Linux system administrators have been familiar with Netfilter/iptables, which is a free firewall provided by Linux and has powerful functions. In the next series of in-depth introduction to the Netfilter/iptables firewall framework, we will give a detailed and systematic introduction to Netfilter/iptables. This article is a basic article. First, we will introduce the principles of the Netfilter/iptables framework. (For more information, see http:// OS .51cto.com/art/201107/273443.htm)
1. Introduction to the Netfilter/iptables framework
Netfilter/iptables can be used to precisely control inbound and outbound information and can run well on a low-configuration machine. It is considered as the fourth-generation application that implements the packet filtering function in Linux. Netfilter/iptables is included in the kernel after Linux 2.4, which can implement firewall, NAT network address translation), data packet segmentation, and other functions. Netfilter works inside the kernel, while iptables allows you to define the table structure of the rule set. Netfilter/iptables evolved from ipchains and ipwadfmIP firewall management.
Iptables mentioned here is a successor tool of ipchains, but it has higher scalability. The kernel module can register a new rule table) and require that data packets flow through the specified rule table. This type of data packet is used to implement the data packet filter table), the Network Address Translation NAT table), and the data packet processing mangle table ). The three datagram processing functions provided by the Linux 2.4 kernel and later versions are based on the netfilter hook function and IP table. They are independent modules of each other, it is perfectly integrated into the framework provided by netfilter, as shown in 1. Netfilter provides the following functions:
650) this. width = 650; "class =" fit-image "alt =" Netfilter/Iptables Framework Structure "src =" http://www.bkjia.com/uploads/allimg/131227/0R91M038-0.jpg "width =" 460 "height =" 395 "/>
Figure 1 Netfilter/Iptables Framework Structure
Based on the actual situation, use the Netfilter/iptables framework flexibly to generate corresponding firewall rules that can easily and efficiently block some network attacks and illegal datagram. See the working principles shown in figure 2 ). However, if the firewall is configured, protocols and software such as FTP, QQ, and MSN may fail to be used, some functions may fail to be used, or RPC Remote Process calls may fail, this requires you to configure the corresponding service proxy program as needed to enable these services. Note that the firewall may also be attacked internally, but it is not omnipotent. Other protection measures must be used in combination. Internal personnel cannot use Telnet to browse emails or send messages to external users through FTP. Therefore, individuals who are dissatisfied with the firewall may attack and destroy the firewall. In addition, the target of the attack is often the operating system running on the firewall or firewall, which greatly harms the security of the firewall system and even key information systems.
650) this. width = 650; "class =" fit-image "alt =" Netfilter/Iptables Framework Working Principle schematic "src =" http://www.bkjia.com/uploads/allimg/131227/0R91G3M-1.jpg "width =" 480 "height =" 294 "/>
Figure 2 working principle of the Netfilter/Iptables framework
2. Basic principles of iptables
By providing a firewall with instructions on what to do for information packets from a source, to a destination, or with a specific protocol type, rules control the filtering of information packets. Use the Special Command iptables provided by the Netfilter/iptables system to create these rules and add them to the chain in the specific information package filter table of the kernel space. The general syntax of the command for adding, removing, and editing rules is as follows:
iptables [-t table] command [match] [target]
It is easy to see that an iptables rule contains the following four basic elements:
1) table)
The [-t table] Option allows any table outside the standard table. A table is an information packet filtering table that contains rules and links that only process specific types of information packets. Three table options are available: filter, nat, and mangle. This option is not required. If not specified, the filter is used as the default table. The filter table is used for filtering information packets, including INPUT, OUTPUT, and FORWAR chains. The nat table is used to forward information packets. It contains PREROUTING, OUTPUT, and POSTROUTING chains. Use the mangle table if any changes are made to the information package and its header. This table contains rules to mark information packages for advanced routing, as well as PREROUTING and OUTPUT chains.
2) command)
Command is the most important part of the iptables command. It tells the iptables command what to do, such as inserting rules, adding rules to the end of the chain, or deleting rules. The command is shown in table 1.
Table 1 Common iptables commands
| Life order | Description |
| -A or -- append | This command attaches a rule to the end of the chain |
| -D or -- delete | Use-D to specify the rule to be matched or the location number of the rule in the chain. This command deletes the rule from the chain. |
| -P or -- policy | This command sets the default target of the chain, that is, the policy. All information packages that do not match any rules in the chain will be forced to use the chain policy. |
| -N or -- new-chain | Create a new chain with the name specified in the command |
| -F or -- flush | If the chain name is specified, this command deletes all rules in the chain. If the chain name is not specified, this command deletes all rules in all chains. This parameter is used to quickly clear |
| -L or -- list | Lists All rules in a specified chain. |
| -R or -- replace | Replaces a matching rule in a specified chain. |
| -X or -- delete-chain | Deletes the defined chain of a specified user. If no chain is specified, all user chains are deleted. |
| -C or -- check | Check whether the data packet matches the rule of the specified chain. |
| -Z or -- zero | Clears byte counters of all rules in the specified chain |
3) match)
The optional match part of the iptables command specifies the characteristics of information packets matching rules, such as source and destination addresses, and protocols ). There are two types of matching: general matching and protocol-specific matching. Here, the research will be available for general matching of information packages using any protocol. The following are some important and commonly used generic matching and their descriptions, as shown in table 2.
Table 2 General matching description
| General match | Description |
| -P or -- protocol | This generic Protocol match is used to check certain protocols. The Protocol examples include a list of combinations of TCP, UDP, ICMP, and any three Protocols separated by commas (,), and ALL is used for ALL protocols ). ALL is the default match. Available! The symbol does not match this item. |
| -S or -- source | This source match is used to match the source IP address of the information package. This match can also be used to match IP addresses in a certain range! Symbol, indicating that it does not match this item. Default source match matches all IP addresses |
| -D or -- destination | This destination match is used to match the destination IP addresses of the information package. This match can also be used to match IP addresses in a certain range! The symbol does not match this item. |
| -- Sport | Specifies the source port or port range of the rule. |
| -- Dport | Specify the target port or port range for matching rules |
| -I | Match a single network interface or a type of interface to set filter rules |
4) target)
As mentioned earlier, the target operation is the operation specified by the rule, which is performed on the information packages that match the rule. In addition to allowing users to define targets, there are also many available target options. The following are common targets, examples, and descriptions, as shown in table 3.
Table 3 target items
| Item | Description |
| ACCEPT | When the information package exactly matches the rule with an ACCEPT target, it is accepted to allow it to go to the destination) |
| DROP | When the information package exactly matches the rule with the DROP target, it will block the information package and will not be further processed. This target is specified as-j DROP |
| REJECT | This target works in the same way as the DROP target, but it is better than DROP. Unlike DROP, REJECT does not leave dead sockets on the server and client. In addition, the REJECT sends the error message back to the sender of the information package. The target is specified as-j REJECT. |
| RETURN | The RETURN target set in the rule makes the information package matched by the rule stop traversing the chain containing the rule. If a chain is a main chain such as INPUT, use the Default policy of the chain to process the information package. It is specified as-jump RETURN |
| LOG | Indicates recording the information about the package into the log. |
| TOS | Indicates the TOS value of the rewrite data packet. |
This article is from the blog "excellence begins with the foot" and will not be reproduced!
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
