Linux Firewall and Security Management Tools Explained
1. Overview of Iptables
Iptables is a tool for controlling network traffic on Linux systems by defining rules to filter, forward, and modify packets. Its rules carefully manage the flow of data into and out of the system.
1.1 Three tables and five chains
1.1.1 Three tables
There are three main types of tables in Iptables, each used for different operations:
- filter table
  - Role: Responsible for filtering packets, deciding which packets are allowed to pass.
  - Main chains:
    - INPUT: Processes packets entering the firewall.
    - OUTPUT: Processes packets generated by the firewall host itself.
    - FORWARD: Processes packets forwarded through the firewall.
- nat table
  - Role: Used for network address translation, modifying the source or destination address of a packet.
  - Main chains:
    - PREROUTING: Processes packets before the routing decision is made.
    - POSTROUTING: Processes packets just before they leave the firewall.
    - OUTPUT: Processes packets generated by this machine.
- mangle table
  - Role: Used to modify certain characteristics of a packet, such as TOS, TTL, and packet marks.
  - Main chains:
    - PREROUTING: Processes packets before the routing decision is made.
    - POSTROUTING: Processes packets just before they leave the firewall.
    - INPUT: Processes packets entering the firewall.
    - OUTPUT: Processes packets generated by the firewall host itself.
    - FORWARD: Processes forwarded packets.
1.1.2 Five chains
The five chains in Iptables are:
- INPUT: Processes incoming firewall traffic.
- OUTPUT: Handles traffic going out of the firewall.
- FORWARD: Handles forwarded traffic.
- PREROUTING: All packets entering the firewall first pass through this chain.
- POSTROUTING: All packets going out of the firewall go through this chain.
1.2 Iptables Example
1.2.1 Allow SSH access and deny other traffic (filter table)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -j DROP
Explanation: Allow SSH access (TCP port 22); all other incoming traffic is dropped. Rules are matched in order, so the ACCEPT rule for SSH must come before the catch-all DROP.
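As an added example (not code from the original article), the following shell script builds the filter-table ruleset of section 1.2.1 in iptables-restore format, adds the loopback and ESTABLISHED,RELATED rules a practitioner places before the catch-all DROP so that existing sessions and replies keep working, and checks that the SSH ACCEPT precedes the DROP before applying anything, because a DROP appended first would lock a remote administrator out. It assumes iptables-restore is available only when apply_ruleset is actually run; the other two functions need no privileges.

```shell
#!/bin/sh
# Build a filter-table ruleset (iptables-restore format) for a host that only
# accepts SSH. Default policy DROP on INPUT/FORWARD, ACCEPT on OUTPUT.
# Usage: build_ruleset [SSH_PORT]   (SSH_PORT defaults to 22)
build_ruleset() {
    ssh_port="${1:-22}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --dport ${ssh_port} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j DROP
COMMIT
EOF
}

# Lock-out check: the SSH ACCEPT line must appear in the INPUT chain before the
# catch-all "-A INPUT -j DROP". Returns 0 if the order is safe, 1 otherwise.
# Usage: check_order "RULESET_TEXT" [SSH_PORT]
check_order() {
    ruleset="$1"
    ssh_port="${2:-22}"
    accept_line=$(printf '%s\n' "$ruleset" \
        | grep -n -- "-A INPUT .*--dport ${ssh_port} .*-j ACCEPT" | head -n 1 | cut -d: -f1)
    drop_line=$(printf '%s\n' "$ruleset" \
        | grep -n -- "^-A INPUT -j DROP" | head -n 1 | cut -d: -f1)
    [ -n "$accept_line" ] && [ -n "$drop_line" ] && [ "$accept_line" -lt "$drop_line" ]
}

# Validate with the kernel (--test) and then load the ruleset atomically.
# Refuses to apply a ruleset that fails the lock-out check. Requires root.
apply_ruleset() {
    rules=$(build_ruleset "$1")
    check_order "$rules" "$1" || { echo "refusing to apply: SSH rule is not before DROP" >&2; return 1; }
    printf '%s\n' "$rules" | iptables-restore --test && printf '%s\n' "$rules" | iptables-restore
}
```

Run `build_ruleset 22` to inspect the generated rules before calling `apply_ruleset 22` from a console or a session you can afford to lose.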
1.2.2 Port Forwarding Example (nat table)
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.10:8080
iptables -t nat -A POSTROUTING -j MASQUERADE
Explanation: Forward incoming HTTP traffic (TCP port 80) to the internal server 192.168.1.10 on port 8080, masquerading the source address on the way out.
1.2.3 Modifying the TOS example (mangle table)
iptables -t mangle -A OUTPUT -p tcp --dport 80 -j TOS --set-tos 0x10
Explanation: Modify the TOS field of packets sent to HTTP servers (TCP port 80).
2. UFW (Uncomplicated Firewall)
2.1 General
UFW is a firewall management tool that simplifies Iptables operations, used mainly on Ubuntu systems. It provides an easy-to-use command line and a graphical interface.
2.2 Main features
- Easy to use: Enables users to quickly set up firewall rules with simplified commands.
- Default policy: The default allow or deny policy can be set easily.
- Status management: Supports viewing the firewall status and the configured rules.
2.3 Examples
2.3.1 Enabling UFW
ufw enable
2.3.2 Allowing SSH
ufw allow ssh
2.3.3 Deny HTTP
ufw deny http
3. SELinux (Security-Enhanced Linux)
3.1 General
SELinux is a Mandatory Access Control (MAC) mechanism that provides an additional layer of security controlling how processes interact with objects in the system. It was developed by the NSA and is integrated into many Linux distributions.
3.2 Main features
- Fine-grained control: Access rights can be controlled precisely according to the security policy.
- Enforcement: Bypassing the configured security policy is not allowed.
- Context management: Each file and process has a security context that defines its access rights.
3.3 Examples
3.3.1 Viewing SELinux Status
sestatus
3.3.2 Setting SELinux to permissive mode
setenforce 0
3.3.3 Setting SELinux to enforcing mode
setenforce 1
4. Firewalld
4.1 General
Firewalld is a dynamic firewall management tool designed to replace direct Iptables administration. It uses the concepts of zones and services to manage rules, allowing users to add and remove rules dynamically.
4.2 Main features
- Zone management: Set different rules for different network zones (e.g. internal, external).
- Service management: Rules can be managed using service names instead of port numbers.
- Dynamic updates: Rules can be added and deleted without restarting the firewall.
4.3 Examples
4.3.1 Starting Firewalld
systemctl start firewalld
4.3.2 Allowing SSH services
firewall-cmd --add-service=ssh --permanent
firewall-cmd --reload
4.3.3 Viewing current rules
firewall-cmd --list-all
Iptables, UFW, SELinux and Firewalld are important security management tools on Linux systems. Each has its own application scenarios and characteristics, and each can effectively protect the system. By configuring these tools properly, you can implement a strong network security policy.