<P class=text>
<OL>
<LI><SPAN class=text>iptables allows setup of
*stateful* firewalls. This means that the
firewall has a memory of each connection passing
through it. This mode is essential for effective
configuration of FTP (active ftp) and DNS as
well as many other network services. </SPAN>
<LI><SPAN class=text>iptables can filter packets
based on any combination of TCP flags and also
based on MAC (i.e. hardware) addresses, which
can sometimes be helpful for firewalls within
LANs. </SPAN>
<LI><SPAN class=text>System logging is much more
configurable and flexible than with ipchains.
</SPAN>
<LI><SPAN class=text>Netfilter now has more
powerful and easier-to-use support for network
address translation (NAT) and transparent
proxies. </SPAN>
<LI><SPAN class=text>iptables can help block
some DoS attacks by applying rate limiting to
user-defined packet types, which can sometimes
block SYN floods (a nice addition to SYN
cookies for host-based protection).
</SPAN></LI></OL>
<P class=text>Some more details can be found in <A
href="http://www.linuxsecurity.com/feature_stories/netfilter-print.html"
target=nonlocal>"Linux Kernel 2.4 Firewalling
Matures: netfilter"</A> by Dave Wreski. </P>
<P class=title><B>iptables Configuration Tools
</B></P>
<P class=text>Now let's consider the tools that
are supposed to help configure a Linux iptables
firewall. I will take a look at each tool: its
features, flexibility and ease of use. I will also
comment on whether it does anything useful right
out of the box (knowing that some unfortunate
users will choose to just download it, run it and
hope for the best, which, needless to say, is a
completely wrong approach to applying security
measures). The following tools will be included in
the discussion: </P>
<OL>
<LI><SPAN class=text><A
href="http://mirkk.kurd.nu/~monmotha/firewall/index.php"
target=nonlocal>MonMotha's Firewall 2.3.5</A> by
MonMotha </SPAN>
<LI><SPAN class=text><A
href="http://my.netfilter.se/"
target=nonlocal>Firewallscript (iptables 4.4c-3
devel)</A> http://my.netfilter.se/ by Patrik
Hildingsson </SPAN>
<LI><SPAN class=text><A
href="http://www.geo.vu.nl/~koka/ferm/"
target=nonlocal>Ferm-0.0.18</A> by Auke Kok
</SPAN>
<LI><SPAN class=text><A
href="http://sourceforge.net/projects/agt"
target=nonlocal>AGT-0.83</A> by Andy Gilligan
</SPAN>
<LI><SPAN class=text><A
href="http://expansa.sns.it/knetfilter"
target=nonlocal>Knetfilter-1.2.4</A> by Luigi
Genoni </SPAN>
<LI><SPAN class=text><A
href="http://muse.linuxmafia.org/gshield.html"
target=nonlocal>gShield-2.0.2</A> by R. Gregory
</SPAN></LI></OL>
<P class=title><B>MonMotha's Firewall 2.3.5
</B></P>
<P class=text>MonMotha's Firewall is a
medium-sized (about 30k) bash shell script. It
seems that its best use is for host-based
protection, as many important network-based
options are still under development. The interface
(i.e. the way to pass configuration options to
iptables) is a bit confusing, especially as it
pertains to understanding which connections will
be allowed and which ones denied. On the other
hand, there is no special configuration file and
installation is very easy (just copy the script
anywhere). Its default (out of the box, as
downloaded) does not do anything and in fact does
not run at all. The documentation is almost
nonexistent. The script might have some use for
protecting dialup users or another standalone Linux
box that needs some firewalling, if one is
willing to figure out how it works by
experimenting. </P>
<P class=title><B>Firewallscript </B></P>
<P class=text>Firewallscript (IFS 4.4d) is another
monster bash script (85k). This script seems to be
suitable for both host-based and network
protection. It autogenerates the sample
configuration files (which are far from
intuitive) when run for the first time. The default,
however, does not appear to be workable, at least
on the test system. The script allows configuring
the firewall together with NAT and
masquerading. Since the script is complex and the
documentation is lacking, precise tweaking
required a lot of reading of the code and running
of "iptables -L" to see which chains went up and
which packets were allowed or denied. For those whose
favorite pastime is IP packet tracing, the script
will provide hours of quality fun and (wow!) it
might also help you with your firewall effort. On
the upside, this program will probe and load the
required kernel modules for iptables use (unlike
several others). This and the previous script
could certainly use an "undo" mode that restores
the iptables configuration to its original state.
</P>
<P class=title><B>Ferm </B></P>
<P class=text>Ferm (which stands for "for easy
rule making") is a Perl script that parses the
configuration files written in its own C-like
language. This language is very easy to read and
understand. The script is well documented and the
examples provided (which include a number of
helpful comments) can be used and studied to make
custom rules. </P>
<P class=text>Here is an example ruleset: </P>
<PRE>
# simple workstation example for ferm
chain input {
    if ppp0    # put your outside interface here
    {
        proto tcp goto fw_tcp;
        proto udp goto fw_udp;
        proto icmp goto fw_icmp;
    }
}
chain fw_tcp proto tcp {
    dport ssh ACCEPT;
    syn DENY log;
    dport domain ACCEPT;
    dport 0:1023 DENY log;
}
chain fw_udp proto udp {
    DENY log;
}
chain fw_icmp proto icmp {
    icmptype (
        destination-unreachable time-exceeded
    ) ACCEPT;
    DENY log;
}
</PRE>
<P class=text>This configuration file will cause
ferm to write iptables rules that allow outgoing ssh
and DNS to pass, block all UDP traffic, allow
in only two types of ICMP messages
(destination-unreachable and time-exceeded), and
deny and log the rest. It looks much nicer than
the several lines of iptables it replaces, but provides
little benefit beyond that. However, even that
readability is a very important advantage for
complicated rulesets, which are not very intuitive
and which can make it difficult to follow a
packet as it travels through them. Configuration
files such as the one above can be used right
out of the box to provide some level of
protection. </P>
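<P class=text>To make the "several lines of iptables" concrete, here is a hand-written expansion of the ferm workstation example above into the iptables commands it corresponds to; this was added for this article and is neither ferm's own output nor code from the ferm project. It assumes that ferm's DENY maps to iptables' DROP, that "DENY log" becomes a LOG rule followed by a DROP rule, and it defaults to a dry run that only prints the commands. </P>

```shell
#!/bin/sh
# Hand expansion of the ferm workstation example into iptables commands.
# Assumptions (written for this article, not ferm's own output): ferm's
# DENY is iptables' DROP, and "DENY log" becomes a LOG rule followed by a
# DROP rule so the packet is recorded before it is dropped.
# IPT defaults to "echo iptables", i.e. a dry run that only prints the
# commands; run with IPT=iptables as root to actually load them.
IPT="${IPT:-echo iptables}"
OUTSIDE="${OUTSIDE:-ppp0}"   # the "if ppp0" block: the outside interface

ferm_example_rules() {
    # the goto targets are user-defined chains and must exist first
    for chain in fw_tcp fw_udp fw_icmp; do
        $IPT -N "$chain"
    done
    # chain input { if ppp0 { proto X goto fw_X; } }
    $IPT -A INPUT -i "$OUTSIDE" -p tcp -j fw_tcp
    $IPT -A INPUT -i "$OUTSIDE" -p udp -j fw_udp
    $IPT -A INPUT -i "$OUTSIDE" -p icmp -j fw_icmp
    # chain fw_tcp: rule order is preserved, so ssh is accepted before
    # the generic "syn DENY log" rule catches other new connections
    $IPT -A fw_tcp -p tcp --dport ssh -j ACCEPT
    $IPT -A fw_tcp -p tcp --syn -j LOG --log-prefix "ferm syn: "
    $IPT -A fw_tcp -p tcp --syn -j DROP
    $IPT -A fw_tcp -p tcp --dport domain -j ACCEPT
    $IPT -A fw_tcp -p tcp --dport 0:1023 -j LOG --log-prefix "ferm tcp: "
    $IPT -A fw_tcp -p tcp --dport 0:1023 -j DROP
    # chain fw_udp: everything logged and dropped
    $IPT -A fw_udp -p udp -j LOG --log-prefix "ferm udp: "
    $IPT -A fw_udp -p udp -j DROP
    # chain fw_icmp: the icmptype list expands to one ACCEPT per type
    $IPT -A fw_icmp -p icmp --icmp-type destination-unreachable -j ACCEPT
    $IPT -A fw_icmp -p icmp --icmp-type time-exceeded -j ACCEPT
    $IPT -A fw_icmp -p icmp -j LOG --log-prefix "ferm icmp: "
    $IPT -A fw_icmp -p icmp -j DROP
}

# how many iptables rules the short ferm file expands to (dry-run mode)
count_rules() {
    ferm_example_rules | grep -c ' -A '
}

ferm_example_rules
```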
<P class=title><B>AGT </B></P>