
Firewall introduction

2022-06-26 13:22:00 C chord~

Catalog

Introduction
I. The iptables firewall
  1. netfilter
  2. iptables
II. Four tables and five chains
  2.1 Four tables
  2.2 Five chains
  2.3 Matching order of the rule tables
  2.4 Matching order between rule chains
III. Configuring the iptables firewall
  1. Format
  2. Common control types
  3. Common management options
    3.1 Adding new rules
    3.2 Viewing the rule tables
    3.3 Deleting and clearing rules
    3.4 Setting the default policy
  4. Matching conditions
    General matches
    Implicit matches
    Explicit matches
IV. SNAT principle and application
  Implementation
V. DNAT principle and application
  Implementation
VI. Backup and restore of firewall rules
  1. Exporting (backing up) the rules of all tables
  2. Importing (restoring) the rules
Summary


Introduction:

To prevent malicious intrusion, attacks and damage in our work, we use firewalls as a layer of protection. Their presence does a great deal to keep our equipment secure, so studying the firewall is well worth the effort.

I. The iptables firewall

Overview:

  • The Linux firewall is an IP packet filtering system. It actually consists of two components, netfilter and iptables.
  • It works mainly at the network layer and acts on IP packets, which shows in how it processes IP addresses, ports and similar header information.

1. netfilter

  • The packet filtering subsystem located inside the Linux kernel
  • Called the kernel-space part of the Linux firewall

2. iptables

  • The tool located at /sbin/iptables for managing firewall rules
  • Called the user-space part of the Linux firewall

Note: both names, netfilter and iptables, can refer to the Linux firewall; from here on it is simply called iptables.

II. Four tables and five chains

  • Role of a rule table: to hold the various rule chains
  • Role of a rule chain: to hold the individual firewall rules

In short: tables contain chains, and chains contain rules.

2.1 Four tables

  • raw table: decides whether a packet's connection state is tracked. Contains two rule chains: OUTPUT, PREROUTING.

  • mangle table: modifies packet contents; used for traffic shaping and for setting marks on packets. Contains five rule chains: INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING.

  • nat table: responsible for network address translation; used to modify the source or destination IP address or port of a packet. Contains three rule chains: OUTPUT, PREROUTING, POSTROUTING.

  • filter table: responsible for filtering packets, i.e. deciding whether a packet is let through. Contains three rule chains: INPUT, FORWARD, OUTPUT.

Note: of the four iptables rule tables, the mangle and raw tables are used relatively rarely.

2.2 Five chains

  • INPUT: handles inbound packets, matching packets whose destination IP is the local host.
  • OUTPUT: handles outbound packets; rules are generally not configured on this chain.
  • FORWARD: handles forwarded packets, matching packets that pass through the host.
  • PREROUTING chain: processes packets before routing; used to modify the destination address, i.e. for DNAT. This corresponds to mapping port 80 of an intranet host to a port on the router's external interface.
  • POSTROUTING chain: processes packets after routing; used to modify the source address, i.e. for SNAT. This corresponds to the NAT function of a home router, which lets intranet hosts reach the Internet through a single public IP address.

2.3 Matching order of the rule tables

2.4 Matching order between rule chains

  Host firewall

  • Inbound data (packets arriving from outside whose destination address is the firewall host itself): PREROUTING --> INPUT --> local application
  • Outbound data (packets sent by the firewall host itself to external addresses): local application --> OUTPUT --> POSTROUTING

  Network firewall

  • Forwarded data (packets that need to be forwarded through the firewall): PREROUTING --> FORWARD --> POSTROUTING

Matching order within a rule chain

  • Rules are checked from top to bottom; once a matching rule is found, checking stops (the LOG target is the exception: it only records the relevant log entry and continues)
  • If no rule in the chain matches, the chain's default policy is applied (unless it has been changed, the default policy is ACCEPT)

III. Configuring the iptables firewall

1. Format

  • iptables [-t table] management-option [chain] [matching conditions] [-j control-type]
  • When no table is specified, the filter table is assumed
  • When no chain is specified, the option applies to all chains in the table by default
  • Unless you are setting a chain's default policy, you must specify a matching condition
  • Management options, chain names and control types are written in uppercase; everything else is lowercase

2. Common control types

Control type    Effect
ACCEPT          Allow the packet to pass.
DROP            Discard the packet silently, without sending any response.
REJECT          Refuse the packet and send a response message back to the sender.
SNAT            Modify the source address of the packet.
DNAT            Modify the destination address of the packet.
MASQUERADE      Masquerade behind a public IP address that is not fixed (e.g. dynamically assigned).
LOG             Record the packet in /var/log/messages, then pass it on to the next rule. LOG is only an auxiliary action; it does not actually decide the packet's fate.

3. Common management options

Option          Description
-A              Append (--append) a new rule at the end of the specified chain
-I              Insert (--insert) a new rule at the beginning of the specified chain; if no position number is given, it becomes rule 1
-R              Modify or replace (--replace) a rule in the specified chain; the rule can be identified by number or by content
-P              Set the default policy (--policy) of the specified chain
-D              Delete (--delete) a rule in the specified chain; the rule can be identified by number or by content
-F              Flush (--flush) all rules in the specified chain; if no chain is given, all chains in the table are flushed
-L              List (--list) all rules in the specified chain; if no chain is given, all chains in the table are listed
-n              Show output in numeric form (--numeric), e.g. IP addresses instead of hostnames
-v              Show verbose details, including the packet and byte counters of each rule
--line-numbers  Show each rule's sequence number when listing rules

3.1 Adding new rules

  • With the management option -I you may also give the sequence number the new rule should get; if none is given, it becomes the first rule
  • To add firewall rules, use the management options -A and -I: the former appends a rule, the latter inserts one

3.2 Viewing the rule tables

  • To view existing firewall rules, use the management option -L; combined with --line-numbers it also shows each rule's sequence number within the chain
    Basic format:
    iptables [-t table] -n -L [chain] [--line-numbers]
    # or
    iptables -[vn]L

  • When there are many firewall rules, showing addresses and ports in numeric form skips the name resolution step and speeds up the command somewhat

3.3 Deleting and clearing rules

  • To delete a firewall rule, use the management option -D
  • To clear all firewall rules in a chain or table, use the management option -F

Notes: if the rule list contains several identical rules, deleting by content removes only the one with the lowest sequence number.

        When deleting by number, make sure the number is not larger than the number of existing rules, otherwise the command reports an error.

        When deleting by content, make sure the rule exists, otherwise the command reports an error.

  • With the management option -F the chain name may be omitted; all rules in all chains of the table are then cleared
  • To change the default policy, you must reset it with the management option -P

3.4 Setting the default policy

  • In an iptables chain, the default policy is the last step of rule matching: when no rule matches a packet, the default policy is applied
  • The control type of a default policy is one of two: ACCEPT (allow) or DROP (discard)
# Basic format (the policy option is uppercase -P; lowercase -p is the protocol match)
iptables [-t table] -P <chain> <control type>

4. Matching conditions

Matching condition    Description
-p                    Specify the protocol type of the packet to match
-s                    Specify the source IP address of the packet to match
-d                    Specify the destination IP address of the packet to match
-i                    Specify the network interface through which the packet enters the local host
-o                    Specify the network interface through which the packet leaves the local host
--sport               Specify the source port number
--dport               Specify the destination port number

  • When writing firewall rules, the choice of matching conditions is decisive

  • Only when the matching conditions are set clearly and precisely does the firewall know which packets to act on, avoiding "collateral" blocking of legitimate traffic

  • A single firewall rule may carry several matching conditions; all of them must hold before the rule takes effect

Matching conditions fall into the following three categories:

1. General matches

2. Implicit matches

3. Explicit matches

  General matches

  • General matching is also called generic matching; this kind of match can be used on its own and does not depend on other conditions or extension modules
  • Common general matches include protocol matching, address matching and network interface matching
 Protocol match: -p protocol-name
 Address match: -s source-address, -d destination-address
# Can be an IP address, a network segment, a domain name, or empty (any address)
 Interface match: -i inbound NIC, -o outbound NIC

Implicit matches

  • This kind of match requires a specific protocol match as its prerequisite; it is a sub-condition and so cannot be used alone. The kernel module it needs is loaded automatically (implicitly) by iptables when required
  • It takes a specific protocol match as its premise and covers ports, TCP flags, ICMP types and so on
  • Port match: --sport source-port, --dport destination-port   # a single port or a port range
--sport 1000        match packets whose source port is 1000
--sport 1000:3000   match packets whose source port is 1000-3000
--sport :3000       match packets whose source port is 3000 or below
--sport 1000:       match packets whose source port is 1000 or above

 Note: --sport and --dport must be used together with -p <protocol type>

Explicit matches

  • Must be given explicitly in the form "-m extension-module"; covers multiple ports, MAC addresses, IP ranges, packet state and other conditions

  • Multi-port match: used in iptables rules as:

"-m multiport --dports port-list"
"-m multiport --sports port-list"
  • The two forms above check the packet's destination ports and source ports respectively; multiple ports are separated by commas

 IP range match

-m iprange --src-range IP-range

 MAC address match

iptables -A FORWARD -m mac --mac-source xx:xx:xx:xx:xx:xx -j DROP    # xx:xx:xx:xx:xx:xx is the MAC address
# Refuse to forward packets coming from that MAC address

  State match

-m state --state connection-state

Common connection states are:

NEW: not associated with any connection; the connection has not started yet
ESTABLISHED: responding to a request or already connected; the connected state
RELATED: related to an existing connection (such as the data connection of active or passive FTP); a derived state, generally used together with ESTABLISHED
INVALID: cannot be identified as belonging to any connection, or has no state
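The chain walk of section 2.4 (top to bottom, first match wins, LOG falls through, default policy last) and the match conditions of section 4, worked as an added Python model that is not part of the original post: it parses rules written in the page's own "-A CHAIN ... -j TARGET" syntax into match conditions and evaluates packets against a constructed INPUT chain. The packet dictionary fields (proto, src, sport, dport, state), the sample rules and the handful of supported options are this example's own assumptions.

```python
import ipaddress
import shlex

# Constructed sample INPUT chain in iptables -A syntax (not from the original post).
SAMPLE_RULES = """-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j LOG
-A INPUT -p tcp --dport 22 -s 192.168.80.0/24 -j ACCEPT
-A INPUT -p tcp --dport 22 -j DROP"""

def parse_rule(line):
    # '-A CHAIN <matches> -j TARGET' -> {'chain', 'target', 'match': {option: value}}
    toks = shlex.split(line)
    rule = {"chain": None, "target": None, "match": {}}
    for opt, val in zip(toks[::2], toks[1::2]):
        if opt == "-A":
            rule["chain"] = val
        elif opt == "-j":
            rule["target"] = val
        elif opt != "-m":  # '-m <module>' only loads the extension; its options follow
            rule["match"][opt] = val
    return rule

def port_ok(spec, port):
    # Port spec forms from this page: N, N:M, :M (M and below), N: (N and above)
    lo, sep, hi = spec.partition(":")
    if not sep:
        return port == int(lo)
    return port is not None and (not lo or port >= int(lo)) and (not hi or port <= int(hi))

# One predicate per supported option; every option present in a rule must hold (AND).
CHECKS = {
    "-p": lambda v, p: v == p.get("proto"),
    "-s": lambda v, p: ipaddress.ip_address(p["src"]) in ipaddress.ip_network(v, strict=False),
    "--sport": lambda v, p: port_ok(v, p.get("sport")),
    "--dport": lambda v, p: port_ok(v, p.get("dport")),
    "--state": lambda v, p: p.get("state") in v.split(","),
}

def evaluate(rules, pkt, policy="ACCEPT"):
    # Top-down, first match wins; LOG only records and falls through; if nothing
    # matches, the chain's default policy (set with -P) decides.
    logged = False
    for rule in rules:
        if all(CHECKS[o](v, pkt) for o, v in rule["match"].items()):
            if rule["target"] == "LOG":
                logged = True
                continue
            return rule["target"], logged
    return policy, logged

RULES = [parse_rule(line) for line in SAMPLE_RULES.splitlines()]
```

Swapping the order of the two ssh rules (what -I instead of -A would do) changes the verdict for the LAN host, which is why rule order matters as much as the conditions themselves.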

 

IV. SNAT principle and application

Application scenario: LAN hosts share a single public IP address to access the Internet

Principle: modify the source address of the packet.

Prerequisites for SNAT translation:

  • The LAN hosts have their IP address and subnet mask set correctly
  • IP routing and forwarding is enabled on the Linux gateway
  • Every LAN host has its default gateway address set correctly

Implementation:

iptables -t nat -A POSTROUTING -s 192.168.80.0/24 -o ens33 -j SNAT --to-source 12.0.0.1-12.0.0.10
#                                 intranet network   outbound NIC                public IP or address pool


V. DNAT principle and application

Application scenario: publishing a server located on the LAN to the Internet

Principle: modify the destination address of the packet

Prerequisites for translation:

  • The LAN server can access the Internet
  • The gateway's public address has a correct DNS resolution record
  • IP routing and forwarding is enabled on the Linux gateway

Implementation

iptables -t nat -A PREROUTING -i ens33 -d 12.0.0.1 -p tcp --dport 80 -j DNAT --to-destination 192.168.80.11
#                              inbound NIC  public IP                                           intranet server IP
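The SNAT and DNAT rules above, modelled as an added Python example (not from the original post) so that both directions of the translation are visible: on POSTROUTING the gateway rewrites a LAN host's source address to an address from the 12.0.0.1-12.0.0.10 pool, on PREROUTING it rewrites the published 12.0.0.1:80 to the intranet server 192.168.80.11, and a small connection-tracking table reverses each translation for the reply packets. The packet dictionary fields, the pool selection by address and the port numbering are this example's own assumptions, not the kernel's algorithm.

```python
import ipaddress

# Constructed topology taken from this page's two rules: LAN 192.168.80.0/24 behind a
# Linux gateway whose public interface ens33 owns the address pool 12.0.0.1-12.0.0.10
# and publishes the intranet web server 192.168.80.11 on 12.0.0.1:80.
LAN = ipaddress.ip_network("192.168.80.0/24")
POOL = [str(ipaddress.ip_address("12.0.0.1") + i) for i in range(10)]  # --to-source range
PUBLISHED = ("12.0.0.1", 80)          # -d 12.0.0.1 -p tcp --dport 80
WEB_SERVER = "192.168.80.11"          # --to-destination

class NatGateway:
    """Minimal model of the nat table's PREROUTING/POSTROUTING hooks plus the
    connection tracking that reverses each translation for reply packets."""

    def __init__(self):
        self.snat = {}       # (lan_ip, lan_port) -> (public_ip, public_port)
        self.snat_rev = {}   # (public_ip, public_port) -> (lan_ip, lan_port)
        self.dnat_rev = {}   # (client_ip, client_port) -> published (ip, port)
        self.next_port = 1024

    def prerouting(self, pkt):
        # Before routing: reverse SNAT for replies, DNAT for new connections to 12.0.0.1:80
        p = dict(pkt)
        key = (p["dst"], p["dport"])
        if key in self.snat_rev:
            p["dst"], p["dport"] = self.snat_rev[key]
        elif p["in"] == "ens33" and p["proto"] == "tcp" and key == PUBLISHED:
            self.dnat_rev[(p["src"], p["sport"])] = key
            p["dst"] = WEB_SERVER
        return p

    def postrouting(self, pkt):
        # After routing: reverse DNAT for the server's replies (must win over SNAT),
        # SNAT for LAN hosts leaving through ens33 (one pool address+port per flow).
        p = dict(pkt)
        reply_key = (p["dst"], p["dport"])
        if p["src"] == WEB_SERVER and reply_key in self.dnat_rev:
            p["src"], p["sport"] = self.dnat_rev[reply_key]
        elif p["out"] == "ens33" and ipaddress.ip_address(p["src"]) in LAN:
            flow = (p["src"], p["sport"])
            if flow not in self.snat:  # allocate once, like conntrack; pool pick is our own rule
                pub = POOL[int(ipaddress.ip_address(p["src"])) % len(POOL)]
                self.snat[flow] = (pub, self.next_port)
                self.snat_rev[(pub, self.next_port)] = flow
                self.next_port += 1
            p["src"], p["sport"] = self.snat[flow]
        return p
```

The order of the two checks in postrouting matters: without the reverse-DNAT branch first, the web server's replies would be SNATed to a pool address and the client would never see them come back from 12.0.0.1:80.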
 

VI. Backup and restore of firewall rules

1. Exporting (backing up) the rules of all tables

iptables-save > /opt/ipt.txt

2. Importing (restoring) the rules

iptables-restore < /opt/ipt.txt

 Save the iptables rule file to /etc/sysconfig/iptables; the rules are then restored automatically when the iptables service starts
iptables-save > /etc/sysconfig/iptables
systemctl stop iptables			# stopping the iptables service clears the rules of all tables
systemctl start iptables		# starting the iptables service automatically restores the rules in /etc/sysconfig/iptables

Summary:

Both names, netfilter and iptables, can refer to the Linux firewall; it is simply called iptables from here on. The firewall works mainly at the network layer and acts on IP packets, which shows in how it processes IP addresses, ports and similar header information.

Original site

Copyright notice
This article was written by [C chord~]; when reposting, please include the original link. Thank you.
https://yzsam.com/2022/177/202206261227385895.html