Archive

Archive for the 'Linux Security Protection' category

Some examples of iptables port forwarding

November 9, 2016 (comments closed)

http://xmmok.blog.sohu.com/260275436.html
Local port forwarding

Forward 8081 to 3306:

iptables -t nat -A PREROUTING -p tcp --dport 8081 -j REDIRECT --to-ports 3306

Forwarding all ports

This rule is needed when setting up a PPTP VPN on a single NIC.
Forward all TCP traffic out through the external IP:

iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o eth0 -j MASQUERADE

Port forwarding through a jump host

On a single NIC, reach 192.168.1.101:3306 via 192.168.1.100:8081:

iptables -t nat -A PREROUTING -d 192.168.1.100 -p tcp --dport 8081 -j DNAT --to-destination 192.168.1.101:3306
iptables -t nat -A POSTROUTING -d 192.168.1.101 -p tcp --dport 3306 -j SNAT --to 192.168.1.100

A word on the difference between SNAT, DNAT and MASQUERADE

SNAT: source NAT, source network address translation.
When a packet leaves through the NIC, the source address in the packet is replaced with the specified IP.
The receiver therefore believes the packet came from the host that owns the substituted IP.
This translation is needed when the target machine talks back to the outside, e.g. when 192.168.1.101 above returns data to the external client.

DNAT: destination NAT, destination network address translation.
As the packet passes the NIC, the destination IP in the packet is rewritten.
In practice: you want to reach A, but because the gateway does DNAT and rewrites the destination IP of every packet addressed to A to B, you actually reach B.
Usually used to let external machines reach an internal server, e.g. the external client reaching 192.168.1.101:3306 above.

MASQUERADE
Replaces the source IP with the IP of the NIC the packet is sent from; it is an extension of SNAT.
Usually used where the IP is not fixed, such as dial-up links or DHCP-assigned addresses.

Category: Linux Security Protection  Tags:

Port forwarding between two machines with iptables

November 9, 2016 (comments closed)

http://blog.sina.com.cn/s/blog_702eef650101moqb.html

Two machines, 192.168.0.54 and 192.168.0.61; the end result is that on the given port, 54 acts as a proxy for 61.

When an IP packet arrives, rewrite its destination address so it is steered to the target machine's target port. On machine 54:

iptables -t nat -A PREROUTING -d 192.168.0.54 -p tcp --dport 9000 -j DNAT --to 192.168.0.61:9000

When the packet goes out, rewrite its source address (and source port) so that it conforms to IP and the reply can find its way back. Still on machine 54:

iptables -t nat -A POSTROUTING -d 192.168.0.61 -p tcp --dport 9000 -j SNAT --to 192.168.0.54:9000

Then enable IP forwarding in the operating system on 54:

echo '1' > /proc/sys/net/ipv4/ip_forward

Finally, have the firewall on 54 let both ports through:

iptables -A FORWARD -i eth0 -s 192.168.0.61 -p tcp --sport 9000 -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -o eth0 -d 192.168.0.54 -p tcp --dport 9000 -j ACCEPT

Save the iptables configuration and you are done.

service iptables save

************** Added 20140911 **************
When configuring this on a certain pair of machines, the POSTROUTING rule had no effect, or rather iptables did not seem "up to" this kind of forwarding: it succeeded once in ten tries, or once in a while, which was very odd, and nothing abnormal showed in the iptables logs. I then tried the configuration below, which so far succeeds 100% of the time: the first rule is unchanged, the second is done a different way:
#iptables -t nat -A PREROUTING -d 192.168.0.54 -p tcp --dport 9000 -j LOG --log-prefix "*** IN ***" --log-level 4
iptables -t nat -A PREROUTING -d 192.168.0.54 -p tcp --dport 9000 -j DNAT --to 192.168.0.61:9000
#iptables -t nat -A POSTROUTING -d 192.168.0.61 -p tcp --dport 9000 -j LOG --log-prefix "*** IN ***" --log-level 4
iptables -t nat -A POSTROUTING -d 192.168.0.61 -p tcp --dport 9000 -j MASQUERADE
************** End of 20140911 addition **************
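Added here as a worked example of this post's recipe and of the jump-host rules in the previous post (it is not the code of either post): a POSIX sh script that installs the DNAT, MASQUERADE and FORWARD rules without duplicating them on re-runs, and switches on ip_forward first. FRONT, BACKEND, PORT and IFACE are assumed variable names that default to this post's addresses.

```shell
#!/bin/sh
# Added example, not code from either post: the two-machine forwarding recipe
# (DNAT in PREROUTING, MASQUERADE in POSTROUTING, FORWARD rules, ip_forward)
# written so that running it twice never installs a rule twice.
# Assumed, overridable names: FRONT is the relay (192.168.0.54 in the post),
# BACKEND the real server (192.168.0.61), PORT 9000, IFACE eth0.
FRONT=${FRONT:-192.168.0.54}
BACKEND=${BACKEND:-192.168.0.61}
PORT=${PORT:-9000}
IFACE=${IFACE:-eth0}

# Emit one rule specification per line as "TABLE CHAIN <match/target args>".
# Keeping the spec apart from the -A/-C command lets the same text be used
# both to test for the rule (-C, iptables 1.4.11+) and to append it (-A).
forward_rule_specs() {
    # 1. Before routing: send traffic for FRONT:PORT on to BACKEND:PORT.
    echo "nat PREROUTING -d $FRONT -p tcp --dport $PORT -j DNAT --to-destination $BACKEND:$PORT"
    # 2. After routing: make the forwarded connection appear to come from FRONT
    #    so BACKEND replies to FRONT rather than straight to the client.
    #    MASQUERADE (the post's 20140911 fix) lets conntrack choose a free
    #    source port per connection; "SNAT --to $FRONT:$PORT" pins every
    #    connection to the single source port $PORT, so only one connection
    #    at a time can be mapped, which matches the intermittent failures
    #    the post describes.
    echo "nat POSTROUTING -d $BACKEND -p tcp --dport $PORT -j MASQUERADE"
    # 3. FORWARD is evaluated after the DNAT, so the destination to match is
    #    BACKEND, not FRONT: the post's second FORWARD rule (-d FRONT) never
    #    fires for this flow and only passed because the FORWARD policy was
    #    ACCEPT. NEW admits the client's SYN; ESTABLISHED the rest.
    echo "filter FORWARD -o $IFACE -d $BACKEND -p tcp --dport $PORT -m state --state NEW,ESTABLISHED -j ACCEPT"
    echo "filter FORWARD -i $IFACE -s $BACKEND -p tcp --sport $PORT -m state --state ESTABLISHED -j ACCEPT"
}

# Turn one spec line into the command that installs it, appending only when
# an identical rule is not already present (-C exits 0 if it is).
install_cmd_for_spec() {
    set -- $1                       # split the spec on whitespace
    table=$1; chain=$2; shift 2
    printf 'iptables -t %s -C %s %s 2>/dev/null || iptables -t %s -A %s %s\n' \
        "$table" "$chain" "$*" "$table" "$chain" "$*"
}

# Forwarding must be on, or the DNATed packets are dropped after routing.
# Exits 0 when it is already on or was switched on, non-zero otherwise.
ensure_ip_forward() {
    f=/proc/sys/net/ipv4/ip_forward
    [ -r "$f" ] && [ "$(cat "$f")" = 1 ] && return 0
    echo 1 > "$f" 2>/dev/null
}

# Install every rule; the here-document keeps the loop in the current shell
# so "return" aborts on the first iptables failure.
apply_forward_rules() {
    ensure_ip_forward || { echo "cannot enable ip_forward" >&2; return 1; }
    while IFS= read -r spec; do
        cmd=$(install_cmd_for_spec "$spec")
        echo "+ $cmd" >&2
        eval "$cmd" || return 1
    done <<EOF
$(forward_rule_specs)
EOF
}

# "sh forward.sh apply" on FRONT installs the rules; with no argument the
# script only prints the commands it would run.
case "${1:-}" in
    apply) apply_forward_rules ;;
    *) forward_rule_specs | while IFS= read -r spec; do install_cmd_for_spec "$spec"; done ;;
esac
```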
See also: http://xmmok.blog.sohu.com/260275436.html


[SOLVED] iptables table `NAT': Table does not exist (do … to insmod?)

November 8, 2016 (comments closed)

https://bbs.archlinux.org/viewtopic.php?id=182400
[root@machine ~]# iptables -t NAT -A POSTROUTING -s 192.168.1.0/24 -o enp2s0 -j MASQUERADE
iptables v1.4.21: can't initialize iptables table `NAT': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
It's probably extremely easy to solve this issue, but I've bashed my head on this one for far too long.
Latest update just installed with
pacman -Syu
and the machine is freshly rebooted.
Standard kernel/installation of Arch, nothing fancy.
All my other iptables rules work like a charm, only thing missing is the NAT table.
Called a few modprobes without any luck.
Some other general information:
[root@machine ~]# ls /lib/modules/*/kernel/net/*/netfilter/
[root@machine ~]# iptables --version
iptables v1.4.21
[root@machine ~]# cat /proc/net/ip_tables_names
[root@machine ~]#
[root@machine doxid]# lsmod
[root@machine doxid]# strace iptables -nvL
[root@machine ~]# zgrep FILTER /proc/config.gz
Even though I think the module is properly loaded, I ran:
[root@machine ~]# modprobe iptable-filter
[root@machine ~]# echo $?
130

Have you tried using "-t nat" instead of "-t NAT" in your iptables command?


iptables in detail

November 8, 2016 (comments closed)

http://blog.chinaunix.net/uid-22780578-id-3346350.html

I. Introduction

A firewall, put plainly, is what implements access control on Linux; it comes in hardware and software forms. Whatever the network, a firewall always sits at the network's edge. Our job is to define how the firewall works, i.e. its policy and rules, so that it inspects the IP addresses and data entering and leaving the network.

The firewalls commonly seen today are layer 3/4 firewalls, called network-layer firewalls, and layer 7 firewalls, which are really proxy-layer gateways.

In the seven-layer TCP/IP model, layer three is the network layer, and a layer-3 firewall inspects source and destination addresses at that layer. A layer-7 firewall, on the other hand, inspects everything, regardless of source or destination port or address. In terms of design a layer-7 firewall is therefore more secure, but at the cost of lower efficiency, which is why the usual firewall products combine the two. Since all access has to pass through the point the firewall controls, the firewall's throughput becomes the single most important limit on how much data users can access; a badly configured one can even become a traffic bottleneck.
 
II. The history and working principle of iptables

1. The evolution of iptables

The predecessor of iptables was ipfirewall (in the kernel 1.x era), a simple access-control tool ported by its author from FreeBSD that ran inside the kernel and inspected packets. ipfirewall was very limited (all rules had to be placed inside the kernel before they could take effect, and putting things into the kernel is generally very hard). With the 2.x kernel series the software was renamed ipchains; it could define multiple rules and chain them together to act jointly. Today it is called iptables, which organises rules into tables and allows extremely fine-grained access control.

All of these are user-space tools for defining rules; they are not themselves the firewall. The rules they define are read by netfilter in kernel space, which is what actually does the firewalling. The place where rules are hooked into the kernel must be a specific location that the TCP/IP stack passes through; the component at those points that reads the rules is called netfilter (the network filter).

    The author chose five positions in kernel space:
    1. in kernel space, on the path from one network interface to another
    2. where packets flow from the kernel into user space
    3. where packets flow out of user space
    4. entering/leaving the host's external interface
    5. entering/leaving the host's internal interface

2. How iptables works

From the history above we know the author chose five places as control points. But notice that the first three already block the path almost completely, so why add checkpoints inside when there are already checkpoints at the entrances and exits? Because at the entry point the packet has not yet gone through routing, so it is not yet known where the data is headed, and filtering cannot be done at the entry/exit. Hence the checkpoints in kernel space for forwarding, for entering user space, and for leaving user space. And if the outer ones are of so little use, why keep them? Because when doing NAT and DNAT, the destination address must be translated before routing, so checkpoints are needed at the external and then the internal interfaces.

These five positions are also called the five hook functions, or the five rule chains:
1. PREROUTING (before routing)
2. INPUT (packet entry point)
3. FORWARD (forwarding checkpoint)
4. OUTPUT (packet exit point)
5. POSTROUTING (after routing)
        These are the five rule chains defined by netfilter; any packet passing through this host will traverse at least one of them.

3. Firewall policy

Firewall policy generally comes in two kinds, a "permit" policy and a "block" policy. With the permit policy the door is closed by default and you must define who may enter; with the block policy the door stands wide open but you must authenticate or you cannot enter. So we define which to let in and which to let out: "permit" means permit everything, "block" means be selective. When we define policy we define several functions separately: defining which packets are allowed or not is the filter function, while defining address translation is the nat option. To let these functions work alongside each other, the concept of a "table" was introduced to define and distinguish the different functions and processing methods.

The three functions used most today are:
1. filter: defines what is allowed or not allowed
2. nat: defines address translation
3. mangle: modifies the packet's original data

Modifying a packet's original data is, for instance, how we change the TTL. It can open up the packet's metadata, mark it or modify content inside. Firewall marks are in fact implemented by mangle.

A small extension:
filter can generally only be applied on three chains: INPUT, FORWARD, OUTPUT
nat can generally only be applied on three chains: PREROUTING, OUTPUT, POSTROUTING
mangle can be applied on all five: PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING

iptables/netfilter (the software) works in user space; it makes rules take effect, it is not itself a service, and rules take effect immediately. iptables has now been packaged as a service that can be started and stopped: starting it puts the rules into effect, stopping it withdraws them.
iptables also supports user-defined chains, but a user-defined chain must be tied to one of the built-in chains: a rule at a checkpoint sends matching traffic to that chain for processing, and when the chain finishes, control returns and checking continues in the built-in chain.

Note: the order of rules is critical. The stricter a rule, the earlier it should be placed, because rules are checked from top to bottom.
 
III. Writing rules

The way iptables defines rules is fairly involved:
Format: iptables [-t table] COMMAND chain CRITERIA -j ACTION
-t table: one of the three tables, filter, nat, mangle
COMMAND: how the rule is to be managed
chain: which chain the rule operates on; it can be omitted when setting a policy
CRITERIA: the match criteria
-j ACTION: how matching packets are handled

For example, deny access from 172.16.0.0/24:
iptables -t filter -A INPUT -s 172.16.0.0/16 -p udp --dport 53 -j DROP
And if you want the refusal to be more explicit:
iptables -t filter -R INPUT 1 -s 172.16.0.0/16 -p udp --dport 53 -j REJECT

iptables -L -n -v   # view details of the defined rules

IV. COMMAND in detail

1. Chain management commands (all take effect immediately)
-P: set the default policy (whether the door is closed or open by default)
There are generally only two default policies:
iptables -P INPUT (DROP|ACCEPT)   closed by default / open by default
For example:
iptables -P INPUT DROP   sets the default to refuse. Since no other action has been defined, every inbound connection, including remote sessions such as Xshell, is now refused.
-F: FLUSH, empties a chain (mind the management rights of each chain)
    iptables -t nat -F PREROUTING
    iptables -t nat -F   empties all chains of the nat table
-N: NEW, lets the user create a new chain
    iptables -N inbound_tcp_web   a chain attached to the tcp table for inspecting web traffic
-X: deletes a user-defined chain, which must be empty
    used like -N, but the chain must be emptied before it can be deleted
-E: rename a chain; mainly used to rename user-defined chains
    -E oldname newname
-Z: zero the counters of a chain and of the rules in it (there are two counters: packets matched and bytes matched)
    iptables -Z   clears them

2. Rule management commands
-A: append, adds a new rule at the end of the current chain
-I num: insert, places the rule as entry number num
    -I 3   inserts it as the third rule
-R num: replace/modify rule number num
    format: iptables -R 3 ...
-D num: delete, removes exactly rule number num

3. The view command "-L"
Sub-options:
-n: show IPs numerically; without -n, IPs are reverse-resolved to host names
-v: verbose
-vv
-vvv: the more v's, the more detail
-x: show exact counter values without unit conversion
--line-numbers: show rule numbers
-t nat: show the information of all checkpoints of the nat table
V. Match criteria in detail

1. Generic matches: matching source and destination addresses
-s: match on the source address; a host name cannot be given here, it must be an IP:
IP | IP/MASK | 0.0.0.0/0.0.0.0
The address can also be negated with "!", meaning everything except that IP.
-d: match on the destination address
-p: match on the protocol (usually one of three: TCP/UDP/ICMP)
-i eth0: traffic entering through this NIC
Ingress matching is generally used on INPUT and PREROUTING.
-o eth0: traffic leaving through this NIC
Egress matching is generally used on OUTPUT and POSTROUTING.

2. Extended matches
2.1 Implicit extensions: extensions of the protocol
    -p tcp: TCP protocol extensions; there are generally three:
--dport XX-XX: the destination port. Several non-contiguous ports cannot be given, only a single port or a range, e.g.
--dport 21   or   --dport 21-23 (meaning 21, 22 and 23)
--sport: the source port
--tcp-flags: TCP flag bits (SYN, ACK, FIN, PSH, RST, URG)
    It generally takes two arguments:
1. the flags to examine
2. the flags that must be set
--tcp-flags syn,ack,fin,rst syn   =   --syn
This examines those four bits and requires syn to be set and the other three clear, so it detects the first packet of the three-way handshake. For this match on the first packet with only SYN set there is a shorthand: --syn.
    -p udp: UDP protocol extensions
        --dport
        --sport
    -p icmp: ICMP datagram extensions
        --icmp-type:
echo-request, usually written as 8,
so --icmp-type 8 matches echo requests
echo-reply (the response), usually written as 0

2.2 Explicit extensions (-m)
     load the various extension modules
      -m multiport: enables the multiport extension,
      after which one can write e.g. --dports 21,23,80
VI. -j ACTION in detail

Common ACTIONs:
DROP: silently discard
DROP is often used to hide our identity and hide our rule set
REJECT: explicit rejection
ACCEPT: accept
custom_chain: jump to a user-defined chain
DNAT
SNAT
MASQUERADE: source address masquerading
REDIRECT: redirection, mainly used for port redirection
MARK: apply a firewall mark
RETURN: return
Used at the end of a user-defined chain to return to the calling chain.

Exercise 1:
     Allow everything from the 172.16.0.0/16 network to reach the SSHD service on my host 172.16.100.1.
     Analysis: this clearly belongs in the filter (allow/deny) table, since no NAT address translation is needed. Our SSHD service is on port 22 and the action is accept. For this table we need a pair of rules, one in and one out. Whether we allow or deny, for access to a local service it is best to define the rule on the INPUT chain and then on OUTPUT (define the initiating side of the session first). So the rules are:
     Inbound:  iptables -t filter -A INPUT -s 172.16.0.0/16 -d 172.16.100.1 -p tcp --dport 22 -j ACCEPT
     Outbound: iptables -t filter -A OUTPUT -s 172.16.100.1 -d 172.16.0.0/16 -p tcp --dport 22 -j ACCEPT
     Then change the default policy to DROP:
 iptables -P INPUT DROP
 iptables -P OUTPUT DROP
 iptables -P FORWARD DROP
VII. State inspection

This is an explicit extension used to detect the connection relationship between sessions; with it we can extend functionality across a session.
        What is state inspection? TCP as a whole is a connection-oriented protocol. In the three-way handshake, the first packet is what we call a NEW connection; from the second handshake packet on, ACK is set, which is normal data transfer, and together with the second and third handshake packets this is called an established connection (ESTABLISHED). Another state is the odd one, e.g. SYN=1 ACK=1 RST=1; anything we cannot recognise we call INVALID. And there is a fourth: FTP, with its old-fashioned characteristic that each port is independent, port 21 and port 20 each going out and back, and the two being related; such a relationship we call RELATED.
So there are four states in total:
        NEW
        ESTABLISHED
        RELATED
        INVALID

We can therefore add state inspection to the earlier exercise: for example, only let NEW and ESTABLISHED in, and only let ESTABLISHED out. This gives a good control mechanism against the common reverse-connecting trojans.

Extending the exercise:
Inbound is denied and outbound allowed; only ESTABLISHED comes in, only ESTABLISHED goes out; the default policies are all deny.
iptables -L -n --line-numbers   # check which line each earlier rule is on
    Rewrite INPUT:
        iptables -R INPUT 2 -s 172.16.0.0/16 -d 172.16.100.1 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
        iptables -R OUTPUT 1 -m state --state ESTABLISHED -j ACCEPT

    What if we now also want to open port 80?
        iptables -A INPUT -d 172.16.100.1 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT

        iptables -R INPUT 1 -d 172.16.100.1 -p udp --dport 53 -j ACCEPT

Exercise 2:
Suppose we allow ourselves to ping others but do not want others to be able to ping us. How?
Analysis: for the ping protocol, inbound is type 8 (ping) and outbound is type 0 (the response). To reach our goal we need to let 8 out and 0 in.

On the outbound side: iptables -A OUTPUT -p icmp --icmp-type 8 -j ACCEPT
On the inbound side:  iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT

A small extension: 127.0.0.1 is special and needs to be defined explicitly:
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
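As an added example (not the article's own code): exercises 1 and 2 together with the state-inspection extension, written as one iptables-restore ruleset that is committed atomically, so the DROP policies and the ESTABLISHED rule take effect at the same moment instead of in the order the commands happen to be typed. HOST_IP, TRUSTED_NET and SSH_PORT are assumed variable names defaulting to the article's values.

```shell
#!/bin/sh
# Added example, not from the original article: exercises 1 and 2 plus the
# state extension, expressed as one iptables-restore ruleset instead of a
# sequence of -A/-P/-R commands. Assumed, overridable values: HOST_IP
# 172.16.100.1 and TRUSTED_NET 172.16.0.0/16 from the article, SSH_PORT 22.
HOST_IP=${HOST_IP:-172.16.100.1}
TRUSTED_NET=${TRUSTED_NET:-172.16.0.0/16}
SSH_PORT=${SSH_PORT:-22}

# Print the filter table in iptables-save format. iptables-restore commits the
# whole table at once, so the DROP policies (":CHAIN DROP" lines) and the
# ESTABLISHED rule land together; a bare "iptables -P INPUT DROP" typed on
# its own cuts off the remote session you are typing in, as the article warns.
# Rule order follows the article's rule of thumb: strictest rules first.
host_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback has to be allowed explicitly once the policy is DROP (article, VII).
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Packets conntrack cannot classify (the article's INVALID state) are dropped
# before anything else, so an ICMP echo reply with no matching request never
# reaches the echo-reply rule further down.
-A INPUT -m state --state INVALID -j DROP
# Replies to connections this host opened; RELATED covers helpers such as FTP data.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Exercise 1 with state: SSH only from the trusted network; NEW admits the SYN.
-A INPUT -s $TRUSTED_NET -d $HOST_IP -p tcp --dport $SSH_PORT -m state --state NEW,ESTABLISHED -j ACCEPT
# Exercise 2: echo replies (type 0) may come in, echo requests (type 8) may not.
-A INPUT -p icmp --icmp-type 0 -j ACCEPT
# Outbound: only traffic of accepted sessions (SSH replies leave from source
# port 22 and are ESTABLISHED, so no "--dport 22" OUTPUT rule is needed) and
# our own pings.
-A OUTPUT -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp --icmp-type 8 -j ACCEPT
COMMIT
EOF
}

# Count the rules that accept NEW connections, i.e. the services this ruleset
# exposes. Only the SSH rule should show up.
count_new_accepts() {
    host_ruleset | grep -c -- '--state NEW[^ ]* -j ACCEPT'
}

# Parse-only check (iptables-restore --test) before committing, so a typo in
# the ruleset does not leave the host half configured.
apply_ruleset() {
    host_ruleset | iptables-restore --test || return 1
    host_ruleset | iptables-restore
}

# "sh hostfw.sh apply" loads the ruleset; with no argument it is only printed.
case "${1:-}" in
    apply) apply_ruleset ;;
    *) host_ruleset ;;
esac
```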
 
VIII. Implementing SNAT and DNAT

IP addresses are now scarce and have all been allocated, which forces us to do address translation to economise on the few we have left. So how is NAT implemented with iptables?

1. SNAT: translation based on the source address
Source-based translation is generally used when many internal users go online through one external interface: we translate the internal addresses into one external IP and can then connect to other external IPs.
So in iptables we define exactly how to translate:
Form of the definition:
For example, to translate every IP on the 192.168.10.0 network to the (hypothetical) external address 172.16.100.1 as it passes through:
iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -j SNAT --to-source 172.16.100.1
With this, everything from the local network trying to reach the network through the NIC is translated to 172.16.100.1.
And what if 172.16.100.1 is not fixed?
We all know that when going online via China Unicom or China Telecom, a random external IP is generally assigned each time you boot, i.e. the external address changes dynamically. In that case we replace the external address with MASQUERADE (dynamic masquerading): it finds the external address automatically and rewrites to the correct one. So we set:
         iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -j MASQUERADE
         Note: address masquerading is not suitable everywhere.

2. DNAT: destination address translation
For destination address translation the data flows from outside in: outside is the client, inside the server. With destination translation, outside IPs reach our various servers through our single external IP, while the services themselves live on different servers in the internal network.

    How is destination translation done?
iptables -t nat -A PREROUTING -d 192.168.10.18 -p tcp --dport 80 -j DNAT --to-destination 172.16.100.2
        Destination translation has to happen before the packet reaches the NIC, which is why it goes on PREROUTING.

IX. Saving rules and enabling them at boot

Note: everything you define is lost on reboot; to make it persistent, save it with one of these commands.
1. The service iptables save command
It saves to the file /etc/sysconfig/iptables.
    2. The iptables-save command
iptables-save > /etc/sysconfig/iptables

    3. The iptables-restore command
At boot, /etc/sysconfig/iptables is loaded automatically.
If it is not loaded at boot, or you want a configuration file you wrote yourself (say iptables.2) to take effect manually:
iptables-restore < /etc/sysconfig/iptables.2
This activates the rules defined in that file by hand.


X. Summary
         iptables is a very important tool, present on almost every firewall, and something we must set up for many reasons when building large networks. Learning iptables well gives us a fairly deep understanding of the overall network structure and lets us master the flow of data in kernel space and Linux security thoroughly. When studying it, try to work through all kinds of projects and experiments; this helps greatly in deepening your grasp of iptables configuration and its various tricks.
Other good iptables articles:

Testing the addition of iptables/netfilter extension modules

November 8, 2016 (comments closed)

http://hegz.iteye.com/blog/629666
Tags: Software testing, Linux, Firewall, QQ, CentOS
Because the iptables/netfilter extension modules string, mport, comment, connlimit, psd and time are still at the testing stage, the kernels shipped by the various Linux distributions have so far not included them. These modules are very practical, and I had long wanted to add them to the firewall at work, but there was very little material on compiling and installing iptables/netfilter extension modules, and I dreaded the time that compiling software takes, so I never got round to it. Recently, after carefully reading platinum's "iptables add-module HOWTO", I decided to find time to test this, and to add these functions to the firewall at work once I had gained some experience.
1. Preparation
Install CentOS 3.6 Linux (kernel 2.4.21-37.EL); when choosing system software during installation, select "Kernel development tools", so that the build environment and kernel sources are installed automatically. This kernel is not very new but is good enough for the test. Not wanting to spend too much time building the kernel, and to keep the test smooth, I chose to build the kernel parts as modules. Fit two NICs (eth0: 192.168.11.5/255.255.255.0, GW 192.168.11.2, DNS 192.168.11.4; eth1: 192.168.12.1/255.255.255.0), log in to the gateway server 192.168.11.2 and add a route to the test machine: route add -net 192.168.12.0/24 gw 192.168.11.5 eth2. Otherwise the clients would have an outbound route but no return route, and the tests below could not be carried out.
Go to /usr/src and download iptables-1.3.1.tar.bz2:
# wget http://ftp.netfilter.org/pub/iptables/iptables-1.3.1.tar.bz2
Download patch-o-matic-ng-20050801.tar.bz2:
# wget http://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/patch-o-matic-ng-20050801.tar.bz2
Note: some modules in iptables-1.3.4.tar.bz2 and iptables-1.3.5.tar.bz2 (such as string) require kernel 2.6.14 or later. Download the earliest-dated patch-o-matic-ng snapshot, otherwise some functions cannot be enabled.
2. Installation
1) Unpack the archives
# cd /usr/src
# tar xvfj iptables-1.3.1.tar.bz2
# tar xvfj patch-o-matic-ng-20050801.tar.bz2
2) Patch netfilter
# cd /usr/src/linux-2.4
# make mrproper
# make menuconfig
# vi Makefile
Change EXTRAVERSION=-37.ELcustom to EXTRAVERSION=-37.EL
# cd /usr/src/patch-o-matic-ng-20050801
# KERNEL_DIR=/usr/src/linux-2.4 IPTABLES_DIR=/usr/src/iptables-1.3.1 ./runme string
Answer y at the prompt to confirm; do the same for each of the following.
# KERNEL_DIR=/usr/src/linux-2.4 IPTABLES_DIR=/usr/src/iptables-1.3.1 ./runme comment
# KERNEL_DIR=/usr/src/linux-2.4 IPTABLES_DIR=/usr/src/iptables-1.3.1 ./runme connlimit
# KERNEL_DIR=/usr/src/linux-2.4 IPTABLES_DIR=/usr/src/iptables-1.3.1 ./runme mport
# KERNEL_DIR=/usr/src/linux-2.4 IPTABLES_DIR=/usr/src/iptables-1.3.1 ./runme psd
# KERNEL_DIR=/usr/src/linux-2.4 IPTABLES_DIR=/usr/src/iptables-1.3.1 ./runme ipp2p
# KERNEL_DIR=/usr/src/linux-2.4 IPTABLES_DIR=/usr/src/iptables-1.3.1 ./runme iprange
# KERNEL_DIR=/usr/src/linux-2.4 IPTABLES_DIR=/usr/src/iptables-1.3.1 ./runme geoip
# KERNEL_DIR=/usr/src/linux-2.4 IPTABLES_DIR=/usr/src/iptables-1.3.1 ./runme time
# KERNEL_DIR=/usr/src/linux-2.4 IPTABLES_DIR=/usr/src/iptables-1.3.1 ./runme quota
# KERNEL_DIR=/usr/src/linux-2.4 IPTABLES_DIR=/usr/src/iptables-1.3.1 ./runme nth
# KERNEL_DIR=/usr/src/linux-2.4 IPTABLES_DIR=/usr/src/iptables-1.3.1 ./runme ipv4options
# cd /usr/src/linux-2.4
# make menuconfig
Enter Code maturity level options and make sure [*] Prompt for development and/or incomplete code/drivers is selected; then enter Networking options, then IP: Netfilter Configuration, where many new modules appear, each marked "NEW". Select the ones you want as modules ("M"), save and exit. Patching netfilter is now complete.

3) Build the netfilter modules
a. Only netfilter needs to be built, not the whole kernel and all modules; only IPv4 is used here, so I did not build the IPv6 parts.
# cd /usr/src/linux-2.4
# make dep
# make modules SUBDIRS=net/ipv4/netfilter

b. Create a new directory and back up the original modules in case the newly built ones are faulty:
# mkdir /usr/src/netfilter
# cp /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/*.o /usr/src/netfilter/

c. Install the new modules:
# cd /usr/src/linux-2.4
# cp -f net/ipv4/netfilter/*.o /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/

d. Update modules.dep; when errors appear, delete the offending module and run it again.
# depmod -a
Note: at first I only deleted ipchains_core.o, ipfwadm_core.o and ip_fw_*.o, but when the firewall script was run, modprobe of ipt_nat_ftp and ipt_MASQUERADE still failed; after also deleting ip_nat_core.o, ip_nat_standalone.o and ip_nat_helper.o the problem was solved.

4) Build and install iptables-1.3.1
# cd /usr/src/iptables-1.3.1
# export KERNEL_DIR=/usr/src/linux-2.4
# export IPTABLES_DIR=/usr/src/iptables-1.3.1
# make BINDIR=/sbin LIBDIR=/lib MANDIR=/usr/share/man install
3. Application test
# cd /etc/rc.d
# vi fwtest
#!/bin/sh

IPTABLES="/sbin/iptables"
/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_string
/sbin/modprobe ipt_ipp2p
/sbin/modprobe ipt_comment
/sbin/modprobe ipt_iprange
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F
$IPTABLES -t nat -X
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD ACCEPT
#
# Packets leaving via eth0 get their source address rewritten to 192.168.11.5
#
$IPTABLES -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 192.168.11.5
# 1. Content filtering
iptables -A FORWARD -m string --string "sina" -j DROP

# 2. Using comments
iptables -A FORWARD -s 192.168.3.159 -p tcp --dport 80 -j DROP -m comment --comment "the bad guy can not online"
iptables -A FORWARD -s 192.168.3.159 -m string --string "qq.com" -j DROP -m comment --comment "denny go to qq.com"

# 3. Concurrent connection limit
iptables -A FORWARD -s 192.168.3.159 -p tcp --syn --dport 80 -m connlimit --connlimit-above 3 --connlimit-mask 24 -j DROP

# 4. IP range
iptables -A FORWARD -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT

# 5. Block BT-style P2P software
iptables -A FORWARD -m ipp2p --edk --kazaa --bit -j DROP
iptables -A FORWARD -p tcp -m ipp2p --ares -j DROP
iptables -A FORWARD -p udp -m ipp2p --kazaa -j DROP

#
# Enable forwarding
#
echo "1" > /proc/sys/net/ipv4/ip_forward
# chmod u+x fwtest
# ./fwtest
Note: of the added extensions only string was tested; the others will have to wait for another occasion.
4. Test results
If the FORWARD chain's default policy is DROP, iptables -A FORWARD -m string --string "sina" -j ACCEPT has no effect; if the default policy is ACCEPT, iptables -A FORWARD -m string --string "sina" -j DROP works. So it is not possible to open access to particular websites under a default DROP policy.

References:
http://www.netfilter.org/documentation/HOWTO//netfilter-extensions-HOWTO.html
"iptables add-module HOWTO", by platinum
"Compiling and using iptables/netfilter modules", by KindGeorge

* Note: this is an old article I published on my Xihu blog in 2006, migrated here. My Xihu blog address: http://linuxtech.xhschool.com/

Adding modules to iptables

November 8, 2016 (comments closed)

http://blog.chinaunix.net/uid-56355-id-2735665.html
Preparation:
1. The latest patch-o-matic-ng, downloadable from:
http://ftp.netfilter.org/pub/patch-o-matic-ng/
2. The latest iptables source:
http://www.netfilter.org
3. Kernel source:
http://www.kernel.org
4. The L7-filter patch and protocol definition files:
http://sourceforge.net/project/showfiles.php?group_id=80085
5. GeoIP database files:
http://people.netfilter.org/peejix/geoip/database/20050410/geoipdb.idx
http://people.netfilter.org/peejix/geoip/database/20050410/geoipdb.bin
Adding iptables modules for kernel 2.6

cd /usr/src/kernels/linux-2.6.14
make mrproper
make menuconfig   (a .config must exist in the kernel tree before patching)

[root@test11 iptables-1.3.4]# cd /root/iptables/patch-o-matic-ng-20051215
KERNEL_DIR=/usr/src/kernels/linux-2.6.14 IPTABLES_DIR=/usr/src/iptables-1.3.4 ./runme string   # not needed on 2.6 kernels: the string match is already in mainline
KERNEL_DIR=/usr/src/kernels/linux-2.6.14 IPTABLES_DIR=/usr/src/iptables-1.3.4 ./runme comment
KERNEL_DIR=/usr/src/kernels/linux-2.6.14 IPTABLES_DIR=/usr/src/iptables-1.3.4 ./runme connlimit
KERNEL_DIR=/usr/src/kernels/linux-2.6.14 IPTABLES_DIR=/usr/src/iptables-1.3.4 ./runme time
KERNEL_DIR=/usr/src/kernels/linux-2.6.14 IPTABLES_DIR=/usr/src/iptables-1.3.4 ./runme iprange
KERNEL_DIR=/usr/src/kernels/linux-2.6.14 IPTABLES_DIR=/usr/src/iptables-1.3.4 ./runme geoip
KERNEL_DIR=/usr/src/kernels/linux-2.6.14 IPTABLES_DIR=/usr/src/iptables-1.3.4 ./runme nth
KERNEL_DIR=/usr/src/kernels/linux-2.6.14 IPTABLES_DIR=/usr/src/iptables-1.3.4 ./runme ipp2p
KERNEL_DIR=/usr/src/kernels/linux-2.6.14 IPTABLES_DIR=/usr/src/iptables-1.3.4 ./runme quota
[root@test11 patch-o-matic-ng-20051215]# cd /usr/src/kernels/linux-2.6.14/
[root@test11 linux-2.6.14]# patch -p1
[root@test11 linux-2.6.14]# cd /usr/src/iptables-1.3.4
[root@test11 iptables-1.3.4]# patch -p1
[root@test11 iptables-1.3.4]#

Compile the kernel:
make menuconfig   (select the netfilter modules you just added)
make
make modules_install install
Compile iptables:
cd /usr/src/iptables-1.3.4
chmod a+x extensions/.layer7-test
export KERNEL_DIR=/usr/src/kernels/linux-2.6.14/
export IPTABLES_DIR=/usr/src/iptables-1.3.4
make PREFIX=/usr LIBDIR=/lib BINDIR=/sbin && make PREFIX=/usr LIBDIR=/lib BINDIR=/sbin install
Note: the iptables build runs the extensions/.*-test scripts to decide which extensions to build, and .layer7-test is not executable as unpacked, so the layer7 extension is silently skipped unless you set the bit first:
[root@test11 iptables-1.3.4]# ll extensions/.layer7-test
-rw-r--r-- 1 root root 87 Dec 16 16:51 extensions/.layer7-test
[root@test11 iptables-1.3.4]# chmod a+x extensions/.layer7-test
Install the L7 protocol definitions:
[root@test11 iptables]# cd l7-protocols-2005-12-16
[root@test11 l7-protocols-2005-12-16]# make install

http://www.douzhe.com/article/data/7/681.html
http://www.douzhe.com/article/data/7/685.html
http://bbs.chinaunix.net/viewthread.php?tid=585771&extra=&page=1
http://ftp.jyt.com.cn/baijin/book/netfilter-extensions-HOWTO-CN.pdf
http://people.netfilter.org/peejix/geoip/howto/geoip-HOWTO.html
http://phorum.study-area.org/viewtopic.php?t=33426&postdays=0&postorder=asc&start=30&sid=a405f0a8f0fb7dc05fa32372e6a2e2fc
http://www.router.net.cn/softrouter/CoyoteLinux/200503/1748.html
http://www.netfilter.org/patch-o-matic/pom-extra.html#pom-extra-pptp-conntrack-nat

Note: [root@kindgeorge linux-2.4]# make oldconfig
'make oldconfig' reuses the existing .config (very handy when rebuilding).
Tip: faced with the many options in make menuconfig it is often unclear what to select. Copy the distribution's installed kernel configuration into /usr/src/linux-2.4 first (cp /boot/config-2.4.* /usr/src/linux-2.4/.config) and then run make menuconfig; it reads the existing settings from .config.

geoip
The only extra files you need are a binary database (geoipdb.bin) and its index file (geoipdb.idx). Both are generated from a countries-and-subnets database with the csv2bin tool, available at www.cookinglinux.org/geoip/. Both files MUST be placed in /var/geoip/, because the shared library looks for that pathname statically (e.g. /var/geoip/geoipdb.bin).

iptables: solving SSH/PuTTY remote-access problems on a dual-NIC Linux server

November 8, 2016

I. Blocking a given IP address
The following rule blocks the address in BLOCK_THIS_IP from reaching this host:
BLOCK_THIS_IP="x.x.x.x"
iptables -A INPUT -i eth0 -s "$BLOCK_THIS_IP" -j DROP
(or block only TCP packets from that address)
iptables -A INPUT -i eth0 -p tcp -s "$BLOCK_THIS_IP" -j DROP
Allow ping from outside
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
Allow this host to ping outside hosts
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
Allow loopback traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
II. Protocols and ports
Allow all SSH connection requests
This rule pair accepts all incoming SSH connections, i.e. packets arriving on eth0 with destination port 22, and their replies:
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
Allow SSH connections initiated from this host
This is the mirror image of the previous pair: it lets this host open SSH connections to other machines.
iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
Allow SSH only from a given network
The following rules accept SSH only from 192.168.100.0/24:
iptables -A INPUT -i eth0 -p tcp -s 192.168.100.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
The network could also be written as -s 192.168.100.0/255.255.255.0; the CIDR form above is easier to read.
Allow SSH from this host only to a given network
The following rules only let this host connect to 192.168.100.0/24 over SSH:
iptables -A OUTPUT -o eth0 -p tcp -d 192.168.100.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
Allow HTTP/HTTPS
# 1. HTTP, port 80
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
# 2. HTTPS, port 443
iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
Allow outgoing HTTPS from this host
These rules let users on this host open HTTPS connections to the Internet.
iptables -A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
The same pattern works for HTTP (port 80).
-m multiport: several ports in one rule
With -m multiport, SSH, HTTP and HTTPS can be allowed in a single rule:
iptables -A INPUT -i eth0 -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 22,80,443 -m state --state ESTABLISHED -j ACCEPT
Allow outgoing DNS
iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT
Note that the second rule accepts any UDP packet whose source port happens to be 53, so anyone can reach the host by sending from port 53; restricting it with -m state --state ESTABLISHED limits it to actual replies.
Allow NIS
If you manage user accounts with NIS, the NIS ports must be open as well: even with SSH allowed, logins fail unless ypbind can be reached. NIS ports are dynamic; ypbind picks them when it starts, so first find out which ports it was given (853 and 850 in this example):
rpcinfo -p | grep ypbind
Then allow the portmapper (111) and the ports ypbind is using:
iptables -A INPUT -p tcp --dport 111 -j ACCEPT
iptables -A INPUT -p udp --dport 111 -j ACCEPT
iptables -A INPUT -p tcp --dport 853 -j ACCEPT
iptables -A INPUT -p udp --dport 853 -j ACCEPT
iptables -A INPUT -p tcp --dport 850 -j ACCEPT
iptables -A INPUT -p udp --dport 850 -j ACCEPT
These rules stop working after a reboot, because ypbind is assigned different ports. Two ways around this:
1. Pin ypbind to fixed ports so the rules stay valid.
2. Run a script at boot that queries the NIS ports and adds the rules above to the filter table.
Allow rsync from a given network
You may run rsync but not want it reachable from outside, only from the internal network (192.168.101.0/24):
iptables -A INPUT -i eth0 -p tcp -s 192.168.101.0/24 --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 873 -m state --state ESTABLISHED -j ACCEPT
Allow MySQL from a given network
You may run MySQL but want only DBAs and developers on the internal network (192.168.100.0/24) to connect to it directly:
iptables -A INPUT -i eth0 -p tcp -s 192.168.100.0/24 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT
Allow Sendmail / Postfix
Mail servers listen on port 25, so allowing connections to that port is enough.
iptables -A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT
Allow IMAP and IMAPS
# IMAP: 143
iptables -A INPUT -i eth0 -p tcp --dport 143 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 143 -m state --state ESTABLISHED -j ACCEPT
# IMAPS: 993
iptables -A INPUT -i eth0 -p tcp --dport 993 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 993 -m state --state ESTABLISHED -j ACCEPT
Allow POP3 and POP3S
# POP3: 110
iptables -A INPUT -i eth0 -p tcp --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT
# POP3S: 995
iptables -A INPUT -i eth0 -p tcp --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 995 -m state --state ESTABLISHED -j ACCEPT
Rate limiting as DoS mitigation
iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
-m limit: load the limit match
--limit 25/minute: the refill rate, at most 25 matches per minute on average
--limit-burst 100: the bucket size; the first 100 packets pass at once, after which the 25/minute rate applies
Two caveats. As written the rule counts every TCP packet to port 80, not connections, so established transfers are throttled as well; add --syn or -m state --state NEW to count only connection attempts. And a limit rule only has an effect if the packets it does not match are dropped by a later rule or by the chain's default policy; on its own it drops nothing.
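The rule pairs in this section can be collapsed into one stateful ruleset, and the rate-limit rule can be made to do what its heading promises. The script below is an added example, not code from the original article: it emits the host firewall of section II as a single iptables-restore file in which one conntrack rule replaces every "--sport ... ESTABLISHED" reply rule, services are grouped with multiport, and HTTP/HTTPS connection attempts (--syn only) go through a user chain that rate-limits them and explicitly drops the excess. The interface and admin network are assumptions passed as arguments.

```shell
#!/bin/sh
# Added example, not part of the original article. Generates the host firewall
# of section II as one iptables-restore file. Differences from the rule pairs
# above: a single conntrack rule replaces every "--sport ... ESTABLISHED"
# reply rule, and the HTTP rate limit counts only connection attempts (--syn)
# and explicitly drops the excess, which the bare limit/ACCEPT rule never did.
# Interface and network names are assumptions; pass your own as arguments.
gen_host_firewall() {
    wan_if=${1:-eth0}
    admin_net=${2:-192.168.100.0/24}
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:HTTP_LIMIT - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
-A INPUT -i $wan_if -p tcp -s $admin_net --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $wan_if -p tcp -s $admin_net -m multiport --dports 873,3306 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $wan_if -p tcp --syn -m multiport --dports 80,443 -j HTTP_LIMIT
-A INPUT -i $wan_if -p tcp -m multiport --dports 25,110,143,993,995 -m conntrack --ctstate NEW -j ACCEPT
-A HTTP_LIMIT -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
-A HTTP_LIMIT -m limit --limit 1/minute -j LOG --log-prefix "HTTP SYN limit: " --log-level 4
-A HTTP_LIMIT -j DROP
COMMIT
EOF
}
# Load with: gen_host_firewall eth0 192.168.100.0/24 | iptables-restore
# Outgoing DNS and other client traffic need no INPUT rule: the replies
# arrive as ESTABLISHED and are accepted by the conntrack rule.
```

Because OUTPUT is ACCEPT and replies are matched by connection state, none of the per-service "--sport" OUTPUT rules are needed; if OUTPUT is later set to DROP, a single `-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` covers all reply traffic.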
III. Forwarding and NAT
Allow routing
If the host has two NICs, one on the internal network (eth0) and one on the external network (eth1), the following rule lets traffic from eth0 be routed out through eth1:
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
DNAT and port forwarding
The following rules redirect traffic arriving on port 422 to port 22, so an SSH connection to port 422 behaves exactly like one to port 22.
# 1. DNAT in the nat table
iptables -t nat -A PREROUTING -p tcp -d 192.168.102.37 --dport 422 -j DNAT --to-destination 192.168.102.37:22
# 2. Accept the connection in the filter table. nat/PREROUTING runs before filter/INPUT, so INPUT sees the translated port 22, not 422; a rule for --dport 422 here would never match. Likewise the replies leave filter/OUTPUT with source port 22, before the reverse translation in nat/POSTROUTING.
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
Suppose the external gateway address is xxx.xxx.xxx.xxx and we want to forward HTTP requests to an internal machine. How?
iptables -t nat -A PREROUTING -p tcp -i eth0 -d xxx.xxx.xxx.xxx --dport 8888 -j DNAT --to 192.168.0.2:80
iptables -A FORWARD -p tcp -i eth0 -d 192.168.0.2 --dport 80 -j ACCEPT
When such a packet reaches xxx.xxx.xxx.xxx it has to be handed on to 192.168.0.2:80; what NAT actually does is rewrite the packet's destination address and port, after which the packet is routed to that host.
But will iptables forward such a packet at all? That is decided by the FORWARD chain. The second command tells iptables to forward packets whose (already translated) destination is 192.168.0.2:80. In the 422-to-22 example above the destination is the host's own address, so the packet is delivered locally and no FORWARD rule is needed.
SNAT and MASQUERADE
The following command rewrites the source of every packet from 10.8.0.0/24 to 192.168.5.3 before sending it out:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.5.3
SNAT always needs the replacement address(es) spelled out. When the machine reaches the Internet over ADSL dial-up its external address changes, and MASQUERADE, which uses whatever address the outgoing interface currently has, is the right choice:
iptables -t nat -A POSTROUTING -s 10.8.0.0/255.255.255.0 -o eth0 -j MASQUERADE
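The two NAT cases above, forwarding a public port to an internal host and aliasing a port on the gateway itself, differ in where the filter rule has to match, and both are easy to get wrong because the filter chains see the packet after DNAT. The script below is an added example, not code from the original article: it emits a complete nat and filter configuration in iptables-restore format for a two-interface gateway, with the FORWARD rule matching the translated destination and the local alias accepting the translated port. REDIRECT is used for the local case instead of DNAT to the gateway's own address (it is equivalent for this purpose). Interface names, the public address 203.0.113.10 and all ports in the usage lines are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: DNAT port forwarding through a
# two-interface gateway as one iptables-restore file. Names and addresses are
# assumptions. The filter rules match the packet AFTER DNAT: FORWARD sees
# "-d INT_IP --dport INT_PORT", never the public address and port.
gen_port_forward() {
    wan_if=$1; lan_if=$2; wan_ip=$3; pub_port=$4; int_ip=$5; int_port=$6
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# public address:port -> internal host:port
-A PREROUTING -i $wan_if -p tcp -d $wan_ip --dport $pub_port -j DNAT --to-destination $int_ip:$int_port
# hide LAN clients behind whatever address the uplink currently has
-A POSTROUTING -o $wan_if -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# match the translated destination (post-DNAT), not the public one
-A FORWARD -i $wan_if -o $lan_if -p tcp -d $int_ip --dport $int_port -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $lan_if -o $wan_if -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Port alias on the gateway itself (e.g. SSH also reachable on 422). INPUT must
# accept the post-DNAT port; an INPUT rule for the alias port never matches.
gen_local_alias() {
    wan_if=$1; alt_port=$2; real_port=$3
    cat <<EOF
*nat
-A PREROUTING -i $wan_if -p tcp --dport $alt_port -j REDIRECT --to-ports $real_port
COMMIT
*filter
-A INPUT -i $wan_if -p tcp --dport $real_port -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Usage (as root):
#   sysctl -w net.ipv4.ip_forward=1
#   gen_port_forward eth0 eth1 203.0.113.10 8888 192.168.0.2 80 | iptables-restore
#   gen_local_alias eth0 422 22 | iptables-restore --noflush
```

Loading a table with iptables-restore replaces all of that table's chains unless --noflush is given, so merge these fragments into the host's full ruleset rather than loading them on top of existing INPUT rules.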
Load balancing
With the nth match (-m nth, options --counter 0 --every 3 --packet x) and a DNAT target in the nat table (the DNAT target is only valid there, so -t nat is required), incoming load can be spread evenly over three servers:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 0 -j DNAT --to-destination 192.168.1.101:443
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 1 -j DNAT --to-destination 192.168.1.102:443
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 2 -j DNAT --to-destination 192.168.1.103:443
User-defined chains
Logging dropped packets
# 1. Create a chain named LOGGING
iptables -N LOGGING
# 2. Send everything that reaches the end of INPUT to LOGGING (append this after all ACCEPT rules, since LOGGING drops whatever it receives)
iptables -A INPUT -j LOGGING
# 3. Log with the prefix "IPTables Packet Dropped: ", rate-limited to 2 entries a minute
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7
# 4. Drop the packets
iptables -A LOGGING -j DROP

Links Load balancing

November 8, 2016
Source: https://home.regit.org/netfilter-en/links-load-balancing/
Prerequisites:
Netfilter:
CONNMARK
nth (or the statistic module on recent kernels)
condition (for failover; available in xtables-addons)
iproute2
System:
A Linux gateway with two Internet links (any technology):
Link 1: bandwidth 1500, fraction 3
Link 2: bandwidth 500, fraction 1
So link 1 should carry 3/4 of the connections and link 2 the remaining 1/4.
Objective
The objective is load balancing with failover between the two links at connection level. The setup described here is for a NATed LAN.
Algorithm and setup
Mark system
We build a marking scheme in PREROUTING with MARK and use CONNMARK to restore the connection's mark in PREROUTING. The nth or condition module builds the pool:
mark 1 for link 1 outgoing
mark 2 for link 2 outgoing
In our example we use a counter of 4 to respect the bandwidth ratio:
1: mark 1
2: mark 2
3: mark 1
4: mark 1
This gives something like the following (nth numbers packets from 0 to every-1, so the four positions are --packet 0 to 3):

iptables -A PREROUTING -t mangle -j CONNMARK --restore-mark
iptables -A PREROUTING -t mangle -m mark --mark 0x0 -m nth --counter 1 \
--every 4 --packet 0 -j MARK --set-mark 1
iptables -A PREROUTING -t mangle -m mark --mark 0x0 -m nth --counter 1 \
--every 4 --packet 1 -j MARK --set-mark 2
iptables -A PREROUTING -t mangle -m mark --mark 0x0 -m nth --counter 1 \
--every 4 --packet 2 -j MARK --set-mark 1
iptables -A PREROUTING -t mangle -m mark --mark 0x0 -m nth --counter 1 \
--every 4 --packet 3 -j MARK --set-mark 1
iptables -A POSTROUTING -t mangle -j CONNMARK --save-mark
The syntax is different on recent kernels (2.6.24 and later), where the statistic module replaces nth. Be aware that the semantics differ too: the nth rules above share counter 1, whereas each statistic rule keeps its own counter, and that counter only advances when the rule is actually evaluated (here: while the packet still has mark 0). With four rules using --packet 0 to 3 the counters drift apart and some packets reach the end of the chain unmarked, falling through to the main routing table:

iptables -A PREROUTING -t mangle -j CONNMARK --restore-mark
iptables -A PREROUTING -t mangle -m mark --mark 0x0 -m statistic \
--mode nth --every 4 --packet 0 -j MARK --set-mark 1
iptables -A PREROUTING -t mangle -m mark --mark 0x0 -m statistic \
--mode nth --every 4 --packet 1 -j MARK --set-mark 2
iptables -A PREROUTING -t mangle -m mark --mark 0x0 -m statistic \
--mode nth --every 4 --packet 2 -j MARK --set-mark 1
iptables -A PREROUTING -t mangle -m mark --mark 0x0 -m statistic \
--mode nth --every 4 --packet 3 -j MARK --set-mark 1
iptables -A POSTROUTING -t mangle -j CONNMARK --save-mark
See the page connmark to understand CONNMARK usage.
Failover
We use the condition module from xtables-addons. The marking scheme is modified for failover: instead of one rule, each item of the nth/statistic pool gets two rules. For item 1:
-m condition --condition link1_up ... -j MARK --set-mark 1
-m condition ! --condition link1_up ... -j MARK --set-mark 2
So when link 1 is down the packet gets mark 2 and leaves via link 2. The condition match is placed before nth so that only the rule whose condition holds advances the shared counter. This gives (the MARKING chain lives in the mangle table, so it must be created there):

iptables -t mangle -N MARKING
iptables -A PREROUTING -t mangle -j CONNMARK --restore-mark
iptables -A PREROUTING -t mangle -m mark --mark 0x0 -j MARKING

iptables -A MARKING -t mangle -m condition --condition link1_up \
-m nth --counter 1 --every 4 --packet 0 -j MARK --set-mark 1
iptables -A MARKING -t mangle -m condition ! --condition link1_up \
-m nth --counter 1 --every 4 --packet 0 -j MARK --set-mark 2

iptables -A MARKING -t mangle -m condition --condition link2_up \
-m nth --counter 1 --every 4 --packet 1 -j MARK --set-mark 2
iptables -A MARKING -t mangle -m condition ! --condition link2_up \
-m nth --counter 1 --every 4 --packet 1 -j MARK --set-mark 1

iptables -A MARKING -t mangle -m condition --condition link1_up \
-m nth --counter 1 --every 4 --packet 2 -j MARK --set-mark 1
iptables -A MARKING -t mangle -m condition ! --condition link1_up \
-m nth --counter 1 --every 4 --packet 2 -j MARK --set-mark 2

iptables -A MARKING -t mangle -m condition --condition link1_up \
-m nth --counter 1 --every 4 --packet 3 -j MARK --set-mark 1
iptables -A MARKING -t mangle -m condition ! --condition link1_up \
-m nth --counter 1 --every 4 --packet 3 -j MARK --set-mark 2

iptables -A POSTROUTING -t mangle -j CONNMARK --save-mark
iproute2
The objective is to:
route packets with mark 1 through a table whose default gateway is via link 1
route packets with mark 2 through a table whose default gateway is via link 2
The syntax is the following (LINK1 and LINK2 must be defined in /etc/iproute2/rt_tables, or numeric table ids used instead):

ip route add default via GW_LINK1 table LINK1
ip route add default via GW_LINK2 table LINK2
ip rule add fwmark 1 table LINK1
ip rule add fwmark 2 table LINK2
NAT
For this to work we need to translate the internal addresses on the way out. Packets are dispatched:
those with mark 1 get the address of link 1,
those with mark 2 get the address of link 2.
This gives:

iptables -A POSTROUTING -t nat -m mark --mark 1 -j SNAT --to-source IP_LINK1
iptables -A POSTROUTING -t nat -m mark --mark 2 -j SNAT --to-source IP_LINK2

Advanced Features of netfilter/iptables

November 8, 2016
Source: http://linuxgazette.net/108/odonovan.html

By Barry O’Donovan

Introduction

It is commonly known that netfilter/iptables is the firewall of the Linux operating system. What is not commonly known is that iptables has many hidden gems that can allow you do things with your firewall that you might never have even imagined. In this article I am going to introduce many of these features with some practical uses. If you are not au fait with the basics of iptables then you should read my previous article in the Gazette, “Firewalling with netfilter/iptables“.

The following features are discussed:

  1. Specifying multiple ports in one rule
  2. Load balancing
  3. Restricting the number of connections
  4. Maintaining a list of recent connections to match against
  5. Matching against a string in a packet’s data payload
  6. Time-based rules
  7. Setting transfer quotas
  8. Packet matching based on TTL values

All of the features discussed in this article are extensions to the packet matching modules of iptables. I used only two of these extensions in the previous article: the state match (--state), which allowed us to filter packets based on whether they belong to NEW, ESTABLISHED, RELATED or INVALID connections; and the multiport extension, which I go into in more detail in this article.

Some of the modules introduced in this article (marked with an asterisk) have not made their way into the default Linux kernel yet but a netfilter utility called “patch-o-matic” can be used to add them to your own kernel and this will be discussed at the end of the article.

1. Specifying Multiple Ports with multiport

The multiport module allows one to specify a number of different ports in one rule. This allows for fewer rules and easier maintenance of iptables configuration files. For example, if we wanted to allow global access to the SMTP, HTTP, HTTPS and SSH ports on our server we would normally use something like the following:

-A INPUT -i eth0 -p tcp -m state --state NEW --dport ssh   -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW --dport smtp  -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW --dport http  -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW --dport https -j ACCEPT

Using the multiport matching module, we can now write:

-A INPUT -i eth0 -p tcp -m state --state NEW -m multiport --dports ssh,smtp,http,https -j ACCEPT

It must be used in conjunction with either -p tcp or -p udp and only up to 15 ports may be specified. The supported options are:

--sports port[,port,port...]
matches source port(s)
--dports port[,port,port...]
matches destination port(s)
--ports port[,port,port...]
matches both source and destination port(s)

mport* is another similar extension that also allows you to specify port ranges, e.g. --dports 22,80,6000:6100.

2. Load Balancing with random* or nth*

Both the random and nth extensions can be used for load balancing. If, for example, you wished to balance incoming web traffic between four mirrored web servers then you could add either of the following rule sets to your nat table:

-A PREROUTING -i eth0 -p tcp --dport 80 -m state --state NEW -m nth --counter 0 --every 4 --packet 0 \
    -j DNAT --to-destination 192.168.0.5:80
-A PREROUTING -i eth0 -p tcp --dport 80 -m state --state NEW -m nth --counter 0 --every 4 --packet 1 \
    -j DNAT --to-destination 192.168.0.6:80
-A PREROUTING -i eth0 -p tcp --dport 80 -m state --state NEW -m nth --counter 0 --every 4 --packet 2 \
    -j DNAT --to-destination 192.168.0.7:80
-A PREROUTING -i eth0 -p tcp --dport 80 -m state --state NEW -m nth --counter 0 --every 4 --packet 3 \
    -j DNAT --to-destination 192.168.0.8:80

or:

-A PREROUTING -i eth0 -p tcp --dport 80 -m state --state NEW -m random --average 25 \
    -j DNAT --to-destination 192.168.0.5:80
-A PREROUTING -i eth0 -p tcp --dport 80 -m state --state NEW -m random --average 25 \
    -j DNAT --to-destination 192.168.0.6:80
-A PREROUTING -i eth0 -p tcp --dport 80 -m state --state NEW -m random --average 25 \
    -j DNAT --to-destination 192.168.0.7:80
-A PREROUTING -i eth0 -p tcp --dport 80 -m state --state NEW \
    -j DNAT --to-destination 192.168.0.8:80

The nth matching extension allows you to match the nth packet received by the rule. There are up to 16 (0…15) counters for matching the nth packets. The above four (nth) rules use counter 0 to count every 4th packet. Once the 4th packet is received, the counter is reset to zero. The first rule matches the 1st packet (--packet 0) of every four counted, the second rule matches the 2nd packet (--packet 1), and so on.

The random matching extension allows you to match packets based on a given probability. The first rule from the set of random rules above matches 25% (--average 25) of the TCP connections to port 80 and redirects these to the first mirrored web server. Of the 75% of connections not matching on the first rule, 25% will match the second and a further 25% will match the third. The remaining 25% will be caught by the fourth rule.

Another use of the random extension would be to simulate a faulty network connection to evaluate the performance of networking hardware/software, etc.

3. Restricting the Number of Connections with limit and iplimit*

The limit matching extension can be used to limit the number of times a rule matches in a given time period while the iplimit extension can restrict the number of parallel TCP connections from a particular host or network. These extensions can be used for a variety of purposes:

  • to protect against DOS (denial of service) attacks such as preventing a flood of HTTP requests to your web server while ensuring all your customers have unlimited access;
  • to prevent a brute-force attack to guess passwords;
  • to limit Internet usage by staff during working hours;
  • and many many more.

Let’s take the case where we want to limit the Internet usage of our employees during working hours. We could use a rule like:

-A FORWARD -m state --state NEW -p tcp -m multiport --dport http,https -o eth0 -i eth1 \
    -m limit --limit 50/hour --limit-burst 5 -j ACCEPT

This rule assumes that we are acting as a gateway where the external connection is via eth0 and eth1 connects to our office network. The rule limits all of our internal computers to only 50 new HTTP or HTTPS connections per hour and the use of --limit-burst prevents any one employee from using up all 50 in one go. Packets can be matched /day, /hour, /minute or /sec.

The --limit-burst parameter can be quite confusing at first. In the above example, it will ensure that if all employees are trying to access the Internet throughout the hour then only 5 connections are made every 5 minutes. If 30 minutes pass with no connections and then there is a sudden rush for the remaining 30 minutes, only 5 connections will be permitted every 2.5 minutes. I once heard it explained as follows:

For every limit rule, there's a "bucket" containing "tokens". Whenever the rule matches, a token is removed and when the token count reaches zero, the rule doesn't match anymore.
--limit is the bucket refill rate.
--limit-burst is the bucket size (number of tokens that it can hold).

The iplimit extension allows us to restrict the number of parallel TCP connections from a particular host or network. If, for example, we wanted to limit the number of HTTP connections made by any single IP address to 5 we could use:

-A INPUT -p tcp -m state --state NEW --dport http -m iplimit --iplimit-above 5 -j DROP

4. Maintaining a List of recent Connections to Match Against

By using the recent extension one can dynamically create a list of IP addresses that match a rule and then match against these IPs in different ways later. One possible use would be to create a “temporary” bad-guy list by detecting possible port scans and to then DROP all other connections from the same source for a given period of time

Port 139 is one of the most dangerous ports for Microsoft Windows® users as it is through this port that the Windows file and print sharing service runs. This also makes this port one of the first scanned by many port scanners or potential hackers and a target for many of the worms around today. We can use the recent matching extension to temporarily block any IP from connecting with our machine that scans this port as follows:

-A FORWARD -m recent --name portscan --rcheck --seconds 300 -j DROP
-A FORWARD -p tcp -i eth0 --dport 139 -m recent --name portscan --set -j DROP

Now anyone trying to connect through our firewall to port 139 will have all of their forwarded packets dropped for the next 300 seconds. The supported options include:

--name name
The name of the list to store the IP in or check it against. If no name is given then DEFAULT will be used
--set
This will add the source address of the packet to the list. If the source address is already in the list, this will update the existing entry.
--rcheck
This will check if the source address of the packet is currently in the list.
--update
This will check if the source address of the packet is currently in the list. If it is then that entry will be updated and the rule will return true.
--remove
This will check if the source address of the packet is currently in the list and if so that address will be removed from the list and the rule will return true.
--seconds seconds
This option must be used in conjunction with one of --rcheck or --update. When used, this will narrow the match to only happen when the address is in the list and was seen within the last given number of seconds.
--hitcount hits
This option must be used in conjunction with one of --rcheck or --update. When used, this will narrow the match to only happen when the address is in the list and packets had been received greater than or equal to the given value. This option may be used along with `seconds’ to create an even narrower match requiring a certain number of hits within a specific time frame.

5. Matching Against a string* in a Packet’s Data Payload

The string extension allows one to match a string anywhere in a packet’s data payload. Although this extension does have many valid uses, I would strongly advise caution. Let’s say, for example, that our Linux firewall is protecting an internal network with some computers running Microsoft Windows® and we would like to block all executable files. We might try something like:

-A FORWARD -m string --string '.com' -j DROP
-A FORWARD -m string --string '.exe' -j DROP

This has a number of problems:

  • if the ‘.com‘ or ‘.exe‘ is split across two packets it will not be matched
  • if any packet being transmitted contains either of the strings it will be dropped; this includes any packets from a web page containing those strings, from an e-mail transmission, etc

6. Time-based Rules with time*

We can match rules based on the time of day and the day of the week using the time module. This could be used to limit staff web usage to lunch-times, to take each of a set of mirrored web servers out of action for automated backups or system maintenance, etc. The following example allows web access during lunch hour:

-A FORWARD -p tcp -m multiport --dport http,https -o eth0 -i eth1 \
    -m time --timestart 12:30 --timestop 13:30 --days Mon,Tue,Wed,Thu,Fri -j ACCEPT

Clearly the start and stop times are 24-hour with the format HH:MM. The day is a comma-separated list that is case sensitive and made up of Mon, Tue, Wed, Thu, Fri, Sat and/or Sun.

7. Setting transfer quotas with quota*

Setting transfer quotas can be very useful in many situations. As an example, a lot of broadband users will have download quotas set for them by their ISP and many may charge extra for every megabyte transferred in excess of this quota. You can use iptables to monitor your usage and cut you off when you reach your quota (say 2GB) with a rule similar to the following:

-A INPUT -p tcp -m quota --quota 2147483648 -j ACCEPT
-A INPUT -j DROP

You can then view your usage with the following command:
$ iptables -v -L

You would also need to reset the quota every month manually (by restarting iptables) or with a cron job. Clearly your computer would need to be ‘always-on’ for this example to be of any use, but there are also any other situations where the quota extension would be useful.

8. Packet Matching Based on TTL Values

The TTL (Time-To-Live) value of a packet is an 8-bit number that is decremented by one each time the packet is processed by an intermediate host between its source and destination. The default value is operating system dependent and usually ranges from 32 to 128. Its purpose includes ensuring that no packet stays in the network for an unreasonable length of time, gets stuck in an endless loop because of bad routing tables, etc. Once the TTL value of a packet reaches 0 it is discarded and a message is sent to its source which can decide whether or not to resend it.

As an interesting aside: this is actually how the traceroute command works. It sends a packet to the destination with a TTL of 1 first and gets a reply from the first intermediate host. It then sends a packet with a TTL of 2 and receives a reply from the second intermediate host and so on until it reaches its destination.

The usefulness of packet matching based on TTL value depends on your imagination. One possible use is to identify "man-in-the-middle" attacks. If you regularly connect from home to work you could monitor your TTL values and establish a reasonable maximum value at the receiving end. You can then use this to deny any packets that arrive with a higher TTL value as it may indicate a possible "man-in-the-middle" attack; someone intercepting your packets, reading/storing them and resending them onto the destination. There are of course "man-in-the-middle" methods that wouldn't alter the TTL value but, as always, security is never absolute, only incremental. TTL matching could also be used for network debugging or to find hosts with bad default TTL values.

As a simple example, let’s reject all packets from a specific IP with a TTL of less than 40:

-A INPUT -s 1.2.3.4 -m ttl --ttl-lt 40 -j REJECT

You can also check for TTL values that are greater than (--ttl-gt) or equal to (--ttl-eq) a particular value.

Patching Your Kernel with Patch-O-Matic (POM)

Some of the newer features introduced in this article are not considered stable enough by the netfilter development team for inclusion in the current Linux kernel. To use these you will need to patch your kernel using a utility called patch-o-matic. This is not for the faint of heart and I am not going to provide step-by-step instructions here. I will simply cover patch-o-matic and provide references to more information.

Patch-o-matic can be downloaded from the netfilter homepage, http://www.netfilter.org/. You will also need the source code for your kernel (if you are using a kernel supplied with your distribution, install the kernel-source package or install a new kernel by downloading the latest kernel source code from http://www.kernel.org/) and the source code for iptables which you can also download from the netfilter homepage. Once you have these, unpack them and execute the runme script from patch-o-matic as follows:
$ KERNEL_DIR=<path to the kernel source code> IPTABLES_DIR=<path to the iptables source code> ./runme extra

The script describes each new extension and asks whether or not to patch the kernel for it. Once that is finished you will need to recompile the kernel, the netfilter kernel modules and the iptables binaries. This is outside the scope of this article but you will find useful information on the following sites:

IPtables extensions

November 8, 2016
Source: http://www.mad-hacking.net/documentation/linux/security/iptables/extensions.xml
Obtaining and installing the extensions

While the standard kernel comes with a variety of NetFilter and xtables modules there are also some extra modules available which are not included in the standard "vanilla" kernel for one reason or another. These extra modules can be found on the Netfilter web site.

The extension modules are added to the kernel sources using a tool called patch-o-matic-ng which is released regularly. You should browse the snapshots directory for the latest available snapshot of patch-o-matic-ng and replace the URL and filenames below as appropriate.

firewall ~ # wget ftp://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/patch-o-matic-ng-20070107.tar.bz2
firewall ~ # tar -jxf patch-o-matic-ng-20070107.tar.bz2
firewall ~ # rm patch-o-matic-ng-20070107.tar.bz2
Now that we have downloaded the extension modules, and the patch-o-matic-ng tool with which to apply them to our kernel, all that remains is to install the extension modules into our current kernel source tree.

The first step is to ensure that iptables has been installed with the extensions USE flag set. If not, add an entry to /etc/portage/package.use as shown below.

firewall ~ # emerge -pv iptables

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild N ] net-firewall/iptables-1.3.5-r4 USE="-extensions -imq -ipv6 -l7filter -static"

firewall ~ # echo "net-firewall/iptables extensions" >> /etc/portage/package.use
firewall ~ # emerge -pv iptables

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild N ] net-firewall/iptables-1.3.5-r4 USE="extensions -imq -ipv6 -l7filter -static"
Once we are sure that iptables will be installed with the correct use-flags set we can determine which ebuild will be used with the following command.

firewall ~ # equery which iptables

/usr/portage/net-firewall/iptables/iptables-1.3.5-r4.ebuild
Now that we know which ebuild would be used by portage to install iptables we can use it to unpack the source with the following commands. The ebuild will display a message detailing the path of the unpacked sources which we shall need in the next step.

firewall ~ # ebuild /usr/portage/net-firewall/iptables/iptables-1.3.5-r4.ebuild clean
firewall ~ # ebuild /usr/portage/net-firewall/iptables/iptables-1.3.5-r4.ebuild unpack

>>> Unpacking iptables-1.3.5.tar.bz2 to /var/tmp/portage/iptables-1.3.5-r4/work
Armed with this information we are ready to apply the kernel patches using the patch-o-matic-ng tool, our existing kernel sources, and the iptables sources which we obtained above. The following commands will start the patch-o-matic-ng tool and begin the patching process. You will need to modify the paths as appropriate for the version of iptables and the patch-o-matic-ng tool which you are using.

firewall ~ # cd patch-o-matic-ng-20070107
firewall patch-o-matic-ng-20070107 # IPTABLES_DIR=/var/tmp/portage/iptables-1.3.5-r4/work/iptables-1.3.5/ KERNEL_DIR=/usr/src/linux ./runme extra
Selecting the extensions

When patch-o-matic-ng is run, assuming that the iptables and kernel source directories can be located, you should be greeted with a screen similar to that shown below.

Welcome to Patch-o-matic ($Revision$)!

Kernel: 2.6.17, /usr/src/linux
Iptables: 1.3.5, /var/tmp/portage/iptables-1.3.5-r4/work/iptables-1.3.5/

Each patch is a new feature: many have minimal impact, some do not.
Almost every one has bugs, so don’t apply what you don’t need!
-------------------------------------------------------
Already applied: ROUTE

Testing TARPIT… not applied
The TARPIT patch:
Author: "Aaron Hopkins"
Status: Works for me

Adds a TARPIT target to iptables, which captures and holds incoming TCP
connections using no local per-connection resources. Connections are
accepted, but immediately switched to the persist state (0 byte window), in
which the remote side stops sending data and asks to continue every 60-240
seconds. Attempts to close the connection are ignored, forcing the remote
side to time out the connection in 12-24 minutes.

-----------------------------------------------------------------
Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?]
As you can see the first few lines are taken up by a greeting, some status information, and a warning about the potential instability of any experimental modules. The next section details the currently applied patches, in this case the ROUTE target has been applied already. Following that is a section providing detailed information about the current patch including some brief usage instructions and the current status of the patch.

Rebuilding iptables and the kernel

With the desired patches applied to both the kernel and the iptables sources we are now in a position where both can be built and installed. We can use portage and the ebuild to do all the work for us when it comes to completing the installation of iptables as shown below.

firewall ~ # ebuild /usr/portage/net-firewall/iptables/iptables-1.3.5-r4.ebuild compile
firewall ~ # ebuild /usr/portage/net-firewall/iptables/iptables-1.3.5-r4.ebuild install
firewall ~ # ebuild /usr/portage/net-firewall/iptables/iptables-1.3.5-r4.ebuild qmerge
You will have to build and install the kernel by hand in the usual way. Remember to ensure that any extension modules you have patched into the kernel sources have been enabled in the kernel configuration as they are all disabled by default.

Configuring the firewall to open ports 80 and 3306

November 8, 2016

http://www.cnblogs.com/zhenmingliu/archive/2012/04/16/2452629.html
vi /etc/sysconfig/iptables
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT    (allow port 80 through the firewall)
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT  (allow port 3306 through the firewall)
Important note: many people add these two rules as the last line of the firewall configuration, which makes the firewall fail to start. The correct place is directly below the default port 22 rule.
After adding them, the firewall rules look like this:
######################################
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
#####################################
/etc/init.d/iptables restart   # finally, restart the firewall so the configuration takes effect

Fixing the iptables-restore import error 'iptables-restore v1.4.7: iptables-restore: unable to initialize table 'security'

November 8, 2016

http://www.dabu.info/resolve-iptables-restore-cause-restore-iptables-restore-unable-initialize-table.html
A few days ago a reader asked me to help him add an iptables rule. I simply dragged the backup file of the existing iptables rules over to Windows to edit it, uploaded it with sftp when I was done, and then ran iptables-restore < iptables-rules.bak. iptables reported the following error:
FATAL: Module ip_tables not found.
'iptables-restore v1.4.7: iptables-restore: unable to initialize table 'security
Error occurred at line: 2
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
It says one of the iptables tables cannot be initialized. I looked at line 2 and really could not find an error.
Analysis: before I used iptables-restore there was still a complete, known-good iptables backup file, iptables. When I tried importing that rules file into iptables, there was no
FATAL: Module ip_tables not found.
'iptables-restore v1.4.7: iptables-restore: unable to initialize table 'security
Error occurred at line: 2
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
But as soon as I imported my modified file, it reported the error. Yet I honestly could not see any syntax or spelling error in it. In the end the only guess left was that the file format was wrong. I converted the modified file to Unix format, uploaded it again and imported it, and there was no problem at all. Error solved.
It is also possible that editing under Windows added a lot of other unnecessary characters, so it is simpler to change the rules file under Linux.
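The two posts above share one failure mode: either a rule lands in the wrong place in /etc/sysconfig/iptables (behind the catch-all REJECT, or after COMMIT where iptables-restore reports a failed line), or the file's bytes are no longer what iptables-restore expects (Windows line endings, a BOM, or dashes and quotes mangled by copy and paste, which is how "--dport" turns into an en-dash). The following Python script is an added example, not code from either post: it checks an iptables-save style ruleset for those problems and inserts new INPUT rules directly before the catch-all, which in the layout shown above is directly below the port 22 rule. The sample ruleset is constructed for the demo.

```python
"""Sanity-check an /etc/sysconfig/iptables style ruleset before iptables-restore,
and insert new INPUT rules where they will actually be evaluated.
Added example; the sample ruleset below is constructed for the demo."""
import re

# Constructed sample, modelled on the system-config-firewall layout shown above.
SAMPLE_RULESET = """\
# Firewall configuration written by system-config-firewall
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""


def check_ruleset(data: bytes) -> list:
    """Return a list of problems that make iptables-restore fail or change meaning:
    a UTF-8 BOM, CRLF line endings, non-ASCII bytes (an en-dash where '--' should be,
    curly quotes), and rules placed after COMMIT, where no table is open."""
    problems = []
    if data.startswith(b"\xef\xbb\xbf"):
        problems.append("UTF-8 BOM at start of file")
    if b"\r\n" in data:
        problems.append("CRLF (Windows) line endings")
    for lineno, raw in enumerate(data.splitlines(), 1):
        if any(b > 0x7F for b in raw):
            problems.append(f"line {lineno}: non-ASCII byte (check dashes/quotes)")
    text = data.decode("utf-8", "replace").replace("\r\n", "\n")
    seen_commit = False
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if stripped == "COMMIT":
            seen_commit = True
        elif seen_commit and stripped and not stripped.startswith(("#", "*")):
            problems.append(f"line {lineno}: rule after COMMIT")
    return problems


def insert_input_rules(text: str, new_rules) -> str:
    """Insert rules into INPUT immediately before its first catch-all REJECT/DROP,
    so they are reached (first match wins) and never end up after COMMIT."""
    lines = text.splitlines()
    catchall = re.compile(r"^-A INPUT -j (REJECT|DROP)\b")
    for i, line in enumerate(lines):
        if catchall.match(line.strip()):
            return "\n".join(lines[:i] + list(new_rules) + lines[i:]) + "\n"
    raise ValueError("no INPUT catch-all rule found; refusing to guess a position")


if __name__ == "__main__":
    print(check_ruleset(SAMPLE_RULESET.encode()))          # []
    print(insert_input_rules(SAMPLE_RULESET,
          ["-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT"]))
```

Run check_ruleset on the bytes of the file as uploaded (not on text you have already decoded) so that CRLF and the BOM are still visible; a non-empty list is a reason not to feed the file to iptables-restore yet.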

Common iptables configuration examples for Linux

November 5, 2016

http://www.ha97.com/3928.html

The following configuration notes come from http://wiki.ubuntu.org.cn/IptablesHowTo

You can temporarily stop the firewall by clearing all rules with /sbin/iptables -F. (Warning: this is only suitable for an environment where no firewall has been configured; if a default policy of deny has already been set, this step will cut off all network access to the system.)

If you want to clear the rules, first run
/sbin/iptables -P INPUT ACCEPT
and then run
/sbin/iptables -F
If iptables -L shows the following
Chain INPUT (policy DROP 0 packets, 0 bytes) (note the DROP)
then running /sbin/iptables -F will certainly cut the connection immediately.
Once you have run
/sbin/iptables -P INPUT ACCEPT
iptables -L will instead show
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
so now it is safe to run
/sbin/iptables -F

——————————————————————

Commonly used iptables rules:
Only allow sending and receiving mail, block everything else
iptables -I Filter -m mac --mac-source 00:0F:EA:25:51:37 -j DROP
iptables -I Filter -m mac --mac-source 00:0F:EA:25:51:37 -p udp --dport 53 -j ACCEPT
iptables -I Filter -m mac --mac-source 00:0F:EA:25:51:37 -p tcp --dport 25 -j ACCEPT
iptables -I Filter -m mac --mac-source 00:0F:EA:25:51:37 -p tcp --dport 110 -j ACCEPT

IPSEC NAT policy
iptables -I PFWanPriv -d 192.168.100.2 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.2:80
iptables -t nat -A PREROUTING -p tcp --dport 1723 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.2:1723
iptables -t nat -A PREROUTING -p udp --dport 1723 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.2:1723
iptables -t nat -A PREROUTING -p udp --dport 500 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.2:500
iptables -t nat -A PREROUTING -p udp --dport 4500 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.2:4500

NAT for an FTP server
iptables -I PFWanPriv -p tcp --dport 21 -d 192.168.100.200 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 21 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.200:21

Only allow access to specified sites
iptables -A Filter -p udp --dport 53 -j ACCEPT
iptables -A Filter -p tcp --dport 53 -j ACCEPT
iptables -A Filter -d www.3322.org -j ACCEPT
iptables -A Filter -d img.cn99.com -j ACCEPT
iptables -A Filter -j DROP

Open some ports for one IP, block everything else
iptables -A Filter -p tcp --dport 80 -s 192.168.100.200 -d www.pconline.com.cn -j ACCEPT
iptables -A Filter -p tcp --dport 25 -s 192.168.100.200 -j ACCEPT
iptables -A Filter -p tcp --dport 109 -s 192.168.100.200 -j ACCEPT
iptables -A Filter -p tcp --dport 110 -s 192.168.100.200 -j ACCEPT
iptables -A Filter -p tcp --dport 53 -j ACCEPT
iptables -A Filter -p udp --dport 53 -j ACCEPT
iptables -A Filter -j DROP

Multiple ports
iptables -A Filter -p tcp -m multiport --destination-port 22,53,80,110 -s 192.168.20.3 -j REJECT

Port ranges
iptables -A Filter -p tcp -m multiport --source-port 22,53,80,110 -s 192.168.20.3 -j REJECT
iptables -A Filter -p tcp --source-port 2:80 -s 192.168.20.3 -j REJECT

Internet access only at specified times
iptables -A Filter -s 10.10.10.253 -m time --timestart 6:00 --timestop 11:00 --days Mon,Tue,Wed,Thu,Fri,Sat,Sun -j DROP
iptables -A Filter -m time --timestart 12:00 --timestop 13:00 --days Mon,Tue,Wed,Thu,Fri,Sat,Sun -j ACCEPT
iptables -A Filter -m time --timestart 17:30 --timestop 8:30 --days Mon,Tue,Wed,Thu,Fri,Sat,Sun -j ACCEPT
Block several port services
iptables -A Filter -m multiport -p tcp --dport 21,23,80 -j ACCEPT

NAT the WAN port to a PC
iptables -t nat -A PREROUTING -i $INTERNET_IF -d $INTERNET_ADDR -j DNAT --to-destination 192.168.0.1

NAT WAN port 8000 to port 80 on 192.168.100.200
iptables -t nat -A PREROUTING -p tcp --dport 8000 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.200:80

Ports to forward for a mail server
iptables -t nat -A PREROUTING -p tcp --dport 110 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.200:110
iptables -t nat -A PREROUTING -p tcp --dport 25 -d $INTERNET_ADDR -j DNAT --to-destination 192.168.100.200:25

Only allow PING to 202.96.134.133, block all other services
iptables -A Filter -p icmp -s 192.168.100.200 -d 202.96.134.133 -j ACCEPT
iptables -A Filter -j DROP
Block BitTorrent
iptables -A Filter -p tcp --dport 6000:20000 -j DROP
Firewall configuration to block QQ
iptables -A Filter -p udp --dport ! 53 -j DROP
iptables -A Filter -d 218.17.209.0/24 -j DROP
iptables -A Filter -d 218.18.95.0/24 -j DROP
iptables -A Filter -d 219.133.40.177 -j DROP
MAC-based: only allow sending and receiving mail, reject everything else
iptables -I Filter -m mac --mac-source 00:0A:EB:97:79:A1 -j DROP
iptables -I Filter -m mac --mac-source 00:0A:EB:97:79:A1 -p tcp --dport 25 -j ACCEPT
iptables -I Filter -m mac --mac-source 00:0A:EB:97:79:A1 -p tcp --dport 110 -j ACCEPT
Block MSN
iptables -A Filter -p udp --dport 9 -j DROP
iptables -A Filter -p tcp --dport 1863 -j DROP
iptables -A Filter -p tcp --dport 80 -d 207.68.178.238 -j DROP
iptables -A Filter -p tcp --dport 80 -d 207.46.110.0/24 -j DROP
Only allow PING to 202.96.134.133; no other public IP may be pinged
iptables -A Filter -p icmp -s 192.168.100.200 -d 202.96.134.133 -j ACCEPT
iptables -A Filter -p icmp -j DROP
Block a MAC address from accessing the Internet:
iptables -I Filter -m mac --mac-source 00:20:18:8F:72:F8 -j DROP
Block PING from an IP address:
iptables -A Filter -p icmp -s 192.168.0.1 -j DROP
Block services for an IP address:
iptables -A Filter -p tcp -s 192.168.0.1 --dport 80 -j DROP
iptables -A Filter -p udp -s 192.168.0.1 --dport 53 -j DROP
Only allow certain services, reject everything else (2 rules)
iptables -A Filter -p tcp -s 192.168.0.1 --dport 1000 -j ACCEPT
iptables -A Filter -j DROP
Block a port service for an IP address
iptables -A Filter -p tcp -s 10.10.10.253 --dport 80 -j ACCEPT
iptables -A Filter -p tcp -s 10.10.10.253 --dport 80 -j DROP
Block a port service for a MAC address
iptables -I Filter -p tcp -m mac --mac-source 00:20:18:8F:72:F8 --dport 80 -j DROP
Block a MAC address from accessing the Internet:
iptables -I Filter -m mac --mac-source 00:11:22:33:44:55 -j DROP
Block PING from an IP address:
iptables -A Filter -p icmp -s 192.168.0.1 -j DROP
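Two things in the material above bite most often: rules are evaluated first match wins (so an ACCEPT appended behind a catch-all DROP is dead, while -I puts it in front), and -F removes the rules but leaves the default policy, which is why flushing with a DROP policy cuts your own session. The following Python model of a filter table is an added example, not part of the original post or of iptables itself: it reproduces those semantics (chains with default policies, -A versus -I, LOG as non-terminating, user-defined chains that RETURN) and replays both situations with constructed packets.

```python
"""Model of iptables first-match semantics. Added example with constructed packets;
not code from the original post."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str                    # source address
    dport: int = 0
    state: str = "NEW"          # what '-m state --state' would see from conntrack


@dataclass
class Rule:
    target: str                 # ACCEPT, DROP, REJECT, LOG, RETURN or a user chain
    proto: Optional[str] = None
    src: Optional[str] = None   # address or CIDR, as with -s 192.168.100.0/24
    dport: Optional[int] = None
    state: Optional[str] = None # comma-separated, as with --state NEW,ESTABLISHED

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.state is not None and pkt.state not in self.state.split(","):
            return False
        if self.src is not None and ipaddress.ip_address(pkt.src) not in \
                ipaddress.ip_network(self.src, strict=False):
            return False
        return True


class Firewall:
    """One table: built-in chains with default policies, plus user chains."""
    TERMINAL = {"ACCEPT", "DROP", "REJECT"}

    def __init__(self):
        self.chains = {"INPUT": [], "FORWARD": [], "OUTPUT": []}
        self.policy = {"INPUT": "ACCEPT", "FORWARD": "ACCEPT", "OUTPUT": "ACCEPT"}

    def new_chain(self, name):            # iptables -N
        self.chains[name] = []

    def append(self, chain, rule):        # iptables -A
        self.chains[chain].append(rule)

    def insert(self, chain, rule):        # iptables -I (position 1)
        self.chains[chain].insert(0, rule)

    def set_policy(self, chain, policy):  # iptables -P
        self.policy[chain] = policy

    def flush(self):                      # iptables -F: rules go, policies stay
        for chain in self.chains:
            self.chains[chain].clear()

    def _walk(self, chain, pkt):
        """First matching terminal target wins; LOG does not terminate; RETURN
        leaves the user chain and the caller continues with its next rule."""
        for rule in self.chains[chain]:
            if not rule.matches(pkt):
                continue
            if rule.target in self.TERMINAL:
                return rule.target
            if rule.target == "RETURN":
                return None
            if rule.target == "LOG":
                continue
            sub = self._walk(rule.target, pkt)   # jump into a user-defined chain
            if sub is not None:
                return sub
        return None

    def verdict(self, chain, pkt):
        """Verdict for a packet entering a built-in chain, falling back to policy."""
        return self._walk(chain, pkt) or self.policy[chain]


def demo_flush_with_drop_policy():
    """'-F' while the INPUT policy is DROP: the rules are gone but the policy stays,
    so the SSH session you typed it from is cut off. Returns the three verdicts."""
    fw = Firewall()
    fw.set_policy("INPUT", "DROP")
    fw.append("INPUT", Rule("ACCEPT", proto="tcp", dport=22))
    ssh = Packet("tcp", "10.0.0.5", dport=22, state="ESTABLISHED")
    before = fw.verdict("INPUT", ssh)
    fw.flush()
    after_flush = fw.verdict("INPUT", ssh)
    fw.set_policy("INPUT", "ACCEPT")      # the safe order: -P INPUT ACCEPT, then -F
    return before, after_flush, fw.verdict("INPUT", ssh)   # ACCEPT, DROP, ACCEPT


def demo_append_vs_insert():
    """With a catch-all DROP already in place, a rule appended with -A is never
    reached; -I puts it in front of the catch-all."""
    fw = Firewall()
    fw.append("INPUT", Rule("DROP"))
    allow_ping = Rule("ACCEPT", proto="icmp", src="192.168.100.200")
    fw.append("INPUT", allow_ping)
    ping = Packet("icmp", "192.168.100.200")
    appended = fw.verdict("INPUT", ping)
    fw.insert("INPUT", allow_ping)
    return appended, fw.verdict("INPUT", ping)   # DROP, ACCEPT
```

The model deliberately stops at the matches used on this page (protocol, source, destination port, conntrack state); it is enough to reason about rule order before typing it into a remote box.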
————————————————————————————————

In the packet flow of IPFW or Netfilter, local processes do not pass through the FORWARD chain,
so lo only takes effect in the INPUT and OUTPUT chains.
Example 1:

#!/bin/sh
#
# Static security firewall script
#
# created by yejr, 2007-03-20
#
#
# Define the trusted IP lists
# Internal IP subnet
MY_IP_LIST_1=192.168.8.0/24
# External IP subnet
MY_IP_LIST_2=1.2.3.0/24
# Everything
ALL_IP=0/0
# Beijing ADSL dynamic IP range
BJADSL_IP_LIST=221.218.0.0/16
# Define the port lists
# FTP ports
FTP_PORT_1=20
FTP_PORT_RANGE="1023:65535"
FTP_PORT_2=21
# DNS port
DNS_PORT=53
# httpd port
HTTP_PORT=80
# ssh port
SSH_PORT=4321
IPT="/sbin/iptables"
# Internal network
LC_IFACE="eth1"
LC_ADDR="192.168.8.2"
# Public network
INET_IFACE="eth0"
INET_ADDR="1.2.3.4"
# Localhost
LO_IFACE="lo"
LO_ADDR=127.0.0.1
# Rate limit for accepted requests
MAX_NUM_PACKS=1024
# Core module
/sbin/modprobe ip_tables
# FTP module
/sbin/modprobe ip_nat_ftp
# Connection tracking module (used for rate limiting)
/sbin/modprobe ip_conntrack
# Reset the firewall to its default state
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
#$IPT -P OUTPUT ACCEPT
$IPT -F
$IPT -X
# Reject all requests first
$IPT -P INPUT DROP
#$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
##########################################
# Kernel parameters
##########################################
# Enable SYN flood protection
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
# Enable reverse path source validation to prevent spoofing
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
# Ignore ICMP echo requests sent to broadcast addresses
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Reject source-routed packets
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
# Only accept ICMP redirects from gateways in the default gateway list
echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
# Log requests from impossible (martian) source addresses
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
##########################################
# Build the chains
##########################################
# Invalid packet rules
$IPT -N bad_packets
# Another chain for malicious TCP packets
$IPT -N bad_tcp_packets
# ICMP rules (in/out)
$IPT -N icmp_packets
# UDP requests from the public network
$IPT -N inet_udp_inbound
# UDP requests from this host to the public network, all allowed by default
$IPT -N udp_outbound
# TCP requests from the public network
$IPT -N inet_tcp_inbound
# TCP requests from this host to the public network, all allowed by default
$IPT -N tcp_outbound
##########################################
# Malicious request rules
##########################################
# Drop invalid packets immediately and log them
$IPT -A bad_packets -p ALL -m state --state INVALID \
-j LOG --log-prefix "IPTABLES_INVALID_PACKET:"
$IPT -A bad_packets -p ALL -m state --state INVALID \
-j DROP
# Check TCP packets again for further problems
$IPT -A bad_packets -p tcp -j bad_tcp_packets
# All fine, return
$IPT -A bad_packets -p ALL -j RETURN
##########################################
# Malicious TCP requests
##########################################
#
# All TCP requests must pass through the following filters. Any new
# connection must begin with a SYN packet.
# If it does not, this is most likely a scan, and such packets
# in NEW state are dropped
#
$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state \
NEW -j LOG --log-prefix "IPTABLES_NEW_NOT_SYN:"
$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state \
NEW -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j \
LOG --log-prefix "IPTABLES_STEALTH_SCAN:"
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j \
LOG --log-prefix "IPTABLES_STEALTH_SCAN:"
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH \
-j LOG --log-prefix "IPTABLES_STEALTH_SCAN:"
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH \
-j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG \
-j LOG --log-prefix "IPTABLES_STEALTH SCAN:"
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL \
SYN,RST,ACK,FIN,URG -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags \
SYN,RST SYN,RST -j LOG --log-prefix \
"IPTABLES_STEALTH SCAN:"
$IPT -A bad_tcp_packets -p tcp --tcp-flags \
SYN,RST SYN,RST -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags \
SYN,FIN SYN,FIN -j LOG --log-prefix \
"IPTABLES_STEALTH SCAN:"
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# All fine, return
$IPT -A bad_tcp_packets -p tcp -j RETURN
##########################################
# ICMP packet rules
##########################################
#
# ICMP packets must fit in a single layer-2 frame, so they are never fragmented.
# Fragmented ICMP packets are usually
# a sign of a malicious attack
#
$IPT -A icmp_packets --fragment -p ICMP -j LOG \
--log-prefix "IPTABLES_ICMP Fragment:"
$IPT -A icmp_packets --fragment -p ICMP -j DROP
#
# By default, dropped ICMP packets are not logged. "Blaster"
# and similar "worms" make systems send
# large numbers of ping requests. Leave this line in if you want icmp logs
#
# Allow PING from our own server IPs and from the Beijing ADSL range
$IPT -A icmp_packets -p ICMP -s $MY_IP_LIST_2 -j ACCEPT
$IPT -A icmp_packets -p ICMP -s $BJADSL_IP_LIST -j ACCEPT
# Drop all other PINGs
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j DROP
# Accept time-exceeded ICMP packets
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
##########################################
# TCP & UDP packet rules
##########################################
##########################################
# UDP requests from the public network
##########################################
#$IPT -A inet_udp_inbound -p UDP \
#-s $MY_IP_LIST_2 --dport $DNS_PORT -j ACCEPT
# All fine, return
$IPT -A inet_udp_inbound -p UDP -j RETURN
##########################################
# UDP requests to the public network
##########################################
# All fine, return
$IPT -A udp_outbound -p UDP -s 0/0 -j ACCEPT
##########################################
# TCP requests from the public network
##########################################
# sshd is open only to the Beijing ADSL IP range
$IPT -A inet_tcp_inbound -p TCP \
-s $BJADSL_IP_LIST --dport $SSH_PORT -j ACCEPT
# Allow FTP port requests from our own server IPs
# FTP Data fix
$IPT -A inet_tcp_inbound -p TCP -s $MY_IP_LIST_2 \
--sport $FTP_PORT_1 --dport $FTP_PORT_RANGE ! --syn \
-m state --state RELATED -j ACCEPT
$IPT -A inet_tcp_inbound -p TCP -s $MY_IP_LIST_2 \
-m state --state ESTABLISHED -j ACCEPT
$IPT -A inet_tcp_inbound -p UDP -s $MY_IP_LIST_2 \
--dport $FTP_PORT_RANGE -j ACCEPT
$IPT -A inet_tcp_inbound -p TCP -s $MY_IP_LIST_2 \
--dport $FTP_PORT_1 ! --syn -j ACCEPT
$IPT -A inet_tcp_inbound -p TCP -s $MY_IP_LIST_2 \
--dport $FTP_PORT_2 -j ACCEPT
# Allow all IPs to reach the http service
$IPT -A inet_tcp_inbound -p TCP -s $ALL_IP \
--dport $HTTP_PORT -j ACCEPT
# All fine, return
$IPT -A inet_tcp_inbound -p TCP -j RETURN
##########################################
# TCP requests to the public network
##########################################
# All fine, return
$IPT -A tcp_outbound -p TCP -s 0/0 -j ACCEPT
##########################################
# Other incoming requests
##########################################
# Allow any traffic from this host and within the local subnet
$IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT
$IPT -A INPUT -p ALL -d $LC_ADDR -j ACCEPT
# Accept any request from trusted IPs
$IPT -A INPUT -p ALL -s $MY_IP_LIST_1 -j ACCEPT
$IPT -A INPUT -p ALL -s $MY_IP_LIST_2 -j ACCEPT
# Drop any bad packets
$IPT -A INPUT -p ALL -j bad_packets
# Reject DOCSIS requests
$IPT -A INPUT -p ALL -d 224.0.0.1 -j REJECT
# Accept established connections
$IPT -A INPUT -p ALL -i $INET_IFACE -m state \
--state ESTABLISHED,RELATED -j ACCEPT
# Wire up the chains defined above
$IPT -A INPUT -p TCP -d $INET_ADDR -j inet_tcp_inbound
$IPT -A INPUT -p UDP -d $INET_ADDR -j inet_udp_inbound
$IPT -A INPUT -p ICMP -d $INET_ADDR -j icmp_packets
# Drop broadcast packets without logging them
$IPT -A INPUT -m pkttype --pkt-type broadcast -j REJECT
# Log any other unmatched packets
$IPT -A INPUT -m limit --limit $MAX_NUM_PACKS/minute \
--limit-burst $MAX_NUM_PACKS -j LOG --log-prefix \
"IPTABLES_MISS_MATCH_INPUT:"
##########################################
# Other outgoing requests
##########################################
# Always drop bad ICMP packets, to prevent overflow
$IPT -A OUTPUT -m state -p icmp --state INVALID \
-j REJECT
# Allow any outgoing request
$IPT -A OUTPUT -p ALL -s $ALL_IP -j ACCEPT
# Log any other unmatched packets
$IPT -A OUTPUT -m limit --limit $MAX_NUM_PACKS/minute \
--limit-burst $MAX_NUM_PACKS -j LOG --log-prefix \
"IPTABLES_MISS_MATCH_OUTPUT: "
------------------------------------------
My example:
------------------------------------------

#!/bin/sh
#
# rc.firewall – Initial SIMPLE IP Firewall script for Linux 2.6.x and iptables
#
# Copyright (C) 2006 Oskar Andreasson <bluefluxATkoffeinDOTnet>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA 02111-1307 USA
#
###########################################################################
#
# 1. Configuration options.
#
#
# 1.1 Internet Configuration.
#
INET_IP="1.2.3.4"
INET_IP_1="1.2.3.5"
INET_IFACE="eth0"
INET_BROADCAST="1.2.3.127"
#
# 1.1.1 DHCP
#
#
# 1.1.2 PPPoE
# 1.2 Local Area Network configuration.
#
# your LAN’s IP range and localhost IP. /24 means to only use the first 24
# bits of the 32 bit IP address. the same as netmask 255.255.255.0
#
LAN_IP="192.168.0.33"
LAN_IP_RANGE="192.168.0.0/24"
LAN_IFACE="eth1"
#
# 1.3 DMZ Configuration.
#
#
# 1.4 Localhost Configuration.
#
LO_IFACE="lo"
LO_IP="127.0.0.1"
#
# 1.5 IPTables Configuration.
#
IPTABLES="/sbin/iptables"
#
# 1.6 Other Configuration.
#
###########################################################################
#
# 2. Module loading.
#
#
# Needed to initially load modules
/sbin/depmod -a
#
# 2.1 Required modules
#
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
#/sbin/modprobe iptable_mangle
#/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state
#
# 2.2 Non-Required modules
#
#/sbin/modprobe ipt_owner
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
#/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_nat_irc
###########################################################################
#
# 3. /proc set up.
#
#
# 3.1 Required proc configuration
#
#echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# 3.2 Non-Required proc configuration
#
#echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
#echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr
#echo "1" > /proc/sys/net/ipv4/tcp_syncookies
# Enable reverse path source validation to prevent spoofing
#echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
# Ignore ICMP echo requests sent to broadcast addresses
#echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Reject source-routed packets
#echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
# Only accept ICMP redirects from gateways in the default gateway list
#echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
# Log requests from impossible (martian) source addresses
#echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
###########################################################################
#
# 4. rules set up.
#
######
# 4.1 Filter table
#
#
# 4.1.1 Set policies
#
$IPTABLES -F
$IPTABLES -X
$IPTABLES -F -t mangle
$IPTABLES -t mangle -X
$IPTABLES -F -t nat
$IPTABLES -t nat -X
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
#
# 4.1.2 Create userspecified chains
#
#
# Create chain for bad tcp packets
#
$IPTABLES -N bad_tcp_packets
#
# Create separate chains for ICMP, TCP and UDP to traverse
#
$IPTABLES -N allowed
$IPTABLES -N tcp_packets
$IPTABLES -N udp_packets
$IPTABLES -N icmp_packets
#
# 4.1.3 Create content in userspecified chains
#
#
# bad_tcp_packets chain
#
$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
#$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
#$IPT -A bad_packets -p ALL -m state --state INVALID -j LOG --log-prefix "IPTABLES_INVALID_PACKET:"
#$IPT -A bad_packets -p ALL -m state --state INVALID -j DROP
#
# allowed chain
#
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP
#
# TCP rules
#
#$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 30000 -j allowed
#$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 10050 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 10051 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 -d $INET_IP_1 --dport 25 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 -d $INET_IP_1 --dport 110 -j allowed
#$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 2009 -j allowed
#
# UDP ports
#
#$IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 53 -j ACCEPT
#$IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 123 -j ACCEPT
#$IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 2074 -j ACCEPT
#$IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 4000 -j ACCEPT
#
# In Microsoft Networks you will be swamped by broadcasts. These lines
# will prevent them from showing up in the logs.
#
$IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d $INET_BROADCAST --destination-port 135:139 -j DROP
#
# If we get DHCP requests from the Outside of our network, our logs will
# be swamped as well. This rule will block them from getting logged.
#
$IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d 255.255.255.255 --destination-port 67:68 -j DROP
#
# ICMP rules
#
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
#
# 4.1.4 INPUT chain
#
#
# Bad TCP packets we don’t want.
#
$IPTABLES -A INPUT -p tcp -j bad_tcp_packets
#
# Special rule for DHCP requests from LAN, which are not caught properly
# otherwise.
#
#$IPTABLES -A INPUT -p UDP -i $LAN_IFACE --dport 67 --sport 68 -j ACCEPT
#
# Rules for incoming packets from the internet.
#
$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -p ALL -d $INET_IP_1 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udp_packets
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
# Rules for special networks not part of the Internet
#
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP_1 -j ACCEPT
#
# If you have a Microsoft Network on the outside of your firewall, you may
# also get flooded by Multicasts. We drop them so we do not get flooded by
# logs
#
$IPTABLES -A INPUT -i $INET_IFACE -d 224.0.0.0/8 -j DROP
#
# Log weird packets that don’t match the above.
#
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "
#
# 4.1.5 FORWARD chain
#
#
# Bad TCP packets we don’t want
#
#$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets
#
# Accept the packets we actually want to forward
#
#$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
#$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Log weird packets that don't match the above.
#$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died: "
#
# 4.1.6 OUTPUT chain
#
#
# Bad TCP packets we don’t want.
#
$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets
#
# Special OUTPUT rules to decide which IP’s to allow.
#
$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP_1 -j ACCEPT
#
# Log weird packets that don’t match the above.
#
#$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "
######
# 4.2 nat table
#
#
# 4.2.1 Set policies
#
#
# 4.2.2 Create user specified chains
#
#
# 4.2.3 Create content in user specified chains
#
#
# 4.2.4 PREROUTING chain
#
#
# 4.2.5 POSTROUTING chain
#
#
# Enable simple IP Forwarding and Network Address Translation
#
#$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP
#
# 4.2.6 OUTPUT chain
#
######
# 4.3 mangle table
#
#
# 4.3.1 Set policies
#
#
# 4.3.2 Create user specified chains
#
#
# 4.3.3 Create content in user specified chains
#
#
# 4.3.4 PREROUTING chain
#
#
# 4.3.5 INPUT chain
#
#
# 4.3.6 FORWARD chain
#
#
# 4.3.7 OUTPUT chain
#
#
# 4.3.8 POSTROUTING chain
#
————————————
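Both scripts above rely on --tcp-flags MASK COMP to catch packets whose flag combination cannot occur in a normal TCP exchange, and both start by rejecting a NEW connection whose first packet is not a bare SYN. The following Python code is an added example, not part of either script: it implements the match semantics from iptables(8) (only the bits named in MASK are examined, and the packet matches when exactly the bits in COMP are set among them), expands --syn as iptables(8) defines it (SYN set, ACK, RST and FIN clear), and runs the first script's bad_tcp_packets chain order over constructed flag combinations. The labels returned are my own names for the rules, not the scripts' log prefixes.

```python
"""Model of the iptables '--tcp-flags MASK COMP' match and of the first script's
bad_tcp_packets chain. Added example; the labels are my own, not the scripts'."""

# TCP flag bits as found in the 13th byte of the TCP header (RFC 793 order).
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL_FLAGS = sum(FLAG_BITS.values())   # what iptables calls "ALL"


def flags_value(spec: str) -> int:
    """'SYN,ACK' -> bitmask; 'ALL' and 'NONE' as in iptables(8)."""
    if spec == "ALL":
        return ALL_FLAGS
    if spec == "NONE":
        return 0
    return sum(FLAG_BITS[name] for name in spec.split(","))


def tcp_flags_match(mask: str, comp: str, flags: int) -> bool:
    """iptables semantics: among the bits in MASK, exactly the bits in COMP are set."""
    return (flags & flags_value(mask)) == flags_value(comp)


def is_syn(flags: int) -> bool:
    """'--syn' per iptables(8): SYN set and ACK, RST, FIN clear."""
    return tcp_flags_match("SYN,RST,ACK,FIN", "SYN", flags)


# (MASK, COMP, label) in the order the first script's bad_tcp_packets chain uses.
STEALTH_RULES = [
    ("ALL", "NONE", "NULL scan"),
    ("ALL", "ALL", "all flags set"),
    ("ALL", "FIN,URG,PSH", "XMAS scan"),
    ("ALL", "SYN,RST,ACK,FIN,URG", "all but PSH set"),
    ("SYN,RST", "SYN,RST", "SYN+RST"),
    ("SYN,FIN", "SYN,FIN", "SYN+FIN"),
]


def classify(flags: int, is_new: bool = True):
    """Label of the first bad_tcp_packets rule the packet would hit, or None when
    it falls through to the chain's RETURN. is_new models '-m state --state NEW'."""
    if is_new and not is_syn(flags):          # '! --syn' on a NEW connection
        return "NEW_NOT_SYN"
    for mask, comp, label in STEALTH_RULES:
        if tcp_flags_match(mask, comp, flags):
            return label
    return None


if __name__ == "__main__":
    for spec in ("SYN", "SYN,ACK", "NONE", "FIN,PSH,URG", "SYN,FIN", "ACK"):
        print(f"{spec:12} -> {classify(flags_value(spec), is_new=(spec in ('SYN', 'SYN,ACK')))}")
```

Note how rule order decides the label: a NULL packet with no conntrack entry is NEW and is logged by the NEW_NOT_SYN rule before the ALL NONE rule ever sees it, which is worth remembering when you read the prefixes in the log.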

[Important notice] [Security alert] Notice on fixing the Linux "Dirty COW" vulnerability

October 24, 2016

http://bbs.qcloud.com/thread-22981-1-1.html

Hello! The Linux project recently disclosed the "Dirty COW" vulnerability (codename Dirty COW, CVE-2016-5195), which an attacker can use to escalate locally from low privileges to root.
To keep your servers from being affected, please check as soon as possible whether your kernel version is affected and follow the fix notices.

[Vulnerability details]: The memory subsystem of the Linux kernel has a race condition in its handling of copy-on-write (COW). A malicious user can exploit it to trick the system into modifying read-only user-space code and then execute it; a low-privileged local user can obtain write access to memory mappings that are otherwise read-only, for example by modifying an existing **id file to escalate privileges.

[Risk]: High; local privilege escalation is possible

[Affected versions]: privilege escalation is possible on all Linux versions (Linux kernel >= 2.6.22). The affected Tencent Cloud image versions are:

CentOS 5.x  32-bit/64-bit
CentOS 6.x  32-bit/64-bit
CentOS 7.x  32-bit/64-bit
CoreOS 717.3.0 64-bit
Debian 6.x  32-bit (no longer updated by Debian; Debian 7 or Debian 8 is recommended)
Debian 7.x  32-bit/64-bit
Debian 8.x  32-bit/64-bit
openSUSE 12.3 32-bit/64-bit
openSUSE 13.2 64-bit
SUSE Linux Enterprise Server 11 SP3 64-bit
SUSE Linux Enterprise Server 12 64-bit
Ubuntu Server 10.04.1 LTS 32-bit/64-bit (no longer updated by Ubuntu; Ubuntu 14.04 is recommended)
Ubuntu Server 12.04.1 LTS 32-bit/64-bit
Ubuntu Server 14.04.1 LTS 32-bit/64-bit

[Recommended fixes]:
We recommend that you check your systems in advance and improve your existing security policy as follows:
1) Back up your data first, to guard against anything unexpected after the kernel fix.
2) Use uname -a to check the Linux kernel version, or compare against [Affected versions] to confirm whether you are in the affected range. If you are, apply the following fixes:
CentOS users: the CentOS project has not yet released an official fixed version; please update as soon as it is released. Tencent Cloud will publish a fix notice as soon as the official CentOS fix is out.
Ubuntu users: run sudo apt-get update; sudo apt-get upgrade to update the system, then reboot for the update to take effect
Debian users: run apt-get update; apt-get upgrade to update the system, then reboot for the update to take effect
SUSE Linux Enterprise Server and openSUSE users: no patch has been released yet for openSUSE 13.2 64-bit; other versions can run zypper refresh; zypper update kernel-default to update the system, then reboot for the update to take effect
CoreOS users: run update_engine_client -update, then reboot for the update to take effect
3) If your system is CentOS 7 and you want to fix it before the official patch is released, you can build the kernel yourself with the fix published by the upstream Linux kernel project.
Fix reference: https://git.kernel.org/cgit/linu … 4ad9bdbc7d67ed8e619


[Reference links]:
http://dirtycow.ninja/
http://www.freebuf.com/vuls/117331.html

tcpdump installation, configuration and packet capture analysis

June 1, 2016

http://blog.csdn.net/e421083458/article/details/23963189

Prerequisite packages:
yum -y install flex
yum -y install bison
yum -y install gcc
Download and install
cd /var/install/
wget http://www.tcpdump.org/release/libpcap-1.5.3.tar.gz
wget http://www.tcpdump.org/release/tcpdump-4.5.1.tar.gz
tar -zxvf libpcap-1.5.3.tar.gz
cd libpcap-1.5.3
./configure
make && make install

cd ..
tar -zxvf tcpdump-4.5.1.tar.gz
cd tcpdump-4.5.1
./configure
make && make install
Installation complete; now start capturing

Capturing HTTP packets with tcpdump
tcpdump -XvvennSs 0 -i eth0 'tcp[20:2]=0x4745 or tcp[20:2]=0x4854' -w /tmp/http
(0x4745 is "GE", the first two letters of "GET"; 0x4854 is "HT", the first two letters of "HTTP".)

This command writes the packets of HTTP and GET requests to the file /tmp/http.
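The filter tcp[20:2] reads two bytes at a fixed offset of 20 from the start of the TCP header, which is the start of the payload only when the header carries no options; with timestamps or other options the probe reads option bytes instead and the request is missed. The following Python code is an added example, not from the original post: it builds constructed TCP segments with and without options, shows what the fixed-offset probe returns on each, and computes the payload offset from the data-offset field instead, which is what the filter tcp[((tcp[12]&0xf0)>>2):2]=0x4745 does.

```python
"""Why 'tcp[20:2]' only sees the payload when the TCP header has no options, and
how the data-offset field fixes that. Added example with constructed segments."""
import struct

GET_MAGIC = 0x4745    # "GE"
HTTP_MAGIC = 0x4854   # "HT"


def build_tcp_segment(payload: bytes, options: bytes = b"") -> bytes:
    """Constructed TCP segment: 20-byte base header, optional options, payload.
    Ports, sequence numbers and checksum are dummies; only the data offset matters."""
    if len(options) % 4:
        raise ValueError("TCP options must be padded to a multiple of 4 bytes")
    doff = (20 + len(options)) // 4          # header length in 32-bit words
    header = struct.pack("!HHIIBBHHH",
                         40000, 80,          # source port, destination port
                         1, 1,               # sequence, acknowledgement
                         doff << 4,          # data offset (high nibble) + reserved
                         0x18,               # flags: PSH|ACK
                         65535, 0, 0)        # window, checksum, urgent pointer
    return header + options + payload


def fixed_offset_probe(seg: bytes) -> int:
    """What tcp[20:2] reads: two bytes at a hard-coded offset of 20."""
    return struct.unpack("!H", seg[20:22])[0]


def doff_probe(seg: bytes) -> int:
    """What tcp[((tcp[12]&0xf0)>>2):2] reads: (tcp[12]&0xf0)>>2 equals the data
    offset in words times 4, i.e. the real start of the payload."""
    offset = (seg[12] & 0xF0) >> 2
    return struct.unpack("!H", seg[offset:offset + 2])[0]


def looks_like_http(seg: bytes, probe=doff_probe) -> bool:
    """The post's test, parameterised by which probe is used."""
    return probe(seg) in (GET_MAGIC, HTTP_MAGIC)


if __name__ == "__main__":
    plain = build_tcp_segment(b"GET / HTTP/1.1\r\n")
    with_ts = build_tcp_segment(b"GET / HTTP/1.1\r\n",
                                b"\x01\x01\x08\x0a" + b"\x00" * 8)   # NOP,NOP,Timestamps
    print(hex(fixed_offset_probe(plain)), hex(fixed_offset_probe(with_ts)))
    print(hex(doff_probe(plain)), hex(doff_probe(with_ts)))
```

Modern Linux stacks negotiate timestamps by default, so on a live interface the fixed-offset form silently drops most real HTTP traffic; the data-offset form is the one to put in the capture filter.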

For more capture methods see: http://blog.chinaunix.net/uid-22570852-id-225969.html

Next, install Wireshark to analyse the captured packets.

Search Baidu for the Wireshark download.

Wireshark tutorial: http://blog.csdn.net/xmphoenix/article/details/6546022

iptables basics explained

May 27, 2016


# 1. Allow incoming SSH requests from remote hosts
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
# 2. Allow outgoing SSH responses from the local host
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

  • -m state: enable the state matching module
  • --state: parameter of the state matching module. When the SSH client's first packet reaches the server its state field is NEW; once the connection is established, the packets' state field is ESTABLISHED
  • --sport 22: sshd listens on port 22 and also uses that port to establish connections and transfer data with clients, so for the SSH server the source port is 22
  • --dport 22: the ssh client can connect from a random local port to port 22 of the SSH server, so for the SSH client the destination port is 22
If the server itself also needs to connect to other remote hosts via SSH, add the following as well:
# 1. Outgoing packets with destination port 22
iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
# 2. Incoming packets with source port 22
iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

2. HTTP
HTTP is configured similarly to SSH:
# 1. Allow incoming HTTP requests from remote hosts
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
# 2. Allow outgoing HTTP responses from the local host
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

3. Complete configuration
# 1. Delete the existing rules
iptables -F
# 2. Set the default chain policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# 3. Allow remote hosts to connect via SSH
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

# 4. Allow the local host to make SSH connections
iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

# 5. Allow HTTP requests
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT


Original source: http://www.tsingpost.com/articles/201406/878.html

http://www.open-open.com/lib/view/open1410922014555.html

What to do when service iptables start has no effect

May 25, 2016  Comments closed

http://www.2cto.com/os/201112/115166.html


[root@lt ~]# service iptables status

防火墙已停

[root@lt ~]# service iptables start

[root@lt ~]# service iptables status

防火墙已停

This happens, for example, when the configuration file was not generated during installation via yum.

Solutions:

Method 1 (recommended): initialise iptables.

iptables -F

service iptables save

service iptables restart

Method 2: create the configuration file by hand.


vi /etc/sysconfig/iptables

Add the preset iptables rules shown below and you are done:

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT


Fixing "iptables: unrecognized service"

May 25, 2016  Comments closed

http://blog.csdn.net/feeltouch/article/details/21830541
I was going to set up an FTP service on Linux; vsftpd is naturally the first choice, but during configuration, when I got to:
Starting the vsftpd server:
#service vsftpd restart
#service iptables stop
I got the error iptables:unrecognized service.
So I set out to fix it. The approach was clear: first confirm whether iptables is installed on the Linux system.
service iptables status
But it still reported iptables:unrecognized service. I prepared to install it, choosing the method according to the Linux kernel in use:
yum install iptables # CentOS
apt-get install iptables # Debian
But it said it was already installed, so why was the service unrecognised? I kept looking for the cause. Further research suggested that iptables-ipv6 might be missing, so I ran
sudo apt-get install iptables-ipv6 to install it, but got an Unable to locate package error.
Considering possible incompatibilities between packages, I reluctantly updated first with sudo apt-get update; reinstalling after the update still did not fix the locate problem.
So I used apt-get install iptables* to find and install every possibility. After a round of installing, the iptables:unrecognized service problem remained.
Reading further, I finally found the cause:
On Ubuntu the file /etc/init.d/iptables does not exist, so iptables cannot be started with commands such as service; the modprobe command has to be used instead.
Start iptables
modprobe ip_tables
Stop iptables (stopping is more involved than starting)
iptables -F
iptables -X
iptables -Z
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
modprobe -r ip_tables
Run the commands above in order to stop iptables; otherwise running modprobe -r ip_tables will report
FATAL: Module ip_tables is in use.
The problem above was finally resolved.
Here are also some good blog posts on configuring vsftpd and iptables:
1. http://blog.163.com/xyz_1112/blog/static/3869440220080442851960/
2. http://www.cnblogs.com/hhuai/archive/2011/02/12/1952647.html
3. http://www.cnblogs.com/JemBai/archive/2009/02/05/1384413.html
4. http://www.zrblog.net/7027.html


Common Linux commands and components: simple iptables usage

May 25, 2016  Comments closed

http://www.zrblog.net/7027.html
iptables is a simple and practical firewall component on Linux. Earlier, in VPS Beginner Tutorial ⑧: Practical and Simple VPS Security Configuration and in the DA-related tutorials, 赵容部落 touched on the parts involving iptables. Here I give a brief explanation of iptables, partly so that readers who are unclear about it have something to consult, and partly ... so that I can look it up myself when I forget.

1. Installing the software

The VPS we buy usually comes with iptables preinstalled; check the iptables status first to confirm it is installed.

service iptables status
If it reports iptables:unrecognized service, it needs to be installed.
yum install iptables # CentOS
apt-get install iptables # Debian
2. Configuring rules
The commands below use CentOS as the example; please bear that in mind.
The configuration file of the installed iptables is /etc/sysconfig/iptables. The default rules can be ignored; clear them with the following commands.
iptables -F
iptables -X
iptables -Z
Next, add our own iptables rules: open the ports we need, close dangerous ports, and so on. Below is a simple rule set:
# Allow the local loopback interface (i.e. the host talking to itself)
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
# Allow established and related traffic
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow all outbound traffic from this host
iptables -A OUTPUT -j ACCEPT
# Allow access to port 22
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Allow access to port 80
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# Allow the FTP service's ports 21 and 20
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 20 -j ACCEPT
# Other ports follow the same pattern; adjust the lines above slightly
# Reject everything not explicitly allowed
# (Note: if port 22 has not been added to the allow rules, the SSH session will drop immediately.)
iptables -A INPUT -j REJECT
iptables -A FORWARD -j REJECT

If more ports need to be opened, add them above, then save the rules and restart.

service iptables save # save
or /etc/rc.d/init.d/iptables save
service iptables restart # restart

While on the subject of iptables rules, here are other rules you may need, for example blocking a single IP:

-A INPUT -s 1.2.3.4 -j DROP
3. Listing, modifying and deleting
iptables -L -n # list the rules
iptables -L -n --line-numbers # show the rules with line numbers, convenient for deleting
iptables -D INPUT 4 # delete rule number 4
4. Enable at boot
chkconfig iptables on
5. Other rules
Some of the following rules may be useful as reference.
# Enable syncookies (lightweight DoS mitigation)
sysctl -w net.ipv4.tcp_syncookies=1 &>/dev/null
# Set the default timeout of established TCP connections to 3800 seconds (this greatly reduces the tracked connection count)
sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=3800 &>/dev/null
# Set the maximum number of tracked connections to 300,000 (depends on memory and iptables version; each connection needs 300-odd bytes)
sysctl -w net.ipv4.ip_conntrack_max=300000 &>/dev/null

# Lightweight SYN flood protection
iptables -N syn-flood
iptables -A INPUT -p tcp --syn -j syn-flood
iptables -A syn-flood -p tcp -m limit --limit 3/s --limit-burst 6 -j RETURN
iptables -A syn-flood -j REJECT

# Rate-limit IP fragments from anywhere: allow 100 fragments per second
iptables -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT

# Rate-limit ICMP to blunt ICMP-based attacks
iptables -A FORWARD -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT

# Drop bad TCP packets (NEW connections that do not start with SYN)
iptables -A FORWARD -p TCP ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
iptables -A FORWARD -p TCP ! --syn -m state --state NEW -j DROP
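An added example, not code from the original post, modelling the syn-flood chain above: the limit match is a token bucket in which --limit-burst is the bucket size and initial fill and --limit is the refill rate, so a SYN that finds a token is RETURNed to INPUT while one that finds the bucket empty falls through to REJECT. The arrival timestamps are constructed, and the float bucket is a model of the kernel's integer-credit implementation, not a copy of it.

```python
class LimitMatch:
    """Token-bucket model of `-m limit --limit <rate>/s --limit-burst <burst>`."""

    def __init__(self, rate_per_s: float, burst: int):
        self.rate = rate_per_s       # --limit: tokens added per second
        self.burst = burst           # --limit-burst: bucket capacity, full at start
        self.tokens = float(burst)
        self.last = 0.0              # time of the previous packet

    def consume(self, now: float) -> bool:
        """Refill for the elapsed time, then take one token if one is available."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def syn_flood_chain(syn_times, rate_per_s=3.0, burst=6):
    """Verdict per SYN (arrival times in seconds) for the page's syn-flood chain:
    `-m limit --limit 3/s --limit-burst 6 -j RETURN` followed by `-j REJECT`."""
    match = LimitMatch(rate_per_s, burst)
    return ["RETURN" if match.consume(t) else "REJECT" for t in sorted(syn_times)]


def count_verdicts(syn_times, rate_per_s=3.0, burst=6):
    """(returned, rejected) totals for the same arrival pattern."""
    verdicts = syn_flood_chain(syn_times, rate_per_s, burst)
    return verdicts.count("RETURN"), verdicts.count("REJECT")


# Constructed arrival patterns: a burst of 10 SYNs at once, the same burst
# followed by 5 more one second later, and a steady 2 SYN/s stream for 10 s.
BURST_10 = [0.0] * 10
BURST_THEN_5 = [0.0] * 10 + [1.0] * 5
STEADY_2_PER_S = [i * 0.5 for i in range(20)]
```

The burst of 10 lets exactly --limit-burst (6) SYNs through and rejects 4; one second later 3 tokens have been refilled, so 3 of the next 5 pass; a steady stream below the 3/s rate never empties the bucket.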


Ubuntu firewall configuration: ufw and iptables

May 23, 2016  Comments closed


http://www.cnblogs.com/ylan2009/articles/2321136.html

Since version 2.4 the Linux kernel has included an excellent firewall facility. It can split, filter, forward and otherwise finely control the network data entering and leaving a service, and so implement functions such as a firewall and NAT.
Usually we manage this firewall's rules with a well-known program such as iptables. iptables can define firewall rules flexibly and is very powerful, but the side effect is that configuration becomes overly complex. Ubuntu, known for being simple and easy to use, ships in its distribution a firewall configuration tool that is much simpler than iptables: ufw.
ufw is not enabled by default, which means that ports on Ubuntu are open by default. Start ufw with the following commands:
$ sudo ufw default deny
$ sudo ufw enable
The first command sets the default policy to deny, so that unless a port is explicitly opened, all ports are closed by default. The second command starts ufw; it will also start automatically the next time the machine boots.
Most firewall work boils down to opening and closing ports. To open port 22 for the SSH server:
$ sudo ufw allow 22
Since in /etc/services port 22 maps to the service name ssh, the following command is equivalent:
$ sudo ufw allow ssh
Now check the firewall status with:
$ sudo ufw status
Firewall loaded

To Action From
-- ------ ----
22:tcp ALLOW Anywhere
22:udp ALLOW Anywhere
We can see that port 22 is open for both TCP and UDP.
Delete a rule that was added earlier:
$ sudo ufw delete allow 22
Open port 22 for TCP only:
$ sudo ufw allow 22/tcp
Open port 80 for TCP requests coming from 192.168.0.1:
$ sudo ufw allow proto tcp from 192.168.0.1 to any port 80
To disable the firewall:
$ sudo ufw disable

ufw firewall configuration on Ubuntu
2009-06-26 23:47
The UFW firewall is a host-side, iptables-style firewall configuration tool. Its goal is to give the user an interface that is easy to master, together with package integration and dynamic detection of open ports.
Installing UFW on Ubuntu:
The package is currently in the Ubuntu 8.04 repositories.
sudo apt-get install ufw
The command above installs the software on your system.
Enable/disable the firewall (the default is 'disable')
# ufw enable|disable
Toggle logging
# ufw logging on|off
Set the default policy (e.g. "mostly open" vs "mostly closed")
# ufw default allow|deny
Allow or block certain incoming packets (the list of services can be seen in "status" [see below]). A service can be given as "protocol:port", as a service name found in /etc/services, or via the packet's metadata. 'allow' adds an entry to /etc/ufw/maps, 'deny' does the opposite. Basic syntax:
# ufw allow|deny [service]
Show the firewall status and listening ports; see /var/lib/ufw/maps. The numbers in brackets are not displayed.
# ufw status
[Note: although sudo is not used above, the prompts are all "#". So ... you know what that means. Sic. (translator's note)]
UFW usage examples:
Allow port 53
$ sudo ufw allow 53
Disallow port 53
$ sudo ufw delete allow 53
Allow port 80
$ sudo ufw allow 80/tcp
Disallow port 80
$ sudo ufw delete allow 80/tcp
Allow the smtp port
$ sudo ufw allow smtp
Remove the allowance for the smtp port
$ sudo ufw delete allow smtp
Allow a specific IP
$ sudo ufw allow from 192.168.254.254
Delete the rule above
$ sudo ufw delete allow from 192.168.254.254
------------------------------------------
I'm still on 7.10 myself, so I did not test the steps above while translating.
Ubuntu's release names are awkward and I can never remember them:
* Ubuntu 6.06 LTS (Dapper Drake)
* Ubuntu 6.10 (Edgy Eft)
* Ubuntu 7.04 (Feisty Fawn)
* Ubuntu 7.10 (Gutsy Gibbon)
* Ubuntu 8.04 (Hardy Heron)

Ubuntu firewall
2010-01-14 11:02
ufw is a simple firewall configuration tool on Ubuntu; underneath it still calls iptables. Although its feature set is limited, it is practical for desktop use, covers the common needs and is easy to use.
== Original by 鱼漂 (admin.net#163.com); please credit when reposting ==
== http://www.eit.name ==

1. Installation
sudo apt-get install ufw

2. Enable
sudo ufw enable
sudo ufw default deny
After running these two commands the firewall is on and will start automatically at boot.
All external access to this host is blocked, while access from this host to the outside works as normal.

3. Allow/deny
sudo ufw allow|deny [service]
Open or close a port, for example:
sudo ufw allow smtp # allow any external IP to reach this host's port 25/tcp (smtp)
sudo ufw allow 22/tcp # allow any external IP to reach this host's port 22/tcp (ssh)
sudo ufw allow 53 # allow external access to port 53 (tcp and udp)
sudo ufw allow from 192.168.1.100 # allow this IP to reach every port on this host
sudo ufw allow proto udp from 192.168.0.1 port 53 to 192.168.0.2 port 53
sudo ufw deny smtp # block external access to the smtp service
sudo ufw delete allow smtp # delete a rule created above

4. Check the firewall status
sudo ufw status

For ordinary users the following is enough:
sudo apt-get install ufw
sudo ufw enable
sudo ufw default deny
These three commands already give adequate security; if you need to expose certain services, open them with sudo ufw allow.

Introduction to Ubuntu's UFW firewall settings
2010-03-03 16:27
