BACK TO BASICS ICMP

ICMP (Internet Control Message Protocol) is the protocol used to transmit control and error information alongside IP communications. It allows testing network connectivity with the ping command (which sends an ICMP echo request message, which the recipient is meant to answer with an ICMP echo reply message). It signals a firewall rejecting a packet (destination unreachable), indicates an overflow in a receive buffer (source quench), proposes a better route for the next packets in the connection (redirect), and so on. This protocol is defined by several RFC documents; the initial RFC777 and RFC792 were soon completed and extended. Note that ICMP messages carry no authentication: a forged redirect can steer a host's traffic through an attacker's machine, which is why hardening guides disable their acceptance on hosts that are not routers (net.ipv4.conf.all.accept_redirects=0).

→ http://www.faqs.org/rfcs/rfc777.html

→ http://www.faqs.org/rfcs/rfc792.html

For reference, a receive buffer is a small memory zone storing data between the time it arrives from the network and the time the kernel handles it. If this zone is full, new data cannot be received, and ICMP signals the problem with a “source quench” message, so that the sender can slow down its transfer rate (which should ideally reach an equilibrium after some time). In practice this mechanism is obsolete: RFC6633 deprecated source quench in 2012, current kernels ignore such messages, and TCP's own congestion control regulates the rate instead.

Note that although an IPv4 network can work without ICMP, ICMPv6 is strictly required for an IPv6 network, since it combines several functions that were, in the IPv4 world, spread across ICMPv4, IGMP (Internet Group Management Protocol) and ARP (Address Resolution Protocol). ICMPv6 is defined in RFC4443. The practical consequence for firewalls is that a blanket rule dropping ICMPv6 breaks Neighbor Discovery, and with it all IPv6 connectivity on the link; RFC4890 lists which ICMPv6 message types a firewall must let through. Even in IPv4, dropping all ICMP silently breaks Path MTU discovery (the “fragmentation needed” message), so only specific message types should be filtered.

→ http://www.faqs.org/rfcs/rfc4443.html

ACCEPT: allow the packet to go on its way;

REJECT: reject the packet with an ICMP error packet (the --reject-with type option to iptables allows selecting the type of error);

DROP: delete (ignore) the packet;

LOG: log a message describing the packet through the kernel log (where the syslog daemon, typically rsyslogd, picks it up); note that this action does not interrupt processing, and the execution of the chain continues at the next rule, which is why logging refused packets requires both a LOG rule and a REJECT/DROP rule, in that order;

ULOG: log a message via ulogd, which can be better adapted and more efficient than syslogd for handling large numbers of messages; note that this action, like LOG, also returns processing to the next rule in the calling chain. ULOG exists only for IPv4 and has been superseded by NFLOG, which ulogd also reads and which works with both iptables and ip6tables;

chain_name: jump to the given chain and evaluate its rules;

RETURN: interrupt processing of the current chain, and return to the calling chain; in case the current chain is a built-in one (INPUT, OUTPUT, FORWARD, and so on), there's no calling chain, so the default action (the chain's policy, defined with the -P option to iptables) is executed instead;

SNAT (only in the nat table, therefore only in IPv4): apply Source NAT (extra options describe the exact changes to apply);

DNAT (only in the nat table, therefore only in IPv4): apply Destination NAT (extra options describe the exact changes to apply);

MASQUERADE (only in the nat table, therefore only in IPv4): apply masquerading (a special case of Source NAT);

REDIRECT (only in the nat table, therefore only in IPv4): redirect a packet to a given port of the firewall itself; this can be used to set up a transparent web proxy that works with no configuration on the client side, since the client thinks it connects to the recipient whereas the communications actually go through the proxy.

Other actions, particularly those concerning the mangle table, are outside the scope of this text. The iptables(8) and ip6tables(8) manual pages (and iptables-extensions(8) on recent systems) have a comprehensive list. The nat actions above are marked as IPv4-only because ip6tables long had no nat table; kernels since 3.7 do provide one, but NAT remains the exception in IPv6, whose address space makes it unnecessary.

14.2.2. Syntax of iptables and ip6tables

The iptables and ip6tables commands allow manipulating tables, chains and rules. Their -t table option indicates which table to operate on (by default, filter).

14.2.2.1. Commands

The -N chain option creates a new chain. The -X chain option deletes an empty and unused chain (with no chain given, all empty user-defined chains are deleted). The -A chain rule option adds a rule at the end of the given chain. The -I chain rule_num rule option inserts a rule before the rule number rule_num (before the first rule if rule_num is omitted). The -D chain rule_num (or -D chain rule) option deletes a rule in a chain; the first syntax identifies the rule to be deleted by its number, while the latter identifies it by its contents. The -F chain option flushes a chain (deletes all its rules); if no chain is mentioned, all the rules in the table are deleted. The -L chain option lists the rules in the chain; combining it with -n (no name resolution), -v (packet counters and interfaces) and --line-numbers (the numbers that -I and -D expect) makes the output far more useful. Finally, the -P chain action option defines the default action, or “policy”, for a given chain; note that only built-in chains can have such a policy, and that it applies to packets reaching the end of the chain without a terminating match.

14.2.2.2. Rules

Each rule is expressed as conditions -j action action_options. If several conditions are described in the same rule, then the criterion is the conjunction (logical and) of the conditions, which is at least as restrictive as each individual condition. A rule without -j is valid too: it matches and counts packets but does nothing to them.

The -p protocol condition matches the protocol field of the IP packet. The most common values are tcp, udp, icmp, and icmpv6. Prefixing the condition with an exclamation mark (as in ! -p tcp) negates the condition, which then becomes a match for “any packets with a different protocol than the specified one”. This negation mechanism is not specific to the -p option and it can be applied to all other conditions too (older rule sets place the exclamation mark after the option, as in -p ! tcp; current iptables versions warn that this form is deprecated).

The -s address or -s network/mask condition matches the source address of the packet. Correspondingly, -d address or -d network/mask matches the destination address.

The -i interface condition selects packets coming from the given network interface. -o interface selects packets going out on a specific interface. Each one only makes sense where the corresponding interface is known: -i in the INPUT, FORWARD and PREROUTING chains, -o in OUTPUT, FORWARD and POSTROUTING; iptables refuses the option elsewhere.

There are more specific conditions, depending on the generic conditions described above. For instance, the -p tcp condition can be complemented with conditions on the TCP ports, with clauses such as --source-port port and --destination-port port (abbreviated --sport and --dport); matching several ports in one rule requires the multiport match, as in -m multiport --dports 80,443.

The --state state condition, introduced with -m state, matches the state of a packet in a connection (this requires the connection tracking modules, nf_conntrack and xt_state on current kernels, ipt_conntrack on old ones). The NEW state describes a packet starting a new connection; ESTABLISHED matches packets belonging to an already existing connection, and RELATED matches packets initiating a new connection related to an existing one (which is useful for the ftp-data connections in the “active” mode of the FTP protocol, provided the nf_conntrack_ftp helper module is loaded). INVALID matches packets that the tracker cannot associate with any connection, which a strict rule set drops. Recent iptables versions prefer the equivalent -m conntrack --ctstate syntax.

The previous section lists available actions, but not their respective options. The LOG action, for instance, has the following options:

--log-level, with default value warning, indicates the syslog message priority;

--log-prefix allows specifying a text prefix (up to 29 characters) to differentiate between logged messages;

--log-tcp-sequence, --log-tcp-options and --log-ip-options indicate extra data to be integrated into the message: respectively, the TCP sequence number, TCP options, and IP options.
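The commands, conditions and LOG options above, put together as a minimal stateful host firewall. This is an added example, not a script from the handbook: the interface name and admin network are assumptions, the LOGDROP chain name is arbitrary, and the state match is written in its current -m conntrack --ctstate form rather than -m state --state. Setting IPT=echo prints each iptables invocation instead of running it, which lets the rule set be reviewed without root; applying it for real also requires remembering that it is not persistent across reboots (iptables-save output has to be restored at boot).

```shell
#!/bin/sh
# Added example, not taken from the handbook: a minimal stateful host firewall
# written with the iptables commands, conditions and LOG options described above.
# IPT defaults to iptables; IPT=echo turns every call into a printed line, so the
# rule set can be reviewed without root and without netfilter (see dry_run_rules).
IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth0}"                  # assumed name of the external interface
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"    # constructed admin network (RFC 5737 range)

build_filter_rules() {
    # Start from an empty filter table (the default table, so -t is not needed):
    # -F removes every rule, -X then removes the now-unused user-defined chains.
    "$IPT" -F
    "$IPT" -X
    # Policies (only built-in chains have one): drop what is not explicitly
    # allowed in, forward nothing, let the host itself talk out.
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT ACCEPT
    # A user chain that logs and then drops. LOG does not terminate the chain,
    # so the DROP rule after it is what actually refuses the packet; the limit
    # match keeps a flood from filling the kernel log.
    "$IPT" -N LOGDROP
    "$IPT" -A LOGDROP -m limit --limit 10/min -j LOG --log-prefix "fw-drop: " --log-level warning
    "$IPT" -A LOGDROP -j DROP
    # Loopback, then connection tracking: replies to connections this host opened
    # (ESTABLISHED) and helper-announced ones such as FTP data (RELATED) come in,
    # packets the tracker cannot classify (INVALID) are logged and dropped.
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A INPUT -m conntrack --ctstate INVALID -j LOGDROP
    # New connections: SSH only from the admin network on the external
    # interface, HTTP/HTTPS from anywhere, rate-limited ICMP echo requests.
    "$IPT" -A INPUT -i "$WAN_IF" -p tcp --dport 22 -s "$ADMIN_NET" -m conntrack --ctstate NEW -j ACCEPT
    "$IPT" -A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
    "$IPT" -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
    # Anything that reached this point is refused through the logging chain.
    "$IPT" -A INPUT -j LOGDROP
}

# Returns the commands the function would run, one per line, without running them.
dry_run_rules() {
    (IPT=echo; build_filter_rules)
}
```

Run dry_run_rules first and read the output top to bottom, since rule order is what decides the outcome: the ESTABLISHED,RELATED rule sits before the service rules so that return traffic never hits the LOG rule, and the final LOGDROP rule makes the INPUT policy a safety net rather than the normal path.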

The DNAT action (only available for IPv4) provides the --to-destination address:port option to indicate the new destination IP address and/or port; both parts accept a range (address-address, port-port), and the port part is only valid when the rule also specifies -p tcp or -p udp. Similarly, SNAT provides --to-source address:port to indicate the new source IP address and/or port. Keep in mind that DNAT only rewrites the packet: whether the rewritten packet is then allowed through is decided by the FORWARD chain of the filter table, which sees the new destination.

The REDIRECT action (only available for IPv4) provides the --to-ports port(s) option to indicate the port, or port range, where the packets should be redirected. It rewrites the destination address to the primary address of the interface the packet came in on (127.0.0.1 for locally generated packets), and is only valid in the PREROUTING and OUTPUT chains of the nat table.
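The NAT actions and their options, as an added example of a small IPv4 gateway; this is not a script from the handbook, and the interface names, addresses, proxy port and server address are assumptions. It chooses SNAT when a fixed public address is known and MASQUERADE otherwise, pairs the DNAT port forward with the FORWARD rules it needs, and uses REDIRECT for a transparent HTTP proxy. As in the previous example, IPT=echo (and SYSCTL=echo) prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not taken from the handbook: a small IPv4 NAT gateway using the
# DNAT, SNAT/MASQUERADE and REDIRECT actions and their options described above.
# Interface names, addresses and ports are assumptions; IPT=echo SYSCTL=echo
# prints the commands instead of applying them (see dry_run_nat).
IPT="${IPT:-iptables}"
SYSCTL="${SYSCTL:-sysctl}"
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.0.2.0/24}"        # constructed LAN (RFC 5737 range)
WEB_SERVER="${WEB_SERVER:-192.0.2.10}"    # constructed internal web server
PROXY_PORT="${PROXY_PORT:-3128}"          # assumed port of the local transparent proxy
WAN_IP="${WAN_IP:-}"                      # leave empty when the WAN address is dynamic

build_nat_rules() {
    # Without routing enabled, transit traffic never reaches the FORWARD chain
    # or POSTROUTING, whatever the nat rules say.
    "$SYSCTL" -w net.ipv4.ip_forward=1
    "$IPT" -t nat -F
    # Outbound source NAT on the external interface: SNAT with a fixed address
    # when it is known, MASQUERADE (which re-reads the interface address for
    # every packet and forgets its mappings when the link goes down) otherwise.
    if [ -n "$WAN_IP" ]; then
        "$IPT" -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j SNAT --to-source "$WAN_IP"
    else
        "$IPT" -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
    fi
    # Port forward: DNAT rewrites the destination in PREROUTING, before the
    # routing decision, so the packet is then routed towards the internal host...
    "$IPT" -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 -j DNAT --to-destination "$WEB_SERVER:80"
    # ...but it still has to be accepted by the FORWARD chain of the filter
    # table, matched on its already rewritten destination. With a DROP policy
    # on FORWARD, forgetting these two rules makes the DNAT silently useless.
    "$IPT" -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$WEB_SERVER" --dport 80 -m conntrack --ctstate NEW -j ACCEPT
    "$IPT" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Transparent proxy: HTTP from the LAN is redirected to the proxy listening
    # on this gateway, which also needs to be reachable in INPUT. The proxy's
    # own outgoing requests leave through OUTPUT, not PREROUTING, so this rule
    # does not catch them a second time.
    "$IPT" -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 -j REDIRECT --to-ports "$PROXY_PORT"
    "$IPT" -A INPUT -i "$LAN_IF" -p tcp --dport "$PROXY_PORT" -m conntrack --ctstate NEW -j ACCEPT
}

# Returns the commands the function would run without touching the kernel.
dry_run_nat() {
    (IPT=echo; SYSCTL=echo; build_nat_rules)
}
```

The check worth doing after applying this for real is iptables -t nat -L -n -v together with iptables -L FORWARD -n -v: if the DNAT counters increase while the FORWARD counters stay at zero, the rewritten packets are being dropped by the filter table, not by the NAT rules.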