Introduction to firewalls (1): the iptables firewall

Part One: iptables firewall

1. Overview of iptables

  • Linux system firewall: an IP packet filtering system that actually consists of two components, netfilter and iptables.
  • It works mainly at the network layer on IP packets, making its decisions from information such as the source/destination IP addresses and ports carried in each packet.

2. netfilter and iptables


①, netfilter

  • netfilter is the kernel-space part of the firewall.
  • It is part of the kernel and consists of a set of packet filtering tables; these tables hold the rule sets the kernel uses to decide how each packet is handled.

②, iptables

  • iptables is the user-space management tool for the firewall.
  • It is a command-line program used to manage the Linux firewall: it makes it easy to insert, modify and delete rules in the packet filtering tables. It is usually located at /sbin/iptables.

③, netfilter/iptables

  • netfilter/iptables is referred to simply as iptables below.
  • iptables is a kernel-based firewall with four built-in rule tables: raw, mangle, nat and filter. Rules take effect immediately once they are configured in a table; no service restart is needed.

3. Four tables and five chains

  • Role of a rule table: to hold the various rule chains
  • Role of a rule chain: to hold the individual firewall rules
  • In short: tables contain chains, and chains contain rules

①, four tables

  • raw table: decides whether a packet is subject to connection-state tracking. Contains two rule chains, OUTPUT and PREROUTING.

  • mangle table: modifies packet contents, used for traffic shaping and for setting marks on packets. Contains five rule chains: INPUT, OUTPUT, FORWARD, PREROUTING and POSTROUTING.

  • nat table: responsible for network address translation, i.e. rewriting the source or destination IP address or port of a packet. Contains three rule chains: OUTPUT, PREROUTING and POSTROUTING.

  • filter table: responsible for filtering packets, i.e. deciding whether a packet is allowed through. Contains three rule chains: INPUT, FORWARD and OUTPUT.

    • Of the four iptables rule tables, the mangle and raw tables are used comparatively rarely.

②, five chains

  • INPUT: handles inbound packets, matching packets whose destination IP is this host.
  • OUTPUT: handles outbound packets; rules are generally not configured on this chain.
  • FORWARD: handles forwarded packets, matching packets that pass through this host.
  • PREROUTING chain: handles packets before the routing decision, used to rewrite the destination address (DNAT). Equivalent to mapping port 80 of an internal host to the router's external port.
  • POSTROUTING chain: handles packets after the routing decision, used to rewrite the source address (SNAT). Equivalent to the router's NAT function that lets internal hosts reach the Internet through a single public IP address.

③, matching order of the rule tables

  • The tables are consulted in the order raw --> mangle --> nat --> filter (the original figure is omitted here).

④, the matching order between the rule chains

  • Host-based firewall

    • Inbound data (packets arriving from outside whose destination address is the firewall host itself)
      • PREROUTING --> INPUT --> local application
    • Outbound data (packets sent from the firewall host to an external address)
      • Local application --> OUTPUT --> POSTROUTING
  • Network firewall

    • Forwarded data (packets that must be forwarded through the firewall)
      • PREROUTING --> FORWARD --> POSTROUTING
  • Matching order within a rule chain

    • Rules are checked in order from top to bottom; matching stops at the first rule that matches (except for the LOG target, which only records a log entry and lets matching continue)
    • If no rule in the chain matches, the packet is handled by the chain's default policy (unless changed, the default policy is ACCEPT)


4. Installation of iptables

  • CentOS 7 uses the firewalld firewall by default and iptables is not installed. To use the iptables firewall, firewalld must be stopped and disabled before installing iptables:
# Stop and disable firewalld
systemctl stop firewalld.service
systemctl disable firewalld.service
# Install and start the iptables service
yum -y install iptables iptables-services
systemctl start iptables.service


5. Configuration method of iptables firewall

①, command-line configuration format

The general syntax (the original figure is omitted here):
iptables [-t table-name] management-option [chain-name] [matching-conditions] [-j control-type]

②, matters needing attention

  • If no table name is given, the filter table is assumed
  • If no chain name is given, the option applies to all chains in the table
  • Matching conditions must be given unless the command only sets a chain's default policy
  • Options, chain names and control types are written in uppercase; everything else in lowercase

③, commonly used control types

Control type   Effect
ACCEPT         Allow the packet to pass.
DROP           Discard the packet directly without sending any response.
REJECT         Refuse the packet and send a response message back to the sender.
SNAT           Rewrite the packet's source address.
DNAT           Rewrite the packet's destination address.
MASQUERADE     Source NAT to a non-fixed (dynamic) public IP address.
LOG            Write a log entry to /var/log/messages, then pass the packet on to the next rule.
LOG is only an auxiliary action; it does not itself decide what happens to the packet.

④, common management options

Option          Description
-A              Append (--append) a new rule at the end of the specified chain
-I              Insert (--insert) a new rule in the specified chain; if no rule number is given, it becomes the first rule
-R              Replace (--replace) a rule in the specified chain, identified by rule number or by its content
-P              Set the default policy (--policy) of the specified chain
-D              Delete (--delete) a rule from the specified chain, identified by rule number or by its content
-F              Flush (--flush) all rules in the specified chain; if no chain name is given, all chains in the table are flushed
-L              List (--list) all rules in the specified chain; if no chain name is given, all chains in the table are listed
-n              Display output in numeric format (--numeric), e.g. IP addresses instead of host names
-v              Display detailed information, including the number of packets and bytes matched by each rule
--line-numbers  Show the sequence number of each rule when listing

⑤, matching conditions

Match condition  Description
-p               Protocol type of the packet to match
-s               Source IP address of the packet to match
-d               Destination IP address of the packet to match
-i               Network interface on which the packet enters this host
-o               Network interface through which the packet leaves this host
--sport          Source port number
--dport          Destination port number
  • Generic matches: used directly, without depending on other conditions or extensions; include the network protocol, IP addresses and network interfaces.
Protocol match: -p <protocol name>
Address match: -s <source address>, -d <destination address>	# may be an IP, a network segment, a domain name, or empty (any address)
Interface match: -i <inbound NIC>, -o <outbound NIC>

Example:
iptables -A FORWARD ! -p icmp -j ACCEPT
iptables -A INPUT -s 192.168.80.11 -j DROP
iptables -I INPUT -i ens33 -s 192.168.80.0/24 -j DROP
  • Implicit matches: require a specific protocol match as a prerequisite; include conditions such as ports, TCP flags and ICMP types.
  • Port match
Port match: --sport <source port>, --dport <destination port>
# may be a single port or a port range
--sport 1000			matches packets with source port 1000
--sport 1000:3000		matches packets with source port 1000-3000
--sport :3000			matches packets with source port 3000 or below
--sport 1000:			matches packets with source port 1000 or above
Note: --sport and --dport must be used together with -p <protocol type>
Example:
iptables -A INPUT -p tcp --dport 20:21 -j ACCEPT
iptables -I FORWARD -d 192.168.80.0/24 -p tcp --dport 24500:24600 -j DROP
  • TCP flag matching
TCP flag match: --tcp-flags <flags to examine> <flags that must be set>
iptables -I INPUT -i ens33 -p tcp --tcp-flags SYN,RST,ACK SYN -j ACCEPT
# Accept TCP packets on ens33 that have SYN set and RST and ACK clear (new connection requests); other packets fall through to the following rules
  • ICMP type matching
ICMP type match: --icmp-type <ICMP type>
# may be given as a name or as a numeric type
"Echo-Request" (type 8) is a ping request
"Echo-Reply" (type 0) is a ping reply
"Destination-Unreachable" (type 3) means the destination is unreachable
For the other available ICMP types, run "iptables -p icmp -h" to see the help text
iptables -A INPUT -p icmp --icmp-type 8 -j DROP		# prevent other hosts from pinging this host
iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT	# allow this host to ping other hosts (accept their echo replies)

iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT	# so this host is told "destination unreachable" when it cannot reach another host
# for that, the other host must use REJECT as its control type for ICMP:
iptables -A INPUT -p icmp -j REJECT
  • Explicit matches: must name the extension module with "-m <module>"; include conditions such as multiple ports, MAC address, IP range and connection state.
  • Multi-port matching
Multi-port match: -m multiport --sports <source port list>
-m multiport --dports <destination port list>
Example:
iptables -A INPUT -p tcp -m multiport --dports 80,22,21,20,53 -j ACCEPT
iptables -A INPUT -p udp -m multiport --dports 53 -j ACCEPT
  • IP range matching
IP range match: -m iprange --src-range <IP range>
iptables -A FORWARD -p udp -m iprange --src-range 192.168.80.100-192.168.80.200 -j DROP
# refuse to forward UDP packets whose source address lies in 192.168.80.100-192.168.80.200
  • State match
State match: -m state --state <connection state>
Common connection states:
NEW: not associated with any existing connection; a connection that is just starting
ESTABLISHED: a reply to a request, or part of an already established connection
RELATED: related to an existing connection (e.g. the data connection of active/passive-mode FTP); a derived state, usually used together with ESTABLISHED
INVALID: cannot be associated with any known connection, or has no state at all
iptables -A FORWARD -m state --state NEW -p tcp ! --syn -j DROP
# refuse to forward non-SYN packets that do not belong to a normal TCP connection (e.g. forged attack packets)
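The matches above combine into a host-based policy with a DROP default, state tracking, multiport service rules, restricted ping and rate-limited logging. This is an added example, not a script from the original post; the interface name, service ports and management network are assumptions, and setting IPT=echo previews the commands without applying them.

```shell
#!/bin/sh
# Host-based firewall assembled from the matches above (added example, not
# from the original post). IPT=echo previews the commands without applying them.
set -eu
IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-ens33}"                  # assumed inbound interface
TCP_SERVICES="${TCP_SERVICES:-22,80,443}"  # assumed published services
MGMT_NET="${MGMT_NET:-192.168.80.0/24}"    # assumed management network

apply_host_firewall() {
    # Start from an empty filter table (-F flushes rules, -X removes user chains).
    "$IPT" -F
    "$IPT" -X
    # Loopback traffic never leaves the host.
    "$IPT" -A INPUT -i lo -j ACCEPT
    # Replies to connections this host opened, plus related flows (e.g. FTP data).
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Packets conntrack cannot classify are dropped before any service rule.
    "$IPT" -A INPUT -m state --state INVALID -j DROP
    # New connections to published services; multiport requires -p tcp.
    "$IPT" -A INPUT -i "$WAN_IF" -p tcp -m multiport --dports "$TCP_SERVICES" \
        -m state --state NEW -j ACCEPT
    # Allow ping (echo-request, ICMP type 8) only from the management network.
    "$IPT" -A INPUT -s "$MGMT_NET" -p icmp --icmp-type 8 -j ACCEPT
    # LOG does not stop rule matching, so the DROP policy still applies after it;
    # -m limit keeps /var/log/messages from being flooded by a scan.
    "$IPT" -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-DROP: "
    # Default policies last, so an existing SSH session survives while rules are
    # being added; the built-in default is ACCEPT, so DROP must be set explicitly.
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT ACCEPT
}

# Apply and persist for the iptables service only when run as: ./host-fw.sh apply
if [ "${1:-}" = apply ]; then
    apply_host_firewall
    iptables-save > /etc/sysconfig/iptables
fi
```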

6. SNAT principle and application

①, SNAT application environment

  • LAN hosts share a single public IP address to access the Internet (private IP addresses cannot be routed on the Internet)

②, principle of SNAT

  • Rewrite the source address of the packet.

③, SNAT conversion prerequisites

  • The IP address, subnet mask and default gateway address of every LAN host are set correctly
  • The Linux gateway has IP routing and forwarding enabled

④, how to enable routing and forwarding

Temporary (until reboot):
echo 1 > /proc/sys/net/ipv4/ip_forward
or
sysctl -w net.ipv4.ip_forward=1

Permanent:
vim /etc/sysctl.conf
net.ipv4.ip_forward = 1 	# add this line to the configuration file

sysctl -p 		# reload the modified configuration

⑤, SNAT conversion

SNAT conversion 1: fixed public IP address:
iptables -t nat -A POSTROUTING -s 192.168.80.0/24 -o ens33 -j SNAT --to 12.0.0.1
or
iptables -t nat -A POSTROUTING -s 192.168.80.0/24 -o ens33 -j SNAT --to-source 12.0.0.1-12.0.0.10
# -s: internal network; -o: outbound external NIC; --to / --to-source: external IP or address pool

SNAT conversion 2: non-fixed public IP address (shared dynamic IP address):
iptables -t nat -A POSTROUTING -s 192.168.80.0/24 -o ens33 -j MASQUERADE

⑥, small knowledge expansion

  • One public IP address used for SNAT can generally serve 100 to 200 intranet hosts accessing the Internet.

7. DNAT principle and application

①, DNAT application environment

  • Publish a server located on the LAN to the Internet

②, principle of DNAT

  • Rewrite the destination address of the packet.

③, DNAT conversion prerequisites

  • The server on the LAN can access the Internet
  • The gateway's external address has a correct DNS resolution record
  • The Linux gateway has IP routing and forwarding enabled

④, DNAT conversion

1. Publish an internal web service
# rewrite the destination address of packets arriving on ens33 for the web service to 192.168.80.11
iptables -t nat -A PREROUTING -i ens33 -d 12.0.0.1 -p tcp --dport 80 -j DNAT --to 192.168.80.11
or
iptables -t nat -A PREROUTING -i ens33 -d 12.0.0.1 -p tcp --dport 80 -j DNAT --to-destination 192.168.80.11
# -i: inbound external NIC; -d: external IP; --to / --to-destination: internal server IP

iptables -t nat -A PREROUTING -i ens33 -p tcp --dport 80 -j DNAT --to 192.168.80.11-192.168.80.20

2. Change the destination port when publishing
# publish an OpenSSH server inside the LAN; external hosts must connect on port 250
iptables -t nat -A PREROUTING -i ens33 -d 12.0.0.1 -p tcp --dport 250 -j DNAT --to 192.168.80.11:22

# test with SSH from a host on the external network
ssh -p 250 root@12.0.0.1

yum -y install net-tools 		# install with yum beforehand if the ifconfig command is missing
ifconfig ens33
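The SNAT and DNAT rules above belong together on one gateway, and the FORWARD chain has to let the translated flows through once its default policy is no longer ACCEPT. This added example (not a script from the original post) puts both in one script; the interface, addresses and ports are assumptions taken from the post's own examples, and IPT=echo previews the commands without applying them.

```shell
#!/bin/sh
# Linux NAT gateway combining the SNAT and DNAT rules above, plus the FORWARD
# filter rules the translated flows need. Added example, not from the original
# post; addresses and interface are assumptions taken from the post's examples.
set -eu
IPT="${IPT:-iptables}"                     # IPT=echo previews without applying
WAN_IF="${WAN_IF:-ens33}"                  # outbound (public) interface
WAN_IP="${WAN_IP:-12.0.0.1}"               # public address on WAN_IF
LAN_NET="${LAN_NET:-192.168.80.0/24}"      # internal network
WEB_SERVER="${WEB_SERVER:-192.168.80.11}"  # internal web server
SSH_SERVER="${SSH_SERVER:-192.168.80.11}"  # internal SSH server, public port 250

enable_forwarding() {
    # Neither SNAT nor DNAT does anything unless the kernel routes between interfaces.
    sysctl -w net.ipv4.ip_forward=1
}

apply_nat_gateway() {
    "$IPT" -t nat -F
    "$IPT" -F FORWARD
    # SNAT: traffic from the LAN leaving via WAN_IF takes the WAN address.
    # MASQUERADE follows a dynamic public IP; use -j SNAT --to-source for a fixed one.
    "$IPT" -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
    # DNAT: publish the internal web server on the public address, port 80.
    "$IPT" -t nat -A PREROUTING -i "$WAN_IF" -d "$WAN_IP" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB_SERVER":80
    # DNAT with port change: public port 250 maps to SSH (22) on the internal host.
    "$IPT" -t nat -A PREROUTING -i "$WAN_IF" -d "$WAN_IP" -p tcp --dport 250 \
        -j DNAT --to-destination "$SSH_SERVER":22
    # FORWARD sees packets after PREROUTING has rewritten the destination, so it
    # must accept the translated flows; with a DROP policy nothing else is relayed.
    "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A FORWARD -i "$WAN_IF" -d "$WEB_SERVER" -p tcp --dport 80 -m state --state NEW -j ACCEPT
    "$IPT" -A FORWARD -i "$WAN_IF" -d "$SSH_SERVER" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    # LAN hosts may open new outbound connections through the gateway.
    "$IPT" -A FORWARD -s "$LAN_NET" -o "$WAN_IF" -m state --state NEW -j ACCEPT
    "$IPT" -P FORWARD DROP
}

# Apply and persist for the iptables service only when run as: ./nat-gw.sh apply
if [ "${1:-}" = apply ]; then
    enable_forwarding
    apply_nat_gateway
    iptables-save > /etc/sysconfig/iptables
fi
```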

⑤, small knowledge expansion

  • Host-based firewall: mainly uses the INPUT and OUTPUT chains, and rules usually specify ports in detail
  • Network firewall: mainly uses the FORWARD chain; rules rarely specify ports and usually match on IP addresses or network segments instead

8. Backup and restore of firewall rules

①, export (back up) the rules of all tables

iptables-save > /opt/ipt.txt

②, import (restore) rules

iptables-restore < /opt/ipt.txt

Save the iptables rule file as /etc/sysconfig/iptables; the iptables service restores the rules from it automatically on start
iptables-save > /etc/sysconfig/iptables
systemctl stop iptables			# stopping the iptables service flushes the rules of all tables
systemctl start iptables			# starting the iptables service restores the rules from /etc/sysconfig/iptables


Origin: blog.csdn.net/Lucien010230/article/details/114943335