Chapter 5. rc.firewall file

FORWARD chain

If the packet is destined to or from our local net it will be routed to the FORWARD chain. If the packet comes from our LAN we just ACCEPT it as it is, no more, no less. If we wanted to, we could accept only SYN packets, but I am skipping that for now. If the packet is destined to our local net, on the other hand, we only match packets in ESTABLISHED or RELATED streams, since we don't want hosts from the outside to be able to establish new connections to our LAN. If none of these rules match, the packet gets DROPed by our chain policy.

The OUTPUT chain is rather straightforward. We allow everything from localhost to go out, we allow everything from our own local network's IP to go out, and last of all we allow everything from our own IP to go out to the Internet. In certain cases you might want to just erase all this; just don't forget to also erase the default policy of the OUTPUT chain, which is set to DROP everything.

Setting up the different chains used

So, now that you have a small picture of how the packet traverses the different chains and how they belong together, we will take care of setting it all up. First of all, we set the default policies on the different chains with a quite simple command, iptables -P. The default policy is used every time a packet doesn't match any rule in the chain. After this, we create the different special chains that we want to use with the -N command. The new chains are created and set up with no rules inside of them. The chains we will use are icmp_packets, tcp_packets, udpincoming_packets and the allowed chain for tcp_packets. Incoming packets on eth0 of ICMP type will be redirected to the chain icmp_packets, those of TCP type will be redirected to tcp_packets, and incoming packets of UDP type from eth0 go to the udpincoming_packets chain.

PREROUTING chain of the nat table

The PREROUTING chain is pretty much what it says: it does network address translation on packets before they actually hit the routing tables that send them onwards to the INPUT or FORWARD chains in the filter table. Note that this chain should not be used for any filtering or such; it should be used for network address translation, among other things because this chain is only traversed by the first packet in a stream.

First of all we check for obviously spoofed IP addresses, such as when we get packets from the Internet interface that claim to have a source IP of 192.168.x.x, 10.x.x.x or 172.16.x.x. In that case we drop them quicker than hell, since these IPs are reserved especially for local intranets and definitely shouldn't be used on the Internet. This might be used in the opposite direction too: if we get a packet from $LAN_IFACE that claims not to come from an IP address in the range we know our LAN is on, we might drop that as well. As it looks now, we don't do that though.

INPUT chain

The INPUT chain as I have written it uses mostly other chains to do the hard work. This way we don't get too much load from iptables, and it will work much better on slow machines which might otherwise drop packets at high loads.

We do certain checks for bad packets here. If you want to fully understand this, you need to look at the Appendices regarding state NEW and non-SYN packets getting through other rules. These packets could be allowed under certain circumstances, but in 99% of the cases we wouldn't want them to get through. Hence, we log them and then we DROP them.

First of all we match all ICMP packets in the INPUT chain that come in on the incoming interface $INET_IFACE, which in my case is eth0, and send those to the icmp_packets chain described previously. After this, we do the same match for TCP packets on $INET_IFACE and send those to the tcp_packets chain, and after that all UDP packets get sent to the udpincoming_packets chain.

Finally, we check for everything that comes from our $LOCALHOST_IP, which would normally be 127.1, and ACCEPT all incoming traffic from there; we do the same for everything to $LAN_IP, which in my case would be 192.168.0/24; and after this, something that some might consider a security problem, I allow everything that comes from my own Internet IP that is either ESTABLISHED or RELATED to some connection. Also, we allow broadcast traffic from our LAN; some applications such as Samba depend on it and will not work properly without it.

Before we hit the default policy of the INPUT chain, we log the packet so we might be able to find out about possible problems and/or bugs. It might be a packet we just don't want to allow, it might be someone doing something bad to us, or finally it might be a problem in our firewall not allowing traffic that should be allowed. In either case we want to know about it so it can be dealt with. We don't log more than 3 packets per minute, though, so as not to get the log files flooded with crap, and we set a prefix on all log entries so we know where they came from. Everything that hasn't yet been caught will be DROPed by the default policy on the INPUT chain. The default policy was set quite some time back, as you might remember.

The TCP allowed chain

If a packet comes in on eth0 and is of TCP type, it travels through the tcp_packets chain; if the connection is against an allowed port, we want to do some final checks on it to see if we actually do want to allow it or not.

First of all, we create the chain the same way as all the others. After that, we check if the packet is a SYN packet. If it is a SYN packet, it is most likely the first packet in a new connection, so of course we allow this. Then we check if the packet comes from an ESTABLISHED or RELATED connection; if it does, then we, again of course, allow it. An ESTABLISHED connection is a connection that has seen traffic in both directions, and since we have got a SYN packet and a reply to this SYN packet, the connection must then be in state ESTABLISHED. The last rule in this chain will DROP everything else. In this case this pretty much means everything that hasn't seen traffic in both directions, i.e. we didn't reply to the SYN packet, or they are trying to start the connection with a non-SYN packet. There is no practical use in not starting a connection with a SYN packet, except pretty much to portscan people. There is no currently available TCP/IP implementation that supports opening a TCP connection with something other than a SYN packet, to my knowledge; hence, DROP the crap since it's 99% sure to be a portscan.

The ICMP chain

This is where we decide what ICMP types to allow. If a packet of ICMP type comes in on eth0 on the INPUT chain, we redirect it to the icmp_packets chain as explained before. Here we check what kind of ICMP types to allow. As it is now, I only allow incoming ICMP Echo Replies, Destination Unreachable, Redirect and Time Exceeded. The reasons that I allow these ICMP packets are as follows. Echo Reply is what you get for example when you ping another host; if we don't allow this, we will be unable to ping other hosts. Destination Unreachable is used if a certain host is unreachable, so for example if we send an HTTP request and the host is unreachable, the last gateway that was unable to find the route to the host replies with a Destination Unreachable telling us that it was unable to find it.
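As an added example (not the tutorial's own rc.firewall), a minimal script that lays out the chains and rules the sections above describe in one place: default policies, the four special chains, the anti-spoofing rules in nat PREROUTING, and the INPUT, FORWARD and OUTPUT dispatch. The interface names, addresses, the allowed port 22 and the INET_IP variable are constructed assumptions; IPTABLES defaults to echo so the generated rule set can be reviewed without root.

```shell
#!/bin/sh
# Constructed example, not the tutorial's rc.firewall; interfaces, addresses and
# port 22 are assumptions. IPTABLES defaults to a dry-run printer; set IPTABLES=iptables to apply.
INET_IFACE=${INET_IFACE:-eth0}
LAN_IFACE=${LAN_IFACE:-eth1}
LAN_IP_RANGE=${LAN_IP_RANGE:-192.168.0.0/24}
LOCALHOST_IP=${LOCALHOST_IP:-127.0.0.1}
INET_IP=${INET_IP:-203.0.113.5}   # documentation address, constructed
IPTABLES=${IPTABLES:-echo iptables}

build_firewall() {
  # Default policies: a packet matching no rule in a chain is dropped.
  $IPTABLES -P INPUT DROP
  $IPTABLES -P OUTPUT DROP
  $IPTABLES -P FORWARD DROP
  # User-defined chains start out empty.
  for c in icmp_packets tcp_packets udpincoming_packets allowed; do
    $IPTABLES -N "$c"
  done
  # allowed: SYN opens a connection, ESTABLISHED/RELATED continues one, rest dropped.
  $IPTABLES -A allowed -p tcp --syn -j ACCEPT
  $IPTABLES -A allowed -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPTABLES -A allowed -p tcp -j DROP
  # tcp_packets: only explicitly listed ports reach the allowed chain.
  $IPTABLES -A tcp_packets -p tcp -s 0/0 --dport 22 -j allowed
  # icmp_packets: the four ICMP types the text permits inbound.
  for t in echo-reply destination-unreachable redirect time-exceeded; do
    $IPTABLES -A icmp_packets -p icmp --icmp-type "$t" -j ACCEPT
  done
  # nat PREROUTING: private source ranges on the Internet interface are spoofed.
  for net in 192.168.0.0/16 10.0.0.0/8 172.16.0.0/12; do
    $IPTABLES -t nat -A PREROUTING -i "$INET_IFACE" -s "$net" -j DROP
  done
  # INPUT: dispatch by protocol, accept local sources, log, then fall to the DROP policy.
  $IPTABLES -A INPUT -p icmp -i "$INET_IFACE" -j icmp_packets
  $IPTABLES -A INPUT -p tcp -i "$INET_IFACE" -j tcp_packets
  $IPTABLES -A INPUT -p udp -i "$INET_IFACE" -j udpincoming_packets
  $IPTABLES -A INPUT -s "$LOCALHOST_IP" -j ACCEPT
  $IPTABLES -A INPUT -i "$LAN_IFACE" -s "$LAN_IP_RANGE" -j ACCEPT
  $IPTABLES -A INPUT -d "$INET_IP" -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPTABLES -A INPUT -m limit --limit 3/minute -j LOG --log-prefix "IPT INPUT packet died: "
  # FORWARD: the LAN may go out; only replies to existing streams come back in.
  $IPTABLES -A FORWARD -i "$LAN_IFACE" -j ACCEPT
  $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  # OUTPUT: localhost, the LAN range and our own Internet address may send.
  $IPTABLES -A OUTPUT -s "$LOCALHOST_IP" -j ACCEPT
  $IPTABLES -A OUTPUT -s "$LAN_IP_RANGE" -j ACCEPT
  $IPTABLES -A OUTPUT -s "$INET_IP" -j ACCEPT
}
build_firewall
```

Running it as-is prints the rule set in chain order, which is the easiest way to review that the SYN/ESTABLISHED/DROP sequence in allowed and the log rule before the INPUT policy come out as the text describes.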