
Introduction to Iptables

This document was translated from http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables. It still has many shortcomings. We hope everyone will support it and contribute ideas so that it can be improved. Please send all comments to trannhathuy@gmail.com. Ho Chi Minh City, 12/2006. Translation team: Tran Nhat Huy, Hoang Hai Nguyen, Ngo Tri Hung Nam.


I. INTRODUCTION TO IPTABLES:

Network security is a top-priority concern when setting up a website, as well as many other services on the network. One way to protect them is to use a firewall. This article shows how to turn a Linux server into:

- A firewall that is at the same time a mail server, a web server and a DNS server.
- A routing device (router) that uses NAT and port forwarding, both protecting your network and allowing a public web server to share the firewall's IP address.

One of the most widely used firewalls on Linux is iptables. Some of its features:

- Tight integration with the Linux kernel, which improves the reliability and speed of iptables.
- Close inspection of every packet. This lets the firewall track each connection passing through it and, of course, examine the contents of each stream to anticipate the protocol's next action. This is very important for supporting protocols such as FTP and DNS.
- Packet filtering based on the MAC address and on the flags in the TCP header. This helps block attacks that use malformed packets and block access from internal hosts to another network regardless of their IP address.
- System logging with an adjustable level of reporting.
- Support for integration with web proxy programs such as Squid.
- Blocking of denial-of-service attacks.

II. USING IPTABLES

1. Starting iptables:

Commands to start, stop and restart iptables.


[root@bigboy tmp]# service iptables start
[root@bigboy tmp]# service iptables stop
[root@bigboy tmp]# service iptables restart

To start iptables every time the machine boots:

[root@bigboy tmp]# chkconfig iptables on

To view the status of iptables:


[root@bigboy tmp]# service iptables status

2. Packet processing in iptables:

Every packet is inspected by iptables using built-in sequential tables (queues). There are 3 kinds of tables:

- Mangle: responsible for altering the quality-of-service bits in the TCP header, such as TOS (type of service), TTL (time to live) and MARK.
- Filter: responsible for packet filtering. It has 3 built-in rule sets (chains) that let you define filtering rules:
  Forward chain: filters packets going to other servers.
  Input chain: filters packets coming into the server.
  Output chain: filters packets leaving the server.
- NAT: has 2 chains:
  Pre-routing chain: changes the destination address of the packet when needed.
  Post-routing chain: changes the source address of the packet when needed.

Table 1: Queue types and chains, with their functions.

Queue: Filter (queue function: packet filtering)
  FORWARD: filters packets going to other servers connected on the firewall's other NICs.
  INPUT: filters packets arriving at the firewall.
  OUTPUT: filters packets leaving the firewall.

Queue: NAT (queue function: Network Address Translation)
  PREROUTING: address translation that takes place before routing. Changing the destination address helps the packet fit the firewall's routing table. Uses destination NAT, or DNAT.
  POSTROUTING: address translation that takes place after routing. Uses source NAT, or SNAT.
  OUTPUT: NAT for packets originating from the firewall itself. Rarely used in a SOHO (small office - home office) environment.

Queue: Mangle (queue function: TCP header modification)
  PREROUTING, POSTROUTING, OUTPUT, INPUT, FORWARD: adjust the quality-of-service bits before routing. Rarely used in a SOHO (small office - home office) environment.

For an overall picture of packet filtering and processing in iptables, refer to the following figure (figure not reproduced here).

Let us also walk through an example of a packet's path.

First, the packet arrives from network A. It is then examined by the mangle table's PREROUTING chain (if needed). Next the packet is examined by the nat table's PREROUTING chain to check whether it needs DNAT; DNAT changes the packet's destination address. The packet is then routed. If the packet is going into a protected network, it is filtered by the FORWARD chain of the filter table and, if needed, SNATed in the POSTROUTING chain to change its source IP before entering network B.

If the packet is destined for the firewall itself, it is examined by the INPUT chain of the mangle table and, if it passes the checks of the INPUT chain in the filter table, it is handed to the server programs inside the firewall. When the firewall needs to send data out, the packet is routed and passes through the OUTPUT chain of the mangle table (if needed), then through the OUTPUT chain of the nat table to see whether DNAT (which changes the destination address) is required, and finally through the OUTPUT chain of the filter table, which checks the packet to detect packets that are not allowed to be sent. Lastly, before the packet goes back out to the Internet, SNAT and QoS are checked in the POSTROUTING chain.
3. Targets

A target is the action that takes place when a packet is examined and matches a given condition. When a target is identified, the packet jumps to it to carry out the next processing step. The table below lists the targets that iptables uses.

Table 2: Description of the most commonly used iptables targets.

ACCEPT
  Meaning: iptables stops processing the packet and passes it on to the end application or to the operating system for handling.
  Options: none.

DROP
  Meaning: iptables stops processing the packet, and the packet is blocked and discarded.
  Options: none.

LOG
  Meaning: the packet's information is sent to syslog for inspection. iptables continues processing the packet with the next rule.
  Option --log-prefix "string": iptables prepends a user-defined string to the log message, usually stating why the packet was dropped.

REJECT
  Meaning: like DROP, but it returns an error message to the sender saying that the packet was blocked and discarded.
  Option --reject-with qualifier: the qualifier selects the kind of message returned to the sender. The qualifiers are: icmp-port-unreachable (default), icmp-net-unreachable, icmp-host-unreachable, icmp-proto-unreachable, icmp-net-prohibited, icmp-host-prohibited, tcp-reset, echo-reply.

DNAT
  Meaning: performs Destination network address translation; the packet's destination address is rewritten.
  Option --to-destination ipaddress: iptables writes ipaddress into the destination address of the packet.

SNAT
  Meaning: performs Source network address translation; the packet's source address is rewritten.
  Option --to-source <address>[-<address>][:<port>-<port>]: describes the IP address and port that iptables will write in.

MASQUERADE
  Meaning: performs Source Network Address Translation. By default the source IP becomes the firewall's own source IP.
  Option [--to-ports <port>[-<port>]]: specifies the range of source ports that the original source port may be mapped to.

4. Important switching parameters of iptables:

The following parameters let iptables act on packets in the way the user has planned.

Table 3: Important iptables switching parameters.

-t <table>: If you do not specify a table, the filter table is applied. The three tables are filter, nat and mangle.
-j <target>: Jump to a target chain when the packet matches the current rule.
-A: Append a rule to the end of a chain.
-F: Flush all rules in the selected table.
-p <protocol-type>: Match the protocol, usually icmp, tcp, udp or all.
-s <ip-address>: Match the source IP.
-d <ip-address>: Match the destination IP.
-i <interface-name>: Match the input interface when the packet enters the firewall.
-o <interface-name>: Match the output interface when the packet leaves the firewall.

To understand these options better, let us look at an example:


iptables -A INPUT -s 0/0 -i eth0 -d 192.168.1.1 -p TCP -j ACCEPT

iptables is configured to let the firewall accept packets whose protocol is TCP, arriving on network interface eth0, from any source IP address, going to address 192.168.1.1, which is the firewall's IP address. 0/0 means any IP address.

Table 4: Common TCP and UDP conditions.

-p tcp --sport <port>: TCP source port condition. Can be a single value or a range of the form start-port-number:end-port-number.
-p tcp --dport <port>: TCP destination port condition. Can be a single value or a range of the form starting-port:ending-port.
-p tcp --syn: Used to identify a new TCP connection request. ! --syn means no new connection request.
-p udp --sport <port>: UDP source port condition. Can be a single value or a range of the form start-port-number:end-port-number.
-p udp --dport <port>: UDP destination port condition. Can be a single value or a range of the form starting-port:ending-port.

Let us look at the following example:


iptables -A FORWARD -s 0/0 -i eth0 -d 192.168.1.58 -o eth1 -p TCP \
    --sport 1024:65535 --dport 80 -j ACCEPT

iptables is configured to let the firewall accept TCP packets arriving on network interface eth0, from any source IP address, going to address 192.168.1.58 via interface eth1. The source port is in the range 1024 to 65535 and the destination port is 80 (www/http).

Table 5: ICMP conditions.

--icmp-type <type>: The most commonly used types are echo-reply and echo-request.

Let us look at an ICMP example:


iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

iptables is configured to let the firewall send ICMP echo-requests (pings) and receive the ICMP echo-replies in return. Another example:

iptables -A INPUT -p icmp --icmp-type echo-request -m limit \
    --limit 1/s -i eth0 -j ACCEPT

iptables lets you cap the number of matching packets per unit of time. You can specify the period in the form /second, /minute, /hour or /day, or use the short form 3/s instead of 3/second. In this example ICMP echo requests are limited to no more than one request per second. This feature of iptables helps filter out high-volume traffic, which is characteristic of denial-of-service (DoS) attacks and Internet worms.
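To see what "-m limit --limit 1/s" actually does to a stream of packets, here is a token-bucket model of the limit match. This is an added example, not code from the original document or from the iptables project; it assumes the documented behaviour of the limit match (the bucket starts full with the burst size, which defaults to 5 in iptables, refills at the average rate, and a packet matches only while a token is available) and uses constructed timestamps.

```python
# Added example, not part of the original document: a token-bucket model of
# the "-m limit --limit N/unit" match. Assumptions: the bucket starts full
# with `burst` tokens (iptables' default --limit-burst is 5), refills at the
# average rate, and every packet that finds a token matches the rule; a
# packet that finds the bucket empty does not match and falls through to the
# next rule or the chain policy. Timestamps below are constructed.

UNIT_SECONDS = {"s": 1, "second": 1, "m": 60, "minute": 60,
                "h": 3600, "hour": 3600, "d": 86400, "day": 86400}


def parse_rate(spec):
    """'1/s', '3/second' or '30/minute' -> average tokens per second."""
    count, _, unit = spec.partition("/")
    return int(count) / UNIT_SECONDS[unit]


class LimitMatch:
    def __init__(self, rate, burst=5):
        self.rate = parse_rate(rate)
        self.burst = burst
        self.tokens = float(burst)   # bucket starts full
        self.last = None             # time of the previous packet

    def matches(self, now):
        """True if the packet seen at time `now` (seconds) is within the limit."""
        if self.last is not None:
            refill = (now - self.last) * self.rate
            self.tokens = min(self.burst, self.tokens + refill)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def apply_limit(rate, timestamps, burst=5):
    """Run a packet stream through one limit match; returns [(t, matched), ...]."""
    match = LimitMatch(rate, burst)
    return [(t, match.matches(t)) for t in timestamps]


def count_matched(rate, timestamps, burst=5):
    """Number of packets in the stream that the rule would match."""
    return sum(1 for _, ok in apply_limit(rate, timestamps, burst) if ok)


if __name__ == "__main__":
    # Constructed sample: 20 echo-requests, one every 100 ms, against "--limit 1/s".
    flood = [i / 10 for i in range(20)]
    for t, ok in apply_limit("1/s", flood):
        print(f"t={t:.1f}s  {'ACCEPT (rule matched)' if ok else 'no match -> next rule / policy'}")
    print("matched:", count_matched("1/s", flood), "of", len(flood))
```

The model shows the point the paragraph leaves implicit: the first five packets of a flood pass immediately because of the burst allowance, and only after that does the rule settle to one packet per second. Lowering --limit-burst tightens the start of a flood; it does not change the long-run rate.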
iptables -A INPUT -p tcp --syn -m limit --limit 5/s -i eth0 -j ACCEPT

You can extend the limiting ability of iptables to reduce exposure to denial-of-service attacks. This is a defence against SYN flood attacks: it limits acceptance of TCP segments with the SYN bit set to no more than 5 segments per second.

Table 6: Common extended conditions
-m multiport --sport <port, port>: Several TCP/UDP source ports separated by commas (,). This is a list of ports, not a range.
-m multiport --dport <port, port>: Several TCP/UDP destination ports separated by commas (,). This is a list of ports, not a range.
-m multiport --ports <port, port>: Several TCP/UDP ports separated by commas (,). This is a list of ports, not a range, and it does not distinguish source from destination ports.
-m state --state <state>: The most commonly used states are:
  ESTABLISHED: the packet is part of a connection that has seen traffic in both directions.
  NEW: the packet is the start of a new connection.
  RELATED: the packet starts a secondary connection. Typically this is a feature of protocols such as FTP, or an ICMP error.
  INVALID: the packet cannot be identified. This may be due to a lack of system resources, or an ICMP error that does not match an existing flow.

Here is a further extension of the previous example:

iptables -A FORWARD -s 0/0 -i eth0 -d 192.168.1.58 -o eth1 -p TCP \
    --sport 1024:65535 -m multiport --dport 80,443 -j ACCEPT
iptables -A FORWARD -d 0/0 -o eth0 -s 192.168.1.58 -i eth1 -p TCP \
    -m state --state ESTABLISHED -j ACCEPT

iptables is configured to let the firewall accept TCP packets arriving on network interface eth0, from any source IP address, going to address 192.168.1.58 via interface eth1. The source port is in the range 1024 to 65535 and the destination ports are 80 (www/http) and 443 (https). When the packets are returned from 192.168.1.58, instead of opening the source and destination ports again, you simply allow the already established connection flow with the parameter -m state and --state ESTABLISHED.

5. Using user-defined chains:

User-defined chains live in the iptables tables. They help make packet processing faster. For example, instead of using the built-in chain for every protocol, you can use the built-in chain only to decide the protocol of the packet and then hand processing to a user-defined, protocol-specific chain in the filter table. In other words, you replace one long chain with a stubby main chain pointing to several stubby chains, which shortens the total length of chain a packet must pass through. The following six commands help improve processing speed:

iptables -A INPUT -i eth0 -d 206.229.110.2 -j fast-input-queue
iptables -A OUTPUT -o eth0 -s 206.229.110.2 -j fast-output-queue
iptables -A fast-input-queue -p icmp -j icmp-queue-in
iptables -A fast-output-queue -p icmp -j icmp-queue-out
iptables -A icmp-queue-out -p icmp --icmp-type echo-request \
    -m state --state NEW -j ACCEPT
iptables -A icmp-queue-in -p icmp --icmp-type echo-reply -j ACCEPT
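The six commands above only make sense once you see how a packet walks the chains: rules are tried in order, ACCEPT/DROP/REJECT end the walk, LOG records the packet and continues, a jump enters the user-defined chain and, if nothing there decides, the walk resumes in the calling chain, and the built-in chain's policy applies last. The following model of that traversal, loaded with the six rules, is an added example and not code from the original document; the DROP policies on INPUT and OUTPUT and the sample packets are assumptions made for the example.

```python
# Added example, not part of the original document: a model of how a packet
# walks the filter table's built-in and user-defined chains (sections 3 and 5).
# Assumptions: INPUT and OUTPUT have a DROP policy; packets are dicts of the
# fields the rules match on; the sample packets are constructed.

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


class Rule:
    def __init__(self, target, **match):
        self.target = target      # ACCEPT, DROP, REJECT, LOG, RETURN or a chain name
        self.match = match        # field -> required value, e.g. proto="icmp"

    def matches(self, pkt):
        return all(pkt.get(k) == v for k, v in self.match.items())


class FilterTable:
    def __init__(self, policies):
        self.policies = dict(policies)                  # built-in chain -> policy
        self.chains = {name: [] for name in policies}
        self.log = []                                   # what a LOG target would syslog

    def new_chain(self, name):                          # iptables -N <name>
        self.chains[name] = []

    def append(self, chain, rule):                      # iptables -A <chain> ...
        self.chains[chain].append(rule)

    def _walk(self, chain, pkt):
        """First matching terminal verdict in `chain`, or None if the chain runs out."""
        for rule in self.chains[chain]:
            if not rule.matches(pkt):
                continue
            target = rule.target
            if target in TERMINAL:
                return target
            if target == "LOG":                         # non-terminating: note it and go on
                self.log.append((chain, dict(pkt)))
                continue
            if target == "RETURN":                      # back to the calling chain
                return None
            verdict = self._walk(target, pkt)           # jump into a user-defined chain
            if verdict is not None:
                return verdict
        return None

    def verdict(self, builtin_chain, pkt):
        """Final decision for a packet entering a built-in chain."""
        return self._walk(builtin_chain, pkt) or self.policies[builtin_chain]


def build_example():
    """The six-rule user-defined chain set from the text, on assumed DROP policies."""
    fw = FilterTable({"INPUT": "DROP", "OUTPUT": "DROP"})
    for name in ("fast-input-queue", "fast-output-queue", "icmp-queue-in", "icmp-queue-out"):
        fw.new_chain(name)
    fw.append("INPUT", Rule("fast-input-queue", in_iface="eth0", dst="206.229.110.2"))
    fw.append("OUTPUT", Rule("fast-output-queue", out_iface="eth0", src="206.229.110.2"))
    fw.append("fast-input-queue", Rule("icmp-queue-in", proto="icmp"))
    fw.append("fast-output-queue", Rule("icmp-queue-out", proto="icmp"))
    fw.append("icmp-queue-out", Rule("ACCEPT", proto="icmp", icmp_type="echo-request", state="NEW"))
    fw.append("icmp-queue-in", Rule("ACCEPT", proto="icmp", icmp_type="echo-reply"))
    return fw


if __name__ == "__main__":
    fw = build_example()
    samples = [  # constructed packets
        ("INPUT", {"in_iface": "eth0", "dst": "206.229.110.2", "proto": "icmp", "icmp_type": "echo-reply"}),
        ("INPUT", {"in_iface": "eth0", "dst": "206.229.110.2", "proto": "icmp", "icmp_type": "echo-request", "state": "NEW"}),
        ("INPUT", {"in_iface": "eth0", "dst": "206.229.110.2", "proto": "tcp", "dport": 22}),
        ("OUTPUT", {"out_iface": "eth0", "src": "206.229.110.2", "proto": "icmp", "icmp_type": "echo-request", "state": "NEW"}),
    ]
    for chain, pkt in samples:
        print(chain, pkt.get("proto"), pkt.get("icmp_type", pkt.get("dport")), "->", fw.verdict(chain, pkt))
```

Note what the model makes visible: an inbound echo-request reaches icmp-queue-in, matches nothing there, falls back through fast-input-queue and INPUT, and ends at the policy. Whether that is a DROP or an ACCEPT depends entirely on the policy you set, which the six commands themselves do not.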

LIST OF CHAINS (QUEUES)

INPUT: the built-in INPUT chain of iptables.
OUTPUT: the built-in OUTPUT chain of iptables.
fast-input-queue: a separate input chain that supports specific protocols and forwards packets to protocol-specific chains.
fast-output-queue: a separate output chain that supports specific protocols and forwards packets to protocol-specific chains.
icmp-queue-out: a separate output chain for the ICMP protocol.
icmp-queue-in: a separate input chain for the ICMP protocol.
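The next sections save and restore rule sets in the iptables-save text format (the *table, :CHAIN POLICY [packets:bytes], -A ... and COMMIT lines). A parser for that format, together with the checks a reviewer would run over a saved rule set before reloading it with iptables-restore, is useful when auditing a firewall. The following is an added example, not code from the original document or from the iptables project; the embedded input is the /etc/sysconfig/iptables listing shown in section 6, and the check names are this example's own.

```python
# Added example, not part of the original document: a parser for the
# iptables-save format used by /etc/sysconfig/iptables, plus two review
# checks: built-in chains that accept by default without a catch-all DROP or
# REJECT, and the destination ports on which NEW TCP connections are accepted.
# SAMPLE is the section 6 listing from the text.
import re
import shlex

SAMPLE = """\
# Generated by iptables-save v1.2.9 on Mon Nov 8 11:00:07 2004
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [144:12748]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 255 -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Mon Nov 8 11:00:07 2004
"""

CHAIN_LINE = re.compile(r":(\S+)\s+(\S+)\s+\[(\d+):(\d+)\]")


def parse_save(text):
    """Return {table: {"policies": {chain: policy}, "rules": [(chain, [args]), ...]}}.
    A policy of "-" marks a user-defined chain."""
    tables, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):
            current = tables.setdefault(line[1:], {"policies": {}, "rules": []})
        elif line.startswith(":"):
            m = CHAIN_LINE.match(line)
            current["policies"][m.group(1)] = m.group(2)
        elif line.startswith("-A "):
            args = shlex.split(line)
            current["rules"].append((args[1], args[2:]))
        else:
            raise ValueError("unrecognised line: " + raw)
    return tables


def option(args, name):
    """Value following an option such as --dport, or None if absent."""
    return args[args.index(name) + 1] if name in args else None


def catch_all(rules, chain):
    """True if `chain` ends with an unconditional DROP or REJECT."""
    mine = [args for c, args in rules if c == chain]
    return bool(mine) and len(mine[-1]) >= 2 and mine[-1][0] == "-j" \
        and mine[-1][1] in ("DROP", "REJECT")


def effective_catch_all(table, chain):
    """Catch-all in the chain itself or in a chain it jumps to unconditionally."""
    if catch_all(table["rules"], chain):
        return True
    return any(len(args) >= 2 and args[0] == "-j" and args[1] in table["policies"]
               and effective_catch_all(table, args[1])
               for c, args in table["rules"] if c == chain)


def new_tcp_ports(table):
    """Destination ports on which NEW TCP connections are accepted anywhere in the table."""
    ports = []
    for _, args in table["rules"]:
        states = (option(args, "--state") or "").split(",")
        if "NEW" in states and option(args, "-j") == "ACCEPT" and option(args, "--dport"):
            ports.append(int(option(args, "--dport")))
    return ports


def audit(text):
    """Built-in chains whose default is ACCEPT with no catch-all reject anywhere on the path."""
    table = parse_save(text)["filter"]
    return [f"open-by-default:{chain}" for chain in ("INPUT", "FORWARD", "OUTPUT")
            if table["policies"].get(chain) == "ACCEPT" and not effective_catch_all(table, chain)]


if __name__ == "__main__":
    filt = parse_save(SAMPLE)["filter"]
    print("policies:", filt["policies"])
    print("NEW TCP accepted on ports:", new_tcp_ports(filt))
    print("findings:", audit(SAMPLE))
```

On the section 6 listing the audit reports only OUTPUT: INPUT and FORWARD jump unconditionally into RH-Firewall-1-INPUT, whose last rule is a catch-all REJECT, so their ACCEPT policies are never reached, while OUTPUT has no rules at all and so lets everything the firewall itself sends go out.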

6. Saving iptables scripts:

The iptables script is saved in the file /etc/sysconfig/iptables. The sample below shows the format of that file; it allows the ICMP protocol, IPSec (ESP and AH packets), established connections and inbound SSH.

[root@bigboy tmp]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.2.9 on Mon Nov 8 11:00:07 2004
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [144:12748]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 255 -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Mon Nov 8 11:00:07 2004
[root@bigboy tmp]#

7. Setting up rules for Fedora's iptables:

Fedora has a program called lokkit, which can set up a simple firewall rule set that helps strengthen security. lokkit saves the firewall rules in the file /etc/sysconfig/iptables.

8. Recovering a lost script:

The iptables script is stored in the file /etc/sysconfig/iptables. You can edit the script and recreate new rules from it. For example, to export the iptables rules to a text file named firewall-config:

[root@bigboy tmp]# iptables-save > firewall-config
[root@bigboy tmp]# cat firewall-config
# Generated by iptables-save v1.2.9 on Mon Nov 8 11:00:07 2004
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [144:12748]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 255 -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Mon Nov 8 11:00:07 2004
[root@bigboy tmp]#

After editing firewall-config, you can reload the rules into the firewall with:

[root@bigboy tmp]# iptables-restore < firewall-config

You can save the running rules with:

[root@bigboy tmp]# service iptables save

9. Required kernel modules:

Some kernel modules are needed for certain iptables features to work. Among them are the iptables_nat module and the ip_conntrack_ftp module:
+ The iptables_nat module is needed for some kinds of NAT.
+ The ip_conntrack_ftp module is needed to add support for the FTP protocol.
+ The ip_conntrack module keeps connection state for the TCP protocol.
+ The ip_nat_ftp module must be loaded for FTP servers behind a NAT firewall.

NOTE: the file /etc/sysconfig/iptables does not record which modules were loaded, so these statements must be added to /etc/rc.local, which runs at the end of every boot. The sample script in this section includes the statements saved in /etc/rc.local:

# File: /etc/rc.local
# Module to track the state of connections
modprobe ip_conntrack
# Load the iptables active FTP module, requires ip_conntrack
modprobe ip_conntrack_ftp
# Load iptables NAT module when required
modprobe iptable_nat
# Module required for active an FTP server using NAT
modprobe ip_nat_ftp

10. Sample iptables scripts:

10.1 Basics of system protection:

The Linux operating system has protection mechanisms in the form of kernel parameters in the /proc filesystem, which are set through the file /etc/sysctl.conf. Use /etc/sysctl.conf to set the kernel parameters that support the firewall. Here is a sample configuration:

# File: /etc/sysctl.conf
#---------------------------------------------------------
# Disable routing triangulation. Respond to queries out
# the same interface, not another. Helps to maintain state
# Also protects against IP spoofing
#---------------------------------------------------------
net/ipv4/conf/all/rp_filter = 1
#---------------------------------------------------------
# Enable logging of packets with malformed IP addresses
#---------------------------------------------------------
net/ipv4/conf/all/log_martians = 1
#---------------------------------------------------------
# Disable redirects
#---------------------------------------------------------
net/ipv4/conf/all/send_redirects = 0
#---------------------------------------------------------
# Disable source routed packets
#---------------------------------------------------------
net/ipv4/conf/all/accept_source_route = 0
#---------------------------------------------------------
# Disable acceptance of ICMP redirects
#---------------------------------------------------------
net/ipv4/conf/all/accept_redirects = 0
#---------------------------------------------------------
# Turn on protection from Denial of Service (DOS) attacks
#---------------------------------------------------------
net/ipv4/tcp_syncookies = 1
#---------------------------------------------------------
# Disable responding to ping broadcasts
#---------------------------------------------------------
net/ipv4/icmp_echo_ignore_broadcasts = 1
#---------------------------------------------------------
# Enable IP routing. Required if your firewall is
# protecting network, NAT included
#---------------------------------------------------------
net/ipv4/ip_forward = 1

10.2 Advantages of initializing iptables:

You can add several initialization features to the script, including checking Internet traffic for private RFC 1918 addresses. More complex initialization includes checking for attacks that use invalid TCP flags. The script also uses several user-defined chains to make the script shorter and faster, since those chains can be reached repeatedly. This removes the need to set up the same conditions again. The complete firewall script:

#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#
#
# Define networks: NOTE!! You may want to put these "EXTERNAL"
# definitions at the top of your script.
#
#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#
EXTERNAL_INT="eth0"            # External Internet interface
EXTERNAL_IP="97.158.253.25"    # Internet Interface IP address
#---------------------------------------------------------
# Initialize our user-defined chains
#---------------------------------------------------------
iptables -N valid-src
iptables -N valid-dst
#---------------------------------------------------------
# Verify valid source and destination addresses for all packets
#---------------------------------------------------------
iptables -A INPUT   -i $EXTERNAL_INT -j valid-src
iptables -A FORWARD -i $EXTERNAL_INT -j valid-src
iptables -A OUTPUT  -o $EXTERNAL_INT -j valid-dst
iptables -A FORWARD -o $EXTERNAL_INT -j valid-dst

#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#
#
# Source and Destination Address Sanity Checks
# Drop packets from networks covered in RFC 1918 (private nets)
# Drop packets from external interface IP
#
#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#
iptables -A valid-src -s 10.0.0.0/8       -j DROP
iptables -A valid-src -s 172.16.0.0/12    -j DROP
iptables -A valid-src -s 192.168.0.0/16   -j DROP
iptables -A valid-src -s 224.0.0.0/4      -j DROP
iptables -A valid-src -s 240.0.0.0/5      -j DROP
iptables -A valid-src -s 127.0.0.0/8      -j DROP
iptables -A valid-src -s 0.0.0.0/8        -j DROP
iptables -A valid-src -d 255.255.255.255  -j DROP
iptables -A valid-src -s 169.254.0.0/16   -j DROP
iptables -A valid-src -s $EXTERNAL_IP     -j DROP
iptables -A valid-dst -d 224.0.0.0/4      -j DROP
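The valid-src and valid-dst chains encode a fixed list of addresses that should never be seen as a source on the Internet interface (or as a destination leaving it). The same test, expressed with Python's ipaddress module, is handy for screening a capture or a log of the external interface for the spoofed or impossible addresses the script drops. This is an added example, not code from the original document; the networks and the external IP are those of the script above, and the sample packets are constructed.

```python
# Added example, not part of the original document: the valid-src / valid-dst
# sanity checks of the script above, as a function that can be run over
# recorded packets. Networks and EXTERNAL_IP are taken from the script; the
# packets in main() are constructed.
import ipaddress

EXTERNAL_IP = "97.158.253.25"

# Sources that must never arrive from the Internet: RFC 1918 private ranges,
# multicast, reserved, loopback, "this" network, link-local, and our own
# external address (a packet claiming to come from us is spoofed).
INVALID_SOURCES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "240.0.0.0/5", "127.0.0.0/8", "0.0.0.0/8", "169.254.0.0/16",
)] + [ipaddress.ip_network(EXTERNAL_IP + "/32")]
# valid-src also drops anything addressed to the limited broadcast address.
INVALID_DESTINATIONS_IN = [ipaddress.ip_network("255.255.255.255/32")]
# valid-dst drops multicast destinations leaving on the Internet interface.
INVALID_DESTINATIONS_OUT = [ipaddress.ip_network("224.0.0.0/4")]


def valid_src(src, dst):
    """Mirror of the valid-src chain: "DROP", or None to fall through to the caller."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if any(s in net for net in INVALID_SOURCES):
        return "DROP"
    if any(d in net for net in INVALID_DESTINATIONS_IN):
        return "DROP"
    return None


def valid_dst(dst):
    """Mirror of the valid-dst chain for packets leaving on the Internet interface."""
    d = ipaddress.ip_address(dst)
    return "DROP" if any(d in net for net in INVALID_DESTINATIONS_OUT) else None


def screen(packets):
    """packets: iterable of (direction, src, dst) with direction "in" or "out".
    Returns [(src, dst, "DROP" or "pass"), ...] in the same order."""
    results = []
    for direction, src, dst in packets:
        verdict = valid_src(src, dst) if direction == "in" else valid_dst(dst)
        results.append((src, dst, verdict or "pass"))
    return results


if __name__ == "__main__":
    constructed = [
        ("in", "10.1.2.3", EXTERNAL_IP),          # private source on the Internet side
        ("in", "203.0.113.9", EXTERNAL_IP),       # ordinary remote host
        ("in", EXTERNAL_IP, "203.0.113.9"),       # spoof of our own address
        ("in", "203.0.113.9", "255.255.255.255"), # limited broadcast
        ("out", "192.168.1.10", "239.1.1.1"),     # multicast leaving on eth0
    ]
    for src, dst, verdict in screen(constructed):
        print(f"{src:>16} -> {dst:<16} {verdict}")
```

Because the chains are consulted from INPUT and FORWARD before any other rule, a packet that passes them has only cleared the address sanity check; it still has to be accepted by the rules that follow.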

10.3 Allowing the firewall to reach DNS servers:

A firewall does not strictly need to make DNS queries to the Internet for its basic function, but Fedora Linux's yum RPM updater needs them to keep the server up to date with the latest security patches. The following statements apply not only to a firewall acting as a DNS client but also to a firewall working as a caching or regular DNS server.

#---------------------------------------------------------
# Allow outbound DNS queries from the FW and the replies too
#
# - Interface eth0 is the internet interface
#
# Zone transfers use TCP and not UDP. Most home networks
# / websites using a single DNS server won't require TCP
# statements
#---------------------------------------------------------
iptables -A OUTPUT -p udp -o eth0 --dport 53 --sport 1024:65535 -j ACCEPT
iptables -A INPUT  -p udp -i eth0 --sport 53 --dport 1024:65535 -j ACCEPT

10.4 Allowing WWW and SSH access to the firewall:

This short script is for a firewall that doubles as a web server, managed by the web server system administrator over secure shell (SSH). Inbound packets destined for ports 80 (WWW) and 22 (SSH) are allowed, which lets the first steps of establishing a connection through. There is no need to name these ports (80 and 22) for the return leg, because outbound packets for all established connections are allowed.

#---------------------------------------------------------
# Allow previously established connections
# - Interface eth0 is the internet interface
#---------------------------------------------------------
iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
#---------------------------------------------------------
# Allow port 80 (www) and 22 (SSH) connections to the firewall
#---------------------------------------------------------
iptables -A INPUT -p tcp -i eth0 --dport 22 --sport 1024:65535 \
    -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 80 --sport 1024:65535 \
    -m state --state NEW -j ACCEPT

10.5 Allowing the firewall to access the Internet:

This iptables script lets a user on the firewall use a web browser to reach the Internet. HTTP traffic uses TCP port 80, and HTTPS (HTTP secure) uses port 443.

#---------------------------------------------------------
# Allow port 80 (www) and 443 (https) connections from the firewall
#---------------------------------------------------------
iptables -A OUTPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED \
    -o eth0 -p tcp -m multiport --dport 80,443 -m multiport --sport 1024:65535
#---------------------------------------------------------
# Allow previously established connections
# - Interface eth0 is the internet interface
#---------------------------------------------------------
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED -i eth0 -p tcp

If you want all traffic from the firewall to be accepted, delete:

-m multiport --dport 80,443 -m multiport --sport 1024:65535

10.6 Allowing the home network to access the firewall:


For example: eth1 is connected to the home network, which uses IP addresses from network 192.168.1.0. All traffic between this network and the firewall is assumed to be trusted. The rules needed for the interface connected to the Internet allow only specific ports and connection types, and can control which remote servers may reach the firewall and the home network.

#---------------------------------------------------------
# Allow all bidirectional traffic from your firewall to the
# protected network
# - Interface eth1 is the private network interface
#---------------------------------------------------------
iptables -A INPUT  -j ACCEPT -p all -s 192.168.1.0/24 -i eth1
iptables -A OUTPUT -j ACCEPT -p all -d 192.168.1.0/24 -o eth1

10.7 Masquerading (many-to-one NAT):

Traffic from all devices on one or more protected networks appears to originate from the single IP address on the firewall's Internet side. The masquerade IP address always defaults to the IP address of the firewall's main interface. The advantage of masquerading is that you do not have to specify the NAT IP address, which makes it easy to configure iptables NAT with DHCP. You can configure many-to-one NAT to a single IP alias by using POSTROUTING without the MASQUERADE target. Masquerading depends on the Linux operating system being configured to route between the Internet and the firewall's private network interface. This is done by enabling IP forwarding: setting the file /proc/sys/net/ipv4/ip_forward to the value 1 instead of the default 0. Once masquerading is set up in the POSTROUTING chain of the nat table, iptables must also be configured to let packets flow between the two interfaces. To do this, use the FORWARD chain of the filter table. Furthermore, packets belonging to NEW and ESTABLISHED connections are allowed outbound to the Internet, but only packets belonging to ESTABLISHED connections are allowed inbound. This protects the home network from anyone attempting to connect to it from the Internet.

#---------------------------------------------------------
# Load the NAT module
# Note: It is best to use the /etc/rc.local example in this
# chapter. This value will not be retained in the
# /etc/sysconfig/iptables file. Included only as a reminder.
#---------------------------------------------------------
modprobe iptable_nat
#---------------------------------------------------------
# Enable routing by modifying the ip_forward /proc filesystem file
#
# Note: It is best to use the /etc/sysctl.conf example in this
# chapter. This value will not be retained in the
# /etc/sysconfig/iptables file. Included only as a reminder.
#---------------------------------------------------------
echo 1 > /proc/sys/net/ipv4/ip_forward
#---------------------------------------------------------
# Allow masquerading
# - Interface eth0 is the internet interface
# - Interface eth1 is the private network interface
#---------------------------------------------------------
iptables -A POSTROUTING -t nat -o eth0 -s 192.168.1.0/24 \
    -d 0/0 -j MASQUERADE
#---------------------------------------------------------
# Prior to masquerading, the packets are routed via the filter
# table's FORWARD chain.
# Allowed outbound: New, established and related connections
# Allowed inbound : Established and related connections
#---------------------------------------------------------
iptables -A FORWARD -t filter -o eth0 -m state --state \
    NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -t filter -i eth0 -m state --state \
    ESTABLISHED,RELATED -j ACCEPT

10.8 Port forwarding with NAT (DHCP DSL):

In some cases a home user receives a single public IP address from the ISP by DHCP. If a Linux firewall is also the gateway to the Internet and you want to host a website on one of the home servers protected by NAT, you must use port forwarding. Here the combination of the firewall's single IP address, the server's IP address and the source/destination ports of the traffic is used to identify the traffic to forward. Port forwarding is handled by the PREROUTING chain of the nat table. As with masquerading, the iptables_nat module must be loaded and routing must be enabled for port forwarding to work. Forwarding must also be allowed in the FORWARD chain of iptables; this covers all NEW inbound connections from the Internet that match the port-forwarding rule, and all packets belonging to ESTABLISHED connections, in the statements:

#---------------------------------------------------------
# Load the NAT module
# Note: It is best to use the /etc/rc.local example in this
# chapter. This value will not be retained in the
# /etc/sysconfig/iptables file. Included only as a reminder.
#---------------------------------------------------------
modprobe iptable_nat
#---------------------------------------------------------
# Get the IP address of the Internet interface eth0 (linux only)
#
# You'll have to use a different expression to get the IP address
# for other operating systems which have a different ifconfig output
# or enter the IP address manually in the PREROUTING statement
#
# This is best when your firewall gets its IP address using DHCP.
# The external IP address could just be hard coded ("typed in normally")
#---------------------------------------------------------
external_int="eth0"
external_ip=$(ifconfig $external_int | grep 'inet addr' | \
    awk '{print $2}' | sed -e 's/.*://')
#---------------------------------------------------------
# Enable routing by modifying the ip_forward /proc filesystem file
#
# Note: It is best to use the /etc/sysctl.conf example in this
# chapter. This value will not be retained in the
# /etc/sysconfig/iptables file. Included only as a reminder.
#---------------------------------------------------------
echo 1 > /proc/sys/net/ipv4/ip_forward
#---------------------------------------------------------
# Allow port forwarding for traffic destined to port 80 of the
# firewall's IP address to be forwarded to port 8080 on server
# 192.168.1.200
#
# - Interface eth0 is the internet interface
# - Interface eth1 is the private network interface
#---------------------------------------------------------
iptables -t nat -A PREROUTING -p tcp -i eth0 -d $external_ip \
    --dport 80 --sport 1024:65535 -j DNAT --to-destination 192.168.1.200:8080
#---------------------------------------------------------
# After DNAT, the packets are routed via the filter table's
# FORWARD chain.
# Connections on port 80 to the target machine on the private
# network must be allowed.
#---------------------------------------------------------
iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.1.200 \
    --dport 8080 --sport 1024:65535 -m state --state NEW -j ACCEPT
iptables -A FORWARD -t filter -o eth0 -m state --state \
    NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -t filter -i eth0 -m state --state \
    ESTABLISHED,RELATED -j ACCEPT
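What the nat rules of sections 10.7 and 10.8 do to addresses, and how connection tracking reverses the translation on the replies, is easier to see in a small model than in the rules themselves. The following is an added example and not code from the original document or from the iptables project: the private network, the forwarded server 192.168.1.200:8080 and external port 80 follow the two sections; the external address 97.158.253.25 (standing in for $external_ip), the private client 192.168.1.50, the remote host 203.0.113.9 and the port numbers are constructed. It covers the nat table only; the FORWARD rules of the filter table, which must still accept the translated packet, are outside the model.

```python
# Added example, not part of the original document: a model of the nat table
# for the MASQUERADE (10.7) and DNAT port-forwarding (10.8) rules above,
# including the reverse translation that connection tracking applies to
# replies. Assumed values: the external IP, the private client, the remote
# host, and that masquerade source ports are allocated in order from 1024.
import ipaddress

PRIVATE_NET = ipaddress.ip_network("192.168.1.0/24")            # behind eth1
DNAT_RULES = {("97.158.253.25", 80): ("192.168.1.200", 8080)}   # PREROUTING -j DNAT


class NatTable:
    def __init__(self, external_ip, first_port=1024):
        self.external_ip = external_ip
        self.next_port = first_port   # next masquerade source port (assumed allocation)
        self.reply_map = {}           # (src, sport, dst, dport) of an expected reply -> fields to restore

    def translate(self, pkt):
        """Return the packet as the nat table leaves it.
        pkt: dict with src, sport, dst, dport and the interfaces in / out."""
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if key in self.reply_map:                           # reply to a tracked flow: undo the NAT
            return dict(pkt, **self.reply_map[key])
        rule = DNAT_RULES.get((pkt["dst"], pkt["dport"]))
        if pkt.get("in") == "eth0" and rule:                # PREROUTING: DNAT to the internal server
            new_dst, new_dport = rule
            self.reply_map[(new_dst, new_dport, pkt["src"], pkt["sport"])] = {
                "src": pkt["dst"], "sport": pkt["dport"]}
            return dict(pkt, dst=new_dst, dport=new_dport)
        if pkt.get("out") == "eth0" and ipaddress.ip_address(pkt["src"]) in PRIVATE_NET:
            port = self.next_port                           # POSTROUTING: MASQUERADE
            self.next_port += 1
            self.reply_map[(pkt["dst"], pkt["dport"], self.external_ip, port)] = {
                "dst": pkt["src"], "dport": pkt["sport"]}
            return dict(pkt, src=self.external_ip, sport=port)
        return pkt                                          # no nat rule applies


def show(label, pkt):
    print(f"{label:<28} {pkt['src']}:{pkt['sport']} -> {pkt['dst']}:{pkt['dport']}")


if __name__ == "__main__":
    nat = NatTable("97.158.253.25")
    # Constructed flow 1: a private client browses a remote HTTPS server.
    out = {"src": "192.168.1.50", "sport": 40000, "dst": "203.0.113.9", "dport": 443, "in": "eth1", "out": "eth0"}
    show("client -> Internet (pre)", out)
    show("client -> Internet (nat)", nat.translate(out))
    reply = {"src": "203.0.113.9", "sport": 443, "dst": "97.158.253.25", "dport": 1024, "in": "eth0", "out": "eth1"}
    show("reply (nat)", nat.translate(reply))
    # Constructed flow 2: a remote host connects to the forwarded web server.
    inbound = {"src": "203.0.113.9", "sport": 50000, "dst": "97.158.253.25", "dport": 80, "in": "eth0", "out": "eth1"}
    show("Internet -> fw:80 (nat)", nat.translate(inbound))
    back = {"src": "192.168.1.200", "sport": 8080, "dst": "203.0.113.9", "dport": 50000, "in": "eth1", "out": "eth0"}
    show("server reply (nat)", nat.translate(back))
```

The reply lookup runs before the MASQUERADE branch on purpose: the web server's reply leaves on eth0 from a private source address and would otherwise be masqueraded a second time instead of being mapped back to port 80 of the external address.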

10.9_ NAT tnh (SNAT):


-21 -

V d : t t c ng truy n n m t a ch IP cng c ng ring bi t, c chuy n i n m t server n trn Subnet c b o v . B i vig firewall c nhi u hn m t a ch IP, ta khng th th c hi n MASQUERADE; n s b t bu c kh i t o nh a ch IP c a giao ti p chnh v khng nhng b t c nh ng a ch IP trng l p m firewall c th c. Thay v v y, s d ng SNAT ch r a ch IP b trng l p c s d ng cho vi c lin k t ban u b i nh ng server khc trong m ng c b o v . Ghi ch: M c d nh ng NAT c a b ng nat table, t t c ng truy n n server ch (192.168.1.100 n 102), ch lin k t v i port 80, 443 v 22 l c php thng qua b i FORWARD chain. Ta ph i ch r l a ch n ring bi t m multiport khi ta c n lm cho thch h p nh ng c ng khng tu n t (multiple non-sequential) cho c ngu n v ch. Trong v d ny, firewall c: S d ng one to one NAT t o server 192.168.1.100 trn home network xu t hi n trn Internet nh nh ng a ch IP (97.158.253.26). + T o m t many to one NAT cho a ch IP 192.168.1.100 home network, t t c nh ng server nh nh ng a ch IP (97.158.253.26). i u ny khc t kh i t o. Ta t o nh ng a ch IP trng l p cho m i nhm IP Internet cho one to one NAT
#---------------------------------------------------------
# Load the NAT module
#
# Note: It is best to use the /etc/rc.local example in this
# chapter. This value will not be retained in the
# /etc/sysconfig/iptables file. Included only as a reminder.
#---------------------------------------------------------

modprobe iptable_nat

#---------------------------------------------------------
# Enable routing by modifying the ip_forward /proc filesystem file
#
# Note: It is best to use the /etc/sysctl.conf example in this
# chapter. This value will not be retained in the
# /etc/sysconfig/iptables file. Included only as a reminder.
#---------------------------------------------------------

echo 1 > /proc/sys/net/ipv4/ip_forward

#---------------------------------------------------------
# NAT ALL traffic:
###########
# REMEMBER to create aliases for all the internet IP addresses below
###########
#
# TO:             FROM:            MAP TO SERVER:
# 97.158.253.26   Anywhere         192.168.1.100 (1:1 NAT - Inbound)
# Anywhere        192.168.1.100    97.158.253.26 (1:1 NAT - Outbound)
# Anywhere        192.168.1.0/24   97.158.253.29 (FW IP)
#
# SNAT is used to NAT all other outbound connections initiated
# from the protected network to appear to come from
# IP address 97.158.253.29
#
# POSTROUTING:
#   NATs source IP addresses. Frequently used to NAT connections
#   from your home network to the Internet
#
# PREROUTING:
#   NATs destination IP addresses. Frequently used to NAT
#   connections from the Internet to your home network
#
# - Interface eth0 is the internet interface
# - Interface eth1 is the private network interface
#---------------------------------------------------------

#---------------------------------------------------------
# PREROUTING statements for 1:1 NAT
# (Connections originating from the Internet)
#---------------------------------------------------------

iptables -t nat -A PREROUTING -d 97.158.253.26 -i eth0 \
         -j DNAT --to-destination 192.168.1.100

#---------------------------------------------------------
# POSTROUTING statements for 1:1 NAT
# (Connections originating from the home network servers)
#---------------------------------------------------------

iptables -t nat -A POSTROUTING -s 192.168.1.100 -o eth0 \
         -j SNAT --to-source 97.158.253.26

#---------------------------------------------------------
# POSTROUTING statements for Many:1 NAT
# (Connections originating from the entire home network)
#---------------------------------------------------------

iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j SNAT \
         -o eth0 --to-source 97.158.253.29

#---------------------------------------------------------
# Allow forwarding to each of the servers configured for 1:1 NAT
# (For connections originating from the Internet. Notice how you
# use the real IP addresses here)
#---------------------------------------------------------

iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.1.100 \
         -m multiport --dport 80,443,22 \
         -m state --state NEW -j ACCEPT

#---------------------------------------------------------
# Allow forwarding for all New and Established SNAT connections
# originating on the home network AND already established
# DNAT connections
#---------------------------------------------------------

iptables -A FORWARD -t filter -o eth0 -m state --state \
         NEW,ESTABLISHED,RELATED -j ACCEPT

#---------------------------------------------------------
# Allow forwarding for all 1:1 NAT connections originating on
# the Internet that have already passed through the NEW
# forwarding statements above
#---------------------------------------------------------

iptables -A FORWARD -t filter -i eth0 -m state --state \
         ESTABLISHED,RELATED -j ACCEPT


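As an added example (not the HOWTO's own script), the same static NAT setup written as shell functions: one call per 1:1 mapping emits its DNAT, SNAT and FORWARD rules, the many-to-one rule is appended after it so the server's own SNAT rule wins, and the apply step first checks that the public alias address really exists on eth0, the precondition the text mentions. The names IPT, WAN_IF, LAN_IF, FW_IP, has_alias, one_to_one, many_to_one, forward_state_rules and apply_static_nat are introduced here; set IPT=echo to preview the rules without touching the kernel.

```shell
#!/bin/sh
# Added example (not the HOWTO's own script): the static NAT configuration
# as shell functions. Set IPT=echo to preview the generated rules.
IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth0}"          # Internet interface
LAN_IF="${LAN_IF:-eth1}"          # protected network interface
FW_IP="${FW_IP:-97.158.253.29}"   # firewall's own public address (from the chapter)

# has_alias PUBLIC_IP : succeeds if the address is configured on WAN_IF.
# Without the alias the firewall never answers ARP for it, so the DNAT rule
# matches nothing and the SNAT source is unreachable from the Internet.
has_alias() {
    ip -4 addr show dev "$WAN_IF" 2>/dev/null | grep -qF "inet $1/"
}

# one_to_one PUBLIC_IP PRIVATE_IP PORTS : the three rules for one mapping:
# inbound DNAT, outbound SNAT, and a FORWARD rule that limits the exposed
# TCP ports (comma separated; non-sequential ports are fine with multiport).
one_to_one() {
    pub=$1; priv=$2; ports=$3
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -d "$pub" -j DNAT --to-destination "$priv"
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$priv" -j SNAT --to-source "$pub"
    $IPT -A FORWARD -p tcp -i "$WAN_IF" -o "$LAN_IF" -d "$priv" \
         -m multiport --dports "$ports" -m state --state NEW -j ACCEPT
}

# many_to_one NETWORK : everything else leaves as the firewall's own address.
# Must be appended after the 1:1 SNAT rules so that those match first.
many_to_one() {
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$1" -j SNAT --to-source "$FW_IP"
}

# forward_state_rules : stateful FORWARD rules shared by both NAT styles.
forward_state_rules() {
    $IPT -A FORWARD -o "$WAN_IF" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# apply_static_nat : the chapter's mapping, refusing to run without the alias.
apply_static_nat() {
    has_alias 97.158.253.26 || { echo "alias 97.158.253.26 missing on $WAN_IF" >&2; return 1; }
    one_to_one 97.158.253.26 192.168.1.100 80,443,22
    many_to_one 192.168.1.0/24
    forward_state_rules
}

# Defining the functions has no side effects; apply only when asked.
if [ "${1:-}" = apply ]; then apply_static_nat; fi
```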
10.10_ Troubleshooting iptables:
A number of tools are available for troubleshooting iptables firewall scripts. One of the best methods is to log every packet that gets blocked.
* Checking the firewall log: packets passing through the firewall are tracked in the iptables rule list by rules that use the LOG target. The LOG target:
+ Logs all traffic matching the iptables rule in which it is located, writes it to the file /var/log/messages and then executes the next rule.
+ To log only unwanted traffic, a matching rule with a DROP target must be added right after the LOG rule.
The following logs a summary of blocked packets to the file /var/log/messages.
#------------------------------------------------------
# Log and drop all other packets to file /var/log/messages
# Without this we could be crawling around in the dark
#------------------------------------------------------

iptables -A OUTPUT -j LOG
iptables -A INPUT -j LOG
iptables -A FORWARD -j LOG
iptables -A OUTPUT -j DROP
iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP
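An added example, not part of the original HOWTO: the LOG+DROP pair with a --log-prefix so its entries can be told apart from other kernel messages, and an awk summary of the /var/log/messages lines the LOG target writes, grouped by chain, source, protocol and destination port. The log lines are constructed samples (the host "bigboy" and all addresses are made up); the rate limit is an addition to the chapter's rules, and IPT, log_and_drop, sample_log and summarize_drops are names introduced here.

```shell
#!/bin/sh
# Added example, not part of the original HOWTO: a prefixed LOG+DROP pair and
# an awk summary of the /var/log/messages entries the LOG target produces.
# The sample log lines are constructed; host name and addresses are made up.
IPT="${IPT:-iptables}"

# log_and_drop CHAIN : log what reached the end of CHAIN, then drop it.
# The DROP must directly follow the LOG rule; otherwise the LOG rule also
# records traffic a later rule would accept. The rate limit (not in the
# chapter's version) keeps a flood from filling /var/log/messages.
log_and_drop() {
    $IPT -A "$1" -m limit --limit 5/min -j LOG --log-prefix "IPT-DROP $1: " --log-level 4
    $IPT -A "$1" -j DROP
}

# sample_log : constructed lines in the format the LOG target writes
sample_log() {
    cat <<'EOF'
Jan 12 10:01:02 bigboy kernel: IPT-DROP INPUT: IN=eth0 OUT= SRC=203.0.113.5 DST=97.158.253.29 LEN=60 TTL=52 ID=1 DF PROTO=TCP SPT=45678 DPT=22 SYN URGP=0
Jan 12 10:01:03 bigboy kernel: IPT-DROP INPUT: IN=eth0 OUT= SRC=203.0.113.5 DST=97.158.253.29 LEN=60 TTL=52 ID=2 DF PROTO=TCP SPT=45679 DPT=22 SYN URGP=0
Jan 12 10:01:09 bigboy kernel: IPT-DROP INPUT: IN=eth0 OUT= SRC=198.51.100.7 DST=97.158.253.29 LEN=78 TTL=60 ID=3 PROTO=UDP SPT=5353 DPT=53 LEN=58
Jan 12 10:02:15 bigboy kernel: IPT-DROP FORWARD: IN=eth1 OUT=eth0 SRC=192.168.1.37 DST=203.0.113.9 LEN=60 TTL=63 ID=4 DF PROTO=TCP SPT=51000 DPT=25 SYN URGP=0
Jan 12 10:02:40 bigboy sshd[1234]: Accepted publickey for admin from 192.168.1.10 port 50022
Jan 12 10:03:01 bigboy kernel: IPT-DROP INPUT: IN=eth0 OUT= SRC=203.0.113.5 DST=97.158.253.29 LEN=60 TTL=52 ID=5 DF PROTO=TCP SPT=45680 DPT=22 SYN URGP=0
EOF
}

# summarize_drops : count logged drops per chain, source, protocol and
# destination port, most frequent first. Reads log lines on stdin.
summarize_drops() {
    awk '/kernel: IPT-DROP / {
            chain = $0; sub(/.*IPT-DROP /, "", chain); sub(/:.*/, "", chain)
            src = "?"; proto = "?"; dpt = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)   src   = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            count[chain " " src " " proto " " dpt]++
        }
        END { for (k in count) print count[k], k }' | sort -rn
}
```

On a real firewall, replace `sample_log` with `grep 'IPT-DROP' /var/log/messages` to get the same summary from the live log.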
