iptables details

The firewalls most commonly seen on the market today are layer 3/4 firewalls, also called network-layer firewalls. There are also layer 7 firewalls, which are really application-layer proxy gateways.

In the seven-layer model used to describe TCP/IP, the third layer is the network layer, and a layer 3 firewall inspects source and destination addresses at this layer. A layer 7 firewall, by contrast, checks everything: source port, destination port, source and destination address, and the payload itself. In terms of design principle the layer 7 firewall is therefore more secure, but this comes at the cost of lower efficiency. Firewall products on the market are usually a combination of the two. Because all traffic has to pass through the firewall's controls, the firewall's efficiency becomes one of the most important factors in how much data users can actually move; a badly configured firewall can even become a bottleneck for the whole traffic flow.


Five positions where traffic can be controlled

  1. Kernel space: packets coming in on one network interface and going out on another
  2. Packets flowing from the kernel into user space
  3. Packets flowing out of user space
  4. Entering / leaving the machine's external network interface
  5. Entering / leaving the machine's internal network interface

In fact the first three positions are already basically enough to block the path completely, so why, having set checkpoints at the inbound and outbound sides, set more on the network interfaces themselves? At the interfaces the packet has not yet been through the routing decision, so it is not yet known where the data will go, and inbound/outbound filtering cannot be done there. That is why the filtering checkpoints are placed in kernel space: at forwarding, at entry into user space, and on the way out of user space. Then, since the interface checkpoints are of no use for filtering, why place them at all? Because when we do NAT and DNAT, the destination address must be translated before routing. So we must also set up checkpoints at the external network interface and at the internal network interface.

These five positions are also called the five hook functions, and also the five rule chains:

  1. PREROUTING (before routing)
  2. INPUT (packet entry point)
  3. FORWARD (forwarding checkpoint)
  4. OUTPUT (packet exit point)
  5. POSTROUTING (after routing)

These are the five rule chains defined by Netfilter. Any packet, as long as it passes through this machine, will go through one of these five chains.

Firewall Policy

Firewall policies generally come in two kinds, a "pass" policy and a "block" policy:

Pass policy:

The door is shut by default; whoever is allowed in must be defined explicitly.

Block policy:

The door is wide open, but you must have authentication, or you cannot enter.


So we have to define things: let in those who come in and let out those who go out. "Pass" therefore means passing everything, while "block" means selecting. When we define a policy we have to define several functions separately: the function that decides which packets are allowed or not allowed is filter, and the function that defines address translation is the nat option. To let these functions work alongside one another, the concept of a "table" was devised, to define and distinguish the different functions and ways of handling packets.


The table functions we use most often are three:

  1. filter: defines what is allowed and what is not
  2. nat: defines address translation
  3. mangle: modifies the original packets

The filter table can generally only work on three chains: INPUT, FORWARD, OUTPUT

The nat table can generally only work on three chains: PREROUTING, OUTPUT, POSTROUTING


The way iptables rules are defined is fairly involved:

Chain management commands (these take effect immediately)

-P: set the default policy of a chain (whether the door is closed or open by default)

such as:

-F: FLUSH, clear all the rules in a chain (note the management permissions of each chain)

-N: NEW, lets the user create a new chain

-X: delete an empty user-defined chain

-Z: zero the counters of a chain and of its default rule (there are two counters: how many packets were matched, and how many bytes)

Rules Management Command

Viewing rules: the "-L" command

Additional sub-commands

Match criteria in detail

1. General matches: matching the source address and the destination address

-s: specifies the source address to match; a host name cannot be given here, it must be an IP address


The address can also be negated by prefixing it with "!", meaning every IP except the one given

-d: matches the destination address

-p: matches the protocol (there are usually three protocols here: TCP/UDP/ICMP)

-i eth0: packets entering through this network interface

Inbound interface matching is generally used in INPUT and PREROUTING

-o eth0: packets leaving through this network interface

Outbound interface matching is generally used in OUTPUT and POSTROUTING

2. Extended matches

2.1 Implicit extensions: extensions belonging to the protocol

-p tcp: TCP protocol extension. There are three commonly used extensions:

--dport XX-XX: specifies the destination port. Several non-contiguous ports cannot be given; only a single port or a contiguous range can be specified, for example

--dport 21 or --dport 21-23 (the latter means ports 21, 22 and 23)

--sport: specifies the source port

--tcp-flags: TCP flags (SYN, ACK, FIN, PSH, RST, URG)

It generally takes two parameters:

1. the flags to check

2. the flags that must be set to 1

--tcp-flags SYN,ACK,FIN,RST SYN = --syn

This says: check these four bits; of them SYN must be 1 and the others must be 0. So it matches the first packet of the TCP three-way handshake. For specially matching this first SYN packet there is also a shorthand, called --syn
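How the --tcp-flags match evaluates a packet, as an added example that is not part of the original article: the shell functions below re-implement the check iptables performs for `--tcp-flags MASK COMP` (the flags named in MASK are examined, and among them exactly the flags named in COMP must be set; bits outside MASK are ignored) and show that `--syn` is the same as `--tcp-flags SYN,ACK,FIN,RST SYN`. The bit values follow the TCP header flag layout; the packets fed in are constructed strings, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the article): re-implementation of the
# "--tcp-flags MASK COMP" check, used to show why --syn equals
# "--tcp-flags SYN,ACK,FIN,RST SYN". Packets are constructed flag lists.

# Bit value of one TCP flag (TCP header layout: FIN=1 ... URG=32).
flag_bit() {
    case "$1" in
        FIN|fin)   echo 1 ;;
        SYN|syn)   echo 2 ;;
        RST|rst)   echo 4 ;;
        PSH|psh)   echo 8 ;;
        ACK|ack)   echo 16 ;;
        URG|urg)   echo 32 ;;
        ALL|all)   echo 63 ;;   # every flag, as in iptables' ALL keyword
        NONE|none) echo 0 ;;    # no flag, as in iptables' NONE keyword
        *) echo "unknown flag: $1" >&2; return 1 ;;
    esac
}

# flags_to_mask "SYN,ACK,FIN,RST" -> integer bitmask (18 for SYN,ACK)
flags_to_mask() {
    mask=0
    old_ifs=$IFS; IFS=,
    for name in $1; do
        bit=$(flag_bit "$name") || return 1
        mask=$((mask | bit))
    done
    IFS=$old_ifs
    echo "$mask"
}

# tcp_flags_match MASK COMP PACKET_FLAGS
# Succeeds when (packet & MASK) == COMP: the bits listed in MASK are
# examined, exactly the COMP bits must be set, bits outside MASK are ignored.
tcp_flags_match() {
    mask=$(flags_to_mask "$1") || return 2
    comp=$(flags_to_mask "$2") || return 2
    pkt=$(flags_to_mask "$3")  || return 2
    [ $(( pkt & mask )) -eq "$comp" ]
}

# The --syn shorthand: SYN set, ACK/FIN/RST clear, anything else ignored.
syn_match() {
    tcp_flags_match SYN,ACK,FIN,RST SYN "$1"
}

# Demonstration on constructed packets: only the first handshake packet
# (and SYN with flags outside the mask, such as SYN,PSH) matches.
for pkt in SYN "SYN,ACK" ACK "SYN,PSH" "SYN,FIN"; do
    if syn_match "$pkt"; then verdict=match; else verdict=no-match; fi
    printf '%-10s --syn: %s\n' "$pkt" "$verdict"
done
```

Because flags outside MASK are ignored, `--syn` also matches a packet carrying SYN together with PSH or URG; if you need a packet with SYN and nothing else, the mask has to be `ALL` (`--tcp-flags ALL SYN`).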

-p udp: UDP protocol extension


-p icmp: ICMP packet extension

echo-request (echo request), generally written as type 8

So --icmp-type 8 matches echo request packets

echo-reply (reply packet), generally written as type 0

2.2 Explicit extensions (-m)

Extensions provided by the various modules

-m multiport: enables the multiport extension

After that we can use, for example, --dports 21,23,80

-j ACTION in detail


Common ACTIONs:

DROP: discard silently

Generally we use DROP more, to hide our identity and to hide our rule chains

REJECT: reject explicitly


custom_chain: jump to a custom chain


MASQUERADE: source address masquerading

REDIRECT: redirection, mainly used for port redirection

MARK: set a firewall mark


RETURN: return. Used once a custom chain has finished, to go back to the original rule chain.
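The chain-management and rule-management commands above, the pass/block policies, the filter and nat tables and the ACTIONs of this section brought together in one script, as an added example that is not part of the original article. By default the script only prints the iptables commands it would run (IPT expands to `echo iptables`), so it can be read and tested offline; running it as root with `IPT=iptables` applies the rules. The interface names eth0/eth1, the 192.168.1.0/24 network, the 203.0.113.7 host and the proxy port 3128 are assumptions I constructed, the `services` chain is a custom chain of my own, and the conntrack match that keeps already-accepted connections open is a lockout safeguard the article does not cover.

```shell
#!/bin/sh
# Added example, not from the original article: a "block by default"
# (whitelist) firewall for a small gateway, plus the nat-table rules the
# article names. Dry run by default: IPT expands to "echo iptables", so the
# script prints each command instead of executing it. As root,
#   IPT=iptables sh firewall.sh
# applies the rules for real. Interfaces and addresses below are assumptions.
IPT="${IPT:-echo iptables}"
WAN_IF=eth0                 # assumed external interface
LAN_IF=eth1                 # assumed internal interface
LAN_NET=192.168.1.0/24      # constructed internal network
BAD_HOST=203.0.113.7        # constructed address we reject explicitly

reset_firewall() {
    # Chain management: -F flushes the rules, -X removes empty user-defined
    # chains, -Z zeroes the packet/byte counters, in every table we use.
    for table in filter nat mangle; do
        $IPT -t "$table" -F
        $IPT -t "$table" -X
        $IPT -t "$table" -Z
    done
    # -P: the door is shut for incoming and forwarded traffic; entrants are
    # listed below. Locally generated traffic is allowed out.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
}

filter_rules() {
    # Lockout safeguard (not covered in the article): replies belonging to
    # connections we already accepted are let through by the conntrack match.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    # -I puts this rule first: traffic from the constructed bad host is
    # rejected explicitly (REJECT) rather than dropped silently.
    $IPT -I INPUT 1 -s "$BAD_HOST" -j REJECT
    # -N creates the custom chain "services"; new TCP connections arriving on
    # the external interface (the first SYN of the handshake, i.e. --syn)
    # jump to it.
    $IPT -N services
    $IPT -A INPUT -i "$WAN_IF" -p tcp --tcp-flags SYN,ACK,FIN,RST SYN -j services
    # -m multiport lets one rule name several non-contiguous ports.
    $IPT -A services -p tcp -m multiport --dports 22,80,443 -j ACCEPT
    $IPT -A services -p tcp --dport 23 -j REJECT
    # RETURN: anything else goes back to INPUT and finally hits the DROP policy.
    $IPT -A services -j RETURN
    # ICMP echo request (type 8) is accepted only from the internal network.
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p icmp --icmp-type 8 -j ACCEPT
    # FORWARD: internal hosts may reach the outside; only replies come back.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

nat_rules() {
    # MASQUERADE after routing, on the external interface (source NAT).
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
    # REDIRECT before routing: internal web traffic is sent to a local proxy
    # port (3128 is an assumption). Destination NAT has to happen here,
    # before the routing decision.
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 -j REDIRECT --to-ports 3128
}

apply_firewall() {
    reset_firewall
    filter_rules
    nat_rules
    # -L with -n (no DNS lookups), -v (counters) and --line-numbers for review.
    $IPT -L -n -v --line-numbers
}

apply_firewall
```

Run it in dry-run mode first and read the printed commands in order: the `-I INPUT 1` rule lands above the conntrack rule, the `services` chain only ever sees the first SYN of a connection, and every packet that leaves `services` through RETURN ends at the INPUT policy, which is why that policy must be set before the rules are appended.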

Original article from R0uter's Blog » iptables details

When reproducing, please keep the source and the link: https://www.logcg.com/archives/541.html
