Firewall (iptables)
Section 1
-----------------------Understanding firewalls
Netfilter and iptables
What is netfilter? It is the packet-filtering framework built into the Linux kernel, and iptables is the user-space tool that manages it. Keep that relationship straight: netfilter does the filtering, iptables only writes the rules it enforces.
A firewall holds many policies (rules), all of which the administrator can define, mostly for security. When the firewall is turned on, most services are blocked by default. On RHEL/CentOS you can open the graphical front end with system-config-firewall.
There you can see that the firewall is enabled and that none of the listed services are ticked by default. In other words, when you set up a service on the server it is blocked by the firewall until you allow it, and other machines cannot reach it.
The graphical tool can also "close" the firewall.
Tick Disabled, then click Apply; the change only takes effect after Apply.
Note: "close" is in quotes for a reason. Stopping an ordinary service really stops it. "Closing" the firewall only flushes every rule and sets the default policy to ACCEPT, so it now lets everything through, but the filtering function itself is not gone, because iptables rules are enforced by the netfilter code inside the kernel.
Section 2
---------------------Getting into iptables
iptables is made up of tables, each containing chains: the three tables covered here are filter, nat and mangle (newer releases also add raw and security). A chain is an ordered list of rules inside a table, so when we write policy we are writing rules into a chain of a particular table.
filter
First, the filter table, which is used to filter packets.
It has three built-in chains, INPUT, OUTPUT and FORWARD (plus any custom chains you create).
INPUT chain: filters packets whose destination is this host. When packets are sent to us, we write rules on the INPUT chain to decide what happens to them.
OUTPUT chain: filters packets whose source is this host. When a packet leaves this machine, we write rules on the OUTPUT chain to act on it.
FORWARD chain: filters packets that merely pass through this host, that is, packets whose source and destination are both other machines and which this host is routing.
You can list it with iptables -t filter -L.
Note that the table does not have to be specified when listing, because filter is assumed whenever no table is given.
Section 3
--------------------------Understanding how the three chains relate
In the packet-flow diagram (a screenshot in the original post), a packet entering the host reaches a routing decision, drawn as a diamond: if it is to be forwarded it goes down the FORWARD chain, if it is addressed to this host it goes down the INPUT chain. The diagram explains a lot by itself, so the details are not repeated here.
The main thing to note is that the three chains are three separate doors, and people sometimes confuse FORWARD with INPUT. They ask: if INPUT rejects a packet but FORWARD allows it, how can my packet get through? Was it not already rejected by INPUT? That is not how it works. A given packet goes through exactly one of INPUT or FORWARD, and routing decides which before any rule is checked. Closing the INPUT door does not close the FORWARD door: a packet being routed through the host is judged only by FORWARD, and if it matches an ACCEPT rule there it passes.
Section 4
----------------------------The action (target) of a rule
Every rule we write has an action: for a packet walking the INPUT chain, if it matches, do we drop it or let it through? That action is what we call the rule's target.
The main targets are ACCEPT, DROP, REJECT, LOG and a user-defined chain.
ACCEPT: packets that match the rule are allowed through.
DROP: discards the packet silently, returning nothing to the sender.
REJECT: discards the packet but sends back an error (an ICMP unreachable by default, or a TCP RST with --reject-with tcp-reset), so the sender learns it was refused.
LOG: writes the matching packet to the kernel log (like a gatekeeper writing down who came in).
Understand LOG first: it does nothing to the packet, it only records it (through syslog, usually in /var/log/messages). If a LOG rule is followed by other rules, a packet that matches the LOG rule is logged and then continues to the next rule, where it can still be accepted or dropped. LOG is non-terminating; remember it is only for recording.
Section 5
----------------------------Configuration commands for the firewall
To configure the firewall:
There is a fixed format:
iptables -t <table> <chain operation> <chain> <match conditions> -j <target>
Parameter description:
-t (table) specifies the table
Parameters that operate on a chain
-A (append): the rule is added at the end of the chain
-I (insert): inserts the rule; with no number it goes in front of every existing rule in the chain, and to put it at a specific row you give the position, e.g.
iptables -t filter -I INPUT 2 ... which makes it rule number 2 (the old rule 2 becomes rule 3).
Note: packets are matched against the rules of a chain in order, from the top down, and the first rule that matches decides.
If the first rule denies the 192.168.0.0/24 network access to FTP and a later rule allows 192.168.0.1, then 192.168.0.1 still cannot connect, because the earlier rule already rejected the whole segment it belongs to. So always pay attention to rule order.
-L (list) shows the rules: to see the filter table, iptables -t filter -L; add -v to include packet and byte counters and interface names, and -n to print addresses and ports numerically instead of resolving them (the original post shows a screenshot of the output with -vn).
-F (flush) removes all rules, but only the rules in the given table (or chain); it cannot remove a chain's default policy. What is the default policy of a chain?
It is shown in the header of each chain in the -L output, e.g. Chain INPUT (policy ACCEPT).
That is the chain's default policy, ACCEPT here. The default policy is always applied last: only when a packet has matched none of the rules in the chain does the default policy decide, and of course it can be changed.
-P <chain> <action> changes a chain's default policy
for example: iptables -t filter -P INPUT DROP
This changes the default policy of the INPUT chain to DROP.
So how do we clear (restore) a chain's default policy?
Set it back explicitly with iptables -P INPUT ACCEPT, or on RHEL/CentOS 6 run service iptables stop, which flushes all rules and resets every chain's default policy to ACCEPT.
-Z zeroes the counters: every rule shows pkts and bytes columns in the -v listing, and -Z resets them to 0.
-D (delete) deletes a rule. You specify which rule by its number, and rules are numbered from the top of the chain down, starting at 1.
We specify it on deletion like this: iptables -t filter -D INPUT 1, which deletes the first rule. (You can also repeat the full rule specification instead of giving the number.)
When listing, add --line-numbers to see each rule with its number.
Match condition parameters (note that these are lowercase; the uppercase -I, -D and -P above are chain operations, so -i is not -I, -d is not -D and -p is not -P):
-i <interface> the network interface the packet came in on
-o <interface> the network interface the packet goes out on
-s <IP> source IP (a single address or a network such as 192.168.0.0/24)
-d <IP> destination IP
-p <protocol> protocol (tcp, udp, icmp, ...)
--dport <port> destination port number
--sport <port> source port number
Here are some examples to understand each parameter:
1. Deny PCs on the 192.168.0.0/24 segment access to our HTTP service
iptables -t filter -A INPUT -s 192.168.0.0/24 -p tcp --dport 80 -j REJECT
When writing this, be sure to pick the right chain: others are visiting us, so the chain is INPUT.
2. Allow 192.168.1.1 to access our FTP service
iptables -t filter -A INPUT -s 192.168.1.1 -p tcp --dport 21 -j ACCEPT
3. Allow everything from the host to itself. Local access goes over the loopback interface, so:
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
Pay special attention here: iptables rules live only in kernel memory, so after a reboot they are gone. Run service iptables save so that your rules are written to /etc/sysconfig/iptables (the same format iptables-save produces) and reloaded at boot.
Section 6
----------------------------Some details and parameters of iptables
1. Use of "!": "!" negates the match that follows it
iptables -A INPUT ! -s 192.168.0.1 -p tcp --dport 21 -j REJECT
This means everyone except 192.168.0.1 is refused access to the local FTP service.
2. Ports: to match a port you must first give the protocol (-p tcp or -p udp), otherwise the port option is an error; port options belong to the protocol match.
iptables -A INPUT -s 192.168.0.1 -p tcp --dport 20:80 -j ACCEPT
This allows 192.168.0.1 to reach TCP ports 20 through 80.
iptables -A INPUT -s 192.168.0.1 -p tcp -m multiport --dports 20,21 -j REJECT
This refuses 192.168.0.1 on ports 20 and 21 (multiport takes a comma-separated list; it too needs -p tcp or -p udp in front of it).
3. To refuse ping, note that ICMP has no ports, so the match is different:
iptables -A INPUT -s 192.168.0.1 -p icmp --icmp-type 8 -j REJECT
(ICMP type 8 is echo-request; --icmp-type echo-request is the same rule.)
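The rules from Sections 5 and 6 assembled into one script, in the order the first-match rule requires. This is an added example, not a script from the original post: it uses the post's lab addresses (192.168.0.0/24, 192.168.0.1, 192.168.1.1), assumes the RHEL/CentOS 6 persistence file /etc/sysconfig/iptables, and the port 8000:8080, multiport and 192.168.0.99 entries are hypothetical additions chosen to show the syntax. Setting DRY_RUN=1 prints the commands instead of executing them, so the ordering can be checked without root.

```shell
#!/bin/sh
# Added example: the Section 5/6 rules assembled in the correct order.
# Run "sh firewall.sh apply" as root to apply; DRY_RUN=1 only prints the commands.
# Addresses are the lab values from the post; the 8000:8080, multiport and
# 192.168.0.99 entries are hypothetical additions to show the syntax.
IPT=${IPT:-iptables}

# run CMD...: execute the command, or print it when DRY_RUN is set
run() {
  if [ -n "${DRY_RUN:-}" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

apply_baseline() {
  # Start clean: flush every chain in the filter table and zero the counters.
  run "$IPT" -t filter -F
  run "$IPT" -t filter -Z

  # Loopback: local services reach themselves over lo, so allow it both ways.
  run "$IPT" -A INPUT  -i lo -j ACCEPT
  run "$IPT" -A OUTPUT -o lo -j ACCEPT

  # Order matters: the first matching rule decides and later rules are never
  # reached, so the single-host ACCEPT must come BEFORE the /24 REJECT.
  run "$IPT" -A INPUT -s 192.168.0.1    -p tcp --dport 21 -j ACCEPT
  run "$IPT" -A INPUT -s 192.168.0.0/24 -p tcp --dport 21 -j REJECT

  # Negation: everybody except 192.168.1.1 is refused on HTTP.
  run "$IPT" -A INPUT ! -s 192.168.1.1 -p tcp --dport 80 -j REJECT

  # Port range and multiport both need the protocol (-p tcp) in front of them.
  run "$IPT" -A INPUT -s 192.168.1.1 -p tcp --dport 8000:8080 -j ACCEPT
  run "$IPT" -A INPUT -s 192.168.1.1 -p tcp -m multiport --dports 20,21 -j REJECT

  # ICMP has no ports; match the echo-request type (8) to refuse ping.
  run "$IPT" -A INPUT -s 192.168.0.0/24 -p icmp --icmp-type echo-request -j REJECT

  # -I with a position puts an emergency block at the top of the chain so it
  # is evaluated first (hypothetical address).
  run "$IPT" -I INPUT 1 -s 192.168.0.99 -j DROP

  # Only now flip the default policy. Doing this before the ACCEPT rules exist
  # would cut off every remote session, including the one running this script.
  run "$IPT" -P INPUT DROP
}

# Rules live in kernel memory only; persist them as "service iptables save" does.
save_rules() {
  if [ -n "${DRY_RUN:-}" ]; then
    printf '%s\n' 'iptables-save > /etc/sysconfig/iptables'
  else
    iptables-save > /etc/sysconfig/iptables
  fi
}

case "${1:-}" in
  apply) apply_baseline && save_rules ;;
esac
```

Run with DRY_RUN=1 sh firewall.sh apply first and read the printed list top to bottom as the kernel would: the host ACCEPT must appear above the subnet REJECT, and -P INPUT DROP must be the last line.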
Section 7
-----------------Using iptables for rate limiting, this is cool!!
The relevant parameters are described in man iptables, under the limit match.
Here is the experiment.
We use the HTTP server on 192.168.0.254 to share a 100 MB file, then have another PC download it, and compare the speed with and without the limit.
There is a 100 MB file named test in the html directory of the HTTP server.
Then 192.168.0.1 downloads it.
Without a limit the download runs at roughly 15 MB/s (screenshot in the original post).
Now the limit is applied with iptables on the 254 machine.
-m limit loads the limit match, and --limit 10/s lets the rule match only 10 packets per second. Note that limit counts packets, not bytes, and packets beyond the rate simply do not match: they fall through to the following rules, so the throttle only works when a DROP rule or a DROP default policy comes after it. Holding the flow to about 10 packets per second, with the lost packets making TCP back off, is what produces the slow download.
Then 192.168.0.1 downloads again.
Now the download speed is only about 7 KB/s (screenshot in the original post).
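The post does not show its limit rule, so the following added example (not code from the original post) reconstructs the throttle and adds the two uses of -m limit a practitioner more often needs: bounding LOG output, and slowing new connections to a service. It runs with DRY_RUN=1 to print the commands; 192.168.0.1 is the post's lab client, and the port 22 rule is a hypothetical addition. The DROP rule right behind each limited ACCEPT is what makes the limit bite.

```shell
#!/bin/sh
# Added example: three uses of the limit match. Run "sh limits.sh apply" as
# root, or with DRY_RUN=1 to print the commands. 192.168.0.1 is the post's lab
# client; the port 22 rule is a hypothetical addition.
IPT=${IPT:-iptables}

run() {
  if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

apply_limits() {
  # (1) The post's throttle: only 10 HTTP packets/s from the client match the
  # ACCEPT; the rest fall through to the DROP right behind it. Without that
  # DROP (or a DROP default policy) the limit changes nothing, because
  # non-matching packets simply continue down the chain. --limit-burst is the
  # bucket size: up to 5 packets may pass at once before the 10/s rate applies.
  run "$IPT" -A INPUT -s 192.168.0.1 -p tcp --dport 80 -m limit --limit 10/s --limit-burst 5 -j ACCEPT
  run "$IPT" -A INPUT -s 192.168.0.1 -p tcp --dport 80 -j DROP

  # (2) Rate-limited logging: LOG is non-terminating, so a flood would fill the
  # log; the limit keeps it to 3 lines/minute, then the packet is still dropped.
  run "$IPT" -A INPUT -p icmp --icmp-type echo-request -m limit --limit 3/min -j LOG --log-prefix "PING-DROP: "
  run "$IPT" -A INPUT -p icmp --icmp-type echo-request -j DROP

  # (3) New-connection limit (hypothetical SSH rule): --syn matches only the
  # first packet of a TCP connection, so 4 attempts/min with a burst of 4 slows
  # password guessing while established sessions are unaffected.
  run "$IPT" -A INPUT -p tcp --dport 22 --syn -m limit --limit 4/min --limit-burst 4 -j ACCEPT
  run "$IPT" -A INPUT -p tcp --dport 22 --syn -j DROP
}

case "${1:-}" in
  apply) apply_limits ;;
esac
```

Limit is a token bucket on packet counts, not a bandwidth shaper; it cannot hold a flow to "1 MB/s". For real bandwidth control use tc (traffic control) on the egress interface and keep -m limit for what it is good at: capping log volume and connection attempts.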
Section 8
------------Using custom chains
When do we use a custom chain? In an enterprise the firewall ends up with a great many rules, and to add policy without disturbing what is already written we can group related rules in a chain of our own.
-N <name> creates a custom chain
-X <name> deletes a custom chain (it must be empty and no longer referenced by any jump, or -X fails)
Below we define our own chain:
iptables -N RHCE
iptables -A RHCE -s 192.168.0.1 -p tcp --dport 80 -j REJECT
Of course, after this nothing yet sends packets through the RHCE chain.
But remember that the target of a rule is not only ACCEPT and friends; it can also be a custom chain, so we can send packets to our chain with a jump:
iptables -A INPUT -j RHCE
Now packets on INPUT go to our custom chain.
But there is a question here.
If we send the packet through the custom chain and it walks all the way through it, does the packet come back to our INPUT chain?
The answer is yes: if the packet matches nothing in the custom chain (or hits a RETURN target), it returns to the INPUT chain right after the jump rule and continues matching downward from there.
Experiment: create the custom chain RHCE as above, allow 192.168.0.1 to reach the FTP service, and in INPUT reject ping from 192.168.0.1 to 254.
The screenshot shows FTP is reachable.
And HTTP is refused, which proves the conclusion above: the packet was judged inside RHCE, and where RHCE gave no verdict it continued down INPUT.
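The custom-chain workflow above with the teardown the post leaves out, as an added example that is not code from the original post. RHCE and 192.168.0.1 are the post's lab names; the LOG and RETURN rules are additions showing an explicit return. DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example: a custom chain with a clean setup and teardown.
# Run "sh chain.sh create" / "sh chain.sh remove" as root, or with DRY_RUN=1 to
# print the commands. RHCE and 192.168.0.1 are the post's lab names; the LOG
# and RETURN rules are additions showing an explicit return.
IPT=${IPT:-iptables}
CHAIN=RHCE

run() {
  if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

create_chain() {
  # The chain must exist before rules can be added to it or jumps point at it.
  run "$IPT" -N "$CHAIN"
  # Rules in the custom chain. A packet that matches REJECT is finished here;
  # INPUT never sees it again.
  run "$IPT" -A "$CHAIN" -s 192.168.0.1 -p tcp --dport 80 -j REJECT
  # A packet matching nothing in the chain falls off the end and returns to
  # INPUT implicitly; RETURN does the same explicitly, here after a LOG.
  run "$IPT" -A "$CHAIN" -s 192.168.0.1 -j LOG --log-prefix "RHCE-RETURN: "
  run "$IPT" -A "$CHAIN" -s 192.168.0.1 -j RETURN
  # Hand INPUT traffic to the chain. Rules appended to INPUT after this jump
  # still apply to packets that RHCE returned without a verdict, which is why
  # the FTP ACCEPT below keeps working for 192.168.0.1.
  run "$IPT" -A INPUT -j "$CHAIN"
  run "$IPT" -A INPUT -s 192.168.0.1 -p tcp --dport 21 -j ACCEPT
}

remove_chain() {
  # -X refuses a chain that is still referenced or still holds rules, so the
  # jump goes first, then the flush, then the delete.
  run "$IPT" -D INPUT -j "$CHAIN"
  run "$IPT" -F "$CHAIN"
  run "$IPT" -X "$CHAIN"
}

case "${1:-}" in
  create) create_chain ;;
  remove) remove_chain ;;
esac
```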
Section 9
-------------Connection state tracking in the firewall
What is state tracking? Take the TCP three-way handshake: the client sends a SYN to start a connection, the two sides negotiate, and once the handshake completes the connection is ESTABLISHED. The handshake itself and other connection details are not covered here.
Let us start with the four states that can be tracked.
NEW: the packet starts a new connection (for TCP, the first SYN)
ESTABLISHED: the packet belongs to a connection that has already seen traffic in both directions
RELATED: the packet starts a new connection that is associated with an existing one (for example an FTP data connection, or an ICMP error about an existing connection)
INVALID: the packet cannot be associated with any known connection, or is malformed
Why do we use packet state tracking here?
Take the FTP service as the example. FTP has two modes, active and passive. (First, note that whatever the service, a client connecting to a server generally uses a random port above 1024, which you cannot know in advance unless you watch the connection with netstat.)
Active mode (PORT): after establishing the command channel to the server's port 21, the FTP client tells the server "I have opened port 1234, connect to me there", and the server actively connects from its port 20 to the client's port 1234 to set up the data channel.
Passive mode (PASV): after establishing the command channel to the server's port 21, the server tells the client "I have opened port 2222, connect to my port 2222", and the client uses a random port above 1024 to connect to the server's port 2222 for the data channel.
With the two modes understood, consider this: in active mode we can control ports 20 and 21 and filter the FTP traffic, but in passive mode we do not know which port the data channel will use, so we cannot write a port rule for it. What we do know is that the data connection is always negotiated inside the command connection, so the state tracker can tie the two together. That is how we solve the passive-mode FTP problem.
Note that FTP clients generally default to passive mode, so let us prove it by experiment.
First build the FTP server on 254, then let 192.168.0.1 reach it on ports 20 and 21 but deny everything else.
On 254 (the server):
Client access:
Notice that the login succeeds because port 21 is allowed by the firewall, but even though port 20 is also open, ls after login hangs. That is because the client's default is passive mode: the data connection goes to a random port on the server that the firewall does not allow.
Typing passive in the client switches it to active mode, and now ls and downloads work.
Now we handle it with state tracking instead: if state tracking works, we should be able to log in and download data in passive mode.
The screenshot shows the rule that matches packets by state once the TCP connection is up: ESTABLISHED,RELATED.
Then do not forget to load the ip_conntrack_ftp module (called nf_conntrack_ftp on current kernels); without it the tracker cannot read the PASV reply, the data connection shows up as NEW instead of RELATED, and it is dropped.
Test:
This proves it works.
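The stateful policy the experiment relies on, written out as an added example (not code from the original post). It uses the post's lab client 192.168.0.1 and the module's current name nf_conntrack_ftp (ip_conntrack_ftp on 2.6-era kernels). The raw-table CT rule is an addition the post does not mention: since Linux 4.7 the ftp helper is no longer attached to port 21 connections automatically, so it is bound explicitly, which is harmless on older kernels. DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example: a stateful INPUT policy that makes passive-mode FTP work.
# Run "sh ftp-fw.sh apply" as root, or with DRY_RUN=1 to print the commands.
# 192.168.0.1 is the post's lab client. The CT helper rule in the raw table is
# an addition: kernels since 4.7 no longer attach the ftp helper automatically.
IPT=${IPT:-iptables}
CLIENT=192.168.0.1

run() {
  if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

apply_stateful_ftp() {
  # The ftp helper reads PORT/PASV on the port 21 control channel and marks
  # the resulting data connection RELATED. ip_conntrack_ftp was the old name.
  run modprobe nf_conntrack_ftp
  # Bind the helper explicitly to port 21 control connections (required on
  # newer kernels where automatic helper assignment is off).
  run "$IPT" -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp

  run "$IPT" -t filter -F
  run "$IPT" -A INPUT -i lo -j ACCEPT
  # Replies on connections we already know, plus connections the tracker ties
  # to them: the FTP data channel, whatever port PASV picked.
  run "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Packets that fit no known connection (stray ACKs, bad flag combinations)
  # are dropped rather than rejected, so probes get no answer.
  run "$IPT" -A INPUT -m state --state INVALID -j DROP
  # The only brand-new connection we accept: the client opening the control
  # channel. No rule for port 20 or for the passive data port is needed.
  run "$IPT" -A INPUT -m state --state NEW -s "$CLIENT" -p tcp --dport 21 -j ACCEPT
  run "$IPT" -P INPUT DROP
}

case "${1:-}" in
  apply) apply_stateful_ftp ;;
esac
```

Active mode works under the same rules: the server's outbound connection from port 20 leaves through OUTPUT (policy ACCEPT here) and its replies arrive as ESTABLISHED. The ESTABLISHED,RELATED rule sits first on purpose, since it matches the bulk of traffic and saves every later rule from being evaluated.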
Routip as a firewall
This article is from the "pincer" blog, make sure to keep this source http://pincer.blog.51cto.com/5759011/1617391
Linux Iptables detailed