iptables/netfilter and tcp_wrappers


iptables/netfilter:

Firewall: an isolation tool that runs on a host or at the network edge. Packets addressed to the host or network are matched against predefined rules, and every packet that a rule matches is handled by the action that rule defines.
Host firewall
Network firewall

Software firewall (filtering logic implemented in software)
Hardware firewall (purpose-built hardware plus software logic): Netscreen, Checkpoint, ...

iptables (netfilter)
netfilter: the in-kernel framework
Hook functions
iptables: the command-line tool
Rules utility (user space writes the rules, the kernel enforces them)

Hook functions:
INPUT
OUTPUT
FORWARD
PREROUTING
POSTROUTING

Packet flow:
Into the local host: PREROUTING --> INPUT ==> user-space process
Out of the local host: user-space process ==> OUTPUT --> POSTROUTING
Forwarded through the host: PREROUTING --> FORWARD --> POSTROUTING

Functions: tables
filter: packet filtering, the firewall proper;
nat: network address translation, used to rewrite the source IP, the destination IP, or the port;
mangle: unpacks the packet and modifies header fields as needed (TTL, TOS, marks);
raw: exempts selected packets from the connection tracking that the nat table relies on (NOTRACK);

iptables:
1. Built-in chains: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING; each corresponds to one hook function;
2. Custom chains: extend and supplement the built-in chains, allowing more flexible rule management; a custom chain only takes effect when a rule in another chain jumps to it;

Table <==> chain:
filter: INPUT, FORWARD, OUTPUT
nat: PREROUTING, INPUT, OUTPUT, POSTROUTING
mangle: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING
raw: PREROUTING, OUTPUT

Priority: when several tables have rules on the same chain, they are applied in this order (high to low): raw > mangle > nat > filter

When routing decisions are made:

1. After the packet enters the host: is the destination the local host? Yes: INPUT; No: FORWARD (whether forwarding actually happens depends on whether IP forwarding is enabled, net.ipv4.ip_forward = 1)

2. Before the packet leaves the host: which interface leads to the next hop?

Rules:
Components: the packet is tested against the rule's match conditions; once a match succeeds, the action (target) the rule defines is applied;
A. Match conditions:
1. Basic match conditions
2. Extended match conditions
B. Processing action (target):
1. Basic targets
2. Extended targets
3. Custom chains (user-defined processing)

Points to consider when adding a rule:
(1) Which function to implement: decides the table;
(2) The path the packet takes through the host: decides the chain;
The order of the rules on a chain is the order in which they are checked, top-down, and the first match wins; therefore:

1. For rules of the same class (access to the same service), put the rule with the narrower match above the broader one;

2. For rules of different classes (access to different services), put the rule that will match the most packets on top;

3. Combine several rules that one rule can express into one;

4. Set a default policy.

CentOS 7
~]# systemctl stop firewalld.service
~]# systemctl disable firewalld.service

Note: when changing iptables rules on a remote host, a mistake can lock you out. Before applying the new rules, schedule an at or crontab job that flushes the rules (iptables -F) a few minutes later; if remote access still works after the change, cancel the job, otherwise it restores access for you.

Rule format: iptables [-t table] SUBCOMMAND chain [-m matchname [per-match-options]] -j TARGET [per-target-options]

-t table:
raw, mangle, nat, [filter] (filter is the default when -t is omitted)

Subcommands:
Chain management:
-N: new, add a custom chain;
-F: flush, empty the rules of the specified chain (all chains of the table if none is given);
-X: delete, delete an empty custom chain;
-Z: zero, reset the rule counters; every iptables rule has two counters: (1) the number of packets matched, (2) the total size in bytes of all packets matched;
-P: policy, set the default policy of a built-in chain: ACCEPT or DROP (discard silently); REJECT (refuse with an error reply) is an extension target and cannot be a chain policy, so to reject by default append a final REJECT rule instead;
-E: rename, rename a custom chain; a custom chain with a non-zero reference count cannot be renamed or deleted;

Rule management:
-A: append, add at the end of the chain;
-I: insert, insert at the given position (rule number); position omitted means the first rule;
-D: delete, delete the specified rule;
-R: replace, replace the specified rule on the specified chain;
Two ways to specify the rule: (1) by its rule number, (2) by restating the rule itself;
-S: list the rules of the chain in iptables-save format;

Viewing:
-L: list, list all rules on the specified chain (all chains of the table if none is given);
-n: numeric, show addresses and ports as numbers (no DNS or service-name lookups);
-v: verbose, show details (counters, interfaces);
-vv, -vvv
-x: exact, show the exact counter values instead of K/M/G-rounded ones;
--line-numbers: show the rule numbers of the chain;

Chain:
PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING

Matching criteria:
Basic match conditions: need no module to be loaded; provided by iptables/netfilter itself;
[!] -s, --source address[/mask][,...]: check whether the source IP address of the packet matches the given address or range;
[!] -d, --destination address[/mask][,...]: check whether the destination IP address of the packet matches the given address or range;
[!] -p, --protocol protocol
PROTOCOL: tcp, udp, udplite, icmp, icmpv6, esp, ah, sctp, mh or "all"
{tcp|udp|icmp}
[!] -i, --in-interface name: the interface the packet arrived on; only meaningful for incoming packets, so only usable in the PREROUTING, INPUT and FORWARD chains;
[!] -o, --out-interface name: the interface the packet leaves through; only meaningful for outgoing packets, so only usable in the FORWARD, OUTPUT and POSTROUTING chains;

Extended match conditions: an extension module must be loaded before they take effect; the modules live in /usr/lib64/xtables/
Implicit extensions: the module is loaded without an explicit -m option, provided -p selects the protocol;
[!] -p, --protocol protocol
protocol: tcp, udp, udplite, icmp, icmpv6, esp, ah, sctp, mh or "all"
{tcp|udp|icmp}
1. -p tcp: implies "-m tcp", with dedicated options:
[!] --source-port, --sport port[:port]: match the source port in the TCP header; may be a port range;
[!] --destination-port, --dport port[:port]: match the destination port in the TCP header; may be a port range;
[!] --tcp-flags LIST1 LIST2: examine the flags named in LIST1; those also named in LIST2 must be set (1) and the remaining flags of LIST1 must be clear (0); flags not in LIST1 are not examined;
SYN, ACK, FIN, RST, PSH, URG (plus the keywords ALL and NONE)

For example, "--tcp-flags SYN,ACK,FIN,RST SYN" means:
the four flags SYN, ACK, FIN and RST are examined; SYN must be 1 and the other three must be 0;
[!] --syn: matches the first packet of the handshake; equivalent to "--tcp-flags SYN,ACK,FIN,RST SYN";

2. -p udp: implies "-m udp", with dedicated options:
[!] --source-port, --sport port[:port]: match the source port of the packet; may be a port range;
[!] --destination-port, --dport port[:port]: match the destination port of the packet; may be a port range;

3. -p icmp: implies "-m icmp", with dedicated options:
[!] --icmp-type {type[/code]|typename}
echo-request: 8/0, echo request
echo-reply: 0/0, echo reply

Explicit extensions: the extension module must be named explicitly [-m matchname [per-match-options]];

Help:
CentOS 6: man iptables
CentOS 7: man iptables-extensions

1. multiport extension
Matches several discrete ports in one rule; up to 15 ports (a port range counts as two);

[!] --source-ports, --sports port[,port|,port:port]...: multiple source ports;
[!] --destination-ports, --dports port[,port|,port:port]...: multiple destination ports;
[!] --ports port[,port|,port:port]...: multiple ports, matching either the source or the destination port;

~]# iptables -A INPUT -s 172.16.0.0/16 -d 172.16.100.67 -p tcp -m multiport --dports 22,80 -j ACCEPT

2. iprange extension
Matches an arbitrary contiguous range of IP addresses, typically one that does not align with a network boundary;

[!] --src-range from[-to]: source IP address range;
[!] --dst-range from[-to]: destination IP address range;

~]# iptables -A INPUT -d 172.16.100.67 -p tcp --dport 80 -m iprange --src-range 172.16.100.5-172.16.100.10 -j DROP

3. string extension
Pattern-matches a string against the application-layer payload of the packet;

--algo {bm|kmp}: string matching algorithm;
bm: Boyer-Moore
kmp: Knuth-Morris-Pratt
[!] --string pattern: the string to look for;
[!] --hex-string pattern: the string to look for, given in hexadecimal, e.g. "|48 54 54 50|";
--from offset / --to offset: restrict the search to a byte range of the packet (optional)

Caveat: the match only sees the payload of a single packet, so it misses a pattern split across packets and cannot inspect encrypted (TLS) traffic.

~]# iptables -A OUTPUT -s 172.16.100.67 -d 172.16.0.0/16 -p tcp --sport 80 -m string --algo bm --string 'gay' -j REJECT

4. time extension
Matches packets by their arrival time against a date and time range;

--datestart YYYY[-MM[-DD[Thh[:mm[:ss]]]]]: start date and time
--datestop YYYY[-MM[-DD[Thh[:mm[:ss]]]]]: end date and time

--timestart hh:mm[:ss]: daily start time
--timestop hh:mm[:ss]: daily end time

[!] --monthdays day[,day...]: match on the given days of the month
[!] --weekdays day[,day...]: match on the given days of the week

--kerneltz: interpret the times in the kernel's time zone instead of the default UTC;

~]# iptables -A INPUT -s 172.16.0.0/16 -d 172.16.100.67 -p tcp --dport 80 -m time --timestart 14:30 --timestop 18:30 --weekdays Sat,Sun --kerneltz -j DROP

5. connlimit extension
Matches on the number of concurrent connections from each client IP (or, with --connlimit-daddr, to each destination IP);

--connlimit-upto n: match when the number of existing connections is less than or equal to n;
--connlimit-above n: match when the number of existing connections is greater than n;
--connlimit-mask prefix-length: count per network prefix instead of per host (e.g. 24 to count per /24);

~]# iptables -A INPUT -d 172.16.100.67 -p tcp --dport 21 -m connlimit --connlimit-above 8 -j REJECT

6. limit extension
Rate-limits matching packets with a token bucket filter;

Token bucket filter: tokens are added to the bucket at the average rate, up to the bucket size (the burst); each matching packet consumes one token, and the match fails once the bucket is empty;

--limit rate[/second|/minute|/hour|/day]: average rate at which the match succeeds (default 3/hour)
--limit-burst number: bucket size, i.e. how many packets may match in a burst before the rate applies (default 5)

~]# iptables -I INPUT -d 172.16.100.67 -p icmp --icmp-type 8 -m limit --limit 3/minute --limit-burst 5 -j ACCEPT
~]# iptables -I INPUT 2 -p icmp -j REJECT

7. state extension
Checks the state of the connection a packet belongs to, using the connection tracking (conntrack) mechanism;

Conntrack: tracks the relationship between the requests and responses seen by this host and classifies every packet as one of:
NEW: the packet starts a new connection; the conntrack table has no entry for it yet, so it is treated as a first request;
ESTABLISHED: the connection already has an entry in the conntrack table (packets have been seen in both directions) and the entry has not yet timed out;
RELATED: a connection associated with an existing one, such as the FTP data connection that belongs to an FTP command connection, or an ICMP error referring to a tracked connection;
INVALID: the packet cannot be associated with any connection (malformed, or out of state);
UNTRACKED: the packet was exempted from tracking by a NOTRACK rule in the raw table; typically used on the front end of a load balancer to avoid the cost of tracking;

[!] --state STATE[,STATE...]
(-m conntrack --ctstate is the current, more capable equivalent of -m state --state)

~]# iptables -A INPUT -d 172.16.100.67 -p tcp -m multiport --dports 22,80 -m state --state NEW,ESTABLISHED -j ACCEPT
~]# iptables -A OUTPUT -s 172.16.100.67 -p tcp -m multiport --sports 22,80 -m state --state ESTABLISHED -j ACCEPT

Maximum number of connections the tracking table can hold (tunable):
/proc/sys/net/nf_conntrack_max

~]# sysctl -w net.nf_conntrack_max=300000
~]# echo 300000 > /proc/sys/net/nf_conntrack_max

Note: the maximum number of connections conntrack can track is set by /proc/sys/net/nf_conntrack_max (also visible as /proc/sys/net/netfilter/nf_conntrack_max; on very old kernels the ip_conntrack module used /proc/sys/net/ipv4/ip_conntrack_max). Tracked connections are listed in /proc/net/nf_conntrack, and the current number of entries is in /proc/sys/net/netfilter/nf_conntrack_count. Entries are removed when their state-specific timeout expires; while the table is full, packets of new connections are dropped (the kernel logs "nf_conntrack: table full, dropping packet") and clients see timeouts. The per-protocol and per-state timeouts live under /proc/sys/net/netfilter/ (for example nf_conntrack_tcp_timeout_established defaults to 432000 s, five days).

There are two remedies; the first is the usual one:
(1) Increase nf_conntrack_max (every entry costs kernel memory, so size it to the RAM available):
vi /etc/sysctl.conf
net.netfilter.nf_conntrack_max = 393216
(older kernels exposed the same setting as net.ipv4.netfilter.nf_conntrack_max)

(2) Shorten the conntrack timeouts so idle entries expire sooner:
vi /etc/sysctl.conf
net.netfilter.nf_conntrack_tcp_timeout_established = 300
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
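The sysctl values above only help if you notice the table filling up before the kernel starts dropping packets. The following added example (written for this page, not part of the original notes) reads the live counters, reports the utilisation, suggests a new nf_conntrack_max sized to the observed peak, and lists which source addresses currently hold the most entries. The 80 % warning threshold and the "keep the peak at or below 50 %" sizing rule are choices made here, not kernel defaults.

```shell
#!/bin/bash
# Conntrack table utilisation check. Example code added for this page; the 80%
# threshold and the 50% sizing target are this script's own assumptions.

conntrack_pct() {
    # conntrack_pct COUNT MAX -> integer utilisation percentage
    echo $(( $1 * 100 / $2 ))
}

conntrack_sizing() {
    # conntrack_sizing CURRENT_MAX PEAK_COUNT -> nf_conntrack_max that keeps the observed
    # peak at or below 50%, rounded up to a multiple of 4096; never suggests shrinking
    local need=$(( $2 * 2 ))
    need=$(( (need + 4095) / 4096 * 4096 ))
    [ "$need" -gt "$1" ] && echo "$need" || echo "$1"
}

conntrack_check() {
    # conntrack_check [THRESHOLD_PCT]: read the live counters; returns 1 when the table
    # is above the threshold, 2 when nf_conntrack is not loaded (no counters exist yet)
    local dir=/proc/sys/net/netfilter count max pct threshold=${1:-80}
    [ -r "$dir/nf_conntrack_count" ] || { echo "nf_conntrack not loaded" >&2; return 2; }
    read -r count < "$dir/nf_conntrack_count"
    read -r max < "$dir/nf_conntrack_max"
    pct=$(conntrack_pct "$count" "$max")
    printf 'conntrack: %d/%d entries (%d%%), tcp established timeout %ss\n' \
        "$count" "$max" "$pct" "$(cat "$dir/nf_conntrack_tcp_timeout_established")"
    if [ "$pct" -ge "$threshold" ]; then
        printf 'WARNING: above %d%%; consider nf_conntrack_max=%d or shorter timeouts\n' \
            "$threshold" "$(conntr_sizing_guard "$max" "$count")" >&2
        return 1
    fi
}

conntr_sizing_guard() { conntrack_sizing "$1" "$2"; }

conntrack_top_sources() {
    # conntrack_top_sources [N]: which source addresses hold the most entries right now
    # (reads /proc/net/nf_conntrack, which needs root)
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^src=/) { print substr($i, 5); break } }' \
        /proc/net/nf_conntrack 2>/dev/null | sort | uniq -c | sort -rn | head -n "${1:-5}"
}

# Usage (as root):  conntrack_check 80 && echo OK ; conntrack_top_sources 10
```

Run it from cron and alert on a non-zero exit; the top-sources listing distinguishes a genuine traffic peak (many sources, few entries each) from a single client or scanner that is exhausting the table, which calls for a connlimit or recent rule rather than a bigger table.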

View the nat table with numeric output:
~]# iptables -t nat -L -n

How to allow the FTP service, including passive mode, through the firewall?
(1) Load the FTP connection tracking helper; it reads the PORT/PASV exchange on the command connection and marks the resulting data connection RELATED:
~]# modprobe nf_conntrack_ftp
(Caveats: on kernels 4.7 and later the helper is no longer assigned automatically; add a rule such as "iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp" or set net.netfilter.nf_conntrack_helper=1. The helper cannot follow a command channel that is encrypted with TLS.)

(2) Allow the command connection (assuming the server address is 172.16.100.67):
~]# iptables -A INPUT -d 172.16.100.67 -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
~]# iptables -A OUTPUT -s 172.16.100.67 -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT

(3) Allow the data connection (assuming the server address is 172.16.100.67):
~]# iptables -A INPUT -d 172.16.100.67 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
~]# iptables -I OUTPUT -s 172.16.100.67 -m state --state ESTABLISHED -j ACCEPT

Rule optimization:
Server-side rule setting: any access that is not explicitly allowed should be refused as soon as the request arrives;
(1) Inbound packets belonging to ESTABLISHED connections can be accepted safely;
(2) Outbound packets belonging to ESTABLISHED connections can be accepted safely;
(3) Inbound NEW requests must be admitted carefully, service by service;
(4) Special-purpose restrictions (rate limits, blocklists) must be placed before the broader accept rules they are meant to restrict;

Using a custom chain:
A custom chain only takes effect when a rule in another chain jumps to it (-j CHAIN); its last rule should be a return rule so that packets it does not match continue in the calling chain;

The return rule uses the target RETURN;

Lifetime of the rules:
Rules defined with the iptables command live only in the running kernel: they last until they are deleted by hand or the system reboots, unless they are saved to a file;

Saving rules:
Save the rules to a file:
CentOS 6:
~]# service iptables save
Saves the rules to the /etc/sysconfig/iptables file;

~]# iptables-save > /path/to/some_rules_file

CentOS 7:
~]# iptables-save > /path/to/some_rules_file

Reload rules from a saved rules file (the whole ruleset is replaced unless -n/--noflush is given):
~]# iptables-restore < /path/from/some_rules_file

CentOS 6:
~]# service iptables restart
Rules are loaded automatically from the /etc/sysconfig/iptables file

Making the rules in a rules file take effect automatically at boot:
(1) Put every iptables command in a script and run the script at boot;
Add the script path to the /etc/rc.d/rc.local file (which must be executable):
/path/to/some_script_file

(2) Save the rules in a rules file and load that file at boot;
Add to the /etc/rc.d/rc.local file:
iptables-restore < /path/from/iptables_rules_file

CentOS 7:
Introduces a new front end for managing the firewall, firewalld, with its own tools: firewall-cmd (command line) and firewall-config (graphical). firewalld and a hand-maintained iptables ruleset should not be run side by side; use one or the other (hence the systemctl commands above).

About firewalld:
https://www.ibm.com/developerworks/cn/linux/1507_caojh/index.html

Processing actions (targets):
-j TARGET [per-target-options]
ACCEPT
DROP
REJECT
RETURN: return to the calling chain;
REDIRECT: port redirection;
LOG: logging;
MARK: set a firewall mark on the packet;
DNAT: destination address translation;
SNAT: source address translation;
MASQUERADE: address masquerading (SNAT to the outgoing interface's current address);

LOG: write matching packets to the kernel log; non-terminating, the packet continues with the next rule
--log-level level: syslog level
emerg, alert, crit, error, warning, notice, info, debug
--log-prefix prefix: prefix for the log line (up to 29 characters)

iptables -I FORWARD -s 10.0.1.0/24 -p tcp -m multiport --dports 80,21,22,23 -m state --state NEW -j LOG --log-prefix "(NEW connections) "

RETURN:
Return to the caller;

REDIRECT:
Only valid in the PREROUTING and OUTPUT chains of the nat table (and in custom chains called from them); redirects the packet to a port on the local host, i.e. port mapping
--to-ports port[-port]

iptables -t nat -A PREROUTING -d 172.18.100.67 -p tcp --dport 80 -j REDIRECT --to-ports 8080

NAT: network address translation, implemented at the network layer plus the transport layer
SNAT: source NAT
Rewrites the source IP address of the IP packet;
Lets the hosts of a local network share one address when talking to external hosts, hiding their real addresses;
Request: initiated by an internal host; the source IP is rewritten as the administrator defines;
Response: the destination IP is rewritten back automatically by NAT, using the connection tracking table;

DNAT: destination NAT
Rewrites the destination IP address of the IP packet;
Lets servers on the local network be reached through a single public address while their real addresses stay hidden;
Request: initiated by an external host; the destination address is rewritten as the administrator defines;
Response: the source IP is rewritten back automatically by NAT, using the connection tracking table;

PNAT: port NAT (port translation)

SNAT: POSTROUTING
When hosts of the local network reach the external network through a specific address;
DNAT: PREROUTING
When a service on a host of the local network is opened to users on the external network;

Both require IP forwarding on the gateway (net.ipv4.ip_forward = 1) and FORWARD-chain rules that admit the translated traffic; the nat table is consulted only for the first packet of a connection, conntrack applies the same mapping to the rest.

Targets of the nat table:
SNAT
--to-source [ipaddr[-ipaddr]][:port[-port]]
--random
DNAT
--to-destination [ipaddr[-ipaddr]][:port[-port]]
--random
MASQUERADE
--to-ports port[-port]
--random

SNAT example:
~]# iptables -t nat -A POSTROUTING -s 192.168.12.0/24 -j SNAT --to-source 172.16.100.67

MASQUERADE: only usable in the POSTROUTING chain of the nat table; for the case where the address to translate to is assigned dynamically;
Source address translation: when the outgoing interface gets its address dynamically (DHCP, PPP), MASQUERADE looks up the address to translate to for each new connection, so no fixed --to-source is needed;

~]# iptables -t nat -A POSTROUTING -s 192.168.12.0/24 -j MASQUERADE

DNAT examples:
~]# iptables -t nat -A PREROUTING -d 172.16.100.67 -p tcp --dport 80 -j DNAT --to-destination 192.168.12.77

~]# iptables -t nat -A PREROUTING -d 172.16.100.67 -p tcp --dport 80 -j DNAT --to-destination 192.168.12.77:8080
~]# iptables -t nat -A PREROUTING -d 172.16.100.67 -p tcp --dport 22012 -j DNAT --to-destination 192.168.12.78:22

REDIRECT: port redirection (e.g. a web service listening on 8080 reached through port 80; see the REDIRECT example above);

Source address translation (templates):
iptables -t nat -A POSTROUTING -s LOCALNET ! -d LOCALNET -j SNAT --to-source EXTIP
iptables -t nat -A POSTROUTING -s LOCALNET ! -d LOCALNET -j MASQUERADE

Destination address translation (template):
iptables -t nat -A PREROUTING -d EXTIP -p tcp|udp --dport PORT -j DNAT --to-destination INTERNAL_SERVER_IP[:PORT]

Addendum: using the recent module to defend port 22 against brute-force and DoS attempts; the module maintains a list of the client IPs that have recently accessed the specified service
SSH: remote login

iptables -A INPUT -p tcp --dport 22 -m connlimit --connlimit-above 3 -j DROP

iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name ssh
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 300 --hitcount 3 --name ssh -j LOG --log-prefix "SSH Attack: "
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 300 --hitcount 3 --name ssh -j DROP

(The rules are appended with -A so that they sit in the order shown; inserting them with -I would reverse the order. The list name must be identical in all three rules, it is case-sensitive and becomes the file name under /proc/net/xt_recent/.)

1. The connlimit module caps the concurrent connections from a single IP at 3; raise the value if many users sit behind one NAT address.

2. The recent and state modules together allow a single IP only 2 new connections to this host within 300 s; from the third new connection on, attempts are dropped until 300 s have passed since the last attempt (every dropped attempt refreshes the entry, so the block extends while the client keeps retrying).

Explanation of the last two rules:

1. The --set rule records every NEW connection to TCP port 22 under the list name ssh;
--set adds the packet's source IP to the list, or adds a new timestamp to the entry if the IP is already listed

2. The --update rules match when the source IP is already in the ssh list with 3 or more timestamps within the last 300 s (the timestamp just added by the --set rule counts); the LOG rule logs the attempt and the DROP rule discards it;
--update: like --rcheck, but also refreshes the entry when the rule matches;
--seconds must be used together with --rcheck or --update;
--hitcount must be used together with --rcheck or --update;

3. The list iptables maintains can be inspected at /proc/net/xt_recent/ssh

The logging can also be done with this single rule:
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --name ssh --seconds 300 --hitcount 3 -j LOG --log-prefix "SSH Attack: "
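The /proc/net/xt_recent/ssh file mentioned above is both the audit trail and the management interface of the list. The following added example (written for this page, not part of the original notes) parses that file offline and reports which addresses would currently trip a "--seconds S --hitcount N" rule. The sample lines are constructed, not captured from a live host; the kernel writes the timestamps in jiffies, so the window is given in jiffies too, and the HZ=1000 conversion assumed in the comment (300 s = 300000 jiffies) must be checked against CONFIG_HZ on the host.

```shell
#!/bin/bash
# Report the addresses in a recent-module list that exceed a hit count inside a window.
# Example code added for this page. Line format written by the kernel's xt_recent:
#   src=<ip> ttl: <ttl> last_seen: <jiffies> oldest_pkt: <idx> <stamp>, <stamp>, ...
# Stamps and last_seen are in jiffies; assumption below: HZ=1000, so 300 s = 300000.

recent_offenders() {
    # recent_offenders FILE HITCOUNT WINDOW_JIFFIES -> one "ip hits" line per offender
    awk -v hit="$2" -v win="$3" '
        $1 ~ /^src=/ {
            ip = substr($1, 5); last = $5; n = 0
            for (i = 8; i <= NF; i++) {          # fields 8.. are the stamps
                s = $i; sub(/,$/, "", s)
                if (last - s <= win) n++        # only hits inside the window count
            }
            if (n >= hit) print ip, n
        }' "$1"
}

# Constructed sample of /proc/net/xt_recent/ssh for offline use (not a real capture).
RECENT_SAMPLE=$(mktemp)
cat > "$RECENT_SAMPLE" <<'EOF'
src=192.0.2.10 ttl: 64 last_seen: 5000000 oldest_pkt: 4 4700000, 4800000, 4900000, 5000000
src=198.51.100.7 ttl: 52 last_seen: 5000000 oldest_pkt: 3 4600000, 4900000, 5000000
src=203.0.113.9 ttl: 60 last_seen: 4100000 oldest_pkt: 1 4100000
EOF

recent_offenders "$RECENT_SAMPLE" 3 300000   # matches the page's --seconds 300 --hitcount 3

# The same file is the management interface (as root):
#   echo +192.0.2.10 > /proc/net/xt_recent/ssh   # add an address by hand
#   echo -192.0.2.10 > /proc/net/xt_recent/ssh   # remove it (unblock a locked-out admin)
#   echo / > /proc/net/xt_recent/ssh             # flush the whole list
```

With the sample, only 192.0.2.10 is reported: 198.51.100.7 also has three hits, but one of them is older than the window, which is exactly why a --hitcount rule without --seconds behaves differently from one with it.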

Third-party modules:
layer7: identifies common application-layer protocols (HTTP, QQ, ...) by payload signatures;

CentOS 6 kernel source RPMs:

http://ftp.redhat.com/redhat/linux/enterprise/6Server/en/os/SRPMS/

layer7 is a third-party extension, not part of the stock kernel or iptables. (The project has been unmaintained for years and its signatures date from 2009; it only sees cleartext payloads, so TLS traffic is not identified.)

Implementing layer-7 access filtering with iptables:

Module: layer7
Identifies application-layer protocols

iptables/netfilter
iptables: -m state
netfilter: connection state tracking

netfilter lives in the kernel: apply the layer7 patch and recompile the kernel;
iptables: apply the layer7 patch, add the layer7 match module, recompile iptables;

diff/patch: text manipulation tools

diff is a very important tool on UNIX systems. It compares two text files and reports the differences, and it is one of the core tools of source version control. Basic usage:
# diff <file before the change> <file after the change>

For historical reasons, diff has three output formats:
  normal format (normal diff)
  context format (context diff)
  unified format (unified diff)

1. Normal-format diff
For example, file1 (before the change) and file2 (after the change) are compared with:
# diff file1 file2
In the output, the first line of each block tells where the change is. It has three parts: the leading number is the line of file1 that changed; the letter in the middle is the kind of change, "c" for a changed line, "a" for an added line and "d" for a deleted line; the trailing number is the corresponding line of file2.

2. Context-format diff
In the early 1980s, when the University of California, Berkeley released the BSD version of UNIX, the plain diff output was found too terse: changes are easier to understand with some context around them. The context format was therefore introduced. It is selected with the -c option (for context).
# diff -c f1 f2
The output has four parts. The first part is two lines with the basic information about the two files, name and timestamp: "***" marks the file before the change, "---" the file after it. The second part is a line of 15 asterisks separating the header from the changes. The third part shows the relevant lines of the file before the change, file1.
Every line of file content is preceded by a marker: blank means the line is unchanged, an exclamation mark (!) means the line was changed, a minus sign (-) means the line was deleted, and a plus sign (+) means the line is new.
The fourth part shows the same region of the file after the change, file2.

3. Unified-format diff
If the two files are very similar, the context format repeats a lot of content and wastes space. In 1990 GNU diff introduced the "unified format", which merges the contexts of f1 and f2 into one listing.
It is selected with the -u option (for unified).
# diff -u f1 f2
The first part of the output is again the basic information about the files: "---" marks the file before the change and "+++" the file after it. The second part gives the position of the change, enclosed in "@@" at the beginning and the end (the hunk header). The third part is the changed content itself, with "-" for removed and "+" for added lines.

diff
-u

patch

Although patch and diff are not formally tied together, patch normally takes the output of diff as its input and understands all of diff's output formats. patch reads the patch file (possibly from standard input) and modifies the target files accordingly. The usual workflow is: diff compares the old and new versions, and patch applies the diff so that a copy of the old version becomes identical to the new one.

The general form of patch is
patch [options] [originalfile] [patchfile]

If patchfile is omitted, the patch is read from standard input; if originalfile is also omitted, the names of the files to patch are taken from the patch itself (which is then necessarily on standard input). Therefore, to patch a whole directory, the file names under that directory must be recorded in the patch. In most cases patch is used in this simple way.

patch ignores the extra information in the patch file and extracts the diff itself and the names of the files to patch; the file name is taken from the "source" ("---"), "destination" ("+++") and "Index:" lines of the diff, in that order of preference.

The -p option decides how much of the directory prefix read from the patch is kept in the file name: without -p, all directory information is discarded and only the base name is used; -p0 (or -p 0) means use the whole path; -p1 strips everything up to and including the first "/", and so on. For a name such as /usr/src/linux-2.4.15/Makefile, -p3 leaves linux-2.4.15/Makefile as the file to patch.

patch
-p: strip this many leading path components
-R: reverse the patch (undo it)

mockbuild

Summary: procedure

1. Obtain and unpack the kernel source

useradd mockbuild
rpm -ivh kernel-2.6.32-431.5.1.el6.src.rpm
cd rpmbuild/SOURCES
tar xf linux-2.6.32-*.tar.gz -C /usr/src
cd /usr/src
ln -sv linux-2.6.32-* linux

2. Patch the kernel

tar xf netfilter-layer7-v2.23.tar.bz2
cd /usr/src/linux
patch -p1 < /root/netfilter-layer7-v2.23/kernel-2.6.32-layer7-2.23.patch
cp /boot/config-$(uname -r) .config
make menuconfig

To enable the layer7 module, navigate:
Networking support -> Networking options -> Network packet filtering framework (Netfilter) -> Core Netfilter Configuration
<M> "layer7" match support

3. Compile and install the kernel

make
make modules_install
make install

4. Reboot into the new kernel

5. Compile iptables

tar xf iptables-1.4.20.tar.gz
cp /root/netfilter-layer7-v2.23/iptables-1.4.3forward-for-kernel-2.6.20forward/* /root/iptables-1.4.20/extensions/
cp /etc/rc.d/init.d/iptables /root
cp /etc/sysconfig/iptables-config /root
rpm -e iptables iptables-ipv6 --nodeps
cd /root/iptables-1.4.20
./configure --prefix=/usr --with-ksource=/usr/src/linux
make && make install
cp /root/iptables /etc/rc.d/init.d
cp /root/iptables-config /etc/sysconfig

6. Install the protocol signatures the layer7 module matches against

tar zxvf l7-protocols-2009-05-28.tar.gz
cd l7-protocols-2009-05-28
make install

7. Using the layer7 module

Connection accounting (acct) can be enabled or disabled on demand through a kernel parameter; it only takes effect once the nf_conntrack module is loaded:
net.netfilter.nf_conntrack_acct = 1

l7-filter uses the standard iptables extension syntax:

iptables [table and chain] -m layer7 --l7proto [protocol name] -j [action]
iptables -A FORWARD -m layer7 --l7proto qq -j REJECT

Compiling a kernel:
make menuconfig
make -j #   (# = number of parallel jobs, e.g. the CPU count)
make modules_install
make install

Cleaning up the kernel source tree:
make clean      (remove build products, keep .config)
make mrproper   (also remove .config and other generated files)

Tip: xt_layer7.ko depends on the nf_conntrack.ko module

tcp_wrappers: TCP wrapper
An access-control layer for applications that serve over TCP; implemented through library calls to libwrap

How to determine whether a service can be controlled by tcp_wrappers:
(1) Dynamically linked: use the ldd command;
ldd $(which COMMAND) | grep libwrap
(2) Statically linked: run the strings command on the binary and look for the strings hosts.allow and hosts.deny;
strings $(which COMMAND) | grep hosts

Note: the super-server xinetd is linked against libwrap.so, so every service it spawns is covered;
Note: OpenSSH dropped libwrap support in version 6.7, so on current systems sshd no longer honours hosts.allow and hosts.deny; the ldd check above tells you whether yours does;

How a libwrap-linked service performs access control:
First check whether /etc/hosts.allow explicitly allows the current requester:
Yes: grant the client access immediately;
No: then check whether /etc/hosts.deny explicitly denies the current requester:
Yes: deny the requester immediately;
No: allow the requester;
(So when neither file mentions a client, the default is allow; the usual hardening is a final "ALL: ALL" line in hosts.deny.)

Configuration file syntax:
daemon_list : client_list [: options]

daemon_list:
(1) The process name of a single application (as it appears in argv[0]), not the service name; for example, vsftpd;
(2) A comma-separated list of application names;
Example: sshd, vsftpd
(3) ALL: every program subject to tcp_wrappers control;

client_list:
(1) An IP address or host name;
(2) A network address: either in full-mask format (172.18.0.0/255.255.0.0) or as a trailing-dot prefix, e.g. 172.16. meaning 172.16.0.0/255.255.0.0; the prefix-length form (172.16.0.0/16) is not accepted for IPv4;
(3) ALL: all hosts;
(4) KNOWN: the host name resolves both forward and reverse; UNKNOWN: the name or address cannot be resolved; PARANOID: the forward and reverse lookups disagree;
(5) EXCEPT: exclusion;
For example: the whole 172.18 network, except the 172.18.100 segment, but including the host 172.18.100.68 (nested EXCEPT, which associates to the right):
vsftpd: 172.18. EXCEPT 172.18.100.0/255.255.255.0 EXCEPT 172.18.100.68

: options
deny: refuse the connection; mainly used in hosts.allow;
allow: permit the connection; mainly used in hosts.deny;
spawn: run the specified program;
Example: sshd: ALL: spawn /bin/echo $(date) login attempt from %c to %s, %d >> /var/log/sshd.log

Available expansions:
%c: client information (client IP, or user@IP when available)
%s: server information (daemon@server_IP)
%d: daemon name
%p: daemon process ID
Full reference: man hosts_access (and man hosts_options for the option extensions)

For example: vsftpd is open only to hosts in 172.16.0.0/255.255.0.0;
sshd is open only to hosts in 172.16.0.0/255.255.0.0, excluding 172.16.100.6;
/etc/hosts.allow:
sshd: 172.16. EXCEPT 172.16.100.6
vsftpd: 172.16.

/etc/hosts.deny:
sshd: ALL
vsftpd: ALL

