Linux firewall (1)

Security technologies

    Intrusion Detection System (IDS): does not block any network access. It quantifies and locates threats from inside and outside the network, mainly producing reports and after-the-fact supervision that serve as a basis for targeted security measures and decision making. Generally deployed out of band (bypass deployment).

 Intrusion Prevention System (IPS): works in transparent mode and analyzes packet content, accurately identifying overflow attacks, denial-of-service attacks, Trojans, worms, exploitation of system vulnerabilities and so on; once an attack is identified it is blocked immediately, protecting the network proactively. Generally deployed inline.

 Firewall: an isolation component working at the edge of a network or host. Packets entering and leaving the network or host are checked against a set of rules, and the action defined by the matching rule is applied. The basic implementation closes all access by default and only opens what the allow policy explicitly permits.

Firewall categories

(1) Host firewall: protects the host it runs on
    Network firewall: sits at the LAN edge and protects the LAN
(2) Hardware firewall: part of the firewall function is implemented in dedicated hardware and part in software, e.g. Checkpoint, NetScreen
    Software firewall: firewall software running on a general-purpose hardware platform
(3) Network-layer firewall: works at layer 4 and below of the OSI model
    Application-layer firewall / proxy server: proxy gateway, works at layer 7 of the OSI model

Network-layer firewalls

 Packet-filtering firewall
 At the network layer, packets are selected according to the filtering logic configured in the system, called an access control list (ACL). By examining each packet's source address, destination address, port numbers, protocol state and other factors, alone or in combination, the firewall decides whether the packet may pass.
 Advantages: transparent to users, fast, easy to maintain
 Disadvantages: cannot inspect application-layer data, e.g. viruses

Application-layer firewall

Application-layer firewall / proxy-service firewall (Proxy Service)
 Every network connection crossing the firewall is split into two segments
 Access between internal and external users goes through a "link" on the proxy server
    Advantages: inspects application-layer data, safer
    Disadvantages: increases the load on the firewall

Firewalls used in real production environments are generally a combination of both

 i.e. the packet is checked at the network layer first and, after passing, at the application layer

Basic knowledge of iptables

Netfilter components

• Kernel space, integrated into the Linux kernel
• Official documentation: https://netfilter.org/documentation/
• An extensible underlying framework for various network services
• The kernel places five hook functions at five positions (INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING); these five hooks are exposed to user space, and the user writes rules for them with a command-line tool (iptables)
• Information filtering is organized in tables; a table contains a set of rules controlling how IP packets are processed, and the rules are grouped in chains

 Three packet flows:

 Into the machine: PREROUTING -> INPUT -> user-space process
 Out of the machine: user-space process -> OUTPUT -> POSTROUTING
 Forwarded: PREROUTING -> FORWARD -> POSTROUTING

When controlling access to an HTTPD service, e.g. host 1 must be allowed and host 2 must be denied, where should the rule go?

The most reasonable position is INPUT: allow host 1 and refuse host 2 there. If the rule is placed at PREROUTING, host 2 can no longer reach another host through this Linux system when it acts as a router, so that configuration is unreasonable. If it is placed at OUTPUT, it is the HTTPD service's own traffic to host 2 that is blocked, rather than host 2's access being controlled.

Firewall tools

iptables

 Command-line tool working in user space
 Used to write rules; the written rules are sent to netfilter and tell the kernel how to process packets

firewalld

A new front-end management tool introduced in CentOS 7

Management Tools:

firewall-cmd: command line
firewall-config: graphical

iptables composition

iptables consists of five tables, five chains and the rules in them

Five tables: filter, nat, mangle, raw, security

filter: packet-filtering rule table; filters packets that match the predefined rules
nat: network address translation rule table
mangle: table of rules that modify packet marks and fields
raw: turns off connection tracking (and therefore the nat table) for matching packets, speeding them through the firewall
security: rules for mandatory access control (MAC) networking, implemented by a Linux security module (e.g. SELinux)
Priority in descending order: security -> raw -> mangle -> nat -> filter

Five built-in chains

INPUT
OUTPUT
FORWARD
PREROUTING
POSTROUTING

 Correspondence between Netfilter tables and chains

 On Linux several kinds of chains are displayed; the Tab key can be used for completion to see the available chains.

 Packet filtering matching process

 iptables and routing

When routing decisions are made

After a packet enters the host

      • Decide whether the destination host is this machine
            yes: INPUT
            no: FORWARD

Before a packet leaves the host

• Decide which interface sends it to the next hop

Packet path through the kernel

    When a packet arrives at the NIC it first enters the PREROUTING chain; the kernel uses the packet's destination IP to decide whether it needs to be forwarded.
If the packet is destined for this host, it moves down the diagram to the INPUT chain. Once it has passed INPUT, it is delivered to local processes. Programs running on this host can send packets; those pass through the OUTPUT chain and then the POSTROUTING chain on their way out.
If the packet is to be forwarded, and the kernel allows forwarding, it moves right through the FORWARD chain and then out via the POSTROUTING chain.

iptables rules

Rule: tries to match packets against the rule's match conditions and, for packets that match, applies the action the rule defines

Match conditions: ANDed by default; all conditions must be satisfied at the same time

Basic matches: IP, port, TCP flags (SYN, ACK, ...)
Extended matches: complex, advanced matching provided by extension modules

Action: called the target (jump target)

Built-in actions: ACCEPT, DROP, REJECT, SNAT, DNAT, MASQUERADE, MARK, LOG...
Custom actions: user-defined chains, used to organize complex situations by category

A rule only takes effect once it is added to a chain; a rule added to a user-defined chain does not take effect automatically

Chains:
    Built-in chains: each built-in chain corresponds to a hook function
    User-defined chains: extend or supplement the built-in chains and allow more flexible rule organization; they only take effect when a hook chain calls them

Key points for adding iptables rules

Things to consider when adding an iptables rule

 Which function to implement: decides which table the rule goes in
 Which path the packet takes: decides which chain the rule goes on
 Which direction the packet travels: decides source and destination
 Match rules: determined by business needs

Lab environment preparation:

CentOS 7:

systemctl stop firewalld.service
systemctl disable firewalld.service

CentOS 6:

service iptables stop
chkconfig iptables off

Check whether the firewall rules have been fully cleared. Here they have not, because a virtual NIC exists (the virbr0 driver from libvirt is present and must be removed)

[root@centos777~]#iptables -vnL   # list all chains of the table with counters and other details
Chain INPUT (policy ACCEPT 1289 packets, 127K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:67

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      virbr0  0.0.0.0/0            192.168.122.0/24     ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  virbr0 *       192.168.122.0/24     0.0.0.0/0           
    0     0 ACCEPT     all  --  virbr0 virbr0  0.0.0.0/0            0.0.0.0/0           
    0     0 REJECT     all  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 1018 packets, 103K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     udp  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            udp dpt:68
[root@centos777~]#ip a   # the virbr0 virtual NIC is present
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:f4:9f:15 brd ff:ff:ff:ff:ff:ff
    inet 192.168.34.102/24 brd 192.168.34.255 scope global noprefixroute ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fef4:9f15/64 scope link 
       valid_lft forever preferred_lft forever
4: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 52:54:00:9d:62:0a brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
       valid_lft forever preferred_lft forever
5: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast master virbr0 state DOWN group default qlen 1000
    link/ether 52:54:00:9d:62:0a brd ff:ff:ff:ff:ff:ff

Remove the virtual NIC driver, then reboot the Linux system

[root@centos777~]#yum remove libvirt-daemon -y
[root@centos777~]#reboot

Checking the firewall now shows that the rules are completely cleared.

The iptables command

man 8 iptables
iptables [-t table] {-A|-C|-D} chain rule-specification
iptables [-t table] -I chain [rulenum] rule-specification
iptables [-t table] -R chain rulenum rule-specification
iptables [-t table] -D chain rulenum
iptables [-t table] -S [chain [rulenum]]
iptables [-t table] {-F|-L|-Z} [chain [rulenum]] [options...]
iptables [-t table] -N chain
iptables [-t table] -X [chain]
iptables [-t table] -P chain target
iptables [-t table] -E old-chain-name new-chain-name
rule-specification = [matches...] [target]
match = -m matchname [per-match-options]
target = -j targetname [per-target-options]

Simple examples

INPUT rules in the filter table

Rule format: iptables [-t table] SUBCOMMAND chain [-m matchname [per-match-options]] -j targetname [per-target-options]

-t table:

 raw, mangle, nat, [filter] (default)

SUBCOMMAND:

  1. Chain management:

-N: new, create a new user-defined chain
-X: delete, delete an empty user-defined chain
-P: policy, set the default policy; for chains in the filter table the default policy can be:
ACCEPT: accept
DROP: drop
-E: rename a user-defined chain; a user-defined chain whose reference count is not 0 can be neither renamed nor deleted

Example:

Host A: 192.168.34.101

Host B: 192.168.34.102

(1) Configure the firewall on host A to drop traffic from host B

[root@centos7]#iptables -t filter -A INPUT -s 192.168.34.102 -j DROP

(2) Ping host A from host B: there is no response, so a rule on host A is suspected

[root@centos777~]#ping 192.168.34.101
PING 192.168.34.101 (192.168.34.101) 56(84) bytes of data.

(3) Capture packets on host A to troubleshoot. Only host B's pings to host A are seen, with no replies from A to B. If A had never received B's pings at all, the problem would lie in the network in between; this tells you where the fault is.

[root@centos7network-scripts]#tcpdump -i ens33 -nn host 192.168.34.102    # only B's echo requests to A are seen, nothing from A back to B, so a rule on host A is suspected
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
14:45:54.717118 IP 192.168.34.102 > 192.168.34.101: ICMP echo request, id 7494, seq 197, length 64
14:45:55.717241 IP 192.168.34.102 > 192.168.34.101: ICMP echo request, id 7494, seq 198, length 64
14:45:56.717162 IP 192.168.34.102 > 192.168.34.101: ICMP echo request, id 7494, seq 199, length 64
14:45:57.717258 IP 192.168.34.102 > 192.168.34.101: ICMP echo request, id 7494, seq 200, length 64
14:45:58.717378 IP 192.168.34.102 > 192.168.34.101: ICMP echo request, id 7494, seq 201, length 64

(4) Having identified that a rule on host A prevents replies to host B, flush host A's firewall rules

[root@centos7network-scripts]#iptables -F

(5) Host B can now ping host A

[root@centos777~]#ping 192.168.34.101
PING 192.168.34.101 (192.168.34.101) 56(84) bytes of data.
64 bytes from 192.168.34.101: icmp_seq=721 ttl=64 time=0.721 ms
64 bytes from 192.168.34.101: icmp_seq=722 ttl=64 time=0.429 ms
64 bytes from 192.168.34.101: icmp_seq=723 ttl=64 time=0.477 ms
64 bytes from 192.168.34.101: icmp_seq=724 ttl=64 time=0.630 ms
64 bytes from 192.168.34.101: icmp_seq=725 ttl=64 time=0.424 ms

2. Viewing:

-L: list, list all rules on the specified chain; this option must come last
-n: numeric, show addresses and port numbers in numeric form
-v: verbose, detailed information
-vv: more detailed
-x: exactly, show exact counter values instead of human-readable unit-converted values
--line-numbers: show rule numbers

Common combinations:

-vnL
-vvnxL --line-numbers
-S: selected, show the rules on a chain in iptables-save command format

3. Rule management:

-A: append
-I: insert; specify the rule number to insert at, default is the first position
-D: delete
(1) by rule number
(2) by specifying the rule itself
-R: replace the rule with the given number on the given chain
-F: flush, empty the given chain
-Z: zero, reset the counters

Every iptables rule has two counters

     (1) the number of packets matched

     (2) the total size of all packets matched

chain: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING

Example:

(1) Define three firewall rules

[root@centos7~]#iptables -A INPUT -s 192.168.34.102 -j REJECT
[root@centos7~]#iptables -A INPUT -s 192.168.34.100 -j REJECT
[root@centos7~]#iptables -A INPUT -s 192.168.34.103 -j REJECT

(2) Delete the first rule

[root@centos7~]#iptables -vnL --line-numbers   # show all firewall rules with their numbers
Chain INPUT (policy ACCEPT 76 packets, 5484 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 REJECT     all  --  *      *       192.168.34.102       0.0.0.0/0            reject-with icmp-port-unreachable
2        0     0 REJECT     all  --  *      *       192.168.34.100       0.0.0.0/0            reject-with icmp-port-unreachable
3        0     0 REJECT     all  --  *      *       192.168.34.103       0.0.0.0/0            reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 49 packets, 5340 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
[root@centos7~]#iptables -D INPUT 1   # delete the first rule
[root@centos7~]#iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 5 packets, 356 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 REJECT     all  --  *      *       192.168.34.100       0.0.0.0/0            reject-with icmp-port-unreachable
2        0     0 REJECT     all  --  *      *       192.168.34.103       0.0.0.0/0            reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 4 packets, 416 bytes)
num   pkts bytes target     prot opt in     out     source               destination   

 (3) Insert a firewall rule; by default it is inserted as rule 1

[root@centos7~]#iptables -I INPUT -s 192.168.34.105 -j REJECT
[root@centos7~]#iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 50 packets, 3648 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 REJECT     all  --  *      *       192.168.34.105       0.0.0.0/0            reject-with icmp-port-unreachable   # the rule rejecting 192.168.34.105 is now rule 1
2        0     0 REJECT     all  --  *      *       192.168.34.100       0.0.0.0/0            reject-with icmp-port-unreachable
3        0     0 REJECT     all  --  *      *       192.168.34.103       0.0.0.0/0            reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 34 packets, 3040 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

(4) Append a firewall rule; by default it is added as the last rule

[root@centos7~]#iptables -A INPUT -s 192.168.34.8 -j REJECT
[root@centos7~]#iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 53 packets, 4044 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 REJECT     all  --  *      *       192.168.34.105       0.0.0.0/0            reject-with icmp-port-unreachable
2        0     0 REJECT     all  --  *      *       192.168.34.100       0.0.0.0/0            reject-with icmp-port-unreachable
3        0     0 REJECT     all  --  *      *       192.168.34.103       0.0.0.0/0            reject-with icmp-port-unreachable
4        0     0 REJECT     all  --  *      *       192.168.34.8         0.0.0.0/0            reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 38 packets, 3512 bytes)
num   pkts bytes target     prot opt in     out     source               destination  

  Insert at a specified number; the rule that previously had that number moves down. Put the most frequently hit rules first. This matters: if the 192.168.34.0/24 segment is rejected, remote connection is no longer possible; with this rule added, the Windows remote host can still connect

[root@centos7~]#iptables -I INPUT 1 -s 192.168.34.1 -j ACCEPT

  Replace a rule that was written incorrectly at the given number

[root@centos7~]#iptables -R INPUT 2 -s 192.168.34.8 -j REJECT

 Zero the rule counters

[root@centos7~]#iptables -Z INPUT

Match conditions

Basic: generic, PARAMETERS
Extended: require loading a module, MATCH EXTENSIONS

1. Basic match conditions: no module needs to be loaded; provided by iptables/netfilter itself

[!] -s, --source address[/mask][,...]: source IP address or range
[!] -d, --destination address[/mask][,...]: destination IP address or range
[!] -p, --protocol protocol: specify the protocol; a number may be used, e.g. 0 (all)
protocol: tcp, udp, icmp, icmpv6, udplite, esp, ah, sctp, mh or "all"

See: /etc/protocols

[!] -i, --in-interface name: interface the packet arrives on; applies only to the inbound stage, i.e. the INPUT, FORWARD and PREROUTING chains
[!] -o, --out-interface name: interface the packet leaves through; applies only to the outbound stage, i.e. the FORWARD, OUTPUT and POSTROUTING chains

示例:

(1) Two rules can be inserted at once

[root@centos7~]#iptables -I INPUT 3 -s 192.168.34.8,192.168.34.45 -j REJECT   # inserted at one number, but two rules are shown
[root@centos7~]#iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 59 packets, 4232 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 REJECT     all  --  *      *       192.168.34.105       0.0.0.0/0            reject-with icmp-port-unreachable
2        0     0 REJECT     all  --  *      *       192.168.34.100       0.0.0.0/0            reject-with icmp-port-unreachable
3        0     0 REJECT     all  --  *      *       192.168.34.45        0.0.0.0/0            reject-with icmp-port-unreachable   # shown as rules 3 and 4
4        0     0 REJECT     all  --  *      *       192.168.34.8         0.0.0.0/0            reject-with icmp-port-unreachable
5        0     0 REJECT     all  --  *      *       192.168.34.103       0.0.0.0/0            reject-with icmp-port-unreachable
6        0     0 REJECT     all  --  *      *       192.168.34.8         0.0.0.0/0            reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 39 packets, 3748 bytes)
num pkts bytes target prot opt in out source destination

 (2) Reject all access; allow only the IP addresses listed in the rules

[root@centos7~]#iptables -A INPUT -s 192.168.34.1 -j ACCEPT   # add the local Windows host's IP, otherwise remote connection is impossible
[root@centos7~]#iptables -A INPUT -s 192.168.34.102 -j ACCEPT
[root@centos7~]#iptables -A INPUT -s 192.168.34.101 -j ACCEPT
[root@centos777~]#iptables -A INPUT -j REJECT           # reject all other IP addresses; only the addresses in the rules above can access
[root@centos777~]#iptables -I INPUT 5 -s 192.168.34.102,127.0.0.1 -j ACCEPT   # allow 192.168.34.102 and the loopback address
[root@centos777~]#iptables -A INPUT -i lo -j ACCEPT    # add the loopback interface so the host can still connect to itself

   View the rules

[root@centos7~]#iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1      277 20776 ACCEPT     all  --  *      *       192.168.34.1         0.0.0.0/0           
2        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
3        1    67 ACCEPT     all  --  *      *       192.168.34.102       0.0.0.0/0           
4        1    67 ACCEPT     all  --  *      *       192.168.34.101       0.0.0.0/0           
5        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
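The two notes above (insert the management host's ACCEPT at rule 1 before a network-wide REJECT, and add a loopback ACCEPT so the host can reach itself) are ordering mistakes that are easy to make by hand. The following script is an added example, not code from the original post: it parses an `iptables -vnL --line-numbers` listing in the format shown above and reports whether the admin ACCEPT and loopback ACCEPT precede the first catch-all REJECT/DROP. The function names, the sample listings and the admin IP 192.168.34.1 are constructed for this example from the page's values.

```python
# Added example (not from the original post): parse an `iptables -vnL --line-numbers`
# listing and flag rule orderings that lock the administrator out.

# Constructed sample modelled on the INPUT listing above; rule 5 is the catch-all.
GOOD_INPUT_CHAIN = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      277 20776 ACCEPT     all  --  *      *       192.168.34.1         0.0.0.0/0
2        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
3        1    67 ACCEPT     all  --  *      *       192.168.34.102       0.0.0.0/0
4        1    67 ACCEPT     all  --  *      *       192.168.34.101       0.0.0.0/0
5        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
"""

# Constructed counter-example: the catch-all REJECT was added first, so the ACCEPTs behind it never match.
BAD_INPUT_CHAIN = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
2 0 0 ACCEPT all -- * * 192.168.34.1 0.0.0.0/0
3 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
"""

def parse_chain(listing):
    """Parse the numbered rule rows of one chain into dicts. Splitting on
    whitespace makes the parser indifferent to column alignment."""
    rules = []
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) < 10 or not parts[0].isdigit():
            continue  # "Chain ..." line, column header or blank line
        num, pkts, nbytes, target, prot, _opt, ifin, ifout, src, dst = parts[:10]
        rules.append({"num": int(num), "pkts": int(pkts), "bytes": int(nbytes),
                      "target": target, "prot": prot, "in": ifin, "out": ifout,
                      "src": src, "dst": dst, "extra": " ".join(parts[10:])})
    return rules

def is_catch_all(rule):
    """A REJECT/DROP with no protocol, interface or address restriction."""
    return (rule["target"] in ("REJECT", "DROP") and rule["prot"] == "all"
            and rule["in"] == "*" and rule["src"] == "0.0.0.0/0"
            and rule["dst"] == "0.0.0.0/0")

def lockout_risks(rules, admin_ip):
    """Report an admin ACCEPT or loopback ACCEPT that is missing or placed after
    the first catch-all deny, plus every rule shadowed by that deny."""
    cutoff = next((r["num"] for r in rules if is_catch_all(r)), None)
    if cutoff is None:
        return []  # no catch-all deny, so nothing can be shadowed

    def accepted_before(pred):
        return any(r["num"] < cutoff and r["target"] == "ACCEPT" and pred(r) for r in rules)

    problems = []
    if not accepted_before(lambda r: r["src"] == admin_ip):
        problems.append(f"no ACCEPT for {admin_ip} before rule {cutoff}: remote admin locked out")
    if not accepted_before(lambda r: r["in"] == "lo" or r["src"] == "127.0.0.1"):
        problems.append(f"no loopback ACCEPT before rule {cutoff}: 127.0.0.1 traffic rejected")
    shadowed = [r["num"] for r in rules if r["num"] > cutoff]
    if shadowed:
        problems.append(f"rules {shadowed} sit after catch-all rule {cutoff} and never match")
    return problems
```

Run it against the real output of `iptables -vnL --line-numbers` before appending a catch-all REJECT; an empty result means the admin host and loopback are accepted ahead of the deny.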

(3) Flush the OUTPUT chain

[root@centos777~]#iptables -F OUTPUT


Origin www.cnblogs.com/struggle-1216/p/11987538.html