Oskar Andreasson
oan@frozentux.net
Copyright © 2001-2003 by Oskar Andreasson
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1, provided the introduction and all chapters are retained as invariant sections, with "Original: Oskar Andreasson" as a front-cover text, and with no back-cover texts. The full text of the GNU Free Documentation License is included in the appendix.
All scripts in this document are placed under the GNU General Public License, Version 2, and may be freely redistributed and modified.
These scripts are distributed in the hope that they will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this document, in the section entitled "GNU Free Documentation License"; if not, write to the Free Software Foundation, Inc., Boston, MA 02111-1307 USA.
Dedication
First of all, I would like to dedicate this document to my wonderful girlfriend Ninel (she has helped me far more than I have helped her): I hope I can make you as happy as you make me. (Translator's note: I could not find the right words to express how wonderful the author's girlfriend is; you will have to imagine it. Also, I wonder whether they are married by now :)
Second, I want to dedicate this document to all the Linux developers and maintainers who have done the incredibly hard work that makes such a good operating system possible.
Table of Contents
Translator's Preface
About the Author
How to Read This Document
Prerequisites
Conventions Used in This Document
1. Introduction
  1.1. Why this guide was written
  1.2. How this guide was written
  1.3. Terms used in this document
2. Preparations
  2.1. Where to get iptables
  2.2. Kernel configuration
  2.3. Compiling and installing
    2.3.1. Compiling
    2.3.2. Installing on Red Hat 7.1
3. Tables and Chains
  3.1. Overview
  3.2. The mangle table
  3.3. The nat table
  3.4. The filter table
4. The State Machine
  4.1. Overview
  4.2. Conntrack entries
  4.3. Packet states in user space
  4.4. TCP connections
  4.5. UDP connections
  4.6. ICMP connections
  4.7. Default connections
  4.8. Complex protocols and connection tracking
5. Saving and Restoring Rule Sets
  5.1. Speed
  5.2. Drawbacks of restore
  5.3. iptables-save
  5.4. iptables-restore
6. How Rules Are Built
  6.1. Basics
  6.2. Tables
  6.3. Commands
  6.4. Matches
    6.4.1. Generic matches
    6.4.2. Implicit matches
    6.4.3. Explicit matches
    6.4.4. Matches for malformed packets
  6.5. Targets/jumps
    6.5.1. ACCEPT target
    6.5.2. DNAT target
    6.5.3. DROP target
    6.5.4. LOG target
    6.5.5. MARK target
    6.5.6. MASQUERADE target
    6.5.7. MIRROR target
    6.5.8. QUEUE target
    6.5.9. REDIRECT target
    6.5.10. REJECT target
    6.5.11. RETURN target
    6.5.12. SNAT target
    6.5.13. TOS target
    6.5.14. TTL target
    6.5.15. ULOG target
7. Firewall Configuration Example: rc.firewall
  7.1. About rc.firewall
  7.2. rc.firewall in detail
    7.2.1. Parameter configuration
    7.2.2. Loading external modules
    7.2.3. proc settings
    7.2.4. Optimizing rule placement
    7.2.5. Setting the default policies
    7.2.6. Setting up user-defined chains
    7.2.7. INPUT chain
    7.2.8. FORWARD chain
    7.2.9. OUTPUT chain
    7.2.10. PREROUTING chain
    7.2.11. POSTROUTING chain
8. Example Scripts
  8.1. Structure of the rc.firewall.txt script
    8.1.1. Script structure
  8.2. rc.firewall.txt
  8.3. rc.DMZ.firewall.txt
  8.4. rc.DHCP.firewall.txt
  8.5. rc.UTIN.firewall.txt
  8.6. rc.test-iptables.txt
  8.7. rc.flush-iptables.txt
  8.8. Limit-match.txt
  8.9. Pid-owner.txt
  8.10. Sid-owner.txt
  8.11. Ttl-inc.txt
  8.12. Iptables-save ruleset
A. General Notes
  A.1. Viewing the current rule set
  A.2. Correcting and flushing iptables
B. Common Problems and Questions
  B.1. Module loading problems
  B.2. NEW-state packets without the SYN flag set
  B.3. SYN/ACK packets in the NEW state
  B.4. ISPs that use private IP addresses
  B.5. Letting DHCP traffic through
  B.6. Problems with mIRC DCC
C. ICMP Types
D. Other Resources and Links
E. Acknowledgements
F. History
G. GNU Free Documentation License
  0. Preamble
  1. Applicability and Definitions
  2. Verbatim Copying
  3. Copying in Quantity
  4. Modifications
  5. Combining Documents
  6. Collections of Documents
  7. Aggregation with Independent Works
  8. Translation
  9. Termination
  10. Future Revisions of This License
  How to use this License for your documents
H. GNU General Public License
  0. Preamble
  1. Terms and Conditions for Copying, Distribution and Modification
  2. How to Apply These Terms to Your New Programs
I. Sample Scripts
  I.1. rc.firewall script code
  I.2. rc.DMZ.firewall script code
  I.3. rc.UTIN.firewall script code
  I.4. rc.DHCP.firewall script code
  I.5. rc.flush-iptables script code
  I.6. rc.test-iptables script code
List of Tables
  3-1. Packets destined for the local host (our own machine)
  3-2. Packets originating from the local host
  3-3. Forwarded packets
  4-1. Packet states in user space
  4-2. Internal states
  6-1. Tables
  6-2. Commands
  6-3. Options
  6-4. Generic matches
  6-5. TCP matches
  6-6. UDP matches
  6-7. ICMP matches
  6-8. Limit match options
  6-9. MAC match options
  6-10. Mark match options
  6-11. Multiport match options
  6-12. Owner match options
  6-13. State matches
  6-14. TOS matches
  6-15. TTL matches
  6-16. DNAT target
  6-17. LOG target options
  6-18. MARK target options
  6-19. MASQUERADE target
  6-20. REDIRECT target
  6-21. REJECT target
  6-22. SNAT target
  6-23. TOS target
  6-24. TTL target
  6-25. ULOG target
  C-1. ICMP types
Translator's Preface
The translator, SLLSCN, is a newcomer to Linux at the Chinese Linux community and a Linux enthusiast. While building a firewall with iptables in my daily work, I found that there was far too little Chinese material about iptables and had to rely on the English version. For my own future reference, and for the benefit of users whose English is weak, I translated this document with a dictionary in hand. It is only meant to be readable, not "good-looking", so please do not blame me.
Chapter one, apart from the terminology introduced in its third section, contains nothing essential. Chapter two is helpful to those who want to compile iptables themselves. Chapters three and four let us understand and master how iptables works and how packets flow through it. Chapters five and six are a detailed introduction to the usage of the iptables command. Chapters seven and eight are worked examples; they are instructive for writing our own rules, and I strongly recommend that you read them. The resource links in the appendix are very good; I believe you will like them.
Because of terminology, some parts of the table of contents are left untranslated, but the body text is fully translated. Appendix F is the update history of this document, Appendix G is the GNU Free Documentation License and Appendix H is the GNU General Public License; they have no bearing on understanding iptables, so they are not translated.
When reading this document you may find places that repeat themselves. This is not because the original author's level is low; it is precisely his consideration for us: you can read any chapter without having to refer back and forth to other chapters. Here, once again, my respects to the author.
Because of the translator's limited level, a completely correct understanding of the original cannot be guaranteed. If you have comments or suggestions, you can contact the translator at slcl@sohu.com.
Solemn statement: this translation was made with the permission of the original author, Oskar Andreasson. This translation (not the original text) may be freely used, modified, distributed and reprinted, but all rights are reserved with regard to use for profit.
About the Author
I have a lot of "old" computers on my local area network, and I want them to be connected to the Internet and secure. For this purpose, iptables is a good upgrade from ipchains. With ipchains you could build a reasonably secure network by dropping all packets whose destination port was not one of a few specific ports. But this causes problems with services such as passive FTP and outgoing DCC in IRC, which assign ports on the server, tell the client about them, and then let the client connect. There are a few bugs in the iptables code, and in some respects I find the code not quite ready for a full production release, but I still recommend that people using ipchains or the older ipfwadm upgrade, unless they are satisfied with the code they use or it is sufficient for their needs.
How to Read This Document
This document introduces iptables so that you can understand how capable iptables is; it does not cover security bugs in iptables or netfilter. If you find any bugs or odd behaviour in iptables or its components, contact the netfilter mailing lists, where you will be told whether it is a bug and how to fix it. There are few security bugs in iptables or netfilter, and when a problem does turn up it is announced on the netfilter home page.
The scripts in this document do not work around bugs inside netfilter; they are given only to demonstrate how to construct rules so that we can solve the traffic-management problems we meet. This document also does not cover issues such as "how to close the HTTP port because Apache 1.2.12 is occasionally attacked". It will show you how to close the HTTP port with iptables, but not because Apache is occasionally attacked.
This document is intended for beginners, but it also tries to be as complete as possible. Because there are too many targets and matches, not all of them are covered. If you need that information, visit the netfilter home page.
Prerequisites
To read this document you need some basic knowledge, such as Linux/Unix, shell script writing, kernel compilation and, preferably, some simple knowledge of the kernel itself.
I have tried to make sure that the reader needs as little of this knowledge as possible to understand this document, but the more advanced parts cannot be understood without it. So this is the basis you should have.
Conventions Used in This Document
The following conventions are used in this document:
Code and command output use a fixed-width font, and the command itself is in bold:
[blueflux@work1 neigh]$ ls
default eth0 lo
[blueflux@work1 neigh]$
All commands and program names are in bold.
All system components, such as hardware, kernel parts and the loopback interface, are in italic.
This font is used for text output from the computer.
File names and path names look like this: /usr/local/bin/iptables.
1. Introduction
1.1. Why this guide was written
I found that the current HOWTOs lack information about the iptables and netfilter functions in the Linux 2.4.x kernel, so I have tried to answer some questions, for example about state matching. I will use illustrations and the example script rc.firewall.txt to explain things; the examples here can be used in your /etc/rc.d/. Originally this document was written as a HOWTO, because many people only accept HOWTO documents.
There is also a small script, rc.flush-iptables.txt; I wrote it just so that you can set things up the same way I did and have the same feeling of success.
1.2. How this guide was written
I consulted Marc Boucher and other core members of the netfilter team. I am very grateful for their work and for the help they gave me while I wrote this guide for boingworld.com; the guide is now maintained on my own site, frozentux.net. This document will take you step by step through the setup process and give you a better understanding of the iptables package. Most of it is based on the example rc.firewall file, because I find that a good way to learn iptables. I decided to follow the rc.firewall file from top to bottom to teach iptables. Although this is harder, it is more logical. When you come across something you don't understand, look at the file.
1.3. Terms used in this document
This document contains some terms you should know. Here are some explanations of them and of how they are used in this document.
DNAT - Destination Network Address Translation. DNAT is a technique for changing the destination IP address of a packet. It is often used together with SNAT so that several servers can share one IP address towards the Internet and still provide their services; the traffic is told apart by assigning different ports on the same IP address.
Stream - a stream is a connection that sends and receives packets between both parties of a communication (translator's note: in this document the author treats a connection as one-way, while a stream stands for a two-way connection). Generally the term describes a connection that sends two or three packets in each direction. For TCP a stream means a connection: it sends a SYN and then receives a SYN/ACK in reply. But it may also refer to a connection that sends a SYN and receives an ICMP Host Unreachable in reply. In other words, I use the word very loosely.
SNAT - Source Network Address Translation. This is a technique for changing the source IP address of a packet, often used to let several computers share one Internet address. It is only needed with IPv4, because IPv4 addresses are running out; IPv6 will solve the problem.
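The DNAT and SNAT entries above describe where each translation happens; the following shell script, added here as an illustration and not taken from the original tutorial or from the rc.firewall scripts it describes, shows the two rules side by side. All addresses, the interface name and the port are constructed placeholders; the IPTABLES variable defaults to "echo iptables", so running the script only prints the rules it would load, which is also a convenient way to review a rule set before applying it as root.

```shell
#!/bin/sh
# Added example (not from the original tutorial): DNAT in the nat table's
# PREROUTING chain rewrites the destination before the routing decision,
# SNAT in POSTROUTING rewrites the source after it.
# Constructed values: 203.0.113.10 is the firewall's public address,
# 192.168.1.0/24 the internal LAN and 192.168.1.20 an internal web server.
IPTABLES="${IPTABLES:-echo iptables}"   # set to /usr/sbin/iptables to really load the rules
INET_IP="203.0.113.10"
INET_IFACE="eth0"
LAN_NET="192.168.1.0/24"
WEB_SERVER="192.168.1.20"

# DNAT: connections arriving on the public address for port 80 are handed
# to the internal web server. Because PREROUTING runs before routing, the
# rewritten destination is what decides that the packet gets forwarded.
dnat_web() {
    $IPTABLES -t nat -A PREROUTING -i "$INET_IFACE" -d "$INET_IP" \
        -p tcp --dport 80 -j DNAT --to-destination "$WEB_SERVER:80"
}

# SNAT: packets leaving the LAN through the public interface get the
# firewall's address as source. POSTROUTING runs after routing, so the
# outgoing interface is already known and can be matched with -o.
snat_lan() {
    $IPTABLES -t nat -A POSTROUTING -o "$INET_IFACE" -s "$LAN_NET" \
        -j SNAT --to-source "$INET_IP"
}

# NAT rules only rewrite addresses; the forwarded traffic must still be
# accepted by the filter table's FORWARD chain. Connection tracking maps
# the replies back automatically, so only the NEW direction needs a rule.
forward_web() {
    $IPTABLES -A FORWARD -i "$INET_IFACE" -d "$WEB_SERVER" -p tcp --dport 80 \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
}

# Load (or, with the default IPTABLES=echo, print) the three rules in order.
load_nat_rules() {
    dnat_web
    snat_lan
    forward_web
}

load_nat_rules
```

Run it as is to see the generated commands, or run it with IPTABLES=/usr/sbin/iptables as root to load them; the order of the two translations is the point to note, since the DNAT'd destination address is what the FORWARD rule must match.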
State - indicates what state a packet is in. Status in