
Basic principle and application of iptables

2020-11-06 01:15:23 Dapeng sp

Concept introduction

Name

The Netfilter/iptables module consists of two parts: the Netfilter framework and iptables. iptables itself is split into the kernel-space part and the iptables command-line tool (user space).

To ordinary users the whole Netfilter/iptables module is simply called iptables, but the developers involved prefer to call it Netfilter, as the address of the project's official website shows: https://netfilter.org/

Function

It processes packets: forwarding, filtering and modifying them, network address translation and so on. It is a software firewall.

Basic principle of iptables

Basic workflow

Basic workflow chart

Packets travel along chains. iptables has 5 chains: PREROUTING, INPUT, FORWARD, OUTPUT and POSTROUTING. Think of them as 5 checkpoints; each checkpoint can hold many rules, or none at all.

The workflow is as follows:

1. When a packet arrives on a network card it first enters PREROUTING. A routing decision is then made on the destination address: if the destination is this machine, the packet goes to INPUT; if it is not, the packet goes to FORWARD and then leaves through POSTROUTING.

2. Packets that enter INPUT are handed to a local process. After the process has handled them, any new packets it sends go through OUTPUT and then leave through POSTROUTING.

3. Each time a packet passes through a chain, the rules in that chain are tried in order. The first rule that matches decides how the packet is handled, and the rules after it are not applied to that packet.

Adding a simple rule

Only the local socket is in user mode; everything else is handled by the kernel. When we add iptables rules, we add them to one of these chains. To test, create a container that has iptables installed and run the iptables command in it directly:

# Start a container first 
[root@kube-master ~]# docker run -itd --name "cos8_test" --cap-add=NET_ADMIN centos:base /bin/bash
bd0c29186387b01ae64514050b3b4b804babc988f3dbc52c0cfe6eeac115d1b2

Note: to modify the container's network, the container must be started with --cap-add=NET_ADMIN; otherwise running the iptables command inside the container reports an error:

(nf_tables): Could not fetch rule set generation id: Permission denied (you must be root)

Look at the iptables rules; there is no policy at present:

[root@kube-master ~]# docker ps | grep cos8
bd0c29186387        centos:base                                                     "/bin/bash"              21 hours ago        Up 21 hours                             cos8_test
[root@kube-master ~]# docker exec -it bd0 bash
[root@bd0c29186387 /]#
[root@bd0c29186387 /]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Create a rule: drop all TCP packets that access port 80 on this machine.

[root@bd0c29186387 /]# iptables -A INPUT -p tcp --dport 80 -j DROP
[root@bd0c29186387 /]#
[root@bd0c29186387 /]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80

Here is a side note. You can see that I only added the rule to the INPUT chain, yet the FORWARD and OUTPUT chains show the same rule. When I manually deleted the rule from the INPUT chain, the rules in FORWARD and OUTPUT disappeared as well. The OS version and kernel of this container are as follows:

[root@bd0c29186387 /]# cat /etc/redhat-release
CentOS Linux release 8.2.2004 (Core)
[root@bd0c29186387 /]#
[root@bd0c29186387 /]# uname -a
Linux bd0c29186387 3.10.0-1127.13.1.el7.x86_64 #1 SMP Tue Jun 23 15:46:38 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

I had not used centos8 before. Considering that the OS might have updated the netfilter module (the (nf_tables) prefix in the error message above shows that this image's iptables uses the nf_tables backend), I switched to a centos7.8.2003 container and tested again; there the rule was added as expected, as follows:

[root@kube-master /]# docker run -itd --name "cos7" --cap-add=NET_ADMIN centos7:base /bin/bash
c951c0a9d34d8e43a56e43872294ab5ab6a1504b365721238178de134e8d3bde
[root@kube-master /]#
[root@kube-master /]# docker exec -it cos7 bash
[root@c951c0a9d34d /]#
[root@c951c0a9d34d /]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@c951c0a9d34d /]#
[root@c951c0a9d34d /]# iptables -A INPUT -p tcp --dport 80 -j DROP
[root@c951c0a9d34d /]#
[root@c951c0a9d34d /]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Refusing packets can be done with DROP or with the REJECT keyword. DROP returns nothing to the client, so the client sees a connection timeout and cannot tell whether a firewall or a network device failure is the cause.

REJECT explicitly returns a rejection message to the client, so the client knows it was rejected by the firewall.

Choose according to the scenario: REJECT is better for debugging, DROP is safer for resisting attacks.

From here on I use centos7 for testing and ignore what is new in centos8.

Four tables and five chains

The rule command I added above was:

iptables -A INPUT -p tcp --dport 80 -j DROP

That is only the short form. Written out more completely it looks like the following (it can be made more complete still, but let's leave that for now):

iptables -t filter -A INPUT -s 0.0.0.0/0 -p tcp -d 0.0.0.0/0 --dport 80 -j DROP

-t: the table; here it is the filter table, so the rule is added to the filter table.

-s: the source address; 0.0.0.0/0 means any IP.

-d: the destination address.

--dport: the destination port.

-j: the action to take; here DROP, that is, discard the packet.

The concept of a table

The filter table was mentioned above; what is a table?

We add rules to the chains, and each chain can hold many rules. Some of those rules are of the same kind: some filter by port, some modify packets. Rules are grouped by kind, and a group of rules of the same kind is called a table.

Different kinds of rules go into different tables. There are 4 tables, that is, 4 kinds of rules:

filter table: filtering;

nat table: network address translation;

mangle table: unpack, modify and re-encapsulate packets;

raw table: turn off the connection tracking that the nat table enables;

Because each chain holds rules of different kinds, tables exist within each chain, but not every chain has all 4 tables:

PREROUTING rules can live in: the raw, mangle and nat tables.

INPUT rules can live in: the mangle, filter and nat tables (centos7 has the nat table here; centos6 does not).

FORWARD rules can live in: the mangle and filter tables.

OUTPUT rules can live in: the raw, mangle, nat and filter tables.

POSTROUTING rules can live in: the mangle and nat tables.

The tables are processed in the following priority order:

raw --> mangle --> nat --> filter
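
The chain and table traversal described in this section, as an added example (this is not code from the original post): a small Python model that, for each of the three packet paths, lists the chains crossed and the tables consulted on each chain. It goes one step beyond the page by deriving the table order from the kernel's netfilter hook priorities, which is why it shows nat after filter on INPUT and POSTROUTING (the SNAT hooks) and before filter on PREROUTING and OUTPUT (the DNAT hooks), in agreement with the per-chain lists above.

```python
# Added example (not from the original post): a model of the chain and table
# traversal described above. It answers "which chains does a packet cross on
# a given path, and in what order are the tables consulted on each chain?".
# The table order is derived from the kernel's netfilter hook priorities
# (raw -300, mangle -150, nat -100 on the DNAT hooks PREROUTING/OUTPUT,
# filter 0, nat 100 on the SNAT hooks INPUT/POSTROUTING); lower runs first.

# Chains crossed on each path (workflow steps 1 and 2 above).
PATHS = {
    "local-in":  ["PREROUTING", "INPUT"],
    "forward":   ["PREROUTING", "FORWARD", "POSTROUTING"],
    "local-out": ["OUTPUT", "POSTROUTING"],
}

# Tables that hook each chain, with the hook priority each table uses there.
HOOKS = {
    "PREROUTING":  {"raw": -300, "mangle": -150, "nat": -100},
    "INPUT":       {"mangle": -150, "filter": 0, "nat": 100},
    "FORWARD":     {"mangle": -150, "filter": 0},
    "OUTPUT":      {"raw": -300, "mangle": -150, "nat": -100, "filter": 0},
    "POSTROUTING": {"mangle": -150, "nat": 100},
}


def path_for(destined_to_local_host, locally_generated=False):
    """Routing decision from the workflow: which path does the packet take?"""
    if locally_generated:
        return "local-out"
    return "local-in" if destined_to_local_host else "forward"


def tables_in_order(chain):
    """Tables consulted on `chain`, in execution order (lowest priority first)."""
    return [name for name, _prio in sorted(HOOKS[chain].items(), key=lambda kv: kv[1])]


def traversal(path):
    """Ordered (chain, table) hook points a packet on `path` passes through."""
    return [(chain, table) for chain in PATHS[path] for table in tables_in_order(chain)]


def has_table(chain, table):
    """True if rules of `table` can be placed on `chain` at all."""
    return table in HOOKS[chain]


if __name__ == "__main__":
    for path in PATHS:
        print(path)
        for chain, table in traversal(path):
            print(f"  {chain:<12} {table}")
```

Running it prints the traversal of each path; tables_in_order("INPUT") returns ['mangle', 'filter', 'nat'], the order the INPUT list above gives, while has_table("FORWARD", "nat") is False because a nat rule cannot be placed on FORWARD.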

So the basic iptables workflow chart from the beginning can now be drawn in more detail.

It can be broken down even further: take a single chain, for example the PREROUTING chain; it looks roughly like the following, and together these rules make up the chain.

So the rule we added to block access to port 80 on this machine is stored in the filter table. Listing the filter table shows the rule we added; without -n, iptables prints port 80 by its service name, http:

[root@c951c0a9d34d /]# iptables -L -t filter
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  anywhere             anywhere             tcp dpt:http

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Examples of common iptables commands

Viewing rules

# View by table
iptables -L -t <table>
# View by chain
iptables -nL INPUT

Setting a chain's default policy

# INPUT chain: drop all packets by default
# (on a remote host, add the rules that allow your own session, such as the ESTABLISHED,RELATED rule, before setting this, or you lock yourself out)
iptables -P INPUT DROP
# OUTPUT chain: allow all packets out by default
iptables -P OUTPUT ACCEPT

Clearing the rules in a table

# Flush the PREROUTING chain in the nat table
iptables -t nat -F PREROUTING
# Flush all chains in the filter table
iptables -t filter -F
# Delete all (empty) user-defined chains in the filter table
iptables -X

Deleting a rule

# Delete by number
# --line-numbers prints a number in front of each rule
[root@c951c0a9d34d /]# iptables -nL --line-number
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
[root@c951c0a9d34d /]#
[root@c951c0a9d34d /]# iptables -D INPUT 1

# You can also delete a rule by specifying it directly
# Everything after -D is a match condition; the rule whose specification matches all of them is deleted
[root@c951c0a9d34d /]# iptables -D INPUT -p tcp --dport 80 -j DROP
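
Reading that listing from a script, as an added example (not code from the original post): the parser below turns the output of iptables -nL --line-numbers into per-chain records, finds the numbers of the rules matching given criteria, and emits iptables -D commands from the highest number down, because deleting a rule renumbers the rules after it. The sample listing is constructed from the page's example with one extra ACCEPT rule added; it is not taken from a real host.

```python
# Added example (not from the original post): a parser for the output of
# `iptables -nL --line-numbers`, so the listing can be audited from a script
# and the right number can be picked for `iptables -D <chain> <num>`.
# The sample listing is constructed from the page's own example, with one
# extra ACCEPT rule added to show a chain with several rules.
import re

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)\)")

SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
"""


def parse_listing(text):
    """Return {chain: {"policy": str or None, "rules": [rule dicts]}}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
            continue
        if current is None or not line.strip() or line.startswith("num "):
            continue
        # Columns: num target prot opt source destination [match options...]
        fields = line.split(None, 6)
        num, target, prot, opt, src, dst = fields[:6]
        chains[current]["rules"].append({
            "num": int(num), "target": target, "prot": prot, "opt": opt,
            "source": src, "destination": dst,
            "match": fields[6].strip() if len(fields) > 6 else "",
        })
    return chains


def find_rule_numbers(chains, chain, target=None, prot=None, match_substr=None):
    """Numbers of the rules in `chain` that satisfy every given criterion."""
    hits = []
    for rule in chains[chain]["rules"]:
        if target and rule["target"] != target:
            continue
        if prot and rule["prot"] != prot:
            continue
        if match_substr and match_substr not in rule["match"]:
            continue
        hits.append(rule["num"])
    return hits


def delete_commands(chain, nums):
    """iptables -D commands for `nums`, highest number first: deleting a rule
    renumbers the rules after it, so deleting from the top down keeps the
    remaining numbers valid."""
    return [f"iptables -D {chain} {n}" for n in sorted(nums, reverse=True)]


def open_chains(chains):
    """Chains whose default policy is ACCEPT and that hold no rules at all."""
    return [name for name, c in chains.items()
            if c["policy"] == "ACCEPT" and not c["rules"]]


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE_LISTING)
    nums = find_rule_numbers(parsed, "INPUT", target="DROP", match_substr="dpt:80")
    print(delete_commands("INPUT", nums))
    print("chains with ACCEPT policy and no rules:", open_chains(parsed))
```

On a real host the listing would come from running the command rather than the constructed string; open_chains is the audit check a reviewer wants first, since a chain with policy ACCEPT and no rules filters nothing.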

Blocking ping

# Forbid others to ping this machine, but allow this machine to ping others
# type 8: ICMP echo request (ping request traffic)
# type 0: ICMP echo reply (ping response traffic)
# Incoming echo requests are dropped, so others get no reply; our own outgoing
# requests (type 8 on OUTPUT) and their replies (type 0 on INPUT) still pass.
iptables -A INPUT -p icmp --icmp-type 8 -j DROP
iptables -A OUTPUT -p icmp --icmp-type 0 -j DROP

# Forbid others to ping this machine, and forbid this machine to ping others
iptables -A INPUT -p icmp -m icmp --icmp-type any -j DROP

# The ban on being pinged can also be achieved with a kernel parameter
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all

Forwarding

# Turn on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Send all external traffic arriving at port 80 of this machine to port 80 of 172.17.0.4
# xxx.xxx.xxx.xx stands for this machine's IP
iptables -t nat -I PREROUTING -d xxx.xxx.xxx.xx -p tcp --dport 80 -j DNAT --to-destination 172.17.0.4:80

# Rewrite the source IP of TCP traffic leaving this machine to 172.17.0.4
iptables -t nat -A POSTROUTING -p tcp -j SNAT --to-source 172.17.0.4

Rules based on connection state

# NEW: the first packet of a new connection (a client initiating a request)
# ESTABLISHED: a connection that has already seen traffic in both directions (replies to a request)
# RELATED: a new connection that belongs to an existing one (one complete connection that depends on another)
# INVALID: a packet that cannot be associated with any known connection
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
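
The first-match semantics from step 3 of the workflow, applied to the ping and connection-state rules above, as an added example (not code from the original post): a small evaluator for one chain. The INPUT chain it checks is assembled from the page's commands (policy DROP, accept ESTABLISHED,RELATED, drop incoming echo requests) plus one assumption that is not on the page, an ACCEPT rule for TCP port 22 so that an administrator's session survives the DROP policy. It also shows why rule order matters: the same rules behind a catch-all DROP never fire.

```python
# Added example (not from the original post): a first-match evaluator for one
# iptables chain. Rules are tried in order; the first matching rule decides
# the verdict and the rest are skipped; if nothing matches, the chain policy
# applies. Used here to check an INPUT chain built from the page's commands.
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    icmp_type: Optional[int] = None  # 8 = echo request, 0 = echo reply
    state: str = "NEW"               # NEW, ESTABLISHED, RELATED or INVALID


@dataclass
class Rule:
    target: str                      # ACCEPT, DROP or REJECT
    proto: Optional[str] = None      # -p
    dport: Optional[int] = None      # --dport
    icmp_type: Optional[int] = None  # --icmp-type
    states: FrozenSet[str] = frozenset()  # -m state --state (empty = any)

    def matches(self, pkt):
        return ((self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport)
                and (self.icmp_type is None or self.icmp_type == pkt.icmp_type)
                and (not self.states or pkt.state in self.states))


def evaluate(rules, policy, pkt):
    """Return (verdict, rule number) with first-match semantics;
    the rule number is None when the chain policy decided."""
    for number, rule in enumerate(rules, start=1):
        if rule.matches(pkt):
            return rule.target, number
    return policy, None


# INPUT chain equivalent to:
#   iptables -P INPUT DROP
#   iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#   iptables -A INPUT -p tcp --dport 22 -j ACCEPT        (assumed ssh rule, not on the page)
#   iptables -A INPUT -p icmp --icmp-type 8 -j DROP      (others cannot ping us)
INPUT_POLICY = "DROP"
INPUT_RULES = [
    Rule("ACCEPT", states=frozenset({"ESTABLISHED", "RELATED"})),
    Rule("ACCEPT", proto="tcp", dport=22),
    Rule("DROP", proto="icmp", icmp_type=8),
]

# The same rules behind a catch-all DROP: the state rule can never fire.
MISORDERED_RULES = [Rule("DROP")] + INPUT_RULES


def verdict(pkt, rules=INPUT_RULES, policy=INPUT_POLICY):
    return evaluate(rules, policy, pkt)[0]


if __name__ == "__main__":
    cases = {
        "new ssh connection": Packet("tcp", dport=22),
        "new http connection": Packet("tcp", dport=80),
        "reply to our outbound http": Packet("tcp", dport=54321, state="ESTABLISHED"),
        "someone pings us": Packet("icmp", icmp_type=8),
        "reply to our ping": Packet("icmp", icmp_type=0, state="ESTABLISHED"),
    }
    for name, pkt in cases.items():
        print(f"{name:<28} -> {evaluate(INPUT_RULES, INPUT_POLICY, pkt)}")
```

The reply to our own ping is accepted by rule 1 because conntrack classifies the echo reply as ESTABLISHED, which is why the state rule belongs at the top of INPUT: with MISORDERED_RULES the reply is dropped by the catch-all before the state rule is ever consulted.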

That's all for now.

Copyright notice
This article was written by [Dapeng sp]. Please include a link to the original when reposting. Thank you.