Iptables firewall applications

Source: Internet
Author: User
Tags ssh port

Security service: iptables

I. Network security access control
Linux is generally deployed as a server that provides network-based services, so some network access control is usually needed on the server itself, similar to what a firewall does.
Common access controls include which IP addresses may reach the server, which protocols may be used, which interfaces and ports are reachable, and whether packets need to be modified.
If a server is under attack, or receives unwanted traffic from a particular region or IP address on the Internet, access from that address should be prohibited.
The Linux kernel integrates network access control and implements it through the netfilter module.
Uses of iptables: 1. blocking basic attacks; 2. masquerading IP ranges (NAT).
iptables is the user-space program; netfilter is the kernel control module.
II. iptables
The Linux kernel uses the netfilter module to implement network access control; in user space, the iptables program is used to control and manage netfilter.
Netfilter can classify packets by:
- source IP address
- destination IP address
- interface used
- protocol used (TCP, UDP, ICMP, etc.)
- port number
- connection state (new, established, related, and invalid)
III. netfilter concepts
Traffic arriving from outside for the local machine passes through PREROUTING and then INPUT.
Netfilter is divided into five chains and three tables (filter, nat and mangle).
INPUT (incoming data) supports the filter and mangle tables.
FORWARD supports the filter and mangle tables.
OUTPUT (outgoing data) supports the filter, nat and mangle tables.
PREROUTING (DNAT: converts the public IP address that others connect to into your internal IP address; all inbound data must pass through PREROUTING) supports the nat and mangle tables.
POSTROUTING (SNAT: converts an internal private address to a public address; all outbound data must pass through POSTROUTING) supports the nat and mangle tables.

filter table: used to filter data
nat table: used to modify the source and destination addresses of packets
mangle table: used for advanced modification of packets

Another way of stating it: there are four tables and five chains.
Tables are distinguished by the operation performed on the packet; chains are distinguished by the hook point at which it is performed. Tables and chains are the two dimensions of netfilter.
Four tables: filter, nat, mangle and raw. The default table is filter (it is used when no table is specified). Table processing priority: raw > mangle > nat > filter.
filter: general filtering
nat: network address translation (port mapping, address mapping, etc.)
mangle: modifying specific packets
raw: highest priority; rules in raw are generally used to exempt packets from connection tracking to improve performance
Five chains: PREROUTING, INPUT, FORWARD, OUTPUT and POSTROUTING.
PREROUTING: before the packet enters the routing table
INPUT: after routing, when the destination is the local machine
FORWARD: after routing, when the destination is not the local machine
OUTPUT: generated by the local machine and sent out
POSTROUTING: before the packet is handed to the NIC interface

1. filter table. Function: filters packets. Kernel module: iptable_filter.
INPUT chain: packets sent to the local machine
FORWARD chain: packets routed through the local machine
OUTPUT chain: packets generated locally
2. nat table. Function: network address translation (IP address, port). Kernel module: iptable_nat.
PREROUTING chain: modify arriving packets
OUTPUT chain: modify locally generated packets before routing
POSTROUTING chain: modify packets just before they are sent
3. mangle table. Function: modifies the type of service and TTL of packets and sets marks used by routing to implement QoS. Kernel module: iptable_mangle. (This table is rarely used when writing policies.)
PREROUTING chain: (DNAT) converts the public IP address that others connect to into your internal IP address; all inbound data passes through PREROUTING
INPUT chain: packets sent to the local machine
FORWARD chain: modifies packets routed through the local machine
OUTPUT chain: modify locally generated packets before routing
POSTROUTING chain: (SNAT) converts an internal private address to a public address; all outbound data passes through POSTROUTING
4. raw table: two chains, OUTPUT and PREROUTING.
Function: decides whether a packet is processed by the connection tracking mechanism. Kernel module: iptable_raw.
(Not available in RHEL 4, but you need not worry about it; it is not used much.)

IV. Common uses
When iptables is used on a server:
(1) filter traffic to the local machine: INPUT chain, filter table
(2) filter traffic from the local machine: OUTPUT chain, filter table
When iptables is used on a router:
(1) filter forwarded traffic: FORWARD chain, filter table
(2) modify the source and destination IP addresses of forwarded data (NAT function): nat table (PREROUTING and POSTROUTING chains, as listed above)
iptables rule attributes
# iptables -t filter -A INPUT -s 10.0.0.201 -j DROP
            table     chain   match          action
Basic syntax of iptables:
iptables [-t table] command-option [chain] [match conditions] [-j target or jump]
Description: the table name and chain name specify the table and chain that the iptables command operates on. The command option specifies how rules are managed (insert, append, delete, list, etc.). The match conditions specify which packets the rule applies to. The target action or jump specifies what is done with a matching packet (for example accept, reject, drop, or jump to another chain for further processing).

One iptables command creates one rule, which consists of the following parts:
table: the table required (filter, nat or mangle; each has a different function)
chain: the filtering point
match attributes: the characteristics of the packets to match
action after match: accept, drop, or log
V. iptables parameter definitions
Options can be freely combined (note that they are case-sensitive):
-v: verbose output, including packet and byte counters
-D: delete a rule
-I: insert a rule at the top (position 1) of the chain
-s: source IP address
--sport: source port
-d: destination IP address
--dport: destination port
-i: input interface, e.g. -i eth0
-o: output interface, e.g. -o eth0

-A: append a rule
-p: protocol to match
-j: target action: DROP (discard the packet silently), REJECT (refuse the packet and reply to the sender), ACCEPT (allow), LOG (write a log entry to /var/log/messages, then pass the packet to the next rule)

The firewall can handle a packet in four ways:
ACCEPT: allow the packet through
DROP: discard the packet with no response to the sender
REJECT: refuse the packet and, where applicable, send a response to the sender
LOG: record the packet in /var/log/messages, then pass it on to the next rule

Saving and restoring iptables firewall rules
Configuration file: /etc/sysconfig/iptables
Save the current rules: service iptables save
--line-numbers: show rule numbers when listing
Management and control options of the iptables command (-A append rule, -D delete rule, -R replace rule, -I insert rule, -L list rules):
-A: append a new rule to the end of the specified chain.
-n: show output in numeric format (no name resolution).
-v: show rule table details (verbose).
-V: show the version.
-h: show help.
-D, --delete: delete a rule. Example: iptables -D INPUT 1 (by rule number).
-R, --replace: replace a rule. Example: iptables -R INPUT 1 -s 192.168.0.1 -j DROP
-I, --insert: insert a rule. Example: iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT inserts a rule at position 1; the rule previously at that position and those after it move down by one.
-L, --list: list all rules in a chain. Example: iptables -L INPUT
-F, --flush: delete all rules in a chain. Example: iptables -F INPUT (here the INPUT chain).
-Z, --zero: reset the packet counters. Example: iptables -Z INPUT. The counters record how many packets matched each rule and are an indispensable tool when filtering and blocking attacks.
-N, --new-chain: define a new chain. Example: iptables -N allowed
-X, --delete-chain: delete a user-defined chain. Example: iptables -X allowed
-P, --policy: set the default policy of a chain, i.e. how packets that match no rule are handled. Example: iptables -P INPUT DROP
-E, --rename-chain: rename a user-defined chain. Example: iptables -E allowed disallowed

VI. iptables cases
Start iptables with /etc/init.d/iptables start or service iptables start.
Save the iptables configuration with /etc/init.d/iptables save or service iptables save.

To clear the rules, first run /sbin/iptables -P INPUT ACCEPT
and then run /sbin/iptables -F
You can view the result with iptables -L.
Note: rules are matched in order, so allow rules must come before deny rules; if a deny rule comes first, a later allow rule for the same traffic never takes effect.

filter table operations
(1) Allow 10.0.0.254 to ping my host 10.0.0.201
# iptables -t filter -I INPUT 2 -s 10.0.0.254 -d 10.0.0.201 -p icmp -j ACCEPT
(2) Prohibit everyone else from pinging my host 10.0.0.201
# iptables -t filter -A INPUT -d 10.0.0.201 -p icmp -j DROP
(3) Allow 10.0.0.254 and my laptop (10.0.0.3) to access port 80 and SSH
# iptables -t filter -A INPUT -s 10.0.0.254 -d 10.0.0.201 -p tcp --dport 22 -j ACCEPT
# iptables -t filter -A INPUT -s 10.0.0.3 -d 10.0.0.201 -p tcp --dport 22 -j ACCEPT

# iptables -t filter -A INPUT -s 10.0.0.254 -d 10.0.0.201 -p tcp --dport 80 -j ACCEPT
# iptables -t filter -A INPUT -s 10.0.0.3 -d 10.0.0.201 -p tcp --dport 80 -j ACCEPT
(4) Refuse SSH connections from everyone else
# iptables -t filter -A INPUT -d 10.0.0.201 -p tcp --dport 22 -j DROP
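The host firewall of cases (1) to (4) above, rebuilt as an added example (not code from the original page) that generates an iptables-restore ruleset instead of issuing the rules one by one; the addresses and ports are the page's, while the default DROP policy, the loopback rule and the ESTABLISHED,RELATED rule are assumptions added here.

```shell
# Emit the host firewall as an iptables-restore ruleset. Generating text
# first lets you review rule order before loading it (as root) with:
#   gen_host_filter | iptables-restore
gen_host_filter() {
    me=${1:-10.0.0.201}                  # this host (page value)
    admins=${2:-"10.0.0.254 10.0.0.3"}   # hosts allowed to ping / ssh / http
    ports=${3:-"22 80"}
    printf '%s\n' '*filter'
    # A DROP policy replaces the trailing per-port DROP rules: anything not
    # explicitly accepted below is dropped, so a forgotten rule fails closed.
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Replies to connections this host opened come first, before any
    # per-source rule, so they can never be shadowed by a later DROP.
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state INVALID -j DROP'
    for a in $admins; do
        # Only echo-request is opened; echo-reply to our own pings is
        # already covered by the ESTABLISHED rule above.
        printf '%s\n' "-A INPUT -s $a -d $me -p icmp --icmp-type echo-request -j ACCEPT"
        for p in $ports; do
            printf '%s\n' "-A INPUT -s $a -d $me -p tcp --dport $p -m state --state NEW -j ACCEPT"
        done
    done
    printf '%s\n' 'COMMIT'
}

# Line number of the first generated line matching a pattern; used to
# check that the ESTABLISHED rule precedes the per-source accept rules.
rule_position() {
    gen_host_filter | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

# Number of INPUT rules generated (policy lines are not rules).
input_rule_count() {
    gen_host_filter "$@" | grep -c -- '^-A INPUT'
}
```

Pass a different host, admin list or port list as positional arguments; iptables-restore replaces the whole filter table, so review the output before loading it on a remote machine.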

nat table operations
POSTROUTING chain: disguises a local IP address as a public IP address (source address)
-o eth0 means output interface eth0.
-i eth0 means input interface eth0.
PREROUTING chain: converts an Internet IP address into an intranet address (destination address)
DNAT: translates the destination address
SNAT: translates the source address
1024:65535 specifies a port range in a match (a colon separates the two ends)
In a --to-source or --to-destination target the port range is written 1024-65535 (with a dash)
0.0.0.0/0 matches all IP addresses with no restriction, e.g. -d 0.0.0.0/0 -s 0.0.0.0/0

(1) Enable internal-to-external address translation
Disguise 10.0.0.0/16 as 118.251.117.250, the firewall's Internet IP address.
(SNAT, POSTROUTING: converts internal private addresses to the public address; all outbound data passes through POSTROUTING.)
# iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/16 -j SNAT --to-source 118.251.117.250
# iptables -L -t nat    (view the nat table)
Topology:
  public IP on the external interface
             |
          iptables
             |
            LVS
           /  \
        web    redis
               mysql
(2) Enable internal-to-external address translation for HTTP only
Translate traffic from the range 10.0.0.0/16 to Internet port HTTP 80 so that its source address becomes 118.251.117.250.
# iptables -t nat -A POSTROUTING -o eth1 -p tcp -s 10.0.0.0/16 --dport 80 -j SNAT --to-source 118.251.117.250
(3) Port mapping
Publish port 80 of the intranet web server 10.0.0.201.
When an Internet address accesses port 80 of $FW_IP, the connection is forwarded to 10.0.0.201.
# FW_IP="118.251.117.250"
# iptables -t nat -A PREROUTING -i eth1 -p tcp -d $FW_IP --dport 80 -j DNAT --to-destination 10.0.0.201
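The NAT setup of cases (1) and (3) above as an added example (not code from the original page): it emits the SNAT and DNAT rules for the page's addresses and, in addition, the filter-table FORWARD rules the page's commands omit, because DNAT only rewrites the destination and the packet must still be accepted in FORWARD. The interface name eth1, the DROP policy on FORWARD and the ESTABLISHED,RELATED rule are assumptions; forwarding must also be enabled (sysctl -w net.ipv4.ip_forward=1).

```shell
# Emit nat and filter rules for a firewall with public address fw_ip on
# wan_if, a LAN lan_net behind it and a web server web_ip to publish.
# Load (as root) with:  gen_nat_rules <fw_ip> <wan_if> <lan_net> <web_ip> | iptables-restore
gen_nat_rules() {
    fw_ip=$1; wan_if=$2; lan_net=$3; web_ip=$4; web_port=${5:-80}
    printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]'
    # Port publishing: rewrite the destination before routing (DNAT), but only
    # for packets arriving on the public interface for the public address.
    printf '%s\n' "-A PREROUTING -i $wan_if -p tcp -d $fw_ip --dport $web_port -j DNAT --to-destination $web_ip"
    # Masquerading: rewrite the source after routing (SNAT), restricted to the
    # LAN range so that spoofed or transit traffic is not translated.
    printf '%s\n' "-A POSTROUTING -o $wan_if -s $lan_net -j SNAT --to-source $fw_ip"
    printf '%s\n' 'COMMIT'
    printf '%s\n' '*filter' ':FORWARD DROP [0:0]'
    printf '%s\n' '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # FORWARD sees the packet after DNAT, i.e. addressed to the web server.
    printf '%s\n' "-A FORWARD -i $wan_if -p tcp -d $web_ip --dport $web_port -m state --state NEW -j ACCEPT"
    # Outbound LAN traffic that the SNAT rule will masquerade.
    printf '%s\n' "-A FORWARD -s $lan_net -o $wan_if -j ACCEPT"
    printf '%s\n' 'COMMIT'
}

# Accessors for inspecting the generated rules.
dnat_rule() { gen_nat_rules "$@" | grep -- '-j DNAT'; }
snat_rule() { gen_nat_rules "$@" | grep -- '-j SNAT'; }
forward_rule_count() { gen_nat_rules "$@" | grep -c -- '^-A FORWARD'; }
```

The filter section only sets the FORWARD policy; INPUT and OUTPUT are left as they are, but iptables-restore flushes the existing rules of both tables unless --noflush is given.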




VII. iptables assignments for this chapter
(1) Allow 10.0.2.254 to ping your address; everyone else may not.
# iptables -t filter -I INPUT 2 -s 10.0.0.254 -d 10.0.0.201 -p icmp -j ACCEPT
# iptables -t filter -A INPUT -d 10.0.0.201 -p icmp -j DROP
(2) Allow 10.0.2.254 and the physical machine you are currently using to log on to your machine through SSH; all other machines may not.
# iptables -t filter -A INPUT -s 10.0.0.254 -d 10.0.0.201 -p tcp --dport 22 -j ACCEPT
# iptables -t filter -A INPUT -s 10.0.0.3 -d 10.0.0.201 -p tcp --dport 22 -j ACCEPT
# iptables -t filter -A INPUT -d 10.0.0.201 -p tcp --dport 22 -j DROP
(3) Allow 10.0.2.254 to access your ports 20 and 21; everyone else is prohibited.
# iptables -t filter -A INPUT -s 10.0.0.254 -d 10.0.0.201 -p tcp --dport 21 -j ACCEPT
# iptables -t filter -A INPUT -s 10.0.0.254 -d 10.0.0.201 -p tcp --dport 20 -j ACCEPT
# iptables -t filter -A INPUT -d 10.0.0.201 -p tcp --dport 20 -j DROP
# iptables -t filter -A INPUT -d 10.0.0.201 -p tcp --dport 21 -j DROP
(4) Prohibit 10.0.2.254 from accessing port 53; everyone else is allowed.
# iptables -A FORWARD -s 10.0.2.254 -p tcp --dport 53 -j DROP
# iptables -A FORWARD -d 10.0.0.201 -p tcp --dport 53 -j ACCEPT
(5) Prohibit 10.0.2.254 from accessing your port 80; everyone else is allowed.
# iptables -A FORWARD -s 10.0.2.254 -p tcp --dport 80 -j DROP
# iptables -A FORWARD -d 10.0.0.201 -p tcp --dport 80 -j ACCEPT
(6) Allow 10.0.2.254 to access your port 23; everyone else is prohibited.
# iptables -A FORWARD -s 10.0.2.254 -p tcp --dport 23 -j ACCEPT
# iptables -A FORWARD -d 10.0.0.201 -p tcp --dport 23 -j DROP
(7) Publish port 80 of the web server 10.0.2.231 through the nat table.

(8) Publish ports 20 and 21 of the FTP server 10.0.2.20 through the nat table.

1. Deny all ICMP packets entering the firewall
iptables -I INPUT -p icmp -j REJECT
2. Allow the firewall to forward all packets except ICMP
iptables -A FORWARD ! -p icmp -j ACCEPT
Note: "!" negates the condition.
3. Refuse to forward data from the host 192.168.1.10, but allow data from the network 192.168.0.0/24.
iptables -A FORWARD -s 192.168.1.11 -j REJECT
iptables -A FORWARD -s 192.168.0.0/24 -j ACCEPT
Note: put the reject rule first, otherwise it will not work.
4. Drop packets that arrive on the external interface (eth1) for the firewall itself with a private network source address
iptables -A INPUT -i eth1 -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i eth1 -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP
5. Block the network (192.168.1.0/24) and unblock it two hours later.
# iptables -I INPUT -s 10.20.30.0/24 -j DROP
# iptables -I FORWARD -s 10.20.30.0/24 -j DROP
# at now + 2 hours
at> iptables -D INPUT 1
at> iptables -D FORWARD 1
Note: it would be better to schedule this with crond. (An interactive at job must be finished with Ctrl-D; the "Stopped" line below shows that the session was suspended with Ctrl-Z instead, so the job was never submitted.)
[1]+ Stopped   at now + 2 hours
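The temporary block of case 5 as an added example (not code from the original page): the commands are generated by a function so the unblock job is handed to at through a pipe instead of an interactive session, and the block is removed by its exact rule specification rather than by rule number, since "-D INPUT 1" deletes whatever happens to be first two hours later. The network and duration are the page's values; the input validation is an assumption added here.

```shell
# Print the commands that block a network now and unblock it later.
# Run (as root) with:  gen_timed_block 10.20.30.0/24 2 | sh
gen_timed_block() {
    net=$1; hours=${2:-2}
    # Only digits, dots and a slash may appear in the CIDR, and only digits in
    # the duration, so no shell metacharacters reach the generated commands.
    case $net in ''|*[!0-9./]*) return 1 ;; esac
    case $hours in ''|*[!0-9]*) return 1 ;; esac
    printf '%s\n' "iptables -I INPUT -s $net -j DROP"
    printf '%s\n' "iptables -I FORWARD -s $net -j DROP"
    # Deleting by rule number would remove whatever rule is at position 1 at
    # that moment; naming the full rule spec deletes this rule and only it.
    printf '%s\n' "echo 'iptables -D INPUT -s $net -j DROP; iptables -D FORWARD -s $net -j DROP' | at now + $hours hours"
}
```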
6. Only allow the administrator to log on to the firewall host remotely through SSH from the network 202.13.0.0/16.
iptables -A INPUT -p tcp --dport 22 -s 202.13.0.0/16 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP
Note: this method suits remote device management, for example when the SQL server at a branch has to be managed by the company's administrator.
7. Allow the local machine to provide application services on TCP ports 20 to 1024.
iptables -A INPUT -p tcp --dport 20:1024 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 20:1024 -j ACCEPT
8. Allow forwarding of DNS resolution requests from the LAN segment 192.168.0.0/24.
iptables -A FORWARD -s 192.168.0.0/24 -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -d 192.168.0.0/24 -p udp --sport 53 -j ACCEPT
9. Do not allow other hosts to ping the firewall host, but allow the firewall to ping other hosts.
iptables -I INPUT -p icmp --icmp-type echo-request -j DROP
iptables -I INPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -I INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
10. Do not forward packets from the host with MAC address 00:0C:29:27:55:3F.
iptables -A FORWARD -m mac --mac-source 00:0C:29:27:55:3F -j DROP
Note: iptables uses the form "-m module" to load an extension match; here "-m mac --mac-source" matches the packet's source MAC address.
11. Allow the firewall machine to open TCP ports 20, 21, 25, 110 and the passive-mode FTP ports 1250-1280.
iptables -A INPUT -p tcp -m multiport --dports 20,21,25,110,1250:1280 -j ACCEPT
Note: "-m multiport --dports" specifies a list of destination ports and port ranges.
12. Do not forward TCP packets whose source IP address is in the range 192.168.1.20-192.168.1.99.
iptables -A FORWARD -p tcp -m iprange --src-range 192.168.1.20-192.168.1.99 -j DROP
Note: "-m iprange --src-range" specifies a source IP address range.
13. Do not forward non-SYN packets that do not belong to any normal TCP connection.
iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
Note: "-m state" matches the connection state of the packet; "NEW" means the packet does not belong to any known connection.
14. Deny new connections to the firewall, but allow packets that belong to existing connections or are related to them.
iptables -A INPUT -p tcp -m state --state NEW -j DROP
iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
Note: "ESTABLISHED" matches packets of a connection that has already been answered or set up; "RELATED" matches packets related to an established connection, such as an FTP data connection.
15. Only open the local machine's web service (80) and FTP (20, 21, 20450-20480), allow external hosts to receive response packets from the server's other ports, and drop all other inbound packets.
iptables -I INPUT -p tcp -m multiport --dports 20,21,80 -j ACCEPT
iptables -I INPUT -p tcp --dport 20450:20480 -j ACCEPT
iptables -I INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
iptables -P INPUT DROP

