码迷,mamicode.com
首页 > 移动开发 > 详细

Android网络安全:Netfilter与iptables

时间:2016-05-22 12:15:42      阅读:318      评论:0      收藏:0      [点我收藏+]

标签:

Android 4.4.4
1、Netfilter与iptables关系
Netfilter:
    http://www.netfilter.org/:
    Netfilter is a framework provided by the Linux kernel that allows various networking-related operations to be 
    implemented in the form of customized handlers. 

    Netfilter offers various functions and operations for packet filtering, network address translation, and port translation, which provide the functionality required for directing packets through a network, as well as for providing ability to prohibit packets from reaching sensitive locations within a computer network.

Netfilter 利用一些封包过滤的【规则】设定,来定义出什么数据包可以接收, 什么数据包需要剔除。位于内核层。
iptables 通过命令的方式对Netfilter 规则进行排序与修改。位于用户层。

用户的iptables和内核的Netfilter之间的关系和其通讯方式:

技术分享

注:感谢,图片来自http://blog.chinaunix.net/uid-23069658-id-3160506.html

Netfilter 与IP 协议栈无缝契合,因此它的效率非常的高。主要完成:

拒绝让 Internet 的封包进入主机的某些端口口
拒绝让某些来源 IP 的封包进入
拒绝让带有某些特殊标志 (flag) 的封包进入,最常拒绝的就是带有 SYN 的主动联机的flag,只要一经发现就将该封包丢弃
分析硬件地址 (MAC) 来决定联机与否

2、Netfilter工作流程
技术分享

注:感谢,图片来自http://blog.chinaunix.net/uid-23069658-id-3160506.html

收到的每个数据包,都从“A”点进来,经过路由判决,如果是发送给本机的就经过“B”点,然后往协议栈的上层继续传递;否则,如果该数据包的目的地是不本机,那么就经过“C”点,然后顺着“E”点将该包转发出去。
Netfilter在A,B,C,D和E设置回调函数(hook函数),对每一个进出的数据包进行检测,检测完向Netfilter报告一下该数据包的情况,返回结果含:
netfilter.h (kernel\include\uapi\linux)
NF_ACCEPT 继续正常传输数据报,这个返回值告诉 Netfilter:到目前为止,该数据包还是被接受的并且该数据包应当被递交到网络协议栈的下一个阶段。
NF_DROP 丢弃该数据报,不再传输。
NF_STOLEN 回调函数接管该数据报,该回调函数从此开始对数据包的处理,并且Netfilter应当放弃对该数据包做任何的处理。
NF_QUEUE 对该数据报进行排队(通常用于将数据报给用户空间的进程进行处理)
NF_REPEAT 再次调用该回调函数,应当谨慎使用这个值,以免造成死循环。
NF_STOP 功能和NF_ACCEPT类似但强于NF_ACCEPT,一旦挂接链表中某个hook节点返回NF_STOP,该skb包就立即结束检查而被其他模块接受,不再需要进入后续hook点检查。

和A,B,C,D,E五个点对应的在Netfilter中的术语为:

技术分享

注:感谢,图片来自http://blog.chinaunix.net/uid-23069658-id-3160506.html
Netfilter支持的协议栈:
netfilter.h (kernel\include\uapi\linux)
enum {
	NFPROTO_IPV4   =  2,
	NFPROTO_ARP    =  3,
	NFPROTO_BRIDGE =  7,
	NFPROTO_IPV6   = 10,
	NFPROTO_DECNET = 12,
};
以Ipv4为例,从协议栈正常流程,经过A,B,C,D,E每个点时,切入到Netfilter框架中,依次去调用每个HOOK点的回调(钩子)函数,检查完后返回,根据结果确定之后走向:
ip_input.c (kernel\net\ipv4)
ip_output.c (kernel\net\ipv4)
ip_forward.c (kernel\net\ipv4)


(1):NF_HOOK(NFPROTO_IPV4, NF_INET_PRE_ROUTING, skb, dev, NULL,ip_rcv_finish)
(2):NF_HOOK(NFPROTO_IPV4, NF_INET_LOCAL_IN, skb, skb->dev, NULL,ip_local_deliver_finish);
(3):NF_HOOK(NFPROTO_IPV4, NF_INET_FORWARD, skb, skb->dev, rt->u.dst.dev,ip_forward_finish);
(4):NF_HOOK(NFPROTO_IPV4, NF_INET_LOCAL_OUT, skb, NULL, skb->dst->dev, dst_output);
(5):NF_HOOK_COND(NFPROTO_IPV4, NF_INET_POST_ROUTING, skb, NULL, dev,ip_finish_output, cond);


NF_HOOK(pf, hook, skb, in,  out, okfn)
pf:协议栈名称,定义在socket.h (kernel\include\linux)
hook:HOOK点的名字,对于IPv4就是上述五个值
skb:内核中网络数据包的结构体
in:数据包进来的设备,以struct net_device结构表示
out:数据包出去的设备,以struct net_device结构表示
okfn:函数指针,该HOOK点的所有登记的函数调用完后调用该函数

3、用户层iptables与内核交互方式、流程
Netfilter框架具有三个主要模块,如下:

技术分享

iptables维护这三张表,查看或设置使用参数-t:

iptables -t filter -L
iptables -t nat -L
iptables -t mangle -L

内核负责和用户层iptables命令交互的是ip-tables模块:
ip_tables.c (kernel\net\ipv4\netfilter)	56679	2016-03-08
static int __init ip_tables_init(void)
{
	/* Register setsockopt */
	ret = nf_register_sockopt(&ipt_sockopts);
	if (ret < 0)
		goto err5;
	pr_info("(C) 2000-2006 Netfilter Core Team\n"); // 系统启动打印该log
	return 0;
}
static void __exit ip_tables_fini(void)

module_init(ip_tables_init);
module_exit(ip_tables_fini);

用户层iptables通过setsockopt/getsockopt设置/查询这三张表,并最终调用ip_tables_init()注册的do_ipt_set_ctl/do_ipt_get_ctl()函数:
ip_tables.c (kernel\net\ipv4\netfilter)
static struct nf_sockopt_ops ipt_sockopts = {
	.set		= do_ipt_set_ctl,
	.get		= do_ipt_get_ctl,
	.owner		= THIS_MODULE,
};

ip_tables.c (kernel\net\ipv4\netfilter)
static int do_ipt_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
{
	switch (cmd) {
	case IPT_SO_SET_REPLACE:
		ret = do_replace(sock_net(sk), user, len);
		break;
	case IPT_SO_SET_ADD_COUNTERS:
		ret = do_add_counters(sock_net(sk), user, len, 0);
		break;
	default:
		ret = -EINVAL;
	}
	return ret;
}
static intdo_ipt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
{
	switch (cmd) {
	case IPT_SO_GET_INFO:
		ret = get_info(sock_net(sk), user, len, 0);
		break;
	case IPT_SO_GET_ENTRIES:	
		ret = get_entries(sock_net(sk), user, len);
		break;
	case IPT_SO_GET_REVISION_MATCH:
	case IPT_SO_GET_REVISION_TARGET:
		break;
	}
	default:
		ret = -EINVAL;
	}
	return ret;
}

4、Netfilter默认rules的创建
在没有使用iptables命令设置规则表(filter表、nat表、mangle表)的情况下,系统也自动生成默认的规则表,如下filter表:
(只列出INPUT链)
root@KoolRegister:/ # iptables -t filter -L                                    
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
bw_INPUT   all  --  anywhere             anywhere            
fw_INPUT   all  --  anywhere             anywhere

这个默认规则在代码里通过iptables命令生成:

CommandListener.cpp (system\netd)
CommandListener::CommandListener(UidMarkMap *map) :FrameworkListener("netd", true)
{
    // Create chains for children modules
    createChildChains(V4V6, "filter", "INPUT", FILTER_INPUT);
    createChildChains(V4V6, "filter", "FORWARD", FILTER_FORWARD);
    createChildChains(V4V6, "filter", "OUTPUT", FILTER_OUTPUT);
    createChildChains(V4V6, "raw", "PREROUTING", RAW_PREROUTING);
    createChildChains(V4V6, "mangle", "POSTROUTING", MANGLE_POSTROUTING);
    createChildChains(V4V6, "mangle", "OUTPUT", MANGLE_OUTPUT);
    createChildChains(V4, "nat", "PREROUTING", NAT_PREROUTING);
    createChildChains(V4, "nat", "POSTROUTING", NAT_POSTROUTING);
}

    CommandListener.cpp (system\netd)
    /**
     * List of module chains to be created, along with explicit ordering. ORDERING
     * IS CRITICAL, AND SHOULD BE TRIPLE-CHECKED WITH EACH CHANGE.
     */
    static const char* FILTER_INPUT[] = {
            // Bandwidth should always be early in input chain, to make sure we
            // correctly count incoming traffic against data plan.
            BandwidthController::LOCAL_INPUT, // "bw_INPUT"
            FirewallController::LOCAL_INPUT, // "fw_INPUT"
            NULL,
    };

    【log截图中绿色框部分】
    void createChildChains(IptablesTarget target, const char* table, const char* parentChain, const char** childChains);
    -->int execIptablesSilently(IptablesTarget target, ...);
    ---->int execIptables(IptablesTarget target, bool silent, va_list args) {
            const char *argv[argsList.size()];
            ...
            argv[0] = IPTABLES_PATH; // IPTABLES_PATH = "/system/bin/iptables"
        }
    ------>int execIptablesCommand(int argc, const char *argv[], bool silent);
    -------->int android_fork_execvp(int argc, char* argv[], int *status,boolignore_int_quit, bool logwrap) {
                 pid = fork();
                 if (pid == 0) {
                     child(argc, argv);
                 }
             }
    ---------->static void child(int argc, char* argv[]) {
                   // create null terminated argv_child array
                   char* argv_child[argc + 1];
                   memcpy(argv_child, argv, argc * sizeof(char *));
                   argv_child[argc] = NULL;
                   if (execvp(argv_child[0], argv_child)) {
                        FATAL_CHILD("executing %s failed: %s\n", argv_child[0],
                        strerror(errno));
                   }
               }
还有一个地方,也用iptables命令设置了规则表:
int NatController::setupIptablesHooks() {
    res = setDefaults();
【log截图中蓝色框部分】    
struct CommandsAndArgs defaultCommands[] = {
        {{IPTABLES_PATH, "-F", LOCAL_TETHER_COUNTERS_CHAIN,}, 0},
        {{IPTABLES_PATH, "-X", LOCAL_TETHER_COUNTERS_CHAIN,}, 0},
        {{IPTABLES_PATH, "-N", LOCAL_TETHER_COUNTERS_CHAIN,}, 1},
    };
    for (unsigned int cmdNum = 0; cmdNum < ARRAY_SIZE; cmdNum++) {
        if (runCmd(ARRAY_SIZE, defaultCommands[cmdNum].cmd) && defaultCommands[cmdNum].checkRes) {}
    }
}

【log截图中黄色框部分】
int NatController::setDefaults() {
    struct CommandsAndArgs defaultCommands[] = {
        {{IPTABLES_PATH, "-F", LOCAL_FORWARD,}, 1},
        {{IPTABLES_PATH, "-A", LOCAL_FORWARD, "-j", "DROP"}, 1},
        {{IPTABLES_PATH, "-t", "nat", "-F", LOCAL_NAT_POSTROUTING}, 1},
        {{IP_PATH, "rule", "flush"}, 0},
        {{IP_PATH, "-6", "rule", "flush"}, 0},
        {{IP_PATH, "rule", "add", "from", "all", "lookup", "default", "prio", "32767"}, 0},
        {{IP_PATH, "rule", "add", "from", "all", "lookup", "main", "prio", "32766"}, 0},
        {{IP_PATH, "-6", "rule", "add", "from", "all", "lookup", "default", "prio", "32767"}, 0},
        {{IP_PATH, "-6", "rule", "add", "from", "all", "lookup", "main", "prio", "32766"}, 0},
        {{IP_PATH, "route", "flush", "cache"}, 0},
    };
    for (unsigned int cmdNum = 0; cmdNum < ARRAY_SIZE; cmdNum++) {
        if (runCmd(ARRAY_SIZE, defaultCommands[cmdNum].cmd) && defaultCommands[cmdNum].checkRes) {}
    }
}
int NatController::runCmd(int argc, const char **argv) {
    res = android_fork_execvp(argc, (char **)argv, NULL, false, false);
    ALOGV("runCmd(%s) res=%d", full_cmd.c_str(), res);
    return res;
}

Log:

技术分享

参考资料:

1、鸟哥的Linux私房菜服务器架设篇(第三版)——第九章、防火墙与 NAT 服务器
2、http://www.netfilter.org/
3、iptables使用文档:https://www.frozentux.net/iptables-tutorial/iptables-tutorial.html 
4、系列:
   (一)洞悉linux下的Netfilter&iptables:什么是Netfilter?()
   (二)洞悉linux下的Netfilter&iptables:内核中的ip_tables小觑 (http://blog.chinaunix.net/uid-23069658-id-3162264.html)
   (三)洞悉linux下的Netfilter&iptables:内核中的rule,match和target (http://blog.chinaunix.net/uid-23069658-id-3163999.html)
   (四)洞悉linux下的Netfilter&iptables:包过滤子系统iptable_filter (http://blog.chinaunix.net/uid-23069658-id-3166140.html)

源码路径:

arp_tables.c (kernel\net\ipv4\netfilter)
BandwidthController.cpp (system\netd)
BandwidthController.h (system\netd)
CommandListener.cpp (system\netd)
CommandListener.h (system\netd)
core.c (kernel\net\netfilter)
FirewallController.cpp (system\netd)
FirewallController.h (system\netd)
iptables.h (external\iptables\include)
iptable_filter.c (kernel\net\ipv4\netfilter)
iptable_nat.c (kernel\net\ipv4\netfilter)
iptable_raw.c (kernel\net\ipv4\netfilter)
ip_forward.c (kernel\net\ipv4)
ip_input.c (kernel\net\ipv4)
ip_output.c (kernel\net\ipv4)
ip_tables.c (kernel\net\ipv4\netfilter)
ip_tables.h (kernel\include\linux\netfilter_ipv4)
ip_tables.h (kernel\include\uapi\linux\netfilter_ipv4)
kmod.h (kernel\include\linux)
logwrap.c (system\core\logwrapper)
logwrap.h (system\core\logwrapper\include\logwrap)
NetdCommand.cpp (system\netd)
NetdCommand.h (system\netd)
NetdConstants.cpp (system\netd)
NetdConstants.h (system\netd)
netfilter.h (kernel\include\linux)
netfilter.h (kernel\include\uapi\linux)
nfnetlink.c (kernel\net\netfilter)
nf_sockopt.c (kernel\net\netfilter)
socket.h (kernel\include\linux)
x_tables.c (kernel\net\netfilter)
x_tables.h (kernel\include\linux\netfilter)
x_tables.h (kernel\include\uapi\linux\netfilter)

Android网络安全:Netfilter与iptables

标签:

原文地址:http://blog.csdn.net/u013686019/article/details/51474135

(0)
(0)
   
举报
评论 一句话评论(0
登录后才能评论!
© 2014 mamicode.com 版权所有  联系我们:gaon5@hotmail.com
迷上了代码!