The use of iptables and some precautions

iptables overview

The Linux system firewall is an IP packet filtering system that actually consists of two components: netfilter and iptables.

It works mainly at the network layer and acts on IP packets, i.e. it processes information such as the IP addresses and ports in a packet.

Relationship between netfilter (kernel space) and iptables (user space)

netfilter: the firewall function system that lives in kernel space. It is part of the kernel and consists of packet filtering tables; these tables hold the sets of rules the kernel uses to decide how packets are filtered.

iptables: the firewall management system that lives in user space. It is the command-line program used to manage the Linux firewall and makes it easy to insert, modify and delete rules in the packet filtering tables. It is usually located at /sbin/iptables.

Netfilter/iptables is referred to as iptables for short below. iptables is a kernel-based firewall with four built-in tables: raw, mangle, nat and filter.

Four tables and five chains in the firewall

The role of a rule table: to hold rule chains
The role of a rule chain: to hold firewall rules
Tables contain chains, and chains contain rules

Four tables

raw table: decides whether connection tracking is applied to a packet. Contains two chains: OUTPUT and PREROUTING.

mangle table: modifies packet contents, used for traffic shaping and for setting marks on packets. Contains five chains: INPUT, OUTPUT, FORWARD, PREROUTING and POSTROUTING.

nat table: responsible for network address translation, i.e. rewriting the source or destination IP address or port of a packet. Contains three chains: OUTPUT, PREROUTING and POSTROUTING.

filter table: responsible for filtering packets, i.e. deciding whether a packet is allowed through. Contains three chains: INPUT, FORWARD and OUTPUT.

Of the four tables, mangle and raw are used relatively rarely.

Five chains

INPUT: handles inbound packets, i.e. packets whose destination IP is this host.

OUTPUT: handles outbound packets; rules are usually not configured on this chain.

FORWARD: handles forwarded packets, i.e. packets that pass through this host.

PREROUTING chain: handles packets before the routing decision and is used to modify the destination address (DNAT). This is the equivalent of mapping port 80 of an internal host to the router's external port.

POSTROUTING chain: handles packets after the routing decision and is used to modify the source address (SNAT). This is the equivalent of the router's NAT function that lets internal hosts reach the Internet through one public IP address.

Order of precedence of the rule table

raw > mangle > nat > filter

Matching order between rule chains

Host-based firewall:
Inbound data (packets from outside whose destination address is the firewall host itself): PREROUTING --> INPUT --> local application
Outbound data (packets sent from the firewall host to an external address): local application --> OUTPUT --> POSTROUTING
Network firewall:
Forwarded data (packets that pass through the firewall to another host): PREROUTING --> FORWARD --> POSTROUTING

Matching order within the rule chain

Rules are checked in order from top to bottom, and checking stops at the first rule that matches (the exception is the LOG target, which only records the packet and continues with the next rule).
If no rule in the chain matches, the packet is handled according to the chain's default policy (unless changed, the default policy is ACCEPT).

iptables installation

CentOS 7 uses the firewalld firewall by default and iptables is not installed. To use the iptables firewall, stop firewalld first, then install iptables.

Configuration method of iptables firewall

1. Use system-config-firewall

CentOS 7 no longer ships this tool; CentOS 6 still has it.

2. Use the iptables command line.

iptables command line configuration method:

Command format

iptables [-t table name] management options [chain name] [matching conditions] [-j control type]

Precautions

When no table name is given, the filter table is used by default.
When no chain name is given, all chains in the table are meant by default.
Unless you are setting a chain's default policy, matching conditions must be specified.
Options, chain names and control types are written in upper case; everything else is lower case.

Commonly used control types:

ACCEPT: Allow the packet to pass.
DROP: Discard the packet silently, without sending any response to the sender.
REJECT: Refuse the packet and send an error response back to the sender.
SNAT: Rewrite the source address of the packet.
DNAT: Rewrite the destination address of the packet.
MASQUERADE: SNAT for a dynamic (non-fixed) public IP address; the source address is replaced with the address of the outgoing interface.
LOG: Record the packet in /var/log/messages and then hand it on to the next rule. LOG is only an auxiliary action and does not decide the fate of the packet.

Common management options:

-A: Append (--append) a new rule at the end of the specified chain
-I: Insert (--insert) a new rule at the beginning of the specified chain; if no sequence number is given, it becomes rule 1
-R: Replace (--replace) a rule in the specified chain; the rule number or the rule content can be given
-P: Set the default policy (--policy) of the specified chain
-D: Delete (--delete) a rule from the specified chain; the rule number or the rule content can be given
-F: Flush (--flush) all rules in the specified chain; if no chain is given, all chains in the table are flushed
-L: List (--list) all rules in the specified chain; if no chain is given, all chains in the table are listed
-n: Show output in numeric form (--numeric), e.g. IP addresses instead of host names
-v: Show detailed information (--verbose), including the number of packets and bytes matched by each rule
--line-numbers: Show each rule's sequence number when listing rules

Practice

Add new rules: use -A to append at the end of a chain or -I to insert at the beginning, following the command format above.
View the list of rules:
iptables [-t table name] -n -L [chain name] [--line-numbers]
or
iptables -[vn]L    # note: -n and -L cannot be combined as -Ln, because the characters after -L are read as a chain name

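To turn the listing into an audit rather than a glance, here is an added example (not from the original post) that reads constructed "iptables -nvL --line-numbers" output and reports a chain's default policy, the rules that have never matched a packet, and any catch-all ACCEPT rule that would make a DROP policy meaningless. The sample listing and the helper names are my own.

```shell
#!/bin/sh
# Audit helpers for the output of "iptables -nvL --line-numbers" (added example,
# not from the original post). SAMPLE_LISTING is constructed sample output.
SAMPLE_LISTING=$(cat <<'EOF'
Chain INPUT (policy DROP 12 packets, 960 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     4210  310K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2    98210   75M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
3       55  3300 ACCEPT     tcp  --  *      *       192.0.2.0/24         0.0.0.0/0            tcp dpt:22 state NEW
4        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 20,21,80
5        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
EOF
)

# chain_policy CHAIN: the default policy (set with -P) of a built-in chain, read from stdin
chain_policy() {
    awk -v c="$1" '$1 == "Chain" && $2 == c { print $4; exit }'
}

# rules_in_chain CHAIN: only the numbered rule lines that belong to CHAIN
rules_in_chain() {
    awk -v c="$1" '$1 == "Chain" { in_chain = ($2 == c); next }
                   in_chain && $1 ~ /^[0-9]+$/ { print }'
}

# unused_rules CHAIN: numbers of rules whose packet counter is still 0
# (never hit, or shadowed by an earlier rule; worth reviewing either way)
unused_rules() {
    rules_in_chain "$1" | awk '$2 == "0" { printf "%s%s", s, $1; s = " " } END { print "" }'
}

# wide_open_accept CHAIN: ACCEPT rules with any protocol, interface, source and
# destination and no further match; prot is "all" or, shown numerically, "0"
wide_open_accept() {
    rules_in_chain "$1" | awk '$4 == "ACCEPT" && ($5 == "all" || $5 == "0") &&
        $7 == "*" && $8 == "*" && $9 == "0.0.0.0/0" && $10 == "0.0.0.0/0" && NF == 10 { print $1 }'
}

# One-chain summary; on a real host: iptables -nvL --line-numbers | audit_chain INPUT
audit_chain() {
    listing=$(cat)
    printf 'policy %s: %s\n' "$1" "$(printf '%s\n' "$listing" | chain_policy "$1")"
    printf 'zero-hit rules: %s\n' "$(printf '%s\n' "$listing" | unused_rules "$1")"
    printf 'wide-open ACCEPT rules: %s\n' "$(printf '%s\n' "$listing" | wide_open_accept "$1")"
}
printf '%s\n' "$SAMPLE_LISTING" | audit_chain INPUT
```

In the sample, rule 5 is the one to look at: it accepts everything, so the DROP policy of INPUT never applies.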
Set the default policy: use -P, as listed under the management options above.

Delete rules: use -D with either the rule's sequence number or its full content.

Note:
1. If the rule list contains several identical rules, deleting by content removes only the one with the smallest sequence number.
2. When deleting by number, make sure the number is not larger than the number of existing rules, otherwise an error is reported.
3. When deleting by content, make sure the rule exists, otherwise an error is reported.

Clear rules:
iptables [-t table name] -F [chain name]

Note:
1. -F only clears the rules in the chain; it does not affect the default policy set with -P, which must be changed separately.
2. After setting a DROP policy, use -F with care!
# If the rules that allow remote connections are cleared while the policy is DROP, the host can no longer be reached remotely. If the rules were not saved, restarting the host restores access.
3. If neither the table name nor the chain name is given, all rules in all chains of the filter table are cleared by default.

Rule matching

1. Universal matching

These matches can be used directly and do not depend on other conditions or extension modules; they cover the network protocol, IP addresses and network interfaces.

Protocol matching: -p protocol name
Address matching: -s source address, -d destination address    # an IP, a network segment, a domain name, or empty (any address)
Interface matching: -i inbound interface, -o outbound interface

2. Implicit matching

These matches require a specific protocol match (-p) as a prerequisite and cover conditions such as port, TCP flags and ICMP type.

Port matching: --sport source port, --dport destination port
# can be a single port or a port range
--sport 1000 matches packets whose source port is 1000
--sport 1000:3000 matches packets whose source port is 1000-3000
--sport :3000 matches packets whose source port is 3000 or below
--sport 1000: matches packets whose source port is 1000 or above
Note: --sport and --dport must be used together with -p <protocol type>

TCP flag matching: --tcp-flags TCP flags (first the list of flags to examine, then the list of flags that must be set)

ICMP type matching: --icmp-type ICMP type

# Can be given as a name or as a numeric type, for example:
"Echo-Request" (type 8) means echo request (ping)
"Echo-Reply" (type 0) means echo reply
"Destination-Unreachable" (type 3) means destination unreachable
For the other available ICMP types, run "iptables -p icmp -h" to view the help information.

3. Explicit matching

The match must be named explicitly in the form "-m extension module"; this covers conditions such as multiple ports, MAC address, IP range and packet (connection) state.

Multiport matching: -m multiport --sports source port list
                    -m multiport --dports destination port list

IP range matching: -m iprange --src-range IP range

MAC address matching: -m mac --mac-source MAC address

State matching: -m state --state connection state

Common connection states:
NEW: not related to any existing connection; the packet starts a new connection
ESTABLISHED: the packet belongs to a connection that has already been set up, or is a reply to a request
RELATED: related to an existing connection (for example the data connection of FTP in active or passive mode); a derived state, usually used together with ESTABLISHED
INVALID: the packet cannot be associated with any connection or has no recognisable state

Once a connection is established, all its traffic is allowed through

iptables -I INPUT -p tcp -m multiport --dports 80,22,21,20,53 -j ACCEPT    # multiport's option is --dports (plural)
iptables -A INPUT -p udp -m multiport --dports 53 -j ACCEPT
iptables -I INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -P INPUT DROP
# Once a connection on port 80 (for example) has been set up, all data of that connection is allowed through.
# The state of incoming packets is checked: packets of an already established TCP connection, and packets related to it, are accepted.

An analogy: when I do business with you and we have negotiated a deal, then when it is time to pay you can directly use the payment function that belongs to that deal, without negotiating again.
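The same ruleset as a complete, lockout-safe script, added here as an example that is not part of the original post: it resets the INPUT policy to ACCEPT before flushing (the precaution from the clear-rules section), allows loopback, ESTABLISHED/RELATED traffic, SSH from an admin network, the service ports used above and ping, logs whatever remains, and only then sets the DROP policy. ADMIN_NET (the network admins connect from) and the LOG prefix are my own assumptions.

```shell
#!/bin/sh
# Lockout-safe version of the host ruleset above (added example, not from the
# original post). ADMIN_NET is a constructed placeholder for the network admins
# SSH from; IPT selects the binary to run ("echo" prints instead of applying).
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"
IPT="${IPT:-iptables}"

# build_rules prints one command per line in the order they must be applied.
# The policy is reset to ACCEPT before -F so that a DROP policy plus an empty
# chain cannot cut off the SSH session while the new rules load (the -F
# precaution from the clear-rules section); DROP is set again as the last step.
build_rules() {
    cat <<EOF
$IPT -P INPUT ACCEPT
$IPT -F INPUT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -m state --state INVALID -j DROP
$IPT -A INPUT -p tcp -s $ADMIN_NET --dport 22 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p tcp -m multiport --dports 20,21,53,80 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p udp --dport 53 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
$IPT -A INPUT -j LOG --log-prefix "INPUT-DROP: "
$IPT -P INPUT DROP
EOF
}

# apply_rules runs the list as root; with sh -e a failing command stops the
# script before the final -P DROP is reached
apply_rules() {
    build_rules | sh -e
}

if [ "${1:-}" = "--apply" ]; then
    apply_rules
else
    build_rules    # dry run: only print the commands for review
fi
```

Run it without arguments to review the command list, and with --apply (as root) to load it.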

Origin blog.csdn.net/Jun____________/article/details/114943563