Netfilter/iptables Firewall

Source: Internet
Author: User
Tags save file stateful firewall


"51CTO exclusive feature" Linux system administrators have been exposed to netfilter/iptables, this is the Linux system comes with a free firewall, the function is very powerful. In the following "Netfilter/iptables Firewall Framework" series, 51CTO security/linux experts Li Yang will be netfilter/iptables for detailed, organized introduction. This article is the basic article, first introduces the principle of netfilter/iptables framework.

1, Netfilter/iptables Framework Introduction

The netfilter/iptables can fine-tune the incoming and outgoing information, and can operate well on a low-profile machine, and is considered the fourth-generation application that implements packet filtering functionality in Linux. The netfilter/iptables is included in the kernel after Linux 2.4, enabling the ability to partition firewalls, NAT (network address translation), and data packets. NetFilter work inside the kernel, while iptables is the table structure that lets the user define the rule set. The netfilter/iptables evolved from IPChains and IPWADFM (IP Firewall Management) and are more powerful.

The iptables described here is a successor to the IPChains, but with greater extensibility. The kernel module can register a new rule table (table) and require that the packet flow through the specified rule table. This packet selection is used to implement datagram filtering (filter table), Network address translation (NAT table), and datagram processing (mangle table). The three types of datagram processing provided by the Linux 2.4 kernel and above are based on the NetFilter hook function and the IP table, all of which are separate modules that are perfectly integrated into the framework provided by NetFilter, as shown in 1. NetFilter provides the following three functions:

    1. Packet filtering: The filter table does not modify the datagram, but only filters the datagram. One aspect of iptables better than IPChains is that it is much smaller and faster. It is through the hook function nf_ip_local_in, Nf_ip_forward and Nf_ip_local_out access NetFilter framework.
    2. The Nat:nat table listens for three netfilter hook functions: nf_ip_pre_routing, Nf_ip_post_routing, and Nf_ip_local_out. The nf_ip_pre_routing implements the address translation of the source address that needs to forward the datagram, while the Nf_ip_post_routing addresses the destination address of the datagram that needs to be forwarded. The conversion of the destination address for the local datagram is implemented by Nf_ip_local_out.
    3. Datagram Processing: The mangle table is registered in the nf_ip_pre_routing and nf_ip_local_out hooks. Using the Mangle table, you can make changes to the datagram or attach some takeaway data to the datagram. The current Mangle table supports modifying the TOS bit and setting the Nfmard field of the SKB.

Figure 1 Netfilter/iptables Frame structure

According to the actual situation, the flexible use of the netfilter/iptables framework, the creation of corresponding firewall rules can be easily and efficiently block some network attacks and illegal datagrams (see Figure 2, the working principle). However, due to the configuration of firewalls, such as FTP, QQ, MSN and other protocols and software can not be used or some features are not working properly, it may also cause RPC (Remote procedure Call) can not be executed, which requires the user to configure the appropriate service agent according to the actual situation to open these services. It is important to note that firewalls can also be internally attacked, that they are not omnipotent and require a combination of other safeguards. Insiders may be dissatisfied with the firewall and possibly attack and destroy them because they cannot browse messages via Telnet or use FTP to send out information. Moreover, the target of the attack is often the operating system running on the firewall or firewall, which greatly harms the security of the firewall system and even the critical information system.

Figure 2 schematic diagram of netfilter/iptables frame operation

2, Iptables basic principle

Rules control packet filtering by providing the firewall with instructions on what to do with packets from a source, to a destination, or to a specific protocol type. By using the special command iptables provided by the Netfilter/iptables system, these rules are established and added to the chain within a particular packet filter table in the kernel space. The general syntax for commands to add/remove/edit rules is as follows:

iptables [-t table] command [match] [target]

It is not difficult to see that a iptables rule consists of the following 4 basic elements:

    1. Table
    2. Command
    3. The
    4. Goal

1) tables (table)

The [-t table] option allows you to use any table other than the standard table. A table is a packet filter table that contains rules and chains that handle only certain types of packets. There are three table options available: Filter, Nat, and mangle. This option is not required, and if not specified, filter is used as the default table. The filter table is used for general packet filtering, including input, output, and Forwar chains. The NAT table is used for packets to be forwarded, which contains prerouting, output, and postrouting chains. If any changes are made to the packet and its head, the mangle table is used. The table contains rules for tagging packets for advanced routing as well as prerouting and output chains.

2) Order (command)

The command section is the most important part of the iptables command, which tells the iptables command what to do, such as inserting a rule, adding a rule to the end of a chain, or deleting a rule. The main commands are shown in table 1.

Table 1 iptables Common commands

life  & nbsp;  say    
-A or--append the command attaches a rule to the end of the chain
-D or--delete removes the rule from the chain by specifying the rule to match or by specifying the position number of the rule in the chain
-P or--policy This command sets the default target for the chain, which is the policy. All packets that do not match any rule in the chain will be forced to use this chain's policy
-N or--new-chain create a new chain with the name specified in the command
-F or--flush If you specify a chain name, the command deletes all rules in the chain, and if you do not specify a chain name, the command removes all rules from all chains. This parameter is used to quickly clear
-L or--list list all rules in a specified chain
-R or--replace Replace a matching rule in the specified chain
-X or--delete-chain deletes the defined chain for the specified user, and removes all user chains if no chain is specified
-C or--check Check if the packet matches the rules for the specified chain
-Z or--zero to specify a byte counter for all rules in the chain 0

3) matching (match)

The optional Match section of the iptables command specifies the characteristics (such as source and destination addresses, protocols, and so on) that packets should have to match the rule. The match is divided into two main categories: generic matching and protocol-specific matching. Here, you will look at the generic matching of packets that can be used with any protocol. Here are some important and common common matches and their descriptions, as shown in table 2.

Table 2 General matching instructions

Generic match Description
-P or--protocol This generic protocol match is used to check for certain protocols. Examples of protocols are TCP, UDP, ICMP, a comma-delimited list of any of these three Protocols, and all (for all protocols). All is the default match. You can use it! The symbol indicates that the item does not match
-S or--source This source match is used to match packets based on their source IP address. The match also allows a range of IP addresses to be matched, using the! symbol, which indicates that the item does not match. The default source match matches all IP addresses
-D or--destination This destination match is used to match packets based on their destination IP address. The match also allows a range of IP addresses to be matched, and can be used! The symbol indicates that the item does not match
--sport Specify the source port or port range of the matching rule
--dport Specify the destination port or port range for the matching rule
-I. Match individual network interfaces or some type of interface setting filtering rules

4) goal (target)

As already mentioned, the target is the action specified by the rule, which performs these operations on packets that match those rules. In addition to allowing user-defined targets, there are many target options available. Here are some common goals and their examples and descriptions, as shown in table 3.

Table 3 Target Item description

Target Item Description
ACCEPT When the packet matches the rule with the accept target exactly, it is accepted (allowing it to go to the destination)
DROP When the packet matches the rule with the drop target exactly, it blocks the packet and does not further process it. The target is designated as-j DROP
REJECT The target works the same way as the drop target, but it is better than drop. Unlike drop, reject does not leave dead sockets on both the server and the client. Additionally, reject sends the error message back to the sender of the packet. The target is designated as-j REJECT
RETURN The return target set in the rule allows packets that match the rule to stop traversing the chain that contains the rule. If the chain is a primary chain such as input, the packet is processed using the default policy for that chain. It is designated as-jump RETURN
LOG Indicates that information about the package is recorded in the log
TOS The TOS value that represents the Overwrite packet

Next: In layman Netfilter/iptables Firewall Framework (introductory article)

Netfilter/iptables Firewall Framework (introductory article)


"51CTO exclusive feature" Linux system administrators have been exposed to netfilter/iptables, this is the Linux system comes with a free firewall, the function is very powerful. In this "in-depth Netfilter/iptables Firewall Framework" series, 51CTO security/linux expert Li Yang will be a detailed, organized introduction to Netfilter/iptables. Previous (basic) introduced the principle of netfilter/iptables, this article is an introductory chapter, introduces the installation, start-up and simple application of the Netfilter/iptables framework.

1. Installing and starting the Netfilter/iptables system

Because netfilter/ The NetFilter components of iptables are integrated with the kernel 2.4.x, and the high-version Linux is equipped with the NetFilter kernel tool, so it is generally not necessary to download and install the source code package for the Iptables User Space tool:/HTTP// Currently, the latest source code installation package is: IPTABLES-1.4.10.TAR.BZ2.

Before you start installing the Iptables User space tool, make some modifications to the system, with the following options for configuration modifications:

    1. Config_packet: This option is useful if you want to enable applications and programs to use certain network devices directly.
    2. Config_ip_nf_match_state: This option is important and useful if you are configuring a stateful firewall. Such firewalls will remember the previous decisions about packet filtering and make new decisions based on them.
    3. Config_ip_nf_filter: This option provides a basic packet filtering framework. If this option is turned on, a basic filter table (with built-in input, forward, and output chains) is added to the kernel space.
    4. Config_ip_nf_target_reject: This option allows you to specify that ICMP error messages should be sent in response to inbound packets that have been dropped, rather than simply killing those packets.

Install the source code package:

Unzip the source code file #bzip2-d iptables-1.4.10-tar.bz2#tar-xvf iptables 1.4.10.tar//switch directory #cd iptables 1.4.10//Compile the tool to specify that the compiled kernel directory is/ Usr/src/linux-2.6.4-8#make kernel_dir=/usr/src/linux-2.4.16-8//Execute the Make install command, also set the kernel directory to/usr/src/linux-2.6.4-8# Make install Kernel_dir=/usr/src/linux-2.6.4-8

Once the installation is complete, you can start the firewall:

Manually start the # service iptables start using the service command

If you want to start the Firewall service when the system starts, you can use the Setup command and then go to the System service option and select the Iptables daemon.

2, Iptables simple application

1) Basic Rule application

Here are some simple examples of using the framework theory to form rules for the reader to imitate and use in the actual application process:

(1) Accept all incoming packets from the specified IP address:

#iptables-A input-s ACCEPT

(2) Only accept packets from the specified port (service):

#iptables-D INPUT--dport 80-j DROP

(3) Allow forwarding of all packets to the local ( SMTP server:

#iptables-A forward-p tcp-d smtp-i eth0-j ACCEPT

(4) Allow forwarding of all UDP packets to the local (such as instant communication and other software-generated packets):

#iptables-A forward-p udp-d eth0-j ACCEPT

(5) Deny request packets to clients that are destined for the WWW server:

#iptables-A forward-p tcp-d www-i eth0-j REJECT

(6) Allow TCP packets for the specified port to enter:

#iptables-A input-p tcp-m multiport--destination-port 21,53,80,25,110 ACCEPT

(7) Allow incoming TCP packets from the source to the specified port:

#iptables-A input-p tcp-m multiport--source-port 21,53,80,25,110 ACCEPT

(8) Drop packets with the SYN and ACK flag position bits:

#iptables-A input-p tcp--tcp-flags all Syn,ack DROP

2) Debris detection and flow control

(1) Check IP fragmentation: In a TCP/IP network, the link layer has the Maximum Transmission Unit MTU, which limits the maximum length of the data frame, and has a maximum value for different network types. The MTU of the Ethernet is 1500. If the IP layer has packets to be transmitted, and the packet length exceeds the MTU, then the IP layer will be fragmented (fragmentation) operation of the packet, so that each piece is less than or equal to the MTU, the fragmented fragments become IP fragments. Then, if there is no special processing of IP fragments at the firewall, then it is possible that some of the IP fragments will be blocked by the firewall, thus affecting the receiving end of the restoration of these fragments, and ultimately affect the integrity of the information and usability issues, so the following example gives the firewall allowed IP fragmentation rules:

#iptables-A forward-p tcp-f-S ACCEPT

You need to pay special attention to the-f option in the above rule, which specifies that the second and future IP fragments will be handled by the firewall, otherwise, consider the following rule, the firewall may intercept its second and subsequent IP fragments, thus affecting the normal flow of information:

#iptables-A forward-p tcp-s ACCEPT

(2) Rate limit: Iptables provides a very robust rate control mechanism, which is mainly used to limit the number of packets that pass through the unit time in the outside, and a direct benefit of this is to suppress as many of the previously mentioned denial of service attacks or distributed denial of service attacks as possible. Because a very typical manifestation of these two attacks is that there are a lot of packets rushing to the destination within a unit of time. Therefore, we can use the following rules to limit the number of packets allowed through the firewall within a unit of time to enter the protected network:

#iptables-A input-m limit--limit 200/second#iptables-a input-m limit--limit 10000/minute

The above two rules limit the number of packets that pass within 1 seconds and 1 minutes, respectively, to no more than 200 and 10,000. Of course, in the actual application, can also be set through the time interval/second,/minute,/hour,/day, and, among them, such as 200 and 10000 of the specific value of the setting needs the user according to the specific circumstances and experience to set, there is no specified value to follow.

In addition, after setting the rate limit, you can also set a number of processing events triggered by the limit, such as direct discard. The following rule indicates that subsequent packets will be discarded directly when the rate exceeds the 200 limit:

#iptables-A input-m limit--limit-burst 200

Basic knowledge of Iptables-iptables packet forwarding process


iptables Packet forwarding process: How does the package go in iptables?

When a package enters or sends out or is forwarded, what is the basis? What tables and what chains will pass through?

There are three tables in the Iptabeles, respectively, Mangle,nat,filter, and when the rule table is not specified, the default is the FILTER table, which is indicated with-t if you want to add rule to other tables.

There is a table called mangle, the word is difficult to express, I can only write my understanding. This means that some of the transmission characteristics of the packet are modified, and the operations allowed in the Mangle table are TOS, TTL, MARK. In other words, as long as we see this word can understand its role in the future.

It is highly recommended that you do not make any filtering in this table, whether Dant,snat or masquerade.

Nat table is the address translation, can do dnat,snat, can do one-to-many, many pairs of conversion, the table has prerouting and postrouting two rules chain. Dnat operations are primarily used in situations where you have a legitimate IP address that redirects access to the firewall to other machines (such as the DMZ). In other words, we are changing the destination address so that the packet can be rerouted to a host. Snat Change the source address of the package, which can hide your local network or DMZ to a great extent. A good example is that we know the external address of the firewall, but we must replace the local network address with this address. With this operation, the firewall can automatically SNAT and de-snat the package (that is, the reverse SNAT) so that the LAN can connect to the Internet. If you use an address like, you won't get any response from the Internet. Because the IANA defines these networks (and others) as private, it can only be used inside the LAN. The role of Masquerade is exactly the same as Snat, except that the load on the computer is slightly more. Because for each matching package, Masquerade is looking for an available IP address, not the IP address that is configured as Snat. Of course, this is also good, that is, we can use the PPP, PPPOE, slip and other dial-up address, these addresses are randomly assigned by the ISP's DHCP

Filter table is our most commonly used, Iptables packet filter on this, the system is built by default three chain, Input,output and forward, this table is used for packet filtering processing (such as: Drop,accept,log,reject, Ulog, etc.), the basic rules are built into this table.

Note: The so-called chain is a collection of rules, you can also customize the chain

When the packet arrives at the firewall, if the MAC address matches, it is received by the appropriate driver in the kernel, and then a series of actions are taken to determine whether to send to the local program, or to the other machine, or something else.

Local-targeted iptables package (It's our own machine)

Step (step) Table (table) Chain (chain) Comment (note)

1 transmission on the line (e.g., Internet)

2 entering the interface (e.g., eth0)

3 Mangle prerouting This chain is used to Mangle packets, such as changing the TOS, etc.

4 Nat prerouting This chain is mainly used to make dnat. Do not worry about this chain, because in some cases the package will slip past.

5 route judgment, for example, Iptables packet is sent to the local, or to be forwarded.

6 Mangle INPUT After routing, Mangle the packet before being sent to the local program.

7 Filter INPUT all local-iptables packets go through this chain, and no matter where they come from, the filter conditions for these iptables packets are set here.

8 arrived at local program (for example, service program or client program)

Now let's see what steps the source address is for the package of the local device to go through:

Iptables Package with local source

Step Table Chain Comment

1 local programs (e.g., service programs or client programs)

2 route judgment, to use the source address, out of the interface, there are some other information.

3 mangle OUTPUT Here you can mangle the package. It is recommended not to filter here, there may be side effects oh.

4 Nat OUTPUT This chain dnat operations on packets emitted from the firewall itself.

5 Filter OUTPUT Filters the iptables packets sent locally.

6 mangle postrouting This chain is mainly after the package Dnat (translator Note: The author calls this one dnat the actual route, although there is a route in front. For a local package, once it has been generated, it must be handled by the routing code, but where the package is specifically to be processed by the NAT code before it can be determined. So call this the actual route. ), before leaving the local, to the Iptables package mangle. There are two types of packages that pass through here, the packets that the firewall itself produces, and the packets that are forwarded.

7 Nat Postrouting is doing snat here. But do not filter here, because there are side effects, and some iptables packets will slip past, even if you use the drop strategy.

8 Leaving the interface (for example: eth0)

9 Transmission on the line (e.g., Internet)

In this table there is a place to note that the packets emitted from this machine go through the output in NAT.

In this example, we assume that a iptables package is intended to be a machine in another network. Let's take a look at this iptables package journey:

Forward Iptables Package

Step Table Chain Comment

1 transmission on the line (e.g., Internet)

2 entering the interface (e.g., eth0)

3 mangle prerouting mangle packets, such as changing the TOS.

4 Nat Prerouting This chain is mainly used to make dnat. Do not worry about this chain, because in some cases the package will slip past. Will do Snat later.

5 The route is judged, for example, if the packet is destined for local or forwarded.

The 6 mangle FORWARD package continues to be sent to the FORWARD chain of the mangle table, which is very special for the case. Here, the bag is mangle (remember the meaning of mangle). This mangle occurs after the initial routing decision, before the purpose of the last change package (translator Note: is the following forward chain, because its filtering function, may change the destination of some packages, such as discarded packets).

The 7 filter FORWARD package continues to be sent to this FORWARD chain. Only packets that need to be forwarded will come here, and all filtering for those packages is also done here. Note that all the packets to be forwarded through here, whether outside the network to the intranet or intranet to the outside network. Take this into account when you write your own rules.

8 mangle postrouting This chain is also for some special types of packages (translator Note: Refer to the 6th step, we can find that in the forwarding package, the mangle table of the two chains are used in a special application). This step mangle is done after all changes to the destination address of the package have been completed, but the package is still local.

9 Nat Postrouting This chain is used to do snat, of course, including masquerade (camouflage). But do not filter here, because some packages will pass even if they do not meet the conditions.

10 leaving the interface (for example: eth0)

11 again on the line (for example, LAN)

As you can see, packages go through a lot of steps, and they could be blocked on any chain, or in any problematic place. All packets to be forwarded through the firewall go through the forward chain.

As can be seen from the table and figure above, the flow of the Iptables processing package is described as follows:

Input: Only the packet to this machine will be processed by INPUT, so it will let the packet from the internal network unconditional release, and from the external packet filtering, whether it is a response packet, if the release.

Prerouting: Packets that require forwarding processing are processed to do the translation of the destination IP (DNAT).

FORWARD: Both the source IP and the destination IP are not native, they are forwarded, all packets to be forwarded are handled here, and the filtering rules in this section are the most complex.

Postrouting: Before forwarding packets are sent, this is the same as the translation of the source IP (SNAT).

OUTPUT: Packets sent from this machine have this processing, usually releasing all packets.

From the top, for iptables, the decision is based on the IP address, which means that the IP address in the package determines the flow of a packet.

Entering the Forwrad will not enter input and output.

In the course of processing, if a rule is complied with, the handling action will be in addition to the Accept, REJECT, DROP, REDIRECT and Masquerade, as well as log, Ulog, DNAT, SNAT, MIRROR, QUEUE, RETURN, TOS , TTL, MARK, and so on.

We can use < iptables save File > Save the results to the specified file and then use < iptables restore file > Load the contents of the specified file, or write the script, then execute the script. I recommend using scripts because you can use shell programming to write powerful, flexible scripts. The forwarding process for the iptables package is here.

The solution of Iptables port forwarding function under Linux

The solution of iptables port forwarding function under Linux :

First from an example, said: There is one enterprise on a server software to do the test. Based on Win2K, the port number is 881, the server connects directly to the external network, and the client is accessed through the service IP. Excluding windows, if you are using Linux, then how to resolve the issue of iptables port forwarding. After data access, Iptables port forwarding function can be resolved, the following is the Linux iptables port forwarding function of the workaround:

Target: With port forwarding, when the server receives a 881 port request, it goes to and the data back to the request connection.

Eth0: Connect ADSL, i.e. Ppp0 interface

ETH1: Connect to Internal network, IP is is a Win2K server, and its port 881 provides network services.

Iptbles script:

    1. Iptables-t nat-a prerouting-p tcp-m tcp--dport 881-j DNAT--to-destination

Sending 881 requests to the port

    1. Iptables-t nat-a postrouting-s tcp-m tcp--dport 881-j SNAT--to-source; Returns A.B.B.D when the data source is from the same subnet, change its source address to, issued from eth0 and isolated in the connection tracking table A.B.C.D

From Ppp0, the data is sent by Ppp0.

Of course, don't forget to add a statement that allows 881 port access.

    1. Iptables–a input–p tcp–dport 881–i ppp0–j ACCEPT

Can not put the server in the local area, with port forwarding to achieve it? The answer is certainly, since can be 881 port forwarding, then 21,80 these ports more not talk, and many server software can customize the port, it is necessary to play, as long as there is a suitable port, It is possible to open an FTP server for each user of a LAN. Whatever service you want to implement can be, of course, based on port forwarding.

Lan is Win2K, provides WWW service, port is 800. Accessed through the server http://serverip:800.

    1. Iptables-t nat-a prerouting-p tcp-m tcp--dport 800-j DNAT--to-destination
    2. Iptables-t nat-a postrouting-s tcp-m tcp--dport 800-j SNAT--to-source
    4. Iptables–a input–p tcp–dport 800–i ppp0–j ACCEPT

Because it is based on port forwarding implementation, so the server only need to install a iptables to forward the data on the line, all services are done by the internal server, so that the Linux server is really a firewall, Linux under the Iptables port forwarding function is realized.

Netfilter/iptables Firewall

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.