iptables firewall
Article directory
- iptables firewall
- Network transmission quintuple
- Starting and stopping the firewall
- netfilter
- View firewall default rules
- Rule table
- Matching process
- The firewall matching model is four tables and five chains
- Basic syntax
- Common control types
- Monitoring
- Implicit matching
- Ban ping of the host IP
- Delete rules
- Enable forwarding
- Export firewall rules (backup)
- Import firewall backup rules
- Case
Network transmission quintuple
- Source IP
- Destination IP
- Source port
- Destination port
- Protocol
  - TCP (the header carries six control flags: SYN, ACK, FIN, RST, PSH, URG)
  - UDP
  - ICMP
A firewall filters traffic by matching on this five-tuple.
Physical layer
- Source address: this end of the cable
- Destination address: the other end of the cable (the physical link has no addressing of its own)
Data link layer
- Source address: MAC address
- A MAC address is a 48-bit (6-byte) number
- Destination address: MAC address
Network layer
- Source address: IP address
- An IP address is a logical address
- Destination address: IP address
Transport layer
- Source address: port
- Destination address: port
Application layer
Start and stop the firewall
Start the firewall
systemctl start firewalld.service
Stop the firewall
systemctl stop firewalld.service
These commands apply to current CentOS releases (CentOS 7 onwards), where firewalld is the default front end. firewalld and the older iptables.service both program the same kernel rule set and must not run at the same time: pick one and disable the other (systemctl stop firewalld.service; systemctl disable firewalld.service; then install the iptables-services package and enable iptables.service).
Start the old-style service
systemctl start iptables.service
netfilter
- netfilter is the packet-filtering framework inside the Linux kernel, the "kernel side" of the Linux firewall. It is part of the kernel and cannot be uninstalled.
- iptables, installed at /sbin/iptables, is the user-space tool used to manage netfilter rules, the "user side" of the Linux firewall.
- Either name is used to refer to the Linux firewall. On CentOS 7 the rule set is loaded at boot by one of two services, firewalld.service (the default) or iptables.service; both end up writing rules into the same netfilter tables.
View firewall default rules
The default (old-style) rule file is /etc/sysconfig/iptables; iptables.service loads it at start.
iptables -nvL
-n prints addresses and ports numerically (no DNS lookups), -v adds packet and byte counters, -L lists the rules; without -t this shows the filter table, add -t nat (or raw, mangle) for the others.
Behaviour observed on a lab host with the default rule set:
Service or action | Before enabling the firewall | After enabling the firewall |
---|---|---|
ping | Can ping | Can ping |
DHCP | Can get an IP address | Can get an IP address |
DNS | Can resolve | Cannot resolve |
SSH | Can log in remotely | Can log in remotely |
Windows access to the external network | Accessible | Inaccessible |
Nginx load balancing | Accessible | Inaccessible |
Routing and forwarding | Accessible | Accessible |
Rule chain | Function | Description |
---|---|---|
INPUT | Processes inbound packets addressed to this host | Where rules that restrict access to the local machine are written |
PREROUTING | Processes packets before the routing decision | Destination NAT (DNAT) and raw/mangle rules go here |
FORWARD | Processes packets routed through this host | Decides whether traffic may be forwarded through this machine |
POSTROUTING | Processes packets after the routing decision | Source NAT (SNAT, MASQUERADE) rules go here |
OUTPUT | Processes packets generated by this host | Restrictions on locally generated traffic (usually left empty) |
Matching process
Order between rule tables (for a chain that exists in several tables): raw -> mangle -> nat -> filter.
Order between rule chains:
- Inbound (destined for this host): PREROUTING -> INPUT
- Outbound (generated by this host): OUTPUT -> POSTROUTING
- Forwarded (routed through this host): PREROUTING -> FORWARD -> POSTROUTING
Order within a chain:
- Rules are checked top to bottom; matching stops at the first rule whose target terminates (ACCEPT, DROP, REJECT).
- If no rule matches, the chain's default policy (set with iptables -P) decides.
The firewall matching model is therefore "four tables and five chains": the tables raw, mangle, nat and filter, and the chains PREROUTING, INPUT, FORWARD, OUTPUT and POSTROUTING.
Basic syntax
iptables -t <table> <option> [rule number] <chain> [match conditions] [-j <control type>]
Notes:
- When no table is given, the filter table is assumed.
- For listing and flushing (-L, -F, -Z) leaving out the chain name applies the command to every chain of the table; adding a rule (-A, -I) always needs a chain name.
- Match conditions must be given, except when setting a chain's default policy with -P. A rule with no conditions matches every packet, so only omit them when that is what you mean (for example a final catch-all -j DROP).
- Command options (-A, -I, -D, -L, -F, -P), chain names and control types (targets) are written in upper case; table names, protocols and match options (-t, -p, -s, -d, --dport) are lower case.
- -I without a rule number inserts at position 1, the top of the chain.
- Rules are matched top to bottom, in order.
- When a rule matches, its control type is applied at once and matching ends (LOG is the exception, see below).
- When no rule matches, the chain's default policy applies.
Basic logic
If the first rule matches, the second, third and fourth rules are never checked.
If a packet matches no rule in the chain, the default policy is applied.
iptables -t nat -I POSTROUTING -p all -s 0.0.0.0/0 -o ens32 -j SNAT --to-source <address of ens32>
-t table name (here nat)
-I insert the rule at the top of the chain
-p all: any protocol
-s source address (0.0.0.0/0 means any source)
-o outbound interface (network card)
-j control type (target); SNAT rewrites the source address to the --to-source value, which must be a concrete address (0.0.0.0/0 is not valid here). If the address on ens32 is dynamic, use -j MASQUERADE, which takes no address.
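The matching rules above (top to bottom, first terminating match wins, LOG does not terminate, otherwise the chain policy applies) can be reproduced with a toy model of one chain. The script below is an added illustration, not code from the original page: it is not iptables, it only models how a chain is traversed, and the addresses (192.168.4.10 standing in for srv1, 192.168.4.20 and 10.0.0.1 as other hosts) are made up for the demonstration.

```shell
#!/bin/sh
# Added illustration (not from the page): a toy model of one iptables chain.
# A rule is "<proto> <src> <target>"; '*' means "any". The chain is a
# newline-separated list, first line = top of the chain, like iptables -L.

chain=''
policy='DROP'          # like: iptables -P INPUT DROP

rule_A() {             # like iptables -A: append at the bottom
    chain="${chain}$*
"
}
rule_I() {             # like iptables -I (no number): insert at the top
    chain="$*
${chain}"
}

chain_eval() {         # usage: chain_eval <proto> <src>   -> prints the verdict
    pkt_proto=$1; pkt_src=$2
    verdict=$(printf '%s' "$chain" | while read -r rp rs rt; do
        [ "$rp" = '*' ] || [ "$rp" = "$pkt_proto" ] || continue
        [ "$rs" = '*' ] || [ "$rs" = "$pkt_src" ] || continue
        case $rt in
            LOG) echo "LOG: $pkt_proto from $pkt_src" >&2; continue ;;  # non-terminating
            *)   echo "$rt"; exit 0 ;;                                  # first match wins
        esac
    done)
    echo "${verdict:-$policy}"   # nothing terminated: the chain policy decides
}

# Case 2 from the page: reject ping from everyone, then allow one host.
# Both rules are added with -I, so the command run *later* ends up on top.
rule_I icmp '*' REJECT
rule_I icmp 192.168.4.10 ACCEPT     # 192.168.4.10 stands in for srv1 (assumed)
rule_A tcp '*' LOG                  # LOG at the bottom: records, then falls through

chain_eval icmp 192.168.4.10        # ACCEPT: the allow sits above the reject
chain_eval icmp 192.168.4.20        # REJECT: any other source hits the catch-all
chain_eval tcp  10.0.0.1            # DROP:   LOG matched but did not end matching
```

Swap the two rule_I calls and the verdict for 192.168.4.10 becomes REJECT: with -I the deny must be inserted first so that the allow lands above it.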
Common control types
Control type | Action |
---|---|
ACCEPT | Let the packet through. |
DROP | Discard the packet silently; the sender gets no response. |
REJECT | Discard the packet and tell the sender, by default with an ICMP port-unreachable message (--reject-with selects another, for example tcp-reset for TCP). |
LOG | Write the packet to the kernel log (dmesg, /var/log/messages), then hand it to the next rule; LOG does not end matching. |
Monitoring
watch -n1 iptables -nvL -t filter --line-numbers
Re-runs the listing every second (-n1), so the packet counters and rule numbers can be watched while traffic is generated.
Implicit matching
Implicit matches require the protocol to be given first (-p tcp, udp or icmp): port numbers, TCP flags and ICMP types only exist for their protocol.
Commonly used implicit matching conditions:
Matching method | Options | Description |
---|---|---|
Port matching | --sport <source port>, --dport <destination port> | A single port or a range, e.g. 20:21 |
TCP flag type | --tcp-flags <flags to examine> <flags that must be set> | e.g. --tcp-flags SYN,RST,ACK SYN matches a new connection |
ICMP type | --icmp-type <type> | 8 = echo request, 0 = echo reply, 3 = destination unreachable |
Examples:
iptables -A FORWARD -s 192.168.4.0/24 -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --dport 20:21 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -j DROP     # echo request: others cannot ping us
iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT   # echo reply: answers to our own pings
iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT   # destination unreachable: error reports
iptables -A INPUT -p icmp -j DROP                   # every other ICMP type
Ban ping of the host IP
To stop other hosts from pinging this machine, add an access control rule.
Block ping with a rule in the INPUT chain of the filter table:
iptables -t filter -I INPUT -p icmp -s 0.0.0.0/0 -j REJECT
INPUT handles packets addressed to this host.
Result when someone pings us: "Destination Port Unreachable" (REJECT's default ICMP reply).
iptables -t filter -I INPUT -p icmp -s 0.0.0.0/0 -j DROP
Result when someone pings us: the request times out, no reply at all.
Both rules match every ICMP type, so they also discard the echo replies and error messages sent back to this host, which breaks ping and path-MTU discovery from the host itself. To block only incoming pings, narrow the match: iptables -I INPUT -p icmp --icmp-type echo-request -j DROP
Delete rules
iptables -t filter -D INPUT 1
Deletes rule number 1 from the INPUT chain of the filter table. Check the numbers first with iptables -t filter -L INPUT --line-numbers; they shift every time a rule is inserted or removed. A rule can also be deleted by repeating its exact specification with -D in place of -I or -A.
Enable forwarding
Enable NAT (source address translation) so that other hosts on the LAN can reach the Internet through this host:
iptables -t nat -I POSTROUTING -p all -s 0.0.0.0/0 -o ens32 -j SNAT --to-source <address of ens32>
--to-source must be the actual address on the outbound interface (0.0.0.0/0 is not accepted); with a dynamic address use -j MASQUERADE instead. Two more things are needed before any packet is forwarded: IP forwarding must be enabled in the kernel (sysctl -w net.ipv4.ip_forward=1; add net.ipv4.ip_forward = 1 to /etc/sysctl.conf to keep it across reboots), and the FORWARD chain must accept the traffic.
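Putting the NAT step together, the script below is an added example and not the page's own command set: a complete SNAT gateway with forwarding enabled, a default-deny FORWARD chain that only lets the LAN out (and replies back in), and the translation rule bound to the uplink. Every concrete value is an assumption for the demo: the LAN 192.168.4.0/24 behind ens33, the uplink ens32, and the uplink address 203.0.113.5 (a documentation-range address; put the real one there).

```shell
#!/bin/sh
# Added example, not from the original page: SNAT gateway for the
# "Enable forwarding" step. All values below are assumptions for the demo.
set -eu

LAN_NET=192.168.4.0/24   # assumed LAN
LAN_IF=ens33             # assumed LAN-side interface
WAN_IF=ens32             # uplink, as on the page
WAN_IP=203.0.113.5       # SNAT needs a concrete address; 0.0.0.0/0 is rejected

# The rules, one iptables argument list per line. Keeping them in a function
# lets them be reviewed (and tested) without touching the kernel.
gateway_rules() {
    cat <<EOF
-t filter -P FORWARD DROP
-t filter -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-t filter -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j SNAT --to-source $WAN_IP
EOF
}

# Installs everything. Needs root; only runs when the script is called with --apply.
apply_rules() {
    sysctl -w net.ipv4.ip_forward=1     # the kernel forwards nothing without this
    iptables -t filter -F FORWARD        # start from a clean FORWARD chain
    iptables -t nat -F POSTROUTING
    gateway_rules | while read -r args; do
        # word splitting of $args into separate arguments is intended here
        iptables $args
    done
}

if [ "${1:-}" = --apply ]; then
    apply_rules
else
    echo "dry run; pass --apply to install these rules:"
    gateway_rules
fi
```

The conntrack rule is what lets replies from the Internet come back to the LAN even though the FORWARD policy is DROP; without it only the outbound half of each connection would pass. When the uplink address is assigned dynamically, replace the last rule with -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE and drop WAN_IP.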
Open the DNS service
iptables -t filter -I INPUT -p udp -s 0.0.0.0/0 --dport 53 -j ACCEPT
Every rule added with -I lands at the top of the chain.
Matching runs top to bottom, so the most recently inserted rule is checked first.
To allow exactly one host and deny everyone else when inserting with -I, add the deny rule first and the allow rule second, so that the allow ends up above the deny. (With -A, which appends at the bottom, the order is reversed: allow first, then deny.)
Export firewall rules (backup)
iptables-save > /tmp/iprules_all.txt
Import firewall backup rules
iptables-restore < /tmp/iprules_all.txt
iptables-save writes every table and chain, with policies and counters, in a text format that iptables-restore reads back; the restore replaces the whole current rule set, so a backup taken before experimenting is the quickest way to undo them. Rules in the kernel are lost at reboot; for persistence the backup must be the file the service loads at start (/etc/sysconfig/iptables for iptables.service).
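Because iptables-save output is plain text, it can be checked before iptables-restore loads it, and it is also the easiest place to spot the ordering mistake described above (a broad deny sitting above a narrower allow, which is then never reached). The script below is an added example, not from the original page; SAVED is a constructed sample in iptables-save format, not a capture from a real host, in which the "allow srv1" rule (192.168.4.10 is an assumed address) was appended with -A instead of inserted with -I.

```shell
#!/bin/sh
# Added example, not from the original page: sanity checks over iptables-save
# text. Run them on a backup file, or on "$(iptables-save)" on a live host.

SAVED=$(cat <<'EOF'
# constructed sample in iptables-save format, not captured from a real host
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.4.0/24 -o ens32 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p icmp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 192.168.4.10/32 -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF
)

# Every *table block must end in COMMIT; iptables-restore rejects a file that
# was cut off (e.g. a backup interrupted while it was being written).
ruleset_complete() {
    printf '%s\n' "$1" | awk '/^\*/ { t++ } /^COMMIT$/ { c++ } END { exit !(t > 0 && t == c) }'
}

# Default policy of every chain, as "table chain policy".
chain_policies() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($1, 2) }
        /^:/  { print table, substr($1, 2), $2 }'
}

# Rules that can never match: an earlier rule in the same chain already takes
# every packet of that protocol (only -p, or no condition at all, and a
# terminating target), so everything for that protocol below it is dead.
shadowed_rules() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($1, 2); for (k in broad) delete broad[k]; next }
        /^-A / {
            chain = $2; proto = "all"; target = ""; narrow = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-p")      proto = $(i + 1)
                else if ($i == "-j") target = $(i + 1)
                else if ($i ~ /^(-s|-d|-i|-o|-m|--sport|--dport|--icmp-type|--tcp-flags|!)$/) narrow = 1
            }
            if (((table, chain, "all") in broad) || ((table, chain, proto) in broad)) {
                print "shadowed in *" table ": " $0
                next
            }
            if (!narrow && target ~ /^(ACCEPT|DROP|REJECT)$/) broad[table, chain, proto] = 1
        }'
}

ruleset_complete "$SAVED" && echo "ruleset complete"
chain_policies "$SAVED"
shadowed_rules "$SAVED"    # reports the ACCEPT for 192.168.4.10 below the ICMP REJECT
```

The shadow check is deliberately conservative: it only flags a rule when an earlier rule in the same chain has no condition other than the protocol, so it will miss overlaps between two narrowed rules but never report a false positive.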
Case
1 Stop every address from pinging this host:
iptables -t filter -p icmp -I INPUT -j REJECT -s 0.0.0.0/0
(screenshots in the original: before setting the rule, setting the rule, after setting it)
2 Allow only srv1 to ping this host.
Rule 1 already rejects ping from every IP, and matching runs top to bottom, so now insert a rule that accepts ICMP from srv1's address. Because the reject was inserted first and the accept second, the accept sits above the reject and is checked first:
iptables -t filter -I INPUT -p icmp -s <IP of srv1> -j ACCEPT
(screenshots in the original: before setting the rule, setting the rule, after setting it)
3 Open the DNS service:
iptables -t filter -I INPUT -p udp -s 0.0.0.0/0 --dport 53 -j ACCEPT
4 Back up the firewall rules:
iptables-save > /etc/sysconfig/iptables
5 Restart the firewall:
systemctl restart firewalld.service
6 Restore the firewall rules:
iptables-restore < /etc/sysconfig/iptables
Import successful.
Note on steps 4 to 6: /etc/sysconfig/iptables is the file iptables.service loads, so on a host running iptables.service the rules saved in step 4 come back by themselves at restart. On a host running firewalld, a restart flushes the hand-written rules and installs firewalld's own; step 6 then flushes those again and loads the backup, leaving firewalld's idea of the rule set out of sync with the kernel. Use one front end or the other, not both.