Linux 2.4 Packet Filtering HOWTO

Author: Rusty Russell, mailing list netfilter@lists.samba.org
Translator: 網中人 <netmanforever@yahoo.com>
v1.0.1 Mon May 1 18:09:31 CST 2000
_________________________________________________________________

This document describes how to use iptables to filter out bad packets on the
2.4 Linux kernel.
_________________________________________________________________

1. Introduction
2. Where Is The Official Web Site, And Is There A Mailing List?
3. So What Is A Packet Filter?
   * 3.1 Why Would I Want To Packet Filter?
   * 3.2 How Do I Packet Filter Under Linux?
4. Who The Hell Are You, And Why Are You Playing With My Kernel?
5. Rusty's Really Quick Guide To Packet Filtering
6. How Packets Traverse The Filters
7. Using iptables
   * 7.1 What You'll See When Your Computer Starts Up
   * 7.2 Operations On A Single Rule
   * 7.3 Filtering Specifications
   * 7.4 Target Specifications
   * 7.5 Operations On An Entire Chain
8. Using ipchains And ipfwadm
9. Mixing NAT And Packet Filtering
10. Differences Between iptables And ipchains
11. Advice On Packet Filter Design
_________________________________________________________________

1. Introduction

Welcome, gentle reader!

I assume here that you already know what an IP address, a network address,
a netmask, routing and DNS are. If not, I recommend that you first read the
Network Concepts HOWTO.

This HOWTO is more than a cursory introduction (the kind that leaves you a
little hot and flustered, yet feeling like meat on the chopping block), but
it is not a raw, exhaustive exposé either (the kind that leaves you with
something learned, but without going mad or being led astray).

Your network is not secure. The problem is that while you allow fast and
convenient communication, you also want to make sure it is used only with
good, non-malicious intent. It is the equivalent of being in a crowded
theatre where you are allowed to talk loudly, but not to shout "Fire!".
This HOWTO is not going to solve that problem.

So, only you can decide where the compromise lies. I will try to guide you
in using some of the available tools, and point out the weak spots to watch
for, in the hope, of course, that you use them for good. Another equivalent
problem.

2. Where Is The Official Web Site, And Is There A Mailing List?

There are three official sites that you should not miss:

   * Thanks to [1] Filewatcher (http://netfilter.filewatcher.org).
   * Thanks to [2] The Samba Team and SGI (http://www.samba.org/netfilter).
   * Thanks to [3] Jim Pick (http://netfilter.kernelnotes.org).

For the official netfilter mailing list, see [4] Samba's Listserver
(http://lists.samba.org).

3.
So What Is A Packet Filter?

A packet filter is a piece of software which looks at the header of packets
as they pass through, and from that decides the fate of the entire packet.
It might decide to DROP the packet (i.e. ignore it as if it had never been
received), to ACCEPT the packet (i.e. let the packet go through), or to do
something more complicated.

Under Linux, packet filtering is built into the kernel (as a kernel module,
or built right in), and there are a few trickier things we can do with
packets, but the usual approach is still to look at the headers and decide
the fate of the packet.

3.1 Why Would I Want To Packet Filter?

In short: control, security, watchfulness.

Control:
    When you use your Linux box to connect your internal network to another
    network (say, the Internet), you have the opportunity to allow certain
    types of traffic and forbid others. For example, the header of a packet
    contains the packet's destination address, so you can prevent packets
    going to a certain part of the outside network. As another example, I
    use Netscape to connect to the Dilbert archives; there are advertisements
    from doubleclick.net on that page, and Netscape wastes my time
    downloading them. Simply having the packet filter refuse any packets
    from doubleclick.net solves that problem (there are, of course, better
    ways of doing this; see Junkbuster).

Security:
    When your Linux box is the only gateway between your nice, orderly
    internal network and the utter chaos of the Internet, it is nice to know
    that you can restrict what comes tromping in your door. For example, you
    might allow anything to go out from your internal network, but worry
    about the notorious 'Ping of Death' from outside. As another example,
    you might not want outsiders telnetting to your Linux box, even though
    all the accounts have passwords. Or maybe you want (like most people) to
    be an observer on the Internet and not a server (or maybe you are willing
    to be one); the simplest thing is to use packet filtering to refuse any
    packet that tries to make a connection, so that nobody can connect in.

Watchfulness:
    Sometimes a badly configured machine will spew packets from the local
    network to the outside world. The good news is that you can have the
    packet filter tell you whether anything abnormal is happening. Maybe you
    will do something about it, or maybe you are already used to such things.

3.2 How Do I Packet Filter Under Linux?

Linux kernels have had packet filtering since version 1.1. The first
generation was ported from BSD's ipfw by Alan Cox in 1994; it was then
enhanced by Jos Vos for Linux 2.0, with the userspace (*) tool 'ipfwadm'
controlling the kernel's filtering rules. In mid-1998, with a great deal of
help from Michael Neuling, I put considerable effort into the Linux 2.2
kernel and produced the 'ipchains' tool. Finally, the fourth-generation
tool, 'iptables', for the Linux 2.4 kernel, was developed in mid-1999 along
with another kernel rewrite.
That is what this iptables HOWTO is about.

(* Translator's note: "userspace" is normally used to distinguish the
regions of system memory, the main types being kernel space and user space.
The original author may have assumed that every reader is a programming
expert, hence the use of such specialised terminology; for the ordinary
reader it may be hard to follow, so I add a couple of words here. Please
keep this in mind in the reading that follows.)

You need a kernel which has the netfilter infrastructure in it: netfilter is
a general framework inside the Linux kernel which other things (such as the
iptables module) can plug into. In other words, you need kernel 2.3.15 or a
newer version, and you must answer 'Y' to the CONFIG_NETFILTER option when
you compile the kernel.

The iptables tool talks to the kernel and tells it which packets to filter.
Unless you are a programmer, or overly curious, this is how you will control
the way packets are filtered.

iptables

The iptables tool inserts and deletes rules from the kernel's packet
filtering table. This means that whatever you set up is lost on reboot; see
[5] Making Rules Permanent to find out how to make sure the setup is
restored the next time Linux boots.

iptables is a replacement for ipfwadm and ipchains: see [6] Using ipchains
and ipfwadm to find out how to painlessly avoid using iptables if you are
currently using one of those two.

Making Rules Permanent

Your current firewall setup is stored in the kernel, and precisely because
of that it is lost when the system reboots. Writing iptables-save and
iptables-restore (*) is currently on the TODO list. I promise they will be
really cool when they arrive.

(* Translator's note: with the ipchains tool, ipchains-save and
ipchains-restore can be used to save the current firewall setup and to
restore it. Readers who have never used those two ipchains features may not
know what the author is referring to.)

For the moment, put the commands needed to set up your rules into an
initialisation script. Be sure to do something intelligent if one of the
commands fails (usually 'exec /sbin/sulogin').

4.
Who The Hell Are You, And Why Are You Playing With My Kernel?

I'm Rusty; I'm the maintainer of the Linux IP firewall, and I also do some
other programming work; call it being in the right place at the right time.
I wrote ipchains (see [7] How Do I Packet Filter Under Linux? above for who
did the real work), and learnt enough from it to get packet filtering right
this time. I hope.

[8] WatchGuard, an excellent firewall company that sells a really nice
plug-in firewall appliance (the Firebox), offered to pay me to do nothing but
write this stuff and maintain the old stuff. I originally estimated it would
take 6 months, but it actually took 12, though I feel that I did it fairly
well in the final stages. After many rewrites, a disk crash, a stolen
laptop, several corrupted file systems and a dead monitor, it was finally
done.

Here I would like to clear up a misconception some friends have: I am not a
kernel expert. I know what I know because some kernel work put me in touch
with a few of its members: David S. Miller, Alexey Kuznetsov, Andi Kleen,
Alan Cox. They have already gnawed through the hard bones (the difficult
parts); only the tofu (the safe and easy parts) was left for me to pick up.

5. Rusty's Really Quick Guide To Packet Filtering

Most people have a single PPP dial-up connection to the Internet, and do not
want anyone coming into their network, or their firewall:

    ## Insert connection-tracking modules (not needed if built into kernel).
    # insmod ip_conntrack
    # insmod ip_conntrack_ftp

    ## Create chain which blocks new connections, except if coming from inside.
    # iptables -N block
    # iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
    # iptables -A block -m state --state NEW -i ! ppp0 -j ACCEPT
    # iptables -A block -j DROP

    ## Jump to that chain from INPUT and FORWARD chains.
    # iptables -A INPUT -j block
    # iptables -A FORWARD -j block

6.
How Packets Traverse The Filters

The kernel starts with three lists of rules in the 'filter' table; these
lists are called firewall chains, or just chains. The three chains are
called INPUT, OUTPUT and FORWARD. This is very different from the 2.0 and
2.2 kernels!

For ASCII-art fans, the chains are arranged like so:

                         _____
    Incoming            /     \         Outgoing
           -->[Routing ]--->|FORWARD|------->
              [Decision]    \_____/        ^
                   |                       |
                   v                    ____
                  ___                  /    \
                 /   \                |OUTPUT|
                |INPUT|                \____/
                 \___/                     ^
                   |                       |
                    ----> Local Process ----

The three circles represent the three chains mentioned above. When a packet
reaches one of the circles in the diagram, that chain is examined to decide
the fate of the packet. If the chain says to DROP the packet, it is killed
there and then; but if the chain says to ACCEPT the packet, it continues on
its way through the diagram.

A chain is simply a checklist of rules. Each rule says "if the packet header
looks like this, then here is what to do with the packet". If the rule does
not match the packet, the next rule in the chain is consulted. Finally, if
there are no more rules to consult, the kernel looks at the chain's policy
to decide what to do. In a security-conscious system, the policy usually
tells the kernel to DROP the packet.

   1. When a packet comes in (say, through the Ethernet card), the kernel
      first looks at the destination of the packet: this is called
      'routing'.

   2. If it is destined for this box, the packet passes downwards in the
      diagram to the INPUT chain. If it gets through, the processes waiting
      for the packet receive it.

   3. Otherwise, if the kernel does not have forwarding enabled, or it does
      not know how to forward the packet, the packet is dropped. If
      forwarding is enabled, and the packet is destined for another network
      interface (if you have another one), then the packet goes rightwards in
      the diagram to the FORWARD chain. If it is ACCEPTed, it is sent out.

   4. Finally, a program running on the box can send network packets. These
      packets go straight to the OUTPUT chain: if it says ACCEPT, the packet
      continues out to whatever interface it is destined for.

7. Using iptables

If you need specific details, iptables has a fairly detailed manual page
(man iptables). If you are familiar with ipchains, you may want to skip
straight to [9] Differences Between iptables and ipchains; they are very
similar.

There are many different things you can do with iptables. The three
built-in chains you start with, INPUT, OUTPUT and FORWARD, cannot be
deleted. Let's look at the operations for managing whole chains:

   1.
Create a new chain (-N).
   2. Delete an empty chain (-X).
   3. Change the policy of a built-in chain (-P).
   4. List the rules in a chain (-L).
   5. Flush all the rules out of a chain (-F).
   6. Zero the packet and byte counters on all rules in a chain (-Z).

There are several ways to manipulate the rules inside a chain:

   1. Append a new rule to a chain (-A).
   2. Insert a new rule at some position in a chain (-I).
   3. Replace a rule at some position in a chain (-R).
   4. Delete a rule at some position in a chain (-D).
   5. Delete the first rule that matches in a chain (-D).

7.1 What You'll See When Your Computer Starts Up

iptables can be built as a module, called `iptable_filter.o', which is
loaded automatically the first time you run iptables. It can also be built
permanently into the kernel.

Before any iptables commands have been run (careful: some distributions may
run iptables from their initialisation scripts), the built-in chains
(`INPUT', `FORWARD' and `OUTPUT') carry no rules, and every chain has its
policy set to ACCEPT. You can change the default FORWARD chain policy by
setting the iptable_filter module option `forward=0'.

7.2 Operations On A Single Rule

Now let's get some practice with manipulating rules; practice makes perfect,
as they say. The commands you will use most often are probably append (-A)
and delete (-D). The others, insert (-I) and replace (-R), are simple
extensions of these concepts.

Each rule specifies a set of conditions the packet must meet, and what to do
if it meets them (a `target'). For example, you might want to drop all ICMP
packets coming from the IP address 127.0.0.1. So our conditions here are:
the protocol must be ICMP and the source address must be 127.0.0.1, and our
target will be `DROP'.

127.0.0.1 is the `loopback' interface, which you have even if you have no
real network connection. You can use the `ping' program to generate such
packets (it simply sends an ICMP type 8 (echo request) packet, to which all
cooperative hosts should obligingly respond with an ICMP type 0 (echo reply)
packet). This makes it useful for testing.

    # ping -c 1 127.0.0.1
    PING 127.0.0.1 (127.0.0.1): 56 data bytes
    64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.2 ms

    --- 127.0.0.1 ping statistics ---
    1 packets transmitted, 1 packets received, 0% packet loss
    round-trip min/avg/max = 0.2/0.2/0.2 ms
    # iptables -A INPUT -s 127.0.0.1 -p icmp -j DROP
    # ping -c 1 127.0.0.1
    PING 127.0.0.1 (127.0.0.1): 56 data bytes

    --- 127.0.0.1 ping statistics ---
    1 packets transmitted, 0 packets received, 100% packet loss
    #

Here you can see that the first ping succeeds (the `-c 1' tells ping to
send only a single packet). Then we append (-A) a rule to the `INPUT' chain
specifying that packets from 127.0.0.1 (`-s 127.0.0.1') of protocol ICMP
(`-p icmp') should be sent to the DROP target (`-j DROP'). Then we test our
rule with a second ping. There is a pause before the program gives up
waiting for a response that will never come.

We can delete the rule in one of two ways. First, since we know that it is
the only rule in the INPUT chain, we can delete it by number, like so:

    # iptables -D INPUT 1
    #

This deletes rule number 1 in the INPUT chain.

The second way is to mirror the -A command above, but replace the -A with
-D. This is useful when you have a chain containing complex rules and you
don't want to count through them to find out that it is rule 37 that you
want to get rid of.

    # iptables -D INPUT -s 127.0.0.1 -p icmp -j DROP
    #

The syntax of -D must have exactly the same options as the -A (or -I, or
-R) command. If there are several identical rules in the same chain, only
the first will be deleted.

7.3 Filtering Specifications

We have seen the use of `-p' to specify the protocol, and `-s' to specify
the source address, but there are other options we can use to specify the
characteristics of a packet. What follows is a complete overview.

Specifying Source and Destination IP Addresses

Source (`-s', `--source' or `--src') and destination (`-d',
`--destination' or `--dst') IP addresses can be specified in four ways. The
most common way is to use the full name, such as `localhost' or
`www.linuxhq.com'. The second way is to specify the IP address, such as
`127.0.0.1'.

The third and fourth ways allow you to specify a group of IP addresses, such
as `199.95.207.0/24' or `199.95.207.0/255.255.255.0'. Both of these specify
every IP address from 199.95.207.0 to 199.95.207.255 inclusive; the digits
after the `/' tell the kernel which part of the IP address is significant.
`/32' or `/255.255.255.255' is the default (every bit of the IP address
must match). It is also possible to specify any IP address at all with
`/0', like so:

    [ NOTE: `-s 0/0' is redundant here. ]
    # iptables -A INPUT -s 0/0 -j DROP
    #

This is rarely used, because the effect above is identical to not
specifying `-s' at all.

Specifying Inversion

Many flags, including `-s' (or `--source') and `-d' (or `--destination'),
can have their arguments preceded by `!' (pronounced `not') to match
addresses NOT equal to the ones given. For example, `-s ! localhost'
matches every packet not coming from localhost.
Specifying Protocol

The protocol can be specified with the `-p' (or `--protocol') flag. The
protocol can be a number (if you know the numeric protocol values for IP),
or a name such as `TCP', `UDP' or `ICMP'. Case does not matter, so `tcp'
works as well as `TCP'.

The protocol name can also be prefixed with `!' to invert it; for example,
`-p ! TCP' specifies every packet that is not TCP.

Specifying an Interface

The `-i' (or `--in-interface') and `-o' (or `--out-interface') options
specify the name of an interface to match. An interface is the physical
device the packet came in on (`-i') or is going out on (`-o'). You can use
the ifconfig command to list the interfaces that are `up'.

Packets traversing the INPUT chain have no output interface, so any rule in
that chain using `-o' will never match. Similarly, packets traversing the
OUTPUT chain have no input interface, so any rule in that chain using `-i'
will never match. Only packets traversing the FORWARD chain have both an
input and an output interface.

It is perfectly legal to specify an interface that does not currently
exist; the rule simply will not match anything until the interface comes
up. This is extremely useful for PPP dial-up (usually ppp0) and similar
links.

As a special case, an interface name ending in `+' matches every interface
(whether it currently exists or not) whose name begins with that string.
For example, to specify a rule that matches every PPP interface, the option
-i ppp+ can be used.

The interface name can be preceded by `!' to match a packet that does NOT
match the specified interface.

Specifying Fragments

Sometimes a packet is too large to fit down a wire all at once. When this
happens, the packet is divided into fragments, which are sent as multiple
packets. The other end reassembles the fragments to reconstruct the whole
packet.

The problem with fragments is that the initial fragment carries the complete
header fields (IP + TCP, UDP or ICMP) to examine, but subsequent packets
carry only a subset of the header (IP without the additional protocol
fields). It is therefore impossible to examine the protocol headers (as the
TCP, UDP and ICMP extensions do) of subsequent fragments.

If you are doing connection tracking or NAT, every fragment is merged back
together before it reaches the packet filtering code, so you need not worry
about fragments at all.

Otherwise, it is important to understand how fragments are treated by the
filtering rules. Any rule that asks for information we do not have is
treated as NOT matching. This means that the first fragment is treated like
any other packet, but the second and further fragments are not. Thus a rule
-p TCP --sport www (specifying a source port of `www') will never match a
fragment (other than the first fragment). Neither will the opposite rule,
-p TCP --sport ! www.
However, you can specify a rule specifically for the second and further
fragments with the `-f' (or `--fragment') flag. It is also legal to specify
a rule that does NOT apply to second and further fragments by preceding
`-f' with `!'.

Usually it is regarded as safe to let second and further fragments through,
since filtering the first fragment is enough to prevent reassembly on the
target host; however, bugs have been known that make it easy to crash a
host simply by sending it fragments. That is for you to deal with.

Note for network-heads: malformed packets (TCP, UDP and ICMP packets too
short for the firewalling code to read the ports or the ICMP code and type)
are dropped when such examinations are attempted. So are TCP fragments
starting at position 8 (*).

(* Translator's note: I am not entirely sure what the author is referring to
here; the original reads 'So are TCP fragments starting at position 8'.
Being too lazy to look it up, I don't know whether position 8 refers to the
position in the TCP header or to something else. If you find the answer,
please write to me so that I can clarify it.)

As an example, the following rule drops any fragment going to 192.168.1.1:

    # iptables -A OUTPUT -f -d 192.168.1.1 -j DROP
    #

iptables Extensions: New Matches

iptables is extensible, meaning that both the kernel and the iptables tool
can be extended to provide new features.

Some of these extensions are standard, while others can be described as
exotic. Other people may produce extensions and distribute them to suitable
users.

Kernel extensions normally live in the kernel module directory, such as
/lib/modules/2.3.15/net. If your kernel was compiled with CONFIG_KMOD set,
they are demand-loaded, so you do not need to insert them by hand.

Extensions to the iptables program, however, are shared libraries which
usually live in /usr/local/lib/iptables/, although some distributions put
them in /lib/iptables or /usr/lib/iptables.

Extensions come in two types: new targets and new matches (new targets are
covered further below). Some protocols automatically provide new tests:
currently TCP, UDP and ICMP, as described below.

Using the `-p' option on the command line loads the extension, so you can
specify a new test. Where an extension's options permit it, loading the
extension explicitly with `-m' also lets you specify a new test.

To get help on an extension, use the option that loads it (`-p', `-j' or
`-m') followed by `-h' or `--help', for example:

    # iptables -p tcp --help
    #

TCP Extensions

The TCP extension is automatically loaded if `-p tcp' is specified. It
provides the following options (none of which match fragments):
--tcp-flags
    Followed by an optional `!', then two strings of flags, which let you
    filter on the specified TCP flags. The first string is the mask: a list
    of the flags you want to examine. The second string says which of them
    should be set. For example:

        # iptables -A INPUT --protocol tcp --tcp-flags ALL SYN,ACK -j DROP

    This says that every flag should be examined (`ALL' is synonymous with
    `SYN,ACK,FIN,RST,URG,PSH'), but only SYN and ACK should be set. There is
    also an argument `NONE', meaning no flags.

--syn
    Shorthand for `--tcp-flags SYN,RST,ACK SYN'; it may be preceded by an
    optional `!'.

--source-port
    Followed by an optional `!', then either a single TCP port or a range of
    ports. Ports can be port names as listed in /etc/services, or numeric. A
    range is either two port names separated by a `:', or (to specify
    greater than or equal to a given port) a port followed by `:', or (to
    specify less than or equal to a given port) a port preceded by `:'.

--sport
    Synonymous with `--source-port'.

--destination-port and --dport
    The same as above, except they specify the destination port rather than
    the source port to match.

--tcp-option
    Followed by an optional `!' and a number, matches a packet with a TCP
    option equal to that number. A packet with an incomplete TCP header is
    dropped automatically if an examination of its TCP options is attempted.

An Explanation of TCP Flags

It is sometimes useful to allow TCP connections in one direction, but not
the other. For example, you might want to allow connections to an external
WWW server, but not connections from that server.

The naive approach would be to block TCP packets coming from the server.
Unfortunately, TCP connections require packets to travel in both
directions.

The solution is to block only the packets that request a connection. These
packets are called SYN packets (well, technically they are packets with the
SYN flag set and the FIN and ACK flags cleared, but we call them SYN packets
for short). By disallowing only those packets, we can stop attempted
connections from outside.

The `--syn' flag is used for this: it is only valid for rules which specify
TCP as their protocol. For example, to specify TCP connection attempts from
192.168.1.1:

    -p TCP -s 192.168.1.1 --syn

This flag can be inverted by preceding it with a `!', which then means every
packet other than a connection initiation.

UDP Extensions

These extensions are automatically loaded if `-p udp' is specified. They
provide the options `--source-port', `--sport', `--destination-port' and
`--dport', as detailed for TCP above.

ICMP Extensions

This extension is automatically loaded if `-p icmp' is specified. It
provides only one new option:
--icmp-type
    Followed by an optional `!', then either an ICMP type name (such as
    `host-unreachable'), a numeric type (such as `3'), or a numeric type and
    code separated by `/' (such as `3/3'). A list of available ICMP type
    names is given by `-p icmp --help'.

Other Match Extensions

The other extensions in the netfilter package are demonstration extensions,
which (if installed) can be invoked with the `-m' option.

mac
    This module must be specified explicitly with `-m mac' or `--match
    mac'. It matches the source Ethernet (MAC) address of incoming packets,
    and is therefore only useful for packets traversing the PREROUTING and
    INPUT chains. It provides only one option:

    --mac-source
        Followed by an optional `!', then an Ethernet address in
        colon-separated hexadecimal, such as
        `--mac-source 00:60:08:91:CC:B7'.

limit
    This module must be specified explicitly with `-m limit' or `--match
    limit'. It is used to restrict the rate of matches, such as for
    suppressing log messages. It matches only a given number of times per
    second (by default 3 matches per hour, with a burst of 5). It takes two
    optional arguments:

    --limit
        Followed by a number; specifies the maximum average number of
        matches to allow per second. The number can specify the unit
        explicitly, using `/second', `/minute', `/hour' or `/day', or parts
        of them (so `5/second' is the same as `5/s').

    --limit-burst
        Followed by a number, indicating the maximum burst before the above
        limit kicks in.

    This match is often used with the LOG target to do rate-limited logging.
    To understand how it works, let's look at the following rule, which logs
    packets with the default limit parameters:

        # iptables -A FORWARD -m limit -j LOG

    The first time this rule is reached, the packet is logged; in fact, since
    the default burst is 5, the first five packets are logged. After that,
    it is twenty minutes before a packet is logged by this rule, regardless
    of how many packets reach it in the meantime. Also, every twenty minutes
    that pass without a matching packet, one of the burst is regained; if no
    packets hit the rule for 100 minutes, the burst is fully recharged, back
    to where we started.

    Note: you cannot currently create a rule with a recharge time greater
    than 59 hours, so if you set an average rate of one per day, your burst
    rate must be less than 3.

    You can also use this module to avoid various denial-of-service attacks
    (DoS) with a faster rate that increases responsiveness.

    Syn-flood protection:

        # iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT

    Furtive port scanner:

        # iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

    Ping of death:

        # iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
    This module works a bit like a "throttle valve", as shown in the
    following figure.

            rate (pkt/s)
                 ^        .---.
                 |       / DoS \
                 |      /       \
    Edge of DoS -|.....:.........\.......................
     = (limit *  |    /:           \
    limit-burst) |   / :            \         .-.
                 |  /  :             \       /   \
                 | /   :              \     /     \
    End of DoS  -|/....:..............:.../.......\..../.
     = limit     |     :              :`-'         `--'
    -------------+-----+--------------+------------------> time (s)
       LOGIC =>  Match | Didn't Match |    Match

    Say, for example, we match one packet per second with a burst of five
    packets, but packets start coming in at four per second for three
    seconds, then stop for three seconds, then start again.

            <--Flood 1-->           <---Flood 2--->

    Total  ^                   Line  __--      YNNN
    Packets|               Rate  __--     YNNN
           |            mum  __--    YNNN
        10 |        Maxi __--       Y
           |            __--       Y
           |        __--          Y
           |    __--  YNNN
           |- YNNN
         5 |  Y
           | Y                               Key:  Y -> Matched Rule
           | Y                                     N -> Didn't Match Rule
           |Y
         0 +--------------------------------------------------> Time (seconds)
            0   1   2   3   4   5   6   7   8   9  10  11  12

    You can see that the first five packets are allowed to exceed one packet
    per second, and then the limiting kicks in. If there is a pause, another
    burst is allowed, but not beyond the maximum rate set by the rule (one
    packet per second once the burst has been used up).

owner
    This module attempts to match various characteristics of the packet
    creator, for locally-generated packets. It is only valid in the OUTPUT
    chain, and even then some packets (such as ICMP ping responses) may have
    no owner, and hence never match.

    --uid-owner userid
        Matches if the packet was created by a process with the given
        effective (numeric) user id.

    --gid-owner groupid
        Matches if the packet was created by a process with the given
        effective (numeric) group id.

    --pid-owner processid
        Matches if the packet was created by a process with the given
        process id.

    --sid-owner sessionid
        Matches if the packet was created by a process in the given session
        group.

unclean
    This experimental module must be specified explicitly with `-m unclean'
    or `--match unclean'. It does various random sanity checks on packets.
    This module has not been audited, so it should not be used on security
    devices (it will probably make things worse, since it may well have bugs
    itself). It takes no options.

The State Match

The most useful match criterion is provided by the `state' extension, which
interprets the connection-tracking analysis of the `ip_conntrack' module.
This is strongly encouraged.
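The `limit' match described above is a token bucket: the bucket starts with `--limit-burst' tokens, tokens are replaced at the `--limit' rate, and a packet matches only while a token is available. The following is an added illustration written for this page, not code from the HOWTO or from netfilter; it replays the scenario of the two figures (1/s with a burst of 5, packets at four per second for three seconds, a three-second pause, then again) and the default 3/hour, burst 5 behaviour of `-m limit -j LOG'. The rate parser accepts the `/second', `/minute', `/hour' and `/day' units and their abbreviations as the text lists them; treating a bare number as per second is an assumption of this example.

```python
# Token-bucket model of the iptables `limit' match. Constructed example:
# this is not netfilter's code, only a model of the behaviour the HOWTO
# describes (a burst of tokens that refills at the average rate).
from fractions import Fraction

UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def parse_rate(spec):
    """Turn '5/second', '5/s', '3/hour', '1/day' into matches per second.

    Fractions keep the arithmetic exact (3/hour is 1/1200 per second).
    A bare number with no unit is treated as per second (assumption).
    """
    count, _, unit = spec.partition("/")
    unit = unit.strip() or "second"
    for name, seconds in UNIT_SECONDS.items():
        if name.startswith(unit):
            return Fraction(int(count), seconds)
    raise ValueError(f"unknown unit in {spec!r}")


class LimitMatch:
    """One `-m limit --limit RATE --limit-burst BURST' instance."""

    def __init__(self, limit="3/hour", burst=5):   # the documented defaults
        self.rate = parse_rate(limit)   # tokens added per second
        self.burst = Fraction(burst)    # bucket capacity
        self.tokens = self.burst        # bucket starts full
        self.last = Fraction(0)         # time of the previous packet

    def match(self, now):
        """True if a packet arriving at time `now' (seconds) matches."""
        now = Fraction(now)
        refill = (now - self.last) * self.rate
        self.tokens = min(self.burst, self.tokens + refill)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def simulate(arrivals, limit, burst):
    """Return a string of Y/N verdicts, one per arrival time (seconds)."""
    m = LimitMatch(limit, burst)
    return "".join("Y" if m.match(t) else "N" for t in arrivals)


def flood_pattern():
    """The HOWTO's second figure: --limit 1/s --limit-burst 5, packets at
    four per second for three seconds, three seconds of silence, then again."""
    flood1 = [Fraction(i, 4) for i in range(12)]        # t = 0.00 .. 2.75
    flood2 = [6 + Fraction(i, 4) for i in range(12)]    # t = 6.00 .. 8.75
    return simulate(flood1 + flood2, "1/second", 5)


def default_log_pattern():
    """`iptables -A FORWARD -m limit -j LOG' with the defaults: the first
    five packets are logged, the sixth is not, and one more is logged when
    a token has been regained twenty minutes later."""
    arrivals = [0, 0, 0, 0, 0, 0, 20 * 60]
    return simulate(arrivals, "3/hour", 5)


if __name__ == "__main__":
    print("flood:", flood_pattern())        # YYYYYYNNYNNNYYYYYNNNYNNN
    print("LOG  :", default_log_pattern())  # YYYYYNY
```

Because the bucket refills continuously rather than once per second, the first flood gets six matches through before the one-per-second regime takes over, and the three-second pause only earns back three tokens, so the second flood gets a smaller burst; that is the "Edge of DoS" to "End of DoS" slope in the first figure.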
Specifying `-m state' allows an additional `--state' option, which is a
comma-separated list of states to match (the `!' flag indicates NOT to
match those states). These states are:

NEW
    A packet which creates a new connection.

ESTABLISHED
    A packet which belongs to an existing connection (i.e. a reply packet
    has already been seen).

RELATED
    A packet which is related to, but not part of, an existing connection,
    such as an ICMP error, or (with the FTP module inserted) a packet
    establishing an FTP data connection.

INVALID
    A packet which could not be identified for some reason: this includes
    running out of memory and ICMP errors which do not correspond to any
    known connection. Generally these packets should be dropped.

7.4 Target Specifications

Now we know what examinations we can do on a packet, we need a way of
saying what to do with a packet that matches our tests. This is called a
rule's target.

There are two very similar built-in targets, DROP and ACCEPT, which we have
already met. If a rule matches a packet and its target is one of these two,
no further rules are consulted: the fate of the packet has been decided.

Beyond the built-in ones, there are two other kinds of target: extensions
and user-defined chains.

User-defined Chains

One powerful feature that iptables inherits from ipchains is the ability of
the user to create new chains, in addition to the three built-in ones
(INPUT, FORWARD and OUTPUT). By convention, user-defined chains are named in
lower case to distinguish them (we will describe how to create new
user-defined chains below in [10] Operations on an Entire Chain).

When a packet matches a rule whose target is a user-defined chain, the
packet begins traversing the rules in that user-defined chain. If that chain
does not decide the fate of the packet, then once traversal of that chain
has finished, traversal resumes at the next rule in the current chain.

Time for more ASCII art. Consider two (silly) chains: INPUT (the built-in
chain) and test (a user-defined chain).

         `INPUT'                         `test'
        ----------------------------    ----------------------------
        | Rule1: -p ICMP -j DROP   |    | Rule1: -s 192.168.1.1    |
        |--------------------------|    |--------------------------|
        | Rule2: -p TCP -j test    |    | Rule2: -d 192.168.1.1    |
        |--------------------------|    ----------------------------
        | Rule3: -p UDP -j DROP    |
        ----------------------------

Consider a TCP packet coming from 192.168.1.1, going to 1.2.3.4. It enters
the INPUT chain and gets tested against Rule1: no match. Rule2 matches, and
its target is test, so the next rule examined is the start of test. Rule1 in
test matches, but does not specify a target, so the next rule is examined,
Rule2. This does not match, so we have reached the end of the chain. We
return to the INPUT chain, where we had just examined Rule2, so we now
examine Rule3, which still does not match.
So the packet path is:

                                        v    __________________________
                 `INPUT'                |   /    `test'                v
                ------------------------|--/    -----------------------|----
                | Rule1                 | /|    | Rule1                |   |
                |-----------------------|/-|    |----------------------|---|
                | Rule2                 /  |    | Rule2                |   |
                |--------------------------|    -----------------------v----
                | Rule3                 /--+___________________________/
                ------------------------|---
                                        v

User-defined chains can jump to other user-defined chains (but do not make
loops: your packets will be dropped if they are found to be in a loop).

iptables Extensions: New Targets

The other type of target is an extension. A target extension consists of a
kernel module and an optional extension to iptables to provide new
command-line options. There are several extensions in the default netfilter
distribution:

LOG
    This module provides kernel logging of matching packets. It provides
    these additional options:

    --log-level
        Followed by a level number or name. Valid names are (case-sensitive)
        `debug', `info', `notice', `warning', `err', `crit', `alert' and
        `emerg', corresponding to the numbers 7 through 0. See the man page
        for syslog.conf for an explanation of the level numbers.

    --log-prefix
        Followed by a string of up to 30 characters. This message is sent at
        the start of the log message, so that it can be identified
        individually.

    This module is most useful after a `limit' match, so you do not flood
    your logs.

REJECT
    This module has the same effect as `DROP', except that the sender is
    sent an ICMP `port unreachable' error message. Note that the ICMP error
    message is not sent in the following cases (see RFC 1122):

      + The packet being filtered was an ICMP error message in the first
        place, or some unknown ICMP type.
      + The packet being filtered was a non-head fragment.
      + We have sent too many ICMP error messages to that destination
        recently.

    REJECT also takes a `--reject-with' optional argument which alters the
    reply packet used: see the manual page.

Special Built-In Targets

There are two special built-in targets: RETURN and QUEUE.

RETURN has the same effect as falling off the end of a chain: for a rule in
a built-in chain, the policy of the chain is applied. For a rule in a
user-defined chain, traversal continues at the previous chain, just after
the rule which jumped to this chain.

QUEUE is a special target which queues the packet for userspace processing.
For this to be useful, two further components are required:

    * a "queue handler", which deals with the actual mechanics of passing
      packets between the kernel and userspace; and
    * a userspace application to receive, possibly manipulate, and issue
      verdicts on packets.

The standard queue handler for IPv4 iptables is the ip_queue module, which
is currently distributed with the kernel as an experimental feature.
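The traversal rules spelled out in section 6, under `User-defined Chains' and under RETURN above can be captured in a small simulator, given here as an added example rather than as iptables or kernel code. Rules carry the three conditions the ASCII-art example uses (-p, -s, -d) and a target that is ACCEPT, DROP, RETURN, a user-defined chain, or none (count only); falling off the end of a user-defined chain resumes in the calling chain, falling off the end of a built-in chain applies its policy, and a packet that re-enters a chain already being traversed is dropped, as the text says for loops. The packet fields and the extra chain names in the demo are constructed for this example.

```python
# Simulator of filter-table chain traversal as the HOWTO describes it.
# Constructed example: not kernel or iptables code. Packets are plain
# dicts with the three fields the ASCII-art example uses.
from dataclasses import dataclass, field
from typing import Optional

BUILTIN = ("INPUT", "FORWARD", "OUTPUT")
TERMINAL = ("ACCEPT", "DROP")


@dataclass
class Rule:
    """Conditions (None = any) plus a target (None = just count the match)."""
    proto: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    target: Optional[str] = None

    def matches(self, pkt):
        wanted = (("proto", self.proto), ("src", self.src), ("dst", self.dst))
        return all(want is None or want.upper() == pkt[key].upper()
                   for key, want in wanted)


@dataclass
class FilterTable:
    chains: dict = field(default_factory=lambda: {c: [] for c in BUILTIN})
    policy: dict = field(default_factory=lambda: {c: "ACCEPT" for c in BUILTIN})

    def new_chain(self, name):             # like iptables -N
        if name in self.chains:
            raise ValueError(f"chain {name!r} already exists")
        self.chains[name] = []

    def append(self, chain, rule):         # like iptables -A
        self.chains[chain].append(rule)

    def set_policy(self, chain, verdict):  # like iptables -P (built-ins only)
        if chain not in BUILTIN or verdict not in TERMINAL:
            raise ValueError("policy is ACCEPT or DROP on a built-in chain")
        self.policy[chain] = verdict

    def run(self, chain, pkt):
        """Feed a packet into a built-in chain; return (verdict, trace)."""
        trace = []
        return self._traverse(chain, pkt, trace, []), trace

    def _traverse(self, chain, pkt, trace, stack):
        if chain in stack:                 # jumped back into a chain in progress
            trace.append(f"{chain}: loop, DROP")
            return "DROP"
        stack.append(chain)
        for i, rule in enumerate(self.chains[chain], 1):
            if not rule.matches(pkt):
                trace.append(f"{chain}:{i} no")
                continue
            t = rule.target
            trace.append(f"{chain}:{i} MATCH" + (f" -> {t}" if t else ""))
            if t is None:
                continue                   # counted only, keep going
            if t in TERMINAL:
                return t                   # fate decided, stop everywhere
            if t == "RETURN":
                break                      # behave as if the chain ended here
            verdict = self._traverse(t, pkt, trace, stack)
            if verdict is not None:
                return verdict             # the user chain decided
        stack.pop()
        if chain in BUILTIN:
            trace.append(f"{chain}: end, policy {self.policy[chain]}")
            return self.policy[chain]
        trace.append(f"{chain}: end, back to {stack[-1]}")
        return None                        # resume after the jumping rule


def page_example():
    """The INPUT and test chains from the ASCII-art example."""
    fw = FilterTable()
    fw.new_chain("test")
    fw.append("INPUT", Rule(proto="ICMP", target="DROP"))
    fw.append("INPUT", Rule(proto="TCP", target="test"))
    fw.append("INPUT", Rule(proto="UDP", target="DROP"))
    fw.append("test", Rule(src="192.168.1.1"))
    fw.append("test", Rule(dst="192.168.1.1"))
    return fw


def loop_example():
    """Two constructed user chains that jump to each other."""
    fw = FilterTable()
    fw.new_chain("a")
    fw.new_chain("b")
    fw.append("INPUT", Rule(target="a"))
    fw.append("a", Rule(target="b"))
    fw.append("b", Rule(target="a"))
    return fw


if __name__ == "__main__":
    pkt = {"proto": "TCP", "src": "192.168.1.1", "dst": "1.2.3.4"}
    verdict, trace = page_example().run("INPUT", pkt)
    print(verdict)            # ACCEPT (the INPUT policy)
    print("\n".join(trace))
```

Running the TCP packet from the text through `page_example()` produces exactly the walk in the prose: INPUT:1 no, INPUT:2 jumps to test, test:1 matches without a target, test:2 no, back to INPUT:3, and finally the INPUT policy. Changing the policy with `set_policy("INPUT", "DROP")` turns the same trace into a drop, which is the "default deny" stance section 11 recommends.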
Here is a quick example of how to use iptables to queue packets for
userspace processing:

    # modprobe iptable_filter
    # modprobe ip_queue
    # iptables -A OUTPUT -p icmp -j QUEUE

With this rule, locally-generated outgoing ICMP packets (as created with,
say, ping) are passed to the ip_queue module, which then attempts to deliver
the packets to a userspace application. If no userspace application is
waiting, the packets are dropped.

To write a userspace application, use the libipq API. This is distributed
with iptables. Example code may be found in the testsuite tools (such as
redirect.c) in CVS.

The status of ip_queue may be checked via:

    /proc/net/ip_queue

The maximum length of the queue (i.e. the number of packets delivered to
userspace with no verdict yet returned) may be controlled via:

    /proc/sys/net/ipv4/ip_queue_maxlen

The default value for the maximum queue length is 1024. Once this limit is
reached, new packets are dropped until the length of the queue falls below
the limit again. Nice protocols such as TCP interpret dropped packets as
congestion, and will ideally back off when the queue fills up. However, some
experimentation may be required to determine an ideal maximum queue length
for a given situation if the default value is too small.

7.5 Operations On An Entire Chain

A very useful feature of iptables is the ability to group related rules
into chains. You can call the chains whatever you want, but I recommend
using lower-case letters to avoid confusion with the built-in chains and
targets. Chain names can be up to 31 letters long.

Creating a New Chain

Let's create a new chain. Because I am such an imaginative fellow, I'll call
it test (ha, how ironic). We use the `-N' or `--new-chain' option:

    # iptables -N test
    #

It's that simple. Now you can put rules in it as detailed above.

Deleting a Chain

Deleting a chain is just as simple, using `-X' or `--delete-chain'. Why
`-X'? Well, all the good letters were taken.

    # iptables -X test
    #

There are a couple of restrictions on deleting chains: they must be empty
(see [11] Flushing a Chain below) and they must not be the target of any
rule. You cannot delete any of the three built-in chains.

If you do not specify a chain, then ALL user-defined chains are deleted, if
possible.

Flushing a Chain

There is a simple way of emptying all the rules out of a chain, using the
`-F' (or `--flush') command.

    # iptables -F FORWARD
    #

If you do not specify a chain, then ALL chains are flushed.

Listing a Chain

You can list all the rules in a chain using the `-L' (or `--list') command.
The `refcnt' listed for each user-defined chain is the number of rules
which have that chain as their target. This must be zero (and the chain
must be empty) before the chain can be deleted.

If the chain name is omitted, all chains are listed, even empty ones.

There are three options which can accompany `-L'. The first is the `-n'
(numeric) option, which is very useful because it prevents iptables from
trying to look up IP addresses; if your DNS is not set up properly, or you
have filtered out DNS requests, this can cause serious delays (assuming,
like most people, you use DNS). It also causes TCP and UDP ports to be
printed as numbers rather than names.

The second is the `-v' option, which shows all the details of your rules,
such as the packet and byte counters, the TOS comparisons, and the
interfaces. Otherwise these values are omitted.

Note: the packet and byte counters are printed using the suffixes `K', `M'
and `G' for 1000, 1,000,000 and 1,000,000,000 respectively. Using the `-x'
(expand numbers) flag as well prints the full numbers, no matter how long
they are.

Resetting (Zeroing) Counters

It is useful to be able to reset the counters. You can do this with the
`-Z' (or `--zero') option.

The only trouble is that sometimes you need to know the counter values
immediately before they are reset. In the example above, some packets could
pass through between the `-L' and `-Z' commands. For that reason, you can
use `-L' and `-Z' together, to reset the counters while reading them.

Setting Policy

We glossed over what happens when a packet hits the end of a built-in chain
when we discussed how a packet traverses chains earlier. In this case, the
policy of the chain determines the fate of the packet. Only built-in chains
(INPUT, OUTPUT and FORWARD) have policies, because if a packet falls off the
end of a user-defined chain, traversal resumes at the previous chain.

The policy can be either ACCEPT or DROP.

8. Using ipchains And ipfwadm

There are two modules in the netfilter package called ipchains.o and
ipfwadm.o. Insert one of them into your kernel (note: they are incompatible
with iptables.o, ip_conntrack.o and ip_nat.o!). Then you can use ipchains or
ipfwadm just as before.

This will remain supported for some time. I think a reasonable formula is
2 * [ replacement release - initial stable release ], after the date the
replacement is really stable.

In other words, support for ipfwadm will end on:

    2 * [October 1997 (2.1.102 release) - March 1995 (ipfwadm 1.0)]
      + January 1999 (2.2.0 release)
      = November 2003.

and support for ipchains will end on:

    2 * [August 1999 (2.3.15 release) - October 1997 (2.2.0 release)]
      + July 2000 (2.4.0 release?)
      = March 2004.
So you can rest easy until 2004.

9. Mixing NAT And Packet Filtering

It is common to want to do Network Address Translation (see the NAT HOWTO)
and packet filtering. The good news is that they mix together perfectly
well.

You design your packet filtering completely ignoring any NAT you are doing.
The source and destination seen by the packet filter will be the `real'
source and destination. For example, if you are doing NAT to send all
connections to 1.2.3.4 port 80 to 10.1.1.1 port 8080, the packet filter
sees packets going to 10.1.1.1 port 8080 (the real destination), not
1.2.3.4 port 80. Similarly, you can ignore masquerading: packets will seem
to come from their real internal IP address (say 10.1.1.1), and replies
will seem to go back there.

You can use the `state' match extension without making the packet filter do
any extra work, since NAT requires connection tracking anyway. To enhance
the simple masquerading example in the NAT HOWTO to disallow any new
connections from the ppp0 interface, you can do this:

    # Masquerade out ppp0
    iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

    # Disallow NEW and INVALID incoming or forwarded packets from ppp0.
    iptables -A INPUT -i ppp0 -m state --state NEW,INVALID -j DROP
    iptables -A FORWARD -i ppp0 -m state --state NEW,INVALID -j DROP

    # Turn on IP forwarding
    echo 1 > /proc/sys/net/ipv4/ip_forward

10.
Differences Between iptables And ipchains

   * Firstly, the names of the built-in chains have changed from lower case
     to UPPER CASE, because the INPUT and OUTPUT chains now only get packets
     destined for the local host and generated by the local host
     respectively. They used to see all incoming and all outgoing packets.

   * The `-i' flag now means the incoming interface, and only works in the
     INPUT and FORWARD chains. Rules in the FORWARD or OUTPUT chains that
     used `-i' should be changed to `-o'.

   * TCP and UDP ports now need to be spelled out with the --source-port or
     --sport options (or, the other way round, --destination-port or
     --dport), and must be placed after the `-p tcp' or `-p udp' option,
     since the TCP and UDP extensions are loaded separately.

   * The TCP -y flag is now --syn, and must be placed after `-p tcp'.

   * The DENY target is finally DROP.

   * Zeroing single chains while listing them works.

   * Zeroing built-in chains also clears the policy counters.

   * Listing a chain gives you an atomic snapshot of the counters.

   * REJECT and LOG are now extension targets, meaning they are separate
     kernel modules.

   * Chain names can be up to 31 characters long.

   * MASQ is now MASQUERADE and uses a different syntax. REDIRECT, while
     keeping the same name, has also undergone a syntax change. See the
     NAT-HOWTO for details on how to configure them.

   * The -o option is no longer used to direct packets to a userspace
     device (see -i above). Packets are now passed to userspace via the
     QUEUE target.

   * Oh, and there is probably more that I have forgotten.

11.
Advice On Packet Filter Design

The wisest course in the arena of computer security is to block everything
first, then open up what is needed. There is a famous maxim: `No entry
unless invited'. I recommend that you keep it in mind if security is your
greatest concern.

Do not run any services you do not need, even if you think you have blocked
access to them.

If you are building a dedicated firewall, start by running nothing and
blocking all packets, then add services and let the required packets
through.

I place particular emphasis on security in depth: combine tcp-wrappers (for
connections to the packet filter itself), proxies (for connections passing
through the packet filter), route verification, and packet filtering. Route
verification means that packets arriving from an unexpected interface are
dropped: for example, if your internal network has the address range
10.1.1.0/24, and a packet with such a source address comes in from the
external interface, it is dropped. It can be enabled for a single interface
(such as ppp0) like so:

    # echo 1 > /proc/sys/net/ipv4/conf/ppp0/rp_filter
    #

or for all current and future interfaces, like so:

    # for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    #     echo 1 > $f
    # done
    #

Debian does this by default where possible. If you have asymmetric routing
(i.e. you expect packets to come in from other directions), you should
disable this filtering on those interfaces.

Logging is useful when setting up a firewall if something is not working;
but on a production firewall it should always be combined with the `limit'
match, to prevent someone from flooding your logs.

I strongly recommend connection tracking for secure systems: it introduces
some overhead, since every connection is tracked, but it is very useful for
controlling access to your network. You may need to load the
`ip_conntrack.o' module if your kernel does not load modules automatically.
If you want accurate tracking of complex protocols, you will also need to
load the appropriate helper module (e.g. `ip_conntrack_ftp.o').

    # iptables -N no-conns-from-ppp0
    # iptables -A no-conns-from-ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    # iptables -A no-conns-from-ppp0 -m state --state NEW -i ! ppp0 -j ACCEPT
    # iptables -A no-conns-from-ppp0 -i ppp0 -m limit -j LOG --log-prefix "Bad packet from ppp0:"
    # iptables -A no-conns-from-ppp0 -i ! ppp0 -m limit -j LOG --log-prefix "Bad packet not from ppp0:"
    # iptables -A no-conns-from-ppp0 -j DROP

    # iptables -A INPUT -j no-conns-from-ppp0
    # iptables -A FORWARD -j no-conns-from-ppp0

Building a good firewall is beyond the scope of this HOWTO, but my advice
is: `always be minimalist'. See the Security HOWTO for more information on
testing and probing your machine.

References

   1. http://netfilter.filewatcher.org/
   2. http://www.samba.org/netfilter
   3. http://netfilter.kernelnotes.org/
   4. http://lists.samba.org/
   5. Making Rules Permanent (this document, section 3.2)
   6. Using ipchains And ipfwadm (this document, section 8)
   7. How Do I Packet Filter Under Linux? (this document, section 3.2)
   8. http://www.watchguard.com/
   9. Differences Between iptables And ipchains (this document, section 10)
  10. Operations On An Entire Chain (this document, section 7.5)
  11. Flushing a Chain (this document, section 7.5)