Linux kernel parameters:Networking:Network packet filtering

From Wiki Open book
Network packet filtering (replaces ipchains) --->
Netfilter is a framework for filtering and mangling network packets that pass through your Linux box.

The most common use of packet filtering is to run your Linux box as a firewall protecting a local network from the Internet. The type of firewall provided by this kernel support is called a "packet filter", which means that it can reject individual network packets based on type, source, destination etc. The other kind of firewall, a "proxy-based" one, is more secure but more intrusive and more bothersome to set up; it inspects the network traffic much more closely, modifies it and has knowledge about the higher level protocols, which a packet filter lacks. Moreover, proxy-based firewalls often require changes to the programs running on the local clients. Proxy-based firewalls don't need support by the kernel, but they are often combined with a packet filter, which only works if you say Y here.

You should also say Y here if you intend to use your Linux box as the gateway to the Internet for a local network of machines without globally valid IP addresses. This is called "masquerading": if one of the computers on your local network wants to send something to the outside, your box can "masquerade" as that computer, i.e. it forwards the traffic to the intended outside destination, but modifies the packets to make it look like they came from the firewall box itself. It works both ways: if the outside host replies, the Linux box will silently forward the traffic to the correct local computer. This way, the computers on your local net are completely invisible to the outside world, even though they can reach the outside and can receive replies. It is even possible to run globally visible servers from within a masqueraded local network using a mechanism called portforwarding. Masquerading is also often called NAT (Network Address Translation).

Another use of Netfilter is in transparent proxying: if a machine on the local network tries to connect to an outside host, your Linux box can transparently forward the traffic to a local server, typically a caching proxy server.
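The three uses described above (masquerading, port forwarding into the masqueraded network, and transparent proxying) as one iptables-restore ruleset. This is an added example, not code from the page or from the kernel documentation it quotes. The interface names eth0 (Internet) and eth1 (LAN), the 192.168.1.0/24 network, the internal web server 192.168.1.10 and the proxy port 3128 are assumptions; the MASQUERADE, DNAT and REDIRECT targets and the conntrack match are the real iptables names.

```shell
#!/bin/sh
# Added example (not part of the page): an iptables-restore ruleset for a
# masquerading gateway, written as a function so addresses and interfaces
# can be substituted. Interface names, the 192.168.1.0/24 LAN, the web
# server 192.168.1.10 and the proxy port 3128 are assumptions.

# Usage: nf_gateway_ruleset WAN_IF LAN_IF LAN_CIDR WEB_SERVER PROXY_PORT
nf_gateway_ruleset() {
    wan=$1 lan=$2 lan_net=$3 web=$4 proxy=$5
    cat <<EOF
# Requires: sysctl -w net.ipv4.ip_forward=1 and connection tracking in the kernel.
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Masquerading: LAN traffic leaving via $wan is rewritten to the gateway's address.
-A POSTROUTING -s $lan_net -o $wan -j MASQUERADE
# Port forwarding: make a web server inside the masqueraded LAN globally visible.
-A PREROUTING -i $wan -p tcp --dport 80 -j DNAT --to-destination $web:80
# Transparent proxying: divert LAN HTTP to a caching proxy running on this box.
-A PREROUTING -i $lan -s $lan_net -p tcp --dport 80 -j REDIRECT --to-ports $proxy
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# After REDIRECT the packet is delivered locally, so the proxy port must be open to the LAN.
-A INPUT -i $lan -p tcp --dport $proxy -j ACCEPT
# Replies and helper-tracked channels (e.g. FTP data, with the FTP helper loaded)
# are allowed back in; everything else from outside hits the FORWARD DROP policy.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan -s $lan_net -o $wan -j ACCEPT
# The DNAT'ed connections still traverse FORWARD and need an explicit accept.
-A FORWARD -i $wan -o $lan -d $web -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Loads the ruleset atomically: iptables-restore replaces both tables in one step.
nf_gateway_apply() {
    nf_gateway_ruleset "$@" | iptables-restore
}

# Returns the ruleset text for the example's assumed values.
nf_gateway_example() {
    nf_gateway_ruleset eth0 eth1 192.168.1.0/24 192.168.1.10 3128
}

# Running the file prints the ruleset (no root needed); to install it:
#   nf_gateway_apply eth0 eth1 192.168.1.0/24 192.168.1.10 3128
nf_gateway_example
```

Review the generated text with `iptables-restore --test` before applying; the REDIRECT rule only makes sense if the proxy itself is excluded from it (it listens on the gateway, so its own outbound HTTP leaves via OUTPUT, not PREROUTING, and is untouched here).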

Yet another use of Netfilter is building a bridging firewall. Using a bridge with Network packet filtering enabled makes iptables "see" the bridged traffic. For filtering on the lower network and Ethernet protocols over the bridge, use ebtables (under bridge netfilter configuration).

Various modules exist for netfilter which replace the previous masquerading (ipmasqadm), packet filtering (ipchains), transparent proxying, and portforwarding mechanisms. Please see <file:Documentation/Changes> under "iptables" for the location of these packages.

Make sure to say N to "Fast switching" below if you intend to say Y here, as Fast switching currently bypasses netfilter.

Chances are that you should say Y here if you compile a kernel which will run as a router and N for regular hosts. If unsure, say N.
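Before writing rules it is worth confirming that the running kernel was actually built with the options this page describes. The check below is an added example, not part of the page: it reads a kernel .config (pass /boot/config-$(uname -r) or a decompressed /proc/config.gz; which file exists is an assumption) and reports which of the features needed for a packet-filtering, masquerading router are missing. The symbol names are the real Kconfig names; where the kernel renamed one (the ip_conntrack to nf_conntrack move) both spellings are accepted.

```shell
#!/bin/sh
# Added example (not part of the page): check a kernel config for the
# netfilter options needed to run the box as a router. Symbol names are real
# Kconfig names; alternatives cover renames across kernel versions. Which
# config file to read is an assumption (see usage at the bottom).

# Returns 0 if any of the given symbols is built in (=y) or modular (=m).
nf_sym_enabled() {
    cfg=$1
    shift
    for sym in "$@"; do
        if grep -q -E "^${sym}=(y|m)$" "$cfg"; then
            return 0
        fi
    done
    return 1
}

# Prints one "missing:" line per absent feature. Returns 0 when everything
# needed for packet filtering plus masquerading/NAT is present, 1 otherwise.
nf_check_router() {
    cfg=$1
    missing=0
    # feature name, then the alternative symbols that satisfy it
    while read -r feature syms; do
        [ -n "$feature" ] || continue
        # $syms is intentionally unquoted: it is a space-separated list
        if ! nf_sym_enabled "$cfg" $syms; then
            echo "missing: $feature ($syms)"
            missing=1
        fi
    done <<EOF
netfilter CONFIG_NETFILTER
conntrack CONFIG_NF_CONNTRACK CONFIG_IP_NF_CONNTRACK
iptables CONFIG_IP_NF_IPTABLES
filter-table CONFIG_IP_NF_FILTER
nat CONFIG_NF_NAT CONFIG_IP_NF_NAT
masquerade CONFIG_IP_NF_TARGET_MASQUERADE CONFIG_NF_NAT_MASQUERADE_IPV4
state-match CONFIG_NETFILTER_XT_MATCH_CONNTRACK CONFIG_NETFILTER_XT_MATCH_STATE CONFIG_IP_NF_MATCH_STATE
EOF
    return $missing
}

# Constructed sample .config fragment (not taken from any real kernel):
# an ip_conntrack-era router build with everything as modules.
nf_sample_config() {
    cat <<'EOF'
CONFIG_NETFILTER=y
# CONFIG_NETFILTER_DEBUG is not set
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_MATCH_STATE=m
EOF
}

# Demo: the sample passes; a plain-host build (filtering only) does not.
nf_demo() {
    tmp=$(mktemp)
    nf_sample_config > "$tmp"
    nf_check_router "$tmp" && echo "sample config: router-ready"
    printf 'CONFIG_NETFILTER=y\nCONFIG_IP_NF_IPTABLES=y\nCONFIG_IP_NF_FILTER=y\n' > "$tmp"
    nf_check_router "$tmp" || echo "minimal config: packet filtering only, no NAT"
    rm -f "$tmp"
}

# Usage on a live system (assumed path):
#   nf_check_router /boot/config-$(uname -r)
#   zcat /proc/config.gz > /tmp/cfg && nf_check_router /tmp/cfg
nf_demo
```

A symbol set to =m only means the module can be loaded; "Fast switching" (mentioned above) or a missing `modprobe` still leaves the rules without effect, so also confirm with `lsmod` and by inserting a test rule.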

--- Network packet filtering (replaces ipchains)

Network packet filtering debugging
You can say Y here if you want to get additional messages useful in debugging the netfilter code.
Bridged IP/ARP packets filtering
Enabling this option lets arptables and iptables see bridged ARP and IP traffic respectively. If you want a bridging firewall, you probably want this option enabled. Enabling or disabling this option doesn't enable or disable ebtables.

If unsure, say N.


Core Netfilter Configure --->

Netfilter netlink interface
If this option is enabled, the kernel will include support for the new netfilter netlink interface.
  Netfilter NFQUEUE over NFNETLINK interface
  If this option is enabled, the kernel will include support for queueing packets via NFNETLINK.
 
  Netfilter LOG over NFNETLINK interface
  If this option is enabled, the kernel will include support for logging packets via NFNETLINK.

This obsoletes the existing ipt_ULOG and ebt_ulog mechanisms, and is also scheduled to replace the old syslog-based ipt_LOG and ip6t_LOG modules.

 

IP: Netfilter Configure --->

Connection tracking (required for masq/NAT)
Connection tracking keeps a record of what packets have passed through your machine, in order to figure out how they are related into connections.

This is required to do Masquerading or other kinds of Network Address Translation (except for Fast NAT). It can also be used to enhance packet filtering (see `Connection state match support' below).

To compile it as a module, choose M here. If unsure, say N.

  Connection tracking flow accounting
  If this option is enabled, the connection tracking code will keep per-flow packet and byte counters.

Those counters can be used for flow-based accounting or the `connbytes' match.

If unsure, say `N'.

 
  Connection mark tracking support
  This option enables support for connection marks, used by the `CONNMARK' target and `connmark' match. Similar to the mark value of packets, but this mark value is kept in the conntrack session instead of the individual packets.
 
  Connection tracking events
  If this option is enabled, the connection tracking code will provide a notifier chain that can be used by other kernel code to get notified about changes in the connection tracking state.

If unsure, say `N'.

 
  Connection tracking netlink interface
  This option enables support for a netlink-based userspace interface to the connection tracking table.
 
  SCTP protocol connection tracking support (EXPERIMENTAL)
  With this option enabled, the connection tracking code will be able to do state tracking on SCTP connections.

If you want to compile it as a module, say M here and read <file:Documentation/modules.txt>. If unsure, say `N'.

 
  FTP protocol support
  Tracking FTP connections is problematic: special helpers are required for tracking them, and doing masquerading and other forms of Network Address Translation on them.

To compile it as a module, choose M here. If unsure, say Y.

 
  IRC protocol support
  There is a commonly-used extension to IRC called Direct Client-to-Client Protocol (DCC). This enables users to send files to each other, and also chat to each other without the need of a server. DCC Sending is used anywhere you send files over IRC, and DCC Chat is most commonly used by Eggdrop bots. If you are using NAT, this extension will enable you to send files and initiate chats. Note that you do NOT need this extension to get files or have others initiate chats, or everything else in IRC.

To compile it as a module, choose M here. If unsure, say Y.

 
  NetBIOS name service protocol support (EXPERIMENTAL)
  NetBIOS name service requests are sent as broadcast messages from an unprivileged port and responded to with unicast messages to the same port. This makes them hard to firewall properly because connection tracking doesn't deal with broadcasts. This helper tracks locally originating NetBIOS name service requests and the corresponding responses. It relies on correct IP address configuration, specifically netmask and broadcast address. When properly configured, the output of "ip address show" should look similar to this:
$ ip -4 address show eth0
 4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0

To compile it as a module, choose M here. If unsure, say N.

 
  TFTP protocol support
  TFTP connection tracking helper; whether it is required depends on how restrictive your ruleset is. If you are using a tftp client behind -j SNAT or -j MASQUERADE you will need this.

To compile it as a module, choose M here. If unsure, say Y.

 
  Amanda backup protocol support
  If you are running the Amanda backup package <http://www.amanda.org/> on this machine or machines that will be MASQUERADED through this machine, then you may want to enable this feature. This allows the connection tracking and natting code to allow the sub-channels that Amanda requires for communication of the backup data, messages and index.

To compile it as a module, choose M here. If unsure, say Y.

 
  PPTP protocol support
  This module adds support for PPTP (Point to Point Tunnelling Protocol, RFC2637) connection tracking and NAT.

If you are running PPTP sessions over a stateful firewall or NAT box, you may want to enable this feature.

Please note that not all PPTP modes of operation are supported yet. For more info, read top of the file net/ipv4/netfilter/ip_conntrack_pptp.c

If you want to compile it as a module, say M here and read Documentation/modules.txt. If unsure, say `N'.

 
IP Userspace queueing via NETLINK (OBSOLETE)
Netfilter has the ability to queue packets to user space: the netlink device can be used to access them using this driver.

This option enables the old IPv4-only "ip_queue" implementation which has been obsoleted by the new "nfnetlink_queue" code (see CONFIG_NETFILTER_NETLINK_QUEUE).

To compile it as a module, choose M here. If unsure, say N.

IP tables support (required for filtering/masq/NAT)
iptables is a general, extensible packet identification framework. The packet filtering and full NAT (masquerading, port forwarding, etc) subsystems now use this: say `Y' or `M' here if you want to use either of those.

To compile it as a module, choose M here. If unsure, say N.

  limit match support
  limit matching allows you to control the rate at which a rule can be matched: mainly useful in combination with the LOG target ("LOG target support", below) and to avoid some Denial of Service attacks.

To compile it as a module, choose M here. If unsure, say N.
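A rate-limited LOG rule is only useful if something reads what it wrote. The script below is an added example, not part of the page: it summarises kernel LOG-target records from syslog per source address and flags sources that touched many distinct ports. The KEY=VALUE fields (IN=, SRC=, DST=, PROTO=, SPT=, DPT=) are the LOG target's real output format; the "INPUT drop: " prefix, the host name and every address in the constructed sample are assumptions.

```shell
#!/bin/sh
# Added example (not part of the page): summarise what a rate-limited LOG
# rule recorded, e.g. the last two rules of an INPUT chain:
#   iptables -A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "INPUT drop: "
#   iptables -A INPUT -j DROP
# Field names follow the kernel LOG target; prefix and addresses are assumptions.

# Constructed sample syslog records (not real traffic): one source probing
# four ports, another retrying SSH and sending a DNS query, plus one
# unrelated sshd line that must be ignored.
nf_sample_log() {
    cat <<'EOF'
Mar  1 10:00:01 fw kernel: INPUT drop: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  1 10:00:01 fw kernel: INPUT drop: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40002 DPT=23 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  1 10:00:02 fw kernel: INPUT drop: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40003 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  1 10:00:02 fw kernel: INPUT drop: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40004 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  1 10:00:05 fw kernel: INPUT drop: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.9 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=0 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  1 10:00:09 fw kernel: INPUT drop: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.9 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=0 DF PROTO=TCP SPT=51001 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  1 10:00:12 fw kernel: INPUT drop: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.9 DST=198.51.100.2 LEN=73 TOS=0x00 PREC=0x00 TTL=61 ID=0 DF PROTO=UDP SPT=51002 DPT=53 LEN=53
Mar  1 10:00:13 fw sshd[812]: Accepted publickey for admin from 192.0.2.9 port 51003 ssh2
EOF
}

# Reads log lines on stdin and prints "SRC drops=N ports=M FLAG" per source,
# sorted by address. FLAG is SCAN when the source hit at least $1 distinct
# proto/port pairs (default 3). Lines without SRC= and DPT= are not LOG
# records and are skipped.
nf_log_summary() {
    thr=${1:-3}
    awk -v thr="$thr" '
        /SRC=/ && /DPT=/ {
            src = ""; dpt = ""; proto = "?"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
                else if ($i ~ /^PROTO=/) proto = substr($i, 7)
            }
            if (src == "" || dpt == "") next
            drops[src]++
            key = src SUBSEP proto "/" dpt
            if (!(key in seen)) { seen[key] = 1; ports[src]++ }
        }
        END {
            for (s in drops)
                printf "%s drops=%d ports=%d %s\n", s, drops[s], ports[s],
                       (ports[s] >= thr ? "SCAN" : "ok")
        }' | sort
}

# Demo over the constructed sample; on a real box feed it the syslog file:
#   grep 'INPUT drop: ' /var/log/kern.log | nf_log_summary 5
nf_sample_log | nf_log_summary 3
```

Because the LOG rule sits behind `-m limit`, the counts are of logged drops, not of all drops: during a flood the limit is reached within seconds and the summary undercounts badly. If per-source fairness matters, rate-limit with the hashlimit match (listed further down this page) keyed on the source address instead of a single global limit.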

 
  IP range match support
  This option makes it possible to match IP addresses against IP address ranges.

To compile it as a module, choose M here. If unsure, say N.

 
  MAC address match support
  MAC matching allows you to match packets based on the source Ethernet address of the packet.

To compile it as a module, choose M here. If unsure, say N.

 
  Packet type match support
  Packet type matching allows you to match a packet by its "class", eg. BROADCAST, MULTICAST, ...

Typical usage: iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG

To compile it as a module, choose M here. If unsure, say N.

 
  netfilter MARK match support
  Netfilter mark matching allows you to match packets based on the `nfmark' value in the packet. This can be set by the MARK target (see below).

To compile it as a module, choose M here. If unsure, say N.

 
  <*> Multiple port match support
  <*> TOS match support
  <*> recent match support
  <*> ECN match support
  <*> DSCP match support
  <*> LENGTH match support
  <*> TTL match support
  <*> tcpmss match support
  <M> Helper match support
  <M> Connection state match support
  <M> Connection tracking match support
  <*> Owner match support
  < > address type match support
  < > realm match support
  < > SCTP protocol match support
  < > DCCP protocol match support
  < > comment match support
  < > hashlimit match support
  < > string match support
  <*> Packet filtering
  <*> REJECT target support
  <*> LOG target support
  <*> ULOG target support (OBSOLETE)
  <*> TCPMSS target support
  < > NFQUEUE Target Support
  <M> Full NAT
  <M> MASQUERADE target support
  <M> REDIRECT target support
  <M> NETMAP target support
  <M> SAME target support
  < > Basic SNMP-ALG support
  <*> Packet mangling
  <*> TOS target support
  <*> ECN target support
  <*> DSCP target support
  <*> MARK target support
  <*> CLASSIFY target support
  < > TTL target support
  <M> raw table support (required for NOTRACK/TRACE)
  <M> NOTRACK target support
  <*> ARP tables support
  <*> ARP packet filtering
  <*> ARP payload mangling

IPv6: Netfilter Configure (EXPERIMENTAL) --->
  < > IP6 Userspace queueing via NETLINK (OBSOLETE)
  < > IP6 tables support (required for filtering/masq/NAT)
    < > limit match support
    < > MAC address match support
    < > routing header match support
    < > Hop-by-hop and Dst opts header match support
    < > Fragmentation header match support
    < > HL match support
    < > Multiple port match support
    < > Owner match support
    < > netfilter MARK match support
    < > IPv6 Extension Headers Match
    < > AH/ESP match support
    < > Packet Length match support
    < > EUI64 address check
    < > Packet filtering
    < > NFQUEUE Target Support
    < > Packet mangling
    < > raw table support (required for TRACE)