iptables firewall (1)

  • 1. Overview of iptables
  • 2. netfilter/iptables relationship
  • 3. Four tables and five chains
    • 1. Four tables
    • 2. Five chains
  • 4. Matching order between rule chains
  • 5. Matching order within the rule chain
  • 6. iptables installation and configuration
  • 7. Common control types
  • 8. Common management options
  • 9. Rule command
    • 1. Add a new rule
    • 2. View the rule list
    • 3. Set default policy
    • 4. Delete rules
    • 5. Clear rules
  • 10. Rule matching
    • 1. Universal match
    • 2. Implicit match
    • 3. Explicit match

1. Overview of iptables

  • The Linux firewall is an IP packet filtering system made up of two components: netfilter and iptables.
  • It works mainly at the network layer, on IP packets: it inspects and acts on the IP addresses, ports and protocols carried in each packet.

2. netfilter/iptables relationship

  • netfilter: the firewall function in "kernel space". It is the part of the kernel that holds the packet filtering tables, which contain the rule sets the kernel uses to decide how each packet is handled.
  • iptables: the firewall management tool in "user space". It is the command-line program used to manage the Linux firewall, and makes it easy to insert, modify and delete rules in the packet filtering tables; it normally lives at /sbin/iptables (or /usr/sbin/iptables).
  • netfilter/iptables is usually just called iptables. It is a kernel-based firewall with four built-in rule tables: raw, mangle, nat and filter. A rule takes effect in the kernel the moment it is entered, with no service restart; it is also lost at reboot unless the ruleset is saved.

3. Four tables and five chains

  • The role of the rule table: to accommodate various rule chains
  • The role of the rule chain: accommodate various firewall rules
  • Summary: There are chains in the table and rules in the chain

1. Four tables

  • raw table: decides whether a packet is subject to connection (state) tracking. Contains two chains: PREROUTING and OUTPUT.

  • mangle table: modifies packet contents (TTL, TOS, marks), used for traffic shaping and for marking packets. Contains all five chains: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING.

  • nat table: network address translation; rewrites the source or destination IP address or port of a packet. Traditionally contains three chains: PREROUTING, OUTPUT and POSTROUTING (kernels since 2.6.34 also give nat an INPUT chain, so iptables -t nat -nL on a current system shows four).

  • filter table: packet filtering; decides whether a packet is allowed through. Contains three chains: INPUT, FORWARD, OUTPUT.

  • Of the four tables, mangle and raw are the least used.

    When a packet reaches the firewall, the tables are consulted in this order of priority (for the chains they share):
    raw > mangle > nat > filter

2. Five chains

  • INPUT: handles inbound packets, i.e. packets whose destination IP is this machine
  • OUTPUT: handles outbound packets generated by this machine; rules are rarely placed here
  • FORWARD: handles packets routed through this machine (destination is some other host)
  • PREROUTING chain: processes packets before the routing decision; used for DNAT, i.e. rewriting the destination address. Typical use: mapping an internal server's IP and port to the router's public IP and port.
  • POSTROUTING chain: processes packets after the routing decision; used for SNAT, i.e. rewriting the source address. Typical use: letting internal hosts reach the Internet through the router's single public IP address.

4. Matching order between rule chains

  • Host-based firewall:
    Inbound data (packets from outside whose destination is the firewall host itself): PREROUTING –> INPUT –> local application
    Outbound data (packets the firewall host sends to an external address): local application –> OUTPUT –> POSTROUTING

  • Network firewall:
    Forwarded data (packets passing through the firewall to another host): PREROUTING –> FORWARD –> POSTROUTING

5. Matching order within the rule chain

Rules in a chain are checked from top to bottom, and checking stops at the first rule that matches (the LOG target is the exception: it only records the packet and then lets checking continue with the next rule).
If no rule in the chain matches, the packet is handled by the chain's default policy (unless changed with -P, the default policy is ACCEPT).

6. iptables installation and configuration

iptables installation
CentOS 7 ships with the firewalld front end enabled by default and without the iptables-services package (the iptables command itself is present, because firewalld uses it underneath). To run iptables as the firewall, stop and disable firewalld first, then install and start iptables-services:
systemctl stop firewalld.service
systemctl disable firewalld.service

yum -y install iptables iptables-services
systemctl start iptables.service
Ways to configure the iptables firewall:
1. The iptables command line.
2. The system-config-firewall tool (CentOS 6; CentOS 7 replaced it with firewall-config for firewalld).


iptables command line configuration:
Command format:
iptables [-t table] management-option [chain] [matching conditions] [-j target]

Notes:
If no table is given, the filter table is assumed.
If no chain is given, options such as -L and -F apply to all chains in the table.
Matching conditions are optional; a rule added with none matches every packet, so such rules need care. -P, -L, -F and delete-by-number take no matching conditions at all.
Targets (control types) and chain names are written in uppercase; everything else in lowercase.

7. Common control types

Common control types (targets):
ACCEPT: let the packet through.
DROP: silently discard the packet; nothing is sent back to the sender.
REJECT: discard the packet and send an error back to the sender (by default an ICMP port-unreachable; --reject-with tcp-reset sends a TCP RST instead).
SNAT: rewrite the source address of the packet (nat table, POSTROUTING chain).
DNAT: rewrite the destination address of the packet (nat table, PREROUTING and OUTPUT chains).
MASQUERADE: SNAT to whatever address the outgoing interface currently has; meant for links whose public IP changes (DHCP, dial-up). nat table, POSTROUTING chain only.
LOG: write the packet header to the kernel log (on CentOS 7 rsyslog puts it in /var/log/messages), then continue with the next rule. LOG is an auxiliary action only; it never decides the fate of the packet.

8. Common management options

-A : append (--append) a new rule at the end of the chain
-I : insert (--insert) a new rule at a given position; with no position it becomes rule 1
-R : replace (--replace) the rule at a given position with a new rule specification
-P : set the default policy (--policy) of a chain
-D : delete (--delete) a rule, either by position or by repeating its full specification
-F : flush (--flush) all rules in a chain; with no chain given, all chains in the table
-L : list (--list) the rules in a chain; with no chain given, all chains in the table
-n : numeric output (--numeric): show IP addresses and port numbers instead of hostnames and service names
-v : verbose output: also show the packet and byte counters and the interfaces of each rule
--line-numbers: number the rules in the listing

9. Rule command

1. Add a new rule

iptables -t filter -A INPUT -p icmp -j REJECT
iptables -I INPUT 2 -p tcp --dport 22 -j ACCEPT

2. View the rule list

iptables [-t table] -n -L [chain] [--line-numbers]
or
iptables -[vn]L #Note: -L must come last; -Ln would be read as listing a chain named "n"
iptables -n -L --line-numbers

3. Set default policy

iptables [-t table name] -P <chain name> <control type>
iptables -P INPUT DROP
iptables -P FORWARD DROP
#In production, both network and host firewalls are normally run with a DROP default policy on INPUT (and FORWARD) plus a whitelist of allowed traffic. Add the whitelist rules first and switch the policy to DROP last, otherwise a remote session is cut off the moment the policy changes

4. Delete rules

iptables -D INPUT 2
iptables -t filter -D INPUT -p icmp -j REJECT
Notes:
1. If the chain contains several identical rules, deleting by content removes only the first (lowest-numbered) one
2. When deleting by number, the number must not exceed the number of rules in the chain, or the command fails
3. When deleting by content, the rule must exist exactly as given, or the command fails

5. Clear rules

iptables [-t table name] -F [chain name]
iptables -F INPUT
iptables -F
Notes:
1. -F only removes the rules in the chain; a default policy set with -P is not touched and must be changed with -P again
2. After -P INPUT DROP, use -F with great care!
#Flushing removes the rules that allow your remote (SSH) session, and with the policy at DROP the host becomes unreachable. If the rules have not been saved, a reboot restores the last saved ruleset; otherwise you need console access
3. With no table and chain name, -F clears every chain in the filter table
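The lockout risk described in the notes above (a DROP policy combined with a flush or a missing whitelist rule) is worth handling mechanically. Below is an added example, not code from the original tutorial: a small set of bash helpers that refuses to load a ruleset which would cut off SSH, loads the rules atomically with iptables-restore so there is never a moment with a DROP policy and an empty chain, and reverts automatically unless the change is confirmed from a fresh login. The paths under /run, the port-22 assumption and the 60-second window are assumptions of this example.

```bash
#!/bin/bash
# Added example, not from the original tutorial: apply a new ruleset over SSH
# without locking yourself out. Assumptions: run as root, iptables-save and
# iptables-restore are installed, SSH listens on port 22, and the new ruleset
# is a file in iptables-save format (the format "service iptables save" writes
# to /etc/sysconfig/iptables). The file names under /run are made up here.
set -u

# lockout_check FILE
# Static check of a ruleset file: if the INPUT policy is DROP, the file must
# also accept ESTABLISHED/RELATED traffic (keeps the current SSH session alive)
# and accept connections to port 22 (lets you log in again). Returns 0 if safe.
lockout_check() {
  f="$1"
  if grep -q '^:INPUT DROP' "$f"; then
    grep -Eq -- '^-A INPUT .*(--ctstate|--state) [A-Z,]*ESTABLISHED' "$f" || return 1
    grep -Eq -- '^-A INPUT .*(--dport 22 |--dports ([0-9]+,)*22[, ]).*-j ACCEPT' "$f" || return 1
  fi
  return 0
}

# apply_with_rollback FILE [SECONDS]
# Loads FILE atomically (every rule and policy in one step, so there is no
# window with a DROP policy and no rules) and schedules a revert to the
# currently running ruleset after SECONDS (default 60). Run confirm_rules from
# a *new* SSH login inside that window to keep the change; if the new login
# fails, the revert fires by itself.
apply_with_rollback() {
  new="$1"; secs="${2:-60}"
  lockout_check "$new" || { echo "refusing: $new would lock out SSH" >&2; return 1; }
  iptables-restore --test "$new" || { echo "syntax error in $new" >&2; return 1; }  # parse only
  backup="$(mktemp /tmp/iptables-backup.XXXXXX)"
  iptables-save > "$backup"
  iptables-restore "$new" || return 1
  ( sleep "$secs" && iptables-restore "$backup" ) &
  echo $! > /run/iptables-rollback.pid
  echo "$backup" > /run/iptables-rollback.backup
  echo "loaded $new; reverting to $backup in ${secs}s unless confirm_rules is run"
}

# confirm_rules
# Cancels the pending revert and persists the running ruleset across reboots.
confirm_rules() {
  kill "$(cat /run/iptables-rollback.pid)" 2>/dev/null
  rm -f /run/iptables-rollback.pid "$(cat /run/iptables-rollback.backup)" /run/iptables-rollback.backup
  service iptables save      # CentOS 7 iptables-services: writes /etc/sysconfig/iptables
}
```

Typical use: `apply_with_rollback /root/new-rules.v4 90`, open a second SSH session, and if it connects run `confirm_rules` there; if it does not, wait for the timer and the old rules come back. lockout_check is deliberately simple text matching (it does not follow jumps to user-defined chains), so treat it as a guard against the common mistake, not as a proof.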

10. Rule matching

1. Universal match

These matches are always available and depend on no protocol or extension module: protocol, IP address and network interface.

Protocol match: -p <protocol>
Address match: -s <source>, -d <destination> #an IP, a network in CIDR form, a hostname (resolved once, when the rule is added), or omitted for any address
Interface match: -i <inbound interface>, -o <outbound interface>

iptables -A FORWARD ! -p icmp -j ACCEPT
iptables -A INPUT -s 192.168.80.11 -j DROP
iptables -I INPUT -i ens33 -s 192.168.80.0/24 -j DROP

2. Implicit match

These matches require a protocol to be selected with -p first: port, TCP flag and ICMP type conditions.

Port match: --sport <source port>, --dport <destination port>
# a single port or a range
--sport 1000 matches source port 1000
--sport 1000:3000 matches source ports 1000 to 3000
--sport :3000 matches source ports 0 to 3000
--sport 1000: matches source ports 1000 to 65535
Note: --sport and --dport only work together with -p tcp or -p udp

iptables -A INPUT -p tcp --dport 20:21 -j ACCEPT
iptables -I FORWARD -d 192.168.80.0/24 -p tcp --dport 24500:24600 -j DROP

TCP flag matching: --tcp-flags <mask> <comp>
# the first list names the flags to examine, the second the flags that must be set among them; every other flag in the mask must be clear
iptables -I INPUT -p tcp --dport 22 --tcp-flags SYN,ACK,FIN,RST,URG,PSH SYN -j REJECT
iptables -I OUTPUT -p tcp --dport 22 --tcp-flags SYN,ACK,FIN,RST,URG,PSH SYN,ACK -j REJECT
iptables -I INPUT -p tcp --dport 22 --tcp-flags SYN,ACK,FIN,RST,URG,PSH ACK -j REJECT
#The first rule rejects inbound packets to port 22 with only SYN set, i.e. the first packet of the three-way handshake (new SSH connection attempts); the second rejects outbound packets to port 22 with exactly SYN and ACK set (the second handshake packet); the third rejects inbound packets to port 22 with only ACK set (the third handshake packet and plain data segments). --syn is shorthand for --tcp-flags SYN,RST,ACK,FIN SYN.

ICMP type matching: --icmp-type <type>
# given as a name or as the numeric ICMP type
"echo-request" (type 8): ping request
"echo-reply" (type 0): ping reply
"destination-unreachable" (type 3): destination unreachable
The full list of ICMP type names is printed by: iptables -p icmp -h

iptables -A INPUT -p icmp --icmp-type 8 -j DROP #Stop other hosts from pinging this machine
iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT #Let echo replies in, so this machine can still ping other hosts

iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT #Let destination-unreachable errors in, so a failed ping from this machine reports "unreachable" instead of just timing out
#The remote host only sends such errors if it REJECTs (rather than DROPs) the traffic, for example with
iptables -A INPUT -p icmp -j REJECT

3. Explicit match

These matches must be requested explicitly with "-m <module>": multiport, MAC address, IP range, connection state and so on.
Multiport match: -m multiport --sports <source port list>
                 -m multiport --dports <destination port list>
# up to 15 comma-separated ports; a range a:b counts as two. --sport/--dport are accepted as aliases of --sports/--dports

iptables -A INPUT -p tcp -m multiport --dport 80,22,21,20,53 -j ACCEPT
iptables -A INPUT -p udp -m multiport --dport 53,67,68 -j ACCEPT
IP range matching: -m iprange --src-range IP range
iptables -A FORWARD -p udp -m iprange --src-range 192.168.80.100-192.168.80.200 -j DROP
#Prohibit forwarding udp packets whose source address is 192.168.80.100-192.168.80.200

MAC address match: -m mac --mac-source <MAC address>
iptables -A FORWARD -m mac --mac-source xx:xx:xx:xx:xx:xx -j DROP
#Refuse to forward frames from the given source MAC. The mac match works only in the PREROUTING, FORWARD and INPUT chains, and only for hosts on a directly attached Ethernet segment; the MAC of a host behind a router is not visible to this machine

State match: -m state --state <connection state>
Common connection states:
NEW: the first packet of a connection; the connection tracker has not seen this flow before
ESTABLISHED: the flow has seen packets in both directions (for TCP, once the peer has answered the first packet)
RELATED: a new connection that belongs to an existing one, e.g. an FTP data connection or an ICMP error about an existing flow; usually listed together with ESTABLISHED
INVALID: a packet that cannot be associated with any known connection, e.g. malformed or out of the expected TCP window


iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dport 443,80,22,21,20,53 -j ACCEPT
iptables -A INPUT -p udp -m multiport --dport 53 -j ACCEPT
iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -P INPUT DROP
#Check the state of inbound packets: packets belonging to an established TCP connection, or related to one, are allowed in. In short, replies to traffic this host itself sent are let through. Note that the rule carries -p tcp, so replies to the host's own UDP (DNS) queries and its pings are not covered; drop the -p tcp to cover every protocol. -m state is kept for compatibility; on current systems it is an alias of -m conntrack --ctstate. The policy is set to DROP last, after the accept rules are in place.
#Analogy: once you and a partner have agreed on a deal, the payment for that deal is accepted without a fresh negotiation
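The five commands above build the firewall one rule at a time and flip the policy last, and their state rule carries -p tcp. As an added example that is not part of the original tutorial, here is the same host-firewall idea as a single iptables-restore file, so the rules and the DROP policy are loaded atomically; it uses -m conntrack --ctstate (what -m state resolves to on current kernels), accepts ESTABLISHED/RELATED for every protocol, and also ties in the tcp-flags, ICMP-type and multiport matches from earlier in this section. The management network 192.168.80.0/24 (the page's lab network), the open ports and the log prefix are assumptions.

```bash
#!/bin/bash
# Added example, not from the original tutorial: a complete host-firewall
# ruleset built around state matching, written in iptables-restore format so
# the rules and the DROP policy are loaded in one atomic step. Assumed values:
# management network 192.168.80.0/24 for SSH, a web server on 80/443.

# build_ruleset [MGMT_NET]
# Prints the filter table. Rule order matters (first match wins, section 5):
# loopback and established traffic are accepted before any NEW-connection
# rule, LOG sits last because it never terminates processing, and anything
# that falls through hits the INPUT DROP policy declared at the top.
build_ruleset() {
  mgmt="${1:-192.168.80.0/24}"
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# 1. loopback: local services talk to each other over lo
-A INPUT -i lo -j ACCEPT
# 2. replies to connections this host opened, plus RELATED traffic (FTP data,
#    ICMP errors). No "-p tcp" here, so UDP (DNS) and ICMP replies are covered.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# 3. a NEW TCP connection must begin with a bare SYN
#    (--syn is shorthand for --tcp-flags SYN,RST,ACK,FIN SYN)
-A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
# 4. whitelist: SSH only from the management network, web from anywhere
-A INPUT -p tcp -s ${mgmt} --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# 5. answer ping, but rate-limited
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# 6. LOG is non-terminating: record the leftovers, then fall through to DROP
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "INPUT-DROP: "
COMMIT
EOF
}

# write_ruleset FILE [MGMT_NET]
# Saves the ruleset to FILE. On CentOS 7 with iptables-services,
# FILE=/etc/sysconfig/iptables makes it load at boot.
write_ruleset() {
  build_ruleset "${2:-}" > "$1"
}
```

Load it with `build_ruleset > /root/rules.v4 && iptables-restore --test /root/rules.v4 && iptables-restore /root/rules.v4`, then read the result back with `iptables -nvL INPUT --line-numbers`; the counters on rule 2 grow as soon as any reply traffic arrives, which is the quickest way to confirm that conntrack is doing the work. Comment lines beginning with # are ignored by iptables-restore, so the annotated file can be kept as-is.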