[Linux study notes 26-1] Linux firewall optimization strategy: iptables

1. Introduction to firewalls

A firewall is a protective barrier built on the boundary between an internal network and an external network, or between a private network and a public network; it is a combination of software and hardware. The word is a figurative term for a security mechanism: computer hardware and software combine to set up a security gateway between the Internet and the intranet, protecting the intranet from unauthorized users. A firewall consists mainly of four parts: service access rules, authentication tools, packet filtering and an application gateway. It is software or hardware that sits between a computer and the network it connects to, and all network traffic and packets flowing into or out of that computer must pass through it.


1.1 Introduction to iptables

iptables is the IP packet filtering system integrated into the Linux kernel (these notes refer to kernel version 3.5 as the latest). When a Linux system is connected to the Internet or a LAN, acts as a server, or acts as a proxy between a LAN and the Internet, iptables lets the administrator control IP packet filtering and firewall configuration on that system precisely.

iptables is not really the firewall itself. It is better understood as a client-side agent: the user hands security settings to the real "security framework" through iptables, and that framework is the actual firewall. The framework is called netfilter. netfilter is the real security framework of the firewall, and it lives in kernel space.

iptables is a command line tool in user space that operates this framework. netfilter/iptables (hereinafter iptables) together form the packet filtering firewall of the Linux platform. Like most Linux software it is free, and it can replace expensive commercial firewall products for packet filtering, blocking, redirection and network address translation (NAT).

netfilter is the packet processing module in the core layer of the Linux operating system. It provides the following functions:

  1. Network address translation (NAT)
  2. Modification of packet contents
  3. Packet-filtering firewall functionality


2. Switching between firewall management tools

2.1 Switch from firewalld to iptables

  1. Stop and lock firewalld
     systemctl disable --now firewalld.service
     systemctl mask firewalld.service
  2. Install and enable iptables
     dnf install iptables-services.x86_64 -y
     systemctl unmask iptables.service
     systemctl enable --now iptables.service

2.2 Switch from iptables to firewalld

  1. Stop and lock iptables
     systemctl disable --now iptables.service
     systemctl mask iptables.service
  2. Install and enable firewalld
     dnf install firewalld -y    # install firewalld (already installed by default on RHEL 8)
     systemctl unmask firewalld.service
     systemctl enable --now firewalld.service


3. The four tables and five chains of iptables

Each rule table is effectively a container in kernel space. According to the purpose of the rule set there are four default tables, and each table holds several rule chains; according to the point at which a packet is processed there are five kinds of chains. The individual rules, which decide whether a packet is filtered or otherwise processed, are stored in order within each chain.

  • The role of a rule: filtering or processing packets;
  • The role of a chain: holding multiple firewall rules;


Rule tables: iptables manages four different rule tables, each implemented by an independent kernel module.

  • filter table: acts on packets passing through the local kernel and is used to filter them; its rules decide how a packet is handled. Kernel module: iptable_filter. Chains: INPUT, FORWARD, OUTPUT.
  • nat table: network address translation; acts on packets that are not bound for the local kernel (traffic transiting the host) and is mainly used to rewrite the IP address and port number of a packet. Kernel module: iptable_nat. Chains: PREROUTING, POSTROUTING, OUTPUT.
  • mangle table: used when the filter and nat tables are not enough; mainly modifies a packet's type of service and time to live, marks packets, and implements traffic shaping and policy routing. Kernel module: iptable_mangle. Chains: PREROUTING, POSTROUTING, INPUT, OUTPUT, FORWARD.
  • raw table: mainly decides whether connection tracking is applied to a packet. Kernel module: iptable_raw. Chains: OUTPUT, PREROUTING.

Rule chains

  • INPUT chain: applied when a packet addressed to the firewall host itself is received;
  • OUTPUT chain: applied when the firewall host sends a packet out;
  • FORWARD chain: applied when a packet that must be forwarded through the firewall to another address is received;
  • PREROUTING chain: applied before the packet is routed;
  • POSTROUTING chain: applied after the packet has been routed;

Packet (connection tracking) states

  RELATED      related to an existing connection
  ESTABLISHED  part of an established connection
  NEW          a new connection


4. Saving iptables rules permanently

iptables policy file: /etc/sysconfig/iptables

Either of the following writes the current rules to that file so they survive a restart:

iptables-save > /etc/sysconfig/iptables
service iptables save




5. The iptables command

iptables [-t table] management-option [chain] [match conditions] [-j target action or jump]

Notes:
1. If no table is specified, the filter table is used by default.
2. If no chain is specified, all chains of the table are meant by default. Unless you are setting a chain's default policy, match conditions must be given.


Chain management
  -N  create a chain
  -X  delete a chain
  -E  rename a chain
Rule management
  -F  flush (empty) the rules
  -A  append a rule
  -D  delete a rule
  -I  insert a rule
  -R  replace a rule
  -P  set the default policy of a chain
Basic options
  -t       specify the table
  -n       do not resolve names (numeric output)
  -L       list the rules of the specified table
  --dport  destination port
  -s       source address
  -p       protocol
  -o       output interface
  -i       input interface
  -j       action (target)
Targets
  ACCEPT   allow the packet
  DROP     discard the packet silently
  REJECT   refuse the packet and send an error reply
  SNAT     source address translation
  DNAT     destination address translation




6. Optimized firewall deployment

Allow connections in the ESTABLISHED and RELATED states:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Allow NEW connections on the loopback interface:
iptables -A INPUT -i lo -m state --state NEW -j ACCEPT

Allow NEW connections to port 80:
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT

Allow NEW connections from 172.25.254.10 to port 22:
iptables -A INPUT -s 172.25.254.10 -p tcp --dport 22 -m state --state NEW -j ACCEPT

Reject all other access:
iptables -A INPUT -j REJECT

# The rules must be saved at the end
service iptables save
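The five rules above, as an added example that is not part of the original post: rendered in iptables-restore format so the whole policy loads atomically, with a check that the catch-all REJECT stays the last INPUT rule (a rule appended after it with -A is never reached). The admin host and ports are the page's values; the helper functions are my own.

```shell
#!/bin/sh
# Added example: render the section 6 policy as an iptables-restore ruleset
# and verify that the catch-all REJECT remains the last INPUT rule.
# Values (admin host, ports) are the ones used in the notes above.

ADMIN_HOST="172.25.254.10"

# Emit the filter table in iptables-restore format; chain policies stay ACCEPT,
# exactly as in the notes, and the final REJECT does the actual blocking.
render_filter_rules() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -s $ADMIN_HOST -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -j REJECT
COMMIT
EOF
}

# Return 0 when the last INPUT rule is the unconditional REJECT, 1 otherwise.
check_catchall_last() {
    last_rule=$(printf '%s\n' "$1" | grep '^-A INPUT' | tail -n 1)
    [ "$last_rule" = "-A INPUT -j REJECT" ]
}

# Count INPUT rules placed after the catch-all REJECT; such rules can never
# match, which is the classic mistake when more rules are appended later.
count_shadowed() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT -j REJECT$/ { seen = 1; next }
        seen && /^-A INPUT/    { n++ }
        END                    { print n + 0 }'
}

main() {
    rules=$(render_filter_rules)
    if check_catchall_last "$rules"; then
        printf '%s\n' "$rules"   # on the server (as root): render_filter_rules | iptables-restore
    else
        echo "policy misordered: $(count_shadowed "$rules") rule(s) shadowed by REJECT" >&2
        return 1
    fi
}

main
```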

7. SNAT in the nat table (intranet access to the external network)

Lab environment:

  1. Dual-NIC host (router): 192.168.43.101; 1.1.1.101
  2. Single-NIC host (intranet): 1.1.1.111 (gateway set to the router's address in the 1.1.1.x segment)
  3. Single-NIC host (external network): 192.168.43.121

7.1 Router side


  1. Enable the iptables service
     systemctl disable --now firewalld.service
     systemctl mask firewalld.service    # lock firewalld
     dnf install iptables-services.x86_64 -y
     systemctl enable --now iptables.service
  2. iptables -F: clear the default table (filter)
  3. Check the basic configuration
     sysctl -a | grep ip_forward
     vim /etc/sysctl.conf ===> net.ipv4.ip_forward = 1    # forwarding enabled; the intranet host can now ping through
     sysctl -p
  4. iptables -t nat -A POSTROUTING -o ens160 -j SNAT --to-source 192.168.43.101: rewrite the source IP of intranet traffic leaving through this router to 192.168.43.101
  5. service iptables save: save the changes
  6. iptables -t nat -nL: view the nat table


7.2 Client configuration

Intranet host (configuration screenshot)

External host (configuration screenshot)

7.3 Client test

Access the external host (192.168.43.121) from the intranet host (1.1.1.111).

On the external host (192.168.43.121), check who logged in: the router's IP is shown rather than the intranet host's.



8. DNAT in the nat table (external network access to the intranet)

Lab environment:

  1. Dual-NIC host (router): 192.168.43.101; 1.1.1.101
  2. Single-NIC host (intranet): 1.1.1.111 (gateway set to the router's address in the 1.1.1.x segment)
  3. Single-NIC host (external network): 192.168.43.121

8.1 Router side

  1. iptables -t nat -A PREROUTING -i ens160 -j DNAT --to-dest 1.1.1.111: rewrite the destination IP of traffic entering this router from the external network to 1.1.1.111

  2. service iptables save: save the changes
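The SNAT rule of section 7 and the DNAT rule of this section, as an added example that is not the original post's code: the nat table rendered in iptables-restore format for the lab topology above, together with a pre-check of the net.ipv4.ip_forward setting that section 7.1 requires (read from a file path passed in, so the check runs here against a constructed sample). Interface and addresses are the page's, with `--to-dest` written out as `--to-destination`; the helper names are my own.

```shell
#!/bin/sh
# Added example: nat-table rules for the lab topology in sections 7 and 8,
# plus a check of the forwarding sysctl the router needs. Not the post's code.
EXT_IF="ens160"                 # router's external-network interface (from the notes)
ROUTER_EXT_IP="192.168.43.101"  # router's external address (from the notes)
INTRANET_HOST="1.1.1.111"       # intranet host behind the router (from the notes)

# Emit the nat table in iptables-restore format. PREROUTING/DNAT rewrites the
# destination of traffic arriving on the external interface (section 8);
# POSTROUTING/SNAT rewrites the source of traffic leaving it (section 7).
# As in the notes, the DNAT rule matches every protocol and port; in production
# add -p tcp --dport <port> so only the intended service is exposed.
render_nat_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $EXT_IF -j DNAT --to-destination $INTRANET_HOST
-A POSTROUTING -o $EXT_IF -j SNAT --to-source $ROUTER_EXT_IP
COMMIT
EOF
}

# Return 0 if the sysctl file given as $1 sets net.ipv4.ip_forward = 1.
# Without forwarding, the kernel drops transit packets before NAT ever applies.
ip_forward_enabled() {
    grep -E '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1" >/dev/null 2>&1
}

main() {
    # Constructed sample standing in for /etc/sysctl.conf on the router.
    sample=$(mktemp)
    printf '# forwarding enabled as in section 7.1\nnet.ipv4.ip_forward = 1\n' > "$sample"
    if ip_forward_enabled "$sample"; then
        render_nat_rules        # on the router (as root): render_nat_rules | iptables-restore
    else
        echo "net.ipv4.ip_forward is not 1; run sysctl -p after editing /etc/sysctl.conf" >&2
    fi
    rm -f "$sample"
}

main
```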


8.2 Client configuration

Intranet host (configuration screenshot)

External host (configuration screenshot)

8.3 Client test

Log in from the external host node3 to the router node1; the login actually lands on node2.

On node2, check who is logged in to the local host: the session shows it came from the node3 host.


Origin: blog.csdn.net/weixin_46069582/article/details/110739708