Network Resource Access Controls
*Netfilter
#iptables
#chkconfig --list iptables
iptables 0:off 1:off 2:on 3:on 4:on 5:on 6:off
(1)Rule Targets
DROP, ACCEPT, LOG, REJECT, custom chain
(2)Basic Chain
-L (list rules)
options: -nv --line-numbers (--line is accepted as an abbreviation)
-A (append a rule)
-I chain 3 (insert as rule 3 of the chain)
-D chain 3 (deletes rule 3 of the chain)
-D chain [Rule] (deletes rule)
-s (source)
-d (destination)
-i (input interface)
-o (output interface)
-s ! 192.168.0.0/24
! = NOT (negation)
Ex:
iptables -t filter -A INPUT -s ! 192.168.0.0/24 -j DROP
(drop everything that is not from the 192.168.0.0/24 network, i.e. allow only 192.168.0.0/24)
-p tcp --dport 80(httpd)
-p udp --dport 53(named)
-p tcp --sport 123
-p udp --sport 123
-p icmp --icmp-type destination-unreachable
#assign chain policy
#iptables -P INPUT DROP (dangerous usage)
By default every incoming packet will be DROPped.
(You must schedule an automatic rollback with at now+5min that restores the original settings, otherwise you are locked out ^^..)
-Z : zero byte and packet counters
-N : adds your chain-name
-X: deletes chain
(3) Connection Tracking
NEW, ESTABLISHED, RELATED, INVALID
%requires more memory, do not overuse it
connections stored in /proc
Ex:
/proc/sys/net/ipv4/ip_conntrack
/proc/sys/net/ipv4/netfilter/ip_conntrack_*
ip_conntrack_ftp
ip_nat_ftp
%adding connection tracking helper modules
configuration: /etc/sysconfig/iptables-config
#vi /etc/sysconfig/iptables-config
---omitted---
IPTABLES_MODULES="ip_nat_ftp"
---omitted---
After editing, restart the service
#service iptables restart
-m state --state ESTABLISHED,RELATED (no space after the comma)
-m state --state NEW
%NAT (table)
-t nat -A POSTROUTING
-t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-dest 192.168.0.200:3128
%after writing all the rules
%#service iptables save writes them back to /etc/sysconfig/iptables
%the rules are read automatically at boot
(4) Sample /etc/sysconfig/iptables
*create a custom chain called CLASS-RULES and insert a rule at INPUT that jumps all packets to it
#iptables -N CLASS-RULES
#iptables -A INPUT -j CLASS-RULES
*ACCEPT all traffic arriving on the loopback interface(lo)
#iptables -t filter -A CLASS-RULES -i lo -j ACCEPT
*ACCEPT packets that use the icmp protocol
#iptables -t filter -A CLASS-RULES -p icmp -j ACCEPT
*ACCEPT packets with the ESTABLISHED or RELATED state
#iptables -t filter -A CLASS-RULES -m state --state ESTABLISHED,RELATED -j ACCEPT
*ACCEPT packets destined for tcp port 22
#iptables -t filter -A CLASS-RULES -p tcp --dport 22 -j ACCEPT
*ACCEPT packets with the NEW state destined for udp port 514(syslog)
#iptables -t filter -A CLASS-RULES -m state --state NEW -p udp --dport 514 -j ACCEPT
*LOG and REJECT all packets not matched by one of the above rules
#iptables -t filter -A CLASS-RULES -j LOG
#iptables -t filter -A CLASS-RULES -j REJECT
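The CLASS-RULES chain from (4) written out in iptables-save format, which is the format `service iptables save` stores in /etc/sysconfig/iptables, combined with the "restore the old rules in 5 minutes" safety net from (2). This is an added example, not part of the original notes: it assumes iptables-save, iptables-restore and the at daemon are installed, and the --log-prefix text and the backup file path are my own choices.

```shell
#!/bin/sh
# Added example (not from the original notes): generate the CLASS-RULES
# ruleset in iptables-save format and apply it with a scheduled rollback.
# Assumes iptables-save/iptables-restore and `at` (atd) are available.

# Emit the ruleset on stdout. Kept in a function so it can be inspected
# and checked without root and without touching the live kernel tables.
# Chain policies stay ACCEPT; the final REJECT in CLASS-RULES is what
# blocks everything the chain did not explicitly allow.
class_rules() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:CLASS-RULES - [0:0]
-A INPUT -j CLASS-RULES
-A CLASS-RULES -i lo -j ACCEPT
-A CLASS-RULES -p icmp -j ACCEPT
-A CLASS-RULES -m state --state ESTABLISHED,RELATED -j ACCEPT
-A CLASS-RULES -p tcp --dport 22 -j ACCEPT
-A CLASS-RULES -m state --state NEW -p udp --dport 514 -j ACCEPT
-A CLASS-RULES -j LOG --log-prefix "CLASS-RULES reject: "
-A CLASS-RULES -j REJECT
COMMIT
EOF
}

# Number of rule lines (those starting with -A) in the generated ruleset.
rule_count() {
    class_rules | grep -c '^-A'
}

# Save the live rules to a backup file (path is an assumed default), schedule
# their restoration with `at` in 5 minutes, then load the new ruleset.
# Cancel the pending job with atq/atrm once you have confirmed remote access
# still works; if you are locked out, the old rules come back on their own.
apply_with_safety_net() {
    backup=${1:-/root/iptables.before-class-rules}
    iptables-save > "$backup" || return 1
    echo "iptables-restore < $backup" | at now + 5 minutes || return 1
    class_rules | iptables-restore
}

case "${1:-}" in
    --apply) apply_with_safety_net "${2:-}" ;;
    *)       class_rules ;;
esac
```

With no arguments the script only prints the ruleset, so it is safe to run anywhere; `--apply` (as root) saves the live rules, arms the rollback and loads the new table. iptables-restore replaces the whole filter table at once, so the order of the -A lines in the file is the order the rules are evaluated in, exactly as with the -A commands above.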
- Aug 03 Mon 2009 11:44
[Misc] RHCE notes - RH253 Unit 4 (1)