Monday, January 16, 2012

Use the Iptables firewall Linux

Linux's built-in firewall mechanism is implemented by the netfilter modules in the kernel (www.netfilter.org).

The Linux kernel uses netfilter to filter packets. Netfilter consists of three rule tables, and each table has several built-in chains. With the iptables command you can add, delete and list the rules in these chains.

1. Netfilter rule tables: filter, nat and mangle

filter: used for filtering network packets. It is the default table, which means that if you do not give the -t parameter when you create a new rule, the rule goes into this table. Its chains are:
- INPUT: network packets arriving at the server
- OUTPUT: network packets leaving the server
- FORWARD: network packets being routed through the server

nat: used for NAT (Network Address Translation), a method of rewriting IP addresses. Its chains are:
- PREROUTING: network packets arriving at the server can be modified here
- OUTPUT: network packets leaving the server can be modified here
- POSTROUTING: network packets about to be sent from the server can be modified here

mangle: used to modify fields in the network packet header, such as TOS (Type Of Service) and TTL (Time To Live). Its chains are:
- INPUT: network packets arriving at the server
- OUTPUT: network packets leaving the server
- FORWARD: network packets being forwarded by the server
- PREROUTING: network packets arriving at the server can be modified here
- POSTROUTING: network packets about to be sent from the server can be modified here

2. Configuring iptables

When a packet enters the server, the Linux kernel walks the chain until it finds a rule that matches the packet. If that rule's target is ACCEPT, the remaining rules are skipped and the packet continues on its way. If the rule's target is DROP, the packet is blocked and the kernel does not consult any further rules. Note: if no rule matches the packet by the end of the chain, and the table contains no "drop all" rule, the packet is accepted. Cisco behaves the opposite way: the end of its access lists contains an implicit "deny all" rule.

1.) iptables command options

iptables [-t table] command option parameter target

- -A: append a rule to the end of the chain
- -C: check whether a rule exists in the chain
- -D: delete a rule from the chain
- -E: rename a user-defined chain; the chain itself is not changed
- -F: flush the chain, deleting all of its rules
- -I: insert a rule into the chain
- -L: list the rules of a chain, e.g. iptables -L INPUT lists the rules of the INPUT chain
- -N: create a new chain
- -P: set the default policy of a chain
- -R: replace a rule in the chain
- -X: delete a user-defined chain
- -Z: zero the byte and packet counters of all chains in all tables

2.) iptables command parameters

- -p, --protocol: the protocol the rule applies to; can be TCP, UDP, ICMP or ALL, and can be negated with !. When you use -p tcp, further options refine the rule: --sport lets you specify the source port of a matching packet, and port1:port2 means every port from port1 to port2; --dport is the destination port and works the same way as --sport. When you use -p udp, the same --sport and --dport options are available, just for UDP packets. When you use -p icmp, only one option is available: --icmp-type, which filters on the ICMP type given in the rule.
- -s, --source: the source address of the packet. The argument is an IP address, a network address with a netmask, or a host name (using host names is not recommended).
- -d, --destination: the destination address of the packet; used like -s.
- -j, --jump: specifies the target, i.e. what to do with a packet that matches the rule. The target can be ACCEPT, DROP, QUEUE or RETURN. Without -j the rule takes no action on the packet other than incrementing its counters.
- -i, --in-interface: in the INPUT, FORWARD and PREROUTING chains, the interface on which the packet arrived at the server.
- -o, --out-interface: in the OUTPUT, FORWARD and POSTROUTING chains, the interface through which the packet leaves the server.

3.) iptables targets

The final step in creating an iptables rule is to specify the action iptables takes on the packet. Once a rule matches the packet, no further rules are applied to it. The built-in targets are ACCEPT, DROP, QUEUE and RETURN.
- ACCEPT: lets the packet pass through to its destination.
- DROP: refuses to let the packet pass; the packet is discarded.
- QUEUE: hands the packet to a user-space application for processing.
- RETURN: stops checking the packet against the remaining rules of the current chain and returns to the calling chain, where the packet continues toward its destination or is checked by the next rule.
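The following script is an added example, not code from the original post. It ties the tables, chains, options and targets above together into a stateful host firewall written in iptables-restore format. The default policy of INPUT and FORWARD is set to DROP explicitly, so the "no rule matched, packet accepted" behaviour described above cannot apply to inbound traffic, and a user-defined MGMT chain shows how RETURN hands a non-matching packet back to the INPUT chain, where it is logged and then dropped by the policy. The management network MGMT_NET (192.0.2.0/24, a TEST-NET address) and the interface name WAN_IF are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): generate and apply a stateful
# host firewall ruleset in iptables-restore format.
# Assumptions: the host offers only SSH, administered from MGMT_NET over WAN_IF.
MGMT_NET="${MGMT_NET:-192.0.2.0/24}"   # constructed placeholder (TEST-NET-1)
WAN_IF="${WAN_IF:-eth0}"               # constructed placeholder interface name

# filter table: explicit DROP policies on INPUT and FORWARD, so anything that
# falls off the end of the chain is dropped rather than implicitly accepted.
filter_table() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:MGMT - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -i $WAN_IF -p tcp --dport 22 -j MGMT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
-A MGMT -s $MGMT_NET -j ACCEPT
-A MGMT -j RETURN
COMMIT
EOF
}

# Full ruleset on stdout; add nat/mangle sections here if the host needs them.
build_ruleset() {
    filter_table
}

# Number of rules (-A lines) in the generated ruleset, for quick sanity checks.
rule_count() {
    build_ruleset | grep -c '^-A '
}

# Validate with iptables-restore --test before loading; both need root.
apply_ruleset() {
    tmp=$(mktemp) || return 1
    build_ruleset > "$tmp"
    if iptables-restore --test "$tmp"; then
        iptables-restore "$tmp"
        status=$?
    else
        echo "ruleset failed validation, nothing applied" >&2
        status=1
    fi
    rm -f "$tmp"
    return $status
}

# Usage when run directly: print the ruleset; pass "apply" to load it.
if [ "${1:-}" = "apply" ]; then
    apply_ruleset
elif [ -z "${1:-}" ]; then
    build_ruleset
fi
```

Loading rules through iptables-restore replaces the whole table atomically, which avoids the window during a sequence of individual iptables -A calls where the policy is already DROP but the ESTABLISHED,RELATED rule is not yet in place. After loading, iptables -L INPUT -n -v shows the counters, and the LOG rule makes every packet that reaches the policy visible in the kernel log with the iptables-drop: prefix.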
