<H1 class=SECTION><A name=KERNELSETUP>2.2. Kernel setup</A></H1>
<P>To run the pure basics of <B class=COMMAND>iptables</B> you need to configure
the following options into the kernel while doing <B class=COMMAND>make
config</B> or one of its related commands: </P>
<P><TT class=COMPUTEROUTPUT>CONFIG_PACKET</TT> - This option provides packet
sockets, which let applications and utilities talk directly to the network
devices and see raw frames. Examples of such utilities are tcpdump or snort. </P>
<DIV class=NOTE>
<P></P>
<TABLE class=NOTE width="100%" border=0>
<TBODY>
<TR>
<TD vAlign=top align=middle width=25><IMG alt=Note hspace=5 src=""></TD>
<TD vAlign=top align=left>
<P>CONFIG_PACKET is strictly speaking not needed for iptables to work, but
since it has so many uses, I have chosen to include it here. If you do not
want it, don't include it. </P></TD></TR></TBODY></TABLE></DIV>
<P><TT class=COMPUTEROUTPUT>CONFIG_NETFILTER</TT> - This option is required if
you're going to use your computer as a firewall or gateway to the Internet. In
other words, this is most definitely required for anything in this tutorial to
work at all. I assume you will want this, since you are reading this. </P>
<P>And of course you need to add the proper drivers for your interfaces to work
properly, i.e. Ethernet adapter, <SPAN class=SYSTEMITEM>PPP</SPAN> and <SPAN
class=SYSTEMITEM>SLIP</SPAN> interfaces. The two options above only add the
pure basics: the Netfilter hook framework in the kernel, with which you cannot
yet filter a single packet. Every table, match and target that iptables
actually uses is a separate option, so if you want to use the more advanced
features of iptables you need to enable the corresponding options in your
kernel. Here we will show you the options available in a vanilla 2.4.9 kernel,
with a brief explanation of each: </P>
<P><TT class=COMPUTEROUTPUT>CONFIG_IP_NF_CONNTRACK</TT> - This module is needed
to do connection tracking, that is, to keep a table of the connections passing
through the box and of which packets belong to which connection. Connection
tracking is used by, among other things, <SPAN class=SYSTEMITEM>NAT</SPAN>,
<SPAN class=SYSTEMITEM>Masquerading</SPAN> and the state match. If you need to
firewall machines on a <SPAN class=SYSTEMITEM>LAN</SPAN> you most definitely
should mark this option. For example, this module is required by the <A
href="http://www.jollycom.ca/iptables-tutorial/iptables-tutorial.html#RCFIREWALLTXT"><I>rc.firewall.txt</I></A>
script to work. </P>
<P><TT class=COMPUTEROUTPUT>CONFIG_IP_NF_FTP</TT> - This module is required if
you want to do connection tracking on <SPAN class=SYSTEMITEM>FTP</SPAN>
connections. <SPAN class=SYSTEMITEM>FTP</SPAN> opens a separate data connection
on a port negotiated inside the control channel (PORT or PASV), so plain
connection tracking cannot tell which new connection belongs to which FTP
session; conntrack needs a so called helper that reads the control channel, and
this option compiles that helper. Without it the data connection is never seen
as RELATED, and you won't be able to FTP through a firewall or gateway
properly. </P>
<P><TT class=COMPUTEROUTPUT>CONFIG_IP_NF_IPTABLES</TT> - This option is required
if you want to do any kind of filtering, <SPAN class=SYSTEMITEM>masquerading</SPAN>
or <SPAN class=SYSTEMITEM>NAT</SPAN>. It adds the ip_tables framework to the
kernel, that is, the tables and chains that the user-land <B
class=COMMAND>iptables</B> command talks to. Without this you won't be able to
do anything at all with iptables. </P>
<P><TT class=COMPUTEROUTPUT>CONFIG_IP_NF_MATCH_LIMIT</TT> - This module isn't
exactly required but it's used in the example <A
href="http://www.jollycom.ca/iptables-tutorial/iptables-tutorial.html#RCFIREWALLTXT"><I>rc.firewall.txt</I></A>.
This option provides the limit match, which lets a rule match only up to a
given average rate of packets (per second, minute, hour or day), with a burst
on top. For example, <B class=COMMAND>-m limit --limit 3/minute</B> would match
at most 3 packets per minute on average, after an initial burst of 5 packets
unless you change it with <B class=COMMAND>--limit-burst</B>; packets above the
rate simply do not match and fall through to the next rule. Its main use is to
rate limit <B class=COMMAND>LOG</B> rules so that a flood cannot fill your
logs, and it can take the edge off certain Denial of Service attacks, though it
does not stop the packets from arriving. </P>
<P><TT class=COMPUTEROUTPUT>CONFIG_IP_NF_MATCH_MAC</TT> - This allows us to
match packets based on their source <SPAN class=SYSTEMITEM>MAC</SPAN> address.
Every Ethernet adapter has its own <SPAN class=SYSTEMITEM>MAC</SPAN> address,
so we could for instance block a certain computer on the local segment this
way, since its address very seldom changes. Keep in mind, though, that the match
only works on incoming packets (<SPAN class=SYSTEMITEM>PREROUTING</SPAN>, <SPAN
class=SYSTEMITEM>INPUT</SPAN> and <SPAN class=SYSTEMITEM>FORWARD</SPAN>), only
for hosts on the segment directly attached to the firewall since every router
in between rewrites the address, and that a MAC address is trivial to forge, so
this is a convenience and not authentication. We don't use this option in the <A
href="http://www.jollycom.ca/iptables-tutorial/iptables-tutorial.html#RCFIREWALLTXT"><I>rc.firewall.txt</I></A>
example or anywhere else. </P>
<P><TT class=COMPUTEROUTPUT>CONFIG_IP_NF_MATCH_MARK</TT> - This allows us to use
the <B class=COMMAND>mark</B> match. For example, if we use the <B
class=COMMAND>MARK</B> target we could mark a packet in the <SPAN
class=SYSTEMITEM>mangle</SPAN> table and then, further on in the tables, match
on whether the packet carries that mark. The mark is an integer kept in the
kernel's own packet structure; it is never sent on the wire and is gone once
the packet leaves the box. This option is the actual match <B
class=COMMAND>mark</B>, and further down we will describe the actual target <B
class=COMMAND>MARK</B>. </P>
<P><TT class=COMPUTEROUTPUT>CONFIG_IP_NF_MATCH_MULTIPORT</TT> - This module
allows us to match packets against a list of up to 15 source or destination
ports in a single rule, for example <B class=COMMAND>-m multiport --dports
22,80,443</B>. Without it a rule can only match one port or one consecutive
range (<B class=COMMAND>--dport 6000:6010</B>), so non-consecutive ports would
each need a rule of their own. </P>
<P><TT class=COMPUTEROUTPUT>CONFIG_IP_NF_MATCH_TOS</TT> - With this match we can
match packets based on their <SPAN class=SYSTEMITEM>TOS</SPAN> field. <SPAN
class=SYSTEMITEM>TOS</SPAN> stands for <I class=EMPHASIS>Type Of Service</I>.
<SPAN class=SYSTEMITEM>TOS</SPAN> can also be set by certain rules in the <SPAN
class=SYSTEMITEM>mangle</SPAN> table and via the ip/tc commands. </P>
<P><TT class=COMPUTEROUTPUT>CONFIG_IP_NF_MATCH_TCPMSS</TT> - This option adds
the possibility for us to match <SPAN class=SYSTEMITEM>TCP</SPAN> packets based
on their <SPAN class=SYSTEMITEM>MSS</SPAN> (Maximum Segment Size) option, which
is only carried in the SYN packets of the handshake. </P>
<P><TT class=COMPUTEROUTPUT>CONFIG_IP_NF_MATCH_STATE</TT> - This is one of the
biggest changes in comparison to <B class=COMMAND>ipchains</B>. With this module
we can do stateful matching on packets, using the entries kept by <TT
class=COMPUTEROUTPUT>CONFIG_IP_NF_CONNTRACK</TT>. For example, once we have
seen traffic in both directions of a <SPAN class=SYSTEMITEM>TCP</SPAN>
connection, further packets in it are counted as <B
class=COMMAND>ESTABLISHED</B>; a packet that opens a new connection is <B
class=COMMAND>NEW</B>, a connection that a helper expects (such as an FTP data
connection) is <B class=COMMAND>RELATED</B>, and a packet that fits no known
connection is <B class=COMMAND>INVALID</B>. This module is used extensively in
the <A
href="http://www.jollycom.ca/iptables-tutorial/iptables-tutorial.html#RCFIREWALLTXT"><I>rc.firewall.txt</I></A>
example. </P>
<P><TT class=COMPUTEROUTPUT>CONFIG_IP_NF_MATCH_UNCLEAN</TT> - This module will
add the possibility for us to match <SPAN class=SYSTEMITEM>IP</SPAN>, <SPAN
class=SYSTEMITEM>TCP</SPAN>, <SPAN class=SYSTEMITEM>UDP</SPAN> and <SPAN
class=SYSTEMITEM>ICMP</SPAN> packets that are malformed or otherwise do not
conform to the protocol specifications. We could for example drop these
packets, but we never know if they are legitimate or not; odd but valid packets
from some implementations may be caught too. Note that this match is still
experimental and might not work perfectly in all cases. </P>
<P><TT class=COMPUTEROUTPUT>CONFIG_IP_NF_MATCH_OWNER</TT> - This option will add
the possibility for us to do matching based on the owner of the local socket
that created a packet: its user, group or process id. That only makes sense for
locally generated packets, so the match is valid in the <SPAN
class=SYSTEMITEM>OUTPUT</SPAN> chain only, never for forwarded traffic. For
example, we can allow only the user root to have Internet access. This module
was originally just written as an example of what could be done with the new <B
class=COMMAND>iptables</B>. Note that this match is still experimental and might
not work for everyone. </P>
<P><TT class=COMPUTEROUTPUT>CONFIG_IP_NF_FILTER</TT> - This module will add the
basic <SPAN class=SYSTEMITEM>filter</SPAN> table which will enable you to do
<SPAN class=SYSTEMITEM>IP</SPAN> filtering at all. In the <SPAN
class=SYSTEMITEM>filter</SPAN> table you'll find the <SPAN
class=SYSTEMITEM>INPUT</SPAN>, <SPAN class=SYSTEMITEM>FORWARD</SPAN> and <SPAN
class=SYSTEMITEM>OUTPUT</SPAN> chains. This module is required if you plan to do
any kind of filtering on packets that you receive and send. </P>
<P><TT class=COMPUTEROUTPUT>CONFIG_IP_NF_TARGET_REJECT</TT> - This target allows
us to specify that an error message should be sent in reply to incoming
packets, instead of plainly dropping them dead to the floor. By default the
reply is an <SPAN class=SYSTEMITEM>ICMP</SPAN> port unreachable, whatever the
protocol; with <B class=COMMAND>--reject-with</B> you can pick another ICMP
error or, for <SPAN class=SYSTEMITEM>TCP</SPAN> only, <B
class=COMMAND>tcp-reset</B>, which answers with a <SPAN class=SYSTEMITEM>TCP
RST</SPAN> just as a closed port would, so the connection attempt fails at once
instead of timing out. Keep in mind that every rejected packet costs you an
outgoing packet, so a flood of rejected packets is answered with a flood of
replies; on an Internet-facing interface DROP is often the better choice. </P>
<P><TT class=COMPUTEROUTPUT>CONFIG_IP_NF_TARGET_MIRROR</TT> - This allows
packets to be bounced back to the sender, with source and destination addresses
swapped. For example, if we set up a <SPAN class=SYSTEMITEM>MIRROR</SPAN> target
on destination port <SPAN class=SYSTEMITEM>HTTP</SPAN> on our <SPAN
class=SYSTEMITEM>INPUT</SPAN> chain and someone tries to access this port, we
would bounce his packets back to him and he would probably end up seeing his
own homepage. It is an experimental demonstration target rather than a defense:
since the firewall answers every mirrored packet with one of its own, an
attacker who spoofs the source address can make your firewall fire packets at a
third party, so do not use it on a production gateway. </P>
<P><TT class=COMPUTEROUTPUT>CONFIG_IP_NF_NAT</TT> - This module allows <SPAN
class=SYSTEMITEM>network address translation</SPAN>, or <SPAN
class=SYSTEMITEM>NAT</SPAN>, in its different forms. This option gives us access
to the nat table in iptables, and it is required if we want to do port
forwarding, masquerading, etc. Note that it is not required for plain filtering
of a <SPAN class=SYSTEMITEM>LAN</SPAN>, but as soon as the hosts behind the
firewall are to share one address you need it, and that is the case unless you
are able to provide a unique, routable IP address for every host. Hence, this
option is required for the example <A
href="http://www.jollycom.ca/iptables-tutorial/iptables-tutorial.html#RCFIREWALLTXT"><I>rc.firewall.txt</I></A>
script to work properly, and most definitely on your network if you cannot give
every host its own address as described above. </P>
<P><TT class=COMPUTEROUTPUT>CONFIG_IP_NF_TARGET_MASQUERADE</TT> - This module
adds the <B class=COMMAND>MASQUERADE</B> target. If we don't know in advance
what IP address we have towards the Internet, this is the preferred way of
doing source translation instead of <SPAN class=SYSTEMITEM>SNAT</SPAN>: the
target looks up the current address of the outgoing interface for each new
connection. In other words, if we use <SPAN class=SYSTEMITEM>DHCP</SPAN>, <SPAN
class=SYSTEMITEM>PPP</SPAN>, <SPAN class=SYSTEMITEM>SLIP</SPAN> or some other
connection that assigns us an IP, we should use this target instead of <SPAN
class=SYSTEMITEM>SNAT</SPAN>. It also forgets all translated connections when
the interface goes down, which is what you want when the next dial-up gets a
different address. Masquerading gives a slightly higher load on the computer
than <SPAN class=SYSTEMITEM>SNAT</SPAN>, but will work without us knowing the
IP address in advance. </P>
<P><TT class=COMPUTEROUTPUT>CONFIG_IP_NF_TARGET_REDIRECT</TT> - This target is
useful together with <SPAN class=SYSTEMITEM>application proxies</SPAN>, for
example. Instead of letting a packet pass right through, we rewrite its
destination to the address of the interface it came in on and to a local port
of our choosing (<B class=COMMAND>--to-ports</B>), so it is delivered to a
daemon on our own box. It is valid in the <SPAN
class=SYSTEMITEM>PREROUTING</SPAN> and <SPAN class=SYSTEMITEM>OUTPUT</SPAN>
chains of the nat table. In other words, we have the possibility to make a
<SPAN class=SYSTEMITEM>transparent proxy</SPAN> this way. </P>
<P><TT class=COMPUTEROUTPUT>CONFIG_IP_NF_TARGET_LOG</TT> - This adds the <B
class=COMMAND>LOG</B> target and its functionality to <B
class=COMMAND>iptables</B>. We can use this module to log certain packets
through the kernel log to syslogd, tagged with a <B
class=COMMAND>--log-prefix</B> of our choosing, and hence see what is happening
to the packet. Unlike most targets, <B class=COMMAND>LOG</B> is non-terminating:
the packet carries on to the next rule in the chain, so a logging rule is
normally placed just before the rule that drops or rejects, and paired with the
limit match so that a flood cannot fill the log. This is invaluable for security
audits, forensics or debugging a script you are writing. </P>
<P><TT class=COMPUTEROUTPUT>CONFIG_IP_NF_TARGET_TCPMSS</TT> - This option can be
used to counter Internet Service Providers and servers who block <SPAN
class=SYSTEMITEM>ICMP Fragmentation Needed</SPAN> packets, which breaks Path
MTU discovery. The symptom is that small packets get through while large ones
silently vanish: web-pages not loading, small mails getting through while
larger mails don't, ssh works but scp dies after the handshake, etc. We can then
use the <SPAN class=SYSTEMITEM>TCPMSS</SPAN> target on SYN packets to overcome
this by clamping the <SPAN class=SYSTEMITEM>MSS</SPAN> (Maximum Segment Size)
advertised in the handshake to the <SPAN class=SYSTEMITEM>PMTU</SPAN> (Path
MTU, the largest packet the path can carry) minus the headers, so that the peer
never sends segments that would need fragmenting. This way, we'll be able to
handle what the authors of Netfilter themselves call "criminally brain-dead
ISPs or servers" in the kernel configuration help. </P>
<P><TT class=COMPUTEROUTPUT>CONFIG_IP_NF_COMPAT_IPCHAINS</TT> - Adds a
compatibility mode with the obsolescent <B class=COMMAND>ipchains</B>. The
compatibility module and ip_tables hook the same places in the kernel and
cannot be loaded at the same time, so it is either the old tool or the new one.
Do not look to this as any real long term solution for solving migration from
Linux 2.2 kernels to 2.4 kernels, since it may well be gone with kernel 2.6. </P>
<P><TT class=COMPUTEROUTPUT>CONFIG_IP_NF_COMPAT_IPFWADM</TT> - Compatibility
mode with obsolescent <B class=COMMAND>ipfwadm</B>. Definitely don't look to
this as a real long term solution. </P>
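<P>As an added example, and not the tutorial's own rc.firewall.txt or any script
from the Netfilter project, here is a small ruleset that uses the matches and
targets described above, roughly one rule per kernel option, so you can see
what each option buys you. The interface names, the LAN range and the proxy
port are assumptions. The rules are produced by a function so that they can be
reviewed as text before being loaded as root.</P>

```shell
#!/bin/sh
# Added example: a small ruleset exercising the matches and targets above.
# Not the tutorial's rc.firewall.txt and not Netfilter project code.
# Interface names, LAN range and proxy port below are assumptions.

IPT="${IPT:-iptables}"
INET_IFACE="${INET_IFACE:-eth0}"       # assumed Internet-facing interface
LAN_IFACE="${LAN_IFACE:-eth1}"         # assumed LAN interface
LAN_NET="${LAN_NET:-192.168.0.0/24}"   # assumed LAN range (RFC 1918 space)
PROXY_PORT="${PROXY_PORT:-3128}"       # assumed local transparent-proxy port

firewall_rules() {
    # CONFIG_IP_NF_FILTER: default-deny policies in the filter table.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # CONFIG_IP_NF_MATCH_STATE (on top of CONNTRACK): replies to tracked
    # flows pass, including FTP data connections the FTP helper marks RELATED.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IFACE" -s "$LAN_NET" -m state --state NEW -j ACCEPT

    # CONFIG_IP_NF_MATCH_MARK: mark SSH SYNs in mangle, match the mark later.
    # The mark lives only inside this kernel; it never goes on the wire.
    $IPT -t mangle -A PREROUTING -p tcp --dport 22 --syn -j MARK --set-mark 1
    $IPT -A INPUT -m mark --mark 1 -m limit --limit 1/minute \
        -j LOG --log-prefix "FW-MARKED-SSH: "

    # CONFIG_IP_NF_MATCH_MULTIPORT: non-consecutive ports in a single rule.
    $IPT -A INPUT -i "$LAN_IFACE" -p tcp -m multiport --dports 22,80,443 \
        -m state --state NEW -j ACCEPT

    # CONFIG_IP_NF_MATCH_LIMIT + CONFIG_IP_NF_TARGET_LOG: log new SYNs from
    # the Internet at most 3/minute so a flood cannot fill syslog. LOG does
    # not terminate, so the packet then falls through to the DROP policy.
    $IPT -A INPUT -i "$INET_IFACE" -p tcp --syn \
        -m limit --limit 3/minute --limit-burst 3 \
        -j LOG --log-prefix "FW-INPUT-SYN: "

    # CONFIG_IP_NF_TARGET_REJECT: answer LAN clients so they fail fast;
    # tcp-reset for TCP, an ICMP error for everything else. The Internet
    # side gets no answer at all (DROP policy).
    $IPT -A INPUT -i "$LAN_IFACE" -p tcp -j REJECT --reject-with tcp-reset
    $IPT -A INPUT -i "$LAN_IFACE" -j REJECT --reject-with icmp-port-unreachable

    # CONFIG_IP_NF_NAT + CONFIG_IP_NF_TARGET_MASQUERADE: hide the LAN behind
    # whatever address the Internet interface has right now.
    $IPT -t nat -A POSTROUTING -o "$INET_IFACE" -s "$LAN_NET" -j MASQUERADE

    # CONFIG_IP_NF_TARGET_REDIRECT: transparent proxy for LAN web traffic.
    $IPT -t nat -A PREROUTING -i "$LAN_IFACE" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$PROXY_PORT"

    # CONFIG_IP_NF_TARGET_TCPMSS: clamp the MSS of forwarded SYNs for paths
    # where ICMP Fragmentation Needed is blocked. Placed in filter/FORWARD as
    # on 2.4 kernels; newer kernels require the mangle table.
    $IPT -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
}

# Number of rule lines the function emits (a dry run with IPT=echo).
firewall_rule_count() {
    ( IPT=echo; firewall_rules ) | wc -l | tr -d ' '
}

case "${1:-}" in
    review)                     # print the rules instead of loading them
        ( IPT=echo; firewall_rules ) ;;
    apply)                      # load for real; needs root and forwarding
        [ "$(id -u)" = 0 ] || { echo "apply needs root" >&2; exit 1; }
        echo 1 > /proc/sys/net/ipv4/ip_forward
        firewall_rules ;;
esac
```

<P>Run it with <B class=COMMAND>review</B> as the first argument to see the
iptables command lines it would issue, and with <B class=COMMAND>apply</B> as
root to load them. Every match and target in it needs the corresponding kernel
option from the list above; a rule whose module is missing fails with an error
from iptables, which is the quickest way to find out which option you forgot.</P>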
<P>As you can see, there is a heap of options. I have briefly explained here
what kind of extra behaviors you can expect from each module. These are only the
options available in a vanilla Linux 2.4.9 kernel. If you would like to take a
look at more options, I suggest you look at the <SPAN
class=SYSTEMITEM>patch-o-matic</SPAN> functions in the <SPAN
class=SYSTEMITEM>Netfilter</SPAN> user-land package, which will add heaps of
other options to the kernel. <SPAN class=SYSTEMITEM>POM</SPAN> fixes are kernel
patches that are supposed to be merged in the future but have not quite reached
the mainstream kernel yet. This may be for various reasons, from the patch not
being stable yet, to Linus Torvalds being unable to keep up, or not wanting to
let the patch into the mainstream kernel while it is still experimental. Being
out-of-tree, such patches also get far less testing than what ships in the
kernel, so weigh that before putting one on a firewall. </P>
<P>You will need the following options compiled into your kernel, or as modules,
for the <A
href="http://www.jollycom.ca/iptables-tutorial/iptables-tutorial.html#RCFIREWALLTXT"><I>rc.firewall.txt</I></A>
script to work. (<TT class=COMPUTEROUTPUT>CONFIG_IP_NF_IRC</TT>, not described
above, is the connection tracking helper for IRC DCC transfers, the IRC
counterpart of the FTP helper.) If you build them as modules, make sure they can
be loaded with modprobe on the firewall; a rule whose match or target module
cannot be loaded fails with an error. If you need help with the options that
the other scripts need, look at the example firewall scripts section. </P>
<P></P>
<UL>
<LI>
<P>CONFIG_PACKET </P>
<LI>
<P>CONFIG_NETFILTER </P>
<LI>
<P>CONFIG_IP_NF_CONNTRACK </P>
<LI>
<P>CONFIG_IP_NF_FTP </P>
<LI>
<P>CONFIG_IP_NF_IRC </P>
<LI>
<P>CONFIG_IP_NF_IPTABLES </P>
<LI>
<P>CONFIG_IP_NF_FILTER </P>
<LI>
<P>CONFIG_IP_NF_NAT </P>
<LI>
<P>CONFIG_IP_NF_MATCH_STATE </P>
<LI>
<P>CONFIG_IP_NF_TARGET_LOG </P>
<LI>
<P>CONFIG_IP_NF_MATCH_LIMIT </P>
<LI>
<P>CONFIG_IP_NF_TARGET_MASQUERADE </P></LI></UL>
<P>At the very least the above will be required for the <A
href="http://www.jollycom.ca/iptables-tutorial/iptables-tutorial.html#RCFIREWALLTXT"><I>rc.firewall.txt</I></A>
script. In the other example scripts I will explain what requirements they have
in their respective sections. For now, let's try to stay focused on the main
script which you should be studying now. </P></DIV>
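<P>Before running the script it is worth checking that the kernel you boot
actually has this list. The following checker is an added example and not part
of the tutorial: it reads a kernel .config (the running kernel's copy from
/proc/config.gz if CONFIG_IKCONFIG_PROC is set, or /boot/config-&lt;version&gt;,
or a path you give it) and reports each required option as built-in, module or
missing. The sample config it writes for demonstration is constructed and does
not come from any real kernel.</P>

```shell
#!/bin/sh
# Added example (not part of the tutorial): check a kernel configuration for
# the options rc.firewall.txt needs and report each as built-in (y), module
# (m) or missing. The sample config written by write_sample_config is
# constructed for demonstration and is not from any real kernel.

REQUIRED_OPTIONS="CONFIG_PACKET CONFIG_NETFILTER CONFIG_IP_NF_CONNTRACK
CONFIG_IP_NF_FTP CONFIG_IP_NF_IRC CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_FILTER
CONFIG_IP_NF_NAT CONFIG_IP_NF_MATCH_STATE CONFIG_IP_NF_TARGET_LOG
CONFIG_IP_NF_MATCH_LIMIT CONFIG_IP_NF_TARGET_MASQUERADE"

# Write the running kernel's config to stdout, from whichever place has it.
read_kernel_config() {
    if [ -r /proc/config.gz ]; then            # needs CONFIG_IKCONFIG_PROC
        zcat /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    else
        echo "no kernel config found; pass a .config path" >&2
        return 1
    fi
}

# State of one option in a config file: y, m or missing.
# "# CONFIG_FOO is not set" lines and absent lines both count as missing.
option_state() {   # $1 = option name, $2 = config file
    state=$(sed -n "s/^$1=\([ym]\)\$/\1/p" "$2" | head -n 1)
    if [ -n "$state" ]; then echo "$state"; else echo missing; fi
}

# Print a line per required option; return 1 if any is missing.
# Modules are fine, as the tutorial says, as long as they can be loaded.
check_netfilter_config() {   # $1 = config file
    missing=0
    for opt in $REQUIRED_OPTIONS; do
        st=$(option_state "$opt" "$1")
        printf '%-34s %s\n' "$opt" "$st"
        if [ "$st" = missing ]; then missing=1; fi
    done
    return $missing
}

# Constructed sample: everything modular except the IRC helper, which is
# unset, so the check must fail on it.
write_sample_config() {   # $1 = destination path
    cat > "$1" <<'EOF'
CONFIG_PACKET=y
CONFIG_NETFILTER=y
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_FTP=m
# CONFIG_IP_NF_IRC is not set
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_MATCH_STATE=m
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_MATCH_LIMIT=m
CONFIG_IP_NF_TARGET_MASQUERADE=m
EOF
}

# No argument: demonstrate on the sample. "--live": the running kernel.
# Anything else: a path to a .config file.
cfg=$(mktemp)
case "${1:-}" in
    "")      write_sample_config "$cfg" ;;
    --live)  read_kernel_config > "$cfg" || { rm -f "$cfg"; exit 1; } ;;
    *)       cat "$1" > "$cfg" ;;
esac
if check_netfilter_config "$cfg"; then
    echo "all options present"
else
    echo "missing options: rc.firewall.txt will not load on this kernel"
fi
rm -f "$cfg"
```

<P>A line reading <TT class=COMPUTEROUTPUT>CONFIG_IP_NF_IRC missing</TT> means
exactly what it says: go back to the kernel configuration, enable the option,
and rebuild. Options reported as <TT class=COMPUTEROUTPUT>m</TT> are present but
must be loadable as modules when the firewall script runs.</P>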
<DIV class=SECTION>
<HR>
<H1 class=SECTION><A name=USERLANDSETUP>2.3. User-land setup</A></H1>
<P>First of all, let's look at how we compile the <B class=COMMAND>iptables</B>
package. It's important to realize that for the most part, configuration and
compilation of iptables goes hand in hand with the kernel configuration and
compilation. Certain distributions come with the <B class=COMMAND>iptables</B>
package preinstalled; one of these is Red Hat. However, in Red Hat it is
disabled by default. We will look closer at how to enable it, and take a look
at other distributions, further on in this chapter. </P>
<DIV class=SECTION>
<HR>