Outline
- Functionality
- Architecture
- Introduction to the iptables command
- A real-life example
Netfilter Architecture

The Hooks
- A kernel module can register with netfilter to see packets at various points in the stack.
- Five hooks are defined in IPv4: PRE_ROUTING, LOCAL_IN, FORWARD, LOCAL_OUT, POST_ROUTING.
- Each hook can inspect/alter packets and return NF_DROP, NF_ACCEPT, NF_QUEUE, NF_REPEAT or NF_STOLEN.
Netfilter Hooks
- PRE_ROUTING: incoming packets pass this hook in ip_rcv(), before routing
- LOCAL_IN: all incoming packets addressed to the local host pass this hook in ip_local_deliver()
- FORWARD: all incoming packets not addressed to the local host pass this hook in ip_forward()
- LOCAL_OUT: all outgoing packets created by this local computer pass this hook in ip_build_and_send_pkt()
- POST_ROUTING: all outgoing packets (forwarded or locally created) pass this hook in ip_finish_output()
(Figure: packet path through the netfilter hooks, with the FORWARD, LOCAL_IN and LOCAL_OUT hooks labelled.)
Netfilter Functionality
- IP packet filter
- Stateful firewalling
- NAT
- Packet mangling

IP Filter rules
- Used to filter packets
- The command to enter a rule is called iptables
- The framework inside the kernel is called netfilter
- Full matching on IP, TCP, UDP and ICMP packet headers
- A rule consists of an insertion point, a match and a target
Conntrack manages individual connections and assigns incoming, outgoing and forwarded IP packets to existing connections. A new connection entry is generated as soon as the connection tracking module registers a connection-establishment packet.
This enables the NAT implementation to figure out whether an incoming packet needs a free IP address and port number, or whether one of the addresses and port numbers previously assigned can be used.
One example is FTP:
- The client initially establishes a control connection to TCP port 21 at the server, and transmits FTP commands and replies over it.
- As soon as a file has to be transmitted, the FTP server opens an additional data connection in the reverse direction, from TCP port 20 on the server to a dynamically selected client port (which the client sends to the server).
Connection tracking states
- NEW: all new connections; includes non-SYN TCP packets
- ESTABLISHED: all connections that have seen traffic in both directions
- RELATED: all connections/packets related to other connections; examples: ICMP errors, FTP-Data, DCC
- INVALID: certain invalid packets, depending on state; e.g. a FIN/ACK when no FIN was sent
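The state rules above, and the FTP data-connection case from the conntrack slide, as an added example that is not part of the original slides: a toy connection tracker that assigns NEW, ESTABLISHED, RELATED and INVALID the way the slides describe. Real netfilter conntrack also checks TCP sequence numbers, windows and timeouts (which is how it judges the "FIN/ACK when no FIN was sent" case); this model skips that and uses an impossible flag combination (SYN+FIN) as its INVALID example. The `Conntrack`, `Packet` and `active_ftp_demo` names and all hosts and ports are constructed for the example. The "NEW ! --syn" rule in the Examples section at the end relies on exactly the non-SYN pickup shown here.

```python
# Added example (not part of the original slides): a toy connection tracker that
# assigns the iptables states NEW, ESTABLISHED, RELATED and INVALID following the
# rules in the slides. Real netfilter conntrack also tracks TCP sequence numbers,
# window sizes and timeouts, which this model leaves out. All hosts and ports
# below are constructed sample values.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()  # TCP flags, e.g. frozenset({"SYN"})
    icmp_error_for: tuple = None    # (proto, src, sport, dst, dport) the ICMP error refers to


def conn_key(proto, src, sport, dst, dport):
    """One key per connection, independent of packet direction."""
    a, b = (src, sport), (dst, dport)
    return (proto,) + (a + b if a <= b else b + a)


class Conntrack:
    def __init__(self):
        self.table = {}            # conn_key -> {"orig": (src, sport), "seen_reply": bool}
        self.expectations = set()  # (proto, src, sport, dst) of connections expected to appear

    def expect(self, proto, src, sport, dst):
        """Register an expectation, e.g. after an FTP PORT command: server:20 -> client."""
        self.expectations.add((proto, src, sport, dst))

    def classify(self, pkt):
        # Flag combinations no real TCP stack produces (simplified INVALID rule).
        if pkt.proto == "tcp" and ({"SYN", "FIN"} <= pkt.flags or not pkt.flags):
            return "INVALID"
        # An ICMP error about a tracked connection is RELATED to it.
        if pkt.proto == "icmp" and pkt.icmp_error_for is not None:
            return "RELATED" if conn_key(*pkt.icmp_error_for) in self.table else "NEW"
        key = conn_key(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        conn = self.table.get(key)
        if conn is None:
            # First packet of a connection: NEW even without a SYN flag, unless an
            # expectation (FTP data, DCC) marks it as RELATED to another connection.
            self.table[key] = {"orig": (pkt.src, pkt.sport), "seen_reply": False}
            exp = (pkt.proto, pkt.src, pkt.sport, pkt.dst)
            if exp in self.expectations:
                self.expectations.discard(exp)
                return "RELATED"
            return "NEW"
        if (pkt.src, pkt.sport) != conn["orig"]:
            conn["seen_reply"] = True  # traffic now seen in both directions
        return "ESTABLISHED" if conn["seen_reply"] else "NEW"


def active_ftp_demo():
    """Classify a constructed packet sequence: an active-mode FTP session plus a
    few stray packets. Returns the list of states in order."""
    ct = Conntrack()
    client, server = "192.168.1.10", "10.0.0.5"
    seq = [
        Packet("tcp", client, 40000, server, 21, frozenset({"SYN"})),
        Packet("tcp", server, 21, client, 40000, frozenset({"SYN", "ACK"})),
        Packet("tcp", client, 40000, server, 21, frozenset({"ACK"})),
    ]
    states = [ct.classify(p) for p in seq]
    # The client sends PORT over the control connection; conntrack's FTP helper
    # then expects a data connection from server port 20 back to the client.
    ct.expect("tcp", server, 20, client)
    seq2 = [
        Packet("tcp", server, 20, client, 40001, frozenset({"SYN"})),
        Packet("tcp", client, 40001, server, 20, frozenset({"SYN", "ACK"})),
        # ICMP error from a router about the control connection.
        Packet("icmp", "10.0.0.1", 0, client, 0,
               icmp_error_for=("tcp", client, 40000, server, 21)),
        # Stray ACK with no tracked connection: picked up as NEW, not INVALID.
        Packet("tcp", "203.0.113.9", 5555, client, 22, frozenset({"ACK"})),
        # SYN+FIN together is not a legitimate segment.
        Packet("tcp", "203.0.113.9", 5556, client, 22, frozenset({"SYN", "FIN"})),
    ]
    states += [ct.classify(p) for p in seq2]
    return states
```

Note that the first reply packet (the SYN/ACK) already counts as ESTABLISHED, and that a stray ACK with no table entry is NEW rather than INVALID: that is why a rule matching "--state NEW" together with "! --syn" is needed to reject such pickups.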
NAT
- The science of switching source or destination addresses
- Netfilter NAT
- Fast NAT

Usages
- Making a LAN look as if it came from a single source (the firewall)
- Creating separate servers with a single IP

Netfilter NAT
- DNAT - Destination Network Address Translation
- SNAT - Source Network Address Translation
- Requires connection tracking to keep states and expectations
NAT Example

SNAT
## Change source addresses to 1.2.3.4.
# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4
## Change source addresses to 1.2.3.4, 1.2.3.5 or 1.2.3.6
# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4-1.2.3.6
## Change source addresses to 1.2.3.4, ports 1-1023
# iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to 1.2.3.4:1-1023

DNAT
## Change destination addresses to 5.6.7.8
# iptables -t nat -A PREROUTING -i eth0 -j DNAT --to 5.6.7.8
## Change destination addresses to 5.6.7.8, 5.6.7.9 or 5.6.7.10.
# iptables -t nat -A PREROUTING -i eth0 -j DNAT --to 5.6.7.8-5.6.7.10
## Change destination addresses of web traffic to 5.6.7.8, port 8080.
# iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth0 -j DNAT --to 5.6.7.8:8080
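What the third SNAT rule (source 1.2.3.4, ports 1-1023) does over the life of a connection, as an added example that is not part of the original slides: a toy source-NAT engine that shows why NAT needs connection tracking. The first packet of a connection is given a free external port, later packets of the same connection reuse it, and replies arriving at that port are translated back without any extra rule. The `SourceNat`, `Pkt` and `snat_demo` names are constructed for the example; the external and server addresses are the ones from the slides, the LAN hosts and ports are sample values.

```python
# Added example (not part of the original slides): a toy model of
#   iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to 1.2.3.4:1-1023
# plus the reverse translation conntrack applies to replies. Hosts and ports
# are constructed sample values.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int


class SourceNat:
    def __init__(self, ext_ip, port_lo, port_hi):
        self.ext_ip = ext_ip
        self.free_ports = list(range(port_lo, port_hi + 1))
        self.out = {}   # (src, sport, dst, dport) -> external port (original direction)
        self.back = {}  # (ext port, peer, peer port) -> (src, sport)   (reply direction)

    def postrouting(self, pkt):
        """Rewrite the source of an outgoing packet (SNAT target, POSTROUTING hook)."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self.out.get(key)
        if port is None:
            # New connection: keep the original source port if it is free and inside
            # the range (the kernel prefers that too), otherwise the lowest free port.
            if not self.free_ports:
                raise RuntimeError("SNAT port range exhausted")
            port = pkt.sport if pkt.sport in self.free_ports else self.free_ports[0]
            self.free_ports.remove(port)
            self.out[key] = port
            self.back[(port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.ext_ip, sport=port)

    def prerouting(self, pkt):
        """Undo the translation for a reply. Conntrack does this automatically for
        SNATed connections; no explicit rule is needed for the reply direction."""
        if pkt.dst != self.ext_ip:
            return pkt
        orig = self.back.get((pkt.dport, pkt.src, pkt.sport))
        return pkt if orig is None else replace(pkt, dst=orig[0], dport=orig[1])


def snat_demo():
    """Two LAN hosts reach the same web server through one external address."""
    nat = SourceNat("1.2.3.4", 1, 1023)
    a1 = nat.postrouting(Pkt("192.168.1.10", 40000, "5.6.7.8", 80))
    b1 = nat.postrouting(Pkt("192.168.1.11", 40000, "5.6.7.8", 80))
    a2 = nat.postrouting(Pkt("192.168.1.10", 40000, "5.6.7.8", 80))  # same connection
    reply_b = nat.prerouting(Pkt("5.6.7.8", 80, "1.2.3.4", b1.sport))
    return a1, b1, a2, reply_b
```

Both LAN hosts use the same local source port, so the external port is what keeps the two connections apart; without the tracked mapping the firewall could not tell which host a reply belongs to.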
Packet mangling
- Strip all IP options
- Change TOS values
- Change TTL values
- Strip ECN values
- Clamp MSS to PMTU
- Mark packets within the kernel
- Mark connections within the kernel
The filter table
- Hooks in at LOCAL_IN (INPUT), FORWARD and LOCAL_OUT (OUTPUT)
- iptable_filter hooks in at those points and passes all packets to the table
- The default table operated on by the iptables program
Matches
- Destination address: resolvable name (/etc/resolv.conf)
- Destination port: numeric or resolvable name (/etc/services), or a port range
ACCEPT
- Accepts the packet
- Ends further processing of the specific chain
- Ends processing of all previous (calling) chains
- Does not affect other main chains and tables

DROP
- Drops the packet
- No reply
- Ends all further processing

RETURN
- Returns from a chain to the calling chain
Example

INPUT
Rule1: -p ICMP -j DROP
Rule2: -p TCP -j test
Rule3: -p UDP -j DROP

test
Rule1: -s 192.168.1.1
Rule2: -d 192.168.1.1

What happens to a TCP packet with the source address 192.168.1.1 and the destination address 1.2.3.4?
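To work through that question, here is an added example that is not part of the original slides: a small model of how iptables walks a chain, implementing the ACCEPT/DROP/RETURN semantics from the target slides and the two chains above. Two details matter for the quiz: a rule without a -j target only updates counters and traversal continues, and falling off the end of a user chain returns to the rule after the jump in the calling chain, while falling off the end of a built-in chain applies the chain policy. The `Rule`, `Packet`, `walk` and `filter_packet` names and the trace format are constructed for the example, and the rules are given with lowercase protocol names.

```python
# Added example (not part of the original slides): chain traversal with the
# ACCEPT / DROP / RETURN semantics described in the slides, applied to the
# INPUT -> test quiz. The chain policy is passed in because the slide does not
# state it.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str


@dataclass(frozen=True)
class Rule:
    proto: str = None   # -p
    src: str = None     # -s
    dst: str = None     # -d
    target: str = None  # -j; None means "count only", traversal continues

    def matches(self, pkt):
        checks = ((self.proto, pkt.proto), (self.src, pkt.src), (self.dst, pkt.dst))
        return all(want is None or want == have for want, have in checks)


TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def walk(chains, chain, pkt, trace, depth=0):
    """Return the verdict of `chain` for pkt, or None when the chain falls off its end."""
    if depth > len(chains):
        raise RuntimeError("user chains form a loop")
    for i, rule in enumerate(chains[chain], 1):
        if not rule.matches(pkt):
            continue
        trace.append(f"{chain} rule {i} matched")
        if rule.target is None:
            continue                      # no -j: counters only, keep going
        if rule.target == "RETURN":
            return None                   # back to the calling chain (or policy)
        if rule.target in TERMINAL:
            return rule.target            # ends processing in this table
        verdict = walk(chains, rule.target, pkt, trace, depth + 1)   # user chain
        if verdict is not None:
            return verdict
        trace.append(f"{rule.target} returned to {chain}")
    return None


def filter_packet(chains, chain, policy, pkt):
    """Run pkt through a built-in chain; return (verdict, trace)."""
    trace = []
    verdict = walk(chains, chain, pkt, trace)
    if verdict is None:
        trace.append(f"end of {chain}, policy {policy}")
        verdict = policy
    return verdict, trace


# The two chains from the slide (protocol names lowercased).
CHAINS = {
    "INPUT": [
        Rule(proto="icmp", target="DROP"),
        Rule(proto="tcp", target="test"),
        Rule(proto="udp", target="DROP"),
    ],
    "test": [
        Rule(src="192.168.1.1"),
        Rule(dst="192.168.1.1"),
    ],
}


def quiz(policy="ACCEPT"):
    """The packet from the slide: TCP, 192.168.1.1 -> 1.2.3.4."""
    return filter_packet(CHAINS, "INPUT", policy, Packet("tcp", "192.168.1.1", "1.2.3.4"))
```

Running `quiz()` shows the packet matching INPUT rule 2, jumping to test, matching test rule 1 without a verdict, missing rule 2, returning to INPUT, missing rule 3 and finally receiving whatever policy INPUT has; swap the policy argument to see how much that default matters.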
Iptables syntax
- -L, --list [chain]: lists the rules
- -F, --flush [chain]: flushes (erases) all rules in a chain, or in a whole table
- -N, --new chain: creates a user-specified chain; there must be no target with that name previously
- -X, --delete-chain [chain]: deletes a user-created chain; no rules may reference the chain; can delete all user-created chains in a table
A real-life example

Incoming:
- ICMP echo request & reply
- identd requests
- HTTP requests

Outgoing:
- Everything generated by the host
- Except the "nonet" group

And a LAN:
- IP range 192.168.1.0/24
Examples
iptables -A INPUT -p tcp -m state --state NEW ! --syn -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp --dport 80:1024 -j DROP
iptables -A FORWARD -p tcp --dport 22:113 -j DROP
iptables -A FORWARD -p tcp --dport ftp-data:ftp -j DROP
iptables -A OUTPUT -p tcp -o eth0 -j ACCEPT
iptables -A OUTPUT -p tcp -o lo -j ACCEPT
iptables -P OUTPUT DROP