Introduction to iptables

xiaoxiao, 2021-03-06

Many people have already updated their kernel to 2.4.x, but as the kernel changes there is a lot that is still not widely known, and iptables is one of those things. Kernel 2.4 has been out for a long time, yet people still ask: why does my ipchains not work any more? All of this is the work of Rusty Russell et al. (ipchains in kernel 2.2.x was also his work!). They felt that ipchains was still not perfect, so they decided to rewrite it for kernel 2.4, hoping that a stronger firewall would appear with kernel 2.4. The fruit of their hard work is the iptables introduced here.

The predecessor of this iptables was called netfilter; the author never figured out why it was suddenly renamed, but the new name appeared around kernel 2.3.99. You can also see this from the URLs at the end of this chapter.

Back to the point: why say it is powerful? To explain that, we first have to talk about the stateless firewall.

A so-called stateless firewall is what you find in popular routers: every packet is inspected separately, and then the firewall decides whether to let it through, return an error, or ignore it completely. The key word is "separately". Take TCP as an example. Every TCP connection starts with three packets: first the client sends a packet with the SYN bit set to the server (if you don't know what that is, it is a special flag marking the start of a connection); second, the server answers the client with a packet that has both the SYN and ACK bits set; finally, the client sends a packet with the ACK bit set back to the server.

Here is the problem. If someone sends a packet with only the ACK bit set, out of nowhere, how does the firewall tell whether it is deliberate or part of a normal connection? A stateless firewall cannot tell, so it lets it through. This technique is often used to scan networks, because it fools a lot of firewalls.

This is where the stateful firewall and the stateless firewall differ. A stateful firewall remembers every connection. When a packet arrives, it first checks whether the packet belongs to a known connection; if there is no record of that connection in memory, it can be sure the packet is fake and throws it in the bin! This is of course a simplified example, but it is enough to explain the idea to everyone.

What else is gained? The old ipchains was a single binary, and it was very hard to add functions to it: you had to modify every relevant place in the source code directly and recompile ipchains. iptables, on the other hand, uses modules: any added feature only needs a module to be written, development is no longer limited to modifying the main source code, and development speed is faster too.

Is that all? Wait, the author has not finished yet; iptables can limit the rate of connections, which is very effective against system resources being exhausted by long-term bombardment. The last point is related to the SYN and ACK bits mentioned above, collectively known as TCP flags. ipchains could only check one of the several possible flags, so other abnormal packets, and even some normal packets, could pass unhindered. Now iptables can check any of these flags, which silences many scans. Oh... this is starting to sound like a lecture, and it is still all theory. The author will assume, however, that the reader has some concept of IP, TCP, connections and so on, otherwise the whole book would have to go in here! Only some of the "kindergarten" settings will be explained; the author hopes to have the chance to show the real power of iptables in the future!
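To make the three points above concrete (connection state, TCP flag checks, and connection rate limiting), here is an added example that is not from the original article: a shell function that writes an INPUT policy in iptables-restore format so it can be reviewed before it is loaded. The modules it relies on (`state`, `limit`, the `--tcp-flags` and `--syn` matches) exist in iptables 1.2.x and later; the service ports, the SSH rate and the `apply_ruleset` helper are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the original article): a stateful INPUT policy of the
# kind the text describes, emitted as an iptables-restore file. Assumptions:
# a single host exposing the ports in SERVICE_PORTS; SSH_NEW_RATE is arbitrary.
SERVICE_PORTS="22 80"          # hypothetical services to expose
SSH_NEW_RATE="3/minute"        # rate limit for NEW SSH connections (-m limit)

# Print the ruleset to stdout; nothing is applied here.
stateful_ruleset() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'        # default policy: drop what no rule accepts
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    # The stateful part: packets belonging to a connection the kernel has
    # already seen are accepted; packets conntrack cannot classify are dropped.
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -m state --state INVALID -j DROP'
    # TCP flag combinations that never occur in a normal handshake.
    echo '-A INPUT -p tcp --tcp-flags ALL NONE -j DROP'
    echo '-A INPUT -p tcp --tcp-flags ALL ALL -j DROP'
    echo '-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP'
    echo '-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP'
    # A NEW connection must start with a SYN (--syn = SYN set, ACK and RST clear).
    # This is the rule that catches a lone ACK belonging to no known connection,
    # the scan trick described in the text.
    echo '-A INPUT -p tcp ! --syn -m state --state NEW -j DROP'
    # Rate limit new SSH connections before accepting them.
    echo "-A INPUT -p tcp --dport 22 -m state --state NEW -m limit --limit $SSH_NEW_RATE --limit-burst 5 -j ACCEPT"
    echo '-A INPUT -p tcp --dport 22 -m state --state NEW -j DROP'
    for port in $SERVICE_PORTS; do
        [ "$port" = 22 ] && continue    # SSH already handled above
        echo "-A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    echo 'COMMIT'
}

# Count how many rules in the generated set look at connection state.
count_state_rules() {
    stateful_ruleset | grep -c -- '--state'
}

# Load the set only when running as root with iptables-restore available;
# otherwise just print it for inspection.
apply_ruleset() {
    if [ "$(id -u)" -eq 0 ] && command -v iptables-restore >/dev/null 2>&1; then
        stateful_ruleset | iptables-restore
    else
        echo "not root or iptables-restore missing; printing instead" >&2
        stateful_ruleset
    fi
}

if [ "${1:-}" = apply ]; then
    apply_ruleset
fi
```

Run it as `sh stateful.sh` to print the rules, or `sh stateful.sh apply` as root to load them. Rule order matters: the ESTABLISHED,RELATED rule sits first so that every packet of an accepted connection is handled by a single table lookup, and the flag checks and the rate limit only ever see packets that are trying to open something new.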

Installation instructions

The iptables home page (URLs at the end) has download links that are easy to find. Download the latest version (the latest the author could find is 1.2.1a). First, one thing must be clear: what version is your kernel? If it is not 2.4.x, sorry! Keep using ipchains!

In addition, you must know whether your kernel supports iptables. Judge from the following two points:

1. Does /proc/net/ip_tables_names exist?
2. Does /lib/modules/2.x.x/kernel/net/ipv4/netfilter/ip_tables.o exist?

As long as one of the answers is yes, the following two paragraphs about recompiling the kernel can be skipped. Otherwise, let's see how to recompile the kernel...
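The two checks above, wrapped in a scriptable function, as an added example that is not part of the original article. It goes slightly beyond the text: besides the 2.4-era `ip_tables.o`, it also looks for the `ip_tables.ko` (and compressed `.ko.*`) file names that later kernels use. The proc path and modules directory are parameters so the function can be exercised against a constructed directory tree; the defaults are the real locations.

```shell
#!/bin/sh
# Added example (not from the original article): check whether this kernel
# has ip_tables available, either built in / loaded (proc file) or as a module.

# Usage: kernel_has_iptables [PROC_FILE] [MODULES_DIR]
# Returns 0 if either indicator exists, 1 otherwise.
kernel_has_iptables() {
    proc_file="${1:-/proc/net/ip_tables_names}"
    mod_dir="${2:-/lib/modules/$(uname -r)}"
    # 1. the proc file is present when ip_tables is built in or already loaded
    if [ -e "$proc_file" ]; then
        return 0
    fi
    # 2. the module file is present on disk but not yet loaded
    #    (.o on 2.4 kernels as in the text; .ko and compressed variants later)
    for suffix in o ko ko.gz ko.xz ko.zst; do
        if [ -f "$mod_dir/kernel/net/ipv4/netfilter/ip_tables.$suffix" ]; then
            return 0
        fi
    done
    return 1
}

# Constructed self-check: a fake modules tree with the 2.4-era .o file and no
# proc entry should still count as "supported". Prints the verdict.
demo_constructed() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/lib/modules/2.4.2/kernel/net/ipv4/netfilter"
    : > "$tmp/lib/modules/2.4.2/kernel/net/ipv4/netfilter/ip_tables.o"
    if kernel_has_iptables "$tmp/no_such_proc" "$tmp/lib/modules/2.4.2"; then
        result=supported
    else
        result=unsupported
    fi
    rm -rf "$tmp"
    echo "$result"
}

# Real check on the running machine (no arguments = real paths).
report_this_kernel() {
    if kernel_has_iptables; then
        echo "iptables support found for kernel $(uname -r)"
    else
        echo "no ip_tables support found; recompile the kernel as described"
    fi
}
```

Note that the proc file only appears once the module is loaded, so on a freshly booted machine with everything built as modules the second test is the one that usually answers yes.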

After downloading the kernel (the latest stable release at the time of writing is still 2.4.2; the brave can download 2.4.3-pre4), select "Network packet filtering (replaces ipchains)" under "Networking options"; an "IP: Netfilter Configuration --->" menu will then appear under "TCP/IP networking", and there you can start selecting the firewall features you want to support. The author's personal suggestion is to select all options as "M" (i.e. module): this avoids wasting memory, can also reduce boot time, and you need not worry that some feature you did not compile in will be missing later.

Start compiling the kernel, reboot, and use the new kernel. If there is a problem after compiling or at the module-loading step, and it is clearly an error in the netfilter (iptables) part, you can always choose "Y" (i.e. built into the kernel) and recompile; no problem! (The author has tried it.)

Next, compile iptables. After extracting iptables-1.x.x.tar.gz, first open the Makefile in a text editor to see whether anything needs changing (for example, if you want all the binaries in /usr/sbin, set BINDIR to /usr/sbin, and so on). After the changes are done, type

# make all experimental

and compilation starts... oops, an error? Does it look like the following?

libipulog/libipulog.c: In function `ipulog_create_handle':
libipulog/libipulog.c:142: `NETLINK_NFLOG' undeclared (first use in this function)
libipulog/libipulog.c:142: (Each undeclared identifier is reported only once
libipulog/libipulog.c:142: for each function it appears in.)
make: *** [libipulog/libipulog.o] Error 1

No big deal: edit the Makefile once more and change the COPT_FLAGS line

COPT_FLAGS:=-O2 -DNDEBUG

to

COPT_FLAGS:=-O2 -DNDEBUG -DNETLINK_NFLOG=4

and compile once more! Finally, enter

# make install install-experimental

This copies iptables, iptables-save and iptables-restore to /usr/local/sbin. To use them, add /usr/local/sbin to your PATH; that is not described in detail here.

If you want to try it out, type the following:

# iptables -L -v -n

Does it warn that the kernel does not support iptables? For some reason the author does not understand, the kernel module is not loaded automatically, so it has to be loaded by hand:

# modprobe ip_tables

Run iptables once more, and you should see output like the following:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Is that what you see? Then it worked! Read on to the next chapter, which teaches you how to build a simple firewall!
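Once "iptables -L -v -n" works, the same listing is also what an audit script has to read. Here is an added example, not from the original article, that parses that listing with awk and reports each chain's default policy and rule count, so a script can notice the state shown above (three chains, policy ACCEPT, no rules, i.e. a firewall that is doing nothing yet). The sample listing inside `sample_listing` is constructed to match the format printed in the text; on a real machine pipe `iptables -L -v -n` into `summarize_chains` instead.

```shell
#!/bin/sh
# Added example (not from the original article): summarise an
# "iptables -L -v -n" listing as "CHAIN POLICY RULECOUNT" lines.

# Constructed sample in the exact format of the listing in the text.
sample_listing() {
    cat <<'EOF'
Chain INPUT (policy ACCEPT 2939 packets, 1124863 bytes)
 pkts bytes target     prot opt in     out     source               destination
    1   241 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
EOF
}

# Read a listing on stdin; print one "CHAIN POLICY RULECOUNT" line per chain.
# User-defined chains have no policy ("Chain foo (2 references)") and get "-".
summarize_chains() {
    awk '
        /^Chain / {
            if (chain != "") print chain, policy, rules
            chain = $2
            policy = ($3 == "(policy") ? $4 : "-"
            rules = 0
            next
        }
        /^ *pkts +bytes/ { next }                 # column header line
        NF >= 3 && $1 ~ /^[0-9]+$/ { rules++ }    # a rule line starts with its pkts counter
        END { if (chain != "") print chain, policy, rules }
    '
}

# Return 0 if the INPUT chain on stdin has policy ACCEPT and no rules at all,
# i.e. nothing is being filtered on input.
input_is_wide_open() {
    summarize_chains | awk '
        $1 == "INPUT" && $2 == "ACCEPT" && $3 == 0 { found = 1 }
        END { exit !found }
    '
}
```

`sample_listing | summarize_chains` prints `INPUT ACCEPT 1`, `FORWARD ACCEPT 0` and `OUTPUT ACCEPT 0`; the empty listing shown in the text would instead make `input_is_wide_open` succeed. The numeric first-column test is what separates rule lines from headers, so the function keeps working when the `-v` columns are wider than in the sample.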

Setting up a firewall

Options for handling firewall rules

Before designing anything, let's warm up first:

# iptables -A INPUT -j ACCEPT

Nothing blows up! After entering this rule, use "iptables -L -v -n" and you will see the following:

Chain INPUT (policy ACCEPT 2939 packets, 1124863 bytes)
 pkts bytes target     prot opt in     out     source               destination
    1   241 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

What does this mean? -A is append: it adds the rule described by the parameters that follow to the end of one of the "chains" INPUT, FORWARD or OUTPUT. And -j defines how matching packets are to be processed; here it is ACCEPT, i.e. let them pass. What if you don't want any packet to pass? Easy:

# iptables -R INPUT 1 -j DROP

This time ACCEPT is changed to DROP, and no packet can pass any more. But... what is -R? It means replace. The "INPUT 1" that follows refers to the first rule in the chain, which is the ACCEPT rule!

Of course, the job of a firewall cannot be to forbid all traffic! So let's clear that rule first...

# iptables -D INPUT 1

-D means delete, and its usage is the same as -R above. Besides -A, -R and -D there is also -I, which means insert: -A appends rules one after another at the end, while -I inserts a rule in the middle of the existing rules. There is nothing else to it.

Finally there is -F, which means flush; as the name suggests, it flushes everything down the toilet!

Options for IP addresses

A bit more warm-up; try this:

# iptables -A INPUT -s 199.95.206.201 -j DROP

Why use this IP for the demonstration? In short, it is an annoying place! Don't ask! Suffice it to say it is blocked so that no traffic from it can enter the author's own site. Not just a single IP; a range of IPs works as well:

# iptables -A INPUT -s 10.0.0.0/8 -j DROP

If your LAN uses 192.168.0.x, you certainly don't want to see any 10.x.x.x addresses! So dropping them is perfectly normal.

The two examples above use -s (i.e. source IP); now look at its counterpart, -d (destination):

# iptables -A INPUT -d 192.168.0.1 -j DROP

Suppose your IP is 192.168.0.2; then this rule has no effect on you. On the other hand, if your IP is 192.168.0.1, any packet to your machine will be dropped.

-s and -d can be used together, and an exclamation mark (!) meaning "not" can be placed in front of the IP address. For example:

# iptables -P INPUT DROP

# iptables -A INPUT -s ! 192.168.0.3 -d 192.168.0.0/24 -j ACCEPT

The author forgot to mention -P, which means default policy: it defines in advance what happens to a packet whose fate no rule decides, whether it is let through, refused at the door, or something else. Here the default is DROP. OK, the next line is what the author actually wanted to show. It means: if the source is not 192.168.0.3 and the destination is any IP in 192.168.0.x, let it pass. In other words, 192.168.0.3 is blocked! Before reading the next section, clear out the old junk rules first:

# iptables -F

Options for specifying the network interface

There are very few options of this kind; as above, only two: -i and -o. -i is the input interface, which is only useful in the INPUT chain; in contrast, -o is the output interface, which is only useful in the OUTPUT chain. Let's look at an example:

# iptables -A INPUT -i eth1 -s 192.168.0.0/24 -j ACCEPT

Very simple: accept all LAN traffic. "-i eth1" is added, however, to stop someone outside the LAN from deliberately sending fake packets dressed up as internal traffic. But this is actually unnecessary, because the kernel itself has a mechanism to prevent it; enter the following line and the explanation is free. ^_^

# echo '1' > /proc/sys/net/ipv4/conf/all/rp_filter

Then there is -o... a simple example:

# iptables -A OUTPUT -o ppp0 -d 205.138.3.22 -j REJECT

Actually it is not that simple. First, -j REJECT and -j DROP are the same in that both refuse the packet, but DROP does so silently, whereas REJECT sends back a response saying the packet was rejected. Also, bear in mind: -o is used with the OUTPUT chain! As for that IP... in short, this rule prevents your information from being sent, without your knowledge, to a company that collects the online habits of everyone in the world!
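The address and interface options from the last two sections, combined into one small gateway script, as an added example that is not part of the original article. The LAN on eth1 with 192.168.0.0/24, the dial-up link on ppp0, the 10.0.0.0/8 range, the blocked host 199.95.206.201 and the REJECTed destination 205.138.3.22 are taken from the text; the `fw()` wrapper and the DRY_RUN mode are assumptions for the example, so the rules can be inspected as text before anything is applied. Negation is written in the modern `! -s` form (iptables 1.2 wrote `-s ! ...`, as in the text).

```shell
#!/bin/sh
# Added example (not from the original article): a gateway ruleset built from
# the -P, -s/-d, ! , -i/-o, DROP/REJECT options and rp_filter described above.
# With DRY_RUN=1 (the default) every command is recorded instead of executed;
# run as root with DRY_RUN=0 to apply.
LAN_IF=eth1                    # LAN interface, from the text
WAN_IF=ppp0                    # dial-up link, from the text
LAN_NET=192.168.0.0/24
BLOCKED_HOST=199.95.206.201    # the "annoying place" in the text
TRACKER=205.138.3.22           # the destination REJECTed in the text
DRY_RUN=${DRY_RUN:-1}
RECORDED=""

# Either run iptables or append the command line to RECORDED.
fw() {
    if [ "$DRY_RUN" = 1 ]; then
        RECORDED="${RECORDED}iptables $*
"
    else
        iptables "$@"
    fi
}

build_rules() {
    RECORDED=""
    fw -F                                   # flush old rules first
    fw -P INPUT DROP                        # default policy: refuse at the door
    fw -P OUTPUT ACCEPT
    fw -A INPUT -i lo -j ACCEPT
    # Anti-spoofing: LAN addresses are only believable on the LAN interface.
    fw -A INPUT -i "$LAN_IF" ! -s "$LAN_NET" -j DROP
    fw -A INPUT ! -i "$LAN_IF" -s "$LAN_NET" -j DROP
    fw -A INPUT -i "$WAN_IF" -s 10.0.0.0/8 -j DROP      # private range from outside
    fw -A INPUT -s "$BLOCKED_HOST" -j DROP              # silently, no reply
    fw -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT     # accept LAN traffic
    # REJECT rather than DROP so local programs get an error immediately
    # instead of waiting for a timeout.
    fw -A OUTPUT -o "$WAN_IF" -d "$TRACKER" -j REJECT
}

# rp_filter is the kernel's own reverse-path anti-spoofing check.
enable_rp_filter() {
    if [ "$DRY_RUN" = 1 ]; then
        RECORDED="${RECORDED}echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
"
    else
        echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
    fi
}

# Number of recorded commands; lets a dry run be checked before applying.
recorded_count() {
    printf '%s' "$RECORDED" | grep -c .
}

# Print the recorded commands (dry run) so they can be reviewed.
show_recorded() {
    printf '%s' "$RECORDED"
}
```

Running `build_rules; enable_rp_filter; show_recorded` prints the eleven commands in order; note that `-P INPUT DROP` is set before the ACCEPT rules are added, so there is no window in which the chain is open but unfiltered, and the `-F` at the top is what the text calls flushing the old junk.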

This is probably enough for readers to study for a while. To those friends who already know this area well, apologies! The author hopes to have the chance to explore some deeper settings in the future!

iptables main websites: http://netfilter.kernelnotes.org http://netfilter.filewatcher.org http://netfilter.samba.org

ipchains websites: http://netfilter.kernelnotes.org/ipchains/ http://netfilter.filewatcher.org/ipchains/ http://netfilter.samba.org/ipchains/

Please credit the original address when reposting: https://www.9cbs.com/read-88630.html
