Principle and usage of firewall iptables under Linux

Source: Internet
Author: User

Introduction to iptables

Netfilter/iptables (referred to below simply as iptables) is the packet-filtering firewall of the Linux platform. Like most Linux software it is free, and it can replace expensive commercial firewall products, providing packet filtering, packet redirection and network address translation (NAT).

iptables basics

A rule is a condition defined in advance by the network administrator, generally of the form "if the packet header matches this condition, handle the packet in this way". Rules are stored in the packet-filtering tables of kernel space and specify the source address, destination address, transport protocol (such as TCP, UDP or ICMP) and service type (such as HTTP, FTP or SMTP). When a packet matches a rule, iptables processes it in the way the rule defines, such as accept (ACCEPT), reject (REJECT) or drop (DROP). The main work of configuring a firewall is adding, modifying and deleting these rules.

The relationship between iptables and Netfilter:

The first thing to clear up is the relationship between iptables and Netfilter, which is easily confused: many people know iptables but have never heard of Netfilter. In fact, iptables is only the firewall management tool on Linux, located at /sbin/iptables. The real firewall functionality is Netfilter, the framework inside the Linux kernel that implements packet filtering.

How iptables passes packets

① When a packet enters the network card it first enters the PREROUTING chain; the kernel then decides, from the packet's destination IP, whether it needs to be forwarded.
② If the packet is destined for the local host, it continues (downward in the original diagram) to the INPUT chain. After passing the INPUT chain it is delivered to the receiving process. Packets sent by programs running on this host pass through the OUTPUT chain and then the POSTROUTING chain.
③ If the packet is to be forwarded and the kernel permits forwarding, it goes (to the right in the original diagram) through the FORWARD chain and then leaves via the POSTROUTING chain.



iptables rule tables and chains:

A table provides a specific function. iptables has four tables, filter, nat, mangle and raw, which implement packet filtering, network address translation, packet modification (mangling) and control of connection tracking respectively.

A chain is the path a packet travels along; each chain is in effect a checklist of rules, and a chain may hold one or several rules. When a packet arrives at a chain, iptables starts from the first rule in the chain and checks whether the packet satisfies the condition that rule defines. If it does, the packet is processed in the way the rule defines; otherwise iptables moves on to the next rule. If the packet matches none of the rules in the chain, iptables handles it according to the default policy of that chain.

iptables uses a hierarchical structure of tables and chains. RHEL 4 had three tables and five chains; RHEL 5 has four tables and five chains, but the extra table is rarely used, so in practice little has changed. The four tables and five chains are listed below; the relationships and roles of these tables and chains must be understood.


Rule tables:

1. filter table: three chains: INPUT, FORWARD, OUTPUT
   Function: packet filtering. Kernel module: iptable_filter.
2. nat table: three chains: PREROUTING, POSTROUTING, OUTPUT
   Function: network address translation (IP address, port). Kernel module: iptable_nat.
3. mangle table: five chains: PREROUTING, POSTROUTING, INPUT, OUTPUT, FORWARD
   Function: modify the packet's type of service and TTL, and mark packets for policy routing to implement QoS. Kernel module: iptable_mangle. (This table is the most involved of the four, but it is not needed for the policies set up here.)
4. raw table: two chains: OUTPUT, PREROUTING
   Function: decide whether a packet is handled by the connection-tracking mechanism. Kernel module: iptable_raw. (Not present in RHEL 4, and rarely used.)

Rule chains:

1. INPUT: rules in this chain are applied to packets arriving at the local host
2. OUTPUT: rules in this chain are applied to packets leaving the local host
3. FORWARD: rules in this chain are applied when packets are forwarded
4. PREROUTING: rules in this chain are applied before a packet is routed
   (Remember: every incoming packet is processed by this chain first.)
5. POSTROUTING: rules in this chain are applied after a packet has been routed
   (Every outgoing packet is processed by this chain on its way out.)


Order of precedence between rule tables:

raw > mangle > nat > filter

Order of precedence between rule chains (three cases):

First case: inbound traffic

A packet arriving from outside the firewall is first processed by the PREROUTING chain (whether to rewrite the packet address, and so on), followed by the routing decision (which determines where the packet should go). If the packet's destination is the firewall host itself (for example, an Internet user's packet to a web server running on the firewall host), the kernel passes it to the INPUT chain (which decides whether to allow it through), and then up to the application (such as the Apache server) to respond.

Second case: forwarded traffic

When the packet arrives at the firewall it is first processed by the PREROUTING chain and then routed. If the packet's destination is some other external address (for example, a LAN user's packet to the QQ site passing through the gateway), the kernel hands it to the FORWARD chain (forward or block) and then to the POSTROUTING chain (whether to rewrite the packet address).

Third case: outbound traffic

When the firewall itself sends a packet to an external address (for example, when a public DNS server is tested from the firewall host), the packet is first processed by the OUTPUT chain, then routed, and then passed to the POSTROUTING chain (whether to rewrite the packet address).

Managing and setting iptables rules

Basic syntax of iptables

iptables [-t table] command-option [chain] [match conditions] [-j target or jump]

Description: the table and chain name specify the table and chain that the iptables command operates on; the command option specifies how the rule is managed (insert, append, delete, list, and so on); the match conditions specify which packets the rule applies to; and the target specifies how a matching packet is handled (allow, reject, drop, log) or which other chain it is jumped to for processing.

Administrative control options of the iptables command:

-A  Append a new rule at the end of the specified chain
-D  Delete a rule from the specified chain, by rule number or by rule content
-I  Insert a new rule into the specified chain; by default at position 1 (the first row)
-R  Replace a rule in the specified chain, by rule number
-L  List all rules in the specified chain
-E  Rename a user-defined chain without changing the chain itself
-F  Flush all rules from the chain (or from all chains)
-N  Create a new user-defined chain (new-chain)
-X  Delete a user-defined chain from the specified table (delete-chain)
-P  Set the default policy of the specified chain
-Z  Zero the byte and packet counters of all chains in all tables
-n  Display output in numeric form (no name resolution)
-v  Display detailed (verbose) rule information
-V  Display the version
-h  Display help
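As an added example, not taken from the original article, the management options above exercised together as one lifecycle on a user-defined chain: create it (-N), fill it (-A, -I), edit it (-R, -D), and tear it down in the order that iptables requires (-D the jump, -F, then -X). The IPT variable can be pointed at a printing function to dry-run the exact commands without root, which is also how the script is checked; with the default value it needs root on a Linux host with iptables installed. The chain name ADMIN_SSH and the address 203.0.113.0/24 are placeholders chosen for the example.

```shell
# IPT defaults to the real iptables binary; override it for a dry run.
IPT="${IPT:-iptables}"

# Prints the command line it is given instead of executing it (dry-run stand-in).
print_cmd() { printf '%s\n' "$*"; }

# Build the chain: -N creates it, -A appends, -I inserts at a numbered position.
build_admin_chain() {
    $IPT -N ADMIN_SSH
    $IPT -A ADMIN_SSH -s 203.0.113.0/24 -j ACCEPT
    $IPT -A ADMIN_SSH -j DROP
    # -I at position 1 puts the logging rule in front of the two rules above,
    # so every new SSH attempt is logged before it is accepted or dropped.
    $IPT -I ADMIN_SSH 1 -m state --state NEW -j LOG --log-prefix "SSH-NEW: "
    # Hand SSH traffic arriving at INPUT over to the new chain.
    $IPT -A INPUT -p tcp --dport 22 -j ADMIN_SSH
}

# -R replaces a rule by its number; -D deletes by number or by rule content.
edit_admin_chain() {
    $IPT -R ADMIN_SSH 2 -s 203.0.113.0/24 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -D ADMIN_SSH -j DROP
}

# Tear-down order matters: -X refuses to delete a chain that is still referenced,
# so remove the jump from INPUT first, then flush (-F), then delete (-X).
remove_admin_chain() {
    $IPT -D INPUT -p tcp --dport 22 -j ADMIN_SSH
    $IPT -F ADMIN_SSH
    $IPT -X ADMIN_SSH
}

# -L with -n (no DNS lookups), -v and --line-numbers is the listing form that
# shows the rule numbers that -D, -I and -R refer to.
show_admin_chain() {
    $IPT -L ADMIN_SSH -n -v --line-numbers
}

# Dry run: returns the ten commands the three functions would issue, one per line.
dry_run() {
    _saved="$IPT"
    IPT=print_cmd
    build_admin_chain
    edit_admin_chain
    remove_admin_chain
    IPT="$_saved"
}

# Usage: sh thisfile.sh dry-run   (prints the commands; nothing is changed)
if [ "${1:-}" = "dry-run" ]; then
    dry_run
fi
```

Running the script with the argument dry-run prints the command lines so they can be reviewed before they are applied for real; on a remote host, check the listing with show_admin_chain before closing the session, because a mistake in an INPUT rule that carries SSH traffic can lock you out.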

Four ways the firewall can handle a packet

ACCEPT  allows the packet to pass
DROP    discards the packet without sending any response
REJECT  refuses the packet and, where required, sends an error response back to the sender
LOG     records the packet in the /var/log/messages file and then passes it on to the next rule
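The LOG target is only useful if someone reads what it writes. As an added example, not part of the original article, the following shell functions summarise LOG entries from /var/log/messages by source address, protocol and destination port, and flag sources that exceed a threshold. The log lines are constructed for the example in the kernel's netfilter log format; the prefix "IPT-DROP: " is assumed to have been set with --log-prefix on the logging rule, and the addresses are documentation ranges.

```shell
# Reads syslog lines on stdin and prints "count SRC PROTO DPT", most frequent first.
# Only lines carrying the assumed "IPT-DROP:" prefix are counted.
summarize_blocked() {
    awk '/IPT-DROP:/ {
            src = ""; dpt = ""; proto = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)   src   = substr($i, 5)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
            }
            count[src " " proto " " dpt]++
        }
        END { for (k in count) print count[k], k }' | sort -rn
}

# Takes the summary on stdin and prints each source whose count for any
# (protocol, port) pair reaches the threshold given as $1.
noisy_sources() {
    awk -v min="$1" '$1 >= min { print $2 }' | sort -u
}

# Constructed sample of /var/log/messages: five LOG entries and one unrelated line.
sample_log() {
    cat <<'EOF'
Aug 19 10:00:01 fw kernel: IPT-DROP: IN=eth1 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Aug 19 10:00:02 fw kernel: IPT-DROP: IN=eth1 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=40002 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Aug 19 10:00:03 fw kernel: IPT-DROP: IN=eth1 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=3 DF PROTO=TCP SPT=40003 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Aug 19 10:00:04 fw kernel: IPT-DROP: IN=eth1 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4 DF PROTO=TCP SPT=40004 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Aug 19 10:00:05 fw kernel: IPT-DROP: IN=eth1 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=192.0.2.9 DST=203.0.113.10 LEN=40 TOS=0x00 PREC=0x00 TTL=60 ID=5 PROTO=UDP SPT=5353 DPT=53 LEN=20
Aug 19 10:00:06 fw sshd[1234]: Accepted publickey for admin from 202.13.1.5 port 51000 ssh2
EOF
}

# Usage on a real host: summarize_blocked < /var/log/messages | noisy_sources 20
# Usage with the constructed sample: sh thisfile.sh demo
if [ "${1:-}" = "demo" ]; then
    sample_log | summarize_blocked
    echo "sources with 2 or more hits on one port:"
    sample_log | summarize_blocked | noisy_sources 2
fi
```

The summary groups by source, protocol and destination port rather than by source alone, so a host probing one port repeatedly is separated from a host touching many ports once each; both patterns are worth a look, but they mean different things.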

Saving and restoring iptables firewall rules

iptables-save writes the rules to a file, which is loaded automatically at boot by the init script under the rc.d directory (/etc/rc.d/init.d/iptables).

Save the rules with the iptables-save command; the usual form is

iptables-save > /etc/sysconfig/iptables

which generates the file /etc/sysconfig/iptables holding the rules. Alternatively,

service iptables save

saves the rules to /etc/sysconfig/iptables automatically.

When the machine boots, the script under rc.d loads this file with the iptables-restore command, which restores the rules.

Delete the first rule of the INPUT chain:

iptables -D INPUT 1

Common iptables firewall policies


1. Reject all ICMP packets sent to the firewall host

iptables -I INPUT -p icmp -j REJECT

2. Allow the firewall to forward all packets except ICMP

iptables -A FORWARD ! -p icmp -j ACCEPT

Description: "!" negates a match condition (older releases also accept the form "-p ! icmp").

3. Refuse to forward data from host 192.168.1.10, but allow forwarding of data from the 192.168.0.0/24 segment

iptables -A FORWARD -s 192.168.1.11 -j REJECT
iptables -A FORWARD -s 192.168.0.0/24 -j ACCEPT

Note: the REJECT rule must be placed before the ACCEPT rule, otherwise it will not take effect, because the first matching rule in a chain decides.

4. Drop packets entering the firewall host from the external interface (eth1) whose source address is a private-network address

iptables -A INPUT -i eth1 -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i eth1 -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP

5. Block the network segment (192.168.1.0/24) and lift the block after two hours

# iptables -I INPUT -s 10.20.30.0/24 -j DROP
# iptables -I FORWARD -s 10.20.30.0/24 -j DROP
# at now + 2 hours
at> iptables -D INPUT 1
at> iptables -D FORWARD 1
at> <EOT>

Description: the at input is finished with Ctrl-D (at prints <EOT>); pressing Ctrl-Z instead suspends the at process without submitting the job, which is what the following shell output indicates. Deleting rule number 1 also assumes nothing else has been inserted at the top of these chains in the meantime; deleting by content (iptables -D INPUT -s 10.20.30.0/24 -j DROP) avoids that. The same timed removal can equally be done as a crond scheduled task.
[1] Stopped at now 2 hours

6. Allow administrators to log in to the firewall host over SSH only from the 202.13.0.0/16 segment

iptables -A INPUT -p tcp --dport 22 -s 202.13.0.0/16 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP

Description: this pattern suits remote management of a device, for example a SQL server located in a branch office that must be administered by the head office administrator.

7. Allow the local host to offer application services on TCP ports 20 to 1024

iptables -A INPUT -p tcp --dport 20:1024 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 20:1024 -j ACCEPT

8. Allow forwarding of DNS resolution requests (and their replies) for the 192.168.0.0/24 LAN segment

iptables -A FORWARD -s 192.168.0.0/24 -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -d 192.168.0.0/24 -p udp --sport 53 -j ACCEPT

9. Prevent other hosts from pinging the firewall host, while still allowing the firewall to ping other hosts

iptables -I INPUT -p icmp --icmp-type echo-request -j DROP
iptables -I INPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -I INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT

10. Disable forwarding of packets from the host with MAC address 00:0c:29:27:55:3f

iptables -A FORWARD -m mac --mac-source 00:0c:29:27:55:3f -j DROP

Description: in iptables an explicit match is loaded with "-m module-name" followed by the module's own options. Here "-m mac --mac-source" matches the source MAC address of the packet.

11. Allow the firewall host to open TCP ports 20, 21, 25 and 110, plus the passive-mode FTP port range 1250-1280

iptables -A INPUT -p tcp -m multiport --dports 20,21,25,110,1250:1280 -j ACCEPT

Description: "-m multiport --dports" specifies a list of destination ports and port ranges ("--dport" is accepted as an alias).

12. Disable forwarding of TCP packets with a source IP address in the range 192.168.1.20-192.168.1.99

iptables -A FORWARD -p tcp -m iprange --src-range 192.168.1.20-192.168.1.99 -j DROP

Description: the IP range is specified with "-m iprange --src-range".

13. Disable forwarding of non-SYN packets that are not part of an existing TCP connection

iptables -A FORWARD -m state --state NEW -p tcp ! --syn -j DROP

Description: "-m state" matches the connection-tracking state of the packet, and "NEW" means the packet is not related to any known connection; a non-SYN TCP packet in state NEW cannot be a legitimate connection start.

14. Refuse new connections to the firewall host, but allow packets that are replies to, or related to, existing connections

iptables -A INPUT -p tcp -m state --state NEW -j DROP
iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT

Note: "ESTABLISHED" matches a packet belonging to a connection that has already seen traffic in both directions, and "RELATED" matches a packet associated with an established connection, such as an FTP data connection.

15. Open only the local web service (80) and FTP (20, 21, 20450-20480), accept reply packets that external hosts send back to the server on other ports, and drop all other inbound packets

iptables -I INPUT -p tcp -m multiport --dports 20,21,80 -j ACCEPT
iptables -I INPUT -p tcp --dport 20450:20480 -j ACCEPT
iptables -I INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
iptables -P INPUT DROP
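As an added example serving both the section on saving and restoring rules and policy 15 above, and not taken from the original article, the following script writes policy 15 (together with the SSH rule of policy 6 and a loopback rule) in the format that iptables-save produces and iptables-restore reads, so it can be kept at /etc/sysconfig/iptables and loaded atomically at boot rather than entered command by command. It also includes an offline sanity check of such a file, since a restore file missing its COMMIT line silently loads nothing. The admin network 202.13.0.0/16 follows the article; the output path given to write_rules_file is the caller's choice.

```shell
# Write a complete iptables-restore file for the filter table to the path in $1.
# Policy lines (":CHAIN POLICY [packets:bytes]") must precede the rules, and the
# table block must end with COMMIT, exactly as iptables-save would emit it.
write_rules_file() {
    out="$1"
    cat > "$out" <<'EOF'
# Generated for the example; load with: iptables-restore < this-file
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and reply traffic first, so the rules below only see new connections
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# policy 6: SSH only from the admin network
-A INPUT -p tcp --dport 22 -s 202.13.0.0/16 -j ACCEPT
# policy 15: web, FTP control, and the passive FTP data range
-A INPUT -p tcp -m multiport --dports 20,21,80 -j ACCEPT
-A INPUT -p tcp --dport 20450:20480 -j ACCEPT
# everything else falls through to the INPUT DROP policy
COMMIT
EOF
}

# Offline check of a restore file: every *table block must be closed by COMMIT,
# policy lines must come before rules, and the number of -A rules is printed.
# Exits non-zero (printing nothing) if the file is malformed.
check_rules_file() {
    awk '
        /^\*/      { if (in_table) bad = 1; in_table = 1; seen_rule = 0; next }
        /^COMMIT$/ { if (!in_table) bad = 1; in_table = 0; next }
        /^:/       { if (seen_rule) bad = 1; next }
        /^-A /     { rules++; seen_rule = 1; next }
        END        { if (in_table || bad) exit 1; print rules + 0 }
    ' "$1"
}

# Load the file: --test parses the whole ruleset without committing it, so a
# syntax error is reported before anything is changed. Needs root and iptables.
apply_rules_file() {
    if command -v iptables-restore >/dev/null 2>&1; then
        iptables-restore --test < "$1" && iptables-restore < "$1"
    else
        echo "iptables-restore not found; nothing applied" >&2
        return 2
    fi
}

# Usage: sh thisfile.sh /etc/sysconfig/iptables   (writes, checks, then loads)
if [ -n "${1:-}" ]; then
    write_rules_file "$1"
    n="$(check_rules_file "$1")" && echo "$1: $n rules, structure ok" && apply_rules_file "$1"
fi
```

Because iptables-restore replaces the whole table in one step, the ESTABLISHED,RELATED rule and the SSH rule are in place at the same instant the INPUT policy becomes DROP; entering the same rules interactively with -P INPUT DROP first would cut off a remote session.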



This digest is from http://www.cnblogs.com/ggjucheng/archive/2012/08/19/2646466.html
