
                       Linux 2.4 Packet Filtering HOWTO
                                       
Author: Rusty Russell, mailing list netfilter@lists.samba.org
Translator: netmanforever@yahoo.com

   v1.0.1 Mon May 1 18:09:31 CST 2000
     _________________________________________________________________
   
   This document describes how to use iptables to filter out bad packets
   for the 2.4 Linux kernel.
     _________________________________________________________________
   
1. Introduction

2. Where is the official web site? Is there a mailing list?

3. So What's A Packet Filter?

     * 3.1 Why Would I Want to Packet Filter?
     * 3.2 How Do I Packet Filter Under Linux?
       
4. Who the hell are you, and why are you playing with my kernel?

5. Rusty's Really Quick Guide To Packet Filtering

6. How Packets Traverse The Filters

7. Using iptables

     * 7.1 What You'll See When Your Computer Starts Up
     * 7.2 Operations on a Single Rule
     * 7.3 Filtering Specifications
     * 7.4 Target Specifications
     * 7.5 Operations on an Entire Chain
       
8. Using ipchains and ipfwadm

9. Mixing NAT and Packet Filtering

10. Differences Between iptables and ipchains

11. Advice on Packet Filter Design
     _________________________________________________________________
   
1. Introduction

   Welcome, gentle reader.
   
   It is assumed you know what an IP address, a network address, a
   netmask, routing and DNS are. If not, I recommend you read the Network
   Concepts HOWTO.
   
   This HOWTO flips between a gentle introduction (which will leave you
   feeling warm and fuzzy, but less than protected in the Real World) and
   raw full-disclosure (which would leave all but the hardiest souls
   confused, paranoid and seeking heavy weaponry).
   
   Your network is not secure. The problem of allowing fast, convenient
   communication while restricting its use to good, not evil, intentions
   is a hard one, and this HOWTO is not going to solve it.
   
   So, when you decide where to draw the line, you're on your own. I will
   try to show you how to use some of the tools available and some of the
   vulnerabilities to be aware of, in the hope that you will use them for
   good, and not for evil. Another equivalent problem.
   
2. Where is the official web site? Is there a mailing list?

   There are three official sites:
     * Thanks to [1]Filewatcher (http://netfilter.filewatcher.org).
     * Thanks to [2]The Samba Team and SGI (http://www.samba.org/netfilter).
     * Thanks to [3]Jim Pick (http://netfilter.kernelnotes.org).
       
   For the official netfilter mailing list, see [4]Samba's Listserver
   (http://lists.samba.org).
   
3. So What's A Packet Filter?

   A packet filter is a piece of software which looks at the header of
   packets as they pass through, and decides the fate of the entire
   packet. It might decide to DROP the packet (i.e., discard the packet
   as if it had never received it), ACCEPT the packet (i.e., let the
   packet go through), or something more complicated.
   
   Under Linux, packet filtering is built into the kernel (as a kernel
   module, or built right in), and there are a few trickier things we can
   do with packets, but the general principle of looking at the headers
   and deciding the fate of the packet is still there.
   
3.1 Why Would I Want to Packet Filter?

   Control. Security. Watchfulness.
   
   Control:
          When you are using a Linux box to connect your internal network
          to another network (say, the Internet) you have an opportunity
          to allow certain types of traffic, and disallow others. For
          example, the header of a packet contains the destination
          address of the packet, so you can prevent packets going to a
          certain part of the outside network. As another example, I use
          Netscape to access the Dilbert archives. There are
          advertisements from doubleclick.net on the page, and Netscape
          wastes my time by cheerfully downloading them. Telling the
          packet filter not to allow any packets to or from the addresses
          owned by doubleclick.net solves that problem (there are better
          ways of doing this though: see Junkbuster).
          
   Security:
          When your Linux box is the only thing between the chaos of the
          Internet and your nice, orderly network, it's nice to know you
          can restrict what comes tromping in your door. For example, you
          might allow anything to go out from your network, but you might
          be worried about the well-known `Ping of Death' coming in from
          malicious outsiders. As another example, you might not want
          outsiders telnetting to your Linux box, even though all your
          accounts have passwords. Maybe you want (like most people) to
          be an observer on the Internet, and not a server (willing or
          otherwise). Simply don't let anyone connect in, by having the
          packet filter reject incoming packets used to set up
          connections.
          
   Watchfulness:
          Sometimes a badly configured machine on the local network will
          decide to spew packets to the outside world. It's nice to tell
          the packet filter to let you know if anything abnormal occurs;
          maybe you can do something about it, or maybe you're just
          curious by nature.
          
          
3.2 How Do I Packet Filter Under Linux?

   Linux kernels have had packet filtering since the 1.1 series. The
   first generation, based on ipfw from BSD, was ported by Alan Cox in
   late 1994. This was enhanced by Jos Vos and others for Linux 2.0; the
   userspace tool `ipfwadm' (*) controlled the kernel filtering rules. In
   mid-1998, for Linux 2.2, I reworked the kernel quite heavily, with the
   help of Michael Neuling, and introduced the userspace tool `ipchains'.
   Finally, the fourth-generation tool, `iptables', and another kernel
   rewrite occurred in mid-1999 for Linux 2.4. It is this iptables which
   this HOWTO concentrates on.
   
   (* Translator's note: `userspace' is the term commonly used to
   distinguish the part of the system where ordinary programs run from
   kernel space. Notes added by the translator are marked like this one
   throughout; readers please take note.)
   
   You need a kernel which has the netfilter infrastructure in it:
   netfilter is a general framework inside the Linux kernel which other
   things (such as the iptables module) can plug into. This means you
   need kernel 2.3.15 or beyond, and answer `Y' to CONFIG_NETFILTER in
   the kernel configuration.
   
   The tool iptables talks to the kernel and tells it what packets to
   filter. Unless you are a programmer, or overly curious, this is how
   you will control the packet filtering.
   
  iptables
  
   The iptables tool inserts and deletes rules from the kernel's packet
   filtering table. This means that whatever you set up, it will be lost
   upon reboot; see [5]Making Rules Permanent for how to make sure they
   are restored the next time Linux is booted.
   
   iptables is a replacement for ipfwadm and ipchains: see [6]Using
   ipchains and ipfwadm for how to painlessly avoid using iptables if
   you're using one of those tools.
   
  Making Rules Permanent
  
   Your current firewall setup is stored in the kernel, and thus will be
   lost on reboot. iptables-save and iptables-restore (*) are on the TODO
   list. Trust me, when they are written they will certainly be used a
   lot.
   
   (* Translator's note: the ipchains tools include ipchains-save and
   ipchains-restore, which save the current setup and restore it later.
   If you have used that feature of ipchains, that is presumably what the
   author has in mind here.)
   
   In the meantime, put the commands required to set up your rules into
   an initialization script. Make sure you do something intelligent if
   one of the commands should fail (usually `exec /sbin/sulogin').
   
4. Who the hell are you, and why are you playing with my kernel?

   I'm Rusty Russell, maintainer of Linux IP Firewalling, and one of the
   many people who happened to be in the right place at the right time. I
   wrote ipchains (see [7]How Do I Packet Filter Under Linux? above for
   the credit to the people who did the actual work), and learned enough
   to get packet filtering right this time. I hope.
   
   [8]WatchGuard, an excellent firewall company who sell the really nice
   plug-in Firebox, offered to pay me to do nothing, and so I get to
   write this and maintain my older code. I predicted 6 months, and I
   ended up taking 12, but I felt that I had finally done it right. Many
   rewrites, a hard-drive crash, a laptop getting stolen, a couple of
   corrupted filesystems and one broken screen later, here it is.
   
   While I'm here, I want to clear up some people's perception: I am not
   a kernel guru. I know this, because my kernel work has brought me into
   contact with some of them: David S. Miller, Alexey Kuznetsov, Andi
   Kleen, Alan Cox. However, they are all busy digging the deep magic,
   leaving me to wade in the shallow end where it's safe.
   
5. Rusty's Really Quick Guide To Packet Filtering

   Most people just have a single PPP connection to the Internet, and
   don't want anyone coming back into their network, or the firewall:
   
## Insert connection-tracking modules (not needed if built into kernel).
# insmod ip_conntrack
# insmod ip_conntrack_ftp

## Create chain which blocks new connections, except if coming from inside.
# iptables -N block
# iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A block -m state --state NEW -i ! ppp0 -j ACCEPT
# iptables -A block -j DROP

## Jump to that chain from INPUT and FORWARD chains.
# iptables -A INPUT -j block
# iptables -A FORWARD -j block

6. How Packets Traverse The Filters

   The kernel starts with three lists of rules in the `filter' table;
   these lists are called firewall chains or just chains. The three
   chains are called INPUT, OUTPUT and FORWARD.
   
   This is very different from the 2.0 and 2.2 kernels!
   
   For ASCII-art fans, the chains are arranged like so:
                          _____
Incoming                 /     \         Outgoing
       -->[Routing ]--->|FORWARD|------->
          [Decision]     \_____/        ^
               |                        |
               v                      ____
              ___                    /    \
             /   \                  |OUTPUT|
            |INPUT|                  \____/
             \___/                      ^
               |                        |
                ----> Local Process ----

   The three circles represent the three chains mentioned above. When a
   packet reaches a circle in the diagram, that chain is examined to
   decide the fate of the packet. If the chain says to DROP the packet,
   it is killed there, but if the chain says to ACCEPT the packet, it
   continues traversing the diagram.
   
   A chain is a checklist of rules. Each rule says `if the packet header
   looks like this, then here's what to do with the packet'. If the rule
   doesn't match the packet, then the next rule in the chain is
   consulted. Finally, if there are no more rules to consult, then the
   kernel looks at the chain policy to decide what to do. In a
   security-conscious system, this policy usually tells the kernel to
   DROP the packet.
   
    1. When a packet comes in (say, through the Ethernet card) the kernel
       first looks at the destination of the packet: this is called
       `routing'.
    2. If it's destined for this box, the packet passes downwards in the
       diagram, to the INPUT chain. If it passes this, any processes
       waiting for that packet will receive it.
    3. Otherwise, if the kernel does not have forwarding enabled, or it
       doesn't know how to forward the packet, the packet is dropped. If
       forwarding is enabled, and the packet is destined for another
       network interface (if you have another one), then the packet goes
       rightwards on our diagram to the FORWARD chain. If it is
       ACCEPTed, it will be sent out.
    4. Finally, a program running on the box can send network packets.
       These packets pass through the OUTPUT chain immediately: if it
       says ACCEPT, then the packet continues out to whatever interface
       it is destined for.
       
       
7. Using iptables

   If you need a particularly detailed explanation, iptables has a fairly
   detailed manual page (man iptables). Those of you familiar with
   ipchains may simply want to look at [9]Differences Between iptables
   and ipchains; they are very similar.
   
   There are several different things you can do with iptables. You
   start with three built-in chains INPUT, OUTPUT and FORWARD which you
   can't delete. Let's look at the operations to manage whole chains:
   
    1. Create a new chain (-N).
    2. Delete an empty chain (-X).
    3. Change the policy for a built-in chain (-P).
    4. List the rules in a chain (-L).
    5. Flush the rules out of a chain (-F).
    6. Zero the packet and byte counters on all rules in a chain (-Z).
       
   There are several ways to manipulate rules inside a chain:
   
    1. Append a new rule to a chain (-A).
    2. Insert a new rule at some position in a chain (-I).
    3. Replace a rule at some position in a chain (-R).
    4. Delete a rule at some position in a chain (-D).
    5. Delete the first rule that matches in a chain (-D).
       
       
7.1 What You'll See When Your Computer Starts Up

   iptables may be a module, called `iptable_filter.o', which should be
   automatically loaded when you first run iptables. It can also be built
   into the kernel permanently.
   
   Before any iptables commands have been run (careful: some
   distributions will run iptables in their initialization scripts),
   there will be no rules in any of the built-in chains (`INPUT',
   `FORWARD' and `OUTPUT'), and all the chains will have a policy of
   ACCEPT. You can alter the default policy of the FORWARD chain by
   providing the `forward=0' option to the iptable_filter module.
   
   
7.2 Operations on a Single Rule

   This is the bread-and-butter of packet filtering; manipulating rules.
   Most commonly, you will probably use the append (-A) and delete (-D)
   commands. The others (-I for insert and -R for replace) are simple
   extensions of these concepts.
   
   Each rule specifies a set of conditions the packet must meet, and what
   to do if it meets them (a `target'). For example, you might want to
   drop all ICMP packets coming from the IP address 127.0.0.1. So in this
   case our conditions are that the protocol must be ICMP and that the
   source address must be 127.0.0.1. Our target is `DROP'.
   
   127.0.0.1 is the `loopback' interface, which you will have even if you
   have no real network connection. You can use the `ping' program to
   generate such packets (it simply sends an ICMP type 8 (echo request)
   which all cooperative hosts should obligingly respond to with an ICMP
   type 0 (echo reply) packet). This makes it useful for testing.
   
   
# ping -c 1 127.0.0.1
PING 127.0.0.1 (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.2 ms

--- 127.0.0.1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.2/0.2/0.2 ms
# iptables -A INPUT -s 127.0.0.1 -p icmp -j DROP
# ping -c 1 127.0.0.1
PING 127.0.0.1 (127.0.0.1): 56 data bytes

--- 127.0.0.1 ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss
#

   You can see here that the first ping succeeds (the `-c 1' tells ping
   to only send a single packet).
   
   Then we append (-A) to the `INPUT' chain, a rule specifying that for
   packets from 127.0.0.1 (`-s 127.0.0.1') with protocol ICMP (`-p icmp')
   we should jump to DROP (`-j DROP').
   
   Then we test our rule, using the second ping. There will be a pause
   before the program gives up waiting for a response that will never
   come.
   
   We can delete the rule in one of two ways. Firstly, since we know that
   it is the only rule in the input chain, we can use a numbered delete,
   as in:
   
   
        # iptables -D INPUT 1
        #

   To delete rule number 1 in the INPUT chain.
   
   The second way is to mirror the -A command, but replacing the -A with
   -D. This is useful when you have a complex chain of rules and you
   don't want to have to count them to figure out that it's rule 37 that
   you want to get rid of. In this case, we would use:
   
   
        # iptables -D INPUT -s 127.0.0.1 -p icmp -j DROP
        #

   The syntax of -D must have exactly the same options as the -A (or -I
   or -R) command. If there are multiple identical rules in the same
   chain, only the first will be deleted.
   
7.3 Filtering Specifications

   We have seen the use of `-p' to specify protocol, and `-s' to specify
   source address, but there are other options we can use to specify
   packet characteristics. What follows is an exhaustive compendium.
   
  Specifying Source and Destination IP Addresses
  
   Source (`-s', `--source' or `--src') and destination (`-d',
   `--destination' or `--dst') IP addresses can be specified in four
   ways. The most common way is to use the full name, such as `localhost'
   or `www.linuxhq.com'. The second way is to specify the IP address such
   as `127.0.0.1'.
   
   The third and fourth ways allow specification of a group of IP
   addresses, such as `199.95.207.0/24' or `199.95.207.0/255.255.255.0'.
   These both specify any IP address from 199.95.207.0 to 199.95.207.255
   inclusive; the digits after the `/' tell which parts of the IP address
   are significant. `/32' or `/255.255.255.255' is the default (match all
   of the IP address). To specify any IP address at all `/0' can be used,
   like so:
   
   
        [ NOTE: `-s 0/0' is redundant here. ]
        # iptables -A INPUT -s 0/0 -j DROP
        #

   This is rarely used, as the effect above is the same as not specifying
   the `-s' option at all.
   
  Specifying Inversion
  
   Many flags, including the `-s' (or `--source') and `-d'
   (`--destination') flags can have their arguments preceded by `!'
   (pronounced `not') to match addresses NOT equal to the ones given. For
   example, `-s ! localhost' matches any packet not coming from
   localhost.
   
  Specifying Protocol
  
   The protocol can be specified with the `-p' (or `--protocol') flag.
   Protocol can be a number (if you know the numeric protocol values for
   IP) or a name for the special cases of `TCP', `UDP' or `ICMP'. Case
   doesn't matter, so `tcp' works as well as `TCP'.
   
   The protocol name can be prefixed by a `!', to invert it, such as `-p
   ! TCP' to specify packets which are not TCP.
   
  Specifying an Interface
  
   The `-i' (or `--in-interface') and `-o' (or `--out-interface') options
   specify the name of an interface to match. An interface is the
   physical device the packet came in on (`-i') or is going out on
   (`-o'). You can use the ifconfig command to list the interfaces which
   are `up' (i.e., working at the moment).
   
   Packets traversing the INPUT chain don't have an output interface, so
   any rule using `-o' in this chain will never match. Similarly, packets
   traversing the OUTPUT chain don't have an input interface, so any rule
   using `-i' in this chain will never match.
   
   Only packets traversing the FORWARD chain have both an input and
   output interface.
   
   It is perfectly legal to specify an interface that currently does not
   exist; the rule will not match anything until the interface comes up.
   This is extremely useful for dial-up PPP links (usually interface
   ppp0) and the like.
   
   As a special case, an interface name ending in a `+' will match all
   interfaces (whether they currently exist or not) which begin with that
   string. For example, to specify a rule which matches all PPP
   interfaces, the -i ppp+ option would be used.
   
   The interface name can be preceded by a `!' to match a packet which
   doesn't match the specified interface(s).
   
  Specifying Fragments
  
   Sometimes a packet is too large to fit down a wire all at once. When
   this happens, the packet is divided into fragments, and sent as
   multiple packets. The other end reassembles the fragments to
   reconstruct the whole packet.
   
   The problem with fragments is that the initial fragment has the
   complete header fields (IP + TCP, UDP and ICMP) to examine, but
   subsequent packets only have a subset of the headers (IP without the
   additional protocol fields). Thus looking inside subsequent fragments
   for protocol headers (such as is done by the TCP, UDP and ICMP
   extensions) is not possible.
   
   If you are doing connection tracking or NAT, then all fragments will
   get merged back together before they reach the packet filtering code,
   so you need never worry about fragments.
   
   Otherwise, it is important to understand how fragments get treated by
   the filtering rules. Any filtering rule that asks for information we
   don't have will not match. This means that the first fragment is
   treated like any other packet. Second and further fragments won't be.
   Thus a rule -p TCP --sport www (specifying a source port of `www')
   will never match a fragment (other than the first fragment). Neither
   will the opposite rule -p TCP --sport ! www.
   
   However, you can specify a rule specifically for second and further
   fragments, using the `-f' (or `--fragment') flag. It is also legal to
   specify that a rule does not apply to second and further fragments, by
   preceding the `-f' with `!'.
   
   Usually it is regarded as safe to let second and further fragments
   through, since filtering will affect the first fragment, and thus
   prevent reassembly on the target host; however, bugs have been known
   to allow crashing of machines simply by sending fragments. Your call.
   
   Note for network-heads: malformed packets (TCP, UDP and ICMP packets
   too short for the firewalling code to read the ports or ICMP code and
   type) are dropped when such examinations are attempted. So are TCP
   fragments starting at position 8 (*).
   
   (* Translator's note: I am not certain what the author refers to here
   either; the original reads `So are TCP fragments starting at position
   8', and it is not clear to me whether position 8 refers to the TCP
   header or to something else. If you know the answer, please let me
   know.)
   
   As an example, the following rule will drop any fragments going to
   192.168.1.1:
   
   
# iptables -A OUTPUT -f -d 192.168.1.1 -j DROP
#

  Extensions to iptables: New Matches
  
   iptables is extensible, meaning that both the kernel and the iptables
   tool can be extended to provide new features.
   
   Some of these extensions are standard, and others are more exotic.
   Extensions can be made by other people and distributed separately for
   niche users.
   
   Kernel extensions normally live in the kernel module subdirectory,
   such as /lib/modules/2.3.15/net. They are demand loaded if your kernel
   was compiled with CONFIG_KMOD set, so you should not need to manually
   insert them.
   
   Extensions to the iptables program are shared libraries which usually
   live in /usr/local/lib/iptables/, although a distribution would put
   them in /lib/iptables or /usr/lib/iptables.
   
   Extensions come in two types: new targets, and new matches (we'll talk
   about new targets a little later). Some protocols automatically offer
   new tests: currently these are TCP, UDP and ICMP as shown below.
   
   For these you will be able to specify the new tests on the command
   line after the `-p' option, which will load the extension. For
   explicit new tests, use the `-m' option to load the extension, after
   which the extended options will be available.
   
   To get help on an extension, use the option to load it (`-p', `-j' or
   `-m') followed by `-h' or `--help', eg:
   
# iptables -p tcp --help
#

  TCP Extensions
  
   The TCP extensions are automatically loaded if `-p tcp' is specified.
   It provides the following options (none of which match fragments).
   
   --tcp-flags
          Followed by an optional `!', then two strings of flags, allows
          you to filter on specific TCP flags. The first string of flags
          is the mask: a list of flags you want to examine. The second
          string of flags tells which one(s) should be set. For example:
          
# iptables -A INPUT --protocol tcp --tcp-flags ALL SYN,ACK -j DROP

          This indicates that all flags should be examined (`ALL' is
          synonymous with `SYN,ACK,FIN,RST,URG,PSH'), but only SYN and
          ACK should be set. There is also an argument `NONE' meaning no
          flags.
          
   --syn
          Optionally preceded by a `!', this is shorthand for
          `--tcp-flags SYN,RST,ACK SYN'.
          
   --source-port
          followed by an optional `!', then either a single TCP port, or
          a range of ports. Ports can be port names, as listed in
          /etc/services, or numeric. Ranges are either two port names
          separated by a `:', or (to specify greater than or equal to a
          given port) a port with a `:' appended, or (to specify less
          than or equal to a given port) a port preceded by a `:'.
          
   --sport
          is a synonym for `--source-port'.
          
   --destination-port
          and
          
   --dport
          are the same as above, only they specify the destination,
          rather than source, port to match.
          
   --tcp-option
          followed by an optional `!' and a number, matches a packet with
          a TCP option equalling that number. A packet which does not
          have a complete TCP header is dropped automatically if an
          examination of its TCP options is attempted.
          
  An Explanation of TCP Flags
  
   It is sometimes useful to allow TCP connections in one direction, but
   not the other. For example, you might want to allow connections to an
   external WWW server, but not connections from that server.
   
   The naive approach would be to block TCP packets coming from the
   server. Unfortunately, TCP connections require packets going in both
   directions to work at all.
   
   The solution is to block only the packets used to request a
   connection. These packets are called SYN packets (ok, technically
   they're packets with the SYN flag set, and the RST and ACK flags
   cleared, but we call them SYN packets for short). By disallowing only
   these packets, we can stop attempted connections in their tracks.
   
   The `--syn' flag is used for this: it is only valid for rules which
   specify TCP as their protocol. For example, to specify TCP connection
   attempts from 192.168.1.1:
   
-p TCP -s 192.168.1.1 --syn

   This flag can be inverted by preceding it with a `!', which means
   every packet other than the connection initiation.
   
  UDP Extensions
  
   These extensions are automatically loaded if `-p udp' is specified.
   It provides the options `--source-port', `--sport',
   `--destination-port' and `--dport' as detailed for TCP above.
   
  ICMP Extensions
  
   This extension is automatically loaded if `-p icmp' is specified. It
   provides only one new option:
   
   --icmp-type
          followed by an optional `!', then either an icmp type name (eg
          `host-unreachable'), or a numeric type (eg `3'), or a numeric
          type and code separated by a `/' (eg `3/3'). A list of
          available icmp type names is given using `-p icmp --help'.
          
  Other Match Extensions
  
   The other extensions in the netfilter package are demonstration
   extensions, which (if installed) can be invoked with the `-m' option.
   
   mac
          This module must be explicitly specified with `-m mac' or
          `--match mac'. It is used to match an incoming packet's source
          Ethernet (MAC) address, and thus only useful for packets
          traversing the PREROUTING and INPUT chains. It provides only
          one option:
          
        --mac-source
                followed by an optional `!', then an ethernet address in
                colon-separated hexbyte notation, eg `--mac-source
                00:60:08:91:CC:B7'.
                
   limit
          This module must be explicitly specified with `-m limit' or
          `--match limit'. It is used to restrict the rate of matches,
          such as for suppressing log messages. It will only match a
          given number of times per second (by default 3 matches per
          hour, with a burst of 5). It takes two optional arguments:
          
        --limit
                followed by a number; specifies the maximum average
                number of matches to allow per second. The number can
                specify units explicitly, using `/second', `/minute',
                `/hour' or `/day', or parts of them (so `5/second' is
                the same as `5/s').
                
        --limit-burst
                followed by a number, indicating the maximum burst before
                the above limit kicks in.
                
          This match can often be used with the LOG target to do
          rate-limited logging. To understand how it works, let's look at
          the following rule, which logs packets with the default limit
          parameters:
          
# iptables -A FORWARD -m limit -j LOG

          The first time this rule is reached, the packet will be logged;
          in fact, since the default burst is 5, the first five packets
          will be logged. After this, it will be twenty minutes before a
          packet will be logged from this rule, regardless of how many
          packets reach it. Also, every twenty minutes which passes
          without matching a packet, one of the burst will be regained;
          if no packets hit the rule for 100 minutes, the burst will be
          fully recharged; back where we started.
          
          Note: you cannot currently create a rule with a recharge time
          greater than about 59 hours, so if you set an average rate of
          one per day, then your burst rate must be less than 3.
          
          You can also use this module to avoid various denial of service
          attacks (DoS) with a faster rate to increase responsiveness.
          
          Syn-flood protection:
          
# iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT

          Furtive port scanner:
          
# iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

          Ping of death:
          
# iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

          This module works like a "hysteresis door", as shown in the
          graph below.
          
       rate (pkt/s)
             ^        .---.
             |       / DoS \
             |      /       \
Edge of DoS -|.....:.........\.......................
 = (limit *  |    /:          \
limit-burst) |   / :           \         .-.
             |  /  :            \       /   \
             | /   :             \     /     \
End of DoS  -|/....:..............:.../.......\..../.
 = limit     |     :              :`-'         `--'
-------------+-----+--------------+------------------> time (s)
   LOGIC =>  Match | Didn't Match |    Match

          Say we say one packet per second, with a 5 packet burst, but
          packets start coming in at 4 per second, for three seconds,
          then start again in three seconds.
          


        <--Flood 1-->           <---Flood 2--->

Total  ^                   Line  __--      YNNN
Packets|               Rate  __--      YNNN
       |            mum  __--      YNNN
    10 |        Maxi __--         Y
       |         __--            Y
       |     __--               Y
       | __--    YNNN
       |-    YNNN
     5 |    Y
       |   Y                                Key:  Y -> Matched Rule
       |  Y                                       N -> Didn't Match Rule
       | Y
       |Y
     0 +-------------------------------------------------->  Time (seconds)
        0   1   2   3   4   5   6   7   8   9  10  11  12

          You can see that the first five packets are allowed to exceed
          the one packet per second, then the limiting kicks in. If there
          is a pause, another burst is allowed but not past the maximum
          rate set by the rule (1 packet per second after the burst is
          used).
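          As an added example (not part of the original HOWTO), the
          following POSIX shell function models the `limit' match as a
          token bucket: one token is regained every <interval> seconds,
          at most <burst> tokens are held, and each matching packet
          spends one. It works in whole seconds and only illustrates the
          behaviour described above; the kernel's own implementation is
          not reproduced.

```shell
#!/bin/sh
# Added model of the `limit' match as a token bucket; an illustration,
# not the netfilter implementation. Whole seconds only.
#
# limit_match <seconds_per_token> <burst> <arrival_time>...
# Prints one character per packet: Y if the rule would match, N if not.
limit_match() {
    interval=$1            # seconds to regain one match (3/hour = 1200)
    burst=$2               # --limit-burst: bucket capacity, starts full
    shift 2
    tokens=$burst
    credit=0               # seconds banked toward the next refill
    last=$1                # arrival time of the previous packet
    out=""
    for t in "$@"; do
        # Refill: every `interval' seconds since the previous packet
        # gives back one token, never exceeding the burst size.
        credit=$((credit + t - last))
        last=$t
        while [ "$credit" -ge "$interval" ] && [ "$tokens" -lt "$burst" ]; do
            tokens=$((tokens + 1))
            credit=$((credit - interval))
        done
        # A full bucket cannot bank extra credit for later.
        if [ "$tokens" -eq "$burst" ]; then credit=0; fi
        # Spend one token if any is left; otherwise the packet does not match.
        if [ "$tokens" -gt 0 ]; then
            tokens=$((tokens - 1))
            out="${out}Y"
        else
            out="${out}N"
        fi
    done
    printf '%s\n' "$out"
}

# Default parameters from the text (3/hour, burst 5): constructed arrivals,
# one per second for eight packets, then one more about 22 minutes later.
limit_match 1200 5 0 1 2 3 4 5 6 7 1300
# `--limit 1/s' with the default burst of 5: seven packets in one second,
# then one more a second later.
limit_match 1 5 0 0 0 0 0 0 0 1
```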
          
   owner
          This module attempts to match various characteristics of the
          packet creator, for locally-generated packets. It is only valid
          in the OUTPUT chain, and even then some packets (such as ICMP
          ping responses) may have no owner, and hence never match.
          
        --uid-owner userid
                Matches if the packet was created by a process with the
                given effective (numerical) user id.
                
        --gid-owner groupid
                Matches if the packet was created by a process with the
                given effective (numerical) group id.
                
        --pid-owner processid
                Matches if the packet was created by a process with the
                given process id.
                
        --sid-owner sessionid
                Matches if the packet was created by a process in the
                given session group.
                
   unclean
          This experimental module must be explicitly specified with `-m
          unclean' or `--match unclean'. It does a variety of random
          sanity checks on packets. This module has not been audited, and
          should not be used as a security device (it probably makes
          things worse, since it may well have bugs itself). It takes no
          options.
          
  The State Match
  
   The most useful match criterion is supplied by the `state' extension,
   which interprets the connection-tracking analysis of the
   `ip_conntrack' module. This is highly recommended.
   
   Specifying `-m state' allows an additional `--state' option, which is
   a comma-separated list of states to match (the `!' flag indicates not
   to match those states). These states are:
   
   NEW
          A packet which creates a new connection.
          
   ESTABLISHED
          A packet which belongs to an existing connection (i.e., a reply
          packet, or an outgoing packet on a connection which has seen
          replies).
          
   RELATED
          A packet which is related to, but not part of, an existing
          connection, such as an ICMP error, or (with the FTP module
          inserted) a packet establishing an ftp data connection.
          
   INVALID
          A packet which could not be identified for some reason: this
          includes running out of memory and ICMP errors which don't
          correspond to any known connection. Generally these packets
          should be dropped.
          
          
7.4 Target Specifications

   Now we know what examinations we can do on a packet, we need a way of
   saying what to do to the packets which match our tests. This is called
   a rule's target.
   
   There are two very simple built-in targets: DROP and ACCEPT. We've
   already met them. If a rule matches a packet and its target is one of
   these two, no further rules are consulted: the packet's fate has been
   decided.
   
   There are two types of targets other than the built-in ones:
   extensions and user-defined chains.
   
  User-defined chains
  
   One powerful feature which iptables inherits from ipchains is the
   ability for the user to create new chains, in addition to the three
   built-in ones (INPUT, FORWARD and OUTPUT). By convention, user-defined
   chains are lower-case to distinguish them (we'll describe how to
   create new user-defined chains in [10]Operations on an Entire Chain
   below).
   
   When a packet matches a rule whose target is a user-defined chain, the
   packet begins traversing the rules in that user-defined chain. If that
   chain doesn't decide the fate of the packet, then once traversal on
   that chain has finished, traversal resumes on the next rule in the
   current chain.
   
   Time for more ASCII art. Consider two (silly) chains: INPUT (the
   built-in chain) and test (a user-defined chain).
   
   
         `INPUT'                         `test'
        ----------------------------    ----------------------------
        | Rule1: -p ICMP -j DROP   |    | Rule1: -s 192.168.1.1    |
        |--------------------------|    |--------------------------|
        | Rule2: -p TCP -j test    |    | Rule2: -d 192.168.1.1    |
        |--------------------------|    ----------------------------
        | Rule3: -p UDP -j DROP    |
        ----------------------------

   Consider a TCP packet coming from 192.168.1.1, going to 1.2.3.4. It
   enters the INPUT chain, and gets tested against Rule1 - no match.
   Rule2 matches, and its target is test, so the next rule examined is
   the start of test. Rule1 in test matches, but doesn't specify a
   target, so the next rule is examined, Rule2. This doesn't match, so we
   have reached the end of the chain. We return to the INPUT chain, where
   we had just examined Rule2, so we now examine Rule3, which doesn't
   match either.
   
   So the packet path is:
   
   
                                v    __________________________
         `INPUT'                |   /    `test'                v
        ------------------------|--/    -----------------------|----
        | Rule1                 | /|    | Rule1                |   |
        |-----------------------|/-|    |----------------------|---|
        | Rule2                 /  |    | Rule2                |   |
        |--------------------------|    -----------------------v----
        | Rule3                 /--+___________________________/
        ------------------------|---
                                v

   User-defined chains can jump to other user-defined chains (but don't
   make loops: your packets will be dropped if they're found to be in a
   loop).
   
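   As an added example (not code from the HOWTO or from netfilter), the
   shell functions below walk the two silly chains above for a given
   packet: when `test' ends without a verdict the walk returns to the
   next INPUT rule, a built-in target met inside the user-defined chain
   ends the walk at once, and falling off the end of INPUT applies its
   policy (assumed to be ACCEPT here).

```shell
#!/bin/sh
# Toy model of rule traversal across a built-in chain and a user-defined
# chain (the INPUT/test example from the text). Rules are written
# "proto src dst target"; "-" means "any" in a match field and "no -j
# given" in the target field. Constructed data, not a live rule set.
INPUT_RULES='icmp - - DROP
tcp - - test
udp - - DROP'
TEST_RULES='- 192.168.1.1 - -
- - 192.168.1.1 -'
INPUT_POLICY=ACCEPT          # only built-in chains have a policy (assumed value)

chain_rules() {              # print the rules of the named chain, one per line
    case $1 in
        INPUT) printf '%s\n' "$INPUT_RULES" ;;
        test)  printf '%s\n' "$TEST_RULES" ;;
    esac
}

# walk <chain> <proto> <src> <dst>
# Prints the verdict decided inside this chain, or nothing if the chain
# runs out of rules (the caller then carries on with its own next rule).
walk() {
    while read -r rproto rsrc rdst target; do
        [ "$rproto" = - ] || [ "$rproto" = "$2" ] || continue
        [ "$rsrc" = - ]   || [ "$rsrc" = "$3" ]   || continue
        [ "$rdst" = - ]   || [ "$rdst" = "$4" ]   || continue
        case $target in
            -)                                  # matched, but no -j: next rule
                ;;
            ACCEPT|DROP)                        # built-in target: fate decided
                printf '%s\n' "$target"; return 0 ;;
            *)                                  # jump into a user-defined chain
                v=$(walk "$target" "$2" "$3" "$4")
                if [ -n "$v" ]; then printf '%s\n' "$v"; return 0; fi ;;
        esac
    done <<EOF
$(chain_rules "$1")
EOF
    return 0                                    # fell off the end: no verdict
}

verdict() {                  # verdict <proto> <src> <dst>
    v=$(walk INPUT "$1" "$2" "$3")
    printf '%s\n' "${v:-$INPUT_POLICY}"   # end of INPUT reached: apply policy
}

verdict tcp 192.168.1.1 1.2.3.4    # the packet from the text: policy ACCEPT
verdict udp 192.168.1.1 1.2.3.4    # INPUT Rule3 decides: DROP
```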
   
  Extensions to iptables: New Targets
  
   The other type of extension is a target. A target extension consists
   of a kernel module, and an optional extension to iptables to provide
   new command line options. There are several extensions in the default
   netfilter distribution:
   
   LOG
          This module provides kernel logging of matching packets. It
          provides these additional options:
          
        --log-level
                Followed by a level number or name. Valid names are
                (case-insensitive) `debug', `info', `notice', `warning',
                `err', `crit', `alert' and `emerg', corresponding to
                numbers 7 through 0. See the man page for syslog.conf for
                an explanation of these levels.
                
        --log-prefix
                Followed by a string of up to 30 characters, this message
                is sent at the start of the log message, to allow it to
                be uniquely identified.
                
          This module is most useful after a limit match, so you don't
          flood your logs.
          
   REJECT
          This module has the same effect as `DROP', except that the
          sender is sent an ICMP `port unreachable' error message. Note
          that the ICMP error message is not sent if (see RFC 1122):
          
          + The packet being filtered was an ICMP error message in the
            first place, or some unknown ICMP type.
          + The packet being filtered was a non-head fragment.
          + We've sent too many ICMP error messages to that destination
            recently.
            
          REJECT also takes a `--reject-with' optional argument which
          alters the reply packet used: see the manual page.
          
  Special Built-In Targets
  
   There are two special built-in targets: RETURN and QUEUE.
   
   RETURN has the same effect as falling off the end of a chain: for a
   rule in a built-in chain, the policy of the chain is executed. For a
   rule in a user-defined chain, the traversal continues at the previous
   chain, just after the rule which jumped to this chain.
   
   QUEUE is a special target, which queues the packet for userspace
   processing. For this to be useful, two further components are
   required:
   
     * a "queue handler", which deals with the actual mechanics of
       passing packets between the kernel and userspace; and
     * a userspace application to receive, possibly manipulate, and
       issue verdicts on packets.
       
   The standard queue handler for IPv4 iptables is the ip_queue module,
   which is distributed with the kernel and marked as experimental.
   
   The following is a quick example of how to use iptables to queue
   packets for userspace processing:
   
   
# modprobe iptable_filter
# modprobe ip_queue
# iptables -A OUTPUT -p icmp -j QUEUE

   With this rule, locally generated outgoing ICMP packets (as created
   with, say, ping) are passed to the ip_queue module, which then
   attempts to deliver the packets to a userspace application. If no
   userspace application is waiting, the packets are dropped.
   
   To write a userspace application, use the libipq API. This is
   distributed with iptables. Example code may be found in the testsuite
   tools (e.g. redirect.c) in CVS.
   
   The status of ip_queue may be checked via:
   
/proc/net/ip_queue

   The maximum length of the queue (i.e. the number of packets delivered
   to userspace with no verdict issued back) may be controlled via:
   
   
/proc/sys/net/ipv4/ip_queue_maxlen

   The default value for the maximum queue length is 1024. Once this
   limit is reached, new packets will be dropped until the length of the
   queue falls below the limit again. Nice protocols such as TCP
   interpret dropped packets as congestion, and will hopefully back off
   when the queue fills up. However, it may take some experimenting to
   determine an ideal maximum queue length for a given situation if the
   default value is too small.
   
   
7.5 Operations on an Entire Chain

   A very useful feature of iptables is the ability to group related
   rules into chains. You can call the chains whatever you want, but I
   recommend using lower-case letters to avoid confusion with the
   built-in chains and targets. Chain names can be up to 31 letters long.
   
  Creating a New Chain
  
   Let's create a new chain. Because I am such an imaginative fellow,
   I'll call it test. We use the `-N' or `--new-chain' options:
   
   
# iptables -N test
#

   It's that simple. Now you can put rules in it as detailed above.
   
  Deleting a Chain
  
   Deleting a chain is simple as well, using the `-X' or `--delete-chain'
   options. Why `-X'? Well, all the good letters were taken.
   
   
# iptables -X test
#

   There are a couple of restrictions to deleting chains: they must be
   empty (see [11]Flushing a Chain below) and they must not be the target
   of any rule. You can't delete any of the three built-in chains.
   
   If you don't specify a chain, then all user-defined chains will be
   deleted, if possible.
   
  Flushing a Chain
  
   There is a simple way of emptying all rules out of a chain, using the
   `-F' (or `--flush') command.
   
   
# iptables -F forward
#

   If you don't specify a chain, then all chains will be flushed.
   
  Listing a Chain
  
   You can list all the rules in a chain by using the `-L' (or `--list')
   command.
   
   The `refcnt' listed for each user-defined chain is the number of rules
   which have that chain as their target. This must be zero (and the
   chain be empty) before this chain can be deleted.
   
   If the chain name is omitted, all chains are listed, even empty ones.
   
   There are three options which can accompany `-L'. The `-n' (numeric)
   option is very useful as it prevents iptables from trying to look up
   the IP addresses, which (if you are using DNS like most people) will
   cause large delays if your DNS is not set up properly, or you have
   filtered out DNS requests. It also causes TCP and UDP ports to be
   printed out as numbers rather than names.
   
   The `-v' option shows you all the details of the rules, such as the
   packet and byte counters, the TOS comparisons, and the interfaces.
   Otherwise these values are omitted.
   
   Note that the packet and byte counters are printed out using the
   suffixes `K', `M' or `G' for 1000, 1,000,000 and 1,000,000,000
   respectively. Using the `-x' (expand numbers) flag as well prints the
   full numbers, no matter how large they are.
   
  Resetting (Zeroing) Counters
  
   It is useful to be able to reset the counters. This can be done with
   the `-Z' (or `--zero') option.
   
   The problem with this approach is that sometimes you need to know the
   counter values immediately before they are reset. In the above
   example, some packets could pass through between the `-L' and `-Z'
   commands. For this reason, you can use the `-L' and `-Z' together, to
   reset the counters while reading them.
   
  Setting Policy
  
   We glossed over what happens when a packet hits the end of a built-in
   chain when we discussed how a packet walks through chains earlier. In
   this case, the policy of the chain determines the fate of the packet.
   Only built-in chains (INPUT, OUTPUT and FORWARD) have policies,
   because if a packet falls off the end of a user-defined chain,
   traversal resumes at the previous chain.
   
   The policy can be either ACCEPT or DROP.
   
   
8. Using ipchains and ipfwadm

   There are modules in the netfilter distribution called ipchains.o and
   ipfwadm.o. Insert one of these into your kernel (NOTE: they are
   incompatible with iptables.o, ip_conntrack.o and ip_nat.o!). Then you
   can use ipchains or ipfwadm just like the good old days.
   
   This will be supported for some time. I think a reasonable formula is
   2 * [date the replacement was released - date of the last stable
   release of the tool], added to the date the replacement appeared in a
   stable kernel.
   
   So for ipfwadm, support ends at:
   
   
2 * [October 1997 (2.1.102 release) - March 1995 (ipfwadm 1.0)]
        + January 1999 (2.2.0 release)
    = November 2003.

   And for ipchains:
   
2 * [August 1999 (2.3.15 release) - October 1997 (2.2.0 release)]
        + July 2000 (2.4.0 release?)
    = March 2004.

   So you needn't worry until 2004.
   
9. Mixing NAT and Packet Filtering

   It's common to want to do Network Address Translation (see the NAT
   HOWTO) and packet filtering. The good news is that they mix extremely
   well.
   
   You design your packet filtering completely ignoring any NAT you are
   doing. The sources and destinations seen by the packet filter will be
   the `real' sources and destinations. For example, if you are doing
   DNAT to send any connections to 1.2.3.4 port 80 through to 10.1.1.1
   port 8080, the packet filter would see packets going to 10.1.1.1 port
   8080 (the real destination), not 1.2.3.4 port 80. Similarly, you can
   ignore masquerading: packets will seem to come from their real
   internal IP addresses (say 10.1.1.1), and replies will seem to go back
   there.
   
   You can use the `state' match extension without requiring the packet
   filter to do any extra work, since NAT requires connection tracking
   anyway. To enhance the simple masquerading example in the NAT HOWTO to
   disallow any new connections from coming in on the ppp0 interface, you
   would do this:
   
   
# Masquerade out ppp0
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

# Disallow NEW and INVALID incoming or forwarded packets from ppp0.
iptables -A INPUT -i ppp0 -m state --state NEW,INVALID -j DROP
iptables -A FORWARD -i ppp0 -m state --state NEW,INVALID -j DROP

# Turn on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

10. Differences Between iptables and ipchains

     * Firstly, the names of the built-in chains have changed from lower
       case to UPPER case, because the INPUT and OUTPUT chains now only
       get locally-destined and locally-generated packets. They used to
       see all incoming and all outgoing packets respectively.
     * The `-i' flag now means the incoming interface, and only works in
       the INPUT and FORWARD chains. Rules in the FORWARD or OUTPUT
       chains that used `-i' should be changed to `-o'.
     * TCP and UDP ports now need to be spelled out with the
       --source-port or --sport (or --destination-port/--dport) options,
       and must be placed after the `-p tcp' or `-p udp' options, as
       this loads the TCP or UDP extensions respectively.
     * The TCP -y flag is now --syn, and must be after `-p tcp'.
     * The DENY target is finally DROP.
     * Zeroing single chains while listing them works.
     * Zeroing built-in chains also clears policy counters.
     * Listing chains gives you the counters as an atomic snapshot.
     * REJECT and LOG are now extended targets, meaning they are separate
       kernel modules.
     * Chain names can be up to 31 characters.
     * MASQ is now MASQUERADE and uses a different syntax. REDIRECT,
       while keeping the same name, has also undergone a syntax change.
       See the NAT-HOWTO for more information on how to configure both
       of these.
     * The -o option is no longer used to direct packets to the userspace
       device (see -i above). Packets are now sent to userspace via the
       QUEUE target.
     * Probably heaps of other things I forgot.
       
       
11. Advice on Packet Filter Design

   The common wisdom in the computer security world is to block
   everything, then open up holes as you need them. This is usually
   phrased `that which is not explicitly allowed is denied'. I recommend
   this approach if security is your top concern.
   
   Don't run any services you don't need to, even if you think you have
   blocked access to them.
   
   If you're creating a dedicated firewall, start by running nothing, and
   blocking all packets, then add services and let packets through as you
   need them.
   
   I recommend security in depth: combine tcp-wrappers (for connections
   to the packet filter box itself), proxies (for connections passing
   through the packet filter box), route verification and packet
   filtering. Route verification is where a packet which comes from an
   unexpected interface is dropped: for example, if your internal network
   has addresses 10.1.1.0/24, and a packet with that source address comes
   in your external interface, it will be dropped. This can be enabled
   for one interface (ppp0) like so:
   
   
# echo 1 > /proc/sys/net/ipv4/conf/ppp0/rp_filter
#

   Or for all existing and future interfaces like so:
   
# for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
#     echo 1 > $f
# done
#

   Debian does this by default where possible. If you have asymmetric
   routing (i.e., you expect packets coming in from strange directions),
   you will want to disable this filtering on those interfaces.
   
   Logging is useful when setting up a firewall if something isn't
   working, but on a production firewall always combine it with the
   `limit' match, to prevent someone from flooding your logs.
   
   I highly recommend connection tracking for secure systems: it
   introduces some overhead, as all connections are tracked, but is very
   useful for controlling access to your networks. You may need to load
   the `ip_conntrack.o' module if your kernel doesn't autoload modules.
   If you want to accurately track complex protocols, you will need to
   load the appropriate helper module (e.g. `ip_conntrack_ftp.o').
   
   
# iptables -N no-conns-from-ppp0
# iptables -A no-conns-from-ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A no-conns-from-ppp0 -m state --state NEW -i ! ppp0 -j ACCEPT
# iptables -A no-conns-from-ppp0 -i ppp0 -m limit -j LOG --log-prefix "Bad packet from ppp0:"
# iptables -A no-conns-from-ppp0 -i ! ppp0 -m limit -j LOG --log-prefix "Bad packet not from ppp0:"
# iptables -A no-conns-from-ppp0 -j DROP

# iptables -A INPUT -j no-conns-from-ppp0
# iptables -A FORWARD -j no-conns-from-ppp0

   Building a secure firewall is beyond the scope of this HOWTO, but my
   advice is `always be minimalist'. See the Security HOWTO for more
   information on testing and probing your box.

References

   1. http://netfilter.filewatcher.org/
   2. http://www.samba.org/netfilter
   3. http://netfilter.kernelnotes.org/
   4. http://lists.samba.org/
   5. file://localhost/tmp/zh-sgmltools.7467/Packet-Filtering-HOWTO.txt.html#permanent
   6. file://localhost/tmp/zh-sgmltools.7467/Packet-Filtering-HOWTO.txt.html#oldstyle
   7. file://localhost/tmp/zh-sgmltools.7467/Packet-Filtering-HOWTO.txt.html#filter-linux
   8. http://www.watchguard.com/
   9. file://localhost/tmp/zh-sgmltools.7467/Packet-Filtering-HOWTO.txt.html#Appendix-A
  10. file://localhost/tmp/zh-sgmltools.7467/Packet-Filtering-HOWTO.txt.html#chain-ops
  11. file://localhost/tmp/zh-sgmltools.7467/Packet-Filtering-HOWTO.txt.html#flushing
