Contents
1. Relationship between netfilter and iptables
2. Four tables and five chains
(3) Matching order between rule chains
(4) Matching order within a rule chain
3. Installation and usage of iptables
(1) Configuration methods for the iptables firewall
(2) iptables command line configuration method
Preface
The Linux firewall, netfilter/iptables, is an IP packet filtering system made up of two components: netfilter and iptables.
It works mainly at the network layer on IP packets: it inspects and acts on the IP addresses, ports and similar fields carried in each packet.
1. Relationship between netfilter and iptables
(1) netfilter
netfilter: the firewall subsystem that lives in kernel space. It is part of the kernel and consists of a number of packet filtering tables; these tables hold the rule sets the kernel uses to decide how packets are filtered.
(2) iptables
iptables: the firewall management tool that lives in user space. It is a command line program for managing the Linux firewall and makes it easy to insert, modify and delete rules in the packet filtering tables. It is normally installed as /sbin/iptables.
Below, netfilter/iptables is referred to simply as iptables. iptables is a kernel based firewall with four built-in rule tables: raw, mangle, nat and filter. Rules take effect as soon as they are configured in a table; no service restart is needed.
2. Four tables and five chains
Role of a rule table: to hold rule chains.
Role of a rule chain: to hold firewall rules.
Tables contain chains, and chains contain rules.
(1) Four tables
raw table: decides whether connection tracking is applied to a packet. Contains two chains: OUTPUT, PREROUTING.
mangle table: modifies packet contents for traffic shaping and sets marks on packets. Contains five chains: INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING.
nat table: responsible for network address translation, i.e. rewriting the source or destination IP address or port of a packet. Contains three chains: OUTPUT, PREROUTING, POSTROUTING.
filter table: responsible for filtering packets, i.e. deciding whether a packet is allowed through. Contains three chains: INPUT, FORWARD, OUTPUT.
# Of the four tables, mangle and raw are the least used.
(2) Five chains
INPUT: processes inbound packets whose destination IP address is this machine.
OUTPUT: processes outbound packets; rules are seldom configured on this chain.
FORWARD: processes forwarded packets, i.e. packets that pass through this machine.
PREROUTING chain: processes packets before the routing decision; used to rewrite the destination address (DNAT), for example mapping port 80 of an internal host to a port on the router's external interface.
POSTROUTING chain: processes packets after the routing decision; used to rewrite the source address (SNAT), equivalent to the NAT function of a router that lets internal hosts reach the Internet through a single public IP address.
(3) Matching order between rule chains
Inbound traffic (packets from outside whose destination is the firewall host itself): PREROUTING --> INPUT --> local applications
Outbound traffic (packets sent from the firewall host to an external address): local applications --> OUTPUT --> POSTROUTING
Forwarded traffic (packets that pass through the firewall): PREROUTING --> FORWARD --> POSTROUTING
(4) Matching order within a rule chain
Rules are checked in order from top to bottom, and checking stops at the first matching rule (the exception is the LOG target, which records the packet and then continues with the next rule).
If no rule in the chain matches, the packet is handled according to the chain's default policy (ACCEPT unless it has been changed).
3. Installation and usage of iptables
Installation commands:
yum -y install iptables iptables-services
systemctl start iptables.service
(1) Configuration methods for the iptables firewall
1. Use the iptables command line.
2. Use system-config-firewall (desktop environment).
(2) iptables command line configuration method
iptables [-t table] management-option [chain] [match conditions] [-j control-type]
Notes:
When the table name is not specified, it refers to the filter table by default
When the chain name is not specified, it refers to all chains in the table by default
You must specify matching criteria unless you set the default policy for the chain
Management options, chain names and control types are written in uppercase; everything else is lowercase
Common control types:
ACCEPT: allow packets to pass.
DROP: silently discard the packet without sending any response to the sender.
REJECT: discard the packet and send an error response back to the sender.
SNAT: modify the source address of the packet.
DNAT: modify the destination address of the packet.
MASQUERADE: a form of SNAT for hosts whose public IP address is not fixed (dynamically assigned).
Common management options:
Option | Meaning
-A | Append (--append) a new rule at the end of the specified chain
-I | Insert (--insert) a new rule into the specified chain; without a sequence number it becomes the first rule
-R | Replace (--replace) a rule in the specified chain, identified by sequence number or by its content
-P | Set the default policy (--policy) of the specified chain
-D | Delete (--delete) a rule from the specified chain, identified by sequence number or by its content
-F | Flush (--flush) all rules in the specified chain; without a chain name, all chains in the table are flushed
-L | List (--list) all rules in the specified chain; without a chain name, all chains in the table are listed
-n | Show output in numeric form (--numeric), e.g. IP addresses instead of host names
-v | Show details (--verbose), including the packet and byte counters of each rule
--line-numbers | Show the sequence number of each rule when listing
Add a new rule:
iptables -t filter -A INPUT -p icmp -j REJECT
iptables -I INPUT 2 -p tcp --dport 22 -j ACCEPT
View the rule list:
iptables [-t table] -n -L [chain] [--line-numbers]
or iptables -[vn]L  # Note: -nL works but -Ln does not, because -L takes an optional chain name and would read the "n" as one
iptables -n -L --line-numbers
Set the default policy:
iptables [-t table] -P <chain> <control type>
iptables -P INPUT DROP
iptables -P FORWARD DROP
# In production, both network and host firewalls are normally given a default policy of DROP, with explicit ACCEPT rules acting as a whitelist
Delete a rule:
iptables -D INPUT 2
iptables -t filter -D INPUT -p icmp -j REJECT
(3) Rule matching
General matching: can be used directly, without depending on other conditions or extension modules; covers the network protocol, IP addresses, network interfaces and similar conditions.
Protocol match: -p <protocol name>
Address match: -s <source address>  -d <destination address>   # an IP address, a network segment, a domain name, or empty (any address)
Interface match: -i <inbound interface>  -o <outbound interface>
Examples:
iptables -A FORWARD ! -p icmp -j ACCEPT
iptables -A INPUT -s 192.168.80.11 -j DROP
iptables -I INPUT -i ens33 -s 192.168.80.0/24 -j DROP
ICMP type matching
ICMP type match: --icmp-type <ICMP type>   # the type can be given as a name or a numeric code
"Echo-Request" (8) is a ping request
"Echo-Reply" (0) is the ping reply
"Destination-Unreachable" (3) means the destination is unreachable
For the other available ICMP types, run "iptables -p icmp -h" to view the help.
iptables -A INPUT -p icmp --icmp-type 8 -j DROP     # stop other hosts from pinging this machine
iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT   # allow this machine to ping other hosts (their replies are let in)
iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT   # when this machine cannot reach another host, let the "destination unreachable" message in
iptables -A INPUT -p icmp -j REJECT                 # for this to work, the other hosts must use REJECT, not DROP, as the control type for the ICMP protocol
State matching
State match: -m state --state <connection state>
Common connection states:
NEW: not associated with any existing connection; the connection has not been established yet
ESTABLISHED: a reply to a request, or a connection that has already been established
RELATED: related to an existing connection (e.g. the FTP data connection in active or passive mode), i.e. a derived connection; normally used together with ESTABLISHED
INVALID: cannot be associated with any known connection, or has no state
iptables -A FORWARD -m state --state NEW -p tcp ! --syn -j DROP   # do not forward non-SYN packets that belong to no normal TCP connection (e.g. forged attack packets)