zh-cn:doc:uci:firewall, revision 2014/07/18 10:17 (current) by tanyingyu; previous revision 2013/03/16 06:34.

====== How to configure the firewall ======

First, understand that OpenWrt is a GNU/Linux distribution and, like most other distributions, its firewall is built on iptables.

Second, OpenWrt supports two ways of configuring iptables: OpenWrt's own UCI method, and the traditional Linux method.

This article covers the UCI method, which means configuring iptables through the file ''/etc/config/firewall''.

For the traditional Linux method, see [[doc:howto:netfilter#configuration|netfilter]].

Structure of the firewall file:
  * ''defaults'': the first section of the file, holding the global settings
  * ''zone'': there can be several zones, and each zone can contain several network interfaces
  * ''forwarding'': sits below the zones; its job is to allow packets to be forwarded between them
  * ''rule'' and ''redirect'': can be thought of as refinements within a zone, used to impose further restrictions on packets

===== How OpenWrt's iptables is organised, seen from the packages =====

Open the package download page of any OpenWrt release branch, for example http://downloads.openwrt.org//backfire/10.03.1/brcm63xx/packages/, and you will find a number of related packages.

  * ''iptables_1.4.6-3.1_brcm63xx.ipk'' is iptables itself; it is already included in most officially built and published firmware images.
  * ''kmod-ipt-*'' packages are the kernel-space modules ([[doc:howtobuild:vanilla.packages|vanilla]]).
  * ''iptables-mod-*'' packages are the user-space extensions; some of these are also included in the official firmware images. For example ''iptables-mod-nat_1.4.6-3.1_brcm63xx.ipk'' provides basic NAT, i.e. the ''SNAT'', ''DNAT'' and ''MASQUERADE'' targets and the ''nat'' table.

===== Sections =====

Below is an overview of the configuration sections the firewall understands. A minimal firewall configuration usually consists of one ''defaults'' section, at least two //zones// (''lan'' and ''wan'') and one //forwarding// that allows packets to be forwarded from ''lan'' to ''wan''.

==== Defaults ====

The ''defaults'' section defines global firewall settings that do not belong to a specific zone.
The following options can be defined in this section:

^ Name ^ Type ^ Required ^ Default ^ Description ^
| ''syn_flood'' | boolean | no | ''1'' | Enable [[http://en.wikipedia.org/wiki/SYN_flood|SYN flood]] protection |
| ''drop_invalid'' | boolean | no | ''1'' | Drop invalid packets, i.e. packets that do not belong to any known connection |
| ''disable_ipv6'' | boolean | no | ''0'' | Set to ''1'' to disable the IPv6 firewall rules (Firewall v2 and later) |
| ''input'' | string | no | ''DROP'' | Default policy (''ACCEPT'', ''REJECT'', ''DROP'') for the ''INPUT'' chain |
| ''forward'' | string | no | ''DROP'' | Default policy (''ACCEPT'', ''REJECT'', ''DROP'') for the ''FORWARD'' chain |
| ''output'' | string | no | ''DROP'' | Default policy (''ACCEPT'', ''REJECT'', ''DROP'') for the ''OUTPUT'' chain |

==== Zones ====

A ''zone'' section groups one or more //interfaces// and serves as a //source// or //destination// for //forwardings//, //rules// and //redirects//. Masquerading (NAT) of outgoing traffic is controlled on a per-zone basis.

The options below are defined within ''zone'' sections:

^ Name ^ Type ^ Required ^ Default ^ Description ^
| ''name'' | zone name | yes | //(none)// | Unique zone name |
| ''network'' | list | no | //(none)// | List of //[[doc:uci:network#interfaces|interfaces]]// attached to this zone; if omitted, the value of ''name'' is used by default |
| ''masq'' | boolean | no | ''0'' | Specifies whether //outgoing// zone traffic should be masqueraded; this is typically enabled on the //wan// zone |
| ''masq_src'' | list of subnets | no | ''0.0.0.0/0'' | Limit MASQUERADING to the given source subnets. Negation is possible by prefixing the subnet with ''!''; multiple subnets are allowed. \\ :!: Only supported by the Firewall v2 package, version 11 and above, or Firewall v1, version 13 and above |
| ''masq_dest'' | list of subnets | no | ''0.0.0.0/0'' | Limit MASQUERADING to the given destination subnets. Negation is possible by prefixing the subnet with ''!''; multiple subnets are allowed. \\ :!: Only supported by the Firewall v2 package, version 11 and above, or Firewall v1, version 13 and above |
| ''conntrack'' | boolean | no | ''1'' if masquerading is used, ''0'' otherwise | Force connection tracking for this zone (see [[#note.on.connection.tracking.notrack|Note on connection tracking]]) |
| ''mtu_fix'' | boolean | no | ''0'' | Enable MSS clamping for //outgoing// zone traffic |
| ''input'' | string | no | ''DROP'' | Default policy (''ACCEPT'', ''REJECT'', ''DROP'') for //incoming// zone traffic |
| ''forward'' | string | no | ''DROP'' | Default policy (''ACCEPT'', ''REJECT'', ''DROP'') for //forwarded// zone traffic |
| ''output'' | string | no | ''DROP'' | Default policy (''ACCEPT'', ''REJECT'', ''DROP'') for //outgoing// zone traffic |
| ''family'' | string | no | ''any'' | Protocol family (''ipv4'', ''ipv6'' or ''any'') to generate iptables rules for. \\ :!: Only supported by the Firewall v2 package |
| ''log'' | boolean | no | ''0'' | Create log rules for rejected and dropped traffic in this zone. \\ :!: Only supported by the Firewall v2 package, version 10 and above |
| ''log_limit'' | string | no | ''10/minute'' | Limits the number of log messages per interval. \\ :!: Only supported by the Firewall v2 package, version 10 and above |

==== Forwardings ====

The ''forwarding'' sections control the traffic flow between //zones// and may enable [[http://en.wikipedia.org/wiki/Path_MTU_discovery#Problems_with_PMTUD|MSS clamping]] for specific directions. Only one direction is covered by a ''forwarding'' rule. To allow bidirectional traffic flows between two //zones//, two //forwardings// are required, with ''src'' and ''dest'' reversed in each.

Below is a listing of the allowed options within //forwardings//:

^ Name ^ Type ^ Required ^ Default ^ Description ^
| ''src'' | zone name | yes | //(none)// | Specifies the traffic //source zone//; must refer to one of the defined //zone names// |
| ''dest'' | zone name | yes | //(none)// | Specifies the traffic //destination zone//; must refer to one of the defined //zone names// |
| <del>''mtu_fix''</del> | <del>boolean</del> | <del>no</del> | <del>''0''</del> | <del>Enable MSS clamping for traffic flowing from the //source zone// to the //destination zone//</del> (Deprecated and moved to ''zone'' sections in 8.09.2+) |
| ''family'' | string | no | ''any'' | Protocol family (''ipv4'', ''ipv6'' or ''any'') to generate iptables rules for. \\ :!: Only supported by the Firewall v2 package |

:!: The //iptables// rules generated for this section rely on the //state match//, which needs connection tracking to work.
At least one of the ''src'' or ''dest'' zones needs to have //connection tracking// enabled through either the ''masq'' or the ''conntrack'' option.

==== Redirects ====

Port forwardings (DNAT) are defined by ''redirect'' sections. All //incoming// traffic on the specified //source zone// which matches the given rules will be directed to the specified internal host.

The options below are valid for //redirects//:

^ Name ^ Type ^ Required ^ Default ^ Description ^
| ''src'' | zone name | yes for ''DNAT'' target | //(none)// | Specifies the traffic //source zone//; must refer to one of the defined //zone names//. For typical port forwards this usually is ''wan'' |
| ''src_ip'' | ip address | no | //(none)// | Match incoming traffic from the specified //source ip address// |
| ''src_dip'' | ip address | yes for ''SNAT'' target | //(none)// | For //DNAT//, match incoming traffic directed at the given //destination ip address//. For //SNAT//, rewrite the //source address// to the given address. |
| ''src_mac'' | mac address | no | //(none)// | Match incoming traffic from the specified //mac address// |
| ''src_port'' | port or range | no | //(none)// | Match incoming traffic originating from the given //source port or port range// on the client host |
| ''src_dport'' | port or range | no | //(none)// | For //DNAT//, match incoming traffic directed at the given //destination port or port range// on this host. For //SNAT//, rewrite the //source ports// to the given value. |
| ''proto'' | protocol name or number | yes | //tcpudp// | Match incoming traffic using the given //protocol// |
| ''dest'' | zone name | yes for ''SNAT'' target | //(none)// | Specifies the traffic //destination zone//; must refer to one of the defined //zone names//. |
| ''dest_ip'' | ip address | yes for ''DNAT'' target | //(none)// | For //DNAT//, redirect matched incoming traffic to the specified internal host. For //SNAT//, match traffic directed at the given address. |
| ''dest_port'' | port or range | no | //(none)// | For //DNAT//, redirect matched incoming traffic to the given port on the internal host. For //SNAT//, match traffic directed at the given ports. |
| ''target'' | string | no | ''DNAT'' | NAT target (''DNAT'' or ''SNAT'') to use when generating the rule \\ :!: Only supported by Firewall v2, version 12 and above, or Firewall v1, version 15 and above |
| ''family'' | string | no | ''any'' | Protocol family (''ipv4'', ''ipv6'' or ''any'') to generate iptables rules for. \\ :!: Only supported by the Firewall v2 package |
| ''reflection'' | boolean | no | ''1'' | Disables NAT reflection for this redirect if set to ''0''; applicable to ''DNAT'' targets. \\ :!: Only supported by Firewall v2, version 11 and above, or Firewall v1, version 13 and above |

==== Rules ====

Sections of the type ''rule'' can be used to define basic accept or reject rules to allow or restrict access to specific ports or hosts. Like //redirects//, the rules are tied to the given //source zone// and match incoming traffic occurring there.

Valid options for this section are:

^ Name ^ Type ^ Required ^ Default ^ Description ^
| ''src'' | zone name | yes | //(none)// | Specifies the traffic //source zone//; must refer to one of the defined //zone names//. |
| ''src_ip'' | ip address | no | //(none)// | Match incoming traffic from the specified //source ip address// |
| ''src_mac'' | mac address | no | //(none)// | Match incoming traffic from the specified //mac address// |
| ''src_port'' | port or range | no | //(none)// | Match incoming traffic originating from the given //source port or port range// on the client host if ''tcp'' or ''udp'' is specified as protocol |
| ''proto'' | protocol name or number | no | ''tcpudp'' | Match incoming traffic using the given //protocol//. Can be one of ''tcp'', ''udp'', ''tcpudp'', ''udplite'', ''icmp'', ''esp'', ''ah'', ''sctp'' or ''all'', or it can be a numeric value representing one of these protocols or a different one. A protocol name from ''/etc/protocols'' is also allowed. The number 0 is equivalent to ''all''. |
| ''dest'' | zone name | no | //(none)// | Specifies the traffic //destination zone//; must refer to one of the defined //zone names//. If specified, the rule applies to //forwarded// traffic; otherwise it is treated as an //input// rule. |
| ''dest_ip'' | ip address | no | //(none)// | Match incoming traffic directed to the specified //destination ip address// |
| ''dest_port'' | port or range | no | //(none)// | Match incoming traffic directed at the given //destination port or port range// on this host if ''tcp'' or ''udp'' is specified as protocol |
| ''target'' | string | yes | ''DROP'' | Firewall action (''ACCEPT'', ''REJECT'', ''DROP'') for matched traffic |
| ''family'' | string | no | ''any'' | Protocol family (''ipv4'', ''ipv6'' or ''any'') to generate iptables rules for. \\ :!: Only supported by the Firewall v2 package |

==== Includes ====

It is possible to include custom firewall scripts by specifying one or more ''include'' sections in the firewall configuration.

There is only one possible parameter for //includes//:

^ Name ^ Type ^ Required ^ Default ^ Description ^
| ''path'' | file name | yes | ''/etc/firewall.user'' | Specifies a shell script to execute on boot or on firewall restarts |

Included scripts may contain arbitrary commands, for example advanced iptables rules or tc commands required for traffic shaping. They run with root privileges, so keep them writable only by root.

:!: When writing custom iptables rules remember to use ''-I'' (insert) instead of ''-A'' (append) to ensure that the created rules **appear before** the generic ones.

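The section tables above describe a file format, and the quickest way to check a configuration against them is to parse it and look for the mistakes they warn about. The following Python script is an added example, not part of this page or of the OpenWrt firewall package: it parses the subset of UCI syntax used on this page (''config'', ''option'', ''list'', ''#'' comments, shell-style quoting) and flags a masquerading zone that accepts unsolicited input, an ''ACCEPT'' input rule from such a zone without a ''src_ip'' restriction, a ''redirect'' of all protocols and all ports (a DMZ), a ''forwarding'' whose source is the masquerading zone, and a ''forwarding'' where neither zone has connection tracking (the ''masq''/''conntrack'' requirement noted above). The sample configuration is constructed for the example.

```python
"""Parse an OpenWrt-style /etc/config/firewall and lint it for risky settings.

Added example, not the OpenWrt firewall package's own code.  Only the UCI subset
used on this page is handled: 'config <type> [name]', 'option k v', 'list k v',
'#' comments and shell-style quoting.
"""
import shlex

# Constructed sample: a common lan/wan layout with three deliberately risky entries
SAMPLE_FIREWALL = """
config zone
        option name             lan
        list   network          'lan'

config zone
        option name             wan
        list   network          'wan'
        option input            ACCEPT      # risky: the internet may talk to the router
        option forward          REJECT
        option masq             1

config forwarding
        option src              lan
        option dest             wan

config rule                                 # risky: SSH open to the whole internet
        option src              wan
        option dest_port        22
        option proto            tcp
        option target           ACCEPT

config redirect                             # risky: DMZ, every port to one host
        option src              wan
        option proto            all
        option dest_ip          192.168.1.2
"""


def parse_uci(text):
    """Return one {'type', 'name', 'options'} dict per 'config' section.
    'option' values are strings; 'list' values accumulate into Python lists."""
    sections, current = [], None
    for raw in text.splitlines():
        tokens = shlex.split(raw, comments=True)   # handles quoting and '#' comments
        if not tokens:
            continue
        if tokens[0] == 'config':
            current = {'type': tokens[1],
                       'name': tokens[2] if len(tokens) > 2 else None, 'options': {}}
            sections.append(current)
        elif tokens[0] in ('option', 'list') and current and len(tokens) >= 3:
            key, value = tokens[1], ' '.join(tokens[2:])
            if tokens[0] == 'option':
                current['options'][key] = value
            else:
                current['options'].setdefault(key, []).append(value)
        else:
            raise ValueError('malformed UCI line: %r' % raw)
    return sections


def lint_firewall(sections):
    """Return (code, detail) findings for patterns the section tables warn about."""
    zones = {s['options'].get('name'): s['options']
             for s in sections if s['type'] == 'zone'}
    findings = []

    def masq(zone):        # the masquerading zone is the internet-facing one
        return zones.get(zone, {}).get('masq') == '1'

    def tracked(zone):     # conntrack is active if either masq or conntrack is set
        return masq(zone) or zones.get(zone, {}).get('conntrack') == '1'

    for name, opts in zones.items():
        if masq(name) and opts.get('input', 'DROP') == 'ACCEPT':
            findings.append(('WAN_INPUT_ACCEPT', name))

    for s in sections:
        o = s['options']
        if s['type'] == 'forwarding':
            pair = '%s->%s' % (o.get('src'), o.get('dest'))
            if masq(o.get('src')):
                findings.append(('FORWARD_FROM_WAN', pair))
            if not (tracked(o.get('src')) or tracked(o.get('dest'))):
                # forwardings use the state match, which needs conntrack on one side
                findings.append(('FORWARD_WITHOUT_CONNTRACK', pair))
        elif s['type'] == 'rule':
            # a rule without 'dest' filters traffic addressed to the router itself
            if ('dest' not in o and o.get('target') == 'ACCEPT'
                    and masq(o.get('src')) and 'src_ip' not in o):
                findings.append(('UNRESTRICTED_WAN_INPUT', o.get('dest_port', 'any')))
        elif s['type'] == 'redirect':
            if (o.get('target', 'DNAT') == 'DNAT' and o.get('proto') == 'all'
                    and 'src_dport' not in o):
                findings.append(('DMZ_ALL_PORTS', o.get('dest_ip', '?')))
    return findings


if __name__ == '__main__':
    for code, detail in lint_firewall(parse_uci(SAMPLE_FIREWALL)):
        print('%-26s %s' % (code, detail))
```

Run against the sample it reports the three deliberately risky entries and nothing for the ''lan'' to ''wan'' forwarding, because the ''wan'' zone masquerades and therefore has connection tracking. Feed it the real ''/etc/config/firewall'' from a router to get the same checks there.
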
===== Examples =====

==== Opening ports ====

The default configuration accepts all LAN traffic, but blocks all incoming WAN traffic on ports not currently used for connections or NAT. To open a port for a service, add a ''rule'' section:
<code>
config rule
        option src              wan
        option dest_port        22
        option target           ACCEPT
        option proto            tcp
</code>

This example enables machines on the internet to use SSH to access your router. Note that it exposes the SSH service to every host on the internet; where possible, restrict the rule with ''src_ip'' to the addresses that need access, and make sure the router does not accept weak or default passwords.

==== Port forwarding (NAT/DNAT) ====

This example forwards HTTP (but not HTTPS) traffic to the web server running on 192.168.1.10:

<code>
config redirect
        option src       wan
        option src_dport 80
        option proto     tcp
        option dest_ip   192.168.1.10
</code>

==== Source NAT (SNAT) ====

Source NAT rewrites the source address of an outgoing packet so that it looks as though the router itself is the source of the packet.

The example below defines source NAT for UDP and TCP traffic directed to port 123 and originating from the host with the IP address 10.55.34.85.
The source address is rewritten to 63.240.161.99.

<code>
config redirect
        option src              lan
        option dest             wan
        option src_ip           10.55.34.85
        option src_dip          63.240.161.99
        option dest_port        123
        option target           SNAT
</code>

Used on its own, source NAT can restrict a computer's access to the internet while still allowing it to reach a few services, by manually forwarding what appear to be a few local services, e.g. [[http://en.wikipedia.org/wiki/Network_time_protocol|NTP]], out to the internet. While DNAT exposes selected internal services and hides the rest of the local network from the internet, SNAT hides the addresses of the local hosts from the remote side.

Source NAT and destination NAT are combined and applied dynamically in IP masquerading, which makes computers with private (192.168.x.x, etc.) IP addresses appear on the internet with the router's public WAN IP address.

==== True port forwarding ====

//Most users won't want this.// Its usage is similar to SNAT, but as the destination IP address isn't changed, machines on the destination network need to be aware that they will receive, and have to answer, requests for a public IP address that isn't necessarily theirs. Port forwarding in this fashion is typically used for load balancing.
<code>
config redirect
        option src              wan
        option src_dport        80
        option dest             lan
        option dest_port        80
        option proto            tcp
</code>

==== Restricting access to a specific host ====

The following rule blocks all connection attempts from the LAN to the specified host address.

<code>
config rule
        option src              lan
        option dest             wan
        option dest_ip          123.45.67.89
        option target           REJECT
</code>

==== Restricting internet access by MAC address ====

The following rule blocks all connection attempts from the client with the given MAC address to the Internet (replace the all-zero placeholder with the client's address).

<code>
config rule
        option src              lan
        option dest             wan
        option src_mac          00:00:00:00:00:00
        option target           REJECT
</code>

==== Restricting forwarded traffic ====

The example below creates a //forward// rule rejecting traffic from lan to wan on the ports 1000-1100.

<code>
config rule
        option src              lan
        option dest             wan
        option dest_port        1000-1100
        option proto            tcpudp
        option target           REJECT
</code>

==== Transparent proxy rule (same host) ====

The rule below redirects all outgoing HTTP traffic from //lan// through a proxy server listening on port 3128 on the router itself.

<code>
config redirect
        option src              lan
        option proto            tcp
        option src_dport        80
        option dest_port        3128
</code>

==== Transparent proxy rule (external) ====

The following rule redirects all outgoing HTTP traffic from //lan// through an external proxy at 192.168.1.100 listening on port 3128. The negated ''src_ip'' excludes the proxy's own outgoing HTTP requests from the redirect; without it they would be sent back to the proxy in a loop.

<code>
config redirect
        option src              lan
        option proto            tcp
        option src_ip           !192.168.1.100
        option src_dport        80
        option dest_ip          192.168.1.100
        option dest_port        3128
</code>

==== Simple DMZ rule ====

The following rule redirects all WAN ports for all protocols to the internal host 192.168.1.2. Every service running on that host becomes reachable from the internet, so prefer explicit port forwards unless the host is meant to be fully exposed.

<code>
config redirect
        option src              wan
        option proto            all
        option dest_ip          192.168.1.2
</code>

==== IPSec passthrough ====

This example enables proper forwarding of IPSec traffic through the wan.

<code>
# AH protocol
config rule
        option src              wan
        option dest             lan
        option proto            ah
        option target           ACCEPT

# ESP protocol
config rule
        option src              wan
        option dest             lan
        option proto            esp
        option target           ACCEPT
</code>

For some configurations you also have to open port 500/UDP.

<code>
# ISAKMP protocol
config rule
        option src              wan
        option dest             lan
        option proto            udp
        option src_port         500
        option dest_port        500
        option target           ACCEPT
</code>

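To see what the ''rule'' and ''redirect'' examples above actually ask iptables to do, the following Python script (an added example, not the OpenWrt firewall scripts) renders such sections as iptables commands. It is a simplified model: the real firewall package creates per-zone chains, while here the built-in ''INPUT'', ''FORWARD'', ''PREROUTING'' and ''POSTROUTING'' chains stand in for them, and the zone-to-device mapping (''lan'' on ''br-lan'', ''wan'' on ''eth1'') is assumed rather than read from ''/etc/config/network''. It does show the points that matter when writing a section: a rule without ''dest'' lands in ''INPUT'', ''tcpudp'' becomes two rules, ''src_dip''/''dest_ip'' swap roles between DNAT and SNAT, ''!'' negates an address match, and port ranges are spelled ''1000:1100'' in a match but ''1000-1100'' in a NAT target.

```python
"""Render UCI 'rule' and 'redirect' sections as iptables commands.

Added example, not the OpenWrt firewall scripts: a simplified model for
reasoning about a section before applying it.  The real package builds
per-zone chains; here the built-in chains stand in for them, and the
zone-to-device mapping is assumed rather than read from /etc/config/network.
"""

ZONE_DEV = {'lan': 'br-lan', 'wan': 'eth1'}   # assumed for this example


def _protos(opts):
    """'tcpudp' (the default) yields one rule each; 'all' or '0' means no -p match."""
    proto = opts.get('proto', 'tcpudp')
    if proto == 'tcpudp':
        return ['tcp', 'udp']
    return [None] if proto in ('all', '0') else [proto]


def _ports(flag, value, proto):
    """Ports only apply to tcp/udp; UCI ranges are 1000-1100, --dport wants 1000:1100."""
    if value is None or proto not in ('tcp', 'udp'):
        return []
    return [flag, value.replace('-', ':')]


def _addr(flag, value):
    """A leading '!' (as in src_ip '!192.168.1.100') negates the address match."""
    if value is None:
        return []
    return ['!', flag, value[1:]] if value.startswith('!') else [flag, value]


def render_rule(opts):
    """Without 'dest' a rule filters traffic to the router (INPUT); with it, FORWARD."""
    cmds = []
    for proto in _protos(opts):
        argv = ['iptables', '-I']
        if 'dest' in opts:
            argv += ['FORWARD', '-i', ZONE_DEV[opts['src']], '-o', ZONE_DEV[opts['dest']]]
        else:
            argv += ['INPUT', '-i', ZONE_DEV[opts['src']]]
        if proto:
            argv += ['-p', proto]
        argv += _addr('-s', opts.get('src_ip')) + _addr('-d', opts.get('dest_ip'))
        if 'src_mac' in opts:
            argv += ['-m', 'mac', '--mac-source', opts['src_mac']]
        argv += _ports('--sport', opts.get('src_port'), proto)
        argv += _ports('--dport', opts.get('dest_port'), proto)
        cmds.append(' '.join(argv + ['-j', opts['target']]))
    return cmds


def render_redirect(opts):
    """DNAT (default) rewrites the destination in PREROUTING, SNAT the source in
    POSTROUTING.  src_dip/src_dport and dest_ip/dest_port swap roles between the
    two, exactly as the redirect table above describes."""
    target = opts.get('target', 'DNAT')
    cmds = []
    for proto in _protos(opts):
        argv = ['iptables', '-t', 'nat', '-I']
        if target == 'DNAT':
            argv += ['PREROUTING', '-i', ZONE_DEV[opts['src']]]
            match_ip, match_port = opts.get('src_dip'), opts.get('src_dport')
            new_ip, new_port = opts.get('dest_ip'), opts.get('dest_port')
        else:
            argv += ['POSTROUTING', '-o', ZONE_DEV[opts['dest']]]
            match_ip, match_port = opts.get('dest_ip'), opts.get('dest_port')
            new_ip, new_port = opts['src_dip'], opts.get('src_dport')
        if proto:
            argv += ['-p', proto]
        argv += _addr('-s', opts.get('src_ip')) + _addr('-d', match_ip)
        argv += _ports('--sport', opts.get('src_port'), proto)
        argv += _ports('--dport', match_port, proto)
        if target == 'DNAT' and new_ip is None:
            # no internal host: deliver to a port on the router itself (transparent proxy)
            argv += ['-j', 'REDIRECT', '--to-ports', opts['dest_port']]
        else:
            # --to-destination / --to-source keep the 1000-1100 range spelling
            suffix = ':' + new_port if new_port and proto else ''
            flag = '--to-destination' if target == 'DNAT' else '--to-source'
            argv += ['-j', target, flag, new_ip + suffix]
        cmds.append(' '.join(argv))
    return cmds


if __name__ == '__main__':
    # the "Opening ports" and "Transparent proxy (external)" examples from this page
    for cmd in render_rule({'src': 'wan', 'dest_port': '22', 'proto': 'tcp', 'target': 'ACCEPT'}):
        print(cmd)
    for cmd in render_redirect({'src': 'lan', 'proto': 'tcp', 'src_ip': '!192.168.1.100',
                                'src_dport': '80', 'dest_ip': '192.168.1.100', 'dest_port': '3128'}):
        print(cmd)
```

The ''-I'' in every command mirrors the advice in the //includes// section: inserted rules are evaluated before the generic ones. When a rendered command is not what you expected (for instance a ''dest_port'' silently dropped because ''proto'' is ''all''), the UCI section needs fixing, not the iptables output.
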
==== IPv6 tunnel forwarding ====

:!: This example is for IPv6 tunnels only, and does not apply to native dual-stack interfaces.\\
:!: This example only applies to the firewall v2 package and later (only in Trunk, not yet in Backfire).

In order to be able to address the IPv6 tunnel interface with uci firewall rules, you need to cover it in the network configuration first.
Assuming an established SixXS tunnel, the example below declares a [[doc:uci:network#interfaces|logical interface]] ''wan6'' on top of the ''sixxs'' tunnel interface:

<code>
config interface wan6
        option proto            none
        option ifname           sixxs
</code>

IPv6 packets are by default not forwarded from lan to your wan6 interface; make sure to add ''net.ipv6.conf.all.forwarding=1'' to ''/etc/sysctl.conf'' to enable it permanently.
Add the following sections to the firewall config to cover the ''wan6'' interface:

<code>
config zone
        option name             wan6
        option input            REJECT
        option output           ACCEPT
        option forward          REJECT
        option family           ipv6
        option mtu_fix          0

config forwarding
        option src              lan
        option dest             wan6
</code>

The ''family'' option ensures that the zone and all associated entries (''rule'', ''forwarding'' and ''redirect'' sections) are only added to //ip6tables// and not to //iptables//.

==== About iptables rule files ====

Traditional iptables rules are kept in an external file of rule definitions that is loaded from the shell command line. Several such files can be referenced from this configuration file, as follows:
<code>
config include
        option path /etc/firewall.user

config include
        option path /etc/firewall.vpn
</code>

Note that OpenWrt configures iptables through UCI, which differs from the traditional Linux practice, whereas the rules inside the two files referenced above must be written in the traditional Linux way. For how to write those rule files, see [[doc:howto:netfilter#configuration|netfilter]].

===== Firewall management =====

After a configuration change, firewall rules are rebuilt by executing ''/etc/init.d/firewall restart''; calling ''/etc/init.d/firewall stop'' will flush all rules and set the policies to ACCEPT on all standard chains.
To manually start the firewall, call ''/etc/init.d/firewall start''.

The firewall can be permanently disabled by executing ''/etc/init.d/firewall disable''.
Note that ''disable'' does not flush the rules, so it might be required to issue a ''stop'' before.
Use ''enable'' to activate the firewall again.

===== Hotplug hooks (8.09.2+) =====

In addition to //includes// it is possible to let the firewall execute //hotplug handlers// when interfaces are added to a zone or removed from it. This is useful to create rules on the fly for interfaces with dynamic IP configurations (DHCP, PPPoE).

Each time an interface is added to or removed from a zone, all scripts in the ''/etc/hotplug.d/firewall/'' directory are executed. Scripts must be named in the form ''NN-name'' with ''NN'' being a numeric index between ''00'' and ''99''. The ''name'' can be freely chosen.

Once a handler script is invoked, the information about the event is passed through the environment.
The table below lists the defined variables and their meaning.

^ Variable ^ Description ^
| ACTION | Type of the event: ''add'' if an interface was added, ''remove'' if it was removed |
| ZONE | Name of the firewall zone the interface was added to or removed from |
| INTERFACE | OpenWrt name of the interface, for example "lan" or "wan"; corresponds to the interfaces defined in ''/etc/config/network'' |
| DEVICE | The physical interface involved, for example "eth0" or "ppp0" |

===== Implications of DROP vs. REJECT =====

The decision whether to //drop// or to //reject// traffic should be made on a case-by-case basis. Many people see dropping traffic as a security advantage over rejecting it because it exposes less information to a hypothetical attacker.
While dropping slightly increases security, it can also complicate the debugging of network issues or cause unwanted side-effects in client programs.

If traffic is //rejected//, the router responds with an ICMP error message ("destination port unreachable"), causing the connection attempt to fail immediately. This also means that for each connection attempt a certain amount of response traffic is generated. This can actually do harm if the firewall is "attacked" with many simultaneous connection attempts: the resulting "backfire" of ICMP responses can clog up all available upload bandwidth and make the connection unusable (DoS).

When connection attempts are //dropped//, the client is not aware of the blocking and will continue to retransmit its packets until the connection eventually times out. Depending on the way the client software is implemented, this could result in frozen or hanging programs that need to wait until a timeout occurs before they are able to continue.

**DROP**
  * less information is exposed
  * no response traffic that an attacker can provoke
  * client software may not cope well with it (hangs until the connection times out)
  * may complicate network debugging (where was traffic dropped, and why)

**REJECT**
  * may expose information (like the IP at which traffic was actually blocked)
  * client software can recover faster from rejected connection attempts
  * network debugging is easier (routing and firewall issues are clearly distinguishable)


===== Note on connection tracking (NOTRACK) =====

By default, the firewall disables connection tracking for a zone if masquerading is not enabled for it. This is achieved by generating //NOTRACK// firewall rules matching all traffic passing via the interfaces referenced by the zone. The purpose of //NOTRACK// is to speed up routing and save memory by bypassing resource-intensive connection tracking where it is not needed. You can check whether connection tracking is disabled by issuing ''iptables -t raw -vnL''; it lists all rules in the //raw// table, so look for the //NOTRACK// target.

:!: //NOTRACK// renders certain iptables extensions unusable; for example the //MASQUERADE// target or the //state// match will not work!

If connection tracking is required, for example by custom rules in ''/etc/firewall.user'', the ''conntrack'' option must be enabled in the corresponding zone to disable //NOTRACK//. It should appear as ''option 'conntrack' '1' '' in the right zone in ''/etc/config/firewall''.
For further information see http://security.maruhn.com/iptables-tutorial/x4772.html .

==== How to delete rules ====

If you make a mistake you can delete a rule this way. First, issue this command to list the rules of a table with their positions (''-t raw'' here; use ''-t filter'' or ''-t nat'' for rules living in those tables):

<code>
# iptables -L -t raw --line-numbers
</code>

Now, to delete e.g. the third rule from the chain OUTPUT, execute:

<code>
# iptables -t raw -D OUTPUT 3
</code>

===== Further reading =====

==== Understanding the iptables/netfilter framework ====

==== References ====
1. http://www.netfilter.org/
\\   The official home page of the netfilter framework.

2. http://zh.wikipedia.org/zh/TCP/IP%E5%8D%8F%E8%AE%AE
\\   All internet protocols build on TCP/IP; a basic understanding of this protocol suite helps in mastering iptables.

3. <TCP/IP Illustrated, Volume 1: The Protocols>
\\   ISBN-10: 0321336313
\\   Author: W. Richard Stevens
\\   Published in Chinese translation as <TCP/IP协议详解 卷1>; a second edition now exists.

4. <Modern Operating Systems>
\\   Author: Andrew S. Tanenbaum
\\   Further study or application of iptables inevitably touches on operating system kernel internals, and this book is an authority on them; for example, it explains the difference between kernel space and user space mentioned above.