The principle and function of iptables firewall and access control

iptables firewall

Article directory

  • iptables firewall
      • Start and stop the firewall
      • netfilter
      • View the firewall default rules
      • Rule tables
      • Matching process
          • Four tables and five chains
      • Basic syntax
      • Common control types
      • Monitoring
      • Implicit matching
      • Block ping to the host IP
      • Delete rules
      • Enable forwarding
      • Export (back up) firewall rules
      • Import firewall backup rules
      • Case

Network five-tuple

  • Source IP
  • Destination IP
  • Source port
  • Destination port
  • Protocol
    • tcp
      • There are 6 flags
    • udp
    • icmp

A firewall can control traffic by matching on the five-tuple.

Physical layer

  • Source address: this end of the network cable
  • Destination address: the other end of the network cable

Data link layer

  • Source address: MAC address
    • The MAC address is a 42-bit binary number
  • Destination address: MAC address

Network layer

  • Source address: IP address
    • An IP address is a logical address
  • Destination address: IP address

Transport layer

  • Source address: port
  • Destination address: port

Application layer

Start and stop the firewall

Start the firewall:
systemctl start firewalld.service
Stop the firewall:
systemctl stop firewalld.service
These commands apply to current CentOS versions, which ship firewalld.
On older versions, start the iptables service instead:
systemctl start iptables.service

netfilter

  • netfilter is the packet filtering subsystem inside the Linux kernel; it is the "kernel space" part of the Linux firewall. Because it is built into the kernel, it cannot be uninstalled.
  • iptables, located at /sbin/iptables, is the command-line tool used to manage firewall rules; it is the "user space" part of the Linux firewall.
  • Both names are used to refer to the Linux firewall; as a service it is managed through firewalld.service (or iptables.service on older systems).

View firewall default rules

The default (old-version) firewall configuration file is /etc/sysconfig/iptables. View the current rules with:
iptables -nvL

The firewall works by packet filtering.

Rule tables

Table   Function              Description
raw     connection tracking   decides whether to perform state tracking on this packet
mangle  packet modification   sets marks (and other header fields) on packets
nat     address translation   modifies the source or destination IP address or port in the packet
filter  filtering             decides whether to let the packet through

Rule chains

Service or action               Before turning on the firewall   After turning on the firewall
ping                            Can ping                         Can ping
DHCP                            Can get IP address               Can get IP address
DNS                             Can resolve                      Cannot resolve
SSH                             Can log in remotely              Can log in remotely
Windows access to the Internet  Accessible                       Inaccessible
Nginx load balancing            Accessible                       Inaccessible
Routing and forwarding          Accessible                       Accessible

Rule chain   Function                              Description
INPUT        Processes inbound packets             Where rules restricting access to the local machine are written
PREROUTING   Processes packets before routing
FORWARD      Processes forwarded packets           Whether packets are allowed to be forwarded through this host
POSTROUTING  Processes packets after routing
OUTPUT       Processes outbound packets            Restrictions on packets leaving the host (rules are rarely written here)

Matching process

Order between rule tables: raw -> mangle -> nat -> filter.

Order between rule chains:

  • Inbound: PREROUTING -> INPUT
  • Outbound: OUTPUT -> POSTROUTING
  • Forwarded: PREROUTING -> FORWARD -> POSTROUTING

Order of matching within a rule chain:

  • Rules are checked from top to bottom; matching stops at the first rule that matches.
  • If no rule matches, the packet is handled according to the chain's default policy.

In short, the firewall matching model is four tables and five chains.

Basic syntax

iptables -t <table name> <option> [<rule number>] <chain name> [<matching conditions>] [-j <control type>]

Notes:

  • When no table name is specified, the filter table is used;
  • When no chain name is specified, the operation applies to all chains in the table;
  • Matching conditions must be specified unless you are setting the chain's default policy;
  • Chain names and control types are written in uppercase, as are the rule-operation options (-I, -A, -D, -L); everything else is lowercase;
  • When no rule number is specified, the rule is inserted as the first rule of the chain;
  • Rules are matched in order from top to bottom;
  • As soon as a rule matches, its action (control type) is executed and matching ends;
  • If no rule matches, the default action (chain policy) is applied.

Basic logic

If the first rule matches, the second, third and fourth rules are never checked.

If no rule in the chain matches, the default policy is applied.

iptables -t nat -I POSTROUTING -p all -s 0.0.0.0/0 -o ens32 -j SNAT --to-source 0.0.0.0/0

-t   table name

-I   insert a rule

-s   source address (long form --source)

-o   outbound interface (network card)

-j   control type (target)

Common control types

Control type   Action description
ACCEPT         Allow the packet through.
DROP           Discard the packet silently, without any response.
REJECT         Refuse the packet and, where applicable, send back an error response.
LOG            Record log information, then pass the packet to the next rule to continue matching.

Monitoring

watch -n1 "iptables -nvL -t filter --line-numbers"

Refreshes the rule listing once per second (-n1); --line-numbers shows the rule numbers used with -I and -D.

Implicit matching

Implicit matches require a specific protocol (-p) as a prerequisite; they include port, TCP flag and ICMP type conditions.

Commonly used implicit matching conditions:

Matching method   Options                     Description
Port matching     --sport / --dport           source port / destination port
TCP flag type     --tcp-flags                 check the flags that are set
ICMP type         --icmp-type                 ICMP type {8|0|3}

iptables -A FORWARD -s 192.168.4.0/24 -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --dport 20:21 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -j DROP     # echo request
iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT   # echo reply
iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT   # destination unreachable
iptables -A INPUT -p icmp -j DROP

Block ping to the host IP

If we do not want our host to be pingable by others, we need access control.
Block ping using the INPUT chain of the filter table:

iptables -t filter -I INPUT -p icmp -s 0.0.0.0/0 -j REJECT

INPUT handles inbound packets.

Result when someone pings the host: "Destination port unreachable" (REJECT sends back an ICMP port-unreachable error by default).

iptables -t filter -I INPUT -p icmp -s 0.0.0.0/0 -j DROP

Result when someone pings the host: request timed out (DROP sends nothing back).

Delete rules

iptables -t filter -D INPUT 1

Deletes the rule with number 1 in the INPUT chain of the filter table.

Enable forwarding

Enable NAT (source address translation) so that other hosts on the LAN can access the Internet:

iptables -t nat -I POSTROUTING -p all -s 0.0.0.0/0 -o ens32 -j SNAT --to-source 0.0.0.0/0

Note: --to-source expects a concrete address, the public IP of ens32; 0.0.0.0/0 here stands in for that address. If the public address is assigned dynamically, use -j MASQUERADE instead of SNAT. Forwarding also requires IP forwarding to be enabled in the kernel (net.ipv4.ip_forward = 1).

Open the DNS service:

iptables -t filter -I INPUT -p udp -s 0.0.0.0/0 --dport 53 -j ACCEPT

Every rule added with -I becomes the first rule of the chain.

Firewall matching is from top to bottom, so a newly inserted rule is checked first.

If you want to allow only one address and deny all others:

add the deny rule first, then add the allow rule, so the allow rule ends up above the deny rule.

Export (back up) firewall rules

iptables-save >/tmp/iprules_all.txt

Import firewall backup rules

iptables-restore < /tmp/iprules_all.txt

Case

1. Block all addresses from pinging this host:
iptables -t filter -p icmp -I INPUT -j REJECT -s 0.0.0.0/0

(screenshots: before setting the rule, setting the rule, after setting the rule)

2. Allow only srv1 to ping this host.
Because we have just added a rule that blocks ping from all IPs, and matching runs from top to bottom, we now add a rule that allows this one IP to ping us. The deny rule is added first, then the allow rule, so the allow rule is checked before the reject.

(screenshots: before setting the rule, setting the rule, after setting the rule)

3. Open the DNS service:
iptables -t filter -I INPUT -p udp -s 0.0.0.0/0 --dport 53 -j ACCEPT

4. Back up the firewall rules:
iptables-save >/etc/sysconfig/iptables

5. Restart the firewall:
systemctl restart firewalld.service

6. Restore the firewall rules:
iptables-restore < /etc/sysconfig/iptables

(screenshot: import successful)
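The ordering rule that cases 1 to 3 rely on (rules are checked top to bottom, the first match decides, LOG falls through, and the chain policy applies when nothing matches) can be replayed offline with a small simulator. The block below is an added example written for this article, not code from the article or from the iptables project: it models one chain with -I, -A and -D, and rebuilds the case INPUT chain so you can see why the srv1 allow rule must be inserted above the reject. The srv1 address (192.168.4.10) and the other packet sources are constructed for the demo.

```python
# Added example (not from the original article): a small simulator of the
# iptables matching semantics this article describes, for one chain.
# Rules are checked top to bottom, the first match decides, LOG is the one
# non-terminating target, and when nothing matches the chain policy applies.
# Host addresses (srv1 = 192.168.4.10) are constructed for the demo.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    target: str                       # -j ACCEPT | DROP | REJECT | LOG
    proto: Optional[str] = None       # -p tcp | udp | icmp (None = any protocol)
    src: str = "0.0.0.0/0"            # -s source address or network
    dport: Optional[int] = None       # --dport (implicit match, needs -p)
    icmp_type: Optional[int] = None   # --icmp-type (implicit match, needs -p icmp)

    def matches(self, pkt: dict) -> bool:
        """Return True when every condition of this rule matches the packet."""
        if self.proto is not None and pkt["proto"] != self.proto:
            return False
        if ip_address(pkt["src"]) not in ip_network(self.src, strict=False):
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        if self.icmp_type is not None and pkt.get("icmp_type") != self.icmp_type:
            return False
        return True


@dataclass
class Chain:
    policy: str = "ACCEPT"                    # default policy, set with -P
    rules: list = field(default_factory=list)

    def insert(self, rule: Rule, num: int = 1) -> None:
        """iptables -I CHAIN [num]: insert; at the top when no number is given."""
        self.rules.insert(num - 1, rule)

    def append(self, rule: Rule) -> None:
        """iptables -A CHAIN: append at the bottom."""
        self.rules.append(rule)

    def delete(self, num: int) -> None:
        """iptables -D CHAIN num: delete by rule number (1-based, as --line-numbers shows)."""
        del self.rules[num - 1]

    def verdict(self, pkt: dict):
        """Walk the chain top to bottom; return (target, rule number), 0 = chain policy."""
        for num, rule in enumerate(self.rules, start=1):
            if rule.matches(pkt):
                if rule.target == "LOG":
                    continue            # LOG records and falls through to the next rule
                return rule.target, num
        return self.policy, 0


SRV1 = "192.168.4.10"   # constructed address standing in for "srv1"


def ping_from(src: str) -> dict:
    """An ICMP echo request (type 8) from src, as seen by the INPUT chain."""
    return {"proto": "icmp", "src": src, "icmp_type": 8}


def build_case_chain(allow_with_append: bool = False) -> Chain:
    """Replay the article's case steps 1-3 on the INPUT chain.

    Step 1: -I INPUT -p icmp -s 0.0.0.0/0 -j REJECT        (deny ping from everyone)
    Step 2: -I INPUT -p icmp -s <srv1> -j ACCEPT           (allow only srv1, added after the deny)
    Step 3: -I INPUT -p udp -s 0.0.0.0/0 --dport 53 -j ACCEPT
    With allow_with_append=True, step 2 uses -A instead of -I, which lands the
    allow rule below the reject and makes it unreachable.
    """
    chain = Chain(policy="ACCEPT")
    chain.insert(Rule("REJECT", proto="icmp"))
    allow_srv1 = Rule("ACCEPT", proto="icmp", src=SRV1)
    if allow_with_append:
        chain.append(allow_srv1)
    else:
        chain.insert(allow_srv1)
    chain.insert(Rule("ACCEPT", proto="udp", dport=53))
    return chain


if __name__ == "__main__":
    chain = build_case_chain()
    for num, rule in enumerate(chain.rules, start=1):
        print(num, rule)
    print("ping from srv1   ->", chain.verdict(ping_from(SRV1)))
    print("ping from other  ->", chain.verdict(ping_from("10.0.0.5")))
    print("DNS query        ->", chain.verdict({"proto": "udp", "src": "10.0.0.5", "dport": 53}))
    print("srv1 allow via -A->", build_case_chain(allow_with_append=True).verdict(ping_from(SRV1)))
```

Run it as a script to print the resulting chain and verdicts. With -I for every step the chain reads DNS accept, srv1 accept, ICMP reject, so srv1 hits rule 2 and everyone else hits rule 3; with -A for the allow rule it sits below the reject and never matches, which is the mistake the "deny first, then allow" ordering avoids.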