firewall
Function: isolation. A firewall is normally deployed at the network edge or at the host edge, i.e. at the single point through which all traffic enters and leaves the network as a whole.
Main role:
Decides which internal resources the external network may reach and which external resources the internal network may reach, in other words which packets may pass in each direction.
Security technologies used:
1. Intrusion detection system (IDS): detects threats (Trojans, viruses, scans, etc.) but does not block traffic itself; it raises an alert and logs the event for follow-up. It is normally deployed out of band (bypass mode, e.g. on a mirror port), so on its own it cannot stop an attack.
2. Intrusion prevention system (IPS): blocks a detected threat immediately and so protects the network proactively. It works in transparent mode and is usually deployed inline, i.e. all traffic in and out passes through it.
Special case: the "water wall" (waterproof wall, a data-leak-prevention product category)
Role: prevents information leakage (outbound data), rather than blocking inbound attacks
Software firewalls: iptables, firewalld, Huorong, 360...
Hardware firewalls: dedicated firewall appliances; routers, switches and Layer 3 switches with ACL filtering...
How firewalls are classified
1. By scope of protection
Host firewall: protects only the host it runs on
Network firewall: protects the whole network segment behind it; traffic must pass through it on its way in or out
2. By implementation
Hardware firewall: dedicated hardware implements the filtering, with software used to configure it
Software firewall: filtering is implemented and decided entirely in software
3. By the network layer it works at
Network layer: packet-filtering firewall (decides on IP addresses, ports and protocol)
Application layer (proxy server): terminates the connection and relays data in and out on the client's behalf, so it can inspect application content
Linux firewall
CentOS 7 comes with:
firewalld (dynamic firewall front end)
iptables (packet-filtering firewall)
SELinux (mandatory access control security tool)
firewalld and iptables are both user-space front ends to the same kernel component: netfilter. SELinux is a separate kernel security module, not part of netfilter, although its rules can also appear in the iptables security table.
iptables packet-filtering firewall
Works at the network (and transport) layer; filters and limits packets
iptables itself is a user-space tool; the actual filtering is done by netfilter in the kernel
Packet filtering: IP address, port and protocol can all be matched in iptables, and matching packets can be restricted or allowed
Protocols most commonly handled: TCP, UDP and ICMP
The composition and working mechanism of iptables
Components:
Four tables and five chains (special: there is also a fifth table, security, used for SELinux/MAC rules; it is outside the scope of this discussion)
Four tables:
raw table: connection-tracking control; marks packets NOTRACK so they skip connection tracking, which speeds up packets that need no state
mangle table: modifies packet marks and header fields (MARK, TOS, TTL)
nat table: address translation (SNAT, DNAT, MASQUERADE)
filter table: filtering rules; allows or drops packets that match the rules; the default table
Priority of the tables (the order in which a packet traverses them within a chain)
raw ——> mangle ——> nat ——> filter ——> security
Five chains
INPUT: rules for packets destined for this machine (after the routing decision)
OUTPUT: rules for packets generated by this machine
PREROUTING: rules applied to incoming packets before the routing decision (where DNAT happens)
POSTROUTING: rules applied after routing, just before the packet leaves the machine (where SNAT happens)
FORWARD: rules for packets routed through this machine
iptables rules
A table contains chains (not every table has all five: filter has INPUT/FORWARD/OUTPUT, nat has PREROUTING/INPUT/OUTPUT/POSTROUTING, mangle has all five, raw has PREROUTING/OUTPUT), and a chain contains rules (a rule: a match condition plus the action to take on packets that match)
Matching order
1. Tables are consulted in priority order; inside a chain the rules are checked from top to bottom, and the first matching rule with a terminating target (ACCEPT, DROP, REJECT...) ends the search; if no rule matches, the chain's default policy applies
2. Packet flow
Into this machine: PREROUTING ——> routing decision ——> INPUT chain ——> local process (request received, response generated and sent back to the user)
Out of this machine: e.g. httpd ——> response packet ——> OUTPUT chain ——> POSTROUTING (whether to perform source address translation) ——> user
Forwarding: packet arrives from one network segment ——> PREROUTING ——> routing decision (destination is not local) ——> FORWARD chain ——> POSTROUTING ——> packet leaves on the other interface
(If forwarding is not permitted, i.e. ip_forward is off or the FORWARD chain drops it, the packet is discarded)
iptables command format
iptables [-t table] management-option [chain] [match conditions] [-j target]   (if -t is omitted, the filter table is used by default)
--line-numbers can be added to -L to show the sequence number of each rule, which -I, -D and -R can then refer to
Management options
-A: append a rule at the end of the chain
-I: insert a new rule in the chain; -I CHAIN N inserts at position N (default 1, the top)
-P: set the default policy of a chain (applied when no rule matches)
-D: delete a rule, either by repeating its specification or by its sequence number
-R: replace the rule at a given sequence number (rarely used)
-L: list the rules in a chain; usually combined with -v (verbose: counters and interfaces) and -n (numeric addresses and ports, no DNS lookups): iptables -nvL
-F: flush all rules from the chain (or from every chain in the table if no chain is given); use with caution!!!
Match conditions
-p: protocol to match (tcp, udp, icmp, all)
-s: source IP address or network of the packet (20.0.0.10 or 20.0.0.0/24)
------ the order of -s and -p does not matter; several addresses may be given separated by ",", and iptables expands them into one rule per address
-d: destination IP address or network of the packet
-i: interface the packet arrives on (INPUT, FORWARD, PREROUTING only)
-o: interface the packet leaves on (OUTPUT, FORWARD, POSTROUTING only)
--sport: source port number
------- port options must come after -p tcp or -p udp; ":" denotes a contiguous range written low:high, e.g. 1024:65535, and does not join individual ports (for a list such as 22,80,443 use -m multiport)
--dport: destination port number
Targets (-j)
ACCEPT: let the packet through
DROP: discard the packet silently, sending nothing back to the sender
REJECT: discard the packet but send an error back (ICMP port-unreachable by default, or a TCP RST with --reject-with tcp-reset)
SNAT: rewrite the source IP address of the packet (nat table, POSTROUTING chain)
DNAT: rewrite the destination IP address of the packet (nat table, PREROUTING chain)
In production the default policy of the chains (at least INPUT and FORWARD) is DROP, with explicit ACCEPT rules for the traffic that is needed, including a rule for ESTABLISHED,RELATED connections so that replies are not cut off
Implicit modules
When -p specifies a protocol, the match module of the same name (tcp, udp, icmp) is loaded implicitly, so --sport/--dport work without -m; a port range can be written with ":" or the ports given through a module loaded explicitly with -m
-m loads an explicit match module: multiport (port lists), iprange (address ranges), mac (source MAC address), state/conntrack (connection state), etc.
Usage: -p tcp -m multiport --dports 22,20,3306,80 -j ACCEPT
With -m multiport the ports are separated by "," (not ":"), need no particular order, and up to 15 may be given; a range inside the list is written low:high
IP range
-m iprange --src-range: source IP range
-m iprange --dst-range: destination IP range
Usage: -p icmp -m iprange --src-range 20.0.0.10-20.0.0.20 -j ACCEPT
MAC address
-m mac --mac-source: source MAC address (only meaningful in INPUT, FORWARD and PREROUTING, i.e. for frames received on the local Ethernet segment)
Backup and restore of iptables
1. Rules entered on the command line live only in kernel memory; they are lost when the iptables service is restarted or the machine reboots
2. Permanent configuration
Steps:
First back up all current rules: iptables-save > /opt/iptables.bak
Then write the rules to the file the iptables service loads at boot (CentOS 7 with iptables-services): iptables-save > /etc/sysconfig/iptables
Restoring a backup into the running kernel (again temporary until saved):
iptables-restore < /opt/iptables.bak
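Before blindly running iptables-restore on a backup, it is worth checking what the file would actually open up. The script below is an added example, not part of the original notes: it audits an iptables-save dump for an ACCEPT default policy on INPUT/FORWARD and for sensitive ports (SSH, MySQL, RDP by default) accepted from any source, and only restores if the audit is clean. The sample dump and the port list are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original notes): audit an iptables-save dump
# before feeding it to iptables-restore, so a bad backup does not expose the host.

# Constructed sample in iptables-save format (hypothetical rules, for testing).
SAMPLE_DUMP='# Generated by iptables-save
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 20.0.0.0/24 -p tcp -m tcp --dport 3306 -j ACCEPT
COMMIT'

# Destination ports that must never be accepted from "anywhere" (assumption).
SENSITIVE_PORTS='^(22|3306|3389)$'

# audit_dump FILE [PORT_REGEX]: print one finding per line; return 1 if any.
audit_dump() {
    ports=${2:-$SENSITIVE_PORTS}
    findings=$(awk -v ports="$ports" '
    # "*filter" / "*nat" ... lines introduce a table.
    /^\*/ { table = substr($0, 2); next }
    # Policy lines look like ":INPUT ACCEPT [pkts:bytes]".
    table == "filter" && /^:(INPUT|FORWARD) ACCEPT/ {
        sub(/^:/, "")
        print "policy-accept: " $1 " chain in filter table defaults to ACCEPT"
    }
    # Rules that ACCEPT a sensitive destination port without any source restriction.
    table == "filter" && /^-A INPUT / && / -j ACCEPT/ {
        src = ($0 ~ / -s | --src-range /)
        for (i = 1; i <= NF; i++) {
            if (($i == "--dport" || $i == "--dports") && !src) {
                n = split($(i + 1), lst, ",")
                for (k = 1; k <= n; k++)
                    if (lst[k] ~ ports)
                        print "open-port: " lst[k] " reachable from any source: " $0
            }
        }
    }' "$1")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# safe_restore FILE: back up the running rules, then restore only a clean dump.
safe_restore() {
    if ! audit_dump "$1"; then
        echo "refusing to restore $1: fix the findings above first" >&2
        return 1
    fi
    iptables-save > "/opt/iptables.$(date +%s).bak" && iptables-restore < "$1"
}
```

Run it as `sh audit.sh` after adding a call such as `safe_restore /opt/iptables.bak`; the audit itself needs no root, so it can also run in CI against the copy kept in version control. A finding for port 22 is expected whenever SSH is open to the world, which is exactly the case to review before restoring on a public host.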
Creating a custom chain
iptables -N custom-chain-name
If no table is given with -t, the chain is created in the filter table by default
Renaming a chain in a table
iptables -E old-chain-name new-chain-name
Rules in a custom chain only take effect once a built-in chain jumps to it
iptables -I INPUT -p icmp -j custom-chain-name
Deleting a custom chain
iptables -X custom-chain-name
Note: -X only works on a chain that is empty and not referenced. If the custom chain is referenced from a built-in chain, first delete the referencing rule in the built-in chain, then flush the custom chain (iptables -F custom-chain-name), and finally delete the chain
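The pieces above (default policies, implicit and explicit match modules, iprange, multiport, a custom chain jumped to from INPUT) fit together in one host ruleset. The script below is an added example, not part of the original notes: it builds a default-DROP INPUT policy with a custom MGMT chain that restricts SSH and MySQL to a management range. The interface name ens33, the range 20.0.0.10-20.0.0.20 and the service list are assumptions; DRY_RUN=1 prints the iptables commands instead of executing them so the ruleset can be reviewed without root.

```shell
#!/bin/sh
# Added example (not from the original notes): host firewall with a custom chain.
# Assumptions: public interface ens33, management hosts in 20.0.0.10-20.0.0.20,
# services SSH (22), MySQL (3306), HTTP/HTTPS (80, 443).

IFACE="${IFACE:-ens33}"
MGMT_RANGE="${MGMT_RANGE:-20.0.0.10-20.0.0.20}"

# ipt: run iptables, or print the command when DRY_RUN=1 (review/test mode).
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

build_ruleset() {
    # Start from a clean filter table; chains must be flushed (-F) before -X.
    ipt -F
    ipt -X

    # Whitelist model: nothing enters or is forwarded unless a rule allows it.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Loopback, plus replies to connections this host already has.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP

    # Custom chain MGMT: only the management range may reach SSH and MySQL;
    # anything else that lands here is logged and dropped.
    ipt -N MGMT
    ipt -A MGMT -m iprange --src-range "$MGMT_RANGE" -j ACCEPT
    ipt -A MGMT -j LOG --log-prefix "MGMT-DENY: "
    ipt -A MGMT -j DROP
    # The jump from the built-in chain; without it the MGMT rules never run.
    ipt -A INPUT -i "$IFACE" -p tcp -m multiport --dports 22,3306 -j MGMT

    # Public web service: a port list via multiport (comma separated, any order).
    ipt -A INPUT -i "$IFACE" -p tcp -m multiport --dports 80,443 -j ACCEPT

    # Ping only from the management range; -p icmp loads the icmp match implicitly.
    ipt -A INPUT -p icmp --icmp-type echo-request -m iprange --src-range "$MGMT_RANGE" -j ACCEPT

    # Everything else falls through to the INPUT policy (DROP).
}

# Number of -A rules the ruleset produces (handy when reviewing a change).
count_rules() {
    DRY_RUN=1 build_ruleset | grep -c ' -A '
}

case "${1:-}" in
    apply)   build_ruleset; iptables -nvL --line-numbers ;;
    dry-run) DRY_RUN=1 build_ruleset ;;
    *)       echo "usage: $0 {apply|dry-run}" >&2 ;;
esac
```

Run `sh firewall.sh dry-run` to see the commands and `sudo sh firewall.sh apply` to install them; apply it from a console or out-of-band session first, because the default DROP takes effect before the SSH rule is added. Once it works, persist it with iptables-save > /etc/sysconfig/iptables as described above.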
Packet capture on Linux
Use tcpdump; it ships with most Linux distributions
Command example:
tcpdump -i ens33 -t -s0 -c 10 -w ./ens33.cap tcp and dst port 80 and src net 20.0.0.0/24
-i ens33: capture only on interface ens33
-t: do not print timestamps
-s0: capture whole packets (no snapshot-length truncation)
-c 10: stop after 10 packets
tcp and dst port 80: TCP packets whose destination port is 80
and src net 20.0.0.0/24: source address within this network segment
-w: write the raw packets to a file; ./ means the current directory, or give an absolute path to the exact file
Continuous capture (runs until stopped manually with Ctrl-C):
tcpdump -i ens33 -s0 -w ./ens33.cap tcp
Note: the saved .cap file is binary; read it on Linux with tcpdump -r ./ens33.cap (add -nn to avoid name lookups), or open it in Wireshark
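A capture is only useful once something is done with it. The script below is an added example, not part of the original notes: it records SYN-only packets with tcpdump and then runs a small awk detector over `tcpdump -tnn -r` text output to find sources that probed many distinct ports (a port-scan signature). The sample lines are constructed in tcpdump -tnn format; the interface name, capture duration and threshold are assumptions.

```shell
#!/bin/sh
# Added example (not from the original notes): capture SYNs, then spot port scans.

# capture_syns IFACE FILE: record only SYN (not SYN-ACK) packets for 60 seconds.
# The BPF expression keeps packets whose SYN flag is set and ACK flag is clear.
capture_syns() {
    timeout 60 tcpdump -i "$1" -nn -s0 -w "$2" 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'
}

# Constructed sample of `tcpdump -tnn -r capture.cap` output (no timestamps).
SAMPLE_LINES='IP 20.0.0.10.51234 > 20.0.0.1.22: Flags [S], seq 1, win 64240, length 0
IP 20.0.0.10.51235 > 20.0.0.1.80: Flags [S], seq 2, win 64240, length 0
IP 20.0.0.10.51236 > 20.0.0.1.443: Flags [S], seq 3, win 64240, length 0
IP 20.0.0.10.51237 > 20.0.0.1.3306: Flags [S], seq 4, win 64240, length 0
IP 20.0.0.10.51238 > 20.0.0.1.8080: Flags [S], seq 5, win 64240, length 0
IP 20.0.0.1.80 > 20.0.0.10.51235: Flags [S.], seq 9, ack 3, win 65160, length 0
IP 20.0.0.20.40000 > 20.0.0.1.80: Flags [S], seq 6, win 64240, length 0
IP 20.0.0.20.40001 > 20.0.0.1.80: Flags [P.], seq 1:10, ack 1, win 501, length 9'

# syn_scanners [THRESHOLD]: read tcpdump -tnn lines on stdin and print
# "source distinct_ports" for every source that sent SYN-only packets to more
# than THRESHOLD distinct destination ports (default 3).
syn_scanners() {
    awk -v thr="${1:-3}" '
    # Fields: IP src.port > dst.port: Flags [S], ...  ("[S]," is SYN only;
    # "[S.]," is SYN-ACK and is ignored).
    $1 == "IP" && $6 == "[S]," {
        src = $2; sub(/\.[0-9]+$/, "", src)      # strip the source port
        dst = $4; sub(/:$/, "", dst)
        port = dst; sub(/.*\./, "", port)        # keep the destination port
        if (!((src, port) in seen)) { seen[src, port] = 1; n[src]++ }
    }
    END { for (s in n) if (n[s] > thr) print s, n[s] }'
}

# scan_report FILE [THRESHOLD]: decode a saved capture and run the detector.
scan_report() {
    tcpdump -tnn -r "$1" 2>/dev/null | syn_scanners "${2:-3}"
}
```

Typical use is `capture_syns ens33 /tmp/syn.cap` followed by `scan_report /tmp/syn.cap 10`; the output `20.0.0.10 5` from the sample means that host sent SYNs to five different ports. The threshold should be tuned to the host: a web server with two listening ports sees far fewer legitimate distinct-port SYNs than a jump host.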