Firewall principles and Iptables


This article mainly introduces the iptables firewall tool on Linux, and briefly introduces hardware firewalls along the way.

What is a firewall

    • A network security technology that protects an internal network from attacks and intrusions coming from an external network. It is usually placed at the boundary between the internal and external networks, where it analyses and filters the packets passing through the managed network according to defined rules and restricts access.

Firewalls are divided into hardware firewalls and software firewalls

    • A hardware firewall is a dedicated host device built by a manufacturer

    • A software firewall is a set of tools that protects the system's network access, such as iptables and TCP Wrappers on Linux

Hardware firewall

Specific functions

    • Security isolation, access control, VPN, content filtering, virus protection

Three different types

    • Packet filtering firewall (works at the routing level)

    • Application proxy: proxy service

    • Stateful inspection: filtering based on connection state

Five types of models

    • Transparent mode (switching mode)

    • Audit mode

    • Route mode

    • Multi-instance mode: a multi-instance firewall, mainly used in IDC data centres

    • Failover: stateful switchover to a backup device

Regional deployment

    • Two zones

    • Three zones: inside, outside, DMZ

Software firewall

iptables: the tool for writing firewall rules on top of NetFilter, the kernel mechanism that provides access control for network resources. It has been available since Linux kernel 2.4; its predecessor, built on a similar mechanism, was ipchains.

NetFilter: the packet filtering mechanism

    • A packet filtering mechanism that works inside the kernel's TCP/IP stack: packet filtering means extracting the packet header data and analysing it

The NetFilter framework defines five built-in chains and several tables by default

    • Five built-in chains, which serve as the points where packets are filtered:

PREROUTING

INPUT

FORWARD

OUTPUT

POSTROUTING

    • Common tables:

filter: filtering (INPUT, FORWARD, OUTPUT)

nat: network address translation (PREROUTING, POSTROUTING, OUTPUT)

mangle: modifies packet data (usable on all chains); use mangle, for example, to change the TTL or to set a firewall mark

Access and forwarding flow diagram

[Figure: packet flow through the NetFilter chains for local access and forwarding; image not reproduced]



Packet filtering rules

    • Rules are matched in order, from first to last, according to the predefined rule list

    • If the packet matches a rule, that rule's action is performed; if it does not match, the next rule is compared

    • If no rule matches, the chain's default policy action is applied
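The three bullets above describe first-match semantics: order decides. The following script is an added illustration (not code from the original post) that simulates a chain walk in plain POSIX sh. The rule format, the constructed INPUT chain and the helper names (match_packet, append_rule, insert_rule) are all invented for this example; it also shows why appending (-A) an ACCEPT after a broad DROP produces a rule that can never fire, while inserting it (-I) at the top works.

```shell
#!/bin/sh
# Added example, not from the original post: a small simulation of how a
# NetFilter chain is evaluated. Rules are checked from first to last, the first
# match decides the verdict, and a packet matching no rule gets the chain's
# default policy (-P). The rule format is constructed for this example:
#   "<proto> <dport> <verdict>"   where "*" means "any".

# Constructed INPUT chain, listed in the order the rules were appended (-A).
INPUT_RULES='tcp 22 ACCEPT
tcp 80 ACCEPT
tcp * DROP
udp 53 ACCEPT'
INPUT_POLICY=DROP

# match_packet RULES POLICY PROTO DPORT
# Prints "<verdict> rule <n>" for the first matching rule, or "<policy> policy".
match_packet() {
    rules=$1; policy=$2; proto=$3; dport=$4
    n=0
    while read -r r_proto r_port r_verdict; do
        [ -z "$r_proto" ] && continue
        n=$((n + 1))
        if { [ "$r_proto" = "*" ] || [ "$r_proto" = "$proto" ]; } &&
           { [ "$r_port" = "*" ] || [ "$r_port" = "$dport" ]; }; then
            printf '%s rule %s\n' "$r_verdict" "$n"   # first match wins
            return 0
        fi
    done <<EOF
$rules
EOF
    printf '%s policy\n' "$policy"                     # nothing matched
}

# append_rule RULES RULE  -> like "iptables -A": the new rule goes to the end
append_rule() { printf '%s\n%s\n' "$1" "$2"; }
# insert_rule RULES RULE  -> like "iptables -I": the new rule goes to the top
insert_rule() { printf '%s\n%s\n' "$2" "$1"; }

# Demonstration: appending an ACCEPT for tcp/443 after the "tcp * DROP" rule
# yields a rule that never fires; inserting it at the top makes it effective.
APPENDED=$(append_rule "$INPUT_RULES" "tcp 443 ACCEPT")
INSERTED=$(insert_rule "$INPUT_RULES" "tcp 443 ACCEPT")

printf 'tcp/22            -> %s\n' "$(match_packet "$INPUT_RULES" "$INPUT_POLICY" tcp 22)"
printf 'udp/123           -> %s\n' "$(match_packet "$INPUT_RULES" "$INPUT_POLICY" udp 123)"
printf 'tcp/443 after -A  -> %s\n' "$(match_packet "$APPENDED" "$INPUT_POLICY" tcp 443)"
printf 'tcp/443 after -I  -> %s\n' "$(match_packet "$INSERTED" "$INPUT_POLICY" tcp 443)"
```

On a real host the same check is done by reading `iptables -L -n -v --line-numbers` top to bottom: a rule whose packet counter stays at zero behind a broader rule is usually shadowed in exactly this way.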

Syntax and use of iptables

iptables can match and filter on port, IP address, protocol, interface, MAC address (mac module), connection state, time, packet rate and more, and can also implement NAT (a deep topic in its own right)


View

    • iptables [-L lists the rules of a chain, default table filter] [-t specifies the table] [-n does not resolve IP addresses and ports to names, which is faster] [-v lists more details]

    • iptables-save lists the complete rule set (the commands we wrote are listed in restore format)


Delete

    • iptables [-t table] [-F flushes all rules] [-X deletes user-defined chains] [-Z zeroes the packet and byte counters of all chains]

Define default Policy

    • iptables [-t table] -P [chain] [policy: ACCEPT DROP REJECT LOG]


Save

    • /etc/init.d/iptables save

Add rule

    • iptables [-t table] [-A appends at the end of the chain] [-I inserts the rule at the top] [-p protocol tcp/udp] [-i in-interface] [-o out-interface] [-s source IP] [-d destination IP] [--sport source port number or service name] [--dport destination port] [-j action]

    • IP format: 192.168.0.1 or 192.168.0.0/24

    • Port format: a single port 23, a range 1024:65535, or a service name such as ssh

    • Action: ACCEPT DROP REJECT LOG

mac and state modules

    • [-m state|mac] [--state status]

    • -m mac --mac-source aa:bb:cc:dd:ee:ff

    • -m state --state [INVALID: packet that belongs to no known connection] [NEW: packet that starts a new connection] [ESTABLISHED: connection already established] [RELATED: packet associated with an existing connection to the host]

ICMP type

    • [-p icmp] [--icmp-type type]: type 8 is the echo request; an ordinary host that is not acting as a router (and does not need to answer ping tests) can drop the reply

Time-based module

    • -m time [--timestart start] [--timestop end time] [--weekdays days] -j action (brief introduction to these parameters; older iptables versions spelled the day option --days)

    • Example: open the network from 12:00 to 14:00 every Monday to Friday

iptables -t filter -A FORWARD -m time --timestart 12:00 --timestop 14:00 --weekdays Mon,Tue,Wed,Thu,Fri -m state --state ESTABLISHED,RELATED -j ACCEPT

Recent module based on packet rate matching

    • -m recent [--name list name] [--rsource match on the source address, the default] [--rdest match on the destination address] [--seconds time window] [--hitcount hit count] [--set add the address to the list and update its timestamp] [--rcheck check whether the address is in the list, counting the window from the first match] [--update like --rcheck but the window counts from the last match, since the timestamp is refreshed] [--remove remove the address from the list; followed by the list name and address]

Nat feature

SNAT: modifies the source IP of the packet (source address translation), mapping private network addresses to the public address at the network exit

Process (forwarding must be enabled in /proc/sys/net/ipv4/ip_forward)

    • The packet arrives at the host and enters the nat PREROUTING chain

    • It passes through the filter FORWARD chain

    • It passes through the nat POSTROUTING chain, where the source IP of the packet is changed to the public IP and the mapping is cached

    • When a host on the Internet returns a packet, its destination IP is rewritten from the public IP back to the private one on the PREROUTING chain, based on the cached mapping

    • Example 1: translate the 192.168.1.0/24 network at the exit

iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth1 -j MASQUERADE

    • Example 2: the web servers have six addresses, 192.168.1.10 to 192.168.1.15, that need to be translated to the public IPs configured on eth1 (the translated address is specified directly)

iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 192.168.1.10-192.168.1.15

DNAT: mainly used for external hosts actively accessing an internal server (DMZ area); it is essentially the inverse of SNAT

    • It can do port mapping to hide the actual port, for example: expose the web service on 8080, then redirect to port 80 on the OUTPUT/PREROUTING chain of the forwarding Linux host

    • Example: the web server address is 192.168.1.10, the Linux edge device has its public IP on the eth1 NIC, and external access is forwarded to the internal server via NAT

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 8080 -j DNAT --to-destination 192.168.1.10:80    # the 8080 port can be changed to some other less well-known port
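The sections above give the rules one command at a time. The script below is an added example, not from the original post, that assembles them into a single ruleset in iptables-restore format so the filter and nat tables are loaded atomically (a half-applied rule-by-rule script can leave the host open or lock the operator out). The addresses follow the post (LAN 192.168.1.0/24, web server 192.168.1.10, public side on eth1); the LAN interface eth0, the list name sshguard, the threshold of 5 hits in 60 seconds and the function names build_ruleset and enable_forwarding are assumptions made for this example. It also shows the state, recent and icmp modules from the earlier sections in use.

```shell
#!/bin/sh
# Added example, not from the original post: build a complete ruleset in
# iptables-restore format and load it atomically with iptables-restore.
WAN_IF=eth1              # public side, as in the post
LAN_IF=eth0              # assumption: the post never names the LAN interface
LAN_NET=192.168.1.0/24   # LAN from the post
WEB_SRV=192.168.1.10     # web server from the post

# build_ruleset prints the ruleset; apply with:  build_ruleset | iptables-restore
build_ruleset() {
    cat <<EOF
*filter
# Default policies. Only ACCEPT and DROP are valid chain policies (-P);
# REJECT and LOG are rule targets (-j), not policies.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and replies to connections this host started (state module).
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# Throttle new SSH connections with the recent module (list name and
# threshold are assumptions): 5 or more new connections from one source
# within 60 seconds are logged and dropped; below that they are accepted.
-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name sshguard --set
-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name sshguard --rcheck --seconds 60 --hitcount 5 -j LOG --log-prefix "ssh-flood: "
-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name sshguard --update --seconds 60 --hitcount 5 -j DROP
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
# ICMP echo request (type 8): answer ping only from the LAN.
-A INPUT -p icmp --icmp-type 8 -s $LAN_NET -j ACCEPT
# Forwarding for the NAT examples. DNAT has already rewritten the destination
# by the time FORWARD sees the packet, so match the internal address and port.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -p tcp -d $WEB_SRV --dport 80 -m state --state NEW -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# DNAT: outside clients reach public-IP:8080 on $WAN_IF, forwarded to the web server's port 80.
-A PREROUTING -i $WAN_IF -p tcp --dport 8080 -j DNAT --to-destination $WEB_SRV:80
# SNAT: masquerade the LAN behind whatever address $WAN_IF currently holds.
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# The kernel must forward packets at all, or the FORWARD chain never sees them.
enable_forwarding() {
    sysctl -w net.ipv4.ip_forward=1
}

# Print the ruleset so it can be reviewed before it is loaded.
build_ruleset
```

Review the output first, then load it with `build_ruleset | iptables-restore` and `enable_forwarding` as root; `iptables-save` afterwards should print the same rules back. On current kernels `-m conntrack --ctstate` is the preferred spelling of `-m state --state`, with identical meaning for the states used here.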


This article is from the "Call Me boxin" blog; please keep this source: http://boxinknown.blog.51cto.com/10435935/1665238
