Iptables Guide 1.1.19 Oskar Andreasson
oan@frozentux.net
Copyright © 2001-2003 by Oskar Andreasson
Permission is granted to copy, distribute and/or modify this article under the terms of the GNU Free Documentation License, Version 1.1, provided that the Introduction and all chapters are retained unchanged, that the front cover (for example of a printed book) carries the text "Original Author: Oskar Andreasson", and that there are no back-cover texts. The full text of the GNU Free Documentation License is included in the appendix.
All scripts in this article are placed under the GNU General Public License, Version 2, and may be freely distributed and modified.
These scripts are given in the hope that they will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for details.
You should have received a copy of the GNU General Public License along with this article, in the section "GNU General Public License"; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA.
Dedication
First of all, I would like to dedicate this document to my wonderful girlfriend Ninel (she has helped me far more than I have given her): I hope I can make you as happy as you have made me. (Translator's note: I could not think of the right words to express how wonderful the author's girlfriend is; you will have to imagine it. Also, I wonder whether they are married now :) )
Second, I want to dedicate this article to all Linux developers and maintainers who have done unbelievably hard work to make such a good operating system possible.

Table of Contents

Translator's Preface
About the Author
How to Read
Essential Knowledge
Conventions Used in This Article
1. Preface
  1.1. Why write this guide
  1.2. How the guide is written
  1.3. Terminology used in the text
2. Preparation
  2.1. Where to get iptables
  2.2. Kernel configuration
  2.3. Compile and install
    2.3.1. Compile
    2.3.2. Install on Red Hat 7.1
3. Tables and chains
  3.1. Overview
  3.2. mangle table
  3.3. nat table
  3.4. filter table
4. State mechanism (connection tracking)
  4.1. Overview
  4.2. Conntrack records
  4.3. Packet states in user space
  4.4. TCP connections
  4.5. UDP connections
  4.6. ICMP connections
  4.7. Default connection behaviour
  4.8. Complex protocols and connection tracking
5. Saving and restoring rule sets
  5.1. Speed
  5.2. Drawbacks of restore
  5.3. iptables-save
  5.4. iptables-restore
6. Rules
  6.1. Basics
  6.2. Tables
  6.3. Commands
  6.4. Matches
    6.4.1. Generic matches
    6.4.2. Implicit matches
    6.4.3. Explicit matches
    6.4.4. Matches for abnormal packets
  6.5. Targets/jumps
    6.5.1. ACCEPT target
    6.5.2. DNAT target
    6.5.3. DROP target
    6.5.4. LOG target
    6.5.5. MARK target
    6.5.6. MASQUERADE target
    6.5.7. MIRROR target
    6.5.8. QUEUE target
    6.5.9. REDIRECT target
    6.5.10. REJECT target
    6.5.11. RETURN target
    6.5.12. SNAT target
    6.5.13. TOS target
    6.5.14. TTL target
    6.5.15. ULOG target
7. Firewall configuration example: rc.firewall
  7.1. About rc.firewall
  7.2. rc.firewall
    7.2.1. Parameter configuration
    7.2.2. External module loading
    7.2.3. proc settings
    7.2.4. Rule placement optimization
    7.2.5. Default policy settings
    7.2.6. Custom chains
    7.2.7. INPUT chain
    7.2.8. FORWARD chain
    7.2.9. OUTPUT chain
    7.2.10. PREROUTING chain
    7.2.11. POSTROUTING chain
8. Example scripts
  8.1. Structure of the rc.firewall.txt script
    8.1.1. Script structure
  8.2. rc.firewall.txt
  8.3. rc.DMZ.firewall.txt
  8.4. rc.DHCP.firewall.txt
  8.5. rc.UTIN.firewall.txt
  8.6. rc.test-iptables.txt
  8.7. rc.flush-iptables.txt
  8.8. limit-match.txt
  8.9. pid-owner.txt
  8.10. sid-owner.txt
  8.11. ttl-inc.txt
  8.12. iptables-save ruleset
A. Common commands in detail
  A.1. Viewing the current rule set
  A.2. Fixing and flushing iptables
B. FAQ with answers
  B.1. Module loading problems
  B.2. NEW-state packets without the SYN flag set
  B.3. SYN/ACK packets in the NEW state
  B.4. Using private IP addresses with an ISP
  B.5. Letting DHCP traffic through
  B.6. mIRC DCC problems
C. ICMP types
D. Other resources and links
E. Acknowledgements
F. History
G. GNU Free Documentation License
  0. Preamble
  1. Applicability and Definitions
  2. Verbatim Copying
  3. Copying in Quantity
  4. Modifications
  5. Combining Documents
  6. Collections of Documents
  7. Aggregation with Independent Works
  8. Translation
  9. Termination
  10. Future Revisions of This License
  How to use this License for your documents
H. GNU General Public License
  0. Preamble
  1. Terms and Conditions for Copying, Distribution and Modification
  2. How to Apply These Terms to Your New Programs
I. Sample scripts
  I.1. rc.firewall script code
  I.2. rc.DMZ.firewall script code
  I.3. rc.UTIN.firewall script code
  I.4. rc.DHCP.firewall script code
  I.5. rc.flush-iptables script code
  I.6. rc.test-iptables script code

List of Tables

3-1. Packets destined for the local machine (our own host)
3-2. Locally generated packets
3-3. Forwarded packets
4-1. Packet states in user space
4-2. Internal states
6-1. Tables
6-2. Commands
6-3. Options
6-4. Generic matches
6-5. TCP matches
6-6. UDP matches
6-7. ICMP matches
6-8. Limit match options
6-9. MAC match options
6-10. Mark match options
6-11. Multiport match options
6-12. Owner match options
6-13. State matches
6-14. TOS matches
6-15. TTL matches
6-16. DNAT target
6-17. LOG target options
6-18. MARK target options
6-19. MASQUERADE target
6-20. REDIRECT target
6-21. REJECT target
6-22. SNAT target
6-23. TOS target
6-24. TTL target
6-25. ULOG target
C-1. ICMP types

Translator's Preface
The translator, SLLSCN, is a "Linux newcomer" in China's Linux commune and a Linux enthusiast. While building a firewall with iptables in my day-to-day work, I found that there was too little Chinese material about iptables and had to consult the English version instead. For my own future reference, and for the many users who are afraid their English is too poor, I translated this article with a dictionary in hand. The aim was only that it be readable, not "good-looking", so please don't blame me.
Chapter One, the preface, contains nothing beyond the terminology introduced in its third subsection. Chapter Two is helpful to those who want to compile iptables themselves. Chapters Three and Four let us understand and master how iptables works and the processes it follows. Chapters Five and Six introduce the usage of the iptables command in detail. Chapters Seven and Eight are worked examples; they are instructive for writing our own rules, and I strongly recommend that you take a look. Some of the resource links in the appendix are very good, and I believe you will like them.
Because of terminology, some parts of the table of contents are left untranslated, but the body text is fully translated. Appendix F is the update history of this article, Appendix G is the GNU Free Documentation License and Appendix H is the GNU General Public License; they have no bearing on understanding iptables, so they are not translated.
When reading this article you may find places that repeat themselves. This is not because the original author's level is low, but precisely because of his consideration for us: you can read any chapter of this article without having to refer back and forth to other chapters. Here, once again, my respects to the author.
Due to the translator's limited level, the understanding of the original text is not guaranteed to be completely correct. If you have comments or suggestions, you can contact the translator at slcl@sohu.com.
Solemn statement: this translation was made with the permission of the original author, Oskar Andreasson. This article (not the original text) may be freely used, modified, disseminated and reprinted, but all rights are reserved for any use for profit.

About the Author
I have a lot of "old" computers on my local area network, and I want them to connect to the Internet and be secure. For this, iptables is a good upgrade from ipchains. With ipchains you could build a secure network by dropping all packets whose destination port is not one of a few specific ports, but this causes problems with some services, such as passive FTP and DCC sends out of IRC: they allocate a port on the server, inform the client and then let the client connect. However, there are a few bugs in iptables' code, and in some ways I find that the code is not ready for a complete production release, but I still recommend that people running ipchains or the older ipfwadm upgrade, unless they are satisfied with the code they are using or it is sufficient for their needs.

How to Read
This article introduces iptables so that you can comprehend how wonderful iptables is; it does not cover security bugs in iptables or netfilter. If you find any bugs or peculiar behaviour in iptables (or its components), please contact the netfilter mailing lists, where they will tell you whether it is a bug and how to fix it. There are few security bugs in iptables or netfilter; occasionally problems do turn up, and they can be found on the netfilter home page.
The scripts used in this article do not fix bugs within netfilter; they are given only to demonstrate how to construct rules so that we can solve the traffic-management problems we run into. This article also does not cover questions like "How do I close the HTTP port because Apache 1.2.12 is occasionally attacked?". This guide will show you how to close the HTTP port with iptables, but not because Apache is occasionally attacked.
This article is suitable for beginners, yet tries to be as complete as possible. Because there are so many targets and matches, not all of them are included. If you need that information, you can visit the netfilter home page.

Essential Knowledge
To read this article you need some basic knowledge, such as Linux/Unix, shell script writing and kernel compilation, and preferably some simple knowledge of the kernel.
I have tried as far as possible to make sure that the reader does not need this knowledge to understand the article, but that will not work for understanding the advanced parts. So some basis is needed.

Conventions Used in This Article
The following conventions are used in the article:
Code and command output use a fixed-width font; the command itself is in bold.

    [blueflux@work1 neigh]$ ls
    default  eth0  lo
    [blueflux@work1 neigh]$

All commands and program names are in bold.
All system components, such as hardware, kernel parts and loopback, are in italics.
This font is used for computer text output.
File names and path names look like this: /usr/local/bin/iptables.

1. Preface
1.1. Why write this guide?
I found that all of the current HOWTOs lacked information on the iptables and netfilter functions in the Linux 2.4.x kernel, so I have tried to answer some of the questions, such as state matching. I will use illustrations and the example script rc.firewall.txt to explain; place it in your /etc/rc.d/