wFHɪ`Nn骺|}HκWwq~AA̦n̾ڦۤvҨӭqwI
o˹AҡA|O٤@IIOOHNOzLqw@ǦǪWhAúިiJڭ̺줺D (Ϊ̥iHO)
ƫʥ]@ؾIsqӻAunRPLoiXڭ̺z쪺ʥ]ơA
NiH٬C
SiHw骡Pn骡Cw骡OѼtӳ]pnDwA
ow骡𤺪@~tΥDnHѫʥ]ƪLoDAñNLn\ளC]§@\ӤwA
]ʥ]LoIJvΡCܩn骡OHNOڭ̳oӳ`nӽͽתڡI
n骡𥻨NObO@tκw@Mn(κ٬)AҦp Netfilter P TCP Wrappers iH٬n骡C
LAϥNOΨӫO@ڭ̺wNNNաIڭ̳oӳ`Dnb
Linux tΥѪn骡𪺥\ANO Netfilter Cܩ TCP Wrappers Mb¦gĤQK{ѨtΪA̭LFAڭ̳oٷ|yL²檺аաI
9.1.1 }leӭӴƶ
ѩDnتb Netfilter oثʥ]LoA]¦̭\hʥ]PTتnD`MA
]A쪺, IP 쪺g觋Aݦ@w¦~CШĤG[j@U
MAC,
IP,
ICMP,
TCP,
UDP ʥ]Yƪ{ѡAH
Network/Netmask
(CIDR) gkC
t~AM Netfilter iHzL iptables O觋ӶiWhƧǻPקALijAQ shell
script ӼgݩAۤvnA]WhƧǻPJ㦳n[ʡA
iHAWhM@ICҥHbA}lAѩUƤeAƱAiH\ŪLƤFG
9.1.2 ݭn
JӤRĤC 7.1-1 iHo{A
ʥ]iJɡA|qLBAn{ǡBSELinuxPɮרtεCҥHWApGAt
(1)wgݭnӥBMIAȡF
(2)wgNӨtΪҦn鳣Ob̷sAF (3)v]wBwɶiƥu@F
(4)wgШ|ϥΪ̨㦳}nBtξާ@ߺDC
AtιڤWwgᬰwFInn[]HNoI
LA@ɬOܽA Linux D]O@²檺FAw@ѧAbiYӳn骺ծɡA
DMNҰʤF@ӺAȡApGASިӪAȪϥνdAӪAȴNҦ Internet }A
N·ФFI]ӪAȥiiH\HnJAtΡAOMIH
ҥHoA@OH̤j\NOUAyYǪAȪsӷzI
|ҨӻG (1)AiHɮǿA (FTP) ubl줺D~ϥΡAӤ Internet }F
(2)AiH㳡 Linux DȥiHȤݪ WWW nDALAȳF
(3)A٥iH㳡DȯDʹ~suCϹLӻAYΤݹڭ̥DoeDʳsuʥ]A (TCP ʥ] SYN flag)
NHCoǴNO̥Dn\FI
ҥH{A̭nȴNObWXG
- γQH(pl)PQH(p Internet)qF
- Xi Internet AȻPO@AȡF
- RXiPiʥ]AF
MաA Linux iptables n٥iHiӳ`J NAT (Network Address Translation)
]wAöiuʪ IP ʥ]˥\ALA@DӻA
²檺٬OWTNOFIҥHAAݤݭnOHzפWAMݭnI
ӥBAnDyAtέǸƻPAȻݭnO@zAwݭnO@AȨӳ]w𪺳WhaI
Uڭ̥ӽͤ@͡Ab Linux WY`ǡH
9.1.3 Linux tΤW𪺥DnO
WA̾ڨzdAڭ̥iHNϤ쫬P@DޡCb@Dޤ譱A
Dn𦳫ʥ]Lo Netfilter P̾ڪAȳn{@R TCP Wrappers ءCYHϰ쫬ӨA
ѩO@ѾA]Dnhʥ]Lo Netfilter PQΥNzA (proxy server)
isNz觋FC
Netfilter (ʥ]Lo)
ҿתʥ]LoAYORiJDʥ]ANʥ]YƮXӶiRAHMwӳsuΩתC
ѩoؤ觋iHRʥ]YơAҥH]Aw}(MAC), n} (IP), TCP, UDP, ICMP
ʥ]TiHiLoR\A]γ~D`sxC(DnRO OSI Chw 2, 3, 4 h)
b Linux Wڭ̨ϥή֤ߤت Netfilter oӾA Netfilter ѤF iptables
oӳnӧ@ʥ]LoOCѩ Netfilter O֤ߤت\A]LIJvD`I
D`AX@pҪ]wOINetfilter QΤ@ǫʥ]LoWh]wAөwqXƥiHA
ƻݭn篑AHFO@DتI
TCP Wrappers ({)
t@ةʥ]iJkAzLA{~ (tcpd) ӳBmIPʥ]LoPOA
oؾDnORֹY{isAMzLWhhRӦA{֯suB֤suC
ѩDnOzLRA{ӱޡA]PҰʪfLAuP{W٦C
|ҨӻAڭ̪D FTP iHҰʦbDW port 21 iťAAzL Linux ت TCP wrappers FTP ɡA
AunD FTP nW (vsftpd) AML@Ah FTP ҰʦbӰfA|QӳWhzC
Proxy (NzA)
NzAO@غAȡAiHyNzzϥΪ̪ݨDAӥNeAoơCNIUoӹϥܧaG
9.1-1BProxy Server B@z²
HWϬҡA Client ݷQne Internet o Google ƮɡALoƪy{Oo˪G
- client |V proxy server nDơA proxy BzF
- proxy iHRϥΪ̪ IP ӷO_XkHϥΪ̷Qnh Google AO_XkH
pGo client nDXkܡA proxy N|Dʪ client e Google oơF
- Google Ҧ^ǪƬOǵ proxy server AҥH Google AWݨ쪺O proxy server IP oF
- ̫ proxy N Google ^Ǫưe clientC
oAѤFܡHSA client èSsW Internet AҥHbu(BJ 1, 4)un Proxy P Client
iHsuNiHFI client Ʀܤݭn֦ public IP IӷHQn client ݪDɡA
DL} Proxy server A_hOLkP client suաI
t~A@ proxy Dq`ȶ} port 80, 21, 20 WWW P FTP fӤwAӥBq` Proxy
N[]bѾWA]iH㪺xϰ~suIA LAN ܪwڡI
ѩ@pҫܤַ|ΨNzAA]ѨèSͨ proxy server ]wA쪺ܥiHѦҤ@U squid
(1) oӳn骺x google @UaI
9.1.4 𪺤@GuܷN
9.1.5 𪺨ϥέ
qeRAڭ̤wgDLʥ]oDnbR OSI Chw 2, 3, 4 hAJMpܡA
Linux Netfilter 쩳iHǤƱOHiHi檺Ru@DnG
- ڵ Internet ʥ]iJDYǰf
oӤAѧaIҦpA port 21 o FTP fAYuQn}ܡA Internet
Ӫʥ]QniJA port 21 ɡANiHNӸƫʥ]ᱼI]ڭ̥iHRӫʥ]YfXrI
- ڵYǨӷ IP ʥ]iJ
ҦpAwgo{Y IP DnOӦۧ欰DAunӦ۸ IP
ƫʥ]ANNLIoˤ]iHF¦wI
- ڵaYǯSX (flag) ʥ]iJ
̱`ڵNOa SYN DʳsuXФFIun@go{AKKIANiHNӫʥ]rI
- Rw} (MAC) ӨMwsuP_
pGAϰ̭oJOS㦳j\OɡApGAϥ IP
өץLϥκvAӥLooϥ@ IP NnFAbP@Ӻ줺I
P٬Obd}aHSYAڭ̥iHꦺLdw}ڡI] MAC
OZbdWAҥHAunRӨϥΪ̩ҨϥΪ MAC AiHQΨN
MAC AIDL@ALdӨos MACA_h IP OSΪաI
M Netfilter wgiHohƱALA٬OܦhƱSkzL Netfilter ӧI
H]w𤧫٤wڡIMաIֻ]wF𤧫AtδN@wwH
MiHw諸ʥ]iJڭ̪ALAYDZpUALäOҧڭ̪@wNܦwC
|XӨҤlӽͤ@͡G
- äܦĪׯfrΤ차{
]Awg}F WWW AȡAA WWW DWA@wonN WWW AȪ port } Client
ݵnJ~aI_hA WWW D]wFSιaI]NOAuniJADʥ]OnD
WWW ƪANiHqLACnFAyU@A WWW An驰|}AΪ̥VAnD
WWW AȪӫʥ]NOfrbAtΡzɡAAiO@Ik]SڡI
]ӳ]wWhNO|LqLڡC
- Ӧۤ LAN LӨO
@ӻAڭ̹ LAN ̭DS𪺳]wA]Oڭ̦ۤv LAN
ڡAҥHMN]wHFILA LAN ̭`OiǺpհڡAML̤OGNnd}aA
OL̴NOIҥHNåκFCoӮɭԴNV|A]Wh]wq`֡A
ҥHNeyu~ΩݥΪpC
ҥHաA٬O^ĤC 7.1-1
hݬݡAR@UӹϥܡAAN|DAbA Linux DaWeA٬OoG
- XӤwAȡF
- ɯŴXӥiDMF
- []n̰_Xw@----
LT٬OШĤC{Ѻw̭hݤ@ݫW[ۨwaI
WͤFohADn٬OƱAAѨ쨾OoijDIӥB]ƱADëDUC
nFAUڭ̲שiH@@@Aثeڭ̪ 2.6 o Linux ֤ߨ쩳ϥΤ֤ߥ\Ӷi樾]wH
9.3.1 P Linux
֤ߪn
Linux 𬰤\onHoO]LNO Linux ֤ߩҴѡAѩgL֤ߨӳBzA]įD`nI
LAP֤ߪҨϥΪnO@˪I]֤ߤ䴩OvtiӨӪI
- Version 2.0Gϥ ipfwadm oӨF
- Version 2.2GϥΪO ipchains oӨF
- Version 2.4 P 2.6 GDnOϥ iptables oӨALbYǦ Version 2.4
distributions APɤ䴩 ipchains (sĶҲ)AnϥΪ̤MiHϥΨӦ
2.2 ipchains WCLAijb 2.4 HW֤ߪϥ ipchains I
]P֤ߨϥΪPAB䴩nOPyk]ۦPAҥHb Linux
WY]wݩAۤvWhɡAn`NڡA uname -r
lܤ@UA֤ߪAIpGAOw 2004 ~HX distributions ANݭnߤFA]o distributions
XGϥ kernel 2.6 ֤߰ڡI ^_^
9.3.2
ʥ]iJy{GWhǪnʡI
eXӤp`̭ڭ̤@ͨGyWhzAxIԣOWhڡH] iptables OQΫʥ]LoA
ҥHL|Rʥ]YơCھڪYƻPwqyWhzӨMwӫʥ]O_iHiJDΪ̬OQC
NNOGyھګʥ]R "" AwwqWheA
Yʥ]ƻPWheۦPhiʧ@A_hN~U@WhIz
IbӡyPRǡzWC
|²檺ҤlA]ڹwwq 10 WhnFA Internet ӤF@ӫʥ]QniJڪDA
OpRoӫʥ]OHڭ̥HUϥܨӻnFG
![ʥ]LoWhʧ@ΤRy{](/linux_server/0250simple_firewall//iptables_01.png "ʥ]LoWhʧ@ΤRy{")
9.3-1Bʥ]LoWhʧ@ΤRy{
@Ӻʥ]niJDeA|g NetFilter iˬdANO iptables WhFC
ˬdqLh (ACCEPT) iJo귽ApGˬdqLAhiऩH (DROP) I
WϤDnتbiAGyWhOǪzIҦpʥ]iJ Rule 1 ɡA
pGﵲGŦX Rule 1 AɳoӺʥ]N|i Action 1
ʧ@AӤ|z| Rule 2, Rule 3.... WhRFC
ӦpGoӫʥ]äŦX Rule 1 AN|iJ Rule 2 FIp@Ӥ@ӳWhhiNOFC
pGҦWhŦXHɴN|zLw]ʧ@ (ʥ]F, Policy) ӨMwoӫʥ]hVC
ҥHաAAWhDZƦC~ɡAN|ͫY~FC
OHڭ̬ݬݩUoӨҤlG
]A Linux DѤF WWW AȡA۵MNnw port 80 ӱҥγqLʥ]WhAOAo{
IP ӷ 192.168.100.100 ѬOcNդJIAtΡAҥHAQnN IP ڵӡA̫AҦD
WWW ʥ]LANoTӳWhӻAAnp]w綶ǩOH
- Rule 1 192.168.100.100 F
- Rule 2 AnD WWW AȪʥ]qLF
- Rule 3 NҦʥ]C
o˪ƦCǴNŦXAݨDALAU@ADZƿFAܦG
- Rule 1 nD WWW AȪʥ]qLF
- Rule 2 A 192.168.100.100 F
- Rule 3 NҦʥ]C
ɡA 192.168.100.100 yiHϥΧA WWW AȡzIunLADeX WWW nDʥ]ANiHϥΧA WWW
\FA]AWhǩwqĤ@N|LqLAӤhҼ{ĤGWhIo˥iHzѳWhǪNqFܡI
{bAӷQ@QApG Rule 1 ܦFyNҦʥ]zARule 2 ~]wyWWW Aȫʥ]qLzAаݡAڪ client
iHϥΧڪ WWW AȶܡHIOy_zQqFܡH ^_^
9.3.3 iptables (table)
P (chain)
ƹWA 9.3-1 ҦCXWhȬO iptables h@ (chain) ӤwC
OOHoo iptables Wٻ_C٬ ip"tables" OH
]oӨṋhӪ (table) ACӪ泣wqXۤvw]FPWhA
BCӪ檺γ~ۦPCڭ̥iHϥΩUoiϨӵyLAѤ@UG
9.3-2Biptables PܷN
9.3-1 WheȥuO 9.3-2 Y chain ӤwI
ӹw]pUA Linux iptables ܤִNTӪA]AziX filter BzݥD
(𤺳Lq) nat BzSXШϥΪ mangle (֨ϥ) Cƪ̡Aڭ٥iHۭqB~OI
uOܯ_aICӪP𫟺쪺γ~OOo˪G
- filter (Lo)GDniJ Linux ʥ]AoӬOw] table I
- INPUTGDnPQniJڭ Linux ʥ]F
- OUTPUTGDnPڭ Linux ҭneXʥ]F
- FORWARDGoөNNP Linux SYA
LiHyʥ]zݪqAPUC nat table ʸC
- nat (}ഫ)GO Network Address Translation YgA
oӪDnbiӷPت IP port ഫAP Linux LADnP Linux
D᪺ϰqC
- PREROUTINGGbiѧP_eҭni檺Wh(DNAT/REDIRECT)
- POSTROUTINGGbiѧP_ҭni檺Wh(SNAT/MASQUERADE)
- OUTPUTGPoeXhʥ]
- mangle (}a)GoӪDnOPSʥ]ѺXЦA
Ȧ PREROUTING OUTPUT ALq kernel 2.4.18 [JF INPUT FORWARD C
ѩoӪPSXЬʸAҥH̳oسªҷA֨ϥ mangle oӪC
ҥHApGA Linux O@ www AȡAn}ΤݹA www nD^ANonBz filter INPUT F
ӦpGA Linux O@ϰѾANonR nat UH filter FORWARD ~C]NOA
UӪ檺쵲OYI²檺YiHѤUϳoݡG
9.3-3Biptables ئUP쪺
WϥܫܽILWA¥iHݥXӡAڭ̪ iptables iHTثʥ]yVG
- ʥ]iJ Linux Dϥθ귽 (| A)G
bѧP_TwOV Linux DnDƪʥ]ADnN|zL filter INPUT Ӷi汱ޡF
- ʥ]g Linux DASϥΥD귽AӬOVݥDy (| B)G
bѧP_eiʥ]Yq@~Ao{ʥ]DnOnzLӥhݡAɫʥ]N|zL| B Ӷ]ʡC
]NOAӫʥ]ؼШëDڭ̪ Linux CDngLO filter FORWARD H nat POSTROUTING, PREROUTINGC
o| B ʥ]yVϥαpAڭ̷|b 9.5 p`Ӹja@²檺СC
- ʥ] Linux oeXh (| C)G
Ҧp^ΤݪnDAΪ̬O Linux DʰeXʥ]AOzL| C Ӷ]COzLѧP_A
MwFX|AAzL filter OUTPUT ӶǰeIMA̲٬O|gL nat POSTROUTING C
So{ӡyѧP_zOH]OVAҥHiPXn}ӬݡI]AiJʥ]ݭnѧP_A
eXʥ]M]niѧP_~oeXhڡIAѥGH
ѩ mangle oӪܤֳQϥΡApGN 9.3-3 mangle ܡANeݪhFG
9.3-4Biptables ئUP쪺(²)
zL 9.3-4 ANiHPAѨAƹWP̦O filter oӪ椺 INPUT P OUTPUT
oApGA iptables uOΨӫO@ Linux DܡA nat
WhڥNݭnzLA]w}YiC
LApGAƹWOΨӺި LAN LDܡAANnAw
filter FORWARD oA٦ nat PREROUTING, POSTROUTING H OUTPUT iB~Whqw~C
nat 檺ϥλݭnܲMѷ~]wnAijsnII̦hNO@̶K nat
\yIP ɾ\zNnFI ^_^Ioڭ̦b̫@p`|ЪաI
9.3.4 iptables yk
zפWAAw˦n Linux Atӷ|DʪAҰʤ@ӶKWh~OA
LoӶKiणOڭ̷QnҦA]ڭ̻ݭnB~i@ǭq欰CLAb}li橳UmߤeA
o̦ӫܭnƱni@UC] iptables O|Nʥ]iLoΩתʧ@AҥHA
ФnbݥDWi樾𪺽mA]Aܦi@p߱Nۤvba~I
ɶqbenJ tty1-tty6 ݾimߡA_h``|oʹd@ڡIHeb iptables
ɡAN``]p߳Wh]w~AɭP``nлݪBs}...
责쫥̪ iptables ܤ֦Tӹw] table (filter, nat, mangle)A`ΪO filter A
o]Ow]աCt@ӫhOݥD nat Aܩ mangle ֨ϥΡAҥHoӳ`ڭ̨ä|Q mangleC
ѩP table L̪줣@ˡAɭPϥΪOykΦhΤֳItC
boӤp`Aڭ̥DnNw filter oӹw]檺TӰСCUNӪ@aI
𪺳]wDnϥΪNO iptables oӫOӤwCӨOtκzDnȤ@A
BtΪvT۷jA]yu root ϥ iptables zAO]w٬O[WhI
9.3.4-1
Wh[PM
pGAbw˪ɭԿܨS𪺸ܡA iptables b@}lɭӬOSWhALA
i]Abw˪ɭԴNܨtΦ۰AإߨAtδN|w]WhFI
LצpAڭ̥ӬݬݥثeWhOpaI
[root@www ~]# iptables [-t tables] [-L] [-nv]
ﶵPѼơG
-t G᭱ table AҦp nat filter AYٲءAhϥιw] filter
-L GCXثe table Wh
-n Gi IP P HOSTNAME ϬdAܰTt|֫ܦhI
-v GCXhTA]AqLӳWhʥ]`줸ơB
dҡGCX filter table T쪺Wh
[root@www ~]# iptables -L -n
Chain INPUT (policy ACCEPT) <==w INPUT ABw]Fi
target prot opt source destination <==
RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0 <==Wh RH hˬd
Chain FORWARD (policy ACCEPT) <==w FORWARD ABw]Fi
target prot opt source destination
RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT) <==w OUTPUT ABw]Fi
target prot opt source destination
Chain RH-Firewall-1-INPUT (2 references) <==ۭq쪺Wh
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 <== 1 Wh
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 255 <== 2 Wh
ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0 <== 3 Wh
ACCEPT ah -- 0.0.0.0/0 0.0.0.0/0 <==U@ 9 Wh
ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:631
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:631
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
dҡGCX nat table T쪺Wh
[root@www ~]# iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
|
bWAC@ Chain NOe쪺Co Chain @̭A policy NOw]FA
U target, prot NOH
- targetGNi檺ʧ@A ACCEPT OA REJECT hOڵA~A| DROP () ءI
- protGNϥΪʥ]wADn tcp, udp icmp Tثʥ]榡F
- optGB~ﶵ
- source GNWhOwӡyӷ IPzi歭H
- destination GNWhOwӡyؼ IPzi歭H
bXGAĤ@ӽdҦ]S[W -t ﶵAҥHw]NO filter oӪ椺 INPUT,
OUTPUT, FORWARD T쪺WhoCѩw]WhAINPUT P FORWARD Wh@PA] CentOS
N쪺Whgb@Aܦ@Ӧۭq RH-Firewall-1-INPUT IAon`NOA̫@WhFO REJECT (ڵ) I
ҥHAM INPUT P FORWARD FO (ACCEPT)ALꤣXe 8 Whʥ]|Q 9 WhڵC
LoӫO[uO@Ӯ榡ƪd\AnԲӸCӳWh|eѪRC|ҨӻA
ڭ̱NWzEWh̾ڿXGӻ@UAG|ܦG
- Lץӷ (0.0.0.0/0) BnhؼЪʥ]Aץʥ]榡 (prot all)Aqq
- unO icmp 255 ANH
- unOʥ]榡 esp ANH (S\)
- unOʥ]榡 ah ANH (S\)
- unOnǰeؼЬ 224.0.0.251 B udp f 5353 ANH
- unOǵ port 631 udp ʥ]N
- unOǵ port 631 tcp ʥ]N
- unOʥ]A RELATED,ESTABLISHED NH
- ʥ]Tqqڵ
̦쪺ӬOĤ@WhFA|Ҧʥ]THHpGܡAWhڥN|ιI
WhOȰwCDjպ (lo) աIpGSCXAڭ̴Nܮedo
ҥHAӳijϥ iptables-save oӫO[WhաI] iptables-save
|CX㪺WhAuOèSWƿXӤwC
[root@www ~]# iptables-save [-t table]
ﶵPѼơG
-t GiHȰwYǪӿXAҦpȰw nat filter
[root@www ~]# iptables-save
# Generated by iptables-save v1.3.5 on Wed Jan 26 18:25:15 2011
*filter <==P}YOAo̬ filter
:INPUT ACCEPT [0:0] <==_}YOATؤ@ۭq
:FORWARD ACCEPT [0:0] <==T쪺FO ACCEPT oI
:OUTPUT ACCEPT [4:496]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT <==w INPUT Wh
-A FORWARD -j RH-Firewall-1-INPUT <==w FORWARD Wh
-A RH-Firewall-1-INPUT -i lo -j ACCEPT <==wۭq RH Wh
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Wed Jan 26 18:25:15 2011
|
ѤWXӬݡAuWhA -i lo NO lo diӪʥ]I
oˬݴNMhFI]g줶YڡIe iptables -L -n IoAѥGI
LAJMoӳWhOڭ̷QnAӦpקWhOHijARWhACCإߦUӻݭnWhI
pMWhHo˰NFG
[root@www ~]# iptables [-t tables] [-FXZ]
ﶵPѼơG
-F GMҦwqwWhF
-X GҦϥΪ "ۭq" chain (ӻO tables ^oF
-Z GNҦ chain pƻPyqέpks
dҡGM (filter) ҦWh
[root@www ~]# iptables -F
[root@www ~]# iptables -X
[root@www ~]# iptables -Z
|
ѩoTӫO|N𪺩ҦWhMAo|ܹw]F (policy) A
ҥHpGAObUFoTOɡAܥiA|Qۤvצba~ (Y INPUT ]w DROP )Inp߰ڡI
@ӻAڭ̦bswq𪺮ɭԡA|NWhLMCٰOoڭ̫eͨ쪺A
𪺡yWhǡzOSNqAҥHoA
MMWhAM@@ӳ]w|e@IաCUNӽͽͩwqw]FaI
9.3.4-2
wqw]F (policy)
MWhAAUӴNOn]wWhFաIٰOoFOܡHy
Aʥ]bA]wWhɡAhӫʥ]qLP_AOH Policy
]wzAb譱w]FA]AϥΪ̦HߪܡA
filter INPUT 譱iHwqY@IA FORWARD P OUTPUT
hiHqwP@ǡIq`ON INPUT policy wq DROP աALӫhwq ACCEPTC
ܩ nat table hȮɥz|LC
[root@www ~]# iptables [-t nat] -P [INPUT,OUTPUT,FORWARD] [ACCEPT,DROP]
ﶵPѼơG
-P GwqF( Policy )C`NAo P jgڡI
ACCEPT Gӫʥ]i
DROP Gӫʥ]A| client ݪDQC
dҡGN INPUT ]w DROP AL]w ACCEPT
[root@www ~]# iptables -P INPUT DROP
[root@www ~]# iptables -P OUTPUT ACCEPT
[root@www ~]# iptables -P FORWARD ACCEPT
[root@www ~]# iptables-save
# Generated by iptables-save v1.3.5 on Wed Jan 26 23:41:43 2011
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [24:2120]
COMMIT
# Completed on Wed Jan 26 23:41:43 2011
# ѩ INPUT ]w DROP ӤS|WhAҥHWXGܡG
# Ҧʥ]LkiJADIOq]wI(suOV)
|
ݨXGFaHINPUT QקF]wIL nat table T쪺w]F]w]O@˪觋AҦpGy
iptables -t nat -P PREROUTING ACCEPT zN]wF nat table
PREROUTING 쬰iNIw]F]wAӽͤ@UWhʥ]¦]waC
9.3.4-3
ʥ]¦GIP, Τ˸m
}lӶi樾Whʥ]]waIJMOںAڭ̴Nѳ̰¦ IP, ΰfAYO OSI
ĤThͰ_AAӽͽ˸m (d) Co@p`PU@p`ykA@wnOA]oO̰¦ykI
[root@www ~]# iptables [-AI W] [-io ] [-p w] \
> [-s ӷIP/] [-d ؼIP/] -j [ACCEPT|DROP|REJECT|LOG]
ﶵPѼơG
-AI WGwYiWh "J" "֥["
-A GsW[@WhAӳWhW[b쥻Wh̫᭱CҦp쥻wg|WhA
ϥ -A NiH[WĤWhI
-I GJ@WhCpGSwWhǡAw]OJܦĤ@WhC
Ҧp쥻|WhAϥ -I hӳWhܦĤ@Aӭ쥻|ܦ 2~5
G INPUT, OUTPUT, FORWARD AW٤SP -io AЬݩUC
-io G]wʥ]iXWd
-i Gʥ]ҶiJӺAҦp eth0, lo CݻP INPUT tXF
-o Gʥ]ҶǥXӺAݻP OUTPUT tXF
-p wG]wWhAΩثʥ]榡
Dnʥ]榡G tcp, udp, icmp all C
-s ӷ IP/G]wWhʥ]ӷءAiwª IP Υ]AAҦpG
IP G192.168.0.100
G192.168.0.0/24, 192.168.0.0/255.255.255.0 iC
YWdy\zɡAh[W ! YiAҦpG
-s ! 192.168.100.0/24 ܤ\ 192.168.100.0/24 ʥ]ӷF
-d ؼ IP/GP -s AuLo̫OؼЪ IP κC
-j G᭱ʧ@ADnʧ@(ACCEPT)B(DROP)Bڵ(REJECT)ΰO(LOG)
|
iptables ѼƴNpPWҥܪAȥuͨ IP BP˸mTA
ܩ TCP, UDP ʥ]Sf (port number) PA (p SYN X) hbUp`~|ͨC
nAڭ̨Ӭݬݳ̰¦XӳWhAҦp} lo oӥHάY IP ӷaI
dҡG]w lo H˸mAYiX lo ʥ]H
[root@www ~]# iptables -A INPUT -i lo -j ACCEPT
|
JӬݤWèSCX -s, -d WhAoܡGʥ]ӦۦBΥh̡AunOӦ
lo oӤANHIo[nANOySwءAhܸӶاzNI
ҦpoӮרҷA -s, -d...ѼƨSWwɡANNפȳ|QoC
oNOҿתH˸mաIpADiAӺdA𫟺@iO鷺A]ӺdN eth1 nFA
pGOiHAӺdiXʥ]Nqq|QAANΡGyiptables -A INPUT -i eth1 -j ACCEPTz
ӱNӸ˸m]wH˸mCLAUFoӫOenSO`NA]o˵ӺdSƤFI
dҡGunOӦۤ (192.168.1.0/24) ʥ]qq
[root@www ~]# iptables -A INPUT -i eth0 -s 192.168.1.0/24 -j ACCEPT
# ѩONA]]iH٤yHzoC
dҡGunOӦ 192.168.0.1 NA 192.168.1.20 oӴcNӷN
[root@www ~]# iptables -A INPUT -i eth0 -s 192.168.0.1 -j ACCEPT
[root@www ~]# iptables -A INPUT -i eth0 -s 192.168.1.20 -j DROP
# w@ IP ӷAiHDΪ̬OHcNӷI
[root@www ~]# iptables-save
# Generated by iptables-save v1.3.5 on Fri Jan 28 14:25:09 2011
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [17:1576]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.1.0/255.255.255.0 -i eth0 -j ACCEPT
-A INPUT -s 192.168.0.1 -i eth0 -j ACCEPT
-A INPUT -s 192.168.1.20 -i eth0 -j DROP
COMMIT
# Completed on Fri Jan 28 14:25:09 2011
|
oNO̳²檺Wh]wP[觋CLAbWרҤAA]o{즳WhiD
NOWSr_ӪWhǡCwgF 192.168.1.0/24 FAҥH 192.168.1.20 WhNi|QΨI
oNOD]wڡIAѥGHӫHNڡI@_@IpGAQnOYӳWhHiHo˰G
[root@www ~]# iptables -A INPUT -s 192.168.2.200 -j LOG
[root@www ~]# iptables -L -n
target prot opt source destination
LOG all -- 192.168.2.200 0.0.0.0/0 LOG flags 0 level 4
|
ݨXG̥A|X{O LOG Iunʥ]Ӧ 192.168.2.200 o IP ɡA
ӫʥ]TN|QgJ֤߰TAYO /var/log/messages oɮC
Mӫʥ]|~iWhCҥHA
LOG oӰʧ@ȦbiOӤwAä|vToӫʥ]LWh諸C
nFAUӧڭ̤OӬݬ TCP,UDP H ICMP ʥ]LWhaI
9.3.4-4
TCP, UDP WhGwf]w
ڭ̦bĤG¦LUؤPʥ]榡A
bͨ TCP P UDP ɡASNOӰf (port)Ab TCP 譱ht~ҿתsuʥ]AA
]A̱` SYN Dʳsuʥ]榡Cpwoثʥ]榡i樾Wh]wOHAiHoˬݡG
[root@www ~]# iptables [-AI ] [-io ] [-p tcp,udp] \
> [-s ӷIP/] [--sport fd] \
> [-d ؼIP/] [--dport fd] -j [ACCEPT|DROP|REJECT]
ﶵPѼơG
--sport fdGӷfXAfXiHOsAҦp 1024:65535
--dport fdGؼЪfXC
|
ƹWNOhF --sport --dport oӪNAIb port WաI
LAonSO`NA]Ȧ tcp P udp ʥ]㦳fA]AQnϥ
--dport, --sport ɡAon[W -p tcp -p udp ѼƤ~|\IUڭ̨ӶiXӤpաG
dҡGQnsuiJ port 21 ʥ]ױG
[root@www ~]# iptables -A INPUT -i eth0 -p tcp --dport 21 -j DROP
dҡGQsڳoD (upd port 137,138 tcp port 139,445) N
[root@www ~]# iptables -A INPUT -i eth0 -p udp --dport 137:138 -j ACCEPT
[root@www ~]# iptables -A INPUT -i eth0 -p tcp --dport 139 -j ACCEPT
[root@www ~]# iptables -A INPUT -i eth0 -p tcp --dport 445 -j ACCEPT
|
@IAiHQ UDP P TCP wҾ֦fXӶiYǪAȪ}IA٥iHXBzOIҦpGunӦ
192.168.1.0/24 1024:65535 fʥ]ABQnsu쥻 ssh port NHסAiHo˰G
[root@www ~]# iptables -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 \
> --sport 1024:65534 --dport ssh -j DROP
|
pGѰO[W -p tcp NϥΤF --dport ɡA|oԣDOH
[root@www ~]# iptables -A INPUT -i eth0 --dport 21 -j DROP
iptables v1.3.5: Unknown arg `--dport'
Try `iptables -h' or 'iptables --help' for more information.
|
Aӷ|ıoܩ_ǡAy --dport z|OѼ (arg) OHoO]AS[W -p tcp -p udp
tGڡIܭnI
Ff~Ab TCP ٦SXаڡI̱`NOӥDʳsu SYN XФFC
ڭ̦b iptables ̭٤䴩y --syn zBz觋Aڭ̥HUҤlӻnFG
dҡGNӦۥaӷ port 1:1023 Dʳsu쥻ݪ 1:1023 su
[root@www ~]# iptables -A INPUT -i eth0 -p tcp --sport 1:1023 \
> --dport 1:1023 --syn -j DROP
|
@ӻAclient ݱҥΪ port Oj 1024 HWfA server ݫhOҥΤp 1023
HUfbťCҥHڭ̥iHӦۻݪp 1023 HUfƪDʳsuLI
AΦb FTP DʳsuIoڭ̥Ӧb FTP `AӽͧaI
9.3.4-5
iptables ~ҲաGmac P state
b kernel 2.2 Heϥ ipchains zɡAq`|tκz۷YhI] ipchains
Sҿתʥ]AҲաA]ڭ̥nwʥ]iBXViޱC|ҨӻApGAQnsu컷ݥD
port 22 ɡAAnwWhӳ]wG
- ݪ 1024:65535 컷ݪ port 22 n (OUTPUT )F
- ݥD port 22 쥻 1024:65535 (INPUT )F
o|ܳ·СI]pGAnsu 10 D port 22 ɡA] OUTPUT w]} (ACCEPT)A
A»ݭngQWhAQݥD port 22 iHsuAaݥDWC
pG}ҥ port 22 OHS߬YǴcND|DʥH port 22 suAWI
P˪DzApGAnaݥDiHs~ port 80 (WWW A)ANoF
oNOsuOV@ӫܭnI
nbڭ̪ iptables KFoӧxZILiHzL@ӪAҲըӤR
yoӷQniJʥ]O_ڵoXh^Hz
pGOڵoXh^ANiHHIzIuΡIo˴NκݥDO_suiӪDFI
pFOHݬݩUykG
[root@www ~]# iptables -A INPUT [-m state] [--state A]
ﶵPѼơG
-m G@ iptables ~ҲաADn`G
state GAҲ
mac Gdw} (hardware address)
--state G@ǫʥ]AADnG
INVALID GLĪʥ]AҦpƯ}lʥ]A
ESTABLISHEDGwgsu\suAF
NEW GQnsإ߳suʥ]AF
RELATED Goӳ̱`ΡIܳoӫʥ]OPڭ̥DoeXhʥ]
dҡGunwإߩάʥ]NHqLAunOXkʥ]N
[root@www ~]# iptables -A INPUT -m state \
> --state RELATED,ESTABLISHED -j ACCEPT
[root@www ~]# iptables -A INPUT -m state --state INVALID -j DROP
|
p@ӡAڭ̪ iptables N|DʤRXӫʥ]O_^AAYOܡANHCI
oˤ@ӧANݭnw^ʥ]ӼgӧOWhFIouOӴΤFIUڭ~ͤ@U iptables t@ӥ~A
NOwdӶiPmG
dҡGwϰ aa:bb:cc:dd:ee:ff D}su
[root@www ~]# iptables -A INPUT -m mac --mac-source aa:bb:cc:dd:ee:ff \
> -j ACCEPT
ﶵPѼơG
--mac-source GNOӷD MAC աI
|
pGAϺYǺAѬOiHzLק IP hճzLѾ~]AAӫH
DNӰϺڵHäݭnAAiHzLeͨ쪺 ARP Ah쨺D MAC AMzLWYoӾA
NӥD DROP YiCޥLF IP ADLDAOκd MAC ӺzA_hLNOXhաIAѥGH
MAC ]OiH˪AiHzLYdznӭקd MACCLAo̧ڭ̬O] MAC OLkק諸pӻC
~AMAC OѪA]WzרҤ~SOObϺAӤO Internet ~ӷI
9.3.4-6
ICMP ʥ]WhGwO_^ ping ӳ]p
bĤG ICMP wڭ̪D
ICMP ۷hAӥBܦh ICMP ʥ]OFnΨӶi˴ΪIҥH̦nnNҦ ICMP
ʥ]IpGOѾDɡAq`ڭ̷| ICMP type 8 (echo request)
ӤwAݥDDڭ̬O_sbA]| ping ^NOFCICMP ʥ]榡BzOo˪G
[root@www ~]# iptables -A INPUT [-p icmp] [--icmp-type ] -j ACCEPT
ﶵPѼơG
--icmp-type G᭱n ICMP ʥ]A]iHϥΥNA
Ҧp 8 N echo request NC
dҡG 0,3,4,11,12,14,16,18 ICMP type iHiJG
[root@www ~]# vi somefile
#!/bin/bash
icmp_type="0 3 4 11 12 14 16 18"
for typeicmp in $icmp_type
do
iptables -A INPUT -i eth0 -p icmp --icmp-type $typeicmp -j ACCEPT
done
[root@www ~]# sh somefile
|
o˴N} ICMP ʥ]榡iJi˴u@FILApGADO@ϺѾA
ij icmp ʥ]٬Onqq~nIoO]Τ˴ɡA``|ϥ ping ӴըѾuO_ZqGI
ҥHnNѾ icmp A|pաI
9.3.4-7
WKΤݨ]pPWhxs
gLWz iptables ykRAUӧڭ̨ӷQQApGbΤݥBѺAȪ Linux ɡA
Aӭnp]pAOHѹ껡AAunRL CentOS w]WhN|DFAzפWA
ӭnWhpUG
- WhksGMҦwgsbWh (iptables -F...)
- w]FGF INPUT oӦۭq] DROP ~ALw] ACCEPTF
- HGѩ lo 糧ӻO۷nA] lo ]wH˸mF
- ^ʥ]GDʦV~nDӦ^ʥ]iHiJ (ESTABLISHED,RELATED)
- HΤGoODnApGAQnϺӷiΧAD귽
oNO̶̳KAAiHzLĤGBJשҦݪӷʥ]AӳzLĥ|BJAnDݥD^ʥ]iHiJA
[W lo oӤj˸miHAKKI@ client MΪWhN OK FIAiHbY script
Wo˰YiG
[root@www ~]# vim firewall.sh
#!/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin; export PATH
# 1. MWh
iptables -F
iptables -X
iptables -Z
# 2. ]wF
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
# 3~5. qUWh
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
#iptables -A INPUT -i eth0 -s 192.168.1.0/24 -j ACCEPT
# 6. gJWh]w
/etc/init.d/iptables save
[root@www ~]# sh firewall.sh
bxsWh /etc/sysconfig/iptables: [ Tw ]
|
]O@ӪAȡAAiHzLychkconfig --list iptableszhݴNDFC
]AAoק諸Uس]wQnbU}٫OsANoniy /etc/init.d/iptables save zoӫO[ѼơC
]A{bONxsʧ@gJo firewall.sh }A¨oI{bAA Linux Dwg۷O@FA
uOpGQn@AAΪ̬O@ѾANonۦ[WYǦۭqWhoC
ѹ껡ApGA Linux xܡAhק /etc/sysconfig/iptables MN iptables oӪA restartA
AWhNO|b}sboILAӤH٬Owg scripts NOFC
qnWhMNOnoIpթOH
- ѥDV~DʳsuլݬݡF
- AѨp줺 PC V~DʳsuլݬݡF
- ̫A Internet WDADʳsuA Linux DլݬݡF
@B@B@UӡAݬݰDXb̡AMhhhiB}IWAWثeܦhƥiHѧAѦҤFI
o@g]wgO²Aj٦bжqӤwIƱjaUI
bѦҸ(2)CXXӦΪAƱjaůunhhhݬݡI|ܦUI
9.3.5 IPv4 ֤ߺz\G
/proc/sys/net/ipv4/*
F iptables oӨn𫗪~Aꫥ Linux kernel 2.6 ѫܦh֤߹w]I
ѩO֤ߪ\AҥH]wƳOmb /proc/sys/net/ipv4/ oӥؿC
ܩӥؿUUɮתԲӸơAiHѦҮ֤ߪG
- /usr/src/linux-{version}/networking/ip-sysctl.txt
WoӻƥiH http://www.kernel.org oӺU@Ӯ֤߭lXAYNݨC
o̤]@ƥG
쪺ӭnۦhd@dnIڭ̩UNX²檺ɮרӧ@aI
/proc/sys/net/ipv4/tcp_syncookies
ڭ̦be@ͨҿת_A (DoS)
k@ؤ觋ANOQ TCP ʥ]
SYN TV洤zҹFA
oؤ觋٬ SYN Flooding Cpwoؤ觋OHڭ̥iHҥή֤ߪ SYN Cookie ҲհڡI
o SYN Cookie ҲեiHbtΥΨӱҰHsuf (1024:65535) YNΧɦ۰ʱҰʡC
Ұ SYN Cookie ɡADboe SYN/ACK T{ʥ]eA|nD
Client ݦbuɶ^Ф@ӧǸAoӧǸ]t\h쥻 SYN ʥ]TA]A IPBport CY Client
ݥiH^ХTǸADNTwӫʥ]iHA]|oe SYN/ACK ʥ]A_hNz|@ʥ]C
zL@iHjjCLĪ SYN ݰfAקK SYN Flooding DoS I
pҰʳoӼҲթOH²Ao˰YiG
[root@www ~]# echo "1" > /proc/sys/net/ipv4/tcp_syncookies
|
Ooӳ]wȥѩH TCP TV洤 (]Dboe SYN/ACK eݭn client Ǹ^)A
ҥHi|yYǪAȪ{HAҦp SMTP (mail server)C
L`ӻAoӳ]w٬OΪI
uOAXΦbtwgܰAI
]tӰDɷ|֤~PD SYN Flooding OC
pGOFtΪ TCP ʥ]sųΤơAhiHѦ tcp_max_syn_backlog,
tcp_synack_retries, tcp_abort_on_overflow oXӳ]wȪNqC
/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
_Aȱ`O SYN Flooding ALAڭ̪DtΨiHϥ ping ^A
ping ʥ]ƶqOiHܤjIQ@ӪpA
pGӷd}aHϥ 1000 xDǰe ping ADAӥBC ping FƦ K bytesɡA
AWe|ˡHnNOWeQYAnitη|I
oؤ觋OQ٬ ping flooding (_o ping) ping of death (oej ping ʥ])C
pקKOH ICMP 8 ICMP ʥ]^NOFCڭ̥iHzLөסA
o]Oij觋CM]iH֤ߦ۰ʨ ping ^CLAnAѡA
Yǰϰ`A (ҦpʺA IP t DHCP w) |ϥ ping
觋ӰO_ƪ IP AҥHA̦nnҦ ping ^nC
֤ߨ ping ^]wȦӡAOOG/proc/sys/net/ipv4 icmp_echo_ignore_broadcasts
(Ȧ ping broadcast }ɤ~ ping ^)
icmp_echo_ignore_all ( ping ^)Cij]w icmp_echo_ignore_broadcasts NnFC
AiHoG
[root@www ~]# echo "1" > \
> /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
|
/proc/sys/net/ipv4/conf//*
̪֤٥iHw藍Pi椣@˪ѼƳ]wI]wmb
/proc/sys/net/ipv4/conf/ ACӤHNNAҦp eth0 ]wƦb
/proc/sys/net/ipv4/conf/eth0/ C]wƦǤݭn`NOH
jUoXӡG
- rp_filterG٬fV|Lo (Reverse Path Filtering)A
iHǥѤRѸTtXʥ]ӷ}AӤRӫʥ]O_XzC|ҨӻAAidAeth0
192.168.1.10/24 Aeth1 public IP C@ӫʥ]ۺ٨Ӧ eth1 AO IP ӷ 192.168.1.200 A
oӫʥ]NXzAHCoӳ]wȫijiHҰʪC
- log_martiansGoӳ]wƥiHΨӱҰʰOXk IP ӷA
|ҨӻA]Aӷ 0.0.0.0B127.x.x.xB Class E IP ӷA]oǨӷ IP Ω Internet ڡC
Oƹw]m֤ߩmn /var/log/messagesC
- accept_source_routeGγ\YǸѾ|Ұʳoӳ]wȡA
Lثe]ƫܤ֨ϥΨoبӷѡAAiHoӳ]wȡC
- accept_redirectsGAbP@ӹ줺[]@ѾA
oӹ즳 IP AҦp 192.168.0.0/24, 192.168.1.0/24CɧA 192.168.0.100 QnV
192.168.1.100 ǰeTɡAѾi|ǰe@ ICMP redirect ʥ]i 192.168.0.100 ǰeƵ
192.168.1.100 YiAӤݳzLѾC] 192.168.0.100 P 192.168.1.100TObP@ӹuW
(̥iHq)AҥHѾ|iӷ IP ϥγ̵u|hǻơCⳡDbP IP
qAoOLkڶǻTIoӳ]w]i|ͤ@ǻLwIAҥHijLC
- send_redirectsGPW@AuOȬoe@ ICMP redirect ʥ]C
P˫ijC(ƹWANgFo ICMP redirect D˸I redirect oӶاYiڡI)
MAiHϥΡy echo "1" > /proc/sys/net/ipv4/conf/???/rp_filter zkӱҰʳoӶءALA
ijקtγ]wȡANO /etc/sysctl.conf oɮסI]ڭ̶Ȧ eth0 oӤAӤAӥBWz\nqqҰʡA
AiHo˰G
[root@www ~]# vim /etc/sysctl.conf
# Adding by VBird 2011/01/28
net.ipv4.tcp_syncookies = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
....(HUٲ)....
[root@www ~]# sysctl -p
|
ФFohykP`NƶAשnӬ[]FC٬Onϥθ}ӼgA
MzL̲ת /etc/init.d/iptables save ӱNGxs /etc/sysconfig/iptables hI
ӥB@S٥iHΦbIsL scripts AiHWh㦳FϥΤ觋C
nFANӽͽͦp]w̪WhaI
9.4.1 Wh
UЪoӨAiHΨӧ@ѾWA]iHΨӧ@C
]wsupPUϩҥܡA Linux D]O LAN ѾIYO@²檺 IP
ɾ\աI]UoǡG
- ~ϥ eth1 (pGOAiO ppp0AаwAҨӳ]w)F
- ϥ eth0 ABϥ 192.168.1.0/24 o Class F
- Dw]}AȦ WWW, SSH, https F
9.4-1B@ӰϰѾ[cܷN
ѩƱNH (LAN) PH (Internet) Ӥ}@IA
ҥHƱAiHb Linux Ww˨HWdANdbPAo˥iHקKܦhDC
ܩ̭nFOGyҦsuAȶ}SwAzҦC
ӥB]ϥΪ̤wgL}nVmA]b filter table Tӹw]FOG
- INPUT DROP
- OUTPUT FORWARD ACCEPT
UwpѪy{Oo˪G
9.4-2BWhy{ܷN
hWA LAN DPD}ܰA] Output P Forward
O}zIpaxDOiHA]ڭ̤qƶqhAӥBHOxA
ҥHݭnSO[HޡIOGybj~Ao˪WOܤX檺A
]AOҤҦHiHӧAWwӨϥ Network Iz]NOyazrI
]A˪ҳs Output P Forward ݭnSO[Hz~I
9.4.2 ڳ]w
ƹWAڭ̦b]w𪺮ɭԡAӥi|@Ӥ@ӫOJAq`OQ shell scripts
ڭ̹Fo˪\oIUOQΤWy{ϩҳWXӪ}AAiHѦҬݬݡA
OAݭnNҭק令AXAۤvҤ~I~AFӭק@KAN script TAOOG
- iptables.ruleG]w̰WhA]AMWhBJҲաB]wAȥiF
- iptables.denyG]wYǴcNDiJF
- iptables.allowG]w\YǦۭqӷDI
ӤHߺDONoӸ}m /usr/local/virus/iptables ؿUAA]iHۦmۤvߺDmhC
UN@@o}OgaI
[root@www ~]# mkdir -p /usr/local/virus/iptables
[root@www ~]# cd /usr/local/virus/iptables
[root@www iptables]# vim iptables.rule
#!/bin/bash
# ХJzѼơAnJ~FI
EXTIF="eth1" # oӬOiHsW Public IP
INIF="eth0" # LAN sFYLhg INIF=""
INNET="192.168.1.0/24" # YL줶Aжg INNET=""
export EXTIF INIF INNET
# Ĥ@Aw糧]wI##########################################
# 1. ]wn֤ߪ\G
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
for i in /proc/sys/net/ipv4/conf/*/{rp_filter,log_martians}; do
echo "1" > $i
done
for i in /proc/sys/net/ipv4/conf/*/{,accept_source_route,accept_redirects,\
send_redirects}; do
echo "0" > $i
done
# 2. MWhB]ww]Fζ} lo P]w
PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/sbin:/usr/local/bin; export PATH
iptables -F
iptables -X
iptables -Z
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# 3. ҰB~ script Ҳ
if [ -f /usr/local/virus/iptables/iptables.deny ]; then
sh /usr/local/virus/iptables/iptables.deny
fi
if [ -f /usr/local/virus/iptables/iptables.allow ]; then
sh /usr/local/virus/iptables/iptables.allow
fi
if [ -f /usr/local/virus/httpd-err/iptables.http ]; then
sh /usr/local/virus/httpd-err/iptables.http
fi
# 4. \Y ICMP ʥ]iJ
AICMP="0 3 3/4 4 11 12 14 16 18"
for tyicmp in $AICMP
do
iptables -A INPUT -i $EXTIF -p icmp --icmp-type $tyicmp -j ACCEPT
done
# 5. \YǪAȪiJAШ̷ӧAۤvҶ}
# iptables -A INPUT -p TCP -i $EXTIF --dport 21 --sport 1024:65534 -j ACCEPT # FTP
# iptables -A INPUT -p TCP -i $EXTIF --dport 22 --sport 1024:65534 -j ACCEPT # SSH
# iptables -A INPUT -p TCP -i $EXTIF --dport 25 --sport 1024:65534 -j ACCEPT # SMTP
# iptables -A INPUT -p UDP -i $EXTIF --dport 53 --sport 1024:65534 -j ACCEPT # DNS
# iptables -A INPUT -p TCP -i $EXTIF --dport 53 --sport 1024:65534 -j ACCEPT # DNS
# iptables -A INPUT -p TCP -i $EXTIF --dport 80 --sport 1024:65534 -j ACCEPT # WWW
# iptables -A INPUT -p TCP -i $EXTIF --dport 110 --sport 1024:65534 -j ACCEPT # POP3
# iptables -A INPUT -p TCP -i $EXTIF --dport 443 --sport 1024:65534 -j ACCEPT # HTTPS
# ĤGAwݥD]wI###############################
# 1. J@ǦΪҲ
modules="ip_tables iptable_nat ip_nat_ftp ip_nat_irc ip_conntrack
ip_conntrack_ftp ip_conntrack_irc"
for mod in $modules
do
testmod=`lsmod | grep "^${mod} " | awk '{print $1}'`
if [ "$testmod" == "" ]; then
modprobe $mod
fi
done
# 2. M NAT table WhaI
iptables -F -t nat
iptables -X -t nat
iptables -Z -t nat
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
# 3. }ѾAB IP ɾI
if [ "$INIF" != "" ]; then
iptables -A INPUT -i $INIF -j ACCEPT
echo "1" > /proc/sys/net/ipv4/ip_forward
if [ "$INNET" != "" ]; then
for innet in $INNET
do
iptables -t nat -A POSTROUTING -s $innet -o $EXTIF -j MASQUERADE
done
fi
fi
# pGA MSN @LksuAΪ̬OYǺ OK YǺ OKA
# iO MTU DAAiHNUo@浃LѨӱҰ MTU d
# iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss \
# --mss 1400:1536 -j TCPMSS --clamp-mss-to-pmtu
# 4. NAT Aݪ LAN ~A]w
# iptables -t nat -A PREROUTING -p tcp -i $EXTIF --dport 80 \
# -j DNAT --to-destination 192.168.1.210:80 # WWW
# 5. S\A]A Windows ݮୱҲͪWhA]ୱD 1.2.3.4
# iptables -t nat -A PREROUTING -p tcp -s 1.2.3.4 --dport 6000 \
# -j DNAT --to-destination 192.168.1.100
# iptables -t nat -A PREROUTING -p tcp -s 1.2.3.4 --sport 3389 \
# -j DNAT --to-destination 192.168.1.100
# 6. ̲ױNoǥ\xsUӧaI
/etc/init.d/iptables save
|
SOdNW{XSr鳡AWAAunק@ṲW𫍧A
ӴNB@oӨFCL]CӤHҳۦPA
]Ab]wA»ݭnդ@U~IMAXFDnǧڰڡI....
AӬݤ@U iptables.allow eOpHpڭn@ 140.116.44.0/24
oӺ쪺ҦDӷiHiJڪDܡAoɮתeiHgoˡG
[root@www iptables]# vim iptables.allow
#!/bin/bash
# UhgA\iJLΥDڡI
iptables -A INPUT -i $EXTIF -s 140.116.44.0/24 -j ACCEPT
# UhOתɮ׳]wkI
[root@www iptables]# vim iptables.deny
#!/bin/bash
# UgOyAnתөNNIz
iptables -A INPUT -i $EXTIF -s 140.116.44.254 -j DROP
[root@www iptables]# chmod 700 iptables.*
|
NoTɮתv]w 700 Buݩ root vAN iptables.rule oI
Ln`NOAbWרҷAw]NҦAȪqDOI
ҥHAn𪺲 5 BJBN@ǵѲŸ (#) Ѷ}~C
P˪ApGLh port Qn}ҮɡA@˻ݭnW[B~Wh~I
LA٬OpPeڭ̩һAo firewall ȯണѰw@ALDٻݭnAմթOI
~ApGAƱ@}N۰ʰo script ܡAбNoɮתɦWgJ /etc/rc.d/rc.local
AIUoˡG
[root@www ~]# vim /etc/rc.d/rc.local
....(Lٲ)....
# 1. Firewall
/usr/local/virus/iptables/iptables.rule
|
ƹWAoӸ}̩Uwg[JgJw]Whɪ\AҥHAun@AN֦̥TWhFI
Wz rc.local ȬOwU@ӤwC ^_^IWzTɮЧAnb Windows tΤWs~ǰe Linux
WB@A] Windows tΪ_rDANiɭPɮLkCijA쩳UhUAǰe Linux iHQ
dos2unix Ohഫ_rIN|DI
oNO@ӳ²BKCPɡAoӨ٥iH㦳̶K IP ɾ\OI
]NOb iptables.rule oɮĤGFC
oڭ̦bU@`|A~ЪC
IIIשӨoӦaFIڭ̷dzƭn[]@ѾAAN٤ NAT AC
NAT OOH²檺AAiH٥L LAN Dy IP ɾzաI
NAT WO
Network Address TranslationArWNOy}ഫzCѦrWNڭ̨ӷQ@QA
TCP/IP ʥ]O IP }ܡH IP }OӷPتܡHڭ̪ iptables ONק IP ʥ]YơA
KKIsؼЩΨӷ IP }iHקOIƦܳs TCP ʥ]Y port number ]קIuOI
NAT A\iHF 9.1-2ҤЪ IP ɪ\ध~A
٥iHF 9.1-4ҤЪ DMZ (Dxư) \IoMڭ̪ NAT OקG
(1)ӷ IP ٬O (2)ؼ IP IUڭ̴NӲ@aI ^_^
9.5.1 O NATH SNATH DNATH
bͨ NAT ڹB@eAڭ̦AӬݤ@U²檺ʥ]zL iptables
ӶǰeݥDPy{(ЩeѦ 9.3-4)C
Gup 9.1-2[cAY LAN @DQnǰeʥ]XhɡA
oӫʥ]npzL Linux DӶǰeXhHLOo˪G
- gL NAT table PREROUTING F
- gѸѧP_Twoӫʥ]OniJP_AYiJAhU@BF
- AgL Filter table FORWARD F
- qL NAT table POSTROUTING A̫ǰeXhC
NAT AINbWy{ 1,4 BJA]NO NAT table nGPREROUTING P POSTROUTINGC
o즳n\OHIbק IP IOoק諸 IP O@˪I
POSTROUTING bקӷ IP APREROUTING hbקؼ IP C
ѩק諸 IP @ˡAҥHN٬ӷ NAT (Source NAT, SNAT) Υؼ NAT
(Destination NAT, DNAT)Cڭ̥ӽͤ@ IP ɾ\ SNAT aI
ӷ NAT, SNATGקʥ]Yyӷz
AӦťL IP ɾoӪNALiHAax̪nXDPɳzL@ ADSL su Internet WA
Ҧp 9.1-2su觋ӻA Linux DNO IP ɾաILOpF IP
ɪ\HNOzL NAT 檺 POSTROUTING ӳBzC]AGup 9.1-2ҥܡA
NAT AOpBzoӫʥ]OH
![SNAT ʥ]ǰeXhܷN](/linux_server/0250simple_firewall//nat_01.png "SNAT ʥ]ǰeXhܷN")
9.5-1BSNAT ʥ]ǰeXhܷN
pWϩҥܡAbΤ 192.168.1.100 oDnsu http://tw.yahoo.com hɡALʥ]Y|pܤơH
- ΤݩҵoXʥ]YAӷ|O 192.168.1.100 AMǰe NAT oDF
- NAT oD (192.168.1.2) oӫʥ]A|DʤRYơA
]YܥتëD Linux AҥH}lgLA
Nʥ]iHs Internet Public IP BF
- ѩ private IP P public IP बqAҥH Linux DzL
iptables NAT table Postrouting Nʥ]Yӷ˦ Linux Public
IP AåBNӤPӷ (192.168.1.100 public IP) ʥ]gJȦsOA
MNʥ]ǰeXhFF
Internet Wݨoӫʥ]ɡAu|Doӫʥ]Ӧۨ Public IP ӤDOӦۤաC
nFApG Internet ^ǫʥ]OHS|@H
![SNAT ʥ]ܷN](/linux_server/0250simple_firewall//nat_02.png "SNAT ʥ]ܷN")
9.5-2BSNAT ʥ]ܷN
- b Internet WDoӫʥ]ɡA|N^ƶǰe Public IP DF
- Linux NAT AӦ Internet ^ʥ]A|Rӫʥ]ǸAäOOơA
ѩo{ӫʥ]ݥDeǰeXhA]b NAT Prerouting
줤A|Nؼ IP ק令ݥDAY 192.168.1.100AMo{ؼФwgO (public IP)A
ҥH}lzLѤRʥ]yVF
- ʥ]|ǰe 192.168.1.2 oӤAMAǰe̲ץؼ 192.168.1.100 WhI
gLoӬy{AANiHo{AҦ LAN DiHzLo NAT AsuXhA
Ӥjab Internet Wݨ쪺OP@ IP (NO NAT D public IP աI)A
ҥHApG LAN DSsWܡADO㦳@w{תwʪաI
] Internet WLDSkDʧA LAN PC IҥHڭ̤~|A
NAT ²檺\NO IP ɾաI]O SNAT @ءC
NAT APѾԣPHWANAT A@wOѾALA NAT Aѩ|ק IP YơA
]Pʥ]ѾPC̱` IP ɾNO@ӸѾAOo IP ɾ@w|@
Public IP P@ Private IPA LAN Private IP iHzL IP ɾ Public IP ǰeXhI
ܩѾq`䳣O Public IP ΦPɬ Private IPC
ؼ NAT, DNATGקʥ]YyؼСz
SNAT DnOI LAN s Internet ϥΤ觋Aܩ DNAT
hDnΦbDQn[]iH Internet sAաI
NI 9.1-4 DMZ AڡIU]ӽͤ@ DNAT B@aI
![DNAT ʥ]ǰeܷN](/linux_server/0250simple_firewall//nat_03.png "DNAT ʥ]ǰeܷN")
9.5-3BDNAT ʥ]ǰeܷN
pWϩҥܡA]ڪD 192.168.1.210 ҰʤF WWW AȡAoӪAȪ port }Ҧb port 80 A
Internet WD (61.xx.xx.xx) npsڪAOHMաA
٬OonzL Linux NAT AIҥHo Internet Wnsڭ̪ NAT public IP ~C
- ~DQnsتݪ WWW AȡAhnsڭ̪ NAT AWYF
- ڭ̪ NAT Awg]wnnRX port 80 ʥ]AҥH NAT Aoӫʥ]A
|Nؼ IP public IP 令 192.168.1.210 ABNӫʥ]TOUӡAݤA^F
- Wzʥ]bgLѫAӨ private BAMzL LAN ǰe 192.168.1.210 WYI
- 192.186.1.210 |^Ƶ 61.xx.xx.xx AoӦ^M|ǰe 192.168.1.2 WYhF
- gLѧP_AӨ NAT Postrouting AMzLĤGBJOANӷ IP 192.168.1.210
אּ public IP ANiHǰeXhFI
ӨBJXGN SNAT ϦVǰeIoNO DNAT oI²aI
9.5.2 ̶K NAT AG
IP ɥ\
b Linux NAT AAȷA̱`NO 9.1-2 IP ɾ\FC
ӥѭ𫍧ЧA]ӪDAo IP ɾ\NO SNAT աI@δNuOb iptables
NAT AӸѫ᪺ POSTROUTING i IP ˴NOFCt~A
A]nAѡAA NAT An@ public IP AHΤ@Ӥ LAN s
private IP ~CUdҤA]Oo˪G
- ~ϥ eth1 AoӤ㦳 public IP F
- ϥ eth0 A]o IP 192.168.1.2 F
OIAQΫeXͨ쪺ƨӳ]wAѼƫAȥniѪ˴A
]b NAT A]w譱A̮eXaNOѤFIרOb ppp0 oӹ~ҤUA
oӰDYCϥAnOoGypGA public IP o觋O
cable modem ɡAA]w /etc/sysconfig/network, ifcfg-eth0, ifcfg-eth1
ɮסAdUn]w GATEWAY աIz_hN|X{ default gateway AϦӷ|yDC
pGAwgUF iptables.rule Aɮפwgt NAT }FI
AiHݨɮתĤG NAT AAӦݨ쩳UoXG
iptables -A INPUT -i $INIF -j ACCEPT
# o@欰DnADnتO LAN ϥ NAT A귽C
# 𫟺 $INIF bҤ eth0
echo "1" > /proc/sys/net/ipv4/ip_forward
# WYo@hObA Linux 㦳 router O
iptables -t nat -A POSTROUTING -s $innet -o $EXTIF -j MASQUERADE
# o@INO[J nat table ʥ]ˡIҤ $innet O 192.168.1.0/24
# $EXTIF hO~AҤ eth1
|
Ibӡy MASQUERADE zIoӳ]wȴNOy IP ˦ʥ]Xh
(-o) ˸mW IP zIHWҤlӻANO $EXTIF A]NO eth1 աI
ҥHʥ]ӷunӦ $innet (]NO LAN LD) Aunӫʥ]izL eth1 ǰeXhA
N|۰ʪק IP ӷY eth1 public IP աINo²I
AunN iptables.rule UAó]wnAB~A
iptables.rule AA Linux N֦DH NAT A\FI
|
DG
pPWҭzרҡAA LAN L PC ӭnp]wѼơH
G
ר²ڡAN NAT A@ PC GATEWAY YiIunOoUѼƭȡG
- NETWORK 192.168.1.0
- NETMASK 255.255.255.0
- BROADCAST 192.168.1.255
- IP iH]w 192.168.1.1 ~ 192.168.1.254 AiơI
- qTh (Gateway) ݭn]w 192.168.1.2 (NAT A Private IP)
- DNS (/etc/resolv.conf) ݳ]w 168.95.1.1 (Hinet) 139.175.10.20 (Seed Net)A
oӽШ̧A ISP өwF
|
ƹWAF IP (MASQUERADE) ~Aڭ٥iHwק IP ʥ]Yӷ IP OI
|ҨӻApUoӨҤlG
|
DG
]~ IP Tw 192.168.200.250 AYQϥΰˡAӦpBzH
G
iptables -t nat -A POSTROUTING -o eth1 -j SNAT \
--to-source 192.168.200.250
|
|
DG
]A NAT A~ IP nXӡAAQnyϥΤP IP ɡASӦp]wH|ҨӻAA IP d
192.168.200.210~192.168.200.220
G
iptables -t nat -A POSTROUTING -o eth1 -j SNAT \
--to-source 192.168.200.210-192.168.200.220
|
oˤ]iHקʥ]ӷ IP ƳILADAϥΪOTw IP ABh IP iH~suA_h@ϥ
IP ˧YiAݭnϥΨo SNAT աIMAA]iۤvWSҰաI ^_^
9.5.3 iptables
B~֤Ҳե\
pGAb iptables.rule ĤGJӬݪܡA
Sıoܩ_ǡAڭ̻ݭnJ@ǦΪҲաH|ҨӻA ip_nat_ftp ip_nat_irc H
oO]ܦhqTwϥΪʥ]ǿSAרO FTP ɮǿϥΨ port ӳBzơI
oӳڭ̷|b FTP `AӸԽ͡Abo̧AnDAڭ̪ iptables ѫܦhnΪҲաA
oǼҲեiHUʥ]Loγ~Aڭ̥iH`٫ܦh iptables WhwAnΪoI ^_^
9.5.4 bݤA
DNAT ]w
JMiH SNAT IP ɥ\Aڭ̷MiHϥ iptables X DMZ աI
OAӡAPAʥ]ǿ骺觋iItA]Aijs⤣noөNNI
_hܮeɭPYǪAȵLkQ Internet ѪDC
ӽͤ@͡ApGڷQnBz DNAT \ɡA iptables npUFOH
t~AAnDOA DNAT Ψ쪺O nat table Prerouting IndFC
|
DG
]D IP 192.168.1.210 AӥDOi Internet } WWW ACAӦpzL NAT
AN WWW ʥ]ǨӥDWH
G
] public IP Ҧb eth1 AAWhNOG
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 \
-j DNAT --to-destination 192.168.1.210:80
|
ӡy -j DNAT --to-destination IP[:port] zNOաINq eth1 oӤǤJABQnϥ port 80 AȮɡA
Nӫʥ]sǾɨ 192.168.1.210:80 IP port WIiHPɭק IP P port OIuKC
L٦@Ǹi iptables ϥΤ觋ApUҥܡG
-j REDIRECT --to-ports <port number>
# oӤ]`AWANOi楻W port ഫNOFI
# LASOdNOAoӰʧ@ȯb nat table PREROUTING H
# OUTPUT WӤwI
dҡGNnDP 80 suʥ] 8080 o port
[root@www ~]# iptables -t nat -A PREROUTING -p tcp --dport 80 \
> -j REDIRECT --to-ports 8080
# oN̮ebAϥΤFDW port ӶiY well known wA
# Ҧpϥ 8080 o port ӱҰ WWW AOOHH port 80 ӳsuA
# ҥHAANiHϥΤW觋ӱNADsuǻ 8080 oI
|
ܩhγ~ANݧAۤvooI ^_^
![]tݭnwl](/linux_server/0250simple_firewall//firewall_02.png "]tݭnwl")
![[]bݪAҥܷN](/linux_server/0250simple_firewall//firewall_03.png "[]bݪAҥܷN")