Author: Anton Chuvakin Introduction In the past few years, Linux as an application platform for significant growth firewall. From the IPFWADM of the Early 1.2 version of the kernel, Linux's firewall code has also gone through a long distance. In the version 2.4 version of the Linux kernel, the Netfilter system is used. In the latest version 2.4, Linux greatly enhances security, such as: better encryption support and NetFilter system. Netfilter has a complete backward compatibility. This article will make an overview of the configuration of iptables and focus on some IPTables configuration tools. The discussion of this paper will focus on the IP firewall of the Linux kernel and the configuration tools of its various interfaces, such as: GUI or script (Shell, Perl, or specific configuration language). Using these tools can simplify the configuration of the IPTables to reduce configuration errors. For knowledge about iptables, please refer to Linux Iptables HOWTO written by Rusty Russell. Use the command line to configure iptables that use iptables command line interface to configure the iptables firewall to a challenge for one person, and users are difficult to specify all IP packets. Users need to have a deep understanding of TCP / IP and application layer protocols. Like their seniors, iptables score the IP filtering rules into the chain, and IP packets traverses the rule link. It can also be sent to additional links, or finally processed by the default policy (ACCEPT, DROP, REIECT). Some web applications are easier to pass through the firewall than other programs, so you need to understand the establishment and disconnection of the network connection. Let's take a look at the POP3 protocol, which is one of the easiest agreements. Allow all inward target ports to be 110's packets by unable to solve all management problems, because this can only make the client to apply, but the server is unable to answer. In addition, there is a lot of problems if you use network address conversion (NAT) and other means of packets. Because the firewall configuration will affect the security of the entire company, it should be particularly careful. The following will now discuss the configuration of iptables. For more details, please refer to the command line option for Linux iptables howto iptables before entering this discussion, let's take a summary of the iptables command line option. Rules Chain Target Options 1. Create a new rule chain (-N) 2. Delete an empty rule chain (-x) 3. Change the policy (-P) of a built-in rule chain (-P) 4. List the rules in a rule chain (-L) 5. Rules (-f) rule maintenance in a rule chain 1. Add a new rule (-a) in a rule chain 2. Delete a certain location in a rule chain (- D) The advantage of iptables Before discussing the various iptables configuration tools, let's take a look at the advantages of iptables, especially the advantage of Netfilter than IPchains. IPTables allows the Stateful firewall, which is saved in memory through each connection through the firewall. This model is necessary to effectively configure FTP and DNS and other network services. iptables can filter the TCP flag arbitrarily combined packets, and can also filter the MAC address. System logs are easier to configure than IPchains, and the scalability is better. For Network Address Translation, NetFilter is more powerful and easy to use. IPTable prevents certain DOS attacks, such as SYS flood attacks. IPTables Configuration Tools now, let's take a look at some configuration tools for Linux iptables. I mainly pay attention to the characteristics, elasticity and ease of use of each tool.
We will discuss the following tools: MonMotha's Firewall 2.3.5 Author: MonMotha Firewallscript (iptables 4.4c-3 devel) Author: Patrik Hildingsson Ferm-0.0.18 Author: Auke Kok AGT-0.83 Author: Andy Gilligan Knetfilter-1.2.4 Author : Luigi Genoni gShield-2.0.2 author:. R Gregory MonMotha of Firewall 2.3.5 MonMotha written about 30K Firewall 2.3.5 is a shell script. At present, it is mainly suitable for host-based protection because some network-based option is under development. This script interface (for example: method for passing the IPTables Pass Configuration Option) is a bit confusing. However, it does not need to configure files and installation is easy to copy directly to anywhere. By default, it doesn't do anything at all. It doesn't actually do it, and the document is missing. This script may be a bit for dialing users. FireWallScript firewallscript is also a Bash script, about 85K. This script can be used for hosting and network protection. When you run, it will generate a profile directly. However, in the default, this file does not work, only test functions. This script can configure NAT and address camouflage. This script is very complicated, but lacks documentation, so it is best to read it carefully, using iptables -l command which strand has taken effect, what is allowed / refusal. This script's IP packet tracking feature can also provide you with entertainment. In addition, it will automatically detect and load the kernel modules required for iptables. This script and the previous script also have a cancel (UNDO) function, which can restore the original configuration files for iptables. FERM FERM is a Perl script that uses a configuration file written in a C language. This language is very easy to read and understand. This script has a good document and a rich example as a reference. This is an example: --------------------------------------------- -------------------------------- # Simple Workstation Example for Ferm Chain Input {IF PPP0 # PUT YOUR Outside Interface Here { proto tcp goto fw_tcp; proto udp goto fw_udp; proto icmp goto fw_icmp;}} chain fw_tcp proto tcp {dport ssh ACCEPT; syn DENY log; dport domain ACCEPT; dport 0: 1023 DENY log;} chain fw_udp proto udp {DENY log; } chain fw_icmp proto icmp {icmpty-unreachable time-exceeded) accept; deny log;} --------------------------------------------------------------------------- ------------------------------------------------ this configuration The file will cause the FERM to generate iptables as follows: Allows excessive SSH and DNS packets to pass through; block all UDP packets; only two types of ICMP messages are passed: the purpose is not accessible and timeout, and the other type of logs ICMP message. AGT AGT is a program written in C language.
