Linux firewall Iptables/netfilter (ii)


In the previous article we covered the basics of iptables/netfilter; this article looks at how iptables rules are written. An iptables rule has two parts: 1. the conditions a packet must match, and 2. the action taken once it matches. Matching conditions are divided into basic (generic) matches and extended matches; actions are divided into the built-in targets and user-defined processing (custom chains). One thing to note: a packet never traverses a custom chain on its own, because only the five built-in chains are hooked into the kernel. A custom chain is only reached when a rule in a built-in chain (or in another custom chain) names it as its jump target.

Put plainly, iptables is the userspace tool for creating, inspecting and managing rules; the filtering itself happens in the kernel. Every rule and every chain carries counters for the packets and bytes it has matched. Each built-in chain also has a default policy that applies when no rule matches. The default policy is ACCEPT, so out of the box everything is allowed and you block traffic by adding DROP or REJECT rules, which works like a blacklist. Alternatively, change the default policy to DROP and add rules only for the traffic you want to allow, which works like a whitelist. Because the five chains live in the kernel, a rule takes effect the moment it is added, but it is not persistent: to survive a reboot it has to be written to the configuration file. Next we look at the command structure of iptables:

[figures: iptables command structure diagrams]

Basic syntax format for iptables:

iptables [-t table] command [chain] [match conditions] [-j target or chain to jump to]

Description: the table name and chain name tell iptables which table and chain to operate on (the four tables and five chains from the previous post); the command option says how the rule set is to be managed (insert, append, delete, list, and so on); the match conditions select which packets the rule applies to; and the target (-j) says what to do with a matching packet: accept it, reject it, drop it, log it, or jump to another chain for further processing.

Management and control options of the iptables command:

-A  append a new rule at the end of the specified chain
-D  delete a rule from the specified chain, selected either by rule number or by its content
-I  insert a new rule into the specified chain; by default it becomes rule 1, a position can be given
-R  replace a rule in the specified chain, selected by rule number or by content
-L  list all rules in the specified chain (or in every chain of the table)
-E  rename a user-defined chain; the chain and its rules are unchanged
-F  flush (empty) the rules of a chain, or of the whole table if no chain is given
-N  create a new user-defined chain
-X  delete a user-defined chain in the specified table (delete-chain); the chain must be empty and not referenced by any rule
-P  set the default policy of the specified built-in chain
-Z  zero the packet and byte counters of all chains in the table (or of the given chain)
-n  show addresses and ports numerically (numeric)
-v  verbose output, including the rule counters
-V  print the version
-h  print help

The four most common ways of handling a packet (targets):

ACCEPT  let the packet through
DROP    discard the packet silently, without sending any response to the sender
REJECT  discard the packet and, where appropriate, send an error back to the sender (an ICMP port-unreachable by default, or a TCP RST with --reject-with tcp-reset)
LOG     write the packet's details to the kernel log (which syslog on CentOS puts in /var/log/messages) and then continue with the next rule; LOG is non-terminating, so it is normally followed by a DROP or REJECT rule with the same match

Rules written with iptables are not persistent; either of the following two commands writes them out so that they survive a reboot:

iptables-save > /etc/sysconfig/iptables
service iptables save

The second form is the Red Hat/CentOS init script, which saves the running rules to /etc/sysconfig/iptables automatically.

At boot, the iptables init script under rc.d loads that file with iptables-restore, which restores the rules. iptables-restore can also be run by hand (iptables-restore < /etc/sysconfig/iptables); it loads the whole file as one atomic change, replacing the tables named in the file.

Next we look at some specific cases to get a deeper look at the use of iptables:

[figure: iptables listing output]

-L: list the rules on the specified chain (or all chains of the table);
-n: numeric, show addresses and port numbers as numbers, with no reverse DNS or service-name lookup;
-v: verbose, show the details of each rule including its counters; -vv and -vvv add more detail;
--line-numbers: show the rule number in front of each rule (the number that -D, -I and -R take);
-x: exact, show the counters as exact values rather than rounded K/M/G figures.

The columns of the listing are:

pkts         packets matched by this rule
bytes        total size of the packets matched by this rule
target       the target of the rule (may be a user-defined chain)
prot         protocol: tcp, udp, icmp or all
opt          IP options (usually shown as --)
in           input interface
out          output interface
source       source address
destination  destination address

Rule matches are divided into:

Generic matches

[!] -s, --src, --source ip|network: check the source IP address of the packet; the exclamation mark negates the test, and the same negation can be used with the options below;
[!] -d, --dst, --destination ip|network: check the destination IP address of the packet;
[!] -p, --protocol: check the protocol field of the IP header; tcp, udp, icmp or all;
[!] -i, --in-interface: the interface the packet arrived on; only meaningful in rules on the PREROUTING, INPUT and FORWARD chains;
[!] -o, --out-interface: the interface the packet leaves through; only meaningful in rules on the FORWARD, OUTPUT and POSTROUTING chains;


Extended matches: further checks implemented by iptables match modules

Implicit extensions: when the protocol is given with -p, the match module of the same name is loaded automatically and -m can be omitted.

tcp:
--dport port[:port]   destination port; a contiguous range can be given as first:last, but not a list of separate ports (udp is the same)
--sport port[:port]   source port
--tcp-flags LIST1 LIST2   LIST1 is the set of flags to examine; of those, the flags in LIST2 must be set and the remaining flags in LIST1 must be clear. For example, --tcp-flags SYN,ACK,FIN,RST SYN matches a packet with SYN set and ACK, FIN and RST all clear.
--syn   shorthand for --tcp-flags SYN,RST,ACK,FIN SYN, i.e. the first packet of the TCP three-way handshake

udp: --sport, --dport

icmp: --icmp-type, for example 8 (echo-request) or 0 (echo-reply)

iptables -I INPUT 1 -s 192.168.1.103 -d 192.168.1.109 -p tcp -m tcp --dport 80 -j DROP
iptables -I INPUT 1 -s 192.168.1.103 -d 192.168.1.109 -p tcp --dport 22 -j ACCEPT

The -m tcp in the first command can be omitted, as the second command shows; that is why this is called an implicit extension.
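To make the --tcp-flags semantics concrete, here is an added example (my own script, not part of the original article) that evaluates a --tcp-flags MASK COMP test against a packet's flag byte the way the kernel's tcp match does: the flag byte is ANDed with MASK and the result must equal COMP exactly. It goes a little beyond the text by also showing the ALL/NONE keywords and the null- and Xmas-scan signatures they are typically used for. The flag bit values are those of the TCP header; the function names and the sample flag bytes are my own.

```sh
#!/bin/sh
# Added example, not from the original article: evaluate iptables'
# --tcp-flags MASK COMP test on a packet's TCP flag byte.
# Kernel rule (xt_tcp): match if (flags & MASK) == COMP.

# Bit value of one flag name, as laid out in the TCP header flag byte.
flag_bit() {
    case "$(printf '%s' "$1" | tr 'a-z' 'A-Z')" in
        FIN)  echo 1 ;;
        SYN)  echo 2 ;;
        RST)  echo 4 ;;
        PSH)  echo 8 ;;
        ACK)  echo 16 ;;
        URG)  echo 32 ;;
        ALL)  echo 63 ;;   # iptables keyword: every flag above
        NONE) echo 0 ;;    # iptables keyword: no flag at all
        *) echo "unknown TCP flag: $1" >&2; return 1 ;;
    esac
}

# Convert a comma-separated flag list such as SYN,ACK,FIN,RST to a bitmask.
flags_to_mask() {
    mask=0
    old_ifs=$IFS
    IFS=,
    for name in $1; do
        bit=$(flag_bit "$name") || { IFS=$old_ifs; return 1; }
        mask=$((mask | bit))
    done
    IFS=$old_ifs
    echo "$mask"
}

# tcp_flags_match MASK COMP FLAGBYTE: succeeds (exit 0) when a packet whose
# flag byte is FLAGBYTE (decimal) would match --tcp-flags MASK COMP.
# A flag named in COMP but not in MASK can never match, exactly as in the kernel.
tcp_flags_match() {
    mask=$(flags_to_mask "$1") || return 2
    comp=$(flags_to_mask "$2") || return 2
    flags=$3
    [ $((flags & mask)) -eq "$comp" ]
}

# --syn is shorthand for --tcp-flags SYN,RST,ACK,FIN SYN: a connection request.
syn_match() {
    tcp_flags_match SYN,RST,ACK,FIN SYN "$1"
}

# Constructed sample flag bytes: SYN=2, SYN+ACK=18, ACK=16,
# FIN+PSH+URG=41 (an "Xmas" scan probe) and 0 (a "null" scan probe).
demo() {
    for pkt in 2 18 16 41 0; do
        if syn_match "$pkt"; then
            echo "flags=$pkt: --syn matches (handshake start)"
        elif tcp_flags_match ALL NONE "$pkt"; then
            echo "flags=$pkt: --tcp-flags ALL NONE matches (null scan)"
        elif tcp_flags_match ALL FIN,PSH,URG "$pkt"; then
            echo "flags=$pkt: --tcp-flags ALL FIN,PSH,URG matches (xmas scan)"
        else
            echo "flags=$pkt: no scan signature"
        fi
    done
}
```

Run demo to see which of the five sample packets each rule would catch. Note that --tcp-flags ALL NONE and --tcp-flags ALL FIN,PSH,URG only make sense with DROP in front of the --syn accept rule: a SYN+ACK (18) fails --syn because ACK is in the mask but not in the comparison list, which is exactly what keeps a reply packet from being treated as a new connection request.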

Explicit extensions: the module must be named with -m. rpm -ql iptables lists the available modules, for example /lib64/xtables/libxt_iprange.so.

multiport: match several discrete ports at once with --dports, --sports or --ports; up to 15 ports can be given in one rule (a range such as 1000:1010 counts as two)
iprange: match an address range that is not a network address: --src-range, --dst-range
string: match a string in the packet payload: --string, --algo {kmp|bm} (the search algorithm, Knuth-Morris-Pratt or Boyer-Moore; one must be given), --hex-string "hex_string" for a pattern written in hexadecimal
time: match by time: --datestart, --datestop, --timestart, --timestop, --weekdays
connlimit: limit the number of parallel connections per client address; --connlimit-above n matches once a client has more than n connections
limit: rate matching with a token bucket: --limit is the average rate (for example 5/min), --limit-burst the initial bucket size, i.e. how many packets may be matched in a burst before the rate applies

[figure: the author's demonstration of the extensions above]

This is my demonstration of the several extensions above; see if you can work out which iptables command corresponds to each.

An ICMP type table is attached:

[figure: table of ICMP types]

Before we get to the next extended match we need to talk about the TCP finite state machine. A finite state machine is a mathematical model of behaviour consisting of a finite number of states and the transitions between them.

[figures: TCP three-way handshake, four-way close, and the TCP state diagram]

The three figures above describe the TCP three-way handshake, the four-way close and the state machine in detail, so I will not go over them again. We know that IP is stateless: when many hosts are talking to ours, how do we tell which connection a packet belongs to? Netfilter keeps a table in memory (the connection tracking table, visible in /proc/net/nf_conntrack and bounded by net.netfilter.nf_conntrack_max) that records every connection it has seen. If that table fills up, further packets are dropped and the kernel logs "nf_conntrack: table full, dropping packet", so be careful with connection tracking on hosts that handle very many concurrent connections.

Connection tracking table: records each connection and its state. It works at the IP level and is not limited to TCP; UDP and ICMP flows are tracked too, and entries are removed when their timeout runs out.

The states a connection can be in:

NEW: a new connection; there is no entry for it in the tracking table yet, as with the first request from a client
ESTABLISHED: after NEW, the rest of the conversation, up until the entry is removed from the tracking table, is ESTABLISHED
RELATED: a connection associated with an existing one, such as the FTP data connection that belongs to the FTP command connection (this needs the protocol helper module, nf_conntrack_ftp, to be loaded)
INVALID: a packet that cannot be associated with any known connection, or is malformed

All these principles are there to explain the state extension of iptables. One big use of this extension is to stop reverse-connecting ("bounce") trojans. In short, such a trojan on a compromised host (a "broiler") opens a connection out through the firewall, from a port the firewall already allows, to a listener on the attacker's machine, so the attacker controls the host without ever needing an inbound port opened. With state matching we can say that an outgoing packet from port 80 must belong to an ESTABLISHED connection, i.e. be a response to a client request, and may never be a NEW connection.

[figure: the author's state-module ruleset]

This is what I did with the state module: a host that can use SSH logins and yum from a networked EPEL repository, and serves HTTP, HTTPS and FTP (passive mode; the FTP connection tracking module has to be loaded). With just these few rules plus connection tracking, a stateful packet-filtering firewall covers a whole set of requirements.
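As an added example (my own script, not the author's ruleset from the screenshot), the following builds the stateful, default-deny filter table the paragraph describes: SSH, HTTP, HTTPS and the FTP control channel inbound, DNS and HTTP(S) outbound for yum, the FTP data channel via RELATED, everything else dropped. It is written as an iptables-restore file rather than a series of iptables -A commands so the whole table is swapped in one atomic commit, and it includes the roll-back guard a practitioner wants when changing the INPUT policy to DROP over an SSH session. The interface name, the admin network, the connection cap and the 60-second confirmation window are assumptions.

```sh
#!/bin/sh
# Added example, not the article's own ruleset: stateful whitelist for the
# filter table, emitted in iptables-restore format.
# Assumptions: public interface eth0, ssh admin network 192.168.1.0/24.
WAN_IF=${WAN_IF:-eth0}
ADMIN_NET=${ADMIN_NET:-192.168.1.0/24}

# Print the complete filter table. Lines starting with # are ignored by
# iptables-restore, so the rules can be annotated in place. Order matters:
# rules are tried top to bottom and the first terminating match wins.
filter_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback: local services (rpc, database sockets, yum's own helpers) need it
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# every packet of a tracked connection, or RELATED to one (ftp data channel,
# icmp errors), is allowed in both directions; this single rule does most of the work
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# packets conntrack cannot classify: log (rate limited) and drop
-A INPUT -m state --state INVALID -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "iptables INVALID: "
-A INPUT -m state --state INVALID -j DROP
# per-client cap on parallel web connections, so one source cannot fill the
# conntrack table; it must sit BEFORE the ACCEPT for new web connections
-A INPUT -i $WAN_IF -p tcp -m multiport --dports 80,443 -m connlimit --connlimit-above 50 -j REJECT --reject-with tcp-reset
# NEW inbound: ssh only from the admin network, web and ftp control channel from anywhere
-A INPUT -i $WAN_IF -p tcp -s $ADMIN_NET --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i $WAN_IF -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
-A INPUT -i $WAN_IF -p tcp --dport 21 -m state --state NEW -j ACCEPT
# NEW outbound that the host itself may open: dns, and http(s) for yum/epel
-A OUTPUT -o $WAN_IF -p udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -o $WAN_IF -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
# a reverse-connecting trojan dialling out from the web service shows up as a
# NEW connection sourced from port 80; only ESTABLISHED traffic from 80 was
# allowed above, so this just records the attempt before the DROP policy takes it
-A OUTPUT -o $WAN_IF -p tcp --sport 80 -m state --state NEW -m limit --limit 5/min -j LOG --log-prefix "iptables bounce: "
COMMIT
EOF
}

# Number of -A rules in the generated table; handy for a sanity check.
rule_count() {
    filter_rules | grep -c '^-A'
}

# Load the ruleset. The FTP helper must be present for the data channel to be
# RELATED; on CentOS 6 it is also listed in IPTABLES_MODULES in
# /etc/sysconfig/iptables-config so that the init script loads it at boot.
apply_rules() {
    backup=$(mktemp) || return 1
    iptables-save > "$backup"
    modprobe nf_conntrack_ftp
    filter_rules | iptables-restore || { iptables-restore < "$backup"; return 1; }
    # Lock-out guard when working over ssh: roll back unless confirmed within 60 s.
    echo "Rules loaded; run 'touch /tmp/fw-ok' within 60 seconds or they are rolled back."
    ( sleep 60; [ -e /tmp/fw-ok ] || iptables-restore < "$backup" ) &
}

# Persist the running rules (CentOS/RHEL); only do this after confirming.
save_rules() {
    iptables-save > /etc/sysconfig/iptables
}

case "${1:-}" in
    apply) apply_rules ;;
    save)  save_rules ;;
esac
```

Run the script with apply as root, confirm with touch /tmp/fw-ok once you can still log in, then run it with save. Because the file names only *filter, iptables-restore leaves the nat and mangle tables untouched.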

That covers the filter table; now let's talk about the nat table. NAT stands for network address translation: rewriting the source or destination address in the IP header to reach the desired destination. NAT was originally invented to hide real addresses from the network, which gives some protection, and then, as IPv4 addresses ran short, it turned out to solve the address-shortage problem as a side effect. NAT is broadly divided into four scenarios: source address translation, destination address translation, port translation, and full address translation.

Source address translation (SNAT): the NAT server rewrites intranet source addresses to its public address so that internal hosts can reach the Internet.
Destination address translation (DNAT): the NAT server rewrites the public destination address of incoming Internet traffic to the private address of an internal server.
Port translation: a form of destination address translation in which the port that Internet clients connect to on the NAT server is also rewritten to the port the internal server really listens on.
Full address translation: both the source and the destination address are translated; similar to a proxy server, but not the same thing.

[figure: NAT test topology]

In the topology above, the 192.168.1.0/24 segment plays the role of the external network and 192.168.80.0/24 is the internal network.
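The two translations for this topology, as an added example (my own script, not the author's commands from the screenshots that follow): SNAT for the 192.168.80.0/24 intranet in POSTROUTING and DNAT with port translation for the NAT box's public port 80 in PREROUTING, plus the FORWARD rules without which the translated packets are still not allowed through. The NAT box's external address, its interface names, the internal web server address and its port are assumptions.

```sh
#!/bin/sh
# Added example, not the article's own commands: the nat table for the topology
# above. Assumptions: the NAT box's external address is 192.168.1.200 on eth0,
# its internal interface is eth1, and the internal web server 192.168.80.10
# listens on 8080.
PUBLIC_IP=${PUBLIC_IP:-192.168.1.200}
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
LAN_NET=192.168.80.0/24
WEB_SERVER=${WEB_SERVER:-192.168.80.10}
WEB_PORT=8080

# Source address translation lives in POSTROUTING (after the routing decision,
# just before the packet leaves); destination translation lives in PREROUTING
# (before routing, so the kernel routes on the rewritten address).
nat_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# SNAT: intranet hosts leave with the public address (use -j MASQUERADE
# instead when the external address is dynamic)
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j SNAT --to-source $PUBLIC_IP
# DNAT with port translation: public:80 -> internal server:$WEB_PORT
-A PREROUTING -i $WAN_IF -d $PUBLIC_IP -p tcp --dport 80 -j DNAT --to-destination $WEB_SERVER:$WEB_PORT
COMMIT
EOF
}

# NAT only rewrites addresses; whether a packet may cross the box is still
# decided by the FORWARD chain of the filter table. FORWARD sees the packet
# after DNAT, so the rule matches the internal address and port, not the
# public ones. These are emitted as iptables argument lines instead of a
# *filter restore section so that the rest of the box's filter table is
# left untouched (a *filter section in a restore file replaces the whole table).
forward_rules() {
    cat <<EOF
-P FORWARD DROP
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m state --state NEW -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -d $WEB_SERVER -p tcp --dport $WEB_PORT -m state --state NEW -j ACCEPT
EOF
}

# Forwarding must be switched on in the kernel or nothing is routed at all
# (put net.ipv4.ip_forward = 1 in /etc/sysctl.conf to make it persistent).
apply_nat() {
    sysctl -w net.ipv4.ip_forward=1
    nat_rules | iptables-restore
    forward_rules | while read -r args; do
        iptables $args
    done
}

case "${1:-}" in
    apply) apply_nat ;;
esac
```

Run the script with apply as root on the NAT box. A quick check afterwards is iptables -t nat -L -n -v to see the SNAT and DNAT counters move, and iptables -L FORWARD -n -v to confirm the forwarded packets are being accepted rather than hitting the DROP policy.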

Source address translation test:

[figures: screenshots of the source address translation test]

Destination address translation test:

[figures: screenshots of the destination address translation test]

OK, that is the basic use of iptables/netfilter. iptables works mainly at the network layer (matching IP header fields, plus the port and flag fields of the transport header). Linux also has a host-based access control component called TCP Wrappers (tcp_wrapper): services linked against its libwrap library consult /etc/hosts.allow and /etc/hosts.deny to accept or refuse connections. Readers who are interested can look into it; I will not go into it further here. Please correct me if there is any mistake.


This article is from the "Linuxlove" blog, make sure to keep this source http://linuxlover.blog.51cto.com/2470728/1682810

