提供了编程的基础技术教程

zl程序教程

您现在的位置是:首页 >  系统

当前栏目

linux-iptable防火墙- 基本认识

Linux防火墙 基本 认识 iptable
2023-06-13 09:15:42 时间
2.1 Netfilter

Linux防火墙是由Netfilter组件提供的,Netfilter工作在内核空间,集成在linux内核中

Netfilter 是Linux2.4.x之后新一代的Linux防火墙机制,是linux内核的一个子系统。Netfilter采用模块化设计,具有良好的可扩充性,提供扩展各种网络服务的结构化底层框架。Netfilter与IP协议栈是无缝契合,并允许对数据报进行过滤、地址转换、处理等操作

Netfilter官网文档:https://netfilter.org/documentation/

2.2 防火墙工具介绍 2.2.1 iptables

由软件包iptables提供的命令行工具,工作在用户空间,用来编写规则,写好的规则被送往netfilter,告诉内核如何去处理信息包

[root@centos8 ~]#rpm -qi iptables

Name       : iptables

Version     : 1.8.2

Release     : 9.el8

Architecture: x86_64

Install Date: Wed 25 Sep 2019 09:29:06 PM CST

Group       : Unspecified

Size       : 2050086

License     : GPLv2 and Artistic 2.0 and ISC

Signature   : RSA/SHA256, Tue 02 Jul 2019 06:50:00 AM CST, Key ID 05b555b38483c65d

Source RPM : iptables-1.8.2-9.el8.src.rpm

Build Date : Sat 11 May 2019 10:21:57 PM CST

Build Host : x86-01.mbox.centos.org

Relocations : (not relocatable)

Packager   : CentOS Buildsys bugs@centos.org 

Vendor     : CentOS

URL         : http://www.netfilter.org/

Summary     : Tools for managing Linux kernel packet filtering capabilities

Description :

The iptables utility controls the network packet filtering code in the

Linux kernel. If you need to set up firewalls and/or IP masquerading,

you should either install nftables or this package.

Note: This package contains the nftables-based variants of iptables and

ip6tables, which are drop-in replacements of the legacy tools.

[root@centos8 ~]# iptables --version

iptables v1.8.2 (nf_tables)

[root@centos8 ~]#ll /usr/sbin/iptables

lrwxrwxrwx. 1 root root 17 May 11 2019 /usr/sbin/iptables - xtables-nft-multi

[root@centos7 ~]#ll /usr/sbin/iptables

lrwxrwxrwx. 1 root root 13 Dec 9 2018 /usr/sbin/iptables - xtables-multi

[root@centos7 ~]# iptables --version

iptables v1.4.21

[root@centos6 ~]#iptables --version

iptables v1.4.7

[root@centos6 ~]#ll /sbin/iptables

lrwxrwxrwx. 1 root root 33 Dec 12 2018 /sbin/iptables - /etc/alternatives/iptables.x86_64

[root@centos6 ~]#ll /etc/alternatives/iptables.x86_64

lrwxrwxrwx. 1 root root 20 Dec 12 2018 /etc/alternatives/iptables.x86_64 - /sbin/iptables-1.4.7

[root@centos6 ~]#ll /sbin/iptables

lrwxrwxrwx. 1 root root 33 Dec 12 2018 /sbin/iptables - /etc/alternatives/iptables.x86_64

范例:安装iptables的service包

[root@centos8 ~]#dnf -y install iptables-services

[root@centos8 ~]#rpm -ql iptables-services

/etc/sysconfig/ip6tables

/etc/sysconfig/iptables

/usr/lib/systemd/system/ip6tables.service

/usr/lib/systemd/system/iptables.service

/usr/libexec/initscripts/legacy-actions/ip6tables

/usr/libexec/initscripts/legacy-actions/ip6tables/panic

/usr/libexec/initscripts/legacy-actions/ip6tables/save

/usr/libexec/initscripts/legacy-actions/iptables

/usr/libexec/initscripts/legacy-actions/iptables/panic

/usr/libexec/initscripts/legacy-actions/iptables/save

/usr/libexec/iptables

/usr/libexec/iptables/ip6tables.init

/usr/libexec/iptables/iptables.init
2.2.2 firewalld

从CentOS 7 版开始引入了新的前端管理工具

软件包:


2.2.3 nftables

此软件是CentOS 8 新特性,Nftables最初在法国巴黎的Netfilter Workshop 2008上发表,然后由长期的netfilter核心团队成员和项目负责人Patrick McHardy于2009年3月发布。它在2013年末合并到Linux内核中,自2014年以来已在内核3.13中可用。

它重用了netfilter框架的许多部分,例如连接跟踪和NAT功能。它还保留了命名法和基本iptables设计的几个部分,例如表,链和规则。就像iptables一样,表充当链的容器,并且链包含单独的规则,这些规则可以执行操作,例如丢弃数据包,移至下一个规则或跳至新链。

从用户的角度来看,nftables添加了一个名为nft的新工具,该工具替代了iptables,arptables和ebtables中的所有其他工具。从体系结构的角度来看,它还替换了内核中处理数据包过滤规则集运行时评估的那些部分。

范例:查看软件包

[root@centos8 ~]#rpm -qi nftables

Name       : nftables

Epoch       : 1

Version     : 0.9.0

Release     : 8.el8

Architecture: x86_64

Install Date: Wed 25 Sep 2019 09:29:06 PM CST

Group       : Unspecified

Size       : 758622

License     : GPLv2

Signature   : RSA/SHA256, Tue 02 Jul 2019 08:19:09 AM CST, Key ID 05b555b38483c65d

Source RPM : nftables-0.9.0-8.el8.src.rpm

Build Date : Sat 11 May 2019 11:06:46 PM CST

Build Host : x86-01.mbox.centos.org

Relocations : (not relocatable)

Packager   : CentOS Buildsys bugs@centos.org 

Vendor     : CentOS

URL         : http://netfilter.org/projects/nftables/

Summary     : Netfilter Tables userspace utillites

Description :

Netfilter Tables userspace utilities.

范例:CentOS 8 支持三种防火墙工具

[root@centos8 ~]#systemctl status iptables.service 

● iptables.service - IPv4 firewall with iptables

   Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled; vendor preset: disabled)

   Active: inactive (dead)

[root@centos8 ~]#systemctl status firewalld.service 

● firewalld.service - firewalld - dynamic firewall daemon

   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)

   Active: inactive (dead)

     Docs: man:firewalld(1)

[root@centos8 ~]#systemctl status nftables.service 

● nftables.service - Netfilter Tables

   Loaded: loaded (/usr/lib/systemd/system/nftables.service; disabled; vendor preset: disabled)

   Active: inactive (dead)

     Docs: man:nft(8)
2.3 netfilter 中五个勾子函数和报文流向

Netfilter在内核中选取五个位置放了五个hook(勾子) function(INPUT、OUTPUT、FORWARD、PREROUTING、POSTROUTING),而这五个hook function向用户开放,用户可以通过一个命令工具(iptables)向其写入规则 由信息过滤表(table)组成,包含控制IP包处理的规则集(rules),规则被分组放在链(chain)上

image-20191112223543391

提示:从 Linux kernel 4.2 版以后,Netfilter 在prerouting 前加了一个 ingress 勾子函数。可以使用这个新的入口挂钩来过滤来自第2层的流量,这个新挂钩比预路由要早,基本上是 tc 命令(流量控制工具)的替代品

三种报文流向


iptables由五个表table和五个链chain以及一些规则组成

五个表table:filter、nat、mangle、raw、security

filter表:过滤规则表,根据预定义的规则过滤符合条件的数据包 nat表:network address translation 地址转换规则表 mangle:修改数据标记位规则表 raw:关闭启用的连接跟踪机制,加快封包穿越防火墙速度 security:用于强制访问控制(MAC)网络规则,由Linux安全模块(如SELinux)实现

优先级由高到低的顺序为:

security -- raw-- mangle-- nat-- filter

五个内置链chain:

INPUT,OUTPUT,FORWARD,PREROUTING,POSTROUTING

链 chain:


自定义链:用于对内置链进行扩展或补充,可实现更灵活的规则组织管理机制;只有Hook钩子调用自定义链时,才生效


当一个数据包进入网卡时,数据包首先进入PREROUTING链,内核根据数据包目的IP判断是否需要转送出去


如果数据包是进入本机的,数据包就会沿着图向下移动,到达INPUT链。数据包到达INPUT链后,任何进程都会收到它。本机上运行的程序可以发送数据包,这些数据包经过OUTPUT链,然后到达POSTROUTING链输出


如果数据包是要转发出去的,且内核允许转发,数据包就会向右移动,经过FORWARD链,然后到达POSTROUTING链输出


root@centos8 ~]#iptables -vnL -t filter

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)

 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)

 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)

 pkts bytes target     prot opt in     out     source               destination         

      

[root@centos8 ~]#iptables -vnL -t nat

Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)

 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)

 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)

 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)

 pkts bytes target     prot opt in     out     source               destination    

[root@centos8 ~]#iptables -vnL -t mangle

Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)

 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)

 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)

 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)

 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)

 pkts bytes target     prot opt in     out     source               destination    

[root@centos8 ~]#iptables -vnL -t raw

Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)

 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)

 pkts bytes target     prot opt in     out     source               destination   

[root@centos8 ~]#iptables -vnL -t security

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)

 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)

 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)

 pkts bytes target     prot opt in     out     source               destination         

[root@centos8 ~]#

#CentOS 6 nat表不支持INPUT链

[root@centos6 ~]#iptables -vnL -t nat

Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)

 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)

 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)

 pkts bytes target     prot opt in     out     source               destination
2.5 netfilter 完整流程

iptables

本文链接:http://www.yunweipai.com/34204.html

原创文章,作者:ItWorker,如若转载,请注明出处:https://blog.ytso.com/52544.html

centosiptableslinux

相关文章