Linux 2.4 Packet Filtering HOWTO
Rusty Russell, mailing list netfilter@lists.samba.org
Translated by netmanforever@yahoo.com
v1.0.1, Mon May 1 18:09:31 CST 2000

This document describes how to use iptables to filter out bad packets with the 2.4 Linux kernel.
______________________________________________________________________

Table of Contents

1. Introduction
2. Where Can I Get the Official Distribution?
3. So What's A Packet Filter?
   3.1 Why Would I Want to Packet Filter?
   3.2 How Do I Packet Filter Under Linux?
      3.2.1 iptables
      3.2.2 Making Rules Permanent
4. Who the Hell Are You, and Why Are You Playing With My Kernel?
5. Rusty's Really Quick Guide To Packet Filtering
6. How Packets Traverse The Filters
7. Using iptables
   7.1 What You'll See When Your Computer Starts Up
   7.2 Operations on a Single Rule
   7.3 Filtering Specifications
      7.3.1 Specifying Source and Destination IP Addresses
      7.3.2 Specifying Inversion
      7.3.3 Specifying Protocol
      7.3.4 Specifying an Interface
      7.3.5 Specifying Fragments
      7.3.6 Extensions to iptables: New Matches
         7.3.6.1 TCP Extensions
            7.3.6.1.1 An Explanation of TCP Flags
         7.3.6.2 UDP Extensions
         7.3.6.3 ICMP Extensions
         7.3.6.4 Other Match Extensions
         7.3.6.5 The State Match
   7.4 Target Specifications
      7.4.1 User-specified Chains
      7.4.2 Extensions to iptables: New Targets
      7.4.3 Special Built-In Targets
   7.5 Operations on an Entire Chain
      7.5.1 Creating a New Chain
      7.5.2 Deleting a Chain
      7.5.3 Flushing a Chain
      7.5.4 Listing a Chain
      7.5.5 Resetting (Zeroing) Counters
      7.5.6 Setting Policy
8. Using ipchains and ipfwadm
9. Mixing NAT and Packet Filtering
10. Differences Between iptables and ipchains
11. Advice on Packet Filtering Design
______________________________________________________________________

1. Introduction

Welcome, gentle reader.

It is assumed that you know what an IP address, a network address, a netmask, routing and DNS are. If not, I recommend you read the Network Concepts HOWTO.

This HOWTO flips between a gentle introduction (which will leave you feeling warm and fuzzy) and raw full-on disclosure (which would leave all but the hardiest holding their head and twitching).

Your network is not secure. The problem of allowing fast, convenient communication while restricting its use to good, rather than evil, is like trying to let people talk freely while preventing them from lying. This HOWTO cannot solve that problem.

So this HOWTO covers only the packet filtering part, and only enough of it for you to set up the filtering and understand what you are doing. What you decide to filter (which mostly comes down to your own policy and degree of paranoia) is up to you.

2. Where Can I Get the Official Distribution?

There are three sites which carry the official distribution:

o  From Filewatcher (http://netfilter.filewatcher.org).

o  From The Samba Team and SGI (http://www.samba.org/netfilter).

o  From Jim Pick (http://netfilter.kernelnotes.org).

The netfilter mailing lists are hosted on Samba's Listserver (http://lists.samba.org).

3. So What's A Packet Filter?

A packet filter is a piece of software which looks at the header of packets as they pass through, and decides the fate of the entire packet. It might decide to DROP the packet (i.e., discard the packet as if it had never received it), ACCEPT the packet (i.e., let the packet go through), or something more complicated.

Under Linux, packet filtering is built into the kernel (as a kernel module, or built right in), and there are a few trickier things we can do with packets, but the general idea of looking at the headers and deciding the fate of the packet is still there.

3.1. Why Would I Want to Packet Filter?
There are three reasons: control, security and watchfulness.

Control: When you are using a Linux box to connect your internal network to another network (say, the Internet) you have an opportunity to allow some types of traffic, and disallow others. For example, the header of a packet contains the destination address of the packet, so you can prevent packets going to a certain part of the outside network. As an example, I use Netscape to access the Dilbert archives. There are advertisements from doubleclick.net on the page, and Netscape wastes my time by cheerfully downloading them. Telling the packet filter not to allow any packets to or from the addresses owned by doubleclick.net solves that problem (there are better ways of doing this though: see Junkbuster).

Security: When your Linux box is the only thing between the chaos of the Internet and your nice, orderly network, it's nice to know you can restrict what comes tromping in your door. For example, you might allow anything to go out from your network, but you might be worried about the well-known `Ping of Death' coming in from malicious outsiders. As another example, you might not want outsiders telnetting to your Linux box, even though all accounts have passwords. Maybe you want (like most people) to be an observer on the Internet, and not a server (willing or otherwise). Simply don't let anyone connect in, by having the packet filter reject incoming packets used to set up connections.

Watchfulness: Sometimes a badly configured machine on the local network will decide to spew packets to the outside world. It's nice to tell the packet filter to let you know if anything abnormal occurs; maybe you can do something about it, or maybe you're just curious.

3.2. How Do I Packet Filter Under Linux?

Linux kernels have had packet filtering since the 1.1 series. The first generation, based on ipfw from BSD, was ported by Alan Cox in late 1994. This was enhanced by Jos Vos and others for Linux 2.0; the userspace tool `ipfwadm' controlled the kernel filtering rules. In mid-1998, for Linux 2.2, I reworked the kernel quite heavily, with the help of Michael Neuling, and introduced the userspace tool `ipchains'. Finally, the fourth-generation tool, `iptables', and another kernel rewrite occurred in mid-1999 for Linux 2.4. It is this iptables which this HOWTO concentrates on.

You need a kernel which has the netfilter infrastructure in it: netfilter is a general framework inside the Linux kernel which other things (such as the iptables module) can plug into. This means you need kernel 2.3.15 or beyond, and answer `Y' to CONFIG_NETFILTER when you configure the kernel.

The tool iptables talks to the kernel and tells it what packets to filter. Unless you are a programmer, or overly curious, this is how you will control the packet filtering.

3.2.1. iptables

The iptables tool inserts and deletes rules from the kernel's packet filtering table. This means that whatever you set up, it will be lost upon reboot; see ``Making Rules Permanent'' for how to make sure they are restored the next time Linux is booted.

iptables is a replacement for ipfwadm and ipchains: see ``Using ipchains and ipfwadm'' for how to painlessly avoid using iptables if you're using one of those tools.

3.2.2. Making Rules Permanent

Your current firewall setup is stored in the kernel, and thus will be lost on reboot. The iptables-save and iptables-restore scripts are on my TODO list. When they exist, I highly recommend using them.

(Translator's note: under ipchains, ipchains-save and ipchains-restore can be used to save and restore the rules in the same way.)

Meanwhile, put the commands to set up your rules in an initialization script. Make sure you do something intelligent if one of the commands should fail (usually `exec /sbin/sulogin').

4. Who the Hell Are You, and Why Are You Playing With My Kernel?

I'm Rusty Russell, one of the Linux IP firewall maintainers, and the coder who happened to be in the right place at the right time. I wrote ipchains (see ``How Do I Packet Filter Under Linux?'' above for the credit to the people who did the real work), and have learned enough to get packet filtering right this time, I hope.

WatchGuard, an excellent firewall company who sell the really nice plug-in Firebox, offered to pay me to do nothing, which allows me to spend all my time working on this stuff. I predicted 6 months, and it took 12, but I feel that it's been done right. Many rewrites, a hard disk crash, a stolen laptop, a few corrupted filesystems and one broken screen later, here it is.

While I was at it, I was also getting a number of kernel people to fix things that didn't work. Thanks, in no particular order, to David S. Miller, Alexey Kuznetsov, Andi Kleen and Alan Cox, who patiently put up with my questions (and my bugs).

5. Rusty's Really Quick Guide To Packet Filtering

Most people just have a single PPP connection to the Internet, and don't want anyone coming back into their network, or the firewall:

     ## Insert connection-tracking modules (not needed if built into kernel).
     # insmod ip_conntrack
     # insmod ip_conntrack_ftp

     ## Create chain which blocks new connections, except if coming from inside.
     # iptables -N block
     # iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
     # iptables -A block -m state --state NEW -i ! ppp0 -j ACCEPT
     # iptables -A block -j DROP

     ## Jump to that chain from INPUT and FORWARD chains.
     # iptables -A INPUT -j block
     # iptables -A FORWARD -j block

6. How Packets Traverse The Filters

The kernel starts with three lists of rules in the `filter' table; these lists are called firewall chains or just chains. The three chains are called INPUT, OUTPUT and FORWARD.

For ASCII-art fans, the chains are arranged like so (NOTE: this is a very different arrangement from the 2.0 and 2.2 kernels!):

                                     _____
         Incoming                   /     \         Outgoing
                -->[Routing ]--->|FORWARD|------->
                   [Decision]     \_____/        ^
                        |                        |
                        v                       ____
                       ___                     /    \
                      /   \                   |OUTPUT|
                     |INPUT|                   \____/
                      \___/                       ^
                        |                         |
                         ----> Local Process -----

The three circles represent the three chains mentioned above. When a packet reaches a circle in the diagram, that chain is examined to decide the fate of the packet. If the chain says to DROP the packet, it is killed there, but if the chain says to ACCEPT the packet, it continues traversing the diagram.

A chain is a checklist of rules. Each rule says `if the packet header looks like this, then here's what to do with the packet'. If the rule doesn't match the packet, then the next rule in the chain is consulted. Finally, if there are no more rules to consult, then the kernel looks at the chain policy to decide what to do. In a security-conscious system, this policy usually tells the kernel to DROP the packet.

1. When a packet comes in (say, through the Ethernet card) the kernel first looks at the destination of the packet: this is called `routing'.

2. If it's destined for this box, the packet passes downwards in the diagram, to the INPUT chain. If it passes this, any processes waiting for that packet will receive it.

3. Otherwise, if the kernel does not have forwarding enabled, or it doesn't know how to forward the packet, the packet is dropped. If forwarding is enabled, and the packet is destined for another network interface (if you have another one), then the packet goes rightwards on our diagram to the FORWARD chain. If it is ACCEPTed, it will be sent out.

4. Finally, a program running on the box can send network packets. These packets pass through the OUTPUT chain immediately: if it says ACCEPT, then the packet continues out to whatever interface it is destined for.

7. Using iptables

iptables has a fairly detailed manual page (man iptables), in case you need more detail on particulars. Those of you familiar with ipchains might want to look at ``Differences Between iptables and ipchains''; they are very similar.

There are several different things you can do with iptables. You start with three built-in chains INPUT, OUTPUT and FORWARD which you can't delete. Let's look at the operations to manage whole chains:

1. Create a new chain (-N).

2. Delete an empty chain (-X).

3. Change the policy for a built-in chain (-P).

4. List the rules in a chain (-L).

5. Flush the rules out of a chain (-F).

6. Zero the packet and byte counters on all rules in a chain (-Z).

There are several ways to manipulate rules inside a chain:

1. Append a new rule to a chain (-A).

2. Insert a new rule at some position in a chain (-I).

3. Replace a rule at some position in a chain (-R).

4. Delete a rule at some position in a chain (-D).

5. Delete the first rule that matches in a chain (-D).

7.1. What You'll See When Your Computer Starts Up

iptables may be a module, called `iptable_filter.o', which should be automatically loaded when you first run iptables. It can also be built into the kernel permanently.

Before any iptables commands have been run (careful: some distributions will run iptables in their initialization scripts), there will be no rules in any of the built-in chains (`INPUT', `FORWARD' and `OUTPUT'), and all the chains will have a policy of ACCEPT. You can alter the default policy of the FORWARD chain by providing the `forward=0' option to the iptable_filter module.

7.2. Operations on a Single Rule
This is the bread-and-butter of packet filtering: manipulating rules. Most commonly, you will probably use the append (-A) and delete (-D) commands. The others (-I for insert and -R for replace) are simple extensions of these concepts.

Each rule specifies a set of conditions the packet must meet, and what to do if it meets them (a `target'). For example, you might want to drop all ICMP packets coming from the IP address 127.0.0.1. So in this case our conditions are that the protocol must be ICMP and that the source address must be 127.0.0.1. Our target is `DROP'.

127.0.0.1 is the `loopback' interface, which you will have even if you have no real network connection. You can use the `ping' program to generate such packets (it simply sends an ICMP type 8 (echo request) which all cooperative hosts should obligingly respond to with an ICMP type 0 (echo reply) packet). This makes it useful for testing.

     # ping -c 1 127.0.0.1
     PING 127.0.0.1 (127.0.0.1): 56 data bytes
     64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.2 ms

     --- 127.0.0.1 ping statistics ---
     1 packets transmitted, 1 packets received, 0% packet loss
     round-trip min/avg/max = 0.2/0.2/0.2 ms
     # iptables -A INPUT -s 127.0.0.1 -p icmp -j DROP
     # ping -c 1 127.0.0.1
     PING 127.0.0.1 (127.0.0.1): 56 data bytes

     --- 127.0.0.1 ping statistics ---
     1 packets transmitted, 0 packets received, 100% packet loss
     #

You can see here that the first ping succeeds (the `-c 1' tells ping to only send a single packet).

Then we append (-A) to the `INPUT' chain a rule specifying that for packets from 127.0.0.1 (`-s 127.0.0.1') with protocol ICMP (`-p icmp') we should jump to DROP (`-j DROP').

Then we test our rule, using the second ping. There will be a pause before the program gives up waiting for a response that will never come.

We can delete the rule in one of two ways. Firstly, since we know that it is the only rule in the input chain, we can use a numbered delete, as in:

     # iptables -D INPUT 1
     #

to delete rule number 1 in the INPUT chain.

The second way is to mirror the -A command, but replacing the -A with -D. This is useful when you have a complex chain of rules and you don't want to have to count them to figure out that it's rule 37 that you want to get rid of. In this case, we would use:

     # iptables -D INPUT -s 127.0.0.1 -p icmp -j DROP
     #

The syntax of -D must have exactly the same options as the -A (or -I or -R) command. If there are multiple identical rules in the same chain, only the first will be deleted.

7.3. Filtering Specifications

We have seen the use of `-p' to specify protocol, and `-s' to specify source address, but there are other options we can use to specify packet characteristics. What follows is an exhaustive compendium.

7.3.1. Specifying Source and Destination IP Addresses

Source (`-s', `--source' or `--src') and destination (`-d', `--destination' or `--dst') IP addresses can be specified in four ways. The most common way is to use the full name, such as `localhost' or `www.linuxhq.com'. The second way is to specify the IP address such as `127.0.0.1'.

The third and fourth ways allow specification of a group of IP addresses, such as `199.95.207.0/24' or `199.95.207.0/255.255.255.0'. These both specify any IP address from 199.95.207.0 to 199.95.207.255 inclusive; the digits after the `/' tell which parts of the IP address are significant. `/32' or `/255.255.255.255' is the default (match all of the IP address). To specify any IP address at all `/0' can be used, like so:

     [ NOTE: `-s 0/0' is redundant here. ]
     # iptables -A INPUT -s 0/0 -j DROP
     #

This is rarely used, as the effect above is the same as not specifying the `-s' option at all.

7.3.2. Specifying Inversion

Many flags, including the `-s' (or `--source') and `-d' (or `--destination') flags, can have their arguments preceded by `!' (pronounced `not') to match addresses NOT equal to the ones given. For example, `-s ! localhost' matches any packet not coming from localhost.

7.3.3. Specifying Protocol

The protocol can be specified with the `-p' (or `--protocol') flag. Protocol can be a number (if you know the numeric protocol values for IP) or a name for the special cases of `TCP', `UDP' or `ICMP'. Case doesn't matter, so `tcp' works as well as `TCP'.

The protocol name can be prefixed by a `!' to invert it, so `-p ! TCP' specifies packets which are not TCP.

7.3.4. Specifying an Interface
The `-i' (or `--in-interface') and `-o' (or `--out-interface') options specify the name of an interface to match. An interface is the physical device the packet came in on (`-i') or is going out on (`-o'). You can use the ifconfig command to list the interfaces which are `up' (i.e., working at the moment).

Packets traversing the INPUT chain don't have an output interface, so any rule using `-o' in this chain will never match. Similarly, packets traversing the OUTPUT chain don't have an input interface, so any rule using `-i' in this chain will never match. Only packets traversing the FORWARD chain have both an input and an output interface.

It is perfectly legal to specify an interface which currently does not exist; the rule will not match anything until the interface comes up. This is extremely useful for dial-up PPP links (usually interface ppp0) and the like.

As a special case, an interface name ending with a `+' will match all interfaces (whether they currently exist or not) which begin with that string. For example, to specify a rule which matches all PPP interfaces, the -i ppp+ option would be used.

The interface name can be preceded by a `!' to match a packet which doesn't match the specified interface(s).

7.3.5. Specifying Fragments

Sometimes a packet is too large to fit down a wire all at once. When this happens, the packet is divided into fragments, and sent as multiple packets. The other end reassembles the fragments to reconstruct the whole packet.

The problem with fragments is that the initial fragment has the complete header fields (IP + TCP, UDP and ICMP) to examine, but subsequent packets only have a subset of the header (IP without the additional protocol fields). Thus looking inside subsequent fragments for protocol headers (such as is done by the TCP, UDP and ICMP extensions) is not possible.

If you are doing connection tracking or NAT, then all fragments will get merged back together before they reach the packet filtering code, so you need never worry about fragments.

Otherwise, it is important to understand how fragments get treated by the filtering rules. Any filtering rule that asks for information we don't have will not match. This means that the first fragment is treated like any other packet. Second and further fragments won't be. Thus a rule -p TCP --sport www (specifying a source port of `www') will never match a fragment (other than the first fragment). Neither will the opposite rule -p TCP --sport ! www.

However, you can specify a rule specifically for second and further fragments, using the `-f' (or `--fragment') flag. It is also legal to specify that a rule does not apply to second and further fragments, by preceding the `-f' with `!'.

Usually it is regarded as safe to let second and further fragments through, since filtering will affect the first fragment, and thus prevent reassembly on the target host; however, bugs have been known to exist which allow crashing of machines simply by sending fragments. Your call.

Note for network-heads: malformed packets (TCP, UDP and ICMP packets too short for the firewalling code to read the ports or ICMP code and type) are dropped when such examinations are attempted. So are TCP fragments starting at position 8.

(Translator's note: the original here reads `So are TCP fragments starting at position 8'; I take position 8 to be an offset within the TCP header.)

As an example, the following rule will drop any fragments going to 192.168.1.1:

     # iptables -A OUTPUT -f -d 192.168.1.1 -j DROP
     #

7.3.6. Extensions to iptables: New Matches

iptables is extensible, meaning that both the kernel and the iptables tool can be extended to provide new features.

Some of these extensions are standard, and others are more exotic. Extensions can be made by other people and distributed separately for niche users.

Kernel extensions normally live in the kernel module subdirectory, such as /lib/modules/2.3.15/net. They are demand loaded, if your kernel was compiled with CONFIG_KMOD set, so you should not need to manually insert them.

Extensions to the iptables program are shared libraries which usually live in /usr/local/lib/iptables/, although a distribution would put them in /lib/iptables or /usr/lib/iptables.

Extensions come in two types: new targets, and new matches (we'll talk about new targets a little later). Some protocols automatically offer new tests: currently these are TCP, UDP and ICMP as shown below.

For these you will be able to specify the new tests on the command line after the `-p' option, which will load the extension. For explicit new tests, use the `-m' option to load the extension, after which the extended options will be available.

To get help on an extension, use the option to load it (`-p', `-j' or `-m') followed by `-h' or `--help', e.g.:

     # iptables -p tcp --help
     #

7.3.6.1. TCP Extensions

The TCP extensions are automatically loaded if `-p tcp' is specified. They provide the following options (none of which match fragments).

--tcp-flags
     Followed by an optional `!', then two strings of flags, allows you to filter on specific TCP flags. The first string of flags is the mask: a list of flags you want to examine. The second string of flags tells which one(s) should be set. For example,

          # iptables -A INPUT --protocol tcp --tcp-flags ALL SYN,ACK -j DROP

     This indicates that all flags should be examined (`ALL' is synonymous with `SYN,ACK,FIN,RST,URG,PSH'), but only SYN and ACK should be set. There is also an argument `NONE' meaning no flags.

--syn
     Optionally preceded by a `!', this is shorthand for `--tcp-flags SYN,RST,ACK SYN'.

--source-port
     Followed by an optional `!', then either a single TCP port, or a range of ports. Ports can be port names, as listed in /etc/services, or numeric. Ranges are either two port names separated by a `:', or (to specify greater than or equal to a given port) a port with a `:' appended, or (to specify less than or equal to a given port) a port preceded by a `:'.

--sport
     Synonym for `--source-port'.

--destination-port and --dport
     Same as above, only they specify the destination port to match.

--tcp-option
     Followed by an optional `!'
     and a number, matches a packet with a TCP option equalling that number. A packet which does not have a complete TCP header is dropped automatically if an examination of its TCP options is attempted.

7.3.6.1.1. An Explanation of TCP Flags

It is sometimes useful to allow TCP connections in one direction, but not the other. For example, you might want to allow connections to an external WWW server, but not connections from that server.

The naive approach would be to block TCP packets coming from the server. Unfortunately, TCP connections require packets going in both directions to work at all.

The solution is to block only the packets used to request a connection. These packets are called SYN packets (ok, technically they're packets with the SYN flag set, and the RST and ACK flags cleared, but we call them SYN packets for short). By disallowing only these packets, we can stop attempted connections in their tracks.

The `--syn' flag is used for this: it is only valid for rules which specify TCP as their protocol. For example, to specify TCP connection attempts from 192.168.1.1:

     -p TCP -s 192.168.1.1 --syn

This flag can be inverted by preceding it with a `!', which means every packet other than the connection initiation.

7.3.6.2. UDP Extensions

These extensions are automatically loaded if `-p udp' is specified. They provide the options `--source-port', `--sport', `--destination-port' and `--dport' as detailed for TCP above.

7.3.6.3. ICMP Extensions

This extension is automatically loaded if `-p icmp' is specified. It provides only one new option:

--icmp-type
     Followed by an optional `!', then either an icmp type name (e.g. `host-unreachable'), or a numeric type (e.g. `3'), or a numeric type and code separated by a `/' (e.g. `3/3'). A list of available icmp type names is given using `-p icmp --help'.

7.3.6.4. Other Match Extensions

The other extensions in the netfilter package are demonstration extensions, which (if installed) can be invoked with the `-m' option.

mac
     This module must be explicitly specified with `-m mac' or `--match mac'. It is used to match incoming packets' source Ethernet (MAC) address, and thus is only useful for packets traversing the PREROUTING and INPUT chains. It provides only one option:

     --mac-source
          Followed by an optional `!', then an ethernet address in colon-separated hexbyte notation, e.g. `--mac-source 00:60:08:91:CC:B7'.

limit
     This module must be explicitly specified with `-m limit' or `--match limit'. It is used to restrict the rate of matches, such as for suppressing log messages. It will only match a given number of times per second (by default 3 matches per hour, with a burst of 5). It takes two optional arguments:

     --limit
          Followed by a number; specifies the maximum average number of matches to allow per second. The number can specify units explicitly, using `/second', `/minute', `/hour' or `/day', or parts of them (so `5/second' is the same as `5/s').

     --limit-burst
          Followed by a number, indicating the maximum burst before the above limit kicks in.

     This match can often be used with the LOG target to do rate-limited logging. To understand how it works, let's look at the following rule, which logs packets with the default limit parameters:

          # iptables -A FORWARD -m limit -j LOG

     The first time this rule is reached, the packet will be logged; in fact, since the default burst is 5, the first five packets will be logged. After this, it will be twenty minutes before a packet will be logged from this rule, regardless of how many packets reach it. Also, every twenty minutes which passes without matching a packet, one of the burst will be regained; if no packets hit the rule for 100 minutes, the burst will be fully recharged, back where we started.

     Note: you cannot currently create a rule with a recharge time greater than about 59 hours, so if you set an average rate of one per day, then your burst rate must be less than 3.

     You can also use this module to avoid various denial of service attacks (DoS) with a faster rate to increase responsiveness.

     Syn-flood protection:

          # iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT

     Furtive port scanner:

          # iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

     Ping of death:

          # iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

     This module works like a "hysteresis door", as shown in the graph below.

             rate (pkt/s)
                  ^        .---.
                  |       /  DoS \
                  |      /        \
     Edge of DoS -|.....:.........\.......................
      = (limit *  |    /:           \
     limit-burst) |   / :            \         .-.
                  |  /  :             \       /   \
                  | /   :              \     /     \
     End of DoS  -|/....:..............:.../.......\..../.
      = limit     |     :              :`-'         `--'
     -------------+-----+--------------+------------------> time (s)
        LOGIC =>  Match | Didn't Match |    Match

     Say we match one packet per second with a five packet burst, but packets start coming in at four per second for three seconds, then start again after three seconds.

             <--Flood 1-->           <---Flood 2--->

     Total  ^                   Line  __--      YNNN
     Packets|               Rate  __--      YNNN
            |            mum   __--      YNNN
         10 |         Maxi __--      Y
            |           __--      Y
            |        __--      Y
            |     __--     YNNN
            |  __--      YNNN
          5 |  Y
            |  Y     Key:  Y -> Matched Rule
            |  Y           N -> Didn't Match Rule
            |Y
          0 +--------------------------------------------------> Time (seconds)
            0   1   2   3   4   5   6   7   8   9  10  11  12

     You can see that the first five packets are allowed to exceed the one packet per second, then the limiting kicks in. If there is a pause, another burst is allowed, but not past the maximum rate set by the rule (one packet per second after the burst is used up).

owner
     This module attempts to match various characteristics of the packet creator, for locally-generated packets. It is only valid in the OUTPUT chain, and even then some packets (such as ICMP ping responses) may have no owner, and hence never match.

     --uid-owner userid
          Matches if the packet was created by a process with the given effective (numerical) user id.

     --gid-owner groupid
          Matches if the packet was created by a process with the given effective (numerical) group id.

     --pid-owner processid
          Matches if the packet was created by a process with the given process id.

     --sid-owner sessionid
          Matches if the packet was created by a process in the given session group.

unclean
     This experimental module must be explicitly specified with `-m unclean' or `--match unclean'. It does various random sanity checks on packets. This module has not been audited, and should not be used as a security device (it probably makes things worse, since it may have bugs itself). It takes no options.

7.3.6.5. The State Match

The most useful match criterion is supplied by the `state' extension, which interprets the connection-tracking analysis of the `ip_conntrack' module. This is highly recommended.

Specifying `-m state' allows an additional `--state' option, which is a comma-separated list of states to match (the `!' flag indicates not to match those states). These states are:

NEW
     A packet which creates a new connection.

ESTABLISHED
     A packet which belongs to an existing connection (i.e., a reply packet, or an outgoing packet on a connection which has seen replies).

RELATED
     A packet which is related to, but not part of, an existing connection, such as an ICMP error, or (with the FTP module inserted) a packet establishing an ftp data connection.

INVALID
     A packet which could not be identified for some reason: this includes running out of memory and ICMP errors which don't correspond to any known connection. Generally these packets should be dropped.

7.4. Target Specifications

Now we know what examinations we can do on a packet, we need a way of saying what to do to the packets which match our tests. This is called a rule's target.

There are two very simple built-in targets: DROP and ACCEPT. We've already met them. If a rule matches a packet and its target is one of these two, no further rules are consulted: the packet's fate has been decided.

There are two types of targets other than the built-in ones: extensions and user-defined chains.

7.4.1. User-specified Chains
One powerful feature which iptables inherits from ipchains is the ability for the user to create new chains, in addition to the three built-in ones (INPUT, FORWARD and OUTPUT). By convention, user-defined chains are lower-case to distinguish them (we'll describe how to create them below in ``Operations on an Entire Chain'').

When a packet matches a rule whose target is a user-defined chain, the packet begins traversing the rules in that user-defined chain. If that chain doesn't decide the fate of the packet, then once traversal on that chain has finished, traversal resumes on the next rule in the current chain.

Time for more ASCII art. Consider two (silly) chains: INPUT (the built-in chain) and test (a user-defined chain).

              `INPUT'                         `test'
             ----------------------------    ----------------------------
             | Rule1: -p ICMP -j DROP   |    | Rule1: -s 192.168.1.1    |
             |--------------------------|    |--------------------------|
             | Rule2: -p TCP -j test    |    | Rule2: -d 192.168.1.1    |
             |--------------------------|    ----------------------------
             | Rule3: -p UDP -j DROP    |
             ----------------------------

Consider a TCP packet coming from 192.168.1.1, going to 1.2.3.4. It enters the INPUT chain, and gets tested against Rule1: no match. Rule2 matches, and its target is test, so the next rule examined is the start of test. Rule1 in test matches, but doesn't specify a target, so the next rule is examined, Rule2. This doesn't match, so we have reached the end of the chain. We return to the INPUT chain, where we had just examined Rule2, so we now examine Rule3, which doesn't match either.

So the packet path is:

                                         v    __________________________
                          `INPUT'        |   /    `test'                v
                         ----------------|--/    -----------------------|----
                         | Rule1         | /|    | Rule1                |   |
                         |---------------|/-|    |----------------------|---|
                         | Rule2         /  |    | Rule2                |   |
                         |------------------|    -----------------------v----
                         | Rule3         /--+___________________________/
                         ----------------|---
                                         v

User-defined chains can jump to other user-defined chains (but don't make loops: your packets will be dropped if they're found to be in a loop).

7.4.2. Extensions to iptables: New Targets

The other type of extension is a target extension. A target extension consists of a kernel module, and an optional extension to iptables to provide new command line options. There are several extensions in the default netfilter distribution:

LOG
     This module provides kernel logging of matching packets. It provides these additional options:

     --log-level
          Followed by a level number or name. Valid names are (case-insensitive) `debug', `info', `notice', `warning', `err', `crit', `alert' and `emerg', corresponding to numbers 7 through 0. See the man page for syslog.conf for an explanation of these levels.

     --log-prefix
          Followed by a string of up to 30 characters, this message is sent at the start of the log message, to allow it to be uniquely identified.

     This module is most useful after a limit match, so you don't flood your logs.

REJECT
     This module has the same effect as `DROP', except that the sender is sent an ICMP `port unreachable' error message. Note that the ICMP error message is not sent if (see RFC 1122):

     o  The packet being filtered was an ICMP error message in the first place, or some unknown ICMP type.

     o  The packet being filtered was a non-head fragment.

     o  We've sent too many ICMP error messages to that destination recently.

     REJECT also takes a `--reject-with' optional argument which alters the reply packet used: see the manual page.
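The traversal described in ``User-specified Chains'' can be checked with a small model. The following Python simulation is an added example, not code from the HOWTO or from netfilter: it walks the INPUT and test chains from the ASCII art above with the same TCP packet from 192.168.1.1 to 1.2.3.4, resumes in the calling chain when a user-defined chain runs out of rules, applies the built-in chain's policy otherwise, and drops a packet caught in a chain loop. The rule fields, packet representation and function names are this example's own simplifications.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    """One rule: each None field is a wildcard; target None means no `-j'."""
    proto: Optional[str] = None   # "tcp", "udp", "icmp" or None for any
    src: Optional[str] = None     # exact source address or None
    dst: Optional[str] = None     # exact destination address or None
    target: Optional[str] = None  # DROP, ACCEPT, RETURN, a chain name, or None

    def matches(self, pkt):
        checks = (("proto", self.proto), ("src", self.src), ("dst", self.dst))
        return all(want is None or pkt[key] == want for key, want in checks)

BUILTIN = {"INPUT", "OUTPUT", "FORWARD"}
TERMINAL = {"DROP", "ACCEPT"}

def traverse(chains, policy, chain, pkt, trace, depth=0):
    """Verdict for pkt on chain; trace collects the rules examined, in order.
    Returns None when a user-defined chain ends without deciding the fate."""
    if depth > 8:                 # a packet found in a chain loop is dropped
        return "DROP"
    for i, rule in enumerate(chains[chain], 1):
        trace.append(f"{chain}:Rule{i}")
        if not rule.matches(pkt):
            continue
        t = rule.target
        if t is None:
            continue              # matched but has no target: next rule
        if t in TERMINAL:
            return t
        if t == "RETURN":
            break                 # same as falling off the end of the chain
        verdict = traverse(chains, policy, t, pkt, trace, depth + 1)
        if verdict is not None:
            return verdict        # decided inside the user-defined chain
    # End of chain: a built-in chain applies its policy; a user-defined chain
    # hands control back to the rule after the one that jumped here.
    return policy[chain] if chain in BUILTIN else None

def section_741_example():
    """The INPUT/test chains and the TCP packet from 192.168.1.1 to 1.2.3.4."""
    chains = {
        "INPUT": [Rule(proto="icmp", target="DROP"),
                  Rule(proto="tcp", target="test"),
                  Rule(proto="udp", target="DROP")],
        "test": [Rule(src="192.168.1.1"), Rule(dst="192.168.1.1")],
    }
    pkt = {"proto": "tcp", "src": "192.168.1.1", "dst": "1.2.3.4"}
    trace = []
    verdict = traverse(chains, {"INPUT": "ACCEPT"}, "INPUT", pkt, trace)
    return verdict, trace
```

With an INPUT policy of ACCEPT the packet visits INPUT Rule1, Rule2, test Rule1, test Rule2 and INPUT Rule3 and is accepted by the policy; with a policy of DROP the same path ends in a drop.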
7.4.3. Special Built-In Targets

There are two special built-in targets: RETURN and QUEUE.

RETURN has the same effect as falling off the end of a chain: for a rule in a built-in chain, the policy of the chain is executed. For a rule in a user-defined chain, the traversal continues at the previous chain, just after the rule which jumped to this chain.

QUEUE is a special target, which queues the packet for userspace processing. For this to be useful, two further components are required:

o  a "queue handler" which deals with the actual mechanics of passing packets between the kernel and userspace; and

o  a userspace application to receive, possibly manipulate, and issue verdicts on packets.

The standard queue handler for IPv4 iptables is the ip_queue module, which is distributed with the kernel and marked as experimental.

The following is a quick example of how to use iptables to queue packets for userspace processing:

     # modprobe iptable_filter
     # modprobe ip_queue
     # iptables -A OUTPUT -p icmp -j QUEUE

With this rule, locally generated outgoing ICMP packets (as created with, say, ping) are passed to the ip_queue module, which then attempts to deliver the packets to a userspace application. If no userspace application is waiting, the packets are dropped.

In order to write a userspace application, use the libipq API. This is distributed with iptables. Example code may be found in the testsuite tools (e.g. redirect.c) in CVS.

The status of ip_queue may be checked via:

     /proc/net/ip_queue

The maximum length of the queue (i.e. the number of packets delivered to userspace with no verdict issued back) may be controlled via:

     /proc/sys/net/ipv4/ip_queue_maxlen

The default value for the maximum queue length is 1024. Once this limit is reached, new packets will be dropped until the length of the queue falls below the limit again. Nice protocols such as TCP interpret dropped packets as congestion, and will hopefully back off when the queue fills up. However, it may take some experimenting to determine an ideal maximum queue length for a given situation if the default value is too small.

7.5. Operations on an Entire Chain

A very useful feature of iptables is the ability to group related rules into chains. You can call the chains whatever you want, but I recommend using lower-case letters to avoid confusion with the built-in chains and targets. Chain names can be up to 31 letters long.

7.5.1. Creating a New Chain

Let's create a new chain. Because I am such an imaginative fellow, I'll call it test. We use the `-N' or `--new-chain' options:

     # iptables -N test
     #

It's that simple. Now you can put rules in it as detailed above.

7.5.2. Deleting a Chain

Deleting a chain is simple as well, using the `-X' or `--delete-chain' options. Why `-X'? Well, all the good letters were taken.

     # iptables -X test
     #

There are a couple of restrictions to deleting chains: they must be empty (see ``Flushing a Chain'' below) and they must not be the target of any rule. You can't delete any of the three built-in chains.

If you don't specify a chain, then all user-defined chains will be deleted, if possible.

7.5.3. Flushing a Chain

There is a simple way of emptying all rules out of a chain, using the `-F' (or `--flush') command.

     # iptables -F FORWARD
     #

If you don't specify a chain, then all chains will be flushed.

7.5.4. Listing a Chain

You can list all the rules in a chain by using the `-L' (or `--list') command.

The `refcnt' listed for each user-defined chain is the number of rules which have that chain as their target. This must be zero (and the chain be empty) before this chain can be deleted.

If the chain name is omitted, all chains are listed, even empty ones.

There are three options which can accompany `-L'. The `-n' (numeric) option is very useful as it prevents iptables from trying to look up the IP addresses, which (if you are using DNS like most people) will cause large delays if your DNS is not set up properly, or you have filtered out DNS requests. It also causes TCP and UDP ports to be printed out as numbers rather than names.

The `-v' option shows you all the details of the rules, such as the packet and byte counters, the TOS comparisons, and the interfaces. Otherwise these values are omitted.

Note that the packet and byte counters are printed out using the suffixes `K', `M' or `G' for 1000, 1,000,000 and 1,000,000,000 respectively. Using the `-x' (expand numbers) flag as well prints the full numbers, no matter how large they are.

7.5.5. Resetting (Zeroing) Counters

It is useful to be able to reset the counters. This can be done with the `-Z' (or `--zero') option.

The problem with this approach is that sometimes you need to know the counter values immediately before they are reset. Some packets could pass through between a `-L' and a `-Z' command. For this reason, you can use `-L' and `-Z' together, to reset the counters while reading them.

7.5.6. Setting Policy

We glossed over what happens when a packet hits the end of a built-in chain when we discussed how a packet walks through chains earlier. In this case, the policy of the chain determines the fate of the packet. Only built-in chains (INPUT, OUTPUT and FORWARD) have policies, because if a packet falls off the end of a user-defined chain, traversal resumes at the previous chain.

The policy can be either ACCEPT or DROP.

8. Using ipchains and ipfwadm

There are ipchains.o and ipfwadm.o modules in the netfilter distribution. Insert one of them into your kernel (NOTE: they are NOT compatible with ip_tables.o, ip_conntrack.o or ip_nat.o!). Then you can use ipchains or ipfwadm just as before.

This will be supported for some time to come. I think a reasonable formula is 2 * [replacement release - original release] + [stable release of the replacement]. Meaning that support for ipfwadm would end on:

     2 * [October 1997 (2.1.102 release) - March 1995 (ipfwadm 1.0)]
       + January 1999 (2.2.0 release)
     = November 2003.
and support for ipchains should end on:

     2 * [August 1999 (2.3.15 release) - October 1997 (2.2.0 release)]
       + July 2000 (2.4.0 release?)
     = March 2004.

So don't panic until 2004.

9. Mixing NAT and Packet Filtering

It is common to want to do Network Address Translation (see the NAT HOWTO) and packet filtering. The good news is that they mix extremely well.

You design your packet filtering completely ignoring any NAT you are doing. The sources and destinations seen by the packet filter will be the `real' sources and destinations. For example, if you are doing DNAT to send any connections to 1.2.3.4 port 80 through to 10.1.1.1 port 8080, the packet filter would see packets going to 10.1.1.1 port 8080 (the real destination), not 1.2.3.4 port 80. Similarly, you can ignore masquerading: packets will seem to come from their real internal IP addresses (say 10.1.1.1), and replies will seem to go back there.

You can use the `state' match extension without requiring the packet filter to do any extra work, since NAT requires connection tracking anyway. To enhance the simple masquerading example in the NAT HOWTO to disallow any new connections from coming in on the ppp0 interface, you would do:

     # Masquerade out ppp0
     iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

     # Disallow NEW and INVALID incoming or forwarded packets from ppp0.
     iptables -A INPUT -i ppp0 -m state --state NEW,INVALID -j DROP
     iptables -A FORWARD -i ppp0 -m state --state NEW,INVALID -j DROP

     # Turn on IP forwarding
     echo 1 > /proc/sys/net/ipv4/ip_forward

10. Differences Between iptables and ipchains

o  Firstly, the names of the built-in chains have changed from lower case to UPPER case, because the INPUT and OUTPUT chains now only get locally-destined and locally-generated packets. They used to see all incoming and all outgoing packets respectively.

o  The `-i' flag now means incoming interface, and only works in the INPUT and FORWARD chains. Rules in the FORWARD or OUTPUT chains that used `-i' should be changed to `-o'.

o  TCP and UDP ports now need to be spelled out with the --source-port or --sport (or --destination-port/--dport) options, and must be placed after the `-p tcp' or `-p udp' options, as this loads the TCP or UDP extensions respectively.

o  The TCP -y flag is now --syn, and must be after `-p tcp'.

o  The DENY target is finally DROP.

o  Zeroing single chains while listing them works.

o  Zeroing built-in chains also clears the policy counters.

o  Listing chains gives you an atomic snapshot of the counters.

o  REJECT and LOG are now extended targets, meaning they are separate kernel modules.

o  Chain names can be up to 31 characters.

o  MASQ is now MASQUERADE and uses a different syntax. REDIRECT, while keeping the same name, has also undergone a syntax change. See the NAT-HOWTO for more information on how to configure these.

o  The -o option no longer means `output fragments to the userspace device' (used with -i in the past). Fragments are now sent to userspace using the QUEUE target.

11. Advice on Packet Filtering Design
The usual wisdom in the security arena is to block everything, then open up holes as you need them. This is usually termed `that which is not explicitly allowed is forbidden'. I recommend this approach if security is your main concern.

Don't run any services you don't need, even if you think you have blocked access to them.

If you are creating a dedicated firewall, start with running nothing, and blocking all packets, then add services and let packets through as required.

I recommend security in depth: combine tcp-wrappers (for access to the packet filter itself), proxies (for access through the packet filter), route verification and packet filtering. Route verification is where a packet which comes from an unexpected interface is dropped: for example, if your internal network has addresses 10.1.1.0/24, and a packet with that source address comes in your external interface, it will be dropped. This can be enabled for one interface (ppp0) like so:

     # echo 1 > /proc/sys/net/ipv4/conf/ppp0/rp_filter
     #

Or for all existing and future interfaces like so:

     # for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
     #    echo 1 > $f
     # done
     #

Debian does this by default where possible. If you have asymmetric routing (i.e. you expect packets coming in from strange directions), you will want to disable this filtering on those interfaces.

Logging is useful when setting up a firewall if something isn't working, but on a production firewall always combine it with the `limit' match, to prevent someone from flooding your logs.

I highly recommend connection tracking for secure systems: it introduces some overhead, as all connections are tracked, but is very useful for controlling access to your networks. You may need to load the `ip_conntrack.o' module if your kernel does not autoload modules, and it isn't built into the kernel. If you want to accurately track complex protocols, you'll need to load the appropriate `helper' module (e.g. `ip_conntrack_ftp.o').

     # iptables -N no-conns-from-ppp0
     # iptables -A no-conns-from-ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
     # iptables -A no-conns-from-ppp0 -m state --state NEW -i ! ppp0 -j ACCEPT
     # iptables -A no-conns-from-ppp0 -i ppp0 -m limit -j LOG --log-prefix "Bad packet from ppp0:"
     # iptables -A no-conns-from-ppp0 -i ! ppp0 -m limit -j LOG --log-prefix "Bad packet not from ppp0:"
     # iptables -A no-conns-from-ppp0 -j DROP

     # iptables -A INPUT -j no-conns-from-ppp0
     # iptables -A FORWARD -j no-conns-from-ppp0

Setting up a good firewall is beyond the scope of this HOWTO, but my advice is `always be minimalist'. See the Security HOWTO for more information on testing and probing your box.
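The `-m limit' match that keeps the LOG rules above from flooding the logs (described under ``Other Match Extensions'') can be reasoned about as a token bucket. The following Python model is an added example, not code from the HOWTO or from netfilter: it assumes a bucket of `--limit-burst' tokens refilled at the `--limit' rate, which reproduces the behaviour the text describes for the default 3/hour, burst 5 rule, but is not the kernel's own credit arithmetic. The function and class names are this example's own.

```python
from fractions import Fraction

UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}

def parse_rate(spec):
    """Parse an iptables --limit value such as `3/hour' or `5/s' into matches
    per second; any prefix of second/minute/hour/day is accepted (`5/s')."""
    count, sep, unit = spec.partition("/")
    if not sep or not unit:
        raise ValueError("expected <count>/<unit>: " + spec)
    names = [n for n in UNIT_SECONDS if n.startswith(unit.lower())]
    if len(names) != 1:
        raise ValueError("unknown unit in " + spec)
    return Fraction(int(count), UNIT_SECONDS[names[0]])

class LimitMatch:
    """Token-bucket model (an assumption of this example, not the kernel's
    own arithmetic): the bucket starts full with `burst' tokens, refills at
    the --limit rate, and a packet matches only if a whole token is left."""
    def __init__(self, limit="3/hour", burst=5):   # the iptables defaults
        self.rate = parse_rate(limit)
        self.burst = Fraction(burst)
        self.tokens = self.burst
        self.last = Fraction(0)

    def match(self, t):
        """Return True if a packet arriving at time t (seconds) matches."""
        t = Fraction(t)
        self.tokens = min(self.burst, self.tokens + (t - self.last) * self.rate)
        self.last = t
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False

def run(limit, burst, times):
    """Apply one limit-matched rule to packets arriving at the given times."""
    m = LimitMatch(limit, burst)
    return [m.match(t) for t in times]

def default_log_rule():
    """The `iptables -A FORWARD -m limit -j LOG' walkthrough: ten packets at
    once, two more twenty minutes later, then six more after a further 100
    minutes of silence (long enough to recharge the whole burst)."""
    return run("3/hour", 5, [0] * 10 + [1200, 1200] + [7200] * 6)
```

With the defaults, the first five packets match, the next five do not, exactly one matches twenty minutes later, and after 100 quiet minutes the full burst of five is available again.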