Netfilter/iptables Full Guide

Source: Internet
Author: User

Contents
Introduction to Firewalls
Iptables Introduction
Iptables Foundation
The syntax of iptables
Iptables instances
The case explanation

Introduction to Firewalls
A firewall is a combination of components placed between networks or network security domains that strengthens the security of an organization's internal network. It applies access control to decide which internal services may be reached from outside and which external requests may reach internal services, and, based on the type of traffic, whether an IP packet may pass into or out of the intranet.
The firewall inspects every packet that passes through it and compares the packet against its filter rules one by one, in the order the rules are listed, until a rule matches; it then takes the action that rule prescribes. If no rule matches, the packet is discarded to keep the network secure.
A firewall can be thought of as a pair of mechanisms: one blocks traffic, the other allows traffic through. Some firewalls lean towards blocking traffic, others towards letting it flow.

A firewall protects vulnerable services, controls access between network systems, centralizes security for the intranet, reduces management cost, improves network confidentiality and privacy, and logs network usage to provide a basis for security planning and network maintenance. (Fig. 1)

Classification of firewalls
Firewall technologies can be classified in many ways according to how and what they protect, but they broadly fall into two types: packet-filtering firewalls and proxy servers.

How the Firewall works
1. How packet filtering firewalls work (Figure 2)

2. How proxy-service firewalls work
A proxy-service firewall implements the firewall function at the application layer. It keeps partial transport-level state and full application-level state, relays part of the transmitted information, and can inspect and manage that information.

Iptables Introduction
Netfilter/iptables (iptables for short) is the packet-filtering firewall of the Linux platform. Like most Linux software it is free, and it can replace an expensive commercial firewall solution, providing packet filtering, packet redirection and network address translation (NAT).

Iptables Foundation
A rule is a condition predefined by the network administrator, generally of the form "if the packet header meets this condition, handle the packet this way". Rules are stored in the packet-filtering tables of kernel space and specify the source address, destination address, transport protocol (such as TCP, UDP, ICMP) and service type (such as HTTP, FTP, SMTP). When a packet matches a rule, iptables processes it in the way the rule defines, such as accept (ACCEPT), reject (REJECT) or drop (DROP). The main task of configuring the firewall is to add, modify and delete these rules.
A chain is the path a packet travels; each chain is really a checklist of rules, and a chain may hold one or several rules. When a packet reaches a chain, iptables starts with the first rule in that chain and checks whether the packet meets the rule's conditions. If it does, the packet is processed as the rule defines; otherwise iptables moves on to the next rule, and if the packet matches none of the rules in the chain, iptables handles it according to the chain's default policy.
A table provides a specific function. iptables has four tables, the filter table, the nat table, the mangle table and the raw table, which implement packet filtering, network address translation, packet modification (mangling) and connection-tracking-related processing respectively.

iptables tables, chains, rules (Fig. 3)

How iptables passes packets
① When a packet enters through a network interface it first enters the PREROUTING chain, and the kernel decides from the packet's destination IP whether it has to be forwarded.
② If the packet is destined for this host, it moves down the diagram to the INPUT chain. After passing the INPUT chain it is delivered to the local process that is waiting for it. Packets sent by programs running on this host pass through the OUTPUT chain and then reach the POSTROUTING chain.
③ If the packet is to be forwarded and the kernel permits forwarding, it moves to the right through the FORWARD chain and then leaves via the POSTROUTING chain. (Fig. 4)

iptables command format

The iptables command format is fairly involved; the general form is:
iptables [-t table] command [chain] [rules] [-j target]
table: the table the command operates on
command: the operation applied to the chain
chain: the chain name
rules: the match conditions
target: the action to take
1. Table Options
The table option specifies which built-in table the command applies to; iptables provides the filter, nat, mangle and raw tables.
2. Command Options

Command description
-P or --policy <chain name> define the default policy
-L or --list <chain name> view the iptables rule list
-A or --append <chain name> add a rule at the end of the rule list
-I or --insert <chain name> insert a rule at the specified position
-D or --delete <chain name> remove a rule from the rule list
-R or --replace <chain name> replace a rule in the rule list
-F or --flush <chain name> delete all rules in the table
-Z or --zero <chain name> zero the packet and traffic counters in the table

3. Matching options
Match description
-i or --in-interface <interface name> the interface the packet arrives on, such as ppp0, eth0 or eth1
-o or --out-interface <interface name> the interface the packet leaves by, such as ppp0, eth0 or eth1
-p or --protocol <protocol type> the protocol to match, such as tcp, udp or icmp
-s or --source <source address or subnet> the source address to match
--sport <source port number> the source port to match; a range can be given as "start port:end port"
-d or --destination <destination address or subnet> the destination address to match
--dport <destination port number> the destination port to match; a range can be given as "start port:end port"

4. Action Options
Action description
ACCEPT accept the packet
DROP drop the packet
REJECT essentially the same as DROP, except that an error message is returned to the sender in addition to blocking the packet
SNAT source address translation, i.e. changing the source address of the packet
DNAT destination address translation, i.e. changing the destination address of the packet
MASQUERADE IP masquerading, the commonly mentioned NAT technique; MASQUERADE is only meant for IP masquerading on ADSL and other dial-up connections, where the host's IP address is assigned dynamically by the ISP. If the host's IP address is static, use SNAT.
LOG logging; records information about packets that match the rule in the logs for the administrator to analyze and troubleshoot

iptables command Format (Figure 5)

iptables filter conditions (Fig. 6)

The syntax of iptables

1. Define a default Policy
When a packet matches no rule in a chain, iptables handles it according to the chain's default policy, which is defined in the following format.
iptables [-t table name] <-P> <chain name> <action>
The parameters are described below.
[-t table name]: the table the default policy applies to; filter, nat and mangle can be used, and if no table is given iptables uses the filter table.
<-P>: defines the default policy.
<chain name>: the chain the default policy applies to; INPUT, OUTPUT, FORWARD, PREROUTING and POSTROUTING can be used.
<action>: the action taken on the packet; ACCEPT (accept the packet) or DROP (drop the packet).

2. View iptables rules
The command format for viewing iptables rules is:
iptables [-t table name] <-L> [chain name]
The parameters are described below.
[-t table name]: the table whose rule list is shown; filter, nat and mangle can be used, and if no table is given iptables shows the filter table.
<-L>: lists the rules of the specified table and chain.
[chain name]: the chain whose rule list is shown; INPUT, OUTPUT, FORWARD, PREROUTING and POSTROUTING can be used, and if no chain is given the rule lists of all chains in the table are shown.

3. Add, insert, delete, and replace rules
The format of a rule definition is:
iptables [-t table name] <-A | -I | -D | -R> <chain name> [rule number] [-i | -o interface name] [-p protocol type] [-s source IP address | source subnet] [--sport source port number] [-d destination IP address | destination subnet] [--dport destination port number] <-j action>
The parameters are described below.
[-t table name]: the table the rule applies to; filter, nat and mangle can be used, and if no table is given iptables uses the filter table.
-A: appends a new rule at the end of the rule list; a rule number cannot be used.
-I: inserts a rule; the rules from that position onwards move back one place, and if no rule number is given the rule is inserted before the first rule.
-D: deletes a rule from the rule list, either by giving the complete rule or by giving the rule number.
-R: replaces a rule in place without changing the order; the number of the rule to replace must be given.
<chain name>: the chain the rule applies to; INPUT, OUTPUT, FORWARD, PREROUTING and POSTROUTING can be used.
[rule number]: used when inserting, deleting and replacing rules; rules are numbered in the order of the rule list, and the first rule is number 1.
[-i | -o interface name]: -i gives the interface the packet enters through, -o the interface it leaves by. Interface names such as ppp0, eth0 and eth1 can be used.
[-p protocol type]: the protocol the rule applies to, including tcp, udp and icmp.
[-s source IP address | source subnet]: the IP address or subnet of the source host.
[--sport source port number]: the source port of the packet.
[-d destination IP address | destination subnet]: the IP address or subnet of the destination host.
[--dport destination port number]: the destination port of the packet.
<-j action>: the action taken on the packet; see the action table above for a description of each action.

4. Purge rules and counters
When creating a new rule set it is often necessary to clear the old rules so that they do not interfere with the new ones. Deleting many rules one by one is tedious, so iptables provides purge parameters that delete all rules at once.
The format is:
iptables [-t table name] <-F | -Z>
The parameters are described below.
[-t table name]: the table the command applies to; filter, nat and mangle can be used, and if no table is given iptables uses the filter table.
-F: deletes all rules in the specified table.
-Z: zeroes the packet and traffic counters in the specified table.
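The following script is an added example, not part of the original guide or of iptables itself, that puts the four syntax elements above to work for the server case listed later under Case 2 (SSH, DNS, WWW, FTP, EMAIL): it purges the old rules (-F, -Z), sets the default policies (-P), appends one accept rule per service (-A) and finally lists the result (-L). The port list, the conntrack and limit matches and the LOG rule are assumptions for a typical server, not something the guide specifies. With no argument the script only prints the commands it would run; as root, `sh server-firewall.sh apply` executes them.

```shell
#!/bin/sh
# Added example (not from the original guide): a stand-alone server firewall
# built with the -F/-Z, -P, -A and -L syntax described above.
# The service ports are an assumption for the guide's "SSH DNS WWW FTP EMAIL"
# server case; adjust them to the services the host actually runs.
set -eu

DRY_RUN="${DRY_RUN:-1}"                 # 1 = print the commands, 0 = run iptables
TCP_PORTS="22 53 80 443 21 25 110 143"  # assumed: ssh dns http https ftp smtp pop3 imap

# ipt: run iptables, or print the command line in dry-run mode
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

server_firewall() {
    # 4. purge old rules and counters so they cannot interfere with the new set
    ipt -F
    ipt -Z
    ipt -t nat -F

    # 1. default policies: drop what no rule accepts; outbound stays open
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # loopback traffic (the guide's "LO") must never be blocked
    ipt -A INPUT -i lo -j ACCEPT

    # replies to connections this host opened (Case 4, connection state)
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # a TCP packet that is "new" but not a SYN is not a real connection start
    ipt -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP

    # 3. one accept rule per published service; DNS also needs UDP
    for port in $TCP_PORTS; do
        ipt -A INPUT -p tcp --dport "$port" -j ACCEPT
    done
    ipt -A INPUT -p udp --dport 53 -j ACCEPT

    # allow ping so monitoring works, but rate-limit it
    ipt -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT

    # log what is about to fall through to the DROP policy; LOG does not
    # terminate the check, so the packet continues to the default policy
    ipt -A INPUT -m limit --limit 3/minute -j LOG --log-prefix "IPT-INPUT-DROP: "

    # 2. show the result with rule numbers
    ipt -L INPUT -n --line-numbers
}

# Default to a dry run; "apply" as the first argument executes the commands.
if [ "${1:-}" = "apply" ]; then
    DRY_RUN=0
fi
server_firewall
```

The order of the appended rules is the point to notice: the ESTABLISHED,RELATED rule comes first so that every later rule only ever sees new connections, and the LOG rule comes last because each rule is checked in list order until one matches, so anything that reaches it is exactly what the DROP policy is about to discard.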

Definition of NAT
NAT stands for Network Address Translation, an IETF standard that lets an organization appear on the Internet with one address. NAT translates the address of each LAN node into an IP address and vice versa. It is also used as a firewall technique: individual IP addresses are hidden from the outside, so outside hosts cannot reach internal network devices directly, and it lets a network get beyond the limits of its address space by arranging the use of public Internet addresses and private IP addresses sensibly.

Types of NAT

Static NAT
Static NAT is the simplest and easiest to implement: each host in the internal network is permanently mapped to a legitimate address in the external network.

Dynamic address NAT (pooled NAT)
Dynamic address NAT defines a pool of legitimate addresses in the external network and maps them to the internal network by dynamic allocation.
Dynamic address NAT is just a translation of IP addresses: each internal IP address is assigned a temporary external IP address. It is mainly used for dial-up, and dynamic NAT can also be used for frequent remote connections.

Network address port translation NAPT (port-level NAT)
NAPT maps internal addresses to different ports of one IP address on the external network.
It is the most familiar form of translation. NAPT is commonly used in access devices, which can hide a small or medium-sized network behind one legitimate IP address. Unlike dynamic address NAT, NAPT maps internal connections to a single IP address in the external network, adding a TCP port number chosen by the NAT device to the address.

Iptables instances

Prohibit clients from accessing unhealthy websites
Example 1 adds an iptables rule that prohibits users from accessing the website with the domain name www.sexy.com.
iptables -I FORWARD -d www.sexy.com -j DROP
Example 2 adds an iptables rule that prohibits users from accessing the website with the IP address 20.20.20.20.
iptables -I FORWARD -d 20.20.20.20 -j DROP

Prohibit certain clients from surfing the internet
Example 1 adds an iptables rule that prohibits the client with IP address 192.168.1.X from accessing the Internet.
iptables -I FORWARD -s 192.168.1.x -j DROP
Example 2 adds an iptables rule that prohibits all clients in the 192.168.1.0 subnet from accessing the Internet.
iptables -I FORWARD -s 192.168.1.0/24 -j DROP

Prohibit clients from accessing certain services
Example 1 prohibits all clients in the 192.168.1.0 subnet from downloading with the FTP protocol.
iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 21 -j DROP
Example 2 prohibits all clients in the 192.168.1.0 subnet from connecting to remote computers with the Telnet protocol.
iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 23 -j DROP

Force access to the specified site
Example forces all clients to access the web server 192.168.1.x.
iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.x:80

Prohibit the use of ICMP protocol
Example prevents computers on the Internet from pinging the ppp0 interface of the NAT server with ICMP, while computers on the intranet can still ping it.
iptables -I INPUT -i ppp0 -p icmp -j DROP

Publishing an internal network server
Example 1 publishes the web service of the intranet host 10.0.0.3; Internet users reach the host's web service by connecting to the IP address of the firewall.
iptables -t nat -I PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.0.0.3:80
Example 2 publishes the Terminal Services of the intranet host 10.0.0.3 (TCP port 3389); Internet users reach the host's Terminal Services by connecting to the IP address of the firewall.
iptables -t nat -I PREROUTING -p tcp --dport 3389 -j DNAT --to-destination 10.0.0.3:3389
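The one-line DNAT examples above are only half of a working gateway: the kernel must also forward packets, the FORWARD chain must accept the redirected connection, and outgoing LAN traffic needs SNAT or MASQUERADE so that replies come back through the gateway. The script below is an added example, not part of the original guide, that assembles the guide's own examples (publishing 10.0.0.3 on ports 80 and 3389, blocking Telnet, dropping ICMP on ppp0) into the kind of gateway configuration listed later under Case 3. The LAN interface eth0, the 10.0.0.0/24 subnet and the PUBLIC_IP variable are assumptions. With no argument the script prints the commands; as root, `sh gateway-firewall.sh apply` executes them.

```shell
#!/bin/sh
# Added example, not part of the original guide: a gateway rule set that
# completes the guide's DNAT one-liners. eth0, 10.0.0.0/24 and PUBLIC_IP are
# assumptions; 10.0.0.3, ppp0 and the Telnet/ICMP blocks come from the guide.
set -eu

DRY_RUN="${DRY_RUN:-1}"            # 1 = print the commands, 0 = run iptables
WAN_IF="${WAN_IF:-ppp0}"           # Internet-facing interface (guide uses ppp0)
LAN_IF="${LAN_IF:-eth0}"           # intranet-facing interface (assumed)
LAN_NET="${LAN_NET:-10.0.0.0/24}"  # intranet subnet (assumed)
SRV_HOST="${SRV_HOST:-10.0.0.3}"   # internal host published in the guide
PUBLIC_IP="${PUBLIC_IP:-}"         # set only when the WAN address is static

# ipt: run iptables, or print the command line in dry-run mode
ipt() {
    if [ "$DRY_RUN" = 1 ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}

# publish PORT HOST: DNAT the port to HOST and accept the forwarded packets.
# The DNAT rule alone does nothing useful while FORWARD's policy is DROP.
publish() {
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$1" -j DNAT --to-destination "$2:$1"
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$2" --dport "$1" -m conntrack --ctstate NEW -j ACCEPT
}

gateway_firewall() {
    # routing between interfaces has to be switched on in the kernel
    if [ "$DRY_RUN" = 1 ]; then echo 'sysctl -w net.ipv4.ip_forward=1'; else sysctl -w net.ipv4.ip_forward=1; fi

    # start clean: flush rules and counters in filter and nat, set policies
    ipt -F; ipt -t nat -F; ipt -Z
    ipt -P INPUT DROP; ipt -P FORWARD DROP; ipt -P OUTPUT ACCEPT

    # traffic to the gateway itself: loopback, replies, and LAN-side services
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -i "$LAN_IF" -p tcp --dport 22 -j ACCEPT   # SSH from the LAN only
    ipt -A INPUT -i "$LAN_IF" -p udp --dport 53 -j ACCEPT   # gateway as LAN DNS resolver
    ipt -A INPUT -i "$LAN_IF" -p icmp -j ACCEPT             # LAN may ping; ppp0 pings hit the DROP policy

    # traffic through the gateway: replies first, then the DROP exceptions,
    # then the general LAN -> Internet accept. Order matters: a DROP placed
    # after the general ACCEPT would never be reached (first match wins).
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 23 -j DROP   # guide: no Telnet
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT

    # source NAT for outgoing LAN traffic: SNAT for a static address,
    # MASQUERADE for a dynamic (dial-up) one, as the action table says
    if [ -n "$PUBLIC_IP" ]; then
        ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j SNAT --to-source "$PUBLIC_IP"
    else
        ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
    fi

    # published internal services (the guide's examples 1 and 2)
    publish 80 "$SRV_HOST"
    publish 3389 "$SRV_HOST"
}

# Default to a dry run; "apply" as the first argument executes the commands.
if [ "${1:-}" = "apply" ]; then DRY_RUN=0; fi
gateway_firewall
```

Two details are worth checking on a real gateway after loading this: `iptables -t nat -L -n` should show the DNAT entries on ppp0 and a single POSTROUTING entry (SNAT or MASQUERADE, never both), and `iptables -L FORWARD -n --line-numbers` should show the Telnet DROP with a lower number than the general LAN accept, otherwise the block is dead.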

The case explanation
Case 1: basic configuration of a client/terminal: DNS, PING, LO
Case 2: basic configuration of a server: SSH, DNS, WWW, FTP, EMAIL (Figure 7)

Case 3: basic configuration of a gateway: SSH, DNS, WWW, FTP, EMAIL, NAT (SNAT, DNAT), rate limiting (Figure 8)

Case 4: connection state detection (Figure 9)

Video viewing addresses:
http://www.boobooke.com/v/bbk3903
http://www.boobooke.com/v/bbk3904
http://www.boobooke.com/v/bbk3905
http://www.boobooke.com/v/bbk3906
http://www.boobooke.com/v/bbk3907
http://www.boobooke.com/v/bbk3930
