Network Resource Access Controls

*Netfilter

#iptables
#chkconfig --list iptables
iptables 0:off 1:off 2:on 3:on 4:on 5:on 6:off

(1) Rule Targets
DROP, ACCEPT, LOG, REJECT, custom chain

(2) Basic Chain
-L (list rules) options: -nv --line
-A (append a rule)
-I chain 3 (insert as rule 3 of the chain)
-D chain 3 (delete rule 3 of the chain)
-D chain [Rule] (delete the rule matching the given specification)
-s (source)
-d (destination)
-i (input interface)
-o (output interface)
-s ! 192.168.0.0/24    ! = NOT (negation)
Ex: iptables -t filter -A INPUT -s ! 192.168.0.0/24 -j DROP
(everything not from the 192.168.0.0/24 network is dropped, i.e. only 192.168.0.0/24 is let through)
-p tcp --dport 80 (httpd)
-p udp --dport 53 (named)
-p tcp --sport 123
-p udp --sport 123
-p icmp --icmp-type destination-unreachable

#assign chain policy
#iptables -P INPUT DROP (dangerous usage)
By default every INPUT packet is then DROPped (you must schedule an automatic rollback with at now+5min that restores the original settings, otherwise you lock yourself out ^^..)
-Z : zero byte and packet counters
-N : adds your chain-name
-X : deletes chain

(3) Connection Tracking
NEW, ESTABLISHED, RELATED, INVALID
%requires more memory, do not overuse it
connections stored in /proc
Ex: /proc/sys/net/ipv4/ip_conntrack
/proc/sys/net/ipv4/netfilter/ip_conntrack_*
ip_conntrack_ftp
ip_nat_ftp
%connection tracking modules are added in the configuration file /etc/sysconfig/iptables-config:
#vi /etc/sysconfig/iptables-config
---omitted---
IPTABLES_MODULES="ip_nat_ftp"
---omitted---
After editing, restart the service:
#service iptables restart
-m state --state ESTABLISHED,RELATED
-m state --state NEW

%NAT (table)
-t nat -A POSTROUTING
-t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-dest 192.168.0.200:3128

%after writing all the settings:
%#service iptables save
writes the rules back to /etc/sysconfig/iptables
%the rules are read automatically at boot

(4) Sample /etc/sysconfig/iptables
*create a custom chain called CLASS-RULES and insert a rule at INPUT that jumps all packets to it
#iptables -N CLASS-RULES
#iptables -A INPUT -j CLASS-RULES
*ACCEPT all traffic arriving on the loopback interface (lo)
#iptables -t filter -A CLASS-RULES -i lo -j ACCEPT
*ACCEPT packets that use the icmp protocol
#iptables -t filter -A CLASS-RULES -p icmp -j ACCEPT
*ACCEPT packets with the ESTABLISHED or RELATED state
#iptables -t filter -A CLASS-RULES -m state --state ESTABLISHED,RELATED -j ACCEPT
*ACCEPT packets destined for tcp port 22
#iptables -t filter -A CLASS-RULES -p tcp --dport 22 -j ACCEPT
*ACCEPT packets with the NEW state destined for udp port 514 (syslog)
#iptables -t filter -A CLASS-RULES -m state --state NEW -p udp --dport 514 -j ACCEPT
*LOG and REJECT all packets not matched by one of the above rules
#iptables -t filter -A CLASS-RULES -j LOG
#iptables -t filter -A CLASS-RULES -j REJECT
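As an added example (not part of the original notes), a small POSIX sh helper that writes the section (4) ruleset in the iptables-save format that /etc/sysconfig/iptables uses and sanity-checks it before it is loaded with iptables-restore or service iptables restart; the function names and the log prefix are assumptions.

```shell
#!/bin/sh
# Emit the CLASS-RULES policy from section (4) in iptables-save format.
# Hypothetical helper written for this page; the log prefix is an assumption.
gen_class_rules() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:CLASS-RULES - [0:0]
-A INPUT -j CLASS-RULES
-A CLASS-RULES -i lo -j ACCEPT
-A CLASS-RULES -p icmp -j ACCEPT
-A CLASS-RULES -m state --state ESTABLISHED,RELATED -j ACCEPT
-A CLASS-RULES -p tcp --dport 22 -j ACCEPT
-A CLASS-RULES -m state --state NEW -p udp --dport 514 -j ACCEPT
-A CLASS-RULES -j LOG --log-prefix "CLASS-RULES reject: "
-A CLASS-RULES -j REJECT
COMMIT
EOF
}

# Count the rules appended to chain $1 in a ruleset read from stdin.
rules_in_chain() {
    grep -c "^-A $1 "
}

# Check a ruleset read from stdin: every chain named after -A or -j must be
# declared with a ':' line (a typo such as CALSS-RULES would otherwise only
# fail at restore time), and CLASS-RULES must end with the REJECT catch-all.
# Returns 0 when the ruleset passes, 1 otherwise.
check_ruleset() {
    rs=$(cat)
    declared=$(printf '%s\n' "$rs" | sed -n 's/^:\([^ ]*\) .*/\1/p')
    for name in $(printf '%s\n' "$rs" | sed -n 's/^-A \([^ ]*\) .*/\1/p'; \
                  printf '%s\n' "$rs" | sed -n 's/.* -j \([^ ]*\).*/\1/p'); do
        # built-in targets are not chains
        case "$name" in ACCEPT|DROP|REJECT|LOG|DNAT|SNAT|MASQUERADE) continue ;; esac
        printf '%s\n' "$declared" | grep -qx "$name" \
            || { echo "undeclared chain: $name" >&2; return 1; }
    done
    last=$(printf '%s\n' "$rs" | grep '^-A CLASS-RULES ' | tail -n 1)
    case "$last" in
        *"-j REJECT"*) return 0 ;;
        *) echo "CLASS-RULES does not end with REJECT" >&2; return 1 ;;
    esac
}
```

Review the output of gen_class_rules, then load it with iptables-restore as root; the check only catches structural mistakes, not a policy that locks you out.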
2006 casual notes
Posted by aquatower on PIXNET (0 comments, 115 views)