From 38664cee7853a7fa4334d64a063de5e68ecb0ecc Mon Sep 17 00:00:00 2001 From: Zhe Weng Date: Tue, 11 Jun 2024 17:12:53 +0800 Subject: [PATCH] Documentation: Add docs for ipfilter Signed-off-by: Zhe Weng --- Documentation/components/net/index.rst | 1 + Documentation/components/net/ipfilter.rst | 125 ++++++++++++++++++++++ 2 files changed, 126 insertions(+) create mode 100644 Documentation/components/net/ipfilter.rst diff --git a/Documentation/components/net/index.rst b/Documentation/components/net/index.rst index 24218071df..ebefe8d32c 100644 --- a/Documentation/components/net/index.rst +++ b/Documentation/components/net/index.rst @@ -8,6 +8,7 @@ Network Support sixlowpan.rst socketcan.rst pkt.rst + ipfilter.rst nat.rst netdev.rst netdriver.rst diff --git a/Documentation/components/net/ipfilter.rst b/Documentation/components/net/ipfilter.rst new file mode 100644 index 0000000000..a69bcb99ea --- /dev/null +++ b/Documentation/components/net/ipfilter.rst @@ -0,0 +1,125 @@ +================ +IP Packet Filter +================ + +NuttX supports IP packet filter (firewall) compatible with Linux's iptables and +netfilter. It is a stateless packet filter that can be used to filter packets +based on source and destination IP addresses, source and destination ports, +protocol, and interface. + +Workflow +======== + +Similar to Linux's iptables, NuttX's IP packet filter defines chains at similar +points in the packet processing path. The following diagram shows the packet +processing path and the chains that are defined in NuttX's IP packet filter. + +:: + + NIC ──> ipv[46]_input ─┬─> ipv[46]_forward ──> [FORWARD CHAIN] ──> devif_poll_out ──> NIC + │ ^ + │ ┌─> tcp ─┐ │ + │ ├─> udp ─┤ │ + └─> [INPUT CHAIN] ─┼─> icmp ─┼─> [OUTPUT CHAIN] ─┘ + ├─> icmp6 ─┤ + └─> ... ─┘ + +Configuration Options +===================== + +``CONFIG_NET_IPFILTER`` + Enable this option to enable the IP packet filter (firewall). + +``CONFIG_NET_IPTABLES`` + Enable or disable iptables compatible interface (including ip6tables). + +``CONFIG_SYSTEM_IPTABLES`` + Enable support for the 'iptables' command. + +``CONFIG_SYSTEM_IP6TABLES`` + Enable support for the 'ip6tables' command. + +Usage +===== + +With `iptables` command, we can add, delete, and list rules in the IP packet +filter. It's similar to the `iptables` command in Linux. + +The following examples show the commands we support: + +.. code-block:: shell + + > iptables -h + + USAGE: iptables -t table -[AD] chain rule-specification + iptables -t table -I chain [rulenum] rule-specification + iptables -t table -D chain rulenum + iptables -t table -P chain target + iptables -t table -[FL] [chain] + + Commands: + --append -A chain Append a rule to chain + --insert -I chain [rulenum] Insert a rule to chain at rulenum (default = 1) + --delete -D chain [rulenum] Delete matching rule from chain + --policy -P chain target Set policy for chain to target + --flush -F [chain] Delete all rules in chain or all chains + --list -L [chain] List all rules in chain or all chains + + Options: + --table -t table Table to manipulate (default: filter) + --jump -j target Target for rule + [!] --in-interface -i dev Input network interface name + [!] --out-interface -o dev Output network interface name + [!] --source -s address[/mask] Source address + [!] --destination -d address[/mask] Destination address + [!] --protocol -p proto Protocol (tcp, udp, icmp, esp, all) + [!] --source-port,--sport + port[:port] Source port + [!] --destination-port,--dport + port[:port] Destination port + [!] --icmp-type type ICMP type + [!] --icmpv6-type type ICMPv6 type + +.. code-block:: shell + + > iptables -P FORWARD DROP + > iptables -I INPUT -i eth0 ! -p icmp -j DROP + > iptables -t filter -A FORWARD -p tcp -s 10.0.1.2/24 -d 10.0.3.4/24 -i eth0 -o eth1 --sport 3000:3200 --dport 123:65535 -j ACCEPT + > iptables -t filter -I FORWARD 2 -p icmp ! -s 123.123.123.123 ! -i eth0 -o eth1 ! --icmp-type 255 -j REJECT + + > iptables -L + Chain INPUT (policy ACCEPT) + target prot idev odev source destination + DROP !icmp eth0 any anywhere anywhere + + Chain FORWARD (policy DROP) + target prot idev odev source destination + ACCEPT tcp eth0 eth1 10.0.1.2/24 10.0.3.4/24 tcp spts:3000:3200 dpts:123:65535 + REJECT icmp !eth0 eth1 !123.123.123.123/32 anywhere icmp !type 255 + + Chain OUTPUT (policy ACCEPT) + target prot idev odev source destination + +.. code-block:: shell + + > ip6tables -P FORWARD DROP + > ip6tables -t filter -I FORWARD -p tcp -s fc00::2/64 -d 2001:da8::2:4/64 -i eth0 -o eth1 --sport 3000:3200 --dport 123:65535 -j ACCEPT + > ip6tables -t filter -I FORWARD -p icmpv6 -s fc00::2/64 -d 2001:da8::2:4/64 -i eth0 -o eth1 --icmpv6-type 123 -j ACCEPT + > ip6tables -t filter -I FORWARD -p tcp -i eth0 -o eth1 --sport 3000 -j ACCEPT + > ip6tables -t filter -I FORWARD 1 ! -p tcp ! -s fc00::2/64 ! -d 2001:da8::2:4/64 ! -i eth0 ! -o eth1 ! --sport 3000:3200 ! --dport 0:123 -j DROP + > ip6tables -t filter -I FORWARD 3 ! -p icmpv6 ! -s fc00::2/64 -d 2001:da8::2:4/64 ! -i eth0 -o eth1 ! --icmpv6-type 255 -j REJECT + + > ip6tables -L + Chain INPUT (policy ACCEPT) + target prot idev odev source destination + + Chain FORWARD (policy DROP) + target prot idev odev source destination + DROP !tcp !eth0 !eth1 !fc00::2/64 !2001:da8::2:4/64 tcp spts:!3000:3200 dpts:!0:123 + ACCEPT tcp eth0 eth1 anywhere anywhere tcp spts:3000:3000 dpts:0:65535 + REJECT !ipv6-icmp !eth0 eth1 !fc00::2/64 2001:da8::2:4/64 ipv6-icmp !type 255 + ACCEPT ipv6-icmp eth0 eth1 fc00::2/64 2001:da8::2:4/64 ipv6-icmp type 123 + ACCEPT tcp eth0 eth1 fc00::2/64 2001:da8::2:4/64 tcp spts:3000:3200 dpts:123:65535 + + Chain OUTPUT (policy ACCEPT) + target prot idev odev source destination