Iptables Tutorial 1.1.9
Oskar Andreasson
blueflux@koffein.net
Copyright © 2001 by Oskar Andreasson
Permission is granted to copy, distribute and/or modify this document under the terms of the
GNU Free Documentation License, Version 1.1; with the Invariant Sections being
"Introduction" and all sub-sections, with the Front-Cover Texts being "Original Author: Oskar
Andreasson", and with no Back-Cover Texts. A copy of the license is included in the section
entitled "GNU Free Documentation License".
All scripts in this tutorial are covered by the GNU General Public License. The scripts are free
source; you can redistribute them and/or modify them under the terms of the GNU General
Public License as published by the Free Software Foundation, version 2 of the License.
These scripts are distributed in the hope that they will be useful, but WITHOUT ANY
WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License within this tutorial, under
the section entitled "GNU General Public License"; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Table of Contents
Introduction
Why this document was written
How it was written
About the author
Dedications
Preparations
Where to get iptables
Kernel setup
userland setup
Compiling the userland applications
http://people.unix-fu.org/andreasson/iptables-tutorial/iptables-tutorial.html
14:33:38 27.08.2002
Installation on Red Hat 7.1
How a rule is built
Basics
Tables
Commands
Matches
Generic matches
Implicit matches
Explicit matches
Targets/Jumps
ACCEPT target
DROP target
QUEUE target
RETURN target
LOG target
MARK target
REJECT target
TOS target
MIRROR target
SNAT target
DNAT target
MASQUERADE target
REDIRECT target
TTL target
ULOG target
Traversing of tables and chains
General
Mangle table
Nat table
Filter table
rc.firewall file
example rc.firewall
explanation of rc.firewall
Configuration options
Initial loading of extra modules
proc set up
Displacement of rules to different chains
Setting up the different chains used
INPUT chain
The TCP allowed chain
The ICMP chain
The TCP chain
The UDP chain
OUTPUT chain
FORWARD chain
PREROUTING chain of the nat table
Starting the Network Address Translation
Example scripts
rc.firewall.txt script structure
The structure
rc.firewall.txt
rc.DMZ.firewall.txt
rc.DHCP.firewall.txt
rc.UTIN.firewall.txt
rc.test-iptables.txt
rc.flush-iptables.txt
Detailed explanations of special commands
Listing your active ruleset
Updating and flushing your tables
Common problems and questionmarks
Passive FTP but no DCC
State NEW packets but no SYN bit set
Internet Service Providers who use assigned IP addresses
ICMP types
Other resources and links
Acknowledgements
History
GNU Free Documentation License
0. PREAMBLE
1. APPLICABILITY AND DEFINITIONS
2. VERBATIM COPYING
3. COPYING IN QUANTITY
4. MODIFICATIONS
5. COMBINING DOCUMENTS
6. COLLECTIONS OF DOCUMENTS
7. AGGREGATION WITH INDEPENDENT WORKS
8. TRANSLATION
9. TERMINATION
10. FUTURE REVISIONS OF THIS LICENSE
How to use this License for your documents
GNU General Public License
0. Preamble
1. TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
2. How to Apply These Terms to Your New Programs
Example scripts codebase
Example rc.firewall script
Example rc.DMZ.firewall script
Example rc.UTIN.firewall script
Example rc.DHCP.firewall script
Example rc.flush-iptables script
Example rc.test-iptables script
Introduction
Why this document was written
Well, I found a big empty space in the HOWTOs out there lacking in information about the
iptables and netfilter functions in the new Linux 2.4.x kernels. Among other things, I'm going to
try to answer questions that some might have about the new possibilities like state matching. Is it
possible to allow passive FTP to your server, but not allow outgoing DCC from IRC, as an
example? I will build this all up from an example rc.firewall.txt file that you can use in your
/etc/rc.d/ scripts. Yes, this file was originally based upon the masquerading HOWTO, for
those of you who recognize it.
Also, there's a small script that I wrote just in case you screw up as much as I did during the
configuration, available as rc.flush-iptables.txt.
How it was written
I've put questions to Marc Boucher and others from the core netfilter team. A big thanks
goes out to them for their work and for their help on this tutorial, which I wrote and maintain for
boingworld.com. This document will guide you through the setup process step by step and hopefully
help you understand some more about the iptables package. I will base most of the material here on
the example rc.firewall file, since I find that example to be a good way to learn how to use
iptables. I have decided to just follow the basic chains and from there go down into each one
of the chains traversed, in due order. This tutorial has turned out a little harder to follow this
way, but at the same time it is more logical. Whenever you find something that's hard to
understand, just consult this tutorial.
About the author
I'm someone with too many old computers on my hands, sitting with my own LAN and wanting
them all to be connected to the Internet, while at the same time having it fairly secure. The new iptables
is a good upgrade from the old ipchains in this regard. Before, you could make a fairly secure
network by dropping all incoming packets not destined to certain ports, but this would be a
problem with things like passive FTP or outgoing DCC in IRC, which assign ports on the
server, tell the client about them, and then let the client connect. There were some teething problems in
the iptables code that I ran into in the beginning, and in some respects I found the code not quite
ready for release in full production. Today, I'd recommend everyone who uses ipchains or even the
older ipfwadm etc. to upgrade, unless they're happy with what their current code is capable of and
it does what they need it to.
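The contrast drawn above, between a port-based ipchains-style filter and iptables state matching, as an added shell example (not one of the tutorial's own scripts); it assumes eth0 is the Internet-facing interface, an FTP server on this host, and the 2.4-kernel module name ip_conntrack_ftp:

```shell
#!/bin/sh
# Added example, not from the tutorial. Assumptions: eth0 faces the Internet,
# an FTP server listens on port 21 on this host, and the FTP helper module
# is named ip_conntrack_ftp (2.4 kernels).
# Set DRY_RUN=1 to print the commands instead of running them (running needs root).
IPT=${IPT:-iptables}

run() {
    if [ -n "$DRY_RUN" ]; then printf '%s %s\n' "$IPT" "$*"; else "$IPT" "$@"; fi
}

# Stateless style (what the text describes for ipchains): only the FTP
# control port is open inbound. The server picks its PASV data port at
# run time, so the client's data connection hits the default DROP policy.
stateless_rules() {
    run -P INPUT DROP
    run -A INPUT -i eth0 -p tcp --dport 21 -j ACCEPT
}

# Stateful style: the ftp connection-tracking helper reads the PASV reply,
# marks the following data connection RELATED, and the generic
# ESTABLISHED,RELATED rule admits it without opening extra ports.
# IRC DCC stays blocked as long as the irc helper (ip_conntrack_irc) is not
# loaded: its data connections are NEW and fall through to DROP.
stateful_rules() {
    run -P INPUT DROP
    run -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A INPUT -i eth0 -p tcp --dport 21 -m state --state NEW -j ACCEPT
}

# Load the helper before the stateful rules take effect.
load_ftp_helper() {
    if [ -n "$DRY_RUN" ]; then echo "modprobe ip_conntrack_ftp"; else modprobe ip_conntrack_ftp; fi
}
```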
Dedications
First of all I would like to dedicate this document to my wonderful girlfriend Ninel. She has
supported me more than I can ever support her to any degree. I wish I could make you just as
happy as you make me.
Second of all, I would like to dedicate this work to all of the incredibly hard-working Linux
developers and maintainers. It is people like these who make this wonderful operating system
possible.
Preparations
This chapter is aimed at getting you started and helping you understand the role netfilter and
iptables play in Linux today. This chapter should hopefully get you set up and finished to go with