Notes on network packet flow and firewall-related functions and operations in Linux

The routing table

The routing table decides where a network packet is sent next. Run the route command (route -n to skip name resolution) to view it; on current distributions route belongs to the legacy net-tools package, and ip route show prints the same information. The output has the following columns:

    Destination  destination address (a host address or a network address)
    Gateway      the gateway the packet is handed to next (0.0.0.0 means directly reachable)
    Genmask      the network mask applied to the destination
    Iface        the network interface the packet leaves through

By the kind of address they match, routing entries fall into three types: host routes (a specific IP address, mask 255.255.255.255), network routes (a network segment with its mask) and the default route (destination 0.0.0.0, mask 0.0.0.0). When a packet has to be routed, the kernel picks the entry with the longest matching prefix, which gives the following order of precedence: a specific host address is matched first; if none matches, a network address; if none matches, the default route is used.
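As an added example (not part of the original post), the lookup below implements that longest-prefix rule in Python over a constructed routing table in route -n format; the addresses and interface names are made up.

```python
"""Longest-prefix lookup over a routing table in `route -n` format.

Added example, not from the original post. ROUTE_N_OUTPUT is constructed
to look like `route -n` output; the addresses are made up."""
import ipaddress

ROUTE_N_OUTPUT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.17.1    0.0.0.0         UG    100    0        0 eth0
10.0.0.0        192.168.17.254  255.0.0.0       UG    100    0        0 eth0
192.168.17.0    0.0.0.0         255.255.255.0   U     100    0        0 eth0
192.168.17.178  0.0.0.0         255.255.255.255 UH    100    0        0 eth1
"""


def parse_route_output(text):
    """Return a list of (network, gateway, iface) from `route -n` output."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8 or fields[0] == "Destination":
            continue   # skip the title line and the column header
        dest, gateway, genmask, iface = fields[0], fields[1], fields[2], fields[7]
        net = ipaddress.ip_network(f"{dest}/{genmask}", strict=False)
        routes.append((net, None if gateway == "0.0.0.0" else gateway, iface))
    return routes


def lookup(routes, dst):
    """Pick the route for dst the way the kernel does: longest prefix wins.

    A host route (/32) beats a network route, which beats the default route
    (/0), which is exactly the host -> network -> default order in the text.
    Returns (gateway, iface); gateway is None when dst is directly reachable.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gateway, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1], best[2]
```

lookup(parse_route_output(ROUTE_N_OUTPUT), "192.168.17.178") picks the host route on eth1 even though the network route and the default route also match, and 8.8.8.8 falls through to the default route via 192.168.17.1.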

Packet direction

When a packet reaches the host it passes through the following stages in order:

  1. Firewall: the default firewall consists of two separate mechanisms, Netfilter and TCP Wrappers.
  2. Service settings: after passing the firewall the packet reaches the service process, which normally controls access itself (for example, httpd can restrict which IP addresses may use it through httpd.conf).
  3. SELinux: on top of step 2, SELinux rules can confine the service (for example, limit httpd to a certain set of files and operations), so that a vulnerability in the service does not compromise the whole host.
  4. File permissions: finally, when the service needs a resource (a file), it must also hold the corresponding permissions on that file, otherwise it cannot access it.

Firewalls

Firewalls come as hardware firewalls and software firewalls. A hardware firewall is a dedicated device that filters packets; it sits at a network node as a special-purpose filter, usually with unrelated functions stripped from the hardware. A software firewall is a program that filters packets; this article focuses on software firewalls. The default firewall mechanisms on Linux are Netfilter and TCP Wrappers, two separate mechanisms: Netfilter does packet filtering and TCP Wrappers does per-service access control. Together they let Linux filter out most malicious packets as well as other unwanted ones (in a multi-host setup some services may need specific packets filtered as well).

Netfilter

After a packet reaches the host it first passes through the first gate, Netfilter, which is a packet filtering mechanism: it extracts the packet's header fields, analyses them and decides what to do with the packet. Netfilter is built into the Linux kernel, and the iptables tool is used to manage its filtering rules (on many current distributions the kernel backend is nftables and the iptables command is the iptables-nft compatibility layer, which accepts the same syntax).

Although Linux firewalls comprise Netfilter and TCP Wrappers, TCP Wrappers is normally used only to control which sources may reach particular services, not as a general firewall. So "the firewall" usually means Netfilter, which has been part of the kernel since version 2.4, with iptables as the firewall management tool. iptables holds a list of rules; a packet is checked against them in order, and the first rule that matches decides how the packet is handled, after which the remaining rules in that chain are not examined (the exception is a non-terminating target such as LOG, which records the packet and lets matching continue). Rule order is therefore very important.

To make these rules manageable, iptables provides two concepts: tables and chains. A table groups rules by function; by default iptables has three commonly used tables (filter, nat and mangle; raw and security exist too but are rarely needed). Each table has the following function and chains:

  • filter: decides whether packets entering or leaving the local host are accepted
    1. INPUT chain: packets addressed to the local host
    2. OUTPUT chain: packets generated by the local host
    3. FORWARD chain: packets routed through the host to another host
  • nat: translates IP addresses and ports; it has little to do with the host's own traffic and mostly serves the LAN behind the host
    1. PREROUTING: before the routing decision (destination NAT)
    2. POSTROUTING: after the routing decision (source NAT, masquerading)
    3. OUTPUT: locally generated packets
  • mangle: alters packet fields (marks, TTL, TOS) for special routing or QoS treatment
    1. INPUT chain: packets addressed to the local host
    2. OUTPUT chain: packets generated by the local host
    3. FORWARD chain: packets routed through the host
    4. PREROUTING: before the routing decision
    5. POSTROUTING: after the routing decision

When a packet has to be processed it flows through the chains of the tables in a fixed order and is matched against the rules in each chain. For the built-in tables and chains the flow is:

    packet arriving on an interface
      -> PREROUTING (raw, mangle, nat) -> routing decision
           -> addressed to this host: INPUT (mangle, filter) -> local process
           -> addressed elsewhere:    FORWARD (mangle, filter) -> POSTROUTING (mangle, nat) -> out
    packet generated by a local process
      -> OUTPUT (raw, mangle, nat, filter) -> POSTROUTING (mangle, nat) -> out

The mangle table is rarely used; nat is needed when the host translates addresses for other machines (routing for a LAN), and filter is usually sufficient for a single machine. This article uses only the filter table as its example; the other tables work on the same principle.

View the rules

    iptables [-t table] -L [-n] [-v]
    Options:
      -t  table name, such as filter; filter is assumed if omitted
      -L  list the current rules (of one chain, or of every chain in the table)
      -n  print addresses and ports numerically (no DNS or service-name lookups)
      -v  verbose output (packet and byte counters, interfaces)

    View the current rules of the nat table:
      iptables -t nat -L -n

    The output contains the following fields:
      target       the action taken when the rule matches (ACCEPT, DROP, a chain name, ...)
      prot         protocol of the packet
      opt          additional options
      source       source IP address
      destination  destination IP address

In addition, iptables-save prints all current rules in a form that can be redirected to a file, and iptables-restore imports such a file again.

    iptables-save [-t table]
    Options:
      -t  dump only the specified table (all tables by default)

    Export the current rules to a file:
      iptables-save > iptables.rule
    Load them back later:
      iptables-restore < iptables.rule

When a packet matches no rule in a chain (or the chain has no rules at all, as when the firewall has not been configured), the chain's default policy is applied; when listing rules it is shown as the policy after the chain name.

    iptables [-t table] -P chain policy
    Options:
      -P  set the default policy of a built-in chain (INPUT, OUTPUT, FORWARD, ...);
          the policy is ACCEPT or DROP; user-defined chains have no policy

    Set the default policy of the filter table's INPUT chain to ACCEPT:
      iptables -P INPUT ACCEPT

Adding rules

The basic form of a rule is: under which conditions, take which action.

    iptables [-t table] [match options] [-j target]
    Options:
      -t        table name, such as filter; filter is assumed if omitted
      -j        target (action) taken when the rule matches: ACCEPT, DROP, REJECT, LOG,
                or the name of a user-defined chain
      -A chain  append the rule at the end of the chain
      -I chain  insert the rule at the beginning of the chain (or at a given position)
      -i        incoming network interface (such as eth0); -o is the outgoing interface
      -p        protocol: tcp, udp, icmp or all
      -s        source: a single IP address or a network segment (address/prefix or
                address/mask); may be negated with !
      -d        destination, same syntax as -s
      --sport   source port; a range is written first:last; needs -p tcp or -p udp
      --dport   destination port, same as above
      -m        load an extension module, for example
                state: connection-tracking state, --state NEW,ESTABLISHED,RELATED,INVALID
                mac: source hardware address, --mac-source aa:bb:cc:dd:ee:ff
      --icmp-type  ICMP message type; needs -p icmp

    Accept all packets arriving on the loopback interface:
      iptables -A INPUT -i lo -j ACCEPT
    Accept all packets from 192.168.17.178:
      iptables -A INPUT -s 192.168.17.178 -j ACCEPT
    Log all outgoing TCP packets to ports 5000 to 6000:
      iptables -A OUTPUT -p tcp --dport 5000:6000 -j LOG
    Drop packets whose connection-tracking state is INVALID:
      iptables -A INPUT -m state --state INVALID -j DROP
    Accept packets from the hardware address aa:bb:cc:dd:ee:ff:
      iptables -A INPUT -m mac --mac-source aa:bb:cc:dd:ee:ff -j ACCEPT
    Drop ICMP type 8 (echo request, i.e. ping) packets:
      iptables -A INPUT -p icmp --icmp-type 8 -j DROP

Two things to keep in mind: LOG is a non-terminating target, so a logged packet continues down the chain and still needs an ACCEPT or DROP later; and because the first match wins, a typical INPUT chain accepts lo and ESTABLISHED,RELATED traffic first, then opens specific new connections, and leaves everything else to a DROP policy. The state module is a legacy alias; current iptables prefers -m conntrack --ctstate with the same state names.

Deleting rules

As said above, rule order is very important: once a packet matches a rule, the remaining rules in the chain are not consulted (the packet is either dropped or handed on). So when the existing rules are unknown or have become too many, it is often better to clear them and define them again.

    iptables [-t table] [-F [chain]] [-X [chain]] [-Z [chain]]
    Options:
      -t  table name, such as filter; filter is assumed if omitted
      -F  flush (delete) all rules of a chain, or of every chain in the table if no chain is given
      -X  delete a user-defined chain, or all empty user-defined chains
      -Z  zero the packet and byte counters

    Clear all rules of the nat table:
      iptables -t nat -F

Caution: flushing INPUT while its policy is DROP cuts off an SSH session you are working from; set the policy to ACCEPT first, or delete single rules with iptables -D chain rule-number (iptables -L --line-numbers shows the numbers).

Custom chains

When there are many rules, user-defined chains let you group them and manage them separately.

    iptables [-t table] -N chain
    iptables [-t table] -A chain [match options] -j custom_chain
    Options:
      -t  table name, such as filter; filter is assumed if omitted
      -N  create a new user-defined chain
      -j  with a chain name as the target, jump into that chain

    Create a new chain:
      iptables -N NEW_CHAIN
    Add a rule to it:
      iptables -I NEW_CHAIN -s 127.0.0.1 -j ACCEPT
    Reference the new chain from INPUT:
      iptables -I INPUT -p tcp -j NEW_CHAIN

A user-defined chain has no default policy: if none of its rules gives a verdict (or a rule hits the RETURN target), matching resumes at the next rule of the chain that jumped to it.
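The first-match semantics from the Netfilter section, the default policy, the non-terminating LOG target and the fall-through of a user-defined chain can all be seen in one place with the small model below. It is an added example, not code from the original post or from the iptables project: it reproduces the rule semantics described above in Python rather than parsing real iptables syntax, and the rule set and packets are constructed (the 192.168.17.0/24 LAN from the post's examples plus a made-up outside address).

```python
"""First-match evaluation of iptables-style chains: default policy of a
built-in chain, a non-terminating LOG target and a jump to a user-defined
chain. Added example, not from the original post or the iptables project;
it models the semantics described in the text, not real iptables syntax,
and the rules and packets below are constructed."""
import ipaddress

TERMINATING = {"ACCEPT", "DROP", "REJECT"}


class Rule:
    """One rule: every criterion given must hold, then `target` applies."""

    def __init__(self, target, iface=None, proto=None, src=None, dport=None, state=None):
        self.target = target
        self.iface = iface                                     # -i
        self.proto = proto                                     # -p
        self.src = ipaddress.ip_network(src) if src else None  # -s
        self.dport = dport                 # --dport: int or (low, high) for 5000:6000
        self.state = set(state) if state else None             # -m state --state

    def matches(self, pkt):
        if self.iface and pkt["iface"] != self.iface:
            return False
        if self.proto and pkt["proto"] != self.proto:
            return False
        if self.src and ipaddress.ip_address(pkt["src"]) not in self.src:
            return False
        if self.dport is not None:
            low, high = self.dport if isinstance(self.dport, tuple) else (self.dport, self.dport)
            if not low <= pkt.get("dport", -1) <= high:
                return False
        return not self.state or pkt["state"] in self.state


class Table:
    """Chains of rules plus the default policy of each built-in chain."""

    def __init__(self):
        self.chains, self.policy = {}, {}

    def new_chain(self, name):              # iptables -N name
        self.chains[name] = []

    def set_policy(self, chain, policy):    # iptables -P chain policy
        self.policy[chain] = policy

    def append(self, chain, rule):          # iptables -A chain ...
        self.chains.setdefault(chain, []).append(rule)

    def insert(self, chain, rule):          # iptables -I chain ...
        self.chains.setdefault(chain, []).insert(0, rule)

    def evaluate(self, chain, pkt, log=None):
        """Walk `chain` in order and return (verdict, log entries).

        The first matching rule with a terminating target decides the packet;
        LOG records it and matching continues; a target naming another chain
        jumps there, and if that chain ends without a verdict (or hits RETURN)
        matching resumes at the caller's next rule. An exhausted built-in
        chain yields its policy; a user-defined chain has none and yields None.
        """
        log = [] if log is None else log
        for rule in self.chains.get(chain, []):
            if not rule.matches(pkt):
                continue
            if rule.target in TERMINATING:
                return rule.target, log
            if rule.target == "RETURN":
                return None, log
            if rule.target == "LOG":
                log.append((chain, pkt["src"], pkt.get("dport")))
            elif rule.target in self.chains:
                verdict, log = self.evaluate(rule.target, pkt, log)
                if verdict is not None:
                    return verdict, log
            else:
                raise ValueError(f"unknown target {rule.target}")
        return self.policy.get(chain), log


def build_filter_table():
    """INPUT chain shaped like the text's examples: loopback and established
    traffic first, SSH checked in a user-defined chain that accepts one LAN
    only, ports 5000-6000 open to everyone, the rest dropped by policy."""
    t = Table()
    t.set_policy("INPUT", "DROP")
    t.append("INPUT", Rule("ACCEPT", iface="lo"))
    t.append("INPUT", Rule("ACCEPT", state={"ESTABLISHED", "RELATED"}))
    t.append("INPUT", Rule("DROP", state={"INVALID"}))
    t.new_chain("SSH_CHECK")
    t.append("SSH_CHECK", Rule("LOG"))                            # log every SSH attempt
    t.append("SSH_CHECK", Rule("ACCEPT", src="192.168.17.0/24"))
    # No further rule: other sources fall back into INPUT and reach its policy.
    t.append("INPUT", Rule("SSH_CHECK", proto="tcp", dport=22))
    t.append("INPUT", Rule("ACCEPT", proto="tcp", dport=(5000, 6000)))
    return t


def input_verdict(table, pkt):
    """Verdict for a packet addressed to the local host (INPUT chain)."""
    return table.evaluate("INPUT", pkt)[0]
```

input_verdict(build_filter_table(), pkt) returns ACCEPT for a new SSH connection from 192.168.17.178 and DROP for one from 203.0.113.9; both passed through SSH_CHECK and were logged there, and the second fell back into INPUT and reached its policy. Inserting a DROP rule at the head of INPUT with insert() flips the LAN result to DROP, which is the order-matters point from the Netfilter section.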

TCP Wrappers

TCP Wrappers is a service access-control mechanism: it decides which sources may reach which service. Linux provides two configuration files for it, /etc/hosts.allow and /etc/hosts.deny. The rules are simple, but not every service honours them: a service must be linked against the libwrap library (or be started through tcpd or xinetd, which are). You can check for libwrap as follows:

$ ldd /usr/sbin/sshd | grep libwrap
    libwrap.so.0 => /lib/x86_64-linux-gnu/libwrap.so.0 (0x00007eff072ec000)

Matching order: /etc/hosts.allow is checked first, and a matching entry grants access; if nothing matches there, /etc/hosts.deny is checked, and a matching entry denies access; a client that matches neither file is allowed. Within a file the first matching line wins.

Matching rules

Both files have the same format:

    service list: host list [: option]

The service list names the services (daemon process names such as sshd), separated by commas. The host list names the permitted request sources: a specific host address, a network segment with a mask or prefix length, or a (domain) name, again separated by commas. The option is an additional action to take on a match.

Common wildcards:

    ALL       all hosts (or, in the service list, all services)
    LOCAL     hosts whose name contains no dot (hosts in the local domain)
    KNOWN     hosts whose name and address both resolve in DNS
    UNKNOWN   hosts whose name or address cannot be resolved in DNS
    PARANOID  hosts whose forward and reverse DNS lookups do not agree
    EXCEPT    excludes part of a host list (for example ALL EXCEPT 192.168.17.0/24)

Common options: allow grants access even when the line is in /etc/hosts.deny; deny refuses access even when the line is in /etc/hosts.allow; spawn runs an extra command (usually to write a log line), in which %a expands to the client address and %d to the daemon name.

A few examples:

    sshd: ALL EXCEPT 192.168.17.0/24
Placed in /etc/hosts.deny: no host except those in 192.168.17.0/24 may reach the SSH service.

    sshd: 192.168.17.178: deny
Placed in /etc/hosts.allow: this one host cannot reach the SSH service.

    sshd: 192.168.17.178: spawn echo 'XXX' >> /var/log/example.log
Placed in /etc/hosts.allow: write a log line whenever 192.168.17.178 accesses the SSH service.

Caveat: upstream OpenSSH dropped libwrap support in version 6.7, so whether your sshd still honours these files depends on the distribution's build, which is why the ldd check above matters; the same applies to any other daemon.
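The matching order and the examples above can be exercised with the model below. It is an added example, not code from the original post or from the tcp_wrappers library: the contents of the two files are constructed, host patterns cover ALL, LOCAL, addresses, networks and name suffixes, and the DNS-dependent wildcards (KNOWN, UNKNOWN, PARANOID) are left out because they require name resolution.

```python
"""hosts.allow / hosts.deny evaluation in the order TCP Wrappers uses.

Added example, not from the original post or the tcp_wrappers library: it
models the matching rules described in the text. The two file contents are
constructed; KNOWN/UNKNOWN/PARANOID are omitted because they need DNS."""
import ipaddress

HOSTS_ALLOW = """
sshd: 192.168.17.178: deny
sshd: 192.168.17.0/255.255.255.0, 10.0.0.0/8: spawn echo %a >> /var/log/example.log
vsftpd: LOCAL
"""
HOSTS_DENY = """
sshd: ALL EXCEPT 192.168.17.0/24
ALL: ALL
"""


def parse(text):
    """Parse 'services: hosts[: option]' lines, skipping blanks and comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(":", 2)]
        services = [s.strip() for s in parts[0].split(",")]
        option = parts[2] if len(parts) > 2 else None
        rules.append((services, parts[1], option))
    return rules


def host_matches(pattern, client_ip, client_name):
    """One host pattern: ALL, LOCAL, an address, a network or a name suffix."""
    pattern = pattern.strip()
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                       # a name without a dot
        return client_name is not None and "." not in client_name
    if "/" in pattern:                           # net/mask or net/prefix
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
    try:
        return ipaddress.ip_address(pattern) == ipaddress.ip_address(client_ip)
    except ValueError:                           # not an address: a (domain) name
        return client_name is not None and client_name.endswith(pattern)


def host_list_matches(host_list, client_ip, client_name):
    """A host list is 'A, B, C', optionally followed by 'EXCEPT X, Y'."""
    included, _, excluded = host_list.partition(" EXCEPT ")
    hit = any(host_matches(p, client_ip, client_name) for p in included.split(","))
    if hit and excluded:
        hit = not any(host_matches(p, client_ip, client_name) for p in excluded.split(","))
    return hit


def first_match(rules, service, client_ip, client_name):
    """Option of the first line matching the service and client, '' if the
    line has no option, None if no line matches."""
    for services, hosts, option in rules:
        if (service in services or "ALL" in services) and \
                host_list_matches(hosts, client_ip, client_name):
            return option or ""
    return None


def decide(allow_text, deny_text, service, client_ip, client_name=None):
    """Return ('allow' | 'deny', option). hosts.allow is consulted first and a
    match there ends the search (a 'deny' option turns it into a refusal);
    hosts.deny is consulted next (an 'allow' option turns it into a grant);
    a client that matches neither file is allowed."""
    opt = first_match(parse(allow_text), service, client_ip, client_name)
    if opt is not None:
        return ("deny" if opt == "deny" else "allow", opt)
    opt = first_match(parse(deny_text), service, client_ip, client_name)
    if opt is not None:
        return ("allow" if opt == "allow" else "deny", opt)
    return ("allow", "")
```

With these files, decide(HOSTS_ALLOW, HOSTS_DENY, "sshd", "192.168.17.178") is refused by the deny option in hosts.allow, 192.168.17.20 is allowed with the spawn command as its option, 203.0.113.9 is refused by the EXCEPT line in hosts.deny, and with an empty hosts.deny a client matching nothing is allowed.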

That’s all for this post
