The firewall in Linux is a packet-filtering firewall implemented by the netfilter/iptables network architecture. It can implement most of the functions of a hardware firewall, so it can be used as a substitute for a hardware firewall in enterprise application solutions. If the Linux kernel is later than 2.4, you can use iptables to implement firewall functions. The firewall itself is implemented in the Linux kernel, where the netfilter architecture provides the filtering; iptables is the user-space tool for managing netfilter, which is why we generally say that the firewall is managed with iptables.
---------------------------
iptables rule chains
(figure omitted)
The role of the iptables rule chains is to supply the rules netfilter uses to process packets. These rules tell netfilter where a received packet comes from, where it is going, which protocol it carries, and what should be done with it. If a received packet matches a rule in the chain, netfilter processes the packet as that rule says.
iptables has five rule chains; their functions are as follows:
1. local input chain: packets addressed to the local machine
2. forwarding chain: packets routed through the local machine to other hosts
3. local output chain: packets generated by the local machine
4. input chain (pre-routing): all received packets, both those addressed to the local machine and those to be routed to other hosts; at this point the routing decision has not yet been made, so the packet's destination is not yet known
5. output chain (post-routing): all packets leaving the local machine, both those generated locally and those routed through the local machine to other hosts
In iptables these chains are referred to by the following names:
1. INPUT: the local input chain
2. FORWARD: the forwarding chain
3. OUTPUT: the local output chain
4. PREROUTING: the input (pre-routing) chain
5. POSTROUTING: the output (post-routing) chain
------------------------------
Rule tables
The rule chains of iptables are organized in three different rule tables. These three tables and their functions are as follows:
1. filter: filters packets
2. nat: network address translation
3. mangle: changes packet contents
iptables selects the table according to the kind of packet processing required. The following shows which chains each of the three tables can hold rules for:
filter: filters packets; filtering conditions can be set on three chains:
    INPUT: packets addressed to the local machine
    OUTPUT: packets generated by the local machine
    FORWARD: packets routed through the local machine to other hosts
nat: network address translation; conditions can be set on three chains:
    PREROUTING: all received packets, both those addressed to the local machine and those to be routed to other hosts
    OUTPUT: packets generated by the local machine
    POSTROUTING: all packets leaving the local machine, both locally generated and routed through the local machine
mangle: changes packet contents; conditions on these chains select the packets whose contents are to be changed:
    PREROUTING: all received packets, both those addressed to the local machine and those to be routed to other hosts
    OUTPUT: packets generated by the local machine
-----------------------------
After understanding the rule chains above, let's look at how netfilter filters a packet.
When a packet enters from a network adapter, it first passes through PREROUTING. After PREROUTING, the system makes its routing decision: is the packet addressed to the local machine, or is it to be routed through the local machine to another host?
1. If the packet is to be routed to another host, it passes through FORWARD, where any filtering conditions in the FORWARD chain are checked. After FORWARD it goes to POSTROUTING, where the POSTROUTING conditions are checked, and is then transmitted out through the other network card.
(figure omitted)
2. If the packet is addressed to the local machine, it passes through INPUT, where the INPUT conditions are checked, and is then delivered, based on its contents, to the port of the relevant server process. When that process replies to the source host, the reply passes through OUTPUT, where the OUTPUT conditions are checked, then through POSTROUTING, where the POSTROUTING conditions are checked, and is then transmitted out through a network adapter.
(figure omitted)
-----------------------------
Rules
Now that we know how netfilter processes packets, we need to add rules for that processing. Rules are the most basic setting in the firewall and are used to express the firewall policy; when a packet passes through a chain, it is checked against that chain's rules in order.
(figure omitted: a packet-filtering rule)
-------------------------------
The basic configuration of iptables concerns managing the network firewall in Linux. The firewall functions are implemented by the kernel, and iptables is needed to manage them, so the iptables package is installed by default.
In RHEL 5.1 the iptables service runs by default. The service startup script is the file /etc/rc.d/init.d/iptables (figure omitted).
Viewing the status of the iptables service (figure omitted) shows that it is currently running.
In some cases you need to temporarily disable the firewall. You can do this by stopping and starting the iptables service:
(figure omitted: stopping the service disables the firewall)
(figure omitted: starting the service enables the firewall)
You can also enable or disable the firewall through a graphical interface by running the command system-config-securitylevel (figure omitted), or through a text-mode interface by running system-config-securitylevel-tui (figure omitted). Both can be used to start and stop the firewall.
These are the basic configuration operations of iptables.
Now let's look at the basic running state of the firewall. For this we use the iptables command: iptables -L displays the contents of the default filter table (figure omitted).
---------------------------------
Firewall configuration
Now that you are familiar with the basic operations above, you can configure the firewall. If the server is local, you can use the command system-config-securitylevel to open the graphical configuration interface (figure omitted).
If you need to open some services for client access, select them under trusted services. If the service you provide is not in that list, add its ports under other ports.
Here we mainly configure the firewall with the iptables command on the text interface. This method is usually used for remote configuration, but it has one pitfall: it is possible to block yourself out and lose access to the machine. For this reason the general principle is to make the basic configuration locally.
1. Clear all firewall rules with the command iptables -F (figure omitted).
Use the iptables -L command to display the contents of the default filter table.
Because host security mainly involves the INPUT and OUTPUT chains of the filter table, most of the configuration below is for this table.
iptables syntax:
iptables [-t table] -[L|F|X] [chain] [options]
By default, if you do not use the -t parameter to specify a table, the operation is performed on the filter table. To operate on another table, give its name after -t: filter, nat or mangle.
-L: lists the rules in the table.
-F: flushes (clears) all rules.
-X: deletes all user-defined chains.
chain: the chain in the table to operate on.
options: the match conditions and the action (target) to apply to matching packets; these may be omitted, for example when listing rules.
--------------------------------------
Adding the first rule
(figure omitted)
iptables -A INPUT -i lo -j ACCEPT. Analyzing this statement:
-A INPUT: -A appends a rule to a chain. When adding a rule you must name the chain it is added to, here INPUT, so the rule is added to the INPUT chain. -D instead deletes a rule from the chain.
-i lo: the network interface the packet arrives on; lo is the local loopback interface. For a physical NIC it would be, for example, eth0.
-j ACCEPT: the packet is allowed through. With -j DROP the packet is discarded.
iptables -L -v: displays the filter table in detail.
(figure omitted: the rule shown accepts, on the eth0 network interface, all packets from the network segment 192.168.0.0/24.)
If the network services provided by RHEL 5.1 are to be reachable by clients, the corresponding ports must be opened, so the protocol and port are specified in iptables (figure omitted):
-p tcp: the protocol used by the packet.
--dport 80: destination port 80, that is, the web service; change the port as needed.
A complete rule is written as follows. This one drops packets coming from the address range 192.168.0.0/24 and addressed to 127.0.0.1:
iptables -t filter -A INPUT -s 192.168.0.0/24 -d 127.0.0.1 -j DROP
-t: the table; filter: set this policy in the filter table.
-s: the source address of the packet.
-d: the destination address of the packet.
-------------------------------
Default policy
A packet-filtering ruleset generally has a default policy, which is applied when a packet matches none of the rules.
You can use -P to set the default policy of a chain (figure omitted; the script at the end of this page sets the INPUT chain's default policy to DROP in this way).
With that policy, a packet that matches no rule is dropped.
The last step is to save these settings; if they are not saved, the policy is gone after the next restart.
(figure omitted: all rules saved to the configuration file)
Tip: entering rules one by one is tedious. Usually all rules are placed in a script file; then, every time you set up the firewall, you edit the script first and run it. A sample script looks like this:
#!/bin/bash
# start from an empty filter table
iptables -F
iptables -X
# default policy: drop anything no rule accepts
iptables -P INPUT DROP
# allow loopback, the local network segment, and the web service on eth0
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -s 192.168.0.0/24 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
# iptables-save only prints to stdout; redirect it to the RHEL ruleset file to persist
iptables-save > /etc/sysconfig/iptables
Make the script executable and then run it.
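The script above, together with the warning in the firewall-configuration section that remote configuration can block you out of your own machine, suggests a safer way to apply a ruleset. The following is an added example and not the article's own script: it builds the same kind of policy (default DROP on INPUT, loopback and LAN accepts, port 80 open), adds the rules a remote administrator's session needs so the script does not cut off that session, and refuses to apply a ruleset that lacks them. The segment 192.168.0.0/24 and interface eth0 come from the article; ADMIN_PORT=22, the DRY_RUN switch, the function names ipt, build_rules, lockout_check and apply_firewall, and /etc/sysconfig/iptables as the persistent ruleset path on RHEL are assumptions of this example.

```shell
#!/bin/bash
# Added example, not the article's own script. Builds a filter-table policy in
# the same style as the script above and refuses to apply it if it would lock
# out remote administration. All values below are assumptions; adjust them.
LAN="${LAN:-192.168.0.0/24}"          # trusted segment, as in the article
IFACE="${IFACE:-eth0}"                # physical interface, as in the article
ADMIN_PORT="${ADMIN_PORT:-22}"        # assumed port of the remote admin session
DRY_RUN="${DRY_RUN:-0}"               # 1 = print the commands instead of running them
SAVE_FILE="${SAVE_FILE:-/etc/sysconfig/iptables}"   # assumed RHEL ruleset file

# ipt: run iptables, or print the command line when DRY_RUN=1.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# build_rules: emit the whole policy, in order. Rules are matched top to
# bottom, so the loopback and established-connection accepts come first and
# the chain's default policy DROP catches whatever no rule accepted.
build_rules() {
    ipt -F                                   # flush the filter table
    ipt -X                                   # delete user-defined chains
    ipt -P INPUT DROP                        # default: drop unmatched input
    ipt -P FORWARD DROP                      # this host does not route
    ipt -P OUTPUT ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    # replies to connections this host opened, and the admin's own session
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j DROP
    ipt -A INPUT -i "$IFACE" -s "$LAN" -p tcp --dport "$ADMIN_PORT" -j ACCEPT
    ipt -A INPUT -i "$IFACE" -s "$LAN" -p tcp --dport 80 -j ACCEPT
}

# lockout_check RULES: RULES is the text printed by a DRY_RUN=1 build_rules.
# Returns 0 if the ruleset is safe to apply remotely: either INPUT is not
# DROP by default, or it is and both the established-state accept and an
# ACCEPT on the admin port are present. Returns 1 otherwise.
lockout_check() {
    rules="$1"
    printf '%s\n' "$rules" | grep -q -- '-P INPUT DROP' || return 0
    printf '%s\n' "$rules" | grep -q -- '--state ESTABLISHED' || return 1
    printf '%s\n' "$rules" | grep -q -- "--dport $ADMIN_PORT -j ACCEPT" || return 1
    return 0
}

# apply_firewall: preview the policy, check it, then apply and persist it.
apply_firewall() {
    preview="$(DRY_RUN=1; build_rules)"
    if ! lockout_check "$preview"; then
        echo "refusing to apply: ruleset would lock out remote administration" >&2
        return 1
    fi
    build_rules
    # iptables-save alone only prints to stdout; redirect it to persist.
    [ "$DRY_RUN" = "1" ] || iptables-save > "$SAVE_FILE"
}

# usage: DRY_RUN=1 ./firewall.sh apply  (preview)   ./firewall.sh apply  (as root)
case "${1:-}" in
    apply) apply_firewall ;;
esac
```

With DRY_RUN=1 the script only prints the iptables command lines, so the preview and the check run on any machine; without it, run it as root on the firewall host. The check is deliberately narrow: it only looks for the established-connection accept and an ACCEPT on the admin port, and only when the INPUT policy is DROP, which is exactly the combination that produces the lock-out the article warns about. On RHEL 5.1 the -m state match is the one available; on current iptables it is kept as an alias of -m conntrack --ctstate.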