1. eǳƤu@
2. {Ѩ
@@2.1 ݭn
@@2.2 Linux tΤW𪺥DnO
@@2.3 𪺤@uGuPקޥ
@@2.4 𪺨ϥέ
3. Linux ʥ]LoG iptables
@@3.1 P Linux ֤ߪn
@@3.2 iptables Pʥ]iJy{
@@3.3 iptables yk
@@@@WhMP[
@@@@wqw]F (policy)
@@@@ʥ]¦ IP/netmask I/O ˸m
@@@@TCP, UDP Wh
@@@@AҲաGMAC P RELATED
@@@@ICMP ʥ]Wh
@@3.4 𪺰OB^_P
@@3.5 IPv4 ֤ߺ޲z\G/proc/sys/net/ipv4/*
4. 𪺤@ӹ
@@4.1 Wh
@@4.2 ڳ]w
5. NAT D]w
@@5.1 O NATH SNATH DNATH
@@5.2 ̶K NAT DG IP ɥ\
@@5.3 iptables B~֤߼Ҳե\
@@5.4 bݤA DNAT ]w
6. I^U
7. ҫm
8. ѦҸ
9. w糧媺ĳGhttp://phorum.vbird.org/viewtopic.php?p=114475

ѩoӳ`̭ͨD`hʥ]A]A MAC, IP, TCP, UDP, ICMP wA HΦpץ~ IP ӷ¦A٦ IP/netmask gkC ӳzǲߨ𪺫ĳOƱAiHϥ shell script Ӽg}Ap@ӥiHAWhM@ICҥHbz}lAѩUƤeA ƱAiH\ŪLƤFG

wg{ Shell H Shell scriptF
wg\ŪL¦@ӳ`eF
wg\ŪLe@g{ѺwF
wg\ŪL Ѿ@`eAAѸѪF
̦n֦ⳡDHWpϰҡAHKըF
Linux DW̦nidAiHihشաAì[] NAT DF
ϥ uname -r T{A֤߬O 2.4 2.6 F

YǳƧFAӶ}liaI

wFHɪ`NM󪺺|}AHκWwq~AA̦n̾ڦۤvҨӭqwA o˹AҡA|O٤@II򤰻OOH NObިiJڭ̺줺D(Ϊ̥iHO)ƫʥ]@ؾA Ҧpڭ̦be@`{Ѻw쪺 iptables NO@بFCMFAsqӻA unRPLoiXڭ̺޲z쪺ʥ]ơANiH٬C

ӳoӨSiHw骡Pn骡Cw骡OѼtӳ]pnDwA ow骡𤺪@~tΥDnHѫʥ]ƪLoDAñNL\ளC]§@\ӤwA ]ʥ]Lot׻PĲvΡCܩn骡OHNOڭ̳oӳ`nӽͽתڡI n骡𥻨NObO@tκw@Mn(κ٬)AҦp iptables P TCP Wrappers iH٬n骡C

L׫AϥNOΨӫO@ڭ̺wNNNաIIڭ̳oӳ`Dnb Linux tΥѪn骡𪺥\ANO iptables Cܩ TCP Wrappers Ыe¦g {ѨtΪA ѦҰѦҳI

ݭn

򥻤WApGAt (1)wgݭnӥBMIAȡF (2)wgNӨtΪҦM󳣫Ob̷sAF (3)v]wBwɶiƥu@F (4)wgШ|ϥΪ̨㦳}nBtξާ@ߺDC AtιڤWwgᬰwFInn[]HNoI

LA@ɬOܽA Linux D]O@²檺FA w@ѧAbiYӳn骺ծɡADMNҰʤF@ӺAȡA pGASިӪAȪϥνdAӪAȴNҦ Internet }A N·ФFI]ӪAȥiiH\HnJAtΡAOMIH

ҥHoA@OH̤j\NOUAyYǪAȪsӷzI |ҨӻG (1)AiHɮ׶ǿA (FTP) ubl줺D~ϥΡAӤ Internet }F (2)AiH㳡 Linux DȥiHȤݪ WWW nDALAȳF (3)A٥iH㳡DȯDʹ~suAڭ̥DDʳsuʥ]A (TCP ʥ] SYN flag) NH׵C oǴNO̥Dn\FI

ҥH{A̭nȴNObWXG

γQH(pl)PQH(p Internet)qF

Xi Internet AȻPO@AȡF

RXiPiʥ]AF

MաA Linux iptables n٥iHiӳ`J NAT (Network Address Translation) ]wAöiuʪ IP ʥ]˥\ALA@DӻA ²檺٬OWTNOFIҥHAAݤݭnOHzפWAMݭnI ӥBAnDyAtέǸƻPAȻݭnO@zAwݭnO@AȨӳ]w𪺳WhaI Uڭ̥ӽͤ@͡Ab Linux WY`ǡH

Linux tΤW𪺥DnO

FHnεw@𪺤~Aڭ̤]iHϥ ƫʥ]o觋ӶiCDniHjA OONzA (Proxy) H IP FilterCbNzA譱A ѦW٧ڭ̴NiHDANzAȬONz Client ݥhV Internet nDơAҥH Proxy wgNiNzwܤ֫ܤ֡AåBѩ󤺳P~qäઽqA ҥHiHF}nO@ĪGFt@ثhOW쪺 IP fileter աIQΫʥ]Lo觋ӹF쨾𪺥تI

IP filter (ʥ]Lo)

ϥζiJ TCP/IP Wʥ]wӶiLoRAҦpQ TCP/IP ʥ]Y IP ӷB Port number ƶiLoAHP_ӫʥ]O_iJo귽Cѩoؤ觋iHR̩hʥ]YơA ҥH]Aw}(MAC), n} (IP), TCP, UDP, ICMP ʥ]TiHiLoR\A ]γ~D`sxC

b Linux Wڭ̨ϥή֤ߤت iptables nӧ@ʥ]LoA ѩ iptables O֤ߤت\A]LĲvD`ID`AX@pҪ]wOI LQΤ@ǫʥ]LoWh]wAөwqXƥiHAƻݭn篑AHFO@DتI

Proxy (NzA)

NzAO@غA (service, daemon)ALiHyNzzϥΪ̪ݨDA ӥNeAoơCNIUoӹϥܧaG

Ϥ@BProxy Server B@z²
HWϬҡA Client ݷQne Internet o WWW ƮɡALoƪy{Oo˪G

L|V proxy server nDơA proxy BzF
Proxy iHRϥΪ̪ IP ӷO_XkHϥΪ̷Qnh WWW AO_XkH pGo client nDXkܡA Proxy N|Dʪ client e WWW AoơF
Internet Ҧ^ǪƬOǵ Proxy server AҥH WWW AWݨ쪺O Proxy Server IP oF
̫ Proxy N client nDǦ^ clientC

oAѤFܡHSA client èSsW Internet AҥHbu(BJ 1, 4)un Proxy P Client iHsuNiHFI client Ʀܤݭn֦ public IP IӷHQn client ݪDɡA DL} Proxy server A_hOLkP client suաI

t~A@ proxy Dq`ȶ} port 80, 21, 20 WWW P FTP fӤwA ӥBq` Proxy N[]b Router WA]iH㪺xϰ~suI A LAN ܪwڡIԲӪ Proxy ]wڭ̷|b NzA `ΪI

boӳ`Aڭ̥ Proxy oӪFAӬOйLo iptables oI

𪺤@uGuPקޥ

ѫeAzӥiHAѨ@ơANO𰣤FiHy O@ (iptables) ҦbDz~A٥iHy O@᭱D PCzCI ]NOA𰣤FiHƥDQJI~A L٥iH[]bѾWǥH޶iXaݺ (LAN) ʥ]C oسW󤺳p쪺w]@w{תO@@ΩOIUڭ̵yLͤ@ͥثe`tmaG

@ Linux Dݥ\G

𰣤FiH@ Linux 򥻨@~AL٥iH[]bѾWHޱӰϰʥ]iXC ]AboWYq`ܤֻݭnӤANiHPiH Internet }A ҥHiHO]wWhաIҦpPUCϤGҥܡC

bϤGAѩ󨾤O]wbҦʥ]|gLѾWYA ]oӨiHܻNxϰҦʥ]A ӥBAun޲zoDANiHܻNӦ Internet }ʥ]ױoC un޲z@DNy־㪺 LAN ̭ PCAܦE⪺աC

pGAQnNϰުY檺ܡAAƦܥiHbo Linux W[]Y檺NzAA ΤݶȯsWAҶ} WWW AӤwAӥB٥iHzLNzAnɤR\A TdXӨӨϥΪ̦bYӮɶIgsW WWW AAz@@IF`aI pGboӨWA[ MRTG yqʱnAٯwӺ쪺yqiʴC o˰tmuIOG

]~wg}AҥHw@biH}vjI

w]wiHw Linux DӺ@YiI

~uݪ Linux DAҥH󤺳iHF즳Īw@I

ϤGB@ Linux D

@ Linux A LAN t]

@ӻAڭ̪ LAN Ƴ|]wYA]Oڭ̦ۤv LAN IҥHOH줧@oILA̱`ť쪺JIk]Oϥγo˪@ӫH|}I ]zOҩҦϥΥ~qϥΪ̳OquA]LkOұzu|yd}aIz hɭԬOѩYǥ~ӳXȧQβʦ˸m (Oq) s줽qLuӥ[HѨ~nTC

IҥHApGzSOnݭnwO@ҡAN LAN A[]@ӨANwŤAN|znoΪO@I Ӭ[cIUϤTҥܡC

ϤTB@ Linux DA LAN t]

bݪD]w

٦@ا󦳽쪺]wANONѺAȪAb᭱AonBOH pUϥ|ҥܡAWeb, Mail P FTP OzLs Internet WhAҥHA Uo|Db Internet W Public IP O@˪I (o[ڭ̷|bU NAT DɭԦAj)C uOzL𪺫ʥ]RAN WWW nDʥ]e Web DAN Mail e Mail Server hBzӤw(zL port P໼)C

nFA]|Db Internet Wݨ쪺 IP ۦPAOƹWoO|PDA ӷ̷QnJIz FTP DnFALϥΦUؤRkhi𪺥DAOyz@A ̷QnzDADL\dwzA_hNJIzDOI

ӥBAѩDmbⳡ𤤶ApGoͪp (ҦpYǨϥΪ̤}ާ@ɭPrڡB Qu{𳴾ɭPDQj[ڵ) AO|vTD`B@C oؤ觋AΦbj~A]oǥ~ӻAD_ѥ`íwAȬOܭnI

LAoج[cUҶi檺]wNo]t port ໼AӥBnܱj޿跧A iHMʥ]Vqɪyʤ觋CsӻA]wW@wסA ӤHӫĳso򰵡A٬OHᦳg礧AӪoج[caI

[]bݪDA

ϥ|B[]bݪDA
q`Wϥ|ҤANAWߩmbӨ𤤶A ڭ̺٤Dxưϰ (DMZ)C DMZ تNpPe쪺AIbO@AA ҥHN Internet P LAN j}ӡAp@Ӥ׬OAAΪ̬O LAN Q𳴮ɡA t@Ӱ϶٬OnLʪI

nFAڭ Linux n iptables OiHiʥ]LoALiHRʥ] socket pair A ٥iHRPwAAҦp TCP ʥ]X (flags) AƦܥiHRddOI gѤRoǸƫA̪ iptables ܤ֥iHUoXة׫ʥ]觋G

ڵ Internet ʥ]iJ Linux DY port
oӤAѧaIҦpz port 20-21 o FTP port A zun}񵹤ܡAҥH Internet }A Internet Ӫʥ]QniJz port 20-21 ܡANiHNӸƫʥ]ᱼI]ڭ̥iHRӫʥ]ұa port XrI
ڵYǨӷ IP ʥ]iJ
Ҧpzwgo{Y IP DnOӦۧ欰DAunӦ۸ IP ƫʥ]ANNLIoˤ]iHF¦wI
ڵaYǯSX( flag )ʥ]iJ
̱`ڵNOa SYN DʳsuXФFIun@go{AKKIzNiHNӫʥ]rI
Rw}(MAC)ӴѪA
pGzϰ̭oJOS㦳j\OɡApGzϥ IP өץLϥκvAӥLooϥ@ IP NnFAbP@Ӻ줺I P٬Obd}aHSYAڭ̥iHꦺLdw}ڡI] MAC OZbdWAҥHzunRӨϥΪ̩ҨϥΪ MAC AiHQΨN MAC AIDL@ALdӨos MACA_h IP OSΪաI

M٦hϥΧޥAAiHѦҥ̫CXѦҸơA YhiΪpޥCڭ̳o̶ȷ|u²檺AHΧ@ IP ɾ NAT D@²檺ЦӤwաI ^_^InFA}lӪ@ iptables aI

𪺨ϥέ

HI]w𤧫٤wڡHIMաIֻ]wF𤧫ztδN@wwH MiHw諸ʥ]iJڭ̪ALAYǱpUA LäOҧڭ̪@wNܦwC|XӨҤlӽͤ@͡G

äܦĪׯfrΤ차{
]zwg}F WWW AȡAz WWW DWA@wonN WWW AȪ port } Client ݵnJ~aI_hz WWW D]wFSιaI]NOAuniJzDʥ]OnD WWW ƪANiHqLzCnFAyU@z WWW An驰|}AΪ̥VznD WWW AȪӫʥ]NOfrbztΡzɡAziO@Ik]SڡI ]ӳ]wWhNO|LqLڡC
Ӧۤ LAN LӨO
@ӻAڭ̹ LAN ̭DS򨾤𪺳]wA]Oڭ̦ۤv LAN ڡAҥHMN]wHFILA LAN ̭`Oi঳ǺpհڡAML̤OGNnd}aA OL̴NOIҥHNåκFCoӮɭԴNV|A]󤺳Wh]wq`֡A ҥHNeyu~ΩݥΪpC

ҥHաAbz Linux DaWeA٬OoG

XӤwAȡF

ɯŴXӥi঳DMF

[]n̰_Xw@----

LTШ {Ѻw ̭hݤ@ݫW[ۨwaI

WͤFohADn٬OƱzAѨ쨾OoĳDIӥB]ƱzDëDU઺C nFA򩳤Uڭ̲שiH@@@Aثeڭ̪ 2.6 o Linux ֤ߨ쩳ϥΤ֤ߥ\Ӷi樾]wH

P Linux ֤ߪn

Linux 𬰤\onHoO]LNO Linux kernel ҴѡA ѩ󪽱gL֤ߨӳBzA]įD`nILAP֤ߪҨϥΪnO@˪I ]֤ߤ䴩OvtiӪI

Version 2.0Gϥ ipfwadm oӨF

Version 2.2GϥΪO ipchains oӨF

Version 2.4 P 2.6 GDnOϥ iptables oӨALbYǦ Version 2.4 distributions APɤ䴩 ipchains (sĶҲ)AnϥΪ̤MiHϥΨӦ 2.2 ipchains WCLAĳb 2.4 HW֤ߪϥ ipchains I

]P֤ߨϥΪPAB䴩nOPyk]ۦPA ҥHb Linux WY]wݩAۤvWhɡAn`NڡA uname -r lܤ@UA֤ߪAI pGAOw 2004 ~HX distributions ANݭnߤFA]o distributions XGϥ kernel 2.6 ֤߰ڡI ^_^

iptables Pʥ]iJy{

eXӤp`̭ڭ̤@ͨGyWhzAxIԣOWhڡH] iptables OQΫʥ]LoA ҥHL|Rʥ]YơCھڪYƻPwqyWhzӨMwӫʥ]O_iHiJDΪ̬OQC NNOGyھګʥ]R "" AwwqWheA Yʥ]ƻPWheۦPhiʧ@A_hN~U@WhIz IbӡyPRǡzWC

|²檺ҤlA]ڹwwq 10 WhnFA Internet ӤF@ӫʥ]QniJڪDA 򨾤OpRoӫʥ]OHڭ̥HUϥܨӻnFG

ϤBʥ]LoWhʧ@ΤRy{
@Ӻʥ]niJDeA|g NetFilter iˬdANO iptables WhFC ˬdqLh (ACCEPT) iJo귽ApGˬdqLAhiऩH (DROP) I WϤDnتbizGyWhOǪzIҦpʥ]iJ Rule 1 ɡA pGﵲGŦX Rule 1 AɳoӺʥ]N|i Action 1 ʧ@AӤ|z| Rule 2, Rule 3.... WhRFC

ӦpGoӫʥ]äŦX Rule 1 AN|iJ Rule 2 FIp@Ӥ@ӳWhhiNOFC pGҦWhŦXHɴN|zLw]ʧ@ (ʥ]F, Policy) ӨMwoӫʥ]hVC ҥHաAzWhǱƦC~ɡAN|ͫY~FC 򻡩OHڭ̬ݬݩUoӨҤlG

]z Linux DѤF WWW AȡA۵MNnw port 80 ӱҥγqLʥ]WhAOzo{ IP ӷ 192.168.100.100 ѬOcNդJIztΡAҥHzQnN IP ڵӡA̫AҦD WWW ʥ]LANoTӳWhӻAznp]w綶ǩOH

Rule 1 192.168.100.100 F

Rule 2 AnD WWW AȪʥ]qLF

Rule 3 NҦʥ]C

o˪ƦCǴNŦXzݨDALAU@zǱƿFAܦG

Rule 1 nD WWW AȪʥ]qLF
Rule 2 A 192.168.100.100 F
Rule 3 NҦʥ]C

ɡA 192.168.100.100 yiHϥαz WWW AȡzI]unLzDeX WWW nDʥ]ANiHϥαz WWW D\FA]zWhǩwqĤ@N|LqLA ӤhҼ{ĤGWhIo˥iHzѳWhǪNqFܡI{bAӷQ@QApG Rule 1 ܦFyNҦʥ]zARule 2 ~]wyWWW Aȫʥ]qLzAаݡAڪ client iHϥΧڪ WWW AȶܡHI׬Oy_zQqFܡH ^_^

iptables P (chain)

ƹWAӹϤҦCXWhȬO iptables h@ (chain) ӤwC OOHoo iptables Wٻ_C٬ ip"tables" OH ]oӨṋhӪ (table) ACӪ泣wqXۤvw]FPWhA BCӪ泣γ~ۦPCڭ̥iHϥΩUoiϨӵyLAѤ@UG

ϤBiptables ܷN
ϤWheȥuOϤY chain ӤwI ӹw]pUA Linux iptables ܤִNTӪA]A޲ziX filter B޲zݥD (𤺳Lq) nat B ޲zSXШϥΪ mangle (֨ϥ) C󦳬ƪ̡Aڭ٥iHۭqB~OI uOܯ_aICӪP𫟺쪺γ~OOo˪G

filterGDn Linux AoӬOw] table I
- INPUTGDnPʥ]QniJڭ Linux F
- OUTPUTGDnPڭ Linux ҭneXʥ]F
- FORWARDGoөNNP Linux SYALiHʥ]y໼zݪqAP nat o table ʫܰC

natGoӪDnbΧ@ӷPت IP port ഫA P Linux LADnP Linux D᪺ϰqC
- PREROUTINGGbiѧP_eҭni檺Wh(DNAT/REDIRECT)
- POSTROUTINGGbiѧP_ҭni檺Wh(SNAT/MASQUERADE)
- OUTPUTGPoeXhʥ]

mangleGoӪDnOPSʥ]ѺXЦA Ȧ PREROUTING OUTPUT ALq kernel 2.4.18 [JF INPUT FORWARD C ѩoӪPSXЬʸAҥH̳oسªҷA֨ϥ mangle oӪC

UӪP쪺ʥiHϥΤUϨӪܡG

ϤCBiptables ئUP쪺
WϥܫܽIL򥻤WA¥iHݥXӡAڭ̪ iptables iHثʥ]yVG

pWϪ A Aʥ]DnOnŪڭ Linux ơA|gL filter INPUT A ӸƪXhOgL filter OUTPUT F

pWϪ B Aʥ]DnOnzLӥhݡA]NOAӫʥ]ؼШëDڭ̪ Linux C DngLO filter FORWARD H nat POSTROUTING, PREROUTINGC

ѩ mangle oӪܤֳQϥΡApGNϤC mangle ܡANeݪhFG

ϤKBiptables ئUP쪺(²)
zLϤKANiHPAѨAƹWP̦O filter oӪ椺 INPUT P OUTPUT oApGA iptables uOΨӨ Linux DܡA nat WhڥNݭnzLA]w}YiC

LApGAƹWOΨӺި LAN LDܡAANnAw filter FORWARD oA٦ nat PREROUTING, POSTROUTING H OUTPUT iB~Whqw~C nat 檺ϥλݭnܲMѷ~]wnAĳsnII ̦hNO@̶K nat \yIP ɾ\zNnFI ^_^I oڭ̦b̫@p`|ЪաI

iptables yk

zפWAAw˦n Linux Atӷ|DʪAҰʤ@ӶKWh~OC LpGzO̷ӳĳӦw Linux ɡAw˧AAtӬOS𪺰աC t~AYǦ (Ҧp Red Hat 9) Pɴ iptables ipchains oӨҲաA LoӼҲլOLkPɦsbIҥHAȯҰʨ𫟺@ӡAMOҰ iptables ~ڡI pGp߱ҰʤF ipchains (s Linux |oӧxZ) AШϥ rmmod ӲaI

LAb}li橳UmߤeAo̦ӫܭnƱni@UC ] iptables O|Nʥ]iLoΩתʧ@AҥH ФnbݥDWi樾𪺽mA]zܦi@p߱Nۤvba~I ɶqbenJ tty1-tty6 ׺ݾimߡA_h``|oʹd@ڡI Heb iptables ɡAN``]p߳Wh]w~AɭP``nлݪBs}...

责쫥̪ iptables ܤ֦Tӹw] table (filter, nat, mangle)A`ΪO filter A o]Ow]աCt@ӫhOݥD nat Aܩ mangle ֨ϥΡAҥHoӳ`ڭ̨ä|Q mangleC ѩ󤣦P table L̪줣@ˡAɭPϥΪOykΦhΤֳItC boӤp`Aڭ̥DnNw filter oӹw]檺TӰСCUNӪ@aI
𪺳]wDnϥΪNO iptables oӫOӤwCӨOtκ޲zDnȤ@A BtΪvT۷jA]yu root ϥ iptables zA׬O]w٬O[WhI

WhMP[

pGAbw˪ɭԿܨS𪺸ܡA iptables b@}lɭӬOSWhALA i]Abw˪ɭԴNܨtΦ۰zإߨAtδN|w]WhFI LצpAڭ̥ӬݬݥثeWhOpaI

[root@linux ~]# iptables [-t tables] [-L] [-nv]
ѼơG
-t G᭱ table AҦp nat  filter AYٲءAhϥιw] filter
-L GCXثe table Wh
-n Gi IP P HOSTNAME ϬdAܰTt׷|֫ܦhI
-v GCXhTA]AqLӳWhʥ]`줸ơB

dҡGCX filter table T쪺Wh
[root@linux ~]# iptables -L -n
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

dҡGCXhT
[root@linux ~]# iptables -L -nv
Chain INPUT (policy ACCEPT 5748 packets, 746K bytes)
 pkts bytes target     prot opt in     out     source               destination
....Uٲ....

JӬݨW檺XA]S[W -t ѼơAҥHw]NO filter oӪ椺 INPUT, OUTPUT, FORWARD T쪺WhoCѩSWhIҥHC줺WhOŪC Pɪ`N@UAbC chain ᭱A policy ءANOyw]ʧ@(F)zIHWӬݡA Mڭ̱ҰʤF iptables AOڭ̨S]wWhAMFSO ACCEPTA ҥHOyʥ]|zNIܩpG[W -v ѼƮɡA hsPӳWhҳqLʥ]`줸Ƥ]|QCXӰڡCUhO nat 檺WhءG

[root@linux ~]# iptables -t nat -L -n
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

@IP fiter @Ҥ@˧aIuOT쪺ePoIn`NڡI ^_^I HA]wC@𪺳WhɡAOo@@@]wInApMWhHo˰NFG

[root@linux ~]# iptables [-t tables] [-FXZ]
ѼơG
-F GMҦwqwWhF
-X GҦϥΪ "ۭq"  chain (ӻO tables ^oF
-Z GNҦ chain pƻPyqέpks

dҡGM (filter) ҦWh
[root@linux ~]# iptables -F
[root@linux ~]# iptables -X
[root@linux ~]# iptables -Z

wqw]F (policy)

MWhAAUӴNOn]wWhFաIٰOoFOܡHy zʥ]bz]wWhɡAhӫʥ]qLP_AH Policy ]wzAb譱w]FA]z󤺳ϥΥΪ̦HߪܡA filter INPUT 譱iHwqY@IA FORWARD P OUTPUT hiHqwP@ǡIq`ON INPUT policy wq DROP աALӫhwq ACCEPTC ܩ nat table hȮɤz|LC

[root@linux ~]# iptables [-t nat] -P [INPUT,OUTPUT,FORWARD] [ACCEPT,DROP]
ѼơG
-P GwqF( Policy )C`NAo P jgڡI
ACCEPT Gӫʥ]i
DROP   Gӫʥ]A| client ݪDQC

dҡGN INPUT ]w DROP AL]w ACCEPT
[root@linux ~]# iptables -P   INPUT DROP
[root@linux ~]# iptables -P  OUTPUT ACCEPT
[root@linux ~]# iptables -P FORWARD ACCEPT
[root@linux ~]# iptables -L -n
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
# ѩ INPUT ]w DROP ӤS|WhAҥHWXGܡG
# Ҧʥ]LkiJADIOq]wI(suOV)

ݨXGFaHINPUT Qק]wFIL nat table T쪺]w]O@˪AҦpGy iptables -t nat -P PREROUTING ACCEPT zN]wF nat table PREROUTING 쬰iNIw]F]wAӽͤ@ʥ]¦]waC

ʥ]¦ IP/netmask I/O ˸m

}lӶiʥ]]waIڭ̥ѳ̰¦ IP P쪺SxͰ_AA͸˸m (d) C

[root@linux ~]# iptables [-AI ] [-io ] [-p w] \
> [-s ӷIP/] [-d ؼIP/] -j [ACCEPT|DROP]
ѼơG
-AI GwYiWh "J"  "֥["
    -A GsW[@WhAӳWhW[b쥻Wh̫᭱CҦp쥻wg|WhA
         ϥ -A NiH[WĤWhI
    -I GJ@WhCpGSwWhǡAw]OJܦĤ@WhC
         Ҧp쥻|WhAϥ -I hӳWhܦĤ@Aӭ쥻|ܦ 2~5 
     G INPUT, OUTPUT, FORWARD AW٤SP -io AЬݩUC

-io G]wʥ]iXWd
    -i Gʥ]ҶiJӺAҦp eth0, lo CݻP INPUT tXF
    -o Gʥ]ҶǥXӺAݻP OUTPUT tXF

-p wG]wWhAΩثʥ]榡
   Dnʥ]榡G tcp, udp, icmp  all C

-s ӷ IP/G]wWhʥ]ӷءAiwª IP Υ]AAҦpG
   IP  G192.168.0.100
   G192.168.0.0/24, 192.168.0.0/255.255.255.0 iC
   YWdy\zɡAh[W ! YiAҦpG
   -s ! 192.168.100.0/24 ܤ\ 192.168.100.0/24 ʥ]ӷF

-d ؼ IP/GP -s AuLo̫OؼЪ IP κC

-j G᭱ʧ@ADnʧ@ (ACCEPT)B (DROP) ΰO (LOG)

iptables 򥻰ѼƴNpPWҥܪAȥuͨ IP BP˸mTA ܩ TCP, UDP ʥ]Sf (port number) PA (p SYN X) hbUp`~|ͨC nAڭ̨Ӭݬݳ̰¦XӳWhAҦp} lo oӥHάY IP ӷaI

dҤ@GҦӦ lo oӤʥ]AH
[root@linux ~]# iptables -A INPUT -i lo -j ACCEPT
# JӬݤWèSCX -s, -d WhAoܡG׫ʥ]ӦۦBΥh̡A
# unOӦ lo oӤANHIo[nANO
#yS]wWwAhܸӳWwzNIҦpoӮרҷA
#  -s, -d...ѼƨSWw

dҤGGؼШӦ 192.168.0.1 o IP ʥ]H
[root@linux ~]# iptables -A INPUT -i eth0 -s 192.168.0.1 -j ACCEPT
# ޤʥ]榡AunӦ 192.168.0.1 NHC

dҤTGؼШӦ 192.168.1.0/24 iA 192.168.1.10 
[root@linux ~]# iptables -A INPUT -i eth0 -s 192.168.1.10 -j DROP
[root@linux ~]# iptables -A INPUT -i eth0 -s 192.168.1.0/24 -j ACCEPT
# WzoӽdҫܭnڡI]IYIn 192.168.1.10 ~౵ӺC

[root@linux ~]# iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  192.168.0.1          0.0.0.0/0
DROP       all  --  192.168.1.10         0.0.0.0/0
ACCEPT     all  --  192.168.1.0/24       0.0.0.0/0
# @I𫍧]wbo̤wgͮoI

oNO̳¡B²檺Wh]wP[觋CAb]wAiHQ iptables -L -n iptables -L -v ²檺d\@UCӦpGAQnOYӳWhHiHo˰G

[root@linux ~]# iptables -A INPUT -s 192.168.2.200 -j LOG
[root@linux ~]# iptables -L -n
target prot opt source         destination
LOG    all  --  192.168.2.200  0.0.0.0/0   LOG flags 0 level 4

ݨXG̥A|X{O LOG Iunʥ]Ӧ 192.168.2.200 o IP ɡA ӫʥ]TN|QgJ֤߰TAYO /var/log/messages oɮ׷C Mӫʥ]|~i򪺳WhCҥHA LOG oӰʧ@ȦbiOӤwAä|vToӫʥ]LWh諸C nFAUӧڭ̤OӬݬ TCP,UDP H ICMP ʥ]LWhaI

TCP, UDP Wh

ڭ̦b¦͹LUؤPʥ]榡A bͨ TCP P UDP ɡASNOӰf (port number)Ab TCP 譱ht~ҿתsuʥ]AA ]A̱` SYN Dʳsuʥ]榡Cpwoثʥ]榡i樾Wh]wOHAiHoˬݡG

[root@linux ~]# iptables [-AI ] [-io ] [-p tcp,udp] \
> [-s ӷIP/] [--sport fd] \
> [-d ؼIP/] [--dport fd] -j [ACCEPT|DROP]
ѼơG
--sport fdGӷfXAfXiHOs򪺡AҦp 1024:65535
--dport fdGؼЪfXC

ƹWNOhF --sport --dport oӪNAIb port number WաI Uڭ̨ӶiXӤpաG

dҤ@GQnsuiJ port 21 ʥ]ױG
[root@linux ~]# iptables -A INPUT -i eth0 -p tcp --dport 21 -j DROP

dҤGGQsڳoD (upd port 137,138 tcp port 139,445) N
[root@linux ~]# iptables -A INPUT -i eth0 -p udp --dport 137:138 -j ACCEPT
[root@linux ~]# iptables -A INPUT -i eth0 -p tcp --dport 139 -j ACCEPT
[root@linux ~]# iptables -A INPUT -i eth0 -p tcp --dport 445 -j ACCEPT

@IAiHQ UDP P TCP wҾ֦fXӶiYǪAȪ}I A٥iHXBzOIҦpGunӦ 192.168.1.0/24 1024:65535 fʥ]A unQnsu쥻 ssh port NHסAiHo˰G

[root@linux ~]# iptables -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 \
> --sport 1024:65534 --dport ssh -j DROP

`NڡIpGAϥΨ --sport --dport ѼƮɡANw udp tcp ʥ]榡~I_hܡA iptables ON|X{pU~G

[root@linux ~]# iptables -A INPUT -i eth0 --dport 21 -j DROP
iptables v1.2.11: Unknown arg `--dport'
Try `iptables -h' or 'iptables --help' for more information.

Aӷ|ıoܩ_ǡAy --dport z|OѼ (arg) OHoO]AS[W -p tcp -p udp tGڡI] port O TCP,UDP SAL ICMP hSofưڡI o˻AziHzѧaI ^_^

Ff~Ab TCP ٦SXаڡI̱`NOӥDʳsu SYN XФFC ڭ̦b iptables ̭٤䴩y --syn zBz觋Aڭ̥HUҤlӻnFG

dҡGNӦۥaӷ port 1:1023 Dʳsu쥻ݪ 1:1023 su
[root@linux ~]# iptables -A INPUT -i eth0 -p tcp --sport 1:1023 \
> --dport 1:1023 --syn -j DROP

@ӻAclient ݱҥΪ port Oj 1024 HWfA server ݫhOҥΤp 1023 HUfbťCҥHڭ̥iHӦۻݪp 1023 HUfƪDʳsuLI AΦb FTP DʳsuIoڭ̥Ӧb FTP `AӽͧaI

AҲաGMAC P RELATED

b kernel 2.2 Heϥ ipchains ޲zɡAq`|tκ޲z۷YhI ] ipchains Sҿתʥ]AҲաA]ڭ̥nwʥ]iBXViޱC |ҨӻApGAQnsu컷ݥD port 22 ɡAAnwWhӳ]wG

ݪ 1024:65535 컷ݪ port 22 n (OUTPUT )F
ݥD port 22 쥻 1024:65535 (INPUT )F

o|ܳ·СI]pGAnsu 10 D port 22 ɡA] OUTPUT w]} (ACCEPT)A A»ݭngQWhAQݥD port 22 iHsuAaݥDWC pG}ҥ port 22 OHS߬YǴcND|DʥH port 22 suAWI P˪DzApGAnaݥDiHs~ port 80 (WWW A)AN󤣱oF oNOsuOV@ӫܭnI

nbڭ̪ iptables KFoӧxZILiHzL@ӪAҲըӤR yoӷQniJʥ]O_ڵoXh^Hz pGOڵoXh^ANiHHIzIuΡIo˴Nκ޻ݥDO_suiӪDFI pFOHݬݩUykG

[root@linux ~]# iptables -A INPUT -m state --state A
ѼơG
-m G@ iptables ҲաADn`G
     state GAҲ
     mac   Gdw} (hardware address)
--state G@ǫʥ]AADnG
     INVALID    GLĪʥ]AҦpƯ}lʥ]A
     ESTABLISHEDGwgsu\suAF
     NEW        GQnsإ߳suʥ]AF
     RELATED    Goӳ̱`ΡIܳoӫʥ]OPڭ̥DoeXhʥ]

dҡGunwإߩάʥ]NHqLAunOXkʥ]N
[root@linux ~]# iptables -A INPUT -m state \
> --state RELATED,ESTABLISHED -j ACCEPT
[root@linux ~]# iptables -A INPUT -m state --state INVALID -j DROP

ҥHApGA Linux DuQn@ client γ~A\ҦDʹAsuӷA AiHo˰YiG

MҦwgsbWh (iptables -F...)

]ww]FAF INPUT w] DROP Lw] ACCEPTF

}񥻾 lo iHۥѩF

]wʥ]AiHsuiJC

oNO̶̳KAAiHzLĤGBJשҦݪӷʥ]A ӳzLĥ|BJAnDݥD^ʥ]iHiJA [W lo oӤj˸miHAKKI@ client MΪWhN OK FI AiHbY script Wo˰YiG

#!/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin; export PATH
iptables -F
iptables -X
iptables -Z
iptables -P   INPUT DROP
iptables -P  OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
#iptables -A INPUT -i eth0 -s 192.168.1.0/24 -j ACCEPT

pGϰLDɡAANW̫@檺 # ANiHӦۥa LAN LDsuFC ӦpGA߬Y LAN cNӷD|DʪAsuɡAA٥iHwHaݥD MAC iLoI PˬOϥΪAҲաIoAhO MAC C|ҨӻG

dҤ@Gwϰ aa:bb:cc:dd:ee:ff D}su
[root@linux ~]# iptables -A INPUT -m mac --mac-source aa:bb:cc:dd:ee:ff \
>  -j ACCEPT
ѼơG
--mac-source GNOӷD MAC աI

zLoӪNAANiHwqY檺 LAN LD_suADvFI

ICMP ʥ]Wh

b¦ ICMP wڭ̪D ICMP 榡۷hAӥBܦh ICMP ʥ]榡OFnΨӶi˴ΪI ҥH̦nnNҦ ICMP ʥ]Iq`ڭ̷| ICMP type 8 (echo request) ӤwA ݥDDڭ̬O_sbA]| ping ^NOFCICMP ʥ]榡BzOo˪G

[root@linux ~]# iptables -A INPUT -p icmp --icmp-type  -j ACCEPT
ѼơG
--icmp-type G᭱n ICMP ʥ]A]iHϥΥNA
              Ҧp 8  N echo request NC

dҡG 0,3,4,11,12,14,16,18  ICMP type iHiJG
[root@linux ~]# vi somefile
#!/bin/bash
icmp_type="0 3 4 11 12 14 16 18"
for typeicmp in $icmp_type
do
   iptables -A INPUT -i eth0 -p icmp --icmp-type $typeicmp -j ACCEPT
done

[root@linux ~]# sh  somefile

o˴N}񳡤 ICMP ʥ]榡iJi˴u@FIunIOI^_^

𪺰OB^_P

Wڭ̽ͤFܦh]wFAڸӦp[ثeDWWhOH ڭ̥iHϥΡyiptables -L -n z[ALAӫOܪT٬OӨC oӮɭԡAڭ̨iHϥΩUӫOӱNثeDWyxszUӡA bUQnNoӳWhy^_zɭԡANQΫONWh^_I

[root@linux ~]# iptables-save > filename
[root@linux ~]# iptables-restore < filename

@ӬOxs@ӬO^_IӦb Red Hat tΪ RHEL,CentOS,Fedora ApGAN filename ɮצsy /etc/sysconfig/iptables zAåBQ chkconfig N iptables b}ɹw]ҰʪܡA@}tδN|DʪA⨾𪺳WhJFNOI ϥ iptables-save ұo쪺G|OpOHڭ̨ӬݬݡG

[root@linux ~]# iptables-save
# Generated by iptables-save v1.2.11 on Mon Sep 11 17:47:35 2006
*filter    <==ϥΪ table
:INPUT DROP [7335:859454] <==Tw]Pw]F
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [16992:13134791]
-A INPUT -i lo -j ACCEPT  <==}lUӳWh]w
-A INPUT -m state --state RELATED -j ACCEPT
-A INPUT -m mac --mac-source 00:04:75:D0:A2:58 -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 3 -j ACCEPT
....ٲ....
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Mon Sep 11 17:47:35 2006
#  (#) OѡAP (*) Nw] tableAӫ_ (:) NU쪺w]FF
# 򪺰ʧ@hOUӳWhաI

A@XGաIӸƴXGNOʦbOCҦJOI _ iptables -L -n ұo쪺TnJӪhCo]O iptables S榡A iHΦb iptables-restore OŪJOI _oؤ觋A٬Owϥ script ӼgۤvWhաC qnWhMNOnoIpթOH

ѥDV~DʳsuլݬݡF

AѨp줺 PC V~DʳsuլݬݡF

̫A Internet WDADʳsuz Linux DլݬݡF

@B@B@UӡAݬݰDXb̡AMhhhiB}I򥻤WA WثeܦhƥiHѱzѦҤFIo@g]wgO²A j٦bжqӤwIƱjaUI bѦҸCXXӦΪA ƱjaůunhhhݬݡI|ܦUI

IPv4 ֤ߺ޲z\G /proc/sys/net/ipv4/*

F iptables oӨn𫗪~Aꫥ Linux kernel 2.6 ѫܦh֤߹w]׾I ѩO֤ߪ\AҥH]wƳOmb /proc/sys/net/ipv4/ oӥؿC ܩӥؿUUɮתԲӸơAiHѦҮ֤ߪG

/usr/src/linux-{version}/networking/ip-sysctl.txt

WoӻƥiH http://www.kernel.org oӺU@Ӯ֤߭lXAYNݨC o̤]@ƥG

http:/linux.vbird.org/linux_server/0250simple_firewall/ip-sysctl.txt

쪺ӭnۦhd@dnIڭ̩UNX²檺ɮרӧ@aI

/proc/sys/net/ipv4/tcp_syncookies

ڭ̦be@ͨҿת_A (DoS) k@ؤ觋ANOQ TCP ʥ] SYN TV洤zҹFA oؤ觋٬ SYN Flooding Cpwoؤ觋OHڭ̥iHҥή֤ߪ SYN Cookie ҲհڡI o SYN Cookie ҲեiHbtΥΨӱҰHsuf (1024:65535) YNΧɦ۰ʱҰʡC

Ұ SYN Cookie ɡADboe SYN/ACK T{ʥ]eA|nD Client ݦbuɶ^Ф@ӧǸA oӧǸ]t\h쥻 SYN ʥ]TA]A IPBport CY Client ݥiH^ХTǸA DNTwӫʥ]iHA]|oe SYN/ACK ʥ]A_hNz|@ʥ]C

zL@iHjjCLĪ SYN ݰfAקK SYN Flooding DoS I pҰʳoӼҲթOH²Ao˰YiG

[root@linux ~]# echo "1" > /proc/sys/net/ipv4/tcp_syncookies

Ooӳ]wȥѩH TCP TV洤 (]Dboe SYN/ACK eݭn client Ǹ^)A ҥHi|yYǪAȪ{HAҦp SMTP (mail server)C L`ӻAoӳ]w٬OΪI uOAXΦbtwgܰAI ]tӰDɷ|֤߻~PD SYN Flooding OC

pGOFtΪ TCP ʥ]sųΤơAhiHѦ tcp_max_syn_backlog, tcp_synack_retries, tcp_abort_on_overflow oXӳ]wȪNqC

/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

_Aȱ`O SYN Flooding ALAڭ̪DtΨiHϥ ping ^A ping ʥ]OiHܤjIQ@ӪpA pGӷd}aHϥ 1000 xDǰe ping ADAӥBC ping FƦ K bytesɡA AWe|ˡHnNOWeQYAnitη|I oؤ觋OQ٬ ping flooding (_o ping) ping of death (oej ping ʥ])C

pקKOH ICMP 8 ICMP ʥ]^NOFCڭ̥iHzLөסA o]Oĳ觋CM]iH֤ߦ۰ʨ ping ^CLznAѡA Yǰϰ`A (ҦpʺA IP t DHCP w) |ϥ ping 觋ӰO_ƪ IP AҥHA̦nnҦ ping ^nC

֤ߨ ping ^]wȦӡAOOG/proc/sys/net/ipv4 icmp_echo_ignore_broadcasts (Ȧ ping broadcast }ɤ~ ping ^) icmp_echo_ignore_all ( ping ^)Cĳ]w icmp_echo_ignore_broadcasts NnFC AiHo򰵡G

[root@linux ~]# echo "1" >  \
> /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

/proc/sys/net/ipv4/conf//*

̪֤٥iHw藍Pi椣@˪ѼƳ]wI]wmb /proc/sys/net/ipv4/conf/ ACӤHNNAҦp eth0 ]wƦb /proc/sys/net/ipv4/conf/eth0/ C]wƦǤݭn`NOH jUoXӡG

rp_filterG٬fV|Lo (Reverse Path Filtering)A iHǥѤRѸTtXʥ]ӷ}AӤRӫʥ]O_XzC|ҨӻAAidAeth0 192.168.10.100/24 Aeth1 public IP C@ӫʥ]ۺ٨Ӧ eth1 AO IP ӷ 192.168.10.200 A oӫʥ]NXzAHCoӳ]wȫĳiHҰʪC
log_martiansGoӳ]wƥiHΨӱҰʰOXk IP ӷA |ҨӻA]Aӷ 0.0.0.0B127.x.x.xB Class E IP ӷA]oǨӷ IP Ω Internet ڡC Oƹw]m֤ߩmn /var/log/messagesC
accept_source_routeGγ\YǸѾ|Ұʳoӳ]wȡA Lثe]ƫܤ֨ϥΨoبӷѡAAiHoӳ]wȡC
accept_redirectsGAbP@ӹ줺[]@ѾA oӹ즳 IP AҦp 192.168.0.0/24, 192.168.1.0/24CɧA 192.168.0.100 QnV 192.168.1.100 ǰeTɡAѾi|ǰe@ ICMP redirect ʥ]i 192.168.0.100 ǰeƵ 192.168.1.100 YiAӤݳzLѾC] 192.168.0.100 P 192.168.1.100TObP@ӹuW (̥iHq)AҥHѾ|iӷ IP ϥγ̵u|hǻơCⳡDbP IP qAoOLkڶǻTIoӳ]w]i|ͤ@ǻLwIAҥHĳLC
send_redirectsGPW@AuOȬoe@ ICMP redirect ʥ]C P˫ĳC(ƹWAbYɱФ߱ЦPǬ[]ѾɡANgFo ICMP redirect D˸I redirect oӶاYiڡI)

nFW\Ano˰G

[root@linux ~]# vi somefile
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo "1" > $i
done
for i in /proc/sys/net/ipv4/conf/*/log_martians; do
    echo "1" > $i
done
for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do
    echo "0" > $i
done
for i in /proc/sys/net/ipv4/conf/*/accept_redirects; do
    echo "0" > $i
done
for i in /proc/sys/net/ipv4/conf/*/send_redirects; do
    echo "0" > $i
done

[root@linux ~]# sh somefile

ФFohykP`NƶAשnӬ[]FCpPeͨ쪺A AMiHϥ iptables-save ykNWhs /etc/sysconfig/iptables hA MzL iptables-restore Ϊ̬OsҰ iptables ӱҥΧAsWhC L٬OߺDϥ shell script ӼgWhAӥB@S٥iHΦbIsL scripts A iHWh㦳FϥΤ觋CnFANӽͽͦp]w̪WhaI

Wh

UЪoӨAiHΨӧ@ѾWA]iHΨӧ@C ]wsupPϤGҥܨ˪ҡA Linux D]O LAN ѾI YO@²檺 IP ɾ\աI]UoǡG

~ϥ eth1 (pGOAiO ppp0AаwzҨӳ]w)F
ϥ eth0 ABϥ 192.168.1.0/24 o Class F
Dw]}񪺪AȦ WWW, SSH, SMTP F

ѩƱNH (LAN) PH (Internet) Ӥ}@IA ҥHƱAiHb Linux Ww˨HWdANdbPAo˥iHקKܦhDC ܩ̭nWhOGyҦsuAȶ}SwAzҦC ӥB]ϥΪ̤wgL}nVmA]b filter table Tӹw]FOG

INPUT DROP
OUTPUT FORWARD ACCEPT

Fӭק諸KAN script TAOOG

iptables.ruleG]w̰򥻪WhA]AMWhBJҲաB]wAȥiF
iptables.denyG]w׬YǴcNDiJF
iptables.allowG]w\YǦۭqӷDI

UwpѪy{Oo˪G

Why{

ϤEBWhy{
hWA LAN DPD}׫ܰA] Output P Forward O}񤣲zIpaxDOiHA]ڭ̤qƶqhAӥBHOxA ҥHݭnSO[HޡIOGybj~Ao˪WOܤX檺A ]zOҤҦHiHӱzWwӨϥ Network Iz]NOyazrI ]As Output P Forward ݭnSO[H޲z~I

ڳ]w

ƹWAڭ̦b]w𪺮ɭԡAӥi|@Ӥ@ӫOJAq`OQ shell scripts ڭ̹Fo˪\oIUOQΤWy{ϩҳWXӪ scriptsAziHѦҬݬݡA OzݭnNҭק令AXzۤvҤ~I

[root@linux ~]# mkdir -p /usr/local/virus/iptables
[root@linux ~]# cd /usr/local/virus/iptables
[root@linux iptables]# vi iptables.rule
#!/bin/bash

# ХJzѼơAnJ~FI
  EXTIF="eth1"              # oӬOiHsW Public IP 
  INIF="eth0"               #  LAN sFYLж ""
  INNET="192.168.1.0/24"    #  LAN AYS LAN г]w ""
  export EXTIF INIF INNET

# Ĥ@Aw糧]wI###########################
# 1. ]wn֤ߪ\G
  echo "1" > /proc/sys/net/ipv4/tcp_syncookies
  echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
  for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo "1" > $i
  done
  for i in /proc/sys/net/ipv4/conf/*/log_martians; do
        echo "1" > $i
  done
  for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do
        echo "0" > $i
  done
  for i in /proc/sys/net/ipv4/conf/*/accept_redirects; do
        echo "0" > $i
  done
  for i in /proc/sys/net/ipv4/conf/*/send_redirects; do
        echo "0" > $i
  done

# 2. MWhB]ww]Fζ} lo P]w
  PATH=/sbin:/usr/sbin:/bin:/usr/bin; export PATH
  iptables -F
  iptables -X
  iptables -Z
  iptables -P INPUT   DROP
  iptables -P OUTPUT  ACCEPT
  iptables -P FORWARD ACCEPT
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A INPUT -m state --state RELATED -j ACCEPT

# 3. ҰB~ script Ҳ
  if [ -f /usr/local/virus/iptables/iptables.deny ]; then
        sh /usr/local/virus/iptables/iptables.deny
  fi
  if [ -f /usr/local/virus/iptables/iptables.allow ]; then
        sh /usr/local/virus/iptables/iptables.allow
  fi
  if [ -f /usr/local/virus/httpd-err/iptables.http ]; then
        sh /usr/local/virus/httpd-err/iptables.http
  fi
  iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT

# 4. \Y ICMP ʥ]iJ
  AICMP="0 3 3/4 4 11 12 14 16 18"
  for tyicmp in $AICMP
  do
     iptables -A INPUT -i $EXTIF -p icmp --icmp-type $tyicmp -j ACCEPT
  done

# 5. \YǪAȪiJAШ̷ӱzۤvҶ}
# iptables -A INPUT -p TCP -i $EXTIF --dport  22  -j ACCEPT   # SSH
# iptables -A INPUT -p TCP -i $EXTIF --dport  25  -j ACCEPT   # SMTP
# iptables -A INPUT -p UDP -i $EXTIF --sport  53  -j ACCEPT   # DNS
# iptables -A INPUT -p TCP -i $EXTIF --sport  53  -j ACCEPT   # DNS
# iptables -A INPUT -p TCP -i $EXTIF --dport  80  -j ACCEPT   # WWW
# iptables -A INPUT -p TCP -i $EXTIF --dport 110  -j ACCEPT   # POP3
# iptables -A INPUT -p TCP -i $EXTIF --dport 443  -j ACCEPT   # HTTPS

# ĤGAwݥD]wI##############################
# 1. J@ǦΪҲ
  modules="ip_tables iptable_nat ip_nat_ftp ip_nat_irc ip_conntrack 
ip_conntrack_ftp ip_conntrack_irc"
  for mod in $modules
  do
        testmod=`lsmod | grep "${mod} "`
        if [ "$testmod" == "" ]; then
                modprobe $mod
        fi
  done

# 2. M NAT table WhaI
  iptables -F -t nat
  iptables -X -t nat
  iptables -Z -t nat
  iptables -t nat -P PREROUTING  ACCEPT
  iptables -t nat -P POSTROUTING ACCEPT
  iptables -t nat -P OUTPUT      ACCEPT

# 3. }񦨬ѾAB IP ɾI
  if [ "$INIF" != "" ]; then
    iptables -A INPUT -i $INIF -j ACCEPT
    echo "1" > /proc/sys/net/ipv4/ip_forward
    if [ "$INNET" != "" ]; then
      for innet in $INNET
      do
        iptables -t nat -A POSTROUTING -s $innet -o $EXTIF -j MASQUERADE
      done
    fi
  fi
  # pGA MSN @LksuAΪ̬OYǺ OK YǺ OKA
  # iO MTU DAAiHNUo@浃LѨӱҰ MTU d
  # iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss \
  #          --mss 1400:1536 -j TCPMSS --clamp-mss-to-pmtu

# 4. A]wG
# iptables -t nat -A PREROUTING -p tcp -i $EXTIF --dport 80  \
#          -j DNAT --to 192.168.1.210:80

SOdNW{XSr鳡A򥻤WAAunק@ṲW𫍧A ӴNB@oӨFCL]CӤHҳۦPA ]Ab]wA»ݭnդ@U~IMAXFDnǧڰڡI.... AӬݤ@U iptables.allow eOpHpڭn@ 140.116.44.0/24 oӺ쪺ҦDӷiHiJڪDܡAoɮתeiHgoˡG

[root@linux iptables]# vi iptables.allow
#!/bin/bash
# UhgA\iJLΥDڡI
  iptables -A INPUT -i $EXTIF -s 140.116.44.0/24 -j ACCEPT

# UhOתɮ׳]wkI
[root@linux iptables]# vi iptables.deny
#!/bin/bash
# UgOyAnתөNNIz
  iptables -A INPUT -i $EXTIF -s 140.116.44.254 -j DROP

[root@linux iptables]# chmod 700 iptables.*

NoTɮתv]w 700 Buݩ root vAN iptables.rule oI Ln`NOAbWרҷAw]NҦAȪqDOI ҥHAn𪺲 5 BJBN@ǵѲŸ (#) Ѷ}~C P˪ApGLh port Qn}ҮɡA@˻ݭnW[B~Wh~I

LA٬OpPeڭ̩һAo firewall ȯണѰ򥻪w@ALDٻݭnAմթOI ~ApGAƱ@}N۰ʰo script ܡAбNoɮתɦWgJ /etc/rc.d/rc.local AIUoˡG

[root@linux ~]# vi /etc/rc.d/rc.local
.....Lٲ.....
# 1. Firewall
/usr/local/virus/iptables/iptables.rule
.....Lٲ.....

WzTɮ׽ЧAnb Windows tΤWsǰe Linux WB@A] Windows tΪ_rDA NiɭPɮ׵LkCĳA쩳UhUAǰe Linux iHQ dos2unix Ohഫ_rI N|DI

http://vbird.org.cn/download/index.php?action=detail&fileid=43

oNO@ӳ²BKCPɡAoӨ٥iH㦳̶K IP ɾ\OI ]NOb iptables.rule oɮ׷ĤGFC oڭ̦bU@`|A~򤶲ЪC

IIIשӨoӦaFIڭ̷ǳƭn[]@ѾAAN٤ NAT DC NAT OOH²檺AAiH٥L LAN Dy IP ɾzաI

NAT WO Network Address TranslationArWNOy}ഫzCѦrWNڭ̨ӷQ@QA TCP/IP ʥ]O IP }ܡH IP }OӷPتܡHڭ̪ iptables ONק IP ʥ]YơA KKIsؼЩΨӷ IP }iHקOIƦܳs TCP ʥ]Y port number ]קIuOI

NAT D\iHFϤGҤЪ IP ɪ\ध~A ٥iHFϥ|ҤЪ DMZ (Dxư) \IoMڭ̪ NAT OקG (1)ӷ IP ٬O (2)ؼ IP IUڭ̴NӲ@aI ^_^

O NATH SNATH DNATH

bͨ NAT ڹB@eAڭ̦AӬݤ@U²檺ʥ]zL iptables ӶǰeݥDy{(ЩeѦϤK)CGupϤG[cA Y LAN @DQnǰeʥ]XhɡAoӫʥ]npzL Linux DӶǰeXhH LOo˪G

gL NAT table PREROUTING F

gѸѧP_Twoӫʥ]OniJP_AYiJAhU@BF

AgL Filter table FORWARD F

qL NAT table POSTROUTING A̫ǰeXhC

NAT DINbWy{ 1,4 BJA]NO NAT table nGPREROUTING P POSTROUTINGC o즳򭫭n\OHIbק IP IOoק諸 IP O@˪I POSTROUTING bקӷ IP APREROUTING hbקؼ IP C ѩק諸 IP @ˡAҥHN٬ ӷ NAT (Source NAT, SNAT) Υؼ NAT (Destination NAT, DNAT)Cڭ̥ӽͤ@ IP ɾ\઺ SNAT aI

ӷ NAT, SNAT

AӦťL IP ɾoӪNALiHAax̪nXDPɳzL@ ADSL su Internet WA ҦpϤGsu觋ӻA Linux DNO IP ɾաILOpF IP ɪ\HNOzL NAT 檺 POSTROUTING ӳBzC]AGupϤGҥܡA NAT DOpBzoӫʥ]OH

ϤQBSNAT ʥ]ǰeXhܷN
pWϩҥܡAbΤ 192.168.1.100 oDnsu http://tw.yahoo.com hɡALʥ]Y|pܤơH

ΤݩҵoXʥ]YAӷ|O 192.168.1.100 AMǰe NAT oDF
NAT oD (192.168.1.2) oӫʥ]A|DʤRYơA ]YܥتëD Linux AҥH}lgLA Nʥ]iHs Internet Public IP BF
ѩ private IP P public IP बqAҥH Linux DzL iptables NAT table Postrouting Nʥ]Yӷ˦ Linux Public IP AåBNӤPӷ (192.168.1.100 public IP) ʥ]gJȦsOA MNʥ]ǰeXhFF

Internet Wݨoӫʥ]ɡAu|Doӫʥ]Ӧۨ Public IP ӤDOӦۤաC nFApG Internet ^ǫʥ]OHS|@H

ϤQ@BSNAT ʥ]ܷN

b Internet WDoӫʥ]ɡA|N^ƶǰe Public IP DF
Linux NAT DӦ Internet ^ʥ]A|Rӫʥ]ǸAäOOơA ѩo{ӫʥ]ݥDeǰeXhA]b NAT Prerouting 줤A|Nؼ IP ק令ݥDAY 192.168.1.100AMo{ؼФwgO (public IP)A ҥH}lzLѤRʥ]yVF
ʥ]|ǰe 192.168.1.2 oӤAMAǰe̲ץؼ 192.168.1.100 WhI

gLoӬy{AzNiHo{AҦ LAN DiHzLo NAT DsuXhA Ӥjab Internet Wݨ쪺OP@ IP (NO NAT D public IP աI)A ҥHApG LAN DSsWܡA򤺳DO㦳@w{תwʪաI ] Internet WLDSkDʧA LAN PC IҥHڭ̤~|A NAT ²檺\NO IP ɾաI]O SNAT @ءC
NAT DPѾԣPH򥻤WANAT D@wOѾALA NAT Dѩ|ק IP YơA ]P໼ʥ]ѾPC̱` IP ɾNO@ӸѾAOo IP ɾ@w|@ Public IP P@ Private IPA LAN Private IP iHzL IP ɾ Public IP ǰeXhI ܩѾq`䳣O Public IP ΦPɬ Private IPC

ؼ NAT, DNAT

SNAT DnOI LAN s Internet ϥΤ觋Aܩ DNAT hDnΦbDQn[]iH Internet sAաI NIϥ| DMZ DڡIU]ӽͤ@ DNAT B@aI

ϤQGBDNAT ʥ]ǰeܷN
pWϤQGҥܡA]ڪD 192.168.1.210 ҰʤF WWW AȡAoӪAȪ port }Ҧb port 80 A Internet WD (61.xx.xx.xx) npsڪAOHMաA ٬OonzL Linux NAT DIҥHo Internet Wnsڭ̪ NAT public IP ~C

~DQnsتݪ WWW AȡAhnsڭ̪ NAT DWYF
ڭ̪ NAT Dwg]wnnRX port 80 ʥ]AҥH NAT Doӫʥ]A |Nؼ IP public IP 令 192.168.1.210 ABNӫʥ]TOUӡAݤA^F
Wzʥ]bgLѫAӨ private BAMzL LAN ǰe 192.168.1.210 WYI
192.186.1.210 |^Ƶ 61.xx.xx.xx AoӦ^M|ǰe 192.168.1.2 WYhF
gLѧP_AӨ NAT Postrouting AMzLĤGBJOANӷ IP 192.168.1.210 אּ public IP ANiHǰeXhFI (ϤQAI)C

ӨBJXGN SNAT ϦVǰeIoNO DNAT oI²aI

̶K NAT DG IP ɥ\

b Linux NAT DAȷA̱`NOϤG IP ɾ\FC ӥѭ𫍧ЧA]ӪDAo IP ɾ\NO SNAT աI@δNuOb iptables NAT AӸѫ᪺ POSTROUTING i IP ˴NOFCt~A A]nAѡAA NAT Dn@ public IP AHΤ@Ӥ LAN s private IP ~C

P˪Aڪ]Oo˪G

~ϥ eth1 AoӤ㦳 public IP F
ϥ eth0 A]o IP 192.168.1.2 F

OIAQΫeXͨ쪺ƨӳ]wAѼƫAȥniѪ˴A ]b NAT D]w譱A̮eXaNOѤFIרObҲ ppp0 oӹ~ҤUA oӰDYCϥAnOoGypGA public IP o觋O cable modem ɡAA]w /etc/sysconfig/network, ifcfg-eth0, ifcfg-eth1 ɮסAdUn]w GATEWAY աIz_hN|X{ default gateway AϦӷ|yDC

pGAwgUF iptables.rule Aɮפwgt NAT }FI AiHݨɮתĤG NAT DAӦݨ쩳UoXG

iptables -A INPUT -i $INIF -j ACCEPT
# o@b NAT DiӦۤ LAN ʥ]
echo "1" > /proc/sys/net/ipv4/ip_forward
# WYo@hObA Linux 㦳 router O
iptables -t nat -A POSTROUTING -s $innet -o $EXTIF -j MASQUERADE
# o@INO[J nat table ʥ]ˡI

Ibӡy MASQUERADE zIoӳ]wȴNOy IP ˦ʥ]Xh (-o) ˸mW IP zIHWҤlӻANO $EXTIF A]NO eth1 աI ҥHʥ]ӷunӦ $innet (]NO LAN LD) Aunӫʥ]izL eth1 ǰeXhA N|۰ʪק IP ӷY eth1 public IP աINo²I AunN iptables.rule UAó]wnAB~A iptables.rule AA Linux N֦DH NAT D\FI

LAN L PC ]w

W쪺O NAT D]wAb LAN L PC Ѽƭnp]wOH²ڡA unOoUѼƭȧYiG

NETWORK 192.168.1.0

NETMASK 255.255.255.0

BROADCAST 192.168.1.255

IP iH]w 192.168.1.1 ~ 192.168.1.254 AiơI

qTh (Gateway) ݭn]w 192.168.1.2 (NAT D Private IP)

DNS (/etc/resolv.conf) ݳ]w 168.95.1.1 (Hinet) 139.175.10.20 (Seed Net)A oӽШ̱z ISP өwF

o˴Ndw@K NAT DFI²檺nRڡI

ƹWAF IP (MASQUERADE) ~Aڭ٥iHwק IP ʥ]Yӷ IP OI |ҨӻApUoӨҤlG

dҡGNn eth1 ǰeXhʥ]Aʥ]ӷאּ 192.168.200.250
[root@linux ~]# iptables -t nat -A POSTROUTING -o eth1 \
>  -j SNAT --to 192.168.200.250

dҡGPWAʥ]ӷ 192.168.200.210~220
[root@linux ~]# iptables -t nat -A POSTROUTING -o eth1 \
>  -j SNAT --to 192.168.200.210-192.168.200.210

oˤ]iHקʥ]ӷ IP ƳILADAϥΪOTw IP A Bh IP iH~suA_h@ϥ IP ˧YiAݭnϥΨo SNAT aH MAA]i঳ۤvWSҰաI ^_^

iptables B~֤߼Ҳե\

pGAb iptables.rule ĤGJӬݪܡA Sıoܩ_ǡAڭ̻ݭnJ@ǦΪҲաH|ҨӻA ip_nat_ftp ip_net_irc H oO]ܦhqTwϥΪʥ]ǿSAרO FTP ɮ׶ǿϥΨ port ӳBzơI oӳڭ̷|b FTP `AԽ͡Abo̧AnDAڭ̪ iptables ѫܦhnΪҲաA oǼҲեiHUʥ]Loγ~Aڭ̥iH`٫ܦh iptables WhwA nΪoI ^_^

bݤA DNAT ]w

JMiH SNAT IP ɥ\Aڭ̷MiHϥ iptables X DMZ աI OAӡAPAʥ]ǿ骺觋i঳ItA]Aĳs⤣noөNNI _hܮeɭPYǪAȵLkQ Internet ѪDC

ӽͤ@͡ApGڷQnBz DNAT \ɡA iptables npUFOH t~AAnDOA DNAT Ψ쪺O nat table Prerouting IndFC

dҡGNs eth1  port 80 Ǿɨ줺 192.168.1.210 
[root@linux ~]# iptables -t nat -A PREROUTING -p tcp -i eth1 \
> --dport 80 -j DNAT --to 192.168.1.210:80

ӡy -j DNAT --to IP[:port] zNOաINq eth1 oӤǤJABQnϥ port 80 AȮɡA Nӫʥ]sǾɨ 192.168.1.210:80 IP port WIiHPɭק IP P port OIuKC L٦@Ǹi iptables ϥΤ觋ApUҥܡG

-j REDIRECT --to-ports <port number>
# oӤ]`A򥻤WANOi楻W port ഫNOFI
# LASOdNOAoӰʧ@ȯb nat table  PREROUTING H
# OUTPUT WӤwI

dҡGNnDP 80 suʥ]໼ 8080 o port
[root@linux ~]# iptables -t nat -A PREROUTING -p tcp  --dport 80 \
> -j REDIRECT --to-ports 8080
# oN̮ebzϥΤFDW port ӶiY well known wA
# Ҧpϥ 8080 o port ӱҰ WWW AOOHH port 80 ӳsuA
# ҥHAzNiHϥΤW觋ӱNzDsuǻ 8080 oI

ܩhγ~ANݧAۤvooI ^_^

n֦@wDAn}nDv]wFHɪsMFwnƳƥFuШ|VmC ȦOF

̤j\NOUAyYǪAȪsӷzAiHިӷPؼЪ IP F

̾ګʥ]תhAiH Proxy H IP Filter (ʥ]Lo) F

FNӺH (LAN) PH (Internet) 짹ΡAq`㦳ӹA OsHPHF

b𤺡Ab LAN AҦbAq`Q٬ DMZ (Dxư)Apϥ|ҥܡF

ʥ]LoAq`ܤ֥iHR IP, port, flag (p TCP ʥ] SYN), MAC F

frרäӷPF

Ӧۤ~ΩݥΪשʥiF

äO[]𤧫AtδN@wܦwI٬OݭnsM|}HκިϥΪ̤v]wF

֤ 2.4 H᪺ Linux ϥ iptables @𪺳nF

𪺭qwPyWhǡzܤjYFYWhǿ~Ai|ɭP𪺥ġF

iptables w] table @TӡAOO filter, nat mangle ADΪ̬ filter () P nat (ݥD)C

filter table Dnw糧]wA̾ګʥ]yVS INPUT, OUTPUT, FORWARD TF

nat table Dnw慨𪺫ݥDA̾ګʥ]yVS PREROUTING, OUTPUT, POSTROUTING TA 𫟺 PREROUTING P DNAT A POSTROUTING hP SNAT F

iptables 𬰳WhAҦWhŦXɡAhHw]F (policy) @ʥ]欰̾ڡF

֤ߥѫܦh\Aw IPv4 ]wȳb /proc/sys/net/ipv4/* F

iptables OCAiHUFѼƬ۷hAUF -j LOG ѼƮɡAhӫʥ]y{|Q /var/log/messages F

iHh]wAҦpMwg]wF iptables AOMiH]w TCP Wrappers A]֤]oɭ iptables ||}Ϊ̬OWhW}I

ڬ[]FAڪD٬OiतrH

𤣬OUFAL٬OiQfrΪ̬O차{ҤJII ~ApGzDNwgѤFhӺAȡAhӺAȪM󦳺|}ɡA 𤴵MLkJAӪAȪ|}I]Mݭn򪺶iDʵu@

л[]FAڪD٬OiQJIHJI̾ڥiOkH

]ȬO׬YǤw諸ʥ]ApGz} WWW AȮɡAhnDzD port 80 ʥ]NiiJzDAU@ WWW M󦳺|}ɡANiQJIFIҥHM󪺧sܭnI

ڭ̪D֤߬ 2.4 Linux ϥΪ iptables AаݡAp󪾹Dڪ Linux ֤ߪH

Q uname -r iHdoI

ЦCX iptables w]ӥDn table AHΦU table ̭ chains PU chains ҥNNqF

filter w] TableAYw]즳G

INPUTGӦۥ~AQniJDʥ]F
OUTPUTGӦۥDAQn}Dʥ]F
FORWARDGDP~쪺ʥ](׶iΪ̥X)Aӫʥ]|iJDC

٦ nat o tableG

PREROUTINGGiѤeʥ]ǰeL{
OUTPUTG}Dʥ]ǰeL{F
POSTROUTINGGwggLѤFAM~i檺LoWhC

O iptables w]F (Policy)HYڭnw filter INPUT DROP w]FAOpUFH

ʥ]Ҧݩʳb𪺳WhɡAoӫʥ]_QqLAhH Policy @oӫʥ]̲װʧ@FI
iptables -P INPUT DROP

]ѧڪ Linux ȬO@ Client ΡAèS Internet iAȡA zWӦp]wnHI

JMS Internet ѥAȡA(1)бNҦ~faI(2)WhA̭nO INPUT Policy @wn DROP AMNy iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT zYiI

ڭnNӦ 192.168.1.50 o IP ӷʥ]AunOVڪ 21~23 fnDʥ]ANNLסAӦpUF iptables OH

iptables -A INPUT -p tcp -s 192.168.1.50 --dport 21:23 -j DROP

ڭnNڦۤvD ping ^\AӦpUF iptables OH

] ping _^ΪO icmp type 8 (аѦҺ¦ ICMP e)AҥHڥiHo˰G
iptables -I INPUT -p icmp --icmp-type 8 -j DROP

лoӫOO~Hyiptables -A INPUT -p udp --syn -s 192.168.0.20 -j DROPzH

]u TCP ʥ]~|㦳 SYN лxA UDP èS SYN лxڡIҥHWOO~

DNS nDOAڸӦp]wڪDiHnD DNS ^OH

] DNS ӷO port 53 A]nӦ port 53 ʥ]NFG
iptables -A INPUT -p udp --sport 53 -j ACCEPT
iptables -A INPUT -p tcp --sport 53 -j ACCEPT

p iptables bڪtΤWH

nMWhA~N iptables ILAڭ̥DnNWhMYiI
iptables -F; iptables -X; iptables -Z
iptables -t nat -F; iptables -t nat -X; iptables -t nat -Z

pxsثeAHΦpNWxsUӪ^_ثetΤH

ЧQ iptables-save H iptables-restore oӫOAtXROɦVYiI

pGAϺ PC ϥΪ̦ѬOsW Internet ÷dAAQnNL IP AL`Okק令L IP ӳs~A AӫHLLk~s~H

iHQΫdd MAC ӳBzI

Robert L. Ziegler ۡAG_ĶAy Linux --iptables Υ`zAW_XA2004C
֤ߤG/usr/src/linux-{version}/networking/ip-sysctl.txt
iptables tables PU chain ʡG http://ebtables.sourceforge.net/br_fw_ia/bridge3b.png
֤߰ѼƪGhttp://www.study-area.org/tips/adv-route/Adv-Routing-HOWTO-12.html
ϥ PPPoE ɭP MTU DGhttp://www.akadia.com/services/pppoe_iptables.html