New features and usage in the Linux 2.4 kernel

1. Purpose of this article
  
This article discusses the new features and usage of iptables in the Linux 2.4 kernel, how to use these features effectively to set up firewall rules for an enterprise, and illustrates their application with a typical enterprise setup.
  
   2. Operating Environment
  
Red Hat Linux 7.1 with its stock modular kernel, connected to the Internet through a leased line. The firewall has two NICs: the intranet segment is 10.0.0.0/255.255.255.0 and the address of the firewall's external NIC is 1.2.3.4.
  
3. Differences between iptables and ipchains
  
1. The built-in chains have been redefined. In the new iptables of the Linux 2.4 kernel, management of the built-in INPUT, OUTPUT and FORWARD chains is simplified: any packet traverses exactly one of the three chains, either INPUT, or FORWARD, or OUTPUT. In ipchains, by contrast, a packet passing through the firewall always traversed all three chains.
  
To illustrate this change, refer to the following diagram.
  
                                 _____
 Incoming                       /     \          Outgoing
 -------->[Routing ]---------->|FORWARD|--------------->
          [Decision]            \_____/               ^
              |                                       |
              v                                     ______
             _____                                 /      \
            /     \                               | OUTPUT |
           | INPUT |                               \______/
            \_____/                                   ^
              |                                       |
              -----> Local Process -------------------

                         (Linux firewall host)
  
A. First, when a packet comes in, that is, enters the firewall from an Ethernet card, the kernel determines the packet's destination according to the routing table.
B. If the destination is the local host, the packet goes directly into the INPUT chain, is received by the local process, and that is the end of its path.
C. Otherwise, if the packet arriving from the Ethernet card is not for the local machine, the kernel checks whether forwarding is allowed (use echo 1 > /proc/sys/net/ipv4/ip_forward to enable forwarding). If forwarding is not permitted, the packet is dropped. If forwarding is permitted, the packet is passed to the FORWARD chain and then sent out. In this case neither the INPUT nor the OUTPUT chain is traversed, because the routing destination is not the local machine and only forwarding rules apply.
D. Finally, the Linux firewall host can itself generate packets; these leave through the OUTPUT chain only.
  
Note: the difference between echo 1 > /proc/sys/net/ipv4/ip_forward and the FORWARD chain
  
The former switches the kernel's forwarding function on or off. The latter is the chain of forwarding rules: only when kernel forwarding is enabled is a packet handed to the FORWARD chain to be checked against its rules one by one.
  
If the firewall does not enable IP forwarding, the networks on its two sides are completely isolated. If one side is connected to the Internet, the other side can reach the Internet only through a proxy, and IP masquerading cannot be used.
  
In this way, any packet traverses only one of the INPUT, OUTPUT and FORWARD chains. This is a major improvement that also simplifies firewall rule management.
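The packet path just described, as an added shell example (not from the article): forwarding_enabled reads the real ip_forward switch, and chain_for_packet models the routing decision that picks the single chain a packet is checked against. The addresses and the file-path parameter are assumptions; 203.0.113.10 is a constructed external host.

```shell
#!/bin/sh
# Added example (not the article's own code): models which single built-in
# chain a packet on a 2.4 firewall is checked against, and reads the kernel
# forwarding switch that decides whether non-local packets are forwarded at all.

# forwarding_enabled [PATH]: returns 0 when the kernel forwards packets.
# PATH defaults to the real sysctl file; it is a parameter only so the
# function can be exercised against a scratch file.
forwarding_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# chain_for_packet ORIGIN DST FORWARD_FLAG LOCAL_ADDRS
#   ORIGIN       "in" for a packet arriving on a NIC, "local" for a packet
#                generated by a process on the firewall itself
#   DST          destination IP of the packet
#   FORWARD_FLAG 0 or 1, the value of ip_forward
#   LOCAL_ADDRS  space-separated addresses owned by the firewall
# Prints the one chain the packet traverses, or DROPPED when forwarding is
# off and the packet is not addressed to this host.
chain_for_packet() {
    origin=$1; dst=$2; fwd=$3; locals=$4
    if [ "$origin" = "local" ]; then
        echo OUTPUT          # locally generated packets see OUTPUT only
        return 0
    fi
    for a in $locals; do
        if [ "$a" = "$dst" ]; then
            echo INPUT       # routed to us: INPUT, then the local process
            return 0
        fi
    done
    if [ "$fwd" = "1" ]; then
        echo FORWARD         # routed elsewhere: FORWARD only, never INPUT/OUTPUT
    else
        echo DROPPED         # forwarding disabled: the kernel discards it
    fi
}

# Worked run with the article's firewall addresses (1.2.3.4 outside, 10.0.0.1 inside).
demo() {
    fw_addrs="1.2.3.4 10.0.0.1"
    if forwarding_enabled; then echo "kernel forwarding: on"; else echo "kernel forwarding: off"; fi
    chain_for_packet in    10.0.0.1     1 "$fw_addrs"   # INPUT
    chain_for_packet in    203.0.113.10 1 "$fw_addrs"   # FORWARD
    chain_for_packet in    203.0.113.10 0 "$fw_addrs"   # DROPPED
    chain_for_packet local 203.0.113.10 1 "$fw_addrs"   # OUTPUT
}

demo
```

The model deliberately has no INPUT-then-FORWARD path: as the diagram shows, the routing decision comes first, so a forwarded packet is never seen by INPUT or OUTPUT rules.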
  
2. iptables is stateful.
  
Stateful means that if a packet is a reply to a packet previously sent out through the firewall, the kernel automatically lets the reply in and passes it back to the requester without checking any further rules. This way we do not need to write many rules to get the behaviour we want. Using this stateful capability of the new kernel is strongly recommended. How do we enable and use it?
  
Assume a company has the typical Internet connection shown in the following figure:
  
  10.0.0.2
  +------+                           +------------+
  |  PC  |       (10.0.0.1) eth1     |  firewall  |  eth0 (1.2.3.4)
  |  B   |-----------+---------------|     A      |------------------ Internet
  +------+           |               +------------+
           (LAN: 10.0.0.0/24)
  
The following rule set uses the stateful capability of iptables and enables IP masquerading.
  
1 modprobe ip_tables
2 echo 1 > /proc/sys/net/ipv4/ip_forward
3 iptables -F INPUT
4 iptables -F FORWARD
5 iptables -F POSTROUTING -t nat
6 iptables -P FORWARD DROP
7 iptables -A FORWARD -s 10.0.0.0/24 -j ACCEPT
8 iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
9 iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/24 -j MASQUERADE
10 iptables -A INPUT -p tcp -i eth0 --syn --dport 80 -j ACCEPT
11 iptables -A INPUT -p tcp -i eth0 --syn -j DROP
  
Note:
  
1. With the Red Hat modular kernel, once the ip_tables module is loaded, the subsequent commands load any further modules they need automatically.
If the ipchains or ipfwadm module is loaded, the iptables module cannot be loaded as well; remove it with rmmod first, then load the iptables module. On Red Hat you can use ntsysv to deselect the ipchains and iptables services, reboot, and then run the commands above.
Alternatively, put the commands in /etc/rc.d/rc.local so they run automatically at boot.
2. Line 2 enables IP forwarding.
3. Lines 3 to 5 flush the INPUT, FORWARD and (nat) POSTROUTING chains.
4. Line 6 sets the default policy of the FORWARD chain to DROP: a packet that is to be forwarded but matches none of the forwarding rules is handled by this default policy.
5. Line 7 forwards packets from machines in the internal segment to any destination.
6. Line 8 uses the stateful capability: a packet arriving on the external interface is accepted as long as it is a reply to a request previously sent out through that interface.
ESTABLISHED refers to an existing TCP connection, and RELATED to a packet related to one, such as an active-mode FTP data connection or the reply to an ICMP ping. When the reply arrives, the kernel checks whether the connection is listed in /proc/net/ip_conntrack; if it is, the packet passes without any further chain being checked.
7. Line 9 enables IP masquerading: the source address of every packet leaving eth0 is rewritten (SNAT). Note that this rule uses -o eth0, not -i eth0: in iptables, -o matches the interface a packet leaves by and -i the interface it arrived on.
8. Line 10: if this firewall is also a web server, new connection requests from outside to port 80 are allowed in.
9. Line 11 drops all other incoming TCP connection requests, that is, those not addressed to port 80.
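The eleven-line rule set as a parameterised, dry-runnable script. This is an added example, not the article's own script: the interface names and LAN prefix are assumptions defaulting to the article's values (eth0 outside, eth1 inside, 10.0.0.0/24). It goes one step beyond the article on line 7: the LAN ACCEPT rule also requires the packet to arrive on the internal interface, so a packet carrying a spoofed 10.0.0.x source that arrives from the Internet is not forwarded. Setting IPTABLES=echo prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example (not the article's own script): the rule set above as shell
# functions. EXT_IF, INT_IF and LAN are assumed parameters with the article's
# defaults. IPTABLES defaults to the real binary (needs root on a 2.4 box);
# set it to "echo" to see the commands instead of applying them.
: "${IPTABLES:=iptables}"

# enable_forwarding [PATH]: line 2 of the rule set. PATH defaults to the real
# sysctl file and is a parameter only so the function can be tested on a file.
enable_forwarding() {
    echo 1 > "${1:-/proc/sys/net/ipv4/ip_forward}"
}

# firewall_rules EXT_IF INT_IF LAN: lines 3 to 11 of the rule set.
firewall_rules() {
    ext=${1:-eth0}; int=${2:-eth1}; lan=${3:-10.0.0.0/24}

    # lines 3-5: start from empty chains (filter INPUT/FORWARD, nat POSTROUTING)
    $IPTABLES -F INPUT
    $IPTABLES -F FORWARD
    $IPTABLES -t nat -F POSTROUTING
    # line 6: anything not explicitly forwarded is dropped
    $IPTABLES -P FORWARD DROP
    # line 7: LAN hosts may go anywhere. -i "$int" is the added anti-spoofing
    # check: a LAN source address is only believed on the internal interface.
    $IPTABLES -A FORWARD -i "$int" -s "$lan" -j ACCEPT
    # line 8: replies arriving on the external interface are recognised by
    # connection tracking, so no per-service return rules are needed
    $IPTABLES -A FORWARD -i "$ext" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # line 9: masquerade (SNAT to the external address) LAN traffic leaving for the Internet
    $IPTABLES -t nat -A POSTROUTING -o "$ext" -s "$lan" -j MASQUERADE
    # lines 10-11: the firewall itself accepts new connections only to its web server
    $IPTABLES -A INPUT -p tcp -i "$ext" --syn --dport 80 -j ACCEPT
    $IPTABLES -A INPUT -p tcp -i "$ext" --syn -j DROP
}

# print_rules: same arguments as firewall_rules, but only prints what would run.
# The subshell keeps IPTABLES=echo from leaking into the caller's environment.
print_rules() {
    ( IPTABLES=echo; firewall_rules "$@" )
}

# To apply for real, as root and after "modprobe ip_tables":
#   enable_forwarding && firewall_rules eth0 eth1 10.0.0.0/24
print_rules eth0 eth1 10.0.0.0/24
```

Rule order matters for lines 10 and 11: the port 80 ACCEPT must precede the catch-all SYN DROP, which is why the script appends them in that sequence rather than relying on separate commands typed by hand.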
  
Note: Relationship between NAT and FORWARD chains
  
A. Regardless of NAT, the source and destination addresses seen by the packet filtering rules are the real source and destination addresses, even though the packet's address is rewritten when IP masquerading is performed. This can be seen in /proc/net/ip_conntrack.
  
B. If we did not use the stateful capability of iptables, then to let the machines in 10.0.0.0/24 masquerade as in the case above we would have to add the forwarding rule iptables -A FORWARD -d 10.0.0.0/24 -j ACCEPT. Otherwise the replies to the masqueraded packets would never reach the internal machines, because reply packets must also pass through the FORWARD chain.
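An added example, not from the article, that makes both note 6 above (the ESTABLISHED/RELATED state that line 8 matches on) and note A concrete by parsing /proc/net/ip_conntrack: each entry carries the original tuple with the real internal source and the reply tuple with the masqueraded firewall address, so comparing the two shows which connections were rewritten. The entries below are constructed in the 2.4 ip_conntrack layout; the function names and the file-path parameter are assumptions.

```shell
#!/bin/sh
# Added example (not the article's own code): summarise /proc/net/ip_conntrack
# entries and flag those that were masqueraded on the way out. Sample entries
# are constructed; on a real 2.4 firewall call conntrack_summary with no argument.

# sample_conntrack: constructed entries in the 2.4 format. Three are LAN hosts
# (10.0.0.2) masqueraded behind 1.2.3.4; the last is an outside client talking
# to the firewall's own web server, which involves no NAT.
sample_conntrack() {
    cat <<'EOF'
tcp      6 431999 ESTABLISHED src=10.0.0.2 dst=203.0.113.10 sport=1025 dport=80 src=203.0.113.10 dst=1.2.3.4 sport=80 dport=1025 [ASSURED] use=1
udp      17 27 src=10.0.0.2 dst=203.0.113.53 sport=1024 dport=53 src=203.0.113.53 dst=1.2.3.4 sport=53 dport=1024 use=1
icmp     1 29 src=10.0.0.2 dst=203.0.113.10 type=8 code=0 id=1234 src=203.0.113.10 dst=1.2.3.4 type=0 code=0 id=1234 use=1
tcp      6 300 ESTABLISHED src=198.51.100.7 dst=1.2.3.4 sport=40000 dport=80 src=1.2.3.4 dst=198.51.100.7 sport=80 dport=40000 [ASSURED] use=1
EOF
}

# conntrack_summary [FILE]: prints one line per entry:
#   PROTO STATE ORIG_SRC ORIG_DST REPLY_DST NAT
# STATE is the TCP state word ("-" for udp/icmp, which carry none). NAT is
# "masq" when the reply tuple's destination differs from the original source,
# i.e. the packet left with a rewritten source address, otherwise "-".
conntrack_summary() {
    awk '
    {
        proto = $1; state = "-"; n = 0
        src[1] = ""; src[2] = ""; dst[1] = ""; dst[2] = ""
        for (i = 2; i <= NF; i++) {
            # a bare upper-case word is the TCP state; [ASSURED] and use=N are not
            if ($i ~ /^[A-Z_]+$/) { state = $i; continue }
            if ($i ~ /^src=/) { n++; src[n] = substr($i, 5) }
            if ($i ~ /^dst=/) { dst[n] = substr($i, 5) }
        }
        nat = (dst[2] != src[1]) ? "masq" : "-"
        print proto, state, src[1], dst[1], dst[2], nat
    }' "${1:-/proc/net/ip_conntrack}"
}

# masqueraded_entries [FILE]: only the entries that were rewritten by NAT,
# which is exactly the traffic line 9 of the rule set is responsible for.
masqueraded_entries() {
    conntrack_summary "$@" | awk '$6 == "masq"'
}

# Worked run on the constructed sample.
f=$(mktemp)
sample_conntrack > "$f"
echo "all entries:";        conntrack_summary "$f"
echo "masqueraded entries:"; masqueraded_entries "$f"
rm -f "$f"
```

The filter rules on line 7 and 8 of the rule set see the ORIG_SRC column (10.0.0.2), never the rewritten 1.2.3.4, which is the point note A makes: NAT changes what leaves the wire, not what the filtering chains match against.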
  
Note: how can we prove that only one chain is traversed?
  
In the old ipchains, a packet had to pass the input, forward and output chains before it could be sent from the firewall to the Internet. With iptables only one chain is traversed. You can add the following rule to test this:
  
iptables -A INPUT -s 10.0.0.2/24 -j DROP
  
In iptables, this line only means that packets from any machine in this segment are dropped when their destination is the firewall itself; it does not affect NAT or forwarded packets. This was impossible in the old ipchains.