Linux firewall iptables (Part 1)

What is a firewall

Firewall technology combines software and hardware devices for security management and screening at the point where an internal network connects to an external network. It builds a relatively isolated protective barrier that protects the security of user data and information.

Classification of security technologies

1. Intrusion detection. Features: blocks, quantifies and locates threats to the network from both inside and outside.

Provides alarms and event supervision, similar to monitoring.

2. Intrusion prevention works in transparent mode, analyzes packet contents and protects everything that enters the machine. Trojans, worms and exploitation of system vulnerabilities are analyzed, judged and then blocked, which makes it an active protection mechanism. It is deployed throughout the architecture or at the entrance to the cluster, on the path that all traffic must pass through.

3. Firewall: Isolation function, working at the edge of the network or host.

Inspects the packets entering and leaving the network or host according to a set of rules. (Packets forwarded at the network layer)

In practice, a firewall is usually configured as a whitelist (deny everything by default, allow only what is needed).

4. Waterproof wall: transparent mode; the monitoring component in Huawei's eNSP is a firewall of this kind. Everything is transparent to the waterproof wall.

Detection can take place before, during and after an event.

Types of firewalls

Firewalls can be divided into two categories by protection scope:

Host firewall (e.g. firewalld): serves only the current host.

Network firewall (e.g. iptables): a packet-filtering firewall. Access control is done by checking each packet's source IP address, destination IP address, port number, protocol, etc. to decide whether the packet is allowed through.

What are the five-tuple and four-tuple of a communication?

Five-tuple: source/destination IP, source/destination port, protocol

Four-tuple: source/destination IP, source/destination port

Introduction to iptables

iptables is an IP packet filtering system integrated with the latest (3.5) version of the Linux kernel. It gives better control over IP packet filtering and firewall configuration on a Linux system, whether that system is a host connected to the Internet or a LAN, a server, or a proxy server that connects a LAN to the Internet.

Four tables and five chains of iptables

Four tables:

Table name   Function
raw          Connection-tracking control. Packets exempted from tracking here (the raw table is where tracking is switched off) pass through the firewall faster.
mangle       Rules that modify packet marks and header fields
nat          Address-translation rule table
filter       Packet-filtering rule table: filters packets according to predefined and manually added rules. This is the default table of iptables.

The four tables are processed in this order of priority:

raw -> mangle -> nat -> filter

Five chains

Chain name    Function
PREROUTING    Rules applied to packets as they arrive, before the routing decision
INPUT         Rules applied to packets destined for the local machine
FORWARD       Rules applied to packets being forwarded to other hosts
OUTPUT        Rules applied to packets generated by the local machine; generally not restricted
POSTROUTING   NAT rules applied after the routing decision, just before packets leave the machine

Matching process

The role of a rule table: to hold the various rule chains.

The role of a rule chain: to hold the individual firewall rules.

An easy way to remember it: tables contain chains, and chains contain rules.

iptables management options

Format:

Command format:
iptables [-t table] option [chain] [match conditions] [-j target]

Management option   Function
-A                  Append a rule at the end of the specified chain
-I                  Insert a rule into the specified chain; a rule number may be given (default: position 1)
-P                  Set the default policy of a chain
-D                  Delete a rule
-R                  Replace the rule at the given number
-L                  List the rules of the specified chain
-n                  Show addresses and ports numerically (no name resolution)
-v                  Verbose output (packet and byte counters, interfaces)
--line-numbers      Number the rules in each chain in the listing
-F                  Flush (delete) all rules in the specified chain (use with caution)
-X                  Delete a user-defined chain
-t                  Specify the table name

Matching conditions

Match condition   Function
-p                Protocol of the packet
-s                Source IP address of the packet
-d                Destination IP address of the packet
-i                Network interface through which the packet enters the machine
-o                Network interface through which the packet leaves the machine
--sport           Source port
--dport           Destination port

iptables control types (targets; always uppercase)

Format:

-j: control type (target)

Control type   Function
ACCEPT         Allow the packet to pass
DROP           Discard the packet silently, without any response
REJECT         Refuse the packet and send back a response (an error message to the sender)
SNAT           Modify the source address of the packet
DNAT           Modify the destination address of the packet

The difference between DROP and REJECT: DROP discards the packet and sends nothing back, so the accessing host hangs waiting for a response with no prompt. REJECT also refuses the packet but tells the accessing host that access is denied.
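The whitelist approach described earlier (deny everything, allow only what is needed) built from the options, match conditions and targets in the tables above, as an added example that is not part of the original post. The management network 192.0.2.0/24, the interface name eth0 and the allowed services (SSH from the management network, HTTP from anywhere, ping) are constructed assumptions. DRY_RUN=1, the default, prints the iptables commands instead of executing them; applying for real needs root and DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not from the original post): a "deny all, allow some" host whitelist.
# Assumed values for this example: management SSH from 192.0.2.0/24, interface eth0,
# HTTP on 80/tcp. DRY_RUN=1 (default) prints the commands; DRY_RUN=0 runs them (root).

DRY_RUN="${DRY_RUN:-1}"
MGMT_NET="192.0.2.0/24"
IFACE="eth0"

# Wrapper: print or execute one iptables invocation.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

apply_whitelist() {
    # Start from a known state in the filter table (the default table).
    ipt -t filter -F INPUT
    ipt -t filter -F FORWARD
    # Default policies: incoming and forwarded traffic is dropped unless a rule allows it.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    # Loopback must be allowed or local services break.
    ipt -A INPUT -i lo -j ACCEPT
    # Replies to connections this host opened itself (connection tracking state).
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Explicitly allowed services; order matters, first match wins.
    ipt -A INPUT -i "$IFACE" -p tcp -s "$MGMT_NET" --dport 22 -j ACCEPT
    ipt -A INPUT -i "$IFACE" -p tcp --dport 80 -j ACCEPT
    # Allow ping for reachability checks.
    ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    # Everything else: log at a limited rate, then REJECT so clients fail fast rather than hang.
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-REJECT: "
    ipt -A INPUT -j REJECT --reject-with icmp-port-unreachable
    # The DROP policy remains as the safety net if the REJECT rule is ever removed.
}

# Number of rules the policy appends to INPUT; a sanity check in dry-run mode.
rule_count() {
    apply_whitelist | grep -c -- ' -A INPUT '
}

# Run as "DRY_RUN=0 sh whitelist.sh apply" to install the rule set.
if [ "${1:-}" = "apply" ]; then
    apply_whitelist
fi
```

The flush at the start and the policy lines come before any ACCEPT rule, so a re-run always produces the same chain; the REJECT at the end is what the client sees, while the DROP policy only matters if that rule is missing.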

Browse the default rules

iptables -L

[root@hj opt]# iptables -nL
# numeric display: addresses and ports are shown as numbers

Note: when -n and -L are combined, n must come before L, otherwise an error is reported. The same holds for -vnL: L must be last, because -L takes an optional chain name as its argument, so any letter placed after it is read as a chain name.

View the inbound rules

View a specified table (i.e. the chains in that table)

[root@hj opt]# iptables -vnL
# the filter table is shown by default

[root@hj opt]# iptables -t nat -vnL

Show rule numbers

[root@hj opt]# iptables -t filter -vnL --line-numbers

How iptables matches rules:

Rules are matched from top to bottom. Once a rule matches, the remaining rules in the chain are not evaluated.

Here I first turned off the ICMP protocol and then turned it on again, but I still can't ping. This is because the rules are matched from top to bottom: after the first match succeeds, the following rules are no longer matched.

Viewing the chain with iptables -vnL INPUT --line-numbers shows that the first matching rule is REJECT. Once it matches, the following rules are not executed, so the ACCEPT rule never runs.

In this situation you could use -F to clear all the rules and then re-enter the ones you need, but that is too much trouble. There is a better solution: insert, i.e. iptables -I

iptables -I INPUT 1 -p icmp -j ACCEPT
# The 1 means the rule is inserted at position 1 of INPUT (ahead of the existing rules); it takes effect immediately

Delete the specified number

iptables -D INPUT 2

Logic:

List the rules -> find the rule number -> delete by number

Replace a rule by number (-R; not recommended)

To be on the safe side, we can try to add a new rule first to ensure that the new rule will not bring any adverse effects before deleting the old rule (which can also achieve the effect of replacement)

iptables -R INPUT 1 -p icmp -j ACCEPT

List -> find the number -> replace

As shown in the figure, the REJECT rule on line 1 is changed to ACCEPT.
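The ordering problem from the ping example and the safer add-then-delete replacement, as an added example that is not part of the original post: the rule number of the blocking REJECT is read from a listing and the ACCEPT is inserted ahead of it. SAMPLE_LISTING is a constructed, shortened imitation of `iptables -nL INPUT --line-numbers` output, not captured from a real host; DRY_RUN=1 (the default) prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the original post): insert an ACCEPT ahead of an existing
# REJECT by reading its rule number, instead of appending where it would never match.
# DRY_RUN=1 (default) prints the iptables commands; DRY_RUN=0 executes them (root).

DRY_RUN="${DRY_RUN:-1}"

ipt() {
    if [ "$DRY_RUN" = "1" ]; then echo "iptables $*"; else iptables "$@"; fi
}

# Constructed sample of `iptables -nL INPUT --line-numbers` output (not from a real host):
# rule 2 rejects ICMP, so the ACCEPT appended as rule 3 is never reached.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    REJECT     icmp --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
3    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0'

# Listing of INPUT: the sample in dry-run mode, the live chain otherwise.
current_listing() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$SAMPLE_LISTING"
    else
        iptables -nL INPUT --line-numbers
    fi
}

# Print the number of the first rule whose target and protocol match (empty if none).
# Only lines that start with a number are rules; the "Chain" and header lines are skipped.
rule_number() {
    printf '%s\n' "$1" | awk -v t="$2" -v p="$3" \
        '$1 ~ /^[0-9]+$/ && $2 == t && $3 == p { print $1; exit }'
}

# Insert "ACCEPT <proto>" directly before the first "REJECT <proto>" so it is evaluated
# first. With no REJECT present, appending is fine. Rules from the insertion point on
# shift down by one number.
accept_before_reject() {
    listing="$1"; proto="$2"
    n=$(rule_number "$listing" REJECT "$proto")
    if [ -z "$n" ]; then
        ipt -A INPUT -p "$proto" -j ACCEPT
    else
        ipt -I INPUT "$n" -p "$proto" -j ACCEPT
    fi
}

# The safer replacement the post recommends: add the new rule at n first; the old rule
# has then moved to n+1 and is deleted there. -R replaces in place but has no fallback.
insert_then_delete_old() {
    n="$1"; shift
    ipt -I INPUT "$n" "$@"
    ipt -D INPUT "$((n + 1))"
}

if [ "${1:-}" = "demo" ]; then
    accept_before_reject "$(current_listing)" icmp
fi
```

Deleting by number right after an insert is where mistakes happen: the number printed before the insert no longer points at the same rule afterwards, which is why insert_then_delete_old computes n+1 rather than reusing n.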

The above are all IP + port matches.

The following introduces matching on IP + port + network segment + interface (network card device).

Match based on network segment and interface

[root@hj ~]# iptables -A INPUT -i ens33 -s 20.0.0.0/24 -j DROP

Packets from the entire 20.0.0.0/24 segment arriving on the ens33 device are dropped.

Similarly, the entire 192.168.233.0 segment can be denied TCP.

When giving a port range, the smaller port comes first and the larger port second.

-m: loads an extension module; the module type must be named explicitly, e.g. multiport, mac (MAC address) or iprange (IP range).

[root@hj ~]# iptables -A INPUT -p tcp -m multiport --dports 80,22,21,53 -j REJECT
# the port list is separated by commas

Match based on range

Match based on IP range
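The extension-module matches named above (multiport, mac, iprange) together with a port range, as an added example that is not part of the original post. Each helper validates its input before emitting a rule: the port range is put into the required low:high order, and the MAC address is checked for shape. All addresses, ports and the MAC value are constructed sample data; DRY_RUN=1 (the default) prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the original post): rules using -m multiport, -m mac and
# -m iprange, plus a port range. Values are constructed samples. DRY_RUN=1 (default)
# prints commands; DRY_RUN=0 executes them (root).

DRY_RUN="${DRY_RUN:-1}"

ipt() {
    if [ "$DRY_RUN" = "1" ]; then echo "iptables $*"; else iptables "$@"; fi
}

# iptables wants port ranges as low:high; swap the two if given in the wrong order.
port_range() {
    lo="$1"; hi="$2"
    if [ "$lo" -gt "$hi" ]; then tmp="$lo"; lo="$hi"; hi="$tmp"; fi
    echo "$lo:$hi"
}

# A MAC address must be six colon-separated hex pairs.
valid_mac() {
    printf '%s' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Several ports in one rule: multiport takes a comma-separated list (up to 15 entries).
reject_tcp_ports() {
    ipt -A INPUT -p tcp -m multiport --dports "$1" -j REJECT
}

# A contiguous port range needs no extension module, only the low:high form.
accept_tcp_range() {
    ipt -A INPUT -p tcp --dport "$(port_range "$1" "$2")" -j ACCEPT
}

# Match on the source MAC. Only meaningful for hosts on the same link: a router
# rewrites the MAC, so this cannot identify hosts behind it.
drop_source_mac() {
    if ! valid_mac "$1"; then
        echo "invalid MAC address: $1" >&2
        return 1
    fi
    ipt -A INPUT -m mac --mac-source "$1" -j DROP
}

# A contiguous IP range that is not a clean subnet: the iprange module.
drop_source_range() {
    ipt -A INPUT -m iprange --src-range "$1-$2" -j DROP
}

# A whole subnet on one interface, as in the post's ens33 example.
drop_subnet_on_iface() {
    ipt -A INPUT -i "$1" -s "$2" -j DROP
}

# Build the constructed sample rule set when run as "sh matches.sh demo".
if [ "${1:-}" = "demo" ]; then
    reject_tcp_ports 80,22,21,53
    accept_tcp_range 2000 1000
    drop_source_mac 00:11:22:33:44:55
    drop_source_range 10.0.0.5 10.0.0.20
    drop_subnet_on_iface ens33 20.0.0.0/24
fi
```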

Custom chain

There are five built-in chains, but Linux also lets you define your own.

#1. Add a custom chain
iptables -N zzr
# zzr is the custom chain name
iptables -vnL
# view it
iptables -I zzr 1 -p icmp -j ACCEPT

A custom chain does nothing by itself: it has to be hooked into the system by referencing it from a built-in chain.

Only after it has been added to the system is it used.

iptables -I INPUT 1 -p icmp -j zzr

In this way, custom chains added to the system can be used.

Delete custom chain

A custom chain is created first and then added to the system, so deleting it reverses those steps: first delete the reference to the custom chain from the system chain, then delete the custom chain itself.

iptables -D INPUT 1

Then delete the custom chain itself (-X); it must be empty first.
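The whole custom-chain lifecycle from the two sections above (create and fill, hook into INPUT, then tear down in reverse order), as an added example that is not part of the original post. It uses the chain name zzr from the post; the rule inside the chain is an assumption for the example. DRY_RUN=1 (the default) prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the original post): lifecycle of a user-defined chain.
# Chain name "zzr" is taken from the post. DRY_RUN=1 (default) prints the commands;
# DRY_RUN=0 executes them (root).

DRY_RUN="${DRY_RUN:-1}"
CHAIN="zzr"

ipt() {
    if [ "$DRY_RUN" = "1" ]; then echo "iptables $*"; else iptables "$@"; fi
}

# Step 1: create the chain and fill it. "-j zzr" in INPUT fails while the chain does
# not exist yet, so creation has to come first.
create_chain() {
    ipt -N "$CHAIN"
    ipt -A "$CHAIN" -p icmp --icmp-type echo-request -j ACCEPT
    # Packets the chain does not decide on go back to the calling chain and continue there.
    ipt -A "$CHAIN" -j RETURN
}

# Step 2: hook the chain into a built-in chain; only now does it see any traffic.
attach_chain() {
    ipt -I INPUT 1 -j "$CHAIN"
}

# Teardown reverses the order: unhook, empty, delete. -X refuses a chain that is still
# referenced by a rule or still contains rules, so the first two steps are mandatory.
remove_chain() {
    ipt -D INPUT -j "$CHAIN"   # delete by rule specification, so its position does not matter
    ipt -F "$CHAIN"
    ipt -X "$CHAIN"
}

case "${1:-}" in
    install) create_chain; attach_chain ;;
    remove)  remove_chain ;;
esac
```

Deleting the reference by specification (-D INPUT -j zzr) instead of by number avoids guessing where the jump rule ended up after other inserts; the post's `iptables -D INPUT 1` works only while the jump is still rule 1.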

That’s it

syntaxbug.com © 2021 All Rights Reserved.