
8.2.1 Policy and rule chain


May 24, 2021 That's what Linux should learn



The firewall reads the configured policy rules from top to bottom, stops matching as soon as a rule matches, and carries out the action that rule defines (release or block). If no rule matches after all policy rules have been read, the default policy is applied. In general, firewall policy rules are written in two ways: "pass" (release) and "block". When the firewall's default policy is deny (block), you must add allow (pass) rules, otherwise nobody can get in; when the default policy is allow, you must add deny rules, otherwise everybody can get in and the firewall no longer protects anything.

The iptables service calls each policy entry used to process or filter traffic a rule, and multiple rules form a rule chain. Chains are classified by the point at which they process packets, as follows:

Processing packets before routing (PREROUTING);

Processing inbound packets (INPUT);

Processing outbound packets (OUTPUT);

Processing forwarded packets (FORWARD);

Processing packets after routing (POSTROUTING).

Generally speaking, traffic sent from the intranet to the external network is controllable and benign, so the INPUT chain is the one we use most: rules there raise the difficulty for attackers on the external network who try to break into the intranet.

For example, the property management company of the community where you live has two rules: small traders are prohibited from entering the community, and vehicles must be registered when they enter. Obviously, these two rules should be enforced at the community's main gate (where all traffic must pass) and not at every household's security door. Depending on the order in which the firewall policies mentioned earlier are matched, several situations can arise. For example, if a visitor is a small trader, the property company's security guards turn them away directly and there is no need to register a vehicle. If a visitor drives a car through the main gate, the first rule, "no small traders may enter the community", does not match, so the second rule is matched in turn, i.e. the vehicle must be registered. If a community resident walks in through the main gate, neither rule matches, so the default release policy is applied.

However, policy rules alone do not guarantee the safety of the community; the security guards also need to know which action to take on the traffic that matches, such as allow, deny, register, or ignore. In iptables terms these actions correspond to ACCEPT (allow the traffic through), REJECT (refuse the traffic), LOG (record log information), and DROP (refuse the traffic). "Allow the traffic through" and "record log information" are easy to understand; the difference between REJECT and DROP needs to be highlighted here. DROP simply discards the traffic and sends no response at all; REJECT refuses the traffic and then replies with a "your message has been received, but discarded" message, so the sender sees a clear response telling them the data was rejected.

Let's give you an example so readers get a more intuitive feel for the difference between these two rejection actions. Say one day you are watching TV at home and suddenly hear someone knock on the door; you look through the peephole of the security door and see it is a salesman, so you open the door and turn them away because you do not need anything (REJECT). But if you see a creditor with a dozen henchmen coming to collect a debt, not only do you refuse to open the door, you also keep quiet and pretend nobody is home (DROP).

When the firewall policy in the Linux system is set to the REJECT action, the traffic sender sees a port unreachable response:

[root@linuxprobe ~]# ping -c 4 192.168.10.10
PING 192.168.10.10 (192.168.10.10) 56(84) bytes of data.
From 192.168.10.10 icmp_seq=1 Destination Port Unreachable
From 192.168.10.10 icmp_seq=2 Destination Port Unreachable
From 192.168.10.10 icmp_seq=3 Destination Port Unreachable
From 192.168.10.10 icmp_seq=4 Destination Port Unreachable

--- 192.168.10.10 ping statistics ---
4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 3002ms

When the firewall policy in the Linux system is changed to the DROP action, the traffic sender instead sees that the request timed out, and cannot tell whether the traffic was denied or whether the receiving host is simply offline:

[root@linuxprobe ~]# ping -c 4 192.168.10.10
PING 192.168.10.10 (192.168.10.10) 56(84) bytes of data.

--- 192.168.10.10 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3000ms
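To make the matching order, the default policy and the REJECT/DROP distinction concrete, here is an added example written for this page; it is not code from the original article or from the iptables project. It simulates, in plain sh, how a chain is walked from top to bottom: the first terminating target that matches decides the packet, LOG records the hit and lets matching continue, and the chain's default policy applies only when no rule matched. The rule table and the packets are constructed for the demonstration, and the iptables commands that would build the same chain are noted in comments only; the script itself never touches the real firewall.

```shell
#!/bin/sh
# Added example (not from the original page): a first-match evaluator that
# mimics how iptables walks a chain from top to bottom. It is a simulation
# in plain sh; nothing here touches the real kernel firewall.

# Constructed INPUT chain. Each line is "<proto> <dport> <target>"; "any"
# is a wildcard. The iptables commands that would build the same chain are
# noted for reference only:
#   iptables -P INPUT DROP
#   iptables -A INPUT -p tcp --dport 22 -j ACCEPT
#   iptables -A INPUT -p tcp --dport 23 -j REJECT
#   iptables -A INPUT -p tcp --dport 80 -j LOG
#   iptables -A INPUT -p tcp --dport 80 -j ACCEPT
#   iptables -A INPUT -p udp -j DROP
INPUT_RULES='tcp 22 ACCEPT
tcp 23 REJECT
tcp 80 LOG
tcp 80 ACCEPT
udp any DROP'
INPUT_POLICY=DROP

# evaluate_chain RULES POLICY PROTO DPORT
# Prints the target that decides the packet's fate. Rules are read in
# order; the first matching terminating target ends the walk. LOG only
# records the hit and lets matching continue, like the iptables LOG target.
# If no rule matches, the chain's default policy applies.
evaluate_chain() {
    rules=$1; policy=$2; proto=$3; dport=$4
    hit=$(printf '%s\n' "$rules" | while read -r r_proto r_dport r_target; do
        [ -z "$r_proto" ] && continue
        [ "$r_proto" = any ] || [ "$r_proto" = "$proto" ] || continue
        [ "$r_dport" = any ] || [ "$r_dport" = "$dport" ] || continue
        if [ "$r_target" = LOG ]; then
            echo "LOG: $proto dport $dport" >&2   # non-terminating target
            continue
        fi
        echo "$r_target"
        break
    done)
    if [ -n "$hit" ]; then echo "$hit"; else echo "$policy"; fi
}

# sender_sees TARGET
# What the remote sender observes for each target, matching the ping
# output shown in the text: REJECT answers with an ICMP error, DROP
# answers with nothing, so the sender only sees a timeout.
sender_sees() {
    case $1 in
        ACCEPT) echo "reply from service" ;;
        REJECT) echo "ICMP destination port unreachable" ;;
        DROP)   echo "request timed out" ;;
        *)      echo "unknown target $1" >&2; return 1 ;;
    esac
}

# Stand-alone demonstration over a few constructed packets.
for pkt in "tcp 22" "tcp 23" "tcp 80" "udp 53" "tcp 443"; do
    set -- $pkt
    t=$(evaluate_chain "$INPUT_RULES" "$INPUT_POLICY" "$1" "$2")
    echo "$1/$2 -> $t ($(sender_sees "$t"))"
done
```

Note that tcp/443 reaches no rule at all and is decided by the default policy, which is exactly the case the text warns about: with a DROP default you must add ACCEPT rules for every service you want reachable, and with an ACCEPT default you must add deny rules for everything else. Also note the difference in what the sender learns: the REJECT on port 23 tells the sender a filter is in place, while the DROP on UDP leaves them unable to distinguish a firewall from a host that is offline.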