I. Linux firewall basics
Firewalls are divided into hardware firewalls and software firewalls.
1. Overview
The Linux firewall system works mainly at the network layer, filtering and restricting TCP/IP packets, so it is a typical packet-filtering firewall.
Packet filtering mechanism: netfilter
Command-line tool for managing firewall rules: iptables
netfilter is the internal packet-filtering structure implemented inside the Linux kernel. It does not exist as a program or a file; it is the "kernel space" part of the firewall system.
iptables is the command-line tool used to manage the Linux firewall; it is the "user space" part of the firewall management system.
2. iptables tables and chains
iptables provides the rules that the packet-filtering mechanism applies; a packet is handled differently depending on which rule it matches.
iptables manages four tables, each with its own set of rule chains:
filter, used to filter network packets (accept or discard them):
INPUT: packets destined for the server itself
OUTPUT: packets sent out by the server
FORWARD: packets routed through the server
nat, used for NAT tables. NAT (Network Address Translation) is a method of rewriting IP addresses:
PREROUTING: packets can be modified as they arrive at the server, before routing
POSTROUTING: packets can be modified as they are about to leave the server
OUTPUT: packets sent out by the server
mangle, used to modify packet fields such as TOS (Type of Service) and TTL (Time to Live):
INPUT: packets destined for the server itself
OUTPUT: packets sent out by the server
FORWARD: packets forwarded through the server
PREROUTING: packets can be modified as they arrive at the server, before routing
POSTROUTING: packets can be modified as they are about to leave the server
raw, used to decide whether a packet should be subject to connection tracking:
OUTPUT: packets sent out by the server
PREROUTING: packets can be modified as they arrive at the server, before routing
3. Packet filtering and matching process
1> Order of precedence between tables
Applied in sequence: raw, mangle, nat, filter
2> Order of precedence between chains
Inbound data flow (destined for the server itself): PREROUTING, then INPUT
Forwarded data flow (passing through the server): PREROUTING, then FORWARD, then POSTROUTING
Outbound data flow (originating from the server): OUTPUT, then POSTROUTING
3> Precedence of rules within a chain
Rules in a chain are checked from top to bottom in the order they were added. The first rule that matches decides how the packet is handled and later rules are not consulted; if no rule matches, the chain's default policy (set with -P) applies.
II. Managing and configuring iptables rules
1. Basic syntax of iptables
iptables [-t table] command-option [chain] [match conditions] [-j target action or jump]
This article URL address: http://www.bianceng.cn/OS/Linux/201410/45496.htm
The table name and chain name specify the object the iptables command operates on; if no table is given, the filter table is used by default. The command option selects how the rule is managed (insert, delete, ...). The match conditions specify which packets the rule applies to, and the target action or jump specifies how a matching packet is handled.
2. Managing iptables rules
Control options
-A  append a rule at the end of a chain
-D  delete a rule from a chain
-I  insert a rule into a chain
-R  replace a rule in a chain
-L  list the rules on a chain
-F  flush a chain, deleting all of its rules
-N  create a new (user-defined) chain
-X  delete a user-defined chain
-P  set the default policy of a chain
-n  display addresses and ports in numeric form
-v  show detailed rule information (verbose)
-V  show the iptables version
-h  show command help
--line-numbers  when listing rules, show their order numbers
Adding, inserting, deleting and replacing rules
The format of a rule definition is:
iptables [-t table] <-A | -I | -D | -R> chain [rule number] [-i | -o interface] [-p protocol] [-s source IP | source subnet] [--sport source port] [-d destination IP | destination subnet] [--dport destination port] <-j action>
The parameters are described below.
[-t table]: the table the rule applies to: filter, nat or mangle. If no table is specified, iptables uses the filter table by default.
-A: appends a new rule at the end of the rule list; a rule number cannot be used with it.
-I: inserts a rule at the given position, and the rules after it shift back by one. If no rule number is given, the rule is inserted before the first rule.
-D: deletes a rule from the rule list, either by giving the complete rule or by giving its rule number directly.
-R: replaces a rule in place without changing the order of the other rules; a rule number must be given.
<chain>: the chain in the given table to operate on: INPUT, OUTPUT, FORWARD, PREROUTING or POSTROUTING.
[rule number]: used when inserting, deleting and replacing rules. Rules are numbered in the order they appear in the list, with the first rule numbered 1.
[-i | -o interface]: -i specifies the interface a packet enters through, -o the interface it leaves through. Interface names such as ppp0, eth0 and eth1 can be used.
[-p protocol]: the protocol the rule applies to, such as tcp, udp or icmp.
[-s source IP | source subnet]: the IP address or subnet of the source host.
[--sport source port]: the source port number of the packet.
[-d destination IP | destination subnet]: the IP address or subnet of the destination host.
[--dport destination port]: the destination port number of the packet.
<-j action>: the action taken on matching packets; a detailed description of each action can be found in table 10-3.
1> Adding and inserting rules
Append a firewall rule at the end of the INPUT chain of the filter table:
[root@s2 ~]# iptables -t filter -A INPUT -p tcp -j
Insert a firewall rule at the top of the INPUT chain of the filter table:
[root@s2 ~]# iptables -I INPUT -p udp -j ACCEPT
Insert a firewall rule into the INPUT chain of the filter table as the second rule in the chain:
[root@s2 ~]# iptables -I INPUT 2 -p icmp -j ACCEPT
2> Viewing the rule list
List all rules in the INPUT chain of the filter table with their order numbers:
[root@s2 ~]# iptables -L INPUT --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     udp  --  anywhere             anywhere
2    ACCEPT     icmp --  anywhere             anywhere
3    REJECT     icmp --  anywhere             anywhere
List the details of all rules in each chain of the filter table, with addresses and ports shown in numeric form:
[root@s2 ~]# iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1189  154K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
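To make the ordering rules of section 3 and the listing format above concrete, here is an added Python example; it is not code from the original article. It parses the output of `iptables -vnL --line-numbers` into chains and rules, replays the first-match evaluation that netfilter applies, and reports chains that still accept by default and rules that can never fire. The listing it parses is constructed to mirror the article's example plus one SSH rule, the packet dictionaries are likewise constructed, and the parser assumes the numeric (-n) form of the listing and understands only the `dpt:` port match in the extra column.

```python
"""Added example (not from the original article): parse an `iptables -vnL
--line-numbers` listing and replay netfilter's first-match evaluation offline."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed listing modelled on the article's output, plus an SSH rule;
# not captured from a real host.
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     1189  154K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0
2        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
3        0     0 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
4       12   720 ACCEPT     tcp  --  eth0   *       192.168.1.0/24       0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
"""

@dataclass
class Rule:
    num: int
    target: str                  # ACCEPT, DROP, REJECT or a user-defined chain
    proto: str                   # "all", "tcp", "udp", "icmp", ...
    in_if: str                   # "*" means any interface
    out_if: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None  # taken from a "dpt:N" match in the extra column
    extra: str = ""

@dataclass
class Chain:
    name: str
    policy: Optional[str]        # None for user-defined chains (no default policy)
    rules: List[Rule] = field(default_factory=list)

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy ([A-Z]+)|\d+ references)")

def parse_listing(text: str) -> dict:
    """Turn numeric (-n) listing text into {chain name: Chain}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = Chain(m.group(1), m.group(2))
            chains[current.name] = current
            continue
        if current is None or not line.strip() or line.lstrip().startswith(("num", "pkts", "target")):
            continue
        f = line.split()
        # columns: num pkts bytes target prot opt in out source destination [extra ...]
        extra = " ".join(f[10:])
        dpt = re.search(r"dpt:(\d+)", extra)
        current.rules.append(Rule(
            num=int(f[0]), target=f[3], proto=f[4], in_if=f[6], out_if=f[7],
            src=ipaddress.ip_network(f[8]), dst=ipaddress.ip_network(f[9]),
            dport=int(dpt.group(1)) if dpt else None, extra=extra))
    return chains

def matches(rule: Rule, pkt: dict) -> bool:
    """Every match field of the rule must agree with the packet ('*' / 'all' = any)."""
    return ((rule.proto == "all" or rule.proto == pkt["proto"])
            and rule.in_if in ("*", pkt.get("in_if"))
            and rule.out_if in ("*", pkt.get("out_if"))
            and ipaddress.ip_address(pkt["src"]) in rule.src
            and ipaddress.ip_address(pkt["dst"]) in rule.dst
            and (rule.dport is None or pkt.get("dport") == rule.dport))

def evaluate(chain: Chain, pkt: dict):
    """First matching rule wins; with no match the default policy applies
    (a user-defined chain has none and returns to its caller instead)."""
    for rule in chain.rules:
        if matches(rule, pkt):
            return rule.target, rule.num
    return chain.policy or "RETURN", None

def audit(chains: dict) -> List[str]:
    """Two checks a defender wants: built-in chains that still accept by default,
    and rules shadowed by an identical earlier match, which can never be reached."""
    findings = []
    for chain in chains.values():
        if chain.policy == "ACCEPT":
            findings.append(f"{chain.name}: default policy ACCEPT, unmatched packets are let through")
        seen = {}
        for r in chain.rules:
            key = (r.proto, r.in_if, r.out_if, r.src, r.dst, r.dport)
            if key in seen:
                findings.append(f"{chain.name}: rule {r.num} ({r.target}) is shadowed by rule {seen[key]}")
            else:
                seen[key] = r.num
    return findings

if __name__ == "__main__":
    chains = parse_listing(SAMPLE_LISTING)
    ping = {"proto": "icmp", "src": "203.0.113.9", "dst": "10.0.0.2", "in_if": "eth0"}
    print(evaluate(chains["INPUT"], ping))  # ('ACCEPT', 2): the REJECT in rule 3 never fires
    for finding in audit(chains):
        print(finding)
```

Feeding it the article's own ruleset shows why `-I INPUT 2 -p icmp -j ACCEPT` matters: the ACCEPT inserted at position 2 is checked before the REJECT that was already in the chain, so the REJECT is unreachable, and because the INPUT policy is ACCEPT, any TCP packet that matches no rule is still let through. On a real host the same parser can be run over `iptables -vnL --line-numbers` output saved to a file.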