This is the 13th day of my participation in the August More Text Challenge. More challenges in August.

I. Firewall introduction

1. Functions:

    1) Decides whether a packet may pass through the firewall, based on its source port, source IP address, source MAC address, particular markings on the packet, and its destination port, IP address and MAC address.
    2) Separates the internal network from the external network [partitions off the servers that need to be protected].
    3) Provides router functions.

    A Linux server with the firewall enabled plus protective measures such as SELinux is commonly described in training material as reaching TCSEC security level B2. Take this as a rough description of the protection class (mandatory access control added on top of ordinary discretionary permissions), not a formal certification: no stock Linux distribution has been evaluated at B2.

2. Firewall classification

    1) Packet filtering [most firewalls]: checks whether a packet's IP address, port and MAC address match the rules, and accepts the packet if they do.
    2) Proxy server

3. Firewall limitations

    1) A firewall cannot effectively stop viruses, so it is basically useless against virus attacks. It does impose some restrictions on Trojan horses, because the network connections a Trojan needs can be blocked.
    2) A firewall generally has no access rules for the inside [the local host itself], so it is ineffective against attacks launched from inside.

[Note] Nowadays the recognition rate of anti-virus software against viruses is only around 30%; in other words, most viruses are ones the anti-virus software does not know.

4. Firewall configuration principles [two approaches, used as appropriate]

    Deny everything, then allow one by one.
    Allow everything, then deny one by one.

Firewall rule order: whichever rule is configured first is applied first! A chain is matched from top to bottom and the first rule that matches a packet decides its fate; later rules are never consulted for that packet, so the order in which you add rules matters.

5. Common Linux firewalls

    2.4/2.6 kernels: iptables    # the one commonly used today
    2.2 kernel:      ipchains

    Newer kernels (3.13 and later) also provide nftables; on recent distributions the iptables command is often the iptables-nft compatibility front end on top of it, but the syntax below still applies.

II. The iptables firewall

1. Structure: table -> chain -> rule

2. Tables: iptables has the following tables by default

    filter    packet filtering table; the default table when -t is omitted
    nat       address translation between the intranet and the extranet
    mangle    special packet marking (altering header fields, setting marks)

    Two further tables exist but are rarely needed here: raw (exempting packets from connection tracking) and, on SELinux systems, security.

3. Chains

    In the filter table: INPUT (packets addressed to this host), OUTPUT (packets generated by this host), FORWARD (packets routed through this host)
    In the nat table: PREROUTING, OUTPUT, POSTROUTING

III. Basic iptables syntax

1. Viewing and clearing rules

    iptables [-t table] [options]

    Options:
      -L    list the rules
      -F    flush: clear all rules (of the chain named, or of the whole table)
      -X    delete user-defined chains
      -Z    zero the packet and byte counters of all chains
      -n    numeric output: print ports and IP addresses as numbers instead of resolving them to names

    Add -v to see the counters and --line-numbers to see each rule's position; together they show which rule is actually matching traffic.

Example:

    iptables -L -n             # list the filter table (the default when -t is omitted)
    iptables -t nat -L -n      # list the nat table

2. Define the default policy

    iptables -t table -P chain ACCEPT|DROP    # -P (upper case) sets the default policy of the chain

Example:

    iptables -t filter -P INPUT DROP

Note: do not lock yourself out of the server. Set a DROP policy last, only after the rules that allow your own access (SSH at the very least, plus the loopback and ESTABLISHED,RELATED rules) are in place.

3. Specifying IP addresses and NIC interfaces

    iptables [-A|-I chain] [-i|-o interface] [-p protocol] [-s source IP] [-d destination IP] -j action

Description:

    -A chain         append: add the rule at the end of the chain
    -I chain [n]     insert: e.g. -I INPUT 2 inserts the rule as the second rule of the INPUT chain
    -D chain n       delete rule number n from the chain (upper-case -D; lower-case -d is the destination address)

Example:

    iptables -D INPUT 2      # delete rule 2 from the INPUT chain

    -i interface     the incoming interface, used in the INPUT chain
    -o interface     the outgoing interface, used in the OUTPUT chain
    -p protocol      tcp / udp / icmp / all
    -j action        ACCEPT | DROP (REJECT, which answers with an error, and LOG are also common)

Example:

    iptables -A INPUT -i lo -j ACCEPT

Allows traffic on the local loopback interface, in the INPUT chain.

    iptables -A INPUT -i eth0 -s 192.168.140.254 -j ACCEPT

Allow 192.168.140.254 in on eth0.

    iptables -A INPUT -i eth0 -s 192.168.140.0/24 -j DROP

Deny the rest of the 192.168.140.0/24 segment. Because rules are matched in order, the ACCEPT for .254 must be added before the DROP for the whole segment; added the other way round, .254 would be dropped by the first rule and the ACCEPT would never be reached.
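The first-match rule above is easy to get wrong, so here is an added example that is not part of the original post: a small POSIX shell evaluator that walks a list of "ACTION CIDR" rules the way iptables walks a chain and reports which rule, or the chain policy, decides a packet from a given source address. It runs without root and without iptables. The two rule lists are constructed from the two rules above (192.168.140.254 and 192.168.140.0/24) in both orders, the sample source addresses are made up, and the function names (ip2int, cidr_match, first_match) are this example's own.

```shell
#!/bin/sh
# Added example (not part of the original post): a first-match-wins
# evaluator that mirrors how iptables walks a chain.  Rules are lines of
# "ACTION CIDR"; the first rule whose CIDR contains the packet's source
# address decides, otherwise the chain policy applies.  Runs without root
# and without iptables.  All function names are this example's own.

# ip2int: dotted-quad IPv4 address -> 32-bit integer
ip2int() {
    a=${1%%.*}; rest=${1#*.}
    b=${rest%%.*}; rest=${rest#*.}
    c=${rest%%.*}; d=${rest#*.}
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# cidr_match ADDR CIDR: succeeds when ADDR lies inside CIDR
# (a bare address such as 192.168.140.254 is treated as a /32)
cidr_match() {
    case $2 in
        */*) net=${2%/*}; bits=${2#*/} ;;
        *)   net=$2;      bits=32 ;;
    esac
    if [ "$bits" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    fi
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# first_match POLICY SRC: reads "ACTION CIDR" rules from stdin in order,
# prints the decision for a packet from SRC and which rule (or the policy) made it
first_match() {
    policy=$1; src=$2; n=0
    while read -r action cidr; do
        [ -z "$action" ] && continue
        n=$((n + 1))
        if cidr_match "$src" "$cidr"; then
            echo "$action (rule $n $cidr)"
            return 0
        fi
    done
    echo "$policy (policy)"
}

# Constructed rule lists: the post's two rules in both possible orders.
RULES_ALLOW_FIRST='ACCEPT 192.168.140.254
DROP 192.168.140.0/24'
RULES_DROP_FIRST='DROP 192.168.140.0/24
ACCEPT 192.168.140.254'

# Demo: the same packets against both orders, with INPUT policy DROP.
for src in 192.168.140.254 192.168.140.7 10.0.0.9; do
    printf '%-16s allow-first: %-34s drop-first: %s\n' "$src" \
        "$(printf '%s\n' "$RULES_ALLOW_FIRST" | first_match DROP "$src")" \
        "$(printf '%s\n' "$RULES_DROP_FIRST"  | first_match DROP "$src")"
done
```

With the ACCEPT first, .254 is admitted by rule 1 and the rest of the segment is dropped by rule 2; with the DROP first, .254 is caught by rule 1 and the ACCEPT is dead code. An address outside the segment falls through to the policy either way. On a real host the equivalent check is iptables -L INPUT -n -v --line-numbers, whose packet counters show which rule traffic is actually hitting.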

4. Setting port access

    iptables -A INPUT -i eth0 -p tcp|udp -s source-IP --sport source-port -d destination-IP --dport destination-port -j action

Example:

    iptables -A INPUT -i eth0 -p tcp -s 192.168.140.0/24 --dport 22 -j DROP            # deny SSH from the 140 segment
    iptables -A INPUT -i eth0 -p tcp -s 192.168.140.0/24 --dport 137:139 -j ACCEPT     # allow ports 137 to 139 (a range is written low:high)

Note: when specifying a port do not use -p all; name the exact protocol, tcp or udp. --sport and --dport belong to the tcp and udp protocol matches, and iptables rejects them for any other protocol.

5. Module call

-m module-name module-options    loads an iptables extension module

    1) -m state --state ESTABLISHED,RELATED

    iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

    # state is the connection-tracking state of the packet: NEW is the first packet of a connection, ESTABLISHED is a packet of a connection that has already seen traffic in both directions, RELATED is a new connection associated with an existing one (for example an FTP data connection). On current iptables the same match is spelled -m conntrack --ctstate ESTABLISHED,RELATED; -m state still works as an alias. Allowing ESTABLISHED,RELATED early in the INPUT chain is what lets replies to the host's own outbound connections through a DROP policy.

2) -m mac --mac-source    restricts access by source MAC address

    iptables -A INPUT -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP    # deny the host with this MAC address

    The mac match is only valid in the PREROUTING, FORWARD and INPUT chains and sees only the MAC of the last hop, so it cannot identify a host on the far side of a router; MAC addresses are also trivially spoofed, so treat this as a convenience rather than a security boundary.

3) -m string --string "text to look for in the packet" --algo kmp|bm

    iptables -A FORWARD -p udp --dport 53 -m string --string "Tencent" --algo kmp -j DROP

    --algo selects the search algorithm, kmp or bm; either may be used, and the option is mandatory. Note that DNS queries carry the name in wire format, with a length byte in place of each dot, so a string match finds a single label such as "tencent" but not "tencent.com" written with the dot.

6. Simple firewall example

    iptables -F
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    #iptables -A INPUT -p tcp --dport 22 -s <IP address> -j ACCEPT    # tighter alternative: SSH only from one address
    iptables -A INPUT -p tcp --dport 873 -j ACCEPT
    iptables -A INPUT -p tcp --dport 139 -j ACCEPT
    iptables -A INPUT -p tcp --dport 21 -j ACCEPT
    iptables -P INPUT DROP

Two things to check before running this on a remote host: if the INPUT policy is already DROP from an earlier run, iptables -F removes the allow rules while the policy stays DROP, so run iptables -P INPUT ACCEPT before flushing (or load the rules atomically with iptables-restore); and RELATED only matches FTP data connections when the nf_conntrack_ftp helper module is loaded.

7. Starting the firewall service automatically at boot

    chkconfig iptables on

This is the SysV init command of CentOS/RHEL 6. On systemd-based releases install the iptables-services package and run systemctl enable iptables instead.

8. Loading the firewall rules automatically at boot

    1) service iptables save writes the current rules to /etc/sysconfig/iptables, which is read back automatically when the service starts after a reboot.

    2) Write the firewall script by hand:

    a. Create the script, vi /root/iptables.rule:

        #!/bin/sh
        iptables -A INPUT -i lo -j ACCEPT
        iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
        iptables -A INPUT -p tcp --dport 80 -j ACCEPT
        iptables -A INPUT -p tcp --dport 22 -j ACCEPT
        iptables -A INPUT -p tcp --dport 873 -j ACCEPT
        iptables -A INPUT -p tcp --dport 139 -j ACCEPT
        iptables -A INPUT -p tcp --dport 21 -j ACCEPT
        iptables -P INPUT DROP

    b. Grant execute permission: chmod 755 /root/iptables.rule
    c. Have it run at startup: vi /etc/rc.local
    d. Append the line /root/iptables.rule to that file.

    Because the script only appends, running it a second time duplicates every rule; put iptables -P INPUT ACCEPT and iptables -F at the top if it is ever re-run on a live host. /etc/rc.local must itself be executable, otherwise rc-local.service on systemd systems will not run it.
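The same ruleset, as an added example that is not part of the original post, written as a complete iptables-restore file instead of a sequence of iptables commands. This is the format that service iptables save writes to /etc/sysconfig/iptables, and loading it with iptables-restore installs the policies and all rules in one atomic step: there is no moment at which INPUT is DROP while the allow rules are still missing, and re-running it replaces the table rather than duplicating rules. The port list is the post's (21, 22, 80, 139, 873). Everything else is this example's own choice and not something the post describes: the management subnet 192.168.140.0/24 (taken from the earlier examples and restricting only SSH), -m conntrack --ctstate in place of -m state, a DROP policy on FORWARD because the host does not route, an INVALID drop, a rate-limited LOG rule before the policy, and a rollback timer that restores the previous rules unless the operator kills it, tracked through the hypothetical pid-file path /run/iptables-rollback.pid.

```shell
#!/bin/sh
# Added example (not part of the original post): the post's "simple
# firewall" rendered as an iptables-restore file and loaded atomically,
# with a timed rollback so a mistake cannot lock the operator out.
# Assumptions: the management subnet and the rollback pid-file path are
# illustrative placeholders; -m conntrack is used instead of -m state.

ADMIN_NET=${ADMIN_NET:-192.168.140.0/24}                    # assumed: where SSH may come from
TCP_PORTS=${TCP_PORTS:-22 80 873 139 21}                    # the post's services
ROLLBACK_PID=${ROLLBACK_PID:-/run/iptables-rollback.pid}   # hypothetical path

# render_ruleset [NET] [PORTS]: print a complete filter table in the
# format iptables-restore reads (and iptables-save / "service iptables save" writes)
render_ruleset() {
    net=${1:-$ADMIN_NET}
    ports=${2:-$TCP_PORTS}
    printf '%s\n' \
        '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate INVALID -j DROP' \
        '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT'
    for p in $ports; do
        case $p in
            22) printf '%s\n' "-A INPUT -p tcp -s $net --dport 22 -m conntrack --ctstate NEW -j ACCEPT" ;;
            *)  printf '%s\n' "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT" ;;
        esac
    done
    # rate-limited log of what the DROP policy is about to discard, then commit
    printf '%s\n' \
        '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: " --log-level 4' \
        'COMMIT'
}

# apply_ruleset [GRACE]: save the live rules, load the new set in one
# step, and restore the saved rules after GRACE seconds unless the
# operator kills the timer.  Needs root.
apply_ruleset() {
    grace=${1:-60}
    backup=$(mktemp) || return 1
    iptables-save > "$backup" || return 1
    # --test parses the whole file without touching the kernel: a typo
    # is caught here instead of half-way through a live load
    if ! render_ruleset | iptables-restore --test; then
        echo "new ruleset does not parse; live rules left unchanged" >&2
        return 1
    fi
    render_ruleset | iptables-restore || return 1
    (
        sleep "$grace"
        iptables-restore < "$backup"
        echo "no confirmation within ${grace}s: previous rules restored" >&2
    ) &
    echo $! > "$ROLLBACK_PID"
    echo "Rules loaded. If this host is still reachable, keep them with: kill \$(cat $ROLLBACK_PID)"
}

case ${1:-render} in
    apply) apply_ruleset "${2:-60}" ;;   # sh fw.sh apply [seconds]
    *)     render_ruleset ;;             # sh fw.sh > /etc/sysconfig/iptables
esac
```

Run with no arguments to print the file (redirect it to /etc/sysconfig/iptables on CentOS/RHEL, where the iptables service loads it at boot, so neither chkconfig tricks nor rc.local are needed); run with apply to load it on a live host, then confirm from a fresh SSH session by killing the rollback timer. If the new rules cut you off, the timer puts the old rules back by itself.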