Linux Firewall IPtables settings and usage (1)

Source: Internet
Author: User

The procedure for using iptables to set up a Linux firewall is as follows:

A typical firewall configuration includes two NICs, one inbound and the other outbound. iptables reads the headers of inbound and outbound packets, compares them with the configured rule set, and forwards acceptable packets from one network adapter to the other. Rejected packets are dropped or otherwise handled as the rules define.

You control packet filtering by giving the firewall rules that state what to do with packets from a given source, to a given destination, or of a given protocol type. The iptables command supplied with the iptables system creates these rules and adds them to a chain in a specific packet-filtering table in kernel space. The general syntax for adding, removing and editing rules is as follows:

iptables [-t table] command [match] [target]

In practice, rules are generally written in this order because it is easier to read. Most rules follow it, so rules written by others will usually look the same.

If you do not want to use the default table, you must name it in [-t table]. Usually the table need not be specified, because iptables uses the filter table by default for every command. The table name can in fact be given almost anywhere in the rule, but placing it at the beginning has become the accepted convention. The command is always placed at the beginning or directly after the table name; beyond that, order the rule for readability.

The command tells iptables what to do, such as inserting a rule, appending a rule at the end of a chain, or deleting a rule. The commands are described in detail below.

A match describes a specific feature of a packet that distinguishes it from all other packets: the packet's source IP address, the network interface, a port, the protocol type, or something else. Many different matches are shown below.

Finally, the target says what happens to the packet. If the packet satisfies all the matches, the kernel applies the target to it, or sends the packet to the target. For example, the kernel can pass the packet to another chain in the current table (possibly one we created ourselves), drop it without further processing, or return a special response to the sender. These options are discussed one by one below:
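To make the table / command / match / target breakdown concrete, here is an added example (not code from the original article) of a minimal default-deny filter-table ruleset written one rule per line in exactly that syntax. The interface name eth0 is an assumption; the function prints the rules so they can be reviewed, and only runs them as root when asked to.

```shell
#!/bin/sh
# Added example (not from the original article): a default-deny filter
# ruleset, each line in the form
#   iptables [-t table] command [match] [target]
# filter_rules prints the commands; apply_rules runs them only when called
# explicitly and only as root.

IFACE="eth0"   # assumption: the interface that faces the untrusted network

filter_rules() {
    # No -t given: the filter table is the default.
    # command -P sets a chain's policy, i.e. the target for packets no rule matched
    printf 'iptables -P INPUT DROP\n'
    printf 'iptables -P FORWARD DROP\n'
    printf 'iptables -P OUTPUT ACCEPT\n'
    # command -A appends; match -i lo (loopback); target ACCEPT
    printf 'iptables -A INPUT -i lo -j ACCEPT\n'
    # match: connection state; replies to connections we opened are let back in
    printf 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    # match: interface + protocol + port + state; target ACCEPT (new SSH sessions only)
    printf 'iptables -A INPUT -i %s -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT\n' "$IFACE"
    # match: rate limit; target LOG does not stop the packet, so it then hits the DROP policy
    printf 'iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "\n'
}

# rule_count: number of iptables invocations the ruleset contains
rule_count() { filter_rules | grep -c '^iptables '; }

apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_rules: must run as root" >&2; return 1; }
    filter_rules | while IFS= read -r cmd; do
        # each line is a complete iptables invocation built above, so eval is safe here
        eval "$cmd" || return 1
    done
}

case "${1:-show}" in
    show)  filter_rules ;;
    apply) apply_rules ;;
esac
```

Run the script with no argument to print the rules, or with `apply` as root to load them. The ESTABLISHED,RELATED rule is placed before the port-specific rules so that return traffic is accepted without a per-service rule, and the LOG rule is the last one so that only packets that would be dropped anyway are logged.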

Table

The [-t table] option selects a table other than the default. A table is a packet-filtering table containing rules and chains that handle only specific kinds of packets. Three tables are available: filter, nat, and mangle. The option is not required; if it is omitted, the filter table is used. The function of each table is described below.

Filter

The filter table is used to filter packets. Packets can be matched and filtered here at any time, and DROPped or ACCEPTed based on their content. Some filtering can also be done elsewhere, but this table is designed for filtering, and almost all targets can be used in it.

Nat

The nat table is used for Network Address Translation (NAT). The addresses of packets that undergo NAT are changed according to our rules. Only the first packet of a stream passes through this table.

If the first packet is NATed or masqueraded, the remaining packets of the stream are automatically handled in the same way: they do not pass through this table again and are not NATed one by one. This is the main reason this table should not be used for filtering. The PREROUTING chain changes the destination address of a packet, if necessary, when it arrives at the firewall. The OUTPUT chain changes the destination address of locally generated packets.

The POSTROUTING chain changes a packet's source address before it leaves the firewall. This table is used only for NAT, that is, for translating a packet's source or destination address. Note that only the first packet of a stream is matched by these chains; subsequent packets are handled automatically in the same way. The actual operations are of the following types:

◆ DNAT

◆ SNAT

◆ MASQUERADE

DNAT is used mainly in this case: you have a public IP address on the firewall and need to redirect access to the firewall on to other hosts (for example, in a DMZ). That is, the destination address is changed so that the packet can be rerouted to that host.

SNAT changes the source address of the packet, which is very useful for hiding your local network or DMZ. A typical case is that only the external address of the firewall is known to the outside, so local network addresses must be replaced with it. With this operation the firewall automatically performs SNAT and De-SNAT (reverse SNAT) on the packets so that the LAN can connect to the Internet.

If you use an address such as 192.168.0.0/24 unchanged, you will not receive any response from the Internet, because IANA defines these networks (and others) as private and they may be used only inside a LAN.

MASQUERADE does exactly the same as SNAT, but with slightly more load on the computer: for each matching packet, MASQUERADE has to look up the address currently in use on the outgoing interface, whereas SNAT uses a fixed address. This has the advantage that addresses obtained through dial-up connections such as PPP, PPPoE and SLIP can be used; those addresses are allocated dynamically by the ISP's DHCP.

Mangle

This table is used mainly to mangle packets, that is, to change packet contents and header fields such as TTL, TOS, or MARK. Note that MARK does not actually change the packet; it only sets a flag on the packet in kernel space, which other rules or programs in the firewall (such as tc) can use to filter packets or perform advanced routing. This table has five built-in chains: PREROUTING, POSTROUTING, OUTPUT, INPUT, and FORWARD.
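The NAT operations above (DNAT in PREROUTING, SNAT or MASQUERADE in POSTROUTING) and the mangle table's MARK target are shown together in the following added example, which is not code from the original article. It generates a nat and mangle ruleset in iptables-restore(8) format; the interface name, the public address, the DMZ host address and the mark value are constructed placeholders, and the choice between SNAT and MASQUERADE is made by a mode argument that models the fixed-address versus dial-up cases described above.

```shell
#!/bin/sh
# Added example (not from the original article): generate a nat + mangle
# ruleset in iptables-restore(8) format. The interface name and addresses
# below are constructed placeholders, not values from the article.

WAN_IF="eth0"              # assumption: Internet-facing interface
PUBLIC_IP="203.0.113.10"   # constructed: fixed public address (RFC 5737 documentation range)
LAN_NET="192.168.0.0/24"   # private range used in the article
DMZ_WEB="10.0.0.5"         # constructed: DMZ web server that DNAT forwards to

# rule: print one ruleset line built from its arguments
rule() { printf '%s\n' "$*"; }

# nat_mangle_rules MODE: MODE is "static" (fixed public IP, use SNAT) or
# "dynamic" (address assigned by PPP/DHCP, use MASQUERADE).
nat_mangle_rules() {
    mode="${1:-static}"
    rule '*nat'
    rule ':PREROUTING ACCEPT [0:0]'
    rule ':OUTPUT ACCEPT [0:0]'
    rule ':POSTROUTING ACCEPT [0:0]'
    # PREROUTING/DNAT: rewrite the destination of inbound HTTP so it reaches the DMZ host.
    # Only the first packet of each connection is seen here; conntrack handles the rest.
    rule -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 -j DNAT --to-destination "$DMZ_WEB:80"
    if [ "$mode" = "static" ]; then
        # POSTROUTING/SNAT: rewrite LAN source addresses to the fixed public address
        rule -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j SNAT --to-source "$PUBLIC_IP"
    else
        # POSTROUTING/MASQUERADE: same effect, but the address of $WAN_IF is looked up
        # per packet, so it keeps working after the ISP hands out a new address
        rule -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
    fi
    rule COMMIT
    rule '*mangle'
    rule ':PREROUTING ACCEPT [0:0]'
    # MARK only tags the packet inside the kernel (0x1 is a constructed value);
    # "ip rule add fwmark 0x1 table 100" or tc can then act on that tag.
    rule -A PREROUTING -i "$WAN_IF" -p tcp --dport 22 -j MARK --set-mark 0x1
    rule COMMIT
}

# load_rules MODE: parse-check the ruleset with iptables-restore --test, then load it.
# Needs root; replaces the whole nat and mangle tables. Not called unless asked.
load_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "load_rules: must run as root" >&2; return 1; }
    nat_mangle_rules "$1" | iptables-restore --test || return 1
    nat_mangle_rules "$1" | iptables-restore
}

nat_mangle_rules "${1:-static}"
```

Run the script with `static` or `dynamic` to print the ruleset, or call `load_rules static` from a root shell to check and load it. The DNAT rule only rewrites the destination; whether the redirected packets actually reach the DMZ host is still decided by the filter table's FORWARD chain, which is why the article warns against doing filtering in the nat table and why a FORWARD rule for the DMZ host must accompany this ruleset.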
