
Notes of Odyssey 39 innocence iptables

2025-04-01 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

1 Introduction

iptables works at the OSI network layer and data link layer. Example:

iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.3

Parsing:

-t nat: operate on the nat table

-A PREROUTING: append the following rule to its PREROUTING chain

-i eth2: match packets coming in on the eth2 network interface

-p tcp: match the TCP protocol

--dport 80: intended for local port 80

-j DNAT: jump to the DNAT target

--to-destination: change the destination address to 192.168.1.3

--to-destination 192.168.1.3:8080 would additionally change the destination port from 80 to 8080

iptables defines five hook points:

PREROUTING

INPUT

FORWARD

POSTROUTING

OUTPUT

iptables comes with three built-in tables:

filter: used to set policies for the type of traffic allowed into, through and out of the computer. Unless you refer to a different table explicitly, iptables operates on chains within this table by default. Its built-in chains are FORWARD, INPUT, OUTPUT.

mangle: used for specialized packet alteration. Its built-in chains are FORWARD, INPUT, OUTPUT, POSTROUTING, PREROUTING.

nat: used with connection tracking to redirect connections for network address translation, typically based on source or destination address. Its built-in chains are OUTPUT, POSTROUTING, PREROUTING.

Chains: by default, each table has chains, which are initially empty, for some or all of the hook points. You can create your own custom chains to organize your rules. All user-defined chains have an implicit policy of RETURN that cannot be changed.

Rules

Matches

Targets: four built-in targets

ACCEPT: let the packet through to the next stage of processing; stop traversing the current chain, start

DROP

QUEUE: send the packet to userspace. See the libipq manpage for more information.

RETURN: from a rule in a user-defined chain, discontinue processing this chain, and resume traversing the calling chain at the rule following the one that had this chain as its target. From a rule in a built-in chain, discontinue processing the packet and apply the chain's policy to it. See the previous section "Chains" for more information about chain policies.

Applications

Packet filtering

Accounting: using the byte and packet counters associated with packet-matching criteria to monitor network traffic volumes.

Connection tracking

Packet mangling

Network address translation (NAT)

Masquerading

Port forwarding

Load balancing: distributing connections across a group of servers so that higher total throughput can be achieved. One way to implement it is to have the destination address selected in a round-robin fashion from a list of possible destinations.

Configuring iptables: refer to generic and Red Hat-specific information.

Persistent rules

chkconfig --list iptables

chkconfig --level 345 iptables on

service iptables start

Other configuration files: /proc

/etc/sysctl.conf contains settings for configurations in the /proc/sys directory that are applied at boot time.

/proc/sys/net/ipv4/ip_conntrack_max controls the size of the connection tracking table in the kernel. The default value is calculated based on the amount of RAM in your computer. You may need to increase it if you are getting "ip_conntrack: table full, dropping packet" errors in your log files.

Connection tracking

ESTABLISHED: the connection has already seen packets going in both directions.

INVALID: the packet doesn't belong to any tracked connection.

NEW: the packet is starting a new connection or is part of a connection that hasn't yet seen packets in both directions.

RELATED: the packet is starting a new connection, but the new connection is related to an existing connection (such as the data connection for an FTP transfer).

The connection tracking logic maintains three bits of status information:

ASSURED: for TCP connections, indicates the TCP connection setup has been completed; for UDP connections, indicates it looks like a UDP stream to the kernel.

EXPECTED: indicates the connection was expected.

SEEN_REPLY: indicates that packets have gone in both directions.

iptables connection tracking logic allows plug-in modules:

Accounting

NAT

NAT helper modules

ip_nat_amanda: Amanda backup protocol (requires CONFIG_IP_NF_NAT_AMANDA kernel config)

ip_nat_ftp: File Transfer Protocol (requires CONFIG_IP_NF_NAT_FTP kernel config)

ip_nat_snmp_basic: Simple Network Management Protocol (requires CONFIG_IP_NF_NAT_SNMP_BASIC kernel config)

ip_nat_tftp: Trivial File Transfer Protocol (

Source NAT and masquerading: source NAT is used to share a single internet connection among computers on a network. The computer attached to the internet acts as a gateway and uses

iptables -t nat -A POSTROUTING -o eth2 -j SNAT --to-source PUBLIC_IP (replace PUBLIC_IP with the gateway's external address; the notes omit it, but the SNAT target requires --to-source)

iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE

DNAT: destination NAT

iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.3

Transparent proxying

If you have an HTTP proxy configured to run as a transparent proxy on your firewall computer and listening on port 8888, you can add a rule to redirect outbound HTTP traffic to the HTTP proxy:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8888
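Putting the rules of this section together, here is an added example (not part of the original notes) that emits a complete gateway ruleset in iptables-save format: the DNAT port forward, the transparent-proxy REDIRECT and MASQUERADE above, plus a stateful filter table built on the connection tracking states described earlier. The interface names, the web server address 192.168.1.3 and the proxy port 8888 are taken from the notes' examples and are assumed placeholders; the script only prints the ruleset, it does not apply it.

```shell
#!/bin/sh
# Added example, not from the original notes. Assumed placeholder values:
# WAN_IF=eth2 (internet side), LAN_IF=eth0, WEB_SERVER=192.168.1.3, PROXY_PORT=8888.
# Nothing is applied here; save the output to a file and load it with iptables-restore.
WAN_IF=${WAN_IF:-eth2}
LAN_IF=${LAN_IF:-eth0}
WEB_SERVER=${WEB_SERVER:-192.168.1.3}
PROXY_PORT=${PROXY_PORT:-8888}
gen_nat_table() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# DNAT: port-forward inbound HTTP from the WAN side to the internal web server
-A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination $WEB_SERVER
# Transparent proxy: redirect LAN clients' outbound HTTP to the local proxy port
-A PREROUTING -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-port $PROXY_PORT
# Source NAT for a dynamic WAN address (MASQUERADE needs no --to-source)
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}
gen_filter_table() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Stateful filtering with the conntrack states ESTABLISHED, RELATED, INVALID, NEW
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i lo -j ACCEPT
# Rate-limited ping: accept up to 10/s, log (also rate-limited) and drop the rest
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 10/s -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/min -j LOG --log-prefix "ping-flood: "
-A INPUT -p icmp --icmp-type echo-request -j DROP
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT
# Only the DNATed web traffic may enter the LAN from the WAN side as a NEW connection
-A FORWARD -i $WAN_IF -o $LAN_IF -d $WEB_SERVER -p tcp --dport 80 -m state --state NEW -j ACCEPT
COMMIT
EOF
}
gen_ruleset() { gen_nat_table; gen_filter_table; }
rule_count() { gen_ruleset | grep -c -- '^-A'; }   # number of -A rules emitted
gen_ruleset
```

Run as `sh gen-rules.sh > rules.v4` and review the file before `iptables-restore < rules.v4`; the chain policies default INPUT and FORWARD to DROP, so anything not explicitly accepted is blocked.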

Load distribution and balancing

Stateless and stateful firewalls

Tools of the trade

Ethereal network protocol analyzer

Nessus Remote security scanner

Nmap network mapper

Ntop network traffic probe

Tcpdump packet capture and dumping

Traceroute print the route packets take to a specific host

iptables command reference

-c packets bytes: set the packet and byte counters of the rule

--exact: synonym for -x

-j target: determines what to do with packets matching this rule. The target can be the name of a user-defined chain or one of the built-in targets.

-M: used to load an iptables module when appending, inserting or replacing rules

-n: displays numeric addresses and ports instead of looking up and displaying domain names for the IP addresses and service names for the port numbers. This can be especially useful if your DNS server is slow or down.

-t table: performs the specified subcommand on table. If this option is not used, the subcommand operates on the filter table by default.

-x: display exact numbers for packet and byte counters, rather than the default abbreviated format with metric suffixes (K, M, G).

The iptables subcommands

-A chain rule: appends rule to chain

--append: synonym for -A

-D chain index|rule: deletes the rule at position index or the rule matching rule

-E chain new-chain: renames chain to new-chain

-F chain: flushes (deletes) all rules from chain

--replace: synonym for -R

iptables matches and targets

Internet protocol matches (in the encyclopedic, extensive format)

ah match: this match is available only if your kernel has been configured with CONFIG_IP_NF_MATCH_AH_ESP enabled

connmark match: based on the packet's connection mark

--mark value[/mask]: match if the packet's connection mark is equal to value after applying mask.

CONNMARK target (pay attention to case sensitivity)

--set-mark value: set the packet's connection mark to the integer value

--save-mark: save the packet's mark into the connection

--restore-mark: restore the packet's mark from the connection.

DNAT target: the DNAT target extension is available only on the PREROUTING and OUTPUT chains of the nat table.

DROP target

dscp match: use this match to identify packets with particular Differentiated Services Code Point (DSCP) values in their IPv4 headers. This match is available only if your kernel has been configured with CONFIG_IP_NF_MATCH_DSCP enabled.

ecn match (requires CONFIG_IP_NF_MATCH_ECN enabled)

esp match: match IPsec protocol encapsulation headers (requires CONFIG_IP_NF_MATCH_AH_ESP enabled)

FTOS target --set-ftos value: set the IP type of service field to the decimal or hex value (this target does not accept Type of Service names). See Table 34 for a list of types of service.

helper match (requires CONFIG_IP_NF_MATCH_HELPER)

icmp match --icmp-type type

iplimit match

ipv4option match

length match (requires CONFIG_IP_NF_MATCH_LENGTH enabled)

limit match (requires CONFIG_IP_NF_MATCH_LIMIT enabled)

iptables -A INPUT -p icmp --icmp-type ping -m limit --limit 10/s -j ACCEPT

LOG target (CONFIG_IP_NF_TARGET enabled)

--log-ip-options

--log-level level

--log-prefix prefix

--log-tcp-options

--log-tcp-sequence (for log levels refer to page 49)

mac match (requires CONFIG_IP_NF_MATCH_MAC enabled)

--mac-source

mark match (requires CONFIG_IP_NF_MATCH_MARK enabled)

MASQUERADE target --to-ports (requires CONFIG_IP_NF_TARGET_MASQUERADE)

multiport match (requires CONFIG_IP_NF_MATCH_MULTIPORT enabled)

NETLINK target (requires CONFIG_IP_NF_QUEUE)

iptables -A INPUT -p icmp --icmp-type ping -j NETLINK --nldrop

NETMAP target (CONFIG_IP_NF_TARGET): an IPv4 address consists of 32 bits, divided into a network number and a host number based on the network mask. This target strips off the network number and replaces it with a different network number.

iptables -t nat -A PREROUTING -d 192.168.1.0/24 -j NETMAP --to 172.16.5.0/24

nth match

owner match (requires CONFIG_IP_NF_MATCH_OWNER enabled)

pkttype match

pool match

--srcpool pool: match if the source IP address is in pool

--dstpool pool: match if the destination IP address is in pool

POOL target

psd match: this match extension attempts to detect port scans by monitoring connection attempts across port numbers. It calculates and maintains a port scan value statistic.

quota match: matches until a quota is reached. --quota amount

random match; recent match: match all traffic from IP addresses that have seen recent activity of a particular kind

record-rpc match

REDIRECT target --to-ports (CONFIG_IP_NF_TARGET enabled)

REJECT target (requires CONFIG_IP_NF_TARGET_REJECT enabled)

RETURN target

ROUTE target

SAME target

SNAT target

state match (requires CONFIG_IP_NF_STATE)

string match: iptables -A INPUT -m string --algo bm --string '.PIF' -j QUEUE

tcp match

tcpmss match (requires CONFIG_IP_NF_MATCH_TCPMSS enabled)

TCPMSS target (requires CONFIG_IP_NF_TARGET_TCPMSS)

time match

tos match (requires CONFIG_IP_NF_MATCH_TOS)

TOS target (requires CONFIG_IP_NF_TARGET_TOS)

ttl match (requires CONFIG_IP_NF_MATCH_TTL)

udp match

ULOG target (requires CONFIG_IP_NF_TARGET_ULOG and CONFIG_IP_NF_QUEUE enabled)

unclean match (CONFIG_IP_NF_MATCH_UNCLEAN): matches unusual or malformed IP, ICMP, UDP or TCP headers. Documentation of this match is minimal, but you could use it for logging unusual packets. Here are a few of the checks it performs:

IP packet length not less than IP header length

Various IP fragmentation checks

Nonzero IP protocol number

Unused IP bits set to zero

ICMP data at least two 32-bit words long

ICMP code appropriate for ICMP type

ICMP packet length appropriate for ICMP type

UDP data at least as big as the minimum-size UDP header

Nonzero UDP destination port

UDP fragmentation integrity checks

TCP data at least as big as the minimum-size TCP header

TCP data offset and overall packet data length in accord

Nonzero TCP ports

Reserved TCP bits set to zero

TCP flags match one of the valid patterns

Various integrity checks on any TCP option

Utility command reference

iptables-restore

iptables-save
