A firewall lets administrators restrict which IP addresses or users may reach their hosts. There are two types of firewalls: hardware firewalls and software firewalls. Software firewalls are mainly used to filter data packets, while hardware firewalls filter data packets and also protect against malicious traffic such as DDoS attacks. Here we explain the software firewall under Linux: iptables.
iptables and firewalld
Under CentOS 6 the default software firewall is iptables; under CentOS 7 it is firewalld. How are the two related? firewalld is a newer management layer packaged on top of the original iptables.
When learning iptables, it is recommended to stop firewalld first and start iptables:
yum install iptables-services
systemctl stop firewalld
systemctl start iptables
Tables and chains of iptables
Different iptables tables serve different functions; there are 4 tables by default:
- filter (packet filtering)
- nat (address translation)
- mangle
- raw
Each table has its own rule chains:
- filter (INPUT/OUTPUT/FORWARD)
- nat (PREROUTING/OUTPUT/POSTROUTING)
The meaning of these chains is as follows:
- INPUT chain – incoming packets are matched against the rules in this chain
- OUTPUT chain – outgoing packets are matched against the rules in this chain
- FORWARD chain – packets being forwarded are matched against the rules in this chain
- PREROUTING chain – the rules in this chain are applied before a packet is routed
- POSTROUTING chain – the rules in this chain are applied after a packet has been routed
Viewing and clearing iptables rules
Viewing rules
Usage: iptables [-t table] -L [-nv]
Options and parameters:
- -t followed by the table name; if omitted, the filter table is used
- -L lists the rules of the given table
- -n does not resolve IP addresses to host names (no reverse lookups)
- -v shows more information
# View the rules of the filter table
# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   67  4444 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    2   286 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 38 packets, 4664 bytes)
 pkts bytes target     prot opt in     out     source               destination

# View the rules of the nat table
iptables -t nat -L -nv
The columns of a rule under a chain mean the following:
- target: the action taken: ACCEPT (let the packet through), DROP (discard it), REJECT (reject it)
- prot: the packet protocol matched, including tcp, udp and icmp
- opt: option/description information
- source: restricts the source host
- destination: restricts the destination host
The five rules of the INPUT chain shown above mean the following:
- Packets whose connection state is RELATED or ESTABLISHED are accepted
- All icmp packets are accepted
- All packets arriving on the local loopback interface (lo) are accepted
- TCP packets that open a new connection (state NEW) to port 22 are accepted
- All remaining packets are rejected
Clearing iptables rules
After a default CentOS 7 installation the system already has many iptables rules. Here is how to clear them.
Usage: iptables [-t table] [-FXZ]
Options and parameters:
- -F flushes all rules in the chains
- -X deletes all user-defined chains
- -Z zeroes all packet and byte counters
# iptables -F
# iptables -X
# iptables -Z
Viewing the exact rules
Use iptables-save to view the rules in their exact command form:
Usage: iptables-save [-t table]
# iptables-save -t filter
# Generated by iptables-save v1.4.21 on Sat Nov 14 21:51:56 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [56:7196]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
# Completed on Sat Nov 14 21:51:56 2020
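The iptables-save output is also the natural input for a check before touching the rules: because iptables evaluates a chain top to bottom and the first matching rule wins, an SSH ACCEPT rule only helps if it sits before the catch-all REJECT, and with no matching rule the chain's default policy decides. The script below is an added example, not code from the original post, and audits a dump in this format for exactly that. It uses the filter-table dump shown above as a constructed sample; the function names (input_policy, ssh_disposition, audit_dump) and the SSH port argument are this example's own choices.

```shell
#!/bin/sh
# Added example, not code from the original post: audit an iptables-save
# format dump for an INPUT chain that would cut off SSH, i.e. no ACCEPT rule
# for the SSH port placed before a catch-all REJECT/DROP, combined with a
# default policy that is not ACCEPT.

# Constructed sample: the filter-table dump shown above in the post.
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [56:7196]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# input_policy DUMP: print the INPUT chain's default policy, taken from the
# ":INPUT <policy> [pkts:bytes]" header line.
input_policy() {
    printf '%s\n' "$1" | awk '$1 == ":INPUT" { print $2; exit }'
}

# ssh_disposition DUMP PORT: walk the INPUT rules in order and print
#   accepted - a "-p tcp ... --dport PORT -j ACCEPT" rule fires first
#   blocked  - a catch-all "-A INPUT -j REJECT|DROP" fires first
#   policy   - no rule decides; the chain's default policy applies
ssh_disposition() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 == "-A" && $2 == "INPUT" && !decided {
            # "-j" directly after the chain name means no match options: a catch-all.
            if ($3 == "-j" && ($4 == "REJECT" || $4 == "DROP")) { result = "blocked"; decided = 1 }
            else if (index($0, "-p tcp") && $NF == "ACCEPT")
                for (i = 3; i < NF; i++)
                    if ($i == "--dport" && $(i + 1) == port) { result = "accepted"; decided = 1 }
        }
        END { print (decided ? result : "policy") }'
}

# audit_dump DUMP PORT: return 0 when tcp/PORT stays reachable, 1 otherwise.
audit_dump() {
    policy=$(input_policy "$1")
    disposition=$(ssh_disposition "$1" "$2")
    case "$disposition:$policy" in
        accepted:*)
            echo "tcp/$2 is accepted by an explicit rule before any catch-all"
            return 0 ;;
        policy:ACCEPT)
            echo "no rule matches tcp/$2; INPUT policy ACCEPT lets it through"
            return 0 ;;
        *)
            echo "LOCKOUT RISK: tcp/$2 disposition '$disposition', INPUT policy $policy" >&2
            return 1 ;;
    esac
}

audit_dump "$SAMPLE_DUMP" 22
```

On a live host the same check runs against the current rules with `audit_dump "$(iptables-save -t filter)" 22`; since iptables-save output is also what iptables-restore reads, saving it to a file before running iptables -F/-X/-Z gives you a way back to the previous ruleset.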
Defining the default policy
Once the rules are cleared, only the default policy remains. The default policy is the rule applied when a packet matches none of our rules. The default policies are ACCEPT (accept the packet) and DROP (drop the packet).
Usage: iptables [-t table] -P [INPUT|OUTPUT|FORWARD…] [ACCEPT|DROP]
Now we change the default policy of the filter table's INPUT chain to DROP, and of the OUTPUT and FORWARD chains to ACCEPT:
iptables -t filter -P INPUT DROP   # Note: after running this command your terminal session may be disconnected
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
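The disconnection warning above is the usual way a DROP policy bites: once INPUT defaults to DROP, an SSH session survives only if the allow rules are already in place. The script below is an added example, not the post's own commands, that combines the two parts of this post: it writes the five INPUT rules explained earlier together with an INPUT DROP default policy as one ruleset in iptables-save format and loads it with iptables-restore, which replaces the table in a single step so the policy and the allow rules take effect together. It assumes SSH listens on the port given as the first argument (22 by default) and that backups go to /root unless a second argument names a directory; build_ruleset, rule_order_ok and apply_ruleset are this example's own names.

```shell
#!/bin/sh
# Added example, not code from the original post: generate the filter-table
# ruleset (five INPUT rules from the post, INPUT policy DROP, OUTPUT and
# FORWARD policy ACCEPT) in iptables-save format and load it atomically.
# Assumptions: SSH port from $1 (default 22); backup directory from $2
# (default /root); must run as root on the host being configured.

# build_ruleset SSH_PORT: print the complete ruleset to stdout.
build_ruleset() {
    port="${1:-22}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport ${port} -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# rule_order_ok SSH_PORT: 0 if the SSH ACCEPT rule precedes the catch-all
# REJECT in the generated ruleset (first match wins, so order matters).
rule_order_ok() {
    build_ruleset "$1" | awk '
        /^-A INPUT .*--dport .* -j ACCEPT$/ { accept = NR }
        /^-A INPUT -j REJECT/ { reject = NR }
        END { exit (accept && reject && accept < reject) ? 0 : 1 }'
}

# apply_ruleset SSH_PORT [BACKUP_DIR]: save the live rules, then load the new
# ruleset in one step. iptables-restore commits the whole table at COMMIT, so
# the DROP policy never exists without the SSH rule beside it.
apply_ruleset() {
    port="${1:-22}"
    backup_dir="${2:-/root}"
    backup="$backup_dir/iptables-$(date +%Y%m%d-%H%M%S).rules"
    rule_order_ok "$port" || {
        echo "generated ruleset puts the SSH rule after the catch-all; refusing to load" >&2
        return 1
    }
    iptables-save > "$backup" || {
        echo "iptables-save failed; nothing was changed" >&2
        return 1
    }
    echo "current rules saved to $backup"
    if build_ruleset "$port" | iptables-restore; then
        echo "new ruleset loaded; roll back with: iptables-restore < $backup"
    else
        echo "iptables-restore rejected the ruleset; the old rules are still in place" >&2
        return 1
    fi
}

# When executed directly this only prints the ruleset (a dry run); call
# apply_ruleset 22 as root to load it.
build_ruleset "${1:-22}"
```

Loading the whole table through iptables-restore is what iptables-services does at boot as well, so the same file can be kept as /etc/sysconfig/iptables once it has been verified to leave SSH reachable.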