Iptables details

Source: Internet
Author: User


Iptables Introduction

Netfilter/iptables (iptables for short) is the packet filtering firewall of the Linux platform. Like most Linux software it is free of charge, and it can replace expensive commercial firewall products to implement packet filtering, packet redirection, and network address translation (NAT).

Iptables Basics


A rule is a condition predefined by the network administrator, generally of the form "if the packet header meets this condition, handle the packet in this way". Rules are stored in the packet filtering table in kernel space. They specify the source address, destination address, transport protocol (such as TCP, UDP, and ICMP) and service type (such as HTTP, FTP, and SMTP). When a packet matches a rule, iptables handles it according to the action the rule defines, such as accept, reject, or drop. The main task of configuring the firewall is adding, modifying, and deleting these rules.

 

Relationship between iptables and netfilter:

This is the first thing to clear up, because the relationship between iptables and netfilter confuses many users: they know iptables but have never heard of netfilter. In fact, iptables is only the management tool for the Linux firewall, located at /sbin/iptables. Netfilter is the component inside the Linux kernel that actually implements packet filtering.

 

Iptables packet transmission process

① When a packet enters the NIC, it first enters the PREROUTING chain, and the kernel then determines from the destination IP address whether the packet is for the local machine or must be forwarded.
② If the packet is destined for the local machine, it moves down the diagram to the INPUT chain. After passing the INPUT chain it is delivered to the local process that is waiting for it. Programs on the local machine can in turn send packets, which pass through the OUTPUT chain and then the POSTROUTING chain before leaving.
③ If the packet is to be forwarded and the kernel allows forwarding, the packet moves to the right through the FORWARD chain and then to the POSTROUTING chain before it is sent out.

 

Rules table and chain of iptables:

A table provides a specific function. iptables has four built-in tables: filter, nat, mangle, and raw, used respectively for packet filtering, network address translation, packet modification (mangling), and exempting packets from connection tracking.

A chain is the path along which a packet propagates. Each chain is really a checklist of rules, and a chain can hold one or more rules. When a packet arrives at a chain, iptables checks it against the first rule of the chain to see whether it meets the conditions that rule defines. If it does, the packet is handled according to the action defined by that rule; otherwise iptables moves on to the next rule. If the packet matches none of the rules in the chain, iptables handles it according to the chain's predefined default policy.

iptables uses a hierarchy of "tables" and "chains". RHEL4 had three tables and five chains; RHEL5 has four tables and five chains, but the extra table is rarely used, so things are essentially as before. The four tables and five chains are listed below; make sure you understand how they relate to each other and what each one does.

Rule table:

1. filter table -- three chains: INPUT, FORWARD, OUTPUT
Purpose: filter packets. Kernel module: iptable_filter
2. nat table -- three chains: PREROUTING, POSTROUTING, OUTPUT
Purpose: network address translation (IP address, port). Kernel module: iptable_nat
3. mangle table -- five chains: PREROUTING, POSTROUTING, INPUT, OUTPUT, FORWARD
Purpose: modify the type of service and TTL of packets and set marks used by routing to implement QoS. Kernel module: iptable_mangle (although this table looks complicated, it is hardly ever used when writing policies)
4. raw table -- two chains: OUTPUT, PREROUTING
Purpose: decide whether a packet is processed by the connection tracking mechanism. Kernel module: iptable_raw
(This table does not exist in RHEL4, but don't worry about it; it is rarely used)

 

Rule chain:


1. INPUT -- the rules in this chain apply to packets entering the local machine
2. OUTPUT -- the rules in this chain apply to packets leaving the local machine
3. FORWARD -- the rules in this chain apply to packets being forwarded
4. PREROUTING -- the rules in this chain apply before the packet is routed
(Remember! Every incoming packet is processed by this chain first)
5. POSTROUTING -- the rules in this chain apply after the routing decision has been made
(Every outgoing packet is processed by this chain last)


Priority between rule tables:

raw -- mangle -- nat -- filter

Priority between rule chains (three cases):

First case: inbound data flow

Packets arriving at the firewall from the outside are first processed by the PREROUTING chain (where the packet address may be modified), and then routing decides where the packet should go. If the packet's destination is the firewall host itself (for example, an Internet user accessing a web server running on the firewall host), the kernel hands the packet to the INPUT chain (which decides whether to let it through), and it is then passed up to the application (such as the Apache server) for a response.

Second case: forwarded data flow

Packets arriving from outside the firewall are first processed by the PREROUTING chain and then routed. If the packet's destination is some other external address (for example, a LAN user reaching the QQ site through the firewall acting as gateway), the kernel hands it to the FORWARD chain (which decides whether to forward or intercept it), and then to the POSTROUTING chain (where the packet address may be modified, etc.).

Third case: outbound data flow

Packets sent by the firewall host itself to external addresses (for example, when the firewall host queries a public DNS server) are first processed by the OUTPUT chain, then routed, and then handed to the POSTROUTING chain (where the packet address may be modified, etc.).

Manage and set iptables rules

Basic syntax format of iptables

iptables [-t table] command-option [chain] [match conditions] [-j target or jump]
Note: the table name and chain name specify which table and chain the iptables command operates on. The command option specifies how the rules are managed (insert, append, delete, list, and so on). The match conditions specify which packets the rule applies to. The target (or jump) specifies what to do with matching packets: allow them through, reject them, drop them, or jump to another chain for further processing.

 

iptables command options for managing rules

-A (append): add a new rule at the end of the specified chain
-D (delete): delete a rule from the specified chain, by rule number or by rule content
-I (insert): insert a new rule into the specified chain; by default it becomes the first rule
-R (replace): modify or replace a rule in the specified chain, by rule number or by rule content
-L (list): list all rules in the specified chain for viewing
-E (rename-chain): rename a user-defined chain without changing its contents
-F (flush): clear all rules in the specified chain, or in all chains if none is given
-N (new-chain): create a user-defined chain
-X (delete-chain): delete a user-defined chain
-P (policy): set the default policy of the specified chain
-Z (zero): reset the byte and packet counters of all chains in all tables
-n (numeric): show addresses and ports in numeric form in the output
-v (verbose): show the rules in detail
-V (version): show the version
-h (help): show help

Four ways the firewall can handle a packet

ACCEPT: let the packet through
DROP: discard the packet silently, with no response to the sender
REJECT: refuse the packet and, where appropriate, send an error response back to the sender
LOG: record the packet in the /var/log/messages file, then continue with the next rule

 

Save and restore iptables firewall rules

iptables-save writes the rules to a file, which the init script under rc.d (/etc/rc.d/init.d/iptables) then loads automatically.

Use the command iptables-save to save the rules; generally:

iptables-save > /etc/sysconfig/iptables

This generates the file /etc/sysconfig/iptables that holds the saved rules.

You can also use

service iptables save

which saves the rules to /etc/sysconfig/iptables automatically.

When the machine boots, the script under rc.d calls iptables-restore on this file, so the rules are restored automatically.
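As an added example (not from the original article), the following shell script parses a constructed dump in the iptables-save format that /etc/sysconfig/iptables holds and flags built-in filter chains that default to ACCEPT while carrying no rules; SAMPLE_DUMP, chain_summary and open_chains are names chosen for this example.

```shell
#!/bin/sh
# Added example, not from the original article: an offline audit of an
# iptables-save dump, the format written to /etc/sysconfig/iptables above.
# The dump is constructed here; real files come from "iptables-save".
# Layout: *table / :CHAIN POLICY [pkts:bytes] / -A CHAIN ... / COMMIT

SAMPLE_DUMP='# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m multiport --dports 20,21,80 -j ACCEPT
-A INPUT -p tcp --dport 20450:20480 -j ACCEPT
-A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
COMMIT'

# chain_summary DUMP: one "table chain policy rule_count" line per chain
chain_summary() {
  printf '%s\n' "$1" | awk '
    /^\*/ { table = substr($1, 2); next }            # *filter, *nat, ...
    /^:/  { chain = substr($1, 2)                    # :INPUT DROP [0:0]
            key[++n] = table SUBSEP chain; policy[key[n]] = $2; next }
    /^-A/ { count[table SUBSEP $2]++; next }          # -A CHAIN ...
    END   { for (i = 1; i <= n; i++) { split(key[i], k, SUBSEP)
              printf "%s %s %s %d\n", k[1], k[2], policy[key[i]], count[key[i]] + 0 } }'
}

# open_chains DUMP: built-in filter chains whose default policy is ACCEPT
# and which hold no rule at all, i.e. traffic that nothing is filtering
open_chains() {
  chain_summary "$1" | awk '$1 == "filter" && $3 == "ACCEPT" && $4 == 0 { print $2 }'
}

chain_summary "$SAMPLE_DUMP"
echo "unfiltered ACCEPT chains: $(open_chains "$SAMPLE_DUMP" | tr '\n' ' ')"
```

Run it against a real dump with chain_summary "$(cat /etc/sysconfig/iptables)" to see which chains your saved policy leaves wide open.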

 

Delete the first rule of the INPUT chain

iptables -D INPUT 1

Common iptables firewall policies


1. Deny all ICMP packets entering the firewall

iptables -I INPUT -p icmp -j REJECT

 

2. Allow the firewall to forward all packets except ICMP

iptables -A FORWARD ! -p icmp -j ACCEPT

Note: "!" negates a condition.

 

3. Refuse to forward packets from the host 192.168.1.10, but allow packets from the network 192.168.0.0/24.

iptables -A FORWARD -s 192.168.1.10 -j REJECT
iptables -A FORWARD -s 192.168.0.0/24 -j ACCEPT

Note: put the REJECT rule in front; otherwise it has no effect.

 

4. Discard packets arriving at the firewall on the external interface (eth1) whose source address is a private network address

iptables -A INPUT -i eth1 -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i eth1 -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP

 

5. Block the network 192.168.1.0/24 and unblock it two hours later.

# iptables -I INPUT -s 192.168.1.0/24 -j DROP
# iptables -I FORWARD -s 192.168.1.0/24 -j DROP
# at now + 2 hours
at> iptables -D INPUT 1
at> iptables -D FORWARD 1
at> <EOT>

Note: it would be better to schedule this with crond.

 

6. Only allow the administrator to log on to the firewall host remotely over SSH from the network 202.13.0.0/16.

iptables -A INPUT -p tcp --dport 22 -s 202.13.0.0/16 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP

Note: this method suits remote device management, for example when a SQL server at a branch office must be managed by the company's administrators.
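The first-match traversal described in the rule-chain section above, and the rule ordering that rules 3 and 6 depend on, as an added example (not the article's own code): a POSIX shell simulator of a single chain. ip2int, in_cidr, evaluate_chain and ssh_verdict are names chosen for this example, and the client addresses are constructed.

```shell
#!/bin/sh
# Added example, not from the original article: a simulator for the
# first-match chain traversal described earlier. Rules arrive on stdin as
# "SRC DPORT TARGET" lines ("any" is a wildcard); the first matching rule
# decides, otherwise the chain's default policy applies.

ip2int() {                        # dotted quad -> 32-bit integer
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

in_cidr() {                       # in_cidr IP NET/BITS: true if IP lies in NET
  net=${2%/*}; bits=${2#*/}
  [ "$bits" = "$2" ] && bits=32   # a bare host address means /32
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

evaluate_chain() {                # evaluate_chain POLICY SRC_IP DPORT < rules
  policy=$1; src=$2; dport=$3
  while read -r rsrc rport target; do
    [ -z "$rsrc" ] && continue
    [ "$rsrc" = any ] || in_cidr "$src" "$rsrc" || continue
    [ "$rport" = any ] || [ "$rport" = "$dport" ] || continue
    echo "$target"; return 0      # first match wins; later rules are skipped
  done
  echo "$policy"                  # nothing matched: the default policy decides
}

# Constructed chains: rule 6 as the article writes it, and the same two
# rules in the opposite order.
RULE6_OK='202.13.0.0/16 22 ACCEPT
any 22 DROP'
RULE6_SWAPPED='any 22 DROP
202.13.0.0/16 22 ACCEPT'

ssh_verdict() {                   # ssh_verdict RULES SRC_IP -> verdict for port 22
  printf '%s\n' "$1" | evaluate_chain ACCEPT "$2" 22
}

echo "admin host, correct order:  $(ssh_verdict "$RULE6_OK" 202.13.7.1)"
echo "other host, correct order:  $(ssh_verdict "$RULE6_OK" 198.51.100.5)"
echo "admin host, swapped order:  $(ssh_verdict "$RULE6_SWAPPED" 202.13.7.1)"
```

With the two rule-6 lines swapped, the "any 22 DROP" rule matches the administrator's packet first and the ACCEPT below it is never consulted, which is exactly why the article's note about ordering matters.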

 

7. Allow the local machine to offer application services on TCP ports 20 through 1024.

iptables -A INPUT -p tcp --dport 20:1024 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 20:1024 -j ACCEPT

 

8. Allow forwarding of DNS resolution request packets from the LAN segment 192.168.0.0/24.

iptables -A FORWARD -s 192.168.0.0/24 -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -d 192.168.0.0/24 -p udp --sport 53 -j ACCEPT

 

9. Do not allow other hosts to ping the firewall host, but allow the firewall to ping other hosts.

iptables -I INPUT -p icmp --icmp-type echo-request -j DROP
iptables -I INPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -I INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT

 

10. Do not forward packets from the host with MAC address 00:0C:29:27:55:3F.

iptables -A FORWARD -m mac --mac-source 00:0C:29:27:55:3F -j DROP

Note: iptables uses the form "-m module" to load an extension match. Here "-m mac --mac-source" matches the source MAC address of the packet.

 

11. Allow the firewall host to open TCP ports 20, 21, 25, 110, and the passive-mode FTP ports 1250-1280

iptables -A INPUT -p tcp -m multiport --dports 20,21,25,110,1250:1280 -j ACCEPT

Note: "-m multiport --dports" specifies several destination ports and port ranges in one rule.

 

12. Do not forward TCP packets whose source IP address is in the range 192.168.1.20-192.168.1.99.

iptables -A FORWARD -p tcp -m iprange --src-range 192.168.1.20-192.168.1.99 -j DROP

Note: "-m iprange --src-range" specifies a range of source IP addresses.

 

13. Do not forward non-SYN request packets that do not belong to any existing TCP connection.

iptables -A FORWARD -m state --state NEW -p tcp ! --syn -j DROP

Note: "-m state" matches on the connection state of the packet, and "NEW" means the packet does not belong to any known connection. "! --syn" matches TCP packets that are not an initial SYN, so a NEW packet without SYN cannot be a legitimate connection attempt.

 

14. Deny new connections to the firewall host, but allow packets that belong to or are related to established connections

iptables -A INPUT -p tcp -m state --state NEW -j DROP
iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT

Note: "ESTABLISHED" matches packets of a connection that has already seen a reply, i.e. an established connection. "RELATED" matches packets that are related to an established connection, such as an FTP data connection.

 

15. Open only the web service (80) and FTP (20, 21, 20450-20480) of the local machine, allow external hosts to receive response packets from the server's other ports, and discard all other inbound packets.

iptables -I INPUT -p tcp -m multiport --dports 20,21,80 -j ACCEPT
iptables -I INPUT -p tcp --dport 20450:20480 -j ACCEPT
iptables -I INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
iptables -P INPUT DROP


