For this article, we will use iptables user space tool Version 1.2.6a and kernel version 2.4.9.
Linux security and Netfilter/iptables
Linux has become very popular in the IT industry because of its robustness, reliability, flexibility, and customization that seems unlimited. Linux has many built-in capabilities that allow developers to customize their tools, behaviors, and appearances based on their own needs, without the need for expensive third-party tools. If the Linux system is connected to the Internet or LAN, server, or proxy server connected to the LAN and Internet, a built-in capability is to configure the firewall for the Linux system on the network. You canNetfilter/iptables IP information packet filtering system(It is integrated in the Linux Kernel 2.4.x.
In ExampleIpfwadmAndIpchainsIn such a Linux information package filtering solution, the Netfilter/iptables IP information package filtering system is the latest solution and the first solution integrated into the Linux kernel. For Linux system administrators, network administrators, and home users (they want to configure the firewall according to their specific needs, save costs on the firewall solution, and have full control over IP information packet filtering, the Netfilter/iptables system is ideal.
Understand firewall configuration and information packet filtering
For Linux systems connected to the network, the firewall is an essential defense mechanism. It only allows valid network traffic to access the system, and prohibits any other network traffic. To determine whether network traffic is valid, the firewall relies on a group predefined by the network or system administrator.Rules. These rules tell the firewall whether a traffic is valid and what to do for network traffic from a source, to a destination, or with a certain protocol type. The term "Configure Firewall" refers to adding, modifying, and removing these rules. I will discuss this in detail later.Rules.
Network Traffic is composed of IP information packets (orInformation Package)-It is composed of small pieces of data transmitted from the source system to the destination system in the form of a stream. This information includesHeaderThat is, the data bits attached to each package contain information about the source, destination, and protocol type of the information package. The firewall checks these headers according to a set of rules to determine which information package to accept and which information package to reject. We call this processInformation Package Filtering.
Why do I need to configure my own firewall?
You need to configure the firewall according to specific requirements for various factors and reasons. Perhaps the most important reason is security.
Administrators may want their firewalls to prevent unauthorized sources from accessing their Linux systems, such as telnet. They may also want to limit the network traffic in and out of their systems so that only traffic from the source can access their systems and only authorized traffic can go out. Home users may configure the firewall to a lower security level by allowing all outbound information packages to pass.
Another reason is that you can save bandwidth by blocking excessive traffic from sources such as ad sites.
Therefore, you can customize firewall configurations to meet any specific needs and any security level requirements. This is the use of the Netfilter/iptables system.
How does the Netfilter/iptables system work?
The Netfilter/iptables IP information packet filtering system is a powerful tool that can be used to add, edit, and remove rules. These rules are used for filtering and determining information packets, rules of the firewall. These rules are stored in a dedicated information packet filtering table, which is integrated into the Linux kernel. In the information packet filtering table, rules are grouped in what we callChain). I will discuss in detail these rules and how to create them and group them in the chain.
Although the Netfilter/iptables IP information packet filtering system is called a single entity, it is actually composed of two componentsNetfilterAndIptables.
The netfilter component is also calledKernel space)Is a part of the kernel, which consists of some information packet filtering tables that contain the rule set used by the kernel to control information packet filtering.
Iptables is a tool calledUser space)It makes it easy to insert, modify, and remove rules from the information packet filtering table. Unless you are using Red Hat Linux 7.1 or later, you need to download the tool from netfilter.org and install and use it.
By using user space, you can build custom rules that are stored in the information packet filtering table of the kernel space. These rules haveTargetThey tell the kernel what to do with information packages from certain sources, to certain destinations, or with certain protocol types. If an information package matches the rule, use the target
ACCEPTThis information package is allowed to pass. You can also use the target
REJECTTo block and kill information packets. There are many other targets for other operations that can be performed on the information package.
Based on the type of information package processed by the rule, you can group the rule in the chain. Rules for handling inbound information packages are added
INPUTChain. Rules for handling outbound information packages are added
OUTPUTChain. Rules for processing information packets being forwarded are added
FORWARDChain. These three links are the default main chains built in the basic information package filtering table. In addition, there are many other available chain types (such
POSTROUTING), And provides user-defined links. Each chain can havePolicyIt defines the "Default target", that is, the default operation to be performed. This operation is performed when the information package does not match any rule in the chain.
After creating rules and placing the chain in a proper position, you can start to perform real information packet filtering. At this time, the kernel space takes over the work from the user space. When the information package arrives at the firewall, the kernel first checks the header information of the information package, especially the destination of the information package. We call this processRouting.
If the information package comes from outside and goes to the system, and the firewall is enabled, the kernel will pass it to the kernel space information package filtering table.
INPUTChain. If the information package is from another source inside the system or connected to the Intranet, and the information package is to be sent to another external system
OUTPUTChain. Similarly, information packages originating from external systems and sent to external systems are transmitted
Next, compare the header information of the information package with each rule passed to the chain to see if it exactly matches a rule. If the information package matches a rule, the kernel executes the operation specified by the rule's target on the information package. However, if the information package does not match this rule, it will be compared with the next rule in the chain. Finally, if the information package does not match any rule in the chain, the kernel will refer to the chain policy to determine how to process the information package. The ideal policy should tell the kernel
DROPThis information package. Figure 1 shows the information package filtering process in graphs.
Figure 1. Information package filtering process
Because the netfilter component of Netfilter/iptables is integrated with kernel 2.4.x, you only need to download and install the iptables user space tool.
The following are the requirements for installing the Netfilter/iptables system:
- Hardware:To use Netfilter/iptables, you need a system that runs Linux OS and connects to the Internet, lan, or WAN.
- Software:Any version of Linux OS with kernel 2.4 or later. You can download the latest kernel from the http://www.kernel.org. You also need to download the iptables user space tool from the http://www.netfilter.org because it is not part of the kernel. However, for Redhat Linux version 7.1 or later, you do not need to download this tool because it is included in standard installation in version 7.1 or later.
- User:At least moderate understanding of Linux OS and experience in Linux Kernel configuration.
Preparations before installation
You must make some modifications to the system before installing the iptables user space tool. First, you must use
make configCommand to configure the kernel options. During configuration
YTo open them, because this is necessary for Netfilter/iptables to work. The following are other options that may be enabled:
CONFIG_PACKET:This option is useful if you want applications and programs to directly use certain network devices.
CONFIG_IP_NF_MATCH_STATE:If you want to configureStatefulFirewall, so this option is very important and useful. Such firewalls will remember the previous decisions on information packet filtering and make new decisions based on them. I will further discuss this issue in the advantages section of the Netfilter/iptables system.
CONFIG_IP_NF_FILTER:This option provides a basic information packet filtering framework. If this option is enabled, a basic filter table (with built-in
OUTPUTLink) to the kernel space.
CONFIG_IP_NF_TARGET_REJECT:This option can be specified: An ICMP error message should be sent to respond to
DROPInstead of killing them.
Now, you can prepare to install this user space tool.
Install the user space tool
You can start installation after downloading the source code of the iptables user space tool, which is similar to a iptables-1.2.6a.tar.bz2. You need
rootIdentity to log on to install. Listing 1 provides an example of the commands required to install the tool, the necessary order, and descriptions.
List 1. Examples of user space tool Installation
First, unpack the tool package into a directory:# bzip2 -d iptables-1.2.6a.tar.bz2# tar -xvf iptables-1.2.6a.tarThis will unpack the tool source into a directory named iptables-1.2.6a. Now change to the iptables-1.2.6a directory:# cd iptables-1.2.6aThe INSTALL file in this directory contains a lot of useful information on compiling and installing this tool.Now compile the userspace tool using the following command:# make KERNEL_DIR=/usr/src/linux/Here the KERNEL_DIR=/usr/src/linux/ specifies the path to the kernel's directory. If the directory of kernel happens to be different on some systems, the appropriate directory path should be substituted for /usr/src/linux.Now install the source binaries using the following command:# make install KERNEL_DIR=/usr/src/linux/Now the installation is complete.
Note:If you have RedHat Linux version 7.1 or later, you do not need to perform the first two steps described here. As we know, the standard installation of the Linux distribution version (distribution) includes the iptables user space tool. However, by default, this tool is disabled. To run the tool, perform the following steps (listing 2 ):
Listing 2. Example of setting up a user space tool on the Redhat 7.1 system
First you'll have to turn off the old ipchains module (predecessor of iptables) available in this OS package.This can be done using the following command:# chkconfig --level 0123456 ipchains offNext, to completely stop the ipchains module from running, so that it doesn't conflict with the iptables tool, you will have to stop the ipchains service using the following command:# service ipchains stopNow if you don't want to keep this old ipchains module on your system, uninstall it using the following command:# rpm -e ipchainsNow you can turn on the iptables userspace tool with the following command:# chkconfig --level 235 iptables onFinally, you'll have to activate the iptables service to make the userspace tool work by using this command:# service iptables startNow the userspace tool is ready to work on a RedHat 7.1 or higher system.
Now everything is ready and the Netfilter/iptables system should be running. Next, you need to set up rules and chains to filter information packets.
Establish rules and links
By providing a firewall with instructions on what to do for information packets from a source, to a destination, or with a specific protocol type, rules control the filtering of information packets. Use special commands provided by the Netfilter/iptables System
iptablesCreate these rules and add them to the chains in the specific information package filter table of the kernel space. The general syntax of the command for adding, removing, and editing rules is as follows:
$ iptables [-t table] command [match] [target]
[-t table]You can use any table other than the standard table. A table is an information packet filtering table that contains rules and links that only process specific types of information packets. Three table options are available:
mangle. This option is not required. If not specified
filterUsed as the default table.
The filter table is used for filtering information packets. It contains
FORWARDChain. The NAT table is used to forward information packets. It contains
POSTROUTINGChain. Use the mangle table if any changes are made to the information package and its header. This table contains rules to mark the information packages used for advanced routing. This table contains
PREROUTINGA chain is composed of rules that change a specified information package once it reaches the firewall.
POSTROUTINGA chain is composed of rules that change a legitimate information package when it intends to leave the firewall.
The mandatory command section in the preceding command is
iptablesThe most important part of a command. It tells
iptablesCommand, such as inserting rules, adding rules to the end of a chain, or deleting rules. The following are the most common commands:
--append:This command attaches a rule to the end of the chain.
$ iptables -A INPUT -s 126.96.36.199 -j ACCEPT
This example command attaches a rule
INPUTAt the end of the chain, make sure that the information package from the source address 188.8.131.52 can
-DSpecifies the rule to be matched or the location number of the rule in the chain. This command deletes the rule from the chain. The following example shows the two methods.
$ iptables -D INPUT --dport 80 -j DROP
$ iptables -D OUTPUT 3
The first command is from
INPUTChain deletion rule, which specifies
DROPGo to the information package on port 80. The second command is from
OUTPUTDelete a rule numbered 3.
--policy:This command sets the default target of the chain, that is, the policy. All information packages that do not match any rules in the chain will be forced to use the chain policy.
$ iptables -P INPUT DROP
This command will
INPUTThe default target of the chain is
DROP. This means that all and
INPUTAny rule in the chain does not match the information package.
--new-chain:Create a new chain with the name specified in the command.
$ iptables -N allowed-chain
--flush:If the chain name is specified, this command deletes all rules in the chain. If the chain name is not specified, this command deletes all rules in all chains. This parameter is used for quick clearing.
$ iptables -F FORWARD
$ iptables -F
--list:Lists All rules in a chain.
$ iptables -L allowed-chain
The optional match part of the iptables command specifies the characteristics (such as source and destination addresses, protocols, and so on) that the information package matches with the rule ). Matching can be divided into two categories:General matchAndProtocol-specific matching. Here, I will study generic matching that can be used for information packages that use any protocol. Below are some important and commonly used general-purpose matching examples and descriptions:
--protocol:This generic Protocol match is used to check certain protocols. The Protocol examples include:
ICMP, A list of combinations of any of the three protocols separated by commas, and
ALL(For all protocols ).
ALLIs the default match. Available
!Symbol, indicating that it does not match the item.
$ iptables -A INPUT -p TCP, UDP
$ iptables -A INPUT -p ! ICMP
In the preceding example, both commands run the same task-they specify all
UDPThe information package will match the rule. By specifying
! ICMP, We intend to allow all other protocols (in this case
--source:This source match is used to match the source IP address of the information package. This match also allows you to match IP addresses in a certain range. You can use
!Symbol, indicating that it does not match this item. The default source match matches all IP addresses.
$ iptables -A OUTPUT -s 192.168.1.1
$ iptables -A OUTPUT -s 192.168.0.0/24
$ iptables -A OUTPUT -s ! 184.108.40.206
The second command specifies that the rule matches all information packets from the IP address ranges of 192.168.0.0 to 192.168.0.24. The third command specifies that this rule will match any information package except the source address 220.127.116.11.
--destination:This destination match is used to match the destination IP address of the information package. This match also allows you to match IP addresses in a certain range. You can use
!Symbol, indicating that it does not match this item.
$ iptables -A INPUT -d 192.168.1.1
$ iptables -A INPUT -d 192.168.0.0/24
$ iptables -A OUTPUT -d ! 18.104.22.168
We already know that the target is the operation specified by the rule, and these operations are performed on the information packages that match those rules. In addition to allowing users to define targets, there are also many available target options. The following are common objectives, examples, and descriptions:
There are also many other goals for creating advanced rules, such
Now you have learned how to create basic rules and links and how to add or delete them from the information packet filtering table. However, you should remember that the rules created using the above method will be saved to the kernel and will be lost when the system is rebooted. Therefore, if you add a rule set that is not correct and valid to the information packet filtering table and want to use these rules again after the reboot, the rule set must be saved in the file. AvailableIptables-saveCommand to do this:
$ iptables-save > iptables-script
Now, all the rules in the information packet filtering table are saved in the file iptables-script. You can always useIptables-RestoreCommand to restore the rule set from the script file to the information package filtering table, as shown below:
$ iptables-restore iptables-script
If you are willing to automatically restore the rule set every time you boot the system, you can put the command specified above in any initialization shell script.
Advantages of Netfilter/iptables
The biggest advantage of Netfilter/iptables is that it can be configured with a stateful firewall, which is an important feature that previous tools such as ipfwadm and ipchains cannot provide. A stateful firewall can specify and remember the status of the Connection established for sending or receiving information packets. The firewall can obtain this information from the Connection Tracing status of the information package. When determining the filtering of new information packets, the status information used by the firewall can increase the efficiency and speed. There are four valid states, named respectively
ESTABLISHEDIndicates that the information package is a established connection, which is used to send and receive information packages and is fully valid.
INVALIDStatus indicates that the information package is not associated with any known stream or connection. It may contain incorrect data or headers. Status
NEWIt means that the information package has or will start a new connection, or it is associated with a connection that has not been used to send or receive the information package. Finally,
RELATEDIndicates that the information package is starting a new connection and is associated with the established connection.
Another important advantage of Netfilter/iptables is that it allows users to fully control firewall configurations and information packet filtering. You can customize your own rules to meet your specific needs, so that only the network traffic you want can enter the system.
In addition, Netfilter/iptables is free, which is ideal for those who want to save money. It can replace expensive firewall solutions.
The latest Linux kernel 2.4.x has a built-in IP information packet filtering tool such as Netfilter/iptables, which makes it cheaper and more convenient to configure firewall and information packet filtering. The Netfilter/iptables system allows users to fully control firewall configurations and information packet filtering. It allows you to create customizable rules for the firewall to control information packet filtering. It also allows you to configure stateful firewalls.
- Obtain the latest information about the Netfilter/iptables system from the netfilter website and download the iptables user space tool.
- Visit the Linux 2.4 packet filtering howto web page for quick reference on Netfilter/iptables.
- Please refer to this detailed tutorial on Netfilter/iptables (iptables tutorial 1.1.9 ).
- Obtain answers to any questions about Netfilter/iptables from the Netfilter/iptables FAQ.
|About the author
Mugdha vairagade is a developer with experience working in multiple organizations. She has rich experience in wireless application development and is specialized in component architecture. She is particularly interested in the open source project and has participated in the Linux documentation project, Forum Nokia (WAP Developer Forum) and W3C work. She also compiled technical articles on Linux and XML technologies. You can contact mugdha via email@example.com.