Configuring NetFilter

The NetFilter packet filter is configured through the iptables command utility. Like its predecessor, ipchains, iptables enables firewall administrators to control a wide variety of features in the NetFilter packet filter. Chief among these are adding or inserting filter rules within a preexisting set of rules, defining the policy of the various chains in the filter, or creating user-defined chains for specific purposes, such as testing for denial-of-service (DoS) attacks or other specific attacks.

The path a packet takes through the NetFilter process depends on whether it is destined for the firewall host itself or whether it is being forwarded to a second interface. For most packets that traverse the firewall, the sequence of tables and chains is as follows:

1. Mangle PREROUTING
2. NAT PREROUTING
3. Filter FORWARD
4. NAT POSTROUTING

As shown in Figure 7-4, the process of forwarding packets to the second interface involves a routing decision by the firewall. If a packet is destined for the firewall itself, it must traverse the filter INPUT chain before reaching the local process on the firewall. Packets sent by local processes on the firewall must traverse the filter OUTPUT chain and might traverse the NAT POSTROUTING chain, but only if some form of destination NAT is being conducted. Overall, the process through the NetFilter tables and chains is very logical in order and efficiency.

Figure 7-4. Packet Traversal of NetFilter Tables and Chains

Packets need not traverse every chain in the NetFilter system. It all depends on the destination of the packet, as well as what rules are applicable and whether NAT is involved.
Although the configuration of NetFilter firewalls using the iptables utility may appear to be a daunting task, you can also configure NetFilter through a variety of graphical interface tools, such as Firewall Builder, Firestarter, or Webmin. Some examples to follow show how you can configure NetFilter using the iptables utility.
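The following script is an added example and is not from the book or from the NetFilter project. It builds a complete ruleset in iptables-restore format for the two-interface forwarding firewall described above: chain policies for the built-in chains, a user-defined SYN_FLOOD chain that rate-limits and logs TCP connection attempts (the kind of special-purpose chain the text mentions for DoS checks), a FORWARD rule for traffic crossing from the inside interface to the outside, and a NAT POSTROUTING rule for the outbound leg. The interface names (eth0 as external, eth1 as internal), the SYN_FLOOD chain name, and the rate-limit values are assumptions chosen for illustration. A second function lints the generated file so that every jump lands on a built-in target or a chain declared in the same table; iptables-restore rejects the whole file when a jump target is undefined, so catching that before loading is worthwhile.

```shell
#!/bin/sh
# Added example (not the book's code): generate and lint an iptables-restore
# ruleset for a forwarding firewall. eth0/eth1 and SYN_FLOOD are assumed names.
WAN=eth0   # assumed external interface
LAN=eth1   # assumed internal interface

# Print the ruleset. Each "-A" appends to the end of a chain, which is how
# iptables-restore builds chains; on a live system "iptables -I CHAIN 1 ..."
# would insert at the top instead.
gen_ruleset() {
    cat <<EOF
# Step 1 for every inbound packet: mangle PREROUTING. Nothing to alter here,
# so the table only carries its default (ACCEPT) policies.
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Step 2 (nat PREROUTING) and step 4 (nat POSTROUTING). Traffic leaving on
# the external interface is source-NATed after the routing decision.
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $WAN -j MASQUERADE
COMMIT
# Step 3: filter FORWARD for transit traffic; INPUT for packets addressed to
# the firewall itself; OUTPUT for packets the firewall generates.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SYN_FLOOD - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --syn -j SYN_FLOOD
-A INPUT -i $LAN -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN -o $WAN -j ACCEPT
# User-defined chain: new TCP connections within the rate budget RETURN to
# INPUT for normal evaluation; the excess is logged (itself rate-limited so
# the log cannot be flooded) and dropped. Limits are illustrative values.
-A SYN_FLOOD -m limit --limit 25/second --limit-burst 50 -j RETURN
-A SYN_FLOOD -m limit --limit 3/minute -j LOG --log-prefix "SYN flood: "
-A SYN_FLOOD -j DROP
COMMIT
EOF
}

# Lint a ruleset read from stdin: each "-j TARGET" must name a built-in target
# or a chain declared with ":NAME" in the same table. Prints every undefined
# target and returns 1 if any was found, 0 otherwise.
check_jumps() {
    awk '
      BEGIN { bad = 0 }
      /^\*/ { table = substr($0, 2) }
      /^:/  { split(substr($0, 2), f, " "); declared[table ":" f[1]] = 1 }
      /^-A / && match($0, / -j [^ ]+/) {
          tgt = substr($0, RSTART + 4, RLENGTH - 4)
          if (tgt !~ /^(ACCEPT|DROP|REJECT|RETURN|LOG|MASQUERADE|SNAT|DNAT|REDIRECT)$/ &&
              !((table ":" tgt) in declared)) {
              print table ": undefined chain " tgt
              bad = 1
          }
      }
      END { exit bad }'
}
```

Typical use is to lint first and load only on success, for example `gen_ruleset | check_jumps && gen_ruleset | iptables-restore` (run as root on the firewall host). Because the file is loaded atomically by iptables-restore, a lint failure leaves the running ruleset untouched.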