Linux firewall strategy

Source: Internet
Author: User

    1. iptables command options

Option / target    Meaning
-t                 Specify the table (filter, nat, mangle, raw); filter is the default when -t is omitted
-n                 Numeric output: do not resolve addresses or ports to names
-L                 List the rules of a chain, or of the whole table when no chain is given
-A                 Append a rule to the end of a chain
-I                 Insert a rule at a given position (position 1, the first rule, by default)
-D                 Delete the specified rule, by rule spec or by rule number
-R                 Replace (modify) the rule at a given rule number
-P                 Set the default policy of a built-in chain (uppercase P)
-N                 Create a new user-defined chain
-E                 Rename a chain
-X                 Delete a user-defined chain
-p                 Match the protocol, e.g. tcp, udp, icmp (lowercase p)
-s                 Match the source address or network
--dport            Match the destination port (requires -p tcp or -p udp)
-j                 Action (target) to take when the rule matches
ACCEPT             Target: allow the packet
DROP               Target: discard the packet silently, without any reply
REJECT             Target: refuse the packet and send an error back to the sender

For example, the following basic operations:

iptables -t filter -nL                            # view the rules in the filter table
iptables -F                                       # flush all rules in the filter table; when no table is given with -t, filter is the default
service iptables save                             # save the current rules so they survive a restart
iptables -A INPUT -i lo -j ACCEPT                 # allow the loopback interface
iptables -A INPUT -p tcp --dport 22 -j ACCEPT     # allow access to port 22
iptables -A INPUT -s 172.25.254.231 -j ACCEPT     # allow host 172.25.254.231 to access all ports on this host
iptables -A INPUT -j REJECT                       # reject traffic from all other hosts; rules are matched top to bottom, so this must stay last
iptables -N redhat                                # add the chain redhat
iptables -E redhat westos                         # rename the chain redhat to westos
iptables -X westos                                # delete the chain westos
iptables -D INPUT 2                               # delete the second rule in the INPUT chain
iptables -I INPUT -p tcp --dport 80 -j REJECT     # insert a rule as the first rule of INPUT
iptables -R INPUT 1 -p tcp --dport 80 -j ACCEPT   # replace the first rule
iptables -P INPUT DROP                            # change the default policy of the INPUT chain to DROP

2. iptables firewall strategy

2.1 Speeding up packet handling with connection state

Only the first packet of a connection (state NEW) has to be matched against the per-service rules. Once that packet is accepted, every later packet of the same connection is matched by the RELATED,ESTABLISHED rule at the top of the chain and accepted without walking the rest of the list, which is why that rule comes first. The states used below:

NEW: the first packet of a connection, the one that opens it

RELATED: a packet that opens a new connection associated with an existing one, such as an FTP data connection or an ICMP error for a tracked flow

ESTABLISHED: a packet belonging to a connection that has already seen traffic in both directions

A simple firewall built this way:

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
iptables -A INPUT -j REJECT

The final REJECT catches everything the earlier rules did not accept, so the order matters: a rule appended after it is never reached. Note also that the port 53 rule only covers DNS over TCP; ordinary DNS queries use UDP port 53, which this list does not open.
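The ruleset above only protects you if the catch-all REJECT stays last and the SSH accept sits before it; a rule appended in the wrong order locks you out of a remote host. As an added example written for this page (not the post's own code), the following bash function audits the output of iptables -S INPUT for exactly that, and also treats a DROP default policy with no SSH accept as unsafe. The three listings it is run against are constructed samples, not captures from a real host.

```bash
#!/usr/bin/env bash
# Added example (editor's code, not from the original post): check an INPUT
# chain listing for the ordering mistake that locks you out of SSH when a
# stateful ruleset like the one above is built incrementally.
#
# Reads the output of `iptables -S INPUT` on stdin. Exit status 0 = safe,
# 1 = a catch-all REJECT/DROP (or a DROP default policy) would be hit before
# the RELATED,ESTABLISHED rule or before the rule accepting NEW tcp/22.
audit_input_chain() {
    awk '
        # A catch-all is a REJECT/DROP rule with no protocol, port, source,
        # interface or state selector: it matches everything that reaches it.
        function is_catchall(line) {
            return (line ~ /-j (REJECT|DROP)/) &&
                   (line !~ /(-p |--dport |-s |-i |--state |--ctstate )/)
        }
        /^-P INPUT DROP/ { drop_policy = 1 }
        /^-A INPUT/ {
            n++
            if ($0 ~ /--(state|ctstate) [A-Z,]*ESTABLISHED/ && $0 ~ /-j ACCEPT/) est = n
            if ($0 ~ /-p tcp/ && $0 ~ /--dport 22( |$)/ && $0 ~ /-j ACCEPT/) ssh = n
            if (is_catchall($0) && !catch) catch = n
        }
        END {
            # A DROP default policy behaves like a catch-all after the last rule.
            if (!catch && drop_policy) catch = n + 1
            if (!catch) { print "ok: nothing in INPUT rejects unmatched traffic"; exit 0 }
            if (!est || est > catch) { print "UNSAFE: RELATED,ESTABLISHED accept missing or after catch-all at rule " catch; exit 1 }
            if (!ssh || ssh > catch) { print "UNSAFE: NEW tcp/22 accept missing or after catch-all at rule " catch; exit 1 }
            print "ok: catch-all is rule " catch ", SSH accept is rule " ssh
            exit 0
        }'
}

# Constructed sample listings in the format `iptables -S INPUT` prints;
# they are not captured from a real host.
SAFE_INPUT='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable'

# Same rules, but the catch-all was appended before the SSH rule.
UNSAFE_INPUT='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT'

# DROP default policy and no SSH rule at all.
DROP_POLICY_NO_SSH='-P INPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT'

printf '%s\n' "$SAFE_INPUT" | audit_input_chain
printf '%s\n' "$UNSAFE_INPUT" | audit_input_chain
printf '%s\n' "$DROP_POLICY_NO_SSH" | audit_input_chain
```

On a live host run iptables -S INPUT | audit_input_chain before service iptables save. The check is deliberately conservative: it flags a chain with no SSH accept even on a box you manage from the console, and it accepts both the -m state and the -m conntrack spelling that newer iptables prints.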

2.2 SNAT firewall strategy

SNAT (source NAT) rewrites the source address of packets as they leave the server, which lets the server act as a gateway between the private network (the client side) and the external network (the 172.25.254.0/24 segment below). Hosts on the private segment reach the external network through the server, and the external network only ever sees the server's address.

Make the following configuration on the server

Give the server two NICs, one on each segment:
eth0: 172.25.254.231    (external segment)
eth1: 172.25.31.231     (private segment)

sysctl -a | grep ip_forward                           # 0 means the kernel does not forward packets between its interfaces
net.ipv4.ip_forward = 0
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf    # enable forwarding persistently
sysctl -p                                             # apply the setting now
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 172.25.254.231   # rewrite the source of packets leaving on the external interface to the server's external address; -o must name the interface that owns 172.25.254.231, which is eth0 with the addressing above

Make the following configuration on the client

On the client (172.25.31.131), set the gateway of the NIC on the private segment to 172.25.31.231, the server's eth1 address, so that its traffic for other networks goes through the server.

Test: without the SNAT rule the client cannot ping any address on the 172.25.254.0/24 segment except the server's own IP, because the hosts there have no route back to the private segment.

[Screenshot from 2017-08-19 09-41-32.png]

After the SNAT rule is in place the client can ping addresses on the 172.25.254.0/24 segment, and a capture on those hosts shows the traffic arriving from 172.25.254.231.

[Screenshot from 2017-08-19 10-04-49.png]

When the client connects to 172.25.254.31, that host shows the connection as coming from 172.25.254.231, not from the client's own address.

[Screenshot from 2017-08-19 10-08-05.png]

2.3 DNAT firewall strategy

DNAT (destination NAT) rewrites the destination address of packets arriving at the server, so a connection made to the server's address is delivered to another host of your choosing: the target address of the request is replaced by the other destination address.

iptables -t nat -A PREROUTING -i eth0 -j DNAT --to-destination 172.25.31.131   # whoever connects to the server's eth0 address is handed over to the client instead

This rule has no -p or --dport, so it redirects every packet that arrives on eth0, including SSH sessions meant for the server itself; on a real host restrict it with -p tcp --dport PORT. The replies come back because the client's gateway is the server (set up in 2.2) and the connection-tracking entry created by the DNAT rule reverses the translation on the way out.

Connect to the server from 172.25.254.31 and the session actually lands on 172.25.31.131, the client.

[Screenshot from 2017-08-19 10-10-45.png]
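The SNAT and DNAT setup of sections 2.2 and 2.3 as one reviewable script. This is an added example written for this page, not the post's own commands: the interfaces and addresses are the post's, while the FORWARD-chain accepts, the -s restriction on the SNAT rule and the narrowing of DNAT to a single port are additions, and the published port (80) is an assumption. Without arguments it only prints the plan; as root with the argument apply it executes it.

```bash
#!/usr/bin/env bash
# Added example (editor's code, not the original post's commands): the SNAT and
# DNAT gateway setup of sections 2.2 and 2.3 as one script. Interfaces and
# addresses come from the post; the FORWARD-chain rules, the -s restriction on
# SNAT and the narrowing of DNAT to one port are additions, and DNAT_PORT=80 is
# an assumption. Default action prints the plan; "apply" executes it as root.

EXT_IF=eth0; EXT_IP=172.25.254.231       # external segment (from the post)
INT_IF=eth1; INT_NET=172.25.31.0/24      # private segment behind the gateway (from the post)
DNAT_TARGET=172.25.31.131                # client that receives forwarded connections (from the post)
DNAT_PORT=80                             # assumption: the one service to publish

# run CMD...: print the command when DRY_RUN=1, otherwise execute it.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Packet forwarding is off by default; turn it on now and persist it in CONF.
enable_forwarding() {
    conf=${1:-/etc/sysctl.conf}
    grep -q '^net.ipv4.ip_forward *= *1' "$conf" 2>/dev/null ||
        run sh -c "echo 'net.ipv4.ip_forward = 1' >> '$conf'"
    run sysctl -w net.ipv4.ip_forward=1
}

snat_rules() {
    # Translate only the private segment, and only on the interface that owns
    # EXT_IP: SNAT on the wrong -o interface silently does nothing useful.
    run iptables -t nat -A POSTROUTING -s "$INT_NET" -o "$EXT_IF" -j SNAT --to-source "$EXT_IP"
    # If the FORWARD policy is DROP, forwarded flows still need explicit accepts.
    run iptables -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$INT_NET" -m state --state NEW -j ACCEPT
    run iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
}

dnat_rules() {
    # Match one protocol and port. A PREROUTING DNAT with no -p/--dport, as in
    # section 2.3, rewrites every packet arriving on the external interface,
    # including SSH sessions to the gateway itself.
    run iptables -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport "$DNAT_PORT" \
        -j DNAT --to-destination "$DNAT_TARGET:$DNAT_PORT"
    run iptables -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp -d "$DNAT_TARGET" \
        --dport "$DNAT_PORT" -m state --state NEW -j ACCEPT
}

# nat_plan: print every command the setup would issue, touching nothing.
# The sysctl file is read from /dev/null so the plan is the same on any host.
nat_plan() {
    ( DRY_RUN=1; enable_forwarding /dev/null; snat_rules; dnat_rules )
}

case "${1:-}" in
    apply) enable_forwarding; snat_rules; dnat_rules ;;
    *)     nat_plan ;;
esac
```

The client still needs the server's eth1 address as its gateway, as in 2.2; the script only covers the gateway side. Review the printed plan first: the two -t nat lines are the post's SNAT and DNAT, the three FORWARD lines are what the post omits and what you will miss the moment the FORWARD policy is set to DROP.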

3. firewalld firewall strategy

3.1 Classification of firewalld zones

drop       Any incoming packet is dropped without any response; only outgoing connections are possible.
block      Any externally initiated connection is rejected with an ICMP prohibited message; only connections initiated from this system are allowed.
public     For use in public areas; only selected incoming connections are accepted (ssh and dhcpv6-client by default).
external   For use on external networks with masquerading enabled, especially for routers: outgoing IPv4 connections are masqueraded and only selected incoming connections are accepted (ssh).
dmz        For computers in a demilitarized zone that are publicly reachable with limited access to the internal network; only selected incoming connections are accepted (ssh).
work       For use in work areas; only selected incoming connections are accepted (ssh, ipp-client and dhcpv6-client by default).
home       Same idea, for home networks; by default also accepts mdns and samba-client.
internal   Same idea, for internal networks; same defaults as home.
trusted    All network connections are accepted.

A zone is chosen per interface or per source address; the default zone applies to every interface not assigned elsewhere.

3.2 Adding a basic firewall policy through the zone files

The file /etc/firewalld/zones/public.xml records the services opened in the public zone. For example:

firewall-cmd --list-all
public (default, active)
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

cat /etc/firewalld/zones/public.xml      # the file behind the listing above
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
  <service name="http"/>
</zone>

As listed, the zone only allowed ssh and dhcpv6-client; to open another service such as http, add a line like the last one directly to this file. After the file is changed, firewall-cmd --reload makes firewalld reread the zone files in this directory, and the http service is opened.

The directory /usr/lib/firewalld/services/ holds a configuration file for each predefined service; they are not all listed here, http serves as the example:

ls -l /usr/lib/firewalld/services/ | grep http
-rw-r-----. 1 root root 448 Feb 28 2014 https.xml
-rw-r-----. 1 root root 353 Feb 28 2014 http.xml
-rw-r-----. 1 root root 310 Feb 28 2014 wbem-https.xml
cat /usr/lib/firewalld/services/http.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>WWW (HTTP)</short>
  <description>HTTP is the protocol used to serve Web pages. If you plan to make your Web server publicly available, enable this option. This option is not required for viewing pages locally or developing web pages.</description>
  <port protocol="tcp" port="80"/>
</service>

The service file names the port and the protocol that http uses, which is what the zone opens when the service is added.

Basic firewall-cmd operations:

firewall-cmd --get-zones                                   # list the zones
rol block dmz drop external home internal public trusted work
firewall-cmd --set-default-zone=trusted                    # change the default zone
success
firewall-cmd --list-all                                    # view the policy of the default (active) zone
trusted (default, active)
  interfaces: eth0
  sources:
  services:
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
firewall-cmd --reload                                      # reload the permanent configuration; established connections are kept
success
firewall-cmd --complete-reload                             # full reload that also drops connection-tracking state, so active connections are cut
success
firewall-cmd --permanent --add-port=8080/tcp               # permanently open TCP port 8080 in the default zone; --permanent changes only the saved configuration and needs --reload to take effect
success
firewall-cmd --permanent --add-source=172.25.254.231 --zone=trusted   # put 172.25.254.231 in the trusted zone, i.e. accept all requests from it
success
firewall-cmd --permanent --add-interface=eth0 --zone=public           # permanently bind the eth0 NIC to the public zone
success
firewall-cmd --permanent --remove-rich-rule="rule family=ipv4 source address=172.25.254.31 forward-port port=22 protocol=tcp to-port=22 to-addr=172.25.254.131"   # permanently delete a rich rule
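A service that is not predefined is added the same way http.xml above is defined. As an added example written for this page (not the post's code), the following script writes such a service file and reads back what a zone file opens; the service name myapp, its port 8080, the descriptions and the temporary directory it demonstrates with are assumptions, and the zone file it parses is a constructed copy of the public.xml above.

```bash
#!/usr/bin/env bash
# Added example (editor's code, not from the original post): define a custom
# firewalld service the way the stock http.xml in 3.2 is defined, and read
# back what a zone file opens. Service name "myapp", port 8080 and the
# descriptions are assumptions for the demo. Files go to /etc/firewalld/services
# by default, which firewalld reads in preference to the package-owned
# /usr/lib/firewalld/services, so the stock files are never edited.

# write_service_xml NAME PORT PROTO DESCRIPTION [DIR]
write_service_xml() {
    name=$1; port=$2; proto=$3; desc=$4; dir=${5:-/etc/firewalld/services}
    case "$port" in
        ''|*[!0-9]*) echo "write_service_xml: port must be numeric, got '$port'" >&2; return 1 ;;
    esac
    case "$proto" in
        tcp|udp) ;;
        *) echo "write_service_xml: protocol must be tcp or udp, got '$proto'" >&2; return 1 ;;
    esac
    cat > "$dir/$name.xml" <<EOF
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>$name</short>
  <description>$desc</description>
  <port protocol="$proto" port="$port"/>
</service>
EOF
}

# zone_services ZONEFILE: print the service names a zone XML opens, one per line.
zone_services() {
    sed -n 's/.*<service name="\([^"]*\)".*/\1/p' "$1"
}

# service_ports SERVICEFILE: print each port of a service definition as proto/port.
service_ports() {
    sed -n 's/.*<port protocol="\([^"]*\)" port="\([^"]*\)".*/\1\/\2/p' "$1"
}

demo() {
    tmp=$(mktemp -d)
    write_service_xml myapp 8080 tcp "Example application (assumed)" "$tmp"
    # Constructed copy of the public.xml shown in 3.2, after http was added.
    cat > "$tmp/public.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
  <service name="http"/>
</zone>
EOF
    echo "public zone opens: $(zone_services "$tmp/public.xml" | tr '\n' ' ')"
    echo "myapp opens: $(service_ports "$tmp/myapp.xml")"
    echo "on a real host: firewall-cmd --reload && firewall-cmd --permanent --add-service=myapp && firewall-cmd --reload"
    rm -rf "$tmp"
}

demo
```

The first reload in the printed command makes firewalld pick up the new file, --permanent --add-service writes the service into the zone file exactly like the manual http edit above, and the second reload activates it. The description is written into the XML unescaped, so keep it to plain text.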

3.3 Adding firewall policy with the direct rules tool

firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 ! -s 172.25.254.231 -p tcp --dport 22 -j ACCEPT
success

This accepts TCP connections to port 22 from every host except 172.25.254.231. It does not reject that host: the rule simply does not match it, so its packets fall through to the zone's normal rules and this rule has no effect on it. The fields after the priority (0) are passed to iptables almost verbatim, and direct rules are evaluated before the zone rules.

3.4 firewalld rich rules (the firewalld equivalent of the iptables SNAT and DNAT above, which are therefore not repeated here)

firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=172.25.254.231 masquerade'
success
# masquerade traffic coming from 172.25.254.231, i.e. rewrite its source to the address of the interface it leaves on, as SNAT did in 2.2

firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=172.25.254.31 forward-port port=22 protocol=tcp to-port=22 to-addr=172.25.254.131'
success
# forward TCP port 22 requests coming from 172.25.254.31 to port 22 on 172.25.254.131, as DNAT did in 2.3; forwarding to another host requires masquerading to be enabled in the zone, and --permanent rules take effect after firewall-cmd --reload


This article is from the "13122323" blog, please be sure to keep this source http://13132323.blog.51cto.com/13122323/1957669
