Author: Anton Chuvakin
Introduction
In the past few years Linux has grown significantly as a firewall platform. From the ipfwadm of the early 1.2 kernels, Linux's firewall code has come a long way. The 2.4 kernel uses the Netfilter system. Linux 2.4 greatly improves security, for example with better encryption support and with Netfilter, and Netfilter is fully backward compatible.
This article gives an overview of iptables configuration and then focuses on a number of iptables configuration tools. The discussion centres on the IP firewall in the Linux kernel and on the configuration tools for its various interfaces, whether GUI or script (shell, Perl, or a dedicated configuration language). These tools can simplify the configuration of iptables and reduce configuration errors. For background on iptables itself, please refer to the Linux iptables HOWTO written by Rusty Russell.
The difficulty of configuring iptables from the command line
Configuring an iptables firewall through the iptables command line interface is a challenge: it is hard for users to specify every kind of IP packet, and it requires a deep understanding of TCP/IP and of the application-layer protocols. Like its predecessors, iptables groups IP filtering rules into chains, and an IP packet traverses the rules of a chain; it can also be sent to additional chains, or finally be handled by the chain's default policy (ACCEPT, DROP, REJECT). Some network applications pass through a firewall more easily than others, so you need to understand how network connections are established and torn down.
Take POP3, one of the simplest protocols. Allowing all inbound packets with destination port 110 does not solve all the administrative problems, because it only lets the client's requests in; the server is unable to answer. There are further complications if you use network address translation (NAT) and other kinds of packet manipulation. Because the firewall configuration affects the security of the entire company, it must be done with particular care. The configuration of iptables is only discussed briefly below; please refer to the Linux iptables HOWTO for details.
iptables command line options
Before going further, let's summarize the iptables command line options.
Rule chain maintenance
1. Create a new rule chain (-N)
2. Delete an empty rule chain (-X)
3. Change the policy of a built-in rule chain (-P)
4. List the rules in a rule chain (-L)
5. Flush the rules out of a rule chain (-F)
Rule maintenance
1. Append a new rule to a rule chain (-A)
2. Delete the rule at a given position in a rule chain (-D)
Advantages of iptables
Before discussing the various iptables configuration tools, let's look at the advantages of iptables, and in particular the advantages of Netfilter over ipchains.
iptables supports stateful firewalling: the state of each connection passing through the firewall is kept in memory. This model is necessary to configure FTP, DNS and other network services effectively.
iptables can filter packets on arbitrary combinations of TCP flags, and can also filter on MAC addresses.
System logging is easier to configure than with ipchains, and it is more extensible.
For network address translation, Netfilter is more powerful and easier to use.
iptables can prevent certain DoS attacks, such as SYN flood attacks.
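The POP3 reply problem and the stateful filtering just described, as an added example that is not from the article: the script prints (rather than executes) the iptables commands for a host-based ruleset in which port 110 is opened for new connections only, replies are admitted by connection state, and connection attempts are rate-limited and logged. The interface name, chain names and limit values are assumptions of this example; pipe the output to sh as root to apply it.

```shell
#!/bin/sh
# Added example, not code from the article: print the iptables commands for a
# host-based, stateful ruleset that lets a local POP3 server answer its
# clients (the port-110 problem described above). Commands are printed rather
# than executed so they can be reviewed first. IPT, the chain names and the
# limit values are assumptions of this example.
IPT=iptables

# $1 = interface that faces the clients (e.g. eth0).
pop3_host_rules() {
    iface="$1"
    # Rule-chain maintenance: flush every chain, delete the (now empty) user
    # chains, create fresh ones, and set a deny-by-default policy.
    echo "$IPT -F"
    echo "$IPT -X"
    echo "$IPT -N pop3_in"
    echo "$IPT -N syn_limit"
    echo "$IPT -P INPUT DROP"
    # Loopback is trusted; the stateful rule then admits replies and follow-on
    # packets of connections already accepted (and related ones, e.g. ICMP
    # errors) without re-checking them against the rules below.
    echo "$IPT -A INPUT -i lo -j ACCEPT"
    echo "$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Only new connections to the POP3 port enter the pop3_in chain.
    echo "$IPT -A INPUT -i $iface -p tcp --dport 110 -m state --state NEW -j pop3_in"
    # A NEW connection must start with SYN; anything else is dropped.
    echo "$IPT -A pop3_in -p tcp ! --syn -j DROP"
    # Rate-limit connection attempts; above the limit, log and drop (SYN flood).
    echo "$IPT -A pop3_in -p tcp --syn -j syn_limit"
    echo "$IPT -A syn_limit -m limit --limit 20/m --limit-burst 5 -j RETURN"
    echo "$IPT -A syn_limit -j LOG --log-prefix \"pop3 syn flood: \""
    echo "$IPT -A syn_limit -j DROP"
    echo "$IPT -A pop3_in -j ACCEPT"
    # Whatever is left is logged and dropped.
    echo "$IPT -A INPUT -j LOG --log-prefix \"dropped: \""
    echo "$IPT -A INPUT -j DROP"
}

# Number of -A (append) rules generated, for a quick sanity check.
count_append_rules() { pop3_host_rules "$1" | grep -c -- ' -A '; }

pop3_host_rules eth0
```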
iptables configuration tools
Now let's look at some configuration tools for Linux iptables. I focus mainly on the features, flexibility and ease of use of each tool. We will discuss the following tools:
MonMotha's Firewall 2.3.5 Author: MonMotha
Firewallscript (iptables 4.4c-3 devel) Author: Patrik Hildingsson
Ferm-0.0.18 Author: Auke Kok
AGT-0.83 Author: Andy Gilligan
Knetfilter-1.2.4 Author: Luigi Genoni
gShield-2.0.2 Author: R Gregory.
MonMotha's Firewall 2.3.5
Firewall 2.3.5, written by MonMotha, is a shell script. At present it is mainly suitable for host-based protection, because some of the network-based options are still under development. The script's interface (for example, the way iptables configuration options are passed to it) is a bit confusing. However, it needs no configuration file, and installation is as easy as copying it anywhere. By default it does nothing at all, and documentation is missing. This script may be of interest to dial-up users.
Firewallscript
Firewallscript is also a Bash script, about 85K in size. It can be used for host and network protection. When run, it generates a configuration file directly; by default, however, that file does nothing and only tests functionality. The script can configure NAT and masquerading. It is very complex but lacks documentation, so it is best to read it carefully and to use the iptables -L command to see which chains have taken effect and what is allowed or refused. The script's IP packet tracing feature can also be entertaining. In addition, it automatically detects and loads the kernel modules that iptables needs. Like the previous script, it has an undo function, which restores the original iptables configuration.
Ferm
ferm is a Perl script that uses a configuration file written in a C-like language. This language is very easy to read and understand. The script is well documented and comes with a rich set of examples to use as reference.
Here is an example:
----------------------------------------------------------------------------
# simple workstation example for ferm
chain input {
    if ppp0    # put your outside interface here
    {
        proto tcp goto fw_tcp;
        proto udp goto fw_udp;
        proto icmp goto fw_icmp;
    }
}
chain fw_tcp proto tcp {
    dport ssh accept;
    syn deny log;
    dport domain accept;
    dport 0:1023 deny log;
}
chain fw_udp proto udp {
    deny log;
}
chain fw_icmp proto icmp {
    icmptype (destination-unreachable time-exceeded) accept;
    deny log;
}
----------------------------------------------------------------------------
From this configuration file ferm generates iptables rules that do the following: on the outside interface, TCP is allowed only for SSH and DNS; all UDP packets are blocked; and only two types of ICMP message are let through, destination-unreachable and time-exceeded, while all other ICMP messages are rejected and logged.
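To show what the ferm abstractions (if, proto, goto, dport, syn, icmptype, deny log) stand for, here is an added example, not ferm's own output, that prints the iptables commands corresponding rule for rule to the workstation file above. It assumes that "deny" maps to DROP, that "log" produces a LOG rule immediately before it, and that the outside interface is passed as an argument.

```shell
#!/bin/sh
# Added example, not ferm's own output: print the iptables commands that
# correspond, rule for rule, to the ferm workstation file above. Printed, not
# executed. IPT and the mapping of "deny" to DROP are assumptions.
IPT=iptables

# $1 = outside interface (ferm: "if ppp0").
ferm_workstation_rules() {
    outside="$1"
    # chain input { if ppp0 { proto tcp goto fw_tcp; ... } }
    for p in tcp udp icmp; do
        echo "$IPT -N fw_$p"
        echo "$IPT -A INPUT -i $outside -p $p -j fw_$p"
    done
    # chain fw_tcp proto tcp { ... }  (service names resolve via /etc/services)
    echo "$IPT -A fw_tcp -p tcp --dport ssh -j ACCEPT"
    echo "$IPT -A fw_tcp -p tcp --syn -j LOG"             # syn deny log
    echo "$IPT -A fw_tcp -p tcp --syn -j DROP"
    echo "$IPT -A fw_tcp -p tcp --dport domain -j ACCEPT"
    echo "$IPT -A fw_tcp -p tcp --dport 0:1023 -j LOG"    # dport 0:1023 deny log
    echo "$IPT -A fw_tcp -p tcp --dport 0:1023 -j DROP"
    # chain fw_udp proto udp { deny log; }
    echo "$IPT -A fw_udp -p udp -j LOG"
    echo "$IPT -A fw_udp -p udp -j DROP"
    # chain fw_icmp proto icmp { icmptype (...) accept; deny log; }
    for t in destination-unreachable time-exceeded; do
        echo "$IPT -A fw_icmp -p icmp --icmp-type $t -j ACCEPT"
    done
    echo "$IPT -A fw_icmp -p icmp -j LOG"
    echo "$IPT -A fw_icmp -p icmp -j DROP"
}

ferm_workstation_rules ppp0
```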
AGT
AGT is a program written in C. Judging from its code, it is still in the development phase. Automake is not supported, so you need to edit the Makefile by hand, and the documentation is not very rich, but its configuration file is very simple. Below is a configuration file:
new | from-int
new | reset
|| from-int | ICMP | accept |||||
|| from-int | TCP | ACCEPT ||||| POP3
|| from-int | TCP | ACCEPT ||||| IMAP
|| RESET | TCP | Reject --reject-with tcp-reset ||||
Such a file format, coupled with the lack of documentation, is a big challenge for users, who would be better off spending the time learning iptables itself.
Knetfilter
Knetfilter is a nice graphical iptables configuration tool based on KDE (there are versions for KDE1 and KDE2). Knetfilter is very easy to get started with: you can use it to configure host-based rules and rule lists, to save and restore those rules and rule lists, and to test them (you can even run the tcpdump network sniffer from the same panel with a few mouse clicks). It also supports the configuration of NAT and network addresses. However, for a dial-up workstation Knetfilter works poorly, because it requires a local IP address and only detects the eth0 network interface, not ppp. The project is also very small, but because it is graphical it can be used well even without a manual.
gShield
gShield is a Bash shell script and is perhaps the most mature tool at present. Its documentation is very rich, its configuration file is reasonable and intuitive, and NAT can be set up. It handles not only static IP addresses but also dynamic ones (for example, PPP).
gShield also has a graphical interface. It is still in an early development phase and can be downloaded from http://members.home.com/vhodges/gshieldconf.html. However, it seems to be compatible only with the earlier gShield version (1.x).
Below is an example configuration file:
FW_ROOT="/etc/firewall"
IPTABLES=`which iptables`
LOCALIF="eth0"
DNS="24.31.195.65"
LTIME="20/m"
ALLOW_DHCP_LEASES="YES"
...
gShield's default configuration is very secure, which makes it especially suitable for users who are reluctant to edit configuration files, although the software's authors suggest that users read the whole configuration file. According to the README file, gShield implements a "TCP Wrappers-like service access control" feature. With this feature a user can easily block or allow a service without thinking about individual packets, caring only about which clients may connect to the server.
Conclusion
Although this article introduces several firewall configuration tools, there is currently no ideal configuration tool. The best configuration tool is still the iptables command itself; the tools introduced here are only for users who find the iptables command line difficult to use.
Source: LinuxAid