Firewall: an isolation tool
It works at the edge of a host or network, checks the packets entering or leaving that host or network against predefined rules, and applies the handling action a rule specifies to every packet that rule matches.
Host Firewall
Internet Firewall
IDS: Intrusion Detection System
HIDS: Host Intrusion Detection System
NIDS: Network Intrusion Detection System
IDS + firewall working together is referred to as an intrusion prevention system (IPS)
One, iptables / netfilter: packet filtering firewall
framework: netfilter --- implements the firewall framework (the framework lives in the kernel itself)
hooks: hook functions
iptables: the rule-writing tool, a user-space program
Note: the firewall is not a service and starts no process; for uniform management CentOS 6 nevertheless calls it the "iptables service". Starting that service does nothing more than load the rule file once; it runs no process because none is needed, since the work is done in the kernel.
1.1 Functions:
filter: filtering, the firewall proper
nat: network address translation
mangle: take the packet apart, modify it, then re-encapsulate it
raw: turns off the connection tracking mechanism that the nat table enables
Connection tracking mechanism: identifies whether a packet belongs to a connection that has been seen before (it can recognise that this packet has come by before)
1.2, Chains (built-in): the five chains
PREROUTING: before routing
INPUT
FORWARD: the role played as a network firewall
OUTPUT
POSTROUTING: after routing
1.3, Directions:
Inbound: PREROUTING ------> INPUT
Outbound: OUTPUT -----> POSTROUTING
Forwarding: PREROUTING ------> FORWARD -----> POSTROUTING
1.4, Chains on which each function (table) is implemented (the four tables):
filter: INPUT, FORWARD, OUTPUT
nat: PREROUTING (DNAT, destination address), OUTPUT, POSTROUTING (SNAT, source address)
mangle: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING
raw: PREROUTING, OUTPUT
1.5, When the routing decisions happen:
After a packet enters the machine: decide whether the local host is its destination
Before a packet is sent: decide which interface to send it out through
1.6, iptables: four tables, five chains
Points to consider when adding a rule:
a, the function to implement: decides which table the rule is added to;
b, the path the packet flows through: decides which chain the rule is added to
Chain: the order of the rules on a chain is the order in which they are checked; this implies a few guidelines:
(1) rules of the same kind (matching the same application): put the one with the smaller matching range above
Example: allow 22, but refuse 192.168.1.3:22
(2) rules of different kinds (matching different applications): put the one that matches packets more often above
(3) several rules that can be expressed as one rule should be merged into one
(4) set the default policy
1.7, Rule priority:
The order in which the rules of the different tables take effect on a packet --- the priority:
Priority by function: raw ---> mangle ---> nat ---> filter
1.9 Rules:
Components: the packet matching condition, and the processing action taken after a match
Matching conditions: the packet characteristics specified for a protocol
Basic matching conditions
Extended matching conditions
Actions:
Built-in handling mechanisms
Custom handling mechanisms
Note: a custom chain does not take effect on its own; packets reach it only when a rule on a built-in chain references it
Two, iptables: the rule management tool
Add, modify, delete, display:
All rules written with iptables are sent to the kernel
Rules and chains have counters: they show how many packets have been matched in total from the time the rule was enabled until now; each rule and each chain has two counters of its own by default:
pkts: the number of packets matched by the rule or chain;
bytes: the sum of the sizes of all packets matched by the rule or chain
2.1, The iptables command:
iptables [-t table] SUBCOMMAND CHAIN CRITERIA (matching criteria) -j TARGET (action on match)
SYNOPSIS
iptables [-t table] {-A|-C|-D} chain rule-specification
iptables [-t table] -I chain [rulenum] rule-specification
iptables [-t table] -R chain rulenum rule-specification
iptables [-t table] -D chain rulenum (not combined with -j)
iptables [-t table] -S [chain [rulenum]]
iptables [-t table] {-F|-L|-Z} [chain [rulenum]] [options...]
iptables [-t table] -N chain
iptables [-t table] -X [chain]
iptables [-t table] -P chain target
iptables [-t table] -E old-chain-name new-chain-name
-t table: the table to operate on (listed in order of how often they are used)
table = filter, nat, mangle, raw; filter when omitted
2.2, SUBCOMMANDs fall into two groups
a, chain management
-F: flush, empty a rule chain; omitting the chain empties all chains of the given table
-N: new, create a new custom rule chain
-X: drop, delete an empty user-defined rule chain
-Z: zero, reset the rule counters to zero
-P: policy, set the default policy of the given chain; for chains in the filter table the default policy is usually ACCEPT, DROP (silently discard) or REJECT
-E: rename, rename a custom chain (a custom chain whose reference count is not 0 can be neither renamed nor deleted)
b, rule management on a chain
-A: append, append the new rule at the end of the given chain
-I: insert, insert the new rule at the given position in the given chain
-D: delete, delete the given rule on the given chain; two ways to name it: give the matching conditions, or give the rule number
-R: replace, replace the given rule on the given chain
c, viewing:
-L: list, list all rules on the given chain (resolves addresses to names)
-n: numeric, show addresses and port numbers in numeric form
-v: verbose, show detailed information
--line-numbers: show rule numbers
-x: exact, show the exact values of the counters
Built-in chains show "policy ACCEPT"
Custom chains show "references"
A chain that is referenced cannot be deleted; a chain that is not referenced has rules that never take effect
e.g.
Change the default policy of a built-in chain
iptables -t filter -P FORWARD DROP
Add a custom chain
iptables -t filter -N INPUT_HH
Rename a custom chain
iptables -t filter -E INPUT_HH INPUT_HR
View:
iptables -nvL --line-numbers
Delete rule number 9 on FORWARD:
iptables -D FORWARD 9
2.4, Matching conditions:
2.4.1, Basic matches:
[!] -s, --src IP|Netaddr: check whether the source IP address of the packet falls within the given address range
[!] -d, --dst IP|Netaddr: check whether the destination IP address of the packet falls within the given address range
-p, --protocol {tcp|udp|icmp}: check the (transport-layer) protocol of the packet, i.e. the protocol identified by the protocol field of the IP header
-i, --in-interface IFACE: the interface the packet arrived on --- usable only on the PREROUTING, INPUT and FORWARD chains
-o, --out-interface IFACE: the interface the packet leaves through --- usable only on the FORWARD, OUTPUT and POSTROUTING chains
2.4.2, Extended matches: -m match_name --spec_options
(1) Implicit extensions: extensions of the protocol named by -p protocol; the -m option may be omitted
-p tcp --dport PORT: destination port, a single port or a contiguous range of ports; --sport PORT: source port
--tcp-flags LIST1 LIST2: check all of the flags named in LIST1; among them, every flag named in LIST2 must be 1 and the remaining ones must be 0; flags not named in LIST1 are not checked
SYN, ACK, FIN, RST, PSH, URG
--syn: equivalent to checking whether this is the first request of a new TCP connection
e.g. --tcp-flags SYN,ACK,FIN,RST SYN  # check SYN,ACK,FIN,RST, requiring SYN=1 and ACK,FIN,RST=0 == a connection request
-p udp --dport, --sport
-p icmp --icmp-type
The type may be given as a number
0: echo-reply
8: echo-request
e.g.
iptables -I INPUT -d 192.168.1.101 -p tcp --dport 22 -j ACCEPT
iptables -I OUTPUT -s 192.168.1.101 -p tcp --sport 22 -j ACCEPT
iptables -A OUTPUT -s 192.168.1.101 -p icmp --icmp-type 8 -j ACCEPT
iptables -A INPUT -d 192.168.1.101 -p icmp --icmp-type 0 -j ACCEPT
(2) Explicit extensions: the extension to use must be named with the -m option
The extension module must be named explicitly (rpm -ql iptables | grep "\.so$"); note: upper-case names are TARGETs, lower-case names are match extension modules
CentOS 6: man iptables
CentOS 7: man iptables-extensions
a. multiport extension
Defines several ports to match in discrete form: at most 15 ports
[!] --source-ports, --sports port[,port|,port:port]...: several source ports
[!] --destination-ports, --dports port[,port|,port:port]...: several discrete destination ports
[!] --ports port[,port|,port:port]... (rarely used)
e.g.
iptables -I INPUT -s 192.168.0.0/16 -d 192.168.1.101 -p tcp -m multiport --dports 22,80 -j ACCEPT
iptables -I OUTPUT -d 192.168.0.0/16 -s 192.168.1.101 -p tcp -m multiport --sports 22,80 -j ACCEPT
b. iprange extension
Matches a contiguous range of IP addresses (one that generally cannot be expressed as a whole network)
[!] --src-range from[-to]: a contiguous range of source IP addresses
[!] --dst-range from[-to]: a contiguous range of destination IP addresses
e.g.
iptables -I INPUT -d 192.168.1.101 -p tcp -m multiport --dports 22:35,80 -m iprange --src-range 192.168.1.20-192.168.1.200 -j ACCEPT
iptables -I OUTPUT -s 192.168.1.101 -p tcp -m multiport --sports 22:35,80 -m iprange --dst-range 192.168.1.20-192.168.1.200 -j ACCEPT
c, string extension: checks for a string appearing in the packet
--algo {bm|kmp}: the string matching algorithm; note: --algo is mandatory in the string extension
[!] --string pattern: match from beginning to end
[!] --hex-string pattern: the string in hexadecimal encoding
e.g.
iptables -I OUTPUT -m string --algo bm --string 'movie' -j REJECT
d, time extension: matches the arrival time of the packet against a given time range; note: the time is UTC, which differs from CST by the time-zone offset
--datestart
--datestop
--timestart
--timestop
e.g.
iptables -I INPUT -d 192.168.1.101 -p tcp --dport 80 -m time --timestart 14:00 --timestop 16:00 -j REJECT
e, connlimit extension: matches on the number of concurrent connections per client IP (or per address block)
--connlimit-above n: the number of connections is greater than n (to be rejected)
--connlimit-upto n: the number of connections is less than or equal to n
e.g.
iptables -I INPUT -p tcp --dport 22 -m connlimit --connlimit-above 3 -j REJECT
f, limit extension: checks based on the rate at which packets are sent or received
Token bucket filter (the Ferris wheel analogy)
--limit rate[/second|/minute|/hour|/day]
--limit-burst n: the maximum number of packets accepted when idle (the bucket capacity)
e.g.
iptables -A INPUT -d 192.168.1.101 -p icmp --icmp-type 8 -m limit --limit-burst 5 --limit 30/minute -j ACCEPT
iptables -A OUTPUT -s 192.168.1.101 -p icmp --icmp-type 0 -j ACCEPT
g, state extension: checks the state of the connection according to the connection tracking mechanism (important)
Whether the protocol is tcp, udp or icmp, this connection tracking has nothing to do with TCP's own state (its finite state machine); it is a mechanism iptables itself adds to track connections and record whether a connection has been seen or visited before (analogy: a shopkeeper or clerk noting whether this person has been in the shop before)
Option: --state STATE1,STATE2,...
Trackable connection states:
NEW: a newly issued request: the connection tracking table has no entry for this connection, so it is recognised as the first request;
ESTABLISHED: the state of the communication after NEW and before the entry created for it in the connection tracking table expires;
RELATED: a related connection --- e.g. the relationship in the FTP protocol between the command connection (request and response packets) and the data connection (request and response packets); every data connection should be set up by the command connection
INVALID: an unrecognisable connection
Note: the kernel has to load dedicated kernel modules for this; they are loaded automatically
Adjust the maximum number of connections the connection tracking table can hold:
/proc/sys/net/nf_conntrack_max, default 65536
All connections tracked and recorded so far:
/proc/net/nf_conntrack
Change the tracking timeout for the different protocols or connection types (the TCP session timeout counter is 2 hours):
/proc/sys/net/netfilter/
Note: only the very first request issued is NEW; even the response to that first request is ESTABLISHED, and all later requests and responses are ESTABLISHED
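The notes point at /proc/net/nf_conntrack and nf_conntrack_max but do not show how to read them. The script below is an added example (not from the original notes) that summarises the tracking table per protocol and TCP state, counts per-client entries toward port 22, and reports the fill level against nf_conntrack_max; the line layout it assumes is the one the kernel prints for IPv4 entries, and the sample table is constructed.

```shell
#!/bin/sh
# Added example, not from the original notes: summarise the connection tracking
# table that /proc/net/nf_conntrack exposes. The assumed line layout (fields 3
# and 6 are the protocol and, for TCP only, the tracked state) is:
#   ipv4 2 tcp 6 431999 ESTABLISHED src=A dst=B sport=P dport=Q src=B dst=A ... use=2
# Pass a file path to run against a saved copy instead of the live table.

conntrack_summary() {
    awk '
        { src = ""; dport = ""
          # the first src=/dport= pair is the original direction (the client side)
          for (i = 1; i <= NF; i++) if ($i ~ /^src=/)   { src = substr($i, 5); break }
          for (i = 1; i <= NF; i++) if ($i ~ /^dport=/) { dport = substr($i, 7); break } }
        $3 == "tcp" { tcp[$6]++ }          # per-state TCP count (SYN_SENT = half-open)
        $3 != "tcp" { other[$3]++ }        # udp/icmp entries carry no state word
        dport == "22" { ssh[src]++ }       # per-client entries toward sshd
        END {
            for (s in tcp)   printf "tcp %s %d\n", s, tcp[s]
            for (p in other) printf "%s - %d\n", p, other[p]
            for (h in ssh)   printf "ssh-from %s %d\n", h, ssh[h]
        }' "${1:-/proc/net/nf_conntrack}"
}

# Fill level against the limit the notes mention: prints "entries max percent".
conntrack_usage() {
    count=$(grep -c '' "${1:-/proc/net/nf_conntrack}")
    max=$(cat "${2:-/proc/sys/net/nf_conntrack_max}")
    echo "$count $max $((count * 100 / max))"
}

# Constructed sample table (not a real capture) so the functions can run offline.
sample_table() {
cat <<'EOF'
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.20 dst=192.168.1.101 sport=50001 dport=22 src=192.168.1.101 dst=192.168.1.20 sport=22 dport=50001 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 431990 ESTABLISHED src=192.168.1.20 dst=192.168.1.101 sport=50002 dport=22 src=192.168.1.101 dst=192.168.1.20 sport=22 dport=50002 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 118 SYN_SENT src=192.168.1.30 dst=192.168.1.101 sport=40123 dport=22 [UNREPLIED] src=192.168.1.101 dst=192.168.1.30 sport=22 dport=40123 mark=0 zone=0 use=2
ipv4     2 tcp      6 110 TIME_WAIT src=192.168.1.40 dst=192.168.1.101 sport=33000 dport=80 src=192.168.1.101 dst=192.168.1.40 sport=80 dport=33000 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=192.168.1.101 dst=192.168.1.1 sport=40000 dport=53 src=192.168.1.1 dst=192.168.1.101 sport=53 dport=40000 mark=0 zone=0 use=2
EOF
}

if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp); sample_table > "$tmp"
    conntrack_summary "$tmp"; rm -f "$tmp"
fi
```

Run `sh conntrack-summary.sh demo` for the sample, or call `conntrack_summary` with no argument on a host with conntrack loaded.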
e.g.
iptables -I INPUT -d 192.168.1.101 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -I OUTPUT -s 192.168.1.101 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -d 192.168.1.101 -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -s 192.168.1.101 -p icmp --icmp-type 0 -m state --state ESTABLISHED -j ACCEPT
That is, whatever manages to connect in can have all of its connections go back out safely, but no new connections are opened outward
iptables -I INPUT -m state --state ESTABLISHED -j ACCEPT  # let every already established connection through
iptables -I INPUT 2 -d 192.168.1.101 -p tcp -m multiport --dports 22,80,3306 -m state --state NEW -j ACCEPT  # new requests to 80, 22 and 3306
iptables -I OUTPUT -m state --state ESTABLISHED -j ACCEPT
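The rules above and the ordering guidelines in 1.6 combine into one host ruleset. The script below is an added example (not from the original notes) for a host assumed to be 192.168.1.101: default DROP, the ESTABLISHED,RELATED rule first, the narrow reject and connlimit rules above the broad multiport accept, and the page's rate-limited echo request rule; DRY_RUN=1 prints the commands instead of loading them.

```shell
#!/bin/sh
# Added example, not from the original notes: a stateful filter ruleset for a
# host assumed to be 192.168.1.101, following the ordering guidelines in 1.6
# and using the state, multiport, connlimit and limit extensions from above.
# DRY_RUN=1 prints the commands instead of loading them into the kernel.
HOST_IP="${HOST_IP:-192.168.1.101}"

ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}

apply_host_firewall() {
    # Empty the filter table, then set the default policy (guideline 4):
    # anything no rule accepts is dropped.
    ipt -t filter -F
    ipt -t filter -P INPUT DROP
    ipt -t filter -P OUTPUT DROP
    ipt -t filter -P FORWARD DROP

    # Loopback traffic is never filtered.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT

    # Guideline 2: the rule most packets hit goes first. Everything belonging to
    # a tracked connection passes in both directions; RELATED covers e.g. FTP
    # data connections. Only NEW packets fall through to the service rules.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Guideline 1: the narrower rules (one host refused on 22, and the per-client
    # connlimit cap) sit above the broader rule that admits everyone to 22.
    ipt -A INPUT -s 192.168.1.3 -d "$HOST_IP" -p tcp --dport 22 -m state --state NEW -j REJECT
    ipt -A INPUT -d "$HOST_IP" -p tcp --dport 22 -m connlimit --connlimit-above 3 -j REJECT

    # Guideline 3: one multiport rule instead of three single-port rules.
    ipt -A INPUT -d "$HOST_IP" -p tcp -m multiport --dports 22,80,3306 \
        -m state --state NEW -j ACCEPT

    # Echo requests pass through the token bucket of the limit extension;
    # the echo replies leave via the ESTABLISHED rule on OUTPUT.
    ipt -A INPUT -d "$HOST_IP" -p icmp --icmp-type 8 -m state --state NEW \
        -m limit --limit 30/minute --limit-burst 5 -j ACCEPT
    # As in the notes: the host may answer anything it accepted but opens no new
    # connections of its own; add OUTPUT NEW rules (e.g. DNS) if it needs to.
}

# Load as root: sh host-fw.sh apply      Preview: DRY_RUN=1 sh host-fw.sh apply
if [ "${1:-}" = "apply" ]; then apply_host_firewall; fi
```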
Question: how to provide an FTP service in passive mode?
2.5, Targets:
-j TARGET: jump to the given TARGET
ACCEPT: accept
DROP: discard
REJECT: reject
RETURN: return to the calling chain
REDIRECT: port redirection
LOG: write a log entry
MARK: set a firewall mark
DNAT: destination address translation
SNAT: source address translation
MASQUERADE: address masquerading
.....
Custom chain: matching is done by the rules on the custom chain
Let through every TCP packet addressed to this host (filtering)
iptables -t filter -A INPUT -p tcp -d 192.168.1.101 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp -s 192.168.1.101 -j ACCEPT
Rules for pinging this host
iptables -t filter -A INPUT -p icmp -d 192.168.1.101 -j ACCEPT
iptables -t filter -A OUTPUT -p icmp -s 192.168.1.101 -j ACCEPT
Restrict inbound and outbound traffic to a given network interface
iptables -t filter -A INPUT -d 192.168.1.101 -i eth0 -j ACCEPT
iptables -t filter -A OUTPUT -s 192.168.1.101 -o eth0 -j ACCEPT