First Glimpse of Netfilter/iptables

Source: Internet
Author: User
Tags: ssh, server

This is a troublesome thing to do; I accidentally locked myself out.

----------------------------------------------

I. Preface

II. Environment

III. Syntax analysis

IV. Configuration and testing

1. SNAT case

2. DNAT case

3. SSH case

4. SSH in-depth case (custom rules)

5. Web and FTP (custom rules)

6. Web and FTP (system default rules)

V. Saving the rules

----------------------------------------------



I. Preface

iptables is the IP packet filtering system integrated into the Linux kernel. It gives fine control over IP packet filtering and firewall configuration when a Linux system is connected to the Internet or a LAN, whether as a server or as a proxy server joining the LAN and the Internet.

Netfilter/iptables does packet filtering, so it can only match at the network layer (source address, destination address, protocol such as IP, ICMP, ARP, RARP) and at the transport layer (protocol TCP/UDP, source and destination port, TCP flags SYN/ACK/FIN/RST, connection state ESTABLISHED/NEW/INVALID/RELATED). If you want application-layer filtering, the l7-filter project that provided it is no longer maintained.


II. Environment

CentOS 6.4, 32-bit

III. Syntax analysis


Netfilter framework:

1. filter: firewall policy filtering

INPUT: traffic to the firewall itself (e.g. intranet or extranet hosts accessing web or mysql on it)

OUTPUT: traffic originating from the firewall (e.g. the firewall itself accessing intranet or extranet resources)

FORWARD: traffic passing through the firewall

2. nat: address translation

POSTROUTING: SNAT, source address translation (internal hosts accessing the outside)

PREROUTING: DNAT, destination address translation (outside hosts accessing internal ones)

OUTPUT

3. mangle: QoS (quality of service) handling for packets, rarely used

INPUT

OUTPUT

FORWARD

POSTROUTING

PREROUTING


Basic syntax:

iptables -t <table> <command> <chain> <match options> -j <action>


Table name (-t):

filter: INPUT, OUTPUT, FORWARD

nat: POSTROUTING, PREROUTING, OUTPUT

mangle: INPUT, OUTPUT, FORWARD, POSTROUTING, PREROUTING


Commands:

-L, --list                       view the list of rules

-A, --append                     append one rule at the end of the rule list

-D, --delete <chain> <number>    remove the specified rule from the rule list

-I, --insert <chain> <number>    insert one rule at the specified position

-R, --replace <chain> <number>   replace the rule at the specified position

-P, --policy <chain>             define the default policy of a chain

-N, --new-chain <name>           create a user-defined chain with the given name

-X, --delete-chain               delete all user-defined chains in the filter table (the system's built-in chains cannot be deleted)

-F, --flush [chain]              clear all rules in the filter table (or in one chain), including the rules on the built-in chains and on user-defined chains

-n, --numeric                    display addresses and ports numerically, which is easier to read

-v, --verbose                    show more information (packet and byte counters, interfaces)

--line-numbers                   show the number of each rule

Match options:

-s, --source <address/subnet>        source address

-i <interface>      the interface the packet arrives on, e.g. ppp0, eth0, eth1 (note: usable only in the INPUT, FORWARD and PREROUTING chains)

-d, --destination <address/subnet>   destination address

-o <interface>      the interface the packet leaves through, e.g. ppp0, eth0, eth1 (note: usable only in the OUTPUT and POSTROUTING chains)

-p tcp/udp          protocol; with --sport <source port> and --dport <destination port>

-p icmp             with --icmp-type <type>

Modules:

-m <module name> <module parameters>


Actions (-j):

ACCEPT        accept the packet

REJECT/DROP   discard the packet; REJECT is basically the same as DROP, except that besides blocking the packet it returns an error message to the sender

SNAT          source address translation

DNAT          destination address translation

REDIRECT      redirection


The order in which rules are applied: top to bottom, and if no rule matches, the chain's default policy.


IV. Configuration and testing

1. SNAT case

[Topology diagram (Tuopu.png) not reproduced]


# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1    // line 7: turn on route forwarding
# sysctl -p
# iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o eth2 -j SNAT --to 192.168.1.105
# iptables -t nat -L -n -v --line-numbers
Chain PREROUTING (policy ACCEPT 5 packets, 606 bytes)
num   pkts bytes target     prot opt in     out     source               destination
Chain POSTROUTING (policy ACCEPT 1 packets, bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 SNAT       all  --  *      eth1    192.168.2.0/24       0.0.0.0/0            to:192.168.1.105
Chain OUTPUT (policy ACCEPT 1 packets, bytes)
num   pkts bytes target     prot opt in     out     source               destination


At this point, when PC1 pings 192.168.1.1 (the external gateway) the result may vary; it may show Destination Host Prohibited.

The reason is that the FORWARD chain of the filter table (traffic passing through the firewall) carries a default rule that rejects the traffic; that rule can be cleared.

# iptables -t filter -L
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
# iptables -t filter -F FORWARD

Now PC1 can reach the external network.

If there is an FTP server on the external network, access through a browser works, but command-line access returns no data; for that you need to load the FTP NAT helper module.

# modprobe ip_nat_ftp

If the address of eth2 is dynamic, address masquerading is required instead of a fixed SNAT address.

# iptables -t nat -R POSTROUTING 1 -s 192.168.2.0/24 -o eth2 -j MASQUERADE   // address masquerading

SNAT summary

# iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o eth2 -j SNAT --to 192.168.1.105   (WAN port with a static address)
# iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o eth2 -j MASQUERADE                 (WAN port with a dynamic address)


2. DNAT case (mostly used for publishing servers)

# iptables -t nat -A PREROUTING -d 192.168.1.105 -p tcp --dport 3389 -j DNAT --to 192.168.2.100
# iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT packets, 3231 bytes)
 pkts bytes target     prot opt in     out     source               destination
    4   204 DNAT       tcp  --  any    any     anywhere             192.168.1.105        tcp dpt:ms-wbt-server to:192.168.2.100

Hosts on the external network can now open a remote desktop connection to PC1 on the intranet, using 192.168.1.105 as the connection address.



3. Firewall settings for the SSH service

For INPUT:

--dport and -d refer to the firewall's own port and address

--sport and -s refer to the port and address of the host initiating the connection


For OUTPUT:

--sport and -s refer to the firewall's own port and address

--dport and -d refer to the port and address of the host initiating the connection

(1) Settings for an SSH server

# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

(2) SSH connections made as a client

# iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
# iptables -A INPUT -p tcp --sport 22 -j ACCEPT

Note: an SSH connection to the host's own IP is a special case, in which the server connects to its own SSH service as a client.

The rules above leave a loophole for the SSH service: an attacker who spoofs network packets (for example, sending traffic with source port 22) gets through them and can attack the host. The fix is to have iptables check the connection state of incoming packets: only a packet that belongs to an already established connection (ESTABLISHED) is allowed through; anything else is dropped.

4. (1) As an SSH server (default policy DROP on all chains)

# iptables -t filter -A INPUT -s 192.168.2.0/24 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -t filter -A OUTPUT -d 192.168.2.0/24 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
# iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  192.168.2.0/24       0.0.0.0/0            tcp dpt:22 state NEW,ESTABLISHED
Chain FORWARD (policy DROP)
target     prot opt source               destination
Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            192.168.2.0/24       tcp spt:22 state ESTABLISHED

(2) As a client for SSH and DNS

# iptables -A INPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
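To make the difference between the section 3 rules and these stateful rules concrete, here is an added Python model (not iptables code, and not from the original article) of how an INPUT chain is evaluated: rules are tried top to bottom, the first match wins, otherwise the chain policy applies, and the conntrack state is supplied as a packet attribute. The packets, addresses and the 192.168.2.0/24 LAN are constructed for the demo.

```python
import ipaddress

# Added model of filter-chain evaluation, not iptables code: rules are tried top to
# bottom, the first match decides, and a packet matching nothing gets the chain policy.
# The packet's "state" stands in for what the conntrack/state module reports about it.

def matches(rule, pkt):
    """Every criterion present in the rule must agree with the packet."""
    if "proto" in rule and rule["proto"] != pkt["proto"]:
        return False
    for port in ("sport", "dport"):
        if port in rule and rule[port] != pkt[port]:
            return False
    if "src" in rule and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule["src"]):
        return False
    if "state" in rule and pkt["state"] not in rule["state"]:
        return False
    return True

def evaluate(chain, pkt, policy="DROP"):
    """Target of the first matching rule, else the chain's default policy."""
    for rule in chain:
        if matches(rule, pkt):
            return rule["target"]
    return policy

# Section 3 INPUT rules: port 22 in either direction is let in, with no state check.
STATELESS_INPUT = [{"proto": "tcp", "dport": 22, "target": "ACCEPT"},
                   {"proto": "tcp", "sport": 22, "target": "ACCEPT"}]
# Section 4 INPUT rules: server side limited to the LAN and NEW/ESTABLISHED, client side to ESTABLISHED.
STATEFUL_INPUT = [
    {"proto": "tcp", "dport": 22, "src": "192.168.2.0/24", "state": {"NEW", "ESTABLISHED"}, "target": "ACCEPT"},
    {"proto": "tcp", "sport": 22, "state": {"ESTABLISHED"}, "target": "ACCEPT"},
]

def ssh_demo():
    """Constructed packets evaluated against both INPUT chains (policy DROP): (stateless, stateful)."""
    packets = {
        # reply from an SSH server this host connected to; conntrack already tracks the flow
        "reply": {"proto": "tcp", "src": "192.168.1.50", "sport": 22, "dport": 40000, "state": "ESTABLISHED"},
        # unsolicited packet that merely carries source port 22; conntrack sees a NEW flow
        "spoofed": {"proto": "tcp", "src": "203.0.113.9", "sport": 22, "dport": 445, "state": "NEW"},
        # a LAN host opening a fresh SSH session to this server
        "lan_ssh": {"proto": "tcp", "src": "192.168.2.10", "sport": 51000, "dport": 22, "state": "NEW"},
        # the same session attempt from outside the LAN
        "wan_ssh": {"proto": "tcp", "src": "203.0.113.9", "sport": 51000, "dport": 22, "state": "NEW"},
    }
    return {name: (evaluate(STATELESS_INPUT, p), evaluate(STATEFUL_INPUT, p))
            for name, p in packets.items()}
```

The stateless chain accepts the spoofed packet and the SSH attempt from outside the LAN; the stateful chain from this section drops both while still letting the legitimate reply and the LAN session through.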

5. Web and FTP (custom rules)

# setup   // turn off the firewall's system default rules


# iptables -L      // system default rules all off
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

(1) For a web server (port 80)


# iptables -t filter -A INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -t filter -A OUTPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

(2) For an FTP server

# iptables -t filter -A INPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -t filter -A OUTPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
# iptables -t filter -A INPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
# iptables -t filter -A OUTPUT -p tcp --sport 20 -m state --state NEW,ESTABLISHED -j ACCEPT
# modprobe ip_nat_ftp

6. Web and FTP (system default rules)

# setup   // turn on the firewall's system default rules


# iptables -L    // system default rules, all on
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Rules for opening FTP [screenshot of the setup firewall tool (Ftp.png) not reproduced]

Rules for opening the web [screenshot of the setup firewall tool (Www.png) not reproduced]

# iptables -L -n --line-numbers    // overall default rules with FTP and web opened
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80
6    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:21
7    REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
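As an added example (not from the original article), a small Python parser for the `iptables -L` listings shown in the SNAT case and in this section, with two checks a practitioner would run on such output: whether a chain still carries the distro's catch-all REJECT (the rule that blocked forwarding in the SNAT case until FORWARD was flushed) and which TCP ports a chain accepts. The sample listing is constructed in the layout of `iptables -L -n --line-numbers`; the column names are read from each chain's header, so `-v` listings with pkts/bytes/in/out columns parse too.

```python
import re

# Constructed sample in the layout of `iptables -L -n --line-numbers` (values made up for the demo).
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80
4    REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\w+))?")

def parse_listing(text):
    """Parse `iptables -L` output (with or without -v / --line-numbers) into {chain: {"policy", "rules"}};
    column names come from each chain's header line, match text after `destination` lands in "extra"."""
    chains, current, columns = {}, None, []
    for line in filter(str.strip, text.splitlines()):   # skip blank lines between chains
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
            continue
        words = line.split()
        if words[0] in ("num", "pkts", "target"):        # header row defines the columns
            columns = words
            continue
        parts = line.split(None, len(columns))           # keep trailing match text in one piece
        rule = dict(zip(columns, parts))
        rule["extra"] = parts[len(columns)] if len(parts) > len(columns) else ""
        chains[current]["rules"].append(rule)
    return chains

def chain_rejects_everything(chains, name):
    """True if chain `name` has a catch-all REJECT/DROP: the distro default that
    blocked forwarding in the SNAT case until the FORWARD chain was flushed."""
    return any(r["target"] in ("REJECT", "DROP") and r["prot"] == "all"
               and r["source"] == r["destination"] == "0.0.0.0/0"
               and r.get("in", "*") == "*" and r.get("out", "*") == "*"
               for r in chains.get(name, {}).get("rules", []))

def accepted_tcp_ports(chains, name):
    """Numeric destination ports that chain `name` ACCEPTs (listing must be made with -n)."""
    extras = " ".join(r["extra"] for r in chains.get(name, {}).get("rules", [])
                      if r["target"] == "ACCEPT")
    return {int(p) for p in re.findall(r"\btcp dpt:(\d+)", extras)}
```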


V. Saving the rules

# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]

All rules are saved in /etc/sysconfig/iptables.

This article is from the "Promise" blog; please keep this source: http://yinuoqianjin.blog.51cto.com/8360868/1413060
