them. If it doesn't match anything, it will finally hit the chain policy, which is set to
DROP everything that reaches it.
If the packet is instead a TCP packet, it will not match the rule for ICMP packets and
hence be sent on to the next rule, which checks for TCP packets. Since it is a TCP
packet it will match and be sent to the tcp_packets chain. Here we check whether it is
destined for one of the ports we would like to allow; if it is, we send it on to the
allowed chain for some final checks. If it fails at some stage in this check, it will be
passed back down to the INPUT chain and traverse it the same way as the ICMP packet
did.
UDP packets basically do the same, except they traverse the udpincoming_packets
chain, and if they fail to match any of the rules in there they will be passed down to
the INPUT chain and travel the same way as all the TCP and ICMP packets.
Chapter 5. rc.firewall file
FORWARD chain
If the packet is destined to or from our local net it will be routed to the FORWARD chain.
If the packet comes from our LAN we just ACCEPT it as it is, no more, no less. If we
wanted to, we could accept only SYN packets, but I am skipping that for now.
If the packet is destined to our local net, on the other hand, we only match packets in
ESTABLISHED or RELATED streams, since we don't want hosts from the outside to be
able to establish new connections to our LAN. If none of these rules match, the
packet gets DROPped by our chain policy.
OUTPUT chain
This chain is rather straightforward. We allow everything from localhost to go out,
we allow everything from our own local network's IP to go out, and last of all we
allow everything from our own IP to go out to the Internet. You might want to
erase all this in certain cases; just don't forget to also erase the default policy of the OUTPUT
chain, which is set to DROP everything.
Setting up the different chains used
So, now that you have a small picture of how the packet traverses the different chains and
how they belong together, we will take care of setting it all up.
First of all, we set all the default policies on the different chains with a quite simple
command.
iptables -P
The default policy is used every time a packet doesn't match any rule in the chain.
After this, we create the different special chains that we want to use with the -N
command. The new chains are created and set up with no rules inside of them. The
chains we will use are icmp_packets, tcp_packets, udpincoming_packets and the
allowed chain for tcp_packets. Incoming packets on eth0 of ICMP type will be
redirected to the chain icmp_packets, those of TCP type will be redirected to tcp_packets, and
incoming packets of UDP type from eth0 go to the udpincoming_packets chain.
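The chain layout described in the preceding sections (the default policies set with -P, the chains created with -N, the INPUT dispatch into icmp_packets, tcp_packets, udpincoming_packets and allowed, and the FORWARD and OUTPUT rules), as an added example. This is not the tutorial's own rc.firewall but a POSIX shell script that emits the same structure in iptables-restore format and checks it offline before anything is loaded. The interface names (eth0, eth1), the addresses, the allowed TCP ports, and the contents of the icmp_packets and udpincoming_packets chains are assumptions.

```shell
#!/bin/sh
# Added example (not the tutorial's rc.firewall): emits the chain layout
# described in the text in iptables-restore(8) format so it can be reviewed and
# checked offline, then loaded on the firewall host with
#   iptables-restore < rc.rules
# Interface names, addresses and the allowed TCP ports are assumptions.
INET_IFACE=eth0
INET_IP=203.0.113.10          # assumed Internet address of the firewall
LAN_IFACE=eth1
LAN_IP=192.168.0.1            # assumed LAN address of the firewall
LAN_IP_RANGE=192.168.0.0/24   # assumed LAN range
ALLOWED_TCP_PORTS="22 80"     # assumed services reachable from the Internet

build_filter_table() {
  cat <<EOF
*filter
# default policies (iptables -P): whatever matches no rule is dropped
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# user-defined chains (iptables -N), created empty
:icmp_packets - [0:0]
:tcp_packets - [0:0]
:udpincoming_packets - [0:0]
:allowed - [0:0]
EOF
  # tcp_packets: only the listed destination ports go on to the allowed chain
  for port in $ALLOWED_TCP_PORTS; do
    echo "-A tcp_packets -p tcp -s 0/0 --dport $port -j allowed"
  done
  cat <<EOF
# allowed: final checks; a new connection must start with SYN, anything else
# must belong to a stream the state module already knows about
-A allowed -p tcp --syn -j ACCEPT
-A allowed -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
-A allowed -p tcp -j DROP
# icmp_packets: echo requests and TTL-exceeded replies (assumed subset)
-A icmp_packets -p icmp --icmp-type echo-request -j ACCEPT
-A icmp_packets -p icmp --icmp-type time-exceeded -j ACCEPT
# udpincoming_packets: DNS replies only (assumed); anything else falls back to INPUT
-A udpincoming_packets -p udp --sport 53 -j ACCEPT
# INPUT: hand Internet-side packets to the per-protocol chains; a packet that
# returns unmatched from those chains continues here and ends at the DROP policy
-A INPUT -p icmp -i $INET_IFACE -j icmp_packets
-A INPUT -p tcp -i $INET_IFACE -j tcp_packets
-A INPUT -p udp -i $INET_IFACE -j udpincoming_packets
-A INPUT -i lo -j ACCEPT
-A INPUT -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# FORWARD: the LAN may open anything outwards; only ESTABLISHED/RELATED
# traffic may be routed back in, so outside hosts cannot open connections
-A FORWARD -i $LAN_IFACE -j ACCEPT
-A FORWARD -o $LAN_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
# OUTPUT: localhost, the LAN address and the Internet address of the firewall
-A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
-A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
-A OUTPUT -p ALL -s $INET_IP -j ACCEPT
COMMIT
EOF
}

# Check worth running before loading: every chain named as a jump target must
# be declared, otherwise iptables-restore rejects the whole table.
# Prints undeclared target names one per line; prints nothing if all is well.
undeclared_jump_targets() {
  rules=$(build_filter_table)
  declared=$(printf '%s\n' "$rules" | sed -n 's/^:\([^ ]*\) .*/\1/p')
  printf '%s\n' "$rules" | sed -n 's/.* -j \([^ ]*\).*/\1/p' | sort -u |
  while read -r target; do
    case " ACCEPT DROP REJECT RETURN LOG " in *" $target "*) continue ;; esac
    printf '%s\n' "$declared" | grep -qx "$target" || echo "$target"
  done
}

# Usage: sh build_rules.sh > rc.rules  (then iptables-restore < rc.rules on the host)
missing=$(undeclared_jump_targets)
[ -z "$missing" ] || { echo "undeclared chains: $missing" >&2; exit 1; }
build_filter_table
```

The generated text follows the traversal the text describes: an Internet-side TCP packet is handed to tcp_packets, goes on to allowed only for a listed port, and if it matches nothing in either chain it returns to INPUT and falls through to the DROP policy. The undeclared_jump_targets check catches the common typo of jumping to a chain that was never created with -N.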
PREROUTING chain of the nat table
The PREROUTING chain is pretty much what it says: it does network address translation
on packets before they actually hit the routing tables that send them onwards
to the INPUT or FORWARD chains in the filter table. Note that this chain should not
be used for any filtering or such; it should be used for network address translation,
among other things because this chain is only traversed by the first packet in a stream.
First of all we check for obviously spoofed IP addresses, such as when we get packets
from the Internet interface that claim to have a source IP of 192.168.x.x, 10.x.x.x or
172.16.x.x; in such a case we drop them quicker than hell, since these IPs are reserved
especially for local intranets and definitely shouldn't be used on the Internet. This
might be used in the opposite direction too: if we get a packet from $LAN_IFACE
that claims not to come from an IP address in the range we know our
LAN is on, we might drop that too. As it looks now, we don't do that though.
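The anti-spoofing rules just described, as an added example that is not the tutorial's own rc.firewall: a POSIX shell script that emits the nat PREROUTING drops for the three private ranges and, alongside them, a small check that mirrors the rules so the intended verdict for a given interface and source address can be verified offline. The interface name eth0 is an assumption; the private ranges are the RFC 1918 blocks that the text writes as 192.168.x.x, 10.x.x.x and 172.16.x.x.

```shell
#!/bin/sh
# Added example (not the tutorial's rc.firewall): the nat PREROUTING
# anti-spoofing rules from the text, plus an offline check that mirrors them so
# the verdict for an (interface, source address) pair can be verified without
# loading anything. The interface name is an assumption.
INET_IFACE=eth0

# The three RFC 1918 blocks the text refers to as 192.168.x.x, 10.x.x.x and
# 172.16.x.x (172.16.0.0/12 covers 172.16.0.0 through 172.31.255.255).
PRIVATE_NETS="192.168.0.0/16 10.0.0.0/8 172.16.0.0/12"

# Emits the nat table in iptables-restore(8) format: drop anything arriving on
# the Internet interface that claims a private source address.
build_nat_prerouting() {
  echo '*nat'
  echo ':PREROUTING ACCEPT [0:0]'
  for net in $PRIVATE_NETS; do
    echo "-A PREROUTING -i $INET_IFACE -s $net -j DROP"
  done
  echo 'COMMIT'
}

# ip_to_int a.b.c.d -> the address as a 32-bit integer
ip_to_int() {
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_net ip a.b.c.d/n -> exit status 0 if ip lies inside the CIDR block
in_net() {
  addr=$(ip_to_int "$1")
  netaddr=$(ip_to_int "${2%/*}")
  bits=${2#*/}
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( addr & mask )) -eq $(( netaddr & mask )) ]
}

# prerouting_verdict iface src -> DROP or PASS, mirroring build_nat_prerouting:
# only packets on $INET_IFACE are examined, and only private sources are dropped
prerouting_verdict() {
  iface=$1; src=$2
  if [ "$iface" = "$INET_IFACE" ]; then
    for net in $PRIVATE_NETS; do
      if in_net "$src" "$net"; then echo DROP; return 0; fi
    done
  fi
  echo PASS
}

# Usage: sh antispoof.sh > nat.rules  (then iptables-restore < nat.rules on the host)
build_nat_prerouting
```

A packet from the LAN interface with a 192.168.x.x source is left alone, as the text intends; the same source arriving on eth0 is dropped. The reverse check the text mentions but does not enable (a packet on $LAN_IFACE whose source is outside the LAN range) would be one more rule of the same shape, with -i $LAN_IFACE and a negated -s match.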
INPUT chain
The INPUT chain as I've written it uses mostly other chains to do the hard work. This
way we don't get too much load from iptables, and it will work much better on
slow machines which might otherwise drop packets at high loads.