<DT>6-10. <A
href="http://www.jollycom.ca/iptables-tutorial/iptables-tutorial.html#TABLE.MARKMATCH">Mark
match options</A>
<DT>6-11. <A
href="http://www.jollycom.ca/iptables-tutorial/iptables-tutorial.html#TABLE.MULTIPORTMATCH">Multiport
match options</A>
<DT>6-12. <A
href="http://www.jollycom.ca/iptables-tutorial/iptables-tutorial.html#TABLE.OWNERMATCH">Owner
match options</A>
<DT>6-13. <A
href="http://www.jollycom.ca/iptables-tutorial/iptables-tutorial.html#TABLE.STATEMATCHES">State
matches</A>
<DT>6-14. <A
href="http://www.jollycom.ca/iptables-tutorial/iptables-tutorial.html#TABLE.TOSMATCHES">TOS
matches</A>
<DT>6-15. <A
href="http://www.jollycom.ca/iptables-tutorial/iptables-tutorial.html#TABLE.TTLMATCHES">TTL
matches</A>
<DT>6-16. <A
href="http://www.jollycom.ca/iptables-tutorial/iptables-tutorial.html#TABLE.DNATTARGET">DNAT
target</A>
<DT>6-17. <A
href="http://www.jollycom.ca/iptables-tutorial/iptables-tutorial.html#TABLE.LOGTARGET">LOG
target options</A>
<DT>6-18. <A
href="http://www.jollycom.ca/iptables-tutorial/iptables-tutorial.html#TABLE.MARKTARGET">MARK
target options</A>
<DT>6-19. <A
href="http://www.jollycom.ca/iptables-tutorial/iptables-tutorial.html#TABLE.MASQUERADETARGET">MASQUERADE
target</A>
<DT>6-20. <A
href="http://www.jollycom.ca/iptables-tutorial/iptables-tutorial.html#TABLE.REDIRECTTARGET">REDIRECT
target</A>
<DT>6-21. <A
href="http://www.jollycom.ca/iptables-tutorial/iptables-tutorial.html#TABLE.REJECTTARGET">REJECT
target</A>
<DT>6-22. <A
href="http://www.jollycom.ca/iptables-tutorial/iptables-tutorial.html#TABLE.SNATTARGET">SNAT
target</A>
<DT>6-23. <A
href="http://www.jollycom.ca/iptables-tutorial/iptables-tutorial.html#TABLE.TOSTARGET">TOS
target</A>
<DT>6-24. <A
href="http://www.jollycom.ca/iptables-tutorial/iptables-tutorial.html#TABLE.TTLTARGET">TTL
target</A>
<DT>6-25. <A
href="http://www.jollycom.ca/iptables-tutorial/iptables-tutorial.html#TABLE.ULOGTARGET">ULOG
target</A>
<DT>C-1. <A
href="http://www.jollycom.ca/iptables-tutorial/iptables-tutorial.html#TABLE.ICMPTYPES">ICMP
types</A></DT></DL></DIV>
<DIV class=PREFACE>
<HR>
<H1><A name=ABOUTTHEAUTHOR>About the author</A></H1>
<P>I am someone with too many old computers on his hands. I have my own <SPAN
class=SYSTEMITEM>LAN</SPAN> and want all my machines to be connected to the
Internet, whilst at the same time making my <SPAN class=SYSTEMITEM>LAN</SPAN>
fairly secure. The new iptables is a good upgrade from the old ipchains in this
regard. With ipchains, you could make a fairly secure network by dropping all
incoming packets not destined for given ports. However, things like passive
<SPAN class=SYSTEMITEM>FTP</SPAN> or outgoing <SPAN class=SYSTEMITEM>DCC</SPAN>
in <SPAN class=SYSTEMITEM>IRC</SPAN> would cause problems. They assign ports on
the server, tell the client about it, and then let the client connect. There
were some teething problems in the iptables code that I ran into in the
beginning, and in some respects I found the code not quite ready for release in
full production. Today, I'd recommend everyone who uses ipchains or even the older
ipfwadm etc. to upgrade, unless they are happy with what their current code is
capable of and it does what they need. </P></DIV>
<DIV class=PREFACE>
<HR>
<H1><A name=HOWTOREAD>How to read</A></H1>
<P>This document was written purely so people can start to grasp the wonderful
world of iptables. It was never meant to contain information on specific
security bugs in iptables or Netfilter. If you find peculiar bugs or behaviors
in iptables or any of its subcomponents, you should report the problem to the
Netfilter mailing lists, where you will be told whether it is a real bug or one
that has already been fixed. Actual security-related bugs are very rarely found
in iptables or Netfilter; however, one or two do slip by once in a while. These
are shown on the front page of the <A
href="http://www.netfilter.org/" target=_top>Netfilter main page</A>, and that
is where you should go to get information on such topics. </P>
<P>The above also implies that the rule-sets available with this tutorial are
not written to deal with actual bugs inside Netfilter. Their main goal is
simply to show how to set up rules in a nice simple fashion that deals with all
the problems we may run into. For example, this tutorial will not cover how to
close down the HTTP port just because Apache happens to be vulnerable in
version 1.2.12 (closing ports is covered, though not for that reason). </P>
<P>This document was simply written to give everyone a good and simple primer on
how to get started with iptables, but at the same time it was created to be as
complete as possible. It does not contain any targets or matches that are in
patch-o-matic, for the simple reason that it would require too much effort to
keep such a list updated. If you need information about the patch-o-matic
updates, you should read the info that comes with patch-o-matic as well as
the other documentation available on the <A href="http://www.netfilter.org/"
target=_top>Netfilter main page</A>. </P></DIV>
<DIV class=PREFACE>
<HR>
<H1><A name=PREREQUISITES>Prerequisites</A></H1>
<P>This document requires some previous knowledge about Linux/Unix, shell
scripting, as well as how to compile your own kernel, and some simple knowledge
about the kernel internals. </P>
<P>I have tried as much as possible to eradicate all prerequisites needed before
fully grasping this document, but to some extent it is simply impossible to not
need some previous knowledge. </P></DIV>
<DIV class=PREFACE>
<HR>
<H1><A name=CONVENTIONSUSED>Conventions used in this document</A></H1>
<P>The following conventions are used in this document when it comes to
commands, files and other specific information. </P>
<P></P>
<UL>
<LI style="LIST-STYLE-TYPE: disc">
<P>Code excerpts and command-outputs are printed like this, with all output in
fixed width font and user-written commands in bold typeface: </P><PRE class=SCREEN>[blueflux@work1 neigh]$ <B class=COMMAND>ls</B>
default eth0 lo
[blueflux@work1 neigh]$
</PRE>
<LI style="LIST-STYLE-TYPE: disc">
<P>All commands and program names in the tutorial are shown in <B
class=COMMAND>bold typeface</B>. </P>
<LI style="LIST-STYLE-TYPE: disc">
<P>All system items such as hardware, and also kernel internals or abstract
system items such as the loopback interface are all shown in an <SPAN
class=SYSTEMITEM>italic typeface</SPAN>. </P>
<LI style="LIST-STYLE-TYPE: disc">
<P>Computer output is formatted in <TT class=COMPUTEROUTPUT>this way</TT> in
the text. </P>
<LI style="LIST-STYLE-TYPE: disc">
<P>Filenames and paths in the file-system are shown like <TT
class=FILENAME>/usr/local/bin/iptables</TT>. </P></LI></UL></DIV>
<DIV class=CHAPTER>
<HR>
<H1><A name=INTRODUCTION>Chapter 1. Introduction</A></H1>
<DIV class=SECTION>
<H1 class=SECTION><A name=WHYTHISDOCUMENT>1.1. Why this document was
written</A></H1>
<P>Well, I found a big empty space in the HOWTOs out there, lacking in
information about the iptables and Netfilter functions in the new Linux 2.4.x
kernels. Among other things, I'm going to try to answer questions that some
might have about the new possibilities like state matching. Most of this will be
illustrated with an example <A
href="http://www.jollycom.ca/iptables-tutorial/iptables-tutorial.html#RCFIREWALLTXT"><I>rc.firewall.txt</I></A>
file that you can use in your <TT class=FILENAME>/etc/rc.d/</TT> scripts. Yes,
this file was originally based upon the masquerading HOWTO for those of you who
recognize it. </P>
<P>Also, there's a small script that I wrote just in case you screw up as much
as I did during the configuration available as <A
href="http://www.jollycom.ca/iptables-tutorial/iptables-tutorial.html#RCFLUSH-IPTABLESTXT"><I>rc.flush-iptables.txt</I></A>.
</P></DIV>
<DIV class=SECTION>
<HR>
<H1 class=SECTION><A name=HOWITWAS>1.2. How it was written</A></H1>
<P>I've consulted Marc Boucher and others from the core Netfilter team. Many
heartfelt thanks to them for their work and for their help on this tutorial,
that I originally wrote for boingworld.com, and now maintain for my own site
frozentux.net. This document will guide you through the setup process step by
step and hopefully help you to understand some more about the iptables package.
I will base most of the stuff here on the example rc.firewall file, since I find
that example a good way to learn how to use iptables. I have decided to just
follow the basic chains and from there go down into each and every one of the
chains traversed in due order. That way the tutorial is a little bit harder to
follow, though this way is more logical. Whenever you find something that's hard
to understand, just come back to this tutorial. </P></DIV>
<DIV class=SECTION>
<HR>
<H1 class=SECTION><A name=TERMSUSED>1.3. Terms used in this document</A></H1>
<P>This document contains a few terms that may need more detailed explanations
before you read them. This section will try to cover the most obvious ones and
how I have chosen to use them within this document. </P>
<P>DNAT - Destination Network Address Translation. DNAT refers to the technique
of translating the destination IP address of a packet or, simply put, changing
it. This is used together with SNAT to allow several hosts to share a single
Internet-routable IP address and still provide server services. This is
normally done by assigning different ports on the Internet-routable IP address
to different internal servers, and then telling the Linux router where to send
the traffic. </P>
<P>Stream - This term refers to a connection that sends and receives packets
that are related to each other in some fashion. Basically, I have used this term
for any kind of connection that sends two or more packets in both directions. In
TCP this may mean a connection that sends a SYN and then replies with a
SYN/ACK, but it may also mean a connection that sends a SYN and then replies
with an ICMP Host unreachable. In other words, I use this term very loosely.
</P>
<P>SNAT - Source Network Address Translation. This refers to the techniques used
to translate one source address to another in a packet. This is used to make it
possible for several hosts to share a single Internet routable IP address, since
there is currently a shortage of available IP addresses in IPv4 (IPv6 will solve
this). </P>
<P>State - This term refers to which state the packet is in, either according to
<A
href="http://www.jollycom.ca/iptables-tutorial/iptables-tutorial.html#RFC793"><I>RFC
793 - Transmission Control Protocol</I></A> or according to user-side states used
in Netfilter/iptables. Note that the states used, internally and externally, do
not fully follow the RFC 793 specification. The main reason is that
Netfilter has to make several assumptions about the connections and packets.
</P>
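<P>The three terms above (DNAT, SNAT and the connection-tracking states) meet on the router itself, and the following Python model, added here as a teaching example that is neither from the tutorial nor from Netfilter's own code, shows how they interact on constructed packets: two LAN hosts share one routable address through SNAT (the second gets a remapped port when its source port collides with the first), a DNAT rule publishes an internal web server on port 80, and each tracking entry stays NEW until a packet passes in the reply direction, after which it is ESTABLISHED. The addresses (TEST-NET and RFC 1918 ranges), ports and the DNAT rule are all constructed; the class, method and field names are this example's own.</P>

```python
"""Toy model of how SNAT, DNAT and connection tracking cooperate on a Linux router.

Constructed teaching code added to this section; it is not Netfilter or iptables
source and simplifies heavily (no timeouts, no TCP flag validation). All addresses
are constructed: 203.0.113.1 (TEST-NET-3) is the router's public side, 192.168.0.0/24
is the LAN, 198.51.100.x (TEST-NET-2) are Internet peers.
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

PUBLIC_IP = "203.0.113.1"                             # the single Internet-routable address
DNAT_RULES = {("tcp", 80): ("192.168.0.10", 8080)}    # public port 80 -> internal web server


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Conn:
    """One connection-tracking entry."""
    inside: Tuple[str, int]   # LAN host and port, as seen on the LAN
    public_port: int          # port used on PUBLIC_IP for this connection
    remote: Tuple[str, int]   # Internet peer and port
    origin: str               # "outbound" (SNAT) or "inbound" (DNAT): who sent the first packet
    state: str = "NEW"        # NEW until a packet is seen in the reply direction


class NatRouter:
    def __init__(self, public_ip: str, dnat_rules: Dict[Tuple[str, int], Tuple[str, int]]):
        self.public_ip = public_ip
        self.dnat_rules = dnat_rules
        # The same entries indexed from both sides of the router.
        self._by_inside: Dict[tuple, Conn] = {}    # (proto, lan_ip, lan_port, rem_ip, rem_port)
        self._by_outside: Dict[tuple, Conn] = {}   # (proto, rem_ip, rem_port, public_port)

    def _track(self, proto, inside, public_port, remote, origin) -> Conn:
        conn = Conn(inside, public_port, remote, origin)
        self._by_inside[(proto,) + inside + remote] = conn
        self._by_outside[(proto,) + remote + (public_port,)] = conn
        return conn

    def _free_public_port(self, proto, remote, wanted) -> int:
        # Keep the LAN host's own source port unless another tracked connection to the
        # same peer already uses it on the public address; then pick the next free high port.
        if (proto,) + remote + (wanted,) not in self._by_outside:
            return wanted
        port = 1024
        while (proto,) + remote + (port,) in self._by_outside:
            port += 1
        return port

    @staticmethod
    def _seen(conn: Conn, direction: str) -> str:
        if direction != conn.origin:      # the first reply turns NEW into ESTABLISHED
            conn.state = "ESTABLISHED"
        return conn.state

    def outbound(self, pkt: Packet) -> Tuple[Packet, str]:
        """LAN -> Internet (POSTROUTING SNAT): rewrite the source to PUBLIC_IP:public_port."""
        inside, remote = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
        conn = self._by_inside.get((pkt.proto,) + inside + remote)
        if conn is None:
            port = self._free_public_port(pkt.proto, remote, pkt.sport)
            conn = self._track(pkt.proto, inside, port, remote, "outbound")
        state = self._seen(conn, "outbound")
        return replace(pkt, src=self.public_ip, sport=conn.public_port), state

    def inbound(self, pkt: Packet) -> Tuple[Optional[Packet], str]:
        """Internet -> PUBLIC_IP (PREROUTING): un-SNAT a reply, or DNAT a new connection."""
        remote = (pkt.src, pkt.sport)
        conn = self._by_outside.get((pkt.proto,) + remote + (pkt.dport,))
        if conn is None:
            target = self.dnat_rules.get((pkt.proto, pkt.dport))
            if target is None:
                # Nothing claims it: no translation happens and the packet is left to the
                # router's own filter rules as a NEW connection to the router itself.
                return None, "NEW"
            conn = self._track(pkt.proto, target, pkt.dport, remote, "inbound")
        state = self._seen(conn, "inbound")
        return replace(pkt, dst=conn.inside[0], dport=conn.inside[1]), state


if __name__ == "__main__":
    router = NatRouter(PUBLIC_IP, DNAT_RULES)
    peer = "198.51.100.7"
    # Two LAN hosts happen to pick the same source port towards the same server.
    for host in ("192.168.0.20", "192.168.0.21"):
        out, state = router.outbound(Packet("tcp", host, 40000, peer, 443))
        print(f"{host}:40000 -> {peer}:443 leaves as {out.src}:{out.sport} [{state}]")
    # The server's replies are mapped back to the right LAN host.
    for public_port in (40000, 1024):
        back, state = router.inbound(Packet("tcp", peer, 443, PUBLIC_IP, public_port))
        print(f"reply to :{public_port} delivered to {back.dst}:{back.dport} [{state}]")
    # An unsolicited request to the published port is DNATed to the internal server.
    fwd, state = router.inbound(Packet("tcp", "198.51.100.9", 51515, PUBLIC_IP, 80))
    print(f"port 80 request forwarded to {fwd.dst}:{fwd.dport} [{state}]")
```

<P>The method names follow where the real translation happens: DNAT is applied on the way in (PREROUTING) and SNAT on the way out (POSTROUTING), and a single tracking entry serves both directions so the reverse rewrite needs no extra rule. Everything the model leaves out (entry timeouts, checks on TCP flags, the INVALID state) is exactly what Netfilter adds on top of this basic bookkeeping.</P>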
<P>User space - With this term I mean everything and anything that takes place
outside the kernel. For example, invoking <B class=COMMAND>iptables -h</B> takes
place outside the kernel, while <B class=COMMAND>iptables -A FORWARD -p tcp -j
ACCEPT</B> takes place (partially) within the kernel, since a new rule is added
to the ruleset. </P>
<P>Kernel space - This is more or less the opposite of User space. This implies
the actions that take place within the kernel, and not outside of the kernel.
</P>
<P>Userland - See User space. </P></DIV></DIV>
<DIV class=CHAPTER>
<HR>
<H1><A name=PREPARATIONS>Chapter 2. Preparations</A></H1>
<P>This chapter is aimed at getting you started and to help you understand the
role Netfilter and <B class=COMMAND>iptables</B> play in Linux today. This
chapter should hopefully get you set up and finished to go with your
experimentation, and installation of your firewall. Given time and perseverance,
you'll then get it to perform exactly as you want it to. </P>
<DIV class=SECTION>
<HR>
<H1 class=SECTION><A name=WHERETOGET>2.1. Where to get iptables</A></H1>
<P>The <B class=COMMAND>iptables</B> user-space package can be downloaded from
the <A
href="http://www.jollycom.ca/iptables-tutorial/iptables-tutorial.html#NETFILTER.ORG"><I>Netfilter main page</I></A>
(<I>http://www.netfilter.org/</I>; its <I>Frequently Asked Questions</I> at
<I>http://www.netfilter.org/documentation/index.html#FAQ</I> are also a good
place to start when wondering what <I>iptables</I> and <I>Netfilter</I> are
about). The <B class=COMMAND>iptables</B> package also makes use of
kernel space facilities which can be configured into the kernel during <B
class=COMMAND>make config</B>. The necessary steps will be discussed a bit
further down in this document. </P></DIV>
<DIV class=SECTION>
<HR>