1. Overview of iptables
The Linux firewall is an IP packet filtering system that actually consists of two components: netfilter and iptables.
It works mainly at the network layer, on IP packets, and acts on fields such as the IP addresses, ports and protocols carried in those packets.
1, netfilter/iptables relationship
netfilter: the firewall function system that belongs to "kernel space".
It is the part of the kernel made up of packet filtering tables; these tables hold the rule sets the kernel uses to control packet filtering.
iptables: the firewall management system that belongs to "user space".
It is the command-line program used to manage the Linux firewall; it makes it easy to insert, modify and delete rules in the packet filtering tables, and is usually located at /sbin/iptables.
Netfilter/iptables is referred to simply as iptables below. iptables is a kernel-based firewall with four built-in rule tables: raw, mangle, nat and filter. Rules take effect immediately once configured, without restarting any service.
Relationship between the two:
iptables and netfilter together form the firewall system. iptables is only the management tool for the Linux firewall (a command-line tool, or client agent). netfilter is the security framework that actually implements the firewall function, and it is part of the kernel. Together the two parts make up a packet filtering firewall that is free to use and can perform packet filtering, packet redirection and network address translation (NAT).
2, four tables and five chains
The role of a rule table: to hold various rule chains
The role of a rule chain: to hold various firewall rules
Summary: tables contain chains, and chains contain rules
1) Four tables in iptables
| Table name | Function |
|---|---|
| raw | Determines whether connection state tracking is performed on this packet. Contains two rule chains: OUTPUT, PREROUTING |
| mangle | Modifies the content of the packet; used for traffic shaping and to set a mark on the packet. Contains five rule chains: INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING |
| nat | Responsible for network address translation; used to modify the source or destination IP address or port in the packet (the communication five-tuple). Contains three rule chains: OUTPUT, PREROUTING, POSTROUTING |
| filter | Responsible for filtering packets, i.e. deciding whether a packet is let through. Contains three rule chains: INPUT, FORWARD, OUTPUT |

The raw and mangle tables are used relatively rarely.
2) Five chains in iptables
| Chain name | Function |
|---|---|
| INPUT | Processes inbound packets; matches packets whose destination IP is this machine. |
| OUTPUT | Processes outbound packets; rules are generally not configured on this chain. |
| FORWARD | Processes forwarded packets; matches packets that flow through this machine. |
| PREROUTING | Processes packets before routing, to modify the destination address; used for DNAT. This is equivalent to mapping the IP and port of an internal server to the router's external IP and port. |
| POSTROUTING | Processes packets after routing, to modify the source address; used for SNAT. This is equivalent to the router's NAT function, which lets internal hosts access the Internet through one public IP address. |
3, priority order between the rule tables when a packet arrives at the firewall
Order of precedence between rule tables: raw > mangle > nat > filter
4, the matching order of the rule chain
1) Matching order between rule chains
Host-based firewall:
Inbound data (packets from the outside whose destination address is the firewall machine itself): PREROUTING -> INPUT -> local application
Outbound data (packets sent from the firewall machine to an external address): local application -> OUTPUT -> POSTROUTING
Network-type firewall:
Forwarded data (packets that need to be forwarded through the firewall): PREROUTING -> FORWARD -> POSTROUTING
2) Matching order within the rule chain
Rules are checked in order from top to bottom, and checking stops at the first matching rule (the LOG target is the exception: it only records a log entry, and matching continues with the next rule)
If no rule in the chain matches, the packet is handled according to the chain's default policy (unless modified, the default policy is ACCEPT)
3) The transmission process of data packets in the kernel
1. When a packet enters the network card it first enters the PREROUTING chain, and the kernel uses the packet's destination IP to decide whether it needs to be forwarded.
2. If the packet is destined for this machine, it reaches the INPUT chain and is then delivered to the local process. Programs running on this machine can send packets as well; these pass through the OUTPUT chain on their way back to the sender.
3. If the packet is to be forwarded and the kernel allows forwarding, it passes through the FORWARD chain and then leaves through the POSTROUTING chain.
2. How to configure the iptables firewall
1, using the iptables command line
1) iptables installation
Stop firewalld and disable it from starting at boot
CentOS 7 uses the firewalld firewall by default, and iptables is not installed. To use the iptables firewall, firewalld must be stopped before installing iptables.
Install iptables and start the service:
[root@localhost ~]#systemctl start iptables
2, configuring rules with the iptables command line
Command format:
iptables [-t table name] management option [chain name] [matching condition] [-j control type]
Notes:
- When no table name is specified, the filter table is used
- When no chain name is specified, the option applies to all chains in the table
- Unless you are setting the chain's default policy, you must specify a matching condition
- The control type is written in uppercase letters; the rest is lowercase
1) Common control types
| Control type | Action |
|---|---|
| ACCEPT | Allow the packet to pass (default) |
| DROP | Discard the packet directly without giving any response message |
| REJECT | Refuse to let the packet pass, and send a response message to the sender |
| SNAT | Modify the source address of the packet |
| DNAT | Modify the destination address of the packet |
| MASQUERADE | Masquerade as a non-fixed public IP address |
| LOG | Record a log entry in the /var/log/messages file, then pass the packet on to the next rule. LOG is only an auxiliary action and does not actually process the packet |

Difference between DROP and REJECT: DROP silently discards the packet without any response, so the accessing host hangs on the connection with no prompt. REJECT refuses the packet and sends the accessing host a message that access was denied.
2) Common management options
| Management option | Action |
|---|---|
| -A | Append (--append) a new rule at the end of the specified chain |
| -I (capital i) | Insert (--insert) a new rule in the specified chain; if no sequence number is given, it becomes the first rule |
| -R | Replace (--replace) a rule in the specified chain, given by rule number or by content |
| -P | Set the default policy (--policy) of the specified chain |
| -D | Delete (--delete) a rule in the specified chain, given by rule number or by content |
| -F | Flush (--flush) all rules in the specified chain; if no chain name is given, all chains in the table are cleared |
| -L | List (--list) all rules in the specified chain; if no chain name is given, list all chains in the table |
| -n | Display output in numeric form (--numeric), e.g. IP addresses instead of hostnames |
| -v | Display detailed information, including the number of packets and bytes matched by each rule |
| --line-numbers | Display the sequence number of each rule when listing |
3) Matching conditions
| Matching condition | Function |
|---|---|
| -p | Protocol type of the packet to match |
| -s | Source IP address of the packet to match |
| -d | Destination IP address of the packet to match |
| -i | Network interface through which the packet enters this machine |
| -o | Network interface through which the packet leaves this machine |
| --sport | Source port number |
| --dport | Destination port number |
3, applying the iptables command to configure rules
1) View iptables rules
2) View the specified table (view the chains in the specified table)
3) Add rules
Two common options for adding rules:
-A, append the rule at the end.
-I, insert the rule before the specified position; if no position is given, insert it as the first rule.
Append rules at the end (in the specified table and chain)
Note: although iptables -F is a convenient way to clear rules, it must only be used while the default policy of the chain is ACCEPT.
If the default policy is DROP, flushing cuts off the remote connection, which can only be resolved by restarting the original server.
If you only need to clear the rules of one chain and keep the rules of the other chains, you must name the chain to clear (together with -t for the table, if it is not filter).
Test results:
Insert a rule at a given sequence number in the specified chain
Test: ping the firewall host using the ICMP protocol
Reverse the order of the two rules and test again
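The ping test described above, as an added example that is not part of the original article: a shell script that appends a REJECT rule for ICMP, inserts an ACCEPT rule ahead of it, then reverses the order, using the -A, -I and -D options from the tables above. DRY_RUN=1 prints the commands instead of running them; applying them needs root.

```shell
#!/bin/sh
# Added example, not from the original article: rule order in the filter/INPUT
# chain decides the result of a ping. The first matching rule wins, so an
# ACCEPT inserted above a REJECT lets ICMP through even though REJECT stays.
# Set DRY_RUN=1 to print the commands instead of applying them (needs root).

ipt() {
    if [ -n "${DRY_RUN-}" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# -A appends, so REJECT lands at the end of INPUT (the table defaults to filter).
reject_ping() {
    ipt -t filter -A INPUT -p icmp -j REJECT
}

# -I with position 1 puts ACCEPT above REJECT: ping is answered again
# although the REJECT rule is still present further down the chain.
allow_ping_first() {
    ipt -t filter -I INPUT 1 -p icmp -j ACCEPT
}

# Reverse the order: delete the ACCEPT rule by content and re-append it
# after REJECT. Now REJECT matches first and ping is refused again.
reverse_ping_rules() {
    ipt -t filter -D INPUT -p icmp -j ACCEPT
    ipt -t filter -A INPUT -p icmp -j ACCEPT
}

# Numeric listing with rule sequence numbers, to verify the order.
show_input() {
    ipt -t filter -nvL INPUT --line-numbers
}

# Run as "sh script.sh apply" to execute the three steps in sequence.
if [ "${1-}" = "apply" ]; then
    reject_ping;        show_input
    allow_ping_first;   show_input
    reverse_ping_rules; show_input
fi
```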
4) Delete rules
Delete:
1. Delete by sequence number
2. Delete by content, matching the rule exactly; if two identical rules exist, the one with the smaller sequence number is deleted
Deleting by sequence number
Note: when deleting by sequence number, the number must belong to an existing rule, otherwise an error is reported
Deleting by content match (if two identical rules exist, this acts as deduplication)
5) Modify rules (not recommended)
-R modifies a rule in place.
To be safe, first add the new rule, confirm that it has no adverse effect, and only then delete the old rule; this achieves the same replacement effect.
6) Modify strategy
The default policy is the default policy of each chain in the four tables and five chains; as shown in the figure, the default policy of the INPUT, FORWARD and OUTPUT chains of the filter table is ACCEPT.
This works like a blacklist: all other protocol operations are allowed by default, and only what is explicitly added with a DROP or REJECT rule is rejected.
When the default policy is changed to REJECT or DROP, it works like a whitelist: only what is explicitly added with an ACCEPT rule is allowed, and everything else is forbidden.
If this cuts off the remote session, there are three ways to recover:
First method: the firewall settings are only temporary (not saved), so simply restarting the server clears them
Second method: operate the server and restart the iptables service
Third method: go to the server room, operate the server locally, restore the settings and re-apply the rules
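The lock-out pitfalls from the -F note, the replace advice and the default-policy discussion above, as one added example that is not the article's own code: the management session is allowed before the policy becomes DROP, the policy is reset before flushing, and a rule is replaced by adding the new one before deleting the old one. ADMIN_NET is an assumed management subnet, and the ESTABLISHED,RELATED rule uses the state match, which the option table above does not list.

```shell
#!/bin/sh
# Added example, not from the original article: defensive wrappers around the
# iptables operations whose careless use locks you out of a remote server.
# ADMIN_NET is an assumed value; adjust it. DRY_RUN=1 prints commands instead
# of running them (applying them needs root).

ADMIN_NET=${ADMIN_NET:-192.168.1.0/24}   # assumed management subnet

ipt() {
    if [ -n "${DRY_RUN-}" ]; then echo "iptables $*"; else iptables "$@"; fi
}

# Whitelist mode: allow loopback, existing connections and SSH from the
# management subnet BEFORE the policy becomes DROP; otherwise -P INPUT DROP
# cuts the remote shell immediately (the -m state match is not in the table
# of options above, but is a standard iptables match).
enable_whitelist_mode() {
    ipt -t filter -I INPUT 1 -i lo -j ACCEPT
    ipt -t filter -I INPUT 2 -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -t filter -I INPUT 3 -p tcp -s "$ADMIN_NET" --dport 22 -j ACCEPT
    ipt -t filter -P INPUT DROP
}

# Safe flush: reset the policy to ACCEPT first, so clearing the chain can
# never leave a DROP policy behind with no permitting rules.
safe_flush_input() {
    ipt -t filter -P INPUT ACCEPT
    ipt -t filter -F INPUT
}

# Safe replace (instead of -R): add the new rule first, then delete the old
# one by content. The rule specs are deliberately left unquoted so that
# they split into separate iptables arguments.
safe_replace() {
    old=$1
    new=$2
    ipt -t filter -I INPUT 1 $new
    ipt -t filter -D INPUT $old
}

# Run as "sh script.sh apply" to switch to whitelist mode and swap a rule.
if [ "${1-}" = "apply" ]; then
    enable_whitelist_mode
    safe_replace "-p icmp -j REJECT" "-p icmp -s $ADMIN_NET -j ACCEPT"
fi
```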