[iptables & ICMP] Description of the ICMP protocol in the iptables default policy
2022-06-28 03:11:00 【HunterMichaelG】
1. The default iptables policy
The Linux kernel integrates an IP packet filtering system. This packet filtering function is the Linux firewall, and it consists of two components: netfilter and iptables.
When the firewall makes a packet filtering decision, it follows a set of rules. These rules are stored in dedicated packet filtering tables that are built into the Linux kernel. Within a packet filtering table, the rules are grouped into what are called chains.
The netfilter/iptables IP packet filtering system is a powerful tool that can be used to add, edit and remove rules.
The netfilter component is also called kernel space: it is part of the kernel and consists of several packet filtering tables that hold the rule sets the kernel uses to control packet filtering. The iptables component is a tool, also called user space, that makes it easy to insert, modify and remove rules in the packet filtering tables.
CentOS 7 ships without iptables; by default it uses firewalld.
By default iptables cannot be controlled with systemctl; the two dependency packages iptables-services and iptables-devel need to be installed.

# yum -y install iptables iptables-services
# yum info iptables-services
# systemctl status iptables
# cat /usr/lib/systemd/system/iptables.service
# rpm -qf /usr/lib/systemd/system/iptables.service
# cat /etc/sysconfig/iptables

# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
Interpreting the iptables default policy
:INPUT ACCEPT [0:0]
# The default policy of the INPUT chain is ACCEPT
:FORWARD ACCEPT [0:0]
# The default policy of the FORWARD chain is ACCEPT
:OUTPUT ACCEPT [0:0]
# The default policy of the OUTPUT chain is ACCEPT
-A INPUT -p icmp -j ACCEPT
# The INPUT chain accepts the ICMP protocol by default
-A INPUT -i lo -j ACCEPT
# -i specifies the interface; here it is lo, the local loopback interface, so all traffic arriving on the loopback interface is allowed through the INPUT chain.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Incoming packets are only allowed if they are responses to packets this host sent out
# ESTABLISHED: the connection is already established
# RELATED: the packet is related to a packet sent by this host
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
# iptables stops at the first rule that matches
# These two lines reject, in the INPUT and FORWARD chains, every packet that matched none of the rules above, and send a "host prohibited" ICMP message back to the rejected host
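As an added example (not from the original post), the following Python walks constructed sample packets through the INPUT chain above using iptables' first-match semantics; the Packet class and evaluate() helper are my own simplification, with the conntrack state supplied as a label rather than tracked.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    proto: str             # "icmp", "tcp" or "udp" (constructed sample fields)
    iface: str = "eth0"    # interface the packet arrived on
    dport: int = 0         # destination port, only meaningful for tcp/udp
    state: str = "NEW"     # conntrack state: NEW, ESTABLISHED or RELATED

# The INPUT chain from the sample /etc/sysconfig/iptables, in file order.
# Each entry is (match predicate, target); the first match wins.
DEFAULT_INPUT = [
    (lambda p: p.state in ("RELATED", "ESTABLISHED"), "ACCEPT"),
    (lambda p: p.proto == "icmp", "ACCEPT"),
    (lambda p: p.iface == "lo", "ACCEPT"),
    (lambda p: p.proto == "tcp" and p.state == "NEW" and p.dport == 22, "ACCEPT"),
    (lambda p: True, "REJECT --reject-with icmp-host-prohibited"),
]

def evaluate(chain, pkt, policy="ACCEPT"):
    """Walk the chain; return (rule number, target) of the first matching rule,
    or (None, policy) when nothing matched and the chain policy applies."""
    for num, (match, target) in enumerate(chain, start=1):
        if match(pkt):
            return num, target
    return None, policy

if __name__ == "__main__":
    samples = [
        Packet("icmp"),                                # ping from outside
        Packet("tcp", dport=22),                       # new SSH connection
        Packet("tcp", dport=80),                       # new HTTP connection
        Packet("tcp", dport=80, state="ESTABLISHED"),  # reply traffic
        Packet("udp", iface="lo", dport=53),           # local DNS over loopback
    ]
    for p in samples:
        print(p, "->", evaluate(DEFAULT_INPUT, p))
    # Without the trailing REJECT rule, the chain policy (ACCEPT) is what decides
    print("no REJECT rule:", evaluate(DEFAULT_INPUT[:-1], Packet("tcp", dport=80)))
```

The last call shows why the final REJECT line matters: the chain policy is ACCEPT, so deleting that rule silently opens every port rather than closing it.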
The iptables default policy in the configuration file /etc/sysconfig/iptables can also be deleted entirely and replaced with rules that fit your own needs.
2. The ICMP protocol
Background of the protocol
ICMP, in full Internet Control Message Protocol, is the Internet control message protocol. "Control" here means sensing and controlling the network environment by issuing instructions, so it must work alongside a protocol that cannot itself perceive the network environment: IP (both IPv4 and IPv6).
ICMP is usually regarded as part of the IP protocol; it is encapsulated at the IP layer and transmitted using IP. Strictly speaking, therefore, ICMP is neither a network layer protocol nor a transport layer protocol, but a protocol sitting between the two.
Its main function is to carry network diagnostic information, of which there are two main kinds:
One is the query message, mainly used to query and collect information, for example which routers lie on the transmission path, or whether this transmission reached its destination.
The other is the error message, mainly used to diagnose network faults, for example why a transmitted packet was discarded.
As we all know, IP is an unreliable protocol: if an error occurs while an IP packet is in transit, such as a bad checksum, congestion or a timeout, the IP packet is simply discarded and no further effort is made to correct it.
This follows from a design principle of IP, best effort: the advantage is that IP stays as simple as possible and is responsible only for efficient data transfer, leaving further quality control to higher-layer protocols (such as TCP).
But only a few higher-layer protocols can provide quality control, so a lower-layer protocol is needed to help IP carry out the necessary network quality management, and ICMP was naturally proposed for this.
With ICMP, when an IP packet goes wrong, the host or router that sent the IP packet from a higher layer does not know that an error occurred at the lower layer; at this point the lower-layer host or router can send an ICMP packet that reports the error to the upper layer, so that the upper-layer host or router can adjust.
But note that ICMP can only report certain types of error; it does not turn IP into a reliable protocol, and what it can do is still limited, but it is enough for basic network quality management.
ICMP message format
As shown in the figure below, ICMP messages are encapsulated in IP datagrams for transmission.
A Protocol field of 1 in the IP header indicates that the datagram carries an ICMP message.
(This is only to illustrate the point, so the IP header is simplified.)

Looking further, the ICMP header is 4 bytes:
Type (type): 1 byte, the broad classification of the ICMP message
Code (code): 1 byte, the narrower classification of the ICMP message (a subdivision of type)
Checksum (checksum): 2 bytes; the ICMP checksum is computed similarly to the IP checksum, with the difference that IP checksums only the header while ICMP checksums the header plus the data section
This is followed by the ICMP data section, whose content differs depending on the type and code fields above.
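As an added example (not from the original post), here is a small Python builder and parser for the 4-byte ICMP header described above; the type/code constants are the standard ICMP values I supply, the sample messages are constructed, and corrupting a data byte shows that the checksum covers header plus data, unlike the IP header checksum.

```python
import struct

# Standard ICMP type/code pairs (my constants, not from the post): echo request,
# and the "host administratively prohibited" message the REJECT rule above sends.
ECHO_REQUEST = (8, 0)
DEST_UNREACH_HOST_PROHIBITED = (3, 10)

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words; an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp(icmp_type: int, code: int, data: bytes) -> bytes:
    """4-byte header (type, code, checksum) followed by the data section.
    Unlike IP, the checksum is computed over the header AND the data."""
    header = struct.pack("!BBH", icmp_type, code, 0)   # checksum field zeroed first
    csum = inet_checksum(header + data)
    return struct.pack("!BBH", icmp_type, code, csum) + data

def parse_icmp(msg: bytes) -> dict:
    """Split an ICMP message into its fields and verify the checksum:
    an intact message checksums to 0 when summed as a whole."""
    if len(msg) < 4:
        raise ValueError("ICMP message shorter than the 4-byte header")
    icmp_type, code, csum = struct.unpack("!BBH", msg[:4])
    return {"type": icmp_type, "code": code, "checksum": csum,
            "data": msg[4:], "valid": inet_checksum(msg) == 0}

def echo_request(ident: int, seq: int, payload: bytes = b"") -> bytes:
    """Echo request: the data section starts with a 16-bit identifier and sequence number."""
    return build_icmp(*ECHO_REQUEST, struct.pack("!HH", ident, seq) + payload)
```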
ICMP message types
ICMP supports many message types; see the tables below for details:
The type field (type) refers to a broad class, and the code field (code) subdivides each class.
That may not be clear enough, so the two tables below list them; because there are many types and some are very rare, only the common ones are listed here.
The first table: type table
Note: R indicates a query message, E indicates an error message
Further, each type can be subdivided into several subtypes according to the code field.
The second table: type breakdown table
With these two tables, the meaning of every kind of ICMP packet should be quite clear.
ICMP-related kernel parameters
The most commonly used ICMP-related kernel parameter is net.ipv4.icmp_echo_ignore_all, which disables responses to ping; there are several ways to disable ping.
You can also look at the other parameters if you are interested; if one is unclear, look it up in the diagram.
3. References
Everything you want to know about the ICMP protocol is here
https://mp.weixin.qq.com/s/Su2M5aQ2GXsbrgpVcX3kpQ
10 easily overlooked ping usages and troubleshooting tips
https://mp.weixin.qq.com/s/ajE0yJfZo02Mkjmpy27SgA
How to disable and enable ping on Linux
https://mp.weixin.qq.com/s/5nPbvQeAxfOl-li_oMMdDw