Iptables firewall
2022-07-28 06:53:00 【[dissimilarity space]】
IPTABLES firewall
Prerequisites
- Host
| hostname | inet1 | inet2 | System | other |
|---|---|---|---|---|
| firewalld | 192.168.72.201 | 202.207.240.201 | CentOS7.5.1804 | |
- Stop CentOS 7's default security components (firewalld and SELinux); iptables-services takes over from firewalld
```sh
systemctl stop firewalld
systemctl disable firewalld
setenforce 0
sed -ri "s|(SELINUX=)(.*)|\1disabled|g" /etc/selinux/config
```
- Configure the Base repository
```sh
curl -o /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-vault-6.10.repo
sed -i -e '/mirrors.cloud.aliyuncs.com/d' -e '/mirrors.aliyuncs.com/d' /etc/yum.repos.d/CentOS-Base.repo
yum clean all
yum makecache fast
```
- Install iptables
```sh
yum install iptables iptables-services -y
# load the netfilter modules at boot (the post uses the legacy module names;
# CentOS 7 kernels call the last four nf_conntrack, nf_conntrack_ftp,
# nf_nat_ftp and xt_state)
cat >>/etc/rc.d/rc.local <<EOF
modprobe ip_tables
modprobe iptable_filter
modprobe iptable_nat
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe ipt_state
EOF
chmod +x /etc/rc.d/rc.local
systemctl start iptables.service
systemctl enable iptables.service
reboot
```

iptables basics
The four iptables tables
| Table | Purpose | Chains it contains |
|---|---|---|
| filter | Decides how to handle a packet according to the rules (the actual firewall function) | INPUT, FORWARD, OUTPUT |
| nat | Modifies packet IP addresses, port numbers and similar fields (shared Internet access, inside/outside IP mapping, port mapping) | OUTPUT, PREROUTING, POSTROUTING |
| mangle | Modifies a packet's type of service or TTL, or sets a mark for advanced uses such as traffic shaping (rarely used) | |
| raw | Mainly decides whether a packet is connection-tracked at all (rarely used) | |
The five iptables chains
| Chain | Purpose |
|---|---|
| INPUT | Applied to packets addressed to the firewall's own local addresses |
| OUTPUT | Applied to packets the firewall itself sends out |
| FORWARD | Applied to packets that pass through the firewall on their way to other addresses (used e.g. by LVS in NAT mode; forwarding is controlled by the kernel parameter net.ipv4.ip_forward, default 0, and sysctl -p makes a changed kernel parameter take effect) |
| PREROUTING | Applied before a packet is routed (port forwarding/mapping, e.g. redirecting port 80 to port 9000 on a LAN server) |
| POSTROUTING | Applied after a packet is routed (shared Internet access) |
Packet filtering match order
Order in which the tables are applied: raw → mangle → nat → filter
Which chains apply depends on the direction of the traffic:
- Inbound traffic: PREROUTING → routing → INPUT → local application
- Forwarded traffic: PREROUTING → routing → FORWARD → POSTROUTING
- Outbound traffic: OUTPUT → routing → POSTROUTING
Rule processing inside a chain:
- Rules are checked in order from the top of the chain until one matches (first match wins).
- Once a rule matches, the remaining rules are not checked; if no rule matches, the chain's default policy applies.
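The first-match walk just described is easy to get wrong when rules are added with a mix of -I (top) and -A (bottom). The following added example, which is not part of the original post, simulates one chain in plain sh: rules are constructed here in the order iptables would hold them, "any" is a wildcard, and a destination port may be a single port or a low:high range like the post's --dport 1024:65535. The sample chain and packets are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: a small simulator of the "first match
# wins, otherwise the chain policy applies" walk. Rules are held one per line as
# "source proto dport target" in the order iptables keeps them.

# ip_to_int A.B.C.D -> the address as a 32-bit integer
ip_to_int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP SPEC -> true when IP is inside SPEC (any, a plain address, or net/len)
in_cidr() {
    [ "$2" = any ] && return 0
    net=${2%/*}; len=${2#*/}
    [ "$len" = "$2" ] && len=32              # a plain address is a /32
    mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# port_match PORT SPEC -> true for any, an exact port, or a low:high range
port_match() {
    case $2 in
        any) return 0 ;;
        *:*) [ "$1" -ge "${2%:*}" ] && [ "$1" -le "${2#*:}" ] ;;
        *)   [ "$1" -eq "$2" ] ;;
    esac
}

# walk_chain POLICY SRC PROTO DPORT  (rules on stdin)
# Prints the verdict and the rule that produced it; stops at the first match,
# exactly as the kernel does, and falls back to POLICY when nothing matched.
walk_chain() {
    policy=$1; src=$2; proto=$3; dport=$4; n=0
    while read -r r_src r_proto r_dport r_target; do
        n=$((n + 1))
        [ "$r_proto" = any ] || [ "$r_proto" = "$proto" ] || continue
        port_match "$dport" "$r_dport" || continue
        in_cidr "$src" "$r_src" || continue
        echo "$r_target (rule $n)"
        return 0
    done
    echo "$policy (policy)"
}

# Constructed sample INPUT chain in the order the post's commands would leave it:
# the two -I rules sit above the two -A rules, so the whitelist in rule 4 is only
# reached by packets that rules 1-3 did not already decide.
demo_rules() {
    cat <<'EOF'
192.168.72.131 tcp 22 REJECT
any tcp 1024:65535 REJECT
any tcp 22 ACCEPT
192.168.72.0/24 any any ACCEPT
EOF
}

# decide SRC PROTO DPORT -> verdict for one packet against the sample chain (policy DROP)
decide() {
    demo_rules | walk_chain DROP "$1" "$2" "$3"
}

decide 192.168.72.131 tcp 22     # REJECT (rule 1): the banned host is matched first
decide 192.168.72.10 tcp 22      # ACCEPT (rule 3)
decide 192.168.72.10 tcp 8888    # REJECT (rule 2): the whitelist is never consulted
decide 192.168.72.10 udp 53      # ACCEPT (rule 4)
decide 10.0.0.5 tcp 80           # DROP (policy): no rule matched
```

The third packet shows the trap the later "production" section runs into: a REJECT inserted with -I lands above a whitelist appended with -A, so whitelisted hosts are still refused on those ports. Listing the chain with `iptables -nL INPUT --line-numbers` shows the real order.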
iptables basic syntax
Basic syntax
| Command format | Purpose |
|---|---|
| iptables [-t table] -A chain rule-specification | Append a rule at the end of the given chain |
| iptables [-t table] -I chain [rulenum] rule-specification | Insert a rule at the beginning of the given chain (or at position rulenum) |
| iptables [-t table] -R chain rulenum rule-specification | Replace rule number rulenum in the given chain |
| iptables [-t table] -D chain rulenum | Delete rule number rulenum from the given chain |
| iptables [-t table] -S [chain [rulenum]] | Print all rules of the given table or chain |
| iptables [-t table] {-F\|-L\|-Z} [chain [rulenum]] | Flush (-F), list (-L) or zero the counters of (-Z) the given chain, or every chain in the table when none is given |
| iptables [-t table] -N chain | Create a user-defined chain |
| iptables [-t table] -X [chain] | Delete a user-defined chain (all non-built-in chains when none is given) |
| iptables [-t table] -P chain target | Set the policy of a built-in chain to the given target (ACCEPT or DROP) |
| iptables [-t table] -E old-chain-name new-chain-name | Rename a user-defined chain |
```sh
rule-specification = [matches...] [target]
match  = -m matchname [per-match-options]    # -m {multiport|state|limit...}
target = -j targetname [per-target-options]  # -j {ACCEPT|DROP|REJECT|LOG}
```
Management options (commands)
| Option | Meaning | Example |
|---|---|---|
| -A | Append a rule at the end of the given chain | iptables -A INPUT |
| -I | Insert a rule into the given chain; without a rule number it becomes the first rule | iptables -I INPUT |
| -R | Modify (replace) a rule | iptables -t nat -R INPUT |
| -D | Delete a rule | iptables -t nat -D INPUT |
| -L | List rules | iptables -L -t nat |
| -F | Flush all rules | iptables -F |
| -P | Set the default policy | iptables -P |
| -n | Show addresses and ports numerically | iptables -nL |
| -n --line-numbers | Number the rules in the listing | iptables -nL --line-numbers -t nat |
Parameter options (parameters)
| Option | Purpose |
|---|---|
| -p {tcp\|udp\|icmp} | Protocol the rule applies to: tcp, udp or icmp |
| --dport destination-port | Destination port matched by the rule |
| --sport source-port | Source port matched by the rule |
| -s source-IP | Source IP address matched by the rule |
| -d destination-IP | Destination IP address matched by the rule |
| -m module | Extension module used by the rule, e.g. {multiport \| limit \| state ...} |
| -i interface | Network interface the packet arrives on |
| -o interface | Network interface the packet leaves through |
Control options (targetname)
| Target | Meaning |
|---|---|
| ACCEPT | Let the packet through |
| REJECT | Refuse the packet and, where applicable, send an error response (by default an ICMP port-unreachable) back to the sender |
| DROP | Silently discard the packet; no response is sent |
| LOG | Write the packet details to the kernel log (/var/log/messages), then hand the packet on to the next rule; LOG itself neither accepts nor drops the packet |
Common commands
```sh
iptables -L -n --line-numbers                # list the rules with their numbers
iptables -D INPUT 3                          # delete the third rule of the INPUT chain
iptables -F                                  # flush all rules
iptables -X                                  # delete user-defined chains
iptables -P INPUT ACCEPT                     # default policy: allow access to all ports
iptables -P INPUT DROP                       # default policy: deny access to all ports
iptables -Z DOCKER                           # zero the packet/byte counters of the user-defined chain DOCKER (-Z does not delete rules)
iptables-save >/etc/sysconfig/iptables       # save the firewall rules
iptables-restore </etc/sysconfig/iptables    # load the firewall rules
```
Example configurations
- Refuse remote (SSH) connections from the host with IP address 192.168.72.131
```sh
iptables -I INPUT -s 192.168.72.131 -p tcp --dport 22 -j REJECT
```
Check the firewall rules
Open a remote connection from host 192.168.72.131 to test whether the rule works
- Allow only the 192.168.72.0/24 network segment to access the ports
```sh
iptables -A INPUT ! -s 192.168.72.0/24 -j REJECT
```
Note: this uses negation: write the rule that would reject the network segment, then add ! to invert the match so that every other source is rejected instead
- View the firewall rules
- Verify that the firewall rule takes effect
- Deny access to ports in the range 1024-65535 / deny access to ports 80 and 443
```sh
iptables -I INPUT -p tcp --dport 1024:65535 -j REJECT            # a port range
iptables -I INPUT -p tcp -m multiport --dport 81,444 -j REJECT   # several separate ports; needs the extra module -m multiport
```
- View the rules
- Verify the rules
Verification method: start a service on port 8888 on the firewalld host with nc, then access port 8888 from another host
On the firewalld host:
```sh
nc -l 8888
```
On the test client:
```sh
nc 192.168.72.201 8888
nc 202.207.240.201 8888
```
Prevent users from pinging the firewall
Method 1: kernel parameter
```sh
echo 'net.ipv4.icmp_echo_ignore_all = 1' >>/etc/sysctl.conf
sysctl -p
```
Method 2: firewall rule
```sh
iptables -I INPUT -p icmp --icmp-type 8 -j REJECT
```
View the rules
Verify the rule
Matching connection state
-m state --state
- NEW: a packet that starts a new connection
- ESTABLISHED: part of an already established connection (allowed by default)
- RELATED: a new connection associated with an existing one, e.g. an FTP data connection (allowed by default)
- INVALID: a packet that is malformed or cannot be associated with any known connection
```sh
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
```
Limiting rate and burst (controls how many packets are let through)
-m limit --limit n/{second|minute|hour} (average rate)
Explanation: n is the number of matches allowed per time unit; the unit is second, minute or hour
--limit-burst [n] (burst size)
Explanation: n is the number of packets allowed through at once before the rate limit applies; the default is 5
```sh
iptables -I INPUT -p icmp --icmp-type 8 -j ACCEPT
iptables -I INPUT -p icmp --icmp-type 8 -m limit --limit 6/min --limit-burst 5 -j ACCEPT
# note: with these two rules every echo request is still accepted (the second -I sits
# above the first, and whatever exceeds the limit falls through to the plain ACCEPT);
# the limit only takes effect when the rule after it drops the excess
```
Production environment configuration
Flush the rules
```sh
iptables -F
iptables -X
iptables -Z
```
Allow access to port 22
```sh
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
```
Allow traffic in and out on the local lo interface
```sh
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
```
Open ports 80 and 443
```sh
iptables -I INPUT -p tcp -m multiport --dport 80,443 -j ACCEPT
```
Set the default policies
```sh
iptables -P INPUT DROP
iptables -P FORWARD DROP   # if shared Internet access is configured, FORWARD must be set to ACCEPT
iptables -P OUTPUT ACCEPT
```
Add whitelists
```sh
iptables -I INPUT -s 192.168.72.0/24 -j ACCEPT
iptables -I INPUT -s 202.207.240.0/24 -j ACCEPT
```
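The production ruleset above, together with the state and rate-limit matches from the previous two sections, can be kept as one file in iptables-save format and loaded atomically, which is how iptables-services itself restores rules at boot. The following added example is not from the original post: it generates that file, orders the rules deliberately (the kernel stops at the first match, so loopback and ESTABLISHED traffic are decided before anything else), gives the rate-limited ping the DROP rule it needs, and only loads the file after iptables-restore has parsed it without committing. Networks, ports and the 6/min, burst 5 ping budget are the post's values; the INVALID drop, the RULES_FILE path and the use of `iptables-restore --test` are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: build the post's production ruleset as
# an iptables-save style file and apply it with iptables-restore in one step.

ADMIN_NETS="192.168.72.0/24 202.207.240.0/24"     # whitelisted source networks (post)
PUBLIC_PORTS="80,443"                              # services open to everyone (post)
RULES_FILE=${RULES_FILE:-/etc/sysconfig/iptables}  # file iptables-services loads at boot (assumed)

# gen_filter_rules -> the filter table in iptables-save format on stdout.
# Order matters because the kernel stops at the first match: loopback and
# ESTABLISHED traffic first (most packets), then the explicit allows, then the
# rate-limited ping with its catch-all drop; everything else hits the DROP policy.
gen_filter_rules() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A OUTPUT -o lo -j ACCEPT'
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -m state --state INVALID -j DROP'          # assumed addition
    for net in $ADMIN_NETS; do
        echo "-A INPUT -s $net -j ACCEPT"
    done
    echo '-A INPUT -p tcp --dport 22 -j ACCEPT'
    echo "-A INPUT -p tcp -m multiport --dports $PUBLIC_PORTS -j ACCEPT"
    # Echo requests above the budget fall through to the next rule and are dropped;
    # without that second rule the limit would have no visible effect.
    echo '-A INPUT -p icmp --icmp-type 8 -m limit --limit 6/min --limit-burst 5 -j ACCEPT'
    echo '-A INPUT -p icmp --icmp-type 8 -j DROP'
    echo 'COMMIT'
}

# count_input_rules -> number of INPUT rules the generator produced (sanity check)
count_input_rules() {
    gen_filter_rules | grep -c '^-A INPUT '
}

# apply_rules -> write the ruleset to a temp file, let iptables-restore parse it
# without committing (--test), and only then load it and keep a copy in RULES_FILE.
apply_rules() {
    tmp=$(mktemp) || return 1
    gen_filter_rules >"$tmp"
    if iptables-restore --test "$tmp"; then
        iptables-restore "$tmp" && cp "$tmp" "$RULES_FILE"
        rc=$?
    else
        echo "ruleset rejected by iptables-restore, nothing changed" >&2
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Usage: preview with `gen_filter_rules`; run `apply_rules` as root on the firewall.
gen_filter_rules
```

Because the whole table is replaced on each run, applying it twice does not duplicate rules, which a sequence of `iptables -I`/`-A` commands would. Keep an out-of-band console session open when first applying a DROP policy remotely, since a mistake in the SSH rule locks the session out.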
Schematic diagram of shared Internet access, port mapping and IP mapping
Shared Internet access
Explanation: the hosts only have intranet IPs (202.207.240.0/24); only the firewall has two network cards, with the public IP 192.168.72.201 and the intranet IP 202.207.240.201. With nat forwarding on the firewall and the intranet hosts' gateway pointed at it, the hosts share the firewall's Internet access
Schematic diagram:
Configuration on the firewalld host
- Enable IP forwarding
```sh
echo 'net.ipv4.ip_forward = 1' >>/etc/sysctl.conf
sysctl -p
```
- Configure the nat rules
```sh
iptables -t nat -A POSTROUTING -s 202.207.240.0/24 -j SNAT --to-source 192.168.72.201  # when the public IP is fixed
iptables -t nat -A POSTROUTING -s 202.207.240.0/24 -j MASQUERADE                        # when the public IP is not fixed (MASQUERADE is a target of its own, not an argument to SNAT)
```
Note: the default policy of the FORWARD chain must be ACCEPT
Intranet host configuration
Edit the network card configuration file and point the gateway at the firewall's intranet IP address
Port mapping
Example: accessing port 9000 on the firewall actually reaches 202.207.240.133:22 (i.e. an ssh login to 202.207.240.136)
Configuration on the firewalld host
```sh
iptables -t nat -A PREROUTING -d 192.168.72.201 -p tcp --dport 9000 -j DNAT --to-destination 202.207.240.133:22
echo 'net.ipv4.ip_forward = 1' >>/etc/sysctl.conf
sysctl -p
```
Note: the default policy of the FORWARD chain must be ACCEPT
Client-side test
```sh
ssh -p 9000 <user>@192.168.72.201   # <user> is a placeholder; the user name was not preserved in the post
```
IP mapping
Explanation: similar to port mapping
Configuration on the firewalld host
- Add a public IP address
```sh
ip addr add 192.168.72.150/24 dev ens33 label ens33:0
```
- Configure the firewall rule
```sh
iptables -t nat -A PREROUTING -d 192.168.72.150 -j DNAT --to-destination 202.207.240.133
```
Client-side test
Test description: ssh to 192.168.72.150; the login actually lands on the intranet host 202.207.240.133
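The three nat scenarios above share the same two preconditions that the post's "note" lines point out: the kernel must forward packets, and the FORWARD chain must let the traffic through. The following added example, not from the original post, generates the nat rules for all three scenarios from one set of variables, checks net.ipv4.ip_forward before loading anything, and replaces the blanket FORWARD ACCEPT policy with rules that allow only the LAN's outbound flows and new connections to the mapped host. Addresses and the 9000→22 mapping are the post's; WAN_IF, the fixed/dynamic mode switch and the use of `iptables-restore --noflush` are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: nat rules for shared Internet access,
# port mapping and IP mapping, plus the forwarding checks they depend on.

WAN_IF=ens33                      # public-side interface (assumed; the post adds its alias on ens33)
PUBLIC_IP=192.168.72.201          # public IP of the firewall (post)
EXTRA_PUBLIC_IP=192.168.72.150    # second public IP used for IP mapping (post)
LAN_NET=202.207.240.0/24          # intranet behind the firewall (post)
MAPPED_HOST=202.207.240.133       # intranet host reached by the port and IP mappings (post)

# ip_forward_enabled [FILE] -> true when the kernel forwards IPv4 packets.
# FILE defaults to the real sysctl node; it is a parameter so the check can be tested.
ip_forward_enabled() {
    node=${1:-/proc/sys/net/ipv4/ip_forward}
    [ -r "$node" ] && [ "$(cat "$node")" = 1 ]
}

# gen_nat_rules fixed|dynamic -> nat table in iptables-save format.
# fixed: SNAT to the known public IP; dynamic: MASQUERADE, a target of its own that
# rewrites to whatever address the outgoing interface currently has.
gen_nat_rules() {
    case ${1:-fixed} in
        fixed)   snat="-j SNAT --to-source $PUBLIC_IP" ;;
        dynamic) snat="-j MASQUERADE" ;;
        *) echo "gen_nat_rules: mode must be fixed or dynamic" >&2; return 1 ;;
    esac
    echo '*nat'
    echo ':PREROUTING ACCEPT [0:0]'
    echo ':POSTROUTING ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # port mapping: public :9000 -> mapped host :22
    echo "-A PREROUTING -d $PUBLIC_IP -p tcp --dport 9000 -j DNAT --to-destination $MAPPED_HOST:22"
    # IP mapping: every port of the second public IP -> mapped host
    echo "-A PREROUTING -d $EXTRA_PUBLIC_IP -j DNAT --to-destination $MAPPED_HOST"
    # shared Internet access: rewrite the LAN's source address on the way out
    echo "-A POSTROUTING -s $LAN_NET -o $WAN_IF $snat"
    echo 'COMMIT'
}

# gen_forward_rules -> FORWARD rules that stand in for "policy ACCEPT": replies to
# existing connections, the LAN going out, and new connections only to the mapped
# host (FORWARD sees the post-DNAT destination, so the intranet address is matched).
gen_forward_rules() {
    echo '*filter'
    echo ':FORWARD DROP [0:0]'
    echo '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo "-A FORWARD -s $LAN_NET -o $WAN_IF -j ACCEPT"
    echo "-A FORWARD -i $WAN_IF -d $MAPPED_HOST -p tcp --dport 22 -m state --state NEW -j ACCEPT"  # port mapping
    echo "-A FORWARD -i $WAN_IF -d $MAPPED_HOST -m state --state NEW -j ACCEPT"                    # IP mapping
    echo 'COMMIT'
}

# apply_nat MODE -> refuse to load anything while forwarding is off, then load the
# nat table and the FORWARD rules without flushing the INPUT rules already present.
apply_nat() {
    if ! ip_forward_enabled; then
        echo "net.ipv4.ip_forward is 0: enable it first (sysctl -w net.ipv4.ip_forward=1)" >&2
        return 1
    fi
    gen_nat_rules "$1" | iptables-restore --noflush &&
    gen_forward_rules | iptables-restore --noflush
}

# Usage: preview, then `apply_nat dynamic` (or fixed) as root on the firewall.
gen_nat_rules "${NAT_MODE:-dynamic}"
gen_forward_rules
```

Because `--noflush` appends, run `apply_nat` once or flush the nat table and the FORWARD chain first (`iptables -t nat -F; iptables -F FORWARD`); otherwise each run adds a second copy of every rule.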
