wFHɪ`NM󪺺|}AHκWwq~Az̦n̾ڦۤvҨӭqwAo˹zҡA|O٤@II򤰻OOHFANObިiJڭ̺줺D(Ϊ̥iHO)ƫʥ]@ؾAҦpڭ̦be@`{Ѻw쪺 iptables NO@بFCMFAsqӻAunRPLoiJڭ̺޲z쪺ʥ]ơANiH٬AҥHoӨSiHw骡Pn骡ڡIw骡]NO@Ǽtӳ]pnwA̭tγnwg]wnFʥ]ƪLoA]LXG´NOΨӶiw޲zAҥH٬w骡Cܩn骡OHNOڭ̳oӳ`nӽͽתڡIn骡𥻨NObO@tκw@Mn(κ٬)AҦp iptables P TCP Wrappers iH٬n骡CL׫AϥNOΨӫO@ڭ̺wNNNաIIڭ̳oӳ`Dnb Linux tΥѪn骡𪺥\ANO iptables P TCP Wrappers I
@


---

ݭn
@
]Ʊ``bWݨyrIڨ̾ڬYYT[]F@ Linux DALF@ӬPAH root KXLknJڪDHzA٦@ػkyIڪ Linux DLkdߵnɤFHQ ISP ĵiڪ mail server QC¦WFAQ컡ڦHaHڳSaƧrIHzIܶ˸藍SաIwGMOܳ·СISonѤѷULASonHɧs̷sMI·ЧoIOwoSO@ӺޤH򥻪ѭnDA@Ө㦳}n𱹬IDAiH@ӺޤHL}ߧrI
@
noOAڭ̬O@몺paxAҥHDYϳQ Cracker JIAunbQΧڭ̪ IP FaƤeNNDLܡAٯyLO@@UۤvAOYzO@Ӥj~DAӥBٴѦHΥdաAӤHΤ᪺TյTɡAi໡NAoӮɭԫHpGzS]wܤhAS}nnɮפRߺDA]SYɦ^tΦbzzDAKKI`lFB~A٥]AqHAAiOܥiȪIѰ~RiHo{AXGDQJIAlF~A٦D@ɶBnw魫s]wOεA۷i[@OΧr
@
ҥHաI[]@㦳wDAڭ̨ӻA]O۷nA򻡩OHOHڭ̬O@몺 ADSL pNLҿIuQJIAMzDQQΨӧ@aơAMQαzD@aƪӤHSNLnTAHa䤣LAKKIɭԦYxqi|OzIOH ADSL WeOInϥαzDӰƨ]ݭnhjWeAunsW Internet AunAǥѱzDV~XAKKIApWeH|QΪIydUnpݨtΪwʡz
@


---

𪺥DnO
@
FHnεw@𪺤~A򥻤WAڭ̤]iHϥΨʥ]׾ӶiCDniHjAOONzA (Proxy) H IP Filter CbNzA譱AѦW٧ڭ̴NiHDANzAȬONz Client ݥhV Internet nDơAҥHOA Proxy wgNiNzwܤ֫ܤ֡AåBѩ󤺳P~qäઽqAҥHiHF}nO@ĪGFt@ثhOW쪺 IP fileter աIQΫʥ]Lo觋ӹF쨾𪺥تI
@
• Proxy G

oOݩyμhzNNFAo Proxy ( NzA ) 򥻤WNO@ءyAȡzIL\iHpUϨӪܡG
@
Ϥ@BProxy DܷN @
Client nDɭԡA Proxy Server | Client h~ơAMANƥ^ Client ݡIЪ`NAɯuXh Internet AO Proxy Server AӤO Client I( oӸ NAT AȨäӤ@ˡA|b NATD]wɦAC) ѩ Client ݨäOXhA[W Proxy Server @ȶ} 80 21, 20 port ӤwA]iHwI۹諸A Client ݪ۵MNhFIԲӪ Proxy ڭ̷|bNzA`C
@
• IP fileter G

H IP filter Ӷiʥ]LoIoӮɭԷ| TCP header R_ӡAAMwO_iH TCP ʥ]iJDC]OR TCP/IP ʥ]AҥHϥΨ쪺wOhTA]hT۷A]AFdw}(MAC)Bn}BTCP, UDP, ICMP ʥ] Header TBTCP ʥ]TV洤[AҥH IP Filter iHF\iNjhFIt~A@ڭ̽ͨ쪺 Linux WjhNO iptables o IP Filter FALQΤ@ǫʥ]LoWh]wAөwqXƥiHAƻݭn篑AHFO@DتI
@
boӳ`Aڭ̥ Proxy oӪFAȨӤR@Ṵ¦ӨA@ӬO iptables At@ӫhO TCP_Wrappers I
@


---

𪺤@uGuPקޥ
@
ѫeAzӥiHAѨ@ơANO𰣤FiHyO@(iptables)ҦbDz~A٥iHyO@᭱D PCzCISI𪺥\iOܤjIFiHUڭ̩m~ӪDʳsu~A]iHڭ̱޺yqAåBAb²檺ϰWA Firewall ft Router ( NO NAT D[c ) ]O۷`@سWIoسW󤺳p쪺w]@w{תO@@ΩOIUڭ̵yLͤ@ͥثe`WG
@
• @ Linux Dݥ\G

ڭ̪̭Ȧ@ Linux DAӥDtdڭ̾ LAN ̭ҦӤHq~suAҥHL]Oڭ LAN ̭ Router CӨ@|ӤA@ӹ鷺@ӹ~APɡAz]iHb Linux W[]AoOثewp~ұ`tmACbo˪tmAAҦ PC |gL Firewall ʥ]LoA~Nƫʥ]eXΪ̬OAӦpG Internet WX{DAzun޲z Firewall DANiHܻNӦ Internet }ʥ]ױI޲z@Ny־ LAN ̭ PCAܦEaI ^_^IӥBAb Firewall WiHPɬ[] Proxy AΨӱ Client ݪ WWW suAAIԺɧoI(G]iH[]yqʱnAҦp MRTG ӤRWeI)򥻤WAo˪tmnBG
• w@biH}vjI
• w]wiHw Linux DӺ@YiI
• ~uݪ Linux DAҥH󤺳iHF즳Īw@I
@
ϤGB@ Linux D @
• @ Linux A LAN t]G

@ӻAڭ̪ LAN Ƴ|]wYA]Oڭ̦ۤv LAN IҥHOH줧@oILA̱`ť쪺JIk]Oϥγo˪@ӫH|}I]zOҩҦϥΥ~qϥΪ̳OquA]LkOұzu|yd}aIzIҥHApGzSOnݭnwO@ҡAN LAN ̭A[]@ӨANwŤAN|znoΪO@I
@
ϤTBLAN ̭[]𪺰tm @
• bݪD]wG

٦@ا󦳽쪺]wANONѺAȪAb᭱AonBOHpUϥ|ҥܡAWeb, Mail P FTP OzLs Internet WhAҥHAUo|Db Internet W Public IP O@˪I(o[ڭ̷|b NAT DɭԦAj)uOzL𪺫ʥ]RAN WWW nDʥ]e Web DAN Mail e Mail Server hBzӤw(zL port P໼)CnFA]|Db Internet Wݨ쪺 IP ۦPAOƹWoO|PDAӷ̷QnJIz FTP DnFALϥΦUؤRkhi𪺥DAOyz@A̷QnzDADL\dwzA_hNJIzDOILAoج[cUҶi檺]wNo]t port ໼AsӻA]wW@wסAӤHӫijso򰵡A٬OHᦳg礧AӪoج[caI
@
ϥ|B[]bݪDA
@
WNOثe`Xب𪺰tmkCpiʥ]׳]wOHAӽƲߤ@U@Ӹƫʥ]eApUϩҥܡG
@
ϤB@ƫʥ]ҧt¦T
@ ѩ󨾤iHRWǰeLӪƫʥ]AèoRӸƫʥ]YơAYiHRWϥܤتaPӷa IP, port, O_DʳsuLTIҥHgѤRoǸƫAڭ̤o{תkiHXӰʧ@G
@
• ڵʥ]iJDY port G

oӤAѧaIҦpz port 20-21 o FTP port Azun}񵹤ܡAҥH Internet }A Internet Ӫʥ]QniJz port 20-21 ܡANiHNӸƫʥ]ᱼI]ڭ̥iHRӫʥ]ұa port XrI
@
• ڵYǨӷ IP ʥ]iJG

Ҧpzwgo{Y IP DnOӦۧ欰DAunӦ۸ IP ƫʥ]ANNLIoˤ]iHF¦wI
@
• ڵaYǯSX( flag )ʥ]iJG

̱`ڵNOa SYN DʳsuXФFIun@go{AKKIzNiHNӫʥ]rI
@
• Rw}(MAC)ӴѪAȡG

pGzϰ̭oJOS㦳j\OɡApGzϥ IP өץLϥκvAӥLooϥ@ IP NnFAbP@Ӻ줺IP٬Obd}aHISYAڭ̥iHꦺLdw}ڡI] MAC OZbdWAҥHzunRӨϥΪ̩ҨϥΪ MAC AiHQΨN MAC AIDL@ALdӨos MACA_h IP OSΪաI
@
M٦ܦhޥAo̧ڭ̴NhFIUnnӽͤ@ͫ˫ظm@²檺 firewall DaI~AڹwpϥΨhAOO iptables P TCP_Wrappers A𫟺A̪ʬG
@
ϤBʥ]iJDy{ @
]NOAƫʥ]|gL iptables ~|gL TCP_Wrappers @ΡI

---

𪺨ϥέ
@
HI]w𤧫٤wڡHIMաIֻ]wF𤧫ztδN@wwHIi@wڡIMiHw諸ʥ]iJڭ̪ALAYDZpUALäOҧڭ̪@wNܦwC|XӨҤlӽͤ@͡G
@
• äܦĪׯfrΤ차{G]zwg}F WWW AȡAz WWW DWA@wonN WWW AȪ port } Client ݵnJ~aI_hz WWW D]wFSιaI]NOAuniJzDʥ]OnD WWW ƪANiHqLzCnFAyU@z WWW An驰|}AΪ̥VznD WWW AȪӫʥ]NOfrbztzɡAziO@Ik]SڡI]ӳ]wWhNO|LqLڡIרe@~ Nimda frNO WWW DALOzLJI WWW D 80 port AIҥHAfräܦĴNOFC

@
• Ӧۤ LAN LӨOG@ӻAڭ̹ LAN ̭DS򨾤𪺳]wA]Oڭ̦ۤv LAN ڡAҥHMN]wHFILA LAN ̭`Oi঳ǺpհڡAML̤OGNnd}aAOL̴NOIҥHNåκFCoӮɭԴNV|A] Firewall 󤺳Wh]wq`֡AҥHNeyu~ΩݥΪpCFקKoرpo͡AItκ޲zz
@
ҥHաAbz Linux DaWeA٬OoG
@
• XӤwAȡF
• ɯŴXӥi঳DMF
• []n̰_Xw@----
@
LTШ {Ѻw--D@pe ̭hݤ@ݫW[ۨwaI

שiHͨDDFI^_^IUڭ̴Nnӽͤ@͡AO Linux ʥ]LoI
@


---

Linux ֤ߪP
@
Linux bʥ]LoOCCtiΦثe iptables Ab֤ߤ 2.4 ɥNAϥΪOPI
@
• Version 2.0Gϥ ipfwadm oӨF
• Version 2.2GϥΪO ipchains oӨF
• Version 2.4GDnOϥ iptables oӨAӬFۮe ipchains A]b Version 2.4 APɱN ipchains sĶҲաAnϥΪ̤MiHϥΨӦ 2.2 ipchains WC
@
ѤWAiHD Linux WO̾ڤP֤ߦܪAӦ]ثeڭ̬ݨ쪺s Linux ֤߳O 2.4.xx AҥHϥΪMNOH iptables ǤFC~A٭nSOdNOA֤߬ 2.4 Linux Pɤ䴩 ipchains oӦb֤ 2.2 AMӤOAyiptables P ipchains ̤PɰIzAҥHpGzo{ztΤwgb ipchains FANoN ipchains oӼҲղA~ϥ iptables AϤMI
@
LצpAb֤߬ 2.4.xx tΤWA٬Oijϥ iptables A] iptables \jjӥBbWh]wW²A~A٨㦳L䴩~ҲաAM 2.4 Pɤ䴩 ipchains ALb 2.2 W䴩 ipchains ҲճA 2.4 WsbFAҥHAMܥ\j iptables Cp󪾹Dڪ Linux ֤ߪHIϥ uname oӫONFI
@


---

iptables Pʥ]iJy{
@
unOAq`OHywʥ]RWhӳWdCثʥ]qLP_AHӶi檺ʧ@zAP˪DzAiptables u@VAn̳WhǨӤRʥ]A|²檺ҤlA]ڦQWhnFA Internet ӤF@ӫʥ]QniJڪDA򨾤|Roӫʥ]OHڭ̥HUϥܨӻnFG
@
ϤCBʥ]LoWhʧ@ @
WϤC Rule OWhNAyodzWhOǪzAܩ Action hOʧ@NAq`wʥ]ʧ@ ACCEPT/DROP (/) ذʧ@COyWhǩOzHڭ̬ݤ@UWҤlA TCP ʥ]qLF Rule 1 AnŦX Rule 1 WwA TCP ʥ]N|i Action 1 AӤ|z| Rule 2 H᪺WhFIӦpG TCP ŦX Rule 1 WwAN|iJĤGWh (Rule 2) ˬdA....@ Rule 10 ɭԡA TCP ʥ]SŦXWhiHiA򦹮ɴN|Hyw]ʧ@ ( ʥ]F, Policy )z TCP ʥ]iqLP_ʧ@CҥHաAzWhDZƦC~ɡAN|ͫܤjxZI򻡩OHڭ̦A|ӨҤlnFA]z Linux DѤF WWW AȡA۵MNnw port 80 ӱҥγqLʥ]WhAOzo{ IP ӷ 192.168.100.100 ѬOcNդJIztΡAҥHzQnN IP ڵӡA̫AҦD WWW ʥ]LANoTӳWhӻAznp]w綶ǩOH
@
1. Rule 1 192.168.100.100 F
2. Rule 2 AnD WWW AȪʥ]qLF
3. Rule 3 NҦʥ]C
@
o˪ƦCǴNŦXzݨDALAU@zDZƿFAܦG
@
1. Rule 1 nD WWW AȪʥ]qLF
2. Rule 2 A 192.168.100.100 F
3. Rule 3 NҦʥ]C
@
ɡA 192.168.100.100 yiHϥαz WWW AzI]unLzDeX WWW nDʥ]ANiHϥαz WWW D\FA]zWhǩwqĤ@N|LqLAӤhҼ{ĤGWhIo˥iHzѳWhǪNqFܡHI{bAӷQ@QApG Rule 1 ܦFyNҦʥ]zARule 2 ~]wyWWW Aȫʥ]qLzAаݡAڪ client iHϥΧڪ WWW AȶܡHII׬Oy_zQqFܡHI ^_^
@
ƹWAϤCNO iptables y@i̭@(chains)zAziHQ@UA iptables WhOgby, tablez̭AӨCӪS̾ګʥ]iuAӥijTGyiJBXB໼zCb iptables ̭Ӹg`Ψ쪺ت (build-in table) AOOwD filter Hΰw慨ݪD]w nat ӡAoӪSO㦳TAOOG
@
• filterGDn Linux AoӬOw] table I
• INPUTGDnPʥ]QniJڭ Linux F
• OUTPUTGDnPڭ Linux ҭneXʥ]F
• FORWARDGoөNNP Linux SYALiHʥ]y໼zݪqAP nat o table ʫܰC
@
• natGDn NAT D]w
• PREROUTINGGbiѧP_eҭni檺Wh
• POSTROUTINGGbiѧP_ҭni檺Wh
• OUTPUTGPoeXhʥ]
@
ҥHApϤCWhqwܤִN|էoIo즳ʩOHooݭnʥ]iuӻG
@
• ʥ]QniJG

ʥ]QniJڭ Linux ɡAӫʥ]|gLAOoqL nat PREROUTING AAqL filter INPUT ~iJϥΧڭ̥귽CƹWApGȦҼ{ܡA nat PREROUTING w]FNLqLAȦҼ{ filter INPUT YiF
@
ϤKBiJʥ]һݳqL table P chains @
• ʥ]QniJݪqG

ʥ]QniJݪqɡA]NOAӸƫʥ]OnϥΥ귽AҥHpPUϤEҥܡAʥ]ä|iJIӥBAɫʥ]yqP nat PREROUTING, POSTROUTING H filter FORWARD OYIoInSOSO`NڡI
@
ϤEBiJݪqɡAʥ]һݳqL table P chains
• ѥoeʥ]G

Iiptables uiHިѥ~Ӥʥ]APɤ]iHިѤӥ~TOIʥ]ѥǰeXhɡA|qL nat P filter OUTPUT Aٷ| POSTROUTING ˬdIƹWApGҼ{ڭ̥ݪqAȭnϥ filter OUTPUT YiI
@
ϤQBoeXʥ]һݳqL table P chains
@
@ӻApGzO]b Linux WAåBz Linux èSҥ NAT \AzuݭnҼ{ filter o table INPUT P OUTPUT oNiHFI²ƪܦhIOpGz Linux D٦Ҽ{ NAT \A nat table PREROUTING P POSTROUTING ٦ filter table FORWARD Noݭnnn]w@fFIUڭ̴Nӽͤ@͡An]w iptables WhykaI
@


---

iptables yk
@
ƹWA iptables NO@ӥiHJҲաAb}li iptables ]weAT{@UAѩ ipchains P iptables OPɦsbAҥHˬd@U ipchains O_p߳QJtηFOH
@

[root@test root]# lsmod # Yo{ ipchains rˡAܨtΤp߸JF ipchains FAШϥΡG [root@test root]# rmmod ipchains # o˴N ipchains FIMJ iptables aI [root@test root]# modprobe ip_tables

@
WY ip_tables NO iptables ҲդFIJAڭ̴NiHϥ iptables ykFI] iptables yk۷hAҥHUڱNoǻykWhMBwqFHηsWPJWhTӻG(G𪺳]wO۷nu@At~AL]wL{``|yաzNb̭A]OաAɭԧڭ̷|pߡyNۤvsuʥ]צFIzAɭPLksuAҥHAy]w𪺮ɭԡAɶqbe]wAnQλݳsuAȨӳ]wA_hܮeͦۤvNۤvױjDIz)
@

---

MWhP[Wh
@
iptables b@}lɭԡAӬOSWhALAi]zbw˪ɭԴNܨtΦ۰zإߨAɨtδN|w]WhFInFALצpAڭ̥ӬݬݥثeWhOpaIH
@

[root@test root]# iptables [-t tables] [-L] [-n] ѼƻG -tG᭱ iptables table AҦp nat filter ApGS -t table  @@ܡAw]NO -t filter o table I -LGCXثe table Wh -nGi IP P HOSTNAME ഫAùܰTt׷|֫ܦhI dҡG @ [root@test root]# iptables -L -n Chain INPUT (policy ACCEPT) target     prot opt source               destination @ Chain FORWARD (policy ACCEPT) target     prot opt source               destination @ Chain OUTPUT (policy ACCEPT) target     prot opt source               destination @ # JӬݨWA]S[W -t ѼơAҥHw]NO filter oӪA # boӪTAOO INPUT, OUTPUT P FORWARD AӥB] # SWhAҥHWh̭OŪIPɪ`N@UAbC chain ᭱ ()  # ̭A|o{ policy aINOyw]ʧ@(F)zIHWӬݡA # Mڭ̱ҰʤF iptables AOڭ̨S]wWhAMFSO ACCEPTA # ҥHyʥ]|zNI @ [root@test root]# iptables -t nat -L -n Chain PREROUTING (policy ACCEPT) target     prot opt source               destination Chain POSTROUTING (policy ACCEPT) target     prot opt source               destination Chain OUTPUT (policy ACCEPT) target     prot opt source               destination @ # P filter A nat oӪ̭hO PREROUTING, POSTROUTING # H OUTPUT TڡI

@
ܩnMWhܡANonoˤUFOFI
@

[root@test root]# /sbin/iptables [-t tables] [-FXZ] ѼƻG -F GMҦwqwWhF -X GҦϥΪ̫إߪ chain (ӻO tables ^oF -Z GNҦ chain pƻPyqέpks dҡG [root@test root]# /sbin/iptables -F [root@test root]# /sbin/iptables -X [root@test root]# /sbin/iptables -Z [root@test root]# /sbin/iptables -t nat -F  # Ъ`NApGbݳsuɭԡAyoTӫOn scripts ӳszA # M֩wy|zۤvQDצb~Iz

@
@ӻAڭ̦bswq𪺮ɭԡA|NWhLMCٰOoڭ̫eͨ쪺A𪺡yWhzOSNqAҥHoAMMWhAM@@ӳ]w|e@IաI
@


---

wqF
@
MWhAAUӴNOn]wWhFաIٰOoFOܡHyzʥ]bz]wWhɡAhӫʥ]qLP_AH Policy ]wzAq`oӬFb filter o table INPUT 譱iHwqY@IA FORWARD P OUTPUT hiHqwP@ǡIq`ڳON INPUT policy wq DROP աIױAI
@

[root@test root]# /sbin/iptables [-t tables] [-P] [INPUT,OUTPUT,FORWARD| PREROUTING,OUTPUT,POSTROUTING] [ACCEPT,DROP] ѼƻG -P @@GwqF( Policy )C`NAo P jgڡI INPUT@Gʥ]JDVF OUTPUT Gʥ]XDVF FORWARDGʥ]iJDӦV~AǿXhVF PREROUTING GbiJѤei檺u@F OUTPUT@ @Gʥ]XDVF POSTROUTINGGbiJѤi檺u@C dҡG [root@test root]# /sbin/iptables -P   INPUT DROP [root@test root]# /sbin/iptables -P  OUTPUT ACCEPT [root@test root]# /sbin/iptables -P FORWARD ACCEPT [root@test root]# /sbin/iptables -t nat -P  PREROUTING ACCEPT [root@test root]# /sbin/iptables -t nat -P      OUTPUT ACCEPT [root@test root]# /sbin/iptables -t nat -P POSTROUTING ACCEPT # F INPUT ~ALL]woIbW]wA # ڭ̪DoXʥ]iHXhAOʥ]LkiJA # ]A^ڭ̰eXʥ]^ʥ](ACK)]LkiJI ^_^

@


---

W[PJWh
@
nFAUӷdzƭnөwqWhFIЪ`NAboӤp`̭ڭw Linux i]w ( NOȰw filter table oI )Aܩ NAT ᭱DAڭ̤@d NAT D]wA͡A@db̫᭱igA͡Ao̥ǰ¦NnFIn]w iptables Wh򥻻ykpUG
@

[root@test root]# iptables [-t filter] [-AI INPUT,OUTPUT,FORWARD] \ > [-io interface] [-p tcp,udp,icmp,all] [-s IP/network] [--sport ports]  \ > [-d IP/network] [--dport ports] -j [ACCEPT,DROP] ѼƻG -A @GsW[@WhAӳWhW[b̫᭱AҦp쥻wg|WhA @@ @ϥ -A NiH[WĤWhI -I@ GJ@WhApGS]wWhǡAw]OJܦĤ@WhA @@ @Ҧp쥻|WhAϥ -I hӳWhܦĤ@Aӭ쥻|ܦ 2~5 @INPUT@GWh]w filter table INPUT @OUTPUT GWh]w filter table OUTPUT @FORWARDGWh]w filter table FORWARD @ -i@@@  G]wyʥ]iJzd -o@@@@G]wyʥ]yXzd @interface GdAҦp ppp0, eth0, eth1.... @ -p @GЪ`NAoOpgIʥ]wաI @tcp Gʥ] TCP wʥ]F @upd Gʥ] UDP wʥ]F @icmpGʥ] ICMP wB @all GܬҦʥ]I @ -s     Gӷʥ] IP Ϊ̬O Network ( )F --sportGӷʥ] port XA]iHϥ port1:port2 p 21:23 @@@@ PɳqL 21,22,23 N -d     GؼХD IP Ϊ̬O Network ( )F --dportGؼХD port XF @ -j @@Gʧ@AiHUʧ@F @ACCEPT Gӫʥ] @DROP@ Gʥ] @LOG@@GNӫʥ]TOU (w]O /var/log/messages ɮ) @ dҡG @ dҤ@GҦӦ lo oӤʥ]AH [root@test root]# iptables -A INPUT -i lo -j ACCEPT # `N@UA] -d, --dport, -s, --sport ѼƳS]wAoܡG # ׫ʥ]ӦۦBΥh̡AunOӦ lo oӤANHI # o[nANOyS]wWwAhܸӳWwzNI # ҦpoӮרҷA -s, -d...ѼƨSWwɡI @ dҤGGӦ 192.168.0.1 o IP ʥ]HG [root@test root]# iptables -A INPUT -i eth0 -p tcp -s 192.168.0.1 -j ACCEPT # sW@WhAunOӦ۩ 192.168.0.1 ʥ]AץLnh̡A # ϥΪOӨw (port) D|HN @ dҤTGӦ 192.168.1.0 o C Class 쪺@qANHI [root@test root]# iptables -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 -j ACCEPT # oӬO쪺gkIyL`N@UOAbdҤGڭ̶Ȱw@ IP A # ܩoӽdҷAhOwӺӶ}oIӺ쪺gkiHOG # 192.168.1.0/24 ]iHO 192.168.1.0/255.255.255.0 I @ dҥ|GӦ 192.168.1.25 ʥ]LhI [root@test root]# iptables -A INPUT -i eth0 -p tcp -s 192.168.1.25 -j DROP @ dҤGunOQiJ port 21 ʥ]NL [root@test root]# iptables -A INPUT -i eth0 -p tcp --dport 21 -j DROP @ dҤGӦ 192.168.0.24 o IP ʥ]AQnڪ 137,138,139 fɡA [root@test root]# iptables -A INPUT -i eth0 -p tcp -s 192.168.0.24  \ > --dport 137:139 -j ACCEPT @ dҤCGunOIJڥD port 25 NNӫʥ]O (LOG) U [root@test root]# iptables -A INPUT -p tcp --dport 25 -j LOG # ٬OЯSO`NyWhDZƦCzDI

@
pW򥻻ykҥܡAڭ̪ iptables iHWwʥ]yӦ̡ۭBnh̡BϥΤw(port number)zTOIҥHL\NuOjjڡIӰFWz\ध~Aڭ̤O͹LAn٥iHϥκdw}(MAC)ӶiRܡHӥBA ping O^ʥ] ICMP w]iHi]wI~ATCP ʥ] Header W SYN XЪ\P_A]]wOIUͤ@ͳoǧ`JWhI
@

iptables LѼƻG @ [!] --syn Goӳ]wȯΩ -p tcp WhA] TCP ʥ] syn XЦs @@bڡI TCP ʥ]s syn XСAܳoӳsuOyDʡzsLӪI @@Y --syn e[W ! ܸӫʥ]a syn N(nۤϤNI) @ dҤ@GNӦ 192.168.100.200 Dʳsuʥ]G [root@test root]# iptables -A INPUT -p tcp -i eth0 -s 192.168.1.235  \ > --syn -j DROP @ --icmp-typeGiHި ICMP ʥ]YIٰOoڭ̦b ¦ ̭ @@ͨ쪺 ICMP YaIաIpGzQn ping zA @@NOQγoӶذաI @ dҤGGOD ping ڭ̥DɡAڭ̥DH^ [root@test root]# iptables -A INPUT -p icmp --icmp-type 8 -j DROP # zUFo˪OANܥӧOHzϥ ping ɭԡA # ڭ̪DN|^AҥHDN|ܧڭ̥DyLkszAI @ -m Gܫʥ]AAAUƺءG @-m mac --mac-source aa:bb:cc:dd:ee:ff  @@@oӴNOڭ̤W쪺iHydd, MACz]wkoI @@@ aa:bb:cc:dd:ee:ff NOd MAC I @-m state --state <A> @@@ƺتAAAG @@@INVALIDGLĪʥ]AҦpƯ}lʥ]A @@@ESTABLISHEDGwgsu\suAF @@@NEWGQnsإ߳suʥ]AF @@@RELATEDGoӳ̱`ΡIܳoӫʥ]OPڭ̥DoeXhʥ]A @@@@iO^ʥ]Ϊ̬Osu\᪺ǰeʥ]IoӪAܱ`Q]wA @@@@]]wFLAunӥѥoeXhʥ]AYϧڭ̨S]w @@@@ʥ] INPUT WhAӦʥ]٬OiHiJڭ̥DI @@@@iH²Ƭ۷h]wWhաI @ dҤTG bb:cc:dd:aa:ee:ff dLkϥΧڭ̥D귽 [root@test root]# iptables -A INPUT -p all -m mac --mac-source \ > 01:01:01:01:02:01 -j DROP # oؤ觋iHΨӺިddINȧOHϥ IP dǤFI @ dҥ|GwgإߩΪ̬OPڭ̥D^ʥ]qLAOXkA @@@@HηQnշsإߪʥ]Qצb~I [root@test root]# iptables -A INPUT -p tcp -m state  \ > --state ESTABLISHED,RELATED -j ACCEPT [root@test root]# iptables -A INPUT -p tcp -m state  \ > --state INVALID,NEW -j DROP # ݭn]wIܩʥ]AhiHϥγrj}Ir䤣nŮ @ -j <ʧ@>GF` ACCEPT P DROP ~A٦ǰʧ@H @REDIRECT --to-ports <port number> @@@oӤ]`A򥻤WANOi楻W port ഫNOFI @@@LASOdNOAoӰʧ@ȯb nat table PREROUTING H @@@OUTPUT WӤwI(suy{AаѦϤK) @MASQUERADEGʥ] @@@oӴNO NAT Ḓn@ӾաIiʥ]ˡI @ dҤGNnDP 80 suʥ]໼ 8080 o port  [root@test root]# iptables -t nat -A PREROUTING -p tcp  --dport 80 \ > -j REDIRECT --to-ports 8080 # oN̮ebzϥΤFDW port ӶiY well known wA # Ҧpϥ 8080 o port ӱҰ WWW AOOHH port 80 ӳsuA # ҥHAzNiHϥΤW觋ӱNzDsuǻ 8080 oI @ dҤGiʥ]ˡANӦ 192.168.0.0/24 ʥ]ӷ IP ˦ @@@@ ppp0 Ӥ IP [root@test root]# iptables -t nat -A POSTROUTING -s 192.168.0.0/24 \ > -o ppp0 -j MASQUERADE

@


---

P^_Wh
@
Wڭ̽ͤFܦh]wFAڸӦp[ثeDWWhOHڭ̥iHϥΡyiptables -L -n z[ALAӫOܪT٬OӨIoӮɭԡAڭ̨iHϥΩUӫOӱNثeDWyxszUӡAbUQnNoӳWhy^_zɭԡANQΫONWh^_I
@

[root@test root]# iptables-save > filename # Nثexs filename ɮסIɮ׬ ASCII 榡A # ziHiJd\@UI [root@test root]# iptables-restore < filename # N filename Өɮ (`NIäO shell scripts 榡) Wh # ŪJثe Linux DҤI

@
Q iptables-save P iptables-restore ]iHܻP޲znڭ̪tΧoI

nڳ]w𤧫eA̦nyεNzһݭnWhP}񪺪Aȳ]p@UzMAӳ]pIӤYKWSINOG
@
ڵҦA}Sw]wkΡI
 @
]NON Policy ]w DROP ӱNLAȤ@Ӥ@ӪҰʡAo˷|nաI ^_^I
@


---

ڪWh
@
ڳo̴@Z²檺WAڪwsupW ϤG ҥܪˡAYu@ Linux DAӧڪ]wG
@
• ~ϥ ppp0GѩOAҥHڹ~O ppp0 o@ӬɭF
• ϥ eth0 Go eth0 ϥΦbsWAӥB쬰 192.168.1.0/24 o C ClassF
• D}񪺪AGثeڪDMu} NAT AOٷ|W[@ǪAȡAثeڰ]ڪDwp| Internet WҥΪAȦG
• NAT
• WWW
• SSH
• SMTP
• POP3
• IMAP
• DNS
• FTP, Telnet, DHCP, NFS u鷺}I
@
ڭ̯WhGyҦA}SwzҦAҥHbFW( Policy )h DROP Iӱz]oA iptables ҭqwWh@@RUhAҥHڭ̦b wƨ𪺳Wh WNoSOnFIFwYǰʧ@QdVäFA[Wӧڭ̭nHo²ii@B]wWAҥHo̧ڭ̻ݭnΤ@²檺y{ϨӥܷNISOdNGo̧ڭ`@ΤFTɮסAکmؿb Linux tΩU /usr/local/virus/iptables ̭AɦWOG
@
• iptables.rule G]wWhɮסA]AMWhBJҲաB]w@ǪAȪnJP_I
• iptables.deny G]wcN IP κqɮסA̭Oת IP qykI
• iptables.allowGiHQO@Ǧۤv]wաI]ڭ̤D@ѷ|X~YhIoӮɭԡA@Y檺𻡤w|צۤvAҥHݭn[W@ IP }oI
@
`NGCק粒F@ɮסAnߨͮĪܡAа iptables.rule YiIӾӪy{IUoˡG
@
ϤQ@B²檺Wy{
@ WOڭӤHijppy{AhWAPD}׫ܰA] Output P Forward O}񤣲zIpaxDOiHA]ڭ̤qƶqhAӥBHOxAҥHݭnSO[HޡIOGybj~Ao˪WOܤX檺A]zOҤҦHiHӱzWwӨϥ Network Iz]NOyazrI]As Output P Forward ݭnSO[H޲z~I
@


---

Wh]w
@
ƹWAڭ̦b]w𪺮ɭԡAӥi|@Ӥ@ӫOJAq`OQ shell scripts ڭ̹Fo˪\oIUOQΤWy{ϩҳWXӪ scripts AziHѦҬݬݡAOzݭnNҭק令AXzۤvҤ~I
@

[root@test root]# mkdir -p /usr/local/virus/iptables [root@test root]# cd /usr/local/virus/iptables [root@test iptables]# vi iptables.rule #!/bin/bash # # ======================================================== # {G # wϥ iptables.rule o script ӫإ߱zI # o script ٻݭnzB~]wiAXzDҡI # 򥻳WhwqyڵҦA}SwzҦI # # ϥλG # ХNo scripts vאּiG #       chmod 755 iptables.rule # bNoӵ{mb /usr/local/virus/iptables ؿUG #       mkdir -p /usr/local/virus/iptables #       mv /㪺|/iptables.rule /usr/local/virus/iptables # աG #       /usr/local/virus/iptables/iptables.rule #       iptables -L -n   (oӰʧ@bˬdWh) # NUo@[J /etc/rc.d/rc.local #       /usr/local/virus/iptables/iptables.rule # G #       iptables -F #       iptables -X #       iptables -t nat -F #       iptables -t nat -X # # ======================================================== # vŧiG # o{ GPL vAHҥiϥΡA # MAYϥΥ scripts oͰDɡA # Htd # VBird <vbird@tsai.adsldns.org> # ======================================================== # vG # 2002/08/20    VBird   X # 2003/04/26    VBird   [J寸n骺ɮסI # 2003/08/25    VBird   ק INPUT Policy DROP # ======================================================== # 0.0 Please key in your parameters # o EXTIF ᭱y~isW Internet zA # @ӻApGO ADSL A򩳤UNO ppp0 A # pGOTw IP AӴNO eth0 oI # The interface that connect Internet   EXTIF="ppp0" # Uo INIF 鷺dA # pGz Linux èS鷺sdA򩳤UЧ令 # INIF="" # t~ApGINIF O "" ɭԡAаȥNz # J INNET I] INNET 쪺]wȡI # the inside interface. if you don't have this one # and you must let this be black ex> INIF=""   INIF="eth0"   INNET="192.168.1.0/24"        # This is for NAT's network # 1.0 ձz֤ߪPҲ   kver=`uname -r | cut -c 1-3`   if [ "$kver" != "2.4" ] && [ "$kver" != "2.5" ]; then         echo "Your Linux Kernel Version may not be suported by this script!"         echo "This scripts will not be runing"         exit   fi   ipchains=`lsmod | grep ipchains`   if [ "$ipchains" != "" ]; then         echo "unload ipchains in your system"         rmmod ipchains 2> /dev/null   fi # 2.0 JAҲ   PATH=/sbin:/bin:/usr/sbin:/usr/bin   export PATH EXTIF INIF INNET   modprobe ip_tables            > /dev/null 2>&1   modprobe iptable_nat          > /dev/null 2>&1   modprobe ip_nat_ftp           > /dev/null 2>&1   modprobe ip_nat_irc           > /dev/null 2>&1   modprobe ip_conntrack         > /dev/null 2>&1   modprobe ip_conntrack_ftp     > /dev/null 2>&1   modprobe ip_conntrack_irc     > /dev/null 2>&1 # 3.0 MҦWh   /sbin/iptables -F   /sbin/iptables -X   /sbin/iptables -Z   /sbin/iptables -F -t nat   /sbin/iptables -X -t nat   /sbin/iptables -Z -t nat   /sbin/iptables -P INPUT   DROP   /sbin/iptables -P OUTPUT  ACCEPT   /sbin/iptables -P FORWARD ACCEPT   /sbin/iptables -t nat -P PREROUTING  ACCEPT   /sbin/iptables -t nat -P POSTROUTING ACCEPT   /sbin/iptables -t nat -P OUTPUT      ACCEPT # 4.0 \HAo]t lo oӤj馉A #     HέwI #     MAIOiHҰʱz Linux NAT DաI   /sbin/iptables -A INPUT -i lo   -j ACCEPT   if [ "$INIF" != "" ]; then         /sbin/iptables -A INPUT -i $INIF -j ACCEPT         echo "1" > /proc/sys/net/ipv4/ip_forward         /sbin/iptables -t nat -A POSTROUTING -s $INNET -o $EXTIF -j MASQUERADE   fi # 5.0 }lJHPڵ]wɮסA #     UɮץiHۦإ߳I   if [ -f /usr/local/virus/iptables/iptables.deny ]; then         sh /usr/local/virus/iptables/iptables.deny   fi   if [ -f /usr/local/virus/iptables/iptables.allow ]; then         sh /usr/local/virus/iptables/iptables.allow   fi # 6.0 Uoɮ׭YsbAhIЪ`NA #     oɮ׻P寸n驰I   if [ -f /usr/local/virus/httpd-err/iptables.http ]; then         sh /usr/local/virus/httpd-err/iptables.http   fi # 7.0 \ ICMP ʥ]P\wإߪsuqLI   /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT   AICMP="0 3 3/4 4 11 12 14 16 18"   for tyicmp in $AICMP   do         /sbin/iptables -A INPUT -i $EXTIF -p icmp --icmp-type $tyicmp -j ACCEPT   done # 8.0 Allow servicesSOdNUAȡANzDS}񪺪AaI   /sbin/iptables -A INPUT -p TCP -i $EXTIF --dport  22 -j ACCEPT        # SSH   /sbin/iptables -A INPUT -p TCP -i $EXTIF --dport  25 -j ACCEPT        # SMTP   /sbin/iptables -A INPUT -p UDP -i $EXTIF --dport  53 -j ACCEPT        # DNS   /sbin/iptables -A INPUT -p TCP -i $EXTIF --dport  53 -j ACCEPT        # DNS   /sbin/iptables -A INPUT -p TCP -i $EXTIF --dport  80 -j ACCEPT        # WWW   /sbin/iptables -A INPUT -p TCP -i $EXTIF --dport 110 -j ACCEPT        # POP3   /sbin/iptables -A INPUT -p TCP -i $EXTIF --dport 113 -j ACCEPT        # auth

@
SOdNڤWеrA]CӤHҳۦPA]zn]wݩzۤvҰѼƤ~IMAXFDnǧڰڡI....AӬݤ@U iptables.allow eOpHpڭn@ 140.116.44.0/24 oӺiJڪDܡAoɮתeiHgoˡG
@

[root@test iptables]# vi iptables.allow #!/bin/bash # # This program is used to allow some IP or hosts to access your Server # # HISTORY # 2002/08/20 first release by VBird /sbin/iptables -A INPUT  -i $EXTIF -s 140.116.44.0/24 -j ACCEPT [root@test iptables]# vi iptables.deny #!/bin/bash # # This script will deny some IPs that I don't want it IN # # HISTORY # 2002/08/20    revise        by VBird /sbin/iptables -A INPUT   -i $EXTIF -s 140.115.236.8   -j DROP /sbin/iptables -A INPUT   -i $EXTIF -s 140.120.13.237  -j DROP

@
ЯSO`NAYzs port Ϊ̬OS}ҬY port ɭԡAЦbz iptables.rule ̭ 8 BJAsW[L port AȡAo˴NiHաILA٬OpPeڭ̩һAo firewall ȯണѰ򥻪w@ALDAٻݭnAմթOI~ApGzƱ@}N۰ʰo script ܡAбNoɮתɦWgJ /etc/rc.d/rc.local AIUoˡG
 

[root@test /root]# vi /etc/rc.d/rc.local #!/bin/sh # # This script will be executed *after* all the other init scripts. # You can put your own initialization stuff in here if you don't # want to do the full Sys V style init stuff. touch /var/lock/subsys/local #1. adsl connectting.           2002/04/06      VBird         /usr/sbin/adsl-start #2. Starting the NAT Server     2002/04/06      VBird         /usr/local/nat/nat.sh #3. Starting firewall settings  2002/08/20      VBird         /usr/local/virus/iptables/iptables.rule

WTɮץiHbUWoUG
http://vbird.org.cn/download/index.php#firewall_iptables

be@{ѺwAڭ̽ͨƫʥ]iJDe|qL{ǡAĤ@DNOڭ̤W쪺 iptables AĤGDjNO TCP Wrappers oITCP Wrappers I TCP ]q{ǡAo TCP Wrappers ]iHNLQOt~@ӨNOFIƹWAo TCP Wrappers O tcpd o{ұALiHUDӤRyYӪAȪʥ]zOI~Aثe xinetd ]t\AҥHM xinetd Sϥ tcpd o{AOMiH㦳ۦPR\I
@


---

O TCP Wrappers PL׾
@
軡ATCP Wrappers ׾OH tcpd o{DAӳo{DnѼɦb /etc/hosts.allow H /etc/hosts.deny ɮ׷AyYӳn䴩 tcpd (TCP Wrappers) \Ahʥ]զVӪAȭnDƮɡAӺʥ]N TCP Wrappers A窥ѼƳ]whO /etc/hosts.allow H /etc/hosts.denyɮzCҥHoApGznϥ TCP Wrappers Ӻ޲zYӵ{ɡAݭnSOdNӵ{O_䴩 TCP Wrappers InFAo̦ɮ׻ݭnӳ]wA򨺭ɮץQϥΩOH
@
• bw]AUA/etc/hosts.allow oɮת]we|QŪF
• M~|Ū /etc/hosts.deny eC
@
oɮצp]wOH²檺ykpU
@

ªϥ tcpd {yk <AȦW> :  <IP/network> : <action> # SO`NA network iHϥ 192.168.0.0/255.255.255.0 A # iϥ 192.168.0.0/24 I @ dҤ@G [root@test root]# vi /etc/hosts.allow in.telnetd: 127.0.0.1 : allow in.telnetd: 192.168.1.0/255.255.255.0 : allow in.telnetd: .ncku.edu.tw : allow in.ftpd:    127.0.0.1 : allow # \ 127.0.0.1 o IP ϥΥ telnet ftp oӪAȡI # ЯSO`NAӡyAȦW١zNOy{ɦWzI @ [root@test root]# vi /etc/hosts.deny in.telnetd: 192.168.2.3 : deny # NӦ 192.168.2.3 ϥΥ telnet vI @ # SO`NAoӻykb xinetd ̭ɡA<action> wgQFI # ҥHAثeziHϥγo˪榡G [root@test root]# vi /etc/hosts.allow in.telnetd: 127.0.0.1  in.telnetd: 192.168.1.0/255.255.255.0  in.telnetd: .ncku.edu.tw  # ƹWAo]O TCP Wrappers 䴩榡AҥHijzϥΦ榡YiA # Yݭn[W allow Ϊ̬O deny ʧ@A]b hosts.allow ̭ # WhNO allow Ӧb hosts.deny ̭WhNO deny NI

@
bWykA̭nLXyAȦWzI|ӨҤlӻAӧڭ̷| ssh oӻݳsuAAӳoӦAҰʪ binary iɬ sshd oɦW{AҥHznYǨӷ IP ΥDWٳqL TCP Wrappers ɡANnG
@
sshd: 192.168.0.100
@
åBPɻݭn`N SSH O_䴩 TCP Wrappers InnI~Az]iHϥ ALL ӥNyҦAȡzΪ̬OyҦӷzAҦpb /etc/hosts.deny ̭[JG
@
ALL: ALL
@
NyצتAȡBרӦۭ̪ʥ]ALױIzC
@


---

TCP Wrapperes Wh
@
WyLF@U TCP Wrappers ϥΤkA𫟺̻ݭn`NOGʥ]OH /etc/hosts.allow DAMAH /etc/hosts.deny Ӻ޲zIҥHq`ڭ̳]wkNOG
@
• b /etc/hosts.allow ̭wYǪAȻPʥ]ӷ}ҥL̨ϥΪvF
• b /etc/hosts.deny ̭NӪAȪLӷױI
@
`NIpGzb /etc/hosts.deny ̭S]wתܡA TCP Wrappers w]ʧ@OyiHqLAöiJDzI|ҨӻAP˪H SSH, Telnet P FTP ҡApGzuQnyHDznJܡA]iHbYiWInFIo̧ڭ̥Hpq 192.168.1.0/24 iH Telnet FTP hosts 192.168.1.2, 192.168.1.10, 192.168.1.20 oTqAΨӦ Internet WiH SSH D xxx.yyy.zzz.qqq oӥDA 192.168.1.0/24 qIhzɮץiHgoˡG
@

[root@test root]# vi /etc/hosts.allow # g telnet, ftp sshd }񪺸 in.telnetd: 192.168.1.2, 192.168.1.10, 192.168.1.20  in.ftpd:    192.168.1.2, 192.168.1.10, 102.168.1.20 sshd:       192.168.1.0/255.255.255.0, xxx.yyy.zzz.qqq  # C IP Ϊ̥DAiHQγrΪŮӹj}I @ [root@test root]# vi /etc/hosts.deny # NWTӪAȳաI in.telnetd: ALL  in.ftpd:    ALL  sshd:       ALL @ # SO`NAܦhBͳwb /etc/hosts.deny ̭[Jo@G ALL: ALL # өשҦAȻPҦӷILAڭӤHOӫijo˰I # ]ܦhɭԡAz[]nAoo{ѬOLk Client su\A # ܦhgiDڭ̡A̤jDNOX{b ALL : ALL o@I

@
𫟺A٦󰪬 /etc/hosts.deny gkAoOӦۤHhϥ nmap port nӱ˱zDɡAL IP |QOUI(`NAUgkNݭn TCP Wrappers UFIo]AF safe_finger oӫOIªϥ xinetd OLkF쩳U\઺IҥHAЦw tcp_wrappers oӮM)
@

[root@test root]# vi /etc/hosts.deny in.telnetd : ALL : spawn (/bin/echo Security notice from host `/bin/hostname`; \ /bin/echo; /usr/sbin/safe_finger @%h ) | \ /bin/mail -s "%d -%h security" root@localhost & \ : twist ( /bin/echo -e "\n\nWARNING connectin not allowed. Your attempt has been logged. \n\n\nĵiz|\nJAzsuN|QAåB@H᪺Ѧ\n\n ". ) in.ftpd : ALL : spawn (/bin/echo Security notice from host `/bin/hostname`; \ /bin/echo; /usr/sbin/safe_finger @%h ) | \ /bin/mail -s "%d -%h security" root@localhost & \ : twist ( /bin/echo -e "\n\nWARNING connectin not allowed. Your attempt has been logged. \n\n\nĵiz|\nJAzsuN|QAåB@H᪺Ѧ\n\n ". ) sshd : ALL : spawn (/bin/echo Security notice from host `/bin/hostname`; \ /bin/echo; /usr/sbin/safe_finger @%h ) | \ /bin/mail -s "%d -%h security" root@localhost & \ : twist ( /bin/echo -e "\n\nWARNING connectin not allowed. Your attempt has been logged. \n\n\nĵiz|\nJAzsuN|QAåB@H᪺Ѧ\n\n ". )

@
p@ӡAӦ۫DzҳWwXk IP չϥH telnet, ftp ssh suzDɡAtδN|N IP H@Ƶ root ӯdɡILAoӶ˸aAU@ IP ̫ᦨ\nJzDAi|N root Hc屼AɭPoӧ@δNSĪGFIҥHAoӮɭԡAбzNW root@localhost 令t@ӫDDHcӦHIo˷|wWOٰաI ^_^oөNN@]wߨNͮĤFIҥHΥhzL]SYIOnHɪ`N@Uz]wO_TIWykunzקyAȦW١zӴNAΩLAȧaIOAЪ`NI Internet }񪺪AȤn]woӼˤlڡIMHaiOLksuiӪIW]wkAjhOAΦbyYǶȰw鷺}񪺪AzI
@
W hosts.deny dұziHbUUG
http://vbird.org.cn/download/index.php#firewall_iptables

Moˤ@ӴNyLظmnFzFIOֳD쩳o˪ĪGpHҥHAzݭnOhɶӶiթOIժBJiHOG

1. ѥDV~DʳsuլݬݡF
2. AѨp줺 PC V~DʳsuլݬݡF
3. ̫A Internet WDADʳsuz Linux DլݬݡF

@B@B@UӡAݬݰDXb̡AMhhhiB}II򥻤WAWثeܦhƥiHѱzѦҤFIo@g]wgO²Aj٦bжqӤwIƱjaUIڦbѦҸƷCXXӦΪAƱjaůunhhhݬݡI|ܦUI

ڭ̨ӦҼ{@Ӥ쪺DANOpPϥ|pAƹWADO[]bݪIbo˪pUAڭ̭nNӦ Internet ʥ]Ag firewall ໼ݪDWOHIڭ̥iHѦҤ@Uʥ]y{ApPWϤEA]Ӧ Internet ʥ]nᵹݪDAҥHbyѤeNݭn]wnഫzAFI]b nat table PREROUTING WӶiҿתy Destination NAT, DNAT zʧ@~աIzݭnb iptables WAb nat table WsW@Wh~IykpUG
@

iptables LѼƻG @ -j <ʧ@>GF` ACCEPT P DROP ~A٦ǰʧ@H @DNAT --to IP[:port] @@@`ΦbݪDʥ]໼WI @ dҡGNӦ Internet port 80 suʥ]໼ 192.168.10.10 oӥDW [root@test root]# iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 80 \ > -j DNAT --to 192.168.10.10:80

@
WdҬO²檺@ӨҤlAb²ҤUOiH\zi WWW Ϊ̬O Mail AȪILApGΦb FTP WiNܳ·ФF] FTP FW 21 oөROqDf~A٦ƶǰeDʩʻPQʩʡI]wWܬOxZ㦳쪺ܡAiHѦҩUCXX iptables Io̤AFI

• frרäӷPF
• Ӧۤ~ΩݥΪשʥiF
• äO[]𤧫AtδN@wܦwI٬OݭnsM|}I
• ̾ګʥ]תhAiH Proxy H IP Filter F
• ֤߬ 2.4 Linux ϥΪ iptables F
• 𪺭qwPyWhǡzܤjYF
• iptables table AܤִN filter P nat ̡Ao̤SUTF
• iptables OCAiHUFѼƬ۷hAUF -j LOG ѼƮɡAhӫʥ]y{|Q /var/log/messages F
• iHh]wAҦpMwg]wF iptables AOMiH]w TCP Wrappers A]֤]oɭ iptables ||}Ϊ̬OWhW}I

G
• http://www.study-area.org/linux/servers/linux_nat.htm
• http://linux.tnc.edu.tw/techdoc/firewall/
• http://www.linuxyes.com/tw/tutorial/iptables.html
• http://www.linux.org.tw/CLDP/Packet-Filtering-HOWTO.html
• http://www.linux.org.tw/CLDP/Firewall-HOWTO.html

@
^G
• http://www.linux-firewall-tools.com/linux/
• http://www.netfilter.org/
• http://www.linuxguruz.org/iptables/
• http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO.html
• http://www.interhack.net/pubs/fwfaq/

• ڬ[]FAڪD٬OiतrH
• л[]FAڪD٬OiQJIHJI̾ڥiOkH
• ڭ̪D֤߬ 2.4 Linux ϥΪ iptables AаݡAp󪾹Dڪ Linux ֤ߪH
• ЦCX iptables w] table AHΦU table ̭ chains PU chains ҥNNqF
• O iptables w]F (Policy)H
• ]ѧڪ Linux ȬO@ Client ΡAèS Internet iAȡAzWӦp]wnHI
• ڭnNӦ 192.168.1.50 o IP ӷʥ]AunOVڪ 21~23 fnDʥ]ANNLסAӦpUF iptables OH
• ڭnNڦۤvD ping ^\AӦpUF iptables OH
• лoӫOO~Hyiptables -A INPUT -p udp --syn -s 192.168.0.20 -j DROPzH
• DNS nDOAڸӦp]wڪDiHnD DNS ^OH
• p iptables bڪtΤWH
• pxsثeAHΦpNWxsUӪ^_ثetΤH

eѦҥθѵ