On a TCP/IP network a node offers a service by opening a socket: a session endpoint identified by an IP address and a port. Each arriving packet is checked against the socket it belongs to; the socket is the endpoint, while TCP/IP is the protocol that carries the packets. Host firewall: runs on the host itself. A packet comes in through the network card and is handed to the TCP/IP protocol stack in the kernel; the host firewall works inside that stack, at checkpoints (hooks) placed at fixed positions in the stack where the configured check rules are applied.
Network firewall: sits at the network edge, outside the hosts.
Firewall: runs on a host or at the network edge; it checks incoming and outgoing packets against the defined rules and applies the action of the best-matching rule to the packet.
Network-layer firewall: inspects the frame header, IP header and TCP header; it cannot inspect the data payload.
iptables/netfilter: netfilter is the set of checkpoints (hooks) on the TCP/IP protocol stack; rules are added to it with iptables.
Rules are evaluated from highest to lowest priority, and the tables can work at the following hook positions:
raw: used to turn off connection tracking so that the nat table is bypassed; hooks: PREROUTING, OUTPUT.
mangle: modifies fields of the TCP/IP headers; available at every hook.
nat: address translation; hooks: POSTROUTING, PREROUTING, OUTPUT.
filter: INPUT, FORWARD, OUTPUT.
INPUT: the checkpoint passed when data enters application space on this host; each checkpoint is also called a chain.
FORWARD: the checkpoint for packets that this host routes on to another host.
OUTPUT: the checkpoint passed by data that an application on this host sends out.
PREROUTING: the checkpoint right after data enters the network card, before the routing decision.
POSTROUTING: the checkpoint after the outgoing network card has been selected, right before data leaves.
Packet flow for traffic to and from this host: PREROUTING -> INPUT (inbound), OUTPUT -> POSTROUTING (outbound).
Packet flow for traffic forwarded by this host: PREROUTING -> FORWARD -> POSTROUTING.
Pay attention to the direction of packet flow; decide on the source IP and destination IP accordingly.
iptables: a user-space tool for writing rules; they are sent to netfilter automatically and take effect immediately.
Basic syntax
iptables [-t TABLE] -A CHAIN match-conditions -j TARGET
The default table is filter.
COMMAND: the following options exist
1. Commands for rules on a chain: -A: append a rule at the end of the chain
-I: insert a new rule
-D: delete a rule
-R: replace a rule
-L: list rules. -L -n: numeric format, shows addresses and ports as numbers. -L -v: verbose format. --line-numbers: show rule line numbers. -x: do not convert units for counter values; show exact numbers.
2. Commands for chains: -F: flush (empty) the rule chain
-N: create a custom chain; it is reached only by being called from another chain
-X: delete a custom chain
-Z: zero the counters
-P: set the default policy; for the filter table the default policy is ACCEPT or DROP
-E: rename a custom chain
iptables [-t TABLE] -A CHAIN match-conditions -j TARGET
Match conditions: generic matches
-s ADDRESS: source IP address to match; an IP or a network address; ! negates the match.
-d ADDRESS: destination IP address of the packet
-p PROTOCOL: protocol type of the packet; commonly tcp, udp, icmp
-i: the network card the packet came in on; only usable in the first half of the path: PREROUTING, INPUT, FORWARD
-o: the network card the packet leaves through; only usable in the second half of the path: FORWARD, OUTPUT, POSTROUTING
Extended matches: call a netfilter extension module with -m
Implicit extension: when -p {tcp|udp|icmp} is used, the matching module is loaded by default and its extended options can be used directly
-p tcp, effective for TCP: --sport specifies the source port, --dport the destination port
--tcp-flags SYN,ACK,RST,FIN SYN: the first list names the flags to examine, the second the ones that must be set; ALL means every listed flag set (1), NONE means none set (0)
--tcp-flags SYN,ACK,RST,FIN SYN matches the first packet of the TCP three-way handshake
--syn also matches the first handshake packet
-p icmp, mainly to restrict ping: --icmp-type 8 is the echo request type, 0 is the echo reply type
Explicit extensions: the module must be named explicitly with -m before its extended options can be used
-m MODULE: extension module name (the module must be available to both iptables and netfilter)
1) multiport: matches non-contiguous or contiguous ports; up to 15 ports can be specified
--sports port,port:port: source ports
--dports: destination ports
--ports: matches either source or destination ports
Example: a host firewall added on the target host so that a specific network can reach the host's HTTP and SSH services. No table is given, so the filter table is used by default; the rule goes on the INPUT chain, matches TCP packets from the 192.168 network to 192.168.147.128, and uses the multiport module to name the ports on the host that accept packets, with -j ACCEPT.
2) iprange: matches addresses within a specified range, a contiguous span of addresses rather than a whole network.
[!] --src-range IP[-IP]
[!] --dst-range IP[-IP]
3) string: matches a string in the application-layer payload of the packet. String-matching algorithms: kmp, bm
Options: --algo {kmp|bm}
--string: the string to match
--hex-string: the string given in hexadecimal
4) state: stateful inspection; requires connection tracking to be enabled; not suitable for servers with very high concurrency.
--state
States in connection tracking:
NEW: a new session is being created
ESTABLISHED: an established connection
RELATED: a connection related to an existing one
INVALID: an unrecognized connection
Adjust the maximum number of connections the connection tracking table can hold:
/proc/sys/net/nf_conntrack_max
All connections currently being tracked:
/proc/net/nf_conntrack
Tracking parameters for different protocols and connection types:
/proc/sys/net/netfilter directory
Allowing the FTP service in passive mode
1. Module installed under /lib/modules/KERNEL_VERSION/kernel/net/netfilter/
Module: nf_conntrack_ftp
Load it with modprobe
2. Allow request packets
A. Allow NEW-state requests to port 21
B. Allow all ESTABLISHED and RELATED packets
3. Allow response packets
Allow all ESTABLISHED and RELATED packets
5) limit: rate limiting
--limit N[/second|/minute|/hour|/day]
--limit-burst N: how many packets may be accumulated (burst) before the limit applies
6) time: access control based on time
--datestart
--datestop
--timestart
--timestop
--weekdays
7) connlimit: connection count limit, the number of concurrent connections each IP may initiate
--connlimit-above N
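The following script is an added example, not code from the original post. It builds the host-firewall pieces described in the multiport, state/FTP and limit sections above: one multiport rule for SSH and HTTP, the three passive-FTP rules with the nf_conntrack_ftp helper loaded first, and a rate limit on ICMP echo requests. Every address is a constructed placeholder, and the ipt wrapper means that with IPTABLES=echo the commands are printed instead of executed, which is how to review a rule set before loading it on a live kernel.

```shell
# Added example (not from the original post). Addresses are constructed.
# IPTABLES=echo (and MODPROBE=echo) turn this into a dry run.

ipt() { ${IPTABLES:-iptables} "$@"; }

TRUSTED_NET="192.168.147.0/24"   # constructed: clients allowed to reach SSH/HTTP
HOST_IP="192.168.147.128"        # constructed: this host's address

# multiport: one rule covers two non-contiguous service ports (max 15).
host_service_rules() {
    ipt -t filter -A INPUT -s "$TRUSTED_NET" -d "$HOST_IP" -p tcp \
        -m multiport --dports 22,80 -j ACCEPT
    ipt -t filter -A OUTPUT -s "$HOST_IP" -d "$TRUSTED_NET" -p tcp \
        -m multiport --sports 22,80 -j ACCEPT
}

# state + passive FTP. The control connection arrives as NEW on port 21;
# the data connection uses a port announced inside the PASV reply, which
# the nf_conntrack_ftp helper parses so conntrack marks it RELATED.
load_ftp_helper() {
    ${MODPROBE:-modprobe} nf_conntrack_ftp
}

ftp_rules() {
    # requests: new control connections, then everything already tracked
    ipt -A INPUT -d "$HOST_IP" -p tcp --dport 21 -m state --state NEW -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # responses: only packets that belong to tracked connections may leave
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# limit: at most 10 echo requests per second, burst of 20; the rest are
# dropped by the following rule instead of falling through.
ping_rules() {
    ipt -A INPUT -p icmp --icmp-type 8 -m limit --limit 10/second \
        --limit-burst 20 -j ACCEPT
    ipt -A INPUT -p icmp --icmp-type 8 -j DROP
}

# Read the conntrack table ceiling, if the tracking module is loaded.
conntrack_max() {
    if [ -r /proc/sys/net/nf_conntrack_max ]; then
        cat /proc/sys/net/nf_conntrack_max
    else
        echo "nf_conntrack not loaded"
    fi
}

# Apply for real only when invoked as: sh firewall.sh apply
case "${1:-}" in
    apply)
        load_ftp_helper
        host_service_rules
        ftp_rules
        ping_rules
        ;;
esac
```

The ESTABLISHED,RELATED rule is what makes the passive data connection work without opening the whole high port range: the helper ties the second TCP connection to the tracked control session, so the generic rule accepts it. Run the script with no argument and IPTABLES=echo to read the rules it would load.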
Targets:
Built-in targets:
DROP: silently discard
REJECT: explicit rejection; the sender is notified
ACCEPT: accept
Writing rules: first decide the function (table), then the packet flow, then the target to achieve, then the matching conditions
Flow direction: 1. Access to a local process: PREROUTING -> INPUT
2. Outgoing packets: OUTPUT -> POSTROUTING
3. Forwarded by this host: PREROUTING -> FORWARD -> POSTROUTING
4. Responses to forwarded traffic: PREROUTING -> FORWARD -> POSTROUTING
iptables checks the syntax; netfilter applies the rule immediately
Remember: before you write restrictive rules, add a rule that allows your own session, so you do not lock yourself out
Permanent rules: a rule file or a script; the rule file is /etc/sysconfig/iptables
Save rules: iptables-save > /etc/sysconfig/iptables
service iptables save
Apply: iptables-restore < /etc/sysconfig/iptables
service iptables restart
Set the default policy
iptables -P CHAIN TARGET
Modifying rules
iptables -R OUTPUT 1 ... replaces the first rule on that chain of that table; the complete replacement rule follows the number
Optimizing rules: minimize the number of rule entries; among unrelated rules put the one that matches the most traffic on top; among matches belonging to the same function put the stricter one on top.
To manage rules better, use custom chains:
iptables -t filter -N http_in
Delete an empty custom chain:
iptables -X http_in
Rename a custom chain:
iptables -E oldname newname
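As an added example (not from the original post) of the chain-management and rule-ordering commands above, the script below keeps HTTP handling in a custom chain http_in that INPUT jumps to, inserts the most frequently matched rule at position 1 with -I, replaces a rule in place with -R, and shows the order a custom chain has to be torn down in. The chain name and network are constructed placeholders; IPTABLES=echo prints the commands instead of applying them.

```shell
# Added example (not from the original post). Names and addresses are
# constructed; set IPTABLES=echo for a dry run.

ipt() { ${IPTABLES:-iptables} "$@"; }

WEB_NET="192.168.147.0/24"   # constructed: clients allowed to use HTTP

# Create the chain, fill it, then make INPUT hand HTTP traffic to it.
create_http_chain() {
    ipt -t filter -N http_in
    ipt -t filter -A http_in -s "$WEB_NET" -p tcp --dport 80 -j ACCEPT
    ipt -t filter -A http_in -j DROP                      # anything else that reached the chain
    ipt -t filter -A INPUT -p tcp --dport 80 -j http_in   # jump from the built-in chain
}

# The rule that matches the most traffic goes first: -I inserts at the
# top of the chain instead of appending.
insert_tracked_first() {
    ipt -t filter -I INPUT 1 -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# -R replaces rule number 1 of http_in; the whole rule must be restated.
replace_rule() {
    ipt -t filter -R http_in 1 -s "$WEB_NET" -p tcp -m multiport --dports 80,443 -j ACCEPT
}

# A custom chain can only be deleted once nothing references it and it
# is empty, so: drop the jump, flush, then -X.
remove_http_chain() {
    ipt -t filter -D INPUT -p tcp --dport 80 -j http_in
    ipt -t filter -F http_in
    ipt -t filter -X http_in
}

rename_http_chain() { ipt -t filter -E http_in web_in; }
```

The teardown order matters in practice: -X on a chain that is still referenced or non-empty fails, and the error is easy to misread as a typo in the chain name.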
Address translation: SNAT, source address translation
--to-source
MASQUERADE: picks up the translated address automatically
DNAT: destination address translation
--to-destination
PNAT: port translation
Full NAT: both addresses translated
iptables -t nat -A POSTROUTING -s 192.168.1.0 ... -j SNAT --to-source 172.16.100.7 : the source address is translated into the host address 172.16.100.17
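The script below is an added example, not from the original post, showing the translations listed above on a router between a private LAN and the internet: SNAT with a fixed address or MASQUERADE for a dynamic one, and DNAT with port translation to an internal web server together with the filter-table FORWARD rules the nat rewrite still depends on. Interfaces and addresses are constructed placeholders; IPTABLES=echo and SYSCTL=echo print the commands instead of applying them.

```shell
# Added example (not from the original post). Everything below is a
# constructed placeholder; use IPTABLES=echo SYSCTL=echo for a dry run.

ipt() { ${IPTABLES:-iptables} "$@"; }

LAN_NET="192.168.1.0/24"     # constructed: inside network
WAN_IF="eth0"                # constructed: interface facing the internet
PUBLIC_IP="172.16.100.7"     # constructed: router's public address
WEB_SERVER="192.168.1.10"    # constructed: internal web server

# Forwarding must be on, otherwise the FORWARD chain is never traversed.
enable_forwarding() {
    ${SYSCTL:-sysctl} -w net.ipv4.ip_forward=1
}

# SNAT: outbound LAN packets leave with the router's address.
# "static" uses a fixed --to-source; "dynamic" uses MASQUERADE, which
# reads the interface's current address (DHCP or dial-up uplinks).
snat_rules() {
    case "${1:-static}" in
        static)  ipt -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j SNAT --to-source "$PUBLIC_IP" ;;
        dynamic) ipt -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE ;;
        *) echo "usage: snat_rules static|dynamic" >&2; return 1 ;;
    esac
}

# DNAT plus port translation: public port 80 -> internal server port 8080.
# The nat table only rewrites the header; the filter table must still
# accept the forwarded packet and the tracked replies.
dnat_rules() {
    ipt -t nat -A PREROUTING -d "$PUBLIC_IP" -p tcp --dport 80 -j DNAT --to-destination "$WEB_SERVER:8080"
    ipt -A FORWARD -d "$WEB_SERVER" -p tcp --dport 8080 -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}
```

The DNAT rule sits in PREROUTING because the destination has to be rewritten before the routing decision, while SNAT sits in POSTROUTING because the outgoing interface is only known after it; the FORWARD rules match the already-translated destination 192.168.1.10:8080, not the public address.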
That is iptables in general terms.