Iptables route table overview and configuration methods

Source: Internet
Author: User
Before introducing iptables, let's first review what a firewall is. A firewall is a processing component that sits at the network boundary and checks inbound and outbound traffic against preset rules. Firewalls are divided into packet-filtering firewalls and proxy firewalls (the second term may be inappropriate; suggestions are welcome). The first kind works fast, but it can only inspect layer-3 content (the packet headers); a proxy can inspect all of the content. Nowadays, where conditions permit, the two are usually combined so that the firewall is both efficient and able to check all content, which is the ideal approach.
 
The kernel is divided into kernel space and user space. The two are normally isolated; one must go through system calls to reach the other. Inside the kernel, the TCP/IP stack has five points at which hook functions are called; when a packet passes one of these points, the registered checks are run against it. Every packet passes through some subset of these five points.
 
Iptables itself is not a firewall but a rule manager; the netfilter framework in the kernel is the firewall. iptables installs the filtering rules at these five hook points.
 
iptables tables come in four kinds: filter, nat, mangle, and raw. Each has its own function, such as packet filtering or address translation.
The five points mentioned above are called chains:
FORWARD: packets being forwarded through the host
PREROUTING: as packets enter the firewall, before the routing decision
POSTROUTING: after the routing decision, as packets leave the firewall
INPUT: packets destined for the host itself
OUTPUT: packets generated by the host itself
 
The following describes how to use the iptables command:
 
1: managing the rules within a chain
-A (append): add a rule at the end of the chain.
-I [n] (insert): insert a rule at position n; without a number, the rule is inserted at the top of the chain (position 1).
-R n (replace): replace rule number n with the new rule; the number is the serial number of the entry to be replaced.
-D [n] (delete): delete a rule, either by its number or by repeating the rule specification.
 
2: chain settings:
-F (flush): clear the rules; with no chain argument, every chain in the table is flushed.
-P (policy): set the default policy of a built-in chain.
-N (new): create a user-defined chain.
-X: delete a user-defined chain (it must be empty and not referenced by any rule).
-Z: zero the packet and byte counters.
-E: rename a user-defined chain.
 
3: match options. There are two kinds of match: general matches and extension matches.
General matches:
-p (protocol): specifies the protocol {tcp, udp, icmp, etc.}
-s (src address): specifies the source address
-d (dst address): specifies the destination address
-i (in-interface): specifies the inbound NIC
-o (out-interface): specifies the outbound NIC
-j (jump): the target to jump to, one of:
DROP: silently discard the packet
REJECT: refuse the packet and send an error back to the sender
ACCEPT: accept the packet
SNAT: source address translation
DNAT: destination address translation
LOG: kernel logging for matching packets. When this target is used in a rule, the Linux kernel prints some information about every matching packet (such as the IP header fields) via printk. --log-level: the logging level.

--log-prefix prefix: add a specific prefix to the log message, up to 14 letters long, to distinguish it from other messages in the log.
REDIRECT: only valid in the PREROUTING and OUTPUT chains of the nat table, and in user-defined chains called only from them. It rewrites the packet's destination IP address so that the packet is delivered to the machine itself (locally generated packets are mapped to 127.0.0.1). It takes one option:
MASQUERADE: used in the same way as SNAT, but SNAT is static source address translation, whereas MASQUERADE is dynamic masquerading, equivalent to mapping the source to the IP address of the interface the packet leaves through.
-L: list the rules of a table
--line-numbers: number the rules
-n: show addresses and ports numerically, without name resolution
-v: verbose output
-x: show exact counter values without unit conversion

Extension matches. Extension matches are divided into implicit extensions and explicit extensions.
Implicit extensions (loaded automatically by -p):
tcp: --dport, --sport, --tcp-flags (specify the destination port, the source port, and the TCP flags respectively)
--syn: match only TCP packets with the SYN bit set and the ACK and FIN bits cleared. Such packets are the requests sent during TCP connection initialization; for example, blocking them on an inbound interface prevents incoming TCP connections, while outgoing TCP connections are unaffected. It is equivalent to --tcp-flags SYN,RST,ACK SYN. If --syn is preceded by "!", the match is inverted.
udp: --sport and --dport specify the UDP source and destination ports
icmp: --icmp-type 8: echo request
--icmp-type 0: echo reply
--icmp-type 3: destination unreachable
 
Explicit extensions (loaded with -m):
-m state --state: check the connection state; state is a comma-separated list of connection states to match. The possible states are: INVALID means the packet belongs to no known connection; ESTABLISHED means the connection has seen packets in both directions; NEW means the packet starts a new connection, or belongs to a connection that has not yet seen traffic in both directions; RELATED means the packet starts a new connection that is associated with an existing one, such as an FTP data transfer or an ICMP error.

-m multiport --ports port1,port2,port3,...
--source-ports port1,port2,port3,...
--destination-ports port1,port2,port3,...
-m limit --limit: the average rate allowed
--limit-burst: the maximum initial burst
-m mac --mac-source: specifies the source MAC address (only usable in the PREROUTING, FORWARD, and INPUT chains)
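The --tcp-flags match and the --syn shorthand described above are easiest to understand by evaluating them by hand. The following shell script is an added example, not part of the original article: it implements the "--tcp-flags MASK COMP" test over constructed packets, using the bit values of the TCP header flags, and shows why --syn is the same as --tcp-flags SYN,RST,ACK SYN. It also evaluates "--tcp-flags ALL NONE", a match commonly used to drop probe packets that carry no flags at all.

```shell
#!/bin/sh
# Added example (not from the original article): how the iptables "--tcp-flags MASK COMP" match
# is evaluated. Only the flag bits named in MASK are examined, and among those exactly the bits
# named in COMP must be set. Bit values follow the TCP header:
# FIN=1 SYN=2 RST=4 PSH=8 ACK=16 URG=32; ALL and NONE are the iptables keywords for all/no flags.

# flag_bits NAME: print the bit value of one flag name.
flag_bits() {
    case "$1" in
        FIN)  echo 1 ;;
        SYN)  echo 2 ;;
        RST)  echo 4 ;;
        PSH)  echo 8 ;;
        ACK)  echo 16 ;;
        URG)  echo 32 ;;
        ALL)  echo 63 ;;
        NONE) echo 0 ;;
        *)    echo "unknown flag: $1" >&2; return 1 ;;
    esac
}

# flag_list_to_mask LIST: turn "SYN,RST,ACK" into an integer bitmask (runs in a subshell so
# changing IFS for the comma split does not leak to the caller).
flag_list_to_mask() (
    IFS=,
    mask=0
    for name in $1; do
        bits=$(flag_bits "$name") || exit 1
        mask=$((mask | bits))
    done
    echo "$mask"
)

# tcp_flags_match PACKET_FLAGS MASK COMP: succeed (exit 0) if a packet carrying PACKET_FLAGS
# would match "--tcp-flags MASK COMP"; fail otherwise.
tcp_flags_match() {
    pkt=$(flag_list_to_mask "$1") || return 2
    mask=$(flag_list_to_mask "$2") || return 2
    comp=$(flag_list_to_mask "$3") || return 2
    [ $((pkt & mask)) -eq $((comp & mask)) ]
}

# syn_match PACKET_FLAGS: "--syn" is defined as "--tcp-flags SYN,RST,ACK SYN".
syn_match() {
    tcp_flags_match "$1" SYN,RST,ACK SYN
}

# Constructed packets: a connection request, its reply, a data segment, and a probe with
# no flags at all (the last is what "--tcp-flags ALL NONE" is used to catch).
for flags in SYN SYN,ACK ACK,PSH NONE; do
    if syn_match "$flags"; then r="matches --syn"; else r="does not match --syn"; fi
    if tcp_flags_match "$flags" ALL NONE; then n=", matches ALL NONE"; else n=""; fi
    echo "packet [$flags]: $r$n"
done
```

Note that the packet may carry flags outside the mask (PSH, URG) and still match: only the masked bits are compared, which is why a plain SYN and a SYN with PSH both satisfy --syn while SYN,ACK does not.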
 
To enable the kernel's routing (forwarding) function and check the setting:
# vim /etc/sysctl.conf
# sysctl -p
# cat /proc/sys/net/ipv4/
 
Save the firewall configuration:
# service iptables save
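Once the rules are saved, it is worth auditing the saved file rather than trusting the live listing from memory. The script below is an added example, not part of the original article: it parses a dump in iptables-save format, which is what "service iptables save" writes to /etc/sysconfig/iptables on RHEL/CentOS (that default path is an assumption of this example), reports the default policy of each built-in chain, and lists the FORWARD rules that admit NEW connections. The dump it runs on is a constructed sample containing the lab's web and ssh rules.

```shell
#!/bin/sh
# Added example (not from the original article): audit a saved rule set in iptables-save format.
# It reports each built-in chain's default policy and the rules that let NEW connections through,
# so a reviewer can see at a glance what the firewall actually admits.

# Constructed sample dump for this example (lab web and ssh rules, FORWARD defaulting to DROP).
SAMPLE_DUMP='# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -s 10.0.3.0/24 -d 10.0.2.2/32 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.0.2.2/32 -d 10.0.3.0/24 -p tcp -m tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
-A FORWARD -s 10.0.3.0/24 -d 10.0.2.2/32 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.0.2.2/32 -d 10.0.3.0/24 -p tcp -m tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# chain_policy DUMP TABLE CHAIN: print the default policy of CHAIN in TABLE (empty if not found).
chain_policy() {
    printf '%s\n' "$1" | awk -v table="$2" -v chain="$3" '
        /^\*/ { cur = substr($0, 2); next }
        cur == table && $1 == (":" chain) { print $2; exit }'
}

# rules_accepting_new DUMP CHAIN: print every filter-table rule in CHAIN that accepts NEW connections.
rules_accepting_new() {
    printf '%s\n' "$1" | awk -v chain="$2" '
        /^\*/ { cur = substr($0, 2); next }
        cur == "filter" && $1 == "-A" && $2 == chain && /--state [A-Z,]*NEW/ && /-j ACCEPT/'
}

# count_rules_accepting_new DUMP CHAIN: number of such rules.
count_rules_accepting_new() {
    rules_accepting_new "$1" "$2" | wc -l | tr -d ' '
}

# forward_policy_is_drop DUMP: succeed only if the FORWARD chain defaults to DROP,
# the starting point the article uses for the gateway firewall.
forward_policy_is_drop() {
    [ "$(chain_policy "$1" filter FORWARD)" = DROP ]
}

# audit_dump DUMP: human-readable report; returns 1 if the FORWARD default policy is not DROP.
audit_dump() {
    for chain in INPUT FORWARD OUTPUT; do
        echo "filter/$chain default policy: $(chain_policy "$1" filter "$chain")"
    done
    echo "rules admitting NEW connections through FORWARD:"
    rules_accepting_new "$1" FORWARD | sed 's/^/  /'
    forward_policy_is_drop "$1" || { echo "WARNING: FORWARD is not DROP by default"; return 1; }
}

# audit_saved_rules [FILE]: audit the file written by "service iptables save"
# (default path /etc/sysconfig/iptables is an assumption of this example).
audit_saved_rules() {
    file=${1:-/etc/sysconfig/iptables}
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    audit_dump "$(cat "$file")"
}

# Demonstrate on the constructed sample.
audit_dump "$SAMPLE_DUMP"
```

On the gateway itself, run audit_saved_rules after "service iptables save"; a non-zero exit from the audit means the FORWARD chain would pass unlisted traffic by default.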
 
 
The following uses several services as examples to show how the firewall works in practice:
Web service (listens on port 80, TCP)
FTP service (listens on port 21, plus the ports used in passive mode, TCP)
The FTP server can work in active or passive mode; passive mode is much safer than active mode.
SSH service (port 22, TCP)
Ping (ICMP types 8, 0 and 3)
 
Lab environment:
Intranet server: 10.0.2.2
Gateway firewall: 10.0.2.1 (intranet NIC), 10.0.3.1 (internet NIC)
Internet host: 10.0.3.2
 
 
I. Use routing on the gateway to allow web communication between the two networks:
Server configuration:
# yum install httpd
# service httpd start
Gateway firewall configuration:
# vim /etc/sysctl.conf   (enable the routing function)
# sysctl -p
# iptables -P FORWARD DROP   (set the default policy of the FORWARD chain to DROP)
# iptables -A FORWARD -s 10.0.3.0/24 -d 10.0.2.2 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A FORWARD -d 10.0.3.0/24 -s 10.0.2.2 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
 
 
Client verification:
# elinks 10.0.2.2
 
II. SSH service:
Server configuration:
# yum install openssh-server
# service sshd start
Gateway firewall configuration:
# iptables -A FORWARD -s 10.0.3.0/24 -d 10.0.2.2 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A FORWARD -d 10.0.3.0/24 -s 10.0.2.2 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
Client access:
# ssh root@10.0.2.2
 
III. FTP service:
Server:
# yum install vsftpd
# service vsftpd start
Gateway firewall configuration:
# iptables -A FORWARD -s 10.0.3.0/24 -d 10.0.2.2 -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
 
# iptables -A FORWARD -d 10.0.3.0/24 -s 10.0.2.2 -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
 
# iptables -A FORWARD -s 10.0.3.0/24 -d 10.0.2.2 -p tcp -m state --state
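The gateway rules from sections I to III, collected into one reproducible script. This is an added example, not the article's own script. It assumes the lab addresses (server 10.0.2.2, internet subnet 10.0.3.0/24) and, for the FTP data channel, that the kernel's FTP connection-tracking helper (nf_conntrack_ftp, ip_conntrack_ftp on older kernels) is loaded, so that passive-mode data connections are tracked as RELATED to the control connection on port 21, the RELATED case the state match section mentions. Forwarding is enabled separately as in the article (sysctl.conf and sysctl -p). By default the script only prints the commands; run it with IPTABLES=iptables on the gateway to apply them.

```shell
#!/bin/sh
# Added example (not the article's own script): the lab's FORWARD rules for web, ssh and ftp.
# Assumptions: lab addresses below; for FTP passive mode, the FTP conntrack helper is loaded so
# that data connections show up as RELATED. Forwarding itself is enabled as in the article
# (net.ipv4.ip_forward = 1 in /etc/sysctl.conf, then "sysctl -p").
# IPTABLES defaults to echo (dry run); set IPTABLES=iptables to program the kernel.

IPTABLES=${IPTABLES:-echo}
INTERNET_NET=${INTERNET_NET:-10.0.3.0/24}
SERVER=${SERVER:-10.0.2.2}

# forward_service_rules PORT: the rule pair for one TCP service. Requests from the internet may
# open NEW connections to the server port; replies from the server are only ESTABLISHED traffic.
forward_service_rules() {
    printf '%s\n' "-A FORWARD -s $INTERNET_NET -d $SERVER -p tcp --dport $1 -m state --state NEW,ESTABLISHED -j ACCEPT"
    printf '%s\n' "-A FORWARD -s $SERVER -d $INTERNET_NET -p tcp --sport $1 -m state --state ESTABLISHED -j ACCEPT"
}

# ftp_data_rules: passive-mode data connections use unpredictable ports, so instead of opening a
# port range they are admitted only when conntrack marks them RELATED to a tracked FTP session.
ftp_data_rules() {
    printf '%s\n' "-A FORWARD -s $INTERNET_NET -d $SERVER -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT"
    printf '%s\n' "-A FORWARD -s $SERVER -d $INTERNET_NET -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT"
}

# gateway_rules: the complete list, one iptables argument string per line. The chain is flushed
# and its default policy set to DROP first, so re-running the script never duplicates rules.
gateway_rules() {
    printf '%s\n' "-F FORWARD"
    printf '%s\n' "-P FORWARD DROP"
    forward_service_rules 80    # web
    forward_service_rules 22    # ssh
    forward_service_rules 21    # ftp control channel
    ftp_data_rules              # ftp data channel (passive mode)
}

# count_rules: number of generated lines.
count_rules() {
    gateway_rules | wc -l | tr -d ' '
}

# apply_rules: feed each line to $IPTABLES; stops at the first failure and returns 1.
apply_rules() {
    gateway_rules | while read -r line; do
        # the line is intentionally word-split into separate arguments
        $IPTABLES $line || exit 1
    done
}

# Run directly: prints the commands (dry run) unless IPTABLES=iptables was set.
apply_rules
```

The reply-direction rules only ever match ESTABLISHED (or RELATED) traffic, so the server can never open new connections outward through the gateway on these ports; only the three service ports accept NEW connections, and only from the internet side toward the server.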
