User:惟吾无为/iptables
原作者 | Rusty Russell |
---|---|
開發者 | Netfilter Core Team |
首次发布 | 1998 |
当前版本 | 1.4.21[1](2013年11月22日 ) |
编程语言 | C |
操作系统 | Linux |
类型 | Packet filtering |
许可协议 | GNU General Public License |
网站 | www.netfilter.org |
iptables 是一个 user space 应用程序。 system administrator 靠它来配置 Linux kernel firewall (其内核模块名为Netfilter) 提供的table(表)以及table里的chain(链)和rule(规则)。 目前使用不同的内核模块名称和应用程序名称来区别不同的协议: iptables 对应 IPv4, ip6tables 对应 IPv6, arptables 对应 ARP, 而 ebtables 则对应 Ethernet frames。
iptables 必须在 root 权限下运行。 iptables 一般被安装在 /usr/sbin/iptables,你可以使用man iptables
来查看用户手册(man page)。注意,iptables不是系统必需软件,所以会放在/usr/sbin,而/sbin/iptables这种路径是不推荐使用的。
不过, iptables 也经常指代它的内核部件。因为x_tables内核模块的部分代码是共享的,而那4个封包处理模块给扩展模块提供API时都用到这段代码,结果后来就有人用Xtables来指代整个防火墙架构。(英文原句: x_tables is the name of the kernel module carrying the shared code portion used by all four modules that also provides the API used for extensions; subsequently, Xtables is more or less used to refer to the entire firewall (v4, v6, arp, and eb) architecture.)
注意,iptables将被nftables替代。在2014年1月19日,发布Linux内核3.13版的时候,此项改变已被合并到了Linux kernel mainline。[2]
概述
编辑Xtables允许system administrator通过定义chains、rules来处理数据包. 不同的table有着不同的处理策略。封包会依次经过chain里的rule。当封包符合rule的定义时会抵达目的或是转交其他的chain处理,封包经过的chain的数目不做限制。(英文原句: A rule in a chain can cause a goto or jump to another chain, and this can be repeated to whatever level of nesting is desired. (A jump is like a “call”, i.e. the point that was jumped from is remembered.)) 每个出站或者入站的封包会经过至少一条chain。
封包的来源决定了它先进入哪条链。而预设链(predefined chains。映射到对应的Netfilter hooks)有5条,但不会全部出现在某个table。只有预设链才能设置链策略(policy)。 假设策略是DROP的话,当封包经过了本chain的所有rule却未抵达目的,将使用策略定义的DROP作为目的,封包即被丢弃。管理员可以创建其他的chain(一般被称为 自定义链,user-defined chain),自定义链无法设置策略,当封包经过整个自定义链,回回到当初转交到此自定义链的位置继续“游历”。chain可以为空。
PREROUTING
: 封包进行路由前会先进入此链。INPUT
: 封包是本机接收(俗称“入站”),先进入此链。It does not have anything to do with processes having an opened socket; 本机接收由"local-delivery"路由表控制:ip route show table local
.FORWARD
: 封包已经路由,不是本机接收。进入此链。OUTPUT
: 封包离开本机(俗称“出站”)前进入此链。POSTROUTING
: 封包已经路由,送入网卡前进入此链。
Each rule in a chain contains the specification of which packets it matches. It may also contain a target (used for extensions) or verdict (one of the built-in decisions). As a packet traverses a chain, each rule in turn is examined. If a rule does not match the packet, the packet is passed to the next rule. If a rule does match the packet, the rule takes the action indicated by the target/verdict, which may result in the packet being allowed to continue along the chain or it may not. Matches make up the large part of rulesets, as they contain the conditions packets are tested for. These can happen for about any layer in the OSI model, as with e.g. the --mac-source
and -p tcp --dport
parameters, and there are also protocol-independent matches, such as -m time
.
The packet continues to traverse the chain until either
- a rule matches the packet and decides the ultimate fate of the packet, for example by calling one of the
ACCEPT
orDROP
, or a module returning such an ultimate fate; or - a rule calls the
RETURN
verdict, in which case processing returns to the calling chain; or - the end of the chain is reached; traversal either continues in the parent chain (as if
RETURN
was used), or the base chain policy, which is an ultimate fate, is used.
Targets also return a verdict like ACCEPT
(NAT
modules will do this) or DROP
(e.g. the REJECT
module), but may also imply CONTINUE
(e.g. the LOG
module; CONTINUE
is an internal name) to continue with the next rule as if no target/verdict was specified at all.
Userspace utilities
编辑Front-ends
编辑There are numerous third-party software applications for iptables that try to facilitate setting up rules. Front-ends in textual or graphical fashion allow users to click-generate simple rulesets; scripts usually refer to shell scripts (but other scripting languages are possible too) that call iptables or (the faster) iptables-restore
with a set of predefined rules, or rules expanded from a template with the help of a simple configuration file. Linux distributions commonly employ the latter scheme of using templates. Such a template-based approach is practically a limited form of a rule generator, and such generators also exist in standalone fashion, for example, as PHP web pages.
Such front-ends, generators and scripts are often limited by their built-in template systems and where the templates offer substitution spots for user-defined rules. Also, the generated rules are generally not optimized for the particular firewalling effect the user wishes, as doing so will likely increase the maintenance cost for the developer. Users who reasonably understand iptables and want their ruleset optimized are advised to construct their own ruleset.
Other tools
编辑- NuFW, an authenticating firewall extension to Netfilter
- Shorewall gateway/firewall configuration tool makes it possible to use much easier rules and takes a burden of translating it to iptables language and maintaining it. iptables made easy is a Shorewall's slogan.
- abyle-firewall a python/xml based iptables wrapper (wiki)
See also
编辑References
编辑- ^ iptables 1.4.21 released. News of the netfilter/iptables project. netfilter.org. 2013-11-22 [2014-02-10].
- ^ nftables, the successor of iptables. Linux 3.13. kernelnewbies.org. 2014-01-19 [2014-01-20].
External links
编辑- The netfilter/iptables project Web page
- Freecode上的iptables
- The netfilter/iptables documentation page (outdated)[需要解释]
- Detecting and deceiving network scans — countermeasures against nmap (expert users)
- The IPTables ManPage for syntax help
- Iptables Tutorial 1.2.2 by Oskar Andreasson