How to build a Linux firewall using netfilter/iptables

For a system on the Internet, one thing must be clear: the network is not secure. Building a firewall therefore does not guarantee 100% security, but it is absolutely necessary. Linux provides a very good firewall tool: netfilter/iptables. It is completely free, powerful and flexible, gives fine-grained control over incoming and outgoing traffic, and runs well on a low-end machine. This article briefly introduces firewall setup and Internet connection sharing with netfilter/iptables.
The netfilter/iptables application is considered the fourth generation of packet filtering in Linux. Netfilter/iptables has been included in the kernel since 2.4 and can implement firewalling, NAT (network address translation) and packet splitting. Netfilter works inside the kernel, while iptables is the table structure through which users define rule sets. Netfilter/iptables evolved from ipchains and ipfwadm (IP Firewall Management) and is more powerful. Netfilter/iptables is referred to simply as iptables below.
You can use iptables to build a firewall for Unix, Linux and BSD personal workstations, or build a firewall for a subnet to protect other system platforms. Iptables reads only the packet headers, so it adds little load to the traffic flow and requires no verification. For better security, it can be combined with a proxy server such as Squid.
Basic Concepts

A typical firewall setup has two network cards: one for inbound traffic and one for outbound. Iptables reads the headers of incoming and outgoing packets, compares them with a rule set, and forwards acceptable packets from one network card to the other. Rejected packets can be discarded or handled in whatever way the rules define.
Rules control the filtering of packets by telling the firewall what to do with packets from a given source address, to a given destination, or of a specific protocol type. These rules are created with the iptables command and added to chains in a packet filtering table inside kernel space. The general syntax for adding, removing and editing rules is as follows:
iptables [-t table] command [match] [target]
1. The table
The [-t table] option allows the use of a table other than the standard one. A table is a packet filtering table containing rules and chains that process only specific types of packets. Three tables are available: filter, nat and mangle. The option is not required; if it is omitted, filter is the default table. The function implemented by each table is shown in Table 1.

Table 1 Table types and the function each implements
2. The command
The command part is the most important part of an iptables command. It tells iptables what to do, such as inserting a rule, appending a rule to the end of a chain, or deleting a rule. Table 2 lists the most commonly used commands with examples.

Table 2 Commands, their functions and examples

3. The match
The optional match part of the iptables command specifies the characteristics (such as source address, destination address, protocol, etc.) that a packet must have for the rule to apply. Matches fall into two categories: generic matches and protocol-specific matches. Only the generic matches, which can be used with any protocol, are described here. Table 3 lists the important and commonly used generic matches with examples.

Table 3 Generic matches and examples

4. The target
The target is the action that a rule performs on packets that match it. Besides user-defined targets, many built-in targets are available. Table 4 lists the commonly used targets with examples.
Beyond those in Table 4, there are many other targets for building advanced rules, such as LOG, REDIRECT, MARK, MIRROR and MASQUERADE.

Table 4 Targets and examples
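A worked example, added here and not part of the original article, that puts the table, command, match and target pieces together: a two-card firewall with Internet connection sharing (the filter and nat tables, plus the LOG and MASQUERADE targets) written as an iptables-restore ruleset. The interface names eth0/eth1 and the 192.168.1.0/24 subnet are assumptions.

```shell
#!/bin/sh
# Added example: minimal two-NIC firewall with connection sharing.
# Interface names and the LAN subnet are assumed, not from the article.
WAN_IF="${WAN_IF:-eth0}"              # assumed: card facing the Internet
LAN_IF="${LAN_IF:-eth1}"              # assumed: card facing the LAN
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # assumed: internal subnet

# filter table: default DROP on INPUT/FORWARD, let replies back in,
# allow SSH only from the LAN card, log what INPUT drops, and forward
# LAN -> Internet while only returning traffic comes back the other way.
filter_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
-A INPUT -i $WAN_IF -m conntrack --ctstate INVALID -j DROP
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-input-drop: "
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# nat table: masquerade LAN traffic leaving through the WAN card.
nat_rules() {
    cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

ruleset() { filter_rules; nat_rules; }

# Load all tables atomically (needs root) after enabling IP forwarding.
apply_ruleset() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    ruleset | iptables-restore
}

# Number of rules appended to a chain, e.g. rule_count FORWARD
rule_count() { ruleset | grep -c "^-A $1 "; }

if [ "${1:-}" = "apply" ]; then apply_ruleset; fi
```

Run with `ruleset` to review the generated rules, or `sh firewall.sh apply` as root to load them.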
