Firewall in Linux

Introduction to the Linux firewall: before a network packet reaches a service it passes, in order, through the firewall, the server program (account verification), SELinux, and finally the file system (rwx permissions and so on). Firewalls fall into three main categories: 1. Netfilter (packet filtering); 2. TCP Wrappers (program control); 3. Proxy (proxy server). What Netfilter can do: 1. refuse Internet packets destined for certain ports on the host; 2. reject packets from certain source IP addresses; 3. reject packets carrying certain special flags; 4. inspect the hardware (MAC) address to decide whether a connection is allowed.
TCP Wrappers: a firewall-like mechanism managed through the two files /etc/hosts.allow and /etc/hosts.deny. Not all software can be controlled through these two files; only the following can: 1. services managed by the super daemon (xinetd); 2. services that support the libwrap.so module.
Proxy: proxy server.

Netfilter (the iptables mechanism): because iptables is by far the most widely used, only the Netfilter/iptables firewall is detailed here; for the other two, look them up yourself.
Introduction to iptables. Note: before a network packet enters the host it is first checked by Netfilter, that is, by the iptables rules. If a rule accepts it (ACCEPT), it enters the local machine and can use its resources; if it is refused it may be discarded (DROP)! The main point is this: the rules are ordered! For example, when a packet is compared against Rule 1 and matches, the packet takes Action 1 and the subsequent Rule 2, Rule 3, ... are not consulted at all.

Linux iptables has at least three tables: filter, for packets entering and leaving the local host; nat, for managing back-end hosts (the computers behind the firewall); and mangle, for special packet marking (rarely used). Only filter is introduced here; it has three chains: 1. INPUT: packets that want to enter our Linux host; 2. OUTPUT: packets sent out by our Linux host; 3. FORWARD: packets that have nothing to do with the Linux host itself and are "forwarded" to the computers behind it; this chain is closely related to the nat table.
iptables syntax. Viewing and clearing rules. View:

[root@www ~]# iptables [-t tables] [-L] [-nv]
Options and parameters:
-t: followed by a table name such as nat or filter; if omitted, the default filter table is used.
-L: list the rules of the current table.
-n: do not resolve IP addresses to hostnames, which makes the listing much faster!
-v: list more information, including the packet and byte counters and the network interfaces involved.

For example: iptables -L -n. The iptables-save command can also be used to view the firewall rules.
Clear:
[root@www ~]# iptables [-t tables] [-FXZ]
Options and parameters:
-F: flush all rules that have been defined;
-X: delete all user-defined chains;
-Z: reset the packet and byte counters of all chains to zero.
Define the default policy:
[root@www ~]# iptables [-t nat] -P [INPUT,OUTPUT,FORWARD] [ACCEPT,DROP]
Options and parameters:
-P: define the policy (note that P is uppercase!)
ACCEPT: the packet is accepted.
DROP: the packet is silently discarded, so the client does not know why it was dropped.
For the local default policy, if you trust your internal users, the INPUT chain of the filter table can be defined strictly while FORWARD and OUTPUT are left loose!
Example: set the local INPUT policy to DROP and the others to ACCEPT:
[root@www ~]# iptables -P INPUT DROP
[root@www ~]# iptables -P OUTPUT ACCEPT
[root@www ~]# iptables -P FORWARD ACCEPT


Basic packet matching: IP, network, and interface device:
[root@www ~]# iptables [-AI chain] [-io interface] [-p protocol] [-s source-IP/network] [-d destination-IP/network] -j [ACCEPT|DROP|REJECT|LOG]
Options and parameters:
-AI chain: "insert" or "append" a rule.
  -A: append the rule after the existing rules; if there are already four rules, -A adds the fifth!
  -I: insert a rule; if no position is given it becomes the first rule by default. With four existing rules, -I makes the new rule number one and the old rules become numbers two to five.
  chain: INPUT, OUTPUT, FORWARD, etc. The chain is related to -i/-o, see below.
-io interface: the interface on which the packet enters or leaves.
  -i: the interface the packet comes in on, such as eth0 or lo.
  -o: the interface the packet goes out on; must be used with the OUTPUT chain.
-p protocol: the packet type this rule applies to: tcp, udp, icmp, or all.
-s source-IP/network: the source of the packet; a single IP or a whole network, e.g. IP: 192.168.0.100, network: 192.168.0.0/24 or 192.168.0.0/255.255.255.0. To negate the match, add "!": -s ! 192.168.100.0/24 means the rule applies to packets whose source is not in 192.168.100.0/24, i.e. sources in 192.168.100.0/24 are excluded.
-d destination-IP/network: same as -s, but for the destination IP or network.
-j target: the action to take: ACCEPT, DROP, REJECT, or LOG.
TCP and UDP rule matching: port settings:
[root@www ~]# iptables [-AI chain] [-io interface] [-p tcp,udp] [-s source-IP/network] [--sport port-range] [-d destination-IP/network] [--dport port-range] -j [ACCEPT|DROP|REJECT]
Options and parameters:
--sport port-range: the source port number; a contiguous range can be given, e.g. 1024:65535.
--dport port-range: the destination port number.
Note: because only tcp and udp packets have ports, you must add -p tcp or -p udp whenever you want to use --dport or --sport.
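To make the "rules are ordered" point concrete, here is an added example (not from the original post and not iptables itself): a plain-shell simulation of a chain's first-match walk over a constructed rule set, using the -A (append) and -I (insert) semantics described above. The rule format, the host 192.168.1.200 and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): a plain-shell simulation of
# the first-match walk an iptables chain performs, to show why -A and -I
# give different verdicts. Nothing here calls iptables, so it runs anywhere.
# Rule format (constructed): <proto|all> <src /24|/32|any> <dport|any> <target>
NL='
'
CHAIN=""        # the simulated INPUT chain, one rule per line
POLICY="DROP"   # default policy, as in: iptables -P INPUT DROP
rule_append() { CHAIN="${CHAIN}${1}${NL}"; }   # iptables -A: add at the end
rule_insert() { CHAIN="${1}${NL}${CHAIN}"; }   # iptables -I: put at position 1

# does rule source $1 cover packet source $2? handles any, a /24, or a /32
src_matches() {
    case "$1" in
        any)  return 0 ;;
        */24) [ "${1%.*/24}" = "${2%.*}" ] ;;
        *)    [ "${1%/32}" = "$2" ] ;;
    esac
}
# walk the chain top to bottom; the first matching rule decides the verdict
# usage: evaluate <proto> <src-ip> <dport>  -> prints ACCEPT/DROP/REJECT
evaluate() {
    proto="$1"; src="$2"; dport="$3"
    verdict=$(printf '%s' "$CHAIN" | while read -r r_proto r_src r_dport r_target; do
        [ -z "$r_proto" ] && continue
        { [ "$r_proto" = all ] || [ "$r_proto" = "$proto" ]; } || continue
        src_matches "$r_src" "$src" || continue
        { [ "$r_dport" = any ] || [ "$r_dport" = "$dport" ]; } || continue
        echo "$r_target"; break      # later rules are never consulted
    done)
    echo "${verdict:-$POLICY}"       # no rule matched: chain policy applies
}

# Same three rules in two orders. Host 192.168.1.200 (constructed) is meant to
# be blocked, but the intranet ACCEPT also covers it: order decides the verdict.
build_chain_drop_first() {
    CHAIN=""
    rule_append "tcp 192.168.1.0/24 any ACCEPT"   # -A: intranet TCP
    rule_append "tcp any 22 ACCEPT"               # -A: SSH from anywhere
    rule_insert "all 192.168.1.200/32 any DROP"   # -I: lands at the top
}
build_chain_drop_last() {
    CHAIN=""
    rule_append "tcp 192.168.1.0/24 any ACCEPT"
    rule_append "tcp any 22 ACCEPT"
    rule_append "all 192.168.1.200/32 any DROP"   # -A: never reached
}
```

With the DROP appended last, 192.168.1.200 is still accepted by the first rule; only the inserted version blocks it.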
iptables plug-in modules: mac and state:
[root@www ~]# iptables -A INPUT [-m state] [--state ...]
Options and parameters:
-m: iptables plug-in modules, including:
  state: the connection state module
  mac: the network card hardware address
--state: the connection state of the packet, mainly:
  INVALID: invalid packets, for example damaged packets;
  ESTABLISHED: a successfully established connection;
  NEW: a packet that wants to establish a new connection;
  RELATED: the most common one! the packet is related to a connection our host sent out.
--mac-source: the MAC address of the source host!
ICMP packet rule matching, mainly used to decide whether to respond to ping. Background: the ICMP protocol has many ICMP types, and many ICMP packets are used for network diagnostics, so it is best not to discard all ICMP packets! If the host is not used as a router, we usually only drop ICMP type 8 (echo request), so that remote hosts cannot tell whether we exist and get no ping response.
[root@www ~]# iptables -A INPUT [-p icmp] [--icmp-type type] -j ACCEPT
Options and parameters:
--icmp-type: must be followed by the ICMP type, which can also be given as its number; for example, 8 means echo request.
Kernel IPv4 management functions: /proc/sys/net/ipv4/*
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
One kind of denial of service (DoS) attack exploits the SYN three-way handshake of TCP; it is called SYN flooding. The command above enables the kernel's SYN cookie module to counter it.
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
This makes the kernel automatically ignore ping requests. In /proc/sys/net/ipv4 there are icmp_echo_ignore_broadcasts (only pings to a broadcast address are ignored) and icmp_echo_ignore_all (all ping requests are ignored).
/proc/sys/net/ipv4/conf/<interface>/*
rp_filter: reverse path filtering. By combining the interface's routing information with the packet's source address, the kernel judges whether the packet is plausible. For example, with two NICs, eth0 at 192.168.1.10/24 and eth1 on a public IP, a packet that claims to arrive on eth1 but has the source 192.168.1.200 is implausible and should be discarded. Enabling this setting is recommended.
log_martians: when set, records packets with an invalid source IP, e.g. 0.0.0.0, 127.x.x.x, or class E addresses, since such sources should never appear on the Internet. By default the kernel writes these records to the log file /var/log/messages.
accept_source_route: whether to accept packets carrying the IP source-route option.
accept_redirects: suppose a router sits in one physical segment that carries two IP networks, e.g. 192.168.0.0/24 and 192.168.1.0/24. When 192.168.0.100 sends to 192.168.1.100, the router may send an ICMP redirect telling 192.168.0.100 to send directly to 192.168.1.100 instead of through the router: since both hosts are on the same physical wire and can talk directly, the router tells the source to use the shortest path. However, two hosts in different IP networks cannot really exchange messages that way! This setting also carries some minor security risks, so disabling it is recommended.
send_redirects: similar to the previous one, but controls whether this host sends ICMP redirect packets. Disabling it is recommended.
The following example script is for a CentOS 7 server:
#!/bin/bash
# NIC information, environment variables
EXTIF="eno1"              # public network interface
INIF="eno16777736"        # internal LAN interface
INNET="192.168.1.0/24"    # intranet
FILEDIR="/usr/local/erdangjiade/iptables/"   # storage path of the allow and deny files
export EXTIF INIF INNET FILEDIR

# Set the kernel network functions
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
for i in /proc/sys/net/ipv4/conf/*/{rp_filter,log_martians}; do
    echo "1" > $i
done
for i in /proc/sys/net/ipv4/conf/*/{accept_source_route,accept_redirects,send_redirects}; do
    echo "0" > $i
done

# Set the rules
PATH=/sbin:/usr/sbin:/bin:/usr/local/sbin:/usr/local/bin; export PATH
iptables -F
iptables -X
iptables -Z
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -i $INIF -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow ping from the intranet
iptables -A INPUT -i $INIF -p icmp -j ACCEPT
# Individual settings
if [ -f ${FILEDIR}iptables.deny ]; then
    sh ${FILEDIR}iptables.deny
fi
if [ -f ${FILEDIR}iptables.allow ]; then
    sh ${FILEDIR}iptables.allow
fi
# Prevent large volumes of ping (commented out): accept only the listed ICMP
# types on the public interface; type 8 (echo request) is not among them
# AICMP="0 3 3/4 4 11 12 14 16 18"
# for tyicmp in $AICMP
# do
#   iptables -A INPUT -i $EXTIF -p icmp --icmp-type $tyicmp -j ACCEPT
# done
# Open the ports of certain services
# SSH
iptables -A INPUT -p tcp -i $EXTIF --dport 22 --sport 1024:65534 -j ACCEPT
# WWW
iptables -A INPUT -p tcp -i $EXTIF --dport 80 --sport 1024:65534 -j ACCEPT
# Save the preceding changes (on CentOS 7 this needs the iptables-services package)
service iptables save
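As an added example (not part of the original post), the following audits a host's current kernel IPv4 settings against the values the kernel section above recommends and the script applies. It reads "key = value" lines in the format that `sysctl net.ipv4` prints; the sample output embedded here is constructed, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): audit a host's kernel IPv4
# settings against the values the post recommends. Input is "key = value"
# text in the format `sysctl net.ipv4` prints, read from stdin, so it works
# on real output or on the constructed sample below.

# recommended value for a leaf key, as the post sets it; empty if not covered
recommended() {
    case "$1" in
        tcp_syncookies|icmp_echo_ignore_broadcasts|rp_filter|log_martians) echo 1 ;;
        accept_source_route|accept_redirects|send_redirects) echo 0 ;;
        *) echo "" ;;
    esac
}

# read sysctl-style lines on stdin; print "<key> current=<v> recommended=<r>"
# for each deviation; exit status 0 only when nothing deviates
audit_sysctl() {
    deviations=0
    while IFS= read -r line; do
        key="${line%% = *}"; val="${line##* = }"
        [ "$key" = "$line" ] && continue          # not a "key = value" line
        want="$(recommended "${key##*.}")"        # per-interface keys -> leaf
        [ -z "$want" ] && continue                # setting not covered here
        if [ "$val" != "$want" ]; then
            echo "$key current=$val recommended=$want"
            deviations=$((deviations + 1))
        fi
    done
    [ "$deviations" -eq 0 ]
}

# constructed sample (not captured from a real host): eth1 lacks reverse
# path filtering and accepts ICMP redirects, and broadcast pings are answered
SAMPLE='net.ipv4.tcp_syncookies = 1
net.ipv4.icmp_echo_ignore_broadcasts = 0
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.eth1.rp_filter = 0
net.ipv4.conf.eth1.accept_redirects = 1
net.ipv4.conf.eth1.log_martians = 1
net.ipv4.ip_forward = 1'

# number of deviating settings in SAMPLE (3)
count_sample_deviations() {
    printf '%s\n' "$SAMPLE" | audit_sysctl | wc -l | tr -d ' '
}
```

On a live host, `sysctl net.ipv4 | audit_sysctl` lists every interface whose setting differs from what the script above writes.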
Reference: laruence's private kitchen, Server
If reprinting, please credit the original source: http://blog.csdn.net/u012367513/article/details/40628197
