iptables firewall: full explanation

Introduction to iptables

iptables is not itself a firewall. Think of it as a front end: the user passes security settings through the iptables command into the framework that actually enforces them. That framework is the real firewall, and its name is Netfilter.

Netfilter is the real security framework and lives in kernel space. iptables is a command-line tool in user space that we use to configure Netfilter.

Together, Netfilter/iptables form the packet-filtering firewall of the Linux platform. It is free and can replace expensive commercial firewall products for packet filtering, packet redirection, network address translation (NAT) and similar functions.

Netfilter is the packet-processing module in the core of the Linux kernel and provides the following functions:

  • Network address translation (NAT)
  • Packet content modification (mangling)
  • Packet filtering (the firewall function)

So although `service iptables start` is used on Linux to "start the iptables service", strictly speaking iptables has no daemon process. It is not a service in the true sense but a function provided by the kernel.

Iptables tables and chains

1. Rule table

A rule table holds rule chains. iptables manages four rule tables, each implemented by its own kernel module:

| Table | Purpose | Kernel module |
|---|---|---|
| filter | Filters packets and decides, according to the rules, how each packet is handled. Contains three chains: INPUT, FORWARD and OUTPUT. | iptable_filter |
| nat | Rewrites packet fields such as IP address and port number, i.e. network address translation. Contains three chains: PREROUTING, POSTROUTING and OUTPUT. | iptable_nat |
| mangle | Modifies the TOS and TTL values of a packet or sets a mark on it, for advanced uses such as traffic shaping and policy routing. Contains five chains: PREROUTING, POSTROUTING, INPUT, OUTPUT and FORWARD. | iptable_mangle |
| raw | Decides whether a packet is connection-tracked at all. The raw table is generally used to exempt packets from connection tracking in order to improve performance. Contains two chains: OUTPUT and PREROUTING. | iptable_raw |

note:

  • The default table is filter (if no table is specified, the filter table is used).

  • Table processing priority: raw > mangle > nat > filter.

  • Of the four tables, filter and nat are used most and the other two much less, so most policies are written as rules in the chains of the filter and nat tables.

2. Rule chain

Rule chains hold the firewall rules. There are five built-in chains, each of which processes packets at a different point in their path.

| Chain | Matched packets | Tables |
|---|---|---|
| INPUT | IP packets entering the firewall host. | mangle, filter (CentOS 7 also has it in nat) |
| OUTPUT | IP packets leaving the firewall host. | raw, mangle, nat, filter |
| FORWARD | IP packets passing through the firewall host (neither source nor destination address is a local IP of the firewall). | mangle, filter |
| POSTROUTING | Packets after routing; used for source address translation (SNAT). | mangle, nat |
| PREROUTING | Packets before routing; can be used for destination address translation (DNAT). | raw, mangle, nat |

note:

  • Every packet passing through the firewall is checked against the rules on the relevant chain of each table; when a rule's conditions match, the rule's action is executed.

  • INPUT and OUTPUT chains are mainly used on "host-type firewalls"; FORWARD, POSTROUTING and PREROUTING chains are mainly used on "gateway firewalls".

The matching process of packet filtering


Order between rule tables

When a packet arrives at the firewall, the rules (if any) in the corresponding chain of the raw, mangle, nat and filter tables are applied in that order.

Order between rule chains

  • Inbound direction: a packet arriving at the firewall from outside is first processed by the PREROUTING chain (whether to rewrite its address, etc.), then routing decides where the packet should go. If its destination is the firewall host itself (for example an Internet user reaching a web server running on the firewall host), the kernel hands it to the INPUT chain (whether to allow it, etc.) and then to the application on the host (such as the Apache server) to respond.

  • Forwarding direction: a packet from outside is first processed by the PREROUTING chain, then routed. If its destination is another external address (for example a LAN user reaching the QQ site through the gateway), the kernel hands it to the FORWARD chain (forward or intercept) and then to the POSTROUTING chain (whether to rewrite its address, etc.).

  • Outbound direction: a packet sent by the firewall host itself to an external address (for example the firewall host querying a public DNS server) is first processed by the OUTPUT chain, then routed, then handed to the POSTROUTING chain (whether to rewrite its address, etc.).
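As an added example (not code from the original post), the forwarding path above written as a minimal gateway rule set: DNAT in nat/PREROUTING before routing, the filter/FORWARD decision, and MASQUERADE in nat/POSTROUTING after routing. Interface names, the LAN range and the internal web server address are constructed assumptions; set IPT=echo to print the commands instead of applying them.

```shell
#!/bin/sh
# Gateway example for the three chains on the forwarding path.
# Assumptions (constructed): eth0 = WAN, eth1 = LAN 192.168.1.0/24,
# internal web server 192.168.1.10. Applying for real needs root and
# net.ipv4.ip_forward=1; IPT=echo prints the commands instead.
IPT="${IPT:-iptables}"
WAN=eth0
LAN=eth1
LAN_NET=192.168.1.0/24
WEB_SRV=192.168.1.10

gateway_rules() {
    # 1. nat/PREROUTING runs before routing, so the DNAT here decides where
    #    the kernel routes the packet: public port 80 goes to the LAN web server.
    "$IPT" -t nat -A PREROUTING -i "$WAN" -p tcp --dport 80 -j DNAT --to-destination "$WEB_SRV":80
    # 2. filter/FORWARD sees the packet after DNAT, so it matches the
    #    translated destination, not the gateway's own public address.
    "$IPT" -A FORWARD -i "$WAN" -o "$LAN" -p tcp -d "$WEB_SRV" --dport 80 -j ACCEPT
    #    Replies and related packets of flows that were already allowed.
    "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    #    LAN clients may open connections toward the WAN.
    "$IPT" -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    # 3. nat/POSTROUTING runs after routing, so the outgoing interface is known
    #    and the source can be rewritten (MASQUERADE = SNAT for a dynamic WAN IP).
    "$IPT" -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
    # Anything else that would be forwarded is dropped by the chain policy.
    "$IPT" -P FORWARD DROP
}

# Number of commands gateway_rules issues (handy with IPT=echo for review).
count_rules() {
    gateway_rules | wc -l | tr -d ' '
}
```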

The sequence between the firewall rules within the rule chain

  • As a packet passes through a chain, the rules are checked in order: first rule, second rule, and so on. Filtering within a chain follows the "match and stop" principle: once a matching rule is found, the remaining rules in the chain are not checked (if no rule matches, the chain's default policy applies).

Firewall rules

The common management options of iptables are shown below.

Common iptables command syntax

iptables

  • -t: specify the rule table; the default is filter.
  • -I: insert the rule at the first position of the chain; followed by the chain name.
  • -A: append the rule at the end of the chain; followed by the chain name.
  • -s: specify the source address in the match condition.
  • -j: specify the action taken when the conditions match, for example DROP (discard) or ACCEPT (allow).

The common control types of iptables are as follows:

| Action | Explanation |
|---|---|
| ACCEPT | Allow the packet through. |
| DROP | Discard the packet silently. |
| REJECT | Refuse the packet and send an error reply to the sender. |
| SNAT | Source address translation; lets many internal users reach the Internet through one public address. |
| DNAT | Destination address translation. |
| MASQUERADE | A special form of SNAT for dynamically assigned, changing IP addresses. |
| REDIRECT | Port redirection on the local machine. |
| LOG | Write log information to /var/log/messages, then pass the packet on to the next rule (an exception to the "match and stop" rule). |

Fields in the iptables rule listing (important!)

| Field | Explanation |
|---|---|
| policy ACCEPT | The default action of the chain (here INPUT) is ACCEPT; it applies when no rule matches. |
| pkts | Number of packets matched by the rule. |
| bytes | Total size of the packets matched by the rule. |
| target | The target of the rule, usually the action taken when the rule matches. |
| prot | The protocol the rule applies to. |
| opt | Options of the rule. |
| in | The interface a packet must arrive on to match the rule. |
| out | The interface a packet must leave on to match the rule. |
| source | Source address of the rule; an IP or a network segment. |
| destination | Destination address of the rule. |

Note:
Some source and destination addresses are shown as "anywhere" because iptables resolves addresses to names by default. With many rules this name resolution is very slow, so use the -n option, which tells iptables not to reverse-resolve IP addresses.
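To show how the columns above are read in practice, here is an added example (not from the original post) that parses a constructed `iptables -nvL INPUT` listing with awk: it extracts the chain policy with its counter, the packet counter of a given rule, and the rules whose counters are still zero. The listing itself is constructed sample text, not output captured from a real host.

```shell
#!/bin/sh
# Constructed sample of `iptables -nvL INPUT` output. Large counters are
# abbreviated (K, M) unless -x is given, so only pkts is parsed numerically here.
SAMPLE_LISTING='Chain INPUT (policy DROP 12 packets, 960 bytes)
 pkts bytes target     prot opt in     out     source               destination
  842 61234 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 5120 4123K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
   37  2220 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     tcp  --  eth0   *       192.168.1.0/24       0.0.0.0/0            tcp dpt:22
   15   900 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "IPT-DROP: "'

# Chain policy and the number of packets it has handled, e.g. "DROP 12".
# Line 1 fields: Chain INPUT (policy DROP 12 packets, ...) -> $4 = policy, $5 = count.
chain_policy() {   # usage: chain_policy "$listing"
    printf '%s\n' "$1" | awk 'NR==1 { print $4, $5 }'
}

# Packet counter of the first rule whose target is $2 and whose line contains
# the match text $3 (e.g. ACCEPT dpt:80). Columns: pkts bytes target prot opt in out src dst extra...
rule_hits() {   # usage: rule_hits "$listing" TARGET MATCH
    printf '%s\n' "$1" | awk -v t="$2" -v m="$3" 'NR>2 && $3==t && index($0, m) { print $1; exit }'
}

# Rules whose pkts counter is zero: never matched since counters were last reset,
# so they deserve a look (dead rule, wrong interface, or a service nobody reaches).
# Output: "<rule number> <target> <prot> <in> <source> <extra matches>".
unmatched_rules() {   # usage: unmatched_rules "$listing"
    printf '%s\n' "$1" | awk 'NR>2 && $1==0 {
        extra=""; for (i=10; i<=NF; i++) extra = extra (i>10 ? " " : "") $i
        print NR-2, $3, $4, $6, $8, extra }'
}
```

Rule numbers in the output correspond to what `iptables -nvL INPUT --line-numbers` would show, so a zero-hit rule can be inspected or deleted by number.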

Match conditions of iptables rules

Universal match

General matching, also called regular matching, can be used on its own without depending on other conditions or extension modules. Common general matches are the protocol match, the address match and the network interface match.

  • Protocol match

When writing iptables rules, use the form "-p protocol" to check the network protocol used by the packet, such as tcp, udp or icmp.

For example: write an iptables rule that drops inbound ICMP packets.

[root@localhost /]#iptables -A INPUT -p icmp -j DROP

  • Address match

When writing iptables rules, use "-s source-address" or "-d destination-address" to check the packet's source or destination address.

For example: write an iptables rule that refuses to forward packets from 192.168.1.0/24 to 202.106.123.0/24.

[root@localhost /]#iptables -A FORWARD -s 192.168.1.0/24 -d 202.106.123.0/24 -j DROP

  • Network interface match

When writing iptables rules, use "-i interface" and "-o interface" to check which firewall interface a packet enters or leaves through; they correspond to the inbound interface (--in-interface) and the outbound interface (--out-interface).

For example: refuse pings of the firewall host that arrive on the firewall's eth1 interface.

[root@localhost /]#iptables -A INPUT -i eth1 -p icmp -j DROP

Implicit match

Implicit matches require a specific protocol match (-p) as a precondition; they are sub-conditions and cannot be used on their own. The kernel module that provides them is loaded implicitly by iptables when needed. Common implicit matches are the port match, the TCP flag match and the ICMP type match.

  • Port match

When writing iptables rules, use "--sport source-port" or "--dport destination-port" with the TCP or UDP protocol to check the packet's source or destination port. A single port or a port range separated by ":" is accepted, but multiple non-contiguous port numbers are not.

For example: to write iptables rules that allow FTP packets through, ports 20 and 21 and the port range 24500-24600 used for passive mode must be allowed.

[root@localhost /]#iptables -A INPUT -p tcp --dport 20:21 -j ACCEPT

[root@localhost /]#iptables -A INPUT -p tcp --dport 24500:24600 -j ACCEPT

  • TCP flag match

When writing iptables rules, use "--tcp-flags mask set" with the TCP protocol to check the packet's flag bits. The "mask" lists the flags to examine and "set" lists those among them that must be 1; multiple flags are separated by commas.

For example: to refuse TCP connection requests that reach the firewall host directly via the external interface (eth1), while still allowing packets such as TCP responses sent to the firewall by other hosts, run the following.

[root@localhost /]#iptables -A INPUT -i eth1 -p tcp --tcp-flags SYN,RST,ACK SYN -j DROP

  • ICMP type match

When writing iptables rules, use "--icmp-type type" with the ICMP protocol to check the ICMP packet type. The type is given as a name or a numeric code, for example "Echo-Request" (code 8), "Echo-Reply" (code 0) and "Destination-Unreachable" (code 3), which are the ICMP request, echo reply and destination unreachable messages respectively.

For example: to forbid other hosts from pinging the firewall host while allowing the firewall host to ping other hosts, run the following.

[root@localhost /]#iptables -A INPUT -p icmp --icmp-type 8 -j DROP

[root@localhost /]#iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT

[root@localhost /]#iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT

Explicit match

Explicit matches need support from an additional kernel module, which must be invoked manually with "-m module-name" before the match condition can be set. Common explicit matches are the multi-port match, the IP range match, the MAC address match and the state match.

  • Multi-port match

When writing iptables rules, use "-m multiport --dport port-list" or "-m multiport --sport port-list" (the full option names are --dports and --sports) to check the packet's destination or source ports; the ports are separated by commas.

For example: to open ports 25, 80, 110 and 143 on this host for e-mail services, run the following.

[root@localhost /]#iptables -A INPUT -p tcp -m multiport --dport 25,80,110,143 -j ACCEPT

  • IP address range match

When writing iptables rules, use "-m iprange --src-range range" or "-m iprange --dst-range range" to check the packet's source or destination address; the range is written as "start-address-end-address".

For example: to allow forwarding of TCP packets whose source IP lies between 192.168.4.21 and 192.168.4.28, run the following.

[root@localhost /]#iptables -A FORWARD -p tcp -m iprange --src-range 192.168.4.21-192.168.4.28 -j ACCEPT

  • MAC address match

When writing iptables rules, use "-m mac --mac-source MAC-address" to check the packet's source MAC address. Because of the limitations of MAC addresses themselves (the source MAC is only preserved within the same layer-2 segment), this kind of match is generally only applicable inside the internal network.

For example: to block a host by its MAC address, denying it access to any application on this machine, run the following.

[root@localhost /]#iptables -A INPUT -m mac --mac-source 00:0c:29:c0:55:3f -j DROP

  • State match

When writing iptables rules, use "-m state --state state" to check a packet's connection state through the connection tracking mechanism of iptables. Common states are NEW (a packet that starts a connection and is not associated with any existing connection), ESTABLISHED (a packet belonging to an already established connection, such as the reply to a request) and RELATED (a packet related to an existing connection, such as an FTP data connection).

For example: write iptables rules that open only the port 80 service on this host, allow TCP response packets sent to this host, and reject all other inbound packets. Run the following.

[root@localhost /]#iptables -A INPUT -p tcp -m multiport --dport 80 -j ACCEPT

[root@localhost /]#iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
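As an added example (not code from the original post), the host-type firewall sketched above completed into a full INPUT chain whose rule order follows the "match and stop" principle: loopback and conntrack rules first, then the services to open, then LOG (which passes the packet on) immediately before the final DROP. The admin network, the open services and the log prefix are constructed assumptions; set IPT=echo to print the commands instead of applying them.

```shell
#!/bin/sh
# Host firewall example for the INPUT chain. Assumptions (constructed):
# HTTP is open to everyone, SSH only from 192.168.1.0/24, ping is rate-limited.
# Applying for real needs root; IPT=echo prints the commands instead.
IPT="${IPT:-iptables}"
ADMIN_NET=192.168.1.0/24

host_firewall() {
    # Start from a known state: flush INPUT, then make its policy DROP.
    "$IPT" -F INPUT
    "$IPT" -P INPUT DROP
    # 1. Loopback first: local services talk to each other over lo.
    "$IPT" -A INPUT -i lo -j ACCEPT
    # 2. Conntrack next: replies and related packets of connections this host
    #    already allowed. Putting it early keeps the hot path short.
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 3. Packets that fit no known connection (e.g. stray ACK/RST) are dropped
    #    before any rule for NEW connections can see them.
    "$IPT" -A INPUT -m state --state INVALID -j DROP
    # 4. Only NEW connections get this far; open just the wanted services.
    "$IPT" -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
    "$IPT" -A INPUT -p tcp --dport 22 -s "$ADMIN_NET" -m state --state NEW -j ACCEPT
    # 5. Echo requests are allowed but rate-limited.
    "$IPT" -A INPUT -p icmp --icmp-type 8 -m limit --limit 5/second -j ACCEPT
    # 6. LOG passes the packet on (the exception to match-and-stop), so it must
    #    sit before the final DROP; the prefix makes the log easy to grep.
    "$IPT" -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "IPT-INPUT-DROP: "
    # Explicit final DROP: same effect as the policy, but its counters show how
    # much traffic is being rejected.
    "$IPT" -A INPUT -j DROP
}

# Position (1-based) of the first command issued by host_firewall that contains
# $1; with IPT=echo this lets a review check the ordering, e.g. LOG before DROP.
rule_position() {
    host_firewall | grep -n -- "$1" | head -n 1 | cut -d: -f1
}
```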


Origin blog.csdn.net/qq_40741808/article/details/106695627