INSTALLING AND CONFIGURING IPTABLES
Nguyễn Hồng Thái <nhthai2005@gmail.com>
Dept. of Telecommunication
Ho Chi Minh City University of Technology, South Vietnam
1.
Iptables was written by the Netfilter organization to strengthen security on Linux systems. It provides the following features:
- Tight integration with the Linux kernel.
- Efficient packet inspection.
- Packet filtering on the MAC address and on flags in the TCP header.
- Detailed options for logging events to the system log.
- Network address translation (NAT).
- The ability to block some kinds of DoS attack.
2.
Installing iptables
Iptables is installed by default on Linux systems. The package is iptables-version.rpm or iptables-version.tgz, and it can be installed (as root) with:
# rpm -ivh iptables-version.rpm      (Red Hat)
# apt-get install iptables           (Debian)
The service commands below come from the iptables init script shipped by Red Hat-style distributions:
- Start iptables: service iptables start
- Stop iptables: service iptables stop
- Restart iptables: service iptables restart
- Check the status of iptables: service iptables status
3.
Iptables inspects every packet that passes through the iptables host. Within a chain the rules are evaluated sequentially, from the first entry to the last: the first rule that matches and has a terminating target (ACCEPT, DROP, REJECT, ...) decides the packet's fate, and a packet that matches no rule is handled by the chain's default policy.
There are three tables in iptables:
Mangle table: modifies the quality-of-service (TOS) bits in the IP header. This table is mostly used in SOHO (Small Office/Home Office) setups.
Filter table: responsible for packet filtering. Its three built-in chains (INPUT, OUTPUT and FORWARD) hold the firewall policy rules.
NAT table: responsible for network address translation. Its chains are:
PREROUTING chain: NAT from the outside into the internal network. The translation happens before the routing decision, which makes it possible to rewrite the destination address into one that the firewall's routing table can deliver; the DNAT target is used for this.
16/12/2006
POSTROUTING chain: NAT from the inside out. The translation happens after the routing decision and rewrites the source address of the packet. This is called one-to-one or many-to-one NAT, or Source NAT (SNAT).
4.
Targets and jumps
A target is the action iptables applies to a packet once a rule matches it; -j jumps to the target. Targets built into iptables include:
REJECT: drop the packet and send a notification back to the sender. The common option --reject-with qualifier chooses the type of reject message returned to the sender. The qualifiers are: icmp-port-unreachable (default), icmp-net-unreachable, icmp-host-unreachable, icmp-proto-unreachable, ...
5.
Option                            Description
-t <table>                        Select the table to operate on: filter, nat or mangle.
-j <target>                       Jump to a target or chain when the packet matches the current rule.
-A <chain>                        Append a rule to the end of the iptables chain.
-F [chain]                        Delete (flush) all rules in the selected table.
-p <protocol>                     Match the protocol: icmp, tcp, udp or all.
-s <ip-address>                   Match the source address.
-d <ip-address>                   Match the destination address.
-i <interface-name>               Match the interface the packet arrived on.
Table 1: Basic iptables options

Option                            Description
-m multiport --sport <port,port>  Match several source ports; separate them with commas and use the -m multiport option.
-m multiport --dport <port,port>  Match several destination ports; separate them with commas and use the -m multiport option.
-m multiport --ports <port,port>  Match several ports (source or destination); separate them with commas and use the -m multiport option.
-m state --state <state>          Match the connection state:
                                  ESTABLISHED: the connection is already established
                                  NEW: a new connection is being started
                                  RELATED: a secondary connection tied to an existing one (FTP data transfer or an ICMP error)
Table 2: Some extension match options
Example 5: The firewall accepts TCP packets from any address arriving on interface eth0 for 172.28.24.195 via interface eth1, with a source port in the range 1024-65535 and destination port 8080 or 443 (first command). Return packets from 172.28.24.195 that belong to an established connection are accepted in the other direction, arriving on eth1 and leaving through eth0 (second command).
# iptables -A FORWARD -s 0/0 -i eth0 -d 172.28.24.195 -o eth1 -p tcp \
    --sport 1024:65535 -m multiport --dport 8080,443 -j ACCEPT
# iptables -A FORWARD -d 0/0 -i eth1 -s 172.28.24.195 -o eth0 -p tcp \
    -m state --state ESTABLISHED -j ACCEPT
6.
7.
Saving the iptables script
:FORWARD ACCEPT [552:57100]
:OUTPUT ACCEPT [393:43195]
:POSTROUTING ACCEPT [945:100295]
COMMIT
# Completed on Thu Nov 9 15:47:54 2006
8.
To be able to restore the rules after the script file is lost, first save the running rules with the command: iptables-save > script_du_phong. You can then review the saved file with cat script_du_phong, and reload it at any time with iptables-restore < script_du_phong. The saved file looks like this:
# Generated by iptables-save v1.2.8 on Thu Nov 9 15:47:54 2006
*nat
:PREROUTING ACCEPT [4169:438355]
:POSTROUTING ACCEPT [106:6312]
:OUTPUT ACCEPT [22:1332]
-A PREROUTING -d 172.28.24.199 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.2:8080
-A PREROUTING -d 172.28.24.199 -i eth0 -p tcp -m tcp --dport 8888 -j DNAT --to-destination 192.168.1.3:80
-A PREROUTING -i eth0 -p tcp -m tcp --dport 20:21 -j DNAT --to-destination 192.168.1.2:21
-A PREROUTING -i eth0 -p tcp -m tcp --dport 2020:2121 -j DNAT --to-destination 192.168.1.3:21
-A POSTROUTING -o eth0 -j SNAT --to-source 172.28.24.199
COMMIT
# Completed on Thu Nov 9 15:47:54 2006
# Generated by iptables-save v1.2.8 on Thu Nov 9 15:47:54 2006
*filter
:INPUT DROP [4011:414080]
:FORWARD ACCEPT [552:57100]
:OUTPUT ACCEPT [393:43195]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ! eth0 -m state --state NEW -j ACCEPT
-A FORWARD -d 192.168.1.3 -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
# Completed on Thu Nov 9 15:47:54 2006
# Generated by iptables-save v1.2.8 on Thu Nov 9 15:47:54 2006
*mangle
:PREROUTING ACCEPT [5114:853418]
:INPUT ACCEPT [4416:773589]
:FORWARD ACCEPT [552:57100]
:OUTPUT ACCEPT [393:43195]
:POSTROUTING ACCEPT [945:100295]
COMMIT
# Completed on Thu Nov 9 15:47:54 2006
9.
10.
Some initial values of iptables
[Figure: the firewall (iptables) with eth0 = 172.28.24.199 toward the Internet and eth1 = 192.168.1.1 toward the internal network 192.168.1.0/24]
11.
Some firewall examples
Example 9: Masquerading (many-to-one NAT) lets many internal machines share the single official IP address (assigned by the ISP) to reach the Internet.
######### Let the script run with the shell
#! /bin/sh
######### Load the iptable_nat module
modprobe iptable_nat
######## Enable routing between interfaces
echo 1 > /proc/sys/net/ipv4/ip_forward
##### Use masquerading NAT
###### - Interface eth0 is connected to the Internet
###### - Interface eth1 is connected to the internal network
iptables -A POSTROUTING -t nat -o eth0 -s 192.168.1.0/24 -d 0/0 -j MASQUERADE
# Allow traffic through the firewall: new, established and related
### connections from the inside out ...
iptables -A FORWARD -t filter -o eth0 -m state \
    --state NEW,ESTABLISHED,RELATED -j ACCEPT
### ... and only replies to them (established and related) from the Internet in.
### Accepting NEW here would forward any connection that arrives from the Internet.
iptables -A FORWARD -t filter -i eth0 -m state \
    --state ESTABLISHED,RELATED -j ACCEPT
Example 10: Port forwarding with DHCP/DSL. Here the host receives a dynamic IP address from the ISP, and we want to use that address both for the whole internal network and to publish internal servers to the Internet. Port forwarding solves both needs.
######### Let the script run with the shell
#!/bin/sh
##### Load the iptable_nat module
modprobe iptable_nat
##### Store eth0 in the variable external_int
external_int=eth0
##### Read the IP address that DHCP assigned to this host
external_ip=`ifconfig $external_int | grep 'inet addr' | awk '{print $2}' | \
    sed -e 's/.*://'`
##### Allow forwarding between interfaces
echo 1 > /proc/sys/net/ipv4/ip_forward
##### Rewrite the destination address before routing
iptables -t nat -A PREROUTING -p tcp -i $external_int -d $external_ip --dport 80 \
    --sport 1024:65535 -j DNAT --to-destination 192.168.1.2:8080
# Allow the forwarded packets through the firewall in the cases below
iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.1.2 --dport 8080 \
    --sport 1024:65535 -m state --state NEW -j ACCEPT
iptables -A FORWARD -t filter -o eth0 -m state \
    --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -t filter -i eth0 -m state \
    --state ESTABLISHED,RELATED -j ACCEPT
Example 11: Use one-to-one NAT so that the server 192.168.1.2 on the internal network reaches the Internet through the address 172.28.24.199, and the Internet reaches the server through that same address.
# DNAT: rewrite the destination address to the internal server's address
#### (192.168.1.2) for traffic sent to 172.28.24.199
iptables -t nat -A PREROUTING -d 172.28.24.199 -i eth0 \
    -j DNAT --to-destination 192.168.1.2
## SNAT: rewrite the source address 192.168.1.2
######################### to 172.28.24.199
iptables -t nat -A POSTROUTING -s 192.168.1.2 -o eth0 \
    -j SNAT --to-source 172.28.24.199
## Likewise, let the other LAN machines reach servers on the Internet
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 \
    -j SNAT --to-source 172.28.24.199
## Allow the outside to reach the server (192.168.1.2)
##### only on ports 80, 443 and 22
iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.1.2 \
    -m multiport --dport 80,443,22 -m state --state NEW -j ACCEPT
# Forward all NEW, ESTABLISHED and RELATED SNAT connections
#### started from the home network, plus already established DNAT connections
iptables -A FORWARD -t filter -o eth0 -m state \
    --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Forward traffic from the Internet only for connections that are already
##### established; new ones are admitted solely by the port 80/443/22 rule above
iptables -A FORWARD -t filter -i eth0 -m state \
    --state ESTABLISHED,RELATED -j ACCEPT
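The one-to-one NAT rules of Example 11 and the save format of section 8, brought together as an added example that is not part of the original document: the script below prints the whole firewall as one iptables-restore file (the format iptables-save writes) and checks it before it is loaded, so the rules take effect atomically instead of one command at a time. Interfaces and addresses are those of the document; the SSH-from-LAN rule, the LOG prefix, the rate limit and the file path are assumptions of the example.

```shell
#!/bin/sh
# Added example (not part of the original document): build the one-to-one
# NAT firewall of Example 11 as a single iptables-restore file and sanity-
# check it before loading, instead of running iptables once per rule.
# Interfaces and addresses are the document's; the SSH rule, the log
# prefix, the rate limit and the output path are assumptions.

EXT_IF=eth0
EXT_IP=172.28.24.199
INT_IF=eth1
LAN=192.168.1.0/24
SERVER=192.168.1.2

# Print a complete ruleset in iptables-save format on stdout.
# Policies are DROP for INPUT and FORWARD, so anything not listed is refused.
gen_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i $EXT_IF -d $EXT_IP -j DNAT --to-destination $SERVER
-A POSTROUTING -o $EXT_IF -s $LAN -j SNAT --to-source $EXT_IP
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $INT_IF -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $EXT_IF -o $INT_IF -d $SERVER -p tcp -m multiport --dports 80,443,22 -m state --state NEW -j ACCEPT
-A FORWARD -i $INT_IF -o $EXT_IF -s $LAN -m state --state NEW -j ACCEPT
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "fw-forward-drop: "
COMMIT
EOF
}

# Checks worth running before iptables-restore touches the kernel:
#  - every table opened with *name is closed with COMMIT
#  - no --state list contains a space ("NEW, ESTABLISHED" is a shell
#    argument-splitting mistake that iptables rejects)
# Returns 0 when the file passes, 1 otherwise.
check_ruleset() {
    f=$1
    tables=$(grep -c '^\*' "$f" || true)
    commits=$(grep -c '^COMMIT$' "$f" || true)
    if [ "$tables" -ne "$commits" ]; then
        echo "check_ruleset: $tables table(s) but $commits COMMIT(s)" >&2
        return 1
    fi
    if grep -q -- '--state [A-Z,]*, ' "$f"; then
        echo "check_ruleset: space inside a --state list" >&2
        return 1
    fi
    return 0
}

# Typical use (as root):
#   gen_ruleset > /etc/sysconfig/iptables.new
#   check_ruleset /etc/sysconfig/iptables.new \
#       && iptables-restore < /etc/sysconfig/iptables.new
```

iptables-restore replaces each table in one operation, so there is no window in which only half of the rules are active, which is exactly what happens while a script of individual iptables commands is running; recent iptables versions can also parse the file without committing it (iptables-restore --test).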
Example 12: Creating a proxy (a masquerading gateway)
########### Let the script run with sh
#!/bin/sh
INTIF="eth1" ## Internal interface
EXTIF="eth0" ## External interface
######## Read the IP address that DHCP assigned to the external interface
EXTIP="`/sbin/ifconfig $EXTIF | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"
###### Load the required modules
/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
## Allow forwarding between the network interfaces
echo "1" > /proc/sys/net/ipv4/ip_forward
###### Cope with a dynamic external IP address
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
iptables -P INPUT ACCEPT    ## Default policy of the INPUT chain is ACCEPT
iptables -F INPUT           ## Flush the rules in the INPUT chain
iptables -P OUTPUT ACCEPT   ## Default policy of the OUTPUT chain is ACCEPT
iptables -F OUTPUT          ## Flush the rules in the OUTPUT chain
iptables -P FORWARD DROP    ## Default policy of the FORWARD chain is DROP
iptables -F FORWARD         ## Flush the rules in the FORWARD chain
iptables -t nat -F          ## Flush all rules in the nat table
## Forward packets arriving on eth0 and leaving on eth1 only for
##### ESTABLISHED and RELATED connections
iptables -A FORWARD -i $EXTIF -o $INTIF -m state \
    --state ESTABLISHED,RELATED -j ACCEPT
######## And the reverse direction
iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
## Rewrite the source address of packets leaving through eth0
iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
Note that this script leaves the INPUT chain at ACCEPT, so every service listening on the firewall itself stays reachable from eth0; only forwarded traffic is filtered.
[Figure: the firewall (iptables) with external address 172.28.24.199 and internal address 192.168.1.1, a switch, the internal network 192.168.1.0/24 and the server 192.168.1.2]
# Generated by iptables-save v1.2.8 on Thu Nov 9 10:02:42 2006
*filter
:INPUT ACCEPT [132:12857]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 23 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Thu Nov 9 10:02:42 2006
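One thing to check in the dump above: the chain RH-Firewall-1-INPUT is defined and filled with rules, but no rule in INPUT jumps to it, and the INPUT policy is ACCEPT, so as saved the host accepts every incoming packet and the REJECT at the end of RH-Firewall-1-INPUT never fires (the Red Hat init script normally adds -A INPUT -j RH-Firewall-1-INPUT). The following added example, not part of the original document, automates that check over an iptables-save dump; SAMPLE_DUMP is a constructed, shortened copy of the filter table above.

```shell
#!/bin/sh
# Added example (not part of the original document): audit an iptables-save
# dump for two things the eye skips over easily: user-defined chains that no
# rule jumps to, and filter chains whose policy is ACCEPT. SAMPLE_DUMP is a
# constructed, shortened copy of the filter table shown in the document.

SAMPLE_DUMP='*filter
:INPUT ACCEPT [132:12857]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Read a dump on stdin; print each user-defined chain (policy "-") that no
# -j or -g in the same table targets, one per line. Such a chain is dead:
# its rules are never evaluated.
unreferenced_chains() {
    awk '
        /^\*/              { table = $1 }
        /^:/ && $2 == "-"  { defined[table SUBSEP substr($1, 2)] = 1 }
        /^-/ {
            for (i = 1; i < NF; i++)
                if ($i == "-j" || $i == "-g") used[table SUBSEP $(i + 1)] = 1
        }
        END {
            for (k in defined)
                if (!(k in used)) { split(k, p, SUBSEP); print p[2] }
        }'
}

# Read a dump on stdin; print the built-in chains of the filter table whose
# policy is ACCEPT, i.e. chains where a packet matching no rule is let through.
accept_policy_chains() {
    awk '
        /^\*/                                          { table = $1 }
        /^:/ && table == "*filter" && $2 == "ACCEPT"   { print substr($1, 2) }'
}

# Typical use on a live host:  iptables-save | unreferenced_chains
```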
12.
Operating and maintaining software on Linux usually follows these steps: install, configure, operate, and troubleshoot when something goes wrong. The sections above covered installation, configuration and operation. For troubleshooting, the administrator usually reads the log files; with iptables that means checking the firewall logs.
Firewall log entries are written by the kernel through syslog to /var/log/messages. To make iptables log to /var/log/messages, add LOG rules before the rules that drop the traffic (LOG is a non-terminating target, so after being logged the packet continues to the next rule):
iptables -A OUTPUT -j LOG
iptables -A INPUT -j LOG
iptables -A FORWARD -j LOG
iptables -A OUTPUT -j DROP
iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP
Appended at the end of each chain, these six rules log and then drop every packet that no earlier rule accepted. Logging every such packet can flood the log, so in practice the LOG rules are rate-limited with -m limit and tagged with --log-prefix so that their entries are easy to find.
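As an added example that is not part of the original document, the script below pulls the firewall entries out of /var/log/messages and lists the sources that probed several ports. The log lines are constructed to look like what the kernel writes for a rule such as iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: " (the prefix and the rate limit are assumptions of the example).

```shell
#!/bin/sh
# Added example (not part of the original document): summarise packets
# logged by the LOG target. SAMPLE_LOG is constructed to look like the
# kernel's entries in /var/log/messages for a rule with
# --log-prefix "fw-drop: " (the prefix is an assumption of this example);
# the last line is an unrelated sshd entry that must be ignored.

SAMPLE_LOG='Nov  9 15:47:54 fw kernel: fw-drop: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.5 DST=172.28.24.199 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1234 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Nov  9 15:47:55 fw kernel: fw-drop: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.5 DST=172.28.24.199 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1235 DF PROTO=TCP SPT=40001 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Nov  9 15:47:56 fw kernel: fw-drop: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.5 DST=172.28.24.199 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1236 DF PROTO=TCP SPT=40002 DPT=3389 WINDOW=5840 RES=0x00 SYN URGP=0
Nov  9 15:48:01 fw kernel: fw-drop: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.7 DST=172.28.24.199 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=53 DPT=33434 LEN=20
Nov  9 15:48:02 fw sshd[2045]: Accepted password for admin from 192.168.1.20 port 50222 ssh2'

# Read syslog lines on stdin, keep the kernel LOG entries carrying the given
# prefix and print "SRC DST PROTO DPT" for each logged packet.
fw_fields() {
    awk -v prefix="$1" '
        index($0, "kernel: " prefix) {
            src = dst = proto = dpt = "-"
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "SRC") src = kv[2]
                else if (kv[1] == "DST") dst = kv[2]
                else if (kv[1] == "PROTO") proto = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
            }
            print src, dst, proto, dpt
        }'
}

# Sources that hit at least $1 distinct destination ports: a cheap
# port-scan indicator. $2 is the log prefix. Prints "SRC port-count".
scanners() {
    min=$1
    fw_fields "$2" | awk -v min="$min" '
        { seen[$1 SUBSEP $4] = 1 }
        END {
            for (k in seen) { split(k, p, SUBSEP); ports[p[1]]++ }
            for (s in ports) if (ports[s] >= min) print s, ports[s]
        }'
}

# Typical use:  scanners 5 'fw-drop:' < /var/log/messages
```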
13.
After changing the iptables configuration, run service iptables save to store the rules (in /etc/sysconfig/iptables), then restart iptables.
Example 13:
# service iptables start                ## Start iptables
# touch /etc/sysconfig/iptables         ## Create an empty iptables file
# chmod 600 /etc/sysconfig/iptables     ## Restrict the permissions on this file
# service iptables start
Applying iptables firewall rules: [OK]