Introduction to iptables kernel configuration

Source: Internet
Author: User
To run iptables, you need to select the following options during kernel configuration, whether you use make config or another configuration command.

CONFIG_PACKET - allows programs to access a network device directly (note: most commonly the network card); tcpdump and snort, for example, need this. Strictly speaking, iptables does not need CONFIG_PACKET, but a lot of other programs do, so it is usually selected. Of course, if you do not want it, leave it out. (Recommended.)

CONFIG_NETFILTER - allows the computer to act as a gateway or firewall. This one is mandatory, because everything in this article depends on it. I assume you want it too; after all, you are the one learning iptables :)

Of course, you also need the correct drivers for your network devices, such as the Ethernet NIC, PPP and SLIP. The options above only set up the framework in the kernel: iptables will run, but it cannot do anything useful yet. We need more options. The following describes the kernel 2.4.9 options with brief explanations:
CONFIG_IP_NF_CONNTRACK - the connection tracking module, needed for NAT (network address translation) and masquerading (IP address disguise), among other uses. If you want a machine on your LAN to act as a firewall, you should definitely select this module. The example script rc.firewall.txt needs it to work properly.

CONFIG_IP_NF_FTP - provides connection tracking for FTP connections. FTP connections are normally very hard to track, so a special helper module is needed; this option compiles that helper. Without it, you cannot use FTP through the firewall or gateway.

CONFIG_IP_NF_IPTABLES - with it, you can use filtering, masquerading and NAT. It adds the iptables identification framework to the kernel. Without it, iptables is useless.

CONFIG_IP_NF_MATCH_LIMIT - this module is not strictly required, but it is used in rc.firewall.txt. It provides the LIMIT match, so that a rule can control how many packets it matches per minute; for example, -m limit --limit 3/minute matches at most three packets per minute. This can also be used to blunt some DoS attacks.

CONFIG_IP_NF_MATCH_MAC - select this module to match packets by MAC address. For example, it is easy to block packets from certain MAC addresses, or traffic between certain computers, because every Ethernet adapter has its own MAC address and it almost never changes. This function is not used in rc.firewall.txt or in the other examples. (Note: this shows that learning it now lays a foundation for later :))

CONFIG_IP_NF_MATCH_MARK - provides the MARK match. We can MARK a packet and then, further on in the tables, match packets on that mark. A detailed description follows later.

CONFIG_IP_NF_MATCH_MULTIPORT - if this module is selected, we can match packets against a range of ports; without it, this cannot be done.

CONFIG_IP_NF_MATCH_TOS - lets us match packets on their Type Of Service (TOS) field. TOS itself can be set with the ip/tc commands, or with rules in the mangle table.

CONFIG_IP_NF_MATCH_TCPMSS - lets us match TCP packets on their MSS.

CONFIG_IP_NF_MATCH_STATE - compared with ipchains, this is the biggest update. It lets us match packets on the state of their connection: for example, once traffic has flowed in both directions of a TCP connection, the packets on that connection are considered ESTABLISHED. This module is used heavily in rc.firewall.txt.

CONFIG_IP_NF_MATCH_UNCLEAN - matches IP, TCP, UDP and ICMP packets that do not conform to the standards or are otherwise invalid; any packet that is not in the correct form is "dirty". Much as the memory manager of an operating system speaks of "dirty pages", we can speak of "dirty packets" here, which are naturally UNCLEAN. We would usually drop such packets, though I do not know whether that is always correct. Besides, this match is still experimental and may cause some problems.

CONFIG_IP_NF_MATCH_OWNER - matches packets by the owner of the socket that created them. For example, we could allow only root to access the Internet. In iptables, this module was originally written as an example of what can be done. It is also still experimental and cannot be relied upon.
CONFIG_IP_NF_FILTER - adds the basic filter table to iptables, with its INPUT, FORWARD and OUTPUT chains. The filter table does full IP filtering. This module is required for any packet filtering at all, whether on received or sent packets.

CONFIG_IP_NF_TARGET_REJECT - lets us answer a packet with an ICMP error message instead of simply dropping it. In some cases a response is required; for example, TCP connections are reset or rejected with a TCP RST packet, unlike UDP and ICMP, where an ICMP message is used.

CONFIG_IP_NF_TARGET_MIRROR - sends a packet back to the computer that sent it. For example, if we set a MIRROR target for packets with HTTP as the destination port in the INPUT chain, then when someone connects to our HTTP port the packet is sent back to the sender, who may end up viewing his own home page. (Note: it is hard to understand why it is called MIRROR.)

CONFIG_IP_NF_NAT - as the name suggests, this module provides NAT and gives us access to the nat table. It is required for port forwarding and masquerading. Of course, if every computer on your LAN has its own valid public IP address, a pure firewall does not need it. rc.firewall.txt does need it :)

CONFIG_IP_NF_TARGET_MASQUERADE - provides the MASQUERADE (disguise) target. If we do not know in advance which IP address we will use to connect to the Internet, MASQUERADE is preferable to DNAT or SNAT. In other words, when we connect to the Internet over PPP or SLIP, or the address is assigned by DHCP or a similar service, MASQUERADE is the better choice, because it does not need to know the Internet-facing IP address in advance, although it puts a slightly higher load on the computer than SNAT.

CONFIG_IP_NF_TARGET_REDIRECT - useful together with a proxy. Instead of letting packets pass straight through, it remaps them to the local host, that is, a transparent proxy.

CONFIG_IP_NF_TARGET_LOG - adds the LOG target to iptables. It lets us record certain packets through the system log service, so that we can see what is happening to them. This is invaluable for security auditing and for debugging scripts.

CONFIG_IP_NF_TARGET_TCPMSS - this option works around ISPs (service providers) or servers that block ICMP fragmentation messages. Without those messages, some web pages and large e-mails cannot get through (small e-mails still can), and ssh works after the handshake but scp does not. TCPMSS solves this by clamping the MSS (Maximum Segment Size) to the PMTU (Path Maximum Transmission Unit). This handles what the Netfilter developers, in the kernel configuration help, call "criminally brain-dead ISPs or servers".

CONFIG_IP_NF_COMPAT_IPCHAINS - a compatibility mode for ipchains, meant only to ease the transition from kernel 2.2 to 2.4; it will be removed in 2.6.

CONFIG_IP_NF_COMPAT_IPFWADM - as above, this is only a compatibility mode for ipfwadm.
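As an added example (not the tutorial's own rc.firewall.txt), the following rc.firewall-style script ties the matches and targets described above (state, limit, LOG, TCPMSS, MASQUERADE, REDIRECT) to concrete rules, each commented with the kernel option it depends on. The interface names, the LAN range and the proxy port are assumptions. The function takes the command to run each rule through, so the rule set can be dry-run with echo and inspected before it is loaded as root with iptables.

```shell
#!/bin/sh
# Minimal rc.firewall-style rule set exercising the Netfilter features
# described in the text. Added example, not the tutorial's rc.firewall.txt.
# Interface names, LAN range and proxy port below are assumptions.

INET_IFACE=eth0          # assumption: Internet-facing interface (dynamic address)
LAN_IFACE=eth1           # assumption: LAN interface
LAN_NET=192.168.1.0/24   # assumption: LAN address range
PROXY_PORT=3128          # assumption: port of a local transparent web proxy

# build_rules CMD -> run every rule through CMD.
#   build_rules echo      dry run: print the rules that would be loaded
#   build_rules iptables  load them (as root, on a kernel with the options above)
build_rules() {
    ipt=${1:-iptables}

    # Flush both tables and default-deny (filter table: CONFIG_IP_NF_FILTER).
    $ipt -F
    $ipt -t nat -F
    $ipt -P INPUT DROP
    $ipt -P FORWARD DROP
    $ipt -P OUTPUT ACCEPT

    # State match (CONFIG_IP_NF_MATCH_STATE, CONFIG_IP_NF_CONNTRACK):
    # only replies to connections we opened come back in; the LAN may start new ones.
    $ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $ipt -A INPUT -i $LAN_IFACE -s $LAN_NET -j ACCEPT
    $ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $ipt -A FORWARD -i $LAN_IFACE -s $LAN_NET -o $INET_IFACE -j ACCEPT

    # Limit match (CONFIG_IP_NF_MATCH_LIMIT): accept at most three pings a minute
    # from the Internet; the excess falls through to the LOG rule and the DROP policy.
    $ipt -A INPUT -i $INET_IFACE -p icmp --icmp-type echo-request -m limit --limit 3/minute -j ACCEPT

    # LOG target (CONFIG_IP_NF_TARGET_LOG), itself rate-limited so a flood cannot fill syslog.
    $ipt -A INPUT -i $INET_IFACE -m limit --limit 3/minute -j LOG --log-prefix "INPUT drop: "

    # TCPMSS target (CONFIG_IP_NF_TARGET_TCPMSS): clamp MSS to PMTU on outgoing SYNs
    # so hosts behind ISPs that block ICMP fragmentation messages still work.
    $ipt -A FORWARD -o $INET_IFACE -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

    # MASQUERADE (CONFIG_IP_NF_NAT, CONFIG_IP_NF_TARGET_MASQUERADE): NAT for a
    # dynamic Internet address, no need to know it in advance.
    $ipt -t nat -A POSTROUTING -o $INET_IFACE -s $LAN_NET -j MASQUERADE

    # REDIRECT (CONFIG_IP_NF_TARGET_REDIRECT): transparent proxy for LAN web traffic.
    $ipt -t nat -A PREROUTING -i $LAN_IFACE -p tcp --dport 80 -j REDIRECT --to-ports $PROXY_PORT
}
```

Run `build_rules echo` first and read the output; only when it matches what you intend, run `build_rules iptables` as root. Because the script sets the INPUT and FORWARD policies to DROP before adding the accept rules, load it from a console rather than over a remote session you have not explicitly allowed.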
The options above are only a brief introduction, and they cover only kernel 2.4.9. For more options, we recommend looking at Netfilter's patch-o-matic (POM). It holds further options that may be added to the kernel later; of course, they are not in it yet. There are many reasons for this, for example that Linus Torvalds has no plans to, or refuses to, put these patches into the mainstream kernel while they are still being tested.

The following options, compiled into the kernel or as modules, are needed for the example script rc.firewall.txt to work:
CONFIG_PACKET
CONFIG_NETFILTER
CONFIG_IP_NF_CONNTRACK
CONFIG_IP_NF_FTP
CONFIG_IP_NF_IRC
CONFIG_IP_NF_IPTABLES
CONFIG_IP_NF_FILTER
CONFIG_IP_NF_NAT
CONFIG_IP_NF_MATCH_STATE
CONFIG_IP_NF_TARGET_LOG
CONFIG_IP_NF_MATCH_LIMIT
CONFIG_IP_NF_TARGET_MASQUERADE
These are the minimum options needed for rc.firewall.txt to run properly. That concludes the description of the iptables kernel configuration.
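As an added example (not from the tutorial), here is a small POSIX shell script that checks a kernel .config against exactly this list of options, reporting each one as built in (=y), module (=m) or absent (n), and failing if anything is missing. The .config fragment it writes is constructed for offline testing; in practice you would point it at the .config of the kernel source tree you are about to build.

```shell
#!/bin/sh
# Check a kernel .config for the Netfilter options rc.firewall.txt needs.
# Added example; not part of the original article. The option list is the
# one the article gives for kernel 2.4.9.

# Options the article lists as the minimum for rc.firewall.txt.
REQUIRED_OPTIONS="CONFIG_PACKET CONFIG_NETFILTER CONFIG_IP_NF_CONNTRACK CONFIG_IP_NF_FTP
CONFIG_IP_NF_IRC CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_FILTER CONFIG_IP_NF_NAT
CONFIG_IP_NF_MATCH_STATE CONFIG_IP_NF_TARGET_LOG CONFIG_IP_NF_MATCH_LIMIT
CONFIG_IP_NF_TARGET_MASQUERADE"

# option_state FILE OPTION -> prints y (built in), m (module) or n (absent or disabled).
# .config lines look like CONFIG_FOO=y, CONFIG_FOO=m or "# CONFIG_FOO is not set";
# the last form and a missing line are both treated as n.
option_state() {
    state=$(sed -n "s/^$2=\([ym]\)\$/\1/p" "$1" | head -n 1)
    printf '%s\n' "${state:-n}"
}

# check_kernel_config FILE -> prints one "OPTION state" line per required option;
# returns 0 if every option is y or m, 1 if any is missing.
check_kernel_config() {
    missing=0
    for opt in $REQUIRED_OPTIONS; do
        s=$(option_state "$1" "$opt")
        printf '%-32s %s\n' "$opt" "$s"
        [ "$s" = n ] && missing=$((missing + 1))
    done
    [ "$missing" -eq 0 ]
}

# write_sample_config FILE -> constructed .config fragment for offline testing:
# CONFIG_IP_NF_IRC is absent and CONFIG_IP_NF_MATCH_LIMIT is disabled.
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_PACKET=y
CONFIG_NETFILTER=y
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_FTP=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_MATCH_STATE=m
CONFIG_IP_NF_TARGET_LOG=m
# CONFIG_IP_NF_MATCH_LIMIT is not set
CONFIG_IP_NF_TARGET_MASQUERADE=m
EOF
}
```

Usage: `check_kernel_config /usr/src/linux/.config` (path is an example). A non-zero exit status tells you the firewall script will fail before you reboot into the new kernel, and the listing shows which options you still have to turn on.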
