<TABLE cellSpacing=0 cellPadding=0 width=854 border=0>
<TBODY>
<TR><!-- col1 -->
<TD width=1 bgColor=#cccccc><IMG height=1 alt=""
src="SecurityFocus HOME Infocus A Comparison of iptables Automation Tools.files/1x1_spacer.gif"
width=1></TD>
<TD vAlign=top width=661><!-- T2 -->
<TABLE cellSpacing=0 cellPadding=0 width="100%" border=0>
<TBODY>
<TR>
<TD><IMG height=1 alt=""
src="SecurityFocus HOME Infocus A Comparison of iptables Automation Tools.files/1x1_spacer.gif"
width=8></TD>
<TD vAlign=top><BR><!-- Article begins -->
<TABLE cellSpacing=0 cellPadding=0 width="100%" border=0>
<TBODY>
<TR>
<TD colSpan=2><IMG height=1 alt=""
src="SecurityFocus HOME Infocus A Comparison of iptables Automation Tools.files/1x1_spacer.gif"
width=5></TD></TR>
<TR>
<TD bgColor=#314a6b> <SPAN class=bodytext><B><FONT
color=#ffffff> INFOCUS</FONT></B></SPAN></TD>
<TD align=right
bgColor=#314a6b> </TD></TR></TBODY></TABLE>
<P>
<TABLE cellSpacing=0 cellPadding=0 width="100%" border=0>
<TBODY>
<TR>
<TD>
<TABLE cellSpacing=0 width="100%" border=0>
<TBODY>
<TR>
<TD><SPAN class=btitle>A Comparison of iptables
Automation Tools <BR></SPAN><SPAN class=author>by
<A href="mailto:anton@chuvakin.org">Anton
Chuvakin</A> <BR></SPAN><SPAN class=stext>last
updated April 23, 2001 <BR></SPAN>
<HR>
</TD></TR>
<TR>
<TD>
<P class=title><B>Introduction </B></P>
<P class=text>Over the past several years, the use
of Linux as a firewall platform has grown
significantly. Linux firewalling code has come a
long way since ipfwadm was introduced in kernel 1.2.
Recent changes in Linux firewalling code include the
netfilter architecture (controlled from the command
line by the iptables utility), which was introduced
in stable kernel 2.4. The newest version of the
Linux kernel, 2.4 (first released in January 2001),
presents many new security enhancements, such as <A
href="http://www.linuxsecurity.com/feature_stories/kernel-24-security-printer.html"
target=nonlocal>enhanced capabilities</A>, better
support for encryption (for VPNs and encrypted file
systems) and the netfilter architecture, which is a
re-implementation of Linux's firewalling code and
which remains fully backward-compatible thanks to
the ipchains and ipfwadm loadable kernel
modules. </P>
<P class=text>This article offers a brief overview
of the means of configuring iptables and a short
review of some tools that have been developed to
automate that configuration. The discussion looks
at the IP firewalling code in the Linux kernel and
its configuration via various interfaces, such as
GUIs or scripts (written in a shell scripting
language, Perl or a special configuration
language). Such interfaces are, in my opinion,
intended to simplify iptables configuration, make
it more intuitive and reduce the chances of system
administrator error. For general information on
iptables, see Rusty Russell's <A
href="http://www.telematik.informatik.uni-karlsruhe.de/lehre/seminare/LinuxSem/downloads/netfilter/iptables-HOWTO.html"
target=nonlocal>Linux iptables HOWTO</A>. </P>
<P class=title><B>Difficulties of Configuring
iptables Via the Command Line Interface </B></P>
<P class=text>Configuring iptables through its own
command line interface (i.e. the iptables command
with the corresponding options) presents a serious
challenge, as one has to specify the behavior of
all the IP packets that make up a connection, both
inbound and outbound. It also requires an intimate
knowledge of TCP/IP and application protocols. One
should also be aware that, like its predecessor
ipchains, iptables combines IP filtering rules into
chains that an IP packet travels through until it
matches a rule that is relevant to it (which might
send it to another chain for further processing)
or until it is processed by the default policy
(say, ACCEPT, DROP, REJECT etc.). While some
network applications are much easier to allow
through a firewall than others (for example, POP3
is much easier than FTP), doing so still requires
an understanding of how network connections are
established and torn down.
</P>
<P class=text>As an example, let's take one of the
simplest protocols: POP3. Allowing incoming
traffic on port 110 (POP3) does not solve all of
an admin's problems: it only takes care of the
packets flowing from the client machine to your
server, not the replies flowing the other way.
Furthermore, there are also the issues of
configuring network address translation (NAT) and
various kinds of packet forwarding. And since the
firewall configuration affects the security of the
entire enterprise, all possible steps to eliminate
errors must be taken. The next section briefly
covers how to configure iptables. For a more
detailed explanation, refer to the iptables man
page ("man iptables" on your Linux system) or
Rusty Russell's <A
href="http://www.telematik.informatik.uni-karlsruhe.de/lehre/seminare/LinuxSem/downloads/netfilter/iptables-HOWTO.html"
target=nonlocal>Linux iptables HOWTO</A>. </P>
<P class=title><B>iptables Command Options
</B></P>
<P class=text>Before entering a discussion of the
configuration of iptables, it may be helpful to
give a *really* short summary of the iptables
command options. </P>
<P class=text>Chain manipulation (three default
chains, INPUT, FORWARD, OUTPUT, are always
present): </P>
<OL>
<LI><SPAN class=text>Create a new chain (-N).
</SPAN>
<LI><SPAN class=text>Delete an empty chain (-X).
</SPAN>
<LI><SPAN class=text>Change the policy of a
built-in chain (-P). </SPAN>
<LI><SPAN class=text>List the rules in a chain
(-L). </SPAN>
<LI><SPAN class=text>Flush the rules out of a
chain (-F). </SPAN></LI></OL>
<P class=text>Rule manipulation: </P>
<OL>
<LI><SPAN class=text>Append a new rule to a
chain (-A). </SPAN>
<LI><SPAN class=text>Delete a rule at some
position in a chain (-D). </SPAN></LI></OL>
<P class=text>These options allow the user to
define the behavior of each incoming or outgoing
packet, whether for a simple two-NIC firewall
machine or for host-based protection. </P>
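<P class=text>The POP3 case above and the chain and rule options just listed, worked through as an added example that is not from the original article: a small POSIX shell script (interface eth0, server address 192.0.2.10 and the chain name POP3 are constructed assumptions) that contrasts the inbound-only ruleset with one that also lets the server's replies out, and tears the custom chain down in the order iptables requires. </P>

```shell
#!/bin/sh
# Added example, not code from the article: a host-based ruleset for a
# POP3 server that accepts client connections on port 110 AND lets the
# replies back out, using the chain/rule options listed above.
# eth0 and 192.0.2.10 are constructed assumptions. Commands are only
# printed unless DRY_RUN=0, in which case they are executed (as root).

IPT="${IPT:-iptables}"
IFACE="${IFACE:-eth0}"
SERVER="${SERVER:-192.0.2.10}"

run() {
    if [ "${DRY_RUN:-1}" = "0" ]; then "$IPT" "$@"; else echo "$IPT $*"; fi
}

# Inbound-only configuration, the mistake the text warns about: client
# packets reach port 110, but with OUTPUT policy DROP the server's replies
# never leave the machine, so no POP3 session ever completes.
naive_ruleset() {
    run -P INPUT DROP
    run -P OUTPUT DROP
    run -A INPUT -i "$IFACE" -p tcp -d "$SERVER" --dport 110 -j ACCEPT
}

# Complete configuration: a dedicated chain (-N) holds the service rules,
# INPUT jumps to it (-A), and connection tracking limits OUTPUT to replies
# belonging to a session a client opened.
pop3_ruleset() {
    run -P INPUT DROP
    run -P OUTPUT DROP
    run -N POP3
    run -A INPUT -i "$IFACE" -p tcp -d "$SERVER" --dport 110 -j POP3
    run -A POP3 -m state --state NEW,ESTABLISHED -j ACCEPT
    run -A OUTPUT -o "$IFACE" -p tcp -s "$SERVER" --sport 110 \
        -m state --state ESTABLISHED -j ACCEPT
}

# Undo pop3_ruleset in the only order iptables accepts: unhook the chain
# (-D), empty it (-F), then delete it (-X); -X refuses a chain that is
# non-empty or still referenced.
pop3_teardown() {
    run -D INPUT -i "$IFACE" -p tcp -d "$SERVER" --dport 110 -j POP3
    run -F POP3
    run -X POP3
}

# True when a generated ruleset accepts anything on the OUTPUT chain.
allows_replies() {
    "$1" | grep -q -- "-A OUTPUT .*-j ACCEPT"
}
```

Run it as-is to see the generated commands; `allows_replies naive_ruleset` fails, which is exactly the gap described in the POP3 paragraph.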
<P class=title><B>Benefits of iptables </B></P>
<P class=text>Prior to discussing the various
tools that have been developed to facilitate the
configuration of iptables, I will summarize the
important user-level benefits of iptables and,
indeed, of the whole netfilter architecture as
opposed to the previous version of Linux
firewalling, ipchains. </P>