Linux Note Firewall iptables Getting Started

Source: Internet
Author: User

One Iptables Introduction

A firewall is what implements access control on Linux; firewalls come in two kinds, hardware appliances and software. Whatever network it protects, the firewall sits at the boundary of that network, and our job is to define exactly how it behaves: the firewall policy, the set of rules that decides which IPs may enter, which packets are inspected and what is done with them. iptables is powerful and very flexible, no less capable than some enterprise-class firewalls.

Two The relationship between netfilter, tables, chains and rules

netfilter is the container of the tables, a table is the container of chains, and a rule (policy) belongs to a chain. A packet is handed to a chain at one of the kernel's hook points, and the rules of that chain are checked one by one.
To make this easier to picture: if you compare netfilter to a building, the tables, chains and rules relate to one another as follows:

Three How iptables works

Matching rules schematic diagram

Firewall rules are evaluated in order, from first to last. As soon as a packet matches a rule, that rule's action (ACCEPT, DROP or another target) is taken and no further rules in the chain are checked. A packet that does not match a rule is checked against the next one, and so on; a packet that matches none of the rules is handled by the chain's default policy. Order therefore matters: an ACCEPT placed before a DROP wins, and a specific rule placed after a broader one that already covers the packet is never reached.
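The lookup described above, as an added illustration that is not code from the page or from netfilter: a toy model of one chain, where rules are tried top to bottom, the first match decides, and the policy is used only when nothing matched. The rule tables and the packets are constructed for the example (source addresses are written as shell globs, so 10.10.10.* stands in for 10.10.10.0/24); the second table shows a rule that can never be reached because a broader one precedes it.

```shell
#!/bin/sh
# Toy model of chain evaluation (added example, not netfilter code).
# One rule per line: PROTO DPORT SOURCE TARGET. "any" matches every
# protocol or port; SOURCE is a shell glob, "*" meaning 0.0.0.0/0.
RULES='tcp 22  192.168.10.* ACCEPT
any any 10.10.10.*   DROP
tcp 22  *            DROP
tcp 80  *            ACCEPT'

# Same intent, wrong order: the management ACCEPT sits after the
# port-22 DROP, so it is shadowed and never matches anything.
RULES_SHADOWED='tcp 22 *            DROP
tcp 22 192.168.10.* ACCEPT'

# lookup TABLE POLICY PROTO DPORT SRC
# prints "<target> (rule N)" for the first matching rule,
# or "<policy> (policy)" when no rule matched
lookup() {
    table=$1 policy=$2 proto=$3 dport=$4 src=$5
    n=0
    while read -r r_proto r_dport r_src r_target; do
        [ -z "$r_proto" ] && continue
        n=$((n + 1))
        [ "$r_proto" = any ] || [ "$r_proto" = "$proto" ] || continue
        [ "$r_dport" = any ] || [ "$r_dport" = "$dport" ] || continue
        case "$src" in
            $r_src) ;;              # glob comparison; deliberately unquoted
            *) continue ;;
        esac
        printf '%s (rule %d)\n' "$r_target" "$n"   # first match wins: stop here
        return 0
    done <<EOF
$table
EOF
    printf '%s (policy)\n' "$policy"               # fell off the end of the chain
}

# show LABEL TABLE POLICY PROTO DPORT SRC: one packet, and which line decided it
show() {
    label=$1; shift
    printf '%-8s %-4s %-3s %-13s -> %s\n' "$label" "$3" "$4" "$5" "$(lookup "$@")"
}

show main     "$RULES" ACCEPT tcp 22 192.168.10.7   # ACCEPT (rule 1), before the DROPs
show main     "$RULES" ACCEPT tcp 22 10.10.10.5     # DROP (rule 2), the segment-wide DROP
show main     "$RULES" ACCEPT tcp 22 203.0.113.9    # DROP (rule 3)
show main     "$RULES" ACCEPT tcp 80 10.10.10.5     # DROP (rule 2): rule 4 is never consulted
show main     "$RULES" DROP   udp 53 203.0.113.9    # DROP (policy): nothing matched
show shadowed "$RULES_SHADOWED" ACCEPT tcp 22 192.168.10.7   # DROP (rule 1): the ACCEPT is dead
```

The last line is the case to remember: the ACCEPT for the management network is present in the table, but because a DROP covering the same packets comes first it is never used. On a real host, `iptables -L -n -v` shows the same thing as a rule whose packet counter never moves.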

The correspondence between tables and chains

The firewall uses the filter table by default; it filters the packets entering and leaving this machine and has three chains:
INPUT: filters every packet whose destination address is this machine
FORWARD: filters packets that pass through this machine without being addressed to it (routing/forwarding)
OUTPUT: handles every packet sent by this machine
The address-translation chains belong to the nat table (which also has an OUTPUT chain for locally generated packets):
PREROUTING: rules that run when a packet arrives at the firewall, before the routing decision; they change the packet's destination address and port (DNAT), typically for port mapping, such as mapping a public IP address or port to an IP address or port on the intranet
POSTROUTING: rules that run after routing, just before the packet leaves the firewall; they change the packet's source address and port (SNAT), typically so that a LAN shares one public IP, for example rewriting every LAN address to one public address so the whole LAN can reach the Internet

Work flow chart for chains and tables

Four The commands in detail

1. Chain management commands (these take effect immediately)

-P: set the default policy of a chain (whether the "default door" is closed or open). There are normally only two choices:
    iptables -P INPUT (DROP|ACCEPT)    default closed / default open
    For example, iptables -P INPUT DROP makes the default reject everything. If no ACCEPT rule has been defined yet, every inbound connection, including your own remote session (Xshell, SSH and the like), is refused. Add an ACCEPT rule for your management address before changing the policy, or do it from the console.
-F: FLUSH, empty a rule chain (mind which chain you are operating on):
    iptables -t nat -F PREROUTING
    iptables -t nat -F            flushes every chain of the nat table
-N: NEW, create a user-defined chain:
    iptables -N inbound_tcp_web   creates a chain (in the filter table) intended for inspecting inbound web traffic; it only sees packets once a rule in a built-in chain jumps to it with -j inbound_tcp_web
-X: delete a user-defined chain. Same usage as -N, but the chain must be empty (flushed) first and no rule may still jump to it.
-E: rename a user-defined chain:
    iptables -E oldname newname
-Z: zero the counters of a chain and of the rules in it (each rule keeps two counters: packets matched and bytes matched):
    iptables -Z
2. Rule management commands

-A: append, add a rule at the end of the chain
-I num: insert, make the rule number num in the chain
    -I INPUT 3   insert as the third rule
-R num: replace (modify) rule number num
    iptables -R INPUT 3 ...
-D num: delete, explicitly remove rule number num (a rule can also be deleted by repeating its full specification after -D)
3. The listing command -L

Sub-options:
-n: show addresses and ports numerically. Without -n iptables resolves every IP back to a host name, which is slow and sends a DNS query for each address in the listing.
-v: verbose; -vv, -vvv: more verbose still (interfaces and packet/byte counters appear from -v)
-x: show exact counter values, no unit conversion
--line-numbers: show the rule numbers
-t nat: list the nat table instead of the default filter table
Five Matching criteria in detail

1. Generic matches: source and destination address

-s: match on the source address; give an IP, not a host name:
    IP | IP/MASK | 0.0.0.0/0.0.0.0
    An address can be negated with "!", meaning every address except that one.
-d: match on the destination address
-p: match on the protocol (usually one of tcp, udp, icmp)
-i eth0: packets arriving on this interface; valid in INPUT, FORWARD and PREROUTING
-o eth0: packets leaving through this interface; valid in OUTPUT, FORWARD and POSTROUTING
2. Extended matches

2.1 Implicit extensions: loaded automatically by the protocol given with -p

-p tcp: the TCP extension, with three commonly used options
    --dport: destination port. A single port or a contiguous range written with a colon: --dport 21, or --dport 21:23 (21, 22 and 23). Several non-contiguous ports cannot be given here; that needs the multiport module below.
    --sport: source port, same syntax
    --tcp-flags: the TCP flag bits (SYN, ACK, FIN, PSH, RST, URG). It takes two arguments: the flags to examine, and the flags among them that must be set. --tcp-flags SYN,ACK,FIN,RST SYN examines those four bits and matches when SYN is set and the other three are clear, i.e. the first packet of the three-way handshake. The shorthand --syn means exactly this.
-p udp: the UDP extension
    --dport and --sport as for TCP
-p icmp: the ICMP extension
    --icmp-type: echo-request is type 8, so --icmp-type 8 matches ping requests; echo-reply is type 0
2.2 Explicit extensions (-m)

-m loads a named match module. -m multiport enables the multiport extension, after which --dports 21,23,80 (and likewise --sports) matches a list of ports; up to 15 ports may be given, and a range such as 1000:1010 counts as two.
Six The -j ACTION (target) in detail

Common targets:
DROP: discard silently; the sender gets nothing back, so the host and its rule set reveal as little as possible
REJECT: refuse explicitly; an ICMP error (or a TCP RST) is sent back
ACCEPT: accept
custom_chain: jump into a user-defined chain
DNAT, SNAT: destination / source address translation
MASQUERADE: source-address masquerading
REDIRECT: redirect, mainly used for port redirection on the local host
MARK: set a firewall mark on the packet
RETURN: return; used at the end of a user-defined chain to go back to the chain that jumped into it
Seven iptables rules in practice

1. View the current iptables configuration

# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

2. Clear all firewall rules

# iptables -F    # flush the rules of every chain in the filter table
# iptables -X    # delete user-defined chains
# iptables -Z    # zero the chain counters

Flushing removes rules but leaves the chain policies alone: on a host whose INPUT policy is DROP, iptables -F locks you out, so set the policy back to ACCEPT first (or run it from the console).

Check the result:
# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

3. Block remote hosts from connecting to a port

For example, forbid remote hosts from connecting to local port 22 (SSH):

# iptables -A INPUT -p tcp --dport 22 -j DROP

Do not run this over an SSH session to the same host: the rule drops every packet to port 22, including those of your own session, unless an ESTABLISHED,RELATED accept rule precedes it. Run it from the console or with such a rule in place.

4. How to delete a rule

Method one:
Repeat the rule with -A replaced by -D, for example:

# iptables -D INPUT -p tcp --dport 22 -j DROP

Method two:
List the rules with line numbers, find the number of the rule to delete, and delete it by number.

View the rule numbers:
# iptables -L -n --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Say I want to delete rule number 1:

# iptables -D INPUT 1
# iptables -L -n --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

The rule is gone. Numbers shift after every deletion, so when removing several rules by number, work from the highest number down.

5. Block a network segment, for example 10.10.10.0/24, from reaching my eth0 interface

# iptables -A INPUT -i eth0 -s 10.10.10.0/24 -j DROP
# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  10.10.10.0/24        0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Note: without -i the rule applies to every interface. The plain listing does not show the interface; use iptables -L -n -v to see the in/out columns and confirm the rule is bound to eth0.

6. Controlling several non-contiguous ports

Ports 80, 445 and 3389 on this machine must not be reachable from outside:
# iptables -A INPUT -p tcp -m multiport --dports 80,445,3389 -j DROP
# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  10.10.10.0/24        0.0.0.0/0
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 80,445,3389

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Controlling a range of contiguous ports

# iptables -A INPUT -p tcp --dport 25:30 -j DROP
# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  10.10.10.0/24        0.0.0.0/0
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           multiport dports 80,445,3389
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpts:25:30

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

7. iptables rules for common production services (the filter table is operated on by default)

1) Clear all firewall rules
# iptables -F
# iptables -Z
# iptables -X

2) Allow SSH login from the management network 192.168.10.0/24

# iptables -A INPUT -p tcp -s 192.168.10.0/24 --dport 22 -j ACCEPT

3) Allow traffic in and out on the lo interface
# iptables -A INPUT -i lo -j ACCEPT

4) Tighten the default policies

First look at the default policies: every chain defaults to ACCEPT.
# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Now tighten them. The ACCEPT rule for the management network from step 2 must already be in place, because the moment the INPUT policy becomes DROP every packet not matched by an ACCEPT rule is discarded, your own session included.
# iptables -P INPUT DROP
# iptables -P FORWARD DROP
# iptables -P OUTPUT ACCEPT
# iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  192.168.10.0/24      0.0.0.0/0           tcp dpt:22
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

The INPUT and FORWARD chains now deny everything by default, while the OUTPUT chain still allows everything.

5) Open trusted IP segments, for example the office networks 172.16.10.0/24 and 192.168.1.0/24

# iptables -A INPUT -s 172.16.10.0/24 -j ACCEPT
# iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT

6) Allow the HTTP service through unconditionally
# iptables -A INPUT -p tcp --dport 80 -j ACCEPT

7) Allow ICMP
Allow a specific IP segment to ping the host:
# iptables -A INPUT -p icmp -s 192.168.10.0/24 -m icmp --icmp-type any -j ACCEPT

Allow every IP to ping the host:
# iptables -A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT

8) Allow packets that belong to established or related connections
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Without step 8 the rules above only let connections in; the replies to connections this host opens itself (a package update, a DNS query) would hit the INPUT DROP policy. Because rules are matched in order, this rule belongs at the top of the chain in practice: appended here it still works, but every packet of every established connection is compared with all the preceding rules first.

Note: the rules above are the usual ones; modify them or add others as needed.

9) Make the iptables configuration permanent
# iptables-save > /etc/sysconfig/iptables

Check the result:
# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.21 on Sun Apr 22 00:45:14 2018
*filter
:INPUT DROP [23:3864]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [4:620]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.10.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 172.16.10.0/24 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 192.168.10.0/24 -p icmp -j ACCEPT
-A INPUT -s 192.168.10.0/24 -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Sun Apr 22 00:45:14 2018

Tip: /etc/sysconfig/iptables is the default rules file on CentOS/RHEL 6, and on 7 when the iptables-services package is installed and firewalld is disabled; the iptables service loads it at boot. Debian and Ubuntu use iptables-persistent with /etc/iptables/rules.v4 instead. Later additions or changes can be made directly in this file and loaded with iptables-restore < /etc/sysconfig/iptables (or service iptables restart), which replaces the whole rule set in one step.
Two things worth noticing in the saved file: the loopback rule appears twice because it was appended twice (harmless, but delete the duplicate), and the RELATED,ESTABLISHED rule is last, so every packet of every established connection is compared with all the rules above it before being accepted. Inserting it at position 1 (with -I INPUT 1 instead of -A INPUT) keeps the same security outcome and saves that work on every packet.
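The production procedure of steps 1 to 9, as an added example that is not code from the original page: the same rule set written as one iptables-restore file instead of a sequence of iptables -A/-P commands, with the stateful and loopback rules first, and loaded with a rollback timer so that a mistake cannot lock you out of the host. The network ranges are the page's; the INVALID-state drop, the rollback delay, the backup path and the script's own sub-command names are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the page: build and safely load the section Seven
# production rule set. Requires root for "apply" and "confirm".

MGMT_NET=192.168.10.0/24
TRUSTED_NETS="172.16.10.0/24 192.168.1.0/24"
ROLLBACK_SECS=60                       # assumed: time allowed to confirm the new rules
BACKUP=/root/iptables.before-apply     # assumed: where the previous rules are kept

# Print the complete filter table. The policies travel in the ":CHAIN POLICY"
# header lines and the table is committed as a whole, so there is never a
# moment where INPUT is already DROP but the ACCEPT rules are not yet loaded.
gen_ruleset() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    # replies to connections this host opened: first, because it matches most
    # packets, so nothing below is evaluated for them
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m state --state INVALID -j DROP'      # assumed addition: malformed state
    echo "-A INPUT -p tcp -s $MGMT_NET --dport 22 -m state --state NEW -j ACCEPT"
    for net in $TRUSTED_NETS; do
        echo "-A INPUT -s $net -j ACCEPT"
    done
    echo '-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT'
    echo "-A INPUT -p icmp -s $MGMT_NET -m icmp --icmp-type any -j ACCEPT"
    echo '-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo 'COMMIT'
}

# Load the rules with a safety net: save the current rules, start a timer that
# restores them, then load the new set. If the SSH session is still alive
# afterwards, confirm_ruleset cancels the timer and persists the rules.
apply_ruleset() {
    iptables-save > "$BACKUP"
    gen_ruleset | iptables-restore --test || { echo 'rule set rejected, nothing changed' >&2; return 1; }
    ( sleep "$ROLLBACK_SECS" && iptables-restore < "$BACKUP" ) &
    echo $! > "$BACKUP.rollback-pid"
    gen_ruleset | iptables-restore
    echo "applied; run '$0 confirm' within $ROLLBACK_SECS s or the previous rules come back"
}

confirm_ruleset() {
    kill "$(cat "$BACKUP.rollback-pid")" && rm -f "$BACKUP.rollback-pid"
    iptables-save > /etc/sysconfig/iptables    # CentOS/RHEL path used on this page
}

case "${1:-}" in
    print)   gen_ruleset ;;
    apply)   apply_ruleset ;;
    confirm) confirm_ruleset ;;
esac
```

`sh firewall.sh print` shows the file that would be loaded; `apply` loads it and `confirm` keeps it. The `--test` pass rejects a malformed file before anything changes, and the background restore is what gets you back in if the new rules turn out to drop your own session.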

Eight Shared Internet access and port mapping

1. DNAT

DNAT stands for destination network address translation: rewriting the destination IP address (and port) of a packet. It lets several internal servers sit behind one public IP address and still be reachable: different ports of the same external address are mapped to different internal addresses and ports, so internal servers can serve the outside world.
For example:
# iptables -t nat -A PREROUTING -d 203.85.14.11 -p tcp --dport 80 -j DNAT --to-destination 192.168.10.136:80

Every packet arriving for 203.85.14.11 port 80 is redirected to port 80 of the internal host 192.168.10.136, which is how the internal server is exposed to the outside.

2. SNAT

SNAT, source network address translation, rewrites the source IP address of a packet. It lets many internal computers reach the Internet through one (or a few) public addresses: packets leaving the LAN are given the public address as their source, so the internal hosts share the Internet connection.
For example:
# iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -o eth0 -j SNAT --to-source 203.85.14.11

Packets with a source address in 192.168.10.0/24 leaving through eth0 get 203.85.14.11 as their source, and the internal hosts share that address for Internet access.

3. MASQUERADE

MASQUERADE is dynamic source translation: it uses whatever address the outgoing interface currently has, so it is the usual choice when the external IP is not fixed, e.g. ADSL dial-up. It works with a single or with several external addresses and achieves the same shared Internet access.
For example:
# iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -o eth0 -j MASQUERADE

This masquerades packets whose source is the 192.168.10.0/24 segment, so several computers behind one ADSL line share the connection. Give MASQUERADE the interface facing the Internet with -o (ppp0 on a PPPoE link); without it, traffic between internal interfaces is rewritten as well.

Two things the nat commands above do not do by themselves: the kernel must be allowed to route between interfaces (sysctl -w net.ipv4.ip_forward=1), and the FORWARD chain of the filter table must accept the traffic, which with the FORWARD DROP policy set in section Seven means explicit ACCEPT rules for LAN-to-Internet traffic, for the DNAT-ed connections to the internal server, and for ESTABLISHED,RELATED packets coming back.
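The complete gateway configuration that the three nat-table commands above imply, as an added example that is not code from the original page: one iptables-restore file with the nat table (DNAT before routing, SNAT after routing) and the filter table (FORWARD rules that the FORWARD DROP policy requires, plus minimal INPUT rules for the gateway itself), and the forwarding sysctl. The addresses are the page's; the interface names, the LAN-only SSH rule on the gateway and the sysctl file path are assumptions.

```shell
#!/bin/sh
# Added example, not from the page: a NAT gateway's full rule set.
PUB_IF=eth0                 # assumed: interface holding the public address
LAN_IF=eth1                 # assumed: interface facing the LAN
LAN_NET=192.168.10.0/24
PUB_IP=203.85.14.11
WEB_SRV=192.168.10.136

# Print both tables in iptables-restore format (lines starting with # are
# comments to iptables-restore).
gen_nat_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# port mapping: public 80 -> internal web server, decided before routing
-A PREROUTING -i $PUB_IF -d $PUB_IP -p tcp --dport 80 -j DNAT --to-destination $WEB_SRV:80
# LAN hosts leave with the public address; use -j MASQUERADE instead when the address is dynamic
-A POSTROUTING -s $LAN_NET -o $PUB_IF -j SNAT --to-source $PUB_IP
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# the gateway itself: replies, loopback, SSH from the LAN only
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
# forwarded traffic: without these, FORWARD DROP discards every routed packet
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $PUB_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $PUB_IF -o $LAN_IF -d $WEB_SRV -p tcp --dport 80 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Routing between interfaces is off by default; none of the above works until it is on.
enable_forwarding() {
    sysctl -w net.ipv4.ip_forward=1
    echo 'net.ipv4.ip_forward = 1' > /etc/sysctl.d/90-nat.conf   # assumed path, survives reboot
}

# Validate, load both tables atomically, then turn on forwarding (root required).
apply_nat_ruleset() {
    gen_nat_ruleset | iptables-restore --test || { echo 'rule set rejected' >&2; return 1; }
    gen_nat_ruleset | iptables-restore && enable_forwarding
}

case "${1:-}" in
    print) gen_nat_ruleset ;;
    apply) apply_nat_ruleset ;;
esac
```

Note that the FORWARD rule for the web server matches the destination after DNAT (192.168.10.136), because the nat PREROUTING chain runs before the filter FORWARD chain sees the packet. To check that translation is happening, `iptables -t nat -L -n -v` shows the DNAT and SNAT counters, and the third FORWARD rule's counter should increase with each new connection to the public address.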

