An introduction to the firewall functions of Netfilter/iptables
Tuesday, March 03, 2009 by rain
Firewall introduction

Disclaimer: some of what is described below may be completely wrong, but I hope it helps your understanding of iptables. If you find an error, please let me know.

Note: the disputed parts of this explanation are copied (for example under the GPL). If you want to make any modification, publish, copy or quote it, please contact me first. (Ha, deep breath; never mind.)
What is a firewall?

Put simply, a firewall is a host that protects your network: it restricts the communication between the Internet and your internal (protected) network, and vice versa.

What a firewall is not

- Error: a firewall cannot guarantee that your network is absolutely secure.
- A bastion host - In an ideal world this would be true. However, a firewall is only as secure as the work you put into securing it.
- A replacement for host security - every service the firewall lets through is a potential risk.

Types of exploits

- Local (physical) - the attacker has physical access to the machine, so no security is possible. Obviously a firewall is helpless here.
- Local privilege escalation - the Trojan horse attack. The attacker already has a local account on your box (inside the gates) and obtains root by some means (a vulnerability or a misconfiguration). A firewall cannot protect against this type of attack.
- Remote - your host is listening on a port that the attacker is able to connect to remotely over a network, and exploits a vulnerability somehow. This is the only type of attack a firewall can (hopefully) protect you against. There is another important point here that most firewall HOWTOs neglect: in order for someone to exploit your box remotely, it has to be listening on some port (i.e. providing a way for an attacker to connect). Therefore, if your host isn't listening on any ports (check with 'netstat -tulpn'), you are safe from remote exploits (unless the attacker manages to attack the network stack itself).
Why do you need a firewall?

- Enhanced network security - certain services carry inherent risks that make them impossible to secure. A firewall can help you raise the security of a network segment or of part of a network.
- Network access control - a firewall can enforce the security policy applied to the network.
- Logging - because the firewall inspects all inbound and outbound network traffic, it can record the activity on the network.

Types of firewalls

- Proxy firewall - a proxy server.
- Packet-filtering firewall - inspects IP packets (Netfilter).
What is Netfilter/iptables?

Netfilter is the new firewall implementation in the Linux 2.4 kernel. iptables is the userspace tool used to specify Netfilter rules.

Why Netfilter/iptables replaces ipchains

- Stateful matching - connection tracking (can you trust the remote host to determine whether your firewall will accept a packet?).
- Automatic fragment reassembly - connection tracking automatically reassembles fragmented packets for examination.
- Improved rule matching - advanced packet matching, for example rate limiting and string matching.
- Enhanced logging - the log level and content can be defined by the user.
- Packet mangling - allows altering any information in a packet.
- Userspace queueing - allows userspace programs to process packets.
- Built-in support for forwarding packets - ipmasqadm has been dropped.
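The "can you trust the remote host" question above is the whole argument for connection tracking, so here is an added example (mine, not code from the original post or from the Netfilter project) that models the difference. It compares an ipchains-style stateless filter, which accepts any inbound packet carrying the ACK bit on the assumption that it must be a reply, with a conntrack-style filter that only accepts replies to connections it has actually seen this host open. The packet layout, the addresses, ports and the "public ports" set are all constructed for the illustration.

```python
# Added example (not part of the original post): a toy model of why stateful
# connection tracking (Netfilter) is safer than the stateless "accept anything
# with the ACK bit set" rule that ipchains setups relied on. Packet fields,
# addresses and ports are constructed for illustration only.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


OUR_HOST = "10.0.0.5"        # constructed: the protected host
PUBLIC_PORTS = {80}          # constructed: only HTTP is offered to the outside


def stateless_verdict(pkt):
    """ipchains-style filtering. Inbound packets to public ports are accepted;
    any other inbound packet is accepted if it carries ACK, on the assumption
    that a packet with ACK set must be a reply to a connection we opened.
    The remote host chooses the flag bits, so it chooses the verdict."""
    if pkt.dport in PUBLIC_PORTS:
        return "ACCEPT"
    if pkt.ack:                    # the "! --syn" shortcut for established traffic
        return "ACCEPT"
    return "DROP"


class ConntrackFirewall:
    """Netfilter-style filtering: remember the connections this host opened and
    accept an inbound packet only if it belongs to one of them (ESTABLISHED)
    or targets a public port (NEW to an allowed service)."""

    def __init__(self):
        # conntrack entries keyed by (remote ip, remote port, local port)
        self._table = set()

    def outbound(self, pkt):
        """Our host sends a packet; record the flow so its replies are recognised."""
        self._table.add((pkt.dst, pkt.dport, pkt.sport))

    def inbound_verdict(self, pkt):
        if pkt.dport in PUBLIC_PORTS:
            return "ACCEPT"
        if (pkt.src, pkt.sport, pkt.dport) in self._table:
            return "ACCEPT"        # reply to a tracked connection
        return "DROP"              # flag bits alone do not earn trust


def compare_filters():
    """Run both filters over a constructed traffic sample.
    Returns {scenario: (stateless verdict, conntrack verdict)}."""
    fw = ConntrackFirewall()
    # 1. Our host opens an HTTPS connection to a web server (constructed addresses).
    fw.outbound(Packet(OUR_HOST, 40000, "203.0.113.10", 443, syn=True))
    reply = Packet("203.0.113.10", 443, OUR_HOST, 40000, syn=True, ack=True)
    # 2. An attacker probes port 22 with only ACK set, forging an "established" packet.
    ack_probe = Packet("198.51.100.7", 4444, OUR_HOST, 22, ack=True)
    # 3. A plain SYN to port 22: both filters stop this one.
    syn_probe = Packet("198.51.100.7", 4445, OUR_HOST, 22, syn=True)
    return {
        "legit reply": (stateless_verdict(reply), fw.inbound_verdict(reply)),
        "ack probe to ssh": (stateless_verdict(ack_probe), fw.inbound_verdict(ack_probe)),
        "syn probe to ssh": (stateless_verdict(syn_probe), fw.inbound_verdict(syn_probe)),
    }


if __name__ == "__main__":
    for scenario, (stateless, conntrack) in compare_filters().items():
        print(f"{scenario:18} stateless={stateless:6} conntrack={conntrack}")
```

The forged ACK probe is exactly the packet a stateless rule cannot reason about: it is accepted because of a bit the attacker set. With iptables the same intent is expressed as '-m state --state ESTABLISHED,RELATED -j ACCEPT', and the probe falls through to the default policy.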
Main features

- Stateful packet filtering (connection tracking)
- All kinds of network address translation
- A flexible, easily extended mechanism
- A large number of enhancement patches

What can Netfilter/iptables do?

- Build Internet firewalls with stateful packet filtering
- Share an Internet connection using NAT and masquerading
- Implement transparent proxying with NAT
- Together with tc and iproute2, implement QoS routing
- Use mangling (modifying the TOS field of the IP header) to implement more complex functions
Installing iptables

Downloads

- iptables v1.2.2 (netfilter.samba.org/iptables-1.2.2.tar.bz2), md5sum 7d065a5d1e7003a061bece79a88d903 (as printed here this checksum is one hex digit short, so verify against the checksum published with the tarball)
- Linux kernel v2.4.5 (http://www.kernel.org/pub/linux/kernel/v2.4/linux-2.4.5.tar.bz2)

Installation hints

Note: you do not need to recompile the kernel before compiling and installing iptables, but certain kernel options cannot be used unless you run 'make patch-o-matic'.

- In the /usr/src/linux directory, run 'make oldconfig' ('make menuconfig' if there is no .config file).
- In the directory containing the iptables source, run 'make && make install'.
- Apply patches with 'make patch-o-matic'; it is recommended to apply only the patches you need.
- Go back to /usr/src/linux, run 'make menuconfig' and select the newly available options.
- Finish the normal kernel build process (make dep; make clean; make bzImage).

Compiling - compiling iptables is relatively simple

- 'make && make install' does a minimal install under /usr/local by default.
- 'make pending-patches' applies a few well-known bug-fix patches to the standard kernel.
- 'make patch-o-matic' applies the feature-enhancement patches to the standard kernel.
- 'make experimental && make install-experimental' builds the iptables-save and iptables-restore binaries.
- If you want to change the install locations, pass 'BINDIR=/usr/sbin LIBDIR=/usr/lib MANDIR=/usr/man' when building (e.g. 'make BINDIR=/usr/sbin LIBDIR=/usr/lib MANDIR=/usr/man install').

Patches - each patch adds a new feature, but almost every one has bugs, so it is best not to install all of them.

Note: the list below is from version 1.2.1a and is not the newest. You can view the current list of patches with 'make patch-o-matic'.
- CONFIG_IP_NF_TARGET_BALANCE: similar to DNAT, but load-balances across a range of addresses (`--to-dest 1.2.3.4-1.2.3.7`).
- CONFIG_IP_NF_TARGET_NETLINK: replaces the ipchains -o option by providing a NETLINK target that sends dropped packets to userspace.
- CONFIG_IP_NF_TARGET_SAME: similar to SNAT, uses a range of addresses (`--to-source 1.2.3.4-1.2.3.7`), but gives every connection from the same client the same address.
- CONFIG_IP_NF_TARGET_TTL: allows the user to modify the TTL value in IP packets.
- CONFIG_IP_NF_MATCH_AH_ESP: adds two extension matches (`ah` and `esp`) for matching a range of SPI values in the AH or ESP header of IPsec packets.
- CONFIG_IP_NF_DROPTABLE: dropped packets are passed through this table, which allows them to be logged (this patch has bugs).
- CONFIG_IP_NF_EGG: connection tracking for Eggdrop bot networks.
- CONFIG_IP_NF_TARGET_FTOS: allows you to set an arbitrary TOS value, from 0x0 to 0xff.
- ftp-multi.patch: allows FTP connection tracking and address translation on up to 8 ports. The `ports=` option is used with the ip_conntrack_ftp and ip_nat_ftp modules; otherwise the default port 21 is used. It also supports FXP (direct FTP-to-FTP transfer); load the modules with the parameter `fxp=1` to enable it.
- ftp-pasv-fix.patch: makes stateful firewalling work on an FTP server when the ip_conntrack_ftp.o module is in use.
- CONFIG_IP_NF_MATCH_IPLIMIT: allows limiting the maximum number of parallel TCP connections per client (per IP address).
For example:

# allow at most 2 telnet connections per client host
iptables -A INPUT -p tcp --dport 23 -m iplimit --iplimit-above 2 -j REJECT
# you can also match the other way around:
iptables -A INPUT -p tcp --dport 23 -m iplimit ! --iplimit-above 2 -j ACCEPT
# limit the number of parallel HTTP connections to 16 per class C network (24-bit netmask)
iptables -A INPUT -p tcp --dport 80 -m iplimit --iplimit-above 16 --iplimit-mask 24 -j REJECT
# allow each IP address to open at most 4 HTTP connections at the same time
iptables -A INPUT -p tcp --syn --dport http -m iplimit --iplimit-above 4 -j REJECT
# allow at most 4 HTTP connections from each class A network (8-bit netmask)
iptables -A INPUT -p tcp --syn --dport http -m iplimit --iplimit-mask 8 --iplimit-above 4 -j REJECT

(In current kernels this patch has been replaced by the connlimit match: '-m connlimit --connlimit-above N --connlimit-mask M'.)
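The mask option is the part of iplimit that people get wrong, so here is an added example (mine, not code from the original post or from the Netfilter project) that replays the counting rule in Python over a constructed table of open connections: count the connections to the same destination port whose source falls in the same /M prefix as the new client, include the new connection itself, and match when that total exceeds N. The rule table and all addresses are made up for the illustration.

```python
# Added example (not from the original post): the counting rule behind
# "-m iplimit --iplimit-above N --iplimit-mask M" replayed over a constructed
# connection table. Addresses, the open-connection list and the rule table are
# constructed for illustration; the semantics (count connections from the same
# /M prefix to the same destination port, including the one being opened, and
# match when that exceeds N) follow the rules quoted above.
import ipaddress


def prefix_of(ip, mask_bits):
    """Network prefix the address falls in, e.g. ("192.0.2.77", 24) -> 192.0.2.0/24."""
    return ipaddress.ip_network(f"{ip}/{mask_bits}", strict=False)


def iplimit_matches(connections, new_src, dport, above, mask=32):
    """True when opening a connection from new_src to dport would bring the
    number of connections from new_src's /mask to dport above `above`.
    `connections` is an iterable of (src_ip, dport) for currently open connections."""
    net = prefix_of(new_src, mask)
    existing = sum(1 for src, port in connections
                   if port == dport and ipaddress.ip_address(src) in net)
    return existing + 1 > above


# Constructed rule table mirroring two of the rules above: (dport, above, mask, action)
RULES = [
    (23, 2, 32, "REJECT"),    # at most 2 telnet sessions per client host
    (80, 16, 24, "REJECT"),   # at most 16 parallel HTTP connections per /24
]


def verdict(connections, new_src, dport):
    """First matching iplimit rule wins; otherwise the packet continues (ACCEPT here)."""
    for rule_port, above, mask, action in RULES:
        if rule_port == dport and iplimit_matches(connections, new_src, dport, above, mask):
            return action
    return "ACCEPT"


def demo():
    """Constructed connection table: one client already holds 2 telnet sessions,
    another holds 1, and 16 distinct hosts in 198.51.100.0/24 each hold an HTTP
    connection. Returns the verdict for four new connection attempts."""
    open_conns = [
        ("192.0.2.10", 23), ("192.0.2.10", 23),
        ("192.0.2.11", 23),
    ] + [(f"198.51.100.{i}", 80) for i in range(1, 17)]
    return {
        "third telnet from 192.0.2.10": verdict(open_conns, "192.0.2.10", 23),
        "second telnet from 192.0.2.11": verdict(open_conns, "192.0.2.11", 23),
        "17th http from 198.51.100.0/24": verdict(open_conns, "198.51.100.200", 80),
        "http from another /24": verdict(open_conns, "198.51.101.5", 80),
    }


if __name__ == "__main__":
    for attempt, result in demo().items():
        print(f"{attempt:32} {result}")
```

Note that with --iplimit-mask 24 the 17th connection is rejected even though 198.51.100.200 has never connected before: the limit is shared by the whole /24, which is what you want against a single NATed network and what you do not want in front of a large office.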
- CONFIG_IP_NF_IRC: IRC support module; lets DCC work together with NAT and connection tracking. This patch depends on the dropped-table and seqoffset patches.
- masquerade+fwmark.patch: an extension that combines the MASQUERADE NAT target with fwmark.
- nat+conntrack-hashsize.patch: adds a module parameter (hashsize=xxx) to the connection-tracking and NAT code that sets the size of the hash table; the default for NAT becomes 1/16384 of memory (on most machines far larger than the previous default of 64).
- CONFIG_IP_NF_POOL: provides a mapping from IP address ranges into address pools, matching on whether the source or destination address is in a pool. It also provides a POOL target.
- CONFIG_IP_NF_MATCH_PSD: port scan detection (PSD). Detects TCP and UDP port scans; derived from Solar Designer's scanlogd.
  Supported options:
  --psd-weight-threshold
    The total weight of the latest TCP/UDP packets with different destination ports coming from the same host that is treated as a port scan sequence.
  --psd-delay-threshold
    The delay (in hundredths of a second) between packets to different destination ports from the same host that is treated as a possible port scan subsequence.
  --psd-lo-ports-weight
    The weight of a packet to a privileged destination port (<= 1024).
  --psd-hi-ports-weight
    The weight of a packet to a non-privileged destination port (> 1024).
  Example: iptables -A INPUT -m psd -j DROP
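The four psd options describe a scoring scheme, and the easiest way to see how they interact is to run it. Here is an added example (mine, not code from the original post, from scanlogd or from the psd module) that re-implements that scheme in Python and feeds it a constructed packet trace: a fast scanner, a slow scanner and an ordinary web client. The default values (weight threshold 21, delay threshold 300 hundredths of a second, weight 3 for privileged ports and 1 for the rest) are my recollection of the patch's defaults and are an assumption, as is the exact bookkeeping; the real module is kernel code with a fixed-size host table.

```python
# Added example (not from the original post): a Python re-implementation of the
# scoring idea behind the psd match, run over a constructed packet trace.
# Assumptions: the default option values below are my recollection of the
# patch's defaults, and the bookkeeping is a simplification of the kernel code.
from dataclasses import dataclass, field


@dataclass
class HostState:
    last_seen: int               # time of the last packet, in hundredths of a second
    weight: int = 0              # accumulated weight of the current sequence
    ports: set = field(default_factory=set)   # destination ports seen in it


class PortScanDetector:
    def __init__(self, weight_threshold=21, delay_threshold=300,
                 lo_ports_weight=3, hi_ports_weight=1):
        self.weight_threshold = weight_threshold   # --psd-weight-threshold
        self.delay_threshold = delay_threshold     # --psd-delay-threshold
        self.lo_ports_weight = lo_ports_weight     # --psd-lo-ports-weight
        self.hi_ports_weight = hi_ports_weight     # --psd-hi-ports-weight
        self.hosts = {}

    def observe(self, src, dport, now):
        """Feed one TCP/UDP packet; return True when src now looks like a scanner."""
        st = self.hosts.get(src)
        # A gap longer than the delay threshold ends the current sequence.
        if st is None or now - st.last_seen > self.delay_threshold:
            st = HostState(last_seen=now)
            self.hosts[src] = st
        st.last_seen = now
        # Only packets to ports not yet seen in this sequence add weight,
        # so repeated requests to one service never look like a scan.
        if dport not in st.ports:
            st.ports.add(dport)
            st.weight += (self.lo_ports_weight if dport <= 1024
                          else self.hi_ports_weight)
        return st.weight >= self.weight_threshold


def run_trace(trace, **options):
    """trace: list of (time_hundredths, src, dport); returns the packets that match."""
    det = PortScanDetector(**options)
    return [(t, src, dport) for t, src, dport in trace if det.observe(src, dport, t)]


# Constructed trace (not captured traffic): eight privileged ports probed
# 0.1 s apart, the same probe spread 10 s apart, and a client fetching port 80.
SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 143]
FAST_SCAN = [(10 * i, "198.51.100.9", p) for i, p in enumerate(SCAN_PORTS)]
SLOW_SCAN = [(1000 * i, "198.51.100.10", p) for i, p in enumerate(SCAN_PORTS)]
WEB_CLIENT = [(5 * i, "203.0.113.4", 80) for i in range(40)]


if __name__ == "__main__":
    for t, src, dport in run_trace(FAST_SCAN + SLOW_SCAN + WEB_CLIENT):
        print(f"t={t / 100:.2f}s  {src} -> port {dport}: psd match, would DROP")
```

Two things fall out of the run: the fast scanner only matches on its seventh distinct privileged port (7 x 3 = 21), so the first six probes are already through before '-j DROP' fires, and the slow scanner never matches because each 10 s gap resets the sequence. psd is a nuisance filter for noisy scanners, not a barrier against patient ones.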
- CONFIG_IP_NF_MATCH_RPC: adds two modules, ip_conntrack_rpc_udp and ip_conntrack_rpc_tcp (which track UDP and TCP portmapper requests respectively), and a record_rpc match, which matches on whether the packet's source address has already sent a portmapper request, or the packet is a new GET request to the portmapper, so that RPC can be filtered.
- seqoffset.patch: a new API function in the NAT code that hides the sequence-offset handling for all protocol translations (for example the packets in FTP/IRC).