Linux iptables firewall concept
iptables (IP packet filter administration) is used to set up, maintain and inspect the IP packet filtering rules in the Linux kernel.
Several tables can be defined. Each table contains a number of built-in chains and may also contain user-defined chains. A chain is a list of rules that match particular packets, and each rule specifies what is to be done with a packet that matches. This is called the target: it is either a built-in action or a jump to a user-defined chain in the same table.
From user space you build your own rules, which are stored in the packet filtering table in kernel space. Every rule has a target; it tells the kernel what to do with packets that come from a certain source, travel to a certain destination or carry a certain protocol. If a packet matches a rule whose target is ACCEPT, the packet is allowed through. The targets DROP and REJECT block the packet: DROP discards it silently, REJECT discards it and sends an error back to the sender. There are many other targets that perform other operations on a packet, such as LOG or a jump to a user-defined chain.
Rules are grouped into chains according to the kind of packet they process. Rules for packets addressed to the local system are added to the INPUT chain, rules for packets generated by the local system are added to the OUTPUT chain, and rules for packets routed through the system are added to the FORWARD chain. These three chains are the built-in backbone of the basic packet filtering (filter) table. Other tables provide further built-in chains (such as PREROUTING and POSTROUTING in the nat table), and you can add user-defined chains of your own. Each built-in chain has a policy that defines the "default target", that is, the action taken on a packet that matches none of the rules in the chain. Note that a policy can only be ACCEPT or DROP; REJECT is an extension target and cannot be set as a policy, so a rejecting default has to be written as the last rule of the chain.
Once the rules and chains are in place, the real work of packet filtering begins and the kernel takes over from user space. When a packet reaches the firewall, the kernel examines the packet header, in particular the destination of the packet, to decide where it should go. This process is called routing.
If the packet comes from the outside world and is addressed to this system, and the firewall is enabled, the kernel passes it to the INPUT chain of the filter table. If the packet originates on this system, or on an internal system connected to it, and is travelling to an external system, it is passed to the OUTPUT chain. Similarly, a packet that comes from one external system and is being routed on to another external system is passed to the FORWARD chain; this only happens when IP forwarding is enabled (/proc/sys/net/ipv4/ip_forward set to 1).
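The chain, target and policy concepts above, as an added example that is not code from the original page: a small stateful host firewall that sets a default-deny policy, builds a user-defined LOG_DROP chain and orders the rules so that connection tracking is consulted before any port rule. The management network SSH_NET, the LOG_DROP chain name and the dry-run wrapper are assumptions of this example. Run it as root with the argument apply to load the rules; with no argument it prints the iptables commands it would execute.

```shell
#!/bin/sh
# Added example (not code from the original page): a stateful host firewall
# illustrating tables, built-in and user-defined chains, targets and policies.
# Assumptions: SSH is only allowed from SSH_NET (an example management
# network); IPT can be overridden to dry-run the script without root.
IPT="${IPT:-iptables}"
SSH_NET="${SSH_NET:-192.0.2.0/24}"

# Dry-run back end: print the command that would be executed.
fw_print() { printf 'iptables %s\n' "$*"; }

fw_apply() {
    # Start from a known state: flush the filter table, delete user-defined
    # chains, and set the policies before adding any rule so there is no
    # window during which everything is accepted.
    $IPT -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # User-defined chain: rate-limited LOG, then DROP. Jumping here instead
    # of straight to DROP records what the firewall discards.
    $IPT -N LOG_DROP
    $IPT -A LOG_DROP -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "FW-DROP: " --log-level 4
    $IPT -A LOG_DROP -j DROP

    # Rule order matters: loopback and connection tracking come first, so
    # replies to outbound connections never depend on the port rules below.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate INVALID -j LOG_DROP
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # New connections: only the services offered, SSH only from SSH_NET.
    $IPT -A INPUT -p tcp --dport 22 -s "$SSH_NET" -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 10/s -j ACCEPT

    # Everything else is logged and dropped. The DROP policy remains the
    # backstop if this rule is ever deleted.
    $IPT -A INPUT -j LOG_DROP
}

# Print the rules instead of loading them (works without root).
fw_dry_run() { ( IPT=fw_print; fw_apply ); }

# Number of rules the dry run appends to a chain, e.g. fw_rule_count INPUT.
fw_rule_count() { fw_dry_run | grep -c -- "-A $1 "; }

if [ "${1:-}" = "apply" ]; then
    fw_apply
else
    fw_dry_run
fi
```

The example uses -m conntrack --ctstate, the current spelling of the -m state --state match used in the two scripts below; state is kept as an alias and both forms work. When loading a ruleset like this over SSH, run it from a console or with a scheduled rollback (for example, iptables-save first and a delayed iptables-restore), because a mistake in the SSH rule locks you out.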
iptables Example 1:
#!/bin/sh
# Disable packet forwarding while the rules are being rewritten
echo 0 > /proc/sys/net/ipv4/ip_forward
# Clear the existing iptables rules and set the default policies
iptables -t nat -F POSTROUTING
iptables -t nat -F PREROUTING
iptables -t nat -F OUTPUT
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
# Open the TCP and UDP ports that must be reachable in the INPUT chain
iptables -A INPUT -j ACCEPT -p tcp --dport 80
iptables -A INPUT -j ACCEPT -p tcp --dport 22
iptables -A INPUT -j ACCEPT -p tcp --dport 25
iptables -A INPUT -j ACCEPT -p tcp --dport 1352
iptables -A INPUT -p udp --destination-port 53 -j ACCEPT
# INPUT state rule: accept packets of ESTABLISHED or RELATED connections
# (the state list is comma-separated with no spaces)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Note: there is no loopback rule, so local services talking over 127.0.0.1
# fall through to the DROP policy, and FORWARD stays ACCEPT while forwarding
# is enabled below, so this host routes any traffic. Example 2 is stricter.
# Re-enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables Example 2:
Note: in this example you only need to set the TCP and UDP ports and the IP range of the internal server network segment; everything else has sensible defaults.
#!/bin/sh
# Author: yongzhang
# Date: 2004-06-18
# E-mail: yongzhang@wiscom.com.cn
PATH=/sbin:/bin:/usr/sbin:/usr/bin
## Allowed TCP ports
TPORTS="80 22"
## Allowed UDP ports
UPORTS="53"
## Internal server IP range
SERVER_IP="172.18.10.0/24"
## Disable forwarding while the rules are rebuilt
echo 0 > /proc/sys/net/ipv4/ip_forward
## Reset default policies
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
## Delete all iptables rules
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
## Delete all non-default (user-defined) chains
iptables -X
iptables -t nat -X
## Default policies: drop inbound and forwarded traffic, allow outbound
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
## Allow ping and the ICMP error messages a working network needs
## (type 5, redirect, is commonly dropped on modern hosts)
iptables -A INPUT -p icmp -s 0/0 --icmp-type 0 -j ACCEPT
iptables -A INPUT -p icmp -s 0/0 --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp -s 0/0 --icmp-type 5 -j ACCEPT
iptables -A INPUT -p icmp -s 0/0 --icmp-type 8 -j ACCEPT
iptables -A INPUT -p icmp -s 0/0 --icmp-type 11 -j ACCEPT
#iptables -A INPUT -p icmp -s 0/0 --icmp-type 11 -m limit --limit 5/s -j ACCEPT
iptables -A FORWARD -p icmp -j ACCEPT
## Forward packets of established connections
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
## Accept ESTABLISHED/RELATED packets addressed to the router itself
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
## Accept TCP packets from the internal network on the internal interface
iptables -A INPUT -s $SERVER_IP -p tcp -j ACCEPT
## Open ports on the router for the server/services
## TCP ports
for ATP in $TPORTS
do
    iptables -A INPUT ! -s $SERVER_IP -d $SERVER_IP -p tcp --destination-port $ATP -j ACCEPT
    iptables -A FORWARD -p tcp --destination-port $ATP -j ACCEPT
done
## UDP ports
for AUP in $UPORTS
do
    iptables -A INPUT -p udp --destination-port $AUP -j ACCEPT
    iptables -A FORWARD -p udp --destination-port $AUP -j ACCEPT
done
## Bad-packets rule
## Drop INVALID packets immediately: inserted at position 1 so it is evaluated before the ACCEPT rules above
iptables -I INPUT 1 -p all -m state --state INVALID -j DROP
## Rate-limit IP fragments (-f matches second and later fragments; this is not a SYN-flood limit)
#iptables -A INPUT -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
#iptables -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
## Deny all ICMP packets arriving on eth0, the external interface
#iptables -A INPUT -i eth0 -s 0.0.0.0/0 -p icmp -j DROP
## Allow loopback
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT
## Enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
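An added auditing example, not part of the original page, that serves both scripts above: it reads an iptables-save dump and reports the mistakes these scripts make easy to commit, namely an ACCEPT policy on INPUT or FORWARD, an INVALID drop appended after ACCEPT rules (where the rules before it already accepted the packet), tcp/22 opened to every source, and no loopback rule. The two dumps embedded below are constructed for this example (one modelled on Example 1, one a corrected ruleset with 192.0.2.0/24 as an assumed management network); the list of checks is this example's choice, not a rule stated on the page.

```shell
#!/bin/sh
# Added example, not part of the original page. Audits an iptables-save dump
# read from stdin for ordering and policy mistakes; prints one finding per
# line. On a live system: iptables-save | fw_audit
fw_audit() {
    awk '
    /^\*/      { table = substr($0, 2); next }   # "*filter", "*nat", ...
    /^COMMIT/  { table = ""; next }
    table != "filter" { next }
    /^:/ {
        # ":CHAIN POLICY [packets:bytes]" defines a built-in chain policy
        chain = substr($1, 2); policy = $2
        if ((chain == "INPUT" || chain == "FORWARD") && policy == "ACCEPT")
            print "policy: " chain " defaults to ACCEPT (use DROP and open only what is needed)"
        next
    }
    $1 == "-A" {
        chain = $2; n[chain]++
        if (chain != "INPUT") next
        if ($0 ~ /-i lo /) { lo = 1; next }
        # An INVALID drop only helps if no earlier rule already accepted the packet
        if ($0 ~ /--(ct)?state INVALID/ && $0 !~ / -j ACCEPT/ && accepted)
            print "order: INVALID drop is rule " n[chain] ", after an ACCEPT rule; insert it first"
        if ($0 ~ /--dport 22 / && $0 ~ / -j ACCEPT/ && $0 !~ / -s /)
            print "exposure: rule " n[chain] " accepts tcp/22 from any source"
        if ($0 ~ / -j ACCEPT/) accepted = 1
        next
    }
    END { if (!lo) print "missing: no \"-A INPUT -i lo -j ACCEPT\" rule; local services over 127.0.0.1 hit the policy" }
    '
}

# Number of findings, for scripting (0 means clean).
fw_audit_count() { fw_audit | wc -l | tr -d ' '; }

# Constructed dump modelled on Example 1 above (not captured from a real host).
SAMPLE_BAD='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
COMMIT'

# Constructed dump of a corrected ruleset; 192.0.2.0/24 is an assumed management net.
SAMPLE_GOOD='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 192.0.2.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
COMMIT'

# Demo run on the constructed bad dump (prints four findings).
printf '%s\n' "$SAMPLE_BAD" | fw_audit
```

The match on --(ct)?state covers both the -m state and the -m conntrack spelling, since iptables-save may print either depending on the version installed.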
ipchains firewall:
ipchains concepts:
ipchains is used to set up, maintain and inspect the firewall rules of the Linux kernel (the 2.2 series; it was replaced by iptables in 2.4). Rules fall into four categories: the IP input chain, the IP output chain, the IP forward chain and user-defined chains.
A firewall rule specifies the packet format it matches and a target. When a packet comes in, the kernel uses the input chain to decide its fate. If it passes, the kernel decides where to send the packet next (this step is called routing). If it is to be sent to another machine, the kernel then uses the forward chain. When a rule matches, the packet goes to the target that rule specifies, which may be a user-defined chain or one of the special values ACCEPT, DENY, REJECT, MASQ, REDIRECT and RETURN.
ACCEPT lets the packet through. DENY throws the packet away as if it had never been received. REJECT also throws the packet away but (unless it is an ICMP packet) generates an ICMP reply telling the sender that the destination is unreachable (note that for ICMP packets DENY and REJECT are the same). In iptables terms, DENY corresponds to DROP.
MASQ tells the kernel to masquerade the packet, that is, to rewrite its source address to the firewall's own. It only works in the forward chain and in user-defined chains, and IP masquerading support must have been enabled when the kernel was compiled.
REDIRECT only works in the input chain and in user-defined chains. It tells the kernel to deliver the packet to a local port no matter where it was originally addressed; only TCP and UDP packets can be redirected. An optional argument to '-j REDIRECT' selects the port (by name or number), so the packet is redirected to that port even if it was marked as going to a different one. For this to work, CONFIG_IP_TRANSPARENT_PROXY must have been enabled when the kernel was compiled.
The last special target is RETURN: it skips all the rules below it and continues at the end of the chain, as if the remaining rules had not matched.
Any other target name refers to a user-defined chain, and the packet is passed to that chain. If that chain does not decide the fate of the packet, traversal of it ends and the packet continues with the next rule in the current chain.
ipchains examples:
## Flush the input chain and change its default policy to REJECT
ipchains -F input
ipchains -P input REJECT
## Input chain rules: allow TCP ports 80, 81 and 22 and UDP port 123
## (-y matches only SYN packets, i.e. new TCP connections)
ipchains -A input -s 0/0 -d 0/0 80 -p tcp -y -j ACCEPT
ipchains -A input -s 0/0 -d 0/0 81 -p tcp -y -j ACCEPT
ipchains -A input -s 0/0 -d 0/0 22 -p tcp -y -j ACCEPT
ipchains -A input -s 0/0 -d 0/0 123 -p udp -j ACCEPT
## Apart from the ports allowed above, reject TCP and UDP ports 0-1023, 2049, 6000-6009 and 7100 on the input chain
ipchains -A input -p tcp -s 0/0 -d 0/0 0:1023 -y -j REJECT
ipchains -A input -p tcp -s 0/0 -d 0/0 2049 -y -j REJECT
ipchains -A input -p udp -s 0/0 -d 0/0 0:1023 -j REJECT
ipchains -A input -p udp -s 0/0 -d 0/0 2049 -j REJECT
ipchains -A input -p tcp -s 0/0 -d 0/0 6000:6009 -y -j REJECT
ipchains -A input -p tcp -s 0/0 -d 0/0 7100 -y -j REJECT
## Allow all other packets arriving on the system's own interfaces
ipchains -A input -s 0/0 -d 0/0 -i lo -j ACCEPT
ipchains -A input -s 0/0 -d 0/0 -i eth0 -j ACCEPT
ipchains -A input -s 0/0 -d 0/0 -i eth1 -j ACCEPT
## Flush the output chain and change its default policy to ACCEPT
ipchains -F output
ipchains -P output ACCEPT
## Flush the forward chain and change its default policy to DENY; then allow packets from the 10.10.11.0/24 network to be forwarded and masqueraded
ipchains -F forward
ipchains -P forward DENY
ipchains -A forward -s 10.10.11.0/24 -j MASQ
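Since ipchains has long been gone from the kernel, rules like the ones above are mostly met today when migrating an old machine. The following is an added example, not from the original page: a translator that rewrites an ipchains ruleset as iptables commands and makes the semantic differences explicit. DENY becomes DROP, -y becomes --syn, a port written after -s or -d becomes --sport or --dport, MASQ in the forward chain becomes a FORWARD ACCEPT rule plus a nat POSTROUTING MASQUERADE rule (MASQ did both), and a REJECT policy, which iptables does not allow, becomes a DROP policy with a REJECT rule appended at the end of the chain. The embedded ruleset is a constructed input based on the page's example with the ipchains command prefixed; the translator handles only the options that ruleset uses.

```shell
#!/bin/sh
# Added example, not from the original page: translate an ipchains ruleset
# (stdin) into equivalent iptables commands (stdout). Only the options used in
# the example ruleset above are handled; anything else is echoed as a comment.
fw_ipchains_to_iptables() {
    awk '
    function map_chain(c) {
        c = tolower(c)
        if (c == "input")   return "INPUT"
        if (c == "output")  return "OUTPUT"
        if (c == "forward") return "FORWARD"
        return c                       # user-defined chain: keep the name
    }
    function map_target(t) { return (t == "DENY") ? "DROP" : t }
    $1 != "ipchains" { next }          # skip blank lines and comments
    {
        cmd = $2; chain = map_chain($3)
        if (cmd == "-F") { print "iptables -F " chain; next }
        if (cmd == "-P") {
            pol = map_target($4)
            if (pol == "REJECT") {
                # iptables policies may only be ACCEPT or DROP: use DROP and
                # emit a final REJECT rule for the chain in the END block.
                print "iptables -P " chain " DROP"
                pending_reject[chain] = 1
            } else print "iptables -P " chain " " pol
            next
        }
        if (cmd != "-A") { print "# unsupported: " $0; next }
        out = ""; proto = ""; sport = ""; dport = ""; syn = ""; iface = ""; target = ""
        for (i = 4; i <= NF; i++) {
            if ($i == "-s" || $i == "-d") {
                flag = $i; addr = $(i + 1); i++
                # ipchains lets a port or port range follow the address
                if ($(i + 1) ~ /^[0-9]+(:[0-9]+)?$/) {
                    if (flag == "-d") dport = $(i + 1); else sport = $(i + 1)
                    i++
                }
                if (addr != "0/0") out = out " " flag " " addr   # 0/0 matches everything
            } else if ($i == "-p") { proto = $(i + 1); i++ }
            else if ($i == "-i") { iface = $(i + 1); i++ }
            else if ($i == "-j") { target = $(i + 1); i++ }
            else if ($i == "-y") syn = " --syn"   # SYN-only match
            else out = out " " $i
        }
        # ipchains -i is the incoming interface on input and the outgoing
        # interface on output/forward; iptables uses -i and -o respectively.
        ifflag = (chain == "INPUT") ? " -i " : " -o "
        if (iface != "") out = out ifflag iface
        if (proto != "") out = out " -p " proto
        if (sport != "") out = out " --sport " sport
        if (dport != "") out = out " --dport " dport
        out = out syn
        if (target == "MASQ") {
            # MASQ both accepted and masqueraded; iptables needs two rules.
            print "iptables -A " chain out " -j ACCEPT"
            print "iptables -t nat -A POSTROUTING" out " -j MASQUERADE"
        } else print "iptables -A " chain out " -j " map_target(target)
    }
    END { for (c in pending_reject) print "iptables -A " c " -j REJECT" }
    '
}

# The ipchains example above with the command prefixed (constructed input).
IPCHAINS_RULES='# input chain
ipchains -F input
ipchains -P input REJECT
ipchains -A input -s 0/0 -d 0/0 80 -p tcp -y -j ACCEPT
ipchains -A input -s 0/0 -d 0/0 22 -p tcp -y -j ACCEPT
ipchains -A input -s 0/0 -d 0/0 123 -p udp -j ACCEPT
ipchains -A input -p tcp -s 0/0 -d 0/0 0:1023 -y -j REJECT
ipchains -A input -s 0/0 -d 0/0 -i lo -j ACCEPT
ipchains -F forward
ipchains -P forward DENY
ipchains -A forward -s 10.10.11.0/24 -j MASQ'

printf '%s\n' "$IPCHAINS_RULES" | fw_ipchains_to_iptables
```

The translation is syntactic: it reproduces the old ruleset's behaviour, including the ipchains habit of matching only SYN packets with -y, rather than converting it to the stateful ESTABLISHED,RELATED style of the iptables examples, which is the next step after the migration.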