Having covered the basic concepts and usage of iptables, we now begin using iptables in earnest to build our firewall.
Starting and stopping iptables

How iptables is started and stopped depends on the Linux distribution; consult your distribution's documentation. On Red Hat, iptables is started with:

# service iptables start

Most Linux distributions already include iptables; run iptables --version to see whether it is installed on your system. I use Fedora Core 1, and the installed version is iptables v1.2.8. If your system does not have iptables, you can download it from http://www.netfilter.org/.

Viewing the rule set

The usage of iptables was only presented briefly above; in practice we often want more complete information. Run man iptables for a full description of all commands and options, or iptables --help for quick help. To view the rule set currently loaded on the system, run:

# iptables --list

When no rules have been defined yet, the output looks like this:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

As the example shows, every packet passes through one of the three built-in chains (INPUT, OUTPUT and FORWARD). filter is the most commonly used table, and it is the table shown above. The basic syntax of a rule is:

iptables [-t table] command [match] [target]

In practice you do not have to use every option listed here, and they do not have to appear in exactly this order. Because rules are usually long, however, it is good practice to follow this order for the sake of clarity. If no table is specified, the filter table is used by default. The three most commonly used targets in the filter table are ACCEPT, DROP and REJECT. DROP discards the packet and performs no further processing on it. REJECT sends an error message back to the host that sent the packet; this occasionally has surprising effects, but it is very often useful.
Adding rules

In this example the rule blocks packets from a specific IP range, because the administrator suspects a large amount of malicious activity coming from that range:

# iptables -t filter -A INPUT -s 123.456.789.0/24 -j DROP

(The range 123.456.789.0/24 is a placeholder from the original article; its octets exceed 255, so it is not a valid IPv4 network. Substitute the real range.) For details of the iptables parameters and command format, see man iptables. It could be said that by now we thoroughly hate the malicious attackers on the network, but however much we hate them, we cannot simply take revenge in kind; at the very least, that sort of thing must not happen on our network. What we can do just as easily is block all packets flowing towards the attacker's IP address; the command differs only slightly:

# iptables -t filter -A OUTPUT -d 123.456.789.0/24 -j DROP

Note the -A option here: as mentioned earlier, it appends the rule to an existing chain.

Deleting rules

Malicious attackers on the network keep changing, so we have to keep changing the IP addresses in our rules as well. Suppose we learn that an attacker has moved to a new IP address and the old address has been assigned to an innocent user; that user now cannot get packets through to our network. In this case we delete the existing rule with the -D option:

# iptables -t filter -D OUTPUT -d 123.456.789.0/24 -j DROP

Default policies

Creating a flexible rule set that withstands all kinds of unexpected events takes a lot of time. For those who do not wish to spend that time, the most basic principle is "first deny all packets, then allow what is needed". Here we set a default policy for each chain:

# iptables -P INPUT DROP
# iptables -P FORWARD DROP
# iptables -P OUTPUT ACCEPT

The -P option sets the policy of a chain; only the three built-in chains have policies. These policies let information flow out without restriction but do not let any flow in. More often than not, however, we still need to receive information from outside.
Then you can use the following command:

# iptables -t filter -A INPUT -s 123.456.789.0/24 -j ACCEPT

Using SYN

We cannot close all ports, since that would completely "isolate" us. Nor can we open only certain ports, because we cannot foresee which ports will be used. In fact, simply allowing traffic destined for specific ports through does not prevent malicious attacks. So how can we set a valid rule that lets ordinary users through normally while preventing a malicious attacker from accessing our network? For those who have just started using iptables, we can take full advantage of the SYN flag to prevent unauthorized access. Because iptables only inspects packet headers, it adds little load. In fact, besides iptables, many other useful packet-analysis tools also work from the headers. For example, when you surf the web, a request is sent from your PC to a remote web server; the server then responds to your request by sending packets back to an ephemeral port on your system. In responding, the server is merely answering a connection you opened; it does not care about the content of your transmission. We can use this property to set a rule that blocks every TCP connection not initiated by your own system:

# iptables -t filter -A INPUT -i eth0 -p tcp --syn -j DROP

Here -i names the network interface, -p the protocol, and --syn matches TCP packets with only the SYN flag set, that is, connection requests. From this we can see that an understanding of TCP/IP is very beneficial for maintaining network security. SYN is used to initiate a TCP connection; if your machine runs no server, nobody has a legitimate reason to send you a SYN packet. Some will ask at this point: why go to such trouble? We have simpler ways to build a firewall, and many good tools can help us build our own rule set. But we should be clear that the simplest solution is often not the best one. Since we have a better way, why not use it?
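The rules from the adding, deleting, default-policy and SYN sections above, collected into a small shell script. This is an added example, not code from the original article: the ipt wrapper prints each iptables command when IPT_DRY_RUN=1 (the default here) so the rule set can be reviewed without root or a live netfilter; the interface name and the 203.0.113.0/24 range used in the usage line are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original article. Wraps the iptables
# invocations discussed above (add, delete, default policy, SYN drop) in shell
# functions. With IPT_DRY_RUN=1 (the default here) the commands are printed
# instead of executed, so the rule set can be reviewed without root or a live
# netfilter. Interface names and address ranges are placeholders.

IPT_DRY_RUN="${IPT_DRY_RUN:-1}"

# ipt: run one iptables command, or print it in dry-run mode.
ipt() {
    if [ "$IPT_DRY_RUN" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# block_net NET: drop every packet coming from NET and every packet going to it.
block_net() {
    ipt -t filter -A INPUT -s "$1" -j DROP
    ipt -t filter -A OUTPUT -d "$1" -j DROP
}

# unblock_net NET: remove the two rules added by block_net. -D must repeat the
# exact match and target that -A used, otherwise the rule is not found.
unblock_net() {
    ipt -t filter -D INPUT -s "$1" -j DROP
    ipt -t filter -D OUTPUT -d "$1" -j DROP
}

# host_firewall IFACE: "deny all packets first, then allow what is needed".
# Apply this from the console, not over a remote session: the DROP policy
# takes effect before the allow rules are added.
host_firewall() {
    ipt -t filter -F                        # start from empty chains
    ipt -t filter -P INPUT DROP             # default policies: nothing in,
    ipt -t filter -P FORWARD DROP           # nothing forwarded,
    ipt -t filter -P OUTPUT ACCEPT          # anything out
    ipt -t filter -A INPUT -i lo -j ACCEPT  # local processes talk over loopback
    # Replies to connections this host opened are let back in; this is what
    # keeps web browsing working while inbound connection attempts are refused.
    ipt -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # No server runs here, so a SYN arriving on the public interface has no
    # legitimate sender. Redundant with the DROP policy, but explicit.
    ipt -t filter -A INPUT -i "$1" -p tcp --syn -j DROP
}

# Usage (dry run prints the commands):
#   host_firewall eth0
#   block_net 203.0.113.0/24
```

Running the script with IPT_DRY_RUN=0 executes the same commands for real; reviewing the printed list first is the cheap way to catch a rule that is appended after the policy change in the wrong order.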
Sharing an Internet connection

Network address translation and IP masquerading allow multiple hosts to share a single Internet connection; the LAN can be made up of a mixture of Linux and Windows systems. Suppose we have a machine with two network cards, where eth0 is the "public" card and eth1 the "private" one. In other words, eth0 is assigned a static, routable IP address, while eth1 is assigned a private, non-routable IP address belonging to the local subnet. To achieve the functionality described above, we add some rules to the nat and filter tables:

# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# iptables -t filter -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -t filter -A FORWARD -i eth1 -o eth0 -j ACCEPT

This demonstrates stateful packet inspection. Note how only incoming packets that belong to an existing connection are allowed in, while all packets from the LAN to the outside are allowed through (note that filter is the default table, so -t filter is not strictly necessary). The first rule makes all traffic appear to originate from the firewall machine itself, so the LAN behind the firewall is not exposed. The following example sets a default policy for the FORWARD and POSTROUTING chains. When masquerading is used, a default DROP policy on POSTROUTING is very important; otherwise a malicious user may be able to get through the gateway by disguising their identity.
# iptables -t filter -P FORWARD DROP
# iptables -t nat -P POSTROUTING DROP

The example below is for a dial-up connection, where the IP address is assigned dynamically:

# iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

Saving the rules

The problem with using a script to change the rules is that every change to a rule invokes the iptables command, and every invocation of iptables first has to extract the entire rule set from netfilter's kernel space, then insert, append or otherwise modify it, and finally put the new rule set from its own memory space back into kernel space. This obviously takes a lot of time. To solve this problem, use the commands iptables-save and iptables-restore. iptables-save writes the rule set to a text file in a special format, and iptables-restore loads that file back into kernel space. The great advantage of these two commands is that one call loads or saves the whole rule set, instead of invoking iptables once per rule as a script does. One run of iptables-save extracts the entire rule set from the kernel and saves it to a file, and iptables-restore loads one table per operation. In other words, a very large rule set built by a script would be unloaded and reloaded over and over again, whereas now the entire rule set is saved at once and installed one table at a time, which is a huge time saver. So once the test results satisfy you, save them to a file:

# iptables-save > iptables-script

Now all the rules in the packet-filtering tables are saved in the file iptables-script. Whenever you boot the system again, you can use iptables-restore to load the rule set from that file back into the packet-filtering tables:

# iptables-restore < iptables-script

If you want the rule set restored automatically every time the system boots, put the above command into an initialization shell script.
In fact, most distributions provide an automatically loaded file that lets the user edit the rule set, and most of them come with a preconfigured firewall. The location of this configuration file differs between distributions; use locate iptables to find it. On Red Hat or Fedora Core, the configuration file is /etc/sysconfig/iptables.
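The connection-sharing rules and the iptables-save/iptables-restore workflow from the two sections above, combined in one added example that is not code from the original article. Instead of issuing one iptables command per rule, gateway_ruleset writes the two-card gateway rule set directly in the text format that iptables-save produces and iptables-restore reads, and check_ruleset sanity-checks such a file before it is loaded. The interface names are placeholders; the example keeps the nat chains at ACCEPT and does its filtering in the filter table's FORWARD chain. Forwarding between the two cards also requires net.ipv4.ip_forward to be enabled, which the article does not mention.

```shell
#!/bin/sh
# Added example, not code from the original article. Writes the gateway rule
# set discussed above (masquerading plus stateful forwarding) in the format
# that iptables-save produces and iptables-restore reads, then checks such a
# file for structural mistakes before it is loaded. Interface names are
# placeholders. Forwarding also needs net.ipv4.ip_forward=1.

# gateway_ruleset WAN LAN: print an iptables-restore file for a two-card gateway.
# Each "*table" section lists ":CHAIN POLICY [packets:bytes]" policy lines and
# "-A" rules, and is closed by COMMIT. Lines starting with "#" are comments.
gateway_ruleset() {
    wan="$1"
    lan="$2"
    cat <<EOF
# constructed rule set for a gateway with public card $wan and private card $lan
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $wan -o $lan -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $lan -o $wan -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
EOF
}

# check_ruleset FILE: verify that every *table section is closed by COMMIT and
# that no policy or rule line sits outside a table. Returns 0 when the file is
# well formed, 1 otherwise, printing what it found.
check_ruleset() {
    awk '
        BEGIN { bad = 0; open = 0 }
        /^#/ || /^[[:space:]]*$/ { next }
        /^\*/ {
            if (open) { print "table " table " has no COMMIT"; bad = 1 }
            table = substr($0, 2); open = 1; next
        }
        /^COMMIT$/ {
            if (!open) { print "COMMIT outside a table"; bad = 1 }
            open = 0; next
        }
        /^:/ || /^-[AIN] / {
            if (!open) { print "line outside a table: " $0; bad = 1 }
            next
        }
        { print "unrecognised line: " $0; bad = 1 }
        END {
            if (open) { print "table " table " has no COMMIT"; bad = 1 }
            exit bad
        }
    ' "$1"
}

# Usage:
#   gateway_ruleset eth0 eth1 > iptables-script
#   check_ruleset iptables-script && iptables-restore < iptables-script
```

Because iptables-restore loads a whole table in one step, a file that is missing its COMMIT or has a rule before the first *table line is rejected as a unit; running check_ruleset first turns that into a readable message instead of a failed boot-time restore.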