O'REILLY iptables 笔记

  iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j DNAT  --to-destination 192.168.1.3:8080

1. 解析：

2. -t  nat    operate the table

3. -A PERROUTING     by appending the following rule to its PREROUTING chain

4. -i   eth0       match pactets coming in on the eth2 network interface

5.  -p   tcp      use tcp protocol

6. --dport 80    intended for local port 80

7. -j DNAT      jump to the DNAT target

8. --to-destination  change the destination address to 192.168.1.3

9. 192.168.1.3:8080  destination port 80

iptables defines five hook points

1. PREROUTING

2. INPUT

3. FORWARD

4. POSTROUTING

5. OUTPUT

tables   comes with three built-in tables

1. filter   used to set polices for type of traffic allowed into  through and out of the computer.unless you refer to a different table explicitly,iptables operate on chains within this table by default.its built-in chains are FORWARD INPUT OUTPUT

2. mangles used for specialized packet alteration,built-in chains are FORWARD INPUT OUTPUT POSTROUTING PEROUTING

3. nat used with connection tracking to rediect connection for network address translation;typically based on source or destination address tis built-in chain are OUTPUT,POSTROUTING PREROUTING

chains      default,each table has chains ,which are initally empty,for some or all of the hook points.  you can create your own custom chains to organize your rules. all user-defined chains have an implict policy of RETURN that cannot be changed.

rules

Matches

targets   built-in four targets

1. ACCEPT   let the packet through to the next stage of processing stop traversing the  current chain,start

2. DROP

3. QUEQU send the packet ro userspace.see the libipq manpage for more information

4. From a rule in a user-defined chain, discontinue processing this chain, and resume traversing the calling chain at the rule following the one that had this chain as its target. From a rule in a built-in chain, discontinue processing the packet and apply the chain’s policy to it. See the previous section “Chains” for more information about chain policies.

aplications

1. packet filtering

2. Accunting   using byte  packet counters assoiated with packet mataching criteria to moitor netwok traffic volumes.

3. Connection tracking

4. packet mangling

5. network address translation (NAT)

6. masquerading

7. port forwarding

8. loading balancing    Load balancing involves distributing connections across a group of servers so that higher total throughput can be achieved.One way to implement so that the destination address is selected in a round-robin fashion from a list of possible destinations

configuring iptables      under refer to generic and Red Hat-specific information

1. persistent rules  

   1. chkconfig --list iptables

   2. chkconfig --level 345 iptables on

   3. service iptables start

2. other configure files     /proc

   1. /etc/sysct1.conf       contains settings for configurations in the /proc/sys directory that are applied at boot time.

   2. /proc/sys/net/ipv4/ip_conntrack_max          controls the size of the connection tracking table in the kernel.default value is calculated  based on the amount of RAM in your computer.you may need to increase it if you are getting "ip_conntrack:table full,dropping packet" errors in your log files

3. connection tracking

   1. ESTABLISHED  the connection has already seen packets going in both direction.

   2. INVALID  the packet doesn't belong to any tracked connections.

   3. NEW   the packet is starting a new connection or is part of a connection that hasn't yet seen packets in both directions.

   4. RELATED   the packet is starting a new connection,but the new connection is related to an existing connection (such as the data connection for an ftp transfer

   5. @ the connection tracking logic maintains threee bits of status information

      1. ASSURED for tcp connections indicates the tcp connection setup has been completed for UDP connections,indicates its looks like a udp stream to the kernel.

      2. EXPECTED   indicates the connection was expected

      3. SEEN_REPLY  indicates that packets have gone in both directions.

   6. ipables connection tracking logic allows plug-in modules

   7. accounting

   8. NAT

      1. NAT helper modules

         1. ip_nat_amanda                                                                     Amanda backup protocol (requires CONFIG_IP_NFNAT_AMANDA kernel config)

         2. ip_nat_ftp                                                                                                                file transfer protocol(requires CONFIG_IP_NF_NAT_FTP kernel config)

         3. ip_nat_snmp_basic                                                                  simple network management protocol (requires CONFIG_IP_NF_NAT_SNMP_BASIC kernel conifig)

         4. ip_nat_tftp  t                                                                                         rivial file transfer protocol (                                                                          

      2. source NAT and Masquerading                                                           source nat is used to share a single internet connection among computers on a network.the computer attached to the internet acts as a gateway and uses

         1. iptables -t nat -A POSTROUTING to eth2 -j SNAT

         2. iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE

   9. DNAT  destination NAT

      1. iptables -t nat -A PREROUTING -i eth2 -p -tcp --dport 80 -j DNAT --to--destination 192.168.1.3:8000

   10. transparent proxying

       1. if you hava an http proxy configured to run as a transparenet proxy on you firewall computer and listen on port 8888. you can add a rule to redirect outbound http traffic to the http proxy

          1. iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j redirect --to-port 8888

   11. Load distribution and balancing

   12. stateless and stateful firewalls

   13. tools of the trade

       1. ethereal  network protocol analyzer

       2. Nessus  Remote security scanner

       3. nmap   network mapper

       4. ntop      network traffic probe

       5. tcpdump  packet capture and dumping

       6. traceroute   print the route packets take to a specific host

   14. iptable command reference

       1. -c    packet  or bytes

       2. --exact  synonym(同义）for -x

       3. -j    target  determines what to do with packets matching this rule.the target can be the name of a user-defined chain,one of the built-in targets,

       4. -M     used to load an iptables module with appending inserting  or replacing rules

       5. -n         displays numeric addresses and ports instead of looking up and displaying domain names for the IP address and displaying service names for the port numbers this can be especially useful if your dns server is slow or down.

       6. -t  table    perfroms the specified subcommand on table  if this option is not used.the subcommand operates on filter tables by default.

       7. -x    display exact numbers for packet and byte counters,rather than the default abbreviatd format with metric suffixes(K　Ｍ　Ｇ）

   15. the iptables subcommands

       1. -A chain rule   appends rule to chain

       2. --append synonym for -A

       3. -D chain deletes the rule at position index or matching

       4. -E rename chain to new chain

       5. -F flushes (deletes) all rules from chain

       6. --replace synonym for -R

   16. iptables Matches and targets

       1. internet protocol matches (encyclopedic广博的 format)

       2. ah match     this  match is available only if your kernel has been configured with CONFIG_IP_NF_MATCH_AH_ESP enabled

       3. connmark match     based on the packets connection mark

          1. --mark     match if the packets connection mark is equal to value after applying mask.

       4. CONNMARK target  (注意区分大小写）

          1. --set-mark value  set the packets connection mark to the integer value

          2. --save-mark  save the packets mark into the connection

          3. --retore-mark  restore the packets mark from the connection.

       5. DNAT target   the DNAT target extension is avaiable only on the PREROUTING AND OUTPUT chain of the nat table.

       6. DRIP target

       7. dscp match    use this match to identify packets with particular diffntiated services codepoint(DSCP) values in their IPV4 headers    this match is available only if your kernel has been configured with  CONFIG_IP_NF_MATCH_DSCP enabled.

       8. ecn match      CONFIG_IP_NF_MATCH_ECN enabled

       9. esp match     match IPsec protocol encapsulation headers,CONFIG_IP_NF_MATCH_AH_ESP enabled

       10. FTOS  --set-ftos value Set the IP type of service field to the decimal or hex value (this target does not accept Type of Service names). See Table34 for a list of types of service

       11. helper match  CONFIG_IP_NF_MATCH_HELPER

       12. icmp match   --icmp-type   --icmp-type

       13. 

       14. iplimit match

       15. ipv4option match

       16. length match   CONFIG_IP_NF_MATCH_LENGTH enable

       17. limit match     CONFIG_IP_NF_MATCH_LIMIT enabled

           1. iptables -A INPUT -p icmp --icmp-type ping -m limit --limit 10/s -j ACCEPT

       18. log target    CONFIG_IP_NF_TARGET enabled    

           1. --log-ip-options

           2. --log-level level

           3. --log-prefix prefix

           4. --log-tcp-options

           5. --log-tcp-sequence  log level   refer to page 49

       19. mac match   CONFIG_IP_NF_MATCH_MAC enabled

           1. --mac-source  

       20. mark match   CONFIG_IP_NF_MATCH_MARK enabled

       21. MASQUERADE target  --to-ports  CONFIG_IP_NF_TARGET_MASQUERADE

       22. multiport match  CONFIG_IP_NF_MATCH_MULTIPORT enabled

       23. netlink target   CONFIG_IP_NF_QUEQU

           1. iptable -A INPUT -p icmp --icmp-type ping -j NETLINK --nldrop

       24. NETMAP       target     CONFIG_IP_NF_TARGET      An IPv4 address consists of 32 bits, divided into a network number and a host number based on the network mask. This target strips off the network number and replaces it with a different network number

           1. iptables -t nat -A RREROUTING -d 192.168.1.10/24 -j NETMAP --to 172.16.5.0/24

       25. nth match

           1. owner match    CONFIG_IP_NF_MATCH_OWNER enabled

       26. pkttype match

       27. pool match  

           1. --srcpool poll  match if the source ip address is in pool

           2. --dstpool pool  match if the destination ip address is in pool

       28. pool target

       29. psd match      the match extension attempts to detect port scans by monitoring connection attempts across port numbers it calulates and maintains a port scan value statictic

       30. QUEUE target    match until a quota is reached.    --quota amount

       31. random match     match all traffic from ip addresses that have seen recent activity of a particulrar kind,

       32. record-rpc match

       33. REDIRECT target  CONFIG_IP_NF_TARGET enabled     --to-ports

       34. REJECT target      CONFIG_IP_NF_TARGET_REJECT enabled

       35. RETURN target  

       36. ROUTE target

           1. ROUTE target

           2. SAME target

           3. SNAT target

           4. state match  CONFIG_IP_NF_STATE

           5. sting match  iptables -A INPUT -m string .pif -j QUEQU

           6. tcp match

           7. tcpmss match   CONFIG_IP_NF_MATCH_TCPMSS enable

           8. TCPMSS target  CONFIG_IP_NF_TARGET_TCPMSS

           9. time match

           10. tos match  CONFIG_IP_NF_MATCH_TOS

           11. TOS target  CONFIG_IP_NF_TARGET_TOS

           12. ttl match     CONFIG_IP_NF_MATCH_TTL

           13. udp match  

           14. ULOG target   CONFIG_IP_NF_TARGET_ULOG and CONFIG_IP_NF_QUEUE enabled

           15. unclean match     CONFIG_IP_NF_MATCH_UNCLEAN  matches unusual or malformed ip icmp udp or tcp headers,Documentation of this match is minimal,but you could use it  for logging unusual packets here are a few of the checks it perfoms

               1. ip packet length not less than ip header length

               2. various ip fragmentation checks

               3. noozero ip protocol number

               4. unused ip bits set to zero

               5. icmp date at least two 32 bit words long

               6. icmp code appropriate for icmp type

               7. icmp packet length approgriate for icmp type

               8. udp data at least as big as the minimun-size udp header.

               9. nozero udp destination port

               10. udp fragmentation integrity checks

               11. tcp date at least as big  as the minimum-size tcp header

               12. tcp data offset and overall packet data length in accord

               13. nonzero tcp ports

               14. reserved tcp bits set to zero

               15. tcp flags match one of the patterns

               16. various integrity checks on any tcp option

       37. utility command reference

           1. iptables-restore

           2. iptables-save