Iptables Guide 1.1.19 (Classic) (1)

Oskar Andreasson

Blueflux@koffein.net

Copyright © 2001-2003 by Oskar Andreasson

This article may be copied, distributed and modified under the terms of the GNU Free Documentation License, version 1.1. However, the Introduction and all of its sub-sections must be kept unchanged. For example, if it is printed as a book, the front cover must carry "Original author: Oskar Andreasson", and there may be no back-cover text. The appendix of this article contains the full text of the GNU Free Documentation License.

All scripts in this article are placed under the GNU General Public License version 2 and may be freely distributed and modified.

These scripts are distributed in the hope that they will be useful, but without any warranty, not even the implied warranty of merchantability or fitness for a particular purpose. See the GNU General Public License for details.

A copy of the GNU General Public License accompanies this article, in the section "GNU General Public License". If not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA.

Dedications

First of all, I want to dedicate this article to my wonderful girlfriend Ninel (she has helped me far more than I have helped her): I hope I can make you as happy as you make me. (Translator's note: I could not find a proper word to express how wonderful his girlfriend is; you will have to imagine it yourselves. I also wonder whether they are married by now :))

Secondly, I want to dedicate this article to all the Linux developers and maintainers. It is they who have done the incredible and difficult work of making such an excellent operating system possible.

Contents
Translator's preface
About the author
How to read
Required knowledge
Conventions
1. Preface

1.1. Why write this guide?
1.2. How to Write the guide
1.3. Terms used in the text

2. Preparation phase

2.1. Where can I obtain iptables?
2.2. Kernel configuration
2.3. Compilation and Installation

2.3.1. Compiling
2.3.2. Installing on Red Hat 7.1

3. Tables and chains

3.1. Overview
3.2. mangle table
3.3. nat table
3.4. Filter table

4. State mechanism

4.1. Overview
4.2. Conntrack records
4.3. Packet states in user space
4.4. TCP connections
4.5. UDP connections
4.6. ICMP connections
4.7. Default connection handling
4.8. Complex protocols and connection tracking

5. Saving and restoring rules

5.1. Speed
5.2. Limitations of restore
5.3. iptables-save
5.4. iptables-restore

6. How a rule is built

6.1. Basics
6.2. Tables
6.3. Commands
6.4. Matches

6.4.1. General match
6.4.2. Implicit match
6.4.3. Explicit match
6.4.4. Abnormal packet matching

6.5. Targets/Jumps

6.5.1. ACCEPT target
6.5.2. DNAT target
6.5.3. DROP target
6.5.4. LOG target
6.5.5. MARK target
6.5.6. MASQUERADE target
6.5.7. MIRROR target
6.5.8. QUEUE target
6.5.9. REDIRECT target
6.5.10. REJECT target
6.5.11. RETURN target
6.5.12. SNAT target
6.5.13. TOS target
6.5.14. TTL target
6.5.15. ULOG target

7. Configuring the firewall example rc.firewall

7.1. About rc.firewall
7.2. rc.firewall

7.2.1. Parameter configuration
7.2.2. Loading external modules
7.2.3. proc settings
7.2.4. Rule placement optimization
7.2.5. Default policy settings
7.2.6. Custom chain settings
7.2.7. INPUT chain
7.2.8. FORWARD chain
7.2.9. OUTPUT chain
7.2.10. PREROUTING chain
7.2.11. POSTROUTING chain

8. Example

8.1. Structure of rc.firewall.txt script

8.1.1. Script Structure

8.2. rc.firewall.txt
8.3. rc.DMZ.firewall.txt
8.4. rc.DHCP.firewall.txt
8.5. rc.UTIN.firewall.txt
8.6. rc.test-iptables.txt
8.7. rc.flush-iptables.txt
8.8. Limit-match.txt
8.9. Pid-owner.txt
8.10. Sid-owner.txt
8.11. Ttl-inc.txt
8.12. Iptables-save ruleset

A. Explanation of common commands

A.1. Commands for viewing the current rule set
A.2. Commands for correcting and clearing iptables

B. FAQs

B.1. Module loading problems
B.2. NEW packets without the SYN bit set
B.3. NEW SYN/ACK packets
B.4. ISPs using private IP addresses
B.5. Allowing DHCP traffic
B.6. Problems with mIRC DCC

C. ICMP Type
D. Other resources and links
E. Thanks
F. History
G. GNU Free Documentation License

0. PREAMBLE
1. APPLICABILITY AND DEFINITIONS
2. VERBATIM COPYING
3. COPYING IN QUANTITY
4. MODIFICATIONS
5. COMBINING DOCUMENTS
6. COLLECTIONS OF DOCUMENTS
7. AGGREGATION WITH INDEPENDENT WORKS
8. TRANSLATION
9. TERMINATION
10. FUTURE REVISIONS OF THIS LICENSE
How to use this License for your documents

H. GNU General Public License

0. Preamble
1. terms and conditions for copying, DISTRIBUTION AND MODIFICATION
2. How to Apply These Terms to Your New Programs

I. Sample script code

I.1. rc.firewall script code
I.2. rc.DMZ.firewall script code
I.3. rc.UTIN.firewall script code
I.4. rc.DHCP.firewall script code
I.5. rc.flush-iptables script code
I.6. rc.test-iptables script code

List of Tables
3-1. Packets destined for the local host (that is, our own machine)
3-2. Packets originating from the local host
3-3. Forwarded packets
4-1. Packet states in user space
4-2. Internal states
6-1. Tables
6-2. Commands
6-3. Options
6-4. Generic matches
6-5. TCP matches
6-6. UDP matches
6-7. ICMP matches
6-8. Limit match options
6-9. MAC match options
6-10. Mark match options
6-11. Multiport match options
6-12. Owner match options
6-13. State matches
6-14. TOS matches
6-15. TTL matches
6-16. DNAT target
6-17. LOG target options
6-18. MARK target options
6-19. MASQUERADE target
6-20. REDIRECT target
6-21. REJECT target
6-22. SNAT target
6-23. TOS target
6-24. TTL target
6-25. ULOG target
C-1. ICMP Type

Translator's preface

Sllscn is a newcomer to the Linux community in China and a Linux enthusiast. When using iptables to build a firewall in practice, I found that there are far too few Chinese documents on iptables, so I had to refer to materials in English. For the convenience of future reference, and for the benefit of other users, I did not let my poor English stop me, and translated this article with the help of a dictionary. The translation can only aim to be understandable; it cannot be "nice-looking"!

Chapter 1, the preface, contains nothing much apart from the terms described in section 3. Chapter 2 is helpful to those who want to compile iptables. Chapters 3 and 4 let us understand and master how iptables works and processes packets. Chapters 5 and 6 describe the usage of the iptables command in detail. Chapters 7 and 8 are examples, which are of great value as a guide when writing our own rules; I strongly recommend that you take a look. Some of the resource links in the appendix are good, and I believe you will like them.

For the sake of terminology, some entries in the table of contents are not translated, but everything in the body is translated. Appendix F is the update history of this article. Appendix G is the GNU Free Documentation License and Appendix H is the GNU General Public License; they have no bearing on understanding iptables, so they are not translated.

When reading this article you may notice some repetition. This is not because the original author's level is low; it is the result of his consideration for us: you can take any chapter out of this article and read it without referring to the other chapters. I would like to pay tribute to the author once more!

Due to the translator's limited level, the understanding of the original cannot be guaranteed to be completely correct. If you have any opinions or suggestions, you can contact the translator at slcl@sohu.com.

Solemn declaration: this translation was approved by the original author, Oskar Andreasson. This article (the translation, not the original) may be freely used, modified, distributed and reproduced, but the right to use it for profit is reserved.
About the author

I have many "old" computers on my LAN that also want to connect to the Internet, and I want to keep them secure. To achieve this, iptables is a good upgrade from ipchains. With ipchains, you could build a reasonably secure network by dropping all packets whose destination port is not a specific port. But this causes problems for some services, such as passive FTP and outgoing DCC in IRC: they allocate a port on the server, notify the client, and then let the client connect. However, the iptables code also has some minor issues. In some respects I found that the code is not ready for release as a complete product; nevertheless, I still recommend that people using ipchains or the older ipfwadm upgrade, unless they are satisfied with the code they are using or it is sufficient for their needs.
How to read

This article introduces iptables so that you can understand its highlights. It does not cover security bugs in iptables or Netfilter. If you find a bug or unexpected behaviour in iptables (or any of its components), contact the Netfilter mailing lists; they will tell you whether it is a bug and how to solve it. There are very few security bugs in iptables or Netfilter. Of course, problems may occasionally occur, and they are announced on the Netfilter homepage.

The scripts used in this article cannot solve internal bugs in Netfilter. They are provided to demonstrate how to construct rules so that we can solve problems of data-stream management. However, this article does not cover issues such as "how to close the HTTP port because Apache 1.2.12 is occasionally attacked". This guide will show you how to close the HTTP port with iptables, but not because Apache is occasionally attacked.

This article is intended for beginners, but it also aims to be as complete as possible. Because there are so many targets and matches, they are not all indexed here. If you need that information, visit the Netfilter homepage.
Required knowledge

To read this article, you must have some basic knowledge, such as Linux/Unix, shell script writing, kernel compilation, and some simple kernel knowledge.

I try to make this article understandable even to readers without this knowledge, but it is impossible to understand the more advanced parts without it. So some basics are needed :)
Conventions

The following conventions are used in this document:

* Code and command output are shown in a fixed-width font, with the commands themselves in bold:

[blueflux@work1 neigh]$ ls
default eth0 lo
[blueflux@work1 neigh]$

* All commands and program names are in bold.

* All system components, such as hardware, kernel components and the loopback interface, are in italics.

* Computer text output uses this font.

* File names and path names look like this: /usr/local/bin/iptables.

1. Preface
1.1. Why write this guide?

I found that the HOWTOs currently available lack information about the iptables and Netfilter functions in the Linux 2.4.x kernel, so I have tried to answer some questions, such as about state matching. I will illustrate with examples and the script rc.firewall.txt, which can be used in your /etc/rc.d. This article was originally written as a HOWTO, because many people only accept HOWTO documents.

There is also a small script, rc.flush-iptables.txt, which I wrote so that you can feel as successful as I did when configuring it.
1.2. How to Write the guide

I consulted Marc Boucher and other core members of the Netfilter team. I am very grateful for their work and for their help in writing this guide for boingworld.com. This guide is now maintained on my own site, frozentux.net. This document will take you through the setup process step by step, so that you learn more about the iptables package. Most of it is based on the example file rc.firewall, because I found this a good way to learn iptables. I decided to follow the rc.firewall file from top to bottom to learn iptables. Although this is harder, it is more logical. Check this file again whenever you encounter something you don't understand.
1.3. Terms used in the text

This article contains some terms that you should understand. Here are some explanations and instructions on how to use them.

DNAT - Destination Network Address Translation. DNAT is a technique for changing the destination IP address of a packet. It is often used together with SNAT to let several servers share one IP address for connecting to the Internet while still providing their services; the traffic for each server is distinguished by assigning different ports on the same IP address.

Stream - a stream is a connection consisting of the packets sent and received between the two communicating parties (that is, a two-way connection). Generally, this term is used for a connection that sends two or three packets in both directions. For TCP, a stream means a connection that sends a SYN and receives a SYN/ACK in reply; but it may also mean a connection that sends a SYN and receives an ICMP host unreachable message in reply. In other words, I use this word rather loosely.

SNAT - Source Network Address Translation. This is a technique for changing the source IP address of a packet, often used to let several computers share one Internet address. It is only needed with IPv4, because IPv4 addresses are almost used up; IPv6 will solve this problem.

State - the state of a packet, as defined either in RFC 793 (Transmission Control Protocol) or by Netfilter/iptables. Note that Netfilter tracks connection and packet states, but does not follow RFC 793 fully.

User space - user space refers to everything that happens outside the kernel. For example, calling iptables -h takes place entirely outside the kernel, whereas iptables -A FORWARD -p tcp -j ACCEPT (partially) takes place inside the kernel, because a new rule is added to the rule set.

Kernel space - the opposite of user space; everything that happens inside the kernel.

Userland - see user space.

Target - this word is used extensively in later chapters. It denotes the action performed on a matched packet.
2. Preparation phase

This chapter is the start of learning iptables and will help you understand the roles that Netfilter and iptables play in Linux. It shows you how to configure and install the firewall, and your experience will grow from there. Of course, reaching your goal takes time and perseverance. (Translator's note: that sounds scary :))
2.1. Where can I obtain iptables?

Iptables can be downloaded from www.netfilter.org. The FAQ on that site is also a good tutorial. Iptables also uses some kernel space facilities, which can be configured into the kernel with make config. The necessary steps are described below.
2.2. Kernel configuration

To run iptables, you need to select the following options during kernel configuration, whether you use make config or another command.

CONFIG_PACKET - allows programs to access network devices directly (note: most commonly the network card); tools such as tcpdump and snort need this.

Note

Strictly speaking, iptables does not need CONFIG_PACKET, but it is useful in many ways (note: other programs need it), so it is selected here. Of course, if you don't want it, leave it out. (Recommended.)

CONFIG_NETFILTER - allows the computer to act as a gateway or firewall. This is necessary, since the whole article depends on this function. I think you need it too; after all, you are here to learn iptables :)

Of course, you also need the correct drivers for your network devices, such as the Ethernet card, PPP and SLIP. The options above only set up a framework in the kernel: iptables will run, but cannot do any real work. We need more options. The following describes the options in kernel 2.4.9 with brief explanations:

CONFIG_IP_NF_CONNTRACK - the connection tracking module, used for NAT (Network Address Translation) and masquerading (IP address disguise), among other things. If you want to use a machine on the LAN as a firewall, you have chosen the right module. The script rc.firewall.txt needs it to work properly.

CONFIG_IP_NF_FTP - this option provides connection tracking for FTP connections. FTP connections are generally very hard to track, so a dynamically loaded helper is needed for this; this option compiles that helper. Without it, you cannot use FTP through the firewall or gateway.

CONFIG_IP_NF_IPTABLES - with this you can use filtering, masquerading and NAT. It adds the iptables identification framework to the kernel. Without it, iptables is useless.

CONFIG_IP_NF_MATCH_LIMIT - this module is not strictly required, but it is used in rc.firewall.txt. It provides the LIMIT match, which lets you write a rule that controls how many packets per minute may be matched. For example, -m limit --limit 3/minute matches at most three packets per minute. This function can also be used to reduce the effect of some DoS attacks.

CONFIG_IP_NF_MATCH_MAC - select this module to match packets by MAC address. For example, it makes it easy to block packets from certain MAC addresses, or traffic between certain computers, because every Ethernet adapter has its own MAC address, which almost never changes. This function is not used in rc.firewall.txt or in the other examples. (Note: this shows that learning is the foundation for the future :))

CONFIG_IP_NF_MATCH_MARK - this option is used to mark packets. We set a MARK on a packet and can then use that MARK in other tables to match the packet. It is described in detail below.

CONFIG_IP_NF_MATCH_MULTIPORT - with this module we can match packets against a range of ports. Without it, this cannot be done.

CONFIG_IP_NF_MATCH_TOS - lets you match packets by their Type Of Service (TOS) field. The TOS can also be set with the ip/tc commands, or with rules in the mangle table.

CONFIG_IP_NF_MATCH_TCPMSS - TCP packets can be matched by their MSS (Maximum Segment Size).

CONFIG_IP_NF_MATCH_STATE - compared with ipchains, this is the biggest update. It lets us match packets by their state. For example, once there has been traffic in both directions of a TCP connection, the packets on that connection are considered ESTABLISHED. This module is used extensively in rc.firewall.txt.
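The following added example (not part of the original guide or its scripts) turns the option list above into a check: it reads a kernel .config and reports which of the options this chapter names are built in, modular or missing. The option names are the 2.4-era ones used here, so against a newer kernel's /proc/config.gz several will legitimately show as missing; the constructed sample config is used when no live config is readable.

```shell
#!/bin/sh
# Added example: check a kernel .config for the Netfilter options listed in
# section 2.2. Reads /proc/config.gz or /boot/config-$(uname -r) if present.

# Options the chapter says iptables and rc.firewall.txt need, and the optional extras.
REQUIRED="CONFIG_NETFILTER CONFIG_IP_NF_CONNTRACK CONFIG_IP_NF_IPTABLES \
CONFIG_IP_NF_MATCH_STATE CONFIG_IP_NF_MATCH_LIMIT CONFIG_IP_NF_FTP"
OPTIONAL="CONFIG_PACKET CONFIG_IP_NF_MATCH_MAC CONFIG_IP_NF_MATCH_MARK \
CONFIG_IP_NF_MATCH_MULTIPORT CONFIG_IP_NF_MATCH_TOS CONFIG_IP_NF_MATCH_TCPMSS"

# option_state OPTION CONFIG_TEXT -> prints y (built in), m (module) or n (not set)
option_state() {
    _s=$(printf '%s\n' "$2" | sed -n "s/^$1=\([ym]\)\$/\1/p" | head -n 1)
    printf '%s\n' "${_s:-n}"
}

# missing_required CONFIG_TEXT -> prints each required option that is not set
missing_required() {
    for opt in $REQUIRED; do
        [ "$(option_state "$opt" "$1")" = n ] && printf '%s\n' "$opt"
    done
    return 0
}

# report CONFIG_TEXT -> one line per option with its state
report() {
    for opt in $REQUIRED; do
        printf '%-30s %s (required)\n' "$opt" "$(option_state "$opt" "$1")"
    done
    for opt in $OPTIONAL; do
        printf '%-30s %s (optional)\n' "$opt" "$(option_state "$opt" "$1")"
    done
}

# live_config -> the running kernel's config, if it is exposed somewhere readable
live_config() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    fi
}

# Constructed sample: conntrack built in, state match as a module, but no FTP
# helper, so passive FTP through this firewall would fail as the chapter warns.
SAMPLE_CONFIG='CONFIG_PACKET=y
CONFIG_NETFILTER=y
CONFIG_IP_NF_CONNTRACK=y
# CONFIG_IP_NF_FTP is not set
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_LIMIT=m
CONFIG_IP_NF_MATCH_STATE=m'

CFG=$(live_config)
[ -n "$CFG" ] || CFG=$SAMPLE_CONFIG
report "$CFG"
missing=$(missing_required "$CFG")
[ -z "$missing" ] && echo "all required options present" || printf 'missing: %s\n' $missing
```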