Programming and implementation of firewall in Linux (1) Example

Programming and implementation of firewall in Linux (1)

--- Excerpted from <lvmeng monthly> the Ninth Issue

◆ Programming implementation of firewall in linux

Author: flag <flag@isbase.com>
Home: http://www.isbase.com
Date: 2000-05-10

Preface

Linux comes with ipchains as its own firewall tool. There are many articles about how to use ipchains
Linux machines are configured as firewalls, but few articles seem to introduce how ipchains are implemented, that is, how linux
Implement firewall functions. Linux does have its own practice. It defines its own interface library for firewall implementation, including
The ip layer in the core implements the firewall. The following is my understanding of linux Firewall from the programming perspective.

I. Introduction to ipchains

Ipchains is a firewall configuration tool for linux. It was previously called ipfwadm. The version is updated very quickly. The current version number is
1.3.9. The security Digest on our website contains ipchains parameter introduction, which introduces the usage of ipchains.
Home reference. It defines three links, ipput, forward, and output chain, and then operates the chain, as shown in figure
Add, delete, and so on. It has powerful functions and allows users to define rules in a very detailed manner. This document does not describe ipchains usage,
Please read this article by yourself.

Ii. linux Firewall Implementation Analysis

1. Basic Knowledge

The TCP/IP Protocol processes incoming packets by placing the interface incoming packets in a buffer zone, which is processed by the IP process. In the IP address
Layer to determine whether the packet is routed or sent to a set of interfaces for processing. For outgoing packets, an interface is provided
Put it in the buffer, and the IP process then processes it and decides to send it from that interface. These tasks are completed by the kernel. Yes TCPIP
The process of processing packets.

2. Linux Firewall Analysis

Linux firewall is written in the kernel, specifically in the IP protocol, ipchains is just a command line program, it
The role is to write the rule table into the structure recognized by the system and then pass it to the kernel. This is a work done by Linux itself, because
This is not allowed in general set interface programming.

Static int ipfwc_init ()
{
Ipfwc_fn = ipfwc_init;
Init = 1;
Return (sockfd = socket (af_inet, sock_raw, ipproto_raw ))! =-1 );
}
You can see that this is an original set of interfaces, But please note that the third parameter of socket, the third parameter is created
When the original set of interfaces is not 0, it is a constant value, representing the protocol name, telling the system what protocol packages this set of interfaces accept. By RFC
Definition. in Linux, this constant is defined in <netinet/in. h>. However, the ipproto_raw used in this article represents a constant of 255,
The definition in RFC is a reserved item, which is used by linux. After IPPROTO_RAW is used to initiate an interface set;

Static int
Do_setsockopt (int cmd, const void * data, int length)
{
Return setsockopt (sockfd, IPPROTO_IP, cmd, (char *) data, length )! =-1;
}

Setsockopt can be used to set Interface Options. Here, it is used to pass a specific structure to the system. Its meaning is,
Linux defines an interface library that allows us to perform operations on the kernel to filter packets. This implementation greatly
It simplifies ipchains and makes the firewall more efficient.

3. Example

To verify the above view, I provide a small example,

# Include <stdio. h>
# Include <errno. h>
# Include <sys/socket. h>
# Include <linux/in. h>
# Include <linux/if. h>
Typedef char ip_chainlabel [9];

Struct ip_fw
{
Struct in_addr fw_src, fw_dst;/* Source and destination IP addr */
Struct in_addr fw_smsk, fw_dmsk;/* Mask for src and dest IP addr */
_ U32 fw_mark;/* ID to stamp on packet */
_ 2010fw_proto;/* Protocol, 0 = ANY */
_ 2010fw_flg;/* Flags word */
_ 2010fw_invflg;/* Inverse flags */
_ 2010fw_spts [2];/* Source port range .*/
_ 2010fw_dpts [2];/* Destination port range .*/
_ 2010fw_redirpt;/* Port to redirect .*/
_ 16fw_outputsize;/* Max amount to output
NETLINK */
Char fw_vianame [IFNAMSIZ];/* name of interface ""*/
_ U8 fw_tosand, fw_tosxor;/* Revised packet priority */
};
Struct ip_fwuser
{
Struct ip_fw ipfw;
Ip_chainlabel label;
};
Struct ip_fwchange
{
Struct ip_fwuser fwc_rule;
Ip_chainlabel fwc_label;
};

Main (int argc, char ** argv)
{
Static struct ip_fwchange new;
Struct ip_fwchange * new1;
Const char * srcpts = NULL, * dstpts = NULL;
Static int sockfd =-1;
New1 = & new;
If (argc! = 2)
{
Printf ("usage: <ipaddress>/n ");
Exit (1 );
}
If (sockfd = socket (AF_INET, SOCK_RAW, IPPROTO_RAW) =-1)
{
Printf ("init error! /N ");
Exit (1 );
}
Memcpy (new. fwc_rule.label, "DENY", sizeof (new. fwc_rule.label ));
Memcpy (new. fwc_label, "input", sizeof (new. fwc_label ));
If (inet_aton (argv [1], & new. fwc_rule.ipf1_fw_src.s_addr) = 0)
{
Printf ("aton err! /N ");
Exit (1 );
}
New. fwc_rule.ipf1_fw_smsk.s_addr = 0 xffffffff;
New. fwc_rule.ipf1_fw_dst.s_addr = 0x00000000;
New. fwc_rule.ipf1_fw_dmsk.s_addr = 0x00000000;
New. fwc_rule.ipf1_fw_spts [0] = 0;
New. fwc_rule.ipf1_fw_spts [1] = 0 xFFFF;
New. fwc_rule.ipf1_fw_dpts [0] = 0;
New. fwc_rule.ipf1_fw_dpts [1] = 0 xFFFF;
If (setsockopt (sockfd, IPPROTO_IP, 64, & new, sizeof (new) =-1)
Perror ("setsockopt err! ");
Else
Printf ("OK! /N ");
Exit (1 );
}

For your convenience, I listed the structures used. These structures are defined by the system. As mentioned above, I started
The third parameter is the original set interface of IPPROTO_RAW, and then start packaging. The source address is set to the argv parameter, and the source address mask
Set to 255.255.255.255, the destination address and Destination Address Mask are not limited, and the source port and destination port are both set to 0-65535.
The rule is set to "DENY" and the chain is set to "input". You can see that there are many items in the structure that can be set, which are omitted here. Setsockopt
The third item 64 is the system-defined constant, which means "append". For specific definitions, refer to ipfw (4 ). In this example
This means that the IP address package of the command line parameter is prohibited from entering the linux machine. The applet is compiled on radhat 6.1.
You can experiment with your own IP address, but you must run it with the root permission, because you need the root permission to set the original interface. After running you
You cannot even access your linux server. The most convenient solution is to run ipchains-F under root. As you can see
This applet implements Part of ipchains functions.
With this method, we can build our own interface as a firewall. However, this is not easy to use and has too many limitations. Because most
You can also create a graphical interface, which is easier to use than ipchains. If you want to implement your own ideas, you must change the kernel. So
How does the Kernel Handle the rules we pass in? Let's talk about it later.

Reference: Richard. Steven S's classic
Ipchains 1.3.9 source code
Linux 2.2.12 IPv4 source code