Use and understanding of iptables

The implementation of security groups in OpenStack Neutron is based on iptables (OpenFlow flow tables are also supported), so I want to deepen my understanding of iptables. Many people know iptables but not netfilter: iptables is only the firewall management tool on Linux, located at /sbin/iptables, while netfilter is the actual firewall implementation in the kernel. netfilter/iptables (hereinafter referred to as iptables) forms the packet filtering firewall on the Linux platform. Like most Linux software, this packet filtering firewall is free, and it can replace expensive commercial firewall solutions for packet filtering, packet redirection and Network Address Translation (NAT).
1. Tables and chains of iptables

    Table    Chains                                            Function
    filter   INPUT, FORWARD, OUTPUT                            Default table; filters packets and decides whether to let them through
    nat      PREROUTING, OUTPUT, POSTROUTING                   Network address translation (IP address, port)
    mangle   PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING   Modifies the packet's type of service (ToS) and TTL, and marks packets so routing can implement QoS (kernel module)
    raw      OUTPUT, PREROUTING                                Advanced functions; decides whether the packet is handled by the connection tracking (state) mechanism

Priority between the rule tables: raw > mangle > nat > filter

2. How a packet travels through iptables

① When a packet enters the network card, it first enters the PREROUTING chain, and the kernel decides from the packet's destination IP whether it is addressed to the local machine.

② If the packet is addressed to the local machine, it continues to the INPUT chain; after passing the INPUT chain it is delivered to the receiving process. Programs running on the local machine can also send packets, which pass through the OUTPUT chain and then the POSTROUTING chain before leaving.

③ If the packet is to be forwarded and the kernel allows forwarding, the packet flows to the FORWARD chain for processing (forward or intercept), and then to the POSTROUTING chain (where its addresses may be rewritten, etc.).

Chain flow of packets:

  • Packets to a process on this machine: PREROUTING --> INPUT
  • Packets forwarded by this machine: PREROUTING --> FORWARD --> POSTROUTING
  • Packets (usually replies) sent by a process on the local machine: OUTPUT --> POSTROUTING
3. iptables usage

Command syntax

    iptables -t <table> <-A/I/D/R> <chain> [rulenum] <-i/-o interface> -p <protocol> <-s source IP/subnet> --sport <source port> <-d destination IP/subnet> --dport <destination port> -j <target>

Related options

-t, --table table: Operate on the specified table, which must be one of raw, nat, filter and mangle. If this option is not given, the filter table is used.

# Generic matches: source and destination address
-p: Specifies the packet protocol to match.
-s, --source [!] address[/mask]: Use the specified address or range of addresses as the source address for this rule. Without a mask, address is a single address, e.g. 192.168.1.1; with a mask it denotes a range of addresses, e.g. 192.168.1.0/255.255.255.0.
-d, --destination [!] address[/mask]: Same address format as above, but the address is matched as the destination address.
-i, --in-interface [!] <interface name>: Specifies the network interface the packet arrives on, e.g. the common eth0. Note: it only works on the three chains INPUT, FORWARD and PREROUTING. If this option is not given, packets may come from any interface. As before, "!" means negation.
-o, --out-interface [!] <interface name>: Specifies the network interface the packet leaves through. Only works on the three chains OUTPUT, FORWARD and POSTROUTING.

# View management commands
-L, --list [chain] List all rules on chain chain, or if no chain is specified, list all rules on all chains in the table.

# Rule management commands
-A, --append chain rule-specification: Appends the specified rule to the end of chain, so it is evaluated last. The rule is specified by the matches that follow.
-I, --insert chain [rulenum] rule-specification: Inserts one or more rules at the given position in chain. Rule number 1 inserts at the head of the chain; this is also the default when no rule number is given.
-D, --delete chain rule-specification / -D, --delete chain rulenum: Deletes one or more rules from the specified chain, by specification or by number.
-R, --replace chain rulenum rule-specification: Replaces (modifies) the rule at position rulenum in chain.

# Chain management commands (these take effect immediately)
-P, --policy chain target: Sets the default policy (target) of the specified chain. Note that only built-in chains can have a policy; user-defined chains cannot.
-F, --flush [chain]: Clears all rules on the specified chain. If no chain is given, clears all rules on all chains in the table.
-N, --new-chain chain: Creates a new user-defined chain with the given name.
-X, --delete-chain [chain]: Deletes the specified chain. The chain must not be referenced by any rule and must itself contain no rules. If no chain name is given, all non-built-in chains in the table are deleted.
-E, --rename-chain old-chain new-chain: Renames the specified chain. This does not affect the rules inside the chain.
-Z, --zero [chain]: Zeroes the packet and byte counters of the specified chain, or of all chains in the table.

-j, --jump target <specified target>: that is, what action should be performed when a certain condition is met. The target can be a built-in target, such as ACCEPT, or a user-defined chain.
-h: Display help information;

    Target       Function
    ACCEPT       Allow the packet through.
    DROP         Discard the packet silently without any response; the client gets no reply and waits until it times out.
    REJECT       Refuse the packet; where appropriate an error response is sent back to the sender, so the client learns of the rejection as soon as it makes the request.
    SNAT         Source address translation; lets intranet users share one public address to reach the Internet.
    DNAT         Destination address translation.
    MASQUERADE   A special form of SNAT suited to dynamic or temporary IP addresses.
    REDIRECT     Port mapping on the local machine.
    LOG          Record the packet via the kernel log (e.g. in /var/log/messages) and then pass it on to the next rule; apart from logging nothing is done to the packet, and matching continues with the next rule.
    MARK         Tag the packet with a mark that later rules or routing can use as a matching condition; after marking, matching continues with the other rules.
    RETURN       End filtering in the current chain and return to the calling chain to continue. If a user-defined chain is seen as a subroutine, this action is equivalent to leaving the subroutine early and returning to the main program.
4. iptables example commands
  1. Clear all current rules and counters

    iptables -F # Flush all rules in the filter table (add -t nat, -t mangle, etc. for the other tables)
    iptables -X # Delete user-defined (empty) chains
    iptables -Z # Zero the packet and byte counters

  2. Set default policies

    iptables -P INPUT DROP # Deny incoming traffic by default
    iptables -P FORWARD DROP # Do not forward by default
    iptables -P OUTPUT ACCEPT # Allow outgoing traffic by default

  3. Allow the local loopback address to work normally

    iptables -A INPUT -i lo -j ACCEPT
    # The loopback address 127.0.0.1 is used by the local machine itself; allow it both in and out
    iptables -A OUTPUT -o lo -j ACCEPT

  4. Enable SNAT forwarding

    iptables -t nat -A POSTROUTING -s 192.168.188.0/24 -j SNAT --to-source 210.14.67.127

  5. DNAT port forwarding

    iptables -t nat -A PREROUTING -d 210.14.67.127 -p tcp --dport 2222 -j DNAT --to-destination 192.168.188.115:22

  6. Open specific ports

    iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT # Allow the local loopback interface (the local machine accessing itself)
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # Allow established or related traffic
    iptables -A OUTPUT -j ACCEPT # Allow all outbound access from this machine
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT # Allow access to port 22
    iptables -A INPUT -p tcp --dport 80 -j ACCEPT # Allow access to port 80
    iptables -A INPUT -p tcp --dport 21 -j ACCEPT # Allow port 21 for the FTP service
    iptables -A INPUT -p tcp --dport 20 -j ACCEPT # Allow port 20 for the FTP service
    iptables -A INPUT -j REJECT # Reject everything not allowed by the rules above
    iptables -A FORWARD -j REJECT # Reject forwarding not allowed by the rules above

  7. View the added rules

    iptables -nvL
    iptables -t filter -nvL
    iptables -t nat -nvL
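As an added illustration (not code from the original post), the following Python simulates the first-match evaluation that sections 2 and 3 describe, over the INPUT rules of step 6 with the default policies of step 2. The packets, the parser and the final port-443 rule are constructed here; `shadowed()` flags rules that can never fire because a catch-all REJECT precedes them in the chain.

```python
import shlex

POLICY = {"INPUT": "DROP", "FORWARD": "DROP", "OUTPUT": "ACCEPT"}  # step 2
TERMINATING = {"ACCEPT", "DROP", "REJECT"}

# Step-6 INPUT rules in the page's syntax, plus one constructed rule appended
# after the catch-all REJECT to show the ordering pitfall.
RULES = """
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT
-A INPUT -p tcp --dport 443 -j ACCEPT
""".strip().splitlines()


def parse(line):
    """Split '-A CHAIN <matches> -j TARGET' into (chain, matches, target)."""
    tok = shlex.split(line)
    chain, target, m = tok[1], None, {}
    for opt, val in zip(tok[2::2], tok[3::2]):  # each option takes one argument
        if opt == "-j":
            target = val
        elif opt != "-m":  # '-m state' only loads the match module
            m[opt] = set(val.split(",")) if opt == "--state" else val
    return chain, m, target


def matches(m, pkt):
    """Every match option on the rule must agree with the packet fields."""
    return all(pkt.get("state") in want if opt == "--state" else str(pkt.get(opt)) == want
               for opt, want in m.items())


def verdict(chain, pkt, rules=RULES):
    """First matching terminating rule wins; otherwise the chain policy applies."""
    for n, line in enumerate(rules, 1):
        c, m, target = parse(line)
        if c == chain and matches(m, pkt) and target in TERMINATING:
            return target, n          # (target, rule number)
    return POLICY[chain], None        # no rule matched: default policy


def shadowed(chain, rules=RULES):
    """Rule numbers that can never fire: an earlier match-all rule terminates."""
    dead, blocked = [], False
    for n, line in enumerate(rules, 1):
        c, m, target = parse(line)
        if c == chain and blocked:
            dead.append(n)
        elif c == chain and not m and target in TERMINATING:
            blocked = True
    return dead
```

A packet is a dict keyed by the option names (`-i`, `-p`, `--dport`) plus a `state`; running `shadowed("INPUT")` reports rule 6, which is why new ACCEPT rules must be inserted with `-I` before the catch-all rather than appended with `-A`.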
Extension: ipset

ipset is an extension of iptables that lets you write rules matching an entire set of addresses. Unlike ordinary iptables rules, which match a single IP each, an IP set is stored in an indexed data structure that can be searched efficiently even when the set is large. This suits common cases such as blocking a list of dangerous hosts from reaching the local machine, and reduces system resource usage and the risk of network congestion. ipset also enables new firewall design approaches and simplifies configuration. Official website: http://ipset.netfilter.org/