INSTALLING AND CONFIGURING IPTABLES
Nguyễn Hồng Thái <nhthai2005@gmail.com>
Dept. of Telecommunication
Ho Chi Minh City University of Technology, South Vietnam
16/12/2006

1. Introduction to iptables

Iptables was written by the Netfilter Organization to add security features to Linux systems.
Iptables provides the following features:
- Tight integration with the Linux kernel.
- Efficient packet analysis.
- Packet filtering based on MAC addresses and on flags in the TCP header.
- Detailed options for logging system events.
- NAT support.
- The ability to block some DoS-style attack mechanisms.

2. Installing iptables

Iptables is installed by default on Linux systems. The iptables package is iptables-version.rpm or iptables-version.tgz, and it can be installed with:
$ rpm -ivh iptables-version.rpm      (on Red Hat)
$ apt-get install iptables           (on Debian)
- Start iptables: service iptables start
- Stop iptables: service iptables stop
- Restart iptables: service iptables restart
- Check the status of iptables: service iptables status

3. How iptables processes packets

Iptables inspects every packet that passes through the iptables host; the inspection walks the rules sequentially, from the first entry to the last.
There are three kinds of tables in iptables:
Mangle table: responsible for altering the quality-of-service bits in the TCP header. This table is typically used in SOHO (Small Office/Home Office) setups.
Filter queue: responsible for packet filtering; it has three built-in chains that implement the firewall policy rules.

Forward chain: handles packets routed through the firewall.

Input chain: handles packets arriving at the firewall itself.

Output chain: handles packets leaving from the firewall itself.

NAT queue: performs NAT (Network Address Translation) and provides the following built-in chains:

Pre-routing chain: NAT from outside to the internal network. NAT is performed before the routing decision, which makes it convenient to rewrite the destination address so that it matches the firewall's routing table; this technique is configured with the DNAT target.

Post-routing chain: NAT from inside to outside. NAT is performed after the routing decision, and this step rewrites the packet's source address. The technique is called one-to-one or many-to-one NAT, also known as Source NAT or SNAT.

Output chain: NAT for packets generated by the firewall itself.

4. Targets and jumps

A jump is the mechanism that hands a packet to a target for further processing.
A target is the action iptables takes on a packet once a rule has identified it. The targets built into iptables include:

ACCEPT: iptables accepts the packet and forwards the data to its destination.

REJECT: blocks the packet and sends a notification back to the sender. The commonly used option is --reject-with qualifier, where qualifier selects the type of reject message returned to the sender. Qualifiers include icmp-port-unreachable (the default), icmp-net-unreachable, icmp-host-unreachable, icmp-proto-unreachable, and others.

DNAT: rewrites the packet's destination address. Option: --to-destination ipaddress.

MASQUERADE: performs NAT by rewriting the source address to the address of the firewall's outgoing interface. Option: [--to-ports <port>[-<port>]], which specifies the range of source ports that the original ports are mapped onto.

DROP: iptables blocks the packet (silently, with no notification to the sender).

LOG: the packet's details are sent to the syslog daemon and iptables continues with the next rule in the table; LOG does not end processing. If no later rule matches, the packet is dropped by the chain's DROP policy. A commonly used option is --log-prefix=string, which makes the logged messages begin with string.

SNAT: rewrites the packet's source address. Option: --to-source <address>[-<address>][:<port>-<port>]

5. Running iptables commands

Switch                  Description
-t <table>              Selects the table to operate on: filter, nat or mangle.
-j <target>             Jump to a target or chain when the packet matches the current rule.
-A                      Append a rule to the end of the iptables chain.
-F                      Flush all rules in the selected table.
-p <protocol-type>      Protocol to match: icmp, tcp, udp or all.
-s <ip-address>         Source address.
-d <ip-address>         Destination address.
-i <interface-name>     Input interface on which the packet is received.
-o <interface-name>     Output interface through which the packet is sent out.
Table 1: Description of the iptables command switches
Example 1: the firewall accepts any TCP packet arriving on interface eth0 for the address 172.28.24.199
# iptables -A INPUT -s 0/0 -i eth0 -d 172.28.24.199 -p tcp -j ACCEPT
Example 2: the firewall accepts routed TCP packets that arrive on interface eth0 and leave on interface eth1 for the destination 172.28.2.2, with source ports 1024-65535 and destination port 8080
# iptables -A FORWARD -s 0/0 -i eth0 -o eth1 -d 172.28.2.2 -p tcp \
--sport 1024:65535 --dport 8080 -j ACCEPT

Example 3: the firewall allows sending ICMP echo-request and receiving ICMP echo-reply

# iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
# iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

Example 4: limit the number of matching requests per unit of time (/second, /minute, /hour, /day)
# iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s \
-i eth0 -j ACCEPT

The advantage of this is that the rate of connections is limited, which helps defend against DoS (Denial of Service) attacks.
Switch                              Description
-m multiport --sports <port,port>   Matches several source ports, separated by commas; requires the -m option
-m multiport --dports <port,port>   Matches several destination ports, separated by commas; requires the -m option
-m multiport --ports <port,port>    Matches several ports (source or destination), separated by commas; requires the -m option
-m state --state <state>            Checks the connection state:
                                    ESTABLISHED: the connection is already established
                                    NEW: a connection is being initiated
                                    RELATED: a secondary connection (FTP data transfer or ICMP error)
Table 2: Description of some extension options
Example 5: the firewall accepts TCP packets from any address arriving on interface eth0 for the address 172.28.24.195 via interface eth1, with source ports 1024-65535 and destination ports 8080 and 443 (first command). Return packets from 172.28.2.2 are also accepted (second command).
# iptables -A FORWARD -s 0/0 -i eth0 -d 172.28.24.195 -o eth1 -p tcp \
--sport 1024:65535 -m multiport --dports 8080,443 -j ACCEPT
# iptables -A FORWARD -d 0/0 -i eth0 -s 172.28.2.2 -o eth1 -p tcp \
-m state --state ESTABLISHED -j ACCEPT

6. Using user-defined chains

Instead of using only the chains built into iptables, you can create user-defined chains: a chain with a name of your choosing that groups the rules for a given protocol type. User-defined chains can replace one long chain by having the main chain jump to several sub-chains.
Example 6 (the four chains are created with -N first, since a rule cannot jump to a chain that does not exist yet):
# iptables -N fast-input-queue
# iptables -N fast-output-queue
# iptables -N icmp-queue-in
# iptables -N icmp-queue-out
# iptables -A INPUT -i eth0 -d 172.28.24.198 -j fast-input-queue
# iptables -A OUTPUT -o eth0 -s 172.28.2.2 -j fast-output-queue
# iptables -A fast-input-queue -p icmp -j icmp-queue-in
# iptables -A fast-output-queue -p icmp -j icmp-queue-out
# iptables -A icmp-queue-out -p icmp --icmp-type echo-request \
-m state --state NEW -j ACCEPT
# iptables -A icmp-queue-in -p icmp --icmp-type echo-reply \
-m state --state NEW -j ACCEPT
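The traversal rules described in sections 3 and 4 (rules are tried in order, ACCEPT/DROP/REJECT end the walk, LOG continues, a sub-chain that reaches its end returns to the caller, and the chain policy decides when nothing matched) can be checked against Example 6 with the small simulator below. It is an added example, not code from the original document: the rule subset, the packet dictionaries and the matching logic are this example's own simplifications of iptables.

```python
# Added example, not from the original document: a small model of how iptables
# walks a chain (sections 3, 4 and 6). Rules are tried first to last; ACCEPT, DROP
# and REJECT end the walk; LOG records the packet and continues; a jump into a
# user-defined chain returns to the caller when the sub-chain gives no verdict; a
# built-in chain with no verdict falls back to its policy. The rule subset,
# packet representation and matcher are this example's own simplifications.
import shlex

FIELD = {"-p": "proto", "-i": "in", "-o": "out", "-s": "src", "-d": "dst",
         "--sport": "sport", "--dport": "dport", "--icmp-type": "icmp_type",
         "--state": "state"}

def parse_rule(text):
    """'iptables -A CHAIN <matches> -j TARGET' -> (chain, match, target)."""
    tok = shlex.split(text)[1:]                     # drop the 'iptables' word
    if len(tok) < 2 or tok[0] != "-A":
        raise ValueError("only -A rules are modelled: " + text)
    chain, match, target = tok[1], {}, None
    for opt, arg in zip(tok[2::2], tok[3::2]):      # every option takes one argument
        if opt in FIELD:
            match[FIELD[opt]] = arg
        elif opt == "-j":
            target = arg                            # '-m state' etc. only load an extension
    return chain, match, target

def value_ok(want, have):
    """One field: 0/0 is any address; comma lists (multiport, --state); lo:hi ranges."""
    if want == "0/0":
        return True
    for part in want.split(","):
        lo, _, hi = part.partition(":")
        if part == have or (hi and have and have.isdigit() and int(lo) <= int(have) <= int(hi)):
            return True
    return False

def walk(chains, policies, chain, pkt, log):
    for match, target in chains.get(chain, []):
        if not all(value_ok(w, pkt.get(f)) for f, w in match.items()):
            continue
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        if target == "LOG":
            log.append(chain + ": " + str(sorted(pkt.items())))
            continue                                # LOG never ends the walk
        if target == "RETURN":
            break
        sub = walk(chains, policies, target, pkt, log)   # user-defined chain
        if sub is not None:
            return sub
    return policies.get(chain)                      # None for a user-defined chain

# Rules from Example 6 of the document, plus a trailing LOG rule as in section 12.
RULES = [
    "iptables -A INPUT -i eth0 -d 172.28.24.198 -j fast-input-queue",
    "iptables -A fast-input-queue -p icmp -j icmp-queue-in",
    "iptables -A icmp-queue-in -p icmp --icmp-type echo-reply -m state --state NEW -j ACCEPT",
    "iptables -A INPUT -j LOG",
]
POLICIES = {"INPUT": "DROP", "OUTPUT": "ACCEPT", "FORWARD": "DROP"}

def verdict(pkt, rules=RULES, policies=POLICIES, chain="INPUT"):
    """Return (verdict, log lines) for a packet entering the given chain."""
    chains, log = {}, []
    for line in rules:
        c, match, target = parse_rule(line)
        chains.setdefault(c, []).append((match, target))
    return walk(chains, policies, chain, pkt, log), log
```

With these rules an echo-reply is accepted inside icmp-queue-in, while an echo-request falls out of both sub-chains, is recorded by the LOG rule and then receives the INPUT policy, DROP.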

7. Saving the iptables script

The command service iptables save stores the iptables configuration in the file /etc/sysconfig/iptables. On reboot, the iptables-restore program reads this script file and reactivates the saved configuration. The file format is as follows:
# Generated by iptables-save v1.2.8 on Thu Nov 9 15:47:54 2006
*nat
:PREROUTING ACCEPT [4169:438355]
:POSTROUTING ACCEPT [106:6312]
:OUTPUT ACCEPT [22:1332]
-A PREROUTING -d 172.28.24.199 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.2:8080
-A PREROUTING -d 172.28.24.199 -i eth0 -p tcp -m tcp --dport 8888 -j DNAT --to-destination 192.168.1.3:80
-A PREROUTING -i eth0 -p tcp -m tcp --dport 20:21 -j DNAT --to-destination 192.168.1.2:21
-A PREROUTING -i eth0 -p tcp -m tcp --dport 2020:2121 -j DNAT --to-destination 192.168.1.3:21
-A POSTROUTING -o eth0 -j SNAT --to-source 172.28.24.199
COMMIT
# Completed on Thu Nov 9 15:47:54 2006
# Generated by iptables-save v1.2.8 on Thu Nov 9 15:47:54 2006
*filter
:INPUT DROP [4011:414080]
:FORWARD ACCEPT [552:57100]
:OUTPUT ACCEPT [393:43195]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ! eth0 -m state --state NEW -j ACCEPT
-A FORWARD -d 192.168.1.3 -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
# Completed on Thu Nov 9 15:47:54 2006
# Generated by iptables-save v1.2.8 on Thu Nov 9 15:47:54 2006
*mangle
:PREROUTING ACCEPT [5114:853418]
:INPUT ACCEPT [4416:773589]
:FORWARD ACCEPT [552:57100]
:OUTPUT ACCEPT [393:43195]
:POSTROUTING ACCEPT [945:100295]
COMMIT
# Completed on Thu Nov 9 15:47:54 2006

8. Restoring the rules when the script file is lost

The rule set can be recovered even if the script file is lost. First, save the active rules with the command iptables-save > script_du_phong. You can then review the file you just saved with cat script_du_phong; its contents are the same listing shown in section 7.

Next, edit script_du_phong as needed and load it back into iptables with iptables-restore:

# iptables-restore < script_du_phong

Finally, save the rules back to the configuration file:

# service iptables save
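As an added example (not part of the original document), the following parser reads the iptables-save format shown above (the *table, :CHAIN POLICY [pkts:bytes], -A and COMMIT lines) and reports which filter chains accept by default and how many packets each DROP policy has discarded, which is a quick check before a saved file is restored. The sample input is an excerpt of the listing from section 7; the audit checks themselves are this example's own.

```python
# Added example, not from the original document: a parser for the iptables-save
# format (sections 7 and 8) plus a small audit of the parsed result. The sample
# text is an excerpt of the document's own listing; the audit rules are ours.
import re

CHAIN_RE = re.compile(r"^:(\S+) (\S+) \[(\d+):(\d+)\]$")   # :NAME POLICY [pkts:bytes]

def parse_iptables_save(text):
    """{table: {"chains": {name: (policy, pkts, bytes)}, "rules": [(chain, line)]}}"""
    tables, table = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] == "#":
            continue                                   # comments and blank lines
        if line[0] == "*":                             # start of a table block
            table = tables.setdefault(line[1:], {"chains": {}, "rules": []})
        elif line == "COMMIT":                         # end of the table block
            table = None
        elif table is None:
            raise ValueError("line outside a table block: " + line)
        elif line[0] == ":":                           # chain, policy, policy counters
            m = CHAIN_RE.match(line)
            if not m:
                raise ValueError("bad chain line: " + line)
            name, policy, pkts, byts = m.groups()      # policy is '-' for user chains
            table["chains"][name] = (policy, int(pkts), int(byts))
        elif line.startswith("-A "):
            table["rules"].append((line.split()[1], line))
        else:
            raise ValueError("unexpected line: " + line)
    return tables

def audit(tables):
    """Report filter chains that accept by default, and how many packets each
    DROP policy has discarded (the counters on the :CHAIN line are policy hits)."""
    findings = []
    for tname, t in tables.items():
        for chain, (policy, pkts, _) in t["chains"].items():
            if tname == "filter" and policy == "ACCEPT":
                findings.append(f"filter {chain}: default policy ACCEPT")
            elif policy == "DROP":
                findings.append(f"{tname} {chain}: {pkts} packets hit the DROP policy")
    return findings

# Excerpt of the saved rule set listed in section 7 of the document.
SAMPLE = """\
# Generated by iptables-save v1.2.8 on Thu Nov 9 15:47:54 2006
*nat
:PREROUTING ACCEPT [4169:438355]
:POSTROUTING ACCEPT [106:6312]
:OUTPUT ACCEPT [22:1332]
-A POSTROUTING -o eth0 -j SNAT --to-source 172.28.24.199
COMMIT
*filter
:INPUT DROP [4011:414080]
:FORWARD ACCEPT [552:57100]
:OUTPUT ACCEPT [393:43195]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ! eth0 -m state --state NEW -j ACCEPT
-A FORWARD -d 192.168.1.3 -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    print("\n".join(audit(parse_iptables_save(SAMPLE))))
```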


9. Loading the kernel modules needed by iptables

The iptables application requires the following modules to be loaded:
- iptable_nat: the module for NAT.
- ip_conntrack: tracks the state of TCP connections.
- ip_conntrack_ftp: needed for FTP support.
- ip_nat_ftp: needed for FTP servers located behind a NAT firewall.

10. Some initial values for iptables

######## Internal-Firewall.sh script
#!/bin/sh
######## The #! line above (it must be the first line of the file) lets the script run under the shell
#### Assign the command to a variable
IPTABLES=/sbin/iptables
######### Initial values
INTERNAL_LAN="192.168.1.0/24"              # LAN network address
INTERNAL_LAN_INTERFACE="eth1"              # interface connected to the LAN
INTERNAL_LAN_INTERFACE_ADDR="192.168.1.1"  ## address of interface eth1
EXTERNAL_INTERFACE="eth0"                  ## public interface
EXTERNAL_INTERFACE_ADDR="172.28.24.199"    ## address of eth0
## Flush the rules of the FORWARD, INPUT and OUTPUT chains
$IPTABLES -F FORWARD
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP   ## default policy of the FORWARD chain is DROP
$IPTABLES -P OUTPUT ACCEPT  ## default policy of the OUTPUT chain is ACCEPT
$IPTABLES -P INPUT DROP     ## default policy of the INPUT chain is DROP
#++++++++++++++++++++++++++++++++++++++++++++++++
## Accept all packets arriving on the loopback interface, for every protocol
$IPTABLES -A INPUT -i lo -p all -j ACCEPT
## Accept packets addressed to the firewall only for the ICMP protocol
$IPTABLES -A INPUT -p icmp -j ACCEPT
## Accept packets arriving on eth1 whose source address belongs to the LAN
$IPTABLES -A INPUT -i $INTERNAL_LAN_INTERFACE -s $INTERNAL_LAN -j ACCEPT
# Accept packets leaving via eth1 whose destination address belongs to the LAN
$IPTABLES -A OUTPUT -o $INTERNAL_LAN_INTERFACE \
-d $INTERNAL_LAN -j ACCEPT
# Masquerade: rewrite the source address of packets leaving via eth0 (POSTROUTING,
##### i.e. after the routing decision) to any destination other than the LAN
$IPTABLES -t nat -A POSTROUTING -o $EXTERNAL_INTERFACE \
! -d $INTERNAL_LAN -j MASQUERADE
## Forward packets through the firewall whose source or destination
######## address belongs to the LAN
$IPTABLES -A FORWARD -s $INTERNAL_LAN -j ACCEPT
$IPTABLES -A FORWARD -d $INTERNAL_LAN -j ACCEPT


Figure 1: Network model for the internal-firewall.sh script: external users <-> eth0 (172.28.24.199) on the firewall (iptables) <-> eth1 (192.168.1.1) <-> internal network 192.168.1.0/24

11. Some firewall examples

Example 7: allow DNS access to the firewall

# iptables -A OUTPUT -p udp -o eth0 --dport 53 --sport 1024:65535 -j ACCEPT
# iptables -A INPUT -p udp -i eth0 --dport 53 --sport 1024:65535 -j ACCEPT

Example 8: allow www and ssh access to the firewall

# iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A INPUT -p tcp -i eth0 --dport 22 --sport 1024:65535 -m state \
--state NEW -j ACCEPT
# iptables -A INPUT -p tcp -i eth0 --dport 80 --sport 1024:65535 -m state \
--state NEW -j ACCEPT

Example 9: Masquerading (many-to-one NAT) is a NAT technique that lets many local hosts share one official IP address (assigned by the ISP) to reach the internet.
#! /bin/sh
######### The #! line above lets the script start with the shell
######### Load the iptable_nat module
modprobe iptable_nat
######## Enable routing (IP forwarding)
echo 1 > /proc/sys/net/ipv4/ip_forward
##### Masquerade the internal network
###### - interface eth0 is connected to the internet
###### - interface eth1 is connected to the internal network
iptables -A POSTROUTING -t nat -o eth0 -s 192.168.1.0/24 -d 0/0 -j MASQUERADE
# Allow traffic through the firewall when the connection is
### new, established or related
iptables -A FORWARD -t filter -o eth0 -m state \
--state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -t filter -i eth0 -m state \
--state NEW,ESTABLISHED,RELATED -j ACCEPT

Example 10: Port forwarding with DHCP/DSL. In this case we receive a single dynamic IP address from the ISP and want to use it both for every address in the internal network and to publish internal servers to the internet. Both requirements can be met with port forwarding.
#!/bin/sh
######### The #! line above lets the script run with the shell
##### Load the iptable_nat module
modprobe iptable_nat
##### Store eth0 in the variable external_int (no spaces around '=' in a shell assignment)
external_int=eth0
##### Obtain the IP address that DHCP assigned to this host
external_ip=`ifconfig $external_int | grep 'inet addr' | awk '{print $2}' | \
sed -e 's/.*://'`
##### Allow the interfaces to forward to each other
echo 1 > /proc/sys/net/ipv4/ip_forward
##### Rewrite the destination address before routing
iptables -t nat -A PREROUTING -p tcp -i eth0 -d $external_ip --dport 80 \
--sport 1024:65535 -j DNAT --to-destination 192.168.1.2:8080
# Allow packets to be forwarded through the firewall in the following cases
iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.1.2 --dport 8080 \
--sport 1024:65535 -m state --state NEW -j ACCEPT
iptables -A FORWARD -t filter -o eth0 -m state \
--state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -t filter -i eth0 -m state \
--state NEW,ESTABLISHED,RELATED -j ACCEPT

Example 11: NAT with a static IP address.

Use one-to-one NAT so that the server with address 192.168.1.2 on the internal network can reach the internet through the address 172.28.24.199.

Create many-to-one NAT so that the 192.168.1.0 network can reach all servers on the internet through the address 172.28.24.199.

#! /bin/sh
##### The #! line above lets the script run with the shell
## Load the module and allow forwarding between the network cards
modprobe iptable_nat
echo 1 > /proc/sys/net/ipv4/ip_forward
# DNAT: rewrite the destination address to that of the server on the
#### internal network (192.168.1.2) for traffic addressed to 172.28.24.199
iptables -t nat -A PREROUTING -d 172.28.24.199 -i eth0 \
-j DNAT --to-destination 192.168.1.2
## SNAT: rewrite the source address 192.168.1.2
######################### to 172.28.24.199
iptables -t nat -A POSTROUTING -s 192.168.1.2 -o eth0 \
-j SNAT --to-source 172.28.24.199
## Likewise, let hosts on the LAN reach external servers
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 \
-j SNAT --to-source 172.28.24.199
## Allow the outside to reach the server (192.168.1.2)
##### on ports 80, 443 and 22
iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.1.2 \
-m multiport --dports 80,443,22 -m state --state NEW -j ACCEPT
# Forward all NEW, ESTABLISHED and RELATED SNAT connections that originate
#### from the home network, together with the DNAT connections already set up
iptables -A FORWARD -t filter -o eth0 -m state \
--state NEW,ESTABLISHED,RELATED -j ACCEPT
# Forward connections coming in from the internet only once they are
########## established or related (new ones are admitted by the multiport rule above)
iptables -A FORWARD -t filter -i eth0 -m state \
--state ESTABLISHED,RELATED -j ACCEPT

Example 12: Create a proxy
#!/bin/sh
########### The #! line above lets the script run with sh
INTIF="eth1" ## store the string eth1 in INTIF (internal interface)
EXTIF="eth0" ## store the string eth0 in EXTIF (external interface)
######## Obtain the IP address assigned by DHCP
EXTIP="`/sbin/ifconfig eth0 | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"
###### Load the required modules
/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
## Allow the network cards to forward to each other
echo "1" > /proc/sys/net/ipv4/ip_forward
###### Enable support for a dynamic IP address
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
iptables -P INPUT ACCEPT    ## default policy of the INPUT chain is ACCEPT
iptables -F INPUT           ## flush the rules in the INPUT chain
iptables -P OUTPUT ACCEPT   ## default policy of the OUTPUT chain is ACCEPT
iptables -F OUTPUT          ## flush the rules in the OUTPUT chain
iptables -P FORWARD DROP    ## default policy of the FORWARD chain is DROP
iptables -F FORWARD         ## flush the rules in the FORWARD chain
iptables -t nat -F          ## flush all rules in the nat table
## Forward traffic entering on eth0 and leaving on eth1 only when
##### the connection is ESTABLISHED or RELATED
iptables -A FORWARD -i $EXTIF -o $INTIF -m state \
--state ESTABLISHED,RELATED -j ACCEPT
######## And the reverse direction
iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
## Rewrite the source address of packets leaving through eth0
iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

Figure 2: LAN network model with a server: internet users <-> firewall (iptables), 172.28.24.199 on the outside and 192.168.1.1 on the inside <-> switch <-> internal network 192.168.1.0/24 with the server 192.168.1.2


The result of the proxy configuration above, as written out by iptables-save, is as follows:
# Generated by iptables-save v1.2.8 on Thu Nov 9 10:02:42 2006
*nat
:PREROUTING ACCEPT [536:76253]
:POSTROUTING ACCEPT [2:119]
:OUTPUT ACCEPT [15:909]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Thu Nov 9 10:02:42 2006
# Generated by iptables-save v1.2.8 on Thu Nov 9 10:02:42 2006
*filter
:INPUT ACCEPT [132:12857]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 23 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Thu Nov 9 10:02:42 2006

12. Troubleshooting iptables

The presentation of iptables above is fairly complete. With that knowledge we can implement packet-filtering requirements quite well. But the sections above only show how to work with iptables; they do not explain how to fix problems with it. In this section we describe troubleshooting for iptables in particular, and for software on open-source operating systems in general.

Operating and maintaining software on Linux usually goes through the following steps: installation, configuration, operation, and troubleshooting when errors occur. The sections above covered installation, configuration and operation. For troubleshooting software on Linux, the administrator usually reads the log files; for iptables specifically, we need to check the firewall logs.

Firewall logs are recorded in the file /var/log/messages. To have iptables write to /var/log/messages, configure the following rules (appended last in each chain, so that only packets no earlier rule accepted are logged and then dropped):
iptables -A OUTPUT -j LOG
iptables -A INPUT -j LOG
iptables -A FORWARD -j LOG
iptables -A OUTPUT -j DROP
iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP
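An added example, not from the original document: once the LOG rules above are in place, the netfilter entries in /var/log/messages can be summarised with the script below to see which protocols, ports and sources are being dropped. The IN=/OUT=/SRC=/DST=/PROTO=/SPT=/DPT= field layout is the kernel's real LOG format; the sample lines, the host name fw and the "INPUT drop: " prefix (set with --log-prefix from section 4, which the rules above omit, so their entries carry no prefix) are constructed for this example.

```python
# Added example, not from the original document: a reader for the lines that
# netfilter LOG rules write to /var/log/messages (section 12). The KEY=VALUE field
# layout is the real kernel format; the sample lines, host name, prefix and the
# summary choices are constructed for this example.
import re
from collections import Counter

KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")
# Text between "kernel: " (plus an optional dmesg timestamp) and the first "IN="
# is whatever --log-prefix the rule set; it is empty for the rules in section 12.
HEAD_RE = re.compile(r"kernel: (?:\[[\d. ]+\] )?(?P<prefix>.*?)IN=")

def parse_log_line(line):
    """Return a dict of the log fields, or None if this is not a netfilter LOG line."""
    head = HEAD_RE.search(line)
    if not head:
        return None
    fields = {k: v for k, v in KV_RE.findall(line[head.start("prefix"):])}
    fields["PREFIX"] = head.group("prefix").strip()
    # Words after the protocol name that carry no '=' are TCP flags (SYN, ACK, ...).
    after = line.split("PROTO=", 1)[1].split()[1:] if "PROTO=" in line else []
    fields["FLAGS"] = [w for w in after if "=" not in w]
    return fields

def summarize(lines):
    """Count logged packets per (prefix, protocol, destination port) and per source."""
    by_target, by_source = Counter(), Counter()
    for line in lines:
        f = parse_log_line(line)
        if f is None:
            continue                                  # sshd, link state, etc.
        by_target[(f["PREFIX"], f.get("PROTO", "?"), f.get("DPT", "-"))] += 1
        by_source[f.get("SRC", "?")] += 1
    return by_target, by_source

# Constructed sample of /var/log/messages: three INPUT-chain drops with a prefix,
# one FORWARD-chain drop without a prefix, and one unrelated kernel message.
SAMPLE_LOG = """\
Nov  9 15:47:54 fw kernel: INPUT drop: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=172.28.2.2 DST=172.28.24.199 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4321 DF PROTO=TCP SPT=40001 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Nov  9 15:47:55 fw kernel: INPUT drop: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=172.28.2.2 DST=172.28.24.199 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4322 DF PROTO=TCP SPT=40002 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Nov  9 15:47:56 fw kernel: INPUT drop: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=172.28.2.9 DST=172.28.24.199 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=ICMP TYPE=8 CODE=0 ID=777 SEQ=1
Nov  9 15:47:57 fw kernel: IN=eth0 OUT=eth1 SRC=172.28.2.2 DST=192.168.1.3 LEN=68 TOS=0x00 PREC=0x00 TTL=63 ID=9 PROTO=UDP SPT=53 DPT=161 LEN=48
Nov  9 15:47:58 fw kernel: eth0: link is up
"""

if __name__ == "__main__":
    targets, sources = summarize(SAMPLE_LOG.splitlines())
    for key, n in targets.most_common():
        print(n, key)
    print("top sources:", sources.most_common(3))
```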


13. iptables does not start

iptables is started with the command /etc/init.d/iptables start. At that point iptables loads the script in the file /etc/sysconfig/iptables, so if this file does not exist or is corrupt, iptables cannot start.

After changing the iptables configuration, you must run service iptables save to store the configuration. Only then should iptables be restarted.
Example 13:
# service iptables start
## start iptables
# touch /etc/sysconfig/iptables
## create an empty iptables file
## set the permissions on this file
# chmod 600 /etc/sysconfig/iptables
# service iptables start
Applying iptables firewall rules: [OK]
