用戶:惟吾無為/iptables
原作者 | Rusty Russell |
---|---|
開發者 | Netfilter Core Team |
首次發佈 | 1998 |
當前版本 | 1.4.21[1](2013年11月22日 ) |
程式語言 | C |
作業系統 | Linux |
類型 | Packet filtering |
許可協議 | GNU General Public License |
網站 | www.netfilter.org |
iptables 是一個 user space 應用程式。 system administrator 靠它來配置 Linux kernel firewall (其內核模塊名為Netfilter) 提供的table(表)以及table里的chain(鏈)和rule(規則)。 目前使用不同的內核模塊名稱和應用程式名稱來區別不同的協議: iptables 對應 IPv4, ip6tables 對應 IPv6, arptables 對應 ARP, 而 ebtables 則對應 Ethernet frames。
iptables 必須在 root 權限下運行。 iptables 一般被安裝在 /usr/sbin/iptables,你可以使用man iptables
來查看用戶手冊(man page)。注意,iptables不是系統必需軟件,所以會放在/usr/sbin,而/sbin/iptables這種路徑是不推薦使用的。
不過, iptables 也經常指代它的內核部件。因為x_tables內核模塊的部分代碼是共享的,而那4個封包處理模塊給擴展模塊提供API時都用到這段代碼,結果後來就有人用Xtables來指代整個防火牆架構。(英文原句: x_tables is the name of the kernel module carrying the shared code portion used by all four modules that also provides the API used for extensions; subsequently, Xtables is more or less used to refer to the entire firewall (v4, v6, arp, and eb) architecture.)
注意,iptables將被nftables替代。在2014年1月19日,發佈Linux內核3.13版的時候,此項改變已被合併到了Linux kernel mainline。[2]
概述
[編輯]Xtables允許system administrator通過定義chains、rules來處理數據包. 不同的table有着不同的處理策略。封包會依次經過chain里的rule。當封包符合rule的定義時會抵達目的或是轉交其他的chain處理,封包經過的chain的數目不做限制。(英文原句: A rule in a chain can cause a goto or jump to another chain, and this can be repeated to whatever level of nesting is desired. (A jump is like a 「call」, i.e. the point that was jumped from is remembered.)) 每個出站或者入站的封包會經過至少一條chain。
封包的來源決定了它先進入哪條鏈。而預設鏈(predefined chains。映射到對應的Netfilter hooks)有5條,但不會全部出現在某個table。只有預設鏈才能設置鏈策略(policy)。 假設策略是DROP的話,當封包經過了本chain的所有rule卻未抵達目的,將使用策略定義的DROP作為目的,封包即被丟棄。管理員可以創建其他的chain(一般被稱為 自定義鏈,user-defined chain),自定義鏈無法設置策略,當封包經過整個自定義鏈,回回到當初轉交到此自定義鏈的位置繼續「遊歷」。chain可以為空。
PREROUTING
: 封包進行路由前會先進入此鏈。INPUT
: 封包是本機接收(俗稱「入站」),先進入此鏈。It does not have anything to do with processes having an opened socket; 本機接收由"local-delivery"路由表控制:ip route show table local
.FORWARD
: 封包已經路由,不是本機接收。進入此鏈。OUTPUT
: 封包離開本機(俗稱「出站」)前進入此鏈。POSTROUTING
: 封包已經路由,送入網卡前進入此鏈。
Each rule in a chain contains the specification of which packets it matches. It may also contain a target (used for extensions) or verdict (one of the built-in decisions). As a packet traverses a chain, each rule in turn is examined. If a rule does not match the packet, the packet is passed to the next rule. If a rule does match the packet, the rule takes the action indicated by the target/verdict, which may result in the packet being allowed to continue along the chain or it may not. Matches make up the large part of rulesets, as they contain the conditions packets are tested for. These can happen for about any layer in the OSI model, as with e.g. the --mac-source
and -p tcp --dport
parameters, and there are also protocol-independent matches, such as -m time
.
The packet continues to traverse the chain until either
- a rule matches the packet and decides the ultimate fate of the packet, for example by calling one of the
ACCEPT
orDROP
, or a module returning such an ultimate fate; or - a rule calls the
RETURN
verdict, in which case processing returns to the calling chain; or - the end of the chain is reached; traversal either continues in the parent chain (as if
RETURN
was used), or the base chain policy, which is an ultimate fate, is used.
Targets also return a verdict like ACCEPT
(NAT
modules will do this) or DROP
(e.g. the REJECT
module), but may also imply CONTINUE
(e.g. the LOG
module; CONTINUE
is an internal name) to continue with the next rule as if no target/verdict was specified at all.
Userspace utilities
[編輯]Front-ends
[編輯]There are numerous third-party software applications for iptables that try to facilitate setting up rules. Front-ends in textual or graphical fashion allow users to click-generate simple rulesets; scripts usually refer to shell scripts (but other scripting languages are possible too) that call iptables or (the faster) iptables-restore
with a set of predefined rules, or rules expanded from a template with the help of a simple configuration file. Linux distributions commonly employ the latter scheme of using templates. Such a template-based approach is practically a limited form of a rule generator, and such generators also exist in standalone fashion, for example, as PHP web pages.
Such front-ends, generators and scripts are often limited by their built-in template systems and where the templates offer substitution spots for user-defined rules. Also, the generated rules are generally not optimized for the particular firewalling effect the user wishes, as doing so will likely increase the maintenance cost for the developer. Users who reasonably understand iptables and want their ruleset optimized are advised to construct their own ruleset.
Other tools
[編輯]- NuFW, an authenticating firewall extension to Netfilter
- Shorewall gateway/firewall configuration tool makes it possible to use much easier rules and takes a burden of translating it to iptables language and maintaining it. iptables made easy is a Shorewall's slogan.
- abyle-firewall a python/xml based iptables wrapper (wiki)
See also
[編輯]References
[編輯]- ^ iptables 1.4.21 released. News of the netfilter/iptables project. netfilter.org. 2013-11-22 [2014-02-10].
- ^ nftables, the successor of iptables. Linux 3.13. kernelnewbies.org. 2014-01-19 [2014-01-20].
External links
[編輯]- The netfilter/iptables project Web page
- Freecode上的iptables
- The netfilter/iptables documentation page (outdated)[需要解釋]
- Detecting and deceiving network scans — countermeasures against nmap (expert users)
- The IPTables ManPage for syntax help
- Iptables Tutorial 1.2.2 by Oskar Andreasson