
APPLYING IPTABLES TO A WEB SERVER AND AN FTP SERVER



Nguyễn Hồng Thái <nhthai2005@gmail.com>, Dept. of Telecommunication, Ho Chi Minh City University of Technology, South Vietnam

1. Installing and configuring the Web Server


1.1. Installing the Web Server

1.1.1. The Web is an indispensable need today. It is one of the means by which people all over the world exchange information. From one point of view the Web can be seen as an electronic newspaper: it holds information that everyone can pick up easily. It has advantages over ordinary newspapers in that it carries more information and richer images, it lets readers interact and give feedback, and it is especially convenient for searching for information. It truly is a tool we cannot do without. But how do we get a web page? We need a Web Server. The Web Server is where the web pages are stored; it also has the task of managing and protecting them. To set up a Web Server we proceed step by step as presented below.

1.1.2. To install a Web Server we need software that supports it. We can choose Apache. It is powerful, flexible software for setting up a Web Server: it fully supports the HTTP protocol up to HTTP/1.1, it can be configured and extended with third-party modules, the full source code is provided under an unrestrictive license, and it runs on many operating systems such as Windows NT/9x, Netware 5.x, OS/2 and most Unix systems.

1.1.3. For the Windows version of Apache we only need to download the package (such as apache_2.2.3-win32-x86-no-ssl.msi) and install it. After that we can use it right away if we want.

1.1.4. For the Linux version, we usually install it at the very beginning, when installing the operating system. If it has not been installed yet, we can install it as follows. We can install from ready-made packages, whose file extension is usually deb or rpm: deb packages are Debian packages, for distros such as Debian, SuSE and Ubuntu; rpm packages are for Red Hat, the name being short for Red Hat Package Management. Despite the extension we can still install them on other distros, for example deb packages can be installed on Red Hat and rpm packages on Debian or Ubuntu, as long as the corresponding package manager is present: rpm packages are managed by rpm, deb packages by apt-get. These packages are similar to the msi or exe installers on Windows. Linux, however, also lets us install from source. This is very useful, for example we can fix bugs in the source code if we want. The second benefit is that we can manage our own software; on Windows the source is closed, so we cannot do this. On Linux we can choose a source package such as httpd-2.2.3.tar.gz. It is free and can be downloaded from the Internet. To install this package we proceed as follows. Extract the source:

    tar xvzf httpd-2.2.3.tar.gz

Move into the source directory:

    cd httpd-2.2.3

Then configure, build and install it in turn:

    # ./configure && make && make install

If installing on Debian or Ubuntu, type:

    apt-get install apache

If installing from rpm packages, type:

    rpm -ivh httpd-2.2.3.rpm

Now we can run the Web Server if we want. However, it may still fail to start, for example because some other program is already running on the port the Web Server will use. This is easily fixed by stopping the program that occupies that port; after restarting, the server runs. To start, stop or restart Apache we use the init script:

    # /etc/init.d/httpd start/stop/restart

or the commands:

    # chkconfig httpd on
    # service httpd restart

NGUYỄN HỒNG THÁI 16/12/2006

However, to understand it and to make it run the way we want, we need to understand it and configure it by hand. That configuration is presented in section 1.2, "Configuring the Web Server", below.

1.2. Configuring the Web Server

Apache's configuration files and directories:

/etc/httpd/conf: directory holding the configuration files such as httpd.conf.
/etc/httpd/modules: holds the Web Server's modules.
/etc/httpd/logs: holds Apache's log files.
/var/www/html: holds the web pages.
/var/www/cgi-bin: holds the scripts used by the web pages.

The Apache configuration file is made up of many different directives. Each line, or each directive, serves one particular setting; some directives influence each other. Lines beginning with # are comments. The important directives for configuring the Web Server follow.

ServerName: Syntax: ServerName <hostname>:port, where hostname is the server's host name. It is used when building redirection URLs. If it is not given, the server tries to deduce it from its IP address, but this may be unreliable or may not return the right host name. Example: ServerName www.nguyenhongthai.hcmut.edu.vn


ServerAdmin: e-mail address of the system administrator. Syntax: ServerAdmin <e-mail address>. Example: ServerAdmin webmaster@hcmut.edu.vn

ServerType: specifies how the program is loaded. There are 2 ways: inetd, run from the init levels; standalone, run by the system. Syntax: ServerType <inetd/standalone>. Example: ServerType standalone

DocumentRoot: configures the root directory that stores the website's content; the Web Server serves client requests from the files in this directory. Syntax: DocumentRoot <directory path>. Example: DocumentRoot /usr/web

ServerRoot: points to the directory where Apache is installed. Syntax: ServerRoot <Apache install location>. Example: ServerRoot /usr/local/apache

ErrorLog: names the file to which the server writes any errors it encounters. Syntax: ErrorLog <log file location>. Example: ErrorLog logs/error_log

DirectoryIndex: the default files looked up when a web page is accessed. Syntax: DirectoryIndex <list of files>. Example: DirectoryIndex index.html

MaxClients: the maximum number of requests clients may send to the server at the same time. Syntax: MaxClients <maximum allowed connections>. Example: MaxClients 256

Listen: the IP address or port on which Apache accepts client connections. Syntax: Listen <Port/IP>. Example: Listen 80

BindAddress: the address of the network card on which Apache runs. Syntax: BindAddress <IP/*>; use * to bind all addresses on the machine. Example: BindAddress 172.28.24.199

TimeOut: the lifetime of a connection, in seconds. Syntax: TimeOut <maximum time for a connection>. Example: TimeOut 300

KeepAlive: allows or forbids a client to send several requests over one connection to the Web Server. Syntax: KeepAlive <On/Off>


Example: KeepAlive On

MaxKeepAliveRequests: maximum number of requests per connection (if several requests per connection are allowed). Syntax: MaxKeepAliveRequests <number of requests>. Example: MaxKeepAliveRequests 100

KeepAliveTimeout: how long to wait for the next request from the same client on the same connection, in seconds. Syntax: KeepAliveTimeout <time>. Example: KeepAliveTimeout 15

Alias: maps a local path (outside DocumentRoot) to a URL path. Syntax: Alias <http path> <local path>. Example: Alias /doc /usr/share/doc. A request for http://www.nguyenhongthai.hcmut.edu.vn/doc is then served from /usr/share/doc. To restrict which users may access it, we combine it with the Directory directive. Example:
    Alias /doc /usr/share/doc
    <Directory /usr/share/doc>
        # the authentication type to use is Basic
        AuthType Basic
        # name the authentication realm intranet
        AuthName intranet
        # location of the password file
        AuthUserFile /etc/httpd/passwd
        # users allowed to access the resource
        Require user hongthai minhtri
        # allow access from this host
        Allow from internal.hcmut.edu.vn
    </Directory>

(Apache does not accept a comment after a directive on the same line, so the comments are placed on their own lines.)

UserDir: lets users publish a home page of their own on the Web Server. Syntax:

    <IfModule mod_userdir.c>
        # leave the next line commented out to keep the UserDir mechanism enabled
        #UserDir disabled
        # directory holding each user's website
        UserDir www
    </IfModule>
    <Directory /home/*/www>
    </Directory>

In the user's home directory, create the directory www, for example /home/nhthai/www. The URL then has the form http://www.nguyenhongthai.hcmut.edu.vn/~<userName>, in this case http://www.nguyenhongthai.hcmut.edu.vn/~nhthai. When the user tries to reach their directory they may get a Forbidden error, which may be because the access permissions on the user's home directory are restricted. To fix this we set the permissions on the user's home directory again with the following commands:

    chown nhthai /home/nhthai /home/nhthai/www
    chmod 750 /home/nhthai /home/nhthai/www


VirtualHost: an Apache feature that lets us maintain more than one web server on one machine. Several names sharing one IP address is called name-based virtual hosting; using a different IP address for each domain is called IP-based virtual hosting.

IP-based Virtual Host: IP-based virtual hosts require the server to have a distinct IP address for each virtual host. The machine therefore needs several interfaces, or must use the virtual-interface mechanism that later operating systems support. If our machine has one IP address, 172.28.24.199, we can configure another IP address on the same network card as follows:

    ifconfig eth0:1 172.28.24.198 netmask 255.255.255.0 up

Then we describe the configuration in the file httpd.conf:

    # default VirtualHost
    <VirtualHost *>
        DocumentRoot /tmp
        ServerName www.domain
    </VirtualHost>
    # VirtualHost for site 1
    <VirtualHost 172.28.24.199>
        DocumentRoot /home/www/site1
        ServerName www1.domain
    </VirtualHost>
    # VirtualHost for site 2
    <VirtualHost 172.28.24.198>
        DocumentRoot /home/www/site2
        ServerName www2.domain
    </VirtualHost>

Name-based Virtual Host: IP-based virtual hosts rely on the IP address to decide which virtual host answers a request, so we need a different address for each virtual host. With name-based virtual hosts the server relies on the HTTP header sent by the client to learn the host name, so one IP address can carry many different host names. Name-based virtual hosting is very simple: we only need to configure DNS so that each host name resolves to the IP address, and then configure Apache to organise the web servers for the different domains.
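The selection rule just described, as an added example that is not part of the original report: a small model of how Apache picks a <VirtualHost> block, first for the IP-based layout in the httpd.conf fragment above and then for a name-based variant. The name-based fragment (with its NameVirtualHost directive and the ServerAlias line), the parser and the selection function are my own; the addresses and directory names are the report's. One point worth keeping in mind for the DNAT setup of section 4: DNAT rewrites the destination address but not the Host header, so on a server behind the gateway only name-based matching still sees the name the client asked for.

```python
import re

# Constructed IP-based fragment, modelled on the report's httpd.conf.
IP_BASED_CONF = """
<VirtualHost *>
DocumentRoot /tmp
ServerName www.domain
</VirtualHost>
<VirtualHost 172.28.24.199>
DocumentRoot /home/www/site1
ServerName www1.domain
</VirtualHost>
<VirtualHost 172.28.24.198>
DocumentRoot /home/www/site2
ServerName www2.domain
</VirtualHost>
"""

# Constructed name-based variant: both sites share one address (assumption:
# the NameVirtualHost directive of Apache 1.3/2.0/2.2).
NAME_BASED_CONF = """
NameVirtualHost 172.28.24.199
<VirtualHost 172.28.24.199>
DocumentRoot /home/www/site1
ServerName www1.domain
</VirtualHost>
<VirtualHost 172.28.24.199>
DocumentRoot /home/www/site2
ServerName www2.domain
ServerAlias site2.domain
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S)


def parse_conf(text):
    """Return (set of NameVirtualHost addresses, list of vhost dicts).
    Each dict holds the block's address, its directives and any ServerAlias names."""
    name_based = set(re.findall(r"^NameVirtualHost\s+(\S+)", text, re.M))
    vhosts = []
    for addr, body in VHOST_RE.findall(text):
        vh = {"addr": addr.strip(), "aliases": []}
        for line in body.strip().splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            key, _, value = line.partition(" ")
            if key == "ServerAlias":
                vh["aliases"].extend(value.split())
            else:
                vh[key] = value.strip()
        vhosts.append(vh)
    return name_based, vhosts


def select_vhost(conf, dest_ip, host_header=None):
    """Return the DocumentRoot that serves a request arriving at dest_ip.
    IP-based: the block whose address equals dest_ip; '*' is the fallback.
    Name-based: among the blocks on a NameVirtualHost address, match the Host
    header against ServerName/ServerAlias; the first block is the default."""
    name_based, vhosts = parse_conf(conf)
    candidates = [v for v in vhosts if v["addr"] == dest_ip]
    if dest_ip in name_based and candidates:
        for v in candidates:
            if host_header in [v.get("ServerName")] + v["aliases"]:
                return v["DocumentRoot"]
        return candidates[0]["DocumentRoot"]  # no Host match: first block wins
    if candidates:
        return candidates[0]["DocumentRoot"]
    wildcard = [v for v in vhosts if v["addr"] == "*"]
    return wildcard[0]["DocumentRoot"] if wildcard else None


if __name__ == "__main__":
    print(select_vhost(IP_BASED_CONF, "172.28.24.198"))
    print(select_vhost(NAME_BASED_CONF, "172.28.24.199", "site2.domain"))
```

The model ignores ports and the _default_ address; it is enough to show why a request for an unknown Host name on a name-based address silently lands in the first block, which is the reason a catch-all first block is worth configuring deliberately.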

2. Installing and configuring the FTP Server


2.1. Installing the FTP Server

Like the Web, FTP is an indispensable tool in networking. FTP stands for File Transfer Protocol. The protocol is built on top of TCP and provides a mechanism for transferring information as files over a TCP/IP network. FTP is a special service because it uses 2 ports: port 20 for transferring data (the data port) and port 21 for transferring commands (the command port).

FTP operates in one of 2 modes: active and passive. In active mode the client does not itself open the real connection to the FTP Server's data port; it simply tells the server which port it is listening on, and the server must connect back to the client on that port. From the point of view of a firewall in front of the client this looks like an outside system initiating a connection to an inside system, which most firewalls block. To avoid the server having to connect to the client, another FTP connection method was developed, called passive FTP or PASV (the command the client sends to tell the server it is in passive mode). While passive FTP solves the problem on the client side, it causes other problems on the server side. First, it lets a remote machine connect to any server port above 1024, which is fairly dangerous unless the FTP server lets us specify the range of ports above 1024 that it uses. Second, some FTP clients do not support passive mode; for example the FTP utility shipped with Solaris does not, so an additional FTP client program is needed. Another note is that most web browsers support only passive FTP when reaching an FTP server through an ftp:// URL.

FTP Server programs: an FTP Server is a host that stores resources and supports the FTP protocol to communicate with other machines; it allows data transfer over the Internet. FTP Server programs used on Linux include vsftpd, Wu-ftpd, PureFTPd and ProFTPD. On Windows we can use the version supported by Microsoft or the one from Golden, such as Golden-FTP-server-PROsetup.exe (which requires a license) or the free GoldenFTPserversetup.exe.

As for installation, on Windows with the Microsoft version we go to Control Panel, Add/Remove Programs, Add/Remove Windows Components, select IIS and choose install. With the Golden version we only install that one package. We now present the installation from source on Linux. The chosen package is vsftpd-2.0.5.tar.gz. The steps are as follows:

    # tar xvzf vsftpd-2.0.5.tar.gz   ## extract the source
    # cd vsftpd-2.0.5                ## move into the source directory
    # make                           ## build the binary
    # mkdir /var/ftp                 ## create the directory holding the files served over FTP
    # useradd -d /var/ftp ftp        ## create the ftp user with that home directory
    # chown root.root /var/ftp       ## transfer ownership to root
    # chmod go-w /var/ftp            ## deny write access to all other users
    # make install                   ## install the FTP Server

If make install cannot be run, do the following instead:

    # cp vsftpd /usr/local/sbin/vsftpd
    # cp vsftpd.conf.5 /usr/local/man/man5
    # cp vsftpd.8 /usr/local/man/man8
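The two data-connection announcements contrasted above (the active-mode PORT command and the passive-mode 227 reply), as an added example that is not part of the original report: a parser for the h1,h2,h3,h4,p1,p2 form both use, and the decision of which side opens the data connection. This is also what the ip_conntrack_ftp helper loaded in section 4 has to read from the control channel so that the data connection can be accepted as RELATED. The sample lines, function names and the two sanity checks are mine; the vsftpd option names mentioned in the comments (port_promiscuous, pasv_min_port, pasv_max_port) are real vsftpd.conf options.

```python
import re

ADDR_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_hostport(text):
    """Return (ip, port) from an h1,h2,h3,h4,p1,p2 tuple; port = p1*256 + p2."""
    m = ADDR_RE.search(text)
    if not m:
        raise ValueError("no host/port tuple in: %r" % text)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in: %r" % text)
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def encode_hostport(ip, port):
    """Inverse of decode_hostport, for building a PORT command."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return "%s,%d,%d" % (ip.replace(".", ","), port >> 8, port & 0xFF)


def data_connection(client_ip, server_ip, line):
    """Work out who opens the data connection for one control-channel line.
    client_ip/server_ip are the endpoints of the control connection (port 21).
    Returns (initiator, peer_ip, peer_port, mode), or None for other lines."""
    if line.upper().startswith("PORT "):
        ip, port = decode_hostport(line)
        # Active mode: the server connects from port 20 back to the client,
        # i.e. an inbound connection the client's firewall must allow. A PORT
        # naming a third host is refused, as vsftpd does with port_promiscuous=NO.
        if ip != client_ip:
            raise ValueError("PORT address %s is not the client %s" % (ip, client_ip))
        return ("server", ip, port, "active")
    if line.startswith("227 "):
        ip, port = decode_hostport(line)
        # Passive mode: the client connects to a high port on the server; the
        # server-side firewall must open the pasv_min_port..pasv_max_port range
        # or rely on the conntrack helper to accept it as RELATED.
        if ip != server_ip:
            raise ValueError("PASV address %s is not the server %s" % (ip, server_ip))
        return ("client", ip, port, "passive")
    return None


if __name__ == "__main__":
    # Constructed exchange between the report's LAN client and gateway address.
    for line in ("USER ftp", "PORT 192,168,1,2,4,1",
                 "227 Entering Passive Mode (172,28,24,199,4,1)"):
        print(line, "->", data_connection("192.168.1.2", "172.28.24.199", line))
```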


Next, copy the configuration file into /etc:

    # cp vsftpd.conf /etc

Finally, a small edit chooses how the server runs. For standalone mode add the line listen=YES at the end of /etc/vsftpd.conf. To run it under inetd instead, add the line

    ftp stream tcp nowait root /usr/sbin/tcpd /usr/local/sbin/vsftpd

to /etc/inetd.conf.

If we are not used to installing from source, we can choose ready-made installations such as the deb or rpm packages; installing them is the same as for the Web Server. Vsftpd is a recent package, developed around speed, stability and security, and it handles a large number of connections efficiently and safely. To start and stop vsftpd:

    # service vsftpd start/stop/restart

or use the command:

    # /etc/init.d/vsftpd start/stop/restart

2.2. Configuring the FTP Server

The files and directories usually of interest when configuring the vsftpd server:

/etc/pam.d/vsftpd: the PAM configuration file for vsftpd. It defines what a user must supply when logging in to the ftp server. PAM stands for Pluggable Authentication Modules. PAM was developed for Sun Microsystems' Solaris; the Linux-PAM project makes it available on Linux. PAM is a set of shared libraries that grant privileges to PAM-aware applications.

/etc/vsftpd/vsftpd.conf: the vsftpd server's configuration file.

/etc/vsftpd.ftpusers: lists the users who are not allowed to log in to vsftpd. By default this list contains root, bin, daemon and other system users.

/etc/vsftpd.user_list: this file is configured either to deny or to allow the listed users access to the ftp server, depending on whether the userlist_deny option in vsftpd.conf is set to YES or NO. Users listed in this file must not appear in vsftpd.ftpusers.

/var/ftp: the directory holding the files vsftpd serves. It also contains the pub directory for the anonymous user. This directory is read-only; only root can write to it.
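The login decision implied by the three user files above, as an added example that is not part of the original report: /etc/vsftpd.ftpusers (enforced through PAM) always denies, while /etc/vsftpd.user_list is a deny list when userlist_deny=YES and an allow list when userlist_deny=NO. The file contents are constructed for the example, and the function assumes userlist_enable=YES (in vsftpd the user_list check happens before the password prompt, so a denied name never reaches PAM).

```python
# Constructed file contents; real files live at the paths named in the text.
FTPUSERS = """# users that may never log in over FTP
root
bin
daemon
"""
USER_LIST = """nhthai
minhtri
"""


def parse_user_file(text):
    """One user name per line; blank lines and '#' comments are ignored."""
    users = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            users.add(line)
    return users


def ftp_login_allowed(user, ftpusers, user_list, userlist_enable=True, userlist_deny=True):
    """Return (allowed, reason) for a login attempt by `user`.
    Order matters: with userlist_enable=YES the user_list decision is taken
    before the password is asked for; only then does PAM consult ftpusers."""
    listed = user in parse_user_file(user_list)
    if userlist_enable:
        if userlist_deny and listed:
            return False, "denied by user_list (userlist_deny=YES)"
        if not userlist_deny and not listed:
            return False, "not in user_list (userlist_deny=NO)"
    if user in parse_user_file(ftpusers):
        return False, "denied by ftpusers via PAM"
    return True, "continue to PAM password check"


if __name__ == "__main__":
    for name in ("root", "nhthai", "guest"):
        print(name, ftp_login_allowed(name, FTPUSERS, USER_LIST))
        print(name, ftp_login_allowed(name, FTPUSERS, USER_LIST, userlist_deny=False))
```

The edge the text warns about is visible in the code: a name that appears in both files is rejected by user_list first under userlist_deny=YES, but under userlist_deny=NO it passes the allow list and is only then stopped by ftpusers, which is why the two lists must not overlap.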

3. Configuring the LAN so that it can reach the outside network


This section configures the machines in a LAN so that they can reach the outside Internet. It is the model that lets many machines share one public IP. To do this on Linux we can choose a very stable tool, iptables, for the configuration. Besides this purpose, iptables is also a very effective packet filter: we can allow or block whichever packets we want. To make this concrete, we present a model that we set up ourselves and ran in practice, using a real network, the computer room of the Faculty of Electrical and Electronics Engineering, with the layout shown in the figure below. The configuration can be explained as follows. For a packet to travel from the inside LAN to the outside network, its source address must be changed as it leaves the LAN: routing requires the networks to share a subnet, and the source address must be changed before the packet is routed outward. We therefore perform Source NAT, and with that the packet can go out to the Internet. For configuring Source NAT we can choose iptables. We present the SNAT configuration on the machine used as the gateway of the network 192.168.1.0/24. The steps are as follows:

    ## load the ipt_MASQUERADE module
    # modprobe ipt_MASQUERADE
    ## flush the rules in the filter table
    # iptables -F
    ## flush the rules in the nat table
    # iptables -t nat -F
    ## flush the rules in the mangle table
    # iptables -t mangle -F
    ## packets going from 192.168.1.0/24 to the outside network get their
    ## source address changed to 172.28.24.199
    # iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 172.28.24.199
    ## allow the interfaces to forward to each other
    # echo 1 > /proc/sys/net/ipv4/ip_forward
    ## accept packets belonging to established connections or related to an
    ## existing one; this matters for FTP connections
    # iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ## accept new connections arriving on interfaces other than eth0
    # iptables -A INPUT -m state --state NEW -i ! eth0 -j ACCEPT
    ## default policy is DROP (deny)
    # iptables -P INPUT DROP
    ## packets forwarded from eth0 back out of eth0 are blocked and the
    ## sender is notified
    # iptables -A FORWARD -i eth0 -o eth0 -j REJECT

If the link to the outside network is not an Ethernet card but a dial-up connection, change eth0 to ppp0.

With the iptables configuration above and the network model of the figure below, suppose the machine 192.168.1.2 wants to send a request to the machine 172.28.2.2. The packet then has source address 192.168.1.2 and destination address 172.28.2.2. It is routed to the gateway because the destination is not in the source's subnet; there iptables rewrites the packet, changing the source address to 172.28.24.199 and leaving the destination unchanged. Only then is the packet routed onward. Routing proceeds in the same way as before: the next hop sees that the destination is clearly not in the source's subnet, routes the packet to its gateway and changes the source address there. Routing continues like this until a hop finds that the packet's destination is in the same subnet as its source, at which point it knows the target machine is on this network; it then no longer needs a gateway but only the switch, and delivers the packet straight to its destination. For the response from 172.28.2.2 back to 192.168.1.2, each hop reads the header and routes it back the same way.


[Figure 1 (diagram not reproduced). Labels recoverable from the figure: Internet; upstream router 172.28.24.1; gateway with eth0 172.28.24.199 and eth1 192.168.1.1; outside hosts 172.28.247.197, 172.28.24.198, 172.28.24.194 and 172.28.24.195; LAN hosts 192.168.1.2 and 192.168.1.3.]

Figure 1: Self-built LAN network model

4. Configuring the outside network so that it can reach the Servers


This section configures access from the outside network to servers inside an internal LAN. This is also a very common model: it can do load balancing while keeping the internal network safe. The method can be explained briefly as follows: an Internet user who wants to reach some web page types only the address of the virtual server (also called the VIP, short for Virtual IP) in the URL. Because this virtual server is also the gateway, we set up the firewall there too; it inspects the address and the port and then forwards the request to the required server. The server model we set up ourselves is illustrated in the figure below. The configuration steps are as follows:

    ## enable IP forwarding
    # echo 1 > /proc/sys/net/ipv4/ip_forward
    ## load the modules
    # modprobe ip_conntrack_ftp
    # modprobe ip_nat_ftp
    ## set the default policies and flush the iptables tables
    # iptables -t nat -F
    # iptables -P INPUT ACCEPT
    # iptables -F INPUT
    # iptables -P OUTPUT ACCEPT
    # iptables -F OUTPUT
    # iptables -P FORWARD ACCEPT
    # iptables -F FORWARD
    ## configure the Web Server on 192.168.1.2:
    ## a tcp packet entering eth0 with destination 172.28.24.199 port 80
    ## gets its destination changed to 192.168.1.2 port 8080
    # iptables -t nat -A PREROUTING -d 172.28.24.199 -i eth0 -p tcp \
        --dport 80 -j DNAT --to-destination 192.168.1.2:8080
    ## allow those packets to be forwarded
    # iptables -A FORWARD -p tcp -i eth0 -d 192.168.1.2 --dport 8080 \
        -j ACCEPT
    ## likewise, configure the Web Server on 192.168.1.3
    # iptables -t nat -A PREROUTING -d 172.28.24.199 -i eth0 -p tcp \
        --dport 8888 -j DNAT --to-destination 192.168.1.3:80
    # iptables -A FORWARD -p tcp -i eth0 -d 192.168.1.3 --dport 80 \
        -j ACCEPT
    ## configure the FTP Server on 192.168.1.2
    # iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 20:21 \
        -j DNAT --to-destination 192.168.1.2:21
    # iptables -A FORWARD -p tcp -i eth0 -d 192.168.1.2 --dport 21 \
        -j ACCEPT
    ## likewise, configure the FTP Server on 192.168.1.3
    # iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 2020:2121 \
        -j DNAT --to-destination 192.168.1.3:21
    # iptables -A FORWARD -p tcp -i eth0 -d 192.168.1.3 --dport 21 \
        -j ACCEPT


Figure 2: LAN network model together with the servers

5. Results of the configuration above


The result of the iptables configuration is saved in the file /etc/sysconfig/iptables as follows:

    # Generated by iptables-save v1.2.8 on Thu Nov 9 15:47:54 2006
    *nat
    :PREROUTING ACCEPT [4169:438355]
    :POSTROUTING ACCEPT [106:6312]
    :OUTPUT ACCEPT [22:1332]
    -A PREROUTING -d 172.28.24.199 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.2:8080
    -A PREROUTING -d 172.28.24.199 -i eth0 -p tcp -m tcp --dport 8888 -j DNAT --to-destination 192.168.1.3:80
    -A PREROUTING -i eth0 -p tcp -m tcp --dport 20:21 -j DNAT --to-destination 192.168.1.2:21
    -A PREROUTING -i eth0 -p tcp -m tcp --dport 2020:2121 -j DNAT --to-destination 192.168.1.3:21
    -A POSTROUTING -o eth0 -j SNAT --to-source 172.28.24.199
    COMMIT
    # Completed on Thu Nov 9 15:47:54 2006
    # Generated by iptables-save v1.2.8 on Thu Nov 9 15:47:54 2006
    *filter
    :INPUT DROP [4011:414080]
    :FORWARD ACCEPT [552:57100]
    :OUTPUT ACCEPT [393:43195]
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i ! eth0 -m state --state NEW -j ACCEPT
    -A FORWARD -d 192.168.1.3 -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
    COMMIT
    # Completed on Thu Nov 9 15:47:54 2006
    # Generated by iptables-save v1.2.8 on Thu Nov 9 15:47:54 2006
    *mangle
    :PREROUTING ACCEPT [5114:853418]
    :INPUT ACCEPT [4416:773589]
    :FORWARD ACCEPT [552:57100]
    :OUTPUT ACCEPT [393:43195]
    :POSTROUTING ACCEPT [945:100295]
    COMMIT
    # Completed on Thu Nov 9 15:47:54 2006
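An audit of the saved rule set above, as an added example that is not part of the original report: it pairs every PREROUTING DNAT target with the FORWARD ACCEPT rule that target needs. The saved filter table holds only one FORWARD ACCEPT (for 192.168.1.3 port 80) although four DNAT targets exist; the forwards still work only because the FORWARD policy is ACCEPT, and the gap would surface as soon as that policy is tightened to DROP. The sample text is the report's nat and filter tables with the packet counters zeroed; the parser and the audit logic are mine.

```python
import re

SAVED = """*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 172.28.24.199 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.2:8080
-A PREROUTING -d 172.28.24.199 -i eth0 -p tcp -m tcp --dport 8888 -j DNAT --to-destination 192.168.1.3:80
-A PREROUTING -i eth0 -p tcp -m tcp --dport 20:21 -j DNAT --to-destination 192.168.1.2:21
-A PREROUTING -i eth0 -p tcp -m tcp --dport 2020:2121 -j DNAT --to-destination 192.168.1.3:21
-A POSTROUTING -o eth0 -j SNAT --to-source 172.28.24.199
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ! eth0 -m state --state NEW -j ACCEPT
-A FORWARD -d 192.168.1.3 -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
"""


def parse_save(text):
    """Return {table: {"policy": {chain: policy}, "rules": [rule lines]}}."""
    tables, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            cur = tables.setdefault(line[1:], {"policy": {}, "rules": []})
        elif line.startswith(":") and cur is not None:
            chain, policy = line[1:].split()[:2]
            cur["policy"][chain] = policy
        elif line.startswith("-A") and cur is not None:
            cur["rules"].append(line)
    return tables


def opt(rule, flag):
    """Value following a single flag such as -d, -j or --dport, or None."""
    m = re.search(r"(?:^|\s)%s\s+(\S+)" % re.escape(flag), rule)
    return m.group(1) if m else None


def dnat_targets(tables):
    """(rule, ip, port) for every DNAT rule in the nat table."""
    out = []
    for rule in tables.get("nat", {"rules": []})["rules"]:
        if opt(rule, "-j") == "DNAT":
            ip, _, port = opt(rule, "--to-destination").partition(":")
            out.append((rule, ip, int(port) if port else None))
    return out


def has_forward_accept(tables, ip, port):
    """True if a FORWARD ACCEPT rule covers destination ip and that port."""
    for rule in tables.get("filter", {"rules": []})["rules"]:
        if not rule.startswith("-A FORWARD") or opt(rule, "-j") != "ACCEPT":
            continue
        if opt(rule, "-d") != ip:
            continue
        dport = opt(rule, "--dport")
        if port is None or dport is None or dport == str(port):
            return True
    return False


def audit(text):
    """Return (FORWARD policy, [(ip, port) of DNAT targets without an explicit
    FORWARD ACCEPT])."""
    tables = parse_save(text)
    policy = tables["filter"]["policy"].get("FORWARD")
    missing = [(ip, port) for _, ip, port in dnat_targets(tables)
               if not has_forward_accept(tables, ip, port)]
    return policy, missing


if __name__ == "__main__":
    policy, missing = audit(SAVED)
    print("FORWARD policy:", policy)
    for ip, port in missing:
        print("DNAT target %s:%s has no FORWARD ACCEPT rule" % (ip, port))
```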

The result of running traceroute from 192.168.1.2 to other machines is as follows:

    sysadmin@debian:~$ traceroute 172.28.24.195
    traceroute to 172.28.24.195 (172.28.24.195), 30 hops max, 38 byte packets
     1  192.168.1.1 (192.168.1.1)  2.541 ms  3.409 ms  0.142 ms
     2  172.28.24.195 (172.28.24.195)  0.298 ms  3.125 ms  0.256 ms
    sysadmin@debian:~$ traceroute 172.28.2.2
    traceroute to 172.28.2.2 (172.28.2.2), 30 hops max, 38 byte packets
     1  192.168.1.1 (192.168.1.1)  0.259 ms  4.546 ms  0.185 ms
     2  172.28.24.1 (172.28.24.1)  1.182 ms  2.777 ms  0.820 ms
     3  hcmut-server.hcmut.edu.vn (172.28.2.2)  0.988 ms  4.159 ms  5.069 ms
    sysadmin@debian:~$

The result of running mtr from 192.168.1.2 to other machines is as follows:

                                 My traceroute  [v0.67]
    debian (0.0.0.0)(tos=0x0 psize=64 bitpattern=0x00)      Wed Nov 15 11:11:31 2006
    Keys:  Help   Display mode   Restart statistics   Order of fields   quit
                                           Packets               Pings
     Host                                Loss%   Snt   Last   Avg  Best  Wrst StDev
     1. 192.168.1.1                       0.0%    70    0.3   1.4   0.2  59.0   7.2
     2. 172.28.24.195                     0.0%    70    0.4   6.8   0.3 292.3  35.7

                                 My traceroute  [v0.67]
    debian (0.0.0.0)(tos=0x0 psize=64 bitpattern=0x00)      Wed Nov 15 11:13:13 2006
    Keys:  Help   Display mode   Restart statistics   Order of fields   quit
                                           Packets               Pings
     Host                                Loss%   Snt   Last   Avg  Best  Wrst StDev
     1. 192.168.1.1                       0.0%    12    0.2   0.3   0.2   1.2   0.3
     2. 172.28.24.1                       0.0%    12    0.9   1.5   0.8   6.0   1.6
     3. hcmut-server.hcmut.edu.vn         0.0%    12    0.4   0.9   0.4   4.7   1.3


Results from 192.168.1.2, using Konqueror to reach the Web server. If the URL typed is http://localhost:8080/, the machine understands it as the Web Server on 192.168.1.2 itself on port 8080; this is easy to see, since ifconfig shows that 192.168.1.2 is the address of that machine's eth0 interface. If the URL typed is http://172.28.24.199, the machine sees that this address is not on its own network, so it sends the packet to the gateway, and the gateway routes it according to the iptables rules set up above (in the part on letting the LAN reach the outside network), mapping 172.28.24.199 port 80 to 192.168.1.2 port 8080. So although two different URLs were typed, the result returned by the web server is the same. Likewise, from 192.168.1.2 we logged in remotely to another machine outside the network and used Internet Explorer there to open http://172.28.24.199, and still received exactly the same web server result as the two above. If, on the other hand, we use Mozilla Firefox on the gateway machine to open http://localhost/, it is understood as the Web Server on that machine, even though that machine's address is 172.28.24.199. The difference is clear: the same address 172.28.24.199 and the same port 80 give different results depending on where the request is made from. Similarly, on 192.168.1.2 we opened ftp://localhost, and after logging in remotely to a machine on another network we opened ftp://172.28.24.199 in Internet Explorer; both mean the FTP Server on 192.168.1.2 port 21, so the two results are the same.

Figure 3: Result of accessing the Web Server from 2 different machines

NGUYN HNG THI

16/12/2006

13

P DNG IPTABLES VO WEB SERVER V FTP SERVER

Figure 4: Result of accessing the Web Server on the machine used as the gateway

Figure 5: Result of accessing ftp simultaneously on 2 machines


On the machine used as the gateway we used the tcpdump program to monitor the routing through the gateway. The capture obtained is as follows:

    11:01:09.614831 172.28.24.199.1065 > 172.28.24.195.3389: . ack 309 win 53576 <nop,nop,timestamp 589252 23626> (DF)
    11:01:09.908869 172.28.24.199.1026 > www.hcmut.edu.vn.domain: 59879+ PTR? 164.24.28.172.in-addr.arpa. (44) (DF)
    11:01:09.909556 www.hcmut.edu.vn.domain > 172.28.24.199.1026: 59879 NXDomain* 0/1/0 (112) (DF)
    11:01:09.925041 172.28.24.195.3389 > 172.28.24.199.1065: P 309:326(17) ack 1 win 64376 <nop,nop,timestamp 23629 589252> (DF)
    11:01:09.925202 172.28.24.199.1065 > 172.28.24.195.3389: . ack 326 win 53576 <nop,nop,timestamp 589283 23629> (DF)
    11:01:10.455809 172.28.24.195.3389 > 172.28.24.199.1065: P 326:342(16) ack 1 win 64376 <nop,nop,timestamp 23634 589283> (DF)
    11:01:10.455995 172.28.24.199.1065 > 172.28.24.195.3389: . ack 342 win 53576 <nop,nop,timestamp 589336 23634> (DF)
    11:01:10.555978 172.28.24.195.3389 > 172.28.24.199.1065: P 342:371(29) ack 1 win 64376 <nop,nop,timestamp 23635 589336> (DF)
    11:01:10.556143 172.28.24.199.1065 > 172.28.24.195.3389: . ack 371 win 53576 <nop,nop,timestamp 589346 23635> (DF)
    11:01:10.986546 172.28.24.195.3389 > 172.28.24.199.1065: P 371:388(17) ack 1 win 64376 <nop,nop,timestamp 23640 589346> (DF)
    11:01:10.986722 172.28.24.199.1065 > 172.28.24.195.3389: . ack 388 win 53576 <nop,nop,timestamp 589389 23640> (DF)
    11:01:11.517327 172.28.24.195.3389 > 172.28.24.199.1065: P 388:404(16) ack 1 win 64376 <nop,nop,timestamp 23646 589389> (DF)
    11:01:11.517490 172.28.24.199.1065 > 172.28.24.195.3389: . ack 404 win 53576 <nop,nop,timestamp 589442 23646> (DF)

The capture above shows that the machines on the network 192.168.1.0/24 are not visible at all. In summary, using iptables to configure NAT from the inside out lets machines in the LAN reach servers outside, and NAT from the outside in lets machines outside the network reach servers inside the LAN. The results show, first, that we achieved server load balancing, in the sense that with the same IP address but different ports we can reach 2 different servers. Second, different ways of accessing from different locations are understood differently by the machines. Third, the tcpdump result shows that with iptables, besides filtering packets, we also perform NAT while still keeping the inside network hidden. In practice, however, server load balancing and network security are not done in software but directly on dedicated hardware.
