Firewalls on the market today are most commonly layer 3/4 firewalls, called network-layer firewalls; there are also layer 7 firewalls, which are in fact proxy gateways.
In the TCP/IP seven-layer model, the third layer is the network layer, and a layer-3 firewall checks source and destination addresses at this layer. A layer-7 firewall, by contrast, inspects everything: source port, destination port, source address, destination address and the payload itself. So in terms of design principles a layer-7 firewall is more secure, but this comes at the cost of lower efficiency. Firewall products on the market are therefore generally a combination of the two. Because all traffic must pass through the firewall, the firewall's efficiency decides how much data users can actually get through it, and a badly configured firewall can even become the bottleneck of the whole traffic flow.
Five positions for traffic control
- Kernel space: packets coming in from one network interface and going out through another
- Packets flowing from the kernel into user space
- Packets flowing out of user space
- Entering / leaving the machine's external network interface
- Entering / leaving the machine's internal network interface (network adapter)
In fact the first three positions are already enough to block every path completely, so why set up checkpoints at the points where packets enter and leave the network card as well? Before the routing decision has been made the kernel does not yet know where a packet is going, so the ingress and egress points cannot be used for filtering; that is why the filtering checkpoints are placed at forwarding in kernel space, at entry into user space and at exit from user space. Then, if those two points are of no use for filtering, why place them at all? Because when we do NAT, DNAT (destination address translation) must be performed before routing. So we also set up checkpoints on the external interface and on the internal interface.
These five positions are also called the five hook functions, or the five rule chains.
- PREROUTING (before routing)
- INPUT (entry point for packets destined to this host)
- FORWARD (forwarding)
- OUTPUT (exit point for locally generated packets)
- POSTROUTING (after routing)
These are the five rule chains defined by Netfilter: any packet passing through this machine must traverse at least one of these five chains.
Firewall Policy
Firewall policies are generally divided into two kinds, a "pass" policy and a "block" policy:
Pass policy:
The door is closed by default; whoever may enter must be defined explicitly.
Block policy:
The door is wide open, but you must have authentication, or you cannot enter.
So what we define is: let in what should come in, and let out what should go out. "Pass" therefore means everything passes, while "block" is selective. When we define a policy we define several functions separately: the function that allows or denies packets is filter, and the function that defines address translation is the nat option. To let these functions work alternately, the concept of a "table" was introduced to define and distinguish the various functions and their processing.
The functions (tables) we use most today are three:
- filter: defines what is allowed and what is not
- nat: defines address translation
- mangle: modifies the original packet
The filter table can generally only be used on three chains: INPUT, FORWARD, OUTPUT
The nat table can generally only be used on three chains: PREROUTING, OUTPUT, POSTROUTING
The mangle table can be used on all five chains: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING
The way iptables rules are defined is a bit more involved:
```
Format: iptables [-t table] COMMAND chain CRITERIA -j ACTION
-t table  : one of the 3 tables: filter, nat, mangle
COMMAND   : defines how the rule is managed
chain     : specifies which chain the following rule operates on; it can be omitted when defining a policy
CRITERIA  : specifies the match criteria
-j ACTION : specifies how the packet is handled

iptables -L -n -v   # show detailed information about the defined rules
```
Chain management commands (these take effect immediately)
-P: set the default policy (whether the door is closed or open by default)
```
# There are generally only two default policies
iptables -P INPUT (DROP|ACCEPT)   # DROP: closed by default / ACCEPT: open by default
```
For example:
```
iptables -P INPUT DROP
# This sets the default policy to deny. Since no accepting action has been defined,
# every rule about outside connections, including remote sessions such as Xshell, is refused.
```
-F: FLUSH, clear a rule chain (note the scope of each chain)
```
iptables -t nat -F PREROUTING   # flush the PREROUTING chain of the nat table
iptables -t nat -F              # flush all chains of the nat table
```
-N: NEW, lets the user create a new chain
```
iptables -N inbound_tcp_web   # a chain for inspecting web traffic over tcp
```
-X: delete an empty user-defined chain
```
# Usage is the same as -N, but the chain must be emptied before it can be deleted
```
-E: rename a chain; mainly used to rename user-defined chains
```
-E oldname newname
```
-Z: zero the counters of a chain and of its default policy (there are two counters per rule: how many packets matched, and how many bytes)
```
iptables -Z   # zero the counters
```
Rule management commands
```
-A     : append, add a new rule at the end of the current chain
-I num : insert, insert the current rule as rule number num.  -I 3 : insert as the third rule
-R num : replace/modify rule number num   # format: iptables -R 3 …………
-D num : delete, explicitly delete rule number num
```
View command: -L
Additional sub-options
```
-n : show IPs numerically; without -n, IPs are reverse-resolved to host names
-v : show verbose information;  -vv -vvv : the more v's, the more detail
-x : show exact values in the counters, without unit conversion
--line-numbers : show the line number of each rule
-t nat : show the information of all checkpoints (chains) in the nat table
```
Match criteria in detail
1. General matches: match the source and destination address
-s: specify the source address to match. A host name cannot be used; it must be an IP:
IP | IP/MASK | 0.0.0.0/0.0.0.0
The address can also be negated by prefixing "!", which means every IP except the one given.
-d: match the destination address
-p: match the protocol (there are usually three: TCP/UDP/ICMP)
-i eth0: packets entering through this interface
Inbound interface matches are generally used in INPUT and PREROUTING
-o eth0: packets leaving through this interface
Outbound interface matches are generally used in OUTPUT and POSTROUTING
2. Extended matches
2.1 Implicit extensions: extensions of the protocol given with -p
-p tcp: extensions for the TCP protocol. There are generally three:
--dport XX-XX: specify the destination port. Multiple non-contiguous ports cannot be given; only a single port or a continuous range, such as
--dport 21 or --dport 21-23 (the latter means 21, 22 and 23)
--sport: specify the source port
--tcp-flags: TCP flags (SYN, ACK, FIN, PSH, RST, URG)
It generally takes two parameters:
1. the flags to check
2. the flags that must be set to 1
--tcp-flags syn,ack,fin,rst syn  =  --syn
This checks 4 bits: among these 4 bits syn must be 1 and the others must be 0. So it matches the first packet of the TCP three-way handshake. For this special match on the first SYN packet there is also a shorthand, --syn.
-p udp: extensions for the UDP protocol
--dport
--sport
-p icmp: extensions for ICMP packets
--icmp-type:
echo-request (echo request), usually denoted by 8
so --icmp-type 8 matches echo request packets
echo-reply (the response packet), usually denoted by 0
2.2 Explicit extensions (-m)
Extensions provided by the various modules
-m multiport: enables the multiport extension
Then we can use, for example, --dports 21,23,80
3. -j ACTION in detail
Common ACTIONs:
DROP: silently discard
We generally prefer DROP, to hide our identity and to hide our rule list
REJECT: explicitly reject
ACCEPT: accept
custom_chain: jump to a custom chain
DNAT
SNAT
MASQUERADE: source address masquerading
REDIRECT: redirection, mainly used for port redirection
MARK: set a firewall mark
RETURN: return
After a custom chain has finished, return to the original rule chain.
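The following script is an added example (not code from the original post) that ties together the chain and rule commands, the match criteria, the actions and the PREROUTING/POSTROUTING placement of NAT discussed above, as a default-deny ("pass" policy) ruleset. The admin network 192.0.2.0/24, the external interface eth0 and the internal web host 10.0.0.10 are constructed assumptions; with DRY_RUN=1 (the default) it only prints the iptables commands so the ruleset can be reviewed before it is applied as root.

```shell
#!/bin/sh
# Added example, not code from the original post: a default-deny ("pass" policy)
# ruleset for the filter and nat tables, built from the commands, matches and actions
# explained above. Constructed assumptions: admin net 192.0.2.0/24, external interface
# eth0, internal web host 10.0.0.10. DRY_RUN=1 (default) only prints the commands.
DRY_RUN="${DRY_RUN:-1}"
ADMIN_NET="192.0.2.0/24"
EXT_IF="eth0"
WEB_HOST="10.0.0.10"

# ipt: print the command (DRY_RUN=1) so the ruleset can be reviewed, or apply it (DRY_RUN=0).
ipt() {
    if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

build_filter_rules() {
    ipt -t filter -F        # flush every chain of the filter table
    ipt -t filter -X        # delete the (now empty) user-defined chains
    ipt -t filter -Z        # zero the packet/byte counters
    ipt -A INPUT -i lo -j ACCEPT
    # Custom chain (-N) for inbound web traffic, using the multiport explicit extension.
    ipt -N inbound_tcp_web
    ipt -A inbound_tcp_web -p tcp -m multiport --dports 80,443 -j ACCEPT
    ipt -A inbound_tcp_web -j RETURN                  # back to INPUT for everything else
    ipt -A INPUT -p tcp -j inbound_tcp_web
    # SSH: accept from the admin network; explicitly REJECT new connections (--syn)
    # from any other source ("!" negates -s) so admins get an error instead of a timeout.
    ipt -A INPUT -p tcp --dport 22 -s "$ADMIN_NET" -j ACCEPT
    ipt -A INPUT -p tcp --syn --dport 22 ! -s "$ADMIN_NET" -j REJECT
    ipt -A INPUT -p icmp --icmp-type 8 -j ACCEPT      # echo-request: allow ping
    # The default policy goes LAST: setting -P INPUT DROP before the ACCEPT rules exist
    # would cut off the very remote session (e.g. Xshell) used to configure the box.
    ipt -P INPUT DROP
}

build_nat_rules() {
    ipt -t nat -F
    # DNAT lives in PREROUTING: the destination must be rewritten before the routing
    # decision, otherwise the packet would be routed to the firewall itself.
    ipt -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 8080 -j DNAT --to-destination "$WEB_HOST:80"
    # Source masquerading lives in POSTROUTING, once routing has chosen the outgoing interface.
    ipt -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE
}

build_filter_rules
build_nat_rules
```

Run it once as shown to review the generated commands, then with DRY_RUN=0 (as root) to load them.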
Original article by LogStudio: R0uter's Blog » Iptables in detail
When reproducing, please keep the source and the link: https://www.logcg.com/archives/541.html