Linux iptables Configuration

Source: Internet
Author: User

Firewall types
Hardware firewall
Software firewall:
Application-layer firewall
Network-layer firewall: the Linux packet-filtering firewall
Linux packet-filtering firewall
netfilter: the packet-filtering framework inside the Linux kernel, the "kernel-space" part of the Linux firewall
iptables: the rule-management tool at /sbin/iptables, the "user-space" part of the Linux firewall

iptables table and chain structure:
—————————————————————————————
raw table   | mangle table | nat table   | filter table
PREROUTING  | PREROUTING   | PREROUTING  | INPUT
OUTPUT      | INPUT        | OUTPUT      | FORWARD
            | FORWARD      | POSTROUTING | OUTPUT
            | OUTPUT       |             |
            | POSTROUTING  |             |
—————————————————————————————
(Within each chain the rules are numbered from 1 in the order they are checked: rule 1, rule 2, ...)
Rule tables:
Purpose of a table: to hold chains of rules with the same function
Tables are classified by the function of the firewall rules they hold
There are four rule tables:
raw table: decides whether a packet is subject to connection-state tracking
mangle table: sets marks on packets
nat table: rewrites the source/destination address or port of a packet
filter table: decides whether a packet is allowed through

Rule chains:
Purpose of a chain: to hold firewall rules
Chains are classified by the point at which the packet is processed
There are five built-in rule chains by default:
INPUT: packets addressed to the local host
OUTPUT: packets sent by the local host
FORWARD: packets passing through the host
POSTROUTING: processed after routing
PREROUTING: processed before routing

Packet-filtering matching process
Order between the rule tables:
raw -> mangle -> nat -> filter
Order between the rule chains:
Inbound: PREROUTING -> INPUT
Outbound: OUTPUT -> POSTROUTING
Forwarded: PREROUTING -> FORWARD -> POSTROUTING
Matching order within a chain:
Rules are checked in sequence; matching stops at the first rule that matches (except LOG)
If no rule matches, the chain's default policy is applied
——————————————————————————————————————————
iptables basic usage
Program location: /sbin/iptables
Notes / general rules
If no table is specified, the filter table is assumed
If no chain is specified, the command applies to all chains of that table
Unless you are setting a default policy, you must specify a match condition
Management options, chain names and target actions are written in uppercase; everything else is lowercase
Command syntax
iptables [-t table] option [chain] [condition] [-j target]
-p: protocol number or protocol name
iptables -t filter -A INPUT -p tcp -j ACCEPT    (append a rule at the end that lets TCP through)
iptables -t filter -I INPUT -p udp -j ACCEPT
iptables -t filter -I INPUT 2 -p icmp -j ACCEPT
iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere

Basic target actions
ACCEPT: allow the packet through
DROP: discard silently, without any response
REJECT: refuse the packet, sending an error response where appropriate
LOG: record the packet in the log, then continue with the next rule (the one exception to "stop at the first match")

Setting the default policy
The initial default policy of every chain is ACCEPT; it can be changed with the -P option
to ACCEPT or DROP
iptables -t filter -P INPUT DROP

Common management options:
——————————————————————————————————————
Category        | Option         | Purpose
Add rule        | -A             | append a rule to the end of the chain
                | -I             | insert a rule at the beginning of the chain (or at a given rule number)
View rules      | -L             | list all rules
                | -n             | show addresses, ports, etc. in numeric form
                | --line-numbers | show each rule's number when listing
Delete rule     | -D             | delete the rule with the given number (or content) from the chain
                | -F             | flush all rules
Default policy  | -P             | set the default policy of the given chain
——————————————————————————————————————
Filter table control
Host and network protection, distinguished by what is protected (the local host or other hosts)
Host-based firewall
Outbound data -> firewall
Inbound data -> firewall

Network-based firewall
Forwarded data -> firewall

Basic match criteria
Generic matches:
Can be used directly, without depending on other conditions or extension modules
Include the network protocol, IP address, network interface and similar conditions
Implicit matches:
Require a specific protocol match as a precondition
Include ports, TCP flags and ICMP types

———————————————————————————————————
Category          | Option
Generic matches   | protocol match: -p protocol-name
                  | address match: -s source-address, -d destination-address
                  | interface match: -i receiving interface, -o sending interface
Implicit matches  | port match: --sport source-port, --dport destination-port
                  | ICMP type match: --icmp-type ICMP-type
                  | TCP flag match: --tcp-flags, checks which flag bits are set
———————————————————————————————————
(To negate a condition, prefix it with an exclamation mark: !)
Examples:
Block remote access (SSH) from client 174.16.16.120 to the local host
iptables -t filter -A INPUT -s 174.16.16.120 -p tcp --dport 22 -j DROP
Block client 174.16.16.120 from reaching any service on SVR5 (192.168.4.30)
iptables -t filter -A FORWARD -s 174.16.16.120 -d 192.168.4.30 -j DROP

Protecting specific network services
Restrict access to a range of service ports
iptables -t filter -A FORWARD -s 174.16.16.120 -p tcp --dport 20:50 -j DROP
(a consecutive port range is written with a colon)

Examples
Allow access to the web service
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
Allow access to the FTP service
iptables -A INPUT -p tcp --dport 20:21 -j ACCEPT
Allow the 174.16.16.0/24 network to log in to 192.168.4.30 over SSH
iptables -A INPUT -s 174.16.16.0/24 -p tcp --dport 22 -j ACCEPT
Deny all other inbound access
iptables -P INPUT DROP
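To make the matching order concrete, here is a small Python model of one chain, written for this page as an added example (it is not iptables code and does not touch the kernel). It encodes the INPUT rules just built (web, FTP, SSH from 174.16.16.0/24, default policy DROP), adds a LOG rule to show that LOG does not end matching, runs constructed sample packets through the chain, and shows why a rule inserted with -I at the top shadows a later ACCEPT. The 10.0.0.5 source address and the packet dictionaries are made up for the example.

```python
import ipaddress

# Toy evaluator of a single iptables chain. A rule is a dict of conditions plus a
# "target"; the conditions cover a subset of iptables matches: proto, src (CIDR),
# dport (int or (low, high) range) and state (set of conntrack states). A key
# prefixed with "!" negates the condition, like "!" on the iptables command line.

def _condition_holds(field, want, pkt):
    have = pkt.get(field)
    if have is None:
        return False
    if field == "src":
        return ipaddress.ip_address(have) in ipaddress.ip_network(want, strict=False)
    if field == "dport":
        low, high = want if isinstance(want, tuple) else (want, want)
        return low <= have <= high
    if field == "state":
        return have in want
    return have == want

def rule_matches(rule, pkt):
    for key, want in rule.items():
        if key == "target":
            continue
        negate = key.startswith("!")
        holds = _condition_holds(key.lstrip("!"), want, pkt)
        if holds == negate:          # condition failed, or a negated condition held
            return False
    return True

def evaluate_chain(rules, policy, pkt):
    """Walk the chain top to bottom. The first matching rule with a terminating
    target decides; LOG records the packet and keeps matching; if nothing matches
    the chain's default policy applies. Returns (verdict, log_lines)."""
    log = []
    for number, rule in enumerate(rules, start=1):
        if not rule_matches(rule, pkt):
            continue
        if rule["target"] == "LOG":
            log.append(f"rule {number} LOG: {pkt}")
            continue
        return rule["target"], log
    return policy, log

# The INPUT chain built above: web, FTP, SSH from 174.16.16.0/24, then policy DROP.
# The trailing LOG rule is an addition for the example, to show LOG does not stop matching.
INPUT_RULES = [
    {"proto": "tcp", "dport": 80, "target": "ACCEPT"},
    {"proto": "tcp", "dport": (20, 21), "target": "ACCEPT"},
    {"proto": "tcp", "src": "174.16.16.0/24", "dport": 22, "target": "ACCEPT"},
    {"proto": "tcp", "dport": 22, "target": "LOG"},
]
INPUT_POLICY = "DROP"

# Constructed sample packets (the 10.0.0.5 address is made up for the example).
SAMPLE_PACKETS = {
    "web from anywhere":    {"proto": "tcp", "src": "10.0.0.5", "dport": 80},
    "ssh from allowed net": {"proto": "tcp", "src": "174.16.16.120", "dport": 22},
    "ssh from elsewhere":   {"proto": "tcp", "src": "10.0.0.5", "dport": 22},
    "dns query (udp)":      {"proto": "udp", "src": "10.0.0.5", "dport": 53},
}

def run_ruleset(rules=INPUT_RULES, policy=INPUT_POLICY, packets=SAMPLE_PACKETS):
    """Return {packet name: (verdict, number of LOG lines)} for each sample packet."""
    results = {}
    for name, pkt in packets.items():
        verdict, log = evaluate_chain(rules, policy, pkt)
        results[name] = (verdict, len(log))
    return results

def insert_at_top(rules, rule):
    """Model 'iptables -I CHAIN ...': a rule inserted first is checked first."""
    return [rule] + list(rules)

if __name__ == "__main__":
    for name, result in run_ruleset().items():
        print(f"{name:22} -> {result}")
    # A blanket tcp/22 DROP inserted at the top now shadows the allow rule below it.
    shadowed = insert_at_top(INPUT_RULES, {"proto": "tcp", "dport": 22, "target": "DROP"})
    print("after -I DROP:", run_ruleset(shadowed)["ssh from allowed net"])
```

The SSH packet from outside 174.16.16.0/24 hits the LOG rule, which records it and lets matching continue, and then falls through to the DROP policy; the same packet from 174.16.16.120 is accepted by rule 3 before the LOG rule is reached. The last lines show the practical difference between -A and -I: once a DROP for tcp/22 sits above the ACCEPT, the ACCEPT is never consulted.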

Policies for blocking ping
Temporary:
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
or
sysctl -w net.ipv4.icmp_echo_ignore_all=1
Permanent:
vim /etc/sysctl.conf
net.ipv4.icmp_echo_ignore_all=1

Allow the local host to ping other hosts, but stop other hosts from pinging it
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
iptables -A INPUT -p icmp ! --icmp-type echo-request -j ACCEPT

Extended matches
Prerequisite: the corresponding kernel module is available
Basic usage:
-m extension-module --extended-condition value
Example: -m mac --mac-source 00:0c:29:74:be:21
Common extended conditions
—————————————————————————————————
Category             | Option
State match          | -m state --state state-value
MAC address match    | -m mac --mac-source MAC-address
Multi-port match     | -m multiport --sport source-port-list (long form --sports)
                     | -m multiport --dport destination-port-list (long form --dports)
IP range match       | -m iprange --src-range ip1-ip2
                     | -m iprange --dst-range ip1-ip2
—————————————————————————————————

Packet state tracking
The five connection states
NEW: a packet that requests a new connection; it belongs to no known connection
ESTABLISHED: a packet belonging to a connection that has been, or is being, established
RELATED: a packet associated with an existing connection (for example an FTP data connection)
INVALID: a packet that belongs to no known connection or is otherwise invalid
UNTRACKED: a packet that is exempt from connection tracking

Discarding unexpected TCP response packets
Against bounce (reflection) attacks: a NEW connection must begin with a SYN
iptables -A INPUT -m state --state NEW -p tcp ! --syn -j DROP
iptables -A FORWARD -m state --state NEW -p tcp ! --syn -j DROP

Forwarding FTP connections through iptables
To let passive-mode data packets through,
load the connection-tracking helper module nf_conntrack_ftp
modprobe -a nf_conntrack_ftp

Securing communication for the internal network
Allow intranet hosts to reach services on the external network
iptables -A FORWARD -s 192.168.4.0/24 -o eth0 -j ACCEPT
iptables -A FORWARD -d 192.168.4.0/24 -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT    (return traffic for those connections)
Block the external network from initiating connections into the intranet
iptables -A FORWARD -d 192.168.4.0/24 -i eth0 -m state --state NEW -j DROP
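A small audit script for rulesets like the ones on this page, as an added example (it is not part of the original page and not an iptables tool): it parses iptables-save output and checks the three points made above: a restrictive default policy on INPUT and FORWARD, ESTABLISHED,RELATED accepted before NEW is dropped, and SSH not accepted from every source. The dump below is constructed for the example; its FORWARD rules mirror the intranet/extranet rules above, while the INPUT rule and the ACCEPT policies are deliberately loose so the audit has something to report.

```python
import shlex

# Constructed iptables-save dump (not taken from any real host). The FORWARD rules
# mirror the intranet/extranet examples above; the INPUT rule and ACCEPT policies are
# intentionally weak so that audit() below produces findings.
SAMPLE_SAVE = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -s 192.168.4.0/24 -o eth0 -j ACCEPT
-A FORWARD -d 192.168.4.0/24 -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -d 192.168.4.0/24 -i eth0 -m state --state NEW -j DROP
COMMIT
"""

def parse_rule(line):
    """Turn one '-A CHAIN ...' line into {"chain", "opts", "negated"}. An option's value
    is a string, a tuple when it takes several tokens, or True when it takes none.
    A repeated option (e.g. two -m modules) keeps the last value; enough for this audit."""
    argv = shlex.split(line)
    rule = {"chain": argv[1], "opts": {}, "negated": set()}
    i, negate = 2, False
    while i < len(argv):
        tok = argv[i]
        if tok == "!":                      # "! --syn" style: negation applies to the next option
            negate, i = True, i + 1
            continue
        vals, i = [], i + 1
        while i < len(argv) and argv[i] != "!" and not argv[i].startswith("-"):
            vals.append(argv[i])
            i += 1
        rule["opts"][tok] = vals[0] if len(vals) == 1 else (tuple(vals) if vals else True)
        if negate:
            rule["negated"].add(tok)
        negate = False
    return rule

def parse_save(text):
    """Parse iptables-save output into {table: {"policies": {chain: policy}, "rules": [...]}}."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):            # "*filter" opens a table
            table = line[1:]
            tables[table] = {"policies": {}, "rules": []}
        elif line.startswith(":"):          # ":INPUT DROP [0:0]" declares a chain and its policy
            chain, policy = line[1:].split()[:2]
            tables[table]["policies"][chain] = policy
        elif line.startswith("-A "):
            tables[table]["rules"].append(parse_rule(line))
        elif line == "COMMIT":
            table = None
    return tables

def _states(opts):
    # Older systems write "-m state --state X", newer ones "-m conntrack --ctstate X".
    value = opts.get("--state") or opts.get("--ctstate") or ""
    return set(value.split(",")) if isinstance(value, str) else set()

def audit(tables):
    """Return a list of findings for the filter table, following the guidance on this page."""
    findings = []
    filt = tables.get("filter")
    if filt is None:
        return ["no filter table present"]
    for chain in ("INPUT", "FORWARD"):
        if filt["policies"].get(chain) == "ACCEPT":
            findings.append(f"{chain}: default policy is ACCEPT, so unmatched traffic is allowed")
    rules = filt["rules"]
    for number, rule in enumerate(rules, start=1):
        opts = rule["opts"]
        if opts.get("-j") == "DROP" and "NEW" in _states(opts):
            # Return traffic must already be accepted by an earlier rule in the same chain,
            # otherwise replies to intranet-initiated connections are dropped too.
            earlier_ok = any(e["chain"] == rule["chain"] and e["opts"].get("-j") == "ACCEPT"
                             and "ESTABLISHED" in _states(e["opts"]) for e in rules[:number - 1])
            if not earlier_ok:
                findings.append(f"{rule['chain']} rule {number}: NEW is dropped before "
                                "ESTABLISHED,RELATED is accepted")
        if opts.get("-j") == "ACCEPT" and opts.get("--dport") == "22" and "-s" not in opts:
            findings.append(f"{rule['chain']} rule {number}: SSH (tcp/22) is accepted from any source")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_save(SAMPLE_SAVE)):
        print(finding)
```

Run against a real host, `iptables-save` output can be fed to parse_save() directly. On the constructed dump the audit reports the two ACCEPT policies and the unrestricted SSH rule, and stays silent on the FORWARD chain because the ESTABLISHED,RELATED accept precedes the NEW drop; swapping those two lines makes the ordering finding appear.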
