Firewall types, and iptables (log, rule, policy)

1. Packet filter: operates at the OSI network (IP) layer, usually on a router, using an access control list (ACL); it is transparent to the hosts behind it.
2. Proxy: a store-and-forward intermediary; the proxy itself filters the traffic it relays.
3. Application-level filtering: inspects Internet content such as JavaScript.
4. Hardware versus software firewalls: a dedicated IC appliance versus software on a general-purpose host.
5. Personal firewall: protects a single Internet-connected PC.

A router (for example a Cisco Systems router) can split the network into an internal segment and a DMZ (Demilitarized Zone). Servers that must be reachable from outside (DNS, WWW, FTP, MAIL, rsync) are placed in the DMZ rather than on the internal network.

On Linux the packet filter is iptables.

1. Red Hat Linux

Red Hat configures iptables through redhat-config-securitylevel (started from a shell or XTerm under GNOME, or via setup -> Firewall configuration). The security levels are High, Medium and No firewall: High accepts only DNS replies and DHCP; Medium blocks the privileged ports below 1023 (FTP 20/21, SSH 22, HTTP 80 and so on), the NFS port (2049), the local X display and the X font server. Customize lets you choose trusted devices (eth0, or ppp0 on a PPP link), allowed services (for example for NIS or LDAP), and "other ports" such as 161:udp and 1001:tcp. The tool writes its rules to /etc/sysconfig/iptables; after editing that file by hand, apply it with:

    /etc/init.d/iptables restart

Rule lines of a generated /etc/sysconfig/iptables:

    -A INPUT -j RH-Lokkit-0-50-INPUT
    -A FORWARD -j RH-Lokkit-0-50-INPUT
    -A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 131 -j ACCEPT
    -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
    -A RH-Lokkit-0-50-INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -i eth0 -j ACCEPT
    -A RH-Lokkit-0-50-INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -i eth1 -j ACCEPT
    -A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
    -A RH-Lokkit-0-50-INPUT -p udp -m udp -s 192.168.10.1 --sport 53 -d 0/0 -j ACCEPT
    -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --syn -j REJECT
    -A RH-Lokkit-0-50-INPUT -p udp -m udp -j REJECT
    COMMIT
The active rules can be listed with iptables -L:

    Chain INPUT (policy ACCEPT)
    target                prot opt source               destination
    RH-Lokkit-0-50-INPUT  all  --  anywhere             anywhere

    Chain FORWARD (policy ACCEPT)
    target                prot opt source               destination
    RH-Lokkit-0-50-INPUT  all  --  anywhere             anywhere

    Chain OUTPUT (policy ACCEPT)
    target                prot opt source               destination

    Chain RH-Lokkit-0-50-INPUT (2 references)
    target     prot opt source               destination
    ACCEPT     udp  --  anywhere             anywhere            udp dpt:131
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh flags:syn,rst,ack/syn
    ACCEPT     udp  --  anywhere             anywhere            udp spts:bootps:bootpc dpts:bootps:bootpc
    ACCEPT     udp  --  anywhere             anywhere            udp spts:bootps:bootpc dpts:bootps:bootpc
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     udp  --  192.168.10.1         anywhere            udp spt:domain
    REJECT     tcp  --  anywhere             anywhere            tcp flags:syn,rst,ack/syn reject-with icmp-port-unreachable
    REJECT     udp  --  anywhere             anywhere            udp reject-with icmp-port-unreachable

The RH-Lokkit-0-50-INPUT chain holds exactly the rules stored in /etc/sysconfig/iptables.

2. Linux as router and packet-filter firewall

A Linux PC with two network interfaces can act as router and firewall at the same time (a router+firewall PC), instead of a separate router and firewall. IP forwarding must be enabled on it:

    echo 1 > /proc/sys/net/ipv4/ip_forward

The PCs behind it use the Linux router as their default gateway (route), and the router's own default route points to the Internet. To test, from a PC behind the router:

    ping 163.17.35.10

and on the router list the chains with iptables -L (a common typo is iptalbes).

Packets traverse the iptables chains in this order:

    incoming packet
          |
      PREROUTING
          |
     routing table
        /     \
    FORWARD   INPUT
       |        |
       |    LOCAL HOST
       |        |
       |      OUTPUT
        \     /
      POSTROUTING
          |
    outgoing packet

There are five chains: PREROUTING, INPUT, OUTPUT, FORWARD and POSTROUTING. Each chain has a policy, ACCEPT or DROP, that applies when no rule matches. A matching rule jumps to a TARGET:

    ACCEPT      let the packet through
    DROP        discard silently
    REJECT      discard and send an ICMP port unreachable back
    REDIRECT    redirect to a local port (e.g. a proxy)
    QUEUE       hand the packet to a user-space queue
    LOG         log the packet (the packet continues to the next rule)
    MARK        mark the packet for later rules
    SNAT        NAT: rewrite the source socket (address/port)
    DNAT        NAT: rewrite the destination socket
    MASQUERADE  NAT: rewrite the source socket to the outgoing interface's address

iptables command forms (operating on a chain):

    -N  create a new chain
    -X  delete a chain
    -P  set the chain policy
    -L  list the rules
    -F  flush (delete all rules)
    -Z  zero the packet and byte counters
    -A  append a rule
    -I  insert a rule
    -R  replace a rule
    -D  delete a rule

Each rule is a match pattern plus a target (-j):

    chain        INPUT, OUTPUT, FORWARD
    interface    -i (in), -o (out)
    protocol     -p
    state        -m state --state ...
    TCP SYN      --syn
    source       -s, --sport
    destination  -d, --dport

Example:

    iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
This accepts TCP packets arriving on eth0 for port 80 of the local host. A second example:

    iptables -A FORWARD -i ppp0 -p TCP -s xxx.xxx.xxx.xxx -d yyy.yyy.yyy.yyy -j DROP

drops forwarded TCP packets that arrive on ppp0 from source IP xxx.xxx.xxx.xxx to destination IP yyy.yyy.yyy.yyy.

NAT and private IP addresses

RFC 1918 reserves private IP address ranges for which no routing information is carried on the Internet:

    10.0.0.0    - 10.255.255.255
    172.16.0.0  - 172.31.255.255
    192.168.0.0 - 192.168.255.255

A host with a private IP cannot be reached from the Internet directly. For it to talk to public IP hosts, the gateway performs NAT (Network Address Translation), rewriting the private address to its own public IP; iptables implements this in its nat table.

The iptables rules are usually collected in a shell script that is run at boot from /etc/rc.d/rc.local on Linux. Make the script executable with chmod +x script_filename. The scripts below follow http://www.adj.idv.tw/server/linux_nat.htm.

1. Firewall with a single IP: ipt_route1

    #!/bin/bash
    #
    # Script name: ipt_route1
    # A simple script for firewall, used in Linux (kernel 2.4.x),
    # with certain services provided to outside world.
    #
    # Copyleft 2002 by netman (netman@study-area.org).
    #
    # Redistribution of this file is permitted under the terms of
    # the GNU General Public License (GPL).
    #
    # Date: 2002/07/03
    # Version: 1.4
    # modify by jim hwang 2003/7

    PATH=/sbin:/usr/sbin:/bin:/usr/bin

    EXT_IF=eth0
    INT_IF=eth1

    # Ports and ICMP types accepted for the firewall host itself (INPUT chain)
    FIREWALL_TRUSTED_TCP_PORT="22 80"
    FIREWALL_TRUSTED_UDP_PORT="53"
    FIREWALL_ALLOWED_ICMP="0 3 3/4 4 11 12 14 16 18"

    # Ports and ICMP types accepted for hosts behind the firewall (FORWARD chain)
    TRUSTED_TCP_PORT="20 21 22 25 53 80 110"
    TRUSTED_UDP_PORT="53"
    ALLOWED_ICMP="0 3 3/4 4 11 12 14 16 18 8"

    # ------------- ensure iptables ----------
    which iptables &>/dev/null || {
        echo
        echo "$(basename $0): iptables program is not found."
        echo " Please install the program first."
        echo
        exit 1
    }

    # ------------- disable ipchains ----------
    lsmod | grep ipchains &>/dev/null && {
        echo "Disabling ipchains..."
        rmmod ipchains
    }

    # ------------- modules -----------
    echo "Loading modules..."
    modprobe ip_tables &>/dev/null || {
        echo -n "$(basename $0): loading ip_tables module failure."
        echo " Please Fix it!"
        exit 3
    }
    for file in /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_conntrack_*.o; do
        module=$(basename $file)
        modprobe ${module%.*} &>/dev/null
    done
    for file in /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_nat_*.o; do
        module=$(basename $file)
        modprobe ${module%.*} &>/dev/null
    done

    # ------------- ipforwarding -----------
    echo "Turning on IP forwarding..."
    echo "1" > /proc/sys/net/ipv4/ip_forward

    # ------------- anti spoofing -----------
    echo "Turning on anti-spoofing..."
    for file in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo "1" > $file
    done

    # ------------- flushing ----------
    echo "Cleaning up..."
    iptables -F -t filter
    iptables -X -t filter
    iptables -Z -t filter
    iptables -F -t nat
    iptables -X -t nat
    iptables -Z -t nat

    # ------------- policies -------------
    echo "Setting up policies to ACCEPT..."
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -t nat -P PREROUTING ACCEPT
    iptables -t nat -P POSTROUTING ACCEPT
    iptables -t nat -P OUTPUT ACCEPT

    # ------------- FIREWALL ICMP -------------
    echo "Creating FIREWALLicmpfilter chain..."
    iptables -N firewallicmpfilter
    for TYPE in $FIREWALL_ALLOWED_ICMP; do
        iptables -A firewallicmpfilter -i $EXT_IF -p icmp \
            --icmp-type $TYPE -j ACCEPT
    done

    # ------------- FIREWALL services ------------
    echo "Creating services chain..."
    iptables -N firewallservices
    for PORT in $FIREWALL_TRUSTED_TCP_PORT; do
        iptables -A firewallservices -i $EXT_IF -p tcp --dport $PORT -j ACCEPT
    done
    for PORT in $FIREWALL_TRUSTED_UDP_PORT; do
        iptables -A firewallservices -i $EXT_IF -p udp --dport $PORT -j ACCEPT
    done

    # ------------- ICMP -------------
    echo "Creating icmpfilter chain..."
    iptables -N icmpfilter
    for TYPE in $ALLOWED_ICMP; do
        iptables -A icmpfilter -i $EXT_IF -p icmp \
            --icmp-type $TYPE -j ACCEPT
    done

    # ------------- services ------------
    echo "Creating services chain..."
    iptables -N services
    for PORT in $TRUSTED_TCP_PORT; do
        iptables -A services -i $EXT_IF -p tcp --dport $PORT -j ACCEPT
    done
    for PORT in $TRUSTED_UDP_PORT; do
        iptables -A services -i $EXT_IF -p udp --dport $PORT -j ACCEPT
    done

    # ------------- block -------------
    # Replies to connections we opened pass; new connections pass only if
    # they did not come in on the external interface; everything else is dropped.
    echo "Creating block chain..."
    iptables -N block
    iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A block -m state --state NEW -i ! $EXT_IF -j ACCEPT
    #iptables -A block -j LOG --log-level warning --log-prefix "fw-drop: "
    iptables -A block -j DROP

    # ------------- filter -------------
    echo "Filtering packets..."
    iptables -A INPUT -j firewallicmpfilter
    iptables -A INPUT -j firewallservices
    iptables -A INPUT -j block
    iptables -A FORWARD -j icmpfilter
    iptables -A FORWARD -j services
    iptables -A FORWARD -j block

    exit 0
    ## EOS

2. ACCEPT only selected server IPs and services

To open services and ICMP only towards specific servers, replace the icmpfilter and services sections above with a per-IP version:

    # ----- setup filter policy for each IP
    iptables -N icmpfilter
    iptables -N services
    DIP_LIST="163.17.40.4 163.17.40.199 163.17.40.81"
    TRUSTED_TCP_PORT="22 25 110 80"
    TRUSTED_UDP_PORT=""
    ALLOWED_ICMP="0 3 3/4 4 11 12 14 16 18 8"
    for DIP in $DIP_LIST; do
        for TYPE in $ALLOWED_ICMP; do
            iptables -A icmpfilter -i $EXT_IF -p icmp \
                -d $DIP --icmp-type $TYPE -j ACCEPT
        done
        for PORT in $TRUSTED_TCP_PORT; do
            iptables -A services -i $EXT_IF -p tcp -d $DIP --dport $PORT -j ACCEPT
        done
    #   for PORT in $TRUSTED_UDP_PORT; do
    #       iptables -A services -i $EXT_IF -p udp -d $DIP --dport $PORT -j ACCEPT
    #   done
    done

ipt_route2: NAT for private IPs

ipt_route2 keeps the head of the script and adds NAT, so that internal hosts with private IPs share the IP of $EXT_IF:

    iptables -t nat -A POSTROUTING -o $EXT_IF -j MASQUERADE

With an ADSL connection, the internal hosts (addresses such as 10.111.xxx.xxx) route through the Linux box, which performs the NAT.

Transparent proxy with squid

A squid proxy on the Linux router can be made transparent so that the browsers need no proxy setting. In /etc/squid/squid.conf:

    httpd_accel_host localhost.localdomain
    httpd_accel_port 80
    httpd_accel_with_proxy on
    httpd_accel_uses_host_header on

Restart squid (/etc/init.d/squid restart), then redirect the internal HTTP traffic to squid's port 3128:

    # squid transparent proxy
    iptables -t nat -A PREROUTING -i $INT_IF -p tcp -m tcp \
        --dport 80 -j REDIRECT --to-ports 3128

ipt_server: ADSL and single-interface hosts

ipt_server is the variant for an ADSL link, with EXT_IF=ppp0 and INT_IF=eth0. When the Linux host has only one card, with the public IP on eth0 and the private network on the alias eth0:1 (aliases exist at Layer 3 only; at Layer 2 there is one interface), EXT_IF=eth0 and INT_IF=eth0 are the same and -i interface cannot tell the two networks apart. Match on the source address with -s instead: "-s ! 192.168.0.0/24" selects the outside, "-s 192.168.0.0/24" the inside. In the block chain the rules for the internal network become:

    iptables -A block -s 192.168.0.0/24 -j ACCEPT
    iptables -A block -m state --state NEW -s 192.168.0.0/24 -j ACCEPT

NAT in POSTROUTING likewise selects by source address. Access to port 80 on the firewall itself (192.168.0.254) is accepted in nat PREROUTING so that no later nat rule (such as the squid REDIRECT) touches it, and the rest of 192.168.0.0/24 is translated to the public IP 163.17.40.5 with SNAT, or with MASQUERADE when the public IP is dynamic:

    iptables -t nat -A PREROUTING -d 192.168.0.254 \
        -p tcp -m tcp --dport 80 -j ACCEPT
    iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j SNAT --to 163.17.40.5
    iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE

Server forwarding: to publish an internal server through the firewall's public address, DNAT the connections in PREROUTING, either to one server or spread over a range of servers:

    iptables -A PREROUTING -t nat -i eth0 -p tcp -d 163.17.35.10 --dport 80 -j DNAT --to-destination 192.168.0.2:80
    iptables -A PREROUTING -t nat -i eth0 -p tcp -d 163.17.35.10 --dport 80 -j DNAT --to-destination 192.168.0.2-192.168.0.3:80

Logging dropped packets

In the block chain, a LOG rule placed before the DROP rule records every packet that is about to be dropped (LOG does not terminate rule traversal, so the DROP still applies):

    iptables -A block -j LOG --log-level warning --log-prefix "fw-drop: "
    iptables -A block -j DROP

The kernel writes the entries to /var/log/messages:

    Jul 31 07:57:57 firewall2 kernel: fw-drop: IN=eth1 OUT=eth0 SRC=203.168.249.64 DST=163.17.40.18 LEN=1052 TOS=0x00 PREC=0x00 TTL=103 ID=3073 PROTO=UDP SPT=2390 DPT=135 LEN=1032
    Jul 31 07:57:57 firewall2 kernel: fw-drop: IN=eth1 OUT=eth0 SRC=203.168.249.64 DST=163.17.40.13 LEN=1052 TOS=0x00 PREC=0x00 TTL=103 ID=3074 PROTO=UDP SPT=2388 DPT=135 LEN=1032
    Jul 31 07:57:57 firewall2 kernel: fw-drop: IN=eth1 OUT=eth0 SRC=203.168.249.64 DST=163.17.40.9 LEN=1052 TOS=0x00 PREC=0x00 TTL=103 ID=3075 PROTO=UDP SPT=2391 DPT=135 LEN=1032

Here a single source, 203.168.249.64, sends UDP packets to port 135 of three different internal hosts within the same second.
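The kernel LOG lines above are what a log analyser has to aggregate. As an added example (not code from the original page), this Python script parses fw-drop lines into their KEY=VALUE fields and counts drops per source, protocol and destination port; the input is the three log lines shown on the page plus one constructed non-firewall line that the parser must skip.

```python
import re
from collections import Counter, defaultdict

# Sample input: the three fw-drop lines printed on this page, plus one
# constructed sshd line to show that unrelated syslog entries are ignored.
SAMPLE_LOG = """\
Jul 31 07:57:57 firewall2 kernel: fw-drop: IN=eth1 OUT=eth0 SRC=203.168.249.64 DST=163.17.40.18 LEN=1052 TOS=0x00 PREC=0x00 TTL=103 ID=3073 PROTO=UDP SPT=2390 DPT=135 LEN=1032
Jul 31 07:57:57 firewall2 kernel: fw-drop: IN=eth1 OUT=eth0 SRC=203.168.249.64 DST=163.17.40.13 LEN=1052 TOS=0x00 PREC=0x00 TTL=103 ID=3074 PROTO=UDP SPT=2388 DPT=135 LEN=1032
Jul 31 07:57:57 firewall2 kernel: fw-drop: IN=eth1 OUT=eth0 SRC=203.168.249.64 DST=163.17.40.9 LEN=1052 TOS=0x00 PREC=0x00 TTL=103 ID=3075 PROTO=UDP SPT=2391 DPT=135 LEN=1032
Jul 31 08:02:11 firewall2 sshd[1234]: Accepted publickey for admin from 192.168.0.7 port 51022 ssh2
"""

LOG_PREFIX = "fw-drop: "                 # must match --log-prefix in the LOG rule
_TOKEN = re.compile(r"([A-Z]+)=(\S*)")   # netfilter prints KEY=VALUE pairs


def parse_fw_drop(line):
    """Return the KEY=VALUE fields of one LOG-target line, or None for other lines."""
    idx = line.find(LOG_PREFIX)
    if idx < 0:
        return None
    fields = {}
    for key, value in _TOKEN.findall(line[idx + len(LOG_PREFIX):]):
        # LEN appears twice (IP total length, then UDP length); keep the IP one.
        fields.setdefault(key, value)
    # Flag-only tokens such as DF or SYN carry no "=" and are not collected.
    return fields if "SRC" in fields and "DST" in fields else None


def summarize(log_text):
    """Count drops per (SRC, PROTO, DPT) and collect the DST hosts each SRC hit."""
    hits = Counter()
    targets = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_fw_drop(line)
        if f is None:
            continue
        hits[(f["SRC"], f.get("PROTO", "?"), f.get("DPT", "-"))] += 1
        targets[f["SRC"]].add(f["DST"])
    return hits, dict(targets)


if __name__ == "__main__":
    hits, targets = summarize(SAMPLE_LOG)
    for (src, proto, dpt), n in hits.most_common():
        print(f"{src:>16} {proto:<4} dpt={dpt:<5} drops={n} hosts={len(targets[src])}")
```

A source that appears with many distinct DST hosts on one port in a short interval is the pattern worth looking at first in the fwanalog reports.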
Analysing the firewall log with fwanalog

fwanalog (http://tud.at/programm/fwanalog/) summarises firewall logs. It understands the log formats of IP Filter, iptables, ipchains, ZyXEL/NetGear routers, Cisco PIX, Watchguard Firebox and Firewall-One firewalls, and uses Analog (http://www.analog.cx/) to produce the reports.

Install Analog:

    cd /usr/local/src
    wget http://www.trilithium.com/software/misc/analog/analog-5.32-1.i686.rpm
    rpm -ivh analog-5.32-1.i686.rpm

Install fwanalog:

    wget http://tud.at/programm/fwanalog/fwanalog-0.6.3.tar.gz
    tar zxvf fwanalog-0.6.3.tar.gz
    cd fwanalog-0.6.3
    cp fwanalog.opts.linux24 fwanalog.opts

Edit fwanalog.opts: set the report output directory and check the log file settings, for example

    outdir="/var/www/html/fwanalog"

Run ./fwanalog.sh once; it writes alldates.html, lastweek.html and today.html into that directory. Then schedule it with crontab -e:

    * 0 * * * /usr/local/src/fwanalog-0.6.3/fwanalog.sh