…the source code if we want. The second benefit is that we are able to manage our own software. On Windows the packages are closed-source, so we cannot do this. With Linux we can choose a source package such as httpd-2.2.3.tar.gz. This is a free package that we can download from the network. To install it, we proceed as follows.

Extract the source:

    tar xvzf httpd-2.2.3.tar.gz

Move into the directory containing the source:

    cd httpd-2.2.3

Then configure, build and install it in turn:

    # ./configure && make && make install

If installing on Debian or Ubuntu, type:

    apt-get install apache

If installing from rpm packages, type:

    rpm -ivh httpd-2.2.3.rpm

Now we can run the Web Server. However, it may still fail to start, for example with an error because some other program is already listening on the port the Web Server is going to use. This is easily fixed by stopping the program occupying that port; after that, starting again works. To start, stop or restart Apache we use the following script:

    # /etc/init.d/httpd start/stop/restart

Or use the commands:

    # chkconfig httpd on
    # service httpd restart
However, to understand it and to make it behave the way we want, we must understand it and configure it by hand. That configuration is presented in section 2, Web Server configuration, below.

1.2. Configuring the Web Server

Apache's configuration files and directories:
    /etc/httpd/conf: the directory holding the configuration files, such as httpd.conf.
    /etc/httpd/modules: holds the Web Server's modules.
    /etc/httpd/logs: holds Apache's log files.
    /var/www/html: holds the web pages.
    /var/www/cgi-bin: holds the scripts used by the web pages.

The Apache configuration file is made up of many different directives. Each line, or each directive, serves one particular setting. Some directives affect one another. Lines beginning with # are comments. The following are the important directives when configuring the Web Server.

ServerName: the hostname of the Server. It is used when building redirection URLs. If it is not specified, the server tries to deduce it from its IP address; however, this may be unreliable or may not return the correct hostname.
    Syntax: ServerName <hostname>:port
    Example: ServerName www.nguyenhongthai.hcmut.edu.vn
NGUYỄN HỒNG THÁI 16/12/2006
ServerAdmin: the e-mail address of the system administrator.
    Syntax: ServerAdmin <email address>
    Example: ServerAdmin webmaster@hcmut.edu.vn
ServerType: specifies how the program is loaded. There are two ways: inetd, run from the init levels; standalone, run from the system.
    Syntax: ServerType <inetd/standalone>
    Example: ServerType standalone
DocumentRoot: the root directory holding the Website's content. The Web Server takes the files in this directory to serve client requests.
    Syntax: DocumentRoot <directory path>
    Example: DocumentRoot /usr/web
ServerRoot: points to the location where Apache is installed.
    Syntax: ServerRoot <Apache install location>
    Example: ServerRoot /usr/local/apache
ErrorLog: the file in which the server records any errors it encounters.
    Syntax: ErrorLog <log file location>
    Example: ErrorLog logs/error_log
DirectoryIndex: the default files looked up when a directory of the site is requested.
    Syntax: DirectoryIndex <list of files>
    Example: DirectoryIndex index.html
MaxClients: the maximum number of requests that clients may send to the server simultaneously.
    Syntax: MaxClients <maximum connections allowed>
    Example: MaxClients 256
Listen: the IP address or port on which Apache accepts connections from clients.
    Syntax: Listen <Port/IP>
    Example: Listen 80
BindAddress: the address of the network card on which Apache runs on the Server. Use * to use every address on the machine.
    Syntax: BindAddress <IP/*>
    Example: BindAddress 172.28.24.199
TimeOut: the lifetime of a connection, in seconds.
    Syntax: TimeOut <maximum time for a connection>
    Example: TimeOut 300
KeepAlive: whether or not a client may send several requests over a single connection to the Web Server.
    Syntax: KeepAlive <On/Off>
    Example: KeepAlive On
MaxKeepAliveRequests: the maximum number of requests on one connection (when several requests per connection are allowed).
    Syntax: MaxKeepAliveRequests <number of requests>
    Example: MaxKeepAliveRequests 100
KeepAliveTimeout: how long to wait for the next request from the same client on the same connection, in seconds.
    Syntax: KeepAliveTimeout <time>
    Example: KeepAliveTimeout 15
Alias: maps a local path (outside DocumentRoot) to a URL path.
    Syntax: Alias <http path> <local path>
    Example: Alias /doc /usr/share/doc
When http://www.nguyenhongthai.hcmut.edu.vn/doc is requested, it goes to /usr/share/doc. To restrict which users may access it, we can combine it with the Directory directive. Example:
    Alias /doc /usr/share/doc
    <Directory /usr/share/doc>
        # the authentication type used is Basic
        AuthType Basic
        # the name of the authentication realm is intranet
        AuthName intranet
        # location of the password file
        AuthUserFile /etc/httpd/passwd
        # users allowed to access the resource
        Require user hongthai minhtri
        # evaluate Deny before Allow and deny everyone else, otherwise the
        # Allow below restricts nothing (Apache comments must be on their own line)
        Order deny,allow
        Deny from all
        # allow access from this place
        Allow from internal.hcmut.edu.vn
    </Directory>
UserDir: lets users create their own home page on the Web Server. Syntax:

    <IfModule mod_userdir.c>
        # UserDir disabled
        # (leave the line above commented out to enable the UserDir mechanism)
        # declare the directory holding each user's Website
        UserDir www
    </IfModule>
    <Directory /home/*/www>
    </Directory>
In the user's home directory, create the directory www, for example /home/nhthai/www. The URL to access it from a Web Browser then has the form http://www.nguyenhongthai.hcmut.edu.vn/~<username>, which in this case is http://www.nguyenhongthai.hcmut.edu.vn/~nhthai. When a user tries to reach his directory he may get a Forbidden error message. This can be because access to the user's home directory is restricted. To fix that error, we reset the permissions on the user's home directory with the following commands:

    chown nhthai /home/nhthai /home/nhthai/www
    chmod 750 /home/nhthai /home/nhthai/www

Note that mode 750 grants nothing to "other", so the user the httpd worker runs as must belong to nhthai's group for this to work; the Apache documentation's alternative is 711 on the home directory and 755 on the web directory.
VirtualHost: a feature of Apache that lets us maintain more than one web server on a single machine. Several names sharing one IP address is called name-based virtual hosting; using a different IP address for each domain is called IP-based virtual hosting.

IP-based Virtual Host: IP-based virtual hosting requires the server to have a distinct IP address for every IP-based virtual host. The machine must therefore have several interfaces, or use the virtual-interface mechanism that later operating systems support. If our machine has one IP address, 172.28.24.199, we can configure another IP address on the same network card as follows:

    ifconfig eth0:1 172.28.24.198 netmask 255.255.255.0 up
Name-based Virtual Host: IP-based virtual hosts rely on the IP address to decide which virtual host is being accessed, so we need a different address for each virtual host. With name-based virtual hosts, the server relies on the HTTP header sent by the client to learn the hostname. Using this technique, one IP address can carry many different hostnames. Name-based virtual hosting is very simple: we only need to configure DNS so that every hostname resolves to the one IP address, and then configure Apache to serve the web sites of the different domains.
APPLYING IPTABLES TO WEB SERVER AND FTP SERVER

…port 21 carries the commands (the command port). FTP works in one of two modes: active and passive. When the FTP Server works in active mode, the client does not itself open the real connection to the server's data port; it simply tells the server which port it is listening on, and the server must connect back to the client on that port. From the point of view of a firewall in front of the client, this looks like an outside system initiating a connection to an inside system, which most firewalls block. To solve the problem of the server having to connect to the client, another FTP connection method was developed, called passive FTP or PASV (the command the client sends to tell the server that it is in passive mode). While passive FTP solves the problem on the client side, it causes other problems on the server side. First, it lets remote machines connect to any port above 1024 on the server. This is rather dangerous unless the FTP server is allowed to open only the range of ports at or above 1024 that FTP actually uses. Second, some FTP clients do not support passive mode; for example, the FTP utility shipped with Solaris does not support passive FTP, so an additional FTP client program is needed. Another point is that most Web browsers only support passive FTP when they access an FTP server through an ftp:// URL.

FTP Server programs: an FTP Server is a server that stores resources and supports the FTP protocol to communicate with other machines; it allows data to be transferred over the Internet. Some FTP Server programs used on Linux are vsftpd, Wuftpd, PureFTPd and ProFTPD. On Windows we can use the version supported by Microsoft, or Golden's versions: Golden-FTP-server-PROsetup.exe (which requires a license) or the free GoldenFTPserversetup.exe. For installation, when using Microsoft's version on Windows, go to Control Panel > Add/Remove Programs > Add/Remove Windows Components, select IIS and choose Install. With Golden's version we only run the single installer. We now present installation from source on Linux. The chosen package is vsftpd-2.0.5.tar.gz. The steps are as follows:

    # tar xvzf vsftpd-2.0.5.tar.gz        ## extract the source
    # cd vsftpd-2.0.5                     ## move into the source directory
    # make                                ## build the binary
    # mkdir /var/ftp                      ## create the directory holding the files served over FTP
    # useradd -d /var/ftp ftp             ## create the user account with that home directory
    # chown root.root /var/ftp            ## transfer ownership to root
    # chmod go-w /var/ftp                 ## deny write access to group and others
    # make install                        ## install the FTP Server

If make install cannot be run, we can do the following instead:

    # cp vsftpd /usr/local/sbin/vsftpd
    # cp vsftpd.conf.5 /usr/local/man/man5
    # cp vsftpd.8 /usr/local/man/man8

Next, copy the configuration file into /etc:

    # cp vsftpd.conf /etc

Finally, we edit it slightly to choose how it runs. To run it standalone, add the line listen=YES at the end of /etc/vsftpd.conf. To run it under inetd, add the line ftp stream tcp nowait root /usr/sbin/tcpd /usr/local/sbin/vsftpd to /etc/inetd.conf.
If we are not used to installing from source, we can choose ready-made installers such as deb or rpm packages; installing them is the same as for the Web Server. Vsftpd is a new package, developed around being fast, stable and secure. Vsftpd can handle a large number of connections efficiently and safely. To start and stop vsftpd:

    # service vsftpd start/stop/restart
    # /etc/init.d/vsftpd start/stop/restart
Files and directories commonly encountered when configuring the vsftpd server:

/etc/pam.d/vsftpd: the PAM configuration file for vsftpd. It defines what a user must supply when logging in to the ftp server.

PAM stands for Pluggable Authentication Modules. PAM was developed for the Solaris system by Sun Microsystems; the Linux-PAM project made PAM available on the Linux operating system. PAM is a set of shared libraries that grant privileges to PAM-aware applications.

/etc/vsftpd/vsftpd.conf: the vsftpd server configuration file.

/etc/vsftpd.ftpusers: lists the users who are not allowed to log in to vsftpd. By default this list contains root, bin, daemon and other users.

/etc/vsftpd.user_list: this file is configured to deny or allow the listed users access to the ftp server, depending on whether the userlist_deny option is set to YES or NO in vsftpd.conf. Users listed in this file must not appear in vsftpd.ftpusers.

/var/ftp: the directory holding the files that vsftpd serves. It also contains the pub directory for the anonymous user. This directory is read-only; only root can write to it.
…a specific computer network, namely the network of the computer lab of the Faculty of Electrical and Electronics Engineering, with the model set up as in the figure below. The configuration is explained as follows. For a packet to travel from the internal LAN to the outside network, its source address must be changed as it leaves the LAN, since to be routable the networks are required to share a subnet and, at the same time, the source address must be changed before the packet is routed outward. We therefore perform Source NAT, and with that the packet can reach the Internet. To configure Source NAT we can use iptables. We present the SNAT configuration on the machine used as the gateway of the 192.168.1.0/24 network. The steps are as follows:

    # modprobe ipt_MASQUERADE                 ## load the ipt_MASQUERADE module
    # iptables -F                             ## flush the rules in the filter table
    # iptables -t nat -F                      ## flush the rules in the nat table
    # iptables -t mangle -F                   ## flush the rules in the mangle table
    ## If a packet from 192.168.1.0/24 goes out to the outside network,
    ## change its source to 172.28.24.199
    # iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 172.28.24.199
    ## Allow the interfaces to forward to each other
    # echo 1 > /proc/sys/net/ipv4/ip_forward
    ## Allow packets that belong to an established connection or are related
    ## to an existing one. This matters for FTP connections
    # iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ## Allow packets arriving on interfaces other than eth0
    # iptables -A INPUT -m state --state NEW -i ! eth0 -j ACCEPT
    ## Default policy is DROP
    # iptables -P INPUT DROP
    ## If a packet would be forwarded from eth0 back out eth0, block it and
    ## tell the sender
    # iptables -A FORWARD -i eth0 -o eth0 -j REJECT

If the link to the outside network is not an Ethernet card but a dial-up link, replace eth0 with ppp0.
With the iptables configuration above, in the network model of Figure 7.1, suppose host 192.168.1.2 wants to send a Request to host 172.28.2.2. The packet then has source address 192.168.1.2 and destination address 172.28.2.2. It is routed to the gateway because the destination is not in the same subnet as the source; there, iptables rewrites the packet, changing the source address to 172.28.24.199 while the destination stays unchanged. Only then is it routed on. Routing proceeds in the same way: the packet is inspected, the destination is clearly not in the source's subnet, so it is routed to the next gateway, where the source address is changed again. Routing continues like this until it is found that the packet's destination address is in the same subnet as its source, which means the target host is on this network. At that point no gateway is needed, only the switch, and the packet is delivered straight to its destination. The Response from host 172.28.2.2 back to host 192.168.1.2 is routed to its destination by examining the header in the same way.
[Figure 7.1: network model. Internet (172.28.24.1); gateway eth0 172.28.24.199; outside hosts 172.28.247.197, 172.28.24.194, 172.28.24.195; internal LAN hosts 192.168.1.2, 192.168.1.3]
    # modprobe ip_nat_ftp
    ## Set the default policies and flush the iptables tables
    # iptables -t nat -F
    # iptables -P INPUT ACCEPT
    # iptables -F INPUT
    # iptables -P OUTPUT ACCEPT
    # iptables -F OUTPUT
    # iptables -P FORWARD ACCEPT
    # iptables -F FORWARD
    ## Web Server on host 192.168.1.2
    ## Change the destination of tcp packets arriving on eth0 for 172.28.24.199
    ## port 80 to 192.168.1.2 port 8080
    # iptables -t nat -A PREROUTING -d 172.28.24.199 -i eth0 -p tcp \
        --dport 80 -j DNAT --to-destination 192.168.1.2:8080
    ## Allow those packets to be forwarded
    # iptables -A FORWARD -p tcp -i eth0 -d 192.168.1.2 --dport 8080 \
        -j ACCEPT
    ## Likewise, the Web Server on host 192.168.1.3
    # iptables -t nat -A PREROUTING -d 172.28.24.199 -i eth0 -p tcp \
        --dport 8888 -j DNAT --to-destination 192.168.1.3:80
    # iptables -A FORWARD -p tcp -i eth0 -d 192.168.1.3 --dport 80 \
        -j ACCEPT
    ## FTP Server on host 192.168.1.2
    # iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 20:21 \
        -j DNAT --to-destination 192.168.1.2:21
    # iptables -A FORWARD -p tcp -i eth0 -d 192.168.1.2 --dport 21 \
        -j ACCEPT
    ## Likewise, for host 192.168.1.3
    # iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 2020:2121 \
        -j DNAT --to-destination 192.168.1.3:21
    # iptables -A FORWARD -p tcp -i eth0 -d 192.168.1.3 --dport 21 \
        -j ACCEPT
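To see what the SNAT rule above and this DNAT rule set do to a packet before anything is installed on a real gateway, here is an added Python model of both tables; it is not the report's code and talks to no netfilter. The packet layout and the LAN-side interface name eth1 are assumptions.

```python
# Added model of the gateway's NAT rules from this report; it is not the
# report's own code and talks to no real netfilter. The LAN-side interface
# name ("eth1") and the packet layout are assumptions.
GATEWAY_IP = "172.28.24.199"

# nat PREROUTING DNAT rules, in the order the report installs them:
# (dport low, dport high, new destination, new port)
DNAT_RULES = [
    (80, 80, "192.168.1.2", 8080),      # --dport 80        -> 192.168.1.2:8080
    (8888, 8888, "192.168.1.3", 80),    # --dport 8888      -> 192.168.1.3:80
    (20, 21, "192.168.1.2", 21),        # --dport 20:21     -> 192.168.1.2:21
    (2020, 2121, "192.168.1.3", 21),    # --dport 2020:2121 -> 192.168.1.3:21
]

# filter FORWARD ACCEPT rules: the (destination, dport) pairs the gateway forwards
FORWARD_ALLOW = {("192.168.1.2", 8080), ("192.168.1.3", 80),
                 ("192.168.1.2", 21), ("192.168.1.3", 21)}


def prerouting(pkt):
    """Rewrite the destination per the first matching DNAT rule (eth0, tcp only)."""
    if pkt["in"] != "eth0" or pkt["proto"] != "tcp":
        return pkt
    for low, high, new_dst, new_port in DNAT_RULES:
        if low <= pkt["dport"] <= high:
            return {**pkt, "dst": new_dst, "dport": new_port}
    return pkt


def postrouting(pkt):
    """SNAT: anything leaving on eth0 gets the gateway address as its source."""
    if pkt["out"] == "eth0":
        return {**pkt, "src": GATEWAY_IP}
    return pkt


def inbound(src, dport):
    """A TCP packet from outside arriving on eth0 for 172.28.24.199:dport.
    Returns the (host, port) that finally receives it, or None if DNAT sent
    it into the LAN but no FORWARD rule accepts it."""
    pkt = {"src": src, "dst": GATEWAY_IP, "dport": dport,
           "proto": "tcp", "in": "eth0", "out": "eth1"}
    pkt = prerouting(pkt)
    if pkt["dst"] == GATEWAY_IP:
        # no DNAT rule matched: the packet is for the gateway itself (INPUT chain)
        return (GATEWAY_IP, dport)
    if (pkt["dst"], pkt["dport"]) not in FORWARD_ALLOW:
        return None
    return (pkt["dst"], pkt["dport"])


def outbound(src, dst, dport):
    """A LAN host talking to the outside: the source seen on eth0 is the gateway."""
    pkt = {"src": src, "dst": dst, "dport": dport,
           "proto": "tcp", "in": "eth1", "out": "eth0"}
    pkt = postrouting(pkt)
    return (pkt["src"], pkt["dst"], pkt["dport"])
```

Two details worth checking with it: the 20:21 range sends port 20 to 192.168.1.2:21 as well, and a request the gateway makes to its own address never passes PREROUTING (locally generated packets only traverse the OUTPUT chains), which is why a browser on the gateway reaches the gateway's own server while outside hosts reach 192.168.1.2.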
Tail of the iptables-save output on the gateway:

    :FORWARD ACCEPT [552:57100]
    :OUTPUT ACCEPT [393:43195]
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i ! eth0 -m state --state NEW -j ACCEPT
    -A FORWARD -d 192.168.1.3 -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
    COMMIT
    # Completed on Thu Nov 9 15:47:54 2006
    # Generated by iptables-save v1.2.8 on Thu Nov 9 15:47:54 2006
    *mangle
    :PREROUTING ACCEPT [5114:853418]
    :INPUT ACCEPT [4416:773589]
    :FORWARD ACCEPT [552:57100]
    :OUTPUT ACCEPT [393:43195]
    :POSTROUTING ACCEPT [945:100295]
    COMMIT
    # Completed on Thu Nov 9 15:47:54 2006
Results from host 192.168.1.2, using Konqueror to access the Web server. If the URL typed is http://localhost:8080/, the machine understands it as the Web Server on host 192.168.1.2 itself, port 8080. This is easy to see, since ifconfig shows that 192.168.1.2 is the address of eth0 on host 192.168.1.2. If the URL typed is http://172.28.24.199, the host understands that this address is not in its own network, so it sends the request to the gateway, and the gateway routes it according to the iptables rules installed above (in the section that lets the LAN reach the outside network). Those rules map address 172.28.24.199 port 80 to 192.168.1.2 port 8080. So although two different URLs are typed, the result returned by the web server is the same. Likewise, from host 192.168.1.2 we log in remotely to another host outside the network and use Internet Explorer to access http://172.28.24.199, and we still receive exactly the same result from the web server as in the two cases above. However, if on the gateway machine we use Mozilla Firefox to access http://localhost/, it is understood as the Web Server on the gateway itself, even though that machine has the address 172.28.24.199. The difference is plain: the same address 172.28.24.199 and the same port 80, but accessing from different positions gives different results. Similarly, on host 192.168.1.2 we access ftp://localhost, and after logging in remotely to a host on another network we use Internet Explorer to access ftp://172.28.24.199. Both mean accessing the FTP Server on host 192.168.1.2 port 21, so we receive two identical results.
Results on the gateway machine: we used tcpdump to watch the routing through the gateway. The output obtained is as follows:

    11:01:09.614831 172.28.24.199.1065 > 172.28.24.195.3389: . ack 309 win 53576 <nop,nop,timestamp 589252 23626> (DF)
    11:01:09.908869 172.28.24.199.1026 > www.hcmut.edu.vn.domain: 59879+ PTR? 164.24.28.172.in-addr.arpa. (44) (DF)
    11:01:09.909556 www.hcmut.edu.vn.domain > 172.28.24.199.1026: 59879 NXDomain* 0/1/0 (112) (DF)
    11:01:09.925041 172.28.24.195.3389 > 172.28.24.199.1065: P 309:326(17) ack 1 win 64376 <nop,nop,timestamp 23629 589252> (DF)
    11:01:09.925202 172.28.24.199.1065 > 172.28.24.195.3389: . ack 326 win 53576 <nop,nop,timestamp 589283 23629> (DF)
    11:01:10.455809 172.28.24.195.3389 > 172.28.24.199.1065: P 326:342(16) ack 1 win 64376 <nop,nop,timestamp 23634 589283> (DF)
    11:01:10.455995 172.28.24.199.1065 > 172.28.24.195.3389: . ack 342 win 53576 <nop,nop,timestamp 589336 23634> (DF)
    11:01:10.555978 172.28.24.195.3389 > 172.28.24.199.1065: P 342:371(29) ack 1 win 64376 <nop,nop,timestamp 23635 589336> (DF)
    11:01:10.556143 172.28.24.199.1065 > 172.28.24.195.3389: . ack 371 win 53576 <nop,nop,timestamp 589346 23635> (DF)
    11:01:10.986546 172.28.24.195.3389 > 172.28.24.199.1065: P 371:388(17) ack 1 win 64376 <nop,nop,timestamp 23640 589346> (DF)
    11:01:10.986722 172.28.24.199.1065 > 172.28.24.195.3389: . ack 388 win 53576 <nop,nop,timestamp 589389 23640> (DF)
    11:01:11.517327 172.28.24.195.3389 > 172.28.24.199.1065: P 388:404(16) ack 1 win 64376 <nop,nop,timestamp 23646 589389> (DF)
    11:01:11.517490 172.28.24.199.1065 > 172.28.24.195.3389: . ack 404 win 53576 <nop,nop,timestamp 589442 23646> (DF)
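The claim that the capture shows no 192.168.1.0/24 host can be checked mechanically rather than by eye. The following added Python check (not part of the report) parses tcpdump lines of the format above and flags any whose endpoints fall inside the LAN; the sample mixes three lines from the report's capture with one constructed leak line.

```python
import ipaddress
import re

# Added check, not part of the report: scan tcpdump lines captured on the
# gateway's outside interface for addresses of the inner LAN.
LAN = ipaddress.ip_network("192.168.1.0/24")

SAMPLE = [
    "11:01:09.614831 172.28.24.199.1065 > 172.28.24.195.3389: . ack 309 win 53576 <nop,nop,timestamp 589252 23626> (DF)",
    "11:01:09.908869 172.28.24.199.1026 > www.hcmut.edu.vn.domain: 59879+ PTR? 164.24.28.172.in-addr.arpa. (44) (DF)",
    "11:01:09.925041 172.28.24.195.3389 > 172.28.24.199.1065: P 309:326(17) ack 1 win 64376 <nop,nop,timestamp 23629 589252> (DF)",
    # constructed line: what a missing SNAT rule would look like on the outside wire
    "11:01:12.000000 192.168.1.2.1040 > 172.28.24.195.80: S 1:1(0) win 5840 (DF)",
]

# tcpdump writes "src.port > dst.port:" after the timestamp
_PAIR = re.compile(r"\s(\S+) > (\S+):")


def endpoints(line):
    """((src_host, src_port), (dst_host, dst_port)) from one tcpdump line, or None.
    Host and port are joined by a dot, so each token is split on its last dot."""
    m = _PAIR.search(line)
    if not m:
        return None
    return tuple(tuple(tok.rpartition(".")[::2]) for tok in m.groups())


def lan_leaks(lines):
    """Return the lines whose source or destination address lies in 192.168.1.0/24.
    Resolved hostnames such as www.hcmut.edu.vn are not addresses and are skipped."""
    leaks = []
    for line in lines:
        pair = endpoints(line)
        if pair is None:
            continue
        for host, _port in pair:
            try:
                if ipaddress.ip_address(host) in LAN:
                    leaks.append(line.strip())
                    break
            except ValueError:
                continue  # hostname, not an IP address
    return leaks


if __name__ == "__main__":
    for leak in lan_leaks(SAMPLE):
        print("LAN address visible outside:", leak)
```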
The output above shows that we cannot see the hosts of the 192.168.1.0/24 network at all. In summary, using iptables to configure NAT from the inside outward lets hosts in the LAN reach servers outside, and NAT from the outside inward lets hosts outside the network reach servers inside the LAN. The results show, first, that we achieved server load balancing, that is, with the same IP address but different ports we can reach two different servers. Second, different ways of accessing from different positions are interpreted differently by the machine. Third, the tcpdump output shows that with iptables, besides packet filtering, we also perform NAT while still keeping the inside network protected. In practice, however, server load balancing and network security are not implemented in software but directly in hardware.