Maintaining server security is a necessary part of an operations engineer's job. Keeping the software on the server reasonably up to date is one piece of it, but every machine must also have a firewall. On Linux the firewall we use is iptables; its features are extremely powerful, and if performance is not a concern, iptables can handle most of the network access control you will need.
Composition
iptables works at the network layer, which means that iptables can only manage access by IP address and port. Working at the network layer has one benefit: the data never has to be handed to user space, so iptables' processing performance is extremely good. At the same time there is a disadvantage: because it works in kernel space it is either built into the kernel or called by the kernel, and users cannot interact with the kernel directly, so how do we define the iptables rules?
For this reason iptables is divided into two parts: the kernel part, netfilter, which actually implements the access control, and the user-space component, iptables, which communicates with the kernel to supply the filtering rules.
Implementation concept
Four tables
So how do we use the tool? Before we use it we have to classify packets and then manage each packet according to its classification. iptables divides its handling of packets into four categories, the four tables for short.
filter table # implements the filtering function and is the one we use most. For example, if we only provide an HTTP service, then when an external user tries to reach our sshd service we can drop that request packet or reject it with a reply.
nat table # address translation. This feature is mainly used for routing. For example, when an intranet host accesses Baidu, the host only has a private address, and private addresses cannot be transmitted on the public network, so the router must convert our intranet address into a public address and then communicate with Baidu on our behalf. This conversion to a public address is the NAT process.
mangle table # content modification; you can mark packets. For example, we can give every packet that requests port 443 on our host the same mark and then filter packets based on that mark. There are of course more advanced features, but they are rarely needed day to day.
raw table # header modifications, such as modifying TTL values, hiding routes, and so on.
Five chains
The operations on a packet have now been defined, so the next question is where our definitions take effect. Here you need to be clear about how packets flow through the host. There are three kinds of flow: (1) packets destined to the host itself, (2) packets sent out by the host, (3) packets forwarded by the host.
A packet can then be at one of five points: (1) PREROUTING, right after the packet arrives and before the routing decision; (2) INPUT, packets entering the host; (3) FORWARD, packets the host forwards; (4) OUTPUT, packets sent by the host; (5) POSTROUTING, packets after the routing decision, on their way out.
The following is the relationship between the four tables and the five chains, i.e. which chains each table can act on:
filter: INPUT, FORWARD, OUTPUT
nat: PREROUTING, INPUT, OUTPUT, POSTROUTING
mangle: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING
raw: PREROUTING, OUTPUT
iptables: the packet properties it works on
From the principles above we can derive the method for controlling packets: first decide what kind of control we want to apply to the packet (the four tables), then decide where the packet is controlled (the five chains), and then what to do with the packet!
Before the configuration there is one more concept: the properties of a packet, which are the basis on which we control it. You do not need to understand packet headers the way a networking course teaches them; understanding the TCP/IP and UDP/IP headers is enough. In fact you only need to know the addresses and ports used by the various communication protocols. The protocols mainly used are tcp, udp and icmp. Then the addresses: a packet always has a source address and a destination address, a destination port and a source port. The source address and source port are the IP address and port of the packet's sender; the destination address and destination port ...
Using the iptables command
Let me give an example.
iptables -t filter -A INPUT -d 172.16.0.0/16 -s 192.168.0.1/24 -p tcp --dport 80 -j ACCEPT
-t filter # specifies which table to operate on
-A INPUT # appends a rule to the INPUT chain
-d 172.16.29.2 # destination address
-s 192.168.0.1/24 # source address
-p tcp # protocol
--dport 80 # destination port
-j ACCEPT # allows the packet to pass through
With that basic example in hand, let's look at how the iptables command is used:
1 Select the table whose rules you want to manage: -t
2 Then choose the chain whose rules you want to manage. Managing rules amounts to no more than append -A, delete -D, replace -R and list -L.
3 The destination address uses -d; the source address uses -s. The address can be written either as address/mask or as address/prefix-length: 172.16.0.0/255.255.0.0 and 172.16.0.0/16 mean the same thing. If no address is given, all addresses match.
4 Specify the protocol with -p. The protocols you can choose here are all, tcp, udp, udplite, icmp, icmpv6, esp, ah, sctp and mh.
5 Destination port --dport port[:port]; source port --sport port[:port]. A colon specifies a port range, which must be contiguous; if no port is given, all ports match.
6 What to do with a packet that matches the rule above: -j takes many targets; only the usual ones are listed here. ACCEPT allows; DROP discards; REDIRECT --to-port 8081 rewrites the destination port; REJECT refuses the request; DNAT --to-destination [ipaddr[-ipaddr]][:port[-port]] translates the destination address and can also translate the port; SNAT --to-source [ipaddr[-ipaddr]] translates the source address and can also translate the port.
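The selection steps above, carried through as a complete script. This is an added example and not code from the original post: it assembles a small host firewall in the filter table (table, chain, addresses, protocol, ports, target) and then uses the three translation targets listed in step 6 in the nat table. All addresses are made-up sample values; by default the commands are only printed, and setting IPT=iptables (as root) applies them.

```shell
#!/bin/sh
# Added example, not from the original post: a host firewall assembled with the
# selection steps above (table -> chain -> addresses -> protocol -> ports -> target),
# plus the three translation targets (REDIRECT, DNAT, SNAT) in the nat table.
# All addresses are made-up sample values. By default the commands are only printed;
# run with IPT=iptables (as root) to apply them.

IPT=${IPT:-"echo iptables"}

# host_filter_rules HOST_IP TRUSTED_NET: filter table, INPUT chain
host_filter_rules() {
  host=$1
  trusted=$2
  # loopback traffic is always fine
  $IPT -t filter -A INPUT -i lo -j ACCEPT
  # sshd only from the trusted network, the web server from anywhere
  $IPT -t filter -A INPUT -d "$host" -s "$trusted" -p tcp --dport 22 -j ACCEPT
  $IPT -t filter -A INPUT -d "$host" -p tcp --dport 80 -j ACCEPT
  # answer pings, then reject everything else addressed to this host
  $IPT -t filter -A INPUT -d "$host" -p icmp --icmp-type 8 -j ACCEPT
  $IPT -t filter -A INPUT -d "$host" -j REJECT
}

# nat_rules LAN_NET PUBLIC_IP INTERNAL_WEB_IP: nat table
nat_rules() {
  lan=$1
  public=$2
  web=$3
  # REDIRECT: port 80 arriving here is handed to a local service on 8081
  $IPT -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8081
  # DNAT (PREROUTING, before the routing decision): publish an internal web server
  $IPT -t nat -A PREROUTING -d "$public" -p tcp --dport 443 -j DNAT --to-destination "$web:443"
  # SNAT (POSTROUTING, after the routing decision): LAN hosts leave with the public address
  $IPT -t nat -A POSTROUTING -s "$lan" -j SNAT --to-source "$public"
}

host_filter_rules 172.16.0.7 192.168.0.0/24
nat_rules 192.168.0.0/24 203.0.113.10 192.168.0.10
```

Rule order matters: the final REJECT in host_filter_rules must stay last, because iptables stops at the first matching rule in a chain. Note also that DNAT lives in PREROUTING and SNAT in POSTROUTING, which is exactly the table-to-chain mapping given above.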
iptables extension modules
The --dport and --sport options used above come from modules, but they are loaded implicitly: implicit loading happens when we specify -p. Below are some of the modules that have to be loaded explicitly:
-m modulename [-m modulename] ...
1. multiport
Defines a multi-port match condition using discrete or contiguous ports, up to a maximum of three;
[!] --source-ports, --sports port[,port|,port:port] ... : specify multiple source ports;
[!] --destination-ports, --dports port[,port|,port:port] ... : specify multiple destination ports;
iptables -I INPUT -d 172.16.0.7 -p tcp -m multiport --dports 22,80,139,445,3306 -j ACCEPT
2. iprange
Uses a contiguous block of addresses to express a multi-address match condition;
[!] --src-range from[-to]
[!] --dst-range from[-to]
iptables -I INPUT -d 172.16.0.7 -p tcp -m multiport --dports 22,80,139,445,3306 -m iprange --src-range 172.16.0.61-172.16.0.70 -j REJECT
3. time
Applies the rule's action only to packets seen within a specified time window
--timestart hh:mm[:ss]
--timestop hh:mm[:ss]
[!] --weekdays day[,day ...]
[!] --monthdays day[,day ...]
--datestart YYYY[-MM[-DD[Thh[:mm[:ss]]]]]
--datestop YYYY[-MM[-DD[Thh[:mm[:ss]]]]]
--kerneltz: use the kernel-configured time zone instead of the default, UTC;
4. string
--algo {bm|kmp}
[!] --string pattern
[!] --hex-string pattern
--from offset
--to offset
iptables -I OUTPUT -m string --algo bm --string "gay" -j REJECT
5. connlimit
Limits how many connections a client may hold at the same time
--connlimit-upto n
--connlimit-above n
iptables -I INPUT -d 172.16.0.7 -p tcp --syn --dport 22 -m connlimit --connlimit-above 2 -j REJECT
6. limit
Limits the rate of packets of a protocol
--limit rate[/second|/minute|/hour|/day]
--limit-burst number
iptables -I OUTPUT -s 172.16.0.7 -p icmp --icmp-type 0 -j ACCEPT
7. state
Which connection states a packet is allowed to pass in
[!] --state state: the states that can be selected are INVALID (invalid packets); RELATED (associated connections: the current connection is a new request, but attached to an existing connection); ESTABLISHED (already connected); NEW (a new connection); UNTRACKED (untracked connections)
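The modules above combined into one INPUT policy, as an added example that is not code from the original post: state, connlimit, multiport, iprange with time, and limit, in the order a practitioner would put them so that each rule sees the packets it is meant for. The host and management addresses are made-up sample values; by default the commands are only printed, and IPT=iptables (as root) applies them.

```shell
#!/bin/sh
# Added example, not from the original post: the match extensions above combined into
# one INPUT policy for a host. Addresses are made-up sample values. By default the
# commands are only printed; run with IPT=iptables (as root) to apply them.

IPT=${IPT:-"echo iptables"}

# ext_rules HOST_IP MGMT_FROM MGMT_TO
ext_rules() {
  host=$1
  from=$2
  to=$3
  # state: packets of flows we already know pass early, broken packets are dropped
  $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPT -A INPUT -m state --state INVALID -j DROP
  # connlimit: a third concurrent SSH connection from the same source is rejected;
  # this must sit before the ACCEPT for port 22 below or it would never be reached
  $IPT -A INPUT -d "$host" -p tcp --syn --dport 22 -m connlimit --connlimit-above 2 -j REJECT
  # multiport: one rule for the public services instead of one rule per port
  $IPT -A INPUT -d "$host" -p tcp -m multiport --dports 22,80,443 -m state --state NEW -j ACCEPT
  # iprange + time: the management range may reach MySQL only on weekdays in office hours
  # (the time module compares against UTC unless --kerneltz is given)
  $IPT -A INPUT -d "$host" -p tcp --dport 3306 -m iprange --src-range "$from-$to" \
    -m time --timestart 09:00 --timestop 18:00 --weekdays Mon,Tue,Wed,Thu,Fri --kerneltz -j ACCEPT
  # limit: answer at most 5 echo requests per second (burst 10), drop the excess
  $IPT -A INPUT -d "$host" -p icmp --icmp-type 8 -m limit --limit 5/second --limit-burst 10 -j ACCEPT
  $IPT -A INPUT -d "$host" -p icmp --icmp-type 8 -j DROP
  # everything not matched above is rejected
  $IPT -A INPUT -d "$host" -j REJECT
}

ext_rules 172.16.0.7 172.16.0.61 172.16.0.70
```

The limit rule only works as a rate cap because the DROP right after it catches the echo requests that exceed the token bucket; without that second rule the excess would simply fall through to later rules.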
tcp_wrapper
Its function is to assist iptables with access control; its rules are defined in /etc/hosts.allow and /etc/hosts.deny.
Syntax: daemon_list : client_list [: option : option ...]
daemon_list: a list of program file names; several can be given, separated by commas
(1) a single program file name;
(2) a list of program file names, separated by commas;
(3) ALL: every program controlled by tcp_wrapper;
client_list: the IP addresses or domain names of the accessing hosts; EXCEPT can be used, meaning the addresses after EXCEPT are taken out of the rule before it
(1) a single IP address or host name;
(2) a network address: n.n.n.n/m.m.m.m, or a prefix such as n.n.n.;
(3) built-in ACLs:
ALL: all client hosts;
[: option : option ...]
deny: deny; mainly used to define a "deny" rule inside the hosts.allow file;
allow: allow; mainly used to define an "allow" rule inside the hosts.deny file;
spawn: spawns, i.e. triggers execution of an arbitrary command specified by the user, typically used to write a log entry;
Here is a case; in practice it is rarely needed:
vsftpd : 172.16. EXCEPT 172.16.29. EXCEPT 172.16.29.2 : spawn /bin/echo $(date) login attempt from %c to %s >> /var/log/tcp_wrapper.log
Note:
When you define an [option] in /etc/hosts.deny, using EXCEPT may cause spawn to log only the failed accesses.
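The nested EXCEPT in the vsftpd line above is easy to misread, so here is an added example, not code from the original post, that evaluates a client_list offline the way hosts_access(5) describes it: hosts.allow is consulted first, then hosts.deny, and "a EXCEPT b EXCEPT c" parses as a EXCEPT (b EXCEPT c). The matcher supports only ALL, exact addresses and prefixes ending in a dot (enough for the page's example); it ignores options such as spawn, and the client addresses it is run against are made-up samples.

```shell
#!/bin/sh
# Added example, not from the original post: evaluates a hosts.allow / hosts.deny
# client_list the way hosts_access(5) describes it, so the nested EXCEPT in the vsftpd
# line above can be checked offline. Supported patterns: ALL, an exact dotted address,
# and a prefix ending in '.' ("172.16." matches 172.16.x.y). Options such as spawn are
# ignored. The lists and client addresses below are made-up samples.

# pattern_matches PATTERN IP
pattern_matches() {
  case "$1" in
    ALL) return 0 ;;
    *.)  case "$2" in "$1"*) return 0 ;; esac ;;
    *)   [ "$1" = "$2" ] && return 0 ;;
  esac
  return 1
}

# list_matches CLIENT_LIST IP
# "a EXCEPT b EXCEPT c" parses as a EXCEPT (b EXCEPT c), as hosts_access(5) documents,
# so a client in c is matched again even though it lies inside b.
list_matches() {
  case "$1" in
    *" EXCEPT "*)
      list_matches "${1%%" EXCEPT "*}" "$2" || return 1
      if list_matches "${1#*" EXCEPT "}" "$2"; then return 1; fi
      return 0 ;;
    *)
      # plain list: comma- or blank-separated patterns, any one of them may match
      for pat in $(printf '%s' "$1" | tr ',' ' '); do
        pattern_matches "$pat" "$2" && return 0
      done
      return 1 ;;
  esac
}

# hosts_access ALLOW_LIST DENY_LIST IP: hosts.allow is consulted first, then hosts.deny,
# and a client matched by neither file is allowed
hosts_access() {
  if list_matches "$1" "$3"; then echo allow
  elif list_matches "$2" "$3"; then echo deny
  else echo allow
  fi
}

ALLOW='172.16. EXCEPT 172.16.29. EXCEPT 172.16.29.2'   # client_list of the vsftpd line above
DENY='ALL'                                             # typical hosts.deny catch-all
for ip in 172.16.5.1 172.16.29.5 172.16.29.2 10.0.0.1; do
  echo "$ip -> $(hosts_access "$ALLOW" "$DENY" "$ip")"
done
```

Run as-is it reports that 172.16.5.1 and 172.16.29.2 are allowed while 172.16.29.5 and 10.0.0.1 are denied: the second EXCEPT carves 172.16.29.2 back out of the 172.16.29. exclusion rather than excluding it twice.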
Summary
I have written this simple introduction to iptables without going into many cases, although the most important thing is to understand the use of iptables through cases; unfortunately I was rather lazy. Personally I think the most important thing with iptables is the ability to read the documentation. man iptables-extensions and man iptables are the two commands I use most ...
The prerequisite for reading the documentation is an overall understanding of iptables, that is, being proficient in the theory of the first four parts. That content is actually very simple: it helps us break a very long iptables command down into a step-by-step series of choices, and then follow those steps to write the iptables command that achieves the required function. tcp_wrapper is too simple to need much mastering.
This article is from "Lao Wang Linux Journey" blog, please be sure to keep this source http://oldking.blog.51cto.com/10402759/1890608
Iptables from getting started to giving up