Linux iptables firewall architecture

Source: Internet
Author: User
netfilter/iptables lets you install, maintain and inspect the kernel's packet-filtering rules. Its built-in tables are filter (INPUT, FORWARD, OUTPUT), nat (OUTPUT, PREROUTING, POSTROUTING) and mangle (OUTPUT, PREROUTING).

Linux iptables firewall architecture

netfilter/iptables lets you install, maintain and inspect the kernel's packet-filtering rules.

Its built-in tables and chains are:

Filter table    INPUT    FORWARD      OUTPUT

NAT table       OUTPUT   PREROUTING   POSTROUTING

Mangle table    OUTPUT   PREROUTING   (packet header modification; from kernel 2.4.18 on, mangle also has INPUT, FORWARD and POSTROUTING)

When learning iptables, you must first understand what a chain is.

Every packet passes through the built-in chains of these tables on its way to its destination, and a chain is the list of rules that is checked at one of those points.

Put simply, a chain is an ordered list of rules that a packet is checked against at a fixed point in the packet path. The rules are defined by the administrator, and a chain can hold any number of them; the first matching rule with a terminating target decides the packet's fate.

Which chains exist depends on the table, and the chain decides where in the packet path its rules are evaluated:

In the filter table there are three chains: INPUT, FORWARD and OUTPUT

Inbound to this host / forwarded through this host / outbound from this host

In the nat table there are three: PREROUTING, POSTROUTING and OUTPUT

Before the routing decision / after the routing decision / locally generated packets, before routing

The following are the main parameters, but iptables is not difficult to learn. The key is to understand how tables and chains fit together.

Once you understand what a chain is and which chains a packet passes through, work through a few examples written by others and write a few of your own, and iptables is really simple.

Checking the service (all iptables commands need root):
# service iptables status

The general syntax of the iptables command is:

iptables [-t table] command [chain] [match options] [-j target]

The practical tutorial is as follows:
1. Basic iptables tutorial
Establishing rules and chains
Rules control the filtering of packets by telling the firewall what to do with packets from a given source, to a given destination, or of a given protocol. The iptables command provided by the netfilter/iptables system creates these rules and adds them to a chain in a packet-filtering table in kernel space. The general syntax for adding, removing and editing rules is:
$ iptables [-t table] command [match] [target]
Table
The [-t table] option selects a table other than the default. A table is a packet-filtering table containing chains and rules that handle one kind of processing. Three tables are available: filter, nat and mangle. The option is not required; if it is omitted, the filter table is used.
The filter table is used for filtering packets; it contains the INPUT, OUTPUT and FORWARD chains. The nat table is used for network address translation; it contains the PREROUTING, OUTPUT and POSTROUTING chains. The mangle table is used when the packet or its header is to be modified; it holds rules that mark packets for advanced routing and has the PREROUTING and OUTPUT chains (and, in kernels from 2.4.18 on, INPUT, FORWARD and POSTROUTING as well).
Note: the PREROUTING chain holds rules that change a packet as soon as it arrives at the firewall, and the POSTROUTING chain holds rules that change a packet just as it is about to leave the firewall.
Command
The command part is mandatory and is the most important part of an iptables invocation. It tells iptables what to do, such as inserting a rule, appending a rule to the end of a chain, or deleting a rule. Chain names are case sensitive (INPUT, not input). The most common commands are:
-A or --append: appends a rule to the end of the chain.
Example:
$ iptables -A INPUT -s 205.168.0.1 -j ACCEPT
This appends a rule to the end of the INPUT chain that ACCEPTs packets from the source address 205.168.0.1.
-D or --delete: deletes a rule from the chain, identified either by repeating the rule specification exactly or by its position number in the chain. The following shows both methods.
Example:
$ iptables -D INPUT -p tcp --dport 80 -j DROP
$ iptables -D OUTPUT 3
The first command deletes the rule in the INPUT chain that DROPs packets to TCP port 80 (the specification must be repeated exactly, including -p tcp, which --dport requires). The second command deletes rule number 3 from the OUTPUT chain.
-P or --policy: sets the default target of a built-in chain, that is, its policy. Every packet that matches no rule in the chain is handled by the policy.
Example:
$ iptables -P INPUT DROP
This sets the default target of the INPUT chain to DROP, so any packet that matches no rule in INPUT is discarded. Set the policy only after the rules that allow your own management traffic (for example SSH) are in place, or you will lock yourself out of a remote machine.
-N or --new-chain: creates a new user-defined chain with the given name.
Example:
$ iptables -N allowed-chain
-F or --flush: deletes all rules in the named chain or, if no chain is named, all rules in every chain of the table. Use it for a quick reset. It does not change chain policies, so flushing while a DROP policy is in place leaves everything blocked.
Example:
$ iptables -F FORWARD
$ iptables -F
-L or --list: lists the rules in the named chain (or in all chains if none is named). Add -n to skip DNS lookups and --line-numbers to show rule positions.
Example:
$ iptables -L allowed-chain
Match
The optional match part of an iptables command specifies the characteristics a packet must have to match the rule (source and destination addresses, protocol, and so on). There are two kinds of matches: generic matches and protocol-specific matches. This section covers the generic matches, which apply to packets of any protocol. The important and commonly used generic matches are:
-p or --protocol: matches one protocol, such as tcp, udp, icmp, or all (the default, matching every protocol). A rule takes a single protocol; iptables does not accept a comma-separated list, so matching both TCP and UDP takes two rules. The ! symbol negates the match.
Example:
$ iptables -A INPUT -p tcp
$ iptables -A INPUT -p udp
$ iptables -A INPUT ! -p icmp
The first two rules together match all TCP and UDP packets. The third matches every protocol except ICMP; that includes TCP and UDP but also anything else, so it is not equivalent to the first two. Older iptables releases wrote the negation as -p ! icmp; current ones put the ! before the option.
-s or --source: matches the source IP address of the packet. It accepts a single address or a network in CIDR notation, and the ! symbol negates the match. If omitted, any source address matches.
Example:
$ iptables -A OUTPUT -s 192.168.1.1
$ iptables -A OUTPUT -s 192.168.0.0/24
$ iptables -A OUTPUT ! -s 203.16.1.89
The second rule matches packets from any address in 192.168.0.0/24, that is, 192.168.0.0 through 192.168.0.255. The third matches packets from any source except 203.16.1.89.
-d or --destination: matches the destination IP address of the packet, with the same single-address, network and ! forms as --source.
Example:
$ iptables -A INPUT -d 192.168.1.1
$ iptables -A INPUT -d 192.168.0.0/24
$ iptables -A OUTPUT ! -d 203.16.1.89
Target
The target is the action the rule takes on packets that match it. Besides user-defined chains, which can themselves be jumped to, there are many built-in targets. The common ones, with examples, are:
ACCEPT: a packet that matches a rule with the ACCEPT target is accepted (allowed to continue to its destination) and stops traversing this chain, although it may still traverse chains in other tables and be dropped there. Specified as -j ACCEPT.
DROP: a packet that matches a rule with the DROP target is silently discarded and not processed further. Specified as -j DROP.
REJECT: works like DROP but also sends an error back to the sender (an ICMP port-unreachable message by default, or a TCP RST with --reject-with tcp-reset), so the client does not sit on a hanging socket waiting for a timeout. Which is better depends on the situation: REJECT is friendlier to legitimate clients on an internal network, while DROP gives a scanner on the Internet no response to work with. Specified as -j REJECT.
Example:
$ iptables -A FORWARD -p tcp --dport 22 -j REJECT
RETURN: a packet that matches a rule with the RETURN target stops traversing the chain containing the rule. In a user-defined chain, traversal continues in the calling chain after the rule that jumped; in a built-in chain such as INPUT, the chain's policy is applied. Specified as -j RETURN (or --jump RETURN). Example:
$ iptables -A FORWARD -d 203.16.1.89 -j RETURN
There are many other targets for more advanced rules, such as LOG, REDIRECT, MARK and MASQUERADE (the MIRROR target found in older guides has been removed from modern kernels).
Saving rules
You now know how to create rules and chains and how to add them to and delete them from the packet-filtering tables. Remember, though, that rules created this way live only in the running kernel and are lost when the system reboots. Once you have a correct, working rule set that you want back after a reboot, save it to a file with iptables-save:
$ iptables-save > iptables-script
All rules in the packet-filtering tables are now saved in the file iptables-script. You can reload them from that file at any time with iptables-restore:
$ iptables-restore < iptables-script
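The commands above are typed one at a time, and the save/restore step points at the better way to manage them: write the whole rule set in the format iptables-save produces and load it atomically with iptables-restore, so the DROP policy and the rule that keeps your SSH session alive take effect at the same instant. The script below is an added example, not code from the original page. It reuses the user-defined chain allowed-chain from the -N example and assumes a management network of 192.168.0.0/24 and SSH on port 22 (neither is from the page). The check function catches the two mistakes that most often lock an administrator out: a chain referenced but never declared, and a DROP policy with no rule admitting management traffic.

```shell
#!/bin/sh
# Added example, not code from the original page: build a host firewall as
# an iptables-restore file rather than typing iptables commands one by one.
# iptables-restore loads the file atomically, so the DROP policy and the
# rules that admit management traffic take effect in the same instant.
# Assumed values (not from the page): management network and SSH port.
ADMIN_NET="192.168.0.0/24"
SSH_PORT=22

# Print the filter table in iptables-save format: chain declarations with
# their policies first, then the rules in the order they will be evaluated.
build_filter_table() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:allowed-chain - [0:0]
# Loopback and replies to connections this host opened are accepted first.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Echo requests are rate-limited instead of dropped outright; the excess
# falls through to the logging rule below.
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
# New TCP connections are handed to the user-defined chain. A packet it
# does not ACCEPT hits RETURN and continues in INPUT below the jump.
-A INPUT -p tcp --syn -j allowed-chain
-A allowed-chain -p tcp --dport ${SSH_PORT} -s ${ADMIN_NET} -j ACCEPT
-A allowed-chain -p tcp --dport 80 -j ACCEPT
-A allowed-chain -j RETURN
# LOG is non-terminating, so it must precede DROP; the limit keeps a flood
# from filling the log. The final DROP is explicit so the rule set stays
# complete even if someone later changes the policy.
-A INPUT -m limit --limit 3/minute -j LOG --log-prefix "iptables-drop: "
-A INPUT -j DROP
COMMIT
EOF
}

# Checks that catch the usual lockout mistakes before the file is loaded:
# INPUT must have a DROP policy, an SSH accept must exist, and every chain
# that rules are appended to must be declared. Returns 0 when all pass.
check_ruleset() {
  ruleset=$(build_filter_table)
  printf '%s\n' "$ruleset" | grep -q '^:INPUT DROP' || return 1
  printf '%s\n' "$ruleset" | grep -q -- "--dport ${SSH_PORT} .*-j ACCEPT" || return 2
  for chain in $(printf '%s\n' "$ruleset" | awk '/^-A/ { print $2 }' | sort -u); do
    printf '%s\n' "$ruleset" | grep -q "^:${chain} " || return 3
  done
  return 0
}
```

Write the output to a file and parse it without applying it with iptables-restore --test file; if that succeeds, iptables-restore < file replaces the running filter table in one step. Because the LOG rule precedes the final DROP and LOG does not end traversal, every refused packet is logged (rate-limited) and then dropped; appending LOG after DROP would never log anything.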

 
2. Creating a personal firewall (a worked instance)
 
   This part follows an example published by someone else, but adds a concrete test and corrects its mistakes.
Using the iptables command on Linux to create a personal firewall (kernel 2.4 and later)
Note: iptables is the userland tool for the netfilter framework that first shipped in the 2.4 kernel series (2.2 kernels use ipchains instead). Run uname -r to check the kernel version before continuing this exercise.
1. Start Linux and log on as root. Verify that this system can reach other systems on the network.
2. Check that the iptables module and command are installed:
 Host # rpm -qa | grep iptables
  iptables-1.2.9-90
 If the iptables RPM is not installed, obtain it from www.rpmfind.net. Make sure that the kernel in use is 2.4 or later.
3. To block ICMP from all hosts, run:
 Host # iptables -I INPUT -i eth0 -p icmp -s 0/0 -d 0/0 -j DROP
 Note: this adds a rule that drops ICMP packets from any source (-s 0/0) to any destination (-d 0/0) arriving on eth0.
In this command -I inserts the rule at the top of the chain (unlike -A, which appends at the bottom), and the lowercase -i names the input interface. The chain must be written INPUT, not input: chain names are case sensitive.
4. Now log the rejected packets as well:
 Host # iptables -I INPUT -i eth0 -p icmp -s 0/0 -d 0/0 -j LOG
Because -I inserts at the top, the LOG rule now sits above the DROP rule. That order matters: LOG is non-terminating, so a packet is logged and then continues to the DROP rule. If LOG had been appended below DROP it would never be reached.

5. Ping the first system from another system. No reply is received and ping keeps reporting the missing responses. Leave it running (do not press Ctrl+C) so that you can watch the output change in the later steps.
6. List all chains on both systems:
 Host # iptables --line-numbers -nL
You will see that the INPUT chain contains the ICMP rules just created, each prefixed with its line number. This option is helpful when the rule list is long; -n prints addresses and ports numerically instead of resolving them.
7. On the system that has the rules, flush all rules from the filter table (this removes the ICMP rules from INPUT):
 Host # iptables -F
8. After the chains are flushed, you will be able to ping the host again. Verify with iptables -nL that all tables and chains have been flushed.
9. Verify that a Web server is running on the second system and that the first system can load a page from it. Then, to block all Web traffic to that server, run the following on the second system (LOG is again inserted last so that it ends up above DROP):
Host # iptables -I INPUT -i eth0 -p tcp -s 0/0 -d 0/0 --dport 80 -j DROP
Host # iptables -I INPUT -i eth0 -p tcp -s 0/0 -d 0/0 --dport 80 -j LOG
Added: when Apache is installed from source on Linux its default path is /usr/local/apache2; create an index.html file in its document-root directory and open the server's IP address in a browser on another machine to view the page.
10. Use a Web browser, such as Lynx, on the first system to access the second system's Web server; the request now hangs until it times out.
11. Add the following rules for FTP on either system:
Host # iptables -I INPUT -i eth0 -p tcp -s 0/0 -d 0/0 --dport 21 -j DROP
Host # iptables -I INPUT -i eth0 -p tcp -s 0/0 -d 0/0 --dport 21 -j LOG

12. After adding the rules, watch the kernel log output:
Host # tail -f /var/log/messages
13. Now test the rule with an FTP client:
> Start the Serv-U FTP server on the Windows machine
> Type ftp in the shell to get the ftp> prompt
> Enter open hostname port
> Enter the username
> Enter the password
> Enter get followed by a file name
After deleting these rules, repeat the test and compare how the output differs.
14. You will see a log line for each packet received. Working with the remote system, test whether the system logs ICMP and TCP packets to port 80 in the same way.
15. List the rules you created, then delete the FTP rule. For example, if the FTP rule is the third rule, enter:
 Host # iptables -D INPUT 3
16. Before flushing all rules, save the existing rules to a text file:
 Host # iptables-save > iptablesrules.txt
17. On each system, when you are finished, delete all rules with iptables -F. If this step is skipped, the leftover rules may cause problems in later work.
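Steps 12 to 14 have you watch /var/log/messages by eye. As an added example that is not part of the original page, the following script summarises the LOG output the way you would once the log is too long to read: it counts logged packets per source, protocol and destination port, and prints (without running) the -I INPUT block rules for any source over a threshold. The log lines are constructed to look like the kernel's LOG format and the addresses are assumed; they are not a real capture.

```shell
#!/bin/sh
# Added example, not code from the original page: summarise what the LOG
# rules of the lab firewall record in /var/log/messages.
# The lines below are constructed in the kernel LOG format (not a real
# capture); the hosts 192.168.0.20, 192.168.0.10 and 10.0.0.5 are assumed.
SAMPLE_LOG=$(cat <<'EOF'
Mar  3 10:15:01 host kernel: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=192.168.0.20 DST=192.168.0.10 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=ICMP TYPE=8 CODE=0 ID=4321 SEQ=1
Mar  3 10:15:02 host kernel: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=192.168.0.20 DST=192.168.0.10 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=12346 DF PROTO=ICMP TYPE=8 CODE=0 ID=4321 SEQ=2
Mar  3 10:15:10 host sshd[2211]: Accepted publickey for root from 192.168.0.10 port 51234 ssh2
Mar  3 10:15:20 host kernel: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=192.168.0.20 DST=192.168.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=45678 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:21 host kernel: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=192.168.0.20 DST=192.168.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=45678 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:23 host kernel: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=192.168.0.20 DST=192.168.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=45679 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:16:05 host kernel: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:11:22:33:08:00 SRC=10.0.0.5 DST=192.168.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=33000 DPT=21 WINDOW=64240 RES=0x00 SYN URGP=0
EOF
)

# Read log lines on stdin and count logged packets per
# "SRC PROTO DPT". ICMP has no port, so its TYPE is reported instead.
# Lines that are not kernel LOG output (no "kernel:" and "IN=") are skipped.
summarize_firewall_log() {
  awk '
    /kernel:/ && /IN=/ {
      src = ""; proto = "?"; port = "-"
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "SRC") src = kv[2]
        else if (kv[1] == "PROTO") proto = kv[2]
        else if (kv[1] == "DPT") port = kv[2]
        else if (kv[1] == "TYPE") port = "type" kv[2]
      }
      if (src != "") count[src " " proto " " port]++
    }
    END { for (k in count) print count[k], k }
  ' | sort -rn
}

# Read the summary on stdin and print a block rule for every source whose
# total logged packets reach the threshold given as $1. The commands are
# printed, not executed, so they can be reviewed first; -I puts them at
# the top of INPUT, ahead of any ACCEPT rules.
suggest_blocks() {
  awk -v limit="$1" '
    { total[$2] += $1 }
    END {
      for (s in total)
        if (total[s] >= limit) print "iptables -I INPUT -s " s " -j DROP"
    }
  '
}
```

On a real host you would run tail -n 1000 /var/log/messages | summarize_firewall_log. A LOG rule without --log-prefix produces exactly the lines above, so once several LOG rules exist you cannot tell which one fired; giving each rule a distinct prefix fixes that.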

 


 

