Linux under Firewall learning

1, the firewall shallow solution
The biggest advantage of iptables is that stateful firewalls can be configured, and firewalls with connection tracking are known as stateful firewalls, which are more secure than non-stateful firewalls because of the ability to write more rigorous security filtering policies.
Stateful firewalls can specify and remember the connection state that is established for sending or receiving packets, and the firewall is able to obtain that information from the connection tracking state of the packet. These state information used by the firewall can increase its efficiency and speed when deciding to filter new packets. There are four valid states: Established, INVALID, new, and related.
Established: means that the packet belongs to an established connection that is used to send and receive packets and is fully valid.
INVALID: The packet is not associated with any known stream or connection and may contain incorrect data or headers.
NEW: The packet has been or is about to be started, or it is associated with a connection that has not yet sent and received the packet.
Related: Indicates that the packet is starting a new connection, or that it is associated with an established connection.

2, Firewall basic syntax
For datagrams, there are two types of flow:
Prerouting? FORWARD? Postrouting (NAT router)
Prerouting? INPUT? Native output? Posrouting (host firewall)
Iptables will use different rules tables based on different packet processing capabilities. The main one is the following three:
Filter table: The default table that contains the true firewall rules. Built-in rule chains are: INPUT, OUTPUT, FORWARD
Nat table: Contains the rules used by the source address, destination address, and port translation. Built-in rule chains are: Prerouting, OUTPUT, postrouting
Mangle table: Contains rules for setting special packet routing flags that are checked by the rules in the filter table. The built-in rule chains are: Prerouting, INPUT, FORWARD, OUTPUT, postrouting.
Five rule chains:
Input chain: When a packet is determined to be a native system by a route calculation in the kernel, it is checked by the input chain
Output chain: Data packets reserved for the system itself
Forward chain: Packets routed through the Linux system
Prerouting chain: Used to modify the destination address (DNAT)
Postrouting chain: Used to modify the source address (SNAT)

The detailed syntax is as follows:
iptables [-t table name] <-a| D | I | r> chain name [rule number] [-i | o network card name] [-P protocol type] [-s Source address | source subnet] [--sport source port number] [-D Destination IP address | target subnet] [--dport destination port number] <-j action >

Parameter description:
[-t table name]: Defines which table the default policy will be applied to. Default is filter table not specified
-A: Add a rule to the list of rules,
-I: Insert a rule, you can specify the insertion position, no default is inserted before the first rule
-D: Delete the rule, which can be described with the complete rule, or with the rule number
-R: Replace a rule without changing the order of rules, but you must specify the replacement rule number
-L: Show firewall rules, do not specify default view filter table
-V: Show more information
-N: Displays the IP and port in digital form. Generally with-V
-F: Delete all rules in the specified table
-X: Delete the custom empty chain, if there are rules in the chain, you cannot delete
-Z: Zeroing the packet counters and traffic counters in the specified table
-P: Set Default Policy

Actions and instructions for handling packets:
Accept: Receive Packets
Drop: Drop Packet
REJECT: Intercepts the packet and notifies the other party that the packet is being sent back
REDIRECT: Re-steering a packet to a port on the local or another host
SNAT: Changing the packet source address
DNAT: Change Packet Destination Address
Masquerade:ip camouflage, only for ADSL and other dial-up network camouflage, if the host's IP address is static fixed, it is necessary to use Snat
LOG: Logging function to log data packets that conform to the rules in the journal to analyze troubleshooting

Practical Exercises:
Note: The firewall rules for the add-and-revise at the command line will expire after the server restarts, want to permanently and effectively write to the/etc/sysconfig/iptables file, and then restart the firewall. In the command line, service iptables save.
View:

View Filter table by default

View the rules within a chain in a table

Additions and deletions to check and change:
Iptables-a INPUT DROP
Discard all packets that will enter your host
Iptables-a input-m State--state new-j DROP
Discard all packets that have entered your host State as new and do not contain packets with established and related states. That is, no longer allow other machines to initiate connections to your host, but your host can actively connect to other machines, but only to connect
Iptables-a input-m State--state established,related-j ACCEPT
With this rule, the data generated by the connection of established and related are allowed to pass
Add to:

Delete:

Insert:

Modify:

After modification:

More detailed rules-writing
Iptables-a input-s 192.168.12.13-p tcp-dport 22-j ACCEPT
Indicates that only machines with IP address 192.168.12.13 are allowed to SSH to this machine
Limit a certain amount of IP can be used: 192.168.12.0/24, said, 192.168.12.1-255 this range of IP are limited to or not SSH connection to the machine

Using these basic Firewall knowledge, write a iptables script to realize that others can't ping themselves, but they can ping someone else's function:

9-13 rows: Use the modprobe command to load some Ip,iptables related modules in the kernel
15-16 rows: Set the default policy for all rule chains to drop
19: Set allow local loopback data to be received
20: Set the data that is sent to the native for connections that are allowed to receive states of established and related
21: Set allow to receive data from 22, 80 ports
22: Set the Allow to receive reply messages from the ping command. This confidential ping other host, other main opportunity to send a confirmation message, our host to receive and reply to confirm can ping through
24-27: Same as 19-22, but the target is the output chain.

In the ICMP protocol, Icmp-type is 8 for ping request, ping requests, imcp-type for Echo Relay, echoing reply, ICMP is also a TCP/IP and three handshake, in the code above, The machine can constantly send requests to ping others to receive the echo from the ping host at the same time, that can ping, but in the output chain is not set to send Echo relay, other hosts Ping the machine received no response, The three-time handshake was unsuccessful and the ping failed to execute.
In fact, under the Linux system, no ping has a simpler operation, here in order to use the firewall implementation so that the above content:
Disable ping operation:
Echo 1 >/proc/sys/net/ipv4/icmp_echo_ignore_all
Sysctl-p
The above two operations can achieve the same functionality as the above code.

Rule extensions:
Iptables-a input-s 10.0.10.0/24-d 10.0.10.62-p tcp-m State--state new-m multiport--dport 21,22,80-j ACCEPT
Multi-port rule matching: Use the parameter-M multiport to specify a non-contiguous port within 15
The port matched to the above example is all released
Iptables-a input-s-m iprange--src-range 10.0.10.100-10.0.10.200
--dst-range: Destination IP segment
Specifies that contiguous IP segments are matched
Iptables-a input-s 10.150.133.141-d 10.18.8.193-p ICMP--icmp-type 8-m limit--limit 20/min--limit-burst 5-j ACCEPT
Limit the number of ping packets that can be sent for an ICMP one connection
--limit: Limit the incoming speed of a specified package
The above example is used to compare: whether the average traffic per minute exceeds 20 packets a time. There are/second per second,/hour per hour,/day every day.
--limit-burst: Limit the spikes that a particular package is passing in instantaneously
The above example is used to exceed 5 packets at a time, and packets exceeding this limit will be discarded directly.

Linux under Firewall learning