I. Linux Firewall Basics

1.1 Overview of the Linux packet-filtering firewall (1)

■ netfilter

Located in the Linux kernel; provides the packet-filtering function
Called the "kernel mode" of the Linux firewall

■ iptables

Located at /sbin/iptables; the tool used to manage firewall rules
Called the "user mode" of the Linux firewall

—— Either of the two names above can be used to refer to the Linux firewall

1.2 Overview of the Linux packet-filtering firewall (2)

■ Layer at which packet filtering works

Mainly the network layer, operating on IP packets
In practice this means processing based on IP address, port and similar header information

1.3 iptables table and chain structure (1)

■ Rule chains

Role of a rule: to filter or otherwise process packets
Role of a chain: to hold the various firewall rules
Chains are classified by the point at which packets are processed

■ Five rule chains are included by default

INPUT: processes inbound packets
OUTPUT: processes outbound packets
FORWARD: processes forwarded packets
POSTROUTING: processes packets after routing
PREROUTING: processes packets before routing

1.4 iptables table and chain structure (2)

■ Rule tables

Role of a table: to hold the various rule chains
Tables are divided by purpose: rules with a similar role share a table

■ Four rule tables are included by default

raw table: determines whether connection tracking is applied to a packet
mangle table: sets marks on packets
nat table: modifies the source or destination IP address or port of a packet
filter table: determines whether a packet is allowed through (filtering)

1.5 iptables table and chain structure (3)

■ Diagram of the default tables and chains

[Figure: default table and chain structure diagram]

1.6 The matching process of packet filtering (1)

■ Order between rule tables

raw → mangle → nat → filter

■ Order between rule chains

Inbound: PREROUTING → INPUT
Outbound: OUTPUT → POSTROUTING
Forwarded: PREROUTING → FORWARD → POSTROUTING

■ Order of matching within a rule chain

Rules are checked in order; matching stops at the first match (the LOG target is the exception)
If no rule matches, the chain's default policy is applied

1.7 The matching process of packet filtering (2)

■ Matching process diagram

[Figure: packet-filtering matching process diagram]

II. Writing Firewall Rules

2.1 Installing iptables

■ Stop the firewalld firewall

# systemctl stop firewalld.service
# systemctl disable firewalld.service

■ Install the iptables firewall

# yum -y install iptables iptables-services

■ Start iptables and enable it at boot

# systemctl start iptables.service
# systemctl enable iptables.service

2.2 iptables basic syntax (1)

■ Syntax structure

iptables [-t table_name] option [chain_name] [match_conditions] [-j target]

# iptables -t filter -I INPUT -p icmp -j REJECT

■ Points to note

When no table is specified, the filter table is assumed
When no chain is specified, the operation applies to all chains in the table
Unless you are setting a chain's default policy, you must specify a match condition
Management options, chain names and target names are written in uppercase; everything else in lowercase

2.3 iptables basic syntax (2)

■ Common targets (control types) for packets

ACCEPT: allow the packet through
DROP: discard the packet silently, with no response
REJECT: refuse the packet and, where appropriate, send a rejection notice back
LOG: record the packet in the log, then continue matching with the next rule
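Because LOG does not stop matching, the usual pattern is a LOG rule directly followed by a DROP rule with the same match, and the kernel log is then where the dropped traffic becomes visible. The script below is an added example, not part of the original post: it shows that rule pair and summarizes the resulting kernel log lines per source address and destination port. The log lines are constructed samples in the kernel's LOG output format; the prefix "IPT-DROP: ", the host name fw and the interface ens33 are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): summarize packets recorded by
# an iptables LOG rule. The LOG target keeps matching, so the pair
#   iptables -A INPUT -p tcp --dport 22 -j LOG --log-prefix "IPT-DROP: "
#   iptables -A INPUT -p tcp --dport 22 -j DROP
# logs a packet and then drops it. On a live host feed the kernel log in with
#   journalctl -k | summarize_log
# Here constructed sample lines stand in for the real log.

LOG_PREFIX="IPT-DROP: "   # assumption: the prefix used in the LOG rule

# Constructed sample log (not captured from a real system). The last line is
# an unrelated sshd message that the filter must ignore.
SAMPLE_LOG='Mar  3 10:01:02 fw kernel: IPT-DROP: IN=ens33 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=10.20.30.5 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=53422 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:01:03 fw kernel: IPT-DROP: IN=ens33 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=10.20.30.5 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12346 DF PROTO=TCP SPT=53423 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:01:05 fw kernel: IPT-DROP: IN=ens33 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:11:22:33:08:00 SRC=172.16.9.9 DST=192.168.1.10 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=ICMP TYPE=8 CODE=0 ID=4 SEQ=1
Mar  3 10:01:06 fw kernel: IPT-DROP: IN=ens33 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=10.20.30.5 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12347 DF PROTO=TCP SPT=53424 DPT=3389 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:01:07 fw sshd[1234]: Accepted publickey for admin from 192.168.1.50 port 50000 ssh2'

# Read log lines on stdin; keep only those carrying our LOG prefix and print
# "count SRC PROTO DPT" (for ICMP the destination port column shows the
# ICMP type instead), most frequent first.
summarize_log() {
    grep -F -- "$LOG_PREFIX" | awk '
    {
        src = proto = port = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "SRC")        src = kv[2]
            else if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "DPT")   port = kv[2]
            else if (kv[1] == "TYPE")  port = "type" kv[2]
        }
        if (src != "") count[src " " proto " " port]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# Read log lines on stdin; print each source address whose total number of
# logged packets reaches the threshold given as $1.
flag_sources() {
    threshold=$1
    summarize_log | awk -v t="$threshold" '
        { total[$2] += $1 }
        END { for (s in total) if (total[s] >= t) print s }' | sort
}

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | summarize_log
fi
```

Run with --demo to see the summary of the constructed sample; the two lines for port 22 from the same source collapse into one row with a count of 2, while the sshd line is ignored.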

2.4 iptables management options (1)

■ Add new rules

-A: append a rule at the end of the chain
-I: insert a rule at the beginning of the chain (or at the given position number)

# iptables -t filter -A INPUT -p tcp -j ACCEPT
# iptables -I INPUT -p udp -j ACCEPT
# iptables -I INPUT 2 -p icmp -j ACCEPT

2.5 iptables management options (2)

■ View the rule list

-L: list all rule entries
-n: show addresses, ports and similar information in numeric form
-v: show rule information in more detail
--line-numbers: show each rule's sequence number when listing

# iptables -L INPUT --line-numbers
# iptables -n -L INPUT

2.6 iptables management options (3)

■ Delete and flush rules

-D: delete one rule from the chain, by sequence number (or by content)
-F: flush all rules

# iptables -D INPUT 3
# iptables -F
# iptables -t nat -F
# iptables -t mangle -F
# iptables -t raw -F

2.7 iptables management options (4)

■ Set the default policy

-P: set the default policy for the specified chain

# iptables -t filter -P FORWARD DROP
# iptables -P OUTPUT ACCEPT

2.8 iptables management options (5)

■ Summary of common management options

-A: append a rule to the end of a chain
-I: insert a rule at the beginning of a chain (or at a given position)
-D: delete a rule by sequence number or by content
-F: flush all rules in a chain or table
-P: set a chain's default policy
-L: list rules; combine with -n (numeric), -v (verbose) and --line-numbers

2.9 Match conditions of rules (1)

■ Generic matches

Can be used directly, without depending on other conditions or extension modules
Include protocol, IP address, network interface and similar conditions

■ Implicit matches

Require a specific protocol match (-p) as a precondition
Include port, TCP flags, ICMP type and similar conditions

■ Explicit matches

Must be requested explicitly in the form "-m extension_module"
Include multiple ports, MAC address, IP range, packet state and similar conditions

2.10 Match conditions of rules (2)

■ Common generic match conditions

Protocol match: -p protocol_name
Address match: -s source_address, -d destination_address
Interface match: -i inbound_interface, -o outbound_interface

# iptables -I INPUT -p icmp -j DROP
# iptables -A FORWARD ! -p icmp -j ACCEPT
# iptables -A FORWARD -s 192.168.1.11 -j REJECT
# iptables -I INPUT -s 10.20.30.0/24 -j DROP
# iptables -A INPUT -i ens33 -s 192.168.0.0/16 -j DROP
# iptables -A INPUT -i ens33 -s 10.0.0.0/8 -j DROP
# iptables -A INPUT -i ens33 -s 172.16.0.0/12 -j DROP

2.11 Match conditions of rules (3)

■ Common implicit match conditions

Port match: --sport source_port, --dport destination_port
ICMP type match: --icmp-type icmp_type

# iptables -A FORWARD -s 192.168.4.0/24 -p udp --dport 53 -j ACCEPT
# iptables -A INPUT -p tcp --dport 20:21 -j ACCEPT
# iptables -A INPUT -p icmp --icmp-type 8 -j DROP
# iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
# iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
# iptables -A INPUT -p icmp -j DROP

2.12 Match conditions of rules (4)

■ Common explicit match conditions

Multiport match: -m multiport --sports source_port_list
                 -m multiport --dports destination_port_list
IP range match: -m iprange --src-range ip_range
MAC address match: -m mac --mac-source mac_address
State match: -m state --state connection_state

# iptables -P INPUT DROP
# iptables -I INPUT -p tcp -m multiport --dports 80 -j ACCEPT
# iptables -I INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
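The following script is an added example, not from the original post: it assembles a complete default-deny INPUT policy from the options covered in sections 2.2 to 2.12. The point it adds to the snippet above is ordering. The accept rules for loopback, ESTABLISHED,RELATED traffic and the administrative port are installed first, and the policy is switched to DROP last, so a remote session is never cut off between the two steps. The SSH and web ports and the log prefix "IPT-DROP: " are assumptions; -C is the real iptables option that reports whether a rule already exists, used here to make the script safe to re-run.

```shell
#!/bin/sh
# Added example (not from the original post): build a default-deny INPUT
# policy from the options covered in sections 2.2 to 2.12, applying the
# accept rules before the policy flips to DROP so an SSH session survives.
# Assumptions: SSH on port 22, a web server on 80/443, log prefix "IPT-DROP: ".

IPTABLES="${IPTABLES:-iptables}"    # overridable for a dry run (see below)
SSH_PORT="${SSH_PORT:-22}"
WEB_PORTS="${WEB_PORTS:-80,443}"

# Append a rule only when an identical one is not already present:
# -C exits 0 if the rule exists, so -A runs only when it does not.
add_rule() {
    "$IPTABLES" -C "$@" 2>/dev/null || "$IPTABLES" -A "$@"
}

apply_input_policy() {
    # 1. Accept rules first, while the chain's policy is still ACCEPT.
    add_rule INPUT -i lo -j ACCEPT
    add_rule INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    add_rule INPUT -m state --state INVALID -j DROP
    add_rule INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW -j ACCEPT
    add_rule INPUT -p tcp -m multiport --dports "$WEB_PORTS" -m state --state NEW -j ACCEPT
    add_rule INPUT -p icmp --icmp-type 8 -j ACCEPT
    # 2. Log whatever is left (LOG keeps matching; the policy then drops it).
    #    The limit match keeps a flood from filling the log.
    add_rule INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-DROP: "
    # 3. Only now switch the default policies.
    "$IPTABLES" -P INPUT DROP
    "$IPTABLES" -P FORWARD DROP
    "$IPTABLES" -P OUTPUT ACCEPT
}

# Show the result with numeric addresses, packet counters and rule numbers.
show_rules() {
    "$IPTABLES" -n -v -L INPUT --line-numbers
}

# Stand-in for iptables during a dry run: prints each command instead of
# running it, and answers every -C check with "rule not present".
dry_run_iptables() {
    [ "$1" = "-C" ] && return 1
    printf 'iptables %s\n' "$*"
}

case "${1:-}" in
    --apply)   apply_input_policy; show_rules ;;
    --dry-run) IPTABLES=dry_run_iptables; apply_input_policy ;;
    *)         echo "usage: $0 --dry-run | --apply (as root)" >&2 ;;
esac
```

Run it with --dry-run first to review the rule list as plain commands; as root, --apply installs the rules and lists the chain. With the iptables-services package installed as in section 2.1, `service iptables save` writes the running rule set to /etc/sysconfig/iptables so it is restored at boot.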