2.1. Where to get iptables
The iptables package can be downloaded from the Netfilter project home page. In addition, the kernel of your Linux system must be configured appropriately for iptables to work. Configuring the kernel is discussed below.
2.2. Configuring the kernel
To get the basic capabilities of iptables, the following options must be enabled in the kernel using make config or one of its equivalents (make menuconfig or make xconfig):
CONFIG_PACKET – this option is required by applications that work directly with network devices, such as tcpdump and snort.
Strictly speaking, CONFIG_PACKET is not required for iptables to work, but since it is used so often I have included it in the list. If you do not need this option, you need not enable it.
CONFIG_NETFILTER – this option is required if you are going to use your computer as a firewall or as a gateway to the Internet. In other words, you definitely need it; otherwise, why would you be reading this guide?
And of course you need to add the drivers for your devices, i.e. for your Ethernet card and your PPP and SLIP interfaces. The options above provide only the basic framework of iptables; to use its more advanced features, some additional kernel options must be enabled. Below is a list of the options available in kernel 2.4.9 with a brief description of each:
CONFIG_IP_NF_CONNTRACK – connection tracking. Connection tracking is used, among other things, by NAT and masquerading. If you are going to build a firewall for your LAN, you definitely need this option. For example, this module is required by the rc.firewall.txt script.
CONFIG_IP_NF_FTP – FTP connection tracking. FTP traffic is too involved for the ordinary connection-tracking method to follow. If you do not add this module as well, you will run into difficulties passing the FTP protocol through the firewall.
CONFIG_IP_NF_IPTABLES – this option is required for filtering, network address translation (NAT) and masquerading. Without it you will not be able to do anything at all with iptables.
CONFIG_IP_NF_MATCH_LIMIT – this module is optional, but it is used in the rc.firewall.txt example. It makes it possible to limit how often a rule matches. For example, -m limit --limit 3/minute means that the rule may match no more than 3 packets per minute. This module can therefore be used as protection against denial-of-service attacks.
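To show what "no more than 3 packets per minute" actually means, here is a small token-bucket model of the limit match. It is an added example, not code from the tutorial or from the Netfilter project: the kernel keeps a credit counter that is refilled at the average rate, capped at the burst size (the --limit-burst option, default 5), and each matching packet spends one credit. The arrival times are constructed.

```python
"""Token-bucket model of the iptables limit match (-m limit --limit N/unit).

Added example; not code from the tutorial.  It re-creates the kernel's
behaviour (credits refilled at the average rate, capped at the burst size,
one credit spent per matching packet) in simplified form.
"""


class LimitMatch:
    """Model of `-m limit --limit <spec> --limit-burst <burst>`."""

    UNITS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}

    def __init__(self, spec, burst=5):
        # 5 is the iptables default for --limit-burst
        self.rate_per_second = self.parse_rate(spec)
        self.burst = burst
        self.credits = float(burst)   # the bucket starts full
        self.last_time = 0.0

    @classmethod
    def parse_rate(cls, spec):
        """Parse '3/minute' (or '10/second', '1/hour', ...) into packets per second."""
        count, _, unit = spec.partition("/")
        unit = unit or "second"          # a bare number means per second
        for name, seconds in cls.UNITS.items():
            if name.startswith(unit):    # iptables accepts abbreviations such as 'min'
                return float(count) / seconds
        raise ValueError(f"unknown limit unit: {unit!r}")

    def matches(self, now):
        """Return True if a packet arriving at time `now` (seconds) matches the rule."""
        elapsed = now - self.last_time
        self.last_time = now
        self.credits = min(self.burst, self.credits + elapsed * self.rate_per_second)
        if self.credits >= 1.0:
            self.credits -= 1.0
            return True
        return False


def simulate(spec, arrival_times, burst=5):
    """Apply one limit rule to a sequence of packet arrival times; True = matched."""
    rule = LimitMatch(spec, burst)
    return [rule.matches(t) for t in arrival_times]


if __name__ == "__main__":
    # Constructed burst: 8 packets in 8 seconds, then one more after a 20-second pause.
    times = [0, 1, 2, 3, 4, 5, 6, 7, 27]
    for t, ok in zip(times, simulate("3/minute", times)):
        print(f"t={t:>2}s  {'match' if ok else 'no match (limit exceeded)'}")
```

With the default burst of 5, the first five packets of a flood match immediately and after that only one packet every 20 seconds does, which is why the match is usually paired with LOG: a flood then produces a handful of log lines instead of filling syslog.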
CONFIG_IP_NF_MATCH_MAC – this module allows you to create rules based on MAC addresses. As you know, every network interface card has its own unique Ethernet address, so it is possible to block incoming packets from specific MAC addresses (i.e. from specific network cards). Note, however, that this module is not used in rc.firewall.txt or anywhere else in this guide.
CONFIG_IP_NF_MATCH_MARK – the MARK match. For example, using the MARK target we can mark the packets we are interested in and then, in other tables, decide how to route a marked packet depending on the value of its mark. The MARK target is described in more detail later in this document.
CONFIG_IP_NF_MATCH_MULTIPORT – this module allows you to build rules that match packets against a range of source or destination port numbers.
CONFIG_IP_NF_MATCH_TOS – this module allows you to create rules based on the TOS field of the packet. TOS stands for Type Of Service. It is also possible to set or clear the bits of this field with your own rules in the mangle table or with the ip/tc commands.
CONFIG_IP_NF_MATCH_TCPMSS – this option adds the ability to match TCP packets on their MSS field.
CONFIG_IP_NF_MATCH_STATE – one of the biggest improvements over ipchains. This module makes it possible to handle packets based on their connection state. For example, if we have an established TCP connection with traffic in both directions, then a packet received on that connection will be in state ESTABLISHED (connection established – ed. note). This feature is used extensively in the rc.firewall.txt example.
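The following added example models the two states the paragraph describes, NEW and ESTABLISHED, and applies the policy a LAN firewall typically builds on them: accept anything ESTABLISHED, accept NEW only from the LAN side. It is not code from the tutorial or from Netfilter; the hosts, ports and the policy are constructed, and RELATED and INVALID are left out to keep the model short.

```python
"""Minimal model of the connection states seen by -m state (NEW / ESTABLISHED).

Added example, not code from the tutorial or from the Netfilter project.
Hosts, ports and the policy are constructed.
"""
from collections import namedtuple

Packet = namedtuple("Packet", "proto src sport dst dport")


class ConnTracker:
    """Tracks connections by 5-tuple, independent of direction."""

    def __init__(self):
        self.table = {}   # key -> {"orig": 5-tuple of the first packet, "replied": bool}

    @staticmethod
    def _tuples(p):
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        return fwd, frozenset((fwd, rev))   # same key whichever way the packet travels

    def state_of(self, p):
        """NEW: first packet of a connection, or further packets in the original
        direction before any reply; ESTABLISHED: traffic has been seen both ways."""
        fwd, key = self._tuples(p)
        entry = self.table.get(key)
        if entry is None:
            return "NEW"
        if fwd != entry["orig"] or entry["replied"]:
            return "ESTABLISHED"
        return "NEW"

    def confirm(self, p):
        """Commit the packet to the table.  The kernel confirms an entry only for
        packets that survive the filter, so a dropped packet leaves no state behind."""
        fwd, key = self._tuples(p)
        entry = self.table.setdefault(key, {"orig": fwd, "replied": False})
        if fwd != entry["orig"]:
            entry["replied"] = True


def decide(ct, packet, from_lan):
    """Policy in the spirit of rc.firewall.txt: ESTABLISHED traffic is accepted,
    NEW connections are accepted only when they originate on the LAN side."""
    state = ct.state_of(packet)
    if state == "ESTABLISHED" or (state == "NEW" and from_lan):
        verdict = "ACCEPT"
    else:
        verdict = "DROP"
    if verdict == "ACCEPT":
        ct.confirm(packet)
    return state, verdict


def run_sample():
    """Constructed traffic: a LAN browser session and an unsolicited inbound SSH probe."""
    ct = ConnTracker()
    lan, web, stranger = "192.168.0.2", "203.0.113.10", "198.51.100.7"
    traffic = [
        (Packet("tcp", lan, 40000, web, 80), True),        # SYN from the LAN
        (Packet("tcp", web, 80, lan, 40000), False),       # reply from the web server
        (Packet("tcp", lan, 40000, web, 80), True),        # more data from the LAN
        (Packet("tcp", stranger, 12345, lan, 22), False),  # unsolicited from outside
        (Packet("tcp", stranger, 12345, lan, 22), False),  # retry: still no state
    ]
    return [decide(ct, p, from_lan) for p, from_lan in traffic]


if __name__ == "__main__":
    for state, verdict in run_sample():
        print(f"{state:<12} -> {verdict}")
```

The point the model makes is that the outside probe never becomes ESTABLISHED: because its first packet is dropped, no entry is confirmed, and every retry is classified NEW again.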
CONFIG_IP_NF_MATCH_UNCLEAN – this module implements additional checking of IP, TCP, UDP and ICMP packets for inconsistencies, “oddities” and errors. With its help we can “cut off” such packets. Note, however, that this module is still experimental and does not behave the same way in all cases, so we can never be sure that we are not dropping perfectly valid packets.
CONFIG_IP_NF_MATCH_OWNER – matching on the “owner” of the connection (socket). For example, we can allow only the root user to browse the Internet. This module was written as an example of working with iptables. Note that it is experimental and may not always perform its function.
CONFIG_IP_NF_FILTER – the basic filter table, in which the actual filtering is done. This table contains the INPUT, FORWARD and OUTPUT chains. This module is required if you plan to do packet filtering.
CONFIG_IP_NF_TARGET_REJECT – adds the REJECT action, which sends an ICMP error message in response to an incoming packet matched by the rule. Note that TCP connections, unlike UDP and ICMP, are always terminated or refused with a TCP RST packet.
CONFIG_IP_NF_TARGET_MIRROR – the ability to send a packet back to its sender (reflection). For example, if we assign the MIRROR action to packets going to the HTTP port in our INPUT chain (i.e. on our web server), then the packets will be sent back (reflected) and, as a result, the sender will see his own home page. (There are a few solid “ifs” here: if the sender has a web server running on the same port, if the sender has a home page, and so on. The essence is that, from the sender's point of view, it looks as if he sent the packet to his own machine; put simply, MIRROR swaps the source and destination addresses and sends the modified packet back into the network.)
CONFIG_IP_NF_NAT – network address translation in its various forms. With this option you can give Internet access to all computers on your local network while having only one unique IP address. This option is required for the rc.firewall.txt example.
CONFIG_IP_NF_TARGET_MASQUERADE – masquerading. Unlike NAT, masquerading is used when our IP address on the Internet is not known in advance, i.e. with DHCP, PPP, SLIP or any other connection method that assigns an IP address dynamically. Masquerading puts a slightly higher load on your computer than NAT, but it works in situations where the external IP address cannot be specified in advance.
CONFIG_IP_NF_TARGET_REDIRECT – redirection. Typically this is used together with proxying. Instead of simply passing a packet on, it forwards the packet to another port on the firewall (the proxy server). In other words, this is how we can do “transparent proxying”.
CONFIG_IP_NF_TARGET_LOG – adds the LOG action to iptables. We can use this module to record individual packets in the system log (syslog). This can be very useful when debugging your scripts.
CONFIG_IP_NF_TARGET_TCPMSS – this option can be used to overcome the limitations of some ISPs (Internet Service Providers) that block ICMP Fragmentation Needed packets. As a result of such restrictions, web pages may not get through from the provider's servers, ssh may work while scp dies right after the connection is set up, etc. To overcome this we can use TCPMSS to limit the MSS (Maximum Segment Size) value (typically the MSS is limited to the MTU of the outgoing interface minus 40 bytes). This gives us a way to cope with what the authors of Netfilter call “criminally braindead ISPs or servers” in the kernel configuration help.
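The "MTU minus 40 bytes" rule is easiest to see on the option bytes of a SYN. The following added example (not code from the tutorial or from Netfilter) parses the TCP option list, finds the MSS option and lowers it to mtu-40 when it is larger, which is what the TCPMSS target does on the way out; the real target also recomputes the TCP checksum, which is left out here. The SYN option block is constructed.

```python
"""Clamping the MSS option of a TCP SYN, as the TCPMSS target does.

Added example, not code from the tutorial or from Netfilter.  It rewrites the
option bytes only; the real target also recomputes the TCP checksum.
"""
import struct

OPT_EOL, OPT_NOP, OPT_MSS = 0, 1, 2
IP_PLUS_TCP_HEADERS = 40   # 20-byte IPv4 header + 20-byte TCP header, hence "MTU minus 40"


def parse_tcp_options(opts):
    """Return [(kind, value_bytes, offset)] for the variable-length options;
    EOL ends the list and NOP is a one-byte filler."""
    parsed, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated TCP option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad TCP option length")
        parsed.append((kind, opts[i + 2:i + length], i))
        i += length
    return parsed


def clamp_mss(opts, mtu):
    """Reduce the MSS option to mtu-40 if it is larger.  Returns
    (new_options, mss_after_clamping); mss is None when no MSS option is present."""
    max_mss = mtu - IP_PLUS_TCP_HEADERS
    for kind, value, off in parse_tcp_options(opts):
        if kind == OPT_MSS and len(value) == 2:
            mss = struct.unpack("!H", value)[0]
            if mss > max_mss:
                patched = opts[:off + 2] + struct.pack("!H", max_mss) + opts[off + 4:]
                return patched, max_mss
            return opts, mss
    return opts, None


# Constructed option block of a typical Linux SYN: MSS 1460, SACK-permitted,
# timestamps, NOP, window scale 7.
SYN_OPTIONS = (
    bytes([OPT_MSS, 4]) + struct.pack("!H", 1460)
    + bytes([4, 2])                                  # SACK permitted
    + bytes([8, 10]) + struct.pack("!II", 1, 0)      # timestamps TSval/TSecr
    + bytes([OPT_NOP])
    + bytes([3, 3, 7])                               # window scale
)

if __name__ == "__main__":
    for mtu in (1500, 1492):   # plain Ethernet vs. PPPoE
        _, mss = clamp_mss(SYN_OPTIONS, mtu)
        print(f"MTU {mtu}: MSS after clamping = {mss}")
```

On a 1500-byte Ethernet link the SYN's MSS of 1460 is already MTU-40 and is left alone; on a 1492-byte PPPoE link it is lowered to 1452, so the peer never sends a segment that would need the blocked ICMP Fragmentation Needed message.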
CONFIG_IP_NF_COMPAT_IPCHAINS – adds compatibility with the older ipchains technology. It is possible that this kind of compatibility will be maintained in the 2.6.x kernel series.
CONFIG_IP_NF_COMPAT_IPFWADM – adds compatibility with ipfwadm, even though this is a very old tool for building firewalls.
As you can see, I have given only a brief description of each module. These options are available in kernel version 2.4.9. If you need additional features, I advise you to look at the patch-o-matic extension, which adds a number of extra features to Netfilter. Patch-o-matic is a collection of add-ons that are expected to be integrated into the kernel in the future.
For the rc.firewall.txt script you will need to build the following options into the kernel or as loadable modules. For the options required by the other scripts, refer to the appendix with the example scripts.
Above is the list of the minimum kernel options required for the rc.firewall.txt script; the lists of options needed for the other example scripts can be found in the relevant sections below. Now let us concentrate on the main script and begin studying it.
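Before running any of the example scripts it is worth checking the kernel's .config against the options it needs. The following added example (not part of the tutorial) parses the .config format, i.e. CONFIG_X=y, CONFIG_X=m and the "# CONFIG_X is not set" form, and reports each required option as built-in, module or missing. The option list is constructed from what the descriptions above say rc.firewall.txt requires or uses plus the framework options; it is not the script's own requirement list, which you should take from the tutorial. SAMPLE_CONFIG is a constructed fragment.

```python
"""Check a kernel .config for the Netfilter options a firewall script needs.

Added example, not part of the tutorial.  REQUIRED_FOR_RC_FIREWALL is
constructed from the option descriptions above, not taken from the script.
"""
import re

REQUIRED_FOR_RC_FIREWALL = [
    "CONFIG_NETFILTER",
    "CONFIG_IP_NF_IPTABLES",
    "CONFIG_IP_NF_FILTER",
    "CONFIG_IP_NF_CONNTRACK",
    "CONFIG_IP_NF_MATCH_LIMIT",
    "CONFIG_IP_NF_MATCH_STATE",
    "CONFIG_IP_NF_NAT",
]

# 'CONFIG_X=y', 'CONFIG_X=m', 'CONFIG_X="str"' or the disabled form '# CONFIG_X is not set'
_CONFIG_LINE = re.compile(r"^(?:(CONFIG_\w+)=(.*)|# (CONFIG_\w+) is not set)$")


def parse_kconfig(text):
    """Map each CONFIG_* symbol to its value; '# ... is not set' lines map to 'n'."""
    symbols = {}
    for raw in text.splitlines():
        m = _CONFIG_LINE.match(raw.strip())
        if not m:
            continue            # blank lines and section comments
        if m.group(1):
            symbols[m.group(1)] = m.group(2).strip().strip('"')
        else:
            symbols[m.group(3)] = "n"
    return symbols


def check_options(config_text, required=REQUIRED_FOR_RC_FIREWALL):
    """Return {symbol: 'built-in' | 'module' | 'missing'}.  A symbol that is
    '# not set' and one absent from the file entirely both count as missing."""
    symbols = parse_kconfig(config_text)
    status = {}
    for sym in required:
        value = symbols.get(sym, "n")
        status[sym] = {"y": "built-in", "m": "module"}.get(value, "missing")
    return status


def missing_options(config_text, required=REQUIRED_FOR_RC_FIREWALL):
    """List the required symbols that are neither built in nor modules."""
    return [s for s, st in check_options(config_text, required).items() if st == "missing"]


# Constructed .config fragment: state matching is disabled and NAT is absent.
SAMPLE_CONFIG = """\
#
# IP: Netfilter Configuration
#
CONFIG_PACKET=y
CONFIG_NETFILTER=y
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_FTP=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_LIMIT=m
# CONFIG_IP_NF_MATCH_STATE is not set
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_COMPAT_IPCHAINS=y
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for sym, st in check_options(text).items():
        print(f"{sym:<32} {st}")
    print("missing:", ", ".join(missing_options(text)) or "none")
```

On a running system the file to pass in is usually /boot/config-$(uname -r), or /proc/config.gz (decompressed first) when the kernel was built with CONFIG_IKCONFIG_PROC. A result of "module" means the code exists but still has to be loaded before the corresponding iptables rule can be inserted.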