The iptables of the Linux firewall

Source: Internet
Author: User

Brief

The Linux firewall works mainly at the network layer: it filters and restricts TCP/IP packets, which makes it a typical packet-filtering (network-layer) firewall. The filtering engine itself is implemented in the kernel, which gives it stable performance and high efficiency.

The relationship between NetFilter and iptables

NetFilter: a framework in the Linux kernel that lets hook functions be attached to the network protocol stack at several points. NetFilter itself does not filter packets; it only lets functions that filter or modify packets attach at the right places in the kernel network stack. Those functions are the kernel-space ("kernel state") part of the firewall system.

iptables: the user-space tool. It provides a command-line interface for adding rules and policies to NetFilter, so that packets can be filtered, modified and so on. iptables is not the only way to generate firewall rules on Linux; other tools such as firewalld offer similar functions. The binary is usually /sbin/iptables (or /usr/sbin/iptables) and is the user-space part of the firewall system.

iptables: four tables, five chains

The role of iptables is to supply the rules for the packet-filtering mechanism: through rules it tells NetFilter what to do with packets from certain sources, to certain destinations, or with certain protocol features. To organise and manage firewall rules, iptables uses a hierarchy of "tables" and "chains". Each table corresponds to a container in kernel space; there are four default tables, divided by the purpose of the rule set, and each table holds several chains. The chains correspond to the five points in a packet's path at which it can be processed, and the rules that decide whether to filter or otherwise process the packet are stored in order in each chain.

iptables rule tables

iptables rules are grouped by function into 4 tables: filter, nat, mangle and raw. (Current kernels also have a fifth, rarely used security table for SELinux network labelling; it does not change the model described here.)

filter table: implements the filtering function, deciding from the rules how a packet is handled. Its kernel module is iptable_filter and it contains three chains: INPUT, FORWARD and OUTPUT. It is the default table when -t is not given.

nat table: implements network address translation, that is, it rewrites the packet's IP address, port number and similar fields. Its kernel module is iptable_nat and it contains the PREROUTING, POSTROUTING and OUTPUT chains (kernels from 2.6.34 add an INPUT chain as well). Only the first packet of a connection traverses the nat table; connection tracking then applies the same translation to the rest of the connection.

mangle table: used to modify packet data (TTL, TOS/DSCP, packet marks and so on). Its kernel module is iptable_mangle and it contains all five chains: PREROUTING, POSTROUTING, INPUT, OUTPUT and FORWARD.

raw table: processed before connection tracking, so it is used to decide whether a packet should be tracked at all (the NOTRACK / CT --notrack target exempts it). Its kernel module is iptable_raw and it contains two chains: PREROUTING and OUTPUT.

iptables rule chains

Each table has a set of built-in chains, and users can add custom chains. The most important built-in chains are INPUT, OUTPUT and FORWARD in the filter table.

    • PREROUTING chain: processes packets before the routing decision
    • INPUT chain: processes packets addressed to the firewall itself
    • OUTPUT chain: processes packets generated by the firewall itself
    • FORWARD chain: processes packets forwarded through the firewall
    • POSTROUTING chain: processes packets after the routing decision

Traffic leaving the intranet is usually under our own control and benign, so the INPUT chain is the one used most: rules there make it harder for attacks from the external network to damage the internal network.

The INPUT and OUTPUT chains are used mainly in a "host firewall", which protects the server itself; the FORWARD, PREROUTING and POSTROUTING chains are used mainly in a "network firewall" on a gateway server, for security control between the corporate intranet and the Internet.

[Figure: how a packet passes through the nat table and the filter table in the kernel]

Matching procedure

1. Order between rule tables

When a packet reaches the firewall, the rules of the raw table, the mangle table, the nat table and the filter table are applied in that order.

2. Order of rules between chains

    • Inbound data flow: when a packet from outside reaches the firewall, it is first handled by the PREROUTING chain (whether to rewrite the address, etc.) and then routed (deciding where the packet goes). If the destination address is the firewall itself (for example an Internet user accessing the web service port of the gateway), the kernel hands it to the INPUT chain (deciding whether to let it through, etc.) and then up to the application on the system (such as the httpd server);
    • Forwarding data flow: a packet from outside reaching the firewall is first handled by the PREROUTING chain and then routed. If its destination address is another external address (for example a LAN user reaching a QQ server through the gateway), the kernel hands it to the FORWARD chain (allow forwarding, or intercept and discard) and finally to the POSTROUTING chain (whether to rewrite the address);
    • Outbound data flow: a packet sent by the firewall host itself to an external address (for example testing a public DNS service from the firewall host) is first handled by the OUTPUT chain, then routed, and then handed to the POSTROUTING chain (whether to rewrite the address).

3. Order of rules within a chain

When a packet passes through a chain, the rules are compared in order: the first rule, the second rule and so on. Filtering in a chain follows the principle of "match and stop": once a matching rule is found, no further rules in the chain are checked (non-terminating targets such as LOG are the exception and let the packet continue to the next rule). If the whole chain is compared and no rule matches, the packet is handled according to the chain's default policy.

Basic command format for writing firewall rules
iptables [-t table] command [chain] [match conditions] [-j target]

The -t option defaults to the filter table, so rules written without it go there.

In the iptables firewall system, the most common targets (control types) are:

  • ACCEPT: let the packet through;
  • DROP: discard the packet silently, without any response to the sender;
  • REJECT: refuse the packet and, where appropriate, send an error response to the sender (an ICMP error by default, or a TCP RST with --reject-with tcp-reset);
  • LOG: write a kernel log entry (it ends up wherever syslog routes kernel messages, typically /var/log/messages or /var/log/kern.log) and then continue with the next rule. LOG is the special case of the "match and stop" principle: it is a non-terminating target that only records the packet and does not decide its fate.
Basic operations for managing rules

Option           Function
-A               Append a new rule at the end of the specified chain
-I               Insert a new rule into the specified chain; without a number it becomes the first rule
-D               Delete a rule from the specified chain, by number or by repeating its exact specification
-R               Replace the rule with the given number in the specified chain
-L               List the rules in the specified chain; without a chain name, list all chains in the table
-F               Flush (delete) all rules in the specified chain; without a chain name, all chains in the table
-P               Set the default policy of the specified chain
--line-numbers   Show each rule's number in the chain when listing

When listing, -n is usually added so that addresses and ports are shown numerically instead of being resolved, and -v shows packet counters and interfaces.

Example:

    1. Add a new rule that allows the TCP protocol to pass

    2. View the rules table

    3. Delete a rule

    4. Flush the rules

    5. Set the default policy
      The default policy is applied when no rule in the chain matches the packet. It can only be ACCEPT or DROP.
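The five operations above, written out as an added example that is not part of the original page. It is a POSIX sh script in which IPT names the iptables binary; setting IPT=echo prints the commands instead of applying them, so the sequence can be previewed without root. The ports used are illustrative assumptions.

```shell
#!/bin/sh
# Added example: basic rule management on the filter table.
# IPT defaults to the real binary; IPT=echo prints the commands instead
# (no root needed). Ports below are illustrative assumptions.
IPT="${IPT:-iptables}"

# 1. Add rules. -A appends at the end of the chain, -I inserts at a given
#    position (position 1 when none is given), so the loopback rule ends up
#    first even though it is issued last.
add_rules() {
    $IPT -t filter -A INPUT -p tcp --dport 22 -j ACCEPT   # SSH, appended
    $IPT -t filter -A INPUT -p tcp --dport 80 -j ACCEPT   # HTTP, appended after it
    $IPT -t filter -I INPUT 1 -i lo -j ACCEPT             # becomes rule number 1
}

# 2. View the chain. -n skips DNS/port-name lookups, -v shows counters and
#    interfaces, --line-numbers shows the position used by -D/-I/-R.
show_rules() {
    $IPT -t filter -L INPUT -n -v --line-numbers
}

# 3. Delete a rule either by its number or by repeating its exact specification.
delete_rules() {
    $IPT -t filter -D INPUT 3
    $IPT -t filter -D INPUT -p tcp --dport 22 -j ACCEPT
}

# 4. Flush every rule in INPUT. The default policy is NOT changed by -F, so on
#    a chain whose policy is DROP this locks everything out.
flush_rules() {
    $IPT -t filter -F INPUT
}

# 5. Default policy, applied when no rule matches. Only ACCEPT and DROP are
#    valid here. Set DROP on INPUT only after the rules that keep your own
#    access (SSH, lo) are in place, or a remote session is cut off.
set_policy() {
    $IPT -t filter -P INPUT DROP
    $IPT -t filter -P FORWARD DROP
    $IPT -t filter -P OUTPUT ACCEPT
}

# Run the whole sequence as root:    sh manage.sh apply
# Preview without root:              IPT=echo sh manage.sh apply
if [ "${1:-}" = "apply" ]; then
    add_rules
    set_policy
    show_rules
fi
```

The order in the apply branch matters: the allow rules go in before the policy is switched to DROP, which is the single most common way of locking oneself out of a remote box.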
Match conditions for rules

1. Generic matches

Can be used on their own, without depending on other conditions or extension modules. Three kinds are common:

1) Protocol Matching

Specified with "-p protocol" (lowercase; uppercase -P sets a chain policy) to check the network protocol used by the packet, such as tcp, udp, icmp or all; a "!" before the value negates the match. The supported protocols can be looked up in the /etc/protocols file.

Example:
Drop ICMP packets that access the firewall itself, and allow forwarding of all packets passing through the firewall except ICMP.

2) Address matching

Specified with "-s source-address" or "-d destination-address" (lowercase; uppercase -D deletes a rule) to check the source or destination address of the packet. Single IP addresses and network segments such as 192.168.1.0/24 are supported; host names and domain names are not recommended, because they are resolved only once when the rule is loaded, which is slow and pins the rule to whatever the DNS answered at that moment.

Example:
Refuse to forward packets whose source is 192.168.100.10, but allow forwarding of packets from the 192.168.1.0/24 segment.

3) network Interface Matching

"-i interface" and "-o interface" (lowercase; uppercase -I inserts a rule) check which interface the packet entered the firewall on or leaves it on, i.e. the inbound and the outbound network card. -i is only meaningful in the PREROUTING, INPUT and FORWARD chains and -o in the FORWARD, OUTPUT and POSTROUTING chains.

Example:
Drop packets arriving on the external interface (eth1) that are addressed to the firewall itself and carry a private (RFC 1918) source address.
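The three generic-match examples above, as an added example that is not part of the original page. IPT=echo prints the rules instead of applying them; eth1 as the external interface is taken from the text, and the private ranges are the RFC 1918 blocks.

```shell
#!/bin/sh
# Added example: the three generic matches (-p, -s/-d, -i/-o) applied to the
# three questions above. IPT=echo prints the rules instead of applying them.
# eth1 as the external interface is an assumption taken from the text.
IPT="${IPT:-iptables}"
EXT_IF="${EXT_IF:-eth1}"

# Protocol match. Drop ICMP aimed at the firewall itself, and forward
# everything that is not ICMP ("!" negates the match).
protocol_rules() {
    $IPT -A INPUT -p icmp -j DROP
    $IPT -A FORWARD ! -p icmp -j ACCEPT
}

# Address match. The two prefixes do not overlap, so the order is free; if
# they did overlap, the more specific rule would have to come first, because
# the first matching rule wins.
address_rules() {
    $IPT -A FORWARD -s 192.168.100.10 -j REJECT
    $IPT -A FORWARD -s 192.168.1.0/24 -j ACCEPT
}

# Interface match. A packet entering on the Internet-facing interface can
# never legitimately carry an RFC 1918 source address, so this is a cheap
# anti-spoofing filter for the host itself (INPUT) and for forwarding.
antispoof_rules() {
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        $IPT -A INPUT   -i "$EXT_IF" -s "$net" -j DROP
        $IPT -A FORWARD -i "$EXT_IF" -s "$net" -j DROP
    done
}

# Apply as root: sh generic.sh apply   Preview: IPT=echo sh generic.sh apply
if [ "${1:-}" = "apply" ]; then
    protocol_rules
    address_rules
    antispoof_rules
fi
```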

2. Implicit matches

Cannot be used on their own: they need a protocol match (-p) as a precondition and act as a sub-condition of it; iptables loads the matching extension automatically (implicitly) when it is needed. The following are common:

1) Port Matching

Specified with "--sport source-port" or "--dport destination-port", mainly for the TCP and UDP protocols, to check the packet's source or destination port. A single port number or a continuous range written with a colon ":" (for example 1024:65535) is accepted, and "!" negates the match.

Example:
Allow forwarding of DNS query packets from the 192.168.1.0/24 segment.

2) ICMP type match

Specified as "--icmp-type type" together with "-p icmp", to check the type of an ICMP packet. The type is given as a name or a number: a request is "echo-request" (type 8), a reply is "echo-reply" (type 0), and unreachable destinations are reported with "destination-unreachable" (type 3). These numbers are ICMP types, not codes.

Example:
Forbid other hosts from pinging this machine, but allow this machine to ping other hosts.
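The two implicit-match examples above, as an added example that is not part of the original page. Both matches only exist once -p names the protocol; without it iptables reports an unknown option. IPT=echo prints instead of applying, and the internal segment is the one the text uses.

```shell
#!/bin/sh
# Added example: port and ICMP-type matches. Both only exist once -p names
# the protocol (-p udp/tcp for --dport, -p icmp for --icmp-type).
# IPT=echo prints the rules instead of applying them.
IPT="${IPT:-iptables}"
LAN="${LAN:-192.168.1.0/24}"   # assumed internal segment, from the text

# Forward DNS queries from the LAN and the answers back. DNS uses UDP and
# falls back to TCP for large answers, so both are needed. A port range is
# written with a colon, e.g. --dport 1024:65535 for the client side.
dns_forward_rules() {
    for proto in udp tcp; do
        $IPT -A FORWARD -s "$LAN" -p "$proto" --dport 53 -j ACCEPT
        $IPT -A FORWARD -d "$LAN" -p "$proto" --sport 53 -j ACCEPT
    done
}

# Others may not ping this host, but this host may ping others: drop
# incoming echo-request (type 8), accept incoming echo-reply (type 0) and
# destination-unreachable (type 3) so our own pings and path-MTU discovery
# still work, and let all ICMP out.
icmp_rules() {
    $IPT -A INPUT  -p icmp --icmp-type echo-request -j DROP
    $IPT -A INPUT  -p icmp --icmp-type echo-reply -j ACCEPT
    $IPT -A INPUT  -p icmp --icmp-type destination-unreachable -j ACCEPT
    $IPT -A OUTPUT -p icmp -j ACCEPT
}

# Apply as root: sh implicit.sh apply   Preview: IPT=echo sh implicit.sh apply
if [ "${1:-}" = "apply" ]; then
    dns_forward_rules
    icmp_rules
fi
```

Dropping destination-unreachable as well would silently break path MTU discovery for every connection the host opens; that is why it is accepted alongside echo-reply.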

3. Explicit matches

Need an additional kernel module: the module is loaded with "-m module" and its options are then given as the match conditions. Six kinds are common:

1) multi-port matching

Specified as "-m multiport --dports port-list" or "-m multiport --sports port-list" to check the destination or source port against several ports at once, listed with commas (up to 15 ports; a range written a:b counts as two).
Example:
Allow this machine to open ports 25, 80, 110 and 143 to provide e-mail services.

2) IP range matching

Specified as "-m iprange --src-range start-end" or "-m iprange --dst-range start-end" to check the source or destination address against an arbitrary address range, which need not align with a network mask.

Example:
Forbid forwarding of TCP packets whose source address lies between 192.168.1.10 and 192.168.1.20.

3) MAC address matching

Specified as "-m mac --mac-source address" to check the source MAC address of the packet. It is only valid in the PREROUTING, FORWARD and INPUT chains, and the address seen is that of the previous hop, so it identifies a host only on the firewall's own layer-2 segment and is trivially spoofable.

Example:
Block a host by its MAC address so that it cannot access any application on this machine.

4) Status Matching

Specified as "-m state --state state", using the connection tracking mechanism of iptables to check which connection the packet belongs to. The states are NEW, ESTABLISHED, RELATED and INVALID. On current systems "-m conntrack --ctstate" provides the same states and more; "-m state" is kept here because it is what most older material uses.

Example:
Open only the local web service (port 80) to new connections, accept the TCP reply packets of connections already set up with this machine, and drop all other inbound packets.

5) Limit of connections

Specified as "-m connlimit [!] --connlimit-above N" to limit the number of parallel connections per client address (the grouping can be widened to a prefix with --connlimit-mask).

6) Time-based control

Specified as "-m time" with the options below. Times are compared in UTC unless --kerneltz is given, which is a frequent source of rules that fire at the wrong hour.

# match a start and end date
--datestart YYYY[-MM[-DD[Thh[:mm[:ss]]]]]
--datestop  YYYY[-MM[-DD[Thh[:mm[:ss]]]]]

# match by time of day and by day of week or month
--timestart hh:mm[:ss]
--timestop  hh:mm[:ss]
[!] --monthdays day[,day...]
[!] --weekdays day[,day...]
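A host rule set built from the six explicit matches above, as an added example that is not part of the original page. IPT=echo prints the rules instead of applying them. The MAC address, the address range, the connection cap and the maintenance window are constructed values.

```shell
#!/bin/sh
# Added example: a host rule set using the six explicit matches.
# IPT=echo prints the rules instead of applying them. BAD_MAC is a
# locally administered, constructed address.
IPT="${IPT:-iptables}"
BAD_MAC="${BAD_MAC:-02:00:00:00:00:01}"

# 4) state: admit replies to connections this host opened, drop packets
#    conntrack cannot classify, then open only the web service to NEW
#    connections; everything else inbound falls through to the DROP policy.
state_rules() {
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP
    $IPT -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
    $IPT -P INPUT DROP
}

# 1) multiport: one rule instead of four for the mail-related ports.
mail_rules() {
    $IPT -A INPUT -p tcp -m multiport --dports 25,80,110,143 -j ACCEPT
}

# 2) iprange: refuse to forward TCP from an address range that does not
#    align with a netmask.
iprange_rules() {
    $IPT -A FORWARD -p tcp -m iprange --src-range 192.168.1.10-192.168.1.20 -j DROP
}

# 3) mac: inserted at position 1 so it is checked before the ESTABLISHED
#    accept. Only the source MAC of the last hop is visible, so this only
#    identifies hosts on the firewall's own layer-2 segment.
mac_rules() {
    $IPT -I INPUT 1 -m mac --mac-source "$BAD_MAC" -j DROP
}

# 5) connlimit: cap parallel TCP connections to port 80 per client address
#    (--connlimit-mask 32 = per host; 24 would count per /24). It must sit
#    before the rule that accepts NEW connections to port 80.
connlimit_rules() {
    $IPT -I INPUT 1 -p tcp --dport 80 -m connlimit --connlimit-above 20 --connlimit-mask 32 -j REJECT
}

# 6) time: allow SSH only in a weekday maintenance window. xt_time compares
#    against UTC unless --kerneltz is given, so state the zone explicitly.
time_rules() {
    $IPT -A INPUT -p tcp --dport 22 -m time --timestart 09:00 --timestop 18:00 --weekdays Mon,Tue,Wed,Thu,Fri --kerneltz -j ACCEPT
}

# Apply as root: sh explicit.sh apply   Preview: IPT=echo sh explicit.sh apply
if [ "${1:-}" = "apply" ]; then
    state_rules; mail_rules; time_rules; iprange_rules
    mac_rules; connlimit_rules
fi
```

The -I 1 rules are issued last on purpose: they have to precede the ESTABLISHED/RELATED accept, otherwise a blocked MAC or an over-limit client would be let through as soon as its first connection was tracked.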

SNAT policy (source address translation)

SNAT is an address translation operation of the Linux firewall and a packet-control type (target) of the iptables command; it rewrites the source IP address of a packet according to the specified conditions.

Applied on a gateway, the SNAT policy solves the problem of sharing one Internet connection among a LAN: servers on the Internet only ever see the gateway's address and never learn the real IP address of the LAN PC. The translation is done entirely by the gateway, which to some extent also hides the internal network.

SNAT applications

To be continued in writing ...

DNAT policy (destination address translation)

DNAT is the other address translation type of the Linux firewall, also a packet-control type (target) of the iptables command; it rewrites the destination IP address and destination port of a packet according to the specified conditions.

It can be used to publish an internal enterprise web server on the gateway's public address.

DNAT applications

To be continued in writing ...
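The two uses described in the SNAT and DNAT sections above, as an added example that is not part of the original page: a gateway that shares one public address for a LAN and publishes an internal web server. Interface names and addresses are assumptions (203.0.113.0/24 is documentation address space); IPT=echo and SYSCTL=echo print the commands instead of applying them.

```shell
#!/bin/sh
# Added example: SNAT for a LAN behind a gateway and DNAT to publish an
# internal web server. Interface names and addresses are assumptions.
IPT="${IPT:-iptables}"
SYSCTL="${SYSCTL:-sysctl}"
LAN_IF="${LAN_IF:-eth0}"
EXT_IF="${EXT_IF:-eth1}"
LAN="${LAN:-192.168.1.0/24}"
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"
WEB_SERVER="${WEB_SERVER:-192.168.1.20}"

# The gateway must route between its interfaces at all; nat rules alone do
# not enable forwarding.
enable_forwarding() {
    $SYSCTL -w net.ipv4.ip_forward=1
}

# SNAT: rewrite the source of LAN packets leaving on the external interface
# to the gateway's public address, so Internet hosts only ever see that
# address. MASQUERADE does the same for a dynamically assigned address.
# The translation lives in nat/POSTROUTING; filter/FORWARD must still allow
# the traffic, and replies are mapped back by connection tracking.
snat_rules() {
    $IPT -t nat -A POSTROUTING -s "$LAN" -o "$EXT_IF" -j SNAT --to-source "$PUBLIC_IP"
    $IPT -A FORWARD -i "$LAN_IF" -o "$EXT_IF" -s "$LAN" -j ACCEPT
    $IPT -A FORWARD -i "$EXT_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# DNAT: packets arriving from the Internet for port 80 on the public address
# are redirected, in nat/PREROUTING (before the routing decision), to the
# internal web server. The FORWARD rule must match the translated
# destination, because filter/FORWARD runs after the PREROUTING rewrite.
dnat_rules() {
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -d "$PUBLIC_IP" -p tcp --dport 80 -j DNAT --to-destination "$WEB_SERVER:80"
    $IPT -A FORWARD -i "$EXT_IF" -o "$LAN_IF" -d "$WEB_SERVER" -p tcp --dport 80 -m state --state NEW -j ACCEPT
}

# Apply as root: sh nat.sh apply   Preview: IPT=echo SYSCTL=echo sh nat.sh apply
if [ "${1:-}" = "apply" ]; then
    enable_forwarding
    snat_rules
    dnat_rules
fi
```

The web server's replies leave the LAN with source 192.168.1.20 and are covered by the first FORWARD rule of snat_rules; no separate reverse rule is needed because conntrack already knows the connection.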

Rule export and import

iptables provides commands to export and import the whole rule set in bulk: iptables-save and iptables-restore.

1. Rule Export

iptables-save                            # prints the current rule set of all tables to standard output

iptables-save > /opt/iptables.20180613   # keep a dated copy (on RHEL/CentOS 6, "service iptables save" writes the same format to /etc/sysconfig/iptables)

2. Rule import

iptables-restore < /opt/iptables.20180613   # reads the file from standard input and replaces the rule set of each table in one step

iptables-restore flushes the existing rules of each table in the file before loading, unless -n (--noflush) is given; check a hand-edited file with "iptables-restore --test" before committing it.
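Exporting, checking and loading a saved rule set, as an added example that is not part of the original page. The commands are the real tools; only the sample file written by write_sample_ruleset is constructed, to show the iptables-save file structure. IPT_SAVE and IPT_RESTORE can be overridden to preview.

```shell
#!/bin/sh
# Added example: export the live rule set, check a saved file, and load it
# atomically. The sample rule set below is constructed for illustration.
IPT_SAVE="${IPT_SAVE:-iptables-save}"
IPT_RESTORE="${IPT_RESTORE:-iptables-restore}"

# 1. Export. iptables-save prints the whole rule set (all tables) as text;
#    redirect it to keep a dated copy.
export_rules() {
    $IPT_SAVE > "$1"
}

# A minimal file in the iptables-save format, to show the structure:
# "*table", ":CHAIN POLICY [packets:bytes]", the rules, then "COMMIT".
write_sample_ruleset() {
    cat > "$1" <<'EOF'
# constructed sample rule set
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
EOF
}

# Tables declared in a saved file, in order.
ruleset_tables() {
    sed -n 's/^\*//p' "$1"
}

# Cheap structural check before handing the file to the kernel: every
# "*table" block must be closed by a COMMIT line, or the restore is rejected.
check_ruleset() {
    tables=$(grep -c '^\*' "$1" || true)
    commits=$(grep -c '^COMMIT$' "$1" || true)
    [ "$tables" -gt 0 ] && [ "$tables" -eq "$commits" ]
}

# 2. Import. iptables-restore reads the file on stdin and replaces the rule
#    set of each table in one step (flushing it first unless -n is given).
#    --test parses the file without committing, so a typo does not leave
#    the box half-configured.
import_rules() {
    check_ruleset "$1" || { echo "malformed rule set: $1" >&2; return 1; }
    $IPT_RESTORE --test < "$1" && $IPT_RESTORE < "$1"
}

# Usage as root:
#   export_rules /opt/iptables.20180613
#   import_rules /opt/iptables.20180613
```

Because iptables-restore applies each table atomically, loading a saved file is the safer way to change a remote firewall than a series of individual iptables commands, during which the chain is briefly in a half-built state.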

