INSTALLING AND CONFIGURING IPTABLES

Nguyễn Hồng Thái <nhthai2005@gmail.com>, Dept. of Telecommunication, Ho Chi Minh City University of Technology, South Vietnam

1. Introduction to iptables

iptables was written by the Netfilter Organization to strengthen security on Linux systems. iptables provides the following features:
- Integrates well with the Linux kernel.
- Analyses packets efficiently.
- Filters packets based on the MAC address and on flags in the TCP header.
- Provides detailed options for logging system events.
- Provides NAT.
- Can block some DoS-style attack mechanisms.

2. Installing iptables

iptables is installed by default on Linux systems. The iptables package is iptables-version.rpm or iptables-version.tgz, and it can be installed with the following commands:

$ rpm -ivh iptables-version.rpm     (on Red Hat)
$ apt-get install iptables          (on Debian)

- Start iptables: service iptables start
- Stop iptables: service iptables stop
- Restart iptables: service iptables restart
- Check the status of iptables: service iptables status

3. Packet processing in iptables

iptables inspects every packet that passes through the iptables host; the rules are checked sequentially, from the first entry to the last. There are three tables in iptables:

Mangle table: responsible for altering the quality-of-service bits in the TCP header. This table is normally used in SOHO (Small Office/Home Office) environments.

Filter queue: responsible for packet filtering; it has three built-in chains that implement the firewall policy rules:
- Forward chain: allows packets to be forwarded through the firewall.
- Input chain: allows packets entering the firewall.
- Output chain: allows packets leaving the firewall.

NAT queue: performs NAT (Network Address Translation) and provides the following two built-in chains:
- Pre-routing chain: NAT from outside into the internal network. NAT is performed before the routing decision. This makes it convenient to rewrite the destination address to one that matches the firewall's routing table; in the configuration the keyword DNAT describes this technique.

Nguyễn Hồng Thái

16/12/2006

- Post-routing chain: NAT from inside to outside. NAT is performed after the routing decision, and its purpose is to change the packet's source address. This technique is called one-to-one or many-to-one NAT, also known as Source NAT or SNAT.
- OUTPUT chain: here the firewall itself performs the NAT process.

4. Targets and jumps

A jump is the mechanism that hands a packet to a target for further processing. A target is an action mechanism in iptables, used to identify and check packets. The targets built into iptables include:

- ACCEPT: iptables accepts the packet and passes the data on to its destination.
- DROP: iptables blocks the packet.
- LOG: the packet's information is sent to the syslog daemon, and iptables continues with the next rule in the table. If the last rule does not match either, the packet is dropped. The common option is --log-prefix=string, which makes iptables record messages that begin with the string.
- REJECT: blocks the packet and sends a notification back to the sender. The common option is --reject-with qualifier, where qualifier specifies the type of reject message returned to the sender. The qualifiers are: icmp-port-unreachable (default), icmp-net-unreachable, icmp-host-unreachable, icmp-proto-unreachable.
- DNAT: changes the packet's destination address. The option is --to-destination ipaddress.
- SNAT: changes the packet's source address. The option is --to-source <address>[-<address>][:<port>-<port>].
- MASQUERADE: used to perform NAT by masquerading the source address as the address of the firewall's interface. The option is [--to-ports <port>[-<port>]], which specifies the range of source ports the original ports are mapped to.
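The chain walk described in sections 3 and 4 (rules checked in order, LOG continuing to the next rule, a terminating target ending the walk, the chain policy applying when nothing matches) can be made concrete with a small model. The following Python code is an added illustration, not code from the original document; the Packet and Rule classes and the walk_chain function are simplifications (exact-match fields only, no CIDR networks or port ranges), and the sample rules mirror Example 1 later on the page with a LOG rule placed before the DROP policy.

```python
"""Model of how an iptables chain walks its rules: first terminating match wins,
LOG is non-terminating, and the chain policy applies when nothing matches.
Added illustration for this page, not code from the original document."""
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None
    in_if: Optional[str] = None

@dataclass
class Rule:
    target: str                      # ACCEPT, DROP, REJECT or LOG
    proto: Optional[str] = None      # -p
    src: Optional[str] = None        # -s (single address only in this model)
    dst: Optional[str] = None        # -d
    dport: Optional[int] = None      # --dport
    in_if: Optional[str] = None      # -i
    log_prefix: str = ""             # --log-prefix for LOG rules

    def matches(self, pkt: Packet) -> bool:
        """A field left None on the rule matches anything, as an omitted switch does."""
        checks = [
            (self.proto, pkt.proto), (self.src, pkt.src), (self.dst, pkt.dst),
            (self.dport, pkt.dport), (self.in_if, pkt.in_if),
        ]
        return all(want is None or want == have for want, have in checks)

def walk_chain(rules, policy, pkt, log):
    """Return the verdict for pkt; `log` collects what LOG rules would send to syslog."""
    for idx, rule in enumerate(rules, start=1):
        if not rule.matches(pkt):
            continue
        if rule.target == "LOG":
            log.append(f"{rule.log_prefix}rule={idx} {pkt.proto} {pkt.src}->{pkt.dst}:{pkt.dport}")
            continue                 # LOG never ends the walk
        return rule.target           # first terminating match decides
    return policy                    # fell off the end: the chain policy applies

def demo():
    """INPUT chain with policy DROP: accept ICMP, accept TCP to the firewall
    address on eth0 (Example 1), and log whatever is about to hit the policy."""
    input_rules = [
        Rule(target="ACCEPT", proto="icmp"),
        Rule(target="ACCEPT", proto="tcp", dst="172.28.24.199", in_if="eth0"),
        Rule(target="LOG", log_prefix="INPUT-DROP: "),
    ]
    log = []
    verdicts = {
        "ping":  walk_chain(input_rules, "DROP", Packet("icmp", "10.0.0.9", "172.28.24.199", in_if="eth0"), log),
        "web":   walk_chain(input_rules, "DROP", Packet("tcp", "10.0.0.9", "172.28.24.199", 80, "eth0"), log),
        "other": walk_chain(input_rules, "DROP", Packet("udp", "10.0.0.9", "172.28.24.199", 53, "eth0"), log),
    }
    return verdicts, log
```

The "other" packet shows the behaviour the LOG description relies on: the LOG rule matches and records the packet, the walk continues, no further rule matches, and the chain policy DROP decides.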

5. Running iptables commands

Switch                Description
-t <table>            Specifies the table for iptables: filter, nat or mangle.
-j <target>           Jumps to a target chain when the packet matches the current rule.
-A                    Appends a rule to the end of the iptables chain.
-F                    Deletes all rules in the selected table.
-p <protocol-type>    Specifies the protocol: icmp, tcp, udp or all.
-s <ip-address>       Specifies the source address.
-d <ip-address>       Specifies the destination address.
-i <interface-name>   Specifies the input interface on which the packet arrives.
-o <interface-name>   Specifies the output interface through which the packet leaves.

Table 1: iptables command switches

Example 1: The firewall accepts any TCP packet arriving on interface eth0 for the address 172.28.24.199
# iptables -A INPUT -s 0/0 -i eth0 -d 172.28.24.199 -p tcp -j ACCEPT

Example 2: The firewall accepts routed TCP packets that arrive on interface eth0 and leave through interface eth1 to the destination 172.28.2.2, with source ports 1024-65535 and destination port 8080
# iptables -A FORWARD -s 0/0 -i eth0 -o eth1 -d 172.28.2.2 -p tcp \
    --sport 1024:65535 --dport 8080 -j ACCEPT

Example 3: The firewall allows icmp echo-request and icmp echo-reply packets

# iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
# iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

Example 4: Specify the number of matching requests per unit of time (/second, /minute, /hour, /day)

# iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s \
    -i eth0 -j ACCEPT

Its advantage is that it limits the number of connections, which helps defend against attack mechanisms such as DoS (Denial of Service).

Switch                               Description
-m multiport --sport <port,port>     Matches several source port ranges, separated by commas; requires the -m option.
-m multiport --dport <port,port>     Matches several destination port ranges, separated by commas; requires the -m option.
-m multiport --ports <port,port>     Matches several port ranges (source or destination), separated by commas; requires the -m option.
-m state --state <state>             Checks the connection state: ESTABLISHED: the connection is established; NEW: a connection is being initiated; RELATED: a secondary connection is being established (FTP data transfer or ICMP error).

Table 2: Description of some extension parameters

Example 5: The firewall accepts TCP packets from any address arriving on interface eth0 for the address 172.28.24.195 via interface eth1, with source ports 1024-65535 and destination ports 8080 and 443 (first command). Return packets from 172.28.2.2 are also accepted (second command).
# iptables -A FORWARD -s 0/0 -i eth0 -d 172.28.24.195 -o eth1 -p tcp \
    --sport 1024:65535 -m multiport --dport 8080,443 -j ACCEPT
# iptables -A FORWARD -d 0/0 -i eth0 -s 172.28.2.2 -o eth1 -p tcp \
    -m state --state ESTABLISHED -j ACCEPT
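Example 4 above caps echo requests with -m limit, and the text notes that this helps against DoS. What the rate does to a burst is easier to see in a model. The Python code below is added here and is not part of the original document: it reproduces the token-bucket behaviour of the limit match, assuming the kernel's default burst of 5 tokens (--limit-burst, which the page does not mention), and parses the rate units the example lists (/second, /minute, /hour, /day). Packets that find the bucket empty do not match the rule and fall through to the rules after it.

```python
"""Token-bucket model of iptables' "-m limit --limit <rate>" match.
Added illustration for this page, not code from the original document.
Assumes the kernel default burst of 5 tokens (--limit-burst)."""

UNIT_SECONDS = {"s": 1, "sec": 1, "second": 1, "m": 60, "min": 60, "minute": 60,
                "h": 3600, "hour": 3600, "d": 86400, "day": 86400}

def rate_per_second(spec):
    """Turn a --limit argument such as '1/s', '30/minute' or '6/hour' into tokens per second."""
    count, _, unit = spec.partition("/")
    return int(count) / UNIT_SECONDS[unit.lower()]

def simulate_limit(arrivals, rate, burst=5):
    """Return [(t, matched)] for packets arriving at times `arrivals` (seconds, ascending).
    The bucket starts full, refills at `rate` tokens/s up to `burst`, and a packet
    matches only if a whole token is available to spend."""
    credit = float(burst)
    last = arrivals[0] if arrivals else 0.0
    result = []
    for t in arrivals:
        credit = min(float(burst), credit + (t - last) * rate)   # refill since last packet
        last = t
        if credit >= 1.0:
            credit -= 1.0
            result.append((t, True))      # rule matches: ACCEPT in Example 4
        else:
            result.append((t, False))     # bucket empty: falls through to later rules
    return result

def echo_request_flood():
    """Constructed scenario: ten echo requests at t=0, then one at t=1.0 and one at
    t=1.2, against the page's '--limit 1/s'. Returns the per-packet match results."""
    arrivals = [0.0] * 10 + [1.0, 1.2]
    return simulate_limit(arrivals, rate_per_second("1/s"))
```

With the default burst, the first five packets of the flood match immediately, the next five do not, and afterwards only one packet per second gets through; a larger --limit-burst trades a bigger initial allowance for the same steady rate.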

6. Using user-defined chains

Instead of using only the chains built into iptables, we can use user-defined chains to define a chain name that describes all the protocol types for a packet. User-defined chains can replace a long chain by having the main chain point to several sub-chains. Example 6:
# iptables -N fast-input-queue    ## create the user-defined chains before appending to them
# iptables -N fast-output-queue
# iptables -N icmp-queue-in
# iptables -N icmp-queue-out
# iptables -A INPUT -i eth0 -d 172.28.24.198 -j fast-input-queue
# iptables -A OUTPUT -o eth0 -s 172.28.2.2 -j fast-output-queue
# iptables -A fast-input-queue -p icmp -j icmp-queue-in
# iptables -A fast-output-queue -p icmp -j icmp-queue-out
# iptables -A icmp-queue-out -p icmp --icmp-type echo-request \
    -m state --state NEW -j ACCEPT
# iptables -A icmp-queue-in -p icmp --icmp-type echo-reply \
    -m state --state NEW -j ACCEPT

7. Saving the iptables script

The command service iptables save stores the iptables configuration in the file /etc/sysconfig/iptables. On reboot, the iptables-restore program reads this script and reactivates the saved configuration. The file format is as follows:
# Generated by iptables-save v1.2.8 on Thu Nov 9 15:47:54 2006
*nat
:PREROUTING ACCEPT [4169:438355]
:POSTROUTING ACCEPT [106:6312]
:OUTPUT ACCEPT [22:1332]
-A PREROUTING -d 172.28.24.199 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.2:8080
-A PREROUTING -d 172.28.24.199 -i eth0 -p tcp -m tcp --dport 8888 -j DNAT --to-destination 192.168.1.3:80
-A PREROUTING -i eth0 -p tcp -m tcp --dport 20:21 -j DNAT --to-destination 192.168.1.2:21
-A PREROUTING -i eth0 -p tcp -m tcp --dport 2020:2121 -j DNAT --to-destination 192.168.1.3:21
-A POSTROUTING -o eth0 -j SNAT --to-source 172.28.24.199
COMMIT
# Completed on Thu Nov 9 15:47:54 2006
# Generated by iptables-save v1.2.8 on Thu Nov 9 15:47:54 2006
*filter
:INPUT DROP [4011:414080]
:FORWARD ACCEPT [552:57100]
:OUTPUT ACCEPT [393:43195]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ! eth0 -m state --state NEW -j ACCEPT
-A FORWARD -d 192.168.1.3 -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
# Completed on Thu Nov 9 15:47:54 2006
# Generated by iptables-save v1.2.8 on Thu Nov 9 15:47:54 2006
*mangle
:PREROUTING ACCEPT [5114:853418]
:INPUT ACCEPT [4416:773589]
:FORWARD ACCEPT [552:57100]
:OUTPUT ACCEPT [393:43195]
:POSTROUTING ACCEPT [945:100295]
COMMIT
# Completed on Thu Nov 9 15:47:54 2006

8. Recovering the script when the script file is lost

The script can be recovered if the script file is lost. First, save the script with the command iptables-save > script_du_phong. The saved script_du_phong can then be reviewed with the command cat script_du_phong. The result is as follows:
# Generated by iptables-save v1.2.8 on Thu Nov 9 15:47:54 2006
*nat
:PREROUTING ACCEPT [4169:438355]
:POSTROUTING ACCEPT [106:6312]
:OUTPUT ACCEPT [22:1332]
-A PREROUTING -d 172.28.24.199 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.2:8080
-A PREROUTING -d 172.28.24.199 -i eth0 -p tcp -m tcp --dport 8888 -j DNAT --to-destination 192.168.1.3:80
-A PREROUTING -i eth0 -p tcp -m tcp --dport 20:21 -j DNAT --to-destination 192.168.1.2:21
-A PREROUTING -i eth0 -p tcp -m tcp --dport 2020:2121 -j DNAT --to-destination 192.168.1.3:21
-A POSTROUTING -o eth0 -j SNAT --to-source 172.28.24.199
COMMIT
# Completed on Thu Nov 9 15:47:54 2006
# Generated by iptables-save v1.2.8 on Thu Nov 9 15:47:54 2006
*filter
:INPUT DROP [4011:414080]
:FORWARD ACCEPT [552:57100]
:OUTPUT ACCEPT [393:43195]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ! eth0 -m state --state NEW -j ACCEPT
-A FORWARD -d 192.168.1.3 -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
# Completed on Thu Nov 9 15:47:54 2006
# Generated by iptables-save v1.2.8 on Thu Nov 9 15:47:54 2006
*mangle
:PREROUTING ACCEPT [5114:853418]
:INPUT ACCEPT [4416:773589]
:FORWARD ACCEPT [552:57100]
:OUTPUT ACCEPT [393:43195]
:POSTROUTING ACCEPT [945:100295]
COMMIT
# Completed on Thu Nov 9 15:47:54 2006

Next, edit script_du_phong and reload it into iptables with the command iptables-restore. Finally, save the rules back into the configuration file:
# iptables-restore < script_du_phong
# service iptables save
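Sections 7 and 8 both rely on the iptables-save format: a table header (*name), chain lines with their policy and counters, -A rules, and a COMMIT that closes each table. Before a hand-edited backup such as script_du_phong is fed to iptables-restore, it is worth checking that structure. The Python code below is added tooling for this page, not code from the original document; SAMPLE_DUMP is a shortened copy of the page's own dump, and the checks (unclosed table, rule for an undeclared chain, content outside a table) are the ones iptables-restore itself would fail on.

```python
"""Parser and pre-restore sanity check for the iptables-save format shown in
sections 7 and 8. Added tooling for this page, not code from the original
document. SAMPLE_DUMP is a shortened copy of the page's own dump."""
import re
from collections import OrderedDict

SAMPLE_DUMP = """\
# Generated by iptables-save v1.2.8 on Thu Nov 9 15:47:54 2006
*nat
:PREROUTING ACCEPT [4169:438355]
:POSTROUTING ACCEPT [106:6312]
:OUTPUT ACCEPT [22:1332]
-A PREROUTING -d 172.28.24.199 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.2:8080
-A POSTROUTING -o eth0 -j SNAT --to-source 172.28.24.199
COMMIT
# Completed on Thu Nov 9 15:47:54 2006
# Generated by iptables-save v1.2.8 on Thu Nov 9 15:47:54 2006
*filter
:INPUT DROP [4011:414080]
:FORWARD ACCEPT [552:57100]
:OUTPUT ACCEPT [393:43195]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ! eth0 -m state --state NEW -j ACCEPT
-A FORWARD -d 192.168.1.3 -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
# Completed on Thu Nov 9 15:47:54 2006
"""

# ":CHAIN POLICY [packets:bytes]"; user-defined chains carry "-" as their policy
CHAIN_RE = re.compile(r"^:(\S+)\s+(\S+)\s+\[(\d+):(\d+)\]$")

def parse_iptables_save(text):
    """Return {table: {"chains": {name: policy}, "rules": [rule, ...]}}.
    Raises ValueError for structural faults that iptables-restore would reject too."""
    tables = OrderedDict()
    current = None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                                   # comments and blank lines
        if line.startswith("*"):
            if current is not None:
                raise ValueError(f"line {lineno}: *{current} not closed by COMMIT")
            current = line[1:]
            tables[current] = {"chains": OrderedDict(), "rules": []}
        elif line == "COMMIT":
            if current is None:
                raise ValueError(f"line {lineno}: COMMIT outside a table")
            current = None
        elif current is None:
            raise ValueError(f"line {lineno}: content outside a table block")
        elif line.startswith(":"):
            m = CHAIN_RE.match(line)
            if not m:
                raise ValueError(f"line {lineno}: malformed chain header {line!r}")
            tables[current]["chains"][m.group(1)] = m.group(2)
        elif line.startswith("-A "):
            chain = line.split()[1]
            if chain not in tables[current]["chains"]:
                raise ValueError(f"line {lineno}: rule for undeclared chain {chain}")
            tables[current]["rules"].append(line)
        else:
            raise ValueError(f"line {lineno}: unexpected line {line!r}")
    if current is not None:
        raise ValueError(f"*{current} is missing its final COMMIT")
    return tables

def permissive_filter_chains(tables):
    """Built-in filter chains whose default policy is ACCEPT: the ones to review
    before restoring a backup, since anything they do not match is let through."""
    chains = tables.get("filter", {}).get("chains", {})
    return [name for name, policy in chains.items() if policy == "ACCEPT"]
```

On the page's dump the check reports FORWARD and OUTPUT as permissive while INPUT is default-deny, which is exactly what a reader of section 7 should confirm before running iptables-restore on an edited copy.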


9. Loading the kernel modules iptables needs

iptables requires the following modules to be loaded:
- iptable_nat: module for NAT.
- ip_conntrack_ftp: module needed for FTP support.
- ip_conntrack: module that tracks the state of TCP connections.
- ip_nat_ftp: module needed for FTP servers behind a NAT firewall.

10. Some initial settings for iptables

#!/bin/sh
######## Internal-Firewall.sh script ########
#### Put the command in a variable
IPTABLES=/sbin/iptables
######### Initial values
INTERNAL_LAN="192.168.1.0/24"               # LAN network address
INTERNAL_LAN_INTERFACE="eth1"               # interface connected to the LAN
INTERNAL_LAN_INTERFACE_ADDR="192.168.1.1"   ## address of interface eth1
EXTERNAL_INTERFACE="eth0"                   ## public interface
EXTERNAL_INTERFACE_ADDR="172.28.24.199"     ## address of eth0
$IPTABLES -F FORWARD          ## flush the rules of the FORWARD chain
$IPTABLES -F INPUT            ## flush the rules of the INPUT chain
$IPTABLES -F OUTPUT           ## flush the rules of the OUTPUT chain
$IPTABLES -P FORWARD DROP     ## default policy of the FORWARD chain is DROP
$IPTABLES -P OUTPUT ACCEPT    ## default policy of the OUTPUT chain is ACCEPT
$IPTABLES -P INPUT DROP       ## default policy of the INPUT chain is DROP
#++++++++++++++++++++++++++++++++++++++++++++++++
## Allow all packets arriving on loopback, any protocol
$IPTABLES -A INPUT -i lo -p all -j ACCEPT
## Allow packets into the firewall only for the icmp protocol
$IPTABLES -A INPUT -p icmp -j ACCEPT
## Allow packets arriving on eth1 whose source address is in the LAN
$IPTABLES -A INPUT -i $INTERNAL_LAN_INTERFACE -s $INTERNAL_LAN -j ACCEPT
# Allow packets leaving through eth1 whose destination address is in the LAN
$IPTABLES -A OUTPUT -o $INTERNAL_LAN_INTERFACE \
    -d $INTERNAL_LAN -j ACCEPT
# Perform NAT by rewriting the packet's source address in POSTROUTING (after the
##### routing decision) for traffic leaving eth0 to any address other than the LAN
$IPTABLES -t nat -A POSTROUTING -o $EXTERNAL_INTERFACE \
    ! -d $INTERNAL_LAN -j MASQUERADE
## Allow packets through the firewall whose source or destination address
######## is in the LAN
$IPTABLES -A FORWARD -s $INTERNAL_LAN -j ACCEPT
$IPTABLES -A FORWARD -d $INTERNAL_LAN -j ACCEPT

Figure 1: Network topology for the internal-firewall.sh script: external users -> eth0 (172.28.24.199) | Firewall (iptables) | eth1 (192.168.1.1) -> internal network 192.168.1.0/24

11. Some firewall examples

Example 7: Allow DNS access to the firewall

# iptables -A OUTPUT -p udp -o eth0 --dport 53 --sport 1024:65535 -j ACCEPT
# iptables -A INPUT -p udp -i eth0 --dport 53 --sport 1024:65535 -j ACCEPT

Example 8: Allow www and ssh access to the firewall

# iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A INPUT -p tcp -i eth0 --dport 22 --sport 1024:65535 -m state \
    --state NEW -j ACCEPT
# iptables -A INPUT -p tcp -i eth0 --dport 80 --sport 1024:65535 -m state \
    --state NEW -j ACCEPT

Example 9: Masquerading (many-to-one NAT) is the NAT technique that lets several local machines use a single official IP address (provided by the ISP) to reach the internet.

#!/bin/sh
######### Load the iptable_nat module
modprobe iptable_nat
######## Enable routing
echo 1 > /proc/sys/net/ipv4/ip_forward
##### Allow masquerading NAT
###### - interface eth0 connects to the internet
###### - interface eth1 connects to the internal network
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -d 0/0 -j MASQUERADE
# Allow traffic through the firewall when the connection is new,
### established or related
iptables -t filter -A FORWARD -o eth0 -m state \
    --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A FORWARD -i eth0 -m state \
    --state NEW,ESTABLISHED,RELATED -j ACCEPT

Example 10: Port forwarding with DHCP/DSL. Here we receive a dynamic IP address from the ISP and want to use it both to serve every address on the internal network and to publish internal servers to the internet. All of these requirements can be met with port forwarding.

#!/bin/sh
##### Load the iptable_nat module
modprobe iptable_nat
##### Put eth0 in the variable external_int
external_int=eth0
##### Fetch the IP address DHCP assigned to this machine
external_ip=`ifconfig $external_int | grep 'inet addr' | awk '{print $2}' | \
    sed -e 's/.*://'`
##### Allow the interfaces to forward to each other
echo 1 > /proc/sys/net/ipv4/ip_forward
##### Rewrite the destination address before routing
iptables -t nat -A PREROUTING -p tcp -i eth0 -d $external_ip --dport 80 \
    --sport 1024:65535 -j DNAT --to-destination 192.168.1.2:8080
# Allow packets to be FORWARDed through the firewall in the following cases
iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.1.2 --dport 8080 \
    --sport 1024:65535 -m state --state NEW -j ACCEPT
iptables -t filter -A FORWARD -o eth0 -m state \
    --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A FORWARD -i eth0 -m state \
    --state NEW,ESTABLISHED,RELATED -j ACCEPT

Example 11: NAT with a static IP.

Use one-to-one NAT to let the server 192.168.1.2 on the internal network reach the internet through the address 172.28.24.199. Create many-to-one NAT so that the 192.168.1.0 network can reach all servers on the internet through the address 172.28.24.199.

#!/bin/sh
## Load the module and allow forwarding between the network cards
modprobe iptable_nat
echo 1 > /proc/sys/net/ipv4/ip_forward
# DNAT: rewrite the destination address to the internal server's
#### address (192.168.1.2) when 172.28.24.199 is accessed
iptables -t nat -A PREROUTING -d 172.28.24.199 -i eth0 \
    -j DNAT --to-destination 192.168.1.2
## SNAT: rewrite the source address from 192.168.1.2
######################### to 172.28.24.199
iptables -t nat -A POSTROUTING -s 192.168.1.2 -o eth0 \
    -j SNAT --to-source 172.28.24.199
## Likewise, let machines on the LAN reach outside servers
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 \
    -j SNAT --to-source 172.28.24.199
## Allow outside access to the server (192.168.1.2)
##### on ports 80, 443 and 22
iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.1.2 \
    -m multiport --dport 80,443,22 -m state --state NEW -j ACCEPT
# Forward all NEW and ESTABLISHED SNAT connections started from the home
#### network, and connections already established through the DNAT rules
iptables -t filter -A FORWARD -o eth0 -m state \
    --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Forward connections started from the internet that were already
########## admitted by the NEW rule above
iptables -t filter -A FORWARD -i eth0 -m state \
    --state ESTABLISHED,RELATED -j ACCEPT

Example 12: Creating a proxy

#!/bin/sh
INTIF="eth1"   ## put the string eth1 in INTIF
EXTIF="eth0"   ## put the string eth0 in EXTIF
######## Fetch the IP address assigned by DHCP
EXTIP="`/sbin/ifconfig eth0 | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"
###### Load the required modules
/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
## Allow the network cards to forward to each other
echo "1" > /proc/sys/net/ipv4/ip_forward
###### Allow operation with a dynamic IP address
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
iptables -P INPUT ACCEPT     ## default policy of the INPUT chain is ACCEPT
iptables -F INPUT            ## flush the rules of the INPUT chain
iptables -P OUTPUT ACCEPT    ## default policy of the OUTPUT chain is ACCEPT
iptables -F OUTPUT           ## flush the rules of the OUTPUT chain
iptables -P FORWARD DROP     ## default policy of the FORWARD chain is DROP
iptables -F FORWARD          ## flush the rules of the FORWARD chain
iptables -t nat -F           ## flush all rules of the nat table
## Allow FORWARD from eth0 to eth1 when the connection
##### is ESTABLISHED or RELATED
iptables -A FORWARD -i $EXTIF -o $INTIF -m state \
    --state ESTABLISHED,RELATED -j ACCEPT
######## And the reverse direction
iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
## Rewrite the source address of traffic leaving through eth0
iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

Figure 2: LAN topology with a server: internet users -> 172.28.24.199 | Firewall (iptables) | 192.168.1.1 -> switch -> internal network 192.168.1.0/24, server 192.168.1.2

The result of the proxy configuration above is as follows:
# Generated by iptables-save v1.2.8 on Thu Nov 9 10:02:42 2006
*nat
:PREROUTING ACCEPT [536:76253]
:POSTROUTING ACCEPT [2:119]
:OUTPUT ACCEPT [15:909]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Thu Nov 9 10:02:42 2006
# Generated by iptables-save v1.2.8 on Thu Nov 9 10:02:42 2006
*filter
:INPUT ACCEPT [132:12857]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 23 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Thu Nov 9 10:02:42 2006

12. Troubleshooting iptables

The presentation of iptables above is fairly complete; with this knowledge we can carry out packet-filtering requirements quite well. It only shows how to work with iptables, however, without showing how to troubleshoot it. This section presents troubleshooting for iptables in particular and for software on open-source operating systems in general. Operating and maintaining software on Linux usually goes through the following steps: installation, configuration, operation, and troubleshooting when errors occur. The sections above covered installation, configuration and operation. For troubleshooting software on Linux, the administrator usually reads the log file; for iptables in particular we check the firewall logs. Firewall logs are recorded in the file /var/log/messages. To let iptables write to /var/log/messages, configure it as follows:
iptables -A OUTPUT -j LOG
iptables -A INPUT -j LOG
iptables -A FORWARD -j LOG
iptables -A OUTPUT -j DROP
iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP
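The LOG rules above write one kernel line per packet to /var/log/messages, and a busy firewall produces far more of them than anyone reads by hand. The Python code below is added tooling for this page, not code from the original document: it parses the netfilter LOG line format (syslog header, optional --log-prefix text, then KEY=value fields and bare flag tokens such as DF and SYN) and summarises what was dropped per source and per port. SAMPLE_LOG is constructed; it assumes the LOG rules were given the prefix "FW-DROP " with --log-prefix, which the page's rules do not set, and uses documentation address ranges. The fourth line is a non-firewall entry to show the parser skipping it.

```python
"""Summarise netfilter LOG lines from /var/log/messages. Added tooling for this
page, not code from the original document. SAMPLE_LOG is constructed: the prefix
"FW-DROP " is assumed to have been set with --log-prefix on the LOG rules."""
import re
from collections import Counter

SAMPLE_LOG = """\
Nov  9 15:47:54 firewall kernel: FW-DROP IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=198.51.100.40 DST=172.28.24.199 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4012 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Nov  9 15:47:55 firewall kernel: FW-DROP IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=198.51.100.40 DST=172.28.24.199 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4013 DF PROTO=TCP SPT=51235 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Nov  9 15:47:56 firewall kernel: FW-DROP IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:11:22:33:08:00 SRC=192.0.2.7 DST=172.28.24.199 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=771 PROTO=UDP SPT=53 DPT=33434 LEN=40
Nov  9 15:47:57 firewall sshd[1234]: Accepted publickey for admin from 192.168.1.50 port 50022 ssh2
"""

# syslog header, then the optional --log-prefix text, then the netfilter fields
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+kernel:\s+"
    r"(?P<prefix>.*?)\s*IN=(?P<rest>.*)$"
)

def parse_log_line(line):
    """Return a dict of the line's KEY=value fields plus 'ts', 'prefix' and
    'flags' (bare tokens such as DF, SYN, ACK), or None for non-LOG lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = {"ts": m.group("ts"), "prefix": m.group("prefix").strip(), "flags": []}
    for tok in ("IN=" + m.group("rest")).split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value            # OUT= on an INPUT drop yields ""
        else:
            fields["flags"].append(tok)
    return fields

def summarize_drops(text, prefix="FW-DROP"):
    """For lines carrying the given prefix: count drops per source address and
    per (protocol, destination port), and count bare-SYN TCP drops per source,
    i.e. inbound connection attempts that the firewall refused."""
    by_src, by_dport, syn_only = Counter(), Counter(), Counter()
    for line in text.splitlines():
        f = parse_log_line(line)
        if f is None or f["prefix"] != prefix:
            continue
        by_src[f["SRC"]] += 1
        if "DPT" in f:
            by_dport[(f["PROTO"], int(f["DPT"]))] += 1
        if f.get("PROTO") == "TCP" and "SYN" in f["flags"] and "ACK" not in f["flags"]:
            syn_only[f["SRC"]] += 1
    return {"by_src": by_src, "by_dport": by_dport, "syn_only": syn_only}
```

Run over the real file this gives the first answer a troubleshooter needs: whether a reported failure shows up as drops at all, and from which source and to which port, before any rule is changed.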


13. iptables does not start

iptables is started with the command /etc/init.d/iptables start. At that point iptables calls the script in the file /etc/sysconfig/iptables, so if this file is missing or corrupt, iptables cannot start.

After changing the iptables configuration, run service iptables save to store the configuration, and only then restart iptables. Example 13:
# service iptables start            ## start iptables
# touch /etc/sysconfig/iptables     ## create an empty iptables file
## set the permissions on this file
# chmod 600 /etc/sysconfig/iptables
# service iptables start
Applying iptables firewall rules: [OK]
