Interview questions about the Linux firewall 'iptables'
Nishita Agarwal, a Tecmint user, shares her experience of a recent interview with a private company in Pune, India. She was asked many different questions during the interview, and since she is well versed in iptables, she wanted to share the iptables questions and her answers with readers who may be interviewing later.
All questions and answers are reconstructed from Nishita Agarwal's memory.
"Hi, friends! My name is Nishita Agarwal. I hold a Bachelor of Science degree, and my focus has been on UNIX and its variants (BSD, Linux). They have always held a deep attraction for me. I have more than one year of experience in storage. I was looking for a career change and will be working for a company in Pune, India."
Here is a collection of the questions I was asked in the interview. I have written down the questions about iptables and their answers from memory. Hopefully this will help you in your future interviews.
1. Have you heard of iptables and firewalld on Linux? Do you know what they are and what they are used for?
Answer: I know both iptables and firewalld, and I have been using iptables for a while. iptables is mainly written in C and released under the GNU GPL licence. It is written from the system administrator's point of view; the latest stable version is iptables 1.4.21. iptables is often used as the firewall on Unix-like systems, and more accurately it can be called iptables/netfilter. Administrators interact with iptables through terminal or GUI tools to add and define firewall rules in predefined tables. netfilter is a module in the kernel that performs the packet filtering work.
firewalld is the latest implementation of filtering rules in RHEL/CentOS 7 (and perhaps other distributions, but I'm not quite sure). It has replaced the iptables interface and connects to netfilter.
2. Have you used any iptables GUI or command-line tools?
Answer: Although I have used GUI tools such as Shorewall with Webmin as well as iptables directly through the terminal, I must admit that direct access to iptables through the Linux terminal gives the user far more flexibility and a better understanding of what is going on underneath. The GUI is suitable for junior administrators, while the terminal is suitable for experienced administrators.
3. What is the basic difference between iptables and firewalld?
Answer: iptables and firewalld both serve the same purpose (packet filtering), but they take different approaches. Unlike firewalld, iptables reloads the entire rule set each time a change is made. Typically the iptables configuration file is located at '/etc/sysconfig/iptables', while the firewalld configuration is located under '/etc/firewalld/'. The firewalld configuration consists of a set of XML files. XML-based firewalld is easier to configure than iptables, but both can accomplish the same task. For example, firewalld uses iptables underneath its own command-line interface and XML-based configuration files.
4. Would you replace iptables with firewalld on all your servers if you had the opportunity?
Answer: I am very familiar with iptables, and it works very well. There is no reason to move all the configuration from iptables to firewalld if the dynamic features of firewalld are not needed. So far I haven't seen iptables cause any trouble. The general rule of IT says, "why fix something that isn't broken?" That is my own view, but I don't mind if the organization wants to replace iptables with firewalld.
5. You seem confident with iptables, and coincidentally our servers also use iptables. What tables does iptables use? Please briefly describe the tables used by iptables and the chains they support.
Answer: Thank you for your appreciation. As for the question you asked, iptables uses four tables, which are:
NAT table
Mangle table
Filter table
Raw table
NAT table: The NAT table is primarily used for network address translation. It modifies the IP address of packets according to the rules in the table. Packets in a stream traverse the NAT table only once: for example, if a packet passing through an interface is altered (its IP address modified), the remaining packets in the stream no longer traverse the table. Filtering is generally not recommended in this table. The chains supported by the NAT table are the PREROUTING, POSTROUTING and OUTPUT chains.
Mangle table: As its name suggests, this table is used to alter packets. It is used to modify special packets, and it can modify the headers and contents of different packets. The mangle table cannot be used for address spoofing. The supported chains are the PREROUTING, OUTPUT, FORWARD, INPUT and POSTROUTING chains.
Filter table: The filter table is the default table in iptables and is used to filter packets. If no rule is defined, the filter table is treated as the default table and filtering is based on it. The supported chains are the INPUT, OUTPUT and FORWARD chains.
Raw table: The raw table is used when we want to configure packets to be exempted. It supports the PREROUTING and OUTPUT chains.
6. Briefly explain what the target values in iptables are (what can be specified as a target) and what they are used for.
Answer: The following values can be specified as targets in iptables:
ACCEPT: accept the packet
QUEUE: pass the packet to user space (where applications and drivers reside)
DROP: drop the packet
RETURN: return control to the calling chain and stop processing the remaining rules for this packet in the current chain
7. Let's talk about the technical side of iptables, by which I mean its practical use. How do you check for the iptables RPM needed to install iptables on CentOS?
Answer: iptables is installed by default on CentOS, so we do not need to install it separately. However, the RPM can be checked like this:
# rpm -qa iptables
iptables-1.4.21-13.el7.x86_64
If it does need to be installed, you can use yum:
# yum install iptables-services
8. How do you check and make sure that the iptables service is running?
Answer: You can run the following command in the terminal to check the status of iptables.
# service iptables status        [on CentOS 6/5]
# systemctl status iptables      [on CentOS 7]
If iptables is not running, you can use the following commands:
---------------- under CentOS 6/5 ----------------
# chkconfig iptables on
# service iptables start
---------------- under CentOS 7 ----------------
# systemctl enable iptables
# systemctl start iptables
We can also check whether the iptables module is loaded:
# lsmod | grep ip_tables
9. How do you check the rules currently defined in iptables?
Answer: The current rules can be viewed with the following command:
# iptables -L
Sample output:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
10. How do you flush all iptables rules, or a specific chain?
Answer: You can use the following command to flush a specific chain:
# iptables --flush OUTPUT
To flush all the rules, you can use:
# iptables --flush
11. In iptables, add a rule that accepts all packets coming from a trusted IP address (for example, 192.168.0.7).
Answer: The above scenario can be handled by running the following command:
# iptables -A INPUT -s 192.168.0.7 -j ACCEPT
We can also use CIDR notation or a subnet mask in the source IP:
# iptables -A INPUT -s 192.168.0.7/24 -j ACCEPT
# iptables -A INPUT -s 192.168.0.7/255.255.255.0 -j ACCEPT
12. How do you add rules to ACCEPT, REJECT, DENY and DROP the SSH service in iptables?
Answer: Assuming SSH is running on port 22, which is the default SSH port, we can add a rule in iptables to ACCEPT SSH TCP packets (on port 22):
# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
To REJECT TCP packets for the SSH service (port 22):
# iptables -A INPUT -p tcp --dport 22 -j REJECT
To DENY TCP packets for the SSH service (port 22):
# iptables -A INPUT -p tcp --dport 22 -j DENY
To DROP TCP packets for the SSH service (port 22):
# iptables -A INPUT -p tcp --dport 22 -j DROP
13. Let me give you another scenario: there is a computer with the local IP address 192.168.0.6. You need to block connections on ports 21, 22, 23 and 80. What would you do?
Answer: Here all I need is the 'multiport' option of iptables, followed by the port numbers to be blocked. The above scenario can be handled with the following statement:
# iptables -A INPUT -s 192.168.0.6 -p tcp -m multiport --dport 22,23,80,8080 -j DROP
You can use the following command to view the rule that was written:
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
DROP       tcp  --  192.168.0.6          anywhere             multiport dports ssh,telnet,http,webcache

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
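As an added example (not part of the original interview or article), the following Python script parses the rule-spec form of a listing (iptables -S) and flags rules that can never match because they were appended after a catch-all REJECT, which is what happens when the DROP rule from question 13 is added with -A to the default CentOS INPUT chain shown above. The sample rule set is constructed to mirror that listing; the '-i lo' match is an assumption.

```python
from collections import namedtuple

TERMINAL = {"ACCEPT", "DROP", "REJECT"}  # targets that end traversal of a chain
Rule = namedtuple("Rule", "chain matches target tail")  # matches: tokens before -j; tail: all after chain

def parse_rule_specs(text):
    """Parse 'iptables -S' output (one rule-spec per line) into Rule tuples."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "-A" or "-j" not in tok:
            continue  # -P policy and -N chain lines carry no rule
        j = tok.index("-j")
        rules.append(Rule(tok[1], tok[2:j], tok[j + 1], " ".join(tok[2:])))
    return rules

def find_shadowed(rules):
    """Return (rule, catch_all_position) for every rule that can never match because an
    earlier rule in its chain has no match criteria and a terminating target."""
    blocked, position, shadowed = {}, {}, []
    for r in rules:
        position[r.chain] = position.get(r.chain, 0) + 1
        if r.chain in blocked:
            shadowed.append((r, blocked[r.chain]))
        elif not r.matches and r.target in TERMINAL:
            blocked[r.chain] = position[r.chain]
    return shadowed

def suggest_insert(rule, catch_all_pos):
    """Rewrite a shadowed rule as an -I command that lands before the catch-all."""
    return "iptables -I %s %d %s" % (rule.chain, catch_all_pos, rule.tail)

def audit(text):
    return [suggest_insert(r, pos) for r, pos in find_shadowed(parse_rule_specs(text))]

# Constructed sample modelled on the page's 'iptables -L' listing: the CentOS default
# rules plus the question-13 DROP rule appended with -A. The '-i lo' match is an
# assumption; 'iptables -L' without -v hides interface matches, hence -S is parsed here.
SAMPLE = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -s 192.168.0.6/32 -p tcp -m multiport --dports 22,23,80,8080 -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
"""
```

On a real host, feed the output of iptables -S into audit() instead of SAMPLE; each returned command re-adds the shadowed rule at the position just before the catch-all.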
Interviewer: Well, that's all I wanted to ask. You are a very valuable candidate and we would not want to miss you. I will recommend your name to HR. If you have any questions, please ask me.
As a candidate, I didn't want to keep asking about future projects and other things at the company, as that would have interrupted a pleasant conversation. Not to mention that the HR round would be more difficult. In short, I got the opportunity.
I would also like to thank Avishek and Ravi (my friends) for taking the time to help me write up my interview.
Friends! If you have had a similar interview and would like to share your experience with millions of Tecmint readers, please send your questions and answers to [email protected].
Thank you! Keep in touch. If any of the above questions could be answered better, please let me know.
Author: Avishek Kumar. Translator: Wwy-hust. Proofreading: Wxy.
Reference source:
Interview questions about the Linux firewall 'iptables'
http://www.lai18.com/content/436918.html