The Linux firewall works in the network layer, filtering TCP/IP packets by their headers; it is a typical packet-filtering firewall (also called a network-layer firewall).
- netfilter is the packet-filtering framework implemented inside the Linux kernel; it does not exist as a separate program or file.
- iptables is the user-space management program for the Linux firewall, normally located at /sbin/iptables.

Rule tables
- filter table: used to filter packets, deciding how a packet is handled according to the rules. It contains three chains: INPUT, FORWARD, OUTPUT.
- nat table: mainly used to modify the IP address and port information of a packet. It contains three chains: PREROUTING, POSTROUTING, OUTPUT.
- mangle table: used to modify the TOS (type of service) and TTL (time to live) of a packet, or to set a mark on the packet. It contains five chains: PREROUTING, POSTROUTING, INPUT, OUTPUT, FORWARD.
- raw table: added in iptables 1.2.9; it is used mainly to decide whether a packet is subject to connection tracking. It contains two chains: OUTPUT, PREROUTING.

Rule chains
- INPUT: the rules in this chain are applied when a packet addressed to the firewall host itself is received (inbound).
- OUTPUT: the rules in this chain are applied when the firewall host itself sends packets outward (outbound).
- FORWARD: the rules in this chain are applied when a packet that must be forwarded through the firewall to another address is received.
- PREROUTING: the rules in this chain are applied before the routing decision for the packet is made.
- POSTROUTING: the rules in this chain are applied after the routing decision for the packet has been made.
Order in which the rule tables are applied: when a packet arrives at the firewall, the rules in the raw table, the mangle table, the nat table and the filter table (where the table has a matching chain) are applied in the order raw => mangle => nat => filter.

Basic syntax
- ACCEPT: allow the packet through.
- DROP: discard the packet silently, giving no response to the sender.
- REJECT: deny the packet and, where necessary, send a corresponding response to the sender.
| Option | Function |
|---|---|
| -A | Append a rule at the end of the specified chain |
| -D | Delete a rule from the specified chain |
| -I | Insert a rule into the specified chain |
| -R | Replace (modify) a rule in the specified chain |
| -L | List the rules of the specified chain; if no chain is given, all chains |
| -F | Flush (empty) the rules of the specified chain; if no chain is given, all chains |
| -P | Set the default policy of the specified chain |
| -n | Display the output in numeric form |
| -v | Display detailed (verbose) information when viewing the rule list |
| -h | Display help information |
| --line-numbers | When viewing the rule list, also show each rule's sequence number in the chain |
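As an added example (not code from the original post), the wrapper below ties the option table to the table/chain layout described above: it refuses a command whose chain does not exist in the table it is used with, and otherwise builds the iptables command line. The `DRY_RUN` variable and the `ipt` function name are assumptions introduced here; when `DRY_RUN=1` the command is printed instead of executed, so the wrapper can be tried on a machine without root or iptables.

```shell
#!/bin/sh
# Added example, not code from the original post: a small wrapper around
# iptables that checks a chain really belongs to the table it is used with
# (table/chain membership as described above) before running the command.
# DRY_RUN is an assumed variable: when set to 1 the command is printed
# instead of executed, so the wrapper can be tried without root or iptables.

# Chains that exist in each built-in table.
chains_of_table() {
    case "$1" in
        filter) echo "INPUT FORWARD OUTPUT" ;;
        nat)    echo "PREROUTING POSTROUTING OUTPUT" ;;
        mangle) echo "PREROUTING POSTROUTING INPUT OUTPUT FORWARD" ;;
        raw)    echo "PREROUTING OUTPUT" ;;
        *)      return 1 ;;
    esac
}

# Return 0 when chain $2 is in table $1, 1 otherwise.
chain_in_table() {
    for c in $(chains_of_table "$1"); do
        [ "$c" = "$2" ] && return 0
    done
    return 1
}

# ipt TABLE ACTION CHAIN [match options] -j TARGET
# ACTION is -A, -I, -D, -R, -L, -F or -P from the option table above.
ipt() {
    table=$1; action=$2; chain=$3; shift 3
    if ! chain_in_table "$table" "$chain"; then
        echo "error: chain $chain does not exist in table $table" >&2
        return 2
    fi
    cmd="iptables -t $table $action $chain $*"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$cmd"
    else
        $cmd
    fi
}

# Usage: DRY_RUN=1 sh ipt.sh prints the commands instead of running them.
if [ "${DRY_RUN:-0}" = 1 ]; then
    ipt filter -A INPUT -p tcp --dport 80 -j ACCEPT   # append at the end
    ipt filter -I INPUT -s 12.0.0.33 -p icmp -j DROP  # insert at the top
    ipt filter -L INPUT -n --line-numbers             # list with numbers
    ipt nat -A INPUT -j DROP   # refused: the nat table has no INPUT chain
fi
```

The check matters in practice because iptables reports a wrong table/chain combination only at run time; catching it before the command runs keeps a scripted rule load from stopping half way with a partially applied policy.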
Experiment: the goal is to let the client reach the web service provided by Linux 1 without allowing ping, and to implement SNAT and DNAT address translation.

Preparation: two Linux hosts, Linux 1 providing the HTTP service and Linux 2 acting as the router, plus one client.
- Linux 1 only needs the httpd service started, but its network card information must be configured correctly.
- Linux 2 acts as the router with two NICs, one configured as 192.168.100.1 and the other as 12.0.0.1.
- The client's IP address is 12.0.0.33.

Start the experiment
- For the hosts to reach one another, the gateways must of course be configured so that they can ping through.
- `# iptables -F` clears all chains.
- `# vim /etc/sysctl.conf` edits the configuration file; change `net.ipv4.ip_forward = 0` to `net.ipv4.ip_forward = 1`. This enables forwarding, so the client can reach the httpd service provided by Linux 1.
- `# iptables -A FORWARD -s 12.0.0.33 -p icmp -j DROP`
  `-A` appends at the end of the specified chain (whether to append or insert depends on the environment; here the order does not matter because there are no other rules). The chain is FORWARD (forwarded traffic); `-s 12.0.0.33` matches the source address, `-p icmp` matches the ICMP protocol, and `-j DROP` performs the drop (discard) action. Note that chain and target names are case-sensitive.
- `# cat /etc/httpd/logs/access_log` views the httpd access log:
  `12.0.0.33 - - [12/May/2018:07:59:27 +0800] "`
- `# iptables -t nat -A POSTROUTING -s 12.0.0.0/24 -o eth0 -j SNAT --to-source 192.168.100.1`
  Lets the intranet access the public network: `-t nat` specifies the nat table, `-A POSTROUTING` appends to the POSTROUTING chain (after the routing decision), `-s` selects the packet's source address, `-o eth0` selects the outgoing interface, and `-j SNAT --to-source` rewrites the source address to the external exit address.
- `# iptables -t nat -A PREROUTING -s 192.168.100.1 -i eth0 -j DNAT --to-destination 12.0.0.33`
  This is PREROUTING, applied before the packet's routing decision: packets from 192.168.100.1 arriving on eth0 have their destination address rewritten to 12.0.0.33 by `-j DNAT --to-destination`.
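The steps above collected into one script for the router host (Linux 2), as an added example that is not the original post's own code. The addresses, the client IP and the interface name eth0 are the ones the post uses; that eth0 is the interface towards 192.168.100.0/24, the root check, the `sed` edit of /etc/sysctl.conf and the use of `service iptables save` to persist the rules on RHEL 6 are assumptions made here.

```shell
#!/bin/sh
# Added example, not the original post's script: the lab rule set for the
# router host (Linux 2). Values are the post's; the interface role, the
# root check and the persistence step are assumptions.

CLIENT=12.0.0.33          # the client on the 12.0.0.0/24 side
CLIENT_NET=12.0.0.0/24
OUTSIDE_IF=eth0           # assumed: router interface towards 192.168.100.0/24
OUTSIDE_IP=192.168.100.1  # address used as the SNAT source

# Print the rule set in the order the post applies it. Kept as a function
# that only prints, so the rules can be reviewed before being applied.
lab_rules() {
    cat <<EOF
iptables -F
iptables -A FORWARD -s $CLIENT -p icmp -j DROP
iptables -t nat -A POSTROUTING -s $CLIENT_NET -o $OUTSIDE_IF -j SNAT --to-source $OUTSIDE_IP
iptables -t nat -A PREROUTING -s $OUTSIDE_IP -i $OUTSIDE_IF -j DNAT --to-destination $CLIENT
EOF
}

# Return 0 when the given sysctl file (normally
# /proc/sys/net/ipv4/ip_forward) contains 1, i.e. forwarding is on.
forwarding_enabled() {
    [ "$(cat "$1" 2>/dev/null | tr -d '[:space:]')" = 1 ]
}

# Turn forwarding on at runtime and persist it in /etc/sysctl.conf
# (the post edits the file by hand; this performs the same edit with sed).
enable_forwarding() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    if grep -q '^net.ipv4.ip_forward' /etc/sysctl.conf; then
        sed -i 's/^net.ipv4.ip_forward.*/net.ipv4.ip_forward = 1/' /etc/sysctl.conf
    else
        echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
    fi
}

# Apply everything, then show the resulting chains with rule numbers.
apply_rules() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "run as root" >&2
        return 1
    fi
    enable_forwarding
    lab_rules | while read -r line; do $line; done
    iptables -L FORWARD -n -v --line-numbers
    iptables -t nat -L -n -v --line-numbers
    service iptables save   # RHEL 6: persist to /etc/sysconfig/iptables
}

# Usage: sh lab.sh apply   (prints the rules when run without "apply")
if [ "$1" = apply ]; then
    apply_rules
else
    lab_rules
    if forwarding_enabled /proc/sys/net/ipv4/ip_forward; then
        echo "forwarding: on"
    else
        echo "forwarding: off"
    fi
fi
```

After the SNAT rule is in place, requests from the client reach httpd on Linux 1 with 192.168.100.1 as their source, so the access_log no longer shows 12.0.0.33 directly; the FORWARD rule is what makes ping from the client fail while HTTP still works, and `iptables -L FORWARD -n -v` shows its packet counter growing with each dropped echo request.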
Firewall in Linux Redhat 6.5