ACCEPT
    iptables -A INPUT -p tcp -i ${UPLINK} -j REJECT --reject-with tcp-reset
    iptables -A INPUT -p udp -i ${UPLINK} -j REJECT --reject-with icmp-port-unreachable

    #explicitly disable ECN
    if [ -e /proc/sys/net/ipv4/tcp_ecn ]
    then
        echo 0 > /proc/sys/net/ipv4/tcp_ecn
    fi

    #disable spoofing on all interfaces (reverse-path filtering)
    for x in ${INTERFACES}
    do
        echo 1 > /proc/sys/net/ipv4/conf/${x}/rp_filter
    done

    if [ "$ROUTER" = "yes" ]
    then
        #we're a router of some kind, enable IP forwarding
        echo 1 > /proc/sys/net/ipv4/ip_forward
        if [ "$NAT" = "dynamic" ]
        then
            #dynamic IP address, use masquerading
            echo "Enabling masquerading (dynamic ip)..."
            iptables -t nat -A POSTROUTING -o ${UPLINK} -j MASQUERADE
        elif [ "$NAT" != "" ]
        then
            #static IP, use SNAT. NAT holds the uplink's static address; the
            #original listing wrote ${UPIP} here, a variable the script never sets
            echo "Enabling SNAT (static ip)..."
            iptables -t nat -A POSTROUTING -o ${UPLINK} -j SNAT --to ${NAT}
        fi
    fi

elif [ "$1" = "stop" ]
then
    echo "Stopping firewall..."
    iptables -F INPUT
    iptables -P INPUT ACCEPT
    #turn off NAT/masquerading, if any
    iptables -t nat -F POSTROUTING
fi


Chapter 6: Stateful services

Viewing rules
Before we start customizing the firewall so that it can be used on a server, I need to show how to list the currently active firewall rules. To see the rules in the INPUT chain of the filter table, type:

# iptables -v -L INPUT

The -v option gives verbose output, so that we can see the total number of packets and bytes each rule has matched. Two more options are worth knowing: -n skips the reverse DNS lookups that otherwise make the listing slow, and -x prints exact counters instead of the K/M abbreviations. The POSTROUTING chain of the nat table can be listed the same way:

# iptables -t nat -v -L POSTROUTING
Chain POSTROUTING (policy ACCEPT 399 packets, 48418 bytes)
 pkts bytes target     prot opt in     out     source               destination
 2728  170K SNAT       all  --  any    eth1    anywhere             anywhere           to:215.218.215.2

Preparing to provide services
Right now the firewall doesn't let strangers connect to services on our machine, because it only accepts incoming ESTABLISHED or RELATED packets. Every incoming NEW packet arriving on the uplink falls through to the REJECT rules, so all connection attempts are turned away unconditionally. But by selectively letting some incoming traffic through the firewall, we can let strangers reach exactly the services we choose.
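The counters in the verbose listing are the quickest way to confirm what the paragraph above claims: after some traffic has passed, the REJECT rules should be the ones accumulating hits from the uplink, and an ACCEPT rule that shows zero packets is either unused or shadowed by an earlier rule. Reading that off by eye works for one rule, not for a chain of twenty. The parser below for `iptables -v -L` output is an added example and not part of the original article. The POSTROUTING sample is the listing shown earlier (its address is the article's own sample value); the INPUT listing is constructed for the example and shows the firewall's http rule mistakenly appended after the REJECT rule, where it can never match. The uplink name "eth1" is assumed from the article's script.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# iptables abbreviates counters in steps of 1000 (170K = 170000); -x prints them exactly
_SUFFIX = {"": 1, "K": 1000, "M": 1000 ** 2, "G": 1000 ** 3, "T": 1000 ** 4}
_COUNT = re.compile(r"^(\d+)([KMGT]?)$")
_CHAIN_BUILTIN = re.compile(r"^Chain (\S+) \(policy (\S+) (\d+) packets, (\d+) bytes\)")
_CHAIN_USER = re.compile(r"^Chain (\S+) \((\d+) references\)")


@dataclass
class Rule:
    pkts: int
    bytes: int
    target: str
    prot: str
    opt: str
    in_if: str
    out_if: str
    source: str
    destination: str
    extra: str          # match/target details, e.g. "tcp dpt:http state NEW" or "to:1.2.3.4"


@dataclass
class Chain:
    name: str
    policy: Optional[str]   # None for user-defined chains
    policy_pkts: int
    policy_bytes: int
    rules: List[Rule]


def parse_count(token: str) -> int:
    """Turn an iptables counter such as '2728' or '170K' into an integer."""
    m = _COUNT.match(token)
    if not m:
        raise ValueError(f"not a counter: {token!r}")
    return int(m.group(1)) * _SUFFIX[m.group(2)]


def parse_listing(text: str) -> List[Chain]:
    """Parse one or more chains from 'iptables [-t table] -v -L' output."""
    chains: List[Chain] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _CHAIN_BUILTIN.match(line)
        if m:
            chains.append(Chain(m.group(1), m.group(2), int(m.group(3)), int(m.group(4)), []))
            continue
        m = _CHAIN_USER.match(line)
        if m:
            chains.append(Chain(m.group(1), None, 0, 0, []))
            continue
        if line.startswith("pkts "):
            continue                        # column header
        if not chains:
            raise ValueError(f"rule before any chain header: {line!r}")
        fields = line.split(None, 9)        # the 10th field keeps the free-form tail intact
        if len(fields) < 9:
            raise ValueError(f"unexpected rule line: {line!r}")
        extra = fields[9] if len(fields) == 10 else ""
        chains[-1].rules.append(Rule(parse_count(fields[0]), parse_count(fields[1]),
                                     *fields[2:9], extra))
    return chains


def idle_rules(chain: Chain) -> List[Rule]:
    """Rules with a zero packet count: dead, or shadowed by an earlier rule."""
    return [r for r in chain.rules if r.pkts == 0]


def foreign_nat_rules(chain: Chain, uplink: str) -> List[Rule]:
    """NAT rules the article's script never adds: anything that is not
    SNAT/MASQUERADE going out through the uplink."""
    return [r for r in chain.rules
            if r.out_if != uplink or r.target not in ("SNAT", "MASQUERADE")]


# The POSTROUTING listing from the text; the address is the article's own sample value.
POSTROUTING_SAMPLE = """\
Chain POSTROUTING (policy ACCEPT 399 packets, 48418 bytes)
 pkts bytes target     prot opt in     out     source               destination
 2728  170K SNAT       all  --  any    eth1    anywhere             anywhere           to:215.218.215.2
"""

# Constructed for this example: the firewall's INPUT chain with the http rule wrongly
# appended after the REJECT rules, so it has never matched a packet.
INPUT_SAMPLE = """\
Chain INPUT (policy DROP 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
  840   61K ACCEPT     all  --  !eth1  any     anywhere             anywhere
 5123    3M ACCEPT     all  --  any    any     anywhere             anywhere           state RELATED,ESTABLISHED
  317   19K REJECT     tcp  --  eth1   any     anywhere             anywhere           reject-with tcp-reset
   44  2816 REJECT     udp  --  eth1   any     anywhere             anywhere           reject-with icmp-port-unreachable
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere           tcp dpt:http state NEW
"""


def main() -> None:
    nat = parse_listing(POSTROUTING_SAMPLE)[0]
    print(f"{nat.name}: {len(nat.rules)} rule(s), unexpected: {len(foreign_nat_rules(nat, 'eth1'))}")
    inp = parse_listing(INPUT_SAMPLE)[0]
    for r in idle_rules(inp):
        print(f"{inp.name}: never matched -> {r.target} {r.prot} {r.extra}")


if __name__ == "__main__":
    main()
```

Feed it the output of `iptables -v -L INPUT` (or `iptables -t nat -v -L POSTROUTING`) taken a while after the firewall started; a zero-count ACCEPT for a service you do offer is the symptom of the ordering mistake described in the next section.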
Stateful HTTP

Although we want to accept some incoming connections, we probably don't want to accept all of them. The best approach is to start from a "deny by default" policy (the one we have now) and open access one service at a time, only for the services we want people to reach. For example, if we're running a web server, we allow NEW packets into our machine as long as they're headed for port 80 (HTTP). That's all we need to do. Once the NEW packet is allowed in, the connection can be set up; from then on connection tracking classifies the rest of the conversation as ESTABLISHED, it matches the existing rule that accepts ESTABLISHED and RELATED packets, and the HTTP connection flows freely.

One caveat about NEW: to connection tracking it means "a packet that belongs to no connection it is currently tracking", which for TCP is not the same as "a SYN". The 2.4 tracker also classifies a bare ACK for a connection it has never seen as NEW, so a rule on --state NEW alone will admit such packets too. If you want the rule to accept only genuine connection attempts, add --syn to it, which restricts the match to packets with SYN set and ACK, RST and FIN clear.

Stateful HTTP example

Let's look at the "core" of the firewall together with the new rule that allows incoming HTTP connections:

iptables -P INPUT DROP
iptables -A INPUT -i ! ${UPLINK} -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#our new rule follows
iptables -A INPUT -p tcp --dport http -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -i ${UPLINK} -j REJECT --reject-with tcp-reset
iptables -A INPUT -p udp -i ${UPLINK} -j REJECT --reject-with icmp-port-unreachable

The new rule lets NEW TCP packets headed for port 80 (http) on our machine in. Note where the rule sits: it comes before the REJECT rules, and that placement matters. iptables applies the first rule that matches, so if the new rule were placed after the REJECT lines, every NEW TCP packet from the uplink would already have been rejected by the time it was reached, and the rule would never match anything.

Final firewall script
Now let's look at the final firewall script, which can be used for a laptop, workstation, router or server (or some combination of them!).

#!/bin/bash

#Our complete stateful firewall script. This firewall can be customized for
#a laptop, workstation, router or even a server. :)

#change this to the name of the interface that provides your "uplink"
#(connection to the Internet)

UPLINK="eth1"

#if you're a router (and thus should forward IP packets between interfaces),
#you want ROUTER="yes"; otherwise, ROUTER="no"

ROUTER="yes"

#change this next line to the static IP of your uplink interface for static SNAT, or
#"dynamic" if you have a dynamic IP. If you don't need any NAT, set NAT to "" to
#disable it.

NAT="1.2.3.4"

#change this next line so it lists all your network interfaces, including lo

INTERFACES="lo eth0 eth1"

#change this line so that it lists the assigned numbers or symbolic names (from
#/etc/services) of all the services that you'd like to provide to the general
#public. If you don't want any services enabled, set it to ""

SERVICES="http ftp smtp ssh rsync"

if [ "$1" = "start" ]
then
    echo "Starting firewall..."
    #start from empty chains, so that running "start" twice does not append
    #a second copy of every rule
    iptables -F INPUT
    iptables -t nat -F POSTROUTING
    iptables -P INPUT DROP
    #everything that does not arrive on the uplink is trusted
    #(iptables 1.4 and later write this negation as: ! -i ${UPLINK})
    iptables -A INPUT -i ! ${UPLINK} -j ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    #enable public access to certain services. These rules must stay ahead of
    #the REJECT rules below, because the first matching rule decides.
    #NEW means "unknown to connection tracking", not "SYN"; add --syn to the
    #rule if you want to accept only genuine connection attempts.
    for x in ${SERVICES}
    do
        iptables -A INPUT -p tcp --dport ${x} -m state --state NEW -j ACCEPT
    done

    iptables -A INPUT -p tcp -i ${UPLINK} -j REJECT --reject-with tcp-reset
    iptables -A INPUT -p udp -i ${UPLINK} -j REJECT --reject-with icmp-port-unreachable

    #explicitly disable ECN
    if [ -e /proc/sys/net/ipv4/tcp_ecn ]
    then
        echo 0 > /proc/sys/net/ipv4/tcp_ecn
    fi

    #disable spoofing on all interfaces (reverse-path filtering)
    for x in ${INTERFACES}
    do
        echo 1 > /proc/sys/net/ipv4/conf/${x}/rp_filter
    done

    if [ "$ROUTER" = "yes" ]
    then
        #we're a router of some kind, enable IP forwarding
        echo 1 > /proc/sys/net/ipv4/ip_forward
        if [ "$NAT" = "dynamic" ]
        then
            #dynamic IP address, use masquerading
            echo "Enabling masquerading (dynamic ip)..."
            iptables -t nat -A POSTROUTING -o ${UPLINK} -j MASQUERADE
        elif [ "$NAT" != "" ]
        then
            #static IP, use SNAT. NAT holds the uplink's static address; the
            #original listing wrote ${UPIP} here, a variable the script never sets
            echo "Enabling SNAT (static ip)..."
            iptables -t nat -A POSTROUTING -o ${UPLINK} -j SNAT --to ${NAT}
        fi
    fi

elif [ "$1" = "stop" ]
then
    echo "Stopping firewall..."
    iptables -F INPUT
    iptables -P INPUT ACCEPT
    #turn off NAT/masquerading, if any
    iptables -t nat -F POSTROUTING
fi

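The SERVICES loop in the script depends on the ordering point made in the stateful HTTP section: its ACCEPT rules sit ahead of the two REJECT rules and would match nothing behind them. Since trying that out for real needs root and a kernel, here is a small Python model of the INPUT chain, added as an example (it is not code from the article), that walks constructed sample packets through the rules in first-match order, shows the effect of appending the service rules after the REJECTs, and shows what --syn changes. The Packet fields, the interface names and the sample packets are assumptions for the illustration; the state field stands in for what connection tracking would report.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Packet:
    in_if: str               # interface the packet arrived on
    proto: str               # "tcp", "udp" or "icmp"
    dport: Optional[int]     # destination port, None for icmp
    state: str               # what conntrack would say: NEW, ESTABLISHED, RELATED or INVALID
    syn: bool = False        # SYN set with ACK/RST/FIN clear, which is what --syn tests


@dataclass(frozen=True)
class Rule:
    kind: str                      # trust | state | service | reject
    text: str                      # the iptables command this rule stands for
    target: str                    # "ACCEPT", or "REJECT" plus its --reject-with type
    match: Callable[[Packet], bool]


def build_input_chain(uplink: str, services: List[int], strict_syn: bool = False) -> List[Rule]:
    """The INPUT chain the script builds for a given UPLINK and SERVICES list, in the
    script's order. strict_syn adds --syn to the service rules."""
    chain = [
        Rule("trust", f"iptables -A INPUT -i ! {uplink} -j ACCEPT", "ACCEPT",
             lambda p: p.in_if != uplink),
        Rule("state", "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT", "ACCEPT",
             lambda p: p.state in ("ESTABLISHED", "RELATED")),
    ]
    syn_flag = " --syn" if strict_syn else ""
    for port in services:
        chain.append(Rule(
            "service",
            f"iptables -A INPUT -p tcp{syn_flag} --dport {port} -m state --state NEW -j ACCEPT",
            "ACCEPT",
            lambda p, port=port: (p.proto == "tcp" and p.dport == port and p.state == "NEW"
                                  and (p.syn or not strict_syn))))
    chain += [
        Rule("reject", f"iptables -A INPUT -p tcp -i {uplink} -j REJECT --reject-with tcp-reset",
             "REJECT tcp-reset", lambda p: p.proto == "tcp" and p.in_if == uplink),
        Rule("reject",
             f"iptables -A INPUT -p udp -i {uplink} -j REJECT --reject-with icmp-port-unreachable",
             "REJECT icmp-port-unreachable", lambda p: p.proto == "udp" and p.in_if == uplink),
    ]
    return chain


def misordered(chain: List[Rule]) -> List[Rule]:
    """The same rules with the service ACCEPTs appended after the REJECTs: the mistake
    the text warns about."""
    return [r for r in chain if r.kind != "service"] + [r for r in chain if r.kind == "service"]


def first_match(chain: List[Rule], packet: Packet) -> Optional[int]:
    """Index of the first rule whose match succeeds; iptables stops there."""
    for i, rule in enumerate(chain):
        if rule.match(packet):
            return i
    return None


def evaluate(chain: List[Rule], packet: Packet, policy: str = "DROP") -> str:
    """Verdict for one packet: the first matching rule's target, else the chain policy."""
    i = first_match(chain, packet)
    return policy if i is None else chain[i].target


def never_fired(chain: List[Rule], packets: List[Packet]) -> List[Rule]:
    """Rules that decided none of the packets: dead, or shadowed by an earlier rule."""
    hit = {first_match(chain, p) for p in packets}
    return [r for i, r in enumerate(chain) if i not in hit]


UPLINK = "eth1"   # the article's uplink interface

# Constructed sample traffic as seen by the INPUT chain of a web server.
SAMPLE_PACKETS = [
    Packet("eth1", "tcp", 80, "NEW", syn=True),     # stranger opening an HTTP connection
    Packet("eth1", "tcp", 22, "NEW", syn=True),     # stranger trying SSH, which we do not offer
    Packet("eth1", "udp", 53, "NEW"),               # stranger probing a UDP port
    Packet("eth1", "icmp", None, "NEW"),            # stranger pinging: no REJECT rule for icmp
    Packet("eth1", "tcp", 80, "ESTABLISHED"),       # later packet of an accepted HTTP connection
    Packet("eth0", "tcp", 22, "NEW", syn=True),     # LAN host: not from the uplink, so trusted
    Packet("eth1", "tcp", 80, "NEW", syn=False),    # bare ACK for a connection conntrack never saw
]


def main() -> None:
    chain = build_input_chain(UPLINK, [80])
    for p in SAMPLE_PACKETS:
        print(f"{p.in_if:5} {p.proto:4} {str(p.dport):5} {p.state:11} -> {evaluate(chain, p)}")
    for r in never_fired(misordered(chain), SAMPLE_PACKETS):
        print("never matches once moved after REJECT:", r.text)


if __name__ == "__main__":
    main()
```

The icmp packet ends up at the chain policy (DROP) because neither REJECT rule names icmp, which is the script's behaviour too; the last sample packet shows why a practitioner adds --syn when only real connection attempts should get through.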
Published by: netbull. Source: IBM developerWorks China
</UL>
</TD></TR></TBODY></TABLE></BODY></HTML>