Introduction to Netfilter / iptables
Contents:
Linux security and Netfilter/iptables
Understanding firewall configuration and packet filtering
Why configure your own firewall?
How does the Netfilter/iptables system work?
Installing the Netfilter/iptables system
Establishing rules and chains
Advantages of the Netfilter/iptables system
Conclusion
References
About the author
Configuring a firewall using Netfilter/iptables for Linux (kernel 2.4.x)
Mugdha Vairagade (vmugdha@indiatimes.com), Independent Developer
September 2002
Netfilter/iptables is the IP packet filtering system integrated with the latest 2.4.x Linux kernels. If a Linux system is connected to the Internet or to a LAN, or acts as a server or as a proxy between a LAN and the Internet, this system gives better control over IP packet filtering and firewall configuration. Mugdha Vairagade introduces the Netfilter/iptables system: how it works, its advantages, its installation and configuration, and how to use it to set up a firewall that filters IP packets on a Linux system.
Note: At least intermediate knowledge of the Linux OS and some experience configuring the Linux kernel will help in understanding this article. The article uses iptables user-space tool version 1.2.6a and kernel version 2.4.9.

Linux security and Netfilter/iptables

Linux has become very popular in the IT industry because of its robustness, reliability, flexibility and seemingly unlimited range of uses. Linux has many built-in capabilities that let developers tailor its tools, behaviour and appearance to their needs without expensive third-party tools. One built-in capability that can be used when a Linux system is connected to the Internet or a LAN, or acts as a server or as a proxy between a LAN and the Internet, is the configuration of a firewall for the Linux system on the network. This capability is provided with the help of the Netfilter/iptables system, which is integrated into the 2.4.x Linux kernel. Among the Linux packet filtering solutions, such as ipfwadm and ipchains, the Netfilter/iptables IP packet filtering system is the latest and the first to be integrated into the Linux kernel. For Linux system administrators, network administrators and home users who want to configure a firewall to their own specific needs and keep full control over IP packet filtering, the Netfilter/iptables system is an ideal firewall solution.

Understanding firewall configuration and packet filtering

For a Linux system connected to a network, a firewall is an essential defense mechanism: it allows only legitimate network traffic into and out of the system and blocks everything else. To decide whether traffic is legitimate, the firewall relies on a set of rules predefined by the network or system administrator. These rules tell the firewall whether traffic from a certain source, to a certain destination, or of a certain protocol type is legitimate and what to do with it.
The term "configuring the firewall" refers to adding, modifying and removing these rules; I discuss the rules in detail later. Network traffic travels from a source system to a destination system as small blocks of data called IP packets (or simply packets). Each packet has a header, a few bytes of data in front of the packet that carry information about its source, destination and protocol type. The firewall checks these headers against its rule set to decide which packets to accept and which to reject. We refer to this process as packet filtering.

Why configure your own firewall?

There are various reasons for configuring a firewall to specific needs; perhaps the most important is security. Administrators may want the firewall to prevent unauthorized sources from accessing their Linux system, for example over Telnet. They may also want to restrict network traffic to the system so that only traffic from trusted sources can enter and only authorized traffic can leave. Home users may configure the firewall at a lower security level, for example by letting all outbound packets through; the reason might be to save bandwidth by blocking unwanted traffic from sources such as advertising sites. Firewall configuration can thus be customized to any specific need and any required level of security, and this is what the Netfilter/iptables system is for.

How does the Netfilter/iptables system work?

The Netfilter/iptables IP packet filtering system is a powerful tool for adding, editing and removing rules; these rules are what the firewall follows when making packet filtering decisions. They are stored in dedicated packet filtering tables that are integrated into the Linux kernel. Within a packet filtering table, rules are grouped into what we call chains. I discuss rules, how to build them and how to group them into chains shortly.

Although the Netfilter/iptables IP packet filtering system is referred to as a single entity, it actually consists of two components, netfilter and iptables. The netfilter component, also known as kernel space, is the part of the kernel that consists of the packet filtering tables holding the rule sets that control packet filtering. The iptables component is a tool, also known as user space, that makes it easy to insert, modify and remove rules in the packet filtering tables. Unless you use Red Hat Linux 7.1 or later, you need to download the tool from netfilter.org and install it. Using the user-space tool you build your own custom rules, which are stored in the packet filtering tables in kernel space. Each rule has a target that tells the kernel what to do with packets from certain sources, to certain destinations or of certain protocol types. If a packet matches a rule, the target ACCEPT lets it through; the targets DROP or REJECT block and discard it. There are many other targets for other operations that can be performed on a packet.

Rules are grouped into chains according to the type of packet they handle. Rules that handle inbound packets are added to the INPUT chain, rules that handle outbound packets to the OUTPUT chain, and rules that handle forwarded packets to the FORWARD chain. These three chains are the default, built-in chains of the basic packet filtering table. There are many other chain types (such as PREROUTING and POSTROUTING), and user-defined chains are also possible. Each chain can have a policy, the "default target": the action taken when a packet matches none of the rules in the chain.
Once the rules are established and placed in the appropriate chains, real packet filtering can begin, and kernel space takes over from user space. When a packet reaches the firewall, its header information is checked first, in particular the packet's destination; we call this process routing. If the packet comes from the outside and is destined for the system itself, and the firewall is turned on, the kernel passes it to the INPUT chain of the filter table. If the packet originates from the system itself or from the internal network connected to it and is destined for another, external system, it is passed to the OUTPUT chain. Similarly, a packet that originates from an external system and is destined for another external system is passed to the FORWARD chain. Next, the packet's header information is compared with each rule in the chain it has been passed to, to see whether it fully matches a rule. If it matches, the kernel performs the operation given by the rule's target; otherwise the packet is compared with the next rule in the chain. Finally, if the packet matches none of the rules in the chain, the kernel consults the chain's policy to decide what to do with it. Ideally the policy should tell the kernel to DROP the packet. Figure 1 illustrates this packet filtering process graphically.

Figure 1. Packet filtering process (figure not reproduced)

Installing the Netfilter/iptables system

Because the netfilter component of Netfilter/iptables is integrated into kernel 2.4.x, you only need to download and install the iptables user-space tool.

Requirements

The following are needed to install the Netfilter/iptables system:
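The traversal just described, as an added example that is not from the original article: a small POSIX shell model of first-match evaluation with a user-defined chain, RETURN and a per-chain policy. The chains, rules, addresses and policies are constructed sample data, not a real rule set.

```shell
#!/bin/sh
# Constructed sample rule set: one rule per line, fields are
#   chain  protocol  source-pattern  destination-port  target
# "any" matches every protocol or port; the source is a shell glob ("*" = all).
RULES='
INPUT        tcp   *           22    trusted-ssh
INPUT        tcp   *           80    ACCEPT
INPUT        icmp  *           any   DROP
trusted-ssh  tcp   10.0.0.*    any   ACCEPT
trusted-ssh  any   *           any   RETURN
FORWARD      tcp   *           22    REJECT
'
# Policies of the built-in chains: what happens when no rule matches.
INPUT_POLICY=DROP
FORWARD_POLICY=DROP

# Scan CHAIN from rule number START for the first rule the packet matches.
# Prints "<rule-number> <target>", or nothing if no rule in the chain matches.
match_chain() {  # chain start proto src dport
    n=0
    printf '%s\n' "$RULES" |
    while read -r r_chain r_proto r_src r_dport r_target; do
        [ "$r_chain" = "$1" ] || continue
        n=$((n + 1))
        [ "$n" -ge "$2" ] || continue
        [ "$r_proto" = any ] || [ "$r_proto" = "$3" ] || continue
        case "$4" in $r_src) ;; *) continue ;; esac
        [ "$r_dport" = any ] || [ "$r_dport" = "$5" ] || continue
        echo "$n $r_target"
        break
    done
}

# Decide the fate of one packet entering a built-in chain, as in Figure 1:
# rules are tried in order and the first match decides; a target that names
# a user-defined chain jumps into it; RETURN (or running off the end of that
# chain) resumes in the calling chain right after the jump rule; when no rule
# decides, the built-in chain's policy does. Prints ACCEPT, DROP or REJECT.
filter_packet() {  # builtin_chain proto src dport
    chain=$1 proto=$2 src=$3 dport=$4
    pos=1
    while :; do
        hit=$(match_chain "$chain" "$pos" "$proto" "$src" "$dport")
        case "$hit" in
        "")
            eval "echo \"\$${chain}_POLICY\""   # end of chain: apply policy
            return ;;
        *\ ACCEPT|*\ DROP|*\ REJECT)
            echo "${hit#* }"
            return ;;
        *)
            # Jump into the user-defined chain named by the target.
            sub=$(match_chain "${hit#* }" 1 "$proto" "$src" "$dport")
            case "$sub" in
            *\ ACCEPT|*\ DROP|*\ REJECT)
                echo "${sub#* }"
                return ;;
            esac
            pos=$(( ${hit%% *} + 1 ))   # RETURN or no match: resume after the jump
            ;;
        esac
    done
}

# Walk a few constructed packets through the model.
for pkt in "INPUT tcp 10.0.0.5 22" "INPUT tcp 203.16.1.89 22" \
           "INPUT tcp 203.16.1.89 80" "INPUT udp 10.0.0.5 53" \
           "FORWARD tcp 10.0.0.5 22"; do
    printf '%-28s -> %s\n' "$pkt" "$(filter_packet $pkt)"
done
```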
Hardware: To use Netfilter/iptables you need a system running the Linux OS and connected to the Internet, a LAN or a WAN.

Software: Any version of the Linux OS with kernel 2.4 or later. You can download the latest kernel from http://www.kernel.org. You also need to download the iptables user-space tool from http://www.netfilter.org, because the tool is not part of the kernel. Red Hat Linux 7.1 or later does not require this download, because the tool is included in the standard installation from version 7.1 onward.

User: At least an intermediate understanding of the Linux OS and experience configuring Linux kernels.

Preparing for installation

Some changes to the system are needed before you install the iptables user-space tool. First, configure the kernel options with the make config command. During configuration you must turn on the CONFIG_NETFILTER and CONFIG_IP_NF_IPTABLES options by setting them to Y, because they are required for Netfilter/iptables to work. Other options you may want to turn on:

CONFIG_PACKET: Useful if you want applications and programs to work directly with certain network devices.

CONFIG_IP_NF_MATCH_STATE: Important and useful if you want to configure a stateful firewall, that is, one that remembers the decisions made while filtering earlier packets and bases new decisions on them. I discuss this further under the advantages of the Netfilter/iptables system.

CONFIG_IP_NF_FILTER: Provides the basic packet filtering framework. If this option is turned on, the basic filter table (with the built-in INPUT, FORWARD and OUTPUT chains) is added to kernel space.

CONFIG_IP_NF_TARGET_REJECT: Allows you to specify that an ICMP error message should be sent in response to inbound packets that are refused, rather than simply discarding them.
Now you are ready to install the user-space tool.

Installing the user-space tool

Having downloaded the source of the iptables user-space tool (a file such as iptables-1.2.6a.tar.bz2), you can start the installation. You need to be logged in as root. Listing 1 shows the commands needed to install the tool, in the required order, with a description of each.

Listing 1. Example of user-space tool installation
First, unpack the tool package into a directory:
# bzip2 -d iptables-1.2.6a.tar.bz2
# tar -xvf iptables-1.2.6a.tar
This will unpack the tool source into a directory named iptables-1.2.6a.
Now change to the iptables-1.2.6a directory:
# cd iptables-1.2.6a
The INSTALL file in this directory contains a lot of useful information
on compiling and installing this tool.
Now compile the user-space tool using the following command:
# make KERNEL_DIR=/usr/src/linux/
Here KERNEL_DIR=/usr/src/linux/ specifies the path to the kernel's
directory. If the kernel directory happens to be different on some
systems, the appropriate directory path should be substituted for
/usr/src/linux.
Now install the source binaries using the following command:
# make install KERNEL_DIR=/usr/src/linux/
Now the installation is complete.
Note: If you have Red Hat Linux 7.1 or later, you do not need to perform the two steps above: as noted, the standard installation of this distribution already contains the iptables user-space tool. By default, however, the tool is turned off. To run it, perform the steps in Listing 2.

Listing 2. Example of setting up the user-space tool on a Red Hat 7.1 system
First you'll have to turn off the old ipchains module (predecessor of
iptables) available in this OS package.
This can be done using the following command:
# chkconfig --level 0123456 ipchains off
Next, to completely stop the ipchains module from running, so that it
doesn't conflict with the iptables tool, you will have to stop the ipchains
service using the following command:
# service ipchains stop
Now if you don't want to keep this old ipchains module on your system,
uninstall it using the following command:
# rpm -e ipchains
Now you can turn on the iptables user-space tool with the following command:
# chkconfig --level 235 iptables on
Finally, you'll have to activate the iptables service to make the user-space
tool work by using this command:
# service iptables start
Now the user-space tool is ready to work on a Red Hat 7.1 or higher system.
Now that everything is in place and the Netfilter/iptables system should be running, some rules and chains need to be created.

Establishing rules and chains

A rule tells the firewall how to filter packets from a certain source, to a certain destination, or of a certain protocol type. Rules are created with the iptables command provided by the Netfilter/iptables system and are added to a chain in a specific packet filtering table in kernel space. The general syntax of the command for adding, removing and editing rules is:

$ iptables [-t table] command [match] [target/jump]

Table

The [-t table] option allows a table other than the standard table to be used. A table is a packet filtering table that contains only the rules and chains that handle a specific type of packet. There are three table options: filter, nat and mangle. The option is not required; if it is omitted, filter is used as the default table. The filter table is used for general packet filtering and contains the INPUT, OUTPUT and FORWARD chains. The nat table is used for packet forwarding and contains the PREROUTING, OUTPUT and POSTROUTING chains. The mangle table is used when a packet or its header is to be altered; it holds rules for marking packets for advanced routing and contains the PREROUTING and OUTPUT chains.

Note: The PREROUTING chain holds rules that alter packets as they arrive at the firewall, and the POSTROUTING chain holds rules that alter packets as they are about to leave the firewall.

Command

The mandatory command part is the most important part of the iptables command. It tells iptables what to do, for example insert a rule, append a rule to the end of a chain, or delete a rule. Some of the most commonly used commands:
-A or --append: Appends a rule to the end of the chain. Example:

$ iptables -A INPUT -s 205.168.0.1 -j ACCEPT

This sample command appends a rule to the end of the INPUT chain specifying that packets from the source address 205.168.0.1 are to be accepted.

-D or --delete: Deletes a rule from the chain, either by specifying with -D the rule to match or by giving the rule's position number in the chain. The following examples show both methods. Example:

$ iptables -D INPUT -p tcp --dport 80 -j DROP
$ iptables -D OUTPUT 3

The first command deletes from the INPUT chain the rule that specifies DROP for packets to port 80 (the --dport match needs the protocol, hence -p tcp). The second command simply deletes rule number 3 from the OUTPUT chain.

-P or --policy: Sets the default target, that is, the policy, of the chain. All packets that match no rule in the chain are subject to the chain's policy. Example:

$ iptables -P INPUT DROP

This command sets the default target of the INPUT chain to DROP, which means that all packets matching no rule in the INPUT chain are discarded.

-N or --new-chain: Creates a new chain with the name given in the command. Example:

$ iptables -N allowed-chain

-F or --flush: If a chain name is given, deletes all rules in that chain; if no chain name is given, deletes all rules in all chains. This parameter is used for quick clean-ups. Example:

$ iptables -F FORWARD
$ iptables -F

-L or --list: Lists all rules in the specified chain. Example:

$ iptables -L allowed-chain

Match

The optional match part of the iptables command specifies the characteristics a packet must have for the rule to apply (such as source and destination address, protocol and so on). Matches fall into two categories: generic matches and protocol-specific matches. Here I look at generic matches, which apply to packets of any protocol. Some important and commonly used generic matches, with examples and descriptions:
-p or --protocol: This generic protocol match checks for specific protocols. Examples of protocols are TCP, UDP, ICMP, a comma-separated list of any of these three, and ALL. ALL is the default match. The ! symbol can be used to negate the match. Example:

$ iptables -A INPUT -p tcp,udp
$ iptables -A INPUT -p ! icmp

In the example above, both commands do the same thing: they specify that all TCP and UDP packets match the rule. By specifying ! icmp we mean all protocols other than ICMP (here TCP and UDP).

-s or --source: This source match matches packets on their source IP address. It also allows matching a range of IP addresses, and the ! symbol can be used to negate the match. The default source match matches all IP addresses. Example:

$ iptables -A OUTPUT -s 192.168.1.1
$ iptables -A OUTPUT -s 192.168.0.0/24
$ iptables -A OUTPUT -s ! 203.16.1.89

The second command specifies that the rule matches all packets from the IP address range 192.168.0.0/24. The third command specifies that the rule matches any packet except those from the source address 203.16.1.89.

-d or --destination: This destination match matches packets on their destination IP address. It also allows matching a range of IP addresses, and the ! symbol can be used to negate the match. Example:

$ iptables -A INPUT -d 192.168.1.1
$ iptables -A INPUT -d 192.168.0.0/24
$ iptables -A OUTPUT -d ! 203.16.1.89

Target

We already know that the target is the operation specified by a rule, performed on packets that match the rule. Besides user-defined targets, many target options are available. Some of the commonly used targets, with examples and descriptions:
ACCEPT: When a packet fully matches a rule with the ACCEPT target, it is accepted (allowed to proceed to its destination) and stops traversing the chain (although it may traverse other chains in another table and could be discarded there). This target is specified as -j ACCEPT.

DROP: When a packet fully matches a rule with the DROP target, the packet is blocked and not processed further. This target is specified as -j DROP.

REJECT: This target works like DROP but is better than DROP. Unlike DROP, REJECT does not leave dead sockets on the server and the client; in addition, REJECT sends an error message back to the sender of the packet. This target is specified as -j REJECT. Example:

$ iptables -A FORWARD -p tcp --dport 22 -j REJECT

RETURN: The RETURN target set in a rule makes a packet that matches the rule stop traversing the chain that contains the rule. If the chain is a main chain such as INPUT, the packet is handled by the chain's default policy. It is specified as -j RETURN. Example:

$ iptables -A FORWARD -d 203.16.1.89 -j RETURN

There are many other targets for building advanced rules, such as LOG, REDIRECT, MARK, MIRROR and MASQUERADE.

Saving rules

You have now learned how to create basic rules and chains and how to add them to and remove them from the packet filtering tables. However, remember that rules established in this way are held in the kernel and are lost when the system is rebooted. So once you have an error-free, working rule set in the packet filtering tables that you want to use again after a reboot, you must save the rule set to a file. You can use the iptables-save command to do this:

$ iptables-save > iptables-script

Now all rules in the packet filtering tables are saved in the file iptables-script.
You can restore the rule set from the script file to the packet filtering tables with the iptables-restore command, as follows:

$ iptables-restore iptables-script

If you want the rule set to be restored automatically every time the system boots, you can put the command above in one of the init shell scripts.

Advantages of the Netfilter/iptables system

The greatest advantage of Netfilter/iptables is that it can be used to configure a stateful firewall, an important feature that neither ipfwadm nor ipchains offers. A stateful firewall can identify and remember the state of the connections established by the packets it sends or receives. The firewall obtains this information from the packet's connection tracking state, and using it increases the efficiency and speed of filtering new packets. There are four valid states, named ESTABLISHED, INVALID, NEW and RELATED. The state ESTABLISHED indicates that the packet belongs to an established connection that has been used to send and receive packets and is fully valid. The INVALID state indicates that the packet is not associated with any known flow or connection; it may contain erroneous data or headers. The state NEW means that the packet has started or will start a new connection, or that it is associated with a connection that has not yet been used to send and receive packets. Finally, RELATED indicates that the packet is starting a new connection and is associated with an existing, established connection.
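Putting the commands, the user-defined chain, the state match and iptables-save together, here is an added example that is not from the original article: a minimal stateful host firewall script. The trusted network address, the chain name allowed-chain (borrowed from the -N example above) and the save file name are assumptions; setting IPT=echo prints the rules instead of loading them.

```shell
#!/bin/sh
# Minimal stateful host firewall for the filter table (added example).
# Run as root: sh firewall.sh --apply           (hypothetical file name)
# With IPT=echo the script prints the iptables commands instead of loading them.
IPT=${IPT:-iptables}
IPT_SAVE=${IPT_SAVE:-iptables-save}
TRUSTED_NET=${TRUSTED_NET:-192.168.0.0/24}   # assumed LAN, change to yours

# Load the rule set. Order matters: rules are tried top to bottom and the
# first match decides, so the cheap stateful checks come first.
apply_firewall() {
    # Start from a clean slate: flush every chain and delete user-defined ones.
    $IPT -F
    $IPT -X

    # Policies: anything no rule explicitly allows is dropped. Outbound
    # traffic from the host itself is allowed (the "home user" trade-off above).
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback traffic never leaves the machine and is always allowed.
    $IPT -A INPUT -i lo -j ACCEPT

    # Stateful part (needs CONFIG_IP_NF_MATCH_STATE): replies to connections
    # this host opened, and packets related to them, come back in; packets that
    # belong to no known connection are dropped straight away.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP

    # Every NEW inbound connection is decided in one user-defined chain,
    # which must exist (-N) before a rule can jump to it.
    $IPT -N allowed-chain
    $IPT -A INPUT -m state --state NEW -j allowed-chain

    # SSH only from the trusted network, HTTP from anywhere.
    $IPT -A allowed-chain -p tcp -s "$TRUSTED_NET" --dport 22 -j ACCEPT
    $IPT -A allowed-chain -p tcp --dport 80 -j ACCEPT
    # Trusted hosts get a REJECT (ICMP error, no hanging sockets) for other
    # ports; everything else returns to INPUT, where the DROP policy applies.
    $IPT -A allowed-chain -s "$TRUSTED_NET" -j REJECT
    $IPT -A allowed-chain -j RETURN
}

# Persist the loaded rule set so it can be restored after a reboot with
# iptables-restore, as described above.
save_firewall() {  # destination file
    "$IPT_SAVE" > "$1"
}

if [ "${1:-}" = --apply ]; then
    apply_firewall
    save_firewall "${2:-iptables-script}"
fi
```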
Another important advantage of Netfilter/iptables is that it gives users complete control over firewall configuration and packet filtering. You can customize your own rules to meet your specific needs, so that only the network traffic you want enters the system. In addition, Netfilter/iptables is free, which makes it ideal for anyone wanting to save costs, since it can replace expensive firewall solutions.

Conclusion

The latest 2.4.x Linux kernels come with a built-in IP packet filtering tool, the Netfilter/iptables system, which makes firewall configuration and packet filtering easy and convenient. The Netfilter/iptables system gives its users complete control over firewall configuration and packet filtering, lets the firewall be built from customized rules that control packet filtering, and supports stateful firewalls.

References

Get the latest information about the Netfilter/iptables system, and download the iptables user-space tool, from the netfilter website (http://www.netfilter.org).
Visit the Linux 2.4 Packet Filtering HOWTO web page for a quick reference on Netfilter/iptables.
Consult the detailed Netfilter/iptables tutorial (iptables tutorial 1.1.9).
Find answers to Netfilter/iptables questions in the Netfilter/iptables FAQ.
About the author

Mugdha Vairagade is a developer with experience in several organizations. She has considerable experience with wireless applications and specializes in component architecture work. She is particularly interested in open source projects and is involved in the work of the Linux Documentation Project, Forum Nokia (WAP Developer Forum) and the W3C. She has also written technical articles on Linux and XML technologies. You can contact Mugdha at vmugdha@indiatimes.com.