
Part 1: Firewall (iptables)

1. Introduction to iptables

Iptables is the most widely used firewall on Linux.

Originally ipchains was the firewall in common use. After many shortcomings were found in it, the netfilter project developed a new product, iptables. Iptables brought the following improvements:

o Better integration with the Linux kernel.
o Better loading of iptables' special-purpose modules, improving reliability and processing speed.
o It is a stateful firewall.
o Packet filtering based on MAC address and on the flags of the TCP header. This helps block attacks that use malformed packets, and blocks access from the internal network to another network regardless of the source IP.
o Better NAT.
o Support for transparent integration with web proxy programs such as Squid.
o The limit parameters available in iptables help prevent DoS attacks.

2. Installing and using iptables

2.1. Installation

Iptables is installed by default on Linux systems; its package is iptables-version.rpm or iptables-version.tgz. It can be installed with the following commands:

Red Hat: $ rpm -ivh iptables-version.rpm
Debian:  $ apt-get install iptables

2.2. Starting iptables

Commands to start, stop and restart iptables:

# service iptables start
# service iptables stop
# service iptables restart

To start iptables together with Linux at boot:

# chkconfig iptables on

To check the status of iptables:

# service iptables status

2.3. Packet processing in iptables

Every packet passing through a server on which iptables is installed goes through a sequence of built-in tables (queues). Iptables has three important tables: Filter, NAT and Mangle.

Mangle: responsible for changing the quality-of-service bits in the TCP header, such as ToS (Type of Service), TTL (Time To Live) and MARK.

Filter: responsible for filtering packets. Inside the filter table are sub-rule sets called chains; there are three chains:
o Forward chain: filters packets passing through the server.
o Input chain: filters packets coming into the server.
o Output chain: filters packets leaving the server.

NAT: has two chains:
o Pre-routing chain: changes the destination address of the packet when necessary.
o Post-routing chain: changes the source address of the packet when necessary.

Table of queue types and chains with their functions:

Queue (table) | Function | Chain | Function of the chain
Filter | Packet filtering | Forward | Filters packets going to other servers connected on the firewall's other NICs
Filter | Packet filtering | Input | Filters packets arriving at the firewall
Filter | Packet filtering | Output | Filters packets leaving the firewall
NAT | Network address translation | Pre-routing | Changes the destination address so that the packet matches the firewall's routing table. Used for destination NAT
NAT | Network address translation | Post-routing | The address change takes place after the route has been chosen. Used for source NAT
Mangle | Modifying the TCP header | Pre-routing, Post-routing, Output, Input, Forward | Adjusts the quality-of-service bits before routing

Figure: the SOHO (small office home office) model

Overview diagram of packet filtering and processing in iptables:

2.4. Target

A target is the action taken when a packet has been examined and matches a rule. Once a target is identified, the packet jumps to it for the next processing step. The following table lists the targets that iptables uses.

Table 2: Common iptables targets

Target | Meaning | Options
ACCEPT | Iptables stops processing the packet and passes it on to the end application or the operating system for handling. |
DROP | Iptables stops processing the packet; the packet is blocked and discarded. |
LOG | Information about the packet is written to syslog for inspection. Iptables continues processing the packet with the next rule. | --log-prefix string: iptables prepends a user-defined string to the log message, usually a note of why the packet was dropped.
REJECT | Like DROP, but it sends the sender an error message saying that the packet was blocked and discarded. | --reject-with qualifier: the qualifier gives the type of error message returned to the sender, one of: icmp-port-unreachable (default), icmp-net-unreachable, icmp-host-unreachable, icmp-proto-unreachable, icmp-host-prohibited, tcp-reset, echo-reply
DNAT | Performs Destination network address translation; the packet's destination address is rewritten. | --to-destination ipaddress
SNAT | Performs Source network address translation. | --to-source <address>[-<address>][:<port>-<port>]: describes the IP and port that iptables will rewrite.
MASQUERADE | Performs Source network address translation. By default the source IP becomes the source IP of the firewall itself. | [--to-ports <port>[-<port>]]

2.5. Important iptables switching parameters

The following parameters let iptables carry out actions matching the processing plan the user has laid out.

Table 3: Important iptables switching parameters

Iptables switching command | Description
-t <table> | Specifies the table for iptables: filter, nat or mangle. If no table is specified, filter is used.
-j <target> | Jumps to a target or chain when the packet matches the current rule.
-A | Appends a rule to the end of a chain.
-F | Flushes all rules in the selected table.
-D | Deletes a rule from a chain.
-L | Lists the rules.
-N | Creates a new chain.
-P | Sets a policy for a chain.
-p <protocol-type> | Specifies the protocol, usually icmp, tcp, udp or all.
-s <ip-address> | Specifies the source IP address.
-d <ip-address> | Specifies the destination IP address.
-i <interface-name> | Input condition: the interface on which the packet enters the firewall.
-o <interface-name> | Output condition: the interface through which the packet leaves the firewall.
-m | Specifies the module to use.

Example:

iptables -A INPUT -s 0/0 -i eth0 -d 192.168.1.254 -p TCP -j ACCEPT

Iptables is configured so that the firewall accepts packets whose protocol is TCP, arriving on network card eth0, from any source IP (0/0), destined for address 192.168.1.254, which is the firewall's own IP.

Table 4: Common TCP and UDP conditions

Condition | Description
-p tcp --sport <port> | TCP source port condition. Can be a single value or a range of the form start-port-number:end-port-number
-p tcp --dport <port> | TCP destination port condition. Can be a single value or a range of the form starting-port:end-port
-p tcp --syn | Matches a new TCP connection request. ! --syn: not a new connection request.
-p udp --sport <port> | UDP source port condition. Can be a single value or a range of the form start-port-number:end-port-number
-p udp --dport <port> | UDP destination port condition. Can be a single value or a range of the form starting-port:ending-port

Example:

iptables -A FORWARD -s 0/0 -i eth0 -d 192.168.1.123 -o eth1 -p TCP --sport 1024:65535 --dport 80 -j ACCEPT

Iptables is configured so that the firewall accepts TCP traffic arriving on card eth0, from any source IP, destined for address 192.168.1.123 through network card eth1. The source port is in the range 1024-65535 and the destination port is 80 (http).

Table 5: ICMP condition

Command | Description
--icmp-type <type> | The most commonly used types are echo-reply and echo-request

Table 6: Common extended conditions

Command | Description
-m multiport --sport <port, port> | Lists source ports, separated by commas (,)
-m multiport --dport <port, port> | Likewise, for destination ports
-m multiport --port <port, port> | Lists ports without distinguishing destination from source
-m state --state <state> | Common states: ESTABLISHED: the packet is part of a connection established in both directions. NEW: the packet starts a new connection. RELATED: the packet starts a secondary connection; typically a feature of protocols such as FTP, or of ICMP errors. INVALID: the packet cannot be identified.
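As an added example (not from the original lab document), a shell function that emits a complete ruleset for the SOHO model above in iptables-restore format, combining the targets of Table 2, the switches of Table 3, the TCP/UDP, ICMP and state/multiport conditions of Tables 4 to 6, and a user-defined chain as described in section 2.6. The interface roles (eth0 facing the Internet, eth1 the LAN 192.168.1.0/24) and the internal web server 192.168.1.123 are assumptions taken from the examples above, not a configuration the document prescribes.

```shell
# Added example (not from the lab document): emit an iptables-restore ruleset for the
# SOHO model described above. Assumed, not from the page: eth0 faces the Internet,
# eth1 is the LAN 192.168.1.0/24, and 192.168.1.123 is an internal web server.
soho_rules() {
    wan=eth0; lan=eth1; lan_net=192.168.1.0/24; web=192.168.1.123
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
# User-defined chain: rate-limited LOG with a prefix, then DROP.
-A LOGDROP -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
-A LOGDROP -j DROP
# Traffic to the firewall itself: loopback, replies to its own connections,
# and admin services from the LAN only (the multiport module spells the option --dports).
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j LOGDROP
-A INPUT -i $lan -s $lan_net -p tcp -m multiport --dports 22,53 -m state --state NEW -j ACCEPT
-A INPUT -i $lan -s $lan_net -p udp --dport 53 -j ACCEPT
-A INPUT -i $lan -p icmp --icmp-type echo-request -j ACCEPT
# Unsolicited TCP from the Internet gets a reset; everything else is logged and dropped.
-A INPUT -i $wan -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j LOGDROP
# Forwarded traffic: established flows, new LAN-originated connections, and only
# SYN-initiated HTTP towards the published web server.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan -o $wan -s $lan_net -m state --state NEW -j ACCEPT
-A FORWARD -i $wan -o $lan -d $web -p tcp --syn --dport 80 -m state --state NEW -j ACCEPT
-A FORWARD -j LOGDROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# DNAT publishes the LAN web server; MASQUERADE gives LAN hosts the firewall's address.
-A PREROUTING -i $wan -p tcp --dport 80 -j DNAT --to-destination $web:80
-A POSTROUTING -o $wan -s $lan_net -j MASQUERADE
COMMIT
EOF
}
```

Apply it as root with `soho_rules | iptables-restore`, and persist it with `iptables-save > /etc/sysconfig/iptables`, the file named in section 2.7.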

2.6. Using user-defined chains

User-defined chains reside within the iptables tables and help organise packet processing better.

2.7. Saving the iptables rules

The iptables rules are saved temporarily in the file /etc/sysconfig/iptables.

2.8. Setting up rules for Fedora's iptables

Fedora has a program called lokkit, which can set up a simple firewall ruleset to strengthen security. lokkit saves its firewall rules in a new /etc/sysconfig/iptables file.

2.9. Recovering lost rules

2.10. Some kernel modules

Kernel modules are needed for some parts of the iptables application to work. Some modules:
+ iptable_nat module: needed for some kinds of NAT.
+ ip_conntrack_ftp module: needed to add support for the FTP protocol.
+ ip_conntrack module: keeps connection state for the TCP protocol.
+ ip_nat_ftp module: must be loaded for FTP servers behind a NAT firewall.

Note: the file /etc/sysconfig/iptables does not record which modules have been loaded, so the corresponding statements must be added to the file /etc/rc.local, which runs at the end of every reboot.

3. Carry out the lab according to the following model:
