How iptables works

Currently, there are three main types of firewalls: packet filtering, application proxy, and status detection packet filtering firewalls: static packet filtering firewalls are no longer available in the market, replace it with the dynamic packet filtering firewall ~ Proxy firewall: because of some special packet attacks, you can easily break through the protection of the packet filtering firewall, such as SYN attacks, IC

Currently, firewalls are divided into three types: packet filtering, application proxy, and status detection.

Packet filtering firewall: the static packet filtering firewall is no longer available in the market. Instead, it is replaced by the dynamic packet filtering firewall ~

Proxy firewall: WAF protection can be easily broken through because of some special packet attacks, such as SYN attacks and ICMP flood attacks that everyone knows, therefore, the Application Proxy firewall that uses the proxy server as a dedicated data forwarding channel for user confidentiality or access restrictions has emerged ~ It uses a new technology for application protocol analysis. Status detection firewall: developed based on the dynamic packet filtering technology, it adds a status detection module and develops the session filtering function. the retention of session states is time-limited, this firewall can also analyze the package content to avoid opening too many ports.

Netfilter/IptablesThe IP packet filtering system is actually composed of netfilter andIptablesConsists of two components.

Netfilter is a part of the integration in the kernel. it defines and stores the corresponding rules. iptables is a tool used to modify information filtering rules and other configurations, we can use iptables to set rules that suit our enterprise's needs ~, These rules are stored in the kernel space. Netfilter is a general architecture in the Linux kernel. It provides a series of tables (tables). Each table is composed of several chains (chains, each chain can be composed of one or more rules. In fact, netfilter is a table container, a table is a chain container, and a chain is a rule container.

Filter table

Nat table

Mangle table

Iptables built-in chain

PREROUTING: Before a data packet enters the local machine

INPUT: the destination is the local machine after the route table is passed

FORWARDING: after the route table is passed, the destination is not the local machine

OUTPUT: generated by the local machine and forwarded externally

POSTROUTIONG: after the route table is passed, before the interface is sent to the NIC

Relationship between five netfilter chains, that is, iptables packet forwarding flowchart

Iptables workflow

Iptables has three tables and five links.

Iptables detailed parameter table

Basic Iptables syntax

Iptables [-t table name]-Command-match-j action/target

Iptables has three built-in tables: filter, nat, and mangle. we can use the-t parameter to set which table is effective ~ You can also omit the-t parameter. the filter table is operated by default.

You can use man iptables to query specific command parameters ~

Configure the basic syntax of the SNAT command

Iptables-t nat-a postrouting-o network interface-j SNAT -- to-source IP address

Configure the DNAT command syntax

Iptables-t nat-a prerouting-I network interface-p protocol -- dport-jDNAT

-- To-destination IP address

Enterprise environment and requirements

1. enterprise environment

230 clients, IP address range: 192.168.0.1 ~ 192.168.0.254, subnet mask 255.255.255.0

Mail Server: the IP address is 192.168. 1.1, and the subnet mask is 255.255.255.0.

FTP server: IP address: 192.168.1.2 subnet mask: 255.255.255.0

WEB server: IP address: 192.168.1.3 subnet mask: 255.255.255.0

The company's network topology is shown below:

2. configure the default policy

All intranet computers need to access the Internet frequently, and employees will use instant communication tools to communicate with customers. The DMZ isolation zone of the enterprise network is built with Mail, FTP, and Web servers, the Mail and FTP servers are open to internal staff. they only need to publish websites to external users, and the administrator can remotely manage them through the Internet. to ensure the security of the entire network, you need to add iptables firewall and configure corresponding policies.

Requirement Analysis

To ensure security, the enterprise's internal network first needs to delete all rule settings, set the default rule to DROP, and then enable the firewall to restrict access to the client, open the corresponding ports of WEB, MSN, QQ, and MAIL, and allow external clients to log on to ports 80 and 22 of the WEB server.

Solution

1. configure the default policy

The default iptables has been installed.

(1) deletion policy

Iptables-F: clears the rules of the selected chain. If no chain is specified, the rules of all chains in the specified table are cleared.

Iptables-X: clear the rules in the user-defined chain in the filter of the preset table.

Iptables-Z: clear the rules in the user-defined chain in the filter of the preset table.

(2) set the default policy

By default, the OUTPUT chain is enabled for INPPUT and FORWARD chains of the filter table. all three links PREROUTING, outp ut, and POSTROUTING of the nat table are enabled ~ All links are enabled by default, so some commands can be left empty. In addition, mangle tables are not used in this article, so mangle is not processed. mangle is mainly used for handling special changes to data packets, such as modifying features such as TOS.

2. set the loopback address

Some services need to use the loopback address for testing. to ensure the normal operation of each service, you need to allow loopback address communication, which has already been involved. if the loopback address is not set, some services cannot be started ~.

Iptables-a input-I lo-j ACCEPT

3. connection status settings

To simplify firewall configuration and improve inspection efficiency, you need to add connection status settings.

Iptables-a input-m state -- state ESTABLISHED, RELATED-j ACCEP T

Connection tracing has four data packet statuses

NEW: The data packet for the NEW connection

INVALID: INVALID data packets, such as corrupted or incomplete data packets

ESTABLISHED: the data packet that has been connected

RELATED: the data packet associated with the sent data packet.

4. configure port 80 forwarding

The company's website needs to be open to the outside world, so we need to open port 80

Iptables-a forward-p tcp -- dport 80-j ACCEPT

5. DNS settings

In order for the client to access the internet normally using the domain name, we also need to allow forwarding between the intranet computer and the external DNS server.

Enable DNS to use UDP and TCP ports 53

Iptables-a forward-p tcp -- dport 53-j ACCEPT

Iptables-a forward-p udp -- dport 53-j ACCEPT

6. SSH access to the server

The administrator performs remote management over the Internet, so we need to enable TCP port 22 used by SSH.

Iptables-a input-p tcp -- dport 22-j ACCEPT

7. allow Intranet hosts to log on to MSN and QQ settings

QQ can use TCP80, 8000, 443, UDP8000, 4000 to log on, while MSN is verified by TCP1863 and 443. Therefore

You only need to allow FORWARD forwarding of these ports to log on normally.

Iptables-a forward-p tcp -- dport 1863-j ACCEPT

Iptables-a forward-p tcp -- dport 443-j ACCEPT

Iptables-a forward-p tcp -- dport 8000-j ACCEPT

Iptables-a forward-p udp -- dport 8000-j ACCEPT

Iptables-a forward-p udp -- dport 4000-j ACCEPT

Note: Of course, if you want to restrict the use of such instant messaging tools, you only need to disable the forwarding of these ports ~

Special note: This guy is so bad ~ Hey ~, Ports are not fixed. QQ/V/I/P is a dedicated channel for members, proxy logon, etc ~, Therefore, we need to collect the full login port and QQ server address if we need to block the attack. according to the summary, it is best to combine the technology and administration in the actual configuration of the enterprise, so that the best effect can be achieved ~

8. allow Intranet hosts to send and receive emails

The client accesses Port TCP25 of the mail server when sending the mail. When receiving emails, there may be many ports used. UDP and TCP ports: 110, 143, 993, and 995

Smtp:

Iptables-a forward-p tcp -- dport 25-jACCEPT

Pop3:

Iptables-a forward-p tcp -- dport 110-jACCEPT

Iptables-a forward-p udp -- dport 110-jACCEPT

Imap:

Iptables-a forward-p tcp -- dport 143-jACCEPT

Iptables-a forward-p udp -- dport 143-jACCEPT

Imaps:

Iptables-a forward-p tcp -- dport 993-jACCEPT

Iptables-a forward-p udp -- dport 993-jACCEPT

Pop3s:

Iptables-a forward-p tcp -- dport 995-jACCEPT

Iptables-a forward-p udp -- dport 995-jACCEPT

9. NAT Port ing settings

Because the LAN address is a private address, it is invalid on the Internet ~ Therefore, you must convert the private IP address to the external IP address of the server for address ING ~ The connection to the internet interface is ppp0.

Iptables-t nat-a postrouting-o ppp0-s 192.168.0.0/24-j MASQUERADE

MASQUERADE works the same as SNAT ~ It is similar to the operation that provides source Address Conversion. However, MASQUERADE sets a drop for a dynamic IP address for an external interface and does not need to use -- to-source to specify the IP address to be converted. If the network uses a dial-up method to access the Internet without an external static IP address (mainly used for dynamic access to IP addresses, such as ADSL dialing and DHCP connections ), we recommend that you use MASQUERADE ~

Note: MASQUERADE is a special filtering rule. it can only map data from one interface to another ~

10. publish a WEB site on an intranet machine

The IP address of the intranet WEB server is 192.168.0.3. we need to configure the following ~, When a public network client accesses the server, the firewall maps requests to port 80 of 192.168.0.3 on the intranet.

Iptables-t nat-a prerouting-I ppp0-p tcp -- dport 80-j DNAT -- to-destination

192.168.1.3: 80

11. save and restore iptables configuration

Save: iptables-save

Iptables-save [-c] [-t table name]

-C: save the value of the package and byte counter. This prevents packet and byte statistics from being lost after the firewall is restarted.

-T: The rule used to save the table. if it is not followed by The-t parameter, all tables are saved.

You can use the redirection command to save these rule sets.

Iptables-save>/etc/iptables-save

Restore: iptables-restore

Iptables-restore [-c] [-n]

-C: If the-c parameter is added, the package and byte counter must be loaded.

-N: indicates that the existing rules are not overwritten. by default, all existing rules are cleared.

Use redirection to restore the rule set saved by iptables-save

Iptables-restore>/etc/iptables-save

If it takes effect after the service or system restart

12. Finally, you can view the following nat configurations on your own!

Note:

SNAT converts source network addresses and can only be used in the POSTROUTING chain of the nat table. if the first qualified packet to be connected is SNAT ~, All other data packets connected by this connection will be automatically SNAT. Corresponding to SNAT, DNAT converts the destination address and can only be used in the PREROUTIONG and OUTPUT chains of the nat table, or in the chains called by the two chains. A chain containing DNAT cannot be called by any other chain, such as the POSTROUTING chain.

Block access to a domain name and directly change the hosts file. I don't know how much it will be used !!!