当前位置:网站首页>Iptables firewall

Iptables firewall

2022-07-28 06:53:00 [dissimilarity space]

IPTABLES A firewall

The premise to prepare

  • host
hostnameinet1inet2 System other
firewalld192.168.72.201202.207.240.201CentOS7.5.1804
  • close CentOS7 Default security components 
systemctl stop firewalld
systemctl disable firewalld

setenforce 0
sed -ri "s|(SELINUX=)(.*)|\1disabled|g" /etc/selinux/config
  • To configure Base Source 
curl -o /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-vault-6.10.repo
sed -i -e '/mirrors.cloud.aliyuncs.com/d' -e '/mirrors.aliyuncs.com/d' /etc/yum.repos.d/CentOS-Base.repo

yum clean all
yum makecache fast
  • install iptables
yum install iptables iptables-services -y

cat >>/etc/rc.d/rc.local <<EOF modprobe ip_tables modprobe iptable_filter modprobe iptable_nat modprobe ip_conntrack modprobe ip_conntrack_ftp modprobe ip_nat_ftp modprobe ipt_state EOF

chmod +x /etc/rc.d/rc.local

systemctl start iptables.service 
systemctl enable iptables.service 

reboot

Insert picture description here

iptables Basics

iptables Four tables

The name of the table effect Inclusion chain
filter Decide how to process a packet according to specific rules ( Realize the real firewall function )INPUT 、FORWARD、OUTPUT
nat Used to modify packets ip Address , Port number and other information ( Share the Internet 、 Inside and outside IP mapping 、 Port mapping )OUTPUT、PREROUTING、POSTROUTING
mangle Used to modify the service type of the packet 、 Life cycle , Or set up mark Mark to realize advanced applications such as traffic shaping ( Rarely used )
raw It is mainly used to decide whether to track the status of packets ( Rarely used )

iptables Five chains of

Chain name effect
INPUT When you receive a packet that accesses the firewall's local address , Apply the rules in this chain
OUTPUT When the firewall sends packets to the outside world , Apply the rules in this chain
FORWARD When receiving data packets that need to be sent to other addresses through firewall , Apply the rules in this chain (LVS NAT In the pattern net.ipv4.ip_forward=0) sysctl -p Make the kernel parameters effective
PREROUTING Before routing packets , Apply the rules in this chain ( Realization Port forwarding mapping , If you can put 80 Convert to LAN server 9000 On port )
POSTROUTING After routing packets , Apply the rules in this chain ( Realization Share the Internet

Matching process of packet filtering

  1. Application order of rule table :raw→mangle→nat→filter

  2. The application order of rule chain depends on the flow direction of data :

    Inbound data flow :PREROUTING→ Routing →INPUT→ Applications
    Forward data to :PREROUTING→ Routing →FORWARD→POSTROUTING
    Outbound data flow :OUTPUT→ Routing →POSTROUTING

  3. Processing rules inside the rule chain :

    The order is matched from the beginning of the table , Until the matching rule is met, stop .( Match stops )

    Once a matching rule is found, subsequent other rules will not be checked , If you can't find a matching rule , Just follow the default rules .

iptables Basic grammar

Basic grammar

Command format effect
iptables [-t table] -A chain rule-specification-A chain Append a rule at the end of the specified rule chain ;
iptables [-t table] -I chain [rulenum] rule-specification Insert a rule at the beginning of the specified rule chain
iptables [-t table] -R chain rulenum rule-specification Modify the rules in the specified rule chain
iptables [-t table] -D chain rulenum Delete the rule sequence number in the specified rule chain rulenum The rules of
iptables [-t table] -S [chain [rulenum]] Print assignments { surface | Rule chain } All the rules in
```iptables [-t table] {-F-L
iptables [-t table] -N chain Create a user-defined rule chain
iptables [-t table] -X [chain] Delete user-defined rule chain ( All non built-in rule chains are deleted by default )
iptables [-t table] -P chain target Set the policy of the rule chain as the given goal (ACCEPT|DENY) For built-in
iptables [-t table] -E old-chain-name new-chain-name Rename the user-defined rule chain 
rule-specification = [matches...] [target]
match = -m matchname [per-match-options]				# -m {multiport|state|limit...}
target = -j targetname [per-target-options]				# -j {ACCEPT|DROP|REJECT|LOG}

Management options (commands)

Management options meaning Example
-A Append a... At the end of the specified chain iptables -A INPUT
-I Insert a new... In the specified chain , If no serial number is specified, it will be the first item by default iptables -I INPUT
-R modify 、 Replace a rule iptables -t nat -R INPUT
-D Delete iptables -t nat -D INPUT
-L see iptables -L -t nat
-F Clear all rules iptables -F
-P Specify the default rule iptables -P
-n To display in digital form iptables -nL
-n -line-number The rules are numbered iptables -nL --line-number -t nat

Parameter options (parameters)

Parameter options effect
-p {tcp/udp/icmp} The protocol that specifies the rule application is tcp、udp or icmp
--dport Goal slogan Specify the target port in the rule
--sport Source port number Specify the source port in the rule
-s Source IP Specify the source in the rule IP Address
-d Purpose IP Specify the purpose in the rule IP Address
-m Module name Specify the module name to be used in the rule , If included {multiport | limit | state …}
-i adapter name When data enters , Through which network card
-o adapter name When data flows out , Through which network card

Control options (targetname)

Control options meaning
ACCEPT Allow packets to pass
REJECT Reject packet pass , If necessary, a response message will be sent to the sender of the packet
DROP Discard packets directly , No response
LOG stay /var/log/messages Log information in the file , Then give the packet to the next rule , It does not process packets by itself

Common commands 

iptables -L -n --line-number 					#  Look at the rules 
iptables -D INPUT 3								#  Delete INPPUT The third rule in the chain 
iptables -F										#  Clear rules 
iptables -X										#  Delete user-defined rule chain 
iptables -P INPUT ACCEPT						#  Configure default rules , Allow all ports to access 
iptables -P INPUT DROP							#  Configure default rules , Do not allow all ports to access 
iptables -Z DOCKER								#  Clear the user-defined chain (INPUT) The rules in the 


iptables-save >/etc/sysconfig/iptables			#  Save firewall rules 
iptables-restore </etc/sysconfig/iptables		#  Load firewall rules

Case configuration

  • Refuse IP The address is 192.168.72.131 Host for remote connection 
iptables -I INPUT -s 192.168.72.131 -p tcp --dport 22 -j REJECT

  1. Check the rules of the firewall

  2. Insert picture description here
    Host computer 192.168.72.131 Remote connection on , Test whether the rules work

Insert picture description here

  • Only 192.168.72.0 Access the port of the network segment 
iptables -A INPUT ! -s 192.168.72.0/24 -j REJECT

Be careful : Here we use the inverse method , First configure the network segment to deny access , Then add ! Let the rule be reversed

  1. View firewall rules

Insert picture description here

  1. Verify whether it is effective before fire prevention

Insert picture description here

  • Users are not allowed to access 1024-65535 Port of range / Users are not allowed to access 80 and 443 port 
iptables -I INPUT -p tcp --dport 1024:65535 -j REJECT					#  Specified scope 
iptables -I INPUT -p tcp -m multiport --dport 81,444 -j REJECT			#  Specify several ports , You need to specify additional modules  -m multiport
  1. Look at the rules

Insert picture description here

  1. Validation rule

Verification method : Use nc Command in firewalld The main engine is on 8888 Port services , Use another host to access 8888 port

firewalld End :

nc -l 8888

Test client :

nc 192.168.72.201 8888
nc 202.207.240.201 8888

Insert picture description here

  • Prohibit users from ping A firewall

    • Method 1 : Modify kernel parameters 

      echo 'net.ipv4.icmp_echo_ignore_all = 1' >>/etc/sysctl.conf

sysctl -p

    • Method 2 : Firewall rules 

      iptables -I INPUT -p icmp --icmp-type 8 -j REJECT

      1. Look at the rules

        Insert picture description here

      2. Validation rule

        Insert picture description here

  • Match network status
    -m state --state
    NEW: A new connection has been or will be started
    ESTABLISHED: Established connection ( Allow by default )
    RELATED: Starting new connection ( Allow by default )
    INVALID: Illegal or unrecognized 

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

  • Limit concurrency and rate ( Displays the rate at which packets are sent )

    -m limit --limit n/{second/minute/hour}: ( Specify the sending rate )
    explain : The rate of requests over a specified period of time ”n” For rate , The following are the times : second branch when
    –limit-burst [n] ( Specify the number of concurrent )
    explain : Requests that are allowed to pass at the same time ”n” Is the number , Do not specify default as 5

iptables -I INPUT -p icmp --icmp-type 8 -j ACCEPT
iptables -I INPUT -p icmp --icmp-type 8 -m limit --limit 6/min --limit-burst 5 -j ACCEPT

Production environment configuration

  • Clear rules 

    iptables -F
iptables -X
iptables -Z

  • allow 22 Port access 

    iptables -A INPUT -p tcp --dport 22 -j ACCEPT

  • Allow this machine lo Interface data flow outflow and inflow 

    iptables -A INPUT -i lo -j ACCEPT 
iptables -A OUTPUT -o lo -j ACCEPT

  • release 80 and 443 port 

    iptables -I INPUT -p tcp -m multiport --dport 80,443 -j ACCEPT

  • Configure default rules 

    iptables -P INPUT DROP
iptables -P FORWARD DROP			#  If shared Internet access is configured , Forwarding needs to be set to  ACCEPT
iptables -P OUTPUT ACCEPT

  • Add whitelist 

    iptables -I INPUT -s 192.168.72.0/24 -j ACCEPT
iptables -I INPUT -s 202.207.240.0/24 -j ACCEPT

Share the Internet , Port mapping and IP Schematic diagram of mapping

Insert picture description here

Share the Internet

explain : The host only has intranet IP(202.207.240.0/24), Only the firewall is equipped with dual network cards Public network IP(192.168.72.201) Intranet IP(202.207.240.201), Use nat Forwarding mode , Let the intranet host gateway point to the firewall , Sharing the Internet

Schematic diagram :

firewalld End configuration

  1. Turn on the network card forwarding mode 
echo 'net.ipv4.ip_forward = 1' >>/etc/sysctl.conf
sysctl -p
  1. To configure nat The rules 
iptables -t nat -A POSTROUTING -s 202.207.240.0/24 -j SNAT --to-source 192.168.72.201		#  Applicable to the public network IP Fix 
iptables -t nat -A POSTROUTING -s 202.207.240.0/24 -j SNAT --to-source MASQUERADE	#  Applicable to the public network IP Unfixed

Be careful :FORWARD The default rule of the chain must be ACCEPT

Intranet host configuration

Modify the network card configuration file , Point the gateway to the intranet of the firewall IP Address

Insert picture description here

Insert picture description here

Port mapping

Case study : Accessing the firewall 9000 port , In fact, I visited 202.207.240.133:22 port ( namely ssh Sign in 202.207.240.136)

firewalld End configuration 

iptables -t nat -A PREROUTING -d 192.168.72.201 -p tcp --dport 9000 -j DNAT --to-destination 202.207.240.133:22

echo 'net.ipv4.ip_forward = 1' >>/etc/sysctl.conf
sysctl -p

Insert picture description here

Be careful :FORWARD The default rule of the chain must be ACCEPT

Client side test 

ssh -p 9000 [email protected]

Insert picture description here

IP mapping

explain : Similar to port mapping

firewalld End configuration

  1. Add public network IP
ip addr add 192.168.72.150/24 dev ens33 label ens33:0

Insert picture description here

  1. Configure firewall rules 
iptables -t nat -A PREROUTING -d 192.168.72.150 -j DNAT --to-destination 202.207.240.133

Insert picture description here

Client side test

Test instructions : adopt ssh Remote login 192.168.72.150, In fact, the login is the intranet host 202.207.240.133 host

Insert picture description here

原网站

版权声明
本文为[[dissimilarity space]]所创,转载请带上原文链接,感谢
https://yzsam.com/2022/209/202207280520246089.html

边栏推荐

猜你喜欢

随机推荐