One: What a firewall is
Plainly speaking, a firewall under Linux is a tool for implementing access control. Firewalls come in two kinds, hardware and software. Whichever network it serves, the firewall must sit at the edge of that network. Our task is to define how the firewall should work, that is, its policy and its rules, so that it can inspect the IP addresses and the data of whoever wants to access the network.
The firewalls most common on the market today are layer-3/4 firewalls, called network-layer firewalls, and layer-7 firewalls, which are in fact application-layer proxy gateways.
In terms of the seven-layer model, the third layer is the network layer, and a layer-3 firewall inspects source and destination addresses at that layer. A layer-7 firewall, on the other hand, inspects everything, regardless of what the source or destination port and address are. In design principle the layer-7 firewall is therefore more secure, but it is less efficient, so products on the market are generally a combination of the two. And because all access has to pass through the firewall's checkpoint, the efficiency of the firewall becomes the most important factor controlling how much data users can access; a badly configured firewall can even become a traffic bottleneck.
Two: iptables history and how it works
iptables was formerly called ipfirewall (in the kernel 1.x era), a port by its author from FreeBSD: a simple access control tool that could inspect packets inside the kernel. But ipfirewall's functionality was extremely limited (all of its rules had to be placed into the kernel before they could run, and getting anything into the kernel is generally extremely difficult). When the kernel reached the 2.x series the software was renamed ipchains; it could define multiple rules and chain them together so that they worked as a whole. Now it is called iptables, and you can compose lists of rules to achieve very fine-grained access control.
iptables works in user space, and the tool that defines the rules is not itself the firewall. The rules it defines are read by netfilter in kernel space, and that is where the firewall actually does its work. The rules must therefore be placed at specific locations in the kernel through which the TCP/IP protocol stack is bound to pass, and the component of the TCP/IP stack where the rules can be read is called netfilter (the network filter).
Five such positions were selected in kernel space:
1. In kernel space, where a packet that came in through one network interface goes out through another interface (forwarding)
2. Where packets flow from the kernel into user space
3. Where packets flow out of user space
4. Where packets enter or leave through the machine's external network adapter
5. Where packets enter or leave through the machine's internal network adapter
2. How iptables works
From the above we know that the developers selected these five locations as control points. But notice that the first three positions alone would already be able to block the paths almost completely, so why set up a further checkpoint on the external and internal network cards as well? Because at the moment a packet arrives, the routing decision has not yet been made: the kernel does not know where the data is headed, so there is no way to filter it as it enters or leaves. That is why checkpoints are placed for forwarding in kernel space, for entering user space, and for leaving user space. Well, if the other two are of no use for filtering, why place them at all? Because when we do NAT and DNAT, the destination address must be translated before routing. So checkpoints are also set up on the external network interface and on the internal one.
These five positions are called the five hooks (hook functions), also called the five rule chains:
1.PREROUTING (before routing)
2.INPUT (packet inlet)
3.FORWARD (the forwarding checkpoint between cards)
4.OUTPUT (packet outlet)
5.POSTROUTING (after routing)
These are the five rule chains netfilter stipulates: any packet that passes through this machine will traverse one of these five chains.
3. Firewall policy
Firewall policies are generally of two kinds: the "pass" policy and the "block" policy. With the pass policy the door is closed by default, and we must define who may enter. With the block policy the door is wide open, but you must have an identity or you cannot enter. So we have to define who is let in, who is let out, and so on; then, between all-pass and all-block, one is chosen as the default. When we define policy we define several functions: the function that decides whether a packet is allowed or not is filtering (filter), and the function that defines address translation is nat. To let these functions work side by side, a "table" was devised as the unit that separates and organizes the different functions and their handling.
The three tables we use most are:
1.filter: defines what is allowed or not allowed
2.nat: defines address translation
3.mangle: modifies the original packet
Modifying the original packet means things like changing the TTL, or taking the packet's metadata apart to mark or edit its contents. Firewall marks are in fact implemented through mangle.
The filter table can generally only work on three chains: INPUT, FORWARD, OUTPUT
The nat table generally only works on three chains: PREROUTING, OUTPUT, POSTROUTING
The mangle table can work on all five chains: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING
iptables (the software half of iptables/netfilter) works in user space. It puts rules into force but is not itself a service; a rule takes effect immediately. Nowadays iptables has also been made into a service that can be started and stopped: starting it puts the rules into effect, stopping it revokes them.
iptables also supports user-defined chains. But a user-defined chain must be associated with one of the built-in chains: a rule on a built-in chain specifies that certain data is to be handed to the user-defined chain, and when that chain has finished processing, the packet returns to the built-in chain, which continues checking its remaining rules.
Note: the order of the rules is critical. Stricter rules should be placed further forward, and rules are checked from top to bottom.
Three: Writing rules
An iptables rule is defined in the following, fairly complex, way:
Format: iptables [-t table] COMMAND chain CRITERIA -j ACTION
-t table: table is one of filter, nat, mangle; if omitted, filter is used.
COMMAND: defines how the rule is managed
chain: specifies which chain the rule operates on; it may be omitted when defining policy
CRITERIA: specifies the matching criteria
-j ACTION: specifies how a matching packet is handled
For example, to forbid 172.16.0.0/24 from accessing the machine's DNS service (UDP port 53):
iptables -t filter -A INPUT -s 172.16.0.0/24 -p udp --dport 53 -j DROP
Of course, if you want the refusal to be more explicit, replace rule 1 of INPUT with a REJECT:
iptables -t filter -R INPUT 1 -s 172.16.0.0/24 -p udp --dport 53 -j REJECT
iptables -L -n -v # view the defined rules in detail
Four: COMMAND in detail
1. Chain management commands (all take effect immediately)
-P: set the default policy (whether the door is closed or open by default)
There are generally only two default policies:
iptables -P INPUT (DROP | ACCEPT)  the default is closed (packets discarded) / the default is open (packets accepted)
iptables -P INPUT DROP  This sets the default to refuse. If no other action has been defined, all external connections, including Xshell and similar remote connections, are refused.
-F: FLUSH, empties the rules of a chain (note that this is administered per chain)
iptables -t nat -F PREROUTING
iptables -t nat -F  empties all chains of the nat table
-N: NEW, lets the user create a chain
iptables -N inbound_tcp_web  creates a chain attached to the table, used here to check web traffic over tcp
-X: deletes an empty user-defined chain
Used like -N, but the chain must be emptied before you delete it
-E: rename a chain; used mainly to rename a user-defined chain
-E oldname newname
-Z: zero the counters of a chain and of its rules (there are two counters: packets matched and bytes matched)
iptables -Z: zero them
2. Rule management commands
-A: append a new rule at the end of the current chain
-I num: insert the rule at position num
-I 3: insert as rule number 3
-R num: replace / modify rule number num
Format: iptables -R CHAIN 3 ...
-D num: delete rule number num explicitly
3. Viewing command: -L
-n: display IPs numerically; without -n, iptables reverse-resolves each IP to a host name.
-v: show details
-vvv: show even more details
-x: display exact counter values, without unit conversion
--line-numbers: display the line number of each rule
-t nat: show the rules of the nat table (the filter table is shown by default)
Five: Match criteria in detail
1. General matches: match the source and destination addresses
-s: specifies the source address to match; a host name cannot be given, it must be an IP:
IP | IP/MASK | 0.0.0.0/0.0.0.0
The address can also be negated: adding "!" means every IP except the one given
-d: matches the destination address
-p: matches the protocol (generally one of three here: TCP / UDP / ICMP)
-i eth0: data flowing in through this card; generally used on INPUT and PREROUTING
-o eth0: data flowing out through this card; generally used on OUTPUT and POSTROUTING
2. Extended matches
2.1 Implicit extensions: extensions of the protocol
-p tcp: extensions of the TCP protocol. There are generally three:
--dport XX:XX: specifies the destination port. You cannot specify several non-contiguous ports, only a single port or a contiguous range, e.g.
--dport 21 or --dport 21:23 (which means 21, 22 and 23)
--sport: specifies the source port
--tcp-flags: TCP flags (SYN, ACK, FIN, PSH, RST, URG)
It usually takes two parameters:
1. the flags to check
2. the flags among them that must be 1
--tcp-flags SYN,ACK,FIN,RST SYN, which is equivalent to --syn
This checks the four listed bits; SYN must be 1 and the other three must be 0, so it matches the first packet of the three-way handshake. For this particular match, the first packet with only SYN set, there is a shorthand: --syn
UDP protocol extensions: -p udp
-p icmp: ICMP packet extensions
echo-request (echo request) is generally represented by type 8
so --icmp-type 8 matches echo request packets
echo-reply (the response packet) is generally represented by type 0
2.2 Explicit extensions (-m)
Extensions provided by the various modules
-m multiport: enables the multi-port extension
We can then write, for example, --dports 21,23,80
Six: -j ACTION in detail
DROP: discard silently
Generally we use DROP more, to hide our identity and hide our rule set
REJECT: reject explicitly
ACCEPT: accept
custom_chain: jump to a custom chain
MASQUERADE: source address masquerading
REDIRECT: redirection, used mainly for port redirection
MARK: set a firewall mark
RETURN: when a custom chain has finished, return to the original rule chain
Example: only the 172.16.0.0/16 network is allowed to access the SSHD service on my machine, 172.16.100.1.
Analysis: first decide which table the rule belongs in. Since we are not doing NAT, it is the filter table. Our SSHD service listens on port 22, and the handling is ACCEPT. For this table two rules are needed, one per direction: whether we allow or refuse access to a service on the machine, it is best defined in the INPUT chain, and the reply direction is then defined in the OUTPUT chain in the same way (both directions of the session have to be defined). So the rules are:
Inbound: iptables -t filter -A INPUT -s 172.16.0.0/16 -d 172.16.100.1 -p tcp --dport 22 -j ACCEPT
Outbound: iptables -t filter -A OUTPUT -s 172.16.100.1 -d 172.16.0.0/16 -p tcp --sport 22 -j ACCEPT
Then change the default policy to DROP:
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
Seven: State detection
This is an explicit extension that detects the relationship between the connections of a session; with it we can extend the functionality to work across sessions.
What is state detection? TCP is a connection-oriented protocol with a three-way handshake. The first handshake packet we call a NEW connection. From the second handshake onward, ACK is 1; this is normal data transmission on a TCP connection that has completed the handshake, a state called ESTABLISHED. Stranger combinations, for example SYN=1 ACK=1 RST=1, are ones we do not recognize, and we call them INVALID. There is a fourth: FTP has an ancient peculiarity that ports 21 and 20 are each used independently yet belong together, and we call that relationship RELATED.
So there are four states in total: NEW, ESTABLISHED, RELATED, INVALID.
We can now add state detection to the exercise just done. For example, only allow connections in state NEW and ESTABLISHED in, and only allow state ESTABLISHED out; this gives good control over the common kind of trojan that calls back out.
Extended exercise:
Allow only NEW and ESTABLISHED in, allow only ESTABLISHED out, and refuse everything else through the default policy:
iptables -L -n --line-numbers: check which line numbers the earlier rules are on
iptables -R INPUT 2 -s 172.16.0.0/16 -d 172.16.100.1 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -R OUTPUT 1 -m state --state ESTABLISHED -j ACCEPT
Now, if you also want to open port 80, how do you do it?
iptables -A INPUT -d 172.16.100.1 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
And for DNS on UDP port 53, replacing rule 1 of INPUT:
iptables -R INPUT 1 -d 172.16.100.1 -p udp --dport 53 -j ACCEPT
If we want to be able to ping others, but not let others ping us, how is that done?
Analysis: for the ping protocol, a type 8 (echo request) goes out and a type 0 (echo reply) comes back. To achieve our goal we need to allow 8 out and allow 0 in.
Outbound: iptables -A OUTPUT -p icmp --icmp-type 8 -j ACCEPT
Inbound: iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
Extension: 127.0.0.1 is special and we need to define it explicitly:
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
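The exercises of sections Three to Seven assembled into one script, as an added example that is not code from the original article. It orders the commands so that the DROP policies are set only after the allow rules exist (the lock-out warned about in section Four), and goes slightly beyond the article by dropping INVALID packets, accepting RELATED traffic and letting outbound DNS through. 172.16.100.1 and 172.16.0.0/16 are the article's assumed addresses; the chain name inbound_tcp_web follows the -N example in section Four; the --apply flag and the rule_count helper are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): the host firewall of the
# exercises above as a reviewable list of iptables commands. Addresses are the
# article's assumed values; run with --apply as root to load them.
HOST_IP="172.16.100.1"
TRUSTED_NET="172.16.0.0/16"

# Emit the commands in lock-out-safe order: flush, create the custom chain,
# add every ACCEPT rule, and only then switch the default policies to DROP.
firewall_commands() {
    cat <<EOF
# start from a clean filter table (flush rules, delete user chains, zero counters)
iptables -F
iptables -X
iptables -Z
iptables -N inbound_tcp_web
# loopback is special and must be allowed explicitly once the policy is DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# unrecognised flag combinations (section Seven's INVALID) are dropped outright
iptables -A INPUT -m state --state INVALID -j DROP
# replies to sessions already accepted, in both directions
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH only from the trusted network; --syn is the first handshake packet
iptables -A INPUT -s ${TRUSTED_NET} -d ${HOST_IP} -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT
# web traffic is handed to the custom chain, which RETURNs on no match
iptables -A INPUT -d ${HOST_IP} -p tcp -m multiport --dports 80,443 -j inbound_tcp_web
iptables -A inbound_tcp_web -m state --state NEW -j ACCEPT
iptables -A inbound_tcp_web -j RETURN
# we may ping others (type 8 out, type 0 back in); nobody may ping us
iptables -A OUTPUT -p icmp --icmp-type 8 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
# outbound DNS, the one NEW connection this host is allowed to open itself
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
# default policies last, when every allow rule is already in place
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
EOF
}

# Number of -A rules the plan adds to a given chain (used to review the plan).
rule_count() {
    firewall_commands | grep -c "^iptables -A $1 "
}

# Execute the plan; sh -e stops at the first command the kernel rejects.
apply_firewall() {
    firewall_commands | sh -e
}

if [ "${1:-}" = "--apply" ]; then
    apply_firewall
else
    firewall_commands
fi
```

Without --apply the script only prints the plan, which is the form to review (or diff against iptables-save output) before touching a remote host; the explicit --syn on the SSH rule is redundant with --state NEW but documents the intent the article describes.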
Eight: SNAT and DNAT implementation
Because IP addresses are now very scarce and almost all allocated, we have to use address translation to economize on the few remaining IP addresses. So how is NAT address translation achieved with iptables?
1.SNAT: translation of the source address
Source address translation is generally used when many users on our internal network go out to the Internet through one point: we translate our internal network addresses into one external network IP, and can then reach other IPs on the external network.
So how do we define the translation in iptables?
For example, we now want every IP in the 192.168.10.0 network, when it goes out, to be translated into the (assumed) external address 172.16.100.1:
iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -j SNAT --to-source 172.16.100.1
So whenever something from the local network tries to reach the external network through that card, its address is translated into 172.16.100.1.
What if 172.16.100.1 is not fixed?
We all know that when we connect through China Unicom or China Telecom, a random external IP is usually assigned each time we boot, meaning the external address changes dynamically. In that case we replace the external address with MASQUERADE (dynamic masquerading), which automatically finds the external address and translates to the correct one. So we set:
iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -j MASQUERADE
Note: masquerading is not applicable everywhere.
2.DNAT: destination address translation
With destination address translation the data comes from outside: the client is on the outside and the server is on the inside. Through destination address translation, outside IPs access our servers through our external network IP, while the services actually live on different servers inside the internal network.
How do we do destination NAT?
iptables -t nat -A PREROUTING -d 192.168.10.18 -p tcp --dport 80 -j DNAT --to-destination 172.16.100.2
Destination address translation must be done before routing, as the packet arrives on the card, so it is placed at the PREROUTING position.
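The SNAT, MASQUERADE and DNAT rules of this section put together as an added example (not the article's code), including the two pieces the article leaves implicit: IP forwarding has to be switched on, and since section Seven set the FORWARD policy to DROP, translated traffic also needs FORWARD rules. The layout is constructed: eth0 is the external card carrying the article's 172.16.100.1, 192.168.10.0/24 is the internal network, and 192.168.10.18 is assumed to be the internal web server that DNAT forwards port 80 to; the static/dynamic argument that chooses between SNAT and MASQUERADE is this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): a NAT gateway plan. Interface
# and addresses are constructed values; edit them for a real gateway.
WAN_IF="eth0"                 # external card, assumed
WAN_IP="172.16.100.1"         # the article's external address
LAN_NET="192.168.10.0/24"     # the article's internal network
WEB_SERVER="192.168.10.18"    # assumed internal web server behind the gateway

# Source translation target: SNAT when the external address is fixed,
# MASQUERADE when it is assigned dynamically. MASQUERADE looks up the
# interface address per packet and forgets its connections when the interface
# goes down, which is why it is the wrong choice for a static address.
snat_target() {
    if [ "$1" = "static" ]; then
        echo "SNAT --to-source ${WAN_IP}"
    else
        echo "MASQUERADE"
    fi
}

# Emit the gateway commands; $1 is "static" or "dynamic".
nat_commands() {
    cat <<EOF
# without forwarding enabled the kernel never routes between the two cards
sysctl -w net.ipv4.ip_forward=1
# DNAT happens at PREROUTING, before the routing decision: public port 80
# on the external card is rewritten to the internal web server
iptables -t nat -A PREROUTING -i ${WAN_IF} -d ${WAN_IP} -p tcp --dport 80 -j DNAT --to-destination ${WEB_SERVER}:80
# FORWARD is DROP by default (section Seven), so translated flows must be
# allowed through explicitly; replies come back as ESTABLISHED
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i ${WAN_IF} -d ${WEB_SERVER} -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A FORWARD -s ${LAN_NET} -o ${WAN_IF} -m state --state NEW -j ACCEPT
# SNAT/MASQUERADE happens at POSTROUTING, after routing chose the outgoing card
iptables -t nat -A POSTROUTING -s ${LAN_NET} -o ${WAN_IF} -j $(snat_target "$1")
EOF
}

# Execute the plan as root; sh -e stops at the first rejected command.
apply_nat() {
    nat_commands "$1" | sh -e
}

case "${1:-}" in
    static|dynamic) nat_commands "$1" ;;
    apply)          apply_nat "${2:-static}" ;;
    "")             ;;
    *)              echo "usage: $0 static|dynamic|apply [static|dynamic]" >&2 ;;
esac
```

Only the first packet of a connection needs a nat rule; connection tracking reverses the translation on every reply automatically, which is also why the FORWARD chain only has to accept NEW packets in each direction plus ESTABLISHED,RELATED. The `-i ${WAN_IF}` on the DNAT rule restricts it to traffic arriving from outside, so internal clients reaching the public address are not rewritten.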
Nine: Saving rules and loading them at boot
Note: everything you defined is lost when you reboot. To make it persist you need to save it with a command.
1.service iptables save
It stores the rules in the file /etc/sysconfig/iptables
iptables-save > /etc/sysconfig/iptables
1) At boot time, /etc/sysconfig/iptables is loaded automatically
If it cannot be loaded at boot, or is not loaded, and you want to write a configuration file (assumed to be iptables.
2) To put it into effect manually:
the rules defined in that file are loaded into iptables by hand, and take effect as soon as they are loaded.
iptables is a very important tool, needed for almost every firewall setup; when we build a large network there are many reasons it must be configured. Learning iptables gives us a deeper understanding of the structure of the whole network, and lets us grasp very thoroughly how data in Linux kernel space is secured. As we learn, we should try to combine it with a variety of projects and experiments; that helps a great deal in deepening our grasp of iptables configuration and its many techniques.
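An added example for the saving and reloading step (not the article's code): a small script that validates a file in iptables-save format before loading it, and loads new rules with a timed rollback so that a mistaken default policy cannot lock the administrator out of the session used to apply it. The path /etc/sysconfig/iptables is the one the article names; the validator, the 60-second default and the confirm-or-roll-back mechanism are this example's own construction.

```shell
#!/bin/sh
# Added example (not from the original article): persist and reload rules
# safely. RULES_FILE is the file the article's "service iptables save" writes.
RULES_FILE="/etc/sysconfig/iptables"

# Read a ruleset in iptables-save format from stdin and check its structure:
# each "*table" header is closed by COMMIT before the next one starts, chain
# (":") and rule ("-") lines appear only inside a table, and at least one
# table is present. Exit status 0 means well formed, 1 means malformed.
validate_ruleset() {
    awk '
        /^#/      { next }
        /^\*/     { if (open) bad = 1; open = 1; tables++; next }
        /^COMMIT/ { if (!open) bad = 1; open = 0; next }
        /^[:-]/   { if (!open) bad = 1; next }
        END       { if (bad || open || tables == 0) exit 1; exit 0 }
    '
}

# Save the live rules to the boot file (the manual form of "service iptables
# save"), refusing to overwrite it if the live ruleset does not validate.
save_rules() {
    iptables-save | validate_ruleset || { echo "live ruleset failed validation" >&2; return 1; }
    iptables-save > "$RULES_FILE"
}

# Load $1 into the kernel with a safety net: a background guard restores the
# previous rules after $2 seconds (constructed default 60) unless the operator
# presses Enter first. If the new rules cut off the SSH session, nobody
# cancels the guard and the old rules come back on their own.
load_with_rollback() {
    file="$1"; delay="${2:-60}"
    validate_ruleset < "$file" || { echo "$file is malformed, not loading" >&2; return 1; }
    backup="$(mktemp)"
    iptables-save > "$backup"
    iptables-restore < "$file"
    ( sleep "$delay" && iptables-restore < "$backup" ) &
    guard=$!
    printf 'new rules loaded; press Enter within %ss to keep them: ' "$delay"
    read -r _
    if kill "$guard" 2>/dev/null; then
        rm -f "$backup"; echo "kept"
    else
        rm -f "$backup"; echo "timed out: previous rules restored"; return 1
    fi
}

case "${1:-}" in
    save)  save_rules ;;
    load)  load_with_rollback "${2:-$RULES_FILE}" "${3:-60}" ;;
    check) validate_ruleset < "${2:-$RULES_FILE}" && echo "well formed" ;;
    "")    ;;
    *)     echo "usage: $0 save | load [file] [seconds] | check [file]" >&2 ;;
esac
```

`check` is the step to run on a hand-edited file before `load`, since iptables-restore aborts on a malformed file and leaves the table in whatever state the flush left it; `load` is the step to use from a remote session whenever the file changes a default policy.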