Linux 2.4 Packet Filtering HOWTO
Rusty Russell, mailing list netfilter@lists.samba.org
$Revision: 1.26 $ $Date: 2002/01/24 13:42:53 $
This document describes how to use iptables to filter out bad packets
for the 2.4 Linux kernels.
______________________________________________________________________
Table of Contents
1. Introduction
2. Where is the official Web Site? Is there a Mailing List?
3. So What's A Packet Filter?
3.1 Why Would I Want to Packet Filter?
3.2 How Do I Packet Filter Under Linux?
3.2.1 iptables
3.2.2 Making Rules Permanent
4. Who the hell are you, and why are you playing with my kernel?
5. Rusty's Really Quick Guide To Packet Filtering
6. How Packets Traverse The Filters
7. Using iptables
7.1 What You'll See When Your Computer Starts Up
7.2 Operations on a Single Rule
7.3 Filtering Specifications
7.3.1 Specifying Source and Destination IP Addresses
7.3.2 Specifying Inversion
7.3.3 Specifying Protocol
7.3.4 Specifying an Interface
7.3.5 Specifying Fragments
7.3.6 Extensions to iptables: New Matches
7.3.6.1 TCP Extensions
7.3.6.1.1 An Explanation of TCP Flags
7.3.6.2 UDP Extensions
7.3.6.3 ICMP Extensions
7.3.6.4 Other Match Extensions
7.3.6.5 The State Match
7.4 Target Specifications
7.4.1 User-defined chains
7.4.2 Extensions to iptables: New Targets
7.4.3 Special Built-In Targets
7.5 Operations on an Entire Chain
7.5.1 Creating a New Chain
7.5.2 Deleting a Chain
7.5.3 Flushing a Chain
7.5.4 Listing a Chain
7.5.5 Resetting (Zeroing) Counters
7.5.6 Setting Policy
8. Using ipchains and ipfwadm
9. Mixing NAT and Packet Filtering
10. Differences Between iptables and ipchains
11. Advice on Packet Filter Design
______________________________________________________________________
1. Introduction
Welcome, gentle reader.
It is assumed you know what an IP address, a network address, a
netmask, routing and DNS are. If not, I recommend that you read the
Network Concepts HOWTO.
This HOWTO flips between a gentle introduction (which will leave you
feeling warm and fuzzy now, but unprotected in the Real World) and raw
full-disclosure (which would leave all but the hardiest souls
confused, paranoid and seeking heavy weaponry).
Your network is not secure. The problem of allowing rapid, convenient
communication while restricting its use to good, and not evil intents
is congruent to other intractable problems such as allowing free
speech while disallowing a call of ``Fire!'' in a crowded theater. It
will not be solved in the space of this HOWTO.
So only you can decide where the compromise will be. I will try to
instruct you in the use of some of the tools available and some
vulnerabilities to be aware of, in the hope that you will use them for
good, and not evil purposes. Another equivalent problem.
(C) 2000 Paul `Rusty' Russell. Licenced under the GNU GPL.
2. Where is the official Web Site? Is there a Mailing List?
There are three official sites:
o Thanks to Filewatcher <http://netfilter.filewatcher.org/>.
o Thanks to The Samba Team and SGI <http://netfilter.samba.org/>.
o Thanks to Harald Welte <http://netfilter.gnumonks.org/>.
You can reach all of them using round-robin DNS via
<http://www.netfilter.org/> and <http://www.iptables.org/>
For the official netfilter mailing list, see netfilter List
<http://www.netfilter.org/contact.html#list>.
3. So What's A Packet Filter?
A packet filter is a piece of software which looks at the header of
packets as they pass through, and decides the fate of the entire
packet. It might decide to DROP the packet (i.e., discard the packet
as if it had never received it), ACCEPT the packet (i.e., let the
packet go through), or something more complicated.
Under Linux, packet filtering is built into the kernel (as a kernel
module, or built right in), and there are a few trickier things we can
do with packets, but the general principle of looking at the headers
and deciding the fate of the packet is still there.
3.1. Why Would I Want to Packet Filter?
Control. Security. Watchfulness.
Control:
when you are using a Linux box to connect your internal network
to another network (say, the Internet) you have an opportunity
to allow certain types of traffic, and disallow others. For
example, the header of a packet contains the destination address
of the packet, so you can prevent packets going to a certain
part of the outside network. As another example, I use Netscape
to access the Dilbert archives. There are advertisements from
doubleclick.net on the page, and Netscape wastes my time by
cheerfully downloading them. Telling the packet filter not to
allow any packets to or from the addresses owned by
doubleclick.net solves that problem (there are better ways of
doing this though: see Junkbuster).
Security:
when your Linux box is the only thing between the chaos of the
Internet and your nice, orderly network, it's nice to know you
can restrict what comes tromping in your door. For example, you
might allow anything to go out from your network, but you might
be worried about the well-known `Ping of Death' coming in from
malicious outsiders. As another example, you might not want
outsiders telnetting to your Linux box, even though all your
accounts have passwords. Maybe you want (like most people) to
be an observer on the Internet, and not a server (willing or
otherwise). Simply don't let anyone connect in, by having the
packet filter reject incoming packets used to set up
connections.
Watchfulness:
sometimes a badly configured machine on the local network will
decide to spew packets to the outside world. It's nice to tell
the packet filter to let you know if anything abnormal occurs;
maybe you can do something about it, or maybe you're just
curious by nature.
3.2. How Do I Packet Filter Under Linux?
Linux kernels have had packet filtering since the 1.1 series. The
first generation, based on ipfw from BSD, was ported by Alan Cox in
late 1994. This was enhanced by Jos Vos and others for Linux 2.0; the
userspace tool `ipfwadm' controlled the kernel filtering rules. In
mid-1998, for Linux 2.2, I reworked the kernel quite heavily, with the
help of Michael Neuling, and introduced the userspace tool `ipchains'.
Finally, the fourth-generation tool, `iptables', and another kernel
rewrite occurred in mid-1999 for Linux 2.4. It is this iptables which
this HOWTO concentrates on.
You need a kernel which has the netfilter infrastructure in it:
netfilter is a general framework inside the Linux kernel which other
things (such as the iptables module) can plug into. This means you
need kernel 2.3.15 or beyond, and answer `Y' to CONFIG_NETFILTER in
the kernel configuration.
The tool iptables talks to the kernel and tells it what packets to
filter. Unless you are a programmer, or overly curious, this is how
you will control the packet filtering.
3.2.1. iptables
The iptables tool inserts and deletes rules from the kernel's packet
filtering table. This means that whatever you set up, it will be lost
upon reboot; see ``Making Rules Permanent'' for how to make sure they
are restored the next time Linux is booted.
iptables is a replacement for ipfwadm and ipchains: see ``Using
ipchains and ipfwadm'' for how to painlessly avoid using iptables if
you're using one of those tools.
3.2.2. Making Rules Permanent
Your current firewall setup is stored in the kernel, and thus will be
lost on reboot. You can try the iptables-save and iptables-restore
scripts to save them to, and restore them from a file.
The other way is to put the commands required to set up your rules in
an initialization script. Make sure you do something intelligent if
one of the commands should fail (usually `exec /sbin/sulogin').
4. Who the hell are you, and why are you playing with my kernel?
I'm Rusty Russell; the Linux IP Firewall maintainer and just another
working coder who happened to be in the right place at the right time.
I wrote ipchains (see ``How Do I Packet Filter Under Linux?'' above
for due credit to the people who did the actual work), and learnt
enough to get packet filtering right this time. I hope.
WatchGuard <http://www.watchguard.com>, an excellent firewall company
who sell the really nice plug-in Firebox, offered to pay me to do
nothing, so I could spend all my time writing this stuff, and
maintaining my previous stuff. I predicted 6 months, and it took 12,
but I felt by the end that it had been done Right. Many rewrites, a
hard-drive crash, a laptop being stolen, a couple of corrupted
filesystems and one broken screen later, here it is.
While I'm here, I want to clear up some people's misconceptions: I am
no kernel guru. I know this, because my kernel work has brought me
into contact with some of them: David S. Miller, Alexey Kuznetsov,
Andi Kleen, Alan Cox. However, they're all busy doing the deep magic,
leaving me to wade in the shallow end where it's safe.
5. Rusty's Really Quick Guide To Packet Filtering
Most people just have a single PPP connection to the Internet, and
don't want anyone coming back into their network, or the firewall:
## Insert connection-tracking modules (not needed if built into kernel).
# insmod ip_conntrack
# insmod ip_conntrack_ftp
## Create chain which blocks new connections, except if coming from inside.
# iptables -N block
# iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A block -m state --state NEW -i ! ppp0 -j ACCEPT
# iptables -A block -j DROP
## Jump to that chain from INPUT and FORWARD chains.
# iptables -A INPUT -j block
# iptables -A FORWARD -j block
6. How Packets Traverse The Filters
The kernel starts with three lists of rules in the `filter' table;
these lists are called firewall chains or just chains. The three
chains are called INPUT, OUTPUT and FORWARD.
For ASCII-art fans, the chains are arranged like so: (Note: this is a
very different arrangement from the 2.0 and 2.2 kernels!)
                                         _____
                Incoming                /     \    Outgoing
                       -->[Routing ]--->|FORWARD|------->
                          [Decision]     \_____/        ^
                               |                        |
                               v                       ____
                              ___                     /    \
                             /   \                   |OUTPUT|
                            |INPUT|                   \____/
                             \___/                      ^
                               |                        |
                               -----> Local Process -----
The three circles represent the three chains mentioned above. When a
packet reaches a circle in the diagram, that chain is examined to
decide the fate of the packet. If the chain says to DROP the packet,
it is killed there, but if the chain says to ACCEPT the packet, it
continues traversing the diagram.
A chain is a checklist of rules. Each rule says `if the packet header
looks like this, then here's what to do with the packet'. If the rule
doesn't match the packet, then the next rule in the chain is
consulted. Finally, if there are no more rules to consult, then the
kernel looks at the chain policy to decide what to do. In a security-
conscious system, this policy usually tells the kernel to DROP the
packet.
1. When a packet comes in (say, through the Ethernet card) the kernel
first looks at the destination of the packet: this is called
`routing'.
2. If it's destined for this box, the packet passes downwards in the
diagram, to the INPUT chain. If it passes this, any processes
waiting for that packet will receive it.
3. Otherwise, if the kernel does not have forwarding enabled, or it
doesn't know how to forward the packet, the packet is dropped. If
forwarding is enabled, and the packet is destined for another
network interface (if you have another one), then the packet goes
rightwards on our diagram to the FORWARD chain. If it is ACCEPTed,
it will be sent out.
4. Finally, a program running on the box can send network packets.
These packets pass through the OUTPUT chain immediately: if it says
ACCEPT, then the packet continues out to whatever interface it is
destined for.
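As an added example (not part of the HOWTO), here is a small Python model of the traversal just described: the routing decision, the three built-in chains and their policies, the first-match walk down a chain, and a jump to a user-defined chain that falls back to the caller when nothing in it matches. quick_guide_table() loads the `block' ruleset from section 5 into the model so you can check which packets it drops; the Packet fields, the address 192.0.2.1 and the interface names are constructed for the example.

```python
from collections import namedtuple

# Constructed packet: just the header fields these rules read; in_iface "" = local process.
Packet = namedtuple("Packet", "dst in_iface state")
# target: ACCEPT, DROP or a user chain; states: '-m state --state'; in_iface: '-i' ('!' inverts).
Rule = namedtuple("Rule", "target states in_iface", defaults=(frozenset(), None))

def matches(rule, pkt):
    if rule.states and pkt.state not in rule.states:
        return False
    if rule.in_iface is None:
        return True
    same = pkt.in_iface == rule.in_iface.lstrip("! ")
    return same != rule.in_iface.startswith("!")  # '-i ! ppp0' wants any other iface
class FilterTable:
    def __init__(self, local_addrs, forwarding=True):
        self.local_addrs, self.forwarding = set(local_addrs), forwarding
        self.chains = {c: [] for c in ("INPUT", "FORWARD", "OUTPUT")}
        self.policy = {c: "ACCEPT" for c in self.chains}  # -P; ACCEPT until changed
    def new_chain(self, name): self.chains[name] = []               # -N
    def append(self, chain, rule): self.chains[chain].append(rule)  # -A
    def walk(self, chain, pkt):
        # First match decides; a built-in chain with no match uses its policy, a user chain returns None.
        for rule in (r for r in self.chains[chain] if matches(r, pkt)):
            if rule.target in ("ACCEPT", "DROP"):
                return rule.target
            verdict = self.walk(rule.target, pkt)  # '-j user_chain'
            if verdict is not None:
                return verdict
        return self.policy.get(chain)
    def filter(self, pkt):
        # The routing decision of section 6 selects the chain the packet traverses.
        if pkt.in_iface == "":
            return self.walk("OUTPUT", pkt)  # sent by a local process
        if pkt.dst in self.local_addrs:
            return self.walk("INPUT", pkt)   # destined for this box
        if not self.forwarding:
            return "DROP"                    # kernel cannot forward it: dropped
        return self.walk("FORWARD", pkt)

def quick_guide_table():
    # Section 5's 'block' ruleset loaded into the model; 192.0.2.1 is constructed.
    t = FilterTable(local_addrs={"192.0.2.1"})
    t.new_chain("block")
    t.append("block", Rule("ACCEPT", states={"ESTABLISHED", "RELATED"}))
    t.append("block", Rule("ACCEPT", states={"NEW"}, in_iface="! ppp0"))
    t.append("block", Rule("DROP"))
    t.append("INPUT", Rule("block"))
    t.append("FORWARD", Rule("block"))
    return t
```

A user-defined chain has no policy of its own in this model, which is why a packet that matches nothing in `block' would continue with the next rule of INPUT or FORWARD; the quick guide avoids that case by ending `block' with an unconditional DROP.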
7. Using iptables
iptables has a fairly detailed manual page (man iptables), which you
should consult if you need more detail on particulars. Those of you
familiar with ipchains may simply want to look at ``Differences Between
iptables and ipchains''; they are very similar.
There are several different things you can do with iptables. You
start with three built-in chains INPUT, OUTPUT and FORWARD which you
can't delete. Let's look at the operations to manage whole chains:
1. Create a new chain (-N).
2. Delete an empty chain (-X).
3. Change the policy for a built-in chain. (-P).
4. List the rules in a chain (-L).
5. Flush the rules out of a chain (-F).
6. Zero the packet and byte counters on all rules in a chain (-Z).
There are several ways to manipulate rules inside a chain:
1. Append a new rule to a chain (-A).
2. Insert a new rule at some position in a chain (-I).
3. Replace a rule at some position in a chain (-R).
4. Delete a rule at some position in a chain, or the first that
matches (-D).
7.1. What You'll See When Your Computer Starts Up
iptables may be a module, called `iptable_filter.o', which should be
automatically loaded when you first run iptables. It can also be
built into the kernel permanently.