Linux 2.4 Packet Filtering HOWTO
§@ªÌ¡RRusty Russell, mailing list netfilter@lists.samba.org
ĶªÌ¡Rºô¤¤¤H netmanforever@yahoo.com
v1.0.1 Mon May 1 18:09:31 CST 2000
_________________________________________________________________
¦¹¤å¥ó´yz¦p¦ó¦b 2.4 Linux kernel ¤W¨Ï¥Î iptables ¹ï¤£¨}«Ê¥]¶i¦æ¹LÂo¡C
_________________________________________________________________
1. Introduction
2. ©x¤èªººô¯¸¦bþ¸Ì¡S¦³¶l¥ó½×¾Â¶Ü¡S
3. ¦n¤F¡M¤°»ò¬O«Ê¥]¹LÂo(Packer Filter)©O¡S
* 3.1 §Ú¬°¤°»òn«Ê¥]¹LÂo¡S
* 3.2 ¦p¦ó¦b Linux ¤U¹LÂo«Ê¥]¡S
4. §Aºâþ®Ú½µ°Ú¡S¬°¦óª±§Úªº®Ö¤ß¡S
5. ¯u¥¿ªº Rusty «Ê¥]¹LÂo§Ö³t«ü«n
6. «Ê¥]¦p¦ó¬ï¶V(traverse)¹LÂo
7. ¨Ï¥Î iptables
* 7.1 ·í±zªº¾÷¾¹±Ò°Ê®É¡M±z©Ò¬Ý¨ìªº
* 7.2 ¤@Ó³æ¤@³W«hªº¹B§@
* 7.3 ¹LÂo³W®æ
* 7.4 ¥Ø¼Ð(Target)³W®æ
* 7.5 ¦b¾ãÃì¤W¹B§@
8. ¨Ï¥Î ipchains »P ipfwadm
9. ¾ã¦X NAT »P Packet Filtering
10. iptables »P ipchains ªº®t²§
11. Ãö©ó³]p«Ê¥]¹LÂoªº«Øij
_________________________________________________________________
1. Introduction
¦U¦ì¬Ý©x¡MÅwªï¨ì¦¹¤@Ū¡T
³o¸Ì¡M§Ú°²³]±z¤w¸gª¾¹D¤°»ò¬O IP ¦a§}¡Nºô¸ô¦a§}¡Nºô¸ô¾B¸n (netmask)¡N¸ô
¥Ñ¡N¥H¤Î DNS¡C§_«h¡M§Ú«Øij±z¥ýŪ¤@Ū Network Concepts HOWTO¡C
¦¹ HOWTO ¤å¥ó¤£¤î©ó¬O¤@ÓÂI¨ì§Y¤îªº¤¶²Ð(Åý±z¦³ÂIµo¼ö©Mµo¤ò¡M¦ý¤S¦×¦b¯z
¤Wªº·Pı)¡M¤]¤£¦Ü©ó¬O¤@Ó©âµ·éõ¦¡ªºì©l¤j©ÜÅS(Åý±z¥²¦³©ÒÀò¡M¦ý¤£·|¯«
¸g¿ù¶Ã¡N¨«¤õ¤JÅ])¡C
±zªººô¸ô¨ä¹ê¤@ÂI¤]¤£¦w¥þ¡C°ÝÃDÃøÂI¬O¦b¤¹³\§Ö³t¦Ó«K§Q³q°T¤§¦P®É¡M¤S·Q½T
«O¥¦¥u¥Î©ó¨}¦n¥B«D¨¸´cªº·N¹Ï¡C¨ä±¡§Îµ¥¦P©ó¦b¤@Ó¾ÖÀ½ªºÀ¸°|¸Ì±¡M¤¹³\±z
°ª½ÍÁï½×¡M¦ý«o¤£¯à¶Ã³Û¡§µÛ¤õ°Õ¡T¡¨¤@¼Ë¡C³o½g HOWTO ¤£¬O¥Î¨Ó¸Ñ¨M³o°ÝÃDªº
¡C
©Ò¥H¡M¥u¦³±z¤~¯à¨M©w¦ó³B¤~¬O§é°J©Ò¦b¡C§Ú·|¹Á¸Õ«ü¤Þ±z¥h¨Ï¥Î¤@¨Ç¥i¥Î¤u¨ã
¡M¤]·|ÂI¥Xn¯d·Nªº¦º¥Þ¡M·íµM¡M¦P®É§Æ±æ±z¥Î©ó¥¿³~¤§¤W¡C¤S¬O(»P¤W¥y)¦Pµ¥
ªº°ÝÃD¡C
2. ©x¤èªººô¯¸¦bþ¸Ì¡S¦³¶l¥ó½×¾Â¶Ü¡S
¦³¤TÓ©x¤èºô¯¸«D¥h¤£¥i:
* ·PÁÂ [1]Filewatcher (http://netfilter.filewatcher.org).
* ·PÁÂ [2]The Samba Team and SGI (http://www.samba.org/netfilter).
* ·PÁÂ [3]Jim Pick (http://netfilter.kernelnotes.org).
¦Ü©ó©x¤èªº netfilter ¶l¥ó½×¾Â¡M½Ð°Ñ¾\¡R [4]Samba's Listserver
(http://lists.samba.org).
3. ¦n¤F¡M¤°»ò¬O«Ê¥]¹LÂo(Packer Filter)©O¡S
«Ê¥]¹LÂo´N¬O¥Î¤@Ó³nÅé¬d¬Ý©Ò¬y¸g«Ê¥]¤§ªíÀY(header) ¡M¥Ñ¦¹¨M©w¾ãÓ«Ê¥]ªº
©R¹B¡C¥¦©Î³\·|¨M©w ¥á±ó(DROP) ³oÓ«Ê¥](¨Ò¦p¡M©¿²¤¥¦´N¦p®Ú¥»¨S¦¬¨ì¥¦¤@
¼Ë)¡M©Î¬O±µ¦¬(ACCEPT)³oÓ«Ê¥](¨Ò¦p¡MÅý³oÓ«Ê¥]³q¹L)¡M©Î¬O¨ä¥¦§ó½ÆÂøªº°Ê
§@¡C
¦b Linux ¤§¤U¡M«Ê¥]¹LÂo¥\¯à¬O¤º«Ø©ó®Ö¤ß¤§¤º(°µ¬°¤@Ӯ֤߼ҲաM©ÎªÌª½±µ
¤º«Ø)¡M¦P®ÉÁÙ¦³¤@¨Ç§Þ¥©§ÚÌ¥i¥H¹B¥Î©ó«Ê¥]¤§¤Wªº¡M¤£¹L³ÌºD¥Îªº¨ÌµM¬O¬d¬Ý
ªíÀY¥H¨M©w«Ê¥]ªº©R¹B¡C
3.1 §Ú¬°¤°»òn«Ê¥]¹LÂo¡S
²¦Ó¨¥¤§¡R±±¨î¡N«O¦w¡Nĵ§Ù¡C
Control:
·í±z¥Î±zªº Linux ¥D¾÷±N±zªº¤º³¡ºô¸ô³s±µ¦Ü¨ä¥¦ºô¸ô(¤ñ¤è»¡
¡Mineternet)ªº®ÉÔ¡M±z¦³¾÷·|¤¹³\¯S©wÃþ«¬ªº¥æ³q¡M¦Ó¸T¤î¨ä¥¦ªº¡C
¨Ò¦p¡M¤@Ó«Ê¥]ªºªíÀY·|¥]§t«Ê¥]ªº¥Øªº¦a¦a§}¡M©Ò¥H±z¥i¥H¨¾¤î«Ê¥]¬y
¦V¥~³¡ºô¸ôªº¬Y¤@³¡¥÷¡C¦A¦p¡M§Ú¥Î Netscape ³s½u¦Ü Dilbert
archives¡M¨ººô¶¤W¦³¤@Ó¨Ó¦Û doubleclick.net ªº¼s§i¡M³o¼Ë
Netscape ·|®ö¶O§Úªº®É¶¡¥h¤U¸ü¥¦Ì¡C¥unÅý«Ê¥]¹LÂo¾÷¨î¤£¤¹³\¥ô¦ó
¨Ó¦Ûdoubleclick.net ªº«Ê¥]¡M§ÚÌ´N¥i¥H¸Ñ¨M³oÓ°ÝÃD(·íµM¡M¦³§ó¦n
ªº¤èªk¨Ó°µ³o¥ó¨Æ±¡°Õ¡M½Ð°Ñ¦Ò Junkbuster)¡C
Security:
·í±zªº Linux ¥D¾÷¬O±z¤«µM¦³§Çªº¤º³¡ºô¸ô©M¥~±¨ºÓ²V¨PµL¤ñªº
internet ¤§¶¡ªº°ß¤@³q¹D¡M¦Ó±zª¾¹D¥i¥H¨îþ¨ÇªF¦è¤~¯à¶i¤J±zªºªù
¤á¡M¸Û¬O¤£¿ù¤§Á|§a¡C¨Ò¦p¡M±z©Î³\·|©ñ¦æ¥ô¦ó±q¤º³¡ºô¸ô¥X¥hªºªF¦è¡M
¦ý¤S¾á¤ß¨Ó¦Û¥~±ªº´c¦W¬L³¹ªº¡¥Ping of Death¡¦¡C¤S¦p¡M±z©Î³\¨Ã¤£
§Æ±æ§O¤H±q¥~± telnet ¤W±zªº Linux ¥D¾÷¡MºÉºÞ¥þ³¡ªº±b¸¹³£¦³±K½X
«OÅ@¡C©Î³\¡M±zÁÙ·Q(¥¿¦p¤j³¡¥÷¤H¤@¼Ë)¦b internet ¤W·í¬Ý«È¦Ó¤£Ä@·í
¦øªA¾¹(¤]¥i¯à±z¬OÄ@·Nªº) ¡M³Ì²³æ²ö¦p¥Î«Ê¥]¹LÂo¨Ó©Úµ´¥ô¦ó·N±ý³s
½uªº«Ê¥]¡M¤£Åý¥ô¦ó¤H³s¶i¨Ó¡C
Watchfulness:
¦³®ÉÔ¡M¤@¥x³]©w®t¦Hªº¾÷¾¹·|±q¥»¦aºô¸ô¦V¥~±¹Ã°e«Ê¥]¡C¦Ó¦n®ø®§¬O
±z¥i¥HÅý«Ê¥]¹LÂo¨Ó§i¶D±z¬O§_¦³ÅܺAªº¨Æ±¡µo¥Í¡C±z©Î³\·|¹ï¤§±Ä¨ú¦æ
°Ê¡M¤S©Î³\¦¤w¨£ºD¤£©Ç¤F¡C
3.2 ¦p¦ó¦b Linux ¤U¹LÂo«Ê¥]¡S
Linux ªº®Ö¤ß¦Û±q 1.1 ª©´N¤w¸g¦³«Ê¥]¹LÂo¥\¯à¡C²Ä¤@¥N¬O 1994 ¦~¥Ñ Alan
Cox °ò©ó BSD ªº ipfw ²¾´Ó¹L¨Óªº¡M«á¨Ó¦b Linux 2.0 ª©¥»¦A¥Ñ Jos Vos ¥[±j
¡M§Q¥Î ' ipfwadm ' ³o°¦¨Ï¥ÎªÌªÅ¶¡(userspace *)¤u¨ã¨Ó±±¨î®Ö¤ßªº¹LÂo³W«h
¡C¦b 1998 ¦~¦~¤¤¡M§Ú¦b Micahel Neuling ªº¤j¤OÀ°§U¤U¡M§ëª`¤F¬Û·íªººë¤O¦b
Linux ®Ö¤ß 2.2 ¤W±¡M±À¥X¤F ' ipchains ' ³o°¦¤u¨ã¡C²×©ó¡MLinux ®Ö¤ß
2.4 ªº²Ä¥|¥N¤u¨ã ' iptables ' ³s¦P¨ä¥¦®Ö¤ß§ï¼g¤]¦b 1999 ¦~¦~¤¤¶i¦æ¶}µo
¤F¡C³o´N¬O¥Ø«e³oÓ iptables ªº HOWTO ¤å¥ó©ÒP¤O¤§©Ò¦b¡C
(* ĶªÌµù¡R¡§¨Ï¥ÎªÌªÅ¶¡¡¨³q±`¬O¥Î¨Ó°Ï§O¨t²Î°O¾ÐÅ骺¨Ï¥Î½d³ò¡M¥DnÃþ«¬¤À
¬°®Ö¤ßªÅ¶¡©M¨Ï¥ÎªÌªÅ¶¡¡Cì§@ªÌ¥i¯à¥H¬°¤j®a³£¬Oµ{¦¡°ª¤â¡M¬G·|¥Î¦p¦¹±Mªù
³N»y¡CµM¹ï¤@¯ëŪªÌ¨Ó»¡¡M²z¸Ñ¤W©Î³\¦³§xÃø¡M¬G¦¹¦h»¡¨â¥y¡C¦b©¹«áªº¾\Ū¤¤
¤]½Ð¯d·N¡C)
±z»Ýn¤@Ӯ֤ߦ³ netfilter «Øºc©ó¨ä¤¤¡Rnetfilter ¬O Linux ®Ö¤ß¤¤¤@Ó³q
¥Î¬[ºc¡M¥i¥HÅý¨ä¥¦ªF¦è(¨Ò¦p iptables ¼Ò²Õ) ´¡¤J(plug into)¡C´«¥y¸Ü»¡¡M
±z»Ýn®Ö¤ß 2.3.15 ©Î§ó·sªºª©¥»¡M¦P®É¦b®Ö¤ß½sĶ®É¥H ' Y ' ¦^µª
CONFIG_NETFILTER ³oӿﶵ¡C
iptables ³o°¦¤u¨ã·|©M®Ö¤ß¹ïÁ¿¨Ã§i¶D¥¦¤°»ò«Ê¥]n¹LÂo¡C°£«D±z¬O¤@Óµ{¦¡¤H
û¡M©Î²§·Q¤Ñ¶}¡M¨º±z´N¬O¥Î¥¦¨Ó±±¨î«Ê¥]«ç¼Ë¹LÂoªº¤F¡C
iptables
³o°¦ iptables ¤u¨ã¥i¥H´¡¤J©Î²¾°£®Ö¤ß«Ê¥]¹LÂoªí®æ(packet filtering
table) ¤¤ªº¤@¨Ç³W«h(rules)¡C¤]´N¬O»¡¡MµL½×±z³]©w¤F¤°»ò¡Mn¬O«·s±Ò
°Ê(reboot)¨t²Îªº¸Ü¡M´N·|¥þ³¡¥á¥¢¡Q½Ð°Ñ¾\ [5]¨î©w¥Ã¤[©Ê³W«h(Making
Rules Permanent)¡M ¬Ý¬Ý¦p¦ó½T«O³]©w¦b¤U¦¸ Linux ±Ò°Ê«á¥i¥H¦^¦s¡C
iptables ¬O¥Î¨Ó¨ú¥N ipfwadm ©M ipchains ªº¡R½Ð°Ñ¾\ [6]¨Ï¥Î ipchains ©M
ipfwadm (Using ipchains and ipfwadm)¡M ¬Ý¬Ý¦p¦óµLµhªºÁקK¨Ï¥Î iptables
¡M°²¦p±z¥Ø«e¥¿¨Ï¥Î¥¦Ì¨ä¤¤¤§¤@¡C
¨î©w¥Ã¤[©Ê³W«h
±z¥Ø«eªº¨¾¤õÀð³]©w¬OÀx¦s©ó®Ö¤ß¸Ì±ªº¡M¤]¥¿¦]¦p¦¹¡M³]©w·|¦b¨t²Î«±Ò«á¥á
¥¢¡Ciptables-save ©M iptables-restore * ªº¼¶¼g¥Ø«e¤w¸g³Q¦C¤J TODO ¦Cªí
¤¤¤F¡C§Ú«OÃÒ·í¥¦Ì°Ý¥@ªº®ÉÔ¡MªÖ©w«D±`´Î¡C
(* ĶªÌµù¡R¦b ipchains ¤u¨ã¤¤¡M¥i¥H¨Ï¥Î ipchains-save »P
ipchains-restore ¨Ó§â·í«eªº¨¾¤õÀð³]©wÀx¦s°_¨Ó¡M¥H¤Î±N¤§ÁÙì¡C¦pªGŪªÌ¨S
¨Ï¥Î¹L ipchains ¨º¨âÓ¥\¯àªº¸Ü¡M©Î³\¤£ª¾¹D§@ªÌ¦b»¡¤°»ò¡C)
¥Ø«e¨Ó»¡¡M´N§â³]©w³W«h©Ò»Ýªº¨º¨Ç©R¥O¼g¶i¤@Óªì©l©R¥O½Z(script)¤¤§a¡Cn
½T©wªº¬O¡M°²¦p¦³¨ä¤¤¤@Ó©R¥O¥¢±Ñªº®ÉÔ¡M±z¯à´£¨Ñ¤@¨Ç´¼¯àªº°Ê§@¤ÏÀ³ (³q
±`¦p ' exec /sbin/sulogin' )¡C
4. §Aºâþ®Ú½µ°Ú¡S¬°¦óª±§Úªº®Ö¤ß¡S
§Ú¬O Rusty¡M¬O Linux IP ¨¾¤õÀ𪺺ûÅ@ªÌ¡M¦P®É¤]¶i¦æ¨ä¥¦ªº¤@¨Ç½sµ{¤u§@¡M
¥i¥Hºâ¬O¤Ñ®É¦a§Q¤H©Mªº¨ÏµM§a¡C§Ú¼g¹L ipchains (½Ð°Ñ¾\«e±ªº [7]¦p¦ó¦b
Linux ¤U¹LÂo«Ê¥]¡S(How Do I Packet Filter Under Linux?)¡M ¬Ý¬Ý¹ê»Úªº¤u
§@©|±o¯q©óþ¨Ç¦P¤¯)¡M±q¨ä¤¤¾Ç¨ì¨¬°÷ªºªF¦è¥H¦J¥¿¤µ¦¸ªº«Ê¥]¹LÂo¡C§Ú§Æ±æ¦p
¦¹¡C
[8]WatchGuard ¬O¤@Ó«D±`¥X¦â¨¾¤õÀ𤽥q¡M¥X°â¯u¥¿¦n¥ÎªºÀH´¡¦¡¨¾¤õÀð³]
³Æ(plug-in Firebox)¡M¥B¦V§Ú§K¶O´£¨Ñ¡MÅý§Ú¥i¥H¥þ¤O¼¶¼g³o¨ÇªF¦è¡M¥H¤ÎºûÅ@
¹L©¹ªº¤@¨ÇªF¦è¡C§Ú쥻¹w¦ô 6 Ó¤ë´N¥i¥H¤F¡M¦ý¹ê»Ú¤W«oªá¤F 12 Ó¤ë¡M¤£¹L
§Ú¦b³Ì«á¶¥¬qı±o°µ±oÁÙ¤£¿ù´N¬O¤F¡C¦h½«¼g¡NµwºÐ·´Ãa¡N¤â´£¹q¸£¾DÅÑ¡N¼Æ
ÓÀɮרt²Îªº·l·´¡N¥H¤Î«á¨Óªºº·¹õÃa±¼¡M³Ì²×¡MÁÙ¬O°µ¥X¨Ó¤F¡C
¦b³o¸Ì¡M§Ú·Q¼á²M¤@¨ÇªB¤Íªº¿ù»~Æ[©À¡R§Ú¨Ã«D®Ö¤ß(kenrl)¸Ì±ªº±M®a¡C§Ú¤§©Ò
¥Hª¾¹D³o¨Ç¡M¬O¥Ñ©ó¬Y¨Ç®Ö¤ß¤u§@Åý§Ú±µÄ²¨ì¥L̨䤤ªº¤@¨Ç¦¨û¡R David S.
Miller¡NAlexey Kuznetsov¡NAndi Kleen¡NAlan Cox¡C¤£¹L¡M½ÞÀY°©(³ÌÃøªº)³£
¥Ñ¥LÌ°Ù¤F¡M³Ñ¤Uªº¨§»G(¦w¥þ©M®e©öªº)¤~½ü¨ì§Ú¨Ó¦¬¬B°Õ¡C
5. ¯u¥¿ªº Rusty «Ê¥]¹LÂo§Ö³t«ü«n
¤j³¡¤À¤H³£¶È¥Î³æ¤@ªº PPP ¼·±µ¤Wºô¡M¦P®É¨Ã¤£·Q¥ô¦ó¤H¶i¤J¥L̪ººô¸ô¡N©Î¨¾
¤õÀð¡R
## Insert connection-tracking modules (not needed if built into kernel).
# insmod ip_conntrack
# insmod ip_conntrack_ftp
## Create chain which blocks new connections, except if coming from inside.
# iptables -N block
# iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A block -m state --state NEW -i ! ppp0 -j ACCEPT
# iptables -A block -j DROP
## Jump to that chain from INPUT and FORWARD chains.
# iptables -A INPUT -j block
# iptables -A FORWARD -j block
6. «Ê¥]¦p¦ó¬ï¶V(traverse)¹LÂo
®Ö¤ß±q 'filter' ªí®æªº¤TÓ¦Cªí(lists) ¶}©l¡Q³o¤TÓ¦Cªí¥s°µ firewall
chains(¨¾¤õÀðÃì) ©Î´N¥s chains(Ãì)¡C ³o¤TÓÃì¤À§O¬°INPUT¡NOUTPUT ¡N©M
FORWARD ¡C
³o¸ò 2.0 ©M 2.2 ®Ö¤ß¦³«Ü¤j®t§O®@¡T
¹ï©ó ASCII ÃÀ³N°g¨Ó»¡¡M¦UÃì(chains)ªº§G¸m¦p¤U¡R
_____
Incoming / \ Outgoing
-->[Routing ]--->|FORWARD|------->
[Decision] \_____/ ^
| |
v ____
___ / \
/ \ |OUTPUT|
|INPUT| \____/
\___/ ^
| |
----> Local Process ----
¨ä¤¤¤TÓ°é¥NªíµÛ«ezªº¤TÓÃì¡M·í¤@Ó«Ê¥]©è¹F¤W¹Ï¤¤ªº¨ä¤¤¤@Ó°é¡M¬ÛÀ³ªº
Ãì´N·|±µ¨üÀËÅç(examined)¡M¥H¨M©w¨ºÓ«Ê¥]ªº©R¹B¡C¦pªGÃ컡 DROP ±¼³oÓ«Ê
¥]¡M¨º»ò¥¦´N·|´N¦a¥¿ªk¡M¦ý¦pªGÃ컡 ACCEPT ³oÓ«Ê¥]¡M¨º»ò¥¦´NÄ~Äò¦b¹Ï¥Ü
¤¤¬ï¶V¡C
¤@ÓÃì(chain)¨ä¹ê´N¬O²³¦h³W«h(rules)¤¤ªº¤@ÓÀˬd²M³æ(checklist)¡C¨C¤@±ø
³W«h³£·|»¡¡§¦pªG«Ê¥]ªíÀY¬Ý°_¨Ó¹³³o¼Ë¡M´N¦p¦¹³o¯ë³B¸m³oÓ«Ê¥]¡¨¡C¦pªG³W
«hªº³]©w©M«Ê¥]¨Ã¤£²Å¦X(match)¡M¨º»ò´N¥æ¥ÑÃ줤ªº¤U¤@Ó³W«hÄ~Äò³B²z¡C¦Ó³Ì
²×¡M¦pªG¦A¨S¦³³W«h¥i¥H°Ñ¦Ò¡M¨º»ò®Ö¤ß´N·|¬ÝÃ쪺policy(ì«h) ¥H¨M©w«ç»ò°µ
¡C¦b¤@Ó¦w¥þ¦Ü¤Wªº¨t²Î¸Ì¡Mì«h(policy)³q±`³£·|§i¶D®Ö¤ß DROP ±¼¸Ó«Ê¥]¡C
1. ·í¤@Ó«Ê¥]¶i¤Jªº®ÉÔ(°²³]¡M³q¹L Ethernet ºô¸ô¥d)¡M®Ö¤ßº¥ý¬Ý¬Ý«Ê¥]
ªº¥Øªº¦a(destination)¡R³oºÙ¤§¬° ' rouging (¸ô¥Ñ)'¡C
2. ¦pªG¥Øªº¦a§}¬°¥»¾÷¡M³oÓ«Ê¥]´N«ö¹Ï¥Ü¤U¦æ¦Ü INPUT Ãì¡C¦pªG¥¦¯à°÷³q¹L
¡M¨º»òµ¥«Ý³oÓ«Ê¥]ªº¦æµ{(processes)´N±N¤§±µºÞ¤U¨Ó¡C
3. §_«h¡M¦pªG®Ö¤ß¨Ã¨S±Ò°ÊÂ໼¥\¯à(forwarding)¡M©Î¬O¥¦¤£ª¾¹D¦p¦óÂ໼³o
Ó«Ê¥]¡M¨º»ò³oÓ«Ê¥]´N·|³Q¥á±ó(dropped)¡C¦pªGÂ໼¥\¯à¤w¸g±Ò°Ê¡M¦P®É
«Ê¥]«ü¦V¥t¤@Óºô¸ô¬É±(¦pªG±zÁÙ¦³¥t¥~¤@±i)¡MµM«á³oÓ«Ê¥]´N«ö¹Ï¥Ü¥k
¦æ¦Ü FORWARD Ãì¡C¦pªG¥¦³Q±µ¨ü(ACCEPT)¡M¨º»ò¥¦´N·|³Q°e¥X¥h¡C
4. ³Ì«á¤@ºØ±¡§Î¡M¤@Ó¦b¥»¾÷¹B¦æªºµ{¦¡·|°e¥Xºô¸ô«Ê¥]¡C«Ê¥]´Nª½±µ¥æµ¹
OUTPUT Ãì¡R¦pªG¬O ACCEPT¡MµM«á³oÓ«Ê¥]·|Ä~Äò°e¥X¦Ü¥¦©Ò«ü¦Vªº¬É±¡C
7. ¨Ï¥Î iptables
¦pªG±z»Ýn¯S©wªº¸Ô²Ó¤F¸Ñ¡Miptables ¦³¤@Ó«D±`¸ÔºÉªº manual page (man
iptables)¡C°²¦p±z¼ô±x ipchains ªº¸Ü¡M©Î³\¥i¥Hª½±µ¸õ¨ì [9]iptables »P
ipchains ªº®t²§ (Differences Between iptables and ipchains) ¥h¬Ý¡Q¥¦Ì
¬O«D±`ªñ¦üªº¡C
±zÁÙ¥i¥H§Q¥Î iptables °µ³\¦h¤£¦Pªº¨Æ±¡®@¡C±z©Ò¶}©lªº¨º¤TÓ¤º
«Ø(buit-in) Ãì¡R INPUT¡NOUTPUT¡N©MFORWARD ¡M±z¬O¤£¯à§R°£ªº¡CÅý§Ú̬ݬÝ
¾ãÓÃ쪺ºÞ²z¹B§@§a¡R
1. «Ø¥ß¤@Ó·sÃì (-N)¡C
2. §R°£¤@ÓªÅÃì (-X)¡C
3. §ïÅܤ@Ó¤º«ØÃ쪺ì«h (-P)¡C
4. ¦C¥X¤@ÓÃ줤ªº³W«h (-L)¡C
5. ²M°£¤@ÓÃ줤ªº©Ò¦³³W«h (-F)¡C
6. Âk¹s(zero) ¤@ÓÃ줤©Ò¦³³W«hªº«Ê¥]¦r¸`(byte) °O¼Æ¾¹ (-Z)¡C
¦³¦n¨Ç¤èªk¥i¥H²ÎÄw¤@ÓÃ줤ªº³W«h¡R
1. ©µ¼W(append) ¤@Ó·s³W«h¨ì¤@ÓÃì (-A)¡C
2. ¦bÃ줺¬YÓ¦ì¸m´¡¤J(insert) ¤@Ó·s³W«h(-I)¡C
3. ¦bÃ줺¬YÓ¦ì¸m´À´«(replace) ¤@±ø³W«h (-R)¡C
4. ¦bÃ줺¬YÓ¦ì¸m§R°£(delete) ¤@±ø³W«h (-D)¡C
5. §R°£(delete) Ã줺²Ä¤@±ø³W«h (-D)¡C
7.1 ·í±zªº¾÷¾¹±Ò°Ê®É¡M±z©Ò¬Ý¨ìªº
iptables ¥i¥H°µ¦¨¼Ò²Õ(module)¡M¥s°µ `iptable_filter.o' ¡M·í±z²Ä¤@¦¸¶]
iptables ´N·|³Q¦Û°Ê¸ü¤J¡C¥¦¤]¥i¥H¥Ã¤[©Êªº«Ø¸m©ó®Ö¤ß¸Ì±¡C
¦b¶]¥ô¦ó iptables ©R¥O¤§«e (¤p¤ß¡R¦³¨Ç®M¥ó(distributions) ©Î³\·|¥Î¥¦Ì
ªº°_©l©R¥O½Z¨Ó¶] iptables)¡M¤º«ØÃì( `INPUT'¡N`FORWARD'¡N©M `OUTPUT' )±N
¤£±a¥ô¦ó³W«h¡M©Ò¦³Ãì³£±Nì«h³]¬° ACCEPT¡C±z¥i¥H±N iptable_filter ¼Ò²Õ¿ï
¶µ³]¬° `forward=0' ¡M¨Ó§ïÅܹw³]ªº FORWARD Ãìì«h¡C
7.2 ¤@Ó³æ¤@³W«hªº¹B§@
¤U±Åý§Ų́Ӽô½m¤@¤Uì«hªº¹B¥Î§a¡M©Ò¿×¼ô¯à¥Í¥©¬O¤]¡C±z³Ì±`¥Îªº©Î³\·|¬O
append (-A) ©M delete (-D) ©R¥O¡C¦Ü©ó¨ä¥¦¦p insert (-I) ©M replace
(-R)¡M ¥u¬O³o¨Ç·§©Àªº©µ¦ù¦Ó¤w¡C
¨C¤@±ø³W«h³£©w¤F¤@²Õ±ø¥ó(conditions)»P¯S©w«Ê¥]¤ñ¹ï¡M¥H¤Î·í¥¦Ì²Å¦X®É
n¦p¦ó³B¸m(«ü¤@Ó`target' )¡C¤ñ¤è»¡¡M±z©Î³\n¥á±ó©Ò¦³¨Ó¦Û127.0.0.1 ³oÓ
IP ¦a§}ªº ICMP «Ê¥]¡M¦]¦Ó§Ú̳o¸Ìªº±ø¥ó´N¦¨¬°³o¼Ë¡R¨ó©w¥²¶·¬O ICMP¡M¦Ó
¨Ó·½¦a§}¥²¶·¬O 127.0.0.1 ¡M¦Ó§Ú̪º target(¥Ø¼Ð)±N·|¬O`DROP' ¡C
§Ú̺٠127.0.0.1 ¬° `loopback' ¬É±¡M´Nºâ±z¨S¦³¯u¹êªººô¸ô³s±µ¡M±z¤]·|¦³
³oӬɱªº¡C±z¥i¥H¥Î `ping' ³o°¦µ{¦¡²£¥Í³o¼Ëªº«Ê¥] (¥¦¥u¬O°e¥X¤@Ó
type 8(echo request)ªº ICMP «Ê¥]¡M¦Ó©Ò¦³¼Ö©ó¦^À³ªº¦X§@ºÝ(cooperative
hosts) «h°e¦^¤@Ó type 0(echo reply)ªº ICMP «Ê¥])¡C¥Î¨Ó´ú¸Õ¬O«Ü¦n¥Îªº¡C
# ping -c 1 127.0.0.1
PING 127.0.0.1 (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.2 ms
--- 127.0.0.1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.2/0.2/0.2 ms
# iptables -A INPUT -s 127.0.0.1 -p icmp -j DROP
# ping -c 1 127.0.0.1
PING 127.0.0.1 (127.0.0.1): 56 data bytes
--- 127.0.0.1 ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss
#
³o¸Ì±z¥i¥H¬Ý¨ì²Ä¤@Ó ping ¦¨¥\¤F(³o¸Ìªº `-c 1' °Ñ¼Æ¬O§i¶D ping ¥u°e¥X¤@
Ó«Ê¥])¡C
µM«á¡M§Ú̬°`INPUT' ©µ¼W(-A)¤@±ø³W«h¡M±N¨Ó¦Û 127.0.0.1(`-s 127.0.0.1')
ªº ICMP ¨ó©w (`-p icmp') «Ê¥]°e¦Ü DROP ³oӥؼР(-j DROP)¡C
µM«á§ÚÌ¥i¥H¥Î²Ä¤GÓ ping ¨Ó´ú¸Õ§Ú̪º³W«h¡C¦bµ{¦¡©ñ±óÄ~Äòµ¥«Ý¨º¨Ç¥Ã¤£
¨ì¨Óªº¦^À³¤§«e¡M±N¦³¤@¬q¼È°±¡C
§Ú̦³¨âÓ¤èªk¥i¥H²¾°£³W«h¡Cº¥ý¡M¦]¬°§Ú̥ثe¨î©w¦b input Ã줤¥u¦³°ß¤@
¤@±ø³W«h¡M©Ò¥H§ÚÌ¥i¥H«ü©w¼Æ¦r¨Ó²¾°£¡M¨Ò¦p¡R
# iptables -D INPUT 1
#
³o¼Ë´N§â²Ä¤@±ø³W«h±q INPUT Ã줤²¾°£±¼¡C
²Ä¤GÓ¤èªk¬O¬M®g(mirro)¤W±ªº -A ©R¥O¡M¦ý¥Î -D ¨Ó¥N´À -A ¦Ó¤w¡C·í±z¦³¤@
ÓÃì¡M¸Ì±¼g¦³«D±`½ÆÂøªº³W«h¡M¦Ó¤S¤£·Q³v¦æ¼Æ¥X²Ä 37 ¦æ´N¬O±znªº¨º±ø³W
«h¡M³o®ÉÔ¡M³o¤èªk´N«D±`¦³¥Î¤F¡C
# iptables -D INPUT -s 127.0.0.1 -p icmp -j DROP
#
¦b©R¥O¦æ¤¤¡M¨ä»yªk¬O -D ¥²¶·©M -A (©Î -I¡N©Î -R) ©R¥Oªº¦ì¸m¤@P¡C¦pªG¦b
¦P¤@ÓÃ줤¦³¼Æ±ø¬Û¦Pªº³W«h¡M¨º»ò¥u¦³²Ä¤@±ø·|³Q²¾°£±¼¡C
7.3 ¹LÂo³W®æ
§Ṳ́w¸g¬Ý¹L¥Î `-p' ¨Ó«ü©w¨ó©w¡M¥H¤Î¥Î `-s' ¨Ó«ü©w¨Ó·½¦a§}¡M¦ýÁÙ¦³¨ä¥¦
¿ï¶µ§Ú̬O¥i¥H¥Î¨Ó«ü©w¥X¤@Ó«Ê¥]ªº¯S©º¡C©³¤U¬O¤@Ó§¹¾ãªº·§z¡C
«ü©w¨Ó·½©M¥Øªº¦a¤§ IP ¦a§}
§ÚÌ¥i¥H¥Î¥|ºØ¤èªk¨Ó«ü©w¨Ó·½(`-s'¡N©Î`--source'¡N©Î `--src') ©M¥Øªº
¦a(`-d'¡N©Î`--destination'¡N©Î`--dst') IP ¦a§}¡C³Ì±`¥Îªº¤èªk¬O¨Ï¥Î§¹¾ã
¦WºÙ¡M¨Ò¦p `localhost' ©Î `www.linuxhq.com' ¡C²Ä¤GºØ¤èªk¬O«ü©w¨ä IP ¦a
§}¡M¨Ò¦p `127.0.0.1' ¡C
²Ä¤T©M²Ä¥|ºØ¤èªk¤¹³\«ü©w¤@²Õ(group) IP¦a§}¡M¨Ò¦p `199.95.207.0/24' ©Î
`199.95.207.0/255.255.255.0' ¡M³o¨âÓ³]©w³£«ü©w¤F©Ò¦³±q 199.95.207.0 ¨ì
199.95.207.255 ¤§¶¡ªº IP ¦a§}¡Q¦Ó¦b¼Æ¦r«á±ªº `/' ²Å¸¹¬O§i¶D¨t²Îþ³¡¥÷
IP ¤~¦³®Ä¡C `/32' ©Î `/255.255.255.255' ¬°¹w³]È(©Ò¦³ IP ȳ£¥²¶·§k¦X)
¡C¥þ³¡¥Î `/0' ¨Ó«ü©w IP ¦a§}¤]¬O¥i¦æªº¡M¨Ò¦p¡R
[ NOTE: `-s 0/0' is redundant here. ]
# iptables -A INPUT -s 0/0 -j DROP
#
¤£¹L³o«D±`¤Ö¥Î¡M¦]¬°¥H¤Wªº®ÄªG©M¤£«ü©w `-s' ²@µL¨â¼Ë¡C
¬Û¤Ï«ü©w
³\¦hºX¼Ð(flags)¡M¥]¬A `-s' (©Î `--source')¡N©M `-d' (©Î
`--destination')¡M¥i¥H¦b¥¦Ì«e±©ñ¸m¤@Ó `!' ²Å¸¹(µoµ¬°`not') ¡M¨Ó²Å¦X
©Ò¦³«D(NOT)¨ä½á¤©Èªº¦a§}¡C¤ñ¤è»¡¡M`-s ! localhost' ²Å¦X©Ò¦³«D(not) ¨Ó
¦Û¥»¾÷ªº«Ê¥]¡C
«ü©w¨ó©w
¨ó©w¥i¥H¥Î `-p' (©Î `--protocol') ºX¼Ð¨Ó«ü©w¡C¨ó©w¥i¥H¬°¤@Ó¸¹½X(°²¦p±z
ª¾¹D IP ¨ó©w¼ÆȪº¸Ü)¡M©Î¬O¤@ӽѦp `TCP'¡N©Î`UDP'¡N©Î`ICMP' ³o¼Ëªº¦WºÙ
¡C¤j¤p¼g¨SÃö«Y¡M©Ò¥H `tcp' ©M `TCP' ³£¥i¥H¤u§@¡C
¨ó©w¤]¥i¥H¥[¤W¤@Ó `!' «e¸m²Å¸¹¡M¨Ï¤§¬Û¤Ï¡C¨Ò¦p `-p ! TCP' «h«ü©w¤F©Ò¦³
«D TCP ªº«Ê¥]¡C
«ü©w¬É±
§Ú̥Π`-i' (©Î `--in-interface') ©M `-o' (©Î `--out-interface') ¿ï¶µ¨Ó
«ü©w¤@ӲŦXªº¬É±(interface)¡C¤@Ӭɱ´N¬O«Ê¥]¶i¤J(`-i') ¡M©Î¶Ç
¥X(`-o')¤§ª«²z³]³Æ¡C±z¥i¥H¥Î ifconfig ©R¥O¦C¥Xþ¨Ç¬É±¬O¶]°_¨Ó(`up' )ªº
¡C
¬ï¶V INPUT Ã쪺«Ê¥]¤£·|¦³¶Ç¥X(output)¬É±ªº¡M©Ò¥H¡M¥ô¦ó¦bÃ줤¨Ï¥Î `-o'
¿ï¶µªº³W«h³£¤£»P¤§²Å¦X¡C¦P¼Ëªº¡M¬ï¶V OUTPUT Ã쪺«Ê¥]¤]¤£·|¦³¶Ç
¤J(input)¬É±¡M©Ò¥H¦bÃ줤¥ô¦ó±a `-i' ¿ï¶µªº³W«h¤]¬O¤£²Å¦Xªº´N¬O¤F¡C
¶È¶È¬O¬ï¶V FORWARD Ã쪺«Ê¥]¤~·|¦P®É¦³¶Ç¤J©M¶Ç¥X¬É±¡C
«ü©w¤@Ó¤£¦s¦bªº¬É±¬O§¹¥þ¦Xªk(legal)ªº¡Q¤Ï¥¿¦b¬É±ÁÙ¨S°_¨Ó¤§«e¡M³o±ø³W
«h¬O¤£·|²Å¦Xªº¡C³o¹ï©ó PPP ¼·±µ(³q±`·|¬Oppp0) ©Î¬ÛÃþ³s½u¡M´N·¥¤§¦³¥Î¤F
¡C
¨Ò¦p¦b¤@Ó¯S®í¨Ò¤l¤¤¡M¬É±¬O¥Î¤@Ó `+' µ²§Àªº¸Ü¡M´Nªx«ü©Ò¦³¥H¦¹¦r¦ê¶}ÀY
ªº¬É±(¤£ºÞ¥¦Ì¥Ø«e¬O§_°_¨Ó¤F)¡C¨Ò¦p¡Mn«ü©w¤@±ø³W«h¨Ó²Å¦X©Ò¦³ªº PPP ¬É
±ªº¸Ü¡M-i ppp+ ¿ï¶µ´N¥i¥H¥Î¤W¤F¡C
¬É±¦WºÙ«e±¥i¥H¥Î¤@Ó`!' ²Å¸¹¨Ó²Å¦X¤@Ó»P«ü©w¬É± ¤£ ²Å¦Xªº«Ê¥]¡C
«ü©w«Ê¥]¸H¤ù (Fragments)
¦³®ÉÔ¡M¤@Ó«Ê¥]·|¦]¬°¤Ó¤j¦Ó¤£¯à¤@¦¸¹L¶ë¶i³s½u¥h¡C·í³o¼Ëªº¨Æ±¡µo¥Í¤F¡M
«Ê¥]·|³Q¤Á³Î¦¨ ¸H¤ù(fragments)¡M¦P®É·|¥H¦hÓ«Ê¥]¨Ó¶Ç°e¡C¦Ó¥t¤@ºÝ«h«²Õ
³o¨Ç¸H¤ù¥HÁÙì¾ãÓ«Ê¥]¡C
¦ý¸H¤ùªº°ÝÃD¬O¡M²Ä¤@Ó°_©l¸H¤ù¦³¾ãÓ«Ê¥]ªíÀYÄæ¦ì(IP+TCP¡NUDP¡N©M ICMP)
¥i¨ÑÀˬd¡M¦ý«áÄ~«Ê¥]«o¥u¥]§tªíÀYªº¤p³¡¥÷(¤£±aÃB¥~¨ó©wÄæ¦ìªº IP)¡C³o¼Ëªº
¸Ü¡MnÀˬd«áÄ~¸H¤ù¤§¨ó©wªíÀY(¤ñ¤è¥Ñ TCP¡NUDP¡N©M ICMP extensions ¦Ó¦¨)
¡M´N¤£¥i¯à¤F¡C
¦pªG±zn°µ³s½u°lÂÜ©Î NAT¡M¨º©Ò¦³¸H¤ù¦b»¼µ¹«Ê¥]¹LÂo½X¤§«e³£·|¶×¦X¦^¤@°_
¡M©Ò¥H±zµL»Ý¾á¤ß¸H¤ù°ÝÃD¡C
µM¦Ó¡Mn§Ë©ú¥Õ¹LÂo³W«h¦p¦ó³B²z¸H¤ùªº¡M´NÅܱo«D±`«n¤F¡C¥ô¦ó³W«hn¸ß°Ý
ªº¸ê®Æ¦Ó§Ų́èS¦³®É¡M±N³Qµø¬° ¤£ ²Å¦X¡C¤]´N¬O»¡¡M²Ä¤@Ó¸H¤ù«Ê¥]ªº³B²z
©M¨ä¥¦«Ê¥]¤@¼Ë¡C¦ý²Ä¤G¤Î¤§«áªº¸H¤ù´N¤£¬O³o¼Ë¤F¡C³o¼Ëªº¸Ü¡M¤@±ø -p TCP
--sport www («ü©w¨Ó·½°ð¤f¬°`www')ªº³W«h¡M±N¥Ã»·¤£©M¸H¤ù²Å¦X(°£²Ä¤@Ó¸H
¤ù¥~)¡C¬Û¤Ïªº³W«h¦p-p TCP --sport ! www ¤]¤@¼Ë´N¬O¤F¡C
¤£¹L¡M±z¥i¥H¥Î `-f' (or `--fragment') ºX¼Ð¯S§O¬°²Ä¤G¤Î¥H«áªº¸H¤ù«ü©w¤@
±ø³W«h¡C¦b `-f' «e±¥[¤W¤@Ó `!' ¨Ó«ü©w¤@±ø³W«h ¤£ ¾A¥Î©ó²Ä¤G¤Î¥H«á¸H¤ù
¡M¤]¬O¥i¦æªº¡C
³q±`¡MÅý²Ä¤G¤Î¥H«á¸H¤ù³q¹L¬O³Qµø¬°¦w¥þªº¡M¦]¬°¦pªG¹LÂo·|¼vÅT²Ä¤@Ó¸H¤ù
ªº¸Ü¡M¨º»ò¤]´N¥i¥HÁקK¦b¥Ø¼Ð¥D¾÷¶i¦æ«²Õ¡Q¦ý¬O¡M¤@¨Ç¤wª¾ªº¯ä¦äÅã¥Ü¡M¥á
°e¸H¤ù«Ê¥]¥i¥H»´©öªºÅý¥D¾÷·í±¼¡C¨º¬O»Õ¤UnÀ³¥Iªº¨Æ±¡¤F¡C
ºô¸ôª±®an¯d·Nªº¬O¡R·í¶i¦æ³o¼ËªºÀË´ú®É¡M¤£§¹¾ãªº«Ê¥](¤Óµuªº TCP¡NUDP¡N
©M ICMP «Ê¥]·|Åý¤õÀðµ{¦¡Åª¤£¨ì°ð¤f©Î ICMP ½X©MÃþ«¬) ·|³Q¥á±ó¡C¦]¦¹¡M
TCP ¸H¤ù³£¥Ñ²Ä 8 Ó¦ì¸m¶}©lªº *¡C
(* ĶªÌµù¡R§Ú¤]¤£¬O«Ü©ú¥Õ§@ªÌ³o¸Ì©Ò«ü¦óª«¡Mì¤å¬O¡R¡¥So are TCP
fragments starting at position 8¡¦¡C¦]¬°Ãi±o¥h½¸ê®Æ¡M¬G¤£ª¾¹D
position 8 ¬O«ü TCP ªíÀY¦ì¸mÁÙ¬O¨ä¥¦¡C°²¦p±z§ä¨ìµª®×¡MÅwªï¼g«Hµ¹§Ú¥H§@
¼á²M¡C)
Á|¨Ò¨Ó»¡¡M¥H¤Uªº³W«h·|¥á±ó¥ô¦ó°eµ¹ 192.168.1.1 ªº¸H¤ù¡C
# iptables -A OUTPUT -f -d 192.168.1.1 -j DROP
#
©µ¦ù iptables ¡R·sªº¤ñ¹ï(matches)
iptables ¬O ¥i©µ¦ùªº(extensible)¡M¤]´N¬O»¡¡M®Ö¤ß©M iptables ¤u¨ã¥i¥H¶i
¦æÂX®i¥H´£¨Ñ·sªº¥\¯à¡C
¬Y¨Ç©µ¦ù(Extensions)¬O¼Ð·Çªº¡M¦ý¦³¨Ç«h¥i¥H»¡¬O¬£¥Í¥X¨Óªº¡C§OªºªB¤Í©Î³\
·|»s°µ¥X¤@¨Ç©µ¦ù¡M¦P®É´²¼½µ¹¦X¾Aªº¥Î¤á¡C
®Ö¤ßªº©µ¦ù³q±`©~©ó®Ö¤ß¼Ò²Õ¥Ø¿ý¤º¡M¨Ò¦p /lib/modules/2.3.15/net ¡C°²¦p±z
ªº®Ö¤ß¬O¥Î CONFIG_KMOD ³]©w¨Ó½sĶªº¸Ü¡M¥¦Ì¬OÀ³»Ý¨D¸ü¤Jªº¡M©Ò¥H±zµL»Ý¤â
°Êªº´¡¤J¥¦Ì¡C
µM¦Ó¡Miptables µ{¦¡ªº©µ¦ù«h³q±`¬O©~©ó /usr/local/lib/iptables/ ¸Ì±ªº¤À
¨É¨ç¦¡®w¡M©ÎªÌ¦³¨Ç´²¼½ª©¥»·|±N¥¦Ì©ñ¶i /lib/iptables ©Î
/usr/lib/iptables ¸Ì¥h¡C
©µ¦ù¦³¨âÓºØÃþ¡R·s¥Ø¼Ð(target)¡M©M·s¤ñ¹ï(match)¡Q¤U±§ÚÌ´NÁ¿Á¿·s¥Ø¼Ð§a
¡C¦³¨Ç¨ó©w·|¦Û°Ê´£¨Ñ·sªº´ú¸Õ(tests)¡R¥Ø«e¦³ TCP¡NUDP¡N©M ICMP¡M¦p¤Uz¡C
¦b©R¥O«á¨Ï¥Î `-p' ¿ï¶µ§â©µ¦ù¸ü¤J¶i¨Ó¡M±z´N¥i¥H¨Ó«ü©w¤@Ó·s´ú¸Õ¤F¡C·í©µ
¦ù¿ï¶µ¤¹³\ªº®ÉÔ¡M¨Ï¥Î `-m' ¨Ó¸ü¤J©µ¦ù¡M«h¥i¥H©ú½T«ü¥Ü¤@Ó·s´ú¸Õ¡C
¦p»Ý¬YÓ©µ¦ùªº¨D§U¸ê®Æ¡M¥i¥H¨Ï¥Î¿ï¶µ«á±µ `-h' ©Î `--help' ±N¤§¸ü
¤J(`-p'¡N `-j'¡N©Î `-m')¡M¨Ò¦p¡R
# iptables -p tcp --help
#
TCP ©µ¦ù
¦pªG«ü©w¤F `-p tcp' ¡MTCP ¤§©µ¦ù·|¦Û°Ê¸ü¤Jªº¡C¥¦´£¨Ñ¦p¤U¿ï¶µ(¨Ã¤£²Å¦X
fragments)¡C
--tcp-flags
«á±µ¤@Ó `!' ¿ï¶µ¡M«h¦³¨âÓºX¼Ðªº¦r¦êÅý±z¯à°÷¹ï«ü©wªº TCP ºX¼Ð¶i
¦æ¹LÂo¡C ²Ä¤@Ó¦r¦ê¬O¾B¸n(mask)¡R¤@Ó±z±ýÀˬdªººX¼Ð¦Cªí¡C²Ä¤GÓ
¦r¦ê¬On»¡þ¨ÇªF¦èn³]©w¡C¨Ò¦p¡R
# iptables -A INPUT --protocol tcp --tcp-flags ALL SYN,ACK -j DENY
³oªí¥Ü©Ò¦³ºX¼Ð³£nÀˬd (`ALL' ´N¬Oªx«ü
`SYN,ACK,FIN,RST,URG,PSH')¡M¦ý¥u¦³ SNY ©M ACK ³Q³]©w¦Ó¤w¡C¥t¥~¦³
¤@Ó°Ñ¼Æ `NONE' «h¬O¨SºX¼Ðªº·N«ä¡C
--syn
¬°`--tcp-flags SYN,RST,ACK SYN' ªºÂ²¼g¡M¨ä«e±¥i¥H³Æ¿ï¤@Ó `!'
²Å¸¹¡C
--source-port
¨ä«á¥i¥H³Æ¿ï `!' ¡MµM«á¬O¤@Ó³æ¿Wªº TCP °ð¤f©Î¤@Ó°ð¤fÈ
°ì(range)¡C°ð¤f¥i¥H¬° /etc/services ©Ò¦C®q°ð¤f¦WºÙ¡M¤]¥i¥H¬O¤@Ó
¼Æ¦r¡C¦pªG¬OȰ쪺¸Ü¡M¥i¥H¬O¤@¹ï¥Î`:' ²Å¸¹¤À¹jªº°ð¤f¦W¦r¡M©Î¤@Ó
°ð¤f«á±±a `:' («ü¤j©ó©Mµ¥©ó¸Ó°ð¤f)¡M¤S©Î¬O¤@Ó°ð¤f«e±±a `:' (
«ü¤p©ó©Mµ¥©ó¸Ó°ð¤f)¡C
--sport
µ¥¦P©ó `--source-port'¡C
--destination-port
©M
--dport
»P¤W¦P¡M¥u¬O¥¦Ì¬O¥Î¨Ó«ü©w¥Øªº¦a¦Ó«D¨Ó·½°ð¤f¥[¥H¤ñ¹ï¡C
--tcp-option
¨ä«á¥i¥H³Æ¿ï `!' ¡MµM«á¬°¤@ӼƦr¡M¥Î¨Ó¤ñ¹ï¤@Ó TCP ¿ï¶µµ¥©ó¸Ó¼Æ
¦rªº«Ê¥]¡C°²¦p»ÝnÀˬd TCP ¿ï¶µ¡M¨º¨Ç TCP ªíÀY¤£§¹¾ãªº«Ê¥]´N·|¦Û
°Êªº³Q¥á±ó¡C
¤@Ó TCP ºX¼Ðªº¸ÑÄÀ
¦³®ÉÔ¡M¤¹³\³æ¦V¦Ó«DÂù¦Vªº TCP ³s½u·|«Ü¦n¥Î¡C¨Ò¦p¡M±z©Î³\·Q¤¹³\³s½u¨ì¥~
³¡ WWW ¦øªA¾¹¡M¦ý«o¤£·Q¨Ó¦Û¸Ó¦øªA¾¹ªº³s½u¡C
³Ì¥®¸XªºÁ|°Ê©Î³\·|¬O¾×±¼¨Ó¦Û¸Ó¦øªA¾¹ªº TCP «Ê¥]¡C¦ý¤£©¯ªº¬O¡MTCP ³s½u®Ú
¥»´Nn¨D«Ê¥]¬OÂù¦V¶Ç»¼ªº¡C
¸Ñ¨M¤§¹D¬O§â¨º¨Çn¨D³s½uªº«Ê¥]¾×±¼¡C³o¨Ç«Ê¥]³QºÙ¬° SYN «Ê¥](¶â¡M§Þ³N¤W
Á¿¡M¥¦Ì¬O±a SYN ³]©wªº«Ê¥]¡M¦Ó FIN ©M ACK ¼ÐÅÒ«h¬OªÅ¥Õ¡M¥u¬O§Ú̱N¤§Â²
ºÙ¬° SYN «Ê¥]¦Ó¤w)¡Cn¥u¨î³o¼Ëªº«Ê¥]ªº¸Ü¡M§ÚÌ´N¥i¥H¨î¤î¨º¨Ç¥~¨Óªº³s
½u¹Á¸Õ¤F¡C
`--syn' ºX¼Ð¥i¥H¥Î©ó³o¨Ç¤è±¡R¥¦¶È¹ï¨º¨Ç«ü©w¬° TCP ¨ó©wªº³W«h¦³§@¥Î¡C¨Ò
¦p¡M«ü©w¨Ó¦Û 192.168.1.1 ªº TCP ³s½u½Ð¨D¡R
-p TCP -s 192.168.1.1 --syn
³oºX¼Ð¤]¥i¥H«á±µ¤@Ó `!' ¨Ó¤Ï³]¡M·N«ü¨C¤@Ó«D¸ÓÃþªì©l³s½uªº«Ê¥]¡C
UDP ©µ¦ù
¦pªG `-p udp' ³Q«ü©wªº¸Ü¡M³o¨Ç©µ¦ù´N·|¦Û°Ê¸ü¤J¡C¥¦´£¨Ñ¤F
`--source-port'¡N `--sport'¡N`--destination-port'¡N¥H¤Î `--dport' ³o¨Ç
¿ï¶µ¡M¤@¦p«ezªº TCP ³]©w¡C
ICMP ©µ¦ù
¦pªG `-p icmp' ³Q«ü©wªº¸Ü¡M³oÓ©µ¦ù´N·|¦Û°Ê¸ü¤J¡C¥¦¥u´£¨Ñ¤@Ó·sªº¿ï¶µ¡R
--icmp-type
¨ä«á¥i¥H³Æ¿ï `!' ¡MµM«á¬O¤@Ó icmp ¦WºÙÃþ«¬(¦p
`host-unreachable' )¡M©Î¬O¤@ӼƦrÃþ«¬(¦p `3' )¡M©Î¬O¤@¹ï¥Î `/'
¤À¹jªº¼Æ¦rÃþ«¬©M½s½X(¦p `3/3' )¡C¨Ï¥Î `-p icmp --help' ´N¥i¥HÀò
±o¤@¥÷¥i¥Î icmp Ãþ«¬¦WºÙ²M³æ¡C
¨ä¥¦¤ñ¹ïªº©µ¦ù
¦b nerfilter ®M¥ó¤¤ªº¨ä¥¦©µ¦ù«h¬O®i¥Ü©Ê(demonstration)ªº©µ¦ù¤º®e¡M¥i¥H
¥Î `-m' ¿ï¶µ¨Ó©I¥s(°²¦p¤w¦w¸Ë¤Fªº¸Ü)¡C
mac
¦¹¤@¼Ò²Õ¥²¶·n©ú½Tªº¥Î `-m mac' ©Î `--match mac' ¨Ó«ü©w¡C¥¦¥Î©ó
¤ñ¹ï¶Ç¤J«Ê¥]ªº¨Ó·½ Ethernet (MAC) ¦a§}¡M¦]¦Ó¥u¹ï¨º¨Ç¬ï¶V
PREROUTING ©M INPUT Ã쪺«Ê¥]°_§@¥Î¡C¥¦¥u´£¨Ñ¤@ӿﶵ¡R
--mac-source
¨ä«á¥i¥H³Æ¿ï `!' ¡MµM«á¬O¤@ӥΫ_¸¹¤À¹jªº¤Q¤»¶i¨î
ethernet ¦a§}¡M¦p `--mac-source 00:60:08:91:CC:B7'¡C
limit
³oÓ¼Ò²Õ¥²¶·©ú½Tªº¥Î `-m limit' ©Î `--match limit'¨Ó«ü©w¡C¥¦¥Î¨Ó
¨î¤@Ó¤ñ¹ïµ¥¯Å¡M½Ñ¦p§í¨î°O¿ý«H®§µ¥¡C¥¦¥u¯à¤ñ¹ï¤@Ó¨C¬í¦¸¼ÆÈ(
¹w³]¬O¨C¤@Ó¤p®É 3 Ó¤ñ¹ï¡M¦ñÀH 5 ÓIJµo(burst))¡C¥¦±µ¨ü¨âӳƿï
°Ñ¼Æ¡R
--limit
«á±µ¤@Ó¼ÆÈ¡Q«ü©w¥i¤¹³\ªº¨C¬í³Ì¤j¥§¡¤ñ¹ï¼ÆÈ¡C¸Ó¼ÆÈ¥i¥H
¥Î `/second'¡N`/minute'¡N`/hour'¡N©Î `/day'¡N©Î¨ä¤¤³¡¥÷ (
¬G `5/second' ©M `5/s' ¬O¤@¼Ëªº)¡M¨Ó©ú½T«ü©w³æ¦ì(unit)¡M
--limit-burst
«á±µ¤@Ó¼ÆÈ¡M«ü¥Ü¥X¤Þ°_«ez¨î¤§«eªº³Ì¤jIJµo¦¸¼Æ¡C
³oÓ¤ñ¹ï±`¥Î©ó LOG ¥Ø¼Ð¡M¥H¶i¦æ¤ñ²v¨î(rate-limited) ¤§°O¿ý¡C¬°
¤F§ó¦n¤F¸Ñ¥¦¬O¦p¦ó¤u§@ªº¡MÅý§Ú̬ݤ@¬Ý¤U±ªº³W«h¡M¬O¥H¹w³]¨î¤Þ
¼Æ¨Ó°O¿ý«Ê¥]ªº¡R
# iptables -A FORWARD -m limit -j LOG
·í¦¹³W«h²Ä¤@¦¸¤Þ¥Îªº®ÉÔ¡M«Ê¥]´N·|³Q°O¿ý¤U¨Ó¡Q¨Æ¹ê¤W¡M¥Ñ©ó¹w³]ªº
IJµo¬° 5 ¡M¨º¬°ºªº 5 Ó«Ê¥]´N·|°O¿ý¤U¨Ó¡CµM«á¡M¦A¹j 20 ¤ÀÄÁ¦¹³W
«h¤~·|¦A°O¿ý«Ê¥]¡M¦Ó¤£ºÞ´Á¶¡¦³¦h¤ÖÓ«Ê¥]©è¹F¡C¦Ó¥B¡M¨C 20 ¤ÀÄÁ¦p
ªG¨S¦³²Å¦Xªº«Ê¥]³q¹L¡M«h·|«ì´_ (regained) ¤@ÓIJµo¼ÆÈ¡Q°²¦p
100 ¤ÀÄÁ¤º¦AµL³o¼Ëªº«Ê¥]IJ¤Î³o³W«hªº¸Ü¡M¨º»òIJµo¦¸¼Æ´N·|§¹¥þ´_
ì(recharged)¡Q¦^¨ì§Ú̶}©l®Éªºª¬ºA¡C
µù¡R±z¥Ø«e¤£¯à¥H¤j©ó 59 ¤p®Éªº´_ì®É¶¡¨Ó«Ø¥ß¤@Ó³W«h¡M¬G¦¹¡M°²¦p
±z³]©w¤@Ó¥§¡²v¬°¨C¤Ñ¤@¦¸¡M¨º»ò¡M±zªºÄ²µo²v«h¤@©wn¤Ö©ó 3 ¡C
±z¤]¥i¥H¥Î³o¼Ò²Õ¥hÁקK¥H§Ö³t¤ñ²v´£ª@ªA°È¦^À³ªºªýÂ_ªA°È§ðÀ»(DoS)
¡C
Syn-flood protection¡R
# iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
Furtive port scanner¡R
# iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1
/s -j ACCEPT
Ping of death¡R
# iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j
ACCEPT
¦¹¼Ò²Õªº¤u§@ì²z¦³ÂI¹³¡§ºI¬y»Ö¡¨¤@¼Ë¡M½Ð°Ñ¦Ò¤U±ªº¹Ï¥Ü¡C
rate (pkt/s)
^ .---.
| / DoS \
| / \
Edge of DoS -|.....:.........\.......................
= (limit * | /: \
limit-burst) | / : \ .-.
| / : \ / \
| / : \ / \
End of DoS -|/....:..............:.../.......\..../.
= limit | : :`-' `--'
-------------+-----+--------------+------------------> time (s)
LOGIC => Match | Didn't Match | Match
¤ñ¤è»¡¡M§ÚÌ¥H 5 Ó«Ê¥]IJµo¨Ó¤ñ¹ï¨C¬í¤@Ó«Ê¥]¡M¦ý«Ê¥]±q¨C¬í¥|Ó
¶}©l¶Ç¤J¡M«ùÄò¤T¬í¡MµM«áµ¥¤T¬í¦A«·s¶}©l¡C
<--Flood 1--> <---Flood 2--->
Total ^ Line __-- YNNN
Packets| Rate __-- YNNN
| mum __-- YNNN
10 | Maxi __-- Y
| __-- Y
| __-- Y
| __-- YNNN
|- YNNN
5 | Y
| Y Key: Y -> Matched Rule
| Y N -> Didn't Match Rule
| Y
|Y
0 +--------------------------------------------------> Time (seconds)
0 1 2 3 4 5 6 7 8 9 10 11 12
±z·|µo²{ÀY¤Ó«Ê¥]³Q¤¹³\¶W¹L¨C¬í¤@Ó«Ê¥]¡MµM«á´N¤Þ°_¨î¤F¡M¦pªG
¦³¤@Ó°±·²¡M¨ä¥¦ªºÄ²µo¤]±N³Q¤¹³\¡M¦ý´N¤£¯à³q¹L³W«h³]©wªº³Ì°ª¤ñ
²v(¦b¸ÓIJµo¨Ï¥Î«á¬°¨C¬í¤@Ó«Ê¥])¡C
owner
¦¹¼Ò²Õ¬°¥»¾÷²£¥Íªº«Ê¥]¤ñ¹ï¤£¦P¯S©ºªº«Ê¥]«Ø¥ßªÌ(creator)¡C¥¦¶È¹ï
OUTPUT Ã즳¥Î¡M¦Ó¥B¡M¬Æ¦Ü¬Y¨Ç«Ê¥](¦p ICMP ping responses)©Î³\¨S
¦³ owner¡M±N³Qµø¬°¤£²Å¦X®@¡C
--uid-owner userid
¦pªG«Ê¥]¥Ñ¤@Ó¦æµ{¥H¦³®Ä(¼Æ¦r¦¡) user id «Ø¥ßªº¡M«h¬°²Å¦X
¡C
--uid-owner groupid
¦pªG«Ê¥]¥Ñ¤@Ó¦æµ{¥H¦³®Ä(¼Æ¦r¦¡) group id «Ø¥ßªº¡M«h¬°²Å¦X
¡C
--pid-owner processid
¦pªG«Ê¥]¥Ñ¤@Ó¦æµ{¥H process id «Ø¥ßªº¡M«h¬°²Å¦X¡C
--sid-owner processid
¦pªG«Ê¥]¥Ñ¤@Ó¦æµ{¥H session group «Ø¥ßªº¡M«h¬°²Å¦X¡C
unclean
¦¹¤@¹êÅç©Ê¼Ò²Õ¥²¶·¥H `-m unclean' ©Î `--match unclean' ¨Ó©ú½T«ü
©w¡C¥¦·|¹ï«Ê¥]¶i¦æ¤£¦PªºÀH¾÷§PÂ_ÀË´ú¡C³o¼Ò²Õ©|¥¼³Q½]¬d¹L¡M©Ò¥H¤£
À³¸Ó¥Î©ó¦w¥þ³]³Æ¤W(¥¦©Î³\·|§â¨Æ±¡·d¯{¡M¦]¬°¥¦¥»¨©Î³\¦³¯ä¦äªº)¡C
¥¦¨Ã¨S´£¨Ñ¿ï¶µ³]©w¡C
The State Match
³Ì¦³¥Îªº¤ñ¹ï§PÂ_¼Ð·Ç¥Ñ `state' ©µ¦ù©Ò´£¨Ñ¡M¥H¸àÄÀ `ip_conntrack' ¼Ò²Õªº
³s½u°lÂܤÀªR¡C³o¬O«D±`ȱo¹ªÀy¨Ï¥Îªº¡C
«ü©w `-m state' «h¤¹³\¥t¤@ÓÃB¥~ªº `--state' ¿ï¶µ¡M¥i¥H¬°¤@Ó¨§ÂI¤À¹jªº
¤ñ¹ï³¯z¦Cªí( `!' ºX¼Ð«ü¥Ü ¤£(not) ²Å¦X¨º¨Ç³¯z)¡C³o¨Ç³¯z¬O¡R
NEW
¤@ӫإ߷s³s½uªº«Ê¥]¡C
ESTABLISHED
¤@ÓÄÝ©ó²{¦³³s½u(¦p¡R¤w¸g¦^À³«Ê¥]¤F)¤§«Ê¥]¡C
RELATED
¤@Ó»P²{¦³³s½u¬ÛÃö¡M¦ý«o¨Ã¤£©ó¨ä¤¤³¡¥÷ªº«Ê¥]¡M½Ñ¦p ICMP ¿ù»~¡M
©Î¬O«Ø¥ß FTP ¼Æ¾Ú³s½uªº«Ê¥](FTP ¼Ò²Õ¤w´¡¤J)¡C
INVALID
¤@Ó¦]¬Y¨Çì¦]¤£¯à³Qų§Oªº«Ê¥]¡R³o¥]¬A°O¾ÐÅ餣¨¬©M¤£¯à¦^À³¥ô¦ó¤w
ª¾³s½uªº ICMP ¿ù»~¡C³q±`¡M³o¼Ëªº«Ê¥]³£·|³Q¥á±ó±¼¡C
7.4 ¥Ø¼Ð(Target)³W®æ
²{¦b¡M§Ú̪¾¹D¥i¥H¹ï«Ê¥]°µ¤°»ò¼ËªºÀˬd¤F¡M§ÚÌÁÙ»Ýn¤@Ó¤èªk¨Ó»¡¥X¹ï¤@
ӲŦX§ÚÌ´ú¸Õªº«Ê¥]n°µ¤°»ò¼Ë°Ê§@¡C³o´N¬O©Ò¿×ªº¤@±ø³W«h¤§¥Ø¼Ð(target)
°Õ¡C
¦³¨âÓ«D±`¬ÛÃþªº¤º«Ø¥Ø¼Ð¡RDROP ©M ACCEPT¡M§Ṳ́w¸g±µÄ²¹L¤F¡C¦pªG¤@±ø³W
«h²Å¦X¤@Ó«Ê¥]¡M¦P®É¥Ø¼Ð¬O¨ä¤¤¤§¤@¡M¨º»ò´N¦A¨S¦³³W«h»Ýn«t¸ß¡R«Ê¥]ªº©R
¹B¤w¸g©w¤U¨Ó¤F¡C
°£¤F¤º«Ø¥~¡M¤]¦³¨âºØÃþ«¬ªº¥Ø¼Ð¡R©µ¦ù©M¥Î¤á¦Û©wÃì¡C
¥Î¤á¦Û©wÃì
iptables ©Óŧ¤F ipchains ¤@Ó«D±`¼F®`ªº¥\¯à¡M´N¬OÅý¨Ï¥ÎªÌ¥i¥H³Ð«Ø¥X·sÃì
¡Mªþ¥[©ó¤TÓ¤º«ØÃì(INPUT¡NFORWARD¡N©M OUTPUT)¤§¥~¡C«öºD¨Ò¡M¥Î¤á¦Û©wÃì¥Î
¤p¼g¥H¥Ü°Ï§O(«Ý·|§ÚÌ·|¦b«á±ªº [10]¦b¾ãÃì¤W¹B§@(Operations on an
Entire Chain) ¨º¸Ì¸ÑÄÀ¦p¦ó¥h«Ø¥ß·sªº¥Î¤á¦Û©w³s)
·í¤@Ó«Ê¥]²Å¦X¤@±ø¥Ø¼Ð¬°¥Î¤á¦Û©wÃ줧³W«h®É¡M«Ê¥]´N·|¶}©l¬ï¶V¥Î¤á¦Û©wÃì
¤¤ªº³W«h¡C°²¦p¸ÓÃ쥼¯à¨M©w¥X«Ê¥]ªº©R¹B¡M«h¤@¥¹µ²§ô¬ï¶V¸ÓÃì«á¡M´N·|±µµÛ
·í«eÃ줤ªº¤U¤@Ó³W«hÄ~Äò¬ï¶V¤U¥h¡C
Ä~Äòª±ª± ASCII ÃÀ³N¦n¤F¡C°²³]¦³³o»ò¨â±ø(©Ç)Ãì¡RINPUT (¤º«ØÃì)¡M ©M
test (¥Î¤á¦Û©wÃì)¡C
`INPUT' `test'
---------------------------- ----------------------------
| Rule1: -p ICMP -j DROP | | Rule1: -s 192.168.1.1 |
|--------------------------| |--------------------------|
| Rule2: -p TCP -j test | | Rule2: -d 192.168.1.1 |
|--------------------------| ----------------------------
| Rule3: -p UDP -j DROP |
----------------------------
°²³]¤@Ó¨Ó¦Û192.168.1.1 ªº TCP «Ê¥]¡Mn¨ì 1.2.3.4 ¨º¸Ì¥h¡C¥¦¶i¤JINPUT
Ãì¡M¨Ã¨ü¨ì Rule1 ªº´ú¸Õ - ¦ý¤£²Å¦X¡C¦ý¬O²Å¦X Rule2 ¡M¥B¥¦ªº¥Ø¼Ð¬O test
¡M©Ò¥H¤U¤@ÓnÀËÅ窺³W«h±N±q test ¶}©l¡C¦b test ¤¤ªº Rule1 ²Å¦X¡M¦ý¨Ã¨S
¦³«ü©w¥Ø¼Ð¡M©Ò¥H¦AÀËÅç¤U¤@±ø³W«h¡M¤]´N¬O Rule2 ¡C¤£¹L¥¦¨Ã¤£²Å¦X¡M©Ò¥H§Ú
̤w¸g©è¹F³o±øÃ쪺¥½ºÝ¤F¡CµM«á§Ú̦^¨ì INPUT Ã줤¡M¤]´N¬O§ÚÌè¤~ÀËÅç
Rule2 ¨º¸Ì¡M©Ò¥H§Ú̲{¦b´NnÀˬd Rule3¡M¨ÌµM¤£²Å¦X¡C
³o¼Ë¡M¸Ó«Ê¥]ªº¸ô®|¬O³o¼Ë¤lªº¡R
v __________________________
`INPUT' | / `test' v
------------------------|--/ -----------------------|----
| Rule1 | /| | Rule1 | |
|-----------------------|/-| |----------------------|---|
| Rule2 / | | Rule2 | |
|--------------------------| -----------------------v----
| Rule3 /--+___________________________/
------------------------|---
v
¥Î¤á¦Û©wÃì¤]¥i¥H¦A¸õ¨ì¥t¤@ӥΤá¦Û©wÃì¥h(¦ý¤£n°µ¦¨°j°é¡R±zªº«Ê¥]¦pªG³Q
µo²{³B©ó°j°é¤¤´N·|³Q¥á±ó)¡C
iptables ¤§©µ¦ù¡R·s¥Ø¼Ð
¥t¤@Ãþ«¬ªº¥Ø¼Ð¬O¤@Ó©µ¦ù¡C¤@ӥؼЪº©µ¦ù¥Ñ®Ö¤ß¼Ò²Õ©M¥i¿ïªº iptables ©µ
¦ù²Õ¦¨¡M¥H´£¨Ñ·sªº©R¥O¦æ¿ï¶µ¡C¦b¹w³]ªº netfilter ´²¼½ª©¥»¤¤¦³¦n´XÓ©µ¦ù
¡R
LOG
¦¹¼Ò²Õ´£¨Ñ®Ö¤ß°O¿ý²Å¦Xªº«Ê¥]¡C¥¦´£¨Ñ³o¨ÇÃB¥~¿ï¶µ¡R
--log-level
«á±µ¤@Ó¼h¦¸(level)¸¹½X©Î¦WºÙ¡C¦Xªkªº¦WºÙ¦³(¤j¤p¼g¦³§O)
¡R`debug'¡N`info'¡N`notice'¡N`warning'¡N`err'¡N`crit'
¡N`alert'¡N¥H¤Î `emerg'¡M¬Û¹ïªº¸¹½X¥Ñ 7 ¨ì 0 ¡C¦U¼h¦¸¸¹½X
ªº¸ÑÄÀ½Ð°Ñ¦Ò syslog.conf ªº man page¡C
--log-prefix
«á±µ¤@ӳ̦h 30 Ó¦r¥Àªº¦r¦ê¡C¦¹¤@«H®§¥Ñ°O¿ý«H®§¶}©l®É°e¥X
¡M¥O¨ä¥i¥HÓ§Oªº³Qų§O¥X¨Ó¡C
¦¹¼Ò²Õ±`¥Î©ó¤@Ó¨î¥Ø¼Ð«á¡M©Ò¥H¡M±z¤£nÄéÃz±zªº°O¿ýÀÉ®@¡C
REJECT
¦¹¼Ò²Õ°£¤F¦Vµo°eºÝ°e¥X¤@Ó `port unreachable' ³o¼Ëªº ICMP ¿ù»~¥~
¡M©M `DROP' ¬O¤@¼Ëªº¡Cµù¡R¦b¤U¦C±ø¥ó¤¤¡MICMP ¿ù»~«H®§±N¤£·|°e
¥X(½Ð°Ñ¦Ò RFC 1122)¡R
+ ³Q¹LÂoªº«Ê¥]¤@¶}©l´N¬O¤@Ó ICMP ¿ù»~«H®§¡M©Î¬O¨ä¥¦¤£©úªº ICMP
Ãþ«¬¡C
+ ³Q¹LÂoªº«Ê¥]¬°¤@ÓµLÀY (non-head) ¸H¤ù¡C
+ §Ú̥ثe¤w¸g°e¥X¤Ó¦h¦Ü¸Ó¥Øªº¦aªº ICMP ¿ù»~«H®§¤F¡C
REJECT ¥t¥~ÁÙ±µ¨ü¤@Ó `--reject-with' ¿ï¶µ¨Ó§ó§ï¨ä¦^À³«Ê¥]¡R½Ð°Ñ
¦Ò»¡©ú¤å¥ó¡C
¯S®íªº¤º«Ø¥Ø¼Ð
¦³¨âºØ¯S®íªº¤º«Ø¥Ø¼Ð¡RRETURN ©M QUEUE¡C
RETURN ©M±¼¨ì¤@ÓÃ쪺¥½ºÝ¦³¬Û¦Pªº®ÄªG¡R¹ï¤@±ø¤º«ØÃ쪺³W«h¦Ó¨¥¡M«h±Ò¥Î¸Ó
Ã쪺ì«h¡C¹ï¤@±ø¥Î¤á¦Û©w³W«h¦Ó¨¥¡M«h·|¦^¨ì«e¤@ÓÃ줤Ä~Äò¬ï¶V¡M´N±µ¦b¸õ
¨ì³oÓÃ쪺¨º±ø³W«h¤§«á¡C
QUEUE ¤]¬O¤@Ó¯S®í¥Ø¼Ð¡M¥i¥H´À¨Ï¥ÎªÌªÅ¶¡(userspace)¦æµ{Àx¦C«Ê¥]¡Cn¹B¥Î
¥¦¡M¨âÓ¥\¯à²Õ¥ó¬O¥²»Ýªº¡R
* ¨ä¤@¬° "queue handler"¡M³B²z¨Ï¥ÎªÌªÅ¶¡»P®Ö¤ß¤§¶¡¶Ç°e«Ê¥]ªº¹ê½è¾÷¨î
¡Q
* ¥t¤@Ó¬°¤@¨Ï¥ÎªÌªÅ¶¡ªºÀ³¥Îµ{¦¡¡M¥h±µ¦¬¡M©Î»¡¾Þ±±¡M¥H¤Î¹ï«Ê¥]°µ¥Xµô
¨M¡C
IPv4 iptables ªº¼Ð·Ç queue handler ¬° ip_queue ¼Ò²Õ¡M¥¦¥Ø«e¬O¥H¹êÅç©Ê½è
»P®Ö¤ß¤@°_µo§Gªº¡C
¦p¤U¬O¤@Ó¦p¦ó¥Î iptables ¬°¨Ï¥ÎªÌªÅ¶¡¦æµ{¶i¦æÀx¦C«Ê¥]ªºÂ²³æ¨Ò¤l¡R
# modprobe iptable_filter
# modprobe ip_queue
# iptables -A OUTPUT -p icmp -j QUEUE
¥Î¦¹³W«h¡M¥»¾÷²£¥Íªº¹ï¥~ ICMP «Ê¥](¦p¥Î ping «Ø¥ß) ´N·|³Q°e¦Ü ip_queue
¼Ò²Õ¥h¡MµM«á¹Á¸Õ±N«Ê¥]¶Çµ¹¨Ï¥ÎªÌªÅ¶¡À³¥Îµ{¦¡¡C¦pªG¨S¦³¨Ï¥ÎªÌªÅ¶¡À³¥Îµ{
¦¡¦bµ¥«Ýªº¸Ü¡M¸Ó«Ê¥]´N·|³Q¥á±ó¡C
n¼g¤@ӨϥΪ̪Ŷ¡À³¥Îµ{¦¡¡M»Ý¨Ï¥Î libipq API ¡C¥¦¤]¬O©M iptables ¤@°_
µo§Gªº¡Cµ{¦¡½X½d¨Ò¥i¥H¦b CVS ¤¤ªº testsuite ¤u¨ã(¦p redirect.c) §ä¨ì¡C
ip_queue ªºª¬ºA¥i¥H¥Î¦p¤U¤èªk¨ÓÀˬd¡R
/proc/net/ip_queue
Àx¦Cªº³Ì¤jªø«×(¦p¶Ç»¼µ¹¨Ï¥ÎªÌªÅ¶¡¥BµL»Ý°e¦^µô¨M«Ê¥]¤§¼Æ¶q)¥i¥H³q¹L³o¼Ë
ªº¤è¦¡¨Ó±±¨î¡R
/proc/sys/net/ipv4/ip_queue_maxlen
³Ì¤jÀx¦Cªø«×ªº¹w³]Ȭ° 1024¡C¤@¥¹¹F¨ì¦¹¨î¡M·sªº«Ê¥]´N·|³Q¥á±ó¡Mª½¨ìÀx
¦Cªø«×¶^¦^§C©ó¨î¤§¼Æ¬°¤î¡C¦nªº¨ó©w¡M¦p TCP¡M·|±N¥á±óªº«Ê¥]¸ÑÄÀ¬°¾Ö
À½(congestion)¡M¦P®É²z·Q¦a¡M·íÀx¦C¶ñ°_¨Ó«á·|±N¤§¾×¦^¥h¡CµM¦Ó¡M¦pªG¹w³]
Ȧb©ÒÁ|±¡§Î¤Uı±o¤Ó¤pªº¸Ü¡M©Î³\»Ýn¤@¨Ç¹êÅç¨Ó¨M©w¨ä²z·Qªº³Ì°ªÀx¦Cªø«×
¡C
7.5 ¦b¾ãÃì¤W¹B§@
iptables ªº¤@Ó«D±`¦³¥Îªº¥\¯à¬O¡M¥¦¯à°÷²Õ¦X(group)¬ÛÃöªº³W«h©óÃ줤¡C¥u
n±z³ßÅw¡M±z¥i¥HÀH«K¬°Ãì°_¤@Ó¦W¦r¡M¦ý§Ú«Øij±z¨Ï¥Î¤p¼g¦r¥À¥HÁקK©M¤º«Ø
Ãì¤Î¥Ø¼Ð·d²V¤F¡CÃì¦W³Ìªø¥i¥H¥h¨ì 31 Ó¦r¥À¡C
«Ø¥ß¤@Ó·sÃì
²{¦b´NÅý§Ṳ́@°_«Ø¤@Ó·sÃì§a¡C¦]¬°§Ú¹ê¦b¬O¤@Ó·R¤Û·Qªº³Ã¥ë¡M©Ò¥H§ÚºÙ¤§
¬°test («¢¡M¦³ÂI¿Ø¨ë)¡C³o¸Ì¡M§Ú̥Π`-N' ©Î `--new-chain' ¿ï¶µ¡R
# iptables -N test
#
´N¬O³o»ò²³æ¡C¦n¤F¡M²{¦b±z¥i¥H±N¤@¨Ç³W«h¥[¤J¨ä¤¤¡M¤@¦p«e±»¡ªº¨º¼Ë¡C
§R°£¤@±øÃì
n§R°£¤@±øÃì¤]¬O¤@¼Ë²³æ¡M¥Î `-X' ©Î `--delete-chain' §Y¥i¡C¬°¤°»ò¥Î
`-X' ©O¡S¶â¡M ¦n¥Îªº¦r¥À³£¤@¦µ¹¥Î¥ú¤F°Õ¡C
# iptables -X test
#
n§R°£¤@±øÃ쪺¸Ü¡M·|¦³¦n¨Ç¨î¡R¥¦Ì¥²»Ý¬OªÅªº (½Ð°Ñ¦Ò«á±ªº [11]²MªÅ¤@
±øÃì(Flushing a Chain) ) ¡M¦P®É¥¦Ì¥²»Ý¤£¯à§@¬°¥ô¦ó³W«hªº¥Ø¼Ð¡C¥ô¦ó¤T±ø
¤º«ØÃì±z³£¤£¯à§R°£´N¬O¤F¡C
°²¦p±z¤£«ü©w¤@±øÃì¡M¨º»ò¦pªG¥i¯àªº¸Ü¡M ¥þ³¡ ¥Î¤á¦Û©wÂIÃì³£·|³Q§R°£¡C
²MªÅ¤@±øÃì
¦³¤@Ó²³æªº¤èªk¥i¥H²MªÅ¤@±øÃ줤ªº©Ò¦³³W«h¡M´N¬O¨Ï¥Î `-F' (©Î
`--flush') ©R¥O¡C
# iptables -F forward
#
¦pªG±z¤£«ü©w¬Oþ¤@±øÃì¡M¨º»ò ¥þ³¡ Ãì³£·|³Q²MªÅ¡C
¦C¥Ü¤@±øÃì
±z¥i¥H¨Ï¥Î `-L' (©Î `--list') ©R¥O¦C¥Ü¤@±øÃ줤ªº©Ò¦³³W«h¡C
¨C¤@ӥΤá¦Û©wÃì©Ò¦Cªº `refcnt' ¡M¬O»¡¦³¦h¤Ö¼Æ¥Øªº³W«h¬O¥H¸ÓÃ쬰¥Ø¼Ðªº
¡C¦b¸ÓÃì³Q§R°£¤§«e¡M³o¼Æ¥Ø¥²»Ý¬°¹s(¦P®ÉÃì¬OªÅªº)¡C
¦pªG¨S´£¨ÑÃì¦WºÙªº¸Ü¡M©Ò¦³Ãì³£·|³Q¦C¥Ü¥X¨Ó¡M´NºâªÅÃì¤]¤@¼Ë¡C
¦³¤Tӿﶵ¥i¥H¦ñÀH `-L' ¤@°_¨Ï¥Îªº¡Cº¥ý¬O `-n' (numeric) ¿ï¶µ¡M¥¦«Ü¦³
¥Î¡M¦]¬°¥¦¥i¥HÁקK iptables ¥h¹Á¸Õ¬d§ä IP ¦a§}¡M°²¦p±zªº DNS ¨S¦³³]©w¥¿
½Tªº¸Ü¡M©Î¬O±z¤w¸g¹LÂo±¼ DNS ½Ð¨D¤F¡M³o©Î³\·|³y¦¨ÄY«ªº©µ¿ð(°²³]±z©M¤j
¦h¼Æ¤H¤@¼Ë³£¬O¨Ï¥Î DNS )¡C¥¦¦P®É¤]·|±N TCP »P UDP °ð¤fÅã¥Ü¬°¼Æ¦r¦Ó«D¦W
ºÙ¡C
²Ä¤GÓ¬O `-v' ¿ï¶µ¡M¥¦·|Åã¥Ü¥X±z¥þ³¡³W«hªº²Ó¸`¡M½Ñ¦p«Ê¥]ªº byte ¬y¶q²Î
p¡NTOS ¤ñ¸û¡N¥H¤Î¬É±µ¥¡C§_«h³o¨Ç¼ÆȬO³Q²¤±¼ªº¡C
µù¡R«Ê¥]ªº byte ¬y¶q²Îp¥i¥H¤À§O¨Ï¥Î `K', `M' ©Î `G' ³o¨Ç¦r§À¡M¤À§O¥Nªí
1000¡N1,000,000¡N¥H¤Î1,000,000,000¡M¨ÓÅã¥Ü¡C¨Ï¥Î `-x' (expand numbers)
ºX¼Ð¦P¼Ë¤]¥i¥HÅã¥Ü¥X§¹¾ãªº¼Æ¦r¡M®Ú¥»¤£²z·|¥¦Ì¦³¦hªø¡C
«³](Âk¹s)¬y¶q°O¼Æ¾¹(counter)
¯à°÷«³]¬y¶q°O¼Æ¾¹·íµM¬O¦³¥Îªº¡C±z¥i¥H¥Î `-Z' (©Î `--zero') ¿ï¶µ¨Ó°µ¡C
°ß¤@³Â·Ð¬O¡M¦³®ÉÔ¦b¶i¦æ«³]¤§«e¡M±z¥²»Ý¥ß§Y°O¦í¬y¶q²ÎpÈ¡C¦b«e±ªº¨Ò
¤l¤¤¡M·í±z¤U `-L' µM«á `-Z' ©R¥O¡M¬Y¨Ç«Ê¥]¥i¯à·|¦b³o´Á¶¡³q¹L¡C¦]¦¹¡M±z
¥i¥H§â `-L' ©M `-Z' ¤@°_ ¨Ï¥Î¡M¦bŪ¨úªº¦P®É¶i¦æ°O¼Æ¾¹«³]¡C
³]©wì«h(policy)
§Ú̦b«e±±´°Q«Ê¥]¦p¦ó³q¹L¤@ÓÃ쪺®ÉÔ¡M¤w¸àÄÀ¹L·í«Ê¥]©è¹F¤º«ØÃ쥽ºÝ®É
±N·|µo¥Í¤°»ò¨Æ±¡¡C¦¹®É¡M´N¥Ñ¸ÓÃ쪺ì«h¨Ó¨M©w«Ê¥]ªº©R¹B¡C¥u¦³¤º«Ø
Ãì(INPUT¡NOUTPUT¡N¥H¤Î FORWARD) ¤~¦³ì«h³]©w¡M¦]¬°¡M¦pªG¤@Ó«Ê¥]±¼¦Ü¤@
ӥΤá¦Û©wÃ쪺®ÉÔ¡M«h·|¦^¨ì¤W¤@ÓÃ줤Ä~Äò¬ï¶V¡C
ì«h¥i¥H¬° ACCEPT ©Î DROP¡C
8. ¨Ï¥Î ipchains »P ipfwadm
¦b netfilter ®M¥ó¤¤¡M¦³¨âÓ¼Ò²Õ¤À§O¥s°µ ipchains.o ©M ipfwadm.o¡C±z¥un
±N¨ä¤¤¤@Ó´¡¤J¶i®Ö¤ß¸Ì±( µù¡R¥¦Ì©M iptables.o¡Nip_conntrack.o ¤Î
ip_nat.o ¬O¤£Ý®eªº¡T)¡CµM«á±z´N¥i¥H¦p©¹±`¤@¯ë¨Ï¥Î ipchains ©Î ipfwadm
¤F¡C
³o¦b¤@©w®É´Á¤º³o¤´·|³Q¤ä«ùªº¡C§Ú»{¬°¦X²zªºpºâ¤½¦¡¬O¡R2 * [ ´À¥N²£«~µo
§G - ªì©léwµo¦æ ] ¡M¦A¥[¤W´À¥N²£«~¥i¥H¯u¥¿Ã©wµo¦æªº¤é¤l¡C
´«¦Ó¨¥¤§¡M¹ï ipfwadm ªº³Ì«á¤ä«ù±N·|©µ¦Ü¡R
2 * [October 1997 (2.1.102 release) - March 1995 (ipfwadm 1.0)]
+ January 1999 (2.2.0 release)
= November 2003.
¦Ó¹ï ipchains ªº³Ì«á¤ä«ù«h¬°¡R
2 * [August 1999 (2.3.15 release) - October 1997 (2.2.0 release)]
+ July 2000 (2.4.0 release?)
= March 2004.
©Ò¥H¡M¦b 2004 ¦~¤§«e³£¥i¥H°ªªEµLïÊ°Õ¡C
9. ¾ã¦X NAT »P Packet Filtering
n°µ Network Address Translation (½Ð°Ñ¾\ NAT HOWTO) ¥H¤Î«Ê¥]¹LÂo¡M¤w¬O
«Ü¥±`¤§¨Æ¤F¡C¦n®ø®§¬O¡M±N¥¦Ì²V¦X°_¨Ó¨Ï¥Î¹ê¬O§¹¥þ¨S°ÝÃDªº¡C
·í§A³]p«Ê¥]¹LÂoªº®ÉÔ¡M¥i¥H§¹¥þ¤£¥Î²z·|±zn°µ«ç¼Ëªº NAT ¡C©ó«Ê¥]¹LÂo¤¤
¬Ý¨ìªº¨Ó·½»P¥Øªº¦a¡M¥u·|¬O `¯u¥¿ªº' ¨Ó·½©M¥Øªº¦a¡CÁ|¨Ò¨Ó»¡¡M¦pªG±z°µ
NAT ¡Mn±N©Ò¦³³s¨ì 1.2.3.4 port 80 ªº³s½u°e¨ì 10.1.1.1 port 8080 ¥h¡M³o
¼Ë«Ê¥]¹LÂo·|¬Ý¨º¨Ç°e¨ì 10.1.1.1 port 8080 (¯u¥¿ªº¥Øªº¦a)¡M¦Ó¤£¬O
1.2.3.4 port 80¡CÃþ¦üªº¡M±z¤]¥i¥H©¿²¤«Ê¥]°°¸Ë¡R«Ê¥]·|¬Ý°_¨Ó¬O¨Ó¦Û¯u¥¿ªº
¤º³¡ IP ¦a§}(¤ñ¤è 10.1.1.1)¡M¦^À³¤]¬Ý°_¨Ó°e¦^¨º¸Ì¡C
±z¥i¥H¹B¥Î `state' ¤ñ¹ï©µ¦ù(match extension)¦ÓµL»ÝÅý«Ê¥]¹LÂo°µÃB¥~ªº¤u
§@¡M¦]¬°µL½×¦p¦ó¡M NAT ³£·|n¨D³s½u°lÂÜ¡C¬°¤F¼W±j¦b NAT HOWTO ¸Ì±¨ºÓ
²³æªº«Ê¥]°°¸Ë¨Ò¤l¡M¥h¾×±¼¨Ó¦Û ppp0 ¬É±ªº¥ô¦ó·s³s±µ¡M±z¥i¥H³o¼Ë°µ¡R
# Masquerade out ppp0
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
# Disallow NEW and INVALID incoming or forwarded packets from ppp0.
iptables -A INPUT -i ppp0 -m state --state NEW,INVALID -j DROP
iptables -A FORWARD -i ppp0 0 -m state --state NEW,INVALID -j DROP
# Turn on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
10. iptables »P ipchains ªº®t²§
* º¥ý¡M¤º«ØÃì¦WºÙ±q¤p¼gÁÙ´«¦¨¤j¼g¡M¦]¬° INPUT »P OUTPUT Ãì¥Ø«e¥u·|§ì
¥Ø¼Ð¬°¥»¾÷¥H¤Î±q¥»¾÷²£¥Íªº«Ê¥]¡C¥¦Ì¤À§O¥Î¨Ó¬d¬Ý¶Ç¤J»P¶Ç¥Xªº«Ê¥]¡C
* ²{¦b¦³¤@Ó `-i' ºX¼Ð¨Ó¥Nªí¶Ç¤J¬É±¡M¨Ã¥B¥u¤u§@©ó INPUT ©M FORWARD
Ã줤¡C¦b FORWARD »P OUTPUT Ã줤´Nn±N `-i' §ï¦¨ `-o' ¤F¡C
* TCP »P UDP °ð¤f²{¦b³£n¥Î --source-port ©Î --sport ¿ï¶µ¨Ó«÷¼g¥X¨Ó(
©Î¬O±¼¹L¨Ó¼g --destination-port ©Î --dport)¡M¦P®É¡M¥²»Ý¸m©ó `-p
tcp' ©Î `-p udp' ¿ï¶µ¤§«á¡M¦]¬° TCP ©Î UDP ©µ¦ù¬O¤À¶}¸ü¤Jªº¡C
* ¥H«e TCP ¨ºÓ -y ²{¦bÅܦ¨ --syn¡M¨Ã¥B¥²»Ý¸m©ó `-p tcp' ¤§«á¡C
* ì¨Óªº DENY ¥Ø¼Ð²{¦b²×©óÅܦ¨ DROP ¤F¡C
* ¦b¦C¥Ü¨ä¤u§@ªº¦P®É¥i¥H±N¸ÓÃìÂk¹s(zeroing)¡C
* Âk¹s¤º«ØÃì¤]¥i¥H²M±¼ì«h°O¼Æ¾¹(policy counters)¡C
* ¦C¥ÜÃì¥i¥HÅý±z§â°O¼Æ¾¹Åܦ¨·L¤p§Ö·Ó(atomic snapshot)¡C
* REJECT »P LOG ²{¦bÅܦ¨©µ¦ù¥Ø¼Ð¤F¡M·N¨ýµÛ¥¦Ì¤w¸g©M®Ö¤ß¼Ò²Õ¤À¶}¡C
* Ãì¦WºÙ³Ìªø¥i¹F 31 Ó¦r¥À¡C
* MASQ ²{¦bÅܦ¨ MASQUERADE¡M ¦Ó¥B¨Ï¥Î¤£¦Pªº»yªk¡CREDIRECT ¦b«O¯d¬Û¦P
¦WºÙªº¦P®É¡M¤]¸g¾ú¤F»yªkªºÅܾE¡C¦Ü©ó¦p¦ó³]©w¥¦Ìªº¸Ô²Ó¸ê®Æ¡M½Ð°Ñ¾\
NAT-HOWTO¡C
* ¦Ó -o ¿ï¶µ«h¤£¦A¥Î¨Ó±N«Ê¥]¶Ç»¼µ¹¨Ï¥ÎªÌªÅ¶¡³]³Æ¤F(°Ñ¦Ò«e±ªº -i )¡C
²{¦b«h¥Î QUEUE ¥Ø¼Ð±N«Ê¥]°eµ¹¨Ï¥ÎªÌªÅ¶¡¡C
* ®@¡M§Ú¥i¯à¤w°O¤£±o¨º»ò¦h¤F¡C
11. Ãö©ó³]p«Ê¥]¹LÂoªº«Øij
¦b¹q¸£¦w¥þ¾Ô³õ¤W³Ì©ú´¼¤§Á|²ö¹L©ó¥ý¾×±¼¤@¤Á¡MµM«á¶}©ñ¥²»Ýªº¡C¦³¤@¥y¦Ü²z
¦W¨¥¬O¡R`«D½Ð¤Å¶i'¡C§Ú«Øij±z¨c°O©ó¤ß¡M°²¦p±z³Ìª`«¦w¥þªº¸Ü¡C
¤£n¶]¨º¨Ç±z¥Î¤£¨ìªºªA°È¡M¤£ºÞ±z¬O§_¥H¬°¤w¸g±N¤§¾×¤U¨Ó¤F¡C
¦pªG±zn«Ø¥ß¤@Ó«ü©w¦¡¨¾¤õÀð(dedicated firewall)¡M¶}©l¤£n¶]¥ô¦óªF¦è¡M
¦P®É¾×±¼©Ò¦³«Ê¥]¡MµM«á¼W¥[ªA°È¥H¤ÎÅý©Ò»Ýªº«Ê¥]³q¹L¡C
§Ú¯S§O±j½Õ¦w¥þ©Ê¡Rµ²¦X tcp-wrappers(¹ï©ó«Ê¥]¹LÂo¥»¨ªº³s±µ)¡NªA°È¥N²z(
¹ï©ó³q¹L«Ê¥]¹LÂoªº³s±µ)¡N¸ô¥ÑÅçÃÒ¡N¥H¤Î«Ê¥]¹LÂoµ¥¤â¬q¡C¸ô¥ÑÅçÃÒ¬O«ü¡M¨º
¨Ç¨Ó¦Û¥¼¹w´Á¬É±ªº«Ê¥]´N·|³Q¥á±ó¡RÁ|¨Ò»¡¡M¦pªG±zªº¤º³¡ºô¸ô¦³¤@¬q
10.1.1.0/24 ªº¦a§}¡M¦P®É¦³¤@Ó¨Ó¦Û¸Ó¦a§}ªº«Ê¥]«o±q¥~³¡¬É±¶i¤J¡M¨º¥¦´N
·|³Q¥á±ó±¼¡C¥¦¥i¥H¬°¤@Ӭɱ(¦p ppp0) ³]°_¨Ó¡M¦p¡R
# echo 1 > /proc/sys/net/ipv4/conf/ppp0/rp_filter
#
©Î¬O¥þ³¡²{¦³¤Î±N¦³ªº¬É±¡M¦p¡R
# for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
# echo 1 > $f
# done
#
Debian ¦b¥i¯à¤§¤U¹w³]´N·|¦p¦¹¤F¡C¦pªG±z¦³¤£¹ïºÙ¸ô¥Ñ(¨Ò¦p¡M±z¹w´Á«Ê¥]·|
±q¨ä¥¦¤è¦V¶i¤J)¡M±zÀ³¸Ó¦b¨º¨Ç¬É±¤WÃö³¬¦¹¤@¹LÂo¡C
³]©w¨¾¤õÀ𪺮ÉÔ¡M°²¦p¦³¬Y¨ÇªF¦è¤£¤u§@ªº¸Ü¡M°O¿ý¥\¯à´NÅã±o«Ü¦³¥Î¤F¡Q¦ý
¦b¤@Ó¹ê»Ú¹B§@ªº¨¾¤õÀð¤W¡M¥ô¦ó®ÉÔ³£n±N¥¦µ²¦X `limit' ¤ñ¹ï¨Ó¤@°_¨Ï¥Î¡M
¥HÁקK¦³¤HÄéÃz±zªº°O¿ýÀÉ¡C
§Ú±j¯P«Øij¹ï¦w¥þ¨t²Î°µ³s½u°lÂÜ¡R¥¦ÁöµM·|¤ÞP¤@¨Çt¾á(¦]¬°©Ò¦³³s½u³£n°l
ÂÜ)¡M¦ý¹ï©ó¶Qºô¸ôªº³s±µ±±¨î«o«Ü¦³¥Î¡C¦pªG±zªº®Ö¤ß¤£·|¦Û°Ê¸ü¤J¼Ò²Õªº¸Ü¡M
±z©Î³\»Ýn¸ü¤J`ip_conntrack.o' ¼Ò²Õ¡C°²¦p±znºë½T°lÂܽÆÂøªº¨ó©w¡M±zÁÙ»Ý
n¸ü¤J¦X¾Aªº helper ¼Ò²Õ(¦p¡M`ip_conntrack_ftp.o' )¡C
# iptables -N no-conns-from-ppp0
# iptables -A no-conns-from-ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A no-conns-from-ppp0 -m state --state NEW -i ! ppp0 -j ACCEPT
# iptables -A no-conns-from-ppp0 -i ppp0 -m limit -j LOG --log-prefix "Bad pack
et from ppp0:"
# iptables -A no-conns-from-ppp0 -i ! ppp0 -m limit -j LOG --log-prefix "Bad pa
cket not from ppp0:"
# iptables -A no-conns-from-ppp0 -j DROP
# iptables -A INPUT -j no-conns-from-ppp0
# iptables -A FORWARD -j no-conns-from-ppp0
«Ø¸m¤@Ó¨}¦nªº¨¾¤õÀð¤w¸g¶W¥X³oÓ HOWTO ªº½d³ò¤F¡M¦ý§Úªº«Øij¬O¡R `¤@¤Á±q
ÄY(always be minimalist)'¡C¹ï©ó¦b±z¾÷¾¹¤W¶i¦æ´ú¸Õ»P±´¯Áªº§ó¦h¸ê®Æ¡M´Nn
°Ñ¦Ò Security HOWTO ¤F¡C
References
1. http://netfilter.filewatcher.org/
2. http://www.samba.org/netfilter
3. http://netfilter.kernelnotes.org/
4. http://lists.samba.org/
5. file://localhost/tmp/zh-sgmltools.7467/Packet-Filtering-HOWTO.txt.html#permanent
6. file://localhost/tmp/zh-sgmltools.7467/Packet-Filtering-HOWTO.txt.html#oldstyle
7. file://localhost/tmp/zh-sgmltools.7467/Packet-Filtering-HOWTO.txt.html#filter-linux
8. http://www.watchguard.com/
9. file://localhost/tmp/zh-sgmltools.7467/Packet-Filtering-HOWTO.txt.html#Appendix-A
10. file://localhost/tmp/zh-sgmltools.7467/Packet-Filtering-HOWTO.txt.html#chain-ops
11. file://localhost/tmp/zh-sgmltools.7467/Packet-Filtering-HOWTO.txt.html#flushing
distrib
>
Mandriva
>
2010.0
>
i586
>
media
>
contrib-release
>
by-pkgid
>
f8eb492b80dedd2f6cd33cf45dfc65b6
>
files
>
49
