Firewall Netfilter
Guest on 11th May 2022 01:50:54 AM

Firewall:
(1) Netfilter
Uses the kernel's built-in packet filter, managed with the iptables tool; it mainly analyzes OSI layers 2, 3 and 4 (MAC, IP, TCP, UDP, ICMP, etc.)
Common methods
(a) Control by port, e.g. refusing packets on ports 80, 21, 20 from entering or leaving
(b) Control by IP
(c) Control by TCP flag, e.g. rejecting active connection attempts (packets with the SYN flag set)
(d) Control by MAC
(2) TCP Wrapper
Has nothing to do with the port, only with the program name.
It looks at the name of the program the client wants to connect to, then checks the client's IP to decide whether the connection is let through.
Rule order: /etc/hosts.allow is compared first, then /etc/hosts.deny
(3) Proxy
All packets entering and leaving the LAN are handled by the proxy; generally only ports 80, 21 and 20 are opened
DMZ (Demilitarized Zone): web servers are placed between two firewalls, which
separates the LAN from the Internet and avoids attacks in both directions. The two firewalls (refer to the right) are
the internal LAN firewall and the external Internet firewall.
iptables
Rules are compared in order: if a packet matches a rule, that rule's action is taken;
if it does not match, comparison continues with the next rule.
There are three main tables:
filter (manages packets entering and leaving the machine itself), nat (manages the back-end hosts, i.e. those inside the firewall), mangle (manages special flags).
filter (the default):
INPUT: packets that want to enter the local machine
OUTPUT: packets that the local machine wants to send
FORWARD: packets forwarded to the back-end hosts (NAT)
nat (converts source and destination IP or port):
PREROUTING: rules applied before the routing decision (DNAT/REDIRECT)
POSTROUTING: rules applied after the routing decision (SNAT/MASQUERADE)
OUTPUT: packets sent out by the local machine
iptables [-t tables] [-L] [-nv]
-t : followed by the table, such as nat or filter; if omitted, the default table filter is used
-L : list the rules of the current table
-n : do not do reverse lookups of IP and HOSTNAME; the listing is displayed much faster!
-v : list more information, including the total number of packets that matched each rule, the associated network interface, etc.
target: the action; ACCEPT lets the packet through and REJECT rejects it; in addition there is DROP (discard)!
prot: the packet protocol, mainly the three formats tcp, udp and icmp;
opt: additional option description
source: which "source IP" this rule restricts
destination: which "destination IP" this rule restricts
iptables [-t tables] [-FXZ]
-F : clear all established rules;
-X : delete all user "customized" chains (should say tables);
-Z : reset all chain packet counts and traffic statistics to zero
iptables [-t nat] -P [INPUT,OUTPUT,FORWARD] [ACCEPT,DROP]
-P : define the policy. Note that this P is capitalized! (The policy is the default: if a packet matches no rule, it is processed according to the policy)
ACCEPT : the packet is accepted
DROP : the packet is dropped directly, without letting the client know why it was dropped.
iptables [-AI chain] [-io network interface] [-p protocol] [-s source IP/network] [-d destination IP/network] -j [ACCEPT|DROP|REJECT|LOG]
-AI chain: "insert" or "append" a rule to a certain chain
    -A : append a new rule at the end of the existing rules. For example, if there are already four rules,
         -A adds the fifth rule!
    -I : insert a rule. If no position is specified, the inserted rule becomes the first rule.
         For example, if there were originally four rules and -I is used, the new rule becomes No. 1 and the original four become No. 2~5.
    Chain: INPUT, OUTPUT, FORWARD, etc. The chain name is related to -io, see below.
-io network interface: specify the interface on which packets come in or go out
    -i : the network interface the packet enters through, such as eth0, lo, etc. Used together with the INPUT chain;
    -o : the network interface the packet leaves through. Used together with the OUTPUT chain;
-p protocol: set which packet format this rule applies to
   The main packet formats are: tcp, udp, icmp and all.
-s source IP/network: set the source of the packets this rule matches; a single IP or a whole network can be specified, for example:
   IP:
   Network:, can be used.
   To specify "not allowed", add !, for example:
   -s ! means that packets from are not allowed;
-d destination IP/network: same as -s, but here it refers to the destination IP or network.
-j : followed by the action; the main actions are accept (ACCEPT), discard (DROP), reject (REJECT) and log (LOG)
## If an item is not specified, that item matches everything (it is fully accepted)
## LOG writes the packet's information into the kernel log, /var/log/messages; it is only a record and does not affect how the packet is compared against the following rules
iptables [-AI chain] [-io network interface] [-p tcp,udp] [-s source IP/network] [--sport port range] [-d destination IP/network] [--dport port range] -j [ACCEPT|DROP|REJECT]
--sport port range: limit the source port number; a range of ports can be given, such as 1024:65535
--dport port range: limit the destination port number.
For example: to block packets coming from ports 1024:65535 of that want to connect to the local ssh port,
you can do this:
# iptables -A INPUT -i eth0 -p tcp -s --sport 1024:65534 --dport ssh -j DROP
Besides ports, TCP has special flags! The most common is the SYN flag of an active connection.
iptables also supports handling it with " --syn ". Let's illustrate with the following example:
Example: discard active connections from ports 1:1023 of any source to ports 1:1023 on the local side
# iptables -A INPUT -i eth0 -p tcp --sport 1:1023 --dport 1:1023 --syn -j DROP
iptables is better than ipchains, because it can be set up without needing one rule per port, etc.
stateful module
iptables -A INPUT [-m state] [--state state]
-m : iptables plug-in modules, the main ones are:
     state : the connection state module
     mac : the network card hardware address (MAC address)
--state : the state of the packet, mainly:
     INVALID : an invalid packet, e.g. one whose data is corrupted
     ESTABLISHED : the connection has already been established successfully;
     NEW : the packet starts a new connection;
     RELATED : the most commonly used! The packet is related to a packet sent by our host
--mac-source : the MAC address of the source host!
Example: let through packets that are established or related, and discard invalid packets
# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A INPUT -m state --state INVALID -j DROP
Example: open connections for the host aa:bb:cc:dd:ee:ff in the LAN
# iptables -A INPUT -m mac --mac-source aa:bb:cc:dd:ee:ff -j ACCEPT
iptables -A INPUT [-p icmp] [--icmp-type type] -j ACCEPT
--icmp-type : must be followed by the ICMP packet type; its numeric code can be used,
              for example, 8 means echo request.
Example: let ICMP types 0,3,4,11,12,14,16,18 into the local machine:
# vi somefile
        #!/bin/bash
        # accept the listed ICMP types on eth0, one rule per type
        icmp_type="0 3 4 11 12 14 16 18"
        for typeicmp in $icmp_type
        do
                iptables -A INPUT -i eth0 -p icmp --icmp-type $typeicmp -j ACCEPT
        done
# sh somefile
In fact, the firewall is also a service; you can check it with "chkconfig --list iptables".
Therefore, if you want the settings you modified to be kept at the next boot,
you have to run the command "/etc/init.d/iptables save".
/etc/init.d/iptables save writes the result to /etc/sysconfig/iptables!
iptables-save
Shows the complete firewall rules; note that "accept all packets" may refer to lo
What is NAT? Simply put, you can call it the "IP sharer" of the internal LAN hosts!
Two important chains of the nat table: PREROUTING and POSTROUTING.
So what are the important functions of these two chains? The point is to modify the IP! But the IP modified by each chain is different!
POSTROUTING modifies the source IP, and PREROUTING modifies the destination IP.
Since the modified IPs differ, they are called source NAT (Source NAT, SNAT) and destination NAT (Destination NAT, DNAT).
(a)
Source NAT, SNAT: modifies the "source" field of the packet header
SNAT is mainly used to let the internal LAN connect to the Internet
(b)
Destination NAT, DNAT: modifies the "destination" field of the packet header
DNAT is mainly used when an internal host is to run a server that can be accessed from the Internet!
iptables -t nat -A POSTROUTING -s $innet -o $EXTIF -j MASQUERADE
# This line is the most critical! It adds packet masquerading to the nat table! In this example $innet is
# and $EXTIF is the external interface, in this case eth1
"MASQUERADE"! This setting means "masquerade the source IP as the IP of the device the packet is sent out from (-o)"!
In the above example that is $EXTIF, i.e. eth1!
Assuming the external IP is fixed at, what should I do if I don't want to use masquerading?
Answer:
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source
Assume there is a host in the intranet whose IP is, which is a WWW server to be opened to the Internet.
How do you pass the WWW packets to that host through the NAT mechanism?
Answer:
Assuming the interface holding the public IP is eth1, the rule is:
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to-destination
That "-j DNAT --to-destination IP[:port]" is the essence!
It means: packets coming in from the eth1 interface that want to use the port 80 service
are retransmitted to the IP and port of! IP and port can be modified at the same time.
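Pulling the filter rules from the notes above (default policy, lo, the state module, the ICMP-type loop, --syn and LOG) and the nat rules (MASQUERADE and DNAT) into one ruleset in the iptables-restore format that "/etc/init.d/iptables save" writes, as an added example that is not part of the original notes; the interfaces eth0/eth1, the LAN 192.168.1.0/24 and the WWW host 192.168.1.10 are assumptions:

```sh
#!/bin/sh
# Added example, not from the original notes: build one complete ruleset in the
# iptables-restore format that "/etc/init.d/iptables save" writes to
# /etc/sysconfig/iptables, combining the filter rules (policy, lo, state,
# ICMP types, --syn, LOG) and the nat rules (MASQUERADE, DNAT) described above.
# Interfaces and addresses below are assumptions chosen for the example.
EXTIF="eth1"               # external (Internet) interface
INIF="eth0"                # internal LAN interface
INNET="192.168.1.0/24"     # internal LAN
WWWHOST="192.168.1.10"     # intranet WWW server reached by DNAT

build_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
EOF
  # one rule per ICMP type, as in the loop script above
  for t in 0 3 4 11 12 14 16 18; do
    echo "-A INPUT -i $EXTIF -p icmp --icmp-type $t -j ACCEPT"
  done
  cat <<EOF
-A INPUT -i $INIF -s $INNET -p tcp --dport 22 -j ACCEPT
-A INPUT -i $EXTIF -p tcp --syn --dport 22 -j LOG --log-prefix "iptables ssh: "
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $INIF -s $INNET -j ACCEPT
-A FORWARD -i $EXTIF -p tcp -d $WWWHOST --dport 80 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i $EXTIF -p tcp --dport 80 -j DNAT --to-destination $WWWHOST:80
-A POSTROUTING -s $INNET -o $EXTIF -j MASQUERADE
COMMIT
EOF
}

# Number of rule lines (-A ...) in the generated ruleset
count_rules() { build_rules | grep -c '^-A'; }

build_rules        # print the ruleset; pipe it into "iptables-restore" to load it
```

The LOG rule only records external SYNs to port 22; since LOG never terminates matching, those packets then fall through to the INPUT policy DROP, while the DNAT in PREROUTING rewrites port-80 traffic before the FORWARD chain sees it with the intranet address.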
