BBS水木清华站∶精华区
发信人: zixia (Do you zixia tonight), 信区: Linux
标 题: 3. So What's A Packet Filter?
发信站: BBS 水木清华站 (Wed Oct 11 01:17:06 2000) WWW-POST
Linux 2.4 Packet Filtering HOWTO: So What's A Packet Filter? (p1 of
3)
3. So What's A Packet Filter?
A packet filter is a piece of software which looks at the header of
packets as they pass through, and decides the fate of the entire packet.
It might decide to DROP the packet (i.e., discard the packet as if it had
never received it), ACCEPT the packet (i.e., let the packet go through),
or something more complicated.
LinUnder Linux, packet filtering is built into the kernel (as a kernelhere a
Ma
module, or built right in), and there are a few trickier things we can do
with packets, but the general principle of looking at the headers and
deciding the fate of the packet is still there.-------------------------
3.1 Why Would I Want to Packet Filter?there a Mailing List?
Control. Security. Watchfulness.
* Thanks to Filewatcher.
Control:ks to The Samba Team and SGI.
* Thanks to Jim Pick.
when you are using a Linux box to connect your internal network
to
For the another network (say, the Internet) you have an opportunity to
allow certain types of traffic, and disallow others. For example,
------the header of a packet contains the destination address of the--
packet, so you can prevent packets going to a certain part of the
Next Preoutside network. As another example, I use Netscape to access the
Dilbert archives. There are advertisements from doubleclick.net
on
the page, and Netscape wastes my time by cheerfully downloading
them. Telling the packet filter not to allow any packets to or
from the addresses owned by doubleclick.net solves that problem
(there are better ways of doing this though: see Junkbuster).
Security:
when your Linux box is the only thing between the chaos of the
Internet and your nice, orderly network, it's nice to know you
can
restrict what comes tromping in your door. For example, you might
allow anything to go out from your network, but you might be
worried about the well-known `Ping of Death' coming in
from
LinUnder Limalicious outsiders. As another example, you might not wanthere a
Ma
mo outsiders telnetting to your Linux box, even though all your o
with pacaccounts have passwords. Maybe you want (like most people) to be
an observer on the Internet, and not a server (willing or-------
otherwise). Simply don't let anyone connect in, by having the
3.1 packet filter reject incoming packets used to set up connections.
Watchfulness:
sometimes a badly configured machine on the local network will
decide to spew packets to the outside world. It's nice to tell
the
packet filter to let you know if anything abnormal occurs;
maybeto
you can do something about it, or maybe you're just curious by
nature. ple,
tination address of the--
3.2 How Do I Packet Filter Under Linux?ackets going to a certain part of the
example, I use Netscape to access the
Linux kernels have had packet filtering since the 1.1 series. The first
on
generation, based on ipfw from BSD, was ported by Alan Cox in late 1994.
This was enhanced by Jos Vos and others for Linux 2.0; the userspace tool
`ipfwadm' controlled the kernel filtering rules. In mid-1998, for Linux
2.2, I reworked the kernel quite heavily, with the help of Michaelr).
Neuling, and introduced the userspace tool `ipchains'. Finally, the
fourth-generation tool, `iptables', and another kernel rewrite occurred
in
mid-1999 for Linux 2.4. It is this iptables which this HOWTO concentrates
on.
n
You need a kernel which has the netfilter infrastructure in it: netfilter
is a general framework inside the Linux kernel which other things (such
as
the iptables module) can plug into. This means you need kernel 2.3.15 or
beyond, and answer `Y' to CONFIG_NETFILTER in the kernel configuration.
The tool iptables talks to the kernel and tells it what packets to
filter.
Unless you are a programmer, or overly curious, this is how you will
control the packet filtering.
iptables
The iptables tool inserts and deletes rules from the kernel's packet
filtering table. This means that whatever you set up, it will be lost
upon
reboot; see Making Rules Permanent for how to make sure they are
restored
Linthe next time Linux is booted. here a
Ma
mo o
iptables is a replacement for ipfwadm and ipchains: see Using ipchains
and
ipfwadm for how to painlessly avoid using iptables if you're using one of
those tools.
3.1
Making Rules Permanent
Your current firewall setup is stored in the kernel, and thus will be
lost
on reboot. Writing iptables-save and iptables-restore is on my TODO list.
When they exist, they'll be cool, I promise.
to
Meanwhile, put the command required to set up your rules in an
initialization script. Make sure you do something intelligent if one ofe,
the commands should fail (usually `exec /sbin/sulogin').address of the--
ackets going to a certain part of the
----------------------------------------------------------------------e
on
Next Previous Contents
--
)))))))))))))))))))))))))))))))))))))))))))))))))))
((((((((((((生命的欢喜可以再影印一张吗?((((((((((((
))))))))))))老去的热情可以再拉皮整形吗?))))))))))))
((((((((((((病中的真理可以再传真校对吗?((((((((((((
))))))))))))死掉的爱情可以再输入键出吗?))))))))))))
(((((((((((((((((((((((((((((((((((((((((((((((((((
※ 来源:·BBS 水木清华站 smth.org·[FROM: 202.112.45.49]
BBS水木清华站∶精华区