[Original author is unknown, may be Mugdha Vairagade]

Netfilter/iptables is an IP packet filtering system integrated into the 2.4.x series of the Linux kernel. If a Linux system is connected to the Internet or to a LAN, is a server, or is a proxy server connecting a LAN to the Internet, this system gives better control over IP packet filtering and firewall configuration on that system. This article introduces the Netfilter/iptables system: how it works, what its advantages are, and how to use it to configure a firewall on a Linux system to filter IP packets.

Note: an intermediate level of familiarity with the Linux OS and some experience configuring the Linux kernel will help in understanding this article.

Linux security and Netfilter/iptables

Linux has become very popular in the IT industry because of its robustness, reliability, flexibility, and seemingly unlimited range of customization. Linux has many built-in capabilities that let developers customize its tools, behaviour, and appearance to their needs without expensive third-party tools. If a Linux system is connected to the Internet or a LAN, is a server, or is a proxy server connecting a LAN to the Internet, one such built-in capability is firewall configuration for Linux systems on the network. This capability is provided by the Netfilter/iptables system, which is integrated into the 2.4.x Linux kernel. Among the Linux packet filtering solutions, such as ipfwadm and ipchains, Netfilter/iptables is the latest and the first to be integrated into the Linux kernel itself. For Linux system administrators, network administrators, and home users who want to configure a firewall to their own specific needs, Netfilter/iptables is an ideal, money-saving firewall solution that leaves them in full control of IP packet filtering.
Understanding firewall configuration and packet filtering

For a Linux system connected to a network, a firewall is an essential defense mechanism: it allows only legitimate network traffic to enter and leave the system and blocks all other traffic. To decide whether network traffic is legitimate, the firewall relies on a set of rules predefined by the network or system administrator. These rules tell the firewall whether traffic from a certain source, to a certain destination, or of a certain protocol type is legitimate and what to do with it. The term "configuring the firewall" refers to adding, modifying, and removing these rules. I will discuss these rules in detail later.

Network traffic travels from a source system to a destination system as small blocks of data called IP packets (or simply packets). Each packet has a header, a few bits of data placed in front of the packet body, which carries information about the packet's source, destination, and protocol type. The firewall checks these headers against its set of rules to decide which packets to accept and which to reject. We refer to this process as packet filtering.

Why configure your own firewall?

There are many reasons to configure a firewall to specific needs. Perhaps the most important one is security. Administrators may want their firewall to prevent unauthorized sources from accessing their Linux systems, for example through Telnet. They may also want to restrict the network traffic to and from their systems so that only traffic from trusted sources can come in and only authorized traffic can go out. Home users may configure the firewall at a lower security level, allowing all outbound packets through, and use it to block excess traffic from sources such as advertising sites, which saves bandwidth.

Thus the firewall configuration can be customized to meet any specific need and any level of security. This is where the Netfilter/iptables system comes in.
How does the Netfilter/iptables system work?

The Netfilter/iptables IP packet filtering system is a powerful tool for adding, editing, and removing the rules that a firewall follows when making packet filtering decisions. These rules are stored in dedicated packet filtering tables that are integrated into the Linux kernel. Within a packet filtering table, rules are grouped into what are called chains. I will shortly discuss these rules, how to build them, and how to group them into chains.

Although Netfilter/iptables is referred to as a single entity, it actually consists of two components, netfilter and iptables. The netfilter component, also known as kernel space, is the part of the kernel that holds the packet filtering tables, which in turn contain the rule sets that control packet filtering. The iptables component is a tool, also known as user space, that makes it easy to insert, modify, and remove rules in the packet filtering tables. Unless you are using Red Hat Linux 7.1 or higher, you need to download the tool from netfilter.org and install it before you can use it.

Using the user space tool, you build your own custom rules, which are stored in the packet filtering tables in kernel space. Each rule has a target that tells the kernel what to do with packets from a certain source, to a certain destination, or of a certain protocol type. If a packet matches a rule, the target ACCEPT lets the packet through; the targets DROP and REJECT block the packet and discard it. There are many other targets for other operations that can be performed on a packet.

Rules are grouped into chains according to the kind of packet they process. Rules that handle inbound packets are added to the INPUT chain; rules that handle outbound packets are added to the OUTPUT chain; rules that handle packets being forwarded are added to the FORWARD chain. These three chains are the default main chains built into the basic packet filtering table. In addition, there are many other chain types available (such as PREROUTING and POSTROUTING), and user-defined chains can be created. Every chain can have a policy, its "default target", which is the operation performed when a packet does not match any rule in the chain.

Once rules are established and placed in the appropriate chains, real packet filtering can begin. At this point kernel space takes over from user space. When a packet reaches the firewall, the kernel first examines the packet's header information, particularly its destination; this process is called routing. If the packet comes from outside and is destined for the system, and the firewall is enabled, the kernel passes it to the INPUT chain of the filter table. If the packet originates on the system itself, or on an internal network connected to the system, and is destined for another, external system, it is passed to the OUTPUT chain. Similarly, a packet that comes from an external system and is destined for another external system is passed to the FORWARD chain.

Next, the packet's header information is compared with each rule in the chain it was passed to, to see whether it fully matches a rule. If the packet matches a rule, the kernel performs the operation specified by the rule's target. If it does not match, it is compared with the next rule in the chain. Finally, if the packet matches no rule in the chain, the kernel consults the chain's policy to decide what to do with it. An ideal policy tells the kernel to DROP the packet.
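As an added illustration of the chain walk just described (written for this page; it is neither the article's code nor iptables itself), the following shell script models a chain as lines of PROTO SRC DST TARGET and applies the same semantics: the first matching rule decides, a jump into a user-defined chain that RETURNs continues with the next rule of the calling chain, and a packet that matches nothing gets the chain's policy. The chains, addresses and packets are constructed; the functions walk_chain and walk_user_chain are the example's own names.

```shell
#!/bin/sh
# Added example, not from the original article: a text-only model of how a chain
# is traversed. Rules are lines of  PROTO SRC DST TARGET  where "any" matches
# everything and TARGET is ACCEPT, DROP, REJECT, RETURN or the name of a
# user-defined chain. Nothing here runs iptables; all data is constructed.

POLICY_INPUT=DROP              # default target when no rule in INPUT matches
CHAIN_INPUT='
tcp   192.168.0.10   any        trusted
icmp  any            any        DROP
udp   any            10.0.0.1   ACCEPT
'
# User-defined chain: it has no policy; falling off the end behaves like RETURN.
CHAIN_trusted='
tcp   any   10.0.0.1   ACCEPT
tcp   any   10.0.0.2   RETURN
'

# field_match PATTERN VALUE: "any" matches everything, otherwise exact match
field_match() { [ "$1" = any ] || [ "$1" = "$2" ]; }

# rule_matches RPROTO RSRC RDST PROTO SRC DST: all three fields must match
rule_matches() {
    field_match "$1" "$4" && field_match "$2" "$5" && field_match "$3" "$6"
}

# walk_user_chain NAME PROTO SRC DST
# Prints ACCEPT/DROP/REJECT for the first terminal match, or RETURN when a
# RETURN rule matches or the packet reaches the end of the chain.
walk_user_chain() {
    uc_proto=$2; uc_src=$3; uc_dst=$4
    eval "uc_rules=\$CHAIN_$1"
    uc_verdict=RETURN
    while read -r rproto rsrc rdst target; do
        [ -n "$rproto" ] || continue                       # skip blank lines
        rule_matches "$rproto" "$rsrc" "$rdst" "$uc_proto" "$uc_src" "$uc_dst" || continue
        uc_verdict=$target
        break                                              # first match wins
    done <<EOF
$uc_rules
EOF
    printf '%s\n' "$uc_verdict"
}

# walk_chain NAME PROTO SRC DST: verdict for a packet entering a built-in chain
walk_chain() {
    c_proto=$2; c_src=$3; c_dst=$4
    eval "c_rules=\$CHAIN_$1; c_policy=\$POLICY_$1"
    c_verdict=
    while read -r rproto rsrc rdst target; do
        [ -n "$rproto" ] || continue
        rule_matches "$rproto" "$rsrc" "$rdst" "$c_proto" "$c_src" "$c_dst" || continue
        case "$target" in
            ACCEPT|DROP|REJECT) c_verdict=$target; break ;;
            RETURN) break ;;           # RETURN in a built-in chain: fall back to the policy
            *)  # jump into a user-defined chain; on RETURN keep walking this chain
                c_verdict=$(walk_user_chain "$target" "$c_proto" "$c_src" "$c_dst")
                [ "$c_verdict" = RETURN ] && c_verdict= || break ;;
        esac
    done <<EOF
$c_rules
EOF
    printf '%s\n' "${c_verdict:-$c_policy}"     # no match: the chain policy decides
}

# Constructed packets: protocol, source, destination
for pkt in "tcp 192.168.0.10 10.0.0.1" "tcp 192.168.0.10 10.0.0.2" \
           "icmp 203.0.113.5 10.0.0.1" "udp 203.0.113.5 10.0.0.1" "udp 203.0.113.5 10.0.0.2"; do
    set -- $pkt
    printf '%-5s %-14s -> %-10s %s\n' "$1" "$2" "$3" "$(walk_chain INPUT "$1" "$2" "$3")"
done
```

The second packet shows the point the text makes about policies: it is handed to the trusted chain, which RETURNs, the remaining INPUT rules do not match, and the DROP policy decides.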
Establishing rules and chains

Rules give the firewall instructions about packets from a certain source, to a certain destination, or of a specific protocol type. These rules are created with the iptables command provided by the Netfilter/iptables system and are added to a chain in a specific packet filtering table in kernel space. The general syntax of the command for adding, removing, and editing rules is as follows:

$ iptables [-t table] command [match] [target/jump]

Table

The [-t table] option allows a table other than the standard table to be used. A table is a packet filtering table containing only the rules and chains that handle a specific kind of packet. There are three table options available: filter, nat, and mangle. The option is not required; if it is not specified, filter is used as the default table.

The filter table is used for general packet filtering and contains the INPUT, OUTPUT, and FORWARD chains. The nat table is used for packets that need to be forwarded and contains the PREROUTING, OUTPUT, and POSTROUTING chains. If any change is to be made to a packet or its header, the mangle table is used. It contains rules for marking packets for advanced routing and has the PREROUTING and OUTPUT chains.

Note: the PREROUTING chain holds rules that modify packets as they arrive at the firewall, while the POSTROUTING chain holds rules that modify packets as they leave the firewall.

Command

The mandatory command part is the most important part of the iptables command. It tells iptables what to do, for example insert a rule, append a rule to the end of a chain, or delete a rule. The most common commands are:

-A or --append: appends a rule to the end of a chain.
Example:
$ iptables -A INPUT -s 205.168.0.1 -j ACCEPT
This sample command appends a rule to the end of the INPUT chain specifying that packets from the source address 205.168.0.1 are to be accepted.

-D or --delete: deletes a rule from a chain, either by specifying the rule to match or by giving its position number in the chain.
The following examples show both methods.
Example:
$ iptables -D INPUT -p tcp --dport 80 -j DROP
$ iptables -D OUTPUT 3
The first command removes from the INPUT chain the rule that DROPs packets to port 80. The second command simply deletes rule number 3 from the OUTPUT chain.

-P or --policy: sets the default target of a chain, i.e. its policy. All packets that match no rule in the chain are handled according to this policy.
Example:
$ iptables -P INPUT DROP
This command sets the default target of the INPUT chain to DROP, meaning that all packets that match no rule in the INPUT chain are discarded.

-N or --new-chain: creates a new chain with the name given in the command.
Example:
$ iptables -N allowed-chain

-F or --flush: if a chain name is given, deletes all rules in that chain; if no chain name is given, deletes all rules in all chains. This parameter is used for quick cleanup.
Example:
$ iptables -F FORWARD
$ iptables -F

-L or --list: lists all rules in the specified chain.
Example:
$ iptables -L allowed-chain
$ iptables -L RH-Firewall-1-INPUT

Match

The optional match part of the iptables command specifies the characteristics a packet must have to match the rule, such as source and destination address, protocol, and so on. Matches fall into two categories: generic matches and protocol-specific matches. Here I will look at generic matches, which apply to packets of any protocol. Some important and common generic matches, with examples and descriptions:

-p or --protocol: this generic protocol match checks for certain specific protocols. Examples of protocols are TCP, UDP, ICMP, a comma-separated list of any of these three, and ALL (all protocols). ALL is the default match. The ! symbol can be used to match everything except the named item.
Example:
$ iptables -A INPUT -p tcp,udp
$ iptables -A INPUT -p ! icmp
In the example above both commands do the same thing: they specify that all TCP and UDP packets match the rule. By specifying ! icmp we intend to allow all other protocols (in this case TCP and UDP) and exclude ICMP.

-s or --source: this source match matches packets on their source IP address. It also allows matching a range of IP addresses, and the ! symbol can be used to match everything except the given address. The default source match is all IP addresses.
Example:
$ iptables -A OUTPUT -s 192.168.1.1
$ iptables -A OUTPUT -s 192.168.0.0/24
$ iptables -A OUTPUT -s ! 203.16.1.89
The second command specifies that the rule matches all packets from the 192.168.0.0/24 address range. The third command specifies that the rule matches any packet that is not from the source address 203.16.1.89.

-d or --destination: this destination match matches packets on their destination IP address. It also allows matching a range of IP addresses, and the ! symbol can be used to match everything except the given address.
Example:
$ iptables -A INPUT -d 192.168.1.1
$ iptables -A INPUT -d 192.168.0.0/24
$ iptables -A OUTPUT -d ! 203.16.1.89

Targets

We already know that a target is the operation a rule specifies; it is performed on packets that match the rule. Besides allowing user-defined targets, there are many built-in target options. Some of the common targets, with examples and descriptions:

ACCEPT: when a packet fully matches a rule with the ACCEPT target, it is accepted (allowed to proceed to its destination) and stops traversing the chain (although the packet may traverse other chains in another table and may be dropped there). This target is specified as -j ACCEPT.

DROP: when a packet fully matches a rule with the DROP target, it is blocked and not processed further. This target is specified as -j DROP.

REJECT: this target works like DROP, but it is better than DROP. Unlike DROP, REJECT does not leave dead sockets on the server and the client. In addition, REJECT sends an error message back to the sender of the packet. This target is specified as -j REJECT.
Example:
$ iptables -A FORWARD -p tcp --dport 22 -j REJECT

RETURN: the RETURN target placed in a rule makes a packet that matches the rule stop traversing the chain containing the rule. If that chain is a main chain such as INPUT, the packet is handled by the chain's default policy. It is specified as -j RETURN.
Example:
$ iptables -A FORWARD -d 203.16.1.89 -j RETURN

There are also many other targets for establishing advanced rules, such as LOG, REDIRECT, MARK, MIRROR, and MASQUERADE.

Saving rules

Now you have learned how to create basic rules and chains and how to add them to or remove them from the packet filtering tables. Remember, however, that rules created this way are kept in the kernel only and are lost when the system reboots. So if you have added an error-free, working rule set to the packet filtering table and want to use it again after a reboot, you must save the rule set to a file. You can do this with the iptables-save command:

$ iptables-save > iptables-script

Now all rules in the packet filtering tables are saved in the file iptables-script. You can restore the rule set from this script file into the packet filtering tables with the iptables-restore command, as follows:

$ iptables-restore < iptables-script

If you want this rule set to be restored automatically every time the system boots, you can put the command above in one of the initialization shell scripts.

[PIZZ note] Note that on Red Hat 9 and higher, the command find /etc -name "iptable*" locates the default configuration files (/etc/sysconfig/iptables-config, /etc/sysconfig/iptables) and the startup script (/etc/rc.d/init.d/iptables), but Red Hat advises users not to modify these files.
Advantages of the Netfilter/iptables system

An important advantage of Netfilter/iptables is that it can be configured as a stateful firewall, something ipfwadm and ipchains could not provide. A stateful firewall can specify and remember the state of the connections established by the packets it sends or receives. The firewall obtains this information from the connection state of the packet, and when a new packet is filtered, the stored state information lets the firewall work more efficiently and faster. There are four valid states, named ESTABLISHED, INVALID, NEW, and RELATED.

The state ESTABLISHED indicates that the packet belongs to an established connection, one that has been used to both send and receive packets and is fully valid. The state INVALID indicates that the packet is not associated with any known stream or connection; it may contain errors or a malformed header. The state NEW means that the packet has started or will start a new connection, or that it is associated with a connection that has not yet been used to both send and receive packets. Finally, RELATED indicates that the packet is starting a new connection and is associated with an existing established connection.

Another important advantage of Netfilter/iptables is that it gives users full control over firewall configuration and packet filtering. You can customize your rules to your specific needs so that only the network traffic you want enters the system. In addition, Netfilter/iptables is free, which is ideal for those who want to save money: it can replace expensive firewall solutions.
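The commands and targets from the previous sections and the connection states just listed come together in the following added example (written for this page; not the article's code and not the Netfilter project's). It prints a small rule set in the text format that iptables-save writes and iptables-restore reads: default policies, a user-defined chain, a RETURN that falls through to a REJECT, and -m state rules for ESTABLISHED, RELATED and INVALID. The network, the administrator's address and the chain name are constructed, and the function names gen_ruleset and count_rules are the example's own.

```shell
#!/bin/sh
# Added example, not from the original article: builds a small stateful filter
# rule set in the format that iptables-save writes and iptables-restore reads.
# Addresses are constructed; nothing here touches the running firewall.
#
# Design: policy DROP on INPUT and FORWARD; accept loopback and replies to
# connections this host opened (ESTABLISHED,RELATED); drop INVALID; hand new
# SSH connections to a user-defined chain that RETURNs for untrusted sources,
# so the REJECT rule that follows answers them with a TCP reset.

# gen_ruleset TRUSTED_NET ADMIN_HOST: print the rule set on stdout
gen_ruleset() {
    net=$1; admin=$2
    # -p takes a single protocol name, so TCP and UDP each get their own rule
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:allowed-chain - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp --dport 22 -m state --state NEW -j allowed-chain
-A INPUT -p icmp --icmp-type echo-request -s $net -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A allowed-chain -s $admin -j ACCEPT
-A allowed-chain -j RETURN
-A FORWARD -p tcp --dport 22 -j REJECT
COMMIT
EOF
}

# count_rules TRUSTED_NET ADMIN_HOST: number of -A (append) lines generated
count_rules() { gen_ruleset "$1" "$2" | grep -c '^-A '; }

# Demo with constructed addresses. On a real host, as root, you would run:
#   gen_ruleset 192.168.0.0/24 192.168.0.10 > iptables-script
#   iptables-restore < iptables-script
#   iptables-save > iptables-script        # re-save after any interactive edits
gen_ruleset 192.168.0.0/24 192.168.0.10
```

Loading the file with iptables-restore replaces the whole table atomically, which is why the policies and the user-defined chain are declared in the header lines rather than with separate -P and -N commands.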
The latest Linux kernel, 2.4.x, has a built-in IP packet filtering tool, the Netfilter/iptables system, which makes configuring a firewall and packet filtering easy and convenient. Netfilter/iptables gives its users full control over firewall configuration and packet filtering. It allows a firewall to be set up with customizable rules that control packet filtering, and it allows a stateful firewall.

[Appendix] Installing the Netfilter/iptables system

Because the netfilter component of Netfilter/iptables is integrated into the 2.4.x kernel, only the iptables user space tool needs to be downloaded and installed.

Requirements

The following are needed to install the Netfilter/iptables system:

Hardware: to use Netfilter/iptables you need a system running the Linux OS and connected to the Internet, a LAN, or a WAN.

Software: any Linux OS with kernel 2.4 or higher. The latest kernel can be downloaded from http://www.kernel.org. The iptables user space tool must also be downloaded from http://www.netfilter.org, because it is not part of the kernel. For Red Hat Linux 7.1 or higher this is not required, because the tool is included in the standard installation from version 7.1 onward.

User: at least an intermediate understanding of the Linux OS and experience configuring the Linux kernel.

Preparing for installation

Some changes must be made to the system before installing the iptables user space tool. First, the kernel options must be configured with the make config command. During configuration, the CONFIG_NETFILTER and CONFIG_IP_NF_IPTABLES options must be turned on by setting them to Y, because they are necessary for Netfilter/iptables to work. Other options you may want to turn on:

CONFIG_PACKET: useful if you want applications and programs to use certain network devices directly.
CONFIG_IP_NF_MATCH_STATE: this option is very important and useful if you want to configure a stateful firewall. Such a firewall remembers previous packet filtering decisions and makes new decisions based on them. I discuss this further in the section on the advantages of the Netfilter/iptables system.

CONFIG_IP_NF_FILTER: this option provides the basic packet filtering framework. If it is turned on, a basic filter table (with the built-in INPUT, FORWARD, and OUTPUT chains) is added to kernel space.

CONFIG_IP_NF_TARGET_REJECT: this option allows you to specify that an ICMP error message should be sent in response to inbound packets that are dropped by DROP, rather than simply discarding them.

Now you are ready to install the user space tool.

Installing the user space tool

After downloading the source of the iptables user space tool (a file such as iptables-1.2.6a.tar.bz2), you can begin the installation. You need to be logged in as root to perform it. Listing 1 shows the commands required to install the tool, in the necessary order, with descriptions.
Listing 1. User space tool installation example

First, unpack the tool package into a directory:
# bzip2 -d iptables-1.2.6a.tar.bz2
# tar -xvf iptables-1.2.6a.tar
This will unpack the tool source into a directory named iptables-1.2.6a. Now change to the iptables-1.2.6a directory:
# cd iptables-1.2.6a
The INSTALL file in this directory contains a lot of useful information on compiling and installing this tool. Now compile the user space tool using the following command:
# make KERNEL_DIR=/usr/src/linux/
Here KERNEL_DIR=/usr/src/linux/ specifies the path to the kernel's directory. If the kernel directory happens to be different on some systems, the appropriate directory path should be substituted for /usr/src/linux. Now install the binaries using the following command:
# make install KERNEL_DIR=/usr/src/linux/
Now the installation is complete.

Note: if you have Red Hat Linux 7.1 or higher, there is no need to perform the first two steps described here. As we know, the standard installation of that distribution includes the iptables user space tool. By default, however, this tool is turned off.
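Before running the make commands of Listing 1 it is worth confirming that the kernel options named under "Preparing for installation" are actually on. The following added example (not from the article) parses a kernel .config file and reports each option as built in (y), modular (m) or off (n), failing when a required option is off; the sample .config contents and the function names option_state and check_config are the example's own.

```shell
#!/bin/sh
# Added example, not from the original article: reads a kernel .config and
# reports whether the options the text names are built in (y), modular (m) or
# off (n). The sample .config below is constructed for the demo; on a real
# system point check_config at /usr/src/linux/.config (or your KERNEL_DIR).

REQUIRED="CONFIG_NETFILTER CONFIG_IP_NF_IPTABLES"
RECOMMENDED="CONFIG_PACKET CONFIG_IP_NF_MATCH_STATE CONFIG_IP_NF_FILTER CONFIG_IP_NF_TARGET_REJECT"

# option_state FILE OPTION: prints y, m or n
# ("# OPTION is not set" and an absent option both count as n)
option_state() {
    line=$(grep -E "^(# )?$2[= ]" "$1" | head -n 1)
    case "$line" in
        "$2=y") echo y ;;
        "$2=m") echo m ;;
        *)      echo n ;;
    esac
}

# check_config FILE: one report line per option; returns 1 if a required option is off
check_config() {
    rc=0
    for opt in $REQUIRED; do
        st=$(option_state "$1" "$opt")
        printf 'required    %-28s %s\n' "$opt" "$st"
        [ "$st" != n ] || rc=1
    done
    for opt in $RECOMMENDED; do
        printf 'recommended %-28s %s\n' "$opt" "$(option_state "$1" "$opt")"
    done
    return $rc
}

# Constructed sample .config (not from any real kernel): iptables support is off
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
CONFIG_NETFILTER=y
# CONFIG_IP_NF_IPTABLES is not set
CONFIG_PACKET=y
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_MATCH_STATE=y
EOF

check_config "$SAMPLE_CONFIG" || echo "rebuild the kernel: a required option is off"
```

A modular option (m) is fine for the filter table and matches as long as the corresponding modules are loaded before the rules are restored at boot.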