Iptables-1.1.9 Guide (Classic) (4)

Iptables-1.1.9 Guide (Classic) (4)-Linux Enterprise Application-Linux server application information, which is described below. The meaning of [UNREPLIED] is the same as that in the previous section. It indicates that the number is transmitted only in one direction, that is, no response is received. Next, there are three new fields, namely the Source and Destination Address of the response packet. Note that the type and code change with the response packet, the id is the same as that of the Request package.

As before, the response packet is considered ESTABLISHED. However, after the response packet, the ICMP Connection will no longer have data transmission. Therefore, once the response packet passes through the firewall, the ICMP Connection trace records are destroyed.

In the above cases, the request is regarded as NEW and the response is ESTABLISHED. In other words, when the firewall sees a request packet, it considers the connection to be in the NEW State. When there is a response, it is in the ESTABLISHED state.

Note

Note: The response packet must comply with certain standards before it can be considered as an established connection. This applies to each transmission type.

The default ICMP timeout is 30 seconds. You can modify it in/proc/sys/net/ipv4/netfilter/ip_ct_icmp_timeout. This value is suitable for most cases.

Another important role of ICMP is to tell UDP, TCP connection, or what is happening in the connection being established. In this case, the ICMP response is considered as RELATED. The following is an example of inaccessible host and network. When an attempt to connect to a certain machine fails (the machine may be shut down), the last router to which the data packet arrives will return the above ICMP information, which is RELATED, for example:

We sent a SYN packet to a certain address, and the firewall considers it to be in the NEW status. However, if there is a problem with the target network, the router will return the information that is inaccessible to the network, which is RELATED. The connection trace identifies the connection with the error message, the connection is interrupted, and the corresponding records are deleted.

When a UDP connection encounters a problem, the corresponding ICMP information will also be returned, of course, their status is also RELATED, such:

We send a UDP packet, of course, it is NEW. However, the target network is forbidden by some firewalls or routers. Our firewall will receive information about the network being disabled. The firewall knows which UDP connection is connected to, sends this information (the status is RELATED) to it, and deletes the corresponding records. When the client receives a forbidden message from the network, the connection will be interrupted.
4.7. Default connection operations

Sometimes, the conntrack mechanism does not know how to handle a special protocol, especially when it does not know the protocol or how it works, such as NETBLT, MUX, and EGP. In this case, conntrack uses the default operation. This operation is like an operation on a UDP connection, that is, the first packet is regarded as NEW, and the subsequent response packet and other data are all ESTABLISHED.

The timeout value of the default operation package is the same, 600 seconds, that is, 10 minutes. Of course, this value can be changed through/proc/sys/net/ipv4/netfilter/ip_ct_generic_timeout to adapt to your traffic, especially when it is time-consuming and traffic-intensive, for example, satellites are used.
4.8. Complex protocols and Connection Tracking

Some protocols are more complex than other protocols, which means that the Connection Tracing Mechanism is difficult to track them correctly, such as ICQ, IRC, and FTP, they all carry certain information in the data domain of the data packet, which is used to establish other connections. Therefore, some special helper is required to complete the work.

The following uses FTP as an example. Set up a separate connection-FTP control session. We use this connection to publish commands, and other ports will be opened to transfer data related to this command. There are two ways to establish these connections: Active Mode and passive mode. First look at the active mode, the FTP client sends port and IP address information to the server, then, the client opens this port, the server from its own port 20 (FTP-Data port number) establish a connection with this port, and then you can use this connection to send data.

The problem is that the firewall does not know these extra connections (relative to the control session) because the negotiation information when these connections are established is in the data domain of the Protocol packet, rather than in the header of the analyzed protocol. Therefore, the firewall does not know whether to pass the connection from the server to the client.

The solution is to add a special helper for the Connection Tracing module to detect the information. In this way, the connections from the FTP server to the client can be tracked and the status is RELATED, as shown in the process:

In the Passive FTP mode, the data connection establishment process is opposite to the active FTP. When the client tells the server that some data is required, the server sends the address and port back to the client, and the client establishes a connection to accept the data. If the FTP server is behind the firewall or you have strict User restrictions, only allow them to access HTTP and FTP, and close all other ports, to allow a client on the Internet to access FTP, add the helper mentioned above. The following describes how to establish a data connection in passive mode:

Some conntrack helper has been included in the kernel. At the time of writing this article, FTP and IRC already have the corresponding conntrack helper. If you do not have the desired helper in the kernel, you can go to the patch-o-matic directory of the iptables user space and check that there are many helper, such as for ntalk or H.323 Protocols. If you cannot find them, you can check the CVS of iptables or contact Netfilter-devel to find out if you want them. If this is not the case, you can write it on your own. I can introduce you TO a good article, Rusty Russell's Unreliable Netfilter Hacking HOW-TO, and store connections TO other resources and links in the appendix.

Conntrack helper can be statically compiled into the kernel or used as a module, but it should be loaded using the following command:

Modprobe ip_conntrack _*

Note that Connection Tracing does not process NAT. Therefore, you need to add a corresponding module to perform NAT on the connection. For example, if you want to perform NAT and track FTP connections, in addition to the corresponding FTP module, you also need a NAT module. All NAT helper names start with ip_nat _. This is a naming convention: ftp nat helper is called ip_nat_ftp, and the corresponding module of IRC is ip_nat_irc. The name of conntrack helper follows the same habit: for IRC, conntrack helper is called ip_conntrack_irc, and for FTP, it is called ip_conntrack_ftp.
Chapter 5. Save and restore rules

Iptables provides two useful tools for processing large rule sets: iptables-save and iptables-restore, they store the rules in a file that is in a special format with the standard script code, or restore the rules from it.
5.1. Speed

One of the most important reasons for using iptables-save and iptables-restore is that they can increase the speed of loading and saving rules to a considerable extent. When you use a script to change a rule, you must run the iptables command to modify each rule. When you call iptables, you must extract the entire rule set in the Netfilter kernel space, then insert or append the rule set, or make other changes. Finally, insert the new rule set from its memory space to the kernel space. This takes a lot of time.

To solve this problem, you can use the command iptables-save and restore. Iptables-save is used to save the rule set to a text file in a special format, while iptables-restore is used to reload the file into the kernel space. The best thing about these two commands is that you can load and save the rule set after one call, instead of calling iptables once for every rule in the script. Iptables-save can extract the entire rule set from the kernel and save it to the file once it runs, while iptables-restore loads a rule table each time. In other words, for a large rule set, IF configured with a script, these rules will be repeatedly uninstalled and installed many times, now we can save the entire rule set once and install it as a table, which saves a lot of time.

If you work with a huge set of rules, these two tools are the obvious choice. Of course, they also have shortcomings. The following sections will explain in detail.
5.2. Limitations of restore

Can iptables-restore set rules in place of all scripts? No, not until now. It is likely that it will never work. Iptables-restore cannot be used for complex rule sets. For example, we want to obtain the dynamically allocated IP address of the connection when the computer starts, and then use it in the script. This is achieved using iptables-restore, which is more or less impossible.

One possible solution is to write a script to get the IP address, set the corresponding keyword in the configuration file called by iptables-restore, and then replace the keyword with the obtained IP value. You can save the changed configuration file to a temporary file and use it by iptables-restore. However, this will cause many problems, and you cannot use iptables-save to save configuration files with keywords. This method is stupid.

Another method is to load the iptables-restore file first, and then run a specific script to load dynamic rules. In fact, this is also a stupid method. Iptables-restore is not suitable for the use of dynamic IP addresses. If you want to use options in the configuration file to meet different requirements, iptables-restore is not applicable.

Iptables-restore and iptables-save are not fully functional. Because there are not many users, there are not many people who find this problem, and some match and target are not carefully considered when being referenced. This may lead to unexpected behavior. Despite these problems, I strongly recommend that you use them because they work well for most rule sets, as long as the Rules do not contain those New match and target that do not know how to use them.
5.3. iptables-save

Iptables-save is used to save the current rule to a file for use in iptables-restore. It is easy to use and has only two parameters:

Iptables-save [-c] [-t table]

Parameter-c is used to save the value of the package and byte counter. This prevents packet and byte statistics from being lost after the firewall is restarted. The iptables-save command with the-c parameter makes it possible to restart the firewall without interrupting the counting program. This parameter is not used by default.

The-t parameter specifies the table to be saved. By default, all tables are saved. The following shows the output of iptables-save without loading any rules.

# Generated by iptables-save v1.2.6a on Wed Apr 24 10:19:17 2002
* Filter
: Input accept [404: 19766]
: Forward accept [0: 0]
: Output accept [530: 43376]
COMMIT
# Completed on Wed Apr 24 10:19:17 2002
# Generated by iptables-save v1.2.6a on Wed Apr 24 10:19:17 2002
* Mangle
: Prerouting accept [451: 22060]
: Input accept [451: 22060]
: Forward accept [0: 0]
: Output accept [594: 47151]
: Postrouting accept [594: 47151]
COMMIT
# Completed on Wed Apr 24 10:19:17 2002
# Generated by iptables-save v1.2.6a on Wed Apr 24 10:19:17 2002
* Nat
: Prerouting accept [0: 0]
: Postrouting accept [:450]
: Output accept [:450]
COMMIT
# Completed on Wed Apr 24 10:19:17 2002

Let's explain the output format. # The following is a comment. Tables start with *, for example, * mangle. Each table contains links and rules. The chain details are: [:]. For example, the chain name is PREROUTING, the policy is ACCEPT, and then the package counter and the byte counter. The two counters are the same as the counters used in the iptables-L-v output. The description of each table ends with the keyword COMMIT. It indicates that the rule should be loaded into the kernel.

The above example is the most basic. I would like to use a short example to illustrate better, including a very small rule set Iptables-save ruleset. The output of iptables-save is as follows:

# Generated by iptables-save v1.2.6a on Wed Apr 24 10:19:55 2002
* Filter
: Input drop [:229]
: Forward drop [0: 0]
: Output drop [0: 0]
-A input-m state -- state RELATED, ESTABLISHED-j ACCEPT
-A forward-I eth0-m state -- state RELATED, ESTABLISHED-j ACCEPT
-A forward-I eth1-m state -- state NEW, RELATED, ESTABLISHED-j ACCEPT
-A output-m state -- state NEW, RELATED, ESTABLISHED-j ACCEPT
COMMIT
# Completed on Wed Apr 24 10:19:55 2002
# Generated by iptables-save v1.2.6a on Wed Apr 24 10:19:55 2002
* Mangle
: Prerouting accept [658: 32445]
: Input accept [658: 32445]
: Forward accept [0: 0]
: Output accept [891: 68234]
: Postrouting accept [891: 68234]
COMMIT
# Completed on Wed Apr 24 10:19:55 2002
# Generated by iptables-save v1.2.6a on Wed Apr 24 10:19:55 2002
* Nat
: Prerouting accept [:229]
: Postrouting accept [:450]
: Output accept [:450]
-A postrouting-o eth0-j SNAT -- to-source 195.233.192.1
COMMIT
# Completed on Wed Apr 24 10:19:55 2002

Each Command has a packet and a byte counter, which indicates that the-c parameter is used. In addition to counters, others are the same as normal scripts. The question is how to save the output to a file. It's very simple. Since linux is used, you should have known it for a long time. Use redirection:

Iptables-save-c>/etc/iptables-save

This saves the rule set to/etc/iptables-save and has counters.
5.4. iptables-restore

Iptables-restore is used to load the Rule Set saved by iptables-save. Unfortunately, it can only accept input from standard input, not from file. The following is how it works:

Iptables-restore [-c] [-n]

The-c parameter requires package loading and byte counters. If you use iptables-save to save the counter and want to reload it, you must use this parameter. Another long form of it is -- counters.

Parameter-n tells iptables-restore not to overwrite the rules in an existing table or table. By default, all existing rules are cleared. The long form of this parameter is -- noflush.

There are several methods to load rules using iptables-restore. Let's take a look at the simplest and most general:

In this way, the Rule Set should be correctly loaded into the kernel and work properly. If there is a problem, you have to take measures.
Chapter 6. How rules are developed

This chapter discusses in detail how to build your own rules. The rule is to refer to where different connections and packets are blocked or permitted on a chain. Each row of the inserted chain is a rule. We will also discuss the basic matche and its usage, as well as various targets, and how to build our own targets (such as a new sub-chain ).
6.1. Basics

We have explained what a rule is. In the kernel, a rule is a statement that determines how to process a package. If a package meets all the conditions (that is, the matche statement), we will run the target or jump command. The syntax format of the writing rule is:

Iptables [-t table] command [match] [target/jump]

There is nothing to say about this syntax, but note that the target command must be at the end. This syntax is generally used for ease of reading. In short, most of the rules you will see are written in this syntax. Therefore, if you see rules written by others, you may find that this syntax is also used, and of course it is easy to understand those rules.

If you do not want to use a standard table, you must specify the table name in [table. Generally, you do not need to specify the table to use, because iptables uses the filter table by default to execute all the commands. There is no need to specify the table name here. In fact, the table name can be almost anywhere in the rule. Of course, table names are already the standard at the beginning.

Although the command is always placed at the beginning or directly behind the table name, we should also consider where it is easy to read. Command tells the program what to do, such as inserting a rule, adding a rule at the end of the chain, or deleting a rule. The following will be a detailed introduction.

Match describes a specific feature of a package in detail to distinguish it from all other packages. Here, we can specify the package's source IP address, network interface, port, protocol type, or something else. Below we will see many different matches.

Finally, the destination of the data packet. If the packet matches all the matches, the kernel uses the target to process it, or sends the packet to the target. For example, we can let the kernel send the package to other chains in the current table (which may be created by ourselves), or discard the package without any processing, or return a special response to the sender. The following is a detailed discussion.
6.2. Tables

Option-t is used to specify which table to use. It can be any of the tables described below. The default table is filter. Note: The following is only a summary of Chapter tables and links.

Table 6-1. Tables
Table (Table Name) Explanation (comment)
The nat table is mainly used for Network Address Translation, that is, Network Address Translation, abbreviated as nat. The address of the data packet that has done NAT operations is changed. Of course, this change is based on our rules. The package that belongs to a stream will only pass through this table once. If the first package is allowed for NAT or Masqueraded, the remaining packages will be automatically operated the same way. That is to say, the rest of the packages will not be automatically completed through this table and will be NAT one by one. This is the main reason why we should not filter this table. We will discuss this in more detail later. The role of the PREROUTING chain is to change the destination address of a package when it reaches the firewall, if necessary. The OUTPUT chain changes the destination address of the locally generated package. The POSTROUTING chain changes its source address before the package leaves the firewall.
The mangle table is mainly used for mangle data packets. We can change the content of different packages and headers, such as TTL, TOS, or MARK. Note that MARK does not actually change the data packet. It only sets a flag for the package in the kernel space. Other rules or programs (such as tc) in the firewall can use this flag to filter packets or perform advanced routing. This table has five built-in links: PREROUTING, POSTROUTING, OUTPUT, INPUT, and FORWARD. PREROUTING changes the packet after the packet enters the firewall and before the route judgment. POSTROUTING is performed after all the routes are determined. OUTPUT changes the data packet before determining the target of the package. After the INPUT package is routed to the local device, the package is changed before the user space program sees it. FORWARD mangle package after the original route judgment and before the last change of the package's destination. Note: the mangle table cannot be used for any NAT. It only changes the TTL, TOS, or MARK of the data packet, rather than the source address. NAT is performed in the nat table.
The filter table is used to filter packets. Three Links are built in the table. You can perform DROP, LOG, ACCEPT, and REJECT operations on packets without any problem. The FORWARD chain filters out all packets that are not locally generated and whose destination is not local (the so-called local is the firewall), while the INPUT is for those packets whose destination is local. OUTPUT is used to filter all locally generated packages.

The most basic content of the three different tables is described above. You should know that they are used for completely different purposes, but also the use of each chain. If you don't know, you may leave vulnerabilities on the firewall to give people a chance. In Chapter tables and links, we have discussed in detail the necessary tables and links. If you do not fully understand how a package uses these tables and links, I suggest you go back and take a closer look.
6.3. Commands

In this section, we will introduce all commands and their usage. Command specifies what operations iptables performs on the rules we submit. These operations may be to add or delete something in a table, or to do something else. The following are available commands for iptables (note that, if not described, the default table is the filter table .) :

Table 6-2. Commands
Command-A, -- append
Example iptables-a input...
Explanation adds rules at the end of the selected chain. When the source address or destination address appears in the form of a name rather than an IP address, if these names can be resolved to multiple addresses, this rule will be combined with all available addresses.
Command-D, -- delete
Example iptables-d input -- dport 80-j DROP or iptables-d input 1
Explain deletes a rule from the selected chain. There are two ways to specify the rule to be deleted: one is to completely write the rule, then, specify the sequence number of the rule in the selected chain (each chain rule is numbered from 1 ).
Command-R, -- replace
Example iptables-r input 1-s 192.168.0.1-j DROP
Explain replaces the rule with the specified row in the selected chain (each chain rule is numbered from 1. It is mainly used to test different rules. When the source address or destination address appears in the form of a name rather than an IP address, if these names can be resolved to multiple addresses, this command will fail.
Command-I, -- insert
Example iptables-I INPUT 1 -- dport 80-j ACCEPT
Explanation inserts rules into the selected Chain Based on the given rule sequence number. If the serial number is 1, the rule will be inserted into the chain's header. In fact, the default serial number is 1.
Command-L, -- list
Example iptables-L INPUT
The explain Operation displays all the rules of the selected chain. If no chain is specified, all chains in the specified table are displayed. If nothing is specified, all links in the default table are displayed. Precise output is affected by other parameters, such as-n and-v.
Command-F, -- flush
Example iptables-F INPUT
Explain to clear the selected chain. If no chain is specified, all chains in the specified table are cleared. If nothing is specified, all links in the default table are cleared. Of course, it can also be deleted one by one, but using this command will be faster.
Command-Z, -- zero
Example iptables-Z INPUT
Explanation returns all counters of a specified chain (if not specified, it is regarded as all chains) to zero.
Command-N, -- new-chain
Example iptables-N allowed
Explanation creates a new chain based on the name specified by the user. The preceding example creates a chain named allowed. Note: The name used cannot be the same as the existing chain or target.
Command-X, -- delete-chain
Example iptables-X allowed
Explanation deletes the specified user-defined chain. This chain must not be referenced. If it is referenced, you must delete or replace the relevant rules before deleting it. If no parameter is provided, this command deletes all non-built-in chains in the default table.
Command-P, -- policy
Example iptables-P INPUT DROP
Explanation sets the default target for the chain (available are DROP and ACCEPT. If there are other available, please let me know). This target is called a policy. All packages that do not comply with the rules are forced to use this policy. Only built-in chains can use rules. However, both built-in and user-defined chains cannot be used as policies, that is, they cannot be used as follows: iptables-p input allowed (or built-in chain ).
Command-E, -- rename-chain
Example iptables-E allowed disallowed
Explanation renames the custom chain. The original name is in the front and the new name is in the back. As shown above, replace allowed with disallowed. This is just to change the chain name and has no impact on the structure and work of the entire table.