Linux security settings, network firewall

Source: Internet
Author: User

The following notes cover Linux security settings and network firewalls: iptables, NAT, the Layer7 match, diff and patch, and SELinux.


Part One: The firewall

1. Firewall basics

(1) What a firewall is

A firewall is an isolation tool that works on a host or at the network edge. Packets passing through it are checked against pre-defined rules and, when a rule matches, handled as that rule specifies.

(2) Firewall classification

Firewalls fall into two categories: software firewalls (iptables/netfilter) and hardware firewalls (Cisco PIX, ASA).

They can also be classified by scope: host firewalls and network firewalls.

(3) iptables

iptables is a non-interactive, user-space command-line tool for writing rules for netfilter, the packet-filtering framework inside the kernel.

iptables works with chains and tables, explained in detail as follows:

Chains (5): PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING

Tables (4): filter, nat (rewrites source/destination address and port), mangle (rewrites packet headers), raw

Table priority: raw (highest), mangle, nat, filter

raw table chains: PREROUTING, OUTPUT ---------- straight in, straight out

mangle table chains: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING ---------- via the host or routed

nat table chains: PREROUTING, OUTPUT, POSTROUTING, INPUT ---------- through the host

filter table chains: INPUT, FORWARD, OUTPUT ---------- routed


Flow of packets through iptables:

Inbound to a local process: PREROUTING -> INPUT ---------- into the host

Sent out by a local process: OUTPUT -> POSTROUTING ---------- out of the host

Forwarded through this host: PREROUTING -> FORWARD -> POSTROUTING ---------- routed


2. The iptables command ---------- for each packet, define the matching conditions (basic matches, extended matches) and then the action to take (ACCEPT, DROP, REJECT, ...)

Rule format: iptables [-t table] COMMAND CHAIN [-m matchname [per-match-options]] -j targetname [per-target-options]

targetname ---------- the target (action):

ACCEPT ---------- accept, allow the packet

DROP ---------- discard silently

REJECT ---------- discard and send an error back to the sender

LOG ---------- only have the kernel write a log record for the matching packet, then continue with the next rule

SNAT

DNAT

MASQUERADE

MARK


Common options:

-t table: selects the table to operate on (raw, mangle, nat, filter); the default is the filter table.

Options of the recent match (-m recent):

--set ---------- record the packet's source IP in the list; if the IP is already there, the existing entry is updated

# iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH

--update ---------- check the list and, on a match, update the entry's timestamp

--seconds ---------- must be used with --rcheck or --update; only count hits within the last N seconds

--hitcount ---------- must be used with --rcheck or --update; match when the source has been seen at least N times

# iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 300 --hitcount 3 --name SSH -j LOG --log-prefix "SSH Attack:"

COMMAND ---------- chain management commands, rule management commands, and commands to view rules

Chain management:

-P ---------- set the default policy of the specified built-in chain (ACCEPT or DROP)

-N ---------- create a new custom chain

-X ---------- delete a custom chain; it must be empty and have 0 references from other chains

-F ---------- flush all rules from the specified chain (or from every chain in the table)

-E ---------- rename a custom chain; it must have 0 references from other chains

Rule management:

-A ---------- append a rule at the end of the specified chain

-I [#] ---------- insert a rule at position #; without a number it becomes the first rule of the chain

-D [#] ---------- delete the specified rule, by number or by specification

-R # ---------- replace the rule at position # with the given rule

-Z ---------- zero the packet and byte counters of the rules in the specified chain (or table)

Viewing rules:

-L ---------- list all rules on the specified chain (or all chains) of the specified table

-n ---------- numeric output: do not resolve addresses or ports to host or service names

-v ---------- verbose output (interfaces, counters)

-x ---------- exact counter values instead of K/M/G abbreviations

--line-numbers ---------- show the number of each rule in its chain


Basic matching criteria:

-s ---------- source IP address or network

-d ---------- destination IP address or network

-p ---------- protocol of the packet (TCP, UDP, IP, ICMP, ARP)

-i ---------- the interface the packet arrives on (usable in INPUT, FORWARD, PREROUTING)

-o ---------- the interface the packet leaves by (usable in OUTPUT, FORWARD, POSTROUTING)

Examples:

# iptables -A INPUT -s 172.16.0.0/16 -d 172.16.72.1,172.16.72.101 -j ACCEPT

# iptables -P INPUT DROP

# iptables -A INPUT -s 172.16.0.0/16 -d 172.16.72.101 -j ACCEPT

# iptables -I INPUT -s 172.16.0.1 -d 172.16.72.1 -p tcp --dport 22 -j ACCEPT

# iptables -I INPUT -s 172.16.0.0/16 -d 172.16.72.101 -p tcp --dport 80 -j ACCEPT

# iptables -I INPUT 2 -s 172.16.69.1 -p icmp --icmp-type 8 -j ACCEPT

# iptables -I INPUT -s 172.16.0.0/16 -p icmp --icmp-type 0 -j ACCEPT


Extended matching criteria (7 kinds) ---------- multiport, iprange, string, time, connlimit, limit, state

(1) multiport extension ---------- match "multiple ports", discrete or as a range, in one rule

Common options:

-m multiport --sports port[,port|,port:port]...

-m multiport --dports port[,port|,port:port]...

-m multiport --ports port[,port|,port:port]...

Port lists look like: 21,22,23,80,1000:2000

Example:

# iptables -I INPUT -d 172.16.72.1 -s 172.16.0.0/16 -p tcp -m multiport --dports 21,22,23,80 -j ACCEPT


(2) iprange extension ---------- match a "continuous range of IP addresses" that need not align to a network mask

-m iprange --src-range from[-to]

-m iprange --dst-range from[-to]

Address range such as: 172.16.50.1-172.16.72.254

Example:

# iptables -I INPUT 4 -m iprange --src-range 172.16.0.1-172.16.72.254 -p tcp -m multiport --dports 21,22,80 -j ACCEPT


(3) string extension ---------- "string matching" against the application-layer payload of the packet

-m string --algo {bm|kmp} ---------- the search algorithm (Boyer-Moore or Knuth-Morris-Pratt)

-m string --string pattern ---------- the string to search for

Example:

# iptables -A OUTPUT -s 172.16.72.1 -d 172.16.0.0/16 -m string --string "admin" --algo kmp -j DROP


(4) time extension ---------- match on the packet's "arrival time" against a specified "time window"

-m time --datestart YYYY[-MM[-DD[Thh[:mm[:ss]]]]]

-m time --datestop YYYY[-MM[-DD[Thh[:mm[:ss]]]]]

-m time --timestart hh:mm[:ss] ---------- e.g. --timestart 09:00:00

-m time --timestop hh:mm[:ss] ---------- e.g. --timestop 17:00:00

-m time --monthdays day[,day...]

-m time --weekdays day[,day...] ---------- e.g. --weekdays Sat,Sun

Example (--kerneltz interprets the times in the kernel's time zone instead of UTC):

# iptables -I INPUT -d 172.16.72.1 -p tcp -m multiport --dports 21,23,80 -m time --timestart 09:00:00 --timestop 17:00:00 --weekdays Sat,Sun --kerneltz -j ACCEPT


(5) connlimit extension ---------- match on the number of concurrent connections from each client IP

-m connlimit --connlimit-upto N ---------- number of connections is at most N; the rule is normally written to allow

-m connlimit --connlimit-above N ---------- number of connections is greater than N; the rule is normally written to deny

Example:

# iptables -I INPUT -d 172.16.72.1 -p tcp --dport 23 -m connlimit --connlimit-upto 2 -j ACCEPT


(6) limit extension ---------- match on the "rate of packets" (token bucket)

-m limit --limit rate[/second|/minute|/hour|/day]

-m limit --limit-burst number ---------- initial bucket size, i.e. how many packets may match before the rate applies

Example:

# iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 20/minute --limit-burst 8 -j ACCEPT


(7) state extension ---------- stateful inspection, based on the connection tracking mechanism

Format: -m state --state STATE[,STATE...]

INVALID ---------- the packet cannot be associated with any known connection

ESTABLISHED ---------- the packet belongs to an already established connection (traffic seen in both directions)

NEW ---------- the packet starts a new connection (the connection is not yet established)

RELATED ---------- the packet starts a new connection that is associated with an existing one (for example an FTP data connection)

UNTRACKED ---------- the packet was exempted from connection tracking

/proc/net/nf_conntrack ---------- the table of tracked connections; nf_conntrack_ftp is the helper module that tracks the FTP protocol

/proc/sys/net/nf_conntrack_max ---------- the maximum number of connections that can be tracked

/proc/sys/net/netfilter/nf_conntrack_*timeout* ---------- connection-tracking "timeouts", one per protocol and state

Examples:

# iptables -I INPUT -d 172.16.72.1 -m state --state ESTABLISHED,RELATED -j ACCEPT

# iptables -I INPUT 2 -d 172.16.72.1 -p tcp -m multiport --dports 21,22,23,80,3306 -m state --state NEW -j ACCEPT

# iptables -A INPUT -j DROP ---------- default or last rule: deny all other access to the host

# iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT

# iptables -A OUTPUT -j DROP ---------- default or last rule: deny all other traffic from the host



3. Network firewall ---------- rules on the FORWARD chain of the filter table, plus the related chains of the nat table

(1) FORWARD chain configuration:

Examples:

# iptables -A FORWARD -j DROP

# iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# iptables -I FORWARD 2 -d 192.168.100.2 -p tcp -m multiport --dports 21:23,80,3306 -m state --state NEW -j ACCEPT

# iptables -I FORWARD 3 -d 192.168.100.2 -p udp --dport 53 -m state --state NEW -j ACCEPT

# iptables -I FORWARD 4 -s 192.168.100.0/24 -p icmp --icmp-type 8 -m state --state NEW -j ACCEPT


(2) Custom chains:

A custom chain is configured as follows:

Examples:

# iptables -N udp_match ---------- create the custom chain

# iptables -A udp_match -j RETURN ---------- last rule: return to the calling chain when nothing above matched

# iptables -I udp_match -d 192.168.100.2 -p udp --dport 53 -j ACCEPT

# iptables -I udp_match 2 -d 192.168.100.2 -p udp --dport 137 -j ACCEPT

# iptables -I udp_match 3 -d 192.168.100.2 -p udp --dport 138 -j ACCEPT


"Referencing" the custom chain from a built-in chain:

# iptables -I FORWARD 4 -p udp -j udp_match


Renaming a custom chain: ---------- the chain must not be referenced

# iptables -E old_chain_name new_chain_name

Example:

# iptables -E udp_match UDP


Deleting a custom chain: ---------- the reference count must be 0 and the chain must be empty

# iptables -X UDP



4. The nat table ---------- SNAT, DNAT

Functions of the nat table (two): network address translation (NAT) and port mapping (NAPT)

Network address translation comes in two kinds: SNAT (outbound: source address translation, address masquerading) and DNAT (inbound: destination address translation, port mapping)

(1) SNAT ---------- outbound, static source address translation, address masquerading

Format: --to-source [ipaddr[-ipaddr]][:port[-port]]

Example:

# iptables -t nat -R POSTROUTING 1 -s 192.168.100.0/24 -j SNAT --to-source 172.16.72.50


(2) MASQUERADE ---------- the SNAT equivalent for dynamically assigned addresses: the outgoing interface's current address is substituted as the source

Format: --to-ports port[-port]

Example:

# iptables -t nat -R POSTROUTING 1 -s 192.168.100.0/24 -j MASQUERADE


(3) DNAT ---------- inbound access from outside, destination address translation, port mapping

Format: --to-destination [ipaddr[-ipaddr]][:port[-port]]

Examples:

# iptables -t nat -A PREROUTING -d 172.16.72.50 -j DNAT --to-destination 192.168.100.2

# iptables -t nat -A PREROUTING -d 172.16.72.50 -p tcp --dport 80 -j DNAT --to-destination 192.168.100.2:8077


Note: when redirecting a port with iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8077, httpd on the host must not also be listening on the real port 80, otherwise there will be an error.


(4) REDIRECT ---------- port redirection to the local machine

Format: --to-ports port[-port]

# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8077


(5) LOG ---------- only have the kernel write a log record for the matching packet

Format:

--log-level level

--log-prefix prefix

--log-ip-options


5. Saving and reloading rules

(1) CentOS 7: save and reload

/etc/sysconfig/iptables ---------- rule save location (used by the iptables-services package)

# iptables-save > /path/to/some_rule_file

# iptables-restore < /path/from/some_rule_file


(2) CentOS 6: save and reload

/etc/sysconfig/iptables ---------- default rule save location

# iptables-save > /path/to/some_rule_file

# iptables-restore < /path/from/some_rule_file


# service iptables save

# service iptables restart
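As an added example that is not part of the original notes, here are the host rules of section 2, the FORWARD rules of section 3 and the NAT rules of section 4 written as one iptables-save file, so that they load atomically with iptables-restore instead of one iptables -I/-A at a time. The addresses and ports are the ones used in the notes; the chain name SSH_GUARD and the helper functions are my own.

```shell
#!/bin/sh
# Added example, not from the original notes: the host rules of section 2, the
# FORWARD rules of section 3 and the NAT rules of section 4 written as one
# iptables-save file, loaded atomically with iptables-restore (section 5)
# instead of one iptables -I/-A at a time. Addresses follow the notes:
# 172.16.72.1 is the host, 172.16.0.0/16 the LAN, 192.168.100.0/24 the inside
# network behind the NAT box and 172.16.72.50 its public address.

gen_ruleset() {
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:SSH_GUARD - [0:0]
# Loopback and already-tracked traffic first: the most frequent matches.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# New LAN connections to the published services, several ports per rule.
-A INPUT -s 172.16.0.0/16 -d 172.16.72.1 -p tcp -m multiport --dports 21,23,80,3306 -m state --state NEW -j ACCEPT
-A INPUT -d 172.16.72.1 -p tcp --dport 22 -m state --state NEW -j SSH_GUARD
# Echo requests, rate limited so the host cannot be made to answer floods.
-A INPUT -p icmp --icmp-type 8 -m limit --limit 20/minute --limit-burst 8 -j ACCEPT
# SSH: at most 3 concurrent sessions per source; a source that hit the recent
# list 3 times within 300 s is logged and dropped. LOG must precede DROP, or
# nothing is ever logged; a shell sequence of -I commands would invert that.
-A SSH_GUARD -m connlimit --connlimit-above 3 -j DROP
-A SSH_GUARD -m recent --rcheck --seconds 300 --hitcount 3 --name SSH -j LOG --log-prefix "SSH Attack: "
-A SSH_GUARD -m recent --update --seconds 300 --hitcount 3 --name SSH -j DROP
-A SSH_GUARD -m recent --set --name SSH -j ACCEPT
# Routed traffic: the inside network out, the DNATed web server (below) in.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s 192.168.100.0/24 -m state --state NEW -j ACCEPT
-A FORWARD -d 192.168.100.2 -p tcp --dport 8077 -m state --state NEW -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Publish the inside web server on the public address, port 80 -> 8077.
-A PREROUTING -d 172.16.72.50 -p tcp --dport 80 -j DNAT --to-destination 192.168.100.2:8077
# Hide the inside network behind the fixed public address.
-A POSTROUTING -s 192.168.100.0/24 -j SNAT --to-source 172.16.72.50
COMMIT
EOF
}

# Line number of the first rule matching a pattern, to check evaluation order.
rule_line() { gen_ruleset | grep -n -- "$1" | head -n 1 | cut -d: -f1; }

# Number of rules in a chain.
count_rules() { gen_ruleset | grep -c -- "^-A $1 "; }

# Parse-check the file (iptables-restore --test) and then load it; needs root
# on a host with iptables, so it is not run here.
load_ruleset() { gen_ruleset | iptables-restore --test && gen_ruleset | iptables-restore; }
```

Save the output of gen_ruleset as /etc/sysconfig/iptables and it survives a reboot under the CentOS init script described above.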



Part Two: Layer7 extension module ---------- application layer: iptables filtering on layer 7, by protocol signature

Text manipulation tools: diff, patch

1. The diff command ---------- compare two text files and show the differences

Format: diff <file before the change> <file after the change>

diff has three output formats: normal, context, and unified

(1) Normal format

# diff file1 file2 ---------- the output has 3 parts

The "first line" of each block is a hint giving the position and kind of the change, and it consists of three parts: the line number(s) in file1, a letter for the kind of change, and the line number(s) in file2.

# ---------- the line number (or range) in file1, and after the letter the line number in file2

c ---------- the kind of change is "change" (lines replaced)

a ---------- "add" (lines added)

d ---------- "delete" (lines deleted)

(2) Context format

Common options:

-c ---------- context

# diff -c f1 f2 ---------- the output has 4 parts

The four parts of the output are as follows:

Part 1: ---------- two lines giving the basic information on the two files; the line starting with *** is the file before the change, the one starting with --- the file after.

Part 2: ---------- a line of 15 asterisks, separating the file information from the changes.

Part 3: ---------- the "before" version of the changed region, i.e. from file1.

Part 4: ---------- the "after" version, i.e. from file2.

Note: each line of file content is preceded by a marker character:

(space) ---------- the line is unchanged

! ---------- the line was changed

- ---------- the line was deleted

+ ---------- the line was added

(3) Unified format ---------- the context of f1 and f2 is shown merged in one block

Common options:

-u ---------- unified

# diff -u f1 f2 ---------- 3 lines of context are shown around each change

The three parts of the output are as follows:

Part 1: ---------- the basic file information; the --- line names the file before the change and the +++ line the file after it.

Part 2: ---------- the position of the "change", enclosed in "@@" at the start and end.

Part 3: ---------- the concrete content of the change.

Note: each line of file content is preceded by a marker character:

(space) ---------- the line is unchanged

- ---------- the line was deleted

+ ---------- the line was added


2. The patch command ---------- accepts every diff output format and ignores leading junk in the patch file

Format: patch [options] [originalfile] [patchfile]

Common options:

-pN ---------- strip N leading directory components ("prefix") from the file names in the patch

-p0 (or -p 0) ---------- use the path information exactly as given

-p1 ---------- drop everything up to and including the first "/"; -p2 drops two components, and so on

Example:

For the path /usr/src/linux-2.4.15/makefile, -p3 makes patch use linux-2.4.15/makefile as the file to patch.
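As an added example that is not part of the original notes, the following script produces the three diff formats described above for two small constructed files and then applies the unified diff with patch, showing what -p0 and -p1 do to the a/ and b/ paths in the header. It runs in a temporary directory and needs only diff, patch and cmp.

```shell
#!/bin/sh
# Added example, not from the original notes: the three diff output formats and
# the -p path stripping of patch, run on two small constructed files (an sshd
# configuration before and after hardening) inside a temporary directory.

make_tree() {  # $1 = work dir; a/ holds the file before the change, b/ after
  mkdir -p "$1/a" "$1/b"
  printf 'Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n' > "$1/a/sshd_config"
  printf 'Port 22\nPermitRootLogin no\nPasswordAuthentication no\nMaxAuthTries 3\n' > "$1/b/sshd_config"
}

# diff exits 1 when the files differ; only status 2 (an error) counts as failure.
run_diff() {  # $1 = work dir, $2 = format option: "" normal, -c context, -u unified
  ( cd "$1" && { diff $2 a/sshd_config b/sshd_config || [ $? -ne 2 ]; } )
}

# Normal format: the first line says where and how the files differ,
# e.g. "2,3c2,4" = lines 2-3 of a were changed into lines 2-4 of b.
normal_hint() { run_diff "$1" "" | head -n 1; }

# Context format: one 15-asterisk separator line per hunk.
context_separators() { run_diff "$1" -c | grep -c '^\*\{15\}$'; }

# Unified format: save it as the patch and return its hunk header "@@ -old +new @@".
unified_patch() {  # writes $1/harden.patch
  run_diff "$1" -u > "$1/harden.patch"
  grep '^@@' "$1/harden.patch"
}

# The headers name a/sshd_config and b/sshd_config. Applied from inside a copy
# of a/, one leading component must be stripped (-p1) to reach sshd_config.
apply_patch() {  # returns 0 when the patched copy equals b/sshd_config
  rm -rf "$1/work" && cp -R "$1/a" "$1/work"
  ( cd "$1/work" && patch -p1 < ../harden.patch > /dev/null )
  cmp -s "$1/work/sshd_config" "$1/b/sshd_config"
}

# With -p0 the path is used as written, so from a directory that contains a/
# the same patch applies to a/sshd_config (dry run, nothing is modified).
p0_would_apply() {
  rm -rf "$1/p0" && mkdir "$1/p0" && cp -R "$1/a" "$1/p0/a"
  ( cd "$1/p0" && patch -p0 --dry-run < ../harden.patch > /dev/null )
}

demo() {  # builds the tree, prints the hints, returns 0 if the patch applied
  d=$(mktemp -d)
  make_tree "$d"
  normal_hint "$d"; context_separators "$d"; unified_patch "$d"
  if p0_would_apply "$d" && apply_patch "$d"; then rc=0; else rc=1; fi
  rm -rf "$d"
  return $rc
}
```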



3. Building the Layer7 match, step by step ---------- 9 steps

(1) Get and unpack the kernel source

# useradd mockbuild

# rpm -ivh kernel-2.6.32-431.5.1.x86_64.el6.src.rpm

# cd rpmbuild/SOURCES

# tar xf linux-2.6.32-*.tar.gz -C /usr/src

# cd /usr/src

# ln -sv linux-2.6.32-<version> linux ---------- make /usr/src/linux point at the unpacked tree (the link target is cut off in the notes)


(2) Patch the kernel

# tar xf netfilter-layer7-v2.23.tar.bz2

# cd /usr/src/linux

# patch -p1 < /root/netfilter-layer7-v2.23/kernel-2.6.32-layer7-2.23.patch

# cp /boot/config-$(uname -r) .config ---------- start from the running kernel's configuration

# make menuconfig


To enable the Layer7 module in menuconfig:

Networking support -> Networking options -> Network packet filtering framework (Netfilter) -> Core Netfilter Configuration

<M> "layer7" match support


(3) Compile and install the kernel

# make

# make modules_install

# make install


(4) Reboot the system and boot the new kernel


(5) Compile iptables with the Layer7 extension

# tar xf iptables-1.4.20.tar.gz

# cp /root/netfilter-layer7-v2.23/iptables-1.4.3forward-for-kernel-2.6.20forward/* /root/iptables-1.4.20/extensions/

# cp /etc/rc.d/init.d/iptables /root ---------- keep the init script and config of the packaged iptables before removing it

# cp /etc/sysconfig/iptables-config /root

# rpm -e iptables iptables-ipv6 --nodeps

# ./configure --prefix=/usr --with-ksource=/usr/src/linux ---------- run inside /root/iptables-1.4.20

# make && make install


# cp /root/iptables /etc/rc.d/init.d/

# cp /root/iptables-config /etc/sysconfig/


(6) Install the protocol "signatures" that tell the Layer7 module how to recognise each protocol

# tar zxvf l7-protocols-2009-05-28.tar.gz

# cd l7-protocols-2009-05-28

# make install


(7) Using the Layer7 module

Set the acct parameter so that the nf_conntrack module keeps per-connection counters (sysctl):

net.netfilter.nf_conntrack_acct = 1

l7-filter uses the standard iptables extension syntax (-m layer7 --l7proto <protocol>)


(8) Recompile the kernel after changing its configuration:

# make menuconfig

# make -j N ---------- N = number of parallel jobs, usually the number of CPU cores

# make modules_install

# make install


(9) Clean up the kernel source tree



4. Protecting port 22 against DoS attacks ---------- solution

Use the "recent" module of iptables to protect port 22 against DoS attacks: it keeps a list of every client IP that has accessed the specified service.

# iptables -I INPUT -p tcp --dport 22 -m connlimit --connlimit-above 3 -j DROP


# iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH

# iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 300 --hitcount 3 --name SSH -j LOG --log-prefix "SSH Attack:"

Note: a source IP that initiates more than 3 connections within 300 s is recorded in the SSH list and its further connections are rejected.

# iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 300 --hitcount 3 --name SSH -j DROP


Knowledge points:

(1) The connlimit module limits a single IP to 3 concurrent connections. Where users come from behind NAT, raise the value to suit the actual situation.

(2) The recent and state modules limit a single IP to 2 new connections to this machine within 300 s. Access resumes after the "five minute" limit has passed.

(3) --set --name SSH ---------- record each new connection to TCP port 22 in the list named SSH

--set records the packet's source IP; if the IP is already in the list, the existing entry is updated

(4) Logging:

Use:

# iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 300 --hitcount 3 --name SSH -j LOG --log-prefix "SSH Attack:"

or, equivalently:

# iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --name SSH --seconds 300 --hitcount 3 -j LOG --log-prefix "SSH Attack"

(5) The recent module's list can be read at /proc/net/xt_recent/SSH
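As an added example that is not part of the original notes, this script reads the kernel messages written by the LOG rule above (prefix "SSH Attack:") and counts hits per source address, which is the check a defender runs to see which sources the DROP rule is refusing and whether the thresholds fit. The log lines are constructed here in the netfilter LOG format; on a real host they come from dmesg or /var/log/messages.

```shell
#!/bin/sh
# Added example, not from the original notes: reading the messages that the
# LOG rule above writes (prefix "SSH Attack:") and counting hits per source,
# the check a defender runs before deciding whether the recent/connlimit
# thresholds are right. The log lines below are constructed in the netfilter
# LOG format; on a real host they come from dmesg or /var/log/messages.

SAMPLE_LOG='Mar  3 10:15:01 fw kernel: SSH Attack: IN=eth0 OUT= MAC=52:54:00:aa:bb:cc:52:54:00:11:22:33:08:00 SRC=172.16.69.1 DST=172.16.72.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4242 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:03 fw kernel: SSH Attack: IN=eth0 OUT= MAC=52:54:00:aa:bb:cc:52:54:00:11:22:33:08:00 SRC=172.16.69.1 DST=172.16.72.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4243 DF PROTO=TCP SPT=51236 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:07 fw kernel: SSH Attack: IN=eth0 OUT= MAC=52:54:00:aa:bb:cc:52:54:00:44:55:66:08:00 SRC=172.16.50.9 DST=172.16.72.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=9001 DF PROTO=TCP SPT=40022 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:15:09 fw kernel: SSH Attack: IN=eth0 OUT= MAC=52:54:00:aa:bb:cc:52:54:00:11:22:33:08:00 SRC=172.16.69.1 DST=172.16.72.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4244 DF PROTO=TCP SPT=51240 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:11 fw kernel: eth0: link is up'

# Per-source hit counts for lines carrying the prefix, highest first: "<hits> <src>".
ssh_attack_sources() {  # stdin: syslog lines
  awk '/SSH Attack:/ {
         for (i = 1; i <= NF; i++)
           if ($i ~ /^SRC=/) { sub(/^SRC=/, "", $i); hits[$i]++ }
       }
       END { for (s in hits) print hits[s], s }' | sort -rn -k1,1 -k2,2
}

# Sources logged at least $1 times: the ones the DROP rule keeps refusing, and
# the ones to cross-check against the list in /proc/net/xt_recent/SSH.
repeat_offenders() {  # $1 = threshold, stdin: syslog lines
  ssh_attack_sources | awk -v n="$1" '$1 >= n { print $2 }'
}

# Wrappers over the constructed sample, for a quick run and for the test.
sample_top_source() { printf '%s\n' "$SAMPLE_LOG" | ssh_attack_sources | head -n 1; }
sample_offenders() { printf '%s\n' "$SAMPLE_LOG" | repeat_offenders "$1"; }
```

On a live host the same functions take real input, for example: dmesg | ssh_attack_sources.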




Part Three: SELinux

1. Operating system "security levels" (4 classes):

1. D ---------- the lowest

2. C: C1, C2

3. B: B1, B2, B3 (B3 the highest of these)

4. A: A1, A2


2. SELinux "access control mechanisms":

DAC ---------- discretionary access control (set by the user, e.g. file permissions)

MAC ---------- mandatory access control (set by policy, not by the user)


3. Two SELinux policy types ("working levels"): strict and targeted (default)

strict ---------- every process and file is strictly confined by SELinux

targeted ---------- only selected processes and their files are confined by SELinux (the default)


4. SELinux "working modes": enforcing, permissive, disabled

# setenforce 0 ---------- switch to permissive

# setenforce 1 ---------- switch to enforcing

# getenforce ---------- show the current mode


To make the mode permanent, edit the configuration file /etc/sysconfig/selinux (a link to /etc/selinux/config):

SELINUX=enforcing


5. Security labels (contexts) of files

(1) Viewing security labels

# ls --context | ls -Z [file ...] ---------- files

# ps auxZ ---------- processes


(2) The chcon command ---------- change the security label of a file

Format: chcon [OPTION]... CONTEXT FILE...

Common options:

-t type ---------- set only the type part of the context

-R ---------- change files recursively

--reference=RFILE ---------- give the file the same security context as RFILE


Typical use: when the type of the web page files does not match the domain of the httpd process


(3) The restorecon command ---------- restore the default security context from the policy

Common options:

-R ---------- recurse into directories


6. SELinux booleans:

(1) The getsebool command

Common options:

-a ---------- show all booleans and their current values


(2) The setsebool command

Common options:

-P ---------- also write the change to the policy file to make it permanent

Example 1:

Allow anonymous FTP users to "upload":

# setsebool -P ftpd_full_access=1

# setsebool -P ftpd_anon_write=1

Example 2:

Allow Samba users to access their home directories:

# setsebool -P samba_enable_home_dirs=1


(3) The semanage command ---------- e.g. allow httpd to listen on a non-default port

# semanage port -a -t http_port_t -p tcp 8077

Note: semanage is provided by the policycoreutils-python package, which must be installed.

