Firewall:
(1) Netfilter
    Managed with the built-in iptables tool; it mainly works on OSI layers 2, 3 and 4 (MAC, IP, TCP, UDP, ICMP, etc.).
    Common methods:
    (a) Control by port, e.g. refusing packets to/from ports 80, 21, 20 and so on
    (b) Control by IP
    (c) Control by TCP flag, e.g. rejecting active connection attempts (packets with the SYN flag set)
    (d) Control by MAC address
(2) TCP Wrappers
    Has nothing to do with port numbers, only with the program name: it looks at the name of the program the client wants to connect to, then checks the client's IP to decide whether to let it through.
    Rule order: /etc/hosts.allow is consulted first, then /etc/hosts.deny.
(3) Proxy
    All packets entering and leaving the LAN are handled by the proxy; generally only ports 80, 21 and 20 are opened.

DMZ (Demilitarized Zone): web servers are placed between two firewalls, separating the LAN from the Internet so that an attack cannot pass straight through in either direction. The two firewalls are the internal (LAN-side) firewall and the external (Internet-side) firewall.

iptables
Rules are compared in order: if a packet matches a rule, that rule's action is taken; if not, the next rule is compared.
There are three main tables: filter (manages packets entering and leaving the machine itself), nat (manages hosts behind the firewall), mangle (manages special flags).
filter (default table):
    INPUT: packets that want to enter the local machine
    OUTPUT: packets the local machine sends out
    FORWARD: packets forwarded to back-end hosts (NAT)
nat (rewrites source/destination IP or port):
    PREROUTING: rules applied before the routing decision (DNAT/REDIRECT)
    POSTROUTING: rules applied after the routing decision (SNAT/MASQUERADE)
    OUTPUT: packets sent out by the local machine

iptables [-t tables] [-L] [-nv]
    -t : followed by a table, such as nat or filter; if omitted, the default filter table is used
    -L : list the rules of the current table
    -n : do not reverse-resolve IPs and hostnames, which makes the listing much faster!
    -v : list more information, including the total number of packets that matched the rule, the network interface involved, etc.
Fields in the listing:
    target: the action; ACCEPT lets the packet through, REJECT refuses it, and there is also DROP (discard)!
    prot: the packet protocol, mainly the three formats tcp, udp and icmp
    opt: additional options
    source: which "source IP" this rule restricts
    destination: which "destination IP" this rule restricts

iptables [-t tables] [-FXZ]
    -F : flush all established rules
    -X : delete all user-defined chains
    -Z : zero the packet and byte counters of all chains

iptables [-t nat] -P [INPUT,OUTPUT,FORWARD] [ACCEPT,DROP]
    -P : define the policy. Note that this P is capitalized!
         (The policy is the default: if a packet matches no rule, it is handled according to the policy)
    ACCEPT : the packet is accepted
    DROP : the packet is discarded outright, without telling the client why

iptables [-AI chain] [-io network interface] [-p protocol] [-s source IP/network] [-d destination IP/network] -j [ACCEPT|DROP|REJECT|LOG]
    -AI chain: "insert" or "append" a rule to a chain
        -A : append a new rule after the existing ones. For example, if there are already four rules, -A adds the fifth!
        -I : insert a rule. If no position is given, it becomes the first rule. For example, with four existing rules, -I makes the new rule number 1 and the original four become numbers 2 to 5.
        chain: INPUT, OUTPUT, FORWARD, etc. The chain name is related to -i/-o, see below.
    -io network interface: the interface a packet arrives on or leaves through
        -i : the interface the packet enters through, such as eth0, lo, etc.
             Used with the INPUT chain;
        -o : the interface the packet leaves through; used with the OUTPUT chain;
    -p protocol: the packet format this rule applies to. The main ones are tcp, udp, icmp and all.
    -s source IP/network: the source of the packets this rule covers; a single IP or a whole network can be given, for example:
        IP: 192.168.0.100
        Network: 192.168.0.0/24 or 192.168.0.0/255.255.255.0
        To negate, add !, for example -s ! 192.168.100.0/24 matches packets whose source is NOT in 192.168.100.0/24 (newer iptables versions write this as ! -s 192.168.100.0/24);
    -d destination IP/network: same as -s, but for the destination IP or network.
    -j : followed by the action; the main ones are accept (ACCEPT), discard (DROP), reject (REJECT) and log (LOG)
    ## "If an item is not specified, everything is accepted for that item"
    ## LOG writes the packet's details to the kernel log, /var/log/messages; it is only a record and does not stop the packet from being compared against the following rules

iptables [-AI chain] [-io network interface] [-p tcp,udp] [-s source IP/network] [--sport port range] [-d destination IP/network] [--dport port range] -j [ACCEPT|DROP|REJECT]
    --sport port range: restrict the source port; a range can be given, such as 1024:65535
    --dport port range: restrict the destination port
    Example: drop packets coming from ports 1024:65535 of 192.168.1.0/24 that want to connect to the local ssh port:
    # iptables -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 --sport 1024:65535 --dport ssh -j DROP
Besides ports, TCP has special flags! The most common one is the SYN flag of an active connection attempt. iptables also supports handling it with "--syn".
Let's illustrate with the following example:
    Example: drop active connection attempts from ports 1:1023 of any source to ports 1:1023 on the local machine
    # iptables -A INPUT -i eth0 -p tcp --sport 1:1023 --dport 1:1023 --syn -j DROP
iptables is better than ipchains because, thanks to connection tracking, you do not need a separate rule for every port.

Stateful module
iptables -A INPUT [-m state] [--state state]
    -m : an iptables extension module; the main ones are:
        state : the connection-state module
        mac : the network card hardware (MAC) address module
    --state : the state of the packet, mainly:
        INVALID : an invalid packet, such as one with corrupted data
        ESTABLISHED : belongs to a connection that has already been established successfully
        NEW : a packet that starts a new connection
        RELATED : the most commonly used! The packet is related to a connection our host already has
    --mac-source : the MAC address of the source host!
    Example: accept established or related packets, drop invalid packets
    # iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    # iptables -A INPUT -m state --state INVALID -j DROP
    Example: open connections for the LAN host with MAC aa:bb:cc:dd:ee:ff
    # iptables -A INPUT -m mac --mac-source aa:bb:cc:dd:ee:ff -j ACCEPT

iptables -A INPUT [-p icmp] [--icmp-type type] -j ACCEPT
    --icmp-type : the ICMP packet type that must follow; the numeric code can be used, for example 8 means echo request.
    Example: let ICMP types 0, 3, 4, 11, 12, 14, 16 and 18 into the local machine:
    # vi somefile
        #!/bin/bash
        icmp_type="0 3 4 11 12 14 16 18"
        for typeicmp in $icmp_type
        do
            iptables -A INPUT -i eth0 -p icmp --icmp-type $typeicmp -j ACCEPT
        done
    # sh somefile

The firewall is also a service: you can check it with "chkconfig --list iptables". So if you want the settings you modified to survive the next boot, you have to run "/etc/init.d/iptables save".
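The filter-table pieces above (policies, rule order, the state module, --syn and the ICMP loop) assembled into one ordered script, as an added example that is not part of the original notes; the interface name eth0 and the LAN range 192.168.1.0/24 are assumptions. By default it only prints the commands; set IPT=iptables and run it as root to apply them.

```shell
#!/bin/sh
# Added example (not from the original notes): the page's filter rules in the
# order they must be appended. IPT defaults to a dry run that prints each
# command; IPT=iptables (as root) applies them. EXTIF/LANNET are assumptions.
IPT="${IPT:-echo iptables}"
EXTIF="${EXTIF:-eth0}"                # interface facing the outside (assumed)
LANNET="${LANNET:-192.168.1.0/24}"    # trusted LAN range (assumed)

filter_rules() {
    # Start clean: flush rules, delete user-defined chains, zero counters.
    $IPT -F
    $IPT -X
    $IPT -Z
    # Policy = what happens when no rule matches: drop unsolicited input,
    # let the host itself talk out, never forward by default.
    $IPT -P INPUT DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -P FORWARD DROP
    # First match wins, so the broad, cheap rules go first (loopback, then
    # replies to connections we already have, then garbage).
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP
    # Only LAN clients on unprivileged ports may open a NEW ssh session;
    # the RELATED,ESTABLISHED rule above then carries the rest of the session.
    $IPT -A INPUT -i "$EXTIF" -p tcp -s "$LANNET" --sport 1024:65535 --dport ssh --syn -j ACCEPT
    # Any other SYN aimed at a privileged port: log it (LOG does not stop
    # rule matching), then drop it with the next rule.
    $IPT -A INPUT -i "$EXTIF" -p tcp --dport 1:1023 --syn -j LOG --log-prefix "IPT-SYN: "
    $IPT -A INPUT -i "$EXTIF" -p tcp --dport 1:1023 --syn -j DROP
    # The ICMP types from the page's loop.
    for t in 0 3 4 11 12 14 16 18; do
        $IPT -A INPUT -i "$EXTIF" -p icmp --icmp-type "$t" -j ACCEPT
    done
}

# Number of rules the script appends to a chain (for checking a dry run).
count_chain() {
    filter_rules | grep -c -- "-A $1 "
}

filter_rules
```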
/etc/init.d/iptables save writes the result to /etc/sysconfig/iptables!
iptables-save shows the complete firewall rule set; note that a rule accepting all packets may be the one for the lo interface.

What is NAT? Simply put, it is the "IP sharer" for the hosts of an internal LAN!
The two important chains of the nat table are PREROUTING and POSTROUTING. What do they do? The point is that they modify IPs, but each chain modifies a different one: POSTROUTING modifies the source IP and PREROUTING modifies the destination IP. Because the modified IP differs, they are called source NAT (SNAT) and destination NAT (DNAT).
(a) Source NAT, SNAT: modifies the "source" field of the packet header. SNAT is mainly used to let the internal LAN connect to the Internet.
(b) Destination NAT, DNAT: modifies the "destination" field of the packet header. DNAT is mainly used when an internal host runs a server that should be reachable from the Internet!

    iptables -t nat -A POSTROUTING -s $innet -o $EXTIF -j MASQUERADE
    # This line is the most critical! It adds packet masquerading to the nat table. In this example $innet is 192.168.1.0/24
    # and $EXTIF is the external interface, in this case eth1
"MASQUERADE" means "masquerade the source IP as the IP of the interface the packet is sent out through (-o)"! In the example above that is $EXTIF, i.e. eth1!
Assuming the external IP is fixed at 192.168.200.250, what if I don't want to use masquerading? Answer:
    iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 192.168.200.250
Assume there is a host on the intranet with IP 192.168.1.210 that is a WWW server to be opened to the Internet. How do you pass WWW packets to that host through NAT?
Answer: assuming the interface holding the public IP is eth1, the rule is:
    iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.210:80
That "-j DNAT --to-destination IP[:port]" is the essence! It means: packets arriving on the eth1 interface that want the port 80 service are sent on to IP 192.168.1.210, port 80! IP and port can be modified at the same time!
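The MASQUERADE/SNAT and DNAT rules from the notes combined into one script, as an added example that is not from the original notes. It also adds the ip_forward setting and the FORWARD-chain rules that a NAT'd web server needs and that the notes mention only in passing; eth1, 192.168.1.0/24, 192.168.1.210 and 192.168.200.250 are the page's example values, and APPLY, PUBIP and the other variable names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original notes): the page's SNAT/MASQUERADE and
# DNAT rules plus the forwarding pieces they rely on. Dry run by default: the
# commands are printed; APPLY=yes (as root) executes them. Names are assumptions.
APPLY="${APPLY:-no}"
EXTIF="${EXTIF:-eth1}"              # public-facing interface (page example)
INNET="${INNET:-192.168.1.0/24}"    # internal LAN (page example)
WWW="${WWW:-192.168.1.210}"         # internal web server (page example)
PUBIP="${PUBIP:-}"                  # fixed public IP => SNAT; empty => MASQUERADE
if [ "$APPLY" = yes ]; then IPT=iptables; else IPT="echo iptables"; fi

nat_rules() {
    # The kernel does not route between interfaces until ip_forward is on.
    if [ "$APPLY" = yes ]; then sysctl -w net.ipv4.ip_forward=1; else echo "sysctl -w net.ipv4.ip_forward=1"; fi
    $IPT -t nat -F
    # Outbound LAN traffic: rewrite the source after routing (POSTROUTING).
    if [ -n "$PUBIP" ]; then
        $IPT -t nat -A POSTROUTING -s "$INNET" -o "$EXTIF" -j SNAT --to-source "$PUBIP"
    else
        $IPT -t nat -A POSTROUTING -s "$INNET" -o "$EXTIF" -j MASQUERADE
    fi
    # Inbound port 80: rewrite the destination before routing (PREROUTING).
    $IPT -t nat -A PREROUTING -i "$EXTIF" -p tcp --dport 80 -j DNAT --to-destination "$WWW:80"
    # NAT only rewrites addresses; the filter table's FORWARD chain still decides
    # whether the rewritten packet may pass, so open exactly what NAT set up.
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -i "$EXTIF" -p tcp -d "$WWW" --dport 80 -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -s "$INNET" -o "$EXTIF" -j ACCEPT
}

# Report which POSTROUTING target the current settings select (dry-run check).
postrouting_target() {
    nat_rules | grep -- '-A POSTROUTING' | grep -o -- '-j [A-Z]*' | cut -d' ' -f2
}

nat_rules
```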