Netfilter/iptables is the IP packet filtering system integrated into the 2.4.x series of the Linux kernel. If a Linux system is connected to the Internet or to a LAN, or acts as a server or proxy between a LAN and the Internet, this system gives you fine control over IP packet filtering and firewall configuration on that system. This article introduces the Netfilter/iptables system, how it works, its advantages, and how to use it to configure a firewall on a Linux system to filter IP packets.
Note: An intermediate knowledge of the Linux operating system and some experience configuring the Linux kernel will help in understanding this article.
Linux security and Netfilter / iptables
Linux has become very popular in the IT industry because of its robustness, reliability, flexibility, and seemingly unlimited range of uses. It has many built-in capabilities, and developers can customize its tools, behavior, and appearance to their needs without expensive third-party tools. If a Linux system is connected to the Internet or a LAN, or is a server or proxy between a LAN and the Internet, one of the built-in capabilities worth using is firewall configuration for that system on the network. This capability is provided by the Netfilter/iptables system, which is integrated into the 2.4.x Linux kernel.
Among the Linux packet filtering solutions, which include ipfwadm and ipchains, the Netfilter/iptables IP packet filtering system is the latest, and it is also the first to be integrated into the Linux kernel. For Linux system administrators, network administrators, and home users who want to configure a firewall to their own specific needs, the Netfilter/iptables system is a cost-saving firewall solution that gives full control over IP packet filtering. It is very well suited to them.
Understanding firewall configuration and packet filtering
For a Linux system connected to a network, a firewall is an essential defense mechanism: it allows only legitimate network traffic to enter and leave the system and blocks everything else. To decide whether traffic is legitimate, the firewall relies on a set of rules predefined by the network or system administrator. These rules tell the firewall what is legitimate and what to do with network traffic from a given source, to a given destination, or of a given protocol type. The term "configuring a firewall" refers to adding, modifying, and removing these rules. I will discuss the rules in detail later.
Network traffic travels from a source system to a destination system as small blocks of data called IP packets (or simply packets). Each packet has a header, a few bits of data placed in front of the packet that carry information about its source, destination, and protocol type. The firewall checks these headers against its set of rules to decide which packets to accept and which to reject. This process is called packet filtering.
Why configure your own firewall?
There are various reasons for configuring a firewall to specific needs. Probably the most important one is security.
Administrators may want their firewall to keep unauthorized sources from accessing their Linux systems, for example through Telnet. They may also want to restrict the network traffic to and from the system, so that only traffic from trusted sources can enter and only authorized traffic can leave. Home users may choose a lower security level, for instance by configuring the firewall to let all outbound packets through.
Another reason is that bandwidth can be saved by blocking unwanted traffic from sources such as advertising sites.
So firewall configuration can be customized to any specific needs and any required level of security. That is what the Netfilter/iptables system is for.
How does the Netfilter/iptables system work?
The Netfilter/iptables IP packet filtering system is a powerful tool for adding, editing, and removing rules, which the firewall follows and consults when it makes packet filtering decisions. These rules are stored in dedicated packet filtering tables that are integrated into the Linux kernel. Within a packet filtering table, rules are grouped into what are called chains. I will discuss the rules, how they are built, and how they are grouped into chains shortly. Although Netfilter/iptables is referred to as a single entity, it actually consists of two components, netfilter and iptables.
The netfilter component, also known as kernel space, is the part of the kernel that consists of the packet filtering tables, which contain the rule sets the kernel uses to control packet filtering.
The iptables component is a tool, also known as user space, that makes it easy to insert, modify, and remove rules in the packet filtering tables. Unless you are using Red Hat Linux 7.1 or later, you need to download the tool from netfilter.org and install it yourself.
Using the user-space tool, you build your own custom rules, which are stored in the packet filtering tables in kernel space. Each rule has a target that tells the kernel what to do with packets coming from certain sources, going to certain destinations, or carrying certain protocol types. If a packet matches a rule, the target ACCEPT lets the packet through, while the targets DROP or REJECT block and discard it. There are many other targets for other operations that can be performed on a packet.
Rules are grouped into chains according to the type of packet they handle. Rules that handle inbound packets are added to the INPUT chain, rules that handle outbound packets to the OUTPUT chain, and rules that handle forwarded packets to the FORWARD chain. These three chains are the default main chains built into the basic packet filtering table. In addition, there are other chain types (such as PREROUTING and POSTROUTING) and support for user-defined chains. Every chain can have a policy, a default target, which is the default action taken when a packet matches none of the rules in the chain.
Once rules have been built and placed in the appropriate chains, the real packet filtering can begin. At this point kernel space takes over from user space. When a packet arrives at the firewall, the kernel first examines its header information, in particular its destination. This process is called routing.
If the packet comes from outside and is destined for the system itself, and the firewall is enabled, the kernel passes it to the INPUT chain of the filter table. If the packet originates from the system itself or from the internal network it is connected to and is destined for another, external system, it is passed to the OUTPUT chain. Likewise, a packet that comes from an external system and is destined for another external system is passed to the FORWARD chain.
Next, the packet's header information is compared with each rule in the chain it was passed to, to see whether it matches a rule completely. If it does, the kernel performs the action specified by that rule's target. If it does not match that rule, it is compared with the next rule in the chain. Finally, if the packet matches none of the rules in the chain, the kernel consults the chain's policy to decide what to do with it. Ideally, the policy should tell the kernel to DROP the packet.
Building rules and chains
Rules control packet filtering by giving the firewall instructions about what to do with packets from a given source, to a given destination, or of a specific protocol type. The rules are created with the iptables command provided by the Netfilter/iptables system and are added to chains in a specific packet filtering table in kernel space. The general syntax of the command that adds, removes, or edits rules is:
$ iptables [-t table] command [match] [target]
The table option (-t table) lets you use a table other than the standard one. A table is a packet filtering table that holds only the rules and chains that handle a specific kind of packet. There are three table options: filter, nat, and mangle. The option is not required; if it is not given, the filter table is used by default.
The filter table is used for general packet filtering and contains the INPUT, OUTPUT, and FORWARD chains. The nat table is used for forwarded packets and contains the PREROUTING, OUTPUT, and POSTROUTING chains. The mangle table is used when any change is to be made to a packet or its header; it holds rules for marking packets for advanced routing and contains the PREROUTING and OUTPUT chains.
Note: The PREROUTING chain holds the rules that alter packets as they arrive, while the POSTROUTING chain holds the rules that alter packets as they are about to leave the firewall.
Command
The mandatory command part is the most important part of the iptables command. It tells iptables what to do, for example insert a rule, append a rule to the end of a chain, or delete a rule. The most common commands are the following:
-A or --append: appends a rule to the end of the chain.
Example:
$ iptables -A INPUT -s 205.168.0.1 -j ACCEPT
This sample command appends a rule to the end of the INPUT chain that specifies that packets from source address 205.168.0.1 are to be accepted.
-D or --delete: deletes a rule from a chain, selected either by specifying the rule to match with -D or by giving the rule's position number in the chain. The following examples show both methods.
Example:
$ iptables -D INPUT -p tcp --dport 80 -j DROP
$ iptables -D OUTPUT 3
The first command deletes the rule in the INPUT chain that drops TCP traffic to port 80 (--dport requires a protocol match, hence -p tcp). The second command simply deletes rule number 3 from the OUTPUT chain.
-P or --policy: sets the default target of a chain, that is, its policy. All packets that match none of the rules in the chain are handled by this policy.
Example:
$ iptables -P INPUT DROP
This command sets the default target of the INPUT chain to DROP. That means all packets that match none of the rules in the INPUT chain are discarded.
-N or --new-chain: creates a new chain with the name given in the command.
Example:
$ iptables -N allowed-chain
-F or --flush: if a chain name is given, deletes all rules in that chain; if no chain name is given, deletes all rules in all chains. This parameter is useful for clearing things out quickly.
Example:
$ iptables -F FORWARD
$ iptables -F
-L or --list: lists all rules in the specified chain.
Example:
$ iptables -L allowed-chain
$ iptables -L RH-Firewall-1-INPUT
Match
The optional match part of the iptables command specifies the characteristics a packet must have to match the rule (such as source and destination address, protocol, and so on). Matches fall into two categories: generic matches and protocol-specific matches. Here I will look at the generic matches, which apply to packets of any protocol. Some important and commonly used generic matches, with examples and descriptions:
-p or --protocol: this generic protocol match checks for a specific protocol. The protocol is given as tcp, udp, icmp, or all (all is the default match); iptables takes one protocol per rule, so matching several protocols takes one rule each. The ! symbol inverts the match, so that the rule matches everything except that protocol.
Example:
$ iptables -A INPUT -p tcp
$ iptables -A INPUT -p udp
$ iptables -A INPUT -p ! icmp
In the example above, the first two commands together match all TCP and UDP packets. By specifying ! icmp, the third command matches all other protocols (in this case TCP and UDP) and excludes ICMP, which does the same job in one rule.
-s or --source: this source match selects packets by their source IP address. It also lets you match an address range, and the ! symbol inverts the match. The default source match matches all IP addresses.
Example:
$ iptables -A OUTPUT -s 192.168.1.1
$ iptables -A OUTPUT -s 192.168.0.0/24
$ iptables -A OUTPUT -s ! 203.16.1.89
The second command specifies that the rule matches all packets from the 192.168.0.0/24 network. The third command specifies that the rule matches any packet not from source address 203.16.1.89.
-d or --destination: this destination match selects packets by their destination IP address. It also lets you match an address range, and the ! symbol inverts the match.
Example:
$ iptables -A INPUT -d 192.168.1.1
$ iptables -A INPUT -d 192.168.0.0/24
$ iptables -A OUTPUT -d ! 203.16.1.89
Target
We already know that the target is the action taken on packets that match a rule. Besides user-defined targets, there are many built-in target options. Some of the common targets, with examples and descriptions:
ACCEPT: when a packet completely matches a rule with the ACCEPT target, it is accepted (allowed to go on to its destination) and stops traversing the chain (although it may traverse other chains in another table and could be dropped there). This target is specified as -j ACCEPT.
DROP: when a packet completely matches a rule with the DROP target, the packet is blocked and not processed further. This target is specified as -j DROP.
REJECT: this target works like DROP but is better than DROP. Unlike DROP, REJECT does not leave dead sockets on the server and client. In addition, REJECT sends an error message back to the sender of the packet. This target is specified as -j REJECT.
Example:
$ iptables -A FORWARD -p tcp --dport 22 -j REJECT
RETURN: a RETURN target set in a rule makes a packet that matches the rule stop traversing the chain that contains the rule. If that chain is a main chain such as INPUT, the packet is handled by the chain's default policy. It is specified as -j RETURN.
Example:
$ iptables -A FORWARD -d 203.16.1.89 -j RETURN
There are many other targets for building advanced rules, such as LOG, REDIRECT, MARK, MIRROR, and MASQUERADE.
Save the rules
Now you have learned how to create basic rules and chains and how to add them to, and delete them from, the packet filtering tables. However, remember that rules created in this way are held only in the kernel and are lost when the system reboots. So if you have added an error-free, working rule set to the packet filtering table and want to use it again after a reboot, you must save the rule set to a file. You can do that with the iptables-save command:
$ iptables-save > iptables-script
Now all rules in the packet filtering tables are saved in the file iptables-script. You can use the iptables-restore command to restore the rule set from this script file into the packet filtering tables, as shown below:
$ iptables-restore < iptables-script
If you want the rule set restored automatically every time the system boots, you can put the above command in one of the system's startup shell scripts.
[PIZZ Note] Note that on Red Hat 9 and later, the command find /etc -name "iptable*" locates the default configuration files (/etc/sysconfig/iptables-config, /etc/sysconfig/iptables) and the startup script (/etc/rc.d/init.d/iptables), but Red Hat states that users are not recommended to modify these files.
Advantages of Netfilter / iptables system
The biggest advantage of Netfilter/iptables is that it can be configured as a stateful firewall, an important feature that ipfwadm and ipchains cannot provide. A stateful firewall can record and remember the state of the connections established by the packets it sends or receives. The firewall gets this information from the connection state of the packets, and when it filters a new packet, using this state information makes it more efficient and faster. There are four valid states, named ESTABLISHED, INVALID, NEW, and RELATED.
The state ESTABLISHED indicates that the packet belongs to an established connection, one that has been used to send and receive packets and is fully valid. The state INVALID indicates that the packet is not associated with any known stream or connection; it may contain errors in its data or header. The state NEW means the packet has started or will start a new connection, or is associated with a connection that has not yet been used to send and receive packets. Finally, RELATED indicates that the packet is starting a new connection that is associated with an existing established connection.
Another important advantage of Netfilter/iptables is that it gives users full control over firewall configuration and packet filtering. You can customize your rules to your specific needs so that only the network traffic you want enters the system.
In addition, Netfilter/iptables is free, which is ideal for those who want to save costs; it can replace expensive firewall solutions.
The latest 2.4.x Linux kernels come with the Netfilter/iptables system as a built-in IP packet filtering tool, which makes configuring a firewall and packet filtering easy and convenient. The Netfilter/iptables system gives its users full control over firewall configuration and packet filtering, lets the firewall use customizable rules to control packet filtering, and also allows a stateful firewall.
[Appendix] Installing the Netfilter/iptables system
Because the netfilter component of Netfilter/iptables is integrated into the 2.4.x kernel, you only need to download and install the iptables user-space tool.
Requirements
The following is needed to install the Netfilter/iptables system:
Hardware: to use Netfilter/iptables, you need a system running the Linux OS that is connected to the Internet, a LAN, or a WAN.
Software: any Linux distribution with kernel 2.4 or later. You can download the latest kernel from http://www.kernel.org. You also need to download the iptables user-space tool from http://www.netfilter.org, because this tool is not part of the kernel. For Red Hat Linux 7.1 or later this download is not needed, because the tool is included in the standard installation of version 7.1 and later.
User: at least an intermediate understanding of the Linux OS and experience configuring the Linux kernel.
Preparing for installation
Some changes to the system are needed before you start installing the iptables user-space tool. First, you need to configure the kernel options with the make config command. During configuration you must enable the CONFIG_NETFILTER and CONFIG_IP_NF_IPTABLES options by setting them to Y, because this is necessary for Netfilter/iptables to work. Other options you may want to enable:
CONFIG_PACKET: useful if you want applications and programs to work directly with certain network devices.
CONFIG_IP_NF_MATCH_STATE: very important and useful if you want to configure a stateful firewall. Such a firewall remembers the decisions made when filtering previous packets and makes new decisions based on them. I discuss this further in the section on the advantages of the Netfilter/iptables system.
CONFIG_IP_NF_FILTER: provides the basic packet filtering framework. If you enable it, a basic filter table (with the built-in INPUT, FORWARD, and OUTPUT chains) is added to kernel space.
CONFIG_IP_NF_TARGET_REJECT: lets you specify that an ICMP error message should be sent in response to inbound packets that are dropped, rather than simply discarding them.
Now you are ready to install the user-space tool.
Installing the user-space tool
After downloading the source code of the iptables user-space tool (a file such as iptables-1.2.6a.tar.bz2), you can start the installation. You need to log in as root to perform it. Listing 1 shows the commands needed to install the tool, in the required order, with descriptions.
Listing 1. Example installation of the user-space tool
First, unpack the tool package into a directory:
# bzip2 -d iptables-1.2.6a.tar.bz2
# tar -xvf iptables-1.2.6a.tar
This will unpack the tool source into a directory named iptables-1.2.6a. Now change to the iptables-1.2.6a directory:
# cd iptables-1.2.6a
The INSTALL file in this directory contains a lot of useful information on compiling and installing this tool. Now compile the user-space tool using the following command:
# make KERNEL_DIR=/usr/src/linux/
Here KERNEL_DIR=/usr/src/linux/ specifies the path to the kernel's directory. If the kernel directory happens to be different on some systems, the appropriate directory path should be substituted for /usr/src/linux. Now install the binaries using the following command:
# make install KERNEL_DIR=/usr/src/linux/
Now the installation is complete.
Note: if you have Red Hat Linux version 7.1 or later, there is no need to perform the first two steps above. As we know, the standard installation of that distribution includes the iptables user-space tool, but by default the tool is turned off. To enable it, perform the following steps (Listing 2):
Listing 2. Enabling the user-space tool on Red Hat 7.1
First you'll have to turn off the old ipchains module (the predecessor of iptables) available in this OS package. This can be done using the following command:
# chkconfig --level 0123456 ipchains off
Next, to completely stop the ipchains module from running, so that it doesn't conflict with the iptables tool, stop the ipchains service using the following command:
# service ipchains stop
Now, if you do not want to keep this old ipchains module on your system, uninstall it using the following command:
# rpm -e ipchains
Now you can turn on the iptables user-space tool with the following command:
# chkconfig --level 235 iptables on
Finally, you'll have to activate the iptables service to make the user-space tool work by using this command:
# service iptables start
Now the user-space tool is ready to work on a Red Hat 7.1 or later system. Once everything is in order, the Netfilter/iptables system should be running.
[Related resources]
1. Red Hat Enterprise Linux 3: Security Guide, http://squidward.mit.edu/rhel-doc/rh-docs/rhel-sg-z_cn-3/s1-fireall-ipt-act.html
iptables is stateful.
"Stateful" means that if a packet is a reply to one that originally went out through the firewall, it is inspected automatically. The rules immediately allow the reply to enter and return to the requester, so that we do not have to define a large number of rules. For some functions, using this stateful ability of the new kernel is strongly recommended, so how do we enable and use this feature? See below. (Figure 2)
Assume that a company has a typical Internet connection arrangement as shown below:
                            ___________
 10.0.0.2                  |           |
 +----+ (10.0.0.1) eth1    |           | eth0 (1.2.3.4)
 | PC |--------------------| firewall  |---------------- Internet
 +----+                    |     A     |
   B    (LAN: 10.0.0.0/24) |___________|
The following rule set uses the state tracking of iptables and enables IP masquerading:
1 modprobe ip_tables
2 echo 1 > /proc/sys/net/ipv4/ip_forward
3 iptables -F INPUT
4 iptables -F FORWARD
5 iptables -F POSTROUTING -t nat
6 iptables -P FORWARD DROP
7 iptables -A FORWARD -s 10.0.0.0/24 -j ACCEPT
8 iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
9 iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/24 -j MASQUERADE
10 iptables -A INPUT -p tcp -i eth0 --syn --dport 80 -j ACCEPT
11 iptables -A INPUT -p tcp -i eth0 --syn -j DROP
Notes:
1. When using Red Hat's modular kernel, once the ip_tables module is loaded, the later commands load the other required modules as needed. Also note that if the ipchains or ipfwadm module is loaded, the iptables module cannot be loaded; remove them with the rmmod command and then load the iptables module. Under Red Hat you can use ntsysv to untick the ipchains and iptables entries, then reboot and run the commands above, or have them run automatically from /etc/rc.d/rc.local.
2. The second line enables IP forwarding.
3. Lines 3 to 5 clear the rules in the INPUT, FORWARD, and POSTROUTING chains.
4. The sixth line sets the default forwarding policy to DROP: a packet to be forwarded that matches a rule is handled by that rule, otherwise the default policy applies.
5. The seventh line allows the internal machines to be forwarded to anywhere.
6. The eighth line uses the state capability: as long as a packet is a reply to a request that went out through the firewall earlier, it is allowed. ESTABLISHED refers to a TCP connection; RELATED covers active FTP, ICMP ping requests, and so on. When a reply packet arrives, what is actually checked is whether it is listed in the file /proc/net/ip_conntrack; if it is in that table, the packet is allowed whichever chain it is checked in.
7. The ninth line enables IP masquerading: packets leaving through eth0 have their source address rewritten. This is a special case of source NAT (SNAT). Note that it is -o eth0, not -i eth0: in iptables, -o is used for packets going out through an interface and -i for packets coming in through one.
8. The tenth line: if this firewall is also a web server, packets that establish a new connection from outside to destination port 80 are allowed in.
9. The eleventh line refuses any other new TCP connection request whose destination port is not 80.
Note: the relationship between NAT and the FORWARD chain.
a. Regardless of any NAT, the source and destination addresses that the packet filtering rules see are the real source and destination addresses, even though the packet is rewritten when IP masquerading is performed. This can be seen from the file /proc/net/ip_conntrack.
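A small simulator, added here and not part of the article, that walks the FORWARD and INPUT chains rule by rule, applies the chain policy when nothing matches, and keeps a simplified connection table so that replies to accepted traffic match --state ESTABLISHED, using the rule set above (lines 6 to 11) and the addresses from the diagram; it also illustrates the chain traversal described in the section on how the system works. The packets, the outside hosts 1.1.1.1 and 9.9.9.9 and the port numbers are constructed; NAT (line 9) and the RELATED state are not modelled.

```python
# Added example, not from the article: simulates how the kernel walks a chain rule by
# rule, falls back to the chain's -P policy, and consults connection tracking so that
# replies match "--state ESTABLISHED". Rules are the article's lines 6 to 11, addresses
# come from its diagram; packets, outside hosts and ports are constructed. No NAT.
import ipaddress

def flow_key(pkt):
    return (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])

class Conntrack:
    """Simplified /proc/net/ip_conntrack: remembers accepted flows as 5-tuples."""
    def __init__(self):
        self.flows = set()
    def record(self, pkt):
        self.flows.add(flow_key(pkt))
    def state_of(self, pkt):
        """ESTABLISHED if the flow or its reverse was seen, else NEW (RELATED not modelled)."""
        p, s, sp, d, dp = flow_key(pkt)
        return "ESTABLISHED" if {(p, s, sp, d, dp), (p, d, dp, s, sp)} & self.flows else "NEW"

class Rule:
    def __init__(self, target, src=None, neg_src=False, proto=None, in_if=None,
                 dport=None, syn=False, state=None):
        self.target, self.src, self.neg_src, self.proto = target, src, neg_src, proto
        self.in_if, self.dport, self.syn, self.state = in_if, dport, syn, state
    def matches(self, pkt, ct):
        """Every match given must hold, as -s/-p/-i/--dport/--syn/-m state do together."""
        if self.src is not None:
            in_net = ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
            if in_net == self.neg_src:                  # "-s ! addr" inverts the test
                return False
        if (self.proto and pkt["proto"] != self.proto) or (self.in_if and pkt["in_if"] != self.in_if):
            return False
        if (self.dport is not None and pkt["dport"] != self.dport) or (self.syn and not pkt["syn"]):
            return False
        return not self.state or ct.state_of(pkt) in self.state   # -m state --state ...

class Chain:
    def __init__(self, policy):
        self.policy, self.rules = policy, []
    def verdict(self, pkt, ct):
        for rule in self.rules:                         # the first matching rule decides
            if rule.matches(pkt, ct):
                return rule.target
        return self.policy                              # nothing matched: the -P policy applies

def build_firewall():
    """Article lines 6 to 11; INPUT keeps the kernel default policy ACCEPT."""
    fwd, inp = Chain("DROP"), Chain("ACCEPT")
    fwd.rules.append(Rule("ACCEPT", src="10.0.0.0/24"))                               # line 7
    fwd.rules.append(Rule("ACCEPT", in_if="eth0", state={"ESTABLISHED", "RELATED"}))   # line 8
    inp.rules.append(Rule("ACCEPT", proto="tcp", in_if="eth0", syn=True, dport=80))  # line 10
    inp.rules.append(Rule("DROP", proto="tcp", in_if="eth0", syn=True))              # line 11
    return {"INPUT": inp, "FORWARD": fwd}

FIREWALL_ADDRS = {"10.0.0.1", "1.2.3.4"}                # eth1 and eth0 of the firewall (diagram)

def filter_packet(chains, ct, pkt):
    """Routing picks INPUT (addressed to the firewall) or FORWARD, then the chain runs."""
    chain = "INPUT" if pkt["dst"] in FIREWALL_ADDRS else "FORWARD"
    verdict = chains[chain].verdict(pkt, ct)
    if verdict == "ACCEPT":
        ct.record(pkt)                                  # only accepted flows enter conntrack
    return chain, verdict

def tcp(src, sport, dst, dport, in_if, syn):
    return {"proto": "tcp", "src": src, "sport": sport, "dst": dst,
            "dport": dport, "in_if": in_if, "syn": syn}

def run_scenario():
    """Constructed traffic: LAN request, its reply, an unsolicited probe, hits on the firewall."""
    chains, ct = build_firewall(), Conntrack()
    packets = [tcp("10.0.0.2", 40000, "1.1.1.1", 443, "eth1", True),   # LAN host goes out
               tcp("1.1.1.1", 443, "10.0.0.2", 40000, "eth0", False),  # the reply comes back
               tcp("9.9.9.9", 5555, "10.0.0.2", 22, "eth0", True),     # unsolicited, to the LAN
               tcp("9.9.9.9", 5556, "1.2.3.4", 80, "eth0", True),      # new web request
               tcp("9.9.9.9", 5557, "1.2.3.4", 22, "eth0", True),      # new SSH request
               tcp("9.9.9.9", 5558, "1.2.3.4", 22, "eth0", False)]     # non-SYN: line 11 misses it
    return [filter_packet(chains, ct, p) for p in packets]
```

The last packet shows why the --syn rules on lines 10 and 11 only decide about new connections: a stray non-SYN segment to port 22 reaches the INPUT policy, which the rule set leaves at the kernel default of ACCEPT.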