Security technologies
Intrusion Detection System (IDS): does not block any network access. It quantifies and locates threats from inside and outside the network and mainly produces reports and after-the-fact monitoring, which serve as the basis for targeted guidance and security decisions. Usually deployed out of band (bypass / mirror port).
Intrusion Prevention System (IPS): works in transparent mode and analyses packet content (overflow attacks, denial-of-service attacks, Trojans, worms, exploitation of system vulnerabilities); once an attack is identified it is blocked immediately, so the network is protected actively. Usually deployed inline.
Firewall: an isolating component that works at the edge of a network or host. It checks packets entering and leaving the network or host against a set of rules and applies the action defined by the matching rule. The basic approach is to deny all access by default and only open what the allow policy permits.
Firewall categories
(1) By scope: host firewall: protects the services of the current host; network firewall: protects the services on the LAN side.
(2) By implementation: hardware firewall: part of the functions is implemented in dedicated hardware and the rest in software, e.g. Checkpoint, NetScreen; software firewall: firewall software running on a general hardware platform.
(3) By layer: network-layer firewall: works up to layer 4 of the OSI model; application-layer firewall / proxy server: a proxy gateway working at layer 7 of the OSI model.
Network-layer firewalls
A packet-filtering firewall selects packets at the network layer according to filtering logic configured in the system, called an access control list (ACL). It examines each packet's source address, destination address, port numbers, protocol state and other factors, or a combination of them, to decide whether the packet is allowed to pass. Advantages: transparent to users, fast processing, easy to maintain. Disadvantages: cannot inspect application-layer data, e.g. viruses.
Application-layer firewalls
An application-layer firewall / proxy service firewall (Proxy Service) splits every network communication link crossing the firewall into two segments; internal and external users reach each other through a "link" on the proxy server. Advantages: application-layer data is inspected, which is safer. Disadvantages: increases the load on the firewall.
Firewalls used in real production environments are generally a combination of both: the network-layer data is checked first, and packets that pass are then checked at the application layer.
Basic knowledge of iptables
Netfilter components
• Works in kernel space, integrated into the Linux kernel.
• Official documentation: https://netfilter.org/documentation/
• An extensible underlying framework for various network services.
• The kernel selects five positions on the packet path and places five hook functions there (INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING). These five hooks are exposed to user space, and the user writes rules for them with a command-line tool (iptables).
• Filtering is organised in tables; a table contains a set of rules for handling IP packets, and the rules are grouped into chains.
three packet flows:
• Into the host: PREROUTING -> INPUT -> user-space process
• Out of the host: user-space process -> OUTPUT -> POSTROUTING
• Forwarded: PREROUTING -> FORWARD -> POSTROUTING
When an httpd service is accessed and needs access control, e.g. only host 1 may access it and host 2 may not, where should the rule be placed?
The most reasonable position is INPUT: allow host 1 and reject host 2 there. If the rule were placed in PREROUTING, host 2 would also be unable to reach another host through this Linux system (forwarded traffic passes PREROUTING too), so that configuration is unreasonable. If it were placed in OUTPUT, only what the httpd host itself sends to host 2 would be affected, not host 2's incoming requests.
Firewall tools
iptables
A command-line tool working in user space, used to write rules. The rules written are handed to netfilter and tell the kernel how to handle packets.
firewalld
A new front-end management tool introduced in CentOS 7.
Management tools:
firewall-cmd: command line
firewall-config: graphical
iptables composition
iptables consists of five tables, five chains and the rules they contain.
Five tables: filter, nat, mangle, raw, security
filter: the filtering rule table; filters packets according to predefined rules.
nat: the network address translation rule table.
mangle: the rule table for modifying packet marks.
raw: disables the connection-tracking mechanism that the nat table enables, to speed packets through the firewall.
security: mandatory access control (MAC) network rules, implemented by a Linux security module (e.g. SELinux).
Priority from high to low: security -> raw -> mangle -> nat -> filter
Five built-in chains: INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING
Correspondence between netfilter tables and chains
Linux shows which chains exist in each table; the Tab key can be used for completion to display the available chains as supplementary information.
Packet filtering matching process
iptables and routing
Points at which routing happens
After a packet enters the host:
• Decide whether the destination host is this host. Yes: INPUT; No: FORWARD
Before a packet leaves the host:
• Decide which interface sends it to the next hop
Packet transmission process inside the kernel
When a packet arrives at the NIC it first enters the PREROUTING chain, and the kernel decides from the packet's destination IP whether it has to be forwarded. If the packet is destined for this host, it moves down the diagram to the INPUT chain; after the INPUT chain any local process can receive it. Programs running on this host can send packets; those pass through the OUTPUT chain and then leave via the POSTROUTING chain. If the packet is to be forwarded and the kernel allows forwarding, it moves to the right, passes through the FORWARD chain, and leaves via the POSTROUTING chain.
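To make the chain-selection argument concrete (the httpd question above and the kernel path just described), here is a small added Python model of which hook chains a packet traverses. It is an illustration written for this page, not code from the page or from netfilter; the packet set and addresses are constructed from the page's scenario.

```python
"""Toy model of which netfilter hook chains a packet traverses on a Linux host.
Added illustration only: names and packets are made up for this page."""


def chains_for(dst_ip, local_ips, ip_forward, originated_locally=False):
    """Return the ordered hook chains a packet passes through.

    dst_ip             destination address of the packet
    local_ips          addresses configured on this host
    ip_forward         True if net.ipv4.ip_forward is enabled
    originated_locally True for packets generated by a local process
    """
    if originated_locally:                  # local process -> OUTPUT -> POSTROUTING
        return ["OUTPUT", "POSTROUTING"]
    if dst_ip in local_ips:                 # routing decision: addressed to us -> INPUT
        return ["PREROUTING", "INPUT"]
    if ip_forward:                          # not for us, forwarding allowed
        return ["PREROUTING", "FORWARD", "POSTROUTING"]
    return ["PREROUTING"]                   # not for us, forwarding off: dropped after PREROUTING


def affected_by_rule(chain, packets, local_ips, ip_forward):
    """Names of the packets that a rule placed in `chain` would get to match."""
    return [p["name"] for p in packets
            if chain in chains_for(p["dst"], local_ips, ip_forward, p.get("local", False))]


# Constructed scenario from the page: this box (192.168.34.101) runs httpd,
# host 2 (192.168.34.102) must be kept away from it but may still route through the box.
LOCAL_IPS = {"192.168.34.101", "127.0.0.1"}
PACKETS = [
    {"name": "host2 -> httpd",              "dst": "192.168.34.101"},
    {"name": "host2 -> other via this box", "dst": "10.0.0.9"},
    {"name": "httpd reply -> host2",        "dst": "192.168.34.102", "local": True},
]

if __name__ == "__main__":
    for chain in ("PREROUTING", "INPUT", "FORWARD", "OUTPUT"):
        print(chain, "sees", affected_by_rule(chain, PACKETS, LOCAL_IPS, ip_forward=True))
```

A reject rule in INPUT touches only the request to httpd; the same rule in PREROUTING would also catch host 2's forwarded traffic, and in OUTPUT it would only catch the box's own replies.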
iptables rules
Rule: a rule tries to match a packet against its match conditions and handles matching packets with the action the rule defines.
Match conditions: ANDed by default, all conditions must be satisfied at the same time.
Basic matches: IP, port, TCP flags (SYN, ACK, etc.). Extended matches: complex, advanced matching through extensions.
Action: called the target, i.e. the jump target.
Built-in targets: ACCEPT, DROP, REJECT, SNAT, DNAT, MASQUERADE, MARK, LOG... Custom targets: user-defined chains, used to manage complex situations by classification.
A rule only takes effect once it is added to a chain; a rule added to a custom chain does not take effect automatically.
Chain: built-in chains: each built-in chain corresponds to one hook function. Custom chains: extend or supplement the built-in chains and allow a more flexible organisation of rules; a custom chain only takes effect when it is called from a hook (built-in chain).
Key points when adding iptables rules
Considerations when adding a rule:
• Which function is to be implemented: decides which table to add it to
• The path the packet travels: decides which chain to add it to
• The direction of the packet: decides source and destination
• Match rules: as the business requires
Lab environment preparation:
CentOS 7:
systemctl stop firewalld.service
systemctl disable firewalld.service
CentOS 6:
service iptables stop
chkconfig iptables off
Check whether the firewall rules have been cleared completely. Here they have not, because a virtual NIC exists (the virbr0 driver is present and needs to be removed).
[root@centos777 ~]# iptables -vnL    # show all chains of the table plus some extra information
Chain INPUT (policy ACCEPT 1289 packets, 127K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:67
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      virbr0  0.0.0.0/0            192.168.122.0/24     ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  virbr0 *       192.168.122.0/24     0.0.0.0/0
    0     0 ACCEPT     all  --  virbr0 virbr0  0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT 1018 packets, 103K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            udp dpt:68
[root@centos777 ~]# ip a    # the virbr0 virtual NIC is visible
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:f4:9f:15 brd ff:ff:ff:ff:ff:ff
    inet 192.168.34.102/24 brd 192.168.34.255 scope global noprefixroute ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fef4:9f15/64 scope link
       valid_lft forever preferred_lft forever
4: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 52:54:00:9d:62:0a brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
       valid_lft forever preferred_lft forever
5: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast master virbr0 state DOWN group default qlen 1000
    link/ether 52:54:00:9d:62:0a brd ff:ff:ff:ff:ff:ff
Remove the virtual NIC driver and reboot the Linux system afterwards:
[root@centos777 ~]# yum remove libvirt-daemon -y
[root@centos777 ~]# reboot
Checking the firewall again now, all rules have been cleared.
The iptables command
man 8 iptables
iptables [-t table] {-A|-C|-D} chain rule-specification
iptables [-t table] -I chain [rulenum] rule-specification
iptables [-t table] -R chain rulenum rule-specification
iptables [-t table] -D chain rulenum
iptables [-t table] -S [chain [rulenum]]
iptables [-t table] {-F|-L|-Z} [chain [rulenum]] [options...]
iptables [-t table] -N chain
iptables [-t table] -X [chain]
iptables [-t table] -P chain target
iptables [-t table] -E old-chain-name new-chain-name
rule-specification = [matches...] [target]
match = -m matchname [per-match-options]
target = -j targetname [per-target-options]
Simple example
INPUT rules in the filter table
Rule format: iptables [-t table] SUBCOMMAND chain [-m matchname [per-match-options]] -j targetname [per-target-options]
-t table:
raw, mangle, nat, [filter] (default)
SUBCOMMAND:
1. Chain management:
-N: new, create a new custom chain
-X: delete, delete an empty custom chain
-P: policy, set the default policy; for chains in the filter table the default policy can be ACCEPT (accept) or DROP (drop)
-E: rename a custom chain; a custom chain whose reference count is not 0 can be neither renamed nor deleted
Example:
Host A: 192.168.34.101
Host B: 192.168.34.102
(1) On host A, configure the firewall to drop packets coming from host B
[root@centos7 ~]# iptables -t filter -A INPUT -s 192.168.34.102 -j DROP
(2) Ping host A from host B. There is no response, so a rule configured on host A can be suspected
[root@centos777 ~]# ping 192.168.34.101
PING 192.168.34.101 (192.168.34.101) 56(84) bytes of data.
(3) Capture packets on host A to troubleshoot. Only host B's pings to host A are seen and there are no replies from A to B. (If host A had received nothing while B was pinging, the problem would be in the network in between.) This shows where the problem lies.
[root@centos7 network-scripts]# tcpdump -i ens33 -nn host 192.168.34.102    # only B -> A requests, no A -> B replies: suspect a rule on host A
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
14:45:54.717118 IP 192.168.34.102 > 192.168.34.101: ICMP echo request, id 7494, seq 197, length 64
14:45:55.717241 IP 192.168.34.102 > 192.168.34.101: ICMP echo request, id 7494, seq 198, length 64
14:45:56.717162 IP 192.168.34.102 > 192.168.34.101: ICMP echo request, id 7494, seq 199, length 64
14:45:57.717258 IP 192.168.34.102 > 192.168.34.101: ICMP echo request, id 7494, seq 200, length 64
14:45:58.717378 IP 192.168.34.102 > 192.168.34.101: ICMP echo request, id 7494, seq 201, length 64
(4) The cause has been traced to host A's rule (nothing is returned to host B), so flush host A's firewall rules
[root@centos7 network-scripts]# iptables -F
(5) Now host B can ping host A
[root@centos777 ~]# ping 192.168.34.101
PING 192.168.34.101 (192.168.34.101) 56(84) bytes of data.
64 bytes from 192.168.34.101: icmp_seq=721 ttl=64 time=0.721 ms
64 bytes from 192.168.34.101: icmp_seq=722 ttl=64 time=0.429 ms
64 bytes from 192.168.34.101: icmp_seq=723 ttl=64 time=0.477 ms
64 bytes from 192.168.34.101: icmp_seq=724 ttl=64 time=0.630 ms
64 bytes from 192.168.34.101: icmp_seq=725 ttl=64 time=0.424 ms
2. Viewing:
-L: list, list all rules on the specified chain; this option must be placed last
-n: numeric, show addresses and port numbers in numeric form
-v: verbose, detailed information; -vv: even more detailed
-x: exactly, show the exact counter values rather than the human-readable converted units
--line-numbers: show the rule numbers
Common combinations:
-vnL
-vvnxL --line-numbers
-S: selected, show the rules of a chain in iptables-save command format
3. Rule management:
-A: append, add at the end
-I: insert; specify the rule number to insert at, default is the first position
-D: delete; (1) by rule number (2) by specifying the rule itself
-R: replace the rule with the given number on the given chain
-F: flush, empty the specified chain
-Z: zero, reset the counters
Each iptables rule has two counters:
(1) the number of packets matched
(2) the total size of all packets matched
chain: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING
Example:
(1) Define three firewall rules
[root@centos7 ~]# iptables -A INPUT -s 192.168.34.102 -j REJECT
[root@centos7 ~]# iptables -A INPUT -s 192.168.34.100 -j REJECT
[root@centos7 ~]# iptables -A INPUT -s 192.168.34.103 -j REJECT
(2) Delete the first rule
[root@centos7 ~]# iptables -vnL --line-numbers    # show all firewall rules
Chain INPUT (policy ACCEPT 76 packets, 5484 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     all  --  *      *       192.168.34.102       0.0.0.0/0            reject-with icmp-port-unreachable
2        0     0 REJECT     all  --  *      *       192.168.34.100       0.0.0.0/0            reject-with icmp-port-unreachable
3        0     0 REJECT     all  --  *      *       192.168.34.103       0.0.0.0/0            reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 49 packets, 5340 bytes)
num   pkts bytes target     prot opt in     out     source               destination
[root@centos7 ~]# iptables -D INPUT 1    # delete rule 1
[root@centos7 ~]# iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 5 packets, 356 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     all  --  *      *       192.168.34.100       0.0.0.0/0            reject-with icmp-port-unreachable
2        0     0 REJECT     all  --  *      *       192.168.34.103       0.0.0.0/0            reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 4 packets, 416 bytes)
num   pkts bytes target     prot opt in     out     source               destination
(3) Insert a firewall rule; by default it is inserted as rule 1
[root@centos7 ~]# iptables -I INPUT -s 192.168.34.105 -j REJECT
[root@centos7 ~]# iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 50 packets, 3648 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     all  --  *      *       192.168.34.105       0.0.0.0/0            reject-with icmp-port-unreachable    # the rule rejecting 192.168.34.105 is now rule 1
2        0     0 REJECT     all  --  *      *       192.168.34.100       0.0.0.0/0            reject-with icmp-port-unreachable
3        0     0 REJECT     all  --  *      *       192.168.34.103       0.0.0.0/0            reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 34 packets, 3040 bytes)
num   pkts bytes target     prot opt in     out     source               destination
(4) Append a firewall rule; by default it is added as the last rule
[root@centos7 ~]# iptables -A INPUT -s 192.168.34.8 -j REJECT
[root@centos7 ~]# iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 53 packets, 4044 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     all  --  *      *       192.168.34.105       0.0.0.0/0            reject-with icmp-port-unreachable
2        0     0 REJECT     all  --  *      *       192.168.34.100       0.0.0.0/0            reject-with icmp-port-unreachable
3        0     0 REJECT     all  --  *      *       192.168.34.103       0.0.0.0/0            reject-with icmp-port-unreachable
4        0     0 REJECT     all  --  *      *       192.168.34.8         0.0.0.0/0            reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 38 packets, 3512 bytes)
num   pkts bytes target     prot opt in     out     source               destination
Inserting at a specified number: the rule that was number 1 automatically moves down. Put the rules that are hit most often at the front. This step is important: if the 192.168.34.0/24 segment were rejected, remote connections would no longer be possible; adding this rule lets the Windows remote session connect.
[root@centos7 ~]# iptables -I INPUT 1 -s 192.168.34.1 -j ACCEPT
Replace a rule whose content was written incorrectly at the given number; it can simply be rewritten:
[root@centos7 ~]# iptables -R INPUT 2 -s 192.168.34.8 -j REJECT
Reset the rule counters:
[root@centos7 ~]# iptables -Z INPUT
Match conditions
Basic: generic, PARAMETERS
Extended: require loading a module, MATCH EXTENSIONS
1. Basic match conditions: no module needs to be loaded, provided by iptables/netfilter itself
[!] -s, --source address[/mask][,...]: source IP address or range
[!] -d, --destination address[/mask][,...]: destination IP address or range
[!] -p, --protocol protocol: specify the protocol; a number such as 0 (all) may be used
protocol: tcp, udp, icmp, icmpv6, udplite, esp, ah, sctp, mh or "all"
See: /etc/protocols
[!] -i, --in-interface name: the interface the packet arrives on; only applies where packets enter, i.e. the INPUT, FORWARD and PREROUTING chains
[!] -o, --out-interface name: the interface the packet leaves by; only applies where packets leave, i.e. the FORWARD, OUTPUT and POSTROUTING chains
Example:
(1) Two rules can be inserted at once
[root@centos7 ~]# iptables -I INPUT 3 -s 192.168.34.8,192.168.34.45 -j REJECT    # one rule number given, but two rules are actually shown
[root@centos7 ~]# iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 59 packets, 4232 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     all  --  *      *       192.168.34.105       0.0.0.0/0            reject-with icmp-port-unreachable
2        0     0 REJECT     all  --  *      *       192.168.34.100       0.0.0.0/0            reject-with icmp-port-unreachable
3        0     0 REJECT     all  --  *      *       192.168.34.45        0.0.0.0/0            reject-with icmp-port-unreachable    # shown as rules 3 and 4
4        0     0 REJECT     all  --  *      *       192.168.34.8         0.0.0.0/0            reject-with icmp-port-unreachable
5        0     0 REJECT     all  --  *      *       192.168.34.103       0.0.0.0/0            reject-with icmp-port-unreachable
6        0     0 REJECT     all  --  *      *       192.168.34.8         0.0.0.0/0            reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 39 packets, 3748 bytes)
num   pkts bytes target     prot opt in     out     source               destination
(2) Reject all access, allowing only the IP addresses listed in the rules
[root@centos7 ~]# iptables -A INPUT -s 192.168.34.1 -j ACCEPT    # add the local Windows system's IP, otherwise remote connection is impossible
[root@centos7 ~]# iptables -A INPUT -s 192.168.34.102 -j ACCEPT
[root@centos7 ~]# iptables -A INPUT -s 192.168.34.101 -j ACCEPT
[root@centos777 ~]# iptables -A INPUT -j REJECT    # reject every IP address; only the addresses in the rules above can still access
[root@centos777 ~]# iptables -I INPUT 5 -s 192.168.34.102,127.0.0.1 -j ACCEPT    # allow 192.168.34.102 and the loopback address
[root@centos777 ~]# iptables -A INPUT -i lo -j ACCEPT    # allow the loopback interface, which the host itself needs, so it cannot lock itself out
View the rule information
[root@centos7 ~]# iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      277 20776 ACCEPT     all  --  *      *       192.168.34.1         0.0.0.0/0
2        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
3        1    67 ACCEPT     all  --  *      *       192.168.34.102       0.0.0.0/0
4        1    67 ACCEPT     all  --  *      *       192.168.34.101       0.0.0.0/0
5        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
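The ordering effects shown in the examples above (insert versus append, the comma-separated -s list landing reversed at rule 3 and 4, and the whitelist that must come before the catch-all REJECT) can be reproduced with this small added Python model of first-match evaluation. It is an illustration written for this page, not iptables itself or code from the page; the Chain class, whitelist_input helper and the addresses are assumptions taken from the page's scenario.

```python
"""Toy first-match evaluator for one iptables chain (think filter/INPUT).
Added illustration only: not iptables itself, just the ordering behaviour the
page demonstrates (-A, -I [rulenum], -D rulenum, comma-separated -s, -i, -P)."""
import ipaddress


class Chain:
    def __init__(self, policy="ACCEPT"):
        self.policy = policy        # set by -P; applies only when no rule matches
        self.rules = []             # ordered (src_net or None, in_iface or None, target)

    @staticmethod
    def _nets(src):
        # "-s a,b" is expanded by iptables into one rule per address
        return [ipaddress.ip_network(s, strict=False) for s in src.split(",")] if src else [None]

    def append(self, target, src=None, iface=None):                # -A
        for net in self._nets(src):
            self.rules.append((net, iface, target))

    def insert(self, target, src=None, iface=None, rulenum=1):     # -I chain [rulenum]
        # every expanded address goes in at the same rulenum, so a comma list ends up reversed
        for net in self._nets(src):
            self.rules.insert(rulenum - 1, (net, iface, target))

    def delete(self, rulenum):                                     # -D chain rulenum
        del self.rules[rulenum - 1]

    def verdict(self, src_ip, in_iface="ens33"):
        """The first matching rule decides; if none matches, the chain policy applies."""
        ip = ipaddress.ip_address(src_ip)
        for net, iface, target in self.rules:
            if (net is None or ip in net) and (iface is None or iface == in_iface):
                return target
        return self.policy

    def sources(self):
        """Source of each rule in order, as 'iptables -vnL --line-numbers' would list them."""
        return [str(net) if net is not None else "0.0.0.0/0" for net, _, _ in self.rules]


def whitelist_input(admin_ip, allowed_ips):
    """The page's pattern: allow listed hosts and loopback, then REJECT everything else.
    The admin host goes in at rule 1 so it is matched before the catch-all."""
    inp = Chain()
    for ip in allowed_ips:
        inp.append("ACCEPT", src=ip)
    inp.append("ACCEPT", iface="lo")
    inp.append("REJECT")                          # catch-all: any rule appended after it is dead
    inp.insert("ACCEPT", src=admin_ip, rulenum=1)
    return inp
```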
(3) Clear the OUTPUT rules
[root@centos777 ~]# iptables -F OUTPUT