Currently, firewalls are divided into three types: packet filtering, application proxy, and stateful inspection.
Packet filtering firewall: the static packet filtering firewall is no longer available in the market; it has been replaced by the dynamic packet filtering firewall.
Proxy firewall: the protection of a packet filtering firewall can be broken through easily by some special packet attacks, such as the well-known SYN attacks and ICMP flood attacks. Therefore the application proxy firewall emerged, which uses a proxy server as a dedicated data forwarding channel for user confidentiality or access restriction. It uses a newer technology, application protocol analysis.
Stateful inspection firewall: developed from dynamic packet filtering technology, it adds a state inspection module and a session filtering function. Session state is retained only for a limited time, and this kind of firewall can also analyze packet contents, which avoids having to open too many ports.
Netfilter/iptables: the IP packet filtering system is actually composed of two components, netfilter and iptables.
Netfilter is the part integrated into the kernel; it defines and stores the corresponding rules. iptables is the user-space tool used to modify the filtering rules and other configuration; we use iptables to set rules that suit our enterprise's needs, and these rules are stored in kernel space. Netfilter is a general architecture in the Linux kernel. It provides a series of tables; each table is composed of several chains, and each chain can be composed of one or more rules. In other words, netfilter is a table container, a table is a chain container, and a chain is a rule container.
Filter table
Nat table
Mangle table
iptables built-in chains
PREROUTING: before a packet enters routing on the local machine
INPUT: after routing, for packets whose destination is the local machine
FORWARD: after routing, for packets whose destination is not the local machine
OUTPUT: for packets generated by the local machine and sent out
POSTROUTING: after routing, before the packet is sent out on the network interface
(Figure: relationship between the five netfilter chains, i.e. the iptables packet forwarding flowchart.)
Iptables workflow
iptables has three tables and five chains.
Iptables detailed parameter table
Basic iptables syntax
iptables [-t table] command [match] -j target
iptables has three built-in tables: filter, nat, and mangle. The -t parameter selects which table the command operates on; if -t is omitted, the filter table is used by default.
Use man iptables to look up the specific command parameters.
Basic syntax for configuring SNAT
iptables -t nat -A POSTROUTING -o <network interface> -j SNAT --to-source <IP address>
Syntax for configuring DNAT
iptables -t nat -A PREROUTING -i <network interface> -p <protocol> --dport <port> -j DNAT --to-destination <IP address>
Enterprise environment and requirements
1. enterprise environment
230 clients, IP address range 192.168.0.1 ~ 192.168.0.254, subnet mask 255.255.255.0
Mail server: IP address 192.168.1.1, subnet mask 255.255.255.0
FTP server: IP address 192.168.1.2, subnet mask 255.255.255.0
Web server: IP address 192.168.1.3, subnet mask 255.255.255.0
The company's network topology is shown below:
2. enterprise requirements
All intranet computers need to access the Internet frequently, and employees use instant messaging tools to communicate with customers. The DMZ of the enterprise network hosts the Mail, FTP, and Web servers. The Mail and FTP servers are open only to internal staff; only the website is published to external users, and the administrator manages the servers remotely through the Internet. To ensure the security of the entire network, an iptables firewall must be added and the corresponding policies configured.
Requirement Analysis
To ensure security, the firewall for the enterprise's internal network first needs to delete all existing rules and set the default policy to DROP, then restrict client access by opening only the ports needed for Web, MSN, QQ, and mail, and allow external clients to reach ports 80 and 22 of the Web server.
Solution
1. configure the default policy
iptables is assumed to be installed already.
(1) delete existing rules
iptables -F: clears the rules of the selected chain. If no chain is specified, the rules of all chains in the specified table are cleared.
iptables -X: deletes the user-defined chains in the specified table (the filter table by default).
iptables -Z: zeroes the packet and byte counters of the chains in the specified table (the filter table by default).
(2) set the default policy
By default the INPUT, FORWARD, and OUTPUT chains of the filter table and the PREROUTING, OUTPUT, and POSTROUTING chains of the nat table all have the policy ACCEPT. Because every chain accepts by default, the commands for chains that should keep that policy can be omitted. The mangle table is not used in this article, so it is not processed; mangle is mainly used for special modifications to packets, such as changing the TOS field.
2. set the loopback address
Some services use the loopback address for testing. To ensure that every service operates normally, loopback communication must be allowed; if it is not, some services cannot start.
iptables -A INPUT -i lo -j ACCEPT
3. connection status settings
To simplify the firewall configuration and improve inspection efficiency, add a connection state rule.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Connection tracking distinguishes four packet states:
NEW: a packet that starts a new connection
INVALID: an invalid packet, such as a corrupted or incomplete one
ESTABLISHED: a packet belonging to an already established connection
RELATED: a packet associated with an existing connection
4. configure port 80 forwarding
The company's website needs to be open to the outside world, so port 80 must be opened.
iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
5. DNS settings
For clients to access the Internet normally by domain name, forwarding between intranet computers and external DNS servers must also be allowed.
DNS uses UDP and TCP port 53:
iptables -A FORWARD -p tcp --dport 53 -j ACCEPT
iptables -A FORWARD -p udp --dport 53 -j ACCEPT
6. SSH access to the server
The administrator performs remote management over the Internet, so TCP port 22, used by SSH, must be opened.
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
7. allow Intranet hosts to log on to MSN and QQ settings
QQ can log on using TCP 80, 8000, and 443 and UDP 8000 and 4000, while MSN authenticates over TCP 1863 and 443. Therefore it is only necessary to allow FORWARD forwarding of these ports for logon to work normally.
iptables -A FORWARD -p tcp --dport 1863 -j ACCEPT
iptables -A FORWARD -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -p tcp --dport 8000 -j ACCEPT
iptables -A FORWARD -p udp --dport 8000 -j ACCEPT
iptables -A FORWARD -p udp --dport 4000 -j ACCEPT
Note: conversely, if you want to restrict the use of such instant messaging tools, you only need to block forwarding of these ports.
Special note: QQ is troublesome here, because its ports are not fixed (member VIP dedicated channels, proxy logon, and so on). To block it reliably you would need to collect the complete list of logon ports and QQ server addresses. In an actual enterprise configuration it is best to combine technical and administrative measures to get the best effect.
8. allow Intranet hosts to send and receive emails
When sending mail, the client accesses TCP port 25 of the mail server. When receiving mail, several ports may be used: UDP and TCP ports 110, 143, 993, and 995.
SMTP:
iptables -A FORWARD -p tcp --dport 25 -j ACCEPT
POP3:
iptables -A FORWARD -p tcp --dport 110 -j ACCEPT
iptables -A FORWARD -p udp --dport 110 -j ACCEPT
IMAP:
iptables -A FORWARD -p tcp --dport 143 -j ACCEPT
iptables -A FORWARD -p udp --dport 143 -j ACCEPT
IMAPS:
iptables -A FORWARD -p tcp --dport 993 -j ACCEPT
iptables -A FORWARD -p udp --dport 993 -j ACCEPT
POP3S:
iptables -A FORWARD -p tcp --dport 995 -j ACCEPT
iptables -A FORWARD -p udp --dport 995 -j ACCEPT
9. NAT address mapping settings
Because LAN addresses are private, they are not valid on the Internet; the private IP addresses must therefore be translated to the server's external IP address. The interface connected to the Internet is ppp0.
iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.0.0/24 -j MASQUERADE
MASQUERADE works like SNAT in that it provides source address translation. However, MASQUERADE is intended for an external interface with a dynamic IP address and does not need --to-source to specify the address to translate to. If the network accesses the Internet by dial-up without a static external IP address (mainly dynamic addressing such as ADSL dial-up and DHCP connections), MASQUERADE is recommended.
Note: MASQUERADE is a special rule; it can only map traffic leaving through a given interface.
10. publish a WEB site on an intranet machine
The IP address of the Web server is 192.168.1.3 (as given in the environment above). The following rule is needed so that when a public network client accesses the server, the firewall maps the request to port 80 of 192.168.1.3.
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.3:80
11. save and restore iptables configuration
Save: iptables-save
iptables-save [-c] [-t table]
-c: save the values of the packet and byte counters, so packet and byte statistics are not lost after the firewall restarts.
-t: save only the rules of the given table; without -t, all tables are saved.
Use shell redirection to save the rule set to a file:
iptables-save > /etc/iptables-save
Restore: iptables-restore
iptables-restore [-c] [-n]
-c: also load the packet and byte counters.
-n: do not overwrite existing rules; by default all existing rules are cleared first.
Use redirection to restore the rule set saved by iptables-save:
iptables-restore < /etc/iptables-save
Run this so that the rules take effect again after a service or system restart.
12. Finally, check the resulting nat configuration yourself.
Note:
SNAT translates the source address and can only be used in the POSTROUTING chain of the nat table. If the first packet of a connection matches an SNAT rule, all subsequent packets of that connection are SNATed automatically. Correspondingly, DNAT translates the destination address and can only be used in the PREROUTING and OUTPUT chains of the nat table, or in chains called from those two chains. A chain containing DNAT cannot be called from any other chain, such as the POSTROUTING chain.
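Steps 1 to 12 above assembled into one script, as an added example (not the article's own script). It assumes the article's addresses (LAN 192.168.0.0/24, Internet interface ppp0, Web server 192.168.1.3), sets the DROP default policy that the requirement analysis asks for, restricts the forwarded service rules to the LAN as source, adds the FORWARD rule the DNAT needs once FORWARD defaults to DROP, and omits the UDP mail rules because POP3/IMAP and their TLS variants are TCP-only.

```shell
#!/bin/sh
# Added example for this article's scenario, not the page's own script.
# Assumed values come from the "enterprise environment" section above.
IPT="${IPT:-iptables}"     # set IPT=dryrun to print the rules instead
LAN_NET="192.168.0.0/24"
WAN_IF="ppp0"
WEB_SRV="192.168.1.3"

dryrun() { printf '%s\n' "$*"; }

# Installs the complete ruleset; returns non-zero at the first failed command.
apply_firewall() {
    # 1. flush all rules, user chains and counters in filter and nat
    $IPT -F && $IPT -X && $IPT -Z && $IPT -t nat -F || return 1
    # 2. loopback
    $IPT -A INPUT -i lo -j ACCEPT || return 1
    # 3. stateful rules: replies to allowed traffic pass, in both directions
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT || return 1
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT || return 1
    # 4-8. services the LAN may reach: HTTP/HTTPS, MSN, QQ, SMTP, POP3, IMAP
    for p in 80 443 1863 8000 25 110 143 993 995; do
        $IPT -A FORWARD -s "$LAN_NET" -p tcp --dport "$p" -j ACCEPT || return 1
    done
    for p in 53 8000 4000; do   # DNS and QQ over UDP
        $IPT -A FORWARD -s "$LAN_NET" -p udp --dport "$p" -j ACCEPT || return 1
    done
    $IPT -A FORWARD -s "$LAN_NET" -p tcp --dport 53 -j ACCEPT || return 1
    # 6. SSH to the firewall for the administrator (add -s <admin IP> to narrow it)
    $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT || return 1
    # 9. masquerade LAN traffic leaving through the dial-up interface
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE || return 1
    # 10. publish the DMZ web server: DNAT plus the FORWARD accept it needs,
    #     since FORWARD will default to DROP and the LAN-only rules do not match
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 \
         -j DNAT --to-destination "$WEB_SRV:80" || return 1
    $IPT -A FORWARD -i "$WAN_IF" -d "$WEB_SRV" -p tcp --dport 80 -j ACCEPT || return 1
    # default policies last, so an admin's existing SSH session is not cut off
    # while the rules above are still loading
    $IPT -P INPUT DROP && $IPT -P FORWARD DROP && $IPT -P OUTPUT ACCEPT || return 1
    # 11. persist the result (skipped in dry-run mode)
    [ "$IPT" = iptables ] && iptables-save > /etc/iptables-save
    return 0
}

# Dry-run helpers: inspect the generated ruleset without root privileges.
rules() { IPT=dryrun apply_firewall; }
rule_count() { rules | grep -c -E -- '(^| )-A '; }
```

Run `IPT=dryrun sh firewall.sh` (or call rules) to review the generated commands before applying them as root.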
To block access to a domain name, edit the hosts file directly. I don't know how much that is actually used!!!