2/ mangle 3.3. nat 3.4. Filter conntrack TCP 4.5. UDP 4.6. ICMP restore 5.3. iptables-save

Size: px

Start display at page:

Download "2/ mangle 3.3. nat 3.4. Filter conntrack TCP 4.5. UDP 4.6. ICMP restore 5.3. iptables-save"

伉粮邱
5 years ago
Views:

1 1/131 Iptables Oskar Andreasson Copyright by Oskar Andreasson GNU Free Documentation 1.1 Oskar Andreasson GNU Free Documentation License GNU General Public License 2 GNU General Public License GNU General Public License GNU Free Documentation License the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA USA wonderful Ninel wonderful :) Linux iptables Red Hat

2 2/ mangle 3.3. nat 3.4. Filter conntrack TCP 4.5. UDP 4.6. ICMP restore 5.3. iptables-save 5.4. iptables-restore Tables 6.3. Commands 6.4. Matches Targets/Jumps ACCEPT target DNAT target DROP target LOG target MARK target MASQUERADE target MIRROR target QUEUE target REDIRECT target REJECT target RETURN target SNAT target TOS target TTL target ULOG target 7. rc.firewall 7.1. rc.firewall 7.2. rc.firewall proc INPUT

3 3/ FORWARD OUTPUT PREROUTING POSTROUTING rc.firewall.txt rc.firewall.txt 8.3. rc.dmz.firewall.txt 8.4. rc.dhcp.firewall.txt 8.5. rc.utin.firewall.txt 8.6. rc.test-iptables.txt 8.7. rc.flush-iptables.txt 8.8. Limit-match.txt 8.9. Pid-owner.txt Sid-owner.txt Ttl-inc.txt Iptables-save ruleset A. A.1. A.2. iptables B. B.1. B.2. SYN NEW B.3. NEW SYN/ACK B.4. IP ISP B.5. DHCP B.6. mirc DCC C. ICMP D. E. F. History G. GNU Free Documentation License 0. PREAMBLE 1. APPLICABILITY AND DEFINITIONS 2. VERBATIM COPYING 3. COPYING IN QUANTITY 4. MODIFICATIONS 5. COMBINING DOCUMENTS 6. COLLECTIONS OF DOCUMENTS 7. AGGREGATION WITH INDEPENDENT WORKS 8. TRANSLATION 9. TERMINATION 10. FUTURE REVISIONS OF THIS LICENSE How to use this License for your documents H. GNU General Public License 0. Preamble 1. TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 2. How to Apply These Terms to Your New Programs I. I.1. rc.firewall I.2. rc.dmz.firewall I.3. rc.utin.firewall

4 4/131 I.4. rc.dhcp.firewall I.5. rc.flush-iptables I.6. rc.test-iptables List of Tables Tables 6-2. Commands 6-3. Options 6-4. Generic matches 6-5. TCP matches 6-6. UDP matches 6-7. ICMP matches 6-8. Limit match options 6-9. MAC match options Mark match options Multiport match options Owner match options State matches TOS matches TTL matches DNAT target LOG target options MARK target options MASQUERADE target REDIRECT target REJECT target SNAT target TOS target TTL target ULOG target C-1. ICMP sllscn Linux Linux iptables iptables iptables iptables

5 5/131 F G GNU Free Documentation License H GNU General Public License iptables slcl@sohu.com Oskar Andreasson Internet iptables ipchains ipchains FTP IRC DCC iptables ipchains ipfwadm iptables iptables iptables Netfilter bug iptables bug Netfilter mailing lists bug iptables Netfilter bug Netfilter Netfilter bug HTTP Apache iptables HTTP Apache targets matches Netfilter Linux/Unix shell

6 6/131 :) neigh]$ ls default eth0 lo neigh]$ loopback /usr/local/bin/iptables HOWTO Linux 2.4.x Iptables Netfilter, rc.firewall.txt /etc/rc.d/ HOWTO, HOWTO rc.flush-iptables.txt 1.2. Marc Boucher netfilter boingworld.com frozentux.net setup iptables rc.firewall iptables rc.firewall iptables

7 7/ DNAT - Destination Network Address Translation DNAT ip SNAT ip Internet ip Stream - TCP SYN SYN/ACK SYN ICMP SNAT - Source Network Address Translation ip Internet IPv4 IPv6 State - RFC Transmission Control Protocol Netfilter/iptables Netfilter RFC 793 User space - iptables -h iptables -A FORWARD -p tcp -j ACCEPT Kernel space - Userland - target - 2. iptables Netfilter iptables Linux :) 2.1. iptables iptables FAQs iptables make configure

8 8/ iptables make config CONFIG_PACKET - tcpdump snort iptables CONFIG_PACKET CONFIG_NETFILTER - iptables :) Ethernet, PPP SLIP iptables CONFIG_IP_NF_CONNTRACK - NAT Masquerading ip LAN rc.firewall.txt CONFIG_IP_NF_FTP - FTP helper helper FTP CONFIG_IP_NF_IPTABLES - NAT iptables iptables CONFIG_IP_NF_MATCH_LIMIT - rc.firewall.txt LIMIT -m limit --limit 3/minute DoS CONFIG_IP_NF_MATCH_MAC - MAC MAC Ethernet MAC rc.firewall.txt :) CONFIG_IP_NF_MATCH_MARK - MARK CONFIG_IP_NF_MATCH_MULTIPORT - CONFIG_IP_NF_MATCH_TOS - TOS Type Of Service ip/tc mangle CONFIG_IP_NF_MATCH_TCPMSS - MSS TCP

9 9/131 CONFIG_IP_NF_MATCH_STATE - ipchains TCP ESTABLISHED rc.firewall.txt CONFIG_IP_NF_MATCH_UNCLEAN - P TCP UDP ICMP UNCLEAN UNCLEAN CONFIG_IP_NF_MATCH_OWNER - root Internet iptables CONFIG_IP_NF_FILTER - iptables INPUT FORWARD OUTPUT IP CONFIG_IP_NF_TARGET_REJECT - ICMP ICMP UDP TCP TCP RST CONFIG_IP_NF_TARGET_MIRROR - INPUT HTTP MIRROR HTTP MIRROR CONFIG_IP_NF_NAT - NAT nat LAN IP rc.firewall.txt :) CONFIG_IP_NF_TARGET_MASQUERADE - MASQUERADE Internet IP MASQUERADE DNAT SNAT PPP SLIP Internet DHCP IP SNAT MASQUERADE Internet IP MASQUERADE NAT CONFIG_IP_NF_TARGET_REDIRECT - CONFIG_IP_NF_TARGET_LOG - iptables LOG CONFIG_IP_NF_TARGET_TCPMSS - ICMP ISP ICMP ssh scp TCPMSS MSS Maximum Segment Size PMTU Path Maximum Transmit Unit Netfilter criminally brain-dead ISPs or servers CONFIG_IP_NF_COMPAT_IPCHAINS - ipchains

10 10/131 CONFIG_IP_NF_COMPAT_IPFWADM - ipfwadm Netfilter patch-o-matic POM Linus Torvalds rc.firewall.txt CONFIG_PACKET CONFIG_NETFILTER CONFIG_IP_NF_CONNTRACK CONFIG_IP_NF_FTP CONFIG_IP_NF_IRC CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_FILTER CONFIG_IP_NF_NAT CONFIG_IP_NF_MATCH_STATE CONFIG_IP_NF_TARGET_LOG CONFIG_IP_NF_MATCH_LIMIT CONFIG_IP_NF_TARGET_MASQUERADE rc.firewall.txt 2.3. iptables iptables Linux iptables Red Hat iptables Linux iptables iptables 1.2.6a bug match target

11 11/131 bzip2 -cd iptables-1.2.6a.tar.bz2 tar -xvf - tar -xjvf iptables-1.2.6a.tar.bz2 tar iptables-1.2.6a INSTALL iptables make pending-patches KERNEL_DIR=/usr/src/linux/ KERNEL_DIR /usr/src/linux/ Linux Netfilter make most-of-pom KERNEL_DIR=/usr/src/linux/ patch-o-matic netfilter patch-omatic make patch-o-matic KERNEL_DIR=/usr/src/linux/ patch-o-matic patch-o-matic patch-o-matic iptables, iptables make KERNEL_DIR=/usr/src/linux/ iptables Netfilter mailing list iptables

12 12/131 make install KERNEL_DIR=/usr/src/linux/ iptables INSTALL Red Hat 7.1 Red Hat x Netfilter iptables Red Hat B class=command>ipchains iptables ipchains iptables Red Hat 7.1 iptables ipchains /etc/rc.d/ chkconfig --level ipchains off /etc/rc.d/init.d/ipchains K92ipchains S K ipchains service ipchains service ipchains stop iptables NFS X11 iptables chkconfig --level 235 iptables on iptables iptables service iptables start iptables Red Hat 7.1 /etc/rc.d/init.d/iptables RPM iptables

13 13/131 iptables-save rc.d /etc/rc.d/init.d/iptables /etc/rc.d/init.d/iptables iptables start) start() start) start() stop) iptables restart condrestart iptables Red Hat RPM iptables iptables-save iptables-save > /etc/sysconfig/iptables /etc/sysconfig/iptables service iptables save /etc/sysconfig/iptables rc.d iptables-restore ipchains iptables, iptables rpm rpm -e iptables ipchains rpm -e ipchains iptables Chapter 3. iptables iptables DNAT SNAT TOS 3.1. MAC

14 14/131 mangle mangle TOS TTL MARK Table 3-1. Step Table Chain ipchain INPUT FORWARD Table 3-2. Comment 1 ( Internet) 2 ( eth0) 3 mangle PREROUTING mangle TOS 4 nat PREROUTING DNAT 5 6 mangle INPUT mangle 7 filter INPUT 8 ( ) mangle Step Table Chain Comment mangle OUTPUT mangle 4 nat OUTPUT DNAT 5 filter OUTPUT 6 mangle POSTROUTING DNAT ( DNAT NAT )

15 15/131 7 nat POSTROUTING SNAT DROP 8 ( eth0) 9 ( Internet) Table 3-3. mangle FORWARD Step Table Chain Comment 1 ( Internet) 2 eth0 3 mangle PREROUTING mangle TOS 4 nat PREROUTING DNAT SNAT 5 6 mangle FORWARD mangle FORWARD mangle mangle 7 filter FORWARD FORWARD 8 mangle POSTROUTING 6 mangle 9 nat POSTROUTING SNAT 10 ( eth0) 11 ( LAN) iptables / FORWARD

16 16/131 INPUT INPUT FORWARD IP INPUT NAT PREROUTING DNAT rc.test-iptables.txt

17 17/ mangle mangle mangle TOS DANT SNAT Masquerade mangle TOS TTL MARK TOS Internet Internet TOS iproute2 TTL ISP ISP TTL MARK iproute nat NAT DNAT SNAT MASQUERADE DNAT IP DMZ SNAT DMZ SNAT De-SNAT( SNAT), LAN Internet /24 Internet IANA LAN

18 18/131 MASQUERADE MASQUERADE MASQUERADE IP SNAT IP PPP PPPOE SLIP ISP DHCP 3.4. Filter filter DROP ACCEPT target Chapter iptables Netfilter iptables NEW ESTABLISHED RELATED INVALID --state Netfilter conntrack connection tracking conntrack conntrack conntrack TCP UDP ICMP conntrack UDP iptables Netfilter conntrack conntrack OUTPUT PREROUTING iptables PREROUTING

19 19/131 OUTPUT NEW PREROUTING ESTABLISHED PREROUTING NEW nat PREROUTING OUTPUT 4.2. conntrack /proc/net/ip_conntrack conntrack ip_conntrack cat /proc/net/ip_conntrack tcp SYN_SENT src= dst= sport=32775 dport=22 [UNREPLIED] src= dst= sport=22 dport=32775 use=2 conntrack tcp 6 tcp conntrack SYN_SENT iptables SYN_SENT TCP SYN UNREPLIED IP linux/include/netfilter-ipv4/ip_conntrack*.h IP TCP UDP ICMP linux/include/netfilter-ipv4/ip_conntrack.h conntrack patch-o-matic /proc/sys/net/ipv4/netfilter /proc/sys/net/ipv4/netfilter/ip_ct_* conntrack [UNREPLIED] [ASSURED] [ASSURED] ip- sysctl 128MB MB /proc/sys/net/ipv4/ip_conntrack_max 4.3.

20 20/131 IP 4 NEW ESTABLISHED RELATED INVALID Table 4-1. State Explanation NEW ESTABLISHED RELATED INVALID NEW conntrack SYN SYN NEW ESTABLISHED ESTABLISHED ESTABLISHED NEW ESTABLISHED ICMP ESTABLISHED RELATED ESTABLISHED RELATED RELATED ESTABLISHED ESTABLISHED RELATED conntrack RELATED ftp FTP-data FTP-control RELATED IRC DCC ICMP FTP DCC UDP INVALID ICMP DROP TCP TCP UDP ICMP TCP iptables TCP SYN SYN/ACK ACK

21 21/131 TCP SYN NEW SYN/ACK ESTABLISHED NEW ESTABLISHED ESTABLISHED NEW NEW NEW NEW TCP RFC Transmission Control Protocol /proc/net/ip_conntrack tcp SYN_SENT src= dst= sport=1031 dport=23 [UNREPLIED] src= dst= sport=23 dport=1031 use=1 SYN_SENT SYN [UNREPLIED] tcp 6 57 SYN_RECV src= dst= sport=1031 dport=23 src= dst= sport=23 dport=1031 use=1 SYN/ACK SYN_RECV SYN SYN/ACK tcp ESTABLISHED src= dst= sport=1031 dport=23 src= dst= sport=23 dport=1031 use=1 ACK ESTABLISHED [ASSURED]

22 22/131 TCP ACK RST TIME_WAIT 2 RST CLOSE 10 RST TCP Table 4-2. State Timeout value NONE 30 minutes ESTABLISHED 5 days SYN_SENT 2 minutes SYN_RECV 60 seconds FIN_WAIT 2 minutes TIME_WAIT 2 minutes CLOSE 10 seconds CLOSE_WAIT 12 hours

23 23/131 LAST_ACK LISTEN> 30 seconds 2 minutes /proc/sys/net/ipv4/netfilter/ip_ct_tcp_* jiffies TCP NEW NEW SYN iptables SYN ACK NEW SYN NEW patch-o-matic tcp-window-tracking TCP 4.5. UDP UDP UDP UDP conntrack UDP TCP conntrack UDP conntrack udp src= dst= sport=137 dport=1025 [UNREPLIED] src= dst= sport=1025 dport=137 use=1 UDP 30 [UNREPLIED]

24 24/131 udp src= dst= sport=137 dport=1025 src= dst= sport=1025 dport=137 use=1 [UNREPLIED] ESTABLISHED ESTABLISHED [ASSURED] [ASSURED] udp src= dst= sport=1025 dport=53 src= dst= sport=53 dport=1025 [ASSURED] use=1 [ASSURED] [UNREPLIED] [ASSURED] ICMP ICMP Echo request and reply Timestamp request and reply Information request and reply Address mask request and reply NEW ESTABLISHED ping ICMP NEW ESTABLISHED NEW ESTABLISHED ip_conntrack icmp 1 25 src= dst= type=8 code=0

25 25/131 id=33029 [UNREPLIED] src= dst= type=0 code=0 id=33029 use=1 ICMP TCP UDP type code id type ICMP code ICMP id ICMP ID ICMP ID [UNREPLIED] type code id ESTABLISHED ICMP ICMP NEW ESTABLISHED NEW ESTABLISHED established ICMP 30 /proc/sys/net/ipv4/netfilter/ip_ct_icmp_timeout ICMP UDP TCP ICMP RELATED ICMP RELATED SYN NEW RELATED UDP ICMP RELATED

26 UDP NEW UDP RELATED 4.7. conntrack NETBLT MUX EGP conntrack UDP NEW ESTABLISHED /proc/sys/net/ipv4/netfilter/ip_ct_generic_timeout 4.8. ICQ IRC FTP helper FTP FTP FTP FTP IP 20 FTP-Data 26/131 Iptables

27 27/131 helper FTP RELATED FTP data FTP FTP HTTP FTP Internet FTP helper data conntrack helper FTP IRC conntrack helper iptables patcho-matic helper ntalk H.323 iptables CVS Netfilter-devel Rusty Russell's Unreliable Netfilter Hacking HOW-TO Conntrack helper

28 28/131 modprobe ip_conntrack_* NAT NAT FTP FTP NAT helper ip_nat_ FTP NAT helper ip_nat_ftp IRC ip_nat_irc conntrack helper IRC conntrack helper ip_conntrack_irc FTP ip_conntrack_ftp Chapter 5. iptables iptables-save iptablesrestore 5.1. iptables-save iptables-restore iptables iptables Netfilter iptables-save restore iptables-save iptables-restore iptables iptables-save iptables-restore 5.2. restore iptables-restore iptables-restore IP iptables-restore IP iptables-restore IP iptables-restore

29 29/131 iptables-save iptables-restore iptables-restore IP iptables-restore iptables-restore iptables-save match target match target 5.3. iptables-save iptables-save iptables-restore iptables-save [-c] [-t table] -c -c iptables-save -t iptablessave Generated by iptables-save v1.2.6a on Wed Apr 24 10:19: *filter :INPUT ACCEPT [404:19766] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [530:43376] COMMIT Completed on Wed Apr 24 10:19: Generated by iptables-save v1.2.6a on Wed Apr 24 10:19: *mangle :PREROUTING ACCEPT [451:22060] :INPUT ACCEPT [451:22060] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [594:47151] :POSTROUTING ACCEPT [594:47151] COMMIT Completed on Wed Apr 24 10:19: Generated by iptables-save v1.2.6a on Wed Apr 24 10:19: *nat :PREROUTING ACCEPT [0:0] :POSTROUTING ACCEPT [3:450] :OUTPUT ACCEPT [3:450] COMMIT Completed on Wed Apr 24 10:19: *<table-name> *mangle :<chain-name> <chain-policy> [<packetcounter>:<byte-counter>] PREROUTING ACCEPT iptables -L -v

30 30/131 COMMIT Iptables-save ruleset iptables-save Generated by iptables-save v1.2.6a on Wed Apr 24 10:19: *filter :INPUT DROP [1:229] :FORWARD DROP [0:0] :OUTPUT DROP [0:0] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT -A FORWARD -i eth1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT COMMIT Completed on Wed Apr 24 10:19: Generated by iptables-save v1.2.6a on Wed Apr 24 10:19: *mangle :PREROUTING ACCEPT [658:32445] :INPUT ACCEPT [658:32445] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [891:68234] :POSTROUTING ACCEPT [891:68234] COMMIT Completed on Wed Apr 24 10:19: Generated by iptables-save v1.2.6a on Wed Apr 24 10:19: *nat :PREROUTING ACCEPT [1:229] :POSTROUTING ACCEPT [3:450] :OUTPUT ACCEPT [3:450] -A POSTROUTING -o eth0 -j SNAT --to-source COMMIT Completed on Wed Apr 24 10:19: c linux iptables-save -c > /etc/iptables-save /etc/iptables-save 5.4. iptables-restore iptables-restore iptables-save iptables-restore [-c] [-n] -c iptables-save --counters -n iptables-restore --noflush

31 31/131 iptables-restore Chapter 6. matche target 6.1. matche target jump iptables [-t table] command [match] [target/jump] target [table] iptables filter command match IP match match target target 6.2. Tables -t filter

32 32/131 Table 6-1. Tables Table Explanation nat mangle filter nat Network Address Translation NAT NAT NAT Masqueraded NAT PREROUTING OUTPUT POSTROUTING mangle TTL TOS MARK MARK tc PREROUTING POSTROUTING OUTPUT INPUT FORWARD PREROUTING POSTROUTING OUTPUT INPUT FORWARD mangle mangle NAT TTL TOS MARK NAT nat filter DROP LOG ACCEPT REJECT FORWARD INPUT OUTPUT 6.3. Commands command iptables iptables command filter Table 6-2. Commands Command -A, --append Example iptables -A INPUT... Explanation ip

33 33/131 Command -D, --delete Example iptables -D INPUT --dport 80 -j DROP iptables -D INPUT 1 Explanation 1 Command -R, --replace Example iptables -R INPUT 1 -s j DROP Explanation 1 ip command Command Example -I, --insert iptables -I INPUT 1 --dport 80 -j ACCEPT Explanation 1 1 Command Example -L, --list iptables -L INPUT Explanation -n v Command Example -F, --flush iptables -F INPUT Explanation command Command Example -Z, --zero iptables -Z INPUT Explanation Command Example -N, --new-chain iptables -N allowed Explanation allowed target Command Example -X, --delete-chain iptables -X allowed Explanation Command -P, --policy Example iptables -P INPUT DROP Explanation target DROP ACCEPT target iptables -P INPUT allowed Command -E, --rename-chain

34 34/131 Example iptables iptables -v iptables -h Table 6-3. Options iptables -E allowed disallowed Explanation allowed disallowed Option -v, --verbose --list, --append, --insert, --delete, --replace Explanation --list --list TOS K M G x -v --append -- insert --delete --replace iptables Option -x, --exact Commands --list used with Explanation --list K M G --list Option Commands used with -n, --numeric --list Explanation IP --list Option Commands used with --line-numbers --list Explanation --list Option -c, --set-counters Commands used with --insert, --append, --replace Explanation --set-counters Option Commands used with --modprobe All Explanation iptables modprobe

35 35/131 iptables 6.4. Matches matche generic matches TCP matches TCP UDP matches UDP ICMP matches ICMP state owner limit Table 6-4. Generic matches Match Example -p, --protocol iptables -A INPUT -p tcp Explanation Match 1 /etc/protocols 2 ICMP 1 TCP 6 UDP 17 3 ALL 0 TCP UDP ICMP /etc/protocols 4 udp,tcp 5 : --protocol! tcp tcp UDP ICMP TCP UDP ICMP -s, --src, --source Example iptables -A INPUT -s Explanation IP / / / / source!

36 36/131 Match /24 4 -d, --dst, --destination Example iptables -A INPUT -d Explanation IP -- source Match Example -i, --in-interface iptables -A INPUT -i eth0 Explanation INPUT FORWARD PREROUTING Match Example 1 eth0 ppp0 2 iptables -A INPUT -i + eth+ Ethernet 3 -i! eth0 eth0 -o, --out-interface iptables -A FORWARD -o eth0 Explanation -- in-interface Match -f, --fragment Example iptables -A INPUT -f Explanation ICMP! -f protocol tcp IP TCP matches UDP matches ICMP matches -m --match TCP matches

37 37/131 TCP matches TCP --protocol tcp Table 6-5. TCP matches Match --sport, --source-port Example iptables -A INPUT -p tcp --sport 22 Explanation TCP Match 1 2 /etc/services iptables source-port 22: source-port 80:22 --source-port 22: source-port : source-port 22: source-port! source-port! 22: source-port! 22, 36, 80 --dport, --destination-port Example iptables -A INPUT -p tcp --dport 22 Explanation TCP --sport Match Example --tcp-flags Explanation TCP SYN ACK FIN RST URG PSH ALL NONE ALL NONE 1 iptables -p tcp --tcp-flags SYN,FIN,ACK SYN

38 38/131 Match Example FIN ACK 2 --tcp-flags ALL NONE 1 3 iptables -p tcp --tcp-flags! SYN,FIN,ACK SYN FIN ACK SYN 1 --syn iptables -p tcp --syn Explanation ipchains iptables ipchains SYN ACK RST iptables -p tcp --tcp-flags SYN,RST,ACK SYN TCP! --syn RST ACK Match --tcp-option Example iptables -p tcp --tcp-option 16 Explanation TCP TCP 8 8 TCP Internet Engineering Task Force UDP matches UDP matches --protocol UDP UDP ICMP UDP matches TCP matches UDP ICMP TCP Table 6-6. UDP matches Match --sport, --source-port Example iptables -A INPUT -p udp --sport 53 Explanation UDP TCP matches --sport Match --dport, --destination-port Example iptables -A INPUT -p udp --dport 53 Explanation UDP TCP matches --sport

39 39/ ICMP matches ICMP ICMP UDP ICMP IP ICMP IP ICMP host unreachable ICMP ICMP matche --protocol ICMP ICMP Table 6-7. ICMP matches Match --icmp-type Example iptables -A INPUT -p icmp --icmp-type 8 Explanation ICMP RFC792 iptables --protocol icmp --help ICMP --icmptype! 8 ICMP m --match state NEW ESTABLISHED RELATED iptables iptables Limit match -m limit DoS syn flood limit match -m limit! --limit 5/s limit match

40 40/131 iptables limit match --limit-burst --limit iptables --limit 3/minute --limit-burst iptables 20 --limit 3/hour --limit-burst 5 Table 6-8. Limit match options Match Example --limit iptables -A INPUT -m limit --limit 3/hour Explanation limit match limit /second /minute /hour /day 3 3/hour 20 iptables Match --limit-burst Example iptables -A INPUT -m limit --limit-burst 5 Explanation limit match -- limit --limit-burst limit 5 Limit- match.txt ping echo replies MAC match MAC match MAC match -m mac -m mac-source Table 6-9. MAC match options Match --mac-source Example iptables -A INPUT -m mac --mac-source 00:00:00:00:00:01 Explanation MAC XX:XX:XX:XX:XX:XX --mac- source! 00:00:00:00:00:01 MAC addresses Ethernet match Ethernet PREROUTING FORWARD INPUT

41 41/ Mark match mark linux mark iptables MARK target ipchains FWMARK target FWMARK mark :) Table Mark match options Match --mark Example iptables -t mangle -A INPUT -m mark --mark 1 Explanation mark MARK target Netfilter mark field mark mark --mark value[/mask] --mark 1/1 mark mark Multiport match --sport 1024: m multiport --dport 21,23,80 iptables :) Table Multiport match options Match --source-port Example iptables -A INPUT -p tcp -m multiport --source-port 22,53,80,110 Explanation 15 -p tcp -p udp Match --destination-port Example iptables -A INPUT -p tcp -m multiport --destination-port 22,53,80,110 Explanation Match --port

42 42/131 Example iptables -A INPUT -p tcp -m multiport --port 22,53,80,110 Explanation Owner match owner ID owner ID ID ID iptables OUTPUT ID OUTPUT owner ICMP responses match :) Table Owner match options Match --uid-owner Example iptables -A OUTPUT -m owner --uid-owner 500 Explanation ID UID root http HTTP Match --gid-owner Example iptables -A OUTPUT -m owner --gid-owner 0 Explanation ID GID network Internet http HTTP Match --pid-owner Example iptables -A OUTPUT -m owner --pid-owner 78 Explanation ID GID PID 94 http ID ps PID Pid-owner.txt Match --sid-owner Example iptables -A OUTPUT -m owner --sid-owner 100 Explanation ID SID SID HTTPD SID HTTPD HTTPD Apache Roxen Sid-owner.txt State match ICMP UDP match -m state

43 43/131 Table State matches Match --state Example iptables -A INPUT -m state --state RELATED,ESTABLISHED Explanation 4 INVALID ESTABLISHED NEW RELATED INVALID ESTABLISHED NEW RELATED FTP data transfer ICMP error TCP UDP NEW TCP SYN :) TOS match TOS -m tos TOS IP Type Of Service 8 3 bit 4 TOS 1 bit 0 Table TOS matches Match Example --tos iptables -A INPUT -p tcp -m tos --tos 0x16 Explanation TOS match mark iproute2 16 iptables -m tos -h Minimize-Delay 16 (0x10) telnet SSH FTP-control Maximize-Throughput 8 (0x08) FTP-data Maximize-Reliability 4 (0x04) BOOTP TFTP Minimize-Cost 2 (0x02) RTSP Real Time Stream Control Protocol Normal-Service 0 (0x00) TTL match

44 44/131 IP TTL (Time To Live ) -m ttl TTL field ICMP ICMP ICMP match TTL match Table TTL matches Match --ttl Example iptables -A OUTPUT -m ttl --ttl 60 Explanation TTL LAN Internet Trojan Trojan match TTL TCP/IP unclean package match DROP 6.5. Targets/Jumps target/jump --jump target -j target target Target Jump jump target ACCEPT DROP -N filter tcp_packets iptables -N tcp_packets jump iptables -A INPUT -p tcp -j tcp_packets INPUT tcp_packets tcp_packets tcp_packets INPUT ACCEPT

45 45/131 target DROP ACCEPT target target DROP ACCEPT target LOG ULOG TOS mangle target, TTL TOS target TOS target ACCEPT target target -j ACCEPT ACCEPT DROP DNAT target target IP DNAT target Web LAN Internet IP target HTTP LAN Web DNAT target DANT target nat PREROUTING OUTPUT DANT target POSTROUTING Table DNAT target Option --to-destination Example iptables -t nat -A PREROUTING -p tcp -d dport 80 -j DNAT --to-destination Explanation IP LAN IP --to-destination :80 --to-destination : SNAT target --protocol TCP UDP DNAT Internet HTTP server IP $INET_IP IP $LAN_IP HTTP server IP $HTTP_IP

46 46/131 nat PREROUTING iptables -t nat -A PREROUTING --dst $INET_IP -p tcp --dport 80 -j DNAT --todestination $HTTP_IP Internet 80 DNAT HTTP Internet IP $EXT_BOX 1. $EXT_BOX $INET_IP DNAT 4. $HTTP_IP 5. HTTP $EXT_BOX HTTP 6. Un-DNAT DNAT 7. $EXT_BOX HTTP IP $LAN_BOX 1. $LAN_BOX $INET_IP DNAT, SNAT $LAN_BOX IP 4. HTTP 5. HTTP $LAN_BOX 6. DNAT SNAT $HTTP_IP 80 SNAT

47 47/131 $LAN_IP HTTP Un-DNAT iptables -t nat -A POSTROUTING -p tcp --dst $HTTP_IP --dport 80 -j SNAT --tosource $LAN_IP POSTROUTING DNAT $HTTP_IP Internet DNAT SNAT HTTP HTTP IP IP LAN SMTP SMTP DMZ DMZ SNAT LAN DNS HTTP DNS HTTP HTTP DMZ HTTP :) HTTP HTTP DNAT HTTP :) nat OUTPUT iptables -t nat -A OUTPUT --dst $INET_IP -p tcp --dport 80 -j DNAT --todestination $HTTP_IP HTTP DNAT SNAT

48 48/131 filter FORWARD POSTROUTING OUTPUT FORWARD PREROUTING DNAT DROP target target target sockets :) REJECT target DROP LOG target target LOG IP syslogd dmesg syslogd LOG 100% LOG DROP ULOG target MySQL databases iptables Netfilter syslogd /etc/syslog.conf man syslog.conf LOG 5 Table LOG target options Option Example --log-level iptables -A FORWARD -p tcp -j LOG --log-level debug Explanation iptables syslog syslog.conf debug info notice warning warn err error crit alert emerg panic error err warn warning panic emerg

49 49/131 Option Example syslog.conf kern.=info /var/log/iptables iptables LOG info /var/log/iptables info syslog syslog.conf HOWTO --log-prefix iptables -A INPUT -p tcp -j LOG --log-prefix "INPUT packets" Explanation iptables grep 29 Option Example --log-tcp-sequence iptables -A INPUT -p tcp -j LOG --log-tcp-sequence Explanation TCP iptables Option --log-tcp-options Example iptables -A FORWARD -p tcp -j LOG --log-tcp-options Explanation TCP Option --log-ip-options Example iptables -A FORWARD -p tcp -j LOG --log-ip-options Explanation IP MARK target mark mangle mark TOS target Linux Advanced Routing and Traffic Control HOW-TO Table MARK target options Option --set-mark Example iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --setmark 2 Explanation mark mark

50 50/ MASQUERADE target target SNAT target --to-source MASQUERADE IP DHCP IP SNAT target IP --to-source MASQUERADE kill SNAT target IP IP MASQUERADE SNAT MASQUERADE SNAT nat POSTROUTING Table MASQUERADE target Option --to-ports Example iptables -t nat -A POSTROUTING -p TCP -j MASQUERADE --to-ports Explanation TCP UDP -- to-ports to- ports SNAT target MIRROR target target DoS target IP target :) A 80 MIRROR yahoo.com B A HTTP yahoo yahoo MIRROR INPUT FORWARD PREROUTING MIRROR target filter nat mangle MIRROR TTL 255 MIRROR TTL K

51 51/ QUEUE target target iptables Netfilter iptables Hacking HOW-TO REDIRECT target HTTP REDIRECT HTTP proxy squid target IP LAN target nat PREROUTING OUTPUT REDIRECT Table REDIRECT target Option --to-ports Example iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --toports 8080 Explanation TCP UDP to-ports to-ports REJECT target REJECT DROP target INPUT FORWARD OUTPUT REJECT TCP/IP Table REJECT target Option --reject-with Example iptables -A FORWARD -p TCP --dport 22 -j REJECT --reject-with tcpreset Explanation REJECT target DROP 1 icmp-net-unreachable 2 icmp-host-unreachable 3 icmp-

52 52/131 port-unreachable 4 icmp-proto-unreachable 5 icmp-net-prohibited 6 icmp-host-prohibited port-unreachable ICMP echo-reply ICMP ping tcp-reset TCP REJECT TCP RST TCP RFC Transmission Control Protocol iptables man page tcp-reset 113/tcp RETURN target > > RETURN INPUT RETURN ACCEPT DROP C INPUT target --jump EXAMPLE_CHAIN EXAMPLE_CHAIN target --jump RETURN INPUT INPUT --jump RETURN SNAT target target IP Internet ip SNAT Internet Internet IANA Internet SNAT target SNAT nat POSTROUTING SNAT SNAT, Table SNAT target Option Example --to-source iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to-source : Explanation IP

53 53/131 IP 3 -p tcp -p udp : iptables iptables HTTP FTP control TOS target TOS IP Type of Service iproute2 TOS MARK TOS Internet TOS TOS WAN LAN TOS TOS TOS include Linux/ip.h FTOS patch Matthew G. Marsh Paksecured Linux Kernel patches target mangle iptables target TOS mangle :) TOS target Table TOS target Option Example --set-tos iptables -t mangle -A PREROUTING -p TCP --dport 22 -j TOS --set-tos

54 54/131 0x10 Explanation TOS 16 TOS x00-0xFF 16 1 Minimize-Delay 16 (0x10) telnet SSH FTP- control 2 Maximize-Throughput 8 (0x08) FTP-data 3 Maximize-Reliability 4 (0x04) BOOTP TFTP 4 Minimize-Cost 2 (0x02) RTSP Real Time Stream Control Protocol 5 Normal-Service 0 (0x00) iptables -j TOS -h TTL target target patch-o-matic TTL patch, FAQ iptables Netfilter TTL IP Time To Live Time To Live 64 Linux ISP TTL TTL Linux TTL ip-sysctl.txt TTL mangle 3 Table TTL target Option --ttl-set Example iptables -t mangle -A PREROUTING -i eth0 -j TTL --ttl-set 64 Explanation TTL 64

55 55/131 Option TTL target DNS --ttl-dec Example iptables -t mangle -A PREROUTING -i eth0 -j TTL --ttl-dec 1 Explanation TTL --ttl-dec 3 TTL 53 TTL TTL 1 TTL target 3 4 target DNS --ttl-dec DNS --set-ttl Option --ttl-inc Example iptables -t mangle -A PREROUTING -i eth0 -j TTL --ttl-inc 1 Explanation TTL --ttl-inc 4 TTL 53 TTL 56, --ttl-dec trace-routes --ttl-inc 1 TTL 1 1 TTL trace-routes Trace-routes Ttl-inc.txt ULOG target ULOG netlink socket ULOG iptables Netfilter target MySQL ULOGD project page ULOGD Table ULOG target Option --ulog-nlgroup Example iptables -A INPUT -p TCP --dport 22 -j ULOG --ulog-nlgroup 2 Explanation netlink -- ulog-nlgroup 5 32 netlink Option --ulog-prefix Example iptables -A INPUT -p TCP --dport 22 -j ULOG --ulog-prefix "SSH connection attempt: " Explanation LOG prefix 32 Option --ulog-cprange Example iptables -A INPUT -p TCP --dport 22 -j ULOG --ulog-cprange 100 Explanation ULOG --ulog-cprange

56 56/ Option --ulog-qthreshold Example iptables -A INPUT -p TCP --dport 22 -j ULOG --ulog-qthreshold 10 Explanation ULOG --ulog-qthreshold netlink 1 Chapter 7. rc.firewall BASH 7.1. rc.firewall rc.firewall.txt 7.2. rc.firewall rc.firewall rc.firewall.txt IP $INET_IP Internet $INET_IP rc.dhcp.firewall.txt $INET_IFACE Internet eth0 eth1 ppp0 tr0 DHCP PPPoE

57 57/131 :) Local Area Network LAN IP LAN Localhost configuration 99% lo IPTables Configuration $IPTABLES iptables /usr/local/sbin/iptables /usr/sbin/iptables /sbin/depmod -a module dependencies files LOG REJECT MASQUERADE target /sbin/insmod ipt_log /sbin/insmod ipt_reject /sbin/insmod ipt_masquerade ipt_owner root FTP HTTP redhat.com root Internet ipt_owner Owner match ip_conntrack_* ip_nat_* helper helper NAT helper helper FTP NAT Internet FTP IP FTP LAN FTP NAT helper FTP DCC IP IRC helper FTP IRC DCC DCC

58 58/131 helper DCC Internet IP IRC IP mirc DCC IRC mirc DCC FTP IRC nat patch-o-matic H.323 conntrack helper NAT helper patch-o-matic FTP IRC ip_nat_ftp ip_nat_irc NAT ip_conntrack_ftp ip_conntrack_irc NAT conntrack NAT NAT proc IP forwarding echo "1" > /proc/sys/net/ipv4/ip_forward SLIP PPP DHCP IP ip_dynaddr IP iptables IP IP echo "1" > /proc/sys/net/ipv4/ip_dynaddr proc proc Non-Required proc configuration proc

59 rc.firewall.txt CPU TCP ICMP UDP TCP TCP Netfilter Internet IP DHCP PPP SLIP Internet DROP Internet Internet Internet Internet NAT IP NAT PREROUTING FORWARD Internet 59/131 Iptables

60 HTTP FTP SSH IDENTD INPUT OUTPUT loopback IP loopback Internet IP /8 90% ISP FTP established related INPUT TCP UDP ICMP TCP tcp_packets TCP FTP HTTP allowed TCP ICMP icmp_packets ICMP UDP udp_packets speak freely ICQ OUTPUT IP IP ACCEPT IP OUTPUT DROP 60/131 Iptables

61 61/ iptables [-P {chain} {policy}] icmp_packets tcp_packets udp_packets allowed allowed tcp_packets $INET_IFACE ICMP icmp_packets TCP tcp_packets UDP udp_packets INPUT chain - N iptables [-N chain] bad_tcp_packets incoming packet SYN NEW TCP SYN/ACK NEW TCP XMAS port-scans INVALID SYN NEW not SYN SYN NEW SYN NEW 99% SYN/ACK NEW NEW SYN/ACK sequence number prediction

62 62/ allowed $INET_IFACE TCP tcp_packets allowed SYN ESTABLISHED RELATED ESTABLISHED ESTABLISHED SYN DROP SYN SYN TCP/ IP SYN TCP DROP 99% TCP tcp_packets Internet allowed -A tcp_packets iptables -p TCP TCP -s 0/ dport 21 allowed TCP 21 FTP RELATED PASSIVE ACTIVE ip_conntrack_ftp FTP ip_conntrack_ftp $IPTABLES -A tcp_packets -p TCP -s 0/0 -- dport 21 -j allowed rc.firewall.txt 22 SSH telnet 23 SSH 80 HTTP IDENTD 113 IRC NAT oidentd IDENTD tcp_packets tcp_packets

63 63/ UDP INPUT UDP udp_packets UDP -p UDP -s 0/0 Internet UDP DNS ESTABLISHED --state ESTABLISHED,RELATED INPUT Internet 53 UDP DNS Internet DNS 123 network time protocol NTP 2074 speak freely 4000 ICQ ICQ Linux 2-3 ICQ QQ 8000 UC Microsoft NetBIOS SMB Microsoft Network DHCP DHCP IP DHCP INPUT ICMP ICMP INPUT ICMP eth0 Internet icmp_packets ICMP Echo requests TTL equals 0 during transit TTL equals 0 during reassembly ICMP ICMP RELATED ICMP RELATED

64 64/131 ICMP Echo Request echo reply ping ping Internet ping Time Exceeded TTL equals 0 during transit 0 TTL equals 0 during reassembly 0 TTL 0 TTL = 1 TTL 0 TTL = 2 ICMP ICMP ICMP Ralph Walden The Internet Control Message Protocol J. Postel RFC Internet Control Message Protocol ICMP INPUT INPUT iptables INPUT tcp tcp bad_tcp_packets bad_tcp_packets loopback IP Internet LAN Internet

65 65/131 Internet ESTABLISHED RELATED Internet allowed INPUT allowed --state ESTABLISHED,RELATED INPUT $INET_IFACE TCP tcp_packets UDP udp_packets ICMP icmp_packets TCP UDP ICMP mbit Pentium III Microsoft Microsoft /8 udp_packets UDP INPUT bug 3 DROP FORWARD FORWARD bad_tcp_packets FORWARD $LAN_IFACE LAN Internet ESTABLISHED RELATED Internet FORWARD DROP Internet Internet INPUT "IPT FORWARD packet died: " OUTPUT

66 66/131 IP LOCALHOST_IP $LAN_IP $STATIC_IP DROP PREROUTING PREROUTING nat filter INPUT FORWARD PREROUTING PREROUTING DNAT web server PREROUTING PREROUTING POSTROUTING nat POSTROUTING Internet eth0 NAT -t nat -A POSTROUTING -o $INET_IFACE INET_IFACE eth0 target SNAT target Internet SNAT IP -- to-source SNAT MASQUERADE IP SNAT IP SNAT MASQUERADE IP DHCP MASQUERADE target rc.dhcp.firewall.txt Chapter 8.

67 67/ rc.firewall.txt Configuration shell-script 1. Internet Internet Internet 1. DHCP DHCP 2. PPPoE PPPoE 2. LAN 3. DMZ DMZ zone 4. Localhost local-host 5. iptables iptables iptables 6. Other 2. Module loading 1. Required modules

68 68/ Non-required modules 3. proc configuration proc proc 1. Required proc configuration proc 2. Non-required proc configuration 4. rules set up iptables -L 1. Filter table filter 1. Set policies DROP ACCEPT 2. Create user specified chains 3. Create content in user specified chains 4. INPUT chain INPUT iptables -L 5. FORWARD chain FORWARD 6. OUTPUT chain OUTPUT 2. nat table filter nat filter NAT NAT nat filter nat mangle 1. Set policies filter ACCEPT

69 69/131 ACCEPT 2. Create user specified chains nat 3. Create content in user specified chains 4. PREROUTING chain DNAT 5. POSTROUTING chain SNAT POSTROUTING SNAT target PPPoE MASQUERADE target 6. OUTPUT chain 3. mangle table mangle TTL TOS mangle 1. Set policies nat mangle 2. Create user specified chains 3. Create content in user specified chains 4. PREROUTING 5. INPUT chain 6. FORWARD chain 7. OUTPUT chain 8. POSTROUTING chain

70 70/ rc.firewall.txt rc.firewall.txt rc.firewall Internet IP DHCP PPP SLIP IP rc.dhcp.firewall.txt rc.firewall.txt CONFIG_NETFILTER CONFIG_IP_NF_CONNTRACK CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_MATCH_LIMIT CONFIG_IP_NF_MATCH_STATE CONFIG_IP_NF_FILTER

71 71/131 CONFIG_IP_NF_NAT CONFIG_IP_NF_TARGET_LOG 8.3. rc.dmz.firewall.txt rc.dmz.firewall.txt DMZ Internet DMZ NAT IP IP DMZ DMZ IP DMZ IP NAT CONFIG_NETFILTER CONFIG_IP_NF_CONNTRACK CONFIG_IP_NF_IPTABLES

72 72/131 CONFIG_IP_NF_MATCH_LIMIT CONFIG_IP_NF_MATCH_STATE CONFIG_IP_NF_FILTER CONFIG_IP_NF_NAT CONFIG_IP_NF_TARGET_LOG /24 DMZ NAT /24 Internet DNS_IP DNAT DMZ DNS DNS DNAT $IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $DNS_IP --dport 53 -j DNAT --to-destination $DMZ_DNS_IP nat PREROUTING TCP 53 $INET_IFACE $DNS_IP DNAT target --to-destination $DMZ_DNS_IP DNAT un-dnat 8.4. rc.dhcp.firewall.txt

73 73/131 rc.dhcp.firewall.txt DHCP PPP SLIP Internet rc.firewall.txt STATIC_IP IP CONFIG_NETFILTER CONFIG_IP_NF_CONNTRACK CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_MATCH_LIMIT CONFIG_IP_NF_MATCH_STATE CONFIG_IP_NF_FILTER CONFIG_IP_NF_NAT CONFIG_IP_NF_TARGET_MASQUERADE CONFIG_IP_NF_TARGET_LOG STATIC_IP STATIC_IP INET_IFACE -d $STATIC_IP -i $INET_IFACE

74 74/131 INPUT --in-interface $LAN_IFACE --dst $INET_IP Internet Internet IP HTTP DNS NAT HTTP IP IP IP HTTP INPUT DROP Internet IP IP LAN INET_IP ACCEPT IP Internet ifconfig IP IP pppd ip-up linuxguruz.org rc.firewall.txt IP INET_IP=`ifconfig $INET_IFACE grep inet cut -d : -f 2 cut -d ' ' -f 1` ifconfig $INET_IFACE IP $INET_IP retreiveip.txt 1. PPP daemon NEW not SYN rules SYN NEW 2. PPP daemon rc.utin.firewall.txt

75 75/131 rc.utin.firewall.txt POP3 HTTP FTP Internet CONFIG_NETFILTER CONFIG_IP_NF_CONNTRACK CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_MATCH_LIMIT CONFIG_IP_NF_MATCH_STATE CONFIG_IP_NF_FILTER CONFIG_IP_NF_NAT CONFIG_IP_NF_TARGET_LOG rc.firewall.txt

76 76/ rc.test-iptables.txt iptables ip_forwarding masquerading iptables LOG ping ping ping -c 1 host.on.the.internet tail -n 0 -f /var/log/messages DoS DoS 8.7. rc.flush-iptables.txt rc.flush-iptables.txt filter INPUT OUTPUT FORWARD ACCEPT nat PREROUTING POSTROUTING OUTPUT filter NAT filter NAT mangle rc.firewall Red Hat Linux rc.firewall iptables shell shell 8.8. Limit-match.txt limit match limit match ping limit burst echo replies

77 77/ Pid-owner.txt PID owner match iptables -L -v Sid-owner.txt SID owner match iptables -L -v Ttl-inc.txt Iptables-save ruleset iptables-save A. A.1. iptables iptables -L /etc/services DNS IP LAN IP /16 Internet Internet DNS iptables -L -n

78 78/131 verbose iptables -L -n -v iptables -L nat mangle filter -t, nat iptables -L -t nat /proc cat /proc/net/ip_conntrack less A.2. iptables iptables -A -D iptables INPUT 10 iptables -D INPUT 10 -F INPUT iptables -F INPUT -F INPUT DROP DROP INPUT ACCEPT iptables -P INPUT ACCEPT iptables rc.flush- iptables.txt mangle rc.firewall.txt mangle rc.flush-iptables.txt B. B.1. insmod: iptable_filter: no module by that name found

79 79/131 filter filter filter iptables -t filter -L filter filter Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination filter iptables v1.2.5: can't initialize iptables table `filter': Table does not exist (do you need to insmod?) Perhaps iptables or your kernel needs to be upgraded. depmod -a make modules_install compile build depmod -a Linux iptables iptables: No chain/target/match by that name target match iptables target B.2. SYN NEW

80 80/131 iptables NEW SYN ESTABLISHED NEW TCP 3 INPUT OUTPUT FORWARD NEW not SYN rules $IPTABLES -A INPUT -p tcp! --syn -m state --state NEW -j LOG --log-prefix "New not syn:" $IPTABLES -A INPUT -p tcp! --syn -m state --state NEW -j DROP Netfilter/iptables microsoft TCP/IP TCP/IP microsoft NEW FIN/ACK Netfilter Microsoft SYN NEW --log-headers LAN PPP PPP be killed conntrack nat telnet telnet rc.firewall.txt telnet telnet client daemon SYN telnet client daemon B.3. NEW SYN/ACK TCP Sequence Number Prediction IP [A] attacker [O] other host [V] victim

81 81/ [A] [O] IP [V] SYN 2. [V] [O] SYN/ACK 3. [O] RST SYN/ACK [O] SYN flood RST 4. [O] [A] [O] [V] RST SYN/ACK [V] [V] RST NEW not SYN rules SYN/ACK bad_tcp_packets iptables -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset [O] portscan B.4. IP ISP ISP ISP IANA Swedish Internet Service Provider Telia DNS IP 10.x.x.x 10.x.x.x DNS /usr/local/sbin/iptables -t nat -I PREROUTING -i eth1 -s /32 -j ACCEPT ISP IP

82 82/131 B.5. DHCP DHCP DHCP UDP DHCP eth0 eth1 DHCP allow DHCP UDP $IPTABLES -I INPUT -i $LAN_IFACE -p udp --dport 67:68 --sport 67:68 -j ACCEPT UDP DHCP B.6. mirc DCC mirc mirc DCC iptables ip_conntrack_irc ip_nat_irc mirc NAT IP IRC DCC mirc I am behind a firewall ip_conntrack_irc ip_nat_irc Netfilter Forged DCC send packet mirc iptables mirc C. ICMP ICMP Table C-1. ICMP TYPE CODE Description Query Error 0 0 Echo Reply Ping x 3 0 Network Unreachable x 3 1 Host Unreachable x

83 83/ Protocol Unreachable x 3 3 Port Unreachable x 3 4 Fragmentation needed but no frag. bit set x 3 5 Source routing failed x 3 6 Destination network unknown x 3 7 Destination host unknown x 3 8 Source host isolated (obsolete) x 3 9 Destination network administratively prohibited x 3 10 Destination host administratively prohibited 3 11 Network unreachable for TOS x TOS 3 12 Host unreachable for TOS TOS 3 13 Communication administratively prohibited x by filtering 3 14 Host precedence violation x 3 15 Precedence cutoff in effect x 4 0 Source quench 5 0 Redirect for network 5 1 Redirect for host 5 2 Redirect for TOS and network 5 3 Redirect for TOS and host 8 0 Echo request Ping x 9 0 Router advertisement 10 0 Route solicitation 11 0 TTL equals 0 during transit x TTL equals 0 during reassembly IP header bad (catchall error) IP x 12 1 Required options missing x 13 0 Timestamp request (obsolete) x 14 Timestamp reply (obsolete) x 15 0 Information request (obsolete) x x x x

84 84/ Information reply (obsolete) x 17 0 Address mask request x 18 0 Address mask reply x D. ip-sysctl.txt IP The Internet Control Message Protocol ICMP Ralph Walden RFC Internet Control Message Protocol ICMP ICMP J. Postel RFC Transmission Control Protocol TCP 1981 TCP TCP J. Postel ip_dynaddr.txt sysctl proc ip_dynaddr iptables.8 iptables HTML iptables Firewall rules table Stuart Clark PDF Netfilter iptables linux iptables Netfilter Netfilter Frequently Asked Questions iptables Netfilter iptables Netfilter Rusty Russell iptables Netfilter Rusty Russell HOWTO/index.html Netfilter iptables Rusty Russell

85 85/131 Internet iptables iptables iptables Slackware IP ICMP TCP /etc/protocols /etc/services Slackware Internet Engineering Task Force IETF Internet Linux Advanced Routing and Traffic Control HOW-TO Linux HOW-TO Linux Bert Hubert Paksecured Linux Kernel patches Matthew G. Marsh FTOS patch ULOGD project page ULOGD The Linux Documentation Project Linux Linux TLDP conntrack Netfilter conntrack CBQ Class Based Queue tc ip Stef Coene Netfilter iptables E. Fabrice Marie make

86 86/131 DocBook Marc Boucher Frode E. Nyboe rc.firewall the multiple table traversing Chapman Brad, Alexander W. Janssen nat filter Michiel Brandenburg, Myles Uyema Kent `Artech' Stahre Anders 'DeZENT' Johansson ISP Internet Jeremy `Spliffy' Smith Appendix F. History Version (21 May 2003). By: Oskar Andreasson Contributors: Peter van Kampen, Xavier Bartol, Jon Anderson, Thorsten Bremer and Spanish Translation Team. Version (24 Apr 2003). By: Oskar Andreasson Contributors: Stuart Clark, Robert P. J. Day, Mark Orenstein and Edmond Shwayri. Version (6 Apr 2003). By: Oskar Andreasson Contributors: Geraldo Amaral Filho, Ondrej Suchy, Dino Conti, Robert P. J. Day, Velev Dimo, Spencer Rouser, Daveonos, Amanda Hickman, Olle Jonsson and Bengt Aspvall. Version (16 Dec 2002). By: Oskar Andreasson Contributors: Clemens Schwaighower, Uwe Dippel and Dave Wreski.

87 87/131 Version (13 Nov 2002). By: Oskar Andreasson Contributors: Mark Sonarte, A. Lester Buck, Robert P. J. Day, Togan Muftuoglu, Antony Stone, Matthew F. Barnes and Otto Matejka. Version (14 Oct 2002). By: Oskar Andreasson Contributors: Carol Anne, Manuel Minzoni, Yves Soun, Miernik, Uwe Dippel, Dave Klipec and Eddy L O Jansson. Version (22 Aug 2002) tutorial.haringstad.com By: Oskar Andreasson Contributors: Tons of people reporting bad HTML version. Version (19 Aug 2002) By: Oskar Andreasson Contributors: Peter Schubnell, Stephen J. Lawrence, Uwe Dippel, Bradley Dilger, Vegard Engen, Clifford Kite, Alessandro Oliveira, Tony Earnshaw, Harald Welte, Nick Andrew and Stepan Kasal. Version (27 May 2002) By: Oskar Andreasson Contributors: Steve Hnizdur, Lonni Friedman, Jelle Kalf, Harald Welte, Valentina Barrios and Tony Earnshaw. Version (12 April 2002) By: Oskar Andreasson Contributors: Jelle Kalf, Theodore Alexandrov, Paul Corbett, Rodrigo Rubira Branco, Alistair Tonner, Matthew G. Marsh, Uwe Dippel, Evan Nemerson and Marcel J.E. Mol. Version (21 March 2002) By: Oskar Andreasson Contributors: Vince Herried, Togan Muftuoglu, Galen Johnson, Kelly Ashe, Janne Johansson, Thomas Smets, Peter Horst, Mitch Landers, Neil Jolly, Jelle Kalf, Jason Lam and Evan Nemerson. Version (5 March 2002) By: Oskar Andreasson Version (4 February 2002) By: Oskar Andreasson Contributors: Parimi Ravi, Phil Schultz, Steven McClintoc, Bill Dossett, Dave Wreski, Erik Sj und, Adam Mansbridge, Vasoo Veerapen, Aladdin and

88 88/131 Rusty Russell. Version (7 December 2001) By: Oskar Andreasson Contributors: Jim Ramsey, Phil Schultz, G an B e, Doug Monroe, Jasper Aikema, Kurt Lieber, Chris Tallon, Chris Martin, Jonas Pasche, Jan Labanowski, Rodrigo R. Branco, Jacco van Koll and Dave Wreski. Version (14 November 2001) By: Oskar Andreasson Contributors: Fabrice Marie, Merijn Schering and Kurt Lieber. Version (6 November 2001) By: Oskar Andreasson Contributors: Stig W. Jensen, Steve Hnizdur, Chris Pluta and Kurt Lieber. Version (9 October 2001) By: Oskar Andreasson Contributors: Joni Chu, N.Emile Akabi- Davis and Jelle Kalf. Version (29 September 2001) By: Oskar Andreasson Version (26 September 2001) By: Oskar Andreasson Contributors: Dave Richardson. Version (15 September 2001) By: Oskar Andreasson Version (9 September 2001) By: Oskar Andreasson Version (7 September 2001) By: Oskar Andreasson Version (23 August 2001) By: Oskar Andreasson Contributors: Fabrice Marie. Version By: Oskar Andreasson

89 89/131 Version By: Oskar Andreasson Contributors: Fabrice Marie. Appendix G. GNU Free Documentation License Version 1.1, March 2000 Copyright (C) 2000 Free Software Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. 0. PREAMBLE The purpose of this License is to make a manual, textbook, or other written document "free" in the sense of freedom: to assure everyone the effective freedom to copy and redistribute it, with or without modifying it, either commercially or noncommercially. Secondarily, this License preserves for the author and publisher a way to get credit for their work, while not being considered responsible for modifications made by others. This License is a kind of "copyleft", which means that derivative works of the document must themselves be free in the same sense. It complements the GNU General Public License, which is a copyleft license designed for free software. We have designed this License in order to use it for manuals for free software, because free software needs free documentation: a free program should come with manuals providing the same freedoms that the software does. But this License is not limited to software manuals; it can be used for any textual work, regardless of subject matter or whether it is published as a printed book. We recommend this License principally for works whose purpose is instruction or reference. 1. APPLICABILITY AND DEFINITIONS This License applies to any manual or other work that contains a notice placed by the copyright holder saying it can be distributed under the terms of this License. The "Document", below, refers to any such manual or work. Any member of the public is a licensee, and is addressed as "you".

展开

文件1

文件1 iptables log rule policy ( ) 1. (Packet Filter) OSI IP (Router) router router access control list ACL (Transparency) 2. Proxy store-and-forward proxy filter " " 3. Application internet java script 4. Hardware