
                       Linux 2.4 Packet Filtering HOWTO

   Author: Rusty Russell, mailing list netfilter@lists.samba.org
   Translator: netmanforever@yahoo.com

   v1.0.1 Mon May 1 18:09:31 CST 2000
     _________________________________________________________________
   
   This document describes how to use iptables to filter out unwanted
   packets on the 2.4 Linux kernel.
     _________________________________________________________________
   
1. Introduction

2. Where Is the Official Site and Mailing List?

3. So What Is a Packet Filter?

     * 3.1 Why Would I Want to Packet Filter?
     * 3.2 How Do I Packet Filter Under Linux?
       
4. Who the hell are you, and why are you playing with my kernel?

5. Rusty's Really Quick Guide to Packet Filtering

6. How Packets Traverse the Filters

7. Using iptables

     * 7.1 What You'll See When Your Computer Starts Up
     * 7.2 Operations on a Single Rule
     * 7.3 Filtering Specifications
     * 7.4 Target Specifications
     * 7.5 Operations on an Entire Chain
       
8. Using ipchains and ipfwadm

9. Mixing NAT and Packet Filtering

10. Differences Between iptables and ipchains

11. Advice on Packet Filter Design
     _________________________________________________________________
   
1. Introduction

   Welcome, gentle reader.
   
   It is assumed you know what IP addresses, network addresses, network
   masks, routing and DNS are. If not, I recommend that you read the
   Network Concepts HOWTO.
   
   This HOWTO flips between a gentle introduction (which will leave you
   feeling warm and fuzzy) and raw full-on disclosure (which would leave
   all but the hardiest confused, paranoid and seeking professional
   help).
   
   Your network is not secure. The problem of allowing fast, convenient
   communication while restricting its use to good, rather than evil,
   purposes is like attempting to allow free speech while disallowing
   anything that offends anyone: that is not a problem this HOWTO (or any
   other) is going to solve for you.
   
   So it is all up to you. This HOWTO will try to guide you in the use of
   some common tools and to point out the holes you need to watch for,
   while hoping (for your sake as much as anyone's) that you don't put
   them to the opposite use.
   
2. Where Is the Official Site and Mailing List?

   There are three official sites:
     * Thanks to [1]Filewatcher (http://netfilter.filewatcher.org).
     * Thanks to [2]The Samba Team and SGI (http://www.samba.org/netfilter).
     * Thanks to [3]Jim Pick (http://netfilter.kernelnotes.org).
       
   For the official netfilter mailing list, see [4]Samba's Listserver
   (http://lists.samba.org).
   
3. So What Is a Packet Filter?

   A packet filter is a piece of software which looks at the header of
   packets as they pass through, and decides the fate of the entire
   packet. It might decide to DROP the packet (i.e. discard it as if it
   had never been received), ACCEPT the packet (i.e. let it go through),
   or something more complicated.
   
   Under Linux, packet filtering is built into the kernel (as a kernel
   module, or built right in), and there are a few trickier things we can
   do with packets, but the general idea of looking at the headers and
   deciding the fate of the whole packet is still there.
   
3.1 Why Would I Want to Packet Filter?

   Control. Security. Watchfulness.
   
   Control:
          When you are using a Linux box to connect your internal network
          to another network (say, the Internet) you have an opportunity
          to allow some types of traffic, and disallow others. For
          example, the header of a packet contains the destination
          address of the packet, so you can prevent packets going to a
          certain part of the outside network. As another example, I use
          Netscape to access the Dilbert archives. There are
          advertisements from doubleclick.net on the page, and Netscape
          wastes my time by cheerfully downloading them. Telling the
          packet filter not to allow any packets to or from the addresses
          owned by doubleclick.net solves that problem (there are better
          ways of doing this though: see Junkbuster).
          
   Security:
          When your Linux box is the only thing between the chaos of the
          Internet and your nice, orderly network, it's nice to know you
          can restrict what comes tromping in your door. For example, you
          might allow anything to go out from your network, but you might
          be worried about the well-known `Ping of Death' coming in from
          malicious outsiders. As another example, you might not want
          outsiders telnetting to your Linux box, even though all your
          accounts have passwords; maybe you want (like most people) to
          be an observer on the Internet, and not a server (willing or
          otherwise): simply don't let anyone connect, by having the
          packet filter reject incoming packets used to set up
          connections.
          
   Watchfulness:
          Sometimes a badly configured machine on the local network will
          decide to spew packets to the outside world. It's nice to tell
          the packet filter to let you know if anything abnormal occurs;
          maybe you can do something about it, or maybe you're just
          curious by nature.
          
3.2 How Do I Packet Filter Under Linux?

   Linux kernels have had packet filtering since the 1.1 series. The
   first generation, based on ipfw from BSD, was ported by Alan Cox in
   late 1994. This was enhanced by Jos Vos and others for Linux 2.0; the
   userspace tool `ipfwadm' controlled the kernel filtering rules. In
   mid-1998, for Linux 2.2, I reworked the kernel quite heavily, with the
   help of Michael Neuling, and introduced the userspace tool
   `ipchains'. Finally, the fourth-generation tool, `iptables', and
   another kernel rewrite occurred in mid-1999 for Linux 2.4. It is this
   iptables which this HOWTO concentrates on.
   
   You need a kernel which has the netfilter infrastructure in it:
   netfilter is a general framework inside Linux which other things (such
   as the iptables module) can plug into. This means you need kernel
   2.3.15 or beyond, and answer `Y' to CONFIG_NETFILTER when you
   configure the kernel.
   
   The tool iptables talks to the kernel and tells it what packets to
   filter. Unless you are a programmer, or overly curious, this is how
   you will control the packet filtering.
   
  iptables
  
   The iptables tool inserts and deletes rules from the kernel's packet
   filtering table. This means that whatever you set up, it will be lost
   upon reboot; see [5]Making Rules Permanent for how to make sure they
   are restored the next time Linux is booted.
   
   iptables is a replacement for ipfwadm and ipchains: see [6]Using
   ipchains and ipfwadm for how to painlessly avoid using iptables if
   you're using one of those tools.
   
  Making Rules Permanent
  
   Your current firewall setup is stored in the kernel, and thus will be
   lost on reboot. Writing iptables-save and iptables-restore scripts (*)
   is on my TODO list. When they exist, I promise this section will be
   really cool.
   
   (* Translator's note: under ipchains, ipchains-save and
   ipchains-restore save the current firewall setup and restore it
   later. If you have never used ipchains, you may not know what I am
   talking about.)
   
   Meanwhile, put the commands required to set up your firew
   all in an initialization script. Make sure you do something
   intelligent if one of the commands fails (usually
   `exec /sbin/sulogin').
   
4. Who the hell are you, and why are you playing with my kernel?

   I'm Rusty Russell; Linux IP Firewall maintainer and just another
   hard-working kernel coder. I wrote ipchains (see [7]How Do I Packet
   Filter Under Linux? above for how much credit goes to the real
   workers), and learnt enough to get packet filtering right this time.
   I hope.
   
   [8]WatchGuard, an excellent firewall company who sell the really nice
   plug-in Firebox, offered to pay me to do nothing, so I could spend all
   my time writing this stuff, and maintaining my previous stuff. I
   predicted 6 months, and it took 12, but I felt it was the right thing
   to do. Many rewrites, a hard disk crash, a laptop theft, a couple of
   corrupted filesystems and one broken screen later, here it is.
   
   While I'm here, I want to clear up some misconceptions: I am not a
   kernel guru. I know this, because my kernel work has brought me into
   contact with some of them: David S. Miller, Alexey Kuznetsov, Andi
   Kleen, Alan Cox. However, they're all busy with the deep magic,
   leaving me to wade in the shallow end where it's safe.
   
5. Rusty's Really Quick Guide to Packet Filtering

   Most people just have a single PPP connection to the Internet, and
   don't want anyone coming back into their network, or the firewall:
   
## Insert connection-tracking modules (not needed if built into kernel).
# insmod ip_conntrack
# insmod ip_conntrack_ftp

## Create chain which blocks new connections, except if coming from inside.
# iptables -N block
# iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A block -m state --state NEW -i ! ppp0 -j ACCEPT
# iptables -A block -j DROP

## Jump to that chain from INPUT and FORWARD chains.
# iptables -A INPUT -j block
# iptables -A FORWARD -j block
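As an added example (mine, not part of the HOWTO), here is the ruleset above packaged the way "Making Rules Permanent" suggests: an init-style script that stops and drops to `/sbin/sulogin' if any command fails, with a dry-run mode so the commands can be reviewed before they are applied. The EXT_IF variable, the `dry'/`apply' arguments and the use of modprobe in place of insmod are my assumptions, not the HOWTO's.

```shell
#!/bin/sh
# Added example, not from the HOWTO: the "Really Quick Guide" rules wrapped as
# an init-style script, with the fail-safe "Making Rules Permanent" suggests.
# Assumptions (mine): the external link is $EXT_IF (default ppp0), iptables
# and modprobe are in PATH, and /sbin/sulogin exists.
EXT_IF="${EXT_IF:-ppp0}"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints the commands instead of running them

# fail: never leave a half-built ruleset as the running firewall; report the
# command that failed and drop to the single-user login.
fail() {
    echo "firewall setup failed at: $*" >&2
    exec /sbin/sulogin
}

# ipt: run one iptables command, or print it in dry-run mode.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@" || fail "iptables $*"
    fi
}

# load_conntrack: the connection-tracking modules from the guide; a failed
# load is only a warning, since the modules may be built into the kernel.
load_conntrack() {
    for m in ip_conntrack ip_conntrack_ftp; do
        if [ "$DRY_RUN" = 1 ]; then
            echo "modprobe $m"
        else
            modprobe "$m" 2>/dev/null || echo "warning: $m not loaded (built in?)" >&2
        fi
    done
}

# quick_guide_rules: the guide's `block' chain, with the interface parameterised.
quick_guide_rules() {
    ipt -N block
    ipt -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A block -m state --state NEW -i ! "$EXT_IF" -j ACCEPT
    ipt -A block -j DROP
    ipt -A INPUT -j block
    ipt -A FORWARD -j block
}

# rule_lines: the number of iptables commands a dry run would issue.
rule_lines() {
    (DRY_RUN=1; quick_guide_rules) | wc -l | tr -d ' '
}

# `sh firewall.sh dry' shows the commands; `sh firewall.sh apply' installs them.
case "${1:-}" in
    apply) load_conntrack; quick_guide_rules ;;
    dry)   DRY_RUN=1; load_conntrack; quick_guide_rules ;;
esac
```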

6. How Packets Traverse the Filters

   The kernel starts with three lists of rules in the `filter' table;
   these lists are called firewall chains or just chains. The three
   chains are called INPUT, OUTPUT and FORWARD.
   
   This is a very different arrangement from the 2.0 and 2.2 kernels!
   
   For ASCII-art fans, the chains are arranged like so:
                          _____
Incoming                 /     \         Outgoing
       -->[Routing ]--->|FORWARD|------->
          [Decision]     \_____/        ^
               |                        |
               v                      ____
              ___                    /    \
             /   \                  |OUTPUT|
            |INPUT|                  \____/
             \___/                      ^
               |                        |
                ----> Local Process ----

   The three circles represent the three chains mentioned above. When a
   packet reaches a circle in the diagram, that chain is examined to
   decide the fate of the packet. If the chain says to DROP the packet,
   it is killed there, but if the chain says to ACCEPT the packet, it
   continues traversing the diagram.
   
   A chain is a checklist of rules. Each rule says `if the packet header
   looks like this, then here's what to do with the packet'. If the rule
   doesn't match the packet, then the next rule in the chain is
   consulted. Finally, if there are no more rules to consult, then the
   kernel looks at the chain policy to decide what to do. In a
   security-conscious system, this policy usually tells the kernel to
   DROP the packet.
   
    1. When a packet comes in (say, through the Ethernet card) the kernel
       first looks at the destination of the packet: this is called
       `routing'.
    2. If it's destined for this box, the packet passes downwards in the
       diagram, to the INPUT chain. If it passes this, any processes
       waiting for that packet will receive it.
    3. Otherwise, if the kernel does not have forwarding enabled, or it
       doesn't know how to forward the packet, the packet is dropped. If
       forwarding is enabled, and the packet is destined for another
       network interface (if you have another one), then the packet goes
       rightwards on our diagram to the FORWARD chain. If it is
       ACCEPTed, it will be sent out.
    4. Finally, a program running on the box can send network packets.
       These packets pass through the OUTPUT chain immediately: if it
       says ACCEPT, then the packet continues out to whatever interface
       it is destined for.
       
7. Using iptables

   iptables has a fairly detailed manual page (man iptables), in case you
   need more detail on particulars. Those of you familiar with ipchains
   might want to look at [9]Differences Between iptables and ipchains;
   they are very similar.
   
   There are several different things you can do with iptables. You
   start with three built-in chains INPUT, OUTPUT and FORWARD which you
   can't delete. Let's look at the operations to manage whole chains:
   
    1. Create a new chain (-N).
    2. Delete an empty chain (-X).
    3. Change the policy for a built-in chain (-P).
    4. List the rules in a chain (-L).
    5. Flush the rules out of a chain (-F).
    6. Zero the packet and byte counters on all rules in a chain (-Z).
       
   There are several ways to manipulate rules inside a chain:
   
    1. Append a new rule to a chain (-A).
    2. Insert a new rule at some position in a chain (-I).
    3. Replace a rule at some position in a chain (-R).
    4. Delete a rule at some position in a chain (-D).
    5. Delete the first rule that matches in a chain (-D).
7.1 What You'll See When Your Computer Starts Up

   iptables is a module, called `iptable_filter.o', which should be
   automatically loaded when you first run iptables. It can also be
   permanently built into the kernel.
   
   Before any iptables commands have been run (careful: some
   distributions will run iptables in their initialization scripts),
   there will be no rules in any of the built-in chains (`INPUT',
   `FORWARD' and `OUTPUT'), and all the chains will have a policy of
   ACCEPT. You can alter the default policy of the FORWARD chain by
   providing the `forward=0' option to the iptable_filter module.
   
7.2 Operations on a Single Rule

   This is the bread-and-butter of packet filtering: manipulating rules.
   Most commonly, you will probably use the append (-A) and delete (-D)
   commands. The others (-I for insert and -R for replace) are simple
   extensions of these concepts.
   
   Each rule specifies a set of conditions the packet must meet, and what
   to do if it meets them (a `target'). For example, you might want to
   drop all ICMP packets coming from the IP address 127.0.0.1. So in this
   case our conditions are that the protocol must be ICMP and that the
   source address must be 127.0.0.1. Our target is `DROP'.
   
   127.0.0.1 is the `loopback' interface, which you will have even if you
   have no real network connection. You can use the `ping' program to
   generate such packets (it simply sends an ICMP type 8 (echo request)
   which all cooperative hosts should obligingly respond to with an ICMP
   type 0 (echo reply) packet). This makes it useful for testing.
   
# ping -c 1 127.0.0.1
PING 127.0.0.1 (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.2 ms

--- 127.0.0.1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.2/0.2/0.2 ms
# iptables -A INPUT -s 127.0.0.1 -p icmp -j DROP
# ping -c 1 127.0.0.1
PING 127.0.0.1 (127.0.0.1): 56 data bytes

--- 127.0.0.1 ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss
#

   You can see here that the first ping succeeds (the `-c 1' tells ping
   to only send a single packet).
   
   Then we append (-A) to the `INPUT' chain a rule specifying that for
   packets from 127.0.0.1 (`-s 127.0.0.1') with protocol ICMP
   (`-p icmp') we should jump to DROP (`-j DROP').
   
   Then we test our rule, using the second ping. There will be a pause
   before the program gives up waiting for a response that will never
   come.
   
   We can delete the rule in one of two ways. Firstly, since we know that
   it is the only rule in the INPUT chain, we can use a numbered delete,
   as in:
   
        # iptables -D INPUT 1
        #

   This deletes rule number 1 in the INPUT chain.
   
   The second way is to mirror the -A command, but replacing the -A with
   -D. This is useful when you have a complex chain of rules and you
   don't want to have to count them to figure out that it's rule 37 that
   you want to get rid of. In this case, we would use:
   
        # iptables -D INPUT -s 127.0.0.1 -p icmp -j DROP
        #

   The syntax of -D must have exactly the same options as the -A (or -I
   or -R) command. If there are multiple identical rules in the same
   chain, only the first will be deleted.
   
7.3 Filtering Specifications

   We have seen the use of `-p' to specify protocol, and `-s' to specify
   source address, but there are other options we can use to specify
   packet characteristics. What follows is an exhaustive compendium.
   
  Specifying Source and Destination IP Addresses
  
   Source (`-s', `--source' or `--src') and destination (`-d',
   `--destination' or `--dst') IP addresses can be specified in four
   ways. The most common way is to use the full name, such as
   `localhost' or `www.linuxhq.com'. The second way is to specify the IP
   address such as `127.0.0.1'.
   
   The third and fourth ways allow specification of a group of IP
   addresses, such as `199.95.207.0/24' or `199.95.207.0/255.255.255.0'.
   These both specify any IP address from 199.95.207.0 to 199.95.207.255
   inclusive; the digits after the `/' tell which parts of the IP
   address are significant. `/32' or `/255.255.255.255' is the default
   (match all of the IP address). To specify any IP address at all `/0'
   can be used, like so:
   
        [ NOTE: `-s 0/0' is redundant here. ]
        # iptables -A INPUT -s 0/0 -j DROP
        #

   This is rarely used, as the effect above is the same as not specifying
   the `-s' option at all.
   
  Specifying Inversion
  
   Many flags, including the `-s' (or `--source') and `-d'
   (`--destination') flags, can have their arguments preceded by `!'
   (pronounced `not') to match addresses NOT equal to the ones given. For
   example, `-s ! localhost' matches any packet not coming from
   localhost.
   
  Specifying Protocol
  
   The protocol can be specified with the `-p' (or `--protocol') flag.
   The protocol can be a number (if you know the numeric protocol values
   for IP) or a name for the special cases of `TCP', `UDP' or `ICMP'.
   Case doesn't matter, so `tcp' works as well as `TCP'.
   
   The protocol name can be prefixed by a `!', to invert it, such as
   `-p ! TCP' to specify packets which are not TCP.
   
  Specifying an Interface
  
   The `-i' (or `--in-interface') and `-o' (or `--out-interface') options
   specify the name of an interface to match. An interface is the
   physical device the packet came in on (`-i') or is going out on
   (`-o'). You can use the ifconfig command to list the interfaces which
   are `up' (i.e., working at the moment).
   
   Packets traversing the INPUT chain don't have an output interface, so
   any rule using `-o' in this chain will never match. Similarly, packets
   traversing the OUTPUT chain don't have an input interface, so any rule
   using `-i' in this chain will never match.
   
   Only packets traversing the FORWARD chain have both an input and an
   output interface.
   
   It is perfectly legal to specify an interface that currently does not
   exist; the rule will not match anything until the interface comes up.
   This is extremely useful for dial-up PPP links (usually interface
   ppp0) and the like.
   
   As a special case, an interface name ending with a `+' will match all
   interfaces (whether they currently exist or not) which begin with that
   string. For example, to specify a rule which matches all PPP
   interfaces, the -i ppp+ option would be used.
   
   The interface name can be preceded by a `!' to match a packet which
   doesn't match the specified interface(s).
   
  Specifying Fragments
  
   Sometimes a packet is too large to fit down a wire all at once. When
   this happens, the packet is divided into fragments, and sent as
   multiple packets. The other end reassembles the fragments to
   reconstruct the whole packet.
   
   The problem with fragments is that the initial fragment has the
   complete header fields (IP + TCP, UDP and ICMP) to examine, but
   subsequent packets only have a subset of the headers (IP without the
   additional protocol fields). Thus looking inside subsequent fragments
   for protocol headers (such as is done by the TCP, UDP and ICMP
   extensions) is not possible.
   
   If you are doing connection tracking or NAT, then all fragments will
   get merged back together before they reach the packet filtering code,
   so you need never worry about fragments.
   
   Otherwise, it is important to understand how fragments get treated by
   the filtering rules. Any filtering rule that asks for information we
   don't have will not match. This means that the first fragment is
   treated like any other packet. Second and further fragments won't be.
   Thus a rule -p TCP --sport www (specifying a source port of `www')
   will never match a fragment (other than the first fragment). Neither
   will the opposite rule -p TCP --sport ! www.
   
   However, you can specify a rule specifically for second and further
   fragments, using the `-f' (or `--fragment') flag. It is also legal to
   specify that a rule does not apply to second and further fragments,
   by preceding the `-f' with `!'.
   
   Usually it is regarded as safe to let second and further fragments
   through, since filtering will affect the first fragment, and thus
   prevent reassembly on the target host; however, bugs have been known
   to exist which allow crashing of machines simply by sending
   fragments. Your call.
   
   Note for network-heads: malformed packets (TCP, UDP and ICMP packets
   too short for the firewalling code to read the ports or ICMP code and
   type) are dropped when such examinations are attempted. So are TCP
   fragments starting at position 8 (that is, fragments with an IP
   fragment offset of 1, which would leave the TCP flags in the second
   fragment, out of reach of the checks above). *
   
   (* Translator's note: the original sentence is `So are TCP fragments
   starting at position 8'. I tried to find out which position in the
   TCP header `position 8' refers to, but could not find an answer;
   readers who know are welcome to write to me.)
   
   As an example, the following rule will drop any fragments going to
   192.168.1.1:
   
# iptables -A OUTPUT -f -d 192.168.1.1 -j DROP
#

  Extensions to iptables: New Matches
  
   iptables is extensible, meaning that both the kernel and the iptables
   tool can be extended to provide new features.
   
   Some of these extensions are standard, and others are more exotic.
   Extensions can be made by other people and distributed separately for
   niche users.
   
   Kernel extensions normally live in the kernel module directory, such
   as /lib/modules/2.3.15/net. They are demand loaded if your kernel was
   compiled with CONFIG_KMOD set, so you should not need to manually
   insert them.
   
   Extensions to the iptables program are shared libraries which usually
   live in /usr/local/lib/iptables/, although a distribution would put
   them in /lib/iptables or /usr/lib/iptables.
   
   Extensions come in two types: new targets, and new matches (we'll talk
   about new targets a little later). Some protocols automatically offer
   new tests: currently these are TCP, UDP and ICMP as shown below.
   
   For these you will be able to specify the new tests on the command
   line after the `-p' option, which will load the extension. For
   explicit new tests, use the `-m' option to load the extension, after
   which the extended options will be available.
   
   To get help on an extension, use the option to load it (`-p', `-j' or
   `-m') followed by `-h' or `--help', eg:
   
# iptables -p tcp --help
#

  TCP Extensions
  
   The TCP extensions are automatically loaded if `-p tcp' is specified.
   It provides the following options (none of which match fragments).
   
   --tcp-flags
          Followed by an optional `!', then two strings of flags, allows
          you to filter on specific TCP flags. The first string of flags
          is the mask: a list of flags you want to examine. The second
          string of flags tells which one(s) should be set. For example:
          
# iptables -A INPUT --protocol tcp --tcp-flags ALL SYN,ACK -j DROP

          This indicates that all flags should be examined (`ALL' is
          synonymous with `SYN,ACK,FIN,RST,URG,PSH'), but only SYN and
          ACK should be set. There is also an argument `NONE' meaning no
          flags.
          
   --syn
          Optionally preceded by a `!', this is shorthand for
          `--tcp-flags SYN,RST,ACK SYN'.
          
   --source-port
          Followed by an optional `!', then either a single TCP port, or
          a range of ports. Ports can be port names, as listed in
          /etc/services, or numeric. Ranges are either two port names
          separated by a `:', or (to specify greater than or equal to a
          given port) a port with a `:' appended, or (to specify less
          than or equal to a given port) a port preceded by a `:'.
          
   --sport
          A synonym for `--source-port'.
          
   --destination-port
          
          
   --dport
          The same as above, only they specify the destination port to
          match.
          
   --tcp-option
          Followed by an optional `!' and a number, matches a packet with
          a TCP option equaling that number. A packet which does not have
          a complete TCP header is dropped automatically if an attempt is
          made to examine its TCP options.
          
  An Explanation of TCP Flags
  
   It is sometimes useful to allow TCP connections in one direction, but
   not the other. For example, you might want to allow connections to an
   external WWW server, but not connections from that server.
   
   The naive approach would be to block TCP packets coming from the
   server. Unfortunately, TCP connections require packets going in both
   directions to work at all.
   
   The solution is to block only the packets used to request a
   connection. These packets are called SYN packets (ok, technically
   they're packets with the SYN flag set, and the RST and ACK flags
   cleared, but we call them SYN packets for short). By disallowing only
   these packets, we can stop attempted connections in their tracks.
   
   The `--syn' flag is used for this: it is only valid for rules which
   specify TCP as their protocol. For example, to specify TCP connection
   attempts from 192.168.1.1:
   
-p TCP -s 192.168.1.1 --syn

   This flag can be inverted by preceding it with a `!', which means
   every packet other than the connection initiation.
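To make the mask/compare semantics concrete, here is an added example (mine, not from the HOWTO or the iptables sources) that evaluates `--tcp-flags MASK SET' and the `--syn' shorthand against a constructed packet's flag list. The numeric bit values of the six flags are assumed from the TCP header layout, since the text above does not list them.

```shell
#!/bin/sh
# Added example, not from the HOWTO or iptables: the mask/compare rule behind
# `--tcp-flags MASK SET' and the `--syn' shorthand. Flag names and ALL/NONE
# come from the text above; the bit values (FIN=1 ... URG=32) are the TCP
# header's, assumed here because the page does not list them.

# flag_bits "SYN,ACK" -> 18: comma-separated flag names to a bitmask
flag_bits() {
    bits=0
    save_ifs=$IFS; IFS=,
    for f in $1; do
        case "$f" in
            FIN)  bits=$((bits | 1)) ;;
            SYN)  bits=$((bits | 2)) ;;
            RST)  bits=$((bits | 4)) ;;
            PSH)  bits=$((bits | 8)) ;;
            ACK)  bits=$((bits | 16)) ;;
            URG)  bits=$((bits | 32)) ;;
            ALL)  bits=63 ;;                    # SYN,ACK,FIN,RST,URG,PSH
            NONE) bits=0 ;;
            *)    IFS=$save_ifs; echo "unknown flag: $f" >&2; return 2 ;;
        esac
    done
    IFS=$save_ifs
    echo "$bits"
}

# tcp_flags_match MASK SET PACKET_FLAGS: succeeds when the packet's flags,
# looked at only through MASK, are exactly SET (the test iptables performs:
# (flags & mask) == set). Flags outside MASK are ignored.
tcp_flags_match() {
    mask=$(flag_bits "$1") || return 2
    want=$(flag_bits "$2") || return 2
    have=$(flag_bits "$3") || return 2
    [ $((have & mask)) -eq "$want" ]
}

# syn_match PACKET_FLAGS: `--syn' is `--tcp-flags SYN,RST,ACK SYN'
syn_match() {
    tcp_flags_match SYN,RST,ACK SYN "$1"
}
```

The difference between `--syn' and `--tcp-flags ALL SYN' shows up on a packet carrying SYN plus an unrelated flag such as URG: the first matches it, the second does not.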
   
  UDP Extensions
  
   These extensions are automatically loaded if `-p udp' is specified.
   It provides the options `--source-port', `--sport',
   `--destination-port' and `--dport' as detailed for TCP above.
   
  ICMP Extensions
  
   This extension is automatically loaded if `-p icmp' is specified. It
   provides only one new option:
   
   --icmp-type
          Followed by an optional `!', then either an icmp type name (eg
          `host-unreachable'), or a numeric type (eg `3'), or a numeric
          type and code separated by a `/' (eg `3/3'). A list of
          available icmp type names is given using `-p icmp --help'.
          
  Other Match Extensions
  
   The other extensions in the netfilter package are demonstration
   extensions, which (if installed) can be invoked with the `-m' option.
   
   mac
          This module must be explicitly specified with `-m mac' or
          `--match mac'. It is used to match incoming packets' source
          Ethernet (MAC) address, and thus is only useful for packets
          traversing the PREROUTING and INPUT chains. It provides only
          one option:
          
        --mac-source
                Followed by an optional `!', then an ethernet address in
                colon-separated hexadecimal byte notation, eg
                `--mac-source 00:60:08:91:CC:B7'.
                
   limit
          This module must be explicitly specified with `-m limit' or
          `--match limit'. It is used to restrict the rate of matches,
          such as for suppressing log messages. It will only match a
          given number of times per second (by default 3 matches per
          hour, with a burst of 5). It takes two optional arguments:
          
          
        --limit
                Followed by a number; specifies the maximum average
                number of matches to allow per second. The number can
                specify units explicitly, using `/second', `/minute',
                `/hour' or `/day', or parts of them (so `5/second' is
                the same as `5/s').
                
        --limit-burst
                Followed by a number, indicating the maximum burst before
                the above limit kicks in.
                
          This match can often be used with the LOG target to do
          rate-limited logging. To understand how it works, let's look
          at the following rule, which logs packets with the default
          limit parameters:
          
# iptables -A FORWARD -m limit -j LOG

          The first time this rule is reached, the packet will be logged;
          in fact, since the default burst is 5, the first five packets
          will be logged. After this, it will be twenty minutes before a
          packet will be logged from this rule, regardless of how many
          packets reach it. Also, every twenty minutes which passes
          without matching a packet, one of the burst will be regained;
          if no packets hit the rule for 100 minutes, the burst will be
          fully recharged; back where we started.
          
          Note: you cannot currently create a rule with a recharge time
          greater than about 59 hours, so if you set an average rate of
          one per day, then your burst rate must be less than 3.
          
          You can also use this module to avoid various denial of service
          attacks (DoS) with a faster rate to increase responsiveness.
          
          
          Syn-flood protection
          
# iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT

          Furtive port scanner
          
# iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

          Ping of death
          
# iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

          This module works like a "hysteresis door", as shown in the
          graph below.
          
       rate (pkt/s)
             ^        .---.
             |       / DoS \
             |      /       \
Edge of DoS -|.....:.........\.......................
 = (limit *  |    /:          \
limit-burst) |   / :           \         .-.
             |  /  :            \       /   \
             | /   :             \     /     \
End of DoS  -|/....:..............:.../.......\..../.
 = limit     |     :              :`-'         `--'
-------------+-----+--------------+------------------> time (s)
   LOGIC =>  Match | Didn't Match |    Match

          Say we match one packet per second with an initial burst of
          five packets, and a flood of four packets per second arrives:
          it lasts for a few seconds, stops for a few seconds, and then
          starts again.
          


        <--Flood 1-->           <---Flood 2--->

Total  ^                   Line  __--      YNNN
Packets|               Rate  __--      YNNN
       |            mum  __--      YNNN
    10 |        Maxi __--         Y
       |         __--            Y
       |     __--               Y
       | __--    YNNN
       |-    YNNN
     5 |    Y
       |   Y                                Key:  Y -> Matched Rule
       |  Y                                       N -> Didn't Match Rule
       | Y
       |Y
     0 +-------------------------------------------------->  Time (seconds)
        0   1   2   3   4   5   6   7   8   9  10  11  12

          You can see that the first five packets are allowed to exceed
          one packet per second, then the limiting kicks in. If there is
          a pause, another burst is allowed, but not past the maximum
          rate set by the rule (1 packet per second after the burst is
          used up).
          
   owner
          This module attempts to match various characteristics of the
          packet creator, for locally-generated packets. It is only
          valid in the OUTPUT chain, and even then some packets (such as
          ICMP ping responses) may have no owner, and hence never match.
          
        --uid-owner userid
                Matches if the packet was created by a process with the
                given effective (numerical) user id.
                
        --gid-owner groupid
                Matches if the packet was created by a process with the
                given effective (numerical) group id.
                
        --pid-owner processid
                Matches if the packet was created by a process with the
                given process id.
                
        --sid-owner sessionid
                Matches if the packet was created by a process in the
                given session group.
                
   unclean
          This experimental module must be explicitly specified with
          `-m unclean' or `--match unclean'. It does various random
          sanity checks on packets. This module has not been audited,
          and should not be used as a security device (it probably makes
          things worse, since it may have bugs itself). It takes no
          options.
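The `limit' description above is easiest to check with a model. The following added example (mine, not netfilter's code) simulates the match as a token bucket whose credit is kept in milliseconds, one `period' of credit per matched packet and a cap of burst * period; it runs the two floods from the graphs (1/s, burst 5) and the default 3/hour, burst 5 parameters fed one packet per minute, printing Y or N per packet. The arrival times are constructed, and whole-millisecond arithmetic is a simplification of the kernel's jiffy-based credit.

```shell
#!/bin/sh
# Added example, not netfilter code: a token-bucket model of the `limit'
# match. Credit is kept in milliseconds; a match costs one `period' of
# credit and credit is capped at burst * period. This mirrors the credit
# scheme the match uses, simplified to whole milliseconds. All arrival
# times below are constructed for the demonstration.

# limit_match PERIOD_MS BURST "T1 T2 ..." -> one Y (matched) or N per packet
limit_match() {
    period=$1; burst=$2
    cap=$((burst * period))
    credit=$cap                  # the bucket starts full: the first burst matches
    prev=0; out=""
    for t in $3; do
        credit=$((credit + t - prev))           # refill: one period per period
        if [ "$credit" -gt "$cap" ]; then credit=$cap; fi
        if [ "$credit" -ge "$period" ]; then
            credit=$((credit - period)); out="${out}Y"
        else
            out="${out}N"
        fi
        prev=$t
    done
    printf '%s\n' "$out"
}

# arrivals START_MS STEP_MS COUNT -> COUNT arrival times, STEP apart
arrivals() {
    i=0; times=""
    while [ "$i" -lt "$3" ]; do
        times="$times $(( $1 + i * $2 ))"
        i=$((i + 1))
    done
    printf '%s\n' "$times"
}

# The two floods of the graphs: four packets per second for about three
# seconds, a five-second pause, then the same again, against
# `--limit 1/s --limit-burst 5'.
two_floods() {
    limit_match 1000 5 "$(arrivals 0 250 13) $(arrivals 8000 250 7)"
}

# The default `-m limit' (3/hour, i.e. one per 1,200,000 ms, burst 5) fed
# one packet per minute for 21 minutes: five match, then nothing until
# minute 20, as the text says.
default_limit_per_minute() {
    limit_match 1200000 5 "$(arrivals 0 60000 21)"
}
```

Because credit keeps refilling during a flood, a burst of 5 at 4 packets per second actually lets six packets through before the limiting starts, and a pause long enough to refill the bucket restores the full burst.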
          
  The State Match
  
   The most useful match criterion is provided by the `state' extension,
   which interprets the connection-tracking analysis of the
   `ip_conntrack' module. This is highly recommended.
   
   Specifying `-m state' allows an additional `--state' option, which is
   a comma-separated list of states to match (the `!' flag indicates not
   to match those states). These states are:
   
   NEW
          A packet which creates a new connection.
          
   ESTABLISHED
          A packet which belongs to an existing connection (i.e., a reply
          packet, or an outgoing packet on a connection which has seen
          replies).
          
   RELATED
          A packet which is related to, but not part of, an existing
          connection, such as an ICMP error, or (with the FTP module
          inserted) a packet establishing an ftp data connection.
          
   INVALID
          A packet which could not be identified for some reason: this
          includes running out of memory and ICMP errors which don't
          correspond to any known connection. Generally these packets
          should be dropped.
          
7.4 Target Specifications

   Now we know what examinations we can do on a packet, we need a way of
   saying what to do to the packets which match our tests. This is called
   a rule's target.
   
   There are two very simple built-in targets: DROP and ACCEPT. We've
   already met them. If a rule matches a packet and its target is one of
   these two, no further rules are consulted: the packet's fate has been
   decided.
   
   There are two types of targets other than the built-in ones:
   extensions and user-defined chains.
   
  User-Defined Chains
  
   One powerful feature which iptables inherited from ipchains is the
   ability for the user to create new chains, in addition to the three
   built-in ones (INPUT, FORWARD and OUTPUT). By convention, user-defined
   chains are lower-case to distinguish them (we'll describe how to
   create new user-defined chains below in [10]Operations on an Entire
   Chain).
   
   When a packet matches a rule whose target is a user-defined chain, the
   packet begins traversing the rules in that user-defined chain. If that
   chain doesn't decide the fate of the packet, then once traversal on
   that chain has finished, traversal resumes on the next rule in the
   current chain.
   
   Time for more ASCII art. Consider two (silly) chains: INPUT (the
   built-in chain) and test (a user-defined chain).
   
         `INPUT'                         `test'
        ----------------------------    ----------------------------
        | Rule1: -p ICMP -j DROP   |    | Rule1: -s 192.168.1.1    |
        |--------------------------|    |--------------------------|
        | Rule2: -p TCP -j test    |    | Rule2: -d 192.168.1.1    |
        |--------------------------|    ----------------------------
        | Rule3: -p UDP -j DROP    |
        ----------------------------

   Consider a TCP packet coming from 192.168.1.1, going to 1.2.3.4. It
   enters the INPUT chain, and gets tested against Rule1 - no match.
   Rule2 matches, and its target is test, so the next rule examined is
   the start of test. Rule1 in test matches, but doesn't specify a
   target, so the next rule is examined, Rule2. This doesn't match, so we
   have reached the end of the chain. We return to the INPUT chain, where
   we had just examined Rule2, so we now examine Rule3, which doesn't
   match either.
   
   So the packet path is:
   
                                v    __________________________
         `INPUT'                |   /    `test'                v
        ------------------------|--/    -----------------------|----
        | Rule1                 | /|    | Rule1                |   |
        |-----------------------|/-|    |----------------------|---|
        | Rule2                 /  |    | Rule2                |   |
        |--------------------------|    -----------------------v----
        | Rule3                 /--+___________________________/
        ------------------------|---
                                v

   User-defined chains can jump to other user-defined chains (but don't
   make loops: your packets will be dropped if they're found to be in a
   loop).
   
  Extensions to iptables: New Targets
  
   The other type of extension is a target. A target extension consists
   of a kernel module, and an optional extension to iptables to provide
   new command line options. There are several extensions in the default
   netfilter distribution:
   
   LOG
          This module provides kernel logging of matching packets. It
          provides these additional options:
          
        --log-level
                Followed by a level number or name. Valid names are
                (case-insensitive) `debug', `info', `notice', `warning',
                `err', `crit', `alert' and `emerg', corresponding to
                numbers 7 through 0. See the man page for syslog.conf
                for an explanation of these levels.
                
        --log-prefix
                Followed by a string of up to 30 characters, this
                message is sent at the start of the log message, to
                allow it to be uniquely identified.
                
          This module is most useful after a limit match, so you don't
          flood your logs.
          
   REJECT
          This module has the same effect as `DROP', except that the
          sender is sent an ICMP `port unreachable' error message. Note
          that the ICMP error message is not sent if (see RFC 1122):
          
          + The packet being filtered was an ICMP error message in the
            first place, or some unknown ICMP type.
          + The packet being filtered was a non-head fragment.
          + We've sent too many ICMP error messages to that destination
            recently.
            
          REJECT also takes a `--reject-with' optional argument which
          alters the reply packet used: see the manual page.
          
  Special Built-In Targets
  
   There are two special built-in targets: RETURN and QUEUE.
   
   RETURN has the same effect as falling off the end of a chain: for a
   rule in a built-in chain, the policy of the chain is executed. For a
   rule in a user-defined chain, the traversal continues at the previous
   chain, just after the rule which jumped to this chain.
   
   QUEUE is a special target, which queues the packet for userspace
   processing. For this to be useful, two further components are
   required:
   
     * a "queue handler", which deals with the actual mechanics of
       passing packets between the kernel and userspace; and
       
     * a userspace application to receive, possibly manipulate, and
       issue verdicts on packets.
       
   The standard queue handler for IPv4 iptables is the ip_queue module,
   which is distributed with the kernel and marked as experimental.
   
   The following is a quick example of how to use iptables to queue
   packets for userspace processing:
   
# modprobe iptable_filter
# modprobe ip_queue
# iptables -A OUTPUT -p icmp -j QUEUE

   With this rule, locally generated outgoing ICMP packets (as created
   with, say, ping) are passed to the ip_queue module, which then
   attempts to deliver the packets to a userspace application. If no
   userspace application is waiting, the packets are dropped.
   
   To write a userspace application, use the libipq API. This is
   distributed with iptables. Example code may be found in the testsuite
   tools (e.g. redirect.c) in CVS.
   
   The status of ip_queue may be checked via:
   
/proc/net/ip_queue

   The maximum length of the queue (i.e. the number of packets delivered
   to userspace with no verdict issued back) may be controlled via:
   
/proc/sys/net/ipv4/ip_queue_maxlen

   The default value for the maximum queue length is 1024. Once this
   limit is reached, new packets will be dropped until the length of the
   queue falls below the limit again. Nice protocols such as TCP
   interpret dropped packets as congestion, and will hopefully back off
   when the queue fills up. However, it may take some experimenting to
   determine an ideal maximum queue length for a given situation if the
   default value is too small.
   
7.5 Operations on an Entire Chain

   A very useful feature of iptables is the ability to group related
   rules into chains. You can call the chains whatever you want, but I
   recommend using lower-case letters to avoid confusion with the
   built-in chains and targets. Chain names can be up to 31 letters
   long.
   
  Creating a New Chain
  
   Let's create a new chain. Because I'm such an imaginative fellow, I'll
   call it test. We use the `-N' or `--new-chain' options:
   
# iptables -N test
#

   It's that simple. Now you can put rules in it as detailed above.
   
  Deleting a Chain
  
   Deleting a chain is simple as well, using the `-X' or `--delete-chain'
   options. Why `-X'? Well, all the good letters were taken.
   
# iptables -X test
#

   There are a couple of restrictions to deleting chains: they must be
   empty (see [11]Flushing a Chain below) and they must not be the
   target of any rule. You can't delete any of the three built-in
   chains.
   
   If you don't specify a chain, then all user-defined chains will be
   deleted, if possible.
   
  Flushing a Chain
  
   There is a simple way of emptying all rules out of a chain, using the
   `-F' (or `--flush') command:
   
# iptables -F FORWARD
#

   If you don't specify a chain, then all chains will be flushed.
   
  Listing a Chain
  
   Using the `-L' (or `--list') command, you can see all the rules in
   the selected chain.
   
   The `refcnt' listed for each user-defined chain is the number of rules
   which have that chain as their target. This must be zero (and the
   chain be empty) before this chain can be deleted.
   
   If the chain name is omitted, all chains are listed, even empty ones.
   
   There are three options which can accompany `-L'. The `-n' (numeric)
   option is very useful as it prevents iptables from trying to look up
   the IP addresses, which (if you are using DNS like most people) will
   cause large delays if your DNS is not set up properly, or you have
   filtered out DNS requests. It also causes TCP and UDP ports to be
   printed out as numbers rather than names.
   
   The `-v' option shows you all the details of the rules, such as the
   packet and byte counters, the TOS comparisons, and the interfaces.
   Otherwise these values are omitted.
   
   Note that the packet and byte counters are printed out using the
   suffixes `K', `M' or `G' for 1000, 1,000,000 and 1,000,000,000
   respectively. Using the `-x' (expand numbers) flag as well prints the
   full numbers, no matter how large they are.
   
  Resetting (Zeroing) Counters
  
   It is useful to be able to reset the counters. This can be done with
   the `-Z' (or `--zero') option.
   
   The problem with this approach is that sometimes you need to know the
   counter values immediately before they are reset. In the above
   example, some packets could pass through between the `-L' and `-Z'
   commands. For this reason, you can use the `-L' and `-Z' together, to
   reset the counters while reading them.
   
  Setting Policy
  
   We glossed over what happens when a packet hits the end of a built-in
   chain when we discussed how a packet walks through chains earlier. In
   this case, the policy of the chain determines the fate of the packet.
   Only built-in chains (INPUT, OUTPUT and FORWARD) have policies,
   because if a packet falls off the end of a user-defined chain,
   traversal resumes at the previous chain.
   
   The policy can be either ACCEPT or DROP.
   
8. Using ipchains and ipfwadm

   There are modules called ipchains.o and ipfwadm.o in the netfilter
   distribution. Insert one of these into your kernel (NOTE: they are
   incompatible with iptables.o, ip_conntrack.o and ip_nat.o). Then you
   can use ipchains or ipfwadm just as before.
   
   These will continue to be supported for some time. I think a
   reasonable formula for this is 2 * [replacement - initial stable
   release] after a stable release of the replacement.
   
   That is, support for ipfwadm will probably end:
   
2 * [October 1997 (2.1.102 release) - March 1995 (ipfwadm 1.0)]
        + January 1999 (2.2.0 release)
    = November 2003.

   And support for ipchains will probably end:
   
2 * [August 1999 (2.3.15 release) - October 1997 (2.2.0 release)]
        + July 2000 (2.4.0 release?)
    = March 2004.

   So don't worry until 2004.
   
9. Mixing NAT and Packet Filtering

   It's common to want to do Network Address Translation (see the NAT
   HOWTO) and packet filtering. The good news is that they mix very,
   very well.
   
   You design your packet filtering completely ignoring any NAT you are
   doing. The sources and destinations seen by the packet filter will be
   the `real' sources and destinations. For example, if you are doing
   DNAT to send any connections to 1.2.3.4 port 80 to 10.1.1.1 port 8080,
   the packet filter would see packets going to 10.1.1.1 port 8080 (the
   real destination), not 1.2.3.4 port 80. Similarly, you can ignore
   masquerading: packets will seem to come from their real internal IP
   addresses (say 10.1.1.1), and will have replies which seem to go back
   there.
   
   You can use the `state' match extension without making the packet
   filter do any extra work, since NAT requires connection tracking
   anyway. To enhance the simple masquerading example in the NAT HOWTO
   to disallow any new connections from coming in the ppp0 interface:
   
# Masquerade out ppp0
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

# Disallow NEW and INVALID incoming or forwarded packets from ppp0.
iptables -A INPUT -i ppp0 -m state --state NEW,INVALID -j DROP
iptables -A FORWARD -i ppp0 -m state --state NEW,INVALID -j DROP

# Turn on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

10. Differences Between iptables and ipchains

     * Firstly, the names of the built-in chains have changed from lower
       case to UPPER case, because the INPUT and OUTPUT chains now only
       get locally-destined and locally-generated packets. They used to
       see all incoming and all outgoing packets respectively.
     * The `-i' flag now means the incoming interface, and only works in
       the INPUT and FORWARD chains. Rules in the FORWARD or OUTPUT
       chains that used `-i' should be changed to `-o'.
     * TCP and UDP ports now need to be spelled out with the
       --source-port or --sport (or --destination-port/--dport) options,
       and must be placed after the `-p tcp' or `-p udp' options, as
       this loads the TCP or UDP extension respectively.
     * The TCP -y flag is now --syn, and must be after `-p tcp'.
     * The DENY target is finally DROP.
     * Zeroing single chains while listing them works.
     * Zeroing built-in chains also clears policy counters.
     * Listing chains gives you an atomic snapshot of counters.
     * REJECT and LOG are now extended targets, meaning they are
       separate kernel modules.
     * Chain names can be up to 31 characters.
     * MASQ is now MASQUERADE and uses a different syntax. REDIRECT,
       while keeping the same name, has also undergone a syntax change.
       See the NAT-HOWTO for more information on how to configure them
       both.
     * The -o option is no longer used to direct packets to the
       userspace device (see -i above). Packets are now passed to
       userspace via the QUEUE target.
     * Probably loads of other things I forgot.
       
11. Advice on Packet Filter Design

   It is common lore in the computer security world that the safest
   policy is the one which denies everything, and then adds in only what
   is absolutely needed: `that which is not expressly permitted is
   prohibited'. I recommend it if security is your highest concern.
   
   Don't run any services you don't need to, even if you think you have
   blocked access to them.
   
   If you're creating a dedicated firewall, start by running nothing, and
   blocking all packets, then add services and let the packets through
   as required.
   
   I recommend security in depth: combine tcp-wrappers (for connections
   to the packet filter itself), proxies (for connections passing
   through the packet filter), route verification and packet filtering.
   Route verification is where a packet which comes from an unexpected
   interface is dropped: for example, if your internal network has
   addresses 10.1.1.0/24, and a packet with that source address comes in
   your external interface (say ppp0), it will be dropped. This can be
   enabled for one interface (ppp0) like so:
   
# echo 1 > /proc/sys/net/ipv4/conf/ppp0/rp_filter
#

   Or for all existing and future interfaces like so:
   
# for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
#     echo 1 > $f
# done
#

   Debian does this by default where possible. If you have asymmetric
   routing (e.g. you expect packets coming in from strange directions),
   you will want to disable this filtering on those interfaces.
   
   Logging is useful when setting up a firewall if something isn't
   working, but on a production firewall always combine it with the
   `limit' match, to prevent someone from flooding your logs.
   
   I highly recommend connection tracking for secure systems: it
   introduces some overhead, as all connections are tracked, but is very
   useful for controlling access to your networks. You will need to load
   the `ip_conntrack.o' module if your kernel doesn't have it built in.
   If you want accurate tracking of complex protocols, you'll need to
   load the appropriate helper module (e.g. `ip_conntrack_ftp.o').
   
# iptables -N no-conns-from-ppp0
# iptables -A no-conns-from-ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A no-conns-from-ppp0 -m state --state NEW -i ! ppp0 -j ACCEPT
# iptables -A no-conns-from-ppp0 -i ppp0 -m limit -j LOG --log-prefix "Bad packet from ppp0:"
# iptables -A no-conns-from-ppp0 -i ! ppp0 -m limit -j LOG --log-prefix "Bad packet not from ppp0:"
# iptables -A no-conns-from-ppp0 -j DROP

# iptables -A INPUT -j no-conns-from-ppp0
# iptables -A FORWARD -j no-conns-from-ppp0

   Setting up a good firewall is beyond the scope of this HOWTO, but my
   advice is `always be minimalist'. See the Security HOWTO for more
   information on testing and probing your box.

References

   1. http://netfilter.filewatcher.org/
   2. http://www.samba.org/netfilter
   3. http://netfilter.kernelnotes.org/
   4. http://lists.samba.org/
   5. This document, "Making Rules Permanent" (#permanent)
   6. This document, "Using ipchains and ipfwadm" (#oldstyle)
   7. This document, "How Do I Packet Filter Under Linux?" (#filter-linux)
   8. http://www.watchguard.com/
   9. This document, "Differences Between iptables and ipchains" (#Appendix-A)
  10. This document, "Operations on an Entire Chain" (#chain-ops)
  11. This document, "Flushing a Chain" (#flushing)
