Security Gateway 3: IPTables

IPtables is a packet-based firewall software that runs well on low-configuration servers. All Linux distributions contain it.

Security rules on network devices are usually sequential matching, such as the ACL of a Cisco device. The core of IPTables is Table Chain and Rules. In addition to sequential matching of data packets, you can also set the target Chain to jump freely. Describes the sequence of data packets passing through Table and Chain.

650) this. width = 650; "style =" width: 600px; height: 400px; "src =" http://www.bkjia.com/uploads/allimg/140110/0416341B8-0.jpg "title =" iptables.jpg "alt =" wKiom1LM7XjTXm6rAAHJVCI5mNk932.jpg "border =" 0 "height =" 400 "hspace =" 0 "vspace =" 0 "width =" 600 "/>

• The Table priority is RAW> MANGLE> NAT> FILTER.

• The data packet's Chain flow is: PREROUTING-> INPUT-> FORWARD-> OUT-> POSTROUTING.

• Each Chain contains several rules. These rules are matched sequentially from top to bottom.

• Once the rule is matched, the data packet will flow to the next Table and Chain.

The basic process for users to access the online environment is as follows:

• The user logs on to the OpenVPN system. After the system passes verification, the user obtains a private IP address and records the account name.

• After the connection is established, the OpenVPN system calls the Connect script.

• IPtables adds the user's IP address to the corresponding rule group Chain.

• The user obtains the corresponding access permissions.

• The user completes the access and disconnects. IPTables removes the IP addresses occupied by the user from the rule group Chain.

Because the security gateway mainly needs to FORWARD and restrict the network between the Intranet of the company and the Intranet of the online environment, this article mainly uses Table FILTER and Chain FORWARD. Filter is the default Table.

A general rule is as follows:

Iptables-a forward-s 1.1.1.1-d 2.2.2.2-p tcp -- dport 80-j DROP

At the beginning of this solution, I tried to write a rule, but when I started to import the rule, I encountered a lot of trouble.

When I import 100 users, there are 50 destination CIDR blocks, and each CIDR Block needs to access 10 ports. I found that I got 100*50*10 rules, that is, 50000 rules, and the length of the FORWARD chain became very long. In extreme cases, user data packets are matched only after 50000 rules.

To solve the problem above, I introduced the concept of group in the system and used a custom Chain to redirect rules:

• All objects are configured in groups, such as user groups, network address groups, and port groups. IPTables itself does not differentiate the user or user group mechanism of data packets. To determine the user and user group, an additional script program and configuration database are required. This solution establishes an additional configuration database and uses the ing relationship between the OpenVPN User Account and the user IP address, to set user permissions.

• In the FORWARD Chain, the rule is iptables-a forward-s 1.1.1.1-j USERGROUP_1. Assume that each user belongs to 20 groups at the same time. The number of FORWARD rules is 2000.

• The rules in USERGROUP_1 Chain are iptables-A USERGROUP_1-j RULE_1. Assume that each group has 20 rules at the same time, and the number of rules in USERGROUP_1 is 20.

• In RULE_1 Chain, the rule is iptables-A RULE_1-d 1.0.0.0/8-j PORT_1. Assume that 10 ports of different combinations are opened for each network segment, and the number of SG_1 rules is: 50*10 = 500 rules.

• In PORT_1 Chain, the rules are iptables-A PORT_1-p tcp -- dport 80-j ACCEPT, and the number of PORT_1 rules is 10.

In this way, users with the source address 1.1.1.1 can access the online system through a maximum of 2000 + 20 + 500 + 10 = 2530 rules. This length has been greatly improved.

This article is from the "computer art" blog!