Hedhat firewall

The firewall will read the configured policy rules from top to bottom , Immediately after the match is found, the matching work is finished and the behavior defined in the match is executed （ To release or prevent ）. If there is no match after reading all the policy rules , Go ahead and implement the default strategy . generally speaking , There are two kinds of firewall policy rules ：“ through ”（ Let's go ） and “ Block up ”（ That is to prevent ）. When the default policy of firewall is reject （ Block up ）, It's about setting the allow rule （ through ）, Otherwise no one can come in ; If the default policy of the firewall is allow , It's about setting rejection rules , Otherwise everyone can come in , Firewall also lost the role of prevention .

iptables The service refers to the policy entries used to process or filter traffic as rules , Multiple rules can form a rule chain , The rule chain is classified according to the location of packet processing , As follows ：

Process packets before routing （PREROUTING）;

Process incoming packets （INPUT）;

Process outgoing packets （OUTPUT）;

Process forwarded packets （FORWARD）;

Process packets after routing （POSTROUTING）.

Generally speaking , The traffic sent from the intranet to the Internet is generally controllable and benign , So the most used is INPUT Rule chain , The rule chain can make it more difficult for hackers to invade the intranet from the external network .

For example, in the community where you live , Property management companies have two provisions ： Prohibit hawkers from entering the community ; All kinds of vehicles must be registered when entering the community . Obvious , These two rules should be applied to the front door of the community （ Where the flow must pass ）, Not on the security door of every house . According to the matching order of firewall policies mentioned above , There may be many situations . such as , The visitors are vendors , Will be directly rejected by the security of the property company , There is no need to register the vehicle . If visitors enter the main gate of the community in a car , be “ Prohibit hawkers from entering the community ” The first rule of is not matched , So match the second strategy in order , That is, the vehicle needs to be registered . If you are a community resident, you need to enter the main entrance , Then these two provisions will not match , Therefore, the default release policy will be implemented .

however , Only policy rules cannot guarantee the safety of the community , The security guard should also know what actions to take to deal with these matching traffic , such as “ allow ”“ Refuse ”“ registration ”“ Ignore it ”. These actions correspond to iptables The terms of service are ACCEPT（ Allow flow through ）、REJECT（ Reject traffic through ）、LOG（ Logging information ）、DROP（ Reject traffic through ）.“ Allow flow through ” and “ Logging information ” It's easy to understand , What needs to be emphasized here is REJECT and DROP The difference between . Just DROP Come on , It directly discards traffic and does not respond ;REJECT Then it will reply one more message after rejecting the traffic “ The message has been received , But it was thrown away ” Information , So that the traffic sender can clearly see the response information of data rejected .