Two ways to enable firewall in Linux service

There are two ways:

1. Service method

Check the firewall status:

[root@centos6 ~]# service iptables status

iptables: No firewall running.

Enable the firewall:

[root@centos6 ~]# service iptables start

Turn off the firewall:

[root@centos6 ~]# service iptables stop

2. iptables method

First change into the init.d directory:

[root@centos6 ~]# cd /etc/init.d/

[root@centos6 init.d]#

Then

Check the firewall status:

[root@centos6 init.d]# /etc/init.d/iptables status

Temporarily disable the firewall:

[root@centos6 init.d]# /etc/init.d/iptables stop

Restart iptables:

[root@centos6 init.d]# /etc/init.d/iptables restart

Now let's look at the basics of the Linux firewall.

1. Classification of Firewalls

(I) Packet filtering firewall

Packet filtering selects data packets at the network layer. The selection is based on filtering logic configured in the system, called an access control list (ACL). By checking each packet's source address, destination address, port numbers and protocol state, or a combination of these, the firewall decides whether the packet is allowed to pass.
The advantages of a packet filtering firewall are that it is transparent to users, fast and easy to maintain. The disadvantages are: once illegal access gets past the firewall, it can attack software and configuration vulnerabilities on the host; and the source address, destination address and IP port number all sit in the packet header and can easily be forged. "IP address spoofing" is a common attack method used by hackers against this type of firewall.

(II) Proxy service firewall

A proxy service is also called a link-level gateway or TCP channel. It is a firewall technology introduced to address the shortcomings of packet filtering and application gateway technologies. Its characteristic is that it splits every network communication link that crosses the firewall into two sections. When the proxy server receives a user's request to access a site, it checks whether the request complies with the control rules. If the rules allow the user to access the site, the proxy server retrieves the required information from that site on behalf of the user and then forwards it to the user. Access by internal and external network users is achieved through this "link" on the proxy server, which isolates the computer systems inside and outside the firewall.
In addition, the proxy service analyzes and logs the packets that pass through it and generates reports. When signs of an attack are found, it warns the network administrator and keeps a record of the attack to help with evidence collection and network maintenance.

2. How Firewalls Work

(I) Working principle of packet filtering firewall

Packet filtering is implemented at the IP layer, so it can be done with routers alone. Packet filtering decides whether to let a packet through based on header information: the packet's source IP address, destination IP address, source port, destination port and direction of transmission, filtering on user-defined content such as IP addresses. The system inspects packets at the network layer, independently of the application layer. Packet filters are widely used because the CPU time spent on packet filtering is negligible. Moreover, this protection measure is transparent to users: legitimate users cannot feel its existence when entering and leaving the network, so it is very convenient to use. The system therefore has good transmission performance and is easy to expand.
However, such firewalls are not very secure, because the system is unaware of application layer information - that is, it does not understand the content of communications and cannot filter at the user level; it cannot identify different users or prevent address spoofing. If an attacker sets the IP address of his own host to that of a legitimate host, he can easily pass through the packet filter, which makes it easier for hackers to break through. Based on this working mechanism, packet filtering firewalls have the following defects:
1. Communication information: Packet filtering firewalls can only access the header information of some data packets.
2. Communication and application status information: Packet filtering firewall is stateless, so it is impossible to save status information from communications and applications.
3. Information processing: The ability of packet filtering firewalls to process information is limited.

(II) Working Principle of Proxy Service Firewall

Proxy service firewall implements firewall functions at the application layer. It can provide some transmission-related status, can provide application-related status and some transmission information, and can also process and manage information.

3. Using iptables to implement packet filtering firewall

(I) Overview and Principles of iptables

Since kernel 2.4, a new kernel packet filtering management tool, iptables, has been used. This tool makes it easier for users to understand its working principles, is easier to use, and has more powerful functions.

Iptables is just a tool for managing kernel packet filtering. It can add, insert or delete rules in the core packet filtering table (chain). In fact, it is netfilter (a common architecture in the Linux kernel) and its related modules (such as iptables module and nat module) that actually execute these filtering rules.
Netfilter is a common architecture in the Linux kernel. It provides a series of "tables", each of which consists of several "chains", and each chain can consist of one or more rules. It can be understood that netfilter is a container for tables, tables are containers for chains, and chains are containers for rules.
The system default table is "filter", which contains three chains: INPUT, FORWARD and OUTPUT. Each chain can have one or more rules, and each rule is defined as follows: "If the packet header meets this condition, process the packet in this way." When a data packet arrives at a chain, the system will start checking from the first rule to see if it meets the conditions defined by the rule. If it does, the system will process the data packet according to the method defined by the rule; if it does not, it will continue to check the next rule; finally, if the data packet does not meet any rule in the chain, the system will process the data packet according to the pre-defined policy of the chain.

(II) The process of iptables transmitting data packets

When a data packet enters the system, the system first decides which chain to send the data packet to based on the routing table. There may be three situations:

1. If the destination address of the data packet is the local machine, the system will send the data packet to the INPUT chain. If it passes the rule check, the packet will be sent to the corresponding local process for processing; if it does not pass the rule check, the system will discard the packet.

2. If the destination address of the data packet is not the local machine, that is, the packet is to be forwarded, the system will send the data packet to the FORWARD chain. If it passes the rule check, the packet will be sent to the corresponding local process for processing; if it does not pass the rule check, the system will discard the packet.

3. If the data packet is generated by the local system process, the system will send it to the OUTPUT chain. If it passes the rule check, the packet will be sent to the corresponding local process for processing; if it does not pass the rule check, the system will discard the packet.

Users can define rules for each chain. When a data packet reaches each chain, iptables will process the packet according to the rules defined in the chain. iptables compares the packet's header information to each rule in the chain it is passed to, to see if it matches each rule exactly. If a packet matches a rule, iptables performs the action specified by the rule on the packet. For example, if a rule in a chain decides to DROP a packet, the packet will be dropped at that chain; if a rule in the chain accepts the packet, the packet can continue to move forward; however, if the packet does not match this rule, it will be compared with the next rule in the chain. If the packet does not match any of the rules in the chain, iptables will decide how to handle the packet based on the default policy pre-defined for the chain. The ideal default policy should tell iptables to discard (DROP) the packet.

(III) Advantages of iptables

The biggest advantage of netfilter/iptables is that it can configure a stateful firewall, which is an important function that previous tools such as ipfwadm and ipchains cannot provide. A stateful firewall is able to specify and remember the state of the connections established to send or receive packets. The firewall can obtain this information from the connection tracking state of the packet. This state information used by the firewall increases its efficiency and speed when making decisions about new packets to filter. There are 4 valid states named ESTABLISHED, INVALID, NEW and RELATED.

The state ESTABLISHED indicates that the packet belongs to an established connection, which has been used to send and receive packets and is fully functional. The INVALID state indicates that the packet is not associated with any known stream or connection and may contain erroneous data or headers. The state NEW indicates that the packet has or will start a new connection, or that it is associated with a connection that has not yet been used to send and receive packets. Finally, RELATED indicates that the packet is starting a new connection and that it is associated with an already established connection.

Another important advantage of netfilter/iptables is that it gives the user complete control over firewall configuration and packet filtering. You can write your own rules to meet specific needs, allowing only the desired network traffic into the system.

(IV) Basic knowledge of iptables

1. Rule

A rule is a condition preset by a network administrator. A rule is generally defined as "if the packet header meets such conditions, process the packet in this way." The rules are stored in the packet filter table in the kernel space. These rules specify the source address, destination address, transport protocol (TCP, UDP, ICMP) and service type (such as HTTP, FTP, SMTP). When data packets match the rules, iptables processes them according to the methods defined by the rules, such as allowing (ACCEPT), rejecting (REJECT), or discarding (DROP). The main principle of configuring the firewall is to add, modify and delete these rules.

2. Chains

Chains are the paths along which packets travel. Each chain is actually a checklist of rules. Each chain can have one or more rules. When a data packet arrives at a chain, iptables will start checking from the first rule in the chain to see if the data packet meets the conditions defined by the rule. If it does, the system will process the data packet according to the method defined in the rule. Otherwise, iptables will continue to check the next rule. If the packet does not match any rule in the chain, iptables will process the packet according to the default policy predefined for the chain.

3. Tables

Tables provide specific functions. Iptables has three built-in tables, namely filter table, nat table and mangle table, which are used to implement packet filtering, network address translation and packet reconstruction respectively.

(1)Filter table. The filter table is mainly used to filter data packets. This table filters qualified data packets according to a set of rules predefined by the system administrator. For firewalls, a series of rules are specified in the filter table to filter data packets.
The filter table is the default table of iptables. If no table is specified, iptables uses the filter table to execute all commands by default. The filter table contains the INPUT chain (handles incoming packets), the FORWARD chain (handles forwarded packets), and the OUTPUT chain (handles locally generated packets). In the filter table, data packets can only be accepted or discarded; they cannot be modified.

(2) NAT table. The nat table is mainly used for network address translation (NAT). It can perform one-to-one, one-to-many and many-to-many NAT. iptables uses this table to implement shared Internet access. The nat table contains the PREROUTING chain (modifies incoming packets), the OUTPUT chain (modifies locally generated packets before routing), and the POSTROUTING chain (modifies outgoing packets).

(3) mangle table. The mangle table is mainly used to modify specified packets, because some special applications may rewrite certain transmission characteristics of data packets, such as the TTL and TOS fields. In practice this table is rarely used.

(V) Turn off the system firewall

Since the system's firewall function is also implemented using iptables, conflicts are likely to occur if users set rules on top of the system's iptables. Therefore, it is recommended to turn off the system's firewall function before learning iptables.

(VI) iptables command format
The command format of iptables is relatively complex, and the general format is as follows:

#iptables [-t table] -command match action

Note: iptables is case sensitive for all options and parameters!

1. Table options

The table option is used to specify which iptables built-in table the command applies to. The built-in tables of iptables include filter table, nat table and mangle table.

2. Command options

Command options are used to specify the execution mode of iptables, including inserting rules, deleting rules, and adding rules:

-P or --policy: define the default policy
-L or --list: view the iptables rule list
-A or --append: add a rule to the end of the rule list
-I or --insert: insert a rule at the specified position
-D or --delete: delete a rule from the rule list
-R or --replace: replace a rule in the rule list
-F or --flush: delete all rules in the table
-Z or --zero: reset all chain counters and traffic counters in the table to zero

3. Matching options

Match options specify the characteristics that a packet should have to match a rule, including source address, destination address, transport protocol (such as TCP, UDP, ICMP), and port number (such as 80, 21, 110).
-i or --in-interface: specifies the network interface through which the packet enters
-o or --out-interface: specifies the network interface through which the packet leaves
-p or --protocol: specifies the protocol the packet matches, such as TCP or UDP
-s or --source: specifies the source address to match
--sport: specifies the source port number to match. A range of ports can be given in the format "start port:end port" (for example 1024:65535).
-d or --destination: specifies the destination address to match
--dport: specifies the destination port number to match. A range of ports can be given in the format "start port:end port".

4. Action options

The action option specifies what action should be taken when a packet matches the rule, such as accept or discard.

ACCEPT: accept the data packet
DROP: drop the data packet
REDIRECT: redirects the data packet to a port on the local host or another host. This function is usually used to implement a transparent proxy or to expose certain services on the internal network to the outside world.
SNAT: source address translation, that is, changing the source address of the data packet
DNAT: destination address translation, that is, changing the destination address of the data packet
MASQUERADE: IP masquerade, commonly known as NAT technology. MASQUERADE can only be used for IP masquerading with dial-up Internet access such as ADSL, that is, when the host's IP address is dynamically assigned by the ISP; if the host's IP address is static, SNAT should be used
LOG: records the relevant information of the data packets that match the rule in the log so that the administrator can analyze and troubleshoot

(VII) Use of iptables command

1. Check iptables rules

The initial iptables has no rules, but if you choose to automatically install the firewall during installation, there will be default rules in the system. You can first view the default firewall rules:

#iptables [-t table name] -L [chain name]
[-t table name]: defines the table to be viewed. The table name can be filter, nat or mangle. If no table name is given, the filter table is used by default.
-L: list the rules of the specified table and chain
[chain name]: defines which chain in the specified table to view. If no chain is specified, the rules of all chains in the table are listed
#iptables -L -n (view the rules of all chains in the filter table)
Note: adding the -n parameter keeps iptables from resolving IP addresses to hostnames, which makes the listing much faster.
#iptables -t nat -L OUTPUT (view the rules of the OUTPUT chain in the nat table)

2. Define the default policy

When a data packet does not match any rule in a chain, iptables will process the data packet according to the default policy of the chain. The default policy is defined as follows

#iptables [-t table name] -P chain name action
[-t table name]: defines the table to operate on. The table name can be filter, nat or mangle. If no table name is given, the filter table is used by default.
-P: define the default policy
chain name: the chain in the specified table whose default policy is being defined
action: the action taken on data packets that match no rule; ACCEPT (accept) or DROP (discard) can be used
#iptables -P INPUT ACCEPT (define the default policy of the filter table INPUT chain as accept)
#iptables -t nat -P OUTPUT DROP (define the default policy of the OUTPUT chain of the nat table as discard)
Creating a simple rule set. For users with little experience or time, it is necessary to set up a simple and practical rule set. The most basic principle is "deny all data packets first, then allow the required ones", and it is usually applied through the default policies of the filter table's chains. Generally INPUT is set to DROP so that no packets can enter, and the other chains are set to ACCEPT so that data sent outwards can go out.
#iptables -P INPUT DROP
#iptables -P FORWARD ACCEPT
#iptables -P OUTPUT ACCEPT

3. Add, insert, delete and replace rules

#iptables [-t table name] -A|-I|-D|-R chain name [rule number] [-i | -o NIC name] [-p protocol type] [-s source IP | source subnet] [--sport source port number] [-d destination IP | destination subnet] [--dport destination port number] -j action
[-t table name]: defines the table to operate on. The table name can be filter, nat or mangle. If not defined, the filter table is used by default.
-A: add a new rule. The rule is appended to the end of the rule list. This parameter cannot take a rule number.
-I: insert a rule; the rule that was at that position and those after it move back one place. If no rule number is specified, the rule is inserted before the first rule.
-D: delete a rule. You can enter the complete rule or specify the rule number directly.
-R: replace a rule. The position of the rule does not change after it is replaced. The number of the rule to be replaced must be specified.
chain name: specifies the chain in the specified table to operate on. INPUT, OUTPUT, FORWARD, PREROUTING or POSTROUTING can be used
[rule number]: the rule number is used when inserting, deleting and replacing rules. Rules are numbered in the order of the rule list; the first rule is number 1.
[-i | -o NIC name]: -i is the NIC through which the data packet enters, -o is the NIC through which the data packet leaves
[-p protocol type]: the protocol to which the rule applies, such as TCP, UDP or ICMP
[-s source IP | source subnet]: source IP or subnet of the packet
[--sport source port number]: source port number of the packet
[-d destination IP | destination subnet]: destination IP or subnet of the packet
[--dport destination port number]: destination port number of the packet
-j action: the action taken on the data packet
#iptables -A INPUT -i lo -j ACCEPT (append a rule to accept all packets from the lo interface)
#iptables -A INPUT -s 192.168.0.44 -j ACCEPT (add a rule to accept all packets from 192.168.0.44)
#iptables -A INPUT -s 192.168.0.44 -j DROP (append a rule to drop all packets from 192.168.0.44)
Note: iptables reads rules in order. If two rules conflict, the first rule will prevail.
#iptables -I INPUT 3 -s 192.168.1.0/24 -j DROP (Insert a rule before the third rule in the INPUT chain to drop all packets from 192.168.1.0/24)
Note: If the -I parameter does not specify the insertion position, it will be inserted at the beginning of all rules
#iptables -D INPUT 2 (delete the second rule in the INPUT chain in the filter table)
#iptables -R INPUT 2 -s 192.168.10.0/24 -p tcp --dport 80 -j DROP (Replace the second rule in the filter table INPUT chain to prohibit 192.168.10.0/24 from accessing TCP port 80)
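The following script is an added example, not the article's own code. It puts the "deny first, then allow what is needed" policy from the previous section together with the ordering caveat above (iptables reads rules in order, so accept rules must come before the drop that would otherwise shadow them) into one script. ADMIN_NET and SSH_PORT are assumed values; the `-m state --state` match is the iptables state module that the article mentions by its states (ESTABLISHED, RELATED, INVALID) but does not show. The script prints the commands by default (DRY_RUN=1) so the order can be reviewed before it is run against a live host, and sets the DROP policy only after the accept rules are in place so that the session used to run it is not cut off.

```shell
#!/bin/sh
# Added example: a "deny first, then allow what is needed" baseline for the
# filter table. Not the article's own script. ADMIN_NET and SSH_PORT are
# assumed values for illustration; change them to match your environment.
ADMIN_NET=${ADMIN_NET:-192.168.0.0/24}   # assumed management subnet
SSH_PORT=${SSH_PORT:-22}                 # assumed SSH port
IPT=${IPT:-iptables}
DRY_RUN=${DRY_RUN:-1}                    # 1 = only print the commands (default), 0 = apply them

# run: print the iptables command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

apply_baseline() {
    # 1. Start from an empty filter table (-F) with zeroed counters (-Z).
    run "$IPT" -F
    run "$IPT" -Z
    # 2. Append the ACCEPT rules first, while the INPUT policy is still whatever
    #    it was, so an SSH session used to run this script is not cut off part way.
    #    iptables reads rules in order, so loopback and established traffic go first.
    run "$IPT" -A INPUT -i lo -j ACCEPT
    run "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run "$IPT" -A INPUT -p tcp -s "$ADMIN_NET" --dport "$SSH_PORT" -j ACCEPT
    run "$IPT" -A INPUT -m state --state INVALID -j DROP
    # 3. Only now flip the default policies: anything not accepted above is dropped.
    #    The article's example leaves FORWARD as ACCEPT; a host that does not route
    #    between networks has no reason to forward, so it is dropped here.
    run "$IPT" -P INPUT DROP
    run "$IPT" -P FORWARD DROP
    run "$IPT" -P OUTPUT ACCEPT
}

# rule_position OUTPUT PATTERN: line number of the first dry-run command that
# matches PATTERN, used to check the order in which the rules would be applied.
rule_position() {
    printf '%s\n' "$1" | grep -n -- "$2" | head -n 1 | cut -d: -f1
}

# Stand-alone usage: with the default DRY_RUN=1 this only prints the commands.
apply_baseline
```

Run it once with the default dry run, read the printed command list top to bottom as iptables would, and only then run it with DRY_RUN=0 as root. Because `-P INPUT DROP` is issued last, a mistake in the accept rules shows up as a printed line rather than as a lost connection.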

4. Clear rules and counters

When creating new rules, you often need to clear existing or old rules to avoid affecting the new rules. If there are many rules and it is troublesome to delete them one by one, you can use the clear rule parameter to quickly delete all rules.
#iptables [-t table name] -F|-Z
[-t table name]: specifies which table the command applies to. filter, nat or mangle can be used. If not specified, the filter table is used by default.
-F: delete all rules in the specified table
-Z: reset the packet and byte counters in the specified table to zero
#iptables -Z (set the packet counter and flow counter in the filter table to zero)
#iptables -F (delete all rules in the filter table)

5. Record and restore firewall rules

You can use the record and restore firewall rules command to copy the existing firewall mechanism and restore it directly when needed.
#iptables-save > file name (save the current firewall rules to the file)
#iptables-restore < file name (load the firewall rules from the file into the current host; note that the file is read with input redirection, not overwritten)
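The following script is an added example, not part of the original article. It shows what a saved rule file looks like and audits it before it is fed to iptables-restore, checking the two points the article makes earlier: the INPUT policy should be DROP, and because iptables stops at the first rule that matches, a later rule with the same match as an earlier one can never fire (the 192.168.0.44 ACCEPT/DROP pair from the previous section). SAMPLE_DUMP is a constructed snapshot in the format iptables-save writes (a *table header, :CHAIN POLICY [packets:bytes] lines, -A rule lines and COMMIT); the function names are my own.

```shell
#!/bin/sh
# Added example: audit an iptables-save snapshot before restoring it. Not the
# article's own code. SAMPLE_DUMP is a constructed snapshot in the real
# iptables-save format. Rule 4 deliberately repeats rule 3's match with a
# different target, the conflict the article warns about.
SAMPLE_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 192.168.0.44/32 -j ACCEPT
-A INPUT -s 192.168.0.44/32 -j DROP
COMMIT'

# chain_policy DUMP TABLE CHAIN: print the default policy of CHAIN in TABLE.
chain_policy() {
    printf '%s\n' "$1" | awk -v t="*$2" -v c=":$3" '
        $1 == t { in_table = 1; next }
        $1 == "COMMIT" { in_table = 0; next }
        in_table && $1 == c { print $2 }
    '
}

# shadowed_rules DUMP TABLE CHAIN: print the numbers of rules in CHAIN whose
# match (everything between the chain name and -j) is identical to an earlier
# rule. iptables stops at the first matching rule, so such a rule can never
# fire, whatever its target says.
shadowed_rules() {
    printf '%s\n' "$1" | awk -v t="*$2" -v c="$3" '
        $1 == t { in_table = 1; next }
        $1 == "COMMIT" { in_table = 0; next }
        in_table && $1 == "-A" && $2 == c {
            n++
            key = ""
            for (i = 3; i <= NF && $i != "-j"; i++) key = key " " $i
            if (key in seen) { print n } else { seen[key] = n }
        }
    '
}

# audit_dump DUMP: return 0 if the filter INPUT policy is DROP and no INPUT
# rule is shadowed; otherwise report each problem on stderr and return 1.
audit_dump() {
    status=0
    policy=$(chain_policy "$1" filter INPUT)
    if [ "$policy" != DROP ]; then
        echo "filter INPUT policy is '$policy', expected DROP" >&2
        status=1
    fi
    for n in $(shadowed_rules "$1" filter INPUT); do
        echo "INPUT rule $n repeats the match of an earlier rule and can never fire" >&2
        status=1
    done
    return $status
}

# Stand-alone usage: audit the constructed snapshot. On a real host the flow is
#   iptables-save > rules.v4 ; audit_dump "$(cat rules.v4)" && iptables-restore < rules.v4
audit_dump "$SAMPLE_DUMP" || echo "audit found problems; fix the rules before iptables-restore"
```

Run against the constructed snapshot the audit reports rule 4 as unreachable, which is exactly the "first rule prevails" behaviour the article describes; a snapshot that passes can be handed to iptables-restore with input redirection.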

Summary

The above are two ways to enable the firewall in Linux services introduced by the editor. I hope it will be helpful to everyone. If you have any questions, please leave me a message and the editor will reply to you in time. I would also like to thank everyone for their support of the 123WORDPRESS.COM website!
