1. Netfilter
2. TCP Wrappers (decides by the name of the linked program and the client IP)
3. Proxy: squid

TCP Wrappers is managed through /etc/hosts.allow and /etc/hosts.deny, but a service can only be managed this way if it is one of the following:
1. a service managed by the super daemon (xinetd)
2. a service that supports (links against) the libwrap.so library

[root@szm ~]# chkconfig xinetd on      (xinetd must be enabled, otherwise the command below lists no xinetd-based services)

[root@szm ~]# chkconfig --list

...(output omitted)...

xinetd based services:
        chargen-dgram:  off
        chargen-stream: off
        cvs:            off
        daytime-dgram:  off
        daytime-stream: off
        discard-dgram:  off
        discard-stream: off
        echo-dgram:     off
        echo-stream:    off
        rsync:          off
        tcpmux-server:  off
        telnet:         on
        time-dgram:     off
        time-stream:    off

[root@szm ~]# ldd $(which rsyslogd sshd xinetd httpd)
/sbin/rsyslogd:
        linux-gate.so.1 =>  (0x00348000)
        libz.so.1 => /lib/libz.so.1 (0x005b9000)
        libpthread.so.0 => /lib/libpthread.so.0 (0x0071d000)
        libdl.so.2 => /lib/libdl.so.2 (0x0053d000)
        librt.so.1 => /lib/librt.so.1 (0x001f0000)
        libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x00ca1000)
        libc.so.6 => /lib/libc.so.6 (0x003b0000)
        /lib/ld-linux.so.2 (0x0038a000)
/usr/sbin/sshd:
        linux-gate.so.1 =>  (0x0030c000)
        libfipscheck.so.1 => /usr/lib/libfipscheck.so.1 (0x00321000)
        libwrap.so.0 => /lib/libwrap.so.0 (0x00276000)
        libpam.so.0 => /lib/libpam.so.0 (0x00110000)
        libdl.so.2 => /lib/libdl.so.2 (0x00391000)
        libselinux.so.1 => /lib/libselinux.so.1 (0x00e1d000)
        libaudit.so.1 => /lib/libaudit.so.1 (0x004f7000)
        libresolv.so.2 => /lib/libresolv.so.2 (0x003a4000)
        libcrypto.so.10 => /usr/lib/libcrypto.so.10 (0x00bd5000)
        libutil.so.1 => /lib/libutil.so.1 (0x00900000)
        libz.so.1 => /lib/libz.so.1 (0x004c6000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x00472000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x0011d000)
        libgssapi_krb5.so.2 => /lib/libgssapi_krb5.so.2 (0x00f69000)
        libkrb5.so.3 => /lib/libkrb5.so.3 (0x0014d000)
        libk5crypto.so.3 => /lib/libk5crypto.so.3 (0x0021d000)
        libcom_err.so.2 => /lib/libcom_err.so.2 (0x00ba7000)
        libnss3.so => /usr/lib/libnss3.so (0x005ea000)
        libc.so.6 => /lib/libc.so.6 (0x00722000)
        /lib/ld-linux.so.2 (0x005ca000)
        libfreebl3.so => /lib/libfreebl3.so (0x0027f000)
        libkrb5support.so.0 => /lib/libkrb5support.so.0 (0x009c1000)
        libkeyutils.so.1 => /lib/libkeyutils.so.1 (0x00e93000)
        libpthread.so.0 => /lib/libpthread.so.0 (0x00edb000)
        libnssutil3.so => /usr/lib/libnssutil3.so (0x00529000)
        libplc4.so => /lib/libplc4.so (0x00244000)
        libplds4.so => /lib/libplds4.so (0x00967000)
        libnspr4.so => /lib/libnspr4.so (0x002c9000)
/usr/sbin/xinetd:
        linux-gate.so.1 =>  (0x004b0000)
        libselinux.so.1 => /lib/libselinux.so.1 (0x00aa8000)
        libwrap.so.0 => /lib/libwrap.so.0 (0x00cc3000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x00333000)
        libm.so.6 => /lib/libm.so.6 (0x00f1c000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x002c0000)
        libc.so.6 => /lib/libc.so.6 (0x004b1000)
        libdl.so.2 => /lib/libdl.so.2 (0x00110000)
        /lib/ld-linux.so.2 (0x003f4000)
        libfreebl3.so => /lib/libfreebl3.so (0x006d8000)
/usr/sbin/httpd:
        linux-gate.so.1 =>  (0x00fd5000)
        libm.so.6 => /lib/libm.so.6 (0x00de7000)
        libpcre.so.0 => /lib/libpcre.so.0 (0x00946000)
        libselinux.so.1 => /lib/libselinux.so.1 (0x00395000)
        libaprutil-1.so.0 => /usr/lib/libaprutil-1.so.0 (0x007ec000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x00bc9000)
        libexpat.so.1 => /lib/libexpat.so.1 (0x00a70000)
        libdb-4.7.so => /lib/libdb-4.7.so (0x0056e000)
        libapr-1.so.0 => /usr/lib/libapr-1.so.0 (0x00130000)
        libpthread.so.0 => /lib/libpthread.so.0 (0x00baa000)
        libc.so.6 => /lib/libc.so.6 (0x0015e000)
        /lib/ld-linux.so.2 (0x00110000)
        libdl.so.2 => /lib/libdl.so.2 (0x0073a000)
        libuuid.so.1 => /lib/libuuid.so.1 (0x00c92000)
        libfreebl3.so => /lib/libfreebl3.so (0x002e9000)
rsyslogd and httpd do not link libwrap.so, so TCP Wrappers cannot control them;
sshd and xinetd do (libwrap.so.0 appears in their ldd output).

Lookup order:
1. /etc/hosts.allow
2. /etc/hosts.deny
3. If neither file matches, the connection is allowed

Look up the name of the rsync service's start file (TCP Wrappers matches its rules against the name of the program that starts the service):
[root@szm ~]# cat /etc/xinetd.d/rsync
# default: off
# description: The rsync server is a good addition to an ftp server, as it \
#       allows crc checksumming etc.
service rsync
{
        disable = yes
        flags           = IPv6
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/bin/rsync
        server_args     = --daemon
        log_on_failure  += USERID
}

[root@szm ~]# cat /etc/hosts.allow
#
# hosts.allow   This file contains access rules which are used to
#               allow or deny connections to network services that
#               either use the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers
#
ALL:127.0.0.1
rsync:192.168.179.0/255.255.255.0 10.0.0.100
[root@szm ~]# cat /etc/hosts.deny
#
# hosts.deny    This file contains access rules which are used to
#               deny connections to network services that either use
#               the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#               The rules in this file can also be set up in
#               /etc/hosts.allow with a 'deny' option instead.
#
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers
#
rsync: ALL
rsync is allowed from 127.0.0.1, 192.168.179.0/24 and 10.0.0.100;
every other source is denied.
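The allow/deny lookup order described above, as an added example that is not part of the original notes: a POSIX shell function that evaluates a daemon name and a client IP against constructed copies of the two rule files shown, in the same order tcpd uses (hosts.allow, then hosts.deny, then permit). Only the rule syntax that appears on this page is handled (ALL, net/netmask, a single address).

```shell
#!/bin/sh
# Constructed copies of the page's /etc/hosts.allow and /etc/hosts.deny
ALLOW_RULES='ALL:127.0.0.1
rsync:192.168.179.0/255.255.255.0 10.0.0.100'
DENY_RULES='rsync: ALL'

# ip2int A.B.C.D -> 32-bit integer, so a netmask can be applied
ip2int() {
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# client_matches PATTERN IP: PATTERN is ALL, net/netmask or an exact address
client_matches() {
  case $1 in
    ALL) return 0 ;;
    */*) net=${1%/*}; mask=$(ip2int "${1#*/}")
         [ $(( $(ip2int "$2") & mask )) -eq $(( $(ip2int "$net") & mask )) ] ;;
    *)   [ "$1" = "$2" ] ;;
  esac
}

# rules_match "RULES" DAEMON IP: succeeds if some "daemons : clients" line matches
rules_match() {
  hit=$(printf '%s\n' "$1" | while IFS= read -r line; do
    case $line in ''|\#*) continue ;; esac
    daemons=${line%%:*}; clients=${line#*:}
    for dmn in $(printf '%s' "$daemons" | tr ',' ' '); do
      [ "$dmn" = ALL ] || [ "$dmn" = "$2" ] || continue
      for c in $(printf '%s' "$clients" | tr ',' ' '); do
        client_matches "$c" "$3" && { echo hit; exit 0; }
      done
    done
  done) || true
  [ "$hit" = hit ]
}

# tcpwrap_decision DAEMON IP -> allow / deny / default-allow, in tcpd's order:
# hosts.allow first, then hosts.deny, and permit when neither file matches
tcpwrap_decision() {
  if rules_match "$ALLOW_RULES" "$1" "$2"; then echo allow
  elif rules_match "$DENY_RULES" "$1" "$2"; then echo deny
  else echo default-allow; fi
}

tcpwrap_decision rsync 10.0.0.101   # deny: only the hosts.deny line matches
```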

 

 

iptables: provided by the Linux kernel itself, so it is fast.
Kernel 2.0: ipfwadm
Kernel 2.2: ipchains
Kernel 2.4 and 2.6: iptables

Linux iptables has at least three tables:
1. filter, which manages packets entering and leaving this host (INPUT, OUTPUT, FORWARD)
2. nat, which manages the hosts behind the firewall (PREROUTING, POSTROUTING, OUTPUT)
3. mangle, used for special packet marking (PREROUTING, OUTPUT, INPUT, FORWARD)

If iptables is only used to protect the Linux host itself, the nat table can be ignored entirely and simply left open (policy ACCEPT).

[root@szm ~]# iptables -L -n      (without -t, the filter table is shown)
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           --------- this is the lo rule, but this view does not show the interface
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Detailed output, including packet and byte counters:
[root@szm ~]# iptables -L -n -v

View the nat table:
[root@szm ~]# iptables -L -n -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

[root@szm ~]# iptables-save
# Generated by iptables-save v1.4.7 on Mon Mar 25 08:18:52 2013
*nat
:PREROUTING ACCEPT [69:5769]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Mon Mar 25 08:18:52 2013
# Generated by iptables-save v1.4.7 on Mon Mar 25 08:18:52 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [218:19174]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT              (replies to connections this host initiated)
-A INPUT -p icmp -j ACCEPT                                           (all ICMP)
-A INPUT -i lo -j ACCEPT                                             (all loopback traffic between local processes)
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT     (ssh)
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Mon Mar 25 08:18:52 2013

-F: flush all rules in every chain
-X: delete all user-defined chains
-Z: zero the packet and byte counters of every chain

[root@szm ~]# iptables -P INPUT DROP
[root@szm ~]# iptables -P OUTPUT ACCEPT
[root@szm ~]# iptables -P FORWARD ACCEPT

[root@szm ~]# iptables -t nat -P PREROUTING ACCEPT

[root@szm ~]# iptables -A INPUT -i lo -j ACCEPT
[root@szm ~]# iptables -A INPUT -i eth0 -j ACCEPT
[root@szm ~]# iptables -A INPUT -i eth0 -s 192.168.179.0/24 -j ACCEPT
[root@szm ~]# iptables -A INPUT -i eth0 -s 192.168.179.222 -j DROP

[root@szm ~]# iptables-save
# Generated by iptables-save v1.4.7 on Mon Mar 25 14:15:07 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [31:2076]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -s 192.168.179.0/24 -i eth0 -j ACCEPT      ---- the rule order is wrong: these appended rules sit after the catch-all REJECT, so they are never reached, and the DROP for .222 comes after the ACCEPT for its /24
-A INPUT -s 192.168.179.2/32 -i eth0 -j ACCEPT
-A INPUT -s 192.168.179.222/32 -i eth0 -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Mon Mar 25 14:15:07 2013
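Why the appended rules never fire, as an added example that is not part of the original notes: iptables evaluates a chain top-down and stops at the first terminating match, so everything after `-A INPUT -j REJECT` is dead. The shell below carries a constructed copy of the INPUT chain above, an awk check that lists rules sitting behind a catch-all terminating rule, and the same policy rebuilt in an order that works (most specific first, catch-all REJECT last).

```shell
#!/bin/sh
# Constructed copy of the INPUT chain from the iptables-save output above
PAGE_INPUT='-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -s 192.168.179.0/24 -i eth0 -j ACCEPT
-A INPUT -s 192.168.179.2/32 -i eth0 -j ACCEPT
-A INPUT -s 192.168.179.222/32 -i eth0 -j DROP'

# unreachable_rules "RULES" CHAIN: print every rule of CHAIN that follows a
# catch-all terminating rule ("-A CHAIN -j ACCEPT|DROP|REJECT" with no match
# options), i.e. rules that first-match evaluation never reaches
unreachable_rules() {
  printf '%s\n' "$1" | awk -v chain="$2" '
    $1 == "-A" && $2 == chain {
      if (dead) print
      else if ($3 == "-j" && ($4 == "ACCEPT" || $4 == "DROP" || $4 == "REJECT")) dead = 1
    }'
}

# count_unreachable "RULES" CHAIN: number of dead rules
count_unreachable() { unreachable_rules "$1" "$2" | wc -l | tr -d ' '; }

# fixed_input: the intended policy in an order that works. The single host is
# dropped before its /24 is accepted, and the blanket "-i eth0 -j ACCEPT",
# which would have admitted everything on eth0, is left out.
fixed_input() {
  cat <<'EOF'
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.179.222/32 -i eth0 -j DROP
-A INPUT -s 192.168.179.0/24 -i eth0 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
EOF
}

# rule_line "RULES" TEXT: 1-based position of the first rule containing TEXT
rule_line() { printf '%s\n' "$1" | grep -n -F -- "$2" | head -n 1 | cut -d: -f1; }

# On a live host the same fix is made in place with -I (insert at a position)
# instead of -A (append), for example:
#   iptables -I INPUT 4 -s 192.168.179.222 -i eth0 -j DROP
#   iptables -I INPUT 5 -s 192.168.179.0/24 -i eth0 -j ACCEPT
# or by loading the output of fixed_input through iptables-restore.
```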

Log matching packets to the kernel log (/var/log/messages):
[root@szm ~]# iptables -A INPUT -s 192.168.179.200 -j LOG
-A: append a rule
-I: insert a rule
-i: incoming interface
-o: outgoing interface
-p: protocol
-s: source
-d: destination
-j: target (ACCEPT, DROP, REJECT, LOG)

TCP and UDP rules:
[root@szm ~]# iptables -A INPUT -i eth0 -p tcp --dport 21 -j DROP
[root@szm ~]# iptables -A INPUT -i eth0 -p udp --dport 137:138 -j ACCEPT
[root@szm ~]# iptables -A INPUT -i eth0 -p tcp --dport 139 -j ACCEPT
[root@szm ~]# iptables -A INPUT -i eth0 -p tcp --dport 445 -j ACCEPT

[root@szm ~]# iptables -A INPUT -i eth0 -p tcp -s 192.168.179.44/24 --sport 1024:65534 --dport ssh -j DROP
Note that -p must be given, otherwise --sport/--dport are not accepted.

[root@szm ~]# iptables -A INPUT -i eth0 -p tcp --sport 1:1023 --dport 1:1023 --syn -j DROP

Stateful packet filtering:
-m: load a match module, here state or mac
--state: INVALID (invalid packet), ESTABLISHED (connection already established), NEW (attempt to open a new connection), RELATED (related to packets this host has sent out)

[root@szm ~]# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[root@szm ~]# iptables -A INPUT -m state --state INVALID -j DROP
[root@szm ~]# iptables -A INPUT -m mac --mac-source aa:bb:cc:dd:ee:ff -j ACCEPT

A chain for ICMP types:
[root@szm ~]# cat /bin/iptable.icmp.sh
#!/bin/bash
# Accept only the listed ICMP types on eth0: 0 echo-reply, 3 destination-unreachable,
# 4 source-quench, 11 time-exceeded, 12 parameter-problem, 14 timestamp-reply,
# 16 information-reply, 18 address-mask-reply
icmp_type="0 3 4 11 12 14 16 18"
for typeicmp in $icmp_type
do
        iptables -A INPUT -i eth0 -p icmp --icmp-type $typeicmp -j ACCEPT
done

Save the rules currently in effect:
[root@szm ~]# /etc/init.d/iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]

IPv4 kernel tuning: /proc/sys/net/ipv4/
Documentation: [root@szm ~]# yum install kernel-doc

This anti-DoS feature (SYN cookies) is enabled by default:
[root@szm ~]# cat /proc/sys/net/ipv4/tcp_syncookies
1
When SYN cookies are enabled, before the host confirms with SYN/ACK it requires the client to reply within a short time with a sequence number that encodes information from the original SYN packet, including the IP and port. If the client can reply with the correct sequence number, the host treats the packet as trustworthy and sends the SYN/ACK; otherwise it ignores the packet.

[root@szm ~]# cat /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
1

[root@szm ~]# cat /proc/sys/net/ipv4/conf/eth0/rp_filter
1
Reverse-path filtering: uses the routing table to judge whether a packet's source IP is plausible.

[root@szm ~]# cat /proc/sys/net/ipv4/conf/eth0/log_martians
0
Logs packets with impossible (martian) source addresses; 1 is recommended.

[root@szm ~]# cat /proc/sys/net/ipv4/conf/eth0/accept_source_route
0
Source routing; 0 is recommended.

[root@szm ~]# cat /proc/sys/net/ipv4/conf/eth0/accept_redirects
1
ICMP redirects; turning this off (0) is recommended.

[root@szm ~]# cat /proc/sys/net/ipv4/conf/eth0/send_redirects
1
Turning this off (0) is recommended.
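An audit of the /proc/sys/net/ipv4 values listed above against the recommended settings, as an added example that is not part of the original notes. The functions take a base directory so the sample run below works on a constructed tree holding the values observed on this page; on a real host they read /proc/sys/net/ipv4 directly, and the output of sysctl_fix_lines is what goes into /etc/sysctl.conf.

```shell
#!/bin/sh
# key=expected pairs: the recommendations from the notes above
EXPECTED='tcp_syncookies=1
icmp_echo_ignore_broadcasts=1
conf/eth0/rp_filter=1
conf/eth0/log_martians=1
conf/eth0/accept_source_route=0
conf/eth0/accept_redirects=0
conf/eth0/send_redirects=0'

# audit_ipv4_sysctl [BASE]: print "key current expected" for every value
# that deviates; BASE defaults to the live /proc/sys/net/ipv4 tree
audit_ipv4_sysctl() {
  base=${1:-/proc/sys/net/ipv4}
  printf '%s\n' "$EXPECTED" | while IFS='=' read -r key want; do
    if [ -r "$base/$key" ]; then got=$(cat "$base/$key"); else got=missing; fi
    [ "$got" = "$want" ] || echo "$key $got $want"
  done
}

# count_deviations [BASE]: how many keys are not at the recommended value
count_deviations() { audit_ipv4_sysctl "$1" | wc -l | tr -d ' '; }

# sysctl_fix_lines [BASE]: /etc/sysctl.conf lines that correct the deviations
# (the /proc path maps to a dotted net.ipv4.* key; "sysctl -p" applies them)
sysctl_fix_lines() {
  audit_ipv4_sysctl "$1" | while read -r key cur want; do
    echo "net.ipv4.$(echo "$key" | tr '/' '.') = $want"
  done
}

# make_sample_proc: constructed tree holding the values observed on this page
# (log_martians 0, accept_redirects 1, send_redirects 1); prints its path
make_sample_proc() {
  d=$(mktemp -d) && mkdir -p "$d/conf/eth0"
  echo 1 > "$d/tcp_syncookies";             echo 1 > "$d/icmp_echo_ignore_broadcasts"
  echo 1 > "$d/conf/eth0/rp_filter";        echo 0 > "$d/conf/eth0/log_martians"
  echo 0 > "$d/conf/eth0/accept_source_route"
  echo 1 > "$d/conf/eth0/accept_redirects"; echo 1 > "$d/conf/eth0/send_redirects"
  echo "$d"
}

sample=$(make_sample_proc)
audit_ipv4_sysctl "$sample"    # three deviations: log_martians, accept_redirects, send_redirects
sysctl_fix_lines "$sample"
```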

[root@szm ~]# /etc/init.d/iptables save
This command writes the configuration file /etc/sysconfig/iptables.

Boot-time startup script:
[root@szm ~]# cat /etc/rc.d/rc.local
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

touch /var/lock/subsys/local

======================================================= NAT

1. nat table, PREROUTING (rewrite the destination IP): DNAT, used for a DMZ, i.e. publishing internal services
2. Is the packet addressed to this host? If not, go to the next step
3. filter table, FORWARD
4. nat table, POSTROUTING (rewrite the source IP): SNAT, used for sharing internet access

SNAT setup:
If the external interface obtains its IP by dial-up, do not set GATEWAY in /etc/sysconfig/network or ifcfg-eth0, otherwise there will be two default gateways.

[root@szm ~]# cat /proc/sys/net/ipv4/ip_forward
1

Port NAT (IP masquerading): [root@szm ~]# iptables -t nat -A POSTROUTING -s $innet -o eth1 -j MASQUERADE

Static NAT: [root@szm ~]# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 192.168.1.100

Dynamic NAT: [root@szm ~]# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 192.168.1.100-192.168.1.200

DNAT setup: eth1 holds the public IP

[root@szm ~]# iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to-destination 192.168.179.10:80

Advanced: [root@szm ~]# iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-ports 8080
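The four-step DNAT / FORWARD / SNAT flow above as one complete iptables-restore ruleset, added here and not part of the original notes. Interface and address assignments are assumptions (eth1 public, eth0 LAN, 192.168.179.0/24 the inner network, 192.168.179.10 the DMZ web host, as in the DNAT line above). It also supplies the FORWARD rules the flow needs: DNAT only rewrites the destination, and with the FORWARD chain shown earlier on this page (REJECT everything) the redirected packet would still be refused at step 3.

```shell
#!/bin/sh
# Assumed topology (override via the environment); not taken from the page
INNET=${INNET:-192.168.179.0/24}
PUBIF=${PUBIF:-eth1}
LANIF=${LANIF:-eth0}
DMZ_WEB=${DMZ_WEB:-192.168.179.10}

# nat_gateway_rules: print the ruleset; pipe it to iptables-restore as root
nat_gateway_rules() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# step 1, PREROUTING: DNAT inbound web traffic from the public side to the DMZ host
-A PREROUTING -i $PUBIF -p tcp --dport 80 -j DNAT --to-destination $DMZ_WEB:80
# step 4, POSTROUTING: masquerade LAN clients leaving via the public interface
-A POSTROUTING -s $INNET -o $PUBIF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i $LANIF -p tcp --dport 22 -m state --state NEW -j ACCEPT
# step 3, FORWARD: the DNATed packet still has to pass this chain, so allow
# established flows, LAN-to-internet, and new web connections to the DMZ host
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $LANIF -o $PUBIF -s $INNET -j ACCEPT
-A FORWARD -i $PUBIF -o $LANIF -d $DMZ_WEB -p tcp --dport 80 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# forward_allows_dnat: succeeds if the ruleset has a FORWARD entry admitting
# the DNATed web traffic (the step most often forgotten)
forward_allows_dnat() {
  nat_gateway_rules | grep -q -- "-A FORWARD .* -d $DMZ_WEB -p tcp --dport 80"
}

# apply_gateway: enable forwarding and load the rules (root only)
apply_gateway() {
  [ "$(id -u)" -eq 0 ] || { echo "apply_gateway: run as root" >&2; return 1; }
  echo 1 > /proc/sys/net/ipv4/ip_forward
  nat_gateway_rules | iptables-restore
}
```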