导航：首页 > 网络安全 >

O'REILLY iptables 笔记

发表于：2025-01-20 作者：千家信息网编辑

千家信息网最后更新 2025年01月20日，1 introductioniptable 工作在osi 网络层和数据链路层 exampleiptables -t nat -A PREROUTING -i eth2 -p tcp --dport

千家信息网最后更新 2025年01月20日O'REILLY iptables 笔记1 introduction
iptable 工作在osi 网络层和数据链路层 example

iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.3:8080
1. 解析：
2. -t nat operate the table
3. -A PERROUTING by appending the following rule to its PREROUTING chain
4. -i eth0 match pactets coming in on the eth2 network interface
5. -p tcp use tcp protocol
6. --dport 80 intended for local port 80
7. -j DNAT jump to the DNAT target
8. --to-destination change the destination address to 192.168.1.3
9. 192.168.1.3:8080 destination port 80
iptables defines five hook points
1. PREROUTING
2. INPUT
3. FORWARD
4. POSTROUTING
5. OUTPUT
tables comes with three built-in tables
1. filter used to set polices for type of traffic allowed into through and out of the computer.unless you refer to a different table explicitly,iptables operate on chains within this table by default.its built-in chains are FORWARD INPUT OUTPUT
2. mangles used for specialized packet alteration,built-in chains are FORWARD INPUT OUTPUT POSTROUTING PEROUTING
3. nat used with connection tracking to rediect connection for network address translation;typically based on source or destination address tis built-in chain are OUTPUT,POSTROUTING PREROUTING
chains default,each table has chains ,which are initally empty,for some or all of the hook points. you can create your own custom chains to organize your rules. all user-defined chains have an implict policy of RETURN that cannot be changed.
rules
Matches
targets built-in four targets
1. ACCEPT let the packet through to the next stage of processing stop traversing the current chain,start
2. DROP
3. QUEQU send the packet ro userspace.see the libipq manpage for more information
4. From a rule in a user-defined chain, discontinue processing this chain, and resume traversing the calling chain at the rule following the one that had this chain as its target. From a rule in a built-in chain, discontinue processing the packet and apply the chain's policy to it. See the previous section "Chains" for more information about chain policies.
aplications
1. packet filtering
2. Accunting using byte packet counters assoiated with packet mataching criteria to moitor netwok traffic volumes.
3. Connection tracking
4. packet mangling
5. network address translation (NAT)
6. masquerading
7. port forwarding
8. loading balancing Load balancing involves distributing connections across a group of servers so that higher total throughput can be achieved.One way to implement so that the destination address is selected in a round-robin fashion from a list of possible destinations
configuring iptables under refer to generic and Red Hat-specific information
1. persistent rules
  1. chkconfig --list iptables
  2. chkconfig --level 345 iptables on
  3. service iptables start
2. other configure files /proc
  1. /etc/sysct1.conf contains settings for configurations in the /proc/sys directory that are applied at boot time.
  2. /proc/sys/net/ipv4/ip_conntrack_max controls the size of the connection tracking table in the kernel.default value is calculated based on the amount of RAM in your computer.you may need to increase it if you are getting "ip_conntrack:table full,dropping packet" errors in your log files
3. connection tracking
  1. ESTABLISHED the connection has already seen packets going in both direction.
  2. INVALID the packet doesn't belong to any tracked connections.
  3. NEW the packet is starting a new connection or is part of a connection that hasn't yet seen packets in both directions.
  4. RELATED the packet is starting a new connection,but the new connection is related to an existing connection (such as the data connection for an ftp transfer
  5. @ the connection tracking logic maintains threee bits of status information
    1. ASSURED for tcp connections indicates the tcp connection setup has been completed for UDP connections,indicates its looks like a udp stream to the kernel.
    2. EXPECTED indicates the connection was expected
    3. SEEN_REPLY indicates that packets have gone in both directions.
  6. ipables connection tracking logic allows plug-in modules
  7. accounting
  8. NAT
    1. NAT helper modules
      1. ip_nat_amanda Amanda backup protocol (requires CONFIG_IP_NFNAT_AMANDA kernel config)
      2. ip_nat_ftp file transfer protocol(requires CONFIG_IP_NF_NAT_FTP kernel config)
      3. ip_nat_snmp_basic simple network management protocol (requires CONFIG_IP_NF_NAT_SNMP_BASIC kernel conifig)
      4. ip_nat_tftp t rivial file transfer protocol (
    2. source NAT and Masquerading source nat is used to share a single internet connection among computers on a network.the computer attached to the internet acts as a gateway and uses
      1. iptables -t nat -A POSTROUTING to eth2 -j SNAT
      2. iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE
  9. DNAT destination NAT
    1. iptables -t nat -A PREROUTING -i eth2 -p -tcp --dport 80 -j DNAT --to--destination 192.168.1.3:8000
  10. transparent proxying
    1. if you hava an http proxy configured to run as a transparenet proxy on you firewall computer and listen on port 8888. you can add a rule to redirect outbound http traffic to the http proxy
      1. iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j redirect --to-port 8888
  11. Load distribution and balancing
  12. stateless and stateful firewalls
  13. tools of the trade
    1. ethereal network protocol analyzer
    2. Nessus Remote security scanner
    3. nmap network mapper
    4. ntop network traffic probe
    5. tcpdump packet capture and dumping
    6. traceroute print the route packets take to a specific host
  14. iptable command reference
    1. -c packet or bytes
    2. --exact synonym(同义）for -x
    3. -j target determines what to do with packets matching this rule.the target can be the name of a user-defined chain,one of the built-in targets,
    4. -M used to load an iptables module with appending inserting or replacing rules
    5. -n displays numeric addresses and ports instead of looking up and displaying domain names for the IP address and displaying service names for the port numbers this can be especially useful if your dns server is slow or down.
    6. -t table perfroms the specified subcommand on table if this option is not used.the subcommand operates on filter tables by default.
    7. -x display exact numbers for packet and byte counters,rather than the default abbreviatd format with metric suffixes(K　Ｍ　Ｇ）
  15. the iptables subcommands
    1. -A chain rule appends rule to chain
    2. --append synonym for -A
    3. -D chain deletes the rule at position index or matching
    4. -E rename chain to new chain
    5. -F flushes (deletes) all rules from chain
    6. --replace synonym for -R
  16. iptables Matches and targets
    1. internet protocol matches (encyclopedic广博的 format)
    2. ah match this match is available only if your kernel has been configured with CONFIG_IP_NF_MATCH_AH_ESP enabled
    3. connmark match based on the packets connection mark
      1. --mark match if the packets connection mark is equal to value after applying mask.
    4. CONNMARK target (注意区分大小写）
      1. --set-mark value set the packets connection mark to the integer value
      2. --save-mark save the packets mark into the connection
      3. --retore-mark restore the packets mark from the connection.
    5. DNAT target the DNAT target extension is avaiable only on the PREROUTING AND OUTPUT chain of the nat table.
    6. DRIP target
    7. dscp match use this match to identify packets with particular diffntiated services codepoint(DSCP) values in their IPV4 headers this match is available only if your kernel has been configured with CONFIG_IP_NF_MATCH_DSCP enabled.
    8. ecn match CONFIG_IP_NF_MATCH_ECN enabled
    9. esp match match IPsec protocol encapsulation headers,CONFIG_IP_NF_MATCH_AH_ESP enabled
    10. FTOS --set-ftos value Set the IP type of service field to the decimal or hex value (this target does not accept Type of Service names). See Table34 for a list of types of service
    11. helper match CONFIG_IP_NF_MATCH_HELPER
    12. icmp match --icmp-type --icmp-type
    14. iplimit match
    15. ipv4option match
    16. length match CONFIG_IP_NF_MATCH_LENGTH enable
    17. limit match CONFIG_IP_NF_MATCH_LIMIT enabled
      1. iptables -A INPUT -p icmp --icmp-type ping -m limit --limit 10/s -j ACCEPT
    18. log target CONFIG_IP_NF_TARGET enabled
      1. --log-ip-options
      2. --log-level level
      3. --log-prefix prefix
      4. --log-tcp-options
      5. --log-tcp-sequence log level refer to page 49
    19. mac match CONFIG_IP_NF_MATCH_MAC enabled
      1. --mac-source
    20. mark match CONFIG_IP_NF_MATCH_MARK enabled
    21. MASQUERADE target --to-ports CONFIG_IP_NF_TARGET_MASQUERADE
    22. multiport match CONFIG_IP_NF_MATCH_MULTIPORT enabled
    23. netlink target CONFIG_IP_NF_QUEQU
      1. iptable -A INPUT -p icmp --icmp-type ping -j NETLINK --nldrop
    24. NETMAP target CONFIG_IP_NF_TARGET An IPv4 address consists of 32 bits, divided into a network number and a host number based on the network mask. This target strips off the network number and replaces it with a different network number
      1. iptables -t nat -A RREROUTING -d 192.168.1.10/24 -j NETMAP --to 172.16.5.0/24
    25. nth match
      1. owner match CONFIG_IP_NF_MATCH_OWNER enabled
    26. pkttype match
    27. pool match
      1. --srcpool poll match if the source ip address is in pool
      2. --dstpool pool match if the destination ip address is in pool
    28. pool target
    29. psd match the match extension attempts to detect port scans by monitoring connection attempts across port numbers it calulates and maintains a port scan value statictic
    30. QUEUE target match until a quota is reached. --quota amount
    31. random match match all traffic from ip addresses that have seen recent activity of a particulrar kind,
    32. record-rpc match
    33. REDIRECT target CONFIG_IP_NF_TARGET enabled --to-ports
    34. REJECT target CONFIG_IP_NF_TARGET_REJECT enabled
    35. RETURN target
    36. ROUTE target
      1. ROUTE target
      2. SAME target
      3. SNAT target
      4. state match CONFIG_IP_NF_STATE
      5. sting match iptables -A INPUT -m string .pif -j QUEQU
      6. tcp match
      7. tcpmss match CONFIG_IP_NF_MATCH_TCPMSS enable
      8. TCPMSS target CONFIG_IP_NF_TARGET_TCPMSS
      9. time match
      10. tos match CONFIG_IP_NF_MATCH_TOS
      11. TOS target CONFIG_IP_NF_TARGET_TOS
      12. ttl match CONFIG_IP_NF_MATCH_TTL
      13. udp match
      14. ULOG target CONFIG_IP_NF_TARGET_ULOG and CONFIG_IP_NF_QUEUE enabled
      15. unclean match CONFIG_IP_NF_MATCH_UNCLEAN matches unusual or malformed ip icmp udp or tcp headers,Documentation of this match is minimal,but you could use it for logging unusual packets here are a few of the checks it perfoms
        ip packet length not less than ip header length
        various ip fragmentation checks
        noozero ip protocol number
        unused ip bits set to zero
        icmp date at least two 32 bit words long
        icmp code appropriate for icmp type
        icmp packet length approgriate for icmp type
        udp data at least as big as the minimun-size udp header.
        nozero udp destination port
        udp fragmentation integrity checks
        tcp date at least as big as the minimum-size tcp header
        tcp data offset and overall packet data length in accord
        nonzero tcp ports
        reserved tcp bits set to zero
        tcp flags match one of the patterns
        various integrity checks on any tcp option
    37. utility command reference
      1. iptables-restore
      2. iptables-save