Chapter 1. Router-based packet filtering firewalls
1.1 General concept of packet filtering firewalls
1.1.1 What is a packet filtering firewall?
A packet filtering firewall is software that examines the header of each packet passing through it and decides the fate of the whole packet on that basis: it may DROP the packet, ACCEPT it (let it through), or take some more complex action.
In Linux the packet filtering function lives in the kernel (as a loadable module or compiled in). Other operations on packets are possible, but by far the most common one is to inspect the packet header and decide the packet's fate from it.
1.1.2 The layer at which a packet filtering firewall works
Packet filtering is a firewall type built on the routing function of the Linux kernel. It works at the network layer, reading the IP header and the transport-layer (TCP, UDP or ICMP) header fields that follow it.
1.1.3 How a packet filtering firewall works
(1) Using a filter. Packet filtering sits between internal hosts and external hosts; the filtering system is a router or a host. It decides, according to its filtering rules, whether a packet is allowed to pass. A router used to filter packets in this way is called a screening router (or filtering router).
Packet filtering works by checking the IP header and the TCP or UDP header of each packet. The main fields are:
* IP source address
* IP destination address
* Protocol (TCP, UDP or ICMP)
* Source port of a TCP or UDP packet
* Destination port of a TCP or UDP packet
* ICMP message type
* ACK bit in the TCP header
* Interface on which the packet arrived
* Interface on which the packet will leave
TCP/IP assigns standard port numbers to many services; HTTP uses port 80, for example. A service can therefore be disabled by blocking its port. A packet filtering system can also block connections between an internal host and a particular external host or network, for instance to keep hosts or networks regarded as hostile or untrusted from connecting to the internal network.
(2) Implementing the filter. Packet filtering is usually implemented on a screening router, which differs from an ordinary router.
An ordinary router looks only at the destination address of a packet and chooses the best path towards it. There are two outcomes: if the router knows a route to the destination, it forwards the packet; if it does not, it notifies the sender that the destination is unreachable.
A screening router examines packets more carefully: besides deciding whether a route to the destination exists, it decides whether the packet should be sent at all. That "whether" is determined by the router's filtering policy, which the router enforces.
Router filtering policies mainly take these forms:
* Deny all connections from a host or network segment.
* Allow all connections from a host or network segment.
* Deny connections from a host or network segment to a specified port.
* Allow connections from a host or network segment to a specified port.
* Deny all connections between the local host or local network and other hosts or networks.
* Allow all connections between the local host or local network and other hosts or networks.
* Deny connections between the local host or local network and a specified port on other hosts or networks.
* Allow connections between the local host or local network and a specified port on other hosts or networks.
1.1.4 Basic process of packet filter operations
Briefly, the process is:
(1) Packet filtering rules are stored on the filtering device, per interface.
(2) When a packet arrives on an interface, its header is parsed. Most packet filtering devices check only fields of the IP, TCP or UDP header.
(3) The rules are stored in a fixed order and are applied to the packet in exactly that order; the first rule that matches decides, and later rules are not consulted.
(4) If a rule denies the packet being transmitted or received, the packet is not allowed through.
(5) If a rule allows the packet to be transmitted or received, the packet is processed.
(6) If the packet matches no rule at all, it is blocked.
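The six steps above describe a first-match filter with a default of "block". The following POSIX sh script is an added example, not part of the original tutorial: it implements exactly that evaluation (ordered rules, first match wins, no match means DROP) over a small rule table. The rule table, the sample packets and the addresses (RFC 5737 documentation ranges) are constructed for the example; a second table with the same two SSH rules in the opposite order shows how rule order changes the verdict.

```sh
#!/bin/sh
# Added example, not from the original tutorial: a first-match packet filter
# in POSIX sh that models steps (2) to (6) above. The rule table, the packets
# and the addresses (RFC 5737 documentation ranges) are constructed for the
# example.

# One rule per line: proto  src  dst  dport  verdict ("*" = any).
# Rules are tried in stored order and the first match decides (step 3).
RULES='
tcp   198.51.100.0/24  192.0.2.10   22   ACCEPT
tcp   *                192.0.2.10   22   DROP
tcp   *                192.0.2.10   80   ACCEPT
udp   *                192.0.2.53   53   ACCEPT
'
# The same two SSH rules in the other order: the ACCEPT is now shadowed by
# the DROP in front of it and can never match.
SHADOWED='
tcp   *                192.0.2.10   22   DROP
tcp   198.51.100.0/24  192.0.2.10   22   ACCEPT
'

# ip2int A.B.C.D -> 32-bit integer
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_net ADDR CIDR -> success if ADDR lies in CIDR (a bare address is /32)
in_net() {
    [ "$2" = "*" ] && return 0
    case $2 in
        */*) net=${2%/*}; bits=${2#*/} ;;
        *)   net=$2;      bits=32 ;;
    esac
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# filter RULES PROTO SRC DST DPORT -> prints the verdict for one packet
filter() {
    rules=$1; proto=$2; src=$3; dst=$4; dport=$5
    verdict=$(printf '%s\n' "$rules" | while read -r rproto rsrc rdst rport rverdict; do
        [ -n "$rproto" ] || continue                              # skip blank lines
        [ "$rproto" = "*" ] || [ "$rproto" = "$proto" ] || continue
        in_net "$src" "$rsrc" || continue
        in_net "$dst" "$rdst" || continue
        [ "$rport" = "*" ] || [ "$rport" = "$dport" ] || continue
        echo "$rverdict"                                          # steps 4/5
        break                                                     # first match wins
    done)
    echo "${verdict:-DROP}"                                       # step 6: no match, blocked
}

for pkt in "tcp 198.51.100.7 192.0.2.10 22" \
           "tcp 203.0.113.9 192.0.2.10 22" \
           "tcp 203.0.113.9 192.0.2.10 80" \
           "udp 203.0.113.9 192.0.2.10 53"; do
    printf '%-34s %s\n' "$pkt" "$(filter "$RULES" $pkt)"       # $pkt unquoted: split into fields
done
printf '%-34s %s (shadowed table)\n' "tcp 198.51.100.7 192.0.2.10 22" \
    "$(filter "$SHADOWED" tcp 198.51.100.7 192.0.2.10 22)"
```

The UDP packet to 192.0.2.10 port 53 matches nothing and is dropped by the default, which is the behaviour step (6) requires; with the shadowed table the management-network SSH packet is dropped because the broader DROP rule is consulted first.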
1.1.5 Advantages and disadvantages of packet filtering technology
→ Packet filtering is easy to deploy for a small, uncomplicated site.
→ Because the screening router works at the IP and TCP layers, it processes packets faster than a proxy server does.
→ The screening router is transparent to users: they need not change any client application or learn anything new. Because it works at the IP and TCP layers, which are independent of the application layer, a screening router is also called a "packet filtering gateway" or "transparent gateway"; it is called a gateway because, unlike a traditional router, it also involves the transport layer.
→ Screening routers are generally cheaper than proxy servers.
→ Some packet filtering gateways cannot authenticate users.
→ The rule table quickly becomes large and complex, and hard to test. As it grows, the chance of a hole in the rule structure grows with it.
→ The biggest drawback of this kind of firewall is that it relies on a single component to protect the network. If that component fails, the door to the network is open, and the administrator may not even know it.
→ In general, if an external user is allowed to reach one internal host, it can reach any host on the intranet.
→ A packet filtering firewall can prevent only one kind of IP spoofing: an external host claiming the address of an internal host. It cannot detect an external host spoofing the address of another external host, and it cannot prevent DNS spoofing.
Despite these disadvantages, a packet filtering firewall does its job well in a well-managed small network. In practice a packet filtering gateway is usually deployed together with other components (such as a bastion host) rather than on its own.
1.2.1 Packet filtering firewall management tools in Linux
Linux has had packet filtering since the 1.1 kernel. As the kernel evolved, the packet filtering system went through three generations:
→ In the 2.0 kernel, ipfwadm manipulated the kernel's packet filtering rules.
→ In the 2.2 kernel, ipchains controlled the kernel's packet filtering rules.
→ In the 2.4 kernel, a completely new packet filtering management tool appeared: iptables.
Linux has become very popular in the IT field for its robustness, reliability, flexibility and almost unlimited customizability. Many capabilities are built in, so developers can tailor tools, behaviour and appearance to their own needs without expensive third-party products. One such built-in capability is a firewall: if a Linux system is connected to the Internet or to a LAN, or acts as a server or proxy between a LAN and the Internet, it can filter packets itself. This is done with the Netfilter/iptables IP packet filtering system, which was integrated into the 2.4.x kernel (and has remained in every kernel since).
Compared with earlier Linux packet filtering solutions such as ipfwadm and ipchains, Netfilter/iptables is the newest: it is easier to understand and considerably more powerful. For system administrators, network administrators and home users who want to configure a firewall to their own needs, save on firewall costs and keep full control over IP packet filtering, Netfilter/iptables is ideal and easy to use.
1.2.2 Netfilter, the next-generation underlying network architecture
Netfilter is a structured framework inside the kernel for extending a range of network services. It is designed as a modular structure that is easy to extend: adding a new feature to the kernel does not require rebuilding or restarting it; a kernel module implementing the feature is enough. This greatly simplifies extending the low-level networking code and lets developers working at that level concentrate on the new feature itself.
In practice, Netfilter can be viewed as a series of "hooks" in the network protocol stack that let other modules operate on packets. At specific points in the stack, the Netfilter framework allows a module to forward or discard a packet, to modify it in some way, to queue it to user space (outside the kernel), or, of course, to leave it alone entirely.
(1) The Netfilter/iptables system. In the Linux 2.4 kernel, Netfilter is the new filtering framework on which the firewall is implemented; iptables is the user-space tool used to specify Netfilter rules.
iptables is only a tool for managing the kernel's packet filter; it gives the user a convenient way to configure firewall rules.
iptables adds, inserts or deletes rules in the kernel's packet filter tables (chains). What actually executes those rules is Netfilter and its related modules (such as the iptables module and the NAT module).
To use the Netfilter/iptables system you therefore need a kernel with 2.4 (or later) Netfilter support and the iptables package. In the Red Hat 9.0 release both are present by default.
(2) Improvements Netfilter/iptables brings over ipchains:
→ Connection tracking
→ Automatic fragment reassembly
→ Improved rule matching
→ Enhanced logging
→ Any field of a packet can be modified (packet mangling)
→ A user-space queue lets user-space programs process packets
→ Built-in packet masquerading and NAT, without the separate ipmasqadm tool
(3) Main functions of the Netfilter/iptables system
→ Stateful packet filtering (connection tracking)
→ Network address translation of various kinds
→ A flexible, extensible mechanism for adding new matches and targets as modules
→ A large collection of enhancement patches
(4) Uses of Netfilter/iptables
→ Building an Internet firewall with stateful packet filtering
→ Sharing an Internet connection with NAT and masquerading
→ Implementing a transparent proxy with NAT
→ Using the ToS field of the IP header for more complex traffic handling
→ Together with tc and iproute2, implementing QoS routing
(5) Advantages of the Netfilter/iptables system. The biggest advantage of Netfilter/iptables is that it can be configured as a stateful firewall, an important feature that earlier tools such as ipfwadm and ipchains could not provide. A stateful firewall can specify, and remember, the state of the connection to which a sent or received packet belongs; the firewall obtains this information from the packet's connection tracking state. Using that state when deciding how to filter new packets makes the firewall both more efficient and faster. There are four valid states: ESTABLISHED, INVALID, NEW and RELATED:
→ ESTABLISHED: the packet belongs to an already established connection, one in which packets have been seen in both directions; it is fully valid.
→ INVALID: the packet cannot be associated with any known flow or connection; it may contain bad data or headers.
→ NEW: the packet starts, or will start, a new connection; it is the first packet of a connection the firewall has not seen before.
→ RELATED: the packet starts a new connection, but one that is related to an existing connection (for example an FTP data connection, or an ICMP error message about an existing connection).
Another important advantage of Netfilter/iptables is that it gives the user complete control over firewall configuration and packet filtering. You can write rules tailored to your own needs so that only the traffic you want enters the system.
Netfilter/iptables is also free, which suits anyone who wants to save money: it can replace expensive firewall products.
In short, the 2.4.x Linux kernel has a built-in IP packet filtering tool, Netfilter/iptables, that makes firewall configuration and packet filtering cheap and convenient. It gives the user full control over the firewall configuration and the packet filtering rules, allows customized rules, and supports stateful filtering.
1.2.3 Kernel space and user space in Netfilter/iptables
Although the Netfilter/iptables IP packet filtering system is referred to as a single entity, it actually consists of two components: Netfilter and iptables.
(1) Kernel space. The Netfilter component, also called the kernel-space part, is part of the kernel. It consists of "tables"; each table consists of "chains", and each chain can hold one or more rules.
(2) User space. The iptables component is a tool, also called the user-space part, that makes it easy to insert, modify and remove rules in the packet filtering tables.
1.2.4 How the Netfilter/iptables filtering system works
The Netfilter/iptables IP packet filtering system is a powerful tool for adding, editing and removing the rules that decide how packets are filtered. These rules are stored in dedicated packet filtering tables inside the Linux kernel, and within a table the rules are grouped into chains.
(1) Filtering rules are set from user space with the iptables command. The custom rules you create in user space are stored in the kernel-space packet filtering table. Each rule has a target that tells the kernel what to do with packets from certain sources, to certain destinations, or of certain protocols. If a packet matches a rule, the target ACCEPT lets it through, and the targets DROP or REJECT block and discard it. Many other targets exist for other operations on the packet.
Rules are grouped into chains according to the kind of packet they handle:
→ Rules for incoming packets are added to the INPUT chain.
→ Rules for outgoing packets are added to the OUTPUT chain.
→ Rules for packets being forwarded are added to the FORWARD chain.
These three chains are the built-in chains of the default table (filter). Each chain has a policy, which names the default target: the action taken when a packet matches none of the rules in the chain.
(2) The kernel takes over the filtering. Once the rules have been created and placed in the chains of the filter table, the actual packet filtering begins, and the kernel takes over from user space.
Packet filtering proceeds in these steps:
1) Routing. When a packet arrives at the firewall, the kernel first examines its header, in particular its destination. This step is called routing.
2) Depending on the result, the packet is handed to one of the chains of the packet filtering table (filter):
→ If the packet comes from outside and its destination address is the firewall itself, the kernel passes it to the INPUT chain of the kernel-space packet filtering table.
→ If the packet originates on the firewall host and is bound for another system, it is passed to the OUTPUT chain.
→ If the packet is only passing through the firewall (from the WAN to the LAN or the other way round, neither endpoint being the firewall), it is passed to the FORWARD chain.
3) Rule checking. The packet's header is compared with each rule in the chain, in order, to see whether it fully matches a rule.
→ If the packet matches a rule, the kernel performs on it the action specified by the rule's target:
& If the target is ACCEPT, the packet is allowed through: an INPUT packet is delivered to the local process, a FORWARD or OUTPUT packet is sent on to its destination.
& If the target is DROP or REJECT, the packet is not allowed through and is discarded.
→ If the packet does not match the rule, it is compared with the next rule in the chain.
→ Finally, if the packet matches no rule in the chain, the kernel consults the chain policy to decide what to do with it. Ideally the policy should tell the kernel to DROP the packet.
1.2.5 Netfilter/iptables in Red Hat Linux 9
Red Hat Linux 9 uses the 2.4 kernel, compiled with Netfilter support, and installs the iptables package by default, so it can be used immediately. (Later distributions ship the same Netfilter/iptables stack on 2.6 and later kernels, so the commands in this chapter are unchanged there.)
For the machine to forward packets, IP forwarding must also be enabled in the kernel, which turns the Linux box into a router.
Red Hat offers two ways to do this:
(1) Set the kernel variable ip_forward directly (takes effect immediately, but is lost at reboot):
# echo 1 > /proc/sys/net/ipv4/ip_forward
(2) Edit the script /etc/sysconfig/network and change the line
FORWARD_IPV4=false
to
FORWARD_IPV4=true
Chapter 2. Packet filtering with the user-space command iptables
2.1 TCP/IP background
2.1.1 Establishing a TCP connection (the three-way handshake)
Assume server A communicates with client B.
(1) B -> A. When B wants to talk to A, B first sends A a SYN packet, asking to set up a connection. A connection can only be established once A has received B's SYN. Therefore, if your firewall discards every SYN arriving on the Internet-facing interface, no external host can establish a connection.
(2) B <- A. Having received the SYN, A sends back a SYN/ACK packet, acknowledging the first SYN and continuing the handshake.
(3) B -> A. On receiving the SYN/ACK, B sends A an ACK packet confirming that the connection is established. The three-way handshake is now complete, and so is the TCP connection.
Note that once the handshake has completed, every packet of the connection has the ACK bit set. This is why connection tracking matters: without it, the firewall cannot tell whether an ACK packet it receives belongs to an established connection or is a forgery.
2.1.2 Terminating a TCP connection (the four-way handshake)
Assume server A communicates with client B. Because a TCP connection is bidirectional, closing it requires closing both directions.
(1) B -> A. When B wants to end the conversation, B sends A a FIN packet, asking to close the connection. Since the connection is still open, the FIN carries the ACK flag as well; a packet with FIN but no ACK is not a legitimate packet and is generally regarded as malicious.
(2) B <- A. A replies with an ACK, confirming that the B -> A direction is closed. A -> B may still have data to send, so that direction keeps flowing until A has finished.
(3) B <- A. When A has finished sending, it sends a FIN/ACK packet.
(4) B -> A. B replies with an ACK to confirm, and the connection is closed.
2.1.3 Ending a TCP connection with a reset
The four-way handshake is not the only way to end a TCP connection. When a host needs to tear a connection down immediately (or a connection times out, or the port or host is unreachable), it sends an RST packet. Because the RST is not part of a normal connection's data flow, it may be sent on its own (without the ACK flag); within an existing connection, however, an RST can also carry ACK. Note also that the recipient never acknowledges an RST.
2.1.4 Invalid TCP flags
So far we have seen the SYN, ACK, FIN and RST flags. Two more exist: PSH and URG.
The most common illegal combination is SYN/FIN. Because SYN is used to initiate a connection, it can never legitimately appear together with FIN or RST; such a packet is a sign of a malicious attack.
When other combinations such as SYN/FIN/PSH, SYN/FIN/RST or SYN/FIN/RST/PSH appear on the network, the network is clearly under attack.
Other known illegal packets are FIN without ACK, and "NULL" packets. As discussed above, since a FIN/ACK is what ends a TCP connection, a legitimate FIN always carries ACK. A "NULL" packet has no TCP flags at all (URG, ACK, PSH, RST, SYN and FIN are all 0).
In normal network activity a TCP stack never generates packets with any of these flag combinations. When you see them, someone is being unfriendly to your network.
2.1.5 ICMP types
ICMP is a control-message protocol between hosts and routers. ICMP packets can carry diagnostic information (ping, traceroute), error information (network/host/port unreachable), informational requests (timestamp, address mask, etc.) or control information (source quench, redirect, etc.).
Packet filtering can reject individual ICMP types.
We recommend discarding the following types:
Redirect (5), Alternate Host Address (6) and Router Advertisement (9) can be used to redirect traffic.
Echo request (8), Timestamp request (13) and Address Mask Request (17) can be used to find out whether a host is up, its local time and its address mask. They are request types that elicit a reply; they cannot be exploited directly, but the information they leak is useful to an attacker, so we recommend discarding them as well.
For full details of the ICMP types see RFC 792.
2.2 iptables syntax
2.2.1 Advantages of iptables
→ iptables supports a stateful firewall, which keeps every connection passing through the firewall in memory. This mode is necessary to filter services such as FTP and DNS properly.
→ iptables can filter on any combination of TCP flags, and on MAC addresses.
→ Logging is easier to configure and more flexible than in ipchains.
→ Netfilter is more powerful and easier to use for network address translation and transparent proxying.
→ iptables can block some DoS attacks, such as SYN floods.
2.2.2 iptables rules
An iptables rule consists of five elements:
→ the table
→ the operation command
→ the chain
→ the rule match
→ the target action
(1) Table. iptables is named after the three tables it manages: filter, nat and mangle (later releases add raw and security). A packet filtering firewall uses only the filter table. filter is the default table and need not be specified.
(2) Operation command: adding, deleting or updating rules, and so on.
(3) Chain. A packet filtering firewall operates on the INPUT, OUTPUT and FORWARD chains of the filter table, and on user-defined chains.
(4) Rule match. A rule can match on many criteria: IP addresses, ports, packet types and so on.
(5) Target action. When a rule matches a packet, the target names the action to take. The most common built-in targets are:
→ ACCEPT: let the packet through
→ DROP: discard the packet silently
A packet filtering firewall can also use these extended targets:
→ REJECT: discard the packet and send the sender an error notification (by default an ICMP port-unreachable message).
→ LOG: record information about the packet in the system log, then continue with the next rule.
→ TOS: rewrite the packet's ToS value (only valid in the mangle table).
To use the extended targets, the corresponding kernel options must be enabled or the corresponding kernel modules loaded.
2.2.3 iptables invocation syntax
The full iptables syntax is complex; see the manual page for the complete description.
Simplified, it is:
iptables [-t table] CMD [chain] [rule-matcher] [-j target]
where table is the table name, CMD the operation command, chain the chain name, rule-matcher the rule match and target the target action.
2.2.4 Making rules permanent
The iptables package provides two commands for saving and restoring rule sets: iptables-save writes the rule set currently in the kernel to standard output, and iptables-restore loads a rule set from standard input. /etc/sysconfig/iptables is the rule file the iptables init script reads by default, so the current kernel rules are dumped with iptables-save redirected into that file, and restored with iptables-restore reading from it.
There are two main ways to have rules configured with the iptables command take effect when the machine boots:
(1) Use the iptables init script. The script /etc/rc.d/init.d/iptables restores the rules in /etc/sysconfig/iptables at every boot; to save the current rules into that file, run:
# service iptables save
(2) Build the rule set directly with iptables commands in a custom script, executed at boot.
For example, if the rule script is /etc/fw/rules, add the following to the startup script /etc/rc.d/rc.local:
if [ -x /etc/fw/rules ]; then /etc/fw/rules; fi
The rule script then runs at every boot.
If you use this method, disable the iptables init script (with chkconfig iptables off, or ntsysv) so that the two do not fight over the rule set.
2.3 iptables command examples
2.3.1 Basic chain operations
(1) Clearing all rules. A packet filtering configuration normally starts by clearing all existing rules, so that leftovers do not interfere with the new settings. Three commands are used:
1) Flush all rules from the chains of the default table, filter (option -F).
2) Delete all user-defined chains in the filter table (option -X).
3) Zero the packet and byte counters of all rules in the specified chain, or in every chain (option -Z).
(2) Setting the default chain policy. There are two general approaches:
1) Allow everything first, then forbid dangerous packets from passing: "everything not explicitly denied is permitted". This is flexible and convenient for users, but can cause serious security problems.
The initialization commands are:
# iptables -P INPUT ACCEPT
# iptables -P OUTPUT ACCEPT
# iptables -P FORWARD ACCEPT
2) Deny everything first, then allow specific packets according to the services required: "everything not explicitly permitted is denied". This is the safest approach, though less convenient, and it is the one normally used to configure an iptables firewall with adequate security.
The initialization commands are:
# iptables -P INPUT DROP
# iptables -P OUTPUT DROP
# iptables -P FORWARD DROP
3) Listing all rules of a table or chain. A packet filtering firewall uses only the filter table, which is the default, so all its rules are listed with the -L option (iptables -L).
That command reverse-resolves every IP address to a host name, which can take a long time and makes the listing very slow. Add the -n option (show addresses and ports numerically) to avoid it: iptables -L -n.
4) Adding rules to a chain. The following rules open an interface completely:
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A OUTPUT -o lo -j ACCEPT
# iptables -A INPUT -i eth0 -j ACCEPT
# iptables -A OUTPUT -o eth0 -j ACCEPT
# iptables -A FORWARD -i eth0 -j ACCEPT
# iptables -A FORWARD -o eth0 -j ACCEPT
(The eth0 rules accept all traffic on that interface; they are a starting point for experiments, not a policy.)
5) Using user-defined chains. The following sequence creates a custom chain, adds a rule to it and calls it:
# iptables -N custom
# iptables -A custom -s 0/0 -d 0/0 -p icmp -j DROP
# iptables -A INPUT -s 0/0 -d 0/0 -j custom
First, iptables -N creates a user-defined chain named custom. Then iptables -A adds to it a rule that discards all ICMP packets. Finally a rule is added to the built-in INPUT chain that sends every packet through the custom chain, so all incoming ICMP packets are discarded. A packet that matches no rule in custom returns to INPUT and continues with the next rule there.
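The following script is an added example, not part of the original tutorial, that puts the pieces of 2.3.1 together in the order the section recommends (flush, default-deny policies, loopback, then explicit permits), using the connection states of 1.2.2 (5), the ICMP drop list of 2.1.5 and a user-defined chain. It also illustrates the chain traversal of 1.2.4: packets addressed to the host go through INPUT, packets the host sends go through OUTPUT, and FORWARD is left at its DROP policy because this host does not route. The interface name, the management network (an RFC 5737 documentation range), the service list and the log prefix are assumptions made for the example. When IPT is unset the script only prints the commands it would run; it is applied for real with IPT=/sbin/iptables sh firewall.sh.

```sh
#!/bin/sh
# Added example, not from the original tutorial: a complete filter-table rule
# set for a single host with one Internet-facing interface, built in the order
# 2.3.1 recommends (flush, default-deny policies, loopback, then explicit
# permits) and using the connection states of 1.2.2 (5). Assumptions: the
# interface name, the management network (an RFC 5737 documentation range),
# the service list and the log prefix are made up for the example. With IPT
# unset the commands are only printed (dry run); apply them with
#   IPT=/sbin/iptables sh firewall.sh
IPT="${IPT:-echo iptables}"
WAN="${WAN:-eth0}"                          # assumed Internet-facing interface
ADMIN_NET="${ADMIN_NET:-198.51.100.0/24}"   # assumed management network

firewall_rules() {
    # (1) start clean: flush rules, delete user-defined chains, zero counters
    $IPT -F
    $IPT -X
    $IPT -Z

    # (2) everything not explicitly permitted is denied. FORWARD stays empty:
    #     this host does not route, so nothing may traverse it.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP

    # (3) loopback is always allowed
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # (4) stateful core: drop what conntrack cannot place, then accept replies
    #     to connections already in the state table, in both chains. Putting
    #     this before the per-service rules means most packets match here.
    $IPT -A INPUT  -m state --state INVALID -j DROP
    $IPT -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # (5) a user-defined chain for inbound ICMP: drop the types 2.1.5 warns
    #     about (redirect, alternate host address, router advertisement, echo
    #     request, timestamp request, address mask request), accept the rest
    $IPT -N icmp_in
    for t in 5 6 9 8 13 17; do
        $IPT -A icmp_in -p icmp --icmp-type "$t" -j DROP
    done
    $IPT -A icmp_in -p icmp -j ACCEPT
    $IPT -A INPUT -i "$WAN" -p icmp -j icmp_in

    # (6) NEW inbound connections: SSH only from the management network,
    #     HTTP from anywhere. Only the first packet of a connection gets here;
    #     the rest of it is accepted by the ESTABLISHED rule above.
    $IPT -A INPUT -i "$WAN" -p tcp -s "$ADMIN_NET" --dport 22 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -i "$WAN" -p tcp --dport 80 -m state --state NEW -j ACCEPT

    # (7) NEW outbound connections the host itself may open: DNS, HTTP, HTTPS,
    #     and its own pings (the echo replies come back as ESTABLISHED)
    $IPT -A OUTPUT -o "$WAN" -p udp --dport 53 -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -o "$WAN" -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -o "$WAN" -p icmp --icmp-type 8 -m state --state NEW -j ACCEPT

    # (8) log (rate-limited) whatever falls through before the DROP policy
    #     takes it; LOG does not terminate rule processing
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
}

firewall_rules
```

The order matters twice over: -F and -X must precede -N, or the script fails on its second run because icmp_in already exists, and the ESTABLISHED,RELATED rule must precede the NEW rules so that only connection-opening packets are evaluated against the service list. The -m state match is the one used throughout this tutorial; current iptables releases also offer -m conntrack --ctstate with the same state names and semantics.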
2.3.2 Basic rule matches
The following examples show basic iptables matches (the target action is omitted):
(1) Protocol match
1) Match a specific protocol:
# iptables -A INPUT -p tcp
2) Match every protocol except the specified one:
# iptables -A INPUT ! -p tcp
(2) Address match
1) Match a specific host:
# iptables -A INPUT -s 192.168.1.1
2) Match a specific network:
# iptables -A INPUT -s 192.168.1.0/24
3) Match every address except the specified host:
# iptables -A FORWARD ! -s 192.168.0.1
4) Match every network except the specified one:
# iptables -A FORWARD ! -s 192.168.0.0/24
(In older iptables releases, such as the one shipped with Red Hat 9, the "!" was written after the option, as in -s ! 192.168.0.1; current releases accept that form only with a deprecation warning.)
(3) Network interface match
1) Match a single interface:
# iptables -A INPUT -i eth0
# iptables -A FORWARD -o eth0
2) Match all interfaces of one type (the trailing + is a wildcard):
# iptables -A FORWARD -o ppp+
(4) Port match
1) Match a single port (by service name or number):
# iptables -A INPUT -p tcp --sport www
# iptables -A INPUT -p tcp --sport 80
# iptables -A INPUT -p tcp --sport 53
# iptables -A INPUT -p udp --dport 53
2) Match every port except the specified one:
# iptables -A INPUT -p tcp ! --dport 22
3) Match a port range:
# iptables -A INPUT -p tcp --sport 22:80
4) Match an ICMP type (ICMP has no ports; the type plays that role):
# iptables -A INPUT -p icmp --icmp-type 8
5) IP fragments
Every network interface has a maximum transmission unit (MTU), the largest packet it can carry. When a packet exceeds the MTU, the system splits it into several smaller packets (IP fragments) for transmission, and the receiver reassembles the fragments into the original packet.
Fragmentation creates a problem for packet filtering: only the first fragment carries the complete set of headers (IP plus TCP, UDP or ICMP), while later fragments carry only the IP header (source and destination address and so on). The transport-layer header of a later fragment therefore cannot be checked. Suppose there is this rule:
# iptables -A FORWARD -p tcp -s 192.168.1.0/24 -d 192.168.2.100 --dport 80 -j ACCEPT
With the FORWARD policy set to DROP, only the first fragment gets through: it carries the full headers and satisfies the rule, whereas the remaining fragments have no TCP header to match --dport 80 and are dropped.
The --fragment (-f) option matches the second and later fragments. To the example above we can add a rule for them:
# iptables -A FORWARD -f -s 192.168.1.0/24 -d 192.168.2.100 -j ACCEPT
Bear in mind, however, that many IP fragmentation attacks exist (for example, flooding Windows 98, NT 4 SP5/SP6 or Windows 2000 hosts with fragments as a DoS attack), so letting fragments through is a security risk; iptables match extensions can be used to restrict it. Note also that once connection tracking is loaded, Netfilter reassembles fragments before the filter rules see them (the automatic fragment reassembly of 1.2.2 (2)), so with a stateful rule set the -f match sees no fragments at all.
2.3.3 Set extended rule matching
To get a brief description of a match extension, you can use the following command:
# iptables -m name_of_match --help
The following are examples of iptables extended rule matching (the target action is omitted):
(1) multiport matching extension
1) match multiple source ports
# iptables -A INPUT -p tcp -m multiport --source-ports 22,110
2) match multiple destination ports
# iptables -A INPUT -p tcp -m multiport --destination-ports 22,110
3) match multiple ports (whether source or destination port)
# iptables -A INPUT -p tcp -m multiport --ports 80,110
(2) specify TCP matching extension
You can use the --tcp-flags option to filter on the flags of a TCP packet. The option is followed by two parameters: the first is the list of flags to be checked, which can be any combination of SYN, ACK, FIN, RST, URG and PSH (ALL specifies all flag bits); the second lists which of those checked flags must be set to 1 (the other checked flags must be 0).
# iptables -A INPUT -p tcp --tcp-flags SYN,FIN,ACK SYN
Indicates that the SYN, ACK and FIN flags are checked, and the packet matches only when SYN alone is set among them.
# iptables -A INPUT -p tcp --tcp-flags ALL SYN,ACK
All flags (SYN, ACK, FIN, RST, URG, PSH) are checked, and the packet matches only when SYN and ACK are set and the rest are clear.
The --syn option is a special case of the above; it is shorthand for "--tcp-flags SYN,RST,ACK SYN".
# iptables -A INPUT -p tcp --syn
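The mask/compare semantics of --tcp-flags are easy to misread, so here is an added Python model of that test (not code from the original article): only the flags in the first list are examined, and they must equal the second list exactly; flags outside the mask are ignored, which is why a SYN+FIN packet still matches --syn.

```python
# Added example, not from the original article: evaluates the iptables
# "--tcp-flags <mask> <comp>" test on a packet's TCP flag byte.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def parse_flag_list(spec):
    """Turn 'SYN,FIN,ACK', 'ALL' or 'NONE' into a bitmask."""
    spec = spec.strip().upper()
    if spec == "ALL":
        return sum(TCP_FLAGS.values())
    if spec == "NONE":
        return 0
    mask = 0
    for name in spec.split(","):
        mask |= TCP_FLAGS[name.strip()]
    return mask


def flag_byte(*names):
    """Build a packet's flag byte from flag names, e.g. flag_byte('SYN', 'ACK')."""
    return parse_flag_list(",".join(names)) if names else 0


def tcp_flags_match(packet_flags, mask_spec, comp_spec):
    """iptables semantics: (flags & mask) == comp.

    Bits not in the mask are ignored; bits in the mask but not in comp must be 0.
    """
    mask = parse_flag_list(mask_spec)
    comp = parse_flag_list(comp_spec)
    return (packet_flags & mask) == comp


def syn_match(packet_flags):
    """--syn is shorthand for --tcp-flags SYN,RST,ACK SYN."""
    return tcp_flags_match(packet_flags, "SYN,RST,ACK", "SYN")


if __name__ == "__main__":
    for names in (("SYN",), ("SYN", "ACK"), ("SYN", "FIN"), ("SYN", "PSH")):
        print("+".join(names), "matches --syn:", syn_match(flag_byte(*names)))
```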
(3) limit rate matching extension
1) number of packets allowed to pass per unit of time
The unit of time can be /second, /minute, /hour or /day, or the first letter of each. For example:
# iptables -A INPUT -m limit --limit 300/hour
Indicates that 300 packets per hour are allowed.
2) specify the burst threshold
Use --limit-burst to specify the trigger threshold (default value: 5), the number of packets that may pass at once in a burst.
# iptables -A INPUT -m limit --limit-burst 10
In the example above, at most 10 packets arriving at once match the rule; packets exceeding this limit are discarded.
3) specify both the rate limit and the burst threshold
# iptables -A INPUT -p icmp -m limit --limit 3/m --limit-burst 3
Assume that requests arrive evenly at an average of three packets per minute: the trigger threshold burst then stays at three. If fewer than three packets pass in a minute, burst is increased by 1 after each cycle (with three packets allowed per minute, one cycle is 20 seconds), up to a maximum of 3. If more than three packets arrive in a minute, burst is reduced by the excess: for example, if four packets arrive in the next minute, burst becomes 2 and all four packets pass; if six packets arrive in the third minute, only five pass and burst becomes 0. After that, if the number of packets per minute is less than or equal to 3, burst is increased by 1; if it is greater than 3, burst gradually falls to 0.
That is, the maximum number of packets per minute is the maximum rate (3 in this example) plus the current value of burst. In any case three packets pass, and burst is the number of additional packets allowed.
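The limit match is a token bucket: the bucket holds at most --limit-burst tokens, refills at the --limit rate, and each packet that matches spends one. The following Python model is an added example, not code from the article; it implements the general algorithm of which the per-minute walk-through above is one instance, and runs the 3/m, burst 3 rule over constructed arrival times to show that the count in a given minute depends on when the packets arrive within it.

```python
# Added example, not code from the original article: a token-bucket model of
# the iptables "-m limit --limit <rate> --limit-burst <n>" match. The packet
# arrival times used below are constructed for illustration.
from fractions import Fraction

UNITS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def parse_rate(spec):
    """'3/m' or '300/hour' -> tokens per second as an exact Fraction.

    The unit may be abbreviated to its first letter, as iptables allows.
    """
    count, unit = spec.split("/")
    unit = unit.strip().lower()
    seconds = next(v for k, v in UNITS.items() if k.startswith(unit))
    return Fraction(int(count), seconds)


class LimitMatch:
    """Bucket of at most `burst` tokens, refilled continuously at `rate`.

    With 3/m one token is added every 20 seconds (the article's "cycle").
    """

    def __init__(self, rate_spec, burst=5):
        self.rate = parse_rate(rate_spec)
        self.burst = Fraction(burst)
        self.tokens = Fraction(burst)  # the bucket starts full
        self.last = Fraction(0)

    def matches(self, now):
        now = Fraction(now)
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False  # rule does not match; the packet falls through


def evaluate(rate_spec, burst, arrival_times):
    """Apply the rule to packets arriving at the given times (seconds)."""
    lim = LimitMatch(rate_spec, burst)
    return [lim.matches(t) for t in arrival_times]


def count_matches(rate_spec, burst, arrival_times):
    return sum(evaluate(rate_spec, burst, arrival_times))


if __name__ == "__main__":
    # Eight ICMP packets at once, then one every 20 s: the burst of 3 passes,
    # the next 5 are refused, and the later ones pass as tokens refill.
    print(evaluate("3/m", 3, [0, 0, 0, 0, 0, 0, 0, 0, 20, 40, 60]))
```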
(4) state-based matching extension (connection tracking)
Each network connection consists of the following information: source address, destination address, source port and destination port (together known as the socket pair), protocol type, connection state (for TCP) and timeout. The firewall calls this information the connection state, and a firewall that can track the state of each connection is called a stateful packet filtering firewall. Besides the packet filtering performed by a simple packet filter, it maintains in its own memory a table that tracks the state of each connection, which makes it more secure than a simple packet filter. One difference between iptables and ipchains is that iptables can use connection-tracking information to build rules that match on the state of a packet.
The command format for creating rules that match on state is as follows:
iptables -m state --state [!] state[,state...]
The state list is separated by commas (,). The connection states are:
→ NEW: the packet wants to start a new connection (for example reconnecting or redirecting a connection).
→ RELATED: the packet starts a new connection that is related to an existing established connection; for example, the FTP data connection is RELATED to the control connection.
→ ESTABLISHED: the packet belongs to an established connection.
→ INVALID: the packet does not match any known connection. Such packets are usually dropped.
1) add a rule to the INPUT chain that matches packets of established connections, or of new connections related to established ones; that is, all TCP response packets are matched.
# iptables -A INPUT -m state --state RELATED,ESTABLISHED
2) add a rule to the INPUT chain that matches all connection-request packets arriving on interfaces other than eth0.
# iptables -A INPUT -m state --state NEW ! -i eth0
As another example, connection tracking can be used for FTP connections as follows:
1) passive FTP connection mode
# iptables -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
2) active FTP connection mode
# iptables -A INPUT -p tcp --sport 20