iptables可以很方便的构建系统防火墙,那它是如何实现的呢?Linux内核添加了netfilter机制,在IP协议栈上传递过程中,选择了5个检查点。利用5个检测点,查阅用户注册的回调处理函数,根据用户自定义回调函数监视进出的网络数据包。
有了上面的知识,可以实现自己的iptables。
一.编码
该示例简单拦截所有到达本机的http请求。
#ifndef __KERNEL__ #define __KERNEL__ #endif /* __KERNEL__ */ #include#include #include #include #include #include #include // ip4 netfilter,ipv6则需引入相应 linux/netfilter_ipv6.h #include #include #define PORT 80 // 过滤http数据包 static int filter_http(char *type,struct sk_buff *pskb) { int retval = NF_ACCEPT; struct sk_buff *skb = pskb; struct iphdr *iph = ip_hdr(skb); // 获取ip头 struct tcphdr *tcp = NULL; char *p = NULL; // 解析TCP数据包 if( iph->protocol == IPPROTO_TCP ) { tcp = tcp_hdr(skb); p = (char*)(skb->data+iph->tot_len); // 注:sk_buff的data字段数据从ip头开始,不包括以太网数据帧 printk("%s: " "%d.%d.%d.%d => %d.%d.%d.%d " "%u -- %u\n" type, (iph->saddr&0x000000FF)>>0, (iph->saddr&0x0000FF00)>>8, (iph->saddr&0x00FF0000)>>16, (iph->saddr&0xFF000000)>>24, (iph->daddr&0x000000FF)>>0, (iph->daddr&0x0000FF00)>>8, (iph->daddr&0x00FF0000)>>16, (iph->daddr&0xFF000000)>>24, htons(tcp->source), htons(tcp->dest) ); if( htons(tcp->dest) == PORT ) // 当目标端口为80,则丢弃 { retval = NF_DROP; } } return retval; } static unsigned int NET_HookLocalIn(unsigned int hook, struct sk_buff *pskb, const struct net_device *in, const struct net_device *out, int (*okfn)(struct sk_buff*)) { return filter_http("in",pskb); } static unsigned int NET_HookLocalOut(unsigned int hook, struct sk_buff *pskb, const struct net_device *in, const struct net_device *out, int (*okfn)(struct sk_buff*)) { return filter_http("out",pskb); } static unsigned int NET_HookPreRouting(unsigned int hook, struct sk_buff *pskb, const struct net_device *in, const struct net_device *out, int (*okfn)(struct sk_buff*)) { return NF_ACCEPT; } static unsigned int NET_HookPostRouting(unsigned int hook, struct sk_buff *pskb, const struct net_device *in, const struct net_device *out, int (*okfn)(struct sk_buff*)) { return NF_ACCEPT; } static unsigned int NET_HookForward(unsigned int hook, struct sk_buff *pskb, const struct net_device *in, const struct net_device *out, int (*okfn)(struct sk_buff*)) { return NF_ACCEPT; } // 钩子数组 static struct nf_hook_ops net_hooks[] = { { .hook = NET_HookLocalIn, // 发往本地数据包 .owner = THIS_MODULE, .pf = PF_INET, .hooknum = NF_INET_LOCAL_IN, .priority = NF_IP_PRI_FILTER-1, }, { .hook = NET_HookLocalOut, // 本地发出数据包 .owner = THIS_MODULE, .pf = PF_INET, .hooknum = NF_INET_LOCAL_OUT, .priority = NF_IP_PRI_FILTER-1, }, { .hook = NET_HookForward, // 转发的数据包 .owner = THIS_MODULE, .pf = PF_INET, .hooknum = NF_INET_FORWARD, .priority = NF_IP_PRI_FILTER-1, }, { .hook = NET_HookPreRouting, // 进入本机路由前 .owner = THIS_MODULE, .pf = PF_INET, .hooknum = NF_INET_PRE_ROUTING, .priority = NF_IP_PRI_FILTER-1, }, { .hook = NET_HookPostRouting, // 本机发出包经路由后 .owner = THIS_MODULE, .pf = PF_INET, .hooknum = NF_INET_POST_ROUTING, .priority = NF_IP_PRI_FILTER-1, }, }; static int __init nf_init(void) { int ret = 0; ret = nf_register_hooks(net_hooks,ARRAY_SIZE(net_hooks)); // 安装钩子 if(ret) { printk(KERN_ERR "register hook failed\n"); return -1; } return 0; } static void __exit nf_exit(void) { nf_unregister_hooks(net_hooks,ARRAY_SIZE(net_hooks)); // 卸载钩子 } module_init(nf_init); module_exit(nf_exit); MODULE_LICENSE("Dual BSD/GPL"); MODULE_AUTHOR("kettas"); MODULE_DESCRIPTION("Netfilter Demo"); MODULE_VERSION("1.0.1"); MODULE_ALIAS("Netfilter 01");
二.测试
上图发现当没启动netfilter_test.ko时,192.168.4.190可以正常接收192.168.5.212发送过来的hello,当启动驱动后,192.168.4.190无法收到来自192.168.5.212发送的world字符串。
三. 应用拦截
在用户上网行为管控场景下,需要对识别的应用放行或拦截,有以下两种方案实现。
1. 内核态
通过netfilter直接DROP数据包。内核态性能最优,但开发调试难度较大。
2. 用户态
旁路方式采集数据包,然后直接伪造HTTP,TCP,UDP等协议的应答,后到的数据包会被协议丢弃,从而达到阻断应用的目的。
用户态开发调试效率高,但对采集性能提出很高的要求。但是在某些嵌入式环境下,由于资源限制,无法高效采集数据包。