Summary: the document discusses iptables configuration for firewall rules and network address translation (NAT). It gives example rules for basic port forwarding, access control and masquerading of traffic from an internal network; configurations for allowing FTP access from the external network while protecting against port scans, and for giving an internal network Internet access with iptables and NAT; and it ends by explaining how to restore iptables rules from a backup file and how to customise quality-of-service (QoS) settings with the mangle table.

iptables

LINUX

See also: Iptables Tutorial 1.1.19, Iptables Tutorial 1.2.0, iptables Windows, Iptables Tutorial 1.1.14
Loading the rules

IP forwarding has to be switched on; together with the restore command below this goes into /etc/rc.d/rc.local so that it is done at boot:

    echo "1" > /proc/sys/net/ipv4/ip_forward

The rule set used in the examples is kept in the file demo in the directory /usr/local/iptables-restore/ and loaded with:

    /sbin/iptables-restore /usr/local/iptables-restore/demo

The demo machine has two interfaces: eth0 towards the external network and eth1 towards the internal network. To apply a new version of demo:

1. Flush the current rules of the filter and nat tables:

       iptables -F
       iptables -t nat -F

2. Load the rules from the file:

       iptables-restore /usr/local/iptables-restore/demo

3. Check what was actually loaded (-n prints addresses and ports numerically):

       iptables -L -n
       iptables -t nat -L -n

4. The running rule set can be written back to a file with iptables-save, redirecting its output to the file of your choice; the result is in the same format that iptables-restore reads.


How a packet passes through the tables

Packets addressed to the local host:

1. On the wire (e.g. the Internet).
2. Arrive on the interface (e.g. eth0).
3. mangle table, PREROUTING chain: packet headers can be changed here, e.g. the TOS field.
4. nat table, PREROUTING chain: DNAT (Destination Network Address Translation).
5. Routing decision: is the packet for this host or is it to be forwarded?
6. mangle table, INPUT chain.
7. filter table, INPUT chain: all traffic for the local host is filtered here.
8. Delivered to the local process.

Packets created on the local host:

1. Local process.
2. Routing decision.
3. mangle table, OUTPUT chain.
4. nat table, OUTPUT chain (NAT of locally generated packets).
5. filter table, OUTPUT chain.
6. mangle table, POSTROUTING chain.
7. nat table, POSTROUTING chain: SNAT (Source Network Address Translation).
8. Leaves on the interface (e.g. eth0).
9. On the wire (e.g. the Internet).

Packets forwarded through the host:

1. On the wire.
2. Arrive on the interface (e.g. eth0).
3. mangle table, PREROUTING chain (e.g. TOS).
4. nat table, PREROUTING chain: DNAT. SNAT is not done here.
5. Routing decision.
6. mangle table, FORWARD chain.
7. filter table, FORWARD chain: all forwarded traffic, in both directions, is filtered here.
8. mangle table, POSTROUTING chain.
9. nat table, POSTROUTING chain: SNAT, including masquerading.
10. Leaves on the interface (e.g. eth1).
11. On the wire.

So three chains of the filter table matter: FORWARD for traffic passing through the firewall, INPUT for traffic addressed to the firewall itself, and OUTPUT for traffic generated on the firewall (e.g. towards the LAN).

1. A host with two interfaces: protection against port scans

The host has eth0 towards the external network (10.10.10.10 is used as its address in the examples) and eth1 towards the internal network (IP 101.101.101.101). Rules of the filter table:

    -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j LOG --log-level 7 --log-tcpoptions
    -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j REJECT --reject-with icmp-portunreachable
    -A FORWARD -o eth0 -p tcp -j DROP

Every TCP packet arriving on eth0 with SYN set and FIN and ACK clear (a new connection attempt, which is also what a port scanner sends) is first logged at level 7 (debug) together with its TCP options, then rejected with an ICMP port-unreachable, so from outside no TCP port on the host appears open. The FORWARD rule drops all TCP traffic that would be forwarded out through eth0.

2. Opening individual ports

To let mail be delivered to the host from the external network (SMTP, TCP port 25), an ACCEPT rule is appended in front of the logging and reject rules. Rules are evaluated in order and the first match decides, so an ACCEPT placed after the REJECT would never be reached:

    -A INPUT -i eth0 -p tcp --dport 25 -j ACCEPT
    -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j LOG --log-level 7 --log-tcpoptions
    -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j REJECT --reject-with icmp-portunreachable
    -A FORWARD -o eth0 -p tcp -j DROP

To also allow mail to be fetched (POP3, TCP port 110), add one more rule:

    -A INPUT -i eth0 -p tcp --dport 110 -j ACCEPT
    -A INPUT -i eth0 -p tcp --dport 25 -j ACCEPT
    -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j LOG --log-level 7 --log-tcpoptions
    -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j REJECT --reject-with icmp-portunreachable
    -A FORWARD -o eth0 -p tcp -j DROP

If port 110 should be reachable from one address only, e.g. 100.100.100.110, restrict the rule with -s; connections to port 110 from any other address fall through to the reject rules:

    -A INPUT -s 100.100.100.110 -i eth0 -p tcp --dport 110 -j ACCEPT
    -A INPUT -i eth0 -p tcp --dport 25 -j ACCEPT
    -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j LOG --log-level 7 --log-tcpoptions
    -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j REJECT --reject-with icmp-portunreachable
    -A FORWARD -o eth0 -p tcp -j DROP

To allow a second address, 88.88.88.88, add a rule for it:

    -A INPUT -s 88.88.88.88 -i eth0 -p tcp --dport 110 -j ACCEPT
    -A INPUT -s 100.100.100.110 -i eth0 -p tcp --dport 110 -j ACCEPT
    -A INPUT -i eth0 -p tcp --dport 25 -j ACCEPT
    -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j LOG --log-level 7 --log-tcpoptions
    -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j REJECT --reject-with icmp-portunreachable
    -A FORWARD -o eth0 -p tcp -j DROP

To allow the whole network 88.88.88.0 to 88.88.88.255, give the network in CIDR notation:

    -A INPUT -s 88.88.88.0/24 -i eth0 -p tcp --dport 110 -j ACCEPT
    -A INPUT -s 100.100.100.110 -i eth0 -p tcp --dport 110 -j ACCEPT
    -A INPUT -i eth0 -p tcp --dport 25 -j ACCEPT
    -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j LOG --log-level 7 --log-tcpoptions
    -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j REJECT --reject-with icmp-portunreachable
    -A FORWARD -o eth0 -p tcp -j DROP

To allow everyone except the network 88.88.88.0 to 88.88.88.255, negate the source address (the original wrote this as -s ! 88.88.88.0/24; that legacy spelling is still accepted, with a deprecation warning, but ! -s is the current form):

    -A INPUT ! -s 88.88.88.0/24 -i eth0 -p tcp --dport 110 -j ACCEPT
    -A INPUT -s 100.100.100.110 -i eth0 -p tcp --dport 110 -j ACCEPT
    -A INPUT -i eth0 -p tcp --dport 25 -j ACCEPT
    -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j LOG --log-level 7 --log-tcpoptions
    -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j REJECT --reject-with icmp-portunreachable
    -A FORWARD -o eth0 -p tcp -j DROP

In general, a service on the host is opened to the external network with a rule of the form (PORT is a placeholder for the TCP port of the service):

    -A INPUT -i eth0 -p tcp --dport PORT -j ACCEPT

placed in the INPUT chain before the pair of rules that log and reject all other new connections:

    -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j LOG --log-level 7 --log-tcpoptions
    -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j REJECT --reject-with icmp-portunreachable
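The whole section depends on first-match evaluation: an ACCEPT appended before the LOG/REJECT pair wins, one appended after them is shadowed and never reached. As an added example that is not part of the original document, the following Python script parses INPUT rules written in iptables-save syntax (the last rule set above, with the modern ! -s spelling; the legacy -s ! spelling is also understood) and walks them top to bottom for constructed SYN packets, treating LOG as non-terminating and falling back to the chain policy when nothing matches. It implements only the matches this page uses (-i, -s, -p, --dport, --tcp-flags); the constant names, the packet dictionary, the MISORDERED rule set and the sample addresses 9.9.9.9 and 88.88.88.10 are assumptions of the example.

```python
"""First-match evaluator for iptables INPUT rules (added example, not from
the original document). Supports only the matches the page uses: -i, -s
(CIDR, negated as '! -s' or legacy '-s !'), -p, --dport, --tcp-flags.
LOG is non-terminating; ACCEPT/REJECT/DROP end the walk; if no rule
matches, the chain policy from the ':CHAIN POLICY' line applies."""
import ipaddress
import shlex

TERMINAL = {"ACCEPT", "DROP", "REJECT"}

# Rule set from the page: port 110 for everyone except 88.88.88.0/24 (and
# for 100.100.100.110), port 25 for everyone, every other new TCP
# connection arriving on eth0 logged and rejected.
RULESET = """
*filter
:INPUT ACCEPT [0:0]
-A INPUT ! -s 88.88.88.0/24 -i eth0 -p tcp --dport 110 -j ACCEPT
-A INPUT -s 100.100.100.110 -i eth0 -p tcp --dport 110 -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 25 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j LOG --log-level 7 --log-tcpoptions
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j REJECT --reject-with icmp-portunreachable
COMMIT
"""

# Constructed ordering mistake: the port-110 ACCEPT sits after the REJECT,
# so it is shadowed and never reached.
MISORDERED = """
*filter
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j LOG --log-level 7 --log-tcpoptions
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j REJECT --reject-with icmp-portunreachable
-A INPUT -i eth0 -p tcp --dport 110 -j ACCEPT
COMMIT
"""

# Options that take exactly one argument.
TWO_ARG = {"-A", "-i", "-o", "-s", "-d", "-p", "-j", "-m", "--dport", "--sport",
           "--reject-with", "--log-level"}


def parse_rule(line):
    """Turn one '-A CHAIN ...' line into a dict option -> value.
    Negated options are recorded in rule['neg']."""
    toks = shlex.split(line)
    rule = {"neg": set()}
    neg = False
    i = 0
    while i < len(toks):
        tok = toks[i]
        if tok == "!":                      # modern prefix negation: ! -s NET
            neg = True
            i += 1
        elif tok in TWO_ARG:
            val = toks[i + 1]
            if val == "!":                  # legacy infix negation: -s ! NET
                neg = True
                val = toks[i + 2]
                i += 1
            key = tok.lstrip("-")
            rule[key] = val
            if neg:
                rule["neg"].add(key)
                neg = False
            i += 2
        elif tok == "--tcp-flags":          # --tcp-flags MASK COMP
            rule["tcp_flags"] = (set(toks[i + 1].split(",")), set(toks[i + 2].split(",")))
            i += 3
        elif tok == "--log-tcpoptions":     # flag without argument
            i += 1
        else:
            raise ValueError("unsupported token: %s" % tok)
    return rule


def matches(rule, pkt):
    """True if the packet satisfies every match in the rule."""
    def test(key, hit):
        return (not hit) if key in rule["neg"] else hit
    if "i" in rule and not test("i", pkt["iface"] == rule["i"]):
        return False
    if "s" in rule:
        net = ipaddress.ip_network(rule["s"], strict=False)
        if not test("s", ipaddress.ip_address(pkt["src"]) in net):
            return False
    if "p" in rule and not test("p", pkt["proto"] == rule["p"]):
        return False
    if "dport" in rule and not test("dport", pkt.get("dport") == int(rule["dport"])):
        return False
    if "tcp_flags" in rule:                 # flags under MASK must equal COMP exactly
        mask, comp = rule["tcp_flags"]
        if (pkt.get("flags", set()) & mask) != comp:
            return False
    return True


def evaluate(ruleset, chain, pkt, policy="ACCEPT"):
    """Walk the chain top to bottom; return (verdict, rules that logged)."""
    logged = []
    for line in ruleset.strip().splitlines():
        line = line.strip()
        if line.startswith(":%s " % chain):   # ':INPUT ACCEPT [0:0]' sets the policy
            policy = line.split()[1]
            continue
        if not line.startswith("-A"):         # skip *table and COMMIT lines
            continue
        rule = parse_rule(line)
        if rule["A"] != chain or not matches(rule, pkt):
            continue
        if rule["j"] == "LOG":                # LOG does not stop evaluation
            logged.append(line)
        elif rule["j"] in TERMINAL:
            return rule["j"], logged
    return policy, logged


def syn(src, dport, iface="eth0"):
    """A constructed TCP packet with only SYN set (a new connection attempt)."""
    return {"iface": iface, "src": src, "proto": "tcp", "dport": dport, "flags": {"SYN"}}


if __name__ == "__main__":
    for pkt in (syn("9.9.9.9", 110), syn("88.88.88.10", 110), syn("9.9.9.9", 80)):
        print(pkt["src"], pkt["dport"], evaluate(RULESET, "INPUT", pkt))
    print("misordered:", evaluate(MISORDERED, "INPUT", syn("9.9.9.9", 110)))
```

Running it shows a SYN to port 110 from 9.9.9.9 accepted, the same SYN from 88.88.88.10 logged and then rejected, and a SYN to port 80 rejected; with MISORDERED even 9.9.9.9 is rejected on port 110, because the REJECT matches first. A packet with only ACK set never matches the --tcp-flags rules and is left to the policy, which is why the LOG/REJECT pair does not interfere with established connections.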

3. NAT for the internal network

Hosts on the internal network (eth1) reach the outside through eth0, and their source addresses are replaced with the external address of the firewall by SNAT in the POSTROUTING chain of the nat table. With 10.10.10.10 as the external address:

    -A POSTROUTING -o eth0 -j SNAT --to-source 10.10.10.10

The complete file for iptables-restore, with the filter rules of the previous example:

    *nat
    -A POSTROUTING -o eth0 -j SNAT --to-source 10.10.10.10
    COMMIT
    *filter
    -A INPUT -s 88.88.88.88 -i eth0 -p tcp --dport 110 -j ACCEPT
    -A INPUT -s 100.100.100.110 -i eth0 -p tcp --dport 110 -j ACCEPT
    -A INPUT -i eth0 -p tcp --dport 25 -j ACCEPT
    -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j LOG --log-level 7 --log-tcpoptions
    -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j REJECT --reject-with icmp-portunreachable
    -A FORWARD -o eth0 -p tcp -j DROP
    COMMIT

Note that the rule -A FORWARD -o eth0 -p tcp -j DROP is still there. Forwarded packets pass the FORWARD chain of the filter table before they reach POSTROUTING of the nat table, so with this rule no TCP connection from the internal network gets out at all, even though SNAT is configured; the FORWARD chain has to let the traffic through first (see the next example).

If the external address is assigned dynamically (e.g. a PPPoE connection on ppp0), there is no fixed address to put into --to-source; use MASQUERADE instead, which always takes the current address of the outgoing interface:

    -A POSTROUTING -o ppp0 -j MASQUERADE

4. Controlling forwarded traffic

Traffic that passes through the host (from eth1 to eth0 and back) is filtered only in the FORWARD chain of the filter table. The rule

    -A FORWARD -o eth0 -p tcp -j DROP

drops every TCP packet that would leave through eth0, so TCP from the internal network cannot get out. To allow a particular destination, e.g. TCP port 139 on the external host 88.88.88.88, an ACCEPT rule is placed in front of the DROP:

    -A FORWARD -p tcp -d 88.88.88.88 -m tcp --dport 139 -o eth0 -j ACCEPT
    -A FORWARD -o eth0 -p tcp -j DROP

To drop TCP to every destination except the network 88.88.88.0/24, negate the destination (the original wrote -d ! 88.88.88.0/24 and repeated -p tcp, which iptables rejects as a duplicate option; both are fixed here):

    -A FORWARD -p tcp ! -d 88.88.88.0/24 -o eth0 -j DROP

Address ranges that are not CIDR blocks can be matched with the iprange module:

    -A FORWARD -m iprange --src-range 88.88.88.5-88.88.88.124 -j ACCEPT
    -A FORWARD -m iprange --dst-range 10.0.0.0-10.255.255.255 -j ACCEPT

Configuration 1. Internet access for an internal network

The internal network is 168.192.1.0/24 (addresses 168.192.1.1-168.192.1.254, mask 255.255.255.0) on eth1. The firewall has 168.192.1.1 on eth1 and acts as default gateway and DNS address for the workstations 168.192.1.2-168.192.1.254 (their TCP/IP settings: mask 255.255.255.0, gateway 168.192.1.1, DNS 168.192.1.1). The external interface is eth0, or ppp0 for a PPP connection (ppp+ matches any ppp interface).

1. Allow everything between the internal network and the outside, dropping all other forwarded TCP:

       -A FORWARD -s 168.192.1.0/24 -i eth1 -j ACCEPT
       -A FORWARD -d 168.192.1.0/24 -o eth1 -j ACCEPT
       -A FORWARD -o eth0 -p tcp -j DROP
       -A FORWARD -o eth1 -p tcp -j DROP

2. Allow only HTTP (TCP port 80): requests from the internal network to port 80, and replies coming back from port 80:

       -A FORWARD -s 168.192.1.0/24 -p tcp -m tcp --dport 80 -i eth1 -j ACCEPT
       -A FORWARD -d 168.192.1.0/24 -p tcp -m tcp --sport 80 -o eth1 -j ACCEPT
       -A FORWARD -o eth0 -p tcp -j DROP
       -A FORWARD -o eth1 -p tcp -j DROP

3. Several ports at once with the multiport module (FTP, SMTP and POP3):

       -A FORWARD -s 168.192.1.0/24 -p tcp -m multiport --dports 20,21,25,110 -i eth1 -j ACCEPT
       -A FORWARD -d 168.192.1.0/24 -p tcp -m multiport --sports 20,21,25,110 -o eth1 -j ACCEPT
       -A FORWARD -o eth0 -p tcp -j DROP
       -A FORWARD -o eth1 -p tcp -j DROP

   Matching replies by source port alone means that any external host sending from port 80 or 20 is let in; the state match used in Configuration 2 (ESTABLISHED,RELATED) is the more precise way to admit return traffic.

4. The complete configuration for iptables-restore (the original wrote -p !icmp; current iptables requires the negation in front of the option):

       *nat
       :PREROUTING ACCEPT [0:0]
       :POSTROUTING ACCEPT [0:0]
       :OUTPUT ACCEPT [0:0]
       -A POSTROUTING -o eth0 -j MASQUERADE
       COMMIT
       *filter
       :INPUT ACCEPT [0:0]
       :FORWARD ACCEPT [0:0]
       :OUTPUT ACCEPT [0:0]
       -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j LOG --log-level 7 --log-tcpoptions
       -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j REJECT --reject-with icmp-portunreachable
       -A FORWARD -s 168.192.1.0/24 -p icmp -i eth1 -j ACCEPT
       -A FORWARD -d 168.192.1.0/24 -p icmp -o eth1 -j ACCEPT
       -A FORWARD -s 168.192.1.0/24 -p udp -m udp --dport 53 -i eth1 -j ACCEPT
       -A FORWARD -d 168.192.1.0/24 -p udp -m udp --sport 53 -o eth1 -j ACCEPT
       -A FORWARD -s 168.192.1.0/24 -p tcp -m multiport --dports 20,21,25,80,110,8080 -i eth1 -j ACCEPT
       -A FORWARD -d 168.192.1.0/24 -p tcp -m multiport --sports 20,21,25,80,110,8080 -o eth1 -j ACCEPT
       -A FORWARD -s 168.192.1.0/24 ! -p icmp -m state --state INVALID -i eth1 -j DROP
       -A FORWARD -d 168.192.1.0/24 ! -p icmp -m state --state INVALID -o eth1 -j DROP
       -A FORWARD -o eth0 -j DROP
       -A FORWARD -o eth1 -j DROP
       COMMIT

What this configuration does:

1. The internal network is masqueraded behind eth0.
2. New TCP connections to the firewall itself arriving on eth0 are logged and rejected.
3. ICMP (ping) is allowed in both directions for 168.192.1.1-168.192.1.254.
4. DNS queries (UDP port 53) from the internal network and their replies are allowed.
5. TCP to ports 20, 21, 25, 80, 110 and 8080 (FTP, mail, HTTP) from 168.192.1.1-168.192.1.254 and replies from those ports are allowed.
6. Non-ICMP packets the connection tracker marks INVALID are dropped (the ! negates -p icmp), and everything else forwarded in either direction is dropped.

The configuration is loaded with iptables-restore from the demo file.

Configuration 2. An FTP server on the external interface, with connection tracking

Protocols such as FTP, ICQ and IRC open additional connections besides the control connection. With active FTP the server itself opens the data connection (FTP-Data, from TCP port 20) back to the client; with passive FTP the client opens a second connection to a port the server chooses. Connection tracking, with the FTP helper module loaded (nf_conntrack_ftp; ip_conntrack_ftp on older kernels), follows the FTP control session on port 21 and marks those extra connections RELATED, so they can be allowed without opening any further port:

    -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i eth0 -p tcp --dport 21 -j ACCEPT

Variant 1: port 21 is open, packets belonging to related and established connections are accepted, every other new connection on eth0 is logged and rejected:

    *filter
    -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i eth0 -p tcp --dport 21 -j ACCEPT
    -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j LOG --log-level 7 --log-tcpoptions
    -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j REJECT --reject-with icmp-portunreachable
    -A FORWARD -o eth0 -p tcp -j DROP
    COMMIT

Variant 2, as given in the original, adds a REJECT for RELATED,ESTABLISHED after the ACCEPT; because the ACCEPT above it matches the same packets first, that REJECT is never reached:

    *filter
    -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i eth0 -p tcp --dport 21 -j ACCEPT
    -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j REJECT
    -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j LOG --log-level 7 --log-tcpoptions
    -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j REJECT --reject-with icmp-portunreachable
    -A FORWARD -o eth0 -p tcp -j DROP
    COMMIT

QoS with the mangle table

The TOS field of outgoing packets (OUTPUT chain) and incoming packets (PREROUTING chain) is set in the mangle table. Two user-defined chains, outtos and pretos, are created and each built-in chain jumps to its own. Interactive traffic (SSH, port 22, and the FTP control connection, port 21) gets TOS 0x10 (Minimize-Delay); FTP data (port 20) gets 0x08 (Maximize-Throughput):

    *mangle
    :PREROUTING ACCEPT [0:0]
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    :outtos - [0:0]
    :pretos - [0:0]
    -A PREROUTING -j pretos
    -A OUTPUT -j outtos
    -A outtos -p tcp -m tcp --dport 22 -j TOS --set-tos 0x10
    -A outtos -p tcp -m tcp --sport 22 -j TOS --set-tos 0x10
    -A outtos -p tcp -m tcp --dport 21 -j TOS --set-tos 0x10
    -A outtos -p tcp -m tcp --sport 21 -j TOS --set-tos 0x10
    -A outtos -p tcp -m tcp --sport 20 -j TOS --set-tos 0x08
    -A outtos -p tcp -m tcp --dport 20 -j TOS --set-tos 0x08
    -A pretos -p tcp -m tcp --dport 22 -j TOS --set-tos 0x10
    -A pretos -p tcp -m tcp --sport 22 -j TOS --set-tos 0x10
    -A pretos -p tcp -m tcp --dport 21 -j TOS --set-tos 0x10
    -A pretos -p tcp -m tcp --sport 21 -j TOS --set-tos 0x10
    -A pretos -p tcp -m tcp --sport 20 -j TOS --set-tos 0x08
    -A pretos -p tcp -m tcp --dport 20 -j TOS --set-tos 0x08
    COMMIT

The complete iptables file for the FTP server with these QoS settings:

    *mangle
    :PREROUTING ACCEPT [0:0]
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    :outtos - [0:0]
    :pretos - [0:0]
    -A PREROUTING -j pretos
    -A OUTPUT -j outtos
    -A outtos -p tcp -m tcp --dport 22 -j TOS --set-tos 0x10
    -A outtos -p tcp -m tcp --sport 22 -j TOS --set-tos 0x10
    -A outtos -p tcp -m tcp --dport 21 -j TOS --set-tos 0x10
    -A outtos -p tcp -m tcp --sport 21 -j TOS --set-tos 0x10
    -A outtos -p tcp -m tcp --sport 20 -j TOS --set-tos 0x08
    -A outtos -p tcp -m tcp --dport 20 -j TOS --set-tos 0x08
    -A pretos -p tcp -m tcp --dport 22 -j TOS --set-tos 0x10
    -A pretos -p tcp -m tcp --sport 22 -j TOS --set-tos 0x10
    -A pretos -p tcp -m tcp --dport 21 -j TOS --set-tos 0x10
    -A pretos -p tcp -m tcp --sport 21 -j TOS --set-tos 0x10
    -A pretos -p tcp -m tcp --sport 20 -j TOS --set-tos 0x08
    -A pretos -p tcp -m tcp --dport 20 -j TOS --set-tos 0x08
    COMMIT
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i eth0 -p tcp --dport 21 -j ACCEPT
    -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j LOG --log-level 7 --log-tcpoptions
    -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j REJECT --reject-with icmp-portunreachable
    -A FORWARD -o eth0 -p tcp -j DROP
    COMMIT

Configuration 3. Port redirection

To serve HTTP on port 80 of the host 10.1.0.20 (ipweb) from a server that listens on port 8080, the destination port is rewritten in the nat table (the original had -J in the DNAT rule; the option is -j):

    *nat
    -I PREROUTING -d 10.1.0.20 -p tcp --dport 80 -j DNAT --to-destination 10.1.0.20:8080
    -I POSTROUTING -s 10.1.0.20 -o eth0 -p tcp -j SNAT --to-source 10.1.0.20:8080
    COMMIT

To send web requests from the internal network (eth1) to a local proxy on port 3128 without configuring the clients (transparent proxying):

    *nat
    -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128

... (6.11.2006)
