Linux iptables firewall
Contents
- Firewall
- Firewall Definition
- Firewall category
- Netfilter/iptables
- Netfilter design architecture
- Brief description of iptables
- Iptables command details
- Command syntax
- Table Parameters
- Command Parameters
- Match Parameter
- Target Parameter
- Match Extension
- Command example
- Firewall Management
1. Firewall
1.1 Firewall Definition
A firewall is a protective barrier, built from a combination of software and hardware, placed between an intranet and the external network, or between a private network and the public network. It is a figurative name for a security method: a combination of computer hardware and software that sets up a security gateway between the Internet and the intranet and thereby protects the intranet from intrusion by unauthorized users. A firewall consists of service access rules, verification tools, packet filtering and an application gateway. In short, a firewall is software or hardware that sits between a computer and the network it is connected to, and all inbound and outbound traffic of that computer must pass through it.
In networking, a "firewall" is a method of separating an intranet from a publicly accessible network such as the Internet; it is essentially an isolation technique. A firewall is an access-control measure enforced during communication between two networks: it lets the people and data you "approve" into your network while rejecting those you "disapprove" of, keeping attackers out of your network as far as possible. In other words, people inside the company cannot reach the Internet except through the firewall, and people on the Internet cannot communicate with people inside the company except through it.
1.2 Firewall Classification
1) Network Firewall
A network-layer firewall can be viewed as an IP packet filter operating on the underlying TCP/IP protocol stack. In enumeration (allow-list) mode, only packets that match specific rules are allowed through the firewall and everything else is blocked (this does not cover viruses: a packet filter cannot stop a virus from getting in). These rules can be defined or modified by the administrator, although some firewall devices only apply built-in rules.
Firewall rules can also be written from the opposite, more permissive perspective: a packet is let through as long as it does not match any "deny rule". Most operating systems and network devices have a built-in firewall function.
2) Application Firewall
An application-layer firewall operates at the application layer of the TCP/IP stack; the data streams generated by a browser or an FTP client belong to this layer. It can intercept all packets going into or out of an application and block everything else (usually by simply discarding those packets). In theory, this kind of firewall can completely block external data streams from reaching the protected machine.
By monitoring all packets and spotting content that violates the rules, such a firewall can stop computer worms or Trojans from spreading quickly. In practice, however, this approach is both annoying and complex (there are thousands of applications), so most firewalls do not attempt it.
XML Firewall is a new type of application layer firewall.
Depending on their focus, firewalls can also be divided into packet-filter firewalls, application-layer gateway firewalls and server-type firewalls.
3) Database Firewall
A database firewall is a database security system based on analysis and control of the database protocol. Using an active defense mechanism, it controls database access behaviour, blocks dangerous operations and audits suspicious behaviour.
By analysing the SQL protocol, the database firewall blocks illegal and non-compliant operations according to predefined deny and allow policies, forming a protective perimeter around the database, so that dangerous SQL operations are actively prevented and audited in real time.
Against external intrusion, the database firewall provides SQL injection prevention and database virtual patching.
2. Netfilter/iptables
Linux provides a packet-handling framework called netfilter.
Netfilter Official Website: http://www.netfilter.org.
1) Netfilter Design Architecture
Netfilter provides a series of hook functions (hooks) in the kernel's network stack.
In the figure, positions 1, 2, 3, 4 and 5 are the locations of the hooks, and there are three paths through them:
- 1, 2: packets destined for the local machine.
- 5, 4: packets sent by the local machine.
- 1, 3, 4: packets being forwarded.
2) iptables
Built on the netfilter framework, iptables implements the corresponding hook functions to provide firewall (packet filtering), Network Address Translation (NAT) and packet mangling functions.
The figure shows the following functions: Filter, Connection Track, NAT and Mangle. There are actually two more: raw and security.
Connection tracking is in fact part of NAT.
The figure also shows three data flows, corresponding to packets destined for the local machine, packets sent by the local machine and forwarded packets.
iptables provides these functions by implementing the netfilter hooks. Inside each hook a series of rule chains is traversed: the packet is checked against the rules of the corresponding chain, and only if it passes does it continue toward its final destination.
Function and rule chain table

| Function (table) | Chains |
| --- | --- |
| filter | INPUT, FORWARD, OUTPUT |
| nat | PREROUTING, OUTPUT, POSTROUTING |
| mangle | PREROUTING, INPUT, OUTPUT, POSTROUTING |
| raw | PREROUTING, OUTPUT |
| security | INPUT, FORWARD, OUTPUT |
The table also shows that the rule chains correspond exactly to the hook locations.
If several tables are used at the same time, that is, several rule chains are configured at the same hook, how do they work together? The figure shows the order in which a packet passes through these rule chains: at each hook the tables are consulted in a fixed priority order, raw first, then mangle, then nat and finally filter.
3. iptables Command Details
Run man iptables in a terminal to see the command description, or read it online: http://ipset.netfilter.org/iptables.man.html.
3.1 Command syntax
```
iptables [-t table] {-A|-C|-D} chain rule-specification
iptables [-t table] -I chain [rulenum] rule-specification
iptables [-t table] -R chain rulenum rule-specification
iptables [-t table] -D chain rulenum
iptables [-t table] -S [chain [rulenum]]
iptables [-t table] {-F|-L|-Z} [chain [rulenum]] [options...]
iptables [-t table] -N chain
iptables [-t table] -X [chain]
iptables [-t table] -P chain target
iptables [-t table] -E old-chain-name new-chain-name
rule-specification = [matches...] [target]
match = -m matchname [per-match-options]
target = -j targetname [per-target-options]
```
The most common form of a rule is:
```
iptables -t table command match-parameters -j target
```
The following example illustrates the parameters. Allow SSH connections to the local machine:
```
iptables -t filter -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
```
1) Table Parameter
-t table: the table name. iptables provides several functions, and the table parameter is in effect the name of the function.
The example above uses the firewall function (filter), so the value of -t is filter. See the function and rule chain table for the possible table values.
The default value is filter, so the table name can be omitted when configuring the firewall.
2) Command Parameters
The command parameter operates on a rule chain, for example by adding a rule. iptables provides the following commands.
-A, --append chain rule-specification: append a rule to the chain.
-C, --check chain rule-specification: check whether the given rule already exists in the chain.
-D, --delete chain rule-specification | chain rulenum: delete the specified rule from the specified chain.
-I, --insert chain [rulenum] rule-specification: insert a rule into the specified chain at position rulenum.
-L, --list [chain]: list all rules in the specified chain.
-R, --replace chain rulenum rule-specification: replace a rule.
-S, --list-rules [chain]: print all rules in the specified chain (in the same form as they were entered).
-N, --new-chain chain: create a user-defined chain.
-X, --delete-chain [chain]: delete the specified user-defined chain.
-P, --policy chain target: set the default policy (the default target) of the specified chain.
-E, --rename-chain old-chain new-chain: rename a chain.
-F, --flush [chain]: delete all rules in the chain.
-h: show help.
3) Match Parameters
[!] -p, --protocol protocol
Tests whether the packet uses the specified protocol.
The value can be tcp, udp, udplite, icmp, esp, ah, sctp, all (all protocols) or a protocol number; the number 0 is equivalent to all.
A ! before the value inverts the test, that is, it matches packets that do not use the specified protocol.
[!] -s, --source address[/mask][,...]
Matches the source of the packet, that is, tests whether the packet comes from the specified address.
The value can be a network name, a host name or an IP address (optionally with a netmask). A ! before the value inverts the test.
[!] -d, --destination address[/mask][,...]
Matches the destination address of the packet, that is, tests whether the packet is headed for the specified address.
The value takes the same form as for -s.
-m, --match match: extension matching (see the match extensions below).
-j, --jump target: the action to take when the packet matches the rule; the action is given by the target parameter.
[!] -i, --in-interface name: the network interface the packet was received on.
For packets entering the INPUT, FORWARD and PREROUTING chains, tests whether the packet was received on the specified interface.
A ! before the value inverts the test.
If the value ends with +, all interfaces whose name begins with the given string are matched.
[!] -o, --out-interface name: the network interface the packet will be sent on.
Used in the same way as --in-interface.
-g, --goto chain
Continue processing the packet in the specified chain.
4) Target Parameter
A firewall rule specifies not only what packets match but also a target. If a packet does not match the rule, the next rule is tried; if it does, the action given by the target is executed.
In other words, the target is the name of the rule chain to execute next. In addition, several special values are provided:
ACCEPT: accept the packet and let it through.
DROP: drop the packet at the lowest level; it is silently discarded.
QUEUE: pass the packet to user space.
RETURN: stop traversing this chain and continue with the next rule of the previous (calling) chain.
5) Match Extensions
The match parameters above can only match the protocol, source address, destination address and network interface. For more detailed matching (for example on the destination port) they are not enough; the -m match parameter loads a match extension that provides the finer-grained tests.
For example, to allow packets from an SSH client you need the tcp extension, which lets you specify the destination port with -m tcp --dport:
```
iptables -t filter -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
```
To specify several ports in one rule, use the multiport extension (the port list is left as a placeholder here):
```
iptables -t filter -A INPUT -p tcp -m multiport --dports port1,port2 -j ACCEPT
```
For details on the match extensions, see:
http://ipset.netfilter.org/iptables-extensions.man.html
3.2 Examples
There are many examples on the Internet; for details see:
http://www.cnblogs.com/argb/p/3535179.html
4. Firewall Management
```
service iptables {start|restart|stop|condrestart|status|panic|save}
```
start: start the firewall
stop: stop the firewall
restart: restart the firewall
status: show the current status
save: save the current rules to the configuration file
When configuring the firewall, the usual sequence is:
1. service iptables start
2. configure the rules with the iptables command
3. service iptables save, to write the configuration to the configuration file
If you are configuring the firewall remotely, remember to allow port 22 (SSH) first; otherwise you will no longer be able to log in to the host.
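As an added example that is not part of the original article, the following script ties together sections 3 and 4: it builds filter-table rules of the form shown in section 3 (default DROP policy, -A INPUT, -p tcp -m tcp --dport, -j ACCEPT) in the iptables-save format that service iptables save writes, checks the port-22 lockout caveat before anything is applied, and loads the result atomically with iptables-restore. The rule set contents, the SSH_PORT variable and the function names are the example's own choices, not taken from the article.

```shell
#!/bin/sh
# Added example, not code from the original article: build a minimal filter-table
# ruleset in iptables-save format (what "service iptables save" writes), check that
# a remote administrator cannot be locked out, and apply it atomically.
# SSH_PORT is an assumed value; override it in the environment if needed.
SSH_PORT=${SSH_PORT:-22}

# Emit the ruleset: default policy DROP on INPUT/FORWARD, explicit ACCEPT rules
# for loopback, replies to our own connections, SSH and ICMP.
build_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport ${SSH_PORT} -j ACCEPT
-A INPUT -p icmp -j ACCEPT
COMMIT
EOF
}

# Number of -A rules in the ruleset passed as $1.
count_rules() {
  printf '%s\n' "$1" | grep -c -e '^-A '
}

# Lockout check: when the INPUT policy is DROP, an ACCEPT for the SSH port must
# exist. Returns 0 if the ruleset is safe to apply over SSH, 1 otherwise.
lockout_check() {
  if printf '%s\n' "$1" | grep -q -e '^:INPUT DROP'; then
    printf '%s\n' "$1" | grep -q -e "^-A INPUT .*--dport ${SSH_PORT} -j ACCEPT"
    return $?
  fi
  return 0
}

# iptables-restore replaces the whole table in one commit, so there is no window
# in which DROP is active but the SSH rule is not yet loaded. Needs root.
apply_ruleset() {
  rules=$(build_ruleset)
  lockout_check "$rules" || { echo "refusing: port ${SSH_PORT} not accepted" >&2; return 1; }
  printf '%s\n' "$rules" | iptables-restore --test || return 1  # parse only, no commit
  printf '%s\n' "$rules" | iptables-restore
}

# "sh fw.sh apply" applies the ruleset; with no argument it only prints it.
if [ "${1:-}" = "apply" ]; then apply_ruleset; else build_ruleset; fi
```

Running the script without arguments prints the ruleset so it can be reviewed or redirected into the file that service iptables save would otherwise produce.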