linux firewall and iptables

Keywords: Linux


  • What is a firewall

      A firewall is a combination of hardware and software components located between the internal and external networks.`The primary purpose is to protect the security of data flow between the internal and external networks`,When an external network accesses an internal network, the packets sent must go through the firewall of the internal network to verify that they comply with the rules.
  • Effect

    Prevent traffic attacks

  • Firewall Classification

    • Hardware Firewall: F5

    • Software Firewall: iptables, firwalld, netfilter

      • iptables

        • Firewall management system belonging to User Space
      • firwalld

      • netfiter

        • Firewall functionality that belongs to the KernelSpace (also known as kernel space)
    • Cloud Firewall: Security Lock of Ali Cloud

Four Tables and Five Chains

  • Table: Collections/containers for storing and managing chains

  • Chain: Collection/container holding rules

  • Role of rule tables: to accommodate a variety of rule chains

  • Role of the rule chain: accommodates a variety of firewall rules

  • Table priority: raw--"mangle--"nat--"filter

  • The default table for iptables is filter

Table NamefunctionChain of Management
Nat<br> (Network Address Translation) table For network address translation (IP, port) PREROUTING INPUT<br>OUTPUT POSTROUTING
raw table Packet Tracking PREROUTING OUTPUT
  • Five Chains

    1. PREROUTING: Host message entry location, allowed table mangle, nat (target address translation, converting native address to true target address, usually response message)

    2. INPUT: Message enters local user space location, table filter, mangle allowed

    3. OUTPUT: The location where the message goes out of the native user space, allowing filter, mangle, nat

    4. FOWARD: The message is routed and found not to access the local machine, but to forward traffic through the local machine, allowing filter, mangle

    5. POSTROUTING: The message is routed and forwarded, allowing mangle, nat (source address translation, converting the original address to the forwarding host export network card address)

Firewall process

Firewalls are layer-by-layer filtered, actually filtering from top to bottom and from front to back in the order of configuration rules.

If a rule is matched, that is, whether it is explicitly expressed as yes or no, the packet no longer matches the new rule downward.

If no rule is matched, match down until the default rule is matched.

The default rule for firewalls is that all rules are executed before they are executed.

Rule management for iptables


Format: iptables -t Table Name Option Chain Name Conditional Action


-t:         Tables that specify operations, not defaults filter
-A, --append    Append a rule to the chain
-D, --delete    Delete Rules in Chain
-I, --insert    Insert a rule to the top
-R, --replace    modify
-L, --list      List current rules
-S, --list-rules  List all rules
-F, --flush      empty
-Z, --zero      Empty counter (including number, size)
-N, --new-chain    Create a custom chain
-X, --delete-chain  Delete a custom chain
-P, --policy    Specify the default policy for the chain,(Default Rules)  
-p  --Specified agreements usually have TCP,UDP,ICMP,ALL
-n  --Non-Inverse Solution ip    
-s  --source address
-d  --Destination Address
--sport  --Source Port 
--dport  --Target Port


ICMP  #Ban ping 


ACCEPT    Release the data package and, after this processing, skip directly to the next rule chain instead of comparing other rules.
REJECT     Block the packet and send it to notify the other party.
DROP     The discarded package is not processed, and after this processing action, the filter will no longer be directly interrupted compared to other rules.
REDIRECT  Redirect the package to another port, and after this processing action, it will continue to compare with the other rules.

-i : Inbound Network Card
-o : Outgoing Network Card
-m : Specify modules
-j : Forwarding mode
 [root@lb01-5 ~]# iptables  -n -L
Chain INPUT (policy ACCEPT)<============Default Rules
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination 
#Prohibit access to port 22
[root@lb01-5 ~] # iptables -A INPUT -p tcp --dport 22 -j DROP
#Delete the previous rule
[root@lb01-5 ~]# iptables -D INPUT 1
 Only 192 allowed.168.230.3 Visit Port 80, all others refused.

  1,Allow Visit 
  2,Reject all requests
iptables -t filter -I INPUT -p tcp -s -d --dport 80 -j ACCEPT
iptables -t filter -A INPUT -p tcp -j DROP

 All sent by this machine TCP Protocol messages are allowed, other protocols are not (accessible) baidu But not ping Baidu)
  1,allow TCP Agreement
  2,Reject all agreements
  iptables -t filetr -I OUTPUT -p tcp -j ACCEPT
  iptables -t filter -A OUTPUT -j DROP

Release all agreements on a previous basis
  [root@lb01 ~]# iptables -t filter -R OUTPUT 2  -j ACCEPT

Only 192 allowed.168.230.3 Link 192 through port
  Allow before reject
  iptables -t filter -I INPUT -p tcp -s  --dport 22 -j ACCEPT
  iptables -t filter -A INPUT -p tcp -J DROP

Only 192 allowed.168.230.3 Visit Ports 20 to 90
  Allow before reject
  iptables -t filter -I INPUT -p tcp -s  --dport 20:90 -j ACCEPT
  iptables -t filter -A INPUT -p tcp -J DROP

Common enterprise extensions

1,multiport Modular
  Allow matching of multiple discontinuous ports
  Only 192 allowed.168.230.3 Visit Ports 22, 80, 3306, 2379, 8080, 8090
   iptables -t filter -I INPUT -p tcp -s -m multiport --dports 22,80,3306,2379,8080,8090 -j ACCEPT
  iptables -t filter -A INPUT -p tcp -J DROP

2,iprange Modular
  Specify a continuous segment ip Address Range
       --src-range from[-to]:  Source address range
       --dst-range from[-to]  Target Address Range Address segments are not allowed ping
  iptables -t filter -I INPUT -p icmp -m iprange --src-range -j DROP

3,string Modular
  Filter packet contains a string 
        --string pattern  # Specify a string to match
        --algo {bm|kmp}    # Matching query algorithm
 Filter access to your own host hello
 iptables -t filter -I INPUT -p tcp -m string --string "hello" --algo bm -j DROP

Posted by Peredy on Tue, 09 Nov 2021 09:50:07 -0800