Enterprise iptables firewall (1)

One, iptables introduction

Netfilter/iptables (hereinafter simply iptables) is an excellent, open-source and completely free packet-filtering firewall that ships with Unix/Linux. It is powerful and flexible in use, and it can control the packets entering and leaving a server in very fine detail.

netfilter: the kernel-space part (kernel space). It does not exist as a file or program; it is what actually implements the firewall functions.
iptables: the user-space part (user space), present as /sbin/iptables. In day-to-day operation the two are not distinguished.
iptables is the tool through which the user interacts with the kernel.

**Note:** iptables mainly works at layers 3 and 4 of the OSI seven-layer model. For layer-7 control, use a squid proxy together with iptables.

In a real production environment:

Turn off the Linux host firewall. (For security, try not to give servers a public IP at all; if they must be reachable, forward to them through a proxy.) Under high concurrency iptables adds latency, because every packet is evaluated against the rule chains (and, with stateful rules, tracked in the connection table).

Only if concurrency is low and the server must sit on the public network should you consider turning the firewall on.

Under high concurrency iptables cannot be left on, since it hurts performance; use a hardware firewall in front of the servers to secure the architecture instead. Whichever you choose, make sure the upstream firewall or proxy really carries the rules you removed from the host, and that the host has no other path to the Internet.

1. Classification by where the firewall works:

Host firewall: mainly protects the packets entering and leaving a single host;
Network firewall: works at the edge of a network and protects the packets of all hosts entering and leaving that network;
================================================================================
Disadvantages of iptables:
(1) Although a firewall can filter packets from the Internet, it cannot filter packets inside the internal network. An attack launched from within the internal network is therefore not stopped by the firewall.
(2) The host's own operating system may have vulnerabilities that let an intruder bypass the firewall filtering and compromise the machine.
(3) A firewall cannot effectively block virus attacks, especially malware hidden inside data.
(4) Normally all Internet traffic passes through the firewall, which creates a traffic bottleneck. For example, an attacker can keep sending packets so that the firewall is busy filtering them, and legitimate traffic can no longer get through normally.
PS: No operating system is absolutely secure; despite these shortcomings a firewall still blocks most attacks coming from the external network!

2. iptables workflow

1. The firewall filters layer by layer: in practice the rules are evaluated in the order they were configured, from top to bottom and front to back.

2. If a rule matches and explicitly says whether to block or pass the packet, that decision is final and the packet is not compared against any later rule.

3. If no rule explicitly blocks or passes the packet, i.e. nothing matches, evaluation continues downward until the chain's default rule (its policy) is reached, which always gives a definite block or pass.

4. The default rule of the firewall is therefore applied only after every rule of the corresponding chain has been tried; it is the last rule executed.

Two, iptables concepts

One, iptables terms and definitions

1. What is Netfilter/iptables?

Think of Netfilter as a building in a residential community. The tables are the houses in that building, and those houses belong to Netfilter/iptables.

2. What is a table (tables)?

Tables are containers of chains: every chain belongs to a table. In the analogy above, if Netfilter is the building, a table is one house in it.

3. What are chains?

Chains are containers of rules. If a table is a house, a chain is a piece of furniture in that house (a cabinet, for example).

4. What is a policy (rule)?

Rules (policies) are the easiest part to understand: they are the concrete clauses that specify how iptables filters traffic. In the analogy they are what goes into the cabinet and how it is arranged.

The basic terms are shown in the following table:

Netfilter/iptables   Tables (tables)           Chains (chains)            Rules (Policy)
a building           a house in the building   a cabinet in the house     the clothes in the cabinet, i.e. the rules

Three, iptables table and chain

iptables is usually described as having three tables, defined by function: filter, nat and mangle. Each table contains its own set of operation chains. In fact iptables has four tables (raw as well) and five chains; for a host firewall the one to remember is filter.

1. Four tables:

Table names must be lowercase.
raw   ------------ controls connection tracking of packets (e.g. exempting them from tracking). Rarely used; can be ignored.
mangle   -------- marks or modifies packets (packet marking).
nat   --------- network address translation, i.e. rewriting the source/destination IP address and port. Used when the host acts as a gateway; it is not about the host itself.
filter   -------- does the filtering; the table used most in a firewall.
Order in which the tables are applied: raw -> mangle -> nat -> filter

2. Five chains

Five chains (names must be uppercase); the rules are written inside the chains.
PREROUTING  --------------------- packets before the routing decision
INPUT    ----------------- filters packets coming in to this host (input)
FORWARD ----------------- forwarded packets
OUTPUT  --------------- packets sent out by this host
POSTROUTING    -------------- modifies packets after the routing decision
All traffic goes through the chains in order:
Inbound: e.g. traffic to this host's own web service. First PREROUTING (change the address?), then INPUT (allow it?), then the packet reaches the program.
Forwarded: traffic passing through a Linux gateway. First PREROUTING (change the address?), then routing, then FORWARD (forward or drop), and finally POSTROUTING (change the address or not?).
Outbound: traffic originating from the Linux host itself. First OUTPUT, then routing, then POSTROUTING (change the source IP?).
Rule order: rules are matched one by one like an ACL; the first match stops evaluation.

3. Four tables and five chains

raw table chains:
PREROUTING
OUTPUT
Summary: decides whether a packet is subject to connection tracking. Kernel module iptable_raw
===============================================
mangle table has 5 chains:
PREROUTING
INPUT
FORWARD
OUTPUT
POSTROUTING
Table used for marking packets (e.g. for policy routing). Kernel module iptable_mangle
=====================================================
nat table chains:
PREROUTING
INPUT
OUTPUT
POSTROUTING
Table for address translation (rewriting IPs and ports; used when the Linux host is a gateway, protecting traffic between the internal and external networks). Kernel module iptable_nat
==========================================
filter table has three chains (the important one):
INPUT    # filters all packets whose destination is a local address; in plain terms, packets entering the host
FORWARD  # handles packets passing through the host; performs the forwarding
OUTPUT   # handles all packets whose source is a local address; in plain terms, packets the host sends out
Summary: handles packets according to the rules, forwarding or dropping them; it is the main table for a host firewall.
Kernel module iptable_filter
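The workflow in "2. iptables workflow" (first match wins, then the chain policy) and the traversal order in "2. Five chains" and "3. Four tables and five chains" can be exercised without touching a kernel. The following is an added example written for this article, not code from the original post or from the iptables project: a small Python model of the packet path. The Packet and Rule types, the match keys, the gateway addresses (203.0.113.10, 192.168.1.1, 192.168.1.20) and the ruleset are all constructed for the example; connection tracking is left out. The table order per chain follows the kernel hook priorities, which is the article's raw -> mangle -> nat -> filter in PREROUTING and OUTPUT, while in INPUT the nat table (source NAT) is hooked after filter.

```python
"""Model of the iptables packet path described in this article (added
example, not the post's own code): first-match rule evaluation with a
per-chain default policy, plus the chain/table traversal order for the
inbound, forwarded and outbound paths.  Packet, Rule and the gateway
ruleset are constructed for the example; no real kernel is involved."""
from dataclasses import dataclass, replace

# Tables consulted per built-in chain, in kernel hook-priority order: the
# article's raw -> mangle -> nat -> filter, except that nat (source NAT)
# is hooked after filter in INPUT.
TABLE_ORDER = {
    "PREROUTING": ("raw", "mangle", "nat"),
    "INPUT": ("mangle", "filter", "nat"),
    "FORWARD": ("mangle", "filter"),
    "OUTPUT": ("raw", "mangle", "nat", "filter"),
    "POSTROUTING": ("mangle", "nat"),
}
LOCAL_ADDRS = frozenset({"203.0.113.10", "192.168.1.1"})  # constructed gateway addresses

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int

@dataclass
class Rule:
    match: dict   # Packet fields that must all be equal for a hit
    target: str   # ACCEPT, DROP, REJECT or DNAT
    to: str = ""  # replacement destination for DNAT

    def matches(self, pkt):
        return all(getattr(pkt, k) == v for k, v in self.match.items())

class Ruleset:
    def __init__(self):
        self.rules = {}   # (table, chain) -> [Rule, ...] in insertion order
        self.policy = {}  # (table, chain) -> default target

    def append(self, table, chain, rule):        # like `iptables -t T -A C ...`
        self.rules.setdefault((table, chain), []).append(rule)

    def set_policy(self, table, chain, target):  # like `iptables -t T -P C target`
        self.policy[(table, chain)] = target

    def run_chain(self, table, chain, pkt):
        """First match wins; with no match the chain policy (ACCEPT unless set) decides."""
        for rule in self.rules.get((table, chain), []):
            if rule.matches(pkt):
                if rule.target == "DNAT":  # rewrite the destination, chain is done
                    return "ACCEPT", replace(pkt, dst=rule.to)
                return rule.target, pkt
        return self.policy.get((table, chain), "ACCEPT"), pkt

    def run_hook(self, chain, pkt):
        for table in TABLE_ORDER[chain]:
            verdict, pkt = self.run_chain(table, chain, pkt)
            if verdict != "ACCEPT":
                return verdict, pkt
        return "ACCEPT", pkt

    def process(self, pkt, origin="network"):
        """Walk a packet along its path: (verdict, chains traversed, packet after NAT)."""
        path = ["OUTPUT", "POSTROUTING"] if origin == "local" else ["PREROUTING", "ROUTE", "POSTROUTING"]
        seen = []
        for hook in path:
            if hook == "ROUTE":  # routing decision taken after PREROUTING
                hook = "INPUT" if pkt.dst in LOCAL_ADDRS else "FORWARD"
            seen.append(hook)
            verdict, pkt = self.run_hook(hook, pkt)
            if verdict != "ACCEPT":
                return verdict, seen, pkt
            if hook == "INPUT":  # handed to a local process, POSTROUTING is not visited
                break
        return "ACCEPT", seen, pkt

def gateway_ruleset(drop_before_accept=True):
    """Constructed gateway policy: DNAT public port 80 to an internal web server and
    allow it through FORWARD; allow SSH to the gateway; drop the rest.  The two
    INPUT rules can be installed in either order to show that order decides."""
    rs = Ruleset()
    rs.set_policy("filter", "INPUT", "DROP")
    rs.set_policy("filter", "FORWARD", "DROP")
    rs.append("nat", "PREROUTING",
              Rule({"dst": "203.0.113.10", "proto": "tcp", "dport": 80}, "DNAT", "192.168.1.20"))
    rs.append("filter", "FORWARD",
              Rule({"dst": "192.168.1.20", "proto": "tcp", "dport": 80}, "ACCEPT"))
    drop_host = Rule({"src": "198.51.100.7"}, "DROP")
    allow_ssh = Rule({"proto": "tcp", "dport": 22}, "ACCEPT")
    for rule in ([drop_host, allow_ssh] if drop_before_accept else [allow_ssh, drop_host]):
        rs.append("filter", "INPUT", rule)
    return rs

if __name__ == "__main__":
    rs = gateway_ruleset()
    print(rs.process(Packet("198.51.100.7", "203.0.113.10", "tcp", 80)))  # DNAT, then FORWARD
    print(rs.process(Packet("198.51.100.7", "203.0.113.10", "tcp", 22)))  # DROP rule is hit first
    print(rs.process(Packet("192.168.1.5", "203.0.113.10", "udp", 53)))   # no match: INPUT policy
```

Running it shows the three things the article states: the web request has its destination rewritten in nat/PREROUTING and is therefore routed through FORWARD rather than INPUT; the SSH packet from 198.51.100.7 is dropped because the DROP rule sits above the ACCEPT rule, while `gateway_ruleset(drop_before_accept=False)` accepts the very same packet; and the UDP packet, matched by nothing, gets the INPUT chain's policy. The same model is a cheap way to sanity-check the intended order of a real ruleset before loading it with iptables-restore.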

Origin blog.csdn.net/xingyu860990/article/details/109196925