Posted 2009-03-26 13:44, category: Computer Related
Repost: Chinese iptables 1.1.19 Guide (super classic), enjoy.
Source: Garden of Eden
Linux iptables Guide 1.1.19
Oskar Andreasson
blueflux@koffein.net
Copyright © 2001-2003 by Oskar Andreasson
This document is released under the GNU Free Documentation License, version 1.1. You may copy, distribute and modify it, but you must retain the preface and all chapters, and when it is printed as a book the cover must include the required notice; the license itself is reproduced in the appendix.
All scripts in this document are placed under the GNU General Public License, version 2; you may distribute and modify them freely.
These scripts are given in the hope that they will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for details.
This document contains a copy of the GNU General Public License in the section of that name (Free Software Foundation, Boston, MA 02111-1307 USA).
Dedication
First of all, I want to dedicate this to my wonderful girlfriend Ninel (the help she gave me is far more than what I gave her): I hope I make you as happy as you make me. (Translator's note: I could not think of the right words to express how wonderful his girlfriend is; you will have to imagine it yourselves. Also, I do not know whether they are married now.)
Secondly, I want to dedicate this to all Linux developers and maintainers; it is their incredibly hard work that has made such a good operating system possible.
Table of Contents
Translator's preface
About this document
How to read this document
Prerequisites
Conventions used in this document
1. Preamble
1.1. Why write this guide
1.2. How this guide was written
1.3. Terms used in this document
2. preparation phase
2.1. Where can I get iptables
2.2. Kernel configuration
2.3. compile and install
2.3.1. compile
2.3.2. Installation on Red Hat 7.1
3. Tables and chains
3.1. Overview
3.2. mangle table
3.3. nat table
3.4. Filter Table
4. state mechanism
4.1. Overview
4.2. conntrack records
4.3. Packet states in user space
4.4. TCP connection
4.5. UDP connections
4.6. ICMP connection
4.7. Default connection operations
4.8. complex protocol and connection tracking
5. Saving and restoring rule sets
5.1. Speed
5.2. Drawbacks of restore
5.3. iptables-save
5.4. iptables-restore
6. How rules are built
6.1. Basics
6.2. Tables
6.3. Commands
6.4. Matches
6.4.1. Generic matches
6.4.2. Implicit matches
6.4.3. Explicit matches
6.4.4. Matches for malformed packets
6.5. Targets / Jumps
6.5.1. ACCEPT target
6.5.2. DNAT target
6.5.3. DROP target
6.5.4. LOG target
6.5.5. MARK target
6.5.6. MASQUERADE target
6.5.7. MIRROR target
6.5.8. QUEUE target
6.5.9. REDIRECT target
6.5.10. REJECT target
6.5.11. RETURN target
6.5.12. SNAT target
6.5.13. TOS target
6.5.14. TTL target
6.5.15. ULOG target
7. Firewall configuration example: rc.firewall
7.1. About rc.firewall
7.2. rc.firewall explained
7.2.1. Parameter configuration
7.2.2. Loading external modules
7.2.3. proc settings
7.2.4. Rule placement optimization
7.2.5. Default policies
7.2.6. User-defined chains
7.2.7. INPUT chain
7.2.8. FORWARD chain
7.2.9. OUTPUT chain
7.2.10. PREROUTING chain
7.2.11. POSTROUTING chain
8. Example configurations
8.1. rc.firewall.txt script structure
8.1.1. script structure
8.2. rc.firewall.txt
8.3. rc.DMZ.firewall.txt
8.4. rc.DHCP.firewall.txt
8.5. rc.UTIN.firewall.txt
8.6. rc.test-iptables.txt
8.7. rc.flush-iptables.txt
8.8. Limit-match.txt
8.9. Pid-owner.txt
8.10. Sid-owner.txt
8.11. Ttl-inc.txt
8.12. Iptables-save ruleset
A. Common commands explained
A.1. Commands to view the current rule set
A.2. Commands to fix and flush iptables
B. Frequently asked questions and answers
B.1. Module loading problems
B.2. NEW-state packets without the SYN bit set
B.3. SYN/ACK packets and the NEW state
B.4. ISPs using private IP addresses
B.5. Letting DHCP traffic through
B.6. mIRC DCC problems
C. ICMP types
D. Other resources and links
E. Acknowledgements
F. History
G. GNU Free Documentation License
0. PREAMBLE
1. APPLICABILITY AND DEFINITIONS
2. VERBATIM COPYING
3. COPYING IN QUANTITY
4. MODIFICATIONS
5. COMBINING DOCUMENTS
6. COLLECTIONS OF DOCUMENTS
7. AGGREGATION WITH INDEPENDENT WORKS
8. TRANSLATION
9. TERMINATION
10. FUTURE REVISIONS OF THIS LICENSE
How to use this License for your documents
H. GNU General Public License
0. Preamble
1. TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
2. How to Apply These Terms to Your New Programs
I. Example scripts code
I.1. rc.firewall script code
I.2. rc.DMZ.firewall script code
I.3. rc.UTIN.firewall script code
I.4. rc.DHCP.firewall script code
I.5. rc.flush-iptables script code
I.6. rc.test-iptables script code
List of Tables
3-1. Packets destined for the local host (our own machine)
3-2. Packets originating from the local host
3-3. Forwarded packets
4-1. Packet states in user space
4-2. Internal states
6-1. Tables
6-2. Commands
6-3. Options
6-4. Generic matches
6-5. TCP matches
6-6. UDP matches
6-7. ICMP matches
6-8. Limit match options
6-9. MAC match options
6-10. Mark match options
6-11. Multiport match options
6-12. Owner match options
6-13. State matches
6-14. TOS matches
6-15. TTL matches
6-16. DNAT target
6-17. LOG target options
6-18. MARK target options
6-19. MASQUERADE target
6-20. REDIRECT target
6-21. REJECT target
6-22. SNAT target
6-23. TOS target
6-24. TTL target
6-25. ULOG target
C-1. ICMP type
Translator's preface (translator: sllscn)
As a member of the Linux commune, for my own future reference and for the benefit of ordinary users, and not afraid of my poor English, I turned over the dictionary and translated this article. The translation aims only to be readable, at best.
The first chapter, the preamble, has little in it apart from section 1.3 on terminology, which is worth a look. The second chapter is of some help to those who want to compile iptables. Chapters 3 and 4 let us understand and grasp how iptables works and processes packets. Chapters 5 and 6 describe the usage of the iptables command in detail. Chapters 7 and 8 explain by example and serve as a guideline for writing our own rules; I strongly suggest you take a look. The resource links in the appendix are very good; I am sure you will like them.
For the sake of terminology, some parts of the table of contents are not translated, but the content of the text is. Appendix F is the update history, Appendix G is the GNU Free Documentation License and Appendix H is the GNU General Public License; they have nothing to do with how iptables works, so they are not translated.
After reading this article you may notice repetitions. This is not because the original author's level is low; it is precisely the result of his consideration for us: you can pick out any chapter to read without having to refer repeatedly to other chapters. Here, once again, I pay tribute to the author!
Because the translator's ability is limited, I cannot guarantee a completely correct understanding of the original. For comments or suggestions you can contact the translator at
slcl@sohu.com
Solemn declaration: this translation was made with the permission of the original author, Oskar Andreasson. This article (not the original) may be freely used, modified, transmitted and reprinted, but for profit-making purposes all rights are reserved.
There is a lot going on in my LAN, and iptables is a good upgrade from ipchains. With ipchains you could discard all incoming packets, but this causes problems with some services, such as passive FTP and outgoing IRC DCC: they assign ports on the server, inform the client, and then let the client connect. The iptables code does have some small problems, and in some respects I found it not quite a finished product ready for release, but I still recommend that people using ipfwadm or even the older ipchains upgrade, unless they are satisfied with that code or it meets their needs.
This document describes how to understand iptables so that you can appreciate how wonderful it is; it does not cover security bugs in iptables or Netfilter. If you find any bug or strange behaviour in iptables (or its components), please contact the Netfilter mailing lists; they will tell you whether it is a bug and how to solve it. iptables and Netfilter have almost no security bugs, though of course a problem turns up occasionally; these can be found on the Netfilter homepage.
The scripts used in this document cannot fix bugs inside Netfilter; they are given only to demonstrate how to structure rules so that we can solve the problems encountered in managing data streams. This does not include cases such as the following: this guide will show you how to close the HTTP port with iptables, but not because Apache is occasionally attacked.
This document is suitable for beginners, but it is also as comprehensive as possible. There are too many targets and matches for all of them to be included. If you need that information, visit the Netfilter homepage.
Prerequisites
Before reading this document, we should have some basic knowledge, such as Linux/Unix, shell scripting and kernel compilation, and ideally some simple knowledge of the kernel itself.
I have tried as much as possible to let readers without this knowledge fully understand the document, but understanding the extensions without it is not realistic. So a little foundation is still needed.
Conventions used in this document
The following conventions are used in the text:
*
Code and command output use a fixed-width font; commands are in bold.
[blueflux@work1 neigh]$ ls
default eth0 lo
[blueflux@work1 neigh]$
*
All command and program names are in bold.
*
All system components, such as hardware, kernel components and loopback, use italics.
*
Text output by the computer uses this font.
*
File names and path names look like this: /usr/local/bin/iptables.
1. Preamble
1.1. Why write this guide
I found that all the current HOWTOs lack information about the iptables and Netfilter functions in the Linux 2.4.x kernels, so I tried to answer some questions, such as state matching. I will illustrate with the example rc.firewall.txt, which you can use in your /etc/rc.d/. This document was originally written in the form of a HOWTO, because many people only accept HOWTO documents.
There is also a small script, rc.flush-iptables.txt; I wrote it just so that, when you configure things, you can have the same feeling of success that I had.
1.2. How this guide was written
I asked Marc Boucher and other core members of the netfilter team. I am very grateful for their work and for the help they gave me while I was writing this guide for boingworld.com; the guide is now maintained on my own site, frozentux.net. This document will teach you the setup process step by step, so that you get to know the iptables package better. Most of it is based on the example rc.firewall file, since I found that to be a good way to learn iptables. I decided to go through the rc.firewall file top-down to learn iptables. Although that is harder, it is more logical. When you come across something you do not understand, look at this file again.
1.3. Terms used in this document
This document contains some terms you should understand. Here are some explanations, with notes on how they are used.
DNAT - Destination Network Address Translation. DNAT is a technique for changing the destination IP address of a packet. It is often combined with SNAT to let multiple servers share a single IP address connected to the Internet while continuing to serve; traffic is told apart by assigning different ports on the same IP address.
Stream - a stream is the packets sent and received between both sides of a connection (Translator's note: in this article a connection is regarded as one-way, and the two-way flow is treated as the connection). In general the term describes a connection transmitting two or three packets in both directions. For TCP, a stream means a connection: it sends a SYN and then a SYN/ACK is returned. But it may also refer to a connection where a SYN is sent and an ICMP host unreachable message comes back. In other words, I use the word loosely.
SNAT - Source Network Address Translation. This is a technique for changing the source IP address of a packet, often used to let multiple computers share one Internet address. It is only used with IPv4, because IPv4 addresses are running out; IPv6 will solve this problem.
State - the state a packet is in. States are defined in RFC 793 - Transmission Control Protocol, or customised by the user in Netfilter/iptables. Note that Netfilter sets a number of states on connections and packets, but does not fully use the RFC 793 definitions.
User space - anything that happens outside the kernel. For example, calling iptables -h happens outside the kernel, but iptables -A FORWARD -p tcp -j ACCEPT happens (partially) inside the kernel, because it adds a new rule to the rule set.
Kernel space - as opposed to user space: things that happen inside the kernel.
Userland - see User space.
target - this word is used a great deal later; it means the operation performed on a packet that matches a rule.
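The DNAT and SNAT terms above, as an added example that is not part of the tutorial: a small Python model of a NAT box that rewrites addresses in both directions and keeps a connection-tracking table so that replies can be translated back, labelling packets NEW or ESTABLISHED as the tutorial's state vocabulary does. The public address 203.0.113.10, the LAN prefix 192.168.1. and the per-port server map are constructed sample values, and the model keeps the source port unchanged, which a real NAT need not do.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

PUBLIC_IP = "203.0.113.10"   # constructed: the firewall's Internet-facing address
LAN_PREFIX = "192.168.1."    # constructed: the private network behind it
# DNAT: one public address, and the destination port picks the internal server
DNAT_BY_PORT = {80: ("192.168.1.10", 80), 25: ("192.168.1.20", 25)}

class NatBox:
    def __init__(self):
        self.dnat_replies = {}  # reply tuple from LAN server -> (public ip, public port)
        self.snat_replies = {}  # reply tuple from Internet  -> (lan ip, lan port)

    def inbound(self, pkt):
        """Internet -> firewall (PREROUTING side): DNAT, or undo an earlier SNAT."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.snat_replies:            # reply to a LAN host's outgoing flow
            lan_ip, lan_port = self.snat_replies[key]
            return replace(pkt, dst=lan_ip, dport=lan_port), "ESTABLISHED"
        if pkt.dst == PUBLIC_IP and pkt.dport in DNAT_BY_PORT:
            srv_ip, srv_port = DNAT_BY_PORT[pkt.dport]
            # remember the mapping so the server's reply gets the public address back
            self.dnat_replies[(srv_ip, srv_port, pkt.src, pkt.sport)] = (pkt.dst, pkt.dport)
            return replace(pkt, dst=srv_ip, dport=srv_port), "NEW"
        return None, "DROP"                     # no server published on that port

    def outbound(self, pkt):
        """LAN -> Internet (POSTROUTING side): SNAT, or undo an earlier DNAT."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.dnat_replies:            # server answering a DNATed client
            pub_ip, pub_port = self.dnat_replies[key]
            return replace(pkt, src=pub_ip, sport=pub_port), "ESTABLISHED"
        if pkt.src.startswith(LAN_PREFIX):
            # SNAT: the LAN host hides behind PUBLIC_IP (source port kept as-is here;
            # a real NAT may remap it on collisions)
            self.snat_replies[(pkt.dst, pkt.dport, PUBLIC_IP, pkt.sport)] = (pkt.src, pkt.sport)
            return replace(pkt, src=PUBLIC_IP), "NEW"
        return pkt, "NEW"                       # already public, leave untouched
```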