<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<!-- saved from url=(0056)http://www.sns.ias.edu/~jns/security/iptables/index.html -->
<HTML><HEAD><TITLE>IPtables</TITLE>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2800.1400" name=GENERATOR>
<META content="security, telnet, hijacking, netcat, hunt" name=KeyWords>
<META content="iptables, ipchains" name=Keywords></HEAD>
<BODY>
<CENTER><IMG height=10 src="IPtables.files/blue_marble.gif" width=556 
align=center> 
<P><B><U><FONT size=+3>Iptables</FONT></U></B></CENTER>
<P><B><U><FONT size=+1>Foreword</FONT></U></B> 
<P>Welcome to my pages on iptables. Let me say that I never thought when I put 
this stuff out there it would be so popular. Almost every day I receive email 
from people who found this information useful. Thank you. I haven't responded to 
all of you. Sorry. 
<P>I am very very glad to have been able to put something back into a community 
of people excited about Linux. 
<P>You are welcome to email me with questions but I can't promise an answer. If 
it's 10pm and I happen to have a moment I might feel inclined. If you send me 
100+ lines of ruleset to debug for you (and this has happened countless times) 
then please don't expect an answer. I have my own network to run which requires 
constant thought and attention. <BR>&nbsp; 
<P><B><U><FONT size=+1>What is it?</FONT></U></B> 
<P>Iptables is the replacement for the userspace tool ipchains in the Linux 2.4 
kernel and beyond. It is part of the kernelspace <A 
href="http://www.netfilter.org/">netfilter</A> project. Iptables has many more 
features than ipchains and is also structured more sensibly. The main points of 
note are as follows: 
<UL>
  <LI>Connection tracking capability, i.e. the ability to do stateful packet 
  inspection. This works for icmp and udp as well as tcp connections. For 
  instance, stateful icmp filtering allows you to only allow an icmp echo-reply 
  in if an echo-request went out. This is something you couldn't do with 
  ipchains; most people would block echo-requests but blindly accept 
  echo-replies with the assumption that they would always be in response to 
  their own pings. Not true. Unsolicited echo-replies can be a sign of a <FONT 
  color=#000066><A 
  href="http://www.cert.org/advisories/CA-1998-01.html">Smurf</A></FONT> 
  amplification attack, a <A 
  href="http://www.cert.org/incident_notes/IN-99-07.html">Tribe Flood 
  Network</A> communication between master and daemon, or a <A 
  href="http://www.phrack.org/phrack/51/P51-06">Loki 2</A> back-door. <BR>&nbsp; 

  <LI>Simplified behaviour of packets negotiating the built-in chains (INPUT, 
  OUTPUT and FORWARD). On multi-homed hosts, packets travelling between 
  interfaces negotiate only the FORWARD chain rather than all three built-in 
  chains as they did before (providing packet forwarding is enabled of course). 
  <BR>&nbsp; 
  <LI>A clean separation of packet filtering and network address translation 
  (NAT). This is very nice; in ipchains masquerading was done as part of the 
  packet-filtering, but in iptables masquerading is treated as a particular type 
  of source NAT (SNAT) as it should be. Redirection, in turn, is treated as a 
  particular type of destination NAT (DNAT). SNAT is done after routing and DNAT 
  is done before routing, which makes it easy to define your rulebase and add 
  NAT as an afterthought. <BR>&nbsp; 
  <LI>Rate-limited connection and logging capability. Now you can limit both 
  connection attempts, as in <A 
  href="http://www.niksula.cs.hut.fi/~dforsber/synflood/result.html">SYN-flooding</A> 
  Denial of Service (DOS) attacks, and also prevent your logs being flooded, as 
  happened in the <A 
  href="http://www.checkpoint.com/techsupport/alerts/ipfrag_dos.html">Jolt2</A> 
  fragment-driven DOS attack against Checkpoint's Firewall-1. Another very nice 
  feature. <BR>&nbsp; 
  <LI>The ability to filter on tcp flags and tcp options, and also MAC 
  addresses. </LI></UL>There are other things you can do with kernel patches via 
the <A 
href="http://www.netfilter.org/documentation/pomlist/pom-summary.html">patch-o-matic</A> 
tool. 
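<P>The following deny-based ruleset for a single-interface host is an added example, not the author's script or anything from the netfilter project; it puts the features listed above (stateful inspection, rate-limited SYN acceptance and logging, tcp-flag matching) into concrete rules. It assumes the interface is called <CODE>eth0</CODE> and that the state, limit, multiport and LOG modules are available. By default it only prints the commands (dry run); set <CODE>APPLY=1</CODE> to execute them as root.</P>

```shell
#!/bin/sh
# Added example of a deny-based, stateful iptables ruleset for one interface.
# Assumptions: interface eth0, and the state/limit/multiport/LOG modules built.
IFACE="${IFACE:-eth0}"
if [ "${APPLY:-0}" = "1" ]; then IPT="iptables"; else IPT="echo iptables"; fi

build_rules() {
    # Clean slate and a deny-based policy on every built-in chain.
    $IPT -F
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP

    # Loopback is trusted.
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # Stateful inspection: packets belonging to a connection the kernel already
    # tracks are let in. This covers tcp, udp and icmp replies alike.
    $IPT -A INPUT  -i "$IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -o "$IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Outgoing pings create a conntrack entry, so a legitimate echo-reply
    # matches the ESTABLISHED rule above. An echo-reply that reaches the rule
    # below is unsolicited: log it (rate-limited) and let the policy drop it.
    $IPT -A OUTPUT -o "$IFACE" -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
    $IPT -A INPUT  -i "$IFACE" -p icmp --icmp-type echo-reply \
         -m limit --limit 5/minute -j LOG --log-prefix "unsolicited echo-reply: "

    # Rate-limit new inbound SYNs to ssh; SYNs above the limit fall through
    # to the DROP policy instead of filling the listen backlog.
    $IPT -A INPUT -i "$IFACE" -p tcp --dport 22 --syn \
         -m limit --limit 10/second --limit-burst 20 -j ACCEPT

    # Outbound client services this host may initiate (web and dns).
    $IPT -A OUTPUT -o "$IFACE" -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -o "$IFACE" -p udp --dport 53 -m state --state NEW -j ACCEPT

    # Filter on tcp flags: a segment with no flags set is a scan probe, not traffic.
    $IPT -A INPUT -i "$IFACE" -p tcp --tcp-flags ALL NONE -j DROP

    # Log whatever is left, limited so a flood cannot fill the logs.
    $IPT -A INPUT -i "$IFACE" -m limit --limit 3/minute -j LOG --log-prefix "dropped: "
}

build_rules
```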
<P>Feel free to take a look at the slides from a <A 
href="http://www.sns.ias.edu/~jns/security/iptables/iptables_talk/t1.htm">seminar</A> 
I gave on iptables. 
<P><B><U><FONT size=+1>Before you get started</FONT></U></B> 
<P>To use the iptables userspace packet filtering tool at all you need the 
kernel level component, netfilter. 
<P>The home page for the netfilter project is <A 
href="http://www.netfilter.org/">http://www.netfilter.org/</A>. There are useful 
HOWTOs off the main page regarding Packet Filtering and NAT in the 2.4 kernel 
that are a good read. 
<P>Have a read of Dave Wreski's nice overview article on <A 
href="http://www.linuxsecurity.com/feature_stories/kernel-netfilter.html">netfilter</A> 
for linuxsecurity.com. 
<P>Here is a copy of the networking and netfilter <A 
href="http://www.sns.ias.edu/~jns/security/iptables/kernel_netfilter.txt">configuration</A> 
of a sample kernel. Almost everything is compiled as modules. All the necessary 
configuration is in place to do connection tracking, NAT etc. 
<P><B><U><FONT size=+1>Connection tracking</FONT></U></B> 
<P>Learn more about connection tracking <A 
href="http://www.sns.ias.edu/~jns/security/iptables/iptables_conntrack.html">here</A>, 
or more specifically with respect to 
<UL>
  <LI><A 
  href="http://www.sns.ias.edu/~jns/security/iptables/iptables_conntrack.html#UDP">UDP</A> 

  <LI><A 
  href="http://www.sns.ias.edu/~jns/security/iptables/iptables_conntrack.html#TCP">TCP</A> 

  <LI><A 
  href="http://www.sns.ias.edu/~jns/security/iptables/iptables_conntrack.html#ICMP">ICMP</A> 

  <LI><A 
  href="http://www.sns.ias.edu/~jns/security/iptables/iptables_conntrack.html#FTP">FTP</A> 
  </LI></UL><B><U><FONT size=+1>Example script</FONT></U></B> 
<P>I thought it would be nice to put my iptables configuration script out there 
for all to peruse. My configuration is pretty simple: just a laptop 
with one interface, so there may be lots of people that can just take this and 
use it with only small modification. The configuration is deny-based, so all 
packets are denied unless specifically allowed, and utilizes the new stateful 
inspection feature of iptables for all connections. The configuration is 
relatively long, both because I think I have been very thorough, and also 
because my preference is to consider individual services in turn and be as 
restrictive for each one as I can be. To my mind the overall effect is simpler 
and easier to understand. The script is pretty well commented for ease of 
viewing/understanding. 
<P>The original script, well documented for beginners is available <A 
href="http://www.sns.ias.edu/~jns/security/iptables/rules.html">here</A> (the 
iptables <A 
href="http://www.sns.ias.edu/~jns/security/iptables/iptables_manpage.txt">manpage</A> 
will help you decode it). <A name=STARTUP></A>Here is a sample <A 
href="http://www.sns.ias.edu/~jns/security/iptables/startup_script.html">startup 
script</A> (to be placed somewhere like <CODE>/etc/rc.d/init.d/iptables</CODE>). 
<BR>
<P>An improved, semi-automated script can now be found at this <FONT size=+1><A 
href="https://hermes.sns.ias.edu/horde/chora/cvs.php?login=2&amp;rt=Iptables">primary 
cvs repository</A></FONT> and this <FONT size=+1><A 
href="http://www.math.ias.edu/horde/chora/cvs.php?rt=iptables">secondary 
repository</A></FONT> (the latter is rsynced from the former once per day). It 
is based on the scripts below, combining both the startup script and 
configuration script into a single entity, but more than that it stops ipchains 
if it is running, auto-detects your ip address and allows nfs if there are nfs 
mounts in fstab (yes, nfs can be firewalled pretty well if you do things 
carefully). Because it uses variables that define the services you wish to 
allow, it is easier to configure. Beware, though: you might have to fine-tune 
aspects of the auto-detection for your system. 
<P>If you find any mistakes or any stale links, please let <A 
href="mailto:jns@ias.edu">me</A> know. <BR><A name=CONFIG></A><BR>
<CENTER>
<P><IMG height=10 src="IPtables.files/blue_marble.gif" width=556 
align=center></CENTER>
<P><I>Prepared by James C. Stephens</I> <BR><I>(jns@ias.edu)</I> <BR><I>Last 
updated: Fri Sep 5th 2003</I> </P></BODY></HTML>
