Implement a packet filter firewall using iptables

Source: Internet
Author: User

I. Overview
Linux has had packet filtering since the 1.1 kernel. In the 2.0 kernel, ipfwadm was used to manage the kernel's packet filtering rules; in the 2.2 kernel it was replaced by ipchains. The 2.4 kernel no longer uses ipchains but iptables, a brand new kernel packet filtering management tool. This new tool makes it easier for users to understand how filtering works and how to use it, and it also has more powerful functions.
As said above, iptables is only a tool for managing kernel packet filtering: it can be used to add, insert, or delete rules in the kernel's packet filtering tables (chains). The actual filtering is implemented by netfilter (a general architecture in the Linux kernel) and its related modules (such as the iptables module and the nat module). Let's take a look at how netfilter works.
II. Principles
Netfilter is a general architecture in the Linux kernel. It provides a series of "tables"; each table consists of several "chains", and each chain can contain one or more rules. In other words, netfilter is a container of tables, a table is a container of chains, and a chain is a container of rules (Figure 1).


The default table is "filter", which contains three chains: INPUT, FORWARD, and OUTPUT. Each chain holds one or more rules, and each rule is defined as "if the packet header meets this condition, process the packet in this way". When a packet arrives at a chain, the system checks it against the rules starting from the first one: if the packet matches a rule, the system processes it as that rule specifies; if it does not match, the system checks the next rule. Finally, if the packet matches no rule in the chain, the system processes it according to the chain's predefined policy.
Figure 2 shows how a packet travels through the filter table. When a packet enters the system, the system first uses the routing table to decide which chain the packet is sent to. There are three possible cases:


1. If the destination address of the packet is the local machine, the system sends the packet to the INPUT chain. If the packet passes the rule check, it is delivered to the corresponding local process; if it fails the rule check, the system discards the packet;
2. If the destination address of the packet is not the local machine, that is, the packet is to be forwarded, the system sends the packet to the FORWARD chain. If the packet passes the rule check, it is sent to the corresponding local process for processing; if it fails the rule check, the system discards the packet;
3. If the packet is generated by a local process, the system sends it to the OUTPUT chain. If the packet passes the rule check, it is sent to the corresponding local process for processing; if it fails the rule check, the system discards the packet.
From the above we can see that netfilter is much clearer and easier to understand than ipfwadm and ipchains were, which is undoubtedly good news for users who were always confused by ipfwadm and ipchains.
III. Preparations
1. System Requirements
Netfilter requires a kernel version of at least 2.3.5. When compiling a new kernel, you must select the options related to netfilter. These options are usually located under the "Networking options" submenu. Taking the 2.4.0 kernel as an example, select the following items:
[*] Kernel/User netlink socket
[ ] Routing messages
<*> Netlink device emulation
[*] Network packet filtering (replaces ipchains)
Then, under "IP: Netfilter Configuration ---->", select:
Connection tracking (required for masq/NAT)
FTP protocol support
IP tables support (required for filtering/masq/NAT)
limit match support
MAC address match support
Netfilter MARK match support
Multiple port match support
TOS match support
Connection state match support
Packet filtering
REJECT target support
Full NAT
MASQUERADE target support
REDIRECT target support
Packet mangling
TOS target support
MARK target support
LOG target support
ipchains (2.2-style) support
ipfwadm (2.0-style) support
The last two items can be deselected, but if you miss ipchains or ipfwadm, you can select them to keep using ipchains or ipfwadm on the 2.4 kernel. Note, however, that iptables and ipchains/ipfwadm cannot be used at the same time. After compilation succeeds, the module files are located in the following directory:
/lib/modules/2.4.0/kernel/net/ipv4/netfilter
When compiling the new 2.4.0 kernel, also make sure to select the option matching your CPU under "Processor type and features"; otherwise the new kernel may not work properly.
2. Load Module
To use iptables, the relevant kernel modules must be loaded. Run the following command to load them:
# modprobe ip_tables
The modprobe command loads the named module together with the modules it depends on; the iptable_filter module is loaded automatically when iptables is used.
IV. Syntax
1. Chain Operations
Create a new chain (-N).
Delete an empty chain (-X).
Change the policy of a built-in chain (-P).
List the rules in a chain (-L).
Flush all rules from a chain (-F).
Zero the packet and byte counters of all rules in a chain (-Z).
2. Operations on Rules
Append a new rule to the end of a chain (-A).
Insert a new rule at a given position in the chain, usually at the beginning (-I).
Replace the rule at a given position in the chain (-R).
Delete the rule at a given position in the chain (-D).
Delete the first matching rule in the chain (-D).
3. Specify the source address and Destination Address
Use --source/--src/-s to specify the source address (here "/" means "or", and likewise below), and --destination/--dst/-d to specify the destination address. An address can be given in any of the following four ways:
A. A complete domain name, such as "www.linuxaid.com.cn";
B. An IP address, such as "192.168.1.1";
C. A network address written as x.x.x.x/x.x.x.x, such as "192.168.1.0/255.255.255.0";
D. A network address written as x.x.x.x/n, such as "192.168.1.0/24", where n is the number of significant bits in the subnet mask; this form is common in UNIX environments.
The default mask length is 32, so specifying 192.168.1.1 is equivalent to 192.168.1.1/32.
4. Specify the Protocol
You can use the --protocol/-p option to specify the protocol, such as -p tcp.
5. Specify Network Interfaces
Use --in-interface/-i or --out-interface/-o to specify the network interface. Note that rules in the INPUT chain may only use -i, since only incoming packets pass through it, and rules in the OUTPUT chain may only use -o, since only outgoing packets pass through it. Only the FORWARD chain can match on both an -i interface and an -o interface. You can also name an interface that does not exist yet, such as ppp0; such a rule only takes effect once dial-up succeeds.
6. Specify ip fragmentation
In TCP/IP communication, each network interface has a maximum transmission unit (MTU), which defines the largest packet that can be passed. If a packet exceeds this size, the system splits it into several smaller packets (ip fragments) for transmission, and the receiver reassembles the fragments to restore the whole packet.
However, ip fragmentation causes a problem for packet filtering: when the system splits a large packet into fragments, only the first fragment carries the complete packet header; the subsequent fragments carry only part of the header, such as the source and destination addresses. So, given a rule such as:
iptables -A FORWARD -p tcp -s 192.168.1.0/24 -d 192.168.2.100 --dport 80 -j ACCEPT
with the FORWARD policy set to DROP, the system lets only the first fragment through and drops the rest: the first fragment carries the full header and therefore matches the rule, while the remaining fragments have incomplete header information and cannot satisfy the conditions the rule defines.
We can use the --fragment/-f option to match the second and later ip fragments. In the example above, adding the following rule solves this problem:
iptables -A FORWARD -f -s 192.168.1.0/24 -d 192.168.2.100 -j ACCEPT
Note, however, that ip fragmentation attacks are already widespread (for example, sending large numbers of ip fragments to Win98, NT4 SP5/SP6 and Win2K hosts as a DoS attack), so letting ip fragments through is a security risk. We can use an iptables match extension to limit this, although that affects service quality; we will discuss this issue below.
7. Negation
You can put ! before the value of some options to negate it. For example, "-s ! 192.168.1.1/32" means any source address other than 192.168.1.1, and "-p ! tcp" means any protocol other than tcp.
8. TCP matching Extension
You can use the --tcp-flags option to filter packets by the flag bits of the TCP header. The option is followed by two arguments; the first is the set of flags to inspect, which can be any combination of SYN, ACK, FIN, RST, URG and PSH, and ALL stands for all of the flags.
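The following script is an added example, not part of the original article, that puts sections 5 to 8 together into one FORWARD-chain ruleset for the scenario above (192.168.1.0/24 reaching a web server at 192.168.2.100). The interface names eth0/eth1, the excluded gateway address 192.168.1.1 and the 50/s fragment rate limit are assumptions; by default it only prints the commands, and it applies them only when run as root with FW_APPLY=1.

```shell
#!/bin/sh
# Added example (not from the original article). Builds a FORWARD-chain ruleset
# for the page's scenario: clients on 192.168.1.0/24 (eth0, inside) reaching a
# web server at 192.168.2.100 (eth1, outside). Interface names, the gateway
# address 192.168.1.1 and the 50/s limit are assumed values.
APPLY="${FW_APPLY:-0}"   # 0 = print the commands, 1 = really run iptables

apply() {
    if [ "$APPLY" = 1 ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

fw_forward_rules() {
    apply -P FORWARD DROP    # policy: any packet matching no rule is discarded
    apply -F FORWARD         # flush old rules so the chain is rebuilt from scratch
    # --tcp-flags takes the mask of flags to inspect, then the flags that must be
    # set: a packet with both SYN and FIN set is never legitimate, so drop it.
    apply -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    # The page's example rule, restricted to the expected in/out interfaces.
    apply -A FORWARD -i eth0 -o eth1 -p tcp -s 192.168.1.0/24 -d 192.168.2.100 --dport 80 -j ACCEPT
    # Second and later fragments carry no TCP header, so the rule above cannot
    # see the port; match them with -f, but rate-limit them (limit match from the
    # kernel config) to reduce exposure to the fragment floods the page warns about.
    apply -A FORWARD -f -i eth0 -o eth1 -s 192.168.1.0/24 -d 192.168.2.100 -m limit --limit 50/s -j ACCEPT
    # The single rule on the page only covers one direction; the server's replies
    # must be allowed back too (state match from the kernel config).
    apply -A FORWARD -i eth1 -o eth0 -p tcp -s 192.168.2.100 --sport 80 -m state --state ESTABLISHED -j ACCEPT
    # Negation: log whatever else arrives, except traffic from the gateway itself,
    # before the DROP policy discards it. Current iptables prefers "! -s"; the
    # older "-s !" form from the page is accepted by old versions as well.
    apply -A FORWARD ! -s 192.168.1.1 -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
}

fw_forward_rules
```

Run it as "FW_APPLY=1 sh firewall.sh" as root to apply the rules; without that variable it prints the seven iptables commands it would run.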
