Linux Network Administrator's Guide (3rd Edition) [Electronic resources]

Tony Bautts, Terry Dawson, Gregor N. Purdy

7.4. Netfilter and iptables

While developing the previous version of
Linux IP firewalling (called ipchains), Paul
"Rusty" Russell decided that IP
firewalling should be less difficult. He set about the task of
simplifying aspects of packet processing in the kernel firewalling
code and produced a filtering framework that was both much cleaner
and much more flexible. He called this new framework
netfilter.


While ipchains
was a vast improvement over its predecessor
(ipfwadm) for the management of firewall rules,
the way it processed packets was still complex, especially in
conjunction with important features such as IP masquerade (discussed
in Chapter 9) and other forms of address
translation. Part of this complexity existed because IP masquerade
and NAT were developed independently of the IP firewalling code and
integrated later, rather than having been designed as a true part of
the firewall code from the start. If a developer wanted to add yet
more features in the packet-processing sequence, he would have had
difficulty finding a place to insert the code and would have been
forced to make changes in the kernel in order to do so.

netfilter addresses both the complexity and the
rigidity of older solutions by implementing a generic framework in
the kernel that streamlines the way packets are processed and
provides a capability to extend filtering policy without having to
modify the kernel. The Linux 2.4 Packet Filtering
HOWTO (available online at http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTOl)
offers a detailed list of the changes that have been made, so
let's focus on the more practical aspects here.

To build a Linux IP firewall, it is necessary to have a kernel built
with IP firewall (netfilter) support and the
iptables user-space configuration
utility. The netfilter code is the result of a
large redesign of the packet handling flow in Linux.
netfilter provides direct backward-compatible
support for both of the two older Linux firewalling solutions
(ipfwadm and ipchains), as
well as a new command called iptables. In this book, we'll
only cover iptables, but you can
refer to previous editions of this book if you need to understand
ipfwadm or ipchains rules.


7.4.1. Example iptables Commands

The iptables architecture groups network packet
processing rules into tables by function (packet
filtering, network address translation, and other packet mangling),
each of which has chains (sequences) of
processing rules. Rules consist of
matches (used to determine which packets the
rule will apply to) and targets (which determine
what will be done with the matching packets).

iptables operates at OSI Layer 3
(Network). For OSI Layer 2 (Link), there are other technologies such
as ebtables (Ethernet Bridge Tables). See
http://ebtables.sourceforge.net/
for more information.

This section gives a couple of examples of iptables usage with high-level explanations.
See the "iptables Concepts"
section, later in the chapter, for additional information.

7.4.1.1 A packet-filtering example


This
command could be used on a firewall to filter out all non-HTTP
traffic, implementing the rules described in the earlier section,
"What Is IP Filtering?", assuming
eth0 is the Ethernet interface on the inside and
eth1 is the Ethernet interface to the Internet.

iptables -t filter -P FORWARD DROP
iptables -t filter -A FORWARD -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -t filter -A FORWARD -i eth1 -p tcp --sport 80 -j ACCEPT

The first command sets the default policy
for the FORWARD chain of the
filter table to DROP all
packets. Table 7-1 shows how the second command
means "allow all outbound HTTP
requests." The third command is similar except that
it means "allow all inbound HTTP
responses."

Table 7-1. Decomposed example iptables command arguments

  Component     Description
  ------------  ------------------------------------------------------------------
  -t filter     Operate on the filter table (actually, the default) . . .
  -A FORWARD    . . . by appending the following rule to its FORWARD chain.
  -i eth0       Match packets coming in on the eth0 (inside) network interface . . .
  -p tcp        . . . and using the tcp (TCP/IP) protocol
  --dport 80    . . . and intended for port 80 on the (outside) destination host.
  -j ACCEPT     Accept the packet for forwarding.


7.4.1.2 A Masquerading example

The
previous section's packet filtering example
doesn't make the best use of iptables' functionality. If
you have a dynamic IP address on your Internet interface,
you'd be better off using Masquerading (see Chapter 9 for more on Masquerading):

iptables -t nat -P POSTROUTING DROP
iptables -t nat -A POSTROUTING -o eth1 -p tcp --dport 80 -j MASQUERADE


7.4.1.3 A network translation example

This command could be used on a firewall
to forward incoming HTTP traffic to a web server on the internal
network (see Chapter 9 for more on Network
Address Translation):

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.3:8080

Table 7-2 shows what this sample iptables command means.

Table 7-2. Decomposed example iptables command arguments

  Component                          Description
  ---------------------------------  -----------------------------------------------------------
  -t nat                             Operate on the nat (Network Address Translation) table . . .
  -A PREROUTING                      . . . by appending the following rule to its PREROUTING chain.
  -i eth1                            Match packets coming in on the eth1 network interface . . .
  -p tcp                             . . . and using the tcp (TCP/IP) protocol
  --dport 80                         . . . and intended for local port 80.
  -j DNAT                            Jump to the DNAT (Destination Network Address Translation) target . . .
  --to-destination 192.168.1.3:8080  . . . and change the destination address to 192.168.1.3 and the
                                     destination port to 8080.
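The table/chain/rule model described at the start of this section, and the packet-filtering and DNAT examples above, can be illustrated by walking sample packets through a small model of chain evaluation. This is an added example, not code from the book or from the netfilter project: the Packet and Rule classes and the sample addresses are constructed here, and the model covers only the -i, -p, --sport and --dport matches the page uses.

```python
# Added example: a minimal model of how an iptables chain is evaluated.
# Rules are tried in order, the first match decides the target, and the
# chain's default policy (-P) applies when no rule matches.
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    in_if: str   # interface the packet arrived on (-i)
    proto: str   # "tcp" or "udp" (-p)
    sport: int   # source port (--sport)
    dport: int   # destination port (--dport)
    dst: str     # destination address

@dataclass(frozen=True)
class Rule:
    match: dict  # attribute -> required value, e.g. {"in_if": "eth0", "dport": 80}
    target: str  # ACCEPT, DROP or DNAT
    to: str = "" # DNAT --to-destination "addr:port"

def rule_matches(rule, pkt):
    """All match components must hold, like combining -i, -p and --dport."""
    return all(getattr(pkt, attr) == want for attr, want in rule.match.items())

def run_chain(rules, policy, pkt):
    """Walk the chain in order and return (verdict, possibly rewritten packet)."""
    for rule in rules:
        if rule_matches(rule, pkt):
            if rule.target == "DNAT":
                addr, port = rule.to.rsplit(":", 1)
                return "DNAT", replace(pkt, dst=addr, dport=int(port))
            return rule.target, pkt
    return policy, pkt

# filter table, FORWARD chain: the page's three packet-filtering commands
FORWARD_POLICY = "DROP"
FORWARD = [
    Rule({"in_if": "eth0", "proto": "tcp", "dport": 80}, "ACCEPT"),  # outbound HTTP requests
    Rule({"in_if": "eth1", "proto": "tcp", "sport": 80}, "ACCEPT"),  # inbound HTTP responses
]
# nat table, PREROUTING chain: the page's DNAT command (built-in policy ACCEPT)
PREROUTING = [
    Rule({"in_if": "eth1", "proto": "tcp", "dport": 80}, "DNAT", to="192.168.1.3:8080"),
]

def forward_verdict(pkt):
    return run_chain(FORWARD, FORWARD_POLICY, pkt)[0]

def prerouting(pkt):
    """PREROUTING runs before the routing decision, so FORWARD sees the rewritten packet."""
    return run_chain(PREROUTING, "ACCEPT", pkt)[1]

if __name__ == "__main__":
    # constructed sample packet; 203.0.113.0/24 is documentation address space
    print(forward_verdict(Packet("eth0", "tcp", 40000, 80, "203.0.113.10")))  # ACCEPT
```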