| Back to logs list
22128020 2009 年 03 月 26 日 13:46 Reading (loading. ..) Comments (0) Category: Computer Related
2 .
preparation phase of this chapter is to learn iptables start, it will help you understand Netfilter and iptables in Linux role. It will tell you how to configure, install a firewall, your experience will grow. Of course, in order to achieve your goals, it takes time, but also have perseverance. (Translator's Note: That sounds very scary)
2.1. Where can I get iptables
iptables
www.netfilter.org download from the site in the FAQs is a good tutorial. iptables can use some kernel space, you can configure the kernel with make configure configuration process, the following will explain the necessary steps.
2.2. kernel configuration
to run iptables, required during the kernel configuration, select the following options, whether you use make config, or other commands.
CONFIG_PACKET - allows programs direct access to network devices (Translator's Note: The most common is the network card), such as tcpdump and snort is necessary to use this feature.
Note
Strictly speaking, iptables does not need CONFIG_PACKET, but it has many uses (Translator's Note: other programs needed), so chosen. Of course, you do not want, do not choose it wants to. (Translator's Note: It is recommended or chosen for good)
CONFIG_NETFILTER - allows the computer as a gateway or firewall. This is necessary because the entire article should use this function. I think you need this, who told you to learn iptables it
course, you give the correct network device drivers installed, for example, Ethernet cards, PPP also SLIP. The above options,
mbt shoes, but in the establishment of a framework for the kernel, iptables, it has been run, but can not do any substantive work. We need more options. The following are given the option to kernel 2.4.9 and simple instructions:
CONFIG_IP_NF_CONNTRACK - connection tracking module for NAT (network address translation) and Masquerading (ip masquerading), and of course, there are other applications. If you want one of these machines in the LAN as the firewall, this module you count the election. Script rc.firewall.txt To work, to must have its existence.
CONFIG_IP_NF_FTP - This option provides the connection for the FTP connection tracking. In general, connection tracking on FTP connections is very difficult to do this, you need a dynamic link library called the helper. This option is used to compile the helper's. Without this feature, you can not pass through the firewall or gateway to use FTP.
CONFIG_IP_NF_IPTABLES - With it, you can use filtering, masquerading,
mbt sale, NAT. It joined the iptables identification framework for the kernel. Without it, iptables useless.
CONFIG_IP_NF_MATCH_LIMIT - This module is not very necessary, but I used the example rc.firewall.txt. It provides matching LIMIT function to facilitate the use of an appropriate rule to control every minute to match the number of packets. For example,-m limit - limit 3/minute role is to match up to three per minute packets. This feature can also be used to eliminate a DoS attack.
CONFIG_IP_NF_MATCH_MAC - selecting this module, can match the MAC address of the packet. For example, we want to block certain MAC address to use the data packet, or block certain computer communications, with this very easy. Because each Ethernet card has its own MAC address, and almost never change. But I have not used this feature rc.firewall.txt, other examples are not used. (Translator's Note: This is another description of the study is laying the foundation for the future)
CONFIG_IP_NF_MATCH_MARK - This option is used to mark packets. The packet to do MARK (mark) operation, we can in the back of the table using the tags to match packets. Described in detail later.
CONFIG_IP_NF_MATCH_MULTIPORT - choose this module we can use the port range to match the packet, without it, can not do this.
CONFIG_IP_NF_MATCH_TOS - so that we can set the data packets TOS (Type Of Service service type). This work also use the command ip / tc completed, can also be used in the mangle table to set some rules.
CONFIG_IP_NF_MATCH_TCPMSS - MSS matches can be based on TCP packets.
CONFIG_IP_NF_MATCH_STATE - compared to ipchains This is the biggest update, and with it, we can do on the state of the packet matches. For example, a TCP connection in both directions have been communications, the data packets on the connection to be considered as ESTABLISHED (connection established) state. Is used extensively in the rc.firewall.txt function of this module.
CONFIG_IP_NF_MATCH_UNCLEAN - match the type that do not meet the standard or invalid P, TCP, UDP, ICMP packet (Translator's Note: The reason why this module is named UNCLEAN, can be understood, where the package is not the correct model are dirty . This is somewhat like the operating system memory management in the We generally discard such a packet, but I do not know whether this is correct. Also note that this matching is still the experimental stage, there might be some problems.
CONFIG_IP_NF_MATCH_OWNER - according to the owner of the socket matches the packet. For example, we only allow root access to Internet. In iptables, this module was originally just an example to illustrate its functionality. Again, this module also in the experimental stage, it can not be used.
CONFIG_IP_NF_FILTER - this module to add the basic filter table iptables, which contains the INPUT, FORWARD, OUTPUT chain. Table by filtering IP filtering can be done completely. Just want to filter data packets, whether sent or received, and regardless of what kind of filter, are required for this module.
CONFIG_IP_NF_TARGET_REJECT - This action allows us to respond with ICMP error message packets received, rather than simply discard it. Must have responded in some cases, for example, relative to the ICMP and UDP, the TCP connection to reset or reject always need a TCP RST packet.
CONFIG_IP_NF_TARGET_MIRROR - This operation allows data packets to send it back to the computer. For example, we in the INPUT chain to the destination port for the HTTP package set MIRROR operation, when someone visits HTTP, the packet is sent back to the original computer, and finally, his visit might be his own home. (Translator's Note: It should be easy to understand why it is called MIRROR a)
CONFIG_IP_NF_NAT - As the name implies, this module provides NAT functionality. This option so that we have access to the nat table. Port forwarding and masquerading is required for this module. Of course, if your LAN where all computers are the only valid IP addresses, or disguise it when making a firewall need not be this option. rc.firewall.txt is needed
CONFIG_IP_NF_TARGET_MASQUERADE - provide MASQUERADE (camouflage) operation. Internet connection if we do not know the IP, the preferred method is to use MASQUERADE, DNAT or instead of SNAT. In other words, if we use PPP or SLIP, etc. connected to the Internet, or other services allocated by the DHCP IP, use SNAT better than this. MASQUERADE do not need to know in advance because of Internet connection the IP, although the computer than NAT MASQUERADE load is slightly higher.
CONFIG_IP_NF_TARGET_REDIRECT - this operation and the agent used is useful. It will not make the data packets directly through, but the package re-mapped to the local host, which is complete and transparent proxy.
CONFIG_IP_NF_TARGET_LOG - an increase for the iptables LOG (log) operation. With it, you can use the system log service records of certain data packets, so we can understand what happened in the bag. This is for us to do security reviews, debugging scripts help is priceless.
CONFIG_IP_NF_TARGET_TCPMSS - This option can deal with some of the information sub-block ICMP ISP (service provider) or services. No ICMP segment information, a number of web pages, e-mail can not large, although small messages can be, and, after the completion of the handshake, ssh works but scp does not work. TCPMSS we can solve this problem is to make the MSS (Maximum Segment Size) is clamped in the PMTU (Path Maximum Transmit Unit). This method can handle Netfilter developers in the kernel configuration help called
CONFIG_IP_NF_COMPAT_IPCHAINS - ipchains, and this is just for the core conversion from 2.2 to 2.4 and use, it will be removed in 2.6.
CONFIG_IP_NF_COMPAT_IPFWADM - above, this is only a temporary use ipfwadm compatibility mode.
above, I outlined a lot of options, but only in the kernel 2.4.9. To see more options, I suggest you go look Netfilter patch-o-matic. Where there are some other options. POM may be added to the kernel, of course, not yet. There are many reasons, for example, is not stable, Linus Torvalds did not intend to or did not insist on these patches into the mainstream kernel, because they are still experimental.
the following options compiled into the kernel or compiled as modules, rc.firewall.txt to use.
*
CONFIG_PACKET
*
CONFIG_NETFILTER
*
CONFIG_IP_NF_CONNTRACK
*
CONFIG_IP_NF_FTP
*
CONFIG_IP_NF_IRC
*
CONFIG_IP_NF_IPTABLES
*
CONFIG_IP_NF_FILTER
*
CONFIG_IP_NF_NAT
*
CONFIG_IP_NF_MATCH_STATE
*
CONFIG_IP_NF_TARGET_LOG
*
CONFIG_IP_NF_MATCH_LIMIT
*
CONFIG_IP_NF_TARGET_MASQUERADE
more is to ensure the normal work rc.firewall.txt the minimum required options. Other options script requires, in the corresponding chapters are instructions. Currently, we only need to pay attention to learn the script.
2.3. compile and install
the following, we take a look at how to compile iptables. iptables configuration of many components, the configuration of the kernel is compiled, the compiler is associated, to understand this point is very important. Some of the products pre-installed Linux iptables, such as Red Hat, but it is not enabled by default iptables's. We will explain later how to enable it, will also introduce other products in the iptables Linux situation.
2.3.1. compile iptables
first to extract the package. Here, an example I use iptables 1.2.6a (Translator's Note: In my translation, the latest version is already 1.2.9, of which there are a number of improvements, fixes some bug, add a couple of match and the target.) . Command bzip2-cd iptables-1.2.6a.tar.bz2 | tar-xvf - (of course, can also use tar-xjvf iptables-1.2.6a.tar.bz2, but this command may be some older version of tar does not apply) will be extract the archive to the directory iptables-1.2.6a, which the INSTALL file has a lot of build and run useful information.
this step,
mbt shoes clearance, you will configure, install some additional modules, you can also add some options for the kernel. Just check here, install some standards not included in the kernel patch. Of course, the more patches in the experimental stage, only during some other operations will be used.
Note
some patches only at the experimental stage, they installed is not a good idea. This step, you will meet many interesting matches and the operation of the data packets, but they also are experiments.
order to complete this step, we have to use the directory in the following iptables commands:
make pending-patches KERNEL_DIR = / usr / src / linux /
variable KERNEL_DIR kernel source points to the true path. Under normal circumstances, is / usr / src / linux /, but it will be different, depending on your use of the Linux product.
Note
short, only some of the patches will be asked whether to join the core, while the Netfilter developers are a large number of patches or attachments you want to add the kernel, but still have to experiment a while to do it. If you want to install these things, use the following command:
make most-of-pom KERNEL_DIR = / usr / src / linux /
This command will install some patch-o-matic (netfilter patch world call), ignore the very extreme of that part of the kernel that they may cause serious damage. You have to know the role of this command to understand their impact on the core of the original code, and good use before you will be prompted. The following command to install all the patch-o-matic (Translator's Note: Oh, be careful.)
make patch-o-matic KERNEL_DIR = / usr / src / linux /
to carefully read the help files for each patch, because some of the patch-o-matic will damage the core, and some of the other patches are damaging.
Note
If you do not intend to use patch-o-matic patch the kernel, the above commands do not need, they are not required. However, you can use these commands to see what interesting stuff, this will not affect anything.
install patch-o-matic, should now recompile the kernel, because it increased the number of patches. But do not forget to re-configure the kernel, the existing configuration file will not have the information you add the patch. Of course, you can first compile iptables, kernel again.
compile iptables on the next, and with the following simple command:
make KERNEL_DIR = / usr / src / linux /
iptables should be compiled, and if not, consider the issue carefully consider where, or subscribe to Netfilter mailing list, there may be someone to help you.
all goes well, we installed iptables, which would have little problem. We use the following command to complete this step:
make install KERNEL_DIR = / usr / src / linux /
now done. If you do not recompile the front, install the kernel, now do, or else, you still can not use the updated iptables. INSTALL a good look at it, that there are detailed installation information.
2.3.2. in the Red Hat 7.1 installed on
Red Hat 7.1 uses kernel 2.4.x support Netfilter and iptables. Red Hat includes all the basic procedures and the required configuration files, but the default is to use B class = COMMAND> ipchains.
Note
Red Hat 7.1 pre-installed iptables version of some old, prior to use, you may want to install a new, re-compile the kernel yourself.
we need to turn off ipchains, and do not want to let it run up and do this, to change the directory / etc / rc.d / under some of the file name. Completed with the following command:
chkconfig - level 0123456 ipchains off
all point to the command / etc / rc.d / init.d / ipchains soft connection renamed K92ipchains. To S at the beginning that when it starts to run this script from the init script. To K at the beginning, you said that termination of service, or after the boot is no longer running. This, ipchains will not turn on after the run.
order to terminate the services are running, use the service command. Termination of service ipchains command is:
service ipchains stop
Now we can start the iptables service. First, be sure to run the floor which runs generally 2,
mbt trainers,3 and 5, the layer has a different purpose:
*
2. Not with NFS, multi-user environment, and the difference between layer 3 is not only with network support.
*
3. multi-user environment, that is something we generally use the layer.
*
5. X11, graphical interface.
with the following command to make iptables run in these layers:
chkconfig - level 235 iptables on
You can also use this command to make iptables run in the other layers. But no need, because the level 1 is single user mode, is generally used in maintenance; layer 4 are reserved; layer 6 is used to turn off the computer.
start iptables by:
service iptables start
iptables script was not yet defined rules. In the Red Hat 7.1 There are two ways to add the rule: the first is to edit / etc / rc.d / init.d / iptables, pay attention to the use of RPM to upgrade iptables, the existing rules may be deleted. Another method is to load the rules, then use the command iptables-save to save the rules file, then under the directory rc.d script (/ etc / rc.d / init.d / iptables) automatically loaded.
us to illustrate how to use In order to load when the computer starts iptables rules, you can put the rules on the Note: If the rules on the , the script knows what to do. Should also check Must pay attention to the changes we have done the upgrade iptables may be deleted, and whether through Red Hat Network automatically update or upgrade with RPM.
second method described below: the first to write a regular script, or directly with the iptables command to generate the rules. Rules to suit their needs, do not forget to experiment to see if there is a problem recognized correctly, use the command iptables-save to save the rule. General use iptables-save> / etc / sysconfig / iptables rules save the file generated / etc / sysconfig / iptables, can also use service iptables save, it can automatically save the rules in / etc / sysconfig / iptables in. When the computer starts, rc.d scripts under the command iptables-restore will call up the file, which will automatically restore the rules.
best not to mix the two methods in order to avoid the rules defined in different ways influence each other, and even the firewall settings are invalid.
this point, you can delete the pre-installed ipchains and iptables,
mbt chapa, and so avoid the old and the new version of iptables conflict. In fact,
mbt lami, only when you install from the original code, only need to do this. But in general, it will not influence one another, because the package does not use rpm based on the original code of the default directory. Delete the following command:
rpm-e iptables
since ipchains why not keep it? Delete it! Command as follows:
rpm-e ipchains
long-suffering, victory finally arrived. You have to install iptables from the source. Those things to delete the old version of it.
Around 1865
Hybrid Mode
