Linux Firewall Netfilter/iptables

I recently read some network security things and think that the world of the network is far less simple than we think. Last year, I simply read some simple rules for using iptables. Of course, I am only familiar with iptables, the purpose of writing this article is just a simple science popularization. Many things can only be simply mentioned, because there are too many things to list them one by one.

Iptables is a method used by Linux to process underlying network data. Many people refer to iptables as the firewall of Linux ), however, I think the most appropriate name should be Netfilter/iptables, which forms the true firewall of the Linux system and is used to filter IP information packets of the Linux system. Although the netfilter/iptablesIP information package filtering system is called a single entity, it actually consists of two components: netfilter and iptables. The netfilter component is also calledKernel space)Is a part of the kernel, which consists of some information packet filtering tables that contain the rule set used by the kernel to control information packet filtering. The iptables component is a tool, also known as userspace, which makes it easy to insert, modify, and remove rules from the information package filter table. If the Linux system is connected to the Internet or LAN, server, or a proxy server connected to the LAN and Internet, the system facilitates better control of IP packet filtering and firewall configuration on the Linux system.

Before iptables, you must mention Netfilter, which is part of the kernel. However, Netfilter is not provided by professional kernel development institutions. It is a project launched by an open-source organization in the Community www.netfilter.org, www.kernel.org regularly updates Netfilter patches and new features in the kernel and adds them to the kernel. Netfilter exists in the kernel as a module. If Netfilter has one more feature module, of course, firewall of Linux has one more feature. Now let's stop talking about these relationships. You can Google the content of these relationships.

The Netfilter module only provides some data packet filtering and matching functions. If we want Netfilter to do something, we must set some rules for it so that it can know that those packets must be discarded, those are forwarded, and those must be accepted. For Netfilter, it contains four tables: filter, nat, mangle, and raw. The specific usage of red energy is as follows:

Filter: is the most important mechanism in Netfilter. Its task is to Filter the execution package and is also the main function of the firewall.

Nat: the IP address sharing and forwarding proxy on the firewall. It can forward data at the IP address and port level. (At present, some of our labs and small companies basically use Nat technology to access the Internet, because a total of IP addresses are rare, and SNAT and DNAT technologies are used for packet forwarding and hiding IP addresses, here, you only need to have a simple concept)

Mangle: allows you to modify the content of data packets passing through the firewall.

Raw: accelerates the speed of packets passing through the firewall, thereby improving the firewall performance.

(If you do not understand the purpose at this time, we will discuss it later)

These four tables have structures and are chained data paths. Each table contains the following links:

Table Chain

Filter INPUT, FORWARD, OUTPUT.

Nat PREROUTING, POSTROUTING, OUTPUT

Mangle PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING

Raw PREROUTING, OUTPUT

The chain (which can be understood as the channel and level through which data packets pass) must be explained as follows:

INPUT type: refers to the data packets sent from other hosts on the network to the local machine, that is, the data of the local machine.

OUTPUT type: refers to the data packets generated when the local program accesses other hosts on the network, that is, the OUTPUT data.

FORWARD Type: when the local machine is used as the router, that is, the data packet passes through the local machine and such a packet is generated.

PREROUTING and POSTROUTING are also often used for NAT Gateway configuration for Network Address Translation (I can only briefly explain this, because after you understand it, you will know what it means, you can simply understand the data packets used by the bit nat technology through two channels ).

In Netfilter, each table has a corresponding module that restricts the data passing through the chain of the table (I may say this is a bit difficult ). Those modules are the underlying data processing programs written by developers. As a. ko file, they can be added to the kernel and put into use. (This can only be simply said here .)

Now let's talk about iptables. As mentioned above, Netfilter requires some rules to implement the functions we need. Here iptables is the operation tool for setting rules. These rules are created through iptables, and add it to the chain in the kernel space's specific information package filtering table to complete by providing the firewall with information packages from a source, to a destination or with a specific protocol type to do some commands, filter rule control information packages.

The general syntax of the command for adding, removing, and editing rules is as follows:

$ Iptables [-t table] command [match] [target]

The [-ttable] Option allows any table outside the standard table. A table is an information packet filtering table that contains rules and links that only process specific types of information packets. Three table options are available: filter, nat, and mangle. This option is not required. If not specified, the filter is used as the default table.

The filter table is used for filtering information packets. It contains the INPUT, OUTPUT, and FORWARD chains. The nat table is used to forward information packets. It contains PREROUTING, OUTPUT, and POSTROUTING chains. Use the mangle table if any changes are made to the information package and its header. This table contains rules to mark the information packages used for advanced routing. This table contains PREROUTING and OUTPUT chains.

Note:The PREROUTING chain is composed of rules that change a specified information package once it reaches the firewall, and the POSTROUTING chain is composed of rules that change a specified legitimate information package when it intends to leave the firewall.

The mandatory command section in the preceding command is the most important part of the iptables command. It tells the iptables command what to do, such as inserting rules, adding rules to the end of the chain, or deleting rules. The following are the most common commands:

-Or-- Append:This command attaches a rule to the end of the chain.
Example:

$ Iptables-a input-s 205.168.0.1-j ACCEPT

The command in this example attaches a rule to the end of the INPUT chain, and determines that the information package from the source address 205.168.0.1 can be ACCEPT.

-DOr-- Delete:Use-D to specify the rule to be matched or the location number of the rule in the chain to delete the rule from the chain. The following example shows the two methods.
Example:

$ Iptables-d input -- dport 80-j DROP
$ Iptables-d output 3

The first command deletes the rule from the INPUT chain, which specifies to DROP the information packet to port 80. The second command only deletes the rule 3 from the OUTPUT chain.

-POr-- Policy:This command sets the default target of the chain, that is, the policy. All information packages that do not match any rules in the chain will be forced to use the chain policy.
Example:

$ Iptables-P INPUT DROP

This command specifies the default target of the INPUT chain as DROP. This means that all information packets that do not match any rules in the INPUT chain will be discarded.

-NOr-- New-chain:Create a new chain with the name specified in the command.
Example:

$ Iptables-N allowed-chain

-FOr-- Flush:If the chain name is specified, this command deletes all rules in the chain. If the chain name is not specified, this command deletes all rules in all chains. This parameter is used for quick clearing.
Example:

$ Iptables-F FORWARD
$ Iptables-F

-LOr-- List:Lists All rules in a chain.
Example:

$ Iptables-L allowed-chain

The above rules are set for iptables. The match part specifies the characteristics (such as source and destination addresses and protocols) that the information package should have when matching the rules ). Matching can be divided into two categories:General matchAndProtocol-specific matching. Here, I will study generic matching that can be used for information packages that use any protocol.

-POr-- Protocol:This generic Protocol match is used to check certain protocols. The Protocol examples include a list of combinations of TCP, UDP, ICMP, and any three Protocols separated by commas (,) and ALL (for ALL protocols ). ALL is the default match. Available! Symbol, indicating that it does not match the item.
Example:

$ Iptables-a input-p TCP, UDP
$ Iptables-a input-p! ICMP

In the preceding example, both commands run the same task-they specify that all TCP and UDP packets will match the rule. By specifying! ICMP, we intend to allow all other protocols (in this case, TCP and UDP) and exclude ICMP.

-SOr-- Source:This source match is used to match the source IP address of the information package. This match can also be used to match IP addresses in a certain range! Symbol, indicating that it does not match this item. The default source match matches all IP addresses.
Example:

$ Iptables-a output-s 192.168.1.1
$ Iptables-a output-s192.168.0.0/24
$ Iptables-a output-s! 203.16.1.89

The second command specifies that the rule matches all information packets from the IP address range 192.168.0.0 to 192.168.0.24. The third command specifies that this rule will match any information package except the source address 203.16.1.89.

-DOr-- Destination:This destination match is used to match the destination IP addresses of the information package. This match can also be used to match IP addresses in a certain range! Symbol, indicating that it does not match this item.
Example:

$ Iptables-a input-d 192.168.1.1
$ Iptables-a input-d192.168.0.0/24
$ Iptables-a output-d! 203.16.1.89

The corresponding TARGET is the operation specified by the rule, and these operations are performed on the information packages that match the rule.

ACCEPT:When the information package exactly matches the rule with an ACCEPT target, it will be accepted (allow it to go to the destination ), and it will stop the traversal chain (although the information package may traverse other chains in another table and may be discarded there ). The target is specified as-jACCEPT.

DROP:When the information package exactly matches the rule with the DROP target, it will block the information package and will not be further processed. The target is specified as-jDROP.

REJECT:This target works in the same way as the DROP target, but it is better than DROP. Unlike DROP, REJECT does not leave dead sockets on the server and client. In addition, the REJECT sends the error message back to the sender of the information package. The target is specified as-jREJECT.
Example:

$ Iptables-a forward-p TCP -- dport 22-j REJECT

RETURN:The RETURN target set in the rule makes the information package matched by the rule stop traversing the chain containing the rule. If a chain is a main chain such as INPUT, use the Default policy of the chain to process information packets. It is specified as-jumpRETURN. Example:

$ Iptables-a forward-d 203.16.1.89-jump RETURN

(It should be noted that RETURN can be used in a custom rule chain, but Google is required ).

After creating basic rules and links, we need to save them to the kernel. However, after the system restarts, these rules will disappear. Of course, you can save the rule set to a file. AvailableServiceiptables saveCommand to save all the rules to/etc/sysconfig/iptables. then, use chkconfigiptables on to set the system. Now, all the rules in the information packet filtering table are saved in the file/etc/sysconfig/iptables. The firewall rule will exist whenever the system is booted again. But I don't think this is very good. Suppose every entry in your rule involves the-d192.168.0.100 condition. If this host changes the IP address, do you need to manually modify it? I recommend that you use a simple shell script to execute the shell file in the system startup script. In this way, we can use shell sed and other text editing tools for batch modification.

I don't know how to write this article because there is too much content. I think it is very bad and there is no way to explain many problems, I didn't take some actual operation images, let alone the details, SNAT, DNAT rules, mangle functions, and raw speed improvement (mentioned at the beginning) the reason is that it can reduce the nf_conntrack module's tracking of data packets (this module will connect and track the data packets that pass through firewall by default and record them to its database, all connections will be recorded in the/proc/net/nf_conntrack file) and many other things have not been mentioned. Of course, I just read it and understand the specific mechanism, maybe this is why it is confusing to write it here. Please try again later. I found a picture on the Internet that I think is most appropriate to the entire structure of Netfiler, which shows the process of data packets passing through each table chain in Netfilter, if you are interested in these things, take a look at the Google-related content.