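14.2. Firewall or Packet Filtering

BACK TO BASICS Firewall

A firewall is a piece of computer equipment with hardware and/or software that sorts the incoming or outgoing network packets (coming to or from a local network) and only lets through those matching certain predefined conditions.

A firewall is a filtering network gateway and only acts on packets that must go through it. It is therefore only effective when going through the firewall is the only route for these packets.

SPECIFIC CASE Local Firewall

A firewall can be restricted to one particular machine (as opposed to a complete network), in which case its role is to filter or limit access to some services, or to prevent outgoing connections by rogue software that a user could, willingly or not, have installed.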

The Linux kernel embeds the netfilter firewall, which can be controlled from user space with the iptables, ip6tables, arptables and ebtables commands.

However, Netfilter iptables commands are being replaced by nftables, which avoids many of their problems. Its design involves less code duplication, and it can be managed with just the nft command. Debian Buster uses the nftables framework by default.

To enable a default firewall in Debian execute:

  1. #

14.2.1. nftables Behavior

As the kernel is processing a network packet, it pauses and allows us to inspect the packet and decide what to do with it. For example, we might want to drop or discard certain incoming packets, modify other packets in various ways, block certain outgoing packets to guard against malware, or redirect some packets at the earliest possible stage to bridge network interfaces or to spread the load of incoming packets between systems.

A good understanding of the layers 3, 4 and 5 of the OSI (Open Systems Interconnection) model is essential to get the most from netfilter.

CULTURE The OSI model

The OSI model is a conceptual model to implement networking protocols without regard to their underlying internal structure and technology. Its goal is the interoperability of diverse communication systems with standard communication protocols.

This model was defined in the standard ISO/IEC 7498. The following seven layers are described:

  1. Physical: transmission and reception of raw bit streams over a physical medium

  2. Data Link: reliable transmission of data frames between two nodes connected by a physical layer

  3. Network: structuring and managing a multi-node network, including addressing, routing and traffic control

  4. Transport: reliable transmission of data segments between points on a network, including segmentation, acknowledgment and multiplexing

  5. Session: managing communication sessions, i.e. continuous exchange of information in the form of multiple back-and-forth transmissions between two nodes

  6. Presentation: translation of data between a networking service and an application; including character encoding, data compression and encryption/decryption

  7. Application: High-level APIs, including resource sharing, remote file access.

More information can be found on Wikipedia:

https://en.wikipedia.org/wiki/Osi_model

The firewall is configured with tables, which hold rules contained in chains. Unlike iptables, nftables does not have any default table. The user decides which and how many tables to create. Every table must have only one of the following five families assigned: ip, ip6, inet, arp and bridge. ip is used if the family is not specified.

There are two types of chains: base chains and regular chains. A base chain is an entry point for packets from the networking stack; base chains are registered into the Netfilter hooks, i.e. these chains see packets flowing through the TCP/IP stack. A regular chain, on the other hand, is not attached to any hook, so it does not see any traffic, but it may be used as a jump target for better organization.

Rules are made of statements, which include some expressions to be matched and then a verdict statement, like accept, drop, queue, continue, return, jump chain and goto chain.

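BACK TO BASICS ICMP

ICMP (Internet Control Message Protocol) is the protocol used to transmit ancillary information about communications. It is what the ping command uses to test network connectivity (ping sends an ICMP echo request message, which the recipient is meant to answer with an ICMP echo reply message). It signals that a firewall has rejected a packet, indicates an overflow in a receive buffer, proposes a better route for the next packets in the connection, and so on. This protocol is defined by several RFC documents; the initial RFC777 and RFC792 were soon completed and extended.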

http://www.faqs.org/rfcs/rfc777.html

http://www.faqs.org/rfcs/rfc792.html

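A receive buffer is a small memory area that stores data which has arrived from the network but which the kernel has not yet had time to handle. If this area is full, new data cannot be received, and ICMP signals the problem so that the sender can slow down its transfer rate (which should ideally reach an equilibrium after some time).

Note that although an IPv4 network can work without ICMP, ICMPv6 is strictly required for an IPv6 network, since it combines several functions that were, in the IPv4 world, spread across ICMPv4, IGMP (Internet Group Membership Protocol) and ARP (Address Resolution Protocol). ICMPv6 is defined in RFC4443.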

http://www.faqs.org/rfcs/rfc4443.html

14.2.2. Moving from iptables to nftables

The iptables-translate and ip6tables-translate commands can be used to translate old iptables commands into the new nftables syntax. Whole rulesets can also be translated; in this case we migrate the rules configured on a computer which has Docker installed:

  1. #

The tools iptables-nft, ip6tables-nft, arptables-nft, ebtables-nft are versions of iptables that use the nftables API, so users can keep using the old iptables syntax with them, but that is not recommended; these tools should only be used for backwards compatibility.

14.2.3. Syntax of nft

The nft commands allow manipulating tables, chains and rules. The table option supports multiple operations: add, create, delete, list and flush. nft add table ip6 mangle adds a new table from the family ip6.

To insert a new base chain to the filter table, you can execute the following command (note that the semicolon is escaped with a backslash when using Bash):

  1. #

Rules are usually added with the following syntax: nft add rule [*family*] *table* *chain* handle *handle* statement.

insert is similar to the add command, but the given rule is prepended to the beginning of the chain or before the rule with the given handle, instead of at the end or after that rule. For example, the following command inserts a rule before the rule with handle number 8:

  1. #

The executed nft commands do not make permanent changes to the configuration, so they are lost if they are not saved. The firewall rules are located in /etc/nftables.conf. A simple way to save the current firewall configuration permanently is to execute nft list ruleset > /etc/nftables.conf as root.

nft allows many more operations; refer to its manual page nft(8) for more information.
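
An example of what such an /etc/nftables.conf can look like, added here for illustration and not taken from the original text: one inet table whose base chain on the input hook jumps to a regular chain for ICMP and ICMPv6. The table and chain names, the drop policy and the open SSH port are assumptions.

```nft
#!/usr/sbin/nft -f
# Constructed example ruleset; names, policies and the SSH port are assumptions.

flush ruleset

# The inet family covers both IPv4 and IPv6 in a single table.
table inet filter {
    # Regular chain: not attached to any hook, only reached through a jump.
    chain icmp_in {
        # IPv4: ping requests and the usual error messages.
        icmp type { echo-request, destination-unreachable,
                    time-exceeded, parameter-problem } accept
        # IPv6 cannot work without ICMPv6: allow errors and neighbor discovery.
        icmpv6 type { echo-request, destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem,
                      nd-router-solicit, nd-router-advert,
                      nd-neighbor-solicit, nd-neighbor-advert } accept
    }

    # Base chain: registered on the input hook, sees every packet for this host.
    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop
        iif "lo" accept
        meta l4proto { icmp, ipv6-icmp } jump icmp_in
        tcp dport 22 accept
        # Anything else falls through to the drop policy.
    }

    # Base chain: this host does not route packets for others.
    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    # Base chain: outgoing traffic is not restricted in this example.
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

As root, nft -c -f /etc/nftables.conf parses the file without applying it, and nft -f /etc/nftables.conf loads it.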

14.2.4. Installing the Rules at Each Boot

To enable a default firewall in Debian, you need to store the rules in /etc/nftables.conf and execute systemctl enable nftables.service as root. You can stop the firewall by executing nft flush ruleset as root.

In other cases, the recommended way is to register the configuration script in an up directive of the /etc/network/interfaces file. In the following example, the script is stored under /usr/local/etc/arrakis.fw.

Example 14.1. interfaces file calling the firewall script

  auto eth0
  iface eth0 inet static
      address 192.168.0.1
      network 192.168.0.0
      netmask 255.255.255.0
      broadcast 192.168.0.255
      up /usr/local/etc/arrakis.fw

The above obviously assumes that you are using ifupdown to configure the network interfaces. If you are using something else (such as NetworkManager or systemd-networkd), refer to the respective documentation to find out how to execute a script after the interface has been brought up.