Linux Firewall Primer

Source: Baidu Wenku. Editor: 九乡新闻网. Time: 2024/04/28 19:20:32

Linux Firewall Primer

臥龍小三 (OLS3)

Tainan County Education Network Center

Table of Contents
Introduction
Network topology
Required equipment
Basic concepts
Setup steps
ipchains manpage
Structure of ipchains
ipchains primer
iptables manpage
iptables structure diagram
iptables primer
Firewall caveats
Configuration files
Configuration tools
Reference websites


This workshop shows how to use Linux to build a simple firewall for a school campus network.

The intended benefits are:

  • protecting the whole campus network with it, or

  • carving a clean segment out of the campus network and using that segment to shield selected hosts from attacks coming from the outside network.

The hope is that this workshop will strengthen the network-control skills of the primary and secondary school network administrators of Tainan County and lighten their administrative load.


Introduction

Foreword

The moment you connect to the network, you are exposed to all kinds of danger.

Many people want to break into your system, for all sorts of reasons; such people are commonly called crackers. Worse, in recent years an intrusion tool that combines virus behaviour with system exploits, the network worm, has become popular in cracker circles: it scans and bites its way around like a network robot and has reached flood proportions. Lion, CodeRed and Nimda are examples. Today, connect a freshly installed Windows machine to the network and within a few minutes it will have caught a pile of CodeRed or Nimda probe packets.

Traditionally, to protect the internal network, and also to control the traffic going in and out, the usual method is to build a network firewall: a barrier between the external and internal networks that serves as a security boundary, so that only specific packets can enter the internal network while the great majority of odd traffic, such as Nimda scans, is kept outside entirely. At the same time, machines on the internal network can still connect outward freely, and internal users rarely need to change how they use the network.

In other words, a firewall separates network packets so that the traffic circulating inside the network stays clean, and it lets the administrator install a new machine, say NT/W2K, without it being compromised the moment it is plugged in. On this point alone a firewall is very valuable to a campus network administrator.

Firewall products, however, are very expensive; ordinary people and small organizations like us cannot afford them, and their features are not necessarily as well suited to our needs as claimed. So many predecessors looked for alternatives, and with low cost, high return and great flexibility in mind, building small firewalls on FreeBSD/OpenBSD/Linux has become popular. Many companies even build commercial firewall products on the FreeBSD/Linux firewall mechanisms; the firewall core of one well-known domestic firewall vendor is derived from Linux.

What is a network firewall?

Based on the above, here is a simple definition of a firewall (this is OLS3's own wording; corrections are welcome).

"Firewall" refers to a set of hardware and software that clearly separates two (or more) networks, so that the network administrator can lay down security rules in advance and filter, control and tune network traffic according to the required level of security; its chief purpose is to prevent the network from being broken into.

Types of firewall

Firewalls fall roughly into three kinds:

  • Packet filtering firewall

  • Gateway firewall

  • Proxy firewall

Briefly:

A packet-filtering firewall uses the operating system, working at the IP and transport layers, to examine the IP and transport headers of each packet (addresses, protocol, ports, TCP flags) and decide what to do with it (accept / redirect / drop / reject), thereby protecting its own network. The firewall presented in this workshop is of this kind. Its advantages: good performance, fine-grained control, low cost. Its limitation is the mirror image of the proxy's strength: it sees headers, not application data, so it cannot inspect content or stop an attack carried inside a connection it has allowed.

A gateway firewall means that the only point the external network can reach is the gateway host itself, and a user on the internal network who wants to reach the external network must first log in to that gateway host.

A proxy firewall provides a proxy for each application service: the client actually connects to the proxy host rather than to the host on the external network, yet to the client it feels as if it were using the external host's service directly; this property is called a proxy. The advantages of a proxy firewall: it can ensure data integrity, only specific services are exchanged, content can be filtered and scanned for viruses, and high-level access control is possible.

A modern full-featured firewall usually combines packet filtering and proxying, but its price is correspondingly high. For a primary or secondary school campus network, a packet-filtering firewall is already sufficient.


iptables manpage

iptables manpage (translation)

(Translated by OLS3; unfinished and rough, please bear with it.)

IPTABLES(8)

NAME
       iptables - packet filter administration

SYNOPSIS
       iptables -[ADC] chain rule-specification [options]
       iptables -[RI] chain rulenum rule-specification [options]
       iptables -D chain rulenum [options]
       iptables -[LFZ] [chain] [options]
       iptables -[NX] chain
       iptables -P chain target [options]
       iptables -E old-chain-name new-chain-name

DESCRIPTION
       Iptables is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains.

       Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches. This is called a `target', which may be a jump to a user-defined chain in the same table.

TARGETS
       A firewall rule specifies criteria for a packet, and a target. If the packet does not match, the next rule in the chain is examined; if it does match, then the next rule is specified by the value of the target, which can be the name of a user-defined chain or one of the special values ACCEPT, DROP, QUEUE, or RETURN.

       ACCEPT means to let the packet through. DROP means to drop the packet on the floor. QUEUE means to pass the packet to userspace (if supported by the kernel). RETURN means stop traversing this chain and resume at the next rule in the previous (calling) chain. If the end of a built-in chain is reached or a rule in a built-in chain with target RETURN is matched, the target specified by the chain policy determines the fate of the packet.

TABLES
       There are currently three independent tables (which tables are present at any time depends on the kernel configuration options and which modules are present).

       -t, --table
              This option specifies the packet matching table which the command should operate on. If the kernel is configured with automatic module loading, an attempt will be made to load the appropriate module for that table if it is not already there.

       The tables are as follows:

       filter This is the default table. It contains the built-in chains INPUT (for packets coming into the box itself), FORWARD (for packets being routed through the box), and OUTPUT (for locally-generated packets).

       nat    This table is consulted when a packet that creates a new connection is encountered. It consists of three built-ins: PREROUTING (for altering packets as soon as they come in), OUTPUT (for altering locally-generated packets before routing), and POSTROUTING (for altering packets as they are about to go out).

       mangle This table is used for specialized packet alteration. It has two built-in chains: PREROUTING (for altering incoming packets before routing) and OUTPUT (for altering locally-generated packets before routing).

OPTIONS
       The options that are recognized by iptables can be divided into several different groups.

COMMANDS
       These options specify the specific action to perform. Only one of them can be specified on the command line unless otherwise specified below. For all the long versions of the command and option names, you need to use only enough letters to ensure that iptables can differentiate it from all other options.

       -A, --append
              Append one or more rules to the end of the selected chain. When the source and/or destination names resolve to more than one address, a rule will be added for each possible address combination.

       -D, --delete
              Delete one or more rules from the selected chain. There are two versions of this command: the rule can be specified as a number in the chain (starting at 1 for the first rule) or a rule to match.

       -R, --replace
              Replace a rule in the selected chain. If the source and/or destination names resolve to multiple addresses, the command will fail.
              Rules are numbered starting at 1.

       -I, --insert
              Insert one or more rules in the selected chain as the given rule number. So, if the rule number is 1, the rule or rules are inserted at the head of the chain. This is also the default if no rule number is specified.

       -L, --list
              List all rules in the selected chain. If no chain is selected, all chains are listed. It is legal to specify the -Z (zero) option as well, in which case the chain(s) will be atomically listed and zeroed. The exact output is affected by the other arguments given.

       -F, --flush
              Flush the selected chain. This is equivalent to deleting all the rules one by one.

       -Z, --zero
              Zero the packet and byte counters in all chains. It is legal to specify the -L, --list (list) option as well, to see the counters immediately before they are cleared. (See above.)

       -N, --new-chain
              Create a new user-defined chain by the given name. There must be no target of that name already.

       -X, --delete-chain
              Delete the specified user-defined chain. There must be no references to the chain. If there are, you must delete or replace the referring rules before the chain can be deleted. If no argument is given, it will attempt to delete every non-builtin chain in the table.

       -P, --policy
              Set the policy for the chain to the given target. See the section TARGETS for the legal targets. Only built-in (non-user-defined) chains can have policies, and neither built-in nor user-defined chains can be policy targets.

       -E, --rename-chain
              Rename the user specified chain to the user supplied name. This is cosmetic, and has no effect on the structure of the table.
       -h     Help. Give a (currently very brief) description of the command syntax.

PARAMETERS
       The following parameters make up a rule specification (as used in the add, delete, insert, replace and append commands).

       -p, --protocol [!] protocol
              The protocol of the rule or of the packet to check. The specified protocol can be one of tcp, udp, icmp, or all, or it can be a numeric value, representing one of these protocols or a different one. A protocol name from /etc/protocols is also allowed. A "!" argument before the protocol inverts the test. The number zero is equivalent to all. Protocol all will match with all protocols and is taken as default when this option is omitted.

       -s, --source [!] address[/mask]
              Source specification. Address can be either a hostname, a network name, or a plain IP address. The mask can be either a network mask or a plain number, specifying the number of 1's at the left side of the network mask. Thus, a mask of 24 is equivalent to 255.255.255.0. A "!" argument before the address specification inverts the sense of the address. The flag --src is a convenient alias for this option.

       -d, --destination [!] address[/mask]
              Destination specification. See the description of the -s (source) flag for a detailed description of the syntax. The flag --dst is an alias for this option.

       -j, --jump target
              This specifies the target of the rule; i.e., what to do if the packet matches it. The target can be a user-defined chain (other than the one this rule is in), one of the special builtin targets which decide the fate of the packet immediately, or an extension (see EXTENSIONS below). If this option is omitted in a rule, then matching the rule will have no effect on the packet's fate, but the counters on the rule will be incremented.

       -i, --in-interface [!] [name]
              Optional name of an interface via which a packet is received (for packets entering the INPUT, FORWARD and PREROUTING chains). When the "!" argument is used before the interface name, the sense is inverted. If the interface name ends in a "+", then any interface which begins with this name will match. If this option is omitted, the string "+" is assumed, which will match with any interface name.

       -o, --out-interface [!] [name]
              Optional name of an interface via which a packet is going to be sent (for packets entering the FORWARD, OUTPUT and POSTROUTING chains). When the "!" argument is used before the interface name, the sense is inverted. If the interface name ends in a "+", then any interface which begins with this name will match. If this option is omitted, the string "+" is assumed, which will match with any interface name.

       [!] -f, --fragment
              This means that the rule only refers to second and further fragments of fragmented packets.
              Since there is no way to tell the source or destination ports of such a packet (or ICMP type), such a packet will not match any rules which specify them. When the "!" argument precedes the "-f" flag, the rule will only match head fragments, or unfragmented packets.

       -c, --set-counters PKTS BYTES
              This enables the administrator to initialize the packet and byte counters of a rule (during INSERT, APPEND, REPLACE operations).

OTHER OPTIONS
       The following additional options can be specified:

       -v, --verbose
              Verbose output. This option makes the list command show the interface address, the rule options (if any), and the TOS masks. The packet and byte counters are also listed, with the suffix 'K', 'M' or 'G' for 1000, 1,000,000 and 1,000,000,000 multipliers respectively (but see the -x flag to change this). For appending, insertion, deletion and replacement, this causes detailed information on the rule or rules to be printed.

       -n, --numeric
              Numeric output. IP addresses and port numbers will be printed in numeric format. By default, the program will try to display them as host names, network names, or services (whenever applicable).

       -x, --exact
              Expand numbers. Display the exact value of the packet and byte counters, instead of only the rounded number in K's (multiples of 1000), M's (multiples of 1000K) or G's (multiples of 1000M). This option is only relevant for the -L command.

       --line-numbers
              When listing rules, add line numbers to the beginning of each rule, corresponding to that rule's position in the chain.
       --modprobe=command
              When adding or inserting rules into a chain, use command to load any necessary modules (targets, match extensions, etc).

MATCH EXTENSIONS
       iptables can use extended packet matching modules. These are loaded in two ways: implicitly, when -p or --protocol is specified, or with the -m or --match options, followed by the matching module name; after these, various extra command line options become available, depending on the specific module. You can specify multiple extended match modules in one line, and you can use the -h or --help options after the module has been specified to receive help specific to that module.

       The following are included in the base package, and most of these can be preceded by a ! to invert the sense of the match.

   tcp
       These extensions are loaded if `--protocol tcp' is specified. It provides the following options:

       --source-port [!] [port[:port]]
              Source port or port range specification. This can either be a service name or a port number. An inclusive range can also be specified, using the format port:port. If the first port is omitted, "0" is assumed; if the last is omitted, "65535" is assumed. If the first port is greater than the second, they will be swapped. The flag --sport is an alias for this option.

       --destination-port [!] [port[:port]]
              Destination port or port range specification. The flag --dport is an alias for this option.

       --tcp-flags [!] mask comp
              Match when the TCP flags are as specified. The first argument is the flags which we should examine, written as a comma-separated list, and the second argument is a comma-separated list of flags which must be set.
              Flags are: SYN ACK FIN RST URG PSH ALL NONE. Hence the command

                     iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN

              will only match packets with the SYN flag set, and the ACK, FIN and RST flags unset.

       [!] --syn
              Only match TCP packets with the SYN bit set and the ACK and RST bits cleared (later releases examine the FIN bit as well). Such packets are used to request TCP connection initiation; for example, blocking such packets coming in an interface will prevent incoming TCP connections, but outgoing TCP connections will be unaffected. It is equivalent to --tcp-flags SYN,RST,ACK SYN (--tcp-flags SYN,RST,ACK,FIN SYN in later releases). If the "!" flag precedes the "--syn", the sense of the option is inverted: ! --syn matches every TCP packet that is not a connection request, such as the replies to connections opened from the inside.

       --tcp-option [!] number
              Match if the given TCP option is set.

   udp
       These extensions are loaded if `--protocol udp' is specified. It provides the following options:

       --source-port [!] [port[:port]]
              Source port or port range specification. See the description of the --source-port option of the TCP extension for details.

       --destination-port [!] [port[:port]]
              Destination port or port range specification. See the description of the --destination-port option of the TCP extension for details.

   icmp
       This extension is loaded if `--protocol icmp' is specified. It provides the following option:

       --icmp-type [!] typename
              This allows specification of the ICMP type, which can be a numeric ICMP type, or one of the ICMP type names shown by the command

                     iptables -p icmp -h

   mac
       --mac-source [!] address
              Match source MAC address. It must be of the form XX:XX:XX:XX:XX:XX.
              Note that this only makes sense for packets entering the PREROUTING, FORWARD or INPUT chains for packets coming from an ethernet device.

       The ICMP type names accepted by --icmp-type (as listed by iptables -p icmp -h; indented names are codes of the type above them) are:

              echo-reply (pong)
              destination-unreachable
                     network-unreachable
                     host-unreachable
                     protocol-unreachable
                     port-unreachable
                     fragmentation-needed
                     source-route-failed
                     network-unknown
                     host-unknown
                     network-prohibited
                     host-prohibited
                     TOS-network-unreachable
                     TOS-host-unreachable
                     communication-prohibited
                     host-precedence-violation
                     precedence-cutoff
              source-quench
              redirect
                     network-redirect
                     host-redirect
                     TOS-network-redirect
                     TOS-host-redirect
              echo-request (ping)
              router-advertisement
              router-solicitation
              time-exceeded (ttl-exceeded)
                     ttl-zero-during-transit
                     ttl-zero-during-reassembly
              parameter-problem
                     ip-header-bad
                     required-option-missing
              timestamp-request
              timestamp-reply
              address-mask-request
              address-mask-reply

   limit
       This module matches at a limited rate using a token bucket filter: it can be used in combination with the LOG target to give limited logging. A rule using this extension will match until this limit is reached (unless the `!' flag is used).

       --limit rate
              Maximum average matching rate: specified as a number, with an optional `/second', `/minute', `/hour', or `/day' suffix; the default is 3/hour.

       --limit-burst number
              The maximum initial number of packets to match: this number gets recharged by one every time the limit specified above is not reached, up to this number; the default is 5.

   multiport
       This module matches a set of source or destination ports. Up to 15 ports can be specified. It can only be used in conjunction with -p tcp or -p udp.

       --source-port [port[,port]]
              Match if the source port is one of the given ports.

       --destination-port [port[,port]]
              Match if the destination port is one of the given ports.

       --port [port[,port]]
              Match if both the source and destination ports are equal to each other and to one of the given ports.
   mark
       This module matches the netfilter mark field associated with a packet (which can be set using the MARK target below).

       --mark value[/mask]
              Matches packets with the given unsigned mark value (if a mask is specified, this is logically ANDed with the mask before the comparison).

   owner
       This module attempts to match various characteristics of the packet creator, for locally-generated packets. It is only valid in the OUTPUT chain, and even then some packets (such as ICMP ping responses) may have no owner, and hence never match.

       --uid-owner userid
              Matches if the packet was created by a process with the given effective user id.

       --gid-owner groupid
              Matches if the packet was created by a process with the given effective group id.

       --pid-owner processid
              Matches if the packet was created by a process with the given process id.

       --sid-owner sessionid
              Matches if the packet was created by a process in the given session group.

   state
       This module, when combined with connection tracking, allows access to the connection tracking state for this packet.

       --state state
              Where state is a comma separated list of the connection states to match.
              Possible states are INVALID meaning that the packet is associated with no known connection, ESTABLISHED meaning that the packet is associated with a connection which has seen packets in both directions, NEW meaning that the packet has started a new connection, or otherwise associated with a connection which has not seen packets in both directions, and RELATED meaning that the packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer, or an ICMP error.

   unclean
       This module takes no options, but attempts to match packets which seem malformed or unusual. This is regarded as experimental.

   tos
       This module matches the 8 bits of Type of Service field in the IP header (ie. including the precedence bits).

       --tos tos
              The argument is either a standard name (use

                     iptables -m tos -h

              to see the list), or a numeric value to match.

TARGET EXTENSIONS
       iptables can use extended target modules. The following are included in the base package:

   LOG
       Turn on kernel logging of matching packets: the kernel prints information about each matching packet (the main IP header fields) to the kernel log, where it can be read with dmesg or syslogd.

       --log-level level
              Level of logging (numeric or see syslog.conf(5)).

       --log-prefix prefix
              Prefix log messages with the specified prefix; up to 14 letters long, and useful for distinguishing messages in the logs.

       --log-tcp-sequence
              Log TCP sequence numbers. This is a security risk if the log is readable by users.

       --log-tcp-options
              Log options from the TCP packet header.

       --log-ip-options
              Log options from the IP packet header.
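Putting the filter-table pieces together, as an added example that is not part of the tutorial or of iptables: the shell function below writes a complete stateful ruleset for the campus topology (one interface facing the uplink, one facing the clean inside segment) in the text form that iptables-restore(8) loads atomically. It uses the state, limit and tcp-flags matches and the LOG target documented above, and the REJECT target from the entries that follow. The interface names, the inside network, the list of published inside servers and the SSH-only management access are assumptions supplied as parameters; apply_rules needs root and is shown for the lockout precaution it takes.

```shell
#!/bin/sh
# Stateful packet filter for the campus topology used in this tutorial:
# one interface faces the uplink, the other faces the clean inside segment.
# Added example for this page, not the tutorial's own script.  Interface
# names, the inside network and the published servers are assumptions
# supplied as parameters.
#
# filter_rules WAN_IF LAN_IF LAN_NET ["host:port host:port ..."]
#   prints the filter table in the format iptables-restore(8) reads.
filter_rules() {
    wan=$1; lan=$2; lannet=$3; public=${4:-}
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:badflags - [0:0]
:logdrop - [0:0]
# logdrop: log at most 3 packets a minute (burst 5) with the LOG target, then drop
-A logdrop -m limit --limit 3/minute --limit-burst 5 -j LOG --log-prefix "FW-DROP: "
-A logdrop -j DROP
# badflags: flag combinations no real TCP stack sends, only port scanners
-A badflags -p tcp --tcp-flags ALL NONE -j logdrop
-A badflags -p tcp --tcp-flags SYN,FIN SYN,FIN -j logdrop
-A badflags -p tcp --tcp-flags SYN,RST SYN,RST -j logdrop
# INPUT: traffic addressed to the firewall itself
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# a packet arriving from outside with an inside source address is spoofed
-A INPUT -i $wan -s $lannet -j logdrop
-A INPUT -p tcp -j badflags
-A INPUT -i $lan -s $lannet -p tcp --dport 22 --syn -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
-A INPUT -i $lan -p tcp --syn -j REJECT --reject-with tcp-reset
-A INPUT -j logdrop
# FORWARD: traffic routed between the two segments
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i $wan -s $lannet -j logdrop
-A FORWARD -p tcp -j badflags
# inside hosts may open anything outward, but only from their own addresses
-A FORWARD -i $lan -o $wan -s $lannet -m state --state NEW -j ACCEPT
EOF
    # published inside services: only the first packet of a connection needs
    # a rule here; the rest is admitted by the ESTABLISHED,RELATED rule above
    for hp in $public; do
        printf -- '-A FORWARD -i %s -o %s -d %s -p tcp --dport %s --syn -j ACCEPT\n' \
            "$wan" "$lan" "${hp%:*}" "${hp#*:}"
    done
    printf -- '-A FORWARD -j logdrop\nCOMMIT\n'
}

# Load it without locking yourself out: keep the running ruleset and arm a
# restore timer; cancel the timer once you have confirmed you can still log in.
apply_rules() {
    iptables-save > /root/iptables.rollback
    ( sleep 180 && iptables-restore < /root/iptables.rollback ) &
    timer=$!
    filter_rules "$@" | iptables-restore
    echo "new ruleset loaded; run 'kill $timer' within 3 minutes to keep it"
}
```

Order matters: the ESTABLISHED,RELATED rule sits first so that every packet of an already-accepted connection is admitted by one lookup, and each new connection is judged exactly once, on its SYN. apply_rules saves the running ruleset and arms a restore before loading, so a mistake in a rule cannot lock a remote administrator out for longer than three minutes.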
   MARK
       This is used to set the netfilter mark value associated with the packet. It is only valid in the mangle table.

       --set-mark mark

   REJECT
       This is used to send back an error packet in response to the matched packet: otherwise it is equivalent to DROP.

       --reject-with type
              The type given can be icmp-net-unreachable, icmp-host-unreachable, icmp-port-unreachable, icmp-proto-unreachable, icmp-net-prohibited or icmp-host-prohibited, which return the appropriate ICMP error message (port-unreachable is the default). The option echo-reply is also allowed; it can only be used for rules which specify an ICMP ping packet, and generates a ping reply. Finally, the option tcp-reset can be used on rules in (or called from) the INPUT chain which only match the TCP protocol: this causes a TCP RST packet to be sent back.

   TOS
       This is used to set the 8-bit Type of Service field in the IP header.

       --set-tos tos
              Set the Type of Service field to one of the following numeric or descriptive values:

                     Minimize-Delay 16 (0x10)
                     Maximize-Throughput 8 (0x08)
                     Maximize-Reliability 4 (0x04)
                     Minimize-Cost 2 (0x02)
                     Normal-Service 0 (0x00)

   MIRROR
       An experimental demonstration target which swaps the source and destination fields of the IP header and retransmits the packet. It is only valid in the INPUT, FORWARD and PREROUTING chains.

   SNAT
       This target is only valid in the nat table, in the POSTROUTING chain. It specifies that the source address of the packet should be modified, and that rules should cease being examined. It takes one option:

       --to-source ipaddr[-ipaddr][:port-port]
              If no port range is specified, then source ports below 512 will be mapped to other ports below 512: those between 512 and 1023 inclusive will be mapped to ports below 1024, and other ports will be mapped to 1024 or above.
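The nat-table side of the same campus setup, as an added example that is not the tutorial's script: the school LAN leaves through one public address with the SNAT target above, or with MASQUERADE when the uplink's address is assigned dynamically, a few inside servers are published with DNAT, and inside web traffic can be steered into a proxy on the firewall with REDIRECT (the three targets the manpage describes next). Interface names, addresses and port lists are assumed parameters; the `! -d` placement is the newer spelling of the `-d ! address` form documented above, and iptables-restore accepts both.

```shell
#!/bin/sh
# NAT for a school LAN behind one public address, as iptables-restore(8) input.
# Added example for this page, not the tutorial's script.  Interface names,
# addresses and the port lists are assumptions supplied as parameters.
#
# nat_rules WAN_IF EXT_ADDR|dynamic LAN_NET ["extport:host:port ..."] [PROXY_PORT]
nat_rules() {
    wan=$1; ext=$2; lannet=$3; forwards=${4:-}; proxyport=${5:-}
    echo '*nat'
    echo ':PREROUTING ACCEPT [0:0]'
    echo ':POSTROUTING ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # outbound: a fixed address gets SNAT; a dial-up/DHCP link whose address
    # changes gets MASQUERADE, which re-reads the interface address each time
    if [ "$ext" = dynamic ]; then
        echo "-A POSTROUTING -s $lannet -o $wan -j MASQUERADE"
    else
        echo "-A POSTROUTING -s $lannet -o $wan -j SNAT --to-source $ext"
    fi
    # inbound: rewrite the destination of a published port before routing
    for f in $forwards; do
        extport=${f%%:*}; inside=${f#*:}          # inside is "host:port"
        echo "-A PREROUTING -i $wan -p tcp --dport $extport -j DNAT --to-destination $inside"
    done
    # transparent proxy: web requests from inside clients that leave the LAN
    # are delivered to the proxy port on the firewall itself
    if [ -n "$proxyport" ]; then
        echo "-A PREROUTING -s $lannet ! -d $lannet -p tcp --dport 80 -j REDIRECT --to-ports $proxyport"
    fi
    echo 'COMMIT'
}

# DNAT only rewrites the address: the packet is then routed and still has to
# pass the filter table's FORWARD chain.  With a default-deny FORWARD policy
# each published port needs an accept rule written against the *inside*
# address (what the packet carries after the rewrite), or the forward
# silently fails.  The output belongs in the *filter section of the restore file.
forward_rules_for_nat() {
    wan=$1; lan=$2; forwards=${3:-}
    for f in $forwards; do
        inside=${f#*:}
        echo "-A FORWARD -i $wan -o $lan -d ${inside%:*} -p tcp --dport ${inside#*:} --syn -j ACCEPT"
    done
}

# Nothing is forwarded at all until the kernel's router function is on:
#   sysctl -w net.ipv4.ip_forward=1
```

A forgotten forward_rules_for_nat line and a forgotten ip_forward are the two usual reasons a freshly written DNAT "does nothing"; the nat rule counters go up while the connection never completes.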
   DNAT
       This target is only valid in the nat table, in the PREROUTING and OUTPUT chains, and user-defined chains which are only called from those chains. It specifies that the destination address of the packet should be modified, and that rules should cease being examined.

       --to-destination ipaddr[-ipaddr][:port-port]

   MASQUERADE
       This target is only valid in the nat table, in the POSTROUTING chain. It should only be used with dynamically assigned IP (dial-up) connections: if you have a static IP address, you should use the SNAT target.

       --to-ports port[-port]

   REDIRECT
       This target is only valid in the nat table, in the PREROUTING and OUTPUT chains, and user-defined chains which are only called from those chains. It alters the destination IP address to send the packet to the machine itself (locally-generated packets are mapped to the 127.0.0.1 address).

       --to-ports port[-port]

EXTRA EXTENSIONS
       The following extensions are not included by default in the standard distribution.

   ttl
       This module matches the time to live field in the IP header.

       --ttl ttl
              Matches the given TTL value.

   TTL
       This target is used to modify the time to live field in the IP header. It is only valid in the mangle table.

       --ttl-set ttl
              Set the TTL to the given value.

       --ttl-dec ttl
              Decrement the TTL by the given value.

       --ttl-inc ttl
              Increment the TTL by the given value.

   ULOG
       This target provides userspace logging of matching packets. When this target is set for a rule, the Linux kernel will multicast this packet through a netlink socket. One or more userspace processes may then subscribe to various multicast groups and receive the packets.

       --ulog-nlgroup nlgroup
              This specifies the netlink group (1-32) to which the packet is sent. Default value is 1.

       --ulog-prefix prefix
              Prefix log messages with the specified prefix; up to 32 characters long, and useful for distinguishing messages in the logs.
       --ulog-cprange size
              Number of bytes to be copied to userspace. A value of 0 always copies the entire packet, regardless of its size. Default is 0.

       --ulog-qthreshold size
              Number of packets to queue inside the kernel. Setting this value to, e.g. 10 accumulates ten packets inside the kernel and transmits them as one netlink multipart message to userspace. Default is 1 (for backwards compatibility).

DIAGNOSTICS
       Various error messages are printed to standard error. The exit code is 0 for correct functioning. Errors which appear to be caused by invalid or abused command line parameters cause an exit code of 2, and other errors cause an exit code of 1.

BUGS
       Check is not implemented (yet).

COMPATIBILITY WITH IPCHAINS
       The main differences between iptables and ipchains:

       iptables is very similar to ipchains. The main difference is that in iptables the INPUT and OUTPUT chains are traversed only by packets destined for the local host and by packets generated by the local host, respectively, whereas in ipchains a forwarded packet passed through all three chains, input, output and forward.

       The other main difference is that -i refers to the input interface and -o to the output interface, and both are available for packets entering the FORWARD chain.

       iptables is a pure packet filter when using the default filter table, with optional extension modules. This removes much of the earlier confusion between IP masquerading and packet filtering in ipchains. So the following options are handled differently:

              -j MASQ
              -M -S
              -M -L

       There are several other changes in iptables. See also the packet-filtering-HOWTO, which details packet filtering, the NAT-HOWTO, which details NAT, and the netfilter-hacking-HOWTO, which details the internals.

AUTHORS
       Rusty Russell wrote iptables, in early consultation with Michael Neuling.
    Marc Boucher made Rusty abandon ipnatctl by lobbying for a generic packet selection framework in iptables, then wrote the mangle table, the owner match, the mark stuff, and ran around doing cool stuff everywhere.
    James Morris wrote the TOS target, and tos match.
    Jozsef Kadlecsik wrote the REJECT target.
    Harald Welte wrote the ULOG target, TTL match+target and libipulog.
    The Netfilter Core Team is: Marc Boucher, James Morris, Harald Welte and Rusty Russell.
===============================================================
* The main differences between iptables and ipchains, excerpted from the Linux 2.4 packet-filtering-HOWTO:
Differences Between iptables and ipchains
* Firstly, the names of the built-in chains have changed from lower case to UPPER case, because the INPUT and OUTPUT chains now only get locally-destined and locally-generated packets. They used to see all incoming and all outgoing packets respectively.
* The `-i' flag now means the incoming interface, and only works in the INPUT and FORWARD chains. Rules in the FORWARD or OUTPUT chains that used `-i' should be changed to `-o'.
* TCP and UDP ports now need to be spelled out with the --source-port or --sport (or --destination-port/--dport) options, and must be placed after the `-p tcp' or `-p udp' options, as this loads the TCP or UDP extensions respectively.
* The TCP -y flag is now --syn, and must be after `-p tcp'.
* The DENY target is now DROP, finally.
* Zeroing single chains while listing them works.
* Zeroing built-in chains also clears policy counters.
* Listing chains gives you the counters as an atomic snapshot.
* REJECT and LOG are now extended targets, meaning they are separate kernel modules.
* Chain names can be up to 31 characters.
* MASQ is now MASQUERADE and uses a different syntax. REDIRECT, while keeping the same name, has also undergone a syntax change. See the NAT-HOWTO for more information on how to configure both of these.
* The -o option is no longer used to direct packets to the userspace device (see -i above). Packets are now sent to userspace via the QUEUE target.
* Probably heaps of other things I forgot.
Where iptables improves on ipchains (excerpted from http://www.knowplace.org/netfilter/):
Why Netfilter/Iptables instead of Ipchains
* State matching - Connection tracking (can you trust the remote host to determine whether your firewall will accept a packet?).
* Automatic fragmentation reassembly - Connection tracking automatically reassembles fragmented packets for examination.
* Improved matching - Advanced packet matching such as rate limit, string matching (packet data), etc.
* Improved logging - Customized logging levels and entries, also allows user space logging.
* Allows packet mangling - Allows for the mangling of any information inside a packet.
* Userspace queuing - Allows userspace programs access to packets.
* Built-in support for port forwarding - obviates IPMASQADM.
* Progress - Inexorable fact of life.


iptables structure diagrams

Figure 17. iptables structure diagram

Figure 18. iptables command structure diagram

Figure 19. Packet flow into the rule tables and chains

The diagrams above are taken from http://www.knowplace.org/netfilter/syntax.html


Getting started with iptables

This section explains the concepts and usage of iptables.

iptables commands are case-sensitive.

The main syntactic differences between ipchains and iptables are as follows:

1. In ipchains, chain names such as input are lower case; in iptables, use the upper-case INPUT.
2. In iptables, you specify which table a rule applies to with -t (e.g. -t nat); if omitted, the rule applies to the filter table by default.
3. In ipchains, -i means the interface; in iptables, -i means the incoming direction, and there is an additional -o for the outgoing direction.
4. In iptables, the source port uses the keyword --sport or --source-port.
5. In iptables, the destination port uses the keyword --dport or --destination-port.
6. In iptables, the "discard" action no longer uses the DENY target; use DROP instead.
7. The ipchains logging option -l has become the target -j LOG, and a prefix for the log entries can be specified.
8. The ipchains flag -y becomes --syn or --tcp-flags SYN,ACK,FIN SYN in iptables.
9. In iptables, icmp message types require the keyword --icmp-type, e.g.:
iptables -A OUTPUT -o eth0 -p icmp -s $FW_IP --icmp-type 8 -d any/0 -j ACCEPT

iptables usage templates

When writing iptables packet-filtering rules there are a few template actions. Once you are familiar with them you can apply them yourself, extend them by analogy, and quickly find your way around.

Viewing the current settings

Do it as follows:

iptables -L -n
iptables -t nat -L -n

Defining variables

FW_IP="163.26.197.8"

Enabling kernel forwarding

Do it as follows:

###-----------------------------------------------------###
# Enable forwarding
###-----------------------------------------------------###
echo "1" > /proc/sys/net/ipv4/ip_forward

Clearing all rules

Start by clearing all rules and beginning afresh, so that old rules do not interfere with the new settings. Do it as follows:

###-----------------------------------------------------###
# Clear previous settings
###-----------------------------------------------------###
# Clear the rules in every chain of the default filter table
iptables -F
# Clear the user-defined chains of the default filter table
iptables -X
# Clear the rules in every chain of the mangle table
iptables -F -t mangle
# Clear the user-defined chains of the mangle table
iptables -t mangle -X
# Clear the rules in every chain of the nat table
iptables -F -t nat
# Clear the user-defined chains of the nat table
iptables -t nat -X

Choosing the default policies

Next, decide the default policy of each chain. Do it as follows:

Drop everything by default:

###-----------------------------------------------------###
# Set the default policies of the filter table
###-----------------------------------------------------###
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

Or accept everything by default:

###-----------------------------------------------------###
# Set the default policies of the filter table
###-----------------------------------------------------###
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

The default policy of each chain is set independently and is not affected by the other chains.

In the exercises below, if the target is DROP, set the policy to ACCEPT; if the target is ACCEPT, set the policy to DROP. Only then can the effect be observed.

Opening an interface

Do it as follows:

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Note: in the IPFW / Netfilter packet flow, packets of local processes do not pass through the FORWARD chain,
# so lo only takes effect in the INPUT and OUTPUT chains.
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A OUTPUT -o eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -o eth1 -j ACCEPT

IP masquerading

Masquerade the packets of the internal network so that they go out through the external eth0 card, using its address as the representative address. Do it as follows:

###-----------------------------------------------------###
# Enable internal-to-external address translation
###-----------------------------------------------------###
iptables -t nat -A POSTROUTING -o eth0 -s 172.16.0.0/16 -j SNAT --to-source $FW_IP

The command above means: packets from the 172.16.0.0/16 segment are masqueraded as $FW_IP on the way out.

Virtual hosts

By translating the address and port, packets from the external network can reach a server on the internal network; this is commonly called a virtual host. It keeps most of the server's ports out of reach of the outside world and opens only the channel of the public service (e.g. Web Server port 80), so security is quite high.

Do it as follows:

###-----------------------------------------------------###
# Enable external-to-internal address translation
###-----------------------------------------------------###
# Anyone connecting to $FW_IP:80 is redirected to 172.16.255.2:80
iptables -t nat -A PREROUTING -i eth0 -p tcp -d $FW_IP --dport 80 -j DNAT --to-destination 172.16.255.2:80

Allowing internal hosts to telnet to external hosts

Allow the internal network to telnet to external hosts.

Do it as follows (default policy DROP):

###-----------------------------------------------------###
# open telnet port 23 on external hosts
###-----------------------------------------------------###
iptables -A OUTPUT -o eth0 -p tcp -s $FW_IP --sport 1024:65535 -d any/0 --dport 23 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp ! --syn -s any/0 --sport 23 -d $FW_IP --dport 1024:65535 -j ACCEPT

Opening the mail relay channel

Allow any mail host to deliver mail to your Mail Server, and allow your Mail Server to deliver mail to them.

Do it as follows (default policy DROP):

###-----------------------------------------------------###
# open SMTP port 25
###-----------------------------------------------------###
# The following lets others deliver mail to you
iptables -A INPUT -i eth0 -p tcp -s any/0 --sport 1024:65535 -d $FW_IP --dport 25 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp ! --syn -s $FW_IP --sport 25 -d any/0 --dport 1024:65535 -j ACCEPT
# The following lets you deliver mail to others
iptables -A OUTPUT -o eth0 -p tcp -s $FW_IP --sport 1024:65535 -d any/0 --dport 25 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp ! --syn -s any/0 --sport 25 -d $FW_IP --dport 1024:65535 -j ACCEPT

Opening the channel for downloading mail

Allow the internal network to fetch mail from POP3 servers on the external network.

Do it as follows (default policy DROP):

###-----------------------------------------------------###
# open POP3 port 110 on external hosts
###-----------------------------------------------------###
iptables -A OUTPUT -o eth0 -p tcp -s $FW_IP --sport 1024:65535 -d any/0 --dport 110 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp ! --syn -s any/0 --sport 110 -d $FW_IP --dport 1024:65535 -j ACCEPT

Opening the channel for browsing the web

Allow the internal network to browse web sites on the external network.

Do it as follows (default policy DROP):

###-----------------------------------------------------###
# open HTTP port 80 on external hosts
###-----------------------------------------------------###
iptables -A OUTPUT -o eth0 -p tcp -s $FW_IP --sport 1024:65535 -d any/0 --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp ! --syn -s any/0 --sport 80 -d $FW_IP --dport 1024:65535 -j ACCEPT

Allowing queries to external DNS servers

Allow the internal network to query any DNS server on the external network.

Do it as follows (default policy DROP):

###-----------------------------------------------------###
# open DNS port 53
###-----------------------------------------------------###
# The first query is sent as a udp packet
iptables -A OUTPUT -o eth0 -p udp -s $FW_IP --sport 1024:65535 -d any/0 --dport 53 -j ACCEPT
iptables -A INPUT -i eth0 -p udp -s any/0 --sport 53 -d $FW_IP --dport 1024:65535 -j ACCEPT
# On error the query is retried over tcp
iptables -A OUTPUT -o eth0 -p tcp -s $FW_IP --sport 1024:65535 -d any/0 --dport 53 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp ! --syn -s any/0 --sport 53 -d $FW_IP --dport 1024:65535 -j ACCEPT
# Let the DNS on this host exchange queries with external DNS servers: udp
iptables -A OUTPUT -o eth0 -p udp -s $FW_IP --sport 53 -d any/0 --dport 53 -j ACCEPT
iptables -A INPUT -i eth0 -p udp -s any/0 --sport 53 -d $FW_IP --dport 53 -j ACCEPT
# Let the DNS on this host exchange queries with external DNS servers: tcp
iptables -A OUTPUT -o eth0 -p tcp -s $FW_IP --sport 53 -d any/0 --dport 53 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp ! --syn -s any/0 --sport 53 -d $FW_IP --dport 53 -j ACCEPT

Allowing internal hosts to ssh to external hosts

Allow the internal network to ssh to external hosts.

Do it as follows (default policy DROP):

###-----------------------------------------------------###
# open ssh port 22 on external hosts
###-----------------------------------------------------###
iptables -A OUTPUT -o eth0 -p tcp -s $FW_IP --sport 1024:65535 -d any/0 --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp ! --syn -s any/0 --sport 22 -d $FW_IP --dport 1024:65535 -j ACCEPT
# The following is where the ssh protocol differs: it may use source ports 1020:1023
iptables -A OUTPUT -o eth0 -p tcp -s $FW_IP --sport 1020:1023 -d any/0 --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp ! --syn -s any/0 --sport 22 -d $FW_IP --dport 1020:1023 -j ACCEPT

Allowing internal hosts to ftp to external hosts

Allow the internal network to ftp to external hosts.

Do it as follows (default policy DROP):

###-----------------------------------------------------###
# open ftp port 21 on external hosts
###-----------------------------------------------------###
# Open the command channel, port 21
iptables -A OUTPUT -o eth0 -p tcp -s $FW_IP --sport 1024:65535 -d any/0 --dport 21 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp ! --syn -s any/0 --sport 21 -d $FW_IP --dport 1024:65535 -j ACCEPT
# Open the data channel, port 20
iptables -A INPUT -i eth0 -p tcp -s any/0 --sport 20 -d $FW_IP --dport 1024:65535 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp ! --syn -s $FW_IP --sport 1024:65535 -d any/0 --dport 20 -j ACCEPT
# Open the passive mode FTP data channel
iptables -A OUTPUT -o eth0 -p tcp -s $FW_IP --sport 1024:65535 -d any/0 --dport 1024:65535 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp ! --syn -s any/0 --sport 1024:65535 -d $FW_IP --dport 1024:65535 -j ACCEPT

Allowing ping

Allow pinging any external host.

Do it as follows (default policy DROP):

iptables -A OUTPUT -o eth0 -p icmp -s $FW_IP --icmp-type 8 -d any/0 -j ACCEPT
iptables -A INPUT  -i eth0 -p icmp -s any/0 --icmp-type 0 -d $FW_IP -j ACCEPT
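Every TCP template above repeats the same pair: an OUTPUT rule for the request and an INPUT rule for the reply marked ! --syn. The helper below is an added example, not part of the original handout: it generates that pair for any TCP port (client and server side), and shows the connection-tracking alternative that the "state matching" point above refers to. It writes 0/0 where the handout writes any/0, uses the handout's sample FW_IP and eth0, and only prints the commands unless IPTABLES is set to the real binary.

```shell
#!/bin/sh
# Added example, not from the original handout.  Generates the "request out /
# reply in" rule pairs the templates use, for a host whose default policy is DROP.
# IPTABLES defaults to "echo" so the rules are only printed; run as root with
# IPTABLES=/sbin/iptables to install them.
FW_IP="163.26.197.8"          # the handout's sample external address
FW_IFACE="eth0"               # external interface, as in the handout
IPTABLES="${IPTABLES:-echo}"

# Stateless client rules, exactly as the templates do it.  The request may carry
# SYN; the reply must not (! --syn), so a remote host sourcing from port $1
# cannot open a new connection to our high ports through this opening.
#   $1 = remote service port, $2 = local source port range (default 1024:65535)
open_tcp_client() {
    dport="$1"
    sports="${2:-1024:65535}"
    $IPTABLES -A OUTPUT -o "$FW_IFACE" -p tcp -s "$FW_IP" --sport "$sports" \
        -d 0/0 --dport "$dport" -j ACCEPT
    $IPTABLES -A INPUT -i "$FW_IFACE" -p tcp ! --syn -s 0/0 --sport "$dport" \
        -d "$FW_IP" --dport "$sports" -j ACCEPT
}

# The mirror image for a service this host offers (request in, reply out).
#   $1 = local service port
open_tcp_server() {
    dport="$1"
    $IPTABLES -A INPUT -i "$FW_IFACE" -p tcp -s 0/0 --sport 1024:65535 \
        -d "$FW_IP" --dport "$dport" -j ACCEPT
    $IPTABLES -A OUTPUT -o "$FW_IFACE" -p tcp ! --syn -s "$FW_IP" --sport "$dport" \
        -d 0/0 --dport 1024:65535 -j ACCEPT
}

# Connection-tracking alternative: two rules admit every packet that belongs
# to a connection already accepted in either direction, so the per-service
# "! --syn" reply rules and the passive-FTP high-port-to-high-port opening
# are not needed; only the rules for the initial requests remain.
stateful_replies() {
    $IPTABLES -A INPUT -i "$FW_IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -o "$FW_IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Sample use, mirroring the templates above.
open_tcp_client 23            # telnet to external hosts
open_tcp_client 22 1020:1023  # ssh from the privileged source ports
open_tcp_server 25            # our own SMTP server
stateful_replies
```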


Firewall considerations

Bastion firewall

1. Most services on the firewall host should be shut down, keeping only a DHCP Server and an SSH Server, and the range of hosts allowed to connect should be restricted.
2. Under normal circumstances the firewall's first network card is set to a real (public) IP (unless this firewall is a second-tier firewall).
3. Routing must be enabled on the firewall (linuxconf -> config -> Routing and gateways -> Set Defaults).
4. The firewall's gateway is set to your school's router IP.
5. The firewall's second network card is set to a private IP (usually the last usable IP of the internal private range, excluding the broadcast address).
6. PCs on the internal network use the IP of the firewall's second network card as their gateway.
7. The internal network's DNS should point to a DNS server on the external network (do not place a DNS server inside the firewall at first). If you do place a DNS server inside the firewall and it serves only internal queries, it may use private IPs; if it also answers queries from the external network, its configuration must not contain private IPs, otherwise external users querying your school's DNS will receive private IPs and will be unable to reach your school's network.
8. The internal network's IP assignment, routing and DNS settings can be distributed automatically by a DHCP Server on the firewall.
9. For setting up the DHCP Server on the firewall, see my handout: http://teacher.mdjh.tnc.edu.tw/~ols3/docs/ols3techdoc/dhcp.htm
10. The firewall host should have its packages kept patched, so that it is not attacked.
11. The firewall should at least provide IP masquerading and virtual hosts; both are easy to achieve.
12. One network card represents one network segment; to add a segment, simply add another network card to the firewall.
13. The firewall's second network card acts as the router of the internal segment connected to it (and so on for further segments).
14. If a firewall network card is set to a private IP, the segment connected to it is usually the internal network; if it is set to a real IP, that segment is usually planned as the DMZ.
15. If Passive FTP Mode is not enabled on the firewall, users of the internal network must be told about the following changes when using FTP: before downloading files or uploading web pages over the network, some settings must be adjusted for FTP to work. Details:
   A. Browser interface:
      * If your browser is IE, turn on the browser's Web Based FTP feature (passive FTP). Steps: Tools -> Internet Options -> Advanced -> Use Web Based FTP, and uncheck the option: Always send as UTF-8.
      * If your browser is Netscape, no adjustment is needed.
   B. FTP client:
      Turn on passive mode in the software:
      * WS_FTP: Advanced -> check Passive transfers
      * CuteFTP: General -> check Use PASV mode
      * Command-line ftp: after connecting to the FTP Server, type passive to toggle passive mode so that its state is on.
      * Command-line ncftp needs no adjustment.


Configuration files

Running rc.firewall automatically at boot

At the end of /etc/rc.d/rc.local, add the following commands:

if [ -f /etc/rc.d/rc.firewall ]; then
    . /etc/rc.d/rc.firewall
fi

File permissions: chmod ug+rwx rc.firewall

(that is, chmod 774 rc.firewall)

The file's owner should be: root.root

When practising, you can run sh rc.firewall or ./rc.firewall

The following scripts are for reference only; they are not complete and will not necessarily meet your needs. You must modify them before use.

Generally, the IP in each command is handled by variable substitution. For example:

FW_IP="163.26.197.8" (FW_IP stands for 163.26.197.8)

When used, $FW_IP is substituted with 163.26.197.8, which makes maintenance easier.

Most other commonly used values are defined and substituted in the same way.

ipchains configuration file, for reference only: rc.firewall (1)

With the following settings you can carve out a clean network segment, represented externally by $FW_IP.

Change the IP and apply it directly; a simple firewall can be set up very quickly.

#! /bin/sh
FW_IP="163.26.197.8"
ipchains -F
ipchains -P input ACCEPT
ipchains -P output ACCEPT
ipchains -P forward ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
ipchains -A forward -s 192.168.1.0/24 -j MASQ
ipchains -A input -p tcp -d $FW_IP 80 -j REDIRECT 8080
redir --lport=8080 --caddr=192.168.1.2 --cport=80 &

iptables configuration file, for reference only: rc.firewall (2)

FW_IP is the real IP of the external network card; when applying this, remember to change it to the IP of your firewall's first network card.

Change the IP and apply it directly; a simple firewall can be set up very quickly.

#! /bin/sh
###-----------------------------------------------------###
# Internal segment IP and interface
###-----------------------------------------------------###
echo "Set internal ......"
echo
LAN_IP="172.16.255.254"
LAN_IP_RANGE="172.16.0.0/16"
LAN_BCAST_ADRESS="172.16.255.255"
LAN_IFACE="eth1"
# loopback interface
LO_IFACE="lo"
LO_IP="127.0.0.1"
###-----------------------------------------------------###
# External segment IP and interface
###-----------------------------------------------------###
echo "Set external ......"
echo
FW_IP="163.26.197.8"
FW_IP_RANGE="163.26.197.0/24"
FW_IFACE="eth0"
###-----------------------------------------------------###
# Path of iptables
###-----------------------------------------------------###
echo "Set path of iptables"
echo
IPTABLES="/sbin/iptables"
###-----------------------------------------------------###
# Enable forwarding
###-----------------------------------------------------###
echo "Enable ip_forward ......"
echo
echo "1" > /proc/sys/net/ipv4/ip_forward
###-----------------------------------------------------###
# Clear previous settings
###-----------------------------------------------------###
echo "Flush filter table ......"
echo
# Flush filter
$IPTABLES -F
$IPTABLES -X
echo "Flush mangle table ......"
echo
# Flush mangle
$IPTABLES -F -t mangle
$IPTABLES -t mangle -X
echo "Flush nat table ......"
echo
# Flush nat
$IPTABLES -F -t nat
$IPTABLES -t nat -X
###-----------------------------------------------------###
# Set the default policies of the filter table
###-----------------------------------------------------###
echo "Set default policies for filter table"
echo
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
###-----------------------------------------------------###
# Enable internal-to-external address translation
###-----------------------------------------------------###
echo "Enable simple IP Forwarding and Network Address Translation"
echo
$IPTABLES -t nat -A POSTROUTING -o $FW_IFACE -j SNAT --to-source $FW_IP
###-----------------------------------------------------###
# Enable external-to-internal address translation
###-----------------------------------------------------###
# Anyone connecting to $FW_IP:8080 is redirected to 172.16.255.2:80
$IPTABLES -t nat -A PREROUTING -p tcp -d $FW_IP --dport 8080 -j DNAT --to 172.16.255.2:80

ipchains configuration file, for reference only: rc.firewall (3)

$FW_IP is the IP of the firewall host's first network card; replace it with the IP of your own firewall's first network card.

#! /bin/sh
FW_IP="163.26.197.8"
ipchains -F
#ipchains -P input ACCEPT
#ipchains -P output ACCEPT
#ipchains -P forward ACCEPT
ipchains -P input DENY
ipchains -P output DENY
ipchains -P forward DENY
# open telnet
ipchains -A output -i eth0 -p tcp -s $FW_IP 1024:65535 -d any/0 23 -j ACCEPT
ipchains -A input  -i eth0 -p tcp  ! -y -s any/0 23 -d $FW_IP 1024:65535 -j ACCEPT
# open web
ipchains -A output -i eth0 -p tcp -s $FW_IP 1024:65535 -d any/0 80 -j ACCEPT
ipchains -A input  -i eth0 -p tcp  ! -y -s any/0 80 -d $FW_IP 1024:65535 -j ACCEPT
# open mail
ipchains -A output -i eth0 -p tcp -s $FW_IP 1024:65535 -d any/0 25 -j ACCEPT
ipchains -A input  -i eth0 -p tcp  ! -y -s any/0 25 -d $FW_IP 1024:65535 -j ACCEPT
# open pop3
ipchains -A output -i eth0 -p tcp -s $FW_IP 1024:65535 -d any/0 110 -j ACCEPT
ipchains -A input  -i eth0 -p tcp  ! -y -s any/0 110 -d $FW_IP 1024:65535 -j ACCEPT
# open dns : 1st => udp query
ipchains -A output -i eth0 -p udp -s $FW_IP 1024:65535 -d any/0 53 -j ACCEPT
ipchains -A input  -i eth0 -p udp -s any/0 53 -d $FW_IP 1024:65535 -j ACCEPT
# open dns : 2nd => tcp query
ipchains -A output -i eth0 -p tcp -s $FW_IP 1024:65535 -d any/0 53 -j ACCEPT
ipchains -A input  -i eth0 -p tcp ! -y  -s any/0 53 -d $FW_IP 1024:65535 -j ACCEPT
# open dns peer-to-peer : 1st => udp
ipchains -A output -i eth0 -p udp -s $FW_IP 53 -d any/0 53 -j ACCEPT
ipchains -A input  -i eth0 -p udp -s any/0 53 -d $FW_IP 53 -j ACCEPT
# open dns peer-to-peer : 2nd => tcp query
ipchains -A output -i eth0 -p tcp -s $FW_IP 53 -d any/0 53 -j ACCEPT
ipchains -A input  -i eth0 -p tcp ! -y  -s any/0 53 -d $FW_IP 53 -j ACCEPT
# open ftp channel 21 : commands channel
ipchains -A output -i eth0 -p tcp -s $FW_IP 1024:65535 -d any/0 21 -j ACCEPT
ipchains -A input  -i eth0 -p tcp ! -y -s any/0 21 -d $FW_IP 1024:65535 -j ACCEPT
# open ftp channel 20 : data channel
ipchains -A input  -i eth0 -p tcp -s any/0 20 -d $FW_IP 1024:65535 -j ACCEPT
ipchains -A output -i eth0 -p tcp ! -y -s $FW_IP 1024:65535 -d any/0 20 -j ACCEPT
# open Passive FTP Mode : data channel
ipchains -A output -i eth0 -p tcp -s $FW_IP 1024:65535 -d any/0 1024:65535 -j ACCEPT
ipchains -A input  -i eth0 -p tcp ! -y -s any/0 1024:65535 -d $FW_IP 1024:65535 -j ACCEPT
# open ssh
ipchains -A output -i eth0 -p tcp -s $FW_IP 1024:65535 -d any/0 22 -j ACCEPT
ipchains -A input  -i eth0 -p tcp ! -y -s any/0 22 -d $FW_IP 1024:65535 -j ACCEPT
ipchains -A output -i eth0 -p tcp -s $FW_IP 1020:1023 -d any/0 22 -j ACCEPT
ipchains -A input  -i eth0 -p tcp ! -y -s any/0 22 -d $FW_IP 1020:1023 -j ACCEPT
# Open the firewall's port 22 to one fixed IP at home or at school
# Below, 211.22.33.44 stands for your fixed IP at home; $FW_IP is the IP of the firewall's eth0
ipchains -A input -i eth0 -p tcp -s 211.22.33.44 1024:65535 -d $FW_IP 22 -j ACCEPT
ipchains -A output -i eth0 -p tcp ! -y -s $FW_IP 22 -d 211.22.33.44 1024:65535 -j ACCEPT
# Assuming this host runs a mail server, the following lets others deliver mail to this host's SMTP
ipchains -A input -i eth0 -p tcp -s any/0 1024:65535 -d $FW_IP 25 -j ACCEPT
ipchains -A output -i eth0 -p tcp ! -y -s $FW_IP 25 -d any/0 1024:65535 -j ACCEPT
# Assuming a junk-mail host, e.g. 211.33.44.55, keeps sending SPAM, the following refuses it
ipchains -A input -i eth0 -p tcp -s 211.33.44.55 -d $FW_IP 25 -j DENY
# Allow the education network centre 163.26.200.4 to ping me
ipchains -A input -i eth0 -p icmp -s 163.26.200.4 8 -d $FW_IP -j ACCEPT
ipchains -A output -i eth0 -p icmp -s $FW_IP 0 -d 163.26.200.4 -j ACCEPT
# I can ping any host
ipchains -A output -i eth0 -p icmp -s $FW_IP 8 -d any/0 -j ACCEPT
ipchains -A input -i eth0 -p icmp -s any/0 0 -d $FW_IP -j ACCEPT
# If the default policy is ACCEPT, the following refuses all sites that ping your host
# If the default policy is DENY, no rule is needed: everyone is already refused
ipchains -A input -i eth0 -p icmp -s any/0 8 -d $FW_IP -j DENY
# If the default policy is ACCEPT, the following refuses any host that traceroutes your host
ipchains -A output -i eth0 -p icmp -s $FW_IP 3 -d any/0 -j DENY
ipchains -A output -i eth0 -p icmp -s $FW_IP 11 -d any/0 -j DENY
# But I want to traceroute others
ipchains -A output -i eth0 -p udp -s $FW_IP 1024:65535 -d any/0 33434:33523 -j ACCEPT
ipchains -A input -i eth0 -p icmp -s any/0 11 -d $FW_IP -j ACCEPT
ipchains -A input -i eth0 -p icmp -s any/0 3 -d $FW_IP -j ACCEPT

iptables configuration file, for reference only: rc.firewall (4)

Below, $FW_IP stands for the real IP of the firewall's first network card.

#! /bin/sh
FW_IP="163.26.197.8"
# enable forward
echo "1" > /proc/sys/net/ipv4/ip_forward
# clear all chains
###-----------------------------------------------------###
# Clear previous settings
###-----------------------------------------------------###
# Clear the rules in every chain of the default filter table
iptables -F
# Clear the user-defined chains of the default filter table
iptables -X
# Clear the rules in every chain of the mangle table
iptables -F -t mangle
# Clear the user-defined chains of the mangle table
iptables -t mangle -X
# Clear the rules in every chain of the nat table
iptables -F -t nat
# Clear the user-defined chains of the nat table
iptables -t nat -X
#iptables -P INPUT ACCEPT
#iptables -P FORWARD ACCEPT
#iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A OUTPUT -o eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -o eth1 -j ACCEPT
# NAT
iptables -t nat -A POSTROUTING -o eth0 -j SNAT -s 172.16.0.0/16 --to-source $FW_IP
# virtual host
iptables -t nat -A PREROUTING -i eth0 -p tcp -d $FW_IP --dport 80 -j DNAT --to-destination 172.16.254.2:80
# open ssh server
iptables -A INPUT -i eth0 -p tcp -s any/0 --sport 1024:65535 -d $FW_IP --dport 22 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp ! --syn -s $FW_IP --sport 22 -d any/0 --dport 1024:65535 -j ACCEPT
# open telnet
iptables -A OUTPUT -o eth0 -p tcp -s $FW_IP --sport 1024:65535 -d any/0 --dport 23 -j ACCEPT
iptables -A INPUT  -i eth0 -p tcp ! --syn -s any/0 --sport 23 -d $FW_IP --dport 1024:65535 -j ACCEPT
# open web browser
iptables -A OUTPUT -o eth0 -p tcp -s $FW_IP --sport 1024:65535 -d any/0 --dport 80 -j ACCEPT
iptables -A INPUT  -i eth0 -p tcp ! --syn -s any/0 --sport 80 -d $FW_IP --dport 1024:65535 -j ACCEPT
# open mail
iptables -A OUTPUT -o eth0 -p tcp -s $FW_IP --sport 1024:65535 -d any/0 --dport 25 -j ACCEPT
iptables -A INPUT  -i eth0 -p tcp ! --syn -s any/0 --sport 25 -d $FW_IP --dport 1024:65535 -j ACCEPT
# open pop3
iptables -A OUTPUT -o eth0 -p tcp -s $FW_IP --sport 1024:65535 -d any/0 --dport 110 -j ACCEPT
iptables -A INPUT  -i eth0 -p tcp ! --syn -s any/0 --sport 110 -d $FW_IP --dport 1024:65535 -j ACCEPT
# open ssh client
iptables -A OUTPUT -o eth0 -p tcp -s $FW_IP --sport 1024:65535 -d any/0 --dport 22 -j ACCEPT
iptables -A INPUT  -i eth0 -p tcp ! --syn -s any/0 --sport 22 -d $FW_IP --dport 1024:65535 -j ACCEPT
# open dns 1st => udp
iptables -A OUTPUT -o eth0 -p udp -s $FW_IP --sport 1024:65535 -d any/0 --dport 53 -j ACCEPT
iptables -A INPUT  -i eth0 -p udp -s any/0 --sport 53 -d $FW_IP --dport 1024:65535 -j ACCEPT
# open dns 2nd => tcp
iptables -A OUTPUT -o eth0 -p tcp -s $FW_IP --sport 1024:65535 -d any/0 --dport 53 -j ACCEPT
iptables -A INPUT  -i eth0 -p tcp ! --syn -s any/0 --sport 53 -d $FW_IP --dport 1024:65535 -j ACCEPT
# open telnet server
iptables -A INPUT -i eth0 -p tcp -s any/0  --sport 1024:65535 -d $FW_IP --dport 23 -j ACCEPT
iptables -A OUTPUT  -o eth0 -p tcp ! --syn -s $FW_IP --sport 23 -d any/0 --dport 1024:65535 -j ACCEPT
# open ftp channel 21
iptables -A OUTPUT -o eth0 -p tcp -s $FW_IP --sport 1024:65535 -d any/0 --dport 21 -j ACCEPT
iptables -A INPUT  -i eth0 -p tcp ! --syn -s any/0 --sport 21 -d $FW_IP --dport 1024:65535 -j ACCEPT
# open ftp data channel 20
iptables -A INPUT  -i eth0 -p tcp -s any/0 --sport 20 -d $FW_IP --dport 1024:65535 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp ! --syn -s $FW_IP --sport 1024:65535 -d any/0 --dport 20 -j ACCEPT
# open Passive FTP mode
iptables -A OUTPUT -o eth0 -p tcp -s $FW_IP --sport 1024:65535 -d any/0 --dport 1024:65535 -j ACCEPT
iptables -A INPUT  -i eth0 -p tcp ! --syn -s any/0 --sport 1024:65535 -d $FW_IP --dport 1024:65535 -j ACCEPT
# open ping
iptables -A OUTPUT -o eth0 -p icmp -s $FW_IP --icmp-type 8 -d any/0 -j ACCEPT
iptables -A INPUT  -i eth0 -p icmp -s any/0 --icmp-type 0 -d $FW_IP -j ACCEPT

iptables configuration file, for reference only: rc.firewall (5)

#!/bin/sh
# This script is based on Oskar Andreasson's script; its copyright notice follows.
# Noted by OLS3. ols3@www.tnc.edu.tw
#-----------------------------------------------------------------------------
# rc.firewall - Initial SIMPLE IP Firewall script for Linux 2.4.x and iptables
#
# Copyright (C) 2001  Oskar Andreasson <blueflux@koffein.net>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA  02111-1307   USA
#-----------------------------------------------------------------------------
###-----------------------------------------------------###
# Internal segment IP and interface
###-----------------------------------------------------###
echo "Set internal ......"
echo
LAN_IP="172.16.255.254"
LAN_IP_RANGE="172.16.0.0/16"
LAN_BCAST_ADRESS="172.16.255.255"
LAN_IFACE="eth1"
# loopback interface
LO_IFACE="lo"
LO_IP="127.0.0.1"
###-----------------------------------------------------###
# External segment IP and interface
###-----------------------------------------------------###
echo "Set external ......"
echo
FW_IP="163.26.197.8"
FW_IP_RANGE="163.26.197.0/24"
FW_IFACE="eth0"
###-----------------------------------------------------###
# Path of iptables
###-----------------------------------------------------###
echo "Set path of iptables"
echo
IPTABLES="/sbin/iptables"
###-----------------------------------------------------###
# Enable forwarding
###-----------------------------------------------------###
echo "Enable ip_forward ......"
echo
echo "1" > /proc/sys/net/ipv4/ip_forward
###-----------------------------------------------------###
# Clear previous settings
###-----------------------------------------------------###
echo "Flush filter table ......"
echo
# Flush filter
$IPTABLES -F
$IPTABLES -X
echo "Flush mangle table ......"
echo
# Flush mangle
$IPTABLES -F -t mangle
$IPTABLES -t mangle -X
echo "Flush nat table ......"
echo
# Flush nat
$IPTABLES -F -t nat
$IPTABLES -t nat -X
###-----------------------------------------------------###
# Set the default policies of the filter table
###-----------------------------------------------------###
echo "Set default policies for filter table"
echo
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
###-----------------------------------------------------###
# Define a user chain named tcp_packets
###-----------------------------------------------------###
echo "Name a new chain : tcp_packets ......"
echo
$IPTABLES -N tcp_packets
# Append rules to the tcp_packets chain, as follows:
# 1. A packet that starts a new connection without SYN (we did not initiate it): log it, with the prefix "New not syn:"
#$IPTABLES -A tcp_packets -p tcp ! --syn -m state --state NEW -j LOG
#--log-prefix "New not syn:"
# 2. Drop such packets.
#$IPTABLES -A tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
# Log and drop TCP flag combinations typical of port scans
$IPTABLES -A tcp_packets -p TCP --tcp-flags ALL FIN,URG,PSH -j LOG --log-prefix "been scanned:"
$IPTABLES -A tcp_packets -p TCP --tcp-flags ALL ALL -j LOG --log-prefix "been scanned:"
$IPTABLES -A tcp_packets -p TCP --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG --log-prefix "been scanned:"
$IPTABLES -A tcp_packets -p TCP --tcp-flags ALL NONE -j LOG --log-prefix "been scanned:"
$IPTABLES -A tcp_packets -p TCP --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "been scanned:"
$IPTABLES -A tcp_packets -p TCP --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "been scanned:"
$IPTABLES -A tcp_packets -p TCP --tcp-flags ALL FIN,URG,PSH -j DROP
$IPTABLES -A tcp_packets -p TCP --tcp-flags ALL ALL -j DROP
$IPTABLES -A tcp_packets -p TCP --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPTABLES -A tcp_packets -p TCP --tcp-flags ALL NONE -j DROP
$IPTABLES -A tcp_packets -p TCP --tcp-flags SYN,RST SYN,RST -j DROP
$IPTABLES -A tcp_packets -p TCP --tcp-flags SYN,FIN SYN,FIN -j DROP
###-----------------------------------------------------###
# Enable internal-to-external address translation
###-----------------------------------------------------###
echo "Enable simple IP Forwarding and Network Address Translation"
echo
$IPTABLES -t nat -A POSTROUTING -o $FW_IFACE -j SNAT --to-source $FW_IP
###-----------------------------------------------------###
# Enable external-to-internal address translation
###-----------------------------------------------------###
# Anyone connecting to $FW_IP:8080 is redirected to 172.16.255.2:80
    $IPTABLES -t nat -A PREROUTING -p tcp -d $FW_IP --dport 8080  -j DNAT --to 172.16.255.2:80            ###-----------------------------------------------------###            # FOWARD            ###-----------------------------------------------------###            echo "Process forward ......"            echo            # FORWARD 由先由 tcp_packets 中來處理不好的 tcp packets            $IPTABLES -A FORWARD -p tcp -j tcp_packets            # 接受我們想 forward 的封包            $IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT            $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT            ###-----------------------------------------------------###            # 自訂 ICPM 及 UDP chain 來處理對應的封包            ###-----------------------------------------------------###            echo "New name for icpm and udp chain"            echo            $IPTABLES -N icmp_packets            $IPTABLES -N udpincoming_packets            ###-----------------------------------------------------###            # 自訂 allowed 這個 chain 來處理 允許進入的 tcp 連線            # 凡 tcp_packets 中的 chain rule 目的是某些欲開放的 port 者,            # 則跳至此一 allowed chain 來處理.            ###-----------------------------------------------------###            echo "New name for allowed chain"            echo            $IPTABLES -N allowed            $IPTABLES -A allowed -p TCP --syn -j ACCEPT            $IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT            $IPTABLES -A allowed -p TCP -j DROP            ###-----------------------------------------------------###            # ICMP chain rule            ###-----------------------------------------------------###            # 允許 ping 的要求(icmp-type =8), 至於回應(icmp-type=0)則不必規定            # 回應屬出 OUTPUT, 由 OUTPUT chain 來處理即可.            
#$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT            $IPTABLES -A icmp_packets -p ICMP -s $FW_IP_RANGE -d $FW_IP --icmp-type 8 -j ACCEPT            # 允許 time-exceeded 的要求(maximus hop count(TTL)is exceeded)            #$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT            $IPTABLES -A icmp_packets -p ICMP -s $FW_IP_RANGE --icmp-type 11 -j ACCEPT            #$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 3 -j ACCEPT            $IPTABLES -A icmp_packets -p ICMP -s  $FW_IP_RANGE --icmp-type 3 -j ACCEPT            ###-----------------------------------------------------###            # TCP rules            ###-----------------------------------------------------###            $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed            $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 20 -j allowed            $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 1024:65535 -j allowed            $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed            $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 25 -j allowed            $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed            $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 110 -j allowed            # for CVS server            $IPTABLES -A tcp_packets -p TCP -s $FW_IP_RANGE --dport 2401 -j allowed            #            # UDP ports            #            # nondocumented commenting out of these rules            #$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT            #$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT            #$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT            #$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT            # 允許 traceroute 至 FW_IP            $IPTABLES -A udpincoming_packets -p UDP -s $FW_IP_RANGE -j ACCEPT            #$IPTABLES -A udpincoming_packets -p UDP -j ACCEPT            
##########################            # PREROUTING chain.            #            # Do some checks for obviously spoofed IP‘s            #            #$IPTABLES -t nat -A PREROUTING -i $FW_IFACE -s 192.168.0.0/16 -j DROP            $IPTABLES -t nat -A PREROUTING -i $FW_IFACE -s 10.0.0.0/8 -j DROP            #$IPTABLES -t nat -A PREROUTING -i $FW_IFACE -s 172.16.0.0/12 -j DROP            ##########################            # INPUT chain            # Bad TCP packets we don‘t want.            $IPTABLES -A FORWARD -p tcp -j tcp_packets            # 進來的 ICMP 由 icmp_packets 這個 chain 來處理            $IPTABLES -A INPUT -p ICMP -i $FW_IFACE -j icmp_packets            # 進來的 TCP 由 tcp_packets 這個 chain 來處理            $IPTABLES -A INPUT -p TCP -i $FW_IFACE -j tcp_packets            # 進來的 UDP 由 udpincomming_packets 這個 chain 來處理            $IPTABLES -A INPUT -p UDP -i $FW_IFACE -j udpincoming_packets            #            # Rules for special networks not part of the Internet            #            $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT            $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT            $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT            $IPTABLES -A INPUT -p ALL -d $FW_IP -m state --state ESTABLISHED,RELATED             -j ACCEPT            ###############################            # OUTPUT chain            $IPTABLES -A FORWARD -p tcp -j tcp_packets            # 對外連線, 先全部打開            $IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT            $IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT            $IPTABLES -A OUTPUT -p ALL -s $FW_IP -j ACCEPT            
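The six `--tcp-flags` rules in the tcp_packets chain are the part of this script most often misread, because `--tcp-flags mask comp` does not mean "these flags are present" but "of the flags listed in mask, exactly those in comp are set". The following Python model is an added illustration and is not part of the original script or of Oskar Andreasson's rc.firewall: the (mask, comp) pairs are copied from the script, the sample flag bytes are constructed, only the TCP flags byte is modelled, and the helper names (`flagset`, `tcp_flags_match`, `matching_rules`, `verdict`) are my own. It shows which constructed packets the scan rules catch, how many "been scanned:" log lines each one produces (LOG is not a terminating target, so a packet can hit several LOG rules before the first DROP), and one case a practitioner should know about: a FIN,URG,PSH packet that also carries ACK passes all six rules.

```python
"""Offline model of the --tcp-flags scan-detection rules in the tcp_packets
chain above. Added illustration, not part of the original script: the rule
list is copied from the script, the sample packets are constructed, and only
the TCP flags byte is modelled."""

# TCP flag bits as they appear in the flags byte of the TCP header.
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL_MASK = sum(FLAGS.values())  # iptables' ALL keyword = FIN,SYN,RST,PSH,ACK,URG


def flagset(spec):
    """Turn an iptables flag list ("SYN,FIN", "ALL", "NONE") into a bitmask."""
    if spec == "ALL":
        return ALL_MASK
    if spec == "NONE":
        return 0
    return sum(FLAGS[name] for name in spec.split(","))


def tcp_flags_match(packet_flags, mask, comp):
    """--tcp-flags mask comp: among the bits in mask, exactly the bits in comp
    must be set; bits outside mask are ignored."""
    return (packet_flags & flagset(mask)) == flagset(comp)


# (mask, comp) pairs, in the order the script appends them to tcp_packets.
SCAN_RULES = [
    ("ALL", "FIN,URG,PSH"),            # "Xmas" scan
    ("ALL", "ALL"),                    # every flag set
    ("ALL", "SYN,RST,ACK,FIN,URG"),
    ("ALL", "NONE"),                   # "Null" scan
    ("SYN,RST", "SYN,RST"),            # SYN and RST together
    ("SYN,FIN", "SYN,FIN"),            # SYN and FIN together
]


def matching_rules(packet_flags):
    """Indices of every SCAN_RULES entry the packet matches. LOG does not
    terminate rule traversal, so the script writes one "been scanned:" line
    per matching LOG rule before the first matching DROP rule discards it."""
    return [i for i, (mask, comp) in enumerate(SCAN_RULES)
            if tcp_flags_match(packet_flags, mask, comp)]


def verdict(packet_flags):
    """DROP if any scan rule matches; otherwise the packet goes on to the
    port rules later in tcp_packets (modelled here as RETURN)."""
    return "DROP" if matching_rules(packet_flags) else "RETURN"


if __name__ == "__main__":
    # Constructed sample flag bytes, labelled by the flags they carry.
    samples = {
        "SYN (normal connection start)": flagset("SYN"),
        "SYN,ACK (normal handshake reply)": flagset("SYN,ACK"),
        "FIN,URG,PSH (Xmas)": flagset("FIN,URG,PSH"),
        "no flags (Null)": flagset("NONE"),
        "SYN,FIN": flagset("SYN,FIN"),
        "all six flags": flagset("ALL"),
        "FIN,URG,PSH,ACK": flagset("FIN,URG,PSH,ACK"),  # ACK breaks the exact match
    }
    for label, flags in samples.items():
        hits = matching_rules(flags)
        print(f"{label:34s} flags=0x{flags:02x} -> {verdict(flags):6s} "
              f"log lines={len(hits)} rules={hits}")
```

Running the block prints one line per sample. A plain SYN and a SYN,ACK pass; the Xmas and Null packets each hit exactly one rule; a packet with all six flags hits rules 1, 4 and 5 and is therefore logged three times before it is dropped. The same mask/comp reading explains `--syn` used in the allowed chain: iptables defines it as `--tcp-flags SYN,RST,ACK,FIN SYN`, which the model reproduces with `tcp_flags_match(flags, "SYN,RST,ACK,FIN", "SYN")`.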


from:  http://linux.tnc.edu.tw/techdoc/firewall/t1.html