1. Terminology Explanation
Before introducing firewalls, let’s understand a few terms:
Container: a place that holds other things
Table: a container for chains (filter, nat, mangle, raw)
Chain: a container for rules, evaluated in order from top to bottom
Rule (Policy): a match condition plus an action (ACCEPT, DROP, REJECT, ...); when no rule in a chain matches, the chain's default policy decides
These terms nest inside one another like Russian dolls: table > chain > rule.
1.1 The iptables Execution Process
- NetFilter Framework
The lowest layer is the network interface (link) layer. Above it lies the network (IP) layer, where the kernel's Netfilter framework exposes its hook points (PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING).
The filter, nat, mangle and raw tables are registered on those hooks; each holds match conditions and the actions to take. All of this runs inside the kernel, below the TCP/UDP transport layer that hands packets to local processes. The user-space layer is the iptables command, which only edits the rules that the kernel enforces.
- Linux Server as a Dual-NIC Router
A packet arriving on a NIC comes up from the physical and data link layers and first traverses the PREROUTING chain. The kernel then makes a routing decision. If the destination is one of the host's own addresses, the packet traverses the INPUT chain, goes up to TCP/UDP and on to the application. Replies, and anything else the host itself originates, go down through the OUTPUT chain, get a routing decision of their own, and leave through the POSTROUTING chain to the link layer.
If the routing decision finds that the destination is not local, the packet is routed towards the other interface instead: it traverses the FORWARD chain, then the POSTROUTING chain, and exits through the physical and data link layers. This only happens when net.ipv4.ip_forward=1; with forwarding disabled such packets are discarded at the routing decision and never reach the FORWARD chain.
- Tables and Chains
iptables commonly uses 4 tables and 5 built-in chains. The tables are filter, nat, mangle and raw; the chains are INPUT, OUTPUT, FORWARD, PREROUTING and POSTROUTING. Not every table has every chain:
The filter table has the INPUT, OUTPUT and FORWARD chains.
The nat table has the PREROUTING, OUTPUT and POSTROUTING chains (kernels from 2.6.34 on also provide a nat INPUT chain).
The mangle table has all five chains: PREROUTING, INPUT, FORWARD, OUTPUT and POSTROUTING.
The raw table has PREROUTING and OUTPUT; it is consulted before connection tracking, which is what makes exempting traffic from conntrack (NOTRACK) possible.
Where several tables hook the same chain, the kernel consults them in a fixed order: raw, then mangle, then nat (destination NAT), then filter; source NAT in POSTROUTING runs after filter has had its say.
1.2 Filter Table
Handles traffic entering and leaving the host; permits or blocks by port and IP address.
Filter table: the host firewall proper, responsible for filtering inbound and outbound packets. It is the default table when -t is omitted, and it defines three chains. Business context: host firewall.
INPUT: filters packets whose destination is one of the host's own addresses, i.e. packets entering the host.
FORWARD: filters packets that pass through the host on their way somewhere else. It is only reached when IP forwarding is enabled (net.ipv4.ip_forward=1; the default 0 disables it), so it is closely tied to NAT gateways and to LVS NAT mode.
OUTPUT: filters packets whose source address is the host, i.e. packets the host sends out.
1.3 NAT Table
Used on dual-NIC hosts that receive and forward traffic like a router. It provides the NAT functions: internet sharing (internal network to the public Internet), port mapping and IP mapping.
NAT table: performs network address translation, i.e. rewriting of source and destination IP addresses and ports. It is not about protecting the host itself; it is generally used for LAN internet sharing or special port-forwarding services. Business context: 1. enterprise routing (zebra) or gateway (iptables) internet sharing (POSTROUTING). 2. one-to-one mapping of internal and external IP addresses (DMZ): a hardware firewall maps a public IP to an internal server, e.g. for an FTP service (PREROUTING). 3. single-port mapping for web services, mapping straight to port 80 (PREROUTING). The table defines three chains. NAT here is comparable to ACL control on a network switch.
OUTPUT: applies to packets generated by the host itself; alters the destination address of locally generated packets.
PREROUTING: rules run before the routing decision, as a packet arrives at the firewall; they alter the destination address and port (DNAT), e.g. mapping a public IP to a server inside the LAN: public port 80 can be translated to port 9000 on a LAN server, or port 9000 -> nat -> 10.0.0.7:22.
POSTROUTING: rules run after the routing decision, as a packet leaves the firewall; they alter the source address and port (SNAT, MASQUERADE). Rewriting the source to the gateway's own address is what makes replies come back to the gateway, where connection tracking maps them to the original sender; e.g. laptops and VMs use private LAN addresses, which are rewritten to the public address on the way out.
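The packet path from 1.1 (PREROUTING, routing decision, INPUT or FORWARD, POSTROUTING) together with the DNAT and MASQUERADE behaviour of the nat table, as an added Python model. This is illustration code written for this edit, not code from the original article or from the netfilter project: the Gateway class, its method names, the 203.0.113.0/24 and 198.51.100.0/24 documentation addresses and the 10.0.0.0/24 LAN are all assumptions chosen for the example. It also shows why connection tracking is what brings replies back to the original sender, and that a DNAT is useless while the filter table's FORWARD chain still rejects everything.

```python
"""Model of the packet path through a dual-NIC Linux gateway (PREROUTING ->
routing decision -> INPUT or FORWARD -> POSTROUTING) with DNAT, MASQUERADE and
the connection tracking that reverses them for replies. Added illustration,
not code from the original article; addresses are from the RFC 5737
documentation ranges and ports are made up."""

import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

Tuple4 = Tuple[str, int, str, int]          # (src, sport, dst, dport)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

    def key(self) -> Tuple4:
        return (self.src, self.sport, self.dst, self.dport)

    def reverse(self) -> "Packet":
        return Packet(self.dst, self.dport, self.src, self.sport)


class Gateway:
    """One public address, one LAN. nat rules plus a conntrack table keyed by
    the connection's first packet as it arrived (before any translation)."""

    def __init__(self, public_ip: str, lan: str, ip_forward: bool = True,
                 forward_accept: bool = True) -> None:
        self.public_ip = public_ip
        self.lan = ipaddress.ip_network(lan)
        self.ip_forward = ip_forward            # net.ipv4.ip_forward
        self.forward_accept = forward_accept    # filter FORWARD: ACCEPT, or the default REJECT
        self.dnat: Dict[Tuple[str, int], Tuple[str, int]] = {}   # (dst, dport) -> (ip, port)
        self.conntrack: Dict[Tuple4, Tuple4] = {}                 # original -> translated
        self._next_port = 40000                 # MASQUERADE source-port allocator

    def add_dnat(self, dport: int, to_ip: str, to_port: int) -> None:
        """Equivalent of: -t nat -A PREROUTING -d <public_ip> -p tcp --dport <dport> -j DNAT --to-destination <to_ip>:<to_port>"""
        self.dnat[(self.public_ip, dport)] = (to_ip, to_port)

    def process(self, pkt: Packet) -> Tuple[Optional[Packet], List[str]]:
        """Return (packet as it leaves the gateway, or None if dropped, chains visited)."""
        trace = ["PREROUTING"]
        # Conntrack first: a reply to a known connection is de-translated and no
        # nat rule is consulted again. That is what makes replies find their way back.
        for original, translated in self.conntrack.items():
            if pkt.key() == Packet(*translated).reverse().key():
                return Packet(*original).reverse(), trace + ["FORWARD", "POSTROUTING"]
        out = pkt
        target = self.dnat.get((pkt.dst, pkt.dport))   # nat PREROUTING: DNAT before routing
        if target:
            out = replace(out, dst=target[0], dport=target[1])
        if out.dst == self.public_ip:                  # routing decision: local delivery
            return out, trace + ["INPUT"]
        if not self.ip_forward:                        # ip_forward=0: discarded at routing
            return None, trace
        trace.append("FORWARD")
        if not self.forward_accept:                    # e.g. -A FORWARD -j REJECT
            return None, trace
        trace.append("POSTROUTING")
        if ipaddress.ip_address(out.src) in self.lan:  # nat POSTROUTING: MASQUERADE LAN sources
            out = replace(out, src=self.public_ip, sport=self._next_port)
            self._next_port += 1
        self.conntrack[pkt.key()] = out.key()
        return out, trace


if __name__ == "__main__":
    gw = Gateway("203.0.113.10", "10.0.0.0/24")
    gw.add_dnat(80, "10.0.0.7", 9000)             # public :80 -> LAN web server :9000
    for p in (Packet("198.51.100.5", 51000, "203.0.113.10", 80),   # inbound, DNAT
              Packet("10.0.0.7", 9000, "198.51.100.5", 51000),     # server's reply
              Packet("10.0.0.50", 5555, "198.51.100.9", 443),      # LAN client going out
              Packet("198.51.100.9", 443, "203.0.113.10", 40000)):  # reply to it
        print(p, "->", gw.process(p))
```

The three Gateway flags map to the three things a practitioner has to get right for a port forward on CentOS 7: the DNAT rule, net.ipv4.ip_forward=1, and an ACCEPT in the filter table's FORWARD chain, which the default rule set rejects.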
1.4 Mangle Table
Modifies packet header fields rather than filtering: it can rewrite TOS/DSCP and TTL and set the kernel firewall mark (MARK) that policy routing and traffic control act on. It has all five chains.
2. Installing iptables
[root@~]# yum install -y iptables-services
2.1 View iptables Service Configuration File
[root@env-test ~]#rpm -qi iptables
Name : iptables
Version : 1.4.21
Release : 35.el7
Architecture: x86_64
Install Date: Sat 01 Jul 2023 11:17:52 AM CST
Group : System Environment/Base
Size : 1556976
License : GPLv2
Signature : RSA/SHA256, Thu 15 Oct 2020 02:51:02 AM CST, Key ID 24c6a8a7f4a80eb5
Source RPM : iptables-1.4.21-35.el7.src.rpm
Build Date : Fri 02 Oct 2020 12:52:54 AM CST
Build Host : x86-01.bsys.centos.org
Relocations : (not relocatable)
Packager : CentOS BuildSystem <http://bugs.centos.org>
Vendor : CentOS
URL : http://www.netfilter.org/
Summary : Tools for managing Linux kernel packet filtering capabilities
Description :
The iptables utility controls the network packet filtering code in the
Linux kernel. If you need to set up firewalls and/or IP masquerading,
you should install this package.
[root@zabbix-test ~]#rpm -ql iptables-services
/etc/sysconfig/ip6tables
/etc/sysconfig/iptables #Saved rule set in iptables-save format; iptables.service loads it at start-up
/usr/lib/systemd/system/ip6tables.service #systemd unit files for the firewall services
/usr/lib/systemd/system/iptables.service
/usr/libexec/initscripts/legacy-actions/ip6tables
/usr/libexec/initscripts/legacy-actions/ip6tables/panic
/usr/libexec/initscripts/legacy-actions/ip6tables/save
/usr/libexec/initscripts/legacy-actions/iptables
/usr/libexec/initscripts/legacy-actions/iptables/panic
/usr/libexec/initscripts/legacy-actions/iptables/save
/usr/libexec/iptables
/usr/libexec/iptables/ip6tables.init
/usr/libexec/iptables/iptables.init
2.2 Load the Kernel Modules
[root@~]# modprobe ip_tables          # core iptables module
[root@~]# modprobe iptable_filter     # filter table
[root@~]# modprobe iptable_nat        # nat table
[root@~]# modprobe ip_conntrack       # connection tracking (older name; current kernels use nf_conntrack)
[root@~]# modprobe ip_conntrack_ftp   # FTP helper for conntrack (older name for nf_conntrack_ftp)
[root@~]# modprobe ip_nat_ftp         # FTP helper for NAT (older name for nf_nat_ftp)
[root@~]# modprobe ipt_state          # -m state match (older name for xt_state)
The ip_*/ipt_* names are the old module names; current kernels keep them as aliases for the nf_*/xt_* modules that lsmod shows in 2.4. The iptables command loads the modules a rule needs on demand, so the explicit modprobe matters mainly for the FTP helpers, which no rule loads by itself.
2.3 Persist the Module Loading Across Reboots
Append the same modprobe lines to /etc/rc.local so they run at boot (the heredoc body below is the list from 2.2). On CentOS 7 the script only runs if it is executable:
cat >>/etc/rc.local <<'EOF'
modprobe ip_tables
modprobe iptable_filter
modprobe iptable_nat
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe ipt_state
EOF
chmod +x /etc/rc.d/rc.local
2.4 List the Loaded Kernel Modules Related to the Tables
lsmod lists all kernel modules currently loaded in the system; filter it for the iptables, NAT and conntrack modules:
[root@zabbix-test ~]#lsmod | grep -E 'filter|nat|itp'
nf_nat_ftp 12809 0
nf_conntrack_ftp 18478 1 nf_nat_ftp
iptable_nat 12875 0
nf_nat_ipv4 14115 1 iptable_nat
nf_nat 26583 2 nf_nat_ftp,nf_nat_ipv4
nf_conntrack 143360 6 nf_nat_ftp,nf_nat,xt_state,nf_nat_ipv4,nf_conntrack_ftp,nf_conntrack_ipv4
iptable_filter 12810 0
ip_tables 27126 2 iptable_filter,iptable_nat
br_netfilter 22256 0
bridge 155432 1 br_netfilter
libcrc32c 12644 3 xfs,nf_nat,nf_conntrack
2.5 Disable firewalld, Enable iptables, and Set It to Start on Boot
Before switching, check that /etc/sysconfig/iptables allows your own management traffic (the default file shipped with iptables-services accepts new TCP 22 connections); starting iptables.service on a remote host with a rule set that lacks such a rule locks you out.
systemctl stop firewalld && systemctl disable firewalld
systemctl start iptables.service && systemctl enable iptables.service
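A static check to run before those two systemctl lines. This is added Python written for this edit, not code from the original article or from the iptables project: it parses the iptables-save format that /etc/sysconfig/iptables uses and walks the INPUT chain the way the kernel would for a NEW TCP connection to the SSH port from an arbitrary remote address. The embedded rule set is constructed to mirror the default file that iptables-services ships; the function names are assumptions, and negated matches (!) and jumps into user-defined chains are not modelled.

```python
"""Lockout check for an iptables-save style rule file such as
/etc/sysconfig/iptables. Added illustration, not code from the original
article. It answers one question before `systemctl start iptables`: will a
NEW TCP connection to the SSH port from any remote address still be accepted?
Negated matches (!) and jumps to user-defined chains are not modelled."""

import shlex
from typing import List, Optional, Tuple

# Constructed sample in iptables-save format; it mirrors the default file that
# iptables-services ships and the `iptables -nL` listing later in this article.
DEFAULT_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""


def parse_filter_input(text: str) -> Tuple[str, List[List[str]]]:
    """(INPUT policy, tokenised INPUT rules in evaluation order) from *filter."""
    policy, rules, in_filter = "ACCEPT", [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif in_filter and line.startswith(":INPUT "):
            policy = line.split()[1]
        elif in_filter and line.startswith("-A "):
            tokens = shlex.split(line)
            if tokens[1] == "INPUT":
                rules.append(tokens[2:])
    return policy, rules


def _opt(tokens: List[str], name: str) -> Optional[str]:
    """Value following option `name`, or None when the option is absent."""
    return tokens[tokens.index(name) + 1] if name in tokens else None


def _in_port_spec(spec: str, port: int) -> bool:
    """True if `port` is inside a --dport/--dports spec like 22, 21:23 or 21,23,80."""
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def covers_new_tcp(rule: List[str], port: int) -> bool:
    """Could this rule match a NEW TCP packet to `port` from any remote address?
    Every match option must be absent or satisfied by such a packet."""
    if _opt(rule, "-p") not in (None, "tcp", "all"):
        return False
    for name in ("--dport", "--dports"):
        spec = _opt(rule, name)
        if spec is not None and not _in_port_spec(spec, port):
            return False
    if "-s" in rule or _opt(rule, "-i") == "lo":
        return False                      # restricted to one source network or to loopback
    state = _opt(rule, "--state") or _opt(rule, "--ctstate")
    if state is not None and "NEW" not in state.split(","):
        return False                      # e.g. RELATED,ESTABLISHED only
    return True


def ssh_reachable(text: str, port: int = 22) -> Tuple[bool, str]:
    """Walk INPUT top to bottom: first match wins, the policy applies otherwise."""
    policy, rules = parse_filter_input(text)
    for n, rule in enumerate(rules, 1):
        if not covers_new_tcp(rule, port):
            continue
        target = _opt(rule, "-j")
        if target == "ACCEPT":
            return True, f"accepted by INPUT rule {n}"
        if target in ("DROP", "REJECT"):
            return False, f"blocked by INPUT rule {n}: {' '.join(rule)}"
    return policy == "ACCEPT", f"no rule matched; INPUT policy is {policy}"


if __name__ == "__main__":
    ok, why = ssh_reachable(DEFAULT_RULES)
    print(("OK" if ok else "LOCKOUT RISK") + ": " + why)
```

Run it against the real file with `ssh_reachable(open("/etc/sysconfig/iptables").read())`; the two failure shapes it reports are a DROP/REJECT placed above the SSH rule (ordering) and a DROP policy with no matching ACCEPT at all.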
2.6 List All iptables Rules
The listing below is the default rule set from /etc/sysconfig/iptables: accept traffic belonging to existing connections, ICMP, loopback (the third rule is -i lo; -nL does not show interfaces, use -nvL to see them), new SSH connections, and reject everything else.
[root@env-test ~]#iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
2.7 iptables Command Parameters
Defining rules in iptables is relatively complex:
Format: iptables [-t table] COMMAND chain CRITERIA -j ACTION
-t table: filter, nat, mangle or raw; filter is used when -t is omitted
COMMAND: how to manage the rules (append, insert, delete, ...)
chain: the chain the rule goes into; it can be omitted only for commands that act on the whole table, such as -F, -Z and -L
CRITERIA: the match conditions
-j ACTION: what to do with a matching packet
For example, to drop DNS queries (UDP port 53) coming from 172.16.0.0/16:
iptables -t filter -A INPUT -s 172.16.0.0/16 -p udp --dport 53 -j DROP
To reject them explicitly instead, so the sender gets an ICMP error rather than a timeout, replace rule 1 of INPUT:
iptables -t filter -R INPUT 1 -s 172.16.0.0/16 -p udp --dport 53 -j REJECT
iptables -L -n -v #View the rules with packet and byte counters
iptables -t [table] command [chain] [match conditions] [-j action]
iptables -t [table] <-A/-I/-D/-R> chain [rule number] <-i/-o interface> -p protocol <-s source IP/subnet> --sport source-port <-d destination IP/subnet> --dport destination-port -j action
Rule management commands:
-A: Append a rule at the end of the chain
-I [num]: Insert a rule at the given position (position 1, the top, if omitted)
-I INPUT 3: insert as the third rule of INPUT
-R num: Replace the rule at the given position
Format: iptables -R INPUT 3 ...
-D num: Delete the rule at the given position (a rule can also be deleted by repeating its full specification after -D chain)
Chain management commands (these take effect immediately):
-P: Set the chain's default policy, i.e. what happens to packets no rule matched (door closed or open)
The default policy is one of two values:
iptables -P INPUT (DROP|ACCEPT)   Closed / open by default
For example:
iptables -P INPUT DROP sets INPUT to deny by default. If no ACCEPT rules have been added yet, every inbound connection is dropped from that moment, including the Xshell/SSH session you are typing in; add an ACCEPT for your own connection first, or do this from the console.
-F: FLUSH, remove all rules from a chain, or from every chain of the table when no chain is given (the default policy is not reset)
iptables -t nat -F PREROUTING
iptables -t nat -F   Flushes all chains of the nat table
-N: NEW, create a user-defined chain
iptables -N inbound_tcp_web creates an empty chain named inbound_tcp_web in the filter table; it does nothing until a rule in a built-in chain jumps to it with -j inbound_tcp_web.
-X: Delete a user-defined chain; it must be empty and no rule may still jump to it
Usage is the same as -N, but flush the chain (-F) before deleting it.
-E: Rename a user-defined chain
-E oldname newname
-Z: Zero the counters of the rules in a chain (each rule keeps two counters: matched packets and bytes); the rules themselves stay
iptables -Z   Zero the counters in every chain of the table
General matching: source and destination addresses
-s: Match the source address. Use an IP or a network; a hostname is technically accepted but is resolved only once, when the rule is inserted, so stick to addresses
IP | IP/MASK | 0.0.0.0/0.0.0.0 (any address)
A match can be negated by prefixing it with "!" (e.g. ! -s), meaning every address except that one
-d: Match the destination address
-p: Match the protocol (typically tcp, udp or icmp; all matches any protocol)
-i eth0: Packets arriving on this interface
Usable in INPUT, FORWARD and PREROUTING only
-o eth0: Packets leaving via this interface
Usable in OUTPUT, FORWARD and POSTROUTING only
Extended matching
1.1 Implicit extensions: loaded automatically by -p
-p tcp: TCP extension, with three commonly used options
--dport port[:port]: Destination port, either a single port or one contiguous range; non-contiguous ports need -m multiport. For example:
--dport 21, or --dport 21:23 (matches 21, 22 and 23; note the colon, not a hyphen)
--sport: Source port, same syntax
--tcp-flags: TCP flag check (SYN, ACK, FIN, PSH, RST, URG)
It takes two comma-separated lists:
1.2.0 The flags to examine
1.2.1 The flags that must be set among them (the others must be clear)
--tcp-flags SYN,ACK,FIN,RST SYN   is equivalent to --syn
This examines those four flags and requires SYN to be 1 and the other three to be 0, i.e. the first packet of a TCP three-way handshake. Because matching that first packet is so common, --syn exists as shorthand.
-p udp: UDP extension
--dport
--sport
-p icmp: ICMP extension
--icmp-type:
echo-request (ping), type number 8
so --icmp-type 8 matches echo request packets
echo-reply (the ping response), type number 0
1.3 Explicit extensions (-m)
Loaded by name with -m module
-m multiport: enables the multiport extension (requires -p tcp or -p udp)
It accepts options such as --dports 21,23,80 (up to 15 ports; a range such as 22:25 is allowed and counts as two)
Details of -j ACTION
Common ACTIONs:
DROP: Silently discard the packet; the sender gets no response and its connection attempt times out
DROP is the usual choice on Internet-facing hosts because it gives a scanner nothing to work with (a filtered port looks like a dead host), whereas REJECT confirms that a firewall is present.
REJECT: Discard the packet and send an error back (an ICMP unreachable message, or a TCP RST with --reject-with tcp-reset)
ACCEPT: Let the packet through this chain
custom_chain: Jump to a user-defined chain and continue evaluation there
DNAT: Rewrite the destination address/port (nat PREROUTING and OUTPUT)
SNAT: Rewrite the source address/port to a fixed address (nat POSTROUTING)
MASQUERADE: Source NAT to the outgoing interface's current address, for dynamically assigned public IPs
REDIRECT: Destination NAT to a port on the firewall itself, mainly for port redirection (transparent proxies)
MARK: Set the firewall mark (fwmark) on the packet, for policy routing or traffic control (mangle table)
RETURN: Stop traversing the current chain and continue in the calling chain
In a user-defined chain, RETURN goes back to the rule after the one that jumped in (the end of a user-defined chain returns implicitly); in a built-in chain, RETURN means the chain's default policy applies.
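The rule and chain management commands from 2.7 (-A, -I, -R, -D, -P, -F, -N, -X, -Z) and the ACTION semantics above, as an added Python simulator of how a chain is evaluated. This is illustration code written for this edit, not code from the original article or from the iptables project: the Table and Rule classes and their method names are assumptions, packets are plain dicts, and RELATED,ESTABLISHED is simplified to a single state value. It reproduces the INPUT chain from the article's own listing and then shows why -I and -A put the same rule in very different places, how a user-defined chain hands control back with RETURN, and what the policy does when nothing matched.

```python
"""Simulator of how iptables evaluates a chain: rules are an ordered list,
the first matching rule decides, -A/-I/-R/-D edit that order, -P sets what
happens when nothing matches, and a jump into a user-defined chain comes back
with RETURN. Added illustration, not code from the original article; packets
are plain dicts and a rule's match is a dict of keys that must be equal."""

from typing import Dict, List, Optional

Packet = Dict[str, object]   # e.g. {"proto": "tcp", "dport": 22, "state": "NEW", "src": "198.51.100.5"}
Match = Dict[str, object]    # e.g. {"proto": "tcp", "dport": 22}; {} matches everything


class Rule:
    def __init__(self, match: Match, target: str) -> None:
        self.match, self.target = match, target
        self.packets = 0         # the per-rule counter that -Z resets

    def matches(self, pkt: Packet) -> bool:
        return all(pkt.get(k) == v for k, v in self.match.items())


class Table:
    """One table (think filter) with its built-in chains and any user-defined ones."""

    BUILTIN = ("INPUT", "FORWARD", "OUTPUT")
    TERMINAL = ("ACCEPT", "DROP", "REJECT")

    def __init__(self) -> None:
        self.chains: Dict[str, List[Rule]] = {c: [] for c in self.BUILTIN}
        self.policy: Dict[str, str] = {c: "ACCEPT" for c in self.BUILTIN}

    # rule management: -A, -I [num], -R num, -D num (num is 1-based, as in iptables)
    def append(self, chain: str, match: Match, target: str) -> None:
        self.chains[chain].append(Rule(match, target))

    def insert(self, chain: str, match: Match, target: str, num: int = 1) -> None:
        self.chains[chain].insert(num - 1, Rule(match, target))

    def replace(self, chain: str, num: int, match: Match, target: str) -> None:
        self.chains[chain][num - 1] = Rule(match, target)

    def delete(self, chain: str, num: int) -> None:
        del self.chains[chain][num - 1]

    # chain management: -P, -F, -N, -X, -Z
    def set_policy(self, chain: str, policy: str) -> None:
        if chain not in self.BUILTIN:
            raise ValueError("-P only applies to built-in chains")
        self.policy[chain] = policy

    def flush(self, chain: Optional[str] = None) -> None:
        for name in ([chain] if chain else list(self.chains)):
            self.chains[name].clear()       # the rules go, the policy stays

    def new_chain(self, name: str) -> None:
        self.chains[name] = []

    def delete_chain(self, name: str) -> None:
        if self.chains[name]:
            raise ValueError(f"{name} is not empty; flush it first")
        del self.chains[name]

    def zero(self) -> None:
        for rules in self.chains.values():
            for rule in rules:
                rule.packets = 0

    # traversal
    def verdict(self, chain: str, pkt: Packet) -> str:
        """Verdict for a packet entering a built-in chain."""
        result = self._walk(chain, pkt)
        return self.policy[chain] if result == "RETURN" else result

    def _walk(self, chain: str, pkt: Packet) -> str:
        for rule in self.chains[chain]:
            if not rule.matches(pkt):
                continue
            rule.packets += 1
            if rule.target in self.TERMINAL or rule.target == "RETURN":
                return rule.target
            sub = self._walk(rule.target, pkt)      # -j <user-defined chain>
            if sub != "RETURN":
                return sub                          # the sub-chain decided
            # RETURN (explicit, or end of the sub-chain): carry on with the next rule here
        return "RETURN"                             # end of chain: caller's next rule, or policy


def build_default_input() -> Table:
    """The INPUT chain from this article's `iptables -nL` listing."""
    t = Table()
    t.append("INPUT", {"state": "ESTABLISHED"}, "ACCEPT")
    t.append("INPUT", {"proto": "icmp"}, "ACCEPT")
    t.append("INPUT", {"in": "lo"}, "ACCEPT")
    t.append("INPUT", {"proto": "tcp", "state": "NEW", "dport": 22}, "ACCEPT")
    t.append("INPUT", {}, "REJECT")
    return t


if __name__ == "__main__":
    t = build_default_input()
    ssh = {"proto": "tcp", "dport": 22, "state": "NEW", "src": "198.51.100.5"}
    print("ssh:", t.verdict("INPUT", ssh), " http:", t.verdict("INPUT", dict(ssh, dport=80)))
    t.insert("INPUT", {"src": "198.51.100.5"}, "DROP")   # -I INPUT 1: now above the SSH ACCEPT
    print("ssh after -I:", t.verdict("INPUT", ssh))
```

The same source-based DROP added with -A lands below the catch-all REJECT and never matches anything, which is the ordering mistake the -I/-A distinction is about.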