Abstract: To keep the network environment secure, we have to "arm" ourselves and guard every entrance. How do we "arm"?

The network world is no different from the real world: there will always be malicious "people" who show up, sweep your ports, probe your applications to see what vulnerabilities they have, and then slip in through whatever they find...

Like a thief, they look here and there, checking whether the door is locked and whether the windows are secured, and then creep in at the right moment.

So to keep the network environment secure, we have to "arm" ourselves and guard every entrance.

How do we "arm"?

One way is iptables. You can design your own "bagua array" (an eight-trigram formation, a maze of obstacles) according to your business needs, and every packet must pass through the obstacles of the array before it comes in or goes out.

What is iptables?

iptables is the user-space management tool of the Linux firewall. It is part of the netfilter/iptables IP packet filtering system and is used to set up, maintain, and inspect the IP packet filtering rules of the Linux kernel. It is free and can replace expensive commercial firewall products for packet filtering, packet redirection, and network address translation (NAT).

Features: iptables is a powerful kernel-based firewall. It has four built-in tables: filter, nat, mangle, and raw. Rules take effect immediately after they are configured, with no service restart. The flip side is that they live only in the kernel's memory: unless you save them (for example with iptables-save) and restore them at boot, they are gone after a reboot.

The iptables components

iptables is made up of tables, tables are made up of chains, and chains are made up of individual rules. So when we write an iptables rule, we specify the table first and then the chain. Tables separate rules by function and store them.

iptables has four tables and five chains

The four tables are the raw table, the mangle table, the nat table, and the filter table.

The raw table (PREROUTING and OUTPUT chains) is rarely used; its main job is to mark packets that should bypass connection tracking. Most of the work is done in the other three tables. Each table can contain more than one chain.

  • mangle: used to modify packets (for example their TTL or a firewall mark). The table contains the PREROUTING, POSTROUTING, INPUT, OUTPUT, and FORWARD chains.
  • nat: used for network address translation of IP addresses and ports. It is consulted only for the first packet of a connection; connection tracking then applies the same translation to the rest of the connection. The table contains the PREROUTING, POSTROUTING, and OUTPUT chains.
  • filter: the default table, responsible for filtering packets (accepting or dropping them). The table contains three chains: INPUT, FORWARD, and OUTPUT.

The five chains are as follows:

  • INPUT: filters packets whose destination address is the local host.
  • FORWARD: filters packets that pass through the local host (routed from one interface to another).
  • OUTPUT: filters packets generated by the local host.
  • PREROUTING: processed before the routing decision, as packets arrive at the firewall; this is where the destination address can be changed (DNAT).
  • POSTROUTING: processed after the routing decision, as packets leave the firewall; this is where the source address can be changed (SNAT).

How iptables processes packets

There are two types of packets: packets whose destination is the local host, and packets that merely pass through it.

1. When a packet arrives, it first enters the PREROUTING chain. The kernel then makes its routing decision: based on the destination address, it determines whether the packet is for the local host or needs to be forwarded.

2. If the packet is for the local host, it enters the INPUT chain, where it is filtered according to the rule conditions before being delivered to the local process.

3. Packets generated by the local host (for example, the reply to a request that passed INPUT) enter the OUTPUT chain, are filtered there, and then pass through the POSTROUTING chain on the way out.

4. If the packet is only passing through the local host and needs to be forwarded on, and the kernel allows forwarding (net.ipv4.ip_forward = 1), it enters the FORWARD chain, is filtered there, and then passes through the POSTROUTING chain on the way out.
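Putting the four steps together, here is an added example (not from the original post) of a ruleset for a host that is both a server and the gateway for a subnet. Each rule is placed in the table and chain that the packet path dictates, and the whole thing is written in iptables-restore format so it can be syntax-checked and loaded atomically instead of rule by rule. The interface names eth0 and eth1, the subnet 10.10.0.0/16 and the backend address 10.10.1.20 are assumptions.

```shell
#!/bin/sh
# Added example: a gateway ruleset laid out by the packet path above.
# Each rule sits in the table and chain that the path dictates:
#   nat/PREROUTING  - rewrite the destination before the routing decision
#   filter/INPUT    - packets for this host
#   filter/FORWARD  - packets passing through this host
#   filter/OUTPUT   - packets generated by this host
#   nat/POSTROUTING - rewrite the source after routing, as the packet leaves
# Interface names, subnet and backend address are assumptions for the example.
WAN_IF="${WAN_IF:-eth0}"                 # interface facing the Internet
LAN_IF="${LAN_IF:-eth1}"                 # interface facing the internal subnet
LAN_NET="${LAN_NET:-10.10.0.0/16}"       # the internal subnet
WEB_BACKEND="${WEB_BACKEND:-10.10.1.20}" # internal web server reachable from outside

# Print the ruleset in iptables-restore format: one *table block per table,
# each ending in COMMIT. Lines starting with # are ignored by iptables-restore.
gateway_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# INPUT (step 2): only what this host must accept; everything else hits the DROP policy
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i $LAN_IF -p tcp --dport 22 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# OUTPUT (step 3): this host's own traffic is allowed out by the ACCEPT policy
# FORWARD (step 4): traffic between the subnet and the Internet. The backend rule
# can match on -d $WEB_BACKEND because nat/PREROUTING has already rewritten the
# destination by the time the packet reaches FORWARD.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -d $WEB_BACKEND -p tcp --dport 80 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# PREROUTING (step 1): port-forward inbound HTTP to the backend before routing (DNAT)
-A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination $WEB_BACKEND:80
# POSTROUTING (steps 3 and 4): hide the subnet behind this host's address on the way out
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
COMMIT
EOF
}

if [ "${1:-}" = apply ]; then
  # --test parses the whole file without touching the kernel; load only if it passes.
  # Forwarding (step 4) additionally needs: sysctl -w net.ipv4.ip_forward=1
  gateway_ruleset | iptables-restore --test && gateway_ruleset | iptables-restore
else
  gateway_ruleset
fi
```

Run the script without arguments to print the ruleset for review, and with the argument apply (as root) to check it with iptables-restore --test and then load it. Loading through iptables-restore rather than issuing iptables commands one by one means there is never a half-applied ruleset: either the whole file is accepted or nothing changes.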

The iptables command

iptables [-t table] command option [chain] [match conditions] [-j target action or jump]

Note:

1. If no table is specified, the filter table is used by default.

2. If no chain is specified when listing (-L) or flushing (-F), the command applies to all chains in the table. When adding a rule you must name the chain. A rule with no match conditions matches every packet, so it only makes sense as a catch-all at the very end of a chain; for that purpose the chain's default policy (-P) is the better tool.

For example, to deny access from the host with IP address 10.10.10.8:

iptables -A INPUT -s 10.10.10.8 -j DROP

Rules in a chain are evaluated from top to bottom and the first match wins. -A appends the rule at the end of the chain, so if an earlier rule already accepts traffic from that host the DROP is never reached; use -I INPUT 1 to insert it at the top instead, and check the result with iptables -L INPUT -n -v --line-numbers.

For details about the commands, see iptables commands.
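The deny rule above is a one-liner, but in practice the address usually comes from somewhere else (a blocklist file, a monitoring alert) and the rule must land in the right place in the chain. The following added example, not from the original post, wraps that command so the address is validated before it touches a command line, the rule is inserted at the top of INPUT so an earlier ACCEPT cannot shadow it, and the command is printed rather than executed unless DRY_RUN=0 is set. The chain (INPUT), the target (DROP) and the sample blocklist are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): deny one or more hosts with
# iptables, the safe way. Assumptions: the chain is INPUT and the target is DROP.
#  - the address is validated before it is placed on a command line, so a bad
#    line in a blocklist file cannot smuggle extra options to iptables
#  - the rule is inserted at position 1 with -I rather than appended with -A,
#    so an earlier ACCEPT (e.g. for ESTABLISHED connections) cannot shadow it
#  - DRY_RUN=1 (the default here) prints the command instead of running it;
#    set DRY_RUN=0 and run as root to apply for real
DRY_RUN="${DRY_RUN:-1}"

run() {
  if [ "$DRY_RUN" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Accept a dotted-quad IPv4 address with an optional /0-32 prefix, nothing else.
valid_ipv4() {
  addr=${1%/*}
  prefix=${1#"$addr"}
  case "$prefix" in
    "") ;;
    /[0-9]|/[12][0-9]|/3[0-2]) ;;
    *) return 1 ;;
  esac
  case "$addr" in
    .*|*.) return 1 ;;            # leading or trailing dot
  esac
  oldifs=$IFS
  IFS=.
  set -f                          # no glob expansion while splitting on '.'
  set -- $addr
  set +f
  IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in
      ''|*[!0-9]*) return 1 ;;    # empty or non-numeric field
    esac
    [ "$octet" -le 255 ] || return 1
    # reject leading zeros: 010 is read as octal by some tools
    [ "$octet" = 0 ] || [ "$octet" = "${octet#0}" ] || return 1
  done
  return 0
}

deny_host() {
  if ! valid_ipv4 "$1"; then
    printf 'refusing to build a rule from invalid address: %s\n' "$1" >&2
    return 1
  fi
  run iptables -I INPUT 1 -s "$1" -j DROP
}

# Read addresses from stdin, one per line; # starts a comment. Returns 1 if
# any line was rejected, after processing the rest.
deny_from_list() {
  rc=0
  while read -r line; do
    line=${line%%#*}              # drop comments
    set -f; set -- $line; set +f  # word-split to trim surrounding whitespace
    [ $# -gt 0 ] || continue
    deny_host "$*" || rc=1        # a multi-word line is handed over as-is and rejected
  done
  return "$rc"
}

# Constructed sample blocklist; the last line shows what validation catches.
deny_from_list <<'EOF' || printf 'some entries were rejected\n' >&2
10.10.10.8          # the host from the example above
203.0.113.0/24      # TEST-NET-3, a documentation range used as a sample
10.10.10.9 -j ACCEPT
EOF
```

With the default DRY_RUN=1 the script prints two iptables -I INPUT 1 ... commands and refuses the third line. A blocklist that is trusted without such a check is itself an attack surface: whoever can write a line into it can otherwise choose which options reach iptables.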

iptables rules can be configured on each cloud server. However, when there are many cloud servers, configuring each one by hand is too cumbersome. How do you apply the same iptables rules to all cloud servers that have the same requirements?

Security groups? Network ACLs?

Yes!

Both control the packets entering and leaving cloud servers or user networks by managing Linux iptables rules on your behalf. They are applied at different locations and serve different purposes, and network ACLs and security groups can be deployed at the same time for two layers of protection.

Security group: add cloud servers that trust each other and have the same security protection requirements to a security group. The security group filters access between VMs in different security groups and between VMs and the Internet.

Network ACL: works at the subnet level, in front of security groups, to isolate malicious external traffic and filter the traffic entering and leaving the user network.

So put it into practice and set up a "bagua array" for your Elastic Cloud Server:

Configure a security group for the cloud server. For details, see Introduction to Security Groups.

Control the data flow to and from a subnet. For details, see Introduction to Network ACLs.

The iptables "bagua array" is there to protect the basic security of your network.

Follow us to be the first to learn about new Huawei Cloud technology.