iptables intro vi

Upload: nxc51

Post on 07-Apr-2018

8/6/2019 Iptables Intro Vi

Introduction to Iptables

This document is translated from http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables

This document still has many shortcomings. We hope readers will support it and contribute their comments so that it can be improved. Please send all comments to [email protected].

Ho Chi Minh City, 12/2006

Translation team: Trn Nht Huy, Hong Hi Nguyn, Ng Tr Hng Nam

I. INTRODUCTION TO IPTABLES

Network security is a top concern when setting up a website, as well as many other network services. One way to protect them is to use a firewall. This article shows how to turn a Linux server into:

+ A firewall that at the same time acts as a mail server, web server and DNS server.
+ A router that uses NAT and port forwarding both to protect your network and to let a public web server share the firewall's IP address.

One of the most widely used firewalls running on Linux is iptables. Let's look at some of the features of iptables:

+ Tight integration with the Linux kernel, which improves the reliability and speed of iptables.
+ Close inspection of every packet. This lets the firewall track every connection passing through it and, of course, examine the content of each data stream to anticipate the next action of the protocols. This is very important for supporting the FTP and DNS protocols.
+ Filtering based on MAC address and on the flags in the TCP header. This helps block attacks that use malformed packets, and blocks access from inside another network regardless of its IP.
+ System logging that lets you adjust the level of detail of the reports.
+ Support for integration with web proxy programs such as Squid.
+ Prevention of denial-of-service attacks.

II. USING IPTABLES

1. Starting iptables:

Commands to start, stop and restart iptables:

[root@bigboy tmp]# service iptables start
[root@bigboy tmp]# service iptables stop
[root@bigboy tmp]# service iptables restart

To start iptables automatically at every boot:

[root@bigboy tmp]# chkconfig iptables on

To view the status of iptables:

[root@bigboy tmp]# service iptables status

2. Packet processing in iptables:

All packets are inspected by iptables using pre-built sequential tables (queues). There are three kinds of table:

_ Mangle: responsible for altering the quality-of-service bits in the TCP header, such as TOS (type of service), TTL (time to live) and MARK.
_ Filter: responsible for packet filtering. It has three built-in rule chains that let you set up packet-filtering rules:
  Forward chain: filters packets going to other servers.
  Input chain: filters packets coming into the server.
  Output chain: filters packets going out of the server.
_ NAT: has two chains:
  Pre-routing chain: changes the destination address of the packet when necessary.
  Post-routing chain: changes the source address of the packet when necessary.

Table 1: Queue types, their chains and their functions.

Queue type: Filter (packet filtering)
  FORWARD: filters packets going to other servers connected to the firewall's other NICs.
  INPUT: filters packets going to the firewall.
  OUTPUT: filters packets going out of the firewall.

Queue type: NAT (Network Address Translation)
  PREROUTING: address translation takes place before routing. Changing the destination address makes the packet fit the firewall's routing table. Uses destination NAT, or DNAT.
  POSTROUTING: address translation takes place after routing. Uses source NAT, or SNAT.
  OUTPUT: NAT for packets originating from the firewall itself. Rarely used in SOHO (small office - home office) environments.

Queue type: Mangle (TCP header modification)
  PREROUTING, POSTROUTING, OUTPUT, INPUT, FORWARD: adjust the quality-of-service bits before routing. Rarely used in SOHO (small office - home office) environments.

For an overview of packet filtering and processing in iptables, see the following figure:

Let's also look at an example of the path a packet takes.

First, the packet arrives from network A; next it is examined by the mangle table's PREROUTING chain (if needed). Then the packet is examined by the nat table's PREROUTING chain to see whether it needs DNAT. DNAT changes the packet's destination address. The packet is then routed.

If the packet is going into a protected network, it is filtered by the FORWARD chain of the filter table and, if needed, the packet is SNATed in the POSTROUTING chain to change its source IP before it enters network B.

If the packet is destined for the firewall itself, it is examined by the INPUT chain of the mangle table and, if it passes the checks of the INPUT chain in the filter table, it is delivered to the server programs inside the firewall.

When the firewall needs to send a packet out, the packet is routed and passes through the checks of the OUTPUT chain of the mangle table (if needed); then the OUTPUT chain of the nat table checks whether DNAT (which changes the destination address) is needed, and the OUTPUT chain of the filter table examines the packet to catch packets that are not allowed to be sent. Finally, before the packet goes out to the Internet, SNAT and QoS are checked in the POSTROUTING chain.

3. Targets

Targets are the actions that take place when a packet has been examined and matches a given condition. Once a target is identified, the packet jumps to it for the next stage of processing. The table below lists the targets iptables uses.

Table 2: The most commonly used iptables targets.

ACCEPT
  Meaning: iptables stops processing the packet and passes it on to the end application or the operating system for handling.
  Options: none.

DROP
  Meaning: iptables stops processing the packet; the packet is blocked and discarded.
  Options: none.

LOG
  Meaning: the packet's information is sent to syslog for inspection. iptables continues processing the packet with the next rule.
  Options: --log-prefix "string": iptables prepends a user-defined string to the log message, usually stating why the packet was dropped.

REJECT
  Meaning: like DROP, but it sends back to the sender an error message saying that the packet was blocked and discarded.
  Options: --reject-with qualifier: the qualifier parameter specifies the kind of message returned to the sender. The qualifiers are:
    icmp-port-unreachable (default)
    icmp-net-unreachable
    icmp-host-unreachable
    icmp-proto-unreachable
    icmp-net-prohibited
    icmp-host-prohibited
    tcp-reset
    echo-reply

DNAT
  Meaning: used to perform destination network address translation; the packet's destination address is rewritten.
  Options: --to-destination ipaddress: iptables writes ipaddress into the packet's destination address.

SNAT
  Meaning: used to perform source network address translation, rewriting the packet's source address.
  Options: --to-source ipaddr[-ipaddr][:port-port]: describes the IP address and port that iptables will write.

MASQUERADE
  Meaning: used to perform source network address translation. By default the source IP address becomes the same as the firewall's own source IP address.
  Options: [--to-ports port[-port]]: specifies the range of source ports to which the original source port may be mapped.

4. Important iptables command switches:

The following switches let iptables carry out actions that match the packet-processing plan the user has laid out.

Table 3: Important iptables switches.

-t: If you don't specify a table, the filter table is used. The three tables are filter, nat and mangle.
-j: Jump to a target when the packet matches the current rule.
-A: Append a rule to the end of a chain.
-F: Flush all rules in the selected table.
-p: Match the protocol; usually icmp, tcp, udp or all.
-s: Match the source IP address.
-d: Match the destination IP address.
-i: Match the INPUT interface through which the packet enters the firewall.
-o: Match the OUTPUT interface through which the packet leaves the firewall.

To understand these switches better, let's look at an example:

iptables -A INPUT -s 0/0 -i eth0 -d 192.168.1.1 -p TCP \
    -j ACCEPT

iptables is configured to let the firewall accept packets whose protocol is TCP, arriving on network interface eth0, with any source IP address, and destined for 192.168.1.1, the firewall's IP address. 0/0 means any IP address.

Table 4: Common TCP and UDP conditions.

-p tcp --sport: TCP source port condition. Can be a single value or a range of the form start-port-number:end-port-number.
-p tcp --dport: TCP destination port condition. Can be a single value or a range of the form starting-port:ending-port.
-p tcp --syn: Used to identify a new TCP connection request. ! --syn means "not a new connection request".
-p udp --sport: UDP source port condition. Can be a single value or a range of the form start-port-number:end-port-number.
-p udp --dport: UDP destination port condition. Can be a single value or a range of the form starting-port:ending-port.

Let's look at another example:

iptables -A FORWARD -s 0/0 -i eth0 -d 192.168.1.58 -o eth1 -p TCP \
    --sport 1024:65535 --dport 80 -j ACCEPT

iptables is configured to let the firewall accept packets whose protocol is TCP, arriving on interface eth0 from any source IP address and going to 192.168.1.58 through interface eth1. The source port is in the range 1024 to 65535 and the destination port is 80 (www/http).

Table 5: ICMP conditions.

--icmp-type: The most commonly used types are echo-reply and echo-request.

Let's look at an ICMP example:

iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

iptables is configured to let the firewall accept ICMP echo-requests (pings) and send back ICMP echo-replies.

Let's look at another example:

iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -i eth0 -j ACCEPT

iptables lets you limit the maximum number of matching packets per second. You can set the time unit in the form /second, /minute, /hour or /day, or use the shorthand 3/s instead of 3/second. In this example ICMP echo requests are limited to no more than one request per second. This feature of iptables helps filter out high-volume traffic, which is characteristic of denial-of-service (DoS) attacks and Internet worms.

iptables -A INPUT -p tcp --syn -m limit --limit 5/s -i eth0 -j ACCEPT

You can extend the rate-limiting capability of iptables to reduce your exposure to denial-of-service attacks. This is a way of defending against SYN flood attacks: it limits the acceptance of TCP segments with the SYN bit set to no more than 5 segments per second.

Table 6: Common extended conditions.

-m multiport --sport: Multiple TCP/UDP source ports separated by commas (,). This is a list of ports, not a range.
-m multiport --dport: Multiple TCP/UDP destination ports separated by commas (,). This is a list of ports, not a range.
-m multiport --ports: Multiple TCP/UDP ports separated by commas (,). This is a list of ports, not a range, and makes no distinction between source and destination port.
-m state --state: The most commonly used states are:
  ESTABLISHED: the packet is part of a connection that has been established in both directions.
  NEW: the packet is the start of a new connection.
  RELATED: the packet starts a secondary connection. This is typically a feature of protocols such as FTP, or of ICMP errors.
  INVALID: the packet cannot be identified. This can be due to a lack of system resources or to an ICMP error that does not match an existing data stream.

Here is a further extension of the earlier example:

iptables -A FORWARD -s 0/0 -i eth0 -d 192.168.1.58 -o eth1 -p TCP \
    --sport 1024:65535 -m multiport --dport 80,443 -j ACCEPT
iptables -A FORWARD -d 0/0 -o eth0 -s 192.168.1.58 -i eth1 -p TCP \
    -m state --state ESTABLISHED -j ACCEPT

iptables is configured to let the firewall accept packets whose protocol is TCP, arriving on interface eth0 from any source IP address and going to 192.168.1.58 through interface eth1. The source port is in the range 1024 to 65535 and the destination port is 80 (www/http) or 443 (https). For the packets returned from 192.168.1.58, instead of opening the source and destination ports, you simply allow the established connection by using -m state with --state ESTABLISHED.

5. Using user-defined chains:

User-defined chains live in the iptables tables. They help make packet processing more efficient.

Example: instead of using a single built-in chain for all protocols, you can use that chain only to decide the protocol type of a packet and then hand processing over to a user-defined, protocol-specific chain in the filter table.

In other words, you can replace one long chain with a stubby main chain plus many stubby chains, reducing the total length of the chains every packet has to traverse.

The six rules below improve processing speed (the user-defined chains must be created with iptables -N before rules can be appended to them):

iptables -N fast-input-queue
iptables -N fast-output-queue
iptables -N icmp-queue-in
iptables -N icmp-queue-out

iptables -A INPUT -i eth0 -d 206.229.110.2 -j fast-input-queue
iptables -A OUTPUT -o eth0 -s 206.229.110.2 -j fast-output-queue
iptables -A fast-input-queue -p icmp -j icmp-queue-in
iptables -A fast-output-queue -p icmp -j icmp-queue-out
iptables -A icmp-queue-out -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
iptables -A icmp-queue-in -p icmp --icmp-type echo-reply -j ACCEPT

LIST OF CHAINS (QUEUES)

Chain: Description
INPUT: The built-in INPUT chain in iptables.
OUTPUT: The built-in OUTPUT chain in iptables.
fast-input-queue: Input chain split off to support specific protocols and hand packets to the protocol-specific chains.
fast-output-queue: Output chain split off to support specific protocols and hand packets to the protocol-specific chains.
icmp-queue-out: Output chain split off for the ICMP protocol.
icmp-queue-in: Input chain split off for the ICMP protocol.

6. Saving iptables scripts:

iptables scripts are saved in the file /etc/sysconfig/iptables. The sample iptables file below allows the ICMP protocol, IPsec (ESP and AH packets), established connections and inbound SSH.

[root@bigboy tmp]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.2.9 on Mon Nov 8 11:00:07 2004
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [144:12748]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 255 -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Mon Nov 8 11:00:07 2004
[root@bigboy tmp]#

7. Setting up rules for Fedora's iptables:

Fedora includes a program called lokkit, which can set up a simple firewall rule set that helps strengthen security. lokkit saves the firewall rules in the file /etc/sysconfig/iptables.

8. Recovering a lost script:

The iptables script is stored in the file /etc/sysconfig/iptables. You can edit this script and reload it to create new rules.

Example: export the stored iptables commands to a text file named firewall-config:

[root@bigboy tmp]# iptables-save > firewall-config
[root@bigboy tmp]# cat firewall-config
# Generated by iptables-save v1.2.9 on Mon Nov 8 11:00:07 2004
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [144:12748]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 255 -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Mon Nov 8 11:00:07 2004
[root@bigboy tmp]#

After editing the firewall-config file, you can load it back into the firewall rules with:

[root@bigboy tmp]# iptables-restore < firewall-config

You can then save the rules with:

[root@bigboy tmp]# service iptables save
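A saved file in this format is also the easiest thing to audit, because it shows the whole table at once. The shell helper below is an added example, not part of this document: it reads iptables-save text, follows -j jumps into user-defined chains, and reports which TCP ports accept new connections and what happens to a packet no rule matched. It runs on the RH-Firewall-1-INPUT sample shown above, embedded as constructed input; it assumes only awk and the filter table.

```shell
#!/bin/sh
# Audit helper for iptables-save output (added example, not from the original document).
# Jumps into user-defined chains are followed, so a host whose INPUT chain holds only
# "-j RH-Firewall-1-INPUT" is still reported correctly.

# Constructed sample: the RH-Firewall-1-INPUT ruleset from this document.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [144:12748]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 255 -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# One awk program: loads the filter table into arrays, then answers the question
# selected with -v mode=ports|default for the chain given with -v chain=NAME.
AUDIT_AWK='
/^\*/ { table = substr($0, 2) }
/^:/ && table == "filter" {
    name = substr($1, 2)
    policy[name] = $2
    if ($2 == "-") user[name] = 1        # "-" marks a user-defined chain
}
/^-A / && table == "filter" { n++; rule[n] = $0; ch[n] = $2 }

# TCP destination ports that ACCEPT new connections in chain c, following jumps.
function ports(c,    i, j, nf, f, tgt, port, tcp, state, isnew) {
    for (i = 1; i <= n; i++) {
        if (ch[i] != c) continue
        nf = split(rule[i], f, " ")
        tgt = ""; port = ""; tcp = 0; state = 0; isnew = 0
        for (j = 3; j <= nf; j++) {
            if (f[j] == "-j") tgt = f[j + 1]
            if (f[j] == "--dport") port = f[j + 1]
            if (f[j] == "-p" && f[j + 1] == "tcp") tcp = 1
            if (f[j] == "--state") { state = 1; if (f[j + 1] ~ /NEW/) isnew = 1 }
        }
        if (!state) isnew = 1            # no state match means every state, NEW included
        if (tgt in user) ports(tgt)
        else if (tgt == "ACCEPT" && tcp && isnew && port != "") print port
    }
}

# Fate of a packet that matched nothing: the first unconditional terminating target
# reached (through user chains), otherwise the chain policy.
function dflt(c,    i, f, r) {
    for (i = 1; i <= n; i++) {
        if (ch[i] != c) continue
        split(rule[i], f, " ")
        if (f[3] != "-j") continue        # rule has match conditions
        if (f[4] == "LOG") continue       # LOG is non-terminating
        if (f[4] in user) { r = dflt(f[4]); if (r != "") return r; continue }
        if (f[4] == "RETURN") return ""   # back to the calling chain
        return f[4]
    }
    return (c in user) ? "" : policy[c]
}

END { if (mode == "ports") ports(chain); else print dflt(chain) }
'

# new_tcp_ports RULES CHAIN -> one port (or range) per line
new_tcp_ports() {
    printf '%s\n' "$1" | awk -v mode=ports -v chain="$2" "$AUDIT_AWK"
}

# effective_default RULES CHAIN -> ACCEPT, DROP, REJECT, ...
effective_default() {
    printf '%s\n' "$1" | awk -v mode=default -v chain="$2" "$AUDIT_AWK"
}

# Report for the constructed sample.
for c in INPUT FORWARD OUTPUT; do
    printf '%s: default=%s new-tcp-ports=%s\n' "$c" \
        "$(effective_default "$SAMPLE_RULES" "$c")" \
        "$(new_tcp_ports "$SAMPLE_RULES" "$c" | tr '\n' ' ')"
done
```

Run it against a live system with `iptables-save | ...` piped into a variable; the sample reports INPUT and FORWARD falling through to REJECT with only port 22 open for new connections, while OUTPUT keeps its ACCEPT policy.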

9. Required kernel modules:

Kernel modules are needed for some iptables features to work. Some of these modules are iptable_nat, ip_conntrack_ftp and others:

+ The iptable_nat module is needed for some kinds of NAT.
+ The ip_conntrack_ftp module is needed to add support for the FTP protocol.
+ The ip_conntrack module keeps connection state for the TCP protocol.
+ The ip_nat_ftp module must be loaded for FTP servers behind a NAT firewall.

*NOTE: the /etc/sysconfig/iptables file does not record which modules are loaded, so we must add the module-loading statements to /etc/rc.local, which runs at the end of every boot.

The sample scripts in this section assume the following statements are stored in /etc/rc.local:

# File: /etc/rc.local
# Module to track the state of connections
modprobe ip_conntrack
# Load the iptables active FTP module, requires ip_conntrack
modprobe ip_conntrack_ftp
# Load iptables NAT module when required
modprobe iptable_nat
# Module required for active an FTP server using NAT
modprobe ip_nat_ftp

10. Sample iptables scripts:

10.1 Basics of protecting the system:

The Linux operating system protects itself through kernel parameters in the /proc filesystem, which are set via the file /etc/sysctl.conf. Use /etc/sysctl.conf for the kernel parameters it supports. Here is a sample configuration:

# File: /etc/sysctl.conf
#---------------------------------------------------------
# Disable routing triangulation. Respond to queries out
# the same interface, not another. Helps to maintain state
# Also protects against IP spoofing
#---------------------------------------------------------
net/ipv4/conf/all/rp_filter = 1
#---------------------------------------------------------
# Enable logging of packets with malformed IP addresses
#---------------------------------------------------------
net/ipv4/conf/all/log_martians = 1
#---------------------------------------------------------
# Disable redirects
#---------------------------------------------------------
net/ipv4/conf/all/send_redirects = 0
#---------------------------------------------------------
# Disable source routed packets
#---------------------------------------------------------
net/ipv4/conf/all/accept_source_route = 0
#---------------------------------------------------------
# Disable acceptance of ICMP redirects
#---------------------------------------------------------
net/ipv4/conf/all/accept_redirects = 0
#---------------------------------------------------------
# Turn on protection from Denial of Service (DOS) attacks
#---------------------------------------------------------
net/ipv4/tcp_syncookies = 1
#---------------------------------------------------------
# Disable responding to ping broadcasts
#---------------------------------------------------------
net/ipv4/icmp_echo_ignore_broadcasts = 1
#---------------------------------------------------------
# Enable IP routing. Required if your firewall is protecting
# network, NAT included
#---------------------------------------------------------
net/ipv4/ip_forward = 1
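To check whether a given sysctl.conf really carries the settings above, here is an added shell checker (not from the original document). It normalizes both the slash spelling used above and the dotted spelling, reports every hardening key that is missing or has a different value, and is exercised on a constructed file with one wrong value and one omission.

```shell
#!/bin/sh
# sysctl.conf hardening check for the keys of section 10.1 (added example, not
# from the original document). Assumes only POSIX sed/awk/tr and mktemp.

# Expected values, taken from the /etc/sysctl.conf sample above (dotted form).
EXPECTED='net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.tcp_syncookies=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.ip_forward=1'

# normalize FILE -> "key=value" lines: comments and blank lines removed,
# whitespace around "=" stripped, "/" turned into "." (sysctl treats both alike).
normalize() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' \
        -e 's/[[:space:]]*=[[:space:]]*/=/' \
        -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" | tr '/' '.'
}

# sysctl_audit FILE -> prints "MISSING key" or "WRONG key=actual (want expected)"
# per problem; prints nothing and returns 0 when every key matches, 1 otherwise.
sysctl_audit() {
    conf=$(normalize "$1")
    rc=0
    for want in $EXPECTED; do
        key=${want%%=*}
        val=${want#*=}
        # last assignment wins, as it does for sysctl itself
        got=$(printf '%s\n' "$conf" | awk -F= -v k="$key" '$1 == k { v = $2 } END { print v }')
        if [ -z "$got" ]; then
            echo "MISSING $key"; rc=1
        elif [ "$got" != "$val" ]; then
            echo "WRONG $key=$got (want $val)"; rc=1
        fi
    done
    return $rc
}

# Constructed sample: accept_redirects is wrong and icmp_echo_ignore_broadcasts is absent.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed test input, not a real host's file
net/ipv4/conf/all/rp_filter = 1
net/ipv4/conf/all/log_martians = 1
net/ipv4/conf/all/send_redirects = 0
net/ipv4/conf/all/accept_source_route = 0
# wrong on purpose: should be 0
net/ipv4/conf/all/accept_redirects = 1
net.ipv4.tcp_syncookies = 1
net/ipv4/ip_forward = 1
EOF
sysctl_audit "$SAMPLE" || echo "hardening check failed"
rm -f "$SAMPLE"
```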

10.2 Advantages of iptables initialization:

You can add many useful initialization steps to the script, including checking Internet traffic for the RFC 1918 private addresses. More complex initializations include checking for attacks that use invalid TCP flags.

The script also uses many user-defined chains to make it shorter and faster, since the chains can be called repeatedly. This removes the need to repeat the same statements.

The complete firewall script:

#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#
#
# Define networks: NOTE!! You may want to put these "EXTERNAL"
# definitions at the top of your script.
#
#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#

EXTERNAL_INT="eth0"            # External Internet interface
EXTERNAL_IP="97.158.253.25"    # Internet Interface IP address

#---------------------------------------------------------
# Initialize our user-defined chains
#---------------------------------------------------------

iptables -N valid-src
iptables -N valid-dst

#---------------------------------------------------------
# Verify valid source and destination addresses for all packets
#---------------------------------------------------------

iptables -A INPUT   -i $EXTERNAL_INT -j valid-src
iptables -A FORWARD -i $EXTERNAL_INT -j valid-src
iptables -A OUTPUT  -o $EXTERNAL_INT -j valid-dst
iptables -A FORWARD -o $EXTERNAL_INT -j valid-dst

#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#
# Source and Destination Address Sanity Checks
#
# Drop packets from networks covered in RFC 1918 (private nets)
# Drop packets from external interface IP
#
#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#

iptables -A valid-src -s 10.0.0.0/8      -j DROP
iptables -A valid-src -s 172.16.0.0/12   -j DROP
iptables -A valid-src -s 192.168.0.0/16  -j DROP
iptables -A valid-src -s 224.0.0.0/4     -j DROP
iptables -A valid-src -s 240.0.0.0/5     -j DROP
iptables -A valid-src -s 127.0.0.0/8     -j DROP
iptables -A valid-src -s 0.0.0.0/8       -j DROP
iptables -A valid-src -d 255.255.255.255 -j DROP
iptables -A valid-src -s 169.254.0.0/16  -j DROP
iptables -A valid-src -s $EXTERNAL_IP    -j DROP
iptables -A valid-dst -d 224.0.0.0/4     -j DROP

10.3 Allowing DNS access from the firewall:

The firewall needs to be able to make DNS queries to the Internet. This is not required for the basic function of the firewall, but Fedora Linux's yum RPM updater needs it to keep the server up to date with the latest security patches. The following statements allow this not only for a firewall acting as a DNS client but also for firewalls working as a caching or regular DNS server.

#---------------------------------------------------------
# Allow outbound DNS queries from the FW and the replies too
#
# - Interface eth0 is the internet interface
#
# Zone transfers use TCP and not UDP. Most home networks
# / websites using a single DNS server won't require TCP
# statements
#---------------------------------------------------------

iptables -A OUTPUT -p udp -o eth0 --dport 53 --sport 1024:65535 -j ACCEPT
iptables -A INPUT  -p udp -i eth0 --sport 53 --dport 1024:65535 -j ACCEPT

10.4 Allowing WWW and SSH access to the firewall:

This short script is for a firewall that doubles as a web server, managed by the web server system administrator over a secure shell (SSH) connection. Incoming packets destined for port 80 (WWW) and 22 (SSH) are allowed, which creates the first step in establishing a connection. The return direction on those ports (80 and 22) needs no rule of its own, because the outbound rule for packets of all established connections already allows it.

#---------------------------------------------------------
# Allow previously established connections
# - Interface eth0 is the internet interface
#---------------------------------------------------------

iptables -A OUTPUT -o eth0 -m state --state \
    ESTABLISHED,RELATED -j ACCEPT

#---------------------------------------------------------
# Allow port 80 (www) and 22 (SSH) connections to the firewall
#---------------------------------------------------------

iptables -A INPUT -p tcp -i eth0 --dport 22 --sport \
    1024:65535 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 80 --sport \
    1024:65535 -m state --state NEW -j ACCEPT

10.5 Allowing the firewall to access the Internet:

This iptables script lets a user on the firewall use a web browser to reach the Internet. HTTP traffic uses TCP port 80, and HTTPS (HTTP secure) uses port 443.

#---------------------------------------------------------
# Allow port 80 (www) and 443 (https) connections from the firewall
#---------------------------------------------------------

iptables -A OUTPUT -j ACCEPT -m state --state \
    NEW,ESTABLISHED,RELATED -o eth0 -p tcp -m \
    multiport --dport 80,443 -m multiport --sport \
    1024:65535

#---------------------------------------------------------
# Allow previously established connections
# - Interface eth0 is the internet interface
#---------------------------------------------------------

iptables -A INPUT -j ACCEPT -m state --state \
    ESTABLISHED,RELATED -i eth0 -p tcp

If you want all traffic from the firewall to be accepted, remove:

-m multiport --dport 80,443 -m multiport --sport \
    1024:65535

10.6 Allowing the home network to access the firewall:

Example: eth1 is connected to the home network, which uses IP addresses from the 192.168.1.0 network. All traffic between this network and the firewall is assumed to be trusted.

The rules needed for the Internet-facing interface allow only specific ports, connection types and selected servers to reach the firewall and the home network.

#---------------------------------------------------------
# Allow all bidirectional traffic from your firewall to the
# protected network
# - Interface eth1 is the private network interface
#---------------------------------------------------------

iptables -A INPUT  -j ACCEPT -p all -s 192.168.1.0/24 -i eth1
iptables -A OUTPUT -j ACCEPT -p all -d 192.168.1.0/24 -o eth1

10.7 Masquerading (many-to-one NAT):

Traffic from all devices on one or more protected networks appears to originate from a single IP address on the Internet side of the firewall. The masquerade IP address always defaults to the IP address of the firewall's main interface. The advantage of masquerading is that you don't have to specify the NAT IP address, which makes it easy to configure iptables NAT together with DHCP.

You can configure many-to-one NAT to a fixed IP address by using POSTROUTING without the MASQUERADE target.

Masquerading depends on the Linux operating system being configured to route between the Internet and the firewall's private network interfaces. This is done by enabling IP forwarding: set the file /proc/sys/net/ipv4/ip_forward to 1 instead of its default value of 0.

Once masquerading has been set up using the POSTROUTING chain of the nat table, iptables must also be configured to allow packets to flow between the two interfaces. To do this, use the FORWARD chain of the filter table. More precisely, packets related to NEW and ESTABLISHED connections are allowed outbound to the Internet, but only packets related to ESTABLISHED connections are allowed inbound. This helps protect the home network from anyone trying to connect to it from the Internet.

#---------------------------------------------------------
# Load the NAT module
#
# Note: It is best to use the /etc/rc.local example in this
# chapter. This value will not be retained in the
# /etc/sysconfig/iptables file. Included only as a reminder.
#---------------------------------------------------------

modprobe iptable_nat

#---------------------------------------------------------
# Enable routing by modifying the ip_forward /proc filesystem
# file
#
# Note: It is best to use the /etc/sysctl.conf example in this
# chapter. This value will not be retained in the
# /etc/sysconfig/iptables file. Included only as a reminder.
#---------------------------------------------------------

echo 1 > /proc/sys/net/ipv4/ip_forward

#---------------------------------------------------------
# Allow masquerading
# - Interface eth0 is the internet interface
# - Interface eth1 is the private network interface
#---------------------------------------------------------

iptables -A POSTROUTING -t nat -o eth0 -s 192.168.1.0/24 \
    -d 0/0 -j MASQUERADE

#---------------------------------------------------------
# Prior to masquerading, the packets are routed via the filter
# table's FORWARD chain.
# Allowed outbound: New, established and related connections
# Allowed inbound : Established and related connections
#---------------------------------------------------------

iptables -A FORWARD -t filter -o eth0 -m state --state \
    NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -t filter -i eth0 -m state --state \
    ESTABLISHED,RELATED -j ACCEPT

10.8 Port forwarding with NAT (DHCP DSL):

In many cases home users receive a single public DHCP IP address from their ISP. If a Linux firewall is also your Internet interface and you want to host a website on one of the NAT-protected home servers, then you have to use port forwarding. Here the combination of the firewall's single IP address, the server's IP address and the source/destination port of the traffic is used to uniquely identify the traffic to be forwarded.

Port forwarding is handled by the PREROUTING chain of the nat table. As with masquerading, the iptable_nat module must be loaded and routing must be enabled for port forwarding to work. Routing must also be allowed in the iptables FORWARD chain; this includes all NEW inbound connections from the Internet that match the port forward, and all packets related to ESTABLISHED connections in both directions:

#---------------------------------------------------------
# Load the NAT module
#
# Note: It is best to use the /etc/rc.local example in this
# chapter. This value will not be retained in the
# /etc/sysconfig/iptables file. Included only as a reminder.
#---------------------------------------------------------

modprobe iptable_nat

#---------------------------------------------------------
# Get the IP address of the Internet interface eth0 (linux only)
#
# You'll have to use a different expression to get the IP address
# for other operating systems which have a different ifconfig
# output or enter the IP address manually in the PREROUTING
# statement
#
# This is best when your firewall gets its IP address using DHCP.
# The external IP address could just be hard coded ("typed in
# normally")
#---------------------------------------------------------

external_int="eth0"
external_ip="$(ifconfig $external_int | grep 'inet addr' | \
               awk '{print $2}' | sed -e 's/.*://')"

#---------------------------------------------------------
# Enable routing by modifying the ip_forward /proc filesystem
# file
#
# Note: It is best to use the /etc/sysctl.conf example in
# this chapter. This value will not be retained in the
# /etc/sysconfig/iptables file. Included only as a reminder.
#---------------------------------------------------------

echo 1 > /proc/sys/net/ipv4/ip_forward

#---------------------------------------------------------
# Allow port forwarding for traffic destined to port 80 of
# the firewall's IP address to be forwarded to port 8080 on
# server 192.168.1.200
#
# - Interface eth0 is the internet interface
# - Interface eth1 is the private network interface
#---------------------------------------------------------

iptables -t nat -A PREROUTING -p tcp -i eth0 -d \
    $external_ip --dport 80 --sport 1024:65535 -j DNAT --to-destination \
    192.168.1.200:8080

#---------------------------------------------------------
# After DNAT, the packets are routed via the filter table's
# FORWARD chain.
# Connections on port 80 to the target machine on the private
# network must be allowed.
#---------------------------------------------------------

iptables -A FORWARD -p tcp -i eth0 -o eth1 -d \
    192.168.1.200 --dport 8080 --sport 1024:65535 \
    -m state --state NEW -j ACCEPT
iptables -A FORWARD -t filter -o eth0 -m state --state \
    NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -t filter -i eth0 -m state --state \
    ESTABLISHED,RELATED -j ACCEPT
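The masquerading rules of 10.7 and the port-forwarding rules of 10.8 can be produced as a single iptables-restore file instead of being typed one command at a time. The shell function below is an added example, not from the original document: it emits the complete nat and filter tables for this gateway, with default-deny policies on INPUT and FORWARD and rate-limited logging of what gets dropped, so the result can be reviewed as text and loaded atomically. It assumes the layout used above: eth0 faces the Internet, eth1 the protected 192.168.1.0/24 network, ip_forward and the NAT module are already enabled as in sections 9 and 10.1, and the optional port forward sends public port 80 to 192.168.1.200:8080.

```shell
#!/bin/sh
# iptables-restore generator for the masquerading gateway of sections 10.7 and 10.8
# (added example, not from the original document). Preview with
#   gateway_ruleset eth0 97.158.253.25 eth1 192.168.1.0/24 80 192.168.1.200 8080
# and load with the same command piped into iptables-restore (as root).

rule() { printf '%s\n' "$*"; }      # one iptables-save line per call

# gateway_ruleset EXT_IF EXT_IP INT_IF LAN_NET [PUB_PORT SERVER_IP SERVER_PORT]
# The optional trailing triple adds the port forward of section 10.8.
gateway_ruleset() {
    ext_if=$1 ext_ip=$2 int_if=$3 lan=$4
    pub_port=$5 srv_ip=$6 srv_port=$7

    rule '*nat'
    rule ':PREROUTING ACCEPT [0:0]'
    rule ':POSTROUTING ACCEPT [0:0]'
    rule ':OUTPUT ACCEPT [0:0]'
    # 10.8: rewrite the destination before routing so the packet reaches the server
    if [ -n "$pub_port" ]; then
        rule -A PREROUTING -i "$ext_if" -p tcp -d "$ext_ip" --dport "$pub_port" \
             -j DNAT --to-destination "$srv_ip:$srv_port"
    fi
    # 10.7: many-to-one NAT, rewriting the source after routing
    rule -A POSTROUTING -o "$ext_if" -s "$lan" -j MASQUERADE
    rule COMMIT

    rule '*filter'
    # Default deny on INPUT and FORWARD; the document's samples leave these at ACCEPT.
    rule ':INPUT DROP [0:0]'
    rule ':FORWARD DROP [0:0]'
    rule ':OUTPUT ACCEPT [0:0]'
    rule -A INPUT -i lo -j ACCEPT
    rule -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 10.6: the home network may reach the firewall itself
    rule -A INPUT -i "$int_if" -s "$lan" -j ACCEPT
    rule -A INPUT -m limit --limit 5/min -j LOG --log-prefix '"FW-INPUT-DROP: "'
    # 10.7: LAN may open connections outward; the Internet only gets replies back
    rule -A FORWARD -i "$int_if" -o "$ext_if" -s "$lan" \
         -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    rule -A FORWARD -i "$ext_if" -o "$int_if" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 10.8: after DNAT the forwarded connection must pass FORWARD as NEW
    if [ -n "$pub_port" ]; then
        rule -A FORWARD -i "$ext_if" -o "$int_if" -p tcp -d "$srv_ip" --dport "$srv_port" \
             -m state --state NEW -j ACCEPT
    fi
    rule -A FORWARD -m limit --limit 5/min -j LOG --log-prefix '"FW-FORWARD-DROP: "'
    rule COMMIT
}

# Sample run with the addresses used in this chapter.
gateway_ruleset eth0 97.158.253.25 eth1 192.168.1.0/24 80 192.168.1.200 8080
```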

    10.9_ NAT tnh (SNAT):

  • 8/6/2019 Iptables Intro Vi

    22/25

    -22 -

    V d: tt cng truyn n mt a ch IP cng cng ring bit, c chuyni n mt server n trn Subnet c bo v. Bi vig firewall c nhiu hn mt ach IP, ta khng th thc hin MASQUERADE; n s bt buc khi to nha ch IPca giao tip chnh v khng nhng bt c nhng a ch IP trng lp m firewall cth c. Thay v vy, s dng SNAT ch r a ch IP b trng lp c s dng chovic lin kt ban u bi nhng server khc trong mng c bo v.

    Note: Although the nat table NATs all traffic to the target servers (192.168.1.100 to 102), only connections to ports 80, 443 and 22 are allowed through by the FORWARD chain. The -m multiport option must be specified whenever multiple non-sequential ports have to be matched, for both source and destination.

    In this example, the firewall:
    + Uses one-to-one NAT to make the server 192.168.1.100 on the home network appear on the Internet as IP address 97.158.253.26.
    + Creates a many-to-one NAT for the home network address 192.168.1.100, with all the servers appearing as IP address 97.158.253.26. This is different from the one-to-one address; alias IP addresses are created for each of these Internet IPs for one-to-one NAT to work.

    #---------------------------------------------------------
    # Load the NAT module
    #
    # Note: It is best to use the /etc/rc.local example in this
    #       chapter. This value will not be retained in the
    #       /etc/sysconfig/iptables file. Included only as a
    #       reminder.
    #---------------------------------------------------------

    modprobe iptable_nat

    #---------------------------------------------------------
    # Enable routing by modifying the ip_forward /proc
    # filesystem file
    #
    # Note: It is best to use the /etc/sysctl.conf example in
    #       this chapter. This value will not be retained in
    #       the /etc/sysconfig/iptables file. Included only as
    #       a reminder.
    #---------------------------------------------------------

    echo 1 > /proc/sys/net/ipv4/ip_forward

    #---------------------------------------------------------
    # NAT ALL traffic:
    ############ REMEMBER to create aliases for all the internet IP addresses below ############
    #
    # TO:             FROM:            MAP TO SERVER:
    # 97.158.253.26   Anywhere         192.168.1.100   (1:1 NAT - Inbound)
    # Anywhere        192.168.1.100    97.158.253.26   (1:1 NAT - Outbound)
    # Anywhere        192.168.1.0/24   97.158.253.29   (FW IP)
    #
    # SNAT is used to NAT all other outbound connections initiated
    # from the protected network to appear to come from
    # IP address 97.158.253.29
    #
    # POSTROUTING:
    #       NATs source IP addresses. Frequently used to NAT
    #       connections from your home network to the Internet
    #
    # PREROUTING:
    #       NATs destination IP addresses. Frequently used to NAT
    #       connections from the Internet to your home network
    #
    # - Interface eth0 is the internet interface
    # - Interface eth1 is the private network interface
    #---------------------------------------------------------

    #---------------------------------------------------------
    # PREROUTING statements for 1:1 NAT
    # (Connections originating from the Internet)
    #---------------------------------------------------------

    iptables -t nat -A PREROUTING -d 97.158.253.26 -i eth0 \
             -j DNAT --to-destination 192.168.1.100

    #---------------------------------------------------------
    # POSTROUTING statements for 1:1 NAT
    # (Connections originating from the home network servers)
    #---------------------------------------------------------

    iptables -t nat -A POSTROUTING -s 192.168.1.100 -o eth0 \
             -j SNAT --to-source 97.158.253.26

    #---------------------------------------------------------
    # POSTROUTING statements for Many:1 NAT
    # (Connections originating from the entire home network)
    #---------------------------------------------------------

    iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 \
             -j SNAT --to-source 97.158.253.29

    #---------------------------------------------------------
    # Allow forwarding to each of the servers configured for 1:1 NAT
    # (For connections originating from the Internet. Notice how
    # you use the real IP addresses here)
    #---------------------------------------------------------

    iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.1.100 \
             -m multiport --dport 80,443,22 \
             -m state --state NEW -j ACCEPT

    #---------------------------------------------------------
    # Allow forwarding for all New and Established SNAT connections
    # originating on the home network AND already established DNAT
    # connections
    #---------------------------------------------------------

    iptables -A FORWARD -t filter -o eth0 -m state --state \
             NEW,ESTABLISHED,RELATED -j ACCEPT

    #---------------------------------------------------------
    # Allow forwarding for all 1:1 NAT connections originating on
    # the Internet that have already passed through the NEW
    # forwarding statements above
    #---------------------------------------------------------

    iptables -A FORWARD -t filter -i eth0 -m state --state \
             ESTABLISHED,RELATED -j ACCEPT
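The 1:1 plus many:1 NAT rule set above, generalised to a list of servers, as an added example that is not part of the original document. The IPTABLES dry-run variable, the second server (97.158.253.27 to 192.168.1.101 on ports 25,110) and the helper function names are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original document): generate the 1:1 and
# many:1 NAT rules of this section for a list of servers instead of
# hand-writing one block per server. IPTABLES defaults to "echo iptables"
# so the script can be dry-run; set IPTABLES=iptables on the firewall.
IPTABLES="${IPTABLES:-echo iptables}"
EXT_IF=eth0          # Internet interface
INT_IF=eth1          # private network interface
LAN=192.168.1.0/24
FW_IP=97.158.253.29  # many:1 SNAT address for the rest of the LAN

# One "public_ip private_ip allowed_ports" triple per line. The first is
# the server from the text; the second is a constructed example value.
# Every public IP here must also exist as an alias on $EXT_IF.
NAT_MAP='97.158.253.26 192.168.1.100 80,443,22
97.158.253.27 192.168.1.101 25,110'

# The three rules every 1:1 NAT server needs: inbound DNAT, outbound
# SNAT, and a FORWARD rule limited to the listed (non-sequential) ports.
one_to_one_rules() {
    pub=$1; priv=$2; ports=$3
    $IPTABLES -t nat -A PREROUTING -i $EXT_IF -d $pub -j DNAT --to-destination $priv
    $IPTABLES -t nat -A POSTROUTING -o $EXT_IF -s $priv -j SNAT --to-source $pub
    $IPTABLES -A FORWARD -p tcp -i $EXT_IF -o $INT_IF -d $priv \
        -m multiport --dport $ports -m state --state NEW -j ACCEPT
}

# Per-server rules first, then the many:1 catch-all and the stateful
# FORWARD rules from the text. Order matters in POSTROUTING: the first
# matching SNAT rule wins, so the /24 rule must come after the 1:1 rules
# or the 1:1 servers would leave as $FW_IP instead of their own alias.
build_ruleset() {
    printf '%s\n' "$NAT_MAP" | while read pub priv ports; do
        one_to_one_rules "$pub" "$priv" "$ports"
    done
    $IPTABLES -t nat -A POSTROUTING -o $EXT_IF -s $LAN -j SNAT --to-source $FW_IP
    $IPTABLES -A FORWARD -o $EXT_IF -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i $EXT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Number of rules produced; a quick sanity check before applying for real.
rule_count() { build_ruleset | wc -l | tr -d ' '; }

build_ruleset
```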

    10.10_ Troubleshooting iptables:

    A number of tools allow troubleshooting of iptables firewall scripts. One of the best methods is to log every blocked packet.

    * Checking the firewall log:
    Packets passing through the firewall are tracked with rules in the iptables list that use the LOG target.

    The LOG target will:
    + Log all traffic that matches the iptables rule in which it is located.
    + Write an entry to the file /var/log/messages and then execute the next rule. To log only unwanted traffic, you must add a matching rule with a DROP target immediately after the LOG rule.

    The following logs the remaining packets to the file /var/log/messages before dropping them.

    #------------------------------------------------------
    # Log and drop all other packets to file /var/log/messages
    # Without this we could be crawling around in the dark
    #------------------------------------------------------

    iptables -A OUTPUT -j LOG
    iptables -A INPUT -j LOG
    iptables -A FORWARD -j LOG

    iptables -A OUTPUT -j DROP
    iptables -A INPUT -j DROP
    iptables -A FORWARD -j DROP
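To make the /var/log/messages entries written by these LOG rules reviewable, here is an added example (not from the original document) that summarises LOG-target lines by source address, protocol and destination port. The log lines, hostnames and addresses are constructed; the field names follow the kernel's iptables LOG format.

```shell
#!/bin/sh
# Added example (not from the original document): summarise what the LOG
# target wrote to /var/log/messages so dropped traffic can be reviewed.

# Constructed sample log lines (timestamps and addresses are made up).
# The last line is a non-iptables message that must be ignored.
SAMPLE_LOG='Dec  3 10:01:12 bigboy kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=97.158.253.26 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=41234 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Dec  3 10:01:15 bigboy kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=97.158.253.26 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=41235 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Dec  3 10:01:20 bigboy kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=97.158.253.26 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=0 DF PROTO=TCP SPT=50000 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
Dec  3 10:01:22 bigboy kernel: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=41236 DPT=3306 WINDOW=5840 RES=0x00 SYN URGP=0
Dec  3 10:01:30 bigboy sshd[1234]: Accepted publickey for admin from 192.168.1.5'

# Read log lines on stdin; print "SRC PROTO DPT COUNT", most frequent
# first. Lines without the kernel's SRC= field (e.g. sshd) are skipped.
summarize_log_hits() {
    awk '
        /kernel: / && /SRC=/ {
            src = ""; proto = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "SRC")   src   = kv[2]
                if (kv[1] == "PROTO") proto = kv[2]
                if (kv[1] == "DPT")   dpt   = kv[2]
            }
            if (src != "") count[src " " proto " " dpt]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort -k4,4nr -k1,1
}

# The single busiest SRC/PROTO/DPT tuple in the sample log.
top_log_hit() {
    printf '%s\n' "$SAMPLE_LOG" | summarize_log_hits | head -n 1
}

# Number of distinct source addresses that hit a LOG rule in the sample.
distinct_sources() {
    printf '%s\n' "$SAMPLE_LOG" | summarize_log_hits | awk '{print $1}' \
        | sort -u | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_LOG" | summarize_log_hits
```

On a live firewall, pipe `grep 'kernel:' /var/log/messages` into summarize_log_hits instead of the constructed sample.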