The iptables firewall: host firewall basics

Source: Internet
Author: User

Linux owes much of its reputation for firewalling to iptables, a user-space tool that configures the kernel's netfilter framework and through it controls how packets are filtered, rewritten and forwarded. With suitable rules it mitigates a number of common network attacks, such as port scans and password brute-forcing (by dropping malformed probe packets and rate-limiting connection attempts), although it is a packet filter and by itself knows nothing about application-layer content.

I. The firewall model

Basic host communication model: a frame arriving on a network card is placed in a kernel buffer and handed to the network stack. The kernel first checks whether the frame's destination address is a local address. If it is, the IP packet is decapsulated into a TCP or UDP segment, the destination port is looked up, and the payload is delivered to the process that registered that port with the kernel. If the destination is not local, the kernel checks whether forwarding is enabled; if it is, the routing table is consulted to choose the outgoing interface, the packet is re-encapsulated in a new frame and handed to that interface's card to be put on the wire. Outgoing traffic runs the other way: an application hands data to the kernel, which encapsulates it and routes it out through the appropriate interface.

Netfilter controls packets by placing hooks at the key points of this path; every packet that passes a hook is handed to the rules registered on it. Netfilter has five built-in hooks, in the order a packet meets them:

1. PREROUTING

2. INPUT

3. FORWARD

4. OUTPUT

5. POSTROUTING

Three kinds of packet flow:

Inbound to the local host: PREROUTING -> INPUT -> user-space process

Outbound from the local host: user-space process -> OUTPUT -> POSTROUTING

Forwarded through the host: PREROUTING -> FORWARD -> POSTROUTING

iptables (netfilter): four tables, five chains


Functions: each function corresponds to one of four tables; the basic firewall function is carried out by the filter table.

filter: packet filtering, the firewall proper;

nat: network address translation; rewrites the source or destination IP address and, optionally, the source or destination port;

mangle: unpacks the packet, modifies header fields (TTL, TOS/DSCP, marks), and repacks it;

raw: processed before every other table; used to exempt packets from the connection-tracking mechanism that the nat table (and the state match) depend on.


iptables chains: the hooks as they are named in iptables

Chains (built-in):

PREROUTING

INPUT

FORWARD

OUTPUT

POSTROUTING

Custom chains: user-defined chains that a built-in chain jumps to, so that related rules can be grouped and managed more flexibly;

Which chains each table can place rules on (table <--> chain):

raw: PREROUTING, OUTPUT

mangle: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING

nat: PREROUTING, INPUT, OUTPUT, POSTROUTING

filter: INPUT, FORWARD, OUTPUT

Each table registers on a chain with its own priority. On a chain such as OUTPUT, which carries rules from all four tables, the rules within one table are evaluated in order, and the tables themselves are consulted in a fixed order, from highest to lowest priority: raw, mangle, nat, filter.

When the routing decisions happen:

After a packet enters the host:

Is the destination host this machine?

Yes: INPUT

No: FORWARD

Before a packet leaves the host:

Which interface sends it to the next hop?

The iptables "service" is only a script run at boot that loads a saved rule set; there is no daemon. A rule written with the iptables command takes effect in the kernel immediately.

II. Rules of iptables/netfilter

Rules:

Components: a match condition and a processing action (target). A packet is tested against the rule's match conditions; on a match, the action the rule defines is applied, and for a terminating target (ACCEPT, DROP, REJECT) no further rules on that chain are checked;

Match conditions: when a rule has several conditions, they are combined with logical AND by default

Basic match criteria

Extended match criteria: supplied by modules, because netfilter is modular

Processing action: the target

Basic targets

Extended targets

Custom chains as targets

The order of the rules on a chain is the order in which they are checked, which implies a few rules of thumb:

(1) For rules of the same class (access to the same service), put the one with the narrower match above;

(2) For rules of different classes (access to different services), put the one that matches the most frequent traffic on top;

(3) Merge several rules that a single rule can express;

(4) Set the default policy (what happens to a packet no rule matched).

Where rules overlap, the first match wins.

Points to decide when adding a rule:

(1) What function is to be implemented: this decides which table the rule goes in;

(2) Which path the packet takes: this decides which chain the rule goes on;


III. The iptables command

iptables: administration tool for IPv4 packet filtering and NAT

iptables [-t table] {-A|-C|-D} chain rule-specification

iptables [-t table] -I chain [rulenum] rule-specification

iptables [-t table] -R chain rulenum rule-specification

iptables [-t table] -D chain rulenum

iptables [-t table] -S [chain [rulenum]]

iptables [-t table] {-F|-L|-Z} [chain [rulenum]] [options...]

iptables [-t table] -N chain

iptables [-t table] -X [chain]

iptables [-t table] -P chain target

iptables [-t table] -E old-chain-name new-chain-name

Options:

rule-specification = [matches...] [target]

match = -m matchname [per-match-options]

target = -j targetname [per-target-options]


General format: iptables [-t table] COMMAND chain [-m matchname [per-match-options]] -j targetname [per-target-options]

-t table:

raw, mangle, nat, [filter] (filter is assumed when -t is omitted)

COMMAND:

Chain management:

-N: new, define a custom chain;

-X: delete a custom chain; the chain must be empty and unreferenced;

-P: policy, set the default policy of a built-in chain, i.e. the fate of a packet that no rule matched. For the chains of the filter table the policy is one of:

ACCEPT: accept the packet

DROP: discard it silently, sending nothing back

(REJECT, which discards the packet and sends an error back to the sender, is a rule target, not a valid chain policy: iptables -P only accepts ACCEPT or DROP. To reject unmatched traffic with an error, add a final -j REJECT rule to the chain.)

-E: rename a custom chain; a custom chain that is still referenced (reference count not 0) can be neither renamed nor deleted;

Example sequence:

    iptables -N testchain
    iptables -nL
    iptables -E testchain mychain
    iptables -nL
    iptables -X mychain
    iptables -nL
    iptables -L | grep policy

Rule management:

-A: append a rule at the end of the chain;

-I: insert a rule at the given position; with the position omitted it becomes the first rule;

-D: delete a rule, identified either by

(1) its sequence number on the chain, or

(2) the rule specification itself;

-R: replace the rule at the given position on the given chain;

-F: flush, remove all rules from the given chain (or from every chain of the table when no chain is named);

-Z: zero, reset the counters to 0;

Every rule in iptables carries two counters:

(1) the number of packets the rule has matched;

(2) the total number of bytes in the packets the rule has matched;

    # iptables -nL INPUT
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination

-S: list-rules, print the rules of the chain in the format used by iptables-save, one command line per rule;

That format is what iptables-save writes and iptables-restore reads, so it is the way to save a rule set to a file and recover it later.

Viewing:

-L: list all rules on the given chain (all chains of the table when no chain is named);

-n: numeric, show addresses and port numbers as numbers instead of resolving them to names (avoids slow or misleading DNS lookups);

-v: verbose, show counters, interfaces and other details;

-vv, -vvv: even more detail;

-x: exact, show the counters as exact values instead of rounded to K/M/G;

--line-numbers: show the sequence number of each rule;

Combinations: -nvL; L must be the last letter of a combined option because it takes an optional chain argument, e.g. -nL, -nvL, -nvxL --line-numbers
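The counters described above are the quickest way to audit a rule set: a rule whose packet counter is still zero long after the counters were last reset with -Z either never sees traffic or is shadowed by a rule above it. The following is an added example, not code from the original post; it parses the output of `iptables -nvxL <chain> --line-numbers` (exact counters, numeric addresses, rule numbers) and reports the rules that have matched nothing. The sample output embedded in it is constructed to mirror that layout, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original post): list the rules of a chain whose
# packet counter is zero, i.e. rules that have not matched since the counters
# were last zeroed with -Z. Reads the output of
#     iptables -nvxL <chain> --line-numbers
# on stdin. -x matters: without it large counts print as 12K/3M, which are
# not numbers awk can compare.

# Print "num target rule-text" for every rule whose pkts column is 0.
unmatched_rules() {
    awk '
        /^Chain /   { next }        # chain header line (holds the policy counters)
        $1 == "num" { next }        # column header line
        NF >= 10 && $2 == 0 {
            # columns: num pkts bytes target prot opt in out source destination [match text...]
            extra = ""
            for (i = 11; i <= NF; i++) extra = extra (i > 11 ? " " : "") $i
            printf "%s %s %s\n", $1, $4, extra
        }
    '
}

# Constructed sample (not a real capture) in the exact layout iptables prints
# for: iptables -nvxL INPUT --line-numbers
SAMPLE='Chain INPUT (policy DROP 12 packets, 720 bytes)
num      pkts      bytes target     prot opt in     out     source               destination
1       15234    1203456 ACCEPT     tcp  --  *      *       0.0.0.0/0            172.18.100.67        tcp dpt:53
2           0          0 ACCEPT     udp  --  *      *       0.0.0.0/0            172.18.100.67        udp dpt:53
3         418      24680 ACCEPT     tcp  --  *      *       0.0.0.0/0            172.18.100.67        tcp dpt:22
4           0          0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x00'

# Run the audit over the constructed sample.
sample_unmatched() {
    printf '%s\n' "$SAMPLE" | unmatched_rules
}

# On a live host (root needed):
#     iptables -nvxL INPUT --line-numbers | unmatched_rules
if [ "${1:-}" = demo ]; then
    sample_unmatched
fi
```

On the sample the report names rule 2 (UDP 53 never matched, which on a DNS server would mean the rule is wrong or the service is not listening) and rule 4 (the NULL-scan drop, which is simply waiting for a scan). A zero counter is a prompt to investigate, not proof that a rule is dead; run the audit some time after `iptables -Z` so the counters reflect normal traffic.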

Chain:

PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING

Match criteria:

Basic match criteria

Provided by iptables/netfilter itself; no module needs to be loaded. A leading ! negates the test.

[!] -s, --source address[/mask][,...]: check whether the packet's source IP address matches the given address or range;

[!] -d, --destination address[/mask][,...]: check whether the packet's destination IP address matches the given address or range;

[!] -p, --protocol protocol: restrict the protocol

protocol: tcp, udp, udplite, icmp, icmpv6, esp, ah, sctp, mh or "all"

in practice usually {tcp|udp|icmp}

[!] -i, --in-interface name: the interface the packet arrived on; only meaningful for incoming packets, so it can be used only in the PREROUTING, INPUT and FORWARD chains;

[!] -o, --out-interface name: the interface the packet leaves through; only meaningful for outgoing packets, so it can be used only in the FORWARD, OUTPUT and POSTROUTING chains.


Extended match criteria

Extended matches come from netfilter's match modules and take effect only once the module is loaded: -m matchname

Implicit extensions

These modules are loaded without the -m option, because they extend a protocol: naming that protocol with -p implicitly selects the matching module;

[!] -p, --protocol protocol

protocol: tcp, udp, udplite, icmp, esp, ah, sctp or all

tcp: implies "-m tcp", with these options:

[!] --source-port, --sport port[:port]: match the TCP source port; may be a port range (start:end);

[!] --destination-port, --dport port[:port]: match the TCP destination port; may be a port range;

[!] --tcp-flags mask comp: examine the flags listed in mask; of those, the flags listed in comp must be set (1) and all the others must be clear (0)

mask is the comma-separated list of flags to examine, comp the subset of them that must be set. ALL stands for SYN,ACK,FIN,RST,URG,PSH and NONE for no flag at all.

For example: "--tcp-flags SYN,ACK,FIN,RST SYN" examines the four flags SYN, ACK, FIN and RST; SYN must be 1 and the other three must be 0;

"--tcp-flags SYN,ACK,FIN,RST ACK,FIN" examines the same four flags; ACK and FIN must be 1 and SYN and RST must be 0;

"--tcp-flags SYN,ACK,FIN,RST NONE" examines the four flags and requires all of them to be 0;

"--tcp-flags SYN,ACK,FIN,RST SYN,ACK,FIN,RST" examines the four flags and requires all of them to be 1;

[!] --syn: match the first packet of the handshake, i.e. a connection request; equivalent to "--tcp-flags SYN,ACK,FIN,RST SYN";

udp: implies "-m udp", with these options:

[!] --source-port, --sport port[:port]: match the UDP source port;

[!] --destination-port, --dport port[:port]: match the UDP destination port; may be a port range;

icmp: implies "-m icmp":

[!] --icmp-type {type[/code]|typename}: the type alone is enough for types 0 and 8, which each have a single code

echo-request: 8/0, a ping request

echo-reply: 0/0, the other side's answer

Note on ports: a DNS server serving clients opens its own port 53; to recurse on their behalf it must also reach port 53 on other servers;

When this host pings someone: ICMP type 8 goes out and type 0 comes back

When someone pings this host: type 8 comes in and type 0 goes out

Explicit extensions

The module must be named on the command line: [-m matchname [per-match-options]]. Examples are state and conntrack (connection state), multiport, limit (rate limiting) and recent (per-source address lists);
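The --tcp-flags match above, combined with two explicit extensions, is how the port-scan and brute-force mitigation mentioned in the introduction is actually built. The following is an added example, not code from the original post. It assumes the filter table's INPUT chain and the stock `limit` and `recent` extensions (xt_limit, xt_recent); the list name "sshlimit", the 5-per-60-seconds threshold and the log prefix are this example's own choices. Each function prints one rule per line as the argument list for iptables, so the set can be reviewed before it is applied.

```shell
#!/bin/sh
# Added example (not from the original post): flag-anomaly rules that catch the
# probes port scanners send, plus a rate limit on SSH connection requests.
# Assumptions: filter table, INPUT chain, `limit` and `recent` extensions loaded.

# Port-scan probes. A legitimate TCP segment always has a sane flag combination;
# these are the combinations scanners send to tell open ports from closed ones.
scan_rules() {
    # NULL scan: no flag set at all. Log it, at most 5 entries/min so a scan
    # cannot flood syslog, then drop it.
    echo "-A INPUT -p tcp --tcp-flags ALL NONE -m limit --limit 5/min -j LOG --log-prefix NULLSCAN:"
    echo "-A INPUT -p tcp --tcp-flags ALL NONE -j DROP"
    # XMAS scan: FIN, PSH and URG lit together.
    echo "-A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP"
    # SYN+FIN and SYN+RST are contradictory pairs no real stack sends.
    echo "-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP"
    echo "-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP"
    # FIN scan: FIN without ACK. After the handshake every real segment carries ACK.
    echo "-A INPUT -p tcp --tcp-flags FIN,ACK FIN -j DROP"
}

# Password brute force against sshd: every connection request (--syn) is
# recorded per source address in the kernel's "sshlimit" list (the first rule
# has no target, so it only records and falls through); the fifth request
# within 60 s from the same source is dropped, and --update extends the window
# for as long as the source keeps trying.
ssh_bruteforce_rules() {
    echo "-A INPUT -p tcp --dport 22 --syn -m recent --name sshlimit --set"
    echo "-A INPUT -p tcp --dport 22 --syn -m recent --name sshlimit --update --seconds 60 --hitcount 5 -j DROP"
}

# All rules in the order they should sit on the chain: the scan drops first,
# because they are cheap and match the noisiest traffic (see the ordering
# rules in section II), then the SSH throttle.
all_rules() {
    scan_rules
    ssh_bruteforce_rules
}

# Apply on a live host (root):   all_rules | xargs -L 1 iptables
# Preview without root:          all_rules | xargs -L 1 echo iptables
```

Two things to keep in mind when merging this into a real rule set: the two `recent` rules must sit above the rule that accepts port 22, or the ACCEPT terminates processing before they are reached; and `--set` plus `--update` counts handshakes, not failed logins, so a legitimate user opening many sessions quickly is throttled too, which is why the threshold is per minute rather than per hour. Dropped attempts can be inspected with `cat /proc/net/xt_recent/sshlimit`.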

Processing actions (targets):

-j targetname [per-target-options]

ACCEPT: let the packet through

DROP: discard it silently

REJECT: discard it and send an error back to the sender (an ICMP unreachable by default, or a TCP RST with --reject-with tcp-reset)

RETURN: stop traversing this chain and return to the calling chain;

REDIRECT: port redirection to the local host (nat table);

LOG: write the packet to the kernel log and continue with the next rule (a non-terminating target);

MARK: set a firewall mark on the packet (mangle table);

DNAT: destination address translation;

SNAT: source address translation;

MASQUERADE: source NAT to whatever address the outgoing interface currently has, for dynamically assigned addresses;

...

Custom chain: -j chain_name jumps into a user-defined chain; if no rule there terminates processing, evaluation continues with the next rule of the calling chain.

IV. Firewall services

CentOS 6:

service iptables {start|stop|restart|status}

start: read the saved rules and load them into netfilter;

stop: flush the rules in netfilter and restore the default ACCEPT policies;

status: show the rules currently in effect;

restart: flush the rules in netfilter, then read the saved rules and load them again;

Default rule file: /etc/sysconfig/iptables (written by "service iptables save")

CentOS 7:

CentOS 7 ships firewalld, a daemon that manages the netfilter rules itself, so rules entered by hand with iptables conflict with it. To run a plain iptables firewall as described here, stop and disable it:

systemctl start|stop|restart|status firewalld.service

systemctl disable firewalld.service

systemctl stop firewalld.service

The iptables-services package then provides the same iptables.service and /etc/sysconfig/iptables as CentOS 6.

V. A simple example

A host firewall for a DNS server: DNS must keep working normally, and no other port may be reachable.

First, change the default policies: set the INPUT and OUTPUT policies to DROP, so that every packet not explicitly accepted is discarded;

    iptables -P INPUT DROP
    iptables -P OUTPUT DROP

Caution: if you do this over SSH, setting the policies to DROP before the ACCEPT rules exist cuts off your own session. In practice add the ACCEPT rules first and set the policies last.

Second, open the DNS service on the host (172.18.100.67 is the server's own address):

    iptables -A INPUT -d 172.18.100.67 -s 0/0 -p tcp --dport 53 -j ACCEPT
    iptables -A OUTPUT -s 172.18.100.67 -d 0/0 -p tcp --sport 53 -j ACCEPT

These two rules cover only DNS over TCP (zone transfers and large answers); ordinary queries use UDP, so the same pair of rules is also needed with -p udp or the server will not answer clients.

Next, the DNS server may query other servers recursively on behalf of its clients, so also allow it, acting as a DNS client, to reach port 53 on the root and upstream servers and to receive their answers:

    iptables -A INPUT -s 0/0 -d 172.18.100.67 -p tcp --sport 53 -j ACCEPT
    iptables -A OUTPUT -s 172.18.100.67 -p tcp --dport 53 -j ACCEPT

(Again, the equivalent -p udp pair is needed too. Note that a stateless rule like the first one accepts any inbound packet whose source port is 53, whatever its destination port; the state or conntrack extension, matching --state ESTABLISHED, is the usual way to close that gap.)

The sshd service will usually also need to stay reachable, so add:

    iptables -A INPUT -d 172.18.100.67 -s 0/0 -p tcp --dport 22 -j ACCEPT
    iptables -A OUTPUT -s 172.18.100.67 -d 0/0 -p tcp --sport 22 -j ACCEPT

For reasons of space only the basic host firewall settings are covered here; the next post describes advanced extension applications of the host firewall.
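The rules above, assembled into a re-runnable script, as an added example that is not part of the original post. It adds the UDP 53 rules the post leaves out and applies everything in an order that cannot lock out the SSH session running it: policies opened and chains flushed first, ACCEPT rules next, policies set to DROP last. The host address is passed as the first argument (172.18.100.67 in the post); DRY_RUN=1 prints the commands instead of executing them and needs no root. Like the post, it is a stateless rule set.

```shell
#!/bin/sh
# Added example (not from the original post): the DNS host firewall of section V
# as a script. Usage:
#     DRY_RUN=1 sh dns-fw.sh 172.18.100.67   # preview the commands
#     sudo sh dns-fw.sh 172.18.100.67        # apply them
# Assumptions: filter table, the host's own address as $1, sshd on port 22.

IPT="${IPT:-iptables}"

# Emit the rule set for host $1, one iptables argument list per line, in the
# order in which they must be applied.
dns_host_rules() {
    host="$1"
    # 1. Open the policies and flush. Flushing while the policy is already
    #    DROP would cut off the SSH session running this script.
    echo "-P INPUT ACCEPT"
    echo "-P OUTPUT ACCEPT"
    echo "-F INPUT"
    echo "-F OUTPUT"
    # 2. Loopback: local tools and the resolver talk to 127.0.0.1.
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A OUTPUT -o lo -j ACCEPT"
    # 3. Serving clients: queries arrive on our port 53 (UDP for ordinary
    #    queries, TCP for large answers and zone transfers); replies leave
    #    from port 53.
    for proto in udp tcp; do
        echo "-A INPUT -d $host -p $proto --dport 53 -j ACCEPT"
        echo "-A OUTPUT -s $host -p $proto --sport 53 -j ACCEPT"
    done
    # 4. Recursion: we query other servers' port 53 and get answers back from
    #    it. Stateless, so the INPUT rule accepts anything sourced from port 53;
    #    "-m state --state ESTABLISHED" would tighten it (not used here to stay
    #    within the post's basic matches).
    for proto in udp tcp; do
        echo "-A OUTPUT -s $host -p $proto --dport 53 -j ACCEPT"
        echo "-A INPUT -d $host -p $proto --sport 53 -j ACCEPT"
    done
    # 5. Management: SSH to this host.
    echo "-A INPUT -d $host -p tcp --dport 22 -j ACCEPT"
    echo "-A OUTPUT -s $host -p tcp --sport 22 -j ACCEPT"
    # 6. Only now close the default policies; everything else is discarded.
    echo "-P INPUT DROP"
    echo "-P OUTPUT DROP"
}

# Run (or, with DRY_RUN=1, print) each rule as an iptables command.
apply_dns_host_rules() {
    dns_host_rules "$1" | while IFS= read -r rule; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "$IPT $rule"
        else
            # shellcheck disable=SC2086  # splitting $rule into arguments is intended
            $IPT $rule
        fi
    done
}

if [ -n "${1:-}" ]; then
    apply_dns_host_rules "$1"
fi
```

After applying, `iptables -nvL --line-numbers` should show exactly the rules above with both policies DROP, and `dig @172.18.100.67 example.com` from a client should still answer. Note that -F flushes only the rules of the two chains; custom chains, if any, are left in place.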

This article is from the "Deep Sea Fish" blog; please keep this source link: http://kingslanding.blog.51cto.com/9130940/1769431
