Linux firewall-201503

Linux iptables firewall

Published in: Technology

  1. Linux Firewall and NAT
  2. Outline
     - Introduction to firewalls
     - Linux Firewall
     - Linux IPTables architecture
     - Linux NAT architecture
     - Transparent Proxy setup
  3. Introduction to firewalls
  4. Introduction to firewalls
     - Firewall (防火牆): definition
  5. Introduction to firewalls
     - Firewall (防火牆) types
       - Packet Filtering Firewall (封包過濾防火牆)
       - Proxy Firewall (代理防火牆)
  6. How firewalls work
     - Packet Filtering Firewall (封包過濾防火牆)
       - operates at Layer 2 / Layer 3 and filters packets on their header fields
       - routers commonly provide this kind of filtering
  7. How firewalls work
     - Proxy Firewall (代理防火牆)
       - works at the application layer as a protocol-aware proxy (HTTP, FTP, Socks)
       - the client connects to the Proxy Server, which connects to the outside on its behalf
  8. Packet Filtering Firewall architecture diagram: Internet - Router - internal hosts; addresses shown: 61.16.1.100, 61.16.1.102, 61.16.1.254, 61.16.1.1
  9. Proxy Firewall architecture diagram: Internet - Router - Proxy Server - Switch/HUB - internal hosts; addresses shown: 61.16.1.254, Proxy Server 61.16.1.1 and 192.168.1.254, internal host 192.168.1.1
  10. Linux Firewall
  11. Linux Firewall overview
     - Evolution of the Linux firewall
       - Linux kernel 2.0 used ipfwadm
       - Linux kernel 2.2 used ipchains + ipmasqadm
       - Linux kernel 2.4 and later use iptables
       - ebtables additionally provides filtering for bridged (Layer 2) traffic
  12. Linux IPTables overview
     - Description
       - the firewall mechanism built into Linux kernel 2.4 and later
       - a sub-project of the netfilter project
     - Features
       - supports both ipv4 and ipv6
       - filters packets at Layer 3 (and partly Layer 2)
       - provides NAT (IP and Port translation)
       - matching can be extended through external modules
  13. IPTables filtering criteria
     - Basic criteria: fields of the Layer 3 packet header
       - Source IP, Destination IP
       - Source Port, Destination Port
       - Packet Type (TCP, UDP, ICMP ...)
       - Header Flag (SYN, ACK ...), Length
  14. IPTables filtering criteria
     - Extended criteria (via Match Extension modules)
       - packet type (Unicast, Broadcast, Multicast ...)
       - connection state and other module-specific criteria
       - link-layer address (MAC Address)
  15. Linux IPTables
     - Firewall configuration on RedHat / CentOS Linux
       - rule files
         - /etc/sysconfig/iptables (ipv4)
         - /etc/sysconfig/ip6tables (ipv6)
       - start / stop scripts
         - /etc/init.d/iptables {start | stop | restart}
         - /etc/init.d/ip6tables {start | stop | restart}
  16. IPTables packet-filtering architecture
  17. IPTables architecture
     - IPTables tables
       - iptables is organised as several tables, each holding its own rules
       - a packet is matched against the rules of table1, then table2, and so on
  18. IPTables architecture
     - IPTables tables
       - the iptables tables are: filter table, nat table, mangle table, raw table
  19. IPTables architecture
     - chains in the filter table: INPUT, OUTPUT, FORWARD
  20. IPTables architecture
     - chains in the nat table: PREROUTING, OUTPUT, POSTROUTING
  21. IPTables architecture
     - chains in the mangle table: PREROUTING, POSTROUTING, INPUT, OUTPUT, FORWARD
  22. IPTables packet flow
     - incoming packet → PREROUTING (nat table) → routing decision
       - packet to be forwarded → FORWARD (filter table) → POSTROUTING (nat table) → out
       - packet for this host → INPUT (filter table) → local process
     - locally generated packet → OUTPUT (nat table) → OUTPUT (filter table) → POSTROUTING (nat table) → out
  23. IPTables packet-handling guidelines
     - choosing the table
       - normally only the filter and nat tables are needed
       - filtering packets entering or leaving this host: use the filter table
       - rewriting a packet's IP or Port: use the nat table
  24. IPTables commands
     - Linux IPTables tools
       - set firewall rules: iptables (ipv4), ip6tables (ipv6)
       - save / restore firewall rules: iptables-save and iptables-restore (ipv4), ip6tables-save and ip6tables-restore (ipv6)
  25. IPTables command syntax
     - iptables command format
       - iptables [-t table] cmd rule [options]
       - table: filter (default), nat, mangle, raw
  26. IPTables command syntax
     - commands
       - -A CHAIN: append a rule to the end of CHAIN
       - -D CHAIN: delete a rule from CHAIN
       - -I CHAIN: insert a rule at the head of CHAIN
       - -L [CHAIN]: list the rules of CHAIN
       - -F [CHAIN]: flush the rules of CHAIN
       - -Z [CHAIN]: zero the packet and byte counters of CHAIN
       - -P [CHAIN]: set the default policy of CHAIN
       - -X [CHAIN]: delete a user-defined CHAIN
  27. IPTables command syntax
     - listing the current firewall rules
       - use iptables-save, or
       - use iptables -L -n -t <tablename>
         - -n: no name resolution (ip and port are shown as numbers)
         - add -v to show more detail
  28. IPTables command syntax
     - clearing existing rules
       - -F flushes the rules of the chains in a table
       - -X deletes user-defined chains
       - clear both the filter and nat tables:
         - iptables -F          # filter table
         - iptables -X          # filter table
         - iptables -F -t nat   # nat table
         - iptables -X -t nat   # nat table
  29. IPTables rule syntax
     - address criteria
       - -s [!] address[/mask]: source address; ! negates the match
       - -d [!] address[/mask]: destination address; ! negates the match
  30. IPTables rule syntax
     - interface criteria
       - -i interface or -o interface
       - the interface the packet arrives on (-i) or leaves from (-o)
       - when omitted, the rule applies to all interfaces
       - eth+ matches eth0, eth1, ...
  31. IPTables rule syntax
     - protocol criteria
       - -p protocol: the packet's protocol (tcp, udp, icmp)
       - -p icmp can be combined with --icmp-type to select the icmp type
       - iptables -p icmp -h lists the available icmp types
  32. IPTables rule syntax
     - port criteria
       - --sport (--source-port): source port; port1:port2 means the range port1 to port2
       - --dport (--destination-port): destination port; port1:port2 means the range port1 to port2
  33. IPTables rule syntax
     - action
       - -j TARGET: what to do with a packet that matches the rule
       - common TARGETs: ACCEPT, DROP, REJECT ...
  34. IPTables rule syntax
     - built-in targets
       - ACCEPT: let the packet through
       - DROP: discard the packet silently
       - REJECT: like DROP, but an error reply is returned to the sender
  35. IPTables rule syntax
     - built-in targets (continued)
       - QUEUE: hand the packet to a User Space program
       - RETURN: stop traversing this chain and return to the calling chain
       - SNAT: source NAT, rewrite the packet's source IP or port
       - DNAT: destination NAT, rewrite the packet's destination IP or port
  36. IPTables rule syntax
     - built-in targets (continued)
       - REDIRECT: redirect the packet to a port on this host
       - MASQUERADE: IP masquerading, a form of SNAT
       - LOG: write the packet's details to the system log
       - ULOG: pass the packet's details to ulogd
  37. IPTables startup
     - start-up script
       - rules are commonly placed in /etc/rc.local
       - /etc/rc.local is the last script run during boot, so the firewall script can be written separately and called from there
       - to trace the script while it runs: sh -x /etc/rc.local
  38. IPTables configuration examples
     - clear all iptables firewall rules
       - iptables -F          # filter table
       - iptables -X          # filter table
       - iptables -F -t nat   # nat table
       - iptables -X -t nat   # nat table
       - iptables -Z          # filter table
       - iptables -Z -t nat   # nat table
  39. IPTables configuration examples
     - block 192.168.2.1 from accessing this host
       - iptables -A INPUT -s 192.168.2.1 -j DROP
     - block 192.168.2.1 from using this host's ssh service
       - iptables -A INPUT -s 192.168.2.1 -p tcp --dport 22 -j DROP
  40. IPTables configuration examples
     - block ping (icmp echo-request) to this host
       - iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
     - block ssh connections arriving on eth1
       - iptables -A INPUT -i eth1 -p tcp --dport 22 -j DROP
  41. IPTables configuration examples
     - allow all traffic on the loopback interface
       - iptables -A INPUT -i lo -j ACCEPT
     - allow only 192.168.2.0/24 to use this host's ssh service
       - iptables -A INPUT -s 192.168.2.0/24 -p tcp --dport 22 -j ACCEPT
       - iptables -A INPUT -p tcp --dport 22 -j DROP
  42. IPTables configuration examples
     - allow 192.168.2.0/24 to use ssh, except 192.168.2.100 (rules are matched in order, so the host rule must come before the subnet rule)
       - iptables -A INPUT -s 192.168.2.100 -p tcp --dport 22 -j DROP
       - iptables -A INPUT -s 192.168.2.0/24 -p tcp --dport 22 -j ACCEPT
       - iptables -A INPUT -p tcp --dport 22 -j DROP
  43. IPTables configuration examples
     - block 192.168.2.0/24 from using ssh, except 192.168.2.100 (again the host rule comes first)
       - iptables -A INPUT -s 192.168.2.100 -p tcp --dport 22 -j ACCEPT
       - iptables -A INPUT -s 192.168.2.0/24 -p tcp --dport 22 -j DROP
  44. IPTables match extensions
     - Match Extension
       - iptables can load extra modules that add matching criteria beyond the basic header fields
       - -m <module> selects the module; the module's own options then become available
  45. IPTables match extensions
     - commonly used modules
       - mac: source mac address
       - multiport: multi-port match
       - length: packet length
       - owner: locally-generated packets by someone
       - state: connection state
  46. IPTables match extensions
     - mac module: match the source MAC address
       - option: --mac-source HWADDR
       - example: block packets entering from the LAN host whose MAC address is 00:10:22:EF:90:3E
         - iptables -A INPUT -i eth0 -m mac --mac-source 00:10:22:EF:90:3E -j DROP
  47. IPTables match extensions
     - multiport module: match several ports in one rule
       - options: --sports [port,...], --dports [port,...]
       - example: block 192.168.1.1 from reaching tcp ports 25, 80 and 110 on this host
         - iptables -A INPUT -s 192.168.1.1 -p tcp -m multiport --dports 25,80,110 -j DROP
  48. IPTables match extensions
     - length module: match on the total packet length
       - option: [!] --length length[:length]
       - example: block icmp echo-request packets whose length is not 84 bytes
         - iptables -A INPUT -p icmp --icmp-type echo-request -m length ! --length 84 -j DROP
  49. IPTables match extensions
     - owner module: match on the local user whose process generated the packet
       - option: --uid-owner username
       - example: block processes of user peter from connecting to outside ssh services
         - iptables -A OUTPUT -p tcp --dport 22 -m owner --uid-owner peter -j DROP
  50. IPTables match extensions
     - state module: match on the connection-tracking state of the packet
       - option: --state state[,...]
       - NEW: packet that starts a new connection
       - ESTABLISHED: packet belonging to an already established connection
       - RELATED: packet that starts a new connection related to an existing one, e.g. an FTP data channel or an ICMP error message
       - INVALID: packet that cannot be associated with any known connection
  51. IPTables match extensions
     - Host1 connecting to Host2: the first packet is NEW, the following packets are ESTABLISHED
  52. IPTables match extensions
     - block 192.168.2.1 from initiating connections to this host
       - iptables -A INPUT -i eth0 -s 192.168.2.1 -m state --state NEW -j DROP
     - allow the reply packets of connections that are already established
       - iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
  53. IPTables match extensions
     - allow only ssh connections in and block every other new connection (#1)
       - iptables -A INPUT -p tcp --dport 22 -j ACCEPT
       - iptables -A INPUT -m state --state NEW -j DROP
  54. IPTables default policy
     - Description
       - the policy is the action applied to a packet that matches none of the rules in a chain
       - syntax: -P [chain-name] [ACCEPT | DROP]
     - examples
       - iptables -P INPUT ACCEPT
       - iptables -P INPUT DROP
  55. IPTables default policy
     - example with default ACCEPT (only ftp and ssh allowed in, everything else blocked)
       - iptables -F
       - iptables -X
       - iptables -P INPUT ACCEPT
       - iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
       - iptables -A INPUT -i lo -j ACCEPT
       - iptables -A INPUT -p tcp --dport 21 -j ACCEPT
       - iptables -A INPUT -p tcp --dport 22 -j ACCEPT
       - iptables -A INPUT -m state --state NEW -j DROP
  56. IPTables default policy
     - example with default DROP (same result: only ftp and ssh allowed in, everything else blocked)
       - iptables -F
       - iptables -X
       - iptables -P INPUT DROP
       - iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
       - iptables -A INPUT -i lo -j ACCEPT
       - iptables -A INPUT -p tcp --dport 21 -j ACCEPT
       - iptables -A INPUT -p tcp --dport 22 -j ACCEPT
  57. Firewall and FTP
     - only ssh and ftp allowed in, everything else blocked
       - iptables -A INPUT -i lo -j ACCEPT
       - iptables -A INPUT -p tcp --dport 21 -j ACCEPT
       - iptables -A INPUT -p tcp --dport 22 -j ACCEPT
       - iptables -A INPUT -m state --state NEW -j DROP
     - the problem with this configuration
       - FTP does not run over a single port: besides port 21 for commands, an ftp session opens further ports to transfer data
  58. Firewall and FTP
     - FTP uses two channels
       - Command Channel: carries the commands (normally Port 21)
       - Data Channel: carries directory listings and file contents
       - the data channel is set up in one of two modes, Active Mode or Passive Mode
       - the two modes differ in which ports are used and which side opens the data connection
  59. Firewall and FTP
     - Active Mode diagram: hosts A and B with the command channel (client port 2000 to server port 21) and the data channel (server port 20 to client port 2100)
  60. Firewall and FTP
     - Active Mode
       - the client opens the command channel from a port above 1024 to the server and, with the PORT command, tells the server which port it is listening on for data
       - the server then connects from its port 20 to that client port to transfer the data
     - Active Mode connections
       - Command: (client > port 1024) → server port 21
       - Data: server port 20 → (client > port 1024)
  61. Firewall and FTP
     - Passive Mode diagram: command channel and data channel, both opened by the client
  62. Firewall and FTP
     - Passive Mode
       - the client sends the PASV command to ask the server to use Passive Mode for the data channel
       - the server opens a port above 1024 for data and tells the client which port it is
       - the client connects to that server port to transfer the data
     - Passive Mode connections
       - Command: (client > port 1024) → server port 21
       - Data: (client > port 1024) → (server > port 1024)
  63. Firewall and FTP
     - configuration: only ssh and ftp allowed in, everything else blocked, with the FTP data channels tracked as RELATED
       - modprobe nf_conntrack_ftp
       - iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
       - iptables -A INPUT -i lo -j ACCEPT
       - iptables -A INPUT -p tcp --dport 21 -j ACCEPT
       - iptables -A INPUT -p tcp --dport 22 -j ACCEPT
       - iptables -A INPUT -m state --state NEW,INVALID -j DROP
  64. NAT architecture
  65. NAT overview
     - NAT (Network Address Translation)
       - NAT rewrites the IP addresses of packets passing through the NAT host
       - NAT comes in two forms, SNAT and DNAT
  66. NAT architecture diagram: internal hosts 192.168.1.1, 192.168.1.2, 192.168.1.3 - NAT Server (Internal 192.168.1.254, External 61.16.1.1) - gateway 61.16.1.254 - Internet
  67. NAT and Private IP
     - Description
       - private IP addresses are used only inside the internal network and cannot be used on the internet directly
       - RFC 1918 Private IP ranges
         - Class A: 10.0.0.0 ~ 10.255.255.255
         - Class B: 172.16.0.0 ~ 172.31.255.255
         - Class C: 192.168.0.0 ~ 192.168.255.255
  68. NAT overview
     - NAT types
       - SNAT: rewrites the source IP of the packet; used to let internal hosts with Private IP addresses reach the Internet
       - DNAT: rewrites the destination IP of the packet; used to let outside hosts reach an internal server
  69. NAT architecture diagram: SNAT
     - clients in 192.168.1.0/24 (NAT Router 192.168.1.254/24) reach the Internet; the NAT Router rewrites their source address to its external address 61.16.1.1
  70. NAT architecture diagram: DNAT
     - connections from the Internet to 61.16.1.1:80 are forwarded by the NAT Router to the internal host 192.168.1.1:80
  71. IP Forwarding
     - Linux Kernel IPv4 Forwarding
       - Description: whether Linux forwards packets between its interfaces (IP Forward) is controlled by a kernel setting
       - setting file: /proc/sys/net/ipv4/ip_forward
       - how to set it
         - enable: echo 1 > /proc/sys/net/ipv4/ip_forward
         - disable: echo 0 > /proc/sys/net/ipv4/ip_forward
  72. IP Forwarding
     - IPv4 Forward control in IPTables
       - Description: with ip forwarding enabled in the kernel, iptables decides which forwarded packets pass, through the FORWARD chain
       - how to set it
         - allow all forwarding: iptables -P FORWARD ACCEPT
         - block all forwarding: iptables -P FORWARD DROP
  73. IP Forwarding
     - IPv4 Forward control in IPTables
       - example: forward everything except packets from 192.168.1.1
         - iptables -P FORWARD ACCEPT
         - iptables -A FORWARD -s 192.168.1.1 -j DROP
  74. SNAT setup
     - SNAT in IPTables
       - syntax
         - -j SNAT --to-source ipaddr[-ipaddr][:port-port]
         - -j MASQUERADE
       - where it is used
         - only in the POSTROUTING chain of the nat table
  75. SNAT setup
     - SNAT in IPTables
       - example: let the Private IP hosts reach the Internet through SNAT, using a rule with the MASQUERADE target
         - echo "1" > /proc/sys/net/ipv4/ip_forward
         - iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j MASQUERADE
  76. SNAT setup
     - SNAT in IPTables
       - example: the same, using a rule with the SNAT target
         - echo "1" > /proc/sys/net/ipv4/ip_forward
         - iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j SNAT --to-source <external_ip>
  77. SNAT and FTP
     - SNAT + FTP in IPTables
       - for FTP to work correctly through NAT, the nf_nat_ftp kernel module must be loaded
       - configuration
         - modprobe nf_nat_ftp
         - echo "1" > /proc/sys/net/ipv4/ip_forward
         - iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j MASQUERADE
  78. DNAT setup
     - DNAT in IPTables
       - Description: rewrites the destination address of incoming packets so that they are delivered to an internal host
       - syntax
         - -j DNAT --to-destination ipaddr[-ipaddr][:port-port]
       - where it is used
         - only in the PREROUTING and OUTPUT chains of the nat table
  79. DNAT setup
     - DNAT in IPTables
       - examples
         - iptables -A PREROUTING -t nat -p tcp -d 61.16.1.1 --dport 80 -j DNAT --to-destination 192.168.1.100:80 (connections from outside to 61.16.1.1:80 are DNATed to 192.168.1.100:80)
         - iptables -A PREROUTING -t nat -d 61.16.1.2 -j DNAT --to-destination 192.168.1.101 (connections from outside to 61.16.1.2 are DNATed to 192.168.1.101)
  80. Transparent Proxy architecture
  81. Transparent Proxy
     - Description
       - a transparent proxy: the Client needs no proxy settings; its outgoing connections are intercepted and handed to the proxy, which connects to the outside on its behalf
       - normally deployed together with a NAT gateway
  82. Transparent Proxy architecture diagram: internal hosts 192.168.1.1, 192.168.1.2, 192.168.1.3 - Switch / HUB - Proxy Server + NAT (eth1: 192.168.1.254) - gateway 61.16.1.254
  83. Transparent Proxy
     - squid proxy: squid.conf setting
       - http_port 3128 transparent
     - iptables configuration
       - echo 1 > /proc/sys/net/ipv4/ip_forward
       - iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j MASQUERADE
       - iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth1 -s 192.168.1.0/24 -j REDIRECT --to-ports 3128
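As an added example (not part of the original slide deck), the script below combines the default-DROP INPUT ruleset of slides 56 and 63 with the NAT and transparent-squid rules of slide 83 into one iptables-restore file, the format iptables-save emits and /etc/sysconfig/iptables stores, and checks the rule ordering the FTP discussion depends on. The interface names (eth0 Internet side, eth1 LAN), the 192.168.1.0/24 network and squid port 3128 are assumptions taken from the slide 82 diagram; only apply_rules touches the kernel and needs root.

```shell
#!/bin/sh
# Added example, not part of the original slide deck: build the deck's
# default-DROP INPUT ruleset (slides 56/63) plus the NAT + transparent
# squid rules (slide 83) as one iptables-restore file, the format that
# iptables-save emits and /etc/sysconfig/iptables stores.
# Assumed topology: eth0 = Internet side, eth1 = LAN 192.168.1.0/24,
# squid listening on 3128 (see the slide 82 diagram).
LAN_NET="192.168.1.0/24"
LAN_IF="eth1"
WAN_IF="eth0"
PROXY_PORT="3128"

build_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 21 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW,INVALID -j DROP
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $PROXY_PORT
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
COMMIT
EOF
}

# 1-based line number of the first line of $1 matching pattern $2 (empty if none)
rule_line() {
  printf '%s\n' "$1" | grep -n -- "$2" | head -n 1 | cut -d: -f1
}

# The ESTABLISHED,RELATED accept must precede the NEW,INVALID drop: the FTP
# data channel is only RELATED (via nf_conntrack_ftp) and would be dropped
# otherwise. Returns 0 when the order is right.
check_order() {
  rs=$(build_ruleset)
  est=$(rule_line "$rs" 'ESTABLISHED,RELATED -j ACCEPT')
  drop=$(rule_line "$rs" 'NEW,INVALID -j DROP')
  [ -n "$est" ] && [ -n "$drop" ] && [ "$est" -lt "$drop" ]
}

# Load the FTP helpers, enable forwarding and install the ruleset (root only).
apply_rules() {
  modprobe -a nf_conntrack_ftp nf_nat_ftp
  echo 1 > /proc/sys/net/ipv4/ip_forward
  build_ruleset | iptables-restore
}

check_order && build_ruleset
```

Run as-is it only prints the generated file after the ordering check passes; the same text can be saved as /etc/sysconfig/iptables on the RedHat/CentOS systems the deck targets.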
  84. 84. Thank you
