لطفا منتظر باشید ...
What Is iptables ?
Although the details are hidden from most
networking tools, the 2.4.x Linux kernel uses a
procedure like that outlined in
process network packets. Early on in the process, a routing decision is made:
Is the packet destined for the local computer, or should it be forwarded to
another computer? Depending upon the answer to that question, the packet is
passed to one of two chains: the INPUT chain or
the FORWARD chain. Each of these chains can process or modify the incoming data
in various ways, but the default is not to modify the data. The INPUT chain
ultimately leads to what
to as local processes. These may be network
clients (Netscape, telnet , and so on) or network servers (Apache, telnetd , and
so on). In most cases, these processes run in user space, but they may be
kernel-based, as in the kernel's Network Filesystem (NFS) support or the kHTTPd
Web server. Both the local processes and the FORWARD chain eventually
lead to the OUTPUT chain, which can also manipulate data packets in ways described in
this chapter.
Figure 25.1. The Linux
networking system provides several chains in which data packets may be
manipulated.
align=left border=0> It's possible for a data packet to not make
a complete circuit in
chain rules can block the data packet, or the local processes might decide
not to respond to a data packet. It's also possible for a transaction to originate with the local processes, in which case a
response should arrive back as incoming data.
Each of the chains shown in
based on features such as the source or destination IP address, the source or
destination port, or the network interface involved in the transaction. Each
chain is a collection of rules, each of which is matched in turn against the
input packet. If a rule matches, the rule indicates what the kernel should do
with the packet by specifying a target for the
rule. Predefined targets include ACCEPT (accept the packet for further
processing), DROP (ignore the packet), QUEUE (pass the packet to a user-space
program), and RETURN (stop processing the chain and return to the chain that called the
current chain). Some additional targets that require particular kernel options
to be activated include REJECT (to reject the packet, telling the sender that it was rejected), MASQUERADE (used for NAT, as described in the upcoming section "
up the filter table, which is what handles most standard traffic. Two other
standard tables are nat (which is used for NAT, as described in the upcoming section "
to place new chains within a table, and call these new chains from the existing
chains. You might do this to create specialized and complex processing patterns
to filter or alter data.These network tables and chains are features
of the Linux kernel, and iptables is the user-space tool you use to manipulate them. You can use iptables to
add rules to any of the chains shown in
other chains. For instance, you might add rules to the INPUT chain to
block all packets directed at specific network ports, or you might add rules to
the OUTPUT chain to stop packets directed at systems with which you don't want
yours communicating. By manipulating these and other chains, you can implement
a packet-filter firewall, NAT, or other security and routing tools.The changes you make with iptables are
transient; they disappear as soon as you reboot the computer. For this reason,
you should create a script that sets your iptables rules. Some
distributions, such as Red Hat and Mandrake, include tools to help you build
firewall or NAT rules. You can implement such a script yourself and call it as
a SysV or local startup script.
Alternative Filtering Tools
The iptables program was
designed for use with the 2.4.x Linux kernel.
Earlier kernels, though, used different tools. Specifically, 2.2.x kernels used a tool known as ipchains ,
and 2.0.x kernels used ipfwadm . The
changes in firewall and NAT tools reflect changes in the kernel's networking
structure. The latest iptables tool can implement features in the 2.4.x
kernel that didn't exist in the 2.2.x kernel,
such as stateful packet inspection, in which
packets can be tracked based on an entire multi-packet transaction with
another computer, rather than as isolated entities. Stateful packet
inspection greatly enhances the ability of a firewall to protect the
computers it serves.If you're using a pre-2.4.x kernel, you can continue using it with the older
tools. These tools implement similar principles, but many of the details
differ. This chapter doesn't cover the syntax or features of ipchains or ipfwadm , so
if you want to use them, you'll have to track down appropriate documentation.
If future kernels require even more sophisticated tools than iptables ,
you may need to locate documentation on these future tools. Chances are good
that the broad outlines of these tools' operation will resemble those of iptables ,
though, so knowledge of iptables won't be completely useless to you.If you have access to a firewall rule set
built with ipfwadm or ipchains , you can continue to use it with a 2.4.x
kernel, but you must include appropriate kernel support for the older tool. Using
such a firewall rule set with a 2.4.x kernel
has no disadvantages over using it with a 2.0.x
or 2.2.x kernel, but you might be able to use
more powerful features if you rewrite the rules for iptables .To some extent, iptables overlaps in function with tools like TCP Wrappers, xinetd , and
server-specific access control options. All of these tools allow you to
restrict access to a server based on a client's IP address, for instance. As
a general rule, when multiple tools are available, I recommend using two or
more, so that a bug in or misconfiguration of one tool can be corrected by
another tool. Compared to other tools, iptables works at a
lower level and with more protocols and servers. For instance, xinetd can
only protect servers that xinetd launches, whereas iptables can protect all servers.
