1. How iptables works
Firewalls are generally divided into three types: packet filtering, application proxies, and stateful inspection.
Packet-filtering firewall: static packet filtering has practically disappeared from the market and has been replaced by dynamic packet-filtering technology.
Proxy firewall: some crafted traffic, such as SYN floods and ICMP floods, passes a plain packet filter easily, so the application-proxy firewall appeared: a proxy server that terminates the client connection, forwards on the client's behalf, and analyses the application protocol itself rather than just the headers.
Stateful-inspection firewall: evolved from dynamic packet filtering by adding a state-tracking module that filters per session. Session state is kept for a limited time, and the firewall can also inspect packet content, so the high ports used by reply traffic no longer have to be opened statically.
The netfilter/iptables packet-filtering system actually consists of two components, netfilter and iptables. netfilter is the part integrated in the kernel: it provides the hooks on the packet path and holds the rules. iptables is the user-space tool used to add, modify and delete those rules. The rules we set with iptables for our environment are stored in kernel space, which is why they are lost at reboot unless they are saved to a file (see the save and restore commands in the section on writing rules).
netfilter is a generic framework in the Linux kernel that provides a set of tables; each table consists of a number of chains, and each chain consists of one or more rules. In other words netfilter is a container of tables, a table is a container of chains, and a chain is a container of rules.
Built-in chains of iptables
PREROUTING: before the routing decision, as soon as the packet enters the machine
INPUT: after the routing decision, when the destination is the local machine
FORWARD: after the routing decision, when the destination is not the local machine
OUTPUT: packets generated by local processes, on their way out
POSTROUTING: after the routing decision, just before the packet is handed to the outgoing interface
2. Basic usage of iptables
Basic syntax:
iptables [-t table] COMMAND CHAIN CRITERIA -j TARGET
-t table:
nat, mangle, raw, filter
Default: filter
COMMAND:
Chain management:
-F: (Flush) clear all rules in a chain
-N: (New) create a custom chain
-X: (Delete) delete an empty custom chain
-Z: (Zero) reset the packet and byte counters
-P: (Policy) set the default policy of a built-in chain; for the filter table this is what happens to a packet no rule matched, ACCEPT or DROP
-E: rename a custom chain
CHAIN: the chain the rule is placed in
CRITERIA: the matching conditions
TARGET (given with -j): what to do with a packet that matches
Common targets
DROP: discard silently. DROP is usually preferred on exposed interfaces because the sender gets no reply and cannot tell a filtered port from a dead host; the cost is slower troubleshooting, so REJECT is friendlier on internal networks.
REJECT: refuse explicitly, with an ICMP error or, for TCP with --reject-with tcp-reset, a RST
ACCEPT: accept
DNAT: destination address translation (nat table)
SNAT: source address translation (nat table)
MASQUERADE: source address masquerading, i.e. SNAT to whatever address the outgoing interface currently has
REDIRECT: redirection, mainly used to redirect a port to the local machine
MARK: set a firewall mark on the packet (mangle table)
RETURN: return from a custom chain to the rule after the one that jumped into it
Rule management
-A: (Append) add a rule at the end of the selected chain
-I: (Insert) insert a rule into the selected chain at the given rule number (default 1, the top of the chain)
-D: (Delete) delete a rule from the selected chain, by rule number or by repeating its specification
-R: (Replace) replace the rule at the given number in the selected chain
Common query options
-L: list the rules of a chain, or of all chains in the table
-n: numeric output, show addresses and ports as numbers instead of resolving names
-v: verbose output
-vv
-vvv: the more v's, the more detail
--line-numbers: show rule numbers
-x: exact, show counter values without unit conversion (no K/M/G suffixes)
pkts bytes target prot opt in out source destination
pkts: the number of packets this rule has matched
bytes: the total size of all packets this rule has matched, in the unit iptables chose unless -x is given
target: the target, i.e. the handling mechanism
prot: protocol, typically tcp, udp, icmp, or all
opt: fragment options (-f / ! -f), shown as -- when none
in: the interface the packet came in on
out: the interface the packet goes out of
source: source address
destination: destination address
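The counters in that listing are worth reading rather than just printing: a rule whose pkts column never moves is either stale or protecting a service that never got traffic, and the packet count on the chain's policy line is the volume that matched no rule at all. The following is an added example, not part of the original article: it parses the output format just described with plain awk. The listing it reads is constructed here to resemble "iptables -L -v -n -x --line-numbers" output and is not a capture from a real host.

```bash
#!/bin/sh
# Added example (not from the original article): read the output of
# "iptables -L -v -n -x --line-numbers" and report rules that never matched
# anything, plus how many packets each chain policy is handling.
# sample_listing is constructed to resemble that output; it is not a capture.

sample_listing() {
    cat <<'EOF'
Chain INPUT (policy DROP 1234 packets, 98765 bytes)
num      pkts      bytes target     prot opt in     out     source               destination
1        5000     400000 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2       91234    7654321 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
3           0          0 ACCEPT     tcp  --  *      *       192.168.1.0/24       0.0.0.0/0            tcp dpt:23
4         120       7200 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22,80
5           3        180 LOG_DROP   all  --  *      *       10.0.0.0/8           0.0.0.0/0

Chain LOG_DROP (1 references)
num      pkts      bytes target     prot opt in     out     source               destination
1           3        180 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 10/min burst 20 LOG flags 0 level 4 prefix "iptables-drop: "
2           3        180 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
EOF
}

# Print "chain rulenum target" for every rule whose packet counter is still 0.
# Such rules are candidates for removal, or evidence that a service never saw traffic.
# -x matters here: without it counters above 1000 print as "7654K" and no
# longer compare as numbers.
unused_rules() {
    awk '
        /^Chain / { chain = $2; next }
        $1 ~ /^[0-9]+$/ && $2 == 0 { print chain, $1, $4 }
    '
}

# Print "chain packets" for each built-in chain, from the policy counters:
# these packets matched no rule at all and were handled by the policy.
# Custom chains have "(N references)" instead of a policy and are skipped.
policy_counters() {
    awk '/^Chain .*policy/ { print $2, $5 }'
}

# Live use on a host:  iptables -L -v -n -x --line-numbers | unused_rules
sample_listing | unused_rules
sample_listing | policy_counters
```

On the sample the first function reports rule 3 of INPUT (the telnet allow that nothing ever used) and the second reports that the INPUT policy has dropped 1234 packets. Run the same two functions over a real listing after the ruleset has been live for a while; a zero on an ACCEPT rule you expected to carry traffic usually means it sits below a rule that already matched.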
3. Matching criteria
Generic matches
-s address: match on the source IP address; an IP or a network; prefix with ! to negate
--src, --source
-d address: match on the destination IP address
--dst, --destination
-p protocol: match on the protocol; generally tcp, udp or icmp
-i ethX: the interface the packet arrived on; valid in PREROUTING, INPUT, FORWARD
-o ethX: the interface the packet leaves by; valid in OUTPUT, FORWARD, POSTROUTING
Extended matches
Implicit matches: once -p {tcp|udp|icmp} is given, that protocol's own options can be used directly, without -m
-p tcp
--sport PORT[:PORT]: source port, or a contiguous range
--dport PORT[:PORT]: destination port, or a contiguous range
--tcp-flags MASK COMP: two comma-separated lists of TCP flags; MASK is the set of flags to examine and COMP the ones that must be set (the others in MASK must be clear)
eg: --tcp-flags SYN,ACK,RST,FIN SYN (a plain connection request: SYN set, ACK, RST and FIN clear)
-p udp
--sport PORT[:PORT]: source port, or a contiguous range
--dport PORT[:PORT]: destination port, or a contiguous range
-p icmp
--icmp-type:
echo-request (ping request), type 8
echo-reply (ping reply), type 0
Explicit matches: -m must be given with the name of the extension module to use
multiport: multi-port match
Matches non-contiguous or contiguous ports; up to 15 ports, separated by commas (a colon inside the list, such as 8000:8010, gives a range)
eg:
iptables -I INPUT -d 172.16.100.7 -p tcp -m multiport --dports 22,80 -j ACCEPT
iptables -I OUTPUT -s 172.16.100.7 -p tcp -m multiport --sports 22,80 -j ACCEPT
iprange: match addresses in a given range
Useful when matching a run of consecutive addresses rather than a whole network;
Specific options:
[!] --src-range IP[-IP]
[!] --dst-range IP[-IP]
iptables -A INPUT -d 172.16.100.7 -p tcp --dport 23 -m iprange --src-range 172.16.100.1-172.16.100.100 -j ACCEPT
iptables -A OUTPUT -s 172.16.100.7 -p tcp --sport 23 -m iprange --dst-range 172.16.100.1-172.16.100.100 -j ACCEPT
string: string match, searches the application-layer payload of a packet for a string
The search algorithm to use:
kmp, bm
Specific options:
--algo {kmp|bm}
--string "STRING"
--hex-string "HEX_STRING": the pattern given in hexadecimal between pipes, e.g. "|0d 0a|"
eg:
iptables -I OUTPUT -m string --algo kmp --string "sex" -j DROP
The match only sees one packet at a time, so a string split across two TCP segments is missed, and it sees nothing inside TLS; it is also comparatively expensive, so place it after cheaper matches.
time: time-based access control
Specific options:
--datestart YYYY[-MM[-DD[Thh[:mm[:ss]]]]]
--datestop YYYY[-MM[-DD[Thh[:mm[:ss]]]]]
--timestart hh:mm[:ss]
--timestop hh:mm[:ss]
--weekdays day[,day]: Mon, Tue, ...
Times are interpreted in UTC unless --kerneltz is given, so check the server's time zone before relying on an office-hours rule.
eg:
iptables -I INPUT -d 172.16.100.7 -p tcp --dport 80 -m time --timestart 08:20 --timestop 18:40 --weekdays Mon,Tue,Thu,Fri -j REJECT
connlimit: limit the number of concurrent connections one source IP may hold (or one network, with --connlimit-mask)
Specific options:
[!] --connlimit-above n
eg:
iptables -A INPUT -d 172.16.100.7 -p tcp --dport 22 -m connlimit --connlimit-above 2 -j DROP
limit: rate limiting with a token bucket
Specific options:
--limit n[/second|/minute|/hour|/day]
--limit-burst n
eg:
iptables -A INPUT -d 172.16.100.7 -p icmp --icmp-type 8 -m limit --limit 20/minute --limit-burst 5 -j ACCEPT
The bucket is global, not per source, and an ACCEPT rule with limit only limits anything if what exceeds the rate is dropped by a later rule or by the chain policy; for a per-source bucket use hashlimit.
state: connection state check (-m state --state is the older spelling of -m conntrack --ctstate)
Specific options:
--state
Connection tracking states:
NEW: the first packet of a new session
ESTABLISHED: a connection that has already seen traffic in both directions
RELATED: a connection related to an existing one, such as an FTP data channel or an ICMP error for a tracked flow
INVALID: a packet that cannot be associated with any connection
Adjust the maximum number of connections the tracking table can hold:
/proc/sys/net/nf_conntrack_max
All currently tracked connections:
/proc/net/nf_conntrack
Timeouts and other tunables per tracked protocol:
the /proc/sys/net/netfilter directory
Allowing passive-mode FTP:
1. Load the helper module from /lib/modules/KERNEL_VERSION/kernel/net/netfilter/
Module: nf_conntrack_ftp
2. Allow the request packets:
(1) NEW state packets to port 21;
(2) ESTABLISHED and RELATED state packets
3. Allow the response packets:
(1) ESTABLISHED and RELATED state packets
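The three steps above, written out as a loadable ruleset. This is an added example, not code from the original article; the server address 172.16.100.7 is the article's, everything else is assumed. One caveat the steps do not mention: since Linux 4.7 the kernel no longer attaches conntrack helpers automatically (nf_conntrack_helper defaults to 0, and 6.0 removed that sysctl), so loading nf_conntrack_ftp is not enough on its own and the helper is attached explicitly with the CT target in the raw table.

```bash
#!/bin/sh
# Added example (not from the original article): passive-mode FTP on the
# server 172.16.100.7, as an iptables-restore file. The ftp conntrack helper
# is attached explicitly in the raw table because modern kernels do not
# auto-assign helpers.

ftp_ruleset() {
    cat <<'EOF'
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# step 1: the module itself is loaded with "modprobe nf_conntrack_ftp";
# this rule tells conntrack which flows the helper should parse
-A PREROUTING -d 172.16.100.7 -p tcp --dport 21 -j CT --helper ftp
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# step 2 (1): new sessions to the control port
-A INPUT -d 172.16.100.7 -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
# steps 2 (2) and 3: control-channel replies are ESTABLISHED; the client's
# connection to the random PASV port is RELATED because the helper parsed the
# "227 Entering Passive Mode" reply, so no port range has to be opened
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Whether the running kernel would still auto-assign helpers without the CT rule.
# Prints "auto", "explicit", or "no-sysctl" (nf_conntrack not loaded, or a
# kernel >= 6.0 that dropped the knob; either way the CT rule is the safe choice).
helper_assignment() {
    f=/proc/sys/net/netfilter/nf_conntrack_helper
    if [ -r "$f" ]; then
        if [ "$(cat "$f")" = 1 ]; then echo auto; else echo explicit; fi
    else
        echo no-sysctl
    fi
}

# Number of tables the file programs (raw and filter); each ends with COMMIT.
table_count() {
    ftp_ruleset | grep -c '^COMMIT$'
}

# Load with:  modprobe nf_conntrack_ftp && ftp_ruleset | iptables-restore
ftp_ruleset
helper_assignment
```

If the helper cannot be used (for example FTP over TLS, where the helper cannot read the PASV reply), the alternative is to pin the server's passive port range in its configuration and open that range explicitly; the RELATED rule then does nothing for the data channel and a --dport range rule is needed instead.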
4. Writing rules
First decide the function (the table), then the packet flow (the chain), then the goal (the target), and finally the matching conditions.
Flow
Traffic to and from local processes:
Inbound: -> PREROUTING -> INPUT
Outbound: -> OUTPUT -> POSTROUTING
Traffic forwarded through the machine:
Request: -> PREROUTING -> FORWARD -> POSTROUTING
Response: -> PREROUTING -> FORWARD -> POSTROUTING
Things to note when writing rules:
Server side: the request comes in first and the reply goes out afterwards
Client side: the request goes out first and the reply comes in afterwards
The client port is random, so in most scenarios it should not be restricted
Rules file: /etc/sysconfig/iptables (RHEL/CentOS; Debian-based systems with iptables-persistent use /etc/iptables/rules.v4)
Save the active rules to the rules file:
1. iptables-save > /etc/sysconfig/iptables
2. service iptables save
Load the rules from the rules file:
1. iptables-restore < /etc/sysconfig/iptables
2. service iptables restart
Effect: flush the existing rules, then read and activate the rules from the file
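Putting the section together, here is a complete host ruleset in the file format iptables-save writes and iptables-restore reads, built in the order just given: table (filter), flow (INPUT), target, criteria. It is an added example, not code from the original article; it assumes a host that serves SSH, HTTP and HTTPS, with SSH permitted only from a management network 192.168.1.0/24 chosen for illustration. The state match from part 3 does most of the work: once established traffic is accepted in the second rule, everything below only has to describe new sessions.

```bash
#!/bin/sh
# Added example (not from the original article): a stateful host firewall as
# an iptables-restore file. Assumptions: services on 22, 80 and 443; SSH only
# from the management network 192.168.1.0/24.

host_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOG_DROP - [0:0]
# Loopback, then packets that belong to a tracked session (part 3, state match).
# With this rule second, the bulk of traffic is decided after two rules.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# New sessions the host is meant to serve. Only --dport is restricted: the
# client port is random (part 4) and is never matched.
-A INPUT -p tcp --dport 22 -s 192.168.1.0/24 -m conntrack --ctstate NEW -m connlimit --connlimit-above 3 -j REJECT --reject-with tcp-reset
-A INPUT -p tcp --dport 22 -s 192.168.1.0/24 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 20/minute --limit-burst 5 -j ACCEPT
# Everything else: log a sample, then drop. The INPUT policy would drop it
# anyway, but logging first shows what the policy is eating.
-A INPUT -j LOG_DROP
-A LOG_DROP -m limit --limit 10/minute --limit-burst 20 -j LOG --log-prefix "iptables-drop: " --log-level 4
-A LOG_DROP -j DROP
COMMIT
EOF
}

# Structural check that runs without root: one table header, one COMMIT, and
# every -j target is either a built-in target or a chain declared in the file.
# A jump to an undeclared chain is the classic iptables-restore failure.
check_ruleset() {
    rules=$(host_ruleset)
    printf '%s\n' "$rules" | grep -q '^\*filter$' || return 1
    [ "$(printf '%s\n' "$rules" | grep -c '^COMMIT$')" = 1 ] || return 1
    for chain in $(printf '%s\n' "$rules" | sed -n 's/^-A [A-Z_]* .*-j \([A-Z_]*\).*/\1/p' | sort -u); do
        case $chain in
            ACCEPT|DROP|REJECT|LOG|RETURN) ;;
            *) printf '%s\n' "$rules" | grep -q "^:$chain " || return 1 ;;
        esac
    done
}

# Number of rules the file appends; compare with "iptables -S | grep -c '^-A'" after loading.
rule_count() {
    host_ruleset | grep -c '^-A '
}

# Parse only (needs root):  host_ruleset | iptables-restore --test
# Load:                     host_ruleset | iptables-restore
# Persist:                  iptables-save > /etc/sysconfig/iptables
check_ruleset && host_ruleset
```

When loading this over SSH, load it from a session that is already established (the ESTABLISHED rule keeps that session alive) and keep a second terminal with "iptables -P INPUT ACCEPT" ready until the new rules are confirmed; iptables-restore replaces the whole table atomically, so there is no half-applied state to worry about, but a typo in the SSH rule still locks you out.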
Common syntax
Delete a rule:
iptables [-t table] -D chain rulenum
Set the policy:
iptables [-t table] -P chain target
Replace a rule:
iptables [-t table] -R chain rulenum rule-specification
Insert a rule:
iptables [-t table] -I chain [rulenum] rule-specification
Create a custom chain:
iptables [-t table] -N chain
Delete a custom chain that is empty and has no references:
iptables [-t table] -X chain
Rename a custom chain:
iptables [-t table] -E old_name new_name
5. Examples
1. SNAT, source address translation
Source address translation is typically used when many internal users share one external connection to reach the Internet: the internal source address is rewritten to the external IP, so internal hosts can reach other external IPs.
For example, we want every host on the 192.168.1.0/24 network to appear as the external address 172.16.100.1 when it goes out:
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j SNAT --to-source 172.16.100.1
From then on, whatever leaves the local network through the outgoing network card is rewritten to 172.16.100.1. Forwarding must be enabled as well (net.ipv4.ip_forward = 1), or the packets never reach POSTROUTING.
When we connect through China Unicom or Telecom, a new random external IP is usually assigned at each boot, i.e. the external address changes dynamically. For that case we replace SNAT with MASQUERADE (dynamic masquerading): it looks up the address of the outgoing interface automatically and translates to whatever the current external address is. So we need:
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
Note that masquerading is not appropriate everywhere: it costs an address lookup per new connection and forgets its tracked connections when the interface goes down, so with a fixed external address use SNAT, as in:
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j SNAT --to-source 1.1.1.1
2. DNAT, destination address translation
For destination address translation the traffic comes from outside: the client is on the outside and the server is on the inside.
With destination address translation we can publish services that live on different internal servers behind one external IP, and send each one to the right internal server according to the port.
iptables -t nat -A PREROUTING -d 192.168.1.18 -p tcp --dport 80 -j DNAT --to-destination 172.16.200.7
Destination address translation must happen before the routing decision, so it is done in PREROUTING. The nat table only rewrites addresses: if the FORWARD chain's policy is DROP, a matching FORWARD ACCEPT rule for the translated packets is still needed.
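The SNAT/MASQUERADE and DNAT rules from examples 1 and 2, combined into one gateway ruleset together with the FORWARD rules the nat table does not provide. This is an added example, not code from the original article. The addresses are the article's (external 192.168.1.18, internal web server 172.16.200.7); the interface names eth0 (external) and eth1 (internal, 172.16.200.0/24) are assumptions. The function takes an optional static external address and picks SNAT when it is given and MASQUERADE when it is not, which is the choice example 1 describes.

```bash
#!/bin/sh
# Added example (not from the original article): a NAT gateway ruleset.
# Assumptions: eth0 faces outside with address 192.168.1.18, eth1 faces the
# internal network 172.16.200.0/24, the web server is 172.16.200.7.
# Usage: nat_ruleset [STATIC_EXTERNAL_IP]; without an argument MASQUERADE is used.

nat_ruleset() {
    ext_ip=$1
    if [ -n "$ext_ip" ]; then
        snat="-A POSTROUTING -s 172.16.200.0/24 -o eth0 -j SNAT --to-source $ext_ip"
    else
        snat="-A POSTROUTING -s 172.16.200.0/24 -o eth0 -j MASQUERADE"
    fi
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# DNAT before routing, so the routing decision already sees the internal address
-A PREROUTING -i eth0 -d 192.168.1.18 -p tcp --dport 80 -j DNAT --to-destination 172.16.200.7
# SNAT after routing, once the outgoing interface is known
$snat
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# FORWARD sees packets after translation; the DNAT rule alone does nothing
# if the policy drops them here
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -s 172.16.200.0/24 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i eth0 -o eth1 -d 172.16.200.7 -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Routing between interfaces must be switched on or FORWARD is never reached.
# Prints the live value of net.ipv4.ip_forward, or "unknown" where it cannot be read.
ip_forward_state() {
    f=/proc/sys/net/ipv4/ip_forward
    if [ -r "$f" ]; then cat "$f"; else echo unknown; fi
}

# Which source-translation target the ruleset ends up with: SNAT or MASQUERADE.
snat_target() {
    nat_ruleset "$1" | sed -n 's/^-A POSTROUTING .*-j \([A-Z]*\).*/\1/p'
}

# Dynamic external address (PPPoE and the like) -> MASQUERADE; fixed address -> SNAT
nat_ruleset
nat_ruleset 192.168.1.18
ip_forward_state
```

Enable forwarding with "sysctl -w net.ipv4.ip_forward=1" (and persist it in /etc/sysctl.conf) before loading the file; the third FORWARD rule is what actually lets the DNAT'd web traffic through, which is the part most often forgotten when a port forward "does not work".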
3. Only allow SSH access to the server from 192.168.1.3
iptables -A INPUT -s 192.168.1.3 -p tcp --dport 22 -j ACCEPT
This only restricts anything if all other traffic to port 22 is dropped, either by an INPUT policy of DROP or by a following rule such as iptables -A INPUT -p tcp --dport 22 -j DROP.
4. Block the IPs 192.168.1.0 to 192.168.1.255
iptables -I INPUT -s 192.168.1.0/24 -j DROP
5. Discard invalid connections
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
6. Allow ping
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
7. Mitigate DoS attacks
iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
On its own this rule accepts the first 100 packets and then 25 per minute, but it protects nothing unless the excess is dropped, for example by a following iptables -A INPUT -p tcp --dport 80 -j DROP. And because limit keeps a single bucket for the whole rule, one attacker can starve every legitimate client; hashlimit with --hashlimit-mode srcip keeps a bucket per source instead.
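Example 7 made effective, as an added example that is not part of the original article. The article's limit rule is kept (port 80, 25/minute, burst 100) but followed by the DROP it needs, and a per-source variant with hashlimit is shown beside it, logging the excess with a prefix. The second half parses kernel log lines written by that LOG target to find which sources are being throttled; the log lines are constructed for the example and are not a real capture.

```bash
#!/bin/sh
# Added example (not from the original article): rate limiting for port 80
# with the DROP it needs, the per-source hashlimit alternative, and a parser
# for the kernel log lines the LOG target produces. Rules are printed, not
# applied; pipe render_rules into sh on a real host to apply them.

# One global bucket: 25 new connections per minute for the whole server,
# shared between attacker and legitimate clients.
global_limit_rules() {
    cat <<'EOF'
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j DROP
EOF
}

# One bucket per source address (hashlimit, srcip mode): a flooding client
# exhausts only its own budget; a sample of the excess is logged, then dropped.
per_source_limit_rules() {
    cat <<'EOF'
-N HTTP_RATE
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j HTTP_RATE
-A HTTP_RATE -m hashlimit --hashlimit-name http --hashlimit-mode srcip --hashlimit-upto 25/minute --hashlimit-burst 100 -j ACCEPT
-A HTTP_RATE -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix "http-flood: "
-A HTTP_RATE -j DROP
EOF
}

# Turn the rule lines into runnable commands:  render_rules | sh  (as root)
render_rules() {
    per_source_limit_rules | sed 's/^/iptables /'
}

# Constructed kernel log lines in the LOG target's format (not a real capture).
sample_kernel_log() {
    cat <<'EOF'
Mar 10 10:01:02 gw kernel: http-flood: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.5 DST=192.168.1.18 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Mar 10 10:01:02 gw kernel: http-flood: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.5 DST=192.168.1.18 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51235 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Mar 10 10:01:03 gw kernel: http-flood: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00 SRC=198.51.100.9 DST=192.168.1.18 LEN=60 TOS=0x00 PREC=0x00 TTL=58 ID=0 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 10 10:01:03 gw kernel: iptables-drop: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00 SRC=198.51.100.9 DST=192.168.1.18 LEN=60 TOS=0x00 PREC=0x00 TTL=58 ID=0 DF PROTO=TCP SPT=40002 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 10 10:01:04 gw kernel: http-flood: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.5 DST=192.168.1.18 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51236 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
EOF
}

# Count throttled connection attempts per source for one log prefix.
# Prints "count source", highest first.  Usage: top_sources PREFIX < logfile
top_sources() {
    awk -v p="$1" '
        index($0, p) == 0 { next }
        {
            for (i = 1; i <= NF; i++)
                if (substr($i, 1, 4) == "SRC=") n[substr($i, 5)]++
        }
        END { for (s in n) print n[s], s }
    ' | sort -rn
}

render_rules
sample_kernel_log | top_sources 'http-flood:'
```

On a live host the same parser runs over "journalctl -k" or /var/log/kern.log; because the LOG rule is itself limited to 5 per minute, the counts are a sample of the flood, not its size, which is what you want for a log you have to keep.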