Introduction to iptables four tables and five chains

I. iptables introduction:

iptables is not a firewall in the true sense. It is better understood as a client tool: through the iptables client, the user applies their security settings to the corresponding "security framework", and that framework is the real firewall. The framework is called netfilter.

netfilter is the real security framework of the firewall, and it lives in kernel space.
iptables is a command-line tool that lives in user space; netfilter is operated through this tool.

  • Kernel space : also called kernel mode, the memory area occupied by the operating system
  • User space : also called user mode, the memory area where the user process is located

Hardware driver code runs in kernel space, the same space as the kernel itself, so a driver bug can easily crash the whole system. Separating user space from kernel space reduces the chance of a system crash and improves stability: in practice, application crashes are far more common than hardware failures, so isolating user space from kernel space is necessary.

netfilter/iptables (referred to simply as iptables) forms the packet filtering firewall on the Linux platform. Like most Linux software, it is free, and it can replace expensive commercial firewall products for packet filtering, packet redirection, network address translation (NAT) and related functions.


1. Firewall classification:

Logically classified:

| Classification | Description |
| --- | --- |
| Host firewall | Protects a single host |
| Network firewall | Sits at the network entrance or edge and protects the local LAN behind it |

Physically classified:

| Classification | Description |
| --- | --- |
| Hardware firewall | Part of the firewall function is implemented in hardware and the rest in software; high performance, high cost |
| Software firewall | The firewall logic runs as application software on a general-purpose hardware platform; lower performance, low cost |

2. Detailed explanation of four tables and five chains:

Firewalls act according to rules, so let's talk about rules. A rule is a condition predefined by the network administrator, generally of the form "if the header of a packet meets this condition, process the packet in this way". Rules are stored in the packet filtering table in kernel space and specify the source address, destination address, transport protocol (such as TCP, UDP, ICMP) and service type (such as HTTP, FTP and SMTP). When a packet matches a rule, iptables handles the packet as the rule defines, for example accept, reject or drop. The main job of configuring the firewall is adding, modifying and deleting these rules.

When a client accesses the web service on the server, the client sends a packet to the network card. The TCP/IP protocol stack is part of the kernel, so the client's data is passed through the kernel's TCP implementation to the web service in user space. At this point the destination of the client's packet is the socket (IP:port) the web service listens on. When the web service responds, the destination of the response packet is the client, and the IP and port the web service listens on have become the source instead. As we said, netfilter is the real firewall and it is part of the kernel, so for the firewall to do its job, checkpoints must be set up in the kernel: every incoming and outgoing packet must pass these checkpoints, and after inspection only packets that meet the release conditions are let through, while packets that meet the blocking conditions are blocked. This gives us an input checkpoint and an output checkpoint. In iptables these checkpoints are not called "checkpoints" but "chains".

This is just a simplified description. Besides these two checkpoints there are others, that is, other chains: "pre-routing", "forwarding" and "post-routing", whose English names are PREROUTING, FORWARD and POSTROUTING.

Packet flow direction:

  • Packet destined for a process on this machine: PREROUTING --> INPUT
  • Packet forwarded by this machine: PREROUTING --> FORWARD --> POSTROUTING
  • Packet sent by a process on this machine (usually a response): OUTPUT --> POSTROUTING

1. Chain:

The specific roles of the five chains: PREROUTING decides whether the packet is for the local host --> ① if it is, INPUT; ② if it is not, FORWARD (with address translation) --> POSTROUTING.

| Chain | Tables |
| --- | --- |
| PREROUTING | raw, mangle, nat |
| INPUT | mangle, filter (and also nat on CentOS 7, not on CentOS 6) |
| FORWARD | mangle, filter |
| OUTPUT | raw, mangle, nat, filter |
| POSTROUTING | mangle, nat |

2. Table:

| Table | Description |
| --- | --- |
| filter table | Filtering, i.e. the firewall function; kernel module: iptable_filter |
| nat table | Network address translation; kernel module: iptable_nat |
| mangle table | Disassembling packets, modifying them and re-encapsulating them; kernel module: iptable_mangle |
| raw table | Turns off the connection tracking mechanism enabled for the nat table; kernel module: iptable_raw |

| Table (function) | Chains (hooks) |
| --- | --- |
| raw | PREROUTING, OUTPUT |
| mangle | PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING |
| nat | PREROUTING, OUTPUT, POSTROUTING (INPUT on CentOS 7, not on CentOS 6) |
| filter | INPUT, FORWARD, OUTPUT |

iptables defines four "tables" for us. When several of them are present on the same "chain", they are consulted in the following priority order.
Priority order (from high to low): raw --> mangle --> nat --> filter
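To make the chain/table mapping, the three packet flows and the priority order concrete, here is an added shell example (not from the original post) that models the sequence of chain:table hooks a packet traverses for each flow and checks whether a rule placed in a given table and chain is ever consulted on that flow. The function names and the CentOS 7 layout (nat hooked on INPUT) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: a model of which netfilter
# tables hook each chain (CentOS 7 layout assumed, so nat is on INPUT)
# and the order a packet meets them in. Within one chain the tables are
# consulted in priority order: raw, mangle, nat, filter.

# Tables present on a chain, listed in priority order (high to low).
tables_for_chain() {
  case "$1" in
    PREROUTING)  echo "raw mangle nat" ;;
    INPUT)       echo "mangle nat filter" ;;
    FORWARD)     echo "mangle filter" ;;
    OUTPUT)      echo "raw mangle nat filter" ;;
    POSTROUTING) echo "mangle nat" ;;
    *) return 1 ;;
  esac
}

# Chains crossed by each of the three flows described in the post.
chains_for_flow() {
  case "$1" in
    to-local)  echo "PREROUTING INPUT" ;;
    forwarded) echo "PREROUTING FORWARD POSTROUTING" ;;
    from-local) echo "OUTPUT POSTROUTING" ;;
    *) return 1 ;;
  esac
}

# Print the complete hook sequence for a flow, one "CHAIN:table" per line.
traversal() {
  chains=$(chains_for_flow "$1") || return 1
  for c in $chains; do
    for t in $(tables_for_chain "$c"); do
      printf '%s:%s\n' "$c" "$t"
    done
  done
}

# Exit 0 if a rule in table $1 on chain $2 is consulted for flow $3.
# Example: a filter rule on PREROUTING is never reached for any flow,
# because the filter table does not hook PREROUTING at all.
rule_is_reachable() {
  traversal "$3" | grep -qx "$2:$1"
}

# Usage: ./hooks.sh to-local | forwarded | from-local
if [ -n "${1:-}" ]; then
  traversal "$1"
fi
```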

Source: blog.csdn.net/qq_44944641/article/details/113105185