Table of Contents
Basic control type of data packet
SNAT mode (source address translation)
DNAT mode (target address translation)
Firewall iptables
iptables tool
4 tables (one per function):
- raw (rarely configured)
- mangle (rarely configured)
- nat
- filter
filter
Packet filtering firewall
View detailed rules of filter
- iptables -t filter -nvL
3 chains of the filter table
Each table holds its rules in chains
INPUT inbound chain
Note: Rules are matched from top to bottom, one by one; the first matching rule decides.
FORWARD forwarding rule chain
(Used when neither the source address 192.168.1.1 nor the destination address 172.16.1.20 belongs to the local host)
To keep watching the output of iptables -t filter -nvL:
- watch -n1 iptables -t filter -nvL
OUTPUT outbound chain
Writing a filter rule
Format:
- iptables -t filter -I INPUT -p tcp --dport 90 -j ACCEPT
View the filter rule table:
With this rule in place, the website on port 90 of this server can be reached from outside.
Basic syntax of iptables
Precautions:
- When no table name is specified, the filter table is used by default
- When no chain name is specified, the command applies to all chains of the table
- Matching conditions must be specified, unless you are setting the chain's default policy
- Options, chain names and control types are case-sensitive: chain names and control types are uppercase, everything else is lowercase
Basic control types of data packets
- ACCEPT allows the packet to pass
- DROP discards the packet silently, without any response
- REJECT refuses the packet and, where appropriate, sends back an error response
- LOG records log information, then passes the packet to the next rule to continue matching
We can test this in practice (ICMP ping) to see the difference between DROP and REJECT
REJECT:
Write the rule:
- iptables -I FORWARD -s 0.0.0.0/0 -d 0.0.0.0/0 -j DROP
DROP:
Note: When identical rules exist in a chain, the one nearest the top takes effect
Add new rules
- -A append a rule at the end of the chain
- -I Insert a rule at the beginning of the chain (or at a specified rule number)
View rule list
- -L List all rule entries
- -n Display addresses and ports in numeric form
- -v Display rule information in more detail
- --line-numbers Display the rule number when viewing rules
Delete, clear rules
- -D Delete the rule with a specified sequence number (or matching content) in the chain
- -F Flush (clear) all rules
Delete the rule with sequence number 2 in the FORWARD chain
- iptables -D FORWARD 2
Flush all rules in the FORWARD chain
- iptables -F FORWARD
After flushing, are the rules really gone?
The firewall keeps its saved configuration by default; as soon as the iptables firewall service is restarted, the previous rules come back
- service iptables restart
Specify the default policy
- -P
Note: The default policy can only be DROP or ACCEPT
Change the default policy of FORWARD to DROP
- iptables -P FORWARD DROP
Match condition
Common general matching conditions
- Protocol match: -p [protocol name]
- Address match: -s [source address] -d [destination address]
- Interface match: -i [inbound network interface], -o [outbound network interface]
Common implicit matching conditions
- Port match: --sport [source port], --dport [destination port]
- TCP flag match: --tcp-flags [flags to check] [flags that must be set]
- ICMP type match: --icmp-type [ICMP type]
E.g., ICMP types: 8 = echo request, 0 = echo reply, 3 = destination unreachable
Common explicit matching conditions (loaded with -m)
- Multi-port match: -m multiport --sports [source port list], -m multiport --dports [destination port list]
- IP range match: -m iprange --src-range [IP range]
- MAC address match: -m mac --mac-source [MAC address]
Export backup rules
- iptables-save tool
- Can be combined with output redirection to save the rules to a specified file
Save the current state to a desktop file
Export:
- iptables-save > /root/Desktop/ipt.txt
Import:
- iptables-restore < /root/Desktop/ipt.txt
Save current state as default rule
- service iptables save
No matter how many times the service is restarted, the saved rules persist
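Rules added at runtime exist only until the next restart unless they were saved, as the notes explain above. The following added check (not part of the original notes) diffs the live iptables-save output against the last saved file and prints exactly the policies and rules a restart would discard; both dumps are constructed here, with the notes' placeholder ports, so it runs without root.

```shell
#!/bin/sh
# Constructed dumps. RUNNING stands for what `iptables-save` prints right now;
# SAVED stands for what `service iptables save` wrote the last time it ran.
RUNNING='# Generated by iptables-save
*filter
:INPUT ACCEPT [120:9000]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [99:7000]
-A INPUT -p tcp -m tcp --dport 90 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'
SAVED='# Generated by iptables-save
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 90 -j ACCEPT
COMMIT'

# Normalise a dump for comparison: drop comments, COMMIT lines and the
# [packets:bytes] counters, and prefix each line with its table name so
# identical rules in different tables stay distinct.
normalise() {
  awk '/^#/      { next }
       /^\*/     { t = substr($0, 2); next }
       /^COMMIT/ { next }
       { sub(/ \[[0-9]+:[0-9]+\]$/, ""); print t, $0 }' | LC_ALL=C sort
}

# Print the policy lines and rules present in the running state ($1) but
# absent from the saved file ($2): these are what a restart will throw away.
unsaved_rules() {
  running_file=$(mktemp); saved_file=$(mktemp)
  printf '%s\n' "$1" | normalise > "$running_file"
  printf '%s\n' "$2" | normalise > "$saved_file"
  LC_ALL=C comm -23 "$running_file" "$saved_file"
  rm -f "$running_file" "$saved_file"
}

# On a real gateway: unsaved_rules "$(iptables-save)" "$(cat /etc/sysconfig/iptables)"
unsaved_rules "$RUNNING" "$SAVED"
```

The sample reports the port-22 rule and the FORWARD DROP policy as unsaved; an empty result means the saved file already matches the live state.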
nat
Network address translation
For more information about NAT bridging, see my blog:
SNAT mode (source address translation)
Experiment
Linux gateway server
View nat table
- iptables -t nat -nvL
- iptables -t nat -A POSTROUTING -p tcp -o eth1 -s 192.168.1.0/24 -j SNAT --to-source 12.34.56.78
Rule written successfully
Configure FORWARD
Just flush the FORWARD chain
- iptables -F FORWARD
PC access successful
If the IP address of the Linux gateway server changes:
Here we can see that the PC can no longer reach the outside, because the SNAT rule still rewrites the source address to the old fixed address
Write new rules
- iptables -t nat -A POSTROUTING -p tcp -o eth1 -s 192.168.1.0/24 -j MASQUERADE
Rule written successfully
You can see that the rule appended with -A does not take effect, because the earlier SNAT rule with the same match is hit first
Delete the rule above it to make it effective
- iptables -t nat -D POSTROUTING 1
PC can be successfully accessed
DNAT mode (target address translation)
Experiment
Experimental principle:
Check whether the PC on the external network is accessing port 80
If not, hand the packet on to the INPUT chain of the filter table
Note: There is a priority order; the chains of the nat table are evaluated before the chains of the filter table
Linux gateway server
Set pre-routing rules
- iptables -t nat -A PREROUTING -i eth1 -d 12.34.56.80 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.1:8080
Combined with the POSTROUTING rule configured in the previous experiment
The external PC successfully accesses the internal server's port 8080 through port 80
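The SNAT experiment showed the rule-order trap: a MASQUERADE rule appended below an SNAT rule with the same match never fires, because the chain is matched top to bottom and stops at the first terminating target. This added check (not from the original notes) scans an iptables-save dump for such shadowed rules; the dump is constructed from the notes' placeholder addresses and includes the DNAT rule, and a LOG rule is treated as non-terminating, as the notes describe.

```shell
#!/bin/sh
# Constructed iptables-save style dump reproducing the SNAT experiment: the old
# SNAT rule (fixed 12.34.56.78) sits above the MASQUERADE rule appended with -A,
# so the MASQUERADE rule can never be reached. The filter table shows a LOG rule
# followed by ACCEPT with the same match, which is NOT shadowing (LOG continues).
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 90 -j LOG
-A INPUT -p tcp -m tcp --dport 90 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -d 12.34.56.80/32 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.1:8080
-A POSTROUTING -s 192.168.1.0/24 -o eth1 -p tcp -j SNAT --to-source 12.34.56.78
-A POSTROUTING -s 192.168.1.0/24 -o eth1 -p tcp -j MASQUERADE
COMMIT'

# Read a dump on stdin and print "<table> <chain> <rule-number>" for every rule
# whose match part (everything before -j) repeats an earlier rule in the same
# chain that has a terminating target. Such a rule is dead: the first rule with
# that match always decides the packet's fate.
shadowed_rules() {
  awk '
    /^\*/  { table = substr($0, 2); split("", seen); split("", count); next }
    /^-A / {
      chain = $2
      spec = $0;  sub(/ -j .*$/, "", spec)        # match specification only
      tgt  = $0;  sub(/^.* -j /, "", tgt); sub(/ .*$/, "", tgt)   # target name
      key = chain SUBSEP spec
      count[chain]++
      if (key in seen)      print table, chain, count[chain]
      else if (tgt != "LOG") seen[key] = 1           # LOG does not stop matching
    }
  '
}

# On a real gateway: iptables-save | shadowed_rules
printf '%s\n' "$SAMPLE_DUMP" | shadowed_rules
```

For the sample this reports only "nat POSTROUTING 2", which is exactly the rule number the notes delete above it (iptables -t nat -D POSTROUTING 1) to let MASQUERADE take over.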
References:
Qianfeng Network Security Video Notes: https://www.bilibili.com/video/BV1i7411G7vm?p=152