.unix-fu.org/andreasson/iptables-tutorial/rc.test-iptables.txt

Mangle table

This table should, as we've already noted, mainly be used for mangling packets. In other words, you may freely use the mangle matches etc. that could be used to change TOS (Type Of Service) fields and so on. However, it's strongly advised that you don't use this table to do any filtering in, nor will any DNAT, SNAT or Masquerading work in this table.

Targets that are only valid in the mangle table:

TOS
TTL
MARK

The TOS target is used to set and/or change the Type of Service field in the packet. This could be used for setting up policies on the network regarding how a packet should be routed and so on. Note that this isn't really used on the Internet and most of the routers don't care about the value in this field, and sometimes they act faulty on what they get. In other words, don't set this for packets going to the Internet unless you want to make routing decisions on it with iproute2.

The TTL target is used to change the TTL (Time To Live) field of the packet. We could tell packets to only have a specific TTL and so on. One good reason for this could be that we don't want to give ourselves away to nosy ISPs. Some ISPs do not like users running multiple computers on one single connection, and there are some ISPs known to look for a single host generating many different TTL values, and take this as one of many signs of multiple computers connected to a single connection.

The MARK target is used to set special mark values on the packet. These marks could then be recognised by the iproute2 programs to do different routing on the packet depending on what mark they have, or if they don't have any. We could also do bandwidth limiting and Class Based Queuing with this target.

Nat table

This table should only be used for NAT (Network Address Translation) on different packets. In other words, it should only be used to translate a packet's source field or destination field. Note that, as we have said before, only the first packet in a stream will hit this chain. After this, the rest of the packets will automatically have the same action taken on them as the first packet. The actual targets that do these kinds of things are:

DNAT
SNAT
MASQUERADE

The DNAT (Destination Network Address Translation) target is mainly used in cases such as when you have one IP and want to redirect accesses to the firewall to some other host on a DMZ, for example. In other words, we change the destination address of the packet and reroute it to some other host.

SNAT (Source Network Address Translation) is mainly used for changing the source address of packets. This is mainly done to hide our local networks or DMZ etc. A good example of when this is very useful is when we have a firewall that we know the outside IP address of, but need to change our local network's IP numbers to the IP of our firewall. The firewall will with this target automatically De-SNAT and SNAT the packets, hence making it possible to make connections from the LAN to the Internet. If your network uses 192.168.x.x addresses, for example, the packets would never get back from the Internet because these networks are regulated to be used in LANs by IANA and RFCs.

The MASQUERADE target is used in exactly the same way as SNAT, but the MASQUERADE target takes a little bit more overhead to compute. The reason for this is that each time the MASQUERADE target gets hit by a packet, it automatically checks for the IP address to use, instead of doing as the SNAT target does and just using an IP address submitted while the rule was parsed. The MASQUERADE target will on the other hand work properly with dynamic IP addresses that you may be provided with when you connect to the Internet with, for example, ppp, slip or dhcp.

Filter table

The filter table is, of course, mainly used for filtering packets. We can match packets and filter them however we want, and there's nothing special to this chain or special packets that might slip through because they're malformed, etc. This is the place where we actually take action against packets and look at what they contain and DROP/ACCEPT depending on their payload. Of course we may do filtering earlier too; however, this is the place that was designed for it. Almost all targets are usable in this chain; however, the targets discussed previously in this chapter are only usable in their respective tables. We will not go into deeper discussion about this chain though, as you already know, this is where we (should) do the main filtering.

Notes

1. http://people.unix-fu.org/andreasson/iptables-tutorial/rc.test-iptables.txt

Chapter 5. rc.firewall file

This chapter will deal with an example firewall setup and how the script file would look. We've used one of the basic setups and dug deeper into how it works and what we do in it. This should be used to get a basic idea of how to solve different problems and what you may need to think about before actually putting your scripts into work. It could be used as is with some changes to the variables, but this is not suggested since it may not work perfectly together with your network setup. As long as you have a very basic setup, however, it will very likely run perfectly with just a few fixes to it. Also note that there might be more coding-efficient ways of making the rules; however, the script's been written for readability so that everyone can understand it without having to know BASH scripting beforehand.

example rc.firewall

OK, so you've got everything set up and are ready to check out an example rc.firewall file, or at least you should be. This example rc.firewall.txt [1] (also included as appendix) is large and has lots of comments in it, so look at that and then come back here for more explanations.

explanation of rc.firewall

Initial loading of extra modules

First, we see to it that the module dependency files are up to date by issuing a /sbin/depmod -a command. After this we load some modules that we might be interested in. For example, if you want to have support for the LOG, REJECT and MASQUERADE targets and don't have this compiled statically into your kernel, we load these modules.

Next is the option to load the ipt_owner module, for example to only allow certain users to make certain connections etc. I will not use that in this example, but basically, you could allow only root to do FTP and HTTP connections to redhat and DROP all the others. Or you could disallow all users but your own user and root to connect from your box to the Internet; this might be boring for others, but you will be a bit more secure against bouncing hacker attacks etc.

After this there is the first part used by our state matching filters, the loading of ip_conntrack_ftp and ip_conntrack_irc. To do what I promised in the beginning of this tutorial, disallowing for example passive FTP but allowing DCC sends to work, we load only the ip_conntrack_irc module, but not the ip_conntrack_ftp module. For this to work, these two must not be compiled into the kernel. For the vice versa, where we want passive FTP to work, but not DCC send, we do it the other way around of course: load the ip_conntrack_ftp module, but not the ip_conntrack_irc module.
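The two points above, table placement of targets from chapter 4 and the selective module loading from this section, shown together in a small script skeleton; this is an added example, not the tutorial's own rc.firewall. The interface names, the 192.168.0.0/24 LAN and the 203.0.113.5 static address are assumed values.

```shell
#!/bin/sh
# Added example (not the tutorial's rc.firewall): load only the modules you
# need and put each target in the one table where it is valid. Interfaces,
# networks and the static address are assumed values; set IPTABLES, MODPROBE
# and DEPMOD to "echo" for a dry run that just prints the commands.
IPTABLES=${IPTABLES:-/usr/sbin/iptables}
MODPROBE=${MODPROBE:-/sbin/modprobe}
DEPMOD=${DEPMOD:-/sbin/depmod}
INET_IFACE=${INET_IFACE:-eth0}            # assumed Internet-facing interface
LAN_IFACE=${LAN_IFACE:-eth1}              # assumed LAN interface
LAN_NET=${LAN_NET:-192.168.0.0/24}        # private range, never routed back from the Internet
STATIC_IP=${STATIC_IP-203.0.113.5}        # empty string = dynamic address (ppp, slip, dhcp)
CONNTRACK_HELPER=${CONNTRACK_HELPER:-irc} # "irc" or "ftp": only one of the two gets loaded

load_modules() {
    "$DEPMOD" -a
    for m in ip_tables ip_conntrack iptable_filter iptable_mangle iptable_nat \
             ipt_LOG ipt_REJECT ipt_MASQUERADE; do
        "$MODPROBE" "$m"
    done
    # ip_conntrack_irc without ip_conntrack_ftp: DCC sends work, passive FTP
    # does not; "ftp" is the reverse. Both must be modules, not built-in.
    case "$CONNTRACK_HELPER" in
        irc) "$MODPROBE" ip_conntrack_irc ;;
        ftp) "$MODPROBE" ip_conntrack_ftp ;;
        *)   echo "bad CONNTRACK_HELPER: $CONNTRACK_HELPER" >&2; return 1 ;;
    esac
}

add_rules() {
    # mangle: packet alteration only (a MARK for iproute2); no filtering, no NAT.
    "$IPTABLES" -t mangle -A PREROUTING -s "$LAN_NET" -j MARK --set-mark 1
    # nat: SNAT needs the address when the rule is added; MASQUERADE looks it
    # up per packet, so it is the one that keeps working on a dynamic IP.
    if [ -n "$STATIC_IP" ]; then
        "$IPTABLES" -t nat -A POSTROUTING -o "$INET_IFACE" -j SNAT --to-source "$STATIC_IP"
    else
        "$IPTABLES" -t nat -A POSTROUTING -o "$INET_IFACE" -j MASQUERADE
    fi
    # filter: where ACCEPT/DROP decisions on the traffic itself belong.
    "$IPTABLES" -t filter -P FORWARD DROP
    "$IPTABLES" -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPTABLES" -t filter -A FORWARD -i "$LAN_IFACE" -o "$INET_IFACE" -s "$LAN_NET" -j ACCEPT
}

# Only touch the running kernel when explicitly asked to (needs root).
if [ "${1:-}" = "apply" ]; then
    load_modules && add_rules
fi
```

Run it as `sh script.sh apply` as root to load the modules and rules; without `apply` it only defines the functions, so `IPTABLES=echo MODPROBE=echo DEPMOD=echo` lets you print the commands without touching the kernel.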