Linux Wϥ IP-Masquerade ҿת IP ˥HKFӥ\C
Linux W IPMASQ ] kernel @Ǯ֤ߥ\վLAҥH]wu
]P֤ߪҥHP.
kernel 2.0.x ɥNAOϥ ipfwadm {C(oӻkOT)
kernel 2.1.x/2.2.x ɥNAhOϥ ipchains {
kernel 2.3.x/2.4.x ɥNAϥ netfilter LoA Oϥ
iptables {C
tiӬݡAثe kernel 2.4 tXϥ netfilter ֤߹LoA
iHF쪺\۷.... netfilter ѨǾOH
:
1. Dz ipchains \(ӷPتʥ]LoBɦVB)
2. Source NAT P Destination NAT \
3. iHwSwϥΪ̡BsաBPID sLos
4. iH]wʥ]b Routing Table iXeɥwBz
5. ѥiH UserSpace {Bz filter C
6. iHw~۰ʫإߡBP{suosuLoBz...
7. iHw Mac dBzC
ipmasq AiH\ŪOH linux Ѫ howto ܨF...
ϥ ipfwadm/ipchains { kernel ҡAiHѦ:
http://www.linux.org.tw/CLDP/IP-Masquerade-HOWTO.html
LӪ½ĶwgӤ[SsFAij媺
IP-Masquerade-HOWTO COHiHWo̧:
http://www.linuxdoc.org
̭F]t port forward nTC
ipmasqadm {ϥΡC
YOzثeϥ kernel 2.3/2.4AiHѦҳogĶ:
http://www.linux.org.tw/CLDP/NAT-HOWTO.html
http://www.linux.org.tw/CLDP/Packet-Filtering-HOWTO.html
ۦPA峡AW http://www.linuxdoc.org ]..
MAYOz linux dist O̪AtΦw˦n
HOWTO Ӥ]iH..
ok.. YOzثenϥ nat \ܡANOTwz֤߬O䴩
linux firewall P ip masquerade \... Lثe\h Linux
Distribution wg IP Masquerade 䴩sJ kernel FA
ҥHs kernel iHL....
MաAثe kernel 2.4.0 release XSh[AҥHYO
zϥ netfilter Ѫ@ǥiAzݭns
֤ߨ 2.4AsĶ֤߮ɭnܧ netfilter Ѫ@ǥ\ॴ}..
(iHܽsJ֤ Ϊ̬OsĶ module)
oҡA]:
~ internet s ip O: 210.1.1.1
鷺Aϥ 192.168.1.1
MAzݭnidA@iNO]w 210.1.1.1At~@i
NO]w 192.168.1.1 (netmask: 255.255.255.0)
t~AH|]\iHϥ ip aliases F@id
NiH ip .. MAoOi檺.. L̤ijϥΦb
nat ҤU.. @̬O]@ nat hbR firewallA
YOϥ ip aliases ~P鷺ʥ]]bP@ interface
WANhʥ]Lo\F... ӤPϬqʥ]]b@_A
į]O|ܮt...
OK.. ثenҰ nat/ipmasq \ܡANOun Linux D
IP Forwarding } (ip e)Aèϥ ipchains/iptables o{
]wnAClient ݴNiHzL Linux ox gateway DUӤWFC
kernel 2.2.x :
echo "1" > /proc/sys/net/ipv4/ip_forward
ipchains -P forward DENY
ipchains -A forward -i eth0 -j MASQ -s 192.168.1.0/24
ipchains -M -S 86400 86400 360 # set the masquerade timeouts (tcp, tcp-fin, udp; seconds)
modprobe ip_masq_ftp # load the ftp masquerading helper so ftp sessions work through the NAT
MAڷQt~@ ipmasq module @_J]\@I...
ip_masq_cuseemeBip_masq_ircBip_masq_mfwBip_masq_pptpB
ip_masq_quakeBip_masq_raudioBip_masq_userBip_masq_vdolive ..
kernel 2.3.x/2.4.x :
echo "1" > /proc/sys/net/ipv4/ip_forward
modprobe ip_tables # only needed when netfilter was built as modules rather than into the kernel
modprobe ip_nat_ftp # as above, the NAT helper for ftp sessions
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j MASQUERADE
WϥΤWAХ`NUtΥثew]C INPUTBOUTPUTBFORWARD CHAIN
OO ACCEPT AӤO DROP/DENY Ϊ̬O REJECTC
for kernel 2.2 :
ipchains -P input ACCEPT
ipchains -P output ACCEPT
ipchains -P forward ACCEPT
YOnNWhMAiHɤW:
ipchains -F
ipchains -X
for kernel 2.4 :
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
YOnNWhMAiHɤW:
iptables -F
iptables -X
iptables -F -t nat
iptables -X -t nat
Wܳª nat/ipmasq AȡASw@ǦwʦҶqA
n٨Ӧۤ ip dAO eth0 oӹ~ interface iJܨN
өڵ.... 𫏆O eth1 W 192.168.1.x oq ip ϬqN
O@ӨҤlCҥHo̭nOAYOnYԤ@IܡAB~]wOܻݭn...
t~ɥRANO port forward Akernel 2.2.x Oϥ
ipmasqadm F:
ipmasqadm portfw -a -P tcp -L 210.1.1.1 25 -R 192.168.1.100 25
ipmasqadm ԭzA nat ~DAiHLHϥ
210.1.1.1 port 25 i tcp AȳsAӸӳsШD|൹D
192.168.1.100 port 25 .. ²满AoԭzO@x mail server
Ob nat [cϥε ipAMzL nat D]w port
줺uDC
YOϥ kernel 2.4 ܡAiptables OhO:
iptables -A PREROUTING -t nat -p tcp -d 210.1.1.1 \
--dport 25 -j DNAT --to 192.168.1.100:25
MAHeHA~ϥ telnet 210.1.1.1 25 TOiH workA
L 192.168.1.x qYO telnet 210.1.1.1 25 N..
ɤWUԭz:
iptables -A OUTPUT -t nat -p tcp -d 210.1.1.1 \
--dport 25 -j DNAT --to 192.168.1.100:25
WO@ port .. YOݭn\O port
ɪܡANOϥ:
iptables -A PREROUTING -t nat -p all -d 210.1.1.1 \
-j DNAT --to 192.168.1.1
ok.. ~XInO:
1. ثe\hHϥ adsl eWAYOϥέpɨܭn`NOA
]zL pppoe o{A|ͤ@ ppp0 interfaceA
MAzL@Ӻd@ʥ]ǿAҥHeOw
eth0 ԭzn令 ppp0 ~T....
2. ϥ nat Aϥε ip sWqA@ϥΤWӬO
j|D... LYOQP internet Wq
CԪܡAi|oͤ@ǰD.... ]\h game su
B@觋b nat [cUhbLku@.... @ѨM觋Aݬ
O_MHgXF ipmasq moduleAJNiHѨMF...
Ϊ̬OX game O port sAM]wn port
forwarding ʧ@YiC
port forwarding Ao̦ӳsѫܦnT:
http://www.tsmservices.com/masq
\h ap {Bgame ѬѨM]wALOw
kernel 2.2.x tXϥ ipmasqadm {.. YOOϥ kernel 2.4
ܡAs@U iptables OΪkAPˤ]OiHC
3. HLkϥ icq ɮסAƦܵLkTǰTHګijs
icq 2000 AMs]w令b firewall ᭱
ϥΡANSDF...
4. n[ثe]wWhAШϥ iptables -L CYO즳ϥ -t xxxx
ܡAШϥ iptables -L -t xxx Cex: iptables -L -t nat
5. e netfilter ֤߾@ bug (Connection State,Related state
bug) |ɭP@ǦwʪDAsee:
http://www.tempest.com.br/advisories/01-2001.html
http://netfilter.samba.org/security-fix/
(Mandrake 8.0 , the kernel is ok )
6. YOJeϥ kernel 2.2 iH`su@ǯxAOΤF
kernel 2.4 oop... ڨҤliNOAiH ping A
LosWDC
echo 0 > /proc/sys/net/ipv4/tcp_ecn
see: http://www.tux.org/lkml for more information
7. ӽg峹ٲ]wdBJ...
jNOoˤlFADЧiA]wjaQסC
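The kernel 2.4 NAT and port-forwarding rules from this post, gathered into one parameterised script so the same ruleset can be regenerated for eth0 or for the ppp0 interface that PPPoE creates. This is an added example, not code from the original post; the interface, public address, inside network and the "proto:wan_port:inside_host:inside_port" forward list are the script's own assumed inputs, and the sample values are the post's 210.1.1.1 / 192.168.1.x addresses.

```shell
#!/bin/sh
# Added example, not code from the original post: emit the kernel 2.4 NAT rules
# described above as one parameterised, re-runnable script. Assumed inputs:
# the WAN interface (eth0, or ppp0 for PPPoE), the public address, the inside
# network, and a list of "proto:wan_port:inside_host:inside_port" forwards.

# nat_rules WAN_IF WAN_IP LAN_NET [FORWARD ...]
# Prints the commands in order; pipe the output to "sh" (as root) to apply
# them, or just read it as a dry run before touching a live gateway.
nat_rules() {
    wan_if=$1; wan_ip=$2; lan_net=$3; shift 3
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    for m in ip_tables ip_conntrack ip_conntrack_ftp ip_conntrack_irc ip_nat_ftp; do
        echo "modprobe $m"
    done
    # start from an empty nat table so re-running the script does not stack duplicates
    echo "iptables -t nat -F"
    echo "iptables -t nat -X"
    # masquerade everything from the inside network that leaves on the WAN side
    echo "iptables -t nat -A POSTROUTING -o $wan_if -s $lan_net -j MASQUERADE"
    # one DNAT per forwarded service, matched on the WAN interface and public address
    # (with a dynamic PPPoE address, drop "-d $wan_ip" and rely on "-i $wan_if" alone)
    for f in "$@"; do
        proto=${f%%:*};    rest=${f#*:}
        wport=${rest%%:*}; rest=${rest#*:}
        host=${rest%%:*};  iport=${rest#*:}
        echo "iptables -t nat -A PREROUTING -i $wan_if -p $proto -d $wan_ip --dport $wport -j DNAT --to $host:$iport"
    done
}

# Constructed sample run: the post's addresses and its mail-server forward
nat_rules eth0 210.1.1.1 192.168.1.0/24 tcp:25:192.168.1.100:25
```

Running it with `ppp0` as the first argument produces the PPPoE variant the post asks for without hand-editing every rule; adding more forwards is just more arguments.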
--
Origin: <bbs.cynix.com.tw>
`ݨ즳Hèϥ port scan nA(ex:nmap) ӶñLH portA
bܰQ @_@
o̴ѴXӤ觋AzL linux kernel 2.4 s֤߾ + iptables
Ӷi@dz]:
# NMAP FIN/URG/PSH
iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
# Xmas Tree
iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL ALL -j DROP
# Another Xmas Tree
iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
# Null Scan(possibly)
iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL NONE -j DROP
# SYN/RST
iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# SYN/FIN -- Scan(possibly)
iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
oOw@ǹOϥ scan nAtXҿת Stealth hñLH
DɡAiHoǫʥ]BzC@NdFAΪ̬O
nsu timeout ~~u@AԪ scan һݪɶC
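What the six `--tcp-flags MASK COMP` rules above actually match is easy to misread: with `ALL` as the mask the packet must carry exactly the listed flags and no others, while with a partial mask such as `SYN,RST` only those two bits are inspected and the rest are ignored. The script below is an added example (not from the original post) that models that test and runs the rule list, in the same order as the chain above, against a few constructed packets; the flag bit values are the script's own encoding.

```shell
#!/bin/sh
# Added example, not code from the original post: a model of the iptables
# "--tcp-flags MASK COMP" test applied to constructed packets, to show what
# each of the six DROP rules above catches and which one fires first.
# The bit values below are this script's own encoding, not kernel constants.
FIN=1; SYN=2; RST=4; PSH=8; ACK=16; URG=32
ALL=$((FIN|SYN|RST|PSH|ACK|URG))

# tcp_flags_match MASK COMP PKT: true when (PKT & MASK) == COMP,
# which is exactly how the kernel evaluates --tcp-flags.
tcp_flags_match() { [ $(( $3 & $1 )) -eq "$2" ]; }

# classify PKT: walk the rules in the order the INPUT chain above uses and
# print the name of the first rule that matches, or "pass" if none does.
classify() {
    p=$1
    if   tcp_flags_match "$ALL" $((FIN|URG|PSH)) "$p";         then echo "nmap-fin-urg-psh"
    elif tcp_flags_match "$ALL" "$ALL" "$p";                   then echo "xmas"
    elif tcp_flags_match "$ALL" $((SYN|RST|ACK|FIN|URG)) "$p"; then echo "xmas-no-psh"
    elif tcp_flags_match "$ALL" 0 "$p";                        then echo "null"
    elif tcp_flags_match $((SYN|RST)) $((SYN|RST)) "$p";       then echo "syn-rst"
    elif tcp_flags_match $((SYN|FIN)) $((SYN|FIN)) "$p";       then echo "syn-fin"
    else echo "pass"
    fi
}

# Constructed sample packets: ordinary traffic passes, malformed flag sets are named
classify "$SYN"            # normal connection open  -> pass
classify $((SYN|ACK))      # normal handshake reply  -> pass
classify $((PSH|ACK))      # normal data segment     -> pass
classify "$ALL"            # every flag set          -> xmas
classify 0                 # no flags at all         -> null
classify $((SYN|FIN|ACK))  # SYN and FIN together, other bits ignored -> syn-fin
```

Note that a packet with SYN, RST and ACK set is caught by the `SYN,RST` rule even though it is not an exact match for any of the `ALL`-mask rules; that is the difference between the two mask styles, and it is why the partial-mask rules belong after the exact-match ones.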
--
UOڳ]w iptables @²WhAiHѦҤ@UC(P NAT L)
# load modules
modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc
# flush the existing rules
iptables -F
iptables -X
iptables -F -t nat
iptables -X -t nat
# FORWARD
iptables -P FORWARD DROP
# accept everything from our own network, i.e. the internal side is not filtered
iptables -A INPUT -p all -s ip_net/netmask -j ACCEPT
# services allowed from outside
iptables -A INPUT -i eth0 -p tcp --dport 20 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 23 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 110 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 113 -j ACCEPT
iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -m state --state NEW,INVALID -j DROP
WO}\ port 20B21B22B23B25B53B110B113 AȤ~
Q~ҳsuC
port 20B21 : ftp ϥΪC
port 22 : ssh su
port 23 : telnet suCKϥΡAꤣ}wC
port 25 : sendmail ϥΡCHiHHiӡC
port 53 : dns ϥΡCdns ݭn} udp ϥΡC
port 110 : pop3 ϥ
port 113 : auth T{Cڥ}O@Ǩϥθ 113 T{D
ܩϬdɷ|dܤ[C
̫@ODʳsuΪ̬OXksuA@߳qqڵC
o script eAܾAΥu\~sSw port AȡAѤUl
port Nڵ~DʫإߪsuCϥ Modem AuƱ̭iH
`suXhA~LksuiӳoӻݨDC(ps: modem Oϥ ppp0
oǤAW eth0 n令 ppp0 )
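Before trusting a ruleset like the one above it helps to read it back from the running kernel (`iptables -S INPUT`) and check what it really exposes. The script below is an added example, not from the original post: it audits a saved INPUT chain in `iptables -S` format, lists the services accepted from outside, checks whether unsolicited NEW traffic on a given interface ends in DROP, and flags the cleartext telnet port the post itself suggests leaving closed. The rule dump it reads is constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post: audit an INPUT chain in
# "iptables -S INPUT" format. The dump below is constructed for the example
# and mirrors the post's ruleset, with the outside interface on eth0.
sample_rules() {
cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -s 192.168.1.0/24 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 23 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -m state --state INVALID,NEW -j DROP
EOF
}

# open_ports: read rules on stdin, print "proto/port" for every ACCEPT rule keyed on --dport
open_ports() {
    awk '/-j ACCEPT/ && /--dport/ {
            for (i = 1; i <= NF; i++) { if ($i == "-p") p = $(i+1); if ($i == "--dport") d = $(i+1) }
            print p "/" d }'
}

# new_inbound_dropped IFACE: succeed only if unsolicited NEW traffic arriving
# on IFACE is dropped, either by a state rule for that interface or by the policy.
new_inbound_dropped() {
    awk -v ifc="$1" '
        /^-P INPUT (DROP|REJECT)/ { policy_drop = 1 }
        /^-A INPUT/ && $0 ~ ("-i " ifc " ") && /--state [A-Z,]*NEW/ && /-j (DROP|REJECT)/ { rule_drop = 1 }
        END { exit !(policy_drop || rule_drop) }'
}

# risky_ports: read "proto/port" lines, name the cleartext login service (telnet)
risky_ports() { grep -E '^tcp/23$' | sed 's|^|cleartext login service open: |'; }

sample_rules | open_ports
sample_rules | new_inbound_dropped eth0 && echo "NEW inbound on eth0 is dropped"
sample_rules | open_ports | risky_ports
```

Run against the sample, the interface check passes for eth0 but fails for ppp0, which is exactly the trap the post warns modem users about: the policy is still ACCEPT, so a ruleset written for eth0 leaves a ppp0 link wide open until the interface names are changed.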
--
SYN flood ]w:
iptables -N synflood
iptables -A synflood -p tcp --syn -m limit --limit 1/s -j RETURN
iptables -A synflood -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp -m state --state NEW -j synflood
oӤ觋@ӫܦLxӻAoӳ]w觋||}vTOH
չL@ӫܦLxγoӳ]wAѹ껡än....
ҥH]\iHվɶPƪIJoȡC
Ping of Death :
iptables -N ping
iptables -A ping -p icmp --icmp-type echo-request -m limit --limit 1/second -j RETURN
iptables -A ping -p icmp -j REJECT
iptables -I INPUT -p icmp --icmp-type echo-request -m state --state NEW -j ping
o̥u icmp echo request ڵAiHpAվC
Ϊ̬O]wD^ echo request C
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
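Both rate limits above rely on `-m limit`, and the post is right that the numbers need tuning: `--limit 1/s` does not mean "one packet per second" on its own, because the match is a token bucket whose burst defaults to 5 when `--limit-burst` is not given. The script below is an added example, not from the original post, that models that bucket (credit refilled by elapsed time, one interval spent per packet) over constructed arrival times, so the effect of a given rate and burst can be seen before the rule goes on a live box.

```shell
#!/bin/sh
# Added example, not code from the original post: a model of the iptables
# "-m limit" token bucket. Arrival times are constructed sample data in ms.

# limit_sim INTERVAL_MS BURST T1 T2 ...
# Prints one character per packet: A = passed (the rule's RETURN above),
# R = over the limit (the REJECT that follows). The bucket holds BURST
# tokens, one token is refilled every INTERVAL_MS, and each packet costs one.
limit_sim() {
    every=$1; burst=$2; shift 2
    cap=$((burst * every))      # bucket capacity, measured in ms of credit
    credit=$cap; last=0; out=""
    for t in "$@"; do
        credit=$((credit + (t - last)))            # refill for elapsed time
        [ "$credit" -gt "$cap" ] && credit=$cap    # never above the burst ceiling
        last=$t
        if [ "$credit" -ge "$every" ]; then
            credit=$((credit - every)); out="${out}A"
        else
            out="${out}R"
        fi
    done
    echo "$out"
}

# 1/s with the default burst of 5: seven SYNs at once let five through
limit_sim 1000 5 0 0 0 0 0 0 0              # -> AAAAARR
# a client retrying at 10 per second is throttled to roughly one per second
limit_sim 1000 5 0 100 200 300 400 500 600 700 800 900 1000 1100
# a well-behaved client at 1/s is never touched
limit_sim 1000 5 0 1000 2000 3000           # -> AAAA
```

One caveat a defender should keep in mind when copying the SYN rule: the bucket is global for the chain, not per source address, so once the rate is exceeded every new connection from every client is reset, legitimate ones included. On later kernels `-m hashlimit` provides per-source buckets for this purpose.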
--
iptables Ovˬd...
O]@ӫʥ]nqLɡAĤ@WhwgqLAʥ]RBwgwUӡAѾlWhN|AˬdANѾlWhnפUoӫʥ]ɤ]LġI
ҡG
Wh 1 : Ҧ 80 port ʥ]
Wh 2 : ڵ 210.58.221.241 80 port ʥ]
Wh 3 ........
oˤlɡAڥLkפU 210.58.221.241 80 port ʥ]...
] 1 WhwgҦ 80 port ʥ]FAҥHӫʥ]NqLF......
TgkӱNWh 1 PWh 2 .....
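The first-match behaviour described in this post can be checked without a live kernel. The script below is an added example, not from the original post: a small first-match evaluator over an ordered rule list, run with the two orderings discussed above, plus the `iptables -I` form that inserts a specific rule ahead of a general one already in the chain. The rule format ("src dport target") and the 10.0.0.5 address are the example's own constructions; 210.58.221.241 is the address from the post.

```shell
#!/bin/sh
# Added example, not code from the original post: first-match evaluation of
# an ordered rule list. Rules are constructed lines of "src dport target",
# where "any" is a wildcard; the first matching rule decides and later ones
# are never consulted, exactly as in a netfilter chain.

# first_match SRC DPORT   (rules on stdin) -> prints the target, or POLICY
first_match() {
    awk -v s="$1" -v d="$2" '
        ($1 == "any" || $1 == s) && ($2 == "any" || $2 == d) { print $3; found = 1; exit }
        END { if (!found) print "POLICY" }'
}

# the ordering from the post: the general accept shadows the specific drop
rules_wrong() {
    printf '%s\n' "any 80 ACCEPT" "210.58.221.241 80 DROP"
}
# the corrected ordering: specific rule first, general rule after it
rules_right() {
    printf '%s\n' "210.58.221.241 80 DROP" "any 80 ACCEPT"
}

rules_wrong | first_match 210.58.221.241 80   # ACCEPT: rule 2 is unreachable
rules_right | first_match 210.58.221.241 80   # DROP
rules_right | first_match 10.0.0.5 80         # ACCEPT: everyone else still gets port 80
rules_right | first_match 10.0.0.5 22         # POLICY: nothing matched, chain policy decides

# On a live system the fix does not require flushing the chain: "-I INPUT 1"
# inserts at position 1, ahead of the general accept that "-A" would follow.
#   iptables -I INPUT 1 -s 210.58.221.241 -p tcp --dport 80 -j DROP
```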