Linux firewall iptables

Source: Internet
Author: User
Tags: network, function, ftp, protocol



Firewall: professional hardware firewalls; host firewalls; network firewalls. Function: a component that works at the edge of a host or network, checks incoming and outgoing packets against predefined rules, and handles the packets matched by a rule according to the action that rule defines.

Host firewall on Linux: iptables/netfilter. iptables: the program used to write rules. netfilter: the network filtering framework in the kernel, working on the TCP/IP protocol stack. Hook functions:

PREROUTING: before a packet entering this machine is routed

INPUT: a packet arriving at this machine

OUTPUT: a packet sent by this machine

FORWARD: a packet forwarded through this machine

POSTROUTING: after routing, as a packet leaves

Paths a packet can take: to this machine: PREROUTING, INPUT; sent by this machine: OUTPUT, POSTROUTING; forwarded by this machine: PREROUTING, FORWARD, POSTROUTING.

Functions (one table each):

filter: packet filtering (the firewall proper)

nat: Network Address Translation (NAT server)

mangle: modifying fields in the packet header

raw: turning off the connection tracking that the nat table enables

iptables: N rules can be attached to each hook function; the rules attached to one hook are called a chain (CHAIN).

Each function has several chains, so a function is called a table. iptables/netfilter: netfilter is the framework inside the kernel's TCP/IP protocol stack; iptables has four tables and five chains. filter: INPUT, FORWARD, OUTPUT. When adding a rule, consider: (1) the function to implement, which decides the table; (2) the path the packet takes, which decides the chain. Remember: a packet cannot pass through a custom chain on its own; a custom chain takes effect only when it is referenced as a target from a built-in chain.

The iptables command generates rules and sends them to netfilter.

Rules are handed directly to the kernel through the kernel interface, so they take effect immediately, but they are not permanent.

If a rule is expected to be permanent, it must be saved to the configuration file; that file is loaded at boot, or manually by the user.

Keep in mind: 1. The order of the rules is critical: the stricter (more specific) a rule, the earlier it should appear, because rules are checked from top to bottom.

2. Rules that match frequently belong near the front, which saves the time otherwise wasted evaluating many rules.

iptables [-t TABLE] SUBCOMMAND CHAIN CRITERIA -j TARGET

-t TABLE:

The default is filter; the four available tables are filter, nat, mangle and raw.

Example: show all rules of the nat table

iptables -t nat -L -n -v

Show all rules of the filter table

iptables -L -n -v

Subcommands:

Chain management:

-F: flush, clears all rules of the specified chain in the specified table; when the chain name is omitted, clears all chains in the table;

-N: new, creates a user-defined chain; a custom chain can only be used as the jump target of a built-in chain, that is, it takes effect through a reference from a built-in chain;

-X: delete, deletes an empty user-defined chain; non-empty custom chains and built-in chains cannot be deleted;

-Z: zero, resets the rule counters to 0;

-P: policy, sets the default policy of the chain; when no rule matches, or a match produces no final verdict, the default policy applies;

Available policies for the filter table: ACCEPT, DROP, REJECT

-E: rename, renames a custom chain;

Note: A chain that is still referenced cannot be deleted or renamed.

Example: flush the INPUT chain of the filter table

iptables -F INPUT

Flush the OUTPUT chain of the nat table

iptables -t nat -F OUTPUT

Rule management:

-A: append, appends a rule at the end of the chain;

-I: insert, inserts a rule at the specified position;

-D: delete, deletes the specified rule;

-R: replace, replaces the specified rule;

Columns shown by -L -v:

pkts: the number of packets matched by this rule;

bytes: the total size of the packets matched by this rule;

target: the processing target (the target may be a user-defined chain);

prot: protocol {tcp, udp, icmp};

opt: options;

in: the interface the packet came in on;

out: the interface the packet goes out on;

source: source address;

destination: destination address;

CRITERIA: matching criteria

Checks the IP header, and the TCP, UDP or ICMP header;

Additional checks can be performed through the extension mechanism, such as connection tracking;

Remember: several conditions can be specified at once; by default all of them must be satisfied at the same time;

Matching conditions:

[!] -s, --src, --source ip|network: checks the source IP address of the packet; ! -s 172.16.100.1 means every address except this one

-d, --dst, --destination: checks the destination IP address of the packet;

-p, --protocol: checks the protocol of the packet, that is, the protocol identified by the protocol field of the IP header; one of tcp, udp or icmp;

-i, --in-interface: the interface the packet arrived on; usually only meaningful for rules on the PREROUTING, INPUT and FORWARD chains; -i eth0

-o, --out-interface: checks the interface the packet leaves through; usually only meaningful for rules on the FORWARD, OUTPUT and POSTROUTING chains; -o eth0

# iptables -P INPUT DROP

# iptables -P OUTPUT DROP

Extended matches: extensible checks implemented by iptables modules

Implicit extensions: when the protocol is given with the -p option of the generic match, the -m option naming the extension for that protocol becomes optional;

tcp:

--dport port[:port] destination port (or port range)

--sport port[:port] source port

--tcp-flags LIST1 LIST2

LIST1: the flags to be examined;

LIST2: the flags among LIST1 that must be set to 1; the remaining flags in LIST1 must be 0;

Example: --tcp-flags SYN,ACK,FIN,RST SYN

--syn: matches the first packet of the TCP three-way handshake;

udp:

--sport source port

--dport destination port

icmp:

--icmp-type

8: echo-request

0: echo-reply

Example: allow 172.16.37.1 to send ping requests to this host, 172.16.37.10, and to receive the replies; note: when the default INPUT/OUTPUT policy is DROP, both the request and the reply must be allowed for ping to work

# iptables -A INPUT -s 172.16.37.1 -d 172.16.37.10 -p icmp --icmp-type 8 -j ACCEPT

# iptables -A OUTPUT -s 172.16.37.10 -d 172.16.37.1 -p icmp --icmp-type 0 -j ACCEPT

# iptables -P INPUT DROP

# iptables -P OUTPUT DROP

Explicit extensions: the extension used must be named explicitly;

-m module_name

Each module introduces a new matching mechanism;

To find out which modules are available:

rpm -ql iptables

the module files have lowercase names ending in .so;

multiport extension: matches several discrete ports at once; up to 15 ports can be specified;

Dedicated options:

--source-ports, --sports port[,port,...]

--destination-ports, --dports port[,port,...]

--ports port[,port,...]

iprange extension: specifies a contiguous range of IP addresses; used when the match is not a whole network;

Dedicated options: [!] --src-range ip[-ip]  [!] --dst-range ip[-ip]

Allow 172.16.100.1-100 to access telnet (port 23) on 172.16.100.11

iptables -A INPUT -d 172.16.100.11 -p tcp --dport 23 -m iprange --src-range 172.16.100.1-172.16.100.100 -j ACCEPT

iptables -A OUTPUT -s 172.16.100.11 -p tcp --sport 23 -m iprange --dst-range 172.16.100.1-172.16.100.100 -j ACCEPT

string extension: checks whether a given string appears in the packet payload; string matching algorithms: kmp, bm

Dedicated options:

--algo {kmp|bm}: selects the algorithm

--string "string": the string to match, encoded automatically

--hex-string "hex_string": the pattern given in hexadecimal; more efficient

Reject response packets that contain the string "sex"

iptables -I OUTPUT 1 -s 172.16.100.11 -p tcp --sport 80 -m string --string "sex" --algo kmp -j REJECT

time extension: time-based access control

Dedicated options:

--datestart YYYY[-MM[-DD[Thh[:mm[:ss]]]]] start date

--datestop stop date

--timestart hh:mm[:ss] start time

--timestop stop time

--weekdays day1[,day2,...]

connlimit extension: limits the number of concurrent connections per client IP

Dedicated options:

--connlimit-above n: more than n connections

! --connlimit-above n: no more than n connections

Example: reject SSH connections to 172.16.100.11 once a client has more than 5

iptables -I INPUT 2 -d 172.16.100.11 -p tcp --dport 22 -m connlimit --connlimit-above 5 -j REJECT

iptables -P INPUT ACCEPT

Example: configure the local telnet service so that only hosts from the 172.16.0.0/16 network may access it, only during working hours, and with at most 2 concurrent connections per source IP;

Method 1: iptables -A INPUT -s 172.16.0.0/16 -d 172.16.37.10 -p tcp --dport 23 -m time --timestart 01:00 --timestop 20:00 -m connlimit ! --connlimit-above 2 -j ACCEPT

iptables -P INPUT DROP

Method 2: reject first, then allow

iptables -I INPUT 1 -p tcp --dport 23 -m connlimit --connlimit-above 2 -j DROP

iptables -I INPUT 2 -p tcp --dport 23 -j ACCEPT

limit extension: matches based on packet rate;

Dedicated options (token bucket algorithm):

--limit N[/second|/minute|/hour|/day]; example: --limit 10/minute allows 10 packets per minute

--limit-burst N: the peak, that is, the largest burst allowed

The following rules: iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 6/minute --limit-burst 5 -j ACCEPT, and iptables -P INPUT DROP

To ping this host from another host, the following behavior occurs:

First, the first four packets are answered normally; from the fifth packet on, a normal reply arrives only every 10 seconds. We allowed 6 packets per minute, that is, one every 10 seconds, and set the burst threshold to 5, so the first four packets pass normally and from the fifth packet the limit takes effect, which is why a normal reply arrives only every 10 seconds.

Suppose we stop pinging for 30 seconds and then start again; this is what happens:

The first two packets are answered normally, and from the third packet on they are dropped. This is because the cycle in which one packet is allowed through is 10 seconds; if no matching packet arrives during a cycle, the trigger value is restored by 1, so after 30 seconds without a matching packet the trigger value is restored to 3, and after 5 cycles without a matching packet it is fully restored.
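To make the interaction of --limit and --limit-burst concrete, here is an added example (not from the original post) that models the limit match as an idealized token bucket and replays the two ping scenarios above; limit_sim, steady_pings and paused_pings are names chosen for this illustration, and the kernel's own accounting can differ from this model by a packet.

```shell
#!/usr/bin/env bash
# Idealized token-bucket model of the limit match (added example, not
# from the original post). The bucket holds at most BURST tokens
# (--limit-burst) and gains one token every INTERVAL seconds
# (--limit 6/minute is one token per 10 s). Each matching packet spends
# one token; a packet that finds the bucket empty does not match the rule
# and, with a DROP policy on INPUT, is discarded.

# limit_sim BURST INTERVAL T1 T2 ...  (Tn: arrival time in whole seconds)
# Prints one character per packet: A = matched (accepted), D = no token.
limit_sim() {
  local burst=$1 interval=$2
  shift 2
  local tokens=$burst credit=0 last=$1 verdicts="" t
  for t in "$@"; do
    # Refill: elapsed seconds accumulate as credit; each full INTERVAL
    # of credit becomes one token, never exceeding the bucket size.
    credit=$(( credit + t - last ))
    tokens=$(( tokens + credit / interval ))
    credit=$(( credit % interval ))
    if [ "$tokens" -ge "$burst" ]; then
      tokens=$burst
      credit=0
    fi
    last=$t
    if [ "$tokens" -gt 0 ]; then
      tokens=$(( tokens - 1 ))
      verdicts="${verdicts}A"
    else
      verdicts="${verdicts}D"
    fi
  done
  printf '%s\n' "$verdicts"
}

# Scenario from the text: --limit 6/minute --limit-burst 5, one ping per second.
steady_pings() {
  limit_sim 5 10 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14
}

# Same stream, then a 30 s pause after the last packet before pinging again.
paused_pings() {
  limit_sim 5 10 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 44 45 46 47 48
}

steady_pings   # AAAAADDDDDADDDD
paused_pings   # AAAAADDDDDADDDDAAADD
```

In the model the pause refills exactly one token per elapsed 10-second cycle, capped at the burst, which is the "trigger value" the text describes being restored.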

state extension: uses the connection tracking table to record connections and matches on the state of the connection a packet belongs to;

Without connection tracking: a simple packet filtering firewall;

With connection tracking: a packet filtering firewall with stateful inspection;

Dedicated option: --state STATE; the states are: NEW: a newly established connection, that is, the first request sent by a client when there is no corresponding entry in the connection tracking table; ESTABLISHED: after the NEW state, every packet of the connection exchanged before its entry is removed from the connection tracking table;

RELATED: an associated connection, such as the data connection of the FTP protocol, which is associated with the command connection;

INVALID: a state that cannot be recognised;

Example: allow outbound packets of SSH connections that are already established

iptables -A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

Adjusting the maximum number of connections the connection tracking table can hold:

/proc/sys/net/nf_conntrack_max

All connections currently being tracked:

/proc/net/nf_conntrack

Timeouts for the different protocols and connection states being tracked:

/proc/sys/net/netfilter/

How to allow the FTP service in passive mode:

(1) Load the module:

# modprobe nf_conntrack_ftp

(2) Allow the request packets

Allow inbound requests to port 21, and allow all inbound packets in the ESTABLISHED or RELATED state.

Targets (-j): ACCEPT: accept; DROP: discard; REJECT: refuse; SNAT; DNAT
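The two steps above written out as an added example that is not part of the original post: a shell script for a passive-mode FTP server that only prints its commands unless APPLY=1 is set; the host address 172.16.37.10, the function names run and ftp_passive_rules and the APPLY switch are assumptions made here, and the CT --helper rule is included because current kernels no longer attach conntrack helpers automatically.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: a minimal stateful filter that
# lets a passive-mode FTP server on this host work behind DROP policies.
# Assumed: the server listens on port 21 on 172.16.37.10 (the address used
# elsewhere on this page). By default the commands are only printed for
# review; run with APPLY=1 as root to load them into the kernel.
set -eu

run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$@"; fi
}

ftp_passive_rules() {
  local host=$1
  # (1) The FTP helper reads PASV/PORT on the control connection and
  #     registers an expectation, so the data connection is classified RELATED.
  run modprobe nf_conntrack_ftp
  # Current kernels no longer attach helpers automatically: bind it explicitly.
  run iptables -t raw -A PREROUTING -d "$host" -p tcp --dport 21 -j CT --helper ftp
  # Default policies: nothing passes unless a rule below accepts it.
  run iptables -P INPUT DROP
  run iptables -P OUTPUT DROP
  # (2) The only NEW traffic allowed in is a control connection to port 21.
  run iptables -A INPUT -d "$host" -p tcp --dport 21 -m state --state NEW -j ACCEPT
  # Replies on tracked connections plus the helper-expected data connections.
  run iptables -A INPUT -d "$host" -m state --state ESTABLISHED,RELATED -j ACCEPT
  run iptables -A OUTPUT -s "$host" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

ftp_passive_rules 172.16.37.10
```

With OUTPUT defaulting to DROP, the host itself can only answer tracked connections; any service it must initiate needs its own OUTPUT rule.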

NAT server: implements SNAT, DNAT or PNAT as needed;

The translation is not done by a user-space process; it relies on the address translation rules in the kernel;

SNAT: CIP --> SNAT (PIP) --> SIP

CIP: intranet client IP; PIP: the NAT server's address that replaces it; SIP: server IP

Ways to access the Internet:

Two in total:

(1) SNAT, (2) proxy

SNAT: mainly used to let intranet clients access external hosts;

iptables -t nat -A POSTROUTING -s <intranet network or host address> -j SNAT --to-source <external address of the NAT server>

Another target: MASQUERADE: address masquerading; it decides by itself which source address to translate to, but consumes more resources.

iptables -t nat -A POSTROUTING -s <intranet network or host address> -j MASQUERADE

iptables -t nat -A PREROUTING -d <external address of the NAT server> -p <protocol> --dport <port> -j DNAT --to-destination <intranet server address>[:port]

Example: make the web service on 172.16.37.10 reachable through 192.168.1.1

iptables -t nat -A PREROUTING -d 192.168.1.1 -p tcp --dport 80 -j DNAT --to-destination 172.16.37.10

Full NAT: full address translation

When a request packet passes: both the source address and the destination address are modified

How to save and reload rules: save: (1) service iptables save (2) iptables-save > /path/to/somefile

Reload: (1) service iptables reload (2) iptables-restore < /path/to/somefile
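Putting the SNAT/MASQUERADE, DNAT and save steps above together, as an added example that is not from the original post: a gateway script that also adds the FORWARD-chain rules without which the nat rules translate packets that the filter table then discards; the addresses, the interface name eth0, the file path /etc/iptables.rules and the function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: a small NAT gateway script that
# combines the SNAT/MASQUERADE and DNAT rules above with the FORWARD-chain
# rules they depend on, then persists the result with iptables-save.
# Assumed placeholders: LAN 172.16.0.0/16 behind the gateway, external
# interface eth0 with address 192.168.1.1, internal web server 172.16.37.10
# (the page's addresses). Printed for review by default; APPLY=1 as root loads them.
set -eu

run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$@"; fi
}

nat_gateway_rules() {
  local lan=$1 wan_if=$2 wan_ip=$3 web=$4
  # Translation is done in the kernel, and so is forwarding: enable it.
  run sysctl -w net.ipv4.ip_forward=1
  # SNAT for the LAN: MASQUERADE picks the outgoing interface's address itself.
  run iptables -t nat -A POSTROUTING -s "$lan" -o "$wan_if" -j MASQUERADE
  # DNAT: port 80 on the external address is handed to the internal server.
  run iptables -t nat -A PREROUTING -d "$wan_ip" -p tcp --dport 80 -j DNAT --to-destination "$web"
  # nat rules only rewrite addresses; the filter table must still let the
  # forwarded packets through (PREROUTING -> FORWARD -> POSTROUTING path).
  run iptables -P FORWARD DROP
  run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  run iptables -A FORWARD -s "$lan" -o "$wan_if" -m state --state NEW -j ACCEPT
  run iptables -A FORWARD -d "$web" -p tcp --dport 80 -m state --state NEW -j ACCEPT
}

# Rules live only in the kernel: dump them to a file after every change and
# load that file at boot with iptables-restore < FILE.
save_rules() {
  local file=$1
  if [ "${APPLY:-0}" = "1" ]; then iptables-save > "$file"; else echo "iptables-save > $file"; fi
}

nat_gateway_rules 172.16.0.0/16 eth0 192.168.1.1 172.16.37.10
save_rules /etc/iptables.rules
```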


This article is from the "Lu Hang @ blog" blog, please be sure to keep this source http://10116624.blog.51cto.com/10106624/1656863
