New features of iptables in Linux2.4 kernel

Source: Internet
Author: User

I. Purpose of this article

This article discusses the new features and usage of iptables in the Linux 2.4 kernel and how to use these new features effectively to set firewall rules for an enterprise. An example shows the application of the new features in an enterprise.

II. Operating Environment

Redhat Linux 7.1 with its built-in modular kernel, connected to the Internet over a leased line. The firewall has two NICs; the intranet segment is 10.0.0.0/255.255.255.0 and the address of the firewall's external NIC is 1.2.3.4.

III. Differences between iptables and ipchains

1. The built-in chains are redefined to simplify management. In the new iptables of the Linux 2.4 kernel, any packet traverses only one of the three built-in chains INPUT, OUTPUT, and FORWARD: it is matched by the INPUT chain, or by the FORWARD chain, or by the OUTPUT chain. In ipchains, by contrast, any packet passing through the firewall always traversed all three chains.

The following figure illustrates this change:

         Incoming                               Outgoing
             --->[Routing ]--->| FORWARD |--------->
                 [Decision]      \______/          ^
                      |                            |
                      v                          ______
                    ______                      /      \
                   /      \                    | OUTPUT |
                  | INPUT  |                    \______/
                   \______/                        ^
                      |                            |
                       ----> Local Process --------

A. First, when a packet comes in, that is, enters the firewall from an Ethernet card, the kernel first determines the packet's destination according to the routing decision.

B. If the destination is the local host, the packet goes directly into the INPUT chain, is delivered to the local process, and processing ends.

C. Otherwise, if the packet from the Ethernet card is not for the local machine, the kernel checks whether forwarding is enabled (use echo 1 > /proc/sys/net/ipv4/ip_forward to enable the forwarding function). If forwarding is not enabled, the packet is dropped. If forwarding is enabled, the packet passes through the FORWARD chain, is sent out, and processing ends. In this case neither the INPUT nor the OUTPUT chain is traversed, because the routing destination is not the local machine and only the FORWARD rules apply.

D. Finally, packets generated by the Linux firewall host itself leave only through the OUTPUT chain.

Note: the difference between echo 1 > /proc/sys/net/ipv4/ip_forward and the FORWARD chain

The former indicates whether the kernel's forwarding function is enabled. The latter is the chain of forwarding rules: only when the kernel has forwarding enabled is a packet sent to the FORWARD chain to be checked against its rules one by one. If a firewall does not enable the former IP forwarding function, the networks on the two sides of the firewall are completely isolated; if one side is connected to the Internet, the other side can reach the Internet only via a proxy, and it is impossible to reach it through IP masquerading.

In this way, any packet is matched against only one of INPUT, OUTPUT, and FORWARD. This is a big improvement that also simplifies firewall rule management.

2. iptables is stateful.

Stateful means that if a packet is a reply to a packet originally sent out from the firewall, the system automatically allows the reply packet in and returns it to the requester without checking any further rules. In this way we do not need to write many rules to achieve the desired functions. Using this stateful capability of the new kernel is strongly recommended. How do we enable and use this feature? See the following:

Assume that a company has a typical Internet connection as shown in the following figure:

   10.0.0.2
    ________                              __________
   |        |  (10.0.0.1) eth1           |          |  eth0 (1.2.3.4)
   |  PC B  |---------------------------| firewall |----------------- Internet
   |________|     (LAN: 10.0.0.0/24)    |    A     |
                                        |__________|

You can use the following rule set to make use of the stateful capabilities of iptables and enable the IP masquerading function:

1 modprobe ip_tables

2 echo 1 > /proc/sys/net/ipv4/ip_forward

3 iptables -F INPUT

4 iptables -F FORWARD

5 iptables -F POSTROUTING -t nat

6 iptables -P FORWARD DROP

7 iptables -A FORWARD -s 10.0.0.0/24 -j ACCEPT

8 iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

9 iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/24 -j MASQUERADE

10 iptables -A INPUT -p tcp -i eth0 --syn --dport 80 -j ACCEPT

11 iptables -A INPUT -p tcp -i eth0 --syn -j DROP

Note:

1. With the Redhat modular kernel, after the ip_tables module is loaded, subsequent commands load the required modules as needed. In addition, if the ipchains or ipfwadm module is loaded, the iptables modules cannot be loaded; run rmmod to remove them first and then load the iptables modules. In Redhat, you can use ntsysv to disable the ipchains and iptables services from starting at boot, then reboot and run the commands above, or put them in /etc/rc.d/rc.local to run automatically.

2. Line 2 enables the IP forwarding function.

3. Lines 3 to 5 clear the INPUT, FORWARD, and nat POSTROUTING chains.

4. Line 6 sets the default FORWARD policy to DROP: when a packet to be forwarded matches none of the FORWARD rules, this default policy is applied.

5. Line 7 allows packets from machines on the internal segment to be forwarded anywhere.

6. Line 8 uses the stateful capability: a packet arriving on the external interface is accepted as long as it is a reply to, or related to, a request previously sent out of the firewall's external interface.
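To check how the three-chain model and the rule set above behave together, here is an added example (not from the original article) that models the routing decision from the figure and walks lines 6 to 11 in order for a given packet. It assumes the conntrack state is supplied as a packet field and that NAT has already been undone in PREROUTING, so a reply to a masqueraded connection is seen with the LAN host as its destination.

```python
# Added example, not from the original article: a small model of the Linux 2.4
# netfilter path. choose_chain() picks exactly one of INPUT / FORWARD / OUTPUT
# from the routing decision; verdict() then applies the article's rules in order.
FW_LOCAL = {"1.2.3.4", "10.0.0.1"}   # the firewall's own addresses (from the article)
LAN = "10.0.0."                        # 10.0.0.0/24 (from the article)
IP_FORWARD = True                      # echo 1 > /proc/sys/net/ipv4/ip_forward

# Each rule: (chain, match dict, target). Order matters, exactly as in iptables.
RULES = [
    ("FORWARD", {"src_lan": True}, "ACCEPT"),                                        # line 7
    ("FORWARD", {"in": "eth0", "state": ("ESTABLISHED", "RELATED")}, "ACCEPT"),      # line 8
    ("INPUT",   {"in": "eth0", "proto": "tcp", "syn": True, "dport": 80}, "ACCEPT"),  # line 10
    ("INPUT",   {"in": "eth0", "proto": "tcp", "syn": True}, "DROP"),                 # line 11
]
# Line 6 sets FORWARD to DROP; INPUT and OUTPUT keep the kernel default of ACCEPT.
POLICY = {"INPUT": "ACCEPT", "FORWARD": "DROP", "OUTPUT": "ACCEPT"}


def choose_chain(pkt):
    """Routing decision from the figure: exactly one chain applies to a packet."""
    if pkt["in"] is None:             # generated by a local process on the firewall
        return "OUTPUT"
    if pkt["dst"] in FW_LOCAL:        # destined to the firewall itself
        return "INPUT"
    if not IP_FORWARD:                # kernel forwarding disabled: never reaches FORWARD
        return None
    return "FORWARD"


def matches(m, pkt):
    """True if every criterion in the match dict holds for the packet."""
    if "src_lan" in m and pkt["src"].startswith(LAN) != m["src_lan"]:
        return False
    if "state" in m and pkt["state"] not in m["state"]:
        return False
    for key in ("in", "proto", "syn", "dport"):
        if key in m and pkt.get(key) != m[key]:
            return False
    return True


def verdict(pkt):
    """Return (chain, verdict): the first matching rule wins, else the chain policy."""
    chain = choose_chain(pkt)
    if chain is None:
        return (None, "DROP")
    for c, m, target in RULES:
        if c == chain and matches(m, pkt):
            return (chain, target)
    return (chain, POLICY[chain])
```

The useful observation is the asymmetry the article relies on: a reply on eth0 is accepted by line 8 because of its conntrack state, while an unsolicited SYN on eth0 toward the LAN matches nothing and falls to the DROP policy.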
