In-depth analysis of Linux firewall

Source: Internet
Author: User
In research and analysis of network security, the firewall is a frequent emphasis. Its basic function is to filter, and where necessary block, the data transmitted (packets) between a local network, or part of one, and the Internet. A packet is a unit of data in transit; besides the payload it carries the information needed to deliver it to its destination.

You can think of a packet as a parcel: the payload is the contents of the parcel, and the headers are the envelope, carrying everything needed to deliver it to the right machine and the right program, plus the return address and other details. When filtering, the firewall sits on the path between the internal network and the Internet, so every packet in either direction passes through it before it is routed on.

Early firewalls were used only to filter packets, which is why one type is called a packet filter firewall. As firewalls developed they came to filter packets, translate network addresses (NAT) and act as proxies. In the Linux 2.4 kernel the firewall is implemented by Netfilter, administered with the iptables tool.

Let's look at where the firewall sits. As I understand it, it is either installed on a single machine as a personal (host) firewall, or installed on a machine that acts as the gateway for a LAN, as in the following situation:

[Figure: Netfilter on a gateway, showing the five checkpoints a packet can pass through]

The figure summarizes the structure of Netfilter installed on the gateway and shows the possible paths of a packet. Each box marked [] is called a checkpoint: when a packet arrives there, processing stops and some checks are performed. The checkpoint names used here are the chain names from iptables (PREROUTING, INPUT, FORWARD, OUTPUT and POSTROUTING); inside Netfilter the same points are the hook functions (NF_IP_PRE_ROUTING, NF_IP_LOCAL_IN, NF_IP_FORWARD, NF_IP_LOCAL_OUT and NF_IP_POST_ROUTING).

Netfilter has three basic functions:

1. packet filtering (filter table)

2. network address translation (nat table)

3. packet alteration (mangle table)

These three functions determine which of the five checkpoints each table attaches to: the filter table hooks INPUT, FORWARD and OUTPUT, while the nat table hooks PREROUTING, OUTPUT and POSTROUTING. Because each function corresponds to a table in Netfilter, and each checkpoint holds a sequence of matching rules that together form a chain, we have the saying: "Netfilter is the container of tables, a table is the container of chains, and a chain is the container of rules."

A chain is actually a checklist of rules. Each chain holds one or more rules, each of the form "if the packet header meets this condition, handle the packet this way". When a packet arrives at a chain, the rules are checked in order from the first: if the packet matches, it is handled as the rule specifies, and for a terminating target such as ACCEPT or DROP the traversal stops there; if it does not match, the next rule is checked. If the packet matches no rule in the chain, it is handled according to the chain's default policy.

An iptables command has five parts: the table to work on, the chain within that table, the operation on a rule (append, insert, delete, replace), the match conditions a packet must satisfy, and the target action for packets that match.

The basic syntax is: iptables -t table -operation chain match(es) -j target (if -t is omitted, the default table is filter).

The basic operations are:

-A appends a rule at the end of the chain

-I inserts a rule at a given position (the head of the chain by default)

-D deletes a rule

-R replaces a rule

-L lists the rules

-P sets the default policy of a built-in chain

Basic target actions, applicable to all chains:

ACCEPT lets the packet through

DROP discards the packet silently

QUEUE passes the packet to a user-space program

RETURN stops traversing this chain and resumes in the calling chain (in a built-in chain, the chain's policy applies)

foobar jumps to the user-defined chain named foobar
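The traversal rules above (first match wins, a user-defined chain is entered by naming it as the target, RETURN hands the packet back to the calling chain, and an unmatched packet gets the chain's policy) are easier to see in code. The following is an added example, not code from the original article or from Netfilter; the chain layout, the rule conditions and the sample packets are all constructed for illustration.

```python
# Added example (not code from the original article): a small model of how a
# Netfilter chain is traversed. Rules are tried in order, the first match
# decides, a user-defined chain is entered by naming it as the target, RETURN
# goes back to the calling chain, and a packet that matches nothing gets the
# chain's policy. The packets and rule conditions below are constructed.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Packet = Dict[str, object]          # the header fields we care about
Match = Callable[[Packet], bool]    # a rule's match condition


@dataclass
class Rule:
    match: Match
    target: str   # ACCEPT, DROP, RETURN, or the name of a user-defined chain


@dataclass
class Chain:
    rules: List[Rule] = field(default_factory=list)
    policy: Optional[str] = None    # only built-in chains carry a policy


class Table:
    def __init__(self) -> None:
        self.chains: Dict[str, Chain] = {}

    def new_chain(self, name: str, policy: Optional[str] = None) -> None:
        self.chains[name] = Chain(policy=policy)

    def append(self, chain: str, match: Match, target: str) -> None:
        """Like iptables -A: add a rule at the end of the chain."""
        self.chains[chain].rules.append(Rule(match, target))

    def run(self, name: str, pkt: Packet, trace: Optional[List[str]] = None) -> Optional[str]:
        """Verdict for pkt entering chain `name`.

        Returns ACCEPT/DROP, or the policy of a built-in chain when no rule
        decides. For a user-defined chain it returns None when the packet
        hits RETURN or walks off the end, so the caller continues with the
        rule after the jump."""
        chain = self.chains[name]
        for pos, rule in enumerate(chain.rules, start=1):
            if not rule.match(pkt):
                continue
            if trace is not None:
                trace.append(f"{name}:{pos} -> {rule.target}")
            if rule.target in ("ACCEPT", "DROP"):
                return rule.target                 # terminating target
            if rule.target == "RETURN":
                break                              # back to the caller, or policy
            verdict = self.run(rule.target, pkt, trace)   # jump to a user chain
            if verdict is not None:
                return verdict
        return chain.policy


def build_input_chain() -> Table:
    """Constructed filter table for a host: default-deny INPUT plus an ssh sub-chain."""
    t = Table()
    t.new_chain("INPUT", policy="DROP")
    t.new_chain("ssh-check")                        # user-defined chain, no policy
    t.append("INPUT", lambda p: p.get("in") == "lo", "ACCEPT")
    t.append("INPUT", lambda p: p.get("state") in ("ESTABLISHED", "RELATED"), "ACCEPT")
    t.append("INPUT", lambda p: p.get("proto") == "tcp" and p.get("dport") == 22, "ssh-check")
    t.append("INPUT", lambda p: p.get("proto") == "icmp", "ACCEPT")
    # ssh-check: the admin network may open ssh; everyone else falls back to INPUT
    t.append("ssh-check", lambda p: str(p.get("src", "")).startswith("10.0.0."), "ACCEPT")
    t.append("ssh-check", lambda p: True, "RETURN")
    return t


def verdict(pkt: Packet, trace: Optional[List[str]] = None) -> Optional[str]:
    """Run a packet through the constructed INPUT chain and return the verdict."""
    return build_input_chain().run("INPUT", pkt, trace)


if __name__ == "__main__":
    samples = [  # constructed packets
        {"in": "lo", "proto": "tcp", "src": "127.0.0.1", "dport": 5432, "state": "NEW"},
        {"in": "eth0", "proto": "tcp", "src": "10.0.0.5", "dport": 22, "state": "NEW"},
        {"in": "eth0", "proto": "tcp", "src": "203.0.113.7", "dport": 22, "state": "NEW"},
        {"in": "eth0", "proto": "tcp", "src": "203.0.113.7", "dport": 80, "state": "NEW"},
        {"in": "eth0", "proto": "tcp", "src": "203.0.113.7", "dport": 80, "state": "ESTABLISHED"},
    ]
    for p in samples:
        tr: List[str] = []
        print(verdict(p, tr), tr)
```

The third sample is the instructive one: a new ssh connection from outside the admin network jumps into ssh-check, hits RETURN, comes back to INPUT, matches nothing further and is dropped by the policy. Nothing in INPUT had to say DROP explicitly, which is exactly why a default policy of DROP on built-in chains is the safer starting point.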

Basic match conditions, applicable to all chains (note that these flags are lowercase; the uppercase -I and -D above are operations):

-p protocol (tcp/udp/icmp/...)

-s source address (ip address/masklen)

-d destination address (ip address/masklen)

-i interface the packet arrived on

-o interface the packet will leave by

Match extensions:

TCP ----- match source port, destination port, any combination of TCP flags, and TCP options.

UDP ----- match source port and destination port.

ICMP ---- match the ICMP type.

MAC ----- match the source MAC address of a received packet (only on incoming packets, i.e. PREROUTING, INPUT and FORWARD).

MARK ---- match the nfmark set on the packet.

OWNER --- (only for locally generated packets, i.e. the OUTPUT chain) match the user ID, group ID, process ID or session ID of the process that created the packet.

LIMIT --- limit how many packets match within a given period. This extension is very useful for rate-limiting DoS traffic.

STATE --- match packets in a particular connection state (determined by the connection tracking subsystem). Possible states are:

INVALID (the packet does not belong to any known connection)

ESTABLISHED (the packet belongs to a connection that has already seen traffic in both directions)

NEW (the packet starts a new connection)

RELATED (the packet is related to an established connection, such as an ICMP error message or an FTP data connection)

TOS ----- match the value of the TOS field in the IP header.
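To show how the command syntax and the match conditions above fit together, here is an added example (not code from the original article or from iptables) that parses the match part of a rule written in that syntax into a predicate and tests constructed packets against it. It models a subset of what the real tool accepts: -t, -A/-I, -j, -p, -s, -d, -i, -o, --sport, --dport and -m state --state; limit, mac, owner, mark and tos are not modelled, and the sample rules and packets are constructed.

```python
# Added example (not code from the original article or from iptables): parse
# the match part of an iptables rule into a predicate and evaluate packets
# against it. Subset modelled: -t, -A/-I, -j, -p, -s, -d, -i, -o, --sport,
# --dport and -m state --state. The rules and packets below are constructed.
import ipaddress
import shlex
from typing import Dict, List, Tuple


def parse_ports(text: str) -> Tuple[int, int]:
    """'22' -> (22, 22); '1024:65535' -> (1024, 65535) (iptables range syntax)."""
    lo, _, hi = text.partition(":")
    low = int(lo)
    return (low, int(hi) if hi else low)


def parse_rule(line: str) -> Dict:
    """Turn e.g. '-A INPUT -p tcp -s 10.0.0.0/8 --dport 22 -m state --state NEW -j ACCEPT'
    into {'table': ..., 'chain': ..., 'target': ..., 'match': {...}}."""
    args = shlex.split(line)
    spec: Dict = {"table": "filter", "chain": None, "target": None, "match": {}}
    m = spec["match"]
    i = 0
    while i < len(args):
        opt = args[i]
        if i + 1 >= len(args):
            raise ValueError(f"option {opt} needs a value")
        val = args[i + 1]
        if opt == "-t":
            spec["table"] = val
        elif opt in ("-A", "-I"):
            spec["chain"] = val
        elif opt == "-j":
            spec["target"] = val
        elif opt == "-p":
            m["proto"] = val.lower()
        elif opt in ("-s", "-d"):
            # strict=False lets '10.0.0.1/8' through, as iptables does
            m["src" if opt == "-s" else "dst"] = ipaddress.ip_network(val, strict=False)
        elif opt in ("-i", "-o"):
            m["in" if opt == "-i" else "out"] = val
        elif opt in ("--sport", "--dport"):
            m["sport" if opt == "--sport" else "dport"] = parse_ports(val)
        elif opt == "-m":
            pass  # extension name (e.g. state); its options are parsed as they come
        elif opt == "--state":
            m["state"] = {s.strip().upper() for s in val.split(",")}
        else:
            raise ValueError(f"unsupported option {opt}")
        i += 2
    if spec["chain"] is None or spec["target"] is None:
        raise ValueError("a rule needs a chain (-A/-I) and a target (-j)")
    if ("sport" in m or "dport" in m) and m.get("proto") not in ("tcp", "udp"):
        raise ValueError("--sport/--dport need -p tcp or -p udp")
    return spec


def matches(spec: Dict, pkt: Dict) -> bool:
    """Does the packet (a dict of header fields) satisfy every condition of the rule?"""
    m = spec["match"]
    if "proto" in m and pkt.get("proto") != m["proto"]:
        return False
    for key in ("src", "dst"):          # CIDR membership via the ipaddress module
        if key in m:
            addr = pkt.get(key)
            if addr is None or ipaddress.ip_address(addr) not in m[key]:
                return False
    for key in ("in", "out"):
        if key in m and pkt.get(key) != m[key]:
            return False
    for key in ("sport", "dport"):
        if key in m:
            lo, hi = m[key]
            if not lo <= int(pkt.get(key, -1)) <= hi:
                return False
    if "state" in m and pkt.get("state") not in m["state"]:
        return False
    return True


def matching_rules(lines: List[str], pkt: Dict) -> List[int]:
    """0-based indexes of the rules that would match pkt, in chain order."""
    return [i for i, line in enumerate(lines) if matches(parse_rule(line), pkt)]


if __name__ == "__main__":
    rules = [  # constructed host ruleset in the syntax shown above
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
        "-A INPUT -p tcp -s 10.0.0.0/8 --dport 22 -m state --state NEW -j ACCEPT",
        "-A INPUT -p udp --dport 1024:65535 -j DROP",
    ]
    pkt = {"in": "eth0", "proto": "tcp", "src": "10.1.2.3", "dst": "10.0.0.1",
           "sport": 51000, "dport": 22, "state": "NEW"}
    print(matching_rules(rules, pkt))
```

The parser insists that --sport/--dport come with -p tcp or -p udp, because a port match on a protocol that has no ports is a rule that never fires; the real iptables rejects the same combination. The state check is where the stateful part of the page lives: the second rule matches ESTABLISHED and RELATED regardless of protocol or port, so it is the one that lets reply traffic through a default-deny INPUT chain.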
