How to Use netfilter/iptables to build a firewall (1)

Source: Internet
Author: User
Tags: types of tables

Building a firewall is not an easy task. Let's look at how netfilter/iptables does it, step by step.

For a system connected to the Internet, start from the assumption that the network is not secure. A firewall does not make a system 100% secure, but it is indispensable. Linux provides an excellent firewall tool, netfilter/iptables. It is free, powerful and flexible, gives precise control over inbound and outbound traffic, and runs well on low-end hardware. This article briefly introduces how to use netfilter/iptables for firewalling, Internet connection sharing, and other tasks.

netfilter/iptables is regarded as the fourth generation of packet-filtering tools on Linux and has been part of the kernel since version 2.4. It implements firewalling, NAT (Network Address Translation), and packet mangling (altering header fields such as TTL, TOS and the firewall mark). Netfilter is the hook framework inside the kernel; iptables is the user-space tool used to define the tables and chains of rules that those hooks consult. netfilter/iptables evolved from ipchains and ipfwadm (IP firewall administration) and is considerably more capable than either. In what follows, netfilter/iptables is referred to simply as iptables.

iptables runs on Linux. You can use it to firewall a single Linux workstation, or to put a Linux host in front of a subnet and protect the systems behind it, whether they run Unix, Linux, BSD or another platform. iptables inspects packet headers only, so it adds little latency to the traffic flow and performs no authentication of its own. For better security, combine it with a proxy server (such as squid).

Basic Concepts

A typical firewall host has two network interfaces: one facing the internal (protected) network, the other facing the outside. iptables reads the headers of packets arriving on and leaving each interface, compares them against the rule set, and forwards packets that are accepted from one interface to the other; everything else is dropped or handled as the matching rule specifies.

Rules are instructions that tell the firewall how to treat packets from a given source address, to a given destination, or of a particular protocol. You create them with the iptables command, which adds them to a chain in one of the kernel's packet-filtering tables. The general syntax for adding, deleting and editing rules is:

iptables [-t table] command [chain] [match] [-j target]

1. Table

The [-t table] option selects a table other than the default. A table is a packet-filtering table that holds the rules and chains used to process one kind of traffic. This article covers the three tables that are always available: filter, nat, and mangle (later kernels also add raw and security). The option is not required; if it is omitted, filter is used. The functions of the tables are summarised in Table 1.

Table 1: Functions of the three tables

2. Command

The command is the most important part of the iptables command line: it tells iptables what to do, for example insert a rule, append a rule to the end of a chain, or delete a rule. Table 2 lists the most common commands with examples.

Table 2: Commands and examples

3. Match

The optional match part specifies the characteristics a packet must have for the rule to apply, such as its source address, destination address, or protocol. Matches fall into general matches and protocol-specific matches. This section covers general matches, which can be used with any protocol. Table 3 lists the important ones with examples.

Table 3: General matches and examples

4. Target

The target is the action a rule takes on every packet that matches it. Besides the built-in targets, a user-defined chain can itself be used as a target, so that matching packets jump to that chain. Table 4 lists the common targets with examples.

Beyond those in Table 4 there are other targets for building advanced rules, such as LOG, REDIRECT, MARK, MIRROR, and MASQUERADE. Note that MIRROR, which reflected a packet back to its sender, was removed from the kernel long ago and is not available on current systems.

Table 4: Targets and examples
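The four parts of the syntax above (table, command, match, target) and the two-interface model from Basic Concepts, put together as one complete firewall with Internet connection sharing. This is an added example, not code from the original article: the interface names eth0/eth1 and the subnet 192.168.1.0/24 are assumptions, and the rules are written in iptables-restore format (one "*table" block per table, which is what -t selects on the command line) rather than as a sequence of individual iptables invocations.

```shell
#!/bin/sh
# Added example: two-NIC firewall with Internet connection sharing, written as an
# iptables-restore ruleset. Interface names and the LAN subnet are assumptions;
# override them in the environment before running.
WAN_IF="${WAN_IF:-eth0}"              # interface facing the Internet (assumed name)
LAN_IF="${LAN_IF:-eth1}"              # interface facing the protected network (assumed name)
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # protected subnet (assumed)

# Emit the ruleset. Each "*name" line selects a table (what -t does on the
# command line), ":CHAIN POLICY" sets a built-in chain's policy (-P), and every
# other line is a rule: the command (-A chain), its matches, and "-j target".
gen_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# traffic addressed to the firewall itself; anything not accepted here falls
# through to the INPUT policy (DROP) after being logged
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-INPUT-DROP: "
# traffic passing between the two interfaces: LAN may go out, only replies come back
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Internet connection sharing: rewrite the LAN source address to the WAN address
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# mark LAN web traffic so policy routing or tc can treat it separately
-A PREROUTING -i $LAN_IF -p tcp --dport 80 -j MARK --set-mark 0x1
COMMIT
EOF
}

# Count the -A rules in one table of the generated ruleset (used for checking).
rule_count() {
  gen_ruleset | awk -v t="*$1" '
    $0 == t          { inside = 1; next }
    /^COMMIT$/       { inside = 0 }
    inside && /^-A / { n++ }
    END              { print n + 0 }'
}

# Load the ruleset. iptables-restore replaces each table in one operation, so the
# host never runs with a half-loaded rule set. Requires root; IP forwarding must
# be on for the FORWARD and nat rules to have any effect.
apply_ruleset() {
  sysctl -w net.ipv4.ip_forward=1 >/dev/null
  gen_ruleset | iptables-restore
  iptables -t filter -L -n -v --line-numbers   # verify what the kernel loaded
}

case "${1:-}" in
  apply) apply_ruleset ;;
  *)     gen_ruleset ;;
esac
```

Run with no arguments to print the ruleset for review; run as root with `apply` to load it. Loading everything through iptables-restore also avoids the classic lock-out: when rules are typed one at a time, setting the INPUT policy to DROP before the rule that admits your own SSH session exists cuts off the session you are typing in.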

