iptables firewall, SNAT and DNAT

Firewall overview

A firewall is simply an isolation mechanism that plays the role of defending a network. It comes as a software firewall or a hardware firewall; either way it sits at the edge of the network. So how does a firewall isolate, and where does the isolation happen? A Linux firewall has two halves: the rule engine, which lives in kernel space (netfilter), and the management tool, which runs in user space (iptables). Application programs run in user space, but the rules that actually match packets must be installed in kernel space.

For a host firewall (the machine protects itself), a packet sent by a client enters kernel space through an interface, passes the checkpoints on the inbound path, and is handed to the user-space application; the reply re-enters kernel space, passes the outbound checkpoints, leaves through the interface and returns to the client. For a network firewall (the machine forwards traffic for other hosts), the packet enters kernel space through one interface, is forwarded at the FORWARD checkpoint and leaves through another interface; it never passes through user space at all.

The checkpoints inside the firewall are the five chains: PREROUTING, INPUT, OUTPUT, POSTROUTING and FORWARD. A packet delivered locally traverses PREROUTING and INPUT, and the reply traverses OUTPUT and POSTROUTING; a forwarded packet traverses PREROUTING, FORWARD and POSTROUTING. By function, rules are grouped into four tables: raw, mangle, nat and filter. When more than one table has rules on the same chain they are consulted in the order raw, mangle, nat, filter. filter is by far the most used, followed by nat, then mangle; raw is rarely used.
Which chains each table has:
- filter: INPUT, FORWARD, OUTPUT
- nat: PREROUTING, INPUT, OUTPUT, POSTROUTING
- mangle: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING (all five)
- raw: PREROUTING and OUTPUT only

So when adding a rule, decide two things: (1) what function the rule performs, which determines the table it goes into; (2) which path the packet takes, which determines the chain it goes on.

iptables is the user-space tool that manages these rules. Changes take effect immediately (and are lost at reboot unless saved).

Chain management commands:
- -P: set the default policy of a chain (whether the door is closed or open by default). There are really only two choices: iptables -P INPUT DROP or iptables -P INPUT ACCEPT. For example, iptables -P INPUT DROP sets the default to refuse; since no rule has been defined to accept anything yet, every connection from outside, including the Xshell session you are typing in, is refused. Add the accept rules first and set a DROP default last.
- -F: flush, empty the rules of a chain (each chain is managed separately; the table defaults to filter). iptables -t nat -F PREROUTING empties one chain; iptables -t nat -F empties every chain in the nat table.
- -N: create a user-defined chain, e.g. iptables -N inbound_tcp_web, a chain meant to hold the checks for inbound TCP to the web service.
- -X: delete a user-defined chain; same form as -N, but the chain must be emptied (-F) before it can be deleted.
- -E: rename a user-defined chain: iptables -E oldname newname
- -Z: zero the counters of a chain and of its default policy (every rule has two counters, packets matched and bytes matched): iptables -Z

Rule management commands:
- -A: append a new rule at the end of the chain
- -I num: insert the rule at position num, e.g. -I INPUT 3 inserts it as the third rule (with no number it goes to the top)
- -R num: replace rule number num: iptables -R INPUT 3 ...
- -D num: delete rule number num

Viewing rules: -L, with these additional options:
- -n: show addresses numerically; without it iptables reverse-resolves every IP to a host name, which is slow
- -v: verbose; -vv and -vvv are more verbose still
- -x: show exact counter values with no unit conversion
- --line-numbers: print each rule's number, which is what -I, -R and -D refer to
- -t nat: show the nat table (the default is filter)

Match criteria. Generic matches:
- -s: match the source address. A host name is not allowed, it must be an IP: IP, IP/MASK, or 0.0.0.0/0.0.0.0 for anything. A "!" in front inverts the match, i.e. everything except that address.
- -d: match the destination address, same syntax
- -p: match the protocol; in practice tcp, udp or icmp
- -i eth0: the packet arrived on this interface; usable in INPUT, FORWARD and PREROUTING
- -o eth0: the packet leaves through this interface; usable in OUTPUT, FORWARD and POSTROUTING

Implicit extensions (loaded automatically by -p):
-p tcp, with three common options:
- --dport: destination port. A single port such as --dport 21, or a contiguous range written with a colon, --dport 21:23 (meaning 21, 22 and 23). Several non-contiguous ports cannot be given here; see multiport below.
- --sport: source port, same syntax
- --tcp-flags: TCP flag bits (SYN, ACK, FIN, PSH, RST, URG). It takes two lists: the flags to examine, and which of those must be set to 1. --tcp-flags SYN,ACK,FIN,RST SYN examines four bits and matches only when SYN is 1 and the other three are 0, which is the first packet of the three-way handshake.
Because matching the first SYN packet is so common, there is a shorthand for it: --syn.
-p udp: --dport and --sport, as for tcp.
-p icmp: --icmp-type. echo-request is type 8, so --icmp-type 8 matches ping requests; echo-reply is type 0.

Explicit extensions (-m): load a match module by name.
-m multiport: multi-port match, so that several ports can be listed, e.g. --dports 21,23,80.

-j ACTION, common actions:
- DROP: silently discard. We usually prefer DROP, because it gives the sender no information about the host or its rule set.
- REJECT: refuse and tell the sender
- ACCEPT: accept
- custom_chain: jump to a user-defined chain
- DNAT, SNAT: rewrite the destination or source address
- MASQUERADE: source address masquerading, SNAT for an outbound address that is not fixed
- REDIRECT: redirect, mainly used for port redirection to the local machine
- MARK: set a firewall mark on the packet
- RETURN: leave a user-defined chain and continue in the chain that jumped to it

State detection: the state explicit extension (-m state) matches on the connection-tracking state of the session a packet belongs to. What is state detection? TCP is a connection-oriented protocol: a connection begins with a three-way handshake. The first packet of the handshake is what we call a NEW connection. From the second handshake packet on, the ACK bit is set; once the reply to the first packet has been seen the connection is ESTABLISHED, and it stays so for normal data transfer. Anything stranger, for example SYN=1, ACK=1 and RST=1 all at once, or a packet that fits no tracked connection, we do not recognise and call INVALID. There is a fourth state, needed for protocols such as FTP, an ancient protocol whose control connection on port 21 spawns a separate data connection on port 20: the two are different ports but belong together, and we call that relationship RELATED. So there are four states in total: NEW, ESTABLISHED, RELATED and INVALID. With them we can add state detection to the earlier exercise.
For example, allow only NEW and ESTABLISHED connections to come in, and allow only ESTABLISHED traffic to go out. This has a good controlling effect on the common kind of Trojan that calls back out to its operator: the call-back would be a NEW outbound connection, which is dropped. Exercise: refuse everything by default; inbound, allow only NEW and ESTABLISHED; outbound, allow only ESTABLISHED.

With a default policy of DROP, view the current rules with their line numbers:
iptables -L -n --line-numbers
and rewrite the rules at the positions shown (note that the state list takes no space after the comma):
iptables -R INPUT 2 -s 172.16.0.0/16 -d 172.16.100.1 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -R OUTPUT 1 -m state --state ESTABLISHED -j ACCEPT
If port 80 is to be opened as well:
iptables -A INPUT -d 172.16.100.1 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
And DNS on UDP 53, replacing rule 1:
iptables -R INPUT 1 -d 172.16.100.1 -p udp --dport 53 -j ACCEPT

Extension: 127.0.0.1 is special, since many local services talk to themselves over loopback, so with a DROP default it must be allowed explicitly:
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT

NAT
1. Three virtual machines are needed. Client: one static NIC, IP 192.168.20.2. Server: one static NIC, IP 172.16.100.2. Firewall: two static NICs, IP 192.168.20.1 and 172.16.100.1. Port 80 is used to verify the setup, so httpd is started on the server VM; the client and server VMs have their firewalls turned off, the firewall VM has its firewall turned on, and it is best to empty its chains and tables so that you start from the simplest possible state.
2. There are two ways to modify kernel parameters. 1) Write the value directly into the file under /proc/sys, e.g. echo "1" > /proc/sys/net/ipv4/tcp_syn_retries; this takes effect at once but reverts to the default after a reboot. 2) Add the parameter to /etc/sysctl.conf and run sysctl -p to load it; this is permanent. For the firewall VM to forward packets between its two NICs at all, the parameter that must be set to 1 is net.ipv4.ip_forward.
SNAT configured on the firewall: iptables -t nat -A POSTROUTING -s 192.168.20. (the rule is cut off here in the source)
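The host-firewall exercise above (default DROP, NEW/ESTABLISHED in, ESTABLISHED out, loopback and DNS allowed) as one script. This is an added example, not code from the original post. The addresses follow the post's lab (host 172.16.100.1, admin network 172.16.0.0/16) and the user-defined chain reuses the post's name inbound_tcp_web; port 443 alongside 80 is this example's own addition. With DRY_RUN=1 it prints the iptables commands instead of running them, so the rule set can be reviewed without root.

```shell
#!/bin/sh
# Added example (not from the original post): state-based host firewall.
# Addresses are the post's lab values; DRY_RUN=1 prints instead of applying.
DRY_RUN="${DRY_RUN:-0}"
HOST_IP="${HOST_IP:-172.16.100.1}"
ADMIN_NET="${ADMIN_NET:-172.16.0.0/16}"

ipt() {
    if [ "$DRY_RUN" = 1 ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}

host_firewall() {
    # Open the door while we work: ACCEPT policies, then flush rules and
    # user chains so nothing stale survives. DROP policies go on last.
    ipt -P INPUT ACCEPT
    ipt -P OUTPUT ACCEPT
    ipt -F
    ipt -X

    # Loopback: with a DROP policy, services talking to 127.0.0.1 break
    # unless it is allowed explicitly.
    ipt -A INPUT  -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT

    # Fast path first: packets of connections we already accepted.
    # RELATED covers FTP data connections and ICMP errors for our traffic.
    ipt -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT  -m state --state INVALID -j DROP

    # New connections: SSH only from the admin network, and only when the
    # first packet is a real SYN (--syn == --tcp-flags SYN,ACK,FIN,RST SYN).
    ipt -A INPUT -s "$ADMIN_NET" -d "$HOST_IP" -p tcp --dport 22 --syn \
        -m state --state NEW -j ACCEPT

    # Web checks live in a user-defined chain; INPUT just jumps to it.
    ipt -N inbound_tcp_web
    ipt -A inbound_tcp_web -p tcp --syn -m multiport --dports 80,443 \
        -m state --state NEW -j ACCEPT
    ipt -A inbound_tcp_web -j RETURN   # anything else goes back to INPUT
    ipt -A INPUT -d "$HOST_IP" -p tcp -j inbound_tcp_web

    # DNS served by this host. UDP has no handshake: NEW is the first datagram.
    ipt -A INPUT -d "$HOST_IP" -p udp --dport 53 -m state --state NEW -j ACCEPT

    # Now close the door. OUTPUT DROP plus only ESTABLISHED,RELATED out means
    # this host cannot open connections of its own, which is what stops a
    # reverse-connecting Trojan from calling home.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP
}

# Number of -A rules the function emits (dry run), a sanity check for edits.
rule_count() {
    ( DRY_RUN=1; host_firewall ) | grep -c -- ' -A '
}

case "${1:-}" in
    apply) host_firewall ;;
    show)  ( DRY_RUN=1; host_firewall ) ;;
esac
```

Run it as `sh host_fw.sh show` to review the commands and `sh host_fw.sh apply` as root to load them. The ESTABLISHED,RELATED rule is placed before the per-service rules deliberately: almost every packet matches it, so later rules are only evaluated for the first packet of each connection.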
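The NAT half of the lab, as an added example that is not part of the original post: SNAT in POSTROUTING for the inside network, DNAT in PREROUTING for a published port, and the FORWARD rules that the nat table does not replace. The addresses are the lab's (inside 192.168.20.0/24, outside address 172.16.100.1). Assumptions of this example: the inside NIC is eth0 and the outside NIC is eth1, and for the DNAT half a web server is assumed to run on the inside client VM 192.168.20.2. DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the original post): SNAT/DNAT gateway for the lab.
# Assumed: inside NIC eth0 (192.168.20.1), outside NIC eth1 (172.16.100.1),
# and a web server on the inside host 192.168.20.2 for the DNAT rule.
DRY_RUN="${DRY_RUN:-0}"
INSIDE_NET=192.168.20.0/24
INSIDE_IF="${INSIDE_IF:-eth0}"
OUTSIDE_IF="${OUTSIDE_IF:-eth1}"
OUTSIDE_IP=172.16.100.1
INSIDE_WEB=192.168.20.2

ipt() {
    if [ "$DRY_RUN" = 1 ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}

enable_forwarding() {
    # Forwarding is off by default; without it nothing reaches FORWARD.
    # This is the runtime setting (lost at reboot); make it permanent with
    # "net.ipv4.ip_forward = 1" in /etc/sysctl.conf followed by sysctl -p.
    if [ "$DRY_RUN" = 1 ]; then
        printf 'echo 1 > /proc/sys/net/ipv4/ip_forward\n'
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

nat_gateway() {
    enable_forwarding
    ipt -t nat -F
    ipt -F FORWARD

    # SNAT, POSTROUTING: after the routing decision, traffic from the inside
    # network leaving on the outside NIC gets the gateway's outside address.
    # That address is static, so SNAT; MASQUERADE is for dynamic addresses.
    ipt -t nat -A POSTROUTING -s "$INSIDE_NET" -o "$OUTSIDE_IF" \
        -j SNAT --to-source "$OUTSIDE_IP"

    # DNAT, PREROUTING: before routing, port 80 on the outside address is
    # rewritten to the inside web server, so the routing decision forwards it.
    ipt -t nat -A PREROUTING -i "$OUTSIDE_IF" -d "$OUTSIDE_IP" -p tcp --dport 80 \
        -j DNAT --to-destination "${INSIDE_WEB}:80"

    # nat only rewrites addresses; the packet is still checked in FORWARD.
    ipt -P FORWARD DROP
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$INSIDE_IF" -o "$OUTSIDE_IF" -s "$INSIDE_NET" \
        -m state --state NEW -j ACCEPT
    # The DNAT'd packet reaches FORWARD with its rewritten destination.
    ipt -A FORWARD -i "$OUTSIDE_IF" -o "$INSIDE_IF" -d "$INSIDE_WEB" -p tcp --dport 80 \
        -m state --state NEW -j ACCEPT
}

case "${1:-}" in
    apply) nat_gateway ;;
    show)  ( DRY_RUN=1; nat_gateway ) ;;
esac
```

Verify from the client VM with `curl http://172.16.100.2/`; on the server the access log should show 172.16.100.1 as the source, which is the SNAT rewrite. Verify the DNAT rule from the server VM with `curl http://172.16.100.1/` and check that the request arrives at 192.168.20.2.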

Source: www.cnblogs.com/1011cjk/p/11093174.html