Firewall iptables under Linux

Source: Internet
Author: User

A firewall, also called a protective wall, was invented by Check Point founder Gil Shwed in 1993 and introduced to the Internet. It is an information security protection system that allows or restricts the transmission of data according to specific rules.

    • Brief introduction

When a firewall makes packet-filtering decisions, it follows a set of rules stored in a dedicated packet-filtering table that is built into the Linux kernel. Within these tables, rules are grouped into what are called chains, and the Netfilter/iptables IP packet-filtering system is a powerful tool for adding, editing, and removing those rules.

Although Netfilter/iptables is referred to as a single entity, it actually consists of two components: Netfilter and iptables.

The Netfilter component, also called kernel space, is part of the kernel and consists of the packet-filtering tables that hold the rule sets the kernel uses to control packet filtering.

The iptables component, also called user space, is a tool that makes it easy to insert, modify, and remove rules in the packet-filtering tables.

    • System Benefits

The biggest advantage of netfilter/iptables is that it can be configured as a stateful firewall. A stateful firewall can specify and remember the state of the connection used to send or receive packets; it obtains this information from the packet's connection-tracking state. When deciding how to filter a new packet, the firewall can use this state information to increase its efficiency and speed. There are four valid states, named ESTABLISHED, INVALID, NEW, and RELATED.

The state ESTABLISHED indicates that the packet belongs to an established connection, one that has already been used to send and receive packets and is fully valid.

The state INVALID indicates that the packet is not associated with any known flow or connection; it may contain incorrect data or headers.

The state NEW means that the packet has started or will start a new connection, or is associated with a connection that has not yet been used to send and receive packets.

Finally, the state RELATED indicates that the packet is starting a new connection but is associated with an existing, established connection.

Another important advantage of netfilter/iptables is that it gives users full control over firewall configuration and packet filtering. You can write your own rules to meet your specific needs, allowing only the network traffic you want into the system.

    • Command description

iptables is used to set up, maintain, and inspect the IP packet-filtering rules of the Linux kernel.

Several different tables can be defined, each containing a number of built-in chains and possibly user-defined chains. Each chain is a list of rules that can match a set of packets; each rule specifies what to do with a packet that matches it. This is called the "target", which can also be a jump to a user-defined chain in the same table.

Targets

A firewall rule specifies criteria for a packet and a target. If the packet does not match, the next rule in the chain is examined; if it does match, the next rule is determined by the value of the target. The target value can be the name of a user-defined chain or one of the special values ACCEPT, DROP, QUEUE, or RETURN.

ACCEPT means to let the packet through.

DROP means to discard the packet.

QUEUE means to pass the packet to user space.

RETURN means to stop traversing this chain and resume at the next rule in the previous (calling) chain. If the end of a built-in chain is reached, or a rule in a built-in chain with target RETURN is matched, the fate of the packet is determined by the policy specified for that chain.

Tables

There are currently three tables (which tables are present depends on the kernel configuration options and on which modules are loaded).

The -t option of the iptables command specifies which table to operate on. If the kernel is configured to load modules automatically, the system attempts to load the appropriate module for that table if it is not already loaded. The tables are as follows:

filter: the default table, containing the built-in chains INPUT, FORWARD, and OUTPUT.

nat: this table is consulted when a packet that creates a new connection is encountered. It consists of three built-in chains: PREROUTING, OUTPUT, and POSTROUTING.

mangle: this table is used for specialized packet alteration. It has two built-in chains: PREROUTING and OUTPUT.

(Figure: IP packet flow)

iptables syntax

iptables [-t table] {-A|-D|-R|-E|...} chain rule-specification

iptables is followed by the name of the table to operate on (via -t), then the command that says what to do with the chain (append, delete, replace, and so on), then the chain name, and finally the rule specification, which is a collection of match options and the target.
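The following script, an example added here rather than code from the original article, ties the connection states above to the command syntax: it emits a minimal stateful INPUT ruleset in iptables-restore format (each "-A CHAIN ..." line is exactly the chain plus rule-specification you would pass to iptables -t filter -A CHAIN ...), using the conntrack match for the ESTABLISHED, RELATED, NEW and INVALID states and a user-defined chain that uses RETURN to fall back to the chain policy. The admin subnet 192.0.2.0/24 and the SSH port are constructed assumptions; the script only prints the ruleset so it can be reviewed without root, and it is applied with iptables-restore.

```shell
#!/bin/sh
# Added example (not from the original article): build a minimal stateful
# filter-table ruleset in iptables-restore format. It only prints the rules,
# so it can be reviewed or tested without root; apply with:
#   iptables-restore < ruleset.txt
# Assumption (constructed for the example): admin subnet 192.0.2.0/24.

ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"

# Print the filter table. Lines starting with '#' are ignored by
# iptables-restore, so the rule comments survive a round-trip.
gen_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:ADMIN_SSH - [0:0]
# 1. Packets with no usable conntrack entry (bad headers, out-of-window)
-A INPUT -m conntrack --ctstate INVALID -j DROP
# 2. Replies to connections already accepted, plus helper-related flows
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# 3. Loopback traffic
-A INPUT -i lo -j ACCEPT
# 4. Only the first (NEW) packet of a TCP/22 connection reaches the
#    user-defined chain; later packets are handled by rule 2
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ADMIN_SSH
# User-defined chain: accept from the admin subnet, otherwise RETURN so the
# packet falls through to the INPUT policy, which is DROP
-A ADMIN_SSH -s $ADMIN_NET -j ACCEPT
-A ADMIN_SSH -j RETURN
COMMIT
EOF
}

# Self-check helper: how many rules reference a given conntrack state.
count_state_rules() {
  gen_ruleset | grep -c -- "--ctstate [A-Z,]*$1"
}

gen_ruleset
```

Because the INPUT policy is DROP, anything not explicitly accepted, including SSH attempts from outside the admin subnet that RETURN from ADMIN_SSH, is silently discarded.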

Reposted from: Baidu Encyclopedia, iptables
