Introduction to Iptables

Translated from http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables
This document still has many shortcomings; we hope readers will contribute feedback so that it can be improved. Please send comments to trannhathuy@gmail.com.
Ho Chi Minh City, 12/2006
Translation team: Trần Nhật Huy, Hoàng Hải Nguyên, Ngô Trí Hùng Nam

I. INTRODUCTION TO IPTABLES

Network security is a top concern when setting up a website or any other network service. One way to protect a network is with a firewall. This document shows how to turn a Linux server into:
• A firewall that is at the same time a mail server, web server or DNS server.
• A router that uses NAT and port forwarding to protect your network while letting a public web server share the firewall's IP address.

One of the most widely used firewalls on Linux is iptables. Its main capabilities are:
• Tight integration with the Linux kernel, which improves the reliability and speed of iptables.
• Stateful inspection of all packets: the firewall tracks every connection passing through it and can examine the content of each data stream to anticipate the protocol's next action. This matters for protocols such as FTP and DNS.
• Packet filtering based on the MAC address and on the flags in the TCP header. This helps block attacks that use malformed packets and restricts access from locally attached hosts to other networks regardless of the IP address they present.
• System logging with an adjustable level of detail in the reports.
• Support for integration with web proxies such as Squid.
• Defences against denial-of-service attacks.

II. USING IPTABLES

1_ Starting iptables:
Commands to start, stop and restart iptables:
[root@bigboy tmp]# service iptables start
[root@bigboy tmp]# service iptables stop
[root@bigboy tmp]# service iptables restart
To start iptables automatically every time the machine boots:
[root@bigboy tmp]# chkconfig iptables on
To check the status of iptables:
[root@bigboy tmp]# service iptables status

2_ Packet processing in iptables:
Every packet is inspected by iptables through a set of built-in tables (queues) that are consulted in sequence. There are three tables:
_ Mangle: responsible for altering the quality-of-service bits in the TCP header: TOS (type of service), TTL (time to live) and MARK.
_ Filter: responsible for packet filtering. It has three built-in chains (rule lists) for setting filtering policy:
• FORWARD chain: filters packets destined for other servers.
• INPUT chain: filters packets destined for the server itself.
• OUTPUT chain: filters packets leaving the server.
_ NAT: has two main chains:
• PREROUTING chain: rewrites the destination address of a packet when needed.
• POSTROUTING chain: rewrites the source address of a packet when needed.

Table 1: Tables (queues), their chains and their functions

Table   | Table function              | Chain       | Chain function
Filter  | Packet filtering            | FORWARD     | Filters packets destined for servers reachable through another NIC on the firewall.
        |                             | INPUT       | Filters packets destined for the firewall itself.
        |                             | OUTPUT      | Filters packets originating from the firewall.
NAT     | Network Address Translation | PREROUTING  | Address translation before routing. Rewriting the destination address lets the packet match the firewall's routing table. Uses destination NAT (DNAT).
        |                             | POSTROUTING | Address translation after routing. Uses source NAT (SNAT).
        |                             | OUTPUT      | NAT for packets originating from the firewall itself. Rarely used in a SOHO (small office / home office) environment.
Mangle  | TCP header modification     | PREROUTING, POSTROUTING, OUTPUT, INPUT, FORWARD | Modification of the TCP quality-of-service bits before routing. Rarely used in a SOHO environment.

[Figure: how iptables filters and processes packets]

Let us follow the path of a packet. First, the packet arrives from network A. It is checked by the PREROUTING chain of the mangle table (if needed). Next, the PREROUTING chain of the nat table checks whether the packet needs DNAT; DNAT rewrites the destination address of the packet. The packet is then routed.
If the packet is headed into a protected network, it is filtered by the FORWARD chain of the filter table and, if required, SNAT in the POSTROUTING chain rewrites its source IP before it enters network B.
If the packet is destined for the firewall itself, it is checked by the INPUT chain of the mangle table; if it then passes the INPUT chain of the filter table, it is delivered to the server process running on the firewall.
When the firewall itself sends data out, the packet passes through the OUTPUT chain of the mangle table (if needed), then the OUTPUT chain of the nat table to see whether DNAT (which rewrites the destination address) is needed. The OUTPUT chain of the filter table checks the packet to block traffic the firewall is not allowed to send. Finally, before the packet leaves for the Internet, SNAT and QoS are handled in the POSTROUTING chain.

3_ Targets:
A target is the action taken when a packet matches a rule. Once a target is identified, the packet jumps to it for further processing. The table below lists the targets iptables uses most.

Table 2: The most commonly used iptables targets

Target     | Meaning | Options
ACCEPT     | iptables stops processing the packet and passes it to the receiving application or to the operating system. | None
DROP       | iptables stops processing the packet; the packet is blocked and discarded. | None
LOG        | Information about the packet is written to syslog for inspection. iptables continues processing the packet with the next rule. | --log-prefix "string": adds a user-defined string to the log message, usually the reason the packet was dropped.
REJECT     | Like DROP, but sends an error message back to the sender saying the packet was blocked and discarded. | --reject-with qualifier: selects the type of message returned to the sender. The qualifiers are: icmp-port-unreachable (default), icmp-net-unreachable, icmp-host-unreachable, icmp-proto-unreachable, icmp-net-prohibited, icmp-host-prohibited, tcp-reset, echo-reply.
DNAT       | Performs destination network address translation: the destination address of the packet is rewritten. | --to-destination ipaddress: iptables writes ipaddress into the destination address of the packet.
SNAT       | Performs source network address translation: the source address of the packet is rewritten. | --to-source <address>[-<address>][:<port>-<port>]: the IP address and port range iptables rewrites the source to.
MASQUERADE | Performs source network address translation. By default the source IP becomes the IP of the firewall's outgoing interface. | [--to-ports <port>[-<port>]]: specifies the range of source ports the original source port may be mapped to.

4_ Important iptables command switches:
The following switches let you build rules that process packets the way you intend.

Table 3: Important iptables switches

Switch         | Meaning
-t <table>     | If no table is specified, the filter table is used. The three tables are filter, nat and mangle.
-j <target>    | Jump to the target chain when the packet matches the current rule.
-A             | Append a rule to the end of the selected chain.
-F             | Flush (delete) all rules in the selected table.
-p <protocol>  | Match the protocol; usually icmp, tcp, udp or all.
-s <ip>        | Match the source IP address.
-d <ip>        | Match the destination IP address.
-i <interface> | Match the interface a packet arrives on (INPUT direction, packets entering the firewall).
-o <interface> | Match the interface a packet leaves by (OUTPUT direction, packets leaving the firewall).

To see how these are used, consider this example:
iptables -A INPUT -s 0/0 -i eth0 -d 192.168.1.1 -p TCP -j ACCEPT
iptables is configured so that the firewall accepts TCP packets arriving on interface eth0 from any source IP address and destined for 192.168.1.1, the firewall's own IP address. 0/0 means any IP address.

Table 4: Common TCP and UDP match conditions

Switch         | Meaning
-p tcp --sport | TCP source port. Either a single value or a range written start-port-number:end-port-number.
-p tcp --dport | TCP destination port. Either a single value or a range written starting-port:ending-port.
-p tcp --syn   | Matches a new TCP connection request. ! --syn means: not a new connection request.
-p udp --sport | UDP source port. Either a single value or a range written start-port-number:end-port-number.
-p udp --dport | UDP destination port. Either a single value or a range written starting-port:ending-port.

Consider the following example:
iptables -A FORWARD -s 0/0 -i eth0 -d 192.168.1.58 -o eth1 -p TCP \
    --sport 1024:65535 --dport 80 -j ACCEPT
iptables is configured so that the firewall accepts TCP packets arriving on eth0 from any source IP address and destined for 192.168.1.58 via interface eth1, with a source port between 1024 and 65535 and destination port 80 (www/http).

Table 5: ICMP match conditions

Switch      | Meaning
--icmp-type | The most commonly used types are echo-reply and echo-request.

An ICMP example:
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables is configured so that the firewall may send ICMP echo-requests (pings) and accept the returning ICMP echo-replies.

Another example:
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -i eth0 -j ACCEPT
iptables can limit the maximum number of matching packets per second. The period can be given as /second, /minute, /hour or /day, or in the abbreviated form 3/s instead of 3/second. In this example inbound ICMP echo requests are limited to no more than one per second. This iptables feature helps filter out the high traffic volumes that characterise denial-of-service (DoS) attacks and Internet worms.

iptables -A INPUT -p tcp --syn -m limit --limit 5/s -i eth0 -j ACCEPT
You can extend the limiting capability of iptables to reduce exposure to denial-of-service attacks. This is a defence against SYN flood attacks: the firewall accepts no more than five TCP segments with the SYN bit set per second. Note that packets above the limit simply do not match this rule and fall through to the rules that follow, so a later DROP rule (or a DROP default policy) is needed for the limit to have any effect.

Table 6: Common extended match conditions

Switch                   | Meaning
-m multiport --sport     | Several TCP/UDP source ports separated by commas (,). This is a list of ports, not a port range.
-m multiport --dport     | Several TCP/UDP destination ports separated by commas (,). This is a list of ports, not a port range.
-m multiport --ports     | Several TCP/UDP ports separated by commas (,), a list rather than a range, matched regardless of whether they are source or destination ports.
-m state --state <state> | The most commonly used states are:
                         | ESTABLISHED: the packet is part of a connection that has already been established in both directions.
                         | NEW: the packet starts a new connection.
                         | RELATED: the packet starts a secondary connection, typically an FTP data connection or an ICMP error.
                         | INVALID: the packet cannot be identified; this may be due to insufficient system resources or to an ICMP error that does not match an existing data flow.

This extends the earlier example:
iptables -A FORWARD -s 0/0 -i eth0 -d 192.168.1.58 -o eth1 -p TCP \
    --sport 1024:65535 -m multiport --dport 80,443 -j ACCEPT
iptables -A FORWARD -d 0/0 -o eth0 -s 192.168.1.58 -i eth1 -p TCP \
    -m state --state ESTABLISHED -j ACCEPT
iptables is configured so that the firewall accepts TCP packets arriving on eth0 from any source IP address, destined for 192.168.1.58 via eth1, with a source port between 1024 and 65535 and a destination port of 80 (www/http) or 443 (https). For the return packets from 192.168.1.58 you do not need to reverse the source and destination ports; it is enough to allow packets belonging to the already established connection with -m state --state ESTABLISHED.

5_ Using user-defined chains:
iptables lets you create user-defined chains within a table. They can make packet processing faster. For example, instead of sending every protocol through a single built-in chain, you can use one chain to decide the protocol of a packet and then hand the packet to a user-defined, protocol-specific chain in the filter table. Put another way, you replace one long chain with a short main chain and several short chains, which reduces the total chain length any packet has to traverse. The user-defined chains must be created with iptables -N before a rule can jump to them; the six commands that follow then build the chains:

iptables -N fast-input-queue
iptables -N fast-output-queue
iptables -N icmp-queue-in
iptables -N icmp-queue-out

iptables -A INPUT -i eth0 -d 206.229.110.2 -j fast-input-queue
iptables -A OUTPUT -o eth0 -s 206.229.110.2 -j fast-output-queue
iptables -A fast-input-queue -p icmp -j icmp-queue-in
iptables -A fast-output-queue -p icmp -j icmp-queue-out
iptables -A icmp-queue-out -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
iptables -A icmp-queue-in -p icmp --icmp-type echo-reply -j ACCEPT
Table 7: The chains (queues) used above

Chain             | Description
INPUT             | The built-in INPUT chain of the iptables filter table.
OUTPUT            | The built-in OUTPUT chain of the iptables filter table.
fast-input-queue  | A separate input chain that sorts packets by protocol and hands them to protocol-specific chains.
fast-output-queue | A separate output chain that sorts packets by protocol and hands them to protocol-specific chains.
icmp-queue-out    | A separate output chain for the ICMP protocol.
icmp-queue-in     | A separate input chain for the ICMP protocol.

6_ Saving the iptables scripts:
The iptables rules are kept in the file /etc/sysconfig/iptables. The sample file below allows ICMP, IPSec (ESP and AH packets), already established connections and inbound SSH:

[root@bigboy tmp]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.2.9 on Mon Nov 11:00:07 2004
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [144:12748]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 255 -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Mon Nov 11:00:07 2004
[root@bigboy tmp]#

7_ Setting up Fedora's iptables rules:
Fedora ships a program called lokkit that can set up a simple firewall rule set to improve security. lokkit writes the rules it creates to a new /etc/sysconfig/iptables file.

8_ Recovering lost scripts:
The iptables rules are stored in the file /etc/sysconfig/iptables. You can edit them and turn them into new rules. For example, to export the saved iptables commands to a text file named firewall-config:

[root@bigboy tmp]# iptables-save > firewall-config
[root@bigboy tmp]# cat firewall-config
# Generated by iptables-save v1.2.9 on Mon Nov 11:00:07 2004
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [144:12748]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 255 -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Mon Nov 11:00:07 2004
[root@bigboy tmp]#

After editing firewall-config, reload the firewall rules with:
[root@bigboy tmp]# iptables-restore < firewall-config
Then save them so that they survive a reboot:
[root@bigboy tmp]# service iptables save

9_ Required kernel modules:
Some iptables features need kernel modules to be loaded. Among them:
+ the iptable_nat module, required for some types of NAT;
+ the ip_conntrack_ftp module, required to track the FTP protocol;
+ the ip_conntrack module, which keeps track of TCP connection state;
+ the ip_nat_ftp module, required for FTP servers behind a NAT firewall.
NOTE: the file /etc/sysconfig/iptables does not record which modules were loaded, so the modprobe statements must be added to /etc/rc.local, which runs at the end of every boot. The following sample shows the statements stored in /etc/rc.local:

# File: /etc/rc.local
# Module to track the state of connections
modprobe ip_conntrack
# Load the iptables active FTP module, requires ip_conntrack
modprobe ip_conntrack_ftp
# Load iptables NAT module when required
modprobe iptable_nat
# Module required for active an FTP server using NAT
modprobe ip_nat_ftp

10_ Sample iptables scripts:
10.1_ Basic operating system protection:
The Linux kernel exposes its protection settings as files under the /proc filesystem, which are set through /etc/sysctl.conf. Use /etc/sysctl.conf to set the kernel parameters the firewall relies on. Here is a sample configuration; each value is the on/off setting its comment describes:

# File: /etc/sysctl.conf
#
# Disable routing triangulation. Respond to queries out
# the same interface, not another. Helps to maintain state
# Also protects against IP spoofing
#
net/ipv4/conf/all/rp_filter = 1
#
# Enable logging of packets with malformed IP addresses
#
net/ipv4/conf/all/log_martians = 1
#
# Disable redirects
#
net/ipv4/conf/all/send_redirects = 0
#
# Disable source routed packets
#
net/ipv4/conf/all/accept_source_route = 0
#
# Disable acceptance of ICMP redirects
#
net/ipv4/conf/all/accept_redirects = 0
#
# Turn on protection from Denial of Service (DOS) attacks
#
net/ipv4/tcp_syncookies = 1
#
# Disable responding to ping broadcasts
#
net/ipv4/icmp_echo_ignore_broadcasts = 1
#
# Enable IP routing. Required if your firewall is
# protecting a network, NAT included
#
net/ipv4/ip_forward = 1
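The sysctl.conf sample above only states the intended values; whether the running kernel actually has them is a separate question (a later script, another sysctl.d file or a forgotten sysctl -p can leave them unset). The shell script below is an added example, not part of the original chapter: it reads the same key = value list and compares it with the files under /proc/sys. The fixture function and its two deliberate deviations are constructed for the demo, and the /proc/sys root is a parameter so the check can be run against a copied tree.

```shell
#!/bin/sh
# Added example: audit the live kernel settings against the hardening list.
# Keys use the same net/ipv4/... form as the sysctl.conf sample; the values
# are the ones each comment in that sample describes.
HARDENING='
net/ipv4/conf/all/rp_filter = 1
net/ipv4/conf/all/log_martians = 1
net/ipv4/conf/all/send_redirects = 0
net/ipv4/conf/all/accept_source_route = 0
net/ipv4/conf/all/accept_redirects = 0
net/ipv4/tcp_syncookies = 1
net/ipv4/icmp_echo_ignore_broadcasts = 1
net/ipv4/ip_forward = 1
'

# sysctl_get KEY [ROOT]: print the live value of KEY, or "missing" when the
# file is absent. Dotted keys (net.ipv4.ip_forward) are accepted too.
sysctl_get() {
    sg_path=${2:-/proc/sys}/$(printf '%s' "$1" | tr . /)
    [ -r "$sg_path" ] && cat "$sg_path" || echo missing
}

# audit_sysctl [ROOT]: print one line per key whose live value differs from
# HARDENING; exit 0 when every key matches, 1 otherwise.
audit_sysctl() {
    as_root=${1:-/proc/sys}
    as_bad=$(
        printf '%s\n' "$HARDENING" | sed -e 's/#.*//' -e '/^[[:space:]]*$/d' |
        while read -r key eq want; do
            have=$(sysctl_get "$key" "$as_root")
            [ "$have" = "$want" ] || echo "$key expected=$want live=$have"
        done
    )
    [ -z "$as_bad" ] && return 0
    echo "$as_bad"
    return 1
}

# write_procsys_fixture DIR: constructed stand-in for /proc/sys used by the
# demo; rp_filter is off and ICMP redirects are accepted on purpose.
write_procsys_fixture() {
    mkdir -p "$1/net/ipv4/conf/all"
    for kv in rp_filter=0 log_martians=1 send_redirects=0 \
              accept_source_route=0 accept_redirects=1; do
        echo "${kv#*=}" > "$1/net/ipv4/conf/all/${kv%=*}"
    done
    echo 1 > "$1/net/ipv4/tcp_syncookies"
    echo 1 > "$1/net/ipv4/icmp_echo_ignore_broadcasts"
    echo 1 > "$1/net/ipv4/ip_forward"
}

# Demo against the fixture; on a real firewall simply run: audit_sysctl
demo_dir=$(mktemp -d)
write_procsys_fixture "$demo_dir"
if audit_sysctl "$demo_dir"; then
    echo "all hardening values present"
else
    echo "fix the keys above, then run: sysctl -p /etc/sysctl.conf"
fi
rm -rf "$demo_dir"
```

Running the check after every boot (for example from /etc/rc.local, right after the modprobe lines) catches the common case where the module loads succeed but the sysctl values never get applied.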
10.2_ Advantages of initializing iptables:
You can add a number of checks at the start of the script, including a check that traffic arriving from the Internet does not claim a private (RFC 1918) source address. More elaborate initializations also include checks against attacks that use invalid TCP flag values. The script uses several user-defined chains to keep it short and fast, since the chains can be called repeatedly; this avoids restating the same tests in every part of the firewall script. The complete initialization script:

#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#
#
# Define networks: NOTE!! You may want to put these "EXTERNAL"
# definitions at the top of your script
#
#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#
EXTERNAL_INT="eth0"           # External Internet interface
EXTERNAL_IP="97.158.253.25"   # Internet Interface IP address
#
# Initialize our user-defined chains
#
iptables -N valid-src
iptables -N valid-dst
#
# Verify valid source and destination addresses for all packets
#
iptables -A INPUT   -i $EXTERNAL_INT -j valid-src
iptables -A FORWARD -i $EXTERNAL_INT -j valid-src
iptables -A OUTPUT  -o $EXTERNAL_INT -j valid-dst
iptables -A FORWARD -o $EXTERNAL_INT -j valid-dst
#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#
#
# Source and Destination Address Sanity Checks
# Drop packets from networks covered in RFC 1918 (private nets)
# Drop packets from external interface IP
#
#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#
iptables -A valid-src -s 10.0.0.0/8      -j DROP
iptables -A valid-src -s 172.16.0.0/12   -j DROP
iptables -A valid-src -s 192.168.0.0/16  -j DROP
iptables -A valid-src -s 224.0.0.0/4     -j DROP
iptables -A valid-src -s 240.0.0.0/5     -j DROP
iptables -A valid-src -s 127.0.0.0/8     -j DROP
iptables -A valid-src -s 0.0.0.0/8       -j DROP
iptables -A valid-src -d 255.255.255.255 -j DROP
iptables -A valid-src -s 169.254.0.0/16  -j DROP
iptables -A valid-src -s $EXTERNAL_IP    -j DROP
iptables -A valid-dst -d 224.0.0.0/4     -j DROP
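The address list above is the kind of thing that drifts when it is copied into several scripts. The shell script below is an added example, not part of the original chapter: it keeps the list in one place and uses it both to answer "would the valid-src chain drop a packet with this source?" offline (pure shell arithmetic, no iptables needed) and to print the iptables commands that build both chains. EXTERNAL_IP defaults to the 97.158.253.25 the chapter's scripts assume; the addresses in the demo are constructed.

```shell
#!/bin/sh
# Added example: the valid-src / valid-dst address list, kept in one place so
# that it drives both an offline check and the iptables commands that build
# the chains. EXTERNAL_IP is the firewall's own Internet address.
EXTERNAL_IP=${EXTERNAL_IP:-97.158.253.25}

# Source prefixes that must never arrive on the Internet interface:
# RFC 1918 private nets, multicast, reserved, loopback, "this" net, link-local.
BOGON_SRC="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/5 127.0.0.0/8 0.0.0.0/8 169.254.0.0/16"

# ip2int A.B.C.D: print the address as an unsigned 32-bit integer
ip2int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# in_cidr IP PREFIX/LEN: succeed when IP lies inside PREFIX/LEN
in_cidr() {
    ic_ip=$(ip2int "$1")
    ic_net=$(ip2int "${2%/*}")
    ic_len=${2#*/}
    ic_mask=$(( (4294967295 << (32 - ic_len)) & 4294967295 ))
    [ $(( ic_ip & ic_mask )) -eq $(( ic_net & ic_mask )) ]
}

# is_bogon_src IP: succeed when the valid-src chain would DROP a packet
# claiming IP as its source (a bogon prefix or the firewall's own address)
is_bogon_src() {
    [ "$1" = "$EXTERNAL_IP" ] && return 0
    for bs_p in $BOGON_SRC; do
        in_cidr "$1" "$bs_p" && return 0
    done
    return 1
}

# emit_sanity_rules: print the iptables commands for both chains. Pipe into
# sh as root; the INPUT/FORWARD/OUTPUT jumps from the script above still apply.
emit_sanity_rules() {
    echo "iptables -N valid-src"
    echo "iptables -N valid-dst"
    for es_p in $BOGON_SRC; do
        echo "iptables -A valid-src -s $es_p -j DROP"
    done
    echo "iptables -A valid-src -d 255.255.255.255 -j DROP"
    echo "iptables -A valid-src -s $EXTERNAL_IP -j DROP"
    echo "iptables -A valid-dst -d 224.0.0.0/4 -j DROP"
}

# Demo: classify a few constructed addresses, then show the generated rules
for addr in 10.1.2.3 169.254.10.1 "$EXTERNAL_IP" 203.0.113.7; do
    if is_bogon_src "$addr"; then
        echo "$addr: would be dropped by valid-src"
    else
        echo "$addr: passes the sanity chain"
    fi
done
emit_sanity_rules
```

The offline check is useful when reading firewall logs: a dropped packet whose source is listed here is spoofed or misrouted, not a real client.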
10.3_ Allowing DNS access from the firewall:
The firewall will almost certainly need to make DNS queries to the Internet. This is required for the firewall's basic functions, and in particular for Fedora Linux's yum RPM updater, which keeps the server patched with the latest security fixes. The statements below apply not only to a firewall acting as a DNS client but also to a firewall acting as a caching or regular DNS server.

#---------------------------------------------------------------
# Allow outbound DNS queries from the FW and the replies too
#
# - Interface eth0 is the internet interface
#
# Zone transfers use TCP and not UDP. Most home networks
# / websites using a single DNS server won't require TCP
# statements
#---------------------------------------------------------------
iptables -A OUTPUT -p udp -o eth0 --dport 53 --sport 1024:65535 -j ACCEPT
iptables -A INPUT  -p udp -i eth0 --sport 53 --dport 1024:65535 -j ACCEPT

Note that a resolver retries over TCP port 53 when a UDP answer comes back truncated (large responses, as with DNSSEC), so a firewall that has to handle such answers needs matching TCP rules as well.

10.4_ Allowing WWW and SSH access to the firewall:
This short script is for a firewall that doubles as a web server and is managed by the web server's system administrator over SSH (secure shell). Inbound packets destined for port 80 (WWW) and port 22 (SSH) are allowed, but only for new connections, the first step in establishing a connection. No separate rules for these ports are needed on the outbound side, because the outbound packets of all established connections are allowed. The inbound packets of a session once established are admitted by the INPUT rule for ESTABLISHED,RELATED connections shown in the next section.

#---------------------------------------------------------------
# Allow previously established connections
# - Interface eth0 is the internet interface
#---------------------------------------------------------------
iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
#---------------------------------------------------------------
# Allow port 80 (www) and 22 (SSH) connections to the firewall
#---------------------------------------------------------------
iptables -A INPUT -p tcp -i eth0 --dport 22 --sport 1024:65535 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 80 --sport 1024:65535 -m state --state NEW -j ACCEPT

10.5_ Allowing the firewall to access the Internet:
This iptables script allows a user on the firewall to use a web browser to reach the Internet. HTTP traffic uses TCP port 80 and HTTPS (HTTP secure) uses port 443.

#---------------------------------------------------------------
# Allow port 80 (www) and 443 (https) connections from the firewall
#---------------------------------------------------------------
iptables -A OUTPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -o eth0 -p tcp \
    -m multiport --dport 80,443 -m multiport --sport 1024:65535
#---------------------------------------------------------------
# Allow previously established connections
# - Interface eth0 is the internet interface
#---------------------------------------------------------------
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED -i eth0 -p tcp

If you want all traffic from the firewall to be accepted, remove the following part:
-m multiport --dport 80,443 -m multiport --sport 1024:65535

10.6_ Allowing the home network to access the firewall:
In this example eth1 is connected to the home network, which uses addresses from 192.168.1.0/24. All traffic between the firewall and the home network is simply assumed to be trusted. The rules for the interface connected to the Internet allow only specific ports and connection types; the same approach can restrict which remote servers may reach the firewall and the home network.

#---------------------------------------------------------------
# Allow all bidirectional traffic from your firewall to the
# protected network
# - Interface eth1 is the private network interface
#---------------------------------------------------------------
iptables -A INPUT  -j ACCEPT -p all -s 192.168.1.0/24 -i eth1
iptables -A OUTPUT -j ACCEPT -p all -d 192.168.1.0/24 -o eth1

10.7_ Masquerading (many-to-one NAT):
Traffic from all devices on one or more protected networks appears to originate from a single IP address on the Internet side of the firewall. The masquerade address is always the IP address of the firewall's outgoing interface. The advantage of masquerading is that you never have to specify the NAT IP address, which makes the iptables NAT configuration simpler when the firewall obtains its address by DHCP. You can configure many-to-one NAT to a fixed IP address with POSTROUTING rules that use SNAT instead of MASQUERADE.

Masquerading depends on the Linux operating system being configured to route packets between its Internet and private network interfaces. This is done by enabling IP forwarding: writing the value 1 to the file /proc/sys/net/ipv4/ip_forward (the default is 0).

Once masquerading is set up in the POSTROUTING chain of the nat table, iptables must also be told to let packets pass between the two interfaces; this is done in the FORWARD chain of the filter table. Packets belonging to NEW and ESTABLISHED connections are allowed outbound to the Internet, but only packets belonging to ESTABLISHED connections are allowed inbound. This protects the home network from anyone attempting to connect to it from the Internet.

#---------------------------------------------------------------
# Load the NAT module
#
# Note: It is best to use the /etc/rc.local example in this
# chapter. This value will not be retained in the
# /etc/sysconfig/iptables file. Included only as a reminder.
#---------------------------------------------------------------
modprobe iptable_nat
#---------------------------------------------------------------
# Enable routing by modifying the ip_forward /proc filesystem file
#
# Note: It is best to use the /etc/sysctl.conf example in this
# chapter. This value will not be retained in the
# /etc/sysconfig/iptables file. Included only as a reminder.
#---------------------------------------------------------------
echo 1 > /proc/sys/net/ipv4/ip_forward
#---------------------------------------------------------------
# Allow masquerading
# - Interface eth0 is the internet interface
# - Interface eth1 is the private network interface
#---------------------------------------------------------------
iptables -A POSTROUTING -t nat -o eth0 -s 192.168.1.0/24 -d 0/0 -j MASQUERADE
#---------------------------------------------------------------
# Prior to masquerading, the packets are routed via the filter
# table's FORWARD chain.
# Allowed outbound: New, established and related connections
# Allowed inbound : Established and related connections
#---------------------------------------------------------------
iptables -A FORWARD -t filter -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -t filter -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

10.8_ Port forwarding with NAT (DHCP DSL):
In many cases a home user receives a single public IP address by DHCP from the ISP. If a Linux firewall is the Internet gateway and you want to host a website on one of the home servers protected by NAT, you have to use port forwarding. This combines the firewall's single IP address, the server's IP address and the source/destination ports of the traffic to decide where the traffic goes. Port forwarding is handled by the PREROUTING chain of the nat table. As with masquerading, the iptable_nat module must be loaded and routing must be enabled for port forwarding to work. Routing must also be allowed in iptables through the FORWARD chain; this covers all NEW inbound connections from the Internet that match the port forwarding rule, and all packets belonging to ESTABLISHED and RELATED connections.

#---------------------------------------------------------------
# Load the NAT module (see the rc.local note in 10.7)
#---------------------------------------------------------------
modprobe iptable_nat
#---------------------------------------------------------------
# Get the IP address of the Internet interface eth0 (linux only)
#
# You'll have to use a different expression to get the IP address
# for other operating systems which have a different ifconfig
# output, or enter the IP address manually in the PREROUTING
# statement.
#
# This is best when your firewall gets its IP address using DHCP.
# The external IP address could just be hard coded ("typed in
# normally")
#---------------------------------------------------------------
external_int="eth0"
external_ip="`ifconfig $external_int | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"
#---------------------------------------------------------------
# Enable routing by modifying the ip_forward /proc filesystem file
# (see the sysctl.conf note in 10.7)
#---------------------------------------------------------------
echo 1 > /proc/sys/net/ipv4/ip_forward
#---------------------------------------------------------------
# Allow port forwarding for traffic destined to port 80 of the
# firewall's IP address to be forwarded to port 8080 on server
# 192.168.1.200
#
# - Interface eth0 is the internet interface
# - Interface eth1 is the private network interface
#---------------------------------------------------------------
iptables -t nat -A PREROUTING -p tcp -i eth0 -d $external_ip --dport 80 --sport 1024:65535 \
    -j DNAT --to-destination 192.168.1.200:8080
#---------------------------------------------------------------
# After DNAT, the packets are routed via the filter table's
# FORWARD chain.
# Connections on port 80 to the target machine on the private
# network must be allowed.
#---------------------------------------------------------------
iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.1.200 --dport 8080 --sport 1024:65535 \
    -m state --state NEW -j ACCEPT
iptables -A FORWARD -t filter -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -t filter -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
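The script above discovers the external address by scraping ifconfig, whose output format differs between systems and has changed on Linux since the chapter was written. The shell script below is an added example, not part of the original chapter: it parses the one-line output of iproute2's "ip -4 -o addr show dev eth0" instead (assumed to be available, as it is on current Linux) and builds the DNAT and FORWARD rules from the result. The ip(8) output line is constructed for the demo, the addresses are the ones used in this section, and the source-port restriction of the original rules is dropped because clients are not required to use ports above 1023.

```shell
#!/bin/sh
# Added example: read the external address from iproute2 output instead of
# scraping ifconfig, then build the DNAT and FORWARD rules from it.
# Constructed sample of "ip -4 -o addr show dev eth0" output:
SAMPLE_IP_OUTPUT='2: eth0    inet 97.158.253.25/24 brd 97.158.253.255 scope global eth0\       valid_lft forever preferred_lft forever'

# external_ip_from_ip_output: read "ip -4 -o addr show dev IFACE" output on
# stdin and print the first IPv4 address without its prefix length
external_ip_from_ip_output() {
    awk '$3 == "inet" { sub(/\/.*/, "", $4); print $4; exit }'
}

# external_ip IFACE: live lookup on the firewall itself
external_ip() {
    ip -4 -o addr show dev "$1" | external_ip_from_ip_output
}

# emit_port_forward EXT_IF EXT_IP INT_IF TARGET_IP PUBLIC_PORT TARGET_PORT:
# print the three rules port forwarding needs. Pipe into sh as root.
emit_port_forward() {
    pf_ext_if=$1 pf_ext_ip=$2 pf_int_if=$3 pf_target=$4 pf_pub=$5 pf_tport=$6
    # nat/PREROUTING: rewrite the destination before the routing decision
    echo "iptables -t nat -A PREROUTING -p tcp -i $pf_ext_if -d $pf_ext_ip --dport $pf_pub -j DNAT --to-destination $pf_target:$pf_tport"
    # filter/FORWARD: by now the packet carries the private destination
    echo "iptables -A FORWARD -p tcp -i $pf_ext_if -o $pf_int_if -d $pf_target --dport $pf_tport -m state --state NEW -j ACCEPT"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Demo with the constructed ip(8) output; on the firewall use:
#   emit_port_forward eth0 "$(external_ip eth0)" eth1 192.168.1.200 80 8080
demo_ip=$(printf '%s\n' "$SAMPLE_IP_OUTPUT" | external_ip_from_ip_output)
echo "external address: $demo_ip"
emit_port_forward eth0 "$demo_ip" eth1 192.168.1.200 80 8080
```

When the external address is assigned by DHCP it can change while the rules are loaded; re-running the generator from the DHCP client's hook script keeps the PREROUTING rule in step with the address actually on the interface.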
10.9_ Static NAT (SNAT):
In this example all traffic to a particular public IP address is translated to a single server on the protected subnet. Because the firewall has more than one IP address, you cannot use MASQUERADE, which forces the source address to be the IP address of the outgoing interface and not one of the aliased IP addresses the firewall may have. Instead, SNAT is used to specify the aliased IP address that should be used for connections initiated by the other servers on the protected network.
Note: although the nat table translates all traffic to the destination servers (192.168.1.100 to 102), only connections to ports 80, 443 and 22 are allowed through by the FORWARD chain. You must use the -m multiport option whenever you need to match multiple non-sequential ports for both source and destination.
In this example the firewall:
+ uses one-to-one NAT to make the server 192.168.1.100 on the home network appear on the Internet as the IP address 97.158.253.26;
+ uses many-to-one NAT to make all other servers on the home network 192.168.1.0/24 appear on the Internet as the IP address 97.158.253.29.
This differs from the initialization script: you have to create IP aliases for each of the Internet IP addresses used for one-to-one NAT.
Order matters in the nat table: the one-to-one SNAT rule for 192.168.1.100 must come before the many-to-one rule for the whole subnet, because the first matching POSTROUTING rule is the one applied.

#---------------------------------------------------------------
# Load the NAT module (see the rc.local note in 10.7)
#---------------------------------------------------------------
modprobe iptable_nat
#---------------------------------------------------------------
# Enable routing by modifying the ip_forward /proc filesystem file
# (see the sysctl.conf note in 10.7)
#---------------------------------------------------------------
echo 1 > /proc/sys/net/ipv4/ip_forward
# NAT ALL traffic:
###########
# REMEMBER to create aliases for all the internet IP addresses below
###########
#
# TO:             FROM:            MAP TO SERVER:
# 97.158.253.26   Anywhere         192.168.1.100 (1:1 NAT - Inbound)
# Anywhere        192.168.1.100    97.158.253.26 (1:1 NAT - Outbound)
# Anywhere        192.168.1.0/24   97.158.253.29 (FW IP)
#
# SNAT is used to NAT all other outbound connections initiated
# from the protected network to appear to come from
# IP address 97.158.253.29
#
# POSTROUTING:
#   NATs source IP addresses. Frequently used to NAT connections
#   from your home network to the Internet
#
# PREROUTING:
#   NATs destination IP addresses. Frequently used to NAT
#   connections from the Internet to your home network
#
# - Interface eth0 is the internet interface
# - Interface eth1 is the private network interface
#---------------------------------------------------------------
# PREROUTING statements for 1:1 NAT
# (Connections originating from the Internet)
#---------------------------------------------------------------
iptables -t nat -A PREROUTING -d 97.158.253.26 -i eth0 -j DNAT --to-destination 192.168.1.100
#---------------------------------------------------------------
# POSTROUTING statements for 1:1 NAT
# (Connections originating from the home network servers)
#---------------------------------------------------------------
iptables -t nat -A POSTROUTING -s 192.168.1.100 -o eth0 -j SNAT --to-source 97.158.253.26
#---------------------------------------------------------------
# POSTROUTING statements for Many:1 NAT
# (Connections originating from the entire home network)
#---------------------------------------------------------------
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 97.158.253.29
#---------------------------------------------------------------
# Allow forwarding to each of the servers configured for 1:1 NAT
# (For connections originating from the Internet. Notice how you
# use the real IP addresses here)
#---------------------------------------------------------------
iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.1.100 -m multiport --dport 80,443,22 \
    -m state --state NEW -j ACCEPT
#---------------------------------------------------------------
# Allow forwarding for all New and Established SNAT connections
# originating on the home network AND already established DNAT
# connections
#---------------------------------------------------------------
iptables -A FORWARD -t filter -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#---------------------------------------------------------------
# Allow forwarding for all 1:1 NAT connections originating on the
# Internet that have already passed through the NEW forwarding
# statements above
#---------------------------------------------------------------
iptables -A FORWARD -t filter -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

10.10_ Troubleshooting iptables:
Several tools help you troubleshoot an iptables firewall script. One of the best methods is to log all the packets that are blocked.
* Checking the firewall log:
You can track the packets passing through the firewall's rule list with the LOG target. The LOG target:
+ writes the packet to /var/log/messages when the packet matches the rule containing the LOG target, then continues with the next rule;
+ does not stop the traffic by itself; to stop unwanted traffic you must add a matching rule with a DROP target after the LOG rule.
The following rules log and then drop all other packets to /var/log/messages:

#---------------------------------------------------------------
# Log and drop all other packets to file /var/log/messages
# Without this we could be crawling around in the dark
#---------------------------------------------------------------
iptables -A OUTPUT -j LOG
iptables -A INPUT -j LOG
iptables -A FORWARD -j LOG
iptables -A OUTPUT -j DROP
iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP

Unrestricted LOG rules can fill /var/log/messages quickly under a scan or flood; adding -m limit (for example --limit 5/min) to each LOG rule keeps the log usable, and a different --log-prefix per chain makes it clear which chain dropped a packet.
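Once the log-and-drop rules are in place, /var/log/messages fills with one line per dropped packet, and the question becomes who is hitting the firewall and on which ports. The shell script below is an added example, not part of the original chapter: it summarises LOG lines by any of the fields the LOG target writes (SRC, DST, PROTO, DPT, ...). The log lines are constructed for the demo; the DROP-IN: and DROP-FWD: prefixes assume the LOG rules were given --log-prefix "DROP-IN: " and --log-prefix "DROP-FWD: ".

```shell
#!/bin/sh
# Added example: summarise iptables LOG lines so that "log and drop everything
# else" becomes a readable report. Constructed sample of /var/log/messages:
SAMPLE_LOG='Nov  8 11:00:07 bigboy kernel: DROP-IN: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:11:22:33:08:00 SRC=203.0.113.7 DST=97.158.253.25 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Nov  8 11:00:09 bigboy kernel: DROP-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=97.158.253.25 LEN=60 TTL=52 PROTO=TCP SPT=51235 DPT=3389 SYN URGP=0
Nov  8 11:00:11 bigboy kernel: DROP-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=97.158.253.25 LEN=60 TTL=52 PROTO=TCP SPT=51236 DPT=23 SYN URGP=0
Nov  8 11:00:12 bigboy kernel: DROP-IN: IN=eth0 OUT= SRC=198.51.100.4 DST=97.158.253.25 LEN=60 TTL=48 PROTO=TCP SPT=40001 DPT=23 SYN URGP=0
Nov  8 11:00:15 bigboy kernel: DROP-IN: IN=eth0 OUT= SRC=198.51.100.4 DST=97.158.253.25 LEN=78 TTL=48 PROTO=UDP SPT=40002 DPT=161 LEN=58
Nov  8 11:00:20 bigboy kernel: DROP-FWD: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.168.1.58 LEN=60 TTL=51 PROTO=TCP SPT=51237 DPT=445 SYN URGP=0
Nov  8 11:00:21 bigboy sshd[1234]: Accepted publickey for admin from 192.168.1.10 port 50000 ssh2'

# log_count FIELD [PREFIX]: read syslog lines on stdin, keep the kernel lines
# written by the LOG target (only those containing PREFIX when given), and
# print "count value" for FIELD (SRC, DST, PROTO, DPT, ...), most frequent first.
log_count() {
    awk -v field="$1" -v want="${2:-}" '
        /kernel:/ && /SRC=/ && (want == "" || index($0, want)) {
            for (i = 1; i <= NF; i++)
                if (index($i, field "=") == 1) {
                    n[substr($i, length(field) + 2)]++
                    break           # first occurrence only (UDP lines repeat LEN=)
                }
        }
        END { for (v in n) print n[v], v }
    ' | sort -k1,1nr -k2,2
}

# Demo on the constructed log; on the firewall replace with, for example:
#   log_count SRC DROP-IN < /var/log/messages
echo "== dropped inbound, by source =="
printf '%s\n' "$SAMPLE_LOG" | log_count SRC DROP-IN
echo "== dropped inbound, by destination port =="
printf '%s\n' "$SAMPLE_LOG" | log_count DPT DROP-IN
```

Reading the two summaries together is usually enough to tell a port scan (one source, many ports) from a worm or brute-force attempt (many sources, one port), which decides whether a single -s DROP rule or a per-port rate limit is the right response.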