Iptables Tutorial 1.2.2
Добавить в закладки К обложке
- Dedications - Страница 2
- About the author - Страница 3
- How to read - Страница 4
- Prerequisites - Страница 5
- Conventions used in this document - Страница 6
- Chapter 1. Introduction - Страница 7
- How it was written - Страница 8
- Terms used in this document - Страница 9
- What's next? - Страница 10
- Chapter 2. TCP/IP repetition - Страница 11
- TCP/IP Layers - Страница 12
- IP characteristics - Страница 14
- IP headers - Страница 16
- TCP characteristics - Страница 19
- TCP headers - Страница 20
- UDP characteristics - Страница 22
- UDP headers - Страница 23
- ICMP characteristics - Страница 24
- ICMP headers - Страница 25
- ICMP Echo Request/Reply - Страница 26
- ICMP Destination Unreachable - Страница 27
- Source Quench - Страница 28
- Redirect - Страница 29
- TTL equals 0 - Страница 30
- Parameter problem - Страница 31
- Timestamp request/reply - Страница 32
- Information request/reply - Страница 33
- SCTP Characteristics - Страница 34
- Initialization and association - Страница 35
- Data sending and control session - Страница 36
- Shutdown and abort - Страница 37
- SCTP Headers - Страница 38
- SCTP Generic header format - Страница 39
- SCTP Common and generic headers - Страница 40
- SCTP ABORT chunk - Страница 42
- SCTP COOKIE ACK chunk - Страница 43
- SCTP COOKIE ECHO chunk - Страница 44
- SCTP DATA chunk - Страница 45
- SCTP ERROR chunk - Страница 46
- SCTP HEARTBEAT chunk - Страница 47
- SCTP HEARTBEAT ACK chunk - Страница 48
- SCTP INIT chunk - Страница 49
- SCTP INIT ACK chunk - Страница 51
- SCTP SACK chunk - Страница 52
- SCTP SHUTDOWN chunk - Страница 53
- SCTP SHUTDOWN ACK chunk - Страница 54
- SCTP SHUTDOWN COMPLETE chunk - Страница 55
- TCP/IP destination driven routing - Страница 56
- What's next? - Страница 57
- Chapter 3. IP filtering introduction - Страница 58
- What is an IP filter - Страница 59
- IP filtering terms and expressions - Страница 61
- How to plan an IP filter - Страница 63
- What's next? - Страница 65
- Chapter 4. Network Address Translation Introduction - Страница 66
- What NAT is used for and basic terms and expressions - Страница 67
- Caveats using NAT - Страница 68
- Example NAT machine in theory - Страница 69
- What is needed to build a NAT machine - Страница 70
- Placement of NAT machines - Страница 71
- How to place proxies - Страница 72
- The final stage of our NAT machine - Страница 73
- What's next? - Страница 74
- Chapter 5. Preparations - Страница 75
- Where to get iptables - Страница 76
- Kernel setup - Страница 77
- User-land setup - Страница 80
- Compiling the user-land applications - Страница 81
- Installation on Red Hat 7.1 - Страница 82
- What's next? - Страница 84
- Chapter 6. Traversing of tables and chains - Страница 85
- General - Страница 86
- Mangle table - Страница 89
- Nat table - Страница 90
- Raw table - Страница 91
- Filter table - Страница 92
- User specified chains - Страница 93
- What's next? - Страница 94
- Chapter 7. The state machine - Страница 95
- Introduction - Страница 96
- The conntrack entries - Страница 97
- User-land states - Страница 99
- TCP connections - Страница 100
- UDP connections - Страница 102
- ICMP connections - Страница 103
- Default connections - Страница 105
- Untracked connections and the raw table - Страница 106
- Complex protocols and connection tracking - Страница 107
- What's next? - Страница 109
- Chapter 8. Saving and restoring large rule-sets - Страница 110
- Speed considerations - Страница 111
- Drawbacks with restore - Страница 112
- iptables-save - Страница 113
- iptables-restore - Страница 115
- What's next? - Страница 116
- Chapter 9. How a rule is built - Страница 117
- Basics of the iptables command - Страница 118
- Tables - Страница 119
- Commands - Страница 120
- What's next? - Страница 122
- Chapter 10. Iptables matches - Страница 123
- Generic matches - Страница 124
- Implicit matches - Страница 125
- TCP matches - Страница 126
- UDP matches - Страница 127
- ICMP matches - Страница 128
- SCTP matches - Страница 129
- Explicit matches - Страница 131
- Addrtype match - Страница 132
- AH/ESP match - Страница 133
- Comment match - Страница 134
- Connmark match - Страница 135
- Conntrack match - Страница 136
- Dscp match - Страница 137
- Ecn match - Страница 138
- Hashlimit match - Страница 139
- Helper match - Страница 140
- IP range match - Страница 141
- Length match - Страница 142
- Limit match - Страница 143
- Mac match - Страница 144
- Mark match - Страница 145
- Multiport match - Страница 146
- Owner match - Страница 147
- Packet type match - Страница 148
- Realm match - Страница 149
- Recent match - Страница 150
- State match - Страница 152
- Tcpmss match - Страница 153
- Tos match - Страница 154
- Ttl match - Страница 155
- Unclean match - Страница 156
- What's next? - Страница 157
- Chapter 11. Iptables targets and jumps - Страница 158
- ACCEPT target - Страница 159
- CLASSIFY target - Страница 160
- CLUSTERIP target - Страница 161
- CONNMARK target - Страница 163
- CONNSECMARK target - Страница 164
- DNAT target - Страница 165
- DROP target - Страница 168
- DSCP target - Страница 169
- ECN target - Страница 170
- LOG target options - Страница 171
- MARK target - Страница 172
- MASQUERADE target - Страница 173
- MIRROR target - Страница 174
- NETMAP target - Страница 175
- NFQUEUE target - Страница 176
- NOTRACK target - Страница 177
- QUEUE target - Страница 178
- REDIRECT target - Страница 179
- REJECT target - Страница 180
- RETURN target - Страница 181
- SAME target - Страница 182
- SECMARK target - Страница 183
- SNAT target - Страница 184
- TCPMSS target - Страница 185
- TOS target - Страница 186
- TTL target - Страница 187
- ULOG target - Страница 188
- What's next? - Страница 189
- Chapter 12. Debugging your scripts - Страница 190
- Debugging, a necessity - Страница 191
- Bash debugging tips - Страница 192
- System tools used for debugging - Страница 194
- Iptables debugging - Страница 195
- Other debugging tools - Страница 196
- Nmap - Страница 197
- Nessus - Страница 198
- What's next? - Страница 199
- Chapter 13. rc.firewall file - Страница 200
- example rc.firewall - Страница 201
- explanation of rc.firewall - Страница 202
- Initial loading of extra modules - Страница 203
- proc set up - Страница 205
- Displacement of rules to different chains - Страница 206
- Setting up default policies - Страница 208
- Setting up user specified chains in the filter table - Страница 209
- INPUT chain - Страница 212
- FORWARD chain - Страница 214
- OUTPUT chain - Страница 215
- PREROUTING chain of the nat table - Страница 216
- Starting SNAT and the POSTROUTING chain - Страница 217
- What's next? - Страница 218
- Chapter 14. Example scripts - Страница 219
- rc.firewall.txt script structure - Страница 220
- The structure - Страница 221
- rc.firewall.txt - Страница 224
- rc.DMZ.firewall.txt - Страница 225
- rc.DHCP.firewall.txt - Страница 226
- rc.UTIN.firewall.txt - Страница 228
- rc.test-iptables.txt - Страница 229
- rc.flush-iptables.txt - Страница 230
- Limit-match.txt - Страница 231
- Pid-owner.txt - Страница 232
- Recent-match.txt - Страница 233
- Sid-owner.txt - Страница 234
- Ttl-inc.txt - Страница 235
- Iptables-save ruleset - Страница 236
- What's next? - Страница 237
- Chapter 15. Graphical User Interfaces for Iptables/netfilter - Страница 238
- fwbuilder - Страница 239
- Turtle Firewall Project - Страница 240
- Integrated Secure Communications System - Страница 241
- IPMenu - Страница 242
- Easy Firewall Generator - Страница 243
- What's next? - Страница 244
- Chapter 16. Commercial products based on Linux, iptables and netfilter - Страница 245
- Ingate Firewall 1200 - Страница 246
- What's next? - Страница 247
- Appendix A. Detailed explanations of special commands - Страница 248
- Listing your active rule-set - Страница 249
- Updating and flushing your tables - Страница 250
- Appendix B. Common problems and questions - Страница 251
- Problems loading modules - Страница 252
- State NEW packets but no SYN bit set - Страница 253
- SYN/ACK and NEW packets - Страница 254
- Internet Service Providers who use assigned IP addresses - Страница 255
- Letting DHCP requests through iptables - Страница 256
- mIRC DCC problems - Страница 257
- Appendix C. ICMP types - Страница 258
- Appendix D. TCP options - Страница 259
- Appendix E. Other resources and links - Страница 260
- Appendix F. Acknowledgments - Страница 264
- Appendix G. History - Страница 265
- Appendix H. GNU Free Documentation License - Страница 267
- 0. PREAMBLE - Страница 268
- 1. APPLICABILITY AND DEFINITIONS - Страница 269
- 2. VERBATIM COPYING - Страница 270
- 3. COPYING IN QUANTITY - Страница 271
- 4. MODIFICATIONS - Страница 272
- 5. COMBINING DOCUMENTS - Страница 274
- 6. COLLECTIONS OF DOCUMENTS - Страница 275
- 7. AGGREGATION WITH INDEPENDENT WORKS - Страница 276
- 8. TRANSLATION - Страница 277
- 9. TERMINATION - Страница 278
- 10. FUTURE REVISIONS OF THIS LICENSE - Страница 279
- How to use this License for your documents - Страница 280
- Appendix I. GNU General Public License - Страница 281
- 0. Preamble - Страница 282
- 1. TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION - Страница 283
- 2. How to Apply These Terms to Your New Programs - Страница 286
- Appendix J. Example scripts code-base - Страница 287
- Example rc.firewall script - Страница 288
- Example rc.DMZ.firewall script - Страница 291
- Example rc.UTIN.firewall script - Страница 294
- Example rc.DHCP.firewall script - Страница 297
- Example rc.flush-iptables script - Страница 300
- Example rc.test-iptables script - Страница 301
- Index - Страница 302
- A - Страница 306
- B - Страница 307
- C - Страница 308
- D - Страница 312
- E - Страница 315
- F - Страница 318
- G - Страница 319
- H - Страница 320
- I - Страница 321
- J - Страница 325
- K - Страница 326
- L - Страница 327
- M - Страница 328
- N - Страница 331
- O - Страница 332
- P - Страница 333
- Q - Страница 335
- R - Страница 336
- S - Страница 339
- T - Страница 347
- U - Страница 352
- V - Страница 354
- W - Страница 355
- X - Страница 356
CLUSTERIP target
The CLUSTERIP target is used to create simple clusters of nodes answering to the same IP and MAC address in a round robin fashion. This is a simple form of clustering where you set up a Virtual IP (VIP) on all hosts participating in the cluster, and then use the CLUSTERIP on each host that is supposed to answer the requests. The CLUSTERIP match requires no special load balancing hardware or machines, it simply does its work on each host part of the cluster of machines. It is a very simple clustering solution and not suited for large and complex clusters, neither does it have built in heartbeat handling, but it should be easily implemented as a simple script.
All servers in the cluster uses a common Multicast MAC for a VIP, and then a special hash algorithm is used within the CLUSTERIP target to figure out who of the cluster participants should respond to each connection. A Multicast MAC is a MAC address starting with 01:00:5e as the first 24 bits. an example of a Multicast MAC would be 01:00:5e:00:00:20. The VIP can be any IP address, but must be the same on all hosts as well.
Important Remember that the CLUSTERIP might break protocols such as SSH et cetera. The connection will go through properly, but if you try the same time again to the same host, you might be connected to another machine in the cluster, with a different keyset, and hence your ssh client might refuse to connect or give you errors. For this reason, this will not work very well with some protocols, and it might be a good idea to add separate addresses that can be used for maintenance and administration. Another solution is to use the same SSH keys on all hosts participating in the cluster.
The cluster can be loadbalanced with three kinds of hashmodes. The first one is only source IP (sourceip), the second is source IP and source port (sourceip-sourceport) and the third one is source IP, source port and destination port (sourceip-sourceport-destport). The first one might be a good idea where you need to remember states between connections, for example a webserver with a shopping cart that keeps state between connections, this load-balancing might become a little bit uneven -- different machines might get a higher loads than others, et cetera -- since connections from the same source IP will go to the same server. The sourceip-sourceport hash might be a good idea where you want to get the load-balancing a little bit more even, and where state does not have to be kept between connections on each server. For example, a large informational webpage with perhaps a simple search engine might be a good idea here. The third and last hashmode, sourceip-sourceport-destport, might be a good idea where you have a host with several services running that does not require any state to be preserved between connections. This might for example be a simple ntp, dns and www server on the same host. Each connection to each new destination would hence be "renegotiated" -- actually no negotiation goes on, it is basically just a round robin system and each host receives one connection each.
Each CLUSTERIP cluster gets a separate file in the /proc/net/ipt_CLUSTERIP directory, based on the VIP of the cluster. If the VIP is 192.168.0.5 for example, you could cat /proc/net/ipt_CLUSTERIP/192.168.0.5 to see which nodes this machine is answering for. To make the machine answer for another machine, lets say node 2, add it using echo "+2" >> /proc/net/ipt_CLUSTERIP/192.168.0.5. To remove it, run echo "-2" >> /proc/net/ipt_CLUSTERIP/192.168.0.5.
Table 11-2. CLUSTERIP target options
Option | --new |
Example | iptables -A INPUT -p tcp -d 192.168.0.5 --dport 80 -j CLUSTERIP --new ... |
Explanation | This creates a new CLUSTERIP entry. It must be set on the first rule for a VIP, and is used to create a new cluster. If you have several rules connecting to the same CLUSTERIP you can omit the --new keyword in any secondary references to the same VIP. |
Option | --hashmode |
Example | iptables -A INPUT -p tcp -d 192.168.0.5 --dport 443 -j CLUSTERIP --new --hashmode sourceip ... |
Explanation | The --hashmode keyword specifies the kind of hash that should be created. The hashmode can be any of the following three. |
• sourceip | |
• sourceip-sourceport | |
• sourceip-sourceport-destport | |
The hashmodes has been extensively explained above. Basically, sourceip will give better performance and simpler states between connections, but not as good load-balancing between the machines. sourceip-sourceport will give a slightly slower hashing and not as good to maintain states between connections, but will give better load-balancing properties. The last one may create very slow hashing that consumes a lot of memory, but will on the other hand also create very good load-balancing properties. | |
Option | --clustermac |
Example | iptables -A INPUT -p tcp -d 192.168.0.5 --dport 80 -j CLUSTERIP --new --hashmode sourceip --clustermac 01:00:5e:00:00:20 ... |
Explanation | The MAC address that the cluster is listening to for new connections. This is a shared Multicast MAC address that all the hosts are listening to. See above for a deeper explanation of this. |
Option | --total-nodes |
Example | iptables -A INPUT -p tcp -d 192.168.0.5 --dport 80 -j CLUSTERIP --new --hashmode sourceip --clustermac 01:00:5e:00:00:20 --total-nodes 2 ... |
Explanation | The --total-nodes keyword specifies how many hosts are participating in the cluster and that will answer to requests. See above for a deeper explanation. |
Option | --local-node |
Example | iptables -A INPUT -p tcp -d 192.168.0.5 --dport 80 -j CLUSTERIP --new --hashmode sourceip --clustermac 01:00:5e:00:00:20 --total-nodes 2 --local-node 1 |
Explanation | This is the number that this machine has in the cluster. The cluster answers in a round-robin fashion, so once a new connection is made to the cluster, the next machine answers, and then the next after that, and so on. |
Option | --hash-init |
Example | iptables -A INPUT -p tcp -d 192.168.0.5 --dport 80 -j CLUSTERIP --new --hashmode sourceip --clustermac 01:00:5e:00:00:20 --hash-init 1234 |
Explanation | Specifies a random seed for hash initialization. |
Warning This target is in violation of the RFC 1812 - Requirements for IP Version 4 Routers RFC, so be wary of any problems that may arise. Specifically, section 3.3.2 which specifies that a router must never trust another host or router that says that it is using a multicast mac.
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
- 57
- 58
- 59
- 60
- 61
- 62
- 63
- 64
- 65
- 66
- 67
- 68
- 69
- 70
- 71
- 72
- 73
- 74
- 75
- 76
- 77
- 78
- 79
- 80
- 81
- 82
- 83
- 84
- 85
- 86
- 87
- 88
- 89
- 90
- 91
- 92
- 93
- 94
- 95
- 96
- 97
- 98
- 99
- 100
- 101
- 102
- 103
- 104
- 105
- 106
- 107
- 108
- 109
- 110
- 111
- 112
- 113
- 114
- 115
- 116
- 117
- 118
- 119
- 120
- 121
- 122
- 123
- 124
- 125
- 126
- 127
- 128
- 129
- 130
- 131
- 132
- 133
- 134
- 135
- 136
- 137
- 138
- 139
- 140
- 141
- 142
- 143
- 144
- 145
- 146
- 147
- 148
- 149
- 150
- 151
- 152
- 153
- 154
- 155
- 156
- 157
- 158
- 159
- 160
- 161
- 162
- 163
- 164
- 165
- 166
- 167
- 168
- 169
- 170
- 171
- 172
- 173
- 174
- 175
- 176
- 177
- 178
- 179
- 180
- 181
- 182
- 183
- 184
- 185
- 186
- 187
- 188
- 189
- 190
- 191
- 192
- 193
- 194
- 195
- 196
- 197
- 198
- 199
- 200
- 201
- 202
- 203
- 204
- 205
- 206
- 207
- 208
- 209
- 210
- 211
- 212
- 213
- 214
- 215
- 216
- 217
- 218
- 219
- 220
- 221
- 222
- 223
- 224
- 225
- 226
- 227
- 228
- 229
- 230
- 231
- 232
- 233
- 234
- 235
- 236
- 237
- 238
- 239
- 240
- 241
- 242
- 243
- 244
- 245
- 246
- 247
- 248
- 249
- 250
- 251
- 252
- 253
- 254
- 255
- 256
- 257
- 258
- 259
- 260
- 261
- 262
- 263
- 264
- 265
- 266
- 267
- 268
- 269
- 270
- 271
- 272
- 273
- 274
- 275
- 276
- 277
- 278
- 279
- 280
- 281
- 282
- 283
- 284
- 285
- 286
- 287
- 288
- 289
- 290
- 291
- 292
- 293
- 294
- 295
- 296
- 297
- 298
- 299
- 300
- 301
- 302
- 303
- 304
- 305
- 306
- 307
- 308
- 309
- 310
- 311
- 312
- 313
- 314
- 315
- 316
- 317
- 318
- 319
- 320
- 321
- 322
- 323
- 324
- 325
- 326
- 327
- 328
- 329
- 330
- 331
- 332
- 333
- 334
- 335
- 336
- 337
- 338
- 339
- 340
- 341
- 342
- 343
- 344
- 345
- 346
- 347
- 348
- 349
- 350
- 351
- 352
- 353
- 354
- 355
- 356