
iptables

LINUX


:
." ." " " " " " " 1. " FORWARD, IP ( 2. " 3. " )" FTP" " , , IP , MAILIPIP( FORWARD" IP ( ) " " " )" " , " "

.
"
, iptables-restore /usr/local/

"
.

demo . . demo /etc/rc.d/rc.local, . . echo "1" > /proc/sys/net/ipv4/ip_forward

/usr/local/iptables-restore/

/sbin/iptables-restore /usr/local/iptables-restore/demo demo (demo), ( ( , ) eth1) " IP ( , demo 1. iptables -F iptables -t nat -F 2. demo: : : , FORWARD ) ( " eth0) IP

iptables-restore /usr/local/iptables-restore/demo 3. iptables -L -n iptables -t nat -L -n 4. iptables-save> / / , iptables-save , . demo 1, , : : :

"
, / :

"

1 2 3 mangle PREROUTING

( . .

) ( , TOS . (Destination Network , eth0)

nat

PREROUTING Address Translation). .

5 6 mangle INPUT mangle. . 7 filter INPUT . , . 8 , , INPUT, . / , , INPUT

( . ., -

FORWARD.

1 2 , . 3 mangle OUTPUT . . 4 nat OUTPUT

( . ., ).

. --

(NAT) 5 6 Filter mangle OUTPUT POSTROUTING POSTROUTING

, . . mangle ,

, . , 7 nat POSTROUTING Translation. , . Source Network Address

. , DROP. 8 9 ( ( . ., Internet) , eth0) -

1 2 3 mangle PREROUTING

( . . (

) , eth0) , TOS ..

nat

PREROUTING (Destination Network Address Translation). Source Network Address Translation , .

5 , . . -. 6 mangle FORWARD mangle, , . 7 Filter FORWARD , . , , FORWARD FORWARD

. 8 mangle POSTROUTING

. 9 nat POSTROUTING Source Network Address Translation. . (Masquerading). 10 eth1). 11 , 1. 2. 3. (FORWARD). , ( ( ) , ) (INPUT). (OUTPUT). ( LAN). . ( ,

1. " "(
10.10.10.10) 1. " , "

, filter):
(eth0, IP (eth1, IP 101.101.101.101) .

-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j LOG --log-level 7 --log-tcpoptions -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j REJECT --reject-with icmp-portunreachable -A FORWARD -o eth0 -p tcp -j DROP . . .FORWARD , ( " "). . eth0 . . ( )

2. (

, ):

-A INPUT -i eth0 -p tcp --dport 25 -j ACCEPT -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j LOG --log-level 7 --log-tcpoptions -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j REJECT --reject-with icmp-portunreachable -A FORWARD -o eth0 -p tcp -j DROP , 110 , : -A INPUT -i eth0 -p tcp --dport 110 -j ACCEPT -A INPUT -i eth0 -p tcp --dport 25 -j ACCEPT -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j LOG --log-level 7 --log-tcpoptions -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j REJECT --reject-with icmp-portunreachable -A FORWARD -o eth0 -p tcp -j DROP , IP ( 100.100.100.110, : 110 110 110 ) . IP , IP , . .( ) ,

-A INPUT -s 100.100.100.110 -i eth0 -p tcp --dport 110 -j ACCEPT -A INPUT -i eth0 -p tcp --dport 25 -j ACCEPT -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j LOG --log-level 7 --log-tcpoptions -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j REJECT --reject-with icmp-portunreachable -A FORWARD -o eth0 -p tcp -j DROP , IP, 88.88.88.88, :

-A INPUT -s 88.88.88.88 -i eth0 -p tcp --dport 110 -j ACCEPT -A INPUT -s 100.100.100.110 -i eth0 -p tcp --dport 110 -j ACCEPT -A INPUT -i eth0 -p tcp --dport 25 -j ACCEPT -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j LOG --log-level 7 --log-tcpoptions -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j REJECT --reject-with icmp-portunreachable -A FORWARD -o eth0 -p tcp -j DROP , 88.88.88.255, : IP , 88.88.88.0

-A INPUT -s 88.88.88.0/24 -i eth0 -p tcp --dport 110 -j ACCEPT -A INPUT -s 100.100.100.110 -i eth0 -p tcp --dport 110 -j ACCEPT -A INPUT -i eth0 -p tcp --dport 25 -j ACCEPT -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j LOG --log-level 7 --log-tcpoptions -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j REJECT --reject-with icmp-portunreachable -A FORWARD -o eth0 -p tcp -j DROP , 88.88.88.255, IP : , 88.88.88.0

-A INPUT -s ! 88.88.88.0/24 -i eth0 -p tcp --dport 110 -j ACCEPT -A INPUT -s 100.100.100.110 -i eth0 -p tcp --dport 110 -j ACCEPT -A INPUT -i eth0 -p tcp --dport 25 -j ACCEPT -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j LOG --log-level 7 --log-tcpoptions -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j REJECT --reject-with icmp-portunreachable -A FORWARD -o eth0 -p tcp -j DROP . , : -A INPUT -i eth0 -p tcp --dport <port> -j ACCEPT

( input)

. :

-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j LOG --log-level 7 --log-tcpoptions -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j REJECT --reject-with icmp-portunreachable

3. (
, ( IP , . ), . .

).
(eth1) eth1 eth0. eth0 c IP

IP NAT.
10.10.10.10, :

-A POSTROUTING -o eth0 -j SNAT --to-source 10.10.10.10 : *nat -A POSTROUTING -o eth0 -j SNAT --to-source 10.10.10.10 COMMIT *filter -A INPUT -s 88.88.88.88 -i eth0 -p tcp --dport 110 -j ACCEPT -A INPUT -s 100.100.100.110 -i eth0 -p tcp --dport 110 -j ACCEPT -A INPUT -i eth0 -p tcp --dport 25 -j ACCEPT -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j LOG --log-level 7 --log-tcpoptions -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j REJECT --reject-with icmp-portunreachable -A FORWARD -o eth0 -p tcp -j DROP COMMIT IP (-A FORWARD -o eth0 -p tcp -j DROP), , . . . "

FORWARD FORWARD"

POSTROUTING-

, IP . . IP , FORWARD IP : *nat 10.10.10.10 ,

eth0

IP

, .( ) ( PPPoE),

-A POSTROUTING -o ppp0 -j MASQUERADE

4.
FORWARD ,

FORWARD
( . :

filter
), . .

( -A FORWARD -o eth0 -p tcp -j DROP FORWARD : tcp . . .

),

eth0

tcp.

, . , . . (ip: 88.88.88.88) (eth0) , ,

139: -A FORWARD -p tcp -d 88.88.88.88 -m tcp --dport 139 -o eth0 -j ACCEPT

-A FORWARD -o eth0 -p tcp -j DROP , 88.88.88.0/24 -A FORWARD -p tcp -d ! 88.88.88.0/24 -o eth0 -j DROP : -A FORWARD -m iprange --src-range 88.88.88.5-88.88.88.124 -j ACCEPT -A FORWARD -m iprange --dst-range 10.0.0.0-10.255.255.255 -j ACCEPT , -d 88.88.88.0/24 -d !

1. IP
, : 168.192.1.0/24 eth1 168.192.1.2-168.192.1.254) IP

IP
168.192.1.1-168.192.1.254,

( IP 168.192.1.1 ,

IP 255.255.255.0 IP 168.192.1.1

168.192.1.2-168.192.1.254 DNS IP DNS eth0 ppp0, ppp). 1. : -A FORWARD -s 168.192.1.0/24 -i eth1 -j ACCEPT -A FORWARD -d 168.192.1.0/24 -o eth1 -j ACCEPT -A FORWARD -o eth0 -p tcp -j DROP -A FORWARD -o eth1 -p tcp -j DROP 2. : (80 TCP) : : ( eth0

TCP/IP 255.255.255.0, . ),

ppp0 (

ppp+,

-A FORWARD -s 168.192.1.0/24 -p tcp -m tcp --dport 80 -i eth1 -j ACCEPT -A FORWARD -d 168.192.1.0/24 -p tcp -m tcp --sport 80 -o eth1 -j ACCEPT -A FORWARD -o eth0 -p tcp -j DROP

-A FORWARD -o eth1 -p tcp -j DROP 3. : -A FORWARD -s 168.192.1.0/24 -p tcp -m multiport --dports 20,21,25,110 -i eth1 -j ACCEPT -A FORWARD -d 168.192.1.0/24 -p tcp -m multiport --sports 20,21,25,110 -o eth1 -j ACCEPT -A FORWARD -o eth0 -p tcp -j DROP -A FORWARD -o eth1 -p tcp -j DROP 4. : IPTABLES: TCP , :

*nat :PREROUTING ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A POSTROUTING -o eth0 -j MASQUERADE COMMIT *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j LOG --log-level 7 --log-tcpoptions -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j REJECT --reject-with icmp-portunreachable -A FORWARD -s 168.192.1.0/24 -p icmp -i eth1 -j ACCEPT -A FORWARD -d 168.192.1.0/24 -p icmp -o eth1 -j ACCEPT -A FORWARD -s 168.192.1.0/24 -p udp -m udp --dport 53 -i eth1 -j ACCEPT -A FORWARD -d 168.192.1.0/24 -p udp -m udp --sport 53 -o eth1 -j ACCEPT

-A FORWARD -s 168.192.1.0/24 -p tcp -m multiport --dports 20,21,25,80,110,8080 -i eth1 -j ACCEPT -A FORWARD -d 168.192.1.0/24 -p tcp -m multiport --sports 20,21,25,80,110,8080 -o eth1 -j ACCEPT -A FORWARD -s 168.192.1.0/24 -p !icmp -m state --state INVALID -i eth1 -j DROP -A FORWARD -d 168.192.1.0/24 -p !icmp -m state --state INVALID -o eth1 -j DROP -A FORWARD -o eth0 -j DROP -A FORWARD -o eth1 -j DROP COMMIT

: 1. 2. ( 3. ( 4. IP, ) 5. IP, 6. ! ( TCP IP IP ). , ). IP (168.192.1.1-168.192.1.254) : 20,21,25,80,110,8080 ( HTTP, FTP Mail , ( ) ( . )

IP UDP 53

(168.192.1.1-168.192.1.254) icmp )

IPTABLES, iptables-restore / /demo

2"
(eth1) . , :

FTP(eth0) ,

":

, ICQ, IRC

FTP. . FTP. " , . FTP ( , . . , , , . RELATED, . . , , , FTP-Data) IP . , . . 20 . FTP FTP" (FTP control session). ,

-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -i eth0 -p tcp --dport 21 -j ACCEPT 1. *filter -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -i eth0 -p tcp --dport 21 -j ACCEPT 21 " ":

-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j LOG --log-level 7 --log-tcpoptions -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j REJECT --reject-with icmp-portunreachable -A FORWARD -o eth0 -p tcp -j DROP COMMIT 2. *filter -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -i eth0 -p tcp --dport 21 -j ACCEPT -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j REJECT -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j LOG --log-level 7 --log-tcpoptions -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j REJECT --reject-with icmp-portunreachable -A FORWARD -o eth0 -p tcp -j DROP COMMIT , filter): *mangle :PREROUTING ACCEPT [0:0] :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] :outtos - [0:0] :pretos - [0:0] -A PREROUTING -j pretos -A OUTPUT -j outtos mangle ( mangle , :

-A outtos -p tcp -m tcp --dport 22 -j TOS --set-tos 0x10 -A outtos -p tcp -m tcp --sport 22 -j TOS --set-tos 0x10 -A outtos -p tcp -m tcp --dport 21 -j TOS --set-tos 0x10 -A outtos -p tcp -m tcp --sport 21 -j TOS --set-tos 0x10 -A outtos -p tcp -m tcp --sport 20 -j TOS --set-tos 0x08 -A outtos -p tcp -m tcp --dport 20 -j TOS --set-tos 0x08 -A pretos -p tcp -m tcp --dport 22 -j TOS --set-tos 0x10 -A pretos -p tcp -m tcp --sport 22 -j TOS --set-tos 0x10 -A pretos -p tcp -m tcp --dport 21 -j TOS --set-tos 0x10 -A pretos -p tcp -m tcp --sport 21 -j TOS --set-tos 0x10 -A pretos -p tcp -m tcp --sport 20 -j TOS --set-tos 0x08 -A pretos -p tcp -m tcp --dport 20 -j TOS --set-tos 0x08 COMMIT . . *mangle :PREROUTING ACCEPT [0:0] :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] :outtos - [0:0] :pretos - [0:0] -A PREROUTING -j pretos -A OUTPUT -j outtos -A outtos -p tcp -m tcp --dport 22 -j TOS --set-tos 0x10 -A outtos -p tcp -m tcp --sport 22 -j TOS --set-tos 0x10 -A outtos -p tcp -m tcp --dport 21 -j TOS --set-tos 0x10 iptables FTP:

-A outtos -p tcp -m tcp --sport 21 -j TOS --set-tos 0x10 -A outtos -p tcp -m tcp --sport 20 -j TOS --set-tos 0x08 -A outtos -p tcp -m tcp --dport 20 -j TOS --set-tos 0x08 -A pretos -p tcp -m tcp --dport 22 -j TOS --set-tos 0x10 -A pretos -p tcp -m tcp --sport 22 -j TOS --set-tos 0x10 -A pretos -p tcp -m tcp --dport 21 -j TOS --set-tos 0x10 -A pretos -p tcp -m tcp --sport 21 -j TOS --set-tos 0x10 -A pretos -p tcp -m tcp --sport 20 -j TOS --set-tos 0x08 -A pretos -p tcp -m tcp --dport 20 -j TOS --set-tos 0x08 COMMIT *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -i eth0 -p tcp --dport 21 -j ACCEPT -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j LOG --log-level 7 --log-tcpoptions -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j REJECT --reject-with icmp-portunreachable -A FORWARD -o eth0 -p tcp -j DROP COMMIT

3"
, 80 *nat 8080:

"

-I PREROUTING -d 10.1.0.20 -p tcp --dport 80 -j DNAT --to-destination 10.1.0.20:8080 -I POSTROUTING -s 10.1.0.20 -o eth0 -p tcp -j SNAT --to-source 10.1.0.20:8080

COMMIT 10.1.0.20 ipweb. . *nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128 , ... ( 6.11.2006)
