This article mainly introduces the Linux firewall tool iptables and, along the way, gives an overview of hardware firewalls.
What is a firewall
A network security technique that protects an internal network from attacks and intrusions coming from an external network. A firewall usually sits at the boundary between the internal and the external network; it analyses and filters the packets crossing that boundary according to defined rules and restricts access accordingly.
Firewalls are divided into hardware firewalls and software firewalls.
A hardware firewall is a dedicated host device built by a vendor for this purpose.
A software firewall is a set of tools that protects a host's network stack, such as iptables and TCP Wrappers on Linux.
Hardware firewall
Typical functions
Security isolation, access control, VPN, content filtering, virus protection
Three types (by filtering technique)
Packet filtering firewall: decides on packet headers at the routing layer
Application proxy: proxies the service on behalf of the client, so no direct connection crosses the boundary
Stateful inspection: tracks connection state and filters on it rather than on isolated packets
Five deployment modes
Transparent mode (switching/bridge mode: inserted without changing the IP addressing)
Audit mode
Route mode
Multi-instance mode: one device runs several virtual firewalls, mainly used in IDC data centres
Failover: stateful switchover to a backup unit
Zone-based deployment
Software firewall
iptables: NetFilter provides the mechanism for controlling access to network resources; iptables is the user-space tool used to write firewall rules against it. It has been available since Linux kernel 2.4 (a kernel version, not a CentOS version); the earlier mechanism in kernel 2.2 was called ipchains.
NetFilter: the kernel packet filtering framework
The NetFilter framework defines five built-in chains and several tables (the three used on this page are filter, nat and mangle; raw and security also exist)
PREROUTING
INPUT
FORWARD
OUTPUT
POSTROUTING
filter: filtering (chains INPUT, FORWARD, OUTPUT); this is the default table when -t is omitted
nat: address translation (PREROUTING, POSTROUTING, OUTPUT); consulted only for the first packet of a connection, later packets of that connection follow the recorded conntrack mapping
mangle: modifies packet header data (usable on all five chains), for example to change the TTL or to set a firewall mark
Packet path for local access and forwarding (the original figure is not preserved): a packet entering the host first traverses PREROUTING; if it is addressed to this host it goes through INPUT to the local process, otherwise it is routed through FORWARD and then POSTROUTING; packets generated locally traverse OUTPUT and then POSTROUTING.
Packet filtering rules
Rules in a chain are compared in order, from first to last.
If a packet matches a rule, that rule's action (target) is taken; for the terminating targets ACCEPT, DROP and REJECT, matching stops there. LOG is not terminating: it writes the log entry and the packet continues to the next rule. If the packet does not match, the next rule is compared.
If no rule matches, the chain's default policy (-P) is applied. Because matching is first-match, a rule appended with -A behind an earlier, broader rule never fires; use -I to place it first, or order rules from specific to general.
Syntax and use of iptables
iptables can match and filter on port, IP address, protocol, interface, MAC address, connection state, time, packet rate and more, and can also perform NAT. (There is a great deal of depth here.)
View
iptables [-L list the rules of a table, filter by default] [-t specify the table] [-n numeric output: do not resolve IPs and ports to names, which is much faster] [-v verbose: packet/byte counters and interfaces] [--line-numbers number the rules, useful for a later -D]
iptables-save prints the complete rule set in a loadable format (the rules we wrote appear as the commands we typed)
Delete
iptables [-t table] -D chain rule-number (number from -L --line-numbers) or -D chain rule-specification deletes one rule; -F flushes a chain (or every chain of the table); -X deletes an empty user-defined chain
Define default policy
iptables [-t table] -P chain ACCEPT|DROP sets the target applied when no rule in the chain matches; switch INPUT to DROP only after the rules you depend on (ESTABLISHED,RELATED and your management port) are already in place, otherwise you lock yourself out of the host
Save
iptables-save > /etc/sysconfig/iptables (or service iptables save on CentOS 6) writes the running rules to the file the init script loads at boot; rules added with iptables are not persistent on their own
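The view, delete, default-policy and save steps above, put together as an added example (this is not code from the original article). It assumes sshd listens on port 22, the log prefix and file names used here, and a DRY_RUN=1 switch that records the iptables invocations instead of executing them, so the ordering can be checked without root; the point it demonstrates is that the ESTABLISHED,RELATED and SSH accepts must exist before the default policy becomes DROP.

```shell
#!/bin/sh
# Added example, not from the original article. Assumptions: sshd on port 22,
# the chain/file names used here, DRY_RUN=1 records instead of executing
# (a real run needs root and a kernel with NetFilter).
set -eu

DRY_RUN="${DRY_RUN:-0}"
SSH_PORT="${SSH_PORT:-22}"
RECORDED=""          # commands captured under DRY_RUN=1, one per line

ipt() {
    # Run iptables, or under DRY_RUN=1 just record the invocation.
    if [ "$DRY_RUN" = "1" ]; then
        RECORDED=$(printf '%s\niptables %s' "$RECORDED" "$*")
        return 0
    fi
    iptables "$@"
}

rule_index() {
    # Line number of the first recorded command containing the fixed string $1 (0 if none).
    n=$(printf '%s\n' "$RECORDED" | grep -n -F -- "$1" | head -n 1 | cut -d: -f1)
    echo "${n:-0}"
}

show_rules() {
    # View: -L list, -n numeric (no DNS), -v counters, --line-numbers for a later -D.
    ipt -t "${1:-filter}" -L -n -v --line-numbers
}

delete_rule() {
    # Delete rule number $2 from chain $1 (numbers come from show_rules).
    ipt -D "$1" "$2"
}

install_baseline() {
    # 1. Open the policy before flushing so a failure mid-script cannot lock us out.
    ipt -P INPUT ACCEPT
    ipt -F
    ipt -X
    # 2. Loopback, replies to our own connections, and broken state first.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j DROP
    # 3. Management access and ping.
    ipt -A INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW -j ACCEPT
    ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    # 4. LOG is non-terminating: the packet still falls through to the policy.
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-INPUT-DROP:"
    # 5. Only now flip the default policies.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
}

baseline_is_lockout_safe() {
    # True when the established and SSH accepts were installed before -P INPUT DROP.
    est=$(rule_index 'ESTABLISHED,RELATED -j ACCEPT')
    sshr=$(rule_index "--dport $SSH_PORT")
    drop=$(rule_index '-P INPUT DROP')
    if [ "$est" -gt 0 ] && [ "$sshr" -gt 0 ] && [ "$drop" -gt 0 ] \
       && [ "$est" -lt "$drop" ] && [ "$sshr" -lt "$drop" ]; then
        return 0
    fi
    return 1
}

save_rules() {
    # Persist with iptables-save; CentOS 6's init script reloads /etc/sysconfig/iptables at boot.
    if [ "$DRY_RUN" = "1" ]; then
        RECORDED=$(printf '%s\niptables-save > %s' "$RECORDED" "$1")
        return 0
    fi
    iptables-save > "$1"
}

case "${1:-}" in
    apply) install_baseline; save_rules /etc/sysconfig/iptables; show_rules ;;
    *)     : ;;   # no argument: only define the functions (safe to source or test)
esac
```

Run it as `sh firewall.sh apply` on the host, or `DRY_RUN=1 sh firewall.sh` and inspect `$RECORDED` to review the plan first; the ordering check is the same one you would do by eye before applying a DROP policy over an SSH session.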
Add rule
iptables [-t table] [-A append at the end of the chain] [-I insert at the top of the chain] [-p protocol tcp/udp/icmp] [-i inbound interface] [-o outbound interface] [-s source IP] [-d destination IP] [--sport source port] [--dport destination port] [-j target]
IP format: 192.168.0.1 or 192.168.0.0/24
Port format: a single port 23, a range 1024:65535, or a service name such as ssh (resolved through /etc/services); --sport and --dport require -p tcp or -p udp before them
Targets: ACCEPT DROP REJECT LOG
MAC and state modules
[-m mac --mac-source ...] [-m state --state ...]
-m mac --mac-source aa:bb:cc:dd:ee:ff (matches the source MAC of the frame; only meaningful in PREROUTING, INPUT and FORWARD, where the inbound frame header is still known)
-m state --state [INVALID: packet not associated with any known connection] [NEW: first packet of a new connection] [ESTABLISHED: belongs to a connection that has seen packets in both directions] [RELATED: a new connection associated with an existing one, e.g. an FTP data channel or an ICMP error for a tracked flow] (several states may be combined with commas; on current kernels -m conntrack --ctstate is the preferred spelling with the same semantics)
ICMP type: -p icmp --icmp-type type (for example echo-request or echo-reply; iptables -p icmp -h lists the names)
Time-based module
iptables -t filter -A FORWARD -m time --timestart HH:MM --timestop HH:MM --weekdays Mon,Tue,Wed,Thu,Fri -m state --state ESTABLISHED,RELATED -j ACCEPT
(the start and stop times are missing in the original and are left as HH:MM placeholders; the old ipt_time patch spelled the day option --days, the current xt_time module uses --weekdays and interprets the times as UTC unless --kerneltz is given)
recent module: matching on packet rate per address
-m recent [--name list name] [--rsource match on the source address, the default] [--rdest match on the destination address] [--seconds n only entries seen within the last n seconds] [--hitcount n only entries with at least n hits, used together with --rcheck or --update] [--set add the address to the list, or refresh its entry and timestamp] [--rcheck check whether the address is in the list without touching its timestamp, so the window runs from when it was last set] [--update like --rcheck but also refresh the last-seen timestamp, so every matching packet restarts the window] [--remove remove the address from the list]
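The state, recent, time and mac modules described above, combined in an added example (not code from the original article): new SSH connections per source address are throttled with -m state and -m recent, and one time-based and one MAC-based rule show the other two modules. Assumed values: sshd on port 22, a user chain named SSH_THROTTLE, 4 attempts per 60 seconds, office hours 09:00-18:00 Monday to Friday, a placeholder MAC address, eth0 as the LAN side, and DRY_RUN=1 to record the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not from the original article. Assumptions: sshd on 22, the
# chain name SSH_THROTTLE, 4 attempts / 60 s, 09:00-18:00 Mon-Fri, a placeholder
# MAC, eth0 = LAN, eth1 = Internet; DRY_RUN=1 records instead of executing.
set -eu

DRY_RUN="${DRY_RUN:-0}"
RECORDED=""

ipt() {
    # Run iptables, or under DRY_RUN=1 record the invocation.
    if [ "$DRY_RUN" = "1" ]; then
        RECORDED=$(printf '%s\niptables %s' "$RECORDED" "$*")
        return 0
    fi
    iptables "$@"
}

rule_index() {
    # Line number of the first recorded command containing the fixed string $1 (0 if none).
    n=$(printf '%s\n' "$RECORDED" | grep -n -F -- "$1" | head -n 1 | cut -d: -f1)
    echo "${n:-0}"
}

install_ssh_throttle() {
    window=60; hits=4
    ipt -N SSH_THROTTLE || true      # the chain may already exist
    ipt -F SSH_THROTTLE
    # Order matters: test the counter first, then record the hit.
    # --update matches only addresses already in the list and, with --hitcount,
    # only when they have >= 4 hits inside the last 60 s. Each dropped attempt
    # refreshes the timestamp, so the block lasts until the source stays quiet.
    ipt -A SSH_THROTTLE -m recent --name ssh --update --seconds "$window" --hitcount "$hits" -j DROP
    # Otherwise record this attempt (create or refresh the entry) and let it through.
    ipt -A SSH_THROTTLE -m recent --name ssh --set -j ACCEPT
    # Only NEW connections pass through the counter; established sessions are untouched.
    ipt -I INPUT -p tcp --dport 22 -m state --state NEW -j SSH_THROTTLE
}

install_time_and_mac_rules() {
    # Forward LAN web traffic only in office hours; xt_time reads the times as UTC
    # unless --kerneltz is added.
    ipt -A FORWARD -i eth0 -o eth1 -p tcp --dport 80 -m time \
        --timestart 09:00 --timestop 18:00 --weekdays Mon,Tue,Wed,Thu,Fri -j ACCEPT
    # The MAC match sees the inbound frame header, so it needs -i; placeholder address.
    ipt -A INPUT -i eth0 -p tcp --dport 22 -m mac --mac-source 00:11:22:33:44:55 -j ACCEPT
}

throttle_rules_ordered() {
    # The DROP check must precede the --set, and the INPUT hook must come last.
    drop=$(rule_index '--update --seconds 60 --hitcount 4 -j DROP')
    setr=$(rule_index '--set -j ACCEPT')
    hook=$(rule_index '--state NEW -j SSH_THROTTLE')
    if [ "$drop" -gt 0 ] && [ "$setr" -gt "$drop" ] && [ "$hook" -gt "$setr" ]; then
        return 0
    fi
    return 1
}

case "${1:-}" in
    apply) install_ssh_throttle; install_time_and_mac_rules ;;
    *)     : ;;   # no argument: only define the functions
esac
```

With the two SSH_THROTTLE rules in this order a source gets four new connections per minute and is then dropped; swap them and --set runs first, so the fifth attempt is counted before it is checked and the limit is off by one. The list can be inspected at /proc/net/xt_recent/ssh on current kernels.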
NAT feature
SNAT: rewrites the source IP of the packet, mapping private addresses to a public address at the network exit
Prerequisite: IP forwarding must be enabled in /proc/sys/net/ipv4/ip_forward (write 1 to it, or set net.ipv4.ip_forward=1 with sysctl); otherwise transit packets are dropped before any NAT happens
Packet flow (forwarding):
The packet arrives at the host and passes the nat PREROUTING chain
It is routed and passes the filter FORWARD chain, which must accept it
It passes the nat POSTROUTING chain; here the source IP is rewritten to the public IP and the mapping between the original and the translated addresses is recorded in the connection tracking table
When the Internet host replies, the destination IP of the reply is rewritten back from the public IP to the private one on the way in (at PREROUTING), using the recorded mapping; the nat table is consulted only for the first packet of a connection, later packets follow the conntrack entry
Example 1: address translation for 192.168.1.0/24
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth1 -j MASQUERADE
(MASQUERADE uses whatever address eth1 holds at match time, so it suits a dynamic public address; SNAT is for a fixed address or address range:)
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 192.168.1.10-192.168.1.15
(the --to-source addresses must be addresses the gateway owns, or at least that are routed back to it, since the replies are sent to them; the range in the original is written with private addresses, in a real deployment these would be the gateway's public addresses on eth1)
DNAT: used mainly to let external clients reach an internal server (a DMZ host); essentially the inverse of SNAT
It can also map ports to hide the real one: for example publish the web service on port 8080 and have the forwarding Linux host translate it to port 80 in the nat PREROUTING chain (or in OUTPUT for packets generated on the gateway itself)
Example: the web server is 192.168.1.10, the Linux edge device has its public IP on the eth1 NIC and forwards external access to the internal server through NAT
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 8080 -j DNAT --to-destination 192.168.1.10:80
(the public-facing port, 8080 here as in the description above, can be changed to any other, less obvious port. Two more things must hold for this to work: ip_forward is enabled, and the filter FORWARD chain accepts traffic to 192.168.1.10 port 80, which is the destination it sees because nat PREROUTING runs before the routing decision. Clients on the internal network that connect to the public address will not get replies without an additional SNAT on the inside (hairpin NAT), because the server would answer them directly.)
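The complete NAT gateway that the SNAT and DNAT snippets above sketch, as an added example (not code from the original article): forwarding is switched on, LAN sources are masqueraded on the way out, the published port is DNATed to the web server, and the filter FORWARD chain, which the snippets leave out, is given the rules both directions need. Assumed values: eth0 is the LAN side (192.168.1.0/24), eth1 is the Internet-facing NIC holding the public address, the web server is 192.168.1.10:80 published on public port 8080, and DRY_RUN=1 records the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not from the original article. Assumptions: eth0 = LAN
# (192.168.1.0/24), eth1 = Internet, web server 192.168.1.10:80 published on
# public port 8080; DRY_RUN=1 records instead of executing (a real run needs root).
set -eu

DRY_RUN="${DRY_RUN:-0}"
LAN_IF=eth0; WAN_IF=eth1
LAN_NET=192.168.1.0/24
WEB_IP=192.168.1.10; WEB_PORT=80; PUB_PORT=8080
RECORDED=""

run() {
    # Run a command, or under DRY_RUN=1 record it.
    if [ "$DRY_RUN" = "1" ]; then
        RECORDED=$(printf '%s\n%s' "$RECORDED" "$*")
        return 0
    fi
    "$@"
}

rule_index() {
    # Line number of the first recorded command containing the fixed string $1 (0 if none).
    n=$(printf '%s\n' "$RECORDED" | grep -n -F -- "$1" | head -n 1 | cut -d: -f1)
    echo "${n:-0}"
}

install_nat_gateway() {
    # Without forwarding the kernel drops transit packets before any NAT runs.
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -F
    run iptables -F FORWARD
    run iptables -P FORWARD DROP
    # SNAT: rewrite LAN sources to eth1's address on the way out. MASQUERADE looks
    # up the interface address at match time, so it survives a DHCP change.
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
    # DNAT: public :8080 -> 192.168.1.10:80. PREROUTING rewrites the destination
    # before the routing decision, so FORWARD below already sees the internal address.
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$PUB_PORT" \
        -j DNAT --to-destination "$WEB_IP:$WEB_PORT"
    # The filter FORWARD chain must still allow both directions explicitly.
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$WEB_IP" --dport "$WEB_PORT" \
        -m state --state NEW -j ACCEPT
}

gateway_rules_complete() {
    # Sanity check on the recorded plan: forwarding on, SNAT, DNAT, and the
    # FORWARD accept that targets the post-DNAT address and port.
    if [ "$(rule_index 'ip_forward=1')" -gt 0 ] \
       && [ "$(rule_index "-o $WAN_IF -j MASQUERADE")" -gt 0 ] \
       && [ "$(rule_index "--to-destination $WEB_IP:$WEB_PORT")" -gt 0 ] \
       && [ "$(rule_index "-d $WEB_IP --dport $WEB_PORT")" -gt 0 ]; then
        return 0
    fi
    return 1
}

case "${1:-}" in
    apply) install_nat_gateway ;;
    *)     : ;;   # no argument: only define the functions
esac
```

Note that the FORWARD accept for the published service matches -d 192.168.1.10 --dport 80, not the public port: by the time filter FORWARD runs, nat PREROUTING has already rewritten the destination. The web server must also route its replies through this gateway (its default gateway is the LAN address on eth0), or conntrack never sees the return packets to undo the translation.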
This article is from the "Call Me boxin" blog; please keep this source when reposting: http://boxinknown.blog.51cto.com/10435935/1665238
Firewall principles and iptables