Iptables Tutorial 1.2.2
Добавить в закладки К обложке
- Dedications - Страница 2
- About the author - Страница 3
- How to read - Страница 4
- Prerequisites - Страница 5
- Conventions used in this document - Страница 6
- Chapter 1. Introduction - Страница 7
- How it was written - Страница 8
- Terms used in this document - Страница 9
- What's next? - Страница 10
- Chapter 2. TCP/IP repetition - Страница 11
- TCP/IP Layers - Страница 12
- IP characteristics - Страница 14
- IP headers - Страница 16
- TCP characteristics - Страница 19
- TCP headers - Страница 20
- UDP characteristics - Страница 22
- UDP headers - Страница 23
- ICMP characteristics - Страница 24
- ICMP headers - Страница 25
- ICMP Echo Request/Reply - Страница 26
- ICMP Destination Unreachable - Страница 27
- Source Quench - Страница 28
- Redirect - Страница 29
- TTL equals 0 - Страница 30
- Parameter problem - Страница 31
- Timestamp request/reply - Страница 32
- Information request/reply - Страница 33
- SCTP Characteristics - Страница 34
- Initialization and association - Страница 35
- Data sending and control session - Страница 36
- Shutdown and abort - Страница 37
- SCTP Headers - Страница 38
- SCTP Generic header format - Страница 39
- SCTP Common and generic headers - Страница 40
- SCTP ABORT chunk - Страница 42
- SCTP COOKIE ACK chunk - Страница 43
- SCTP COOKIE ECHO chunk - Страница 44
- SCTP DATA chunk - Страница 45
- SCTP ERROR chunk - Страница 46
- SCTP HEARTBEAT chunk - Страница 47
- SCTP HEARTBEAT ACK chunk - Страница 48
- SCTP INIT chunk - Страница 49
- SCTP INIT ACK chunk - Страница 51
- SCTP SACK chunk - Страница 52
- SCTP SHUTDOWN chunk - Страница 53
- SCTP SHUTDOWN ACK chunk - Страница 54
- SCTP SHUTDOWN COMPLETE chunk - Страница 55
- TCP/IP destination driven routing - Страница 56
- What's next? - Страница 57
- Chapter 3. IP filtering introduction - Страница 58
- What is an IP filter - Страница 59
- IP filtering terms and expressions - Страница 61
- How to plan an IP filter - Страница 63
- What's next? - Страница 65
- Chapter 4. Network Address Translation Introduction - Страница 66
- What NAT is used for and basic terms and expressions - Страница 67
- Caveats using NAT - Страница 68
- Example NAT machine in theory - Страница 69
- What is needed to build a NAT machine - Страница 70
- Placement of NAT machines - Страница 71
- How to place proxies - Страница 72
- The final stage of our NAT machine - Страница 73
- What's next? - Страница 74
- Chapter 5. Preparations - Страница 75
- Where to get iptables - Страница 76
- Kernel setup - Страница 77
- User-land setup - Страница 80
- Compiling the user-land applications - Страница 81
- Installation on Red Hat 7.1 - Страница 82
- What's next? - Страница 84
- Chapter 6. Traversing of tables and chains - Страница 85
- General - Страница 86
- Mangle table - Страница 89
- Nat table - Страница 90
- Raw table - Страница 91
- Filter table - Страница 92
- User specified chains - Страница 93
- What's next? - Страница 94
- Chapter 7. The state machine - Страница 95
- Introduction - Страница 96
- The conntrack entries - Страница 97
- User-land states - Страница 99
- TCP connections - Страница 100
- UDP connections - Страница 102
- ICMP connections - Страница 103
- Default connections - Страница 105
- Untracked connections and the raw table - Страница 106
- Complex protocols and connection tracking - Страница 107
- What's next? - Страница 109
- Chapter 8. Saving and restoring large rule-sets - Страница 110
- Speed considerations - Страница 111
- Drawbacks with restore - Страница 112
- iptables-save - Страница 113
- iptables-restore - Страница 115
- What's next? - Страница 116
- Chapter 9. How a rule is built - Страница 117
- Basics of the iptables command - Страница 118
- Tables - Страница 119
- Commands - Страница 120
- What's next? - Страница 122
- Chapter 10. Iptables matches - Страница 123
- Generic matches - Страница 124
- Implicit matches - Страница 125
- TCP matches - Страница 126
- UDP matches - Страница 127
- ICMP matches - Страница 128
- SCTP matches - Страница 129
- Explicit matches - Страница 131
- Addrtype match - Страница 132
- AH/ESP match - Страница 133
- Comment match - Страница 134
- Connmark match - Страница 135
- Conntrack match - Страница 136
- Dscp match - Страница 137
- Ecn match - Страница 138
- Hashlimit match - Страница 139
- Helper match - Страница 140
- IP range match - Страница 141
- Length match - Страница 142
- Limit match - Страница 143
- Mac match - Страница 144
- Mark match - Страница 145
- Multiport match - Страница 146
- Owner match - Страница 147
- Packet type match - Страница 148
- Realm match - Страница 149
- Recent match - Страница 150
- State match - Страница 152
- Tcpmss match - Страница 153
- Tos match - Страница 154
- Ttl match - Страница 155
- Unclean match - Страница 156
- What's next? - Страница 157
- Chapter 11. Iptables targets and jumps - Страница 158
- ACCEPT target - Страница 159
- CLASSIFY target - Страница 160
- CLUSTERIP target - Страница 161
- CONNMARK target - Страница 163
- CONNSECMARK target - Страница 164
- DNAT target - Страница 165
- DROP target - Страница 168
- DSCP target - Страница 169
- ECN target - Страница 170
- LOG target options - Страница 171
- MARK target - Страница 172
- MASQUERADE target - Страница 173
- MIRROR target - Страница 174
- NETMAP target - Страница 175
- NFQUEUE target - Страница 176
- NOTRACK target - Страница 177
- QUEUE target - Страница 178
- REDIRECT target - Страница 179
- REJECT target - Страница 180
- RETURN target - Страница 181
- SAME target - Страница 182
- SECMARK target - Страница 183
- SNAT target - Страница 184
- TCPMSS target - Страница 185
- TOS target - Страница 186
- TTL target - Страница 187
- ULOG target - Страница 188
- What's next? - Страница 189
- Chapter 12. Debugging your scripts - Страница 190
- Debugging, a necessity - Страница 191
- Bash debugging tips - Страница 192
- System tools used for debugging - Страница 194
- Iptables debugging - Страница 195
- Other debugging tools - Страница 196
- Nmap - Страница 197
- Nessus - Страница 198
- What's next? - Страница 199
- Chapter 13. rc.firewall file - Страница 200
- example rc.firewall - Страница 201
- explanation of rc.firewall - Страница 202
- Initial loading of extra modules - Страница 203
- proc set up - Страница 205
- Displacement of rules to different chains - Страница 206
- Setting up default policies - Страница 208
- Setting up user specified chains in the filter table - Страница 209
- INPUT chain - Страница 212
- FORWARD chain - Страница 214
- OUTPUT chain - Страница 215
- PREROUTING chain of the nat table - Страница 216
- Starting SNAT and the POSTROUTING chain - Страница 217
- What's next? - Страница 218
- Chapter 14. Example scripts - Страница 219
- rc.firewall.txt script structure - Страница 220
- The structure - Страница 221
- rc.firewall.txt - Страница 224
- rc.DMZ.firewall.txt - Страница 225
- rc.DHCP.firewall.txt - Страница 226
- rc.UTIN.firewall.txt - Страница 228
- rc.test-iptables.txt - Страница 229
- rc.flush-iptables.txt - Страница 230
- Limit-match.txt - Страница 231
- Pid-owner.txt - Страница 232
- Recent-match.txt - Страница 233
- Sid-owner.txt - Страница 234
- Ttl-inc.txt - Страница 235
- Iptables-save ruleset - Страница 236
- What's next? - Страница 237
- Chapter 15. Graphical User Interfaces for Iptables/netfilter - Страница 238
- fwbuilder - Страница 239
- Turtle Firewall Project - Страница 240
- Integrated Secure Communications System - Страница 241
- IPMenu - Страница 242
- Easy Firewall Generator - Страница 243
- What's next? - Страница 244
- Chapter 16. Commercial products based on Linux, iptables and netfilter - Страница 245
- Ingate Firewall 1200 - Страница 246
- What's next? - Страница 247
- Appendix A. Detailed explanations of special commands - Страница 248
- Listing your active rule-set - Страница 249
- Updating and flushing your tables - Страница 250
- Appendix B. Common problems and questions - Страница 251
- Problems loading modules - Страница 252
- State NEW packets but no SYN bit set - Страница 253
- SYN/ACK and NEW packets - Страница 254
- Internet Service Providers who use assigned IP addresses - Страница 255
- Letting DHCP requests through iptables - Страница 256
- mIRC DCC problems - Страница 257
- Appendix C. ICMP types - Страница 258
- Appendix D. TCP options - Страница 259
- Appendix E. Other resources and links - Страница 260
- Appendix F. Acknowledgments - Страница 264
- Appendix G. History - Страница 265
- Appendix H. GNU Free Documentation License - Страница 267
- 0. PREAMBLE - Страница 268
- 1. APPLICABILITY AND DEFINITIONS - Страница 269
- 2. VERBATIM COPYING - Страница 270
- 3. COPYING IN QUANTITY - Страница 271
- 4. MODIFICATIONS - Страница 272
- 5. COMBINING DOCUMENTS - Страница 274
- 6. COLLECTIONS OF DOCUMENTS - Страница 275
- 7. AGGREGATION WITH INDEPENDENT WORKS - Страница 276
- 8. TRANSLATION - Страница 277
- 9. TERMINATION - Страница 278
- 10. FUTURE REVISIONS OF THIS LICENSE - Страница 279
- How to use this License for your documents - Страница 280
- Appendix I. GNU General Public License - Страница 281
- 0. Preamble - Страница 282
- 1. TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION - Страница 283
- 2. How to Apply These Terms to Your New Programs - Страница 286
- Appendix J. Example scripts code-base - Страница 287
- Example rc.firewall script - Страница 288
- Example rc.DMZ.firewall script - Страница 291
- Example rc.UTIN.firewall script - Страница 294
- Example rc.DHCP.firewall script - Страница 297
- Example rc.flush-iptables script - Страница 300
- Example rc.test-iptables script - Страница 301
- Index - Страница 302
- A - Страница 306
- B - Страница 307
- C - Страница 308
- D - Страница 312
- E - Страница 315
- F - Страница 318
- G - Страница 319
- H - Страница 320
- I - Страница 321
- J - Страница 325
- K - Страница 326
- L - Страница 327
- M - Страница 328
- N - Страница 331
- O - Страница 332
- P - Страница 333
- Q - Страница 335
- R - Страница 336
- S - Страница 339
- T - Страница 347
- U - Страница 352
- V - Страница 354
- W - Страница 355
- X - Страница 356
INPUT chain
The INPUT chain, as I have written it, uses mostly other chains to do the hard work. This way we do not get too much load from iptables, and it will work much better on slow machines which might otherwise drop packets at high loads. This is done by checking for specific details that should be the same for a lot of different packets, and then sending those packets into specific user specified chains. By doing this, we can split down our rule-set to contain much less rules that need to be traversed by each packet and hence the firewall will be put through a lot less overhead by packet filtering.
First of all we do certain checks for bad packets. This is done by sending all TCP packets to the bad_tcp_packets chain. This chain contains a few rules that will check for badly formed packets or other anomalies that we do not want to accept. For a full explanation of the bad_tcp_packets chain, take a look in the The bad_tcp_packets chain section in this chapter.
At this point we start looking for traffic from generally trusted networks. These include the local network adapter and all traffic coming from there, all traffic to and from our loopback interface, including all our currently assigned IP addresses (this means all of them, including our Internet IP address). As it is, we have chosen to put the rule that allows LAN activity to the firewall at the top, since our local network generates more traffic than the Internet connection. This allows for less overhead used to try and match each packet with each rule and it is always a good idea to look through what kind of traffic mostly traverses the firewall. By doing this, we can shuffle around the rules to be more efficient, leading to less overhead on the firewall and less congestion on your network.
Before we start touching the "real" rules which decide what we allow from the Internet interface and not, we have a related rule set up to reduce our overhead. This is a state rule which allows all packets part of an already ESTABLISHED or RELATED stream to the Internet IP address. This rule has an equivalent rule in the allowed chain, which are made rather redundant by this rule, which will be evaluated before the allowed ones are. However, the --state ESTABLISHED,RELATED rule in the allowed chain has been retained for several reasons, such as people wanting to cut and paste the function.
After this, we match all TCP packets in the INPUT chain that comes in on the $INET_IFACE interface, and send those to the tcp_packets, which was previously described. Now we do the same match for UDP packets on the $INET_IFACE and send those to the udp_packets chain, and after this all ICMP packets are sent to the icmp_packets chain. Normally, a firewall would be hardest hit by TCP packets, than UDP and last of them all ICMP packets. This is in normal case, mind you, and it may be wrong for you. The absolute same thing should be looked upon here, as with the network specific rules. Which causes the most traffic? Should the rules be thrown around to generate less overhead? On networks sending huge amounts of data, this is an absolute necessity since a Pentium III equivalent machine may be brought to its knees by a simple rule-set containing 100 rules and a single 100mbit Ethernet card running at full capacity if the rule-set is badly written. This is an important piece to look at when writing a rule-set for your own local network.
At this point we have one extra rule, that is per default opted out, that can be used to get rid of some excessive logging in case we have some Microsoft network on the outside of our Linux firewall. Microsoft clients have a bad habit of sending out tons of multicast packets to the 224.0.0.0/8 range, and hence we have the opportunity to block those packets here so we don't fill our logs with them. There are also two more rules doing something similar to tasks in the udp_packets chain described in the The UDP chain.
Before we hit the default policy of the INPUT chain, we log it so we may be able to find out about possible problems and/or bugs. Either it might be a packet that we just do not want to allow or it might be someone who is doing something bad to us, or finally it might be a problem in our firewall not allowing traffic that should be allowed. In either case we want to know about it so it can be dealt with. Though, we do not log more than 3 packets per minute as we do not want to flood our logs with crap which in turn may fill up our whole logging partition, also we set a prefix to all log entries so we know where it came from.
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
- 57
- 58
- 59
- 60
- 61
- 62
- 63
- 64
- 65
- 66
- 67
- 68
- 69
- 70
- 71
- 72
- 73
- 74
- 75
- 76
- 77
- 78
- 79
- 80
- 81
- 82
- 83
- 84
- 85
- 86
- 87
- 88
- 89
- 90
- 91
- 92
- 93
- 94
- 95
- 96
- 97
- 98
- 99
- 100
- 101
- 102
- 103
- 104
- 105
- 106
- 107
- 108
- 109
- 110
- 111
- 112
- 113
- 114
- 115
- 116
- 117
- 118
- 119
- 120
- 121
- 122
- 123
- 124
- 125
- 126
- 127
- 128
- 129
- 130
- 131
- 132
- 133
- 134
- 135
- 136
- 137
- 138
- 139
- 140
- 141
- 142
- 143
- 144
- 145
- 146
- 147
- 148
- 149
- 150
- 151
- 152
- 153
- 154
- 155
- 156
- 157
- 158
- 159
- 160
- 161
- 162
- 163
- 164
- 165
- 166
- 167
- 168
- 169
- 170
- 171
- 172
- 173
- 174
- 175
- 176
- 177
- 178
- 179
- 180
- 181
- 182
- 183
- 184
- 185
- 186
- 187
- 188
- 189
- 190
- 191
- 192
- 193
- 194
- 195
- 196
- 197
- 198
- 199
- 200
- 201
- 202
- 203
- 204
- 205
- 206
- 207
- 208
- 209
- 210
- 211
- 212
- 213
- 214
- 215
- 216
- 217
- 218
- 219
- 220
- 221
- 222
- 223
- 224
- 225
- 226
- 227
- 228
- 229
- 230
- 231
- 232
- 233
- 234
- 235
- 236
- 237
- 238
- 239
- 240
- 241
- 242
- 243
- 244
- 245
- 246
- 247
- 248
- 249
- 250
- 251
- 252
- 253
- 254
- 255
- 256
- 257
- 258
- 259
- 260
- 261
- 262
- 263
- 264
- 265
- 266
- 267
- 268
- 269
- 270
- 271
- 272
- 273
- 274
- 275
- 276
- 277
- 278
- 279
- 280
- 281
- 282
- 283
- 284
- 285
- 286
- 287
- 288
- 289
- 290
- 291
- 292
- 293
- 294
- 295
- 296
- 297
- 298
- 299
- 300
- 301
- 302
- 303
- 304
- 305
- 306
- 307
- 308
- 309
- 310
- 311
- 312
- 313
- 314
- 315
- 316
- 317
- 318
- 319
- 320
- 321
- 322
- 323
- 324
- 325
- 326
- 327
- 328
- 329
- 330
- 331
- 332
- 333
- 334
- 335
- 336
- 337
- 338
- 339
- 340
- 341
- 342
- 343
- 344
- 345
- 346
- 347
- 348
- 349
- 350
- 351
- 352
- 353
- 354
- 355
- 356