! That is, if you can think of a network application, Linux can help you achieve it. In daily life you have surely used a router, whose function is to share an Internet connection. Originally a single network cable comes in (in fact, only one public IP); the router assigns a network segment (private IPs), so that the PCs connected to the router can reach the Internet, and remote devices see your IP as the public IP of the router. This router function is actually implemented by Linux iptables, specifically by the nat table.
As for the specific principles and processes, Amin does not elaborate; please check the relevant material. Here is an example to illustrate how iptables implements this function. Suppose your machine has two NICs, eth0 and eth1, where the eth0 IP is 10.0.2.68 and the eth1 IP is 192.168.1.1. eth0 is connected to the Internet but eth1 is not. Now there is another machine (192.168.1.2) that can communicate with eth1. How do you set things up so that this machine connected to eth1 can also reach the Internet (i.e. can communicate with 10.0.2.68)?
# echo "1" > /proc/sys/net/ipv4/ip_forward
# iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
These two simple commands achieve the above requirement. The first command writes to the kernel parameter file and turns on routing (IP forwarding); without it our application cannot work. The second command makes iptables perform an IP forwarding operation in the nat table: the -o option is followed by the device name and indicates the outgoing network card, and MASQUERADE means camouflage. Amin doesn't want to say too much about the nat table; you just have to learn this forwarding setup. Leave the rest to the network engineers; after all, you will be a Linux system engineer.
D. Saving and backing up iptables rules
As Amin mentioned above, the firewall rules we set are only kept in memory and are not saved to a file, and after the system restarts the previously set rules are gone, so rules must be saved once they are set.
# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]
The output says that the firewall rules are stored in the /etc/sysconfig/iptables file, which is the iptables configuration file. So in the future, if you are asked to back up the firewall rules, you are really just making a copy of this file.
Sometimes we need to clear all the firewall rules. The iptables -F command works, but the best way is to stop the firewall service:
# service iptables stop
iptables: Flushing firewall rules: [  OK  ]
iptables: Setting chains to policy ACCEPT: nat filter [  OK  ]
iptables: Unloading modules: [  OK  ]
This disables the firewall, but as soon as a rule is set again (even just one), the firewall service starts again automatically. Next, Amin introduces a command for backing up firewall rules:
# sh /usr/local/sbin/iptables.sh
# iptables-save > Myipt.rule
# cat Myipt.rule
# Generated by iptables-save v1.4.7 on Sat Jun  1 18:14:03 2013
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [50:4528]
-A INPUT -s 192.168.137.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
COMMIT
# Completed on Sat Jun  1 18:14:03 2013
First run the iptables script we wrote earlier, then use the iptables-save command and redirect its output to a file. To restore these rules, use the following command:
# iptables-restore < Myipt.rule
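Before restoring a backup like Myipt.rule, it helps to check what the saved file would actually allow. The script below is an added example, not part of the original article: it parses the iptables-save format shown above and reports each chain's default policy and which ACCEPT rules are open to every source. The function names (sample_ruleset, audit_ruleset, open_ports) are hypothetical, and the sample input is constructed to mirror the ruleset saved on this page.

```shell
# Added example: audit an iptables-save dump before loading it.

# Constructed sample input, mirroring the ruleset saved on this page.
sample_ruleset() {
cat <<'EOF'
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [50:4528]
-A INPUT -s 192.168.137.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
COMMIT
EOF
}

# audit_ruleset: read a dump on stdin and print one finding per line:
#   POLICY  <table> <chain> <policy>               chain default policy
#   OPEN    <table> <chain> <proto>/<port>         ACCEPT with no -s limit
#   LIMITED <table> <chain> <proto>/<port> <src>   ACCEPT restricted by -s
audit_ruleset() {
    awk '
    /^#/ || /^COMMIT/ { next }                # comments, end of table
    /^\*/ { table = substr($0, 2); next }     # "*filter" starts a table
    /^:/  { print "POLICY", table, substr($1, 2), $2; next }
    $1 == "-A" {
        chain = $2; src = ""; proto = "any"; port = "any"; target = ""
        for (i = 3; i < NF; i++) {
            if ($i == "-s")      src    = $(i + 1)
            if ($i == "-p")      proto  = $(i + 1)
            if ($i == "--dport") port   = $(i + 1)
            if ($i == "-j")      target = $(i + 1)
        }
        if (target != "ACCEPT") next
        if (src == "") print "OPEN", table, chain, proto "/" port
        else           print "LIMITED", table, chain, proto "/" port, src
    }'
}

# open_ports: only the INPUT ports reachable from any source, on one line.
open_ports() {
    audit_ruleset | awk '$1 == "OPEN" && $3 == "INPUT" {
        printf "%s%s", sep, $4; sep = " " } END { print "" }'
}

# Stand-alone run on the constructed sample.
sample_ruleset | audit_ruleset
```

To check a real backup, feed the file on stdin, for example audit_ruleset < Myipt.rule.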