Advanced use of Netfilter
Creation time: 2001-08-24
Article properties: reprint
Article Source:
Santa2001@263.net
Article submission:
INBURST (Inburst_AT_263.NET)
By Santa
Netfilter has a number of features that are not included in the standard Linux kernel, such as time-based control, dropped-table, port-scan detection and more. Most of these features will gradually be merged into the Linux kernel, but they have not yet been tested carefully, so use them with caution.
To use these features, first download the latest iptables source code. After unpacking it, run
make pending-patches KERNEL_DIR=<<where-your-kernel-is>>
to check whether your kernel is too old, then run make patch-o-matic and follow the prompts to select the new features you want to install. Here are some of the features I consider useful:
1. ah-esp adds two matches that allow matching on the SPI (Security Parameters Index) in the AH or ESP header of IPsec packets.
2. ct-netlink lets a user space program obtain the connection tracking state through netlink and change connection state from user space. This patch conflicts with most other patches.
3. dropped-table adds a "dropped" table that is traversed by packets being dropped. Conflicts with most other patches.
4. FTOS extends the TOS target so that the TOS field can be set to any value between 0x00 and 0xFF, for simple QoS.
5. iplimit limits the number of concurrent connections per client to a host or network. For example:
iptables -A INPUT -p tcp --syn --dport 23 -m iplimit --iplimit-above 2 -j REJECT
(2 telnet connections per client), which is equivalent to
iptables -A INPUT -p tcp --syn --dport 23 -m iplimit ! --iplimit-above 2 -j ACCEPT
To limit each class C network to 16 HTTP connections:
iptables -A INPUT -p tcp --syn --dport 80 -m iplimit --iplimit-above 16 \
--iplimit-mask 24 -j REJECT
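To make the two rules above concrete, here is an added Python emulation of the iplimit count (example code written for this article, not part of the iplimit patch). It assumes a constructed snapshot of tracked connections and shows why --iplimit-mask 24 aggregates a whole /24 while the default mask counts per host, and that the new SYN itself is counted, so "above 2" admits two sessions and matches on the third.

```python
import ipaddress

# Constructed snapshot of tracked TCP connections: (client IP, destination port).
# This is sample data, not real conntrack output.
CONNECTIONS = [
    ("10.1.1.5", 23), ("10.1.1.5", 23),                    # two telnet sessions from one host
    ("10.1.1.5", 80), ("10.1.1.6", 80), ("10.1.1.7", 80),  # three web sessions from 10.1.1.0/24
    ("10.1.2.9", 80),                                      # one web session from another /24
]

def client_key(ip, mask_bits):
    """Group a client the way --iplimit-mask does: mask 32 is per host,
    mask 24 lumps an entire /24 network together."""
    return str(ipaddress.ip_network(f"{ip}/{mask_bits}", strict=False))

def iplimit_above(conns, client_ip, dport, above, mask_bits=32):
    """Emulate `-p tcp --syn --dport <dport> -m iplimit --iplimit-above <above>
    --iplimit-mask <mask_bits>` for a new SYN from client_ip.
    The new connection is counted as well, so `above 2` lets two sessions
    through and matches (rejects) on the third."""
    key = client_key(client_ip, mask_bits)
    existing = sum(1 for ip, port in conns
                   if port == dport and client_key(ip, mask_bits) == key)
    return existing + 1 > above

def telnet_rejected(client_ip, conns=CONNECTIONS):
    """First rule from the text: at most 2 telnet sessions per client host."""
    return iplimit_above(conns, client_ip, 23, above=2)

def http_rejected(client_ip, conns=CONNECTIONS, above=16):
    """Second rule from the text: at most `above` HTTP connections per /24."""
    return iplimit_above(conns, client_ip, 80, above=above, mask_bits=24)
```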
6. ipv4options matches IP options; with it you can filter out packets carrying source routing, record route, timestamp and other IP options. Run iptables -m ipv4options --help for details. For example, iptables -A INPUT -m ipv4options --rr -j DROP drops packets with the record route option, and iptables -A INPUT -m ipv4options --ts -j DROP drops packets with the timestamp option.
7. irc-conntrack-nat adds connection tracking and NAT support for IRC's DCC (Direct Client-to-Client) protocol.
8. length allows matching on packet length, either a specific value or a range. For example, oversized packets such as a ping of death (POD) can be dropped. The minimum length is 0, the maximum is 0xffff.
9. mport is an enhancement of the multiport match: the port specification can mix single ports and port ranges. It looks very useful, but I could not get it to work in my tests (2.4.6 and 2.4.9 kernels).
10. netlink lets a user space program receive packets via netlink. One available user space program is fwmon (http://firestorm.geek-ware.co.uk). This patch is roughly the equivalent of the -o option of ipchains.
11. NETMAP adds a NETMAP target for the nat table, providing one-to-one network mapping. It can change the destination address of incoming packets in the PREROUTING chain and the source address of outgoing packets in the POSTROUTING chain. Example:
iptables -t nat -A PREROUTING -d 1.2.3.0/24 -j NETMAP --to 5.6.7.0/24
iptables -t nat -A POSTROUTING -s 5.6.7.0/24 -j NETMAP --to 1.2.3.0/24
12. nth matches every nth packet.
13. pkttype matches packets by link-layer packet type, for example broadcast or multicast. Example:
iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG
14. pool provides a way of representing addresses as bits in a bitmap; the user space program ippool is required.
15. psd detects port scans; the design comes from Solar Designer's scanlogd. The following options are supported:
a. --psd-weight-threshold
how many packets (by weight) from the same host to different destination ports count as a scan
b. --psd-delay-threshold
the delay within which packets from the same host to different destination ports are treated as one scan sequence
c. --psd-lo-ports-weight
the weight of a packet to a privileged destination port
d. --psd-hi-ports-weight
the weight of a packet to a non-privileged destination port
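The way these four options interact is easier to see in code, so here is an added, simplified Python model of the psd scoring (example code written for this article, not the psd module itself). It assumes the delay threshold is in seconds, that ports below 1024 are the privileged ones, and uses constructed sample traffic; a gap longer than the delay threshold resets a host's score, and only distinct destination ports add weight.

```python
from dataclasses import dataclass, field

@dataclass
class PsdConfig:
    weight_threshold: int = 21     # --psd-weight-threshold
    delay_threshold: float = 3.0   # --psd-delay-threshold (seconds here; assumed unit)
    lo_ports_weight: int = 3       # --psd-lo-ports-weight: privileged ports (< 1024 assumed)
    hi_ports_weight: int = 1       # --psd-hi-ports-weight: all other ports

@dataclass
class _HostState:
    last_seen: float
    ports: set = field(default_factory=set)
    weight: int = 0

class PortScanDetector:
    """Per-source-host scan scoring in the style of psd/scanlogd (simplified)."""
    def __init__(self, cfg=PsdConfig()):
        self.cfg = cfg
        self.hosts = {}

    def packet(self, src, dport, ts):
        """Feed one packet (source, destination port, timestamp); True when it crosses the threshold."""
        st = self.hosts.setdefault(src, _HostState(last_seen=ts))
        # A gap longer than the delay threshold breaks the sequence, so slow probes do not accumulate.
        if ts - st.last_seen > self.cfg.delay_threshold:
            st.ports.clear()
            st.weight = 0
        st.last_seen = ts
        # Only *different* destination ports add weight: a client hammering one service is not a scan.
        if dport in st.ports:
            return False
        st.ports.add(dport)
        st.weight += self.cfg.lo_ports_weight if dport < 1024 else self.cfg.hi_ports_weight
        return st.weight >= self.cfg.weight_threshold

def first_hit(packets, cfg=PsdConfig()):
    """Index of the first packet flagged as completing a scan, or None."""
    det = PortScanDetector(cfg)
    for i, (src, dport, ts) in enumerate(packets):
        if det.packet(src, dport, ts):
            return i
    return None

# Constructed sample traffic (not real captures): (source, dport, timestamp).
LOW_PORTS = [21, 22, 23, 25, 80, 110, 143, 443]
FAST_SCAN = [("192.0.2.10", p, 0.1 * i) for i, p in enumerate(LOW_PORTS)]   # 7 low ports reach 21
SLOW_SCAN = [("192.0.2.11", p, 5.0 * i) for i, p in enumerate(LOW_PORTS)]   # 5 s gaps never add up
HIGH_SCAN = [("192.0.2.12", 30000 + i, 0.1 * i) for i in range(30)]          # high ports weigh 1 each
```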
16. realm requires CONFIG_NET_CLS_ROUTE4 in the QoS configuration; it allows routing realm keys to be used in iptables, so that outgoing packets can be classified according to the matching routing table entry.
17. record-rpc adds two modules, ip_conntrack_rpc_udp and ip_conntrack_rpc_tcp, which record TCP and UDP portmap requests, and adds a record-rpc match that can recognise an RPC connection belonging to a recorded request or portmap mapping. This makes RPC filtering easy to implement.
18. SAME is similar to the standard SNAT target, but gives each client the same IP address for every one of its connections. It also provides the --nodst option, with which the destination IP address is not used when selecting the source IP. Not compatible with dropped-table.
19. snmp-nat implements an ALG (application layer gateway) for SNMP payloads, which together with NAT allows a network management system to reach multiple private networks even when their IP addresses conflict. It keeps the SNMP payload consistent with the IP-layer NAT mapping by rewriting the IP addresses inside the SNMP payload. This is the basic form of SNMP ALG, described in detail in RFC 2962.
20. string allows matching packets that contain a specific string, which can serve as a simple IDS.
21. TCP-MSS adds a TCPMSS target, which allows the MSS field in TCP SYN packets to be adjusted in order to control the maximum packet size of the connection.
Some firewalls or hosts filter out ICMP type 3, code 4 (fragmentation needed) packets. The symptoms are as follows:
a. web browsing hangs;
b. small emails can be received, but large ones cannot;
c. ssh works fine, but scp hangs after the handshake succeeds.
The TCPMSS target is used to solve such problems. This patch has been included in the kernel since 2.4.7.
22. tcp-window-tracking: this patch implements TCP connection tracking according to the paper by Guido van Rooij [1], tracking the TCP window of established connections. Window scaling support was added.
[1] http://www.iae.nl/Users/guido/papers/tcp_filtering.ps.gz
23. time adds a time match: you can specify when a rule takes effect and when it stops applying. Run iptables -m time --help for details. This patch adds the following options:
a. --timestart HH:MM
when the rule starts to apply
b. --timestop HH:MM
when the rule stops applying
c. --days Mon,Tue,...
the days of the week
For example, -m time --timestart 8:00 --timestop 18:00 --days Mon,Tue,Wed,Thu,Fri is in effect from 8:00 to 18:00, Monday to Friday.
Note that this patch does not currently handle time zones; only UTC time can be used.
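The UTC restriction is the part that bites in practice: a rule copied from local office hours silently matches the wrong window. The added Python below (example code written for this article, not part of the time patch) emulates the match against UTC and converts a window meant in local time into the UTC window(s) that must actually be written, splitting the rule in two when the shift crosses midnight UTC. It assumes timestart <= timestop and treats timestop as inclusive.

```python
from datetime import datetime, timedelta, timezone

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]

def _minutes(hhmm):
    h, m = hhmm.split(":")
    return int(h) * 60 + int(m)

def _hhmm(minutes):
    return f"{minutes // 60}:{minutes % 60:02d}"

def _shift_days(days, k):
    return [DAYS[(DAYS.index(d) + k) % 7] for d in days]

def at(year, month, day, hour, minute, utc_offset_hours):
    """Build an aware datetime for a local wall-clock time in UTC+utc_offset_hours."""
    return datetime(year, month, day, hour, minute,
                    tzinfo=timezone(timedelta(hours=utc_offset_hours)))

def time_match(start, stop, days, when):
    """Emulate `-m time --timestart start --timestop stop --days days` (stop
    inclusive). The patch compares UTC wall-clock time, so `when` is converted first."""
    utc = when.astimezone(timezone.utc)
    now = utc.hour * 60 + utc.minute
    return DAYS[utc.weekday()] in days and _minutes(start) <= now <= _minutes(stop)

def local_window_to_utc(start, stop, days, utc_offset_hours):
    """Translate a window meant in local time (UTC+utc_offset_hours) into the
    UTC window(s) the rule must specify. Returns a list of (timestart, timestop,
    days); two entries when the shifted window crosses midnight UTC, since a
    single rule cannot span two days."""
    s = _minutes(start) - utc_offset_hours * 60
    e = _minutes(stop) - utc_offset_hours * 60
    if e < 0:                     # whole window falls on the previous UTC day
        return [(_hhmm(s + 1440), _hhmm(e + 1440), _shift_days(days, -1))]
    if s >= 1440:                 # whole window falls on the next UTC day
        return [(_hhmm(s - 1440), _hhmm(e - 1440), _shift_days(days, 1))]
    if s < 0:                     # starts on the previous UTC day: split in two
        return [(_hhmm(s + 1440), "23:59", _shift_days(days, -1)),
                ("0:00", _hhmm(e), days)]
    if e >= 1440:                 # ends on the next UTC day: split in two
        return [(_hhmm(s), "23:59", days),
                ("0:00", _hhmm(e - 1440), _shift_days(days, 1))]
    return [(_hhmm(s), _hhmm(e), days)]
```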
24. TTL adds a TTL target, which lets you set the TTL, or increase or decrease it by a specified value.
25. ULOG adds a ULOG target. Packets that jump to this target are passed via netlink multicast sockets to a user space daemon, unlike the LOG target, which can only write to syslog. The libipulog directory contains a library for receiving ULOG messages. One implementation of the user space daemon, ulogd, can be obtained from
http://www.gnumonks.org/projects/ulogd.
Because of limited resources, most of the above has not been tested; corrections of errors and omissions are welcome.