Abstract: Worried about basic network security? Build an iptables “bagua array” (a layered formation of rules) around your host. This article walks you through iptables.
The network is like the real world: there will always be malicious “visitors” who sweep your ports, probe your applications to see what vulnerabilities they have, and then slip in through whatever they find.
Like a thief, they look around to check whether the door is locked and whether the windows are secured, then creep in when the moment is right.
So, to keep the network environment secure, we have to “arm” ourselves and guard every entrance.
How do we “arm” ourselves?
With iptables. You can design your own “bagua array” according to your business needs, and every packet must pass the obstacles in that array before it is allowed in or out.
What is iptables?
iptables is the user-space management tool for the Linux firewall. It is part of the netfilter/iptables IP packet-filtering system and is used to set up, maintain and inspect the IP packet filtering rules in the Linux kernel. It is free software and, with packet filtering, packet redirection and network address translation (NAT), can replace expensive commercial firewall solutions.
Features: iptables is a front end to the kernel's netfilter hooks rather than a firewall of its own; the actual matching happens in the kernel. It has four commonly used built-in tables, filter, nat, mangle and raw (a fifth, security, exists for SELinux labelling and is rarely touched). Rules take effect the moment they are added, with no service restart, and are just as quickly lost on reboot unless saved with iptables-save and restored at boot.
The iptables component
iptables is organised as tables, which contain chains, which contain the individual rules. So when writing a rule you name the table first, then the chain. Tables separate rules by function: what a rule is for decides which table it belongs in.
Iptables has four tables and five chains
The four tables are raw, mangle, nat and filter.
raw is used least; its job is to mark packets that should bypass connection tracking (the NOTRACK/CT target), so it contains only the PREROUTING and OUTPUT chains. Most functionality lives in the other three tables. Each table holds several chains:
- **mangle:** modifies packet headers (TTL, TOS, packet marks). Contains the PREROUTING, POSTROUTING, INPUT, OUTPUT and FORWARD chains.
- **nat:** network address translation (IP address and port). Only the first packet of a connection is checked against this table; connection tracking then applies the same translation to the rest of the flow. Contains the PREROUTING, POSTROUTING and OUTPUT chains (newer kernels add an INPUT chain to the nat table as well).
- **filter:** the default table, responsible for accepting or dropping packets that pass through the local kernel. Contains the INPUT, FORWARD and OUTPUT chains.
The five chains are as follows:
- INPUT: filters packets whose destination address is the local host.
- FORWARD: filters packets that are routed through this host towards another destination.
- OUTPUT: filters packets generated by the local host.
- PREROUTING: runs before the routing decision, as soon as a packet arrives at the firewall; this is where the destination address can be rewritten (DNAT).
- POSTROUTING: runs after the routing decision, just before the packet leaves the firewall; this is where the source address can be rewritten (SNAT, MASQUERADE).
How iptables processes packets
There are three cases: packets addressed to the local host, packets that only pass through it (forwarding), and packets the host generates itself.
- An arriving packet first enters the PREROUTING chain. The kernel then makes its routing decision: is the destination a local address, or does the packet need to be forwarded?
- If the packet is addressed to the local host, it enters the INPUT chain, where the filter rules decide whether it reaches the local process.
- Replies and other packets generated by the local host go through the OUTPUT chain, are filtered there, and finally pass the POSTROUTING chain on their way out.
- If the packet merely passes through the host and IP forwarding is enabled (net.ipv4.ip_forward=1), it enters the FORWARD chain instead of INPUT, is filtered there, and then reaches the POSTROUTING chain on its way out. A forwarded packet never visits INPUT or OUTPUT.
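To see this traversal order on a real host rather than take it on trust, here is an added example (not part of the original article) that appends a rate-limited LOG rule to every chain of the raw, mangle, nat and filter tables described above, so the kernel log records the chains a packet actually visits. TRACE_SRC, the address of the test client, is a placeholder; the script assumes the LOG target and the limit match are available and that it is run as root when applied.

```bash
#!/usr/bin/env bash
# Added example, not from the original article: append one LOG rule to every
# chain a packet can traverse so the kernel log shows the real order
# (raw PREROUTING, mangle PREROUTING, nat PREROUTING, routing decision,
# then INPUT or FORWARD, and finally POSTROUTING for anything leaving).
# Assumptions: TRACE_SRC is a test client you control (placeholder address),
# the kernel has the LOG target and limit match, and --apply runs as root.
set -eu

TRACE_SRC="${TRACE_SRC:-10.10.10.8}"   # only trace traffic to/from this client

# Two non-terminating LOG rules per chain (one for packets from the client,
# one for packets to it), rate limited so a port scan cannot flood dmesg.
trace_rule() {
    chain="$1"
    prefix="$2"
    for side in -s -d; do
        printf -- '-A %s %s %s -m limit --limit 5/second -j LOG --log-prefix "%s "\n' \
            "$chain" "$side" "$TRACE_SRC" "$prefix"
    done
}

# A complete iptables-restore document covering all four tables. Apply it
# with --noflush so the host's existing rules stay in place.
trace_ruleset() {
    cat <<EOF
*raw
$(trace_rule PREROUTING  "TRACE raw/PRE")
$(trace_rule OUTPUT      "TRACE raw/OUT")
COMMIT
*mangle
$(trace_rule PREROUTING  "TRACE mangle/PRE")
$(trace_rule INPUT       "TRACE mangle/IN")
$(trace_rule FORWARD     "TRACE mangle/FWD")
$(trace_rule OUTPUT      "TRACE mangle/OUT")
$(trace_rule POSTROUTING "TRACE mangle/POST")
COMMIT
*nat
$(trace_rule PREROUTING  "TRACE nat/PRE")
$(trace_rule OUTPUT      "TRACE nat/OUT")
$(trace_rule POSTROUTING "TRACE nat/POST")
COMMIT
*filter
$(trace_rule INPUT       "TRACE filter/IN")
$(trace_rule FORWARD     "TRACE filter/FWD")
$(trace_rule OUTPUT      "TRACE filter/OUT")
COMMIT
EOF
}

# Number of COMMIT lines, i.e. tables, in the generated document.
trace_table_count() {
    trace_ruleset | grep -c '^COMMIT$'
}

if [ "${1:-}" = "--apply" ]; then
    trace_ruleset | iptables-restore --noflush   # keep existing rules
else
    trace_ruleset                                # dry run: just print it
fi
```

Run it with `--apply` as root, send some traffic from the test client, and read `dmesg | grep TRACE`. A connection to a local service logs raw/PRE, mangle/PRE, nat/PRE (first packet only), mangle/IN and filter/IN, and the reply logs raw/OUT, mangle/OUT, nat/OUT, filter/OUT, mangle/POST and nat/POST; a forwarded packet shows the FWD chains instead of IN and OUT. Remove the trace rules afterwards, most simply by restoring the ruleset you saved before applying them.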
The iptables command
iptables [-t table] command [chain] [match conditions] [-j target or chain to jump to]
Notes:
1. If no table is given, the filter table is assumed.
2. If no chain is given, the command applies to every chain in the table (for example when listing with -L). Apart from setting a chain's default policy with -P, a rule needs match conditions.
For example, to deny all access from the host with IP address 10.10.10.8:
iptables -A INPUT -s 10.10.10.8 -j DROP
Note that -A appends to the end of the chain: if an earlier rule already accepts traffic from that host, the new rule is never reached. Use -I INPUT instead of -A INPUT to insert it at the top of the chain.
For details of the individual options, see the iptables(8) manual page.
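A single rule like the one above is rarely the whole policy. The following script, an added example rather than code from the article, turns that deny into a small host firewall delivered as one iptables-restore document (so the whole policy is installed atomically instead of rule by rule) and checks the rule ordering that the append semantics of -A make easy to get wrong. SSH_PORT and the assumption that sshd is the only service that must stay reachable are placeholders; the conntrack match is assumed available, which it is on any current kernel.

```bash
#!/usr/bin/env bash
# Added example, not from the original article: a minimal host firewall
# built around the article's "deny 10.10.10.8" rule, emitted as one
# iptables-restore document.  Assumptions: SSH is the only service that
# must stay reachable (SSH_PORT is a placeholder), the conntrack match is
# available, and --apply runs as root.
set -eu

BLOCKED_HOST="${BLOCKED_HOST:-10.10.10.8}"   # the host the article denies
SSH_PORT="${SSH_PORT:-22}"                   # placeholder, adjust to your sshd

# The policy.  Rules are evaluated top to bottom and the first match wins,
# so the DROP for the blocked host sits above every ACCEPT it could hit;
# appending it below the SSH ACCEPT would leave that host able to reach sshd.
# Unmatched packets fall through to the INPUT chain's DROP policy.
filter_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s ${BLOCKED_HOST} -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -m limit --limit 3/minute -j LOG --log-prefix "INPUT drop " --log-level 4
COMMIT
EOF
}

# Line number of the first rule containing a fixed string; used to check
# ordering before the ruleset is applied.
rule_position() {
    filter_rules | grep -nF -- "$1" | head -n 1 | cut -d: -f1
}

# Refuse to apply a ruleset in which the blocked host could reach sshd.
check_order() {
    [ "$(rule_position "-s ${BLOCKED_HOST} -j DROP")" -lt \
      "$(rule_position "--dport ${SSH_PORT}")" ]
}

if [ "${1:-}" = "--apply" ]; then
    check_order
    filter_rules | iptables-restore --test   # parse only; catch typos first
    filter_rules | iptables-restore          # then install atomically
else
    filter_rules                             # dry run: just print the policy
fi
```

The ESTABLISHED,RELATED rule is what keeps your current SSH session alive when the DROP policy lands, but apply a ruleset like this with a console or rollback path at hand the first time. Because iptables rules vanish on reboot, save the result with iptables-save and restore it at boot; the file location and boot hook depend on your distribution.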
Classroom practice
iptables rules can be configured on a cloud server. But if you have a large fleet of cloud servers, configuring each one by hand is tedious. How do you apply the same iptables rules to every cloud server with the same requirements?
The security group? Network ACL?
Yes!!
Both control the packets entering and leaving cloud servers or user networks, and are implemented by driving Linux iptables rules on the platform. They work in different places for different purposes, and network ACLs and security groups can be deployed together for two layers of protection.
Security group: add trusted cloud servers with the same protection requirements to one security group. The group filters traffic between VMs in different security groups and between VMs and the Internet.
Network ACL: works at the subnet level, in front of the security groups, to block malicious external traffic before it reaches them and to filter inbound and outbound traffic for the user network.
So put it into practice and set up a “bagua array” for your Elastic Cloud Server:
configure security groups and network ACLs for your cloud servers.
This article is shared from the Huawei Cloud community, “Basic network security cloud class | Worried? iptables stands guard for you”, original author: cloud small sprout.