SELinux, Firewalld, NetFilter and 5 table 5 chains

Source: Internet
Author: User

What is a firewall

A firewall is a combination of components set up between different networks or network security domains that strengthens the security of an organization's internal network.
The firewall enforces an access control mechanism that decides:

    • which internal requests are allowed to reach external services (that is, outgoing packets), and
    • which external requests are allowed to reach internal services (that is, incoming packets).

Depending on the type of network traffic, it determines whether an IP packet may pass into or out of the intranet.
A firewall can be used to:

    • protect vulnerable services;
    • control access between the intranet and the Internet;
    • centralize the management of intranet security and reduce management cost;
    • improve the confidentiality and privacy of the network;
    • record how the network is used and provide a basis for security planning and network maintenance.

1. SELinux command

SELinux is a security mechanism specific to Red Hat/CentOS systems. Because it is so restrictive and so cumbersome to configure, almost nobody really applies it, so we usually turn SELinux off to avoid unnecessary trouble. SELinux is turned off by setting SELINUX=disabled; the default is enforcing.
Enter the command vi /etc/selinux/config and press Enter; see the screenshot.

Change the value in the red box to disabled, then save and exit. After saving the configuration file, the change only takes effect after the machine is restarted. The getenforce command shows the current SELinux status; see the screenshot.

2. NetFilter Firewall

NetFilter is a subsystem introduced in Linux 2.4.x. It is a generic, abstract framework that provides a management mechanism for hook functions, on which packet filtering, network address translation (NAT) and protocol-based connection tracking are implemented.
The architecture of NetFilter places a number of detection points (hooks) at various locations along the path a packet takes through the network stack, and processing functions are registered on each hook.
Both CentOS 6 and CentOS 7 have iptables; here iptables is a tool (a command). On CentOS 6 the firewall is called netfilter, and on CentOS 7 the firewall is called firewalld; both are based on iptables. For the concrete relationship between the three, see the figure.

To turn off the firewalld firewall, see the screenshot.

The systemctl disable firewalld command first stops the firewalld service from starting, and the systemctl stop firewalld command then shuts the firewalld service down.
Next, enable the netfilter firewall. Before enabling it, a package has to be installed: enter the command yum install -y iptables-services and press Enter; see the screenshot.

After the installation completes, start the iptables service, which starts the netfilter firewall service; see the screenshot.

Use the command iptables -nvL to view the default iptables rules; see the screenshot.

3. The NetFilter 5 tables and 5 chains

First run man iptables and press Enter; see the screenshot.

Scroll down; see the screenshot.

The above are the 5 tables of the netfilter firewall: filter, nat, mangle, raw and security (the security table did not exist before CentOS 7).
The filter table filters packets; it is the most commonly used table and has three chains: INPUT, FORWARD, OUTPUT.
The nat table performs network address translation and has three chains: PREROUTING, OUTPUT, POSTROUTING.
The mangle table marks packets so they can be handled according to the mark; almost never used.
The raw table can exempt certain packets from connection tracking; almost never used.
The security table is not available on CentOS 6; it holds network rules for mandatory access control (MAC) and is almost never used.

Five chains: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING
PREROUTING: changes the destination address of a packet as soon as it arrives at the firewall, if needed
INPUT: acts on packets destined for this host
FORWARD: acts on packets that are not addressed to this host
OUTPUT: acts on packets generated by this host; can change the destination address of a locally generated packet
POSTROUTING: changes the source address before the packet leaves the firewall

Iptables introduction
Netfilter/iptables (iptables for short) forms the packet-filtering firewall of the Linux platform. Like most Linux software it is free, and it can replace expensive commercial firewall solutions, providing packet filtering, packet redirection and network address translation (NAT).
iptables basics
A rule is a condition predefined by the network administrator, generally of the form "if the packet header matches this condition, handle the packet this way". Rules are stored in the packet-filtering tables of kernel space and specify the source address, destination address, transport protocol (such as TCP, UDP, ICMP) and service type (such as HTTP, FTP and SMTP). When a packet matches a rule, iptables handles it in the way the rule defines, such as accept (ACCEPT), reject (REJECT) or drop (DROP). The main work of configuring a firewall is adding, modifying and deleting these rules.
The relationship between iptables and netfilter:
The first thing to say is that the relationship between iptables and netfilter confuses many people: a lot of people know iptables but do not know netfilter. In fact, iptables is only the Linux firewall management tool, located at /sbin/iptables. The real firewall functionality is netfilter, the structure inside the Linux kernel that implements packet filtering.
How iptables passes a packet:
① When a packet enters the network card, it first enters the PREROUTING chain, and the kernel decides, based on the packet's destination IP, whether the packet needs to be forwarded.
② If the packet is for this host, it moves down the diagram to the INPUT chain. After the packet has passed the INPUT chain, any process can receive it. Packets sent by programs running on this host pass through the OUTPUT chain and then reach the POSTROUTING chain.
③ If the packet is to be forwarded and the kernel permits forwarding, the packet moves to the right through the FORWARD chain and then leaves via the POSTROUTING chain.

The description that follows covers 4 tables and 5 chains; there are now 5 tables, but the additional table is almost never used.
Iptables rule tables and chains:
Tables provide specific functions. iptables contains 4 tables: the filter table, the nat table, the mangle table and the raw table, which respectively implement packet filtering, network address translation, packet modification (mangling) and connection-tracking handling.
Chains are the paths along which packets travel; each chain is really a checklist of rules, and a chain can hold one or several rules. When a packet arrives at a chain, iptables starts checking from the first rule in the chain to see whether the packet satisfies the condition that rule defines. If it does, the packet is handled in the way the rule defines; otherwise iptables goes on to check the next rule. If the packet matches none of the rules in the chain, iptables handles it according to the default policy defined for that chain.
iptables uses a hierarchical structure of "tables" and "chains"; see the figure.

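The default policy is the fallback the text describes: whatever matches no rule is handled by the chain's policy, so an ACCEPT policy on INPUT or FORWARD means a host is open by default. As an added example (not code from the original post), the POSIX shell script below reads an iptables-save dump from stdin and flags such chains; both dumps are constructed samples.

```shell
# Added example, not from the original post: audit an iptables-save dump
# for filter-table chains whose default policy is ACCEPT, i.e. chains where
# a packet that matches no rule is let through. Both dumps below are
# constructed samples; on a real host run: iptables-save | audit_policies

# Print "table chain policy" for every built-in chain in the dump (stdin),
# following the "*table" and ":CHAIN POLICY [pkts:bytes]" header lines.
list_policies() {
    awk '
        /^\*/ { table = substr($0, 2); next }
        /^:/  { sub(/^:/, "", $1); print table, $1, $2 }
    '
}

# Print the names of filter-table INPUT/FORWARD chains whose policy is ACCEPT
# (inbound and forwarded traffic are the flows a host should default-deny).
open_chains() {
    list_policies | awk '$1 == "filter" && ($2 == "INPUT" || $2 == "FORWARD") &&
                         $3 == "ACCEPT" { print $2 }'
}

# Report and return 1 when some chain is open by default, 0 otherwise.
audit_policies() {
    open=$(open_chains | tr '\n' ' ')
    if [ -n "$open" ]; then
        echo "WARNING: default policy ACCEPT on: $open"
        return 1
    fi
    echo "OK: INPUT and FORWARD default to DROP"
}

# Constructed sample: the usual state right after the iptables service is
# started with no rules loaded -- every chain accepts by default.
WEAK_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# Constructed sample: default-deny with explicit allows; rules are checked
# top to bottom, first match wins, the policy applies only if nothing matched.
HARDENED_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT'

printf '%s\n' "$WEAK_DUMP" | audit_policies || true
printf '%s\n' "$HARDENED_DUMP" | audit_policies
```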
Rule tables:
1. filter table -- three chains: INPUT, FORWARD, OUTPUT
Function: filters packets. Kernel module: iptable_filter.
2. nat table -- three chains: PREROUTING, POSTROUTING, OUTPUT
Function: network address translation (IP, port). Kernel module: iptable_nat.
3. mangle table -- five chains: PREROUTING, POSTROUTING, INPUT, OUTPUT, FORWARD
Function: modifies the packet's type of service and TTL, and can configure routing to implement QoS. Kernel module: iptable_mangle (although this table is quite involved, we do not use it when setting up our policy).
4. raw table -- two chains: OUTPUT, PREROUTING
Function: decides whether a packet is handled by the connection-tracking mechanism. Kernel module: iptable_raw.

Rule chains:
1. INPUT -- the policies in this chain are applied to incoming packets
2. OUTPUT -- the policies in this chain are applied to outgoing packets
3. FORWARD -- the policies in this chain are applied when packets are forwarded
4. PREROUTING -- the rules in this chain are applied before a packet is routed
(remember: all incoming packets are processed by this chain first)
5. POSTROUTING -- the rules in this chain are applied after a packet has been routed
(all outgoing packets are processed by this chain first)
Order of precedence between rule tables:
raw → mangle → nat → filter
Order of precedence between rule chains (three cases):
First case: inbound data flow
A packet arriving from outside the firewall is first processed by the PREROUTING chain (whether to modify the packet's address, etc.), followed by a routing decision (which determines where the packet should be sent). If the packet's target host is the firewall itself (for example, a packet from an Internet user accessing the web server on the firewall host), the kernel passes it to the INPUT chain (which decides whether to let it through, etc.), and then hands it to the application in the upper layer of the system (such as the Apache server) to respond.
Second case: forwarded data flow
When the packet arrives at the firewall it is first processed by the PREROUTING chain and then routed. If the packet's destination is another external address (for example, a LAN user's packet to the QQ site passing through the gateway), the kernel passes it to the FORWARD chain (forward or block) and then hands it to the POSTROUTING chain (whether to modify the packet's address).
Third case: outbound data flow
When the firewall itself sends a packet to an external address (for example, when a public DNS server is tested from the firewall host), the packet is first processed by the OUTPUT chain, then routed, and then passed to the POSTROUTING chain (whether to modify the packet's address).

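The packet walk in ①②③ and the three cases above can be combined with the table precedence and the per-table chain lists into the exact sequence of table:chain hooks a packet meets. The POSIX shell script below is an added example, not code from the original post; it follows the page's chain lists (newer kernels also hook the nat table on INPUT, which is omitted here) and answers the practical question of which chain a rule in a given table first sees a packet in.

```shell
# Added example, not from the original post: print the "table:CHAIN" hooks a
# packet traverses in each of the three flows above, combining the page's
# table precedence (raw, mangle, nat, filter) with the chains each table
# registers in the "Rule tables" list. Useful for answering "which chain will
# my rule in table X actually see this packet in?"

# Tables hooked on a chain, in precedence order. Follows the page's chain
# lists; newer kernels also hook nat on INPUT, which is omitted here.
tables_on() {
    case "$1" in
        PREROUTING)  echo "raw mangle nat" ;;
        INPUT)       echo "mangle filter" ;;
        FORWARD)     echo "mangle filter" ;;
        OUTPUT)      echo "raw mangle nat filter" ;;
        POSTROUTING) echo "mangle nat" ;;
        *)           echo "unknown chain: $1" >&2; return 1 ;;
    esac
}

# Chain sequence for a flow: inbound (to this host), forward, outbound.
chains_for() {
    case "$1" in
        inbound)  echo "PREROUTING INPUT" ;;
        forward)  echo "PREROUTING FORWARD POSTROUTING" ;;
        outbound) echo "OUTPUT POSTROUTING" ;;
        *)        echo "unknown flow: $1" >&2; return 1 ;;
    esac
}

# Expand a flow into "table:CHAIN" hooks, one per line, in traversal order.
traversal() {
    chains=$(chains_for "$1") || return 1
    for chain in $chains; do
        for table in $(tables_on "$chain"); do
            echo "$table:$chain"
        done
    done
}

# First hook where a rule in TABLE sees a packet of FLOW (empty if never), e.g.
# first_hook nat forward -> nat:PREROUTING, first_hook filter inbound -> filter:INPUT
first_hook() {
    traversal "$2" | grep "^$1:" | head -n 1
}

for flow in inbound forward outbound; do
    echo "== $flow =="
    traversal "$flow"
done
```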
For more information, see http://www.cnblogs.com/metoy/p/4320813.html

Summary:
getenforce shows the current SELinux status: enforcing means it is on, permissive means it is off (not enforcing).
setenforce 0 turns SELinux off temporarily.
vi /etc/selinux/config opens the SELinux configuration file; changing it to SELINUX=disabled turns SELinux off permanently.
systemctl disable firewalld first stops the firewalld service from starting.
systemctl stop firewalld shuts the firewalld service down.
5 tables: filter, nat, mangle, raw, security
5 chains: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING
This host: PREROUTING→INPUT→OUTPUT→POSTROUTING
Not this host: PREROUTING→FORWARD→POSTROUTING
