ptables指南.pdf

目录 译者序..................................................................................................................................................................................4 关于作者..............................................................................................................................................................................5 如何阅读..............................................................................................................................................................................5 必备知识..............................................................................................................................................................................6 本文约定..............................................................................................................................................................................6 Chapter1.序言......................................................................................................................................................................6 1.1.为什么要写这个指南.......................................................................................................................................... 6 1.2.指南是如何写的.................................................................................................................................................. 7 1.3.文中出现的术语.................................................................................................................................................. 7 Chapter2.准备阶段..............................................................................................................................................................8 2.1.哪里能取得 iptables.............................................................................................................................................8 2.2.内核配置.............................................................................................................................................................. 8 2.3.编译与安装........................................................................................................................................................ 11 2.3.1.编译........................................................................................................................................................ 11 2.3.2.在 RedHat7.1 上安装.............................................................................................................................12 Chapter3.表和链................................................................................................................................................................14 3.1.概述.................................................................................................................................................................... 14 3.2.mangle 表........................................................................................................................................................... 17 3.3.nat 表.................................................................................................................................................................. 18 3.4.Filter 表...............................................................................................................................................................19 Chapter4.状态机制............................................................................................................................................................19 4.1.概述.................................................................................................................................................................... 19 4.2.conntrack 记录................................................................................................................................................... 20 4.3.数据包在用户空间的状态................................................................................................................................ 21 4.4.TCP 连接............................................................................................................................................................22 4.5.UDP 连接........................................................................................................................................................... 25 4.6.ICMP 连接......................................................................................................................................................... 26 4.7.缺省的连接操作................................................................................................................................................ 28 4.8.复杂协议和连接跟踪........................................................................................................................................ 29 Chapter5.规则的保存与恢复............................................................................................................................................30 5.1.速度.................................................................................................................................................................... 30 5.2.restore 的不足之处............................................................................................................................................ 31 5.3.iptables-save....................................................................................................................................................... 31 5.4.iptables-restore....................................................................................................................................................34 Chapter6.规则是如何练成的............................................................................................................................................34 6.1.基础.................................................................................................................................................................... 35 6.2.Tables..................................................................................................................................................................35 6.3.Commands.......................................................................................................................................................... 36 6.4.Matches...............................................................................................................................................................39 6.4.1.通用匹配................................................................................................................................................39 6.4.2.隐含匹配................................................................................................................................................41 6.4.3.显式匹配................................................................................................................................................44 6.4.4.针对非正常包的匹配............................................................................................................................49 6.5.Targets/Jumps..................................................................................................................................................... 49 6.5.1.ACCEPTtarget....................................................................................................................................... 50 6.5.2.DNATtarget............................................................................................................................................ 50 6.5.3.DROPtarget............................................................................................................................................ 53 6.5.4.LOGtarget...............................................................................................................................................54 6.5.5.MARKtarget...........................................................................................................................................55 6.5.6.MASQUERADEtarget........................................................................................................................... 55 6.5.7.MIRRORtarget....................................................................................................................................... 56 6.5.8.QUEUEtarget......................................................................................................................................... 576.5.9.REDIRECTtarget................................................................................................................................... 57 6.5.10.REJECTtarget.......................................................................................................................................57 6.5.11.RETURNtarget..................................................................................................................................... 58 6.5.12.SNATtarget...........................................................................................................................................58 6.5.13.TOStarget............................................................................................................................................. 59 6.5.14.TTLtarget............................................................................................................................................. 60 6.5.15.ULOGtarget..........................................................................................................................................61 Chapter7.防火墙配置实例 rc.firewall.............................................................................................................................. 62 7.1.关于 rc.firewall...................................................................................................................................................62 7.2.rc.firewall 详解...................................................................................................................................................63 7.2.1.参数配置................................................................................................................................................63 7.2.2.外部模块的装载....................................................................................................................................63 7.2.3.proc 的设置............................................................................................................................................65 7.2.4.规则位置的优化....................................................................................................................................65 7.2.5.缺省策略的设置....................................................................................................................................68 7.2.6.自定义链的设置....................................................................................................................................68 7.2.7.INPUT 链............................................................................................................................................... 72 7.2.8.FORWARD 链........................................................................................................................................73 7.2.9.OUTPUT 链........................................................................................................................................... 74 7.2.10.PREROUTING 链................................................................................................................................74 7.2.11.POSTROUTING 链............................................................................................................................. 74 Chapter8.例子简介............................................................................................................................................................75 8.1.rc.firewall.txt 脚本的结构................................................................................................................................. 75 8.1.1.脚本结构................................................................................................................................................75 8.2.rc.firewall.txt...................................................................................................................................................... 79 8.3.rc.DMZ.firewall.txt.............................................................................................................................................80 8.4.rc.DHCP.firewall.txt........................................................................................................................................... 81 8.5.rc.UTIN.firewall.txt............................................................................................................................................84 8.6.rc.test-iptables.txt................................................................................................................................................85 8.7.rc.flush-iptables.txt............................................................................................................................................. 85 8.8.Limit-match.txt................................................................................................................................................... 86 8.9.Pid-owner.txt.......................................................................................................................................................86 8.10.Sid-owner.txt.....................................................................................................................................................86 8.11.Ttl-inc.txt.......................................................................................................................................................... 86 8.12.Iptables-saveruleset.......................................................................................................................................... 87 附录 A.常用命令详解.......................................................................................................................................................87 A.1.查看当前规则集的命令................................................................................................................................... 87 A.2.修正和清空 iptables 的命令.............................................................................................................................88 附录 B.常见问题与解答...................................................................................................................................................88 B.1.模块装载问题....................................................................................................................................................88 B.2.未设置 SYN 的 NEW 状态包.......................................................................................................................... 90 B.3.NEW 状态的 SYN/ACK 包..............................................................................................................................91 B.4.使用私有 IP 地址的 ISP................................................................................................................................... 91 B.5.放行 DHCP 数据...............................................................................................................................................92 B.6.关于 mIRCDCC 的问题....................................................................................................................................92 附录 C.ICMP 类型............................................................................................................................................................ 93 附录 D.其他资源和链接...................................................................................................................................................94 附录 E.鸣谢....................................................................................................................................................................... 96 附录 F.History....................................................................................................................................................................97 附录 G.GNUFreeDocumentationLicense........................................................................................................................100 附录 H.GNUGeneralPublicLicense.................................................................................................................................107 附录 I.示例脚本的代码.................................................................................................................................................. 114 I.1.rc.firewall 脚本代码......................................................................................................................................... 114 I.2.rc.DMZ.firewall 脚本代码............................................................................................................................... 124I.3.rc.UTIN.firewall 脚本代码...............................................................................................................................135 I.4.rc.DHCP.firewall 脚本代码.............................................................................................................................. 145 I.5.rc.flush-iptables 脚本代码................................................................................................................................ 155 I.6.rc.test-iptables 脚本代码.................................................................................................................................. 157