1. Security technology
1.1 Overview
1. Intrusion detection (IDS): characterized by blocking, quantifying and locating network threats from inside and outside; it raises alarms and supports after-the-fact review. Comparable to surveillance monitoring.
2. Intrusion prevention (IPS): works in transparent mode and analyzes packet contents, protecting everything that enters the host; it identifies Trojans, worms and exploitation of system vulnerabilities and then blocks them, a proactive defense mechanism. Deployed in front of the whole architecture or at the entrance to the cluster.
3. Firewall: an isolation function that works at the edge of a network or host. It inspects packets entering and leaving the network or host against a set of rules and, when a rule matches, handles the packet according to the action that rule defines. It is essentially a set of functional components. A typical deployment denies all pass-through access by default, opens only the policies that explicitly allow access, and places hosts that must be reachable from the outside network in the DMZ (demilitarized zone).
4. Waterproof wall: works in transparent mode; the monitoring in Huawei's eNSP, for example, is a firewall of this kind. Everything passing through is transparent to the waterproof wall.
Divided by scope of protection:
Host firewall: serves only the current host
Network firewall: protects the LAN behind it
Divided by network protocol layer:
Network layer firewall: works in the lower four layers of the OSI model, also called a packet filtering firewall
Application layer firewall / proxy server: a proxy gateway working at layer seven of the OSI model
Packet Filtering Firewall
At the network layer, packets are selected according to the filtering logic configured in the system, called an access control list (ACL): the source address, destination address, port number and protocol state of each packet in the flow are checked, individually or in combination, to decide whether the packet is allowed to pass.
1.2 iptables and firewalld firewall
iptables: the packet filtering firewall that comes with the system
firewalld: a host firewall, which also provides packet filtering
2. Four tables and five chains of the iptables kernel firewall
2.1 Four tables
| Table | Function |
| --- | --- |
| raw | Controls connection-state tracking of packets; configuring it can speed up packet traversal through the firewall |
| mangle | Rules that modify packet marking bits |
| nat | Address translation rule table |
| filter | Packet filtering rule table: filters packets against predefined and manually configured rules; this is the default table of iptables |
2.2 Five chains
| Chain | Function |
| --- | --- |
| PREROUTING | NAT rules applied to packets before they enter the machine (before routing) |
| INPUT | Rules applied to packets destined for the machine itself |
| FORWARD | Rules applied to packets forwarded to other hosts |
| OUTPUT | Rules applied to packets sent by the machine itself; generally left unrestricted |
| POSTROUTING | NAT rules applied to packets after routing, as they leave the machine |
2.3 iptables table chain matching process
Summary:
- Role of a rule table: it holds the rule chains
- Role of a rule chain: it holds the individual firewall rules
- Chains live inside tables, and rules live inside chains
3. iptables configuration
3.1 Install iptables service
[root@pup1 ~]# systemctl stop firewalld.service
[root@pup1 ~]# yum -y install iptables iptables-services
[root@pup1 ~]# systemctl start iptables.service
[root@pup1 ~]# systemctl enable iptables.service
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
3.2 Management Options
| Option | Meaning |
| --- | --- |
| -A | Append a rule at the end of the specified chain |
| -I (capital i) | Insert a new rule in the specified chain; the position of the inserted rule can be given |
| -P | Set the default policy (chain policy) |
| -D | Delete a rule |
| -R | Replace (modify) a rule |
| -L | List the rules in the specified chain |
| -F | Flush all rules in the specified chain (use with caution) |
| -n | Display addresses and ports numerically |
| -v | Show verbose details |
| --line-numbers | Number the rules in each chain in the listing |
| -X | Delete a custom chain (it must already be empty) |
| -t | Specify the table name |
3.3 Matching conditions
| Option | Meaning |
| --- | --- |
| -p | Protocol type of the packet |
| -s | Source IP address of the packet |
| -d | Destination IP address of the packet |
| -i | Network interface through which the packet enters the machine |
| -o | Network interface through which the packet leaves the machine |
| --sport | Source port number |
| --dport | Destination port number |
3.4 Control Type
| Target | Meaning |
| --- | --- |
| ACCEPT | Allow the packet to pass |
| DROP | Refuse the packet and discard it silently, without sending any response |
| REJECT | Refuse the packet and send a response message back |
| SNAT | Rewrite the source address of the packet |
| DNAT | Rewrite the destination address of the packet |
3.5 format
[root@pup1 ~]# iptables [-t table] management-option [chain] [match conditions] [-j control type]
# When no table is given, the filter table is used.
# When no chain is given, the operation applies to all chains in the table.
3.6 Example Demonstration
View rule list
[root@pup1 ~]# iptables -t table name -vnL chain name --line-numbers
Meaning of the columns in the listing:
num: the rule number, shown when --line-numbers is given
pkts: the number of packets that have matched the rule
bytes: the total size of those packets
target: the action taken when the rule matches
prot: the protocol the rule matches (tcp in this listing)
Add rules
Example:
Reject pings from other hosts:
[root@pup1 ~]# iptables -F
[root@pup1 ~]# iptables -t filter -A INPUT -p icmp -j REJECT
Try to allow pings again by appending a rule (this has no effect):
[root@pup1 ~]# iptables -A INPUT -p icmp -j ACCEPT
Reason:
Rule matching strategy: rules are evaluated in order from top to bottom. Once a packet matches a rule, the rules after it are no longer examined, so a later rule of the same kind never takes effect for packets already matched by an earlier one.
Solution:
Insert rules
[root@pup1 ~]# iptables -I INPUT 1 -p icmp -j ACCEPT
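To make the ordering rule concrete, here is an added example (not from the original page) that models how a chain is walked: a small Python `Chain` with `-A`, `-I` and `-P` equivalents, replaying the ping commands above. The rule and packet objects are constructed for the demonstration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass
class Rule:                       # one iptables rule: match conditions plus -j target
    target: str
    proto: Optional[str] = None   # -p
    src: Optional[str] = None     # -s, address or CIDR
    dport: Optional[int] = None   # --dport

    def matches(self, pkt: dict) -> bool:
        if self.proto and pkt["proto"] != self.proto:
            return False
        if self.src and ip_address(pkt["src"]) not in ip_network(self.src, strict=False):
            return False
        return self.dport is None or pkt.get("dport") == self.dport

@dataclass
class Chain:
    policy: str = "ACCEPT"                 # -P default policy
    rules: List[Rule] = field(default_factory=list)

    def append(self, rule: Rule):                 # -A chain
        self.rules.append(rule)

    def insert(self, rule: Rule, pos: int = 1):   # -I chain [pos], 1-based like iptables
        self.rules.insert(pos - 1, rule)

    def verdict(self, pkt: dict) -> str:
        for rule in self.rules:             # walk top to bottom; the first match decides
            if rule.matches(pkt):
                return rule.target          # later rules are never consulted
        return self.policy                  # nothing matched: the chain policy applies

def demo_first_match():
    """Replays the page's ping example and returns the verdict after each step."""
    ping = {"proto": "icmp", "src": "20.0.0.20"}            # constructed packets
    ssh = {"proto": "tcp", "src": "20.0.0.20", "dport": 22}
    chain = Chain()
    chain.append(Rule("REJECT", proto="icmp"))       # iptables -A INPUT -p icmp -j REJECT
    rejected = chain.verdict(ping)
    chain.append(Rule("ACCEPT", proto="icmp"))       # iptables -A INPUT -p icmp -j ACCEPT
    still_rejected = chain.verdict(ping)             # REJECT still sits above ACCEPT
    chain.insert(Rule("ACCEPT", proto="icmp"), 1)    # iptables -I INPUT 1 -p icmp -j ACCEPT
    accepted = chain.verdict(ping)
    chain.policy = "DROP"                            # iptables -P INPUT DROP
    return rejected, still_rejected, accepted, chain.verdict(ssh)
```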
Delete rules
Check the rule number in the chain before deleting
[root@pup1 ~]# iptables -D INPUT 3
Modify rules
Temporary modification (rarely used):
[root@pup1 ~]# iptables -R INPUT 2 -p icmp -j ACCEPT
Permanent modification
Modify the default policy
[root@pup1 ~]# iptables -P INPUT DROP #Temporary modification
4. Matching of rules
4.1 General matching
| Match | Options |
| --- | --- |
| Protocol matching | -p protocol name |
| Address matching | -s source address, -d destination address (an IP, a network segment or a domain name) |
| Interface matching | -i inbound interface, -o outbound interface |
Example 1: The host with the specified address 20.0.0.20 cannot ping the machine
[root@pup1 ~]# iptables -A INPUT -s 20.0.0.20 -p icmp -j REJECT
Example 2: The host with the specified address 20.0.0.20 cannot remotely connect to the machine through ssh
[root@pup1 ~]# iptables -A INPUT -s 20.0.0.20 -p tcp --dport 22 -j REJECT   # ssh uses TCP, default port 22
Example 3: The host with the specified address 20.0.0.20 cannot send HTTP requests to this machine
[root@pup1 ~]# iptables -A INPUT -s 20.0.0.20 -p tcp --dport 80 -j REJECT
Example 4: No protocol specified
[root@pup1 ~]# iptables -A INPUT -s 20.0.0.20 -j DROP
Example 5: Nothing from the whole network segment may reach this machine through the ens33 interface
[root@pup1 ~]# iptables -A INPUT -i ens33 -s 20.0.0.0/24 -j DROP
Example 6: Specify that the entire network segment cannot access port 80 of this machine
[root@pup1 ~]# iptables -A INPUT -s 20.0.0.0/24 -p tcp --dport 80 -j REJECT
4.2 Implicit matching
When -p specifies the protocol, its own options can be used without loading an extension module with -m
Example: matching a range of ports
[root@pup1 ~]# iptables -A INPUT -p tcp --dport 22:80 -j REJECT   # smaller port first, larger port last, separated by a colon
4.3 Explicit matching
-m plus an extension module explicitly names the match type, for example multiple ports, MAC address or IP range
Specify multiple ports using expansion modules
Example: [root@pup1 ~]# iptables -A INPUT -p tcp -m multiport --dport 80,22,21,20,53 -j REJECT
Specify IP address range
-m iprange --src-range <source ip range>
-m iprange --dst-range <destination ip range>
Example: [root@pup1 ~]# iptables -A INPUT -p icmp -m iprange --src-range 20.0.0.20-20.0.0.30 -j REJECT
Specify mac address
Example: [root@pup1 ~]# iptables -A INPUT -m mac --mac-source 00:0c:29:29:ec:03 -j REJECT
4.4 Backup and Restore
Example:
[root@pup1 ~]# iptables-save > /opt/iptables.bak
[root@pup1 ~]# iptables-restore < /opt/iptables.bak
5. Custom chain
5.1 Add custom chain
5.2 Rename the custom chain
5.3 Create custom rules in custom chains
The chain is not yet in effect at this point: a custom chain and its rules only take effect once the custom chain is referenced from a built-in (system) chain, so that the system can reach it
5.4 Delete custom chains and rules
If the custom chain has already been referenced from a built-in chain, first delete the rule in the built-in chain that refers to it, then delete the rules inside the custom chain, and finally delete the custom chain itself
6. SNAT and DNAT
6.1 Working Principle
SNAT: source address translation
DNAT: destination address translation
6.2 Address translation lab with iptables
Prepare three virtual machines.
Add a second network adapter to virtual machine 2 (the gateway) and check it.
Configure the network card of the gateway server
[root@pup2 network-scripts]# vim ifcfg-ens33
TYPE=Ethernet
DEVICE=ens33
ONBOOT=yes
BOOTPROTO=static
IPADDR=20.0.0.254
NETMASK=255.255.255.0
#GATEWAY=20.0.0.2
#DNS1=218.2.135.1
[root@pup2 network-scripts]# vim ifcfg-ens36
TYPE=Ethernet
DEVICE=ens36
ONBOOT=yes
BOOTPROTO=static
IPADDR=12.0.0.254
NETMASK=255.255.255.0
#GATEWAY=20.0.0.2
#DNS1=218.2.135.1
[root@pup2 network-scripts]# systemctl restart network
Configure the network card of the intranet server
[root@pup1 network-scripts]# vim ifcfg-ens33
TYPE=Ethernet
DEVICE=ens33
ONBOOT=yes
BOOTPROTO=static
IPADDR=20.0.0.10
NETMASK=255.255.255.0
GATEWAY=20.0.0.254
#DNS1=218.2.135.1
[root@pup1 network-scripts]# systemctl restart network
Configure the network card of the external network server
[root@pup3 network-scripts]# vim ifcfg-ens33
TYPE=Ethernet
DEVICE=ens33
ONBOOT=yes
BOOTPROTO=static
IPADDR=12.0.0.100
NETMASK=255.255.255.0
GATEWAY=20.0.0.254
#DNS1=218.2.135.1
[root@pup3 network-scripts]# systemctl restart network
The gateway server adds internal to external network address translation rules in the NAT table of iptables
[root@pup2 ~]# iptables -t nat -A POSTROUTING -s 20.0.0.0/24 -o ens36 -j SNAT --to 10.0.0.10
-t: specify the table name
nat: the address translation table
-A: append a new rule at the end of the chain
POSTROUTING: apply the address translation rule as packets leave the machine
-s 20.0.0.0/24: match the source IP address (the intranet segment)
-o ens36: only packets sent out through interface ens36 are translated
-j SNAT: the control type, perform source address translation
--to 10.0.0.10: every packet whose source IP is in the 20.0.0.0/24 segment and which leaves through ens36 has its source address rewritten to 10.0.0.10
Enable IP forwarding on the gateway so that it routes between the two segments:
[root@pup2 network-scripts]# vim /etc/sysctl.conf   # file for kernel parameters
net.ipv4.ip_forward=1
[root@pup2 network-scripts]# sysctl -p   # takes effect immediately
The gateway server adds external network to internal network address translation rules in the NAT table of iptables
[root@pup2 network-scripts]# iptables -t nat -A PREROUTING -d 11.0.0.11 -i ens36 -p tcp --dport 80 -j DNAT --to 20.0.0.10:80
-t: specify the table name
nat: the address translation table
-A: append a new rule at the end of the chain
PREROUTING: apply the address translation rule as packets enter the machine, before routing
-d 11.0.0.11: match the destination IP address
-i ens36: the interface on which packets arrive from the external network
-p tcp: match the protocol
--to 20.0.0.10:80: a packet arriving on ens36 that is addressed to 11.0.0.11 on port 80 (the HTTP service) has its destination rewritten to the intranet server 20.0.0.10 port 80
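The following added example (not part of the original lab) models the two NAT rules above together with a connection-tracking table, which is what lets the kernel translate reply packets back without a second rule. The addresses are constructed from the lab topology; as an assumption, the gateway's own ens36 address 12.0.0.254 is used as the SNAT source and DNAT destination in place of the page's 10.0.0.10 and 11.0.0.11.

```python
from ipaddress import ip_address, ip_network

GW_EXT = "12.0.0.254"             # gateway address on ens36 (assumption for this example)
LAN = ip_network("20.0.0.0/24")   # intranet segment from the -s 20.0.0.0/24 rule
WEB = ("20.0.0.10", 80)           # intranet web server, the --to 20.0.0.10:80 target

class NatGateway:
    def __init__(self):
        # conntrack: reply 4-tuple as it will arrive -> fields to restore on that reply
        self.conntrack = {}

    def _remember(self, pkt, restore):
        self.conntrack[(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])] = restore

    def prerouting(self, pkt, in_if):
        """nat hook for packets entering the gateway (-A PREROUTING)."""
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if key in self.conntrack:                    # reply of an SNAT'd flow: undo SNAT
            return dict(pkt, **self.conntrack[key])
        # -A PREROUTING -d GW_EXT -i ens36 -p tcp --dport 80 -j DNAT --to 20.0.0.10:80
        if in_if == "ens36" and pkt["dst"] == GW_EXT and pkt["dport"] == 80:
            new = dict(pkt, dst=WEB[0], dport=WEB[1])
            self._remember(new, {"src": GW_EXT, "sport": 80})
            return new
        return pkt

    def postrouting(self, pkt, out_if):
        """nat hook for packets leaving the gateway (-A POSTROUTING)."""
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if key in self.conntrack:                    # reply of a DNAT'd flow: undo DNAT
            return dict(pkt, **self.conntrack[key])
        # -A POSTROUTING -s 20.0.0.0/24 -o ens36 -j SNAT --to GW_EXT
        if out_if == "ens36" and ip_address(pkt["src"]) in LAN:
            new = dict(pkt, src=GW_EXT)
            self._remember(new, {"dst": pkt["src"], "dport": pkt["sport"]})
            return new
        return pkt

    def forward(self, pkt, in_if, out_if):           # one routed packet: both nat hooks
        return self.postrouting(self.prerouting(pkt, in_if), out_if)

def tcp(src, sport, dst, dport):                     # constructed TCP packet header
    return {"src": src, "sport": sport, "dst": dst, "dport": dport}

def demo_nat():
    gw = NatGateway()
    out = gw.forward(tcp("20.0.0.10", 40000, "12.0.0.100", 80), "ens33", "ens36")  # SNAT
    out_reply = gw.forward(tcp("12.0.0.100", 80, GW_EXT, 40000), "ens36", "ens33")
    inbound = gw.forward(tcp("12.0.0.100", 50000, GW_EXT, 80), "ens36", "ens33")   # DNAT
    in_reply = gw.forward(tcp("20.0.0.10", 80, "12.0.0.100", 50000), "ens33", "ens36")
    return out, out_reply, inbound, in_reply
```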
7. Packet capture of linux system
tcpdump
tcpdump: the packet capture tool that comes with Linux (the captures are analyzed with Wireshark on Windows)
Packet capture method:
1. Fixed-count capture: capture a specified number of packets
2. Continuous capture: keep capturing until stopped manually.
(The capture is not parsed on the Linux system; it is sent to a Windows system for analysis.)
Specify packet capture
[root@pup1 opt]# tcpdump tcp -i ens33 -t -s0 -c 10 and dst port 80 and src net 20.0.0.0/24 -w ./target.cap
[root@pup1 opt]# sz target.cap   # send the capture file to the Windows host
tcpdump: the capture command itself
tcp: the protocol to capture
-i ens33: only capture packets passing through the ens33 interface
-t: do not print timestamps
-s0: capture complete packets (no snap length truncation)
-c 10: stop after the given number of packets
dst port 80: the destination port is 80
src net 20.0.0.0/24: the source network
-w: write the captured data to a file
./: save in the current directory
target.cap: name of the capture file
Dynamic packet capture
[root@pup1 opt]# tcpdump -i ens33 -s0 -w ./ens33.cap