Iptables Tutorial 1.2.2
Добавить в закладки К обложке
- Dedications - Страница 2
- About the author - Страница 3
- How to read - Страница 4
- Prerequisites - Страница 5
- Conventions used in this document - Страница 6
- Chapter 1. Introduction - Страница 7
- How it was written - Страница 8
- Terms used in this document - Страница 9
- What's next? - Страница 10
- Chapter 2. TCP/IP repetition - Страница 11
- TCP/IP Layers - Страница 12
- IP characteristics - Страница 14
- IP headers - Страница 16
- TCP characteristics - Страница 19
- TCP headers - Страница 20
- UDP characteristics - Страница 22
- UDP headers - Страница 23
- ICMP characteristics - Страница 24
- ICMP headers - Страница 25
- ICMP Echo Request/Reply - Страница 26
- ICMP Destination Unreachable - Страница 27
- Source Quench - Страница 28
- Redirect - Страница 29
- TTL equals 0 - Страница 30
- Parameter problem - Страница 31
- Timestamp request/reply - Страница 32
- Information request/reply - Страница 33
- SCTP Characteristics - Страница 34
- Initialization and association - Страница 35
- Data sending and control session - Страница 36
- Shutdown and abort - Страница 37
- SCTP Headers - Страница 38
- SCTP Generic header format - Страница 39
- SCTP Common and generic headers - Страница 40
- SCTP ABORT chunk - Страница 42
- SCTP COOKIE ACK chunk - Страница 43
- SCTP COOKIE ECHO chunk - Страница 44
- SCTP DATA chunk - Страница 45
- SCTP ERROR chunk - Страница 46
- SCTP HEARTBEAT chunk - Страница 47
- SCTP HEARTBEAT ACK chunk - Страница 48
- SCTP INIT chunk - Страница 49
- SCTP INIT ACK chunk - Страница 51
- SCTP SACK chunk - Страница 52
- SCTP SHUTDOWN chunk - Страница 53
- SCTP SHUTDOWN ACK chunk - Страница 54
- SCTP SHUTDOWN COMPLETE chunk - Страница 55
- TCP/IP destination driven routing - Страница 56
- What's next? - Страница 57
- Chapter 3. IP filtering introduction - Страница 58
- What is an IP filter - Страница 59
- IP filtering terms and expressions - Страница 61
- How to plan an IP filter - Страница 63
- What's next? - Страница 65
- Chapter 4. Network Address Translation Introduction - Страница 66
- What NAT is used for and basic terms and expressions - Страница 67
- Caveats using NAT - Страница 68
- Example NAT machine in theory - Страница 69
- What is needed to build a NAT machine - Страница 70
- Placement of NAT machines - Страница 71
- How to place proxies - Страница 72
- The final stage of our NAT machine - Страница 73
- What's next? - Страница 74
- Chapter 5. Preparations - Страница 75
- Where to get iptables - Страница 76
- Kernel setup - Страница 77
- User-land setup - Страница 80
- Compiling the user-land applications - Страница 81
- Installation on Red Hat 7.1 - Страница 82
- What's next? - Страница 84
- Chapter 6. Traversing of tables and chains - Страница 85
- General - Страница 86
- Mangle table - Страница 89
- Nat table - Страница 90
- Raw table - Страница 91
- Filter table - Страница 92
- User specified chains - Страница 93
- What's next? - Страница 94
- Chapter 7. The state machine - Страница 95
- Introduction - Страница 96
- The conntrack entries - Страница 97
- User-land states - Страница 99
- TCP connections - Страница 100
- UDP connections - Страница 102
- ICMP connections - Страница 103
- Default connections - Страница 105
- Untracked connections and the raw table - Страница 106
- Complex protocols and connection tracking - Страница 107
- What's next? - Страница 109
- Chapter 8. Saving and restoring large rule-sets - Страница 110
- Speed considerations - Страница 111
- Drawbacks with restore - Страница 112
- iptables-save - Страница 113
- iptables-restore - Страница 115
- What's next? - Страница 116
- Chapter 9. How a rule is built - Страница 117
- Basics of the iptables command - Страница 118
- Tables - Страница 119
- Commands - Страница 120
- What's next? - Страница 122
- Chapter 10. Iptables matches - Страница 123
- Generic matches - Страница 124
- Implicit matches - Страница 125
- TCP matches - Страница 126
- UDP matches - Страница 127
- ICMP matches - Страница 128
- SCTP matches - Страница 129
- Explicit matches - Страница 131
- Addrtype match - Страница 132
- AH/ESP match - Страница 133
- Comment match - Страница 134
- Connmark match - Страница 135
- Conntrack match - Страница 136
- Dscp match - Страница 137
- Ecn match - Страница 138
- Hashlimit match - Страница 139
- Helper match - Страница 140
- IP range match - Страница 141
- Length match - Страница 142
- Limit match - Страница 143
- Mac match - Страница 144
- Mark match - Страница 145
- Multiport match - Страница 146
- Owner match - Страница 147
- Packet type match - Страница 148
- Realm match - Страница 149
- Recent match - Страница 150
- State match - Страница 152
- Tcpmss match - Страница 153
- Tos match - Страница 154
- Ttl match - Страница 155
- Unclean match - Страница 156
- What's next? - Страница 157
- Chapter 11. Iptables targets and jumps - Страница 158
- ACCEPT target - Страница 159
- CLASSIFY target - Страница 160
- CLUSTERIP target - Страница 161
- CONNMARK target - Страница 163
- CONNSECMARK target - Страница 164
- DNAT target - Страница 165
- DROP target - Страница 168
- DSCP target - Страница 169
- ECN target - Страница 170
- LOG target options - Страница 171
- MARK target - Страница 172
- MASQUERADE target - Страница 173
- MIRROR target - Страница 174
- NETMAP target - Страница 175
- NFQUEUE target - Страница 176
- NOTRACK target - Страница 177
- QUEUE target - Страница 178
- REDIRECT target - Страница 179
- REJECT target - Страница 180
- RETURN target - Страница 181
- SAME target - Страница 182
- SECMARK target - Страница 183
- SNAT target - Страница 184
- TCPMSS target - Страница 185
- TOS target - Страница 186
- TTL target - Страница 187
- ULOG target - Страница 188
- What's next? - Страница 189
- Chapter 12. Debugging your scripts - Страница 190
- Debugging, a necessity - Страница 191
- Bash debugging tips - Страница 192
- System tools used for debugging - Страница 194
- Iptables debugging - Страница 195
- Other debugging tools - Страница 196
- Nmap - Страница 197
- Nessus - Страница 198
- What's next? - Страница 199
- Chapter 13. rc.firewall file - Страница 200
- example rc.firewall - Страница 201
- explanation of rc.firewall - Страница 202
- Initial loading of extra modules - Страница 203
- proc set up - Страница 205
- Displacement of rules to different chains - Страница 206
- Setting up default policies - Страница 208
- Setting up user specified chains in the filter table - Страница 209
- INPUT chain - Страница 212
- FORWARD chain - Страница 214
- OUTPUT chain - Страница 215
- PREROUTING chain of the nat table - Страница 216
- Starting SNAT and the POSTROUTING chain - Страница 217
- What's next? - Страница 218
- Chapter 14. Example scripts - Страница 219
- rc.firewall.txt script structure - Страница 220
- The structure - Страница 221
- rc.firewall.txt - Страница 224
- rc.DMZ.firewall.txt - Страница 225
- rc.DHCP.firewall.txt - Страница 226
- rc.UTIN.firewall.txt - Страница 228
- rc.test-iptables.txt - Страница 229
- rc.flush-iptables.txt - Страница 230
- Limit-match.txt - Страница 231
- Pid-owner.txt - Страница 232
- Recent-match.txt - Страница 233
- Sid-owner.txt - Страница 234
- Ttl-inc.txt - Страница 235
- Iptables-save ruleset - Страница 236
- What's next? - Страница 237
- Chapter 15. Graphical User Interfaces for Iptables/netfilter - Страница 238
- fwbuilder - Страница 239
- Turtle Firewall Project - Страница 240
- Integrated Secure Communications System - Страница 241
- IPMenu - Страница 242
- Easy Firewall Generator - Страница 243
- What's next? - Страница 244
- Chapter 16. Commercial products based on Linux, iptables and netfilter - Страница 245
- Ingate Firewall 1200 - Страница 246
- What's next? - Страница 247
- Appendix A. Detailed explanations of special commands - Страница 248
- Listing your active rule-set - Страница 249
- Updating and flushing your tables - Страница 250
- Appendix B. Common problems and questions - Страница 251
- Problems loading modules - Страница 252
- State NEW packets but no SYN bit set - Страница 253
- SYN/ACK and NEW packets - Страница 254
- Internet Service Providers who use assigned IP addresses - Страница 255
- Letting DHCP requests through iptables - Страница 256
- mIRC DCC problems - Страница 257
- Appendix C. ICMP types - Страница 258
- Appendix D. TCP options - Страница 259
- Appendix E. Other resources and links - Страница 260
- Appendix F. Acknowledgments - Страница 264
- Appendix G. History - Страница 265
- Appendix H. GNU Free Documentation License - Страница 267
- 0. PREAMBLE - Страница 268
- 1. APPLICABILITY AND DEFINITIONS - Страница 269
- 2. VERBATIM COPYING - Страница 270
- 3. COPYING IN QUANTITY - Страница 271
- 4. MODIFICATIONS - Страница 272
- 5. COMBINING DOCUMENTS - Страница 274
- 6. COLLECTIONS OF DOCUMENTS - Страница 275
- 7. AGGREGATION WITH INDEPENDENT WORKS - Страница 276
- 8. TRANSLATION - Страница 277
- 9. TERMINATION - Страница 278
- 10. FUTURE REVISIONS OF THIS LICENSE - Страница 279
- How to use this License for your documents - Страница 280
- Appendix I. GNU General Public License - Страница 281
- 0. Preamble - Страница 282
- 1. TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION - Страница 283
- 2. How to Apply These Terms to Your New Programs - Страница 286
- Appendix J. Example scripts code-base - Страница 287
- Example rc.firewall script - Страница 288
- Example rc.DMZ.firewall script - Страница 291
- Example rc.UTIN.firewall script - Страница 294
- Example rc.DHCP.firewall script - Страница 297
- Example rc.flush-iptables script - Страница 300
- Example rc.test-iptables script - Страница 301
- Index - Страница 302
- A - Страница 306
- B - Страница 307
- C - Страница 308
- D - Страница 312
- E - Страница 315
- F - Страница 318
- G - Страница 319
- H - Страница 320
- I - Страница 321
- J - Страница 325
- K - Страница 326
- L - Страница 327
- M - Страница 328
- N - Страница 331
- O - Страница 332
- P - Страница 333
- Q - Страница 335
- R - Страница 336
- S - Страница 339
- T - Страница 347
- U - Страница 352
- V - Страница 354
- W - Страница 355
- X - Страница 356
A connection may also enter the ESTABLISHED state, but not be[ASSURED]. This happens if we have connection pickup turned on (Requires the tcp-window-tracking patch, and the ip_conntrack_tcp_loose to be set to 1 or higher). The default, without the tcp-window-tracking patch, is to have this behaviour, and is not changeable.
When a TCP connection is closed down, it is done in the following way and takes the following states.
As you can see, the connection is never really closed until the last ACK is sent. Do note that this picture only describes how it is closed down under normal circumstances. A connection may also, for example, be closed by sending a RST(reset), if the connection were to be refused. In this case, the connection would be closed down immediately.
When the TCP connection has been closed down, the connection enters the TIME_WAIT state, which is per default set to 2 minutes. This is used so that all packets that have gotten out of order can still get through our rule-set, even after the connection has already closed. This is used as a kind of buffer time so that packets that have gotten stuck in one or another congested router can still get to the firewall, or to the other end of the connection.
If the connection is reset by a RST packet, the state is changed to CLOSE. This means that the connection per default has 10 seconds before the whole connection is definitely closed down. RST packets are not acknowledged in any sense, and will break the connection directly. There are also other states than the ones we have told you about so far. Here is the complete list of possible states that a TCP stream may take, and their timeout values.
Table 7-2. Internal states
State | Timeout value |
---|---|
NONE | 30 minutes |
ESTABLISHED | 5 days |
SYN_SENT | 2 minutes |
SYN_RECV | 60 seconds |
FIN_WAIT | 2 minutes |
TIME_WAIT | 2 minutes |
CLOSE | 10 seconds |
CLOSE_WAIT | 12 hours |
LAST_ACK | 30 seconds |
LISTEN | 2 minutes |
These values are most definitely not absolute. They may change with kernel revisions, and they may also be changed via the proc file-system in the /proc/sys/net/ipv4/netfilter/ip_ct_tcp_* variables. The default values should, however, be fairly well established in practice. These values are set in seconds. Early versions of the patch used jiffies (which was a bug).
Note Also note that the User-land side of the state machine does not look at TCP flags (i.e., RST, ACK, and SYN are flags) set in the TCP packets. This is generally bad, since you may want to allow packets in the NEW state to get through the firewall, but when you specify the NEW flag, you will in most cases mean SYN packets.
This is not what happens with the current state implementation; instead, even a packet with no bit set or an ACK flag, will count as NEW. This can be used for redundant firewalling and so on, but it is generally extremely bad on your home network, where you only have a single firewall. To get around this behavior, you could use the command explained in the State NEW packets but no SYN bit set section of the Common problems and questions appendix. Another way is to install the tcp-window-tracking extension from patch-o-matic, and set the /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_loose to zero, which will make the firewall drop all NEW packets with anything but the SYN flag set.
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
- 57
- 58
- 59
- 60
- 61
- 62
- 63
- 64
- 65
- 66
- 67
- 68
- 69
- 70
- 71
- 72
- 73
- 74
- 75
- 76
- 77
- 78
- 79
- 80
- 81
- 82
- 83
- 84
- 85
- 86
- 87
- 88
- 89
- 90
- 91
- 92
- 93
- 94
- 95
- 96
- 97
- 98
- 99
- 100
- 101
- 102
- 103
- 104
- 105
- 106
- 107
- 108
- 109
- 110
- 111
- 112
- 113
- 114
- 115
- 116
- 117
- 118
- 119
- 120
- 121
- 122
- 123
- 124
- 125
- 126
- 127
- 128
- 129
- 130
- 131
- 132
- 133
- 134
- 135
- 136
- 137
- 138
- 139
- 140
- 141
- 142
- 143
- 144
- 145
- 146
- 147
- 148
- 149
- 150
- 151
- 152
- 153
- 154
- 155
- 156
- 157
- 158
- 159
- 160
- 161
- 162
- 163
- 164
- 165
- 166
- 167
- 168
- 169
- 170
- 171
- 172
- 173
- 174
- 175
- 176
- 177
- 178
- 179
- 180
- 181
- 182
- 183
- 184
- 185
- 186
- 187
- 188
- 189
- 190
- 191
- 192
- 193
- 194
- 195
- 196
- 197
- 198
- 199
- 200
- 201
- 202
- 203
- 204
- 205
- 206
- 207
- 208
- 209
- 210
- 211
- 212
- 213
- 214
- 215
- 216
- 217
- 218
- 219
- 220
- 221
- 222
- 223
- 224
- 225
- 226
- 227
- 228
- 229
- 230
- 231
- 232
- 233
- 234
- 235
- 236
- 237
- 238
- 239
- 240
- 241
- 242
- 243
- 244
- 245
- 246
- 247
- 248
- 249
- 250
- 251
- 252
- 253
- 254
- 255
- 256
- 257
- 258
- 259
- 260
- 261
- 262
- 263
- 264
- 265
- 266
- 267
- 268
- 269
- 270
- 271
- 272
- 273
- 274
- 275
- 276
- 277
- 278
- 279
- 280
- 281
- 282
- 283
- 284
- 285
- 286
- 287
- 288
- 289
- 290
- 291
- 292
- 293
- 294
- 295
- 296
- 297
- 298
- 299
- 300
- 301
- 302
- 303
- 304
- 305
- 306
- 307
- 308
- 309
- 310
- 311
- 312
- 313
- 314
- 315
- 316
- 317
- 318
- 319
- 320
- 321
- 322
- 323
- 324
- 325
- 326
- 327
- 328
- 329
- 330
- 331
- 332
- 333
- 334
- 335
- 336
- 337
- 338
- 339
- 340
- 341
- 342
- 343
- 344
- 345
- 346
- 347
- 348
- 349
- 350
- 351
- 352
- 353
- 354
- 355
- 356