would be FTP-data. Maximize-Reliability means to maximize the reliability of the
connection and to use lines that are as reliable as possible; good protocols that
would fit this TOS value are BOOTP and TFTP. Minimize-Delay means to minimize
the delay until the packets get all the way through to the client/server, i.e. to find
the fastest route. Good protocols that would use this are RTSP (Real Time Stream
Control Protocol) and other streaming video/radio protocols. Normal-Service would
finally mean any normal protocol that has no special needs for its transfers.
TTL match
The TTL match is used to match packets based on their TTL (Time To Live) field
in the IP header. The TTL field contains 2 bits and is decremented once every time
the packet is processed by an intermediate host between the client and the server.
If the TTL reaches 0, an ICMP type 11 code 0 (TTL equals 0 during transit) or code 1
(TTL equals 0 during reassembly) is sent back to the sender of the packet to report
the problem. This match is only used to match packets based on their TTL, not to
change anything; this is true here as well as for all other kinds of matches. To load
this match, you need to add -m ttl to the rule.
22
Chapter 3. How a rule is built
Table 3-15. TTL matches
Command:     ttl
Example:     iptables -A OUTPUT -m ttl --ttl 60
Explanation: This match option specifies which TTL value to match. It takes a numeric
             value and matches on exactly that value. There is no inversion and there
             are no other specifics to this match. If anyone has a good example of what
             this match could be used for and when, please send me an example and tell
             me what it would be good for.
Targets/Jumps
The target/jump tells the rule what to do with a packet that perfectly matches the
match section of the rule. There are a few basic targets, ACCEPT and DROP, which
we will deal with first of all targets. However, before we do that, let us have a brief
look at how a jump is done.
A jump is specified exactly like a target, except that it requires a chain within the
same table to jump to. To jump to a specific chain, that chain must already have been
created. As explained before, a chain is created with the -N command. For example,
let's say we create a chain in the filter table called tcp_packets like this: iptables -N
tcp_packets. We could then add a jump to it like this: iptables -A INPUT -p tcp -j
tcp_packets. We would then jump from the INPUT chain to the tcp_packets chain and
start traversing that chain. When, or if, we reach the end of that chain, we are dropped
back into the INPUT chain and the packet continues from the rule one step below the
one that jumped to the other chain (tcp_packets in this case). If a packet is ACCEPTed
within one of the subchains, it is automatically ACCEPTed in the superset chain as
well and will not traverse any of the superset chains any further. However, do note
that the packet will still traverse all other chains in the other tables in the normal
fashion. For more information on table and chain traversal, see the chapter "Traversing
of tables and chains".
Targets, on the other hand, specify an action to take on the packet in question. We
could for example DROP or ACCEPT the packet, depending on what we want to do.
There are also a number of other actions we may want to take, which we will describe
further on in this section. Targets may also end with different results, one could say:
some targets make the packet stop traversing the specific chain and its superset
chains, as described above. Good examples of such targets are DROP and ACCEPT.
A packet that is stopped will not pass through any of the rules further on in the chain
or in the superset chains. Other targets take an action on the packet and then let it
continue through the rest of the rules anyway; good examples of this are the LOG,
DNAT and SNAT targets. Such a packet may be logged or Network Address Translated
and then passed on to the other rules in the same chains. This is useful where we want
to take two actions on the same packet, such as mangling both the TTL and the TOS
value of a specific packet/stream. Some targets also take options that may be
mandatory (what address to NAT to, what TOS to use, etcetera), while others have
options that are not necessary but are available in any case (log prefixes, masquerade
to ports, and so on). We will try to answer all these questions as we go through the
descriptions. Let us have a look at what kinds of targets there are.
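The jump-and-return behaviour and the difference between terminating targets (ACCEPT, DROP) and non-terminating ones (LOG) described above, modelled in a small Python simulator. This is an added example, not code from the tutorial or from iptables itself; the chains, rules, the INPUT policy of DROP and the packets are all constructed.

```python
from dataclasses import dataclass

BUILTIN = ("INPUT", "OUTPUT", "FORWARD")   # chains that carry a policy

@dataclass
class Packet:           # constructed: just the fields the sample rules look at
    proto: str
    dport: int

def build_chains():
    """Constructed filter-table chains, mirroring
    'iptables -N tcp_packets' and 'iptables -A INPUT -p tcp -j tcp_packets'."""
    return {
        "INPUT": [
            (lambda p: p.proto == "tcp", "tcp_packets"),          # jump to user chain
            (lambda p: p.proto == "udp" and p.dport == 53, "ACCEPT"),
        ],
        "tcp_packets": [
            (lambda p: p.dport == 22, "LOG"),     # non-terminating: keeps traversing
            (lambda p: p.dport == 22, "ACCEPT"),  # terminating: ends traversal everywhere
            (lambda p: p.dport == 23, "DROP"),
            (lambda p: p.dport == 80, "RETURN"),  # back to INPUT, rule after the jump
        ],
    }

def traverse(chains, chain, pkt, policy, log):
    """Walk one chain. Returns 'ACCEPT'/'DROP', or None when a user chain
    ends or hits RETURN so the calling chain continues with its next rule."""
    for matches, target in chains[chain]:
        if not matches(pkt):
            continue
        if target in ("ACCEPT", "DROP"):
            return target                      # stop: no further rules in any superset chain
        if target == "LOG":
            log.append(f"{chain}: {pkt.proto}/{pkt.dport}")
            continue                           # fall through to the next rule
        if target == "RETURN":
            break
        verdict = traverse(chains, target, pkt, policy, log)   # any other name is a jump
        if verdict is not None:
            return verdict                     # verdict in the subchain settles the packet
    # End of a built-in chain applies its policy; end of a user chain returns to caller.
    return policy if chain in BUILTIN else None

def filter_input(pkt, policy="DROP"):
    """Verdict for a locally destined packet plus the LOG entries it produced."""
    log = []
    return traverse(build_chains(), "INPUT", pkt, policy, log), log

if __name__ == "__main__":
    for pkt in (Packet("tcp", 22), Packet("tcp", 80), Packet("udp", 123)):
        print(pkt, "->", filter_input(pkt))
```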
ACCEPT target
DROP target
Table 3-16. DROP target
QUEUE target
Table 3-17. QUEUE target
RETURN target
Table 3-18. RETURN target
LOG target
Table 3-19. LOG target
MARK target
Table 3-20. MARK target
REJECT target
Table 3-21. REJECT target
TOS target
Table 3-22. TOS target
MIRROR target
Table 3-23. MIRROR target
SNAT target
Table 3-24. SNAT target
DNAT target
Table 3-25. DNAT target
MASQUERADE target
Table 3-26. MASQUERADE target
REDIRECT target
Table 3-27. REDIRECT target
TTL target
Table 3-28. TTL target
ULOG target
Table 3-29. ULOG target
Chapter 4. Traversing of tables and chains
This chapter will discuss how packets traverse the different chains and in which
order, and also in which order the tables are traversed. This is extremely valuable
information later on, when you write your own specific rules. We will also look at
the points where certain other kernel-dependent parts come into the picture; by this
we mainly mean the different routing decisions and so on. This is especially necessary
if you want to write rules with iptables that could change how different packets get
routed; good examples of this are DNAT and SNAT and of course the TOS bits.
General
When a packet first enters the firewall, it hits the hardware and then gets passed
on to the proper device driver in the kernel. The packet then goes through a series
of steps in the kernel before it is either delivered to the correct local application,
forwarded to another host, or whatever else happens to it. In this example, we're
assuming that the packet is destined for another host on another network. The packet
goes through the different steps in the following fashion:
Table 4-1. Forwarded packets
Step  Table   Chain        Comment
1                          On the wire (i.e., the Internet).
2                          Comes in on the interface (i.e., eth0).
3     mangle  PREROUTING   This chain is normally used for mangling packets, i.e.
                           changing TOS and so on.
4     nat     PREROUTING   This chain is used mainly for Destination Network Address
                           Translation. Source Network Address Translation is done
                           further on. Avoid filtering in this chain, since it will be
                           passed through in certain cases.
5                          Routing decision, i.e. is the packet destined for our
                           localhost or to be forwarded, and where.
6     filter  FORWARD      The packet got routed onto the FORWARD chain. Only forwarded
                           packets go through here, and we do all the filtering here.
                           Note that all traffic that's forwarded goes here, so you need
                           to think about it when writing your ruleset.
7     nat     POSTROUTING  This chain should first and foremost be used for Source
                           Network Address