Linux-basic firewall configuration

Source: Internet
Author: User

Firewall technology
What is a firewall? It is a component that sits at the edge of a network and inspects incoming and outgoing packets, matching them against the rules defined by the administrator.
Firewalls are divided into hardware and software firewalls. A firewall works at the network edge and does not act on its own; it is only a component that enforces the administrator's policy.
Firewall policy
A policy is a set of rules.
Firewall types
The market has two kinds: firewalls that work at layer 3/4 (packet filtering) and firewalls that work at layer 7 (proxy gateways).
Working at layer 3: inspects every inbound and outbound packet at the network layer, by IP address.
Working at layer 7: the firewall is relatively secure, but its efficiency is relatively low; once the rule matching the target packet is found, the packet is processed accordingly.
A layer-3 firewall only unpacks the headers up to layer 3, then re-encapsulates the packet and sends it on; a layer-7 firewall unpacks the packet all the way to the application layer before re-encapsulating and sending it.
 
Built-in firewall on Linux systems
iptables, whose predecessor was ipfw. iptables writes the rules into the kernel, where they take effect.
The TCP/IP protocol stack lives in the kernel, so the rules take effect in the kernel.
Like the files under /proc/sys, a firewall that works with the kernel must be placed in kernel space to take effect.
iptables/netfilter: netfilter filters the flow of packets at five points.

        --- ssh ---
           //\\
Internet --- server --- intranet

Address translation must be performed before routing.
Different functions must be implemented at different locations, so different rule chains and processing mechanisms are used.
netfilter has five locations where filtering can take place.
These are the hook functions.
The five built-in hooks, in the order a packet meets them, starting from the moment it arrives on our network card:
PREROUTING: before routing
INPUT: inbound to the local machine
FORWARD: forwarded through the machine
OUTPUT: outbound from the local machine
POSTROUTING: after routing
These correspond to the five built-in rule chains.
 
Firewall policy
By default the door is open; nothing tells us who may enter.
1. allow/deny: filter
2. address translation: nat

Filtering and address translation are separate functions. To avoid overlap, the rules for different functions on the same chain are defined in separate tables.
Tables
3. modify packet contents: mangle

(This table is mainly used to mark special packets for routing.)
Think about the format of the IP header.
= Three tables and five chains =
The filter table can be used on only three chains: INPUT, FORWARD, OUTPUT (uppercase).
The nat table: PREROUTING, OUTPUT, POSTROUTING (uppercase).
The mangle table: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING.

Packets are checked against the rules from top to bottom. Once a packet matches a rule, the remaining rules are not checked, so the strictest (most specific) rules should be placed at the top.
A user-defined chain must be linked to (jumped to from) a built-in chain before it can take effect.
You can delete the chains you defined yourself; you cannot delete the built-in chains.
How to write firewall rules
 

iptables syntax rules
The iptables command filters and blocks network packets, so do not practise firewall rules on a remote host: one wrong rule can lock you out.
iptables has at least three default tables (filter, nat, mangle). filter is the one commonly used and is the default table; the other is the nat table; mangle is rarely used.
1. clearing and viewing rules
# iptables [-t table] [-L] [-nv]
-t: the table to operate on, for example nat or filter; if omitted, the default filter table is used.
-L: lists the rules of the current table.
-n: shows addresses numerically, without reverse lookup of IP addresses and hostnames, which is much faster.
-v: lists more information, including the total number of packets that have matched each rule and the related network interfaces.
=====
# iptables [-t table] [-FXZ]
Parameters
-F: clear all rules
-X: delete all user-defined chains
-Z: reset the packet and byte counters of all chains to zero
 
2. define the default policy
# iptables [-t nat] -P [INPUT|OUTPUT|FORWARD] [ACCEPT|DROP]
-P defines the policy. Note that this -P is uppercase.
ACCEPT: the packet is accepted.
DROP: the packet is discarded silently, so the client does not know why it was dropped.
In this example, set INPUT on the local machine to DROP, and set OUTPUT and FORWARD to ACCEPT.
# iptables -P INPUT DROP
# iptables -P OUTPUT ACCEPT
# iptables -P FORWARD ACCEPT
 
 

iptables [-t table] COMMAND chain CRITERIA -j ACTION
Example: iptables -t filter -A INPUT -s 1
View the defined rules: iptables -L

chain specifies the chain to operate on; CRITERIA is the matching condition; -j specifies how a matching packet is handled (required).
COMMAND:
Chain management commands:
-P: set the default policy of a chain (DROP or ACCEPT). # iptables -P INPUT (DROP | ACCEPT) takes effect immediately.
Example: # iptables -P INPUT DROP sets the default to drop
# iptables -P INPUT ACCEPT sets the default to accept
-F (flush): clear all rules in a chain
# iptables -t nat -F PREROUTING clears the PREROUTING chain of the nat table
-N: create a user-defined rule chain
# iptables -N inbound_tcp_web
-X: delete an empty user-defined rule chain
-E: rename a user-defined rule chain
-Z: zero the packet and byte counters of the rules in a chain
Rule management commands:
-A: append a rule at the end of the chain
-I: insert a rule at position N
-R: replace rule number NUM
-D: delete a rule
View commands:
-L: list rules
-n: numeric output (no name resolution)
-v: details; -vv more, -vvv most detailed
-x: exact values, not converted to units (K, M, G)
--line-numbers: display the rule number. Example: iptables -L -n --line-numbers

 
Matching criteria:
General matches
-s, --src: match the source address
IP, NETWORK/NETMASK, 0.0.0.0/0.0.0.0 (any address)
-d, --dst: match the destination address
-p: match the protocol; usually one of these three (tcp | udp | icmp)
-i: the inbound interface of the packet, for example eth0
-o: the outbound interface

 
Implicit extensions
tcp and udp rule matching
Extensions specific to a protocol
-p tcp
--dport port[:port]: limits the destination port; a consecutive range is written as 1024:65535.
--sport port[:port]: limits the source port.
--tcp-flags mask comp: the flags listed in the mask are checked, and those listed in comp must be set (1). The six flags are SYN, ACK, FIN, PSH, RST, URG.
Example: --tcp-flags SYN,ACK,FIN,RST SYN matches the first packet of the three-way handshake; this is the same as --syn.
-p udp
--dport
--sport
-p icmp
--icmp-type: the ICMP type of the packet, for example 8; the numeric code or the name can be used.
Example: 8 means echo-request.
For example, only ICMP packets of a given type may enter the local machine.
--icmp-type
echo-request 8: request echo
echo-reply 0: echo reply
 
Explicit extensions
state module, MAC and RELATED
-m indicates an explicit extension (a match module).
-p tcp -m multiport --dports 21,23,80
-m state: connection state detection
-j ACTION
DROP: quietly refuse
REJECT: explicitly reject
ACCEPT: accept
custom_chain: jump to a user-defined chain
DNAT, SNAT
MASQUERADE: source address masquerade
REDIRECT: port redirection
RETURN: return to the calling chain
iptables -t filter -A INPUT -s 172.16.0.0/16 -d 172.16.100.1 -p tcp --dport

State detection (-m state --state)
NEW: a new connection
ESTABLISHED: an established connection
RELATED: a connection related to an existing one
INVALID: an unrecognized connection

iptables -L -n
iptables -L -n --line-numbers
iptables -R

Save
service iptables save
saves to this file:
/etc/sysconfig/iptables
iptables-save > /etc/sysconfig/iptables.2
iptables-restore < /etc/sysconfig/iptables.2
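The pieces above (default policies, a user-defined chain hooked into INPUT, the state and multiport matches, top-to-bottom rule order, and iptables-save/iptables-restore) combined into one host ruleset, as an added example that is not part of the original post. It assumes a constructed host: SSH on port 22 reachable only from 172.16.0.0/16, a web server on 80 and 443, and the /etc/sysconfig/iptables save path shown above.

```shell
#!/bin/sh
# Added example (not from the original post): build a host firewall ruleset in
# iptables-restore format and apply it atomically. Assumed: SSH on 22 from the
# LAN 172.16.0.0/16 only, web on 80/443 (constructed values).
set -eu

SSH_PORT=22
LAN=172.16.0.0/16

# Emit the ruleset as text. Writing it out first lets us review it before
# anything touches the kernel.
gen_ruleset() {
    cat <<EOF
*filter
# Default policies: deny inbound, allow outbound; this box does not route.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# User-defined chain; it only takes effect once INPUT jumps to it below.
:inbound_tcp_web - [0:0]
-A INPUT -i lo -j ACCEPT
# Replies and related traffic for connections already known (state match).
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# Rules are checked top to bottom; the specific SSH rule comes before the jump.
-A INPUT -p tcp -s ${LAN} --dport ${SSH_PORT} --syn -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j inbound_tcp_web
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A inbound_tcp_web -m state --state NEW -j ACCEPT
-A inbound_tcp_web -j RETURN
COMMIT
EOF
}

# Count the rules that land in a given chain, to sanity-check the policy.
count_rules() {
    gen_ruleset | grep -c "^-A $1 " || true
}

# Apply only when asked and running as root: iptables-restore replaces the
# whole table in one step, so a half-applied ruleset cannot lock out a remote
# session the way a sequence of separate iptables calls can.
apply_ruleset() {
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    gen_ruleset | iptables-restore
    iptables-save > /etc/sysconfig/iptables   # persist across reboots
}

if [ "${1:-}" = "--apply" ]; then apply_ruleset; fi
```

Run with --apply as root to load the ruleset; without it the script only builds the text, so you can pipe gen_ruleset's output through a review first.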
 
 
 
--
NAT
Proxy server
Address translation
iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -j SNAT --to-source 172.16.100.1
MASQUERADE: address masquerade
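The SNAT rule above extended into a working gateway ruleset, as an added example that is not from the original post. It assumes constructed interfaces eth0 (uplink, address 172.16.100.1) and eth1 (LAN 192.168.10.0/24), and shows when MASQUERADE takes the place of SNAT.

```shell
#!/bin/sh
# Added example (not from the original post): a minimal gateway ruleset that
# does source NAT for a LAN. Assumed: LAN 192.168.10.0/24 behind eth1, uplink
# eth0 with address 172.16.100.1 (constructed values).
set -eu

LAN=192.168.10.0/24
LAN_IF=eth1
WAN_IF=eth0
WAN_IP=172.16.100.1

# mode=static uses SNAT with a fixed --to-source (needs a fixed address);
# mode=dynamic uses MASQUERADE, which reads the interface address per packet,
# so it keeps working when a DHCP or PPP address changes.
gen_nat_ruleset() {
    mode=${1:-static}
    case "$mode" in
        static)  snat_target="-j SNAT --to-source ${WAN_IP}" ;;
        dynamic) snat_target="-j MASQUERADE" ;;
        *) echo "unknown mode: $mode" >&2; return 1 ;;
    esac
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Rewrite the source of LAN traffic leaving the uplink; this runs after routing.
-A POSTROUTING -s ${LAN} -o ${WAN_IF} ${snat_target}
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Forward only LAN-originated flows and their replies: nothing unsolicited
# from the uplink reaches the LAN, even though the NAT rule itself is permissive.
-A FORWARD -i ${LAN_IF} -o ${WAN_IF} -s ${LAN} -j ACCEPT
-A FORWARD -i ${WAN_IF} -o ${LAN_IF} -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Routing between interfaces is off by default; NAT rules do nothing without it.
enable_gateway() {
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    sysctl -w net.ipv4.ip_forward=1
    gen_nat_ruleset "${1:-static}" | iptables-restore
}
```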
This article is from the "blog world" blog
