Iptables Tutorial 1.2.2
http://iptables-tutorial.frozentux.net/iptables-tutorial.html#TABLE.TC...
Iptables Tutorial 1.2.2
Oskar Andreasson
<oan@frozentux.net>
Copyright © 2001-2006 Oskar Andreasson
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free
Documentation License, Version 1.1; with the Invariant Sections being "Introduction" and all sub-sections,
with the Front-Cover Texts being "Original Author: Oskar Andreasson", and with no Back-Cover Texts. A
copy of the license is included in the section entitled "GNU Free Documentation License".
All scripts in this tutorial are covered by the GNU General Public License. The scripts are free source; you can
redistribute them and/or modify them under the terms of the GNU General Public License as published by the
Free Software Foundation, version 2 of the License.
These scripts are distributed in the hope that they will be useful, but WITHOUT ANY WARRANTY; without
even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License within this tutorial, under the section
entitled "GNU General Public License"; if not, write to the Free Software Foundation, Inc., 59 Temple Place,
Suite 330, Boston, MA 02111-1307 USA
Dedications
I would like to dedicate this document to my wonderful sister, niece and brother-in-law for giving me
inspiration and feedback. They are a source of joy and a ray of light when I have need of it. Thank you!
A special word should also be extended to Ninel for always encouraging my writing and for taking care of me
when I needed it the most. Thank you!
Second of all, I would like to dedicate this work to all of the incredibly hard working Linux developers and
maintainers. It is people like those who make this wonderful operating system possible.
Table of Contents
About the author
How to read
Prerequisites
Conventions used in this document
1. Introduction
Why this document was written
How it was written
Terms used in this document
What's next?
2. TCP/IP repetition
1 of 273
1/6/2007 12:55 PM
TCP/IP Layers
IP characteristics
IP headers
TCP characteristics
TCP headers
UDP characteristics
UDP headers
ICMP characteristics
ICMP headers
ICMP Echo Request/Reply
ICMP Destination Unreachable
Source Quench
Redirect
TTL equals 0
Parameter problem
Timestamp request/reply
Information request/reply
SCTP Characteristics
Initialization and association
Data sending and control session
Shutdown and abort
SCTP Headers
SCTP Generic header format
SCTP Common and generic headers
SCTP ABORT chunk
SCTP COOKIE ACK chunk
SCTP COOKIE ECHO chunk
SCTP DATA chunk
SCTP ERROR chunk
SCTP HEARTBEAT chunk
SCTP HEARTBEAT ACK chunk
SCTP INIT chunk
SCTP INIT ACK chunk
SCTP SACK chunk
SCTP SHUTDOWN chunk
SCTP SHUTDOWN ACK chunk
SCTP SHUTDOWN COMPLETE chunk
TCP/IP destination driven routing
What's next?
3. IP filtering introduction
What is an IP filter
IP filtering terms and expressions
How to plan an IP filter
What's next?
4. Network Address Translation Introduction
What NAT is used for and basic terms and expressions
Caveats using NAT
Example NAT machine in theory
What is needed to build a NAT machine
Placement of NAT machines
How to place proxies
The final stage of our NAT machine
What's next?
5. Preparations
Where to get iptables
Kernel setup
User-land setup
Compiling the user-land applications
Installation on Red Hat 7.1
What's next?
6. Traversing of tables and chains
General
Mangle table
Nat table
Raw table
Filter table
User specified chains
What's next?
7. The state machine
Introduction
The conntrack entries
User-land states
TCP connections
UDP connections
ICMP connections
Default connections
Untracked connections and the raw table
Complex protocols and connection tracking
What's next?
8. Saving and restoring large rule-sets
Speed considerations
Drawbacks with restore
iptables-save
iptables-restore
What's next?
9. How a rule is built
Basics of the iptables command
Tables
Commands
What's next?
10. Iptables matches
Generic matches
Implicit matches
TCP matches
UDP matches
ICMP matches
SCTP matches
Explicit matches
Addrtype match
AH/ESP match
Comment match
Connmark match
Conntrack match
Dscp match
Ecn match
Hashlimit match
Helper match
IP range match
Length match
Limit match
Mac match
Mark match
Multiport match
Owner match
Packet type match
Realm match
Recent match
State match
Tcpmss match
Tos match
Ttl match
Unclean match
What's next?
11. Iptables targets and jumps
ACCEPT target
CLASSIFY target
CLUSTERIP target
CONNMARK target
CONNSECMARK target
DNAT target
DROP target
DSCP target
ECN target
LOG target options
MARK target
MASQUERADE target
MIRROR target
NETMAP target
NFQUEUE target
NOTRACK target
QUEUE target
REDIRECT target
REJECT target
RETURN target
SAME target
SECMARK target
SNAT target
TCPMSS target
TOS target
TTL target
ULOG target
What's next?
12. Debugging your scripts
Debugging, a necessity
Bash debugging tips
System tools used for debugging
Iptables debugging
Other debugging tools
Nmap
Nessus
What's next?
13. rc.firewall file
example rc.firewall
explanation of rc.firewall
Configuration options
Initial loading of extra modules
proc set up
Displacement of rules to different chains
Setting up default policies
Setting up user specified chains in the filter table
INPUT chain
FORWARD chain
OUTPUT chain
PREROUTING chain of the nat table
Starting SNAT and the POSTROUTING chain
What's next?
14. Example scripts
rc.firewall.txt script structure
The structure
rc.firewall.txt
rc.DMZ.firewall.txt
rc.DHCP.firewall.txt
rc.UTIN.firewall.txt
rc.test-iptables.txt
rc.flush-iptables.txt
Limit-match.txt
Pid-owner.txt
Recent-match.txt
Sid-owner.txt
Ttl-inc.txt
Iptables-save ruleset
What's next?
15. Graphical User Interfaces for Iptables/netfilter
fwbuilder
Turtle Firewall Project
Integrated Secure Communications System
IPMenu
Easy Firewall Generator
What's next?
16. Commercial products based on Linux, iptables and netfilter
Ingate Firewall 1200
What's next?
A. Detailed explanations of special commands
Listing your active rule-set
Updating and flushing your tables
B. Common problems and questions
Problems loading modules
State NEW packets but no SYN bit set