Firewall Basics
The Linux firewall works mainly at the network layer, filtering and restricting TCP/IP packets, so it is a typical packet-filtering (network-layer) firewall. Because it is implemented inside the Linux kernel it is stable and efficient, which is why it is so widely used.
On Linux, the names netfilter and iptables are both used to refer to the Linux firewall:
netfilter: the packet-filtering framework built into the Linux kernel. It is not a program or a file but a set of hooks in the kernel's network stack; it is the kernel-space part of the firewall.
iptables: the command-line program used to manage the firewall rules, usually installed as /sbin/iptables; it is the user-space management part of the firewall.
1. iptables table and chain structure
iptables supplies the rules (or policies) that drive the packet-filtering mechanism: each rule tells netfilter how to handle packets that come from a given source, go to a given destination, or have given protocol characteristics. To keep firewall rules organised and manageable, iptables arranges them in a hierarchy of "tables" and "chains", commonly summarised as "four tables, five chains".
Each rule table is a container in kernel space; there are four default tables, separated by the purpose of the rule sets they hold. Inside each table are rule chains; there are five built-in chains, separated by the point in the packet's path at which they are evaluated. The individual rules, which decide whether a packet is filtered or otherwise processed, are stored in these chains.
1.1 Rule tables
iptables manages four rule tables, distinguished by the function of the rule sets they hold. Each table is implemented by its own kernel module and holds a number of rule chains.
Tables are divided according to the purpose of the firewall rules they contain:
filter table: used to filter packets, deciding whether to accept or drop a packet according to the rules. Its kernel module is iptable_filter. It contains three chains: INPUT, FORWARD and OUTPUT.
nat table: NAT (Network Address Translation) table, used mainly to rewrite the IP addresses and port numbers of packets. Its kernel module is iptable_nat. On RHEL 6.5 (kernel 2.6.32) it contains three chains: PREROUTING, POSTROUTING and OUTPUT (kernels from 2.6.34 onward add an INPUT chain to this table as well).
mangle table: used to modify packet header fields such as TOS (Type of Service) and TTL (Time to Live), or to set a mark on the packet for advanced uses such as traffic shaping and policy routing. Its kernel module is iptable_mangle. It contains all five chains: PREROUTING, POSTROUTING, INPUT, OUTPUT and FORWARD.
raw table: added in iptables 1.2.9, used mainly to decide whether a packet should be exempted from connection tracking; its rules are evaluated before the connection-tracking code runs. Its kernel module is iptable_raw. It contains two chains: PREROUTING and OUTPUT.
The mangle and raw tables are used far less often than filter and nat.
1.2 Rule Chain
iptables groups rules into five built-in chains according to the point in the packet's path at which the rules are evaluated. Rules filter or otherwise process packets; chains hold the rules; chains are distinguished by when in the packet's path they run:
INPUT: processes inbound packets addressed to the firewall host itself
OUTPUT: processes outbound packets generated by the firewall host itself
FORWARD: processes packets routed through the host (this chain only sees traffic when IP forwarding is enabled, i.e. /proc/sys/net/ipv4/ip_forward contains 1)
POSTROUTING: processes packets after the routing decision has been made
PREROUTING: processes packets before the routing decision is made
The INPUT and OUTPUT chains are mainly used in a "host firewall", which protects the server it runs on; FORWARD, PREROUTING and POSTROUTING are mostly used in a "network firewall", where a Linux machine acts as the gateway between the company network and the Internet.
1.3 Matching process for packet filtering
1.3.1 Order between rule tables
When a packet reaches a given hook, the rules of the corresponding chain are applied table by table, in the fixed order raw, mangle, nat, filter.
1.3.2 Order between rule chains
Because each chain runs at a fixed point in the packet's path, the order in which the chains are applied depends on where the packet is going:
Inbound (to the host): PREROUTING → INPUT
Outbound (from the host): OUTPUT → POSTROUTING
Forwarded (through the host): PREROUTING → FORWARD → POSTROUTING
1.3.3 Order of the rules inside a chain
As a packet passes through a chain, the rules are compared with it in order: first rule, second rule, and so on. Matching follows the "first match wins" principle: once a rule matches and its target is terminating (ACCEPT, DROP, REJECT), no further rules in that chain are checked. The LOG target is the usual exception: it logs the packet and lets matching continue with the next rule. If no rule in the chain matches, the chain's default policy decides what happens to the packet.
2.1 iptables basic syntax and packet control types
The basic command format is:
iptables [-t table] management-option [chain] [match conditions] [-j target]
table and chain name the table and chain the command operates on; if no table is given the filter table is assumed. The management option says what to do with the rule (add, delete, list, and so on). The match conditions describe the packets the rule applies to; packets that do not match are not affected by the rule. The target (control type) says what to do with matching packets: ACCEPT (allow), DROP (discard silently), REJECT (refuse and send an error back) or LOG (record and keep matching).
A few things to note:
If no table name is given, the filter table is used.
For -L, -F and -Z, omitting the chain name applies the operation to every chain in the table; -A, -I, -D and -P require a chain name.
A match condition is required unless you are setting a chain's default policy (or only listing or flushing).
Chain names (INPUT, FORWARD, ...) and targets (ACCEPT, DROP, ...) are written in upper case; options are case-sensitive, so -p (protocol) and -P (policy) mean different things.
2.2 Basic operations: adding, deleting and viewing rules
-A: append (--append) a new rule at the end of the specified chain
-D: delete (--delete) a rule from the specified chain, identified either by its number or by repeating its specification
-I: insert (--insert) a new rule into the specified chain; if no position number is given it becomes the first rule
-R: replace (--replace) the rule at a given position number in the specified chain
-L: list (--list) the rules of the specified chain, or of every chain in the table if no chain is given
-F: flush (--flush) all rules from the specified chain, or from every chain in the table if no chain is given
-P: set the default policy (--policy) of a built-in chain
-n: show addresses and ports numerically (--numeric) instead of resolving them to names
-v: verbose output (--verbose), including packet and byte counters
-h: help (--help)
--line-numbers: when listing, show each rule's position number in the chain
2.2.1 Adding a new rule
Rules are added with the management options -A and -I. -A appends the rule to the end of the chain; -I inserts it, by default at the first position, or at the position whose number follows the chain name. In the original example, -p names the protocol as the match condition when appending a rule to the end of the filter table's INPUT chain.
With -I you may also give the position number of the new rule; without one it becomes the first rule. The original example inserted two rules at positions 1 and 2 of the filter table's INPUT chain, omitting "-t filter" because the filter table is the default.
2.2.2 Viewing the rule table
To view the existing firewall rules, use -L to list them, combined with --line-numbers to show each rule's position, for example to list all rules of the filter table's INPUT chain with their numbers.
When there are many rules, showing addresses and ports in numeric form with -n skips the reverse DNS and service-name lookups and makes the listing return noticeably faster, for example when listing the filter table's INPUT chain numerically.
2.2.3 Deleting and flushing rules
To delete a firewall rule use -D, for example to delete the third rule of the filter table's INPUT chain by its position number.
To flush all rules of a given chain use -F, for example to empty the INPUT chain.
To remove every rule in the firewall, -F is run without a chain name, once per table (filter, nat, mangle). Note that -F removes rules but does not reset chain policies: if the INPUT policy is DROP, flushing the chain on a remote host cuts off your own session.
2.2.4 Setting the default policy
In each built-in chain the default policy is the last step of rule matching: it is applied when no rule in the chain matches the packet. The policy of a built-in chain can only be ACCEPT or DROP (REJECT is not accepted as a policy; to reject unmatched traffic, append a final rule with -j REJECT instead). The original example set the FORWARD chain's policy in the filter table to DROP and the OUTPUT chain's policy to ACCEPT.
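The procedure of sections 2.2.1 to 2.2.4 as one shell script, added here as a worked example; it is not the original post's screenshots. It assumes a RHEL 6 host firewall administered over SSH (tcp/22); the rule specifications in add_rules() follow what the original screenshots are described as showing, everything else is this example's own choice. By default the script prints each command instead of executing it, so it can be reviewed without root; run it as root with DRY_RUN=0 to apply the rules.

```shell
#!/bin/sh
# Added example (not from the original post): add, insert, list, delete,
# flush and set default policies with iptables on a RHEL 6 host firewall.
# DRY_RUN=1 (the default here) prints each command instead of running it;
# DRY_RUN=0 as root executes them.
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# 2.2.1  -A appends at the end; -I inserts at position 1 unless a number
# is given after the chain name. -t filter may be omitted (default table).
add_rules() {
    run iptables -t filter -A INPUT -p tcp -j ACCEPT   # appended: becomes the last rule
    run iptables -I INPUT -p udp -j ACCEPT             # inserted: becomes rule 1
    run iptables -I INPUT 2 -p icmp -j ACCEPT          # inserted: becomes rule 2
}

# 2.2.2  -L lists, --line-numbers shows positions, -n skips DNS/service
# lookups (much faster on long rule sets), -v adds counters and interfaces.
list_rules() {
    run iptables -t filter -L INPUT --line-numbers
    run iptables -nvL INPUT --line-numbers
}

# 2.2.3  Delete by position or by repeating the exact rule specification.
# Positions shift after each deletion, so delete the highest number first.
delete_rules() {
    run iptables -D INPUT 3
    run iptables -D INPUT -p udp -j ACCEPT
}

# 2.2.3  -F empties a chain, or every chain of the table if no chain is
# named. It does NOT reset policies: never flush INPUT while its policy is
# DROP on a machine you are logged into remotely.
flush_rules() {
    run iptables -F INPUT
    for table in filter nat mangle; do
        run iptables -t "$table" -F
    done
}

# 2.2.4  Policies may only be ACCEPT or DROP. Allow the traffic you depend
# on first (replies to established connections, SSH), then switch INPUT
# and FORWARD to DROP; rules added later with -A land below these.
set_policies() {
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT
}

main() {
    add_rules
    list_rules
    delete_rules
    flush_rules
    set_policies
}

main
```

On RHEL 6 the running rule set is lost at reboot unless it is saved with `service iptables save`, which writes it to /etc/sysconfig/iptables for the iptables init script to reload.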
3 Matching criteria for rules
When writing firewall rules, the match conditions are decisive: only when they are clear and precise does the firewall know exactly which packets to act on, and only then do you avoid "collateral damage" to legitimate traffic. A single rule may carry several match conditions, all of which must hold for the rule to apply. Based on the characteristics of the packet and the module structure of iptables, match conditions fall into three broad categories: generic matches, implicit matches and explicit matches.
3.1 Generic matches: also called regular matches, these can be used on their own and do not depend on another condition or on an extension module. Common generic matches are protocol, address and network-interface matching.
3.1.1 Protocol matching
Specified as "-p protocol" (lower-case p), this checks the network protocol (--protocol) of the packet, such as tcp, udp, icmp or all (every IP packet); the available protocol names are listed in /etc/protocols, and "!" in front of the option negates the match. In the original example, ICMP packets addressed to the firewall host itself are dropped, while all non-ICMP packets are allowed to be forwarded through the firewall.
3.1.2 Address matching
"-s address" and "-d address" match the source (--source) and destination (--destination) address of the packet. A single IP address or a network in CIDR notation may be given. Host names and domain names are discouraged: they are resolved once, when the rule is added (a name resolving to several addresses produces several rules), and the lookup slows down rule management. In the original example, traffic whose source address is 192.168.1.11 is rejected, and traffic to the 192.168.2.0/24 network is allowed to be forwarded.
When a small-scale scan or attack is detected, blocking the source address is the most efficient response. For example, if frequent scanning or password guessing is seen from a network segment (192.168.1.0/24), a rule dropping that segment can be inserted at the top of the affected chains immediately, so that no earlier ACCEPT rule lets it through.
3.1.3 Network interface matching
"-i interface" and "-o interface" check which firewall interface a packet arrived on (--in-interface) or will leave through (--out-interface). -i is only valid in the INPUT, FORWARD and PREROUTING chains, -o only in FORWARD, OUTPUT and POSTROUTING. In the original example, packets arriving on the external interface (eth1) for the firewall host itself whose source address is a private (RFC 1918) address are dropped: such a source can only be spoofed, so this is a basic anti-spoofing rule.
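The protocol, address and interface matches of section 3.1 collected in one script, added here as a worked example rather than taken from the original post. It assumes a gateway with eth0 facing the internal network and eth1 facing the outside, and uses the addresses from the text (192.168.1.11, 192.168.2.0/24, 192.168.1.0/24); the ordering of the rule groups is this example's own point. As before, the script prints the commands unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example (not from the original post): the protocol, address and
# interface matches of section 3.1 on a gateway with eth0 (internal) and
# eth1 (external). DRY_RUN=1 (default) prints commands; DRY_RUN=0 applies.
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# 3.1.3  -i names the inbound interface. Private (RFC 1918) and loopback
# sources must never arrive on the external interface: anything that does
# is spoofed. These go FIRST: a later broad ACCEPT would shadow them.
antispoof_rules() {
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
        run iptables -A INPUT -i eth1 -s "$net" -j DROP
        run iptables -A FORWARD -i eth1 -s "$net" -j DROP
    done
}

# 3.1.1  -p selects the protocol; "!" in front of it negates the match.
protocol_rules() {
    run iptables -A INPUT -p icmp -j DROP            # ICMP aimed at the firewall itself
    run iptables -A FORWARD ! -p icmp -j ACCEPT      # forward anything that is not ICMP
}

# 3.1.2  -s / -d take an address or a CIDR network. REJECT answers with an
# ICMP error (or a TCP RST); DROP answers nothing, which is what you want
# against a scanner.
address_rules() {
    run iptables -A FORWARD -s 192.168.1.11 -j REJECT
    run iptables -A FORWARD -d 192.168.2.0/24 -j ACCEPT
}

# Emergency block of a scanning or brute-forcing segment: -I puts the rule
# at the top of the chain, ahead of every ACCEPT already present.
block_segment() {
    net=$1
    run iptables -I INPUT -s "$net" -j DROP
    run iptables -I FORWARD -s "$net" -j DROP
}

main() {
    # FORWARD only sees traffic once routing is enabled (section 1.2).
    run sysctl -w net.ipv4.ip_forward=1
    antispoof_rules
    protocol_rules
    address_rules
    block_segment 192.168.1.0/24
}

main
```

Anti-spoofing rules are appended before the permissive FORWARD rule on purpose: with "first match wins" (section 1.3.3), `-A FORWARD ! -p icmp -j ACCEPT` placed ahead of them would accept the spoofed TCP and UDP packets before the DROP rules were ever consulted.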
3.2 Implicit matches
These matches require a protocol (-p) as a precondition and act as sub-conditions of it, so they cannot be used on their own; iptables loads the corresponding match extension automatically (implicitly) when it is needed. Common implicit matches: port matching, TCP flag matching and ICMP type matching.
3.2.1 Port matching
"--sport port" and "--dport port", valid when the protocol is tcp or udp, check the source port (--source-port) or destination port (--destination-port) of the packet. A single port or a range written with a colon (for example 1024:65535) is accepted, but not a list of separate ports (see multiport matching below). In the original example, DNS query packets from the 192.168.1.0/24 network are allowed to be forwarded.
Another example: when setting up vsftpd, ports 20 and 21 and the passive-mode range 24500:24600 have to be opened, which takes two rules because --dport cannot take a disjoint list.
3.2.2 ICMP type matching
"--icmp-type type", valid when the protocol is icmp, checks the type of an ICMP packet. The type may be given as a name or a number, for example echo-request (type 8), echo-reply (type 0) and destination-unreachable (type 3), standing for a ping request, a ping reply and "destination host unreachable" respectively.
For example, to refuse pings from other hosts but still allow the local host to ping others, echo-request is dropped in the INPUT chain while echo-reply is accepted there.
Run "iptables -p icmp -h" to see the help for the ICMP match, including the list of valid type names.
3.2.3 TCP flag matching
"--tcp-flags mask comp", valid when the protocol is tcp, matches on the TCP flags. It takes two arguments, each a comma-separated list with no spaces inside, separated from each other by a space. The first list (the mask) names the flags to examine; the second list names those among them that must be set (1); every other flag in the mask must be clear (0). The recognised flags are SYN, ACK, FIN, RST, URG and PSH, plus the two keywords ALL (every flag) and NONE (no flag). Prefixing the option with "!" inverts the match. For example:
1. --tcp-flags SYN,FIN,ACK SYN matches packets in which SYN is set and FIN and ACK are both clear, i.e. a plain connection request (--syn is shorthand for --tcp-flags SYN,RST,ACK,FIN SYN).
2. --tcp-flags ALL NONE matches packets with no flag set at all (a "NULL scan").
3. ! --tcp-flags SYN,FIN,ACK SYN matches everything example 1 does not: any packet in which SYN is clear, or FIN or ACK is set. Note that this is the logical complement of example 1, not "FIN and ACK set with SYN clear".
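The port, ICMP-type and TCP-flag matches of section 3.2 in one script, added here as a worked example; it is not the original post's own commands. It assumes the internal network is 192.168.1.0/24, that the firewall forwards that network's DNS traffic, and that the firewall host itself runs vsftpd with the passive range 24500:24600 from the text. The script prints the commands unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example (not from the original post): port, ICMP-type and TCP-flag
# matches of section 3.2. DRY_RUN=1 (default) prints commands; DRY_RUN=0
# as root applies them.
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# 3.2.1  --sport/--dport need -p tcp or -p udp. A range is written a:b; a
# disjoint list is not accepted, so vsftpd's ports take two rules.
port_rules() {
    # DNS from the LAN outwards, and the answers back, over UDP and TCP
    for proto in udp tcp; do
        run iptables -A FORWARD -s 192.168.1.0/24 -p "$proto" --dport 53 -j ACCEPT
        run iptables -A FORWARD -d 192.168.1.0/24 -p "$proto" --sport 53 -j ACCEPT
    done
    run iptables -A INPUT -p tcp --dport 20:21 -j ACCEPT         # FTP data (active) and control
    run iptables -A INPUT -p tcp --dport 24500:24600 -j ACCEPT   # vsftpd passive range
}

# 3.2.2  --icmp-type needs -p icmp. Refuse pings from others, but accept the
# replies to our own pings and the error types path-MTU discovery and
# traceroute depend on.
icmp_rules() {
    run iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
    run iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
    run iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
    run iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
    run iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
}

# 3.2.3  --tcp-flags MASK COMP: look at the flags in MASK, require exactly
# the ones in COMP to be set. These combinations never occur in legitimate
# traffic and are the signatures of common port-scan techniques.
flag_rules() {
    run iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP          # NULL scan
    run iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP           # XMAS scan
    run iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP   # SYN+FIN
    run iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP   # SYN+RST
    # a clean connection request to SSH; this mask/comp pair is what --syn expands to
    run iptables -A INPUT -p tcp --dport 22 --tcp-flags SYN,RST,ACK,FIN SYN -j ACCEPT
}

main() {
    flag_rules      # scan signatures first, so they are dropped before any ACCEPT
    icmp_rules
    port_rules
}

main
```

Dropping echo-request while accepting echo-reply, destination-unreachable and time-exceeded is the usual compromise: the host stops answering pings, but its own ping and traceroute keep working and PMTU discovery is not broken.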
3.3 Explicit matches
These matches are provided by additional kernel modules and must be requested explicitly with "-m module" before their conditions can be given. After adding a rule with an explicit match you can run "lsmod | grep xt_" to see the corresponding extension modules loaded (xt_multiport, xt_iprange, xt_mac, xt_state); iptables loads them on demand. Common explicit matches: multi-port, IP range, MAC address and connection-state matching.
3.3.1 Multi-port matching
"-m multiport --dports list" and "-m multiport --sports list" (the singular --dport/--sport spellings are accepted too) check the destination or source port against a list of up to 15 ports separated by commas; a range a:b counts as two entries. The protocol must be tcp or udp.
For example, to let the host offer mail and webmail services on ports 25, 80, 110 and 143, a single rule with --dports 25,80,110,143 replaces four separate rules.
3.3.2 IP range matching
"-m iprange --src-range range" and "-m iprange --dst-range range" check the source or destination address against a range written as "start-end", which is useful when the addresses do not form an exact CIDR block.
For example, the original post refused to forward TCP packets whose source address lies between 192.168.4.21 and 192.168.4.28.
3.3.3 MAC address matching
"-m mac --mac-source address" checks the source MAC address of the frame the packet arrived in; there is no destination variant. It only works for packets arriving from the directly connected link (for anything routed, the MAC seen is that of the last router), so it is only valid in the PREROUTING, INPUT and FORWARD chains and is used inside the local network. For example, the original post blocked one host by its MAC address from reaching any service on the firewall host itself.
3.3.4 State matching
"-m state --state states" checks the connection state of a packet using the iptables connection-tracking mechanism. Common states: NEW (the packet starts a connection that tracking knows nothing about yet), ESTABLISHED (the packet belongs to a connection that has already seen traffic in both directions) and RELATED (the packet opens a new connection associated with an existing one, such as an FTP data connection); INVALID marks packets tracking cannot associate with any connection. The newer "-m conntrack --ctstate" match accepts the same state names and is also available on RHEL 6. For example, the original post refused to forward TCP packets in state NEW that are not SYN packets, i.e. packets that claim to start a connection without a normal TCP handshake, as in some spoofed or scanning traffic.
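The multiport, iprange, mac and state matches of section 3.3 in one script, added here as a worked example; it is not the original post's own commands. The port list, IP range and the "NEW but not SYN" rule come from the text; the MAC address 00:0C:29:AA:BB:CC is a placeholder, and the placement of the state rules at the top of each chain is this example's own recommendation. The script prints the commands unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example (not from the original post): the multiport, iprange, mac
# and state matches of section 3.3. The MAC address is a placeholder.
# DRY_RUN=1 (default) prints commands; DRY_RUN=0 as root applies them.
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# 3.3.4  state: accept packets of connections already tracked (this single
# rule handles most traffic), drop what conntrack cannot classify, then
# refuse TCP "connections" that do not begin with a SYN. These belong at
# the top of the chain so that everything below only sees NEW traffic.
state_rules() {
    chain=$1
    run iptables -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A "$chain" -m state --state INVALID -j DROP
    run iptables -A "$chain" -p tcp ! --syn -m state --state NEW -j DROP
}

# 3.3.3  mac: source MAC only, only for hosts on the same link, hence only
# in PREROUTING, INPUT and FORWARD. Placed before the ACCEPT rules below.
mac_rules() {
    run iptables -A INPUT -m mac --mac-source 00:0C:29:AA:BB:CC -j DROP
}

# 3.3.1  multiport: up to 15 ports (a range a:b counts as two) in one rule
# instead of one rule per port. Needs -p tcp or -p udp.
multiport_rules() {
    run iptables -A INPUT -p tcp -m multiport --dports 25,80,110,143 -j ACCEPT
}

# 3.3.2  iprange: a contiguous range that is not a CIDR block.
iprange_rules() {
    run iptables -A FORWARD -p tcp -m iprange --src-range 192.168.4.21-192.168.4.28 -j DROP
}

main() {
    state_rules INPUT
    state_rules FORWARD
    mac_rules
    multiport_rules
    iprange_rules
}

main
```

Because the ESTABLISHED,RELATED rule comes first, the iprange and multiport rules are only ever evaluated for the first packet of a connection; the reply traffic of connections they permit is accepted by the state rule, which is why stateful rule sets rarely need a matching rule for the return direction.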
This article is from the blog of "Wang Gaoli"; reprinting is declined.
Red Hat Enterprise Linux 6.5 firewall explained in detail: iptables (netfilter) rules