Swing swing ~ firewall
2022-07-19 02:45:00 【Nothing in the world is difficult 754】
Firewall
Table of contents
- Firewall
- Linux firewall basics
- Writing firewall rules
- Overview of Linux packet-filtering firewalls
- Introduction to the four tables and five chains of iptables
- Four tables and five chains
- The packet-filtering matching process (a packet arrives at the firewall)
- The packet-filtering matching process
- Installing iptables
- iptables basic syntax and packet control types
- Adding, viewing and deleting rules and other basic operations
Linux firewall basics
- The table and chain structure of iptables
- The matching process for controlled packets
Writing firewall rules
- Basic syntax and control types
- Adding, viewing and deleting rules
- Rule match conditions
Overview of Linux packet-filtering firewalls
netfilter
The packet-filtering subsystem located inside the Linux kernel; it is called the "kernel space" part of the Linux firewall.
iptables
Located at /sbin/iptables, the tool used to manage firewall rules; it is called the "user space" part of the Linux firewall.
The layer at which packet filtering works
Mainly the network layer, operating on IP packets: rules are written against IP addresses, ports and similar header fields (ports are transport-layer fields, but they are still read straight from the packet header).
Introduction to the four tables and five chains of iptables
The job of iptables is to supply rules to the packet-filtering mechanism: through these rules it tells netfilter how packets from certain sources, to certain destinations, or with certain protocol characteristics should be handled. To organise and manage firewall rules conveniently, iptables uses a hierarchy of tables and chains.
The firewall therefore inspects the header fields of each packet and matches them against the rules we have preset to decide whether the packet may enter the host.
Each rule table is a container in kernel space; the rule set is divided into four default tables by purpose, and each table holds several rule chains, which are divided into five chains according to the point at which a packet is processed.
Four tables and five chains
Role of a rule table: to hold rule chains; tables are divided by the purpose of the firewall rules (rules with a similar purpose go in the same table).
Role of a rule chain: to hold firewall rules; the role of a rule is to filter or process packets; chains are divided by the point at which the packet is processed.
Summary: tables contain chains, and chains contain rules.
- raw: decides whether a packet is handled by connection tracking at all; it is the first table consulted. Contains PREROUTING and OUTPUT.
- mangle: modifies packet header fields such as TTL and TOS and attaches marks; contains all five chains.
- nat: responsible for network address translation, modifying the source or destination IP address or port of a packet. Contains three rule chains: OUTPUT, PREROUTING, POSTROUTING (newer kernels also give nat an INPUT chain).
- filter: responsible for filtering packets, deciding whether to let them through. Contains three chains: INPUT, FORWARD, OUTPUT.
Five chains
INPUT: handles inbound packets, i.e. packets whose destination IP is this host.
OUTPUT: handles outbound packets generated by this host; rules are rarely configured on this chain.
FORWARD: handles forwarded packets, i.e. packets passing through this host on their way elsewhere.
PREROUTING chain: handles packets before the routing decision; used to modify the destination address (DNAT). This is how an internal server's IP and port are mapped to the router's public IP and port.
POSTROUTING chain: handles packets after the routing decision; used to modify the source address (SNAT). This is the NAT function of a router that lets the whole internal network reach the Internet through one public IP address.
Default table and chain structure diagram
The packet-filtering matching process (a packet arrives at the firewall)
Priority order
Order in which the rule tables are applied: raw → mangle → nat → filter
Order between the rule chains
Inbound: PREROUTING → INPUT
Outbound: OUTPUT → POSTROUTING
Forwarded: PREROUTING → FORWARD → POSTROUTING
Order of matching within a rule chain
Rules are checked from top to bottom; the first rule that matches decides the packet and matching stops.
If no rule matches, the chain's default policy is applied (unless it has been changed, the default policy is ACCEPT).
The packet-filtering matching process
Matching process diagram
Inbound data flow: when a packet from outside reaches the firewall, it is first processed by the PREROUTING chain (whether to modify the packet's address, etc.), then routed (deciding where the packet should go). If the packet's destination address is the firewall host itself (for example, an Internet user accessing a web service port on the gateway), the kernel hands it to the INPUT chain (which decides whether to let it through, etc.), and if it passes, it goes up to the application on the system (such as the httpd server) for a response.
Forwarded data flow: when a packet from outside reaches the firewall, it is first processed by the PREROUTING chain and then routed. If the packet's destination is another external address (for example, a LAN user reaching the QQ server through the gateway), the kernel hands it to the FORWARD chain (which allows the forwarding, or blocks or discards the packet), and finally to the POSTROUTING chain (whether to modify the packet's address, etc.).
Outbound data flow: for packets the firewall itself sends to external addresses (such as testing a public DNS service from the firewall host), routing happens first; once the output path is decided, the packet passes through the OUTPUT chain and finally the POSTROUTING chain (whether to modify the packet's address, etc.).
Writing firewall rules
Installing iptables
CentOS 7 ships the firewalld firewall by default and does not install the iptables service. To use the iptables firewall you must first stop and disable firewalld, then install iptables. (The iptables command itself is already present on CentOS 7, since firewalld uses it underneath; what the iptables-services package adds is the iptables service and the rule file /etc/sysconfig/iptables that it loads at boot.)
Stop the firewalld firewall
systemctl stop firewalld.service
systemctl disable firewalld.service
Install the iptables firewall
yum -y install iptables iptables-services
Start iptables and enable it at boot
systemctl start iptables.service
systemctl enable iptables.service
Ways to configure the iptables firewall:
1. Use the iptables command line.
2. Use system-config-firewall (available on CentOS 6; not available on CentOS 7).
iptables basic syntax and packet control types
Syntax
iptables [-t table] management-option [chain] [match conditions] [-j control-type]
Here the table name and chain name specify which table and chain the iptables command operates on; when no table is given, the filter table is used by default.
Management option: what is done with the rule, e.g. insert, append, delete, list.
Match conditions: the characteristics a packet must have to be handled by this rule; packets that do not meet the conditions are not affected by it.
Control type: what to do with a matching packet, e.g. accept, reject, drop.
Notes:
- When no table name is given, the filter table is assumed.
- When no chain name is given, the operation applies to all chains in the table (for listing and flushing operations such as -L and -F).
- A rule with no match conditions matches every packet in the chain, so always give a match condition unless that is really what you want. Setting a chain's default policy with -P is the one operation that takes no match conditions.
- Management options (-A, -I, -D, -L, -P and so on), chain names and control types are written in upper case; -t, -j and the match options (-p, -s, -d, -i, -o) are lower case. Take care with -p (protocol) and -P (policy): they are different options.
Common packet control types
For a firewall, the control type of a packet is crucial: it decides whether the packet is passed or blocked and whether a log entry is written. In iptables the most commonly used control types are the following.
- ACCEPT: allow the packet through.
- DROP: discard the packet silently, sending nothing back to the sender.
- REJECT: refuse the packet and, where appropriate, send an error response (such as an ICMP port-unreachable message) back to the sender.
- LOG: write a log entry through the kernel log (normally ending up in /var/log/messages), then hand the packet on to the next rule.
- SNAT: modify the source address of the packet.
- DNAT: modify the destination address of the packet.
- MASQUERADE: a form of SNAT that uses whatever address the outgoing interface currently has, for links whose public IP is not fixed.
The "first match stops" rule has one exception, LOG: LOG is only an auxiliary action and does not actually decide the packet's fate, so matching continues with the next rule.
Note: control types must be written in upper case.
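To see the LOG special case end to end, here is an added shell example that is not part of the original post: it emits a LOG rule followed by a DROP rule for the same match (telnet, port 23, chosen only as an illustration), then parses constructed kernel log lines in the format the LOG target writes to /var/log/messages and counts hits per source. The hostname, addresses, MAC addresses and the --log-prefix value in the sample are assumptions.

```shell
#!/bin/sh
# Added example: LOG does not stop matching, so a LOG rule followed by a DROP
# rule for the same match both logs and drops. The parser below reads the
# resulting kernel log lines.

# Emit the rule pair. The prefix makes the lines easy to find in the log.
log_and_drop_rules() {
    printf '%s\n' \
        "iptables -A INPUT -p tcp --dport 23 -j LOG --log-prefix 'TELNET-DROP: ' --log-level 4" \
        "iptables -A INPUT -p tcp --dport 23 -j DROP"
}

# Constructed sample of what such a LOG rule writes to /var/log/messages
# (the KEY=VALUE layout of the kernel LOG target; hosts and MACs are made up).
SAMPLE_LOG='Jul 19 02:45:01 host kernel: TELNET-DROP: IN=ens33 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=192.168.80.11 DST=192.168.80.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1234 DF PROTO=TCP SPT=51234 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Jul 19 02:45:02 host kernel: TELNET-DROP: IN=ens33 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=192.168.80.12 DST=192.168.80.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1235 DF PROTO=TCP SPT=51235 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Jul 19 02:45:03 host kernel: TELNET-DROP: IN=ens33 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=192.168.80.11 DST=192.168.80.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1236 DF PROTO=TCP SPT=51236 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Jul 19 02:45:04 host sshd[1000]: Accepted publickey for admin from 192.168.80.50 port 40000 ssh2'

# Read log text on stdin, keep only the lines carrying our prefix, and print
# "SRC PROTO DPT" for each. Every field is a KEY=VALUE token, so awk splits on "=".
parse_log_lines() {
    prefix="$1"
    grep -F "kernel: $prefix" | awk '{
        src = ""; proto = ""; dpt = "";
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=");
            if (kv[1] == "SRC")   src = kv[2];
            if (kv[1] == "PROTO") proto = kv[2];
            if (kv[1] == "DPT")   dpt = kv[2];
        }
        print src, proto, dpt
    }'
}

# Count hits per source address, most frequent first: a quick way to spot a
# scanner hammering the dropped port.
top_sources() {
    prefix="$1"
    parse_log_lines "$prefix" | awk '{ c[$1]++ } END { for (s in c) print c[s], s }' | sort -rn
}

# stand-alone run
log_and_drop_rules
printf '%s\n' "$SAMPLE_LOG" | top_sources "TELNET-DROP:"
```

The rate of LOG entries should normally be capped with `-m limit` in front of the LOG rule, otherwise a flood of dropped packets also floods the log.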
Adding, viewing and deleting rules and other basic operations
Common management options of the iptables command

| Management option | Meaning and usage example |
|---|---|
| -A | Append a rule at the end of the specified chain: iptables -A INPUT ... (operation) |
| -I | Insert a new rule into the specified chain; if no position number is given it becomes the first rule: iptables -I INPUT ... (operation) |
| -P | Set the default policy of a chain: iptables -P OUTPUT ACCEPT (operation) |
| -D | Delete a rule: iptables -t nat -D PREROUTING ... (operation) |
| -R | Modify/replace a rule: iptables -t nat -R PREROUTING ... (operation) |
| -L | List rules: iptables -t nat -L (view) |
| -n | Show all fields numerically (e.g. 0.0.0.0/0 instead of anywhere, port numbers instead of service names): iptables -L -n, iptables -nL, iptables -vnL (view) |
| -v | Show more detail when listing (packet and byte counters, interfaces); usually combined with -L (view) |
| --line-numbers | Number the rules when listing: iptables -t nat -L -n --line-numbers, iptables -t nat -L --line-numbers (view) |
| -F | Flush all rules in a chain (or in every chain of the table when no chain is given): iptables -F (operation) |
| -X | Delete user-defined chains; built-in chains are unaffected: iptables -X (operation) |
| -Z | Zero the counters of a chain (the number and total size of matched packets): iptables -Z (operation) |
| -S | Print the rules of a table, or of one chain, in iptables command form; a trailing number selects a single rule: iptables -t nat -S, iptables -t nat -S POSTROUTING 1 (view) |
Adding new rules
When adding firewall rules, use the management options -A and -I: the former appends a rule, the latter inserts one.
For example, to add a firewall rule to the INPUT chain of the filter table, do the following (here "-p protocol-name" is the match condition).
Example 1
iptables -t filter -I INPUT -p icmp -j REJECT    # no host is allowed to ping this host
To undo a rule you added, repeat the same command with -I (or -A) changed to -D.
iptables -I INPUT 2 -p tcp --dport 22 -j ACCEPT    # allow SSH (port 22) into this host, inserted as rule 2
Other examples
iptables -t filter -A INPUT -p tcp -j ACCEPT    # allow TCP from any host
iptables -I INPUT -p udp -j ACCEPT    # allow UDP from any host
Viewing the rule list
To view existing firewall rules, use the management option -L; adding --line-numbers also shows each rule's position number within the chain. For example, to list all rules of the INPUT chain in the filter table together with their numbers, do the following.
iptables [-t table] -n -L [chain] [--line-numbers]
or
iptables -[vn]L
Note: -L takes an optional chain name as its argument, so -Ln is parsed as "list the chain named n" and fails; write -nL or -L -n instead.
Deleting and clearing rules
To delete a firewall rule, use the management option -D. For example, to delete the fifth rule of the INPUT chain in the filter table, do the following (the number comes from -L --line-numbers).
iptables -D INPUT 5
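Deleting by number has a trap: after `iptables -D INPUT 2` the old rule 3 becomes rule 2, so a list of numbers collected beforehand goes stale after the first deletion. The following added example, which is not from the original post, numbers the rules of one chain from `iptables -S` style output the way `-L --line-numbers` would, and prints the matching -D commands either highest number first (so earlier deletions do not shift later targets) or by full rule specification, which does not depend on numbering at all. The rule listing it works on is a constructed sample, so it runs without root.

```shell
#!/bin/sh
# Added example: number the rules of a chain from `iptables -S` output and
# generate safe -D commands. The listing below is a constructed sample.

SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -s 192.168.80.11/32 -j DROP
-A INPUT -p icmp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP'

# Print "N <rule spec>" for every -A line of the given chain, read from stdin.
# -P lines carry the policy, not a rule, so they get no number.
number_rules() {
    chain="$1"
    awk -v c="$chain" '$1 == "-A" && $2 == c { n++; sub(/^-A [^ ]+ /, ""); print n, $0 }'
}

# Print `iptables -D <chain> <N>` for every rule whose spec matches a regex,
# highest N first, because each deletion renumbers the rules after it.
delete_cmds_by_number() {
    chain="$1"
    pattern="$2"
    number_rules "$chain" | grep -E -- "$pattern" | sort -rn | \
        awk -v c="$chain" '{ print "iptables -D " c " " $1 }'
}

# Deleting by spec is immune to renumbering: -D also accepts the exact rule.
# Print that form for the same matches.
delete_cmds_by_spec() {
    chain="$1"
    pattern="$2"
    number_rules "$chain" | grep -E -- "$pattern" | \
        awk -v c="$chain" '{ $1 = ""; sub(/^ /, ""); print "iptables -D " c " " $0 }'
}

# stand-alone run: list the chain, then show both ways to remove every icmp rule
printf '%s\n' "$SAMPLE_RULES" | number_rules INPUT
printf '%s\n' "$SAMPLE_RULES" | delete_cmds_by_number INPUT '-p icmp'
printf '%s\n' "$SAMPLE_RULES" | delete_cmds_by_spec INPUT '-p icmp'
```

On a live system replace the sample with `iptables -S INPUT` (or `iptables-save`) piped into the functions; the -D-by-spec output is also what `iptables-save` would let you write directly.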
Setting the default policy
In an iptables chain the default policy is the last step of rule matching: when no rule matches the packet, the default policy decides it. The control type of a default policy can be ACCEPT (allow) or DROP (discard); REJECT cannot be used as a policy. For example, the following sets the default policy of the FORWARD chain in the filter table to drop and that of the OUTPUT chain to allow.
iptables [-t table] -P <chain> <control-type>
iptables -P INPUT DROP    # prints nothing on success
Caution: this takes effect immediately. If you are logged in over SSH and have not yet added a rule accepting your SSH port (22), this command locks you out. Clearing the rules afterwards with -F does not reset the policy either, so a DROP policy on an empty chain drops every packet. Add the port-22 ACCEPT rule first, then switch the policy.
iptables -P FORWARD DROP
# In production, both a network firewall and a host firewall should normally have their default policy set to DROP, with an explicit whitelist of what is allowed.
iptables -t filter -P FORWARD DROP
iptables -P OUTPUT ACCEPT
Rule matching
General matches
Can be used directly, without depending on other conditions or extension modules; they cover the network protocol, IP addresses, network interfaces and similar conditions.
Protocol match: -p protocol-name
Address match: -s source-address, -d destination-address; the value can be an IP address, a network segment, a domain name, or empty (any address). A domain name is resolved once, when the rule is added, so prefer addresses.
Interface match: -i inbound interface, -o outbound interface
iptables -I INPUT -s 192.168.80.11 -j DROP    # drop everything from this host: it can no longer ping or log in to this machine
iptables -I INPUT -i ens33 -s 192.168.91.0/24 -j DROP    # drop packets from the 192.168.91.0/24 segment arriving on ens33
iptables -I INPUT -p icmp -j DROP    # drop all inbound ICMP
iptables -A FORWARD ! -p icmp -j ACCEPT    # the exclamation mark "!" negates the condition: forward everything that is not ICMP
Implicit matches
Require a particular protocol match as a prerequisite; they include ports, TCP flags, ICMP types and similar conditions.
Port match: --sport source port, --dport destination port; the value can be a single port or a port range.
--sport 1000        matches packets whose source port is 1000
--sport 1000:3000   matches packets whose source port is 1000 to 3000
--sport :3000       matches packets whose source port is 3000 or below
--sport 1000:       matches packets whose source port is 1000 or above
Notes:
- --sport and --dport must be used together with -p <protocol> (tcp or udp), and -p must come before them on the command line.
- The usable port range is 0-65535.
iptables -A INPUT -p tcp --dport 20:21 -j ACCEPT    # allow the FTP data and control ports
iptables -A INPUT -p tcp --sport 10000:30000 -j REJECT    # reject everything with a source port from 10000 to 30000
TCP flag match: --tcp-flags <flags to examine> <flags that must be set> (the two lists must not contain spaces)
iptables -I INPUT -i ens33 -p tcp --tcp-flags SYN,RST,ACK SYN -j ACCEPT
This examines the SYN, RST and ACK flags and matches when only SYN is set, i.e. a new connection request; here such packets are accepted (change -j to DROP to block new connections instead), while other packets fall through to the following rules.
ICMP type match: --icmp-type ICMP-type, given as a name or a numeric code
"echo-request" (code 8) is a ping request
"echo-reply" (code 0) is a ping reply
"destination-unreachable" (code 3) means the destination is unreachable
For the other available ICMP types, run "iptables -p icmp -h" to view the help text.
iptables -A INPUT -p icmp --icmp-type 8 -j DROP       # other hosts cannot ping this machine
iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT     # this machine can still ping other hosts, because their replies are accepted
iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT     # when this machine pings an unavailable host, the "destination unreachable" message still gets through
iptables -A INPUT -p icmp -j REJECT                   # all other ICMP is rejected; with these four rules, other hosts cannot ping us but we can ping them
Explicit matches
Must be requested explicitly in the form "-m extension-module"; they cover multiple ports, MAC addresses, IP ranges, packet state and similar conditions.
- Multi-port match
-m multiport --sport source-port-list
-m multiport --dport destination-port-list
iptables -A INPUT -p tcp -m multiport --dport 80,22,21,20,53 -j ACCEPT
iptables -A INPUT -p udp -m multiport --dport 53 -j ACCEPT
- IP range match
-m iprange --src-range IP-range (and --dst-range for the destination)
iptables -A FORWARD -p udp -m iprange --src-range 192.168.80.100-192.168.80.200 -j DROP
Drops forwarded UDP packets whose source address lies in 192.168.80.100-192.168.80.200
- MAC address match
-m mac --mac-source MAC-address
iptables -A FORWARD -m mac --mac-source xx:xx:xx:xx:xx:xx -j DROP
Forbids forwarding packets from this MAC address. A MAC match only works on the inbound side (PREROUTING, INPUT, FORWARD), and the MAC seen is that of the last hop, not of the original sender.
State match
-m state --state connection-state (on current systems -m conntrack --ctstate is the preferred equivalent)
- Common connection states
NEW: not associated with any existing connection; the first packet that starts a connection
ESTABLISHED: a reply to a request, or part of a connection that is already established
RELATED: related to an existing connection (such as the FTP data connection opened by an FTP control session), a derived connection; usually used together with ESTABLISHED
INVALID: cannot be associated with any connection, or has no valid state
iptables -A FORWARD -m state --state NEW -p tcp ! --syn -j DROP
Do not forward TCP packets that are NEW to connection tracking yet are not SYN requests (for example, forged attack packets)
iptables -I INPUT -p tcp -m multiport --dport 80,22,21,20,53 -j ACCEPT
iptables -A INPUT -p udp -m multiport --dport 53 -j ACCEPT
iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
Checks the state of inbound packets: packets belonging to an established TCP connection, and packets related to one, are allowed through. Note that the -p tcp here also excludes UDP and ICMP replies; omit it to accept replies for every protocol.
An analogy: once we have agreed a deal, the payment that follows belongs to that deal and does not need to be negotiated again.
iptables -P INPUT DROP
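The whitelist just shown (multiport ACCEPT, ESTABLISHED,RELATED ACCEPT, then a DROP default policy) and the lockout warning from the default-policy section come together in the following added example, which is not from the original post. It writes the whole host ruleset in iptables-restore format, so the policies and rules are loaded in one atomic step instead of one command at a time, and before loading it checks that the SSH port is whitelisted whenever the INPUT policy is DROP. The admin network 192.168.80.0/24, the public service ports 80,443 and the SSH port 22 are assumptions, and it uses -m conntrack, the current equivalent of -m state.

```shell
#!/bin/sh
# Added example: a whitelist host firewall as an iptables-restore ruleset,
# plus a guard against locking yourself out of SSH. Addresses and ports are
# assumptions for illustration.

ADMIN_NET="${ADMIN_NET:-192.168.80.0/24}"   # who may open SSH sessions (assumed)
SSH_PORT="${SSH_PORT:-22}"
SERVICE_PORTS="${SERVICE_PORTS:-80,443}"    # multiport list of public services (assumed)

build_host_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback must stay open or local services break
-A INPUT -i lo -j ACCEPT
# replies to connections this host opened, plus related ones (FTP data, ICMP errors)
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# packets conntrack cannot classify (forged or out-of-window)
-A INPUT -m conntrack --ctstate INVALID -j DROP
# management access: without this rule the DROP policy locks you out
-A INPUT -p tcp -s ${ADMIN_NET} --dport ${SSH_PORT} -m conntrack --ctstate NEW -j ACCEPT
# public services on one multiport rule
-A INPUT -p tcp -m multiport --dports ${SERVICE_PORTS} -m conntrack --ctstate NEW -j ACCEPT
# let others ping us, but rate-limited
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
# log a sample of what the policy is about to drop; LOG does not stop matching
-A INPUT -m limit --limit 3/minute -j LOG --log-prefix "INPUT-DROP: " --log-level 4
COMMIT
EOF
}

# Lockout guard: refuse a ruleset whose INPUT policy is DROP and which has no
# rule accepting the SSH port. Returns 0 when safe, 1 when it would lock you out.
check_ssh_reachable() {
    ruleset="$1"
    port="$2"
    printf '%s\n' "$ruleset" | grep -q '^:INPUT DROP' || return 0
    printf '%s\n' "$ruleset" | grep -E -- "^-A INPUT .*--dport ${port} .*-j ACCEPT" >/dev/null
}

# stand-alone run: print the ruleset and the verdict
rules=$(build_host_ruleset)
printf '%s\n' "$rules"
if check_ssh_reachable "$rules" "$SSH_PORT"; then
    echo "check: ssh port $SSH_PORT is whitelisted under the INPUT DROP policy"
else
    echo "check: FAIL, loading this ruleset would lock out SSH" >&2
fi
```

Apply it as root with `build_host_ruleset | iptables-restore` only after the check passes; because iptables-restore replaces the table in one step, the ordering problem of typing `-P INPUT DROP` before the ACCEPT rules disappears. On CentOS 7 with iptables-services, `iptables-save > /etc/sysconfig/iptables` is what the iptables service reloads at boot.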