Network Resource Access Controls

*Netfilter
#iptables

#chkconfig --list iptables
iptables 0:off 1:off 2:on 3:on 4:on 5:on 6:off

(1) Rule Targets
DROP, ACCEPT, LOG, REJECT, custom chain

(2) Basic Chain
-L (list rules)
options: -n -v --line-numbers (numeric output, verbose counters, numbered rules)

-A (append a rule to the end of the chain)
-I chain 3 (insert the rule as number 3 of the chain)

-D chain 3 (deletes rule 3 of the chain)
-D chain [Rule] (deletes rule)

-s (source)
-d (destination)

-i (input interface)
-o (output interface)

-s ! 192.168.0.0/24
! = NOT (negation; newer iptables versions want the ! in front of the option: ! -s 192.168.0.0/24)
Ex:
iptables -t filter -A INPUT -s ! 192.168.0.0/24 -j DROP
(DROP everything that is not from the 192.168.0.0/24 subnet, i.e. only let 192.168.0.0/24 through)

-p tcp --dport 80(httpd)
-p udp --dport 53(named)
-p tcp --sport 123
-p udp --sport 123
-p icmp --icmp-type destination-unreachable

#assign chain policy
#iptables -P INPUT DROP (dangerous usage)
by default every INPUT packet is now DROPped
(you must schedule an automatic restore with at now+5min that puts the original settings back, otherwise you are locked out ^^..)
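The at now+5min safety net above, written out as an added example script (not part of the original notes): it snapshots the live ruleset with iptables-save, queues a job that restores it unless a "commit" marker has appeared, and lets you write that marker once you have confirmed you can still log in. The directory name STATE_DIR, the function names and the print_job dry-run stand-in are my own assumptions; the at(1), iptables-save and iptables-restore commands are the real tools.

```shell
#!/bin/sh
# Added example: apply risky firewall changes (e.g. iptables -P INPUT DROP)
# behind a timed, self-cancelling rollback.
# Binaries are variables so the logic can be dry-run: AT=print_job IPT_SAVE=echo
IPT="${IPT:-iptables}"
IPT_SAVE="${IPT_SAVE:-iptables-save}"
IPT_RESTORE="${IPT_RESTORE:-iptables-restore}"
AT="${AT:-at}"
STATE_DIR="${STATE_DIR:-/var/tmp/iptables-guard}"   # constructed path, choose your own

# Dry-run stand-in for at(1): prints the queued job instead of scheduling it.
print_job() { cat; }

# The one-line job the scheduler will run: restore the snapshot only if
# nobody wrote the commit marker in the meantime.
rollback_job() {
    printf '[ -e %s/commit ] || %s < %s/rules.bak\n' \
        "$STATE_DIR" "$IPT_RESTORE" "$STATE_DIR"
}

# Snapshot the live ruleset and queue the rollback N minutes out.
# Call this BEFORE changing any policy or rule.
arm_rollback() {
    minutes="$1"
    mkdir -p "$STATE_DIR" && rm -f "$STATE_DIR/commit" || return 1
    "$IPT_SAVE" > "$STATE_DIR/rules.bak" || return 1
    rollback_job | "$AT" "now + ${minutes} min"
}

# Once a second ssh session proves the box is still reachable, write the
# marker: the pending job becomes a no-op and the new rules stay in place.
confirm_rules() {
    : > "$STATE_DIR/commit"
}

# Typical session (commented out so the file can be sourced safely):
# arm_rollback 5 && "$IPT" -P INPUT DROP && "$IPT" -A INPUT -i lo -j ACCEPT
# ... open a new ssh connection from elsewhere; if it works: confirm_rules
```

If the rollback does fire, the snapshot in rules.bak is the full pre-change state, including the old chain policies, so the restore is exact rather than a best-effort undo of individual commands.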

-Z : zero the byte and packet counters
-N : adds your chain-name
-X : deletes chain

(3) Connection Tracking
NEW, ESTABLISHED, RELATED, INVALID
%requires more memory, do not overuse it

connections stored in /proc
Ex:
/proc/sys/net/ipv4/ip_conntrack
/proc/sys/net/ipv4/netfilter/ip_conntrack_*

ip_conntrack_ftp
ip_nat_ftp

%adding connection tracking helper modules
configuration: /etc/sysconfig/iptables-config
#vi /etc/sysconfig/iptables-config
---omitted---
IPTABLES_MODULES="ip_nat_ftp"
---omitted---

restart after editing
#service iptables restart

-m state --state ESTABLISHED,RELATED (no space after the comma)
-m state --state NEW

%NAT (table)

-t nat -A POSTROUTING
-t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-dest 192.168.0.200:3128


%after writing all the settings
%#service iptables save writes them back to /etc/sysconfig/iptables
%the rules are loaded automatically at boot

(4) Sample /etc/sysconfig/iptables

*create a custom chain called CLASS-RULES and insert a rule at INPUT that jumps all packets to it
#iptables -N CLASS-RULES
#iptables -A INPUT -j CLASS-RULES

*ACCEPT all traffic arriving on the loopback interface(lo)
#iptables -t filter -A CLASS-RULES -i lo -j ACCEPT

*ACCEPT packets that use the icmp protocol
#iptables -t filter -A CLASS-RULES -p icmp -j ACCEPT

*ACCEPT packets with the ESTABLISHED or RELATED state
#iptables -t filter -A CLASS-RULES -m state --state ESTABLISHED,RELATED -j ACCEPT

*ACCEPT packets destined for tcp port 22
#iptables -t filter -A CLASS-RULES -p tcp --dport 22 -j ACCEPT

*ACCEPT packets with the NEW state destined for udp port 514(syslog)
#iptables -t filter -A CLASS-RULES -m state --state NEW -p udp --dport 514 -j ACCEPT

*LOG and REJECT all packets not matched by one of the above rules (both go at the end of CLASS-RULES; LOG does not terminate, so the packet falls through to REJECT)
#iptables -t filter -A CLASS-RULES -j LOG
#iptables -t filter -A CLASS-RULES -j REJECT
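The same CLASS-RULES policy in the iptables-save format that "service iptables save" writes to /etc/sysconfig/iptables, as an added example that is not the original notes' file. Emitting it from a shell function keeps the rule order reviewable in one place, and the small lint function catches the two slips that are easy to make when typing rules by hand: a space inside a --state list and an -A with no chain name. The log prefix and the -m limit rate cap are my additions (real iptables options) so a flood of rejected packets cannot fill the disk with log lines; the function names are assumptions.

```shell
#!/bin/sh
# Added example: the section (4) ruleset as an iptables-restore file,
# plus a lint pass for common hand-typing mistakes.

class_rules_file() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:CLASS-RULES - [0:0]
# hand every inbound packet to the custom chain
-A INPUT -j CLASS-RULES
# loopback and ICMP are accepted unconditionally
-A CLASS-RULES -i lo -j ACCEPT
-A CLASS-RULES -p icmp -j ACCEPT
# replies to connections we already track (no space after the comma)
-A CLASS-RULES -m state --state ESTABLISHED,RELATED -j ACCEPT
-A CLASS-RULES -p tcp --dport 22 -j ACCEPT
-A CLASS-RULES -m state --state NEW -p udp --dport 514 -j ACCEPT
# log (rate-limited, 5 lines per minute) and then reject everything else
-A CLASS-RULES -m limit --limit 5/min -j LOG --log-prefix "CLASS-RULES reject: "
-A CLASS-RULES -j REJECT
COMMIT
EOF
}

# Lint a ruleset file before loading it. Returns non-zero on the first problem.
lint_ruleset() {
    if grep -Eq -e '--state [A-Z]+,( |$)' "$1"; then
        echo "lint: --state list must not contain spaces" >&2
        return 1
    fi
    if grep -Eq -e '^-A[[:space:]]*(-|$)' "$1"; then
        echo "lint: -A needs a chain name" >&2
        return 1
    fi
    if ! grep -q '^COMMIT$' "$1"; then
        echo "lint: table block is missing COMMIT" >&2
        return 1
    fi
}

# Typical use (commented out so the file can be sourced safely):
# class_rules_file > /tmp/rules && lint_ruleset /tmp/rules && iptables-restore < /tmp/rules
# then: service iptables save   (or copy the file to /etc/sysconfig/iptables)
```

iptables-restore ignores lines starting with "#", so the comments can stay in the file; iptables-save will drop them when it rewrites /etc/sysconfig/iptables.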


Posted by aquatower on PIXNET, category: 2006 casual notes