What is a firewall?
Firewalls can be software, such as 360, Jinshan or Kaspersky, or hardware. Using the seven-layer OSI model, firewalls can be divided into two kinds:
1. Layer-3 firewall: it only checks whether data entering as far as layer 3, and leaving from layer 3, meets the rules set in the firewall. If so, the data is allowed through; otherwise it is intercepted.
2. Layer-7 firewall: it checks data entering as far as layer 7 and leaving from layer 7. Its checks cover a wider range but consume more system resources, which is why most firewall products on the market combine the two.
How does the firewall take effect?
As we have just seen, firewalls work at layer 3 or at layer 7. For a firewall to take effect it must be placed at a specific point. For example, if your purpose is to prevent intrusion and damage, placing the firewall at a point the data has already passed through will not work, because by then your system has already been damaged. For example:
What is the firewall in Linux?
The Linux 1.0 era
ipfw: inherited from early FreeBSD, with limited functions. Its rules are defined inside the kernel, so to make a change take effect you must restart the kernel, which means restarting the OS.
Later, with Linux 2.0: software-based firewalls
ipchains: many improvements were made. You can define n rules that work together as a chain.
iptables: developed from ipchains. You can define tables built on chains, each table containing multiple chains.
Note: ipchains and iptables work in user space and are the tools with which users define rules; they are not the firewall itself, but through them the firewall function is implemented.
netfilter: the firewall in the true sense
So for the firewall to take effect, it must be placed at several special points in the TCP/IP stack. The netfilter author defined five such points; interception defined at these five points implements the firewall functions. The five points are:
INPUT (data flowing into the local host)
PREROUTING (before routing)
POSTROUTING (after routing)
FORWARD (data forwarded through the host)
OUTPUT (data flowing out of the local host)
Now that the concept of a firewall is clear, I want to look more closely at iptables. Because the usage is long, I have put it in a separate article:
Iptables detailed usage: http://blog.csdn.net/deansrk/article/details/6704170
1. Assume that a host (172.16.100.1) should allow SSH connections to itself only from the network segment 172.16.0.0/16. How can this be achieved?
Analysis:
1) Traffic arriving at the local host is best matched in the INPUT chain.
2) The replies the local host sends back are best matched in the OUTPUT chain.
iptables -t filter -A INPUT -s 172.16.0.0/16 -d 172.16.100.1 -p tcp --dport 22 -j ACCEPT
iptables -t filter -A OUTPUT -s 172.16.100.1 -d 172.16.0.0/16 -p tcp --sport 22 -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
2. Server 172.16.14.1 allows only 172.16.0.0/16 to access ports 80 and 22, does not allow 172.16.0.1 to access ports 80 and 22, and allows outbound data only on connections that are already established (this defeats a reverse-connecting trojan, which has to open a connection out of the host). The two DROP rules must come before the ACCEPT rules for the /16, because the first matching rule decides.
iptables -A INPUT -s 172.16.0.1 -p tcp --dport 22 -j DROP
iptables -A INPUT -s 172.16.0.1 -p tcp --dport 80 -j DROP
iptables -A INPUT -s 172.16.0.0/16 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 172.16.0.0/16 -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -L -n -v
Chain INPUT (policy DROP 7013 packets, 660K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *       172.16.0.1           0.0.0.0/0            tcp dpt:22
    0     0 DROP       tcp  --  *      *       172.16.0.1           0.0.0.0/0            tcp dpt:80
 2548  200K ACCEPT     tcp  --  *      *       172.16.0.0/16        0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       172.16.0.0/16        0.0.0.0/0            tcp dpt:80
    3   484 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain FORWARD (policy ACCEPT 4180 packets, 4043K bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy DROP 6381 packets, 577K bytes)
 pkts bytes target     prot opt in     out     source               destination
  556 64420 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state ESTABLISHED
3. Server A and client C are on different networks, so access from C to A must be forwarded through firewall B. The table below shows the relationship between server A and client C: C must be able to reach the 172.16 network, B has two addresses, 192.168.0.28 and 172.16.14.10, and only 192.168.0.48 may access ports 80 and 22 of the server. (Three VMs are needed.)
Server A           Firewall B               Client C
172.16.14.10:80    forward (policy DROP)    192.168.0.48 -> ports 80 and 22
172.16.14.10:22
1) Set the default gateway of C to 192.168.0.28.
route add default gw 192.168.0.28
2) Start the httpd and sshd services on A (install them first if they are not present).
service httpd start
service sshd start
3) Configure iptables on B.
iptables -A FORWARD -s 192.168.0.48 -d 172.16.14.10 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -s 192.168.0.48 -d 172.16.14.10 -p tcp --dport 22 -j ACCEPT
iptables -P FORWARD DROP
iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  192.168.0.48         172.16.14.10         tcp dpt:80
ACCEPT     tcp  --  192.168.0.48         172.16.14.10         tcp dpt:22
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
4) From C, ping 172.16.14.10 and connect to A via SSH, then use elinks to check that A's httpd service responds normally.
ssh 172.16.14.10
elinks http://172.16.14.10    # normal if the test page is displayed
5) Change the IP address of C to 192.168.0.58 and check whether SSH or the test page can still be reached.
ifconfig eth0 192.168.0.58
ssh 172.16.14.10              # should not connect
elinks http://172.16.14.10    # should not display any content
If both behave as required, the firewall is in effect.