10.12.1 Netfilter configuration
The netfilter/iptables project is a firewalling subsystem for Linux 2.4 and
after. See Netfilter, where many network configuration issues are explained.
10.12.1.1 Basics of netfilter
Netfilter processes packets using five built-in chains: PREROUTING, INPUT,
FORWARD, OUTPUT, and POSTROUTING.
                            routing
                            decision
IN ------> PRE ---> ------> FORWARD -----> ----> POST -----> OUT
interface  ROUTING    \       filter      /     ROUTING  interface
           DNAT        |      tracking   ^      SNAT
           REDIRECT    |                 |      MASQUERADE
                       v                 |
                     INPUT             OUTPUT
                     | filter           ^ filter,DNAT
                     v                  |
                     \--> Local Process --/
                        user-space programs
10.12.1.2 Netfilter table
Packets are processed at each built-in chain using the following tables.
- filter (packet filter, default)
  - INPUT (for packets coming into the box itself)
  - FORWARD (for packets being routed through the box)
  - OUTPUT (for locally generated packets).
- nat (network address translation)
  - PREROUTING (for altering packets as soon as they come in)
  - OUTPUT (for altering locally generated packets before routing)
  - POSTROUTING (for altering packets as they are about to go out)
- mangle (network address mangling, good only after 2.4.18)
10.12.1.3 Netfilter target
Firewall rules have several targets:
- four basic targets:
  - ACCEPT means to let the packet through.
  - DROP means to drop the packet.
  - QUEUE means to pass the packet to userspace (if supported by the kernel).
  - RETURN means stop traversing this chain and resume at the next rule in the
    previous (calling) chain.
- extended targets:
  - LOG turns on kernel logging.
  - REJECT sends back an error packet and drops the packet.
  - SNAT alters the source address of the packet and is used only in the
    POSTROUTING chain. (nat table only)
        --to-source ipaddr[-ipaddr][:port-port]
  - MASQUERADE is the same as SNAT but for dynamically assigned IP (dialup)
    connections. (nat table only)
        --to-ports port[-port]
  - DNAT alters the destination address of the packet and is used in the
    PREROUTING and OUTPUT chains, and user-defined chains which are only called
    from those chains. (nat table only)
        --to-destination ipaddr[-ipaddr][:port-port]
  - REDIRECT alters the destination IP address to send the packet to the
    machine itself.
        --to-ports port[-port]
10.12.1.4 Netfilter commands
The basic commands of iptables are:
     iptables -N chain                    # create a chain
     iptables -A chain \                  # add rule to chain
          -t table \                      # use table (filter, nat, mangle)
          -p protocol \                   # tcp, udp, icmp, or all,
          -s source-address[/mask] \
          --sport port[:port] \           # source port if -p is tcp or udp
          -d destination-address[/mask] \
          --dport port[:port] \           # dest. port if -p is tcp or udp
          -j target \                     # what to do if match
          -i in-interface-name \          # for INPUT, FORWARD, PREROUTING
          -o out-interface-name           # for FORWARD, OUTPUT, POSTROUTING
10.12.1.5 Network Address Translation
Machines on a LAN can access Internet resources through a gateway that
translates IP addresses on the LAN to IP addresses usable on the Internet.
# apt-get install ipmasq
Apply example rules to strengthen the ipmasq protection. See
/usr/share/doc/ipmasq/examples/stronger/README.
For Debian kernel-image-2.4 under woody, make sure to load the proper modules.
The sarge version of ipmasq fixes this issue. See Network function, Section
7.2.3 for configuration instructions.
For Debian kernel-image-2.2, edit Z92timeouts.rul in /etc/masq/rules as follows
to ensure a longer connection to remote sites (good for large emails, etc.):
# tcp, tcp-fin, udp
# 2hr, 10 sec, 160 sec - default
# 1 day, 10 min, 10 min - longer example
$IPCHAINS -M -S 86400 600 600
Also, if the network is accessed through a PCMCIA NIC, ipmasq needs to be
started either from /etc/pcmcia/network.opts (read:
/usr/share/doc/ipmasq/ipmasq.txt.gz) or from /etc/network/interfaces (read:
Network configuration and PCMCIA, Section 10.8.5 and Triggering network
configuration, Section 10.8).
10.12.1.6 Redirect SMTP connection (2.4)
Suppose you have a notebook PC which is configured to use other LAN
environments and you want to use your mail user agent on the notebook PC
without reconfiguring it.
Adding the following rules through the iptables command to the gateway machine
will redirect the SMTP connection to the gateway machine.
     # iptables -t nat -A PREROUTING -s 192.168.1.0/24 -j REDIRECT \
          -p tcp --dport smtp --to-ports 25  # smtp=25, INPUT is open
For a more thorough redirect rule set consider installing the ipmasq package
and adding M30redirect.def to the /etc/ipmasq/rules/ directory.
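To show how the chains, tables and targets above fit together on one gateway (MASQUERADE in nat/POSTROUTING, stateful filtering in INPUT and FORWARD, and the SMTP REDIRECT in nat/PREROUTING), here is an added example script; it is not part of the Debian Reference and not from the ipmasq package. It assumes the LAN is 192.168.1.0/24 on eth1 and the uplink is eth0 (interface names are placeholders), and it only prints the commands unless IPT=iptables is set.

```sh
#!/bin/sh
# Minimal stateful NAT gateway ruleset (added example, not the page's code).
# Dry run by default: prints the iptables commands it would run.
# To apply for real as root:  IPT=iptables LAN_IF=eth1 WAN_IF=eth0 sh gateway.sh
# Packet forwarding itself is switched on via /proc/sys/net/ipv4/ip_forward (not shown).
LAN_IF="${LAN_IF:-eth1}"          # assumed LAN interface
WAN_IF="${WAN_IF:-eth0}"          # assumed Internet-facing interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"
IPT="${IPT:-echo iptables}"       # "echo iptables" = dry run

gateway_rules() {
    # filter table: default deny on what arrives; name what is allowed below
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # loopback and replies to connections the gateway itself opened
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LAN hosts may reach services on the gateway (e.g. the redirected SMTP)
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    # everything else arriving on the uplink: log (kernel log), then drop
    $IPT -A INPUT -i "$WAN_IF" -j LOG --log-prefix "INPUT-DROP: "
    $IPT -A INPUT -i "$WAN_IF" -j DROP
    # FORWARD: LAN -> Internet outbound, and only tracked replies inbound
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # nat/POSTROUTING: rewrite LAN source addresses on the way out (dynamic IP uplink)
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
    # nat/PREROUTING: hand LAN SMTP connections to the gateway's own port 25
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 25 \
        -j REDIRECT --to-ports 25
}

# Number of "-A <chain>" rules in the generated set (for self-checks in dry-run mode).
count_rules() {
    gateway_rules | grep -c -- " -A $1 "
}

gateway_rules
```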