Implementing packet-filtering firewalls with iptables (1)

xiaoxiao, 2021-03-06

I. Overview

Linux has had packet filtering in the kernel since the 1.1 series. On 2.0 kernels, ipfwadm was the tool used to manipulate the kernel's packet filtering rules; on 2.2 kernels it was ipchains, which most people are familiar with. The newest Linux kernel at the time of writing is 2.4.1, and the 2.4 kernels no longer use ipchains but a new packet filtering management tool, iptables. This new packet filter is easier for users to understand, easier to use and, of course, more powerful.

Note that iptables is only a tool for managing the kernel's packet filter: it appends, inserts and deletes rules in the kernel's packet filtering tables (chains). What actually implements those rules is netfilter (a general framework inside the Linux kernel) and its related modules (such as the ip_tables module and the NAT modules). Let us look at how netfilter works.

II. How it works

Netfilter is a general framework in the Linux kernel. It provides a series of "tables", each of which consists of several "chains", and each chain can contain one or more rules. Put another way: netfilter is the container of the tables, a table is the container of its chains, and a chain is the container of its rules (see Figure 1).

The default table, filter, contains three chains: INPUT, FORWARD and OUTPUT. Each chain can hold one or more rules, and every rule is defined as "if the packet header meets these conditions, handle the packet this way". When a packet reaches a chain, the system checks it against the first rule to see whether it meets the conditions that rule defines: if it does, the packet is handled as the rule specifies; if not, the next rule is checked. Finally, if the packet matches none of the rules in the chain, the system handles it according to the chain's predefined policy (POLICY).

Figure 2 shows the flow of a packet through the filter table. When a packet enters the system, the kernel first consults the routing table to decide which chain to hand it to. There are three cases:

1. If the packet's destination address is this host, it is sent to the INPUT chain. If it passes the rule check, it is delivered to the corresponding local process; if it does not, it is discarded.

2. If the packet's destination address is not this host, that is, the packet is to be forwarded, it is sent to the FORWARD chain. If it passes the rule check, it is forwarded out through the corresponding network interface; if it does not, it is discarded.

3. If the packet was generated by a local process, it is sent to the OUTPUT chain. If it passes the rule check, it is sent out on the network; if it does not, it is discarded.

From the above we can see that netfilter's design is much clearer than that of ipfwadm and ipchains, which is undoubtedly good news for users who found ipfwadm and ipchains confusing.

III. Preparation

1. System requirements

Netfilter requires a kernel version no earlier than 2.3.5, and the netfilter-related options must be selected when compiling the new kernel. These options are under the "Networking options" submenu. Taking the 2.4.0 kernel as an example, select the following:

[*] Kernel/User netlink socket
[ ]   Routing messages
<*>   Netlink device emulation
[*] Network packet filtering (replaces ipchains)

.......

Then, under "IP: Netfilter Configuration --->":

Connection tracking (required for masq/NAT)
  FTP protocol support
IP tables support (required for filtering/masq/NAT)
  limit match support
  MAC address match support
  netfilter MARK match support
  Multiple port match support
  TOS match support
  Connection state match support
  Packet filtering
    REJECT target support
  Full NAT
    MASQUERADE target support
    REDIRECT target support
  Packet mangling
    TOS target support
    MARK target support
  LOG target support
ipchains (2.2-style) support
ipfwadm (2.0-style) support

The last two items need not be selected, but if you miss ipchains or ipfwadm you can select them and continue to use ipchains or ipfwadm on a 2.4 kernel. Note, however, that iptables is incompatible with ipchains/ipfwadm: the ip_tables module and the ipchains or ipfwadm compatibility module cannot be loaded at the same time, so you cannot use iptables and ipchains/ipfwadm together. After a successful build the module files are in the following directory:

/lib/modules/2.4.0/kernel/net/ipv4/netfilter

When compiling the 2.4.0 kernel, also make sure that the options matching your CPU are selected under "Processor type and features", otherwise the new kernel may not work properly.

2. Loading the modules

To use iptables you must also load the related modules, with the following command:

# modprobe ip_tables

modprobe loads the named module together with the modules it depends on. The iptable_filter module (the filter table) is loaded automatically the first time iptables uses it.

IV. Syntax

1. Chain operations

Create a new chain (-N).

Delete an empty chain (-X).

Change the policy of a built-in chain (-P).

List the rules in a chain (-L).

Flush all rules from a chain (-F).

Zero the packet and byte counters of all rules in a chain (-Z).

2. Rule operations

Append a new rule to a chain (-A).

Insert a new rule into a chain (-I), by default at the front.

Replace the rule at a given position in a chain (-R).

Delete the rule at a given position in a chain (-D).

Delete the first rule in a chain that matches a given specification (-D).
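As an added example, not from the original article: the script below builds a small filter with the chain and rule operations just listed, on the three built-in chains described in section II. The interface names, the LAN network and the host that is cut off (eth0, eth1, 192.168.1.0/24, 192.168.1.77) are assumptions. It prints the iptables commands instead of executing them unless IPT=iptables is set in the environment and it is run as root.

```shell
#!/bin/sh
# Added example (not from the article): a small three-chain filter built
# with the chain and rule operations above. Commands are only printed
# unless IPT=iptables is set in the environment (run as root).
dry_run() { echo "iptables $*"; }
IPT=${IPT:-dry_run}
LAN_IF=eth0               # assumption: LAN-facing interface
LAN_NET=192.168.1.0/24    # assumption: LAN network
WAN_IF=eth1               # assumption: upstream interface
BAD_HOST=192.168.1.77     # assumption: a LAN host to cut off

build_filter() {
    # -F flushes every chain in the filter table, -X then removes the
    # (now empty) user-defined chains, -Z zeroes all counters.
    $IPT -F
    $IPT -X
    $IPT -Z

    # -P sets the policy used when no rule in the chain matches.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # -N creates a user-defined chain that decides which local services
    # the LAN may reach; INPUT jumps to it with -j lan-services.
    $IPT -N lan-services
    $IPT -A lan-services -p tcp --dport 22 -j ACCEPT
    $IPT -A lan-services -p tcp --dport 80 -j ACCEPT
    $IPT -A lan-services -p icmp -j ACCEPT
    $IPT -A lan-services -j DROP

    # INPUT: packets addressed to this host.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -i $LAN_IF -s $LAN_NET -j lan-services
    # Replies to connections this host opened (connection state match).
    $IPT -A INPUT -i $WAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT

    # FORWARD: packets routed through this host, LAN -> upstream only.
    $IPT -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
    $IPT -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT

    # -I puts a rule at position 1, so it is checked before everything
    # else in the chain: cut one host off without reordering the rest.
    $IPT -I FORWARD 1 -s $BAD_HOST -j DROP
    # -R replaces the rule at a position (here: narrow the block to SMTP);
    # -D removes the first rule matching a specification.
    $IPT -R FORWARD 1 -s $BAD_HOST -p tcp --dport 25 -j DROP
    $IPT -D lan-services -p icmp -j ACCEPT

    # -L lists the result; -n skips DNS lookups, -v shows the counters.
    $IPT -L -n -v
}

build_filter
```

Run it as is to review the generated rule list; run it as root with IPT=iptables to apply it. The order matters: -I places the per-host block in front of the ACCEPT rules, which is why it takes effect, whereas -A would put it after them and it would never be reached.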

3. Specifying source and destination addresses

The source address is given with --source/--src/-s (the slash here means "or", likewise below), the destination address with --destination/--dst/-d. An address can be specified in four ways:

a. a full domain name, such as "www.linuxaid.com.cn"; note that the name is resolved only once, when the rule is added, and the rule stores the resulting address;

b. an IP address, such as "192.168.1.1";

c. a network address in the form x.x.x.x/x.x.x.x, such as "192.168.1.0/255.255.255.0";

d. a network address in the form x.x.x.x/n, such as "192.168.1.0/24", where n is the number of bits in the subnet mask; this notation is common in UNIX environments.

The default mask length is 32, so 192.168.1.1 is equivalent to 192.168.1.1/32.

4. Specifying the protocol

The protocol is given with --protocol/-p, for example -p tcp.

5. Specifying the network interface

The network interface is given with --in-interface/-i or --out-interface/-o. Note that a rule in the INPUT chain can only use -i, since that chain only sees arriving packets; a rule in the OUTPUT chain can only use -o, since it only sees packets being sent; only the FORWARD chain can use both -i and -o. You may also name an interface that does not exist yet, such as ppp0; the rule simply takes effect once the dial-up connection comes up.

6. Specifying IP fragments

In TCP/IP communication every network interface has a maximum transmission unit (MTU), which defines the largest packet that can pass through it. A packet larger than this value is split into several smaller packets (IP fragments) for transmission, and the receiver reassembles the fragments to restore the whole packet.

Fragments cause a problem for packet filtering, however: when a packet is fragmented, the first fragment contains the complete header information, but the following fragments carry only the IP header, that is, the source and destination addresses, and no port numbers or TCP flags. So if we have a rule like:

iptables -A FORWARD -p tcp -s 192.168.1.0/24 -d 192.168.2.100 --dport 80 -j ACCEPT

and the FORWARD chain's policy is DROP, only the first fragment of each fragmented packet gets through and the remaining fragments are dropped: the first fragment carries the complete header and satisfies the rule, while the others lack the port information and cannot match it.

The --fragment/-f option matches the second and later fragments. For the example above, adding the following rule solves the problem:

iptables -A FORWARD -f -s 192.168.1.0/24 -d 192.168.2.100 -j ACCEPT

Because a -f rule can only look at the addresses (and the protocol), it admits the non-first fragments of any connection between those addresses, which is why it should be restricted to specific source and destination addresses rather than written as a blanket rule.

Note also that there have been many IP fragment attacks (for example, sending large numbers of fragments to Windows 98, NT4 SP5/SP6 and Windows 2000 hosts), so letting fragments through at all is a security risk. The iptables match extensions (such as limit) can be used to restrict them, at some cost to service quality; this is discussed below.

7. Negation

A ! placed before an option's value negates the match, for example -s ! 192.168.1.0/24 matches packets from any address except that network.

8. TCP match extension

With the --tcp-flags option, packets can be filtered according to their TCP flags. The option takes two arguments: the first is the list of flags to examine, any comma-separated combination of SYN, ACK, FIN, RST, URG and PSH (ALL stands for all of them); the second lists which of the examined flags must be set (NONE means none of them). For example, to drop every TCP packet in which, of all the flags, only SYN is set, use:

iptables -A FORWARD -p tcp --tcp-flags ALL SYN -j DROP

The --syn option is a special case of this, equivalent to --tcp-flags SYN,RST,ACK SYN: it matches the packets that open a TCP connection.
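As an added example, not from the original article: the script below uses --tcp-flags to drop TCP packets whose flag combinations never occur in legitimate traffic, which is what port scanners (NULL, XMAS, SYN/FIN scans) and crafted packets produce. The chain name bad-tcp and the list of combinations are my choices, and the last rule uses the connection state match from the kernel options above; the commands are only printed unless IPT=iptables is set and the script is run as root.

```shell
#!/bin/sh
# Added example (not from the article): rules built with --tcp-flags that
# drop TCP packets whose flag combinations never occur in normal traffic.
# Commands are only printed unless IPT=iptables is set (run as root).
dry_run() { echo "iptables $*"; }
IPT=${IPT:-dry_run}

# "mask want": examine the flags in mask, match when exactly those in
# want are set. ALL and NONE are keywords understood by --tcp-flags.
BAD_TCP_FLAGS="
ALL NONE
ALL ALL
ALL FIN,PSH,URG
SYN,FIN SYN,FIN
SYN,RST SYN,RST
FIN,ACK FIN
"

# tcp_flag_rules CHAIN: create the bad-tcp chain and hook it into CHAIN.
tcp_flag_rules() {
    chain=${1:-INPUT}
    $IPT -N bad-tcp
    echo "$BAD_TCP_FLAGS" | while read -r mask want; do
        [ -n "$mask" ] || continue
        $IPT -A bad-tcp -p tcp --tcp-flags "$mask" "$want" -j DROP
    done
    # A packet that starts a new connection must be a SYN: ! negates
    # --syn (which is --tcp-flags SYN,RST,ACK SYN), and the state match
    # restricts this to packets that belong to no known connection.
    $IPT -A bad-tcp -p tcp ! --syn -m state --state NEW -j DROP
    # Everything else returns to the calling chain.
    $IPT -A bad-tcp -j RETURN
    # Insert at the front of CHAIN so these checks run before any rule
    # that could ACCEPT such packets.
    $IPT -I "$chain" 1 -p tcp -j bad-tcp
}

tcp_flag_rules INPUT
```

Keeping the checks in their own chain means the same list can be hooked into both INPUT and FORWARD, and a LOG rule can later be added in front of each DROP without touching the built-in chains.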

9. MAC match extension

The -m option loads a match extension. With --match mac/-m mac you can check the source MAC address of an IP packet; just give the address after --mac-source. For example:

iptables -A FORWARD -m mac --mac-source 00:00:BA:A5:7D:12 -j DROP

Note that once a packet has been forwarded by a router, its source MAC address is that of the router, so MAC matching only identifies hosts on the directly connected network segment. It can only be used on incoming packets (the INPUT and FORWARD chains), and since a MAC address is easy to forge it is not a strong form of authentication.

10. limit match extension

limit is a very useful match extension. It is selected with -m limit and takes two options:

--limit avg: the maximum average number of matching packets per unit of time. The unit can be /second, /minute, /hour or /day, or just its first letter, so 5/second and 5/s mean the same thing. The default is 3/hour.

--limit-burst number: the maximum initial number of packets to match, that is, the burst that can get through before the average rate limit takes effect. The default is 5.

This may seem a bit complicated, so let us look at an example. Suppose we have the following rules:

iptables -A INPUT -p icmp -m limit --limit 6/m --limit-burst 5 -j ACCEPT

iptables -P INPUT DROP

Then ping this host from another host. The first few echo requests, up to the burst of 5, are answered normally; after that only one request every 10 seconds gets a reply. The reason is that the rule allows 6 matching packets per minute, that is, one every 10 seconds, and the burst of 5 lets the first packets through before that average rate limit takes hold. Whatever the limit rule does not match falls through to the INPUT policy and is dropped.

Now suppose we stop the ping and start it again 30 seconds later. Again the first few requests are answered normally and then the limit takes over. This is because one packet is allowed through per 10-second period, and for every period in which no matching packet arrives the burst credit is restored by one. After 30 seconds without matching packets the credit has therefore been restored to 3, and after five idle periods (50 seconds) it is back to the full burst of 5. If anything is unclear, discussion is welcome.
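As an added example, not from the original article, the shell script below models the credit scheme the limit match uses (a bucket that starts full with the burst, spends one credit per matched packet and refills one credit per period of idle time) and replays the ping experiment described above against "--limit 6/m --limit-burst 5". It is a model for reasoning about rules, not code from netfilter; the assumption that the rule is installed at time 0 is mine.

```shell
#!/bin/sh
# Added example (not from the article): a pure-shell model of how the
# limit match meters packets. A rule starts with BURST credits, each
# matched packet spends one, and one credit is refilled per PERIOD
# seconds of idle time, never exceeding BURST. For the rule
# "-m limit --limit 6/m --limit-burst 5", PERIOD is 10 (60 s / 6), BURST 5.

# limit_sim PERIOD BURST t1 t2 ... : given packet arrival times in
# seconds, print the arrival times of the packets the rule would match.
limit_sim() {
    cost=$1; burst=$2; shift 2
    cap=$((cost * burst))   # credit, in seconds, the bucket can hold
    credit=$cap             # the bucket is full when the rule is added
    prev=0                  # assumption: rule installed at t=0
    out=""
    for now in "$@"; do
        credit=$((credit + now - prev))     # refill: one second of credit
        prev=$now                           # per second of elapsed time
        if [ "$credit" -gt "$cap" ]; then credit=$cap; fi
        if [ "$credit" -ge "$cost" ]; then  # enough credit for one packet
            credit=$((credit - cost))
            out="$out $now"
        fi
    done
    echo "${out# }"
}

# seq_times A B: print the integers A..B (one ping per second).
seq_times() {
    i=$1
    while [ "$i" -le "$2" ]; do echo "$i"; i=$((i + 1)); done
}

# A ping every second for a minute: the 5-packet burst, then one per 10 s.
echo "continuous : $(limit_sim 10 5 $(seq_times 0 59))"
# Ping until t=50 (bucket empty), pause 30 s, resume: 3 credits refilled,
# so three requests pass before the one-per-10 s regime resumes.
echo "after pause: $(limit_sim 10 5 $(seq_times 0 50) $(seq_times 81 90))"
```

Changing PERIOD and BURST lets you predict how a candidate limit rule will behave, for example for the rate-limited LOG rules discussed below, before loading it into the kernel.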

11. LOG target extension

Netfilter's built-in targets (that is, what the system does with a packet once it matches a rule) are:

ACCEPT: let the packet through (deliver or forward it)
DROP: discard the packet

Target extension modules provide additional targets. The LOG target records the matched packet through the kernel log (it shows up in syslog) and takes the following options:

--log-level: the syslog level of the entry. The levels debug, info, notice, warning, err, crit, alert and emerg correspond to the numbers 7 down to 0; see the syslog.conf manual page.

--log-prefix: a string of up to 29 characters placed in front of each log entry, useful for telling the entries of different rules apart.

Note that LOG is not a terminating target: after logging, the packet continues to the next rule in the chain, so a LOG rule is usually followed by a rule with the same match and a DROP or REJECT target. Without a limit match in front of it, a LOG rule can also be used by an attacker to flood the system log.

12. REJECT target extension

This target behaves exactly like DROP except that it also sends an ICMP "port unreachable" message back to the sender (the --reject-with option selects a different ICMP type). It can only be used in the INPUT, FORWARD and OUTPUT chains and in user-defined chains called from them.
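As an added example, not from the original article: the script below combines the limit match, the LOG target and the REJECT target into the pattern most firewalls end up with, a user-defined chain that logs a rate-limited sample of what it drops, and a REJECT rule for ident (tcp/113) so that mail and IRC servers probing it get an immediate answer instead of waiting for a timeout. The chain name logdrop, the prefix and the limits are my choices; the commands are only printed unless IPT=iptables is set and the script is run as root.

```shell
#!/bin/sh
# Added example (not from the article): a log-then-drop chain whose LOG
# rule is rate limited, plus a REJECT rule for ident probes. Commands are
# only printed unless IPT=iptables is set (run as root).
dry_run() { echo "iptables $*"; }
IPT=${IPT:-dry_run}

# log_drop_chain: create the logdrop chain. LOG does not terminate the
# chain, so the packet goes on to the DROP rule after being logged. The
# limit match caps logging at 5 lines a minute after a burst of 10, so a
# flood of dropped packets cannot fill syslog.
log_drop_chain() {
    $IPT -N logdrop
    $IPT -A logdrop -m limit --limit 5/m --limit-burst 10 \
         -j LOG --log-level warning --log-prefix "fw-drop: "
    $IPT -A logdrop -j DROP
}

# apply_examples: use the chain from INPUT.
apply_examples() {
    log_drop_chain
    # Mail and IRC servers query ident (tcp/113). REJECT answers with an
    # ICMP port-unreachable so the client gives up at once; with DROP it
    # would wait for its timeout before continuing.
    $IPT -A INPUT -p tcp --dport 113 -j REJECT
    # Everything that reaches the end of INPUT is logged, then dropped.
    $IPT -A INPUT -j logdrop
}

apply_examples
```

The log entries carry the prefix "fw-drop: ", so they can be picked out of syslog with a simple grep, and the prefix stays under the 29-character limit of --log-prefix.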

Other extensions are in common use as well; see the packet-filtering-HOWTO for details. The most direct source of information is iptables' built-in help: for example, "iptables -m mac --help" prints the help for the mac match extension, and "iptables -j LOG --help" prints the help for the LOG target extension.

When reposting, please cite the original address: https://www.9cbs.com/read-75713.html
