Firewall Netfilter- for Sharing Code and Text.

TEXT 93

Firewall Netfilter

Guest on 11th May 2022 01:50:54 AM

Firewall:
(1) Netfilter
Use the built-in software IPTables to manage, mainly to analyze the 234 layers of OSI (MAC, IP, TCP, UDP, ICMP, etc.)
Common method
(a) Controlled by the port, refusing port 80, 21, 20 and other packets to enter and exit
(b) Controlled by IP
(c) Controlled by flag, such as rejecting active connection with flag with SYN
(d) Controlled by MAC
(2) TCPWrapper
It has nothing to do with the port, only the name.
Through the file name of the program that the client wants to connect to, and then analyze the IP of the client to see if it needs to be released.
Firewall rule order: compare /etc/hosts.allow first and then compare /etc/hosts.deny
(3)Proxy
Manage all incoming and outgoing LAN packets in proxy, generally only open ports 80, 21, 20
DMZ, Demilitarized Zone, places web servers between two firewalls, thereby
Separate the LAN and the Internet to avoid two-way attacks, two firewalls, refer to the right
Internal LAN firewall, and external Internet firewall.
iptables
The order of comparison and analysis, if the rules are met, the action is taken,
If the rule is not met, continue to compare to the next rule.
There are three main tables:
filter (manage the entry and exit of the machine), nat (manage the back-end host, that is, inside the firewall), mangle (manage special flags).
filter (preset):
INPUT: The packet you want to enter the local machine
OUTPUT: the packet that the machine wants to send
FORWARD: NAT that forwards the packet to the backend
nat (convert source and destination IP or port):
PREROUTING: Rules before routing judgment (DNAT/REDIRECT)
POSTROUTING: The rules after routing (SNAT/MASQUERADE)
OUTPUT: the packet sent out
iptables [-t tables] [-L] [-nw]
-t : followed by table, such as nat or filter, if this item is omitted, the default filter will be used
-L : list the rules for the current table
-n : Do not perform reverse check of IP and HOSTNAME, the speed of displaying messages will be much faster!
-v : List more information, including the total number of packets passed through the rule, the associated network interface, etc.
target: represents the action, ACCEPT is to release, and REJECT is to reject, in addition, there are still DROP (discarded) items!
prot: represents the packet protocol used, mainly tcp, udp and icmp three packet formats;
opt: additional option description
source: Indicates which "source IP" is restricted by this rule?
destination: Indicates which "destination IP" this rule is restricted for?
iptables [-t tables] [-FXZ]
-F : clear all the established rules;
-X : Kill all user "customized" chains (should say tables);
-Z : reset all chain counts and traffic statistics to zero
iptables [-t nat] -P [INPUT,OUTPUT,FORWARD] [ACCEPT,DROP]
-P : Define the policy (Policy). Note that this P is capitalized! (The policy is the default, if the packet does not conform to the rule, it will be processed according to the policy)
ACCEPT : the packet is acceptable
DROP: The packet is dropped directly without letting the client know why it was dropped.
iptables [-AI chainname] [-io network interface] [-p protocol] [-s source IP/domain] [-d destination IP/domain] -j [ACCEPT|DROP|REJECT|LOG]
-AI chain name: "insert" or "accumulate" rules for a certain chain
-A : A new rule is added, which is added at the end of the original rule. For example, there are already four rules,
Use -A to add the fifth rule!
-I : Insert a rule. If no order for this rule is specified, the default is that the insertion becomes the first rule.
For example, there were originally four rules. If -I is used, the rule becomes the first rule, and the original four rules become No. 2~5.
Chain: There are INPUT, OUTPUT, FORWARD, etc. The name of this chain is related to -io, please see below.
-io network interface: set the interface specification for incoming and outgoing packets
-i : The network interface that the packet enters, such as eth0, lo and other interfaces. Need to cooperate with INPUT chain;
-o : The network interface from which the packet is sent, it needs to cooperate with the OUTPUT chain;
-p contract: set which packet format this rule applies to
The main packet formats are: tcp, udp, icmp and all.
-s source IP/domain: Set the source item of the packet of this rule, you can specify pure IP or include domain, for example:
IP: 192.168.0.100
Domain: 192.168.0.0/24, 192.168.0.0/255.255.255.0 can be used.
If the specification is "not allowed", add !, for example:
-s ! 192.168.100.0/24 means that the packet source of 192.168.100.0/24 is not allowed;
-d target IP/domain: same as -s, but here it refers to the target IP or domain.
-j : Followed by actions, the main actions are accept (ACCEPT), discard (DROP), reject (REJECT) and record (LOG)
##『If there is no specified item, it means that the item is fully accepted』
##LOG is to write the relevant information of the packet into the core message, /var/log/messages, which is only a record and will not affect the rule comparison of the packet
iptables [-AI chain] [-io network interface] [-p tcp,udp] [-s source IP/domain] [--sport port range] [-d destination IP/domain] [--dport port range] -j [ACCEPT|DROP|REJECT]
--sport port range: limit the port number of the source, the port number can be continuous, such as 1024:65535
--dport port range: limit the port number of the target.
For example: as long as the packets from the 1024:65535 port of 192.168.1.0/24, and want to connect to the local ssh port
to resist, you can do this:
# iptables -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 --sport 1024:65534 --dport ssh -j DROP
In addition to ports, there are special flags in TCP! The most common one is the actively connected SYN flag.
We also support the processing method of " --syn " in iptables. Let's illustrate it with the following example:
Example: Discard the active connection from port 1:1023 of any source to the 1:1023 connection on the local side
# iptables -A INPUT -i eth0 -p tcp --sport 1:1023 --dport 1:1023 --syn -j DROP
iptable is better than ipchain, because it can be set without a rule corresponding to a port, etc.
stateful module
iptables -A INPUT [-m state] [--state state]
-m : Some iptables plug-in modules, the main ones are:
state : state module
mac: network card hardware address (hardware address)
--state : The state of some packets, mainly:
INVALID : Invalid packet, such as data corrupted packet status
ESTABLISHED: The connection status that has been successfully connected;
NEW : The packet status of the newly established connection;
RELATED: This is the most commonly used! Indicates that this packet is related to the packet sent by our host
--mac-source : It is the MAC of the source host!
Example: Pass as long as established or related packets, discard as long as illegal packets
# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A INPUT -m state --state INVALID -j DROP
Example: Open the connection for the aa:bb:cc:dd:ee:ff host in the LAN
# iptables -A INPUT -m mac --mac-source aa:bb:cc:dd:ee:ff -j ACCEPT
iptables -A INPUT [-p icmp] [--icmp-type type] -j ACCEPT
--icmp-type : The packet type that must be followed by ICMP, or the code name can be used,
For example, 8 means echo request.
Example: Let the ICMP type of 0,3,4,11,12,14,16,18 enter the local machine:
# vi somefile
#!/bin/bash
icmp_type="0 3 4 11 12 14 16 18"
for typeicmp in $icmp_type
do
iptables -A INPUT -i eth0 -p icmp --icmp-type $typeicmp -j ACCEPT
done
# sh somefile
In fact, the firewall is also a service, you can check it through "chkconfig --list iptables".
Therefore, the various settings you modified this time want to be saved in the next boot.
Then you have to add parameters to the command "/etc/init.d/iptables save".
/etc/init.d/iptables save to save the result to /etc/sysconfig/iptables!
iptables-save
Completely show the firewall rules, note that accept all packet may refer to lo
What is NAT? Simply put, you can call it the "IP sharer" of the internal LAN host!
Two important chains of NAT table: PREROUTING and POSTROUTING.
So what are the important functions of these two chains? The point is to modify the IP! But the modified IPs of these two chains are different!
POSTROUTING is modifying the source IP, and PREROUTING is modifying the target IP.
Since the modified IPs are different, they are called source NAT (Source NAT, SNAT) and destination NAT (Destination NAT, DNAT).
(a)
Source NAT, SNAT: Modify the "Source" item of the packet header
SNAT is mainly to deal with the use of internal LAN connection to the Internet
(b)
Target NAT, DNAT: Modify the "target" item of the packet header
DNAT is mainly used when the internal host wants to set up a server that can be accessed by the Internet!
iptables -t nat -A POSTROUTING -s $innet -o $EXTIF -j MASQUERADE
# This line is the most critical! Is to join the nat table packet camouflage! In this example $innet is 192.168.1.0/24
# And $EXTIF is the external interface, in this case eth1
"MASQUERADE"! This setting is "IP masquerading as the IP on the device from which the packet was sent out (-o)"!
In the above example, it is $EXTIF, which is eth1!
Assuming that the external IP is fixed at 192.168.200.250, what should I do if I don't want to use masquerading?
answer:
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 192.168.200.250
Assume that there is a host in the intranet whose IP is 192.168.1.210, which is a WWW server that can be opened to the Internet.
How do you pass the WWW packet to the host through the NAT mechanism?
answer:
Assuming that the interface where the public IP is located is eth1, then your rule is:
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.210:80
That "-j DNAT --to-destination IP[:port]" is the essence!
Represents incoming from the eth1 interface and wants to use port 80 services,
Retransmit the packet to the IP and port of 192.168.1.210:80! Can modify IP and port at the same t

Raw Paste

Firewall:
(1) Netfilter
Use the built-in software IPTables to manage, mainly to analyze the 234 layers of OSI (MAC, IP, TCP, UDP, ICMP, etc.)
Common method
(a) Controlled by the port, refusing port 80, 21, 20 and other packets to enter and exit
(b) Controlled by IP
(c) Controlled by flag, such as rejecting active connection with flag with SYN
(d) Controlled by MAC
(2) TCPWrapper
It has nothing to do with the port, only the name.
Through the file name of the program that the client wants to connect to, and then analyze the IP of the client to see if it needs to be released.
Firewall rule order: compare /etc/hosts.allow first and then compare /etc/hosts.deny
(3)Proxy
Manage all incoming and outgoing LAN packets in proxy, generally only open ports 80, 21, 20

DMZ, Demilitarized Zone, places web servers between two firewalls, thereby
Separate the LAN and the Internet to avoid two-way attacks, two firewalls, refer to the right
Internal LAN firewall, and external Internet firewall.

iptables
The order of comparison and analysis, if the rules are met, the action is taken,
If the rule is not met, continue to compare to the next rule.
There are three main tables:
filter (manage the entry and exit of the machine), nat (manage the back-end host, that is, inside the firewall), mangle (manage special flags).

filter (preset):
INPUT: The packet you want to enter the local machine
OUTPUT: the packet that the machine wants to send
FORWARD: NAT that forwards the packet to the backend

nat (convert source and destination IP or port):
PREROUTING: Rules before routing judgment (DNAT/REDIRECT)
POSTROUTING: The rules after routing (SNAT/MASQUERADE)
OUTPUT: the packet sent out

iptables [-t tables] [-L] [-nw]
-t : followed by table, such as nat or filter, if this item is omitted, the default filter will be used
-L : list the rules for the current table
-n : Do not perform reverse check of IP and HOSTNAME, the speed of displaying messages will be much faster!
-v : List more information, including the total number of packets passed through the rule, the associated network interface, etc.
target: represents the action, ACCEPT is to release, and REJECT is to reject, in addition, there are still DROP (discarded) items!
prot: represents the packet protocol used, mainly tcp, udp and icmp three packet formats;
opt: additional option description
source: Indicates which "source IP" is restricted by this rule?
destination: Indicates which "destination IP" this rule is restricted for?

iptables [-t tables] [-FXZ]
-F : clear all the established rules;
-X : Kill all user "customized" chains (should say tables);
-Z : reset all chain counts and traffic statistics to zero

iptables [-t nat] -P [INPUT,OUTPUT,FORWARD] [ACCEPT,DROP]
-P : Define the policy (Policy). Note that this P is capitalized! (The policy is the default, if the packet does not conform to the rule, it will be processed according to the policy)
ACCEPT : the packet is acceptable
DROP: The packet is dropped directly without letting the client know why it was dropped.

iptables [-AI chainname] [-io network interface] [-p protocol] [-s source IP/domain] [-d destination IP/domain] -j [ACCEPT|DROP|REJECT|LOG]
-AI chain name: "insert" or "accumulate" rules for a certain chain
    -A : A new rule is added, which is added at the end of the original rule. For example, there are already four rules,
         Use -A to add the fifth rule!
    -I : Insert a rule. If no order for this rule is specified, the default is that the insertion becomes the first rule.
         For example, there were originally four rules. If -I is used, the rule becomes the first rule, and the original four rules become No. 2~5.
    Chain: There are INPUT, OUTPUT, FORWARD, etc. The name of this chain is related to -io, please see below.
-io network interface: set the interface specification for incoming and outgoing packets
    -i : The network interface that the packet enters, such as eth0, lo and other interfaces. Need to cooperate with INPUT chain;
    -o : The network interface from which the packet is sent, it needs to cooperate with the OUTPUT chain;
-p contract: set which packet format this rule applies to
   The main packet formats are: tcp, udp, icmp and all.
-s source IP/domain: Set the source item of the packet of this rule, you can specify pure IP or include domain, for example:
   IP: 192.168.0.100
   Domain: 192.168.0.0/24, 192.168.0.0/255.255.255.0 can be used.
   If the specification is "not allowed", add !, for example:
   -s ! 192.168.100.0/24 means that the packet source of 192.168.100.0/24 is not allowed;
-d target IP/domain: same as -s, but here it refers to the target IP or domain.
-j : Followed by actions, the main actions are accept (ACCEPT), discard (DROP), reject (REJECT) and record (LOG)
##『If there is no specified item, it means that the item is fully accepted』
##LOG is to write the relevant information of the packet into the core message, /var/log/messages, which is only a record and will not affect the rule comparison of the packet

iptables [-AI chain] [-io network interface] [-p tcp,udp] [-s source IP/domain] [--sport port range] [-d destination IP/domain] [--dport port range] -j [ACCEPT|DROP|REJECT]
--sport port range: limit the port number of the source, the port number can be continuous, such as 1024:65535
--dport port range: limit the port number of the target.
For example: as long as the packets from the 1024:65535 port of 192.168.1.0/24, and want to connect to the local ssh port
to resist, you can do this:
# iptables -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 --sport 1024:65534 --dport ssh -j DROP

In addition to ports, there are special flags in TCP! The most common one is the actively connected SYN flag.
We also support the processing method of " --syn " in iptables. Let's illustrate it with the following example:
Example: Discard the active connection from port 1:1023 of any source to the 1:1023 connection on the local side
# iptables -A INPUT -i eth0 -p tcp --sport 1:1023 --dport 1:1023 --syn -j DROP

iptable is better than ipchain, because it can be set without a rule corresponding to a port, etc.
stateful module
iptables -A INPUT [-m state] [--state state]
-m : Some iptables plug-in modules, the main ones are:
     state : state module
     mac: network card hardware address (hardware address)
--state : The state of some packets, mainly:
     INVALID : Invalid packet, such as data corrupted packet status
     ESTABLISHED: The connection status that has been successfully connected;
     NEW : The packet status of the newly established connection;
     RELATED: This is the most commonly used! Indicates that this packet is related to the packet sent by our host
--mac-source : It is the MAC of the source host!
Example: Pass as long as established or related packets, discard as long as illegal packets
# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A INPUT -m state --state INVALID -j DROP
Example: Open the connection for the aa:bb:cc:dd:ee:ff host in the LAN
# iptables -A INPUT -m mac --mac-source aa:bb:cc:dd:ee:ff -j ACCEPT

iptables -A INPUT [-p icmp] [--icmp-type type] -j ACCEPT
--icmp-type : The packet type that must be followed by ICMP, or the code name can be used,
              For example, 8 means echo request.
Example: Let the ICMP type of 0,3,4,11,12,14,16,18 enter the local machine:
# vi somefile
	#!/bin/bash
	icmp_type="0 3 4 11 12 14 16 18"
	for typeicmp in $icmp_type
	do
   		iptables -A INPUT -i eth0 -p icmp --icmp-type $typeicmp -j ACCEPT
	done
# sh somefile

In fact, the firewall is also a service, you can check it through "chkconfig --list iptables".
Therefore, the various settings you modified this time want to be saved in the next boot.
Then you have to add parameters to the command "/etc/init.d/iptables save".
/etc/init.d/iptables save to save the result to /etc/sysconfig/iptables!

iptables-save
Completely show the firewall rules, note that accept all packet may refer to lo

What is NAT? Simply put, you can call it the "IP sharer" of the internal LAN host!
Two important chains of NAT table: PREROUTING and POSTROUTING.
So what are the important functions of these two chains? The point is to modify the IP! But the modified IPs of these two chains are different!
POSTROUTING is modifying the source IP, and PREROUTING is modifying the target IP.  
Since the modified IPs are different, they are called source NAT (Source NAT, SNAT) and destination NAT (Destination NAT, DNAT).
(a)
Source NAT, SNAT: Modify the "Source" item of the packet header
SNAT is mainly to deal with the use of internal LAN connection to the Internet
(b)
Target NAT, DNAT: Modify the "target" item of the packet header
DNAT is mainly used when the internal host wants to set up a server that can be accessed by the Internet!

iptables -t nat -A POSTROUTING -s $innet -o $EXTIF -j MASQUERADE
# This line is the most critical! Is to join the nat table packet camouflage! In this example $innet is 192.168.1.0/24
# And $EXTIF is the external interface, in this case eth1
"MASQUERADE"! This setting is "IP masquerading as the IP on the device from which the packet was sent out (-o)"!
In the above example, it is $EXTIF, which is eth1!

Assuming that the external IP is fixed at 192.168.200.250, what should I do if I don't want to use masquerading?
answer:
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 192.168.200.250

Assume that there is a host in the intranet whose IP is 192.168.1.210, which is a WWW server that can be opened to the Internet.
How do you pass the WWW packet to the host through the NAT mechanism?
answer:
Assuming that the interface where the public IP is located is eth1, then your rule is:
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.210:80
That "-j DNAT --to-destination IP[:port]" is the essence!
Represents incoming from the eth1 interface and wants to use port 80 services,
Retransmit the packet to the IP and port of 192.168.1.210:80! Can modify IP and port at the same time!