Linux 2.4 Packet Filtering HOWTO Simplified Chinese version
Rusty Russell, Mailing List Netfilter@lisms.samba.org owe $Revision: 1.3 $ date: 2002/06/05 13:21:56 $ 简体 中文: Ocean Ghost · Netsnake Thanks Netmanforever@yahoo.com Traditional reference
This document describes how to filter incorrectly in the Linux2.4 kernel (Translator: packet in many professional books, which is still translated as package according to most people's habits)
1. Introduction 2. Official Site and Mail List 3. So, what is packet filter? 3.1 Why do I need packet filter? 3.2 How to make a package under Linux? 3.2.1 iptables3.2.2 Creating a permanent rule 4. Do you make a few, how do you get my kernel? 5. Rusty's true package filtering fast guide 6. How to pass through the filter 7. Using iptables7.1 When the computer is started, you will see 7.2 Operation 7.3 Filter Specification 7.3.1 Specified Source and Destination IP Address 7.3.2 Reverse Designation 7.3.3 Protocol Designation 7.3.4 Interface Specify 7.3.5 Split Specify 7.3.6 Iptables Extensions: New Match 7.3.6.1 TCP Extensions 7.3.6.1.1 Interpretation of TCP Signs 7.3. 6.2 UDP Extensions 7.3.6.3 ICMP Extensions 7.3.6.4 Other Match Extensions 7.3.6.5 Status Matching 7.4 Target Specifications 7.4.1 User Defined Chains 7.4.2 Iptables Extensions: New Target 7.4.3 Special Built Out of Built 7.5 Pair of Whole Chains Operation 7.5.1 Creating a new chain 7.5.2 Deleting Chain 7.5.3 Clearing a chain 7.5.4 List 7.5.5 Reset (Clear) Counter 7.5.6 Settings (Default Rules) 8. Use Ipchains and IPFWADM9 NAT and package filtration mix use 10. IPTables and IPChains Differences 11. Suggestions for the development of package filters 1. Introduction, dear readers. This article assumes that you know about IP addresses, network addresses, network masks, selection and DNS. If you don't know, I suggest you read the HOWTO (Network Concepts Howto) of the Network Concept. This HOWTO is not a brief introduction (you will make you fever, hair, no security), and is not a complete original disclosure (the most hard-working person will be stunned, but it will definitely won something). Your network is not safe. The problem is that the fast, concise communication must be obtained, but it must be limited to good, no malicious behavior, just in the noisy big theater, you can talk about it, but you can't shout: I am full of fire! . This HOWTO cannot solve this problem. (Translator: All security is just relative, otherwise it will not generate this kind of thing) therefore, you can only decide which aspect of compromise. I want to help you use some available tools and some vulnerabilities that usually need to pay, I hope you use them in a good side, not for malicious purposes - another equally important issue. (C) 2000 Paul `Rusty 'Russell. Licenced Under The GNU GPL.
2, official site and email list location There are three official sites here: o THANKS to FileWatcher http: //netfilter.filewatcher.org.o Thanks to the Samba Team and sgi http: //netfilter.samba.org.o Thanks to HARALD Welte http://netfilter.gnumonks.org. You can access all relevant sites through the following sites. Http://www.netfilter.org and http://www.iptables.org The following are the NetFilter official mailing list http://www.netfilter.org/contact.html#list.3. So what is a pack filter? ? The package filter is such a software: it checks the head of each package passed, and then determines how to dispose of them. It can be treated like this: Discard (that is, if this package has never been accepted, then discard it), pass (that is, let the package pass), or more complex (operation). Under Linux, the built-in built-in built into the kernel (kernel module, or built), and we have some techniques for processing packages, but the general principles of the head and handling package are still here.
3.1 Why do I have a package filter? Control, safety, and warning. Control: When you use your Linux server to connect your internal network and another network (that is, the Internet Bar), you can decide which communication is allowed, which is not allowed. For example, the header contains the target address of the package, you can block several external networks determined by the package (you), another example, I connect to Dilbert Archives with Netscape. There is an ad from DoubleClick.net, then Netscape wasts my time to download them. Tell the package filter to prohibit any packages from or sent to the DoubleClick.net address, the problem is solved. (Of course, there is a better way, see Junkbuster). Safety: When the Linux server is a chaotic Internet and your good, ordered networks, you can best know what you can enter your door. For example, you can allow all (package) from your network, but you might be anxious for famous "ping of death" from the outside. Another example, you don't want outsiders telnet to your Linux server, although all accounts have passwords. Perhaps you just want (like the vast majority) becomes the bystander of the Internet, not its server (or maybe it). Simply not allow anyone to access, set the package filter to reject all entered packets (good way). Alert: Sometimes, the machine on the local network may spray a large number of packages externally. It is best to let the package filter tell you when any abnormal phenomenon occurs (in the network). This, you may be able to do something, or you are very curious.
3.2 How to make a package under Linux? The Linux kernel has a package filtering function in its 1.1 series. The first generation, was transplanted with the IPFW of BSD from Alan Cox in 1994. This is strengthened by JOS VOS and others in Linux 2.0; user space tool 'ipfwadm' can be used to control kernel filtering rules. In 1998, with the help of Michael Neuling, I rewritten for Linux 2.2 and launched the user space tool 'ipchains'. Finally, in 1999, based on the fourth-generation tool of Linux 2.4, 'iptables', and other kernel rewritments were officially launched. This is the location of this iptables's HOWTO document. Translator: UserSpace According to the Taiwan compatriots, users are used to distinguish the scope of application in system memory, divided into core space and user space, do not have to be refreshed), you need to include the core of the Netfilter architecture. Netfilter is a universal framework in Linux, or inserts other contents (such as the iptables module). That is to say that you need 2.3.15 and later, and answer 'y' for the config_netfilter when configuring the kernel. IPTables This tool is used to interact with the kernel and tell it which packages should filter. Unless you are a programmer or especially curious, this is what you use to control the package filter. 3.2.1. Insert and delete rules in the package filter table of the iptablesiptables tool. This means that there is no matter how settings, the information will be lost, please see "Making Rules Permanent" to determine how to ensure that these rules will be restored next time. iptables are alternatives to IPFWADM and IPChains. If you are their users, please see "Using Ipchains and IPFWADM", how to easily use iptables.
3.2.2 Creating a Permanent Rule Your current firewall setting is saved in the kernel, so it will be lost after restarting. You can try to save them with iptables-save and iptables-restore scripts and recover by a file.
4. Do you make a few a few, how do you play my kernel? I am Rusty Russell. The maintainer of the Linux IP firewall is also an appropriate place to appear in the appropriate place. I wrote Ipchains (see "How to pack filtering under Linux?" Take a look at which people are actually completed), and hope to learn enough things to fix this package filter. Watchguard, a very good firewall company, in summary, omitted a thousand words ... here, I want to clarify a misunderstanding: I am not a kernel expert, I understand it, because my core work makes me contact. They: David S. Miller, Alexey Kuznetsov, Andi Kleen, Alan Cox. In any case, they have done the deepest work, and they are very safe and easy.
5. Rusty's true package filter fast guide Most people only have a PPP to connect to the Internet, and do not want someone to enter their network or firewall: # Insert the connection-tracking module (such as domestic built in the kernel. ) # InSMOD ip_conntrack # insmod ip_conntrack_ftp # Create a chain to create a large number of new connections unless these connections come from the inside. # iptables -n block # iptables -a block -m state --state established, Related -j accept # iptables -a block -m state --state new -i! ppp0 -j account # iptables -a block -j drop # iptables -a block -j drop # iptables The chain is jumped by Input and Forward link (just created). # iptables -a input -j block # iptables -a forward -j block6. The package is starting through the filter of the filter by the following three rules in the 'filter' table. These are called firewall chains or call chains. These three chains are INPUT, OUTPUT and FORWARD, respectively. For ASCII artists, the chain is like this: (Note: This is very different from the 2.0 and 2.2 kernels) translator: ASCII art, here is the use of pure ASCII text mapping _____
Incoming / / Outgoing
-> [Routing] ---> | Forward | ------->
[Decision] / _____ / ^
| | |
v ____
___ / /
/ / | OUTPUT |
| Infut | / ____ / /
/ ___ / ^
| | |
----> Local process ---- Three circles represent three chains said above. When the package arrives in a circle in the figure, the chain checks and determines the fate of the package. If the chain determines the DROP package, the package is killed there. But if the chain decides to make the package accept, the package continues to advance in the figure. A chain is a list of rules. Each rule will say: 'If the header looks like this, then do this. If the rules and packets do not match, the next rules in the chain are processed. Finally, if there is no rule to be processed, the kernel determines how to do it according to the principle of the chain (policy, sometimes called the default rule). In a secure system, the principle is usually discarded by the kernel. 1. When a package enters (that is, the Ethernet card), the kernel first checks the destination of the package. This is called "selection". 2. If it is to enter the unit, the package will move below the figure to reach the Input chain. If it is here, any process waiting for this package will receive it. 3. Otherwise, if the kernel is not permitted, or if you don't know how to forward this package, it will be discarded. If the forwarding is allowed, and the destination of the package is another network interface (if you have another one), then you go to the right side of our chart to reach the Forward chain. If it is allowed to pass (accept), it is sent out. 4. Finally, programs running on the server can send a network package. These packages immediately pass the Output chain. If it is allowed (Accept), the package continues to send to network interfaces that can reach its destination. 7. Use iptablesiptables with a very detailed manual, and if you need an option to introduce more detailed. Take a look at "IPTables and IPChains" may be very useful to you. You can do a lot of differences using iptables. The starting built-in three chains INPUT, OUTPUT and FORWARD are not deleted. Let's take a look at the management of the entire chain. 1. Create a new chain (-N). 2. Delete an empty chain (-x). 3. Modify the principles of the internal chain (-P). 4. The rules in the chain (Table) (- L) are displayed. 5. Clear a chain (-f). 6. Clear zero (-z) all rules in the chain (-Z). There are several ways to operate the rules in the chain: 1. Add a new rule (-a) to the chain. 2. Insert a new rule (-i) in a certain location in the chain. 3. Replace the rules (-R) of a location. 4. Delete the rules for a location in the chain, or the first matched. (-D).
7.1. When the computer starts, the PTables you will see can be used as a module, called 'iptables_filter.o, which can be automatically loaded when IPTABLES is first run. It is also possible to permanently edit the kernel. Before all iptables commands are executed ("Whey: Some release will run iptables in the initialization script), there is no rules in all built-in chains ('Input', 'Forward' and 'Output'), all chain principles It is accept. You can provide the 'Forward = 0' option to modify the default principles of Forward when loading the IPTable_filter module.
7.2. Operation for a single rule This is the basic package filter: management rules, add (-A) and delete (-D) commands may be most common. Other (-i insertion and -r replacement) is just a simple extension. Each rule has a set of conditions to match the package, and if it matches what it does. For example, you might want to discard all ICMP packages from 127.0.0.1. So our condition is that the agreement must be ICMP, and the source address must be 127.0.0.1, and our goal is to discard (DROP). 127.0.0.1 is a return interface, even if you don't have a real network connection, it will exist. You can generate such packages with a ping program (it simply sends ICMP Type 8 (Echo Request), all hosts that are willing to respond with ICMP Type 0 (echo reply). This is very useful for testing. # ping -c 1 127.0.0.1Ping 127.0.0.1 (127.0.0.1): 56 Data bytes64 bytes from 127.0.0.1: ICMP_SEQ = 0 TTL = 64 TIME = 0.2 MS --- 127.0.0.1 Ping Statistics --- 1 Packets Transmitted, 1 Packets Received, 0% Packet Lossround-Trip Min / AVG / MAX = 0.2 / 0.2 / 0.2 MS # iptables -a input -s 127.0.0.1 -p icmp -j drop # ping -c 1 127.0.0.1ping 127.0 .0.1 (127.0.0.1): 56 Data Bytes --- 127.0.0.1 Ping Statistics --- 1 Packets Transmitted, 0 Packets Received, 100% Packet LOSS, the first ping is successful ('-C 1' tells Ping only sends a package) and then we can add (-A) a rule to the 'Input' chain to develop the ICMP protocol from 127.0.0.1 ('- s 127.0.0.1') ('-P ICMP') package Discard ('-J DROP'). Then we test our rules and use the second ping. Before the program waits, you will be suspended before the response is never possible. We can use any of two ways to delete rules. First of all, because this is the unique rule in the input chain, we use the number to delete: # iptables -d input 1 Delete the number of rules in the INPUT chain is the second method of -A command, but use -D replacement -A. This is very useful when the rules in your chain are complicated, and you don't want to calculate their numbers. In this case, we can use: # iptables -d input -s 127.0.0.1 -p ICMP -J DROP-D The syntax must be as accurate as -A (or -i or -r). If there are multiple identical rules in the chain, only the first one will be deleted. 7.3 Filtering Specifications We have already seen, use '-p' to specify the protocol, specify the source address with '-s', but there are other options we can use to specify the feature of the package. Here is a detailed manual.
7.3.1 Specify the source and destination IP address source ('-s', '- source' or '--src') and purpose ('-d', '- destination' or '--dst') IP address You can specify four ways. The most common method is to use full name, just like 'localhost' or 'www.linuxhq.com'. The second way is to specify an IP address, such as '127.0.0.1'. Third and fourth methods allow the designation of a set of IP addresses, just like '199.95.207.0/24' or '199.95.07.0/255.255.255.0'. This specifies all IP addresses from 199.95.207.0 to 199.95.207.255. The number behind '/' indicates which part of the IP address is valid. '32' or '255.255.255.255' is the default (matching the entire IP address). Use '/ 0' to specify any IP address, like this: # '-s 0/0' here is excess # iptables -a input -s 0/0 -j drop This is rarely used, this is above The result is exactly the result of '-s'. 7.3.2 Reversely specifying a lot of tags, including '-s' (or' - Source ') and' -d '(' - destination ') tag can add'! 'Flag (read "not' ) To match all and give the address of the NOT. For example, '-s! Localhost' matches all packets from this unit.
7.3.3 The protocol specifies the specified protocol with '-p' (or '--Protocol'). The protocol can be a number (if you know the value of the IP's protocol value) or the name like 'TCP', 'UDP' or 'ICMP'. In case, it doesn't matter, so 'TCP' and 'TCP' are the same. You can add '!' Before the agreement name, explain it in reverse, for example '-P! Tcp' will match all packets that are not TCP.
7.3.4 Interface Specify '-i' (or '--in-interface') and '-o' (or '--out-interface') option specifies the matching interface name. The interface can be an entry ('-i') or a physical device that is sent ('-o'). You can use the ifconfig command to list the current 'UP' interface. (That is to say, it is working). The package through the INPUT chain does not have the interface, so '-o' in this chain never matches. Similarly, the package through the OUTPUT chain has not entered the interface, and '-i' in this chain will not match. Only two interfaces are sent and sent out with the package through the Forward chain. You can specify an interface that is currently not present. Before this interface is available, the rules cannot match anything. This is very useful for dialing PPP connections (usually PPP0 interfaces). A special case, the interface name is a ' ', which will match all the interfaces starting with this string (regardless of whether it is present). For example, specify a rule that matches all PPP interfaces to use the -i PPP option. Interface names can also be inserted in front of '!' To match all packages different from the specified interface, such as -i! Ppp . 7.3.5 Split Specify Translator: To help you understand, attach the format of IP datagrams here, taken from "Internetworking with TCP / IP"
04816192431 version number header length Service Type Total length Sign Sign Split Offset Life Agreement Thermal Test and Source IP Address Destination IP Address IP Option Plip Data ......
Sometimes a bag is too big, it is impossible to suit all the lines. In this case, the package will be divided into pieces, and then it is sent as a plurality of packages. Finally recombine these fragments to rebuild the entire package. The problem of fragmentation is that the initial sheet checked contains the entire head field (IP TCP, UDP, and ICMP), but the subsequent package only has a header (IP without additional protocol fields), so check the back of the slice The head (like TCP, UDP, and ICMP) is impossible. If you are doing NAT or connection tracking, all slices are merged before packaging code processing, so you don't need to worry for shards. Also note that the package to the INPUT chain (or any table hooked by the NF_IP_LOCAL_IN hook program) in the Filter table is reached after the core IP stack is reorganized. Otherwise, it is very important to understand how the fragmentation is handled by filtering rules. Any filtering rule requires us nothing, will be considered mismatch. This means that the first piece of (fragment) is processed as a normal package. The second and back sheets will not. Therefore, the rule -P tcp --sport www will never match a fragment (package) (except for the first piece), the opposite rule -P tcp --sport! Www meeting. In any case, you can specify a rule that dedicates the second and subsequent fragmentation with the '-f' (or '--fragment') tag. Of course, you can also specify a rule that makes it unable to match the second and subsequent fragmentation, add '!' Before '-f'. Typically, the second and subsequent fractions are considered to be secure, because if the filtration processes the first piece, then the restructuring is made on the target host. However, known bugs may be easily crashing by sending a slice. I look at it yourself. Network masters Note: When this type of check is performed, the deformed package (the ICMP code and the type of TCP, UDP, and ICMP packages read) will be discarded. Therefore, the TCP fragment starts from position 8. (Translator: What does it mean? Probably refer to the header location in the IP package) For example, the following rules will discard any fragmentation to 192.168.1.1. # iptables -a output -f -d 192.168.1.1 -j drop
7.3.6 iptables Extensions: New Match iptables is scalable, that is, including kernel and iptables tools to expand new features. The following sections are standard, and others are derived. Others can make extended and released them to the right. The kernel extension is typically located in the kernel module subdirectory, such as /lib/modules/2.4.0-test10/kernel/net/ipv4/netfilter. If you use config_kmod settings to compile the kernel, they require being loaded, so you don't need manual insertion. The iptables program extension is usually a shared library in / usr / local / lib / iptables / under / lib / iptables or / usr / lib / iptables, specific to different distributions. There are two types of expansion: new goals, new match (we will talk about new goals right away). Some protocols automatically give new tests: As shown below, existing include TCP, UDP, and ICMP. In this way, you can specify a new test after the '-p' option in the command line, you can load the extension (module). When you are allowed to be extended, you can use the '-M' option to load the extension. Behind the option ('-P', '- j' or '-m') adds '-h' or '--help' to get the help of the extension. # iptables -p tcp --help7.3.6.1. TCP Extensions If '-P TCP' is specified, the TCP extension will be loaded automatically and provides the following options (mismatch). --TCP-FLAGS can add a '!'. There are two flag strings to be filtered through TCP tags. The first logo string is Mask: You want the test list. The second point indicates which will be set. For example: # iptables -a input --Protocol TCP --TCP-Flags All Syn, Ack -j DrOP Means All flags will be tested ('all' and 'SYN, ACK, FIN, RST, URG, PSH' Righteous), but only SYN and ACK are set. Of course, you can also use 'none'. - Syn! 'is optional, is' --TCP-Flags Syn, RST, ACK, SYN' Abbreviation - Source-port can be followed by one '!', can be a single TCP port, or A port. Can be port names or numbers in / etc / services. The port range format is a low-end name: a high-end name, or (specifying a port greater than or equal to the given port) is a port name :, or (specifying less than or equal to the given port) is: port name. --sport is '--source-port'. --Destination-port - DPORT is similar to the above, but it is specified to match the destination port (range). --TCP-Option can follow one '!' and a number, matching the TCP options and numbers. If you try to match a package with this TCP option to match a package without a complete TCP, then this package will be discarded.
7.3.6.1.1. Interpretation of the TCP logo sometimes only allows a one-way TCP connection to be useful. For example, you might allow access to an external WWW server, but will not allow connections from that server. The simplest move may be to block packages from that server, but unfortunately, TCP connections require packet two-way transmission (to work properly). The solution is that only the packages used to request the connection. These packages are SYN packs (OK, from technology, their SYN flags are set, without setting RST and ACK logo, but we are simple, called SYN packages). By blocking only this package, we can prevent connection attempt from those places. The '--syn' flag is used in this way: only valid for rules that specify the TCP protocol. For example, specify a connection request from 192.168.1.1. -p TCP -S 192.168.1.1 - Syn is of course also plus '!', meaning all packets that are not an initial connection. 7.3.6.2 UDP Extensions These extensions are automatically loaded when specifying '-p UDP'. Can provide '--Source-port', ',', '- destination-port' and '--dport', and TCP similar options.
7.3.6.3 ICMP Extended These extensions are automatically loaded when specifying '-P ICMP'. Just provide a new option: - ICMP-TYPE can be with '!', ICMP type name (such as 'Host-unreachable') or value (such as '3'), or numeric type / code (such as '3/3') ). Use '-P ICMP --HELP' to list the available ICMP type names.
7.3.6.4 Other Matching Extended These NetFilter packages are still in the presentation phase, (if installed) can be enabled with '-m'. Mac - Mac-Source can follow one '!', behind is the Ethernet address, with a colonally separated 16 clutch, such as `--MAC-Source 00: 60: 08: 91: CC: B7 '. LIMIT This module must specify '-M Limit' or '--match Limit'. The rate used to limit the match. Just like suppressing record information. Will only match a given number / per second (default is 3 match per hour, and 5 triggers). There are two parameters: - Limit followed by numbers: Specify the maximum average of the match per second per second. This number can specify a clear unit, use '/ second', `/ minute ',` / hour' or `/ day ', or only part of the part (such as' 5 / second' and the '5 / s'). --Limit-Burst follows a number, indicating the maximum trigger value before the LIMIT is role. This match (item) is usually used to use the log target to record the rate limit. To understand how it works, let's take a look at the rules below, it uses the default limit parameter record package. # iptables -a forward -m limit -j log When this rule is first enabled, the package begins to be recorded. In fact, because the default trigger is 5, the top five packs will be recorded. Then, a package is recorded every 20 minutes, regardless of how many packages arrive during this period. Moreover, a trigger (value) will be restored in each 20 minute interval of each mating package. If there is no package to reach this rule for 100 minutes, all triggers will be restored and return to the starting point. Tip: You don't currently create this rule at greater than 59 hours, so if you set a average rate for one day, then your trip rate must be less than 3. You can also use this module to avoid all kinds of denial of service attacks (DOS, Denial of Server) using the fast response rate. (Translator: The following is a more famous attack) SYN-FLOOD protection: # iptables -a forward -p tcp --syn -m limited --LIMIT 1 / S -J Accept Furtive Port Scanner: # iptables -a forward -p TCP - TCP-FLAGS SYN, ACK, FIN, RST RST -M LIMIT --LIMIT 1 / S -J ACCEPT PING OF DETH: # iptables -a forward -p icmp --ICMP-TYPE Echo-Request -m Limit - -limit 1 / s -j accept This module works similar to "throttle valve", the following is illustrated. Rate (pkt / s)
^ .---.
| / DOS /
| / /
Edge of dos - | .....: ......... / ..................... DOS border =
= (limited * | /: /
Limit-burst | /: / .-.
| /: / / /
| /: / / /
End of dos - | /....../.............:/......./..../. DOS end = limited |: : `- '` -'
------------- --- ----------------------------- ---> Time (s)
Logic => match | DIDN'T MATCH | MATCH
We match a package that triggered by five packages, but the fourth package per second begins to enter (this rule), for three seconds, then restart. <- flood 1 -> <--- flood 2 --->
Total ^ line __-- ynnn
Packets | Rate__-- YNNN
| MUM __ - YNNN
10 | MAXI __ - Y
| __ - Y
| __ - Y
| __ - YNNN
| - YNNN
5 | Y
| Y Key: Y -> matched rule
| Y n -> Didn't match rule
| Y
| Y
0 -------------------------------------------- -> Time (Seconds)
0 1 2 3 4 5 6 7 8 9 10 11 12
You can see that the top five packs are allowed to exceed a package / second (this rate), then start restrictions. If there is a pause, then another trigger is also allowed, but it cannot exceed the maximum rate of rule settings. Owner - Uid-Owner UserId Matches the creation process of the package based on the valid (value) user ID given. --Gid-owner GroupID matches the creation process of the package according to the valid (numeric) group ID given. --PID-OWNER ProcessID Matches the creation process of the package based on the process ID given. - Sid-Owner sessionID The creation process of the package will match the session group. Unclean This is a test module that must be explicitly specified to '-M unclean' or '-Match Unclean'. It performs various random judgments for the package. This module has not been reviewed, so don't be used on security facilities. (It may cause worse results, it may have bugs yourself). No options are available.
7.3.6.5 Status Match The most useful matching criterion is 'State' extension. It is responsible for explaining the connection-tracking analysis of the 'IP_CONNTRACK' module. This is recommended for use (good stuff). Match the status list ('!' Flag indicating that the status list ('! "Indicating that the status ('!" Indicating that the status ("status) is not conforming to those status (status)). NEW is created by the newly connected package Established belongs to the existing connections (that is, the packet) Related and an existing connection are related, but it is not part of its part. Such as ICMP errors, or (loaded FTP module) a package that establishes an FTP data connection. INVALID cannot be recognized by the following reasons: including internal memory and an ICMP error that is currently anywhere. Usually these packages will be discarded. An example of this powerful matching extension: # iptables -a forward -i ppp0 -m state! --State New -j DROP7.4 Target Specifications Now, we know how to test packages, but we also need to tell those matching How to do it. This is called the target of the rule. There are two very simple built-in objectives: DROP and Accept. We have seen it. If the package matches the rules, its goal is one of the two, then more rules are no longer considered: The fate of the package has decided. There are two goals other than this: extended and user-defined chains.
7.4.1 User-defined chain iptables A powerful feature is that IPChains is inherited to let users create new chains, attached to three built-in chains (INPUT, Forward, and Output). Follow the convention, the user-defined chain uses lowercase to distinguish them. (We will describe how to create a new user definition chain in "Operations On An entire Chains"). When the goal of the package matched the chain is a user-defined chain, the package is transferred to the rule in the user-defined chain. If there is no decision, the movement in the package is over (user-defined chain), and returns to the next rule of the current chain. Just engage in ASCII art. Consider two (idiot) chains: INPUT and TEST (user-defined). `Input '` Test'
------------------------------------------------ --------
Rule1: -p Icmp -j drop | | rule1: -s 192.168.1.1 |
| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----- |
Rule2: -p tcp -j test | | rule2: -d 192.168.1.1 |
| --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- --------
| Rule3: -p UDP -J Drop |
---------------------------- Consider a TCP package from 192.168.1.1 to 1.2.3.4. It enters the Input chain, checked by Rule1 - mismatch. Rule2 matches, then its goal is TEST, so the next check starts by Test. The first rule rule1 in TEST is matched, but there is no specified target, so it is checked by the second rule rule2. The result is mismatched, and we reach the tail of the chain. So returned to the INPUT chain because it was just checked by Rule2, so it is now checked by Rule3 and still does not match. So the route of this package is: V _________________________ `input '| /` Test' V
------------------------------------------------------------------------------------------------------------------------------------------------------ - | ----
| Rule1 | / | | rule1 | |
| ----------------------- | / - | | --------------------- - | --- |
| Rule2 / | | rule2 | |
| --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- -v ----
| Rule3 / - __________________________ /
----------------------------
v
The user-defined chain can jump to another user-defined chain (but can not loop: if the loop is found, the package will be discarded).
7.4.2 iptables Extensions: The extension of other types of new targets is the target. The target extension consists of a kernel module, and an optional extension of iptables provides a new command line option. There are several extensions to be included in the default NetFilter release. LOG - LOG-Level follows a level name or number. The appropriate name is (ignore the case) 'debug', 'info', 'notice', 'Warning', 'Err', 'crit', 'Alert' and 'EMERG', equivalent to numbers 7 to 0. Please refer to the manual of Syslog.conf to get these levels of instructions. The default is 'Warning'. --Log-prefix is a string of up to 29 characters, which is written to the beginning of LOG information, which can be distinguished. The most useful thing this module is to follow the Limit Match so that you will not be overwhelmed by your log. REJECT This module is the same as the 'Drop', in addition to the ICMP error message of 'Port Unreachable'. Note If it belongs to the following, the ICMP error message will not send: the O-Pack is an ICMP error message, or an unknown ICMP type. The O package is filtered as a headless fragment. o We have sent too much ICMP error packet there (see / proc / sys / net / ipv4 / icmp rate).
7.4.3 Special built-in objectives have two special built-in objectives: Return and Queue. Return is like reaching the tail of this chain: if it is a built-in chain rule, then the default rule of this chain will be executed. If it is a user-defined chain, when this rule is jumped to this rule (containing returnium), it returns to the front chain to continue to match. Queue is a special goal that will queue this package for the user space process. To use it, it takes two parts: O A "Queue Handler" to process the mechanism between the user space and the kernel. O and a user space used to receive applications, which may be an operation, and a decision for packets. IPv4 iptables standard Queue Handler is an IP_QUEUE module that follows the kernel publishing and marked as experiment. Here is a quick example of how to use iptables for user space process queue packages: # modprobe iptable_filter # modprobe ip_queue # iptables -a output -p icmp -j queue In this example, local generated ICMP packets (eg, generated by ping) Arrive at the IP_QUEUE module, then the package is tried to be sent to the user's space application. If there is no user space application waiting (there) waiting, the package is discarded. To write a user space application, you need a libIPQ API. Published together with iptables. Related examples can be found in CVS TestSuite Tools (such as redirect.c). You can check the status of IP_QUEUE here: / proc / net / ip_queue queue maximum length (that is, the number of delivery to the user space package without the return package) can be controlled here: / proc / sys / net / ipv4 / ip_queue_maxlen default The queue length is 1024. Once this length is reached, the new package will be discarded until the queue length is less than this value. For a good agreement, such as TCP, it will make a crowded explanation on the discarded package, and it will be ideal after the queue is full. In any case, if the default is too small, it is best to have a multi-experiment to determine the maximum length of the queue. 7.5 Operation of the entire chain iptables A very useful feature is a group that can be associated with a rule in the chain. You can give the chain name, but I recommend using lowercase letters to avoid conflicts with built-in chains and goals. The name of the chain is up to 31 letters.
7.5.1 Creating a new chain allows us to create a new chain. Because I am an imaginative guy, I call it Test. Use '-n' or '--new-chain' options: # iptables -n test so simple, now you can put the rules like it is above.
7.5.2 Deleting Chains Delete a chain is equally simple, using '-X' or '--delete-chain' option. Why is '-X'? Well, because all suitable letters have been used. # iptables -x test There are several delete links: they must be empty (see "Flush a chain" below and they can't be the goal of any rules. You can't delete any built-in chain. If you don't specify a chain name, all user-defined chains that can be deleted will be deleted.
7.5.3 Clearing a chain This is a simple way to clear all rules in a chain, using the '-f' or '-flush' command. # iptables -f forward If you do not specify a chain, all chains will be emptied.
7.5.4 With the list of chain to use '-l' or '--list' command, you can list all rules in a chain. The 'refcnt' in the user-defined chain is how many chains of the chain point to it. This value must be 0 before you can delete this chain. If the chain name is ignored, all chains will be listed, even if it is empty. '-L' can have three options. '-n' (numbers) options are very useful for blocking iptables trying to find an IP address, because if you use DNS like most people) If your DNS setting is not suitable, you may cause long pauses, or You filter out the DNS request. It also allows TCP or UDP ports to be displayed in digital. The '-V' option displays details of all rules, including saturation byte counters, TOS comparisons, and interfaces. Otherwise these values are ignored. Note that the report and byte counters can be used to replace 1000, 1,000,000 and 1,000,000,000, respectively. Use the '-X' (extended number) flag to print the entire value, no matter how much it is. 7.5.5 Reset (Clear) Counters can be used to reset counters. Can be done with '-z' or '--Zero'. Consider the following: # iptables -l forward # iptables -z forwards In the above example, some packages are passed between the '-l' and '-z' commands. Therefore, you can use the '-l' and '-z' together, and the counter is emptied when reading it.
7.5.6 Setting Principles (Default Rules) We have explained what happens when the package arrives at the end of the bucks in the previous discussion package. At this time, the principle of the chain determines the fate of the package. Only the built-in chain (INPUT, OUTPUT, and Forward) are principled because if the package reaches the tail of the user-defined chain returns to the front chain. The principle can be accept or DROP, for example: # iptables -p forward drop
8. Use Ipchains and IpfwadMnetflter published in Ipchains.o and IPFWADM.O modules. Load one of them into your kernel (note: they are not compatible with IP_TABLES.O). Then you can use ipchains and ipfwadm as used before. This is still supported for a while. I think reasonable calculation methods are 2 * (replacement - initial stability versions), which exceeds this time, and should use alternative stable versions. This means that supports them in Linux 2.6 or 2.8 are likely to be abandoned.
9. NAT and package filtration mix Use it to do network address transformation (see NAT HOWTO) and package filtering. The good news is that they can be mixed and work very well. You can completely ignore your NAT to define your packing filter. The sources and goals of the package seen by the package filter are "real" source and goals. For example, if you put any packs DNAT to 10.1.1.1 to 10.1.1.1 to 10.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. The packing filter is seen by the 8080 port (real destination) of 10.1.1.1, not the 80-port of 1.2.3.4. Similarly, you can ignore the camouflage: See the real external IP address of the package (such as 10.1.1.1), and the response returns there. You can use 'State' matching extensions to make the package filter don't need any additional work, because, in any case, NAT will ask for connection to track. Extending the simple camouflage example in Nat Howto to prohibit any new connections from the PPP0 interface, you can do this: # # 至 至 0 0 0 i i i i ketles -t nat -a postrouting -o ppp0 -j masquerade # is disabled by PPP0 Enter new or unsuitable bag iptables -a input -i ppp0 -m state --state new, invalid -j dropipiptables -a forward -i ppp0 -m state --state new, invalid -j drop # turn on IP forwarding Echo 1> / PROC / SYS / NET / IPV4 / IP_FORWARD10. The difference between iptables and ipchains, first, the name of the built-in chain is changed from lowercase, because the current Input and Output chains only get to local and local buildings Pack. They are used to check all the packages that enter and send. o '-i' flags now indicate the meaning of the interface and is only available for the Input and Forword chains. The rules in the Forword or Output chain should change '-i' to '-o'. o TCP and UDP ports must now be spelled with - Source-Port or - Sport (or --Destination-port / - dport), and must be placed after '-p TCP' or '-P UDP' option, because TCP or UDP extensions are loaded separately. o TCP -Y flag is now - Syn, and must be after '-p TCP'. o Deny target is now Drop.O to a single chain, which can be cleared at the same time. o Clear the inner construction chain while clearing the principles counter. o List the chain gives a miniature snapshot of a counter. o REJECT and LOG are now extension targets, meaning they are independent kernel modules. The name of the O chain can be 31 characters. o Masq is now Masquerade and uses a different syntax. Redrirect, when retaining the same name, also experiencing a change in grammar. See NAT-HOWTO for more information to configure them. The O -O option is no longer used to pass the package to the user space device (see -i above). Now passed through the Queue target to the user space. o It is likely to have some I have forgotten.
11. Suggestions on the development of package filters In the field of computer security, the most sensible way is to block all things and then open them on it. This is often referred to as "all prohibits that are not clearly allowed". I suggest this if security is your most concerned. Don't run any services you don't need, even if you think you have hindered your access. If you create a dedicated firewall, do not run anything at the beginning, and block all packages, then add the service and make the needed package. I emphasize security: combine TCP-Wrappers (for the package filter itself), the agent (connected through the package filter), routing verification and packing filter. Routing verification is that if the package comes from unspecised interfaces, it will be deleted: For example, if your internal network address is 10.1.1.0/24, a package source address is your external interface, then it will be discarded. For an interface such as PPP0, you can do this: # echo 1> / proc / sys / net / ipv4 / conf / ppp0 / rp_filter or all existing or will have interfaces: # for f in / proc / sys / net / IPv4 / conf / * / rp_filter; do # echo 1> $ F # donedebian is set to default in a possible range. If you use asymmetric routes (such as you expect to pack from one other direction), you may need to disable this filter on these interfaces. Record is very useful for setting the firewall when operating abnormally, but in a firewall as a product, it should always match the 'limit' to prevent someone from being filled with your record. I highly recommend using connection tracking for security systems: it will cause burden because all connections are tracked. But it is very useful for access to your network. If your kernel is not loaded automatically and is not built, you need to load the 'IP_ConNTrack.o' module. If you want to accurately track complex protocols, you need to load the appropriate related modules (such as 'ip_conntrack_ftp.o'). # iptables -n no-connS-from-PPP0 # iptables -a no-connS-from-PPP0 -M State --State Established, Related -j Accept # iptables -a no-connS-from-PPP0 -M State - State new -i! PPP0 -J ACCEPT # iptables -a no-connS-from-PPP0 -I PPP0 -M Limit -j log --log-prefix "Bad Packet from PPP0:" # iptables -a no-connS-from -ppp0 -i! PPP0 -M Limit -j log --log-prefix "Bad packet not from PPP0:" # iptables -a no-connS-from-ppp0 -j drop # iptables -a input -j no-conn From-ppp0 # iptables -a forward -j no-connS-flom-PPP0 built a good firewall beyond the scope of this HOWTO, but my suggestion is "everything from strict". See Security Howto gets more information to test and explore your server. ALL PAGES Ended Here.
