Before introducing the iptables firewall, we first need to understand the format of IP and TCP packets, because iptables rules match almost entirely on the fields in these headers, so the packet format is very important.
IP header format (figure omitted)
Packet capture showing the IP header fields (figure omitted)
TCP header format (figure omitted)
Packet capture showing the TCP header fields (figure omitted)
Comparing the header diagrams against the captured packets makes the meaning of each field much easier to grasp. Now we formally begin introducing iptables, starting with a simple overview diagram (figure omitted).
iptables/netfilter
iptables: the command-line tool for writing rules
netfilter: the framework inside the kernel that applies those rules
Chains (built-in): five hook points, like five valves, corresponding to the five boxes in the diagram. These five chains are very important and must be understood clearly:
1. PREROUTING: before the routing decision
2. INPUT: packets destined for the local host
3. FORWARD: packets being forwarded through the host
4. OUTPUT: packets generated by the local host
5. POSTROUTING: after the routing decision
Tables (by function):
filter: the filtering table
nat: the network address translation table
mangle: unpacks the packet, modifies it (for example changing the TTL value or adding a mark) and repacks it
raw: turns off the connection tracking that the nat table enables
Priority (order of traversal): raw --> mangle --> nat --> filter
Of the tables above, the most commonly used is the filter table, and after it the nat table. However, on the OpenStack cloud platform, if the Neutron networking component uses the Open vSwitch virtual networking technology, all four tables are used, and in a very complex way; we will take a brief look at that below.
Packet flow (very important):
Inbound to this host: PREROUTING --> INPUT
Outbound from this host: OUTPUT --> POSTROUTING
Forwarded through this host: PREROUTING --> FORWARD --> POSTROUTING
When the routing decision is made:
1. The moment a packet enters the host, the kernel checks whether the destination is this host. If it is, the packet goes to INPUT; if not, it goes to FORWARD.
2. Before a packet leaves the host, the kernel decides which interface to send it out of towards the next hop.
Writing rules
1. Matching conditions
   Basic match criteria
   Extended match criteria
2. Handling actions (targets)
   Basic targets
   Extended targets
   Custom processing mechanism (user-defined chains)
iptables chains: built-in chains and custom chains
Custom chains: user-defined chains that extend the built-in chains, giving a more flexible rule management mechanism.
Custom chains are used heavily on the OpenStack cloud platform, so they deserve close attention; we will illustrate them with a simple example below.
A custom chain must be associated with a built-in chain: the built-in chain jumps to the custom chain, which then processes the packet.
Basic match criteria (-s, -d, -p, -i, -o)
-i: the interface the packet arrives on; can only be used in the PREROUTING, INPUT and FORWARD chains
-o: the interface the packet leaves through; can only be used in the FORWARD, OUTPUT and POSTROUTING chains
-p (tcp, udp, udplite, icmp, esp, ah, sctp or all): the protocol carried in the IP header's protocol field, not an application-layer protocol
iptables -t filter -A INPUT -s 172.16.80.1 -d 172.16.80.5 -p icmp -j DROP
iptables -L -n -v --line-numbers    (view the rules with their line numbers)
Extended match criteria: the extension module must be loaded with the -m option before its criteria can be used
Implicit extensions: the module does not need to be loaded manually (it is implied by -p)
tcp: --source-port, --sport port[:port]; --destination-port, --dport port[:port]
--tcp-flags mask comp; --syn; --tcp-option number
iptables -A INPUT -d 172.16.80.5 -p icmp --icmp-type 8 -j DROP    (stops other hosts from pinging this host)
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN
This means the flags to examine are SYN, ACK, FIN and RST; of these, SYN must be set to 1 and the remaining three must be 0.
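To make the mask/comp semantics concrete, here is an added example (not code from the original post or from iptables) that builds a constructed IPv4+TCP header, pulls out the fields a rule matches on, and evaluates the --tcp-flags test the way the rule above does; the function and field names are my own assumptions.

```python
import struct

# TCP flag bits in byte 13 of the TCP header, using the names --tcp-flags accepts.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20}

def flags_to_mask(names):
    """Turn 'SYN,ACK,FIN,RST' (or 'ALL' / 'NONE') into a bitmask."""
    names = names.upper()
    if names == "ALL":
        return 0x3F
    if names == "NONE":
        return 0
    return sum(TCP_FLAGS[n] for n in names.split(","))

def parse_ipv4_tcp(pkt):
    """Extract the header fields iptables matches on from raw IPv4+TCP bytes."""
    ihl = (pkt[0] & 0x0F) * 4                   # IPv4 header length in bytes
    proto = pkt[9]                              # protocol field, 6 = TCP
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    if proto != 6:
        raise ValueError("not a TCP packet")
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    flags = pkt[ihl + 13] & 0x3F                # low 6 bits of TCP header byte 13
    return {"src": src, "dst": dst, "sport": sport, "dport": dport, "flags": flags}

def tcp_flags_match(flags, mask, comp):
    """--tcp-flags mask comp: among the bits named in mask, exactly comp must be set."""
    return (flags & flags_to_mask(mask)) == flags_to_mask(comp)

def build_packet(src, dst, sport, dport, flag_names):
    """Constructed sample: minimal IPv4 + TCP headers, no payload, zero checksums."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4,
                      flags_to_mask(flag_names), 65535, 0, 0)
    return ip + tcp

if __name__ == "__main__":
    syn = build_packet("172.16.80.1", "172.16.80.116", 40000, 22, "SYN")
    synack = build_packet("172.16.80.116", "172.16.80.1", 22, 40000, "SYN,ACK")
    for p in (syn, synack):
        f = parse_ipv4_tcp(p)
        print(f, "matches SYN,ACK,FIN,RST SYN:",
              tcp_flags_match(f["flags"], "SYN,ACK,FIN,RST", "SYN"))
```

The --syn shorthand is exactly --tcp-flags SYN,RST,ACK,FIN SYN, so only the first packet of a handshake matches while the SYN+ACK reply does not.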
Explicit extensions: the extension module must be loaded manually with -m
multiport extension
iptables -A INPUT -s 1.1.1.1/24 -d 172.16.80.116 -p tcp -m multiport --dports 22,80 -j ACCEPT
iprange extension
iptables -A INPUT -d 172.16.80.116 -p tcp --dport 80 -m iprange --src-range 172.16.80.90-172.16.80.95 -j ACCEPT
string extension
Performs string pattern matching on the application-layer data in the packet
--algo: the string matching algorithm (bm or kmp)
--string: the pattern to look for
iptables -A OUTPUT -d 172.16.80.116 -p tcp --sport 80 -m string --algo bm --string "gay" -j REJECT
time extension
Matches a specified time range according to the time the packet arrives
--datestart YYYY[-MM[-DD[Thh[:mm[:ss]]]]]
--datestop YYYY[-MM[-DD[Thh[:mm[:ss]]]]]
iptables -A OUTPUT -d 172.16.80.116 -p tcp --dport 80 -m time --timestart 14:30 --timestop 18:30 --weekdays Sat,Sun --kerneltz -j DROP
connlimit extension
Matches on the number of concurrent connections per client IP
--connlimit-upto n: matches when the number of connections is less than n (typically used when the default policy is DROP)
--connlimit-above n: matches when the number of connections is greater than n (typically used when the default policy is ACCEPT)
iptables -A INPUT -d 172.16.80.116 -p tcp --dport 22 -m connlimit --connlimit-above 2 -j REJECT
state extension (conntrack, implemented at the IP layer)
Checks the state of the connection using the connection tracking mechanism
conntrack mechanism: tracks the relationship between a request and its response on the local host; the states are the following:
NEW: a newly issued request; the connection tracking table has no entry for this connection, so it is identified as the first request
ESTABLISHED: after the NEW state, the state of a connection whose entry exists in the connection tracking table, from the time it was established until the entry expires
RELATED: an associated connection, such as the relationship between the command connection and the data connection in FTP
INVALID: an invalid connection
iptables -A INPUT -d 172.16.80.116 -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A INPUT -d 172.16.80.116 -p tcp -m multiport --dports 22,80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -s 172.16.80.116 -p tcp -m multiport --sports 22,80 -m state --state ESTABLISHED -j ACCEPT
Adjusting the maximum number of connections the connection tracking table can hold:
# cat /proc/sys/net/nf_conntrack_max
31636
# cat /proc/net/nf_conntrack    (lists the connections currently tracked and recorded)
iptables -Z    (clears the packet and byte counters)
Finally, let's do a small experiment with a custom chain and the OpenStack part of the rule chains; the nat table will be introduced later.
# iptables -A INPUT -d 172.16.80.116 -p tcp -m multiport --dports 22,80 -m state --state NEW,ESTABLISHED -j ACCEPT    (on the target host 172.16.80.116, open ports 22 and 80)
# iptables -P INPUT DROP    (change the default policy to DROP)
At this point, pinging 172.16.80.116 from the client fails, because ICMP no longer matches any rule and hits the DROP policy.
Next we allow ICMP through a custom chain.
iptables -N ICMP    (create a new chain named ICMP; the name is arbitrary)
iptables -A ICMP -d 172.16.80.116 -p icmp --icmp-type 8 -m state --state NEW -j ACCEPT
iptables -A ICMP -j RETURN
The RETURN rule sets the default exit for the custom chain ICMP: if nothing in the ICMP chain matches, processing returns to the associated built-in chain INPUT, which continues with its next rule.
iptables -A INPUT -j ICMP    (associates the custom chain ICMP with the built-in chain INPUT so that the custom chain takes effect)
Now we can ping the host from the client again.
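The walk through INPUT, the jump into the custom chain, RETURN, and the fall-through to the DROP policy can be seen in this added example, a small model of chain traversal written for this post (not iptables code, and not from the original post); the rule dictionaries and the verdict function are my own constructed representation of the rules above.

```python
# Constructed model of how netfilter walks a built-in chain, jumps into a
# user-defined chain, and falls back to the chain's default policy.

def matches(rule, pkt):
    """Every criterion in the rule must match the packet (iptables ANDs them).
    A set as the expected value stands for multiport / multi-state lists."""
    return all(pkt.get(k) == v or (isinstance(v, (set, frozenset)) and pkt.get(k) in v)
               for k, v in rule["match"].items())

def walk(chains, policies, chain, pkt):
    """Return the verdict for pkt starting at chain; None means 'return to caller'."""
    for rule in chains[chain]:
        if not matches(rule, pkt):
            continue
        target = rule["target"]
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        if target == "RETURN":
            return None                      # caller continues with its next rule
        verdict = walk(chains, policies, target, pkt)   # jump into a user chain
        if verdict is not None:
            return verdict
    # end of chain: a built-in chain applies its policy, a user chain returns
    return policies.get(chain)

# The experiment from the post, written as data.
CHAINS = {
    "INPUT": [
        {"match": {"dst": "172.16.80.116", "proto": "tcp", "dport": {22, 80},
                   "state": {"NEW", "ESTABLISHED"}}, "target": "ACCEPT"},
        {"match": {}, "target": "ICMP"},             # iptables -A INPUT -j ICMP
    ],
    "ICMP": [
        {"match": {"dst": "172.16.80.116", "proto": "icmp", "icmp_type": 8,
                   "state": {"NEW"}}, "target": "ACCEPT"},
        {"match": {}, "target": "RETURN"},           # iptables -A ICMP -j RETURN
    ],
}
POLICIES = {"INPUT": "DROP"}                         # iptables -P INPUT DROP

def verdict(pkt):
    return walk(CHAINS, POLICIES, "INPUT", pkt)

if __name__ == "__main__":
    ping = {"dst": "172.16.80.116", "proto": "icmp", "icmp_type": 8, "state": "NEW"}
    ssh = {"dst": "172.16.80.116", "proto": "tcp", "dport": 22, "state": "NEW"}
    https = {"dst": "172.16.80.116", "proto": "tcp", "dport": 443, "state": "NEW"}
    for p in (ping, ssh, https):
        print(p["proto"], p.get("dport", p.get("icmp_type")), "->", verdict(p))
```

Port 443 matches nothing in INPUT, is handed to the ICMP chain, hits RETURN there, and then falls off the end of INPUT onto the DROP policy.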
This concludes the OpenStack-related part (the screenshots of the OpenStack rule chains are omitted here); anyone interested can read the nat section in the next chapter.
This article is from the "Thick tak" blog; reprinting is declined!
Linux security: the iptables firewall in detail (1)