Linux 2.4 Packet Filtering HOWTO Simplified Chinese version
Rusty Russell, mailing list netfilter@lists.samba.org. $Revision: 1.3 $ $Date: 2002/06/05 13:21:56 $. Simplified Chinese translation: Ocean Ghost, Netsnake; thanks to netmanforever@yahoo.com and to the Traditional Chinese version used as a reference. This document describes how to use iptables to filter out unwanted packets on the Linux 2.4 kernel. (Translator's note: the word "packet" is rendered in several different ways in professional books; this translation follows the most common usage.)
Contents

1. Introduction
2. Where is the official web site, and is there a mailing list?
3. So what is a packet filter?
   3.1 Why would I want to packet filter?
   3.2 How do I packet filter under Linux?
       3.2.1 iptables
       3.2.2 Making rules permanent
4. Who the hell are you, and why are you playing with my kernel?
5. Rusty's really quick guide to packet filtering
6. How packets traverse the filters
7. Using iptables
   7.1 What you will see when your computer starts up
   7.2 Operations on a single rule
   7.3 Filtering specifications
       7.3.1 Specifying source and destination IP addresses
       7.3.2 Specifying inversion
       7.3.3 Specifying protocol
       7.3.4 Specifying an interface
       7.3.5 Specifying fragments
       7.3.6 Extensions to iptables: new matches
             7.3.6.1 TCP extensions
                     7.3.6.1.1 An explanation of TCP flags
             7.3.6.2 UDP extensions
             7.3.6.3 ICMP extensions
             7.3.6.4 Other match extensions
             7.3.6.5 The state match
   7.4 Target specifications
       7.4.1 User-defined chains
       7.4.2 Extensions to iptables: new targets
       7.4.3 Special built-in targets
   7.5 Operations on an entire chain
       7.5.1 Creating a new chain
       7.5.2 Deleting a chain
       7.5.3 Flushing a chain
       7.5.4 Listing a chain
       7.5.5 Resetting (zeroing) counters
       7.5.6 Setting policy
8. Using ipchains and ipfwadm
9. Mixing NAT and packet filtering
10. Differences between iptables and ipchains
11. Advice on packet filter design

1. Introduction

Welcome, gentle reader. This document assumes that you know what IP addresses, network addresses, netmasks, routing and DNS are. If you do not, I recommend that you read the Network Concepts HOWTO first. This HOWTO moves between a gentle introduction (which will leave you feeling warm and fuzzy, but no more secure) and raw disclosure (which will leave even the most hardened veteran somewhat stunned, yet armed with new knowledge).

Your network is not secure. The problem of allowing fast, convenient communication while restricting it to good, non-malicious use is like allowing free speech in a crowded theatre while forbidding anyone to shout "Fire!". This HOWTO is not going to solve that problem.
(Translator's note: all security is relative; otherwise documents like this one would not need to exist.) So you can only decide where to make your compromises. I am going to try to help you use some of the tools that are available, and to point out some of the vulnerabilities you should be aware of, in the hope that you use them for good and not for evil, which is another equally important issue.

(C) 2000 Paul `Rusty' Russell. Licensed under the GNU GPL.
2. Where is the official web site, and is there a mailing list?

There are three official sites:

  o Thanks to Filewatcher: http://netfilter.filewatcher.org
  o Thanks to the Samba Team and SGI: http://netfilter.samba.org
  o Thanks to Harald Welte: http://netfilter.gnumonks.org

You can reach all of them through the following two addresses: http://www.netfilter.org and http://www.iptables.org

The official netfilter mailing list is listed at http://www.netfilter.org/contact.html#list

3. So what is a packet filter?

A packet filter is a piece of software that looks at the header of each packet as it passes through, and decides the fate of the whole packet. It might decide to DROP the packet (discard it as if it had never been received), to ACCEPT it (let it through), or to do something more complicated. Under Linux, packet filtering is built into the kernel (either as a kernel module or compiled in), and there are a few trickier things we can do with packets, but the general principle of looking at the headers and deciding what happens to the packet is the same.
3.1 Why would I want to packet filter?

Control, security and watchfulness.

Control: when you use a Linux box to connect your internal network to another network (say, the Internet), you have the opportunity to allow some kinds of traffic and disallow others. For example, the header of a packet contains its destination address, so you can prevent packets from going to a certain part of the outside network. Another example: I use Netscape to read the Dilbert archives. The page carries advertisements from doubleclick.net, and Netscape wastes my time cheerfully downloading them. Telling the packet filter not to allow any packets to or from the addresses owned by doubleclick.net solves that problem (there are better ways of doing this, though: see Junkbuster).

Security: when your Linux box is the only thing between the chaos of the Internet and your nice, orderly network, it is good to know that you can restrict what comes in your door. For example, you might allow anything out from your network, but you might be worried about the well-known "Ping of Death" coming in from malicious outsiders. As another example, you might not want outsiders telnetting to your Linux box, even though all the accounts have passwords. Maybe you want (like most people) to be an observer on the Internet and not a server (willing or otherwise). Simply do not let anyone connect in, by having the packet filter reject incoming packets used to set up connections.

Watchfulness: sometimes a badly configured machine on the local network will decide to spew packets at the outside world. It is nice to be able to tell the packet filter to let you know if anything abnormal happens; maybe you can do something about it, or maybe you are just curious.
3.2 How do I packet filter under Linux?

The Linux kernel has had packet filtering since the 1.1 series. The first generation, based on ipfw from BSD, was ported by Alan Cox in 1994. This was enhanced by Jos Vos and others for Linux 2.0; the userspace tool 'ipfwadm' controlled the kernel filtering rules. In 1998, with the help of Michael Neuling, I rewrote it for Linux 2.2 and introduced the userspace tool 'ipchains'. Finally, in 1999, the fourth-generation tool, 'iptables', and another kernel rewrite were released for Linux 2.4. That iptables is what this HOWTO is about. (Translator's note: 'userspace' is rendered as 'user space', following Taiwanese usage; the term distinguishes the two regions of system memory, kernel space and user space, and needs no further explanation.)

You need a kernel that has the netfilter infrastructure in it. Netfilter is a general framework inside Linux into which other things (such as the iptables module) can plug. This means you need kernel 2.3.15 or later, and you must answer 'Y' to CONFIG_NETFILTER when configuring the kernel.

The tool 'iptables' talks to the kernel and tells it which packets to filter. Unless you are a programmer, or very curious, this is how you will control the packet filter.

3.2.1 iptables

The iptables tool inserts and deletes rules in the kernel's packet filtering table. This means that whatever you set up will be lost on reboot; see "Making rules permanent" for how to make sure your rules are restored the next time Linux boots.

iptables is the replacement for ipfwadm and ipchains. If you are a user of one of those, see "Using ipchains and ipfwadm" for how to use iptables painlessly.
3.2.2 Making rules permanent

Your current firewall setup is stored in the kernel, and so it will be lost on reboot. Try the iptables-save and iptables-restore scripts to save the rules to a file, and to restore them from that file.
4. Who the hell are you, and why are you playing with my kernel?

I am Rusty Russell, the Linux IP firewall maintainer, and just one of the many people who happened to be in the right place at the right time. I wrote ipchains (see "How do I packet filter under Linux?" above for the people who did the real work), and I hope I have learnt enough this time to get packet filtering right. WatchGuard, an excellent firewall company (the rest of this paragraph was omitted by the translator). Anyway, I want to clear up one misconception: I am not a kernel guru. I know this because my kernel work has brought me into contact with some of them: David S. Miller, Alexey Kuznetsov, Andi Kleen and Alan Cox. In any case, they do the deep work, and they do it safely and elegantly.
5. Rusty's really quick guide to packet filtering

Most people just have a single PPP connection to the Internet, and do not want anyone coming back into their network or their firewall:

    ## Insert connection-tracking modules (not needed if built into the kernel).
    # insmod ip_conntrack
    # insmod ip_conntrack_ftp

    ## Create a chain which blocks new connections, except if coming from inside.
    # iptables -N block
    # iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
    # iptables -A block -m state --state NEW -i ! ppp0 -j ACCEPT
    # iptables -A block -j DROP

    ## Jump to that chain from the INPUT and FORWARD chains.
    # iptables -A INPUT -j block
    # iptables -A FORWARD -j block

6. How packets traverse the filters

The kernel starts with three lists of rules in the 'filter' table; these lists are called firewall chains, or just chains. The three chains are called INPUT, OUTPUT and FORWARD.

For ASCII-art fans, the chains are arranged like so (note: this is very different from the 2.0 and 2.2 kernels; translator's note: ASCII art is a picture drawn with plain ASCII text):

                             _____
    Incoming                /     \         Outgoing
           -->[Routing ]--->|FORWARD|------->
              [Decision]    \_____/        ^
                   |                       |
                   v                      ____
                  ___                    /    \
                 /   \                  |OUTPUT|
                |INPUT|                  \____/
                 \___/                     ^
                   |                       |
                    ----> Local Process ----

The three circles represent the three chains mentioned above. When a packet reaches a circle in the diagram, that chain is examined to decide the fate of the packet. If the chain says to DROP the packet, it is killed there; but if the chain says to ACCEPT the packet, it continues traversing the diagram.

A chain is a checklist of rules. Each rule says: "if the packet header looks like this, then here is what to do with the packet". If the rule does not match the packet, the next rule in the chain is consulted. Finally, if there are no more rules to consult, the kernel looks at the chain policy (sometimes called the default rule) to decide what to do. In a security-conscious system, this policy usually tells the kernel to DROP the packet.

1. When a packet comes in (say, through the Ethernet card), the kernel first looks at the destination of the packet: this is called "routing".
2. If it is destined for this box, the packet passes downwards in the diagram to the INPUT chain. If it passes this, any processes waiting for that packet will receive it.
3. Otherwise, if the kernel does not have forwarding enabled, or it does not know how to forward the packet, the packet is dropped. If forwarding is enabled, and the packet is destined for another network interface (if you have another one), then the packet goes rightwards in our diagram to the FORWARD chain. If it is ACCEPTed, it will be sent out.
4. Finally, a program running on the box can send network packets. These packets pass through the OUTPUT chain immediately: if it says ACCEPT, the packet continues out to whatever interface it is destined for.

7. Using iptables

iptables has a fairly detailed manual page (man iptables), in case you need more detail on particulars. Those of you familiar with ipchains might want to look at "Differences between iptables and ipchains"; they are very similar.

There are several different things you can do with iptables. You start with three built-in chains, INPUT, OUTPUT and FORWARD, which you cannot delete.
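To tie section 3.2.2 (making rules permanent) to the quick guide of section 5, here is an added example that is not part of the original HOWTO: a POSIX shell script that writes the quick-guide ruleset in the text format that iptables-save writes and iptables-restore reads, so the rules can be reviewed, kept under version control and reloaded at boot in one step. The default interface ppp0, the file path /etc/iptables.rules and the function names are assumptions of this example, not anything the HOWTO prescribes.

```shell
#!/bin/sh
# Added example (not from the HOWTO): persist the section 5 ruleset in
# iptables-restore format. Nothing here touches the kernel until
# apply_rules or save_rules is run, and those need root.
set -u

RULES_FILE=${RULES_FILE:-/etc/iptables.rules}   # assumed location

# Emit the ruleset for external interface $1 (default ppp0). The format is
# one "*table ... COMMIT" block per table, chain declarations as
# ":NAME POLICY [packets:bytes]" ("-" means a user-defined chain with no
# policy), and rules written as the arguments you would give "iptables -A".
ruleset() {
    ext=${1:-ppp0}
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:block - [0:0]
-A INPUT -j block
-A FORWARD -j block
-A block -m state --state ESTABLISHED,RELATED -j ACCEPT
-A block -m state --state NEW ! -i $ext -j ACCEPT
-A block -j DROP
COMMIT
EOF
}

# Names of the chains a restore file (on stdin) declares, space separated,
# in order. A cheap sanity check before loading a hand-edited file.
declared_chains() {
    sed -n 's/^:\([^ ]*\) .*/\1/p' | tr '\n' ' ' | sed 's/ $//'
}

# Number of "-A" rules in a restore file read from stdin.
rule_count() {
    grep -c '^-A '
}

# Write the file, then load it. iptables-restore replaces the whole
# 'filter' table in a single operation at COMMIT, so there is no moment at
# which the chain is half-built, unlike running the iptables commands of
# section 5 one after another.
apply_rules() {
    ruleset "${1:-ppp0}" > "$RULES_FILE"
    modprobe ip_conntrack 2>/dev/null       # 2.4: only if not built into the kernel
    modprobe ip_conntrack_ftp 2>/dev/null
    iptables-restore < "$RULES_FILE"
}

# Save whatever the kernel currently holds, e.g. after hand edits with -A/-D.
save_rules() {
    iptables-save > "$RULES_FILE"
}

case "${1:-}" in
    emit)  ruleset "${2:-ppp0}" ;;
    apply) apply_rules "${2:-ppp0}" ;;
    save)  save_rules ;;
esac
```

Run `sh rules.sh emit eth1` to see the file for a different external interface; `apply` and `save` must run as root. At boot, a single `iptables-restore < /etc/iptables.rules` in an init script (after the connection-tracking modules are loaded) brings the rules back. The negation is written `! -i ppp0`, the form current iptables prefers; the HOWTO's `-i ! ppp0` is the older spelling of the same test.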
Let us look first at the operations that act on a whole chain:

1. Create a new chain (-N).
2. Delete an empty chain (-X).
3. Change the policy of a built-in chain (-P).
4. List the rules in a chain (-L).
5. Flush the rules out of a chain (-F).
6. Zero the packet and byte counters on all rules in a chain (-Z).

There are several ways to manipulate the rules inside a chain:

1. Append a new rule to a chain (-A).
2. Insert a new rule at some position in a chain (-I).
3. Replace a rule at some position in a chain (-R).
4. Delete a rule at some position in a chain, or the first rule that matches (-D).
7.1 What you will see when your computer starts up

iptables can be a module, called 'iptable_filter.o', which should be loaded automatically the first time you run iptables. It can also be built into the kernel permanently.

Before any iptables commands have been run (careful: some distributions run iptables in their initialization scripts), there will be no rules in any of the built-in chains ('INPUT', 'FORWARD' and 'OUTPUT'), and all the chains will have a policy of ACCEPT. You can change the default policy of the FORWARD chain by giving the 'forward=0' option to the iptable_filter module when it is loaded.
7.2 Operations on a single rule

This is the bread and butter of packet filtering: manipulating rules. Most commonly, you will use the append (-A) and delete (-D) commands. The others (-I for insert and -R for replace) are simple extensions of these two.

Each rule specifies a set of conditions the packet must meet, and what to do if it meets them (the "target"). For example, you might want to drop all ICMP packets coming from the IP address 127.0.0.1. In this case our conditions are that the protocol must be ICMP and that the source address must be 127.0.0.1; our target is DROP.

127.0.0.1 is the loopback interface, which exists even if you have no real network connection. You can use the ping program to generate such packets (it simply sends an ICMP type 8, echo request, which all cooperative hosts should obligingly answer with an ICMP type 0, echo reply). This makes it useful for testing:

    # ping -c 1 127.0.0.1
    PING 127.0.0.1 (127.0.0.1): 56 data bytes
    64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.2 ms

    --- 127.0.0.1 ping statistics ---
    1 packets transmitted, 1 packets received, 0% packet loss
    round-trip min/avg/max = 0.2/0.2/0.2 ms
    # iptables -A INPUT -s 127.0.0.1 -p icmp -j DROP
    # ping -c 1 127.0.0.1
    PING 127.0.0.1 (127.0.0.1): 56 data bytes

    --- 127.0.0.1 ping statistics ---
    1 packets transmitted, 0 packets received, 100% packet loss
    #

You can see that the first ping succeeds ('-c 1' tells ping to send only a single packet). Then we append (-A) to the 'INPUT' chain a rule saying that packets from 127.0.0.1 ('-s 127.0.0.1') with protocol ICMP ('-p icmp') should jump to DROP ('-j DROP'). Then we test the rule with the second ping. There will be a pause before the program gives up waiting for a response that will never come.

We can delete the rule in one of two ways. First, since we know it is the only rule in the INPUT chain, we can delete it by number:

    # iptables -D INPUT 1

This deletes rule number 1 in the INPUT chain. The second way is to mirror the -A command, replacing -A with -D. This is useful when you have a complex chain of rules and do not want to count them to find out that it is rule 37 you want to get rid of. In this case we would use:

    # iptables -D INPUT -s 127.0.0.1 -p icmp -j DROP

The -D form must carry exactly the same options as the -A (or -I or -R) command did. If there are several identical rules in the same chain, only the first is deleted.

7.3 Filtering specifications

We have seen the use of '-p' to specify the protocol and '-s' to specify the source address, but there are other options we can use to specify packet characteristics. What follows is an exhaustive compendium.
7.3.1 Specifying source and destination IP addresses

Source ('-s', '--source' or '--src') and destination ('-d', '--destination' or '--dst') IP addresses can be specified in four ways. The most common way is to use a full name, such as 'localhost' or 'www.linuxhq.com'. The second way is to give the IP address itself, such as '127.0.0.1'. Note that a name is resolved once, when the rule is inserted, so relying on DNS for the addresses in firewall rules is a bad idea.

The third and fourth ways allow you to specify a group of IP addresses, such as '199.95.207.0/24' or '199.95.207.0/255.255.255.0'. Both of these specify every IP address from 199.95.207.0 to 199.95.207.255 inclusive; the digits after the '/' say which part of the IP address is significant. '/32' or '/255.255.255.255' is the default (match the entire IP address). To specify any IP address at all, '/0' can be used, like so:

    ## '-s 0/0' is redundant here
    # iptables -A INPUT -s 0/0 -j DROP

This is rarely used, since the effect above is the same as not specifying '-s' at all.

7.3.2 Specifying inversion

Many flags, including the '-s' (or '--source') and '-d' ('--destination') flags, can have their argument preceded by '!' (pronounced "not") to match addresses NOT equal to the one given. For example, '-s ! localhost' matches any packet not coming from this box.
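The four address forms above and the '!' inversion can be checked without touching a kernel. The following is an added example, not code from the HOWTO: a POSIX shell function that reproduces the address test iptables applies for '-s' and '-d', accepting a bare address, a prefix length, a dotted netmask, and a leading '!'. The function names are this example's own; hostnames are deliberately not handled, since iptables resolves those before the rule ever reaches the kernel.

```shell
#!/bin/sh
# Added example (not from the HOWTO): the address-matching semantics of
# -s / -d, in shell. ip_match ADDR SPEC prints 1 if ADDR would match
# SPEC, 0 otherwise. SPEC is what you would write after -s or -d:
# "a.b.c.d", "a.b.c.d/N", "a.b.c.d/m.m.m.m", optionally prefixed by "!".

# Dotted quad -> 32-bit integer. Missing octets count as 0, so the
# shorthand "0" from the HOWTO's '-s 0/0' works too.
ip_to_int() {
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( (${1:-0} << 24) | (${2:-0} << 16) | (${3:-0} << 8) | ${4:-0} ))
}

# Netmask given either as a prefix length ("24") or dotted ("255.255.255.0").
# /24 and /255.255.255.0 yield the same integer, which is why the HOWTO
# calls them equivalent.
mask_to_int() {
    case "$1" in
        *.*) ip_to_int "$1" ;;
        0)   echo 0 ;;                                        # "/0": nothing is significant
        *)   echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF )) ;;
    esac
}

ip_match() {
    addr=$1 spec=$2 invert=0
    case "$spec" in
        '!'*) invert=1; spec=${spec#!}; spec=${spec# } ;;     # "! 1.2.3.4" or "!1.2.3.4"
    esac
    net=${spec%%/*}
    case "$spec" in
        */*) mask=${spec#*/} ;;
        *)   mask=32 ;;                                       # default: whole address must match
    esac
    a=$(ip_to_int "$addr")
    n=$(ip_to_int "$net")
    m=$(mask_to_int "$mask")
    if [ $(( a & m )) -eq $(( n & m )) ]; then hit=1; else hit=0; fi
    echo $(( hit ^ invert ))                                   # '!' flips the result
}

# Show the HOWTO's own examples against one address when run directly.
for spec in 199.95.207.0/24 199.95.207.0/255.255.255.0 '! 199.95.207.0/24' 0/0; do
    printf '%-28s 199.95.207.77 -> %s\n' "$spec" "$(ip_match 199.95.207.77 "$spec")"
done
```

The masking step is the whole story: the kernel compares only the bits the mask marks as significant, so a '/0' specification keeps no bits and therefore matches everything, which is why '-s 0/0' adds nothing to a rule.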
7.3.3 Specifying protocol

The protocol is specified with the '-p' (or '--protocol') flag. It can be a number (if you know the numeric protocol values of IP) or a name for the special cases 'TCP', 'UDP' and 'ICMP'. Case does not matter, so 'tcp' works as well as 'TCP'. The protocol name can be preceded by '!' to invert it, so '-p ! TCP' matches all packets that are not TCP.