Kali Linux Revealed

Download 11,68 Mb. Pdf ko'rish
bet	94/174
Sana	15.01.2024
Hajmi	11,68 Mb.
	#137314

1 ... 90 91 92 93 94 95 96 97 ... 174

Bog'liq
Kali-Linux-Revealed-2021-edition

Figure 7.1 How
Netfilter
Chains are Called
Each chain is a list of rules; each rule is a set of conditions and an action to perform when the
conditions are met. When processing a packet, the firewall scans the appropriate chain, one rule
after another, and when the conditions for one rule are met, it jumps (hence the -j option in the
commands with section
7.4.2.2
, “
Rules
” [page 163]) to the specified action to continue processing.
The most common behaviors are standardized and dedicated actions exist for them. Taking one
of these standard actions interrupts the processing of the chain, since the packets fate is already
sealed (barring an exception mentioned below). Listed below are the Netfilter actions.
• ACCEPT: allow the packet to go on its way.
• REJECT: reject the packet with an Internet control message protocol (ICMP) error packet
(the --reject-with
type
option of
iptables
determines the type of error to send).
• DROP: delete (ignore) the packet.
• LOG: log (via
syslogd
) a message with a description of the packet. Note that this action
does not interrupt processing, and the execution of the chain continues at the next rule,
which is why logging refused packets requires both a LOG and a REJECT/DROP rule. Common
parameters associated with logging include:
– --log-level, with default value warning, indicates the
syslog
severity level.
– --log-prefix allows specifying a text prefix to differentiate between logged messages.
– --log-tcp-sequence, --log-tcp-options, and --log-ip-options indicate extra data to be in-
tegrated into the message: respectively, the TCP sequence number, TCP options, and
IP options.
• ULOG: log a message via
ulogd
, which can be better adapted and more efficient than
syslogd
for handling large numbers of messages; note that this action, like LOG, also re-
turns processing to the next rule in the calling chain.
• chain_name: jump to the given chain and evaluate its rules.
161
Chapter 7 — Securing and Monitoring Kali Linux

• RETURN: interrupt processing of the current chain and return to the calling chain; in case
the current chain is a standard one, there’s no calling chain, so the default action (defined
with the -P option to
iptables
) is executed instead.
• SNAT (only in the nat table): apply Source Network Address Translation (SNAT). Extra options
describe the exact changes to apply, including the --to-source
address
:
port
option, which
defines the new source IP address and/or port.
• DNAT (only in the nat table): apply Destination Network Address Translation (DNAT). Extra op-
tions describe the exact changes to apply, including the --to-destination
address
:
port
option,
which defines the new destination IP address and/or port.
• MASQUERADE (only in the nat table): apply masquerading (a special case of Source NAT).
• REDIRECT (only in the nat table): transparently redirect a packet to a given port of the
firewall itself; this can be used to set up a transparent web proxy that works with no con-
figuration on the client side, since the client thinks it connects to the recipient whereas the
communications actually go through the proxy. The --to-ports
port(s)
option indicates the
port, or port range, where the packets should be redirected.
Other actions, particularly those concerning the mangle table, are outside the scope of this text.
The
iptables(8)
and
ip6tables(8)
manual pages have a comprehensive list.

Download 11,68 Mb.

1 ... 90 91 92 93 94 95 96 97 ... 174

Download 11,68 Mb.

Pdf ko'rish