Quick HOWTO : Ch14 :SSDP Linux Firewalls Using iptables


Network security is a primary consideration in any decision to host a website as the threats are becoming more widespread and persistent every day. One means of providing additional protection is to invest in a firewall. Though prices are always falling, in some cases you may be able to create a comparable unit using the Linux iptables package on an existing server for little or no additional expenditure.

This chapter shows how to convert a Linux server into:

A firewall while simultaneously being your home website's mail, web and DNS server.

A router that will use NAT and port forwarding to both protect your home network and have another web server on your home network while sharing the public IP address of your firewall.

Creating an iptables firewall script requires many steps, but with the aid of the sample tutorials, you should be able to complete a configuration relatively quickly.

What Is iptables?

Originally, the most popular firewall/NAT package running on Linux was ipchains, but it had a number of shortcomings. To rectify this, the Netfilter organization decided to create a new product called iptables, giving it such improvements as:

Better integration with the Linux kernel with the capability of loading iptables-specific kernel modules designed for improved speed and reliability.

Stateful packet inspection. This means that the firewall keeps track of each connection passing through it and in certain cases will view the contents of data flows in an attempt to anticipate the next action of certain protocols. This is an important feature in the support of active FTP and DNS, as well as many other network services.

Filtering packets based on a MAC address and the values of the flags in the TCP header. This is helpful in preventing attacks using malformed packets and in restricting access from locally attached servers to other networks in spite of their IP addresses.

System logging that provides the option of adjusting the level of detail of the reporting.

Better network address translation.

Support for transparent integration with such Web proxy programs as Squid.

A rate limiting feature that helps iptables block some types of denial of service (DoS) attacks.

Considered a faster and more secure alternative to ipchains, iptables has become the default firewall package installed under Red Hat and Fedora Linux.

Download And Install The Iptables Package

Before you begin, you need to make sure that the iptables software RPM is installed. (See Chapter 6, "Installing Linux Software", if you need a refresher.) When searching for the RPMs, remember that the filename usually starts with the software package name followed by a version number, as in iptables-1.2.9-1.0.i386.rpm.

Managing the iptables Server

Managing the iptables daemon is easy to do, but the procedure differs between Linux distributions. Here are some things to keep in mind.

Firstly, different Linux distributions use different daemon management systems. Each system has its own set of commands to do similar operations. The most commonly used daemon management systems are SysV and Systemd.

Secondly, the daemon name needs to be known. In this case the name of the daemon is iptables.

Armed with this information you can know how to:

Start your daemons automatically on booting

Stop, start and restart them later on during troubleshooting or when a configuration file change needs to be applied.

For more details on this, please take a look at the "Managing Daemons" section of Chapter 6, "Installing Linux Software".

Note: Remember to configure your daemon to start automatically upon your next reboot.

Packet Processing In iptables

All packets inspected by iptables pass through a sequence of built-in tables (queues) for processing. Each of these queues is dedicated to a particular type of packet activity and is controlled by an associated packet transformation/filtering chain.

There are three tables in total. The first is the mangle table which is responsible for the alteration of quality of service bits in the TCP header. This is hardly used in a home or SOHO environment.

The second table is the filter queue which is responsible for packet filtering. It has three built-in chains in which you can place your firewall policy rules. These are the:

Forward chain: Filters packets to servers protected by the firewall.

Input chain: Filters packets destined for the firewall.

Output chain: Filters packets originating from the firewall.

The third table is the nat queue which is responsible for network address translation. It has two built-in chains; these are:

Pre-routing chain: NATs packets when the destination address of the packet needs to be changed.

Post-routing chain: NATs packets when the source address of the packet needs to be changed.

Table 14-1 Processing For Packets Routed By The Firewall

Queue Type | Queue Function | Packet Transformation Chain in Queue | Chain Function
Filter | Packet filtering | FORWARD | Filters packets to servers accessible by another NIC on the firewall.
Filter | Packet filtering | INPUT | Filters packets destined to the firewall.
Filter | Packet filtering | OUTPUT | Filters packets originating from the firewall.
Nat | Network Address Translation | PREROUTING | Address translation occurs before routing. Facilitates the transformation of the destination IP address to be compatible with the firewall's routing table. Used with NAT of the destination IP address, also known as destination NAT or DNAT.
Nat | Network Address Translation | POSTROUTING | Address translation occurs after routing. This implies that there was no need to modify the destination IP address of the packet as in pre-routing. Used with NAT of the source IP address using either one-to-one or many-to-one NAT. This is known as source NAT, or SNAT.
Nat | Network Address Translation | OUTPUT | Network address translation for packets generated by the firewall. (Rarely used in SOHO environments)
Mangle | TCP header modification | PREROUTING, POSTROUTING, OUTPUT, INPUT, FORWARD | Modification of the TCP packet quality of service bits before routing occurs. (Rarely used in SOHO environments)
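The following is an added example, not a script from the original chapter: a shell function that emits an iptables-restore ruleset for the two goals described at the start of the chapter (a firewall that is also the home mail, web and DNS server, plus NAT and port forwarding to a second web server on the LAN), placing each rule in the table and chain that Table 14-1 assigns to it. The interface names and the LAN address are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: generate an iptables-restore ruleset that follows Table 14-1.
#   $1 = Internet-facing interface, $2 = home LAN interface (assumed names),
#   $3 = LAN address of the second web server (constructed placeholder).
gen_rules() {
  wan="$1"; lan="$2"; inner_web="$3"
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# INPUT chain: packets destined for the firewall itself (mail, web, DNS)
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $wan -p tcp -m multiport --dports 25,80,443 -j ACCEPT
-A INPUT -i $wan -p udp --dport 53 -j ACCEPT
-A INPUT -i $wan -p tcp --dport 53 -j ACCEPT
-A INPUT -i $lan -j ACCEPT
# FORWARD chain: packets routed through the firewall to/from the LAN.
# Stateful inspection lets replies back without listing every port.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan -o $wan -j ACCEPT
# nat PREROUTING runs before filter FORWARD, so this rule must match the
# destination as it looks AFTER DNAT (LAN address, port 80), not port 8080.
-A FORWARD -i $wan -o $lan -d $inner_web -p tcp --dport 80 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# PREROUTING (DNAT): rewrite the destination before routing so port 8080 on
# the firewall's public address reaches the second web server on the LAN.
-A PREROUTING -i $wan -p tcp --dport 8080 -j DNAT --to-destination $inner_web:80
# POSTROUTING (SNAT via MASQUERADE): rewrite the source after routing so
# LAN hosts share the firewall's public IP address.
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
EOF
}

# Usage: gen_rules eth0 eth1 192.168.1.100 > /etc/sysconfig/iptables
```

Load the generated file with iptables-restore and then review the result with iptables -L -v and iptables -t nat -L -v to confirm each rule landed in the intended table and chain.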
