Enterprise firewalls: Iptables and a practical exercise

One, Iptables firewall overview

  • NetFilter/Iptables (hereafter simply Iptables) is an open-source, free firewall software system for Unix/Linux operating systems. It is a packet-filtering firewall tool and works mainly at layer 2 (data link), layer 3 (network) and layer 4 (transport) of the OSI seven-layer model.
  • NetFilter works mainly in kernel space (Kernel Space) and is a module built into the Linux kernel; it needs no installation and is integrated by default. It consists of a number of filter tables that store the policy rules and are responsible for rule and policy processing, packet filtering and so on.
  • Iptables works mainly in user space (User Space) and is a tool that ships with the Linux system. It is used to manage the underlying NetFilter module, whose kernel-side tables cannot be operated on directly: through the iptables tool you manage NetFilter's filter table, and you can also add policy rules to the tables.
  • In day-to-day operations and maintenance, NetFilter and Iptables are collectively referred to as the Iptables firewall. By default iptables has four tables: Raw, Mangle, NAT and Filter; unless told otherwise, iptables manages and uses the Filter table.
  • The four tables contain five chains in total. A chain may hold no rules at all or any number of rules; a rule is a policy definition that limits which clients are allowed to access the server, and rules must not conflict with one another. The five chains are:

[Figure: the five iptables chains]

Two, the iptables command in detail

1, command syntax:

[Figure: iptables command syntax]

2, command arguments in detail

-A   # append: add a new rule at the end of the chain
-I   # insert a new rule; a number after -I gives the position to insert at
-D   # delete a rule; a number after -D gives which rule number to delete
-N   # create a new chain
-X   # delete a user-defined chain; the chain must be empty and not referenced anywhere first
-L   # list rules
 iptables -L -n # show addresses and ports numerically
 iptables -L -v # show verbose output
 iptables -L -x # show exact (unrounded) counters

-E   # rename a chain
-F   # flush all rules in a chain
-Z   # zero the packet and byte counters of a chain
-P   # set the default policy of a chain

2. Match conditions:
Implicit matches:
   -p  tcp udp icmp
   --sport # source port
   --dport # destination port
   -s # source address
   -d # destination address
   -i # interface the packet arrives on
   -o # interface the packet leaves by

Extended matches:
-m state --state   # match connection state
-m limit --limit 3/minute   # at most three matches per minute
-m multiport --source-port   # port match: specify a set of ports
-m time --timestart 8:00 --timestop 12:00  # match only between the given start and stop times
-m time --days    # match only on the given days
-m mac --mac-source xx:xx:xx:xx:xx:xx # match the source MAC address
-m layer7 --l7proto qq   # match Tencent QQ traffic; many other protocols are supported too. This is not available by default: the kernel must be patched and both the kernel and iptables recompiled before the -m layer7 extended match can be used

# I am not sure what the next two parameters are for!
-m limit --limit-burst 5   match at most 5 packets in a burst
-m string --algo bm|kmp --string "xxxx"  match a string

3. Actions:
-j
DROP   # drop the packet silently
ACCEPT # allow it through
REJECT # drop it, but send a reply back
LOG --log-prefix "descriptive text, define it as you like"  # log the packet

SNAT       # source address translation; used when many intranet users share one public address
DNAT       # destination address translation; the reverse of SNAT
# Traffic from the intranet to an external server uses SNAT at the gateway; replies from the external server back to intranet users use DNAT!

REDIRECT   # redirect
MASQUERADE # address masquerading


# save the iptables rules
service iptables save
# restart the iptables service
service iptables stop
service iptables start

3, Key reminders

(1) We need to enable forwarding! firewalld and SELinux need to be turned off

 echo 1 > /proc/sys/net/ipv4/ip_forward

(2) NAT rule matching order
Rules are matched from top to bottom, in sequence; once a rule matches, matching stops and the rules below it are not examined, regardless of how precise their match would be!

Three, Introduction to the Iptables Filter table

Filter is the default iptables table, so if you do not specify a table, the filter table is used. It has three built-in chains:

  • INPUT chain - processes data coming in from outside to this machine;
  • OUTPUT chain - processes outbound data;
  • FORWARD chain - forwards data to other devices on the machine's LAN.

Practical exercise

# list the iptables rules with line numbers
iptables -L -n --line-numbers
# web server: open port 80;
iptables -I INPUT 2 -p tcp --dport 80 -j ACCEPT # here the -I argument inserts the rule as rule number 2
# specify multiple ports: open the mail server ports 25 and 110;
iptables -A INPUT -p tcp -m multiport --dport 110,25 -j ACCEPT
# allow ICMP packets through, i.e. allow ping
iptables -A OUTPUT -p icmp -j ACCEPT # the INPUT direction needs the same rule; omitted here
# politely refuse everything else
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
# role of the FORWARD chain: usually used together with the nat table; the FORWARD chain permits forwarding, then the nat table does the translation!
# deleting rules
# 1. delete by table
iptables -t nat -F # flush all chains of the nat table
# 2. delete by chain name plus rule number # first be sure which rule in which chain you are deleting!
iptables -D INPUT 1


# default policies in the iptables rules configuration file; they are matched last
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [602:39593]
               [packet count:total size of all packets in bytes]

Four, Introduction to the Iptables NAT table

1, NAT usage scenarios

NAT (network address translation) is something we see a lot in everyday life, for example when a home router is used to share an Internet connection. That normally relies on NAT, which lets many IPs inside the private network share a single public IP to reach the Internet.

2, NAT principle

Simply put, when a host on the internal network accesses the external network, its packets pass through the router; the router rewrites the source IP address in the packet to its own public IP address and records the packet's details;

3, SNAT and DNAT explained

When the external server sends its response, or data is exchanged from the inside out, the packet sent by the external server passes through the router, which rewrites the destination that was originally the router's public IP address back to the internal host's IP address.
SNAT and DNAT are two important concepts in iptables NAT rules. As described above, when an internal host accesses the external network through the router, the source IP changes; this change is SNAT. Conversely, when data from the external network passes through the router to a host on the internal network, the packet's destination IP (the public IP on the router) is rewritten to the internal network IP; this change is DNAT.

4, The NAT table has three built-in chains

  • POSTROUTING chain - processes packets leaving the machine. It translates the source IP address (source ip address) of the packet and is typically used for SNAT (source NAT).
  • PREROUTING chain - processes packets just as they arrive at the machine, before the routing decision. It translates the destination IP address (destination ip address) of the packet and is typically used for DNAT (destination NAT).
  • OUTPUT chain - processes locally generated packets.

5, NAT mapping practical exercise

Internal host IP: 192.168.0.1:8080; the LAN gateway host's IP: 39.97.176.117; you want to access 106.54.72.122:80. Configure the following rules on the gateway:

# --to-source gives the source IP after translation; for udp/tcp packets a translated port number can be given too
iptables -t nat -A POSTROUTING -s 192.168.0.1/32  -p tcp --sport 8080 -j SNAT --to-source 39.97.176.117:8080

# --to-destination gives the destination IP after translation; for udp/tcp packets a translated port number can be given too
iptables -t nat -A PREROUTING -d 39.97.176.117/32 -p tcp --dport 8080 -j DNAT --to-destination 192.168.0.1:8080

# permit forwarding
iptables -A FORWARD -s 192.168.0.1 -p tcp --sport 8080 -j ACCEPT
# the reply packets also have to pass the FORWARD chain: unless its policy is ACCEPT, add a matching rule (e.g. -m state --state ESTABLISHED,RELATED -j ACCEPT)
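To make the SNAT/DNAT behaviour of the exercise above concrete, here is an added Python model (not the kernel's or the post's code) of the gateway's nat table: POSTROUTING rewrites the internal host's source to the gateway's public address and records the connection, PREROUTING translates tracked replies back and applies the DNAT rule to new inbound connections on the published port. The addresses are the ones from the exercise; the conntrack map is a simplification of the kernel's connection tracking.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


# Addresses from the exercise: the internal host and the gateway's public IP.
INTERNAL = ("192.168.0.1", 8080)
GATEWAY_PUBLIC = "39.97.176.117"


class NatGateway:
    """Simplified model of the gateway's nat table plus connection tracking."""

    def __init__(self):
        # reply tuple as seen from outside -> original inside packet
        self.conntrack = {}

    def postrouting(self, pkt):
        """Egress (POSTROUTING): SNAT 192.168.0.1:8080 -> 39.97.176.117:8080
        and remember the mapping so the reply can be translated back."""
        if (pkt.src, pkt.sport) == INTERNAL:
            out = Packet(GATEWAY_PUBLIC, 8080, pkt.dst, pkt.dport)
            self.conntrack[(out.dst, out.dport, out.src, out.sport)] = pkt
            return out
        return pkt

    def prerouting(self, pkt):
        """Ingress (PREROUTING): replies of tracked connections get their
        destination restored (the reverse of the SNAT); other packets to the
        published port hit the DNAT rule and go to the internal host."""
        orig = self.conntrack.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if orig is not None:
            return Packet(pkt.src, pkt.sport, orig.src, orig.sport)
        if (pkt.dst, pkt.dport) == (GATEWAY_PUBLIC, 8080):
            return Packet(pkt.src, pkt.sport, *INTERNAL)
        return pkt
```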

6, Saving iptables rules on a live server, with the rules of an Alibaba Cloud server as an example

iptables-save >/root/iptables
# Generated by iptables-save v1.4.21 on Sun Mar 29 09:32:13 2020
*mangle
:PREROUTING ACCEPT [4956702:403757221]
:INPUT ACCEPT [4956702:403757221]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4951017:201160024]
:POSTROUTING ACCEPT [4951028:201162271]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Sun Mar 29 09:32:13 2020
# Generated by iptables-save v1.4.21 on Sun Mar 29 09:32:13 2020
*nat
:PREROUTING ACCEPT [4933337:295987301]
:INPUT ACCEPT [4933337:295987301]
:OUTPUT ACCEPT [3006:227717]
:POSTROUTING ACCEPT [3006:227717]
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
# Completed on Sun Mar 29 09:32:13 2020
# Generated by iptables-save v1.4.21 on Sun Mar 29 09:32:13 2020
*filter
:INPUT ACCEPT [4956714:403758096]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4951029:201160679]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
COMMIT
# Completed on Sun Mar 29 09:32:13 2020
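The dump above and the "default policies are matched last" note in the practical exercise both use the iptables-save format. As an added example (not from the post), this Python parser reads that format into tables, chains, policies, counters and rules, and then lists the filter chains whose ACCEPT policy is what an unmatched packet falls through to (no trailing catch-all DROP/REJECT rule). The embedded dump is constructed for the example and modelled on the one above.

```python
import re

# Constructed sample in iptables-save format (counters and rules are made up).
SAMPLE_DUMP = """\
# Generated by iptables-save v1.4.21 on Sun Mar 29 09:32:13 2020
*nat
:PREROUTING ACCEPT [12:700]
:POSTROUTING ACCEPT [3:200]
-A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [100:6000]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [90:5000]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -s 192.168.0.1 -p tcp --sport 8080 -j ACCEPT
COMMIT
"""

# ":CHAIN POLICY [packets:bytes]"; user-defined chains have policy "-"
CHAIN_RE = re.compile(r"^:(\S+)\s+(\S+)\s+\[(\d+):(\d+)\]$")
TERMINAL = ("-j DROP", "-j REJECT")


def parse_iptables_save(text):
    """Return {table: {chain: {policy, packets, bytes, rules}}}."""
    tables, table = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue                      # blank or comment line
        if line.startswith("*"):
            table = tables.setdefault(line[1:], {})
        elif line.startswith(":"):
            name, policy, pkts, byts = CHAIN_RE.match(line).groups()
            table[name] = {"policy": policy, "packets": int(pkts),
                           "bytes": int(byts), "rules": []}
        elif line.startswith("-A "):
            table[line.split()[1]]["rules"].append(line)
        elif line == "COMMIT":
            table = None                  # end of the current table
    return tables


def open_by_default(tables, table="filter"):
    """Chains where a non-matching packet ends up ACCEPTed by the policy:
    policy ACCEPT and the last rule is not an unconditional DROP/REJECT."""
    found = []
    for chain, info in tables.get(table, {}).items():
        last = info["rules"][-1] if info["rules"] else ""
        catch_all = last.startswith(f"-A {chain} -j ") and any(t in last for t in TERMINAL)
        if info["policy"] == "ACCEPT" and not catch_all:
            found.append(chain)
    return found
```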

7, iptables configuration example from a live Tencent Cloud server

*nat
:PREROUTING ACCEPT [15:616]
:INPUT ACCEPT [15:616]
:OUTPUT ACCEPT [312:18734]
:POSTROUTING ACCEPT [312:18734]
:DOCKER - [0:0]
:KUBE-MARK-DROP - [0:0]
:KUBE-MARK-MASQ - [0:0]
:KUBE-NODEPORTS - [0:0]
:KUBE-POSTROUTING - [0:0]
:KUBE-SEP-CDLPKQDAWGXXULF3 - [0:0]
:KUBE-SEP-WDXYE4D5Z7MA4KDL - [0:0]
:KUBE-SERVICES - [0:0]
:KUBE-SVC-NPX46M4PTMTKRN6Y - [0:0]
:KUBE-SVC-XGLOHA7QRQ3V22RZ - [0:0]
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.21.0/24 ! -o docker0 -j MASQUERADE
-A POSTROUTING -m comment --comment "kubernetes postrouting rules" -j KUBE-POSTROUTING
-A DOCKER -i docker0 -j RETURN
-A KUBE-MARK-DROP -j MARK --set-xmark 0x8000/0x8000
-A KUBE-MARK-MASQ -j MARK --set-xmark 0x4000/0x4000
-A KUBE-POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -m mark --mark 0x4000/0x4000 -j MASQUERADE
-A KUBE-SEP-CDLPKQDAWGXXULF3 -s 172.17.77.241/32 -m comment --comment "default/kubernetes:https" -j KUBE-MARK-MASQ
-A KUBE-SEP-CDLPKQDAWGXXULF3 -p tcp -m comment --comment "default/kubernetes:https" -m recent --set --name KUBE-SEP-CDLPKQDAWGXXULF3 --mask 255.255.255.255 --rsource -m tcp -j DNAT --to-destination 172.17.77.241:6443
-A KUBE-SEP-WDXYE4D5Z7MA4KDL -s 172.17.21.2/32 -m comment --comment "kube-system/kubernetes-dashboard:" -j KUBE-MARK-MASQ
-A KUBE-SEP-WDXYE4D5Z7MA4KDL -p tcp -m comment --comment "kube-system/kubernetes-dashboard:" -m tcp -j DNAT --to-destination 172.17.21.2:9090
-A KUBE-SERVICES -d 10.254.0.1/32 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-SVC-NPX46M4PTMTKRN6Y
-A KUBE-SERVICES -d 10.254.214.163/32 -p tcp -m comment --comment "kube-system/kubernetes-dashboard: cluster IP" -m tcp --dport 80 -j KUBE-SVC-XGLOHA7QRQ3V22RZ
-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
-A KUBE-SVC-NPX46M4PTMTKRN6Y -m comment --comment "default/kubernetes:https" -m recent --rcheck --seconds 10800 --reap --name KUBE-SEP-CDLPKQDAWGXXULF3 --mask 255.255.255.255 --rsource -j KUBE-SEP-CDLPKQDAWGXXULF3
-A KUBE-SVC-NPX46M4PTMTKRN6Y -m comment --comment "default/kubernetes:https" -j KUBE-SEP-CDLPKQDAWGXXULF3
-A KUBE-SVC-XGLOHA7QRQ3V22RZ -m comment --comment "kube-system/kubernetes-dashboard:" -j KUBE-SEP-WDXYE4D5Z7MA4KDL
COMMIT
# Completed on Sun Mar 29 09:41:43 2020
# Generated by iptables-save v1.4.21 on Sun Mar 29 09:41:43 2020
*filter
:INPUT ACCEPT [425:21221]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [401:28541]
:DOCKER - [0:0]
:DOCKER-ISOLATION - [0:0]
:KUBE-FIREWALL - [0:0]
:KUBE-SERVICES - [0:0]
-A INPUT -j KUBE-FIREWALL
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A OUTPUT -j KUBE-FIREWALL
-A DOCKER-ISOLATION -j RETURN
-A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
COMMIT
# Completed on Sun Mar 29 09:41:43 2020


Origin blog.csdn.net/weixin_44571270/article/details/104734269