
Chuyên đề S1 (Special Topic S1)

Supervisor (GVHD): Nguyễn Thị Thanh Vân

TABLE OF CONTENTS
Part I: OVERVIEW OF FIREWALLS ... 3
I. Introduction to firewalls ... 3
1. What is a firewall? ... 3
2. Types of firewalls ... 3
3. Firewall structure ... 4
4. Functions of a firewall ... 7
II. Operating principle ... 8
III. Advantages of firewalls ... 8
IV. Disadvantages ... 8
V. Some firewall products ... 9
Part II: IPTABLES ... 9
I. Introduction to Iptables ... 9
II. Installing Iptables ... 10
III. Packet processing in Iptables ... 13
1. Mangle table ... 13
2. Filter queue ... 13
3. NAT queue ... 13
IV. Targets and jumps ... 14
1. Jumps ... 14
2. Targets ... 14
V. Some Iptables commands ... 15
1. Commonly used commands ... 15
2. Commonly used protocols ... 16
3. Commonly used extended match conditions ... 16
4. Some examples ... 17
VI. Iptables scripts ... 18
1. Saving the Iptables script ... 18
2. Backing up and restoring the script ... 18
Part III: CONFIGURING SOME IPTABLES FUNCTIONS ... 19
I. Network model ... 19
II. Basic Iptables setup ... 20
Nhóm 10 (Group 10)

Page 1


1. Checking whether the Iptables service is installed ... 20
2. Starting Iptables ... 20
3. Viewing the Iptables status ... 21
4. Viewing the Iptables configuration file ... 22
5. Saving Iptables ... 23
6. Starting the iptables service at system boot ... 23
III. Filter configuration ... 23
1. Ping ... 23
2. SSH: port 22 ... 26
3. Telnet: port 23 ... 28
4. HTTP: port 80 ... 30
IV. NAT configuration ... 33
1. NAT In ... 33
2. NAT Out ... 37


Part I: OVERVIEW OF FIREWALLS

I. Introduction to firewalls
1. What is a firewall?
- The term "firewall" comes from a construction technique designed to stop or limit the spread of fire.
- A firewall is a technique integrated into a system to resist unauthorized access, in order to protect internal information resources and limit unwanted intrusion into the system.
- A firewall can be described as a defensive perimeter around the system with checkpoints that control all inbound and outbound traffic flows. Access can be monitored and blocked at these checkpoints.
- A firewall is usually placed between the internal network (Intranet) of a company, organization, sector or country and the Internet. Its main role is information security: blocking unwanted access from outside (the Internet) and forbidding access from inside (the Intranet) to certain addresses on the Internet.

2. Types of firewalls
Hardware firewalls: firewalls integrated into routers.
Characteristics of hardware firewalls:
- Less flexible than software firewalls (functions and rules cannot be added the way they can on a software firewall).
- Hardware firewalls operate at lower layers than software firewalls (the Network and Transport layers).
- Hardware firewalls cannot inspect the content of packets.
Example of a hardware firewall: NAT (Network Address Translation).


Software firewalls: firewalls installed on servers.
Characteristics of software firewalls:
- Highly flexible: rules and functions can be added or removed.
- Software firewalls operate at a higher layer than hardware firewalls (the application layer).
- Software firewalls can inspect the content of packets (through keywords).
Examples of software firewalls: Zone Alarm, Norton Firewall.
3. Firewall structure
A firewall consists of one or more of the following components.
Packet filter (packet-filtering router)
Operating principle:
- The packet filter permits or denies every packet it receives. It examines the whole datagram to decide whether it satisfies one of the packet-filtering rules. These filtering rules are based on the information in each packet's header, and are used to permit the transmission of packets on the network.
- If a filtering rule is satisfied, the packet is passed through the firewall; otherwise it is dropped. In this way the firewall can block connections to specific hosts or networks, or lock out access to the internal network from disallowed addresses. Furthermore, control over ports lets the firewall permit only certain kinds of connections to certain hosts, or allow only certain services (Telnet, SMTP, FTP, ...) to run on the local network.
Advantages
- Most firewall systems use a packet filter. One advantage of packet filtering is its low cost, since the packet-filtering mechanism is included in every router's software.
- In addition, packet filters are transparent to users and applications, so they require no special training.


Limitations
- Defining packet-filtering rules is quite complex; it requires the network administrator to have detailed knowledge of Internet services, packet header formats, and the specific values each field can take on the wire. As the filtering requirements grow, the filtering rules become long and complex, and hard to manage and control.
- Because it works on packet headers, the packet filter clearly cannot control the information content of packets. Packets that pass through can still carry the information-stealing or destructive actions of attackers.
Application gateway (application-level gateway or proxy server)
Principle:
- This is a type of firewall designed to strengthen control over which services and protocols are allowed into the network. Its operation is based on what is called a proxy service. Proxy services are special pieces of code installed on the gateway for each application. If the network administrator does not install proxy code for an application, the corresponding service is not provided and therefore cannot pass information through the firewall. In addition, proxy code can be configured to support only those features of the application that the administrator considers acceptable, while rejecting the others.
- An application gateway is often regarded as a bastion host, because it is specially designed to withstand attacks from outside. The security measures of a bastion host are:
- The bastion host always runs secure versions of the system software (operating system). These secure versions are designed specifically to resist attacks on the operating system and to ensure the integrity of the firewall. Only the services the network administrator considers necessary are installed on the bastion host, simply because a service that is not installed cannot be attacked. Typically only a limited set of applications for the Telnet, DNS, FTP and SMTP services and for user authentication are installed on the bastion host. The bastion host may require several levels of authentication, such as a user password or a smart card. Each proxy is configured to allow access to only a certain set of hosts. This means that the command set and features configured for each proxy apply only to a subset of the hosts in the whole system. Each proxy keeps a log recording full details of the traffic through it, every connection, and the duration of each connection. This log is very useful for tracing or blocking intruders. Each proxy is independent of the other proxies on the bastion host. This makes it easy to install a new proxy or remove a proxy that has a problem.
Advantages:
The network administrator has complete control over each service on the network, because the proxy application restricts the command set and decides which hosts the services can reach. The administrator has complete control over which services are permitted, because the absence of a proxy for a service means that service is blocked. An application gateway supports very good authentication checks, and it keeps a log of system access. Filtering rules for an application gateway are easier to configure and verify than those of a packet filter.
Limitations:
Users must change their working procedures, or change the software installed on the client machine, to access the proxy services. For example, Telnet access through an application gateway requires two steps to connect to the destination host instead of one. However, some client software makes the application gateway transparent by letting the user specify the destination host rather than the application gateway in the Telnet command.


Circuit-level gateway
A circuit-level gateway is a special function that can be performed by an application gateway. It simply relays TCP connections without performing any processing or packet filtering.
The figure below illustrates a telnet connection through a circuit-level gateway. The gateway simply relays the telnet connection through the firewall without checking, filtering or controlling any of the Telnet procedures. It works like a wire, copying bytes between the inside connection and the outside connection. However, because the connection appears to originate from the firewall system, it hides information about the internal network.
Circuit-level gateways are usually used for outbound connections, where the network administrators genuinely trust the internal users. Their biggest advantage is that a bastion host can be configured as a hybrid, providing an application gateway for inbound connections and a circuit-level gateway for outbound connections. This makes the firewall system easy to use for internal users who want direct access to Internet services, while still providing the firewall function of protecting the internal network from outside attacks.
4. Functions of a firewall
The main function of a firewall is to control the flow of information between the Intranet and the Internet:
+ Permit or forbid services accessing the outside.
+ Permit or forbid services from outside accessing the inside.
+ Monitor the network traffic between the Internet and the Intranet.
+ Control access addresses and block access addresses.
+ Control users and user access.


II. Operating principle
- A firewall works closely with the TCP/IP protocol, because this protocol works by splitting the data received from network applications into small pieces. Therefore a firewall is very much concerned with packets and their address numbers.
- The packet filter permits or denies every packet it receives.
- The filtering rules are based on the information in each packet's header, and are used to permit the transmission of packets on the network.
- If the packet satisfies the rules established in advance on the firewall, it is passed through; if not, it is discarded.
- Note: because the check is based on packet headers, the filter cannot control the information content of packets. Consequently, packets that pass through can still carry the information-stealing or destructive actions of attackers.

III. Advantages of firewalls
- They limit the number of connections, helping us resist attack mechanisms.
- Most firewall systems use a packet filter, so its advantages are:
+ Low cost, since the packet-filtering mechanism is included in every router's software.
+ Easy and simple to install.
+ Can give advance warning of attacks (e.g. by detecting port scans).

IV. Disadvantages
- Requires the network administrator to have detailed knowledge of Internet services and packet header formats.
- As the filtering grows, the filtering rules become long and complex, and hard to manage and control.
- A firewall cannot scan for viruses in the data passing through it, because new viruses appear continuously and there are many ways to encode data so that it escapes the firewall's control.
- A firewall can only block intrusion from unwanted information sources, and the address parameters must be specified precisely.

- A firewall cannot stop an attack that does not pass through it.
- Examples:
+ Information leaks caused by data being copied illegally onto floppy disks, USB drives or CDs.
+ A firewall also cannot resist data-driven attacks.
+ A typical example is computer viruses.
V. Some firewall products
- Some packet-filtering products on Linux:
+ Iptables
+ Ipchains
+ SmoothWall
We should use iptables; ipchains is obsolete.

Part II: IPTABLES

I. Introduction to Iptables
- Iptables was written by the Netfilter organization to increase the security features of Linux systems.
- Iptables provides the following features:
+ Good integration with the Linux kernel.
+ Efficient packet analysis.
+ Packet filtering based on MAC addresses and some flags in the TCP header.
+ Detailed options for logging system events.
+ NAT.
+ The ability to block some DoS (Denial of Service) attack mechanisms.


II. Installing Iptables
- Usually iptables is installed by default on Linux systems; the iptables package on Linux is iptables-version.rpm (where version is the iptables version to install).
Install the iptables service:
# rpm -ivh iptables-version.rpm
Start iptables:
# service iptables start
Start the iptables service at system boot:
# chkconfig iptables on
Restart iptables:
# service iptables restart
Stop iptables:
# service iptables stop
Check the status of iptables:
# service iptables status
Save iptables:
# service iptables save
Open the iptables configuration file:
# vi /etc/sysconfig/iptables
Edit the iptables configuration file:
# gedit /etc/sysconfig/iptables

Screen after opening the iptables configuration file (screenshot in the original).

Using the firewall configuration interface:
+ Type setup and choose Firewall configuration.
+ Select Enabled on the Security level line and choose Customize.
+ Tick the services to allow through the firewall, for example SSH, Telnet and HTTP.

III. Packet processing in Iptables
- Iptables checks every packet as it passes through the iptables host; the check proceeds sequentially from the first entry to the last.
- There are three kinds of tables in iptables:
Mangle table.
Filter queue.
NAT queue.

1. Mangle table:
Responsible for changing the quality-of-service bits in the TCP header, such as TOS, TTL and MARK. This kind of table is usually used in SOHO (Small Office and Home Office) networks. Its chains are:
+ PREROUTING
+ POSTROUTING
+ OUTPUT
+ INPUT
+ FORWARD
2. Filter queue:
Responsible for packet filtering. Three built-in chains are described for implementing the firewall policy rules:
+ FORWARD chain: filters packets passing through the firewall.
+ INPUT chain: filters packets coming into the firewall.
+ OUTPUT chain: filters packets going out of the firewall.
3. NAT queue:
Implements NAT (Network Address Translation) and provides the following two built-in chains:
+ PREROUTING chain: NAT from outside into the internal network. NAT is performed before the routing mechanism runs. This is convenient for changing the destination address to one that fits the firewall's routing table; in the configuration we use the keyword DNAT to describe this technique.
+ POSTROUTING chain: NAT from inside to outside. NAT is performed after the routing mechanism runs. This process changes the source address of the packet. The technique is called one-to-one or many-to-one NAT, also known as Source NAT or SNAT.
IV. Targets and jumps
1. Jumps:
The mechanism that passes a packet to a target for further processing.
2. Targets:
The actions iptables takes on packets once they have been identified and checked. The targets built into iptables include ACCEPT, DROP, LOG, REJECT, DNAT, SNAT and MASQUERADE.
+ ACCEPT: iptables accepts the packet and delivers the data to its destination.
+ DROP: iptables blocks the packet.
+ LOG: the packet's information is sent to the syslog daemon and iptables continues with the next rule in the rule table. If the last rule does not match either, the packet is dropped. A common option is --log-prefix=string, which makes iptables record messages beginning with that string.
+ REJECT: blocks the packet and sends a notification to the sender. A common option is --reject-with qualifier, where the qualifier specifies the type of reject message sent back to the sender.
+ DNAT: changes the packet's destination address. The option is --to-destination ipaddress.
+ SNAT: changes the packet's source address. The option is --to-source <address>[-address][:<port>-<port>].
+ MASQUERADE: used to perform NAT (replacing the source address with the address of the firewall's interface). The option is [--to-ports <port>[-<port>]], which specifies the range of source ports to map to the original port range.
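To make the order-of-evaluation and target semantics above concrete, here is a small Python model of one filter chain. It is an added example and not code from the report or from the iptables project: the packets are plain dictionaries of header fields that I construct, the rule fields stand for the -p, -i, -s, --dport, --sport and -m state --state options, and the chain policy plays the role of iptables -P. It shows first-match evaluation, LOG falling through to the next rule, REJECT versus DROP, and the policy applying when no terminating rule matches.

```python
"""Model of iptables filter-chain evaluation.

Added example: not code from the report or from iptables itself.  Packets are
dicts of header fields constructed below; rules mirror the -p/-i/-s/--dport/
--sport/-m state options and the chain policy mirrors iptables -P.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set


def port_range(spec: str) -> range:
    """'22' -> range(22, 23); '1024:65535' -> range(1024, 65536) (iptables port syntax)."""
    lo, _, hi = spec.partition(":")
    return range(int(lo), int(hi or lo) + 1)


@dataclass
class Rule:
    target: str                        # ACCEPT, DROP, REJECT (terminating) or LOG (non-terminating)
    proto: Optional[str] = None        # -p tcp|udp|icmp ; None = any protocol
    in_iface: Optional[str] = None     # -i eth0
    src: Optional[str] = None          # -s 10.0.0.0/24
    dport: Optional[range] = None      # --dport
    sport: Optional[range] = None      # --sport
    states: Optional[Set[str]] = None  # -m state --state NEW,ESTABLISHED,...
    log_prefix: str = ""               # --log-prefix (LOG only)


def matches(rule: Rule, pkt: dict) -> bool:
    """True when every match option of the rule agrees with the packet header."""
    if rule.proto and pkt.get("proto") != rule.proto:
        return False
    if rule.in_iface and pkt.get("in") != rule.in_iface:
        return False
    if rule.src and ip_address(pkt["src"]) not in ip_network(rule.src, strict=False):
        return False
    if rule.dport is not None and pkt.get("dport") not in rule.dport:
        return False
    if rule.sport is not None and pkt.get("sport") not in rule.sport:
        return False
    if rule.states and pkt.get("state") not in rule.states:
        return False
    return True


@dataclass
class Chain:
    policy: str = "DROP"                           # iptables -P <chain> <policy>
    rules: List[Rule] = field(default_factory=list)
    log: List[str] = field(default_factory=list)   # stands in for the syslog daemon

    def evaluate(self, pkt: dict) -> str:
        """Walk the rules in order; the first terminating match wins, else the policy applies."""
        for rule in self.rules:
            if not matches(rule, pkt):
                continue
            if rule.target == "LOG":
                self.log.append(f"{rule.log_prefix}IN={pkt.get('in')} PROTO={pkt['proto']} "
                                f"SRC={pkt['src']} DPT={pkt.get('dport')}")
                continue                      # LOG does not stop the walk
            return rule.target                # ACCEPT / DROP / REJECT end it
        return self.policy


def build_input_chain() -> Chain:
    """INPUT chain in the spirit of example 4 in the report, plus a LOG rule and a REJECT for telnet."""
    chain = Chain(policy="DROP")
    chain.rules += [
        Rule("ACCEPT", states={"ESTABLISHED", "RELATED"}),
        Rule("ACCEPT", proto="tcp", in_iface="eth0", src="10.0.0.0/24",
             dport=port_range("22"), sport=port_range("1024:65535"), states={"NEW"}),
        Rule("ACCEPT", proto="tcp", in_iface="eth0",
             dport=port_range("80"), sport=port_range("1024:65535"), states={"NEW"}),
        Rule("LOG", proto="tcp", states={"NEW"}, log_prefix="INPUT-NEW-DENIED: "),
        Rule("REJECT", proto="tcp", dport=port_range("23")),
    ]
    return chain


if __name__ == "__main__":
    chain = build_input_chain()
    samples = [  # constructed packets, not captured traffic
        {"proto": "tcp", "in": "eth0", "src": "10.0.0.4", "sport": 40000, "dport": 22, "state": "NEW"},
        {"proto": "tcp", "in": "eth0", "src": "10.0.0.4", "sport": 40001, "dport": 23, "state": "NEW"},
        {"proto": "tcp", "in": "eth1", "src": "192.168.0.2", "sport": 40002, "dport": 80, "state": "NEW"},
        {"proto": "tcp", "in": "eth1", "src": "192.168.0.2", "sport": 40002, "dport": 80, "state": "ESTABLISHED"},
    ]
    for pkt in samples:
        print(pkt["src"], "->", pkt.get("dport"), pkt["state"], "=>", chain.evaluate(pkt))
    print("\n".join(chain.log))
```

The telnet packet is logged and then rejected, while the HTTP packet arriving on eth1 is logged and then falls to the DROP policy because the ACCEPT rule is tied to eth0: that difference between REJECT (sender is told) and DROP (silent) is only visible once the rules are walked in order.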
V. Some Iptables commands
1. Commonly used commands:
# iptables [switch parameters] ...
-t <table> : specifies the table for iptables, one of the filter, nat and mangle tables.
-j <target> : jumps to a target chain when the packet matches the current rule.
-A : appends a rule to the end of the iptables chain.
Examples:
+ # iptables -A INPUT -j ACCEPT : accept all packets sent to the firewall.
+ # iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -o eth0 -j MASQUERADE : a rule in the nat table.
-P <chain-name> : changes the policy of the chain.
-F <chain-name> : deletes all rules in the selected chain.
-N <chain-name> : creates a new chain.
-X <chain-name> : deletes a user-created chain.
Examples:
+ # iptables -P INPUT DROP : sets the policy of the INPUT chain to DROP. When an incoming packet matches none of the chain's rules, it is handled according to this policy.
+ # iptables -F INPUT : deletes all rules of the INPUT chain.
+ # iptables -F OUTPUT : deletes all rules of the OUTPUT chain.
+ # iptables -F : deletes all rules of all chains.
+ # iptables -N ChainMoi
+ # iptables -X ChainMoi
Note: built-in chains cannot be deleted.
-p <protocol-type> : describes the protocol: icmp, tcp, udp or all.
-s <ip-address> : specifies the source address.
-d <ip-address> : specifies the destination address.
-i <interface-name> : specifies the input interface that receives the packet.
-o <interface-name> : specifies the output interface that sends the packet out.
2. Commonly used protocols
-p tcp --sport <port> : TCP source port. It can be a single value or a range of the form start-port:end-port.
-p tcp --dport <port> : TCP destination port.
-p tcp --syn : used to identify a new TCP connection request.
-p udp --sport <port> : UDP source port.
-p udp --dport <port> : UDP destination port.
-p icmp --icmp-type <type> : the most common ICMP types are echo-reply and echo-request.
Example:
# iptables -A FORWARD -s 0/0 -i eth0 -o eth1 -d 172.16.0.2 -p tcp --sport 1024:65535 --dport 80 -j ACCEPT
The firewall accepts packets whose protocol is TCP, which arrive on network card eth0 with any source IP address, and which go to address 172.16.0.2 via network card eth1. The source port is in the range 1024 to 65535 and the destination port is 80 (www/http).
3. Commonly used extended match conditions
-m multiport --sport <port,port> : several different TCP/UDP source ports separated by commas (,). This is a list of ports, not a contiguous range.
-m multiport --dport <port,port> : TCP/UDP destination ports.
-m multiport --ports <port,port> : ports, regardless of whether they are source or destination ports.
-m state --state <state> : the common <state> values are ESTABLISHED, NEW, RELATED and INVALID.
Packet states:
+ ESTABLISHED : the packet is part of a connection that has been established in both directions.
+ NEW : the packet is the start of a new connection.
+ RELATED : the packet starts a secondary connection. This is typically a feature of the FTP protocol or of ICMP errors.
+ INVALID : the packet cannot be identified.
-m limit --limit 1/s : specifies the number of matches allowed per unit of time, in the form (/second, /minute, /hour, /day).
4. Some examples:
Example 1: the firewall accepts any TCP packet entering interface eth0 for address 172.28.24.199
# iptables -A INPUT -s 0/0 -i eth0 -d 172.28.24.199 -p tcp -j ACCEPT
Example 2: the firewall allows sending icmp echo-request and receiving icmp echo-reply
# iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
# iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
Example 3: allow DNS access to the firewall
# iptables -A OUTPUT -p udp -o eth0 --dport 53 --sport 1024:65535 -j ACCEPT
# iptables -A INPUT -p udp -i eth0 --dport 53 --sport 1024:65535 -j ACCEPT
Example 4: allow WWW and ssh access to the firewall
# iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A INPUT -p tcp -i eth0 --dport 22 --sport 1024:65535 -m state --state NEW -j ACCEPT
# iptables -A INPUT -p tcp -i eth0 --dport 80 --sport 1024:65535 -m state --state NEW -j ACCEPT

VI. Iptables scripts
1. Saving the Iptables script:
- The command service iptables save stores the rules in the file /etc/sysconfig/iptables.
- When we reboot, the iptables-restore program reads this script file again and reactivates the saved configuration.
2. Backing up and restoring the script
- So that the script can be recovered if the script file is lost, we first back up the script with the command:
# iptables-save > script_du_phong
- When recovery is needed we reload iptables with the iptables-restore command:
# iptables-restore < script_du_phong
- Finally, we use the save command to store the rules back into the configuration file:
# service iptables save


Part III: CONFIGURING SOME IPTABLES FUNCTIONS
I. Network model
Setup:
The Client machine has one host-only network card with IP 10.0.0.4.
The Web-Mail machine has one host-only network card with IP 10.0.0.2.
The Firewall machine has two network cards: one host-only card with IP address 10.0.0.1, and one card facing the Internet with IP 192.168.0.1.
The machine out on the Internet has one network card with IP 192.168.0.2.
Requirements:
The Client, Web-Mail and Firewall machines can ping each other.
The machine on the Internet can ping the Firewall machine and vice versa.

II. Basic Iptables setup
1. Checking whether the Iptables service is installed
Use the command: # rpm -qa iptables
2. Starting Iptables
Use the command:
# service iptables start
3. Viewing the Iptables status
Use the command:
# service iptables status
4. Viewing the Iptables configuration file
Use the command:
# iptables -L
or open the file with the command # vi /etc/sysconfig/iptables
5. Saving Iptables
Use the command:
# service iptables save
6. Starting the iptables service at system boot:
# chkconfig iptables on

III. Filter configuration
1. Ping
Description: by default, machines on the same network segment can ping each other; now we will block these machines from pinging each other.
On the Firewall machine, open the iptables configuration file with the command
# vi /etc/sysconfig/iptables
Line 13 is the rule that allows ping; to block ping, add # in front of this rule, or change ACCEPT to DROP.
(Screenshot in the original: the rule commented out with #.)
(Screenshot in the original: the same rule with ACCEPT changed to DROP.)
Then save the edited rules and restart iptables with the command
# service iptables restart
2. SSH: port 22
Description: iptables on the Firewall machine allows or blocks SSH from the machines on the LAN to the Firewall machine.
In the setup tool we allow the SSH service through.
Then open the iptables configuration file with the command
# vi /etc/sysconfig/iptables
Line 21 is the rule that allows the SSH service through.
Block the SSH service by adding # at line 21.
Then save the edited rules and restart iptables with the command
# service iptables restart
3. Telnet: port 23
Description: iptables on the Firewall machine allows or blocks telnet from the machines on the LAN to the Firewall machine.
In the setup tool we allow the telnet service through.
Then open the iptables configuration file with the command # vi /etc/sysconfig/iptables
Line 21 is the rule that allows the telnet service through.
Block the telnet service by adding # at line 21.
Then save the edited rules and restart iptables with the command
# service iptables restart
4. HTTP: port 80
Description: the machines on the LAN can connect to the Internet and reach web pages through their browsers, in other words through port 80 (HTTP) and port 443 (HTTPS); on iptables we allow or block the LAN machines from using the web.
In the setup tool we allow the HTTP and HTTPS services through.
Then open the iptables configuration file with the command # vi /etc/sysconfig/iptables
Lines 21 and 22 are the rules that allow the HTTP and HTTPS services through.
Block the HTTP and HTTPS services by adding # at lines 21 and 22.
Then save the edited rules and restart iptables with the command
# service iptables restart
The remaining services are handled in the same way.

Note:
When the iptables configuration file is opened with the command # vi /etc/sysconfig/iptables, press a to edit the configuration and use :x to save it.
The iptables configuration can also be opened with the command # gedit /etc/sysconfig/iptables, where we can edit and save directly in the configuration file.
After any change to a rule, we must save and restart iptables for the new rule to take effect.
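The procedure in sections 1 to 4 above edits /etc/sysconfig/iptables by line number. The following Python script, added here as an example and not part of the report, performs the same edit programmatically on a constructed sample file in the iptables-save format that service iptables save writes (its line numbers are its own, not the line 13 and line 21 of the report's screenshots): it parses each -A rule, finds the ACCEPT rule for a given protocol and destination port, and either comments the line out with # or rewrites ACCEPT to DROP, the two edits the report uses. A check function re-parses the result so the effect can be confirmed before service iptables restart is run.

```python
"""Find and disable ACCEPT rules in a file in /etc/sysconfig/iptables format.

Added example, not the report's code.  SAMPLE_CONFIG is a constructed file in
the iptables-save format that 'service iptables save' writes; its line numbers
are its own and not the line 13 / line 21 of the report's screenshots.
"""
from dataclasses import dataclass
from typing import List, Optional

SAMPLE_CONFIG = """\
# Constructed sample in the format of /etc/sysconfig/iptables (not a real system's file)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 23 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""


@dataclass
class SavedRule:
    lineno: int                 # 1-based line number in the file, as vi shows it
    chain: str
    target: Optional[str]
    proto: Optional[str] = None
    dport: Optional[int] = None


def parse_rules(text: str) -> List[SavedRule]:
    """Parse the '-A <chain> ... -j <target>' lines.  Lines starting with '#' are comments
    and never reach iptables-restore, which is why a leading '#' disables a rule."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        tokens = line.split()
        if len(tokens) < 2 or tokens[0] != "-A":
            continue
        rule = SavedRule(lineno=lineno, chain=tokens[1], target=None)
        for i, tok in enumerate(tokens[2:], start=2):
            nxt = tokens[i + 1] if i + 1 < len(tokens) else None
            if tok == "-p":
                rule.proto = nxt
            elif tok == "--dport" and nxt is not None:
                rule.dport = int(nxt)
            elif tok == "-j":
                rule.target = nxt
        rules.append(rule)
    return rules


def find_accept_rules(text: str, proto: str, port: Optional[int] = None) -> List[int]:
    """Line numbers of ACCEPT rules for a protocol (and destination port, if given)."""
    return [r.lineno for r in parse_rules(text)
            if r.target == "ACCEPT" and r.proto == proto and (port is None or r.dport == port)]


def disable_rules(text: str, linenos: List[int], mode: str = "comment") -> str:
    """Apply the report's two edits: mode='comment' prefixes '#', mode='drop' turns ACCEPT into DROP."""
    lines = text.split("\n")
    for n in linenos:
        if mode == "comment":
            lines[n - 1] = "# " + lines[n - 1]
        elif mode == "drop":
            lines[n - 1] = lines[n - 1].replace("-j ACCEPT", "-j DROP")
        else:
            raise ValueError("mode must be 'comment' or 'drop'")
    return "\n".join(lines)


def service_allowed(text: str, proto: str, port: Optional[int] = None) -> bool:
    """Re-parse the (possibly edited) file and report whether an ACCEPT rule still exists."""
    return bool(find_accept_rules(text, proto, port))


if __name__ == "__main__":
    ssh_lines = find_accept_rules(SAMPLE_CONFIG, "tcp", 22)
    print("SSH allowed at line(s):", ssh_lines)
    edited = disable_rules(SAMPLE_CONFIG, ssh_lines, "comment")
    print("SSH still allowed after edit:", service_allowed(edited, "tcp", 22))
    print(edited)   # what would be written back before 'service iptables restart'
```

Commenting a line out and changing ACCEPT to DROP are not quite the same: with the line commented out, the packet continues to the final REJECT rule and the sender receives an ICMP error, whereas with DROP the packet is silently discarded at that line. Both variants are checked by re-parsing, which is the same check a reviewer can do on the real file before restarting the service.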

IV. NAT configuration
1. NAT In
Description: for machines out on the Internet to reach the Web-Mail server on the LAN, we must use the NAT In technique.
On the Firewall machine, in the setup tool, we allow the services through the network cards.
Under Trusted Devices we tick the network cards.
Enable switching (routing) between the network cards.
Enter the NAT In command line.
Save the iptables configuration file with the command
# service iptables save
Restart the service with the command
# service iptables restart
Start the iptables service at system boot:
# chkconfig iptables on
Reopen the iptables configuration file to check that NAT In has been applied.
After that, any machine out on the Internet can use our system's web service.
2. NAT Out
Description: allow the machines on the LAN to connect out to the Internet.
On the Firewall machine, in the setup tool, we allow the services through the network cards.
Under Trusted Devices we tick the network cards.
Enable switching (routing) between the network cards.
Enter the NAT Out command line.
Save the iptables configuration file with the command
# service iptables save
Restart the service with the command
# service iptables restart
Start the iptables service at system boot:
# chkconfig iptables on
Reopen the iptables configuration file to check that NAT Out has been applied.
After that, any machine on the LAN can connect to the Internet.
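The report's NAT In and NAT Out commands appear only in its screenshots. The Python model below is an added example, not the report's code, that follows the PREROUTING/DNAT and POSTROUTING/SNAT description from Part II on the report's addresses (Firewall 10.0.0.1 and 192.168.0.1, Web-Mail 10.0.0.2, Client 10.0.0.4, Internet host 192.168.0.2). The interface names eth0/eth1, the /24 mask and the port numbers are my assumptions, and the iptables commands in the comments are the usual equivalents rather than text from the report. It also models the connection-tracking entry that lets replies be translated back, which is what makes NAT In and NAT Out work for two-way traffic.

```python
"""Model of NAT In (DNAT in PREROUTING) and NAT Out (MASQUERADE in POSTROUTING).

Added example, not the report's code.  Addresses come from the report's network
model; interface names, the /24 mask and port numbers are assumptions.  The
iptables commands in the comments are the usual equivalents, not copied from
the report.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class NatFirewall:
    def __init__(self, iface_ips: Dict[str, str]):
        self.iface_ips = iface_ips                                   # interface -> firewall address
        self.dnat_rules: List[Tuple[str, str, int, str, int]] = []   # nat PREROUTING
        self.masq_rules: List[Tuple[str, object]] = []               # nat POSTROUTING
        self.conntrack: Dict[Packet, Packet] = {}                    # translated flow -> original flow

    def add_dnat(self, in_iface: str, proto: str, dport: int, to_ip: str, to_port: int) -> None:
        # iptables -t nat -A PREROUTING -i <in_iface> -p <proto> --dport <dport> \
        #          -j DNAT --to-destination <to_ip>:<to_port>
        self.dnat_rules.append((in_iface, proto, dport, to_ip, to_port))

    def add_masquerade(self, out_iface: str, src_net: str) -> None:
        # iptables -t nat -A POSTROUTING -o <out_iface> -s <src_net> -j MASQUERADE
        self.masq_rules.append((out_iface, ip_network(src_net)))

    def forward(self, pkt: Packet, in_iface: str, out_iface: str) -> Packet:
        """PREROUTING (DNAT) -> routing -> POSTROUTING (SNAT), as described in Part II.
        Routing is represented only by the caller naming the output interface; on a
        real firewall it also needs forwarding enabled (net.ipv4.ip_forward=1)."""
        original = pkt
        for rule_in, proto, dport, to_ip, to_port in self.dnat_rules:
            if (in_iface == rule_in and pkt.proto == proto
                    and pkt.dst == self.iface_ips[in_iface] and pkt.dport == dport):
                pkt = replace(pkt, dst=to_ip, dport=to_port)        # destination rewritten before routing
                break
        for rule_out, net in self.masq_rules:
            if out_iface == rule_out and ip_address(pkt.src) in net:
                pkt = replace(pkt, src=self.iface_ips[out_iface])   # source rewritten after routing
                break
        if pkt != original:
            self.conntrack[pkt] = original   # remember the mapping so the reply can be undone
        return pkt

    def reply(self, pkt: Packet) -> Optional[Packet]:
        """Translate a reply back.  The reply's src/dst are the translated flow's dst/src."""
        key = Packet(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        original = self.conntrack.get(key)
        if original is None:
            return None   # no state for this flow: nothing to untranslate
        return Packet(pkt.proto, original.dst, original.dport, original.src, original.sport)


def build_report_firewall() -> NatFirewall:
    """Firewall from the report's model: eth0 = LAN side (10.0.0.1), eth1 = Internet side (192.168.0.1)."""
    fw = NatFirewall({"eth0": "10.0.0.1", "eth1": "192.168.0.1"})
    fw.add_dnat("eth1", "tcp", 80, "10.0.0.2", 80)     # NAT In: publish the Web-Mail server
    fw.add_masquerade("eth1", "10.0.0.0/24")           # NAT Out: LAN clients reach the Internet
    return fw


if __name__ == "__main__":
    fw = build_report_firewall()
    # NAT In: the Internet host 192.168.0.2 opens the web service on the firewall's public address
    inbound = fw.forward(Packet("tcp", "192.168.0.2", 40000, "192.168.0.1", 80), "eth1", "eth0")
    print("NAT In  ->", inbound)
    print("reply   ->", fw.reply(Packet("tcp", "10.0.0.2", 80, "192.168.0.2", 40000)))
    # NAT Out: the LAN client 10.0.0.4 browses a site on the Internet host
    outbound = fw.forward(Packet("tcp", "10.0.0.4", 50000, "192.168.0.2", 80), "eth0", "eth1")
    print("NAT Out ->", outbound)
    print("reply   ->", fw.reply(Packet("tcp", "192.168.0.2", 80, "192.168.0.1", 50000)))
```

The DNAT rule is keyed to the Internet-facing interface and the firewall's public address, so an Internet host sees only 192.168.0.1 and never learns that the service lives on 10.0.0.2; the MASQUERADE rule is keyed to the outgoing interface and the LAN prefix, so outside hosts see every LAN client as 192.168.0.1. Rechecking the configuration file after the edit, as the report does, is the manual version of the lookups performed here.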
