
Firewall System on Linux Kernel 2.4 & Netfilter Iptables

Upgraded from kernel 2.2, kernel 2.4 introduces many new features that make Linux more reliable and let it support more devices. One of them is support for Netfilter Iptables directly in the kernel, which handles packets more efficiently than its predecessors, Ipfwadm in kernel 2.0 and Ipchains in kernel 2.2, while still supporting the old command sets. Building a packet-filtering firewall with Ipfwadm or Ipchains had several limitations: the integration needed to extend functionality was missing, and packet filtering for common protocols and Network Address Translation (NAT) were carried out entirely separately, with no way to combine them. Netfilter and Iptables on kernel 2.4 resolve these limitations well, are more flexible, and add many features that Ipfwadm and Ipchains lacked.

WORKING PRINCIPLES OF NETFILTER AND IPTABLES

Netfilter is the basic API (Application Program Interface) component that lets higher layers such as Iptables operate on network packets. Netfilter currently provides four modules for those higher layers: Ipfwadm + ipchains, Iptables, Connection tracking, and NAT. Iptables predefines the following tables:

1. Filter: used to operate on packets.
2. Nat: used to perform NAT, for example to hide the addresses of hosts inside the LAN when they go out to the Internet, as most networks do today.
3. Mangle: commonly used to mark packets for purposes such as QoS or packet redirection.

STATELESS PACKET FILTERING

A filter that cannot tell how an incoming packet relates to the packets before or after it is a filtering mechanism that cannot distinguish state. Firewalls that cannot tell how packets relate to one another are called passive firewalls (stateless firewalling). This type of firewall can hardly protect the internal network against destructive attacks such as DoS, SYN flooding, SYN cookie, ping of death or packet fragmentation, or against hackers who need only a network scanner such as nmap to learn the state of the hosts behind the firewall. This does not happen with an active firewall (stateful firewall).
STATEFUL PACKET FILTERING

When the filter can tell, for every incoming packet, how it relates to the packets before or after it, for example the states of the three-way handshake (SYN, SYN/ACK, ACK) that precedes a TCP/IP connection, the firewall is said to distinguish packet states, or informally to be an active firewall (stateful firewalling). With this type of firewall we can build filtering rules that block even destructive attacks such as SYN flooding or Xmas tree scans. Furthermore, Iptables can rate-limit connections by type of connection from the outside, which is very effective at blocking denial-of-service (DoS) attacks, still the leading threat to websites around the world today. Another notable feature of Iptables is its support for string pattern matching, which takes the firewall a step further: it can decide to drop or accept a packet based on inspecting its content. This can be seen as intervening at the application level (HTTP, TELNET, FTP), although Netfilter Iptables in fact still operates at the network layer (layer 3 in the 7-layer OSI model).

IMPLEMENTATION

Details of the tables and parameters in iptables can be found at http://www.unixcircle.com/iptables/iptables-tutorial/iptables-tutorial.html. Below I describe the concrete steps on Redhat Linux. Redhat 7.1 ships with kernel 2.4.2 compiled with Netfilter and Iptables support, but to use all the Iptables features described above you must upgrade Iptables to the latest version, 1.2.4 (http://netfilter.samba.org/iptables-1.2.4.tar.bz2), and recompile the Linux kernel with version 2.4.16 (http://www.kernel.org/pub/linux/kernel/v2.4/linux-2.4.16.tar.gz; version 2.4.17 is now available).

When using Redhat Linux 7.1 as a firewall, install it in text-mode server mode and remove all unnecessary daemons such as sendmail, ftpd, httpd, telnetd, sshd, lpd and so on; log in only at the machine's own console. Remove the old iptables version if it was installed during setup: rpm -e iptables

Extract kernel 2.4.16 into /usr/src, which gives the kernel source in /usr/src/linux. Example:

    tar zxvf linux-2.4.16.tar.gz

Extract iptables-1.2.4 into /usr/local/src, which gives /usr/local/src/iptables-1.2.4. In the iptables-1.2.4 directory, run the following to apply the iptables-1.2.4 features to the kernel:

    make pending-patches KERNEL_DIR=/usr/src/linux

After that, add the newest, recently developed features to the kernel with:

    make patch-o-matic KERNEL_DIR=/usr/src/linux

While applying these patches to the kernel, pay attention to the status line describing each patch: if it is marked working or stable even though still under test, you may use those features if you wish.

Note that to use pattern matching you must remember to include CONFIG_IP_NF_MATCH_STRING during patch-o-matic. Once patches in patch-o-matic have proved to work well, they are merged directly into subsequent kernel versions.

Continue by compiling Iptables, still in /usr/local/src/iptables-1.2.4:

    make KERNEL_DIR=/usr/src/linux
    make install KERNEL_DIR=/usr/src/linux

Iptables is now installed under /usr/local/sbin and /usr/local/lib.

Compiling kernel 2.4.16: once the required Netfilter patches have been applied to the kernel, we recompile the kernel and its modules. Change into /usr/src/linux and type:

    make menuconfig

In this configuration interface, to keep the kernel lean, include only the devices the system needs and select the router functionality. Since our main purpose is Netfilter/iptables, under Networking Options -> Netfilter Configuration select every option there. After making the selections, leave the menu and compile with:

    make dep; make clean; make bzImage; make modules; make modules_install

Compilation time depends on the machine; once it finishes, a few more steps are needed before the system can boot the newly compiled kernel. Move /usr/src/linux/arch/i386/boot/bzImage into /boot, for example:

    mv /usr/src/linux/arch/i386/boot/bzImage /boot/bzImage.fw

Move /usr/src/linux/System.map into /boot, for example:

    mv /usr/src/linux/System.map /boot/System.map.fw

Create the new link:

    ln -fs /boot/System.map.fw /boot/System.map

As a precaution against problems with the new kernel, add a boot menu that lets you choose which kernel to load by editing /etc/lilo.conf. Example:

    boot=/dev/hda
    map=/boot/map
    install=/boot/boot.b
    prompt
    timeout=30
    message=/boot/message
    linear
    default=origin
    image=/boot/vmlinuz-2.4.2-2
        label=origin
        read-only
        root=/dev/hda8
    image=/boot/bzImage.fw
        label=firewall
        read-only
        root=/dev/hda8

Finally, run /sbin/lilo to reload the configuration from /etc/lilo.conf and reboot the machine.

Here are some examples illustrating how to set up a firewall on Linux. Assume the local network is 10.0.0.0/8 and the firewall has two network cards, eth0 connected to the Internet and eth1 to the local network.

Against SYN flooding:

    iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT

Against port scans:

    iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

Against ping of death:

    iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

Let packets of already established connections continue through the firewall:

    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

Against spoofing of internal addresses from outside:

    iptables -t nat -A PREROUTING -i eth0 -s 10.0.0.0/8 -j DROP

Translate addresses from the internal network to the outside (SNAT):

    iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 203.162.0.10

Translate the web server's address from the outside into the internal network (DNAT):

    iptables -t nat -A PREROUTING -d 203.162.0.9 -p tcp --dport 80 -j DNAT --to 10.0.0.10

Set up a transparent proxy by redirecting port 80 to the squid proxy server 10.0.0.9:

    iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 10.0.0.9:3128

Only allow the internal host whose network card address is 00:C7:8F:72:14 out:

    iptables -A FORWARD -m state --state NEW -m mac --mac-source 00:C7:8F:72:14 -j ACCEPT

Load balancing in both directions, inbound and outbound:

    iptables -t nat -A POSTROUTING -o eth0 -m nth --counter 7 --every 3 --packet 0 -j SNAT --to-source 10.0.0.5
    iptables -t nat -A POSTROUTING -o eth0 -m nth --counter 7 --every 3 --packet 1 -j SNAT --to-source 10.0.0.6
    iptables -t nat -A POSTROUTING -o eth0 -m nth --counter 7 --every 3 --packet 2 -j SNAT --to-source 10.0.0.7

Prioritize throughput for web traffic:

    iptables -A PREROUTING -t mangle -p tcp --sport 80 -j TOS --set-tos Maximize-Throughput


Block the Nimda or CodeRed worms (at the application level):

    iptables -I INPUT -j DROP -m string -p tcp -s 0.0.0.0/0 --string "c+dir"
    iptables -I INPUT -j DROP -m string -p tcp -s 0.0.0.0/0 --string cmd.exe
    iptables -I INPUT -j DROP -m string -p tcp -s 0.0.0.0/0 --string default.exe
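As an added example that is not part of the article, the one-line rules above assembled into a single script with the default policies, the rule order and the FORWARD rule for the DNAT'ed web server that the separate examples leave implicit; it goes one step beyond the article by placing the rate limit in its own chain, so that packets over the limit are dropped instead of falling through to later rules. The interfaces and addresses (eth0, eth1, 10.0.0.0/8, 203.162.0.10, 10.0.0.10) are the article's; the chain name flood_guard and the IPT variable are assumptions of this example.

```sh
#!/bin/sh
# Added example (not the article's script): its loose rules assembled into one
# kernel 2.4 / iptables 1.2.4 ruleset with the default policies and rule order
# the separate examples leave implicit. Assumptions from the article: eth0 faces
# the Internet, eth1 the 10.0.0.0/8 LAN, 203.162.0.10 is the public address and
# 10.0.0.10 the web server. Set IPT=echo to print the rules instead of loading.
IPT="${IPT:-iptables}"
WAN=eth0
LAN=eth1
LAN_NET=10.0.0.0/8
PUBLIC_IP=203.162.0.10
WEB_SERVER=10.0.0.10

fw_reset() {
    "$IPT" -F
    "$IPT" -t nat -F
    "$IPT" -X
    # Default-deny on INPUT and FORWARD; OUTPUT keeps its ACCEPT default.
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
}

fw_filter() {
    # The firewall runs no services (console login only, per the article):
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The article uses "-m limit ... -j ACCEPT" directly; a chain that RETURNs
    # within the limit and DROPs the excess leaves later rules to decide.
    "$IPT" -N flood_guard
    "$IPT" -A flood_guard -m limit --limit 1/s --limit-burst 4 -j RETURN
    "$IPT" -A flood_guard -j DROP
    # Anti-spoofing first: Internet packets claiming a LAN source address.
    "$IPT" -A FORWARD -i "$WAN" -s "$LAN_NET" -j DROP
    # Packets of known connections pass without walking the rules below.
    "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New TCP connections and pings from the Internet share one token bucket.
    "$IPT" -A FORWARD -i "$WAN" -p tcp --syn -j flood_guard
    "$IPT" -A FORWARD -i "$WAN" -p icmp --icmp-type echo-request -j flood_guard
    "$IPT" -A FORWARD -i "$WAN" -p icmp --icmp-type echo-request -j ACCEPT
    # The DNAT'ed web server must also be accepted in FORWARD.
    "$IPT" -A FORWARD -i "$WAN" -o "$LAN" -p tcp -d "$WEB_SERVER" --dport 80 -j ACCEPT
    # LAN hosts may open connections to the Internet.
    "$IPT" -A FORWARD -i "$LAN" -o "$WAN" -m state --state NEW -j ACCEPT
}

fw_nat() {
    "$IPT" -t nat -A POSTROUTING -o "$WAN" -j SNAT --to-source "$PUBLIC_IP"
    "$IPT" -t nat -A PREROUTING -i "$WAN" -d "$PUBLIC_IP" -p tcp --dport 80 -j DNAT --to-destination "$WEB_SERVER"
}
fw_apply() { fw_reset && fw_filter && fw_nat; }
```

Source the file and call fw_apply as root to load the ruleset; with IPT=echo the same call prints the 19 rules in order instead of loading them.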
