IMCAFS

 Home

build kernel level firewall

Posted by fierce at 2020-02-27
all

Iptables is an IP packet filtering mechanism firewall integrated with Linux kernel. Because of open source, iptables can replace expensive commercial firewall solutions to complete packet filtering, redirection, network address and port conversion and other functions.

Through iptables, we can customize the rules of the packet filter table of the kernel. According to the rules, the kernel can match the source address, target address, protocol and service of the packet, and then accept, reject and drop the packet. When matching packets, check them one by one according to the rule table order. When matching the matching rules, directly execute the rule processing method. If there is no matching rule, process the packets according to the default policy.  

Iptables packet filtering process:

Command syntax:

iptables [-t table] command [NO.] [match] [-j target]

Iptables parameter table: (network map)

 

Common iptables command parameters:

Table: the default is filter table. You can also specify NAT and mangle tables.

Command:

-A: Add a rule at the end of the chain.

-D: Specifies that the chain deletes the number sequence.

-P: Configure chain default rules.

-F: Clear all rules in the chain.

-50: Lists all rules in the chain.

Match: specify protocol, source address, target address, etc.

-p: Specify ICMP, TCP, UDP and other protocols.

-s: Specify the source address.

-d: Specify the destination address.

Target: Specifies the processing method for the hit data table.

Accept: allow packets to pass

Drop: drop the packet directly

Reject: reject and return error message

Details of configuration file iptables config parameters:

IPTABLES_MODULES=""

-------------When the firewall is activated, a set of space independent additional iptables modules are specified to load. This can include connection tracking and NAT helper

IPTABLES_MODULES_UNLOAD="yes"

-------------Modules uninstalled on restart and stop. Yes - (default) this option must be set to achieve the correct state when starting and stopping a firewall. No - this option should only be set if there is a problem uninstalling the Netfilter module.

IPTABLES_SAVE_ON_STOP="no"

-------------When the firewall stops, save the current firewall rules.

Yes: when the firewall stops, save the existing rules to / etc / sysconfig / iptables. The old version is saved as / etc / sysconfig / iptables.save.

No: (default) does not save the current rule when the firewall stops.

IPTABLES_SAVE_ON_RESTART="no"

-------------When the firewall restarts, save the current firewall rules.

Yes: when the firewall is restarted, save the existing rules to / etc / sysconfig / iptables. The old version is saved as / etc / sysconfig / iptables.save.

No: (default) existing rules are not saved when the firewall is restarted.

IPTABLES_SAVE_COUNTER="no"

-------- save and recover all packets and byte counters in chain and rules.

Yes: save the value of the counter.

No: (default) the counter value is not saved.

IPTABLES_STATUS_NUMERIC="yes"

------ the output IP address is in the form of number, not domain name and host name.

Yes: (default) only IP address is included in the status output.

No: returns the domain name or host name in the status output.

IPTABLES_STATUS_VERBOSE="no"

-------- whether to include input and output devices when outputting iptables status.

Yes: is

No: no

IPTABLES_STATUS_LINENUMBERS="yes"

-------- whether to output the number of matches for each rule at the same time when outputting iptables status.

Yes: is

No: No.

Firewall configuration instance (take port 22 of SSH as an example):

Show existing rules:

iptables –L -n

Empty existing rule table:

Iptables -F

Blacklist: allow all packets to pass first, and then add blacklist rules one by one.

iptables –A INPUT–p tcp --dport 22 –j ACCEPT

Whitelist: first add the rule of whitelist one by one, and then forbid all packets to pass.

iptables –A INPUT–p tcp --dport 22 –j DROP

Add rule details: add trusted sources to the end of the rule table

iptables –A INPUT–s 192.168.100.1 –p tcp --dport 22 –j ACCEPT

iptables –A INPUT–s 192.168.200.1 –p tcp --dport 22 –j DROP

Insert rule: Specifies the rule adding location, which is added to the beginning of the rule table by default

iptables –I INPUT–s 192.168.100.1 –p tcp --dport 22 –j ACCEPT

iptables –I INPUT2 –s 192.168.100.1 –p tcp --dport 22 –j ACCEPT

Delete rule: delete the specified rule:

iptables –D INPUT3

Modify rule: modify the rule of the specified line, and change the rule of the third line of input to the drop processing method

iptables –R INPUT3 –j DROP

Modify the default rule:

iptables –P INPUTDROP

Specify the physical interface:

iptables -A INPUT -i eth0 –j DROP

Jing Ping:

iptables –A INPUT-p icmp --icmp-type 8 –j DROP

Operation failure cases:

1. Apply iptables firewall rules: badargument ` commit '

  Error occurred at line: 25

  Try `iptables-restore -h' or 'iptables-restore--help' for more information.  

------ the last line of the iptables configuration file must have the end of commit. It can't be commented out.  

2. If iptables save reports an error

  iptables:saving firewall rules to/etc/sysconfig/iptables: /etc/init.d/iptables: line 268: restorecon:command notfound

The policycoreutils package needs to be installed.

  3.  Setting chains to policy ACCEPT : raw nat mangle filter[FAILED]

------ the kernel version needs to be modified, such as: latest 2.6 paravirt to latest 2.6 stable (2.6.18.8-linode 22)

  4.  iptables v1.3.8: Couldn't load target`ACCET':/lib/iptables

  /libipt_ACCET.so: cannot open shared object file: No suchfile or directory

------- compile the kernel to enable IPtable

  5.  iptables: No chain/target/match by that name

------ iptables is missing a module and needs to be recompiled.

© 2023