Iptables configuration tool

Source: Internet
Author: User
Tags: perl, script

Once an iptables configuration tool is in use, configuring iptables becomes much easier.

In the past few years Linux has grown considerably as a firewall platform. Since ipfwadm in the early 1.2 kernels, the Linux firewall code has come a long way. The 2.4 Linux kernel uses the netfilter system. With 2.4, Linux greatly improved its security, for example with better encryption support and the netfilter system itself. Netfilter is fully backward compatible.

This article summarizes iptables configuration and then focuses on a number of iptables configuration tools: the Linux kernel IP firewall and the various front ends for configuring it, whether a GUI or a script (shell, Perl, or a dedicated configuration language). Using such tools simplifies iptables configuration and reduces configuration errors. For more information about iptables, see the Linux iptables HOWTO written by Rusty Russell.

Difficulties in configuring iptables from the command line

Configuring an iptables firewall through the iptables command line interface is a challenge for one person. It is difficult for a user to specify the desired behaviour for every IP packet; doing so requires a deep understanding of TCP/IP and of the application layer protocols. Like its predecessor ipchains, iptables organizes IP filtering rules into chains. An IP packet traverses the rules in a chain and can be handed to another chain for processing, or it is handled by the chain's default policy (ACCEPT, DROP, REJECT). Some network applications pass through a firewall more easily than others, so you also need to understand how network connections are established and torn down.

Take the POP3 protocol, one of the simplest protocols, as an example. Allowing every packet whose destination port is 110 does not solve the problem, because that only lets the client send its request; the server's reply is still blocked. In addition, Network Address Translation (NAT) and other packet forwarding methods bring many more problems. The firewall configuration affects the security of the entire enterprise, so it must be handled carefully. The configuration of iptables is discussed below; for more details, see the Linux iptables HOWTO.

Command line options of iptables

Before proceeding to this discussion, let's take a look at a summary of the iptables command line options.

Rule chain maintenance options

1. Create a new chain (-N)
2. Delete an empty chain (-X)
3. Change the policy of a built-in chain (-P)
4. List the rules in a chain (-L)
5. Flush (erase) all rules from a chain (-F)

Rule maintenance

1. Append a new rule to a chain (-A)
2. Delete the rule at a given position in a chain (-D)

Advantages of iptables

Before discussing various iptables configuration tools, let's take a look at the advantages of iptables, especially the advantages of netfilter over ipchains.

Iptables allows a stateful firewall to be built, that is, each connection passing through the firewall is tracked in memory. This mode is necessary to configure FTP, DNS and other network services effectively.

Iptables can filter on any combination of TCP flags and on MAC addresses.

System logging is easier to configure and more scalable than with ipchains.

For Network Address Translation and transparent proxy support, netfilter is more powerful and easier to use.

Iptables can prevent some DoS attacks, such as SYN flood attacks.

Iptables configuration tools

Now let's take a look at some Linux iptables configuration tools. I focus on the features, flexibility, and ease of use of each tool. We will discuss the following tools:

MonMotha's Firewall 2.3.5 by MonMotha
Firewallscript (iptables 4.4c-3 devel) by Patrik Hildingsson
Ferm-0.0.18 by Auke Kok
AGT-0.83 by Andy Gilligan
Knetfilter-1.2.4 by Luigi Genoni
gShield-2.0.2 by R. Gregory

MonMotha's Firewall 2.3.5

Firewall 2.3.5, written by MonMotha, is a shell script of about 30 KB. It is currently aimed mainly at host-based protection, because some of the network-based options are still under development. The script's interface (for example, the way configuration options are passed on to iptables) is a bit messy. On the other hand, it needs no configuration file and is easy to install: it can simply be copied to any location. By default it does nothing at all (in fact, it does not execute at all), and documentation is lacking. This script may be useful for dial-up users.

Firewallscript

Firewallscript (IFS 4.4d) is also a bash script, about 85 KB in size. It can be used for both host-based and network-based protection. When run for the first time it generates a configuration file directly; by default, however, that file does nothing and serves only as a test. The script can configure NAT and masquerading. It is very complex but poorly documented, so it is best to read its code carefully and to use the iptables -L command to determine which chains have taken effect and what is allowed or rejected. Its IP packet tracing function can also be entertaining. In addition, it automatically detects and loads the kernel modules that iptables requires. Like the previous script, it has an undo function that restores the original iptables configuration.

Ferm

Ferm is a Perl script that reads a configuration file written in a C-like configuration language, which is easy to read and understand. The script comes with good documentation and plenty of examples to refer to.

Here is an example:

-----------------------------------------------------------------------------

  # simple workstation example for ferm

  chain input {
      if ppp0                       # put your outside interface here
      {
          proto tcp goto fw_tcp;
          proto udp goto fw_udp;
          proto icmp goto fw_icmp;
      }
  }

  chain fw_tcp proto tcp {
      dport ssh ACCEPT;
      syn DENY log;
      dport domain ACCEPT;
      dport 0:1023 DENY log;
  }

  chain fw_udp proto udp {
      DENY log;
  }

  chain fw_icmp proto icmp {
      icmptype (
          destination-unreachable time-exceeded
      ) ACCEPT;
      DENY log;
  }

-----------------------------------------------------------------------------

From this configuration file ferm generates iptables rules that allow ssh and DNS packets through, block all UDP packets, and allow only two types of ICMP message (destination unreachable and time exceeded); all other ICMP messages are logged and rejected.
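To make the chain-traversal idea concrete, here is a small first-match chain simulator, added for this article and not taken from it or from ferm. It covers both the POP3 case discussed earlier (the naive "allow port 110" rule versus a stateful one) and the ferm workstation configuration above, re-encoded as data; the packet dictionaries, the 'state' field, and the chain names are constructed for the demonstration.

```python
# Added example, not code from the article or from ferm: a first-match simulator
# for iptables-style chains, showing why the naive "allow port 110" POP3 rule
# blocks the server's reply, and how the ferm config above dispatches packets
# between chains. Packet dicts, 'state' and chain names are constructed here.
def matches(rule, pkt):
    """A rule matches when every key in rule['match'] agrees with the packet."""
    for key, want in rule.get("match", {}).items():
        have = pkt.get(key)
        if isinstance(want, tuple):            # port range, e.g. (0, 1023)
            if have is None or not want[0] <= have <= want[1]:
                return False
        elif isinstance(want, set):            # any one of several values
            if have not in want:
                return False
        elif have != want:
            return False
    return True

def walk(chains, policy, pkt, chain="input"):
    """First match wins: a user-chain target continues there, a terminating
    target is returned, and no match at all falls back to the chain policy."""
    for rule in chains[chain]:
        if matches(rule, pkt):
            target = rule["target"]
            return walk(chains, policy, pkt, target) if target in chains else target
    return policy

# (1) POP3 client: the request is allowed out, but nothing lets the reply in.
NAIVE = {"output": [{"match": {"proto": "tcp", "dport": 110}, "target": "ACCEPT"}],
         "input": []}
# Stateful fix: accept inbound packets belonging to a connection we opened.
STATEFUL = {"output": NAIVE["output"],
            "input": [{"match": {"proto": "tcp", "sport": 110, "state": "ESTABLISHED"},
                       "target": "ACCEPT"}]}
REQUEST = {"proto": "tcp", "dport": 110, "sport": 40000, "state": "NEW"}
REPLY = {"proto": "tcp", "sport": 110, "dport": 40000, "state": "ESTABLISHED"}
# (2) The ferm example as data: 'if ppp0' becomes an iface match, 'DENY log'
# is collapsed to DENY, and ssh/domain are the numeric ports 22/53.
FERM = {
    "input": [{"match": {"iface": "ppp0", "proto": "tcp"}, "target": "fw_tcp"},
              {"match": {"iface": "ppp0", "proto": "udp"}, "target": "fw_udp"},
              {"match": {"iface": "ppp0", "proto": "icmp"}, "target": "fw_icmp"}],
    "fw_tcp": [{"match": {"dport": 22}, "target": "ACCEPT"},
               {"match": {"syn": True}, "target": "DENY"},     # placed before dport 53
               {"match": {"dport": 53}, "target": "ACCEPT"},
               {"match": {"dport": (0, 1023)}, "target": "DENY"}],
    "fw_udp": [{"target": "DENY"}],
    "fw_icmp": [{"match": {"icmptype": {"destination-unreachable", "time-exceeded"}},
                 "target": "ACCEPT"}, {"target": "DENY"}],
}
```

Note that rule order matters: in fw_tcp the `syn DENY` rule precedes `dport domain ACCEPT`, so a new inbound TCP connection to port 53 is denied while non-SYN packets to that port are accepted.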

AGT

AGT is a program written in C. Judging from its code it is still under development: automake is not supported, so the Makefile must be edited by hand. Its documentation is sparse, but its configuration file is very simple. Here is a sample configuration file:

NEW | FROM-INT
NEW | RESET
| FROM-INT | icmp | ACCEPT |
| FROM-INT | tcp | ACCEPT | pop3
| FROM-INT | tcp | ACCEPT | imap
| RESET | tcp | REJECT --reject-with tcp-reset |

This file format, combined with the lack of documentation, is a real challenge for users, and the time is probably better spent learning iptables itself.

Knetfilter

Knetfilter is a fine graphical iptables configuration tool based on KDE (KDE1 and KDE2). It is very easy to use: with a few clicks you can configure host-protection rules and rule lists, save and restore them, and test them (a tcpdump network sniffer runs in the same panel). It also supports NAT and masquerading. For a dial-up workstation, however, knetfilter does not work well, because it requires a local IP address and only detects the eth0 network interface, with no PPP detection. The project has little documentation, but because it is a graphical tool it can be used reasonably well even without a manual.

GShield

GShield is a bash shell script and is perhaps the most mature tool at present. Its documentation is rich, its configuration file is sensible and intuitive, and it can configure NAT. It handles both static IP addresses and dynamic ones (for example, PPP).

GShield also has a graphical front end, still in early development, which can be downloaded from http://members.home.com/vhodges/gshieldconf.html. However, it appears to be compatible only with earlier versions of gShield (1.x).

The following is an example configuration file:

FW_ROOT="/etc/firewall"
IPTABLES=`which iptables`
LOCALIF="eth0"
DNS="24.31.195.65"
LTIME="20/m"
ALLOW_DHCP_LEASES="YES"
...

GShield ships with safe default settings, which suit users who do not want to fiddle with configuration files; the author nevertheless recommends reading the entire configuration file. According to the README, gShield implements "tcpwrapper-style service access control". With it, users can easily block or allow a service without worrying about packet direction or similar details; all they need to decide is which clients may connect to the server.

Conclusion

Although this article has introduced several firewall configuration tools, no ideal configuration tool exists yet. The best configuration tool is still the iptables command itself; the tools described here are mainly for users who find the iptables command line difficult to use.

Even so, this article should have made clear that iptables configuration tools are genuinely useful.
