Linux is known for its powerful firewall capabilities, and those rest on iptables: a user-space tool that manages the flow and forwarding of network packets by controlling the kernel's netfilter module. It defends against many common network attacks, such as port scans and password brute-forcing.
I. The firewall model
Basic host communication model: a packet that arrives at the host is first placed in a buffer and then handled by the kernel. The kernel checks whether the destination address of the data frame is a local address. If it is, it unpacks the TCP or UDP segment, finds the destination port, and delivers the data to the process that registered that port with the kernel. If the destination address is not local, the kernel checks whether forwarding is enabled; if it is, it looks up the route, decides which interface to send from, re-encapsulates the IP packet and data frame, and passes the signal down to the corresponding network card at the physical layer. Outgoing packets take the reverse path: an application-layer program encapsulates its data and hands it to the kernel, and the kernel routes it out of the corresponding interface.
netfilter controls packets by placing hooks at the key points that every packet passes through. netfilter has five built-in hooks:
1. INPUT
2. OUTPUT
3. FORWARD
4. PREROUTING
5. POSTROUTING
Three kinds of packet flow:
Into this host: PREROUTING --> INPUT --> user-space process
Out of this host: user-space process --> OUTPUT --> POSTROUTING
Forwarded through this host: PREROUTING --> FORWARD --> POSTROUTING
iptables (netfilter): four tables, five chains
Functions: each function corresponds to one of the four tables; the core firewall function is provided by the filter table.
filter: packet filtering, the firewall function proper;
nat: network address translation; modifies the source or destination IP, and can also change the source or destination port;
mangle: unpacks the packet, modifies it, and re-encapsulates it;
raw: turns off the connection tracking mechanism that the nat table enables;
iptables chains: the names the hooks go by in iptables
Built-in chains:
PREROUTING
INPUT
FORWARD
OUTPUT
POSTROUTING
Custom chains: chains added by hand, reached from the built-in chains, so that rules can be managed more flexibly;
Which tables can hook which chains (table <--> chain):
raw: PREROUTING, OUTPUT
mangle: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING
nat: PREROUTING, INPUT, OUTPUT, POSTROUTING
filter: INPUT, FORWARD, OUTPUT
Each table's function has a priority on a chain; the OUTPUT chain, for example, can carry rules from all four tables. Within one table the rules on a chain are checked in order, and the rules of different tables on the same chain are applied in a fixed priority order (from high to low).
Where the routing decisions happen:
After a packet enters the host:
Is the destination host this machine?
Yes: INPUT
No: FORWARD
Before a packet leaves the host:
Which interface should it be sent out of to reach the next hop?
The iptables service: iptables itself is a script run at boot that loads the saved rules. A rule takes effect in the kernel immediately after it is written.
II. Rules of iptables/netfilter
Rules:
Components: a match condition and a processing action. A packet is tested against the rule's match condition; once it matches, the action defined by the rule is applied and the packet is not checked against further rules;
Match condition: when several conditions are given, the default logic is AND
Basic match criteria
Extended match criteria: possible because netfilter is modular
Processing action: the target
Basic processing actions
Extended processing actions
Custom processing mechanism (custom chains)
The order of the rules on a chain is the order in which they are checked, which implies some rules of thumb:
(1) For rules of the same kind (controlling access to the same application), place the one with the narrower match range first;
(2) For rules of different kinds (controlling access to different applications), place the one that matches packets most often first;
(3) Merge several rules that can be expressed as a single rule;
(4) Set the default policy;
Where rules overlap, the first match wins.
Points to consider when adding a rule:
(1) What function to implement: this decides which table to add it to;
(2) The path the packet takes: this decides which chain to add it to;
III. The iptables command
iptables: administration tool for IPv4 packet filtering and NAT
iptables [-t table] {-A|-C|-D} chain rule-specification
iptables [-t table] -I chain [rulenum] rule-specification
iptables [-t table] -R chain rulenum rule-specification
iptables [-t table] -D chain rulenum
iptables [-t table] -S [chain [rulenum]]
iptables [-t table] {-F|-L|-Z} [chain [rulenum]] [options...]
iptables [-t table] -N chain
iptables [-t table] -X [chain]
iptables [-t table] -P chain target
iptables [-t table] -E old-chain-name new-chain-name
Options:
rule-specification = [matches...] [target]
match = -m matchname [per-match-options]
target = -j targetname [per-target-options]
Main format: iptables [-t table] COMMAND chain [-m matchname [per-match-options]] -j targetname [per-target-options]
-t table:
raw, mangle, nat, [filter] (filter is the default)
COMMAND:
Chain management:
-N: new, define a custom chain;
-X: delete, delete an empty custom chain;
-P: policy, set the default policy; the default policies available for a chain in the filter table are:
ACCEPT: accept
DROP: discard, returning nothing to the sender
REJECT: reject, returning a result to the sender
-E: rename a custom chain that is not referenced; a custom chain whose reference count is not 0 can be neither renamed nor deleted;
iptables -N testchain
iptables -nL
iptables -E testchain mychain
iptables -nL
iptables -X mychain
iptables -nL
iptables -L
iptables -L | grep policy
Rule management:
-A: append, adds the rule at the end of the chain;
-I: insert, inserts at the given position; if the position is omitted, the rule becomes the first one;
-D: delete, deletes a rule, given either
(1) the rule's sequence number, or
(2) the rule specification itself;
-R: replace, replaces the rule at the specified position on the specified chain;
-F: flush, empties the specified chain of rules;
-Z: zero, resets the counters to 0;
Each rule in iptables has two counters:
(1) the number of packets matched by the rule;
(2) the total bytes of all packets matched by the rule;
# iptables -nL INPUT
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
-S: selected, displays the rules on the chain in the format of the iptables-save command;
This is the format in which all rules can be saved to a file and restored later.
View:
-L: list, lists all rules on the specified chain;
-n: numeric, displays addresses and port numbers in numeric form;
-v: verbose, detailed information;
-vv, -vvv: more detail;
-x: exact, displays the exact value of the counters;
--line-numbers: displays the sequence number of each rule;
Combinations: -nvL; L can only be placed at the right end of the combination, e.g. -nL, -nvL
Chains:
PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING
Match criteria:
Basic match criteria
No module needs to be loaded; these are provided by iptables/netfilter itself;
[!] -s, --source address[/mask][,...]: check whether the source IP address of the packet matches the address or range given here;
[!] -d, --destination address[/mask][,...]: check whether the destination IP address of the packet matches the address or range given here;
[!] -p, --protocol protocol: restrict the protocol
protocol: tcp, udp, udplite, icmp, icmpv6, esp, ah, sctp, mh or "all"
Most commonly used: {tcp|udp|icmp}
[!] -i, --in-interface name: the interface the packet arrived on; only applies to incoming packets, so it can only be used on the PREROUTING, INPUT and FORWARD chains;
[!] -o, --out-interface name: the interface the packet leaves by; only applies to outgoing packets, so it can only be used on the FORWARD, OUTPUT and POSTROUTING chains.
Extended match criteria
An extension module must be loaded before its criteria take effect; the matching mechanism is introduced by the extension module: -m matchname
Implicit extensions
These extension modules can be loaded without the -m option: they are extensions of a protocol, so specifying the protocol with -p already indicates which module is to be loaded;
[!] -p, --protocol protocol
protocol: tcp, udp, udplite, icmp, esp, ah, sctp or all
tcp: implicitly indicates "-m tcp", with these special options:
[!] --source-port, --sport port[:port]: the source port of the TCP packet to match; can be a port range (start:end);
[!] --destination-port, --dport port[:port]: the destination port of the packet to match; can be a port range;
[!] --tcp-flags mask comp: check the TCP flag bits named in mask; of those, the flags named in comp must be 1 and the rest must be 0
mask is the list of flags to examine, written as a comma-separated list
For example: "--tcp-flags syn,ack,fin,rst syn" means the four flags SYN, ACK, FIN and RST are checked; SYN must be 1 and the remaining three must be 0;
"--tcp-flags syn,ack,fin,rst ack,fin" means the four flags SYN, ACK, FIN and RST are checked; ACK and FIN must be 1 and the remaining two must be 0;
"--tcp-flags syn,ack,fin,rst NONE" means the four flags SYN, ACK, FIN and RST are checked and must all be 0;
"--tcp-flags syn,ack,fin,rst syn,ack,fin,rst" means the four flags SYN, ACK, FIN and RST are checked and must all be 1;
[!] --syn: matches the first packet of the handshake; equivalent to "--tcp-flags syn,ack,fin,rst syn";
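As an added illustration (not code from the original post), the POSIX shell function below models how "--tcp-flags mask comp" is evaluated: only the flags named in mask are taken from the packet, and that masked set must equal comp exactly, so flags outside mask (PSH and URG in the examples above) never affect the result. The flag names, ALL, NONE and the --syn shorthand are iptables' own; the helper functions themselves are hypothetical.

```shell
# Hypothetical helper: is flag $2 present in the comma-separated list $1?
has_flag() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Hypothetical model of "--tcp-flags MASK COMP" applied to a packet whose set
# flags are given as PKT (comma-separated, "" for none). Flag names as in
# iptables: FIN SYN RST PSH ACK URG, plus ALL and NONE. Returns 0 on a match.
tcp_flags_match() {
    mask=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    comp=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    pkt=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    all="fin,syn,rst,psh,ack,urg"
    [ "$mask" = "all" ] && mask=$all
    [ "$comp" = "all" ] && comp=$all
    [ "$comp" = "none" ] && comp=""
    # Compare (packet flags AND mask) with comp flag by flag: a flag outside mask
    # never counts; a flag inside mask must be set exactly when it appears in comp.
    for f in fin syn rst psh ack urg; do
        bit=0; want=0
        if has_flag "$mask" "$f" && has_flag "$pkt" "$f"; then bit=1; fi
        if has_flag "$comp" "$f"; then want=1; fi
        [ "$bit" -eq "$want" ] || return 1
    done
    return 0
}

# "--syn" is shorthand for "--tcp-flags syn,ack,fin,rst syn": the first handshake packet.
tcp_syn_match() {
    tcp_flags_match "syn,ack,fin,rst" "syn" "$1"
}
```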
udp: implicitly indicates "-m udp", with these special options:
[!] --source-port, --sport port[:port]: the source port of the packet to match;
[!] --destination-port, --dport port[:port]: the destination port of the packet to match; can be a port range;
icmp:
[!] --icmp-type {type[/code]|typename}: the type alone may be given; types 0 and 8 each have only one code
echo-request: 8/0, the ping request
echo-reply: 0/0, the reply from the other side
Note: a DNS server serving clients opens its own port 53; when it resolves recursively on behalf of clients, it also reaches the peer's port 53;
When this host pings someone else: ICMP type 8 goes out and type 0 comes back
When someone else pings this host: ICMP type 8 comes in and type 0 goes out
Explicit extensions
The extension module must be loaded manually: [-m matchname [per-match-options]];
Processing actions:
-j targetname [per-target-options]
ACCEPT
DROP
REJECT
RETURN: return to the calling chain;
REDIRECT: port redirection;
LOG: logging;
MARK: set a firewall mark on the packet;
DNAT: destination address translation;
SNAT: source address translation;
MASQUERADE: address masquerading;
...
Custom chain: jump to a user-defined chain by name
IV. Firewall services
CentOS 6:
service iptables {start|stop|restart|status}
start: reads the pre-saved rules and applies them to netfilter;
stop: clears the rules in netfilter and restores the default policies, etc.;
status: shows the rules currently in effect;
restart: clears the rules in netfilter, then reads the pre-saved rules and applies them again;
Default rule file: /etc/sysconfig/iptables
CentOS 7:
systemctl start|stop|restart|status firewalld.service
systemctl disable firewalld.service
systemctl stop firewalld.service
V. Simple examples
Firewall for a host running a DNS service: the DNS service must work normally, but no other ports are open.
First, change the default policies: set the INPUT and OUTPUT default policy to DROP, so that every packet is discarded unless a rule accepts it;
iptables -P INPUT DROP
iptables -P OUTPUT DROP
Second, open the host's DNS service
iptables -A INPUT -d 172.18.100.67 -s 0/0 -p tcp --dport 53 -j ACCEPT
iptables -A OUTPUT -s 172.18.100.67 -d 0/0 -p tcp --sport 53 -j ACCEPT
Next, since the DNS server may query other DNS servers recursively on behalf of its clients, also allow it, acting as a DNS client, to reach port 53 of the root DNS servers;
iptables -A INPUT -s 0/0 -d 172.18.100.67 -p tcp --sport 53 -j ACCEPT
iptables -A OUTPUT -s 172.18.100.67 -p tcp --dport 53 -j ACCEPT
The sshd service usually needs to stay reachable as well, so add
iptables -A INPUT -d 172.18.100.67 -s 0/0 -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -s 172.18.100.67 -d 0/0 -p tcp --sport 22 -j ACCEPT
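The whole procedure above, gathered into one script as an added example (not the post's own code): the rules are issued through a variable $IPT, so running it with IPT=echo prints the commands instead of applying them. It goes beyond the post's rules in two ways: it flushes INPUT and OUTPUT first so a second run does not append duplicate rules, and it opens UDP port 53 as well, because ordinary DNS queries travel over UDP and TCP-only rules would block them. The address 172.18.100.67 is the post's; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: host firewall for a DNS server (function names hypothetical).
# Usage: apply_dns_firewall <host-ip>            (as root), or
#        IPT=echo apply_dns_firewall <host-ip>   to print the rules only.
IPT=${IPT:-iptables}

apply_dns_firewall() {
    host=$1
    # Empty INPUT/OUTPUT first so re-running does not duplicate rules, then
    # default-deny both directions: anything not accepted below is dropped.
    $IPT -F INPUT
    $IPT -F OUTPUT
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    # DNS over UDP (ordinary queries) and over TCP (large answers, zone transfers).
    for proto in udp tcp; do
        # Serving clients: queries to our port 53 in, answers from our port 53 out.
        $IPT -A INPUT  -d "$host" -p "$proto" --dport 53 -j ACCEPT
        $IPT -A OUTPUT -s "$host" -p "$proto" --sport 53 -j ACCEPT
        # Recursing for clients: this host as a DNS client reaches other servers' port 53.
        $IPT -A OUTPUT -s "$host" -p "$proto" --dport 53 -j ACCEPT
        $IPT -A INPUT  -d "$host" -p "$proto" --sport 53 -j ACCEPT
    done
    # Keep remote administration: SSH to port 22 in, its replies out.
    $IPT -A INPUT  -d "$host" -p tcp --dport 22 -j ACCEPT
    $IPT -A OUTPUT -s "$host" -p tcp --sport 22 -j ACCEPT
}

# rule_count <host-ip>: number of ACCEPT rules a dry run of the function emits.
rule_count() {
    (IPT=echo; apply_dns_firewall "$1") | grep -c -- '-j ACCEPT'
}

if [ "$#" -eq 1 ]; then
    apply_dns_firewall "$1"
fi
```

Matching on port numbers alone accepts any inbound packet whose source port is 53; the connection-tracking extension, which the post defers to its sequel, is what tightens that.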
For reasons of space, only the basic host firewall settings are covered here; the next post describes the advanced extensions of the host firewall.
This article is from the "Deep Sea Fish" blog; please keep this source: http://kingslanding.blog.51cto.com/9130940/1769431
Iptables Firewall's host firewall