ChinaNetCloud Training - iptables Intro
ChinaNetCloud: Running All the World's Internet Servers (Managing all the world's internet servers)
IP Tables Basics
June, 2014
By Steve Mushero
Copyright 2015 ChinaNetCloud
Introduction
● iptables is the main server firewall
● Layer 4: filters on IP address, port and protocol
● Software-based
● Built into the kernel
● Powerful and fast
● But difficult to use
● We have a script :)
Basic Parts
● Kernel module: netfilter
● Kernel module: conntrack
  ● Creates sysctl items like conntrack_max
● Tool: the iptables command
  ● Run as root
● Save files: a simple save file (see iptables-save below)
Filtering Basics
● Filter on:
  ● IP address: source or destination
  ● Ports: source or destination
  ● Protocol: ICMP, UDP, TCP, etc.
  ● State: SYN (new connection), ESTABLISHED, RELATED
● Two main results: allow (ACCEPT) or block (DROP)
● Special functions:
  ● Logging
  ● Statistics (packet and byte counters)
Tables
● Three tables are built into the kernel:
  ● filter: the real firewall, always used
  ● nat: for NAT done by Linux, rarely used
  ● mangle: special use
● filter is the default table, the one you will use
  ● It is the table iptables shows and changes when no -t option is given
Chains
● Each table has chains
● Three built-in chains in the filter table:
  ● INPUT: for traffic coming INTO the server
  ● OUTPUT: for traffic LEAVING the server
  ● FORWARD: for traffic routed through the server, rarely used
● You can add more chains for ease of use
  ● Such as for logging or special protocols
● The chains hold the rules
  ● You will usually edit these
Chains
● A chain can call (jump to) other chains
● RedHat always includes a special RH chain
● You can add more chains, such as for logging
Chains
● iptables -vnL lists the chains, for example:
  Chain INPUT (policy ACCEPT)
  Chain OUTPUT (policy ACCEPT)
  Chain FORWARD (policy ACCEPT)
Tables & Chains & Rules
● filter, nat and mangle tables
● INPUT and OUTPUT chains in the filter table
● Rules in the INPUT chain to protect the server
● A firewall is a set of tables, chains and rules
  ● The rules are the most important part
Basic Packet Flow
● Each incoming packet hits the filter table, INPUT chain
● The packet is checked rule by rule, from the top
● If a rule matches, its target (the result) is applied
  ● Usually ACCEPT, DROP or REJECT
  ● Processing then ends (except for the LOG target, which logs and lets the packet continue to the next rule)
  ● Statistics counters tell you which rules are being hit
Basic Packet Flow
  #  Target  prot  in  out  source      destination
  1  ACCEPT  all   lo  lo   0.0.0.0/0   0.0.0.0/0
  2  ACCEPT  tcp   *   *    1.2.3.4/32  0.0.0.0/0
  3  DROP    all   *   *    0.0.0.0/0   0.0.0.0/0
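To make the top-to-bottom, first-match walk concrete, here is an added shell example (not part of the slides) that simulates an INPUT chain like the one above. The rule lines, the packets and the simplified match set (protocol, input interface, /0 or /32 source) are constructed for the example; a real chain matches on much more.

```shell
#!/bin/sh
# Added example (not from the slides): simulate the first-match walk through an INPUT
# chain so the verdict for a given packet can be worked out by hand.
# Rule format is a constructed subset of iptables -vnL: "num target prot in source".

# Constructed INPUT chain: loopback, one trusted host, log-then-drop everything else
INPUT_RULES='1 ACCEPT all lo 0.0.0.0/0
2 ACCEPT tcp * 1.2.3.4/32
3 LOG all * 0.0.0.0/0
4 DROP all * 0.0.0.0/0'

# Same chain without the final DROP: the chain policy decides what falls through
NO_DROP_RULES='1 ACCEPT all lo 0.0.0.0/0
2 ACCEPT tcp * 1.2.3.4/32'

# match_src RULE_SRC PKT_IP: true if the packet source is inside the rule source
# (only the /0 "anywhere" and /32 single-host forms used above are handled)
match_src() {
  case "$1" in
    0.0.0.0/0) return 0 ;;
    */32)      [ "${1%/32}" = "$2" ] ;;
    *)         return 1 ;;
  esac
}

# walk_chain RULES POLICY PROTO IN_IFACE SRC_IP: print the verdict for one packet.
# Rules are tried top to bottom; the first ACCEPT/DROP/REJECT ends processing,
# LOG only logs (to stderr here) and the walk continues; no match -> chain policy.
walk_chain() {
  rules=$1; policy=$2; proto=$3; iface=$4; src=$5
  verdict=$(printf '%s\n' "$rules" | while read -r num target rprot rin rsrc; do
    [ "$rprot" = all ] || [ "$rprot" = "$proto" ] || continue
    [ "$rin" = '*' ] || [ "$rin" = "$iface" ] || continue
    match_src "$rsrc" "$src" || continue
    case "$target" in
      LOG) echo "rule $num: LOG $proto $iface $src" >&2 ;;
      *)   echo "$target"; break ;;
    esac
  done)
  echo "${verdict:-$policy}"
}

# Worked cases (constructed packets)
walk_chain "$INPUT_RULES" ACCEPT tcp lo   127.0.0.1   # rule 1 -> ACCEPT
walk_chain "$INPUT_RULES" ACCEPT tcp eth0 1.2.3.4     # rule 2 -> ACCEPT
walk_chain "$INPUT_RULES" ACCEPT udp eth0 1.2.3.4     # rule 3 logs, rule 4 -> DROP
walk_chain "$NO_DROP_RULES" DROP  tcp eth0 5.6.7.8    # nothing matches -> policy DROP
```

The last case is the reason for the "DROP policy and DROP rule" advice later in the deck: with only a policy of ACCEPT and no final DROP rule, the same packet would be let in.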
Basic Rule Structure
iptables -A INPUT -p tcp -i eth0 -s 0.0.0.0/0 -j ACCEPT
● Parts of a basic rule:
  ● Chain: INPUT
  ● Protocol (-p): tcp, udp, icmp or all
  ● Interface (-i): lo, eth0, etc. (* means any)
  ● Source (-s): 0.0.0.0/0 means any address
  ● Action (-j): ACCEPT, DROP or REJECT
Basic Rule Options
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
● Ports and states:
  ● Destination port (--dport): 22 (ssh)
    ● Very often used for services
  ● Module (-m): state (needed for the next option)
  ● Module option: --state NEW
    ● Always used for normal rules
Other Common Rule Options
● Logging, like -j LOG --log-prefix 'bad port: '
  ● Logs to syslog
  ● Used to log bad or illegal packets
Accept Established / Related
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
● All systems have a rule like this
  ● It passes ESTABLISHED connections, which is always safe
  ● Managed by the conntrack module
  ● RELATED is for protocols like FTP (TCP) or DNS (UDP)
    ● For DNS over UDP, conntrack remembers the outgoing query so the incoming reply is allowed
● Put this rule first in the rule list, for better performance
Last Rule always Drop
● Always add a -j DROP rule at the end
  ● So if we don't allow traffic, it's dropped
  ● Even if the chain policy is also DROP
● Best practice is both a DROP policy and a DROP rule
  ● This ensures we drop everything we don't want
Chain Policy
Chain INPUT (policy ACCEPT 7091K packets, 4852M bytes)
● Each chain has a default action, the policy
  ● Very important
  ● Applied automatically at the end of the chain
  ● Should be DROP on all major (built-in) chains
  ● Should be ACCEPT for middle, partial chains
    ● To allow packets to continue to other chains (note that a user-defined chain has no policy of its own: a packet reaching its end returns to the chain that called it)
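Putting the last few slides together (ESTABLISHED,RELATED first, NEW connections to a service port, a LOG rule, a DROP rule last and a DROP policy), the added shell example below is not ChinaNetCloud's script; it writes such a ruleset in iptables-restore syntax and checks the ordering rules of thumb before anything is loaded into the kernel. The service ports (tcp/22 and tcp/80) and the LOG rate limit are constructed assumptions.

```shell
#!/bin/sh
# Added example, not ChinaNetCloud's management script: build the minimal INPUT ruleset
# the slides describe as one iptables-restore file, then check it follows the rules of
# thumb (ESTABLISHED,RELATED first, DROP last, DROP policy) before it is ever loaded.
# Constructed assumptions: ssh on tcp/22 and a web server on tcp/80 are the only services.

# gen_ruleset: print the filter table in iptables-save/iptables-restore syntax
gen_ruleset() {
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "bad port: "
-A INPUT -j DROP
COMMIT
EOF
}

# check_ruleset: read a ruleset on stdin and return 0 only if the INPUT chain has a
# DROP policy, starts with the ESTABLISHED,RELATED accept and ends with a DROP rule
check_ruleset() {
  all=$(cat)
  inputs=$(printf '%s\n' "$all" | grep '^-A INPUT ')
  printf '%s\n' "$all" | grep -q '^:INPUT DROP ' \
    || { echo "INPUT policy is not DROP"; return 1; }
  case $(printf '%s\n' "$inputs" | head -n 1) in
    *"--state ESTABLISHED,RELATED -j ACCEPT") ;;
    *) echo "ESTABLISHED,RELATED accept must be the first INPUT rule"; return 1 ;;
  esac
  case $(printf '%s\n' "$inputs" | tail -n 1) in
    *"-j DROP") ;;
    *) echo "last INPUT rule must be DROP"; return 1 ;;
  esac
  echo "ruleset ok"
}

# Review the generated ruleset; loading it is a separate, root-only step, e.g.
#   gen_ruleset > /tmp/iptables.rules && iptables-restore < /tmp/iptables.rules
# followed by iptables-save > /etc/sysconfig/iptables so it survives a reboot.
gen_ruleset | check_ruleset
```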
Using iptables command
● The command can show, add, insert and delete rules
● Easiest to show rules with numbers:
  iptables -vnL --line-numbers      [L is for list]
  ● Shows the current rules with line numbers
● Other options add (-A), delete (-D) and insert (-I) rules
  ● Delete and insert use the line numbers
iptables-save / iptables-restore
● Dump the iptables rules in memory to a file
● Loaded by init when the server starts
● Any changes not in the file are LOST on reboot!!
● File usually in /etc/sysconfig:
  /etc/sysconfig/iptables
● Can be monitored by Zabbix, Nagios, etc.
● Can run manually:
  iptables-save > file
Iptables as a Service
● It's NOT a service, but it looks like one
● Has an init script to load the save file on boot
  ● The script just changes options
● Stop: deletes all rules and allows all traffic
● Start: loads the iptables-save file /etc/sysconfig/iptables
● If you 'stop' iptables to test, don't forget to start it again
Advanced Use
● NAT
  ● Used for ssh and Zabbix forwarding
  ● Used as a gateway for a private LAN (DB servers, etc.)
● Port changes
  ● Can move port 80 traffic to 8080
● Routing between NICs
● Xen Dom0 use: controlling VMs
● Changing packet data
● All quite rare
Packet Flow [diagram slide]
Summary
● iptables is very important
● Used on every server
● A bit complicated
● Use a script to manage it
● Be careful
About ChinaNetCloud
ChinaNetCloud [email protected]
www.ChinaNetCloud.com
Beijing Office:
Lee World Business Building #305
57 Happiness Village Road,
Chaoyang District
Beijing, 100027 China
Silicon Valley Office:
California Avenue
Palo Alto, 94123 USA
Shanghai Headquarters:
X2 Space 1-601, 1238 Xietu Lu
Shanghai, 200032 China
T: +86-21-6422-1946 F: +86-21-6422-4911