
Documentation archive at OpenNet.ru / "Security" section (multi-page version)

iptables Tutorial (Iptables Tutorial 1.1.19)

Author: Oskar Andreasson

blueflux@koffein.net
Copyright (C) 2001-2003 Oskar Andreasson


Translation: Andrey Kiselev

kis_an@mail.ru



The latest version of this document is available at http://iptables-tutorial.frozentux.net .

This document may be copied and/or modified, in whole or in part, under the terms of the GNU Free Documentation License, Version 1.1. The Invariant Sections are the "Introduction" section and all of its sub-sections, together with the sections beginning with the words "Original Author: Oskar Andreasson". A copy of the GNU Free Documentation License is included in this document in the section entitled "GNU Free Documentation License".

All scripts in this tutorial are covered by the GNU General Public License. They are free software and may be copied and/or modified under the terms of the GNU General Public License, version 2.

The scripts are distributed in the hope that they will be useful, but WITHOUT ANY WARRANTY. See the text of the GNU General Public License for details.

A copy of the GNU General Public License should accompany this document, in the section "GNU General Public License"; if it is missing, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA.


Contents
Dedications
About the author
How to read this document
Prerequisites
Conventions used in this document
1. Introduction
1.1. Why this document was written
1.2. How it was written
1.3. Terms used in this document
2. Preparations
2.1. Where to get iptables
2.2. Kernel setup
2.3. Installing the package
2.3.1. Building the package
2.3.2. Installation on Red Hat 7.1
3. Traversing of tables and chains
3.1. General
3.2. The mangle table
3.3. The nat table
3.4. The filter table
4. The state machine
4.1. Introduction
4.2. The conntrack entries
4.3. User-land states
4.4. TCP connections
4.5. UDP connections
4.6. ICMP connections
4.7. Default connections
4.8. Complex protocols and connection tracking
5. Saving and restoring large rule-sets
5.1. Pros
5.2. And cons
5.3. iptables-save
5.4. iptables-restore
6. How a rule is built
6.1. Basics
6.2. Tables
6.3. Commands
6.4. Matches
6.4.1. Generic matches
6.4.2. Implicit matches
6.4.3. Explicit matches
6.4.4. Unclean match
6.5. Targets and jumps
6.5.1. ACCEPT target
6.5.2. DNAT target
6.5.3. DROP target
6.5.4. LOG target
6.5.5. MARK target
6.5.6. MASQUERADE target
6.5.7. MIRROR target
6.5.8. QUEUE target
6.5.9. REDIRECT target
6.5.10. REJECT target
6.5.11. RETURN target
6.5.12. SNAT target
6.5.13. TOS target
6.5.14. TTL target
6.5.15. ULOG target
7. The rc.firewall file
7.1. Example rc.firewall
7.2. Explanation of the rc.firewall script
7.2.1. Configuration
7.2.2. Loading extra modules
7.2.3. /proc setup
7.2.4. Placing rules in different chains
7.2.5. Setting default policies
7.2.6. Creating user-defined chains in the filter table
7.2.7. The INPUT chain
7.2.8. The FORWARD chain
7.2.9. The OUTPUT chain
7.2.10. The PREROUTING chain of the nat table
7.2.11. Starting SNAT and the POSTROUTING chain
8. Example scripts
8.1. Structure of rc.firewall.txt
8.1.1. The structure
8.2. rc.firewall.txt
8.3. rc.DMZ.firewall.txt
8.4. rc.DHCP.firewall.txt
8.5. rc.UTIN.firewall.txt
8.6. rc.test-iptables.txt
8.7. rc.flush-iptables.txt
8.8. Limit-match.txt
8.9. Pid-owner.txt
8.10. Sid-owner.txt
8.11. Ttl-inc.txt
8.12. Iptables-save ruleset
A. Detailed explanations of special commands
A.1. Listing your rule-set
A.2. Updating and flushing your tables
B. Common problems and questions
B.1. Problems loading modules
B.2. Packets in state NEW with the SYN bit not set
B.3. SYN/ACK packets and state NEW
B.4. Internet Service Providers who use reserved IP addresses
B.5. Letting DHCP requests through iptables
B.6. mIRC DCC problems
C. ICMP types
D. Links to other resources
E. Acknowledgements
F. History
G. GNU Free Documentation License
0. PREAMBLE
1. APPLICABILITY AND DEFINITIONS
2. VERBATIM COPYING
3. COPYING IN QUANTITY
4. MODIFICATIONS
5. COMBINING DOCUMENTS
6. COLLECTIONS OF DOCUMENTS
7. AGGREGATION WITH INDEPENDENT WORKS
8. TRANSLATION
9. TERMINATION
10. FUTURE REVISIONS OF THIS LICENSE
How to use this License for your documents
H. GNU General Public License
0. Preamble
1. TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
2. How to Apply These Terms to Your New Programs
I. Example scripts
I.1. Example rc.firewall
I.2. Example rc.DMZ.firewall
I.3. Example rc.UTIN.firewall
I.4. Example rc.DHCP.firewall
I.5. Example rc.flush-iptables
I.6. Example rc.test-iptables
List of Tables
3-1. Forwarded packets
3-2. Destination local host
3-3. Source local host
4-1. User-land states
4-2. Internal states
6-1. Tables
6-2. Commands
6-3. Options
6-4. Generic matches
6-5. TCP matches
6-6. UDP matches
6-7. ICMP matches
6-8. Limit match options
6-9. MAC match options
6-10. Mark match options
6-11. Multiport match options
6-12. Owner match options
6-13. State match options
6-14. TOS match options
6-15. TTL match options
6-16. DNAT target
6-17. LOG target options
6-18. MARK target options
6-19. MASQUERADE target
6-20. REDIRECT target
6-21. REJECT target
6-22. SNAT target
6-23. TOS target
6-24. TTL target
6-25. ULOG target
C-1. ICMP types

Dedications

First of all, I would like to dedicate this document to my wonderful girlfriend Ninel. She supports me more than I could ever support her.

Second, to all the Linux developers who made this wonderful operating system, for their incredibly hard work.


About the author

I am someone with rather too many old computers on my hands, which I have joined into a local network with Internet access and which I want to keep reasonably secure. In this respect the move from ipchains to iptables is well justified. Previously, to make your network more secure, you could drop all incoming packets by closing certain ports, but that caused problems with passive FTP or outgoing DCC in IRC, where the server assigns ports dynamically and tells the client about them so that the client can connect. In the beginning I ran into some 'childhood diseases' inherited from ipchains and considered the iptables code not quite ready for final release. Today I would recommend everyone who uses ipchains or ipfwadm to switch to iptables!


How to read this document

This document is written to make it easier for readers to understand the wonderful world of iptables. You will not find information here about bugs in iptables or netfilter. If you run into one, you can contact the development team, who can tell you whether it really is a bug. Today iptables and netfilter are practically bug-free, although one or two occasionally slip through. Information about such bugs always appears on the main page of the Netfilter project.

The above also means that the rule-sets accompanying this tutorial were written without regard to possible bugs inside netfilter. The main aim of the examples is to show how a rule-set is written and what problems you may run into. For example, this document does not explain how to close the HTTP port because of a vulnerability in Apache 1.2.12 (in fact the examples do show how to close that port, but for a different reason).

This document was written to give beginners a good, simple and at the same time reasonably complete tutorial on iptables. It does not cover the targets and matches from patch-o-matic, for the simple reason that it would take too much effort to keep up with the whole list of changes. If you need information on the patch-o-matic additions, refer to the documentation accompanying the specific patch-o-matic, available from the main page of the Netfilter project.


Prerequisites

This tutorial assumes that the reader has basic knowledge of Linux/Unix and of shell scripting. You should also know how to rebuild the operating system kernel and have some idea of its internals.

I have tried, as far as possible, to make the document understandable to as wide a range of readers as possible, but I am not omnipotent, so some prior knowledge will still be required of you.


Conventions used in this document

The following conventions are used in this document to distinguish different kinds of information:


Chapter 1. Introduction

1.1. Why this document was written

Well, I found that there was an annoying gap in the HOWTOs when it came to iptables and the netfilter functionality in the new 2.4.x series of Linux kernels. Among other things, I have tried to answer some questions about the new features, such as state matching. Most of them are illustrated in the script rc.firewall.txt, which you can drop into /etc/rc.d/. For those who are interested, this file was originally based on the masquerading HOWTO.

There you will also find a small script, rc.flush-iptables.txt, written by me, which you can use for your own purposes, extending it for your configuration as needed.


1.2. How it was written

I consulted Marc Boucher and other members of the netfilter core team. I take this opportunity to thank them warmly for their help with this tutorial, which was originally written for boingworld.com and is now available on my personal site frozentux.net. This document walks you through the setup process step by step, and I hope that by the end you will know a great deal more about the iptables package. Most of the material is based on the rc.firewall.txt file, since I believe that working through an example is the best way to learn iptables. I will go through the main chains of rules in the order they are traversed. This makes the study a little harder, but the presentation is more logical. And whenever you run into difficulties, you can come back to this tutorial.


1.3. Terms used in this document

This document uses a few terms that should be explained before you run into them.

DNAT - Destination Network Address Translation. DNAT means rewriting the destination address in the packet header. It is often used together with SNAT. Its main application is letting several computers share a single public IP address for Internet access while also offering network services to outside clients: the firewall rewrites the destination of an incoming connection to the address of the internal server.

"Stream" - by this I mean a connection over which packets are sent and received. I use the term for connections that carry at least two packets, one in each direction. For TCP this may mean a connection over which a SYN packet is sent and a SYN/ACK is received. But it may equally mean sending a SYN packet and receiving an ICMP Host unreachable message in reply. In other words, I use the term rather loosely.

SNAT - Source Network Address Translation. SNAT means rewriting the source address in the packet header. Its main application is letting several computers share a single public IP address for Internet access. At present the pool of public IPv4 addresses is too small; there are not enough for everybody (the move to IPv6 will solve this).

"State" - the state a packet is in, according to RFC 793 - Transmission Control Protocol, and to the interpretation used by netfilter/iptables. Note that the state definitions netfilter uses, both the internal ones and the ones visible from user space, do not follow RFC 793 exactly.

"User space" - by this I mean everything outside the kernel. For example, the command iptables -h runs entirely outside the kernel, while iptables -A FORWARD -p tcp -j ACCEPT runs (partly) in kernel space, since it adds a new rule to the rule-set held by the kernel.

"Kernel space" - more or less the opposite of "user space". Refers to execution inside the kernel.

"Userland" - see "User space".


Chapter 2. Preparations

The aim of this chapter is to help you understand the role netfilter and iptables play in Linux today. It should also help you install and configure a firewall.


2.1. Where to get iptables

The iptables package can be downloaded from the Netfilter project home page. In addition, the kernel of your Linux system must be configured appropriately for iptables to work. Kernel configuration is discussed below.


2.2. Kernel setup

For the basic features of iptables, the following options must be enabled in the kernel using make config or one of its equivalents (make menuconfig or make xconfig, translator's note):

CONFIG_PACKET - This option is needed by applications that work directly with network devices, such as tcpdump or snort.

Note

Strictly speaking, CONFIG_PACKET is not required for iptables to work, but since it is used so often I have included it in the list. If you do not need it, leave it out.

CONFIG_NETFILTER - This option is required if you intend to use the computer as a firewall or as a gateway to the Internet. In other words, you will definitely need it, otherwise why read this tutorial at all?

And of course you need to add the drivers for your devices, i.e. for your Ethernet card, PPP and SLIP. The options above give the basic iptables functionality; for more you will have to enable some additional options in the kernel. Below is a list of the options for kernel 2.4.9 with a brief description of each:

CONFIG_IP_NF_CONNTRACK - Connection tracking. Among other things, connection tracking is used by NAT and masquerading. If you are going to build a firewall for a local network you will definitely need this option. For example, this module is required by rc.firewall.txt.

CONFIG_IP_NF_FTP - Connection tracking for FTP. FTP negotiates its data connections inside the control connection, on ports that are assigned dynamically, so the generic tracker cannot associate them with the session on its own; conntrack needs a so-called helper for this, and this option builds it. Without it you will have trouble passing FTP through the firewall.

CONFIG_IP_NF_IPTABLES - This option is required for filtering, NAT and masquerading. Without it you cannot do anything at all with iptables.

CONFIG_IP_NF_MATCH_LIMIT - This module is optional, but it is used in the rc.firewall.txt examples. It provides a way to limit how often a rule can match. For example, -m limit --limit 3/minute means that the rule will match at most 3 packets per minute. The module can therefore be used as a defence against Denial of Service attacks, for instance by rate-limiting what you log.

CONFIG_IP_NF_MATCH_MAC - This module lets you build rules based on MAC addresses. Every network card has its own (supposedly unique) Ethernet address, so it becomes possible to block packets coming from specific MAC addresses (i.e. from specific network cards). Keep in mind that a MAC address is only visible from the directly attached network segment and is easily changed by the sender, so it is not a strong proof of where a packet came from. Note also that this module is not used in rc.firewall.txt or anywhere else in this tutorial.

CONFIG_IP_NF_MATCH_MARK - The MARK match. With the MARK target we can mark selected packets and then, in other tables or in the routing code, make decisions based on the value of the mark, for example to route marked packets differently. MARK is described in more detail later in this document.

CONFIG_IP_NF_MATCH_MULTIPORT - This module lets you build rules that match a packet against a list of up to 15 source or destination ports in a single rule, instead of one rule per port.

CONFIG_IP_NF_MATCH_TOS - This module lets you build rules based on the TOS field of the packet. TOS stands for Type Of Service. It is also possible to set and clear bits of this field from your own rules in the mangle table, or with the ip/tc commands.

CONFIG_IP_NF_MATCH_TCPMSS - This option adds the ability to match on the MSS field of TCP packets.

CONFIG_IP_NF_MATCH_STATE - This is one of the biggest improvements over ipchains. This module makes it possible to match packets on the state of the connection they belong to, as recorded by connection tracking. For example, if we have an established TCP connection with traffic in both directions, a packet received on that connection is considered ESTABLISHED. This feature is used heavily in rc.firewall.txt.

CONFIG_IP_NF_MATCH_UNCLEAN - This module adds an extra check of IP, TCP, UDP and ICMP packets for inconsistencies, oddities and errors. With it we can, for example, drop such packets. Note, however, that this module is still experimental and does not behave the same in all cases, so you can never be certain that you are not dropping perfectly valid packets.

CONFIG_IP_NF_MATCH_OWNER - Matching on the owner of the socket that created the packet. For example, we could allow only the user root to connect to the Internet. Since it looks at the local socket, it only makes sense for locally generated packets, i.e. in the OUTPUT chain. This module was written as an example of how to write an iptables extension. Note that it is marked experimental and may not always do what it is supposed to.

CONFIG_IP_NF_FILTER - This adds the filter table, where most filtering is done. It holds the INPUT, FORWARD and OUTPUT chains. This module is required if you plan to filter packets at all.

CONFIG_IP_NF_TARGET_REJECT - Adds the REJECT target, which sends an ICMP error message back in response to a packet that a rule rejects. By default the error is ICMP port unreachable, for every protocol; for TCP the target can instead answer with a TCP RST (--reject-with tcp-reset), which is how a closed TCP port normally refuses a connection.

CONFIG_IP_NF_TARGET_MIRROR - The ability to send a received packet back to its sender (mirroring). For example, if we apply MIRROR to packets arriving at the HTTP port in our INPUT chain (i.e. addressed to our web server, translator's note), the packet is bounced back and, as a result, the sender would see his own home page. (There are a lot of "ifs" here: if the sender runs a web server, if it listens on the same port, if the sender has a home page, and so on. The point is that from the sender's perspective it looks as though he sent the packet to his own machine; put simply, MIRROR swaps the source and destination addresses and sends the modified packet back out, translator's note.) MIRROR is an experimental target and is best left out of a production firewall: it turns the firewall into a reflector that bounces any matching traffic, including packets with a forged source address, at third parties.

CONFIG_IP_NF_NAT - Network address translation in its various forms. With this option you can give every computer on your local network access to the Internet while having only one public IP address. This option is required by the rc.firewall.txt example.

CONFIG_IP_NF_TARGET_MASQUERADE - Masquerading. Unlike SNAT, masquerading is used when our Internet address is not known in advance, i.e. with DHCP, PPP, SLIP or any other connection that obtains its IP address dynamically. Masquerading puts a somewhat higher load on the computer than SNAT, but it works in situations where the external address cannot be specified in advance.

CONFIG_IP_NF_TARGET_REDIRECT - Redirection. This target is usually used together with a proxy. Instead of just passing the packet on, it red

irects the packet to another port on the firewall itself (to the proxy server, translator's note). In other words, this is how we can do transparent proxying.

CONFIG_IP_NF_TARGET_LOG - Adds the LOG target to iptables. With this module we can log individual packets to the system log (syslog). This can be very useful when debugging your scripts.

CONFIG_IP_NF_TARGET_TCPMSS - This option can be used to work around the restrictions imposed by some Internet Service Providers who block ICMP Fragmentation Needed packets. The symptoms are that web pages from some servers never arrive, ssh works but scp dies after the connection is established, and so on. To get around this we can use the TCPMSS target to clamp the MSS (Maximum Segment Size) (usually it is clamped to the MTU of the outgoing interface minus 40 bytes, translator's note). This lets us work around what the netfilter authors call "criminally braindead ISPs or servers" in the kernel configuration help.

CONFIG_IP_NF_COMPAT_IPCHAINS - Adds a compatibility mode for the older ipchains. Do not regard this as a long-term solution for migrating from 2.2 to 2.4 kernels: the compatibility layer was expected to disappear in the 2.6 series.

CONFIG_IP_NF_COMPAT_IPFWADM - Adds compatibility with ipfwadm, even though this is a very old firewalling tool.

As you can see, I have given a brief description of each module. These options are available in kernel version 2.4.9. If you need more, I suggest you look at the patch-o-matic extensions, which add a considerable number of additional functions to netfilter. Patch-o-matic is a set of patches that are expected to be included in the kernel in the future.

To run the rc.firewall.txt script you will need to compile the following options into the kernel, or build the corresponding loadable modules. For the options required by the other scripts, see the appendix with the example scripts.

  • CONFIG_PACKET

  • CONFIG_NETFILTER

  • CONFIG_IP_NF_CONNTRACK

  • CONFIG_IP_NF_FTP

  • CONFIG_IP_NF_IRC

  • CONFIG_IP_NF_IPTABLES

  • CONFIG_IP_NF_FILTER

  • CONFIG_IP_NF_NAT

  • CONFIG_IP_NF_MATCH_STATE

  • CONFIG_IP_NF_TARGET_LOG

  • CONFIG_IP_NF_MATCH_LIMIT

  • CONFIG_IP_NF_TARGET_MASQUERADE

The list above is the minimum set of kernel options for the rc.firewall.txt script. The options required by the other example scripts are listed in the corresponding sections below. For now we will stay with the main script and begin studying it.


2.3. Installing the package

First let us look at how to build (compile) the iptables package. The build depends heavily on the kernel configuration, and you must understand this. Some distributions ship iptables preinstalled; Red Hat is one of them. In Red Hat, however, the package is disabled by default, so below we will look at how to enable it in that and other distributions.


2.3.1. Building the package

First the iptables source package must be unpacked. We will use iptables 1.2.6a and a 2.4 series kernel. Unpack as usual with bzip2 -cd iptables-1.2.6a.tar.bz2 | tar -xvf - (tar -xjvf iptables-1.2.6a.tar.bz2 does the same). If the unpacking succeeded, the package is now in the directory iptables-1.2.6a. For more information see the file iptables-1.2.6a/INSTALL, which contains detailed instructions on building and installing the package.

Next we need to make sure the extra modules and options are in the kernel. The steps described here concern only applying patches to the kernel. In this step we install additions that are expected to be included in the kernel in the future.

Note

Some of these are still experimental, and applying them is not always a good idea; but among them are some extremely interesting matches and targets.

Run this step with the following command (as root, naturally):

make pending-patches KERNEL_DIR=/usr/src/linux/

The KERNEL_DIR variable must hold the path to your kernel sources. Usually this is /usr/src/linux/. If your sources are elsewhere, give that path instead.

Note

The pending-patches step only offers the patches that are about to enter the kernel anyway. There are further patches and additions that the netfilter developers intend to merge but that are further from inclusion; one way to install these is to run:

make most-of-pom KERNEL_DIR=/usr/src/linux/

While the command above runs, you are asked to confirm each patch from what the netfilter world calls patch-o-matic. To install every patch from patch-o-matic, run:

make patch-o-matic KERNEL_DIR=/usr/src/linux/

Do not forget to read the help for every patch carefully and to the end before installing anything: some patches are incompatible with others, and some, applied together, may even break the kernel.

Note

You can skip patching the kernel altogether; in other words, it is not strictly necessary. But patch-o-matic contains genuinely interesting additions and you may well want to look at them. Nothing bad happens if you just run these commands and look at what is on offer.

Once patching is complete, you will need to rebuild the kernel with the newly installed patches. Remember to configure the kernel first, since the new options will most likely be turned off. In principle, you can postpone compiling the kernel until you have finished installing iptables.

To continue building iptables, run:

make KERNEL_DIR=/usr/src/linux/

If problems appear during the build, you can try to solve them yourself or turn to the Netfilter mailing list, where people can help you. There you will find explanations of what may have gone wrong in your installation, so do not panic right away. If that does not help, try to reason through it logically; that may help. Or ask a "guru" you know.

If everything went smoothly, you are ready to install the binaries; run:

make install KERNEL_DIR=/usr/src/linux/

I hope there were no problems here! To use iptables you will now definitely need to rebuild and reinstall the kernel, if you have not done so already. More information on installing the package is in the INSTALL file.
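Two things in this chapter are easy to get wrong: pointing KERNEL_DIR at a tree that has not been configured, and building against a kernel that lacks some of the options listed for rc.firewall.txt in section 2.2, which only shows up later as "iptables: No chain/target/match by that name". The script below, added here as an example and not part of the tutorial or of the netfilter project, checks a kernel tree's .config for the twelve options from that list and runs the build steps of this section in order only if the check passes. The sample .config it demonstrates on is constructed and deliberately lacks CONFIG_IP_NF_IRC; KERNEL_DIR and the iptables-1.2.6a directory are the paths the text uses.

```shell
#!/bin/sh
# Added example (not from the tutorial): check the kernel tree before building iptables.
# REQUIRED_OPTIONS is the minimal list the tutorial gives for rc.firewall.txt.

REQUIRED_OPTIONS="CONFIG_PACKET CONFIG_NETFILTER CONFIG_IP_NF_CONNTRACK CONFIG_IP_NF_FTP
CONFIG_IP_NF_IRC CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_FILTER CONFIG_IP_NF_NAT
CONFIG_IP_NF_MATCH_STATE CONFIG_IP_NF_TARGET_LOG CONFIG_IP_NF_MATCH_LIMIT
CONFIG_IP_NF_TARGET_MASQUERADE"

# check_kernel_config KERNEL_DIR
# Returns 0 if KERNEL_DIR holds a configured tree whose .config enables every required
# option either built-in (=y) or as a module (=m); prints the status of each option.
check_kernel_config() {
    dir=$1
    if [ ! -f "$dir/.config" ]; then
        echo "no .config in $dir: configure the kernel (make menuconfig) first" >&2
        return 1
    fi
    missing=0
    for opt in $REQUIRED_OPTIONS; do
        # A .config line is "CONFIG_X=y", "CONFIG_X=m", "# CONFIG_X is not set", or absent.
        case $(grep "^$opt=" "$dir/.config" | head -n 1) in
            "$opt=y") echo "$opt: built-in" ;;
            "$opt=m") echo "$opt: module (must be loaded before the rules are installed)" ;;
            *)        echo "$opt: MISSING"; missing=$((missing + 1)) ;;
        esac
    done
    [ "$missing" -eq 0 ]
}

# build_iptables SRC_DIR KERNEL_DIR
# The tutorial's build order: pending patches, then make, then make install. Run as root.
# If any patch was applied, the kernel must be reconfigured and rebuilt afterwards.
build_iptables() {
    src=$1; kdir=$2
    check_kernel_config "$kdir" || return 1
    (cd "$src" &&
     make pending-patches KERNEL_DIR="$kdir" &&
     make KERNEL_DIR="$kdir" &&
     make install KERNEL_DIR="$kdir")
}

# Self-demonstration on a constructed .config. For a real tree run:
#   check_kernel_config /usr/src/linux && build_iptables ./iptables-1.2.6a /usr/src/linux
demo_dir=$(mktemp -d)
cat > "$demo_dir/.config" <<'EOF'
CONFIG_PACKET=y
CONFIG_NETFILTER=y
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_FTP=m
# CONFIG_IP_NF_IRC is not set
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_MATCH_STATE=m
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_MATCH_LIMIT=m
CONFIG_IP_NF_TARGET_MASQUERADE=m
EOF
check_kernel_config "$demo_dir" || echo "fix the kernel configuration before building iptables"
rm -rf "$demo_dir"
```

The check accepts =m as well as =y because rc.firewall.txt loads its modules itself; the important failure is an option that is absent or "is not set", since no amount of modprobe will supply it.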


2.3.2. Installation on Red Hat 7.1

Red Hat 7.1, with its 2.4.x kernel, already ships netfilter and iptables preinstalled. However, for backward compatibility with previous releases, ipchains runs by default. We will now briefly go through how to remove ipchains and start iptables in its place.

Note

The iptables version in Red Hat 7.1 is badly out of date, and it would probably be a good idea to install a newer one.

First, disable ipchains so that its modules are not loaded in the future. To do this we need to rename some files in the /etc/rc.d/ tree. The following command does the necessary work:

chkconfig --level 0123456 ipchains off

As a result of this command, in some of the symbolic links pointing to /etc/rc.d/init.d/ipchains the letter S (meaning the script is run at system startup) is replaced by the letter K (for Kill, meaning the script is run at shutdown). This prevents the unwanted service from starting in the future.

ipchains, however, is still running. Now run the command that stops the service:

service ipchains stop

Finally, the iptables service must be started. First we must decide at which runlevels the service should start. Usually these are levels 2, 3 and 5. About these levels we know:

  • 2. Multi-user mode without NFS, or the same as 3 if you have no networking.

  • 3. Full multi-user mode.

  • 5. X11. This level is used to boot straight into X Windows.



To start iptables at these levels, run:

chkconfig --level 235 iptables on

A word about the levels at which iptables is not needed: level 1 is single-user mode, normally used in emergencies when bringing up a broken system. Level 4 should not be used at all. Runlevel 0 is halt and runlevel 6 is reboot.

To activate the iptables service, run:

service iptables start

So iptables is now running, but we have no rules yet. There are two ways to add rules in Red Hat 7.1. The first is to edit /etc/rc.d/init.d/iptables, but this has one drawback: when iptables is updated from an RPM package, all your rules are lost. The second is to enter the rules and save them with iptables-save; rules saved this way are restored automatically when the system boots.

If you chose the first way, you must put the rules into the start section of /etc/rc.d/init.d/iptables (to load them at boot), or into the start() function. For actions at shutdown, make the corresponding changes in the stop section or the stop() function. Do not forget the restart and condrestart sections either. Let me repeat that if iptables is updated from RPM packages or by an automatic network update, you may lose every change made to /etc/rc.d/init.d/iptables.

The second way of loading rules is preferable. It involves the following steps. First, write the rules, either into a file or directly with the iptables command, whichever you prefer. Then run iptables-save > /etc/sysconfig/iptables (iptables-save on its own only prints the rule-set to standard output). The whole rule-set is then saved in /etc/sysconfig/iptables, which is loaded automatically when the iptables service starts. Another way to save the rule-set is the command service iptables save, which does exactly the same thing. From then on, at every reboot, the iptables script in rc.d runs iptables-restore to load the rule-set from /etc/sysconfig/iptables.

And finally, to complete the installation, it is a good idea to remove the old versions of ipchains and iptables. This is needed so that the system does not confuse the old iptables package with the newly installed one. Removing the old iptables package is only necessary if you installed from source: the RPM installs its binaries in a different place (under /sbin) than a build from source (by default under /usr/local), so the new package does not overwrite the old one and the old binary may still be the one found first in the PATH. To uninstall the previous iptables version, run:
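The file iptables-save writes is what iptables-restore loads at every boot, so it is worth checking it before trusting it: if the restore fails, the machine comes up with the kernel's default ACCEPT policies and no rules at all. The script below is an added example, not part of the tutorial or of Red Hat's init script. It validates the structure iptables-restore expects in a save file: each table opened with *name and closed by COMMIT, every chain declared with :name before a rule appends to it, and every -j naming a built-in target or a declared chain. The rule-set it checks is constructed for the example (RFC 5737 addresses); the list of built-in targets is the set covered by this tutorial.

```shell
#!/bin/sh
# Added example (not from the tutorial): validate an iptables-save file before
# iptables-restore (or "service iptables start") reads it.

# Constructed rule-set in iptables-save format, as /etc/sysconfig/iptables would hold it.
SAMPLE_RULESET='# Generated by iptables-save v1.2.6a
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j SNAT --to-source 203.0.113.10
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:allowed - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -i eth0 --dport 22 -j allowed
-A INPUT -m limit --limit 3/minute -j LOG --log-prefix "INPUT drop: "
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A allowed -p tcp --syn -j ACCEPT
-A allowed -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
-A allowed -p tcp -j DROP
COMMIT'

# Targets that are not user-defined chains (the ones this tutorial covers).
BUILTIN_TARGETS="ACCEPT DROP REJECT RETURN LOG ULOG QUEUE MIRROR MARK TOS TTL SNAT DNAT MASQUERADE REDIRECT TCPMSS"

# validate_ruleset FILE
# Exit 0 if every table is closed by COMMIT, every "-A" appends to a chain declared with
# ":name" in the same table, and every "-j" names a built-in target or a declared chain.
validate_ruleset() {
    awk -v builtins="$BUILTIN_TARGETS" '
    BEGIN { bad = 0; n = split(builtins, b, " "); for (i = 1; i <= n; i++) builtin[b[i]] = 1 }
    /^#/ || /^[ \t]*$/ { next }
    /^\*/ {
        if (table != "") { printf "ERROR: table %s not closed by COMMIT\n", table; bad = 1 }
        table = substr($0, 2); for (c in chains) delete chains[c]; next
    }
    table == "" { printf "ERROR: line %d outside any table: %s\n", NR, $0; bad = 1; next }
    /^:/ { chains[substr($1, 2)] = 1; next }
    /^COMMIT$/ { table = ""; next }
    /^-A / {
        if (!($2 in chains)) { printf "ERROR: line %d: chain %s not declared in table %s\n", NR, $2, table; bad = 1 }
        for (i = 3; i <= NF; i++)
            if ($i == "-j" && !($(i+1) in builtin) && !($(i+1) in chains)) {
                printf "ERROR: line %d: jump to unknown target %s\n", NR, $(i+1); bad = 1
            }
        next
    }
    { printf "ERROR: line %d: unrecognised line: %s\n", NR, $0; bad = 1 }
    END {
        if (table != "") { printf "ERROR: table %s not closed by COMMIT\n", table; bad = 1 }
        exit bad
    }' "$1"
}

# Demonstration: the sample passes; the same file with its final COMMIT dropped does not.
f=$(mktemp)
printf '%s\n' "$SAMPLE_RULESET" > "$f"
validate_ruleset "$f" && echo "rule-set OK: safe to run iptables-restore < $f"
sed '$d' "$f" > "$f.broken"
validate_ruleset "$f.broken" || echo "refusing to restore $f.broken"
rm -f "$f" "$f.broken"
```

Run it on /etc/sysconfig/iptables after service iptables save and before the next reboot; a non-zero exit means iptables-restore would fail on that file.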

rpm -e iptables

Remove ipchains in the same way, since there is no longer any point in keeping this package on the system.

rpm -e ipchains


Chapter 3. Traversing of tables and chains

In this chapter we will look at the order in which packets traverse the tables and the chains within each table. This information will be very important to you later, when you start building your own rule-sets, especially when those rule-sets include targets such as DNAT, SNAT and, of course, TOS.


3.1. General

When a packet arrives at our firewall, it first hits the network device, is picked up by the corresponding driver and then passed on to the kernel. The packet then goes through a series of tables and is finally either delivered to a local application or forwarded to another machine. The order in which the packet travels is given below:

Table 3-1. Forwarded packets

Step  Table   Chain        Comment
1     -       -            On the wire (i.e. the Internet)
2     -       -            Comes in on the network interface (e.g. eth0)
3     mangle  PREROUTING   This chain is normally used for mangling the packet header, e.g. changing the TOS bits, etc.
4     nat     PREROUTING   This chain is used for Destination Network Address Translation. Source Network Address Translation is done later, in another chain. Any kind of filtering in this chain should be done only in exceptional cases.
5     -       -            Routing decision, i.e. at this point it is decided where the packet goes: to a local application or to another host on the network.
6     mangle  FORWARD      The packet now enters the FORWARD chain of the mangle table, which should be used only in exceptional cases, when the packet header has to be mangled between the two routing decisions.
7     filter  FORWARD      Only packets going to another host enter the FORWARD chain. All filtering of forwarded traffic should be done here. Remember that traffic passes through this chain in both directions; be sure to take this into account when writing filtering rules.
8     mangle  POSTROUTING  This chain is for mangling the packet header after the final routing decision has been made.
9     nat     POSTROUTING  This chain is intended first of all for Source Network Address Translation. Do not use it for filtering unless absolutely necessary. Masquerading is also done here.
10    -       -            Goes out on the outgoing network interface (e.g. eth1).
11    -       -            Out on the wire (say, the LAN).

As you can see, the packet goes through several steps before it is passed on. At each of them it may be stopped, whether by an iptables chain or by something else, but we are mainly interested in iptables. Note that there are no chains specific to particular interfaces or anything of that kind. ALL packets that travel through our firewall/router go through the FORWARD chain. Do not use the INPUT chain to filter forwarded packets: they simply never get there! Only packets destined for this host itself travel through that chain!

Now let us look at the path of a packet destined for a local process/application:

Table 3-2. For a local application

Step  Table   Chain        Comment
1     -       -            On the wire (i.e. the Internet)
2     -       -            Comes in on the incoming network interface (e.g. eth0)
3     mangle  PREROUTING   Normally used for mangling the packet header, e.g. setting the TOS bits, etc.
4     nat     PREROUTING   Destination Network Address Translation. Filtering here is allowed only in exceptional cases.
5     -       -            Routing decision.
6     mangle  INPUT        The packet enters the INPUT chain of the mangle table. Here the packet header is mangled before the packet is handed to the local application.
7     filter  INPUT        This is where incoming traffic is filtered. Remember that all incoming packets addressed to us pass through this chain, regardless of which interface they came in on.
8     -       -            Local process/application (i.e. a server or client program)

It is important to remember that this time the packets go through the INPUT chain, not through FORWARD.

Finally, let us look at the path of packets generated by local processes.

Table 3-3. From local processes

Step  Table   Chain        Comment
1     -       -            Local process (i.e. a server or client program).
2     -       -            Routing decision. Here it is decided where the packet goes next: to which address, via which network interface, etc.
3     mangle  OUTPUT       Here the packet header is mangled. Filtering in this chain may have unwanted consequences.
4     nat     OUTPUT       This chain is used for Network Address Translation (NAT) of packets generated by the firewall's own local processes.
5     filter  OUTPUT       Outgoing traffic is filtered here.
6     mangle  POSTROUTING  The POSTROUTING chain of the mangle table is mainly used for rules that must mangle the packet header before the packet leaves the firewall, but after the routing decision. All packets enter this chain, both forwarded ones and those generated by the firewall's local processes.
7     nat     POSTROUTING  Source Network Address Translation is done here. Packets should not be filtered in this chain, to avoid unwanted side effects. However, packets can still be stopped here by a default DROP policy.
8     -       -            Network interface (e.g. eth0)
9     -       -            On the wire (i.e. the Internet)

We now know that there are three different paths a packet can take. The figure below shows this more clearly:



This figure gives a fairly clear picture of the order in which packets traverse the different chains. At the first routing decision, all packets destined for this host are sent to the INPUT chain, the rest to the FORWARD chain.

Note also that packets whose destination is the firewall may have their destination address changed (DNAT) in the PREROUTING chain of the nat table, so the routing at the first decision point is made according to the changes that were applied. Remember: all packets pass through the tables and chains along one path or another. Even if DNAT sends a packet back into the same network it came from, the packet still continues on through the chains.
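The three paths above and the effect of DNAT on the first routing decision, as an added Python model (not code from the tutorial): the firewall addresses, the DNAT rule and the packets are constructed, and only DNAT in nat/PREROUTING is modelled, not SNAT or filtering.

```python
# Added example (not from the tutorial): a small model of the three traversal
# paths from Tables 3-1 to 3-3. The point it shows is that the first routing
# decision looks at the destination *after* nat/PREROUTING has applied DNAT.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    local: bool = False   # True if generated by a process on the firewall itself


# Hook order for each of the three paths, exactly as listed in the tables.
INBOUND_PREROUTING = [("mangle", "PREROUTING"), ("nat", "PREROUTING")]
FORWARD_PATH = [("mangle", "FORWARD"), ("filter", "FORWARD"),
                ("mangle", "POSTROUTING"), ("nat", "POSTROUTING")]
INPUT_PATH = [("mangle", "INPUT"), ("filter", "INPUT")]
OUTPUT_PATH = [("mangle", "OUTPUT"), ("nat", "OUTPUT"), ("filter", "OUTPUT"),
               ("mangle", "POSTROUTING"), ("nat", "POSTROUTING")]


def apply_dnat(pkt, dnat_rules):
    """nat/PREROUTING: rewrite the destination if a rule matches (dst, dport)."""
    new_dst = dnat_rules.get((pkt.dst, pkt.dport))
    return replace(pkt, dst=new_dst) if new_dst else pkt


def traverse(pkt, firewall_addrs, dnat_rules=None):
    """Return the ordered (table, chain) hooks the packet passes through and the
    packet as it looks after nat/PREROUTING."""
    dnat_rules = dnat_rules or {}
    if pkt.local:
        # Table 3-3: the routing decision comes first, then the OUTPUT chains.
        return list(OUTPUT_PATH), pkt
    hooks = list(INBOUND_PREROUTING)
    pkt = apply_dnat(pkt, dnat_rules)
    # First routing decision: the translated destination decides INPUT vs FORWARD.
    if pkt.dst in firewall_addrs:
        hooks += INPUT_PATH          # Table 3-2
    else:
        hooks += FORWARD_PATH        # Table 3-1
    return hooks, pkt


if __name__ == "__main__":
    fw = {"203.0.113.1", "192.168.1.1"}             # constructed firewall addresses
    rules = {("203.0.113.1", 80): "192.168.1.10"}   # constructed DNAT rule
    for p in (Packet("198.51.100.7", "203.0.113.1", 22),
              Packet("198.51.100.7", "203.0.113.1", 80),
              Packet("192.168.1.1", "198.51.100.7", 53, local=True)):
        hooks, after = traverse(p, fw, rules)
        print(after.dst, "->", " > ".join(f"{t}/{c}" for t, c in hooks))
```

The port 80 packet is addressed to the firewall but, because DNAT rewrites it first, it ends up in FORWARD rather than INPUT.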

Tip

The rc.test-iptables.txt script contains additional information about the order in which packets travel.


3.2. The Mangle table

As mentioned above, this table is intended mainly for mangling packet headers (mangle: to distort, to alter; translator's note). That is, in this table you can set the TOS (Type Of Service) bits and so on.

Caution

Once again, remember that no filtering, masquerading or address translation (DNAT, SNAT, MASQUERADE) should be done in this table.

Only the following targets may be used in this table:

  • TOS

  • TTL

  • MARK

The TOS target sets the bits of the Type of Service field in the packet. This field is used to set the network policy for handling the packet, i.e. it specifies the preferred kind of routing. It should be noted, however, that this feature is actually used on only a small number of routers on the Internet. In other words, you should not change this field for packets going out to the Internet, because the routers that do honour it may make a wrong decision when choosing a route.

The TTL target is used to set the value of the packet's TTL (Time To Live) field. There is one good use for this target. We can assign a fixed value to this field in order to hide our firewall from overly curious Internet Service Providers. Some providers strongly dislike it when a single connection is shared by several computers, so they start checking the TTL of incoming packets and use it as one of the criteria for deciding whether one computer or several are "sitting" on the connection.

The MARK target sets a special mark on the packet, which can later be checked by other rules in iptables or by other programs, such as iproute2. Using "marks" you can control the routing of packets, limit traffic and so on.


3.3. The Nat table

This table is used for Network Address Translation (NAT). As mentioned earlier, only the first packet of a stream goes through the chains of this table; the address translation or masquerading is then applied automatically to all subsequent packets in the stream. The targets characteristic of this table are:

  • DNAT

  • SNAT

  • MASQUERADE

The DNAT (Destination Network Address Translation) target rewrites the destination address in packet headers. In other words, this target redirects packets to addresses other than those specified in the packet headers.

SNAT (Source Network Address Translation) is used to change the source address of packets. With this target you can hide the structure of the local network and, at the same time, share a single external IP address among the computers of the local network for Internet access. In this case the firewall, using SNAT, automatically performs the forward and reverse address translation, thus making it possible to connect to servers on the Internet from computers on the local network.

Masquerading (MASQUERADE) is used for the same purposes as SNAT, but unlike SNAT, MASQUERADE puts a heavier load on the system. This is because every time this target has to be executed, the IP address of the network interface named in the target is looked up, whereas for SNAT the IP address is given directly. Thanks to this difference, however, MASQUERADE can work with a dynamic IP address, i.e. when you connect to the Internet via, say, PPP, SLIP or DHCP.


3.4. The Filter table

As the name implies, this table should contain the rule-sets for packet filtering. Packets can be let through or dropped (the ACCEPT and DROP targets respectively) depending on their contents. Of course, we can filter packets in other tables too, but this table exists precisely for filtering. Most of the existing targets may be used in this table, but a number of the targets we looked at earlier in this chapter must be used only in the tables they belong to.


Chapter 4. The state machine

This chapter is devoted entirely to the packet state machine. After reading it you should have a fairly clear understanding of how the mechanism works, helped along by a considerable number of explanatory examples.


4.1. Introduction

The state machine is a separate part of iptables and really should not be called that, since it is in fact a connection tracking mechanism. However, a great many people know it as the "state machine". In this chapter these names are used as synonyms. The connection tracker was created so that netfilter can always have information about the state of every particular connection. Having the connection tracker makes it possible to build more robust rule-sets than with firewalls that do not support such a mechanism.

Within iptables, a connection can be in one of 4 basic states: NEW, ESTABLISHED, RELATED and INVALID. We will look at each of them in more detail later. The --state match is used to control the flow of packets based on their state.

Connection tracking is done by special code in kernel space: the connection tracker (conntrack). The tracker code can be compiled either as a loadable kernel module or statically into the kernel. In most cases we need more specific information about a connection than what the tracker provides by default. For this reason the tracker includes handlers for different protocols, such as TCP, UDP or ICMP. The information they collect is then used to identify the connection and determine its current state. For example, a UDP connection is uniquely identified by the source and destination IP addresses and ports.

Earlier kernels made it possible to turn packet defragmentation support on and off. However, once connection tracking was included in iptables/netfilter, this was no longer needed. The reason is that the tracker cannot do its job without defragmentation support, so it is always on. It cannot be turned off except by turning off connection tracking. Defragmentation is always performed if the tracker is enabled.

Connection tracking is done in the PREROUTING chain, except for packets generated by local processes on the firewall, in which case it is done in the OUTPUT chain. This means that iptables does all the state-related computation within these chains. When a local process on the firewall sends the first packet of a stream, it is assigned the state NEW in the OUTPUT chain; when the reply packet comes back, the state of the connection is changed to ESTABLISHED in the PREROUTING chain, and so on. If the connection is initiated from outside, the state NEW is assigned to the first packet of the stream in the PREROUTING chain. Thus, the state of packets is determined within the PREROUTING and OUTPUT chains of the nat table.


4.2. The conntrack table

Let us briefly look at the connection tracking table, which can be found in the file /proc/net/ip_conntrack. It contains a list of all active connections. If the ip_conntrack module is loaded, the command cat /proc/net/ip_conntrack should print something like this:

tcp  6 117 SYN_SENT src=192.168.1.6 dst=192.168.1.9 sport=32775 \
     dport=22 [UNREPLIED] src=192.168.1.9 dst=192.168.1.6 sport=22 \
     dport=32775 use=2
    

This example contains all the information the tracker knows about a particular connection. The first thing we see is the protocol name, in this case tcp. Next comes a number in ordinary decimal notation (the protocol number). After that comes a number specifying the "time to live" of the entry in the table (i.e. the number of seconds after which the information about the connection is removed from the table). In our case the entry will be kept for another 117 seconds, unless, of course, another packet goes through this connection. Every time another packet goes through this connection, this value is reset to the default value for the given state. The number decreases by 1 every second. Next comes the actual state of the connection. In our example the state is SYN_SENT. The internal representation of the state differs somewhat from the external one. The value SYN_SENT says that a single TCP SYN packet has gone through this connection. Then come the source and destination addresses and the source and destination ports. Here we also see the keyword [UNREPLIED], which tells us that there has been no reply traffic on this connection yet. Finally, additional information about the expected packet is given: the source/destination IP addresses (the same ones, but swapped, since a reply packet is expected), and likewise the ports.

The entries in the table can take a number of values, all of which are defined in the header files linux/include/netfilter-ipv4/ip_conntrack*.h. The default values depend on the protocol. Each of the IP protocols, TCP, UDP or ICMP, has its own default values, defined in the header file linux/include/netfilter-ipv4/ip_conntrack.h. We will look at these values in more detail when we consider each protocol separately.

Note

Quite recently a patch called tcp-window-tracking appeared in patch-o-matic; it makes it possible to pass all the timeout values through special variables, i.e. to change them "on the fly". This makes it possible to change the timeouts without rebuilding the kernel.

The changes are made through specific system calls, via the /proc/sys/net/ipv4/netfilter directory. Pay particular attention to the /proc/sys/net/ipv4/netfilter/ip_ct_* variables.

After the reply packet is received, the tracker removes the [UNREPLIED] flag and replaces it with [ASSURED]. This flag says that the connection is firmly established and that the entry will not be deleted when the maximum possible number of tracked connections is reached. The maximum number of entries the table can hold depends on a default value that can be set via the ipsysctl function in recent kernels. For 128 MB of RAM this value is 8192 entries, for 256 MB it is 16376. You can view and change this value via the /proc/sys/net/ipv4/ip_conntrack_max variable.


4.3. User-space states

As you have probably already noticed, in kernel space packets can have several different states, depending on the protocol. Outside the kernel, however, packets can have only 4 states. The state of a packet is used mainly by the --state match. The permitted states are NEW, ESTABLISHED, RELATED and INVALID. The table below describes each of the possible states.

Table 4-1. User-space states

State        Description
NEW          The NEW state means that the packet is the first one for the given connection, i.e. it is the first packet of this connection that the tracker module has seen. For example, if a SYN packet is received that is the first packet of a connection, it gets the NEW state. However, a packet may get the NEW state even if it is not a SYN packet. This can cause certain problems in some cases, but it can also be very useful, for instance when we want to "pick up" connections "lost" by other firewalls, or in cases where the connection timeout has already expired but the connection itself was not closed.
RELATED      The RELATED state is one of the "trickiest". A connection gets the RELATED state if it is related to another connection that has the ESTABLISHED state. This means that a connection is RELATED when it is initiated from within an already established connection that has the ESTABLISHED state. Good examples of connections that may be considered RELATED are the FTP-data connection, which is related to the FTP control port, and a DCC connection started from IRC. Note that most TCP protocols and some UDP protocols are quite complex and pass connection information inside the data area of TCP or UDP packets, and therefore need special helper modules to work correctly.
ESTABLISHED  The ESTABLISHED state says that this is not the first packet of the connection. The way the ESTABLISHED state is assigned is easy enough to understand. The only requirement is that, to enter the ESTABLISHED state, a host must send a packet and receive a reply to it from another host. After the reply is received, the connection state NEW or RELATED is changed to ESTABLISHED.
INVALID      The INVALID state says that the packet could not be identified and therefore cannot have a definite state. This can happen for various reasons, for example when memory runs out or when an ICMP error message is received that does not correspond to any known connection. Probably the best option is to DROP such packets.

These four states can be used in the --state match. The state machine makes it possible to build extremely powerful and effective protection. Previously one had to open all ports above 1024 to let return traffic into the local network; now, with the state machine, this is no longer needed, since it is possible to "open" access only for return (reply) traffic while blocking attempts to establish connections from outside.


4.4. TCP connections

In this and the following sections we take a closer look at the states and how they are handled for each of the three basic protocols, TCP, UDP and ICMP, and also touch on the case where the connection's protocol cannot be classified as one of these three. We start with TCP, since it has a great many interesting peculiarities with respect to the iptables state machine.

A TCP connection is always set up by exchanging three packets that initialize and establish the connection over which data will later be sent. The session starts with a SYN packet, which is answered with a SYN/ACK packet, and an ACK packet confirms that the connection is established. After this the connection is considered established and ready for data transfer. The question may arise: "So how is the connection tracked?" In fact it is quite simple.

For all types of connections, tracking works almost the same way. Look at the figure below, which shows all the stages of connection establishment. As you can see, from the user's point of view the tracker does not really follow the progress of the connection setup. As soon as the tracker "sees" the first (SYN) packet, it assigns it the NEW state. As soon as the second packet (SYN/ACK) passes through the tracker, the connection is assigned the ESTABLISHED state. Why the second packet? Let us find out. When building your rule-set, you can allow packets with the NEW and ESTABLISHED states to leave the local network, while in the incoming traffic you let through only packets with the ESTABLISHED state, and everything will work fine. Conversely, if the tracker continued to consider the connection as NEW, you would effectively never be able to establish a connection with the "outside world", or you would have to allow NEW packets into the local network. From the kernel's point of view things look more complicated, since in kernel space TCP connections have a number of intermediate states that are not available in user space. Roughly, they correspond to the RFC 793 - Transmission Control Protocol specification, pages 21-23. This topic is discussed in more detail a little further on.



From the user's point of view everything looks quite simple, but seen from the kernel's point of view it is somewhat more complex. Let us look at how the state of a connection changes in the /proc/net/ip_conntrack table, starting after the first SYN packet has been sent.

tcp      6 117 SYN_SENT src=192.168.1.5 dst=192.168.1.35 sport=1031 \
     dport=23 [UNREPLIED] src=192.168.1.35 dst=192.168.1.5 sport=23 \
     dport=1031 use=1
  

As you can see, the table entry reflects the exact state of the connection: a SYN packet has been sent (the SYN_SENT flag) and no reply to it has come yet (the [UNREPLIED] flag). After the reply packet is received, the connection is moved to the next internal state:

tcp      6 57 SYN_RECV src=192.168.1.5 dst=192.168.1.35 sport=1031 \
     dport=23 src=192.168.1.35 dst=192.168.1.5 sport=23 dport=1031 \
     use=1
  

Now the entry says that a SYN/ACK packet has come back. This time the connection is moved to the SYN_RECV state. This state says that the SYN packet was successfully delivered to the recipient and an acknowledgement packet (SYN/ACK) came back in reply. In addition, having "seen" packets going in both directions, the state machine removes the [UNREPLIED] flag. Finally, after the last ACK packet of the connection setup procedure is sent

tcp      6 431999 ESTABLISHED src=192.168.1.5 dst=192.168.1.35 \
     sport=1031 dport=23 src=192.168.1.35 dst=192.168.1.5 \
     sport=23 dport=1031 use=1
  

the connection moves to the ESTABLISHED state. After a few more packets have been received through this connection, the [ASSURED] flag is added to it.

When closing, a TCP connection goes through the following states.



As can be seen from the figure, the connection is not closed until the last ACK packet has been sent. Note that this picture describes the normal process of closing a connection. In addition, if a connection is refused, it may be closed by sending an RST (reset) packet. In this case the connection is closed after a predefined time has elapsed.

When closed, the connection is moved to the TIME_WAIT state, which lasts 2 minutes by default and during which packets can still pass through the firewall. This is a kind of "buffer time" that lets packets that got "stuck" at some router get through.

If the connection is closed on receipt of an RST packet, it is moved to the CLOSE state. The wait time before the connection is actually closed is 10 seconds by default. RST packets are not acknowledged and the connection is closed immediately. There are also a number of other internal states. The table below lists the possible internal connection states and the corresponding timeouts.

Table 4-2. Internal states

State        Timeout
NONE         30 minutes
ESTABLISHED  5 days
SYN_SENT     2 minutes
SYN_RECV     60 seconds
FIN_WAIT     2 minutes
TIME_WAIT    2 minutes
CLOSE        10 seconds
CLOSE_WAIT   12 hours
LAST_ACK     30 seconds
LISTEN       2 minutes

These values may vary somewhat from one kernel version to another; they can also be changed through the /proc file system interface (the /proc/sys/net/ipv4/netfilter/ip_ct_tcp_* variables). The values are set in hundredths of a second, so the number 3000 means 30 seconds.
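The handshake entries above and the timeouts in Table 4-2, as an added Python model (not the tutorial's or the kernel's code): it replays the SYN, SYN/ACK, ACK sequence and the RST case, maps each packet to the user-space states of section 4.3, and simplifies the close path to the FIN_WAIT and TIME_WAIT steps the text describes rather than reproducing the kernel's full transition table.

```python
# Added example (not from the tutorial): a simplified model of how the
# connection tracker moves a TCP connection through the internal states of
# section 4.4 and Table 4-2, and how that maps to the user-space --state values.

# Table 4-2 timeouts, in seconds.
TIMEOUTS = {
    "NONE": 30 * 60, "ESTABLISHED": 5 * 24 * 3600, "SYN_SENT": 2 * 60,
    "SYN_RECV": 60, "FIN_WAIT": 2 * 60, "TIME_WAIT": 2 * 60, "CLOSE": 10,
    "CLOSE_WAIT": 12 * 3600, "LAST_ACK": 30, "LISTEN": 2 * 60,
}


def proc_value(seconds):
    """The ip_ct_tcp_* /proc variables count hundredths of a second: 30 s -> 3000."""
    return seconds * 100


class TrackedTcp:
    """One /proc/net/ip_conntrack entry for a TCP stream."""

    def __init__(self):
        self.state = "NONE"
        self.unreplied = True    # [UNREPLIED] until a packet is seen in the reply direction
        self.assured = False     # [ASSURED] once the handshake has completed (assumption)
        self.packets = 0

    @property
    def timeout(self):
        """Seconds the entry would show right after this packet refreshed it."""
        return TIMEOUTS[self.state]

    def packet(self, flags, reply):
        """Feed one packet. flags is a set such as {"SYN", "ACK"}; reply=True means
        the packet travels in the reply direction. Returns the user-space state."""
        self.packets += 1
        userspace = "NEW" if self.packets == 1 else "ESTABLISHED"
        if reply:
            self.unreplied = False
        if "RST" in flags:
            self.state = "CLOSE"                       # closed after 10 s, no ACK expected
        elif self.state == "NONE" and "SYN" in flags and not reply:
            self.state = "SYN_SENT"                    # first SYN seen
        elif self.state == "SYN_SENT" and flags >= {"SYN", "ACK"} and reply:
            self.state = "SYN_RECV"                    # SYN/ACK came back
        elif self.state == "SYN_RECV" and "ACK" in flags and not reply:
            self.state = "ESTABLISHED"                 # final ACK of the handshake
            self.assured = True
        elif self.state == "ESTABLISHED" and "FIN" in flags:
            self.state = "FIN_WAIT"                    # one side started closing
        elif self.state == "FIN_WAIT" and "FIN" in flags:
            self.state = "TIME_WAIT"                   # both sides closed; 2 min grace
        # Any other packet leaves the state unchanged but refreshes the timeout.
        return userspace

    def entry(self):
        """Render the entry the way /proc/net/ip_conntrack shows it (flags only)."""
        flags = ("[UNREPLIED] " if self.unreplied else "") + ("[ASSURED] " if self.assured else "")
        return f"tcp 6 {self.timeout} {self.state} {flags}".rstrip()


def run_handshake():
    """Replay the three-way handshake from the text; returns what was seen per packet."""
    conn = TrackedTcp()
    seen = []
    for flags, reply in (({"SYN"}, False), ({"SYN", "ACK"}, True), ({"ACK"}, False)):
        user = conn.packet(flags, reply)
        seen.append((conn.state, conn.timeout, user, conn.unreplied, conn.assured))
    return seen


if __name__ == "__main__":
    for row in run_handshake():
        print(row)
```

Compare the timeouts printed (120, 60, 432000) with the 117, 57 and 431999 in the entries above, which were read a few seconds after each packet.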

Note

Note that from the user's side, the state machine does not reflect the state of the TCP packet flags at all. As a rule this is not always good, since the NEW state is assigned not only to SYN packets.

This property of the tracker can be used for redundant firewalling, but for a home LAN with only one firewall it is very bad. This problem is discussed in more detail in the section "NEW packets with the SYN bit unset" of the appendix "Common problems and questions". An alternative solution to this problem is to install the tcp-window-tracking patch from patch-o-matic, which makes it possible to make decisions depending on the TCP window value.


4.5. UDP connections

By their nature, UDP connections are stateless. There are several reasons for this, the main one being that this protocol has no connection establishment or teardown, but the biggest shortcoming is the lack of information about the order in which packets arrive. Having received two UDP datagrams, it is impossible to say for sure in which order they were sent. Even in this situation, however, it is still possible to determine the state of a connection. The figure below shows how connection establishment looks from the tracker's point of view.



From the figure it can be seen that, from user space, the state of a UDP connection is determined almost the same way as that of a TCP connection. Internally it looks somewhat different, though much is similar. First let us look at the entry that appears after the first UDP packet has been sent.

udp      17 20 src=192.168.1.2 dst=192.168.1.5 sport=137 dport=1025 \
     [UNREPLIED] src=192.168.1.5 dst=192.168.1.2 sport=1025 \
     dport=137 use=1
  

The first thing we see is the protocol name (udp) and its number (see /etc/protocols; translator's note). The third value is the remaining "time to live" of the entry in seconds. Then come the characteristics of the packet that passed through the firewall: the source and destination addresses and ports. Here we also see that this is the first packet of the session (the [UNREPLIED] flag). The entry ends with the source and destination addresses and ports of the expected packet. The default timeout for such an entry is 30 seconds.

udp      17 170 src=192.168.1.2 dst=192.168.1.5 sport=137 \
     dport=1025 src=192.168.1.5 dst=192.168.1.2 sport=1025 \
     dport=137 use=1
  

After the server has "seen" a reply to the first packet, the connection is considered ESTABLISHED; the only difference from the previous entry is that the [UNREPLIED] flag is gone and, in addition, the entry's timeout has become 180 seconds. After this, only the [ASSURED] flag described above can be added. The [ASSURED] flag is set only after a certain number of packets have passed through the connection.

udp      17 175 src=192.168.1.5 dst=195.22.79.2 sport=1025 \
     dport=53 src=195.22.79.2 dst=192.168.1.5 sport=53 \
     dport=1025 [ASSURED] use=1
  

Now the connection has become "assured". The table entry looks almost the same as in the previous example, except for the [ASSURED] flag. If not a single packet passes through the connection within 180 seconds, the entry is removed from the table. This is a fairly short interval, but it is quite enough for most uses. The "time to live" is counted from the moment the last packet passed, and when a new one appears the time is reset to its initial value; this holds for all the other internal states as well.


4.6. ICMP connections

ICMP packets are used only to carry control messages and do not set up a persistent connection. There are, however, 4 types of ICMP packets that cause a reply to be sent, so they can have two states: NEW and ESTABLISHED. These are ICMP Echo Request/Echo Reply, ICMP Timestamp Request/Timestamp Reply, ICMP Information Request/Information Reply and ICMP Address Mask Request/Address Mask Reply. Of these, ICMP Timestamp Request/Timestamp Reply and ICMP Information Request/Information Reply are considered obsolete and can therefore, in most cases, be safely dropped (DROP). Look at the figure below.



As can be seen from this figure, the server sends an Echo Request to the client, and this request is recognized by the firewall as NEW. The client answers it with an Echo Reply packet, and this packet is now recognized as having the ESTABLISHED state. After the first packet (Echo Request) has passed, the following entry appears in ip_conntrack:

icmp     1 25 src=192.168.1.6 dst=192.168.1.10 type=8 code=0 \
     id=33029 [UNREPLIED] src=192.168.1.10 dst=192.168.1.6 \
     type=0 code=0 id=33029 use=1
  

This entry differs somewhat from those for TCP and UDP, although the protocol name, the timeout and the sender and receiver addresses are present just the same; but then three new fields appear: type, code and id. The type field contains the ICMP type and the code field the ICMP code. The ICMP type and code values are listed in the appendix "ICMP types". The last field, id, contains the packet identifier. Every ICMP packet has its own identifier. When the receiver sends a reply to an ICMP request, it puts this identifier into the reply packet, so that the sender can correctly tell which request a reply belongs to.

The next field is the [UNREPLIED] flag, which we have met before. It means that the first packet of the connection has arrived. The entry ends with the characteristics of the expected reply packet. These include the source and destination addresses. As for the type and code of the ICMP packet, they are the correct values for the expected ICMP Echo Reply packet. The identifier of the reply packet is the same as in the request packet.

The reply packet is already recognized as ESTABLISHED. However, we know that after the reply packet has been sent nothing more is expected on this connection, so after the reply has passed through netfilter, the entry in the tracker table is destroyed.

÷ ÌÀÂÏÍ ÓÌÕÞÁÅ ÚÁÐÒÏÓ ÒÁÓÓÍÁÔÒÉ×ÁÅÔÓÑ ËÁË NEW, Á ÏÔ×ÅÔ ËÁË ESTABLISHED.

Note

Note that the reply packet must match the characteristics recorded in the connection tracking entry (source and destination addresses, type, code and identifier); the same holds for all other kinds of traffic.

ICMP requests have a default timeout of 30 seconds, which in most cases is quite enough. The timeout can be changed in /proc/sys/net/ipv4/netfilter/ip_ct_icmp_timeout. (Remember that the /proc/sys/net/ipv4/netfilter/ip_ct_* variables only become available after the tcp-window-tracking patch from patch-o-matic has been applied. Translator's note.)

A large part of ICMP is used to report what is happening to some UDP or TCP connection. Because of this, such messages are very often recognised as RELATED to an existing connection. Simple examples are ICMP Host Unreachable and ICMP Network Unreachable: they are generated whenever a connection attempt is made to a host or network that is unreachable, in which case the last router returns the corresponding ICMP packet, which is recognised as RELATED. The figure below shows how this happens.

In this example a connection request (a SYN packet) is sent to some host. It gets state NEW at the firewall. At that moment, however, the network turns out to be unreachable, so the router returns an ICMP Network Unreachable packet. The connection tracker recognises this packet as RELATED thanks to the entry already in the table, so the packet is passed to the client, which then aborts the failed connection. Meanwhile the firewall removes the entry from the table, since an error message has been received for this connection.

The same happens with UDP connections when similar problems are encountered. All ICMP messages sent in reply to a UDP connection are treated as RELATED. Look at the next figure.

A UDP datagram is sent to the server and the connection is given state NEW. Access to the network is prohibited, however (by a firewall or router), so an ICMP Network Prohibited message comes back. The firewall recognises this message as belonging to the open UDP connection, gives it state RELATED and passes it to the client. The tracking entry is then removed and the client closes the connection.
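
The fields just described can be checked on real entries with the following shell script, which is added here as an example and is not part of the tutorial. It parses ip_conntrack-style lines with awk and prints, per entry, the protocol, the original direction, the remaining timeout, the state the state match gives packets of that connection (NEW while the entry is [UNREPLIED], that is, only one direction has been seen; ESTABLISHED once the reply has passed) and whether the entry is [ASSURED]. The ICMP sample is the entry shown above joined onto one line; the TCP and UDP samples are constructed in the same format, and the function name is mine.

```shell
#!/bin/sh
# Added example: summarise /proc/net/ip_conntrack entries.
# Sample entries: the ICMP one is the entry shown in the text; the TCP
# and UDP ones are constructed in the same format.
SAMPLE_ICMP='icmp     1 25 src=192.168.1.6 dst=192.168.1.10 type=8 code=0 id=33029 [UNREPLIED] src=192.168.1.10 dst=192.168.1.6 type=0 code=0 id=33029 use=1'
SAMPLE_TCP='tcp      6 117 SYN_SENT src=192.168.1.6 dst=192.168.1.9 sport=32775 dport=22 [UNREPLIED] src=192.168.1.9 dst=192.168.1.6 sport=22 dport=32775 use=1'
SAMPLE_UDP='udp      17 20 src=192.168.1.2 dst=192.168.1.5 sport=137 dport=1025 src=192.168.1.5 dst=192.168.1.2 sport=1025 dport=137 [ASSURED] use=1'

# conntrack_summary: read ip_conntrack lines on stdin and print one line
# per entry: protocol, original src->dst, the state the state match gives
# this connection, the remaining timeout, the ASSURED flag and a protocol
# detail (TCP state name, or ICMP type of the request).
conntrack_summary() {
    awk '
    NF >= 3 {
        proto = $1; timeout = $3
        unreplied = 0; assured = 0; osrc = ""; odst = ""; detail = ""
        for (i = 4; i <= NF; i++) {
            if ($i == "[UNREPLIED]")                       unreplied = 1
            else if ($i == "[ASSURED]")                    assured = 1
            else if ($i ~ /^src=/ && osrc == "")           osrc = substr($i, 5)
            else if ($i ~ /^dst=/ && odst == "")           odst = substr($i, 5)
            else if (proto == "tcp" && i == 4)             detail = $i
            else if (proto == "icmp" && $i ~ /^type=/ && detail == "") detail = $i
        }
        # Only one direction has been seen while [UNREPLIED] is set, so the
        # connection is still NEW; once the reply has passed it is ESTABLISHED.
        state = unreplied ? "NEW" : "ESTABLISHED"
        sep = (detail != "") ? " " : ""
        printf "%s %s->%s state=%s timeout=%ss assured=%s%s%s\n", proto, osrc, odst, state, timeout, (assured ? "yes" : "no"), sep, detail
    }'
}

# Summarise the three samples.
printf '%s\n%s\n%s\n' "$SAMPLE_ICMP" "$SAMPLE_TCP" "$SAMPLE_UDP" | conntrack_summary
```

On a firewall the live table can be summarised with conntrack_summary < /proc/net/ip_conntrack. Entries that stay [UNREPLIED] until their timeout expires are the ones to look at when a service behind the firewall appears unreachable: the request went through, but no packet ever matched the expected reply tuple.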


4.7. Default behaviour

In some cases the state machine cannot recognise the protocol and therefore cannot pick a strategy for handling the connection. It then falls back to the default behaviour, which is used, for example, for the NETBLT, MUX and EGP protocols. The default behaviour is much like UDP tracking: the first packet gets state NEW and all subsequent packets state ESTABLISHED.

With the default behaviour the same timeout value is used for all packets; it can be changed in /proc/sys/net/ipv4/netfilter/ip_ct_generic_timeout. The default is 600 seconds, or 10 minutes. Depending on the kind of traffic this value may need adjusting, especially for connections over a satellite link.


4.8. Tracking complex protocols

There are a number of complex protocols that are harder to track correctly; ICQ, IRC and FTP are examples. Each of these protocols carries additional connection information in the data area of the packet, so tracking such connections correctly requires additional helper modules.

Take FTP as the first example. FTP first opens a single connection, called the FTP control session. When commands are issued within this session, additional ports are opened to carry the accompanying data. These connections can be active or passive. For an active connection, the client sends the FTP server the port number and IP address to connect to; the client then opens that port, the server connects from its own port 20 (known as FTP-Data) to the given client port, and the data is transferred over that connection.

The problem is that the firewall knows nothing about these additional connections, since all the information about them is carried in the data area of the packet. As a result the firewall will not let the server connect to the client's port.

The solution is a dedicated connection tracking helper module that watches for the protocol-specific information in the data area of the packets exchanged within the control session. When such a connection is set up, the helper module interprets the transferred information correctly and creates a matching entry in the tracking table with state RELATED, so that the connection can be established. The figure below shows the sequence of such a connection.

Passive FTP works the other way round. The client sends the server a request for data and the server returns the IP address and port number to connect to. The client connects from its port 20 (FTP-Data) to the given server port and receives the requested data. If your FTP server is behind a firewall you need this helper module so that the server can serve clients from the Internet. The same applies when you want to restrict your users to connecting only to HTTP and FTP servers on the Internet and close all other ports. The figure below shows how a passive FTP connection is made.

Some helper modules are already included in the kernel; specifically, the helpers for FTP and IRC. If the helper you need is not available, look at patch-o-matic, which contains many helper modules for tracking protocols such as ntalk or H.323. If you still cannot find what you need, you have further options: check the iptables CVS, in case the helper has not yet been included in patch-o-matic, or contact the netfilter developers and ask whether such a module exists or is planned. If that fails too, you should probably read Rusty Russell's Unreliable Netfilter Hacking HOW-TO.

Helper modules can be compiled either as loadable kernel modules or statically into the kernel. If they are compiled as modules, you can load them with the command:

modprobe ip_conntrack_*
  

Note that connection tracking has nothing to do with Network Address Translation (NAT), so you may need additional modules if you perform NAT. Suppose you do address translation and track FTP connections; then you also need the corresponding NAT helper module. By the naming convention, NAT helper modules are named ip_nat_<protocol>: in this case the module is ip_nat_ftp, and for IRC it is ip_nat_irc. The connection tracking helpers follow the same convention, for example ip_conntrack_ftp and ip_conntrack_irc.
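
As an added example (mine, not the tutorial's), the following shell functions apply the naming convention just described: they work out which helper modules a firewall needs for a list of protocols, compare that list with the loaded modules, and report or load the missing ones. The module list is read as /proc/modules-style text whose first column is the module name; the excerpt below is constructed, and the function names and the MODPROBE variable are my assumptions.

```shell
#!/bin/sh
# Added example: which conntrack/NAT helper modules are missing?

# required_helpers yes|no proto...: print the modules needed for each
# protocol; with NAT in use every ip_conntrack_<proto> needs ip_nat_<proto>.
required_helpers() {
    nat=$1; shift
    for p in "$@"; do
        echo "ip_conntrack_$p"
        if [ "$nat" = yes ]; then
            echo "ip_nat_$p"
        fi
    done
}

# missing_helpers yes|no proto...: read /proc/modules-style text on stdin
# (first column = module name) and print the required modules not in it.
missing_helpers() {
    loaded=$(awk '{ print $1 }')
    for m in $(required_helpers "$@"); do
        if ! printf '%s\n' "$loaded" | grep -qx "$m"; then
            echo "$m"
        fi
    done
}

# load_missing_helpers: same arguments and stdin; loads what is missing.
# MODPROBE can be overridden (for example MODPROBE=echo for a dry run).
load_missing_helpers() {
    for m in $(missing_helpers "$@"); do
        ${MODPROBE:-modprobe} "$m" || echo "failed to load $m" >&2
    done
}

# Constructed /proc/modules excerpt: the conntrack helpers for FTP and IRC
# are loaded, their NAT counterparts are not.
SAMPLE_MODULES='ip_conntrack_irc 4200 0 - Live 0xe0a3c000
ip_conntrack_ftp 5296 0 - Live 0xe0a42000
ip_conntrack 27440 2 ip_conntrack_irc,ip_conntrack_ftp, Live 0xe0a48000'

# A firewall doing NAT for FTP and IRC: ip_nat_ftp and ip_nat_irc are reported.
printf '%s\n' "$SAMPLE_MODULES" | missing_helpers yes ftp irc
```

On a real system the check is missing_helpers yes ftp irc < /proc/modules (or lsmod | missing_helpers yes ftp irc; the lsmod header line is harmless, since "Module" is never a required module name). The typical symptom of a missing NAT helper with NAT in place is that the FTP control session works but every data transfer hangs.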


Chapter 5. Saving and restoring large rule-sets

The iptables package includes two very convenient utilities, especially if you have to deal with large rule-sets: iptables-save and iptables-restore. The first saves a rule-set to a file and the second restores it from one. The format of the rule-set file resembles an ordinary shell script, as you will see below.


5.1. Advantages

One advantage of iptables-save and iptables-restore is the speed with which large rule-sets are loaded and saved. The main drawback of loading rule-sets from shell scripts is that each iptables command copies the rule-set from kernel space to user space, inserts, appends or changes the rule, and finally copies the whole rule-set back into kernel space. This sequence is repeated for every rule that is inserted or changed.

This problem is easily solved with iptables-save and iptables-restore. iptables-save writes the rule-set to an ordinary text file in a special format, and iptables-restore loads a rule-set from such a file. The main advantage of these utilities is that they save or restore the whole rule-set in a single operation: iptables-save fetches the entire rule-set from kernel space and writes it to the file in one go, and iptables-restore loads the file and writes the rule-set for each table into kernel space in one operation per table. In other words, instead of calling into the kernel a huge number of times to fetch the rule-set and then writing it back at least as many times, you simply save the rule-set to a file and load it from there, and the number of transfers into the kernel depends only on the number of tables in use.

You have probably already realised that these utilities can be of interest to you, especially if you have to load huge rule-sets. Using them has its drawbacks, however, which we look at in the next section.


5.2. Drawbacks

You might get the impression that iptables-restore can process something like scripts. It cannot yet, and most probably never will, and this is its main drawback. To make it clearer, imagine that the firewall obtains a dynamic IP address and you want to insert that address into your rules at boot time. This is practically impossible with iptables-restore alone.

One solution is to write a small script that determines the IP address and then substitutes it (with sed, for example) for some keyword in the rule-set. You would need to create a temporary file in which the substitution is made and which is then loaded with iptables-restore. This approach brings its own problems, though: you would have to give up iptables-save, since it could overwrite the hand-made template file for iptables-restore. All in all, a rather clumsy solution.

Another option is to keep only the static rules in the iptables-restore file and add the rules with dynamic parameters from a small script afterwards. As you have no doubt realised, this solution is just as clumsy as the first. You will have to accept that iptables-restore is not well suited to dynamically assigned IP addresses, or in general to cases where the rule-set must change dynamically depending on the system configuration and so on.

Another drawback of iptables-restore and iptables-save is that their functionality does not always match the documentation. The problem is that few people use these utilities, and even fewer are involved in finding bugs in them, so with some newly added matches or targets you may run into unexpected behaviour of your rules. Despite these possible problems I still strongly recommend these two tools, which work perfectly in most cases; the exceptions are a few new matches and targets.


5.3. iptables-save

As already mentioned, iptables-save saves the current rule-set to a file that can later be used by iptables-restore. The command is very simple to use and has only two arguments.

iptables-save [-c] [-t table]



The first argument, -c (or the long form --counters), makes iptables-save save the values of the byte and packet counters. This makes it possible to restart the firewall without losing the counters, which may be used for statistics. By default, without this switch, the counters are not saved.

The -t switch (long form --table) specifies the name of the table to save. If -t is not given, all tables are saved. Below is an example of iptables-save output when the rule-set contains no rules.

# Generated by iptables-save v1.2.6a on Wed Apr 24 10:19:17 2002
*filter
:INPUT ACCEPT [404:19766]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [530:43376]
COMMIT
# Completed on Wed Apr 24 10:19:17 2002
# Generated by iptables-save v1.2.6a on Wed Apr 24 10:19:17 2002
*mangle
:PREROUTING ACCEPT [451:22060]
:INPUT ACCEPT [451:22060]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [594:47151]
:POSTROUTING ACCEPT [594:47151]
COMMIT
# Completed on Wed Apr 24 10:19:17 2002
# Generated by iptables-save v1.2.6a on Wed Apr 24 10:19:17 2002
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [3:450]
:OUTPUT ACCEPT [3:450]
COMMIT
# Completed on Wed Apr 24 10:19:17 2002

Lines beginning with # are comments. Table names begin with an asterisk (*), for example *mangle. Each table name is followed by the chain and rule specifications. Chains are written as :<chain-name> <chain-policy> [<packet-counter>:<byte-counter>], where <chain-name> is the chain name (for example PREROUTING) and <chain-policy> is the default policy (for example ACCEPT). The chain specification ends with the packet and byte counters, the same counters you get from iptables -L -v. Each table ends with the keyword COMMIT, which means that at this point the rule-set for this table is committed to kernel space.

The example above showed what an empty rule-set saved by iptables-save looks like. Below is the result of saving a small rule-set (Iptables-save ruleset):

# Generated by iptables-save v1.2.6a on Wed Apr 24 10:19:55 2002
*filter
:INPUT DROP [1:229]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
[0:0] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -i eth1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
[0:0] -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Wed Apr 24 10:19:55 2002
# Generated by iptables-save v1.2.6a on Wed Apr 24 10:19:55 2002
*mangle
:PREROUTING ACCEPT [658:32445]
:INPUT ACCEPT [658:32445]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [891:68234]
:POSTROUTING ACCEPT [891:68234]
COMMIT
# Completed on Wed Apr 24 10:19:55 2002
# Generated by iptables-save v1.2.6a on Wed Apr 24 10:19:55 2002
*nat
:PREROUTING ACCEPT [1:229]
:POSTROUTING ACCEPT [3:450]
:OUTPUT ACCEPT [3:450]
[0:0] -A POSTROUTING -o eth0 -j SNAT --to-source 195.233.192.1
COMMIT
# Completed on Wed Apr 24 10:19:55 2002

The example shows the effect of the -c argument: before each rule and in each chain line there are numbers showing the packet and byte counters. Note that iptables-save writes the rule-set to standard output, so to save it to a file the command looks like this:

iptables-save -c > /etc/iptables-save

This command writes the whole rule-set, counters included, to the file /etc/iptables-save.
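
Before a saved file is fed back to iptables-restore it is worth checking that it is complete, since each table is committed at its COMMIT line and a file cut off part-way is easy to produce with an interrupted redirect. The following shell script, added here as an example and not part of the tutorial, reads iptables-save output and, for each table, counts chains and rules and reports whether a COMMIT closes it; it also lists built-in chains of the filter table whose policy is ACCEPT, which on a firewall meant to deny by default should be an empty list. The first sample is the small rule-set shown above; the second is a constructed, truncated file. Function and variable names are mine.

```shell
#!/bin/sh
# Added example: sanity-check an iptables-save file before restoring it.

# ruleset_summary: stdin is iptables-save output. Prints one line per
# table (chains, rules, whether COMMIT closes it) and, at the end, any
# filter-table chain whose policy is ACCEPT.
ruleset_summary() {
    awk '
    /^#/ { next }                                 # comments
    /^\*/ { t = substr($0, 2); order[++n] = t; chains[t] = 0; rules[t] = 0; next }
    /^:/ {                                        # :<chain> <policy> [<pkts>:<bytes>]
        chains[t]++
        if (t == "filter" && $2 == "ACCEPT")
            open = (open == "") ? substr($1, 2) : open "," substr($1, 2)
        next
    }
    /^COMMIT/ { committed[t] = 1; next }
    /^(\[[0-9]+:[0-9]+\] )?-A / { rules[t]++; next }   # rule, with or without counters
    END {
        for (i = 1; i <= n; i++) {
            t = order[i]
            c = (t in committed) ? "yes" : "no"
            printf "%s chains=%d rules=%d commit=%s\n", t, chains[t], rules[t], c
        }
        if (open != "") print "filter chains with ACCEPT policy: " open
    }'
}

# The small rule-set saved with "iptables-save -c" in the text above.
SAVED_RULESET='# Generated by iptables-save v1.2.6a on Wed Apr 24 10:19:55 2002
*filter
:INPUT DROP [1:229]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
[0:0] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -i eth1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
[0:0] -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Wed Apr 24 10:19:55 2002
# Generated by iptables-save v1.2.6a on Wed Apr 24 10:19:55 2002
*mangle
:PREROUTING ACCEPT [658:32445]
:INPUT ACCEPT [658:32445]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [891:68234]
:POSTROUTING ACCEPT [891:68234]
COMMIT
# Completed on Wed Apr 24 10:19:55 2002
# Generated by iptables-save v1.2.6a on Wed Apr 24 10:19:55 2002
*nat
:PREROUTING ACCEPT [1:229]
:POSTROUTING ACCEPT [3:450]
:OUTPUT ACCEPT [3:450]
[0:0] -A POSTROUTING -o eth0 -j SNAT --to-source 195.233.192.1
COMMIT
# Completed on Wed Apr 24 10:19:55 2002'

# Constructed: a filter table cut off before COMMIT, still with ACCEPT
# policies everywhere.
TRUNCATED_RULESET='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT'

printf '%s\n' "$SAVED_RULESET" | ruleset_summary
printf '%s\n' "$TRUNCATED_RULESET" | ruleset_summary
```

Run it as ruleset_summary < /etc/iptables-save before restoring, or as iptables-save | ruleset_summary to check the live rule-set.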


5.4. iptables-restore

iptables-restore restores (loads) a rule-set previously saved with iptables-save. It reads the rule-set from standard input and cannot load it from a file directly. The syntax is:

iptables-restore [-c] [-n]



The -c switch (long form --counters) restores the counter values.

The -n switch (long form --noflush) tells iptables-restore to add the rules to the existing ones. By default (without -n) iptables-restore flushes the tables and chains before loading the new rule-set.

There are several ways to feed a file to iptables-restore, but the most common is:

cat /etc/iptables-save | iptables-restore -c

This reads the contents of /etc/iptables-save with cat and pipes it to the standard input of iptables-restore. A whole range of other commands could be used to load the rule-set from a file, but that is beyond the scope of this document, so I leave it to the reader to find the variant that suits best.

After this command the rule-set should be loaded and everything should work. If not, you most likely made a typing mistake in the command.
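
The sed approach from section 5.2, carried through as an added shell example (not code from the tutorial): a hand-maintained template holds a placeholder instead of the dynamic address; at boot the address is looked up, validated, substituted into a temporary copy with sed, and the copy is piped into iptables-restore. Validating the address matters because whatever the lookup returns ends up in a file that iptables-restore executes, and an empty or malformed result would otherwise produce a broken or unintended rule. The placeholder @EXT_IP@, the function names, the use of the iproute2 ip command for the lookup and the template itself are my assumptions; keeping the template in its own file, never the file iptables-save writes to, is what avoids the overwrite problem mentioned above.

```shell
#!/bin/sh
# Added example: load an iptables-restore file with a dynamic address
# substituted in. Keep the template apart from the iptables-save output
# file so that "iptables-save > file" cannot overwrite it.

# Constructed template; @EXT_IP@ stands for the current address of the
# external interface.
RULESET_TEMPLATE='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j SNAT --to-source @EXT_IP@
COMMIT'

# valid_ipv4 <addr>: four dotted decimal octets in 0..255 and nothing
# else. The result of the lookup goes into a file that iptables-restore
# executes, so only a plain address may pass.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '{
        if (NF != 4) exit 1
        for (i = 1; i <= 4; i++)
            if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
        exit 0
    }'
}

# render_ruleset <addr>: template on stdin, rendered rule-set on stdout.
render_ruleset() {
    if ! valid_ipv4 "$1"; then
        echo "render_ruleset: refusing to use '$1' as an address" >&2
        return 1
    fi
    sed "s/@EXT_IP@/$1/g"
}

# interface_ipv4 <iface>: first IPv4 address of the interface (iproute2).
interface_ipv4() {
    ip -4 -o addr show dev "$1" 2>/dev/null | awk '{ sub(/\/.*/, "", $4); print $4; exit }'
}

# load_ruleset <iface> <template-file>: render into a temporary file and
# feed it to iptables-restore (set IPTABLES_RESTORE=cat for a dry run).
load_ruleset() {
    addr=$(interface_ipv4 "$1")
    tmp=$(mktemp) || return 1
    if render_ruleset "$addr" < "$2" > "$tmp"; then
        ${IPTABLES_RESTORE:-iptables-restore} < "$tmp"
        status=$?
    else
        status=1
    fi
    rm -f "$tmp"
    return $status
}

# Render the constructed template with a documentation address.
printf '%s\n' "$RULESET_TEMPLATE" | render_ruleset 192.0.2.10
```

At boot the call would be load_ruleset eth0 /etc/iptables.template (a path of my choosing); counters are not restored because the template has none. When the interface has no address yet, interface_ipv4 returns nothing, the empty string fails validation and nothing is loaded, which is the safer failure.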


Chapter 6. How to build rules

This chapter discusses how to build your own iptables rules. Each line you insert into a chain must contain a separate rule. We also discuss the basic matches and targets, and how to create your own targets (that is, sub-chains of rules).


6.1. Basics

As said above, each rule is a line containing the matches that decide whether a packet matches the rule, and the target to execute when it does. In general a rule is written like this:

iptables [-t table] command [match] [target/jump]



Nothing says that the target/jump specification must come last on the line, but this notation is more readable. In any case, this is the way you will most often see rules written.

If the [-t table] specifier is omitted, the filter table is assumed; any other table must be given explicitly. The table specifier can also appear anywhere on the rule line, but putting it at the start of the rule is more or less the standard.

Next, directly after the table name, comes the command. If there is no table specifier, the command must always come first. The command tells iptables what to do, for example insert a rule, append a rule to the end of a chain, delete a rule, and so on.

The match part sets the criteria that decide whether or not a packet matches the rule. Here we can specify all kinds of criteria: the source IP address or network of the packet, the destination IP address, port, protocol, network interface and so on. There are many different matches, but more on that later.

Finally, the target says what should be done when the rule's matches are met. Here we can tell the kernel to send the packet to another chain of rules, drop the packet and forget about it, return an error message to the source, and so on.


6.2. Tables

The -t option specifies the table to use. By default the filter table is used. The following values can be given with -t.

Table 6-1. Tables

nat: The nat table is used mainly for Network Address Translation. Only the first packet of a stream passes through this table; the address translation is then applied automatically to all subsequent packets. This is one reason why no filtering should be done in this table. The PREROUTING chain is used to alter packets as they enter the firewall. The OUTPUT chain is used to translate addresses in packets generated by applications on the firewall itself, before the routing decision. The last chain in this table, POSTROUTING, is used to alter packets just before they leave the firewall.

mangle: This table is used to alter packet headers, for example the TTL, TOS or MARK fields. Important: the MARK field is not actually changed in the packet; instead the kernel keeps a structure that accompanies the packet all the way through the firewall, so that other rules and applications on this firewall (and only on this firewall) can use the mark for their own purposes. The table has five chains: PREROUTING, POSTROUTING, INPUT, OUTPUT and FORWARD. PREROUTING is used to alter packets as they enter the firewall, before the routing decision. POSTROUTING is used to alter packets as they leave the firewall, after the routing decision. INPUT alters packets before they are delivered to a local application on the firewall. OUTPUT alters packets coming from applications on the firewall. FORWARD alters forwarded packets after the first routing decision but before the last one. Note that the mangle table must never be used for Network Address Translation or masquerading, since the nat table exists for that purpose.

filter: The filter table is used mainly for packet filtering. Here, for example, we can DROP, LOG, ACCEPT or REJECT packets without the restrictions that apply in the other tables. It has three built-in chains. The first, FORWARD, filters packets passing through the firewall. INPUT is traversed by packets destined for local applications (the firewall itself). OUTPUT filters outgoing packets generated by applications on the firewall.

Above we looked at the main differences between the three tables. Each must be used only for its own purpose, and you must understand this: using a table for something else can weaken the protection of the firewall and the network behind it. The chapter Traversing of tables and chains covers this in more detail.


6.3. Commands

Below is the list of commands and the rules for their use. With a command we tell iptables what we intend to do, usually one of two things: add a new rule to a chain or delete an existing rule from some table. The commands used in iptables follow.

Table 6-2. Commands

Command: -A, --append
Example: iptables -A INPUT ...
Description: Appends a new rule to the end of the given chain.

Command: -D, --delete
Example: iptables -D INPUT --dport 80 -j DROP, iptables -D INPUT 1
Description: Deletes a rule from a chain. The command has two forms: in the first, a match is given with -D (see the first example); in the second, the rule number is given. If a match is given, the rule containing that match is deleted; if a number is given, the rule at that position is deleted. Rules in a chain are numbered from 1.

Command: -R, --replace
Example: iptables -R INPUT 1 -s 192.168.0.1 -j DROP
Description: Replaces one rule with another. It is mainly used while debugging new rules.

Command: -I, --insert
Example: iptables -I INPUT 1 --dport 80 -j ACCEPT
Description: Inserts a new rule into a chain. The number after the chain name is the position of the rule before which the new rule is inserted; in other words, it becomes the number of the inserted rule. The example above makes the rule the first in the INPUT chain.

Command: -L, --list
Example: iptables -L INPUT
Description: Lists the rules in the given chain; the example lists the INPUT chain. If no chain is given, the rules of all chains are listed. The output format depends on additional switches such as -n, -v and so on.

Command: -F, --flush
Example: iptables -F INPUT
Description: Flushes (deletes) all rules from the given chain (table). If neither chain nor table is given, all rules in all chains are deleted. (I would add that if no table is given with -t (--table), only the chains of the filter table are flushed. Translator's note.)

Command: -Z, --zero
Example: iptables -Z INPUT
Description: Zeroes all counters in the given chain; if no chain is given, all chains. When -v is used with -L, the packet counters of each rule are shown as well. -L and -Z may be combined: the rule list with counters is printed first and the counters are then zeroed.

Command: -N, --new-chain
Example: iptables -N allowed
Description: Creates a new chain with the given name in the given table; the example creates a chain named allowed. The name must be unique and must not clash with the reserved chain and target names (such as DROP, REJECT and so on).

Command: -X, --delete-chain
Example: iptables -X allowed
Description: Deletes the given chain from the given table. The chain must contain no rules and must not be referenced from other chains. If no chain is given, all chains in the table except the built-in ones are deleted.

Command: -P, --policy
Example: iptables -P INPUT DROP
Description: Sets the default policy for the given chain. The default policy is the action applied to packets that match none of the rules in the chain. DROP and ACCEPT may be used as the default policy.

Command: -E, --rename-chain
Example: iptables -E allowed disallowed
Description: Renames a user-defined chain; the example renames allowed to disallowed. Renaming does not change how the rules work; it is purely cosmetic.

A command must always be given. The list of available commands can be seen with iptables -h or, equivalently, iptables --help. Some commands can be used with additional switches; the list below describes these switches and their effect. Note that it does not include the options used to build matches or targets; those are discussed later.

Table 6-3. Additional options

Option: -v, --verbose
Used with: --list, --append, --insert, --delete, --replace
Description: Makes the output more verbose and is mostly used with --list. With --list, the output also includes the interface name and the packet and byte counters for each rule. The counters are printed with the multipliers K (x1000), M (x1,000,000) and G (x1,000,000,000); to make --list print exact numbers without multipliers, use the -x switch described below. With --append, --insert, --delete or --replace, -v prints a detailed report of the operation performed.

Option: -x, --exact
Used with: --list
Description: Prints all numbers in the output as exact values, without rounding and without the K, M, G multipliers. This switch is used only with --list and does not apply to other commands.

Option: -n, --numeric
Used with: --list
Description: Makes iptables print IP addresses and port numbers in numeric form instead of trying to resolve them to names. This switch is used only with --list.

Option: --line-numbers
Used with: --list
Description: Makes --list print a line number for each rule; the line number is the rule's position in the chain. This switch is used only with --list.

Option: -c, --set-counters
Used with: --insert, --append, --replace
Description: Sets the initial packet and byte counters of a new rule to the given values. For example, --set-counters 20 4000 sets the packet counter to 20 and the byte counter to 4000.

Option: --modprobe
Used with: all commands
Description: Specifies the command used to load kernel modules. It can be used when the kernel modules live outside the module search path. This switch can be used with any command.
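
An added example (mine, not the tutorial's) that checks a rule against the constraints stated in this chapter before it is handed to iptables: exactly one command is present (a command must always be given), the table is filter, nat or mangle and a built-in chain is used only in a table that has it (Table 6-1), a -P policy is ACCEPT or DROP (Table 6-2), and the -i and -o interface matches are not used in the built-in chains where the generic matches in Table 6-4 say they are rejected. The function takes the arguments you would give iptables; user-defined chain names are accepted without checking. Function names are mine.

```shell
#!/bin/sh
# Added example: lint an iptables rule line before running it.

# chain_in_table <table> <built-in chain>: true if the table has that
# chain (Table 6-1: filter has INPUT/FORWARD/OUTPUT, nat has
# PREROUTING/OUTPUT/POSTROUTING, mangle has all five).
chain_in_table() {
    case "$1:$2" in
        filter:INPUT|filter:FORWARD|filter:OUTPUT) return 0 ;;
        nat:PREROUTING|nat:OUTPUT|nat:POSTROUTING) return 0 ;;
        mangle:PREROUTING|mangle:INPUT|mangle:FORWARD|mangle:OUTPUT|mangle:POSTROUTING) return 0 ;;
    esac
    return 1
}

# check_rule <iptables arguments...>: print every problem found; return 0
# if the rule passes, 1 otherwise. Option values are only looked at where
# a check needs them; everything else is skipped.
check_rule() {
    table=filter; chain=; policy=; in_if=; out_if=; ncmd=0; errors=0
    while [ $# -gt 0 ]; do
        case $1 in
            -t|--table) table=${2:-} ;;
            -P|--policy)
                ncmd=$((ncmd + 1)); chain=${2:-}; policy=${3:-}
                if [ -z "$policy" ]; then echo "-P needs a chain and a policy"; errors=1; fi ;;
            -A|--append|-D|--delete|-R|--replace|-I|--insert|-L|--list|-F|--flush|-Z|--zero|-N|--new-chain|-X|--delete-chain|-E|--rename-chain)
                ncmd=$((ncmd + 1))
                # the chain name is optional for -L, -F, -Z and -X
                case ${2:-} in ''|-*) ;; *) chain=$2 ;; esac ;;
            -i|--in-interface)  in_if=1 ;;
            -o|--out-interface) out_if=1 ;;
        esac
        shift
    done
    if [ "$ncmd" -ne 1 ]; then
        echo "a rule needs exactly one command, found $ncmd"; errors=1
    fi
    case $table in
        filter|nat|mangle) ;;
        *) echo "unknown table '$table'"; errors=1 ;;
    esac
    case $chain in
        INPUT|FORWARD|OUTPUT|PREROUTING|POSTROUTING)
            if ! chain_in_table "$table" "$chain"; then
                echo "table $table has no $chain chain"; errors=1
            fi ;;
    esac
    if [ -n "$policy" ]; then
        case $policy in
            ACCEPT|DROP) ;;
            *) echo "policy must be ACCEPT or DROP, not $policy"; errors=1 ;;
        esac
    fi
    if [ -n "$in_if" ]; then
        case $chain in
            OUTPUT|POSTROUTING) echo "-i cannot be used in the $chain chain"; errors=1 ;;
        esac
    fi
    if [ -n "$out_if" ]; then
        case $chain in
            INPUT|PREROUTING) echo "-o cannot be used in the $chain chain"; errors=1 ;;
        esac
    fi
    return $errors
}

# Two rules in the style of this chapter and two deliberately wrong ones.
for rule in '-A INPUT -p tcp --dport 22 -j ACCEPT' \
            '-t nat -A POSTROUTING -o eth0 -j SNAT --to-source 195.233.192.1' \
            '-t nat -A INPUT -j DROP' \
            '-A OUTPUT -i eth0 -j DROP'; do
    # $rule is left unquoted on purpose so the shell splits it into arguments
    if check_rule $rule; then echo "ok:  iptables $rule"; else echo "bad: iptables $rule"; fi
done
```

A wrapper such as check_rule "$@" && iptables "$@" in a firewall script turns these mistakes into a clear message instead of an iptables error half-way through loading, with the policies of some chains already changed.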

6.4. Matches

Here we look in more detail at the matches used to select packets. I have divided them into five groups. The first is the generic matches, which can be used in any rule. The second is the TCP matches, which apply only to TCP packets. The third is the UDP matches, which apply only to UDP packets. The fourth is the ICMP matches, for ICMP packets. The fifth is the special matches, such as state, owner, limit and so on.


6.4.1. Generic matches

This section covers the generic matches. They can be used in any rule, do not depend on the protocol and do not require extension modules to be loaded. I have deliberately put the --protocol match in this group even though it is used by some protocol-specific extensions: if we decide to use a TCP match, for instance, we must also use --protocol with the protocol name, TCP, as its argument. Still, --protocol is a match in its own right, used to specify the protocol type.

Table 6-4. Generic matches

Match: -p, --protocol
Example: iptables -A INPUT -p tcp
Description: This match is used to specify the protocol type. Examples of protocols are TCP, UDP and ICMP. The list of protocols can be found in the file /etc/protocols. First of all, the protocol name passed to this match can be one of the three protocols just mentioned, or the keyword ALL. The protocol may also be given as a number, the protocol number: for example, ICMP is protocol 1, TCP is 6 and UDP is 17. The mapping between protocol numbers and names can be found in the /etc/protocols file mentioned above. The match can also take a comma-separated list of protocols, for example udp,tcp (although the author says a list of protocols can be passed, you are unlikely to get this to work! Incidentally, man iptables states explicitly that only one protocol may be given in this match. Perhaps this extension exists in patch-o-matic? Translator's note.) Passing the numeric value 0 to this match is equivalent to the ALL specifier, which is the default when the --protocol match is not used. To invert the match, the ! character is placed before the protocol name (or list); for example --protocol ! tcp means packets of the other protocols, UDP and ICMP.

Match: -s, --src, --source
Example: iptables -A INPUT -s 192.168.1.1
Description: The source IP address(es) of the packet. The source address may be written as in the example, in which case a single IP address is meant. It may also be written as address/mask, for example 192.168.0.0/255.255.255.0, or in the more modern form 192.168.0.0/24, which in effect specifies a range of addresses. As before, a ! placed before the address means logical negation, i.e. --source ! 192.168.0.0/24 means any address except 192.168.0.x.

Match: -d, --dst, --destination
Example: iptables -A INPUT -d 192.168.1.1
Description: The destination IP address(es) of the packet. The syntax is the same as for the --source match, except that it refers to the destination address. It can likewise specify a single IP address or a range of addresses. The ! character inverts the match.

Match: -i, --in-interface
Example: iptables -A INPUT -i eth0
Description: The interface on which the packet was received. This match may only be used in the INPUT, FORWARD and PREROUTING chains; anywhere else it produces an error message. When this match is absent, any interface is assumed, which is equivalent to using -i +. As before, the ! character inverts the result of the match. If the interface name ends with +, the match covers all interfaces whose names begin with the given string; for example -i PPP+ means any PPP interface, and -i ! eth+ means any interface except an eth one.

Match: -o, --out-interface
Example: iptables -A FORWARD -o eth0
Description: Specifies the name of the outgoing interface. This match may only be used in the OUTPUT, FORWARD and POSTROUTING chains; otherwise an error message is produced. When this match is absent, any interface is assumed, which is equivalent to using -o +. As before, the ! character inverts the result of the match. If the interface name ends with +, the match covers all interfaces whose names begin with the given string; for example -o eth+ means any eth interface, and -o ! eth+ means any interface except an eth one.

Match: -f, --fragment
Example: iptables -A INPUT -f
Description: The rule applies to all fragments of a fragmented packet except the first one. This is done because there is no way to determine the source/destination port of a fragment, or the type of an ICMP fragment. Fragmented packets can be used to attack your firewall, since fragments may slip past the other rules. As before, the ! character may be used to invert the match, but in this case the ! must precede the -f match, i.e. ! -f. The inverted match is read as "all first fragments of fragmented packets and/or unfragmented packets, but not the second and subsequent fragments of fragmented packets".
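
The generic matches of Table 6-4, modelled as predicates so their semantics can be checked without a kernel. This is an added example, not code from the tutorial or from iptables itself: PROTOCOLS is a small embedded subset of /etc/protocols, the packets are constructed dicts, and rule_matches is an assumed helper that ANDs the individual matches the way a rule does.

```python
"""Model of the generic matches from Table 6-4 (-p, -s, -d, -i/-o).

Added example, not code from the tutorial or from iptables itself. It shows
how each generic match decides on a packet, including the ! inversion, the
address/mask and CIDR forms, and the trailing-+ interface wildcard. Packets
are dicts constructed here; PROTOCOLS is a small embedded subset of
/etc/protocols so the example runs offline.
"""
import ipaddress

# Subset of /etc/protocols (name -> protocol number), embedded for offline use.
PROTOCOLS = {"icmp": 1, "tcp": 6, "udp": 17}


def protocol_number(spec):
    """Resolve a --protocol argument: a name, a number, or ALL (the same as 0)."""
    spec = spec.lower()
    if spec == "all":
        return 0
    if spec.isdigit():
        return int(spec)
    return PROTOCOLS[spec]      # an unknown name is an error, as in iptables


def match_protocol(packet, spec, invert=False):
    """-p/--protocol: 0 (ALL) matches everything, otherwise compare numbers."""
    want = protocol_number(spec)
    hit = want == 0 or packet["proto"] == want
    return hit != invert


def match_address(addr, spec, invert=False):
    """-s/-d: accepts a host, address/mask (192.168.0.0/255.255.255.0) or CIDR."""
    network = ipaddress.ip_network(spec, strict=False)
    hit = ipaddress.ip_address(addr) in network
    return hit != invert


def match_interface(name, spec, invert=False):
    """-i/-o: exact name, or a prefix when spec ends in '+' ('+' alone is any)."""
    if spec.endswith("+"):
        hit = name.startswith(spec[:-1])
    else:
        hit = name == spec
    return hit != invert


def rule_matches(packet, rule):
    """A rule is a dict option -> (argument, inverted); every match must hold."""
    checks = {
        "-p": lambda spec, inv: match_protocol(packet, spec, inv),
        "-s": lambda spec, inv: match_address(packet["src"], spec, inv),
        "-d": lambda spec, inv: match_address(packet["dst"], spec, inv),
        "-i": lambda spec, inv: match_interface(packet["in_if"], spec, inv),
    }
    return all(checks[opt](spec, inv) for opt, (spec, inv) in rule.items())


def demo():
    """Two constructed packets against a rule and its fully inverted twin."""
    pkt_lan = {"proto": 6, "src": "192.168.0.7", "dst": "192.168.1.1", "in_if": "eth0"}
    pkt_ppp = {"proto": 17, "src": "10.0.0.5", "dst": "192.168.1.1", "in_if": "ppp0"}
    # iptables -A INPUT -p tcp -s 192.168.0.0/24 -i eth+
    rule = {"-p": ("tcp", False), "-s": ("192.168.0.0/24", False), "-i": ("eth+", False)}
    # iptables -A INPUT -p ! tcp -s ! 192.168.0.0/24 -i ! eth+
    inverted = {"-p": ("tcp", True), "-s": ("192.168.0.0/24", True), "-i": ("eth+", True)}
    return (rule_matches(pkt_lan, rule),
            rule_matches(pkt_ppp, rule),
            rule_matches(pkt_ppp, inverted))


if __name__ == "__main__":
    print(demo())   # (True, False, True)
```

Note how `-i eth+` is a plain prefix test: `eth+` covers `eth0` and `eth10` alike, and `+` on its own matches every interface, which is why omitting `-i` is the same as writing `-i +`.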

6.4.2. Implicit matches

This section covers the implicit matches, that is, the matches that are loaded implicitly and become available, for example, when --protocol tcp is specified. At present there are three automatically loaded extensions: the TCP matches, the UDP matches and the ICMP matches (while building my own rules I found that I had to specify the -m tcp option explicitly, so there was nothing implicit about it; be careful when building your rules, and if something does not work, try loading the required extension explicitly. Translator's note.) These extensions can also be loaded explicitly with the -m or --match option, for example -m tcp.


6.4.2.1. TCP matches

This set of matches depends on the protocol type and works only with TCP packets. To use them you must specify the protocol type --protocol tcp in the rule. Important: the --protocol tcp match must come before the protocol-specific match. These extensions are loaded automatically for the tcp protocol, and likewise for the udp and icmp protocols. (I mentioned the implicit loading of extensions above. Translator's note.)

Table 6-5. TCP matches

Match: --sport, --source-port
Example: iptables -A INPUT -p tcp --sport 22
Description: The source port from which the packet was sent. The argument may be a port number or the name of a network service. The mapping of service names to port numbers can be found in the file /etc/services. Rules are processed somewhat faster when port numbers are given, but this makes script listings harder to read. If you intend to create large rule sets, say several hundred rules or more, port numbers are preferable. Port numbers may be given as a range from a minimum to a maximum, for example --source-port 22:80. If the minimum port is omitted, i.e. the match is written as --source-port :80, the range starts at 0. If the maximum port is omitted, i.e. the match is written as --source-port 22:, the range ends at 65535. The form --source-port 80:22 is also allowed; in this case iptables swaps 22 and 80, i.e. such a range is converted to --source-port 22:80. As before, the ! character inverts the match: --source-port ! 22 means any port except 22. Inversion also applies to a port range, for example --source-port ! 22:80. For further information see the description of the multiport match.

Match: --dport, --destination-port
Example: iptables -A INPUT -p tcp --dport 22
Description: The port or port range the packet is addressed to. The arguments are given in the same format as for --source-port.

Match: --tcp-flags
Example: iptables -p tcp --tcp-flags SYN,FIN,ACK SYN
Description: Specifies the mask and the flags of a TCP packet. A packet matches if, of the flags listed in the first list, exactly those in the second list are set. So in the example above the match covers packets in which the SYN flag is set and the FIN and ACK flags are cleared. The flags SYN, ACK, FIN, RST, URG and PSH may be given as arguments, as well as the reserved words ALL and NONE. ALL means ALL flags and NONE means NO flag. So the match --tcp-flags ALL NONE means "all flags in the packet must be cleared". As before, the ! character inverts the match. Important: the flag names within each list must be separated by commas; a space separates the two lists.

Match: --syn
Example: iptables -p tcp --syn
Description: The --syn match is essentially a relic inherited from ipchains. It matches packets with the SYN flag set and the ACK and FIN flags cleared, and is equivalent to --tcp-flags SYN,ACK,FIN SYN. Such packets are used to open a TCP connection. Blocking them reliably blocks all incoming connection requests, but this match cannot block outgoing connection requests. As before, the match may be inverted with !: ! --syn means "all packets that are not connection requests", i.e. all packets with the FIN or ACK flag set.

Match: --tcp-option
Example: iptables -p tcp --tcp-option 16
Description: A packet matches if its TCP option equals the given number. A TCP option is part of the packet header and consists of 3 different fields. The first 8-bit field holds information about the options used in this connection. The second 8-bit field holds the length of the option field. If we followed the standards to the letter we would have to handle every possible variant; instead we can check the first field and, if it names an option our firewall does not support, simply skip over the third field (whose length is held in the second field). A packet that does not have a complete TCP header is dropped automatically when an attempt is made to examine its TCP option. As before, the ! inversion flag may be used. Further information on TCP options can be found at the Internet Engineering Task Force.
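
The port-range and flag semantics of Table 6-5, worked through in code. This is an added example, not code from the tutorial or from iptables: SERVICES is an embedded subset of /etc/services, the flag bit values are the standard TCP header bits, and the packet flag words in demo() are constructed. It shows the range normalisation the text describes (":80", "22:", "80:22") and evaluates --tcp-flags MASK COMP as "look only at the MASK bits, they must equal COMP", from which --syn follows.

```python
"""Model of the TCP matches from Table 6-5: port ranges, --tcp-flags and --syn.

Added example, not code from the tutorial or from iptables. It normalises the
--source-port/--destination-port syntax (":80" starts at 0, "22:" ends at
65535, "80:22" is swapped to 22:80), resolves service names from a small
embedded subset of /etc/services, and evaluates --tcp-flags MASK COMP the way
the text describes: of the flags in MASK, exactly those in COMP must be set.
--syn is derived from it. Packet flag words are constructed here.
"""

# Subset of /etc/services, embedded so the example runs offline.
SERVICES = {"ssh": 22, "domain": 53, "http": 80}

# Bit values of the flags the match accepts by name (standard TCP header bits).
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL_FLAGS = sum(TCP_FLAGS.values())     # 0x3f


def port_number(token):
    """A single port, given as a number or a service name."""
    return int(token) if token.isdigit() else SERVICES[token]


def parse_port_range(spec):
    """Return (low, high) for the --source-port / --destination-port syntax."""
    if ":" not in spec:
        port = port_number(spec)
        return port, port
    lo, hi = spec.split(":", 1)
    low = port_number(lo) if lo else 0          # ":80"   -> 0:80
    high = port_number(hi) if hi else 65535     # "22:"   -> 22:65535
    if low > high:                               # "80:22" -> 22:80
        low, high = high, low
    return low, high


def match_port(port, spec, invert=False):
    """--sport/--dport with optional ! inversion."""
    low, high = parse_port_range(spec)
    return (low <= port <= high) != invert


def flag_bits(names):
    """'SYN,FIN,ACK', 'ALL' or 'NONE' -> bit mask."""
    if names == "ALL":
        return ALL_FLAGS
    if names == "NONE":
        return 0
    bits = 0
    for name in names.split(","):
        bits |= TCP_FLAGS[name]
    return bits


def match_tcp_flags(packet_flags, mask, comp, invert=False):
    """--tcp-flags MASK COMP: look only at the MASK bits; they must equal COMP."""
    hit = (packet_flags & flag_bits(mask)) == flag_bits(comp)
    return hit != invert


def match_syn(packet_flags, invert=False):
    """--syn is shorthand for --tcp-flags SYN,ACK,FIN SYN."""
    return match_tcp_flags(packet_flags, "SYN,ACK,FIN", "SYN", invert)


def demo():
    syn_only = TCP_FLAGS["SYN"]                     # a connection request
    syn_ack = TCP_FLAGS["SYN"] | TCP_FLAGS["ACK"]   # the reply to it
    null_packet = 0                                 # no flags set at all
    return {
        "syn_only --syn": match_syn(syn_only),
        "syn_ack --syn": match_syn(syn_ack),
        "syn_ack ! --syn": match_syn(syn_ack, invert=True),
        "null --tcp-flags ALL NONE": match_tcp_flags(null_packet, "ALL", "NONE"),
        "syn_ack --tcp-flags ALL NONE": match_tcp_flags(syn_ack, "ALL", "NONE"),
        "80:22 normalised": parse_port_range("80:22"),
    }
```

The SYN,ACK reply fails `--syn` because ACK is in the mask and must be clear, while RST, PSH and URG are outside the mask and are ignored entirely; `--tcp-flags ALL NONE` is the usual way to catch packets with no flags at all.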

6.4.2.2. UDP matches

This section covers the matches specific to the UDP protocol. These extensions are loaded automatically when the protocol type --protocol udp is specified. Note that UDP packets are not connection-oriented and therefore have no flags from which the purpose of a datagram could be inferred. Receiving UDP packets requires no acknowledgement from the recipient. If they are lost, they are simply lost (without triggering an ICMP error message). This means there are far fewer extra matches than for TCP packets. Important: a good firewall must handle packets of any type, UDP or ICMP, which are considered connectionless, as well as it handles TCP packets. We will talk about this later, in the following chapters.

Table 6-6. UDP matches

Match: --sport, --source-port
Example: iptables -A INPUT -p udp --sport 53
Description: The source port from which the packet was sent. The argument may be a port number or the name of a network service. The mapping of service names to port numbers can be found in the file other/services.txt. Rules are processed somewhat faster when port numbers are given, but this makes script listings harder to read. If you intend to create large rule sets, say several hundred rules or more, port numbers are preferable. Port numbers may be given as a range from a minimum to a maximum, for example --source-port 22:80. If the minimum port is omitted, i.e. the match is written as --source-port :80, the range starts at 0. If the maximum port is omitted, i.e. the match is written as --source-port 22:, the range ends at 65535. The form --source-port 80:22 is also allowed; in this case iptables swaps 22 and 80, i.e. such a range is converted to --source-port 22:80. As before, the ! character inverts the match: --source-port ! 22 means any port except 22. Inversion also applies to a port range, for example --source-port ! 22:80.

Match: --dport, --destination-port
Example: iptables -A INPUT -p udp --dport 53
Description: The port the packet is addressed to. The argument format is exactly the same as for the --source-port match.

6.4.2.3. ICMP matches

This protocol is used, as a rule, to carry error messages and to control connections. It is not subordinate to the IP protocol but works closely with it, since it helps handle error conditions. ICMP packet headers are very similar to IP headers but have some differences. The main property of this protocol is the type in the header, which says what kind of packet it is. For example, when we try to connect to an unreachable host, we get an ICMP host unreachable message in reply. The full list of ICMP message types can be found in the appendix ICMP types. There is only one match specific to ICMP packets. This extension is loaded automatically when we specify --protocol icmp. Note that the generic matches can also be used to check ICMP packets, since the source address, the destination address and so on are known.

Table 6-7. ICMP matches

Match: --icmp-type
Example: iptables -A INPUT -p icmp --icmp-type 8
Description: The ICMP message type is given by number or by name. The numeric values are defined in RFC 792. To get the list of ICMP type names run iptables --protocol icmp --help, or see the appendix ICMP types. As before, the ! character inverts the match, for example --icmp-type ! 8.

6.4.3. Explicit matches

Before these extensions can be used they must be loaded explicitly with the -m or --match option. For example, if we intend to use the state matches, we must say so explicitly in the rule: -m state to the left of the match being used. Some of these matches are still under development and may therefore not always work, but in most cases they work quite reliably. The only difference between explicit and implicit matches is that the former must be loaded explicitly while the latter are loaded automatically.


6.4.3.1. The Limit match

Must be loaded explicitly with -m limit. It is well suited to rules that write to the system log (logging) and the like. By adding this match we set an upper limit on the number of packets per unit of time that the rule can let through. The ! character may be used for inversion, for example -m limit ! --limit 5/s, which means that packets pass the rule only after the limit has been exceeded.

This match is easier to picture as a bucket with a hole in the bottom through which a certain number of packets pass per unit of time (the "leak" rate). The leak rate is exactly what the --limit value sets. The --limit-burst value sets the total "volume of the bucket". Now imagine the rule --limit 3/minute --limit-burst 5: after 5 packets arrive (within a very short time) the bucket "fills up", and every subsequent packet "overflows" the bucket, i.e. the limit takes effect. After 20 seconds the "level" in the bucket drops (according to the --limit value), so it is ready to accept one more packet without "overflowing", i.e. without the limit taking effect.

Let us look at this in more detail.

  1. Suppose we have a rule containing the match -m limit --limit 5/second --limit-burst 10. The limit-burst option set the "bucket" volume to 10. Every packet that matches the rule goes into this bucket.

  2. Suppose that within 1/1000 of a second we received 10 packets; with each packet the "level" in the "bucket" rises: 1-2-3-4-5-6-7-8-9-10.

  3. The bucket is full. Packets matching our limiting rule can no longer get into the "bucket" (there is simply no room), so they continue down the rule set until they are explicitly accepted by one of the rules or fall under the default policy.

  4. Every 1/5 of a second the "level" in the imaginary bucket drops by 1, until the "bucket" is empty. One second after the 10 packets were received, the "bucket" is ready to accept 5 more packets.

  5. It goes without saying that the "level" in the "bucket" rises by 1 with each newly arrived packet.

From the translator: For a very long time my understanding of the limit match was only intuitive, until Vladimir Kholmanov (hat off in a deep bow) explained its essence to me simply and clearly. I will try to pass on his explanation:

  1. The -m limit extension implies the --limit and --limit-burst options. If you do not specify these options they take their default values.

  2. The --limit-burst option is the maximum value of the packet counter at which the limit takes effect.

  3. The --limit option is the rate at which the burst limit counter is "wound back".

A principle that is easily implemented in C and widely used in many rate-limiting algorithms.

Table 6-8. Limit match options

Option: --limit
Example: iptables -A INPUT -m limit --limit 3/hour
Description: Sets the average rate at which the "bucket empties" per unit of time. The argument is a number of packets and a time unit. The following time units are accepted: /second /minute /hour /day. The default is 3 packets per hour, or 3/hour. The ! inversion flag is not allowed in this match.

Option: --limit-burst
Example: iptables -A INPUT -m limit --limit-burst 5
Description: Sets the maximum value of the burst limit number for the limit match. This number is incremented by one when a packet matching this rule is received while the average rate (set by --limit) of packet arrival has already been reached. This continues until the burst limit number reaches the maximum set by --limit-burst. After that the rule lets packets through at the rate set by --limit. The default value is 5. To demonstrate how this match works I wrote the script Limit-match.txt. With this script you can see how the limit match works, simply by sending ping packets at different time intervals.
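
The bucket described in the walk-through above and in Table 6-8, as a small token-bucket simulation. This is an added example, not code from the tutorial or from the netfilter limit module: the defaults (3/hour, burst 5) come from the table, the arrival timestamps are constructed, and the bucket level is kept as an exact fraction (time in integer milliseconds) so the drain arithmetic does not accumulate rounding error. The --limit argument is required to carry a unit here, as every example on the page does; abbreviations such as 5/s are accepted as prefixes of the unit names.

```python
"""Token-bucket simulation of the -m limit match (Table 6-8 and the walk-through above).

Added example, not code from the tutorial or from the netfilter limit module.
It models the "bucket" described in the text: --limit-burst is the capacity,
--limit is the rate at which the level drains, every matching packet raises
the level by one, and a packet matches only while the bucket still has room.
Defaults follow the table (3/hour, burst 5). Times are integer milliseconds
and the level is an exact Fraction, so no rounding creeps in. All packet
timings below are constructed.
"""
from fractions import Fraction

UNITS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def parse_rate(spec):
    """'5/second', '3/minute', '5/s' -> packets per millisecond, exactly."""
    count, sep, unit = spec.partition("/")
    if not sep or not unit:
        raise ValueError("a unit is required here, e.g. 5/second")
    for name, seconds in UNITS.items():
        if name.startswith(unit):          # abbreviations such as /s or /min
            return Fraction(int(count), seconds * 1000)
    raise ValueError("unknown time unit: " + unit)


class LimitMatch:
    """One -m limit instance with its own bucket."""

    def __init__(self, limit="3/hour", burst=5):
        self.rate = parse_rate(limit)     # drain rate, packets per ms (--limit)
        self.burst = burst                # capacity of the bucket (--limit-burst)
        self.level = Fraction(0)          # current fill level
        self.last_ms = None               # arrival time of the previous packet

    def check(self, now_ms):
        """True if a packet arriving at now_ms matches (there is room in the bucket)."""
        if self.last_ms is not None:
            drained = (now_ms - self.last_ms) * self.rate
            self.level = max(Fraction(0), self.level - drained)
        self.last_ms = now_ms
        if self.level + 1 <= self.burst:
            self.level += 1
            return True
        return False                      # bucket full: the packet falls through


def simulate(limit, burst, arrival_ms):
    """Feed a list of arrival times through one match; return the match results."""
    match = LimitMatch(limit, burst)
    return [match.check(t) for t in arrival_ms]


def walkthrough():
    """The text's scenario: --limit 5/second --limit-burst 10 (constructed timings)."""
    # 10 packets in the first millisecond, an 11th right after, then 6 more a second later.
    arrivals = [0] * 10 + [1] + [1001] * 6
    return simulate("5/second", 10, arrivals)


if __name__ == "__main__":
    print(walkthrough())   # 10 x True, False, 5 x True, False
```

The second scenario of the text, --limit 3/minute --limit-burst 5, behaves the same way: five packets pass, the sixth does not, and after 20 seconds exactly one more is let through, because one unit has drained at 3 per minute.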

6.4.3.2. The MAC match

The MAC (Ethernet Media Access Control) match is used to check the source MAC address of a packet. At present the -m mac extension provides a single match, but in the future it may be extended and become more useful.

Note

The extension module must be loaded explicitly with -m mac. I mention this because many people forget this option and then wonder why the match does not work.

Table 6-9. MAC match options

Option: --mac-source
Example: iptables -A INPUT -m mac --mac-source 00:00:00:00:00:01
Description: The MAC address of the network node that sent the packet. The MAC address must be given in the form XX:XX:XX:XX:XX:XX. As before, the ! character inverts the match, for example --mac-source ! 00:00:00:00:00:01, which means "a packet from any node except the one with MAC address 00:00:00:00:00:01". This match only makes sense in the PREROUTING, FORWARD and INPUT chains and nowhere else.

6.4.3.3. The Mark match

The mark match makes it possible to "mark" packets in a special way. Mark is a special field that exists only in kernel memory and is associated with a particular packet. It can be used for a wide variety of purposes, for example traffic shaping and filtering. At present there is only one way to set a mark on a packet in Linux, namely the MARK target. The mark field is an unsigned integer in the range 0 to 4294967296 on 32-bit systems.

Table 6-10. Mark match options

Option: --mark
Example: iptables -t mangle -A INPUT -m mark --mark 1
Description: The match checks packets that have previously been "marked". Marks are set by the MARK target, which we will look at below. All packets passing through netfilter have a special mark field. Remember that there is no way to pass the state of this field along with the packet onto the network. The mark field is an unsigned integer, so no more than 4294967296 different marks can be created. A mask may be used with marks; in that case the match looks like this: --mark 1/1. When a mask is given, the mark and the mask are ANDed together.

6.4.3.4. The Multiport match

The multiport extension allows several ports and port ranges to be specified in a rule.

Note

You cannot use the standard port match and the -m multiport extension (for example --sport 1024:63353 -m multiport --dport 21,23,80) at the same time. Such rules are simply rejected by iptables.

Table 6-11. Multiport match options

Option: --source-port
Example: iptables -A INPUT -p tcp -m multiport --source-port 22,53,80,110
Description: Specifies a list of source ports. Up to 15 different ports may be given with this match. The ports in the list must be separated by commas; spaces are not allowed in the list. This extension may only be used together with -p tcp or -p udp. It is mainly used as an extended version of the ordinary --source-port match.

Option: --destination-port
Example: iptables -A INPUT -p tcp -m multiport --destination-port 22,53,80,110
Description: Specifies a list of destination ports. The argument format is exactly the same as for -m multiport --source-port.

Option: --port
Example: iptables -A INPUT -p tcp -m multiport --port 22,53,80,110
Description: This match checks both the source and the destination port of the packet. The argument format is the same as for --source-port and --destination-port. Note that this match checks the ports in both directions, i.e. if you write -m multiport --port 80, the match covers packets going from port 80 to port 80.

6.4.3.5. The Owner match

The owner extension is intended to check the "owner" of a packet. Originally this extension was written as an example demonstrating the capabilities of iptables. This match may only be used in the OUTPUT chain. This restriction is imposed because at present there is no real mechanism for passing "owner" information over the network. To be fair, it should be noted that for some packets the "owner" cannot be determined even in this chain. Such packets include various ICMP responses. So this match should not be applied to ICMP response packets.

Table 6-12. Owner match options

Option: --uid-owner
Example: iptables -A OUTPUT -m owner --uid-owner 500
Description: Checks the "owner" by User ID (UID). A check of this kind can be used, for example, to block Internet access for individual users.

Option: --gid-owner
Example: iptables -A OUTPUT -m owner --gid-owner 0
Description: Checks the "owner" of the packet by Group ID (GID).

Option: --pid-owner
Example: iptables -A OUTPUT -m owner --pid-owner 78
Description: Checks the "owner" of the packet by Process ID (PID). This match is fairly awkward to use: for example, if we want to allow packets to the HTTP port only from a particular daemon, we need to write a small script that obtains the PID of the process (at least via ps) and then substitutes the PID found into the rules. An example of using this match can be found in Pid-owner.txt.

Option: --sid-owner
Example: iptables -A OUTPUT -m owner --sid-owner 100
Description: Checks the Session ID of the packet. The SID is inherited by child processes from the "parent", so, for example, all HTTPD processes have the same SID (the Apache and Roxen HTTPD servers are examples of such processes). An example of using this match can be found in Sid-owner.txt. That script can be run periodically to check that the HTTPD process is present, restart the "crashed" process if it is not, and then flush the OUTPUT chain and load it again.

6.4.3.6. The State match

The state match is used together with the connection tracking code and lets us obtain the connection state of a packet, which tells us the state of the connection, even for protocols such as ICMP and UDP. This extension must be loaded explicitly with -m state. The connection state mechanism is discussed in more detail in the chapter The state mechanism.

Table 6-13. State match options

Option: --state
Example: iptables -A INPUT -m state --state RELATED,ESTABLISHED
Description: Checks the connection state of the packet. At present 4 states can be given: INVALID, ESTABLISHED, NEW and RELATED. INVALID means the packet is associated with an unknown stream or connection and possibly contains an error in its data or header. ESTABLISHED means the packet belongs to an already established connection through which packets travel in both directions. NEW means the packet opens a new connection or belongs to a one-way stream. Finally, RELATED means the packet belongs to an already existing connection but at the same time opens a new one; examples are an FTP data transfer, or an ICMP error message related to an existing TCP or UDP connection. Note that NEW is not the same as a set SYN bit in the TCP packets that open a new connection, and such packets can be potentially dangerous when you use a single firewall to protect the network. This problem is discussed in more detail below in the chapter The state mechanism.

6.4.3.7. The TOS match

The TOS match is intended to check the bits of the TOS field. TOS (Type Of Service) is an 8-bit field in the IP packet header. The module must be loaded explicitly with -m tos.

From the translator: The description of the TOS field that follows is not taken from the original, since I find the original description somewhat vague.

This field serves the needs of packet routing. Setting any of its bits may cause a router to treat the packet differently from a packet with all TOS bits cleared. Each bit of the TOS field has its own meaning. Only one of the bits of this field may be set in a packet, so combinations are not allowed. Each bit defines a type of network service:

Minimum delay: Used when the packet's transit time must be minimal, i.e. when possible the router will choose a faster link for such a packet. For example, given a choice between a fibre-optic line and a satellite link, the faster fibre will be preferred.

Maximum throughput: Indicates that the packet should be sent over the link with the high
est throughput. Satellite links, for example, have a higher delay but high throughput.

Maximum reliability: The most reliable route is chosen, to avoid having to retransmit the packet. PPP and SLIP connections, for example, are less reliable than, say, X.25 networks, so a network provider may provide a special route with increased reliability.

Minimum cost: Used when it is important to minimise the cost (in money) of transmitting the data. For example, for a transoceanic transfer (to another continent) renting a satellite link may be cheaper than renting fibre-optic cable. Setting this bit may well send the packet along the "cheaper" route.

Normal service: All bits of the TOS field are cleared. Routing of such a packet is left entirely to the provider.

Table 6-14. TOS match options

Option: --tos
Example: iptables -A INPUT -p tcp -m tos --tos 0x16
Description: This match checks the TOS bits described above. The field is normally used for routing, but it can also be used to "mark" packets for use with iproute2 and advanced routing in Linux. The argument may be a decimal or hexadecimal number, or a mnemonic name for a bit; the mnemonics and their numeric values can be obtained by running iptables -m tos -h. The mnemonics and their values are: Minimize-Delay 16 (0x10) (Minimum delay), Maximize-Throughput 8 (0x08) (Maximum throughput), Maximize-Reliability 4 (0x04) (Maximum reliability), Minimize-Cost 2 (0x02) (Minimum cost), Normal-Service 0 (0x00) (Normal service)

6.4.3.8. The TTL match

TTL (Time To Live) is a numeric field in the IP header. Each time the packet passes a router this number is decremented by 1. If it reaches zero, an ICMP message of type 11 with code 0 (TTL equals 0 during transit) or code 1 (TTL equals 0 during reassembly) is sent back to the packet's sender. To use this match the module must be loaded explicitly with -m ttl.

From the translator: Once again the original text turned out to differ somewhat from reality; at least for iptables 1.2.6a, which is the version actually in question, there are three different matches on the TTL field: -m ttl --ttl-eq number, -m ttl --ttl-lt number and -m ttl --ttl-gt number. The purpose of these matches is clear from their syntax. Nevertheless, I give the translation of the original:

Table 6-15. TTL match options

Option: --ttl
Example: iptables -A OUTPUT -m ttl --ttl 60
Description: Checks the TTL field for equality with the given value. This match can be used when debugging a local network, for example when some machine on the LAN cannot connect to a server on the Internet, or when looking for "trojans" and so on. In general, the uses of this field are limited only by your imagination. One more example: this match can be used to find machines with a poor TCP/IP stack implementation or with OS configuration errors.

6.4.4. The Unclean match

The unclean match has no extra options; to use it, it is enough to load the module explicitly. Be careful: this module is still under development and may therefore behave incorrectly in some situations. This check is performed to pick out packets that deviate from the accepted standards, such as packets with a damaged header or an invalid checksum, but using it can also break perfectly valid connections.


6.5. Targets and jumps

Targets and jumps tell the rule what to do if a packet matches the given criteria. The most commonly used targets are ACCEPT and DROP. But first let us briefly look at the notion of jumps.

A jump is written in a rule exactly like a target: the -j option is followed by the name of the rule chain to jump to. Jumps are subject to several restrictions: first, the chain being jumped to must be in the same table as the chain the jump is made from; second, the target chain must be created before any jumps to it are made. For example, let us create the chain tcp_packets in the filter table with the command

iptables -N tcp_packets

Now we can jump to this chain like this:

iptables -A INPUT -p tcp -j tcp_packets

That is, on meeting a tcp packet, iptables jumps to the tcp_packets chain and continues the packet's traversal there. If the packet reaches the end of the chain it is returned to the calling chain (in our case INPUT) and traversal continues with the rule following the one that made the jump. If the ACCEPT target is applied to the packet in the nested chain, the packet is automatically considered accepted in the calling chain as well and no longer travels through the calling chains. It will, however, travel through the other chains in the other tables. More information on the order in which chains and tables are traversed can be found in the chapter Traversing of tables and chains.

A target is a predefined command describing the action to take if a packet matches the given criteria. For example, the DROP or ACCEPT target can be applied to a packet, depending on our needs. There are also a number of other targets, described below in this section. Some targets, such as DROP and ACCEPT, stop the packet's traversal of the chain; others, such as LOG, perform some operation and then let the packet continue to be checked; and a third group, such as DNAT and SNAT, TTL and TOS, even modify the packet, but likewise let it continue through the chain.
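
The jump, return and verdict rules of this section, played out on a toy rule engine. This is an added example, not code from the tutorial or from iptables: the Table class, the rule predicates and the packets are all constructed here, and a single table is modelled (the other tables the text mentions are out of scope). It reproduces the tcp_packets example above: a jump with -j, a fall-through back to the rule after the jump, ACCEPT inside the nested chain ending traversal of the caller, LOG as a non-terminating target, and the requirement that a chain exist before it can be jumped to.

```python
"""Model of how -j jumps and returns between chains (section 6.5).

Added example, not code from the tutorial or from iptables. One table is
modelled: built-in chains with a policy, user-defined chains created as with
-N, -j <chain> as a jump, falling off the end of a user-defined chain as a
return to the rule after the jump, and ACCEPT/DROP as terminating verdicts
that end traversal of the calling chains too. LOG is modelled as a
non-terminating target so the contrast is visible. Rules and packets are
constructed here; matches are plain predicates on a packet dict.
"""

TERMINATING = {"ACCEPT", "DROP"}
NON_TERMINATING = {"LOG"}


class Table:
    """One iptables table: chains are lists of (match, target)."""

    def __init__(self, builtin_policies):
        self.chains = {name: [] for name in builtin_policies}
        self.policies = dict(builtin_policies)      # built-in chain -> default verdict

    def new_chain(self, name):                      # iptables -N name
        if name in self.chains:
            raise ValueError("chain already exists: " + name)
        self.chains[name] = []

    def append(self, chain, match, target):         # iptables -A chain <match> -j target
        known = TERMINATING | NON_TERMINATING | set(self.chains)
        if target not in known:
            raise ValueError("jump to a chain that does not exist yet: " + target)
        self.chains[chain].append((match, target))

    def _traverse(self, chain, packet, log):
        """Walk one chain; return a verdict, or None when the end is reached."""
        for match, target in self.chains[chain]:
            if not match(packet):
                continue
            if target in TERMINATING:
                return target                        # ends every calling chain as well
            if target in NON_TERMINATING:
                log.append((chain, packet))          # LOG: record and keep going
                continue
            verdict = self._traverse(target, packet, log)   # jump into a user chain
            if verdict is not None:
                return verdict
            # fell off the end of the user chain: resume with the next rule here
        return None

    def verdict(self, builtin, packet, log=None):
        """Final verdict for a packet entering a built-in chain of this table."""
        log = [] if log is None else log
        return self._traverse(builtin, packet, log) or self.policies[builtin]


def demo():
    filt = Table({"INPUT": "DROP"})
    filt.new_chain("tcp_packets")                                       # iptables -N tcp_packets
    filt.append("INPUT", lambda p: p["proto"] == "tcp", "tcp_packets")  # -A INPUT -p tcp -j tcp_packets
    filt.append("INPUT", lambda p: p["proto"] == "udp", "ACCEPT")
    filt.append("tcp_packets", lambda p: p["dport"] == 22, "ACCEPT")
    filt.append("tcp_packets", lambda p: p["dport"] == 23, "LOG")
    log = []
    ssh = {"proto": "tcp", "dport": 22}
    telnet = {"proto": "tcp", "dport": 23}
    dns = {"proto": "udp", "dport": 53}
    return {
        "ssh": filt.verdict("INPUT", ssh, log),        # ACCEPT inside tcp_packets ends it
        "telnet": filt.verdict("INPUT", telnet, log),  # LOG, end of chain, back to INPUT, policy
        "dns": filt.verdict("INPUT", dns, log),        # never jumps, hits the second INPUT rule
        "logged": len(log),
    }


def demo_missing_chain():
    """-j to a chain that has not been created yet is rejected."""
    filt = Table({"INPUT": "DROP"})
    try:
        filt.append("INPUT", lambda p: True, "not_yet_created")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo())   # {'ssh': 'ACCEPT', 'telnet': 'DROP', 'dns': 'ACCEPT', 'logged': 1}
```

The telnet packet is the instructive case: it is logged inside tcp_packets, falls off the end of that chain, resumes in INPUT at the rule after the jump, matches nothing further and so ends with the chain policy.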


6.5.1. The ACCEPT target

This target has no extra options. When the ACCEPT target is applied to a packet, the packet stops traversing the chain (and all the calling chains, if the current chain was a nested one) and is considered ACCEPTED (that is, let through); nevertheless, the packet continues through the chains in the other tables and may be rejected there. The target is specified with -j ACCEPT.


6.5.2. The DNAT target

DNAT (Destination Network Address Translation) is used to rewrite the destination address in the IP header of a packet. If a packet matches a rule that performs DNAT, that packet and all subsequent packets of the same stream have their destination address rewritten and are passed on to the required device, host or network. This target can, for example, be used to provide access to your web server located on the local network without a real IP address. To do this you build a rule that intercepts packets going to the firewall's HTTP port and, by performing DNAT, passes them on to the web server's local address. A range of addresses may also be specified for this target, in which case the destination address for each new stream is chosen at random.

The DNAT target may only be used in the PREROUTING and OUTPUT chains of the nat table, and in nested sub-chains. It is important to remember that nested sub-chains performing DNAT must not be called from any chains other than PREROUTING and OUTPUT.

Table 6-16. The DNAT target

Option: --to-destination
Example: iptables -t nat -A PREROUTING -p tcp -d 15.45.23.67 --dport 80 -j DNAT --to-destination 192.168.1.1-192.168.1.10
Description: The --to-destination option specifies which IP address is to be substituted as the destination address. In the example above, in all packets arriving for the address 15.45.23.67 the destination address is changed to one from the range 192.168.1.1 to 192.168.1.10. As already noted above, all packets of one stream are sent to the same address, while for each new stream one of the addresses in the given range is chosen at random. A single IP address may also be given. A port or port range to which the traffic is redirected may also be given: put the port after the IP address, separated by a colon, for example --to-destination 192.168.1.1:80; a port range looks like this: --to-destination 192.168.1.1:80-100. As you can see, the syntax of the DNAT and SNAT targets is largely the same. Remember that ports may only be specified when working with the TCP or UDP protocol, with the --protocol option present in the match.

äÅÊÓÔ×ÉÅ DNAT ÄÏÓÔÁÔÏÞÎÏ ÓÌÏÖÎÏ × ÉÓÐÏÌØÚÏ×ÁÎÉÉ É ÔÒÅÂÕÅÔ ÄÏÐÏÌÎÉÔÅÌØÎÏÇÏ ÐÏÑÓÎÅÎÉÑ. òÁÓÓÍÏÔÒÉÍ ÐÒÏÓÔÏÊ ÐÒÉÍÅÒ. õ ÎÁÓ ÅÓÔØ WEB ÓÅÒ×ÅÒ É ÍÙ ÈÏÔÉÍ ÒÁÚÒÅÛÉÔØ ÄÏÓÔÕÐ Ë ÎÅÍÕ ÉÚ éÎÔÅÒÎÅÔ. íÙ ÉÍÅÅÍ ÔÏÌØËÏ ÏÄÉÎ ÒÅÁÌØÎÙÊ IP ÁÄÒÅÓ, Á WEB-ÓÅÒ×ÅÒ ÒÁÓÐÏÌÏÖÅÎ × ÌÏËÁÌØÎÏÊ ÓÅÔÉ. òÅÁÌØÎÙÊ IP ÁÄÒÅÓ $INET_IP ÎÁÚÎÁÞÅÎ ÂÒÁÎÄÍÁÕÜÒÕ, HTTP ÓÅÒ×ÅÒ ÉÍÅÅÔ ÌÏËÁÌØÎÙÊ ÁÄÒÅÓ $HTTP_IP É, ÎÁËÏÎÅà ÂÒÁÎÄÍÁÕÜÒ ÉÍÅÅÔ ÌÏËÁÌØÎÙÊ ÁÌÒÅÓ $LAN_IP. äÌÑ ÎÁÞÁÌÁ ÄÏÂÁ×ÉÍ ÐÒÏÓÔÏÅ ÐÒÁ×ÉÌÏ × ÃÅÐÏÞËÕ PREROUTING ÔÁÂÌÉÃÙ nat:

iptables -t nat -A PREROUTING --dst $INET_IP -p tcp --dport 80 -j DNAT \
--to-destination $HTTP_IP
   

According to this rule, all packets arriving at port 80 of $INET_IP are redirected to our internal web server. If we now access the web server from the Internet, everything works fine. But what happens if we try to connect to it from the LAN? The connection simply fails. Let us look at how packets going from the Internet to our web server are routed. For simplicity, let the address of the Internet client be $EXT_BOX.

  1. The packet leaves the client host $EXT_BOX, headed for $INET_IP.

  2. The packet arrives at our firewall.

  3. The firewall, according to the rule above, rewrites the destination address and passes the packet on to the other chains.

  4. The packet is sent to $HTTP_IP.

  5. The packet reaches the HTTP server, and the server sends its reply through the firewall, provided the routing table names the firewall as the gateway for $EXT_BOX. Normally the firewall is the HTTP server's default gateway.

  6. The firewall reverses the address translation in the reply, so it now looks as if the packet had been generated on the firewall itself.

  7. The packet is sent to the client $EXT_BOX.

Now let us see what happens when the request comes from a host on the same LAN. For simplicity, let the address of the LAN client be $LAN_BOX.

  1. The packet leaves $LAN_BOX.

  2. It arrives at the firewall.

  3. The destination address is rewritten, but the source address is not, i.e. the original source address stays in the packet unchanged.

  4. The packet leaves the firewall and is sent to the HTTP server.

  5. The HTTP server, preparing its reply, finds that the client is on the LAN (because the request packet carried the original source address, which now becomes the destination) and therefore sends the reply directly to $LAN_BOX.

  6. The packet arrives at $LAN_BOX. The client is confused, because the reply came from a host other than the one it sent the request to. So the client drops the reply packet and keeps waiting for the "real" reply.

The problem is solved quite simply with SNAT. The rule below does this. It forces the HTTP server to send its replies to our firewall, which then passes them on to the client.

iptables -t nat -A POSTROUTING -p tcp --dst $HTTP_IP --dport 80 -j SNAT \
--to-source $LAN_IP
   

Remember that the POSTROUTING chain is processed last of all, and by then the packet has already been through DNAT, so the match is built on the destination address $HTTP_IP.

If you think we can stop here, you are mistaken! Imagine the situation where the firewall itself is the client. Then, unfortunately, the packets are delivered to local port 80 of the firewall itself rather than to $HTTP_IP. To solve this problem too, we add the rule:

iptables -t nat -A OUTPUT --dst $INET_IP -p tcp --dport 80 -j DNAT \
--to-destination $HTTP_IP
   

Now there should be no further problems accessing our web server.

Note

Everyone should understand that these rules only take care of addressing the packets correctly. In addition to them you may need to write rules for the FORWARD chain of the filter table. Remember that by then the packets have already passed through the PREROUTING chain, so their destination addresses have already been changed by DNAT.
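The complete rule set for the scenario above, as an added example that is not part of the tutorial's own scripts: it combines the PREROUTING, POSTROUTING and OUTPUT rules with the FORWARD rules the note mentions, matching the forwarded packets on $HTTP_IP because DNAT has already happened. The addresses are constructed placeholders, and the ipt wrapper and the DRY_RUN switch are devices of this example: by default it only prints the rules so they can be reviewed, and DRY_RUN=0 applies them with iptables.

```shell
#!/bin/sh
# Added example, not from the tutorial: the full DNAT/SNAT rule set for a LAN
# web server reachable through a single public address, plus the FORWARD
# rules the note above says are still required.
# DRY_RUN=1 (default) only prints the rules; DRY_RUN=0 applies them.
DRY_RUN=${DRY_RUN:-1}

# Wrapper around iptables so the rule set can be reviewed before it is applied.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# dnat_web_rules INET_IP HTTP_IP LAN_IP
dnat_web_rules() {
    inet_ip=$1
    http_ip=$2
    lan_ip=$3

    # Internet clients: rewrite the destination before routing.
    ipt -t nat -A PREROUTING -d "$inet_ip" -p tcp --dport 80 \
        -j DNAT --to-destination "$http_ip"

    # LAN clients: POSTROUTING runs after DNAT, so match on $HTTP_IP and
    # rewrite the source so that the server replies via the firewall.
    ipt -t nat -A POSTROUTING -d "$http_ip" -p tcp --dport 80 \
        -j SNAT --to-source "$lan_ip"

    # The firewall itself as client: locally generated packets never pass
    # PREROUTING, so the same DNAT must be repeated in OUTPUT.
    ipt -t nat -A OUTPUT -d "$inet_ip" -p tcp --dport 80 \
        -j DNAT --to-destination "$http_ip"

    # Filter rules: FORWARD sees the packet after DNAT, so the destination
    # to allow is $HTTP_IP, not $INET_IP.  Replies are covered by state.
    ipt -A FORWARD -d "$http_ip" -p tcp --dport 80 \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Constructed sample addresses (documentation ranges); override as needed.
INET_IP=${INET_IP:-203.0.113.10}
HTTP_IP=${HTTP_IP:-192.168.1.20}
LAN_IP=${LAN_IP:-192.168.1.1}

dnat_web_rules "$INET_IP" "$HTTP_IP" "$LAN_IP"
```

Run it once without DRY_RUN to check the generated rules, then with DRY_RUN=0 as root to apply them; the nat rules assume forwarding is enabled in the kernel, as the SNAT section below also requires.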


6.5.3. DROP target

This target simply drops the packet, and iptables forgets it ever existed. Dropped packets stop their traversal entirely, i.e. they are not passed on to the other tables as happens with ACCEPT. Bear in mind that this target can have unwanted side effects, since it may leave dead, unclosed sockets on both the server and the client side; the REJECT target is the better choice, especially when protecting against port scans.


6.5.4. LOG target

LOG is a target used for logging individual packets and events. IP packet headers and other information of interest can be written to the log. The logged information can then be read with dmesg or syslogd, or with other programs. It is an excellent tool for debugging your rules. While debugging, it is a good idea to use LOG instead of DROP, so that you can be fully sure your firewall works as intended. Note also the ULOG target, whose capabilities will probably interest you, since it can write the logged information not to the system log but to a MySQL database and the like.

Note

Note that if you have problems with writing to the system log, this is a problem with syslogd, not with iptables or netfilter. For information on configuring syslogd, see man syslog.conf.

The LOG target has five options, listed below.

Table 6-17. LOG target options

Option --log-level
Example iptables -A FORWARD -p tcp -j LOG --log-level debug
Description Sets the logging level (log level). The full list of levels can be found in the syslog.conf manual page. Normally the following levels can be used: debug, info, notice, warning, warn, err, error, crit, alert, emerg and panic. The keyword error means the same as err, warn the same as warning and panic the same as emerg. Important: of those three pairs, error, warn and panic should not be used. The priority determines how messages are written to the log. All messages are logged through the kernel logging facility. If you put the line kern.=info /var/log/iptables in syslog.conf, all your iptables messages that use the info level are written to /var/log/iptables. However, this file also receives other messages from other subsystems that use the info level. For more information on syslog and syslog.conf I recommend the man pages and HOWTOs.
Option --log-prefix
Example iptables -A INPUT -p tcp -j LOG --log-prefix "INPUT packets"
Description This option sets the text (prefix) that precedes every iptables log message. Messages with a specific prefix can then easily be found, for example with grep. The prefix may be up to 29 characters long, including spaces.
Option --log-tcp-sequence
Example iptables -A INPUT -p tcp -j LOG --log-tcp-sequence
Description This option logs the TCP sequence number of the packet. The TCP sequence number identifies each packet within a stream and determines the order in which the stream is reassembled. This option is a potential security risk if the system log is readable by all users, as is any other log containing iptables messages.
Option --log-tcp-options
Example iptables -A FORWARD -p tcp -j LOG --log-tcp-options
Description This option logs various options from the TCP packet header. This can be useful for debugging. The option takes no additional parameters, like most LOG options.
Option --log-ip-options
Example iptables -A FORWARD -p tcp -j LOG --log-ip-options
Description This option logs various options from the IP packet header. It is much like --log-tcp-options, but works only on the IP header.
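As an added example that is not part of the tutorial, the following script shows what a --log-prefix is for on the receiving side: it parses kernel messages written by the LOG target, selects them by prefix and counts hits per source address and destination port, the kind of summary used to spot repeated connection attempts. The log lines are constructed samples in the format LOG writes through syslog. One assumption to note: the kernel prints the prefix immediately before IN=, so the prefix given to summarize_log (and to --log-prefix) ends with a space, as in "INPUT packets ".

```shell
#!/bin/sh
# Added example, not from the tutorial: summarise LOG target output by prefix.

# Constructed sample log lines in the format the LOG target produces.
sample_log() {
    cat <<'EOF'
Mar 10 12:00:01 fw kernel: INPUT packets IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 10 12:00:02 fw kernel: INPUT packets IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=40002 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 10 12:00:03 fw kernel: INPUT packets IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=3 DF PROTO=TCP SPT=51000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 10 12:00:04 fw kernel: FORWARD drop IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=198.51.100.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4 DF PROTO=UDP SPT=1024 DPT=53 LEN=40
Mar 10 12:00:05 fw sshd[123]: Accepted publickey for admin from 192.168.1.5 port 50022
EOF
}

# summarize_log PREFIX < logfile
# Prints "COUNT SRC DPT" lines for kernel messages carrying PREFIX,
# sorted by count (descending) and then by source address.
summarize_log() {
    prefix=$1
    awk -v prefix="$prefix" '
        # Only kernel messages with our prefix are LOG output we asked for;
        # the prefix is printed directly before IN=, hence the trailing space.
        index($0, "kernel: " prefix) == 0 { next }
        {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "" && dpt != "") count[src " " dpt]++
        }
        END {
            for (k in count) print count[k], k
        }' | sort -k1,1nr -k2,2
}

# On a real system replace sample_log with e.g.: grep kernel /var/log/messages
sample_log | summarize_log "INPUT packets "
```

Because the summary keys on SRC and DPT only, the same function works for every prefix you log with, so one LOG rule per chain with a distinct prefix is enough to separate the reports.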

6.5.5. MARK target

Used to set mark values on particular packets. This target can only be used within the mangle table. Marks are typically used for routing packets along different routes, for traffic shaping and so on. For more information see the Linux Advanced Routing and Traffic Control HOW-TO. Remember that the mark exists only while the packet is inside the firewall, i.e. it is not carried across the network. If you need to mark packets in a way that another machine can use, you might try manipulating the bits of the TOS field.

Table 6-18. MARK target options

Option --set-mark
Example iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-mark 2
Description The --set-mark option sets a mark on the packet. It must be followed by an unsigned integer.

6.5.6. MASQUERADE target

Masquerading (MASQUERADE) is basically the same as SNAT, except that it has no --to-source option. The reason is that masquerading is meant to work with, for example, dial-up or DHCP connections, i.e. in cases where the device's IP address is assigned dynamically. If you have a dynamic connection, use masquerading; if you have a static IP connection, SNAT is without doubt the better choice.

Masquerading takes the IP address from the given network interface instead of having it stated explicitly, as is done with --to-source in SNAT. MASQUERADE has the useful property of forgetting connections when the network interface goes down. With SNAT, in the same situation, entries for the lost connections remain in the connection tracking table and may be kept for up to a day, consuming valuable memory. The forgetting is appropriate because when an interface with a dynamic IP address goes down, it is likely to get a different address the next time it comes up; in that case any connections are lost anyway, and it would be foolish to keep the tracking information.

As you have gathered, MASQUERADE can be used instead of SNAT even if you have a permanent IP address, but despite its advantages it should not be considered the preferred choice in that case, since it puts a greater load on the system.

MASQUERADE may only be used in the POSTROUTING chain of the nat table, just like SNAT. MASQUERADE takes one option, described below, whose use is optional.

Table 6-19. MASQUERADE target

Option --to-ports
Example iptables -t nat -A POSTROUTING -p TCP -j MASQUERADE --to-ports 1024-31000
Description The --to-ports option sets the source port or range of source ports of the outgoing packet. A single port may be given, e.g. --to-ports 1025, or a range, as in --to-ports 1024-3000. This option can only be used in rules whose match explicitly specifies the TCP or UDP protocol with --protocol.

6.5.7. MIRROR target

The MIRROR target should only be used for experiments and demonstration purposes, since it can cause packets to loop and so result in a denial of service. MIRROR inverts the source and destination fields of the packet and sends it back out onto the network. Using this target can have rather amusing results; it is probably quite entertaining to watch some wannabe hacker trying to break into his own computer!

This target may only be used in the INPUT, FORWARD and PREROUTING chains, and in chains called from those three. Packets sent out by MIRROR are not subjected to filtering, connection tracking or NAT again, which avoids loops and other trouble. This does not mean the target is free of problems, however. Suppose, for example, that on a host using MIRROR a packet with a TTL of 255 is crafted, addressed to that very host, and the packet matches the mirroring rule. The packet is reflected back to the same host, and since there is only 1 hop between receiver and sender, the packet bounces back and forth 255 times. Not bad for a cracker: with a packet size of 1500 bytes, we lose up to 380 KB of bandwidth!


6.5.8. QUEUE target

The QUEUE target queues the packet for processing by a user-space program. It can be used for accounting, proxying or additional packet filtering.

Translator's note: at this point the author discusses at length that the subject is far beyond the scope of this document and so on, so, without further ado, I quote here an excerpt from http://antonio.mccinet.ru/protection/iptables_howto.html in the translation of Evgeny Danilchenko aka virii5, eugene@kriljon.ru

"...For this target to be useful, two more components are needed:

  1. a "queue handler", which does the work of passing packets between the kernel and the user-space application; and

  2. a user-space application that receives, possibly manipulates, and decides the fate of the packets.

The standard queue handler for IPv4 is the ip_queue module, which is distributed with the kernel and marked as experimental. Below is an example of how iptables can be used to pass packets to a user-space application:

# modprobe iptable_filter
# modprobe ip_queue
# iptables -A OUTPUT -p icmp -j QUEUE

With this rule, locally generated ICMP packets (such as those produced by, say, the ping command) are passed to the ip_queue module, which then tries to hand them to a user-space application. If no such application is found, the packets are dropped. To write a user-space packet handling program, use the libipq API. It is distributed with the iptables package. Examples can be found in the testsuite tools (e.g. redirect.c) in CVS. The status of ip_queue can be checked via: /proc/net/ip_queue. The maximum queue length (i.e. the number of packets passed to the user-space application without a verdict being returned) can be controlled via: /proc/sys/net/ipv4/ip_queue_maxlen. By default the maximum queue length is 1024. Once this limit is reached, new packets are dropped until the queue falls back below the limit. Well-behaved protocols such as TCP interpret dropped packets as congestion and cope with it successfully (as far as I recall, the packet is simply retransmitted by the remote side; translator's note). However, some experimentation may be needed to determine the optimal queue length for a given case if the default is too small..."


6.5.9. REDIRECT target

Redirects packets and streams to another port on the same machine. For example, packets arriving at the HTTP port can be redirected to the port of an HTTP proxy. REDIRECT is very convenient for transparent proxying, where the machines on the LAN are not even aware that a proxy exists.

REDIRECT may only be used in the PREROUTING and OUTPUT chains of the nat table and, of course, in user-defined chains called from those. REDIRECT takes only one option.

Table 6-20. REDIRECT target

Option --to-ports
Example iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
Description The --to-ports option sets the destination port or port range. Without --to-ports no port redirection takes place, i.e. the packet goes to the port it was originally addressed to. In the example above, --to-ports 8080 specifies a single destination port. To specify a range we would write something like --to-ports 8080-8090. This option can only be used in rules whose match explicitly specifies the TCP or UDP protocol with --protocol.

6.5.10. REJECT target

REJECT is generally used in the same situations as DROP, but unlike DROP, REJECT sends an error message back to the host that sent the packet. At present REJECT can only be used in the INPUT, FORWARD and OUTPUT chains (and in user-defined chains called from them). So far there is only one option controlling the behaviour of REJECT.

Table 6-21. REJECT target

Option --reject-with
Example iptables -A FORWARD -p TCP --dport 22 -j REJECT --reject-with tcp-reset
Description Specifies which reply message to send when a packet matches the rule. When REJECT is applied to a packet, the specified reply is first sent to the sending host, and then the packet is dropped. The following reply types may be used: icmp-net-unreachable, icmp-host-unreachable, icmp-port-unreachable, icmp-proto-unreachable, icmp-net-prohibited and icmp-host-prohibited. The default is port-unreachable. All of the above reply types are ICMP error messages. More information on ICMP message types can be found in the appendix ICMP types. Finally, there is one more reply type, tcp-reset, which is used only for the TCP protocol. If tcp-reset is given, REJECT replies with a TCP RST packet; TCP RST packets are used to close TCP connections. For more information see RFC 793 - Transmission Control Protocol. (The list of ICMP reply types and their aliases can be obtained with the command iptables -j REJECT -h. Translator's note.)

6.5.11. RETURN target

The RETURN target stops the packet's traversal of the current chain and returns it to the calling chain if the current chain is a user-defined one; if the current chain is a built-in one (for example INPUT), the chain's default policy is applied to the packet. Usually the default policy is set to ACCEPT or DROP.

For example, suppose a packet traverses the INPUT chain and hits a rule that jumps to a user-defined chain with --jump EXAMPLE_CHAIN. In EXAMPLE_CHAIN the packet then hits a rule with --jump RETURN. The packet is then returned to the INPUT chain. As another example, suppose the packet hits a --jump RETURN rule in the INPUT chain itself. Then the default policy of the INPUT chain is applied to the packet.


6.5.12. SNAT target

SNAT is used for Source Network Address Translation, i.e. changing the source IP address in the IP header of a packet. For example, this target can be used to give other computers on the LAN access to the Internet while having only one public IP address. To do this, packet forwarding must be enabled in the kernel, and rules are then created that translate the source addresses of our LAN into the real external address. As a result, the outside world knows nothing of our LAN; it sees all requests as coming from our firewall.

SNAT may only be used in the POSTROUTING chain of the nat table. In other words, this is the only place where source addresses may be translated. If the first packet of a connection has its source address translated, all subsequent packets of that connection are translated automatically and do not pass through this chain of rules.

Table 6-22. SNAT target

Option --to-source
Example iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to-source 194.236.50.155-194.236.50.160:1024-32000
Description The --to-source option specifies the source address to assign to the packet. It is simple: you give the IP address to be written into the packet header as the source. If you intend to balance the load between several firewalls, you can give a range of addresses, with the first and last addresses of the range separated by a hyphen, e.g. 194.236.50.155-194.236.50.160. A specific IP address is then chosen at random from the range for each new stream. A range of ports to be used exclusively for SNAT may also be given. All source ports are then mapped into that range. iptables tries to avoid remapping ports where possible, but this is not always possible, and then ports are remapped. If no port range is given, source ports below 512 are mapped into the range 0-511, ports in the range 512-1023 are mapped into 512-1023, and finally ports in the range 1024-65535 are mapped into 1024-65535. Destination ports are never remapped.

6.5.13. TOS target

The TOS target is used to set bits in the Type of Service field of the IP header. The TOS field is 8 bits wide and is used for routing packets. It is one of several fields used by iproute2. It is also important to remember that this field may be processed by various routers when choosing a route for the packet. As noted above, this field, unlike MARK, keeps its value as the packet travels across the network, and can therefore be used for routing the packet. Today most routers on the Internet ignore this field, but there are some that look at it. If you use this field for your own purposes, such routers may make wrong routing decisions, so it is best to use it for your own purposes only within your WAN or LAN.

Caution

The TOS target accepts only the predefined numeric values and mnemonics that you can find in linux/ip.h. If you really need to set arbitrary values in the TOS field, you can use the FTOS patch from the Paksecured Linux Kernel patches site maintained by Matthew G. Marsh. Be extremely careful with this patch, however. Non-standard TOS values should not be used except in special situations.

Note

This target may only be used within the mangle table.

Note

In some old versions of iptables (1.2.2 and below) this target is implemented with a bug (the packet checksum is not corrected), which breaks the protocol exchange and as a result such connections are dropped.

The TOS target has only one option, described below.

Table 6-23. TOS target

Option --set-tos
Example iptables -t mangle -A PREROUTING -p TCP --dport 22 -j TOS --set-tos 0x10
Description The --set-tos option specifies a numeric value in decimal or hexadecimal. Since the TOS field is 8 bits wide, you may give a number from 0 to 255 (0x00 - 0xFF). However, most values of this field are not used at all. It is quite possible that the numeric values will change in future TCP/IP implementations, so to avoid mistakes it is better to use the mnemonics: Minimize-Delay (16 or 0x10), Maximize-Throughput (8 or 0x08), Maximize-Reliability (4 or 0x04), Minimize-Cost (2 or 0x02) or Normal-Service (0 or 0x00). By default most packets are marked Normal-Service, or 0. The list of mnemonics can be obtained with the command iptables -j TOS -h.

6.5.14. TTL target

The TTL target is used to change the Time To Live field in the IP header. One application of this target is to set the Time To Live field of ALL outgoing packets to the same value. Why? Some ISPs strongly dislike several computers sharing one connection; if we set the same TTL on all packets, we deny the ISP one of its criteria for detecting that the Internet connection is shared by several computers. An example is TTL = 64, which is the default for the Linux kernel.

For more information on setting the default value, see ip-sysctl.txt, which you will find in the appendix Other resources and links.

The TTL target may only be used in the mangle table and nowhere else. It takes 3 options, described below.

Table 6-24. TTL target

Option --ttl-set
Example iptables -t mangle -A PREROUTING -i eth0 -j TTL --ttl-set 64
Description Sets the TTL field to the given value. A value of about 64 is considered optimal; it is neither too high nor too low. Do not set too high a value, as this can have unpleasant consequences for your network. Imagine a packet looping between two misconfigured routers; with large TTL values there is a risk of losing a significant share of the link's bandwidth.
Option --ttl-dec
Example iptables -t mangle -A PREROUTING -i eth0 -j TTL --ttl-dec 1
Description Decrements the TTL field by the given number. For example, if an incoming packet has a TTL of 53 and we apply --ttl-dec 3, the packet leaves our host with a TTL of 49. Remember that the network code itself decrements the TTL by 1, so in fact we get 53 - 3 - 1 = 49.
Option --ttl-inc
Example iptables -t mangle -A PREROUTING -i eth0 -j TTL --ttl-inc 1
Description Increments the TTL field by the given number. Taking the previous example, if a packet arrives with TTL = 53, then after --ttl-inc 4 it leaves our host with TTL = 56; remembering the automatic decrement by the kernel's network code, we in fact get 53 + 4 - 1 = 56. Incrementing the TTL can be used to make our firewall less visible to traceroutes. Traceroute programs are loved for the valuable information they give when looking for problem spots in the network, and hated for the same reason, since crackers can use that information for unworthy ends. An example of use can be found in the Ttl-inc.txt script.

6.5.15. ULOG target

The ULOG target provides user-space logging of packets. It replaces the traditional LOG target, which is based on the system log. With this target the packet is passed over netlink sockets to a special daemon, which can do very detailed logging in various formats (a plain text file, a MySQL database, etc.) and also supports plugins for producing different output formats and handling network protocols. The user-space part, ulogd, can be obtained from the ULOGD project page.

Table 6-25. ULOG target

Option --ulog-nlgroup
Example iptables -A INPUT -p TCP --dport 22 -j ULOG --ulog-nlgroup 2
Description The --ulog-nlgroup option tells ULOG which netlink group to send the packet to. There are 32 groups in all (1 to 32). If you want to send the packet to group 5, simply give --ulog-nlgroup 5. The default is group 1.
Option --ulog-prefix
Example iptables -A INPUT -p TCP --dport 22 -j ULOG --ulog-prefix "SSH connection attempt: "
Description The --ulog-prefix option has the same meaning as the corresponding option of the LOG target. The prefix string must not exceed 32 characters.
Option --ulog-cprange
Example iptables -A INPUT -p TCP --dport 22 -j ULOG --ulog-cprange 100
Description The --ulog-cprange option specifies how many bytes of the packet to pass to the ULOG daemon. If 100 is given, as in the example, only 100 bytes of the packet are passed to the daemon, i.e. the packet header and some part of the packet's payload. If 0 is given, the whole packet is passed regardless of its size. The default is 0.
Option --ulog-qthreshold
Example iptables -A INPUT -p TCP --dport 22 -j ULOG --ulog-qthreshold 10
Description The --ulog-qthreshold option sets the size of the buffer in kernel space. For example, if the buffer size is set to 10, as in the example, the kernel accumulates logged packets in an internal buffer and passes them to user space in batches of 10. The default is 1, for backward compatibility with early versions of ulogd, which could not accept batches of packets.

Chapter 7. The rc.firewall file

In this chapter we look at firewall setup using the rc.firewall.txt script as an example. We take each basic setting and look at how it works and what it does. This may give you ideas for solving your own problems. To run this script you will need to modify it to fit your network configuration; in most cases changing the variables is enough.

Note

It should be noted that there are more efficient ways of writing rule sets, but I aimed for readability, so that anyone can understand the script without deep knowledge of the BASH shell.


7.1. The rc.firewall example

So, everything is ready for going through the example file rc.firewall.txt (the script is included in this document in the appendix Example scripts). It is fairly large, but only because of the large number of comments. I suggest you look through the file now to get an idea of its contents and then come back here for a more detailed explanation.


7.2. Description of the rc.firewall script

7.2.1. Configuration

The first part of rc.firewall.txt is the configuration section. Here the basic firewall settings that depend on your network configuration are defined. The IP addresses, for example, will certainly need to be changed to your own. The variable $INET_IP must hold your public IP address; if you connect to the Internet via DHCP, look at the rc.DHCP.firewall.txt script instead. Likewise, $INET_IFACE must name the device through which you connect to the Internet. This could be, for example, eth0, eth1, ppp0, tr0 and so on.

This script contains no settings specific to DHCP or PPPoE, so those sections are left empty. The same goes for the other empty sections. This is deliberate, so that you can see the differences between the scripts more clearly. If you need to fill in these sections, you can take them from the other scripts or write your own.

The Local Area Network section must contain the settings matching your LAN configuration. You must give the firewall's local IP address, the interface connected to the LAN, the netmask and the broadcast address.

Next comes the Localhost Configuration section, which you will hardly ever need to change. It specifies the loopback interface lo and the local IP address 127.0.0.1. After Localhost Configuration comes the Iptables Configuration section. Here the variable $IPTABLES is set to the path of the iptables binary (usually /usr/local/sbin/iptables). If you installed iptables from source, the path may differ somewhat from the one in the script (for example /usr/sbin/iptables), but in most distributions iptables is located there.


7.2.2. Loading extra modules

First, /sbin/depmod -a is run to refresh the module dependency list; then the modules the script needs are loaded. Load only the modules your rule set actually uses. Suppose, for whatever reason, we built support for the LOG, REJECT and MASQUERADE targets as loadable modules and now want to write rules that use those targets; the corresponding modules then have to be loaded with:

/sbin/insmod ipt_LOG
/sbin/insmod ipt_REJECT
/sbin/insmod ipt_MASQUERADE

(This insmod form, with a bare module name, works with the 2.4-series tools the script was written for. With module-init-tools on 2.6 and later kernels, insmod expects a file path; use modprobe ipt_LOG and so on instead, which also resolves dependencies and makes the depmod step unnecessary.)

Caution

In my scripts I load every required module explicitly, to avoid failures later on. If loading a module produces an error there can be many reasons, but the most common one is that the code in question was compiled statically into the kernel rather than as a module, in which case there is nothing to load and the error is harmless. For more on this, see the section Module loading problems.

The next section lists a number of modules that this script does not use but which are included as examples. One of them is ipt_owner, which can be used to allow only certain local users to open connections from the firewall machine itself, thereby raising the level of security. For the ipt_owner match criteria, see the Owner match section of the chapter How a rule is built.

We can also load extra modules for state matching. All modules that extend connection tracking are named ip_conntrack_* and ip_nat_*. They track connections for specific protocols. FTP, for example, is a complex protocol by definition: it carries connection information (address and port) inside the data portion of its packets. So when a host on our LAN asks an FTP server on the Internet for a data connection through the firewall, the LAN host's private address is sent inside the packet. Private address ranges are not routable on the Internet, so the server cannot do anything useful with that address and the data connection fails. The FTP NAT helper rewrites that embedded address as well, so the server sees our external address and can connect. The same problem arises with DCC file transfers and chats over IRC: setting up a DCC session means sending an IP address and port over the IRC protocol, and that traffic also passes through the firewall's NAT. Without the helper modules, FTP and IRC through NAT work only partially. You might, for instance, be able to receive files over DCC but not send them, because of the way DCC "starts" a connection: you tell the receiving side that you want to send a file and where it should connect. Without the DCC helper, that request effectively asks an outside host to connect to a private address inside our LAN, which simply fails. With the helper the receiver gets a correct, reachable address and everything works.

Note

If mIRC DCC has problems passing through the firewall while other IRC clients work fine, read the section mIRC DCC problems in the appendix Common problems and questions.

More information on the conntrack and nat modules is in the appendix Common problems and questions; also remember the documentation shipped with the iptables package. Some of these helpers are not in the stock kernel; to get them you need to install patch-o-matic and rebuild the kernel, as explained earlier in the chapter Preparations.

Note

Note that you need the ip_nat_irc and ip_nat_ftp modules only if you want Network Address Translation to work correctly with the FTP and IRC protocols. The ip_conntrack_irc and ip_conntrack_ftp modules must be loaded before the corresponding NAT modules.


7.2.3. /proc set up

Here we turn on IP forwarding by writing a 1 to /proc/sys/net/ipv4/ip_forward:

echo "1" > /proc/sys/net/ipv4/ip_forward

Warning

Think about where and when you turn forwarding on. In this and the other scripts in this tutorial we enable forwarding before any iptables rules are created. Between the moment forwarding starts and the moment the rule set is complete, anything from a few milliseconds to minutes may pass, depending on how much the script does and how fast the machine is. During that window the firewall forwards packets with no rules in place, so an attacker could pass straight through it. In a production set-up, therefore, enable forwarding only after the complete rule set has been loaded (or at least set the default policies to DROP first, so that nothing is forwarded until the rules exist). I put it at the top here purely for readability.

If you need dynamic IP support (SLIP, PPP or DHCP), uncomment the line:

echo "1" > /proc/sys/net/ipv4/ip_dynaddr

If you want to enable any other options, consult the documentation for them first. A good, concise document on the /proc file system ships with the kernel sources. Links to other documents are in the appendix Other resources and links.

Note

rc.firewall.txt and all the other scripts in this tutorial contain a small section of non-required /proc settings. However tempting these options look, do not enable them until you are sure you understand exactly what they do.

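The module-loading and /proc steps above, written the way a practitioner would script them today. This is an added example, not code from rc.firewall.txt: it uses modprobe rather than insmod, treats "already built into the kernel" as success by consulting the kernel's own lists of available targets and matches, loads each ip_conntrack_<proto> helper before its ip_nat_<proto> counterpart, and switches ip_forward off at this point so that it can be switched on only after the rules exist. The module names are the 2.4-era ones the tutorial uses (newer kernels call them nf_conntrack_*, nf_nat_* and xt_*); the /proc paths and the DRY_RUN and DYNAMIC_IP variables are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of rc.firewall.txt: load the netfilter modules a
# rule set needs, treating "already built into the kernel" as success, and
# apply the /proc settings.  DRY_RUN=1 (the default here) prints what would
# be done instead of doing it.  Paths are the usual ones but are assumptions.

DRY_RUN="${DRY_RUN:-1}"
PROC_TARGETS="${PROC_TARGETS:-/proc/net/ip_tables_targets}"
PROC_MATCHES="${PROC_MATCHES:-/proc/net/ip_tables_matches}"
DYNAMIC_IP="${DYNAMIC_IP:-0}"   # 1 for SLIP/PPP/DHCP links

# Does the running kernel already provide this target or match?  The two
# proc files list one name per line once ip_tables is active.
kernel_provides() {             # $1 = name, $2 = proc file
    [ -r "$2" ] && grep -qx "$1" "$2"
}

# Load one module.  modprobe, unlike the insmod of the original script,
# resolves the module path and its dependencies itself, so depmod -a is not
# needed beforehand.
load_module() {                 # $1 = module, $2 = feature name, $3 = proc file
    if [ "$DRY_RUN" = 1 ]; then
        echo "modprobe $1"
        return 0
    fi
    modprobe "$1" 2>/dev/null && return 0
    # modprobe fails for code compiled statically into the kernel; the
    # feature is usable anyway, so check for it before giving up.
    if [ -n "$2" ] && kernel_provides "$2" "$3"; then
        return 0
    fi
    echo "firewall: cannot load $1 and the kernel does not provide $2" >&2
    return 1
}

# Order matters: ip_conntrack before everything that tracks state, and each
# ip_conntrack_<proto> before its ip_nat_<proto>.
load_required_modules() {
    load_module ip_tables        ""         ""              &&
    load_module iptable_filter   ""         ""              &&
    load_module ip_conntrack     ""         ""              &&
    load_module iptable_nat      ""         ""              &&
    load_module ipt_state        state      "$PROC_MATCHES" &&
    load_module ipt_LOG          LOG        "$PROC_TARGETS" &&
    load_module ipt_REJECT       REJECT     "$PROC_TARGETS" &&
    load_module ipt_MASQUERADE   MASQUERADE "$PROC_TARGETS" &&
    load_module ip_conntrack_ftp ""         ""              &&
    load_module ip_nat_ftp       ""         ""              &&
    load_module ip_conntrack_irc ""         ""              &&
    load_module ip_nat_irc       ""         ""
}

# Modules the tutorial lists but the rule set does not use (ipt_owner, for
# instance) are loaded only when explicitly asked for.
load_optional_modules() {
    for m in "$@"; do
        load_module "$m" "" "" || return 1
    done
}

set_proc() {                    # $1 = /proc/sys file, $2 = value
    if [ "$DRY_RUN" = 1 ]; then echo "echo $2 > $1"; else echo "$2" > "$1"; fi
}

# ip_forward is switched OFF here and switched on only at the very end of the
# firewall script: forwarding with no rules in place is an open door.
configure_proc() {
    set_proc /proc/sys/net/ipv4/ip_forward 0
    if [ "$DYNAMIC_IP" = 1 ]; then
        set_proc /proc/sys/net/ipv4/ip_dynaddr 1
    fi
}

load_required_modules && configure_proc
```

Run it as is to see the commands it would issue; run it as root with DRY_RUN=0 to apply them. A module that fails to load and whose target or match is not listed by the kernel aborts the sequence with a non-zero status, so a calling script can refuse to continue rather than silently build a rule set that references a missing target.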

7.2.4. Displacement of rules to different chains

This section is about user-defined chains, specifically the ones defined in rc.firewall.txt. The way I split the rules into extra chains may not suit every situation; I hope at least to show you the possible pitfalls. This section draws heavily on the chapter Traversing of tables and chains, so it would do no harm to look through that chapter again, at least briefly.

By spreading the rule set over user-defined chains I save CPU time without losing either security or readability. Instead of sending every TCP packet through the whole rule set (including the ICMP and UDP rules), I pick out the TCP packets and send them through a chain meant for TCP packets only, which reduces the load on the machine. The figure below sketches the order in which packets traverse netfilter; it is deliberately simpler than the diagram in the chapter Traversing of tables and chains.

The figure is mainly there to refresh your memory. The example script assumes that we have one LAN, one firewall and a single Internet connection with a static IP address (as opposed to PPP, SLIP, DHCP and the like). It also assumes that the LAN reaches the Internet through the firewall, that we fully trust our LAN and therefore do not restrict traffic leaving it, but that the Internet cannot be trusted and access from it into the LAN must be restricted. The principle is "everything not explicitly allowed is denied": we set the default policy to DROP, so that any connection we have not explicitly permitted is cut off.

Now let's look at what we need to do and how.

First, we allow connections from the LAN to the Internet. That needs Network Address Translation, which is done in the POSTROUTING chain of the nat table (translator's note: the original says PREROUTING, evidently a slip, since the script fills POSTROUTING and, as we already know, SNAT is done in the POSTROUTING chain of the nat table), the last chain the script fills. Some filtering in the FORWARD chain is also implied. Trusting our LAN enough to pass all of its traffic to the Internet does not mean trusting the Internet, so access to our machines from outside has to be restricted. In our case we let packets into the LAN only when they belong to an already established connection, or open a new connection that is related to an existing one (ESTABLISHED and RELATED).

As for the firewall machine itself, we keep the services it exposes to the Internet to a minimum: only HTTP, FTP, SSH and IDENTD. These are accepted in the INPUT chain, so the corresponding reply traffic must be allowed out in the OUTPUT chain. Since we trust the LAN, we add rules for the LAN address range, for the loopback interface and for the loopback address (127.0.0.1). As mentioned earlier, certain address ranges are reserved for private networks; they are not routable on the Internet and are normally not forwarded by providers. We therefore drop any traffic arriving from the Internet whose source address lies in one of those private ranges, since it can only be spoofed. Finally, read the chapter Common problems and questions.

Since we run an FTP server, the rules handling FTP connections should go near the top of the INPUT chain, to reduce the load on the system. In general, the fewer rules a packet has to traverse, the less CPU time it costs and the lower the load. That is the purpose of splitting the rule set into extra chains.

In our example I group packets by protocol. Each protocol gets its own chain, for example tcp_packets, which holds the rules checking all the permitted TCP ports and protocols. Packets that pass one chain can be sent on to another for further checks; here that is the allowed chain, which examines further characteristics of TCP packets before finally accepting them. ICMP packets go through the icmp_packets chain, where we simply accept ICMP packets of the listed types. Finally, UDP packets go through udp_packets, which handles incoming UDP: packets addressed to a permitted service are accepted without further checks.

Since this is a fairly small network, the firewall also serves as a workstation, so we allow connections to the Internet from the firewall itself.

Finally, the OUTPUT chain. We do not block anything specific for users, but we do not want anyone to use our firewall to send "spoofed" packets, so we add rules that accept only packets whose source is our LAN address, our loopback address (127.0.0.1) or our Internet address. Packets from these addresses pass the OUTPUT chain; everything else (most likely spoofed) is cut off by the DROP default policy.


7.2.5. Setting up default policies

Before we start building the rule set we need to decide on the default policy of each chain. A default policy is set with a command of the form

iptables [-P {chain} {policy}]

The default policy is the action applied to a packet that matched none of the rules in the chain. (A small clarification: iptables -P applies ONLY TO THE BUILT-IN chains, i.e. INPUT, FORWARD, OUTPUT and so on, not to user-defined chains. Translator's note.) A packet that falls off the end of a user-defined chain simply returns to the chain that called it and continues with the next rule there.

Caution

Be very careful when setting default policies on chains in tables other than the filter table (nat and mangle), since it can lead to rather strange results.


7.2.6. Setting up user specified chains in the filter table

By now you should have a clear picture of how packets move through the various chains and how those chains interact, and of what this script is meant to achieve. Let's start creating the chains and their rule sets.

First the extra chains are created with the -N command. A freshly created chain holds no rules at all. In our example the chains icmp_packets, tcp_packets and udp_packets are created, plus the allowed chain, which is called from tcp_packets. Incoming packets from $INET_IFACE (that is, from the Internet) are dispatched by protocol: ICMP to icmp_packets, TCP to tcp_packets and UDP to udp_packets (where the text says eth0 it means $INET_IFACE; they are the same interface in the example). A more detailed description is in the section INPUT chain. The syntax for creating a chain is simple:

iptables [-N chain]




7.2.6.1. The bad_tcp_packets chain

This chain filters out packets with "bad" TCP headers and solves a few other problems. It drops all packets that are recognised as NEW but are not SYN packets, and it handles SYN/ACK packets that are considered NEW. It can be used to protect against intrusion attempts and port scans. A rule for dropping packets in state INVALID is also added here.

If you want to read more about this problem, see the section State NEW packets but no SYN bit set in the appendix Common problems and questions. Of course, simply dropping NEW packets without the SYN bit is not always the right thing to do, but in 99% of cases it is. So my script logs such packets to the system log and then drops them.

The reason that NEW SYN/ACK packets get REJECT rather than DROP is simple, and it is described in the section SYN/ACK and NEW packets of the appendix Common problems and questions. It is considered correct behaviour to answer an unsolicited SYN/ACK with an RST, which is what a host does when no such connection exists. This also closes off a Sequence Number Prediction attack against other hosts on the network, as that section explains.

7.2.6.2. The allowed chain

A TCP packet arriving on $INET_IFACE goes to the tcp_packets chain; if it is addressed to a permitted port, it is then checked further in the allowed chain.

The first rule checks whether the packet is a SYN packet, i.e. a request to open a connection; such packets are considered acceptable and accepted. The next rule accepts all packets in state ESTABLISHED or RELATED. A connection that was opened with a SYN packet and got a positive reply is ESTABLISHED. The last rule in the chain drops all other TCP packets: packets belonging to no known connection, and non-SYN packets trying to open one. Non-SYN packets are practically never used to open a connection, except by port scanners; as far as I know there is no TCP/IP implementation that opens a connection with anything but a SYN packet, so one can be 99% sure that the packets dropped here were sent by a port scanner.


7.2.6.3. The TCP chain

Now we get to TCP connections. Here we specify which ports may be reached from the Internet. Even when a packet matches a rule here, it is still passed to the allowed chain for the further checks.

I open TCP port 21, the FTP control port, and additionally allow all RELATED connections, which makes passive FTP work provided the ip_conntrack_ftp module is loaded. If you do not want to allow FTP connections, unload ip_conntrack_ftp and remove the line $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed from rc.firewall.txt.

Port 22 is SSH, which is far safer than telnet on port 23. If you want to give anyone on the Internet shell access, use SSH. Keep in mind, though, that it is generally considered bad practice to give anyone but yourself access to the firewall: a firewall should run only the services it really needs, and no more.

Port 80 is HTTP, in other words a web server; remove this rule if you do not run one.

Finally, port 113 is IDENTD, which is used by some protocols such as IRC. If you NAT hosts on the LAN, use the oidentd package, which can forward IDENTD queries to the LAN hosts.

If you need to open further ports, copy one of the rules in the tcp_packets chain and change the port number to suit.


7.2.6.4. The UDP chain

UDP packets are sent from the INPUT chain to the udp_packets chain, where, as with TCP, they are checked against the permitted destination ports. Note that we do not check the source port, because state matching already takes care of that. Only ports served by daemons on the firewall itself are opened. Packets belonging to connections already established from the LAN (or from the firewall) are accepted automatically, since they are in state ESTABLISHED or RELATED.

As the script shows, UDP port 53 (DNS) is closed: the rule opening it is present but commented out. If you want to run a DNS server on the firewall, uncomment it.

I personally allow port 123, NTP (Network Time Protocol), which is used to fetch the exact time from time servers on the Internet. You most likely do not run an NTP server, so this rule is commented out in the script as well.

Port 2074 is used by some multimedia applications, such as speak freely, for real-time voice transmission.

And finally ICQ on port 4000. That is the well-known protocol used by ICQ applications; I assume I need not explain what it is.

The script also contains two further rules that are commented out by default. They are useful if the firewall is under heavy load. The first blocks broadcast packets to ports 135 through 139, which are used by Microsoft's SMB and NetBIOS protocols; it keeps those broadcasts from flooding the firewall when it shares a segment with Microsoft networks. The second blocks DHCP requests coming from outside. That rule makes sense in particular when the external network contains non-switched segments where clients get their addresses dynamically.

Note

The last two rules are not required (they are commented out in the script). Every packet that is neither explicitly accepted nor dropped is logged by the last rule in the INPUT chain, so if you are worried about your system log filling up, uncomment these rules.


7.2.6.5. The ICMP chain

Here we decide which ICMP packets to accept. A packet arriving on $INET_IFACE in the INPUT chain is sent to the icmp_packets chain, where its ICMP type is checked. Only ICMP Echo Request, TTL equals 0 during transit and TTL equals 0 during reassembly are accepted. The other ICMP types we legitimately need (error messages about our own connections) arrive in state RELATED and are already accepted by the ESTABLISHED,RELATED rule earlier in the INPUT chain; unsolicited ICMP of any other type falls through to the log rule and the DROP policy.

Note

An ICMP packet that comes in reply to a request of ours is in state RELATED (related to an existing connection). Packet states are covered in detail in the chapter The state machine.

My reasoning is as follows. ICMP Echo Request packets are sent mainly to check whether a host is reachable. If you remove this rule, the firewall will not answer Echo Requests, which makes ping and similar tools useless against it.

Time Exceeded (that is, TTL equals 0 during transit and TTL equals 0 during reassembly): as a packet travels through the network, every router decrements the TTL field in its header by one; when the TTL reaches zero, the router sends back a Time Exceeded message. For instance, when you run traceroute against a host, the first packet is sent with TTL 1; it reaches zero at the first router, which replies with Time Exceeded; then TTL 2 is used and the second router replies, and so on until the destination host itself answers.

For a list of ICMP types see the appendix ICMP types. More information on ICMP can be found in the following documents:



Note

Be careful when blocking ICMP packets. I may be wrong in blocking some of them, and what I block may be unacceptable for you.

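The five user-defined chains of 7.2.6.1 through 7.2.6.5 written out as a script. This is an added example, not the text of rc.firewall.txt: chain and variable names follow the tutorial, but the port lists, the INET_BROADCAST value and the QUIET_BROADCASTS switch are assumptions of this example. It is built so that the rule ordering the text insists on (the SYN/ACK REJECT before the generic "NEW but not SYN" rules, the allowed chain ending in DROP) can be checked before anything is applied to a live kernel.

```shell
#!/bin/sh
# Added example, not the text of rc.firewall.txt: the user-defined chains of
# 7.2.6.1-7.2.6.5.  DRY_RUN=1 (default) prints the iptables commands so the
# rule set can be reviewed; run as root with DRY_RUN=0 to apply it.
# Port lists and the broadcast/DHCP settings are assumptions you adjust.

DRY_RUN="${DRY_RUN:-1}"
IPTABLES="${IPTABLES:-/usr/sbin/iptables}"
INET_IFACE="${INET_IFACE:-eth0}"
INET_BROADCAST="${INET_BROADCAST:-203.0.113.255}"   # placeholder address
TCP_OPEN_PORTS="${TCP_OPEN_PORTS:-21 22 80 113}"     # ftp ssh http identd
UDP_OPEN_PORTS="${UDP_OPEN_PORTS:-2074 4000}"        # add 53 / 123 for DNS / NTP
QUIET_BROADCASTS="${QUIET_BROADCASTS:-0}"            # 1 drops SMB/DHCP noise unlogged

ipt() { if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else "$IPTABLES" "$@"; fi; }

create_chains() {
    for c in bad_tcp_packets allowed tcp_packets udp_packets icmp_packets; do
        ipt -N "$c"
    done
}

# 7.2.6.1: called from INPUT and FORWARD, so no interface match here.  The
# SYN/ACK rule must precede the generic "NEW but not SYN" rules, because
# "! --syn" matches a SYN/ACK as well.
build_bad_tcp_packets() {
    ipt -A bad_tcp_packets -m state --state INVALID -j DROP
    ipt -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW \
        -j REJECT --reject-with tcp-reset
    ipt -A bad_tcp_packets -p tcp ! --syn -m state --state NEW \
        -j LOG --log-prefix "New not syn:"
    ipt -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
}

# 7.2.6.2: a TCP packet to an open port is either a connection request (SYN)
# or part of a tracked connection; anything else is a scan or garbage.
build_allowed() {
    ipt -A allowed -p tcp --syn -j ACCEPT
    ipt -A allowed -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A allowed -p tcp -j DROP
}

# 7.2.6.3: which TCP ports the Internet may reach on the firewall itself;
# every hit is handed on to "allowed" for the state check.
build_tcp_packets() {
    for port in $TCP_OPEN_PORTS; do
        ipt -A tcp_packets -p tcp -s 0/0 --dport "$port" -j allowed
    done
}

# 7.2.6.4: UDP has no handshake, so the destination port is all we check;
# replies to our own queries are ESTABLISHED/RELATED and accepted earlier.
build_udp_packets() {
    for port in $UDP_OPEN_PORTS; do
        ipt -A udp_packets -p udp -s 0/0 --dport "$port" -j ACCEPT
    done
    if [ "$QUIET_BROADCASTS" = 1 ]; then
        ipt -A udp_packets -p udp -i "$INET_IFACE" -d "$INET_BROADCAST" --dport 135:139 -j DROP
        ipt -A udp_packets -p udp -i "$INET_IFACE" -d 255.255.255.255 --dport 67:68 -j DROP
    fi
}

# 7.2.6.5: echo request (type 8) and time exceeded (type 11, both codes).
# Error messages about our own traffic arrive RELATED and need no rule here.
build_icmp_packets() {
    ipt -A icmp_packets -p icmp -s 0/0 --icmp-type 8 -j ACCEPT
    ipt -A icmp_packets -p icmp -s 0/0 --icmp-type 11 -j ACCEPT
}

build_user_chains() {
    create_chains
    build_bad_tcp_packets
    build_allowed
    build_tcp_packets
    build_udp_packets
    build_icmp_packets
}

build_user_chains
```

To open another TCP port, add it to TCP_OPEN_PORTS instead of copying a rule by hand; the loop keeps every opened port on the same path through allowed, so the state check cannot be forgotten for one of them.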

7.2.7. INPUT chain

As I have already said, the INPUT chain delegates most of its work to other chains, which lowers the load on the packet filter. The effect is most noticeable on slow machines, which would otherwise start dropping packets under heavy load. It is achieved by splitting the rule set by some criterion into separate chains, so that each packet traverses fewer rules.

The very first rule tries to get rid of "bad" packets; see the section The bad_tcp_packets chain. In some special situations such packets may be legitimate, but in 99% of cases it is better to stop them, so they are logged and dropped.

Then comes a group of rules that accepts all traffic from the trusted network: the adapter attached to the LAN and the loopback interface (lo), with source addresses belonging to our LAN (including the firewall's real IP address). This group comes first for the simple reason that the LAN generates far more traffic than the Internet link does. When building your own rule sets, always take traffic volume into account and put the rules that will handle the most traffic first.

The first rule in the group that handles traffic from $INET_IFACE accepts every packet in state ESTABLISHED or RELATED (part of an already ESTABLISHED or RELATED connection). It duplicates the rule in the allowed chain and is to some extent redundant, since allowed is reached later through tcp_packets, but it takes load off the filter: the bulk of the traffic is accepted by this one rule and never walks the rest of the sequence down to allowed.

After that, the traffic from the Internet is examined. All packets entering INPUT from $INET_IFACE are dispatched to the sub-chains according to protocol: TCP to tcp_packets, UDP to udp_packets and ICMP to icmp_packets. As a rule TCP makes up most of the traffic, then UDP, with ICMP a distant third, but in your situation this assumption may be wrong. It is very important to take into account the volume of traffic that passes through the rule set; accounting for it is an absolute necessity. With badly arranged rules, even a Pentium III class machine or better with a 100 Mbit card and plenty of traffic can be brought to its knees by a fairly small rule set.

Next comes a rather specific rule (commented out by default). Microsoft Network clients have the bad habit of sending large numbers of multicast packets to the 224.0.0.0/8 range, so this rule can be used to keep the logs from being cluttered if there is a Microsoft network on the outside. The last two rules in the udp_packets chain (also commented out by default), described in the section The UDP chain, solve a similar problem.

The last rule, before the default policy is applied to everything INPUT has not explicitly accepted, logs the traffic in case we need to track down a problem. The rule is rate-limited to at most 3 log entries per minute so that the log cannot be flooded, and each entry carries its own prefix so that we know where it came from.

Everything not explicitly accepted in the INPUT chain is dropped, because DROP is the default policy, as described above in the section Setting up default policies.


7.2.8. FORWARD chain

The FORWARD chain contains very few rules. The first sends all TCP packets to the bad_tcp_packets chain, the same one used from INPUT; bad_tcp_packets is written so that it can be called from any chain regardless of where the packet is heading.

After that check, all traffic from the LAN is forwarded without restriction. Naturally the replies must be let back into the LAN, so the next rule accepts everything in state ESTABLISHED or RELATED, that is, packets belonging to connections opened FROM the LAN.

Finally we log the packets that are about to be dropped, with the prefix "IPT FORWARD packet died: ", so that when debugging they are not confused with packets dropped in the INPUT chain.


7.2.9. OUTPUT chain

As mentioned earlier, in my case the machine is both firewall and workstation, so I let everything leave the host that has $LOCALHOST_IP, $LAN_IP or $STATIC_IP as its source address. This protects against spoofed traffic originating from my machine, even though I fully trust everyone who has access to it. Finally, I log the dropped packets, for debugging and to detect spoofed packets. Every packet that matches none of the rules gets the default policy, DROP.


7.2.10. PREROUTING chain of the nat table

In this script the chain holds no rules; the only reason to mention it is to remind you that this is where Destination NAT (DNAT) is done, before packets reach the INPUT or FORWARD chain.

Caution

Once more: this chain is not meant for filtering of any kind, only for address translation, because only the first packet of each connection passes through it.


7.2.11. Starting SNAT and the POSTROUTING chain

The final section, at least for me, is setting up SNAT. We add a rule to the POSTROUTING chain of the nat table that rewrites the source address of every packet leaving through the interface connected to the Internet. The script defines a number of variables for this, which both make the script easy to adapt and improve its readability. The -t switch names the table, here nat. -A appends a new rule to the POSTROUTING chain, the -o $INET_IFACE match selects the outgoing interface, and at the end of the rule we give the target, SNAT. Thus every packet that matches is "masqueraded", i.e. made to look as if it came from our host. Do not forget the --to-source switch with the IP address the outgoing packets should carry.

In this script I use SNAT rather than MASQUERADE for several reasons. First, the script is meant for a host with a static IP address. Second, SNAT is faster and more efficient. If you do not have a static address, however, you must use MASQUERADE, which is the simpler form of translation because it automatically picks up the address currently assigned to the interface (and forgets its translations when the interface goes down). It costs somewhat more CPU than SNAT, though not significantly. An example of MASQUERADE is in the rc.DHCP.firewall.txt script.

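The built-in chains of 7.2.7 through 7.2.11, together with the start-up order that the warning in the /proc section calls for: forwarding off, default policies set, rules loaded, forwarding on. This is an added example, not rc.firewall.txt itself. Addresses are RFC 5737 and RFC 1918 placeholders and the interface names are assumptions; the user chains it jumps to are the ones of 7.2.6 and are only created here, not filled. It also shows the SNAT/MASQUERADE decision as a single switch: leave INET_IP set for a static address and SNAT with --to-source is used, set it empty for a DHCP or PPP link and MASQUERADE takes over.

```shell
#!/bin/sh
# Added example, not rc.firewall.txt itself: the built-in chains of
# 7.2.7-7.2.11 and a start-up order that never forwards without rules.
# DRY_RUN=1 (default) prints the commands; addresses are placeholders.

DRY_RUN="${DRY_RUN:-1}"
IPTABLES="${IPTABLES:-/usr/sbin/iptables}"
INET_IFACE="${INET_IFACE:-eth0}"
INET_IP="${INET_IP-203.0.113.5}"      # set to "" for a dynamic (DHCP/PPP) address
LAN_IFACE="${LAN_IFACE:-eth1}"
LAN_IP="${LAN_IP:-192.168.0.1}"
LAN_IP_RANGE="${LAN_IP_RANGE:-192.168.0.0/24}"
LO_IFACE=lo
LO_IP=127.0.0.1
LOG_LIMIT="-m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG"

ipt() { if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else "$IPTABLES" "$@"; fi; }
set_proc() { if [ "$DRY_RUN" = 1 ]; then echo "echo $2 > $1"; else echo "$2" > "$1"; fi; }

set_policies() {
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
    ipt -P FORWARD DROP
}

build_input() {
    ipt -A INPUT -p tcp -j bad_tcp_packets
    # trusted side first: it carries most of the traffic
    ipt -A INPUT -p all -i "$LAN_IFACE" -s "$LAN_IP_RANGE" -j ACCEPT
    ipt -A INPUT -p all -i "$LO_IFACE" -s "$LO_IP" -j ACCEPT
    ipt -A INPUT -p all -i "$LO_IFACE" -s "$LAN_IP" -j ACCEPT
    if [ -n "$INET_IP" ]; then
        ipt -A INPUT -p all -i "$LO_IFACE" -s "$INET_IP" -j ACCEPT
    fi
    # private source addresses cannot legitimately arrive from the Internet
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        ipt -A INPUT -i "$INET_IFACE" -s "$net" -j DROP
    done
    # the bulk of Internet traffic is replies to our own connections
    ipt -A INPUT -p all -i "$INET_IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -p tcp -i "$INET_IFACE" -j tcp_packets
    ipt -A INPUT -p udp -i "$INET_IFACE" -j udp_packets
    ipt -A INPUT -p icmp -i "$INET_IFACE" -j icmp_packets
    # ipt -A INPUT -i "$INET_IFACE" -d 224.0.0.0/8 -j DROP   # silence Microsoft multicast
    ipt -A INPUT $LOG_LIMIT --log-prefix "IPT INPUT packet died: "
}

build_forward() {
    ipt -A FORWARD -p tcp -j bad_tcp_packets
    ipt -A FORWARD -i "$LAN_IFACE" -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD $LOG_LIMIT --log-prefix "IPT FORWARD packet died: "
}

# only our own addresses may leave the host: anything else is spoofed
build_output() {
    ipt -A OUTPUT -p tcp -j bad_tcp_packets
    ipt -A OUTPUT -p all -s "$LO_IP" -j ACCEPT
    ipt -A OUTPUT -p all -s "$LAN_IP" -j ACCEPT
    if [ -n "$INET_IP" ]; then
        ipt -A OUTPUT -p all -s "$INET_IP" -j ACCEPT
    else
        ipt -A OUTPUT -p all -o "$INET_IFACE" -j ACCEPT   # dynamic address: can only pin the interface
    fi
    ipt -A OUTPUT $LOG_LIMIT --log-prefix "IPT OUTPUT packet died: "
}

# static address: SNAT with a fixed --to-source; dynamic address: MASQUERADE,
# which reads the interface address itself and drops its state on link loss
build_nat() {
    if [ -n "$INET_IP" ]; then
        ipt -t nat -A POSTROUTING -o "$INET_IFACE" -j SNAT --to-source "$INET_IP"
    else
        ipt -t nat -A POSTROUTING -o "$INET_IFACE" -j MASQUERADE
    fi
}

firewall_start() {
    set_proc /proc/sys/net/ipv4/ip_forward 0    # nothing is routed while we build
    set_policies                                 # fail closed from the first rule on
    for c in bad_tcp_packets allowed tcp_packets udp_packets icmp_packets; do
        ipt -N "$c"    # filled as in 7.2.6; while empty, packets fall through to the log/DROP rules
    done
    build_input
    build_forward
    build_output
    build_nat
    set_proc /proc/sys/net/ipv4/ip_forward 1    # open the forwarding path last
}

firewall_start
```

Because the policies are set to DROP before the first rule is appended and ip_forward is raised only after the last one, the window described in the warning of 7.2.3 closes: at no point does the machine route packets without a rule set in front of them.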

çÌÁ×Á 8. ðÒÉÍÅÒÙ ÓÃÅÎÁÒÉÅ×

ãÅÌØ ÜÔÏÊ ÇÌÁ×Ù ÓÏÓÔÏÉÔ × ÔÏÍ, ÞÔÏÂÙ ÄÁÔØ ËÒÁÔËÏÅ ÏÐÉÓÁÎÉÅ ËÁÖÄÏÇÏ ÓÃÅÎÁÒÉÑ, × ÜÔÏÍ ÒÕËÏ×ÏÄÓÔ×Å. üÔÉ ÓÃÅÎÁÒÉÉ ÎÅ ÓÏ×ÅÒÛÅÎÎÙ, É ÏÎÉ ÎÅ ÍÏÇÕÔ ÐÏÌÎÏÓÔØÀ ÓÏÏÔ×ÅÔÓÔ×Ï×ÁÔØ ×ÁÛÉÍ ÎÕÖÄÁÍ. üÔÏ ÏÚÎÁÞÁÅÔ, ÞÔÏ ×Ù ÄÏÌÖÎÙ ÓÁÍÉ "ÐÏÄÏÇÎÁÔØ" ÜÔÉ ÓÃÅÎÁÒÉÉ ÐÏÄ ÓÅÂÑ. ðÏÓÌÅÄÕÀÝÁÑ ÞÁÓÔØ ÒÕËÏ×ÏÄÓÔ×Á ÐÒÉÚ×ÁÎÁ ÏÂÌÅÇÞÉÔØ ×ÁÍ ÜÔÕ ÐÏÄÇÏÎËÕ.


8.1. óÔÒÕËÔÕÒÁ ÆÁÊÌÁ rc.firewall.txt

÷ÓÅ ÓÃÅÎÁÒÉÉ, ÏÐÉÓÁÎÎÙÅ × ÜÔÏÍ ÒÕËÏ×ÏÄÓÔ×Å, ÉÍÅÀÔ ÏÐÒÅÄÅÌÅÎÎÕÀ ÓÔÒÕËÔÕÒÕ. óÄÅÌÁÎÏ ÜÔÏ ÄÌÑ ÔÏÇÏ, ÞÔÏÂÙ ÓÃÅÎÁÒÉÉ ÂÙÌÉ ÍÁËÓÉÍÁÌØÎÏ ÐÏÈÏÖÉ ÄÒÕÇ ÎÁ ÄÒÕÇÁ, ÏÂÌÅÇÞÁÑ ÔÅÍ ÓÁÍÙÍ ÐÏÉÓË ÒÁÚÌÉÞÉÊ ÍÅÖÄÕ ÎÉÍÉ. üÔÁ ÓÔÒÕËÔÕÒÁ ÄÏ×ÏÌØÎÏ ÈÏÒÏÛÏ ÏÐÉÓÙ×ÁÅÔÓÑ × ÜÔÏÊ ÇÌÁ×Å. úÄÅÓØ Ñ ÎÁÄÅÀÓØ ÄÁÔØ ×ÁÍ ÐÏÎÉÍÁÎÉÅ, ÐÏÞÅÍÕ ×ÓÅ ÓÃÅÎÁÒÉÉ ÂÙÌÉ ÎÁÐÉÓÁÎÙ ÉÍÅÎÎÏ ÔÁË É ÐÏÞÅÍÕ Ñ ×ÙÂÒÁÌ ÉÍÅÎÎÏ ÜÔÕ ÓÔÒÕËÔÕÒÕ.

Note

ïÂÒÁÔÉÔÅ ×ÎÉÍÁÎÉÅ ÎÁ ÔÏ, ÞÔÏ ÜÔÁ ÓÔÒÕËÔÕÒÁ ÍÏÖÅÔ ÏËÁÚÁÔØÓÑ ÄÁÌÅËÏ ÎÅÏÐÔÉÍÁÌØÎÏÊ ÄÌÑ ×ÁÛÉÈ ÓÃÅÎÁÒÉÅ×. üÔÁ ÓÔÒÕËÔÕÒÁ ×ÙÂÒÁÎÁ ÌÉÛØ ÄÌÑ ÌÕÞÛÅÇÏ ÏÂßÑÓÎÅÎÉÑ ÈÏÄÁ ÍÏÉÈ ÍÙÓÌÅÊ.


8.1.1. óÔÒÕËÔÕÒÁ

üÔÏ - ÓÔÒÕËÔÕÒÁ, ËÏÔÏÒÏÊ ÓÌÅÄÕÀÔ ×ÓÅ ÓÃÅÎÁÒÉÉ × ÜÔÏÍ ÒÕËÏ×ÏÄÓÔ×Å. åÓÌÉ ×Ù ÏÂÎÁÒÕÖÉÔÅ, ÞÔÏ ÜÔÏ ÎÅ ÔÁË, ÔÏ ÓËÏÒÅÅ ×ÓÅÇÏ ÜÔÏ ÍÏÑ ÏÛÉÂËÁ, ÅÓÌÉ ËÏÎÅÞÎÏ Ñ ÎÅ ÏÂßÑÓÎÉÌ, ÐÏÞÅÍÕ Ñ ÎÁÒÕÛÉÌ ÜÔÕ ÓÔÒÕËÔÕÒÕ.

  1. Configuration -- First of all we must set the configuration parameters for the script. The configuration parameters should, in most cases, come first in any script.

    1. Internet -- This is the configuration section describing the Internet connection. It can be omitted if you are not connected to the Internet. Note that there may be more subsections than are listed here, but only those that describe our Internet connection.

      1. DHCP - If there are any DHCP-specific settings, they are added here.

      2. PPPoE - The settings of a PPPoE connection are described here.

    2. LAN - If there is any LAN behind the firewall, the parameters relating to it go here. This section will most likely be present almost always.

    3. DMZ - The configuration of the DMZ is added here. Most scripts will not have this section, since an ordinary home network or small LAN will not have one. (DMZ - de-militarized zone. The author most likely means a small subnet that holds servers, for example DNS, MAIL, WEB and so on, and no user workstations at all. Translator's note.)

    4. Localhost - These parameters belong to our firewall itself (localhost). In your case these variables will hardly ever change, but I created them nonetheless. Hopefully you will have no reason to change them.

    5. iptables - This section holds information about iptables. In most scripts one variable is enough, the one that points to the iptables binary.

    6. Other - Any other settings that do not belong to one of the sections above go here.

  2. Module loading - This section of the scripts holds the list of modules. The first part should contain the required modules, while the second part should contain the non-required modules.

    Note

    Note that some modules providing extra features may be listed even though they are not required. Normally, in such cases, the example script points this out.

    1. Required modules - This section should contain the modules needed for the script to work.

    2. Non-required modules - This section contains modules that are not required for the script to work normally. All of them should be commented out. If you need them, simply uncomment them.

  3. proc configuration - This section takes care of configuring the /proc file system. If these settings are required, they will be listed; if not, they should be commented out by default and listed as non-required. Most of the useful /proc settings will be listed in the examples, but far from all of them.

    1. Required proc configuration - This section should contain all the /proc settings the script requires. These may be settings needed to bring the security system up at all, or ones that add special capabilities for the administrator or the users.

    2. Non-required proc configuration - This section should contain the non-required /proc settings that may prove useful in the future. All of them should be commented out, since they are not actually required for the script to work. This list will contain far from all of the /proc settings.

  4. rules set up - By now the script is normally ready to have its rule sets inserted. I have split all the rules up by table and by chain. Any user-specified chains must be created before we can use them. I list the chains and their rule sets in the same order in which the iptables -L command outputs them.

    1. Filter table - First we go through the filter table. To begin with, the default policies of the table must be set.

      1. Set policies - Setting the default policies for the built-in chains. Normally I set DROP for the chains in the filter table and then let through the streams that originate from inside. That way we get rid of everything we do not want.

      2. Create user specified chains - In this section all the user-specified chains that we will use later within this table are created. We cannot use these chains until we have created them.

      3. Create content in user specified chains - Once the user-specified chains have been created, we can fill them with rules. The only reason the rules for the user-specified chains are defined here is that they are close to the commands creating those chains. You may place the rules elsewhere in your script.

      4. INPUT chain - This section adds the rules for the INPUT chain.

        Note

        As already noted, I tried to follow the order in which the output of the iptables -L command is produced. There is no strong reason to keep to this structure, but do try to avoid mixing data from different tables and chains, since that makes such a rule set much harder to read and to search for possible problems.

      5. FORWARD chain - Here we add the rules to the FORWARD chain.

      6. OUTPUT chain - The OUTPUT chain is filled last in the filter table.

    2. nat table - After the filter table we move on to the nat table. This is done for several reasons. First of all, the NAT mechanism should not be started at an early stage, while packets can still be passed without restriction (that is, when NAT is already on but there is not a single filtering rule yet). I also view the nat table as a kind of layer that lies outside the filter table. The filter table is something like the core, nat is a shell around the core, and the mangle table can be viewed as a shell around the nat table. This may not be entirely correct, but it is not far from the truth either.

      1. Set policies - First of all we set all the default policies within the nat table. Normally I set ACCEPT. This table should not be used for filtering, and we should not "throw away" (DROP) packets here. There are a number of unpleasant side effects that occur in such cases because of our assumptions. I let all packets through in these chains, since I see no reason not to.

      2. Create user specified chains - Here all the user-specified chains for the nat table are created. Normally I have none, but I added this section just in case. Note that user-specified chains must be created before they are actually used.

      3. Create content in user specified chains - Adding rules to the user-specified chains of the nat table. The principle for placing the rules here is the same as in the filter table. I add them here because I see no reason to put them anywhere else.

      4. PREROUTING chain - The PREROUTING chain is used for DNAT. In most scripts DNAT is not used, or is at least commented out, so as not to "open the gates" into our local network too widely. In some scripts this rule is enabled, since the sole purpose of those scripts is to provide services that are impossible without DNAT.

      5. POSTROUTING chain - The POSTROUTING chain is used by the scripts I wrote, since in most cases there is one or more local networks that we want to connect to the Internet through the firewall. Mainly we will use SNAT, but in some cases we are forced to use MASQUERADE.

      6. OUTPUT chain - The OUTPUT chain is hardly used at all in any of the scripts. So far I have not found any good reason to use this chain. If you do use it, drop me a line and I will make the corresponding changes to this tutorial.

    3. mangle table - The mangle table is the last table on the packets' path. Normally I do not use this table at all, since there is usually no need for anything like changing the TTL field or the TOS field and so on. In other words, I left this section empty in some of the scripts, with a few exceptions where I added some examples of using this table.

      1. Set policies - The default policies are set here. The same restrictions apply as for the nat table. The table should not be used for filtering, so you should avoid that. I have not set any policy for the chains in the mangle table in any of the scripts, and you should do the same.

      2. Create user specified chains - User-specified chains are created. Since I do not use the mangle table in the scripts, I did not create any user-specified chains. However, this section was added just in case.

      3. Create content in user specified chains - If you have created any user-specified chains within this table, you can fill them with rules here.

      4. PREROUTING - At this point the chain is only mentioned.

      5. INPUT chain - At this point the chain is only mentioned.

      6. FORWARD chain - At this point the chain is only mentioned.

      7. OUTPUT chain - At this point the chain is only mentioned.

      8. POSTROUTING chain - At this point the chain is only mentioned.

I hope I have explained in enough detail how each script is structured and why they are structured that way.

Caution

Note that these descriptions are extremely brief and are only a short explanation of why the scripts have this structure. I do not claim to have the final word, nor that this is the only and best way to do it.

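Below is a skeleton laid out in the section order just described, added here as an illustration; it is not one of the tutorial's scripts. The interface names, the LAN range, the chain name "allowed", the SSH opening and the use of MASQUERADE are assumptions. With IPTABLES left unset the script only prints the iptables commands it would run; set IPTABLES=/usr/sbin/iptables to apply them.

```shell
#!/bin/sh
# Added example: a skeleton in the section order described above.
# Not one of the tutorial's scripts; interface names, the LAN range,
# the "allowed" chain and MASQUERADE are assumptions.
# With IPTABLES unset the commands are only printed (dry run).

### 1. Configuration
INET_IFACE="eth0"                  # 1.1 Internet: assumed interface name
LAN_IFACE="eth1"                   # 1.2 LAN: assumed interface name
LAN_IP_RANGE="192.168.0.0/24"      #     assumed LAN address range
LO_IFACE="lo"                      # 1.4 Localhost
IPTABLES="${IPTABLES:-echo iptables}"   # 1.5 iptables: path to the binary

dry_run() { [ "$IPTABLES" = "echo iptables" ]; }

### 2. Module loading (skipped in dry-run mode)
load_modules() {
    if dry_run; then return 0; fi
    /sbin/modprobe ip_tables          # 2.1 required
    /sbin/modprobe ip_conntrack
    # /sbin/modprobe ipt_LOG          # 2.2 non-required: left commented out
}

### 3. proc configuration (skipped in dry-run mode)
set_proc() {
    if dry_run; then return 0; fi
    echo "1" > /proc/sys/net/ipv4/ip_forward          # 3.1 required
    # echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter # 3.2 non-required
}

### 4. Rules: one function per table, chains in iptables -L order
filter_table() {
    # 4.1.1 policies: DROP everything, open only what follows
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT DROP
    # 4.1.2 user-specified chain (the example's own name)
    $IPTABLES -N allowed
    # 4.1.3 content of the user-specified chain
    $IPTABLES -A allowed -p tcp --syn -j ACCEPT
    $IPTABLES -A allowed -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A allowed -p tcp -j DROP
    # 4.1.4 INPUT
    $IPTABLES -A INPUT -i $LO_IFACE -j ACCEPT
    $IPTABLES -A INPUT -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
    $IPTABLES -A INPUT -p tcp -i $INET_IFACE --dport 22 -j allowed   # assumed: SSH from outside
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 4.1.5 FORWARD
    $IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 4.1.6 OUTPUT
    $IPTABLES -A OUTPUT -o $LO_IFACE -j ACCEPT
    $IPTABLES -A OUTPUT -o $LAN_IFACE -j ACCEPT
    $IPTABLES -A OUTPUT -o $INET_IFACE -j ACCEPT
}

nat_table() {
    # 4.2.1 policies: ACCEPT, the nat table is never used for filtering
    $IPTABLES -t nat -P PREROUTING ACCEPT
    $IPTABLES -t nat -P POSTROUTING ACCEPT
    $IPTABLES -t nat -P OUTPUT ACCEPT
    # 4.2.4 PREROUTING: no DNAT in this skeleton
    # 4.2.5 POSTROUTING: MASQUERADE (assumed) so a dynamic address also works
    $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE
}

mangle_table() {
    # 4.3 left empty on purpose; no policies are set here
    :
}

main() {
    load_modules
    set_proc
    filter_table
    nat_table
    mangle_table
}

main
```

Keeping each table in its own function and the chains in iptables -L order is what makes a later diff between two such scripts readable; the dry-run default lets you review the generated command list before anything touches the kernel.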

8.2. rc.firewall.txt

The rc.firewall.txt script is the core on which the rest of the scripts are based. The chapter The rc.firewall file describes the script in sufficient detail. The script was written for a home network where you have one LAN and one Internet connection. It also assumes that you have a static IP address and therefore do not use DHCP, PPP, SLIP or any other protocol that assigns an IP address dynamically. Otherwise take the rc.DHCP.firewall.txt script as your starting point.

The script requires the following options to be compiled into the kernel, either statically or as modules. Without any one of them the script will not work. In addition, the changes you may make to the script may require further capabilities to be enabled in your kernel.

  • CONFIG_NETFILTER

  • CONFIG_IP_NF_CONNTRACK

  • CONFIG_IP_NF_IPTABLES

  • CONFIG_IP_NF_MATCH_LIMIT

  • CONFIG_IP_NF_MATCH_STATE

  • CONFIG_IP_NF_FILTER

  • CONFIG_IP_NF_NAT

  • CONFIG_IP_NF_TARGET_LOG


8.3. rc.DMZ.firewall.txt

The rc.DMZ.firewall.txt script was written for those who have a trusted local network, one "Demilitarized Zone" and one Internet connection. To reach the servers in the Demilitarized Zone from the outside, in this case, one-to-one NAT is used; that is, you have to make the firewall recognize packets for more than one IP address.

The script requires the following options to be compiled into the kernel, either statically or as modules. Without any one of them the script will not work.

  • CONFIG_NETFILTER

  • CONFIG_IP_NF_CONNTRACK

  • CONFIG_IP_NF_IPTABLES

  • CONFIG_IP_NF_MATCH_LIMIT

  • CONFIG_IP_NF_MATCH_STATE

  • CONFIG_IP_NF_FILTER

  • CONFIG_IP_NF_NAT

  • CONFIG_IP_NF_TARGET_LOG

The script works with two internal networks, as shown in the figure. One uses the IP range 192.168.0.0/24 and is the Trusted Internal Network. The other uses the range 192.168.1.0/24 and is called the Demilitarized Zone (DMZ), for which we will perform one-to-one address translation (NAT). For example, if someone on the Internet sends a packet to our DNS_IP, we perform DNAT to pass the packet on to the DNS server in the DMZ. If DNAT were not performed, the DNS server could not receive the request, since its address is DMZ_DNS_IP and not DNS_IP. The translation is performed by the following rule:

$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $DNS_IP \
--dport 53 -j DNAT --to-destination $DMZ_DNS_IP

First, a reminder that DNAT can only be performed in the PREROUTING chain of the nat table. According to this rule, the packet must arrive over TCP on $INET_IFACE with a destination IP address matching our $DNS_IP, and be directed to port 53. If such a packet is seen, the destination address is rewritten, that is, DNAT is performed. The DNAT target is given the address to substitute with the --to-destination $DMZ_DNS_IP option. When the reply packet comes back through the firewall, the kernel's networking code automatically changes the source address from $DMZ_DNS_IP back to $DNS_IP; in other words, the reverse translation is automatic and needs no extra rules.

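The rule above, together with the filter-table rules it needs, as an added example that is not part of the tutorial's rc.DMZ.firewall.txt: with a DROP policy on FORWARD the translated packet still has to be accepted there, and it has to be matched against the private address because FORWARD sees it after DNAT. The example also translates UDP 53, which carries most DNS queries. Interface names and addresses are assumed placeholders; with IPTABLES unset the commands are only printed.

```shell
#!/bin/sh
# Added example, not the tutorial's rc.DMZ.firewall.txt. Variable values are
# assumed placeholders; with IPTABLES unset the commands are only printed.
IPTABLES="${IPTABLES:-echo iptables}"
INET_IFACE="eth0"            # assumed Internet-facing interface
DMZ_IFACE="eth2"             # assumed DMZ interface
DNS_IP="203.0.113.10"        # assumed public address of the name server
DMZ_DNS_IP="192.168.1.2"     # assumed private address of the DMZ name server

publish_dmz_dns() {
    # Most DNS queries travel over UDP 53; TCP 53 carries large answers and
    # zone transfers, so both are translated.
    for proto in tcp udp; do
        # nat/PREROUTING: rewrite the destination before the routing decision
        # (the rule from the text, for both protocols)
        $IPTABLES -t nat -A PREROUTING -p $proto -i $INET_IFACE -d $DNS_IP \
            --dport 53 -j DNAT --to-destination $DMZ_DNS_IP
        # filter/FORWARD sees the packet after DNAT, so it must match the
        # private address; with a DROP policy on FORWARD the DNAT rule alone
        # delivers nothing.
        $IPTABLES -A FORWARD -p $proto -i $INET_IFACE -o $DMZ_IFACE \
            -d $DMZ_DNS_IP --dport 53 -m state --state NEW -j ACCEPT
    done
    # Replies come back as ESTABLISHED; conntrack undoes the translation.
    $IPTABLES -A FORWARD -i $DMZ_IFACE -o $INET_IFACE \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

publish_dmz_dns
```

A common mistake when debugging a DMZ setup is to write the FORWARD rule against the public address; since the filter table runs after nat/PREROUTING, that rule never matches and the service looks dead even though the DNAT rule is correct.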
You should by now understand DNAT well enough to work through the text of the script on your own without any problems. If anything remains unclear to you and was not covered in this document, let me know about it; it is probably my mistake.


8.4. rc.DHCP.firewall.txt

The rc.DHCP.firewall.txt script is very similar to the original rc.firewall.txt. However, this script no longer uses the STATIC_IP variable, which is the main difference from the original rc.firewall.txt. The reason is that rc.firewall.txt will not work with a dynamic IP address. The changes compared to the original are minimal. This script is useful for DHCP, PPP and SLIP connections to the Internet.

The script requires the following options to be compiled into the kernel, either statically or as modules. Without any one of them the script will not work.

  • CONFIG_NETFILTER

  • CONFIG_IP_NF_CONNTRACK

  • CONFIG_IP_NF_IPTABLES

  • CONFIG_IP_NF_MATCH_LIMIT

  • CONFIG_IP_NF_MATCH_STATE

  • CONFIG_IP_NF_FILTER

  • CONFIG_IP_NF_NAT

  • CONFIG_IP_NF_TARGET_MASQUERADE

  • CONFIG_IP_NF_TARGET_LOG

The main difference in this script is the removal of the STATIC_IP variable and of all references to it. The INET_IFACE variable is used instead. In other words, -d $STATIC_IP is replaced by -i $INET_IFACE. That is really all that needs to be changed. (Note that here the author means by STATIC_IP the variable INET_IP. Translator's note.)

We can no longer set rules in the INPUT chain such as this one: --in-interface $LAN_IFACE --dst $INET_IP. This in turn forces us to build rules based on the network interface alone. For example, suppose an HTTP server runs on the firewall. If we open its main page, which contains a static link back to the same server running on a dynamic address, we can run into quite a few problems. A host behind NAT will look up the IP address of the HTTP server through DNS and then try to reach that IP. If the firewall filters on both interface and IP address, the host will get no reply, since the INPUT chain filters such a request out. The same also applies in some cases where we have a static IP address, but there it can be worked around with rules that match packets arriving from the LAN interface for our INET_IP and ACCEPT them.

After all of the above, the idea of writing a script that handles a dynamic IP may not seem so bad. For example, one could write a script that fetches the IP address via ifconfig and substitutes it into the script (where the corresponding variable is defined) that brings the Internet connection up. The excellent site linuxguruz.org has a huge collection of scripts available for download. You will find a link to linuxguruz.org in the appendix Other resources and links.

Note

This script is less secure than rc.firewall.txt. I strongly recommend that you use rc.firewall.txt if at all possible, since rc.DHCP.firewall.txt is more open to attacks from the outside.

You could also add something like this to your scripts:

INET_IP=`ifconfig $INET_IFACE | grep inet | cut -d : -f 2 | \
cut -d ' ' -f 1`

The command above fetches the dynamic IP from the interface. You will find more refined ways of obtaining the IP address in the retreiveip.txt script. However, this approach has serious drawbacks, which are described below.

  1. If the script is run from another script, which in turn is run by the PPP daemon, it may cause all already established connections to "hang", because of the rules that drop packets in state NEW without the SYN bit set (see the section Packets in state NEW with the SYN bit unset). The problem could of course be solved by removing those rules, but that is a rather questionable solution from a security point of view.

  2. Suppose you have a set of static rules; it is rather crude to keep erasing and adding rules all the time, risking damage to the existing ones as well.

  3. It may lead to unnecessary complexity, which in turn weakens security. The simpler the script, the easier it is to maintain.

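An added example, not the tutorial's retreiveip.txt, of a more robust way to fetch the address than the ifconfig pipeline above: that pipeline depends on the "inet addr:1.2.3.4" layout of old net-tools and also picks up "inet6" lines, and it breaks on the newer "inet 1.2.3.4" layout. The sample outputs in the block are constructed, not captured from a real host; the interface name and addresses are placeholders.

```shell
#!/bin/sh
# Added example, not the tutorial's retreiveip.txt: fetch an interface's IPv4
# address from either ifconfig layout or from "ip -4 -o addr".

# Extract the first IPv4 address from ifconfig-style text on stdin.
# Matches "inet addr:1.2.3.4" (old net-tools) and "inet 1.2.3.4" (newer);
# "inet6" lines do not match because a space must follow "inet".
parse_ifconfig_ip() {
    sed -n 's/^[[:space:]]*inet \(addr:\)\{0,1\}\([0-9.]*\).*/\2/p' | sed -n '1p'
}

# Extract the address from "ip -4 -o addr show dev X" style text on stdin.
parse_ip_addr() {
    sed -n 's/.*inet \([0-9.]*\)\/.*/\1/p' | sed -n '1p'
}

# Live lookup: prefer ip(8), fall back to ifconfig; fail if neither
# yields an address so a caller never substitutes an empty INET_IP.
get_inet_ip() {
    iface="$1"
    addr=""
    if command -v ip >/dev/null 2>&1; then
        addr=$(ip -4 -o addr show dev "$iface" 2>/dev/null | parse_ip_addr)
    fi
    if [ -z "$addr" ] && command -v ifconfig >/dev/null 2>&1; then
        addr=$(ifconfig "$iface" 2>/dev/null | parse_ifconfig_ip)
    fi
    [ -n "$addr" ] || return 1
    printf '%s\n' "$addr"
}

# Constructed sample outputs (not real captures) exercising the parsers.
OLD_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:192.0.2.7  Bcast:192.0.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1'
NEW_IFCONFIG='eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.0.2.8  netmask 255.255.255.0  broadcast 192.0.2.255
        inet6 fe80::211:22ff:fe33:4455  prefixlen 64  scopeid 0x20<link>'
IP_ADDR_OUT='2: eth0    inet 192.0.2.9/24 brd 192.0.2.255 scope global eth0'

printf '%s\n' "$OLD_IFCONFIG" | parse_ifconfig_ip   # 192.0.2.7
printf '%s\n' "$NEW_IFCONFIG" | parse_ifconfig_ip   # 192.0.2.8
printf '%s\n' "$IP_ADDR_OUT"  | parse_ip_addr       # 192.0.2.9
```

The point of the failing return in get_inet_ip is that a rule such as "-d $INET_IP" with an empty variable silently becomes a rule matching any destination, which is exactly the kind of quiet widening of the rule set the drawbacks above warn about.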

8.5. rc.UTIN.firewall.txt

The rc.UTIN.firewall.txt script, unlike the other scripts, also locks down the LAN that sits behind the firewall. We trust the internal users no more than the users on the Internet. In other words, we trust nobody, neither on the Internet nor on the local network we are connected to. Therefore Internet access is limited to the POP3, HTTP and FTP protocols only.

This script follows the golden rule: "trust nobody, not even your own employees". Sad but true, a large part of the attacks and break-ins a company suffers are carried out by the company's own staff from the local networks. This script will hopefully give you some clues as to what you can do to strengthen your firewall. It is not very different from the original rc.firewall.txt, but it does give a few hints at what we would normally let through.

The script requires the following options to be compiled into the kernel, either statically or as modules. Without any one of them the script will not work.

  • CONFIG_NETFILTER

  • CONFIG_IP_NF_CONNTRACK

  • CONFIG_IP_NF_IPTABLES

  • CONFIG_IP_NF_MATCH_LIMIT

  • CONFIG_IP_NF_MATCH_STATE

  • CONFIG_IP_NF_FILTER

  • CONFIG_IP_NF_NAT

  • CONFIG_IP_NF_TARGET_LOG



8.6. rc.test-iptables.txt

The rc.test-iptables.txt script is meant for testing the various chains, but it may need some tweaking depending on your configuration, for example enabling ip_forwarding or setting up masquerading and so on. Nevertheless, in most cases with a basic setup, where the main tables are configured, this script will work. What the script actually does is set up LOG targets for ping requests and ping replies. That way the system log records which chains were traversed and in what order. Run the script and then execute the following command:

ping -c 1 host.on.the.internet

While the first command runs, execute tail -n 0 -f /var/log/messages. You should now clearly see all the chains used and the order in which they are traversed.

Note

This script was written for demonstration purposes only. In other words, you should not have logging rules like these, which log all packets without restriction. Otherwise you risk becoming easy prey for an attacker who can flood you with packets, "bloat" your log, which may cause a "Denial of Service", and then proceed to actually break into your system without fear of detection, since the system will no longer be able to log him.


8.7. rc.flush-iptables.txt

The rc.flush-iptables.txt script is not really a script in its own right, since it flushes all your tables and chains. At the start of the script the default policies for the INPUT, OUTPUT and FORWARD chains of the filter table are set to ACCEPT. After that the policies of the PREROUTING, POSTROUTING and OUTPUT chains of the nat table are reset to their defaults. These actions are done first so that no problems arise with closed connections and blocked packets. In practice this script can be used to prepare the firewall for configuration and when debugging your scripts, so here we only care about flushing the rule set and setting the default policies.

Once the default policies have been set, we proceed to flush the contents of the chains in the filter and nat tables, after which all user-defined chains are deleted. With that the script ends. If you use the mangle table, you will have to add the corresponding lines to the script to handle that table.

Note

A couple of closing words. A great many people ask me why I do not put a call to this script into rc.firewall, writing something like rc.firewall start to launch the script. I have not done so yet, because I believe a tutorial should carry the main ideas and should not be cluttered with assorted scripts with strange syntax. Adding script-specific syntax makes the scripts less readable and the tutorial itself harder to understand, so this tutorial stays the way it is and will continue to do so.


8.8. Limit-match.txt

The limit-match.txt script was written to demonstrate how the limit match works. Run the script and try sending ping packets to the host at different intervals.


8.9. Pid-owner.txt

The pid-owner.txt script demonstrates the use of the --pid-owner match. In practice the script blocks nothing, so to see its effect you will need to use the iptables -L -v command.


8.10. Sid-owner.txt

The sid-owner.txt script demonstrates the use of the --sid-owner match. In practice the script blocks nothing, so to see its effect you will need to use the iptables -L -v command.


8.11. Ttl-inc.txt

A small example, ttl-inc.txt, showing how to make the firewall/router "invisible" to traceroutes, thereby complicating an attacker's work.


8.12. Iptables-save ruleset

A small example, iptsave-saved.txt, mentioned in the chapter Saving and restoring large rule-sets, illustrating how the iptables-save command works. It is not an executable script and is meant only to show what the output of iptables-save looks like.


Appendix A. Detailed explanations of special commands

A.1. Listing your active rule set

To list the rule set, run the iptables command with the L option, which was briefly described earlier in the chapter How a rule is built. It looks roughly like this:

iptables -L

This command prints the rule set in a human-readable form. Port numbers are converted to service names according to the /etc/services file, and IP addresses are converted to host names through DNS name resolution. Name resolution may cause some problems; for example, with a 192.168.0.0/16 network the DNS service will not be able to resolve the name of the host with address 192.168.1.1, and the command will hang as a result. To get around this problem, list the rule set with an extra option:

iptables -L -n

To print additional information about the chains and rules, run

iptables -L -n -v

Do not forget the -t option, which can be used to view the nat and mangle tables, for example:

iptables -L -t nat

The /proc file system contains a number of files with information that is quite interesting to us. For example, suppose we want to see the list of connections in the conntrack table. This is the main table that holds the list of tracked connections and the state each of them is in. To view the table, run the command

cat /proc/net/ip_conntrack | less


A.2. Updating and flushing your tables

As you continue to dig deeper into iptables, the question of removing individual rules from chains without having to reboot the machine will come up more and more. I will now try to answer it. If you added some rule by mistake, all you need to do is replace the -A command with the -D command on the rule's command line. iptables will find the specified rule and delete it. If there are several rules that look like the specified pattern for deletion, the first one found is deleted. If that does not suit you, the -D command can instead be given the number of the rule to delete as a parameter; for example, the command iptables -D INPUT 10 deletes the tenth rule in the INPUT chain. (To find out a rule's number, issue the command iptables -L CHAIN_NAME --line-numbers, and the rules will be listed with their numbers. Translator's note.)

To delete the contents of a whole chain, use the -F command. For example, iptables -F INPUT erases all rules in the INPUT chain; however, this command does not change the chain's default policy, so if it is set to DROP, everything entering the INPUT chain will still be blocked. To reset the default policy, simply set it back to its original state, for example iptables -P INPUT ACCEPT. (Also: if the table is not given explicitly with the -t (--table) option, the chains are flushed ONLY in the filter table. Translator's note.)

I wrote a small script (described a little earlier) that flushes all tables and chains and resets the chain policies in iptables. Remember that if you use the mangle table, you need to add to this script, since it does not handle that table.

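An added flush script, not the tutorial's rc.flush-iptables.txt, that also covers the mangle table, which the text notes the original leaves out, and that respects the translator's remark about -F acting on the filter table only unless -t is given. Like the original it opens the policies first, then flushes, zeroes and deletes the user-defined chains; with IPTABLES unset the commands are only printed.

```shell
#!/bin/sh
# Added example, not the tutorial's rc.flush-iptables.txt: reset the filter,
# nat and mangle tables. With IPTABLES unset the commands are only printed.
IPTABLES="${IPTABLES:-echo iptables}"

# Built-in chains per table, as listed by iptables -L -t <table>.
chains_of() {
    case "$1" in
        filter) echo "INPUT FORWARD OUTPUT" ;;
        nat)    echo "PREROUTING POSTROUTING OUTPUT" ;;
        mangle) echo "PREROUTING INPUT FORWARD OUTPUT POSTROUTING" ;;
        *)      return 1 ;;
    esac
}

flush_table() {
    table="$1"
    # Open the policies first so nothing is blocked while the chains
    # are half emptied (the same ordering the text explains).
    for chain in $(chains_of "$table"); do
        $IPTABLES -t "$table" -P "$chain" ACCEPT
    done
    $IPTABLES -t "$table" -F   # empty every chain, built-in and user-defined
    $IPTABLES -t "$table" -X   # delete user-defined chains (now empty)
    $IPTABLES -t "$table" -Z   # zero the packet and byte counters
}

flush_all() {
    # -t is given explicitly each time: without it only filter is touched
    for table in filter nat mangle; do
        flush_table "$table"
    done
}

flush_all
```

Note that -X only succeeds on chains that are empty and no longer referenced, which is why every table is flushed with -F before its user chains are deleted.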

Appendix B. Common problems and questions

B.1. Problems loading modules

You may run into several problems when trying to load one module or another. For example, you may get a message saying the requested module does not exist:

insmod: iptable_filter: no module by that name found

There is no reason to worry yet. It is quite possible that the requested module (or modules) was linked into the kernel statically. This is the first thing you should check. In the example above, loading the filter table failed. To check whether this table is present, simply run the command:

iptables -t filter -L

If all is well, this command lists all the chains of the filter table. The output should look roughly like this:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

If the filter table is missing, the output will be roughly as follows:

iptables v1.2.5: can't initialize iptables table `filter': Table \
     does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

This is more serious, since the message indicates that either you forgot to install the modules, or you forgot to run depmod -a, or you did not compile the necessary modules at all. To solve the first problem, run make modules_install in the kernel source directory. The second problem is solved by running depmod -a. Solving the third is beyond the scope of this tutorial, and in that case I recommend visiting the home page of The Linux Documentation Project. (Look again at the beginning of this document, where the iptables installation process is described. Translator's note.)

Other errors you may get when running iptables:

iptables: No chain/target/match by that name

This error says that there is no such chain, target or match. It may depend on a huge number of factors; most likely you are trying to use a nonexistent (or not yet defined) chain, or a nonexistent target or match. Or the necessary module is not loaded.


B.2. Packets in state NEW with the SYN bit unset

This property of iptables is not documented well enough, so many may pay too little attention to it (myself included). If you use rules that match the NEW state of a packet but do not check the state of the SYN bit, packets with the SYN bit unset will be able to "leak" through your defences. Though, in the case where we use several firewalls, such a packet may be part of an ESTABLISHED connection that was set up through another firewall. By letting such packets through we make it possible for two or more firewalls to work together, and we can stop any one of them without fear of breaking established connections, since another firewall will immediately take over the data transfer. However, this also makes it possible to establish practically any TCP connection. To avoid that, the following rules should be added to the INPUT, OUTPUT and FORWARD chains:

$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j LOG \
     --log-prefix "New not syn:"
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

Caution

The rules above take care of this problem. Be extremely careful when building rules that make decisions based on the state of a packet.

Note that there are some problems with the rules above and Microsoft's poor TCP/IP implementation. The point is that under certain conditions packets generated by Microsoft software are marked as NEW and, according to these rules, will be dropped. This does not, however, break connections, as far as I know. It happens because when a connection is closed and the final FIN/ACK packet is sent, netfilter closes the connection and removes it from the conntrack table. At that moment the defective Microsoft code sends another packet, which is given the NEW state but does not have the SYN bit set and therefore matches the rules above. In short, do not worry too much about these rules. If something goes wrong, you can look at the system log, where the dropped packets are logged (see the rules above), and sort them out.

There is one more known problem with these rules. If someone is currently connected to the firewall, for example from the LAN, and brings up PPP, the connection will be killed. This happens at the moment the conntrack and nat modules are loaded or unloaded. Another way to get this problem is to run the rc.firewall.txt script from a telnet session from another computer. To do so you connect to the firewall over telnet. You run rc.firewall.txt, which in the course of its execution starts the connection tracking modules and loads the "NEW not SYN" rules. When the telnet client or daemon tries to send something, the connection is recognized by the tracking code as NEW, but the packets do not have the SYN bit set, since they are in fact part of an already established connection. Consequently the packet matches the rules, with the result that it is logged and dropped.


B.3. SYN/ACK packets and packets in state NEW

There is a kind of spoofing attack (from English spoofing - hoax, impersonation. Translator's note.) called "TCP Sequence Number Prediction". The point of attacks of this kind is to use someone else's IP address to attack some host on the network.

To look at a typical Sequence Number Prediction attack, let [A] denote the attacking host, [V] the victim host, and [O] a third host whose IP address the attacker uses.

  1. Host [A] sends a SYN packet (a connection request. Translator's note.) to host [V] with the source IP address of host [O].

  2. Host [V] replies to host [O] with a SYN/ACK packet.

  3. Now, logically, host [O] should tear the connection down with an RST packet, since it never sent a connection request (a SYN packet), and the attack attempt would fail; however, suppose host [O] does not answer (it is switched off, overloaded, or sits behind a firewall that did not let the SYN/ACK packet through).

  4. If host [O] did not send an RST packet, thereby cutting the attack short, the attacking host [A] gets the chance to interact with host [V] while posing as [O].

By not sending the RST packet we thus assist in the attack on host [V], which could be blamed on us. It is generally accepted that an RST packet should be sent in such cases (RST in response to an unsolicited SYN/ACK). If your firewall uses rules that filter packets in state NEW with the SYN bit unset, the SYN/ACK packets will be "dropped" by those rules. Therefore the following rule must be inserted first in the bad_tcp_packets chain:

iptables -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \
-m state --state NEW -j REJECT --reject-with tcp-reset

In most cases rules like this provide a sufficient level of security for host [O], and the risk of using them is relatively small. The exception is where a series of firewalls is used. In that case some connections may end up blocked even though they are perfectly legitimate. These rules do, on top of everything else, allow some kinds of port scanning, but no more than that.


B.4. Internet Service Providers who use reserved IP addresses

I have added this section to warn you about dim-witted Internet Service Providers that hand out IP addresses which IANA has reserved for local networks. For example, the Swedish Internet Service Provider and telephone monopoly Telia uses such addresses for its DNS servers (the 10.x.x.x range). The problem you are most likely to run into is that in our scripts we block connections from any IP in the 10.x.x.x range, because of the possibility of packet spoofing. If you run into this situation you will probably have to remove some of the rules, or put rules that let traffic from these servers through ahead of the INPUT chain, for example like this:

/usr/local/sbin/iptables -t nat -I PREROUTING -i eth1 -s 10.0.0.1/32 -j ACCEPT

I would like to remind such providers that these address ranges are not meant for use on the Internet. For corporate networks, by all means; for your own home network, fine! But you should not force us to "open up" at your whim.


B.5. Letting DHCP requests through iptables

This is actually quite simple once you know how the DHCP protocol works. First of all, you need to know that DHCP runs over UDP, so the protocol is the first match criterion. Next, specify the interface: if DHCP requests arrive over $LAN_IFACE, for example, DHCP traffic should be allowed only on that interface. Finally, to make the rule more specific, narrow it down to the ports: DHCP uses ports 67 and 68. The resulting rule may therefore look like this:

$IPTABLES -I INPUT -i $LAN_IFACE -p udp --dport 67:68 --sport 67:68 -j ACCEPT

Note that this rule lets through all UDP traffic on ports 67 and 68, but that should not worry you much, since it only allows requests from hosts on the network trying to reach ports 67 and 68. This rule is quite enough to allow DHCP requests without "opening the gates" too wide. If security is a serious concern for you, you can tighten the rule further.
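The following added example (my code, not the tutorial's) serves both B.4 and B.5: it keeps the exception for an ISP's private-range resolvers as narrow as possible, and it shows the tightened form of the DHCP rule, restricted to the direction that matches the role of the firewall host. Everything in it is an assumption: the IPTABLES dry-run default, the interface variables, the placeholder resolver addresses 10.0.0.1 and 10.0.0.2 (not Telia's real servers), and the choice to place the DNS exception in the filter table's INPUT chain. That last choice matters: an ACCEPT in the nat table's PREROUTING chain only excludes the packet from further NAT rules, the filter table's INPUT chain is still traversed afterwards, so an anti-spoofing DROP that lives in INPUT needs its exception in INPUT, ahead of it.

```shell
#!/bin/sh
# Added example, not code from the tutorial. Narrow exceptions for two cases:
#   B.4: DNS replies from an ISP's resolvers that live in RFC 1918 space
#   B.5: DHCP on the LAN interface, tightened to one direction
# Assumptions (mine): IPTABLES defaults to a dry-run that prints the commands;
# the interface names and the resolver addresses are placeholders.
IPTABLES="${IPTABLES:-echo iptables}"
INET_IFACE="${INET_IFACE:-eth1}"
LAN_IFACE="${LAN_IFACE:-eth0}"
ISP_DNS="${ISP_DNS:-10.0.0.1 10.0.0.2}"   # placeholder resolver addresses

# B.4: accept replies (source port 53, ESTABLISHED in conntrack) from each
# listed resolver, on the Internet interface only. -I puts the rule at the
# head of INPUT so that it is evaluated before an anti-spoofing DROP for
# 10.0.0.0/8 in the same chain; the /32 keeps the hole to the named hosts.
allow_isp_dns() {
    for srv in $ISP_DNS; do
        for proto in udp tcp; do
            $IPTABLES -I INPUT -i "$INET_IFACE" -p "$proto" -s "$srv/32" --sport 53 \
                -m state --state ESTABLISHED -j ACCEPT
        done
    done
}

# B.5: the rule in the text matches 67:68 in both directions. Pick the role
# of this host instead: a DHCP server receives client packets sent from port
# 68 to port 67; a DHCP client receives server packets sent from 67 to 68.
allow_dhcp() {
    case "$1" in
        server) sport=68; dport=67 ;;
        client) sport=67; dport=68 ;;
        *) echo "usage: allow_dhcp server|client" >&2; return 1 ;;
    esac
    $IPTABLES -I INPUT -i "$LAN_IFACE" -p udp --sport "$sport" --dport "$dport" -j ACCEPT
}
```

`allow_dhcp server` is the form for a firewall that also runs the DHCP server for the LAN; `allow_dhcp client` is for a firewall that gets its own LAN address from another DHCP server. As in the previous example, the commands are only printed until `IPTABLES` is pointed at the real binary.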


B.6. mIRC DCC problems

mIRC has specific settings that let it connect through a firewall and handle DCC connections properly. If these settings are used together with iptables, more precisely with the ip_conntrack_irc and ip_nat_irc modules, the combination simply will not work. The problem is that mIRC performs network address translation (NAT) inside the packets on its own. As a result, when a packet reaches iptables, it simply does not know what to do with it. mIRC does not expect the firewall to be "smart" enough to handle IRC correctly, so it asks the server for its own IP address by itself and then substitutes that address when sending the DCC request.

Turning on the "I am behind a firewall" option while using the ip_conntrack_irc and ip_nat_irc modules results in netfilter writing the message "Forged DCC send packet" to the system log.

The fix for this problem is simple: turn that option off in mIRC and let iptables do all the work.


Appendix C. ICMP types

This is a complete list of ICMP message types:

Table C-1. ICMP types

TYPE  CODE  Description                                              Query Error
0     0     Echo Reply                                               x
3     0     Network Unreachable                                            x
3     1     Host Unreachable                                               x
3     2     Protocol Unreachable                                           x
3     3     Port Unreachable                                               x
3     4     Fragmentation needed but no frag. bit set                      x
3     5     Source routing failed                                          x
3     6     Destination network unknown                                    x
3     7     Destination host unknown                                       x
3     8     Source host isolated (obsolete)                                x
3     9     Destination network administratively prohibited                x
3     10    Destination host administratively prohibited                   x
3     11    Network unreachable for TOS                                    x
3     12    Host unreachable for TOS                                       x
3     13    Communication administratively prohibited by filtering         x
3     14    Host precedence violation                                      x
3     15    Precedence cutoff in effect                                    x
4     0     Source quench
5     0     Redirect for network
5     1     Redirect for host
5     2     Redirect for TOS and network
5     3     Redirect for TOS and host
8     0     Echo request                                             x
9     0     Router advertisement
10    0     Route solicitation
11    0     TTL equals 0 during transit                                    x
11    1     TTL equals 0 during reassembly                                 x
12    0     IP header bad (catchall error)                                 x
12    1     Required options missing                                       x
13    0     Timestamp request (obsolete)                             x
14    0     Timestamp reply (obsolete)                               x
15    0     Information request (obsolete)                           x
16    0     Information reply (obsolete)                             x
17    0     Address mask request                                     x
18    0     Address mask reply                                       x

Appendix D. Other resources and links

Here is a list of links where you can get additional information:



And of course the iptables source code, its documentation and the people who helped me.


Appendix E. Acknowledgements

I would like to express special gratitude to the people who gave me invaluable help in creating this document:

And of course everyone else who answered my questions and gave their opinions on this document. I am very sorry that I cannot mention everyone.


Appendix F. History

Version 1.1.19 (21 May 2003)
http://iptables-tutorial.frozentux.net
By: Oskar Andreasson
Contributors: Peter van Kampen, Xavier Bartol, Jon Anderson, Thorsten Bremer
and Spanish Translation Team.

Version 1.1.18 (24 Apr 2003)
http://iptables-tutorial.frozentux.net
By: Oskar Andreasson
Contributors: Stuart Clark, Robert P. J. Day, Mark Orenstein and Edmond Shwayri.

Version 1.1.17 (6 Apr 2003)
http://iptables-tutorial.frozentux.net
By: Oskar Andreasson
Contributors: Geraldo Amaral Filho, Ondrej Suchy, Dino Conti, Robert P. J. Day,
Velev Dimo, Spencer Rouser, Daveonos, Amanda Hickman, Olle Jonsson and
Bengt Aspvall.

Version 1.1.16 (16 Dec 2002)
http://iptables-tutorial.frozentux.net
By: Oskar Andreasson
Contributors: Clemens Schwaighower, Uwe Dippel and Dave Wreski.

Version 1.1.15 (13 Nov 2002)
http://iptables-tutorial.frozentux.net
By: Oskar Andreasson
Contributors: Mark Sonarte, A. Lester Buck, Robert P. J. Day, Togan Muftuoglu,
Antony Stone, Matthew F. Barnes and Otto Matejka.

Version 1.1.14 (14 Oct 2002)
http://iptables-tutorial.frozentux.net
By: Oskar Andreasson
Contributors: Carol Anne, Manuel Minzoni, Yves Soun, Miernik, Uwe Dippel,
Dave Klipec and Eddy L O Jansson.

Version 1.1.13 (22 Aug 2002)
http://iptables-tutorial.haringstad.com
By: Oskar Andreasson
Contributors: Tons of people reporting bad HTML version.

Version 1.1.12 (19 Aug 2002)
http://www.netfilter.org/tutorial/
By: Oskar Andreasson
Contributors: Peter Schubnell, Stephen J. Lawrence, Uwe Dippel, Bradley
Dilger, Vegard Engen, Clifford Kite, Alessandro Oliveira, Tony Earnshaw,
Harald Welte, Nick Andrew and Stepan Kasal.

Version 1.1.11 (27 May 2002)
http://www.netfilter.org/tutorial/
By: Oskar Andreasson
Contributors: Steve Hnizdur, Lonni Friedman, Jelle Kalf, Harald Welte,
Valentina Barrios and Tony Earnshaw.

Version 1.1.10 (12 April 2002)
http://www.boingworld.com/workshops/linux/iptables-tutorial/
By: Oskar Andreasson
Contributors: Jelle Kalf, Theodore Alexandrov, Paul Corbett, Rodrigo
Rubira Branco, Alistair Tonner, Matthew G. Marsh, Uwe Dippel, Evan
Nemerson and Marcel J.E. Mol.

Version 1.1.9 (21 March 2002)
http://www.boingworld.com/workshops/linux/iptables-tutorial/
By: Oskar Andreasson
Contributors: Vince Herried, Togan Muftuoglu, Galen Johnson, Kelly Ashe, Janne
Johansson, Thomas Smets, Peter Horst, Mitch Landers, Neil Jolly, Jelle Kalf,
Jason Lam and Evan Nemerson.

Version 1.1.8 (5 March 2002)
http://www.boingworld.com/workshops/linux/iptables-tutorial/
By: Oskar Andreasson

Version 1.1.7 (4 February 2002)
http://www.boingworld.com/workshops/linux/iptables-tutorial/
By: Oskar Andreasson
Contributors: Parimi Ravi, Phil Schultz, Steven McClintoc, Bill Dossett,
Dave Wreski, Erik Sjölund, Adam Mansbridge, Vasoo Veerapen, Aladdin and
Rusty Russell.

Version 1.1.6 (7 December 2001)
http://people.unix-fu.org/andreasson/
By: Oskar Andreasson
Contributors: Jim Ramsey, Phil Schultz, Göran Bäge, Doug Monroe, Jasper
Aikema, Kurt Lieber, Chris Tallon, Chris Martin, Jonas Pasche, Jan
Labanowski, Rodrigo R. Branco, Jacco van Koll and Dave Wreski.

Version 1.1.5 (14 November 2001)
http://people.unix-fu.org/andreasson/
By: Oskar Andreasson
Contributors: Fabrice Marie, Merijn Schering and Kurt Lieber.

Version 1.1.4 (6 November 2001)
http://people.unix-fu.org/andreasson
By: Oskar Andreasson
Contributors: Stig W. Jensen, Steve Hnizdur, Chris Pluta and Kurt Lieber.

Version 1.1.3 (9 October 2001)
http://people.unix-fu.org/andreasson
By: Oskar Andreasson
Contributors: Joni Chu, N.Emile Akabi-Davis and Jelle Kalf.

Version 1.1.2 (29 September 2001)
http://people.unix-fu.org/andreasson
By: Oskar Andreasson

Version 1.1.1 (26 September 2001)
http://people.unix-fu.org/andreasson
By: Oskar Andreasson
Contributors: Dave Richardson.

Version 1.1.0 (15 September 2001)
http://people.unix-fu.org/andreasson
By: Oskar Andreasson

Version 1.0.9 (9 September 2001)
http://people.unix-fu.org/andreasson
By: Oskar Andreasson

Version 1.0.8 (7 September 2001)
http://people.unix-fu.org/andreasson
By: Oskar Andreasson

Version 1.0.7 (23 August 2001)
http://people.unix-fu.org/andreasson
By: Oskar Andreasson
Contributors: Fabrice Marie.

Version 1.0.6
http://people.unix-fu.org/andreasson
By: Oskar Andreasson

Version 1.0.5
http://people.unix-fu.org/andreasson
By: Oskar Andreasson
Contributors: Fabrice Marie.


Appendix G. GNU Free Documentation License

Version 1.1, March 2000

Copyright (C) 2000 Free Software Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.


0. PREAMBLE

The purpose of this License is to make a manual, textbook, or other written document "free" in the sense of freedom: to assure everyone the effective freedom to copy and redistribute it, with or without modifying it, either commercially or noncommercially. Secondarily, this License preserves for the author and publisher a way to get credit for their work, while not being considered responsible for modifications made by others.

This License is a kind of "copyleft", which means that derivative works of the document must themselves be free in the same sense. It complements the GNU General Public License, which is a copyleft license designed for free software.

We have designed this License in order to use it for manuals for free software, because free software needs free documentation: a free program should come with manuals providing the same freedoms that the software does. But this License is not limited to software manuals; it can be used for any textual work, regardless of subject matter or whether it is published as a printed book. We recommend this License principally for works whose purpose is instruction or reference.


1. APPLICABILITY AND DEFINITIONS

This License applies to any manual or other work that contains a notice placed by the copyright holder saying it can be distributed under the terms of this License. The "Document", below, refers to any such manual or work. Any member of the public is a licensee, and is addressed as "you".

A "Modified Version" of the Document means any work containing the Document or a portion of it, either copied verbatim, or with modifications and/or translated into another language.

A "Secondary Section" is a named appendix or a front-matter section of the Document that deals exclusively with the relationship of the publishers or authors of the Document to the Document's overall subject (or to related matters) and contains nothing that could fall directly within that overall subject. (For example, if the Document is in part a textbook of mathematics, a Secondary Section may not explain any mathematics.) The relationship could be a matter of historical connection with the subject or with related matters, or of legal, commercial, philosophical, ethical or political position regarding them.

The "Invariant Sections" are certain Secondary Sections whose titles are designated, as being those of Invariant Sections, in the notice that says that the Document is released under this License.

The "Cover Texts" are certain short passages of text that are listed, as Front-Cover Texts or Back-Cover Texts, in the notice that says that the Document is released under this License.

A "Transparent" copy of the Document means a machine-readable copy, represented in a format whose specification is available to the general public, whose contents can be viewed and edited directly and straightforwardly with generic text editors or (for images composed of pixels) generic paint programs or (for drawings) some widely available drawing editor, and that is suitable for input to text formatters or for automatic translation to a variety of formats suitable for input to text formatters. A copy made in an otherwise Transparent file format whose markup has been designed to thwart or discourage subsequent modification by readers is not Transparent. A copy that is not "Transparent" is called "Opaque".

Examples of suitable formats for Transparent copies include plain ASCII without markup, Texinfo input format, LaTeX input format, SGML or XML using a publicly available DTD, and standard-conforming simple HTML designed for human modification. Opaque formats include PostScript, PDF, proprietary formats that can be read and edited only by proprietary word processors, SGML or XML for which the DTD and/or processing tools are not generally available, and the machine-generated HTML produced by some word processors for output purposes only.

The "Title Page" means, for a printed book, the title page itself, plus such following pages as are needed to hold, legibly, the material this License requires to appear in the title page. For works in formats which do not have any title page as such, "Title Page" means the text near the most prominent appearance of the work's title, preceding the beginning of the body of the text.


2. VERBATIM COPYING

You may copy and distribute the Document in any medium, either commercially or noncommercially, provided that this License, the copyright notices, and the license notice saying this License applies to the Document are reproduced in all copies, and that you add no other conditions whatsoever to those of this License. You may not use technical measures to obstruct or control the reading or further copying of the copies you make or distribute. However, you may accept compensation in exchange for copies. If you distribute a large enough number of copies you must also follow the conditions in section 3.

You may also lend copies, under the same conditions stated above, and you may publicly display copies.


3. COPYING IN QUANTITY

If you publish printed copies of the Document numbering more than 100, and the Document's license notice requires Cover Texts, you must enclose the copies in covers that carry, clearly and legibly, all these Cover Texts: Front-Cover Texts on the front cover, and Back-Cover Texts on the back cover. Both covers must also clearly and legibly identify you as the publisher of these copies. The front cover must present the full title with all words of the title equally prominent and visible. You may add other material on the covers in addition. Copying with changes limited to the covers, as long as they preserve the title of the Document and satisfy these conditions, can be treated as verbatim copying in other respects.

If the required texts for either cover are too voluminous to fit legibly, you should put the first ones listed (as many as fit reasonably) on the actual cover, and continue the rest onto adjacent pages.

If you publish or distribute Opaque copies of the Document numbering more than 100, you must either include a machine-readable Transparent copy along with each Opaque copy, or state in or with each Opaque copy a publicly-accessible computer-network location containing a complete Transparent copy of the Document, free of added material, which the general network-using public has access to download anonymously at no charge using public-standard network protocols. If you use the latter option, you must take reasonably prudent steps, when you begin distribution of Opaque copies in quantity, to ensure that this Transparent copy will remain thus accessible at the stated location until at least one year after the last time you distribute an Opaque copy (directly or through your agents or retailers) of that edition to the public.

It is requested, but not required, that you contact the authors of the Document well before redistributing any large number of copies, to give them a chance to provide you with an updated version of the Document.


4. MODIFICATIONS

You may copy and distribute a Modified Version of the Document under the conditions of sections 2 and 3 above, provided that you release the Modified Version under precisely this License, with the Modified Version filling the role of the Document, thus licensing distribution and modification of the Modified Version to whoever possesses a copy of it. In addition, you must do these things in the Modified Version:

  1. Use in the Title Page (and on the covers, if any) a title distinct from that of the Document, and from those of previous versions (which should, if there were any, be listed in the History section of the Document). You may use the same title as a previous version if the original publisher of that version gives permission.

  2. List on the Title Page, as authors, one or more persons or entities responsible for authorship of the modifications in the Modified Version, together with at least five of the principal authors of the Document (all of its principal authors, if it has less than five).

  3. State on the Title page the name of the publisher of the Modified Version, as the publisher.

  4. Preserve all the copyright notices of the Document.

  5. Add an appropriate copyright notice for your modifications adjacent to the other copyright notices.

  6. Include, immediately after the copyright notices, a license notice giving the public permission to use the Modified Version under the terms of this License, in the form shown in the Addendum below.

  7. Preserve in that license notice the full lists of Invariant Sections and required Cover Texts given in the Document's license notice.

  8. Include an unaltered copy of this License.

  9. Preserve the section entitled "History", and its title, and add to it an item stating at least the title, year, new authors, and publisher of the Modified Version as given on the Title Page. If there is no section entitled "History" in the Document, create one stating the title, year, authors, and publisher of the Document as given on its Title Page, then add an item describing the Modified Version as stated in the previous sentence.

  10. Preserve the network location, if any, given in the Document for public access to a Transparent copy of the Document, and likewise the network locations given in the Document for previous versions it was based on. These may be placed in the "History" section. You may omit a network location for a work that was published at least four years before the Document itself, or if the original publisher of the version it refers to gives permission.

  11. In any section entitled "Acknowledgements" or "Dedications", preserve the section's title, and preserve in the section all the substance and tone of each of the contributor acknowledgements and/or dedications given therein.

  12. Preserve all the Invariant Sections of the Document, unaltered in their text and in their titles. Section numbers or the equivalent are not considered part of the section titles.

  13. Delete any section entitled "Endorsements". Such a section may not be included in the Modified Version.

  14. Do not retitle any existing section as "Endorsements" or to conflict in title with any Invariant Section.

If the Modified Version includes new front-matter sections or appendices that qualify as Secondary Sections and contain no material copied from the Document, you may at your option designate some or all of these sections as invariant. To do this, add their titles to the list of Invariant Sections in the Modified Version's license notice. These titles must be distinct from any other section titles.

You may add a section entitled "Endorsements", provided it contains nothing but endorsements of your Modified Version by various parties--for example, statements of peer review or that the text has been approved by an organization as the authoritative definition of a standard.

You may add a passage of up to five words as a Front-Cover Text, and a passage of up to 25 words as a Back-Cover Text, to the end of the list of Cover Texts in the Modified Version. Only one passage of Front-Cover Text and one of Back-Cover Text may be added by (or through arrangements made by) any one entity. If the Document already includes a cover text for the same cover, previously added by you or by arrangement made by the same entity you are acting on behalf of, you may not add another; but you may replace the old one, on explicit permission from the previous publisher that added the old one.

The author(s) and publisher(s) of the Document do not by this License give permission to use their names for publicity for or to assert or imply endorsement of any Modified Version.


5. COMBINING DOCUMENTS

You may combine the Document with other documents released under this License, under the terms defined in section 4 above for modified versions, provided that you include in the combination all of the Invariant Sections of all of the original documents, unmodified, and list them all as Invariant Sections of your combined work in its license notice.

The combined work need only contain one copy of this License, and multiple identical Invariant Sections may be replaced with a single copy. If there are multiple Invariant Sections with the same name but different contents, make the title of each such section unique by adding at the end of it, in parentheses, the name of the original author or publisher of that section if known, or else a unique number. Make the same adjustment to the section titles in the list of Invariant Sections in the license notice of the combined work.

In the combination, you must combine any sections entitled "History" in the various original documents, forming one section entitled "History"; likewise combine any sections entitled "Acknowledgements", and any sections entitled "Dedications". You must delete all sections entitled "Endorsements."


6. COLLECTIONS OF DOCUMENTS

You may make a collection consisting of the Document and other documents released under this License, and replace the individual copies of this License in the various documents with a single copy that is included in the collection, provided that you follow the rules of this License for verbatim copying of each of the documents in all other respects.

You may extract a single document from such a collection, and distribute it individually under this License, provided you insert a copy of this License into the extracted document, and follow this License in all other respects regarding verbatim copying of that document.


7. AGGREGATION WITH INDEPENDENT WORKS

A compilation of the Document or its derivatives with other separate and independent documents or works, in or on a volume of a storage or distribution medium, does not as a whole count as a Modified Version of the Document, provided no compilation copyright is claimed for the compilation. Such a compilation is called an "aggregate", and this License does not apply to the other self-contained works thus compiled with the Document, on account of their being thus compiled, if they are not themselves derivative works of the Document.

If the Cover Text requirement of section 3 is applicable to these copies of the Document, then if the Document is less than one quarter of the entire aggregate, the Document's Cover Texts may be placed on covers that surround only the Document within the aggregate. Otherwise they must appear on covers around the whole aggregate.


8. TRANSLATION

Translation is considered a kind of modification, so you may distribute translations of the Document under the terms of section 4. Replacing Invariant Sections with translations requires special permission from their copyright holders, but you may include translations of some or all Invariant Sections in addition to the original versions of these Invariant Sections. You may include a translation of this License provided that you also include the original English version of this License. In case of a disagreement between the translation and the original English version of this License, the original English version will prevail.


9. TERMINATION

You may not copy, modify, sublicense, or distribute the Document except as expressly provided for under this License. Any other attempt to copy, modify, sublicense or distribute the Document is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.


10. FUTURE REVISIONS OF THIS LICENSE

The Free Software Foundation may publish new, revised versions of the GNU Free Documentation License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. See http://www.gnu.org/copyleft/.

Each version of the License is given a distinguishing version number. If the Document specifies that a particular numbered version of this License "or any later version" applies to it, you have the option of following the terms and conditions either of that specified version or of any later version that has been published (not as a draft) by the Free Software Foundation. If the Document does not specify a version number of this License, you may choose any version ever published (not as a draft) by the Free Software Foundation.


How to use this License for your documents

To use this License in a document you have written, include a copy of the License in the document and put the following copyright and license notices just after the title page:

Copyright (c) YEAR YOUR NAME. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1 or any later version published by the Free Software Foundation; with the Invariant Sections being LIST THEIR TITLES, with the Front-Cover Texts being LIST, and with the Back-Cover Texts being LIST. A copy of the license is included in the section entitled "GNU Free Documentation License".

If you have no Invariant Sections, write "with no Invariant Sections" instead of saying which ones are invariant. If you have no Front-Cover Texts, write "no Front-Cover Texts" instead of "Front-Cover Texts being LIST"; likewise for Back-Cover Texts.

If your document contains nontrivial examples of program code, we recommend releasing these examples in parallel under your choice of free software license, such as the GNU General Public License, to permit their use in free software.


Appendix H. GNU General Public License

Version 2, June 1991

Copyright (C) 1989, 1991 Free Software Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.


0. Preamble

The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Library General Public License instead.) You can apply it to your programs, too.

When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things.

To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it.

For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights.

We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software.

Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations.

Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all.

The precise terms and conditions for copying, distribution and modification follow.


1. TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

  1. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you".

    Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does.

  2. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program.

    You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.

  2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:

    a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change.

    b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License.

    c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.)

    These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.

    Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program.

    In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.

  3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following:

    a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,

    b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,

    c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.)

    The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.

    If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code.

  4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.

  5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it.

  6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License.

  7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program.

    If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances.

    It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice.

    This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.

  8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License.

  9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.

    Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation.

  10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.

  NO WARRANTY

  11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

  12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

END OF TERMS AND CONDITIONS


2. How to Apply These Terms to Your New Programs

If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms.

To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found.

<one line to give the program's name and a brief idea of what it does.>
Copyright (C) <year>  <name of author>

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

Also add information on how to contact you by electronic and paper mail.

If the program is interactive, make it output a short notice like this when it starts in an interactive mode:

Gnomovision version 69, Copyright (C) year name of author
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
This is free software, and you are welcome to redistribute it
under certain conditions; type `show c' for details.

The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than `show w' and `show c'; they could even be mouse-clicks or menu items--whatever suits your program.

You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the program, if necessary. Here is a sample; alter the names:

Yoyodyne, Inc., hereby disclaims all copyright interest in the program
`Gnomovision' (which makes passes at compilers) written by James Hacker.

<signature of Ty Coon>, 1 April 1989
Ty Coon, President of Vice

This General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Library General Public License instead of this License.


Appendix I. Example scripts

I.1. Example rc.firewall script

#!/bin/sh
#
# rc.firewall - Initial SIMPLE IP Firewall script for Linux 2.4.x and iptables
#
# Copyright (C) 2001  Oskar Andreasson <bluefluxATkoffeinDOTnet>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA  02111-1307   USA
#

###########################################################################
#
# 1. Configuration options.
#

#
# 1.1 Internet Configuration.
#

INET_IP="194.236.50.155"
INET_IFACE="eth0"
INET_BROADCAST="194.236.50.255"

#
# 1.1.1 DHCP
#

#
# 1.1.2 PPPoE
#

#
# 1.2 Local Area Network configuration.
#
# your LAN's IP range and localhost IP. /16 means to only use the first 16
# bits of the 32 bit IP address, the same as netmask 255.255.0.0
#

LAN_IP="192.168.0.2"
LAN_IP_RANGE="192.168.0.0/16"
LAN_IFACE="eth1"

#
# 1.3 DMZ Configuration.
#

#
# 1.4 Localhost Configuration.
#

LO_IFACE="lo"
LO_IP="127.0.0.1"

#
# 1.5 IPTables Configuration.
#

IPTABLES="/usr/sbin/iptables"

#
# 1.6 Other Configuration.
#

###########################################################################
#
# 2. Module loading.
#

#
# Needed to initially load modules
#

/sbin/depmod -a

#
# 2.1 Required modules
#

/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state

#
# 2.2 Non-Required modules
#

#/sbin/modprobe ipt_owner
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
#/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_nat_irc

###########################################################################
#
# 3. /proc set up.
#

#
# 3.1 Required proc configuration
#

echo "1" > /proc/sys/net/ipv4/ip_forward

#
# 3.2 Non-Required proc configuration
#

#echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
#echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr

###########################################################################
#
# 4. rules set up.
#

######
# 4.1 Filter table
#

#
# 4.1.1 Set policies
#

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

#
# 4.1.2 Create userspecified chains
#

#
# Create chain for bad tcp packets
#

$IPTABLES -N bad_tcp_packets

#
# Create separate chains for ICMP, TCP and UDP to traverse
#

$IPTABLES -N allowed
$IPTABLES -N tcp_packets
$IPTABLES -N udp_packets
$IPTABLES -N icmp_packets

#
# 4.1.3 Create content in userspecified chains
#

#
# bad_tcp_packets chain
#

$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \
-m state --state NEW -j REJECT --reject-with tcp-reset 
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

#
# allowed chain
#

$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

#
# TCP rules
#

$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed

#
# UDP ports
#

#$IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 53 -j ACCEPT
#$IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 123 -j ACCEPT
$IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 2074 -j ACCEPT
$IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 4000 -j ACCEPT

#
# In Microsoft Networks you will be swamped by broadcasts. These lines 
# will prevent them from showing up in the logs.
#

#$IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d $INET_BROADCAST \
#--destination-port 135:139 -j DROP

#
# If we get DHCP requests from the Outside of our network, our logs will 
# be swamped as well. This rule will block them from getting logged.
#

#$IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d 255.255.255.255 \
#--destination-port 67:68 -j DROP

#
# ICMP rules
#

$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

#
# 4.1.4 INPUT chain
#

#
# Bad TCP packets we don't want.
#

$IPTABLES -A INPUT -p tcp -j bad_tcp_packets

#
# Rules for special networks not part of the Internet
#

$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT

#
# Special rule for DHCP requests from LAN, which are not caught properly
# otherwise.
#

$IPTABLES -A INPUT -p UDP -i $LAN_IFACE --dport 67 --sport 68 -j ACCEPT

#
# Rules for incoming packets from the internet.
#

$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED \
-j ACCEPT
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udp_packets
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets

#
# If you have a Microsoft Network on the outside of your firewall, you may 
# also get flooded by Multicasts. We drop them so we do not get flooded by 
# logs
#

#$IPTABLES -A INPUT -i $INET_IFACE -d 224.0.0.0/8 -j DROP

#
# Log weird packets that don't match the above.
#

$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT INPUT packet died: "

#
# 4.1.5 FORWARD chain
#

#
# Bad TCP packets we don't want
#

$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets

#
# Accept the packets we actually want to forward
#

$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT FORWARD packet died: "

#
# 4.1.6 OUTPUT chain
#

#
# Bad TCP packets we don't want.
#

$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets

#
# Special OUTPUT rules to decide which IP's to allow.
#

$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

######
# 4.2 nat table
#

#
# 4.2.1 Set policies
#

#
# 4.2.2 Create user specified chains
#

#
# 4.2.3 Create content in user specified chains
#

#
# 4.2.4 PREROUTING chain
#

#
# 4.2.5 POSTROUTING chain
#

#
# Enable simple IP Forwarding and Network Address Translation
#

$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP

#
# 4.2.6 OUTPUT chain
#

######
# 4.3 mangle table
#

#
# 4.3.1 Set policies
#

#
# 4.3.2 Create user specified chains
#

#
# 4.3.3 Create content in user specified chains
#

#
# 4.3.4 PREROUTING chain
#

#
# 4.3.5 INPUT chain
#

#
# 4.3.6 FORWARD chain
#

#
# 4.3.7 OUTPUT chain
#

#
# 4.3.8 POSTROUTING chain
#

   



I.2. Example rc.DMZ.firewall script

#!/bin/sh
#
# rc.DMZ.firewall - DMZ IP Firewall script for Linux 2.4.x and iptables
#
# Copyright (C) 2001  Oskar Andreasson <bluefluxATkoffeinDOTnet>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA  02111-1307   USA
#

###########################################################################
#
# 1. Configuration options.
#

#
# 1.1 Internet Configuration.
#

INET_IP="194.236.50.152"
HTTP_IP="194.236.50.153"
DNS_IP="194.236.50.154"
INET_IFACE="eth0"

#
# 1.1.1 DHCP
#

#
# 1.1.2 PPPoE
#

#
# 1.2 Local Area Network configuration.
#
# your LAN's IP range and localhost IP. /24 means to only use the first 24
# bits of the 32 bit IP address. the same as netmask 255.255.255.0
#

LAN_IP="192.168.0.1"
LAN_IFACE="eth1"

#
# 1.3 DMZ Configuration.
#

DMZ_HTTP_IP="192.168.1.2"
DMZ_DNS_IP="192.168.1.3"
DMZ_IP="192.168.1.1"
DMZ_IFACE="eth2"

#
# 1.4 Localhost Configuration.
#

LO_IFACE="lo"
LO_IP="127.0.0.1"

#
# 1.5 IPTables Configuration.
#

IPTABLES="/usr/sbin/iptables"

#
# 1.6 Other Configuration.
#

###########################################################################
#
# 2. Module loading.
#

#
# Needed to initially load modules
#
/sbin/depmod -a

#
# 2.1 Required modules
#

/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state

#
# 2.2 Non-Required modules
#

#/sbin/modprobe ipt_owner
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
#/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_nat_irc

###########################################################################
#
# 3. /proc set up.
#

#
# 3.1 Required proc configuration
#

echo "1" > /proc/sys/net/ipv4/ip_forward

#
# 3.2 Non-Required proc configuration
#

#echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
#echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr

###########################################################################
#
# 4. rules set up.
#

######
# 4.1 Filter table
#

#
# 4.1.1 Set policies
#

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

#
# 4.1.2 Create userspecified chains
#

#
# Create chain for bad tcp packets
#

$IPTABLES -N bad_tcp_packets

#
# Create separate chains for ICMP, TCP and UDP to traverse
#

$IPTABLES -N allowed
$IPTABLES -N icmp_packets

#
# 4.1.3 Create content in userspecified chains
#

#
# bad_tcp_packets chain
#

$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \
-m state --state NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

#
# allowed chain
#

$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

#
# ICMP rules
#

# Changed rules totally
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

#
# 4.1.4 INPUT chain
#

#
# Bad TCP packets we don't want
#

$IPTABLES -A INPUT -p tcp -j bad_tcp_packets

#
# Packets from the Internet to this box
#

$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets

#
# Packets from LAN, DMZ or LOCALHOST
#

#
# From DMZ Interface to DMZ firewall IP
#

$IPTABLES -A INPUT -p ALL -i $DMZ_IFACE -d $DMZ_IP -j ACCEPT

#
# From LAN Interface to LAN firewall IP
#

$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_IP -j ACCEPT

#
# From Localhost interface to Localhost IP's
#

$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT

#
# Special rule for DHCP requests from LAN, which are not caught properly
# otherwise.
#

$IPTABLES -A INPUT -p UDP -i $LAN_IFACE --dport 67 --sport 68 -j ACCEPT

#
# All established and related packets incoming from the internet to the
# firewall
#

$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED \
-j ACCEPT

#
# In Microsoft Networks you will be swamped by broadcasts. These lines
# will prevent them from showing up in the logs.
#

# Note: INET_BROADCAST is not set in section 1.1 of this script; define it
# there before enabling these lines.
#$IPTABLES -A INPUT -p UDP -i $INET_IFACE -d $INET_BROADCAST \
#--destination-port 135:139 -j DROP

#
# If we get DHCP requests from the Outside of our network, our logs will
# be swamped as well. This rule will block them from getting logged.
#

#$IPTABLES -A INPUT -p UDP -i $INET_IFACE -d 255.255.255.255 \
#--destination-port 67:68 -j DROP

#
# If you have a Microsoft Network on the outside of your firewall, you may
# also get flooded by Multicasts. We drop them so we do not get flooded by
# logs
#

#$IPTABLES -A INPUT -i $INET_IFACE -d 224.0.0.0/8 -j DROP

#
# Log weird packets that don't match the above.
#

$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT INPUT packet died: "

#
# 4.1.5 FORWARD chain
#

#
# Bad TCP packets we don't want
#

$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets


#
# DMZ section
#
# General rules
#

$IPTABLES -A FORWARD -i $DMZ_IFACE -o $INET_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $INET_IFACE -o $DMZ_IFACE -m state \
--state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $LAN_IFACE -o $DMZ_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $DMZ_IFACE -o $LAN_IFACE -m state \
--state ESTABLISHED,RELATED -j ACCEPT

#
# HTTP server
#

$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP \
--dport 80 -j allowed
$IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP \
-j icmp_packets

#
# DNS server
#

$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP \
--dport 53 -j allowed
$IPTABLES -A FORWARD -p UDP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP \
--dport 53 -j ACCEPT
$IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP \
-j icmp_packets

#
# LAN section
#

$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT FORWARD packet died: "

#
# 4.1.6 OUTPUT chain
#

#
# Bad TCP packets we don't want.
#

$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets

#
# Special OUTPUT rules to decide which IP's to allow.
#

$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

######
# 4.2 nat table
#

#
# 4.2.1 Set policies
#

#
# 4.2.2 Create user specified chains
#

#
# 4.2.3 Create content in user specified chains
#

#
# 4.2.4 PREROUTING chain
#

$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $HTTP_IP --dport 80 \
-j DNAT --to-destination $DMZ_HTTP_IP
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $DNS_IP --dport 53 \
-j DNAT --to-destination $DMZ_DNS_IP
$IPTABLES -t nat -A PREROUTING -p UDP -i $INET_IFACE -d $DNS_IP --dport 53 \
-j DNAT --to-destination $DMZ_DNS_IP

#
# 4.2.5 POSTROUTING chain
#

#
# Enable simple IP Forwarding and Network Address Translation
#

$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP

#
# 4.2.6 OUTPUT chain
#

######
# 4.3 mangle table
#

#
# 4.3.1 Set policies
#

#
# 4.3.2 Create user specified chains
#

#
# 4.3.3 Create content in user specified chains
#

#
# 4.3.4 PREROUTING chain
#

#
# 4.3.5 INPUT chain
#

#
# 4.3.6 FORWARD chain
#

#
# 4.3.7 OUTPUT chain
#

#
# 4.3.8 POSTROUTING chain
#
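All three scripts share the bad_tcp_packets and allowed chains, and rc.DMZ.firewall adds DNAT rules in the nat table that run before the FORWARD chain. The Python model below is an added illustration, not code from the tutorial: it re-implements the PREROUTING, INPUT and FORWARD rules of rc.DMZ.firewall so that the path nat PREROUTING, then routing decision, then filter chain can be traced for constructed packets. The routing decision is simplified to the three directly connected networks, and the rate-limited LOG rules are only noted in the verdict strings.

```python
from dataclasses import dataclass

# Addresses and interfaces exactly as set in section 1 of rc.DMZ.firewall.
INET_IP, HTTP_IP, DNS_IP = "194.236.50.152", "194.236.50.153", "194.236.50.154"
LAN_IP, DMZ_IP = "192.168.0.1", "192.168.1.1"
DMZ_HTTP_IP, DMZ_DNS_IP = "192.168.1.2", "192.168.1.3"
INET_IFACE, LAN_IFACE, DMZ_IFACE = "eth0", "eth1", "eth2"
LOCAL_IPS = {INET_IP, HTTP_IP, DNS_IP, LAN_IP, DMZ_IP, "127.0.0.1"}
EST = ("ESTABLISHED", "RELATED")

@dataclass
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    in_iface: str                   # interface the packet arrived on
    src: str
    dst: str
    dport: int = 0
    sport: int = 0
    state: str = "NEW"              # conntrack state: NEW, ESTABLISHED, RELATED, INVALID
    flags: frozenset = frozenset()  # TCP flags that are set, e.g. {"SYN"}
    icmp_type: int = -1
    out_iface: str = ""             # filled in by the routing decision

def syn_only(p):
    """iptables --syn: SYN set and ACK, RST, FIN clear."""
    return "SYN" in p.flags and not (p.flags & {"ACK", "RST", "FIN"})

def bad_tcp_packets(p):
    """The bad_tcp_packets chain; None means 'return to the calling chain'."""
    if p.proto != "tcp":
        return None
    if p.state == "NEW" and {"SYN", "ACK"} <= p.flags:
        return "REJECT tcp-reset"            # --tcp-flags SYN,ACK SYN,ACK --state NEW
    if p.state == "NEW" and not syn_only(p):
        return "DROP (LOG 'New not syn:')"  # ! --syn --state NEW -> LOG, then DROP
    return None

def allowed(p):
    """The allowed chain: a new SYN or a tracked connection; anything else is dropped."""
    return "ACCEPT" if syn_only(p) or p.state in EST else "DROP"

def icmp_packets(p):
    return "ACCEPT" if p.icmp_type in (8, 11) else None   # echo request, time exceeded

def nat_prerouting(p):
    """4.2.4: DNAT the public HTTP and DNS addresses to the DMZ servers."""
    if p.in_iface == INET_IFACE and p.proto == "tcp" and (p.dst, p.dport) == (HTTP_IP, 80):
        p.dst = DMZ_HTTP_IP
    elif p.in_iface == INET_IFACE and p.proto in ("tcp", "udp") and (p.dst, p.dport) == (DNS_IP, 53):
        p.dst = DMZ_DNS_IP
    return p

def route(p):
    """Routing decision after PREROUTING: local address -> INPUT, otherwise FORWARD."""
    if p.dst in LOCAL_IPS:
        return "INPUT"
    net = p.dst.rsplit(".", 1)[0]
    p.out_iface = {"192.168.1": DMZ_IFACE, "192.168.0": LAN_IFACE}.get(net, INET_IFACE)
    return "FORWARD"

def filter_input(p):
    """4.1.4 INPUT chain in script order; the chain policy is DROP."""
    if v := bad_tcp_packets(p):
        return v
    if p.proto == "icmp" and p.in_iface == INET_IFACE and icmp_packets(p):
        return "ACCEPT"
    if (p.in_iface, p.dst) in ((DMZ_IFACE, DMZ_IP), (LAN_IFACE, LAN_IP)):
        return "ACCEPT"
    if p.in_iface == "lo" and p.src in ("127.0.0.1", LAN_IP, INET_IP):
        return "ACCEPT"
    if p.proto == "udp" and p.in_iface == LAN_IFACE and (p.dport, p.sport) == (67, 68):
        return "ACCEPT"
    if p.dst == INET_IP and p.state in EST:  # matches INET_IP only, not HTTP_IP/DNS_IP
        return "ACCEPT"
    return "DROP (policy; LOG 'IPT INPUT packet died: ')"

def filter_forward(p):
    """4.1.5 FORWARD chain in script order; the chain policy is DROP."""
    if v := bad_tcp_packets(p):
        return v
    io = (p.in_iface, p.out_iface)
    if io in ((DMZ_IFACE, INET_IFACE), (LAN_IFACE, DMZ_IFACE)):
        return "ACCEPT"                      # DMZ -> Internet and LAN -> DMZ: anything
    if io in ((INET_IFACE, DMZ_IFACE), (DMZ_IFACE, LAN_IFACE)) and p.state in EST:
        return "ACCEPT"                      # the reverse directions: replies only
    if io == (INET_IFACE, DMZ_IFACE):        # per-server rules see the DNATed address
        if p.proto == "tcp" and (p.dst, p.dport) in ((DMZ_HTTP_IP, 80), (DMZ_DNS_IP, 53)):
            return allowed(p)
        if p.proto == "udp" and (p.dst, p.dport) == (DMZ_DNS_IP, 53):
            return "ACCEPT"
        if p.proto == "icmp" and p.dst in (DMZ_HTTP_IP, DMZ_DNS_IP) and icmp_packets(p):
            return "ACCEPT"
    if p.in_iface == LAN_IFACE or p.state in EST:
        return "ACCEPT"
    return "DROP (policy; LOG 'IPT FORWARD packet died: ')"

def walk(p):
    """Trace one arriving packet; mutates p and returns (chain, final dst, verdict)."""
    p = nat_prerouting(p)
    chain = route(p)
    return chain, p.dst, filter_input(p) if chain == "INPUT" else filter_forward(p)
```

Walking a few constructed packets through `walk()` shows that FORWARD matches on the already translated destination, that a port with no DNAT rule lands in the firewall's own INPUT chain and its DROP policy, and that a host in the DMZ cannot open new connections toward the LAN.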

   



I.3. Example rc.UTIN.firewall script

#!/bin/sh
#
# rc.firewall - UTIN Firewall script for Linux 2.4.x and iptables
#
# Copyright (C) 2001  Oskar Andreasson <bluefluxATkoffeinDOTnet>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA  02111-1307   USA
#

###########################################################################
#
# 1. Configuration options.
#

#
# 1.1 Internet Configuration.
#

INET_IP="194.236.50.155"
INET_IFACE="eth0"
INET_BROADCAST="194.236.50.255"

#
# 1.1.1 DHCP
#

#
# 1.1.2 PPPoE
#

#
# 1.2 Local Area Network configuration.
#
# your LAN's IP range and localhost IP. /16 means to only use the first 16
# bits of the 32 bit IP address, the same as netmask 255.255.0.0
#

LAN_IP="192.168.0.2"
LAN_IP_RANGE="192.168.0.0/16"
LAN_IFACE="eth1"

#
# 1.3 DMZ Configuration.
#

#
# 1.4 Localhost Configuration.
#

LO_IFACE="lo"
LO_IP="127.0.0.1"

#
# 1.5 IPTables Configuration.
#

IPTABLES="/usr/sbin/iptables"

#
# 1.6 Other Configuration.
#

###########################################################################
#
# 2. Module loading.
#

#
# Needed to initially load modules
#

/sbin/depmod -a

#
# 2.1 Required modules
#

/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state

#
# 2.2 Non-Required modules
#

#/sbin/modprobe ipt_owner
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
#/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_nat_irc

###########################################################################
#
# 3. /proc set up.
#

#
# 3.1 Required proc configuration
#

echo "1" > /proc/sys/net/ipv4/ip_forward

#
# 3.2 Non-Required proc configuration
#

#echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
#echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr

###########################################################################
#
# 4. rules set up.
#

######
# 4.1 Filter table
#

#
# 4.1.1 Set policies
#

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

#
# 4.1.2 Create userspecified chains
#

#
# Create chain for bad tcp packets
#

$IPTABLES -N bad_tcp_packets

#
# Create separate chains for ICMP, TCP and UDP to traverse
#

$IPTABLES -N allowed
$IPTABLES -N tcp_packets
$IPTABLES -N udp_packets
$IPTABLES -N icmp_packets

#
# 4.1.3 Create content in userspecified chains
#

#
# bad_tcp_packets chain
#

$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \
-m state --state NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

#
# allowed chain
#

$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

#
# TCP rules
#

$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed

#
# UDP ports
#
# Note that these rules trust the *source* port alone: anyone can send a
# UDP packet with source port 2074 or 4000 to any local UDP service.
# Replies to queries the firewall itself sent (DNS, NTP) are already
# accepted by the ESTABLISHED,RELATED rule in the INPUT chain, so only
# enable what you really need here.
#

#$IPTABLES -A udp_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
#$IPTABLES -A udp_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT
$IPTABLES -A udp_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT
$IPTABLES -A udp_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT

#
# In Microsoft Networks you will be swamped by broadcasts. These lines
# will prevent them from showing up in the logs.
#

#$IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d $INET_BROADCAST \
#--destination-port 135:139 -j DROP

#
# If we get DHCP requests from the Outside of our network, our logs will
# be swamped as well. This rule will block them from getting logged.
#

#$IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d 255.255.255.255 \
#--destination-port 67:68 -j DROP

#
# ICMP rules
#

$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

#
# 4.1.4 INPUT chain
#

#
# Bad TCP packets we don't want.
#

$IPTABLES -A INPUT -p tcp -j bad_tcp_packets

#
# Rules for special networks not part of the Internet
#

$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT

#
# Rules for incoming packets from anywhere.
#

$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED \
-j ACCEPT
$IPTABLES -A INPUT -p TCP -j tcp_packets
$IPTABLES -A INPUT -p UDP -j udp_packets
$IPTABLES -A INPUT -p ICMP -j icmp_packets

#
# If you have a Microsoft Network on the outside of your firewall, you may
# also get flooded by Multicasts. We drop them so we do not get flooded by
# logs
#

#$IPTABLES -A INPUT -i $INET_IFACE -d 224.0.0.0/8 -j DROP

#
# Log weird packets that don't match the above.
#

$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT INPUT packet died: "

#
# 4.1.5 FORWARD chain
#

#
# Bad TCP packets we don't want
#

$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets

#
# Accept the packets we actually want to forward
#

$IPTABLES -A FORWARD -p tcp --dport 21 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 80 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 110 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT FORWARD packet died: "

#
# 4.1.6 OUTPUT chain
#

#
# Bad TCP packets we don't want.
#

$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets

#
# Special OUTPUT rules to decide which IP's to allow.
#

$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

######
# 4.2 nat table
#

#
# 4.2.1 Set policies
#

#
# 4.2.2 Create user specified chains
#

#
# 4.2.3 Create content in user specified chains
#

#
# 4.2.4 PREROUTING chain
#

#
# 4.2.5 POSTROUTING chain
#

#
# Enable simple IP Forwarding and Network Address Translation
#

$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP

#
# 4.2.6 OUTPUT chain
#

######
# 4.3 mangle table
#

#
# 4.3.1 Set policies
#

#
# 4.3.2 Create user specified chains
#

#
# 4.3.3 Create content in user specified chains
#

#
# 4.3.4 PREROUTING chain
#

#
# 4.3.5 INPUT chain
#

#
# 4.3.6 FORWARD chain
#

#
# 4.3.7 OUTPUT chain
#

#
# 4.3.8 POSTROUTING chain
#

   



I.4. Example rc.DHCP.firewall

#!/bin/sh
#
# rc.firewall - DHCP IP Firewall script for Linux 2.4.x and iptables
#
# Copyright (C) 2001  Oskar Andreasson <bluefluxATkoffeinDOTnet>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA  02111-1307   USA
#

###########################################################################
#
# 1. Configuration options.
#

#
# 1.1 Internet Configuration.
#

INET_IFACE="eth0"

#
# 1.1.1 DHCP
#

#
# Information pertaining to DHCP over the Internet, if needed.
#
# Set DHCP variable to no if you don't get IP from DHCP. If you get DHCP
# over the Internet set this variable to yes, and set up the proper IP
# address for the DHCP server in the DHCP_SERVER variable.
#

DHCP="no"
DHCP_SERVER="195.22.90.65"

#
# 1.1.2 PPPoE
#

# Configuration options pertaining to PPPoE.
#
# If you have problems with your PPPoE connection, such as large mails not
# getting through while small mails get through properly, you may set this
# option to "yes", which may fix the problem. It adds a rule to the
# POSTROUTING chain of the nat table (section 4.2.5 below) that clamps the
# MSS of outgoing TCP SYN packets to the path MTU (PMTU). The nat table only
# sees the first packet of each connection, which for TCP is the SYN, so
# that is enough to fix the MSS for the whole connection.
#
# Note that it is better to set this up in the PPPoE package itself, since
# the PPPoE configuration option will give less overhead.
#

PPPOE_PMTU="no"

#
#
# 1.2 Local Area Network configuration.
#
# Your LAN's IP range and the firewall's own LAN IP. The /16 in
# LAN_IP_RANGE means that only the first 16 bits of the 32-bit address
# identify the network, the same as netmask 255.255.0.0; use /24
# (netmask 255.255.255.0) if your LAN is a single 192.168.0.x subnet.
#

LAN_IP="192.168.0.2"
LAN_IP_RANGE="192.168.0.0/16"
LAN_IFACE="eth1"

#
# 1.3 DMZ Configuration.
#

#
# 1.4 Localhost Configuration.
#

LO_IFACE="lo"
LO_IP="127.0.0.1"

#
# 1.5 IPTables Configuration.
#

IPTABLES="/usr/sbin/iptables"

#
# 1.6 Other Configuration.
#

###########################################################################
#
# 2. Module loading.
#

#
# Needed to initially load modules
#

/sbin/depmod -a

#
# 2.1 Required modules
#

/sbin/modprobe ip_conntrack
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state
/sbin/modprobe ipt_MASQUERADE

#
# 2.2 Non-Required modules
#

#/sbin/modprobe ipt_owner
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
#/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_nat_irc

###########################################################################
#
# 3. /proc set up.
#

#
# 3.1 Required proc configuration
#

echo "1" > /proc/sys/net/ipv4/ip_forward

#
# 3.2 Non-Required proc configuration
#

#echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
#echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr

###########################################################################
#
# 4. rules set up.
#

######
# 4.1 Filter table
#

#
# 4.1.1 Set policies
#

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

#
# 4.1.2 Create userspecified chains
#

#
# Create chain for bad tcp packets
#

$IPTABLES -N bad_tcp_packets

#
# Create separate chains for ICMP, TCP and UDP to traverse
#

$IPTABLES -N allowed
$IPTABLES -N tcp_packets
$IPTABLES -N udp_packets
$IPTABLES -N icmp_packets

#
# 4.1.3 Create content in userspecified chains
#

#
# bad_tcp_packets chain
#

$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \
-m state --state NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

#
# allowed chain
#

$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

#
# TCP rules
#

$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed

#
# UDP ports
#
# The rules below trust the *source* port alone (anyone can send UDP with
# source port 53 to any local service); replies to the firewall's own DNS
# queries are already accepted by the ESTABLISHED,RELATED rule in INPUT.
# The DHCP rule is tighter: it only accepts packets from the configured
# DHCP server, from the server port (67) to the client port (68).
#

$IPTABLES -A udp_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
if [ "$DHCP" = "yes" ] ; then
 $IPTABLES -A udp_packets -p UDP -s $DHCP_SERVER --sport 67 \
 --dport 68 -j ACCEPT
fi

#$IPTABLES -A udp_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT
$IPTABLES -A udp_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT
$IPTABLES -A udp_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT

#
# In Microsoft Networks you will be swamped by broadcasts. These lines
# will prevent them from showing up in the logs.
#

#$IPTABLES -A udp_packets -p UDP -i $INET_IFACE \
#--destination-port 135:139 -j DROP

#
# If we get DHCP requests from the Outside of our network, our logs will
# be swamped as well. This rule will block them from getting logged.
#

#$IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d 255.255.255.255 \
#--destination-port 67:68 -j DROP

#
# ICMP rules
#

$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

#
# 4.1.4 INPUT chain
#

#
# Bad TCP packets we don't want.
#

$IPTABLES -A INPUT -p tcp -j bad_tcp_packets

#
# Rules for special networks not part of the Internet
#

$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -j ACCEPT

#
# Special rule for DHCP requests from the LAN (needed if the firewall runs
# the DHCP server). A client that has no address yet sends them from
# 0.0.0.0 to 255.255.255.255, so the LAN_IP_RANGE rule above does not
# match them.
#

$IPTABLES -A INPUT -p UDP -i $LAN_IFACE --dport 67 --sport 68 -j ACCEPT

#
# Rules for incoming packets from the internet.
#

$IPTABLES -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
-j ACCEPT
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udp_packets
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets

#
# If you have a Microsoft Network on the outside of your firewall, you may
# also get flooded by Multicasts. We drop them so we do not get flooded by
# logs
#

#$IPTABLES -A INPUT -i $INET_IFACE -d 224.0.0.0/8 -j DROP

#
# Log weird packets that don't match the above.
#

$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT INPUT packet died: "

#
# 4.1.5 FORWARD chain
#

#
# Bad TCP packets we don't want
#

$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets

#
# Accept the packets we actually want to forward
#

$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT FORWARD packet died: "

#
# 4.1.6 OUTPUT chain
#

#
# Bad TCP packets we don't want.
#

$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets

#
# Special OUTPUT rules to decide which IP's to allow.
#

$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

######
# 4.2 nat table
#

#
# 4.2.1 Set policies
#

#
# 4.2.2 Create user specified chains
#

#
# 4.2.3 Create content in user specified chains
#

#
# 4.2.4 PREROUTING chain
#

#
# 4.2.5 POSTROUTING chain
#

if [ "$PPPOE_PMTU" = "yes" ] ; then
 $IPTABLES -t nat -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN \
 -j TCPMSS --clamp-mss-to-pmtu
fi
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE

#
# 4.2.6 OUTPUT chain
#

######
# 4.3 mangle table
#

#
# 4.3.1 Set policies
#

#
# 4.3.2 Create user specified chains
#

#
# 4.3.3 Create content in user specified chains
#

#
# 4.3.4 PREROUTING chain
#

#
# 4.3.5 INPUT chain
#

#
# 4.3.6 FORWARD chain
#

#
# 4.3.7 OUTPUT chain
#

#
# 4.3.8 POSTROUTING chain
#

   



I.5. Example rc.flush-iptables

#!/bin/sh
# 
# rc.flush-iptables - Resets iptables to default values. 
# 
# Copyright (C) 2001  Oskar Andreasson <bluefluxATkoffeinDOTnet>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA  02111-1307   USA

#
# Configurations
#
IPTABLES="/usr/sbin/iptables"

#
# reset the default policies in the filter table. Note that from this point
# on, until a new rule-set is loaded, the host accepts all traffic.
#
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT

#
# reset the default policies in the nat table.
#
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT

#
# reset the default policies in the mangle table. The INPUT, FORWARD and
# POSTROUTING chains of the mangle table exist from kernel 2.4.18 on; on
# older kernels those three lines only print an error and can be removed.
#
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P INPUT ACCEPT
$IPTABLES -t mangle -P FORWARD ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT
$IPTABLES -t mangle -P POSTROUTING ACCEPT

#
# flush all the rules in the filter, nat and mangle tables.
#
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
#
# erase all user-defined chains in the filter, nat and mangle tables.
# -X only removes empty, unreferenced chains, which is why the tables are
# flushed first.
#
$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X



   



I.6. Example rc.test-iptables

#!/bin/bash
#
# rc.test-iptables - test script for iptables chains and tables.
#
# Copyright (C) 2001  Oskar Andreasson <bluefluxATkoffeinDOTnet>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA  02111-1307   USA
#

#
# Filter table, all chains
#
iptables -t filter -A INPUT -p icmp --icmp-type echo-request \
-j LOG --log-prefix="filter INPUT:"
iptables -t filter -A INPUT -p icmp --icmp-type echo-reply \
-j LOG --log-prefix="filter INPUT:"
iptables -t filter -A OUTPUT -p icmp --icmp-type echo-request \
-j LOG --log-prefix="filter OUTPUT:"
iptables -t filter -A OUTPUT -p icmp --icmp-type echo-reply \
-j LOG --log-prefix="filter OUTPUT:"
iptables -t filter -A FORWARD -p icmp --icmp-type echo-request \
-j LOG --log-prefix="filter FORWARD:"
iptables -t filter -A FORWARD -p icmp --icmp-type echo-reply \
-j LOG --log-prefix="filter FORWARD:"

#
# NAT table, all chains. Only the first packet of each connection traverses
# the nat table, so these rules log the first packet of a ping session only;
# the nat OUTPUT chain only sees packets generated on the firewall itself.
#
iptables -t nat -A PREROUTING -p icmp --icmp-type echo-request \
-j LOG --log-prefix="nat PREROUTING:"
iptables -t nat -A PREROUTING -p icmp --icmp-type echo-reply \
-j LOG --log-prefix="nat PREROUTING:"
iptables -t nat -A POSTROUTING -p icmp --icmp-type echo-request \
-j LOG --log-prefix="nat POSTROUTING:"
iptables -t nat -A POSTROUTING -p icmp --icmp-type echo-reply \
-j LOG --log-prefix="nat POSTROUTING:"
iptables -t nat -A OUTPUT -p icmp --icmp-type echo-request \
-j LOG --log-prefix="nat OUTPUT:"
iptables -t nat -A OUTPUT -p icmp --icmp-type echo-reply \
-j LOG --log-prefix="nat OUTPUT:"

#
# Mangle table, all chains. The INPUT, FORWARD and POSTROUTING chains of the
# mangle table exist from kernel 2.4.18 on.
#
iptables -t mangle -A PREROUTING -p icmp --icmp-type echo-request \
-j LOG --log-prefix="mangle PREROUTING:"
iptables -t mangle -A PREROUTING -p icmp --icmp-type echo-reply \
-j LOG --log-prefix="mangle PREROUTING:"
iptables -t mangle -A FORWARD -p icmp --icmp-type echo-request \
-j LOG --log-prefix="mangle FORWARD:"
iptables -t mangle -A FORWARD -p icmp --icmp-type echo-reply \
-j LOG --log-prefix="mangle FORWARD:"
iptables -t mangle -A INPUT -p icmp --icmp-type echo-request \
-j LOG --log-prefix="mangle INPUT:"
iptables -t mangle -A INPUT -p icmp --icmp-type echo-reply \
-j LOG --log-prefix="mangle INPUT:"
iptables -t mangle -A OUTPUT -p icmp --icmp-type echo-request \
-j LOG --log-prefix="mangle OUTPUT:"
iptables -t mangle -A OUTPUT -p icmp --icmp-type echo-reply \
-j LOG --log-prefix="mangle OUTPUT:"
iptables -t mangle -A POSTROUTING -p icmp --icmp-type echo-request \
-j LOG --log-prefix="mangle POSTROUTING:"
iptables -t mangle -A POSTROUTING -p icmp --icmp-type echo-reply \
-j LOG --log-prefix="mangle POSTROUTING:"

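The LOG rules of rc.test-iptables, and the "IPT ... packet died:" rules of the rc.*.firewall scripts above, are only useful once you read the kernel log back. The following is an added example, not part of the tutorial or its scripts: a POSIX shell/awk reader that reconstructs, for one packet, the order in which the tables and chains logged it, and counts what the DROP policies discarded per chain and source. SAMPLE_LOG is constructed for this example (host name, addresses and IP ID values are made up); it follows the traversal order the tutorial describes for a masqueraded ping from the LAN and its reply.

```sh
#!/bin/sh
# Added example: read back what the LOG rules of rc.test-iptables and the
# "packet died" rules of the rc.*.firewall scripts write to the kernel log.
#
# SAMPLE_LOG is constructed for this example. It shows one echo-request
# from a LAN host (IP ID=4711) being forwarded out through the masquerading
# firewall and the echo-reply (IP ID=9001) coming back, followed by three
# probes that the INPUT/FORWARD DROP policies discarded. The first "ID=" on
# a line is the IP header ID (the later one is the ICMP echo ID); it is
# what ties the log lines of one packet together.
SAMPLE_LOG='Jan 10 12:00:01 gw kernel: mangle PREROUTING:IN=eth1 OUT= SRC=192.168.0.3 DST=194.236.50.1 LEN=84 TTL=64 ID=4711 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Jan 10 12:00:01 gw kernel: nat PREROUTING:IN=eth1 OUT= SRC=192.168.0.3 DST=194.236.50.1 LEN=84 TTL=64 ID=4711 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Jan 10 12:00:01 gw kernel: mangle FORWARD:IN=eth1 OUT=eth0 SRC=192.168.0.3 DST=194.236.50.1 LEN=84 TTL=63 ID=4711 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Jan 10 12:00:01 gw kernel: filter FORWARD:IN=eth1 OUT=eth0 SRC=192.168.0.3 DST=194.236.50.1 LEN=84 TTL=63 ID=4711 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Jan 10 12:00:01 gw kernel: mangle POSTROUTING:IN= OUT=eth0 SRC=192.168.0.3 DST=194.236.50.1 LEN=84 TTL=63 ID=4711 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Jan 10 12:00:01 gw kernel: nat POSTROUTING:IN= OUT=eth0 SRC=192.168.0.3 DST=194.236.50.1 LEN=84 TTL=63 ID=4711 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Jan 10 12:00:01 gw kernel: mangle PREROUTING:IN=eth0 OUT= SRC=194.236.50.1 DST=194.236.50.155 LEN=84 TTL=55 ID=9001 PROTO=ICMP TYPE=0 CODE=0 ID=1 SEQ=1
Jan 10 12:00:01 gw kernel: mangle FORWARD:IN=eth0 OUT=eth1 SRC=194.236.50.1 DST=192.168.0.3 LEN=84 TTL=54 ID=9001 PROTO=ICMP TYPE=0 CODE=0 ID=1 SEQ=1
Jan 10 12:00:01 gw kernel: filter FORWARD:IN=eth0 OUT=eth1 SRC=194.236.50.1 DST=192.168.0.3 LEN=84 TTL=54 ID=9001 PROTO=ICMP TYPE=0 CODE=0 ID=1 SEQ=1
Jan 10 12:00:01 gw kernel: mangle POSTROUTING:IN= OUT=eth1 SRC=194.236.50.1 DST=192.168.0.3 LEN=84 TTL=54 ID=9001 PROTO=ICMP TYPE=0 CODE=0 ID=1 SEQ=1
Jan 10 12:00:05 gw kernel: IPT INPUT packet died: IN=eth0 OUT= SRC=10.0.0.9 DST=194.236.50.155 LEN=40 TTL=240 ID=555 PROTO=TCP SPT=6000 DPT=23 SYN
Jan 10 12:00:06 gw kernel: IPT INPUT packet died: IN=eth0 OUT= SRC=10.0.0.9 DST=194.236.50.155 LEN=40 TTL=240 ID=556 PROTO=TCP SPT=6000 DPT=25 SYN
Jan 10 12:00:07 gw kernel: IPT FORWARD packet died: IN=eth0 OUT=eth1 SRC=10.0.0.8 DST=192.168.0.3 LEN=40 TTL=240 ID=557 PROTO=TCP SPT=6001 DPT=139 SYN'

# trace_packet IPID: print the "table CHAIN" log prefixes recorded for the
# packet with that IP header ID, in the order they were logged. That is the
# order in which the tables and chains were traversed for this packet.
trace_packet() {
    awk -v want="$1" '
        {
            if (match($0, / ID=[0-9]+/) == 0) next
            id = substr($0, RSTART + 4, RLENGTH - 4)
            if (id != want) next
            p = index($0, "kernel: ") + 8
            q = index($0, ":IN=")
            if (q == 0) next
            printf "%s%s", sep, substr($0, p, q - p)
            sep = " -> "
        }
        END { if (sep != "") printf "\n" }'
}

# count_dropped: count the packets logged by the "IPT <chain> packet died:"
# rules, per chain and source address, most frequent first.
count_dropped() {
    awk '
        /packet died:/ {
            chain = $0; sub(/.*IPT /, "", chain); sub(/ packet died:.*/, "", chain)
            src = $0;   sub(/.*SRC=/, "", src);  sub(/ .*/, "", src)
            n[chain " " src]++
        }
        END { for (k in n) print n[k], k }' | sort -k1,1nr -k2
}

printf '%s\n' "$SAMPLE_LOG" | trace_packet 4711
printf '%s\n' "$SAMPLE_LOG" | trace_packet 9001
printf '%s\n' "$SAMPLE_LOG" | count_dropped
```

On a live firewall feed it the real log instead, e.g. `grep 'kernel:' /var/log/messages | trace_packet 4711`. Two things worth noticing in the output: the reply (9001) never touches the nat table, because only the first packet of a connection does, and its destination has already been translated back to the LAN host between mangle PREROUTING and mangle FORWARD without any rule being consulted. And the drop counts are a floor, not a total: the "packet died" rules are rate-limited to 3 log lines per minute, so a port scan shows up as at most three lines per minute per chain.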
   



Iptables Tutorial (Iptables Tutorial 1.1.14)

Oskar Andreasson

blueflux@koffein.net

Copyright (C) 2001-2002 by Oskar Andreasson

Translation: Andrey Kiselev kis_an@mail.ru

The latest version of this document can be found at: http://www.linuxsecurity.com/resource_files/firewalls/IPTables-Tutorial/iptables-tutorial.html


Permission is granted to copy and/or modify this document, or parts of it, under the terms of the GNU Free Documentation License, version 1.1. The invariant sections are the "Introduction" section and all of its subsections, as well as the sections beginning with the words "Original Author: Oskar Andreasson".
A copy of the GNU Free Documentation License is included in this document, in the section "GNU Free Documentation License".

All scripts in this tutorial are covered by the GNU General Public License. They are all freely distributable and may be copied and/or modified under the terms of the GNU General Public License, version 2.

All scripts are distributed in the hope that they will be useful to you, but WITHOUT ANY WARRANTY. For further details refer to the text of the GNU General Public License.

A copy of the GNU General Public License should be distributed with this document, in the section "GNU General Public License"; if it is missing, you can write to Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA


Dedications

First of all I would like to dedicate this document to my wonderful girlfriend Ninel. She supports me more than I will ever be able to support her.

Secondly, to all the Linux developers who created this wonderful operating system, for their incredibly hard work.


Contents

About the author
How to read this document
Typographic conventions
Introduction
Why this tutorial was written
How it was written
Terms used in this document
Preparations
Where to get iptables
Kernel setup
Installing the package
Compiling the package
Installation on Red Hat 7.1
Traversing of tables and chains
General
The Mangle table
The Nat table
The Filter table
The state machine
Introduction
The conntrack table
States
TCP connections
UDP connections
ICMP connections
Default behaviour
Connection tracking for complex protocols
How a rule is built
Basics
Tables
Commands
Matches
Generic matches
Implicit matches
Explicit matches
Targets and jumps
ACCEPT target
DROP target
QUEUE target
RETURN target
LOG target
MARK target
REJECT target
TOS target
MIRROR target
SNAT target
DNAT target
MASQUERADE target
REDIRECT target
TTL target
ULOG target
The rc.firewall file
Example rc.firewall
Explanation of the rc.firewall script
Configuration
Loading extra modules
Setting up /proc
Placing rules in other chains
Setting default policies
Creating user-defined chains
The bad_tcp_packets chain
The allowed chain
The TCP chain
The UDP chain
The ICMP chain
The INPUT chain
The OUTPUT chain
The FORWARD chain
The PREROUTING chain of the nat table
Starting Network Address Translation
Example scripts
Structure of the rc.firewall.txt file
Structure
rc.firewall.txt
rc.DMZ.firewall.txt
rc.DHCP.firewall.txt
rc.UTIN.firewall.txt
rc.test-iptables.txt
rc.flush-iptables.txt
Detailed explanation of special commands
Listing the rule-set
Updating and flushing your tables
Common problems and questions
Problems loading modules
Passive FTP but no DCC
NEW packets without the SYN bit set
Internet Service Providers (ISPs) who use reserved IP addresses
Letting DHCP requests through iptables
mIRC DCC problems
ICMP types
Links to other resources
Acknowledgements
History
GNU Free Documentation License
0. PREAMBLE
1. APPLICABILITY AND DEFINITIONS
2. VERBATIM COPYING
3. COPYING IN QUANTITY
4. MODIFICATIONS
5. COMBINING DOCUMENTS
6. COLLECTIONS OF DOCUMENTS
7. AGGREGATION WITH INDEPENDENT WORKS
8. TRANSLATION
9. TERMINATION
10. FUTURE REVISIONS OF THIS LICENSE
How to use this License for your documents
GNU General Public License
0. Preamble
1. TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
2. How to Apply These Terms to Your New Programs
Example scripts
Example rc.firewall script
Example rc.DMZ.firewall script
Example rc.UTIN.firewall script
Example rc.DHCP.firewall script
Example rc.flush-iptables script
rc.test-iptables

About the author

I am someone who has a fair number of old computers in his care, which I have joined into a local network with Internet access and whose security I look after. In that respect the move from ipchains to iptables is justified. Previously, to make your network more secure, you could drop all packets by closing specific ports, but that caused problems with passive FTP or outgoing DCC in IRC, where the server assigns ports dynamically and then tells the client which port to connect to. Early on I ran into a few "illnesses" inherited from ipchains and considered the iptables code not quite ready for a final release. Today, however, I would recommend everyone still using ipchains or ipfwadm to switch to iptables!


How to read this document

This document was written to make the wonderful world of iptables easier for readers to understand. You will not find information here about bugs in iptables or netfilter. If you run into one, you can contact the development team, who can tell you whether it really is a bug. Today iptables and netfilter contain very few bugs, although one or two do slip through now and then. Information about such bugs is always published on the netfilter home page.

This also means that the rule-sets accompanying this tutorial were written without regard to any bugs inside netfilter. The main purpose of the examples is to show how a rule-set is written and which problems you may run into. For example, this document does not explain how to close the Apache 1.2.12 vulnerability on the HTTP port (the examples do show how to close that port, but for a different reason).

This document was written to give beginners a good, simple and at the same time reasonably complete tutorial on iptables. It does not cover the targets and matches from patch-o-matic, for the simple reason that it would take too much effort to keep up with the whole list of changes. If you need information about the patch-o-matic modifications, consult the documentation that accompanies the specific patch-o-matic; it is available from the netfilter home page.


Typographic conventions

This document uses the following conventions to mark up different kinds of information:

  • Commands typed by the user, and the output those commands produce, are shown in a monospaced font; in addition, user input is shown in bold:

    [blueflux@work1 neigh]$ ls
    default eth0 lo
    [blueflux@work1 neigh]$
  • All commands and program names are shown in bold.
  • All references to hardware, and to kernel internals or abstract system concepts (for example the loopback interface), are shown in italics.
  • File names and paths are shown like this: /usr/local/bin/iptables.

Introduction

Why this tutorial was written

Let me put it this way: I felt there was an annoying gap in the HOWTOs when it came to information about iptables and the netfilter functions implemented in the new Linux 2.4.x kernel series. Among other things, I tried to answer some questions about the new features, such as state matching. Most of them are illustrated in the script file rc.firewall.txt, which you can put in /etc/rc.d/. For those who are interested, this file was originally based on the masquerading HOWTO.

There you will also find a small script I wrote, rc.flush-iptables.txt, which you can use for your own needs and extend to fit your configuration as necessary.


How it was written

I consulted Marc Boucher and other members of the netfilter development team. I take this opportunity to express my great gratitude for their help in creating this tutorial, which was written for boingworld.com. This document walks you through the setup process step by step, and I hope that by the end of it you will know considerably more about the iptables package. Most of the material is based on the rc.firewall.txt file, because I believe that working through an example is the best way to learn iptables. I will go through the main chains in the order in which they are traversed. This makes the learning a little harder, but the presentation becomes more logical. And whenever you run into difficulties, you can come back to this tutorial.


Terms used in this document

This document uses a few terms that should be explained before you encounter them.

"Stream" - by this term I mean a connection over which packets are sent and received. I use it for connections that carry at least two packets, in both directions. For TCP this may mean a connection over which a SYN packet is sent and a SYN/ACK packet is then received. But it may equally mean sending a SYN packet and receiving an ICMP Host unreachable message. In other words, I use this term in a fairly broad sense.

"State" - by this term I mean the state a packet is in according to RFC 793 - Transmission Control Protocol, and according to the interpretation used in netfilter/iptables. Note that the packet-state definitions used by Netfilter, both the internal and the user-visible ones, do not fully correspond to RFC 793.

"User space" - by this term I mean everything that lives outside the kernel. For example, the command iptables -h runs entirely outside the kernel, whereas iptables -A FORWARD -p tcp -j ACCEPT runs (partly) in kernel space, since it adds a new rule to the existing rule-set.

"Kernel space" - more or less the opposite of "user space". It refers to execution inside the kernel.

"Userland" - see "User space".


Preparations

The aim of this chapter is to help you understand the role that netfilter and iptables play in Linux today. It should also help you install and configure a firewall.


Where to get iptables

The iptables package can be downloaded from the netfilter home page. To work with iptables, the kernel of your Linux system must be configured accordingly. Kernel setup is discussed below.


Kernel setup

To get the basic iptables functionality, the following options must be enabled in the kernel with make config or a similar tool (make menuconfig or make xconfig, translator's note):

CONFIG_PACKET -- This option is needed by applications that work directly with network devices, such as tcpdump or snort.

CONFIG_NETFILTER -- This option is needed if you are going to use the computer as a firewall or as a gateway to the Internet. In other words, you definitely need it, otherwise why would you be reading this tutorial!
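Before going on to the extended options, a quick way to verify that a kernel actually has what the tutorial's scripts need. The following is an added example, not part of the tutorial: a POSIX shell check that reads a kernel .config and reports, for the two options above and for the kernel options behind the modules the rc.*.firewall scripts in the appendix load with modprobe, whether each is built in, built as a module or missing. The module-to-option mapping (e.g. ipt_limit to CONFIG_IP_NF_MATCH_LIMIT) is my own, and SAMPLE_CONFIG is constructed so that two options are missing.

```sh
#!/bin/sh
# Added example: check a kernel .config for the options the firewall
# scripts need. Kernel 2.4.x option names behind the modules the scripts
# modprobe (ip_tables, ip_conntrack, iptable_filter, iptable_mangle,
# iptable_nat, ipt_LOG, ipt_MASQUERADE, ipt_limit, ipt_state), plus the two
# basic options. "y" means built in, "m" means built as a module (then
# modprobe is needed), absent or "is not set" means the feature is missing.
REQUIRED_OPTIONS='CONFIG_PACKET
CONFIG_NETFILTER
CONFIG_IP_NF_CONNTRACK
CONFIG_IP_NF_IPTABLES
CONFIG_IP_NF_FILTER
CONFIG_IP_NF_MANGLE
CONFIG_IP_NF_NAT
CONFIG_IP_NF_TARGET_LOG
CONFIG_IP_NF_TARGET_MASQUERADE
CONFIG_IP_NF_MATCH_LIMIT
CONFIG_IP_NF_MATCH_STATE'

# Constructed sample .config: connection tracking and the LOG target are
# modules, NAT is absent entirely and MASQUERADE is explicitly disabled.
SAMPLE_CONFIG='CONFIG_PACKET=y
CONFIG_NETFILTER=y
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_MANGLE=y
CONFIG_IP_NF_TARGET_LOG=m
# CONFIG_IP_NF_TARGET_MASQUERADE is not set
CONFIG_IP_NF_MATCH_LIMIT=y
CONFIG_IP_NF_MATCH_STATE=y'

# check_config: read a kernel .config on stdin and print one line per
# required option: "<option> builtin", "<option> module" or "<option> MISSING".
# Only lines of the form CONFIG_X=value count; "# CONFIG_X is not set"
# lines are comments and therefore leave the option missing.
check_config() {
    awk -v list="$REQUIRED_OPTIONS" '
        BEGIN { n = split(list, want, "\n") }
        /^CONFIG_[A-Z0-9_]+=/ {
            eq = index($0, "=")
            state[substr($0, 1, eq - 1)] = substr($0, eq + 1)
        }
        END {
            for (i = 1; i <= n; i++) {
                o = want[i]
                if (o == "") continue
                if (state[o] == "y")      print o, "builtin"
                else if (state[o] == "m") print o, "module"
                else                      print o, "MISSING"
            }
        }'
}

# missing_options: only the names of the absent options, for use in scripts
missing_options() {
    check_config | awk '$2 == "MISSING" { print $1 }'
}

printf '%s\n' "$SAMPLE_CONFIG" | check_config
# On a live system use the real configuration instead of the sample:
#   zcat /proc/config.gz | check_config
#   check_config < /boot/config-$(uname -r)
```

Anything reported as "module" must be loaded before the rules that use it, which is exactly what section 2 of the scripts does with modprobe; anything reported as MISSING means the corresponding iptables command will fail at load time, leaving the firewall with whatever policies and rules were loaded up to that point.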

And of course you need to add the drivers for your devices, i.e. for your Ethernet card, PPP and SLIP. To use the advanced features of iptables you will have to enable some additional kernel options. Below is a list of those options for kernel 2.4.9, each with a brief description.

CONFIG_IP_NF_CONNTRACK -- ôÒÁÓÓÉÒÏ×ËÁ ÓÏÅÄÉÎÅÎÉÊ. ôÒÁÓÓÉÒÏ×ËÁ ÓÏÅÄÉÎÅÎÉÊ, ÓÒÅÄÉ ×ÓÅÇÏ ÐÒÏÞÅÇÏ, ÉÓÐÏÌØÚÕÅÔÓÑ ÐÒÉ ÔÒÁÎÓÌÑÃÉÉ ÓÅÔÅ×ÙÈ ÁÄÒÅÓÏ× É ÍÁÓËÁÒÁÄÉÎÇÅ (NAT and Masquerading). åÓÌÉ ×Ù ÓÏÂÉÒÁÅÔÅÓØ ÓÔÒÏÉÔØ ÓÅÔÅ×ÏÊ ÜËÒÁÎ (firewall) ÄÌÑ ÌÏËÁÌØÎÏÊ ÓÅÔÉ, ÔÏ ×ÁÍ ÏÐÒÅÄÅÌÅÎÎÏ ÐÏÔÒÅÂÕÅÔÓÑ ÜÔÁ ÏÐÃÉÑ. ë ÐÒÉÍÅÒÕ, ÜÔÏÔ ÍÏÄÕÌØ ÎÅÏÂÈÏÄÉÍ ÄÌÑ ÒÁÂÏÔÙ rc.firewall.txt.

CONFIG_IP_NF_FTP -- ôÒÁÓÓÉÒÏ×ËÁ FTP ÓÏÅÄÉÎÅÎÉÊ. ïÂÍÅÎ ÐÏ FTP ÉÄÅÔ ÓÌÉÛËÏÍ ÉÎÔÅÎÓÉ×ÎÏ, ÞÔÏÂÙ ÉÓÐÏÌØÚÏ×ÁÔØ ÏÂÙÞÎÙÅ ÍÅÔÏÄÙ ÔÒÁÓÓÉÒÏ×ËÉ. åÓÌÉ ÎÅ ÄÏÂÁ×ÉÔØ ÜÔÏÔ ÍÏÄÕÌØ, ÔÏ ×Ù ÓÔÏÌËÎÅÔÅÓØ Ó ÔÒÕÄÎÏÓÔÑÍÉ ÐÒÉ ÐÅÒÅÄÁÞÅ ÐÒÏÔÏËÏÌÁ FTP ÞÅÒÅÚ ÓÅÔÅ×ÏÊ ÜËÒÁÎ (firewall).

CONFIG_IP_NF_IPTABLES -- This option is required for filtering, network address translation (NAT) and masquerading. Without it you cannot do anything with iptables at all.

CONFIG_IP_NF_MATCH_LIMIT -- This module is optional, but it is used in the rc.firewall.txt examples. It lets you limit how often a rule may match. For example, -m limit --limit 3/minute says that the rule may match at most 3 packets per minute (after an initial burst, 5 packets by default). The module is therefore useful against denial-of-service attacks, most often to keep LOG rules from flooding syslog. Note that it limits only how often that one rule matches; packets the rule does not match simply fall through to the following rules, so it protects the service behind the firewall only if the limited rule is the one that accepts the traffic.

CONFIG_IP_NF_MATCH_MAC -- This module lets you build rules based on MAC addresses. As you know, every network card has its own unique Ethernet address, so it is possible to block packets coming from specific MAC addresses (i.e. from specific network cards). Keep in mind that the source MAC address is only that of the last hop on the local segment and is trivially forged, so the match is valid only for incoming packets (the PREROUTING, INPUT and FORWARD chains) and is no substitute for IP-level filtering. Note that this module is not used in rc.firewall.txt or anywhere else in this tutorial.

CONFIG_IP_NF_MATCH_MARK -- The MARK match. With the MARK target we can mark the packets we are interested in and then, in other tables or in the routing code, decide how to handle a marked packet depending on the mark value. A more detailed description of MARK is given later in this document.

CONFIG_IP_NF_MATCH_MULTIPORT -- This module lets you build rules that match a whole set of source or destination ports (up to 15 in one rule) instead of a single port.

CONFIG_IP_NF_MATCH_TOS -- This module lets you build rules based on the TOS field of the packet. TOS stands for Type Of Service. It is also possible to set and clear the bits of this field in your own rules in the mangle table, or with the ip/tc commands.

CONFIG_IP_NF_MATCH_TCPMSS -- This option adds the ability to match on the MSS (Maximum Segment Size) option carried in TCP SYN packets.

CONFIG_IP_NF_MATCH_STATE -- This is one of the most important improvements over ipchains. This module lets you match packets based on the state of the connection they belong to. For example, suppose we have an established TCP connection with traffic in both directions; a packet received on that connection is then considered ESTABLISHED. This feature is used extensively in the rc.firewall.txt example.

CONFIG_IP_NF_MATCH_UNCLEAN -- This module adds an extra check of IP, TCP, UDP and ICMP packets for inconsistencies, "oddities" and errors. Having installed it we can, for example, drop packets of this kind. However, note that the module is still experimental and does not behave the same way in all cases, so you can never be sure that you have not dropped perfectly valid packets.

CONFIG_IP_NF_MATCH_OWNER -- Matches on the "owner" of the local socket (the user, group, process or session that created it). For example, we could allow only root to reach the Internet. Since the owner is known only for locally generated packets, the match is useful only in the OUTPUT chain. This module was written as an example of working with iptables. Note that it has experimental status and may not always do its job.
CONFIG_IP_NF_FILTER -- Implements the filter table, where most of the filtering is done. This table contains the INPUT, FORWARD and OUTPUT chains. The module is mandatory if you plan to filter packets.

CONFIG_IP_NF_TARGET_REJECT -- Adds the REJECT target, which sends an error message back in reply to a packet rejected by the rule instead of silently dropping it. By default the reply is an ICMP port unreachable error; for TCP you can instead answer with a TCP RST (--reject-with tcp-reset), which is how a closed TCP port normally refuses a connection and is what TCP clients expect, whereas UDP and ICMP can only be answered with ICMP errors.

CONFIG_IP_NF_TARGET_MIRROR -- The ability to send a received packet back to its sender (reflection). For example, if MIRROR is applied to packets going to the HTTP port through our INPUT chain (i.e. to our web server, translator's note), the packet will be sent back (reflected) and, as a result, the sender will see its own home page. (This is one big "if": if the sender runs a web server, if it runs on the same port, if the sender has a home page, and so on. The point is that, from the sender's perspective, everything looks as if it had sent the packet to its own machine; put simply, MIRROR swaps the source and destination addresses and sends the modified packet back out. Translator's note.) Treat MIRROR as a curiosity: it is experimental, it can be abused to bounce traffic at third parties, and later kernels dropped it.

CONFIG_IP_NF_NAT -- NAT. Network address translation in its various forms. With this option you can give Internet access to all the computers in your local network while holding only one public IP address. This option is required by the rc.firewall.txt example.

CONFIG_IP_NF_TARGET_MASQUERADE -- Masquerading. Unlike SNAT, masquerading is used when our Internet IP address is not known in advance, i.e. for DHCP, PPP, SLIP or any other kind of connection that assigns the IP address dynamically. Masquerading puts a somewhat higher load on the computer than SNAT does, but it works when the external IP address cannot be specified beforehand.

CONFIG_IP_NF_TARGET_REDIRECT -- Redirection. This target is usually used together with a proxy. Instead of simply passing a packet on, it redirects the packet to another port on the firewall itself. In other words, it lets us do "transparent proxying".

CONFIG_IP_NF_TARGET_LOG -- Adds the LOG target to iptables. We can use this module to record individual packets in the system log (syslog). This can be very useful when debugging your scripts.

CONFIG_IP_NF_TARGET_TCPMSS -- This option can be used to work around the restrictions imposed by some Internet Service Providers that block ICMP Fragmentation Needed packets. Because of such restrictions the provider's servers may fail to deliver web pages, ssh may work while scp dies right after the connection is established, and so on. To get around this we can use the TCPMSS target to clamp the MSS (Maximum Segment Size) value (usually to the MTU of the outgoing interface minus 40 bytes, translator's note). This lets us overcome what the netfilter authors call "criminally braindead ISPs or servers" in the kernel configuration help.

CONFIG_IP_NF_COMPAT_IPCHAINS -- Adds a compatibility mode for the older ipchains. Do not regard it as a long-term solution for migrating from 2.2 to 2.4 kernels: this compatibility layer may well be gone in the 2.6.x kernels.

CONFIG_IP_NF_COMPAT_IPFWADM -- Adds compatibility with ipfwadm, even though that is a very old firewalling tool.
As you can see, I have given a short description of each module. These options are available in kernel version 2.4.9. If you need additional features, I advise you to look at the patch-o-matic extensions, which add a fairly large number of extra functions to Netfilter. Patch-o-matic is a set of additions that are expected to be included in the kernel in the future.

For the rc.firewall.txt script to work you will need to build the following options into the kernel, or to build the corresponding loadable modules. For the options needed by the other scripts, see the appendix with the example scripts.

  • CONFIG_PACKET
  • CONFIG_NETFILTER
  • CONFIG_IP_NF_CONNTRACK
  • CONFIG_IP_NF_FTP
  • CONFIG_IP_NF_IRC
  • CONFIG_IP_NF_IPTABLES
  • CONFIG_IP_NF_FILTER
  • CONFIG_IP_NF_NAT
  • CONFIG_IP_NF_MATCH_STATE
  • CONFIG_IP_NF_TARGET_LOG
  • CONFIG_IP_NF_MATCH_LIMIT
  • CONFIG_IP_NF_TARGET_MASQUERADE

The list above is the minimum set of kernel options for the rc.firewall.txt script. The options required by the other example scripts are listed in the corresponding sections below. For now we will concentrate on the main script and start studying it.

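Before loading rc.firewall.txt it is worth confirming that the kernel actually has the options above, rather than discovering it rule by rule from "iptables: No chain/target/match by that name" errors. The script below is an added example, not part of the tutorial or of rc.firewall.txt: it reads a kernel .config and reports which of the listed options are neither built in (=y) nor available as modules (=m). The .config it checks is a constructed sample embedded in the script; on a real system point check_config at /usr/src/linux/.config (or at a copy of /proc/config.gz uncompressed with zcat).

```shell
#!/bin/sh
# Added example, not part of the tutorial or of rc.firewall.txt: check a
# kernel .config for the options the script needs. The config file created
# below is a constructed sample; on a real system pass the path to
# /usr/src/linux/.config instead.

# The minimum option list for rc.firewall.txt, as given above.
REQUIRED_OPTIONS="CONFIG_PACKET CONFIG_NETFILTER CONFIG_IP_NF_CONNTRACK
CONFIG_IP_NF_FTP CONFIG_IP_NF_IRC CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_FILTER
CONFIG_IP_NF_NAT CONFIG_IP_NF_MATCH_STATE CONFIG_IP_NF_TARGET_LOG
CONFIG_IP_NF_MATCH_LIMIT CONFIG_IP_NF_TARGET_MASQUERADE"

# option_state FILE OPTION: print y (built in), m (module) or n (absent, or
# "# OPTION is not set"). Whole-line matching keeps CONFIG_IP_NF_NAT from
# being satisfied by CONFIG_IP_NF_NAT_FTP and similar longer names.
option_state() {
    awk -v opt="$2" '
        $0 == (opt "=y") { print "y"; found = 1; exit }
        $0 == (opt "=m") { print "m"; found = 1; exit }
        END { if (!found) print "n" }
    ' "$1"
}

# missing_options FILE OPTION...: print, one per line and in the order given,
# every option that is neither built in nor a module.
missing_options() {
    config=$1
    shift
    for opt in "$@"; do
        if [ "$(option_state "$config" "$opt")" = "n" ]; then
            echo "$opt"
        fi
    done
}

# check_config FILE: human-readable verdict; returns 1 if anything is missing.
check_config() {
    missing=$(missing_options "$1" $REQUIRED_OPTIONS)
    if [ -n "$missing" ]; then
        echo "kernel options missing for rc.firewall.txt:"
        echo "$missing" | sed 's/^/  /'
        return 1
    fi
    echo "all required options are built in or available as modules"
}

# Constructed sample .config: IRC tracking is explicitly unset and the limit
# match is absent altogether, so exactly those two should be reported.
SAMPLE_CONFIG=$(mktemp)
trap 'rm -f "$SAMPLE_CONFIG"' EXIT
cat > "$SAMPLE_CONFIG" <<'EOF'
CONFIG_PACKET=y
CONFIG_NETFILTER=y
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_FTP=m
# CONFIG_IP_NF_IRC is not set
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_NAT_FTP=m
CONFIG_IP_NF_MATCH_STATE=m
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_TARGET_MASQUERADE=m
EOF

check_config "$SAMPLE_CONFIG" || true
```

Options built as modules still have to be loadable at run time (the rc.firewall.txt script loads them with modprobe), so a reported "m" means the option exists, not that it is currently loaded.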

Installing the package

First let's look at how to build (compile) the iptables package. The build depends heavily on the kernel configuration, and you should keep this in mind. Some distributions come with iptables preinstalled, Red Hat being one of them. However, in Red Hat this package is turned off by default, so below we will look at how to turn it on in that and in other distributions.


Compiling the package

First the iptables source package has to be unpacked. We will be looking at the iptables 1.2.6a package and kernel 2.4.9. Unpack it as usual, with the command bzip2 -cd iptables-1.2.6a.tar.bz2 | tar -xvf -. If unpacking went well, the package will be in the directory iptables-1.2.6a. For more information see the file iptables-1.2.6a/INSTALL, which contains detailed information on building and installing the package.

Next you need to make sure the additional modules and options are included in the kernel. The steps described here concern only applying patches to the kernel. In this step we will install the updates that are expected to be included in the kernel in the future.

Note

Some of them are still experimental, but among them are extremely interesting matches and targets. Perform this step by typing the command (with root privileges, naturally)

make pending-patches KERNEL_DIR=/usr/src/linux/

The KERNEL_DIR variable must contain the path to your kernel sources. Usually this is /usr/src/linux/. If your sources are located elsewhere, you must give your own path accordingly.

Note

Here we are going to apply several updates and additions that will definitely go into the kernel, but somewhat later; for now we take them from here by running the command

make most-of-pom KERNEL_DIR=/usr/src/linux/

While the above command runs you will be asked to confirm each update from what the netfilter world calls patch-o-matic. To install all the patches from patch-o-matic, you need to run the following command:

make patch-o-matic KERNEL_DIR=/usr/src/linux/

Do not forget to read the help for each patch carefully and to the end before you install anything, because some patches are incompatible with others, and some, when applied together, can even break the kernel.

Note

You can skip patching the kernel altogether; in other words, there is no particular need for it, but patch-o-matic contains really interesting patches, and you may well want to take a look at them. Nothing bad will happen if you run these commands and look at what patches are available.

After patching is finished you will need to rebuild the kernel with the patches you have just installed. Do not forget to run the kernel configuration first, because the newly installed patches will most likely be turned off. In principle, you can wait with compiling the kernel until you have finished installing iptables.

Continuing the iptables build, run the command:

make KERNEL_DIR=/usr/src/linux/

If any problems came up during the build, you can try to solve them yourself or turn to the netfilter mailing list, where people can help you. There you will find explanations of what you may have done wrong during installation, so do not panic right away. If that did not help, try to reason it out logically; this may help. Or ask someone knowledgeable.

If everything went smoothly, you are ready to install the binaries, for which run the following command:

make install KERNEL_DIR=/usr/src/linux/

Hopefully no problems came up here! Now, to use the iptables package, you will definitely need to rebuild and install the kernel, if you have not done so already. Additional information on installing the package can be found in the INSTALL file.


Installation on Red Hat 7.1

Red Hat 7.1 with a 2.4.x kernel already comes with netfilter and iptables preinstalled. However, to keep backward compatibility with earlier distributions, the ipchains package is the one running by default. Now we will briefly go through how to remove ipchains and run iptables instead.

Note

The version of iptables in Red Hat 7.1 is quite outdated, and it is probably a good idea to install a newer version of iptables.

First ipchains has to be turned off so that the corresponding modules are not loaded in the future. To achieve this we need to rename some files in the /etc/rc.d/ directory tree. The following command will do what is needed:

chkconfig --level 0123456 ipchains off

As a result of this command, the letter S in some file names (which says that the script is run at system startup) will be replaced by the letter K (for Kill, which says that the script is run when the system is shut down). Thus we get link names such as K92ipchains, which prevents the service from starting in the future.

However, ipchains is still running. Now we have to run the command that stops the service:

service ipchains stop

Finally we need to start the iptables service. For this we first have to decide on the runlevels at which the service should start. Usually these are runlevels 2, 3 and 5. About these runlevels we know:

  • 2. Multi-user mode without NFS, or the same as 3 but without network support.
  • 3. Full multi-user mode.
  • 5. X11. This runlevel is used to start X Windows automatically.

To start iptables at these runlevels, run the command:

chkconfig --level 235 iptables on

A word about the runlevels at which iptables need not be started: runlevel 1 is single-user mode, usually used in emergencies when bringing a "fallen" system back up; runlevel 4 should not be used at all; runlevel 6 is the shutdown level, used when powering off or rebooting the computer.

To activate the iptables service, issue the command:

service iptables start

So we have started iptables, but we do not have a single rule yet. To add rules in Red Hat 7.1 you can go two ways. The first is to edit the file /etc/rc.d/init.d/iptables, but this has the drawback that when iptables is updated from RPM packages all your rules will be lost. The second is to enter the rules and save them with the iptables-save command; rules saved this way are restored automatically when the system boots.

If you chose the first way of installing rules, you need to put them in the start section of the /etc/rc.d/init.d/iptables script (to install the rules at boot) or in the start() function. For actions at system shutdown, make the corresponding changes in the stop section or in the stop() function. Do not forget about the restart and condrestart sections either. Once more: if iptables is updated from RPM packages or through automatic network updates, you may lose all the changes made to /etc/rc.d/init.d/iptables.

The second way of loading rules is preferable. It involves the following steps. First, write the rules into a file or enter them directly with the iptables command, whichever you prefer. Then save them with iptables-save > /etc/sysconfig/iptables (iptables-save by itself only writes the current rule set to standard output). As a result the whole rule set is stored in the file /etc/sysconfig/iptables, which is loaded automatically when the iptables service starts. Another way to save the rule set is the command service iptables save, which does exactly the same thing. Afterwards, when the computer reboots, the iptables script from rc.d will run iptables-restore to load the rule set from /etc/sysconfig/iptables.

Finally, to complete the installation, it would be a good idea to remove the old versions of ipchains and iptables. This has to be done so that the system does not "confuse" the old iptables package with the newly installed one. Removing the old iptables package is needed only if you installed from source: RPM packages are installed in a slightly different place than packages built from source, so the new package does not overwrite the old one. To uninstall the previous version of iptables, run the following command:

rpm -e iptables

Remove ipchains in the same way, since there is no longer any point in keeping this package in the system.

rpm -e ipchains

Traversing of tables and chains

In this chapter we will look at the order in which packets traverse the tables and the chains within each table. This information will be very important to you later, when you start building your own rule sets, especially once those rule sets include targets such as DNAT, SNAT and of course TOS.


General

When a packet arrives at our firewall it first hits the network device, is picked up by the corresponding driver and is then passed to the kernel. Next the packet passes through a series of tables and is then delivered either to a local application or forwarded to another machine. The order the packet follows is given below.

Table 1. Traversal of forwarded (transit) packets

Step  Table   Chain        Comment
1                          On the wire (i.e. the Internet)
2                          Comes in on the network interface (e.g. eth0)
3     mangle  PREROUTING   This chain is normally used for changing the packet header, e.g. the TOS bits and so on.
4     nat     PREROUTING   This chain is used for Destination Network Address Translation. Source Network Address Translation is done later, in another chain. Filtering of any kind in this chain is acceptable only in exceptional cases.
5                          Routing decision, i.e. at this point it is decided where the packet goes: to a local application or to another host on the network.
6     mangle  FORWARD      The packet first enters the FORWARD chain of the mangle table, which should be used only in exceptional cases, when the packet header has to be changed between the two routing decisions.
7     filter  FORWARD      Only packets going to another host reach the FORWARD chain. All filtering of transit traffic should be done here. Remember that traffic in both directions passes through this chain; be sure to take this into account when writing your filtering rules.
8                          Routing decision, i.e. here it is decided, for example, which interface the packet leaves on.
9     mangle  POSTROUTING  This chain is meant for changing the packet header after the final routing decision has been made.
10    nat     POSTROUTING  This chain is meant first of all for Source Network Address Translation. Do not use it for filtering unless you really have to. Masquerading is also done here.
11                         Outgoing network interface (e.g. eth1).
12                         On the wire (let's say the LAN).

At every hook the kernel consults the mangle table first, then the nat table (where it has a chain at that hook) and then the filter table; this is the order in which they register with netfilter, and it is why a mark set in mangle PREROUTING is already visible to the nat and filter rules that follow.

As you can see, the packet passes through several stages before it is passed on. At each of them the packet can be stopped, whether by an iptables chain or by something else, but we are mainly interested in iptables. Note that there are no chains specific to individual interfaces or anything of the kind. ALL packets that travel through our firewall/router pass through the FORWARD chain. Do not use the INPUT chain to filter transit packets; they simply never get there! Only packets destined for this host pass through that chain.

Now let's look at the path of a packet destined for a local process/application.

Table 2. For a local application

Step  Table   Chain        Comment
1                          On the wire (i.e. the Internet)
2                          Incoming network interface (e.g. eth0)
3     mangle  PREROUTING   Normally used for changing the packet header, e.g. setting the TOS bits and so on.
4     nat     PREROUTING   Destination Network Address Translation. Filtering packets here is acceptable only in exceptional cases.
5                          Routing decision.
6     mangle  INPUT        The packet reaches the INPUT chain of the mangle table. Here the packet header is changed before it is handed to the local application.
7     filter  INPUT        Incoming traffic is filtered here. Remember that all incoming packets addressed to us pass through this chain, regardless of the interface they arrived on.
8                          Local process/application

It is important to remember that this time the packets go through the INPUT chain and not through FORWARD. Finally, let's look at the path of packets generated by local processes.

Table 3. From local processes

Step  Table   Chain        Comment
1                          Local process
2     mangle  OUTPUT       Changes to the packet header are made here. Filtering in this chain can have unwanted consequences.
3     nat     OUTPUT       This chain is used for network address translation (NAT) of packets originating from local processes on the firewall.
4     filter  OUTPUT       Outgoing traffic is filtered here.
5                          Routing decision. Here it is decided where the packet goes next.
6     mangle  POSTROUTING  The POSTROUTING chain of the mangle table is mainly used for rules that change the packet header before it leaves the firewall, after the routing decision has been made. All packets enter this chain, both transit packets and those generated by the firewall's own processes.
7     nat     POSTROUTING  Source Network Address Translation is done here. Do not filter packets in this chain, to avoid undesirable side effects. Packets can nevertheless be stopped here by a default policy of DROP.
8                          Network interface (e.g. eth0)
9                          On the wire (i.e. the Internet)

Now we know that there are three different paths a packet can take. The figure below (not reproduced in this text version) shows this more clearly.

This figure gives a fairly clear picture of the order in which packets traverse the various chains. At the first routing decision point all packets destined for this host are sent to the INPUT chain, the rest to the FORWARD chain.

Note also that packets whose destination address is the firewall itself may undergo Destination Network Address Translation (DNAT) in the PREROUTING chain of the nat table, and the routing at the first decision point will then be made according to the changed destination.

Tip

In the rc.test-iptables.txt script you can find additional information about the order in which packets are traversed.


Mangle table

As mentioned above, this table is meant mainly for changing packet headers (mangle: to distort, to alter. Translator's note). That is, in this table you can set the TOS (Type Of Service) bits and so on.

Caution

Once again: do not do any kind of filtering, masquerading or address translation (DNAT, SNAT, MASQUERADE) in this table.

The following targets are valid only in the mangle table and should not be used anywhere else:

  • TOS

  • TTL

  • MARK

The TOS target sets the bits of the Type of Service field in the packet. This field is used to tell the network how the packet should be handled, i.e. it requests the preferred kind of routing. It should be noted, however, that this feature is actually honoured by only a small number of routers on the Internet. In other words, you should not change this field for packets going out to the Internet, because the routers that do act on it may make the wrong routing choice.

The TTL target is used to set the value of the packet's TTL (Time To Live) field. There is one good use for this target. We can set this field to a fixed value to hide our firewall from overly curious Internet Service Providers. Some providers dislike one connection being shared by several computers, and so they start checking the TTL of incoming packets and use it as one of the criteria for deciding whether one computer or several are "sitting" on the connection.

The MARK target sets a special mark on the packet, which can then be checked by other iptables rules or by other programs, e.g. iproute2. With "marks" we can control the routing of packets, limit traffic, and so on. Keep in mind that the mark lives only in the kernel's internal packet structure, never in the packet itself, so it is lost as soon as the packet leaves the host.


Nat table

This table is used for Network Address Translation (NAT). As mentioned earlier, only the first packet of a stream passes through the chains of this table; the translation or masquerading decided on for that packet is then applied to all subsequent packets of the stream automatically. The targets characteristic of this table are:

  • DNAT

  • SNAT

  • MASQUERADE

The DNAT (Destination Network Address Translation) target rewrites the destination address in the packet headers. In other words, this target redirects packets to addresses other than those given in their headers; a typical use is making a host on the local network reachable through the firewall's public address.

SNAT (Source Network Address Translation) is used to change the source address of packets. With this target you can hide the structure of the local network and at the same time share a single external IP address among the computers of the local network for Internet access. In this case the firewall, with the help of SNAT, automatically performs the forward and reverse translation of addresses, making it possible to connect from computers on the local network to servers on the Internet.

Masquerading (MASQUERADE) is used for the same purposes as SNAT, but unlike SNAT it puts a higher load on the system. This is because each time the target is executed, the IP address of the interface given in the rule is looked up, whereas for SNAT the IP address is given directly. Thanks to this difference, however, MASQUERADE works with dynamic IP addresses, i.e. when you connect to the Internet through, say, PPP, SLIP or DHCP. The flip side is that when the interface goes down MASQUERADE forgets the connections it was translating, on the assumption that the address will change, so on a link with a fixed address SNAT is the better choice.


Filter table

As the name suggests, this table should contain the rule sets for filtering packets. Packets can be passed on or rejected depending on their contents. Of course we can filter packets in other tables too, but this table exists precisely for filtering. Most of the existing targets may be used in this table, but the targets we looked at above in this chapter must be used only in their own tables.

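The following script ties the three tables to the traversal order above: DNAT goes in nat PREROUTING because it runs before the first routing decision, SNAT or MASQUERADE goes in nat POSTROUTING because only there is the outgoing interface known, and all transit filtering sits in filter FORWARD, which sees both directions. It is an added example and not the tutorial's rc.firewall.txt; the interface names, the network and the server address are assumptions for illustration. IPT defaults to "echo iptables", so running it as an ordinary user prints the rules instead of loading them; run it as root with IPT=iptables to load them for real.

```shell
#!/bin/sh
# Added example, not the tutorial's rc.firewall.txt: a minimal NAT gateway
# rule set laid out along the traversal order of Tables 1-3. Interface
# names, networks and addresses are assumptions for illustration. IPT
# defaults to "echo iptables", which prints the rules instead of loading them.

IPT=${IPT:-"echo iptables"}
INET_IFACE=${INET_IFACE:-eth0}           # assumed Internet-facing interface
LAN_IFACE=${LAN_IFACE:-eth1}             # assumed LAN interface
LAN_NET=${LAN_NET:-192.168.1.0/24}       # assumed LAN network
WWW_SERVER=${WWW_SERVER:-192.168.1.10}   # assumed web server behind the firewall
STATIC_IP=${STATIC_IP:-}                 # public address, or empty if dynamic

# source_nat_rule: SNAT when the public address is fixed (no per-packet
# address lookup, and connections survive an interface flap), MASQUERADE
# when PPP or DHCP hands the address out dynamically.
source_nat_rule() {
    if [ -n "$STATIC_IP" ]; then
        echo "-t nat -A POSTROUTING -o $INET_IFACE -s $LAN_NET -j SNAT --to-source $STATIC_IP"
    else
        echo "-t nat -A POSTROUTING -o $INET_IFACE -s $LAN_NET -j MASQUERADE"
    fi
}

load_rules() {
    # Policies first and flush second, so the box stays closed while loading.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -F
    $IPT -t nat -F

    # nat PREROUTING runs before the routing decision, so a DNAT here decides
    # which chain the packet lands in afterwards: FORWARD, not INPUT, because
    # the rewritten destination is no longer the firewall.
    $IPT -t nat -A PREROUTING -i $INET_IFACE -p tcp --dport 80 \
        -j DNAT --to-destination $WWW_SERVER

    # filter FORWARD sees every transit packet, in both directions.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # A TCP packet that conntrack calls NEW but that is not a SYN (e.g. a
    # stray ACK) must not open a hole; drop it before any rule that accepts NEW.
    $IPT -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
    # LAN clients may start connections towards the Internet.
    $IPT -A FORWARD -i $LAN_IFACE -o $INET_IFACE -s $LAN_NET \
        -m state --state NEW -j ACCEPT
    # The DNATed web traffic arrives here with its rewritten destination.
    $IPT -A FORWARD -i $INET_IFACE -o $LAN_IFACE -p tcp -d $WWW_SERVER --dport 80 \
        -m state --state NEW -j ACCEPT

    # nat POSTROUTING runs after the last routing decision, so the outgoing
    # interface is known and -o can be matched on.
    $IPT $(source_nat_rule)

    # filter INPUT: only packets addressed to the firewall itself get here.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i $LAN_IFACE -p tcp --dport 22 -m state --state NEW -j ACCEPT
}

load_rules
```

The order inside FORWARD matters as much as the choice of table: the ESTABLISHED,RELATED rule comes first so that reply packets are accepted cheaply, the "NEW but not SYN" drop comes next so that it is evaluated before anything that accepts NEW, and only then do the rules that open new connections follow.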

The state machine

This chapter is devoted entirely to the state machine. After reading it you should have a fairly clear understanding of how this mechanism works. A considerable number of explanatory examples will also be given.


Introduction

The state machine is a part of iptables and, strictly speaking, should not be called that, since it is really a connection tracking mechanism. However, a large number of people know it as the "state machine". In this chapter the two names will be used as synonyms. The connection tracker was created so that netfilter could obtain information about the state of a particular connection. Having this mechanism lets you create much more robust rule sets.

Within iptables a connection can have one of four basic states: NEW, ESTABLISHED, RELATED and INVALID. Later we will look at each of them in more detail. To control packets based on their state, the --state match is used.

Connection tracking is done by special kernel code, the connection tracker (conntrack). The tracker code can be either a loadable module or linked statically into the kernel. In most cases we need more specific information about a connection than the tracker supplies by default. For this reason the tracker includes handlers for the various protocols, such as TCP, UDP and ICMP. The information they gather is then used to identify the connection and determine its current state. For example, a UDP "connection" is uniquely identified by the source and destination IP addresses and ports.

In earlier kernel versions it was possible to turn packet defragmentation on and off. However, after connection tracking was added to iptables/netfilter, this was no longer needed. The reason is that the tracker cannot do its job without defragmentation, so defragmentation is always on. It cannot be turned off other than by turning off connection tracking. Defragmentation is always done if the tracker is enabled.

Tracking is done in the PREROUTING chain, except for packets generated by local processes on the firewall, which are tracked in the OUTPUT chain. This means that iptables does all state calculations within these chains. When the first packet of a stream is sent, it is given the state NEW in the OUTPUT chain, and when the reply packet comes back the state of the connection, in the PREROUTING chain, changes to ESTABLISHED, and so on. If the connection is initiated from outside, the state NEW is assigned to the first packet in the PREROUTING chain. Thus the state of packets is determined at the PREROUTING and OUTPUT hooks, before the chains of the same name in the nat table are run, which is also why the nat table only ever sees the first packet of a connection.


The conntrack entries

Let's briefly look at the tracker's table, which can be found in the file /proc/net/ip_conntrack. It contains the list of all active connections. If the ip_conntrack module is loaded, the command cat /proc/net/ip_conntrack should print something like this:

tcp 6 117 SYN_SENT src=192.168.1.6 dst=192.168.1.9 sport=32775 dport=22 [UNREPLIED] src=192.168.1.9 dst=192.168.1.6 sport=22 dport=32775 use=2

This example contains all the information the tracker knows about a particular connection. The first thing we see is the protocol name, in this case tcp. Next comes the protocol number in plain decimal (6 is the value for TCP in the IP header's protocol field). After that comes the number that defines the "time to live" of the entry in the table, i.e. the number of seconds after which the information about the connection will be removed from the table. In our case the entry will be kept for another 117 seconds, unless of course another packet passes through the connection, in which case the value is reset to the default for the given state. This number decreases by 1 every second. Next comes the actual state of the connection. In our example the state is SYN_SENT. The internal representation of the state differs somewhat from the external one. SYN_SENT says that a single TCP SYN packet has passed through this connection. Then come the source and destination addresses and the source and destination ports. Here we also see the keyword [UNREPLIED], which says that there has not yet been any reply traffic on this connection. Finally comes the information about the expected reply packet: the source/destination IP addresses (the same ones, only swapped, since a reply packet is expected) and likewise the ports. The trailing use=2 is the kernel's reference count on the entry.

The entries in the table can take a number of values, all of which are defined in the header files linux/include/netfilter-ipv4/ip_conntrack*.h. The values depend on the protocol. We will look at them in more detail when we examine each protocol separately.

Note

Quite recently the tcp-window-tracking patch appeared in patch-o-matic; it makes all the timeouts available through special variables, i.e. it lets them be changed "on the fly". This makes it possible to change the timeouts without rebuilding the kernel.

The changes are made through the sysctl interface, via the /proc/sys/net/ipv4/netfilter directory. Pay special attention to the set of variables /proc/sys/net/ipv4/netfilter/ip_ct_*.



After a reply packet is received, the tracker removes the [UNREPLIED] flag and replaces it with [ASSURED]. This flag says that the connection is firmly established and that the entry will not be deleted when the maximum number of tracked connections is reached: when the table is full, only unassured entries, i.e. the half-open ones, are evicted to make room, and once even those are gone the kernel starts dropping packets of new connections. The maximum number of entries the table can hold depends on a default value, which in recent kernels can be set through sysctl. For 128 MB of RAM it is 8192 entries, for 256 MB 16376. You can view and change this value through /proc/sys/net/ipv4/ip_conntrack_max.


States

As you have already seen, packets can have several different states inside the kernel, depending on the protocol type. Outside the kernel, however, there are only 4 states, as stated above. The packet state is mainly used in the --state match. The permitted states are NEW, ESTABLISHED, RELATED and INVALID. The table below discusses each of the possible states.

Table 1. List of states

State    Description
NEW    The NEW flag tells us that the packet is the first packet for this connection. This means it is the first packet in this connection that the connection tracking module has seen. For example, if a SYN packet is received that is the first packet for the connection, it gets the NEW state. However, the packet need not be a SYN packet to get the NEW state. This can cause certain problems in some cases, but it can also be very useful, for example when you want to "pick up" connections "lost" by other firewalls, or when the connection timeout has already expired but the connection itself was not closed.
ESTABLISHED    The ESTABLISHED flag says that this is not the first packet in the connection. The scheme for setting the ESTABLISHED flag is fairly simple to understand. The only requirement for a connection to enter the ESTABLISHED state is that one host has sent a packet and received a reply to it from the other host. Once the reply has been received, the connection's NEW flag is replaced with ESTABLISHED.
RELATED    The RELATED state is one of the "trickiest". A connection gets the RELATED status if it is related to another connection that has the ESTABLISHED flag. This means that a connection gets the RELATED flag when it is initiated from an already established connection carrying the ESTABLISHED flag. A good example of a connection that may be treated as RELATED is the FTP-data connection, which is related to the FTP control port, as well as a DCC connection launched from IRC. Note that most of the TCP protocols and some of the UDP protocols that rely on this mechanism are quite complex and pass connection information through the data area of the TCP or UDP packets, and therefore require special helper modules to work correctly.
INVALID    The INVALID flag says that the packet cannot be identified and therefore cannot have a definite status. This can happen for various reasons, for example when memory runs out or when an ICMP message is received that does not correspond to any known connection. Probably the best option would be to apply DROP to such packets.

These four states can be used in the --state match. The state mechanism makes it possible to build extremely powerful and effective protection. Previously we had to open all ports above 1024 to let return traffic into the local network; now, with the state mechanism, this is no longer necessary, since it has become possible to "open" access only for return (reply) traffic.


TCP connections

In this and the following sections we'll take a closer look at the state flags and how they are handled by each of the three basic protocols, TCP, UDP and ICMP, and also touch on the case where the connection's protocol cannot be classified as one of those three. We'll begin with TCP, since it has many interesting features with respect to the state mechanism in iptables.

A TCP connection is always established by an exchange of three packets that initialize and set up the connection over which data will subsequently be sent. The session begins with a SYN packet; a SYN/ACK packet is sent in reply, and an ACK packet confirms that the connection is established. After this the connection is considered established and ready for data transfer. The question may arise: "But how is the connection tracked?" In fact it is all quite simple.

For all connection types, tracking proceeds in almost the same way. Look at the figure below, which shows all the stages of connection establishment. As you can see, from the user's point of view the tracker does not actually follow the course of connection establishment. As soon as the tracker "sees" the first (SYN) packet, it simply assigns it the NEW state. As soon as the second packet (SYN/ACK) passes through the tracker, the connection is assigned the ESTABLISHED state. Why the second packet? Let's work it out. When building your rule set, you can allow packets with the NEW and ESTABLISHED states to leave the local network and, in incoming traffic, allow only packets with the ESTABLISHED state, and everything will work fine. Conversely, if the tracker kept treating the connection as NEW, you would in fact never be able to establish a connection with the "outside world", or you would have to allow NEW packets into the local network.
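As an added example that is not part of the tutorial, the following Python model reproduces the classification just described (the first packet of a flow is NEW, the flow is ESTABLISHED once a reply has been seen) and applies the rule set from the paragraph above; the host addresses, the LAN_PREFIX constant and all function names are constructed for the illustration.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "SYN", "SYN/ACK", "ACK": for display only, the tracker ignores it


@dataclass
class Entry:
    replied: bool = False  # has traffic been seen in the reply direction yet?
    packets: int = 0


class Conntrack:
    """Minimal tracker keyed by the original-direction 4-tuple. It models only what
    the text describes: the first packet of a flow is NEW, and the flow becomes
    ESTABLISHED once traffic has been seen in both directions."""

    def __init__(self) -> None:
        self.table: dict[tuple, Entry] = {}

    def classify(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.table:
            entry = self.table[key]
            entry.packets += 1
            # Same direction as the first packet: ESTABLISHED only after a reply
            # has been seen; until then (e.g. a retransmitted SYN) it is still NEW.
            return "ESTABLISHED" if entry.replied else "NEW"
        if reverse in self.table:
            entry = self.table[reverse]
            entry.replied = True  # this is where [UNREPLIED] would be cleared
            entry.packets += 1
            return "ESTABLISHED"
        self.table[key] = Entry(packets=1)
        return "NEW"

    def forget(self, pkt: Packet) -> None:
        """Remove the entry created for a packet the rule set rejected."""
        self.table.pop((pkt.src, pkt.sport, pkt.dst, pkt.dport), None)


LAN_PREFIX = "192.168.1."  # constructed: sources under this prefix are "inside"


def policy(direction: str, state: str) -> str:
    """Rule set from the text: NEW and ESTABLISHED may leave the LAN, only
    ESTABLISHED may enter it; anything else is dropped."""
    if direction == "out" and state in ("NEW", "ESTABLISHED"):
        return "ACCEPT"
    if direction == "in" and state == "ESTABLISHED":
        return "ACCEPT"
    return "DROP"


def filter_packets(packets: list[Packet]) -> list[tuple[str, str, str, str]]:
    """Run packets through tracker and policy; returns (flags, direction, state, verdict)."""
    ct = Conntrack()
    decisions = []
    for pkt in packets:
        direction = "out" if pkt.src.startswith(LAN_PREFIX) else "in"
        state = ct.classify(pkt)
        verdict = policy(direction, state)
        decisions.append((pkt.flags, direction, state, verdict))
        if verdict == "DROP":
            # A rejected packet must not leave an entry behind, otherwise a later
            # packet in the reverse direction would wrongly look ESTABLISHED.
            ct.forget(pkt)
    return decisions


# Constructed sample traffic: a telnet handshake from the LAN to an outside host
# (203.0.113.0/24 is a documentation range), then two unsolicited inbound packets.
SAMPLE_TRAFFIC = [
    Packet("192.168.1.5", 1031, "203.0.113.35", 23, "SYN"),
    Packet("203.0.113.35", 23, "192.168.1.5", 1031, "SYN/ACK"),
    Packet("192.168.1.5", 1031, "203.0.113.35", 23, "ACK"),
    Packet("203.0.113.77", 4444, "192.168.1.5", 23, "SYN"),
    Packet("203.0.113.77", 80, "192.168.1.5", 1040, "ACK"),  # NEW even though not a SYN
]

if __name__ == "__main__":
    for flags, direction, state, verdict in filter_packets(SAMPLE_TRAFFIC):
        print(f"{flags:8} {direction:4} {state:12} {verdict}")
```

The last sample packet shows the point made in the states table: a bare ACK with no matching entry is still classified NEW, and the inbound policy drops it.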

From the user's point of view everything looks simple enough, but from the kernel's point of view it looks somewhat more complicated. Let's look at how the connection state changes in the /proc/net/ip_conntrack table. After the first SYN packet has been sent:

tcp 6 117 SYN_SENT src=192.168.1.5 dst=192.168.1.35 sport=1031 dport=23 [UNREPLIED] src=192.168.1.35 dst=192.168.1.5 sport=23 dport=1031 use=1

As you can see, the table entry reflects the exact state of the connection: the sending of a SYN packet has been recorded (flag SYN_SENT), and there has been no reply to it yet (flag [UNREPLIED]). After the reply packet is received, the connection moves to the next internal state:

tcp 6 57 SYN_RECV src=192.168.1.5 dst=192.168.1.35 sport=1031 dport=23 src=192.168.1.35 dst=192.168.1.5 sport=23 dport=1031 use=1

That is, the entry reports that a SYN/ACK packet has passed back. This time the connection is put into the SYN_RECV state. This state says that the SYN packet was successfully delivered to the recipient and a confirmation packet (SYN/ACK) came back in reply. In addition, having "seen" packets in both directions, the state mechanism removes the [UNREPLIED] flag. And finally, after the last ACK packet of the connection establishment procedure has been sent

tcp 6 431999 ESTABLISHED src=192.168.1.5 dst=192.168.1.35 sport=1031 dport=23 src=192.168.1.35 dst=192.168.1.5 sport=23 dport=1031 use=1

the connection moves to the ESTABLISHED state. After several packets have been received over this connection, the [ASSURED] flag will be added to it.

When closing, a TCP connection passes through the following states.



As the figure shows, the connection is not closed until the last ACK packet has been sent. Note that this picture describes the normal process of closing a connection. Besides this, if a connection is rejected it may be closed by sending an RST (reset) packet. In that case the connection will be closed after a predefined time has elapsed.

On closing, the connection is put into the TIME_WAIT state, whose duration is 2 minutes by default, during which packets can still pass through the firewall. This is a kind of "buffer time" that lets packets that got "stuck" on some router get through.

If the connection is closed on receipt of an RST packet, it is put into the CLOSE state. The waiting time before the connection is actually closed is set to 10 seconds by default. RST packets are not acknowledged, and the connection is closed immediately. There are also a number of other internal states. The table below lists the possible internal connection states and the timeouts corresponding to them.

Table 2. Internal states

State    Timeout
NONE    30 minutes
ESTABLISHED    5 days
SYN_SENT    2 minutes
SYN_RECV    60 seconds
FIN_WAIT    2 minutes
TIME_WAIT    2 minutes
CLOSE    10 seconds
CLOSE_WAIT    12 hours
LAST_ACK    30 seconds
LISTEN    2 minutes


These values may vary somewhat from one kernel version to another, and they can also be changed through the /proc filesystem interface (the /proc/sys/net/ipv4/netfilter/ip_ct_tcp_* variables). The values are set in hundredths of a second, so the number 3000 means 30 seconds.

Note

Note that, from the user's side, the state mechanism does not reflect the flags of TCP packets in any way. As a rule this is bad, since the NEW state is assigned not only to SYN packets.

This problem is discussed in more detail in the section Packets with the NEW state and the SYN bit unset.


UDP connections



In essence, UDP connections have no state flag. There are several reasons for this; the main one is that the protocol does not provide for establishing and closing a connection, but the biggest drawback is the lack of information about the order in which packets arrive. Having received two UDP datagrams, it is impossible to know for sure in which order they were sent. However, even in this situation it is still possible to determine the state of the connection. Below is a figure of what connection establishment looks like from the tracker's point of view.



As you can see, the state of a UDP connection is determined almost the same way as that of a TCP connection, from the user-space point of view. Internally it looks somewhat different, although in many ways similar. First let's look at the entry that appeared after the first UDP packet was sent.

udp 17 20 src=192.168.1.2 dst=192.168.1.5 sport=137 dport=1025 [UNREPLIED] src=192.168.1.5 dst=192.168.1.2 sport=1025 dport=137 use=1

The first thing we see is the protocol name (udp) and its number (see /etc/protocols; translator's note). The third value is the remaining "lifetime" of the entry in seconds. Then come the characteristics of the packet that passed through the firewall: the source and destination addresses and ports. Here we also see that this is the first packet in the session (flag [UNREPLIED]). The entry ends with the source and destination addresses and ports of the expected packet. The default timeout for such an entry is 30 seconds.

udp 17 170 src=192.168.1.2 dst=192.168.1.5 sport=137 dport=1025 src=192.168.1.5 dst=192.168.1.2 sport=1025 dport=137 use=1

After the server has "seen" the reply to the first packet, the connection is considered ESTABLISHED; the only difference from the previous entry is the absence of the [UNREPLIED] flag and, in addition, the entry's timeout has become 180 seconds. After this, only the [ASSURED] flag (assured connection), described above, can be added. The [ASSURED] flag is set only after a certain number of packets have passed through the connection.

udp 17 175 src=192.168.1.5 dst=195.22.79.2 sport=1025 dport=53 src=195.22.79.2 dst=192.168.1.5 sport=53 dport=1025 [ASSURED] use=1

Now the connection has become "assured". The table entry looks almost the same as in the previous example, except for the [ASSURED] flag. If not a single packet passes through the connection within 180 seconds, the entry will be removed from the table. This is a fairly short interval, but it is quite sufficient for most uses. The "lifetime" is counted from the moment the last packet passed, and when a new one appears the time is reset to its initial value.


ICMP connections

ICMP packets are used only to carry control messages and do not set up a persistent connection. However, there are 4 types of ICMP packets that provoke a reply, so they can have two states: NEW and ESTABLISHED. These are ICMP Echo Request/Echo Reply, ICMP Timestamp Request/Timestamp Reply, ICMP Information Request/Information Reply and ICMP Address Mask Request/Address Mask Reply. Of these, ICMP Timestamp Request/Timestamp Reply and ICMP Information Request/Information Reply are considered obsolete and can therefore, in most cases, be safely dropped (DROP). Look at the figure below.



As this figure shows, the server sends an Echo Request to the client, and the request is recognized by the firewall as NEW. The client answers the request with an Echo Reply packet, and that packet is now recognized as having the ESTABLISHED state. After the first packet (Echo Request) has passed, the following entry appears in ip_conntrack:

icmp 1 25 src=192.168.1.6 dst=192.168.1.10 type=8 code=0 id=33029 [UNREPLIED] src=192.168.1.10 dst=192.168.1.6 type=0 code=0 id=33029 use=1

This entry differs somewhat from the entries typical of TCP and UDP: the protocol name, the timeout and the sender and receiver addresses are present just the same, but after them three new fields appear: type, code and id. The type field holds the ICMP type and the code field the ICMP code. The values of ICMP types and codes are given in the appendix ICMP Types. And the last field, id, holds the packet identifier. Each ICMP packet has its own identifier. When the receiver sends a reply to an ICMP request, it puts this identifier into the reply packet, which lets the sender correctly recognize which request a reply belongs to.

The next field is the [UNREPLIED] flag, which we have met before. It means that the first packet in the connection has arrived. The entry ends with the characteristics of the expected reply packet. These include the source and destination addresses. As for the type and code of the ICMP packet, they correspond to the correct values for the expected ICMP Echo Reply packet. The identifier of the reply packet is the same as in the request packet.

The reply packet is already recognized as ESTABLISHED. However, we know that after the reply packet has been sent nothing more is expected over this connection, so once the reply has passed through netfilter the entry in the tracker table is destroyed.

In any case, the request is treated as NEW and the reply as ESTABLISHED. Note that the reply packet must match, in its characteristics (source and destination addresses, type, code and identifier), those given in the tracker table entry.
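The TCP, UDP and ICMP entries shown in the preceding sections share one line layout. As an added example, not code from the tutorial, here is a Python parser for /proc/net/ip_conntrack lines, fed with three of the entries quoted above; the function names parse_conntrack_line, reply_matches and summarize are my own.

```python
# Entries quoted from the text above (one tcp, one udp, one icmp), used as sample input.
SAMPLE_LINES = [
    "tcp 6 117 SYN_SENT src=192.168.1.5 dst=192.168.1.35 sport=1031 dport=23 "
    "[UNREPLIED] src=192.168.1.35 dst=192.168.1.5 sport=23 dport=1031 use=1",
    "udp 17 175 src=192.168.1.5 dst=195.22.79.2 sport=1025 dport=53 "
    "src=195.22.79.2 dst=192.168.1.5 sport=53 dport=1025 [ASSURED] use=1",
    "icmp 1 25 src=192.168.1.6 dst=192.168.1.10 type=8 code=0 id=33029 "
    "[UNREPLIED] src=192.168.1.10 dst=192.168.1.6 type=0 code=0 id=33029 use=1",
]


def parse_conntrack_line(line: str) -> dict:
    """Parse one ip_conntrack line into protocol name and number, timeout, the TCP
    internal state (None for other protocols), the original and expected-reply
    tuples, the bracketed flags and the use count."""
    tokens = line.split()
    if len(tokens) < 4:
        raise ValueError(f"not a conntrack entry: {line!r}")
    proto, protonum, timeout = tokens[0], int(tokens[1]), int(tokens[2])
    rest = tokens[3:]
    state = None
    if proto == "tcp":  # only TCP entries carry an internal state word
        state, rest = rest[0], rest[1:]
    entry = {"proto": proto, "protonum": protonum, "timeout": timeout,
             "state": state, "original": {}, "reply": {}, "flags": set(), "use": None}
    pending = [entry["original"], entry["reply"]]  # each tuple starts at a src= token
    current = None
    for tok in rest:
        if tok.startswith("[") and tok.endswith("]"):
            entry["flags"].add(tok[1:-1])
            continue
        key, sep, value = tok.partition("=")
        if not sep:
            raise ValueError(f"unexpected token {tok!r} in {line!r}")
        if key == "use":
            entry["use"] = int(value)
            continue
        if key == "src":
            if not pending:
                raise ValueError(f"more than two tuples in {line!r}")
            current = pending.pop(0)
        if current is None:
            raise ValueError(f"field {tok!r} before any src= in {line!r}")
        # ports, ICMP type/code/id and similar numeric fields become ints
        current[key] = int(value) if value.isdigit() else value
    if pending:
        raise ValueError(f"missing reply tuple in {line!r}")
    return entry


def reply_matches(entry: dict, packet: dict) -> bool:
    """True when a packet matches the expected-reply tuple exactly: addresses and
    ports, or for ICMP the type, code and id (the check described above)."""
    return all(packet.get(k) == v for k, v in entry["reply"].items())


def summarize(lines) -> list:
    """(proto, state or "-", timeout, flags) per entry, for a quick overview."""
    out = []
    for line in lines:
        e = parse_conntrack_line(line)
        out.append((e["proto"], e["state"] or "-", e["timeout"],
                    ",".join(sorted(e["flags"])) or "-"))
    return out


if __name__ == "__main__":
    for row in summarize(SAMPLE_LINES):
        print(*row)
```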

ICMP requests have a default timeout of 30 seconds. In most cases this time is quite sufficient. The timeout can be changed in /proc/sys/net/ipv4/netfilter/ip_ct_icmp_timeout. (A reminder that the variables of the form /proc/sys/net/ipv4/netfilter/ip_ct_* become available only after the tcp-window-tracking "patch" from patch-o-matic has been installed; translator's note.)

A significant part of ICMP is used to carry messages about what is happening to one UDP or TCP connection or another. Because of this they are very often recognized as related (RELATED) to an existing connection. A simple example is the ICMP Host Unreachable or ICMP Network Unreachable messages. They are always generated on an attempt to connect to a network host when that host or network is unreachable; in this case the last router returns the corresponding ICMP packet, which will be recognized as RELATED. The figure below shows how this happens.

In this example a connection request (a SYN packet) is sent to some host. It acquires the NEW state on the firewall. However, at that moment the network turns out to be unreachable, so the router returns an ICMP Network Unreachable packet. The connection tracker recognizes this packet as RELATED, thanks to the entry already present in the table, so the packet is passed on to the client, which then tears down the failed connection. Meanwhile the firewall destroys the table entry, since an error message has been received for this connection.

The same happens with UDP connections if similar problems are detected. All ICMP messages sent in reply to a UDP connection are treated as RELATED. Look at the following figure.



A UDP datagram is sent to the server. The connection is assigned the NEW state. However, access to the network is prohibited (by a firewall or router), so an ICMP Network Prohibited message comes back. The firewall recognizes this message as related to the open UDP connection, assigns it the RELATED state and passes it to the client. After that the entry in the tracker table is destroyed, and the client cleanly tears down the connection.


Default behaviour

In some cases the state mechanism cannot recognize the protocol being exchanged and, accordingly, cannot choose a strategy for handling the connection. In that case it falls back to the default behaviour. The default behaviour is used, for example, when handling the NETBLT, MUX and EGP protocols. The default behaviour is in many ways similar to the tracking of UDP connections. The first packet is assigned the NEW state, and all subsequent ones the ESTABLISHED state.

When the default behaviour is used, the same timeout value is used for all packets; it can be changed in /proc/sys/net/ipv4/netfilter/ip_ct_generic_timeout. By default this value is 600 seconds, or 6 minutes (yes, that really is what the original text says. I suspect the author simply made a slip and in this case it should be read as "600 seconds, or 10 minutes". Incidentally, in the source code (/usr/src/linux/net/ipv4/netfilter/ip_conntrack_proto_generic.c) the value of GENERIC_TIMEOUT is 600 seconds; translator's note.). Depending on the type of traffic this time may vary, especially when the connection goes over a satellite link.


Tracking complex protocols

There are a number of complex protocols whose correct tracking is more involved. Examples are the ICQ, IRC and FTP protocols. Each of these protocols carries additional connection information in the data area of the packet. Accordingly, correct tracking of such connections requires loading additional helper modules.

As a first example let's consider the FTP protocol. FTP first opens a single connection called the "FTP control session". When commands are executed within this session, additional ports are opened to transfer the accompanying data. These connections may be active or passive. When an active connection is created, the client passes the FTP server a port number and IP address for the connection. The client then opens the port, the server connects from its port 20 (known as FTP-Data) to the specified client port and transfers the data over the established connection.

The problem is that the firewall knows nothing about these additional connections, since all the information about them is passed in the packet data area. Because of this the firewall will not let the server connect to the specified client port.

The solution is to add a special tracking helper module that watches for the protocol-specific information in the data area of the packets sent within the control session. When such a connection is created, the helper module correctly interprets the transmitted information and creates a corresponding entry in the tracker table with the RELATED state, thanks to which the connection can be established. The figure below explains how such a connection proceeds.



Passive FTP works the other way round. The client sends the server a request to receive data, and the server returns to the client an IP address and a port number to connect to. The client connects from its port 20 (FTP-data) to the specified server port and receives the requested data. If your FTP server is behind a firewall, you will need this helper module so that the server can serve clients from the Internet. The same applies when you want to restrict your users to connecting only to HTTP and FTP servers on the Internet and close all other ports. The figure below shows how a passive FTP connection is performed.



Some helper modules are already included in the kernel. To be more precise, the kernel includes helper modules for the FTP and IRC protocols. If the helper module you need is not at your disposal, you should turn to patch-o-matic, which contains a large number of helper modules for tracking protocols such as ntalk or H.323. If you still have not found what you need, you have further options: you can turn to the iptables CVS, if the helper module you are after has not yet been included in patch-o-matic, or you can contact the netfilter developers and ask whether such a module exists and whether it is planned for release. If you have no luck there either, you should probably read Rusty Russell's Unreliable Netfilter Hacking HOWTO.

Helper modules can be compiled either as loadable kernel modules or statically. If they are compiled as modules, you can load them with the command

modprobe ip_conntrack_*

Note that the state mechanism has nothing to do with network address translation (NAT), so you may need more additional modules if you perform such translation. Suppose you perform address translation and track FTP connections; then you also need the corresponding NAT helper module. By the naming convention, the names of NAT helper modules begin with ip_nat. In this case the module is called ip_nat_ftp. For the IRC protocol the module is called ip_nat_irc. The names of the tracker's helper modules follow the same convention, e.g. ip_conntrack_ftp and ip_conntrack_irc.


How to build rules

This chapter discusses how to build your own rules for iptables. Each line you insert into one chain or another must contain a separate rule. We'll also discuss the basic matches and targets and how to create your own rule chains.


Basics

As mentioned above, each rule is a line containing the criteria that determine whether a packet matches the rule, and the action to be taken if the criteria are met. In general, rules are written roughly like this:

iptables [-t table] command [match] [target/jump]

Nowhere is it stated that the action description (target/jump) must be the last thing on the line; we will, however, stick to this notation for readability.

If the [-t table] specifier is not included in the rule, the filter table is assumed by default; if another table is to be used, it must be specified explicitly. The table specifier can also be placed anywhere on the rule line, but it is more or less standard to give the table at the beginning of the rule.

Next, immediately after the table name, comes the command. If there is no table specifier, the command must always come first. The command determines what iptables does, e.g. insert a rule, append a rule to the end of a chain, delete a rule, etc.

The match section specifies the criteria by which it is determined whether the packet falls under this rule or not. Here we can specify all sorts of criteria: the source IP address of the packet or network, the network interface, and so on. There are many matches, which we'll cover in this chapter.

And finally, the target specifies which action is to be taken when the criteria in the rule are met. Here we can make the kernel pass the packet to another rule chain, "drop" the packet and forget about it, send an error message back to the source, etc.


Tables

The -t option specifies the table to use. By default the filter table is used. The following options are used with the -t key.

Table 1. Tables

Table    Description
nat    The nat table is used mainly for network address translation. Only the first packet of a stream passes through this table. The address translation is then automatically applied to all subsequent packets. This is one of the reasons why we should not do any filtering in this table. The PREROUTING chain is used to modify packets on entry to the firewall. The OUTPUT chain is used to translate packets generated by applications inside the firewall, before the routing decision is made. Note that at present this chain does not work. And the last chain in this table is POSTROUTING, which is used to translate packets before they are sent out.
mangle    This table is used to modify packet headers. An example is changing the TTL, TOS or MARK field. Important: the MARK field is not actually changed; instead a structure is created in kernel memory that accompanies the packet for as long as it travels through the machine, so that other rules and applications on this machine (and only on this machine) can use this field for their own purposes. The table has five chains: PREROUTING, POSTROUTING, INPUT, OUTPUT and FORWARD. PREROUTING is used to make changes on entry to the firewall, before the first routing decision. POSTROUTING is used to make changes on exit from the firewall, after the last routing decision. INPUT is for modifying packets before they are handed to a local application inside the firewall. OUTPUT is for modifying packets coming from applications inside the firewall. FORWARD is for modifying transit packets after the first routing decision but before the last routing decision. Note that the mangle table must under no circumstances be used for network address translation or masquerading, since the nat table exists for these purposes.
filter    The filter table is used mainly for packet filtering. For example, here we can perform DROP, LOG, ACCEPT or REJECT without any problems, as in the other tables. There are three built-in chains. The first is FORWARD, used to filter packets passing in transit through the firewall. The INPUT chain is traversed by packets destined for local applications (the firewall itself). And the OUTPUT chain is used to filter outgoing packets generated by applications on the firewall itself.

Above we looked at the main differences between the three available tables. Each of them should be used only for its own purpose, and you must understand this. Misuse of the tables can weaken the protection of the firewall and of the network behind it. Later, in the chapter Traversing of tables and chains, we'll dwell on this in more detail.


Commands

Below is the list of commands and the rules for their use. Through commands we tell iptables what we intend to do. Usually one of two actions is intended: adding a new rule to a chain or deleting an existing rule from one table or another. The commands used in iptables are given below.

Table 2. Commands

Command -A, --append
Example iptables -A INPUT ...
Explanation Appends a new rule to the end of the given chain.
Command -D, --delete
Example iptables -D INPUT --dport 80 -j DROP, iptables -D INPUT 1
Explanation Deletes a rule from a chain. The command has two forms: in the first, the matching criteria are given with the -D option (see the first example); in the second, the ordinal number of the rule. If matching criteria are given, the rule containing those criteria is deleted; if a rule number is given, the rule with that number is deleted. Rules in a chain are numbered starting from 1.
Command -R, --replace
Example iptables -R INPUT 1 -s 192.168.0.1 -j DROP
Explanation This command replaces one rule with another. It is mainly used while debugging new rules.
Command -I, --insert
Example iptables -I INPUT 1 --dport 80 -j ACCEPT
Explanation Inserts a new rule into a chain. The number following the chain name gives the number of the rule before which the new rule is to be inserted; in other words, the number becomes the number of the inserted rule. In the example above, the rule is to become number 1 in the INPUT chain.
Command -L, --list
Example iptables -L INPUT
Explanation Lists the rules in the given chain; in this example the rules of the INPUT chain are listed. If no chain name is given, the rules of all chains are listed. The output format depends on the additional options in the command, e.g. -n, -v, etc.
Command -F, --flush
Example iptables -F INPUT
Explanation Flushes (deletes) all rules from the given chain (table). If neither a chain nor a table name is given, all rules in all chains are deleted.
Command -Z, --zero
Example iptables -Z INPUT
Explanation Zeroes all counters in the given chain. If no chain name is given, all chains are implied. When the -v option is used together with the -L command, the output also includes the counters of packets that matched each rule. The -L and -Z commands may be used together. In that case the list of rules with counters is printed first, and then the counters are zeroed.
Command -N, --new-chain
Example iptables -N allowed
Explanation Creates a new chain with the given name in the given table. In the example above a new chain named allowed is created. The chain name must be unique and must not coincide with the reserved chain and target names (DROP, REJECT, etc.).
Command -X, --delete-chain
Example iptables -X allowed
Explanation Deletes the given chain from the given table. The chain being deleted must contain no rules, and there must be no references to it from other chains. If no chain name is given, all chains defined with the -N command in the given table are deleted.
Command -P, --policy
Example iptables -P INPUT DROP
Explanation Sets the default policy for the given chain. The default policy defines the action applied to packets that did not match any rule in the chain. DROP, ACCEPT and REJECT may be used as the default policy.
Command -E, --rename-chain
Example iptables -E allowed disallowed
Explanation The -E command renames a user-defined chain. In the example, the chain allowed is renamed disallowed. Such renaming does not change the way things work; it is purely cosmetic.

The command must always be given. The list of available commands can be viewed with iptables -h or, equivalently, iptables --help. Some commands can be used together with additional options. Below is the list of additional options with a description of their effect. Note that the additional options used in building matches or targets are not given here. We'll discuss those options later.

Table 3. Options

Option -v, --verbose
Commands used with --list, --append, --insert, --delete, --replace
Description This option is used to make the output more informative and is usually used together with the --list command. When used with --list, the output also includes the interface name and the packet and byte counters for each rule. The counters are printed not only as plain digits but also with the multiplier suffixes K (x1000), M (x1,000,000) and G (x1,000,000,000). To make the --list command print the full number (without multipliers) you need the -x option, described below. If -v, --verbose is used with the --append, --insert, --delete or --replace commands, a detailed report of the operation performed is printed.
Option -x, --exact
Commands used with --list
Description All numbers in the output are printed as exact values, without rounding and without the K, M, G multipliers. Note that this option is used only with the --list command and does not apply to other commands.
Option -n, --numeric
Commands used with --list
Description Makes iptables print IP addresses and port numbers in numeric form, preventing attempts to resolve them into symbolic names. This option is used only with the --list command.
Option --line-numbers
Commands used with --list
Description The --line-numbers option turns on line numbering when the rule list is printed by the --list command. The line number corresponds to the rule's position in the chain. This option is used only with the --list command.
Option -c, --set-counters
Commands used with --insert, --append, --replace
Description This option is used when creating a new rule to set the packet and byte counters to a given value. For example, the option --set-counters 20 4000 sets the packet counter to 20 and the byte counter to 4000.
Option --modprobe
Commands used with All
Description The --modprobe option defines the command used to load kernel modules. This option is used if your modprobe command is outside the search path. This option may be used with any command.

Matches

Here we look more closely at the matches used to select packets. I have divided the matches into five groups. The first is the generic matches, which can be used in any rule. The second is the TCP matches, which apply only to TCP packets. The third is the UDP matches, which apply only to UDP packets. The fourth is the ICMP matches, for ICMP packets. The fifth and last is the special matches, such as state, owner, limit and others.


Generic matches

This section covers the generic matches. Generic matches can be used in any rule; they do not depend on the protocol and do not require loading extension modules. I have included the --protocol match in this group even though it is needed by some protocol-specific extensions. For example, if we want to use a TCP match, we must also use the --protocol match with TCP as its argument. But --protocol is itself a match that selects packets by protocol type.

Table 4. Generic matches

Match: -p, --protocol
Example: iptables -A INPUT -p tcp
Description: This match specifies the protocol type. Examples of protocols are TCP, UDP and ICMP. The list of protocols is in /etc/protocols. First, the protocol name passed to this match can be one of the three protocols above or the keyword ALL. A protocol number can also be given, for example 255 for RAW IP. The mapping between protocol numbers and names is in the /etc/protocols file already mentioned. The match may also take a comma-separated list of protocols, for example udp,tcp (although the author states that a list of protocols can be given, nobody has yet managed to make this work; man iptables explicitly says that only one protocol can be given here. Perhaps this extension exists in patch-o-matic? Translator's note). A numeric value of 0 is equivalent to ALL, which is also the default when --protocol is not used. To invert the match, put ! before the protocol name (or list); for example --protocol ! tcp matches packets of any protocol except tcp.
Match: -s, --src, --source
Example: iptables -A INPUT -s 192.168.1.1
Description: The source IP address(es) of the packet. The source can be given as in the example, meaning a single IP address, or as address/mask, for example 192.168.0.0/255.255.255.0, or in the more modern form 192.168.0.0/24, which effectively specifies a range of addresses. As before, a ! before the address inverts the match: --source ! 192.168.0.0/24 means any address except 192.168.0.x.
Match: -d, --dst, --destination
Example: iptables -A INPUT -d 192.168.1.1
Description: The destination IP address(es). Same syntax as --source, except that it refers to the destination. It can likewise specify a single IP address or a range. The ! inverts the match.
Match: -i, --in-interface
Example: iptables -A INPUT -i eth0
Description: The interface on which the packet was received. This match is allowed only in the INPUT, FORWARD and PREROUTING chains; anywhere else it produces an error. If the match is omitted, any interface is assumed, which is the same as -i +. As before, ! inverts the match. If the interface name ends with +, the match covers all interfaces beginning with that string: -i PPP+ means any PPP interface, and -i ! eth+ means any interface except the eth ones.
Match: -o, --out-interface
Example: iptables -A FORWARD -o eth0
Description: The name of the output interface. This match is allowed only in the OUTPUT, FORWARD and POSTROUTING chains; anywhere else it produces an error. If the match is omitted, any interface is assumed, which is the same as -o +. As before, ! inverts the match. If the interface name ends with +, the match covers all interfaces beginning with that string: -o eth+ means any eth interface, and -o ! eth+ means any interface except the eth ones.
Match: -f, --fragment
Example: iptables -A INPUT -f
Description: The rule applies to all fragments of a fragmented packet except the first. This is because there is no way to determine the source or destination port of a fragment, or the type of an ICMP fragment. Fragmented packets can be used to attack your firewall, because such fragments may not be caught by other rules. As before, ! inverts the match, but in this case ! must precede the -f option, as in ! -f. The inverted match means "all first fragments of fragmented packets and/or unfragmented packets, but not the second and later fragments of fragmented packets".

Implicit matches

This section covers the implicit matches, that is, the matches that are loaded implicitly and become available, for example, when the --protocol match is given. Today there are three automatically loaded extensions: the TCP matches, the UDP matches and the ICMP matches (while building my own rules I found that I had to load these extensions explicitly, i.e. they were not loaded automatically; translator's note). These extensions can also be loaded explicitly with the -m, --match option, for example -m tcp.


TCP matches

This extension is protocol-specific and works only with TCP packets. To use these additional matches, you must specify --protocol tcp in the rule. Important: --protocol tcp must come before the protocol-specific match. These extensions are loaded automatically for the tcp protocol, as well as for udp and icmp. (I already commented on implicit loading of extensions above; translator's note.)

Table 5. TCP matches

Match: --sport, --source-port
Example: iptables -A INPUT -p tcp --sport 22
Description: The source port the packet was sent from. The argument may be a port number or a service name. The mapping between service names and port numbers is in /etc/services. Rules with numeric ports are processed slightly faster, although numbers are less convenient when reading script listings. If you intend to build large rule sets, say several hundred rules or more, numeric ports are preferable.
Port numbers can be given as a range from a minimum to a maximum, for example --source-port 22:80. If the minimum is omitted, as in --source-port :80, the range starts at 0. If the maximum is omitted, as in --source-port 22:, the range ends at 65535. The form --source-port 80:22 is also accepted; iptables swaps the numbers, so it becomes --source-port 22:80. As before, ! inverts the match: --source-port ! 22 means any port except 22. Inversion can also be applied to a range, for example --source-port ! 22:80.
Match: --dport, --destination-port
Example: iptables -A INPUT -p tcp --dport 22
Description: The port the packet is addressed to. Arguments use the same format as --source-port.
Match: --tcp-flags
Example: iptables -p tcp --tcp-flags SYN,ACK,FIN SYN
Description: Specifies the mask and the flags of a TCP packet. A packet matches if, of the flags listed in the first list (the mask), exactly those in the second list are set. In the example above, the match covers packets with SYN set and FIN and ACK cleared. The arguments may be the flags SYN, ACK, FIN, RST, URG, PSH and the reserved words ALL and NONE. ALL means all flags and NONE means no flags. Thus --tcp-flags ALL NONE means that all flags in the packet must be cleared. As before, ! inverts the match. Important: flag names within each list must be separated by commas; the two lists are separated by a space.
Match: --syn
Example: iptables -p tcp --syn
Description: The --syn match is essentially a relic inherited from ipchains. It matches packets with the SYN flag set and the ACK and FIN flags cleared, and is equivalent to --tcp-flags SYN,ACK,FIN SYN. Such packets are used to open a TCP connection. Blocking them reliably blocks all incoming connection requests, but this match cannot block outgoing connection requests. As before, the match can be inverted with !: ! --syn means all packets that are not connection requests, i.e. all packets with the FIN or ACK flag set.
Match: --tcp-option
Example: iptables -p tcp --tcp-option 16
Description: A packet matches if its TCP option equals the given number. A TCP option is part of the packet header and consists of 3 fields. The first 8-bit field holds the option kind used in the connection. The second 8-bit field holds the length of the option. To follow the standards fully we would have to handle every possible option; instead we can inspect the first field and, if it names an option our firewall does not support, simply skip over the third field (whose length is given in the second field). A packet without a complete TCP header is dropped automatically when an attempt is made to examine its TCP options. As before, the [!] inversion flag can be used. More information about TCP options can be found at the Internet Engineering Task Force.
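As an added example that is not part of the tutorial, the parsing and matching rules described above for the port arguments and for --tcp-flags and --syn, written in C; the function names are my own, and because the UDP matches use the same port syntax the port parser applies there too:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Port-range syntax of --source-port/--destination-port: "22", "22:80",
 * ":80" (from 0), "22:" (to 65535), "80:22" (swapped to 22:80). Service
 * names are not resolved here. Returns false on malformed or out-of-range input. */
bool parse_port_range(const char *arg, uint16_t *lo, uint16_t *hi)
{
    unsigned long a = 0, b = 65535;
    char *end;
    const char *colon = strchr(arg, ':');
    if (colon == NULL) {                        /* single port */
        a = strtoul(arg, &end, 10);
        if (end == arg || *end != '\0' || a > 65535) return false;
        *lo = *hi = (uint16_t)a;
        return true;
    }
    if (colon != arg) {                         /* minimum given */
        a = strtoul(arg, &end, 10);
        if (end != colon || a > 65535) return false;
    }
    if (colon[1] != '\0') {                     /* maximum given */
        b = strtoul(colon + 1, &end, 10);
        if (end == colon + 1 || *end != '\0' || b > 65535) return false;
    }
    if (a > b) { unsigned long t = a; a = b; b = t; }   /* 80:22 -> 22:80 */
    *lo = (uint16_t)a;
    *hi = (uint16_t)b;
    return true;
}

/* What the port match does with a packet: parse the argument, test the port. */
bool port_in_range(const char *arg, uint16_t port)
{
    uint16_t lo, hi;
    return parse_port_range(arg, &lo, &hi) && port >= lo && port <= hi;
}

/* Flag bits as laid out in the TCP header's flags byte. */
enum { TCP_FIN = 0x01, TCP_SYN = 0x02, TCP_RST = 0x04,
       TCP_PSH = 0x08, TCP_ACK = 0x10, TCP_URG = 0x20, TCP_ALL = 0x3f };

/* One comma-separated flag list: "SYN,ACK,FIN", "ALL" or "NONE". */
bool parse_flag_list(const char *list, uint8_t *bits)
{
    static const struct { const char *name; uint8_t bit; } tbl[] = {
        {"FIN", TCP_FIN}, {"SYN", TCP_SYN}, {"RST", TCP_RST}, {"PSH", TCP_PSH},
        {"ACK", TCP_ACK}, {"URG", TCP_URG}, {"ALL", TCP_ALL}, {"NONE", 0},
    };
    char buf[64];
    if (strlen(list) >= sizeof buf) return false;
    strcpy(buf, list);
    *bits = 0;
    for (char *tok = strtok(buf, ","); tok != NULL; tok = strtok(NULL, ",")) {
        size_t i;
        for (i = 0; i < sizeof tbl / sizeof tbl[0]; i++)
            if (strcmp(tok, tbl[i].name) == 0) { *bits |= tbl[i].bit; break; }
        if (i == sizeof tbl / sizeof tbl[0]) return false;   /* unknown flag name */
    }
    return true;
}

/* The full "--tcp-flags MASK COMP" argument: two lists separated by one space. */
bool parse_tcp_flags_arg(const char *arg, uint8_t *mask, uint8_t *comp)
{
    const char *sp = strchr(arg, ' ');
    char m[64];
    if (sp == NULL || (size_t)(sp - arg) >= sizeof m) return false;
    memcpy(m, arg, (size_t)(sp - arg));
    m[sp - arg] = '\0';
    return parse_flag_list(m, mask) && parse_flag_list(sp + 1, comp);
}

/* Of the flags named in MASK, exactly those in COMP must be set in the packet;
 * flags outside MASK are ignored. */
bool tcp_flags_rule_matches(const char *arg, uint8_t pkt_flags)
{
    uint8_t mask, comp;
    return parse_tcp_flags_arg(arg, &mask, &comp) && (pkt_flags & mask) == comp;
}

/* --syn as the text defines it: identical to --tcp-flags SYN,ACK,FIN SYN. */
bool syn_match(uint8_t pkt_flags)
{
    return (pkt_flags & (TCP_SYN | TCP_ACK | TCP_FIN)) == TCP_SYN;
}

int main(void)
{
    printf("port 50 in 80:22 -> %d\n", port_in_range("80:22", 50));
    printf("SYN-only packet vs 'SYN,ACK,FIN SYN' -> %d\n",
           tcp_flags_rule_matches("SYN,ACK,FIN SYN", TCP_SYN));
    printf("SYN+ACK packet  vs 'SYN,ACK,FIN SYN' -> %d\n",
           tcp_flags_rule_matches("SYN,ACK,FIN SYN", TCP_SYN | TCP_ACK));
    printf("no flags vs 'ALL NONE' -> %d\n", tcp_flags_rule_matches("ALL NONE", 0));
    return 0;
}
```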

UDP matches

This section covers the matches specific to the UDP protocol. These extensions are loaded automatically when --protocol UDP is specified. Note that UDP packets are not connection-oriented and therefore carry no flags that would indicate the purpose of the datagram. Receipt of UDP packets requires no acknowledgement from the receiver; if they are lost, they are simply lost (without triggering an ICMP error message). This implies far fewer additional matches than for TCP packets. Important: a good firewall must handle packets of any type, UDP or ICMP, which are considered connectionless, as well as it handles TCP packets. We will return to this in later chapters.

Table 6. UDP matches

Match: --sport, --source-port
Example: iptables -A INPUT -p udp --sport 53
Description: The source port the packet was sent from. The argument may be a port number or a service name. The mapping between service names and port numbers is in /etc/services. Rules with numeric ports are processed slightly faster, although numbers are less convenient when reading script listings. If you intend to build large rule sets, say several hundred rules or more, numeric ports are preferable.
Port numbers can be given as a range from a minimum to a maximum, for example --source-port 22:80. If the minimum is omitted, as in --source-port :80, the range starts at 0. If the maximum is omitted, as in --source-port 22:, the range ends at 65535. The form --source-port 80:22 is also accepted; iptables swaps the numbers, so it becomes --source-port 22:80. As before, ! inverts the match: --source-port ! 22 means any port except 22. Inversion can also be applied to a range, for example --source-port ! 22:80.
Match: --dport, --destination-port
Example: iptables -A INPUT -p udp --dport 53
Description: The port the packet is addressed to. The argument format is exactly the same as for --source-port.

ICMP matches

This protocol is used mainly to carry error messages and to control connections. It is not subordinate to IP, but works closely with it, since it helps handle error conditions. ICMP headers are very similar to IP headers, but differ in some respects. The main property of this protocol is the type field in the header, which tells what kind of packet it is. For example, when we try to connect to an unreachable host, we receive an ICMP host unreachable message in reply. The full list of ICMP message types is given in the ICMP types appendix. There is only one ICMP-specific match. This extension is loaded automatically when --protocol ICMP is specified. Note that the generic matches can also be used on ICMP packets, since the source address, destination address and so on are known.

Table 7. ICMP matches

Match: --icmp-type
Example: iptables -A INPUT -p icmp --icmp-type 8
Description: The ICMP message type, given by number or by name. The numeric values are defined in RFC 792. To get the list of ICMP type names, run iptables --protocol icmp --help, or see the ICMP types appendix. As before, ! inverts the match, for example --icmp-type ! 8.

Explicit matches

Before these extensions can be used they must be loaded explicitly with the -m or --match option. For example, to use the state matches we must write -m state in the rule, to the left of the match itself. Some of these matches are still under development and may not always work, but in most cases they work quite reliably. The only difference between explicit and implicit matches is that the former must be loaded explicitly, while the latter are loaded automatically.


MAC match

Table 8. MAC matches

The MAC match checks the source MAC address of a packet. The -m mac module currently provides only a single match, but it may be extended in the future and become more useful.

Note

The extension module must be loaded explicitly with -m mac. I mention this because many people forget this option and then wonder why the match does not work.

Match: --mac-source
Example: iptables -A INPUT -m mac --mac-source 00:00:00:00:00:01
Description: The MAC address of the host that sent the packet. It must be given in the form XX:XX:XX:XX:XX:XX. As before, ! inverts the match: --mac-source ! 00:00:00:00:00:01 means a packet from any host except the one with MAC address 00:00:00:00:00:01. This match only makes sense in the PREROUTING, FORWARD and INPUT chains and nowhere else.

Limit match

Must be loaded explicitly with -m limit. It is well suited for rules that write to the system log (logging) and the like. Adding this match sets an upper bound on the number of packets per unit of time that the rule will let through. The ! can be used for inversion, for example -m ! limit, in which case packets pass the rule only after the limit has been exceeded.

Table 9. Limit match

Match: --limit
Example: iptables -A INPUT -m limit --limit 3/hour
Description: Sets the maximum number of packets per unit of time to which this rule will be applied when all other conditions match. The argument is a number of packets and a time unit. The allowed time units are /second, /minute, /hour and /day. The default is 3 packets per hour, or 3/hour. The [!] inversion flag is not allowed with this match.
Match: --limit-burst
Example: iptables -A INPUT -m limit --limit-burst 5
Description: Sets the maximum burst limit for the limit match. This number is incremented by one each time a packet matching this rule arrives while the average rate (set by --limit) has already been reached. This continues until the burst limit reaches the maximum set by --limit-burst. After that, the rule lets packets through at the rate set by --limit. The default value is 5. To demonstrate how this match works I wrote the script limit-match.txt. With it you can see the limit match in action simply by sending ping packets at different time intervals.

Translator's note: For a very long time my understanding of the limit match was purely intuitive, until Vladimir Kholmanov (hat off, deepest bow) explained its essence to me simply and clearly. I will try to pass on his explanation:

  1. The -m limit extension implies the --limit and --limit-burst options. If you do not specify them, they take their default values.
  2. --limit-burst is the maximum value of the packet counter at which the limit kicks in.
  3. --limit is the rate at which the burst limit counter "winds back".

This principle is simple to implement in C and is widely used in many rate-limiting algorithms.
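The three points above describe a token bucket. As an added example that is not part of the tutorial or its limit-match.txt script, here is that algorithm in C with integer millisecond time; the names, the sample timings and the assumption that the bucket starts full are mine:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Token-bucket model of "-m limit": the bucket holds at most `burst` tokens
 * (--limit-burst), every matching packet spends one token, and tokens are put
 * back at the --limit rate. Time is in integer milliseconds so the arithmetic
 * is exact. */
struct limit_state {
    uint32_t burst;        /* --limit-burst: bucket capacity and initial level */
    uint64_t interval_ms;  /* --limit turned into "one token every N ms" */
    uint32_t tokens;       /* tokens currently available */
    uint64_t last_ms;      /* time up to which refills have been credited */
};

/* Turn "3/hour", "1/second", "10/minute", "100/day" into ms per token.
 * Returns 0 on a malformed specification (or a rate above one per ms). */
uint64_t limit_interval_ms(const char *spec)
{
    static const struct { const char *unit; uint64_t ms; } units[] = {
        {"second", 1000ULL}, {"minute", 60000ULL},
        {"hour", 3600000ULL}, {"day", 86400000ULL},
    };
    char *end;
    unsigned long n = strtoul(spec, &end, 10);
    size_t i;
    if (end == spec || n == 0 || *end != '/') return 0;
    for (i = 0; i < sizeof units / sizeof units[0]; i++)
        if (strcmp(end + 1, units[i].unit) == 0) return units[i].ms / n;
    return 0;
}

bool limit_init(struct limit_state *s, const char *spec, uint32_t burst, uint64_t now_ms)
{
    s->interval_ms = limit_interval_ms(spec);
    if (s->interval_ms == 0 || burst == 0) return false;
    s->burst = burst;
    s->tokens = burst;         /* a fresh rule lets a full burst through at once */
    s->last_ms = now_ms;
    return true;
}

/* The match itself: credit the tokens earned since the last call, then try
 * to spend one. true = within the limit (the rule matches), false = over it. */
bool limit_match(struct limit_state *s, uint64_t now_ms)
{
    if (now_ms > s->last_ms) {
        uint64_t earned = (now_ms - s->last_ms) / s->interval_ms;
        if (earned > 0) {
            if (earned >= s->burst - s->tokens) s->tokens = s->burst;  /* never above burst */
            else s->tokens += (uint32_t)earned;
            s->last_ms += earned * s->interval_ms;  /* keep the unspent remainder of time */
        }
    }
    if (s->tokens == 0) return false;
    s->tokens--;
    return true;
}

/* Run a sequence of packet arrival times (ms, non-decreasing) through one
 * rule and count how many packets the rule matched. */
size_t limit_count_matched(const char *spec, uint32_t burst,
                           const uint64_t *arrival_ms, size_t n)
{
    struct limit_state s;
    size_t i, matched = 0;
    if (!limit_init(&s, spec, burst, 0)) return 0;
    for (i = 0; i < n; i++)
        if (limit_match(&s, arrival_ms[i])) matched++;
    return matched;
}

int main(void)
{
    /* Constructed arrivals: six pings at once, then two more 20 minutes later.
     * With 3/hour (one token every 20 min) and burst 5: 5 + 1 = 6 matched. */
    const uint64_t t[] = {0, 0, 0, 0, 0, 0, 1200000, 1200000};
    size_t n = sizeof t / sizeof t[0];
    printf("3/hour burst 5: %zu of %zu packets matched\n",
           limit_count_matched("3/hour", 5, t, n), n);
    return 0;
}
```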




Multiport extension

The multiport extension allows several ports and port ranges to be specified in a single rule.

Note

You cannot use the standard port match and the -m multiport extension at the same time (for example --sport 1024:63353 -m multiport --dport 21,23,80). Such rules are simply rejected by iptables.

Table 10. Multiport extension

Match: --source-port
Example: iptables -A INPUT -p tcp -m multiport --source-port 22,53,80,110
Description: Specifies a list of source ports. Up to 15 different ports can be given. Ports in the list must be separated by commas; spaces are not allowed. This extension can only be used together with -p tcp or -p udp. It is mainly used as an extended version of the ordinary --source-port match.
Match: --destination-port
Example: iptables -A INPUT -p tcp -m multiport --destination-port 22,53,80,110
Description: Specifies a list of destination ports. The argument format is exactly the same as for -m multiport --source-port.
Match: --port
Example: iptables -A INPUT -p tcp -m multiport --port 22,53,80,110
Description: This match checks both the source and the destination port of the packet. The argument format is the same as for --source-port and --destination-port. Note that this match checks the ports in both directions, i.e. if you write -m multiport --port 80, the match covers packets going from port 80 to port 80.

Mark extension

The mark extension makes it possible to "mark" packets in a special way. The mark is a special field that exists only in kernel memory and is associated with a particular packet. It can be used for a variety of purposes, for example traffic shaping and filtering. Today the only way to set a mark on a packet in Linux is the MARK target. The mark field is an unsigned integer in the range 0 to 4294967296 on 32-bit systems.

Table 11. Mark extension

Match: --mark
Example: iptables -t mangle -A INPUT -m mark --mark 1
Description: This match checks packets that have previously been "marked". Marks are set by the MARK target, covered below. All packets passing through netfilter have a special mark field. Remember that there is no way to send the state of this field along with the packet onto the network. The mark field is an unsigned integer, so no more than 65535 different marks can be created. A mask can be used with the mark, in which case the match looks like --mark 1/1. If a mask is given, a logical AND of the mark and the mask is performed.

Owner extension

The owner extension checks the "owner" of a packet. It was originally written as an example to demonstrate what iptables can do. This match can be used only in the OUTPUT chain. This restriction exists because there is currently no real mechanism for passing owner information across the network. To be fair, for some packets the owner cannot be determined even in this chain; various ICMP responses are among them. So this match should not be applied to ICMP response packets.

Table 12. Owner extension

Match: --uid-owner
Example: iptables -A OUTPUT -m owner --uid-owner 500
Description: Checks the owner by User ID (UID). This kind of check can be used, for example, to block Internet access for particular users.
Match: --gid-owner
Example: iptables -A OUTPUT -m owner --gid-owner 0
Description: Checks the owner of the packet by Group ID (GID).
Match: --pid-owner
Example: iptables -A OUTPUT -m owner --pid-owner 78
Description: Checks the owner of the packet by Process ID (PID). This match is rather awkward to use; for example, to allow packets to the HTTP port only from a given daemon, we would need a small script that obtains the process's PID (via ps, say) and then inserts that PID into the rules. An example of using this match can be found in pid-owner.txt.
Match: --sid-owner
Example: iptables -A OUTPUT -m owner --sid-owner 100
Description: Checks the Session ID of the packet. The SID is inherited by child processes from the parent, so, for example, all HTTPD processes share the same SID (Apache HTTPD and Roxen are examples of such processes). An example of using this match can be found in sid-owner.txt. That script can be run periodically to check that the HTTPD process exists and, if it is missing, restart the "crashed" process, then flush the OUTPUT chain and enter it again.

State match

The state match is used together with the connection tracking code and gives us access to the connection tracking state of the packet, which tells us the state of the connection, even for protocols such as ICMP and UDP. This extension must be loaded explicitly with -m state. The connection state mechanism is discussed in more detail in the chapter on the state machine.

Table 13. State matches

Match: --state
Example: iptables -A INPUT -m state --state RELATED,ESTABLISHED
Description: Checks the connection state. Currently 4 states can be given: INVALID, ESTABLISHED, NEW and RELATED. INVALID means the packet is associated with an unknown stream or connection and may contain an error in its data or header. ESTABLISHED means the packet belongs to an already established connection in which packets flow in both directions. NEW means the packet opens a new connection or belongs to a one-directional stream. Finally, RELATED means the packet belongs to an existing connection but opens a new connection; examples are an FTP data transfer or an ICMP error message related to an existing TCP or UDP connection. Note that NEW is not the same as a set SYN bit in the TCP packets that open a new connection, and such packets can be potentially dangerous when you rely on a single firewall to protect the network. This problem is discussed in more detail later in this document, in the section on NEW packets with the SYN bit cleared.

Unclean match

The unclean match takes no options; to use it, simply load the module explicitly. Be careful: this module is still under development and may behave incorrectly in some situations. The match is meant to single out packets that deviate from the accepted standards, such as packets with damaged headers or bad checksums, but using it may also break perfectly legitimate connections.


TOS match

The TOS match checks the bits of the TOS field. TOS, Type Of Service, is an 8-bit field in the IP header. The module must be loaded explicitly with -m tos.

Translator's note: The following description of the TOS field is not taken from the original, since I find the original description somewhat vague.
This field serves the needs of packet routing. Setting any of its bits may cause a router to handle the packet differently from one with all TOS bits cleared. Each bit of the TOS field has its own meaning. Only one bit of the field may be set in a packet, so combinations are not allowed. Each bit defines a type of service:
Minimum delay
Used when the packet's transit time must be minimal, i.e. where possible the router will choose a faster link for it. For example, given a choice between a fibre-optic line and a satellite link, the faster fibre will be preferred.
Maximum throughput
Indicates that the packet should be forwarded over the link with the greatest throughput. Satellite links, for example, have high latency but high throughput.
Maximum reliability
The most reliable route is chosen to avoid having to retransmit the packet. PPP and SLIP links, for example, are less reliable than X.25 networks, so a network provider may offer a special route with higher reliability.
Minimum cost
Used when it is important to minimise the (monetary) cost of transmission. For example, for transoceanic traffic (to another continent) leasing a satellite link may be cheaper than leasing fibre. Setting this bit may well cause the packet to take the "cheaper" route.
Normal service
All TOS bits are cleared. Routing of such a packet is left entirely to the provider's discretion.

Table 14. TOS match

Match: --tos
Example: iptables -A INPUT -p tcp -m tos --tos 0x16
Description: This match checks the TOS bits described above. The field is normally used for routing, but it can also be used to "mark" packets for use with iproute2 and advanced routing in Linux. The argument can be a decimal or hexadecimal number, or a mnemonic for the bit; the mnemonics and their numeric values can be obtained with iptables -m tos -h. The mnemonics and their values are listed below.
Minimize-Delay 16 (0x10) (Minimum delay),
Maximize-Throughput 8 (0x08) (Maximum throughput),
Maximize-Reliability 4 (0x04) (Maximum reliability),
Minimize-Cost 2 (0x02) (Minimum cost),
Normal-Service 0 (0x00) (Normal service).

TTL match

TTL (Time To Live) is a numeric field in the IP header. Each router the packet passes through decrements it by 1. When it reaches zero, the sender is sent an ICMP type 11 message with code 0 (TTL equals 0 during transit) or code 1 (TTL equals 0 during reassembly). To use this match, the module must be loaded explicitly with -m ttl.

Translator's note: Once again the original text does not quite match reality; at least for iptables 1.2.6a, which is the version actually being discussed, there are three different matches on the TTL field: -m ttl --ttl-eq number, -m ttl --ttl-lt number and -m ttl --ttl-gt number. Their purpose is clear from their syntax.
Nevertheless, here is the translation of the original:

Table 15. TTL match

Match: --ttl
Example: iptables -A OUTPUT -m ttl --ttl 60
Description: Checks the TTL field for equality with the given value. This match can be used when debugging a local network, for example when some machine on the LAN cannot connect to a server on the Internet, or for hunting "trojans", and so on. In general, the uses of this field are limited only by your imagination. Another example: this match can be used to find machines with poor TCP/IP stack implementations or misconfigured operating systems.

Targets and jumps

Targets and jumps tell a rule what to do when a packet matches its criteria. The most commonly used targets are ACCEPT and DROP. But first let us look briefly at jumps.

A jump is specified in a rule exactly like a target: the -j option followed by the name of the chain to jump to. Jumps are subject to some restrictions: first, the chain jumped to must be in the same table as the chain the jump is made from; second, the target chain must be created before any jump to it is made. For example, let us create the chain tcp_packets in the filter table with the command

iptables -N tcp_packets

Now we can jump to this chain like so

iptables -A INPUT -p tcp -j tcp_packets

That is, on encountering a tcp packet, iptables jumps to the tcp_packets chain and continues the packet's traversal there. If the packet reaches the end of that chain, it is returned to the calling chain (INPUT in our case) and traversal continues with the rule following the one that made the jump. If the packet is ACCEPTed in the nested chain, it is automatically considered accepted in the calling chain as well and does not continue through the calling chains. It will, however, still traverse the chains of other tables. More information on the order in which chains and tables are traversed is in the chapter Traversing of tables and chains.

A target is a predefined command describing the action to take when a packet matches the given criteria. For example, we can apply DROP or ACCEPT to a packet, depending on our needs. There are several other targets, described below in this section. Some targets, such as DROP and ACCEPT, stop the packet's traversal of the chain; others, such as LOG, perform some operation and then let the packet continue; still others, such as DNAT and SNAT, TTL and TOS, even modify the packet but likewise let it continue through the chain.


ACCEPT target

This target takes no options. When a packet is ACCEPTed it stops traversing the current chain (and every chain that called it, if the current chain was called from another) and is considered accepted, i.e. let through. It will, however, still traverse the chains of the other tables and may be dropped there. The target is specified as -j ACCEPT.


DROP target

DROP simply discards the packet, and iptables forgets it ever existed. A dropped packet stops completely: it is not passed on to the other tables as it would be after ACCEPT. Bear in mind that this can have unwanted side effects, since it may leave dead sockets lingering on either the server or the client, waiting for a reply that never comes. Where that matters, REJECT is the better choice, especially when the aim is to keep port scanners from learning too much about which ports are filtered. The trade-off is that REJECT answers immediately, and so confirms that the host is up, while DROP leaves the scanner waiting for a timeout.


QUEUE target

QUEUE hands the packet to a user-space process for handling. It can be used for accounting, proxying or additional filtering of packets.

Translator's note: at this point the author explains at length that the subject is far beyond the scope of this document; rather than repeat that, I quote here an excerpt from the Linux 2.4 Packet Filtering HOWTO, as translated into Russian by Evgeny Danilchenko aka virii5, eugene@kriljon.ru:

"...For this target to be useful, two further components are required:

  • a "queue handler", which does the actual work of passing packets between the kernel and the user-space application; and
  • a user-space application that receives the packets, possibly manipulates them, and decides their fate.

The standard queue handler for IPv4 is the ip_queue module, which ships with the kernel and is marked experimental. Here is an example of how to use iptables to pass packets to a user-space application:

# modprobe iptable_filter
# modprobe ip_queue
# iptables -A OUTPUT -p icmp -j QUEUE

With this rule, locally generated ICMP packets (such as those produced by ping) are passed to the ip_queue module, which then tries to hand them to a user-space application. If no such application is waiting, the packets are dropped. To write a user-space packet handler, use the libipq API, which is distributed with the iptables package; examples can be found in the testsuite tools (e.g. redirect.c) in CVS. The status of ip_queue can be checked in /proc/net/ip_queue. The maximum queue length (the number of packets handed to user space without a verdict having been returned) is controlled by /proc/sys/net/ipv4/ip_queue_maxlen and defaults to 1024. Once this limit is reached, new packets are dropped until the queue falls back below it. Well-behaved protocols such as TCP treat the dropped packets as congestion and cope with it (as far as I recall, the remote side simply retransmits the packet; translator's note). Some experimentation may be needed, however, to find the optimal queue length for a given situation if the default is too small..."




RETURN target

RETURN stops the packet's traversal of the current chain. If the current chain was called from another chain, the packet returns to that calling chain and continues with the rule after the one that made the jump. If the current chain is a built-in chain (INPUT, for example), the chain's default policy is applied to the packet instead. The default policy is normally set to ACCEPT or DROP.

For example, suppose a packet travelling down INPUT hits a rule with --jump EXAMPLE_CHAIN, and inside EXAMPLE_CHAIN it hits a rule with --jump RETURN. The packet then goes back to INPUT, resuming just after the jump rule. If instead a packet hits a --jump RETURN rule in INPUT itself, the default policy of INPUT is applied to it.
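To make the jump and RETURN semantics above concrete, here is a small simulator written for this edition; it is not part of the tutorial or of iptables. It walks a hand-written rule list, jumps into user-defined chains, treats ACCEPT, DROP and REJECT as terminating for every calling chain, lets LOG fall through, returns on RETURN or at the end of a user chain, and applies the policy when a built-in chain is exhausted. The rule format and the packet labels such as tcp/22 are this example's own invention, not iptables syntax.

```shell
#!/bin/sh
# Added example (not from the tutorial): a tiny simulator of iptables chain
# traversal. Rule format (constructed for this example, not iptables syntax):
#   <chain> <pattern> <target>
# <pattern> is a shell glob matched against a packet label "proto/dport";
# <target> is ACCEPT, DROP, REJECT, LOG, RETURN or a user-defined chain name.
RULES='
INPUT        tcp/*    tcp_packets
INPUT        tcp/23   REJECT
INPUT        udp/53   ACCEPT
tcp_packets  tcp/22   LOG
tcp_packets  tcp/22   ACCEPT
tcp_packets  tcp/23   RETURN
tcp_packets  tcp/80   ACCEPT
'

# walk CHAIN PACKET: print the verdict reached inside CHAIN, "RETURN" if an
# explicit RETURN was hit, or nothing if the packet fell off the end.
walk() {
  chain=$1 pkt=$2
  printf '%s\n' "$RULES" | while read -r c m t; do
    [ "$c" = "$chain" ] || continue            # only this chain's rules, in order
    case $pkt in $m) ;; *) continue ;; esac    # does the rule match the packet?
    case $t in
      ACCEPT|DROP|REJECT)                      # terminating: ends traversal of
        echo "$t"; exit 0 ;;                   # this chain and every caller
      RETURN)
        echo RETURN; exit 0 ;;                 # back to the calling chain
      LOG)
        continue ;;                            # non-terminating: keep walking
      *)                                       # jump into a user-defined chain
        v=$(walk "$t" "$pkt")
        case $v in
          ''|RETURN) ;;                        # resume with the next rule here
          *) echo "$v"; exit 0 ;;              # the subchain's verdict stands
        esac ;;
    esac
  done
}

# verdict CHAIN POLICY PACKET: final fate of PACKET entering built-in CHAIN.
# RETURN in a built-in chain, or running off its end, applies the policy.
verdict() {
  v=$(walk "$1" "$3")
  case $v in ''|RETURN) echo "$2" ;; *) echo "$v" ;; esac
}

for p in tcp/22 tcp/23 tcp/25 udp/53 udp/123; do
  printf '%-8s -> %s\n' "$p" "$(verdict INPUT DROP "$p")"
done
```

With the rule list above, tcp/22 is accepted inside tcp_packets and never sees the REJECT rule in INPUT; tcp/23 hits RETURN, comes back to INPUT and is rejected there; tcp/25 matches nothing in either chain and gets the INPUT policy.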


LOG target

LOG is used to log individual packets and events. It can record the IP headers of packets and other information you are interested in; the records can then be read with dmesg, through syslogd, or with other programs. It is an excellent tool for debugging your rules. While debugging, it is a good idea to use LOG in place of DROP, so that you can verify the firewall really does what you intend before it starts discarding packets. Also take a look at the ULOG target, which may interest you because it can deliver the logged data to a MySQL database and the like rather than to the system log.

Note that if messages are not showing up in the system log, the problem lies in syslogd, not in iptables or netfilter. See man syslog.conf for how to configure syslogd.

LOG has five options, listed below.

Table 17. Options for the LOG target

Option: --log-level
Example: iptables -A FORWARD -p tcp -j LOG --log-level debug
Description: Sets the log level (priority) of the message. The full list of levels is in the syslog.conf manual page; the usual ones are debug, info, notice, warning, warn, err, error, crit, alert, emerg and panic. The keyword error means the same as err, warn the same as warning, and panic the same as emerg; the spellings error, warn and panic are deprecated, so use err, warning and emerg. The priority determines how syslog handles the message. All LOG messages are emitted by the kernel, so a line kern.=info /var/log/iptables in syslog.conf sends every iptables message logged at level info to /var/log/iptables. Note that the same file also receives messages at level info from every other kernel subsystem. For more on syslog and syslog.conf, consult the manual pages and HOWTOs.
Option: --log-prefix
Example: iptables -A INPUT -p tcp -j LOG --log-prefix "INPUT packets"
Description: Prefixes every log message produced by this rule with the given text, so that messages from a particular rule are easy to find, for example with grep. The prefix may be up to 29 characters long, spaces included.
Option: --log-tcp-sequence
Example: iptables -A INPUT -p tcp -j LOG --log-tcp-sequence
Description: Logs the TCP sequence number of the packet. Sequence numbers identify each segment of a stream and define the order in which the stream is reassembled, which is also why they are valuable to anyone trying to inject into or hijack a connection. This option is therefore a security risk if the log is world-readable, as is any log that contains iptables messages.
Option: --log-tcp-options
Example: iptables -A FORWARD -p tcp -j LOG --log-tcp-options
Description: Logs the options from the TCP header of the packet, which can be useful when debugging. Like most LOG options, it takes no argument.
Option: --log-ip-options
Example: iptables -A FORWARD -p tcp -j LOG --log-ip-options
Description: Logs the options from the IP header of the packet. Much like --log-tcp-options, but for the IP header only.
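An added example, not from the tutorial, of what a practitioner does with LOG output: a rate-limited logging chain (so that a flood of matches cannot fill the disk or drown syslog), constructed syslog lines in the format the kernel's LOG target produces, and two small awk-based functions that summarise hits per source and flag sources that touched many distinct ports, i.e. port scans. The prefix FW-INPUT:, the chain name LOG_NEW, the sample addresses and the log lines themselves are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the tutorial): LOG rules plus analysis of the
# resulting syslog lines. Names, prefix and sample data are assumptions.

# Print (rather than run) the logging rules so they can be reviewed first.
# The limit match bounds the log volume whatever the packet rate.
log_rules() {
  cat <<'EOF'
iptables -N LOG_NEW
iptables -A LOG_NEW -m limit --limit 10/minute --limit-burst 20 \
         -j LOG --log-level info --log-prefix "FW-INPUT: "
iptables -A INPUT -p tcp --syn -j LOG_NEW
EOF
}

# Constructed sample of what syslog records for the rules above (kernel LOG
# format: IN= OUT= SRC= DST= ... PROTO= SPT= DPT= ...). One host sweeps
# four ports, another makes ordinary SSH and HTTPS connections.
SAMPLE_LOG='Mar  3 10:01:02 fw kernel: FW-INPUT: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=1 PROTO=TCP SPT=40001 DPT=21 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:01:02 fw kernel: FW-INPUT: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=2 PROTO=TCP SPT=40001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:01:03 fw kernel: FW-INPUT: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=3 PROTO=TCP SPT=40001 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:01:03 fw kernel: FW-INPUT: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=4 PROTO=TCP SPT=40001 DPT=25 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:02:10 fw kernel: FW-INPUT: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=9 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:02:11 fw kernel: FW-INPUT: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=10 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:02:12 fw kernel: FW-INPUT: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=11 DF PROTO=TCP SPT=51236 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:03:00 fw sshd[412]: Accepted publickey for admin from 203.0.113.5 port 51240 ssh2'

# summarize PREFIX < log: one line per source, "SRC hits distinct_ports",
# considering only kernel lines that carry our prefix.
summarize() {
  awk -v pfx="$1" '
    index($0, "kernel:") && index($0, pfx) {
      src = ""; dpt = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/) src = substr($i, 5)
        else if ($i ~ /^DPT=/) dpt = substr($i, 5)
      }
      if (src == "" || dpt == "") next
      hits[src]++
      if (!seen[src, dpt]++) ports[src]++
    }
    END { for (s in hits) print s, hits[s], ports[s] }' | sort
}

# flag_scanners PREFIX THRESHOLD < log: sources that probed >= THRESHOLD
# distinct destination ports.
flag_scanners() {
  summarize "$1" | awk -v thr="$2" '$3 >= thr { print $1 }'
}

log_rules
printf '%s\n' "$SAMPLE_LOG" | summarize 'FW-INPUT: '
printf '%s\n' "$SAMPLE_LOG" | flag_scanners 'FW-INPUT: ' 3
```

Feed the real log in the same way (for example `grep 'FW-INPUT: ' /var/log/messages | flag_scanners 'FW-INPUT: ' 10`); the threshold is the only tuning knob, and the prefix is what keeps other kernel messages out of the count.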

MARK target

MARK sets a mark value on particular packets. It is valid only in the mangle table. Marks are typically used for policy routing, i.e. sending packets over different routes, and for traffic shaping; see the LARTC HOWTO for more. Remember that the mark lives only inside the kernel for as long as the packet is on this machine: it is not part of the packet and is never transmitted over the wire. If you need to mark packets in a way that another machine can act on, manipulate the TOS bits instead.

Table 18. Options for the MARK target

Option: --set-mark
Example: iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-mark 2
Description: --set-mark sets the mark on the packet; it must be followed by an unsigned integer.

REJECT target

REJECT is used in essentially the same situations as DROP, but unlike DROP it sends an error message back to the host that sent the packet. At present REJECT is valid only in the INPUT, FORWARD and OUTPUT chains and in chains called from them. So far it has a single option controlling its behaviour.

Table 19. Options for the REJECT target

Option: --reject-with
Example: iptables -A FORWARD -p tcp --dport 22 -j REJECT --reject-with tcp-reset
Description: Specifies which reply to send when the packet matches. The reply is sent to the originating host first, and the packet is then dropped. The following reply types are accepted: icmp-net-unreachable, icmp-host-unreachable, icmp-port-unreachable, icmp-proto-unreachable, icmp-net-prohibited and icmp-host-prohibited; the default is port-unreachable. All of these are ICMP error messages; see the appendix ICMP types for more on them. One more reply type, tcp-reset, is valid only for the TCP protocol: with it, REJECT answers with a TCP RST packet, which is what TCP uses to tear down a connection (see RFC 793 - Transmission Control Protocol). (You can list the ICMP reply types and their aliases with iptables -j REJECT -h; translator's note.)

TOS target

TOS sets bits in the Type of Service field of the IP header. The TOS field is 8 bits wide and is used in routing decisions; it is one of the fields that iproute2 can act on, and routers along the path may also consult it when choosing a route. Unlike a MARK, as noted above, the TOS value stays with the packet as it travels across the network, so it can be used to influence routing on other hosts. Most Internet routers today ignore the field, but some do look at it, and if you put your own meaning into it those routers may make the wrong routing decision; it is therefore best to use the field for your own purposes only within your own WAN or LAN.

Caution

The TOS target accepts only the predefined numeric values and mnemonics found in linux/ip.h. If you really need to set arbitrary TOS values, there is the FTOS patch by Matthew G. Marsh, but be very careful with it: non-standard TOS values should not be used except in special situations.

Note

This target is valid only in the mangle table.

Note

In some older versions of iptables (1.2.2 and earlier) this target had a bug: it did not recalculate the packet checksum, so the modified packets were corrupt and the affected connections did not work.

TOS has a single option, described below.

Table 20. Options for the TOS target

Option: --set-tos
Example: iptables -t mangle -A PREROUTING -p tcp --dport 22 -j TOS --set-tos 0x10
Description: --set-tos takes a numeric value in decimal or hexadecimal. Since the TOS field is 8 bits wide, the value can range from 0 to 255 (0x00 to 0xFF), but most of those values have no defined use. The numeric values may change in future TCP/IP implementations, so to be safe use the mnemonics instead: Minimize-Delay (16 or 0x10), Maximize-Throughput (8 or 0x08), Maximize-Reliability (4 or 0x04), Minimize-Cost (2 or 0x02) or Normal-Service (0 or 0x00). Most packets carry Normal-Service, i.e. 0, by default. The list of mnemonics is printed by iptables -j TOS -h.

MIRROR target

MIRROR is for experiments and demonstrations only, because it can make packets loop and thereby cause a denial of service. MIRROR swaps the source and destination fields of the packet and sends it back out, so a would-be intruder ends up probing his own machine, which may be amusing to watch.

This target is valid only in the INPUT, FORWARD and PREROUTING chains and in chains called from those three. Packets sent out by MIRROR are not filtered, connection-tracked or NATed again, which avoids loops on the mirroring host itself, but that does not make the target safe. Imagine a forged packet with a TTL of 255 whose destination matches the mirroring rule and whose source address points at a host that mirrors it back in turn. With a single hop between the two, the packet bounces back and forth until the TTL is exhausted, up to 255 times; at 1500 bytes per packet that is some 380 kB of bandwidth burned by one packet, a nice amplifier for an attacker.


SNAT target

SNAT performs Source Network Address Translation, i.e. it rewrites the source IP address in the IP header of the packet. For example, it can give the other machines on a local network access to the Internet through a single public IP address: enable packet forwarding in the kernel and then add rules that translate the private source addresses of the LAN into the real external address. The outside world then knows nothing about the LAN; it sees all requests as coming from the firewall.

SNAT is valid only in the POSTROUTING chain of the nat table; source addresses can be rewritten nowhere else. Only the first packet of a connection is matched against this chain: once it has been translated, every subsequent packet of the same connection is translated automatically by the connection tracking code without passing through the chain again.

Table 21. Options for the SNAT target

Option: --to-source
Example: iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 194.236.50.155-194.236.50.160:1024-32000
Description: --to-source specifies the address to put into the packet. In the simple case you give a single IP address, which is written into the header as the new source. If you want to spread the load over several addresses, you can give a range, with the first and last address separated by a hyphen, e.g. 194.236.50.155-194.236.50.160; an address from the range is then chosen for each new connection. Optionally a port range can be appended after a colon, reserved for SNAT's own use: source ports are then remapped into that range. iptables tries to avoid remapping source ports where it can, but when it must, it does. If no port range is given, source ports below 512 are remapped to other ports below 512, ports 512-1023 to ports within 512-1023, and ports 1024-65535 to ports within 1024-65535. Destination ports are never remapped.

DNAT target

DNAT (Destination Network Address Translation) rewrites the destination address in the IP header of the packet. When a packet matches a DNAT rule, that packet and every later packet of the same connection have their destination rewritten and are delivered to the specified device, host or network. A typical use is to publish a web server that sits on the LAN with a private address: a rule intercepts packets arriving at the firewall's HTTP port and DNATs them to the server's private address. A range of addresses can also be given, in which case a destination from the range is chosen for each new connection.

DNAT is valid only in the PREROUTING and OUTPUT chains of the nat table, and in chains called from them. Remember that a user-defined chain containing DNAT rules must not be called from any chain other than PREROUTING and OUTPUT.

Table 22. Options for the DNAT target

Option: --to-destination
Example: iptables -t nat -A PREROUTING -p tcp -d 15.45.23.67 --dport 80 -j DNAT --to-destination 192.168.1.1-192.168.1.10
Description: --to-destination specifies the IP address to write into the packet as the new destination. In the example above, every packet arriving at 15.45.23.67 port 80 has its destination rewritten to one of the addresses 192.168.1.1 through 192.168.1.10. As noted above, all packets of one connection go to the same address, while each new connection is assigned an address from the range. A single address can of course be given instead. A port or port range can be appended after a colon, e.g. --to-destination 192.168.1.1:80 to redirect to a single port or --to-destination 192.168.1.1:80-100 for a range. As you can see, the syntax mirrors that of SNAT. Remember that a port can be given only when the rule matches TCP or UDP explicitly with the --protocol option.

DNAT is somewhat tricky to use and deserves a closer look. Take a simple case: we have a web server that we want to make reachable from the Internet, we have only one public IP address, and the web server sits on the LAN. The public address $INET_IP is assigned to the firewall, the HTTP server has the private address $HTTP_IP, and the firewall's own LAN address is $LAN_IP. We start with a simple rule in the PREROUTING chain of the nat table (note that --dport requires a -p tcp match):

iptables -t nat -A PREROUTING -p tcp --dst $INET_IP --dport 80 -j DNAT --to-destination $HTTP_IP

With this rule, every packet arriving at port 80 of $INET_IP is redirected to the internal web server. Accessed from the Internet, the server works fine. But what happens if a client on the LAN tries to connect? The connection simply never completes. Let us first trace a packet from an Internet client, whose address we call $EXT_BOX, to the web server:
  1. The packet leaves the client $EXT_BOX, addressed to $INET_IP.

  2. The packet arrives at the firewall.

  3. The firewall, following the rule above, rewrites the destination address and passes the packet on through the remaining chains.

  4. The packet is forwarded to $HTTP_IP.

  5. The packet reaches the HTTP server, which sends its reply back via the firewall, provided the firewall is the server's route to $EXT_BOX; normally it is the server's default gateway.

  6. The firewall un-translates the address in the reply, so that it now looks as if the reply came from the firewall itself.

  7. The reply is delivered to the client $EXT_BOX.



Now consider a request from a host on the same LAN, which we call $LAN_BOX:

  1. The packet leaves $LAN_BOX.

  2. It arrives at the firewall.

  3. The destination address is rewritten, but the source address is left as it is: the packet still carries $LAN_BOX as its source.

  4. The packet leaves the firewall and reaches the HTTP server.

  5. When the HTTP server prepares its reply, it sees that the client is on the local network (the request carried the original source address, which is now the reply's destination) and therefore sends the reply directly to $LAN_BOX, bypassing the firewall.

  6. The reply arrives at $LAN_BOX. The client is confused: the reply comes from $HTTP_IP rather than from $INET_IP, where it sent the request, so it discards the reply and keeps waiting for the "real" one.



The problem is easily solved with SNAT. The rule below forces the HTTP server to send its replies back through the firewall, which then passes them on to the client:

iptables -t nat -A POSTROUTING -p tcp --dst $HTTP_IP --dport 80 -j SNAT --to-source $LAN_IP

Remember that POSTROUTING is traversed last, after the DNAT has already been applied, which is why the match is on the destination $HTTP_IP. Note also that, as written, this rule rewrites the source of every connection to the web server, including those from the Internet, so the server's logs will show $LAN_IP for every client; adding a source match for the LAN range restricts it to the connections that actually need it.

If you think that is the end of it, you are mistaken. Consider the case where the client is the firewall itself. Locally generated packets never pass through PREROUTING, so they are delivered to port 80 on the firewall rather than to $HTTP_IP. To fix this as well, add the rule

iptables -t nat -A OUTPUT -p tcp --dst $INET_IP --dport 80 -j DNAT --to-destination $HTTP_IP

Now there should be no more problems reaching the web server.
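The complete rule set for the case worked through above, written for this edition as an added example; it is not the tutorial's own rc.firewall. It contains the three nat rules with -p tcp, plus the forwarding rules and the kernel setting that the walk-through takes for granted, and a source match on the LAN range so that only hairpin connections from the LAN are SNATed and Internet clients keep their real source address in the server's logs. The addresses and LAN_NET are assumptions, since the text above does not define them; the rules are printed by functions so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example, not the tutorial's own script: the DNAT/SNAT rules for an
# internal web server reachable from the Internet, from the LAN and from
# the firewall itself. All addresses below are assumptions for the example.
INET_IP=198.51.100.10        # public address held by the firewall
LAN_IP=192.168.1.1           # firewall's LAN address
LAN_NET=192.168.1.0/24       # LAN range (assumed; the text does not define it)
HTTP_IP=192.168.1.80         # internal web server
IPTABLES=${IPTABLES:-iptables}

# nat_rules: the three rules from the walk-through, one per line.
# -p tcp is required for --dport. The SNAT rule is limited to LAN sources:
# only replies to LAN clients must be forced back through the firewall.
nat_rules() {
  cat <<EOF
$IPTABLES -t nat -A PRE# (no-op placeholder removed)
EOF
}
```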


MASQUERADE target

Masquerading (MASQUERADE) is essentially the same as SNAT, except that it has no --to-source option. The reason is that masquerading is meant for dial-up or DHCP connections, i.e. situations where the interface gets its IP address dynamically. If you have a dynamic connection, use MASQUERADE; if you have a static IP address, SNAT is without doubt the better choice.

Masquerading takes the IP address from the outgoing network interface rather than from an explicit --to-source as SNAT does. MASQUERADE also has the useful property of forgetting its connections when the interface goes down. With SNAT, in the same situation, the entries for the lost connections remain in the connection tracking table and may linger there for up to a day, consuming memory. The forgetfulness makes sense because an interface with a dynamic address is likely to come back up with a different IP address, in which case the old connections are lost anyway and there is no point keeping their tracking entries.

As you can see, MASQUERADE can be used in place of SNAT even when you have a permanent IP address, but despite its good points it is not the preferred choice in that case, since it puts a somewhat higher load on the system.

MASQUERADE is valid only in the POSTROUTING chain of the nat table, just like SNAT. It has one option, described below, whose use is optional.

Table 23. Options for the MASQUERADE target

Option: --to-ports
Example: iptables -t nat -A POSTROUTING -p tcp -j MASQUERADE --to-ports 1024-31000
Description: --to-ports specifies the source port or range of source ports for the outgoing packets. You can give a single port, e.g. --to-ports 1025, or a range, e.g. --to-ports 1024-3000. The option is valid only in rules that match TCP or UDP explicitly with the --protocol option.

REDIRECT target

REDIRECT redirects packets and streams to another port on the same machine. For example, packets arriving at the HTTP port can be redirected to the port of an HTTP proxy. It does this by rewriting the destination address to the primary address of the interface the packet arrived on (127.0.0.1 for locally generated packets) and the destination port to the one you specify. REDIRECT is very convenient for transparent proxying, where the machines on the LAN need not even know that a proxy exists.

REDIRECT is valid only in the PREROUTING and OUTPUT chains of the nat table, and of course in chains called from those. It has a single option.

Table 24. Options for the REDIRECT target

Option: --to-ports
Example: iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
Description: --to-ports specifies the destination port or port range. Without --to-ports no port redirection takes place; the packet keeps the port it was sent to. In the example above, --to-ports 8080 names a single port; a range is written like --to-ports 8080-8090. The option is valid only in rules that match TCP or UDP explicitly with the --protocol option.

TTL target

TTL modifies the Time To Live field of the IP header. One use is to set the TTL of all outgoing packets to one and the same value. Why would you want that? Some ISPs dislike having one subscriber connection shared by several computers. Setting the same TTL on every outgoing packet deprives them of one of the indicators that the connection is being shared, since machines with different operating systems behind the NAT would otherwise leave different TTLs in their packets. A reasonable value is TTL = 64, which is the default for the Linux kernel.

For more on setting the kernel's default TTL, see ip-sysctl.txt, listed in the appendix Other resources and links.

TTL is valid only in the mangle table, nowhere else. It has three options, described below. Note that the outgoing interface is not yet known in PREROUTING, so -o cannot be used there: a rule that selects outgoing packets by interface belongs in POSTROUTING, as in the --ttl-set example, while the --ttl-inc trick against traceroute has to run in PREROUTING, before the forwarding code decrements the TTL and expires the packet.

Table 25. Options for the TTL target

Option: --ttl-set
Example: iptables -t mangle -A POSTROUTING -o eth0 -j TTL --ttl-set 64
Description: Sets the TTL field to the given value. A value around 64 is considered reasonable: not too high, not too low. Do not set it too high; that can hurt your network. Imagine a packet caught in a loop between two misconfigured routers: with a large TTL it circulates far longer, and a stream of such packets can eat a significant share of the link's bandwidth.
Option: --ttl-dec
Example: iptables -t mangle -A PREROUTING -i eth0 -j TTL --ttl-dec 1
Description: Decrements the TTL field by the given amount. For example, if an incoming packet has TTL 53 and we apply --ttl-dec 3, it leaves our host with TTL 49: the forwarding code decrements the TTL by 1 on its own, so the result is 53 - 3 - 1 = 49. If anyone can suggest a practically useful application of this option, please let me know!
Option: --ttl-inc
Example: iptables -t mangle -A PREROUTING -i eth0 -j TTL --ttl-inc 1
Description: Increments the TTL field by the given amount. Taking the previous example, a packet arriving with TTL 53 leaves with TTL 56 after --ttl-inc 4, again because the kernel's forwarding code subtracts 1: 53 + 4 - 1 = 56. Incrementing the TTL by one can be used to make the firewall invisible to traceroute, since the packet then leaves with the same TTL it arrived with and the firewall never appears as a hop. Programs of that kind are loved for the valuable information they give when troubleshooting a network and hated for the very same reason, since that information is just as useful to an attacker. An example of its use is in ttl-inc.txt.

ULOG target

ULOG logs packets to user space. It replaces the traditional LOG target, which relies on the system log. With ULOG the packet is passed over a netlink socket to a daemon that can do very detailed logging in various formats (plain text file, MySQL database and so on) and supports plugins for further output formats and protocol handling. The user-space part, ulogd, is available from the ULOGD project home page.

Table 26. Options for the ULOG target

Option: --ulog-nlgroup
Example: iptables -A INPUT -p tcp --dport 22 -j ULOG --ulog-nlgroup 2
Description: --ulog-nlgroup tells ULOG which netlink group to send the packet to. There are 32 groups (1 to 32); to send the packet to group 5, for example, write --ulog-nlgroup 5. The default is group 1.
Option: --ulog-prefix
Example: iptables -A INPUT -p tcp --dport 22 -j ULOG --ulog-prefix "SSH connection attempt: "
Description: --ulog-prefix has the same meaning as the corresponding option of the LOG target. The prefix may be up to 32 characters long.
Option: --ulog-cprange
Example: iptables -A INPUT -p tcp --dport 22 -j ULOG --ulog-cprange 100
Description: --ulog-cprange sets how many bytes of the packet are copied to the ULOG daemon. With 100, as in the example, only the first 100 bytes are passed on, i.e. the headers and part of the payload. With 0 the whole packet is copied regardless of its size. The default is 0.
Option: --ulog-qthreshold
Example: iptables -A INPUT -p tcp --dport 22 -j ULOG --ulog-qthreshold 10
Description: --ulog-qthreshold sets the size of the queue buffer in the kernel. With 10, as in the example, the kernel accumulates logged packets in an internal buffer and passes them to user space in batches of 10. The default is 1, for backward compatibility with early versions of ulogd that could not handle batches.


æÁÊÌ rc.firewall

÷ ÜÔÏÊ ÇÌÁ×Å ÍÙ ÒÁÓÓÍÏÔÒÉÍ ÎÁÓÔÒÏÊËÕ ÂÒÁÎÄÍÁÕÜÒÁ ÎÁ ÐÒÉÍÅÒÅ ÓÃÅÎÁÒÉÑ rc.firewall.txt. íÙ ÂÕÄÅÍ ÂÒÁÔØ ËÁÖÄÕÀ ÂÁÚÏ×ÕÀ ÎÁÓÔÒÏÊËÕ É ÒÁÓÓÍÁÔÒÉ×ÁÔØ ËÁË ÏÎÁ ÒÁÂÏÔÁÅÔ É ÞÔÏ ÄÅÌÁÅÔ. üÔÏ ÍÏÖÅÔ ÎÁÔÏÌËÎÕÔØ ×ÁÓ ÎÁ ÒÅÛÅÎÉÅ ×ÁÛÉÈ ÓÏÂÓÔ×ÅÎÎÙÈ ÚÁÄÁÞ. äÌÑ ÚÁÐÕÓËÁ ÜÔÏÇÏ ÓÃÅÎÁÒÉÑ ×ÁÍ ÐÏÔÒÅÂÕÅÔÓÑ ×ÎÅÓÔÉ × ÎÅÇÏ ÉÚÍÅÎÅÎÉÑ ÔÁËÉÍ ÏÂÒÁÚÏÍ, ÞÔÏÂÙ ÏÎ ÍÏÇ ÒÁÂÏÔÁÔØ Ó ×ÁÛÅÊ ËÏÎÆÉÇÕÒÁÃÉÅÊ ÓÅÔÉ, × ÂÏÌØÛÉÎÓÔ×Å ÓÌÕÞÁÅ× ÄÏÓÔÁÔÏÞÎÏ ÉÚÍÅÎÉÔØ ÔÏÌØËÏ ÐÅÒÅÍÅÎÎÙÅ.

Note

ðÒÉÍÅÞÁÔÅÌØÎÏ, ÞÔÏ ÅÓÔØ ÂÏÌÅÅ ÜÆÆÅËÔÉ×ÎÙÅ ÓÐÏÓÏÂÙ ÚÁÄÁÎÉÑ ÎÁÂÏÒÏ× ÐÒÁ×ÉÌ, ÏÄÎÁËÏ Ñ ÉÓÈÏÄÉÌ ÉÚ ÍÙÓÌÉ Ï ÂÏÌØÛÅÊ ÕÄÏÂÏÞÉÔÁÅÍÏÓÔÉ ÓÃÅÎÁÒÉÑ, ÔÁË, ÞÔÏÂÙ ËÁÖÄÙÊ ÓÍÏÇ ÐÏÎÑÔØ ÅÇÏ ÂÅÚ ÇÌÕÂÏËÉÈ ÐÏÚÎÁÎÉÊ ÏÂÏÌÏÞËÉ BASH.


ðÒÉÍÅÒ rc.firewall

éÔÁË, ×ÓÅ ÇÏÔÏ×Ï ÄÌÑ ÒÁÚÂÏÒÁ ÆÁÊÌÁ ÐÒÉÍÅÒÁ rc.firewall.txt (ÓÃÅÎÁÒÉÊ ×ËÌÀÞÅÎ × ÓÏÓÔÁ× ÄÁÎÎÏÇÏ ÄÏËÕÍÅÎÔÁ × ÐÒÉÌÏÖÅÎÉÉ ðÒÉÍÅÒÙ ÓÃÅÎÁÒÉÅ×). ïÎ ÄÏÓÔÁÔÏÞÎÏ ×ÅÌÉË, ÎÏ ÔÏÌØËÏ ÉÚ-ÚÁ ÂÏÌØÛÏÇÏ ËÏÌÉÞÅÓÔ×Á ËÏÍÍÅÎÔÁÒÉÅ×. óÅÊÞÁÓ Ñ ÐÒÅÄÌÁÇÁÀ ×ÁÍ ÐÒÏÓÍÏÔÒÅÔØ ÜÔÏÔ ÆÁÊÌ, ÞÔÏÂÙ ÐÏÌÕÞÉÔØ ÐÒÅÄÓÔÁ×ÌÅÎÉÅ Ï ÅÇÏ ÓÏÄÅÒÖÉÍÏÍ É ÚÁÔÅÍ ×ÅÒÎÕÔØÓÑ ÓÀÄÁ ÚÁ ÂÏÌÅÅ ÐÏÄÒÏÂÎÙÍÉ ÐÏÑÓÎÅÎÉÑÍÉ.


Description of the rc.firewall script

Configuration

The first part of rc.firewall.txt is the configuration section. It holds the basic firewall settings that depend on your network configuration; the IP addresses in particular must certainly be changed to your own. The $INET_IP variable must hold your real Internet address; if you get your address through DHCP, look at the rc.DHCP.firewall.txt script instead. Likewise $INET_IFACE must name the device through which you connect to the Internet, for example eth0, eth1, ppp0, tr0 and so on.

This script contains no DHCP- or PPPoE-specific settings, so those sections are left empty, and the same goes for the other "empty" sections. This is deliberate, so that the differences between the scripts stand out more clearly. If you need to fill those sections in, take the contents from one of the other scripts or write your own.

The Local Area Network section must match the configuration of your LAN: the firewall's LAN IP address, the interface connected to the LAN, the netmask and the broadcast address.

Next comes the Localhost Configuration section, which you will hardly ever need to change: it names the loopback interface lo and the loopback address 127.0.0.1. It is followed by the Iptables Configuration section, which sets the $IPTABLES variable to the path of the iptables binary. The script uses /usr/local/sbin/iptables, which is where iptables installs itself when built from source; distribution packages usually put the binary elsewhere, most often /usr/sbin/iptables, so check with which iptables and adjust the variable, otherwise every rule in the script fails.


Loading additional modules

First /sbin/depmod -a is run to recompute the module dependency list, and then the modules the script needs are loaded. Load only the modules your script actually needs. Suppose, for whatever reason, that support for the LOG, REJECT and MASQUERADE targets was built as loadable modules and we are about to write rules that use those targets; then the corresponding modules must be loaded with the following commands (modprobe resolves dependencies such as ip_tables for you, which plain insmod does not):

/sbin/insmod ipt_LOG

/sbin/insmod ipt_REJECT

/sbin/insmod ipt_MASQUERADE

Caution

In my scripts I load every needed module explicitly, to be on the safe side. If loading a module fails there can be many reasons, but the usual one is that the feature was compiled statically into the kernel rather than as a module. See the section Problems loading modules for more information.

The next section lists a number of modules that this script does not use but that are included as examples. The ipt_owner module, for instance, can be used to let only certain local users open connections from the firewall machine itself, which adds a further layer of security. For the ipt_owner criteria see the Owner match in the chapter How a rule is built.

We can also load additional modules for state matching. All of them are named ip_conntrack_* and ip_nat_*, and they do connection tracking for specific protocols. FTP, for example, is a complex protocol by definition: it carries connection information (an address and a port) inside the packet payload. When a host on the LAN opens a connection to an FTP server on the Internet through a firewall that does address translation, the address inside the payload is the host's private one. Private addresses are considered bogus on the Internet, so the server does not know what to do with the request and the data connection fails. The FTP NAT helper rewrites that embedded address as well, so the server sees a request coming from our public address and can connect. The same applies to DCC file transfers and chats: a DCC session is set up by sending an IP address and port over IRC, which also passes through the NAT firewall. Without the helper modules FTP and IRC work only partially; for instance you can receive files over DCC but not send them, because of how DCC starts a connection. You tell the receiving side that you want to send a file and where it should connect; without the DCC helper that address is your private one, so the outside receiver tries to connect to a host inside our LAN and the connection fails. With the helper everything works, because the receiver is given a correct, translated address to connect to.

For more on the conntrack and nat modules see the appendix Common problems and questions, and do not forget the documentation shipped with the iptables package. Some of these extra helpers require patch-o-matic and a kernel rebuild, as explained above in the Preparations chapter.

Note

Note that ip_nat_irc and ip_nat_ftp are only needed if the firewall does network address translation and you want FTP and IRC to work correctly through it. The tracking half, ip_conntrack_ftp and ip_conntrack_irc, must be loaded before the NAT modules, because the NAT helpers depend on them. On current kernels the same helpers are called nf_conntrack_ftp, nf_nat_ftp, nf_conntrack_irc and nf_nat_irc, and since kernel 4.7 they are no longer attached to connections automatically: you assign them explicitly with a rule such as iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp.
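As an added example (not the tutorial's own script), here is a small module loader that does what the text asks for: it distinguishes required modules from optional ones, fails hard only on the former, and loads each conntrack helper before the NAT helper that depends on it. It uses modprobe rather than insmod because modprobe resolves dependencies. The module list, the `load` argument and the MODULES_FILE override are assumptions of the example; the module names are the 2.4-era ones used on this page.

```bash
#!/bin/sh
# Added example, not the tutorial's own script: load the netfilter modules a
# ruleset depends on, failing hard on required ones, only warning on optional
# ones, and loading each conntrack helper before the NAT helper that needs it.
# Module names are the 2.4-era ones used on this page; on current kernels the
# helpers are nf_conntrack_ftp, nf_nat_ftp, nf_conntrack_irc and nf_nat_irc.
# MODULES_FILE may point at a saved copy of /proc/modules for testing.
MODULES_FILE="${MODULES_FILE:-/proc/modules}"

module_loaded() {
    # /proc/modules has one module per line, its name in the first field
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' "$MODULES_FILE"
}

load_module() {  # load_module <name> required|optional
    if module_loaded "$1"; then
        echo "already loaded: $1"
        return 0
    fi
    # modprobe resolves dependencies (ipt_LOG needs ip_tables); plain insmod does not
    if modprobe "$1" 2>/dev/null; then
        echo "loaded: $1"
    elif [ "$2" = required ]; then
        echo "FATAL: required module $1 did not load (missing, or built into the kernel?)" >&2
        return 1
    else
        echo "warning: optional module $1 not available, continuing without it" >&2
    fi
}

load_all() {
    # Targets and matches that every rule in the script relies on
    for m in ip_tables ip_conntrack ipt_LOG ipt_REJECT ipt_MASQUERADE ipt_state ipt_limit; do
        load_module "$m" required || return 1
    done
    # Protocol helpers: the conntrack half must be in place before the NAT half
    for proto in ftp irc; do
        load_module "ip_conntrack_$proto" optional
        load_module "ip_nat_$proto" optional
    done
}

# Run as root with "load" to actually load the modules
if [ "${1:-}" = load ]; then load_all; fi
```

A module that is compiled into the kernel never shows up in /proc/modules and, on old kernels, makes modprobe fail, which is exactly the case the Caution above describes; marking such a feature as optional in the list keeps the script running.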


/proc set up

Here we switch on IP forwarding by writing a one to /proc/sys/net/ipv4/ip_forward, like this:

echo "1" > /proc/sys/net/ipv4/ip_forward

Caution

It is worth thinking about where and when to switch IP forwarding on. In this and the other scripts in this tutorial it is switched on before any iptables rules are created. Between that moment and the moment the rules are in place anything from a few milliseconds to minutes may pass, depending on how much work the script does and how fast the machine is. During that window the FORWARD chain still has the kernel's default ACCEPT policy, so the box forwards unfiltered traffic and an attacker may get through the firewall. In a real deployment, therefore, enable forwarding only after the whole ruleset has been loaded. I put it at the beginning here purely for readability.

If you need dynamic IP support (when using SLIP, PPP or DHCP), you can uncomment the line:

echo "1" > /proc/sys/net/ipv4/ip_dynaddr

For any other option you want to enable, consult the documentation for that option. A good, concise description of the /proc filesystem ships with the kernel sources; links to other documents are in the appendix Other resources and links.

Note

The rc.firewall.txt script, like every other script in this tutorial, contains a small section of non-required /proc settings. However attractive those options look, do not enable them until you are sure you understand what they do.


Placing rules in other chains

This section is about user-defined chains, specifically those defined in the rc.firewall.txt script. My way of splitting rules into extra chains may not suit every case; I hope to point out the possible pitfalls. The section overlaps heavily with the chapter Traversing of tables and chains, and it is well worth skimming that chapter again.

By distributing the ruleset over user-defined chains I saved CPU time without losing either security or readability. Instead of sending every TCP packet through the whole ruleset, including the ICMP and UDP rules, I pick out the TCP packets and send them through a chain meant only for TCP, which lowers the load on the system. The following picture sketches how packets travel through netfilter; it is somewhat simplified compared with the diagram in the chapter Traversing of tables and chains.

The picture's main purpose is to refresh our memory. In general, this example script assumes one local network, one firewall and a single Internet connection with a static IP address (as opposed to PPP, SLIP, DHCP and the like). It also assumes that Internet access goes through the firewall, that we fully trust our LAN and therefore do not block traffic originating from it, and that the Internet cannot be trusted, so access to our LAN from outside must be restricted. We follow the principle "whatever is not explicitly allowed is denied", and to enforce it we set the default policy to DROP, which cuts off every connection that is not explicitly permitted.

Now let us look at what we need to do and how.

First, we allow connections from the LAN to the Internet. That requires network address translation (NAT), which is done in the PREROUTING chain (I believe this is simply a slip on the author's part, since the script fills the POSTROUTING chain, and we already know that SNAT is done in the POSTROUTING chain of the nat table. Translator's note), the last chain filled in our script. Some filtering in the FORWARD chain is also implied: fully trusting our LAN and letting all of its traffic out to the Internet does not mean trusting the Internet, so access to our machines from outside must be restricted. In our case we let packets into the LAN only if they belong to an already established connection, or open a new connection within the scope of an existing one (ESTABLISHED and RELATED).

As for the firewall machine itself, the services exposed to the Internet should be kept to a minimum, so we allow only HTTP, FTP, SSH and IDENTD access to the firewall. These protocols are accepted in the INPUT chain, and accordingly the "reply" traffic must be allowed in the OUTPUT chain. Since we assume a trust relationship with the LAN, we add rules for the LAN address range, and also for the loopback interface and the loopback address (127.0.0.1). As mentioned earlier, a number of address ranges are reserved for private networks; they are considered bogus on the Internet and as a rule are not routed there, so we also refuse any traffic from the Internet whose source address belongs to those ranges. Finally, read the chapter Common problems and questions.

Since we run an FTP server, the rules serving connections to that server would ideally go at the top of the INPUT chain, to reduce the load on the system. In general, the fewer rules a packet has to traverse, the less CPU time it costs and the lower the load on the system. That is why I split the ruleset into additional chains.

In our example I grouped packets by the protocol they belong to. Each protocol type gets its own chain of rules, for example tcp_packets, which holds the rules for checking every allowed TCP port and protocol. A further chain can be created to apply additional checks to packets that have passed through one chain; in our case that is the allowed chain, which examines a few more properties of a TCP packet before the final decision to accept it. ICMP packets go through the icmp_packets chain, where we simply accept all ICMP packets of the listed message types. Finally UDP packets go through the udp_packets chain, which handles incoming UDP packets and accepts them without further checks if they belong to an allowed service.

Because we are looking at a fairly small network, the firewall also serves as a workstation, so we also make connections to the Internet possible from the firewall itself.

Finally the OUTPUT chain. We impose no user-specific restrictions, but we do not want anyone to use our firewall to send "spoofed" packets, so we set rules that allow only packets whose source is our LAN address, our loopback address (127.0.0.1) or our Internet address. Packets from those addresses pass the OUTPUT chain; everything else (most likely spoofed) is cut off by the DROP default policy.


Setting up default policies

Before building the ruleset we must decide on the default policies of the chains. A default policy is set with a command like the one below:

iptables -P <chain name> <policy>

The default policy is the action applied to a packet that matched none of the rules in the chain. (A small clarification: the iptables -P command applies ONLY to the BUILT-IN chains, that is INPUT, FORWARD, OUTPUT and so on, and not to user-defined chains. Translator's note.) A user-defined chain has no policy of its own; a packet that reaches its end simply returns to the chain that called it.

Caution

Be extremely careful about setting default policies on chains in tables that are not meant for filtering, as this can lead to rather strange results. A DROP policy on a nat chain, for instance, silently kills every new connection, since the first packet of each connection is exactly what traverses that table.


Setting up user specified chains

By now you surely have a picture of how packets travel through the various chains and how those chains interact, and a clear idea of the goals and purpose of this script. Let us start creating the chains and their rulesets.

First of all the additional chains are created with the -N command; a freshly created chain contains no rules yet. Our example creates the chains icmp_packets, tcp_packets and udp_packets, and the allowed chain, which is called from tcp_packets. Incoming ICMP packets on $INET_IFACE (eth0 in the example, that is the Internet side) are sent to icmp_packets, TCP packets to tcp_packets and UDP packets to udp_packets.


The bad_tcp_packets chain

This chain filters out packets with "bad" headers and takes care of a few other problems. It drops every packet that connection tracking sees as NEW but that is not a SYN packet, which helps against certain intrusion attempts and port scans. A rule dropping packets in the INVALID state has been added here as well.


The allowed chain

A TCP packet arriving on $INET_IFACE enters the tcp_packets chain; if it is addressed to an allowed port, it is then passed on for the additional checks.

The first rule checks whether the packet is a SYN packet, that is a connection request; such packets are considered legitimate and accepted. The next rule accepts all packets in the ESTABLISHED or RELATED state: once a connection opened with a SYN packet has received a positive reply, it is ESTABLISHED. The last rule in the chain drops every other TCP packet: packets that belong to no existing connection, and packets without the SYN bit that try to start one. Non-SYN packets are practically never used to open a connection except in port scans. As far as I know no TCP/IP implementation today opens a connection other than by sending a SYN packet, so one can be 99% sure that what this rule drops was sent by a port scanner.


The TCP chain

Now we come to the TCP connections. Here we specify which ports may be reached from the Internet. Even a packet that passes the check here is still handed to the allowed chain for the additional checks.

I have opened TCP port 21, the FTP control port, and by allowing all RELATED connections I also allow passive FTP, provided the ip_conntrack_ftp module is loaded. If you want to forbid FTP connections, unload ip_conntrack_ftp and remove the line $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed from rc.firewall.txt.

Port 22 is SSH, which is far safer than telnet on port 23. If you ever decide to give someone from the Internet shell access, SSH is certainly the better choice. That said, it is generally considered bad practice to give anyone but yourself access to the firewall. Your firewall should run only the services it really needs and nothing more.

Port 80 is HTTP, in other words a web server; remove this rule if you do not run one.

é ÎÁËÏÎÅà ÐÏÒÔ 113, ÏÔ×ÅÔÓÔ×ÅÎÎÙÊ ÚÁ ÓÌÕÖÂÕ IDENTD É ÉÓÐÏÌØÚÕÀÝÉÊÓÑ ÎÅËÏÔÏÒÙÍÉ ÐÒÏÔÏËÏÌÁÍÉ ÔÉÐÁ IRC, É ÐÒ.


The UDP chain

UDP packets go from the INPUT chain to the udp_packets chain, where, as with TCP, they are checked by destination port. Note that we do not check the source port; the state machine takes care of that. Only the ports served by daemons on the firewall itself are opened. Packets arriving on connections that were already opened from inside are accepted automatically, since they are in the ESTABLISHED or RELATED state.

As you can see in the script, UDP port 53, where DNS lives, is closed: the rule opening port 53 is present but commented out. If you want to run a DNS server on the firewall, uncomment that rule.

I personally allow port 123, used by NTP (the network time protocol), which fetches accurate time from time servers on the Internet. You most likely do not use it, so that rule is commented out in the script as well.

Port 2074 is used by some multimedia applications, such as Speak Freely, for real-time voice.

é ÎÁËÏÎÅà - ICQ, ÎÁ ÐÏÒÔÕ 4000. üÔÏ ÛÉÒÏËÏ ÉÚ×ÅÓÔÎÙÊ ÐÒÏÔÏËÏÌ, ÉÓÐÏÌØÚÕÅÍÙÊ ICQ-ÐÒÉÌÏÖÅÎÉÑÍÉ ñ ÐÏÌÁÇÁÀ ÎÅ ÓÌÅÄÕÅÔ ÏÂßÑÓÎÑÔØ ×ÁÍ ÞÔÏ ÜÔÏ ÔÁËÏÅ.

The script contains two more rules, commented out by default, that can be used if the firewall is under heavy load. The first drops broadcast packets to ports 135 through 139, which are used by Microsoft's SMB and NetBIOS protocols; it keeps the connection tracking table from filling up with useless entries on Microsoft networks. The second drops DHCP requests from outside, which makes sense when the outside network has unswitched segments where clients get their addresses dynamically. Both rules also keep the logs from bloating, since everything that is not explicitly accepted or rejected is logged by the last rule in the INPUT chain.


The ICMP chain

Here we decide which ICMP packets to accept. A packet arriving on eth0 in the INPUT chain is sent on to the icmp_packets chain, which checks the ICMP message type. Only ICMP Echo Request, TTL equals 0 during transit and TTL equals 0 during reassembly are accepted. The remaining ICMP types are not listed here because, when legitimate, almost all of them are answers to our own traffic and therefore arrive in the RELATED state, where the state rules accept them.

Note: an ICMP packet that arrives in reply to something we sent gets the RELATED state (related to an existing connection). Packet states are covered in detail in the chapter The state machine.

My reasoning is as follows. ICMP Echo Request packets are sent mainly to check whether a host is reachable. If this rule were removed, the firewall would not answer Echo Requests, which would make ping and similar tools useless against it.

Time Exceeded (that is, TTL equals 0 during transit and TTL equals 0 during reassembly): as a packet travels through the network, every router decrements the TTL field in its header by one; as soon as the TTL reaches zero the router sends back a Time Exceeded message. traceroute relies on this: it sends a packet with TTL 1, the first router expires it and we receive Time Exceeded; then TTL 2, and the second router reports Time Exceeded; and so on until the destination itself answers.

See the appendix ICMP types for the list of ICMP message types. More information on ICMP is available in the following documents:

Note: be careful when blocking ICMP packets. I may be wrong in blocking some of them, and that may be unacceptable in your situation.

INPUT chain

The INPUT chain, as I said, delegates most of the work to other chains, which lowers the load on the packet filter. The effect of organising the rules this way is most visible on slow machines, which otherwise start dropping packets under heavy load. It is achieved by splitting the ruleset by some criterion into separate chains, so that each packet traverses fewer rules.

The very first rule tries to drop the "bad" packets; see the appendix on packets in the NEW state with the SYN bit unset for more on this. In a few special situations such packets may be legitimate, but in 99% of cases it is better to stop them, so they are logged and dropped.

Next comes a whole group of rules that accepts all traffic from the trusted side: the interface connected to the LAN and the loopback interface (lo), with source addresses belonging to our LAN (including our real Internet address). This group comes first for the simple reason that the LAN generates far more traffic than the Internet does. When building your own rulesets, always take the traffic volume into account and put the rules that will handle the most traffic first.

After that the traffic from the Internet is examined. Every packet arriving in the INPUT chain from $INET_IFACE is sent to a sub-chain according to its protocol: TCP packets to tcp_packets, UDP packets to udp_packets and ICMP to icmp_packets. As a rule TCP makes up most of the traffic, then UDP, with the smallest share going to ICMP, but in your particular case that assumption may not hold. Accounting for the volume of traffic passing through the ruleset is an absolute necessity: with a badly ordered ruleset even a Pentium III or better with a 100 Mbit network card and a large volume of traffic can be brought to its knees by a fairly small number of rules.

Next comes a rather specific rule (commented out by default). Microsoft Network clients have the bad habit of emitting huge numbers of multicast packets to the 224.0.0.0/8 range, so this rule can be used to keep them out of the logs when there is a Microsoft network on the outside.

The last rule, before the default policy is applied to everything the INPUT chain did not explicitly accept, logs the traffic in case the cause of a problem has to be found. The rule is rate-limited to no more than 3 packets per minute, so that the log does not bloat.

Everything that was not explicitly accepted in the INPUT chain is dropped, since DROP is the default policy.
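As an added example, here is my reconstruction of the filter-table part described from Setting up default policies onwards: the default policies on the built-in chains only, the user chains bad_tcp_packets, allowed, tcp_packets, udp_packets and icmp_packets, and the INPUT chain that wires them together. It is built from the description above, not copied from the tutorial's own rc.firewall.txt, which also contains rules not discussed here. The interface names, the RFC 5737 address 198.51.100.10 and the 192.168.0.0/24 LAN are assumptions. Without arguments the script only prints the iptables commands, so the ruleset can be reviewed; `apply` runs them, which needs root.

```bash
#!/bin/sh
# Added example, not the tutorial's own rc.firewall.txt: a reconstruction of the
# filter-table part described above (policies, user chains, INPUT). Without
# arguments it only prints the iptables commands; "apply" runs them (as root).
# Interface names and addresses are assumptions; change them to your network.
INET_IFACE=eth0
INET_IP=198.51.100.10        # assumed static address (RFC 5737 documentation range)
LAN_IFACE=eth1
LAN_IP=192.168.0.2
LAN_IP_RANGE=192.168.0.0/24
LO_IFACE=lo
LO_IP=127.0.0.1
IPTABLES="${IPTABLES:-/usr/sbin/iptables}"

DRY_RUN=1; [ "${1:-}" = apply ] && DRY_RUN=0
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }
ipt() { run "$IPTABLES" "$@"; }

set_policies() {
    # -P only exists for built-in chains; the nat and mangle tables keep ACCEPT
    for chain in INPUT OUTPUT FORWARD; do ipt -P "$chain" DROP; done
}

create_chains() {
    for c in bad_tcp_packets allowed tcp_packets udp_packets icmp_packets; do ipt -N "$c"; done
}

bad_tcp_packets_chain() {
    # NEW without SYN (port scans, stale flows): log a little, then drop; INVALID: drop
    ipt -A bad_tcp_packets -p tcp ! --syn -m state --state NEW \
        -m limit --limit 3/minute -j LOG --log-prefix "IPT new not syn: "
    ipt -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
    ipt -A bad_tcp_packets -m state --state INVALID -j DROP
}

allowed_chain() {
    # Reached only for destination ports opened in tcp_packets
    ipt -A allowed -p tcp --syn -j ACCEPT
    ipt -A allowed -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A allowed -p tcp -j DROP
}

tcp_packets_chain() {
    # 21 FTP control, 22 SSH, 80 HTTP, 113 identd: only what the firewall itself serves
    for port in 21 22 80 113; do
        ipt -A tcp_packets -p tcp -s 0/0 --dport "$port" -j allowed
    done
}

udp_packets_chain() {
    # 2074 Speak Freely, 4000 ICQ; 53 (DNS) and 123 (NTP) stay closed as in the text.
    # The optional broadcast and DHCP drops mentioned in the text would go here too.
    for port in 2074 4000; do
        ipt -A udp_packets -p udp -s 0/0 --dport "$port" -j ACCEPT
    done
}

icmp_packets_chain() {
    # Echo request (8) and Time Exceeded (11); other ICMP types arrive as RELATED
    ipt -A icmp_packets -p icmp -s 0/0 --icmp-type 8 -j ACCEPT
    ipt -A icmp_packets -p icmp -s 0/0 --icmp-type 11 -j ACCEPT
}

input_chain() {
    ipt -A INPUT -p tcp -j bad_tcp_packets
    # Trusted side first: it carries most of the traffic
    ipt -A INPUT -p all -i "$LAN_IFACE" -s "$LAN_IP_RANGE" -j ACCEPT
    ipt -A INPUT -p all -i "$LO_IFACE" -s "$LO_IP" -j ACCEPT
    ipt -A INPUT -p all -i "$LO_IFACE" -s "$LAN_IP" -j ACCEPT
    ipt -A INPUT -p all -i "$LO_IFACE" -s "$INET_IP" -j ACCEPT
    # Internet side: dispatch by protocol, TCP (the bulk) first
    ipt -A INPUT -p tcp -i "$INET_IFACE" -j tcp_packets
    ipt -A INPUT -p udp -i "$INET_IFACE" -j udp_packets
    ipt -A INPUT -p icmp -i "$INET_IFACE" -j icmp_packets
    # Replies to connections the firewall itself opened
    ipt -A INPUT -p all -d "$INET_IP" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Optional: silence Microsoft Network multicast chatter before the log rule
    # ipt -A INPUT -i "$INET_IFACE" -d 224.0.0.0/8 -j DROP
    ipt -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
        --log-level DEBUG --log-prefix "IPT INPUT packet died: "
}

filter_table() {
    set_policies; create_chains; bad_tcp_packets_chain; allowed_chain
    tcp_packets_chain; udp_packets_chain; icmp_packets_chain; input_chain
}
filter_table
```

The dry run is the review step a practitioner wants before touching a remote box: the printed commands can be checked for the order the text insists on (bad_tcp_packets first, the trusted side next, the Internet side last) without locking yourself out. On current iptables the -m state match still works as an alias for -m conntrack --ctstate.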


OUTPUT chain

As I mentioned earlier, in my case the computer is both a firewall and a workstation, so I let everything leave the host that has $LOCALHOST_IP, $LAN_IP or $STATIC_IP as its source address. This guards against traffic that a not-so-nice person on my machine might spoof. On top of that I log the dropped packets, for debugging or for spotting spoofed packets. Every packet that matched none of the rules gets the default policy, DROP.


FORWARD chain

The FORWARD chain contains very few rules.

The first rule sends all TCP packets to the bad_tcp_packets chain for checking, the same chain used in INPUT. bad_tcp_packets is written so that it can be called from any chain, regardless of where the packet is going. After that check we accept, as usual, everything coming from the LAN without restriction.

Naturally the reply packets must be let back into the LAN, so the next rule accepts everything in the ESTABLISHED or RELATED state, that is packets belonging to connections opened FROM the LAN. Before the default policy drops all remaining packets, we log them, limited to 3 entries per minute.


PREROUTING chain of the nat table

In this script the chain has no rules at all, and the only reason I describe it here is to repeat that this is where destination address translation (DNAT) is done, before packets reach the INPUT or FORWARD chain. Once more: this chain is not meant for filtering of any kind, only for address translation, because only the first packet of each connection traverses it.


Starting the Network Address Translation

And the final section, at least for me: setting up SNAT. First we add a rule to the POSTROUTING chain of the nat table that rewrites the source address of every packet leaving through the interface connected to the Internet. The script defines a number of variables that configure it and, at the same time, make it more readable. The -t option names the table, here nat. The -A command appends (Add) the new rule to the POSTROUTING chain, the -o $INET_IFACE criterion matches the outgoing interface, and at the end of the rule we set the target, SNAT. Every packet matching the criterion is thus "masqueraded", that is it looks as if it had been sent from our host. Do not forget the --to-source option with the IP address to use for the outgoing packets.

In this script I use SNAT instead of MASQUERADE for two reasons. First, the script is meant to run on a host with a static IP address. Second, SNAT is faster and more efficient. If you do not have a static address you should of course use the MASQUERADE target, which offers a simpler way of translating addresses because it finds the address assigned to the given interface by itself; compared with SNAT it costs somewhat more processing, though not much. For an example of MASQUERADE see the rc.DHCP.firewall.txt script.
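As an added example (not the tutorial's own script), here are the OUTPUT, FORWARD and nat POSTROUTING parts described above, written so that IP forwarding is switched off while the rules are loaded and switched on only as the very last step, which is what the Caution in the /proc section recommends for real deployments. The interface names and the RFC 5737 address 198.51.100.10 are assumptions, as is the HAVE_STATIC_IP switch that selects SNAT or MASQUERADE; the bad_tcp_packets chain and the DROP policies are assumed to have been set up already by the filter-table part of the script, as the text describes. Without arguments the script prints the commands; `apply` runs them as root.

```bash
#!/bin/sh
# Added example, not the tutorial's own script: the OUTPUT, FORWARD and nat
# POSTROUTING parts described above, with IP forwarding enabled only after the
# rules are in place. Without arguments it prints the commands; "apply" runs them.
# Interface names and addresses are assumptions. The bad_tcp_packets chain and
# the DROP policies are assumed to exist already (the filter-table part sets them).
INET_IFACE=eth0
INET_IP=198.51.100.10       # assumed static address
LAN_IFACE=eth1
LAN_IP=192.168.0.2
LO_IP=127.0.0.1
IPTABLES="${IPTABLES:-/usr/sbin/iptables}"
HAVE_STATIC_IP=1            # set to 0 on a PPP/DHCP link to use MASQUERADE instead

DRY_RUN=1; [ "${1:-}" = apply ] && DRY_RUN=0
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }
ipt() { run "$IPTABLES" "$@"; }

output_chain() {
    # Anti-spoofing: only the firewall's own addresses may be the source of what leaves
    ipt -A OUTPUT -p all -s "$LO_IP" -j ACCEPT
    ipt -A OUTPUT -p all -s "$LAN_IP" -j ACCEPT
    ipt -A OUTPUT -p all -s "$INET_IP" -j ACCEPT
    ipt -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
        --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "
}

forward_chain() {
    ipt -A FORWARD -p tcp -j bad_tcp_packets
    # Everything from the trusted LAN may go out; only replies may come back in
    ipt -A FORWARD -i "$LAN_IFACE" -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
        --log-level DEBUG --log-prefix "IPT FORWARD packet died: "
}

nat_postrouting() {
    if [ "$HAVE_STATIC_IP" = 1 ]; then
        # SNAT: cheaper, but the address must be given explicitly
        ipt -t nat -A POSTROUTING -o "$INET_IFACE" -j SNAT --to-source "$INET_IP"
    else
        # MASQUERADE: reads the interface address itself and forgets its tracked
        # connections when the interface goes down, which a dynamic link needs
        ipt -t nat -A POSTROUTING -o "$INET_IFACE" -j MASQUERADE
    fi
}

main() {
    # Forwarding stays off while the ruleset is built, so nothing is routed
    # between the interfaces before the FORWARD rules exist
    run sysctl -w net.ipv4.ip_forward=0
    output_chain
    forward_chain
    nat_postrouting
    # Only now let the kernel route between the interfaces
    run sysctl -w net.ipv4.ip_forward=1
}
main
```

The sysctl calls are equivalent to the echo into /proc/sys/net/ipv4/ip_forward used in the script; going through the run wrapper lets the dry run show exactly where in the sequence forwarding is enabled.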


Example scripts

The aim of this chapter is to give a brief description of each script in this tutorial. The scripts are not perfect and may not fully match your needs, which means you will have to adapt them yourself. The rest of the tutorial is meant to make that adaptation easier.


rc.firewall.txt script structure

All scripts described in this tutorial share a certain structure. This is so that they resemble each other as closely as possible, which makes the differences between them easy to find. The structure is described fairly well in this chapter, where I hope to explain why all the scripts were written the way they are and why I chose this particular structure.

Note: this structure may be far from optimal for your own scripts. It was chosen only to explain my line of thought more clearly.


Structure

This is the structure that all scripts in this tutorial follow. If you find one that does not, it is most likely my mistake, unless of course I explained why I departed from the structure.

  1. Configuration - First of all we set the configuration parameters for the script. In most cases the configuration parameters should come first in any script.

    1. Internet - The configuration section describing the Internet connection. It can be omitted if you are not connected to the Internet. Note that there may be more subsections than are listed here, but only ones that describe our Internet connection.

      1. DHCP - Any DHCP-specific settings go here.

      2. PPPoE - The settings for a PPPoE connection are described here.

    2. LAN - If there is any LOCAL NETWORK behind the firewall, its parameters go here. This section will most likely be present almost always.

    3. DMZ - The configuration of the DMZ zone is added here. Most scripts will not have this section, since a normal home network or small LAN has no DMZ. (DMZ - de-militarized zone. Most likely the author means by this a small subnet that holds only servers, for example DNS, MAIL, WEB and so on, and not a single user machine. Translator's note.)

    4. Localhost - These parameters belong to the firewall itself (localhost). In your case these variables are unlikely to change, but I created them nonetheless; hopefully you will have no reason to change them.

    5. iptables - This section holds the information about iptables. In most scripts a single variable with the path to the iptables binary is enough.

    6. Other - Any other settings that belong to none of the sections above go here.

  2. Module loading - This section of the scripts holds the list of modules. The first part should list the required modules, while the second part should list the non-required ones.

    Note

    Note that some modules providing extra features may be listed even though they are not required. Usually the example script points this out.

    1. Required modules - This section should contain the modules the script needs in order to work.

    2. Non-required modules - This section contains modules that are not needed for the script to work normally. All of them should be commented out; if you need them, simply uncomment them.

  3. proc configuration - üÔÏÔ ÒÁÚÄÅÌ ÏÔ×ÅÞÁÅÔ ÚÁ ÎÁÓÔÒÏÊËÕ ÆÁÊÌÏ×ÏÊ ÓÉÓÔÅÍÙ /proc. åÓÌÉ ÜÔÉ ÐÁÒÁÍÅÔÒÙ ÎÅÏÂÈÏÄÉÍÙ - ÏÎÉ ÂÕÄÕÔ ÐÅÒÅÞÉÓÌÅÎÙ, ÅÓÌÉ ÎÅÔ, ÔÏ ÏÎÉ ÄÏÌÖÎÙ ÂÙÔØ ÚÁËÏÍÍÅÎÔÉÒÏ×ÁÎÙ ÐÏ-ÕÍÏÌÞÁÎÉÀ, É ÕËÁÚÁÎÙ ËÁË ÎÅ-ÔÒÅÂÕÅÍÙÅ. âÏÌØÛÉÎÓÔ×Ï ÐÏÌÅÚÎÙÈ ÎÁÓÔÒÏÅË /proc ÂÕÄÕÔ ÐÅÒÅÞÉÓÌÅÎÙ × ÐÒÉÍÅÒÁÈ, ÎÏ ÄÁÌÅËÏ ÎÅ ×ÓÅ.

    1. Required proc configuration - üÔÏÔ ÒÁÚÄÅÌ ÄÏÌÖÅÎ ÓÏÄÅÒÖÁÔØ ×ÓÅ ÔÒÅÂÕÅÍÙÅ ÓÃÅÎÁÒÉÅÍ ÎÁÓÔÒÏÊËÁ ÄÌÑ /proc. üÔÏ ÍÏÇÕÔ ÂÙÔØ ÎÁÓÔÒÏÊËÉ ÄÌÑ ÚÁÐÕÓËÁ ÓÉÓÔÅÍÙ ÚÁÝÉÔÙ, ×ÏÚÍÏÖÎÏ, ÄÏÂÁ×ÌÑÀÔ ÓÐÅÃÉÁÌØÎÙÅ ×ÏÚÍÏÖÎÏÓÔÉ ÄÌÑ ÁÄÍÉÎÉÓÔÒÁÔÏÒÁ ÉÌÉ ÐÏÌØÚÏ×ÁÔÅÌÅÊ.

    2. Non-required proc configuration - üÔÏÔ ÒÁÚÄÅÌ ÄÏÌÖÅÎ ÓÏÄÅÒÖÁÔØ ÎÅ-ÔÒÅÂÕÅÍÙÅ ÎÁÓÔÒÏÊËÉ /proc, ËÏÔÏÒÙÅ ÍÏÇÕÔ ÏËÁÚÁÔØÓÑ ÐÏÌÅÚÎÙÍÉ × ÂÕÄÕÝÅÍ. ÷ÓÅ ÏÎÉ ÄÏÌÖÎÙ ÂÙÔØ ÚÁËÏÍÍÅÎÔÉÒÏ×ÁÎÙ, ÔÁË ËÁË ÏÎÉ ÆÁËÔÉÞÅÓËÉ ÎÅ ÔÒÅÂÕÀÔÓÑ ÄÌÑ ÒÁÂÏÔÙ ÓÃÅÎÁÒÉÑ. üÔÏÔ ÓÐÉÓÏË ÂÕÄÅÔ ÓÏÄÅÒÖÁÔØ ÄÁÌÅËÏ ÎÅ ×ÓÅ ÎÁÓÔÒÏÊËÉ /proc.

  4. rules set up - By this point the script is, as a rule, ready for the rule sets to be inserted. I have split all the rules up by table and chain. Any user-defined chains must be created before we can use them. I list the chains and their rule sets in the same order in which the iptables -L command prints them.

    1. Filter table - First of all we go through the filter table. To begin with, the default policies of the table must be set.

      1. Set policies - Setting the default policies for the built-in chains. Usually I set DROP for the chains in the filter table and then allow the flows that originate from inside. That way we get rid of everything we do not want.

      2. Create user specified chains - In this section all the user-defined chains that we will use later within this table are created. We cannot use these chains until we have created them.

      3. Create content in user specified chains - After creating the user-defined chains we can fill them with rules. The only reason the rules for user-defined chains are given here is their closeness to the commands that create the chains. You may place the rules elsewhere in your script.

      4. INPUT chain - In this section the rules for the INPUT chain are added.

        Note

        As already mentioned, I have tried to follow the order produced by the output of the iptables -L command. There is no serious reason to keep to this structure; however, try to avoid mixing data from different tables and chains, since such a rule set becomes much harder to read and to search for possible problems.

      5. FORWARD chain - Here we add the rules to the FORWARD chain.

      6. OUTPUT chain - The OUTPUT chain is filled last in the filter table.

    2. nat table - After the filter table we move on to the nat table. This is done for a number of reasons. First of all, the NAT mechanism should not be started at an early stage, when packets can still be passed without restriction (that is, when NAT is already enabled but there is not a single filtering rule yet). Also, I look at the nat table as a kind of layer that lies outside the filter table. The filter table is a kind of core, nat is a shell around the core, and the mangle table can be viewed as a shell around the nat table. This may not be entirely correct, but it is not far from reality.

    3. Set policies - First of all we set all the default policies within the nat table. Usually I set ACCEPT. This table should not be used for filtering, and we should not DROP packets here. There are a number of unpleasant side effects that occur in such cases because of our assumptions. I let all packets through in these chains, since I see no reason not to.

    4. Create user specified chains - Here all the user-defined chains for the nat table are created. Usually I have none, but I added this section just in case. Note that the user-defined chains must be created before they are actually used.

    5. Create content in user specified chains - Adding rules to the user-defined chains of the nat table. The principle of placing the rules here is the same as in the filter table. I add them here because I see no reason to move them elsewhere.

    6. PREROUTING chain - The PREROUTING chain is used for DNAT. In most of the scripts DNAT is not used, or is at least commented out, so as not to "open the gates" into our LAN too wide. In some scripts this rule is enabled, since the sole purpose of those scripts is to provide services that are impossible without DNAT.

    7. POSTROUTING chain - The POSTROUTING chain is used by the scripts I have written, since in most cases there is one or more LANs that we want to connect to the Internet through the firewall. Mainly we will use SNAT, but in some cases we are forced to use MASQUERADE.

    8. OUTPUT chain - The OUTPUT chain is barely used at all in any of the scripts. I have not yet found any serious reason to use this chain. If you use it, drop me a line and I will make the corresponding changes to this tutorial.

  5. mangle table - The mangle table is the last table on the packets' path. Usually I do not use this table at all, since there is usually no need for anything like changing the TTL field or the TOS field and so on. In other words, I have left this section empty in some scripts, with a few exceptions where I added several examples of using this table.

    1. Set policies - The default policy is set here. The same restrictions apply as for the nat table. The table should not be used for filtering, and consequently you should avoid it. I have not set any policy in any of the scripts for the chains in the mangle table, and you should do the same.

    2. Create user specified chains - User-defined chains are created. Since I do not use the mangle table in the scripts, I did not create any user-defined chains. However, this section was added just in case.

    3. Create content in userspecified chains - If you have created any user-defined chains within this table, you can fill them with rules here.

    4. PREROUTING - At this point there is only a mention of the chain.

    5. INPUT chain - At this point there is only a mention of the chain.

    6. FORWARD chain - At this point there is only a mention of the chain.

    7. OUTPUT chain - At this point there is only a mention of the chain.

    8. POSTROUTING chain - At this point there is only a mention of the chain.

I hope I have explained in enough detail how each script is structured and why they are structured that way.

Caution

Note that these descriptions are extremely brief, and are only a short explanation of why the scripts have this structure. I do not claim to have the final word, and I do not claim that this is the only and best way.
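As an added illustration of the layout described above (this is example code written for this page, not one of the tutorial's own scripts), here is a skeleton that follows the same order: configuration, module loading, /proc settings, then the filter and nat tables chain by chain. The interface names, the LAN range and the chain name "allowed" are assumed sample values. With DRY_RUN=1, the default, it only prints the commands it would run, so it can be read and checked without root or a live firewall:

```shell
#!/bin/sh
# Added example (not one of the tutorial's scripts): a skeleton laid out in the
# order the text describes. Interface names and the LAN range are assumed
# sample values. With DRY_RUN=1 (the default) every command is printed instead
# of executed.
DRY_RUN="${DRY_RUN:-1}"
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }
proc_set() {  # proc_set <file> <value>
    if [ "$DRY_RUN" = 1 ]; then echo "echo $2 > $1"; else echo "$2" > "$1"; fi
}

### 1. Configuration options
INET_IFACE="${INET_IFACE:-eth0}"                # assumed Internet-facing interface
LAN_IFACE="${LAN_IFACE:-eth1}"                  # assumed LAN interface
LAN_IP_RANGE="${LAN_IP_RANGE:-192.168.0.0/24}"  # assumed LAN range
LO_IFACE="lo"

### 2. Module loading: required modules first, non-required ones commented out
load_modules() {
    for m in ip_tables ip_conntrack iptable_filter iptable_nat \
             ipt_LOG ipt_limit ipt_state ipt_MASQUERADE; do
        run modprobe "$m"
    done
    # Non-required: FTP helpers (see "Passive FTP but no DCC"), off by default
    #run modprobe ip_conntrack_ftp
    #run modprobe ip_nat_ftp
}

### 3. proc configuration: required settings, then non-required ones commented out
setup_proc() {
    proc_set /proc/sys/net/ipv4/ip_forward 1            # required: LAN behind us
    #proc_set /proc/sys/net/ipv4/conf/all/rp_filter 1   # non-required
}

### 4. Rules, table by table, in "iptables -L" order
setup_filter() {
    # Set policies: drop everything, then open only what is wanted
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT DROP
    # Create user specified chains, then fill them ("allowed" is an example name)
    run iptables -N allowed
    run iptables -A allowed -p tcp --syn -j ACCEPT
    run iptables -A allowed -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A allowed -p tcp -j DROP
    # INPUT chain
    run iptables -A INPUT -i "$LO_IFACE" -j ACCEPT
    run iptables -A INPUT -i "$LAN_IFACE" -s "$LAN_IP_RANGE" -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # a service offered to the Internet would be sent through "allowed", e.g.
    #run iptables -A INPUT -p tcp -i "$INET_IFACE" --dport 80 -j allowed
    run iptables -A INPUT -m limit --limit 3/minute --limit-burst 3 \
        -j LOG --log-prefix "INPUT-died:"
    # FORWARD chain
    run iptables -A FORWARD -i "$LAN_IFACE" -j ACCEPT
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # OUTPUT chain
    run iptables -A OUTPUT -o "$LO_IFACE" -j ACCEPT
    run iptables -A OUTPUT -o "$LAN_IFACE" -j ACCEPT
    run iptables -A OUTPUT -o "$INET_IFACE" -j ACCEPT
}

setup_nat() {
    # Set policies: nat is not a filtering table, so everything stays ACCEPT
    run iptables -t nat -P PREROUTING ACCEPT
    run iptables -t nat -P POSTROUTING ACCEPT
    run iptables -t nat -P OUTPUT ACCEPT
    # POSTROUTING: hide the LAN behind the address of the Internet interface
    run iptables -t nat -A POSTROUTING -o "$INET_IFACE" -j MASQUERADE
}

build_firewall() {
    load_modules
    setup_proc
    setup_filter      # filter before nat, as the text explains
    setup_nat
    # mangle table: intentionally left empty, no policy set
}
build_firewall
```

Run it as is to read the generated command list; as root with DRY_RUN=0 the same functions execute the commands. Each section sits in its own function so that a table or chain can be located as quickly as in the output of iptables -L.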


rc.firewall.txt

The rc.firewall.txt script is the main core on which the rest of the scripts are based. The rc.firewall file chapter describes the script in sufficient detail. The script is written for a home network where you have one LAN and one Internet connection. It also assumes that you have a static IP address, and hence do not use DHCP, PPP, SLIP or any other protocol that assigns an IP address dynamically. Otherwise, take the rc.DHCP.firewall.txt script as a basis.

The script requires the following options to be compiled in, either statically or as modules. Without any one of them the script will not work.

  • CONFIG_PACKET
  • CONFIG_NETFILTER
  • CONFIG_IP_NF_CONNTRACK
  • CONFIG_IP_NF_IPTABLES
  • CONFIG_IP_NF_MATCH_LIMIT
  • CONFIG_IP_NF_MATCH_STATE
  • CONFIG_IP_NF_FILTER
  • CONFIG_IP_NF_NAT
  • CONFIG_IP_NF_TARGET_LOG



rc.DMZ.firewall.txt

The script requires the following options to be compiled in, either statically or as modules. Without any one of them the script will not work.

  • CONFIG_PACKET
  • CONFIG_NETFILTER
  • CONFIG_IP_NF_CONNTRACK
  • CONFIG_IP_NF_IPTABLES
  • CONFIG_IP_NF_MATCH_LIMIT
  • CONFIG_IP_NF_MATCH_STATE
  • CONFIG_IP_NF_FILTER
  • CONFIG_IP_NF_NAT
  • CONFIG_IP_NF_TARGET_LOG


The rc.DMZ.firewall.txt script was written for those who have a trusted LAN, one "Demilitarized Zone" and one Internet connection. To reach the servers in the Demilitarized Zone from the outside, one-to-one NAT is used; that is, you have to make the firewall recognize packets for more than one IP address.

The script works with two internal networks, as shown in the figure. One uses the IP address range 192.168.0.0/24 and is the Trusted Internal Network. The other uses the range 192.168.1.0/24 and is called the Demilitarized Zone (DMZ), for which we will do one-to-one address translation (NAT). For example, if someone on the Internet sends a packet to our DNS_IP, we perform DNAT, which replaces the destination address with the local address of the DNS server in the DMZ. If DNAT were not done, the DNS server could not receive the request, since its address is DMZ_DNS_IP and not DNS_IP. The translation is done by the following rule.

$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $DNS_IP --dport 53 -j DNAT --to-destination $DMZ_DNS_IP

First, let me remind you that DNAT can only be done in the PREROUTING chain of the nat table. According to this rule, the packet must arrive over TCP on $INET_IFACE with a destination IP matching our $DNS_IP, and be aimed at port 53. When such a packet is seen, the destination address is rewritten, that is, DNAT is performed. The DNAT target is given the address to substitute with the --to-destination $DMZ_DNS_IP option. When the reply packet comes back through the firewall, the kernel's network code automatically changes the source address from $DMZ_DNS_IP to $DNS_IP; in other words, the reverse translation is done automatically and needs no additional rules.

By now you should understand how DNAT works well enough to work through the text of the script on your own without any problems. If something remains unclear to you and was not covered in this document, let me know about it; it is probably my mistake.
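The PREROUTING rule only rewrites the destination; the same packet then passes the FORWARD chain carrying the new address, so a filter rule there has to match $DMZ_DNS_IP rather than $DNS_IP. The following added example (written for this page, not taken from rc.DMZ.firewall.txt; the addresses and interface names are constructed sample values) shows the DNAT rule together with that FORWARD pairing, and extends the page's TCP rule with the UDP port 53 case that ordinary DNS queries use. IPTABLES defaults to "echo iptables", so the rules are printed instead of loaded:

```shell
#!/bin/sh
# Added example: DNAT for the DMZ DNS server plus the FORWARD rules that the
# translated packet meets next. Addresses and interfaces are constructed
# sample values; IPTABLES defaults to a dry run.
IPTABLES="${IPTABLES:-echo iptables}"
INET_IFACE="${INET_IFACE:-eth0}"          # assumed Internet interface
DMZ_IFACE="${DMZ_IFACE:-eth2}"            # assumed DMZ interface
DNS_IP="${DNS_IP:-203.0.113.10}"          # public address (constructed)
DMZ_DNS_IP="${DMZ_DNS_IP:-192.168.1.2}"   # DMZ address from 192.168.1.0/24

dmz_dns_rules() {
    # nat/PREROUTING: rewrite the destination before the routing decision,
    # so the packet is routed towards the DMZ instead of to the firewall itself
    $IPTABLES -t nat -A PREROUTING -p tcp -i "$INET_IFACE" -d "$DNS_IP" \
        --dport 53 -j DNAT --to-destination "$DMZ_DNS_IP"
    $IPTABLES -t nat -A PREROUTING -p udp -i "$INET_IFACE" -d "$DNS_IP" \
        --dport 53 -j DNAT --to-destination "$DMZ_DNS_IP"
    # filter/FORWARD sees the packet with the translated destination, so the
    # match is on DMZ_DNS_IP; only the first packet (NEW) needs an explicit rule
    $IPTABLES -A FORWARD -p tcp -i "$INET_IFACE" -o "$DMZ_IFACE" \
        -d "$DMZ_DNS_IP" --dport 53 -m state --state NEW -j ACCEPT
    $IPTABLES -A FORWARD -p udp -i "$INET_IFACE" -o "$DMZ_IFACE" \
        -d "$DMZ_DNS_IP" --dport 53 -m state --state NEW -j ACCEPT
    # replies: conntrack undoes the translation by itself; no nat rule needed
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}
dmz_dns_rules
```

Note that nothing here accepts traffic to $DNS_IP in FORWARD: after DNAT that address no longer appears in the packet, and a rule written against it would never match.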


rc.DHCP.firewall.txt

The script requires the following options to be compiled in, either statically or as modules. Without any one of them the script will not work.

  • CONFIG_PACKET
  • CONFIG_NETFILTER
  • CONFIG_IP_NF_CONNTRACK
  • CONFIG_IP_NF_IPTABLES
  • CONFIG_IP_NF_MATCH_LIMIT
  • CONFIG_IP_NF_MATCH_STATE
  • CONFIG_IP_NF_FILTER
  • CONFIG_IP_NF_NAT
  • CONFIG_IP_NF_TARGET_MASQUERADE
  • CONFIG_IP_NF_TARGET_LOG


The rc.DHCP.firewall.txt script is very similar to the original rc.firewall.txt. However, this script no longer uses the STATIC_IP variable, and that is the main difference from the original rc.firewall.txt. The reason is that rc.firewall.txt will not work with a dynamic IP address. The changes compared with the original are minimal. This script will be useful with DHCP, PPP and SLIP connections to the Internet.

The main difference in this script is the removal of the STATIC_IP variable and all references to it. The INET_IFACE variable is used in its place. In other words, -d $STATIC_IP is replaced by -i $INET_IFACE. That is really all that needs to be changed.
(Note that what the author calls STATIC_IP here is the INET_IP variable. Translator's note.)

We can no longer set rules in the INPUT chain like this one: --in-interface $LAN_IFACE --dst $INET_IP. This in turn forces us to build rules based only on the network interface. For example, suppose an HTTP server is running on the firewall. If we go to its main page, which contains a static link back to the same server running under a dynamic address, we can run into a fair amount of trouble. A host behind the NAT asks the DNS for the IP address of the HTTP server and then tries to reach that IP. If the firewall filters by interface and IP address, the host will get no answer, since the INPUT chain filters such a request out. (The author most likely means the rc.firewall.txt script. Translator's note.) This also holds in some cases when we have a static IP address, but then it can be worked around with rules that check for packets coming from the LAN interface to our INET_IP and ACCEPT them.

After all that has been said, the idea of writing a script that handles a dynamic IP may not look so bad. For example, one could write a script that obtains the IP address via ifconfig and inserts it into the text of the script (where the corresponding variable is defined) that brings up the Internet connection. The excellent site linuxguruz.org has a huge collection of scripts available for download. You will find the link to linuxguruz.org in Other resources and links.

Note

This script is less secure than rc.firewall.txt. I strongly recommend that you use the rc.firewall.txt script if at all possible, since rc.DHCP.firewall.txt is more open to attacks from the outside.

You could also add something like this to your scripts:

INET_IP=`ifconfig $INET_IFACE | grep inet | cut -d : -f 2 | cut -d \ -f 1`

The command above obtains the dynamic IP from the interface, but this approach has serious drawbacks, described below.

  1. If the script is run from another script which in turn is run by the PPP daemon, this may cause all already established connections to "hang", because of the rules that drop packets with state NEW and the SYN bit unset (see State NEW packets but no SYN bit set). The problem can of course be solved by removing those rules, but that solution is rather dubious from a security point of view.

  2. Suppose you have a set of static rules; it is rather crude to keep erasing and adding rules, and to risk damaging the existing ones while doing so. For example, if you want to block hosts on your LAN from connecting to the firewall, but at the same time run a script from the PPP daemon, how would you do it without erasing your already active rules blocking the LAN?

  3. It may lead to unnecessary complexity, which in turn weakens the protection. The simpler the script, the easier it is to maintain.
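To see what the ifconfig pipeline above actually extracts, here is an added example (not from the tutorial) that runs it on a constructed piece of ifconfig output instead of a live interface, next to a version anchored to the "inet addr:" line that fails, with no output, when the interface has no address yet, which is exactly the moment a PPP-triggered script tends to run:

```shell
#!/bin/sh
# Added example: extracting INET_IP from ifconfig output. Both ifconfig dumps
# below are constructed, not captured from a real interface.
SAMPLE_IFCONFIG='ppp0      Link encap:Point-to-Point Protocol
          inet addr:203.0.113.77  P-t-P:203.0.113.1  Mask:255.255.255.255
          inet6 addr: fe80::1/64 Scope:Link
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1'

# Same interface before PPP has negotiated an address
NO_ADDR_IFCONFIG='ppp0      Link encap:Point-to-Point Protocol
          POINTOPOINT NOARP MULTICAST  MTU:1492  Metric:1'

# The page's pipeline, reading ifconfig output from stdin. "grep inet" also
# matches the "inet6 addr" line, so it emits two lines here (the second empty).
naive_inet_ip() {
    grep inet | cut -d : -f 2 | cut -d ' ' -f 1
}

# Anchored version: only the IPv4 "inet addr:" line, first match only, and a
# non-zero exit when nothing is found, so a caller can refuse to load a rule
# set with an empty INET_IP instead of installing rules that match nothing.
inet_ip() {
    addr=$(sed -n 's/^[[:space:]]*inet addr:\([0-9.]*\).*/\1/p' | head -n 1)
    [ -n "$addr" ] || return 1
    printf '%s\n' "$addr"
}

# Usage: INET_IP=$(ifconfig ppp0 | inet_ip) || { echo "no address yet"; exit 1; }
printf '%s\n' "$SAMPLE_IFCONFIG" | inet_ip
```

On a live system the same functions read `ifconfig $INET_IFACE` in place of the sample text; the point of the exit status is that a script started by the PPP daemon can bail out rather than build rules around an empty variable.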


rc.UTIN.firewall.txt

The script requires the following options to be compiled in, either statically or as modules. Without any one of them the script will not work.

  • CONFIG_PACKET
  • CONFIG_NETFILTER
  • CONFIG_IP_NF_CONNTRACK
  • CONFIG_IP_NF_IPTABLES
  • CONFIG_IP_NF_MATCH_LIMIT
  • CONFIG_IP_NF_MATCH_STATE
  • CONFIG_IP_NF_FILTER
  • CONFIG_IP_NF_NAT
  • CONFIG_IP_NF_TARGET_LOG


The rc.UTIN.firewall.txt script, unlike the other scripts, blocks the LAN that sits behind the firewall. We trust the internal users no more than users from the Internet. In other words, we trust nobody, neither on the Internet nor on the LAN we are connected to. Therefore Internet access is restricted to the POP3, HTTP and FTP protocols only.

This script follows the golden rule: "trust no one, not even your own employees". It is a sad fact that most of the attacks and break-ins a company suffers are carried out by the company's own employees from the local networks. This script will hopefully give you some information that helps you tighten your firewall. It differs little from the original rc.firewall.txt, but contains hints about what we usually let through.


rc.test-iptables.txt

The rc.test-iptables.txt script is intended for testing the different chains, but may need additional tuning depending on your configuration, for example enabling ip_forwarding or setting up masquerading and so on. Nevertheless, in most cases with a basic setup, where the main tables are configured, this script will work. What the script actually does is set up LOG targets for ping requests and ping replies. This way it becomes possible to record in the system log which chains were traversed and in what order. Run the script and then execute the following command:

ping -c 1 host.on.the.internet

While the first command is running, execute tail -n 0 -f /var/log/messages. You should now clearly see all the chains in use and the order in which they are traversed.

Note

This script was written purely for demonstration purposes. In other words, you should not have logging rules like these, which register every packet without limit. Otherwise you risk becoming easy prey for an attacker who can flood you with packets and "bloat" your log, which may cause a denial of service, and then move on to an actual break-in of your system without fear of being detected, since the system will no longer be able to log him.


rc.flush-iptables.txt

The rc.flush-iptables.txt script has no real value of its own, since it resets all your tables and chains. At the start of the script, the default policies ACCEPT are set for the INPUT, OUTPUT and FORWARD chains of the filter table. After that the policies of the PREROUTING, POSTROUTING and OUTPUT chains of the nat table are reset to their default. These actions are done first so that no problems arise with closed connections and blocked packets. In practice this script can be used to prepare the firewall for configuration and when debugging your scripts, so here we only care about clearing the rule set and setting the default policies.

Once the default policies are set, we go on to flush the contents of the chains in the filter and nat tables, and then all user-defined chains are deleted. After that the script is done. If you use the mangle table, you will have to add the corresponding lines to the script to handle that table.

Note

A couple of words in closing. A great many people ask me why not put a call to this script into rc.firewall, writing something like rc.firewall start to run the script. I have not done so to date because I believe that teaching material should carry the main ideas and should not be overloaded with assorted scripts with odd syntax. Adding specific syntax makes the scripts less readable and the teaching material harder to understand, so this tutorial remains as it is, and will continue to remain so.
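An added example of the flush procedure just described, written for this page rather than taken from rc.flush-iptables.txt, and extended with the mangle table that the original leaves to the reader. IPTABLES defaults to "echo iptables", so the order of operations can be inspected without touching a live rule set:

```shell
#!/bin/sh
# Added example: flush routine in the order the text describes (policies first,
# then flush, then delete user-defined chains), extended to the mangle table.
# IPTABLES defaults to a dry run that prints the commands.
IPTABLES="${IPTABLES:-echo iptables}"

flush_iptables() {
    # 1. Policies first, so nothing is blocked while the chains are emptied:
    #    an empty INPUT chain with policy DROP would cut off every connection.
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -t nat -P PREROUTING ACCEPT
    $IPTABLES -t nat -P POSTROUTING ACCEPT
    $IPTABLES -t nat -P OUTPUT ACCEPT
    # mangle: the text sets no policy there (its chains default to ACCEPT),
    # so only its rules and user-defined chains are cleared below.
    # 2. Flush every rule in each table, then delete the user-defined chains
    #    (-X only succeeds once no rule references the chain, hence -F first)
    for table in filter nat mangle; do
        $IPTABLES -t "$table" -F
        $IPTABLES -t "$table" -X
    done
}
flush_iptables
```

After this the machine passes everything; the routine is only meant to run immediately before a rule set is loaded, or while debugging one.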


Detailed explanations of special commands

Listing your active rule set

To list the rule set, run the iptables command with the L option, which was briefly described earlier in the How a rule is built chapter. It looks roughly like this:

iptables -L

This command prints the rule set to the screen in human-readable form. Port numbers are converted to service names according to the /etc/services file, and IP addresses are converted to host names through DNS name resolution. Name resolution can cause some problems: for example, with the network 192.168.0.0/16 the DNS will not be able to resolve the name of the host with address 192.168.1.1, and as a result the command will hang. To get around this problem, list the rule set with an extra option:

iptables -L -n

To print additional information about the chains and rules, run

iptables -L -n -v

There are a number of files in the /proc file system that contain information of considerable interest to us. For example, suppose we want to look at the list of connections in the conntrack table. This is the main table that holds the list of tracked connections and the state each of them is in. To view the table, run the command

cat /proc/net/ip_conntrack | less
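As an added example (not from the tutorial), the following functions summarise a conntrack dump in the format that file has on 2.4 kernels; the sample entries are constructed. The count of UNREPLIED entries per source address is the figure to watch, since a host opening many half-open connections through the firewall is either scanning or flooding:

```shell
#!/bin/sh
# Added example: summarising a conntrack table dump. The entries below are
# constructed in the /proc/net/ip_conntrack format of 2.4 kernels; on a live
# system pipe the real file into the same functions.
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=192.168.0.3 dst=203.0.113.5 sport=32775 dport=80 src=203.0.113.5 dst=192.168.0.3 sport=80 dport=32775 [ASSURED] use=1
tcp      6 117 SYN_SENT src=192.168.0.3 dst=203.0.113.9 sport=32776 dport=25 [UNREPLIED] src=203.0.113.9 dst=192.168.0.3 sport=25 dport=32776 use=1
tcp      6 117 SYN_SENT src=192.168.0.3 dst=203.0.113.9 sport=32777 dport=110 [UNREPLIED] src=203.0.113.9 dst=192.168.0.3 sport=110 dport=32777 use=1
udp      17 28 src=192.168.0.3 dst=192.168.0.1 sport=32775 dport=53 src=192.168.0.1 dst=192.168.0.3 sport=53 dport=32775 use=1
tcp      6 10 TIME_WAIT src=192.168.0.4 dst=203.0.113.5 sport=33000 dport=80 src=203.0.113.5 dst=192.168.0.4 sport=80 dport=33000 [ASSURED] use=1'

# conntrack_summary: number of entries per "protocol state". TCP entries carry
# the state in the 4th column; UDP has no state column, shown as "-".
conntrack_summary() {
    awk '{ key = ($1 == "tcp") ? $1 " " $4 : $1 " -"; n[key]++ }
         END { for (k in n) print k, n[k] }' | sort
}

# unreplied_by_src: half-open entries per original source address. The first
# src= on the line is the original direction, so it names the initiator.
unreplied_by_src() {
    awk '/\[UNREPLIED\]/ {
             for (i = 1; i <= NF; i++)
                 if ($i ~ /^src=/) { sub("src=", "", $i); n[$i]++; break }
         }
         END { for (k in n) print k, n[k] }' | sort
}

printf '%s\n' "$SAMPLE_CONNTRACK" | conntrack_summary
printf '%s\n' "$SAMPLE_CONNTRACK" | unreplied_by_src
```

On a live firewall: `unreplied_by_src < /proc/net/ip_conntrack`. Run it periodically and compare against a baseline; a sudden jump for one internal address is worth a look before the rule set is loosened.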


Updating and flushing your tables

As you go deeper into exploring iptables, the question of removing individual rules from chains without having to reboot the machine will come up more and more often. I will now try to answer it. If you added some rule by mistake, you only need to replace the -A command with the -D command in the rule line. iptables will find the given rule and delete it. If there are several rules that match the pattern given for deletion, the first one found is erased. If that does not suit you, the -D command can be given the number of the line to delete as its parameter; for example, the command iptables -D INPUT 10 erases the tenth rule in the INPUT chain. (To find out a rule's number, issue the command iptables -L CHAIN_NAME --line-numbers, and the rules will then be printed with their numbers. Translator's note.)

To delete the contents of a whole chain, use the -F command. For example, iptables -F INPUT erases all the rules in the INPUT chain; however, this command does not change the chain's default policy, so if it is set to DROP, everything that enters the INPUT chain will still be blocked. To reset the default policy, simply set it back to its original state, for example iptables -P INPUT ACCEPT.

I have written a small script (described a little above) that flushes all the tables and chains and resets the chain policies in iptables. Just note that if you use the mangle table, you will need to extend that script, since it does not handle it.


Common problems and questions

Problems loading modules

You may run into a number of problems when trying to load one module or another. For example, you may get a message that the requested module does not exist

insmod: iptable_filter: no module by that name found

There is no reason to worry yet. It is quite possible that the requested module (or modules) was linked statically into the kernel. This is the first thing you should check. To do so, simply run the command

iptables -t filter -L

If everything is fine, this command prints the list of all chains in the filter table to the terminal. The output should look roughly like this:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

If the filter table is missing, the output will be roughly as follows

iptables v1.2.5: can't initialize iptables table `filter': Table does not exist (do you need to insmod?) Perhaps iptables or your kernel needs to be upgraded.

This is more serious, since this message indicates that either you forgot to install the modules, or you forgot to run depmod -a, or you did not compile the required modules at all. To solve the first problem, run the make modules_install command in the directory with the kernel sources. The second problem is solved by running the depmod -a command. Solving the third problem is beyond the scope of this tutorial, and in that case I recommend visiting the home page of the Linux Documentation Project. (Look again at the beginning of the document, where the iptables installation process is described. Translator's note.)

Other errors you may get when running iptables:

iptables: No chain/target/match by that name

This error reports that there is no such chain, target or match. It can depend on a huge number of factors; most likely you are trying to use a non-existent (or not yet defined) chain, or a non-existent target or match. Or it is because the required module is not loaded.


Passive FTP but no DCC

This is one of the nice features of the new iptables supported by the 2.4.x series kernels: you can allow Passive FTP and forbid DCC transfers with the help of the new connection tracking code. You may ask "How is that?"; it is quite simple. To make it possible, you need to compile ip_conntrack_irc, ip_nat_irc, ip_conntrack_ftp and ip_nat_ftp as loadable modules rather than as static code in the kernel. What these modules do is add connection tracking and NAT support for Passive FTP and DCC send. Without these modules the kernel's network code cannot handle connections of this type correctly.

If, for example, you want to allow Passive FTP and at the same time forbid DCC send, you need to load the ip_conntrack_ftp and ip_nat_ftp modules and NOT load the ip_conntrack_irc and ip_nat_irc modules, and then add the rule:

iptables -A INPUT -p TCP -m state --state RELATED -j ACCEPT

This will allow Passive FTP connections, but not DCC. If instead you want to forbid Passive FTP and allow DCC, you do exactly the opposite: load the ip_conntrack_irc and ip_nat_irc modules and do NOT load the ip_conntrack_ftp and ip_nat_ftp modules. Note that the ip_nat_* modules are only needed if your firewall does Network Address Translation or masquerading when connecting local hosts to the Internet.

For more information about Active and Passive FTP, read RFC 959 - File Transfer Protocol by J. Postel and J. Reynolds. This RFC contains information about the FTP protocol, Active and Passive FTP and how they work. As this document describes, in Active FTP the client sends the server its IP address and a port it has chosen at random for the connection. The server then connects to that port on the client. If your client is behind a firewall doing NAT, the data section of the packets must be rewritten, which is what the ip_nat_ftp module does. In Passive FTP the order of things is reversed. The client tells the server that it wants to send or receive data, and the server in its reply tells the client which address to connect to and which port to use.


State NEW packets but no SYN bit set

This property of iptables is not well documented, and so many people may pay too little attention to it (myself included). If you use rules that match on packet state NEW but do not check the state of the SYN bit, packets with the SYN bit unset will be able to "leak" through your protection. Although, when we use several firewalls, such a packet may be part of an ESTABLISHED connection set up through another firewall. By letting such packets through we make it possible for two or more firewalls to work together, and we can stop any one of them without fear of breaking the established connections, since the other firewall immediately takes over the data transfer. However, this would allow practically any TCP connection to be established. To avoid this, the following rules should be added to the INPUT, OUTPUT and FORWARD chains:

$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

Caution

The rules above take care of this problem. Be extremely careful when building rules that make decisions based on packet state.

Note that there are some problems with the rules above and the poor TCP/IP implementation from Microsoft. The thing is that under certain conditions packets generated by Microsoft software are marked as NEW and, according to these rules, will be dropped. This, however, does not break connections as far as I know. It happens because, when a connection is closed and the final FIN/ACK packet is sent, netfilter closes the connection and removes it from the conntrack table. At that moment the defective Microsoft code sends another packet, which is given state NEW, but the SYN bit is not set in this packet, and so it matches the rules above. In short, do not worry too much about these rules. If anything happens, you can look at the system log, where the dropped packets are logged (see the rules above), and sort them out.

There is one more known problem with these rules. If someone is currently connected to the firewall, for example from the LAN, and activates PPP, the connection will be killed. This happens at the moment when the conntrack and nat modules are loaded or unloaded. Another way to get this problem is to run the rc.firewall.txt script from a telnet connection from another computer. To do this you connect to the firewall with telnet. You run rc.firewall.txt, during which the connection tracking modules are started and the "NEW not SYN" rules are loaded. When the telnet client or daemon tries to send something, the connection is recognized by the tracking code as NEW, but the packets do not have the SYN bit set, since they are in fact part of an already established connection. Consequently the packet matches the rules, and as a result it is logged and dropped.
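The text says the two rules go into INPUT, OUTPUT and FORWARD but shows only the INPUT pair. This added example (written for this page, not part of the rc.firewall scripts) generates the pair for all three chains and rate-limits the LOG rule with the limit match, which the required-module lists above already include, so that a stream of such packets cannot fill the log the way the rc.test-iptables note warns about. IPTABLES defaults to "echo iptables"; the log prefix is kept to a single token so the dry-run output can be pasted as is:

```shell
#!/bin/sh
# Added example: "NEW but not SYN" log-and-drop pair for all three filter
# chains, with the LOG rule rate limited. IPTABLES defaults to a dry run.
IPTABLES="${IPTABLES:-echo iptables}"
LOG_LIMIT="${LOG_LIMIT:-3/minute}"   # average rate of log entries per chain
LOG_BURST="${LOG_BURST:-3}"          # initial burst before the limit applies

new_not_syn_rules() {
    # These must sit before any rule that accepts NEW TCP without --syn;
    # with -A that means calling this before the chain's ACCEPT rules.
    for chain in INPUT FORWARD OUTPUT; do
        $IPTABLES -A "$chain" -p tcp ! --syn -m state --state NEW \
            -m limit --limit "$LOG_LIMIT" --limit-burst "$LOG_BURST" \
            -j LOG --log-prefix "New_not_syn_${chain}:"
        $IPTABLES -A "$chain" -p tcp ! --syn -m state --state NEW -j DROP
    done
}
new_not_syn_rules
```

The per-chain prefix tells you, from the log line alone, whether the stray packet was addressed to the firewall, routed through it or generated by it, which is what you need when tracing the telnet and PPP cases described above.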


Internet Service Providers who use reserved IP addresses

I added this section to warn you about dim-witted Internet Service Providers who assign IP addresses that IANA has set aside for local networks. For example, the Swedish Internet Service Provider and telephone monopoly Telia uses such addresses, for instance for its DNS servers, which use the 10.x.x.x range. The problem you will most likely run into is that we, in our scripts, do not allow connections from any IP in the 10.x.x.x range, because of the possibility of packet spoofing. If you run into such a situation, you will probably have to remove some of the rules, or add rules that let the traffic from these servers through ahead of the INPUT chain, for example like this:

/usr/local/sbin/iptables -t nat -I PREROUTING -i eth1 -s 10.0.0.1/32 -j ACCEPT

I would like to remind such providers that these address ranges are not meant for use on the Internet. For corporate networks, by all means; for your own home networks, fine! But you should not force us to "open up" at your whim.


How to let DHCP requests through iptables

This task is actually quite simple if you know how the DHCP protocol works. First of all, you need to know that DHCP works over the UDP protocol. Consequently the protocol is the first criterion. Next, the interface must be specified: for example, if DHCP requests come through $LAN_IFACE, DHCP traffic should be allowed only through that interface. Finally, to make the rule more specific, the ports should be given. DHCP uses ports 67 and 68. So the rule we want may look as follows:

$IPTABLES -I INPUT -i $LAN_IFACE -p udp --dport 67:68 --sport 67:68 -j ACCEPT

Note that this rule lets all UDP traffic through ports 67 and 68, but this should not worry you too much, since it only allows requests from hosts on the network that try to connect to ports 67 and 68. This rule is quite sufficient to allow DHCP requests and at the same time not "open the gates" too wide. If security concerns you a great deal, you can tighten this rule further.
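The rule above accepts any UDP packet between the 67:68 ranges in both directions. As an added example of the tightening the text invites (not from the tutorial; LAN_IFACE is an assumed name, and the example assumes this firewall is the DHCP server for the LAN), the broad rule is shown beside a pair that follows the protocol's fixed port roles: clients send from port 68 to port 67, and the server answers from 67 to 68. IPTABLES defaults to "echo iptables":

```shell
#!/bin/sh
# Added example: the page's broad DHCP rule next to a tightened pair.
# Assumes the firewall serves DHCP to the LAN. IPTABLES defaults to a dry run.
IPTABLES="${IPTABLES:-echo iptables}"
LAN_IFACE="${LAN_IFACE:-eth1}"   # assumed LAN interface name

dhcp_rule_broad() {
    # Accepts UDP 67->67, 67->68, 68->67 and 68->68 alike on the LAN side.
    $IPTABLES -I INPUT -i "$LAN_IFACE" -p udp --dport 67:68 --sport 67:68 -j ACCEPT
}

dhcp_rules_tight() {
    # DHCPDISCOVER/DHCPREQUEST from clients: source port 68, destination 67.
    # A packet using any other combination of these ports falls through to
    # the chain policy instead of being accepted.
    $IPTABLES -I INPUT -i "$LAN_IFACE" -p udp --sport 68 --dport 67 -j ACCEPT
    # DHCPOFFER/DHCPACK from this server back to clients: 67 -> 68. Needed
    # only if OUTPUT is not already open towards the LAN interface.
    $IPTABLES -I OUTPUT -o "$LAN_IFACE" -p udp --sport 67 --dport 68 -j ACCEPT
}

dhcp_rule_broad
dhcp_rules_tight
```

If the firewall is instead a DHCP client on its Internet interface, the roles swap: the outgoing request is 68 to 67 on OUTPUT and the answer 67 to 68 on INPUT, on $INET_IFACE rather than the LAN side.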


mIRC DCC problems

mIRC uses specific settings that allow it to connect through a firewall and to handle DCC connections properly. If these settings are used together with iptables, more precisely with the ip_conntrack_irc and ip_nat_irc modules, the combination simply will not work. The problem is that mIRC automatically performs network address translation (NAT) inside the packets. As a result, when a packet reaches iptables, it simply does not know what to do with it. mIRC does not expect the firewall to be "smart" enough to handle IRC correctly, and so it asks the server for its own IP address itself and then inserts that address when sending the DCC request.

Enabling the "I am behind a firewall" option and using the ip_conntrack_irc and ip_nat_irc modules results in netfilter writing the message "Forged DCC send packet" to the system log.

This problem has a simple solution: turn this option off in mIRC and let iptables do all the work.


ICMP types

This is a list of ICMP message types and codes, marked as query or error messages:

Table 1. ICMP types

TYPE  CODE  Description                                              Query  Error
0     0     Echo Reply                                               x
3     0     Network Unreachable                                             x
3     1     Host Unreachable                                                x
3     2     Protocol Unreachable                                            x
3     3     Port Unreachable                                                x
3     4     Fragmentation needed but no frag. bit set                       x
3     5     Source routing failed                                           x
3     6     Destination network unknown                                     x
3     7     Destination host unknown                                        x
3     8     Source host isolated (obsolete)                                 x
3     9     Destination network administratively prohibited                 x
3     10    Destination host administratively prohibited                    x
3     11    Network unreachable for TOS                                     x
3     12    Host unreachable for TOS                                        x
3     13    Communication administratively prohibited by filtering          x
3     14    Host precedence violation                                       x
3     15    Precedence cutoff in effect                                     x
4     0     Source quench
5     0     Redirect for network
5     1     Redirect for host
5     2     Redirect for TOS and network
5     3     Redirect for TOS and host
8     0     Echo request                                             x
9     0     Router advertisement
10    0     Router solicitation
11    0     TTL equals 0 during transit                                     x
11    1     TTL equals 0 during reassembly                                  x
12    0     IP header bad (catchall error)                                  x
12    1     Required options missing                                        x
13    0     Timestamp request (obsolete)                             x
14    0     Timestamp reply (obsolete)                               x
15    0     Information request (obsolete)                           x
16    0     Information reply (obsolete)                             x
17    0     Address mask request                                     x
18    0     Address mask reply                                       x

Other resources and links

Here is a list of links where you can find further information:

  • ip-sysctl.txt - from the 2.4.14 kernel documentation. A small but good reference to the sysctl controls of the kernel's IP networking code.

  • ip_dynaddr.txt - from the 2.4.14 kernel documentation. A brief reference to the ip_dynaddr settings available through sysctl and the /proc file system.

  • iptables.8 - The iptables 1.2.4 man page in HTML format. An excellent reference for writing iptables rules; always useful to have at hand.

  • http://netfilter.filewatcher.org/ - The official netfilter and iptables site. Essential for anyone who wants to set up iptables and netfilter on Linux.

  • http://netfilter.filewatcher.org/netfilter-faq.html - The official netfilter FAQ (Frequently Asked Questions).

  • http://netfilter.filewatcher.org/unreliable-guides/packet-filtering-HOWTO/index.html - Rusty Russell's Unreliable Guide to Packet Filtering. Excellent documentation on the basics of packet filtering with iptables, written by one of the iptables and netfilter developers.

  • http://netfilter.filewatcher.org/unreliable-guides/NAT-HOWTO/index.html - Rusty Russell's Unreliable Guide to Network Address Translation. Excellent documentation on Network Address Translation with iptables and netfilter, written by one of the core developers, Rusty Russell.

  • http://netfilter.filewatcher.org/unreliable-guides/netfilter-hacking-HOWTO/index.html - Rusty Russell's Unreliable Netfilter Hacking HOWTO. One of the few documents on writing code for netfilter and iptables. Also written by Rusty Russell.

  • http://www.linuxguruz.org/iptables/ - Contains a large collection of links on the subject, and a list of iptables scripts for various purposes.

  • http://www.islandsoft.net/veerapen.html - An excellent discussion of automating iptables, for example how, with a few small changes, your machine can automatically add "unwanted" sites to a banlist in iptables.

  • http://kalamazoolinux.org/presentations/20010417/conntrack.html - An excellent presentation on the connection tracking modules. If connection tracking interests you, you should read it.

  • http://www.docum.org - One of the few sites with information about the Linux CBQ, tc and ip commands. Maintained by Stef Coene.

  • http://lists.samba.org/mailman/listinfo/netfilter - The official netfilter mailing list. Extremely useful for resolving questions about iptables and netfilter.

And of course the iptables source code, its documentation and the people who helped me.


Acknowledgements

I would like to express special thanks to the people who gave me invaluable help in creating this document:

  • Fabrice Marie, as chief editor, for correcting my horrible mistakes, and many thanks for converting this document to DocBook format.

  • Marc Boucher, for help with some aspects of the state matching code.

  • Frode E. Nyboe, for improving the rc.firewall rules, for inspiring me to rewrite the rules and for introducing multiple tables in the same file.

  • Chapman Brad, Alexander W. Janssen, for helping me understand the order in which packets traverse the basic NAT and filter tables.

  • Michiel Brandenburg, Myles Uyema, for helping to get the rules that use state matching working.

  • Kent `Artech' Stahre, for help with the graphics. I know I am a bad designer, and you are the best of those I know ;). Also thanks for finding errors in this document.

  • Anders 'DeZENT' Johansson, for information about strange ISPs that use addresses reserved for local networks.

  • Jeremy `Spliffy' Smith, for numerous hints and for catching my mistakes.

And of course everyone who answered my questions and gave their opinions on this document. I am very sorry that I cannot name everyone.

History

Version 1.1.14 (14 Oct 2002)
http://iptables-tutorial.frozentux.net
By: Oskar Andreasson
Contributors: Carol Anne, Manuel Minzoni, Yves Soun, Miernik, Uwe Dippel,
Dave Klipec and Eddy L O Jansson.

Version 1.1.13 (22 Aug 2002)
http://iptables-tutorial.haringstad.com
By: Oskar Andreasson
Contributors: Tons of people reporting bad HTML version.

Version 1.1.12 (19 Aug 2002)
http://www.netfilter.org/tutorial/
By: Oskar Andreasson
Contributors: Peter Schubnell, Stephen J. Lawrence, Uwe Dippel, Bradley
Dilger, Vegard Engen, Clifford Kite, Alessandro Oliveira, Tony Earnshaw,
Harald Welte, Nick Andrew and Stepan Kasal.

Version 1.1.11 (27 May 2002)
http://www.netfilter.org/tutorial/
By: Oskar Andreasson
Contributors: Steve Hnizdur, Lonni Friedman, Jelle Kalf, Harald Welte,
Valentina Barrios and Tony Earnshaw.

Version 1.1.9 (21 March 2002)
http://www.boingworld.com/workshops/linux/iptables-tutorial/
By: Oskar Andreasson
Contributors: Vince Herried, Togan Muftuoglu, Galen Johnson, Kelly Ashe, Janne
Johansson, Thomas Smets, Peter Horst, Mitch Landers, Neil Jolly, Jelle Kalf,
Jason Lam and Evan Nemerson

Version 1.1.8 (5 March 2002)
http://www.boingworld.com/workshops/linux/iptables-tutorial/
By: Oskar Andreasson

Version 1.1.7 (4 February 2002)
http://www.boingworld.com/workshops/linux/iptables-tutorial/
By: Oskar Andreasson
Contributors: Parimi Ravi, Phil Schultz, Steven McClintoc, Bill Dossett,
Dave Wreski, Erik Sjölund, Adam Mansbridge, Vasoo Veerapen, Aladdin and
Rusty Russell.

Version 1.1.6 (7 December 2001)
http://people.unix-fu.org/andreasson/
By: Oskar Andreasson
Contributors: Jim Ramsey, Phil Schultz, Göran Bäge, Doug Monroe, Jasper
Aikema, Kurt Lieber, Chris Tallon, Chris Martin, Jonas Pasche, Jan
Labanowski, Rodrigo R. Branco, Jacco van Koll and Dave Wreski

Version 1.1.5 (14 November 2001)
http://people.unix-fu.org/andreasson/
By: Oskar Andreasson
Contributors: Fabrice Marie, Merijn Schering and Kurt Lieber

Version 1.1.4 (6 November 2001)
http://people.unix-fu.org/andreasson
By: Oskar Andreasson
Contributors: Stig W. Jensen, Steve Hnizdur, Chris Pluta and Kurt Lieber

Version 1.1.3 (9 October 2001)
http://people.unix-fu.org/andreasson
By: Oskar Andreasson
Contributors: Joni Chu, N. Emile Akabi-Davis and Jelle Kalf

Version 1.1.2 (29 September 2001)
http://people.unix-fu.org/andreasson
By: Oskar Andreasson

Version 1.1.1 (26 September 2001)
http://people.unix-fu.org/andreasson
By: Oskar Andreasson
Contributors: Dave Richardson

Version 1.1.0 (15 September 2001)
http://people.unix-fu.org/andreasson
By: Oskar Andreasson

Version 1.0.9 (9 September 2001)
http://people.unix-fu.org/andreasson
By: Oskar Andreasson

Version 1.0.8 (7 September 2001)
http://people.unix-fu.org/andreasson
By: Oskar Andreasson

Version 1.0.7 (23 August 2001)
http://people.unix-fu.org/andreasson
By: Oskar Andreasson
Contributors: Fabrice Marie

Version 1.0.6
http://people.unix-fu.org/andreasson
By: Oskar Andreasson

Version 1.0.5
http://people.unix-fu.org/andreasson
By: Oskar Andreasson
Contributors: Fabrice Marie


GNU Free Documentation License

Version 1.1, March 2000

Copyright (C) 2000 Free Software Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.


0. PREAMBLE

The purpose of this License is to make a manual, textbook, or other written document "free" in the sense of freedom: to assure everyone the effective freedom to copy and redistribute it, with or without modifying it, either commercially or noncommercially. Secondarily, this License preserves for the author and publisher a way to get credit for their work, while not being considered responsible for modifications made by others.

This License is a kind of "copyleft", which means that derivative works of the document must themselves be free in the same sense. It complements the GNU General Public License, which is a copyleft license designed for free software.

We have designed this License in order to use it for manuals for free software, because free software needs free documentation: a free program should come with manuals providing the same freedoms that the software does. But this License is not limited to software manuals; it can be used for any textual work, regardless of subject matter or whether it is published as a printed book. We recommend this License principally for works whose purpose is instruction or reference.


1. APPLICABILITY AND DEFINITIONS

This License applies to any manual or other work that contains a notice placed by the copyright holder saying it can be distributed under the terms of this License. The "Document", below, refers to any such manual or work. Any member of the public is a licensee, and is addressed as "you".

A "Modified Version" of the Document means any work containing the Document or a portion of it, either copied verbatim, or with modifications and/or translated into another language.

A "Secondary Section" is a named appendix or a front-matter section of the Document that deals exclusively with the relationship of the publishers or authors of the Document to the Document's overall subject (or to related matters) and contains nothing that could fall directly within that overall subject. (For example, if the Document is in part a textbook of mathematics, a Secondary Section may not explain any mathematics.) The relationship could be a matter of historical connection with the subject or with related matters, or of legal, commercial, philosophical, ethical or political position regarding them.

The "Invariant Sections" are certain Secondary Sections whose titles are designated, as being those of Invariant Sections, in the notice that says that the Document is released under this License.

The "Cover Texts" are certain short passages of text that are listed, as Front-Cover Texts or Back-Cover Texts, in the notice that says that the Document is released under this License.

A "Transparent" copy of the Document means a machine-readable copy, represented in a format whose specification is available to the general public, whose contents can be viewed and edited directly and straightforwardly with generic text editors or (for images composed of pixels) generic paint programs or (for drawings) some widely available drawing editor, and that is suitable for input to text formatters or for automatic translation to a variety of formats suitable for input to text formatters. A copy made in an otherwise Transparent file format whose markup has been designed to thwart or discourage subsequent modification by readers is not Transparent. A copy that is not "Transparent" is called "Opaque".

Examples of suitable formats for Transparent copies include plain ASCII without markup, Texinfo input format, LaTeX input format, SGML or XML using a publicly available DTD, and standard-conforming simple HTML designed for human modification. Opaque formats include PostScript, PDF, proprietary formats that can be read and edited only by proprietary word processors, SGML or XML for which the DTD and/or processing tools are not generally available, and the machine-generated HTML produced by some word processors for output purposes only.

The "Title Page" means, for a printed book, the title page itself, plus such following pages as are needed to hold, legibly, the material this License requires to appear in the title page. For works in formats which do not have any title page as such, "Title Page" means the text near the most prominent appearance of the work's title, preceding the beginning of the body of the text.


2. VERBATIM COPYING

You may copy and distribute the Document in any medium, either commercially or noncommercially, provided that this License, the copyright notices, and the license notice saying this License applies to the Document are reproduced in all copies, and that you add no other conditions whatsoever to those of this License. You may not use technical measures to obstruct or control the reading or further copying of the copies you make or distribute. However, you may accept compensation in exchange for copies. If you distribute a large enough number of copies you must also follow the conditions in section 3.

You may also lend copies, under the same conditions stated above, and you may publicly display copies.


3. COPYING IN QUANTITY

If you publish printed copies of the Document numbering more than 100, and the Document's license notice requires Cover Texts, you must enclose the copies in covers that carry, clearly and legibly, all these Cover Texts: Front-Cover Texts on the front cover, and Back-Cover Texts on the back cover. Both covers must also clearly and legibly identify you as the publisher of these copies. The front cover must present the full title with all words of the title equally prominent and visible. You may add other material on the covers in addition. Copying with changes limited to the covers, as long as they preserve the title of the Document and satisfy these conditions, can be treated as verbatim copying in other respects.

If the required texts for either cover are too voluminous to fit legibly, you should put the first ones listed (as many as fit reasonably) on the actual cover, and continue the rest onto adjacent pages.

If you publish or distribute Opaque copies of the Document numbering more than 100, you must either include a machine-readable Transparent copy along with each Opaque copy, or state in or with each Opaque copy a publicly-accessible computer-network location containing a complete Transparent copy of the Document, free of added material, which the general network-using public has access to download anonymously at no charge using public-standard network protocols. If you use the latter option, you must take reasonably prudent steps, when you begin distribution of Opaque copies in quantity, to ensure that this Transparent copy will remain thus accessible at the stated location until at least one year after the last time you distribute an Opaque copy (directly or through your agents or retailers) of that edition to the public.

It is requested, but not required, that you contact the authors of the Document well before redistributing any large number of copies, to give them a chance to provide you with an updated version of the Document.


4. MODIFICATIONS

You may copy and distribute a Modified Version of the Document under the conditions of sections 2 and 3 above, provided that you release the Modified Version under precisely this License, with the Modified Version filling the role of the Document, thus licensing distribution and modification of the Modified Version to whoever possesses a copy of it. In addition, you must do these things in the Modified Version:

  1. Use in the Title Page (and on the covers, if any) a title distinct from that of the Document, and from those of previous versions (which should, if there were any, be listed in the History section of the Document). You may use the same title as a previous version if the original publisher of that version gives permission.

  2. List on the Title Page, as authors, one or more persons or entities responsible for authorship of the modifications in the Modified Version, together with at least five of the principal authors of the Document (all of its principal authors, if it has less than five).

  3. State on the Title page the name of the publisher of the Modified Version, as the publisher.

  4. Preserve all the copyright notices of the Document.

  5. Add an appropriate copyright notice for your modifications adjacent to the other copyright notices.

  6. Include, immediately after the copyright notices, a license notice giving the public permission to use the Modified Version under the terms of this License, in the form shown in the Addendum below.

  7. Preserve in that license notice the full lists of Invariant Sections and required Cover Texts given in the Document's license notice.

  8. Include an unaltered copy of this License.

  9. Preserve the section entitled "History", and its title, and add to it an item stating at least the title, year, new authors, and publisher of the Modified Version as given on the Title Page. If there is no section entitled "History" in the Document, create one stating the title, year, authors, and publisher of the Document as given on its Title Page, then add an item describing the Modified Version as stated in the previous sentence.

  10. Preserve the network location, if any, given in the Document for public access to a Transparent copy of the Document, and likewise the network locations given in the Document for previous versions it was based on. These may be placed in the "History" section. You may omit a network location for a work that was published at least four years before the Document itself, or if the original publisher of the version it refers to gives permission.

  11. In any section entitled "Acknowledgements" or "Dedications", preserve the section's title, and preserve in the section all the substance and tone of each of the contributor acknowledgements and/or dedications given therein.

  12. Preserve all the Invariant Sections of the Document, unaltered in their text and in their titles. Section numbers or the equivalent are not considered part of the section titles.

  13. Delete any section entitled "Endorsements". Such a section may not be included in the Modified Version.

  14. Do not retitle any existing section as "Endorsements" or to conflict in title with any Invariant Section.

If the Modified Version includes new front-matter sections or appendices that qualify as Secondary Sections and contain no material copied from the Document, you may at your option designate some or all of these sections as invariant. To do this, add their titles to the list of Invariant Sections in the Modified Version's license notice. These titles must be distinct from any other section titles.

You may add a section entitled "Endorsements", provided it contains nothing but endorsements of your Modified Version by various parties--for example, statements of peer review or that the text has been approved by an organization as the authoritative definition of a standard.

You may add a passage of up to five words as a Front-Cover Text, and a passage of up to 25 words as a Back-Cover Text, to the end of the list of Cover Texts in the Modified Version. Only one passage of Front-Cover Text and one of Back-Cover Text may be added by (or through arrangements made by) any one entity. If the Document already includes a cover text for the same cover, previously added by you or by arrangement made by the same entity you are acting on behalf of, you may not add another; but you may replace the old one, on explicit permission from the previous publisher that added the old one.

The author(s) and publisher(s) of the Document do not by this License give permission to use their names for publicity for or to assert or imply endorsement of any Modified Version.


5. COMBINING DOCUMENTS

You may combine the Document with other documents released under this License, under the terms defined in section 4 above for modified versions, provided that you include in the combination all of the Invariant Sections of all of the original documents, unmodified, and list them all as Invariant Sections of your combined work in its license notice.

The combined work need only contain one copy of this License, and multiple identical Invariant Sections may be replaced with a single copy. If there are multiple Invariant Sections with the same name but different contents, make the title of each such section unique by adding at the end of it, in parentheses, the name of the original author or publisher of that section if known, or else a unique number. Make the same adjustment to the section titles in the list of Invariant Sections in the license notice of the combined work.

In the combination, you must combine any sections entitled "History" in the various original documents, forming one section entitled "History"; likewise combine any sections entitled "Acknowledgements", and any sections entitled "Dedications". You must delete all sections entitled "Endorsements."


6. COLLECTIONS OF DOCUMENTS

You may make a collection consisting of the Document and other documents released under this License, and replace the individual copies of this License in the various documents with a single copy that is included in the collection, provided that you follow the rules of this License for verbatim copying of each of the documents in all other respects.

You may extract a single document from such a collection, and distribute it individually under this License, provided you insert a copy of this License into the extracted document, and follow this License in all other respects regarding verbatim copying of that document.


7. AGGREGATION WITH INDEPENDENT WORKS

A compilation of the Document or its derivatives with other separate and independent documents or works, in or on a volume of a storage or distribution medium, does not as a whole count as a Modified Version of the Document, provided no compilation copyright is claimed for the compilation. Such a compilation is called an "aggregate", and this License does not apply to the other self-contained works thus compiled with the Document, on account of their being thus compiled, if they are not themselves derivative works of the Document.

If the Cover Text requirement of section 3 is applicable to these copies of the Document, then if the Document is less than one quarter of the entire aggregate, the Document's Cover Texts may be placed on covers that surround only the Document within the aggregate. Otherwise they must appear on covers around the whole aggregate.


8. TRANSLATION

Translation is considered a kind of modification, so you may distribute translations of the Document under the terms of section 4. Replacing Invariant Sections with translations requires special permission from their copyright holders, but you may include translations of some or all Invariant Sections in addition to the original versions of these Invariant Sections. You may include a translation of this License provided that you also include the original English version of this License. In case of a disagreement between the translation and the original English version of this License, the original English version will prevail.


9. TERMINATION

You may not copy, modify, sublicense, or distribute the Document except as expressly provided for under this License. Any other attempt to copy, modify, sublicense or distribute the Document is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.


10. FUTURE REVISIONS OF THIS LICENSE

The Free Software Foundation may publish new, revised versions of the GNU Free Documentation License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. See http://www.gnu.org/copyleft/.

Each version of the License is given a distinguishing version number. If the Document specifies that a particular numbered version of this License "or any later version" applies to it, you have the option of following the terms and conditions either of that specified version or of any later version that has been published (not as a draft) by the Free Software Foundation. If the Document does not specify a version number of this License, you may choose any version ever published (not as a draft) by the Free Software Foundation.


How to use this License for your documents

To use this License in a document you have written, include a copy of the License in the document and put the following copyright and license notices just after the title page:

Copyright (c) YEAR YOUR NAME. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1 or any later version published by the Free Software Foundation; with the Invariant Sections being LIST THEIR TITLES, with the Front-Cover Texts being LIST, and with the Back-Cover Texts being LIST. A copy of the license is included in the section entitled "GNU Free Documentation License".

If you have no Invariant Sections, write "with no Invariant Sections" instead of saying which ones are invariant. If you have no Front-Cover Texts, write "no Front-Cover Texts" instead of "Front-Cover Texts being LIST"; likewise for Back-Cover Texts.

If your document contains nontrivial examples of program code, we recommend releasing these examples in parallel under your choice of free software license, such as the GNU General Public License, to permit their use in free software.


GNU General Public License

Version 2, June 1991

Copyright (C) 1989, 1991 Free Software Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.


0. Preamble

The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Library General Public License instead.) You can apply it to your programs, too.

When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things.

To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it.

For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights.

We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software.

Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations.

Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all.

The precise terms and conditions for copying, distribution and modification follow.


1. TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

  1. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you".

    Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does.

  1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program.

    You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.

  2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:

    a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change.

    b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License.

    c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.)

    These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.

    Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program.

    In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.

  3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following:

    a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,

    b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,

    c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.)

    The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.

    If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code.

  4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.

  5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it.

  6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License.

  7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program.

    If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances.

    It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice.

    This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.

  8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License.

  9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.

    Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation.

  10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.

  11. NO WARRANTY

    BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

  12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

END OF TERMS AND CONDITIONS


2. How to Apply These Terms to Your New Programs

If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms.

To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found.

<one line to give  the program's name and a brief idea of what it does.>
Copyright (C) <year>  <name of author>

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

Also add information on how to contact you by electronic and paper mail.

If the program is interactive, make it output a short notice like this when it starts in an interactive mode:

Gnomovision version 69, Copyright (C) year name of author Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details.

The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than `show w' and `show c'; they could even be mouse-clicks or menu items--whatever suits your program.

You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the program, if necessary. Here is a sample; alter the names:

Yoyodyne, Inc., hereby disclaims all copyright interest in the program
`Gnomovision' (which makes passes at compilers) written by James Hacker.

<signature of Ty Coon>, 1 April 1989
Ty Coon, President of Vice

This General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Library General Public License instead of this License.


Example scripts

Example rc.firewall script

#!/bin/sh
#
# rc.firewall - Initial SIMPLE IP Firewall script for Linux 2.4.x and iptables
#
# Copyright (C) 2001  Oskar Andreasson <bluefluxATkoffeinDOTnet>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA  02111-1307   USA
#

###########################################################################
#
# 1. Configuration options.
#

#
# 1.1 Internet Configuration.
#

INET_IP="194.236.50.155"
INET_IFACE="eth0"
INET_BROADCAST="194.236.50.255"

#
# 1.1.1 DHCP
#

#
# 1.1.2 PPPoE
#

#
# 1.2 Local Area Network configuration.
#
# your LAN's IP range and the firewall's own LAN IP. /16 means that only the
# first 16 bits of the 32 bit IP address select the network, the same as
# netmask 255.255.0.0
#

LAN_IP="192.168.0.2"
LAN_IP_RANGE="192.168.0.0/16"
LAN_BROADCAST_ADDRESS="192.168.255.255"
LAN_IFACE="eth1"

#
# 1.3 DMZ Configuration.
#

#
# 1.4 Localhost Configuration.
#

LO_IFACE="lo"
LO_IP="127.0.0.1"

#
# 1.5 IPTables Configuration.
#

IPTABLES="/usr/sbin/iptables"

#
# 1.6 Other Configuration.
#

###########################################################################
#
# 2. Module loading.
#

#
# Needed to initially load modules
#

/sbin/depmod -a

#
# 2.1 Required modules
#

/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state

#
# 2.2 Non-Required modules
#

#/sbin/modprobe ipt_owner
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
#/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_nat_irc

###########################################################################
#
# 3. /proc set up.
#

#
# 3.1 Required proc configuration
#

echo "1" > /proc/sys/net/ipv4/ip_forward

#
# 3.2 Non-Required proc configuration
#

#echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
#echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr

###########################################################################
#
# 4. rules set up.
#

######
# 4.1 Filter table
#

#
# 4.1.1 Set policies
#

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

#
# 4.1.2 Create userspecified chains
#

#
# Create chain for bad tcp packets
#

$IPTABLES -N bad_tcp_packets

#
# Create separate chains for ICMP, TCP and UDP to traverse
#

$IPTABLES -N allowed
$IPTABLES -N tcp_packets
$IPTABLES -N udp_packets
$IPTABLES -N icmp_packets

#
# 4.1.3 Create content in userspecified chains
#

#
# bad_tcp_packets chain
#

$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

#
# allowed chain
#

$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

#
# TCP rules
#

$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed

#
# UDP ports
#

#$IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 53 -j ACCEPT
#$IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 123 -j ACCEPT
$IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 2074 -j ACCEPT
$IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 4000 -j ACCEPT

#
# In Microsoft Networks you will be swamped by broadcasts. These lines 
# will prevent them from showing up in the logs.
#

#$IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d $INET_BROADCAST \
#--destination-port 135:139 -j DROP

#
# If we get DHCP requests from the Outside of our network, our logs will 
# be swamped as well. This rule will block them from getting logged.
#

#$IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d 255.255.255.255 \
#--destination-port 67:68 -j DROP

#
# ICMP rules
#

$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

#
# 4.1.4 INPUT chain
#

#
# Bad TCP packets we don't want.
#

$IPTABLES -A INPUT -p tcp -j bad_tcp_packets

#
# Rules for special networks not part of the Internet
#

$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BROADCAST_ADDRESS -j ACCEPT

#
# Special rule for DHCP requests from LAN, which are not caught properly
# otherwise.
#

$IPTABLES -A INPUT -p UDP -i $LAN_IFACE --dport 67 --sport 68 -j ACCEPT

#
# Rules for incoming packets from the internet.
#

$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED \
-j ACCEPT
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udp_packets
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets

#
# If you have a Microsoft Network on the outside of your firewall, you may
# also get flooded by Multicasts. We drop them so we do not get flooded by
# logs. 224.0.0.0/4 is the whole IPv4 multicast range.
#

#$IPTABLES -A INPUT -i $INET_IFACE -d 224.0.0.0/4 -j DROP

#
# Log weird packets that don't match the above.
#

$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT INPUT packet died: "

#
# 4.1.5 FORWARD chain
#

#
# Bad TCP packets we don't want
#

$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets

#
# Accept the packets we actually want to forward
#

$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT FORWARD packet died: "

#
# 4.1.6 OUTPUT chain
#

#
# Bad TCP packets we don't want.
#

$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets

#
# Special OUTPUT rules to decide which IP's to allow.
#

$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

######
# 4.2 nat table
#

#
# 4.2.1 Set policies
#

#
# 4.2.2 Create user specified chains
#

#
# 4.2.3 Create content in user specified chains
#

#
# 4.2.4 PREROUTING chain
#

#
# 4.2.5 POSTROUTING chain
#

#
# Enable simple IP Forwarding and Network Address Translation
#

$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP

#
# 4.2.6 OUTPUT chain
#

######
# 4.3 mangle table
#

#
# 4.3.1 Set policies
#

#
# 4.3.2 Create user specified chains
#

#
# 4.3.3 Create content in user specified chains
#

#
# 4.3.4 PREROUTING chain
#

#
# 4.3.5 INPUT chain
#

#
# 4.3.6 FORWARD chain
#

#
# 4.3.7 OUTPUT chain
#

#
# 4.3.8 POSTROUTING chain
#


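To see where a given packet actually ends up in the ruleset above, the following added example (my own code, not the tutorial's or its author's) re-encodes the filter-table chains that rc.firewall's INPUT chain can reach and walks them with the first-match, jump and implicit-RETURN semantics iptables applies. The sample packets are constructed for illustration, and the `with_source_port_udp` variant, which keys the udp_packets chain on `--source-port` instead of `--destination-port`, is included to show why matching the source port admits any UDP packet whose sender simply picks that port:

```python
"""Walk packets through a model of the rc.firewall filter table (added example).

INPUT and the user chains it jumps to become (predicate, target) rules; rate
limits and log prefixes are reduced to a bare LOG target that records which
chain logged the packet.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional, Tuple

INET_IP, INET_IFACE = "194.236.50.155", "eth0"          # from rc.firewall section 1
LAN_IP, LAN_IFACE, LAN_NET = "192.168.0.2", "eth1", "192.168.0.0/16"


@dataclass
class Packet:
    iface: str              # interface the packet arrived on
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    syn: bool = False       # SYN set, ACK/RST/FIN clear: what "--syn" matches
    state: str = "NEW"      # conntrack state as "-m state" sees it
    icmp_type: int = -1


Rule = Tuple[Callable[[Packet], bool], str]   # (match predicate, target)
TERMINAL = {"ACCEPT", "DROP", "REJECT"}
POLICY = {"INPUT": "DROP"}                     # "-P INPUT DROP"


def in_net(ip: str, net: str) -> bool:
    return ip_address(ip) in ip_network(net)


def rc_firewall_filter() -> Dict[str, List[Rule]]:
    """Filter-table chains of rc.firewall reachable from INPUT."""
    bad = lambda p: p.proto == "tcp" and not p.syn and p.state == "NEW"
    est = lambda p: p.state in ("ESTABLISHED", "RELATED")
    return {
        "bad_tcp_packets": [(bad, "LOG"), (bad, "DROP")],
        "allowed": [(lambda p: p.proto == "tcp" and p.syn, "ACCEPT"),
                    (lambda p: p.proto == "tcp" and est(p), "ACCEPT"),
                    (lambda p: p.proto == "tcp", "DROP")],
        "tcp_packets": [(lambda p, d=d: p.proto == "tcp" and p.dport == d, "allowed")
                        for d in (21, 22, 80, 113)],
        "udp_packets": [(lambda p, d=d: p.proto == "udp" and p.dport == d, "ACCEPT")
                        for d in (2074, 4000)],
        "icmp_packets": [(lambda p: p.proto == "icmp" and p.icmp_type in (8, 11), "ACCEPT")],
        "INPUT": [
            (lambda p: p.proto == "tcp", "bad_tcp_packets"),
            (lambda p: p.iface == LAN_IFACE and in_net(p.src, LAN_NET), "ACCEPT"),
            (lambda p: p.iface == "lo", "ACCEPT"),             # the three lo rules, merged
            (lambda p: p.iface == LAN_IFACE and p.proto == "udp"
             and p.dport == 67 and p.sport == 68, "ACCEPT"),    # DHCP from the LAN
            (lambda p: p.dst == INET_IP and est(p), "ACCEPT"),
            (lambda p: p.iface == INET_IFACE and p.proto == "tcp", "tcp_packets"),
            (lambda p: p.iface == INET_IFACE and p.proto == "udp", "udp_packets"),
            (lambda p: p.iface == INET_IFACE and p.proto == "icmp", "icmp_packets"),
            (lambda p: True, "LOG"),                           # "IPT INPUT packet died"
        ],
    }


def with_source_port_udp(chains: Dict[str, List[Rule]]) -> Dict[str, List[Rule]]:
    """Same ruleset, but udp_packets keyed on --source-port (the pitfall)."""
    variant = dict(chains)
    variant["udp_packets"] = [(lambda p: p.proto == "udp" and p.sport in (2074, 4000), "ACCEPT")]
    return variant


def walk(chains: Dict[str, List[Rule]], chain: str, p: Packet, log: List[str]) -> Optional[str]:
    """First-match walk of one chain: a terminal verdict, or None when the chain
    runs off its end (implicit RETURN for a user chain, policy for a builtin)."""
    for pred, target in chains[chain]:
        if not pred(p):
            continue
        if target == "LOG":                 # non-terminating target: note it, keep going
            log.append(chain)
            continue
        if target in TERMINAL:
            return target
        sub = walk(chains, target, p, log)  # jump into a user chain
        if sub is not None:
            return sub                      # None means the user chain RETURNed
    return None


def verdict(chains: Dict[str, List[Rule]], chain: str, p: Packet) -> Tuple[str, List[str]]:
    """(final verdict, chains that logged the packet) for p entering a builtin chain."""
    log: List[str] = []
    v = walk(chains, chain, p, log)
    return (v if v is not None else POLICY[chain]), log


# Constructed packets for illustration, not captured traffic.
SAMPLE = {
    "ssh_syn_from_internet": Packet(INET_IFACE, "tcp", "10.1.2.3", INET_IP, 40000, 22, syn=True),
    "ack_scan_from_internet": Packet(INET_IFACE, "tcp", "10.1.2.3", INET_IP, 40000, 22),
    "smtp_syn_from_internet": Packet(INET_IFACE, "tcp", "10.1.2.3", INET_IP, 40000, 25, syn=True),
    "udp_sport_2074_to_31337": Packet(INET_IFACE, "udp", "10.1.2.3", INET_IP, 2074, 31337),
    "lan_host_to_firewall": Packet(LAN_IFACE, "tcp", "192.168.0.10", LAN_IP, 5555, 5555, syn=True),
    "ping_from_internet": Packet(INET_IFACE, "icmp", "10.1.2.3", INET_IP, icmp_type=8),
}

if __name__ == "__main__":
    for name, pkt in SAMPLE.items():
        print(name, "->", verdict(rc_firewall_filter(), "INPUT", pkt))
```

The walk makes two properties of the script visible that are easy to miss when reading the rules: an ACK-only probe to an open port is logged and dropped by bad_tcp_packets before any port rule is consulted, and a SYN to a port missing from tcp_packets is not dropped inside that chain but returns to INPUT, hits the catch-all LOG rule and only then dies on the DROP policy. Under the `--source-port` variant the UDP packet aimed at port 31337 is accepted purely because its sender chose 2074 as the source port.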

Example rc.DMZ.firewall script

#!/bin/sh
#
# rc.DMZ.firewall - DMZ IP Firewall script for Linux 2.4.x and iptables
#
# Copyright (C) 2001  Oskar Andreasson <bluefluxATkoffeinDOTnet>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA  02111-1307   USA
#

###########################################################################
#
# 1. Configuration options.
#

#
# 1.1 Internet Configuration.
#

INET_IP="194.236.50.152"
HTTP_IP="194.236.50.153"
DNS_IP="194.236.50.154"
INET_IFACE="eth0"
# Broadcast address of the Internet-side subnet, referenced by the commented
# NetBIOS rule in the INPUT chain; assumes the same /24 as the other scripts.
INET_BROADCAST="194.236.50.255"

#
# 1.1.1 DHCP
#

#
# 1.1.2 PPPoE
#

#
# 1.2 Local Area Network configuration.
#
# your LAN's IP range and the firewall's own LAN IP. /16 means that only the
# first 16 bits of the 32 bit IP address select the network, the same as
# netmask 255.255.0.0
#

LAN_IP="192.168.0.2"
LAN_IP_RANGE="192.168.0.0/16"
LAN_BROADCAST_ADDRESS="192.168.255.255"
LAN_IFACE="eth1"

#
# 1.3 DMZ Configuration.
#

DMZ_HTTP_IP="192.168.1.2"
DMZ_DNS_IP="192.168.1.3"
DMZ_IP="192.168.1.1"
DMZ_IFACE="eth2"

#
# 1.4 Localhost Configuration.
#

LO_IFACE="lo"
LO_IP="127.0.0.1"

#
# 1.5 IPTables Configuration.
#

IPTABLES="/usr/sbin/iptables"

#
# 1.6 Other Configuration.
#

###########################################################################
#
# 2. Module loading.
#

#
# Needed to initially load modules
#
/sbin/depmod -a



#
# 2.1 Required modules
#

/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state

#
# 2.2 Non-Required modules
#

#/sbin/modprobe ipt_owner
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
#/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_nat_irc

###########################################################################
#
# 3. /proc set up.
#

#
# 3.1 Required proc configuration
#

echo "1" > /proc/sys/net/ipv4/ip_forward

#
# 3.2 Non-Required proc configuration
#

#echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
#echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr

###########################################################################
#
# 4. rules set up.
#

######
# 4.1 Filter table
#

#
# 4.1.1 Set policies
#

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

#
# 4.1.2 Create userspecified chains
#

#
# Create chain for bad tcp packets
#

$IPTABLES -N bad_tcp_packets

#
# Create separate chains for ICMP, TCP and UDP to traverse
#

$IPTABLES -N allowed
$IPTABLES -N icmp_packets
$IPTABLES -N tcp_packets
$IPTABLES -N udp_packets

#
# 4.1.3 Create content in userspecified chains
#

#
# bad_tcp_packets chain
#

$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

#
# allowed chain
#

$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

#
# ICMP rules
#

# Changed rules totally
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

#
# 4.1.4 INPUT chain
#

#
# Bad TCP packets we don't want
#

$IPTABLES -A INPUT -p tcp -j bad_tcp_packets

#
# Packets from the Internet to this box
#

$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets

#
# Packets from LAN, DMZ or LOCALHOST
#

#
# From DMZ Interface to DMZ firewall IP
#

$IPTABLES -A INPUT -p ALL -i $DMZ_IFACE -d $DMZ_IP -j ACCEPT

#
# From LAN Interface to LAN firewall IP
#

$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BROADCAST_ADDRESS -j ACCEPT

#
# From Localhost interface to Localhost IP's
#

$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $DMZ_IP -j ACCEPT

#
# Special rule for DHCP requests from LAN, which are not caught properly
# otherwise.
#

$IPTABLES -A INPUT -p UDP -i $LAN_IFACE --dport 67 --sport 68 -j ACCEPT

#
# All established and related packets incoming from the internet to the
# firewall
#

$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED \
-j ACCEPT

#
# In Microsoft Networks you will be swamped by broadcasts. These lines
# will prevent them from showing up in the logs.
#

#$IPTABLES -A INPUT -p UDP -i $INET_IFACE -d $INET_BROADCAST \
#--destination-port 135:139 -j DROP

#
# If we get DHCP requests from the Outside of our network, our logs will
# be swamped as well. This rule will block them from getting logged.
#

#$IPTABLES -A INPUT -p UDP -i $INET_IFACE -d 255.255.255.255 \
#--destination-port 67:68 -j DROP

#
# If you have a Microsoft Network on the outside of your firewall, you may
# also get flooded by Multicasts. We drop them so we do not get flooded by
# logs. 224.0.0.0/4 is the whole IPv4 multicast range.
#

#$IPTABLES -A INPUT -i $INET_IFACE -d 224.0.0.0/4 -j DROP

#
# Log weird packets that don't match the above.
#

$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT INPUT packet died: "

#
# 4.1.5 FORWARD chain
#

#
# Bad TCP packets we don't want
#

$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets


#
# DMZ section
#
# General rules. Note that the last rule lets DMZ hosts open new connections
# into the LAN, so a compromised DMZ server has a path to internal hosts.
# Restricting it to "-m state --state ESTABLISHED,RELATED", as is done for
# Internet-to-DMZ traffic below, keeps the DMZ one-way.
#

$IPTABLES -A FORWARD -i $DMZ_IFACE -o $INET_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $INET_IFACE -o $DMZ_IFACE -m state \
--state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $LAN_IFACE -o $DMZ_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $DMZ_IFACE -o $LAN_IFACE -j ACCEPT

#
# HTTP server
#

$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP \
--dport 80 -j allowed
$IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP \
-j icmp_packets

#
# DNS server
#

$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP \
--dport 53 -j allowed
$IPTABLES -A FORWARD -p UDP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP \
--dport 53 -j ACCEPT
$IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP \
-j icmp_packets

#
# LAN section
#

$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT FORWARD packet died: "

#
# 4.1.6 OUTPUT chain
#

#
# Bad TCP packets we don't want.
#

$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets

#
# Special OUTPUT rules to decide which IP's to allow.
#

$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT
# Without this rule the firewall's own replies to DMZ hosts, sourced from
# $DMZ_IP, fall through to the OUTPUT DROP policy even though INPUT accepts
# the requests.
$IPTABLES -A OUTPUT -p ALL -s $DMZ_IP -j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

######
# 4.2 nat table
#

#
# 4.2.1 Set policies
#

#
# 4.2.2 Create user specified chains
#

#
# 4.2.3 Create content in user specified chains
#

#
# 4.2.4 PREROUTING chain
#

$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $HTTP_IP --dport 80 \
-j DNAT --to-destination $DMZ_HTTP_IP
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $DNS_IP --dport 53 \
-j DNAT --to-destination $DMZ_DNS_IP
$IPTABLES -t nat -A PREROUTING -p UDP -i $INET_IFACE -d $DNS_IP --dport 53 \
-j DNAT --to-destination $DMZ_DNS_IP

#
# 4.2.5 POSTROUTING chain
#

#
# Enable simple IP Forwarding and Network Address Translation
#

$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP

#
# 4.2.6 OUTPUT chain
#

######
# 4.3 mangle table
#

#
# 4.3.1 Set policies
#

#
# 4.3.2 Create user specified chains
#

#
# 4.3.3 Create content in user specified chains
#

#
# 4.3.4 PREROUTING chain
#

#
# 4.3.5 INPUT chain
#

#
# 4.3.6 FORWARD chain
#

#
# 4.3.7 OUTPUT chain
#

#
# 4.3.8 POSTROUTING chain
#



Example rc.UTIN.firewall script

#!/bin/sh
#
# rc.UTIN.firewall - UTIN Firewall script for Linux 2.4.x and iptables
#
# Copyright (C) 2001  Oskar Andreasson <bluefluxATkoffeinDOTnet>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA  02111-1307   USA
#

###########################################################################
#
# 1. Configuration options.
#

#
# 1.1 Internet Configuration.
#

INET_IP="194.236.50.155"
INET_IFACE="eth0"
INET_BROADCAST="194.236.50.255"

#
# 1.1.1 DHCP
#

#
# 1.1.2 PPPoE
#

#
# 1.2 Local Area Network configuration.
#
# your LAN's IP range and the firewall's own LAN IP. /16 means that only the
# first 16 bits of the 32 bit IP address select the network, the same as
# netmask 255.255.0.0
#

LAN_IP="192.168.0.2"
LAN_IP_RANGE="192.168.0.0/16"
LAN_IFACE="eth1"

#
# 1.3 DMZ Configuration.
#

#
# 1.4 Localhost Configuration.
#

LO_IFACE="lo"
LO_IP="127.0.0.1"

#
# 1.5 IPTables Configuration.
#

IPTABLES="/usr/sbin/iptables"

#
# 1.6 Other Configuration.
#

###########################################################################
#
# 2. Module loading.
#

#
# Needed to initially load modules
#

/sbin/depmod -a

#
# 2.1 Required modules
#

/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state

#
# 2.2 Non-Required modules
#

#/sbin/modprobe ipt_owner
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
#/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_nat_irc

###########################################################################
#
# 3. /proc set up.
#

#
# 3.1 Required proc configuration
#

echo "1" > /proc/sys/net/ipv4/ip_forward

#
# 3.2 Non-Required proc configuration
#

#echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
#echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr

###########################################################################
#
# 4. rules set up.
#

######
# 4.1 Filter table
#

#
# 4.1.1 Set policies
#

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

#
# 4.1.2 Create userspecified chains
#

#
# Create chain for bad tcp packets
#

$IPTABLES -N bad_tcp_packets

#
# Create separate chains for ICMP, TCP and UDP to traverse
#

$IPTABLES -N allowed
$IPTABLES -N tcp_packets
$IPTABLES -N udp_packets
$IPTABLES -N icmp_packets

#
# 4.1.3 Create content in userspecified chains
#

#
# bad_tcp_packets chain
#

$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

#
# allowed chain
#

$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

#
# TCP rules
#

$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed

#
# UDP ports
#

#$IPTABLES -A udp_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
#$IPTABLES -A udp_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT
$IPTABLES -A udp_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT
$IPTABLES -A udp_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT

#
# In Microsoft Networks you will be swamped by broadcasts. These lines
# will prevent them from showing up in the logs.
#

#$IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d $INET_BROADCAST \
#--destination-port 135:139 -j DROP

#
# If we get DHCP requests from the Outside of our network, our logs will
# be swamped as well. This rule will block them from getting logged.
#

#$IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d 255.255.255.255 \
#--destination-port 67:68 -j DROP

#
# ICMP rules
#

$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

#
# 4.1.4 INPUT chain
#

#
# Bad TCP packets we don't want.
#

$IPTABLES -A INPUT -p tcp -j bad_tcp_packets

#
# Rules for special networks not part of the Internet
#

$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT

#
# Rules for incoming packets from anywhere.
#

$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED \
-j ACCEPT
$IPTABLES -A INPUT -p TCP -j tcp_packets
$IPTABLES -A INPUT -p UDP -j udp_packets
$IPTABLES -A INPUT -p ICMP -j icmp_packets

#
# If you have a Microsoft Network on the outside of your firewall, you may
# also get flooded by Multicasts. We drop them so we do not get flooded by
# logs
#

#$IPTABLES -A INPUT -i $INET_IFACE -d 224.0.0.0/8 -j DROP

#
# Log weird packets that don't match the above.
#

$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT INPUT packet died: "

#
# 4.1.5 FORWARD chain
#

#
# Bad TCP packets we don't want
#

$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets

#
# Accept the packets we actually want to forward
#

$IPTABLES -A FORWARD -p tcp --dport 21 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 80 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 110 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT FORWARD packet died: "

#
# 4.1.6 OUTPUT chain
#

#
# Bad TCP packets we don't want.
#

$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets

#
# Special OUTPUT rules to decide which IP's to allow.
#

$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

######
# 4.2 nat table
#

#
# 4.2.1 Set policies
#

#
# 4.2.2 Create user specified chains
#

#
# 4.2.3 Create content in user specified chains
#

#
# 4.2.4 PREROUTING chain
#

#
# 4.2.5 POSTROUTING chain
#

#
# Enable simple IP Forwarding and Network Address Translation
#

$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP

#
# 4.2.6 OUTPUT chain
#

######
# 4.3 mangle table
#

#
# 4.3.1 Set policies
#

#
# 4.3.2 Create user specified chains
#

#
# 4.3.3 Create content in user specified chains
#

#
# 4.3.4 PREROUTING chain
#

#
# 4.3.5 INPUT chain
#

#
# 4.3.6 FORWARD chain
#

#
# 4.3.7 OUTPUT chain
#

#
# 4.3.8 POSTROUTING chain
#



Example script rc.DHCP.firewall

#!/bin/sh
#
# rc.firewall - DHCP IP Firewall script for Linux 2.4.x and iptables
#
# Copyright (C) 2001  Oskar Andreasson <bluefluxATkoffeinDOTnet>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA  02111-1307   USA
#

###########################################################################
#
# 1. Configuration options.
#

#
# 1.1 Internet Configuration.
#

INET_IFACE="eth0"

#
# 1.1.1 DHCP
#

#
# Information pertaining to DHCP over the Internet, if needed.
#
# Set DHCP variable to no if you don't get IP from DHCP. If you get DHCP
# over the Internet set this variable to yes, and set up the proper IP
# address for the DHCP server in the DHCP_SERVER variable.
#

DHCP="no"
DHCP_SERVER="195.22.90.65"

#
# 1.1.2 PPPoE
#

# Configuration options pertaining to PPPoE.
#
# If you have problem with your PPPoE connection, such as large mails not
# getting through while small mail get through properly etc, you may set
# this option to "yes" which may fix the problem. This option will set a
# rule in the PREROUTING chain of the mangle table which will clamp
# (resize) all routed packets to PMTU (Path Maximum Transmit Unit).
#
# Note that it is better to set this up in the PPPoE package itself, since
# the PPPoE configuration option will give less overhead.
#

PPPOE_PMTU="no"

#
# 1.2 Local Area Network configuration.
#
# your LAN's IP range and localhost IP. /24 means to only use the first 24
# bits of the 32 bit IP address. the same as netmask 255.255.255.0
#

LAN_IP="192.168.0.2"
LAN_IP_RANGE="192.168.0.0/16"
LAN_BROADCAST_ADDRESS="192.168.255.255"
LAN_IFACE="eth1"

#
# 1.3 DMZ Configuration.
#

#
# 1.4 Localhost Configuration.
#

LO_IFACE="lo"
LO_IP="127.0.0.1"

#
# 1.5 IPTables Configuration.
#

IPTABLES="/usr/sbin/iptables"

#
# 1.6 Other Configuration.
#

###########################################################################
#
# 2. Module loading.
#

#
# Needed to initially load modules
#

/sbin/depmod -a

#
# 2.1 Required modules
#

/sbin/modprobe ip_conntrack
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_MASQUERADE

#
# 2.2 Non-Required modules
#

#/sbin/modprobe ipt_owner
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
#/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_nat_irc

###########################################################################
#
# 3. /proc set up.
#

#
# 3.1 Required proc configuration
#

echo "1" > /proc/sys/net/ipv4/ip_forward

#
# 3.2 Non-Required proc configuration
#

#echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
#echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr

###########################################################################
#
# 4. rules set up.
#

######
# 4.1 Filter table
#

#
# 4.1.1 Set policies
#

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

#
# 4.1.2 Create userspecified chains
#

#
# Create chain for bad tcp packets
#

$IPTABLES -N bad_tcp_packets

#
# Create separate chains for ICMP, TCP and UDP to traverse
#

$IPTABLES -N allowed
$IPTABLES -N tcp_packets
$IPTABLES -N udp_packets
$IPTABLES -N icmp_packets

#
# 4.1.3 Create content in userspecified chains
#

#
# bad_tcp_packets chain
#

$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

#
# allowed chain
#

$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

#
# TCP rules
#

$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed

#
# UDP ports
#

$IPTABLES -A udp_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
if [ "$DHCP" = "yes" ] ; then
 $IPTABLES -A udp_packets -p UDP -s $DHCP_SERVER --sport 67 \
 --dport 68 -j ACCEPT
fi

#$IPTABLES -A udp_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
#$IPTABLES -A udp_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT
$IPTABLES -A udp_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT
$IPTABLES -A udp_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT

#
# In Microsoft Networks you will be swamped by broadcasts. These lines
# will prevent them from showing up in the logs.
#

#$IPTABLES -A udp_packets -p UDP -i $INET_IFACE \
#--destination-port 135:139 -j DROP

#
# If we get DHCP requests from the Outside of our network, our logs will
# be swamped as well. This rule will block them from getting logged.
#

#$IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d 255.255.255.255 \
#--destination-port 67:68 -j DROP

#
# ICMP rules
#

$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

#
# 4.1.4 INPUT chain
#

#
# Bad TCP packets we don't want.
#

$IPTABLES -A INPUT -p tcp -j bad_tcp_packets

#
# Rules for special networks not part of the Internet
#

$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BROADCAST_ADDRESS -j ACCEPT

#
# Special rule for DHCP requests from LAN, which are not caught properly 
# otherwise.
#

$IPTABLES -A INPUT -p UDP -i $LAN_IFACE --dport 67 --sport 68 -j ACCEPT

#
# Rules for incoming packets from the internet.
#

$IPTABLES -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
-j ACCEPT
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udp_packets
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets

#
# If you have a Microsoft Network on the outside of your firewall, you may
# also get flooded by Multicasts. We drop them so we do not get flooded by
# logs
#

#$IPTABLES -A INPUT -i $INET_IFACE -d 224.0.0.0/8 -j DROP

#
# Log weird packets that don't match the above.
#

$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT INPUT packet died: "

#
# 4.1.5 FORWARD chain
#

#
# Bad TCP packets we don't want
#

$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets

#
# Accept the packets we actually want to forward
#

$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT FORWARD packet died: "

#
# 4.1.6 OUTPUT chain
#

#
# Bad TCP packets we don't want.
#

$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets

#
# Special OUTPUT rules to decide which IP's to allow.
#

$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

######
# 4.2 nat table
#

#
# 4.2.1 Set policies
#

#
# 4.2.2 Create user specified chains
#

#
# 4.2.3 Create content in user specified chains
#

#
# 4.2.4 PREROUTING chain
#

#
# 4.2.5 POSTROUTING chain
#

if [ "$PPPOE_PMTU" = "yes" ] ; then
 $IPTABLES -t nat -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN \
 -j TCPMSS --clamp-mss-to-pmtu
fi
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE

#
# 4.2.6 OUTPUT chain
#

######
# 4.3 mangle table
#

#
# 4.3.1 Set policies
#

#
# 4.3.2 Create user specified chains
#

#
# 4.3.3 Create content in user specified chains
#

#
# 4.3.4 PREROUTING chain
#

#
# 4.3.5 INPUT chain
#

#
# 4.3.6 FORWARD chain
#

#
# 4.3.7 OUTPUT chain
#

#
# 4.3.8 POSTROUTING chain
#



Example script rc.flush-iptables

#!/bin/sh

# rc.flush-iptables - Resets iptables to default values. 

# Copyright (C) 2001  Oskar Andreasson <bluefluxATkoffeinDOTnet>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA  02111-1307   USA

#
# Configurations
#
IPTABLES="/usr/sbin/iptables"

#
# reset the default policies in the filter table.
#
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT

#
# reset the default policies in the nat table.
#
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT

#
# reset the default policies in the mangle table.
#
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT

#
# flush all the rules in the filter, nat and mangle tables.
#
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
#
# delete all user-defined (non-default) chains in the filter, nat and mangle tables.
#
$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X





Example script rc.test-iptables

#!/bin/bash
#
# rc.test-iptables - test script for iptables chains and tables.
#
# Copyright (C) 2001  Oskar Andreasson <bluefluxATkoffeinDOTnet>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA  02111-1307   USA
#

#
# Filter table, all chains
#
iptables -t filter -A INPUT -p icmp --icmp-type echo-request \
-j LOG --log-prefix="filter INPUT:"
iptables -t filter -A INPUT -p icmp --icmp-type echo-reply \
-j LOG --log-prefix="filter INPUT:"
iptables -t filter -A OUTPUT -p icmp --icmp-type echo-request \
-j LOG --log-prefix="filter OUTPUT:"
iptables -t filter -A OUTPUT -p icmp --icmp-type echo-reply \
-j LOG --log-prefix="filter OUTPUT:"
iptables -t filter -A FORWARD -p icmp --icmp-type echo-request \
-j LOG --log-prefix="filter FORWARD:"
iptables -t filter -A FORWARD -p icmp --icmp-type echo-reply \
-j LOG --log-prefix="filter FORWARD:"

#
# NAT table, all chains except OUTPUT which don't work.
#
iptables -t nat -A PREROUTING -p icmp --icmp-type echo-request \
-j LOG --log-prefix="nat PREROUTING:"
iptables -t nat -A PREROUTING -p icmp --icmp-type echo-reply \
-j LOG --log-prefix="nat PREROUTING:"
iptables -t nat -A POSTROUTING -p icmp --icmp-type echo-request \
-j LOG --log-prefix="nat POSTROUTING:"
iptables -t nat -A POSTROUTING -p icmp --icmp-type echo-reply \
-j LOG --log-prefix="nat POSTROUTING:"
iptables -t nat -A OUTPUT -p icmp --icmp-type echo-request \
-j LOG --log-prefix="nat OUTPUT:"
iptables -t nat -A OUTPUT -p icmp --icmp-type echo-reply \
-j LOG --log-prefix="nat OUTPUT:"

#
# Mangle table, all chains
#
iptables -t mangle -A PREROUTING -p icmp --icmp-type echo-request \
-j LOG --log-prefix="mangle PREROUTING:"
iptables -t mangle -A PREROUTING -p icmp --icmp-type echo-reply \
-j LOG --log-prefix="mangle PREROUTING:"
iptables -t mangle -A OUTPUT -p icmp --icmp-type echo-request \
-j LOG --log-prefix="mangle OUTPUT:"
iptables -t mangle -A OUTPUT -p icmp --icmp-type echo-reply \
-j LOG --log-prefix="mangle OUTPUT:"
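As an added example (not part of the tutorial or its scripts), the POSIX shell function below reconstructs, from syslog lines of the kind the LOG rules in rc.test-iptables produce, the order in which one ping traversed the tables and chains; only the --log-prefix strings come from the script, while the log excerpt, host name, addresses and ICMP id are constructed, and the field layout is trimmed to what matters here.

```shell
#!/bin/sh
# Added example, not part of the tutorial: reconstruct a packet's traversal
# order from the syslog lines that the LOG rules of rc.test-iptables emit.
# Only the --log-prefix strings come from the script; the host name,
# addresses, ICMP id and the trimmed field layout below are constructed.

# Constructed log excerpt: one ping (SEQ=1) from LAN host 192.168.0.5 (eth1)
# to Internet host 10.0.0.9 (eth0), forwarded and masqueraded by the firewall
# whose external address is 198.51.100.7.
SAMPLE_LOG='Mar  5 10:00:01 fw kernel: mangle PREROUTING:IN=eth1 OUT= SRC=192.168.0.5 DST=10.0.0.9 PROTO=ICMP TYPE=8 CODE=0 ID=4711 SEQ=1
Mar  5 10:00:01 fw kernel: nat PREROUTING:IN=eth1 OUT= SRC=192.168.0.5 DST=10.0.0.9 PROTO=ICMP TYPE=8 CODE=0 ID=4711 SEQ=1
Mar  5 10:00:01 fw kernel: filter FORWARD:IN=eth1 OUT=eth0 SRC=192.168.0.5 DST=10.0.0.9 PROTO=ICMP TYPE=8 CODE=0 ID=4711 SEQ=1
Mar  5 10:00:01 fw kernel: nat POSTROUTING:IN= OUT=eth0 SRC=192.168.0.5 DST=10.0.0.9 PROTO=ICMP TYPE=8 CODE=0 ID=4711 SEQ=1
Mar  5 10:00:01 fw kernel: mangle PREROUTING:IN=eth0 OUT= SRC=10.0.0.9 DST=198.51.100.7 PROTO=ICMP TYPE=0 CODE=0 ID=4711 SEQ=1
Mar  5 10:00:01 fw kernel: filter FORWARD:IN=eth0 OUT=eth1 SRC=10.0.0.9 DST=192.168.0.5 PROTO=ICMP TYPE=0 CODE=0 ID=4711 SEQ=1'

# traversal_order LOG ICMPTYPE SEQ
# Prints, comma-separated and in log order, the "<table> <chain>" prefixes
# that logged the ICMP packet with the given type (8 = echo-request,
# 0 = echo-reply) and sequence number. Prints nothing if it was never logged.
traversal_order() {
    printf '%s\n' "$1" | awk -v icmptype="$2" -v icmpseq="$3" '
        index($0, "kernel: ") && $0 ~ ("TYPE=" icmptype " ") && $0 ~ ("SEQ=" icmpseq "$") {
            chain = $0
            sub(/^.*kernel: /, "", chain)   # drop the syslog timestamp and host
            sub(/:IN=.*$/, "", chain)       # keep only the --log-prefix text
            order = (order == "" ? chain : order "," chain)
        }
        END { print order }'
}

# nat_skipped LOG SEQ
# "yes" when the echo-reply of that ping was logged by no nat chain. That is
# the expected result: the nat table sees only the first packet of a
# connection; later packets are handled from the conntrack entry.
nat_skipped() {
    case "$(traversal_order "$1" 0 "$2")" in
        *nat*) echo no ;;
        *)     echo yes ;;
    esac
}

echo "echo-request: $(traversal_order "$SAMPLE_LOG" 8 1)"
echo "echo-reply:   $(traversal_order "$SAMPLE_LOG" 0 1)"
echo "reply bypassed the nat table: $(nat_skipped "$SAMPLE_LOG" 1)"
```

Feeding it a real /var/log/messages excerpt taken while rc.test-iptables is loaded gives the same kind of listing for any ping you send through or at the firewall.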





End.


Iptables Tutorial 1.1.11

Oskar Andreasson (blueflux@koffein.net)

Copyright (C) 2001 by Oskar Andreasson

Translation: Andrey Kiselev kis_an@mail.ru
The original can be found at: http://www.linuxsecurity.com/resource_files/firewalls/IPTables-Tutorial/iptables-tutorial.html

Copying and/or modification of this document or parts of it is permitted under the terms of the GNU Free Documentation License, version 1.1. The invariant sections are the "Introduction" section and all its subsections, as well as the sections beginning with the words "Original Author: Oskar Andreasson". A copy of the GNU Free Documentation License is included in this document, in the section "GNU Free Documentation License".

All scripts in this tutorial are covered by the GNU General Public License. They are all freely distributable and may be copied and/or modified under the terms of the GNU General Public License version 2.

All scripts are distributed in the hope that they will be useful to you, but WITHOUT ANY WARRANTY. For more information see the text of the GNU General Public License.

A copy of the GNU General Public License should be distributed with this document, in the section "GNU General Public License"; if it is missing, you can write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA


Contents

Introduction
About the author
Dedications
Why this tutorial was written
How the document was written
How to read this document
Terms used in this document
Preparations
Where to get iptables
Kernel setup
Package installation
Building the package
Installation on Red Hat 7.1
Traversal order of tables and chains
General
The Mangle table
The Nat table
The Filter table
The state machine
Introduction
The conntrack table
States
TCP connections
UDP connections
ICMP connections
Default behaviour
Tracking complex protocols
How to build rules
Basics
Tables
Commands
Matches
Generic matches
Implicit matches
Explicit matches
Targets and jumps
The ACCEPT target
The DROP target
The QUEUE target
The RETURN target
The LOG target
The MARK target
The REJECT target
The TOS target
The MIRROR target
The SNAT target
The DNAT target
The MASQUERADE target
The REDIRECT target
The TTL target
The ULOG target
The rc.firewall file
Example rc.firewall
Explanation of the rc.firewall script
Configuration
Loading additional modules
/proc setup
Placing rules in other chains
Setting default policies
Creating user-defined chains
The bad_tcp_packets chain
The allowed chain
The TCP chain
The UDP chain
The ICMP chain
The INPUT chain
The OUTPUT chain
The FORWARD chain
The PREROUTING chain of the nat table
Starting Network Address Translation
Example scripts
Structure of the rc.firewall.txt file
Structure
rc.firewall.txt
rc.DMZ.firewall.txt
rc.DHCP.firewall.txt
rc.UTIN.firewall.txt
rc.test-iptables.txt
rc.flush-iptables.txt
Detailed explanation of special commands
Listing the active rule set
Updating and flushing your tables
Common problems and questions
Module loading problems
Passive FTP without DCC
NEW packets without the SYN bit set
Internet Service Providers (ISPs) that use reserved IP addresses
Letting DHCP requests through iptables
mIRC DCC problems
ICMP types
Links to other resources
Acknowledgements
History
GNU Free Documentation License
0. PREAMBLE
1. APPLICABILITY AND DEFINITIONS
2. VERBATIM COPYING
3. COPYING IN QUANTITY
4. MODIFICATIONS
5. COMBINING DOCUMENTS
6. COLLECTIONS OF DOCUMENTS
7. AGGREGATION WITH INDEPENDENT WORKS
8. TRANSLATION
9. TERMINATION
10. FUTURE REVISIONS OF THIS LICENSE
How to use this License for your documents
GNU General Public License
0. Preamble
1. TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
2. How to Apply These Terms to Your New Programs
Example scripts
Example script rc.firewall
Example script rc.firewall
Example script rc.DMZ.firewall
Example script rc.UTIN.firewall
Example script rc.DHCP.firewall
Example script rc.flush-iptables
rc.test-iptables

Introduction

About the author

I am someone who has a fair number of aging computers in my care, which I have joined into a local network with Internet access, and whose security I look after. In that respect the move from ipchains to iptables is justified. Previously, to improve the security of your network, you could cut off all packets by closing specific ports, but this caused problems with passive FTP or outgoing DCC in IRC, where ports on the server are assigned dynamically and then reported to the client for making the connection. At the very start I ran into some 'ailments' inherited from ipchains and considered the iptables code not quite ready for a final release. Today, though, I would recommend that everyone who uses ipchains and ipfwadm in their work 'switch over' to iptables!


Dedications

First of all I would like to dedicate this document to my wonderful girlfriend Ninel. She supports me more than I will ever be able to support her.

Secondly, to all the Linux developers who made this wonderful operating system, for their incredibly hard work.


Why this tutorial was written

Let's put it this way: I felt there was an annoying gap in the HOWTOs when it comes to information about iptables and the netfilter functions implemented in the new 2.4.x series of Linux kernels. Among other things, I tried to answer some questions about the new features, for example state matching of packets (I could not find a better term :(( translator's note), which makes passive FTP to your server possible but does not let outgoing DCC traffic from IRC through. All the examples will be taken from the rc.firewall.txt file, which you can put in /etc/rc.d/. For those who are interested, I can tell you that this file was originally based on the masquerading HOWTO.

There you will also find a small script, rc.flush-iptables.txt, written by me. You can use it too, extending it for your configuration where needed.


How it was written

I asked questions of Marc Boucher and other members of the netfilter development team. Taking the opportunity, I express my deep gratitude for their help in creating this tutorial, which was written for boingworld.com. In it you will walk through the setup process step by step and, I hope, by the end of the document you will know considerably more about the iptables package. Most of the material is based on the rc.firewall.txt file, since I believe that going through an example is the best way to learn iptables. I will go through the main rule chains in the order they are traversed. This makes the learning somewhat harder, but the presentation becomes more logical. And whenever you run into trouble, you can come back to this tutorial.


How to read this document

This document is written to make it easier for readers to understand the wonderful world of iptables. You will not find information here about bugs in iptables or in netfilter. If you run into them, you can contact the development team, and they in turn can tell you whether such a bug really exists. Today iptables and netfilter are practically bug-free, although now and then one or two "slip through". Information about such bugs always appears on the netfilter main page.

The above also means that when the rule sets accompanying this tutorial were written, no possible bugs inside netfilter were taken into account. The main purpose of the examples is to show how a rule set is written and the problems you may run into. For example, this document does not explain how to close the Apache 1.2.12 vulnerability on the HTTP port (in fact, the examples do show how to close that port, but for a different reason).

This document was written to give beginners a good and simple, yet reasonably complete, iptables tutorial. It contains no information about the targets and matches from patch-o-matic, for the simple reason that it would take too much effort to keep track of the whole list of changes. If you need information about the patch-o-matic modifications, you should turn to the documentation that accompanies the particular patch-o-matic; it is available on the netfilter main page.


Terms used in this document

This document contains a few terms that should be explained before you encounter them.

Stream - by this term we mean a connection over which packets are sent and received. I have used the term for connections over which at least 2 packets are sent, in both directions. In the case of TCP this can mean a connection over which a SYN packet is sent and then a SYN/ACK packet is received. But it can also mean sending a SYN packet and receiving an ICMP Host unreachable message. In other words, I use this term in a fairly broad range of applications.

State - by this term we mean the state a packet is in, according to RFC 793 - Transmission Control Protocol, and also according to the interpretations used in netfilter/iptables.


Preparations

The aim of this chapter is to help you understand the role that netfilter and iptables play in Linux today. It should also help you install and set up a firewall.


Where to get iptables

The iptables packages can be downloaded from the netfilter home page. To work with iptables, the kernel of your Linux system must be configured accordingly. Kernel setup is discussed below.


Kernel setup

To provide the basic iptables features, the following options must be enabled in the kernel using make config or similar (make menuconfig or make xconfig, translator's note):

CONFIG_PACKET -- This option is needed for applications that work directly with network devices, for example tcpdump or snort.

CONFIG_NETFILTER -- This option is needed if you intend to use the computer as a firewall or as a gateway to the Internet. In other words, you will definitely need it, otherwise why read this tutorial at all!

And of course you need to add drivers for your devices, i.e. for the Ethernet card, PPP and SLIP. To use the advanced features of iptables you will have to enable some additional options in the kernel. Below is a list of the options for kernel 2.4.9 with a short description of each.

CONFIG_IP_NF_CONNTRACK -- Connection tracking. Connection tracking is used, among other things, for network address translation and masquerading (NAT and Masquerading). If you intend to build a firewall for a local network, you will definitely need this option. For example, this module is required for rc.firewall.txt to work.

CONFIG_IP_NF_FTP -- FTP connection tracking. The FTP exchange is too involved for the ordinary tracking methods to handle. If you do not add this module, you will have trouble passing the FTP protocol through the firewall.

CONFIG_IP_NF_IPTABLES -- This option is needed to perform filtering, network address translation (NAT) and masquerading. Without it you cannot do anything at all with iptables.

CONFIG_IP_NF_MATCH_LIMIT -- This module is optional, but it is used in the rc.firewall.txt examples. It provides the ability to limit how many times a given rule matches. For example, -m limit --limit 3/minute specifies that the rule may match at most 3 packets per minute. This module can thus be used for protection against Denial of Service attacks.
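An added example, not from the tutorial: a small POSIX shell model of the token bucket behind -m limit, run with the values the example scripts put on their LOG rules (--limit 3/minute --limit-burst 3), to show which packets of a burst are still matched and which the match silently lets through to the next rule; the packet arrival times are constructed, and the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not from the tutorial: a POSIX shell model of the token
# bucket behind "-m limit", with the values the example scripts use on their
# LOG rules (--limit 3/minute --limit-burst 3). It shows which packets of a
# burst are still matched (logged) and which the match silently lets pass
# to the next rule. The packet arrival times below are constructed.

# limit_match RATE_PER_MINUTE BURST
# Reads one packet arrival time (seconds) per line on stdin and prints
# "<time> MATCH" or "<time> skip" per packet. The bucket starts full with
# BURST tokens, a match costs one token, and tokens refill continuously at
# RATE_PER_MINUTE, never exceeding BURST (the ipt_limit credit/credit_cap
# scheme expressed in tokens instead of jiffies).
limit_match() {
    awk -v rate="$1" -v burst="$2" '
        BEGIN { secs_per_token = 60 / rate; credit = burst }
        {
            now = $1 + 0
            if (NR > 1) {
                credit += (now - last) / secs_per_token
                if (credit > burst) credit = burst
            }
            last = now
            if (credit >= 1) { credit -= 1; print now, "MATCH" }
            else             { print now, "skip" }
        }'
}

# Eight packets: three in quick succession, one more a second later, then
# sparse arrivals; only the first three and the ones arriving after the
# bucket has refilled a whole token are matched.
ARRIVALS='0
1
2
3
10
25
26
100'

printf '%s\n' "$ARRIVALS" | limit_match 3 3
```

A "skip" here means the LOG rule does not fire for that packet, so during a flood most dropped packets never reach the log.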

CONFIG_IP_NF_MATCH_MAC -- This module lets you build rules based on MAC addresses. As you know, every network card has its own unique Ethernet address, so it is possible to block packets coming from particular MAC addresses (that is, from particular network cards). Note, however, that this module is not used in rc.firewall.txt or anywhere else in this tutorial.

CONFIG_IP_NF_MATCH_MARK -- The packet marking function (MARK). For example, using MARK we can mark the packets we want and then, in other tables, make routing decisions about a marked packet depending on the value of the mark. A more detailed description of MARK is given later in this document.

CONFIG_IP_NF_MATCH_MULTIPORT -- This module lets you build rules that check whether a packet belongs to a range of source/destination port numbers.

CONFIG_IP_NF_MATCH_TOS -- This module lets you build rules based on the state of the TOS field in a packet. TOS stands for Type Of Service. It also becomes possible to set and clear bits of this field in your own rules in the mangle table or with the ip/tc commands.

CONFIG_IP_NF_MATCH_TCPMSS -- This option adds the ability to check the MSS field of TCP packets.

CONFIG_IP_NF_MATCH_STATE -- This is one of the biggest improvements compared with ipchains. This module makes it possible to control TCP packets based on their state. For example, suppose we have an established TCP connection with traffic in both directions; then a packet received over such a connection will be considered ESTABLISHED (established connection -- editor's note). This feature is used extensively in the rc.firewall.txt example.

CONFIG_IP_NF_MATCH_UNCLEAN -- This module provides an additional check of IP, TCP, UDP and ICMP packets for inconsistencies, "oddities" and errors. Having installed it we can, for example, "cut off" packets of that kind. Note, however, that this module is still at the experimental stage and will not behave the same in every case, so you can never be sure that you have not "dropped" perfectly valid packets.

CONFIG_IP_NF_MATCH_OWNER - Checks the "owner" of a connection (socket). For example, we can allow only the user root to access the Internet. This module was written as an example of working with iptables. Note that this module has experimental status and may not always do its job.

CONFIG_IP_NF_FILTER -- Implements the filter table, where most of the filtering is done. This table holds the INPUT, FORWARD and OUTPUT chains. This module is mandatory if you plan to filter packets.

CONFIG_IP_NF_TARGET_REJECT -- Adds the REJECT target, which sends an ICMP error message in reply to an incoming packet that is rejected by the given rule. Remember that TCP connections, unlike UDP and ICMP, are always terminated or refused with a TCP RST packet.

CONFIG_IP_NF_TARGET_MIRROR -- The ability to send a received packet back (reflection). For example, if the MIRROR target is applied to packets going to the HTTP port through our INPUT chain (i.e. to our web server, translator's note), the packet will be sent back (mirrored) and, as a result, the sender will see their own home page. (This is one big pile of "ifs": if the sender runs a web server, if it listens on the same port, if the sender has a home page, and so on. The gist is that from the sender's point of view everything looks as if the packet had been sent to their own machine; put simply, the MIRROR target swaps the source and destination addresses and sends the modified packet back out to the network, translator's note.)

CONFIG_IP_NF_NAT -- NAT. Network address translation in its various forms. With this option you can give all the computers in your local network Internet access while having only one unique IP address. This option is required for the rc.firewall.txt example to work.

CONFIG_IP_NF_TARGET_MASQUERADE -- Masquerading. Unlike NAT, masquerading is used when our IP address on the Internet is not known in advance, i.e. for DHCP, PPP, SLIP or any other kind of connection that involves obtaining an IP address dynamically. Masquerading puts a somewhat higher load on the computer than NAT, but it works in situations where your own external IP address cannot be specified in advance.

CONFIG_IP_NF_TARGET_REDIRECT -- Redirection. This target is usually used together with a proxy. Instead of simply passing the packet on, it redirects the packet to another port on the firewall. In other words, this gives us a way to do "transparent proxying".

CONFIG_IP_NF_TARGET_LOG -- Adds the LOG target to iptables. We can use this module to record individual packets in the system log (syslog). This feature can be very useful when debugging your scripts.

CONFIG_IP_NF_TARGET_TCPMSS -- This option can be used to work around restrictions imposed by some Internet Service Providers that block ICMP Fragmentation Needed packets. As a result of such restrictions, the providers' servers may fail to deliver web pages, ssh may work while scp breaks right after the connection is established, and so on. To get around restrictions of this kind we can use the TCPMSS target to limit the MSS (Maximum Segment Size) value (usually the MSS is limited to the MTU of the outgoing interface minus 40 bytes, translator's note). This gives us a way to overcome what the netfilter authors call "criminally braindead ISPs or servers" in the kernel configuration help.

CONFIG_IP_NF_COMPAT_IPCHAINS -- ´ÞÑÐÒÛïÕâ áÞÒÜÕáâØÜÞáâì á ÑÞÛÕÕ áâÐàÞÙ âÕåÝÞÛÞÓØÕÙ ipchains. ²ßÞÛÝÕ ÒÞ×ÜÞÖÝÞ, çâÞ ßÞÔÞÑÝÞÓÞ àÞÔÐ áÞÒÜÕáâØÜÞáâì ÑãÔÕâ áÞåàÐÝÕÝÐ Ø Ò ïÔàÐå áÕàØØ 2.6.x.

CONFIG_IP_NF_COMPAT_IPFWADM -- ´ÞÑÐÒÛïÕâ áÞÒÜÕáâØÜÞáâì á ipfwadm, ÝÕ áÜÞâàï ÝÐ âÞ çâÞ íâÞ ÞçÕÝì áâÐàÞÕ áàÕÔáâÒÞ ßÞáâàÞÕÝØï ÑàÐÝÔÜÐãíàÞÒ.

ºÐÚ Òë ÜÞÖÕâÕ ÒØÔÕâì, ï ÔÐÛ ÚàÐâÚãî åÐàÐÚâÕàØáâØÚã ÚÐÖÔÞÜã ÜÞÔãÛî. ´ÐÝÝëÕ ÞßæØØ ÔÞáâãßÝë Ò ïÔàÕ ÒÕàáØØ 2.4.9.

´Ûï àÐÑÞâë áæÕÝÐàØï rc.firewall.txt ÒÐÜ ÝÕÞÑåÞÔØÜÞ ÑãÔÕâ ÔÞÑÐÒØâì Ò ïÔàÞ áÛÕÔãîéØÕ ÞßæØØ ØÛØ áÞÑàÐâì áÞÞâÒÕâáâÒãîéØÕ ßÞÔÓàãÖÐÕÜëÕ ÜÞÔãÛØ. ·Ð ØÝäÞàÜÐæØÕÙ ßÞ ÞßæØïÜ, ÝÕÞÑåÞÔØÜëÜ ÔÛï àÐÑÞâë ÔàãÓØå áæÕÝÐàØÕÒ, ÞÑàÐéÐÙâÕáì Ú ßàØÛÞÖÕÝØî á ßàØÜÕàÐÜØ íâØå áæÕÝÐàØÕÒ.

  • CONFIG_PACKET
  • CONFIG_NETFILTER
  • CONFIG_CONNTRACK
  • CONFIG_IP_NF_FTP
  • CONFIG_IP_NF_IRC
  • CONFIG_IP_NF_IPTABLES
  • CONFIG_IP_NF_FILTER
  • CONFIG_IP_NF_NAT
  • CONFIG_IP_NF_MATCH_STATE
  • CONFIG_IP_NF_TARGET_LOG
  • CONFIG_IP_NF_MATCH_LIMIT
  • CONFIG_IP_NF_TARGET_MASQUERADE

The list above gives the minimum set of kernel options required by the rc.firewall.txt script. The options required by the other example scripts can be found in the corresponding sections below. For now we will concentrate on the main script and start studying it.


Installing the package

First, let's look at how to build (compile) the iptables package. Building the package depends heavily on the kernel configuration, and you should be aware of that. Some distributions come with the iptables package preinstalled; one of them is Red Hat 7.1. However, in Red Hat 7.1 this package is disabled by default, so below we will look at how to enable it in this and other distributions.

Building the package

First, the iptables source package needs to be unpacked. We will be looking at iptables 1.2.6a and kernel 2.4.9. Unpack it as usual with the command bzip2 -cd iptables-1.2.6a.tar.bz2 | tar -xvf -. If unpacking succeeds, the package will be placed in the directory iptables-1.2.6a. For more information you can refer to the file iptables-1.2.6a/INSTALL, which contains detailed information on building and installing the package.

Next we need to check that the additional modules and options are enabled in the kernel. The steps described here only concern applying "patches" to the kernel. In this step we install the updates that are expected to be included in the kernel in the future.

Note

Some of them are still at the experimental stage, but among them are extremely interesting features and targets. Perform this step by running the command (as root, naturally)

make pending-patches KERNEL_DIR=/usr/src/linux/

The KERNEL_DIR variable must contain the path to your kernel sources. Usually this is /usr/src/linux/. If your sources are located elsewhere, you must specify that path instead.

Note

This step applies a number of updates and additions that will definitely be included in the kernel, but somewhat later; for now we take them from here by running the command

make most-of-pom KERNEL_DIR=/usr/src/linux/

While the above command runs you will be asked to confirm each update from what the netfilter world calls patch-o-matic. To install all of the "patches" from patch-o-matic, run the following command:

make patch-o-matic KERNEL_DIR=/usr/src/linux/

Be sure to read the help for each "patch" carefully and to the end before installing anything, since some "patches" may be incompatible with others, and some, when applied together, may even break the kernel.

Note

You can skip patching the kernel entirely; in other words, there is no particular need for it. However, patch-o-matic contains genuinely interesting updates, and you may well want to take a look at them. Nothing bad will happen if you run these commands and see what updates are available.

After patching is complete, you will need to rebuild the kernel with the newly installed updates. Do not forget to configure the kernel first, since the installed updates will most likely be disabled. In principle, you can postpone compiling the kernel until you have finished installing iptables.

To continue building iptables, run the command:

make KERNEL_DIR=/usr/src/linux/

If any problems arise during the build, you can try to resolve them yourself or turn to the netfilter mailing list, where you can get help. There you will find explanations of what you might have done wrong during installation, so don't panic right away. If that doesn't help, try to reason it through logically; that may help. Or ask someone knowledgeable.

If everything went smoothly, you are ready to install the binaries, for which you run the following command:

make install KERNEL_DIR=/usr/src/linux/

Hopefully there were no problems here! Now, to use the iptables package, you will definitely need to rebuild and install the kernel if you have not already done so. More information on installing the package can be found in the INSTALL file.


Installation on Red Hat 7.1

Red Hat 7.1, with its 2.4.x kernel, already comes with netfilter and iptables preinstalled. However, for backward compatibility with earlier distributions, the ipchains package runs by default. We will now briefly go over how to remove ipchains and run iptables instead.

Note

The version of iptables in Red Hat 7.1 is quite outdated, and it would probably be a good idea to install a newer version of iptables.

First, ipchains needs to be turned off so that its modules are not loaded in the future. To achieve this, we need to rename some files in the /etc/rc.d/ directory tree. The following command does what is required:

chkconfig --level 0123456 ipchains off

As a result of this command, the letter S in some file names (which indicates that the script runs at system startup) is replaced with the letter K (for Kill, which indicates that the script runs at system shutdown). This gives us link names like K92ipchains, thereby preventing this service from being started in the future.

However, ipchains is still running. Now we need to run the command that stops this service.

service ipchains stop

Finally, the iptables service needs to be started. To do this we first need to decide on which runlevels of the operating system the service should be started. Usually these are runlevels 2, 3 and 5. About these runlevels we know:

  • 2. Multi-user mode without NFS support, or the same as 3 but without network support.
  • 3. Full multi-user mode.
  • 5. X11. This runlevel is used to start X Windows automatically.

To start iptables on these runlevels, run the command:

chkconfig --level 235 iptables on

It is worth mentioning the runlevels on which iptables does not need to be started: runlevel 1 is single-user mode, usually used in emergencies when we are "bringing up" a "crashed" system. Runlevel 4 should not be used at all. Runlevel 6 is the system halt level used when the computer is shut down or rebooted.

To activate the iptables service, issue the command:

service iptables start

So, we have started iptables, but we do not yet have a single rule. There are two ways to add new rules in Red Hat 7.1. First, edit the file /etc/rc.d/init.d/iptables, but this approach has the drawback that all your rules will be lost when iptables is upgraded from RPM packages. Second, load the rules and save them with the iptables-save command, in which case the saved rules are restored automatically at system boot.

If you have chosen the first way of setting up iptables rules, you need to put them into the start) section of the /etc/rc.d/init.d/iptables script (to install the rules at system boot) or into the start() function. For actions on system shutdown, make the corresponding changes in the stop) section or in the stop() function. Also do not forget about the restart and condrestart sections. Once again, remember that if iptables is upgraded from RPM packages or through automatic network updates, you may lose all the changes made to the /etc/rc.d/init.d/iptables file.

The second way of loading rules is preferable. It involves the following steps. First, write the rules into a file, or enter them directly with the iptables command, whichever you prefer. Then run the iptables-save command, which here means iptables-save > /etc/sysconfig/iptables. As a result, the whole rule set is saved in the file /etc/sysconfig/iptables, which is loaded automatically when the iptables service starts. Another way to save the rule set is the command service iptables save, which is completely identical to the command above. Later, when the computer reboots, the iptables script in rc.d runs iptables-restore to load the rule set from /etc/sysconfig/iptables.

And finally, to complete the installation, it would be a good idea to remove the old ipchains version.

rpm -e ipchains

Traversal of tables and chains

In this chapter we will look at the order in which tables are traversed and the chains within each table. This information will be very important to you later, when you start building your own rule sets, especially when those rule sets include targets such as DNAT, SNAT and, of course, TOS.


General

When a packet arrives at our firewall, it first hits the network device, is picked up by the corresponding driver and is then passed on to the kernel. The packet then passes through a series of tables and is finally handed either to a local application or forwarded to another machine. The packet's path is given below.

Table 1. Path of forwarded packets

Step  Table   Chain        Comment
1                          On the wire (i.e. the Internet)
2                          Comes in on the network interface (for example, eth0)
3     mangle  PREROUTING   This chain is normally used for mangling the packet header, e.g. changing the TOS bits and so on.
4     nat     PREROUTING   This chain is used for Destination Network Address Translation. Source Network Address Translation is done later, in another chain. Any kind of filtering in this chain should be done only in exceptional cases.
5                          Routing decision, i.e. at this point it is decided where the packet goes: to a local application or to another host on the network.
6     filter  FORWARD      Only packets going to another host enter the FORWARD chain. All filtering of forwarded traffic should be done here. Do not forget that traffic in both directions passes through this chain; be sure to take this into account when writing filtering rules.
7     nat     POSTROUTING  This chain is intended primarily for Source Network Address Translation. Do not use it for filtering unless absolutely necessary. Masquerading is also done here.
8                          Goes out on the outgoing network interface (for example, eth1).
9                          On the wire (say, the LAN).

As you can see, the packet passes through several stages before it is passed on. At each of them the packet may be stopped, whether by an iptables chain or by something else, but we are mainly interested in iptables. Note that there are no chains specific to individual interfaces or anything of the kind. ALL packets that travel through our firewall/router pass through the FORWARD chain. Below we look at the path of a packet destined for a local process/application.

Table 2. Packets for a local application

Step  Table   Chain        Comment
1                          On the wire (i.e. the Internet)
2                          Comes in on the incoming network interface (for example, eth0)
3     mangle  PREROUTING   Normally used for mangling the packet header, e.g. setting the TOS bits and so on.
4     nat     PREROUTING   Address translation (Destination Network Address Translation). Packet filtering here is allowed only in exceptional cases.
5                          Routing decision.
6     filter  INPUT        This is where incoming traffic is filtered. Remember that all incoming packets addressed to us pass through this chain, regardless of which interface they arrived on.
7                          Local process/application

It is important to remember that this time the packets go through the INPUT chain, not FORWARD. Finally, we look at the path of packets generated by local processes.

Table 3. Packets from local processes

Step  Table   Chain        Comment
1                          Local process
2     mangle  OUTPUT       This is where the packet header is mangled. Filtering done in this chain can have negative consequences.
3     nat     OUTPUT       At present this chain does not work. Does anyone know when this bug will be fixed?
4     filter  OUTPUT       This is where outgoing traffic is filtered.
5                          Routing decision. This is where it is decided where the packet goes next.
6     nat     POSTROUTING  This is where Source Network Address Translation is done. Packets should not be filtered in this chain, to avoid unwanted side effects. However, packets can still be stopped here by applying a default DROP policy.
7                          Goes out on the network interface (for example, eth0)
8                          On the wire (i.e. the Internet)

We now know that there are three different ways a packet can travel. The figure below illustrates this more clearly.

More information on the order in which packets traverse the tables and chains can be found in the rc.test-iptables.txt script, which contains several rules that help in understanding the traversal order.


The mangle table

As already mentioned above, this table is intended mainly for mangling packet headers (mangle: to distort or alter, translator's note). In other words, in this table you can set the TOS (Type Of Service) bits and so on.

Caution

Once again, I remind you that no filtering, masquerading or address translation (DNAT, SNAT) of any kind should be done in this table.

Only the following targets are allowed in this table:

  • TOS

  • TTL

  • MARK

The TOS target sets the bits of the Type of Service field in the packet. This field is used to specify the network policy for handling the packet, i.e. the desired routing option. Note, however, that this feature is actually honoured by only a small number of routers on the Internet. In other words, you should not change this field for packets going out to the Internet, because routers that do honour it may make a wrong routing decision.

The TTL target is used to set the value of the packet's TTL (Time To Live) field. There is one good use for this target: we can assign a fixed value to this field to hide our firewall from overly curious Internet Service Providers. Some providers strongly dislike a single connection being shared by several computers, so they start checking the TTL of incoming packets and use it as one of the criteria for determining whether one computer or several are "sitting" on the connection.

The MARK target sets a special mark on the packet, which can then be checked by other rules in iptables or by other programs, such as iproute2. With "marks" we can control packet routing, limit traffic and so on.


The nat table

This table is used for NAT (Network Address Translation). As mentioned earlier, only the first packet of a stream passes through the chains of this table; address translation or masquerading is applied to all subsequent packets in the stream automatically. The targets characteristic of this table are:

  • DNAT

  • SNAT

  • MASQUERADE

The DNAT (Destination Network Address Translation) target rewrites the destination address in packet headers. In other words, this target redirects packets to addresses other than those specified in their headers.

SNAT (Source Network Address Translation) is used to change the source address of packets. With this target you can hide the structure of the local network and, at the same time, share a single external IP address among the computers on the local network for Internet access. In this case the firewall, using SNAT, automatically performs forward and reverse address translation, making it possible to connect to servers on the Internet from computers on the local network.

Masquerading (MASQUERADE) is used for the same purposes as SNAT, but unlike SNAT, MASQUERADE puts a heavier load on the system. This is because every time the target is applied, the IP address of the network interface specified in the target has to be looked up, whereas for SNAT the IP address is given directly. Thanks to this difference, however, MASQUERADE can work with a dynamic IP address, i.e. when you connect to the Internet via, say, PPP, SLIP or DHCP.


The filter table

As the name suggests, this table should contain the rule sets for packet filtering. Packets can be passed on or dropped depending on their contents. Of course, we can also filter packets in other tables, but this table exists specifically for filtering. Most of the existing targets can be used in this table, but a number of the targets we looked at earlier in this chapter should be used only in their own tables.


The state machine

This chapter is devoted entirely to the state machine. After reading it you should have a fairly clear picture of how this mechanism works. A considerable number of explanatory examples will also be covered.

Introduction

The state machine is part of iptables and should not really be called that, since it is actually a connection tracking mechanism. However, a great many people know it as the "state machine". In this chapter the two names are used as synonyms. Connection tracking is designed so that netfilter can obtain information about the state of a particular connection. This mechanism lets you build more reliable rule sets.

Within iptables, a connection can be in one of four basic states: NEW, ESTABLISHED, RELATED and INVALID. We will look at each of them in more detail later. The --state match is used to control packets based on their state. The connection tracker determines the four basic states of every TCP or UDP packet plus some additional characteristics; for TCP and UDP packets these are the source IP address, destination IP address, source port and destination port.

Earlier kernel versions allowed packet defragmentation support to be turned on and off. However, since connection tracking became part of iptables/netfilter, this is no longer needed. The reason is that the connection tracker cannot do its job without defragmentation, so it is always on. It cannot be turned off other than by turning off connection tracking.

Connection tracking is done in the PREROUTING chain. This means that iptables does all the state calculations within this chain. When the initiating packet of a stream is sent, it is given the NEW state, and when the reply packet comes back, the connection's state changes to ESTABLISHED, and so on.


The connection tracking table

Let's briefly look at the connection tracker's table, which can be found in /proc/net/ip_conntrack. It contains the list of all active connections. If the ip_conntrack module is loaded, the command cat /proc/net/ip_conntrack should output something like:

tcp 6 117 SYN_SENT src=192.168.1.6 dst=192.168.1.9 sport=32775 dport=22 [UNREPLIED] src=192.168.1.9 dst=192.168.1.6 sport=22 dport=32775 use=2

This example contains all the information the connection tracker knows about one particular connection. The first thing you see is the protocol name, in this case tcp. Next comes a number in ordinary decimal notation, the IP protocol number. After it comes the number defining the "time to live" of the entry in the table (i.e. the number of seconds after which the information about the connection is removed from the table). In our case the entry will be kept for another 117 seconds, unless, of course, another packet passes through this connection, in which case the value is reset to the default for the given state. This number decreases by 1 every second. Next comes the actual state of the connection. In our example the state is SYN_SENT. The internal representation of the state differs somewhat from the external one. The value SYN_SENT says that a single TCP SYN packet has passed through this connection. Next come the source and destination addresses and the source and destination ports. Here you also see a keyword ([UNREPLIED]) saying that there has been no reply traffic on this connection yet. Finally, additional information is given about the expected packet: the source/destination IP addresses (the same ones, only swapped, since a reply packet is expected), and likewise for the ports.

Note

Quite recently a patch called tcp-window-tracking appeared in patch-o-matic, which makes it possible to set all the timeout values through special variables, i.e. to change them "on the fly". This makes it possible to change the timeouts without rebuilding the kernel.

The changes are made through special system calls, via the /proc/sys/net/ipv4/netfilter directory. Pay particular attention to the /proc/sys/net/ipv4/netfilter/ip_ct_* variables.

When a reply packet is received, the connection tracker removes the [UNREPLIED] flag and later replaces it with [ASSURED]. This flag says that the connection is established with certainty and that this entry will not be erased when the maximum number of tracked connections is reached. The maximum number of entries the table can hold depends on a default value, which can be set via ipsysctl in recent kernel versions. For 128 MB of RAM this value is 8192 entries; for 256 MB it is 16376. You can view and change this value through /proc/sys/net/ipv4/ip_conntrack_max.


States

As you have already seen, packets can have several different states within the kernel, depending on the protocol type. Outside the kernel, however, there are only four states, as mentioned above. The packet's state is used mainly in the --state match. The allowed states are NEW, ESTABLISHED, RELATED and INVALID. The table below describes each of the possible states.

Table 1. List of states

State        Description
NEW          The NEW state says that the packet is the first one for this connection, i.e. it is the first packet on this connection that the connection tracking module has seen. For example, if a SYN packet is received that is the first packet for the connection, it gets the NEW state. However, a packet need not be a SYN packet to get the NEW state. This can cause certain problems in some cases, but it can also be very useful, for example when you want to "pick up" connections "lost" by other firewalls, or when the connection timeout has expired but the connection itself has not been closed.
ESTABLISHED  The ESTABLISHED state says that this is not the first packet in the connection. The way the ESTABLISHED state is set is fairly easy to understand. The only requirement for a connection to enter the ESTABLISHED state is that one host has sent a packet and received a reply to it from the other host. Once the reply is received, the connection's NEW state is replaced with ESTABLISHED.
RELATED      The RELATED state is one of the "trickiest". A connection gets the RELATED state if it is related to another connection that has the ESTABLISHED state. This means a connection gets the RELATED state when it is initiated from an already established connection with the ESTABLISHED state. A good example of a connection that can be considered RELATED is the FTP-data connection, which is related to the FTP control port, as well as a DCC connection launched from IRC. Note that most TCP protocols and some UDP protocols that rely on this mechanism are quite complex and send connection information inside the data payload of TCP or UDP packets, and therefore require special helper modules to work correctly.
INVALID      The INVALID state says that the packet cannot be identified and therefore cannot be given a definite state. This can happen for various reasons, for example when running out of memory or when an ICMP message is received that does not match any known connection. Probably the best option is to apply the DROP target to such packets.

These four states can be used in the --state match. The state machine lets you build extremely powerful and effective protection. Previously we had to open all ports above 1024 to let return traffic into the local network; now, with the state machine, this is no longer necessary, since it has become possible to "open" access only for return (reply) traffic.


TCP connections

In this and the following sections we take a closer look at the states and how they are handled for each of the three basic protocols, TCP, UDP and ICMP, and also touch on the case where a connection's protocol cannot be classified as one of those three. We start with TCP, since it has many very interesting peculiarities with regard to the iptables state machine.

A TCP connection is always set up by exchanging three packets, which initialize and establish the connection over which data will subsequently be sent. The session begins with a SYN packet, which is answered with a SYN/ACK packet, and an ACK packet confirms that the connection is established. After this the connection is considered established and ready for data transfer. The question may arise: "So how is the connection tracked?" In fact it is quite simple.

For all types of connections, tracking works in practically the same way. Look at the figure below, which shows all the stages of connection setup. As you can see, from the user's point of view the connection tracker does not really follow the progress of the connection setup. As soon as the tracker "sees" the first (SYN) packet, it gives it the NEW state. As soon as the second packet (SYN/ACK) passes through the tracker, the connection is given the ESTABLISHED state. Why the second packet? Let's work it out. When building your rule set, you can allow packets with the NEW and ESTABLISHED states to leave the local network, and in incoming traffic allow only packets with the ESTABLISHED state, and everything will work fine. Conversely, if the tracker kept treating the connection as NEW, you would never actually be able to establish a connection with the "outside world", or you would have to allow NEW packets into the local network.
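The rule set just described, as an added example that is not part of the tutorial: a small Python model of the connection tracker and of a firewall that lets NEW and ESTABLISHED packets out of the LAN but only ESTABLISHED (and RELATED) packets back in. The tracker logic follows this chapter's state descriptions; the Packet/ConnTracker names, the addresses and the packet sequence are constructed for the example.

```python
"""Added example (not from the tutorial): how the --state match sees packets
under a 'NEW,ESTABLISHED out / ESTABLISHED in' policy. All traffic is constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# (proto, src, sport, dst, dport); ports are 0 for ICMP
Tuple4 = Tuple[str, str, int, str, int]


@dataclass(frozen=True)
class Packet:
    direction: str          # "out" = LAN -> Internet, "in" = Internet -> LAN
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: str = ""         # TCP flags, informational only: the tracker ignores them
    inner: Optional[Tuple4] = None  # ICMP errors: tuple of the packet that caused them

    def tuple4(self) -> Tuple4:
        return (self.proto, self.src, self.sport, self.dst, self.dport)


def reverse(t: Tuple4) -> Tuple4:
    proto, src, sport, dst, dport = t
    return (proto, dst, dport, src, sport)


class ConnTracker:
    """One entry per original-direction tuple, as /proc/net/ip_conntrack keeps it.
    The value records whether a reply has been seen (False == [UNREPLIED])."""

    def __init__(self) -> None:
        self.entries: Dict[Tuple4, bool] = {}

    def classify(self, pkt: Packet) -> str:
        t = pkt.tuple4()
        if pkt.proto == "icmp":
            # An ICMP error referring to a tracked connection is RELATED;
            # one that matches nothing the tracker knows about is INVALID.
            if pkt.inner is not None and (pkt.inner in self.entries
                                          or reverse(pkt.inner) in self.entries):
                return "RELATED"
            return "INVALID"
        if t in self.entries:
            # Same direction as the first packet: still NEW until a reply was seen
            return "ESTABLISHED" if self.entries[t] else "NEW"
        if reverse(t) in self.entries:
            return "ESTABLISHED"     # this packet is the reply (or later traffic)
        return "NEW"                 # first packet seen, whether or not it is a SYN

    def record(self, pkt: Packet, state: str) -> None:
        """Confirm the packet in the table. Called only for accepted packets,
        so a dropped unsolicited SYN never creates an entry (assumption)."""
        t = pkt.tuple4()
        if state == "NEW" and t not in self.entries:
            self.entries[t] = False
        elif state == "ESTABLISHED" and reverse(t) in self.entries:
            self.entries[reverse(t)] = True


# The policy from the text: NEW and ESTABLISHED may leave, only ESTABLISHED may
# come in. RELATED (FTP-data, ICMP errors for a known connection) is accepted
# both ways; INVALID is dropped, as the state table recommends.
POLICY = {
    "out": {"NEW", "ESTABLISHED", "RELATED"},
    "in": {"ESTABLISHED", "RELATED"},
}


def run_firewall(packets: List[Packet]) -> List[Tuple[str, str]]:
    """Return (state, verdict) for each packet, in order."""
    tracker = ConnTracker()
    verdicts = []
    for pkt in packets:
        state = tracker.classify(pkt)
        verdict = "ACCEPT" if state in POLICY[pkt.direction] else "DROP"
        if verdict == "ACCEPT":
            tracker.record(pkt, state)
        verdicts.append((state, verdict))
    return verdicts


# Constructed traffic: the telnet session from the conntrack listing below
# (192.168.1.5:1031 -> 192.168.1.35:23), then unsolicited traffic from outside.
TELNET = ("tcp", "192.168.1.5", 1031, "192.168.1.35", 23)
SAMPLE_TRAFFIC = [
    Packet("out", "tcp", "192.168.1.5", "192.168.1.35", 1031, 23, "SYN"),
    Packet("out", "tcp", "192.168.1.5", "192.168.1.35", 1031, 23, "SYN"),    # retransmit
    Packet("in", "tcp", "192.168.1.35", "192.168.1.5", 23, 1031, "SYN/ACK"),
    Packet("out", "tcp", "192.168.1.5", "192.168.1.35", 1031, 23, "ACK"),
    Packet("in", "tcp", "10.0.0.7", "192.168.1.5", 40000, 22, "SYN"),        # unsolicited
    Packet("in", "tcp", "10.0.0.8", "192.168.1.5", 40001, 80, "ACK"),        # no SYN, still NEW
    Packet("in", "icmp", "192.168.1.35", "192.168.1.5", inner=TELNET),      # error about telnet
    Packet("in", "icmp", "10.0.0.9", "192.168.1.5",
           inner=("tcp", "192.168.1.5", 5555, "203.0.113.1", 80)),          # unknown connection
]


def demo() -> List[Tuple[str, str]]:
    return run_firewall(SAMPLE_TRAFFIC)


if __name__ == "__main__":
    for pkt, (state, verdict) in zip(SAMPLE_TRAFFIC, demo()):
        print(f"{pkt.direction:3} {pkt.proto:4} {pkt.src}:{pkt.sport} -> "
              f"{pkt.dst}:{pkt.dport} {state:11} {verdict}")
```

The retransmitted SYN stays NEW because no reply has been seen yet, and the inbound ACK with no SYN is also NEW, which is exactly the behaviour the note at the end of this section warns about.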

From the user's point of view everything looks fairly simple, but from the kernel's point of view it is somewhat more complex. Let's look at how the connection's state changes in the /proc/net/ip_conntrack table. After the first SYN packet is sent:

tcp 6 117 SYN_SENT src=192.168.1.5 dst=192.168.1.35 sport=1031 dport=23 [UNREPLIED] src=192.168.1.35 dst=192.168.1.5 sport=23 dport=1031 use=1

As you can see, the table entry reflects the exact state of the connection: the sending of a SYN packet has been recorded (the SYN_SENT state), to which there has been no reply yet (the [UNREPLIED] flag). After the reply packet is received, the connection moves to the next internal state:

tcp 6 57 SYN_RECV src=192.168.1.5 dst=192.168.1.35 sport=1031 dport=23 src=192.168.1.35 dst=192.168.1.5 sport=23 dport=1031 use=1

That is, the entry says that a SYN/ACK packet has come back. This time the connection moves to the SYN_RECV state. This state says that the SYN packet was safely delivered to the recipient and that a confirmation (SYN/ACK) came back in reply. In addition, having "seen" packets in both directions, the state machine removes the [UNREPLIED] flag. And finally, after the closing ACK packet of the connection setup is sent,

tcp 6 431999 ESTABLISHED src=192.168.1.5 dst=192.168.1.35 sport=1031 dport=23 src=192.168.1.35 dst=192.168.1.5 sport=23 dport=1031 use=1

the connection enters the ESTABLISHED state. After a few more packets have passed through this connection, the [ASSURED] flag is added to it.

When closing, a TCP connection goes through the following states.



As the figure shows, the connection is not closed until the last ACK packet has been sent. Note that this picture describes the normal connection teardown. Besides this, if a connection is refused, it can be closed by sending an RST (reset) packet. In this case the connection is closed once a predefined time has elapsed.

On closing, the connection is moved to the TIME_WAIT state, which by default lasts 2 minutes, during which packets can still pass through the firewall. This is a kind of "buffer time" that lets through packets that got "stuck" at one router or another.

If the connection is closed on receipt of an RST packet, it is moved to the CLOSE state. The wait before the connection is actually closed is set to 10 seconds by default. RST packets are not acknowledged, and the connection is closed immediately. There are also a number of other internal states. The table below lists the possible internal connection states and their corresponding timeouts.

Table 2. Internal states

State        Timeout
NONE         30 minutes
ESTABLISHED  5 days
SYN_SENT     2 minutes
SYN_RECV     60 seconds
FIN_WAIT     2 minutes
TIME_WAIT    2 minutes
CLOSE        10 seconds
CLOSE_WAIT   12 hours
LAST_ACK     30 seconds
LISTEN       2 minutes


These values may vary somewhat from one kernel version to another; moreover, they can be changed through the /proc file system interface (the /proc/sys/net/ipv4/netfilter/ip_ct_tcp_* variables). The values are set in hundredths of a second, so the number 3000 means 30 seconds.

Note ¾ÑàÐâØâÕ ÒÝØÜÐÝØÕ ÝÐ âÞ, çâÞ áÞ áâÞàÞÝë ßÞÛì×ÞÒÐâÕÛï, ÜÕåÐÝØ×Ü ÞßàÕÔÕÛÕÝØï áÞáâÞïÝØï ÝØÚÐÚ ÝÕ ÞâÞÑàÐÖÐÕâ áÞáâÞïÝØÕ äÛÐÓÞÒ TCP ßÐÚÕâÞÒ. ºÐÚ ßàÐÒØÛÞ - íâÞ ßÛÞåÞ, ßÞáÚÞÛìÚã áÞáâÞïÝØÕ NEW ßàØáÒÐØÒÐÕâáï, ÝÕ âÞÛìÚÞ ßÐÚÕâÐÜ SYN.

ÍâÐ ßàÞÑÛÕÜÐ ÑÞÛÕÕ ßÞÔàÞÑÝÞ ÞÑáãÖÔÐÕâáï Ò àÐ×ÔÕÛÕ ¿ÐÚÕâë áÞ áâÐâãáÞÜ NEW Ø áÞ áÑàÞèÕÝÝëÜ ÑØâÞÜ SYN.


UDP connections



UDP connections are inherently stateless. There are several reasons for this, the main one being that the protocol has no connection set-up or tear-down, but the biggest drawback is the lack of any information about packet ordering: having received two UDP datagrams, you cannot tell in which order they were sent. Even so, it is still possible to attach a state to such a connection. The figure below shows how connection establishment looks from the conntrack point of view.



As you can see, from user space the state of a UDP connection is determined almost the same way as for TCP. Internally it looks somewhat different, although largely similar. To begin with, let us look at the entry that appears after the first UDP packet has been sent.

udp 17 20 src=192.168.1.2 dst=192.168.1.5 sport=137 dport=1025 [UNREPLIED] src=192.168.1.5 dst=192.168.1.2 sport=1025 dport=137 use=1

The first thing we see is the protocol name (udp) and its number (see /etc/protocols; translator's note). The third value is the remaining lifetime of the entry in seconds. Next come the characteristics of the packet that passed through the firewall: the source and destination addresses and ports. Here it is also visible that this is the first packet of the session (the [UNREPLIED] flag). The entry ends with the addresses and ports of the expected reply packet. The default timeout of such an entry is 30 seconds.

udp 17 170 src=192.168.1.2 dst=192.168.1.5 sport=137 dport=1025 src=192.168.1.5 dst=192.168.1.2 sport=1025 dport=137 use=1

Once the server has seen a reply to the first packet, the connection is considered ESTABLISHED; the only visible differences from the previous entry are that the [UNREPLIED] flag is gone and the entry's timeout has become 180 seconds. After this, only the [ASSURED] flag described above can still be added, and it is set only after a certain number of packets have passed through the connection.

udp 17 175 src=192.168.1.5 dst=195.22.79.2 sport=1025 dport=53 src=195.22.79.2 dst=192.168.1.5 sport=53 dport=1025 [ASSURED] use=1

Now the connection has become assured. The entry looks practically the same as in the previous example, except for the [ASSURED] flag. If not a single packet passes through the connection within 180 seconds, the entry is removed from the table. That is a rather short interval, but it is quite enough for most uses. The lifetime is counted from the moment the last packet passed, and each new packet resets it to its initial value.


ICMP connections

ICMP packets carry only control messages and do not form a lasting connection. However, there are 4 kinds of ICMP packets that trigger a reply, so they can have two states: NEW and ESTABLISHED. These are ICMP Echo Request/Echo Reply, ICMP Timestamp Request/Timestamp Reply, ICMP Information Request/Information Reply and ICMP Address Mask Request/Address Mask Reply. Of these, ICMP Timestamp Request/Timestamp Reply and ICMP Information Request/Information Reply are considered obsolete and can in most cases be safely dropped (DROP). Take a look at the figure below.



As the figure shows, the server sends an Echo Request to the client, and the firewall recognises the request as NEW. The client answers with an Echo Reply packet, which is now recognised as ESTABLISHED. After the first packet (the Echo Request) has passed, the following entry appears in ip_conntrack:

icmp 1 25 src=192.168.1.6 dst=192.168.1.10 type=8 code=0 id=33029 [UNREPLIED] src=192.168.1.10 dst=192.168.1.6 type=0 code=0 id=33029 use=1

This entry differs somewhat from the TCP and UDP ones. The protocol name, the timeout and the sender and receiver addresses are there just as before, but then three new fields appear: type, code and id. The type field holds the ICMP type and the code field the ICMP code; the values are listed in the appendix ICMP types. The last field, id, holds the packet identifier. Every ICMP packet carries its own identifier; when the receiver answers an ICMP request it puts that identifier into the reply, so that the sender can correctly match the reply to its request.

The next field is the [UNREPLIED] flag we met earlier, meaning the first packet of the connection has arrived. The entry ends with the characteristics of the expected reply packet: the source and destination addresses, and an ICMP type and code that are the correct values for the expected ICMP Echo Reply. The identifier of the reply packet is the same as in the request.

The reply packet is recognised as ESTABLISHED. But since nothing more is expected on this connection after the reply, the conntrack entry is destroyed as soon as the reply has passed through netfilter.

In every case the request is treated as NEW and the reply as ESTABLISHED. Note that the reply packet must match the characteristics (source and destination addresses, type, code and identifier) recorded in the conntrack entry.

ICMP requests have a default timeout of 30 seconds, which is enough in most cases. The timeout can be changed in /proc/sys/net/ipv4/netfilter/ip_ct_icmp_timeout. (Remember that the /proc/sys/net/ipv4/netfilter/ip_ct_* variables become available only after the tcp-window-tracking patch from patch-o-matic has been applied; translator's note.)
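The conntrack entries quoted above for TCP, UDP and ICMP share one line format, and a small parser makes it possible to watch the table the way the text describes it: which entries are still [UNREPLIED], which have become [ASSURED], and how many TCP handshakes never completed. The following Python is an added example, not code from the tutorial or from the netfilter project; the function names (parse_entry, parse_conntrack, half_open_tcp, assured_entries) are this example's own, and the sample lines are constructed to mirror the entries shown in the text.

```python
"""Parser for ip_conntrack entries (added example, not part of the tutorial).

Reads lines in the /proc/net/ip_conntrack layout shown in the text, turns
them into structured records and answers the questions an administrator
asks of that table: which TCP connections are still half-open, which
entries are assured, and so on.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample: same layout as the entries quoted in the tutorial.
SAMPLE_CONNTRACK = """\
tcp 6 117 SYN_SENT src=192.168.1.5 dst=192.168.1.35 sport=1031 dport=23 [UNREPLIED] src=192.168.1.35 dst=192.168.1.5 sport=23 dport=1031 use=1
tcp 6 431999 ESTABLISHED src=192.168.1.5 dst=192.168.1.35 sport=1031 dport=23 src=192.168.1.35 dst=192.168.1.5 sport=23 dport=1031 use=1
udp 17 20 src=192.168.1.2 dst=192.168.1.5 sport=137 dport=1025 [UNREPLIED] src=192.168.1.5 dst=192.168.1.2 sport=1025 dport=137 use=1
udp 17 175 src=192.168.1.5 dst=195.22.79.2 sport=1025 dport=53 src=195.22.79.2 dst=192.168.1.5 sport=53 dport=1025 [ASSURED] use=1
icmp 1 25 src=192.168.1.6 dst=192.168.1.10 type=8 code=0 id=33029 [UNREPLIED] src=192.168.1.10 dst=192.168.1.6 type=0 code=0 id=33029 use=1
"""

# Fields whose values are numeric in the conntrack output.
NUMERIC_FIELDS = {"sport", "dport", "type", "code", "id"}


@dataclass
class ConntrackEntry:
    proto: str                   # "tcp", "udp", "icmp"
    proto_num: int               # protocol number as in /etc/protocols
    timeout: int                 # seconds left before the entry expires
    tcp_state: Optional[str]     # SYN_SENT, ESTABLISHED, ... (TCP only)
    original: Dict[str, object] = field(default_factory=dict)  # packet seen
    reply: Dict[str, object] = field(default_factory=dict)     # expected reply
    flags: Set[str] = field(default_factory=set)               # UNREPLIED, ASSURED
    use: int = 0


def parse_entry(line: str) -> ConntrackEntry:
    """Parse one ip_conntrack line into a ConntrackEntry."""
    tokens = line.split()
    proto, proto_num, timeout = tokens[0], int(tokens[1]), int(tokens[2])
    rest = tokens[3:]
    tcp_state = None
    if proto == "tcp":               # only TCP carries an internal state name
        tcp_state, rest = rest[0], rest[1:]
    entry = ConntrackEntry(proto, proto_num, timeout, tcp_state)
    tuples: List[Dict[str, object]] = []   # original tuple, then reply tuple
    for tok in rest:
        flag = re.fullmatch(r"\[([A-Z_]+)\]", tok)
        if flag:                     # bracketed words are the state flags
            entry.flags.add(flag.group(1))
            continue
        key, _, value = tok.partition("=")
        if key == "use":
            entry.use = int(value)
            continue
        if key == "src":             # each src= opens a new address tuple
            tuples.append({})
        tuples[-1][key] = int(value) if key in NUMERIC_FIELDS else value
    if len(tuples) != 2:
        raise ValueError("expected an original and a reply tuple: %r" % line)
    entry.original, entry.reply = tuples
    return entry


def parse_conntrack(text: str) -> List[ConntrackEntry]:
    return [parse_entry(line) for line in text.splitlines() if line.strip()]


def half_open_tcp(entries: List[ConntrackEntry]) -> List[ConntrackEntry]:
    """TCP entries whose handshake never completed: a SYN (or SYN/ACK) was
    seen but nothing came back.  A large and growing count here is what a
    flood of unanswered connection attempts looks like in the table."""
    return [e for e in entries
            if e.proto == "tcp"
            and e.tcp_state in ("SYN_SENT", "SYN_RECV")
            and "UNREPLIED" in e.flags]


def assured_entries(entries: List[ConntrackEntry]) -> List[ConntrackEntry]:
    """Entries that have seen traffic in both directions long enough to be
    marked [ASSURED], i.e. the ones conntrack will keep when the table is full."""
    return [e for e in entries if "ASSURED" in e.flags]


if __name__ == "__main__":
    entries = parse_conntrack(SAMPLE_CONNTRACK)
    for e in entries:
        print(e.proto, e.tcp_state or "-", e.timeout, sorted(e.flags),
              e.original, "->", e.reply)
    print("half-open TCP:", len(half_open_tcp(entries)))
    print("assured:", len(assured_entries(entries)))
```

To use it on a live firewall, feed parse_conntrack() the contents of /proc/net/ip_conntrack instead of the constructed sample; the timeout column it reports is the value the ip_ct_* tunables discussed in the text control.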

A large part of ICMP is used to report what is happening to some UDP or TCP connection, which is why such packets are very often recognised as RELATED to an existing connection. Simple examples are ICMP Host Unreachable and ICMP Network Unreachable: they are generated whenever an attempt is made to connect to a host or network that is unreachable, in which case the last router returns the corresponding ICMP packet, which is recognised as RELATED. The figure below shows how this happens.

In this example a connection request (a SYN packet) is sent to some host; on the firewall it gets the NEW state. At that moment, however, the network turns out to be unreachable, so the router returns an ICMP Network Unreachable packet. Thanks to the entry already in the table, conntrack recognises this packet as RELATED, and it is passed to the client, which then aborts the failed connection. Meanwhile the firewall destroys the table entry, since an error message was received for this connection.

The same happens with UDP connections when similar problems occur: all ICMP messages sent in reply to a UDP connection are treated as RELATED. Look at the next figure.



A UDP datagram is sent to the server and the connection is given the NEW state. Access to the network, however, is prohibited (by a firewall or a router), so an ICMP Network Prohibited message comes back. The firewall recognises the message as belonging to the open UDP connection, gives it the RELATED state and passes it to the client. After that the conntrack entry is destroyed and the client closes the connection.


Default behaviour

In some cases the state machine cannot recognise the protocol and therefore cannot choose a strategy for handling the connection; it then falls back to the default behaviour. The default behaviour is used, for example, for the NETBLT, MUX and EGP protocols. It is very similar to UDP connection tracking: the first packet gets the NEW state and all subsequent ones get ESTABLISHED.

With the default behaviour the same timeout value is used for all packets; it can be changed in /proc/sys/net/ipv4/netfilter/ip_ct_generic_timeout. By default it is 600 seconds, or 6 minutes (yes, that is exactly what the original text says. I suspect the author simply made a slip and it should read "600 seconds, or 10 minutes". Incidentally, in the source code (/usr/src/linux/net/ipv4/netfilter/ip_conntrack_proto_generic.c) GENERIC_TIMEOUT is 600 seconds; translator's note). Depending on the kind of traffic this time may need to be changed, especially when connections go over a satellite link.


Tracking complex protocols

There are a number of complex protocols whose correct tracking is harder; ICQ, IRC and FTP are examples. Each of these carries additional information about the connection inside the data portion of the packet, so tracking them correctly requires additional helper modules.

Take FTP as the first example. FTP first opens a single connection called the FTP control session. When commands are issued within this session, additional ports are opened to carry the associated data. These connections can be active or passive. In an active connection the client tells the FTP server the port number and IP address to connect to; the client then opens the port, the server connects from its port 20 (known as FTP-Data) to the client's port and sends the data over the established connection.

The problem is that the firewall knows nothing about these additional connections, because all the information about them is carried in the packet's data portion. As a result the firewall will not let the server connect to the client's advertised port.

The solution is a special conntrack helper module that watches for protocol-specific information in the data portion of the packets passing within the control session. When such a connection is being set up, the helper correctly interprets the transmitted information and creates a corresponding conntrack entry with the RELATED state, so that the connection can be established. The figure below shows how such a connection proceeds.



Passive FTP works the other way round. The client asks the server for data, and the server returns the IP address and port number to connect to. The client connects from its port 20 (FTP-data) to the given server port and receives the requested data. If your FTP server sits behind the firewall you need this helper so that the server can serve clients from the Internet. The same applies when you want to restrict your users to connecting only to HTTP and FTP servers on the Internet and close all other ports. The figure below shows how a passive FTP connection proceeds.



Some helper modules are already included in the kernel; to be precise, the helpers for FTP and IRC are. If the helper you need is not available to you, look at patch-o-matic, which contains a large number of helpers for tracking protocols such as ntalk or H.323. If you still cannot find what you need you have further options: look in the iptables CVS in case the helper has not yet made it into patch-o-matic, or contact the netfilter developers and ask whether such a module exists and whether it is planned for release. If that fails too, you should probably read Rusty Russell's Unreliable Netfilter Hacking HOWTO.

Helpers can be compiled either as loadable kernel modules or statically into the kernel. If they are built as modules, you can load them with the command

modprobe ip_conntrack_*

Note that connection tracking has nothing to do with Network Address Translation (NAT), so if you do NAT you may need more modules. Say you do address translation and track FTP connections: then you also need the corresponding NAT helper. By the naming convention, NAT helper names begin with ip_nat; in this case the module is called ip_nat_ftp, and for IRC it is ip_nat_irc. Conntrack helper names follow the same convention, for example ip_conntrack_ftp and ip_conntrack_irc.


How a rule is built

This chapter discusses how to build your own iptables rules. Each line you insert into a chain must contain a single rule. We will also cover the basic matches and targets and how to create your own chains.


Basics

As already said, each rule is a line containing the criteria (matches) that decide whether a packet fits the rule, and the action (target) to take when the criteria are met. In general a rule is written roughly like this:

iptables [-t table] command [match] [target/jump]

Nothing requires the target/jump to be the last thing on the line, but we will stick to that notation for readability.

If a rule does not include the [-t table] specifier, the filter table is assumed by default; any other table must be named explicitly. The table specifier can also appear anywhere in the rule, but it is more or less standard to put it at the beginning.

Next, immediately after the table name, comes the command. If there is no table specifier, the command must always come first. The command tells iptables what to do, for example insert a rule, append a rule to the end of a chain, delete a rule, and so on.

The matches part sets the criteria that decide whether the packet falls under this rule. Here we can specify all kinds of criteria: the source IP address or network of the packet, the network interface, and so on. There are many matches, which we will look at in this chapter.

Finally, the target says what to do when the rule's criteria are met: the kernel can be told to pass the packet to another chain, to drop it and forget about it, to send an error message back to the source, and so on.


Tables

The -t option specifies which table to use; by default it is the filter table. The following values are used with -t.

Table 1. Tables

Table: nat
Description: The nat table is used mainly for Network Address Translation. Only the first packet of a stream passes through this table; the translation is then applied automatically to all subsequent packets of the stream. This is one reason why no filtering should be done in this table. The PREROUTING chain is used to alter packets as they enter the firewall. The OUTPUT chain is used to translate packets generated by applications on the firewall itself, before the routing decision. Note that at present this chain does not work. The last chain in this table is POSTROUTING, used to translate packets just before they leave.

Table: mangle
Description: This table is used to alter packet headers, for example the TTL, TOS or MARK fields. Important: the MARK field is not actually changed in the packet; instead a structure is kept in kernel memory that accompanies the packet for as long as it travels through the machine, so that other rules and applications on this machine (and only this machine) can use it. The table has two chains, PREROUTING and OUTPUT. PREROUTING is used to alter packets as they enter the firewall, before the routing decision; OUTPUT alters packets coming from applications on the firewall. Note that the mangle table must never be used for Network Address Translation or masquerading, since the nat table exists for that purpose.

Table: filter
Description: The filter table is used mainly for packet filtering. Here, for example, we can DROP, LOG, ACCEPT or REJECT packets without any of the complications present in the other tables. It has three built-in chains. The first, FORWARD, filters packets passing through the firewall in transit. INPUT is traversed by packets destined for local applications (the firewall itself). OUTPUT filters outgoing packets generated by applications on the firewall.

Above we looked at the main differences between the three tables. Each must be used only for its own purpose, and you should understand this: misusing the tables can weaken the protection of the firewall and of the network behind it. Later, in the chapter Traversing of tables and chains, we will go into this in more detail.


Commands

Below is the list of commands and the rules for using them. The command tells iptables what we want to do, usually one of two things: add a new rule to a chain or delete an existing rule from some table. The commands used in iptables are given below.

Table 2. Commands

Command: -A, --append
Example: iptables -A INPUT ...
Explanation: Appends a new rule to the end of the given chain.

Command: -D, --delete
Example: iptables -D INPUT --dport 80 -j DROP, iptables -D INPUT 1
Explanation: Deletes a rule from a chain. The command has two forms: in the first a match specification is given with -D (see the first example), in the second the rule number. With a match, the rule containing that match is deleted; with a number, the rule at that position is deleted. Rules in a chain are numbered from 1.

Command: -R, --replace
Example: iptables -R INPUT 1 -s 192.168.0.1 -j DROP
Explanation: Replaces one rule with another. It is mostly used while debugging new rules.

Command: -I, --insert
Example: iptables -I INPUT 1 --dport 80 -j ACCEPT
Explanation: Inserts a new rule into a chain. The number after the chain name gives the position of the rule before which the new one is inserted; in other words, the number becomes the number of the inserted rule. In the example above the rule is to become rule 1 of the INPUT chain.

Command: -L, --list
Example: iptables -L INPUT
Explanation: Lists the rules in the given chain; in this example the rules of the INPUT chain. If no chain is named, the rules of all chains are listed. The output format depends on additional options such as -n, -v and others.

Command: -F, --flush
Example: iptables -F INPUT
Explanation: Flushes (deletes) all rules from the given chain (table). If no chain or table is named, all rules in all chains are deleted.

Command: -Z, --zero
Example: iptables -Z INPUT
Explanation: Zeroes all counters in the given chain; if no chain is named, all chains are meant. When -v is used together with -L, the packet counters of each rule are printed as well. -L and -Z may be combined: the rule list with counters is printed first, and the counters are then zeroed.

Command: -N, --new-chain
Example: iptables -N allowed
Explanation: Creates a new chain with the given name in the given table. In the example a new chain named allowed is created. The name must be unique and must not coincide with the reserved chain and target names (DROP, REJECT, etc.).

Command: -X, --delete-chain
Example: iptables -X allowed
Explanation: Deletes the given chain from the given table. The chain must contain no rules and must not be referenced from other chains. If no chain name is given, all chains created with -N in the given table are deleted.

Command: -P, --policy
Example: iptables -P INPUT DROP
Explanation: Sets the default policy of the given chain. The default policy is the action applied to packets that match none of the rules in the chain. DROP, ACCEPT and REJECT may be used as the default policy.

Command: -E, --rename-chain
Example: iptables -E allowed disallowed
Explanation: The -E command renames a user-defined chain. In the example the chain allowed is renamed disallowed. Renaming does not change how the table works; it is purely cosmetic.

A command must always be given. The list of available commands can be seen with iptables -h or, equivalently, iptables --help. Some commands can be used together with additional options. Below is the list of such options with the effect of each. Note that the options used when building matches or targets are not listed here; those are discussed later.

Table 3. Options

Option: -v, --verbose
Used with: --list, --append, --insert, --delete, --replace
Description: This option makes the output more informative and is usually used with --list. With --list, the output also includes the interface name and the packet and byte counters for each rule. Counters are printed with the multiplier suffixes K (x1000), M (x1,000,000) and G (x1,000,000,000); to make --list print exact numbers without suffixes, use the -x option described below. When -v, --verbose is used with --append, --insert, --delete or --replace, a detailed report of the operation is printed.

Option: -x, --exact
Used with: --list
Description: All numbers in the output are printed exactly, without rounding and without the K, M, G multipliers. Note that this option is used only with --list and not with other commands.

Option: -n, --numeric
Used with: --list
Description: Makes iptables print IP addresses and port numbers numerically, without trying to resolve them to names. Used only with --list.

Option: --line-numbers
Used with: --list
Description: The --line-numbers option prints line numbers when listing rules with --list; the number corresponds to the rule's position in the chain. Used only with --list.

Option: -c, --set-counters
Used with: --insert, --append, --replace
Description: Used when creating a new rule to set its packet and byte counters to given values. For example, --set-counters 20 4000 sets the packet counter to 20 and the byte counter to 4000.

Option: --modprobe
Used with: All
Description: The --modprobe option specifies the command used to load kernel modules. It is used when your modprobe command is outside the search path. This option can be used with any command.

ºàØâÕàØØ

·ÔÕáì Üë ßÞÔàÞÑÝÕÕ ÞáâÐÝÞÒØÜáï ÝÐ ÚàØâÕàØïå ÒëÔÕÛÕÝØï ßÐÚÕâÞÒ. Ï àÐ×ÑØÛ ÒáÕ ÚàØâÕàØØ ÝÐ ßïâì Óàãßß. ¿ÕàÒÐï -- ÞÑéØÕ ÚàØâÕàØØ ÚÞâÞàëÕ ÜÞÓãâ ØáßÞÛì×ÞÒÐâìáï Ò ÛîÑëå ßàÐÒØÛÐå. ²âÞàÐï - TCP ÚàØâÕàØØ ÚÞâÞàëÕ ßàØÜÕÝïîâáï âÞÛìÚÞ Ú TCP ßÐÚÕâÐÜ. ÂàÕâìï -- UDP ÚàØâÕàØØ ÚÞâÞàëÕ ßàØÜÕÝïîâáï âÞÛìÚÞ Ú UDP ßÐÚÕâÐÜ. ÇÕâÒÕàâÐï - ICMP ÚàØâÕàØØ ÔÛï àÐÑÞâë á ICMP ßÐÚÕâÐÜØ. ¸ ÝÐÚÞÝÕæ ßïâÐï -- áßÕæØÐÛìÝëÕ ÚàØâÕàØØ, âÐÚØÕ ÚÐÚ state, owner, limit Ø ßà.


¾ÑéØÕ ÚàØâÕàØØ

·ÔÕáì Üë àÐááÜÞâàØÜ ¾ÑéØÕ ÚàØâÕàØØ. ¾ÑéØÕ ÚàØâÕàØØ ÔÞßãáâØÜÞ ãßÞâàÕÑÛïâì Ò ÛîÑëå ßàÐÒØÛÐå Ø ÝÕ ×ÐÒØáïâ Þâ âØßÐ ßàÞâÞÚÞÛÐ Ø ÝÕ âàÕÑãîâ ßÞÔÓàã×ÚØ ÜÞÔãÛÕÙ àÐáèØàÕÝØï. ² íâã Óàãßßã ï ÔÞÑÐÒØÛ ÚàØâÕàØÙ --protocol ÝÕáÜÞâàï ÝÐ âÞ, çâÞ ÞÝ ØáßÞÛì×ãÕâáï Ò ÝÕÚÞâÞàëå áßÕæØäØçÝëå Þâ ßàÞâÞÚÞÛÐ àÐáèØàÕÝØïå. ½ÐßàØÜÕà, Üë àÕèØÛØ ØáßÞÛì×ÞÒÐâì TCP ÚàØâÕàØÙ, âÞÓÔÐ ÝÐÜ ÝÕÞÑåÞÔØÜÞ ÑãÔÕâ ØáßÞÛì×ÞÒÐâì Ø ÚàØâÕàØÙ --protocol ÚÞâÞàÞÜã Ò ÚÐçÕáâÒÕ ÔÞßÞÛÝØâÕÛìÝÞÓÞ ÚÛîçÐ ßÕàÕÔÐÕâáï ÝÐ×ÒÐÝØÕ ßàÞâÞÚÞÛÐ -- TCP. ¾ÔÝÐÚÞ --protocol áÐÜ ßÞ áÕÑÕ ïÒÛïÕâáï ÚàØâÕàØÕÜ, ÚÞâÞàëÙ ØáßÞÛì×ãÕâáï ÔÛï ãÚÐ×ÐÝØï âØßÐ ßàÞâÞÚÞÛÐ.

ÂÐÑÛØæÐ 4. ¾ÑéØÕ ÚàØâÕàØØ

ºàØâÕàØÙ -p, --protocol
¿àØÜÕà iptables -A INPUT -p tcp
¾ßØáÐÝØÕ ÍâÞâ ÚàØâÕàØÙ ØáßÞÛì×ãÕâáï ÔÛï ãÚÐ×ÐÝØï âØßÐ ßàÞâÞÚÞÛÐ. ¿àØÜÕàÐÜØ ßàÞâÞÚÞÛÞÒ ÜÞÓãâ Ñëâì TCP, UDP Ø ICMP. ÁߨáÞÚ ßàÞâÞÚÞÛÞÒ ÜÞÖÝÞ ßÞáÜÞâàÕâì Ò äÐÙÛÕ /etc/p rotocols. ¿àÕÖÔÕ ÒáÕÓÞ, Ò ÚÐçÕáâÒÕ ØÜÕÝØ ßàÞâÞÚÞÛÐ Ò ÔÐÝÝëÙ ÚàØâÕàØÙ ÜÞÖÝÞ ßÕàÕÔÐÒÐâì âàØ ÒëèÕãßÞÜïÝãâëå ßàÞâÞÚÞÛÐ, Ð âÐÚÖÕ ÚÛîçÕÒÞÕ áÛÞÒÞ ALL. ² ÚÐçÕáâÒÕ ßàÞâÞÚÞÛÐ ÔÞßãáÚÐÕâáï ßÕàÕÔÐÒÐâì çØáÛÞ - ÝÞÜÕà ßàÞâÞÚÞÛÐ, âÐÚ ÝÐßàØÜÕà, 255 áÞÞâÒÕâáâÒãÕâ ßàÞâÞÚÞÛã RAW IP. ÁÞÞâÒÕâáâÒØï ÜÕÖÔã ÝÞÜÕàÐÜØ ßàÞâÞÚÞÛÞÒ Ø Øå ØÜÕÝÐÜØ Òë ÜÞÖÕâÕ ßÞáÜÞâàÕâì Ò äÐÙÛÕ /etc/protocols, ÚÞâÞàëÙ ãÖÕ ãßÞÜØÝÐÛáï. ºàØâÕàØî ÜÞÖÕâ ßÕàÕÔÐÒÐâìáï Ø áߨáÞÚ ßàÞâÞÚÞÛÞÒ, àÐ×ÔÕÛÕÝÝëå ×ÐßïâëÜØ, ÝÐßàØÜÕà âÐÚ: udp,tcp (ÅÞâï ÐÒâÞà Ø ãÚÐ×ëÒÐÕâ ÝÐ ÒÞ×ÜÞÖÝÞáâì ßÕàÕÔÐçØ áߨáÚÐ ßàÞâÞÚÞÛÞÒ, âÕÜ ÝÕ ÜÕÝÕÕ ÝØÚÞÜã ÕéÕ ÝÕ ãÔÐÛÞáì áÔÕÛÐâì íâÞÓÞ! ºáâÐâØ, man iptables ïÒÝÞ ÞÓÞÒÐàØÒÐÕâ, çâÞ Ò ÔÐÝÝÞÜ ÚàØâÕàØØ ÜÞÖÕâ Ñëâì ãÚÐ×ÐÝ âÞÛìÚÞ ÞÔØÝ ßàÞâÞÚÞÛ. ¼ÞÖÕâ Ñëâì íâÞ àÐáèØàÕÝØÕ ØÜÕÕâáï Ò patch-o-matic? ßàØÜ. ßÕàÕÒ.) µáÛØ ÔÐÝÝÞÜã ÚàØâÕàØî ßÕàÕÔÐÕâáï çØáÛÞÒÞÕ ×ÝÐçÕÝØÕ 0, âÞ íâÞ íÚÒØÒÐÛÕÝâÝÞ ØáßÞÛì×ÞÒÐÝØî áßÕæØäØÚÐâÞàÐ ALL, ÚÞâÞàëÙ ßÞÔàÐ×ãÜÕÒÐÕâáï ßÞ ãÜÞÛçÐÝØî, ÚÞÓÔÐ ÚàØâÕàØÙ --protocol ÝÕ ØáßÞÛì×ãÕâáï. ´Ûï ÛÞÓØçÕáÚÞÙ ØÝÒÕàáØØ ÚàØâÕàØï, ßÕàÕÔ ØÜÕÝÕÜ ßàÞâÞÚÞÛÐ (áߨáÚÞÜ ßàÞâÞÚÞÛÞÒ) ØáßÞÛì×ãÕâáï áØÜÒÞÛ !, ÝÐßàØÜÕà --protocol ! tcp ßÞÔàÐ×ãÜÕÒÐÕâ ßÐÚÕâë ÛîÑÞÓÞ ßàÞâÞÚÞÛÐ, ÚàÞÜÕ tcp.
ºàØâÕàØÙ -s, --src, --source
¿àØÜÕà iptables -A INPUT -s 192.168.1.1
¾ßØáÐÝØÕ IP-ÐÔàÕá(Ð) ØáâÞçÝØÚÐ ßÐÚÕâÐ. °ÔàÕá ØáâÞçÝØÚÐ ÜÞÖÕâ ãÚÐ×ëÒÐâìáï âÐÚ, ÚÐÚ ßÞÚÐ×ÐÝÞ Ò ßàØÜÕàÕ, âÞÓÔÐ ßÞÔàÐ×ãÜÕÒÐÕâáï ÕÔØÝáâÒÕÝÝëÙ IP-ÐÔàÕá. ° ÜÞÖÝÞ ãÚÐ×Ðâì ÐÔàÕá Ò ÒØÔÕ address/mask, ÝÐßàØÜÕà ÚÐÚ 192.168.0.0/255.255.255.0, ØÛØ ÑÞÛÕÕ áÞÒàÕÜÕÝÝëÜ áßÞáÞÑÞÜ 192.168.0.0/24, â.Õ. äÐÚâØçÕáÚØ ÞßàÕÔÕÛïï ÔØÐßÐ×ÞÝ ÐÔàÕáÞÒ ºÐÚ Ø àÐÝÕÕ, áØÜÒÞÛ !, ãáâÐÝÞÒÛÕÝÝëÙ ßÕàÕÔ ÐÔàÕáÞÜ, Þ×ÝÐçÐÕâ ÛÞÓØçÕáÚÞÕ ÞâàØæÐÝØÕ, â.Õ. --source ! 192.168.0.0/24 Þ×ÝÐçÐÕâ ÛîÑÞÙ ÐÔàÕá ÚàÞÜÕ ÐÔàÕáÞÒ 192.168.0.x
ºàØâÕàØÙ -d, --dst, --destination
¿àØÜÕà iptables -A INPUT -d 192.168.1.1
¾ßØáÐÝØÕ IP-ÐÔàÕá(Ð) ßÞÛãçÐâÕÛï. ¸ÜÕÕâ áØÝâÐÚáØá áåÞÖØÙ á ÚàØâÕàØÕÜ --source, ×Ð ØáÚÛîçÕÝØÕÜ âÞÓÞ, çâÞ ßÞÔàÐ×ãÜÕÒÐÕâ ÐÔàÕá ÜÕáâÐ ÝÐ×ÝÐçÕÝØï. ÂÞçÝÞ âÐÚ ÖÕ ÜÞÖÕâ ÞßàÕÔÕÛïâì ÚÐÚ ÕÔØÝáâÒÕÝÝëÙ IP-ÐÔàÕá, âÐÚ Ø ÔØÐßÐ×ÞÝ ÐÔàÕáÞÒ. ÁØÜÒÞÛ ! ØáßÞÛì×ãÕâáï ÔÛï ÛÞÓØçÕáÚÞÙ ØÝÒÕàáØØ ÚàØâÕàØï.
ºàØâÕàØÙ -i, --in-interface
¿àØÜÕà iptables -A INPUT -i eth0
¾ßØáÐÝØÕ ¸ÝâÕàäÕÙá, á ÚÞâÞàÞÓÞ ÑëÛ ßÞÛãçÕÝ ßÐÚÕâ. ¸áßÞÛì×ÞÒÐÝØÕ íâÞÓÞ ÚàØâÕàØï ÔÞßãáÚÐÕâáï âÞÛìÚÞ Ò æÕßÞçÚÐå INPUT, FORWARD Ø PREROUTING, Ò ÛîÑëå ÔàãÓØå áÛãçÐïå ÑãÔÕâ Òë×ëÒÐâì áÞÞÑéÕÝØÕ ÞÑ ÞèØÑÚÕ. ¿àØ ÞâáãâáâÒØØ íâÞÓÞ ÚàØâÕàØï ßàÕÔßÞÛÐÓÐÕâáï ÛîÑÞÙ ØÝâÕàäÕÙá, çâÞ àÐÒÝÞáØÛìÝÞ ØáßÞÛì×ÞÒÐÝØî ÚàØâÕàØï -i +. ºÐÚ Ø ßàÕÖÔÕ, áØÜÒÞÛ ! ØÝÒÕàâØàãÕâ àÕ×ãÛìâÐâ áÞÒßÐÔÕÝØï. µáÛØ ØÜï ØÝâÕàäÕÙáÐ ×ÐÒÕàèÐÕâáï áØÜÒÞÛÞÜ +, âÞ ÚàØâÕàØÙ ×ÐÔÐÕâ ÒáÕ ØÝâÕàäÕÙáë, ÝÐçØÝÐîéØÕáï á ×ÐÔÐÝÝÞÙ áâàÞÚØ, ÝÐßàØÜÕà -i PPP+ ÞÑÞ×ÝÐçÐÕâ ÛîÑÞÙ PPP ØÝâÕàäÕÙá, Ð ×Ðߨáì -i ! eth+ -- ÛîÑÞÙ ØÝâÕàäÕÙá, ÚàÞÜÕ ÛîÑÞÓÞ eth.
ºàØâÕàØÙ -o, --out-interface
¿àØÜÕà iptables -A FORWARD -o eth0
¾ßØáÐÝØÕ ·ÐÔÐÕâ ØÜï ÒëåÞÔÝÞÓÞ ØÝâÕàäÕÙáÐ. ÍâÞâ ÚàØâÕàØÙ ÔÞßãáÚÐÕâáï ØáßÞÛì×ÞÒÐâì âÞÛìÚÞ Ò æÕßÞçÚÐå OUTPUT, FORWARD Ø POSTROUTING, Ò ßàÞâØÒÝÞÜ áÛãçÐÕ ÑãÔÕâ ÓÕÝÕàØàÞÒÐâìáï áÞÞÑéÕÝØÕ ÞÑ ÞèØÑÚÕ. ¿àØ ÞâáãâáâÒØØ íâÞÓÞ ÚàØâÕàØï ßàÕÔßÞÛÐÓÐÕâáï ÛîÑÞÙ ØÝâÕàäÕÙá, çâÞ àÐÒÝÞáØÛìÝÞ ØáßÞÛì×ÞÒÐÝØî ÚàØâÕàØï -o +. ºÐÚ Ø ßàÕÖÔÕ, áØÜÒÞÛ ! ØÝÒÕàâØàãÕâ àÕ×ãÛìâÐâ áÞÒßÐÔÕÝØï. µáÛØ ØÜï ØÝâÕàäÕÙáÐ ×ÐÒÕàèÐÕâáï áØÜÒÞÛÞÜ +, âÞ ÚàØâÕàØÙ ×ÐÔÐÕâ ÒáÕ ØÝâÕàäÕÙáë, ÝÐçØÝÐîéØÕáï á ×ÐÔÐÝÝÞÙ áâàÞÚØ, ÝÐßàØÜÕà -o eth+ ÞÑÞ×ÝÐçÐÕâ ÛîÑÞÙ eth ØÝâÕàäÕÙá, Ð ×Ðߨáì -o ! eth+ - ÛîÑÞÙ ØÝâÕàäÕÙá, ÚàÞÜÕ ÛîÑÞÓÞ eth
ºàØâÕàØÙ -f, --fragment
¿àØÜÕà iptables -A INPUT -f
¾ßØáÐÝØÕ ¿àÐÒØÛÞ àÐáßàÞáâàÐÝïÕâáï ÝÐ ÒáÕ äàÐÓÜÕÝâë äàÐÓÜÕÝâØàÞÒÐÝÝÞÓÞ ßÐÚÕâÐ, ÚàÞÜÕ ßÕàÒÞÓÞ, áÔÕÛÐÝÞ íâÞ ßÞâÞÜã, çâÞ ÝÕâ ÒÞ×ÜÞÖÝÞáâØ ÞßàÕÔÕÛØâì ØáåÞÔïéØÙ/ÒåÞÔïéØÙ ßÞàâ ÔÛï äàÐÓÜÕÝâÐ ßÐÚÕâÐ, Ð ÔÛï ICMP-ßÐÚÕâÞÒ ÞßàÕÔÕÛØâì Øå âØß. Á ßÞÜÞéìî äàÐÓÜÕÝâØàÞÒÐÝÝëå ßÐÚÕâÞÒ ÜÞÓãâ ßàÞØ×ÒÞÔØâìáï ÐâÐÚØ ÝÐ ÒÐè ÑàÐÝÔÜÐãíà, âÐÚ ÚÐÚ äàÐÓÜÕÝâë ßÐÚÕâÞÒ ÜÞÓãâ ÝÕ ÞâÛÐÒÛØÒÐâìáï ÔàãÓØÜØ ßàÐÒØÛÐÜØ. ºÐÚ Ø àÐÝìèÕ, ÔÞßãáÚÐÕâáï ØáßÞÛì×ÞÒÐÝØï áØÜÒÞÛÐ ! ÔÛï ØÝÒÕàáØØ àÕ×ãÛìâÐâÐ áàÐÒÝÕÝØï. âÞÛìÚÞ Ò ÔÐÝÝÞÜ áÛãçÐÕ áØÜÒÞÛ ! ÔÞÛÖÕÝ ßàÕÔèÕáâÒÞÒÐâì ÚàØâÕàØî -f, ÝÐßàØÜÕà ! -f. ¸ÝÒÕàáØï ÚàØâÕàØï âàÐÚâãÕâáï ÚÐÚ "ÒáÕ ßÕàÒëÕ äàÐÓÜÕÝâë äàÐÓÜÕÝâØàÞÒÐÝÝëå ßÐÚÕâÞÒ Ø/ØÛØ ÝÕäàÐÓÜÕÝâØàÞÒÐÝÝëÕ ßÐÚÕâë, ÝÞ ÝÕ ÒâÞàëÕ Ø ßÞáÛÕÔãîéØÕ äàÐÓÜÕÝâë äàÐÓÜÕÝâØàÞÒÐÝÝëå ßÐÚÕâÞÒ".

½ÕïÒÝëÕ ÚàØâÕàØØ

² íâÞÜ àÐ×ÔÕÛÕ Üë àÐááÜÞâàØÜ ÝÕïÒÝëÕ ÚàØâÕàØØ, âÞçÝÕÕ, âÕ ÚàØâÕàØØ, ÚÞâÞàëÕ ßÞÔÓàãÖÐîâáï ÝÕïÒÝÞ Ø áâÐÝÞÒïâáï ÔÞáâãßÝë, ÝÐßàØÜÕà ßàØ ãÚÐ×ÐÝØØ ÚàØâÕàØï --protocol. ½Ð áÕÓÞÔÝïèÝØÙ ÔÕÝì áãéÕáâÒãÕâ âàØ ÐÒâÞÜÐâØçÕáÚØ ßÞÔÓàãÖÐÕÜëå àÐáèØàÕÝØï, íâÞ TCP ÚàØâÕàØØ, UDP ÚàØâÕàØØ Ø ICMP ÚàØâÕàØØ (ßàØ ßÞáâàÞÕÝØØ áÒÞØå ßàÐÒØÛ ï áâÞÛÚÝãÛáï á ÝÕÞÑåÞÔØÜÞáâìî ×ÐÓàã×ÚØ ãÚÐ×ÐÝÝëå àÐáèØàÕÝØÙ ïÒÝÞ, â.Õ. àÐáèØàÕÝØï ÝÕ ßÞÔÓàãÖÐîâáï ÐÒâÞÜÐâØçÕáÚØ. ßàØÜ. ßÕàÕÒ.). ·ÐÓàã×ÚÐ íâØå àÐáèØàÕÝØÙ ÜÞÖÕâ ßàÞØ×ÒÞÔØâìáï Ø ïÒÝëÜ ÞÑàÐ×ÞÜ á ßÞÜÞéìî ÚÛîçÐ -m, -match, ÝÐßàØÜÕà -m tcp.


TCP ÚàØâÕàØØ

ÍâÞ àÐáèØàÕÝØÕ ×ÐÒØáØâ Þâ âØßÐ ßàÞâÞÚÞÛÐ Ø àÐÑÞâÐÕâ âÞÛìÚÞ á TCP ßÐÚÕâÐÜØ. ÇâÞÑë ØáßÞÛì×ÞÒÐâì íâØ ÔÞßÞÛÝØâÕÛìÝëÕ ÚàØâÕàØØ, ÒÐÜ ßÞâàÕÑãÕâáï Ò ßàÐÒØÛÐå ãÚÐ×ëÒÐâì âØß ßàÞâÞÚÞÛÐ --protocol tcp. ²ÐÖÝÞ: ÚàØâÕàØÙ --protocol tcp ÞÑï×ÐâÕÛìÝÞ ÔÞÛÖÕÝ áâÞïâì ßÕàÕÔ áßÕæØäØçÝëÜ ÚàØâÕàØÕÜ. ÍâØ àÐáèØàÕÝØï ×ÐÓàãÖÐîâáï ÐÒâÞÜÐâØçÕáÚØ ÚÐÚ ÔÛï tcp ßàÞâÞÚÞÛÐ, âÐÚ Ø ÔÛï udp Ø icmp ßàÞâÞÚÞÛÞÒ.(¾ ÝÕïÒÝÞÙ ×ÐÓàã×ÚÕ àÐáèØàÕÝØÙ ï ãÖÕ ãßÞÜØÝÐÛ ÒëèÕ ßàØÜ. ßÕàÕÒ.).

Table 5. TCP matches

Match: --sport, --source-port
Example: iptables -A INPUT -p tcp --sport 22
Description: The source port of the packet. The argument is either a port number or a service name; the mapping between service names and port numbers is in /etc/services. Numeric ports are parsed slightly faster when the rule is loaded but are less readable in script listings; for large rule sets, say several hundred rules or more, numbers are the better choice.
Port numbers may also be given as a range min:max, for example --source-port 22:80. If the lower bound is omitted, as in --source-port :80, the range starts at 0; if the upper bound is omitted, as in --source-port 22:, it ends at 65535. A reversed range such as --source-port 80:22 is accepted: iptables swaps the bounds, so it is treated as --source-port 22:80. As elsewhere, ! negates the match: --source-port ! 22 matches any source port except 22, and negation also applies to a range, e.g. --source-port ! 22:80.
Match: --dport, --destination-port
Example: iptables -A INPUT -p tcp --dport 22
Description: The destination port of the packet. The argument takes the same forms as for --source-port.
Match: --tcp-flags
Example: iptables -p tcp --tcp-flags SYN,ACK,FIN SYN
Description: Takes two lists: the mask of flags to examine, and the flags that must be set among them; every flag in the mask that is not in the second list must be clear. In the example, packets match if SYN is set and ACK and FIN are both clear (the state of RST, URG and PSH is not examined). Valid flag names are SYN, ACK, FIN, RST, URG and PSH, plus the reserved words ALL (every flag) and NONE (no flag); --tcp-flags ALL NONE therefore matches packets with no flags set at all, which is what a null scan sends. As elsewhere, ! negates the match. Important: the names within each list are separated by commas, and the two lists are separated by a space.
Match: --syn
Example: iptables -p tcp --syn
Description: The --syn match is essentially a relic inherited from ipchains. It matches packets with the SYN flag set and the ACK and RST flags clear, i.e. it is equivalent to --tcp-flags SYN,RST,ACK SYN (recent iptables releases also require FIN to be clear). Such packets are the first packet of a TCP connection: dropping them in the INPUT chain stops all incoming connection attempts, while the replies to connections opened from the host itself, which carry SYN together with ACK, still pass. As elsewhere, the match can be negated with !: ! --syn matches every packet that is not a connection request, i.e. every packet that does not have SYN set with ACK and RST clear, for instance any packet carrying ACK.
Match: --tcp-option
Example: iptables -p tcp --tcp-option 16
Description: Matches packets that carry the TCP option with the given number. A packet without a complete TCP header is dropped automatically when this match tries to examine its options. As elsewhere, the match can be negated with !.
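The mask/comparison semantics of --tcp-flags, and the --syn shorthand, are easy to get wrong in a rule set, so here is an added example that models them in Python. It is not code from the tutorial or from netfilter; the flag bit values are those of the TCP header in RFC 793, and the sample packets and the rule order in classify() are constructed for the demonstration.

```python
# Added example: a Python model of the iptables --tcp-flags and --syn matches.
# Not code from the tutorial or from netfilter; flag bit values are from RFC 793.

# Bit values of the TCP flags as laid out in the TCP header.
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def parse_flag_list(spec):
    """Turn an iptables flag list ("SYN,ACK,FIN", "ALL", "NONE") into a bitmask."""
    spec = spec.strip().upper()
    if spec == "ALL":
        return sum(FLAG_BITS.values())
    if spec == "NONE":
        return 0
    mask = 0
    for name in spec.split(","):
        if name not in FLAG_BITS:
            raise ValueError("unknown TCP flag: %r" % name)
        mask |= FLAG_BITS[name]
    return mask


def tcp_flags_match(packet_flags, mask_spec, comp_spec, invert=False):
    """--tcp-flags MASK COMP: among the flags in MASK, exactly those in COMP are set."""
    mask = parse_flag_list(mask_spec)
    comp = parse_flag_list(comp_spec)
    matched = (packet_flags & mask) == comp
    return matched != invert          # '!' in front of the match flips the result


def syn_match(packet_flags, invert=False):
    """--syn: SYN set, ACK and RST clear, i.e. --tcp-flags SYN,RST,ACK SYN."""
    return tcp_flags_match(packet_flags, "SYN,RST,ACK", "SYN", invert)


# Constructed rule order, first match wins, as rules in a chain would be consulted.
RULES = [
    ("null scan (no flags)",        lambda f: tcp_flags_match(f, "ALL", "NONE")),
    ("xmas scan (FIN,PSH,URG)",     lambda f: tcp_flags_match(f, "ALL", "FIN,PSH,URG")),
    ("bogus SYN+FIN",               lambda f: tcp_flags_match(f, "SYN,FIN", "SYN,FIN")),
    ("new connection (--syn)",      syn_match),
    ("inside connection (! --syn)", lambda f: syn_match(f, invert=True)),
]


def classify(packet_flags):
    """Label a packet by the first rule in RULES that matches its flag byte."""
    for label, rule in RULES:
        if rule(packet_flags):
            return label
    return "no match"   # unreachable: --syn and ! --syn together cover every packet


# Constructed sample packets: (description, flag byte as found in the TCP header).
SAMPLE_PACKETS = [
    ("client opens connection", FLAG_BITS["SYN"]),
    ("server replies SYN/ACK",  FLAG_BITS["SYN"] | FLAG_BITS["ACK"]),
    ("data segment PSH/ACK",    FLAG_BITS["PSH"] | FLAG_BITS["ACK"]),
    ("null scan probe",         0),
    ("xmas scan probe",         FLAG_BITS["FIN"] | FLAG_BITS["PSH"] | FLAG_BITS["URG"]),
    ("SYN+FIN probe",           FLAG_BITS["SYN"] | FLAG_BITS["FIN"]),
]

if __name__ == "__main__":
    for description, flags in SAMPLE_PACKETS:
        print("%-26s flags=0x%02x -> %s" % (description, flags, classify(flags)))
```

The three scan-style rules are placed before the --syn rule on purpose: a SYN+FIN probe would otherwise be accepted as an ordinary connection request, because --syn only looks at SYN, RST and ACK.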

UDP matches

This section covers the matches specific to UDP. The extension is loaded implicitly when the protocol is selected with --protocol udp. Keep in mind that UDP is connectionless: its datagrams carry no flags that would reveal their role in an exchange, and delivery is not acknowledged; a datagram lost in transit is simply lost, without any ICMP error being generated for the loss. As a result there are far fewer UDP-specific matches than TCP-specific ones. Important: a good firewall must handle connectionless traffic, UDP and ICMP alike, as carefully as it handles TCP; later chapters return to this.

Table 6. UDP matches

Match: --sport, --source-port
Example: iptables -A INPUT -p udp --sport 53
Description: The source port of the datagram. The argument takes the same forms as the TCP --source-port match: a port number or a service name from /etc/services (numbers load slightly faster and are preferable in large rule sets), a range min:max where an omitted lower bound defaults to 0 and an omitted upper bound to 65535, a reversed range such as 80:22 being swapped to 22:80 automatically, and ! for negation, which also applies to a range (e.g. --source-port ! 22:80).
Match: --dport, --destination-port
Example: iptables -A INPUT -p udp --dport 53
Description: The destination port of the datagram. The argument takes exactly the same forms as for --source-port.

ICMP matches

ICMP (Internet Control Message Protocol) is used mainly to report errors and to carry control messages. It is carried inside IP datagrams and works hand in hand with IP, since it is how error conditions are signalled. An ICMP header resembles an IP header but differs from it; its essential field is the type, which says what kind of message the packet carries. For example, an attempt to reach an unreachable host is answered with an ICMP host unreachable message. The full list of ICMP types is in the appendix on ICMP types. There is only one ICMP-specific match; the extension is loaded implicitly when the protocol is selected with --protocol icmp. Note that the generic matches apply to ICMP packets as well, since they have a source address, a destination address and so on.

Table 7. ICMP matches

Match: --icmp-type
Example: iptables -A INPUT -p icmp --icmp-type 8
Description: The ICMP message type, given as a number or as a name; the numeric values are defined in RFC 792 (type 8 in the example is an echo request, i.e. a ping). The list of names known to iptables is printed by iptables --protocol icmp --help, and the appendix on ICMP types gives the same information. As elsewhere, ! negates the match, e.g. --icmp-type ! 8.

Explicit matches

These extensions must be loaded explicitly with the -m or --match option before they can be used. For example, to use the state match, -m state must appear in the rule to the left of the --state option. Some of these extensions are still under development and may not work in every situation, but in most cases they are quite stable. The only difference between explicit and implicit matches is that the former must be loaded explicitly while the latter are loaded automatically.


MAC match

Table 8. MAC match

The MAC match checks the source MAC address of a packet. At present the -m mac module provides this single match; it may be extended in the future and become more useful.

Note

The extension must be loaded explicitly with -m mac. I mention this because many people forget the option and then wonder why the match does not work.

Match: --mac-source
Example: iptables -A INPUT -m mac --mac-source 00:00:00:00:00:01
Description: The MAC address of the node that put the frame on the wire, written as XX:XX:XX:XX:XX:XX. As elsewhere, ! negates the match: --mac-source ! 00:00:00:00:00:01 matches frames from any node except the one with MAC address 00:00:00:00:00:01. The match only makes sense in the PREROUTING, FORWARD and INPUT chains, and nowhere else. Two caveats for anyone building access rules on it: the address seen is that of the last hop on the local segment (for traffic arriving through a router it is the router's address, not the original sender's), and a MAC address is trivially forged by the sender, so the match restricts which local station a frame appears to come from but does not authenticate it.

limit match

The extension must be loaded explicitly with -m limit. It is ideal for rules that write to the system log, and for similar purposes: adding it to a rule caps the number of packets per unit of time that the rule will match, so a flood of packets cannot fill the log. The limit match does not support negation; iptables reports an error if ! is used with it.

Table 9. limit match

Match: --limit
Example: iptables -A INPUT -m limit --limit 3/hour
Description: The sustained rate, as a count followed by a time unit, at which the rule may match packets once its burst has been used up; all other matches of the rule must of course also be satisfied. The accepted units are /second, /minute, /hour and /day. The default is 3 packets per hour, i.e. 3/hour. The ! negation flag is not allowed with this match.
Match: --limit-burst
Example: iptables -A INPUT -m limit --limit-burst 5
Description: The size of the burst, i.e. the maximum number of packets the rule may match in quick succession before the rate from --limit applies. The match works as a token bucket: it starts with --limit-burst tokens, every matched packet consumes one token, a packet arriving when the bucket is empty does not match, and tokens are added back at the --limit rate (one every 20 minutes for 3/hour) up to the burst size. The default is 5. To demonstrate how this works I wrote the script limit-test.txt; with it you can watch the limit match react to ping packets sent at various intervals.

Translator's note: For a very long time my understanding of the limit match stayed at an intuitive level, until Vladimir Kholmanov (hat off, with the deepest bow) explained its essence to me simply and clearly. I will try to pass his explanation on:

  1. The -m limit extension implies the --limit and --limit-burst options. If you do not specify them, they take their default values.
  2. --limit-burst is the maximum value of the packet counter; when it is reached, the limit kicks in.
  3. --limit is the rate at which the burst counter is "wound back".

A principle that is easy to implement in C and is widely used in many rate-limiting algorithms.
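The description of --limit and --limit-burst above, and the translator's three points, describe a token bucket. The following added example (not code from the tutorial, the translator or netfilter) models the limit match that way in Python so you can see which packets of a burst match; the arrival times are constructed, and the kernel keeps the same accounting with integer credits rather than the floating point used here.

```python
# Added example: token-bucket model of the iptables limit match (-m limit).
# Not code from the tutorial, the translator or netfilter; the kernel keeps the
# same accounting with integer credits, floats are used here for readability.

UNITS = {"second": 1.0, "minute": 60.0, "hour": 3600.0, "day": 86400.0}


def parse_rate(spec):
    """'3/hour' -> tokens per second ('3' alone means 3/hour, as in iptables)."""
    count, _, unit = spec.partition("/")
    return float(count) / UNITS[unit or "hour"]


class LimitMatch:
    """Per-rule state for '-m limit --limit RATE --limit-burst N'."""

    def __init__(self, limit="3/hour", limit_burst=5):
        self.rate = parse_rate(limit)     # tokens refilled per second (--limit)
        self.burst = float(limit_burst)   # bucket capacity (--limit-burst)
        self.tokens = self.burst          # the bucket starts full
        self.last = None                  # arrival time of the previous packet

    def matches(self, now):
        """True if a packet arriving at time `now` (seconds) matches the rule."""
        if self.last is not None:
            # Refill for the elapsed time, never beyond the burst size.
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0            # a matched packet spends one token
            return True
        return False                      # bucket empty: the rule does not match


def simulate(arrivals, limit="3/hour", limit_burst=5):
    """Feed constructed arrival times through one limit match; one decision per packet."""
    state = LimitMatch(limit, limit_burst)
    return [state.matches(t) for t in arrivals]


if __name__ == "__main__":
    # Constructed arrivals: five pings in quick succession, two more right after,
    # then one after about 22 minutes and one after 45 minutes. With the defaults
    # (3/hour, burst 5) the first five match, the next two do not, and the two
    # late ones match again because the bucket has refilled in the meantime.
    pings = [0, 1, 2, 3, 4, 5, 6, 1300, 2700]
    for t, hit in zip(pings, simulate(pings)):
        print("t=%5ds  %s" % (t, "LOG" if hit else "skip"))
```

Used in front of a LOG rule this is exactly the protection the text has in mind: during a flood only the first --limit-burst packets and then one packet per refill interval reach the log, whatever the packet rate.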




Multiport match

The multiport match makes it possible to list several ports and port ranges in one rule.

Note

You cannot combine the ordinary port match and -m multiport in the same rule (for example --sport 1024:65535 -m multiport --dport 21,23,80); iptables simply refuses such rules.

Table 10. Multiport match

Match: --source-port
Example: iptables -A INPUT -p tcp -m multiport --source-port 22,53,80,110
Description: A list of source ports. Up to 15 ports can be given; the entries are separated by commas and no spaces are allowed in the list. The extension can only be used together with -p tcp or -p udp. It is mainly used as an extended version of the ordinary --source-port match.
Match: --destination-port
Example: iptables -A INPUT -p tcp -m multiport --destination-port 22,53,80,110
Description: A list of destination ports. The argument format is exactly the same as for -m multiport --source-port.
Match: --port
Example: iptables -A INPUT -p tcp -m multiport --port 22,53,80,110
Description: Checks both the source and the destination port of the packet against the list, with the same argument format as --source-port and --destination-port. The packet matches if either of its ports is in the list: -m multiport --port 80 matches packets coming from port 80 as well as packets going to port 80.

Mark match

The mark match examines the "mark" carried by a packet. The mark is a field that exists only in kernel memory, attached to the packet while it is inside the host; it can be used for all sorts of purposes, such as traffic shaping and filtering. At present the only way to set a mark in Linux is the MARK target. The mark field is an unsigned 32-bit integer, so it can hold values from 0 to 4294967295.

Table 11. mark match

Match: --mark
Example: iptables -t mangle -A INPUT -m mark --mark 1
Description: Matches packets that were previously marked with the MARK target, described below. Every packet passing through netfilter has a mark field. Remember that there is no way to transmit the mark with the packet over the network. Being an unsigned 32-bit integer, the field allows 4294967296 distinct marks. A mask may be given with the value, as in --mark 1/1: the packet's mark is ANDed with the mask and the result is compared with the value, so --mark 1/1 matches any packet whose lowest mark bit is set, whatever the other bits are.

owner match

The owner match checks the "owner" of a packet, i.e. the local process that created it. It was originally written as an example of what iptables extensions can do. The match can be used only in the OUTPUT chain, because there is no way to carry ownership information over the network. Note also that for some packets no owner can be determined even in that chain; ICMP responses generated by the kernel are an example, so the match should not be applied to them. (Later kernels, from 2.6.14 on, keep only the --uid-owner and --gid-owner checks; --pid-owner and --sid-owner were removed.)

Table 12. owner match

Match: --uid-owner
Example: iptables -A OUTPUT -m owner --uid-owner 500
Description: Matches on the User ID (UID) of the owning process. This can be used, for example, to block Internet access for particular users.
Match: --gid-owner
Example: iptables -A OUTPUT -m owner --gid-owner 0
Description: Matches on the Group ID (GID) of the owning process.
Match: --pid-owner
Example: iptables -A OUTPUT -m owner --pid-owner 78
Description: Matches on the Process ID (PID) of the owning process. This is awkward to use: to allow traffic to the HTTP port only from a given daemon, for instance, you need a small script that finds the daemon's PID (with ps, say) and substitutes it into the rules. An example is in pid-owner.txt.
Match: --sid-owner
Example: iptables -A OUTPUT -m owner --sid-owner 100
Description: Matches on the Session ID of the owning process. The SID is inherited by child processes from their parent, so all processes of an HTTPD (Apache or Roxen, for example) share one SID. An example is in sid-owner.txt; that script can be run periodically to check whether the HTTPD is still running, restart it if it has died, and then flush the OUTPUT chain and reload it with the new SID.

state match

The state match works together with the connection tracking code and gives access to the connection state that conntrack has assigned to a packet, which makes stateful decisions possible even for protocols such as ICMP and UDP. The extension must be loaded explicitly with -m state. The mechanism itself is described in detail in the chapter The state machine.

Table 13. state matches

Match: --state
Example: iptables -A INPUT -m state --state RELATED,ESTABLISHED
Description: Matches the connection-tracking state of the packet. At present four states exist: INVALID, ESTABLISHED, NEW and RELATED. INVALID means the packet cannot be associated with any known connection or flow and may carry a malformed header or bad data. ESTABLISHED means the packet belongs to a connection that has already seen traffic in both directions. NEW means the packet starts a new connection, or belongs to a flow that has so far only been seen in one direction. RELATED means the packet is not part of an existing connection but is related to one: the data connection of an FTP session, for example, or an ICMP error message referring to an existing TCP or UDP connection. Note that NEW is not the same thing as a TCP packet with the SYN bit set: any TCP packet that conntrack has not seen before is NEW, even one that carries only ACK, and such packets can be dangerous when a single firewall protects the network, because a rule that accepts NEW will let them through. This problem, and the usual remedy of dropping NEW TCP packets that lack the SYN bit, is discussed later in this document under the heading NEW packets without the SYN bit set.

Unclean match

The unclean match takes no options; loading the module explicitly is all that is needed to use it. Be careful: the module is experimental and may behave incorrectly in some situations. It is meant to weed out packets that deviate from the standards, such as packets with damaged headers or bad checksums, but it can also break perfectly legitimate connections. It never left experimental status and is absent from later kernels.


TOS match

The TOS match checks the bits of the TOS field. TOS (Type Of Service) is an 8-bit field in the IP header. The module must be loaded explicitly with -m tos.

Translator's note: The description of the TOS field that follows is not taken from the original, since I find the original description somewhat vague.
The field exists for the benefit of routing. Setting any of its bits may cause a router to treat the packet differently from a packet with all TOS bits clear. Each bit of the TOS field has its own meaning. Only one of these bits may be set in a packet, so combinations are not allowed. Each bit denotes a type of service:
Minimum delay
Used when the transit time of the packet must be as short as possible, i.e. when it has a choice the router will pick the faster link for such a packet. For example, given a choice between a fibre-optic line and a satellite link, preference will be given to the faster fibre.
Maximum throughput
Indicates that the packet should be forwarded over the link with the highest throughput. Satellite links, for example, have a long delay but high throughput.
Maximum reliability
The most reliable route is chosen, to avoid having to retransmit the packet. PPP and SLIP links, for example, are less reliable than, say, X.25 networks, so a provider may offer a special route of higher reliability.
Minimum cost
Used when it is important to minimise the (monetary) cost of transmission. For example, for transoceanic traffic renting a satellite channel may be cheaper than renting fibre; setting this bit may well send the packet along the cheaper route.
Normal service
All TOS bits are clear. Routing of such a packet is left entirely to the provider's discretion.

Table 14. TOS match

Match: --tos
Example: iptables -A INPUT -p tcp -m tos --tos 0x16
Description: Matches the TOS bits described above. The field is normally meant for routing, but it can perfectly well be used to "mark" packets for iproute2 and advanced routing on Linux. The argument is a decimal or hexadecimal number, or the mnemonic of a bit; the mnemonics and their numeric values are printed by iptables -m tos -h and are listed below.
Minimize-Delay 16 (0x10) (minimum delay),
Maximize-Throughput 8 (0x08) (maximum throughput),
Maximize-Reliability 4 (0x04) (maximum reliability),
Minimize-Cost 2 (0x02) (minimum cost),
Normal-Service 0 (0x00) (normal service).

TTL match

TTL (Time To Live) is a numeric field in the IP header. Every router the packet passes decrements it by one; when it reaches zero the packet is discarded and the sender is told with an ICMP type 11 message, code 0 (TTL equals 0 during transit) or code 1 (TTL equals 0 during reassembly). The module must be loaded explicitly with -m ttl.

Translator's note: Here again the original text does not quite agree with reality, at least for iptables 1.2.6a, which is the version actually being discussed: there are three different matches on the TTL field, -m ttl --ttl-eq number, -m ttl --ttl-lt number and -m ttl --ttl-gt number. Their purpose is obvious from the syntax.
Nevertheless, I give the translation of the original:

Table 15. TTL match

Match: --ttl
Example: iptables -A OUTPUT -m ttl --ttl 60
Description: Matches packets whose TTL field equals the given value. This can help when debugging a local network, for example when some machine on the LAN cannot reach a server on the Internet, or when hunting for trojans; in general the uses are limited only by your imagination. Another example: the match can be used to spot hosts with a poor TCP/IP stack implementation or a misconfigured OS, since each OS starts its packets with a characteristic initial TTL, and the value seen also reveals how many hops away the sender is.

Targets and jumps

Targets and jumps tell a rule what to do with a packet that matches its criteria. The most commonly used targets are ACCEPT and DROP. First, though, a brief look at jumps.

A jump is written exactly like a target: the -j option followed by the name of the chain to jump to. Two restrictions apply: the target chain must be in the same table as the chain the jump is made from, and it must have been created before any rule jumps to it. For example, create the chain tcp_packets in the filter table with iptables -N tcp_packets; rules can now jump to it, e.g. iptables -A INPUT -p tcp -j tcp_packets. When a TCP packet hits that rule, iptables jumps to tcp_packets and continues evaluating the packet against that chain's rules. If the packet reaches the end of tcp_packets, it returns to the calling chain (INPUT here) and evaluation resumes at the rule after the one that made the jump. If a rule in the nested chain applies ACCEPT, the packet is accepted in the calling chain as well and does not traverse the rest of the calling chains; it does, however, still traverse the chains of the other tables. More on the order in which tables and chains are traversed is in the chapter Traversing of tables and chains.

A target is a predefined command describing what to do with a packet that matches the rule, for instance DROP or ACCEPT as the situation requires. There are several other targets, described later in this section. Some targets end the packet's traversal of the chain, DROP and ACCEPT for example; others perform some operation and let the packet continue down the chain, LOG for example; and others modify the packet. Of the modifying targets, TTL and TOS let the packet continue down the chain, whereas DNAT and SNAT, which rewrite addresses, end traversal of the nat chain they are used in.


ACCEPT target

This target takes no options. When ACCEPT is applied to a packet, the packet stops traversing the current chain (and all calling chains, if the current chain was entered by a jump) and is considered ACCEPTED, i.e. let through; it still has to traverse the chains of the other tables, however, and may be rejected there. The target is specified as -j ACCEPT.


DROP target

This target simply "drops" the packet and iptables "forgets" that it ever existed. A dropped packet goes no further at all: it is not passed on to other tables, as happens with ACCEPT. Bear in mind that dropping can have unwanted side effects, since it may leave dead sockets open on both the server and the client side that wait until their timers expire; in such cases REJECT is the cleaner choice. The same trade-off applies to port scans: DROP makes the scanner wait for a timeout on every probe but reports the port as filtered, which reveals that a firewall is there, whereas REJECT answers at once and makes the port look merely closed, at the cost of one reply packet per probe.


QUEUE target

The QUEUE target queues the packet for handling by a userspace process. It can be used for accounting, proxying or additional packet filtering.

Translator's note: Here the author discusses at length that the subject is far outside the scope of this document, and so on; so, without further ado, I give an excerpt from the Linux 2.4 Packet Filtering HOWTO in the translation by Evgeny Danilchenko aka virii5, eugene@kriljon.ru

"...For this target to be useful, two further components are needed:

  • a "queue handler", which does the work of passing packets between the kernel and the userspace application; and
  • a userspace application that receives the packets, possibly processes them, and decides their fate.
The standard queue handler for IPv4 is the ip_queue module, which ships with the kernel and is marked experimental. Below is an example of how iptables can be used to pass packets to a userspace application:
# modprobe iptable_filter
# modprobe ip_queue
# iptables -A OUTPUT -p icmp -j QUEUE
With this rule, locally generated ICMP packets (such as those produced by the ping command) are passed to the ip_queue module, which then tries to hand them to a userspace application. If no such application is found, the packets are dropped. To write a userspace packet-handling program, use the libipq API, which ships with the iptables package. Examples can be found in the testsuite tools (for instance redirect.c) in CVS. The status of ip_queue can be checked through /proc/net/ip_queue. The maximum queue length (i.e. the number of packets handed to the userspace application without a verdict yet) is controlled through /proc/sys/net/ipv4/ip_queue_maxlen; the default is 1024. Once that limit is reached, new packets are dropped until the queue falls back below it. Well-behaved protocols such as TCP interpret dropped packets as congestion and cope with it (as far as I remember, the packet is simply retransmitted by the remote side, translator's note). Some experimentation may nevertheless be needed to find the optimal queue length for a given case, if the default is too small..."




RETURN target

The RETURN target stops the packet's traversal of the current chain. If the current chain was entered by a jump, evaluation resumes in the calling chain at the rule after the one that jumped; if the current chain is a built-in one (INPUT, for example), the chain's default policy is applied to the packet. The default policy is usually ACCEPT or DROP.

For example, suppose a packet traversing INPUT hits a rule with --jump EXAMPLE_CHAIN, and in EXAMPLE_CHAIN it hits a rule with --jump RETURN. The packet then returns to INPUT and continues with the rule after the jump. Suppose instead that the packet hits a rule with --jump RETURN in INPUT itself: then the default policy of INPUT is applied to it.
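To make the jump, RETURN and default-policy rules described above concrete, here is an added example in Python that simulates traversal of one table; it is not code from the tutorial or from netfilter. The chain name tcp_packets follows the text's example; the packets and the rules themselves are constructed for the demonstration.

```python
# Added example: simulation of chain traversal in one iptables table, covering
# jumps to user-defined chains, RETURN, ACCEPT/DROP and the built-in chain's
# policy. Not code from the tutorial or from netfilter.

TERMINAL = {"ACCEPT", "DROP"}


class Table:
    """One table: a dict of chains, each a list of (match, target) rules."""

    def __init__(self):
        self.chains = {}      # chain name -> [(match predicate, target), ...]
        self.policy = {}      # built-in chain -> "ACCEPT" or "DROP"

    def new_chain(self, name):                 # iptables -N name
        self.chains[name] = []

    def set_policy(self, chain, verdict):      # iptables -P chain verdict
        self.policy[chain] = verdict

    def append(self, chain, match, target):    # iptables -A chain <match> -j target
        if target not in TERMINAL and target != "RETURN" and target not in self.chains:
            raise ValueError("jump target %r must be created before it is used" % target)
        self.chains.setdefault(chain, []).append((match, target))

    def _walk(self, chain, packet, trace):
        """Evaluate one chain; return ACCEPT/DROP, or None when the chain is
        left by RETURN or by falling off its end."""
        for match, target in self.chains.get(chain, []):
            if not match(packet):
                continue
            trace.append("%s -> %s" % (chain, target))
            if target in TERMINAL:
                return target
            if target == "RETURN":
                return None
            verdict = self._walk(target, packet, trace)   # jump into the user chain
            if verdict is not None:
                return verdict           # ACCEPT/DROP in a nested chain ends it all
            # nested chain exhausted or RETURNed: go on with the next rule here
        return None

    def verdict(self, builtin_chain, packet):
        """Final decision for a packet entering a built-in chain, plus the trace."""
        trace = []
        decision = self._walk(builtin_chain, packet, trace)
        if decision is None:             # nothing decided: the chain policy applies
            decision = self.policy.get(builtin_chain, "ACCEPT")
            trace.append("%s policy -> %s" % (builtin_chain, decision))
        return decision, trace


def build_example():
    """Constructed filter table around the text's tcp_packets example."""
    t = Table()
    t.set_policy("INPUT", "DROP")
    t.new_chain("tcp_packets")                                # iptables -N tcp_packets
    t.append("tcp_packets", lambda p: p.get("dport") == 22, "ACCEPT")
    t.append("tcp_packets", lambda p: p.get("dport") == 23, "RETURN")
    t.append("tcp_packets", lambda p: p.get("dport") == 25, "DROP")
    t.append("INPUT", lambda p: p["proto"] == "tcp", "tcp_packets")  # -A INPUT -p tcp -j tcp_packets
    t.append("INPUT", lambda p: p["proto"] == "udp", "RETURN")
    t.append("INPUT", lambda p: p["proto"] == "icmp", "ACCEPT")
    return t


if __name__ == "__main__":
    table = build_example()
    for pkt in ({"proto": "tcp", "dport": 22}, {"proto": "tcp", "dport": 23},
                {"proto": "tcp", "dport": 80}, {"proto": "udp"}, {"proto": "icmp"}):
        decision, trace = table.verdict("INPUT", pkt)
        print("%-32s %-6s via %s" % (pkt, decision, ", ".join(trace)))
```

The traces show the three outcomes the text distinguishes: an ACCEPT inside tcp_packets ends the walk at once; a RETURN or an exhausted user chain hands the packet back to INPUT, where the remaining rules and finally the DROP policy decide; and a RETURN in INPUT itself goes straight to the policy.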


LOG target

LOG is a target for logging individual packets and events. It can record IP headers and other information of interest to the kernel log, from where it can be read with dmesg, collected by syslogd, or processed by other programs. It is an excellent aid for debugging rules: while a rule set is being tested it is a good idea to use LOG in place of DROP, so that you can see exactly what the firewall would have blocked. Note also the ULOG target, whose capabilities may interest you, since it can send the logged information to a userspace program that writes it to a MySQL database or similar instead of the system log.

Note: if you have trouble getting messages into the system log, the problem is with syslogd, not with iptables or netfilter. See man syslog.conf for configuring syslogd.

LOG has five options, listed below.

Table 17. Options of the LOG target

Option: --log-level
Example: iptables -A FORWARD -p tcp -j LOG --log-level debug
Description: Sets the log level (priority) of the messages. The full list of levels is in the syslog.conf manual page; the usual ones are debug, info, notice, warning, warn, err, error, crit, alert, emerg and panic. error is a synonym for err, warn for warning and panic for emerg; the older spellings error, warn and panic should be avoided. The priority decides how syslogd files the message. All LOG messages are emitted by the kernel, i.e. with the kern facility. With the line kern.=info /var/log/iptables in syslog.conf, every iptables message logged at level info goes to /var/log/iptables; so does every other kernel message at that level, however. For more on syslog and syslog.conf I recommend the manual pages and the HOWTOs.
Option: --log-prefix
Example: iptables -A INPUT -p tcp -j LOG --log-prefix "INPUT packets"
Description: Sets a text prefix that is prepended to every message produced by the rule, so that messages from a particular rule can easily be found, e.g. with grep. The prefix may be up to 29 characters long, spaces included.
Option: --log-tcp-sequence
Example: iptables -A INPUT -p tcp -j LOG --log-tcp-sequence
Description: Also logs the TCP sequence numbers of the packet. Sequence numbers identify each segment in a stream and define the order in which the stream is reassembled. This option is a potential security risk if the system log is readable by all users, since the sequence numbers help an attacker inject data into or hijack the connection; the same caution applies to any log containing iptables messages.
Option: --log-tcp-options
Example: iptables -A FORWARD -p tcp -j LOG --log-tcp-options
Description: Also logs the options from the TCP header of the packet, which can be useful when debugging. Like most LOG options, this one takes no argument.
Option: --log-ip-options
Example: iptables -A FORWARD -p tcp -j LOG --log-ip-options
Description: Also logs the options from the IP header of the packet. Much like --log-tcp-options, but for the IP header.
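Since LOG messages end up in syslog as one line per packet, the detection side of the story is parsing them. The added example below (not code from the tutorial or from netfilter) parses the field layout the LOG target writes, keyed by the --log-prefix text, and then picks out sources that sent SYNs to several ports. The log lines are constructed, with addresses from the documentation ranges, not real captures.

```python
# Added example: parser for the lines the LOG target writes to the kernel log
# (as relayed by syslog), plus a small SYN-scan report built on it. Not code
# from the tutorial or from netfilter. The log lines below are constructed,
# using documentation address ranges, not real captures.
import re
from collections import defaultdict

SAMPLE_LOG = """\
Jun 14 10:21:03 fw kernel: INPUT packets IN=eth0 OUT= MAC=00:50:56:c0:00:08:00:0c:29:3a:bf:11:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 14 10:21:03 fw kernel: INPUT packets IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12346 DF PROTO=TCP SPT=40001 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 14 10:21:04 fw kernel: INPUT packets IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12347 DF PROTO=TCP SPT=40002 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 14 10:21:04 fw kernel: INPUT packets IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12348 DF PROTO=TCP SPT=40003 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 14 10:21:05 fw kernel: INPUT packets IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=60 TOS=0x10 PREC=0x00 TTL=52 ID=777 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jun 14 10:21:05 fw kernel: INPUT packets IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=92 TOS=0x10 PREC=0x00 TTL=52 ID=778 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=65535 RES=0x00 ACK PSH URGP=0
Jun 14 10:21:06 fw kernel: INPUT packets IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=61 TOS=0x00 PREC=0x00 TTL=52 ID=779 PROTO=UDP SPT=5353 DPT=53 LEN=41
Jun 14 10:21:07 fw kernel: eth0: link is up, 1000 Mbps full duplex
"""

# Everything between "kernel: " (optionally followed by a dmesg timestamp) and the
# first "IN=" is the --log-prefix text.
LINE_RE = re.compile(r"kernel: (?:\[\s*\d+\.\d+\] )?(?P<prefix>.*?)(?=IN=)")


def parse_log_line(line):
    """Return {'prefix': ..., 'flags': {...}, 'IN': ..., 'SRC': ...} or None."""
    m = LINE_RE.search(line)
    if m is None:
        return None                              # not a LOG target message
    record = {"prefix": m.group("prefix").strip(), "flags": set()}
    for token in line[m.end():].split():
        key, sep, value = token.partition("=")
        if sep:
            record[key] = value                  # IN=eth0, SRC=..., DPT=...
        else:
            record["flags"].add(token)           # bare words: DF, SYN, ACK, PSH, ...
    return record


def syn_scan_report(log_text, min_ports=3):
    """Sources that sent pure SYNs (connection attempts) to at least min_ports ports."""
    ports_by_source = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None or rec.get("PROTO") != "TCP":
            continue
        if "SYN" not in rec["flags"] or "ACK" in rec["flags"]:
            continue                             # only connection attempts count
        ports_by_source[rec["SRC"]].add(int(rec["DPT"]))
    return {src: sorted(ports) for src, ports in ports_by_source.items()
            if len(ports) >= min_ports}


if __name__ == "__main__":
    for src, ports in syn_scan_report(SAMPLE_LOG).items():
        print("%s probed %d ports: %s" % (src, len(ports), ports))
```

The prefix is what makes this robust: with a distinct --log-prefix per rule, the parser can tell which rule produced a line without re-deriving the match from the fields, and a grep on the prefix is enough for a first triage.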

MARK target

Sets the mark of matching packets. The target may only be used in the mangle table. Marks are typically used to route packets over different routes, to shape traffic, and so on; see the LARTC HOWTO for more. Remember that the mark exists only while the packet is inside this host: it is not transmitted over the network. If packets must be tagged in a way another machine can see, try manipulating the bits of the TOS field instead.

Table 18. Options of the MARK target

Option: --set-mark
Example: iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-mark 2
Description: --set-mark sets the packet's mark to the given value, an unsigned integer.

REJECT target

REJECT is used in the same situations as DROP, but unlike DROP it sends an error message back to the host that sent the packet. At present REJECT "works" only in the INPUT, FORWARD and OUTPUT chains (and in user-defined chains called from them). So far the target has a single option.

Table 19. REJECT target

Option: --reject-with
Example: iptables -A FORWARD -p tcp --dport 22 -j REJECT --reject-with tcp-reset
Description: Selects the reply sent when a packet matches the rule: the specified reply is sent to the source host first, then the packet is dropped. The available replies are icmp-net-unreachable, icmp-host-unreachable, icmp-port-unreachable, icmp-proto-unreachable, icmp-net-prohibited and icmp-host-prohibited; the default is icmp-port-unreachable. All of these are ICMP error messages; see the appendix on ICMP types for details. Finally, tcp-reset can be used for TCP only: with it, REJECT answers with a TCP RST packet, the packet type used to close or refuse TCP connections, which is the same reply a closed port would give. See RFC 793, Transmission Control Protocol, for details. (The list of reply types and their aliases is printed by iptables -j REJECT -h. Translator's note.)

TOS target

The TOS target is used to set bits in the Type of Service field of the IP header. The TOS field is 8 bits long and is used for routing packets. It is one of several fields used by iproute2. It is also important to remember that this field may be processed by various routers to choose the route a packet takes. As noted above, this field, unlike MARK, keeps its value while travelling across the network, and so you can use it for routing the packet. Today most routers on the Internet do not process this field at all, but there are some that do look at it. If you use this field for your own purposes, such routers may make a wrong routing decision, so it is best to use this field for your own purposes only within your own WAN or LAN.

Caution

The TOS target accepts only the predefined numeric values and mnemonics that you can find in linux/ip.h. If you really need to set arbitrary values in the TOS field, you can use the FTOS patch by Matthew G. Marsh. However, be extremely careful with this patch. Non-standard TOS values should not be used except in very special situations.

Note

This target may only be used within the mangle table.

Note

In some older versions of iptables (1.2.2 and below) this target is implemented with a bug (the packet checksum is not corrected), which breaks the protocol exchange, and as a result such connections do not work.

The TOS target has only one option, described below.

Table 20. TOS target

Option: --set-tos
Example: iptables -t mangle -A PREROUTING -p TCP --dport 22 -j TOS --set-tos 0x10
Explanation: The --set-tos option takes a numeric value in decimal or hexadecimal form. Since the TOS field is 8 bits wide, you can specify a number in the range 0 to 255 (0x00 - 0xFF). However, most values of this field are not used at all. It is quite possible that the numeric values will change in future TCP/IP implementations, so to avoid errors it is better to use the mnemonics: Minimize-Delay (16 or 0x10), Maximize-Throughput (8 or 0x08), Maximize-Reliability (4 or 0x04), Minimize-Cost (2 or 0x02) or Normal-Service (0 or 0x00). By default most packets are marked Normal-Service, i.e. 0. You can get the list of mnemonics by running iptables -j TOS -h.

MIRROR target

The MIRROR target should only be used for experiments and demonstration purposes, because it can cause a packet to "loop" and consequently lead to a denial of service. The MIRROR target swaps the source and destination fields of the packet (invert the source and destination fields) and sends it back out onto the network. Using this target can have rather amusing results; it is probably quite entertaining to watch a would-be hacker trying to "break into" their own computer!

This target may only be used in the INPUT, FORWARD and PREROUTING chains, and in chains called from those three. Packets sent out by the MIRROR target are no longer subject to filtering, connection tracking or NAT, which avoids "loops" and other trouble. That does not mean, however, that this target is free of problems. Imagine, for example, that a host using the MIRROR target forges a packet with a TTL of 255 addressed to that very same host, and the packet matches the "mirroring" rule. The packet is "reflected" back to the same host, and since there is only 1 hop between the "receiver" and the "sender", the packet will bounce back and forth 255 times. Not bad for a cracker: with a packet size of 1500 bytes, we lose up to 380 KB of traffic!


SNAT target

SNAT is used for Source Network Address Translation, i.e. changing the source IP address in the IP header of the packet. For example, this target can be used to give other computers on a local network access to the Internet while having only one unique IP address. To do this, packet forwarding must be enabled in the kernel, and then rules are created that translate the source IP addresses of our local network into the real external address. As a result, the outside world knows nothing about our local network; it believes that the requests came from our firewall.

SNAT may only be used in the nat table, in the POSTROUTING chain. In other words, this is the only place where source address translation is allowed. If the first packet of a connection has its source address translated, all subsequent packets of the same connection are translated automatically and do not pass through this chain of rules.

Table 21. SNAT target

Option: --to-source
Example: iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to-source 194.236.50.155-194.236.50.160:1024-32000
Explanation: The --to-source option specifies the address to assign to the packet. Quite simply, you specify the IP address that will be substituted into the packet header as the source. If you intend to distribute the load across several firewalls, you can specify a range of addresses, where the first and last address of the range are separated by a hyphen, for example: 194.236.50.155-194.236.50.160. A specific IP address from the range is then chosen randomly for each new stream. Additionally, you can specify a range of ports to be used exclusively for SNAT. All source ports will then be remapped into the given range. iptables tries to avoid remapping ports where possible, but this is not always possible, and then remapping is performed. If no port range is given, source ports below 512 are remapped into the range 0-511, ports in the range 512-1023 are remapped into the range 512-1023, and finally ports in the range 1024-65535 are remapped into the range 1024-65535. Destination ports are never remapped.

DNAT target

DNAT (Destination Network Address Translation) is used to translate the destination address in the IP header of the packet. If a packet matches a rule with the DNAT target, that packet, and all subsequent packets of the same stream, have their destination address translated and are sent on to the required device, host or network. This target can, for example, be used to provide access to your web server located on the local network without a real IP address. To do this you build a rule that catches packets arriving at the firewall's HTTP port and, with DNAT, passes them on to the local address of the web server. A range of addresses can also be specified for this target, in which case the destination address for each new stream is chosen randomly.

The DNAT target may only be used in the PREROUTING and OUTPUT chains of the nat table, and in sub-chains called from them.

Table 22. DNAT target

Option: --to-destination
Example: iptables -t nat -A PREROUTING -p tcp -d 15.45.23.67 --dport 80 -j DNAT --to-destination 192.168.1.1-192.168.1.10
Explanation: The --to-destination option specifies which IP address to substitute as the destination address. In the example above, the destination address of all packets arriving at 15.45.23.67 is changed to one from the range 192.168.1.1 to 192.168.1.10. As noted above, all packets of one stream go to the same address, and for each new stream one of the addresses in the given range is chosen randomly. A single IP address can also be specified. You can additionally specify a port or port range to which the traffic is redirected. To do so, add the port after the IP address, separated by a colon, for example --to-destination 192.168.1.1:80; a port range looks like this: --to-destination 192.168.1.1:80-100. As you can see, the syntax of the DNAT and SNAT targets is very similar. Keep in mind that ports may only be specified when working with the TCP or UDP protocol, with the --protocol option present in the match.

The DNAT target is rather complicated to use and needs some further explanation. Consider a simple example. We have a web server and want to allow access to it from the Internet. We have only one real IP address, and the web server is on the local network. The real IP address $INET_IP is assigned to the firewall, the HTTP server has the local address $HTTP_IP, and finally the firewall has the local address $LAN_IP. To begin with, we add a simple rule to the PREROUTING chain of the nat table.

iptables -t nat -A PREROUTING -p tcp --dst $INET_IP --dport 80 -j DNAT --to-destination $HTTP_IP

According to this rule, all packets arriving at port 80 of address $INET_IP are redirected to our internal web server. If we now connect to the web server from the Internet, everything works fine. But what happens if we try to connect to it from the local network? The connection simply is not established. Let us look at how packets going from the Internet to our web server are routed. For simplicity, let the address of the Internet client be $EXT_BOX.
  1. The packet leaves the client host with address $EXT_BOX, destined for $INET_IP.

  2. The packet arrives at our firewall.

  3. The firewall, according to the rule above, replaces the destination address and passes the packet on to the other chains.

  4. The packet is sent to $HTTP_IP.

  5. The packet arrives at the HTTP server, and the server sends its reply through the firewall, provided the firewall is listed in its routing table as the gateway for $EXT_BOX. It is normally set as the default gateway of the HTTP server.

  6. The firewall reverses the address translation in the packet; now everything looks as if the packet had been generated on the firewall itself.

  7. The packet is sent to the client $EXT_BOX.



Now let us see what happens when the request comes from a host on the same local network. For simplicity, let the address of the LAN client be $LAN_BOX.

  1. The packet leaves $LAN_BOX.

  2. It arrives at the firewall.

  3. The destination address is translated, but the sender's address is not, i.e. the source address remains in the packet unchanged.

  4. The packet leaves the firewall and is sent to the HTTP server.

  5. The HTTP server, preparing to send its reply, finds that the client is on the local network (since the request packet carried the original IP address, which has now become the destination address), and therefore sends the packet directly to $LAN_BOX.

  6. The packet arrives at $LAN_BOX. The client is confused, because the reply came from a host other than the one the request was sent to. So the client "drops" the reply packet and keeps waiting for the "real" reply.



The problem is solved quite simply with SNAT. The rule below does just that. It forces the HTTP server to send its replies to our firewall, which then passes them on to the client.

iptables -t nat -A POSTROUTING -p tcp --dst $HTTP_IP --dport 80 -j SNAT --to-source $LAN_IP

Remember that the POSTROUTING chain is processed last of all, and by then the packet has already been through DNAT, so the match is built on the destination address $HTTP_IP.

If you think we can stop here, you are mistaken! Imagine the situation where the client is the firewall itself. Then, unfortunately, the packets are delivered to local port 80 on the firewall itself rather than to $HTTP_IP. To solve this problem as well, we add the rule

iptables -t nat -A OUTPUT -p tcp --dst $INET_IP --dport 80 -j DNAT --to-destination $HTTP_IP

Now there should be no more problems accessing our web server.
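The three-rule setup described above, as an added example that is not part of the tutorial: a small Python model of the nat table and connection tracking that plays through the three cases (Internet client, LAN client, the firewall itself) and shows which rules each case needs. The addresses are constructed stand-ins for $INET_IP, $LAN_IP, $HTTP_IP, $EXT_BOX and $LAN_BOX; the model ignores port remapping and assumes the firewall is the web server's default gateway.

```python
"""Added example (not part of the tutorial): a toy model of the nat table
that plays through the three cases above, so the effect of each rule can be
checked without a real firewall. Port remapping is ignored and the firewall
is assumed to be the web server's default gateway."""
from dataclasses import dataclass, replace

# Constructed stand-ins for $INET_IP, $LAN_IP, $HTTP_IP, $EXT_BOX, $LAN_BOX
# (documentation and private ranges only).
INET_IP = "203.0.113.10"   # firewall, Internet side
LAN_IP = "192.168.1.1"     # firewall, LAN side
HTTP_IP = "192.168.1.80"   # web server on the LAN
EXT_BOX = "198.51.100.7"   # client on the Internet
LAN_BOX = "192.168.1.50"   # client on the LAN


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


def on_lan(ip: str) -> bool:
    return ip.startswith("192.168.1.")


class NatTable:
    """One flag per rule from the text:
    prerouting_dnat: -A PREROUTING  --dst $INET_IP --dport 80 -j DNAT --to-destination $HTTP_IP
    hairpin_snat:    -A POSTROUTING --dst $HTTP_IP --dport 80 -j SNAT --to-source $LAN_IP
    output_dnat:     -A OUTPUT      --dst $INET_IP --dport 80 -j DNAT --to-destination $HTTP_IP
    """

    def __init__(self, prerouting_dnat=True, hairpin_snat=False, output_dnat=False):
        self.prerouting_dnat = prerouting_dnat
        self.hairpin_snat = hairpin_snat
        self.output_dnat = output_dnat
        # conntrack: translated 4-tuple as the server sees it -> original request
        self.conntrack = {}

    def nat_request(self, pkt: Packet, local: bool = False) -> Packet:
        """Translate a request. `local` means the firewall itself generated the
        packet (OUTPUT chain) instead of receiving it from the wire (PREROUTING)."""
        original = pkt
        dnat_rule = self.output_dnat if local else self.prerouting_dnat
        if dnat_rule and pkt.dst == INET_IP and pkt.dport == 80:
            pkt = replace(pkt, dst=HTTP_IP)
        # POSTROUTING runs last, so its match sees the already-DNATed destination.
        if self.hairpin_snat and pkt.dst == HTTP_IP and pkt.dport == 80:
            pkt = replace(pkt, src=LAN_IP)
        self.conntrack[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = original
        return pkt

    def nat_reply(self, reply: Packet) -> Packet:
        """Undo both translations for a reply that comes back through the firewall."""
        o = self.conntrack[(reply.dst, reply.dport, reply.src, reply.sport)]
        return Packet(src=o.dst, dst=o.src, sport=o.dport, dport=o.sport)


def web_request_succeeds(client_ip: str, nat: NatTable, local: bool = False) -> bool:
    """True if `client_ip` connecting to $INET_IP:80 gets a reply it will accept."""
    sent = Packet(src=client_ip, dst=INET_IP, sport=40000, dport=80)
    seen = nat.nat_request(sent, local)
    if seen.dst != HTTP_IP:
        return False  # stuck on the firewall's own port 80, never reached the server
    reply = Packet(src=seen.dst, dst=seen.src, sport=seen.dport, dport=seen.sport)
    # The server delivers replies to LAN hosts directly; only replies addressed to
    # the firewall, or routed out through it, are un-NATed.
    if on_lan(reply.dst) and reply.dst != LAN_IP:
        delivered = reply
    else:
        delivered = nat.nat_reply(reply)
    # A client only accepts a reply from the address and port it actually talked to.
    return (delivered.src, delivered.sport, delivered.dst) == (sent.dst, sent.dport, sent.src)


if __name__ == "__main__":
    dnat_only = NatTable()
    all_three = NatTable(hairpin_snat=True, output_dnat=True)
    print("Internet client, PREROUTING DNAT only:", web_request_succeeds(EXT_BOX, dnat_only))  # True
    print("LAN client, PREROUTING DNAT only:     ", web_request_succeeds(LAN_BOX, dnat_only))  # False
    print("LAN client, plus hairpin SNAT:        ", web_request_succeeds(LAN_BOX, NatTable(hairpin_snat=True)))  # True
    print("firewall itself, no OUTPUT DNAT:      ", web_request_succeeds(INET_IP, dnat_only, local=True))  # False
    print("firewall itself, all three rules:     ", web_request_succeeds(INET_IP, all_three, local=True))  # True
```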


MASQUERADE target

Masquerading (MASQUERADE) is essentially the same as SNAT, except that it has no --to-source option. The reason is that masquerading is meant to work with, for example, dialup connections or DHCP, i.e. in cases where the IP address is assigned to the device dynamically. If you have a dynamic connection, use masquerading; if you have a static IP connection, SNAT is without doubt the better choice.

Masquerading means taking the IP address from the given network interface instead of specifying it directly, as is done with the --to-source option of the SNAT target. The MASQUERADE target has the nice property of "forgetting" connections when the network interface goes down. With SNAT, in the same situation, the connection tracking table keeps entries for the lost connections, and these entries may persist for up to a day, consuming valuable memory. The "forgetfulness" is due to the fact that when an interface with a dynamic IP address goes down, there is a good chance that it will get a different IP address on the next start, in which case any connections would be lost anyway, and it would be silly to keep the tracking information.

As you will have realised, the MASQUERADE target can be used instead of SNAT even if you have a permanent IP address, but despite its positive traits, masquerading should not be considered preferable in that case, because it puts a higher load on the system.

The MASQUERADE target may only be used in the POSTROUTING chain of the nat table, just like the SNAT target. MASQUERADE has one option, described below, whose use is optional.

Table 23. MASQUERADE target

Option: --to-ports
Example: iptables -t nat -A POSTROUTING -p TCP -j MASQUERADE --to-ports 1024-31000
Explanation: The --to-ports option specifies the source port or range of source ports for the outgoing packet. You can specify a single port, for example --to-ports 1025, or a range of ports, as here: --to-ports 1024-3000. This option may only be used in rules whose match explicitly specifies the TCP or UDP protocol with the --protocol option.

REDIRECT target

Redirects packets and streams to another port on the same machine. For example, packets arriving at the HTTP port can be redirected to the port of an HTTP proxy. The REDIRECT target is very convenient for "transparent" proxying (transparent proxying), where the machines on the local network are not even aware that a proxy exists.

REDIRECT may only be used in the PREROUTING and OUTPUT chains of the nat table. And of course the target may also be used in sub-chains called from those chains. The REDIRECT target has only one option.

Table 24. REDIRECT target

Option: --to-ports
Example: iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
Explanation: The --to-ports option specifies the destination port or port range. Without the --to-ports option no redirection takes place, i.e. the packet goes to the port it was originally addressed to. In the example above, --to-ports 8080 specifies a single destination port. If we need to specify a port range, we write something like --to-ports 8080-8090. This option may only be used in rules whose match explicitly specifies the TCP or UDP protocol with the --protocol option.

TTL target

The TTL target is used to change the contents of the Time To Live field in the IP header. One possible use of this target is to set the Time To Live field of ALL outgoing packets to the same value. What for? There are some providers who very much dislike several computers sharing a single connection; if we set the same TTL value on all packets, we deprive the provider of one of the criteria for determining that the Internet connection is shared between several computers. For example, TTL = 64 is the standard value for the Linux kernel.

For more information on setting the default value, see ip-sysctl.txt, which you will find in the Other resources and links appendix.

The TTL target may only be used in the mangle table and nowhere else. Three options are available for this target, described below.

Table 25. TTL target

Option: --ttl-set
Example: iptables -t mangle -A POSTROUTING -o eth0 -j TTL --ttl-set 64
Explanation: Sets the TTL field to the given value. A value around 64 is considered optimal. It is neither too much nor too little. Do not set too large a value, as it may have unpleasant consequences for your network. Imagine a packet "looping" between two misconfigured routers: with large TTL values, there is a risk of "losing" a significant share of the link's bandwidth.
Option: --ttl-dec
Example: iptables -t mangle -A POSTROUTING -o eth0 -j TTL --ttl-dec 1
Explanation: Decreases the value of the TTL field by the given number. For example, suppose an incoming packet has a TTL of 53 and we apply --ttl-dec 3; the packet then leaves our host with a TTL of 49. Remember that the network code automatically decrements the TTL by 1, so in effect we get 53 - 3 - 1 = 49. IF ANYONE CAN GIVE AN EXAMPLE OF A PRACTICALLY USEFUL APPLICATION OF THIS OPTION, LET ME KNOW!
Option: --ttl-inc
Example: iptables -t mangle -A POSTROUTING -o eth0 -j TTL --ttl-inc 1
Explanation: Increases the value of the TTL field by the given number. Taking the previous example, suppose a packet arrives with TTL = 53; then, after --ttl-inc 4, the packet leaves our host with TTL = 56. Do not forget the automatic decrement of the TTL field by the kernel's network code, i.e. in effect we get 53 + 4 - 1 = 56. Increasing the TTL can be used to make our firewall less "visible" to traceroutes. Traceroute programs are loved for the valuable information they give when tracking down problem segments of the network, and hated for the same reason, since that information can be used by crackers for unsavoury purposes. An example of its use can be found in ttl-inc.txt.

ULOG target

The ULOG target provides the ability to log packets to user space. It replaces the traditional LOG target, which is based on the system log. With this target, the packet is passed over netlink sockets to a special daemon that can do very detailed logging in various formats (a plain text file, a MySQL database, etc.), and which also supports plugins for producing different output formats and handling network protocols. The user-space part, ULOGD, is available from the ULOGD project home page.

Table 26. ULOG target

Option: --ulog-nlgroup
Example: iptables -A INPUT -p TCP --dport 22 -j ULOG --ulog-nlgroup 2
Explanation: The --ulog-nlgroup option tells ULOG which netlink group the packet should be sent to. There are 32 groups in total (1 to 32). If you want to send the packet to group 5, simply specify --ulog-nlgroup 5. By default group 1 is used.
Option: --ulog-prefix
Example: iptables -A INPUT -p TCP --dport 22 -j ULOG --ulog-prefix "SSH connection attempt: "
Explanation: The --ulog-prefix option has the same meaning as the corresponding option of the LOG target. The prefix string must not exceed 32 characters.
Option: --ulog-cprange
Example: iptables -A INPUT -p TCP --dport 22 -j ULOG --ulog-cprange 100
Explanation: The --ulog-cprange option specifies how much of the packet, in bytes, should be passed to the ULOG daemon. If you specify 100, as in the example, only 100 bytes of the packet are passed to the daemon, which means the daemon receives the packet header and a small part of the packet's data. If you specify 0, the whole packet is passed regardless of its size. The default value is 0.
Option: --ulog-qthreshold
Example: iptables -A INPUT -p TCP --dport 22 -j ULOG --ulog-qthreshold 10
Explanation: The --ulog-qthreshold option sets the size of the buffer in kernel space. For example, if the buffer size is set to 10, as in the example, the kernel accumulates logged packets in an internal buffer and passes them to user space in groups of 10 packets. The default buffer size is 1, for backward compatibility with early versions of ulogd, which could not accept groups of packets.


The rc.firewall file

In this chapter we look at configuring a firewall using the rc.firewall.txt script as an example. We take each basic setting and look at how it works and what it does. This may suggest solutions to your own problems. To run this script you will need to modify it so that it works with your network configuration; in most cases it is enough to change only the variables.

Note

Admittedly there are more efficient ways of building rulesets, but I started from the idea of making the script more readable, so that anyone can understand it without deep knowledge of the BASH shell.


Example rc.firewall

So, everything is ready for going through the example file rc.firewall.txt (the script is included in this document in the Example scripts appendix). It is quite large, but only because of the large number of comments. I suggest that you now look through the file to get an idea of its contents and then come back here for more detailed explanations.


Description of the rc.firewall script

Configuration

The first part of the rc.firewall.txt file is the configuration section. This is where the basic firewall settings that depend on your network configuration are set. For example, the IP addresses almost certainly need to be changed to your own. The $INET_IP variable must contain the real IP address; if you connect to the Internet via DHCP, you should look at the rc.DHCP.firewall.txt script instead. Likewise, $INET_IFACE must name the device through which you connect to the Internet. This may be, for example, eth0, eth1, ppp0, tr0, etc.

This script contains no settings specific to DHCP or PPPoE, so those sections are left empty. The same applies to the other "empty" sections. This is done on purpose, so that you can see the differences between the scripts more clearly. If you need to fill in these sections, you can take them from the other scripts or write your own.

The Local Area Network section must contain the settings that correspond to the configuration of your local network. You must specify the firewall's local IP address, the interface connected to the local network, the subnet mask and the broadcast address.

Next comes the Localhost Configuration section, which you will hardly ever need to change. This section specifies the local interface lo and the local IP address 127.0.0.1. After the Localhost Configuration section comes the Iptables Configuration section. Here the $IPTABLES variable is created, containing the path to the iptables binary (/usr/local/sbin/iptables). If you installed iptables from source, your path to iptables may differ slightly from the one given in the script, but in most distributions iptables is located exactly there.


Loading additional modules

First, the /sbin/depmod -a command checks module dependencies, after which the modules needed by the script are loaded. Try to load only the modules you actually need in your scripts.

Caution

In my scripts I force-load all the required modules, to avoid failures. If an error occurs while loading a module, there may be many reasons, but the main one is that the modules being loaded are compiled statically into the kernel. See the Problems loading modules section for more information.

The next section lists a number of modules that are not used in this script but are listed as examples. For instance the ipt_owner module, which can be used to allow network access from your machine only to a certain set of users, thereby improving security. For information on the ipt_owner matches, see Owner match in the How a rule is built chapter.

We can load additional modules for checking the "state" of packets (state matching). All modules that extend the state matching capabilities are named ip_conntrack_* and ip_nat_*. These modules track connections of specific protocols. For example: the FTP protocol is by definition a complex protocol; it passes connection information within the data area of the packet. So, if our local host sends a request to connect to an FTP server on the Internet through an address-translating firewall, the host's local IP address is passed inside the packet. And since the IP addresses reserved for local networks are considered invalid on the Internet, the server will not know what to do with such a request, and as a result the connection is not established. The FTP NAT helper module performs all the necessary address translation, so the FTP server effectively receives the connection request from our external IP address and can establish the connection. The same applies to using DCC for file transfers and chats. Establishing connections of this kind requires passing an IP address and port over the IRC protocol, which likewise goes through network address translation on the firewall. Without the special helper module, the FTP and IRC protocols become very unreliable. For example, you might be able to receive files over DCC but not send them. This is due to the way DCC "starts" a connection. You tell the receiving host that you want to send a file and where it should connect. Without the DCC helper module the connection looks as if we were asking an external receiver to connect to a host on our local network; put simply, such a connection is "broken". With the helper module, everything works fine, because the receiver is given the correct IP address for establishing the connection.

For more information on the conntrack and nat modules, read the Common problems and questions appendix. Also do not forget the documentation included in the iptables package. To have these extra capabilities, you need to install patch-o-matic and rebuild the kernel. How to do that is explained above in the Preparations chapter.

Note

Note that you only need to load the ip_nat_irc and ip_nat_ftp modules if you want Network Address Translation to work correctly with the FTP and IRC protocols. You also need to load the ip_conntrack_irc and ip_conntrack_ftp modules before loading the NAT modules.


Setting up /proc

Here we enable packet forwarding (IP forwarding) by writing a one to the /proc/sys/net/ipv4/ip_forward file like this:

echo "1" > /proc/sys/net/ipv4/ip_forward

Caution

It is worth thinking about where and when to enable forwarding (IP forwarding). In this and the other scripts in this tutorial, we enable forwarding before we create any iptables rules. Between the start of forwarding (IP forwarding) and the moment the required rules are in place, with our approach, anything from a few milliseconds to minutes may pass, depending on the amount of work the script does and the speed of the particular computer. Clearly this leaves a window of time during which an attacker could get through the firewall. Therefore, in a real situation, forwarding (IP forwarding) should be enabled after the whole ruleset has been created. I have placed the enabling of forwarding at the beginning purely for readability.

If you need dynamic IP support (when using SLIP, PPP or DHCP), you can uncomment the line:

echo "1" > /proc/sys/net/ipv4/ip_dynaddr

If you need to enable any other options, you should consult the relevant documentation on those options. A good and concise document on the /proc file system ships with the kernel. Links to other documents can be found in the Other resources and links appendix.

Note

The rc.firewall.txt script, and all the other scripts in this tutorial, contain a small section of non-required proc settings. However attractive these options may look, do not enable them until you are sure you clearly understand what they do.


Placing rules in other chains

Here we talk about user-defined chains, in particular the user-defined chains defined in the rc.firewall.txt script. My way of splitting the rules into additional chains may not be suitable in every specific case. I hope to show you the possible "pitfalls". This section is closely related to the Traversing of tables and chains chapter, and it will do no harm to look through that chapter again, at least briefly.

By distributing the ruleset across user-defined chains, I saved processor time without losing system security or script readability. Instead of passing TCP packets through the whole ruleset (including the ICMP and UDP rules), I simply pick out the TCP packets and pass them through a user-defined chain intended specifically for TCP packets, which reduces the load on the system. The following picture shows schematically how packets pass through netfilter. In fact, the picture looks somewhat limited compared with the diagram given in the Traversing of tables and chains chapter.

The main purpose of the picture is to refresh our memory. On the whole, this example script is based on the assumption that we have one local network, one firewall and a single Internet connection with a static IP address (as opposed to PPP, SLIP, DHCP and so on). It is also assumed that access to Internet services goes through the firewall, that we fully trust our local network and therefore do not intend to block traffic originating from it, but that the Internet cannot be considered a trusted network, and so access from the outside into our local network must be restricted. We follow the principle "Everything that is not allowed is forbidden". To enforce that last restriction, we set the default policy to DROP. That way we cut off connections that are not explicitly allowed.

Now let us look at what we need to do and how.

First, we allow connections from the local network to the Internet. For this we need to perform network address translation (NAT). This is done in the PREROUTING chain (I believe the author simply made a typo here, since the script fills in the POSTROUTING chain, and we already know that SNAT is done in the POSTROUTING chain of the nat table. Translator's note.), which is filled in last in our script. Some filtering in the FORWARD chain is also implied. Even if we fully trust our local network and let all traffic out to the Internet, that does not mean we trust the Internet, so restrictions on access to our computers from the outside are needed. In our case we allow packets into our network only when they belong to an already established connection, or when a new connection is opened within an already existing one (ESTABLISHED and RELATED).

As for the firewall machine itself, the services exposed to the Internet must be kept to a minimum. Consequently we allow only HTTP, FTP, SSH and IDENTD access to the firewall. We treat all these protocols as allowed in the INPUT chain, and correspondingly we must allow the "reply" traffic in the OUTPUT chain. Since we assume a trust relationship with the local network, we add rules for the address range of the local network, and also for the local network interface and the local IP address (127.0.0.1). As mentioned above, there are several address ranges set aside specifically for local networks; on the Internet these addresses are considered invalid and, as a rule, are not served. So we also block any traffic from the Internet whose source address belongs to the local network ranges. And finally, read the Common problems and questions chapter.

Since we run an FTP server, it would be desirable to place the rules serving connections to that server at the beginning of the INPUT chain, thereby reducing the load on the system. In general, you should understand that the fewer rules a packet passes through, the more processor time is saved and the lower the load on the system. With this in mind, I split the ruleset into additional chains.

In our example I split the packets into groups according to the protocol they belong to. A separate chain of rules is created for each protocol type, for example tcp_packets, which contains the rules for checking all allowed TCP ports and protocols. Another chain may be created for further checking of packets that have passed through one chain. In our case that is the allowed chain. This chain performs additional checks on certain characteristics of TCP packets before the final decision to accept them is made. ICMP packets go through the icmp_packets chain. Here we simply accept all ICMP packets with the given message code. And finally UDP packets. They go through the udpincoming_packets chain, which handles incoming UDP packets. If they belong to allowed services, they are accepted without any further checks.

¿ÞáÚÞÛìÚã Üë àÐááÜÐâàØÒÐÕÜ áàÐÒÝØâÕÛìÝÞ ÝÕÑÞÛìèãî áÕâì, âÞ ÝÐè ÑàÐÝÔÜÐãíà ØáßÞÛì×ãÕâáï ÕéÕ Ø Ò ÚÐçÕáâÒÕ àÐÑÞçÕÙ áâÐÝæØØ, ßÞíâÞÜã Üë ÔÕÛÐÕÜ ÒÞ×ÜÞÖÝëÜ áÞÕÔØÝÕÝØÕ á ¸ÝâÕàÝÕâ Ø á áÐÜÞÓÞ ÑàÐÝÔÜÐãíàÐ.

¸ Ò ×ÐÒÕàèÕÝØÕ Þ æÕßÞçÚÕ OUTPUT. ¼ë ÝÕ ÒëßÞÛÝïÕÜ ÚÐÚØå ÛØÑÞ áßÕæØäØçÝëå ÑÛÞÚØàÞÒÞÚ ÔÛï ßÞÛì×ÞÒÐâÕÛÕÙ, ÞÔÝÐÚÞ Üë ÝÕ åÞâØÜ, çâÞÑë ÚâÞ ÛØÑÞ, ØáßÞÛì×ãï ÝÐè ÑàÐÝÔÜÐãíà ÒëÔÐÒÐÛ Ò áÕâì "ßÞÔÔÕÛìÝëÕ" ßÐÚÕâë, ßÞíâÞÜã Üë ãáâÐÝÐÒÛØÒÐÕÜ ßàÐÒØÛÐ, ßÞ×ÒÞÛïîéØÕ ßàÞåÞÖÔÕÝØÕ ßÐÚÕâÞÒ âÞÛìÚÞ á ÝÐèØÜ ÐÔàÕáÞÜ Ò ÛÞÚÐÛìÝÞÙ áÕâØ, á ÝÐèØÜ ÛÞÚÐÛìÝëÜ ÐÔàÕáÞÜ (127.0.0.1) Ø á ÝÐèØÜ ÐÔàÕáÞÜ Ò ¸ÝâÕàÝÕâ. Á íâØå ÐÔàÕáÞÒ ßÐÚÕâë ßàÞßãáÚÐîâáï æÕßÞçÚÞÙ OUTPUT, ÒáÕ ÞáâÐÛìÝëÕ (áÚÞàÕÕ ÒáÕÓÞ áäÐÛìáØäØæØàÞÒÐÝÝëÕ) ÞâáÕÚÐîâáï ßÞÛØâØÚÞÙ ßÞ-ãÜÞÛçÐÝØî DROP.


Setting up default policies

Before we start building the rule set, we must decide on the default policies of the chains. The default policy is set with a command like the one below

iptables -P <chain name> <policy>

The default policy is the action applied to a packet that has not matched any rule in the chain. (A small clarification: the iptables -P command applies ONLY TO BUILT-IN chains, i.e. INPUT, FORWARD, OUTPUT and so on, and cannot be used on user-defined chains; translator's note.)


Creating user-defined chains

So, by now you probably have a clear picture of how packets move through the various chains and how these chains interact! You should already have a clear idea of the goals and purpose of this script. Let's start creating the chains and their rule sets.

First of all the additional chains must be created with the -N command. Right after creation a chain has no rules yet. In our example the chains icmp_packets, tcp_packets, udpincoming_packets and the chain allowed, which is called from tcp_packets, are created. Incoming ICMP packets from the $INET_IFACE interface (i.e. from the Internet) are directed to the icmp_packets chain, TCP packets are directed to the tcp_packets chain, and incoming UDP packets from interface eth0 go to the udpincoming_packets chain.
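The two steps just described, setting the default policies and creating the empty user chains, as an added shell example that is not part of the tutorial or its rc.firewall.txt script. It also encodes the translator's remark that -P only works on built-in chains: set_policy refuses a user chain before iptables is ever called. The DRY_RUN variable, the ipt wrapper and the bad_tcp_packets chain from the next section are this example's own additions; with DRY_RUN=1 (the default) the commands are printed instead of executed.

```shell
#!/bin/sh
# Added example, not the tutorial's own script: default policies and empty
# user chains for the filter table. DRY_RUN=1 (default) prints the iptables
# commands; run as root with DRY_RUN=0 to apply them.
IPTABLES=${IPTABLES:-/usr/local/sbin/iptables}
DRY_RUN=${DRY_RUN:-1}

# Run one iptables command, or print it in dry-run mode.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then printf 'iptables %s\n' "$*"; else "$IPTABLES" "$@"; fi
}

# Only the built-in chains accept a policy with -P; a user chain has no
# policy and falls back to the chain that called it.
is_builtin_chain() {
    case "$1" in
        INPUT|OUTPUT|FORWARD|PREROUTING|POSTROUTING) return 0 ;;
        *) return 1 ;;
    esac
}

# Set a default policy, rejecting user-defined chains up front so the
# mistake is reported by name instead of as an iptables error later.
set_policy() {
    chain=$1; policy=$2
    if ! is_builtin_chain "$chain"; then
        echo "set_policy: $chain is not a built-in chain, -P does not apply" >&2
        return 1
    fi
    ipt -P "$chain" "$policy"
}

# "Everything not explicitly allowed is forbidden": DROP on all three
# chains of the filter table.
set_filter_policies() {
    set_policy INPUT DROP
    set_policy OUTPUT DROP
    set_policy FORWARD DROP
}

# Create the user chains empty; their rules are added later in the script.
# bad_tcp_packets is the sanity chain described in the following section.
create_user_chains() {
    for chain in bad_tcp_packets allowed tcp_packets udpincoming_packets icmp_packets; do
        ipt -N "$chain"
    done
}

main() {
    set_filter_policies
    create_user_chains
}

# Apply only when asked for explicitly (FW_RUN_MAIN=1); sourcing the file
# just defines the functions.
if [ "${FW_RUN_MAIN:-0}" = 1 ]; then main; fi
```

Run it as `FW_RUN_MAIN=1 sh policies.sh` to see the command list, and add `DRY_RUN=0` (as root) once the output looks right; `set_policy allowed DROP` exits with status 1 and a message instead of handing the bad call to iptables.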


The bad_tcp_packets chain

This chain is meant for filtering out packets with "bad" headers and for solving a number of other problems. Here all packets that are recognized as NEW but are not SYN packets are filtered out. This chain can be used as protection against intrusion and port scanning. A rule that discards packets in the INVALID state is also added here.


The allowed chain

A TCP packet coming from the $INET_IFACE interface enters the tcp_packets chain; if the packet is headed for an allowed port, it is then checked further.

The first rule checks whether the packet is a SYN packet, i.e. a connection request. Such a packet we consider acceptable and let through. The next rule accepts all packets in the ESTABLISHED or RELATED state. When a connection is initiated with a SYN packet and that request has been answered positively, it gets the ESTABLISHED state. The last rule in this chain drops all remaining TCP packets. This rule catches packets from non-existent connections and packets with the SYN bit cleared that try to open a connection. Non-SYN packets are practically never used to open a connection, except in port scans. As far as I know, there is no TCP/IP implementation today that would open a connection by any means other than sending a SYN packet, so one can be 99% sure that the dropped packets were sent by a port scanner.


The TCP chain

So we have arrived at TCP connections. Here we specify which ports may be reachable from the Internet. Even if a packet passes the check here, we still hand every packet to the allowed chain for further checking.

I have opened TCP port 21, the FTP control connection port. Further, I allow all RELATED connections, thereby allowing PASSIVE FTP, provided the ip_conntrack_ftp module has been loaded. If you need to forbid FTP connections, you have to unload the ip_conntrack_ftp module and remove the line $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed from the rc.firewall.txt script.

Port 22 is SSH, which is much safer than telnet on port 23. If you intend to give anyone from the Internet access to a command shell, SSH is certainly the better choice. However, I want to point out that it is generally considered bad form to give anyone but yourself access to the firewall. Your firewall should run only the services that are really necessary and nothing more.

Port 80 is the HTTP port, in other words a web server; remove this rule if you have no web server.

And finally port 113, which belongs to the IDENTD service and is used by some protocols such as IRC and others.


The UDP chain

UDP packets from the INPUT chain go to the udpincoming_packets chain. As with TCP packets, here they are checked for admissibility by destination port number.

Port 53, where DNS "lives", is open for UDP packets. If we want to use symbolic host names rather than their IP addresses, we naturally have to let the domain name service work.

I personally allow port 123, used by NTP (network time protocol). This service is usually used to obtain very accurate time from time servers on the Internet.

Port 2074 is used by some multimedia applications, such as speak freely, which are used for real-time voice transmission.

And finally ICQ, on port 4000. This is the widely known protocol used by ICQ applications; I suppose I need not explain to you what that is.


The ICMP chain

Here the decision is made whether to accept ICMP packets. If a packet arrives from eth0 into the INPUT chain, it is then directed to the icmp_packets chain. In this chain the ICMP message type is checked. Only ICMP Echo Replies, Destination Unreachable, Redirect and Time Exceeded are accepted.

In taking this decision I proceed from the following considerations: ICMP Echo Reply packets come back when, for example,

 you ping another host on the network; if we block this message we lose the ability to use ping.

Destination Unreachable arrives when some host is unreachable; for example, when making an HTTP request to an unreachable host, the last router that could not find a route to the host returns a Destination Unreachable message to us. This saves us from waiting until our browser's timeout expires, which by default is quite long, some 60 seconds or more.

Time Exceeded. As a packet travels through the network, each router decrements the TTL field in the packet header by 1. As soon as the TTL field reaches zero, the router sends a Time Exceeded message. For example, when you trace the route (traceroute) to some host, the TTL field is set to 1; at the very first router it becomes zero and a Time Exceeded message comes back to us; then we set TTL = 2 and the second router sends us Time Exceeded, and so on until we get an answer from the host itself.
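The five user chains described in the bad_tcp_packets, allowed, TCP, UDP and ICMP sections above, filled with rules, as one added shell example that is not taken from the tutorial's rc.firewall.txt. The ipt wrapper, the DRY_RUN switch, the port lists as environment variables and the rate-limited LOG rule in bad_tcp_packets are this example's own choices; the ports and ICMP types are the ones the text names (ICMP types given by number: 0 echo-reply, 3 destination-unreachable, 5 redirect, 11 time-exceeded). The chains are assumed to exist already (iptables -N).

```shell
#!/bin/sh
# Added example, not the tutorial's script: rules for the user chains.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 as root applies them.
IPTABLES=${IPTABLES:-/usr/local/sbin/iptables}
DRY_RUN=${DRY_RUN:-1}

ipt() {
    if [ "$DRY_RUN" = 1 ]; then printf 'iptables %s\n' "$*"; else "$IPTABLES" "$@"; fi
}

# bad_tcp_packets: a NEW connection that does not start with SYN is either a
# stale connection or a scan. Log it (rate limit is this example's choice)
# and drop it; drop whatever conntrack marks INVALID as well.
fill_bad_tcp_packets() {
    ipt -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -m limit --limit 3/minute \
        -j LOG --log-prefix "New not syn: "
    ipt -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
    ipt -A bad_tcp_packets -m state --state INVALID -j DROP
}

# allowed: second-stage check for TCP packets to an open port. Only a SYN
# may open a connection, packets of established/related connections pass,
# everything else (non-SYN packets that match no connection) is dropped.
fill_allowed() {
    ipt -A allowed -p tcp --syn -j ACCEPT
    ipt -A allowed -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A allowed -p tcp -j DROP
}

# tcp_packets: destination ports reachable from the Internet. A match hands
# the packet to the allowed chain instead of accepting it outright.
TCP_PORTS=${TCP_PORTS:-"21 22 80 113"}   # ftp ssh http identd
fill_tcp_packets() {
    for port in $TCP_PORTS; do
        ipt -A tcp_packets -p tcp -s 0/0 --dport "$port" -j allowed
    done
}

# udpincoming_packets: UDP has no handshake to verify, so allowed ports are
# accepted directly. 53 dns, 123 ntp, 2074 speak freely, 4000 icq.
UDP_PORTS=${UDP_PORTS:-"53 123 2074 4000"}
fill_udp_packets() {
    for port in $UDP_PORTS; do
        ipt -A udpincoming_packets -p udp -s 0/0 --dport "$port" -j ACCEPT
    done
}

# icmp_packets: accept only the message types the text allows, by number.
ICMP_TYPES=${ICMP_TYPES:-"0 3 5 11"}
fill_icmp_packets() {
    for type in $ICMP_TYPES; do
        ipt -A icmp_packets -p icmp -s 0/0 --icmp-type "$type" -j ACCEPT
    done
}

fill_all_user_chains() {
    fill_bad_tcp_packets
    fill_allowed
    fill_tcp_packets
    fill_udp_packets
    fill_icmp_packets
}

if [ "${FW_RUN_MAIN:-0}" = 1 ]; then fill_all_user_chains; fi
```

Removing FTP, as the text describes, becomes `TCP_PORTS="22 80 113"` instead of editing a rule line; the tcp_packets chain never contains an ACCEPT target, so every open port still passes through the SYN check in allowed.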

See the appendix for the list of ICMP message types. Additional information on ICMP can be found in the following documents:

Be careful when blocking ICMP packets; I may be wrong in blocking some of them, and it may turn out to be unacceptable for you.


The INPUT chain

The INPUT chain, as I already wrote, uses other chains to do the bulk of the work, thereby reducing the load on the packet filter. The effect of organizing the rules this way is most noticeable on slow machines, which would otherwise start "losing" packets under heavy load.

With the very first rule we try to discard the "bad" packets. For more information see the appendix on packets in the NEW state with the SYN bit cleared. In some special situations such packets may be considered legitimate, but in 99% of cases it is better to "stop" them. So such packets are written to the system log (logged) and "dropped".

Next, all ICMP packets arriving in the INPUT chain from the $INET_IFACE interface, in my case eth0, are directed to the icmp_packets chain, which we looked at earlier. With the next rule all TCP packets from the $INET_IFACE interface are handed to the tcp_packets chain. And finally all UDP packets are sent to the udpincoming_packets chain.

At the end we let through everything coming from our $LOCALHOST_IP address, which is usually 127.0.0.1, everything coming from the $LAN_IP address, which in my case is 192.168.0.2, and at the same time everything coming from the local network $LAN_IP_RANGE, for me 192.168.0.0/24. I accept everything from my own external IP address that is in the ESTABLISHED or RELATED state. Broadcast traffic from the local network is also considered acceptable; some applications, for example Samba, depend on broadcast messages and cannot do their job without them.

With the last rule, before the default policy is applied to all packets not explicitly accepted in the INPUT chain, the traffic is logged, in case the causes of a problem need to be tracked down. Here we give the rule a limit on the number of logged packets, no more than 3 per minute, to prevent the log from growing out of control.

Everything that was not explicitly accepted in the INPUT chain will be subjected to DROP, since that is the action set as the default policy.


The OUTPUT chain

As I mentioned earlier, in my case the computer is used both as a firewall and as a workstation. So I let everything leave my host that has the source address $LOCALHOST_IP, $LAN_IP or $STATIC_IP. This is done to protect against traffic that some not very nice person could forge on my machine. On top of that I log the "dropped" packets, for troubleshooting or to detect spoofed packets. All packets that matched none of the rules are handled by the default policy, DROP.


The FORWARD chain

As usual, we allow packets from the local network to pass without restriction with the rule

/usr/local/sbin/iptables -A FORWARD -i $LAN_IFACE -j ACCEPT

Naturally, the reply packets must be let back into the local network, so with the next rule we accept everything in the ESTABLISHED or RELATED state, i.e. we accept the packets of connections established FROM the local network. And before dropping all disallowed packets by the default policy, we log the traffic, with a limit of 3 entries per minute.
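The INPUT, FORWARD and OUTPUT chains of the three preceding sections, as an added shell example that is not the tutorial's rc.firewall.txt. The rule order follows the text: the sanity chain first, then dispatch by protocol for Internet traffic, then the trusted local sources, then replies, and a rate-limited LOG rule as the last line before the DROP policy takes over. The wrapper function, the DRY_RUN switch, the LAN interface name eth1, the broadcast address and the external address 198.51.100.10 are this example's constructed assumptions; the ESTABLISHED/RELATED rule matches on the destination being our external address, which is what the reply traffic the text describes actually carries.

```shell
#!/bin/sh
# Added example, not the tutorial's script: the built-in filter chains.
# User chains must already exist and be filled. DRY_RUN=1 (default) prints
# the commands; DRY_RUN=0 as root applies them.
IPTABLES=${IPTABLES:-/usr/local/sbin/iptables}
INET_IFACE=${INET_IFACE:-eth0}
INET_IP=${INET_IP:-198.51.100.10}        # constructed sample address
LAN_IFACE=${LAN_IFACE:-eth1}             # constructed; the text names only eth0
LAN_IP=${LAN_IP:-192.168.0.2}
LAN_IP_RANGE=${LAN_IP_RANGE:-192.168.0.0/24}
LAN_BCAST=${LAN_BCAST:-192.168.0.255}    # constructed broadcast address
LO_IFACE=${LO_IFACE:-lo}
LOCALHOST_IP=${LOCALHOST_IP:-127.0.0.1}
DRY_RUN=${DRY_RUN:-1}

ipt() {
    if [ "$DRY_RUN" = 1 ]; then printf 'iptables %s\n' "$*"; else "$IPTABLES" "$@"; fi
}

# Last rule of a chain: log what the default policy is about to drop, at
# most 3 entries per minute so a flood cannot fill the log.
log_tail() {
    ipt -A "$1" -m limit --limit 3/minute --limit-burst 3 \
        -j LOG --log-level DEBUG --log-prefix "IPT $1 packet died: "
}

setup_input() {
    # 1. cheap sanity check first: NEW-without-SYN and INVALID go away here
    ipt -A INPUT -p tcp -j bad_tcp_packets
    # 2. dispatch Internet traffic by protocol to the user chains
    ipt -A INPUT -p icmp -i "$INET_IFACE" -j icmp_packets
    ipt -A INPUT -p tcp -i "$INET_IFACE" -j tcp_packets
    ipt -A INPUT -p udp -i "$INET_IFACE" -j udpincoming_packets
    # 3. trusted sources: loopback and the local network
    ipt -A INPUT -p all -i "$LO_IFACE" -s "$LOCALHOST_IP" -j ACCEPT
    ipt -A INPUT -p all -i "$LO_IFACE" -s "$LAN_IP" -j ACCEPT
    ipt -A INPUT -p all -i "$LAN_IFACE" -s "$LAN_IP_RANGE" -j ACCEPT
    # LAN broadcasts, which e.g. Samba depends on
    ipt -A INPUT -p udp -i "$LAN_IFACE" -d "$LAN_BCAST" -j ACCEPT
    # 4. replies to connections the firewall itself opened
    ipt -A INPUT -p all -d "$INET_IP" -m state --state ESTABLISHED,RELATED -j ACCEPT
    log_tail INPUT
}

setup_forward() {
    # the LAN is trusted: everything it sends out is forwarded
    ipt -A FORWARD -i "$LAN_IFACE" -j ACCEPT
    # replies to connections established from the LAN may come back in
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    log_tail FORWARD
}

setup_output() {
    # only our own source addresses may leave; anything else is forged
    for src in "$LOCALHOST_IP" "$LAN_IP" "$INET_IP"; do
        ipt -A OUTPUT -p all -s "$src" -j ACCEPT
    done
    log_tail OUTPUT
}

if [ "${FW_RUN_MAIN:-0}" = 1 ]; then setup_input; setup_forward; setup_output; fi
```

The order inside setup_input is the point: the packets most likely to be junk are rejected by the first rule, Internet traffic leaves the chain after one protocol match, and the LOG rule only ever sees what nothing else claimed.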


The PREROUTING chain of the nat table

Here network address translation is performed before packets enter the INPUT or FORWARD chain. Once again I want to remind you that this chain is not intended for any kind of filtering, but only for address translation, since only the first packet of a stream enters this chain.

To begin with, we cut off all packets with obviously wrong source addresses, such as addresses from the ranges reserved for local networks: 192.168.x.x, 10.x.x.x or 172.16.x.x. A similar rule can be used in the reverse direction, dropping all packets that do not belong to our local network.


Starting Network Address Translation

And the closing section: setting up SNAT. At least for me. First of all we add a rule to the nat table, in the POSTROUTING chain, which translates the source addresses of all packets going out through the interface connected to the Internet. For me that is eth0. The script defines a number of variables that can be used to configure the script automatically. Besides, using variables improves the readability of the scripts. The -t switch gives the table name, in this case nat. The -A command adds (Add) a new rule to the POSTROUTING chain, the -o $INET_IFACE criterion specifies the outgoing interface, and at the end of the rule we set the action for the packet: SNAT. Thus all packets matching the given criterion will be "masqueraded", i.e. they will look as if they were sent from our host. Do not forget to specify the --to-source switch with the appropriate IP address for the outgoing packets.

In this script I use SNAT instead of MASQUERADE for a number of reasons. First, the script is assumed to run on a host that has a static IP address. Next, SNAT works faster and more efficiently. Of course, if you do not have a static IP address, you must use the MASQUERADE target, which offers a simpler way of translating addresses, since it automatically determines the IP address assigned to the given interface. However, compared with SNAT this target needs somewhat more computing resources, though not significantly. If you need an example of MASQUERADE in use, see the rc.DHCP.firewall.txt script.
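The nat table work of the two sections above, as an added shell example that is not the tutorial's script: the PREROUTING rules that discard Internet packets carrying a private source address, and the POSTROUTING source NAT, choosing SNAT with --to-source when a fixed INET_IP is configured and MASQUERADE when it is left empty, which is the rule the text gives for static versus dynamic addresses. The wrapper, the DRY_RUN switch and the CIDR spelling of the three private ranges are this example's own.

```shell
#!/bin/sh
# Added example, not the tutorial's script: anti-spoofing in nat PREROUTING
# and source NAT in nat POSTROUTING. DRY_RUN=1 (default) prints commands.
IPTABLES=${IPTABLES:-/usr/local/sbin/iptables}
INET_IFACE=${INET_IFACE:-eth0}
INET_IP=${INET_IP:-}           # leave empty on a DHCP/PPP link
DRY_RUN=${DRY_RUN:-1}

ipt() {
    if [ "$DRY_RUN" = 1 ]; then printf 'iptables %s\n' "$*"; else "$IPTABLES" "$@"; fi
}

# The private ranges the text names (192.168.x.x, 10.x.x.x, 172.16.x.x),
# written as prefixes so 172.16-172.31 are all covered.
PRIVATE_RANGES="192.168.0.0/16 10.0.0.0/8 172.16.0.0/12"

# A packet arriving from the Internet with a private source address cannot
# be genuine; nat PREROUTING sees the first packet of each stream, so
# dropping it there stops the whole stream before routing.
drop_spoofed_sources() {
    for net in $PRIVATE_RANGES; do
        ipt -t nat -A PREROUTING -i "$INET_IFACE" -s "$net" -j DROP
    done
}

# Source NAT for everything leaving through the Internet interface. SNAT
# needs the fixed address spelled out; MASQUERADE reads the interface
# address itself, which is what a dynamically addressed link needs.
snat_rule() {
    if [ -n "$INET_IP" ]; then
        ipt -t nat -A POSTROUTING -o "$INET_IFACE" -j SNAT --to-source "$INET_IP"
    else
        ipt -t nat -A POSTROUTING -o "$INET_IFACE" -j MASQUERADE
    fi
}

setup_nat() {
    drop_spoofed_sources
    snat_rule
}

if [ "${FW_RUN_MAIN:-0}" = 1 ]; then setup_nat; fi
```

`INET_IP=203.0.113.7 FW_RUN_MAIN=1 sh nat.sh` prints the SNAT variant; with INET_IP unset the same script emits MASQUERADE, so one file serves both the static and the dynamic setup described in the text.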


Example scripts

The aim of this chapter is to give a brief description of each script in this tutorial. These scripts are not perfect and may not fully meet your needs. This means that you have to "tailor" these scripts yourself. The following part of the tutorial is meant to make this tailoring easier for you.


The structure of the rc.firewall.txt file

All the scripts described in this tutorial have a certain structure. This is done so that the scripts resemble each other as much as possible, making it easier to find the differences between them. This structure is described in some detail in this chapter. Here I hope to give you an understanding of why all the scripts were written this way and why I chose this particular structure.

Note

Bear in mind that this structure may turn out to be far from optimal for your scripts. It was chosen only to explain my line of thought better.


The structure

This is the structure that all scripts in this tutorial follow. If you find that this is not so, it is most likely my mistake, unless of course I explained why I departed from the structure.

  1. Configuration - First of all we must set the configuration parameters for the script. In most cases the configuration parameters should be described first in any script.

    1. Internet - This is the configuration section describing the Internet connection. This section may be omitted if you are not connected to the Internet. Note that there may be more subsections than are listed here, but only those that describe our Internet connection.

      1. DHCP - If there are DHCP-specific settings, they are added here.

      2. PPPoE - The settings of a PPPoE connection are described here.

    2. LAN - If there is any LOCAL NETWORK behind the firewall, the parameters relating to it are given here. Most likely this section will be present almost always.

    3. DMZ - The configuration of the DMZ is added here. Most scripts will not have this section, since any normal home network or small local network will not have one. (DMZ - de-militarized zone. Most likely the author means by this a small subnet holding servers, for example DNS, MAIL, WEB and so on, and not a single user machine; translator's note.)

    4. Localhost - These parameters belong to our firewall (localhost). In your case these variables are unlikely to change, but nevertheless I created them. Hopefully you will have no reason to change these variables.

    5. iptables - This section contains information about iptables. In most scripts a single variable giving the path to iptables will be enough.

    6. Other - Other settings that do not fit into any of the sections above go here.

  2. Module loading - This section of the scripts contains the list of modules. The first part should contain the required modules, while the second part should contain the non-required modules.

    Note

    Note that some modules providing extra features may be listed even if they are not required. Usually the example script points this out in such cases.

    1. Required modules - This section should contain the modules needed for the script to work.

    2. Non-required modules - This section contains modules that are not needed for the normal operation of the script. All these modules should be commented out. If you need them, simply uncomment them.

  3. proc configuration - This section is responsible for configuring the /proc file system. If these settings are required, they will be listed; if not, they should be commented out by default and marked as non-required. Most of the useful /proc settings will be listed in the examples, but far from all.

    1. Required proc configuration - This section should contain all /proc settings the script requires. These may be settings needed to bring up the protection system, or perhaps ones that add special features for the administrator or the users.

    2. Non-required proc configuration - This section should contain the non-required /proc settings that may prove useful in the future. All of them should be commented out, since they are not actually needed for the script to work. This list will contain far from all /proc settings.

  4. rules set up - By this point the script is usually ready for the rule sets to be inserted. I have split all the rules by table and chain. Any user-defined chains must be created before we can use them. I list the chains and their rule sets in the same order in which the iptables -L command prints them.

    1. Filter table - First of all we go through the filter table. To begin with, the default policy in the table must be set.

      1. Set policies - Setting the default policies for the built-in chains. Usually I set DROP for the chains of the filter table and will accept the flows that originate inside. That way we get rid of everything we do not want.

      2. Create user specified chains - In this section all user-defined chains that we will use later within this table are created. We cannot use these chains until we have created them.

      3. Create content in user specified chains - Having created the user-defined chains, we can fill them with rules. The only reason the rules for the user-defined chains are defined here is their proximity to the commands that create these chains. You may place the rules elsewhere in your script.

      4. INPUT chain - In this section the rules for the INPUT chain are added.

        Note

        As already mentioned, I have tried to follow the order that appears in the output of the iptables -L command. There is no serious reason to keep to this structure, but do try to avoid mixing data from different tables and chains, since such a rule set becomes much harder to read and to search for possible problems.

      5. FORWARD chain - Here we add the rules to the FORWARD chain.

      6. OUTPUT chain - Last in the filter table, the OUTPUT chain is filled.

    2. nat table - After the filter table we move on to the nat table. This is done for several reasons. First of all, the NAT mechanism should not be started at an early stage, while packets can still pass without restriction (that is, when NAT is already enabled but there is not a single filtering rule yet). Also, I regard the nat table as a kind of layer lying outside the filter table. The filter table is a kind of core, while nat is a shell around the core, and the mangle table can be seen as a shell around the nat table. This may not be entirely accurate, but it is not that far from reality.

    3. Set policies - First of all we set all default policies within the nat table. Usually I set ACCEPT. This table should not be used for filtering, and we should not "throw away" (DROP) packets here. There are a number of unpleasant side effects that occur in such cases because of our assumptions. I accept all packets in these chains because I see no reason not to.

    4. Create user specified chains - Here all user-defined chains for the nat table are created. Usually I have none, but I added this section just in case. Note that user-defined chains must be created before they are actually used.

    5. Create content in user specified chains - Adding rules to the user-defined chains of the nat table. The principle of placing rules here is the same as in the filter table. I add them here because I see no reason to move them elsewhere.

    6. PREROUTING chain - The PREROUTING chain is used for DNAT. In most scripts DNAT is not used, or is at least commented out, so as not to "open the gates" into our local network too wide. In some scripts this rule is enabled, since the sole purpose of those scripts is to provide services that are impossible without DNAT.

    7. POSTROUTING chain - The POSTROUTING chain is used by the scripts I wrote, since in most cases there are one or more local networks that we want to connect to the Internet through the firewall. Mainly we will use SNAT, but in some cases we will be forced to use MASQUERADE.

    8. OUTPUT chain - The OUTPUT chain is barely used in any of the scripts. I have not yet found a serious reason to use this chain. If you do use it, drop me a line and I will make the corresponding changes to this tutorial.

  5. mangle table - The mangle table is the last table on the packets' path. Usually I do not use this table at all, since there is usually no need for anything like changing the TTL field or the TOS field and so on. In other words, I have left this section empty in some scripts, with a few exceptions where I added a few examples of using this table.

    1. Set policies - Here the default policy is set. The same restrictions apply as for the nat table. The table should not be used for filtering, so you should avoid doing so. I have not set any policy for the chains of the mangle table in any of the scripts, and you should do likewise.

    2. Create user specified chains - User-defined chains are created. Since I do not use the mangle table in the scripts, I did not create any user-defined chains. However, this section was added just in case.

    3. Create content in userspecified chains - If you created any user-defined chains within this table, you can fill them with rules here.

    4. PREROUTING - This item only mentions the chain.

    5. INPUT chain - This item only mentions the chain.

    6. FORWARD chain - This item only mentions the chain.

    7. OUTPUT chain - This item only mentions the chain.

    8. POSTROUTING chain - This item only mentions the chain.

I hope I have explained in enough detail how each script is structured and why they are structured this way.

Caution

Note that these descriptions are extremely brief and are only a short explanation of why the scripts have this structure. I do not claim to possess the ultimate truth or that this is the only and best option.


rc.firewall.txt

The rc.firewall.txt script is the core on which the rest of the scripts are based. The chapter rc.firewall file describes the script in sufficient detail. The script is written for a home network where you have one LOCAL NETWORK and one Internet connection. This script also assumes that you have a static IP address, and hence do not use DHCP, PPP, SLIP or any other protocol that assigns the IP address dynamically. Otherwise take the rc.DHCP.firewall.txt script as the basis.

The script requires the following options to be compiled in either statically or as modules. Without any of them the script will not work

  • CONFIG_PACKET
  • CONFIG_NETFILTER
  • CONFIG_IP_NF_CONNTRACK
  • CONFIG_IP_NF_IPTABLES
  • CONFIG_IP_NF_MATCH_LIMIT
  • CONFIG_IP_NF_MATCH_STATE
  • CONFIG_IP_NF_FILTER
  • CONFIG_IP_NF_NAT
  • CONFIG_IP_NF_TARGET_LOG



rc.DMZ.firewall.txt

The script requires the following options to be compiled in either statically or as modules. Without any of them the script will not work

  • CONFIG_PACKET
  • CONFIG_NETFILTER
  • CONFIG_IP_NF_CONNTRACK
  • CONFIG_IP_NF_IPTABLES
  • CONFIG_IP_NF_MATCH_LIMIT
  • CONFIG_IP_NF_MATCH_STATE
  • CONFIG_IP_NF_FILTER
  • CONFIG_IP_NF_NAT
  • CONFIG_IP_NF_TARGET_LOG


The rc.DMZ.firewall.txt script was written for those who have a trusted local network, one "Demilitarized Zone" and one Internet connection. To reach the servers in the Demilitarized Zone from outside, "one-to-one" NAT is used, that is, you must make the firewall recognize packets for more than one IP address.

The script works with two internal networks, as shown in the picture. One uses the IP address range 192.168.0.0/24 and is the Trusted Internal Network. The other uses the range 192.168.1.0/24 and is called the Demilitarized Zone (DMZ), for which we will perform "one-to-one" address translation (NAT). For example, if somebody on the Internet sends a packet to our DNS_IP, we perform DNAT, which replaces the destination address with the local address of the DNS server in the DMZ. If DNAT were not performed, the DNS server could not receive the request, because its address is DMZ_DNS_IP, not DNS_IP. The translation is performed by the following rule.

$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $DNS_IP --dport 53 -j DNAT --to-destination $DMZ_DNS_IP

To begin with, let me remind you that DNAT can only be performed in the PREROUTING chain of the nat table. According to this rule, a packet must arrive over TCP on $INET_IFACE with a destination IP matching our $DNS_IP and be directed to port 53. When such a packet is encountered, the destination address is replaced, i.e. DNAT is performed. The address to substitute is passed to the DNAT target with the --to-destination $DMZ_DNS_IP switch. When the reply packet comes back through the firewall, the kernel's network code automatically changes the sender address from $DMZ_DNS_IP to $DNS_IP; in other words, the reverse translation is done automatically and requires no additional rules.
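The DNAT rule above, generalized into a small helper that publishes any DMZ service, as an added shell example that is not the tutorial's rc.DMZ.firewall.txt. It goes beyond the text in two ways: it adds the UDP variant of the DNS rule (most DNS queries travel over UDP, and the text's rule covers TCP only), and it adds the FORWARD rule that the translated packet still has to pass, since the filter table sees the packet after DNAT with the DMZ address as its destination and a DROP policy would otherwise discard it. The public address 198.51.100.53, the DMZ address 192.168.1.2, the wrapper and the DRY_RUN switch are this example's constructed assumptions.

```shell
#!/bin/sh
# Added example, not the tutorial's script: publishing DMZ services with
# DNAT plus the matching FORWARD rule. DRY_RUN=1 (default) prints commands.
IPTABLES=${IPTABLES:-/usr/local/sbin/iptables}
INET_IFACE=${INET_IFACE:-eth0}
DNS_IP=${DNS_IP:-198.51.100.53}          # constructed public address
DMZ_DNS_IP=${DMZ_DNS_IP:-192.168.1.2}    # constructed DMZ address
DRY_RUN=${DRY_RUN:-1}

ipt() {
    if [ "$DRY_RUN" = 1 ]; then printf 'iptables %s\n' "$*"; else "$IPTABLES" "$@"; fi
}

# One DNAT rule: Internet traffic for public:port is rewritten to dmz:port.
# The kernel translates the replies back on its own, as the text explains.
# Usage: dnat_service PROTO PUBLIC_IP PORT DMZ_IP
dnat_service() {
    proto=$1; public=$2; port=$3; dmz=$4
    ipt -t nat -A PREROUTING -p "$proto" -i "$INET_IFACE" -d "$public" --dport "$port" \
        -j DNAT --to-destination "$dmz"
}

# DNAT alone only changes the address; the filter FORWARD chain then sees a
# packet for the DMZ host and must accept it explicitly under a DROP policy.
# Usage: allow_forward_to_dmz PROTO DMZ_IP PORT
allow_forward_to_dmz() {
    proto=$1; dmz=$2; port=$3
    ipt -A FORWARD -p "$proto" -i "$INET_IFACE" -d "$dmz" --dport "$port" -j ACCEPT
}

# Publish the DMZ resolver over both transports DNS uses.
publish_dmz_dns() {
    dnat_service tcp "$DNS_IP" 53 "$DMZ_DNS_IP"
    dnat_service udp "$DNS_IP" 53 "$DMZ_DNS_IP"
}

setup_dmz() {
    publish_dmz_dns
    allow_forward_to_dmz tcp "$DMZ_DNS_IP" 53
    allow_forward_to_dmz udp "$DMZ_DNS_IP" 53
}

if [ "${FW_RUN_MAIN:-0}" = 1 ]; then setup_dmz; fi
```

Each additional DMZ server becomes one dnat_service line and one allow_forward_to_dmz line; keeping the two together makes it obvious which services are exposed, which is the "do not open the gates too wide" concern raised in the structure description.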

By now you should understand how DNAT works well enough to work through the script text on your own without any problems. If something remains unclear to you and was not covered in this document, let me know; it is probably my mistake.


rc.DHCP.firewall.txt

The script requires the following options to be compiled in either statically or as modules. Without any of them the script will not work

  • CONFIG_PACKET
  • CONFIG_NETFILTER
  • CONFIG_IP_NF_CONNTRACK
  • CONFIG_IP_NF_IPTABLES
  • CONFIG_IP_NF_MATCH_LIMIT
  • CONFIG_IP_NF_MATCH_STATE
  • CONFIG_IP_NF_FILTER
  • CONFIG_IP_NF_NAT
  • CONFIG_IP_NF_TARGET_MASQUERADE
  • CONFIG_IP_NF_TARGET_LOG


ÁæÕÝÐàØÙ rc.DHCP.firewall.txt ÞçÕÝì ßÞåÞÖ ÝÐ ÞàØÓØÝÐÛ rc.firewall.txt. ¾ÔÝÐÚÞ, íâÞâ áæÕÝÐàØÙ ÑÞÛìèÕ ÝÕ ØáßÞÛì×ãÕâ ßÕàÕÜÕÝÝãî STATIC_IP, íâÞ Ø ïÒÛïÕâáï ÞáÝÞÒÝëÜ ÞâÛØçØÕÜ Þâ ÞàØÓØÝÐÛÐ rc.firewall.txt. ¿àØçØÝÐ Ò âÞÜ, çâÞ rc.firewall.txt ÝÕ ÑãÔÕâ àÐÑÞâÐâì Ò áÛãçÐÕ ÔØÝÐÜØçÕáÚÞÓÞ IP ÐÔàÕáÐ. ¸×ÜÕÝÕÝØï, ßÞ áàÐÒÝÕÝØî á ÞàØÓØÝÐÛÞÜ - ÜØÝØÜÐÛìÝë. ÍâÞâ áæÕÝÐàØÙ ÑãÔÕâ ßÞÛÕ×ÕÝ Ò áÛãçÐÕ DHCP, PPP Ø SLIP ßÞÔÚÛîçÕÝØï Ú ¸ÝâÕàÝÕâ.

³ÛÐÒÝÞÕ ÞâÛØçØÕ ÔÐÝÝÞÓÞ áÚàØßâÐ áÞáâÞØâ Ò ãÔÐÛÕÝØØ ßÕàÕÜÕÝÝÞÙ STATIC_IP Ø ÒáÕå ááëÛÞÚ ÝÐ íâã ßÕàÕÜÕÝÝãî. ²ÜÕáâÞ ÝÕÕ âÕßÕàì ØáßÞÛì×ãÕâáï ßÕàÕÜÕÝÝÐï INET_IFACE. ´àãÓØÜØ áÛÞÒÐÜØ -d $STATIC_IP ×ÐÜÕÝïÕâáï ÝÐ -i $INET_IFACE. ÁÞÑáâÒÕÝÝÞ íâÞ ÒáÕ, çâÞ ÝãÖÝÞ Ø×ÜÕÝØâì Ò ÔÕÙáâÒØâÕÛìÝÞáâØ.
(ÅÞçÕâáï ÞâÜÕâØâì, çâÞ Ò ÔÐÝÝÞÜ áÛãçÐÕ ßÞÔ STATIC_IP ÐÒâÞà ßÞÝØÜÐÕâ ßÕàÕÜÕÝÝãî INET_IP ßàØÜ. ßÕàÕÒ.)

¼ë ÑÞÛìèÕ ÝÕ ÜÞÖÕÜ ãáâÐÝÐÒÛØÒÐâì ßàÐÒØÛÐ Ò æÕßÞçÚÕ INPUT ßÞÔÞÑÝëå íâÞÜã: --in-interface $LAN_IFACE --dst $INET_IP. ÍâÞ Ò áÒÞî ÞçÕàÕÔì ÒëÝãÖÔÐÕâ ÝÐá áâàÞØâì ßàÐÒØÛÐ ÞáÝÞÒëÒÐïáì âÞÛìÚÞ ÝÐ áÕâÕÒÞÜ ØÝâÕàäÕÙáÕ. ½ÐßàØÜÕà, ßãáâì ÝÐ ÑàÐÝÔÜÐãíàÕ ×ÐßãéÕÝ HTTP áÕàÒÕà. µáÛØ Üë ßàØåÞÔØÜ ÝÐ ÓÛÐÒÝãî áâàÐÝØçÚã, áÞÔÕàÖÐéãî áâÐâØçÕáÚãî ááëÛÚã ÞÑàÐâÝÞ ÝÐ íâÞâ ÖÕ áÕàÒÕà, ÚÞâÞàëÙ àÐÑÞâÐÕâ ßÞÔ ÔØÝÐÜØçÕáÚØÜ ÐÔàÕáÞÜ, âÞ Üë ÜÞÖÕÜ "ÞÓàÕáâØ" ÝÕÜÐÛÞ ßàÞÑÛÕÜ. ÅÞáâ, ÚÞâÞàëÙ ßàÞåÞÔØâ çÕàÕ× NAT, ×ÐßàÞáØâ çÕàÕ× DNS IP ÐÔàÕá HTTP áÕàÒÕàÐ, ßÞáÛÕ çÕÓÞ ßÞßàÞÑãÕâ ßÞÛãçØâì ÔÞáâãß Ú íâÞÜã IP. µáÛØ ÑàÐÝÔÜÐãíà ßàÞØ×ÒÞÔØâ äØÛìâàÐæØî ßÞ ØÝâÕàäÕÙáã Ø IP ÐÔàÕáã, âÞ åÞáâ ÝÕ áÜÞÖÕâ ßÞÛãçØâì ÞâÒÕâ, ßÞáÚÞÛìÚã æÕßÞçÚÐ INPUT ÞâäØÛìâàãÕâ âÐÚÞÙ ×ÐßàÞá. (ÁÚÞàÕÕ ÒáÕÓÞ ÐÒâÞà ØÜÕÕâ ÒÒØÔã áÚàØßâ rc.firewall.txt ßàØÜ. ßÕàÕÒ.) ÍâÞ âÐÚ ÖÕ áßàÐÒÕÔÛØÒÞ Ø ÔÛï ÝÕÚÞâÞàëå áÛãçÐÕÒ ÚÞÓÔÐ Üë ØÜÕÕÜ áâÐâØçÕáÚØÙ IP ÐÔàÕá, ÝÞ âÞÓÔÐ íâÞ ÜÞÖÝÞ ÞÑÞÙâØ, ØáßÞÛì×ãï ßàÐÒØÛÐ, ÚÞâÞàëÕ ßàÞÒÕàïîâ ßÐÚÕâë, ßàØåÞÔïéØÕ á LAN ØÝâÕàäÕÙáÐ ÝÐ ÝÐè INET_IP Ø ÒëßÞÛÝïâì ACCEPT ÔÛï ÝØå.

¿ÞáÛÕ ÒáÕÓÞ ÒëèÕáÚÐ×ÐÝÝÞÓÞ, ÝÕ âÐÚÞÙ ãÖ ßÛÞåÞÙ ÜÞÖÕâ ßÞÚÐ×Ðâìáï ÜëáÛì Þ áÞ×ÔÐÝØØ áæÕÝÐàØï, ÚÞâÞàëÙ Ñë ÞÑàÐÑÐâëÒÐÛ ÔØÝÐÜØçÕáÚØÙ IP. ½ÐßàØÜÕà, ÜÞÖÝÞ ÑëÛÞ Ñë ÝÐߨáÐâì áÚàØßâ, ÚÞâÞàëÙ ßÞÛãçÐÕâ IP ÐÔàÕá çÕàÕ× ifconfig Ø ßÞÔáâÐÒÛïÕâ ÕÓÞ Ò âÕÚáâ áæÕÝÐàØï (ÓÔÕ ÞßàÕÔÕÛïÕâáï áÞÞâÒÕâáâÒãîéÐï ßÕàÕÜÕÝÝÐï), ÚÞâÞàëÙ "ßÞÔÝØÜÐÕâ" áÞÕÔØÝÕÝØÕ á ¸ÝâÕàÝÕâ. ·ÐÜÕçÐâÕÛìÝëÙ áÐÙâ linuxguruz.org ØÜÕÕâ ÞÓàÞÜÝãî ÚÞÛÛÕÚæØî áÚàØßâÞÒ, ÔÞáâãßÝëå ÔÛï áÚÐçØÒÐÝØï. ÁáëÛÚã ÝÐ linuxguruz.org Òë ÝÐÙÔÕâÕ Ò ÁáëÛÚØ ÝÐ ÔàãÓØÕ àÕáãàáë.

Note

ÍâÞâ áæÕÝÐàØÙ ÜÕÝÕÕ ÑÕ×ÞßÐáÕÝ çÕÜ rc.firewall.txt. Ï ÝÐáâÞïâÕÛìÝÞ àÕÚÞÜÕÝÔãî ÒÐÜ ØáßÞÛì×ÞÒÐâì áæÕÝÐàØÙ rc.firewall.txt, ÕáÛØ íâÞ ÒÞ×ÜÞÖÝÞ, âÐÚ ÚÐÚ rc.DHCP.firewall.txt ÑÞÛÕÕ ÞâÚàëâ ÔÛï ÝÐßÐÔÕÝØÙ Ø×ÒÝÕ.

You could also add something like this to your scripts:

INET_IP=`ifconfig $INET_IFACE | grep inet | cut -d : -f 2 | cut -d \ -f 1`

The command above obtains the dynamic IP from the interface, but this approach has serious drawbacks, described below.

  1. If the script is run from another script that is in turn run by the PPP daemon, it may cause all already established connections to "hang", because of the rules that drop packets in state NEW that do not have the SYN bit set (see State NEW packets but no SYN bit set). The problem can of course be solved by removing those rules, but that is a rather questionable solution from a security standpoint.

  2. Suppose you have a set of static rules; it would be rather crude to keep erasing and re-adding rules, at the risk of damaging the existing ones. For example, if you want to block hosts on your LAN from connecting to the firewall, but at the same time run a script from the PPP daemon, how would you do it without erasing your already active rules blocking the LAN?

  3. It can lead to unnecessary complexity, which in turn weakens the protection. The simpler the script, the easier it is to maintain.
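The following functions are an added example (my own code, not part of the tutorial or its scripts) of a safer way to fill INET_IP: they read the address with the same idea as the one-liner above, but refuse to hand back anything that is not a valid dotted-quad address. The point is the failure mode of the one-liner: when ifconfig's output format differs from what the cut pipeline expects, INET_IP ends up empty, the rules that reference it fail to load, and the protection they were meant to add is silently missing. The function names, the interface name and the sample ifconfig output are assumptions.

```shell
# Added example: extract and validate an interface's IPv4 address before
# it is used in any rule. Not part of the tutorial; names are my own.

# extract_inet_ip: read ifconfig/ip-style output on stdin and print the
# first IPv4 address. Accepts the old "inet addr:10.0.0.5" form and the
# newer "inet 10.0.0.5/24" form; inet6 lines never match.
extract_inet_ip() {
    sed -n 's/^.*inet \(addr:\)\{0,1\}\([0-9][0-9.]*\).*$/\2/p' | head -n 1
}

# valid_ipv4 ADDR: succeed only for a dotted quad with octets 0..255, so
# an empty or garbled value can never reach an iptables command line.
valid_ipv4() {
    addr=$1
    case $addr in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    saved_ifs=$IFS
    IFS=.
    set -f                      # no pathname expansion while splitting
    set -- $addr
    set +f
    IFS=$saved_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# get_inet_ip IFACE: print the value for INET_IP, or fail with a non-zero
# exit status so that a script run with "set -e" stops instead of loading
# rules that reference an empty address.
get_inet_ip() {
    addr=$(ifconfig "$1" 2>/dev/null | extract_inet_ip)
    if ! valid_ipv4 "$addr"; then
        echo "get_inet_ip: no usable IPv4 address on $1" >&2
        return 1
    fi
    printf '%s\n' "$addr"
}

# sample_ifconfig: constructed classic ifconfig output for a self-check
# (sample_ifconfig | extract_inet_ip prints 10.0.0.5).
sample_ifconfig() {
    printf '%s\n' \
        'eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55' \
        '          inet addr:10.0.0.5  Bcast:10.0.0.255  Mask:255.255.255.0' \
        '          inet6 addr: fe80::211:22ff:fe33:4455/64 Scope:Link'
}
```

In a firewall script this replaces the bare assignment with INET_IP=$(get_inet_ip "$INET_IFACE") so that, under set -e, a missing address aborts the script before any rule is touched rather than loading half a ruleset.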


rc.UTIN.firewall.txt

This script requires the following options to be compiled in statically or as modules. Without any one of them the script will not work:

  • CONFIG_PACKET
  • CONFIG_NETFILTER
  • CONFIG_IP_NF_CONNTRACK
  • CONFIG_IP_NF_IPTABLES
  • CONFIG_IP_NF_MATCH_LIMIT
  • CONFIG_IP_NF_MATCH_STATE
  • CONFIG_IP_NF_FILTER
  • CONFIG_IP_NF_NAT
  • CONFIG_IP_NF_TARGET_LOG


The rc.UTIN.firewall.txt script, unlike the other scripts, blocks the LAN that sits behind the firewall. We trust the internal users no more than users from the Internet. In other words, we trust no one, neither on the Internet nor on the local network we are connected to. Therefore Internet access is restricted to the POP3, HTTP and FTP protocols only.

This script follows the golden rule: "trust no one, not even your own employees". It is a sad fact that the majority of attacks and break-ins a company suffers are carried out by its own employees from the local network. This script will hopefully give you some hints that help you tighten your firewall. It differs little from the original rc.firewall.txt, but it does contain hints about what we usually let through.


rc.test-iptables.txt

The rc.test-iptables.txt script is meant for testing the different chains, but it may need some tweaking depending on your configuration, for example enabling ip_forwarding, setting up masquerading and so on. In most cases with a basic setup, though, where the basic tables are in place, it will work as it is. What the script actually does is set up LOG targets for ping requests and ping replies. This makes it possible to record in the system log which chains were traversed and in what order. Run the script and then execute the following command:

ping -c 1 host.on.the.internet

and, while that command runs, execute tail -n 0 -f /var/log/messages. You should now clearly see all the chains used and the order in which they are traversed.

Note

This script was written purely for demonstration purposes. In other words, you should not have logging rules like these, which log every packet without limit. Otherwise you risk becoming easy prey for an attacker who can flood you with packets and bloat your log, causing a denial of service, and then move on to an actual break-in of your system without fear of being noticed, because it can no longer be logged by the system.
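As an added example, not the tutorial's rc.test-iptables.txt, here is a compact version of the same idea: one LOG rule per table and chain for ICMP echo request and echo reply, each with a prefix naming the table and chain, plus a helper that reduces the resulting syslog lines to the sequence of chains a particular ping traversed. Because of the Note above, the LOG rules carry a limit match so the script cannot be used to flood the log. The prefixes, function names, the sample log lines (constructed for the self-check) and the chain list (a kernel where mangle has all five chains) are my assumptions; the sample follows the traversal order from the chapter on traversing tables and chains, with nat seeing only the first packet of a connection.

```shell
# Added example (not the tutorial's script): trace which chains a ping
# traverses by logging it in every chain, then read the order back from
# the log. Set IPTABLES=echo to preview the rules instead of loading them.
IPTABLES=${IPTABLES:-iptables}

# add_icmp_trace: one LOG rule per table/chain for echo request and reply.
# The prefix "table CHAIN:" is what chain_order extracts later. The limit
# match keeps a ping flood from filling the log (see the Note above).
add_icmp_trace() {
    for pair in "mangle PREROUTING" "nat PREROUTING" "mangle INPUT" \
                "filter INPUT" "mangle FORWARD" "filter FORWARD" \
                "mangle OUTPUT" "nat OUTPUT" "filter OUTPUT" \
                "mangle POSTROUTING" "nat POSTROUTING"; do
        set -- $pair
        for type in echo-request echo-reply; do
            $IPTABLES -t "$1" -A "$2" -p icmp --icmp-type "$type" \
                -m limit --limit 5/second --limit-burst 20 \
                -j LOG --log-prefix "$1 $2:"
        done
    done
}

# chain_order ICMP_ID: read syslog lines on stdin and print, in order, the
# "table CHAIN" prefix of every line that logged the ping with this ICMP
# id (the "ID=" field after "CODE=", not the IP header id), tolerating an
# optional "[ 123.456]" kernel timestamp after "kernel:".
chain_order() {
    grep "CODE=[0-9]* ID=$1 SEQ=" \
        | sed -n 's/^.*kernel: \(\[[^]]*\] \)\{0,1\}\([a-z]* [A-Z]*\):.*$/\2/p'
}

# sample_log: constructed syslog lines for a ping sent from the firewall
# itself (ICMP id 1234) and its reply, plus one line from another ping.
# The reply belongs to an existing connection, so it skips nat PREROUTING.
sample_log() {
    req='PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1'
    rep='PROTO=ICMP TYPE=0 CODE=0 ID=1234 SEQ=1'
    outbound='IN= OUT=eth0 SRC=192.0.2.7 DST=198.51.100.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=30001 DF'
    inbound='IN=eth0 OUT= SRC=198.51.100.1 DST=192.0.2.7 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=40002'
    printf '%s\n' \
        "Jun  8 10:00:01 fw kernel: mangle OUTPUT:$outbound $req" \
        "Jun  8 10:00:01 fw kernel: nat OUTPUT:$outbound $req" \
        "Jun  8 10:00:01 fw kernel: filter OUTPUT:$outbound $req" \
        "Jun  8 10:00:01 fw kernel: mangle POSTROUTING:$outbound $req" \
        "Jun  8 10:00:01 fw kernel: nat POSTROUTING:$outbound $req" \
        "Jun  8 10:00:01 fw kernel: mangle PREROUTING:$inbound $rep" \
        "Jun  8 10:00:01 fw kernel: mangle INPUT:$inbound $rep" \
        "Jun  8 10:00:01 fw kernel: filter INPUT:$inbound $rep" \
        "Jun  8 10:00:02 fw kernel: filter INPUT:$inbound PROTO=ICMP TYPE=0 CODE=0 ID=4321 SEQ=1"
}
```

On a live system the sequence is chain_order run over /var/log/messages (for example with grep for the ping's ICMP id in the tail -f output shown above); sample_log | chain_order 1234 shows the expected shape of the result.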


rc.flush-iptables.txt

The rc.flush-iptables.txt script is not really a script in its own right, since it simply flushes all your tables and chains. At the start of the script the default policies of the INPUT, OUTPUT and FORWARD chains in the filter table are set to ACCEPT. After that the default policies of the PREROUTING, POSTROUTING and OUTPUT chains in the nat table are reset. These actions are done first so that we do not run into problems with closed connections and blocked packets. In practice this script can be used to prepare the firewall for configuration and when debugging your scripts, so here we only care about clearing the ruleset and setting the default policies.

Once the default policies are set, we go on to flush the contents of the chains in the filter and nat tables, and then all user-defined chains are deleted. After that the script is finished. If you use the mangle table, you will have to add the corresponding lines to the script to handle that table.

Note

A closing remark. Very many people ask me why I do not put a call to this script into rc.firewall, with something like rc.firewall start to run the script. I have not done so because I believe a tutorial should carry the basic ideas and should not be cluttered with assorted scripts with strange syntax. Adding specific syntax makes the scripts less readable and the tutorial harder to understand, so this tutorial stays the way it is and will continue to do so.


Detailed explanations of special commands

Listing your active ruleset

To list the ruleset, run the iptables command with the -L option, which was briefly described earlier in the chapter How a rule is built. It looks roughly like this:

iptables -L

This command prints the ruleset in a human-readable form. Port numbers are converted to service names according to /etc/services, and IP addresses are converted to host names via DNS lookups. Name resolution can cause problems: for example, with a 192.168.0.0/16 network the DNS service cannot resolve a name for the host 192.168.1.1, and the command hangs. To avoid this, list the rules with an additional option:

iptables -L -n

To display additional information about the chains and rules, run

iptables -L -n -v

There are a number of files in the /proc file system that contain information of interest to us. For example, suppose we want to look at the list of connections in the conntrack table. This is the main table that lists the tracked connections and the state each of them is in. To view the table, run the command

cat /proc/net/conntrack | less


Updating and flushing your tables

As you dig deeper into iptables, you will sooner or later face the question of how to delete individual rules from chains without having to reboot the machine. I will try to answer it now. If you have added a rule by mistake, all you need to do is replace the -A command with -D on the rule's command line. iptables will find the rule and delete it. If several rules match the given pattern, the first one found is deleted. If that is not what you want, -D can instead be given the number of the rule to delete as its parameter; for example, iptables -D INPUT 10 deletes the tenth rule in the INPUT chain. (To find out a rule's number, run iptables -L CHAIN_NAME --line-numbers, and the rules will be listed with their numbers. Translator's note.)

To delete the entire contents of a chain, use the -F command. For example, iptables -F INPUT deletes all rules in the INPUT chain; note, however, that this command does not change the chain's default policy, so if it is set to DROP, everything entering the INPUT chain will still be blocked. To reset the default policy, simply set it back to its initial state, for example iptables -P INPUT ACCEPT.

I have written a small script (described a little earlier) that flushes all tables and chains and resets the chain policies in iptables. Just note that if you use the mangle table, you need to extend this script, since it does not handle that table.
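As an added example, here is my own rendering (not the tutorial's rc.flush-iptables.txt) of the procedure described for that script above and in this section: policies are set to ACCEPT before anything is flushed, so that a chain is never left with a DROP policy and no rules, and the mangle table is handled as well, which the tutorial says its script does not do. The function names and the IPTABLES variable are assumptions.

```shell
# Added example: flush every table the way the tutorial describes, with
# mangle included. Not the tutorial's script. IPTABLES=echo previews the
# commands instead of running them.
IPTABLES=${IPTABLES:-iptables}

# reset_table TABLE CHAIN...: policy ACCEPT on every built-in chain first
# (-F alone leaves a DROP policy in place, as explained above), then flush
# all rules and delete the user-defined chains of that table.
reset_table() {
    table=$1
    shift
    for chain in "$@"; do
        $IPTABLES -t "$table" -P "$chain" ACCEPT
    done
    $IPTABLES -t "$table" -F
    $IPTABLES -t "$table" -X
}

# flush_all: filter and nat as in the tutorial's script, then mangle.
# On kernels before 2.4.18 mangle has only PREROUTING and OUTPUT; drop
# the other three chain names there.
flush_all() {
    reset_table filter INPUT FORWARD OUTPUT
    reset_table nat PREROUTING POSTROUTING OUTPUT
    reset_table mangle PREROUTING INPUT FORWARD OUTPUT POSTROUTING
}

# show_numbered CHAIN: list a chain with rule numbers for use with
# "iptables -D CHAIN N"; -n avoids the DNS lookups that can hang -L.
show_numbered() {
    $IPTABLES -L "$1" -n -v --line-numbers
}
```

Running IPTABLES=echo; flush_all prints the seventeen commands in the order they would be executed, which is a quick way to check that every -P line of a table precedes its -F line before the script is run for real.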


Common problems and questions

Problems loading modules

You may run into several problems when trying to load a module. For example, you may get a message that the requested module does not exist:

insmod: iptable_filter: no module by that name found

There is no reason to worry yet. It may well be that the requested module (or modules) was linked into the kernel statically. That is the first thing to check. To do so, simply run the command

iptables -t filter -L

If everything is fine, this command prints a list of all the chains in the filter table. The output should look roughly like this:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

If the filter table is missing, the output will be something like the following:

iptables v1.2.5: can't initialize iptables table `filter': Table does not exist (do you need to insmod?) Perhaps iptables or your kernel needs to be upgraded.

This is more serious, since the message indicates that you either forgot to install the modules, forgot to run depmod -a, or did not compile the required modules at all. To fix the first problem, run make modules_install in the kernel source directory. The second is fixed by running depmod -a. Fixing the third is beyond the scope of this tutorial; in that case I recommend visiting the home page of the Linux Documentation Project. (Look again at the beginning of the document, where the iptables installation process is described. Translator's note.)

Other errors you may get when running iptables:

iptables: No chain/target/match by that name

This error says that there is no such chain, target or match. It can depend on a great many factors; most likely you are trying to use a nonexistent (or not yet defined) chain, a nonexistent target or match, or the required module has not been loaded.


Passive FTP but no DCC

This is one of the nice features of the new iptables supported by the 2.4.x kernel series: you can allow Passive FTP while denying DCC send, thanks to the new connection tracking code. You may ask "How?"; it is fairly simple. To make this possible you need to compile ip_conntrack_irc, ip_nat_irc, ip_conntrack_ftp and ip_nat_ftp as loadable modules rather than as static code in the kernel. What these modules do is add tracking and NAT support for Passive FTP and DCC send. Without them the kernel's network code cannot handle connections of this kind correctly.

If, for example, you want to allow Passive FTP but deny DCC send, load the ip_conntrack_ftp and ip_nat_ftp modules, do NOT load ip_conntrack_irc and ip_nat_irc, and then add the rule:

iptables -A INPUT -p TCP -m state --state RELATED -j ACCEPT

This allows Passive FTP connections but not DCC. If you want the opposite, denying Passive FTP and allowing DCC, do exactly the reverse: load ip_conntrack_irc and ip_nat_irc and do NOT load ip_conntrack_ftp and ip_nat_ftp. Note that the ip_nat_* modules are only needed if your firewall performs Network Address Translation or masquerading for local hosts connecting to the Internet.

For more information about Active and Passive FTP, read RFC 959 - File Transfer Protocol by J. Postel and J. Reynolds. This RFC contains information on the FTP protocol, Active and Passive FTP and how they work. As the document describes, in Active FTP the client sends the server its IP address and a randomly chosen port on its own side for the connection. The server then connects to that port on the client. If your client is behind a firewall doing NAT, the data section of the packets must be rewritten, which is what the ip_nat_ftp module does. In Passive FTP the order of events is reversed. The client tells the server that it wants to send or receive data, and the server replies telling the client which address to connect to and which port to use.


State NEW packets but no SYN bit set

This feature of iptables is not well documented, so many people may pay too little attention to it (myself included). If you use rules that match packets in state NEW but do not check the SYN bit, packets without the SYN bit set may "leak" through your protection. Admittedly, when several firewalls are in use, such a packet may be part of an ESTABLISHED connection set up through another firewall. Letting these packets through makes it possible for two or more firewalls to work together, and any one of them can be taken down without fear of breaking the established connections, since another firewall will take over the data transfer at once. It does, however, also allow practically any TCP connection to be established. To avoid this, add the following rules to the INPUT, OUTPUT and FORWARD chains:

$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

Caution

The rules above take care of this problem. Be extremely careful when building rules that make decisions based on the packet's state.

Note that there are some problems with the rules above and Microsoft's poor TCP/IP implementation. The point is that under certain conditions packets generated by Microsoft software are marked as NEW and are therefore dropped by these rules. As far as I know this does not break any connections, though. It happens because when a connection is closed and the final FIN/ACK packet is sent, netfilter closes the connection and removes it from the conntrack table. At that moment the defective Microsoft code sends another packet, which is given state NEW, but since it does not have the SYN bit set it matches the rules above. In short, do not worry too much about these rules. If in doubt, look at the system log, where the dropped packets are logged (see the rules above), and investigate them.

There is one more known problem with these rules. If someone is currently connected to the firewall, for example from the LAN, and brings up PPP, that connection is killed. This happens at the moment the conntrack and nat modules are loaded or unloaded. Another way to hit this problem is to run the rc.firewall.txt script from a telnet session from another computer. You telnet to the firewall and run rc.firewall.txt, which in the course of its execution loads the connection tracking modules and the "NEW not SYN" rules. When the telnet client or daemon then tries to send something, the connection is recognised by the tracking code as NEW, but the packets do not have the SYN bit set since they are in fact part of an already established connection. So the packet matches the rules, and is logged and dropped.
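As an added example (not from the tutorial), the following installs the NEW-but-not-SYN rules in all three chains, as the text says to, with the LOG rule rate-limited, and adds a small summary over syslog lines that counts dropped packets per source address. That count is how to tell the two harmless cases described above (a single stray packet after a FIN/ACK, or an existing session caught by a ruleset reload) from a sustained stream of such packets from one source. The function names and the sample log lines (constructed) are my assumptions.

```shell
# Added example (not from the tutorial): NEW-but-not-SYN rules for all
# three filter chains, plus a per-source count of what they logged.
# Set IPTABLES=echo to preview the commands.
IPTABLES=${IPTABLES:-iptables}

# add_new_not_syn_rules: log (rate-limited) and drop TCP packets that
# conntrack considers NEW but that lack the SYN flag.
add_new_not_syn_rules() {
    for chain in INPUT OUTPUT FORWARD; do
        $IPTABLES -A "$chain" -p tcp ! --syn -m state --state NEW \
            -m limit --limit 3/minute --limit-burst 3 \
            -j LOG --log-prefix "New not syn:"
        $IPTABLES -A "$chain" -p tcp ! --syn -m state --state NEW -j DROP
    done
}

# new_not_syn_summary: read syslog lines on stdin and print "COUNT SRC"
# for every source address that triggered the rule, most frequent first.
new_not_syn_summary() {
    grep 'New not syn:' \
        | sed -n 's/^.*SRC=\([0-9.]*\) .*$/\1/p' \
        | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# sample_log: constructed lines. The single packet from 192.0.2.9 looks
# like the harmless post-FIN/ACK case described in the text; repeated
# packets from one source, as from 203.0.113.5, are worth a closer look.
# The last line has a different prefix and must not be counted.
sample_log() {
    rest='DST=192.0.2.7 LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=1 DF PROTO=TCP'
    printf '%s\n' \
        "Jun  8 10:01:00 fw kernel: New not syn:IN=eth0 OUT= SRC=192.0.2.9 $rest SPT=3045 DPT=80 WINDOW=0 RES=0x00 ACK URGP=0" \
        "Jun  8 10:02:10 fw kernel: New not syn:IN=eth0 OUT= SRC=203.0.113.5 $rest SPT=5000 DPT=22 WINDOW=1024 RES=0x00 ACK URGP=0" \
        "Jun  8 10:02:11 fw kernel: New not syn:IN=eth0 OUT= SRC=203.0.113.5 $rest SPT=5001 DPT=23 WINDOW=1024 RES=0x00 ACK URGP=0" \
        "Jun  8 10:02:12 fw kernel: New not syn:IN=eth0 OUT= SRC=203.0.113.5 $rest SPT=5002 DPT=25 WINDOW=1024 RES=0x00 ACK URGP=0" \
        "Jun  8 10:02:13 fw kernel: IPT INPUT drop:IN=eth0 OUT= SRC=198.51.100.20 $rest SPT=40000 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0"
}
```

On a live system the summary is new_not_syn_summary < /var/log/messages; with the constructed sample it prints "3 203.0.113.5" followed by "1 192.0.2.9". The limit match on the LOG rule keeps the log readable under a flood, while the DROP rule that follows it is not limited, so every such packet is still dropped.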


Internet Service Providers who use assigned IP addresses

I have added this section to warn you about dim-witted Internet Service Providers that assign IP addresses which IANA has reserved for local networks. For example, the Swedish Internet Service Provider and telephone monopoly Telia uses such addresses, for instance for its DNS servers, which use the 10.x.x.x range. The problem you will most likely run into is that in our scripts we do not allow connections from any IP in the 10.x.x.x range, because of the possibility of packet spoofing. If you run into this situation, you will probably have to remove some of the rules, or add rules that let traffic from these servers through before the INPUT chain, something like this:

/usr/local/sbin/iptables -t nat -I PREROUTING -i eth1 -s 10.0.0.1/32 -j ACCEPT

I would like to remind such providers that these address ranges are not meant for use on the Internet. For corporate networks, by all means; for your own home networks, great! But you should not force us to "open up" at your whim.


Letting DHCP requests through iptables

This is actually quite simple once you know how the DHCP protocol works. First of all, DHCP runs over the UDP protocol, so the protocol is the first match. Next, specify the interface: for example, if DHCP requests arrive through $LAN_IFACE, DHCP traffic should be allowed only on that interface. Finally, to make the rule more specific, specify the ports. DHCP uses ports 67 and 68. The rule we want could therefore look like this:

$IPTABLES -I INPUT -i $LAN_IFACE -p udp --dport 67:68 --sport 67:68 -j ACCEPT

Note that this rule lets through all UDP traffic on ports 67 and 68, but that should not worry you too much, since it only allows requests from hosts on the network trying to connect to ports 67 and 68. This rule is quite enough to let DHCP requests through without "opening the gates" too widely. If security worries you a great deal, you can of course tighten this rule.
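As an added example (not from the tutorial), these two functions produce the tightened DHCP rules the last sentence above alludes to, one for each role the firewall can play. They use the fact that a DHCP client sends from UDP port 68 to the server's port 67 and the server answers from port 67 to port 68; the tutorial's 67:68 to 67:68 rule additionally covers relay agents, which talk from port 67 to port 67. The function names and the IPTABLES variable are assumptions.

```shell
# Added example (not from the tutorial): narrower DHCP rules for the two
# roles a firewall can have. Client -> server is 68 -> 67, the answer is
# 67 -> 68. Set IPTABLES=echo to preview the commands.
IPTABLES=${IPTABLES:-iptables}

# dhcp_server_rules IFACE: the firewall runs the DHCP server on IFACE
# (normally the LAN side); accept client requests in, let answers out.
dhcp_server_rules() {
    $IPTABLES -I INPUT -i "$1" -p udp --sport 68 --dport 67 -j ACCEPT
    $IPTABLES -I OUTPUT -o "$1" -p udp --sport 67 --dport 68 -j ACCEPT
}

# dhcp_client_rules IFACE: the firewall obtains its own address on IFACE
# (the rc.DHCP.firewall.txt situation, where IFACE is $INET_IFACE).
dhcp_client_rules() {
    $IPTABLES -I OUTPUT -o "$1" -p udp --sport 68 --dport 67 -j ACCEPT
    $IPTABLES -I INPUT -i "$1" -p udp --sport 67 --dport 68 -j ACCEPT
}
```

Both functions use -I, as the tutorial's rule does, so the rules land ahead of a general DROP. One caveat: some DHCP clients (ISC dhclient among them) do their broadcast exchange through a packet socket rather than a UDP socket, which the INPUT chain does not filter, so on a DHCP client these rules matter mainly for unicast renewals.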


mIRC DCC problems

mIRC has specific settings that allow it to connect through a firewall and handle DCC connections properly. If these settings are used together with iptables, more precisely with the ip_conntrack_irc and ip_nat_irc modules, the combination simply does not work. The problem is that mIRC automatically performs network address translation (NAT) inside the packets. As a result, when a packet reaches iptables, it simply does not know what to do with it. mIRC does not expect the firewall to be "smart" enough to handle IRC correctly, so it asks the server for its own IP address and then inserts that address itself when it sends the DCC request.

Enabling the "I am behind a firewall" option and using the ip_conntrack_irc and ip_nat_irc modules causes netfilter to write the message "Forged DCC send packet" to the system log.

This problem has a simple solution: turn that option off in mIRC and let iptables do all the work.


ICMP types

This is a complete list of ICMP message types:

Table 1. ICMP types

TYPE  CODE  Description                                               Query  Error
0     0     Echo Reply                                                  x
3     0     Network Unreachable                                                x
3     1     Host Unreachable                                                   x
3     2     Protocol Unreachable                                               x
3     3     Port Unreachable                                                   x
3     4     Fragmentation needed but no frag. bit set                          x
3     5     Source routing failed                                              x
3     6     Destination network unknown                                        x
3     7     Destination host unknown                                           x
3     8     Source host isolated (obsolete)                                    x
3     9     Destination network administratively prohibited                    x
3     10    Destination host administratively prohibited                       x
3     11    Network unreachable for TOS                                        x
3     12    Host unreachable for TOS                                           x
3     13    Communication administratively prohibited by filtering             x
3     14    Host precedence violation                                          x
3     15    Precedence cutoff in effect                                        x
4     0     Source quench
5     0     Redirect for network
5     1     Redirect for host
5     2     Redirect for TOS and network
5     3     Redirect for TOS and host
8     0     Echo request                                                x
9     0     Router advertisement
10    0     Router solicitation
11    0     TTL equals 0 during transit                                        x
11    1     TTL equals 0 during reassembly                                     x
12    0     IP header bad (catchall error)                                     x
12    1     Required options missing                                           x
13    0     Timestamp request (obsolete)                                x
14    0     Timestamp reply (obsolete)                                  x
15    0     Information request (obsolete)                              x
16    0     Information reply (obsolete)                                x
17    0     Address mask request                                        x
18    0     Address mask reply                                          x

Other resources and links

Here is a list of links where you can find more information:

  • ip-sysctl.txt - from the 2.4.14 kernel documentation. A small but good reference on the kernel's networking code.

  • ip_dynaddr.txt - from the 2.4.14 kernel documentation. A small reference on the ip_dynaddr settings available via sysctl and the /proc file system.

  • iptables.8 - The iptables 1.2.4 man page in HTML format. An excellent reference for writing iptables rules. Always useful to have at hand.

  • http://netfilter.filewatcher.org/ - The official netfilter and iptables site. A must for anyone who wants to set up iptables and netfilter on Linux.

  • http://netfilter.filewatcher.org/netfilter-faq.html - The official netfilter FAQ (Frequently Asked Questions).

  • http://netfilter.filewatcher.org/unreliable-guides/packet-filtering-HOWTO/index.html - Rusty Russell's Unreliable Guide to packet filtering. Excellent documentation on the basics of packet filtering with iptables, written by one of the iptables and netfilter developers.

  • http://netfilter.filewatcher.org/unreliable-guides/NAT-HOWTO/index.html - Rusty Russell's Unreliable Guide to Network Address Translation. Excellent documentation on Network Address Translation in iptables and netfilter, written by one of the core developers, Rusty Russell.

  • http://netfilter.filewatcher.org/unreliable-guides/netfilter-hacking-HOWTO/index.html - Rusty Russell's Unreliable Netfilter Hacking HOWTO. One of the few documents on writing code for netfilter and iptables. Also written by Rusty Russell.

  • http://www.linuxguruz.org/iptables/ - Contains many links on the subject. Has a list of iptables scripts for various purposes.

  • http://www.islandsoft.net/veerapen.html - An excellent discussion of automating iptables, for example how, with minor changes, to make your computer automatically add unwanted sites to a special ban list in iptables.

  • http://kalamazoolinux.org/presentations/20010417/conntrack.html - An excellent description of the connection tracking modules. If connection tracking interests you, you should read this.

  • http://www.docum.org - One of the few sites with information on the Linux CBQ, tc and ip commands. Maintained by Stef Coene.

  • http://lists.samba.org/mailman/listinfo/netfilter - The official netfilter mailing list. Extremely useful for resolving questions about iptables and netfilter.

And of course the iptables source code, its documentation and the people who helped me.


Acknowledgements

I would like to express special thanks to the people who gave me invaluable help in writing this document:

  • Fabrice Marie, as chief editor, for correcting my horrible mistakes. Also many thanks for converting this document to DocBook format.

  • Marc Boucher, for help with some aspects of the state matching code.

  • Frode E. Nyboe, for improving the rc.firewall rules, for inspiring me to rewrite the rules and for introducing multiple tables in the same file.

  • Chapman Brad, Alexander W. Janssen, for helping me understand the order in which packets traverse the basic NAT and filter tables.

  • Michiel Brandenburg, Myles Uyema, for helping me get the state matching rules to work.

  • Kent `Artech' Stahre, for help with the graphics. I know I am a bad graphic artist, and you are among the best I know ;). Also thanks for finding errors in this document.

  • Anders 'DeZENT' Johansson, for information about strange ISPs that use addresses reserved for local networks.

  • Jeremy `Spliffy' Smith, for numerous hints and for catching my mistakes.

And of course everyone who answered my questions and gave their opinions about this document. I am very sorry I cannot mention everyone.

History

Version 1.1.11 (27 May 2002)
http://www.netfilter.org/tutorial/
By: Oskar Andreasson
Contributors: Steve Hnizdur, Lonni Friedman, Jelle Kalf, Harald Welte,
Valentina Barrios and Tony Earnshaw.

Version 1.1.9 (21 March 2002)
http://www.boingworld.com/workshops/linux/iptables-tutorial/
By: Oskar Andreasson
Contributors: Vince Herried, Togan Muftuoglu, Galen Johnson, Kelly Ashe, Janne
Johansson, Thomas Smets, Peter Horst, Mitch Landers, Neil Jolly, Jelle Kalf,
Jason Lam and Evan Nemerson

Version 1.1.8 (5 March 2002)
http://www.boingworld.com/workshops/linux/iptables-tutorial/
By: Oskar Andreasson

Version 1.1.7 (4 February 2002)
http://www.boingworld.com/workshops/linux/iptables-tutorial/
By: Oskar Andreasson
Contributors: Parimi Ravi, Phil Schultz, Steven McClintoc, Bill Dossett,
Dave Wreski, Erik Sjölund, Adam Mansbridge, Vasoo Veerapen, Aladdin and
Rusty Russell.

Version 1.1.6 (7 December 2001)
http://people.unix-fu.org/andreasson/
By: Oskar Andreasson
Contributors: Jim Ramsey, Phil Schultz, Göran Båge, Doug Monroe, Jasper
Aikema, Kurt Lieber, Chris Tallon, Chris Martin, Jonas Pasche, Jan
Labanowski, Rodrigo R. Branco, Jacco van Koll and Dave Wreski

Version 1.1.5 (14 November 2001)
http://people.unix-fu.org/andreasson/
By: Oskar Andreasson
Contributors: Fabrice Marie, Merijn Schering and Kurt Lieber

Version 1.1.4 (6 November 2001)
http://people.unix-fu.org/andreasson
By: Oskar Andreasson
Contributors: Stig W. Jensen, Steve Hnizdur, Chris Pluta and Kurt Lieber

Version 1.1.3 (9 October 2001)
http://people.unix-fu.org/andreasson
By: Oskar Andreasson
Contributors: Joni Chu, N. Emile Akabi-Davis and Jelle Kalf

Version 1.1.2 (29 September 2001)
http://people.unix-fu.org/andreasson
By: Oskar Andreasson

Version 1.1.1 (26 September 2001)
http://people.unix-fu.org/andreasson
By: Oskar Andreasson
Contributors: Dave Richardson

Version 1.1.0 (15 September 2001)
http://people.unix-fu.org/andreasson
By: Oskar Andreasson

Version 1.0.9 (9 September 2001)
http://people.unix-fu.org/andreasson
By: Oskar Andreasson

Version 1.0.8 (7 September 2001)
http://people.unix-fu.org/andreasson
By: Oskar Andreasson

Version 1.0.7 (23 August 2001)
http://people.unix-fu.org/andreasson
By: Oskar Andreasson
Contributors: Fabrice Marie

Version 1.0.6
http://people.unix-fu.org/andreasson
By: Oskar Andreasson

Version 1.0.5
http://people.unix-fu.org/andreasson
By: Oskar Andreasson
Contributors: Fabrice Marie


GNU Free Documentation License

Version 1.1, March 2000

Copyright (C) 2000 Free Software Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.


0. PREAMBLE

The purpose of this License is to make a manual, textbook, or other written document "free" in the sense of freedom: to assure everyone the effective freedom to copy and redistribute it, with or without modifying it, either commercially or noncommercially. Secondarily, this License preserves for the author and publisher a way to get credit for their work, while not being considered responsible for modifications made by others.

This License is a kind of "copyleft", which means that derivative works of the document must themselves be free in the same sense. It complements the GNU General Public License, which is a copyleft license designed for free software.

We have designed this License in order to use it for manuals for free software, because free software needs free documentation: a free program should come with manuals providing the same freedoms that the software does. But this License is not limited to software manuals; it can be used for any textual work, regardless of subject matter or whether it is published as a printed book. We recommend this License principally for works whose purpose is instruction or reference.


1. APPLICABILITY AND DEFINITIONS

This License applies to any manual or other work that contains a notice placed by the copyright holder saying it can be distributed under the terms of this License. The "Document", below, refers to any such manual or work. Any member of the public is a licensee, and is addressed as "you".

A "Modified Version" of the Document means any work containing the Document or a portion of it, either copied verbatim, or with modifications and/or translated into another language.

A "Secondary Section" is a named appendix or a front-matter section of the Document that deals exclusively with the relationship of the publishers or authors of the Document to the Document's overall subject (or to related matters) and contains nothing that could fall directly within that overall subject. (For example, if the Document is in part a textbook of mathematics, a Secondary Section may not explain any mathematics.) The relationship could be a matter of historical connection with the subject or with related matters, or of legal, commercial, philosophical, ethical or political position regarding them.

The "Invariant Sections" are certain Secondary Sections whose titles are designated, as being those of Invariant Sections, in the notice that says that the Document is released under this License.

The "Cover Texts" are certain short passages of text that are listed, as Front-Cover Texts or Back-Cover Texts, in the notice that says that the Document is released under this License.

A "Transparent" copy of the Document means a machine-readable copy, represented in a format whose specification is available to the general public, whose contents can be viewed and edited directly and straightforwardly with generic text editors or (for images composed of pixels) generic paint programs or (for drawings) some widely available drawing editor, and that is suitable for input to text formatters or for automatic translation to a variety of formats suitable for input to text formatters. A copy made in an otherwise Transparent file format whose markup has been designed to thwart or discourage subsequent modification by readers is not Transparent. A copy that is not "Transparent" is called "Opaque".

Examples of suitable formats for Transparent copies include plain ASCII without markup, Texinfo input format, LaTeX input format, SGML or XML using a publicly available DTD, and standard-conforming simple HTML designed for human modification. Opaque formats include PostScript, PDF, proprietary formats that can be read and edited only by proprietary word processors, SGML or XML for which the DTD and/or processing tools are not generally available, and the machine-generated HTML produced by some word processors for output purposes only.

The "Title Page" means, for a printed book, the title page itself, plus such following pages as are needed to hold, legibly, the material this License requires to appear in the title page. For works in formats which do not have any title page as such, "Title Page" means the text near the most prominent appearance of the work's title, preceding the beginning of the body of the text.


2. VERBATIM COPYING

You may copy and distribute the Document in any medium, either commercially or noncommercially, provided that this License, the copyright notices, and the license notice saying this License applies to the Document are reproduced in all copies, and that you add no other conditions whatsoever to those of this License. You may not use technical measures to obstruct or control the reading or further copying of the copies you make or distribute. However, you may accept compensation in exchange for copies. If you distribute a large enough number of copies you must also follow the conditions in section 3.

You may also lend copies, under the same conditions stated above, and you may publicly display copies.


3. COPYING IN QUANTITY

If you publish printed copies of the Document numbering more than 100, and the Document's license notice requires Cover Texts, you must enclose the copies in covers that carry, clearly and legibly, all these Cover Texts: Front-Cover Texts on the front cover, and Back-Cover Texts on the back cover. Both covers must also clearly and legibly identify you as the publisher of these copies. The front cover must present the full title with all words of the title equally prominent and visible. You may add other material on the covers in addition. Copying with changes limited to the covers, as long as they preserve the title of the Document and satisfy these conditions, can be treated as verbatim copying in other respects.

If the required texts for either cover are too voluminous to fit legibly, you should put the first ones listed (as many as fit reasonably) on the actual cover, and continue the rest onto adjacent pages.

If you publish or distribute Opaque copies of the Document numbering more than 100, you must either include a machine-readable Transparent copy along with each Opaque copy, or state in or with each Opaque copy a publicly-accessible computer-network location containing a complete Transparent copy of the Document, free of added material, which the general network-using public has access to download anonymously at no charge using public-standard network protocols. If you use the latter option, you must take reasonably prudent steps, when you begin distribution of Opaque copies in quantity, to ensure that this Transparent copy will remain thus accessible at the stated location until at least one year after the last time you distribute an Opaque copy (directly or through your agents or retailers) of that edition to the public.

It is requested, but not required, that you contact the authors of the Document well before redistributing any large number of copies, to give them a chance to provide you with an updated version of the Document.


4. MODIFICATIONS

You may copy and distribute a Modified Version of the Document under the conditions of sections 2 and 3 above, provided that you release the Modified Version under precisely this License, with the Modified Version filling the role of the Document, thus licensing distribution and modification of the Modified Version to whoever possesses a copy of it. In addition, you must do these things in the Modified Version:

  1. Use in the Title Page (and on the covers, if any) a title distinct from that of the Document, and from those of previous versions (which should, if there were any, be listed in the History section of the Document). You may use the same title as a previous version if the original publisher of that version gives permission.

  2. List on the Title Page, as authors, one or more persons or entities responsible for authorship of the modifications in the Modified Version, together with at least five of the principal authors of the Document (all of its principal authors, if it has less than five).

  3. State on the Title page the name of the publisher of the Modified Version, as the publisher.

  4. Preserve all the copyright notices of the Document.

  5. Add an appropriate copyright notice for your modifications adjacent to the other copyright notices.

  6. Include, immediately after the copyright notices, a license notice giving the public permission to use the Modified Version under the terms of this License, in the form shown in the Addendum below.

  7. Preserve in that license notice the full lists of Invariant Sections and required Cover Texts given in the Document's license notice.

  8. Include an unaltered copy of this License.

  9. Preserve the section entitled "History", and its title, and add to it an item stating at least the title, year, new authors, and publisher of the Modified Version as given on the Title Page. If there is no section entitled "History" in the Document, create one stating the title, year, authors, and publisher of the Document as given on its Title Page, then add an item describing the Modified Version as stated in the previous sentence.

  10. Preserve the network location, if any, given in the Document for public access to a Transparent copy of the Document, and likewise the network locations given in the Document for previous versions it was based on. These may be placed in the "History" section. You may omit a network location for a work that was published at least four years before the Document itself, or if the original publisher of the version it refers to gives permission.

  11. In any section entitled "Acknowledgements" or "Dedications", preserve the section's title, and preserve in the section all the substance and tone of each of the contributor acknowledgements and/or dedications given therein.

  12. Preserve all the Invariant Sections of the Document, unaltered in their text and in their titles. Section numbers or the equivalent are not considered part of the section titles.

  13. Delete any section entitled "Endorsements". Such a section may not be included in the Modified Version.

  14. Do not retitle any existing section as "Endorsements" or to conflict in title with any Invariant Section.

If the Modified Version includes new front-matter sections or appendices that qualify as Secondary Sections and contain no material copied from the Document, you may at your option designate some or all of these sections as invariant. To do this, add their titles to the list of Invariant Sections in the Modified Version's license notice. These titles must be distinct from any other section titles.

You may add a section entitled "Endorsements", provided it contains nothing but endorsements of your Modified Version by various parties--for example, statements of peer review or that the text has been approved by an organization as the authoritative definition of a standard.

You may add a passage of up to five words as a Front-Cover Text, and a passage of up to 25 words as a Back-Cover Text, to the end of the list of Cover Texts in the Modified Version. Only one passage of Front-Cover Text and one of Back-Cover Text may be added by (or through arrangements made by) any one entity. If the Document already includes a cover text for the same cover, previously added by you or by arrangement made by the same entity you are acting on behalf of, you may not add another; but you may replace the old one, on explicit permission from the previous publisher that added the old one.

The author(s) and publisher(s) of the Document do not by this License give permission to use their names for publicity for or to assert or imply endorsement of any Modified Version.


5. COMBINING DOCUMENTS

You may combine the Document with other documents released under this License, under the terms defined in section 4 above for modified versions, provided that you include in the combination all of the Invariant Sections of all of the original documents, unmodified, and list them all as Invariant Sections of your combined work in its license notice.

The combined work need only contain one copy of this License, and multiple identical Invariant Sections may be replaced with a single copy. If there are multiple Invariant Sections with the same name but different contents, make the title of each such section unique by adding at the end of it, in parentheses, the name of the original author or publisher of that section if known, or else a unique number. Make the same adjustment to the section titles in the list of Invariant Sections in the license notice of the combined work.

In the combination, you must combine any sections entitled "History" in the various original documents, forming one section entitled "History"; likewise combine any sections entitled "Acknowledgements", and any sections entitled "Dedications". You must delete all sections entitled "Endorsements."


6. COLLECTIONS OF DOCUMENTS

You may make a collection consisting of the Document and other documents released under this License, and replace the individual copies of this License in the various documents with a single copy that is included in the collection, provided that you follow the rules of this License for verbatim copying of each of the documents in all other respects.

You may extract a single document from such a collection, and distribute it individually under this License, provided you insert a copy of this License into the extracted document, and follow this License in all other respects regarding verbatim copying of that document.


7. AGGREGATION WITH INDEPENDENT WORKS

A compilation of the Document or its derivatives with other separate and independent documents or works, in or on a volume of a storage or distribution medium, does not as a whole count as a Modified Version of the Document, provided no compilation copyright is claimed for the compilation. Such a compilation is called an "aggregate", and this License does not apply to the other self-contained works thus compiled with the Document, on account of their being thus compiled, if they are not themselves derivative works of the Document.

If the Cover Text requirement of section 3 is applicable to these copies of the Document, then if the Document is less than one quarter of the entire aggregate, the Document's Cover Texts may be placed on covers that surround only the Document within the aggregate. Otherwise they must appear on covers around the whole aggregate.


8. TRANSLATION

Translation is considered a kind of modification, so you may distribute translations of the Document under the terms of section 4. Replacing Invariant Sections with translations requires special permission from their copyright holders, but you may include translations of some or all Invariant Sections in addition to the original versions of these Invariant Sections. You may include a translation of this License provided that you also include the original English version of this License. In case of a disagreement between the translation and the original English version of this License, the original English version will prevail.


9. TERMINATION

You may not copy, modify, sublicense, or distribute the Document except as expressly provided for under this License. Any other attempt to copy, modify, sublicense or distribute the Document is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.


10. FUTURE REVISIONS OF THIS LICENSE

The Free Software Foundation may publish new, revised versions of the GNU Free Documentation License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. See http://www.gnu.org/copyleft/.

Each version of the License is given a distinguishing version number. If the Document specifies that a particular numbered version of this License "or any later version" applies to it, you have the option of following the terms and conditions either of that specified version or of any later version that has been published (not as a draft) by the Free Software Foundation. If the Document does not specify a version number of this License, you may choose any version ever published (not as a draft) by the Free Software Foundation.


How to use this License for your documents

To use this License in a document you have written, include a copy of the License in the document and put the following copyright and license notices just after the title page:

Copyright (c) YEAR YOUR NAME. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1 or any later version published by the Free Software Foundation; with the Invariant Sections being LIST THEIR TITLES, with the Front-Cover Texts being LIST, and with the Back-Cover Texts being LIST. A copy of the license is included in the section entitled "GNU Free Documentation License".

If you have no Invariant Sections, write "with no Invariant Sections" instead of saying which ones are invariant. If you have no Front-Cover Texts, write "no Front-Cover Texts" instead of "Front-Cover Texts being LIST"; likewise for Back-Cover Texts.

If your document contains nontrivial examples of program code, we recommend releasing these examples in parallel under your choice of free software license, such as the GNU General Public License, to permit their use in free software.


GNU General Public License

Version 2, June 1991

Copyright (C) 1989, 1991 Free Software Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.


0. Preamble

The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Library General Public License instead.) You can apply it to your programs, too.

When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things.

To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it.

For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights.

We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software.

Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations.

Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all.

The precise terms and conditions for copying, distribution and modification follow.


1. TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

  0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you".

    Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does.

  1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program.

    You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.

  2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:

    a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change.

    b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License.

    c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.)

    These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.

    Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program.

    In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.

  3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following:

    a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,

    b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,

    c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.)

    The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.

    If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code.

  4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.

  5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it.

  6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License.

  7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program.

    If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances.

    It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice.

    This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.

  8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License.

  9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.

    Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation.

  10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.

NO WARRANTY

  11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

  12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

END OF TERMS AND CONDITIONS


2. How to Apply These Terms to Your New Programs

If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms.

To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found.

<one line to give the program's name and a brief idea of what it does.>
Copyright (C) <year>  <name of author>

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

Also add information on how to contact you by electronic and paper mail.

If the program is interactive, make it output a short notice like this when it starts in an interactive mode:

Gnomovision version 69, Copyright (C) year name of author
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details.

The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than `show w' and `show c'; they could even be mouse-clicks or menu items--whatever suits your program.

You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the program, if necessary. Here is a sample; alter the names:

Yoyodyne, Inc., hereby disclaims all copyright interest in the program
`Gnomovision' (which makes passes at compilers) written by James Hacker.

<signature of Ty Coon>, 1 April 1989
Ty Coon, President of Vice

This General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Library General Public License instead of this License.


Example scripts codebase

Example rc.firewall script

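Before the listing, a preflight helper in POSIX sh. It is an added example, not part of the tutorial's rc.firewall, and the function names are mine. It checks that the address constants in section 1 of the script agree with each other: LAN_IP lies inside LAN_IP_RANGE, LAN_BCAST_ADRESS really is the broadcast address of that range, and INET_IP lies outside it. Those three facts are what the INPUT rule "-i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT" at the end of the script relies on, so they are worth verifying before the ruleset is loaded. The sample values are the ones from the script; no iptables or root privilege is needed, so the check can run on any host. The full rc.firewall listing follows.

```sh
#!/bin/sh
# Preflight check for the rc.firewall address constants (added example,
# not part of the original script). Pure POSIX sh arithmetic.

# Dotted-quad IPv4 address -> 32-bit integer, e.g. 192.168.0.2 -> 3232235522
ip_to_int() {
    _ifs=$IFS
    IFS=.
    set -- $1
    IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Prefix length (0..32) -> netmask as a 32-bit integer, e.g. 16 -> 4294901760
prefix_to_mask() {
    if [ "$1" -le 0 ]; then
        echo 0
    else
        echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
    fi
}

# ip_in_cidr IP NET/PREFIX: exit status 0 if IP lies inside the range
ip_in_cidr() {
    _ip=$(ip_to_int "$1")
    _net=$(ip_to_int "${2%/*}")
    _mask=$(prefix_to_mask "${2#*/}")
    [ $(( _ip & _mask )) -eq $(( _net & _mask )) ]
}

# cidr_broadcast NET/PREFIX: the directed broadcast address of the range
cidr_broadcast() {
    _net=$(ip_to_int "${1%/*}")
    _mask=$(prefix_to_mask "${1#*/}")
    # 4294967295 - mask is the host part of an all-ones address
    int_to_ip $(( (_net & _mask) | (4294967295 - _mask) ))
}

# check_firewall_config INET_IP LAN_IP LAN_IP_RANGE LAN_BCAST_ADRESS
# Reports every inconsistency on stderr; returns non-zero if any was found.
check_firewall_config() {
    _inet=$1 _lan=$2 _range=$3 _bcast=$4
    _rc=0
    if ! ip_in_cidr "$_lan" "$_range"; then
        echo "LAN_IP $_lan is not inside LAN_IP_RANGE $_range" >&2
        _rc=1
    fi
    _expected=$(cidr_broadcast "$_range")
    if [ "$_expected" != "$_bcast" ]; then
        echo "LAN_BCAST_ADRESS $_bcast is not the broadcast of $_range (expected $_expected)" >&2
        _rc=1
    fi
    # If the public address fell inside LAN_IP_RANGE, the INPUT rule
    # "-i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT" would also accept packets
    # arriving on the LAN side that claim the firewall's own Internet address.
    if ip_in_cidr "$_inet" "$_range"; then
        echo "INET_IP $_inet overlaps LAN_IP_RANGE $_range" >&2
        _rc=1
    fi
    return $_rc
}

# The values from the configuration section of the rc.firewall script.
check_firewall_config 194.236.50.155 192.168.0.2 192.168.0.0/16 192.168.255.255 \
    && echo "rc.firewall address configuration is consistent"
```

With the script's own values the check passes. Changing LAN_IP_RANGE to 192.168.0.0/24 while leaving LAN_BCAST_ADRESS at 192.168.255.255 makes it fail, which is exactly the mismatch a reader who trusts the "/24" comment in the script's configuration section would otherwise introduce.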
#!/bin/sh
#
# rc.firewall - Initial SIMPLE IP Firewall script for Linux 2.4.x and iptables
#
# Copyright (C) 2001  Oskar Andreasson <bluefluxATkoffeinDOTnet>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA  02111-1307   USA
#

###########################################################################
#
# 1. Configuration options.
#

#
# 1.1 Internet Configuration.
#

INET_IP="194.236.50.155"
INET_IFACE="eth0"

#
# 1.1.1 DHCP
#

#
# 1.1.2 PPPoE
#

#
# 1.2 Local Area Network configuration.
#
# Your LAN's IP range and the firewall's own LAN address. The range below
# is /16, i.e. only the first 16 bits of the 32-bit IP address are the
# network part, the same as netmask 255.255.0.0, and LAN_BCAST_ADRESS must
# be the broadcast address of that range. If your LAN is a single /24
# (netmask 255.255.255.0), narrow the range and set the broadcast address
# accordingly: everything arriving on $LAN_IFACE from this range is
# accepted by the INPUT chain, so keep it no wider than the real LAN.
#

LAN_IP="192.168.0.2"
LAN_IP_RANGE="192.168.0.0/16"
LAN_BCAST_ADRESS="192.168.255.255"
LAN_IFACE="eth1"

#
# 1.3 DMZ Configuration.
#

#
# 1.4 Localhost Configuration.
#

LO_IFACE="lo"
LO_IP="127.0.0.1"

#
# 1.5 IPTables Configuration.
#

IPTABLES="/usr/sbin/iptables"

#
# 1.6 Other Configuration.
#

###########################################################################
#
# 2. Module loading.
#

#
# Needed to initially load modules
#

/sbin/depmod -a

#
# 2.1 Required modules
#

/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state

#
# 2.2 Non-Required modules
#

#/sbin/modprobe ipt_owner
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc

###########################################################################
#
# 3. /proc set up.
#

#
# 3.1 Required proc configuration
#

echo "1" > /proc/sys/net/ipv4/ip_forward

#
# 3.2 Non-Required proc configuration
#

#echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
#echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr

###########################################################################
#
# 4. rules set up.
#

######
# 4.1 Filter table
#

#
# 4.1.1 Set policies
#

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

#
# 4.1.2 Create userspecified chains
#

#
# Create chain for bad tcp packets
#

$IPTABLES -N bad_tcp_packets

#
# Create separate chains for ICMP, TCP and UDP to traverse
#

$IPTABLES -N allowed
$IPTABLES -N icmp_packets
$IPTABLES -N tcp_packets
$IPTABLES -N udpincoming_packets

#
# 4.1.3 Create content in userspecified chains
#

#
# bad_tcp_packets chain
#

$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

#
# allowed chain
#

$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

#
# TCP rules
#

$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed

#
# UDP ports
#

#$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --destination-port 53 -j ACCEPT
#$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --destination-port 123 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --destination-port 2074 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --destination-port 4000 -j ACCEPT

#
# ICMP rules
#

$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

#
# 4.1.4 INPUT chain
#

#
# Bad TCP packets we don't want.
#

$IPTABLES -A INPUT -p tcp -j bad_tcp_packets

#
# Rules for special networks not part of the Internet
#

$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT

#
# Rules for incoming packets from the internet.
#

$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED \
-j ACCEPT
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udpincoming_packets
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets

#
# Log weird packets that don't match the above.
#

$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT INPUT packet died: "

#
# 4.1.5 FORWARD chain
#

#
# Bad TCP packets we don't want
#

$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets

#
# Accept the packets we actually want to forward
#

$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT FORWARD packet died: "

#
# 4.1.6 OUTPUT chain
#

#
# Bad TCP packets we don't want.
#

$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets

#
# Special OUTPUT rules to decide which IP's to allow.
#

$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

######
# 4.2 nat table
#

#
# 4.2.1 Set policies
#

#
# 4.2.2 Create user specified chains
#

#
# 4.2.3 Create content in user specified chains
#

#
# 4.2.4 PREROUTING chain
#

#
# 4.2.5 POSTROUTING chain
#

#
# Enable simple IP Forwarding and Network Address Translation
#

$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP

#
# 4.2.6 OUTPUT chain
#

######
# 4.3 mangle table
#

#
# 4.3.1 Set policies
#

#
# 4.3.2 Create user specified chains
#

#
# 4.3.3 Create content in user specified chains
#

#
# 4.3.4 PREROUTING chain
#

#
# 4.3.5 INPUT chain
#

#
# 4.3.6 FORWARD chain
#

#
# 4.3.7 OUTPUT chain
#

#
# 4.3.8 POSTROUTING chain
#
    


Example rc.DMZ.firewall script

#!/bin/sh
#
# rc.DMZ.firewall - DMZ IP Firewall script for Linux 2.4.x and iptables
#
# Copyright (C) 2001  Oskar Andreasson <bluefluxATkoffeinDOTnet>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA  02111-1307   USA
#

###########################################################################
#
# 1. Configuration options.
#

#
# 1.1 Internet Configuration.
#

INET_IP="194.236.50.152"
HTTP_IP="194.236.50.153"
DNS_IP="194.236.50.154"
INET_IFACE="eth0"

#
# 1.1.1 DHCP
#

#
# 1.1.2 PPPoE
#

#
# 1.2 Local Area Network configuration.
#
# your LAN's IP range and localhost IP. The /16 suffix means to only use the
# first 16 bits of the 32 bit IP address as the network part, the same as
# netmask 255.255.0.0 (a /24 would be netmask 255.255.255.0).
#

LAN_IP="192.168.0.2"
LAN_IP_RANGE="192.168.0.0/16"
LAN_BCAST_ADRESS="192.168.255.255"
LAN_IFACE="eth1"

#
# 1.3 DMZ Configuration.
#

DMZ_HTTP_IP="192.168.1.2"
DMZ_DNS_IP="192.168.1.3"
DMZ_IP="192.168.1.1"
DMZ_IFACE="eth2"

#
# 1.4 Localhost Configuration.
#

LO_IFACE="lo"
LO_IP="127.0.0.1"

#
# 1.5 IPTables Configuration.
#

IPTABLES="/usr/sbin/iptables"

#
# 1.6 Other Configuration.
#

###########################################################################
#
# 2. Module loading.
#

#
# Needed to initially load modules
#
/sbin/depmod -a



#
# 2.1 Required modules
#

/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state

#
# 2.2 Non-Required modules
#

#/sbin/modprobe ipt_owner
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc

###########################################################################
#
# 3. /proc set up.
#

#
# 3.1 Required proc configuration
#

echo "1" > /proc/sys/net/ipv4/ip_forward

#
# 3.2 Non-Required proc configuration
#

#echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
#echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr

###########################################################################
#
# 4. rules set up.
#

######
# 4.1 Filter table
#

#
# 4.1.1 Set policies
#

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

#
# 4.1.2 Create userspecified chains
#

#
# Create chain for bad tcp packets
#

$IPTABLES -N bad_tcp_packets

#
# Create separate chains for ICMP, TCP and UDP to traverse
#

$IPTABLES -N allowed
$IPTABLES -N icmp_packets
$IPTABLES -N tcp_packets
$IPTABLES -N udpincoming_packets

#
# 4.1.3 Create content in userspecified chains
#

#
# bad_tcp_packets chain
#

$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

#
# allowed chain
#

$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

#
# ICMP rules
#

# Changed rules totally
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

#
# 4.1.4 INPUT chain
#

#
# Bad TCP packets we don't want
#

$IPTABLES -A INPUT -p tcp -j bad_tcp_packets

#
# Packets from the Internet to this box
#

$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets

#
# Packets from LAN, DMZ or LOCALHOST
#

#
# From DMZ Interface to DMZ firewall IP
#

$IPTABLES -A INPUT -p ALL -i $DMZ_IFACE -d $DMZ_IP -j ACCEPT

#
# From LAN Interface to LAN firewall IP
#

$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT

#
# From Localhost interface to Localhost IP's
#

$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT

#
# All established and related packets incoming from the internet to the
# firewall
#

$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED \
-j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT INPUT packet died: "

#
# 4.1.5 FORWARD chain
#

#
# Bad TCP packets we don't want
#

$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets


#
# DMZ section
#
# General rules
#

$IPTABLES -A FORWARD -i $DMZ_IFACE -o $INET_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $INET_IFACE -o $DMZ_IFACE -m state \
--state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $LAN_IFACE -o $DMZ_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $DMZ_IFACE -o $LAN_IFACE -j ACCEPT

#
# HTTP server
#

$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP \
--dport 80 -j allowed
$IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP \
-j icmp_packets

#
# DNS server
#

$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP \
--dport 53 -j allowed
$IPTABLES -A FORWARD -p UDP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP \
--dport 53 -j ACCEPT
$IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP \
-j icmp_packets

#
# LAN section
#

$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT FORWARD packet died: "

#
# 4.1.6 OUTPUT chain
#

#
# Bad TCP packets we don't want.
#

$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets

#
# Special OUTPUT rules to decide which IP's to allow.
#

$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

######
# 4.2 nat table
#

#
# 4.2.1 Set policies
#

#
# 4.2.2 Create user specified chains
#

#
# 4.2.3 Create content in user specified chains
#

#
# 4.2.4 PREROUTING chain
#

$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $HTTP_IP --dport 80 \
-j DNAT --to-destination $DMZ_HTTP_IP
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $DNS_IP --dport 53 \
-j DNAT --to-destination $DMZ_DNS_IP
$IPTABLES -t nat -A PREROUTING -p UDP -i $INET_IFACE -d $DNS_IP --dport 53 \
-j DNAT --to-destination $DMZ_DNS_IP

#
# 4.2.5 POSTROUTING chain
#

#
# Enable simple IP Forwarding and Network Address Translation
#

$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP

#
# 4.2.6 OUTPUT chain
#

######
# 4.3 mangle table
#

#
# 4.3.1 Set policies
#

#
# 4.3.2 Create user specified chains
#

#
# 4.3.3 Create content in user specified chains
#

#
# 4.3.4 PREROUTING chain
#

#
# 4.3.5 INPUT chain
#

#
# 4.3.6 FORWARD chain
#

#
# 4.3.7 OUTPUT chain
#

#
# 4.3.8 POSTROUTING chain
#
    


Example rc.UTIN.firewall script

#!/bin/sh
#
# rc.firewall - UTIN Firewall script for Linux 2.4.x and iptables
#
# Copyright (C) 2001  Oskar Andreasson <bluefluxATkoffeinDOTnet>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA  02111-1307   USA
#

###########################################################################
#
# 1. Configuration options.
#

#
# 1.1 Internet Configuration.
#

INET_IP="194.236.50.155"
INET_IFACE="eth0"

#
# 1.1.1 DHCP
#

#
# 1.1.2 PPPoE
#

#
# 1.2 Local Area Network configuration.
#
# your LAN's IP range and localhost IP. The /16 suffix means to only use the
# first 16 bits of the 32 bit IP address as the network part, the same as
# netmask 255.255.0.0 (a /24 would be netmask 255.255.255.0).
#

LAN_IP="192.168.0.2"
LAN_IP_RANGE="192.168.0.0/16"
LAN_BCAST_ADRESS="192.168.255.255"
LAN_IFACE="eth1"

#
# 1.3 DMZ Configuration.
#

#
# 1.4 Localhost Configuration.
#

LO_IFACE="lo"
LO_IP="127.0.0.1"

#
# 1.5 IPTables Configuration.
#

IPTABLES="/usr/sbin/iptables"

#
# 1.6 Other Configuration.
#

###########################################################################
#
# 2. Module loading.
#

#
# Needed to initially load modules
#

/sbin/depmod -a

#
# 2.1 Required modules
#

/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state

#
# 2.2 Non-Required modules
#

#/sbin/modprobe ipt_owner
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc

###########################################################################
#
# 3. /proc set up.
#

#
# 3.1 Required proc configuration
#

echo "1" > /proc/sys/net/ipv4/ip_forward

#
# 3.2 Non-Required proc configuration
#

#echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
#echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr

###########################################################################
#
# 4. rules set up.
#

######
# 4.1 Filter table
#

#
# 4.1.1 Set policies
#

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

#
# 4.1.2 Create userspecified chains
#

#
# Create chain for bad tcp packets
#

$IPTABLES -N bad_tcp_packets

#
# Create separate chains for ICMP, TCP and UDP to traverse
#

$IPTABLES -N allowed
$IPTABLES -N icmp_packets
$IPTABLES -N tcp_packets
$IPTABLES -N udpincoming_packets

#
# 4.1.3 Create content in userspecified chains
#

#
# bad_tcp_packets chain
#

$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

#
# allowed chain
#

$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

#
# TCP rules
#

$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed

#
# UDP ports
#

#$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
#$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT

#
# ICMP rules
#

$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

#
# 4.1.4 INPUT chain
#

#
# Bad TCP packets we don't want.
#

$IPTABLES -A INPUT -p tcp -j bad_tcp_packets

#
# Rules for special networks not part of the Internet
#

$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT

#
# Rules for incoming packets from anywhere.
#

$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED \
-j ACCEPT
$IPTABLES -A INPUT -p TCP -j tcp_packets
$IPTABLES -A INPUT -p UDP -j udpincoming_packets
$IPTABLES -A INPUT -p ICMP -j icmp_packets

#
# Log weird packets that don't match the above.
#

$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT INPUT packet died: "

#
# 4.1.5 FORWARD chain
#

#
# Bad TCP packets we don't want
#

$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets

#
# Accept the packets we actually want to forward
#

$IPTABLES -A FORWARD -p tcp --dport 21 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 80 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 110 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT FORWARD packet died: "

#
# 4.1.6 OUTPUT chain
#

#
# Bad TCP packets we don't want.
#

$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets

#
# Special OUTPUT rules to decide which IP's to allow.
#

$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

######
# 4.2 nat table
#

#
# 4.2.1 Set policies
#

#
# 4.2.2 Create user specified chains
#

#
# 4.2.3 Create content in user specified chains
#

#
# 4.2.4 PREROUTING chain
#

#
# 4.2.5 POSTROUTING chain
#

#
# Enable simple IP Forwarding and Network Address Translation
#

$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP

#
# 4.2.6 OUTPUT chain
#

######
# 4.3 mangle table
#

#
# 4.3.1 Set policies
#

#
# 4.3.2 Create user specified chains
#

#
# 4.3.3 Create content in user specified chains
#

#
# 4.3.4 PREROUTING chain
#

#
# 4.3.5 INPUT chain
#

#
# 4.3.6 FORWARD chain
#

#
# 4.3.7 OUTPUT chain
#

#
# 4.3.8 POSTROUTING chain
#
    


Example rc.DHCP.firewall script

#!/bin/sh
#
# rc.firewall - DHCP IP Firewall script for Linux 2.4.x and iptables
#
# Copyright (C) 2001  Oskar Andreasson <bluefluxATkoffeinDOTnet>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA  02111-1307   USA
#

###########################################################################
#
# 1. Configuration options.
#

#
# 1.1 Internet Configuration.
#

INET_IFACE="eth0"

#
# 1.1.1 DHCP
#

#
# Information pertaining to DHCP over the Internet, if needed.
#
# Set the DHCP variable to no if you don't get your IP from DHCP. If you get
# DHCP over the Internet, set this variable to yes and put the IP address of
# the DHCP server in the DHCP_SERVER variable.
#

DHCP="no"
DHCP_SERVER="195.22.90.65"

#
# 1.1.2 PPPoE
#

# Configuration options pertaining to PPPoE.
#
# If you have problems with your PPPoE connection, such as large mails not
# getting through while small mails get through properly etc, you may set
# this option to "yes", which may fix the problem. This option adds a rule
# to the POSTROUTING chain of the nat table (section 4.2.5 below) which
# clamps the TCP MSS of routed connections to the PMTU (Path Maximum
# Transmission Unit).
#
# Note that it is better to set this up in the PPPoE package itself, since
# the PPPoE configuration option will give less overhead.
#

PPPOE_PMTU="no"

#
# 1.2 Local Area Network configuration.
#
# your LAN's IP range and localhost IP. The /16 suffix means to only use the
# first 16 bits of the 32 bit IP address as the network part, the same as
# netmask 255.255.0.0 (a /24 would be netmask 255.255.255.0).
#

LAN_IP="192.168.0.2"
LAN_IP_RANGE="192.168.0.0/16"
LAN_BCAST_ADRESS="192.168.255.255"
LAN_IFACE="eth1"

#
# 1.3 DMZ Configuration.
#

#
# 1.4 Localhost Configuration.
#

LO_IFACE="lo"
LO_IP="127.0.0.1"

#
# 1.5 IPTables Configuration.
#

IPTABLES="/usr/sbin/iptables"

#
# 1.6 Other Configuration.
#

###########################################################################
#
# 2. Module loading.
#

#
# Needed to initially load modules
#

/sbin/depmod -a

#
# 2.1 Required modules
#

/sbin/modprobe ip_conntrack
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
# ipt_state is required for the "-m state" matches used in section 4 below
/sbin/modprobe ipt_state
/sbin/modprobe ipt_MASQUERADE

#
# 2.2 Non-Required modules
#

#/sbin/modprobe ipt_owner
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
# ipt_TCPMSS is needed if PPPOE_PMTU is set to "yes" above
#/sbin/modprobe ipt_TCPMSS

###########################################################################
#
# 3. /proc set up.
#

#
# 3.1 Required proc configuration
#

echo "1" > /proc/sys/net/ipv4/ip_forward

#
# 3.2 Non-Required proc configuration
#

#echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
#echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr

###########################################################################
#
# 4. rules set up.
#

######
# 4.1 Filter table
#

#
# 4.1.1 Set policies
#

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

#
# 4.1.2 Create userspecified chains
#

#
# Create chain for bad tcp packets
#

$IPTABLES -N bad_tcp_packets

#
# Create separate chains for ICMP, TCP and UDP to traverse
#

$IPTABLES -N allowed
$IPTABLES -N icmp_packets
$IPTABLES -N tcp_packets
$IPTABLES -N udpincoming_packets

#
# 4.1.3 Create content in userspecified chains
#

#
# bad_tcp_packets chain
#

$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

#
# allowed chain
#

$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

#
# TCP rules
#

$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed

#
# UDP ports
#

$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
# use "=" rather than "==": this script runs under /bin/sh, which need not
# accept the bash-only form
if [ "$DHCP" = "yes" ] ; then
 $IPTABLES -A udpincoming_packets -p UDP -s $DHCP_SERVER --sport 67 \
 --dport 68 -j ACCEPT
fi

#$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
#$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT

#
# ICMP rules
#

$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

#
# 4.1.4 INPUT chain
#

#
# Bad TCP packets we don't want.
#

$IPTABLES -A INPUT -p tcp -j bad_tcp_packets

#
# Rules for special networks not part of the Internet
#

$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT

#
# Rules for incoming packets from the internet.
#

$IPTABLES -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
-j ACCEPT
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udpincoming_packets
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets

#
# Log weird packets that don't match the above.
#

$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT INPUT packet died: "

#
# 4.1.5 FORWARD chain
#

#
# Bad TCP packets we don't want
#

$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets

#
# Accept the packets we actually want to forward
#

$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT FORWARD packet died: "

#
# 4.1.6 OUTPUT chain
#

#
# Bad TCP packets we don't want.
#

$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets

#
# Special OUTPUT rules to decide which IP's to allow.
#

$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

######
# 4.2 nat table
#

#
# 4.2.1 Set policies
#

#
# 4.2.2 Create user specified chains
#

#
# 4.2.3 Create content in user specified chains
#

#
# 4.2.4 PREROUTING chain
#

#
# 4.2.5 POSTROUTING chain
#

# use "=" rather than "==": this script runs under /bin/sh, which need not
# accept the bash-only form
if [ "$PPPOE_PMTU" = "yes" ] ; then
 $IPTABLES -t nat -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN \
 -j TCPMSS --clamp-mss-to-pmtu
fi
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE

#
# 4.2.6 OUTPUT chain
#

######
# 4.3 mangle table
#

#
# 4.3.1 Set policies
#

#
# 4.3.2 Create user specified chains
#

#
# 4.3.3 Create content in user specified chains
#

#
# 4.3.4 PREROUTING chain
#

#
# 4.3.5 INPUT chain
#

#
# 4.3.6 FORWARD chain
#

#
# 4.3.7 OUTPUT chain
#

#
# 4.3.8 POSTROUTING chain
#
    


Example rc.flush-iptables script

#!/bin/sh

# rc.flush-iptables - Resets iptables to default values. 

# Copyright (C) 2001  Oskar Andreasson <bluefluxATkoffeinDOTnet>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA  02111-1307   USA

#
# Configurations
#
IPTABLES="/usr/sbin/iptables"

#
# reset the default policies in the filter table.
#
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT

#
# reset the default policies in the nat table.
#
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT

#
# reset the default policies in the mangle table.
#
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT

#
# flush all the rules in the filter, nat and mangle tables.
#
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
#
# erase all user-defined chains in the filter, nat and mangle tables.
#
$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X



    


Example rc.test-iptables script

#!/bin/bash
#
# rc.test-iptables - test script for iptables chains and tables.
#
# Copyright (C) 2001  Oskar Andreasson <bluefluxATkoffeinDOTnet>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA  02111-1307   USA
#

#
# Filter table, all chains
#
iptables -t filter -A INPUT -p icmp --icmp-type echo-request \
-j LOG --log-prefix="filter INPUT:"
iptables -t filter -A INPUT -p icmp --icmp-type echo-reply \
-j LOG --log-prefix="filter INPUT:"
iptables -t filter -A OUTPUT -p icmp --icmp-type echo-request \
-j LOG --log-prefix="filter OUTPUT:"
iptables -t filter -A OUTPUT -p icmp --icmp-type echo-reply \
-j LOG --log-prefix="filter OUTPUT:"
iptables -t filter -A FORWARD -p icmp --icmp-type echo-request \
-j LOG --log-prefix="filter FORWARD:"
iptables -t filter -A FORWARD -p icmp --icmp-type echo-reply \
-j LOG --log-prefix="filter FORWARD:"

#
# NAT table, all chains except OUTPUT, which doesn't work.
#
iptables -t nat -A PREROUTING -p icmp --icmp-type echo-request \
-j LOG --log-prefix="nat PREROUTING:"
iptables -t nat -A PREROUTING -p icmp --icmp-type echo-reply \
-j LOG --log-prefix="nat PREROUTING:"
iptables -t nat -A POSTROUTING -p icmp --icmp-type echo-request \
-j LOG --log-prefix="nat POSTROUTING:"
iptables -t nat -A POSTROUTING -p icmp --icmp-type echo-reply \
-j LOG --log-prefix="nat POSTROUTING:"
iptables -t nat -A OUTPUT -p icmp --icmp-type echo-request \
-j LOG --log-prefix="nat OUTPUT:"
iptables -t nat -A OUTPUT -p icmp --icmp-type echo-reply \
-j LOG --log-prefix="nat OUTPUT:"

#
# Mangle table, all chains
#
iptables -t mangle -A PREROUTING -p icmp --icmp-type echo-request \
-j LOG --log-prefix="mangle PREROUTING:"
iptables -t mangle -A PREROUTING -p icmp --icmp-type echo-reply \
-j LOG --log-prefix="mangle PREROUTING:"
iptables -t mangle -A OUTPUT -p icmp --icmp-type echo-request \
-j LOG --log-prefix="mangle OUTPUT:"
iptables -t mangle -A OUTPUT -p icmp --icmp-type echo-reply \
-j LOG --log-prefix="mangle OUTPUT:"
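The firewall scripts above log whatever falls off INPUT, FORWARD and OUTPUT with the prefixes "IPT ... packet died: " and "New not syn:", and rc.test-iptables logs with prefixes such as "filter INPUT:". The following is an added example, not part of the tutorial, that summarises such kernel LOG lines from syslog by prefix, protocol and destination port (ICMP type for ICMP); the log lines it carries are constructed samples in the format the LOG target writes, using documentation addresses and the INET_IP of rc.firewall as destination.

```shell
#!/bin/sh
# Added example (not from the tutorial): summarise kernel LOG lines written by
# the scripts' "-j LOG --log-prefix ..." rules, as they appear in syslog.
# Usage: summarize_drops < /var/log/messages
summarize_drops() {
  awk '
    /kernel: / {
      line = $0
      sub(/^.*kernel: /, "", line)          # strip the syslog timestamp and host
      i = index(line, "IN=")                # every LOG target line starts with IN=
      if (i == 0) next                      # some other kernel message
      prefix = substr(line, 1, i - 1)
      sub(/[ \t]+$/, "", prefix)            # "New not syn:" has no trailing blank,
                                            # so the prefix runs straight into IN=
      split("", kv)                         # clear the KEY=VALUE map
      n = split(substr(line, i), f, " ")
      for (j = 1; j <= n; j++) {
        e = index(f[j], "=")
        if (e > 0) kv[substr(f[j], 1, e - 1)] = substr(f[j], e + 1)
      }
      # ICMP has no ports: report the ICMP type instead of DPT
      port = (kv["PROTO"] == "ICMP") ? "type" kv["TYPE"] : kv["DPT"]
      count[prefix "\t" kv["PROTO"] "\t" port]++
    }
    END { for (k in count) printf "%d\t%s\n", count[k], k }
  ' | sort -t "$(printf '\t')" -k1,1nr -k2,2 -k3,3
}

# Constructed sample in the format the 2.4 LOG target writes. DST is the
# INET_IP of the rc.firewall script, sources are documentation addresses;
# the sshd line shows that non-LOG messages are ignored.
SAMPLE_LOG='Jan  5 10:00:01 fw kernel: IPT INPUT packet died: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:11:22:33:08:00 SRC=203.0.113.7 DST=194.236.50.155 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=4321 DF PROTO=TCP SPT=51515 DPT=23 WINDOW=16384 RES=0x00 SYN URGP=0
Jan  5 10:00:02 fw kernel: IPT INPUT packet died: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:11:22:33:08:00 SRC=203.0.113.7 DST=194.236.50.155 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=4322 DF PROTO=TCP SPT=51516 DPT=23 WINDOW=16384 RES=0x00 SYN URGP=0
Jan  5 10:00:03 fw kernel: IPT INPUT packet died: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:11:22:33:08:00 SRC=198.51.100.9 DST=194.236.50.155 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=UDP SPT=1024 DPT=137 LEN=58
Jan  5 10:00:04 fw kernel: IPT FORWARD packet died: IN=eth1 OUT=eth0 SRC=192.168.0.10 DST=203.0.113.50 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=777 DF PROTO=TCP SPT=1025 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Jan  5 10:00:05 fw sshd[4242]: Accepted publickey for admin from 192.168.0.10 port 40112 ssh2
Jan  5 10:00:06 fw kernel: IPT INPUT packet died: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:11:22:33:08:00 SRC=203.0.113.7 DST=194.236.50.155 LEN=56 TOS=0x00 PREC=0x00 TTL=112 ID=4400 PROTO=ICMP TYPE=3 CODE=3
Jan  5 10:00:07 fw kernel: New not syn:IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:11:22:33:08:00 SRC=203.0.113.7 DST=194.236.50.155 LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=4401 DF PROTO=TCP SPT=444 DPT=22 WINDOW=512 RES=0x00 ACK URGP=0'

# Most frequent (prefix, protocol, port) first; e.g. two SYNs to tcp/23.
printf '%s\n' "$SAMPLE_LOG" | summarize_drops
```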




    

End.

IPTABLES

Section:  (8)
Updated: Aug 11, 2000
 

NAME

iptables - IP packet filter administration  

SYNOPSIS

iptables -[ADC] chain rule-specification [options]
iptables -[RI] chain rulenum rule-specification [options]
iptables -D chain rulenum [options]
iptables -[LFZ] [chain] [options]
iptables -[NX] chain
iptables -P chain target [options]
iptables -E old-chain-name new-chain-name  

DESCRIPTION

Iptables is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains.

Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches. This is called a `target', which may be a jump to a user-defined chain in the same table.

 

TARGETS

A firewall rule specifies criteria for a packet, and a target. If the packet does not match, the next rule in the chain is examined; if it does match, then the next rule is specified by the value of the target, which can be the name of a user-defined chain or one of the special values ACCEPT, DROP, QUEUE, or RETURN.

ACCEPT means to let the packet through. DROP means to drop the packet on the floor. QUEUE means to pass the packet to userspace (if supported by the kernel). RETURN means stop traversing this chain and resume at the next rule in the previous (calling) chain. If the end of a built-in chain is reached or a rule in a built-in chain with target RETURN is matched, the target specified by the chain policy determines the fate of the packet.  

TABLES

There are currently three independent tables (which tables are present at any time depends on the kernel configuration options and which modules are present).
-t, --table
This option specifies the packet matching table which the command should operate on. If the kernel is configured with automatic module loading, an attempt will be made to load the appropriate module for that table if it is not already there.

The tables are as follows:

filter
This is the default table. It contains the built-in chains INPUT (for packets coming into the box itself), FORWARD (for packets being routed through the box), and OUTPUT (for locally-generated packets).
nat
This table is consulted when a packet that creates a new connection is encountered. It consists of three built-ins: PREROUTING (for altering packets as soon as they come in), OUTPUT (for altering locally-generated packets before routing), and POSTROUTING (for altering packets as they are about to go out).
mangle
This table is used for specialized packet alteration. It has two built-in chains: PREROUTING (for altering incoming packets before routing) and OUTPUT (for altering locally-generated packets before routing).
 

OPTIONS

The options that are recognized by iptables can be divided into several different groups.  

COMMANDS

These options specify the specific action to perform. Only one of them can be specified on the command line unless otherwise specified below. For all the long versions of the command and option names, you need to use only enough letters to ensure that iptables can differentiate it from all other options.
-A, --append
Append one or more rules to the end of the selected chain. When the source and/or destination names resolve to more than one address, a rule will be added for each possible address combination.
-D, --delete
Delete one or more rules from the selected chain. There are two versions of this command: the rule can be specified as a number in the chain (starting at 1 for the first rule) or a rule to match.
-R, --replace
Replace a rule in the selected chain. If the source and/or destination names resolve to multiple addresses, the command will fail. Rules are numbered starting at 1.
-I, --insert
Insert one or more rules in the selected chain as the given rule number. So, if the rule number is 1, the rule or rules are inserted at the head of the chain. This is also the default if no rule number is specified.
-L, --list
List all rules in the selected chain. If no chain is selected, all chains are listed. It is legal to specify the -Z (zero) option as well, in which case the chain(s) will be atomically listed and zeroed. The exact output is affected by the other arguments given.
-F, --flush
Flush the selected chain. This is equivalent to deleting all the rules one by one.
-Z, --zero
Zero the packet and byte counters in all chains. It is legal to specify the -L, --list (list) option as well, to see the counters immediately before they are cleared. (See above.)
-N, --new-chain
Create a new user-defined chain by the given name. There must be no target of that name already.
-X, --delete-chain
Delete the specified user-defined chain. There must be no references to the chain. If there are, you must delete or replace the referring rules before the chain can be deleted. If no argument is given, it will attempt to delete every non-builtin chain in the table.
-P, --policy
Set the policy for the chain to the given target. See the section TARGETS for the legal targets. Only non-user-defined chains can have policies, and neither built-in nor user-defined chains can be policy targets.
-E, --rename-chain
Rename the user specified chain to the user supplied name. This is cosmetic, and has no effect on the structure of the table.
-h
Help. Give a (currently very brief) description of the command syntax.
 

PARAMETERS

The following parameters make up a rule specification (as used in the add, delete, insert, replace and append commands).
-p, --protocol [!] protocol
The protocol of the rule or of the packet to check. The specified protocol can be one of tcp, udp, icmp, or all, or it can be a numeric value, representing one of these protocols or a different one. A protocol name from /etc/protocols is also allowed. A "!" argument before the protocol inverts the test. The number zero is equivalent to all. Protocol all will match with all protocols and is taken as default when this option is omitted.
-s, --source [!] address[/mask]
Source specification. Address can be either a hostname, a network name, or a plain IP address. The mask can be either a network mask or a plain number, specifying the number of 1's at the left side of the network mask. Thus, a mask of 24 is equivalent to 255.255.255.0. A "!" argument before the address specification inverts the sense of the address. The flag --src is a convenient alias for this option.
-d, --destination [!] address[/mask]
Destination specification. See the description of the -s (source) flag for a detailed description of the syntax. The flag --dst is an alias for this option.
-j, --jump target
This specifies the target of the rule; i.e., what to do if the packet matches it. The target can be a user-defined chain (other than the one this rule is in), one of the special builtin targets which decide the fate of the packet immediately, or an extension (see EXTENSIONS below). If this option is omitted in a rule, then matching the rule will have no effect on the packet's fate, but the counters on the rule will be incremented.
-i, --in-interface [!] [name]
Optional name of an interface via which a packet is received (for packets entering the INPUT, FORWARD and PREROUTING chains). When the "!" argument is used before the interface name, the sense is inverted. If the interface name ends in a "+", then any interface which begins with this name will match. If this option is omitted, the string "+" is assumed, which will match with any interface name.
-o, --out-interface [!] [name]
Optional name of an interface via which a packet is going to be sent (for packets entering the FORWARD, OUTPUT and POSTROUTING chains). When the "!" argument is used before the interface name, the sense is inverted. If the interface name ends in a "+", then any interface which begins with this name will match. If this option is omitted, the string "+" is assumed, which will match with any interface name.
[!] -f, --fragment
This means that the rule only refers to second and further fragments of fragmented packets. Since there is no way to tell the source or destination ports of such a packet (or ICMP type), such a packet will not match any rules which specify them. When the "!" argument precedes the "-f" flag, the rule will only match head fragments, or unfragmented packets.
-c, --set-counters PKTS BYTES
This enables the administrator to initialize the packet and byte counters of a rule (during INSERT, APPEND, REPLACE operations).
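The traversal rules described under TARGETS (a user-defined chain that falls off its end or hits RETURN resumes in the calling chain; a built-in chain that does the same falls through to its policy) and the counting-only behaviour of a rule that omits -j are easy to get wrong when reading a long rule-set. The following model is an added illustration, not netfilter or iptables code; the chains, rules and packets in it are constructed for the example.

```python
"""Minimal model of netfilter chain traversal: a built-in chain with a
policy, a user-defined chain, ACCEPT/DROP/RETURN and a rule with no -j.
Added illustration, not netfilter code; rules and packets are constructed."""

ACCEPT, DROP, RETURN = "ACCEPT", "DROP", "RETURN"
TERMINAL = {ACCEPT, DROP}


class Rule:
    def __init__(self, match, target=None):
        self.match = match      # callable(packet) -> bool
        self.target = target    # ACCEPT/DROP/RETURN, a chain name, or None (no -j)
        self.packets = 0        # packet counter, bumped on every match


class Table:
    def __init__(self):
        self.chains = {}        # chain name -> list of Rule
        self.policies = {}      # only built-in chains carry a policy

    def new_chain(self, name, policy=None):
        self.chains[name] = []
        if policy is not None:
            self.policies[name] = policy

    def append(self, chain, rule):
        self.chains[chain].append(rule)

    def traverse(self, chain, packet):
        """ACCEPT/DROP for a built-in chain; RETURN when a user-defined chain
        reaches its end or a RETURN rule."""
        for rule in self.chains[chain]:
            if not rule.match(packet):
                continue
            rule.packets += 1
            if rule.target is None:
                continue                    # no -j: counters only, keep going
            if rule.target in TERMINAL:
                return rule.target
            if rule.target == RETURN:
                break
            verdict = self.traverse(rule.target, packet)   # jump to user chain
            if verdict in TERMINAL:
                return verdict
            # the user chain returned: resume with the next rule here
        if chain in self.policies:
            return self.policies[chain]     # end of / RETURN in built-in chain
        return RETURN


def build_example_table():
    t = Table()
    t.new_chain("INPUT", policy=DROP)
    t.new_chain("tcp_packets")
    # INPUT: count everything, hand TCP to the user chain, accept ICMP
    t.append("INPUT", Rule(lambda p: True))                          # no -j
    t.append("INPUT", Rule(lambda p: p["proto"] == "tcp", "tcp_packets"))
    t.append("INPUT", Rule(lambda p: p["proto"] == "icmp", ACCEPT))
    # tcp_packets: accept 22 and 80, send 113 back to INPUT, drop the rest
    t.append("tcp_packets", Rule(lambda p: p["dport"] in (22, 80), ACCEPT))
    t.append("tcp_packets", Rule(lambda p: p["dport"] == 113, RETURN))
    t.append("tcp_packets", Rule(lambda p: True, DROP))
    return t


def verdicts():
    """Verdict per constructed packet, plus the count on the -j-less rule."""
    t = build_example_table()
    packets = [
        {"proto": "tcp", "dport": 22},    # ACCEPT inside tcp_packets
        {"proto": "tcp", "dport": 113},   # RETURN -> INPUT policy -> DROP
        {"proto": "tcp", "dport": 25},    # explicit DROP inside tcp_packets
        {"proto": "icmp", "dport": None}, # ACCEPT in INPUT
        {"proto": "udp", "dport": 53},    # nothing matches -> policy DROP
    ]
    out = [t.traverse("INPUT", p) for p in packets]
    return out, t.chains["INPUT"][0].packets


if __name__ == "__main__":
    print(verdicts())
```

The port 113 packet shows the point that matters in practice: a RETURN from a user-defined chain does not mean "accept", the packet simply continues in INPUT and, with no further match, meets the DROP policy.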
 

OTHER OPTIONS

The following additional options can be specified:
-v, --verbose
Verbose output. This option makes the list command show the interface address, the rule options (if any), and the TOS masks. The packet and byte counters are also listed, with the suffix 'K', 'M' or 'G' for 1000, 1,000,000 and 1,000,000,000 multipliers respectively (but see the -x flag to change this). For appending, insertion, deletion and replacement, this causes detailed information on the rule or rules to be printed.
-n, --numeric
Numeric output. IP addresses and port numbers will be printed in numeric format. By default, the program will try to display them as host names, network names, or services (whenever applicable).
-x, --exact
Expand numbers. Display the exact value of the packet and byte counters, instead of only the rounded number in K's (multiples of 1000) M's (multiples of 1000K) or G's (multiples of 1000M). This option is only relevant for the -L command.
--line-numbers
When listing rules, add line numbers to the beginning of each rule, corresponding to that rule's position in the chain.
--modprobe=<command>
When adding or inserting rules into a chain, use command to load any necessary modules (targets, match extensions, etc).
 

MATCH EXTENSIONS

iptables can use extended packet matching modules. These are loaded in two ways: implicitly, when -p or --protocol is specified, or with the -m or --match options, followed by the matching module name; after these, various extra command line options become available, depending on the specific module. You can specify multiple extended match modules in one line, and you can use the -h or --help options after the module has been specified to receive help specific to that module.

The following are included in the base package, and most of these can be preceded by a ! to invert the sense of the match.  

tcp

These extensions are loaded if `--protocol tcp' is specified. It provides the following options:
--source-port [!] [port[:port]]
Source port or port range specification. This can either be a service name or a port number. An inclusive range can also be specified, using the format port:port. If the first port is omitted, "0" is assumed; if the last is omitted, "65535" is assumed. If the second port is greater than the first they will be swapped. The flag --sport is an alias for this option.
--destination-port [!] [port[:port]]
Destination port or port range specification. The flag --dport is an alias for this option.
--tcp-flags [!] mask comp
Match when the TCP flags are as specified. The first argument is the flags which we should examine, written as a comma-separated list, and the second argument is a comma-separated list of flags which must be set. Flags are: SYN ACK FIN RST URG PSH ALL NONE. Hence the command

 iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN
will only match packets with the SYN flag set, and the ACK, FIN and RST flags unset.
[!] --syn
Only match TCP packets with the SYN bit set and the ACK and RST bits cleared. Such packets are used to request TCP connection initiation; for example, blocking such packets coming in an interface will prevent incoming TCP connections, but outgoing TCP connections will be unaffected. It is equivalent to --tcp-flags SYN,RST,ACK SYN. If the "!" flag precedes the "--syn", the sense of the option is inverted.
--tcp-option [!] number
Match if TCP option set.
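The two-argument form of --tcp-flags is compact but its semantics (only the flags named in the mask are examined, and of those exactly the ones in the second list must be set) are worth seeing on real flag bytes. The following evaluator is an added illustration, not iptables code; the packets are constructed, and it uses the --syn definition given in this man page (mask SYN,RST,ACK; later iptables versions add FIN to that mask).

```python
"""Evaluate --tcp-flags mask comp and the --syn shorthand on a TCP flag byte.
Added illustration, not iptables code; packets below are constructed."""

TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL = 0x3F   # the "ALL" keyword: FIN|SYN|RST|PSH|ACK|URG


def flag_set(spec):
    """Turn 'SYN,ACK,FIN,RST', 'ALL' or 'NONE' into a bitmask."""
    spec = spec.upper()
    if spec == "ALL":
        return ALL
    if spec == "NONE":
        return 0
    return sum(TCP_FLAGS[name] for name in spec.split(","))


def tcp_flags_match(packet_flags, mask, comp, invert=False):
    """--tcp-flags mask comp: of the flags in `mask`, exactly those in `comp`
    must be set; flags outside `mask` are ignored. `invert` models '!'."""
    m, c = flag_set(mask), flag_set(comp)
    if c & ~m:
        raise ValueError("comp flags must be a subset of mask")
    hit = (packet_flags & m) == c
    return hit != invert


def syn_match(packet_flags, invert=False):
    """--syn as defined in this man page: --tcp-flags SYN,RST,ACK SYN."""
    return tcp_flags_match(packet_flags, "SYN,RST,ACK", "SYN", invert)


def flags_of(*names):
    return flag_set(",".join(names)) if names else 0


def demo():
    syn = flags_of("SYN")
    syn_ack = flags_of("SYN", "ACK")
    syn_psh = flags_of("SYN", "PSH")   # extra flag outside both masks
    syn_fin = flags_of("SYN", "FIN")   # never legitimate on the wire
    return {
        # the man page's example: SYN set, ACK/FIN/RST clear
        "example_syn": tcp_flags_match(syn, "SYN,ACK,FIN,RST", "SYN"),
        "example_syn_ack": tcp_flags_match(syn_ack, "SYN,ACK,FIN,RST", "SYN"),
        # PSH is outside the --syn mask, so SYN+PSH is still a connect request
        "syn_psh": syn_match(syn_psh),
        # FIN is outside the --syn mask too: SYN+FIN passes --syn ...
        "syn_fin_syn": syn_match(syn_fin),
        # ... but not the four-flag mask used in the man page's example
        "syn_fin_example": tcp_flags_match(syn_fin, "SYN,ACK,FIN,RST", "SYN"),
        # a packet with no flags at all, and one with every flag set
        "no_flags": tcp_flags_match(flags_of(), "ALL", "NONE"),
        "all_flags": tcp_flags_match(ALL, "ALL", "ALL"),
        # ! --syn on a SYN/ACK
        "not_syn": syn_match(syn_ack, invert=True),
    }


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name:18s} {hit}")
```

The SYN+FIN case is why rule-sets that want to catch malformed connection requests spell out the mask (for example ALL with a comp list) instead of relying on --syn alone.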
 

udp

These extensions are loaded if `--protocol udp' is specified. It provides the following options:
--source-port [!] [port[:port]]
Source port or port range specification. See the description of the --source-port option of the TCP extension for details.
--destination-port [!] [port[:port]]
Destination port or port range specification. See the description of the --destination-port option of the TCP extension for details.
 

icmp

This extension is loaded if `--protocol icmp' is specified. It provides the following option:
--icmp-type [!] typename
This allows specification of the ICMP type, which can be a numeric ICMP type, or one of the ICMP type names shown by the command

 iptables -p icmp -h
 

mac

--mac-source [!] address
Match source MAC address. It must be of the form XX:XX:XX:XX:XX:XX. Note that this only makes sense for packets entering the PREROUTING, FORWARD or INPUT chains for packets coming from an ethernet device.
 

limit

This module matches at a limited rate using a token bucket filter: it can be used in combination with the LOG target to give limited logging. A rule using this extension will match until this limit is reached (unless the `!' flag is used).
--limit rate
Maximum average matching rate: specified as a number, with an optional `/second', `/minute', `/hour', or `/day' suffix; the default is 3/hour.
--limit-burst number
The maximum initial number of packets to match: this number gets recharged by one every time the limit specified above is not reached, up to this number; the default is 5.
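The interaction of --limit and --limit-burst is easiest to see by feeding a burst of packets through a token bucket. The following model is an added illustration of the description above, not the kernel's limit match implementation (which keeps its credits in coarser time units); the packet timestamps are constructed.

```python
"""Token-bucket model of the limit match (--limit rate --limit-burst n).
Added illustration, not kernel code; packet times below are constructed."""

UNITS = {"second": 1.0, "minute": 60.0, "hour": 3600.0, "day": 86400.0}


def parse_rate(rate):
    """'3/hour' -> tokens per second; a bare number means per second."""
    num, _, unit = rate.partition("/")
    return float(num) / UNITS[unit or "second"]


class Limit:
    def __init__(self, rate="3/hour", burst=5):      # man page defaults
        self.rate = parse_rate(rate)   # refill, tokens per second
        self.burst = float(burst)      # bucket capacity
        self.tokens = self.burst       # bucket starts full
        self.last = None

    def match(self, now):
        """True if the rule matches for a packet seen at time `now` (s)."""
        if self.last is not None:
            self.tokens = min(self.burst,
                              self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate(rate, burst, times):
    """Match result for each packet arriving at the given times."""
    lim = Limit(rate, burst)
    return [lim.match(t) for t in times]


def demo():
    # 1/second, burst 5: ten packets at once, then one per second
    r1 = simulate("1/second", 5, [0.0] * 10 + [1.0, 2.0, 3.0])
    # default 3/hour, burst 5: after the burst a new token takes 20 minutes,
    # so a packet at 10 minutes is still unmatched, one at 21 minutes matches
    r2 = simulate("3/hour", 5, [0.0] * 6 + [600.0, 1260.0])
    return r1, r2


if __name__ == "__main__":
    print(demo())
```

Two practical consequences follow from the model: a LOG rule guarded by -m limit matches (and therefore logs) only the first `burst` packets of a flood, and the bucket is per rule, not per source address, so one noisy host can exhaust the log budget for everyone; with `!` the rule matches exactly the packets the bucket refuses, which is how a rule-set drops traffic above a rate.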
 

multiport

This module matches a set of source or destination ports. Up to 15 ports can be specified. It can only be used in conjunction with -p tcp or -p udp.
--source-port [port[,port]]
Match if the source port is one of the given ports.
--destination-port [port[,port]]
Match if the destination port is one of the given ports.
--port [port[,port]]
Match if both the source and destination ports are equal to each other and to one of the given ports.
 

mark

This module matches the netfilter mark field associated with a packet (which can be set using the MARK target below).
--mark value[/mask]
Matches packets with the given unsigned mark value (if a mask is specified, this is logically ANDed with the mask before the comparison).
 

owner

This module attempts to match various characteristics of the packet creator, for locally-generated packets. It is only valid in the OUTPUT chain, and even then some packets (such as ICMP ping responses) may have no owner, and hence never match.
--uid-owner userid
Matches if the packet was created by a process with the given effective user id.
--gid-owner groupid
Matches if the packet was created by a process with the given effective group id.
--pid-owner processid
Matches if the packet was created by a process with the given process id.
--sid-owner sessionid
Matches if the packet was created by a process in the given session group.
 

state

This module, when combined with connection tracking, allows access to the connection tracking state for this packet.
--state state
Where state is a comma separated list of the connection states to match. Possible states are INVALID, meaning that the packet is associated with no known connection; ESTABLISHED, meaning that the packet is associated with a connection which has seen packets in both directions; NEW, meaning that the packet has started a new connection, or is otherwise associated with a connection which has not seen packets in both directions; and RELATED, meaning that the packet is starting a new connection but is associated with an existing connection, such as an FTP data transfer or an ICMP error.
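The definitions above hide one point that bites in practice: NEW is "a packet that starts a connection", not "a TCP SYN", so a bare ACK with no tracked connection is NEW and a rule like `-m state --state NEW -j ACCEPT` accepts it. The following model labels a constructed packet sequence the way the state match does; it is an added illustration, not netfilter's connection tracking, and the addresses, ports and ICMP error representation are assumptions made for the example.

```python
"""Tiny connection-tracking model that labels packets NEW / ESTABLISHED /
RELATED / INVALID as the state match would. Added illustration, not
netfilter code; all packets are constructed."""

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


class Conntrack:
    def __init__(self):
        self.table = {}   # direction-independent 5-tuple -> entry

    @staticmethod
    def key(pkt):
        """Same key for both directions of one flow."""
        a = (pkt["src"], pkt["sport"])
        b = (pkt["dst"], pkt["dport"])
        return (pkt["proto"],) + (a + b if a <= b else b + a)

    def state(self, pkt):
        if pkt["proto"] == "tcp" and pkt["flags"] & (SYN | FIN) == (SYN | FIN):
            return "INVALID"              # impossible flag combination
        if pkt["proto"] == "icmp-error":
            # an error about another connection: RELATED if that connection
            # is tracked, INVALID if nobody knows it
            return "RELATED" if self.key(pkt["inner"]) in self.table else "INVALID"
        k = self.key(pkt)
        entry = self.table.get(k)
        if entry is None:
            # first packet of a flow is NEW even without SYN, hence the usual
            # companion rule: -p tcp ! --syn -m state --state NEW -j DROP
            self.table[k] = {"origin": (pkt["src"], pkt["sport"]), "both": False}
            return "NEW"
        if entry["both"]:
            return "ESTABLISHED"
        if (pkt["src"], pkt["sport"]) != entry["origin"]:
            entry["both"] = True          # first reply: both directions seen
            return "ESTABLISHED"
        return "NEW"                      # retransmission from the originator


def tcp(src, sport, dst, dport, flags):
    return {"proto": "tcp", "src": src, "sport": sport,
            "dst": dst, "dport": dport, "flags": flags}


def icmp_error(src, dst, inner):
    """ICMP error from `src` quoting the packet `inner` (constructed shape)."""
    return {"proto": "icmp-error", "src": src, "sport": 0,
            "dst": dst, "dport": 0, "inner": inner}


def demo():
    ct = Conntrack()
    client, server, router = "10.0.0.5", "192.0.2.10", "198.51.100.1"
    sequence = [
        tcp(client, 40000, server, 22, SYN),            # NEW
        tcp(server, 22, client, 40000, SYN | ACK),      # ESTABLISHED (reply)
        tcp(client, 40000, server, 22, ACK),            # ESTABLISHED
        tcp(client, 40001, server, 80, ACK),            # bare ACK, untracked: NEW
        tcp(client, 40002, server, 80, SYN | FIN),      # INVALID
        icmp_error(router, client,
                   tcp(client, 40000, server, 22, ACK)),   # RELATED
        icmp_error(router, client,
                   tcp(client, 50000, server, 443, ACK)),  # INVALID
    ]
    return [ct.state(p) for p in sequence]


if __name__ == "__main__":
    print(demo())
```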
 

unclean

This module takes no options, but attempts to match packets which seem malformed or unusual. This is regarded as experimental.  

tos

This module matches the 8 bits of Type of Service field in the IP header (ie. including the precedence bits).
--tos tos
The argument is either a standard name, (use

 iptables -m tos -h
to see the list), or a numeric value to match.
 

TARGET EXTENSIONS

iptables can use extended target modules: the following are included in the standard distribution.  

LOG

Turn on kernel logging of matching packets. When this option is set for a rule, the Linux kernel will print some information on all matching packets (like most IP header fields) via the kernel log (where it can be read with dmesg or syslogd(8)).
--log-level level
Level of logging (numeric or see syslog.conf(5)).
--log-prefix prefix
Prefix log messages with the specified prefix; up to 29 letters long, and useful for distinguishing messages in the logs.
--log-tcp-sequence
Log TCP sequence numbers. This is a security risk if the log is readable by users.
--log-tcp-options
Log options from the TCP packet header.
--log-ip-options
Log options from the IP packet header.
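The rc.test-iptables script earlier in this section tags every chain's LOG rule with a prefix such as "nat POSTROUTING:", and reading those lines back is how you confirm the traversal order. The parser below is an added example, not part of the tutorial or of iptables: the three kernel log lines are constructed in the LOG target's output format (prefix, then KEY=VALUE fields and bare flag words), with addresses from documentation ranges, and the 29-character prefix check encodes the limit stated above.

```python
"""Parse kernel log lines written by the LOG target and summarise them.
Added illustration, not tutorial or iptables code; the log lines are
constructed samples in the LOG target's format."""

import re

# Constructed sample: three chains, the same ping and one SSH SYN.
SAMPLE_LOG = """\
Mar  3 10:15:01 fw kernel: mangle PREROUTING:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=1234 DF PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=1
Mar  3 10:15:01 fw kernel: filter INPUT:IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5678 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:15:02 fw kernel: nat POSTROUTING:IN= OUT=eth1 SRC=10.0.0.5 DST=198.51.100.5 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=1234 DF PROTO=ICMP TYPE=0 CODE=0 ID=4242 SEQ=1
Mar  3 10:15:02 fw sshd[812]: Accepted publickey for ops from 192.0.2.10
"""

FLAG_WORDS = {"DF", "MF", "CE", "SYN", "ACK", "FIN", "RST", "PSH", "URG"}
LINE_RE = re.compile(r"kernel: (?P<prefix>.*?)IN=(?P<rest>.*)$")
MAX_PREFIX = 29   # --log-prefix length limit given in this man page


def parse_log_line(line):
    """Dict of the LOG fields and flag words, or None for other log lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"prefix": m.group("prefix").strip(), "flags": set()}
    for tok in ("IN=" + m.group("rest")).split():
        if tok in FLAG_WORDS:
            rec["flags"].add(tok)
        elif "=" in tok:
            k, v = tok.split("=", 1)
            rec.setdefault(k, v)   # ICMP echo prints ID= twice; keep the IP one
    return rec


def check_prefix(prefix):
    """True if `prefix` fits the --log-prefix limit (longer ones are cut)."""
    return len(prefix) <= MAX_PREFIX


def summarize(text):
    """Count lines per prefix and list inbound TCP connection attempts
    (SYN without ACK), the event a detection rule would key on."""
    by_prefix, syns = {}, []
    for line in text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        by_prefix[rec["prefix"]] = by_prefix.get(rec["prefix"], 0) + 1
        if rec.get("PROTO") == "TCP" and "SYN" in rec["flags"] \
                and "ACK" not in rec["flags"]:
            syns.append((rec["SRC"], rec["DST"], int(rec["DPT"])))
    return by_prefix, syns


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Note that the prefix is printed immediately before IN= with no separator, which is why the regex splits on the first IN= after "kernel:"; a trailing space in --log-prefix makes the lines easier to read.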
 

MARK

This is used to set the netfilter mark value associated with the packet. It is only valid in the mangle table.
--set-mark mark
 

REJECT

This is used to send back an error packet in response to the matched packet: otherwise it is equivalent to DROP. This target is only valid in the INPUT, FORWARD and OUTPUT chains, and user-defined chains which are only called from those chains. Several options control the nature of the error packet returned:
--reject-with type
The type given can be icmp-net-unreachable, icmp-host-unreachable, icmp-port-unreachable, icmp-proto-unreachable, icmp-net-prohibited or icmp-host-prohibited, which return the appropriate ICMP error message (port-unreachable is the default). The option echo-reply is also allowed; it can only be used for rules which specify an ICMP ping packet, and generates a ping reply. Finally, the option tcp-reset can be used on rules which only match the TCP protocol: this causes a TCP RST packet to be sent back. This is mainly useful for blocking ident probes which frequently occur when sending mail to broken mail hosts (which won't accept your mail otherwise).
 

TOS

This is used to set the 8-bit Type of Service field in the IP header. It is only valid in the mangle table.
--set-tos tos
You can use a numeric TOS values, or use

 iptables -j TOS -h
to see the list of valid TOS names.
 

MIRROR

This is an experimental demonstration target which inverts the source and destination fields in the IP header and retransmits the packet. It is only valid in the INPUT, FORWARD and PREROUTING chains, and user-defined chains which are only called from those chains. Note that the outgoing packets are NOT seen by any packet filtering chains, connection tracking or NAT, to avoid loops and other problems.  

SNAT

This target is only valid in the nat table, in the POSTROUTING chain. It specifies that the source address of the packet should be modified (and all future packets in this connection will also be mangled), and rules should cease being examined. It takes one option:
--to-source <ipaddr>[-<ipaddr>][:port-port]
which can specify a single new source IP address, an inclusive range of IP addresses, and optionally, a port range (which is only valid if the rule also specifies -p tcp or -p udp). If no port range is specified, then source ports below 512 will be mapped to other ports below 512: those between 512 and 1023 inclusive will be mapped to ports below 1024, and other ports will be mapped to 1024 or above. Where possible, no port alteration will occur.
 

DNAT

This target is only valid in the nat table, in the PREROUTING and OUTPUT chains, and user-defined chains which are only called from those chains. It specifies that the destination address of the packet should be modified (and all future packets in this connection will also be mangled), and rules should cease being examined. It takes one option:
--to-destination <ipaddr>[-<ipaddr>][:port-port]
which can specify a single new destination IP address, an inclusive range of IP addresses, and optionally, a port range (which is only valid if the rule also specifies -p tcp or -p udp). If no port range is specified, then the destination port will never be modified.
 

MASQUERADE

This target is only valid in the nat table, in the POSTROUTING chain. It should only be used with dynamically assigned IP (dialup) connections: if you have a static IP address, you should use the SNAT target. Masquerading is equivalent to specifying a mapping to the IP address of the interface the packet is going out, but also has the effect that connections are forgotten when the interface goes down. This is the correct behavior when the next dialup is unlikely to have the same interface address (and hence any established connections are lost anyway). It takes one option:
--to-ports <port>[-<port>]
This specifies a range of source ports to use, overriding the default SNAT source port-selection heuristics (see above). This is only valid if the rule also specifies -p tcp or -p udp.
 

REDIRECT

This target is only valid in the nat table, in the PREROUTING and OUTPUT chains, and user-defined chains which are only called from those chains. It alters the destination IP address to send the packet to the machine itself (locally-generated packets are mapped to the 127.0.0.1 address). It takes one option:
--to-ports <port>[-<port>]
This specifies a destination port or range of ports to use: without this, the destination port is never altered. This is only valid if the rule also specifies -p tcp or -p udp.
 

EXTRA EXTENSIONS

The following extensions are not included by default in the standard distribution.  

ttl

This module matches the time to live field in the IP header.
--ttl ttl
Matches the given TTL value.
 

TTL

This target is used to modify the time to live field in the IP header. It is only valid in the mangle table.
--ttl-set ttl
Set the TTL to the given value.
--ttl-dec ttl
Decrement the TTL by the given value.
--ttl-inc ttl
Increment the TTL by the given value.
 

ULOG

This target provides userspace logging of matching packets. When this target is set for a rule, the Linux kernel will multicast this packet through a netlink socket. One or more userspace processes may then subscribe to various multicast groups and receive the packets.
--ulog-nlgroup <nlgroup>
This specifies the netlink group (1-32) to which the packet is sent. Default value is 1.
--ulog-prefix <prefix>
Prefix log messages with the specified prefix; up to 32 characters long, and useful for distinguishing messages in the logs.
--ulog-cprange <size>
Number of bytes to be copied to userspace. A value of 0 always copies the entire packet, regardless of its size. Default is 0.
--ulog-qthreshold <size>
Number of packets to queue inside the kernel. Setting this value to, e.g., 10 accumulates ten packets inside the kernel and transmits them as one netlink multipart message to userspace. Default is 1 (for backwards compatibility).
 

DIAGNOSTICS

Various error messages are printed to standard error. The exit code is 0 for correct functioning. Errors which appear to be caused by invalid or abused command line parameters cause an exit code of 2, and other errors cause an exit code of 1.  

BUGS

Check is not implemented (yet).  

COMPATIBILITY WITH IPCHAINS

This iptables is very similar to ipchains by Rusty Russell. The main difference is that the chains INPUT and OUTPUT are only traversed for packets coming into the local host and originating from the local host respectively. Hence every packet only passes through one of the three chains; previously a forwarded packet would pass through all three.

The other main difference is that -i refers to the input interface; -o refers to the output interface, and both are available for packets entering the FORWARD chain.

iptables is a pure packet filter when using the default `filter' table, with optional extension modules. This should simplify much of the previous confusion over the combination of IP masquerading and packet filtering seen previously. So the following options are handled differently:

 -j MASQ

 -M -S

 -M -L
There are several other changes in iptables.  

SEE ALSO

The packet-filtering-HOWTO, which details more iptables usage for packet filtering, the NAT-HOWTO, which details NAT, and the netfilter-hacking-HOWTO which details the internals.  

AUTHORS

Rusty Russell wrote iptables, in early consultation with Michael Neuling.

Marc Boucher made Rusty abandon ipnatctl by lobbying for a generic packet selection framework in iptables, then wrote the mangle table, the owner match, the mark stuff, and ran around doing cool stuff everywhere.

James Morris wrote the TOS target, and tos match.

Jozsef Kadlecsik wrote the REJECT target.

Harald Welte wrote the ULOG target, TTL match+target and libipulog.

The Netfilter Core Team is: Marc Boucher, James Morris, Harald Welte and Rusty Russell.


 


Iptables Tutorial

Iptables Tutorial 1.1.11

Oskar Andreasson (blueflux@koffein.net)

Copyright (C) 2001 by Oskar Andreasson

Translation: Andrey Kiselev kis_an@mail.ru
The original can be found at: http://www.linuxsecurity.com/resource_files/firewalls/IPTables-Tutorial/iptables-tutorial.html

Permission is granted to copy and/or modify this document, or parts of it, under the terms of the GNU Free Documentation License, version 1.1. The invariant sections are the "Introduction" section and all of its subsections, as well as the sections beginning with the words "Original Author: Oskar Andreasson".
A copy of the GNU Free Documentation License is included in this document, in the section "GNU Free Documentation License".

All scripts in this tutorial are covered by the GNU General Public License. All of them are free software and may be copied and/or modified under the terms of the GNU General Public License, version 2.

All scripts are distributed in the hope that they will be useful to you, but WITHOUT ANY WARRANTY. See the text of the GNU General Public License for more details.

A copy of the GNU General Public License should accompany this document, in the section "GNU General Public License"; if it is missing, you can write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA


Contents

Introduction
About the author
Dedications
Why this document was written
How the document was written
How to read this document
Terms used in this document
Preparations
Where to get iptables
Kernel setup
Package installation
Compiling the package
Installation on Red Hat 7.1
Traversing of tables and chains
General
The Mangle table
The Nat table
The Filter table
The state machine
Introduction
The tracking table
States
TCP connections
UDP connections
ICMP connections
Default behaviour
Tracking of complex protocols
How to build rules
Basics
Tables
Commands
Matches
Generic matches
Implicit matches
Explicit matches
Targets and jumps
The ACCEPT target
The DROP target
The QUEUE target
The RETURN target
The LOG target
The MARK target
The REJECT target
The TOS target
The MIRROR target
The SNAT target
The DNAT target
The MASQUERADE target
The REDIRECT target
The TTL target
The ULOG target
The rc.firewall file
Example rc.firewall
Explanation of the rc.firewall script
Configuration
Loading extra modules
/proc setup
Placing rules in other chains
Setting default policies
Creating user-defined chains
The bad_tcp_packets chain
The allowed chain
The TCP chain
The UDP chain
The ICMP chain
The INPUT chain
The OUTPUT chain
The FORWARD chain
The PREROUTING chain of the nat table
Starting Network Address Translation
Example scripts
Structure of the rc.firewall.txt file
Structure
rc.firewall.txt
rc.DMZ.firewall.txt
rc.DHCP.firewall.txt
rc.UTIN.firewall.txt
rc.test-iptables.txt
rc.flush-iptables.txt
Detailed explanations of special commands
Listing your rule-set
Updating and flushing your tables
Common problems and questions
Problems loading modules
Passive FTP but no DCC
Packets in state NEW with the SYN bit cleared
Internet Service Providers (ISPs) that use reserved IP addresses
How to let DHCP requests through iptables
mIRC DCC problems
ICMP types
Links to other resources
Acknowledgements
History
GNU Free Documentation License
0. PREAMBLE
1. APPLICABILITY AND DEFINITIONS
2. VERBATIM COPYING
3. COPYING IN QUANTITY
4. MODIFICATIONS
5. COMBINING DOCUMENTS
6. COLLECTIONS OF DOCUMENTS
7. AGGREGATION WITH INDEPENDENT WORKS
8. TRANSLATION
9. TERMINATION
10. FUTURE REVISIONS OF THIS LICENSE
How to use this License for your documents
GNU General Public License
0. Preamble
1. TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
2. How to Apply These Terms to Your New Programs
Example scripts
Example script rc.firewall
Example script rc.DMZ.firewall
Example script rc.UTIN.firewall
Example script rc.DHCP.firewall
Example script rc.flush-iptables
rc.test-iptables

Introduction

About the author

I am someone who has quite a few old computers in his care, which I have joined into a local network with Internet access and whose security I look after. In that respect the move from ipchains to iptables is justified. Previously, to make your network more secure, you could drop all packets by closing particular ports, but this caused problems with passive FTP or outgoing DCC in IRC, where the server assigns ports dynamically and then tells the client which port to connect to. Early on I ran into a few 'ailments' carried over from ipchains and considered the iptables code not quite ready for a final release. Today I would recommend that everyone who still uses ipchains or ipfwadm 'move over' to iptables!


Dedications

First of all I would like to dedicate this document to my wonderful girlfriend Ninel. She supports me more than I will ever be able to support her.

Secondly, to all the Linux developers who made this wonderful operating system, for their incredibly hard work.


Why this document was written

Let's say I felt there was an annoying gap in the HOWTOs when it comes to information about iptables and the netfilter functions implemented in the new 2.4.x series of Linux kernels. Among other things, I tried to answer some questions about the new features, for example state matching (translator's note: I could not find a better Russian term), which makes passive FTP to your server possible while not letting outgoing DCC traffic from IRC through. All the examples will be taken from the rc.firewall.txt file, which you can put into /etc/rc.d/. For those who are interested, I can say that this file was originally based on the masquerading HOWTO.

There you will also find a small script, rc.flush-iptables.txt, written by me. You can use it as well, extending it to fit your configuration where necessary.


How it was written

I asked questions of Marc Boucher and other members of the netfilter development team. I take this opportunity to express my great gratitude for their help in creating this tutorial, which was written for boingworld.com. It walks you through the setup step by step, and I hope that by the end of the document you will know considerably more about the iptables package. Most of the material is based on the rc.firewall.txt file, since I believe that working through an example is the best way to learn iptables. I will go through the main rule chains in the order in which they are traversed. This makes it slightly harder to follow, but the presentation becomes more logical. And whenever you run into difficulties, you can refer back to this tutorial.


How to read this document

This document was written to make it easier for readers to understand the wonderful world of iptables. You will not find information about bugs in iptables or netfilter here. If you run into one, you can contact the development team, who can tell you whether such a bug really exists. Today iptables and netfilter contain almost no bugs, although one or two occasionally "slip through". Information about such bugs always appears on the netfilter main page.

The above also means that the rule-sets accompanying this tutorial were written without taking into account any possible bugs inside netfilter. The main purpose of the examples is to show how a rule-set is written and the problems you may run into. For example, this document does not explain how to close the Apache 1.2.12 vulnerability on the HTTP port (in fact, the examples do show how to close that port, but for a different reason).

This document was written to give beginners a good and simple, yet reasonably complete, tutorial on iptables. It contains no information about the targets and matches from patch-o-matic, for the simple reason that it would take too much effort to keep track of the whole list of changes. If you need information about the patch-o-matic modifications, you should refer to the documentation that accompanies the particular patch-o-matic; it is available on the netfilter main page.


Terms used in this document

This document contains several terms that should be explained before you encounter them.

Stream - this term means a connection over which packets are sent and received. I have used the term for connections over which at least 2 packets are sent, in both directions. In the case of TCP this may mean a connection over which a SYN packet is sent and then a SYN/ACK packet is received. But it may equally mean the sending of a SYN packet and the reception of an ICMP Host unreachable message. In other words, I use the term in a fairly broad range of applications.

State - this term means the state a packet is in, according to RFC 793 - Transmission Control Protocol, and according to the interpretations used in netfilter/iptables.


Preparations

The purpose of this chapter is to help you understand the role that netfilter and iptables play in Linux today. It should also help you install and configure a firewall.


Where to get iptables

The iptables packages can be downloaded from the netfilter home page. To work with iptables, the kernel of your Linux system must be configured appropriately. Kernel setup is discussed below.


Kernel setup

To provide the basic iptables functionality, the following options must be enabled in the kernel with make config or a similar tool (make menuconfig or make xconfig, translator's note):

CONFIG_PACKET -- This option is needed by applications that work directly with network devices, for example tcpdump or snort.

CONFIG_NETFILTER -- This option is needed if you intend to use the computer as a firewall or as a gateway to the Internet. In other words, you will definitely need it; otherwise, why read this tutorial at all!

And of course you need to add the drivers for your devices, i.e. for the Ethernet card, PPP and SLIP. To use the advanced features of iptables you will have to enable some additional options in the kernel. Below is a list of the options for kernel 2.4.9 with a short description of each.

CONFIG_IP_NF_CONNTRACK -- Connection tracking. Connection tracking is used, among other things, for Network Address Translation and masquerading (NAT and Masquerading). If you intend to build a firewall for a local network, you will definitely need this option. For example, this module is required for rc.firewall.txt to work.

CONFIG_IP_NF_FTP -- Tracking of FTP connections. FTP exchanges are too involved for the ordinary tracking methods to handle. If you do not add this module, you will run into trouble passing the FTP protocol through the firewall.

CONFIG_IP_NF_IPTABLES -- This option is needed to perform filtering, Network Address Translation (NAT) and masquerading. Without it you cannot do anything at all with iptables.

CONFIG_IP_NF_MATCH_LIMIT -- This module is optional, but it is used in the rc.firewall.txt examples. It makes it possible to limit the number of matches for a given rule. For example, -m limit --limit 3/minute states that the given rule may match no more than 3 packets per minute. Thus this module can be used to protect against Denial of Service attacks.

CONFIG_IP_NF_MATCH_MAC -- This module lets you build rules based on MAC addresses. As is well known, every network card has its own unique Ethernet address, so it is possible to block packets coming from particular MAC addresses (i.e. from particular network cards). Note, however, that this module is not used in rc.firewall.txt or anywhere else in this tutorial.

CONFIG_IP_NF_MATCH_MARK -- The packet marking function (MARK). For example, with the MARK function we can mark the packets we need and then, in other tables, make a routing decision for the marked packet depending on the value of the mark. A more detailed description of the MARK function is given later in this document.

CONFIG_IP_NF_MATCH_MULTIPORT -- This module lets you build rules that check whether the packet belongs to a range of source/destination port numbers.

CONFIG_IP_NF_MATCH_TOS -- This module lets you build rules based on the state of the TOS field in the packet. TOS stands for Type Of Service. It also becomes possible to set and clear the bits of this field in your own rules in the mangle table, or with the ip/tc commands.

CONFIG_IP_NF_MATCH_TCPMSS -- This option adds the ability to check the MSS field of TCP packets.

CONFIG_IP_NF_MATCH_STATE -- This is one of the most significant improvements over ipchains. This module makes it possible to handle TCP packets based on their state. For example, suppose we have an established TCP connection with traffic in both directions; then a packet received over that connection is considered ESTABLISHED (an established connection -- editor's note). This feature is used extensively in the rc.firewall.txt example.

CONFIG_IP_NF_MATCH_UNCLEAN -- This module adds an extra check of IP, TCP, UDP and ICMP packets for inconsistencies, "oddities" and errors. Having installed it, we can, for example, drop packets of this kind. Note, however, that this module is still at an experimental stage and will not behave identically in all cases, so you can never be sure that you have not dropped perfectly valid packets.

CONFIG_IP_NF_MATCH_OWNER - Matching on the "owner" of the socket. For example, we could allow only the root user to access the Internet. This module was written as an example of working with iptables. Note that this module has experimental status and may not always do its job.

CONFIG_IP_NF_FILTER -- Implements the filter table, in which most filtering is done. This table holds the INPUT, FORWARD and OUTPUT chains. This module is mandatory if you plan to filter packets.

CONFIG_IP_NF_TARGET_REJECT -- Adds the REJECT target, which sends an ICMP error message in reply to an incoming packet that is rejected by the given rule. Remember that TCP connections, unlike UDP and ICMP, are always terminated or rejected with a TCP RST packet.

CONFIG_IP_NF_TARGET_MIRROR -- The ability to send a received packet back (reflection). For example, if the MIRROR target is applied to packets going to the HTTP port through our INPUT chain (i.e. to our web server, translator's note), the packet is sent back (mirrored) and, as a result, the sender sees its own home page. (There are a lot of "ifs" here: if the sender runs a web server, if it runs on the same port, if the sender has a home page, and so on. The point is that from the sender's perspective everything looks as if it had sent the packet to its own machine; put simply, the MIRROR target swaps the source and destination addresses and sends the modified packet back out to the network. Translator's note.)

CONFIG_IP_NF_NAT -- NAT. Network Address Translation in its various forms. With this option you can give Internet access to all the computers on your local network while having only one unique IP address. This option is required for the rc.firewall.txt example to work.

CONFIG_IP_NF_TARGET_MASQUERADE -- Masquerading. Unlike NAT, masquerading is used when our IP address on the Internet is not known in advance, i.e. in the case of DHCP, PPP, SLIP or any other way of connecting that involves obtaining an IP address dynamically. Masquerading places a somewhat higher load on the computer than NAT, but it works in situations where our external IP address cannot be specified in advance.

CONFIG_IP_NF_TARGET_REDIRECT -- Redirection. This target is usually used together with a proxy. Instead of simply passing the packet on, this target redirects the packet to another port on the firewall. In other words, this is how we get "transparent proxying".

CONFIG_IP_NF_TARGET_LOG -- Adds the LOG target to iptables. We can use this module to record individual packets in the system log (syslog). This feature can be very useful when debugging your scripts.

CONFIG_IP_NF_TARGET_TCPMSS -- This option can be used to get around restrictions imposed by some Internet Service Providers that block ICMP Fragmentation Needed packets. As a result of such restrictions, providers' servers may fail to deliver web pages, ssh may work while scp dies right after the connection is established, and so on. To get around restrictions of this kind we can use the TCPMSS target to clamp the MSS (Maximum Segment Size) value (normally the MSS is clamped to the MTU of the outgoing interface minus 40 bytes, translator's note). This lets us get around what the netfilter authors call "criminally braindead ISPs or servers" in the kernel configuration help.

CONFIG_IP_NF_COMPAT_IPCHAINS -- Adds compatibility with the older ipchains technology. It is quite possible that this kind of compatibility will be kept in the 2.6.x series kernels as well.

CONFIG_IP_NF_COMPAT_IPFWADM -- Adds compatibility with ipfwadm, even though it is a very old firewalling tool.

As you can see, I have given a short description of each module. These options are available in kernel version 2.4.9.

For the rc.firewall.txt script to work you will need to add the following options to the kernel or build them as loadable modules. For information on the options needed by the other scripts, see the appendix with the example scripts.

  • CONFIG_PACKET
  • CONFIG_NETFILTER
  • CONFIG_IP_NF_CONNTRACK
  • CONFIG_IP_NF_FTP
  • CONFIG_IP_NF_IRC
  • CONFIG_IP_NF_IPTABLES
  • CONFIG_IP_NF_FILTER
  • CONFIG_IP_NF_NAT
  • CONFIG_IP_NF_MATCH_STATE
  • CONFIG_IP_NF_TARGET_LOG
  • CONFIG_IP_NF_MATCH_LIMIT
  • CONFIG_IP_NF_TARGET_MASQUERADE

The above is the list of the minimum kernel options required for the rc.firewall.txt script. The options required for the other example scripts can be found in the corresponding sections below. For now we will concentrate on the main script and start studying it.
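As an added example (not part of the tutorial), a small POSIX shell script that checks a kernel .config for the minimal option set listed above: each option must be built in (=y) or built as a module (=m), and a "# OPTION is not set" line or a missing option is reported. The connection-tracking entry is written as CONFIG_IP_NF_CONNTRACK, the name the option descriptions above use; the script name and the default config path are assumptions.

```shell
#!/bin/sh
# Added example, not part of the tutorial: check a kernel .config against
# the minimal option set that rc.firewall.txt needs (listed above).
# Each option must be "=y" (built in) or "=m" (module); "# X is not set"
# or no line at all means the option is missing.

# The list from the text; the connection-tracking entry is written as
# CONFIG_IP_NF_CONNTRACK, the name the option descriptions above use.
RC_FIREWALL_OPTIONS="CONFIG_PACKET CONFIG_NETFILTER CONFIG_IP_NF_CONNTRACK
CONFIG_IP_NF_FTP CONFIG_IP_NF_IRC CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_FILTER
CONFIG_IP_NF_NAT CONFIG_IP_NF_MATCH_STATE CONFIG_IP_NF_TARGET_LOG
CONFIG_IP_NF_MATCH_LIMIT CONFIG_IP_NF_TARGET_MASQUERADE"

# option_state CONFIG_FILE OPTION -> prints y, m, n or missing.
# Whole-line matching, so CONFIG_IP_NF_NAT does not match the longer
# CONFIG_IP_NF_NAT_NEEDED; the first matching line wins.
option_state() {
    awk -v opt="$2" '
        $0 == (opt "=y")               { print "y"; found = 1; exit }
        $0 == (opt "=m")               { print "m"; found = 1; exit }
        $0 == ("# " opt " is not set") { print "n"; found = 1; exit }
        END { if (!found) print "missing" }
    ' "$1"
}

# check_kernel_config CONFIG_FILE -> prints "OPTION state" for every option
# that is neither y nor m; returns 0 if the config is complete, 1 otherwise.
check_kernel_config() {
    rc=0
    for opt in $RC_FIREWALL_OPTIONS; do
        state=$(option_state "$1" "$opt")
        case $state in
            y|m) ;;
            *)   printf '%s %s\n' "$opt" "$state"; rc=1 ;;
        esac
    done
    return $rc
}

# Usage (assumed script name): sh check_config.sh check [/usr/src/linux/.config]
if [ "${1:-}" = "check" ]; then
    if check_kernel_config "${2:-/usr/src/linux/.config}"; then
        echo "all options needed by rc.firewall.txt are enabled"
    fi
fi
```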


Installing the package

First let us look at how to build (compile) the iptables package. Building the package depends to a large extent on the kernel configuration, and you should be aware of this. Some distributions ship with the iptables package preinstalled; Red Hat 7.1 is one of them. In Red Hat 7.1, however, the package is disabled by default, so below we look at how to enable it in this and other distributions.

Building the package

First the iptables source package must be unpacked. We will be working with iptables 1.2.6a and kernel 2.4.9. Unpack it as usual, with the command bzip2 -cd iptables-1.2.6a.tar.bz2 | tar -xvf -. If unpacking went well, the package will be placed in the iptables-1.2.6a directory. For further information you can consult the file iptables-1.2.6a/INSTALL, which contains detailed information on building and installing the package.

Next you need to check that the additional modules and options are included in the kernel. The steps described here concern only applying patches to the kernel. In this step we install updates that are expected to be included in the kernel in the future.

Note

Some of these are still at an experimental stage, but among them there are extremely interesting matches and targets. Perform this step by running the command (as the root user, of course)

make pending-patches KERNEL_DIR=/usr/src/linux/

The KERNEL_DIR variable must contain the path to your kernel sources. Normally this is /usr/src/linux/. If your sources are located elsewhere, you must of course give your own path.

Note

Here we apply several updates and additions that will definitely become part of the kernel, but somewhat later; for now we take them from here by running the command

make most-of-pom KERNEL_DIR=/usr/src/linux/

While the above command runs, you will be asked to confirm the application of each part of what the netfilter world calls patch-o-matic. To install all the patches from patch-o-matic, run the following command:

make patch-o-matic KERNEL_DIR=/usr/src/linux/

Do not forget to read the help text for each patch carefully and to the end before you install anything, since some patches are incompatible with others and some, when applied together, may even break the kernel.

Note

You can skip patching the kernel altogether; in other words, there is no particular need for it. However, patch-o-matic contains really interesting updates, and you may well want to have a look at them. Nothing bad will happen if you run these commands just to see which updates are available.

After patching is complete, you will need to rebuild the kernel, adding the updates you have just installed. Do not forget to configure the kernel first, since the newly installed updates will most likely be turned off. In principle, you can postpone compiling the kernel until you have finished installing iptables.

Continuing the iptables build, run the command:

make KERNEL_DIR=/usr/src/linux/

If any problems arise during the build, you can try to resolve them yourself or turn to the netfilter mailing list, where you can get help. There you will find explanations of what you may have done wrong during installation, so do not panic right away. If that does not help, try to think it through logically; that may help. Or ask someone knowledgeable.

If everything went smoothly, you are ready to install the binaries, for which you run the following command:

make install KERNEL_DIR=/usr/src/linux/

I hope no problems arose here! Now, to use the iptables package, you will definitely need to rebuild and install the kernel, if you have not done so yet. Further information on installing the package can be found in the INSTALL file.


Installing on Red Hat 7.1

Red Hat 7.1 with a 2.4.x kernel installed already includes preinstalled netfilter and iptables. However, to keep backward compatibility with previous distributions, the ipchains package runs by default. We will now briefly go through how to remove ipchains and run iptables instead.

Note

The version of iptables in Red Hat 7.1 is quite old, and it is probably a good idea to install a newer version of iptables.

First you need to disable ipchains, to prevent the corresponding modules from being loaded in the future. To achieve this, we need to rename some files in the /etc/rc.d/ directory tree. The following command does what is required:

chkconfig --level 0123456 ipchains off

As a result of this command, the S character in some file names (which says that the script is run at system start-up) is replaced with the K character (from the word Kill, which indicates that the script is run when the system shuts down). Thus we get link names such as K92ipchains, thereby preventing this service from being started in the future.

However, ipchains is still running. Now we need to run the command that stops this service.

service ipchains stop

Finally, the iptables service must be started. For this we first need to decide on the runlevels of the operating system at which this service should be started. Normally these are levels 2, 3 and 5. About these levels we know:

  • 2. Multi-user mode without NFS support, or the same as 3 but without network support.
  • 3. Full multi-user mode.
  • 5. X11. This level is used to start X Windows automatically.

To start iptables at these levels, run the command:

chkconfig --level 235 iptables on

A word about the levels at which iptables does not need to be started: level 1 is single-user mode, normally used in emergencies when we are bringing up a "crashed" system; level 4 should not be used at all; runlevel 6 is the level at which the system is halted when the computer is shut down or rebooted.

To activate the iptables service, issue the command:

service iptables start

So we have started iptables, but we do not yet have a single rule. To add new rules in Red Hat 7.1 there are two ways to go: first, edit the file /etc/rc.d/init.d/iptables, but this method has the drawback that when iptables is updated from RPM packages all your rules will be lost; second, enter the rules and save them with the iptables-save command, after which the saved rules are restored automatically at system boot.

If you chose the first way of setting up iptables rules, you need to enter them in the start section of the /etc/rc.d/init.d/iptables script (to set up the rules at system boot) or in the start() function. For actions at system shutdown, make the corresponding changes in the stop section or in the stop() function. Do not forget the restart and condrestart sections either. Let me remind you once more that if iptables is updated from RPM packages or through automatic network updates, you may lose all the changes made to /etc/rc.d/init.d/iptables.

The second way of loading the rules is preferable. It consists of the following steps. First, write the rules into a file or enter them directly with the iptables command, whichever you prefer. Then run the iptables-save command; this command is equivalent to iptables-save > /etc/sysconfig/iptables. As a result, the whole rule set is saved in the file /etc/sysconfig/iptables, which is loaded automatically when the iptables service starts. Another way to save the rule set is to issue the command service iptables save, which is completely identical to the command above. Later, when the computer is rebooted, the iptables script from rc.d runs the iptables-restore command to load the rule set from /etc/sysconfig/iptables.

And finally, to complete the installation, it would be a good idea to remove the old ipchains version.

rpm -e ipchains

Traversing of tables and chains

In this chapter we look at the order in which the tables, and the chains within each table, are traversed. This information will be very important to you later, when you start building your own rule sets, especially when the rule sets include targets such as DNAT, SNAT and of course TOS.


General

When a packet arrives at our firewall, it first hits the network device, is picked up by the corresponding driver and is then handed over to the kernel. The packet then passes through a series of tables and is finally handed either to a local application or forwarded to another machine. The order in which the packet travels is given below.

Table 1. Traversal order for forwarded packets

Step  Table   Chain        Comment
1     -       -            Cable (i.e. the Internet)
2     -       -            Network interface (e.g. eth0)
3     mangle  PREROUTING   This chain is normally used for changing the packet header, for example to change the TOS bits, etc.
4     nat     PREROUTING   This chain is used for Destination Network Address Translation. Source Network Address Translation is done later, in another chain. Any kind of filtering in this chain should be done only in exceptional cases.
5     -       -            Routing decision, i.e. at this point it is decided where the packet goes: to a local application or to another host on the network.
6     filter  FORWARD      Only packets bound for another host enter the FORWARD chain. All filtering of forwarded traffic should be done here. Do not forget that traffic passes through this chain in both directions; be sure to take this into account when writing filtering rules.
7     nat     POSTROUTING  This chain is intended primarily for Source Network Address Translation. Do not use it for filtering unless there is a particular need to. Masquerading is also done here.
8     -       -            Outgoing network interface (e.g. eth1).
9     -       -            Cable (let us say the LAN).

As you can see, the packet goes through several stages before it is passed on. At each of them the packet can be stopped, be it by an iptables chain or by something else, but we are mainly interested in iptables. Note that there are no chains specific to particular interfaces or anything of the kind. ALL packets that travel through our firewall/router pass through the FORWARD chain. Below we look at the path of a packet destined for a local process/application.

Table 2. For a local application

Step  Table   Chain        Comment
1     -       -            Cable (i.e. the Internet)
2     -       -            Incoming network interface (e.g. eth0)
3     mangle  PREROUTING   Normally used for changing the packet header, for example to set the TOS bits, etc.
4     nat     PREROUTING   Destination Network Address Translation. Filtering packets here is permitted only in exceptional cases.
5     -       -            Routing decision.
6     filter  INPUT        Incoming traffic is filtered here. Remember that all incoming packets addressed to us pass through this chain, regardless of which interface they arrived on.
7     -       -            Local process/application

It is important to remember that this time the packets go through the INPUT chain, not through FORWARD. Finally, we look at the path of packets generated by local processes.

Table 3. From local processes

Step  Table   Chain        Comment
1     -       -            Local process
2     mangle  OUTPUT       This is where changes are made to the packet header. Filtering done in this chain may have negative consequences.
3     nat     OUTPUT       At present this chain does not work. Does anyone know when this bug will be fixed?
4     filter  OUTPUT       Outgoing traffic is filtered here.
5     -       -            Routing decision. Here it is decided where the packet goes next.
6     nat     POSTROUTING  Source Network Address Translation is done here. Packets should not be filtered in this chain, to avoid unwanted side effects. However, packets can be stopped here too, by applying a default policy of DROP.
7     -       -            Network interface (e.g. eth0)
8     -       -            Cable (i.e. the Internet)

We now know that there are three different ways a packet can travel. The figure below illustrates this more clearly.

Further information on packet traversal can be found in the rc.test-iptables.txt script, which contains a few rules that help in understanding the order in which packets are processed.
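As an added example, and not the tutorial's rc.test-iptables.txt, this POSIX shell script puts a LOG rule at the head of each chain named in tables 1 to 3, each with its own log prefix, so that the kernel log shows the actual traversal order for a test packet. It assumes iptables with the LOG and limit modules (CONFIG_IP_NF_TARGET_LOG, CONFIG_IP_NF_MATCH_LIMIT), root privileges, and uses IPT=echo for a dry run; the script name is an assumption.

```shell
#!/bin/sh
# Added example, not the tutorial's rc.test-iptables.txt: insert a LOG rule
# at the head of every chain in the three traversal tables above, each with
# its own prefix, so the kernel log shows the order one packet meets them.
# Assumes iptables with the LOG and limit modules (CONFIG_IP_NF_TARGET_LOG,
# CONFIG_IP_NF_MATCH_LIMIT) and root privileges.  IPT=echo gives a dry run.
IPT=${IPT:-iptables}

# "table chain" pairs, in the order the text gives for a packet passing
# through the firewall (table 1), then the extra chains a locally delivered
# (table 2) or locally generated (table 3) packet sees.
TRACE_POINTS="mangle PREROUTING
nat PREROUTING
filter FORWARD
nat POSTROUTING
filter INPUT
mangle OUTPUT
nat OUTPUT
filter OUTPUT"

# trace_rule ACTION TABLE CHAIN
# -I (no position) inserts as rule 1, so the LOG fires before any existing
# rule can ACCEPT or DROP the packet; -D removes the identical rule again.
# Only ICMP is traced, so a single ping is the probe, and -m limit keeps
# a busy link from flooding syslog.
trace_rule() {
    "$IPT" -t "$2" "$1" "$3" -p icmp -m limit --limit 3/second \
        -j LOG --log-prefix "$2/$3: "
}

trace_install() {
    printf '%s\n' "$TRACE_POINTS" | while read -r table chain; do
        trace_rule -I "$table" "$chain"
    done
}

trace_remove() {
    printf '%s\n' "$TRACE_POINTS" | while read -r table chain; do
        trace_rule -D "$table" "$chain"
    done
}

# Usage (assumed script name):
#   sh trace_chains.sh install; ping -c 1 <host>; dmesg | grep ': IN='
#   sh trace_chains.sh remove
# For a ping sent from this box expect mangle/OUTPUT, then the nat and
# filter OUTPUT chains, then nat/POSTROUTING; for the reply expect
# mangle/PREROUTING and filter/INPUT.  The nat chains see only the first
# packet of a connection, as the text says, so neither the reply nor a
# second ping in the same session produces nat/ lines.
case "${1:-}" in
    install) trace_install ;;
    remove)  trace_remove ;;
esac
```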


Mangle table

As mentioned above, this table is intended mainly for changing packet headers (mangle - to distort, to alter; translator's note). That is, in this table you can set the TOS (Type Of Service) bits, etc.

Caution

Let me remind you once more that you should not do any kind of filtering, masquerading or address translation (DNAT, SNAT) in this table.

Only the following targets may be used in this table:

  • TOS
  • TTL
  • MARK

The TOS target sets the bits of the Type of Service field in the packet. This field is used to assign the network policy for handling the packet, i.e. it specifies the desired routing option. It should be noted, however, that this feature is actually honoured by a negligible number of routers on the Internet. In other words, you should not change this field for packets going out to the Internet, because the routers that do honour the field may make a wrong routing decision.

The TTL target is used to set the value of the packet's TTL (Time To Live) field. There is one good use for this target. We can assign a particular value to this field in order to hide our firewall from overly curious Internet Service Providers. The thing is that some providers very much dislike one connection being shared by several computers, and so they check the TTL value of incoming packets and use it as one of the criteria for determining whether one computer or several "sit" on the connection.

The MARK target sets a special mark on the packet, which can then be checked by other rules in iptables or by other programs, for example iproute2. With "marks" we can control the routing of packets, limit traffic, and so on.


Nat table

This table is used for Network Address Translation (NAT). As mentioned earlier, only the first packet of a stream passes through the chains of this table; the address translation or masquerading is applied to all subsequent packets in the stream automatically. The targets characteristic of this table are:

  • DNAT
  • SNAT
  • MASQUERADE

The DNAT (Destination Network Address Translation) target changes the destination addresses in packet headers. In other words, this target redirects packets to addresses other than those given in the packet headers.

SNAT (Source Network Address Translation) is used to change the source addresses of packets. With this target you can hide the structure of the local network and at the same time share a single external IP address among the computers on the local network for Internet access. In this case the firewall, using SNAT, automatically performs the forward and reverse address translation, making it possible to connect to servers on the Internet from computers on the local network.

Masquerading (MASQUERADE) is used for the same purposes as SNAT, but unlike the latter, MASQUERADE places a higher load on the system. This is because every time this target has to be executed, the IP address of the network interface named in the target is looked up, whereas for SNAT the IP address is specified directly. Thanks to this difference, however, MASQUERADE can work with a dynamic IP address, i.e. when you connect to the Internet via, say, PPP, SLIP or DHCP.


Filter table

As the name suggests, this table should contain the rule sets for filtering packets. Packets may be passed on or rejected depending on their contents. Of course, we can filter packets in other tables as well, but this table exists specifically for filtering. Most of the existing targets may be used in this table, but some of the targets we looked at earlier in this chapter should be used only in the tables they belong to.


The state machine

This chapter is devoted entirely to the packet state machine. After reading it you should have a reasonably clear picture of how this mechanism works. A considerable number of illustrative examples will also be covered.

Introduction

The state machine is part of iptables and should not really be called that, since it is actually a connection tracking mechanism. However, a great many people know it precisely as the "state machine". In this chapter the two names are used as synonyms. The connection tracker was created so that netfilter could obtain information about the state of a particular connection. Having this mechanism lets you build more reliable rule sets.

Within iptables, a connection can be in one of 4 basic states: NEW, ESTABLISHED, RELATED and INVALID. Later we will look at each of them in more detail. The --state match is used to control packets based on their state. The tracker determines the 4 basic states of each TCP or UDP packet and some additional characteristics. For TCP and UDP packets these are the source IP address, the destination IP address, the source port and the destination port.

In previous kernel versions it was possible to turn packet defragmentation support on and off. However, once connection tracking became part of iptables/netfilter, the need for this disappeared. The reason is that the tracker cannot do its job without defragmentation support, and so it is always on. It cannot be turned off other than by turning off connection tracking.

Tracking is performed in the PREROUTING chain. This means that iptables performs all the computations related to determining the state within this chain. When the initiating packet of a stream is sent, it is given the state NEW, and when the reply packet comes back the state of the connection changes to ESTABLISHED, and so on.


The conntrack table

Let us take a brief look at the tracker's table, which can be found in the file /proc/net/ip_conntrack. It contains the list of all active connections. If the ip_conntrack module is loaded, the command cat /proc/net/ip_conntrack should print something like this:

tcp 6 117 SYN_SENT src=192.168.1.6 dst=192.168.1.9 sport=32775 dport=22 [UNREPLIED] src=192.168.1.9 dst=192.168.1.6 sport=22 dport=32775 use=2

This example contains all the information the tracker knows about a particular connection. The first thing you see is the protocol name, in this case tcp. Next comes a number in ordinary decimal notation (6, the IP protocol number of TCP). After it comes the number that defines the "time to live" of the entry in the table (i.e. the number of seconds after which the information about the connection is removed from the table). In our case the entry will be kept for another 117 seconds, unless of course another packet passes through this connection, in which case the value is reset to the default for the given state. This number is decremented by 1 every second. Next comes the actual state of the connection. In our example the state is SYN_SENT. The internal representation of the state differs somewhat from the external one. The value SYN_SENT says that a single TCP SYN packet has passed through this connection. Next come the source and destination addresses and the source and destination ports. Here you also see the keyword which says that no reply traffic has yet passed through this connection. Finally there is additional information about the expected packet: the source/destination IP addresses (the same ones, only swapped, since a reply packet is expected), and likewise the ports.

Note

Quite recently a patch, tcp-window-tracking, appeared in patch-o-matic which makes it possible to pass the values of all the timeouts through special variables, i.e. to change them "on the fly". Thus it becomes possible to change the timeouts without having to rebuild the kernel.

The changes are made through certain system calls, via the /proc/sys/net/ipv4/netfilter directory. Pay particular attention to the set of variables /proc/sys/net/ipv4/netfilter/ip_ct_*.

After a reply packet is received, the tracker removes the [UNREPLIED] flag and replaces it with the [ASSURED] flag. This flag says that the connection is reliably established and that this entry will not be erased when the maximum possible number of tracked connections is reached. The maximum number of entries the table can hold depends on a default value which, in recent kernels, can be set through ipsysctl. For 128 MB of RAM this value corresponds to 8192 entries, for 256 MB to 16376. You can view and change this value via /proc/sys/net/ipv4/ip_conntrack_max.
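As an added example (not from the tutorial), a POSIX shell/awk summary of /proc/net/ip_conntrack entries in the layout described above; it serves both the field-by-field description of the entry and the note on [UNREPLIED]/[ASSURED] and ip_conntrack_max. The sample entries are constructed here (the first is the one shown in the text), and the script name is an assumption.

```shell
#!/bin/sh
# Added example, not part of the tutorial: summarise /proc/net/ip_conntrack
# entries in the layout described above.  Per entry it prints the protocol,
# the seconds left before the entry expires, the protocol state word (TCP
# only), the original direction as src:sport->dst:dport, and whether the
# entry is UNREPLIED, ASSURED or neither.  Input is read from stdin, so it
# works on a saved copy of the file as well as on the live one.

# Constructed sample: line 1 is the entry shown in the text, lines 2-3 are
# made up here (an assured ssh session and an unanswered DNS query).
SAMPLE_ENTRIES='tcp 6 117 SYN_SENT src=192.168.1.6 dst=192.168.1.9 sport=32775 dport=22 [UNREPLIED] src=192.168.1.9 dst=192.168.1.6 sport=22 dport=32775 use=2
tcp 6 431999 ESTABLISHED src=192.168.1.6 dst=192.168.1.9 sport=32776 dport=22 src=192.168.1.9 dst=192.168.1.6 sport=22 dport=32776 [ASSURED] use=1
udp 17 27 src=192.168.1.6 dst=192.168.1.1 sport=1025 dport=53 [UNREPLIED] src=192.168.1.1 dst=192.168.1.6 sport=53 dport=1025 use=1'

# conntrack_summary: one "proto timeout state src:sport->dst:dport flag"
# line per entry.  Fields after the timeout are located by name (src=,
# dst=, ...) rather than by position, because UDP and ICMP entries carry
# no state word; only the first src/dst/sport/dport seen (the original
# direction) is kept, the second tuple being the expected reply.
conntrack_summary() {
    awk '
    {
        proto = $1; timeout = $3
        state = ($4 ~ /=/) ? "-" : $4
        src = dst = sport = dport = "-"; flag = "-"
        for (i = 4; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "src" && src == "-")          src = kv[2]
            else if (kv[1] == "dst" && dst == "-")     dst = kv[2]
            else if (kv[1] == "sport" && sport == "-") sport = kv[2]
            else if (kv[1] == "dport" && dport == "-") dport = kv[2]
            else if ($i == "[UNREPLIED]" || $i == "[ASSURED]")
                flag = substr($i, 2, length($i) - 2)
        }
        printf "%s %s %s %s:%s->%s:%s %s\n",
               proto, timeout, state, src, sport, dst, dport, flag
    }'
}

# conntrack_unreplied_count: entries still waiting for an answer.  Many
# UNREPLIED SYN_SENT entries from many sources is what a SYN flood looks
# like in this table; these are the entries evicted first when the table
# reaches /proc/sys/net/ipv4/ip_conntrack_max (see above), while ASSURED
# ones are kept.  grep -c exits 1 when the count is 0, which is not an error.
conntrack_unreplied_count() {
    grep -c '\[UNREPLIED\]' || [ $? -eq 1 ]
}

# Usage (assumed script name): sh conntrack_summary.sh < /proc/net/ip_conntrack
# or, with the constructed sample:  sh conntrack_summary.sh sample
if [ "${1:-}" = "sample" ]; then
    printf '%s\n' "$SAMPLE_ENTRIES" | conntrack_summary
fi
```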


States

As you have already seen, packets can have several different states within the kernel, depending on the protocol type. Outside the kernel, however, there are only 4 states, as mentioned above. The packet state is used mainly in the --state match. The allowed states are NEW, ESTABLISHED, RELATED and INVALID. The table below describes each of the possible states.

Table 1. List of states

State: NEW
Description: The NEW state means that the packet is the first for this connection. That is, it is the first packet of the connection that the conntrack module has seen. For example, if a SYN packet arrives that is the first packet of a connection, it gets the NEW state. However, a packet need not be a SYN packet to get the NEW state. This can cause problems in certain cases, but it can also be very useful, for example when you want to "pick up" connections "lost" by other firewalls, or when a connection's timeout has already expired but the connection itself was not closed.

State: ESTABLISHED
Description: The ESTABLISHED state means that this is not the first packet in the connection. The logic for setting ESTABLISHED is simple enough to understand. The only requirement for a connection to enter the ESTABLISHED state is that one host has sent a packet and received a reply to it from the other host. Once the reply is received, the connection's NEW state is replaced by ESTABLISHED.

State: RELATED
Description: The RELATED state is one of the trickiest. A connection gets the RELATED state if it is related to another connection that has the ESTABLISHED state. This means a connection becomes RELATED when it is initiated from an already established connection that has the ESTABLISHED state. A good example of a connection that can be considered RELATED is an FTP-data connection, which is related to the FTP control port, as well as a DCC connection started from IRC. Note that most TCP protocols and some UDP protocols that rely on this mechanism are quite complex and send the connection information in the data area of the TCP or UDP packets, and therefore require special helper modules to work correctly.

State: INVALID
Description: The INVALID state means that the packet cannot be identified and therefore cannot have a definite state. This can happen for various reasons, for example when memory runs out, or when an ICMP message is received that does not correspond to any known connection. Probably the best option is to DROP such packets.

These four states can be used in the --state match. The state machine makes it possible to build extremely powerful and effective protection. Previously we had to open all ports above 1024 to let return traffic into the local network; now, with the state machine, this is no longer necessary, since it has become possible to "open" access only for return (reply) traffic.


TCP connections

In this and the following sections we take a closer look at the states and how they are handled for each of the three basic protocols TCP, UDP and ICMP, and also touch on the case where a connection's protocol cannot be classified as one of those three. We start with TCP, since it has a number of very interesting features with respect to the state machine in iptables.

A TCP connection is always established by exchanging three packets that initialize and set up the connection over which data will subsequently be sent. The session begins with a SYN packet, which is answered with a SYN/ACK packet, and an ACK packet confirms the establishment of the connection. After that the connection is considered established and ready to carry data. The question may arise: "So how is the connection tracked?" In fact it is fairly simple.

For all connection types, tracking works almost the same way. Look at the figure below, which shows all stages of connection establishment. As you can see, from the user's point of view the tracker does not really follow the progress of the connection setup. As soon as the tracker "sees" the first (SYN) packet, it assigns it the NEW state. As soon as the second packet (SYN/ACK) passes through the tracker, the connection is assigned the ESTABLISHED state. Why the second packet? We will see now. When building your rule set you can allow packets with the NEW and ESTABLISHED states to leave the local network, and allow only ESTABLISHED packets in the inbound traffic, and everything will work fine. Conversely, if the tracker kept treating the connection as NEW, you would effectively never be able to establish a connection with the "outside world", or you would have to allow NEW packets into the local network.

From the user's point of view everything looks fairly simple, but from the kernel's point of view it is somewhat more complicated. Let us look at how the connection's state changes in the /proc/net/ip_conntrack table. After the first SYN packet has been sent:

tcp 6 117 SYN_SENT src=192.168.1.5 dst=192.168.1.35 sport=1031 dport=23 [UNREPLIED] src=192.168.1.35 dst=192.168.1.5 sport=23 dport=1031 use=1

As you can see, the table entry reflects the exact state of the connection: a SYN packet has been sent (the SYN_SENT state), to which there has been no reply yet (the [UNREPLIED] flag). After the reply packet is received, the connection moves to the next internal state:

tcp 6 57 SYN_RECV src=192.168.1.5 dst=192.168.1.35 sport=1031 dport=23 src=192.168.1.35 dst=192.168.1.5 sport=23 dport=1031 use=1

ô.Å. ÚÁÐÉÓØ ÓÏÏÂÝÁÅÔ, ÞÔÏ ÏÂÒÁÔÎÏ ÐÒÏÛÅÌ ÐÁËÅÔ SYN/ACK. îÁ ÜÔÏÔ ÒÁÚ ÓÏÅÄÉÎÅÎÉÅ ÐÅÒÅ×ÏÄÉÔÓÑ × ÓÏÓÔÏÑÎÉÅ SYN_RECV. üÔÏ ÓÏÓÔÏÑÎÉÅ ÇÏ×ÏÒÉÔ Ï ÔÏÍ, ÞÔÏ ÐÁËÅÔ SYN ÂÙÌ ÂÌÁÇÏÐÏÌÕÞÎÏ ÄÏÓÔÁ×ÌÅÎ ÐÏÌÕÞÁÔÅÌÀ É × ÏÔ×ÅÔ ÎÁ ÎÅÇÏ ÐÒÉÛÅÌ ÐÁËÅÔ-ÐÏÄÔ×ÅÒÖÄÅÎÉÅ (SYN/ACK). ëÒÏÍÅ ÔÏÇÏ, ÍÅÈÁÎÉÚÍ ÏÐÒÅÄÅÌÅÎÉÑ ÓÏÓÔÏÑÎÉÑ "Õ×ÉÄÅ×" ÐÁËÅÔÙ, ÓÌÅÄÕÀÝÉÅ × ÏÂÅÉÈ ÎÁÐÒÁ×ÌÅÎÉÑÈ, ÓÎÉÍÁÅÔ ÆÌÁÇ [UNREPLIED]. é ÎÁËÏÎÅà ÐÏÓÌÅ ÐÅÒÅÄÁÞÉ ÚÁËÌÀÞÉÔÅÌØÎÏÇÏ ACK-ÐÁËÅÔÁ, × ÐÒÏÃÅÄÕÒÅ ÕÓÔÁÎÏ×ÌÅÎÉÑ ÓÏÅÄÉÎÅÎÉÑ

tcp 6 431999 ESTABLISHED src=192.168.1.5 dst=192.168.1.35 sport=1031 dport=23 src=192.168.1.35 dst=192.168.1.5 sport=23 dport=1031 use=1

the connection enters the ESTABLISHED state. After a few more packets have passed through this connection, the [ASSURED] flag is added to it.

When closing, a TCP connection goes through the following states.



As the figure shows, the connection is not closed until the last ACK packet has been sent. Note that this picture describes the normal closing process. In addition, if a connection is rejected it can be closed by sending an RST (reset) packet. In that case the connection is closed after a predefined time.

When closing, the connection is put into the TIME_WAIT state, which by default lasts 2 minutes, during which packets can still pass through the firewall. This is a kind of "buffer time" that lets packets that got "stuck" at some router get through.

If the connection is closed on receipt of an RST packet, it is put into the CLOSE state. The wait before the connection is actually closed defaults to 10 seconds. RST packets are not acknowledged, and the connection is closed immediately. There are also a number of other internal states. The table below lists the possible internal states of a connection and the corresponding timeouts.

Table 2. Internal states

State        Timeout
NONE         30 minutes
ESTABLISHED  5 days
SYN_SENT     2 minutes
SYN_RECV     60 seconds
FIN_WAIT     2 minutes
TIME_WAIT    2 minutes
CLOSE        10 seconds
CLOSE_WAIT   12 hours
LAST_ACK     30 seconds
LISTEN       2 minutes


These values may vary somewhat from one kernel version to another; they can also be changed through the /proc filesystem interface (the /proc/sys/net/ipv4/netfilter/ip_ct_tcp_* variables). The values are set in hundredths of a second, so the number 3000 means 30 seconds.

Note: From the user's point of view, the state machine does not reflect the state of the TCP flags at all. As a rule this is bad, since the NEW state is assigned not only to SYN packets.

This problem is discussed in more detail in the section Packets with the NEW state and the SYN bit not set.


UDP connections



By their nature, UDP connections have no state. There are several reasons for this, the main one being that the protocol has no connection setup or teardown, but the biggest shortcoming is the lack of information about the order in which packets arrive. Having received two UDP datagrams, it is impossible to tell exactly in what order they were sent. Even so, it is still possible to track the state of the connection. The figure below shows how connection establishment looks from the tracker's point of view.



As you can see, from the user-space point of view the state of a UDP connection is determined almost the same way as that of a TCP connection. Internally it looks somewhat different, though largely similar. First let us look at the entry that appears after the first UDP packet has been sent.

udp 17 20 src=192.168.1.2 dst=192.168.1.5 sport=137 dport=1025 [UNREPLIED] src=192.168.1.5 dst=192.168.1.2 sport=1025 dport=137 use=1

The first thing we see is the protocol name (udp) and its number (see /etc/protocols; translator's note). The third value is the remaining "time to live" of the entry in seconds. Next come the characteristics of the packet that passed through the firewall: the source and destination addresses and ports. We can also see that this is the first packet in the session (the [UNREPLIED] flag). The entry ends with the source and destination addresses and ports of the expected packet. The default timeout for such an entry is 30 seconds.

udp 17 170 src=192.168.1.2 dst=192.168.1.5 sport=137 dport=1025 src=192.168.1.5 dst=192.168.1.2 sport=1025 dport=137 use=1

Once the server has "seen" a reply to the first packet, the connection is considered ESTABLISHED; the only difference from the previous entry is the absence of the [UNREPLIED] flag, and the entry's timeout has become 180 seconds. After that, only the [ASSURED] flag, described above, can be added. The [ASSURED] flag is set only after a certain number of packets have passed through the connection.

udp 17 175 src=192.168.1.5 dst=195.22.79.2 sport=1025 dport=53 src=195.22.79.2 dst=192.168.1.5 sport=53 dport=1025 [ASSURED] use=1

Now the connection has become "assured". The table entry looks almost the same as in the previous example, except for the [ASSURED] flag. If not a single packet passes through the connection within 180 seconds, the entry is removed from the table. This is a fairly short interval, but it is quite sufficient for most uses. The "time to live" is counted from the moment the last packet passed, and when a new packet appears the time is reset to its initial value.


ICMP connections

ICMP packets are used only to carry control messages and do not form a persistent connection. However, there are 4 ICMP packet types that elicit a reply, so they can have two states: NEW and ESTABLISHED. These are ICMP Echo Request/Echo Reply, ICMP Timestamp Request/Timestamp Reply, ICMP Information Request/Information Reply and ICMP Address Mask Request/Address Mask Reply. Of these, ICMP Timestamp Request/Timestamp Reply and ICMP Information Request/Information Reply are considered obsolete and can therefore, in most cases, be safely dropped (DROP). Look at the figure below.



As the figure shows, the server sends an Echo Request to the client, and the request is recognized by the firewall as NEW. The client answers this request with an Echo Reply packet, and that packet is now recognized as having the ESTABLISHED state. After the first packet (Echo Request) has passed, the following entry appears in ip_conntrack:

icmp 1 25 src=192.168.1.6 dst=192.168.1.10 type=8 code=0 id=33029 [UNREPLIED] src=192.168.1.10 dst=192.168.1.6 type=0 code=0 id=33029 use=1

This entry differs somewhat from the TCP and UDP entries, although the protocol name, the timeout and the source and destination addresses are present just the same; but then three new fields appear: type, code and id. The type field holds the ICMP type and the code field the ICMP code. The ICMP type and code values are listed in the appendix ICMP types. The last field, id, holds the packet identifier. Each ICMP packet has its own identifier. When the receiver sends a reply to an ICMP request, it puts this identifier into the reply packet, which lets the sender correctly recognize which request the reply belongs to.

The next field is the [UNREPLIED] flag, which we have seen before. It means that the first packet in the connection has arrived. The entry ends with the characteristics of the expected reply packet. These include the source and destination addresses. As for the type and code of the ICMP packet, they correspond to the correct values for the expected ICMP Echo Reply packet. The identifier of the reply packet is the same as in the request packet.

The reply packet is recognized as ESTABLISHED. However, we know that after the reply packet has been sent nothing more is expected over this connection, so once the reply has passed through netfilter, the entry in the conntrack table is destroyed.

In any case the request is treated as NEW and the reply as ESTABLISHED. Note that the reply packet must match the characteristics (source and destination addresses, type, code and identifier) given in the conntrack table entry.

ICMP requests have a default timeout of 30 seconds. In most cases this is quite sufficient. The timeout can be changed in /proc/sys/net/ipv4/netfilter/ip_ct_icmp_timeout. (Recall that the /proc/sys/net/ipv4/netfilter/ip_ct_* variables become available only after the tcp-window-tracking patch from patch-o-matic has been installed. Translator's note.)
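As an added example (not part of the tutorial or of netfilter), the following Python parser reads /proc/net/ip_conntrack lines of the three kinds shown above (TCP, UDP and ICMP), splits each into its protocol, timeout, internal TCP state, original and expected-reply tuples and the [UNREPLIED]/[ASSURED] flags, and summarizes how much of ip_conntrack_max is in use and how many entries are still evictable. The sample lines are constructed copies of the entries from this section, and the 8192-entry limit is the 128 MB default quoted above.

```python
"""Parser for /proc/net/ip_conntrack entries (added example, not tutorial code).

Each line is: proto proto_num timeout [tcp_state] <original tuple>
[UNREPLIED] <expected reply tuple> [ASSURED] use=N, where a tuple is a run of
key=value tokens starting with src=.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: copies of the TCP, UDP and ICMP entries discussed above.
SAMPLE_IP_CONNTRACK = """\
tcp 6 117 SYN_SENT src=192.168.1.5 dst=192.168.1.35 sport=1031 dport=23 [UNREPLIED] src=192.168.1.35 dst=192.168.1.5 sport=23 dport=1031 use=1
tcp 6 431999 ESTABLISHED src=192.168.1.5 dst=192.168.1.35 sport=1031 dport=23 src=192.168.1.35 dst=192.168.1.5 sport=23 dport=1031 use=1
udp 17 20 src=192.168.1.2 dst=192.168.1.5 sport=137 dport=1025 [UNREPLIED] src=192.168.1.5 dst=192.168.1.2 sport=1025 dport=137 use=1
udp 17 175 src=192.168.1.5 dst=195.22.79.2 sport=1025 dport=53 src=195.22.79.2 dst=192.168.1.5 sport=53 dport=1025 [ASSURED] use=1
icmp 1 25 src=192.168.1.6 dst=192.168.1.10 type=8 code=0 id=33029 [UNREPLIED] src=192.168.1.10 dst=192.168.1.6 type=0 code=0 id=33029 use=1
"""

IP_CONNTRACK_MAX = 8192  # default for 128 MB of RAM, as stated in the text above


@dataclass
class ConntrackEntry:
    proto: str
    proto_num: int
    timeout: int                 # seconds left before the entry is removed
    tcp_state: Optional[str]     # SYN_SENT, SYN_RECV, ESTABLISHED, ... (TCP only)
    original: Dict[str, object]  # tuple of the packet that created the entry
    reply: Dict[str, object]     # tuple the tracker expects in the reply direction
    unreplied: bool              # [UNREPLIED]: nothing seen in the reply direction yet
    assured: bool                # [ASSURED]: not evicted when the table is full

    def reply_mirrors_original(self) -> bool:
        """True when the expected reply is the original tuple with the endpoints
        swapped (the normal case described in the text; a box that also does
        NAT stores the translated addresses instead, so the check fails there)."""
        o, r = self.original, self.reply
        if r["src"] != o["dst"] or r["dst"] != o["src"]:
            return False
        if self.proto == "icmp":
            return r["id"] == o["id"]
        return r["sport"] == o["dport"] and r["dport"] == o["sport"]


def parse_entry(line: str) -> ConntrackEntry:
    tokens = line.split()
    proto, proto_num, timeout = tokens[0], int(tokens[1]), int(tokens[2])
    rest = tokens[3:]
    tcp_state = rest.pop(0) if proto == "tcp" else None
    flags = set()
    tuples: List[Dict[str, object]] = []
    for tok in rest:
        if tok.startswith("[") and tok.endswith("]"):
            flags.add(tok[1:-1])
            continue
        key, _, value = tok.partition("=")
        if key == "use":
            continue  # kernel reference count, not part of either tuple
        if key == "src":
            tuples.append({})  # every src= token starts a new tuple
        if not tuples:
            raise ValueError("tuple does not start with src=: " + line)
        tuples[-1][key] = int(value) if value.isdigit() else value
    if len(tuples) != 2:
        raise ValueError("expected an original and a reply tuple: " + line)
    return ConntrackEntry(proto, proto_num, timeout, tcp_state, tuples[0],
                          tuples[1], "UNREPLIED" in flags, "ASSURED" in flags)


def parse_table(text: str) -> List[ConntrackEntry]:
    return [parse_entry(l) for l in text.splitlines() if l.strip()]


def table_report(text: str, conntrack_max: int = IP_CONNTRACK_MAX) -> Dict[str, object]:
    """Summarize table pressure the way an operator checks it: total entries
    against ip_conntrack_max, half-open (UNREPLIED) entries, and entries
    without [ASSURED], which are the first to go when the table fills up."""
    entries = parse_table(text)
    return {
        "total": len(entries),
        "usage_pct": round(100 * len(entries) / conntrack_max, 2),
        "unreplied": sum(e.unreplied for e in entries),
        "evictable": sum(not e.assured for e in entries),
        "tcp_states": sorted({e.tcp_state for e in entries if e.tcp_state}),
    }


if __name__ == "__main__":
    for e in parse_table(SAMPLE_IP_CONNTRACK):
        print(e.proto, e.timeout, e.tcp_state, e.original, "->", e.reply,
              "UNREPLIED" if e.unreplied else "", "ASSURED" if e.assured else "")
    print(table_report(SAMPLE_IP_CONNTRACK))
```

On a live system the same functions can be fed the contents of /proc/net/ip_conntrack and the value read from /proc/sys/net/ipv4/ip_conntrack_max.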

A large part of ICMP is used to send messages about what is happening to a given UDP or TCP connection. Because of this, such messages are very often recognized as RELATED to an existing connection. Simple examples are the ICMP Host Unreachable and ICMP Network Unreachable messages. They are always generated when an attempt is made to connect to a host while that host or network is unreachable; in that case the last router returns the corresponding ICMP packet, which is recognized as RELATED. The figure below shows how this happens.

In this example a connection request (SYN packet) is sent to some host. It gets the NEW state on the firewall. However, at that moment the network turns out to be unreachable, so the router returns an ICMP Network Unreachable packet. The connection tracker recognizes this packet as RELATED, thanks to the entry already in the table, so the packet is safely delivered to the client, which then aborts the failed connection. Meanwhile the firewall destroys the entry in the table, since an error message has been received for this connection.

The same happens with UDP connections if similar problems are encountered. All ICMP messages sent in reply to a UDP connection are treated as RELATED. Look at the next figure.



A UDP datagram is sent to the server. The connection is assigned the NEW state. However, access to the network is prohibited (by a firewall or router), so an ICMP Network Prohibited message is returned. The firewall recognizes this message as related to the open UDP connection, assigns it the RELATED state and passes it to the client. After that the conntrack table entry is destroyed, and the client cleanly aborts the connection.
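The following Python model, added here and not taken from the tutorial or from the kernel, reproduces the state assignment described in this and the preceding sections: NEW on the first packet, ESTABLISHED once a packet in the expected reply direction is seen, RELATED for an ICMP error whose embedded packet belongs to a known entry, and INVALID otherwise. The ICMP type numbers are those of RFC 792, and the packet sequence and the router address 10.0.0.1 are constructed.

```python
"""Model of the conntrack state assignment described above (added example;
not code from the tutorial or from netfilter).

The model keeps the same two tuples per entry as /proc/net/ip_conntrack, the
original direction and the expected reply direction, and records whether a
packet in the reply direction has been seen ([UNREPLIED] cleared).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# ICMP request -> reply type pairs named in the text (RFC 792 type numbers):
# Echo 8/0, Timestamp 13/14, Information 15/16, Address Mask 17/18.
ICMP_REQUEST_TO_REPLY = {8: 0, 13: 14, 15: 16, 17: 18}
# ICMP errors that carry the header of the packet they refer to, e.g.
# Destination Unreachable (3) as in the Network Unreachable example above.
ICMP_ERROR_TYPES = {3, 11}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: Optional[int] = None
    icmp_id: int = 0
    inner: Optional["Packet"] = None  # ICMP errors: the packet the error is about


Key = Tuple[str, str, str, int, int]


def _key(p: Packet) -> Key:
    if p.proto == "icmp":
        return ("icmp", p.src, p.dst, p.icmp_type, p.icmp_id)
    return (p.proto, p.src, p.dst, p.sport, p.dport)


def _expected_reply(p: Packet) -> Key:
    """Reply tuple as stored in the table: endpoints swapped, ports swapped,
    and for ICMP the matching reply type with the same id."""
    if p.proto == "icmp":
        return ("icmp", p.dst, p.src, ICMP_REQUEST_TO_REPLY[p.icmp_type], p.icmp_id)
    return (p.proto, p.dst, p.src, p.dport, p.sport)


class ConntrackModel:
    def __init__(self) -> None:
        self.table: Dict[Key, dict] = {}  # original key -> {"reply": Key, "replied": bool}

    def _lookup(self, k: Key) -> Optional[Key]:
        """Original key of the entry that k belongs to, in either direction."""
        if k in self.table:
            return k
        return next((o for o, e in self.table.items() if e["reply"] == k), None)

    def classify(self, p: Packet) -> str:
        if p.proto == "icmp" and p.icmp_type in ICMP_ERROR_TYPES:
            # Error message: RELATED if the embedded packet belongs to a known
            # connection; the entry is then destroyed, as the text describes.
            orig = self._lookup(_key(p.inner)) if p.inner is not None else None
            if orig is None:
                return "INVALID"
            del self.table[orig]
            return "RELATED"
        k = _key(p)
        if k in self.table:  # same direction as the first packet
            return "ESTABLISHED" if self.table[k]["replied"] else "NEW"
        orig = self._lookup(k)
        if orig is not None:  # reply direction seen: [UNREPLIED] is cleared
            self.table[orig]["replied"] = True
            if p.proto == "icmp":
                del self.table[orig]  # request/reply pair complete, nothing more expected
            return "ESTABLISHED"
        if p.proto == "icmp" and p.icmp_type not in ICMP_REQUEST_TO_REPLY:
            return "INVALID"  # a reply that matches no known request
        # First packet of a connection: NEW, regardless of TCP flags (the
        # tracker does not require a SYN, as the Note above points out).
        self.table[k] = {"reply": _expected_reply(p), "replied": False}
        return "NEW"


def demo_sequence() -> List[str]:
    """Constructed sequence following the examples in the text."""
    m = ConntrackModel()
    syn = Packet("tcp", "192.168.1.5", "192.168.1.35", 1031, 23)
    synack = Packet("tcp", "192.168.1.35", "192.168.1.5", 23, 1031)
    echo = Packet("icmp", "192.168.1.6", "192.168.1.10", icmp_type=8, icmp_id=33029)
    echo_reply = Packet("icmp", "192.168.1.10", "192.168.1.6", icmp_type=0, icmp_id=33029)
    dns = Packet("udp", "192.168.1.5", "195.22.79.2", 1025, 53)
    # Network Unreachable from a constructed router address, quoting the UDP datagram
    unreachable = Packet("icmp", "10.0.0.1", "192.168.1.5", icmp_type=3, inner=dns)
    return [m.classify(p) for p in
            (syn, synack, syn,              # handshake: NEW, ESTABLISHED, ESTABLISHED
             echo, echo_reply, echo_reply,  # NEW, ESTABLISHED, then INVALID
             dns, unreachable, unreachable)]  # NEW, RELATED, then INVALID


if __name__ == "__main__":
    print(demo_sequence())
```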


Default behaviour

In some cases the state machine cannot recognize the protocol and, accordingly, cannot choose a handling strategy for the connection. In that case it falls back to the default behaviour. The default behaviour is used, for example, for the NETBLT, MUX and EGP protocols. The default behaviour is much like the tracking of UDP connections. The first packet is assigned the NEW state, and all subsequent packets the ESTABLISHED state.

When the default behaviour is used, the same timeout value applies to all packets; it can be changed in /proc/sys/net/ipv4/netfilter/ip_ct_generic_timeout. By default this value is 600 seconds, or 6 minutes (yes, that is exactly what the original text says. I suspect the author simply made a slip, and it should be read as "600 seconds or 10 minutes". Incidentally, in the source code (/usr/src/linux/net/ipv4/netfilter/ip_conntrack_proto_generic.c) the value of GENERIC_TIMEOUT is 600 seconds. Translator's note.) Depending on the type of traffic this time may need to vary, especially when the connection goes over a satellite link.


Tracking complex protocols

There are a number of complex protocols whose correct tracking is more difficult. Examples are ICQ, IRC and FTP. Each of these protocols carries additional connection information in the data area of the packet. Accordingly, correct tracking of such connections requires additional helper modules.

As a first example, consider FTP. FTP first opens a single connection called the FTP control session. When commands are issued within this session, additional ports are opened to transfer the associated data. These connections can be active or passive. When an active connection is created, the client tells the FTP server the port number and IP address to connect to. The client then opens the port, the server connects from its own port 20 (known as FTP-Data) to the specified client port and sends the data over the established connection.

The problem is that the firewall knows nothing about these additional connections, since all the information about them is carried in the data area of the packet. Because of this, the firewall will not let the server connect to the specified client port.

The solution is to add a special conntrack helper module that watches for protocol-specific information in the data area of the packets sent within the control session. When such a connection is created, the helper correctly interprets the transmitted information and creates a corresponding entry in the conntrack table with the RELATED state, so that the connection can be established. The figure below explains how such a connection proceeds.



Passive FTP works the other way around. The client sends the server a request for data, and the server returns to the client an IP address and port number to connect to. The client connects from its port 20 (FTP-data) to the specified server port and receives the requested data. If your FTP server is behind a firewall, you will need this helper module for the server to be able to serve clients from the Internet. The same applies when you want to restrict your users to connecting only to HTTP and FTP servers on the Internet and close all other ports. The figure below shows how a passive FTP connection proceeds.



Some helper modules are already included in the kernel. To be precise, the kernel includes helpers for the FTP and IRC protocols. If the helper you need is not available, you should look at patch-o-matic, which contains a large number of conntrack helpers for protocols such as ntalk or H.323. If you still cannot find what you need, you have other options: you can check the iptables CVS, in case the helper has not yet been included in patch-o-matic, or you can contact the netfilter developers and ask whether such a module exists and whether it is planned for release. If that also fails, you should probably read Rusty Russell's Unreliable Netfilter Hacking HOWTO.

Helpers can be compiled either as loadable kernel modules or statically into the kernel. If they are compiled as modules, you can load them with the command

modprobe ip_conntrack_*

Note that the state machine has nothing to do with Network Address Translation (NAT), so you may need more additional modules if you are also doing NAT. Suppose you are doing address translation and tracking FTP connections; then you also need the corresponding NAT helper module. NAT helper module names begin with ip_nat, following the naming convention. In this case the module is called ip_nat_ftp. For the IRC protocol the module is called ip_nat_irc. The conntrack helper module names follow the same convention, for example ip_conntrack_ftp and ip_conntrack_irc.


How to build rules

This chapter discusses how to build your own rules for iptables. Each line you insert into a chain must contain a single rule. We will also discuss the basic matches and targets, and how to create your own rule chains.


Basics

As mentioned above, each rule is a line containing the criteria that determine whether a packet matches the rule, and the action to take when the criteria are met. In general form, rules are written roughly like this:

iptables [-t table] command [match] [target/jump]

Nowhere is it stated that the target/jump specification must come last on the line; we will, however, stick to this notation for readability.

If the rule does not include the [-t table] specifier, the filter table is assumed by default; if another table is intended, this must be stated explicitly. The table specifier can also be placed anywhere in the rule line, but it is more or less standard to put it at the beginning of the rule.

Next, immediately after the table name, comes the command. If there is no table specifier, the command must always come first. The command tells iptables what to do, for example insert a rule, append a rule to the end of a chain, delete a rule, and so on.

The matches section specifies the criteria by which it is determined whether the packet matches this rule or not. Here we can specify a variety of criteria: the source IP address of the packet or network, the network interface, and so on. There are many matches, which we will look at in this chapter.

Finally, the target specifies what action is to be taken if the rule's criteria are met. Here we can make the kernel pass the packet to another chain of rules, "drop" the packet and forget about it, send an error message back to the source, and so on.


Tables

The -t option specifies which table to use. By default the filter table is used. The following values are used with the -t option.

Table 1. Tables

Table: nat
Description: The nat table is used mainly for Network Address Translation. Only the first packet of a stream passes through this table; the address translation is then applied automatically to all subsequent packets. This is one of the reasons we should not do any filtering in this table. The PREROUTING chain is used to alter packets as they enter the firewall. The OUTPUT chain is used to translate packets generated by applications on the firewall itself, before the routing decision. Note that at present this chain does not work. The last chain in this table is POSTROUTING, which is used to translate packets before they leave the firewall.

Table: mangle
Description: This table is used to alter packet headers. Examples are changing the TTL, TOS or MARK field. Important: the MARK field is not actually changed in the packet; instead a structure is kept in kernel memory that accompanies the packet during its passage through the machine, so that other rules and applications on this machine (and only on this machine) can use this field for their own purposes. The table has two chains, PREROUTING and OUTPUT. PREROUTING is used to alter packets as they enter the firewall, before the routing decision. OUTPUT is used to alter packets coming from applications on the firewall itself. Note that the mangle table must never be used for Network Address Translation or Masquerading, since the nat table exists for those purposes.

Table: filter
Description: The filter table is used mainly for packet filtering. For example, here we can DROP, LOG, ACCEPT or REJECT packets without any of the complications found in the other tables. There are three built-in chains. The first is FORWARD, used to filter packets passing through the firewall in transit. The INPUT chain is traversed by packets destined for local applications (the firewall itself). And the OUTPUT chain is used to filter outgoing packets generated by applications on the firewall itself.

Above we looked at the main differences between the three tables. Each of them should be used only for its own purposes, and you must understand this. Misusing the tables can weaken the protection of the firewall and of the network behind it. Later, in the chapter Traversing of tables and chains, we will go into this in more detail.


Commands

Below is a list of commands and the rules for their use. With commands we tell iptables what we intend to do. Usually this is one of two things: adding a new rule to a chain, or deleting an existing rule from a table. The commands used in iptables are listed below.

Table 2. Commands

Command: -A, --append
Example: iptables -A INPUT ...
Description: Appends a new rule to the end of the given chain.

Command: -D, --delete
Example: iptables -D INPUT --dport 80 -j DROP, iptables -D INPUT 1
Description: Deletes a rule from a chain. The command has two forms: in the first, the match criteria are given with the -D option (see the first example); in the second, the ordinal number of the rule is given. If match criteria are given, the rule containing those criteria is deleted; if a rule number is given, the rule with that number is deleted. Rules in a chain are numbered starting from 1.

Command: -R, --replace
Example: iptables -R INPUT 1 -s 192.168.0.1 -j DROP
Description: This command replaces one rule with another. It is mainly used while debugging new rules.

Command: -I, --insert
Example: iptables -I INPUT 1 --dport 80 -j ACCEPT
Description: Inserts a new rule into a chain. The number following the chain name gives the number of the rule before which the new rule is to be inserted; in other words, it is the number the inserted rule will get. In the example above, the rule is to become number 1 in the INPUT chain.

Command: -L, --list
Example: iptables -L INPUT
Description: Lists the rules in the given chain; in this example the rules of the INPUT chain are listed. If no chain name is given, the rules of all chains are listed. The output format depends on additional options in the command, such as -n, -v, etc.

Command: -F, --flush
Example: iptables -F INPUT
Description: Flushes (deletes) all rules from the given chain (table). If no chain and table name is given, all rules in all chains are deleted.

Command: -Z, --zero
Example: iptables -Z INPUT
Description: Zeroes all counters in the given chain. If no chain name is given, all chains are implied. When the -v option is used together with the -L command, the counters of packets matched by each rule are also displayed. -L and -Z may be used together; in that case the list of rules with their counters is printed first, and then the counters are zeroed.

Command: -N, --new-chain
Example: iptables -N allowed
Description: Creates a new chain with the given name in the given table. In the example above a new chain named allowed is created. The chain name must be unique and must not coincide with the reserved chain and target names (DROP, REJECT, etc.).

Command: -X, --delete-chain
Example: iptables -X allowed
Description: Deletes the given chain from the given table. The chain being deleted must contain no rules and must not be referenced from other chains. If no chain name is given, all chains created with the -N command in the given table are deleted.

Command: -P, --policy
Example: iptables -P INPUT DROP
Description: Sets the default policy for the given chain. The default policy defines the action applied to packets that do not match any rule in the chain. DROP, ACCEPT and REJECT may be used as the default policy.

Command: -E, --rename-chain
Example: iptables -E allowed disallowed
Description: The -E command renames a user-defined chain. In the example, the chain allowed is renamed to disallowed. Renaming does not change how anything works; it is purely cosmetic.

A command must always be given. The list of available commands can be viewed with iptables -h or, equivalently, iptables --help. Some commands can be used together with additional options. Below is a list of the additional options with a description of their effect. Note that the options used to build matches or targets are not listed here; those we will discuss later.

Table 3. Options

Option: -v, --verbose
Used with: --list, --append, --insert, --delete, --replace
Description: This option makes the output more verbose and is usually used with the --list command. When used with --list, the output also includes the interface name and the packet and byte counters for each rule. The counters are printed with the multiplier suffixes K (x1000), M (x1,000,000) and G (x1,000,000,000). To make --list print the full numbers (without multipliers), use the -x option described below. If -v, --verbose is used with --append, --insert, --delete or --replace, a detailed report of the operation performed is printed.

Option: -x, --exact
Used with: --list
Description: All numbers in the output are printed as exact values, without rounding and without the K, M, G multipliers. Note that this option is used only with the --list command and does not apply to other commands.

Option: -n, --numeric
Used with: --list
Description: Makes iptables print IP addresses and port numbers in numeric form, preventing attempts to resolve them to symbolic names. This option is used only with the --list command.

Option: --line-numbers
Used with: --list
Description: The --line-numbers option turns on line numbers when listing rules with the --list command. The line number corresponds to the rule's position in the chain. This option is used only with the --list command.

Option: -c, --set-counters
Used with: --insert, --append, --replace
Description: This option is used when creating a new rule to set the packet and byte counters to given values. For example, --set-counters 20 4000 sets the packet counter to 20 and the byte counter to 4000.

Option: --modprobe
Used with: All
Description: The --modprobe option specifies the command used to load kernel modules. It is used when your modprobe command is outside the search path. This option can be used with any command.

Matches

Here we look in more detail at the matches used to select packets. I have split all matches into five groups. The first is the generic matches, which may be used in any rule. The second is the TCP matches, which apply only to TCP packets. The third is the UDP matches, which apply only to UDP packets. The fourth is the ICMP matches, for working with ICMP packets. And finally the fifth is the special matches, such as state, owner, limit and so on.


Generic matches

Here we look at the generic matches. Generic matches may be used in any rule; they do not depend on the protocol type and do not require loading extension modules. I have put the --protocol match in this group even though it is used by some protocol-specific extensions. For example, if we decide to use a TCP match, we also have to use the --protocol match, passing it the protocol name, TCP, as an additional argument. However, --protocol is a match in its own right, used to specify the protocol type.

Table 4. Generic matches

Match -p, --protocol
Example iptables -A INPUT -p tcp
Description This match is used to specify the protocol type. Examples of protocols are TCP, UDP and ICMP. The list of protocols can be found in the file /etc/protocols. First of all, the three protocols mentioned above may be passed to this match by name, as may the keyword ALL. A protocol may also be given as a number, its protocol number; for example, 255 corresponds to the RAW IP protocol. The mapping between protocol numbers and names can be found in /etc/protocols, already mentioned. The match may also be given a comma-separated list of protocols, for example udp,tcp (although the author states that a list of protocols can be passed, nobody has yet managed to do it! Incidentally, man iptables explicitly states that only one protocol may be given in this match. Perhaps this extension exists in patch-o-matic? Translator's note). If the numeric value 0 is passed to this match, it is equivalent to the ALL specifier, which is assumed by default when the --protocol match is not used. To invert the match logically, the ! character is placed before the protocol name (or protocol list); for example, --protocol ! tcp means packets of any protocol except tcp.
Match -s, --src, --source
Example iptables -A INPUT -s 192.168.1.1
Description The source IP address(es) of the packet. The source address may be given as shown in the example, in which case a single IP address is meant. It may also be given in the form address/mask, for example 192.168.0.0/255.255.255.0, or in the more modern form 192.168.0.0/24, which in effect defines a range of addresses. As before, the ! character placed before the address means logical negation, i.e. --source ! 192.168.0.0/24 means any address except 192.168.0.x.
Match -d, --dst, --destination
Example iptables -A INPUT -d 192.168.1.1
Description The destination IP address(es) of the packet. The syntax is the same as for the --source match, except that it refers to the destination address. It can likewise specify either a single IP address or a range of addresses. The ! character is used for logical inversion of the match.
Match -i, --in-interface
Example iptables -A INPUT -i eth0
Description The interface the packet was received on. This match may be used only in the INPUT, FORWARD and PREROUTING chains; anywhere else it produces an error message. When this match is absent, any interface is assumed, which is equivalent to the match -i +. As before, the ! character inverts the result of the match. If the interface name ends with +, the match covers all interfaces whose names begin with the given string; for example -i PPP+ means any PPP interface, and -i ! eth+ means any interface except any eth interface.
Match -o, --out-interface
Example iptables -A FORWARD -o eth0
Description Specifies the name of the outgoing interface. This match may be used only in the OUTPUT, FORWARD and POSTROUTING chains; otherwise an error message is generated. When this match is absent, any interface is assumed, which is equivalent to the match -o +. As before, the ! character inverts the result of the match. If the interface name ends with +, the match covers all interfaces whose names begin with the given string; for example -o eth+ means any eth interface, and -o ! eth+ means any interface except any eth interface.
Match -f, --fragment
Example iptables -A INPUT -f
Description The rule applies to all fragments of a fragmented packet except the first. This is done because there is no way to determine the source/destination port of a packet fragment, or the type of an ICMP fragment. Fragmented packets can be used in attacks on your firewall, since packet fragments may not be caught by other rules. As before, the ! character may be used to invert the result of the comparison, only in this case ! must precede the -f match, for example ! -f. The inverted match is interpreted as "all first fragments of fragmented packets and/or unfragmented packets, but not the second and subsequent fragments of fragmented packets".

Implicit matches

In this section we look at the implicit matches, that is, the matches that are loaded implicitly and become available, for example, when the --protocol match is specified. At present there are three automatically loaded extensions: the TCP matches, the UDP matches and the ICMP matches (when building my own rules I found that I had to load these extensions explicitly, i.e. they were not loaded automatically. Translator's note). These extensions may also be loaded explicitly with the -m, --match option, for example -m tcp.


TCP matches

This extension depends on the protocol type and works only with TCP packets. To use these additional matches you must specify the protocol type --protocol tcp in the rule. Important: the --protocol tcp match must come before the protocol-specific match. These extensions are loaded automatically for the tcp protocol, as well as for the udp and icmp protocols. (I have already mentioned the implicit loading of extensions above. Translator's note)

Table 5. TCP matches

Match --sport, --source-port
Example iptables -A INPUT -p tcp --sport 22
Description The source port from which the packet was sent. The parameter may be a port number or the name of a network service. The mapping between service names and port numbers can be found in the file /etc/services. Rules run slightly faster when port numbers are given, although this is less convenient when reading script listings. If you are going to create large rule sets, say several hundred rules or more, port numbers are preferable.
Port numbers may be given as a range from a minimum to a maximum number, for example --source-port 22:80. If the minimum port is omitted, i.e. the match is written as --source-port :80, 0 is taken as the start of the range. If the maximum port is omitted, i.e. the match is written as --source-port 22:, 65535 is taken as the end of the range. The form --source-port 80:22 is also allowed; in this case iptables swaps 22 and 80, i.e. such a specification is converted to --source-port 22:80. As before, the ! character is used for inversion. Thus --source-port ! 22 means any port except 22. Inversion may also be applied to a port range, for example --source-port ! 22:80.
Match --dport, --destination-port
Example iptables -A INPUT -p tcp --dport 22
Description The port the packet is addressed to. Arguments are given in the same format as for --source-port.
Match --tcp-flags
Example iptables -p tcp --tcp-flags SYN,ACK,FIN SYN
Description Specifies the mask and flags of a TCP packet. A packet matches if, of the flags listed in the first list, exactly those in the second list are set. Thus, for the example above, the match covers packets in which the SYN flag is set and the FIN and ACK flags are cleared. The arguments may be the flags SYN, ACK, FIN, RST, URG, PSH, as well as the reserved identifiers ALL and NONE. ALL means ALL flags and NONE means NO flags. Thus the match --tcp-flags ALL NONE means that all flags in the packet must be cleared. As before, the ! character inverts the match. Important: flag names within each list must be separated by commas; a space separates the two lists.
Match --syn
Example iptables -p tcp --syn
Description The --syn match is essentially a relic carried over from ipchains. It matches packets with the SYN flag set and the ACK and FIN flags cleared. It is equivalent to --tcp-flags SYN,ACK,FIN SYN. Such packets are used to open a TCP connection. By blocking them you reliably block all incoming connection requests; however, this match cannot block outgoing connection requests. As before, the match may be inverted with !. Thus ! --syn means all packets that are not connection requests, i.e. all packets with the FIN or ACK flag set.
Match --tcp-option
Example iptables -p tcp --tcp-option 16
Description A packet satisfies this match if its TCP option equals the given number. A packet that does not have a complete TCP header is dropped automatically when an attempt is made to examine its TCP options. As before, the inversion flag [!] may be used.
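The two argument syntaxes in Table 5 that are easiest to get wrong are the port ranges of --source-port/--destination-port and the mask/compare pair of --tcp-flags. The following model reproduces both as the text describes them, and shows --syn as the special case --tcp-flags SYN,ACK,FIN SYN. It is an added example for this tutorial, not iptables code; the function names and the flag bit values (the standard TCP header bits) are mine.

```python
# Standard TCP flag bits as they appear in the TCP header.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20}
ALL_FLAGS = sum(TCP_FLAGS.values())

def parse_port_spec(spec):
    """Return (lo, hi) for '22', '22:80', ':80', '22:' or '80:22'.
    Following the --source-port description: a missing lower bound is 0,
    a missing upper bound is 65535, and a reversed range is swapped."""
    if ":" in spec:
        lo_s, hi_s = spec.split(":", 1)
        lo = int(lo_s) if lo_s else 0
        hi = int(hi_s) if hi_s else 65535
        if lo > hi:
            lo, hi = hi, lo
    else:
        lo = hi = int(spec)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError("port out of range: %r" % spec)
    return lo, hi

def port_matches(spec, port, invert=False):
    """--sport/--dport test for one packet; invert models the ! prefix."""
    lo, hi = parse_port_spec(spec)
    return (lo <= port <= hi) != invert

def flag_list(names):
    """'SYN,ACK,FIN' -> 0x13. ALL and NONE are the two reserved words."""
    if names == "ALL":
        return ALL_FLAGS
    if names == "NONE":
        return 0
    return sum(TCP_FLAGS[n] for n in names.split(","))

def parse_tcp_flags_arg(arg):
    """'SYN,ACK,FIN SYN' -> (mask, comp). Commas separate flags inside a
    list; the single space separates the mask list from the compare list."""
    mask_names, comp_names = arg.split()
    return flag_list(mask_names), flag_list(comp_names)

def tcp_flags_match(arg, packet_flags, invert=False):
    """--tcp-flags <mask> <comp>: of the flags in the mask, exactly those in
    comp must be set; bits outside the mask are not looked at."""
    mask, comp = parse_tcp_flags_arg(arg)
    return ((packet_flags & mask) == comp) != invert

def syn_match(packet_flags, invert=False):
    """--syn is shorthand for --tcp-flags SYN,ACK,FIN SYN."""
    return tcp_flags_match("SYN,ACK,FIN SYN", packet_flags, invert)

if __name__ == "__main__":
    for spec in ("22", "22:80", ":80", "22:", "80:22"):
        print("--source-port %-6s -> %s" % (spec, parse_port_spec(spec)))
    for name, flags in (("SYN", 0x02), ("SYN,ACK", 0x12), ("SYN,PSH", 0x0A), ("ACK", 0x10)):
        print("%-8s --syn: %-5s  ALL NONE: %s" % (name, syn_match(flags),
              tcp_flags_match("ALL NONE", flags)))
```

Note that a SYN,PSH packet still satisfies --syn, because PSH is outside the SYN,ACK,FIN mask and is therefore ignored; only ALL NONE (all bits cleared) or a mask that names PSH would react to it.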

UDP matches

This section covers the matches specific to the UDP protocol. These extensions are loaded automatically when the protocol type --protocol UDP is specified. It is important to note that UDP packets are not connection-oriented and therefore have no flags that would allow one to judge the purpose of a datagram. Receipt of UDP packets requires no acknowledgement from the receiver. If they are lost, they are simply lost (without triggering an ICMP error message). This implies a much smaller number of additional matches than for TCP packets. Important: a good firewall should handle packets of any type, UDP or ICMP, which are considered connectionless, as well as it handles TCP packets. We will talk about this later, in the following chapters.

Table 6. UDP matches

Match --sport, --source-port
Example iptables -A INPUT -p udp --sport 53
Description The source port from which the packet was sent. The parameter may be a port number or the name of a network service. The mapping between service names and port numbers can be found in the file /etc/services. Rules run slightly faster when port numbers are given, although this is less convenient when reading script listings. If you are going to create large rule sets, say several hundred rules or more, port numbers are preferable.
Port numbers may be given as a range from a minimum to a maximum number, for example --source-port 22:80. If the minimum port is omitted, i.e. the match is written as --source-port :80, 0 is taken as the start of the range. If the maximum port is omitted, i.e. the match is written as --source-port 22:, 65535 is taken as the end of the range. The form --source-port 80:22 is also allowed; in this case iptables swaps 22 and 80, i.e. such a specification is converted to --source-port 22:80. As before, the ! character is used for inversion. Thus --source-port ! 22 means any port except 22. Inversion may also be applied to a port range, for example --source-port ! 22:80.
Match --dport, --destination-port
Example iptables -A INPUT -p udp --dport 53
Description The port the packet is addressed to. The argument format is exactly the same as for the --source-port match.

ICMP matches

This protocol is used, as a rule, to transmit error messages and to control connections. It is not subordinate to the IP protocol, but works closely with it, since it helps to handle error conditions. ICMP packet headers are very similar to IP headers, but there are differences. The main property of this protocol is the header type, which carries the information about what kind of packet it is. For example, when we try to connect to an unreachable host, we receive an ICMP host unreachable message in reply. The full list of ICMP message types is given in the appendix ICMP types. There is only one match specific to ICMP packets. This extension is loaded automatically when we specify the --protocol ICMP match. Note that the generic matches may also be used to check ICMP packets, since the source address, destination address and so on are known.

Table 7. ICMP matches

Match --icmp-type
Example iptables -A INPUT -p icmp --icmp-type 8
Description The ICMP message type. The ICMP message type is specified by number or by name. The numeric values are defined in RFC 792. To get the list of ICMP type names, run iptables --protocol icmp --help, or see the appendix ICMP types. As before, the ! character inverts the match, for example --icmp-type ! 8.

Explicit matches

Before these extensions can be used they must be loaded explicitly, with the -m or --match option. So, for example, if we intend to use the state matches, we must say so explicitly in the rule, putting -m state to the left of the match being used. Some of these matches are still under development and so may not always work, but in most cases they work quite reliably. The only difference between explicit and implicit matches is that the former must be loaded explicitly, while the latter are loaded automatically.


MAC match

Table 8. MAC matches

The MAC match is used to check the source MAC address of a packet. At present the -m mac module provides only a single match, but it may be extended in the future and become more useful.

Note

The extension module must be loaded explicitly with -m mac. I mention this because many people forget to specify this option and then wonder why the match does not work.

Match --mac-source
Example iptables -A INPUT -m mac --mac-source 00:00:00:00:00:01
Description The MAC address of the network node that sent the packet. The MAC address must be given in the form XX:XX:XX:XX:XX:XX. As before, the ! character inverts the match, for example --mac-source ! 00:00:00:00:00:01, which means a packet from any node except the one with MAC address 00:00:00:00:00:01. This match makes sense only in the PREROUTING, FORWARD and INPUT chains and nowhere else.

Limit match

Must be loaded explicitly with -m limit. Well suited to rules that write to the system log (logging) and the like. By adding this match we set a limit on the number of packets per unit of time that the rule can let through. The ! character may be used for inversion, for example -m ! limit. In that case the packets pass the rule only after the limit has been exceeded.

Table 9. Limit match

Match --limit
Example iptables -A INPUT -m limit --limit 3/hour
Description Sets the maximum number of packets per unit of time to which this rule will be applied when all other conditions match. The argument is a number of packets and a time unit. The permitted time units are: /second /minute /hour /day. The default is 3 packets per hour, or 3/hour. The inversion flag [!] is not permitted in this match.
Match --limit-burst
Example iptables -A INPUT -m limit --limit-burst 5
Description Sets the maximum value of the burst limit for the limit match. This number is incremented by one whenever a packet matching the rule arrives while the average rate (set with --limit) has already been reached. This continues until the burst limit reaches the maximum set with --limit-burst. After that the rule lets packets through at the rate set with --limit. The default value is 5. To demonstrate how this match works I wrote the script limit-test.txt. With this script you can see how the limit match behaves by simply sending ping packets at various intervals.

Translator's note: for a very long time my understanding of the limit matches stayed at an intuitive level, until Vladimir Kholmanov (hat off, with the deepest bow) explained its essence to me simply and clearly. I will try to convey his explanation:

  1. The -m limit extension implies the presence of the --limit and --limit-burst options. If you do not specify these options, they take their default values.
  2. The --limit-burst option is the maximum value of the packet counter at which the limit kicks in.
  3. The --limit option is the rate at which the burst limit counter is "wound back".

A principle that is easily implemented in C and is widely used in many rate-limiting algorithms.
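The three points above describe a token bucket. The following model implements it as described, and replays the idea of limit-test.txt (packets arriving at different intervals) against a --limit/--limit-burst pair. It is an added example for this tutorial, not netfilter code: the kernel's ipt_limit module uses the same principle but its own fixed-point units, and the class and function names here are mine.

```python
# Time units accepted by --limit, in seconds.
UNITS = {"second": 1.0, "minute": 60.0, "hour": 3600.0, "day": 86400.0}

def parse_limit(spec):
    """'3/hour' -> packets per second (3 / 3600)."""
    count, unit = spec.split("/")
    return int(count) / UNITS[unit]

class LimitMatch:
    """State of one -m limit instance attached to a rule."""

    def __init__(self, limit="3/hour", burst=5):
        self.rate = parse_limit(limit)   # --limit: refill speed (tokens/second)
        self.burst = burst               # --limit-burst: bucket capacity
        self.tokens = float(burst)       # the bucket starts full
        self.last = None                 # time of the previous packet

    def match(self, now):
        """Return True if a packet arriving at time `now` (seconds) passes.
        Each passing packet costs one token; --limit is the speed at which
        the burst counter is wound back, never beyond --limit-burst."""
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

def simulate(arrivals, limit="3/hour", burst=5):
    """Feed a list of arrival times through one limit match; return verdicts."""
    m = LimitMatch(limit, burst)
    return [m.match(t) for t in arrivals]

if __name__ == "__main__":
    # Constructed trace: a burst of pings at t=0, then slower pings.
    # With --limit 1/second --limit-burst 3 only three of the burst pass.
    arrivals = [0, 0, 0, 0, 1, 2, 10]
    for t, ok in zip(arrivals, simulate(arrivals, "1/second", 3)):
        print("t=%2ds  %s" % (t, "match" if ok else "no match"))
```

Read together with the LOG target: a rule such as -m limit --limit 3/hour --limit-burst 5 -j LOG logs the first five matching packets immediately, then one every twenty minutes, which is what keeps a flood from filling the system log.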




Multiport extension

The multiport extension allows several ports and port ranges to be specified in a rule.

Note

You cannot use the standard port match and the -m multiport extension (for example --sport 1024:63353 -m multiport --dport 21,23,80) at the same time. Such rules are simply rejected by iptables.

Table 10. Multiport extension

Match --source-port
Example iptables -A INPUT -p tcp -m multiport --source-port 22,53,80,110
Description Specifies a list of source ports. Up to 15 different ports may be given with this match. The ports in the list must be separated by commas; spaces are not allowed in the list. This extension may be used only together with the -p tcp or -p udp match. It is used mainly as an extended version of the ordinary --source-port match.
Match --destination-port
Example iptables -A INPUT -p tcp -m multiport --destination-port 22,53,80,110
Description Specifies a list of destination ports. The argument format is exactly the same as for -m multiport --source-port.
Match --port
Example iptables -A INPUT -p tcp -m multiport --port 22,53,80,110
Description This match checks both the source and the destination port of the packet. The argument format is the same as for --source-port and --destination-port. Note that this match checks the ports in both directions, i.e. if you write -m multiport --port 80, the match covers packets going from port 80 to port 80.

òÁÓÛÉÒÅÎÉÅ Mark

òÁÓÛÉÒÅÎÉÅ mark ÐÒÅÄÏÓÔÁ×ÌÑÅÔ ×ÏÚÍÏÖÎÏÓÔØ "ÐÏÍÅÔÉÔØ" ÐÁËÅÔÙ ÓÐÅÃÉÁÌØÎÙÍ ÏÂÒÁÚÏÍ. Mark - ÓÐÅÃÉÁÌØÎÏÅ ÐÏÌÅ, ËÏÔÏÒÏÅ ÓÕÝÅÓÔ×ÕÅÔ ÔÏÌØËÏ × ÏÂÌÁÓÔÉ ÐÁÍÑÔÉ ÑÄÒÁ É Ó×ÑÚÁÎÏ Ó ËÏÎËÒÅÔÎÙÍ ÐÁËÅÔÏÍ. íÏÖÅÔ ÉÓÐÏÌØÚÏ×ÁÔØÓÑ × ÓÁÍÙÈ ÒÁÚÎÏÏÂÒÁÚÎÙÈ ÃÅÌÑÈ, ÎÁÐÒÉÍÅÒ, ÏÇÒÁÎÉÞÅÎÉÅ ÔÒÁÆÉËÁ É ÆÉÌØÔÒÁÃÉÑ. îÁ ÓÅÇÏÄÎÑÛÎÉÊ ÄÅÎØ ÓÕÝÅÓÔ×ÕÅÔ ÅÄÉÎÓÔ×ÅÎÎÁÑ ×ÏÚÍÏÖÎÏÓÔØ ÕÓÔÁÎÏ×ËÉ ÍÅÔËÉ ÎÁ ÐÁËÅÔ × Linux -- ÜÔÏ ÉÓÐÏÌØÚÏ×ÁÎÉÅ ÄÅÊÓÔ×ÉÑ MARK. ðÏÌÅ mark ÐÒÅÄÓÔÁ×ÌÑÅÔ ÓÏÂÏÊ ÂÅÚÚÎÁËÏ×ÏÅ ÃÅÌÏÅ ÞÉÓÌÏ × ÄÉÁÐÁÚÏÎÅ ÏÔ 0 ÄÏ 4294967296 ÄÌÑ 32-ÂÉÔÎÙÈ ÓÉÓÔÅÍ.

ôÁÂÌÉÃÁ 11. òÁÓÛÉÒÅÎÉÅ mark

ëÒÉÔÅÒÉÊ --mark
ðÒÉÍÅÒ iptables -t mangle -A INPUT -m mark --mark 1
ïÐÉÓÁÎÉÅ ëÒÉÔÅÒÉÊ ÐÒÏÉÚ×ÏÄÉÔ ÐÒÏ×ÅÒËÕ ÐÁËÅÔÏ×, ËÏÔÏÒÙÅ ÂÙÌÉ ÐÒÅÄ×ÁÒÉÔÅÌØÎÏ "ÐÏÍÅÞÅÎÙ". íÅÔËÉ ÕÓÔÁÎÁ×ÌÉ×ÁÀÔÓÑ ÄÅÊÓÔ×ÉÅÍ MARK, ËÏÔÏÒÏÅ ÍÙ ÂÕÄÅÍ ÒÁÓÓÍÁÔÒÉ×ÁÔØ ÎÉÖÅ. ÷ÓÅ ÐÁËÅÔÙ, ÐÒÏÈÏÄÑÝÉÅ ÞÅÒÅÚ netfilter ÉÍÅÀÔ ÓÐÅÃÉÁÌØÎÏÅ ÐÏÌÅ mark. úÁÐÏÍÎÉÔÅ, ÞÔÏ ÎÅÔ ÎÉËÁËÏÊ ×ÏÚÍÏÖÎÏÓÔÉ ÐÅÒÅÄÁÔØ ÓÏÓÔÏÑÎÉÅ ÜÔÏÇÏ ÐÏÌÑ ×ÍÅÓÔÅ Ó ÐÁËÅÔÏÍ × ÓÅÔØ. ðÏÌÅ mark Ñ×ÌÑÅÔÓÑ ÃÅÌÙÍ ÂÅÚÚÎÁËÏ×ÙÍ, ÔÁËÉÍ ÏÂÒÁÚÏÍ ÍÏÖÎÏ ÓÏÚÄÁÔØ ÎÅ ÂÏÌÅÅ 65535 ÒÁÚÌÉÞÎÙÈ ÍÅÔÏË. äÏÐÕÓËÁÅÔÓÑ ÉÓÐÏÌØÚÏ×ÁÔØ ÍÁÓËÕ Ó ÍÅÔËÁÍ. ÷ ÄÁÎÎÏÍ ÓÌÕÞÁÅ ËÒÉÔÅÒÉÊ ÂÕÄÅÔ ×ÙÇÌÑÄÅÔØ ÐÏÄÏÂÎÙÍ ÏÂÒÁÚÏÍ: --mark 1/1. åÓÌÉ ÕËÁÚÙ×ÁÅÔÓÑ ÍÁÓËÁ, ÔÏ ×ÙÐÏÌÎÑÅÔÓÑ ÌÏÇÉÞÅÓËÏÅ AND ÍÅÔËÉ É ÍÁÓËÉ.

òÁÓÛÉÒÅÎÉÅ owner

òÁÓÛÉÒÅÎÉÅ owner ÐÒÅÄÎÁÚÎÁÞÅÎÏ ÄÌÑ ÐÒÏ×ÅÒËÉ "×ÌÁÄÅÌØÃÁ" ÐÁËÅÔÁ. éÚÎÁÞÁÌØÎÏ ÄÁÎÎÏÅ ÒÁÓÛÉÒÅÎÉÅ ÂÙÌÏ ÎÁÐÉÓÁÎÏ ËÁË ÐÒÉÍÅÒ ÄÅÍÏÎÓÔÒÁÃÉÉ ×ÏÚÍÏÖÎÏÓÔÅÊ iptables. äÏÐÕÓËÁÅÔÓÑ ÉÓÐÏÌØÚÏ×ÁÔØ ÜÔÏÔ ËÒÉÔÅÒÉÊ ÔÏÌØËÏ × ÃÅÐÏÞËÅ OUTPUT. ôÁËÏÅ ÏÇÒÁÎÉÞÅÎÉÅ ÎÁÌÏÖÅÎÏ ÐÏÔÏÍÕ, ÞÔÏ ÎÁ ÓÅÇÏÄÎÑÛÎÉÊ ÄÅÎØ ÎÅÔ ÒÅÁÌØÎÏÇÏ ÍÅÈÁÎÉÚÍÁ ÐÅÒÅÄÁÞÉ ÉÎÆÏÒÍÁÃÉÉ Ï "×ÌÁÄÅÌØÃÅ" ÐÏ ÓÅÔÉ. óÐÒÁ×ÅÄÌÉ×ÏÓÔÉ ÒÁÄÉ ÓÌÅÄÕÅÔ ÏÔÍÅÔÉÔØ, ÞÔÏ ÄÌÑ ÎÅËÏÔÏÒÙÈ ÐÁËÅÔÏ× ÎÅ×ÏÚÍÏÖÎÏ ÏÐÒÅÄÅÌÉÔØ "×ÌÁÄÅÌØÃÁ" × ÜÔÏÊ ÃÅÐÏÞËÅ. ë ÔÁËÏÇÏ ÒÏÄÁ ÐÁËÅÔÁÍ ÏÔÎÏÓÑÔÓÑ ÒÁÚÌÉÞÎÙÅ ICMP responses. ðÏÜÔÏÍÕ ÎÅ ÓÌÅÄÕÅÔ ÕÐÏÔÒÅÂÌÑÔØ ÜÔÏÔ ËÒÉÔÅÒÉÊ Ë ICMP responses ÐÁËÅÔÁÍ.

ôÁÂÌÉÃÁ 12. òÁÓÛÉÒÅÎÉÅ owner

ëÒÉÔÅÒÉÊ --uid-owner
ðÒÉÍÅÒ iptables -A OUTPUT -m owner --uid-owner 500
ïÐÉÓÁÎÉÅ ðÒÏÉÚ×ÏÄÉÔÓÑ ÐÒÏ×ÅÒËÁ "×ÌÁÄÅÌØÃÁ" ÐÏ User ID (UID). ðÏÄÏÂÎÏÇÏ ÒÏÄÁ ÐÒÏ×ÅÒËÁ ÍÏÖÅÔ ÉÓÐÏÌØÚÏ×ÁÔØÓÑ, Ë ÐÒÉÍÅÒÕ, ÄÌÑ ÂÌÏËÉÒÏ×ËÉ ×ÙÈÏÄÁ × éÎÔÅÒÎÅÔ ÏÔÄÅÌØÎÙÈ ÐÏÌØÚÏ×ÁÔÅÌÅÊ.
ëÒÉÔÅÒÉÊ --gid-owner
ðÒÉÍÅÒ iptables -A OUTPUT -m owner --gid-owner 0
ïÐÉÓÁÎÉÅ ðÒÏÉÚ×ÏÄÉÔÓÑ ÐÒÏ×ÅÒËÁ "×ÌÁÄÅÌØÃÁ" ÐÁËÅÔÁ ÐÏ Group ID (GID).
ëÒÉÔÅÒÉÊ --pid-owner
ðÒÉÍÅÒ iptables -A OUTPUT -m owner --pid-owner 78
ïÐÉÓÁÎÉÅ ðÒÏÉÚ×ÏÄÉÔÓÑ ÐÒÏ×ÅÒËÁ "×ÌÁÄÅÌØÃÁ" ÐÁËÅÔÁ ÐÏ Process ID (PID). üÔÏÔ ËÒÉÔÅÒÉÊ ÄÏÓÔÁÔÏÞÎÏ ÓÌÏÖÅÎ × ÉÓÐÏÌØÚÏ×ÁÎÉÉ, ÎÁÐÒÉÍÅÒ, ÅÓÌÉ ÍÙ ÈÏÔÉÍ ÐÏÚ×ÏÌÉÔØ ÐÅÒÅÄÁÞÕ ÐÁËÅÔÏ× ÎÁ HTTP ÐÏÒÔ ÔÏÌØËÏ ÏÔ ÚÁÄÁÎÎÏÇÏ ÄÅÍÏÎÁ, ÔÏ ÎÁÍ ÐÏÔÒÅÂÕÅÔÓÑ ÎÁÐÉÓÁÔØ ÎÅÂÏÌØÛÏÊ ÓÃÅÎÁÒÉÊ, ËÏÔÏÒÙÊ ÐÏÌÕÞÁÅÔ PID ÐÒÏÃÅÓÓÁ (ÈÏÔÑÂÙ ÞÅÒÅÚ ps) É ÚÁÔÅÍ ÐÏÄÓÔÁ×ÌÑÅÔ ÎÁÊÄÅÎÎÙÊ PID × ÐÒÁ×ÉÌÁ. ðÒÉÍÅÒ ÉÓÐÏÌØÚÏ×ÁÎÉÑ ËÒÉÔÅÒÉÑ ÍÏÖÎÏ ÎÁÊÔÉ × pid-owner.txt.
ëÒÉÔÅÒÉÊ --sid-owner
ðÒÉÍÅÒ iptables -A OUTPUT -m owner --sid-owner 100
ïÐÉÓÁÎÉÅ ðÒÏÉÚ×ÏÄÉÔÓÑ ÐÒÏ×ÅÒËÁ Session ID ÐÁËÅÔÁ. úÎÁÞÅÎÉÅ SID ÎÁÓÌÅÄÕÀÔÓÑ ÄÏÞÅÒÎÉÍÉ ÐÒÏÃÅÓÓÁÍÉ ÏÔ "ÒÏÄÉÔÅÌÑ", ÔÁË, ÎÁÐÒÉÍÅÒ, ×ÓÅ ÐÒÏÃÅÓÓÙ HTTPD ÉÍÅÀÔ ÏÄÉÎ É ÔÏÔ ÖÅ SID (ÐÒÉÍÅÒÏÍ ÔÁËÉÈ ÐÒÏÃÅÓÓÏ× ÍÏÇÕÔ ÓÌÕÖÉÔØ HTTPD Apache É Roxen). ðÒÉÍÅÒ ÉÓÐÏÌØÚÏ×ÁÎÉÑ ÜÔÏÇÏ ËÒÉÔÅÒÉÑ ÍÏÖÎÏ ÎÁÊÔÉ × sid-owner.txt. üÔÏÔ ÓÃÅÎÁÒÉÊ ÍÏÖÎÏ ÚÁÐÕÓËÁÔØ ÐÏ ×ÒÅÍÅÎÉ ÄÌÑ ÐÒÏ×ÅÒËÉ ÎÁÌÉÞÉÑ ÐÒÏÃÅÓÓÁ HTTPD, É × ÓÌÕÞÁÅ ÏÔÓÕÔÓÔ×ÉÑ - ÐÅÒÅÚÁÐÕÓÔÉÔØ "ÕÐÁ×ÛÉÊ" ÐÒÏÃÅÓÓ, ÐÏÓÌÅ ÞÅÇÏ ÓÂÒÏÓÉÔØ ÓÏÄÅÒÖÉÍÏÅ ÃÅÐÏÞËÉ OUTPUT É ××ÅÓÔÉ ÅÅ ÓÎÏ×Á.

State match

The state match is used together with the connection tracking code and lets us obtain the connection tracking state of a packet, which tells us the state of the connection, even for protocols such as ICMP and UDP. This extension must be loaded explicitly with -m state. The connection state mechanism is discussed in more detail in the section The state machine.

Table 13. State matches

Match --state
Example iptables -A INPUT -m state --state RELATED,ESTABLISHED
Description Checks the connection state (state). At present 4 states may be specified: INVALID, ESTABLISHED, NEW and RELATED. INVALID means that the packet is associated with an unknown stream or connection and possibly contains an error in its data or header. ESTABLISHED means that the packet belongs to an already established connection through which packets travel in both directions. NEW means that the packet opens a new connection or belongs to a one-directional stream. Finally, RELATED means that the packet belongs to an already existing connection but at the same time opens a new connection. Examples are an FTP data transfer, or an ICMP error message related to an existing TCP or UDP connection. Note that the NEW state is not the same as the SYN bit being set in the TCP packets that open a new connection, and packets of this kind may be potentially dangerous when you use a single firewall to protect your network. This problem is discussed in more detail later in this document, in the section NEW packets with the SYN bit cleared.
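The four states in Table 13 are easier to reason about with a small connection tracker in front of you. The model below is an added example for this tutorial, not the kernel's conntrack code (which also tracks timeouts, TCP window state and protocol helpers such as FTP); it keeps one table of original-direction 5-tuples and classifies each packet the way the text describes, including the point that a packet with no known connection is NEW whether or not its SYN bit is set.

```python
# TCP flag bits used in the constructed trace.
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

class ConnTrack:
    """Tracks connections by their 5-tuple and classifies each packet."""

    def __init__(self):
        # original-direction tuple -> whether a reply has been seen
        self.table = {}

    @staticmethod
    def tuple_of(p, reverse=False):
        if reverse:
            return (p["proto"], p["dst"], p.get("dport"), p["src"], p.get("sport"))
        return (p["proto"], p["src"], p.get("sport"), p["dst"], p.get("dport"))

    def classify(self, p):
        """Return NEW / ESTABLISHED / RELATED / INVALID for packet p and
        update the table as the kernel would for a packet that is accepted."""
        if p["proto"] == "icmp" and "inner" in p:
            # An ICMP error quotes the header of the packet that caused it;
            # if that header belongs to a tracked connection, it is RELATED.
            inner = p["inner"]
            known = (self.tuple_of(inner) in self.table
                     or self.tuple_of(inner, reverse=True) in self.table)
            return "RELATED" if known else "INVALID"
        if p["proto"] == "tcp" and p.get("flags", 0) == 0:
            return "INVALID"          # a TCP segment with no flags is malformed
        key, rkey = self.tuple_of(p), self.tuple_of(p, reverse=True)
        if key in self.table:
            # Same direction as before: ESTABLISHED only once traffic has been
            # seen both ways; a one-directional stream stays NEW.
            return "ESTABLISHED" if self.table[key] else "NEW"
        if rkey in self.table:
            self.table[rkey] = True    # first reply: the connection is now two-way
            return "ESTABLISHED"
        # Nothing known in either direction: NEW. This does not require the SYN
        # flag; a stray ACK is NEW too, which is the problem the text refers to.
        self.table[key] = False
        return "NEW"

def classify_trace(packets):
    ct = ConnTrack()
    return [ct.classify(p) for p in packets]

def demo_trace():
    """Constructed packet trace: a TCP handshake, a UDP DNS exchange, an ICMP
    error about the DNS flow, a stray ACK and a flag-less TCP segment."""
    c = {"proto": "tcp", "src": "10.0.0.2", "sport": 40000, "dst": "192.0.2.1", "dport": 22}
    s = {"proto": "tcp", "src": "192.0.2.1", "sport": 22, "dst": "10.0.0.2", "dport": 40000}
    q = {"proto": "udp", "src": "10.0.0.2", "sport": 5353, "dst": "192.0.2.53", "dport": 53}
    r = {"proto": "udp", "src": "192.0.2.53", "sport": 53, "dst": "10.0.0.2", "dport": 5353}
    return [
        dict(c, flags=SYN),                                   # NEW
        dict(s, flags=SYN | ACK),                             # ESTABLISHED (reply)
        dict(c, flags=ACK),                                   # ESTABLISHED
        q,                                                    # NEW (UDP has no flags)
        r,                                                    # ESTABLISHED
        {"proto": "icmp", "src": "192.0.2.53", "dst": "10.0.0.2", "inner": q},  # RELATED
        {"proto": "tcp", "src": "198.51.100.9", "sport": 1234,
         "dst": "10.0.0.2", "dport": 80, "flags": ACK},       # NEW, although no SYN
        {"proto": "tcp", "src": "198.51.100.9", "sport": 1235,
         "dst": "10.0.0.2", "dport": 80, "flags": 0},         # INVALID
    ]

if __name__ == "__main__":
    for p, state in zip(demo_trace(), classify_trace(demo_trace())):
        print("%-4s %-14s -> %-14s %s" % (p["proto"], p["src"], p["dst"], state))
```

The second-to-last packet is the case to remember: -m state --state NEW alone accepts it, so a rule that only allows NEW packets still lets a lone ACK through unless it is combined with a check on the SYN flag.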

The "garbage" match (Unclean match)

The unclean match has no additional options, and to use it, it is enough to load the module explicitly. Be careful: this module is still under development and so may work incorrectly in some situations. This check is performed to single out packets that deviate from the accepted standards; these may be packets with a damaged header or an invalid checksum and so on. However, using this check may also break a perfectly valid connection.


TOS match

The TOS match is intended for checking the bits of the TOS field. TOS, Type Of Service, is an 8-bit field in the IP packet header. The module must be loaded explicitly with -m tos.

Translator's note: the following description of the TOS field is not taken from the original, since I find the original description somewhat vague.
This field serves the needs of packet routing. Setting any bit may cause a router to handle the packet differently from a packet with the TOS bits cleared. Each bit of the TOS field has its own meaning. Only one of the bits of this field may be set in a packet, so combinations are not allowed. Each bit defines a type of network service:
Minimum delay
Used in situations where the packet's transmission time must be minimal, i.e. when possible the router will choose a faster link for such a packet. For example, given a choice between a fibre-optic line and a satellite link, the faster fibre will be preferred.
Maximum throughput
Indicates that the packet should be forwarded over the link with the maximum throughput. For example, satellite links, although they have higher delay, have high throughput.
Maximum reliability
The most reliable route is chosen, to avoid having to retransmit the packet. Examples are PPP and SLIP connections, which are less reliable than, say, X.25 networks, so a network provider may provide a special route with increased reliability.
Minimum cost
Used in cases where it is important to minimise the cost (in terms of money) of transmitting data. For example, for transmission across the ocean (to another continent), renting a satellite link may turn out cheaper than renting a fibre-optic cable. Setting this bit may well cause the packet to take a "cheaper" route.
Normal service
In this situation all bits of the TOS field are cleared. Routing of such a packet is left entirely to the provider's discretion.

Table 14. TOS match

Match --tos
Example iptables -A INPUT -p tcp -m tos --tos 0x16
Description This match is intended for checking the TOS bits described above. The field is usually used for routing purposes, but it may well be used to "mark" packets for use with iproute2 and advanced routing in Linux. The argument may be a decimal or hexadecimal number, or the mnemonic name of a bit; the mnemonics and their numeric values can be obtained by running iptables -m tos -h. The mnemonics and their values are listed below.
Minimize-Delay 16 (0x10) (Minimum delay),
Maximize-Throughput 8 (0x08) (Maximum throughput),
Maximize-Reliability 4 (0x04) (Maximum reliability),
Minimize-Cost 2 (0x02) (Minimum cost),
Normal-Service 0 (0x00) (Normal service).

TTL match

TTL (Time To Live) is a numeric field in the IP header. Each time the packet passes through a router, this number is decremented by 1. If the number reaches zero, an ICMP message of type 11 with code 0 (TTL equals 0 during transit) or code 1 (TTL equals 0 during reassembly) is sent to the packet's sender. To use this match the module must be loaded explicitly with -m ttl.

Translator's note: once again a discrepancy between the original text and reality has surfaced; at least for iptables 1.2.6a, which is the version actually under discussion, there are three different matches for checking the TTL field: -m ttl --ttl-eq number, -m ttl --ttl-lt number and -m ttl --ttl-gt number. The purpose of these matches is evident from their syntax.
Nevertheless, I give the translation of the original anyway:

Table 15. TTL match

Match --ttl
Example iptables -A OUTPUT -m ttl --ttl 60
Description Checks the TTL field for equality with the given value. This match can be used when debugging a local network, for example when some machine on the LAN cannot connect to a server on the Internet, or for finding "trojans" and so on. In general, the uses of this field are limited only by your imagination. Another example: this match can be used to find machines with a poor TCP/IP stack implementation or with errors in the OS configuration.

Targets and jumps

Targets and jumps tell the rule what to do if the packet matches the given criteria. The most commonly used targets are ACCEPT and DROP. However, let us first briefly look at the concept of jumps.

A jump is specified in a rule exactly like a target, i.e. with the -j option followed by the name of the chain to jump to. Jumps are subject to a number of restrictions: first, the chain being jumped to must be in the same table as the chain the jump is made from; second, the chain that is the target of the jump must be created before jumps to it are made. For example, let us create the chain tcp_packets in the filter table with the command iptables -N tcp_packets. Now we can jump to this chain like this: iptables -A INPUT -p tcp -j tcp_packets. That is, on encountering a tcp packet, iptables jumps to the tcp_packets chain and continues passing the packet through that chain. If the packet reaches the end of the chain, it is returned to the calling chain (in our case the INPUT chain) and continues from the rule following the one that made the jump. If the ACCEPT target is applied to the packet in the nested chain, the packet is automatically considered accepted in the calling chain as well and does not continue through the calling chains. However, the packet will still pass through other chains in other tables. More information on the order in which chains and tables are traversed can be found in the chapter Traversing of tables and chains.

A target is a predefined command describing the action to take if the packet matched the given criteria. For example, we can apply the DROP or ACCEPT target to a packet, depending on our needs. There are a number of other targets, described below in this section. As a result of some targets the packet stops traversing the chain, for example DROP and ACCEPT; as a result of others, after some operation is performed, it continues to be checked, for example LOG; as a result of still others it is even modified, for example DNAT and SNAT, TTL and TOS, but likewise continues through the chain.


ACCEPT target

This target has no additional options. If the ACCEPT target is applied to a packet, the packet stops traversing the chain (and all calling chains, if the current chain was nested) and is considered ACCEPTED (that is, let through); nevertheless, the packet continues through the chains in other tables and may be rejected there. The target is specified with -j ACCEPT.


DROP target

This target simply "drops" the packet and iptables "forgets" about its existence. "Dropped" packets stop traversing completely, i.e. they are not passed on to other tables, as happens with the ACCEPT target. Bear in mind that this target may have negative consequences, since it may leave unclosed "dead" sockets on both the server and the client side; the best protection is to use the REJECT target, especially when protecting against port scans.


QUEUE target

The QUEUE target queues the packet for processing by a user-space process. It may be used for accounting, proxying or additional packet filtering.

Translator's note: here the author goes on at length about how a discussion of this topic is far beyond the scope of this document and so on, so without further ado I give here an excerpt from the Linux 2.4 Packet Filtering HOWTO as translated by Evgeny Danilchenko aka virii5, eugene@kriljon.ru

"...For this target to be useful, two further components are needed:

  • a "queue handler", which does the work of passing packets between the kernel and the user-space application; and
  • a user-space application that receives, possibly manipulates, and decides the fate of packets.
The standard queue handler for IPv4 is the ip_queue module, which is distributed with the kernel and marked as experimental. Below is an example of how iptables can be used to pass packets to a user-space application:
# modprobe iptable_filter
# modprobe ip_queue
# iptables -A OUTPUT -p icmp -j QUEUE
ó ÜÔÉÍ ÐÒÁ×ÉÌÏÍ, ÓÏÚÄÁÎÎÙÅ ÌÏËÁÌØÎÏ ÐÁËÅÔÙ ICMP ÔÉÐÁ (ÔÁËÉÅ, ÞÔÏ ÓÏÚÄÁÀÔÓÑ ÓËÁÖÅÍ ÐÒÉ ÐÏÍÏÝÉ ËÏÍÁÎÄÙ ping) ÐÏÐÁÄÁÀÔ × ÍÏÄÕÌØ ip_queue, ËÏÔÏÒÙÊ ÚÁÔÅÍ ÐÙÔÁÅÔÓÑ ÐÅÒÅÄÁÔØ ÉÈ × ÐÏÌØÚÏ×ÁÔÅÌØÓËÏÅ ÐÒÉÌÏÖÅÎÉÅ. åÓÌÉ ÎÉ ÏÄÎÏ ÉÚ ÔÁËÉÈ ÐÒÉÌÏÖÅÎÉÊ ÎÅ ÎÁÊÄÅÎÏ, ÐÁËÅÔÙ ÓÂÒÁÓÙ×ÁÀÔÓÑ. þÔÏÂÙ ÎÁÐÉÓÁÔØ ÐÏÌØÚÏ×ÁÔÅÌØÓËÕÀ ÐÒÏÇÒÁÍÍÕ ÏÂÒÁÂÏÔËÉ ÐÁËÅÔÏ×, ÉÓÐÏÌØÚÕÊÔÅ libipq API. ïÎÏ ÒÁÓÐÒÏÓÔÒÁÎÑÅÔÓÑ Ó ÐÁËÅÔÏÍ iptables. ðÒÉÍÅÒÙ ÍÏÖÎÏ ÎÁÊÔÉ × testsuite tools (ÎÁÐÒÉÍÅÒ redirect.c) ÎÁ CVS. óÔÁÔÕÓ ip_queue ÍÏÖÎÏ ÐÒÏ×ÅÒÉÔØ Ó ÐÏÍÏÝØÀ: /proc/net/ip_queue íÁËÓÉÍÁÌØÎÕÀ ÄÌÉÎÎÕ ÏÞÅÒÅÄÉ (ÔÏ ÅÓÔØ, ÞÉÓÌÏ ÐÁËÅÔÏ× ÐÅÒÅÄÁ×ÁÅÍÙÈ × ÐÏÌØÚÏ×ÁÔÅÌØÓËÏÅ ÐÒÉÌÏÖÅÎÉÅ ÂÅÚ ÐÏÄÔ×ÅÒÖÄÅÎÉÑ ÏÂÒÁÂÏÔËÉ) ÍÏÖÎÏ ËÏÎÔÒÏÌÉÒÏ×ÁÔØ Ó ÐÏÍÏÝØÀ: /proc/sys/net/ipv4/ip_queue_maxlen ðÏ ÕÍÏÌÞÁÎÉÀ - ÍÁËÓÉÍÁÌØÎÁÑ ÄÌÉÎÎÁ ÏÞÅÒÅÄÉ ÒÁ×ÎÁ 1024. ëÁË ÔÏÌØËÏ ÜÔÏÔ ÐÒÅÄÅÌ ÄÏÓÔÉÇÁÅÔÓÑ, ÎÏ×ÙÅ ÐÁËÅÔÙ ÂÕÄÕÔ ÓÂÒÁÓÙ×ÁÔØÓÑ, ÐÏËÁ ÏÞÅÒÅÄØ ÎÅ ÓÎÉÚÉÔØÓÑ ÎÉÖÅ ÄÁÎÎÏÇÏ ÐÒÅÄÅÌÁ. èÏÒÏÛÉÅ ÐÒÏÔÏËÏÌÙ, ÔÁËÉÅ ËÁË TCP ÉÎÔÅÒÐÒÅÔÉÒÕÀÔ ÓÂÒÏÛÅÎÎÙÅ ÐÁËÅÔÙ ËÁË ÐÅÒÅÇÒÕÖÅÎÎÏÓÔØ ËÁÎÁÌÁ ÐÅÒÅÄÁÞÉ, É ÕÓÐÅÛÎÏ Ó ÜÔÉÍ ÓÐÒÁ×ÌÑÀÔÓÑ (ÎÁÓËÏÌØËÏ Ñ ÐÏÍÎÀ, ÐÁËÅÔ ÂÕÄÅÔ ÐÒÏÓÔÏ ÐÅÒÅÓÌÁÎ ÚÁÎÏ×Ï ÕÄÁÌÅÎÎÏÊ ÓÔÏÒÏÎÏÊ, ÐÒÉÍ. ÐÅÒÅ×ÏÄ.). ïÄÎÁËÏ, ÍÏÖÅÔ ÐÏÔÒÅÂÏ×ÁÔØÓÑ ÎÅËÏÔÏÒÏÇÏ ÒÏÄÁ ÜËÓÐÅÒÅÍÅÎÔÉÒÏ×ÁÎÉÅ, ÞÔÏÂÙ ÏÐÒÅÄÅÌÉÔØ ÏÐÔÉÍÁÌØÎÕÀ ÄÌÉÎÎÕ ÏÞÅÒÅÄÉ × ËÁÖÄÏÍ ËÏÎËÒÅÔÎÏÍ ÓÌÕÞÁÅ, ÅÓÌÉ ÐÏ ÕÍÏÌÞÁÎÉÀ ÏÞÅÒÅÄØ ÓÌÉÛËÏÍ ÍÁÌÁ..."




RETURN target

The RETURN target stops the packet's traversal of the current chain and returns it to the calling chain if the current chain was a subchain; if the current chain is a top-level chain (for example INPUT), the chain's default policy is applied to the packet. Usually the default policy is set to ACCEPT or DROP.

For example, suppose a packet is traversing the INPUT chain and hits a rule that jumps to a subchain, --jump EXAMPLE_CHAIN. In EXAMPLE_CHAIN the packet then hits a rule whose target is --jump RETURN. The packet is then returned to the INPUT chain. In another example, suppose the packet hits a rule with --jump RETURN in the INPUT chain itself. Then the default policy of the INPUT chain is applied to the packet.


LOG target

LOG is a target used for logging individual packets and events. It can log the IP headers of packets and other information of interest to you. The logged information can then be read with dmesg or syslogd, or with other programs. It is an excellent tool for debugging your rules. While debugging a rule set it is a good idea to use the LOG target in place of DROP, so that you can confirm that your firewall behaves exactly as intended. Take a look at the ULOG target as well; it is likely to interest you with its capabilities, since it can write the logged information not to the system log but to a MySQL database and the like.

Note: if you have problems with messages reaching the system log, that is not a problem with iptables or netfilter but with syslogd. For information on configuring syslogd see man syslog.conf.

LOG has five options, listed below.

Table 17. Options for the LOG target

Option: --log-level
Example: iptables -A FORWARD -p tcp -j LOG --log-level debug
Explanation: Sets the log level (priority) of the messages. The full list of levels is in the syslog.conf manual page. Normally the following levels can be used: debug, info, notice, warning, warn, err, error, crit, alert, emerg and panic. The keyword error means the same as err, warn the same as warning and panic the same as emerg. Important: of these three pairs, error, warn and panic should not be used. The priority determines how the messages are handled by the logger. All messages are logged through the kernel facility. If you put the line kern.=info /var/log/iptables in syslog.conf, all your iptables messages logged at level info will go to the file /var/log/iptables. Note, however, that this file will also receive other messages from other subsystems that use level info. For more information on syslog and syslog.conf I recommend the manpages and HOWTOs.

Option: --log-prefix
Example: iptables -A INPUT -p tcp -j LOG --log-prefix "INPUT packets"
Explanation: Specifies a text prefix that is prepended to every iptables log message. Messages with a distinctive prefix are then easy to find, for example with grep. The prefix may be up to 29 characters long, spaces included.

Option: --log-tcp-sequence
Example: iptables -A INPUT -p tcp -j LOG --log-tcp-sequence
Explanation: Logs the TCP sequence number of the packet. The TCP sequence number identifies each packet in a stream and determines the order in which the stream is reassembled. This option is a potential security risk if the system log is READABLE by all users, as is any other log that contains iptables messages.

Option: --log-tcp-options
Example: iptables -A FORWARD -p tcp -j LOG --log-tcp-options
Explanation: Logs various details from the TCP header of the packet. This can be useful when debugging. Like most LOG options, it takes no additional arguments.

Option: --log-ip-options
Example: iptables -A FORWARD -p tcp -j LOG --log-ip-options
Explanation: Logs various details from the IP header of the packet. Much like --log-tcp-options, but works on the IP header only.
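As an added example (not part of the tutorial), here is the reading side of --log-prefix: a small POSIX shell script that picks iptables LOG messages out of a syslog file by their prefix and summarises them per source address and per destination port. The log lines it writes are constructed samples in the layout the kernel LOG target produces (IN=, OUT=, SRC=, DST=, PROTO=, SPT= and DPT= are the real field names; the host name, addresses, interfaces and timestamps are made up). One caveat worth knowing: the kernel prints the prefix immediately before "IN=", so a prefix without a trailing space, such as "INPUT packets" in the table above, yields "INPUT packetsIN=eth0" in the log. The sample therefore assumes a prefix ending in a space.

```shell
#!/bin/sh
# Added example, not from the tutorial: reading back what the LOG target
# writes. The rule assumed to have produced the sample lines is
#   iptables -A INPUT -p tcp -j LOG --log-prefix "INPUT packets: "
# (note the trailing space: the kernel prints the prefix directly before
# "IN=", so without it the log would read "INPUT packets:IN=eth0").

# Write a constructed syslog excerpt to the file named in $1. Field names
# (IN= OUT= SRC= DST= PROTO= SPT= DPT= ...) follow the kernel LOG format;
# host name, addresses, interfaces and timestamps are made up.
make_sample_log() {
    cat > "$1" <<'EOF'
Mar  1 10:00:01 fw kernel: INPUT packets: IN=eth0 OUT= SRC=10.0.0.5 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  1 10:00:02 fw kernel: INPUT packets: IN=eth0 OUT= SRC=10.0.0.5 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40002 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  1 10:00:03 fw kernel: INPUT packets: IN=eth0 OUT= SRC=10.0.0.9 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=40003 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  1 10:00:04 fw sshd[123]: Accepted publickey for alice from 10.0.0.7 port 51000
Mar  1 10:00:05 fw kernel: FORWARD packets: IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=198.51.100.7 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=4 DF PROTO=TCP SPT=50000 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
EOF
}

# Select the kernel LOG lines carrying one prefix ($1) from the file $2.
log_lines() {
    grep -F "kernel: $1 " "$2"
}

# Logged packets per source address for one prefix: "<count> <SRC>" lines,
# most frequent first.
count_by_src() {
    log_lines "$1" "$2" \
      | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $1, $2 }'
}

# Destination ports one source ($1) hit under prefix ($2) in file ($3),
# ascending and space separated: a crude port-scan indicator.
ports_from_src() {
    log_lines "$2" "$3" \
      | grep -F "SRC=$1 " \
      | sed -n 's/.*DPT=\([0-9]*\).*/\1/p' \
      | sort -n | uniq | tr '\n' ' ' | sed 's/ $//'
}

# Usage:
#   f=$(mktemp); make_sample_log "$f"
#   count_by_src "INPUT packets:" "$f"              # 2 10.0.0.5 / 1 10.0.0.9
#   ports_from_src 10.0.0.5 "INPUT packets:" "$f"   # 22 23
```

The same functions work on a real /var/log/iptables produced by the kern.=info line described in the table; only the prefix and the file name change.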

MARK target

Used to set a mark value on particular packets. This target can only be used in the mangle table. Marks are normally used for routing packets along different routes, for traffic limiting and so on. See the LARTC HOWTO for more information. Keep in mind that the "mark" of a packet exists only as long as the packet has not left the firewall, i.e. the mark is not transmitted over the network. If you need to mark packets so that the marking can be used on another machine, try manipulating the bits of the TOS field instead.

Table 18. Options for the MARK target

Option: --set-mark
Example: iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-mark 2
Explanation: The --set-mark option sets the mark on the packet. It must be followed by an unsigned integer.

REJECT target

REJECT is generally used in the same situations as DROP, but unlike DROP, REJECT sends an error message back to the host that sent the packet. At present the REJECT target "works" only in the INPUT, FORWARD and OUTPUT chains (and in chains called from them). So far there is only one option controlling the behaviour of REJECT.

Table 19. REJECT target

Option: --reject-with
Example: iptables -A FORWARD -p TCP --dport 22 -j REJECT --reject-with tcp-reset
Explanation: Specifies which reply is to be sent back when a packet matches the rule. When the REJECT target is applied to a packet, the specified reply is first sent to the sending host and the packet is then "dropped". The following reply types may be used: icmp-net-unreachable, icmp-host-unreachable, icmp-port-unreachable, icmp-proto-unreachable, icmp-net-prohibited and icmp-host-prohibited. The default is port-unreachable. All of the above are ICMP error messages; more information on ICMP message types is in the appendix ICMP Types. Finally there is one more reply type, tcp-reset, which is used only with the TCP protocol. If tcp-reset is specified, the REJECT target answers with a TCP RST packet; TCP RST packets are used to close TCP connections. For more information see RFC 793 - Transmission Control Protocol. (The list of ICMP reply types and their aliases can be obtained with the command iptables -j REJECT -h, translator's note.)

TOS target

The TOS target is used to set bits in the Type of Service field of the IP header. The TOS field is 8 bits wide and is used in routing packets. It is one of the several fields used by iproute2. It is also important to remember that this field may be examined by various routers in order to choose the route a packet takes. As already mentioned, unlike MARK this field keeps its value while the packet travels across the network, and can therefore be used for routing the packet. Today most routers on the Internet ignore this field, but there are some that do look at it. If you use this field for your own purposes, such routers may make wrong routing decisions, so it is best to use the field for your own purposes only within your own WAN or LAN.

Caution

The TOS target accepts only the predefined numeric values and mnemonics that you can find in linux/ip.h. If you really need to set arbitrary values in the TOS field, you can use the FTOS patch by Matthew G. Marsh. Be extremely careful with this patch, though. Non-standard TOS values should not be used except in special situations.

Note

This target may only be used in the mangle table.

Note

In some older versions of iptables (1.2.2 and below) this target was implemented with a bug (the packet checksum was not recalculated), which breaks the protocol exchange, and as a result such connections do not work.

The TOS target has only one option, described below.

Table 20. TOS target

Option: --set-tos
Example: iptables -t mangle -A PREROUTING -p TCP --dport 22 -j TOS --set-tos 0x10
Explanation: The --set-tos option specifies a numeric value in decimal or hexadecimal. Since the TOS field is 8 bits wide, you can specify a number from 0 to 255 (0x00 - 0xFF). Most values of this field, however, are not used at all. It is quite possible that future TCP/IP implementations will change the numeric values, so to avoid errors it is better to use the mnemonic names: Minimize-Delay (16 or 0x10), Maximize-Throughput (8 or 0x08), Maximize-Reliability (4 or 0x04), Minimize-Cost (2 or 0x02) or Normal-Service (0 or 0x00). By default most packets are marked Normal-Service, or 0. The list of mnemonics can be obtained by running iptables -j TOS -h.

MIRROR target

The MIRROR target should be used only for experiments and demonstrations, since it can cause a packet to "loop" and thereby lead to a "Denial of Service". The MIRROR target swaps the source and destination fields of the packet (inverts the source and destination fields) and sends the packet back out onto the network. Using it can have a rather amusing effect; it must be quite entertaining to watch some script kiddie trying to "break into" his own computer!

This target may only be used in the INPUT, FORWARD and PREROUTING chains, and in chains called from those three. Packets sent out by the MIRROR target are not subjected to any further filtering, connection tracking or NAT, which avoids "loops" and other trouble. That does not mean, however, that there are no problems with this target. Imagine, for example, that a packet with a TTL of 255 is forged on a host that uses the MIRROR target, addressed to that same host, and the packet matches the "mirroring" rule. The packet is "reflected" back to the same host, and since there is only 1 hop between "receiver" and "sender", the packet will bounce back and forth 255 times. Not bad for a cracker: with a packet size of 1500 bytes we would lose up to 380 KB of traffic!


SNAT target

SNAT is used for Source Network Address Translation, i.e. changing the source IP address in the IP header of the packet. For example, this target can be used to give other computers on a local network access to the Internet when we have only one unique IP address. To do this, packet forwarding must be enabled in the kernel, and rules must then be created that translate the source IP addresses of our local network into the real external address. As a result, the outside world knows nothing about our local network; it believes the requests came from our firewall.

SNAT may only be used in the nat table, in the POSTROUTING chain. In other words, this is the only place where source addresses may be translated. If the first packet of a connection has had its source address translated, all subsequent packets of the same connection are translated automatically and do not traverse this chain of rules.

Table 21. SNAT target

Option: --to-source
Example: iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 194.236.50.155-194.236.50.160:1024-32000
Explanation: The --to-source option specifies the address to assign to the packet. Quite simply, you specify the IP address that is written into the packet header as the source address. If you want to spread the load between several firewalls, you may specify a range of addresses, with the first and last address of the range separated by a hyphen, for example 194.236.50.155-194.236.50.160. A specific IP address is then chosen from the range at random for each new stream. Additionally, a range of ports may be specified that will be used only for SNAT. All source ports are then remapped into that range. iptables tries to avoid remapping ports where possible, but this is not always possible, and then the port is remapped. If no port range is given, source ports below 512 are remapped within the range 0-511, ports in the range 512-1023 are remapped within 512-1023, and finally ports in the range 1024-65535 are remapped within 1024-65535. Destination ports are never remapped.

DNAT target

DNAT (Destination Network Address Translation) is used to translate the destination address in the IP header of the packet. If a packet matches a rule with the DNAT target, that packet and all subsequent packets of the same stream have their destination address translated and are delivered to the required device, host or network. This target can, for example, be used to give access to your web server that sits on the local network and has no real IP address. To do this, you build a rule that intercepts packets arriving at the HTTP port of the firewall and, via DNAT, passes them on to the local address of the web server. A range of addresses may be specified for this target as well, in which case the destination address is chosen at random for each new stream.

The DNAT target may only be used in the PREROUTING and OUTPUT chains of the nat table, and in subchains called from them.

Table 22. DNAT target

Option: --to-destination
Example: iptables -t nat -A PREROUTING -p tcp -d 15.45.23.67 --dport 80 -j DNAT --to-destination 192.168.1.1-192.168.1.10
Explanation: The --to-destination option specifies which IP address is to be written in as the destination address. In the example above, the destination address of every packet that arrived for 15.45.23.67 is changed to one of the addresses in the range 192.168.1.1 to 192.168.1.10. As noted above, all packets of one stream go to the same address, while for each new stream one of the addresses in the given range is chosen at random. A single IP address may be specified as well. You may additionally specify a port or range of ports to which the traffic is redirected: write the port after the IP address, separated by a colon, for example --to-destination 192.168.1.1:80, and a range of ports like this: --to-destination 192.168.1.1:80-100. As you can see, the syntax of DNAT and SNAT is much alike. Remember that ports may only be specified when working with the TCP or UDP protocol, i.e. when the match contains the --protocol option.

The DNAT target is rather tricky to use and needs some further explanation. Consider a simple example. We have a web server that we want to make accessible from the Internet. We have only one real IP address, and the web server sits on the local network. The real IP address $INET_IP is assigned to the firewall, the HTTP server has the local address $HTTP_IP, and finally the firewall has the local address $LAN_IP. To begin with, we add a simple rule to the PREROUTING chain of the nat table (the -p tcp match is required, since --dport is only accepted together with a protocol):

iptables -t nat -A PREROUTING -p tcp --dst $INET_IP --dport 80 -j DNAT --to-destination $HTTP_IP

According to this rule, all packets arriving at port 80 of the address $INET_IP are redirected to our internal web server. If we now connect to the web server from the Internet, everything works fine. But what happens if we try to connect to it from the local network? The connection simply fails. Let us look at how packets travelling from the Internet to our web server are routed. For simplicity, let the address of the client on the Internet be $EXT_BOX.
  1. The packet leaves the client host with address $EXT_BOX, bound for $INET_IP.

  2. The packet arrives at our firewall.

  3. The firewall, following the rule above, replaces the destination address and passes the packet on to the other chains.

  4. The packet is sent on to $HTTP_IP.

  5. The packet reaches the HTTP server, and the server sends its reply through the firewall, provided the firewall is the gateway for $EXT_BOX in the server's routing table. Usually the firewall is the default gateway of the HTTP server.

  6. The firewall reverses the address translation in the packet; everything now looks as if the packet had originated at the firewall.

  7. The packet is delivered to the client $EXT_BOX.



Now let us see what happens when the request is sent from a host on the same local network. For simplicity, let the address of the client on the local network be $LAN_BOX.

  1. The packet leaves $LAN_BOX.

  2. It arrives at the firewall.

  3. The destination address is translated, but the source address is not, i.e. the original source address stays in the packet unchanged.

  4. The packet leaves the firewall and is sent to the HTTP server.

  5. The HTTP server, preparing its reply, sees that the client is on the local network (since the request packet carried the original IP address, which has now become the destination address) and therefore sends the reply directly to $LAN_BOX.

  6. The packet arrives at $LAN_BOX. The client is confused, since the reply came from a different host than the one the request was sent to. The client therefore "drops" the reply packet and keeps waiting for the "real" reply.



The problem is solved quite simply with SNAT. Below is a rule that does the job. This rule forces the HTTP server to send its replies to our firewall, which then forwards them to the client.

iptables -t nat -A POSTROUTING -p tcp --dst $HTTP_IP --dport 80 -j SNAT --to-source $LAN_IP

Remember that the POSTROUTING chain is processed last of all, and by then the packet has already gone through DNAT, which is why the match is built on the destination address $HTTP_IP.

If you think we can stop here, you are mistaken! Imagine the situation where the firewall itself is the client. Then, unfortunately, the packets would be delivered to local port 80 of the firewall itself rather than to $HTTP_IP. To solve this problem too, we add the rule

iptables -t nat -A OUTPUT -p tcp --dst $INET_IP --dport 80 -j DNAT --to-destination $HTTP_IP

Now there should be no more problems with access to our web server.
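The three rules of the walkthrough above, collected into one shell function as an added example (this is not the tutorial's own script). Two details differ from the rules quoted in the text: every rule carries -p tcp, because iptables only accepts --dport together with a protocol match, and the SNAT rule is limited to sources on the LAN, so that requests arriving from the Internet keep their real source address in the web server's logs. The function only prints the rules; applying them is left to the caller, and the addresses in the usage lines are constructed (documentation and private ranges), not real hosts.

```shell
#!/bin/sh
# Added example, not the tutorial's own script: the PREROUTING/POSTROUTING/
# OUTPUT rule set for publishing an internal HTTP server behind one public
# address, produced by one function so the complete set can be reviewed
# before it is applied. Addresses in the usage lines are constructed.

# Print the rules. Arguments:
#   $1 INET_IP  public address of the firewall
#   $2 HTTP_IP  internal address of the web server
#   $3 LAN_IP   address of the firewall on the LAN
#   $4 LAN_NET  the LAN in CIDR notation (limits the SNAT rule)
#   $5 IPTABLES path to iptables (optional, default "iptables")
dnat_webserver_rules() {
    inet_ip="$1"; http_ip="$2"; lan_ip="$3"; lan_net="$4"; ipt="${5:-iptables}"
    # Requests arriving from outside (and from the LAN): rewrite the destination.
    echo "$ipt -t nat -A PREROUTING -p tcp -d $inet_ip --dport 80 -j DNAT --to-destination $http_ip"
    # LAN clients only: have the server answer through the firewall, not
    # directly, while Internet clients keep their real source address.
    echo "$ipt -t nat -A POSTROUTING -p tcp -s $lan_net -d $http_ip --dport 80 -j SNAT --to-source $lan_ip"
    # The firewall itself as client: locally generated packets traverse OUTPUT,
    # never PREROUTING, so the DNAT rule has to be repeated there.
    echo "$ipt -t nat -A OUTPUT -p tcp -d $inet_ip --dport 80 -j DNAT --to-destination $http_ip"
}

# Number of rules produced, for a sanity check before piping them into sh.
dnat_webserver_rule_count() {
    dnat_webserver_rules "$@" | wc -l | tr -d ' '
}

# Usage: review first, then apply as root.
#   dnat_webserver_rules 198.51.100.10 192.168.1.10 192.168.1.1 192.168.1.0/24
#   dnat_webserver_rules 198.51.100.10 192.168.1.10 192.168.1.1 192.168.1.0/24 | sh
```

As the SNAT section says, forwarding must be enabled in the kernel and the nat table's modules loaded before these rules do anything; the function does neither.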


MASQUERADE target

Masquerading (MASQUERADE) is essentially the same as SNAT, except that it has no --to-source option. The reason is that masquerading is meant to work with, for example, dial-up connections or DHCP, i.e. in cases where the IP address is assigned to the device dynamically. If you have a dynamic connection you should use masquerading; if you have a static IP connection, using the SNAT target is without doubt the better choice.

Masquerading means taking the IP address from the given network interface rather than specifying it directly, as is done with the --to-source option of SNAT. The MASQUERADE target also has the nice property of "forgetting" connections when the network interface goes down. With SNAT, in that situation the connection tracking table keeps entries for the lost connections, and these entries may persist for up to a day, consuming valuable memory. The "forgetfulness" comes from the fact that when a network interface with a dynamic IP address goes down, there is a chance of getting a different IP address the next time it comes up, in which case any connections would be lost anyway, and keeping the tracking information would be pointless.

As you will have understood, the MASQUERADE target can be used instead of SNAT even if you have a permanent IP address; however, despite its positive traits, masquerading should not be considered preferable in that case, since it places a greater load on the system.

The MASQUERADE target may only be used in the POSTROUTING chain of the nat table, just like the SNAT target. MASQUERADE has one option, described below, whose use is optional.

Table 23. MASQUERADE target

Option: --to-ports
Example: iptables -t nat -A POSTROUTING -p TCP -j MASQUERADE --to-ports 1024-31000
Explanation: The --to-ports option specifies the source port or range of source ports for the outgoing packet. You may specify a single port, for example --to-ports 1025, or a range of ports as in --to-ports 1024-3000. This option may only be used in rules whose match explicitly specifies the TCP or UDP protocol with the --protocol option.

REDIRECT target

Redirects packets and streams to another port on the same machine. For example, packets arriving at the HTTP port can be redirected to the port of an HTTP proxy. The REDIRECT target is very convenient for "transparent" proxying, where the machines on the local network are not even aware that a proxy exists.

REDIRECT may only be used in the PREROUTING and OUTPUT chains of the nat table and, of course, in subchains called from those. The REDIRECT target has only one option.

Table 24. REDIRECT target

Option: --to-ports
Example: iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
Explanation: The --to-ports option specifies the destination port or range of ports. Without --to-ports no redirection takes place, i.e. the packet goes to the port it was originally addressed to. In the example above, --to-ports 8080 specifies a single destination port. To specify a range of ports we would write something like --to-ports 8080-8090. This option may only be used in rules whose match explicitly specifies the TCP or UDP protocol with the --protocol option.

TTL target

The TTL target is used to change the contents of the Time To Live field in the IP header. One possible use of this target is to set the Time To Live field of ALL outgoing packets to one and the same value. What for? There are some ISPs that strongly dislike several computers sharing a single connection; if we set the same TTL value on all packets, we deprive the ISP of one of its criteria for detecting that the Internet connection is shared between several computers. An example value is TTL = 64, which is the default for the Linux kernel.

For more information on setting the default value, see ip-sysctl.txt, which you will find in the appendix Other resources and links.

The TTL target may only be used in the mangle table and nowhere else. It has 3 options, described below.

Table 25. TTL target

Option: --ttl-set
Example: iptables -t mangle -A PREROUTING -i eth0 -j TTL --ttl-set 64
Explanation: Sets the TTL field to the given value. A value around 64 is considered optimal: neither too large nor too small. Do not set too large a value, as that may have unpleasant consequences for your network. Imagine a packet "looping" between two misconfigured routers; with large TTL values there is a risk of "losing" a considerable share of the link's bandwidth.

Option: --ttl-dec
Example: iptables -t mangle -A PREROUTING -i eth0 -j TTL --ttl-dec 1
Explanation: Decrements the TTL field by the given number. For example, suppose an incoming packet has a TTL of 53 and we apply --ttl-dec 3; the packet then leaves our host with a TTL of 49. Remember that the network code automatically decrements the TTL by 1, so in effect we get 53 - 3 - 1 = 49. IF ANYONE CAN GIVE AN EXAMPLE OF A PRACTICALLY USEFUL APPLICATION OF THIS OPTION, PLEASE LET ME KNOW!

Option: --ttl-inc
Example: iptables -t mangle -A PREROUTING -i eth0 -j TTL --ttl-inc 1
Explanation: Increments the TTL field by the given number. Taking the previous example, suppose a packet arrives with TTL = 53; after --ttl-inc 4 it leaves our host with TTL = 56. Again, remember the automatic decrement by the kernel's network code, so in effect we get 53 + 4 - 1 = 56. Incrementing the TTL can be used to make our firewall less "visible" to traceroutes. Traceroute programs are loved for the valuable information they give when tracking down network problems, and hated for the very same reason, since that information can be misused by crackers. An example of its use can be found in ttl-inc.txt.

ULOG target

The ULOG target provides packet logging to userspace. It replaces the traditional LOG target, which is based on the system log. With this target the packet is passed, via netlink sockets, to a special daemon that can perform very detailed logging in various formats (plain text file, MySQL database, etc.) and also supports plugins for producing different output formats and handling network protocols. The userspace part, ULOGD, can be obtained from the ULOGD project home page.

Table 26. ULOG target

Option: --ulog-nlgroup
Example: iptables -A INPUT -p TCP --dport 22 -j ULOG --ulog-nlgroup 2
Explanation: The --ulog-nlgroup option tells ULOG which netlink group the packet is to be sent to. There are 32 groups in total (1 to 32). If you want to send the packet to group 5, simply specify --ulog-nlgroup 5. The default is group 1.

Option: --ulog-prefix
Example: iptables -A INPUT -p TCP --dport 22 -j ULOG --ulog-prefix "SSH connection attempt: "
Explanation: The --ulog-prefix option has the same meaning as the corresponding option of the LOG target. The prefix string must not exceed 32 characters.

Option: --ulog-cprange
Example: iptables -A INPUT -p TCP --dport 22 -j ULOG --ulog-cprange 100
Explanation: The --ulog-cprange option specifies how many bytes of the packet are to be passed to the ULOG daemon. If you specify 100, as in the example, only 100 bytes of the packet are passed to the daemon, which means the daemon receives the packet header and some part of the packet's data. If you specify 0, the whole packet is passed regardless of its size. The default is 0.

Option: --ulog-qthreshold
Example: iptables -A INPUT -p TCP --dport 22 -j ULOG --ulog-qthreshold 10
Explanation: The --ulog-qthreshold option sets the size of the queue buffer inside the kernel. For example, if the buffer size is set to 10, as in the example, the kernel accumulates logged packets in an internal buffer and passes them to userspace in groups of 10 packets. The default buffer size is 1, for backwards compatibility with early versions of ulogd that could not accept groups of packets.


æÁÊÌ rc.firewall

÷ ÜÔÏÊ ÇÌÁ×Å ÍÙ ÒÁÓÓÍÏÔÒÉÍ ÎÁÓÔÒÏÊËÕ ÂÒÁÎÄÍÁÕÜÒÁ ÎÁ ÐÒÉÍÅÒÅ ÓÃÅÎÁÒÉÑ rc.firewall.txt. íÙ ÂÕÄÅÍ ÂÒÁÔØ ËÁÖÄÕÀ ÂÁÚÏ×ÕÀ ÎÁÓÔÒÏÊËÕ É ÒÁÓÓÍÁÔÒÉ×ÁÔØ ËÁË ÏÎÁ ÒÁÂÏÔÁÅÔ É ÞÔÏ ÄÅÌÁÅÔ. üÔÏ ÍÏÖÅÔ ÎÁÔÏÌËÎÕÔØ ×ÁÓ ÎÁ ÒÅÛÅÎÉÅ ×ÁÛÉÈ ÓÏÂÓÔ×ÅÎÎÙÈ ÚÁÄÁÞ. äÌÑ ÚÁÐÕÓËÁ ÜÔÏÇÏ ÓÃÅÎÁÒÉÑ ×ÁÍ ÐÏÔÒÅÂÕÅÔÓÑ ×ÎÅÓÔÉ × ÎÅÇÏ ÉÚÍÅÎÅÎÉÑ ÔÁËÉÍ ÏÂÒÁÚÏÍ, ÞÔÏÂÙ ÏÎ ÍÏÇ ÒÁÂÏÔÁÔØ Ó ×ÁÛÅÊ ËÏÎÆÉÇÕÒÁÃÉÅÊ ÓÅÔÉ, × ÂÏÌØÛÉÎÓÔ×Å ÓÌÕÞÁÅ× ÄÏÓÔÁÔÏÞÎÏ ÉÚÍÅÎÉÔØ ÔÏÌØËÏ ÐÅÒÅÍÅÎÎÙÅ.

Note

ðÒÉÍÅÞÁÔÅÌØÎÏ, ÞÔÏ ÅÓÔØ ÂÏÌÅÅ ÜÆÆÅËÔÉ×ÎÙÅ ÓÐÏÓÏÂÙ ÚÁÄÁÎÉÑ ÎÁÂÏÒÏ× ÐÒÁ×ÉÌ, ÏÄÎÁËÏ Ñ ÉÓÈÏÄÉÌ ÉÚ ÍÙÓÌÉ Ï ÂÏÌØÛÅÊ ÕÄÏÂÏÞÉÔÁÅÍÏÓÔÉ ÓÃÅÎÁÒÉÑ, ÔÁË, ÞÔÏÂÙ ËÁÖÄÙÊ ÓÍÏÇ ÐÏÎÑÔØ ÅÇÏ ÂÅÚ ÇÌÕÂÏËÉÈ ÐÏÚÎÁÎÉÊ ÏÂÏÌÏÞËÉ BASH.


ðÒÉÍÅÒ rc.firewall

éÔÁË, ×ÓÅ ÇÏÔÏ×Ï ÄÌÑ ÒÁÚÂÏÒÁ ÆÁÊÌÁ ÐÒÉÍÅÒÁ rc.firewall.txt (ÓÃÅÎÁÒÉÊ ×ËÌÀÞÅÎ × ÓÏÓÔÁ× ÄÁÎÎÏÇÏ ÄÏËÕÍÅÎÔÁ × ÐÒÉÌÏÖÅÎÉÉ ðÒÉÍÅÒÙ ÓÃÅÎÁÒÉÅ×). ïÎ ÄÏÓÔÁÔÏÞÎÏ ×ÅÌÉË, ÎÏ ÔÏÌØËÏ ÉÚ-ÚÁ ÂÏÌØÛÏÇÏ ËÏÌÉÞÅÓÔ×Á ËÏÍÍÅÎÔÁÒÉÅ×. óÅÊÞÁÓ Ñ ÐÒÅÄÌÁÇÁÀ ×ÁÍ ÐÒÏÓÍÏÔÒÅÔØ ÜÔÏÔ ÆÁÊÌ, ÞÔÏÂÙ ÐÏÌÕÞÉÔØ ÐÒÅÄÓÔÁ×ÌÅÎÉÅ Ï ÅÇÏ ÓÏÄÅÒÖÉÍÏÍ É ÚÁÔÅÍ ×ÅÒÎÕÔØÓÑ ÓÀÄÁ ÚÁ ÂÏÌÅÅ ÐÏÄÒÏÂÎÙÍÉ ÐÏÑÓÎÅÎÉÑÍÉ.


ïÐÉÓÁÎÉÅ ÓÃÅÎÁÒÉÑ rc.firewall

ëÏÎÆÉÇÕÒÁÃÉÑ

ðÅÒ×ÁÑ ÞÁÓÔØ ÆÁÊÌÁ rc.firewall.txt Ñ×ÌÑÅÔÓÑ ËÏÎÆÉÇÕÒÁÃÉÏÎÎÙÍ ÒÁÚÄÅÌÏÍ. úÄÅÓØ ÚÁÄÁÀÔÓÑ ÏÓÎÏ×ÎÙÅ ÎÁÓÔÒÏÊËÉ ÂÒÁÎÄÍÁÕÜÒÁ, ËÏÔÏÒÙÅ ÚÁ×ÉÓÑÔ ÏÔ ×ÁÛÅÊ ËÏÎÆÉÇÕÒÁÃÉÉ ÓÅÔÉ. îÁÐÒÉÍÅÒ IP ÁÄÒÅÓÁ - ÎÁ×ÅÒÎÑËÁ ÄÏÌÖÎÙ ÂÙÔØ ÉÚÍÅÎÅÎÙ ÎÁ ×ÁÛÉ ÓÏÂÓÔ×ÅÎÎÙÅ. ðÅÒÅÍÅÎÎÁÑ $INET_IP ÄÏÌÖÎÁ ÓÏÄÅÒÖÁÔØ ÒÅÁÌØÎÙÊ IP ÁÄÒÅÓ, ÅÓÌÉ ×Ù ÐÏÄËÌÀÞÁÅÔÅÓØ Ë éÎÔÅÒÎÅÔ ÞÅÒÅÚ DHCP, ÔÏ ×ÁÍ ÓÌÅÄÕÅÔ ÏÂÒÁÔÉÔØ ×ÎÉÍÁÎÉÅ ÎÁ ÓËÒÉÐÔ rc.DHCP.firewall.txt, áÎÁÌÏÇÉÞÎÏ $INET_IFACE ÄÏÌÖÎÁ ÕËÁÚÙ×ÁÔØ ×ÁÛÅ ÕÓÔÒÏÊÓÔ×Ï, ÞÅÒÅÚ ËÏÔÏÒÏÅ ÏÓÕÝÅÓÔ×ÌÑÅÔÓÑ ÐÏÄËÌÀÞÅÎÉÅ Ë éÎÔÅÒÎÅÔ. üÔÏ ÍÏÖÅÔ ÂÙÔØ, Ë ÐÒÉÍÅÒÕ, eth0, eth1, ppp0, tr0 É ÐÒ.

üÔÏÔ ÓÃÅÎÁÒÉÊ ÎÅ ÓÏÄÅÒÖÉÔ ËÁËÉÈ ÌÉÂÏ ÎÁÓÔÒÏÅË, ÓÐÅÃÉÆÉÞÎÙÈ ÄÌÑ DHCP, PPPoE, ÐÏÜÔÏÍÕ ÜÔÉ ÒÁÚÄÅÌÙ ÎÅ ÚÁÐÏÌÎÅÎÙ. ôÏ ÖÅ ÓÁÍÏÅ ËÁÓÁÅÔÓÑ É ÄÒÕÇÉÈ "ÐÕÓÔÙÈ" ÒÁÚÄÅÌÏ×. üÔÏ ÓÄÅÌÁÎÏ ÐÒÅÄÎÁÍÅÒÅÎÎÏ, ÞÔÏÂÙ ×Ù ÍÏÇÌÉ ÂÏÌÅÅ ÎÁÇÌÑÄÎÏ ×ÉÄÅÔØ ÒÁÚÎÉÃÕ ÍÅÖÄÕ ÓÃÅÎÁÒÉÑÍÉ. åÓÌÉ ×ÁÍ ÐÏÔÒÅÂÕÅÔÓÑ ÚÁÐÏÌÎÉÔØ ÜÔÉ ÒÁÚÄÅÌÙ, ÔÏ ×Ù ÍÏÖÅÔÅ ×ÚÑÔØ ÉÈ ÉÚ ÄÒÕÇÉÈ ÓËÒÉÐÔÏ×, ÉÌÉ ÎÁÐÉÓÁÔØ Ó×ÏÊ ÓÏÂÓÔ×ÅÎÎÙÊ.

òÁÚÄÅÌ Local Area Network ÄÏÌÖÅÎ ÓÏÄÅÒÖÁÔØ ÎÁÓÔÒÏÊËÉ, ÓÏÏÔ×ÅÔÓÔ×ÕÀÝÉÅ ËÏÎÆÉÇÕÒÁÃÉÉ ×ÁÛÅÊ ÌÏËÁÌØÎÏÊ ÓÅÔÉ. ÷Ù ÄÏÌÖÎÙ ÕËÁÚÁÔØ ÌÏËÁÌØÎÙÊ IP ÁÄÒÅÓ ÂÒÁÎÄÍÁÕÜÒÁ, ÉÎÔÅÒÆÅÊÓ, ÐÏÄËÌÀÞÅÎÎÙÊ Ë ÌÏËÁÌØÎÏÊ ÓÅÔÉ, ÍÁÓËÕ ÐÏÄÓÅÔÉ É ÛÉÒÏËÏ×ÅÝÁÔÅÌØÎÙÊ ÁÄÒÅÓ.

äÁÌÅÅ ÓÌÅÄÕÅÔ ÓÅËÃÉÑ Localhost Configuration, ËÏÔÏÒÕÀ ÉÚÍÅÎÑÔØ ×ÁÍ ÅÄ×Á ÌÉ ÐÒÉÄÅÔÓÑ. ÷ ÜÔÏÊ ÓÅËÃÉÉ ÕËÁÚÙ×ÁÅÔÓÑ ÌÏËÁÌØÎÙÊ ÉÎÔÅÒÆÅÊÓ lo É ÌÏËÁÌØÎÙÊ IP ÁÄÒÅÓ 127.0.0.1. úÁ ÒÁÚÄÅÌÏÍ Localhost Configuration, ÓÌÅÄÕÅÔ ÓÅËÃÉÑ Iptables Configuration. úÄÅÓØ ÓÏÚÄÁÅÔÓÑ ÐÅÒÅÍÅÎÎÁÑ $IPTABLES, ÓÏÄÅÒÖÁÝÁÑ ÐÕÔØ Ë ÆÁÊÌÕ iptables (/usr/local/sbin/iptables). åÓÌÉ ×Ù ÕÓÔÁÎÁ×ÌÉ×ÁÌÉ iptables ÉÚ ÉÓÈÏÄÎÙÈ ÍÏÄÕÌÅÊ, ÔÏ Õ ×ÁÓ ÐÕÔØ Ë iptables ÍÏÖÅÔ ÎÅÓËÏÌØËÏ ÏÔÌÉÞÁÔØÓÑ ÏÔ ÐÒÉ×ÅÄÅÎÎÏÇÏ × ÓÃÅÎÁÒÉÉ, ÏÄÎÁËÏ × ÂÏÌØÛÉÎÓÔ×Å ÄÉÓÔÒÉÂÕÔÉ×Ï× iptables ÒÁÓÐÏÌÏÖÅÎÁ ÉÍÅÎÎÏ ÚÄÅÓØ.


Loading additional modules

First, /sbin/depmod -a is run to check module dependencies, after which the modules the script needs are loaded. Try to load only the modules you actually need in your scripts.

Caution

In my scripts I forcibly load all the required modules to avoid failures. If an error occurs while loading a module there can be many reasons, but the most common one is that the module in question was compiled statically into the kernel. For more information see the section Problems loading modules.

The next section lists a number of modules that are not used in this script but are given as examples. One such module is ipt_owner, which can be used to allow network access from your machine only to a specific group of users, thereby raising the level of security. For information on the ipt_owner matches, see the Owner match in the chapter How a rule is built.

We can also load additional modules for state matching. All modules that extend state matching are named ip_conntrack_* and ip_nat_*. These modules provide connection tracking for specific protocols. For example, FTP is a complex protocol by definition: it transmits connection information inside the data part of the packet. So if a host on our LAN sends a request to connect to an FTP server on the Internet through a firewall that does address translation, the packet carries the host's local IP address inside its payload. Since IP addresses reserved for private networks are considered invalid on the Internet, the server will not know what to do with such a request and the connection will not be established. The FTP NAT helper module performs all the necessary address rewriting, so the FTP server actually receives a connection request from our external IP address and can set up the connection. The same happens with DCC file transfers and chats. Setting up a connection of this type requires an IP address and port to be sent over the IRC protocol, which also passes through network address translation on the firewall. Without the special helper module, FTP and IRC become rather unreliable. For example, you may be able to receive files over DCC but not send them. This is caused by the way DCC "starts" a connection: you tell the receiving side that you want to send a file and where it should connect. Without the DCC helper module, the connection looks as though we asked the external receiver to connect to a host inside our LAN; put simply, such a connection will be "broken". With the helper module everything works fine, because the receiver is given the correct IP address to connect to.

For more information on the conntrack and nat modules, read the appendix Common problems and questions. Also do not forget the documentation shipped with the iptables package. To get these additional features you will need to install patch-o-matic and rebuild the kernel. How to do this is explained above in the Preparations chapter.

Note

Note that you only need to load the ip_nat_irc and ip_nat_ftp modules if you want Network Address Translation to work correctly with the FTP and IRC protocols. You also need to load the ip_conntrack_irc and ip_conntrack_ftp modules before the NAT modules.


Configuring /proc

Here we enable packet forwarding (IP forwarding) by writing a 1 to the file /proc/sys/net/ipv4/ip_forward like this:

echo "1" > /proc/sys/net/ipv4/ip_forward

Caution

It is worth thinking about where and when to enable IP forwarding. In this and the other scripts in this tutorial we enable forwarding before creating any iptables rules. Between the moment forwarding starts and the moment the necessary rules are in place, our variant may take anywhere from a few milliseconds to minutes, depending on how much work the script does and how fast the particular machine is. Obviously this leaves a window of time during which an attacker could get through the firewall. So in a real deployment, IP forwarding should be enabled after the whole ruleset has been created. I placed the enabling of forwarding at the beginning here purely for readability.

If you need dynamic IP support (when using SLIP, PPP or DHCP), you can uncomment the line:

echo "1" > /proc/sys/net/ipv4/ip_dynaddr

If you need to enable any other options, consult the relevant documentation for them. A good and concise document on the /proc filesystem ships with the kernel. Links to other documents can be found in the appendix Other resources and links.

Note

The rc.firewall.txt script, and all the other scripts in this tutorial, contain a small section of non-required proc settings. However attractive these options may look, do not enable them until you are sure you clearly understand what they do.


Placing rules in other chains

Here we will talk about user-defined chains, specifically the ones defined in the rc.firewall.txt script. My way of splitting rules across additional chains may turn out to be unsuitable in one case or another. I hope I can show you the possible pitfalls. This section overlaps heavily with the chapter Traversing of tables and chains, and it would not hurt to look through it once more, at least briefly.

By distributing the ruleset across user-defined chains I saved CPU time without losing either the security of the system or the readability of the scripts. Instead of passing TCP packets through the entire ruleset (including the ICMP and UDP rules), I simply pick out the TCP packets and send them through a user-defined chain meant specifically for TCP packets, which reduces the load on the system. The next picture schematically shows the order in which packets traverse netfilter. In reality this picture looks rather limited compared with the diagram given in the chapter Traversing of tables and chains.

The main purpose of the picture is to refresh our memory. Overall, this example script is based on the assumption that we have one local network, one firewall and a single Internet connection with a static IP address (as opposed to PPP, SLIP, DHCP and the like). It is also assumed that access to Internet services goes through the firewall, that we fully trust our local network and therefore do not intend to block traffic originating from the LAN, but that the Internet cannot be considered a trusted network, so access to our LAN from outside must be restricted. We will follow the principle "Everything not explicitly allowed is denied". To enforce the latter restriction we set the default policy to DROP. This cuts off any connection that is not explicitly allowed.

Now let us look at what we need to do and how.

First, let us allow connections from the LAN to the Internet. For this we need to perform network address translation (NAT). This is done in the PREROUTING chain (I assume the author simply made a typo here, since the script itself fills the POSTROUTING chain, and we already know that SNAT is performed in the POSTROUTING chain of the nat table. translator's note), which is filled last in our script. Some filtering in the FORWARD chain is also implied. Even if we fully trust our LAN and let all its traffic out to the Internet, that does not mean we trust the Internet, so we must restrict access to our machines from outside. In our case we let packets into our network only for an already established connection, or for a new connection opened within the context of an existing one (ESTABLISHED and RELATED).

As for the firewall machine itself, the services exposed to the Internet must be kept to a minimum. Accordingly, we allow only HTTP, FTP, SSH and IDENTD access to the firewall. All these protocols are considered acceptable in the INPUT chain, so we must also allow the "reply" traffic in the OUTPUT chain. Since we assume a trust relationship with the LAN, we add rules for the LAN address range, and at the same time for the loopback interface and the local IP address (127.0.0.1). As mentioned above, there are several address ranges set aside specifically for private networks; these addresses are considered invalid on the Internet and as a rule are not routed. So we too will deny any traffic from the Internet whose source address belongs to the private ranges. Finally, read the chapter Common problems and questions.

Since we run an FTP server, the rules serving connections to that server would ideally be placed at the beginning of the INPUT chain, thereby reducing the load on the system. In general, keep in mind that the fewer rules a packet has to traverse, the more CPU time is saved and the lower the system load. For this purpose I split the ruleset into additional chains.

In our example I grouped packets by the protocol they belong to. For each protocol type a separate chain is created, for example tcp_packets, which contains the rules checking all permitted TCP ports and protocols. To perform further checks on packets that have passed through one chain, another chain can be created. In our case that is the allowed chain. It performs additional checks of certain TCP packet characteristics before the final decision to accept is made. ICMP packets go through the icmp_packets chain. There we simply accept all ICMP packets of the specified message types. And finally UDP packets. They go through the udpincoming_packets chain, which handles incoming UDP packets. If they belong to permitted services they are accepted without further checks.

Since we are dealing with a fairly small network, our firewall is also used as a workstation, so we make it possible to connect to the Internet from the firewall itself as well.

And finally the OUTPUT chain. We do not apply any user-specific blocking, but we do not want anyone to use our firewall to send "forged" packets onto the network, so we set rules that allow packets out only with our LAN address, our loopback address (127.0.0.1) and our Internet address as source. Packets from these addresses are accepted by the OUTPUT chain; everything else (most likely spoofed) is cut off by the default DROP policy.


Setting the default policies

Before starting to build the ruleset, we must decide on the default policies for the chains. A default policy is set with a command like the one below

iptables -P <chain name> <policy>

The default policy is the action applied to a packet that has not matched any rule in the chain. (A small clarification: the iptables -P command applies ONLY TO BUILT-IN chains, i.e. INPUT, FORWARD, OUTPUT and so on, and cannot be applied to user-defined chains. translator's note)


Creating user-defined chains

By now you surely have a picture in front of you of how packets move through the various chains and how these chains interact! You should already have a clear idea of the goals and purpose of this script. Let us start creating the chains and their rulesets.

First of all, the additional chains must be created with the -N command. Right after creation the chains contain no rules at all. In our example the chains icmp_packets, tcp_packets, udpincoming_packets and allowed are created; allowed is called from the tcp_packets chain. Incoming ICMP packets from the $INET_IFACE interface (i.e. from the Internet) are redirected to the icmp_packets chain, TCP packets are redirected to the tcp_packets chain, and incoming UDP packets from eth0 go to the udpincoming_packets chain.


The bad_tcp_packets chain

This chain is meant to filter out packets with "bad" headers and to solve a few other problems. Here all packets that are recognised as NEW but are not SYN packets are filtered out. The chain can be used as protection against intrusion and port scanning. A rule for discarding packets in the INVALID state has also been added here.


The allowed chain

A TCP packet arriving from the $INET_IFACE interface enters the tcp_packets chain; if the packet is headed for a permitted port, an additional check is performed after that.

The first rule checks whether the packet is a SYN packet, i.e. a connection request. Such a packet we consider acceptable and accept it. The next rule accepts all packets in the ESTABLISHED or RELATED state. When a connection is initiated by a SYN packet and a positive reply to that request has been sent, it gets the ESTABLISHED state. The last rule in this chain drops all other TCP packets. This rule catches packets from non-existent connections and packets with the SYN bit cleared that try to start a connection. Non-SYN packets are practically never used to start a connection, except for port scans. As far as I know, no TCP/IP implementation today supports opening a connection other than by sending a SYN packet, so one can be 99% sure that the dropped packets were sent by a port scanner.


The TCP chain

So we have arrived at TCP connections. Here we specify which ports may be reached from the Internet. Even if a packet passes the check here, we still pass all packets on to the allowed chain for an additional check.

I opened TCP port 21, the FTP control port. Further, I allow all RELATED connections, thereby allowing PASSIVE FTP, provided the ip_conntrack_ftp module has been loaded. If you need to deny FTP connections, you will have to unload the ip_conntrack_ftp module and remove the line $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed from the rc.firewall.txt script.

Port 22 is SSH, which is far more secure than telnet on port 23. If you ever decide to give someone on the Internet shell access, SSH is of course the better choice. I should note, however, that it is generally considered bad practice to give anyone but yourself access to the firewall. Your firewall should run only the services that are really necessary and nothing more.

Port 80 is the HTTP port, in other words the web server; remove this rule if you do not run a web server.

And finally port 113, which serves IDENTD and is used by some protocols such as IRC.


The UDP chain

UDP packets from the INPUT chain go to the udpincoming_packets chain. As with TCP packets, here they are checked for admissibility by destination port number.

Port 53, where DNS lives, is open for UDP packets. If we want to use symbolic host names rather than IP addresses, we naturally have to let the domain name service work.

I personally allow port 123, on which NTP (network time protocol) runs. This service is usually used to obtain very accurate time from time servers on the Internet.

Port 2074 is used by some multimedia applications such as speak freely, which are used to transmit voice in real time.

And finally ICQ, on port 4000. This is the well-known protocol used by ICQ applications; I assume there is no need to explain to you what that is.


The ICMP chain

Here the decision is made whether to accept ICMP packets. If a packet arrives from eth0 into the INPUT chain, it is redirected to the icmp_packets chain. In this chain the ICMP message type is checked. Only ICMP Echo Reply, Destination Unreachable, Redirect and Time Exceeded are accepted.

My reasoning for this decision is as follows: ICMP Echo Reply packets come back when you, for example, ping another host on the network; if we blocked this message we would lose the ability to use ping.

Destination Unreachable arrives when some host is unreachable; for example, when making an HTTP request to an unreachable host, the last router that could not find a route to the host returns a Destination Unreachable message to us. That way we do not have to wait for our browser's timeout to expire, which by default is fairly long, on the order of 60 seconds or more.

Time Exceeded. As a packet travels across the network, each router decrements the TTL field in the packet header by 1. As soon as the TTL field reaches zero, the router sends a Time Exceeded message. For example, when you run a traceroute to some host, the TTL field is set to 1; at the very first router it becomes zero and a Time Exceeded message comes back to us; then TTL is set to 2 and the second router sends us Time Exceeded, and so on, until we get a reply from the host itself.

See the appendix for the list of ICMP message types. Further information on ICMP can be found in the following documents:

Be careful when blocking ICMP packets; I may be wrong in blocking some of them, and it may turn out that this is unacceptable for you.


The INPUT chain

The INPUT chain, as I already wrote, delegates the main work to other chains, thereby reducing the load on the packet filter. The effect of organising the rules this way is more noticeable on slow machines, which otherwise start "losing" packets under heavy load.

With the very first rule we try to discard "bad" packets. For more information on packets in the NEW state with the SYN bit cleared, see the appendix. In some special situations such packets may be considered legitimate, but in 99% of cases it is better to "stop" them. So such packets are written to the system log (logged) and "dropped".

Next, all ICMP packets arriving in the INPUT chain from the $INET_IFACE interface, in my case eth0, are redirected to the icmp_packets chain discussed earlier. With the next rule all TCP packets from the $INET_IFACE interface are passed to the tcp_packets chain. And finally all UDP packets are sent to the udpincoming_packets chain.

At the end we let through everything that comes from our $LOCALHOST_IP address, which is usually 127.0.0.1, everything from the $LAN_IP address, which in my case is 192.168.0.2, and at the same time everything from the LAN in $LAN_IP_RANGE, for me 192.168.0.0/24. I also accept everything that comes from my own external IP address and is in the ESTABLISHED or RELATED state. Broadcast traffic from the LAN is also considered acceptable; some applications, such as Samba, depend on broadcast messages and cannot do their job without them.

With the last rule, before the default policy is applied to all packets not explicitly accepted in the INPUT chain, the traffic is logged in case we need to track down the cause of a problem. Here we give the rule a limit on the number of logged packets, no more than 3 per minute, to prevent the log from growing excessively.

Everything that was not explicitly accepted in the INPUT chain will be subject to DROP, since that is the action set as the default policy.
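The chain layout described in this and the preceding sections (default policies, the user-defined chains bad_tcp_packets, allowed, tcp_packets, udpincoming_packets and icmp_packets, and the INPUT dispatch into them), as an added shell example that is not the tutorial's own rc.firewall.txt; interface names, addresses and the port and ICMP type lists are assumed placeholders taken from the chapter's description.

```bash
#!/bin/sh
# Added example, not the tutorial's rc.firewall.txt: the filter-table layout
# described above (default policies, user-defined chains, INPUT dispatch).
# Dry-run by default: it prints the iptables commands instead of running them.
# To apply for real (as root) set IPTABLES=/usr/local/sbin/iptables.
IPTABLES="${IPTABLES:-echo iptables}"

# Assumed settings (placeholders, adjust to your own network):
INET_IFACE="${INET_IFACE:-eth0}"
INET_IP="${INET_IP:-203.0.113.10}"          # TEST-NET-3 documentation address
LAN_IFACE="${LAN_IFACE:-eth1}"
LAN_IP="${LAN_IP:-192.168.0.2}"
LAN_IP_RANGE="${LAN_IP_RANGE:-192.168.0.0/24}"
LAN_BCAST_ADRESS="${LAN_BCAST_ADRESS:-192.168.0.255}"
LO_IFACE="${LO_IFACE:-lo}"
LO_IP="${LO_IP:-127.0.0.1}"

# Services the chapter opens on the firewall host
TCP_PORTS="21 22 80 113"       # FTP control, SSH, HTTP, IDENTD
UDP_PORTS="53 123 2074 4000"   # DNS, NTP, speak freely, ICQ
ICMP_TYPES="0 3 5 11"          # echo-reply, dest-unreachable, redirect, time-exceeded

ipt() { $IPTABLES "$@"; }

setup_filter_chains() {
    # 1. Default policies: whatever is not explicitly allowed is dropped.
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
    ipt -P FORWARD DROP

    # 2. Create the user-defined chains before anything jumps to them.
    for chain in bad_tcp_packets allowed tcp_packets udpincoming_packets icmp_packets; do
        ipt -N "$chain"
    done

    # 3. bad_tcp_packets: NEW without SYN is logged and dropped; INVALID is dropped.
    ipt -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
        --log-prefix "New not syn:"
    ipt -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
    ipt -A bad_tcp_packets -p tcp -m state --state INVALID -j DROP

    # 4. allowed: a SYN may open a connection, ESTABLISHED/RELATED may continue
    #    one, every other TCP packet (typically a port scan) is dropped.
    ipt -A allowed -p tcp --syn -j ACCEPT
    ipt -A allowed -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A allowed -p tcp -j DROP

    # 5. tcp_packets: each open port still goes through the allowed chain.
    for port in $TCP_PORTS; do
        ipt -A tcp_packets -p tcp -s 0/0 --dport "$port" -j allowed
    done

    # 6. udpincoming_packets: accepted directly by destination port.
    for port in $UDP_PORTS; do
        ipt -A udpincoming_packets -p udp -s 0/0 --dport "$port" -j ACCEPT
    done

    # 7. icmp_packets: only the listed ICMP types get in.
    for type in $ICMP_TYPES; do
        ipt -A icmp_packets -p icmp -s 0/0 --icmp-type "$type" -j ACCEPT
    done

    # 8. INPUT: bad packets first, then dispatch by protocol from the Internet
    #    interface, then the trusted local sources.
    ipt -A INPUT -p tcp -j bad_tcp_packets
    ipt -A INPUT -p icmp -i "$INET_IFACE" -j icmp_packets
    ipt -A INPUT -p tcp -i "$INET_IFACE" -j tcp_packets
    ipt -A INPUT -p udp -i "$INET_IFACE" -j udpincoming_packets
    ipt -A INPUT -p all -i "$LAN_IFACE" -s "$LAN_IP_RANGE" -j ACCEPT
    ipt -A INPUT -p all -i "$LO_IFACE" -s "$LO_IP" -j ACCEPT
    ipt -A INPUT -p all -i "$LO_IFACE" -s "$LAN_IP" -j ACCEPT
    ipt -A INPUT -p all -i "$LO_IFACE" -s "$INET_IP" -j ACCEPT
    ipt -A INPUT -p all -d "$INET_IP" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -p udp -i "$LAN_IFACE" -d "$LAN_BCAST_ADRESS" -j ACCEPT

    # 9. Rate-limited log of what falls through to the DROP policy.
    ipt -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
        --log-level DEBUG --log-prefix "IPT INPUT packet died: "
}

# Number of rules the dry run appends to a given chain (for checking the layout).
count_rules_for() {
    setup_filter_chains | grep -c -- "-A $1 "
}

setup_filter_chains
```

Run as-is it only prints the ruleset, which is a convenient way to review chain order before applying it on a real host.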


The OUTPUT chain

As I mentioned earlier, in my case the computer is used both as a firewall and as a workstation. So I let everything leave my host that has the source address $LOCALHOST_IP, $LAN_IP or $STATIC_IP. This is done to protect against traffic that a not-so-nice person on my machine might forge. On top of that, I log "dropped" packets for troubleshooting or to detect spoofed packets. All packets not matching any of the rules are subject to the default policy DROP.


The FORWARD chain

As usual, we allow packets from the LAN to move without restriction with the rule

/usr/local/sbin/iptables -A FORWARD -i $LAN_IFACE -j ACCEPT

Naturally, the reply packets must be let back into the LAN, so with the next rule we accept everything in the ESTABLISHED or RELATED state, i.e. we accept packets belonging to connections established FROM the LAN. And before all inadmissible packets are dropped by the default policy, we log the traffic with a limit of 3 entries per minute.


The PREROUTING chain of the nat table

Here network address translation is performed before the packets reach the INPUT or FORWARD chain. Once more I want to remind you that this chain is not meant for any kind of filtering, only for address translation, because only the first packet of a stream enters this chain.

First we cut off all packets with obviously invalid source addresses, such as addresses from the ranges set aside for private networks: 192.168.x.x, 10.x.x.x or 172.16.x.x. A similar rule can be used in the reverse direction, dropping all packets that do not belong to our LAN.


Starting Network Address Translation

And the final section, setting up SNAT. At least for me. First of all we add a rule to the POSTROUTING chain of the nat table that rewrites the source address of all packets leaving through the interface connected to the Internet. For me that is eth0. The script defines a number of variables that can be used to configure the script automatically. Using variables also makes the scripts more readable. The -t switch gives the table name, in this case nat. The -A command adds (Add) a new rule to the POSTROUTING chain, the -o $INET_IFACE match specifies the outgoing interface, and at the end of the rule we set the action on the packet, SNAT. Thus all packets matching the given criteria will be "masqueraded", i.e. they will look as if they were sent from our host. Do not forget to specify the --to-source switch with the appropriate IP address for the outgoing packets.

In this script I use SNAT instead of MASQUERADE for a number of reasons. The first is that this script is assumed to run on a host with a static IP address. The next is that SNAT is faster and more efficient. Of course, if you do not have a static IP address, you should use the MASQUERADE target, which provides a simpler way of translating addresses because it automatically determines the IP address assigned to the given interface. However, compared with SNAT this target requires somewhat more computing resources, though not significantly. If you need an example of MASQUERADE, see the rc.DHCP.firewall.txt script.
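The forwarding and NAT half of the script (the OUTPUT and FORWARD chains, the nat PREROUTING drops and the SNAT versus MASQUERADE choice), as an added shell example that is not the tutorial's own script, applied in the order the Caution in the /proc section asks for: policies and rules first, IP forwarding switched on last. Interface names and addresses are assumed placeholders, and an empty $INET_IP is taken to mean a dynamically assigned address.

```bash
#!/bin/sh
# Added example, not the tutorial's own script: the forwarding/NAT half, applied
# in the order the Caution in the /proc section asks for (policies and rules
# first, IP forwarding switched on last). Dry-run by default: commands are
# printed and the forwarding flag goes to a sink file. For real use (as root)
# set IPTABLES=/usr/local/sbin/iptables and
# IP_FORWARD_FILE=/proc/sys/net/ipv4/ip_forward.
IPTABLES="${IPTABLES:-echo iptables}"
IP_FORWARD_FILE="${IP_FORWARD_FILE:-/dev/null}"

# Assumed settings (placeholders, adjust to your own network):
INET_IFACE="${INET_IFACE:-eth0}"
LAN_IFACE="${LAN_IFACE:-eth1}"
LAN_IP="${LAN_IP:-192.168.0.2}"
LO_IP="${LO_IP:-127.0.0.1}"
# An empty INET_IP means a dynamic address (DHCP/PPP): MASQUERADE instead of SNAT.
INET_IP="${INET_IP-203.0.113.10}"      # TEST-NET-3 documentation address

ipt() { $IPTABLES "$@"; }

# OUTPUT: only our own addresses may appear as source, so the firewall host
# cannot be used to emit spoofed packets; the rest is logged and hits DROP.
setup_output_chain() {
    ipt -A OUTPUT -p all -s "$LO_IP" -j ACCEPT
    ipt -A OUTPUT -p all -s "$LAN_IP" -j ACCEPT
    if [ -n "$INET_IP" ]; then
        ipt -A OUTPUT -p all -s "$INET_IP" -j ACCEPT
    fi
    ipt -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
        --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "
}

# FORWARD: the LAN may go anywhere; from outside only replies to connections
# opened FROM the LAN (ESTABLISHED,RELATED) get back in.
setup_forward_chain() {
    ipt -A FORWARD -i "$LAN_IFACE" -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
        --log-level DEBUG --log-prefix "IPT FORWARD packet died: "
}

# nat/PREROUTING: drop packets from the Internet that claim a private source.
# As the text warns, only a stream's first packet traverses this chain, so
# this is a sanity check, not a substitute for filter-table rules.
setup_nat_prerouting() {
    for net in 192.168.0.0/16 10.0.0.0/8 172.16.0.0/12; do
        ipt -t nat -A PREROUTING -i "$INET_IFACE" -s "$net" -j DROP
    done
}

# Which NAT target fits the configuration: SNAT for a static address,
# MASQUERADE when the address on $INET_IFACE is assigned dynamically.
nat_target() {
    if [ -n "$INET_IP" ]; then echo SNAT; else echo MASQUERADE; fi
}

# nat/POSTROUTING: rewrite the source of everything leaving via $INET_IFACE.
setup_nat_postrouting() {
    if [ "$(nat_target)" = "SNAT" ]; then
        ipt -t nat -A POSTROUTING -o "$INET_IFACE" -j SNAT --to-source "$INET_IP"
    else
        ipt -t nat -A POSTROUTING -o "$INET_IFACE" -j MASQUERADE
    fi
}

enable_ip_forwarding() {
    echo "1" > "$IP_FORWARD_FILE"
}

# The whole sequence: policies, filter rules, NAT, and only then forwarding,
# so there is no window in which packets are forwarded unfiltered.
apply_forwarding_and_nat() {
    ipt -P OUTPUT DROP
    ipt -P FORWARD DROP
    ipt -t nat -P PREROUTING ACCEPT
    ipt -t nat -P POSTROUTING ACCEPT
    setup_output_chain
    setup_forward_chain
    setup_nat_prerouting
    setup_nat_postrouting
    enable_ip_forwarding
}

apply_forwarding_and_nat
```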


Example scripts

The purpose of this chapter is to give a brief description of each script in this tutorial. These scripts are not perfect, and they may not fully meet your needs. This means you will have to "tailor" them to your own situation. The rest of the tutorial is meant to make that tailoring easier.


Structure of the rc.firewall.txt file

All the scripts described in this tutorial have a certain structure. This is done so that the scripts are as similar to one another as possible, making it easier to find the differences between them. This structure is described fairly well in this chapter. Here I hope to give you an understanding of why all the scripts were written the way they were and why I chose this particular structure.

Note

Note that this structure may turn out to be far from optimal for your scripts. It was chosen only to better explain my line of thought.


Structure

This is the structure that all the scripts in this tutorial follow. If you find that this is not the case, it is most likely my mistake, unless of course I explained why I departed from the structure.

  1. Configuration - First of all we must set the configuration parameters for the script. In most cases the configuration parameters should be described first in any script.

    1. Internet - This is the configuration section describing the Internet connection. It can be omitted if you are not connected to the Internet. Note that there may be more subsections than are listed here, but only those that describe our Internet connection.

      1. DHCP - If there are any DHCP-specific settings, they are added here.

      2. PPPoE - The settings for a PPPoE connection are described here.

    2. LAN - If there is any LAN behind the firewall, the settings related to it are given here. Most likely this section will almost always be present.

    3. DMZ - The configuration of the DMZ zone is added here. Most scripts will not have this section, since a normal home network or small LAN will not have one. (DMZ: de-militarized zone. Most likely the author means by this a small subnet containing the servers, for example DNS, MAIL, WEB and so on, and not a single user workstation. translator's note)

    4. Localhost - These parameters belong to our firewall (localhost). In your case these variables are unlikely to change, but I created them nonetheless. I would hope you have no reason to change them.

    5. iptables - This section contains information about iptables. In most scripts a single variable giving the path to iptables will be enough.

    6. Other - Here go any other settings that do not belong in any of the sections above.

  2. Module loading - This section of the scripts contains the list of modules. The first part should contain the required modules, while the second part should contain the non-required ones.

    Note

    Note that some modules providing additional features may be listed even though they are not required. Usually the example script points this out in such cases.

    1. Required modules - This section should contain the modules needed for the script to work.

    2. Non-required modules - This section contains modules that are not required for the script to work normally. All of them should be commented out. If you need them, simply uncomment them.

  3. proc configuration - This section handles the configuration of the /proc filesystem. If these settings are necessary they will be listed; if not, they should be commented out by default and marked as non-required. Most of the useful /proc settings will be listed in the examples, but by no means all.

    1. Required proc configuration - This section should contain all /proc settings required by the script. These may be settings that enable a protection mechanism or perhaps add special features for the administrator or users.

    2. Non-required proc configuration - This section should contain non-required /proc settings that may prove useful in the future. All of them should be commented out, since they are not actually required for the script to work. This list will by no means contain all /proc settings.

  4. rules set up - By this point the script is usually ready for the rulesets to be inserted. I split all the rules by table and chain. Any user-defined chains must be created before we can use them. I list the chains and their rulesets in the same order as they appear in the output of iptables -L.

    1. Filter table - First of all we go through the filter table. To begin with, the default policy in the table must be set.

      1. Set policies - Setting the default policies for the built-in chains. I usually set DROP for the chains in the filter table and then allow the flows that originate from the inside. That way we get rid of everything we do not want.

      2. Create user specified chains - In this section all user-defined chains that we will use later within this table are created. We cannot use these chains until we have created them.

      3. Create content in user specified chains - After creating the user-defined chains we can fill them with rules. The only reason the rules for the user-defined chains are defined here is their proximity to the commands that create those chains. You may place the rules elsewhere in your script.

      4. INPUT chain - In this section the rules for the INPUT chain are added.

        Note

        As already mentioned, I tried to follow the order produced by the output of iptables -L. There is no serious reason to stick to this structure, but try to avoid mixing data from different tables and chains, since such a ruleset becomes much harder to read and to search for possible problems.

      5. FORWARD chain - Here we add the rules to the FORWARD chain.

      6. OUTPUT chain - The very last chain filled in the filter table is OUTPUT.

    2. nat table - After the filter table we move on to the nat table. This is done for a number of reasons. First of all, the NAT mechanism should not be started at an early stage, when packets can still pass without restriction (that is, when NAT is already enabled but there is not a single filtering rule yet). Also, I regard the nat table as a kind of layer outside the filter table. The filter table is a sort of core, while nat is a shell around the core, and the mangle table can be seen as a shell around the nat table. This may not be entirely accurate, but it is not far from the truth.

      1. Set policies - First of all we set all the default policies within the nat table. I usually set ACCEPT. This table should not be used for filtering, and we should not "throw away" (DROP) packets here. There are a number of unpleasant side effects that occur in such cases because of our assumptions. I accept all packets in these chains because I see no reason not to.

      2. Create user specified chains - Here all user-defined chains for the nat table are created. I usually have none, but I added this section just in case. Note that user-defined chains must be created before they are actually used.

      3. Create content in user specified chains - Adding rules to the user-defined chains of the nat table. The principle of placing rules here is the same as in the filter table. I add them here because I see no reason to move them elsewhere.

      4. PREROUTING chain - The PREROUTING chain is used for DNAT. In most scripts DNAT is not used, or at least is commented out, so as not to "open the gates" into our LAN too wide. In some scripts this rule is enabled, since the sole purpose of those scripts is to provide services that are impossible without DNAT.

      5. POSTROUTING chain - The POSTROUTING chain is used by the scripts I wrote, since in most cases there are one or more local networks that we want to connect to the Internet through the firewall. Mainly we will use SNAT, but in some cases we will be forced to use MASQUERADE.

      6. OUTPUT chain - The OUTPUT chain is barely used at all in any of the scripts. So far I have found no serious reason to use this chain. If you do use it, drop me a few lines and I will make the corresponding changes to this tutorial.

    3. mangle table - The mangle table is the last table on the packets' path. I usually do not use this table at all, since there is normally no need for anything like changing the TTL or TOS field and so on. In other words, I left this section empty in some scripts, with a few exceptions where I added a couple of examples of using this table.

      1. Set policies - Here the default policy is set. The same restrictions apply as for the nat table. The table should not be used for filtering, and therefore you should avoid doing so. I did not set any policy for the chains in the mangle table in any of the scripts, and you should do the same.

      2. Create user specified chains - User-defined chains are created. Since I do not use the mangle table in the scripts, I did not create any user-defined chains. This section was added just in case, however.

      3. Create content in user specified chains - If you created any user-defined chains within this table, you can fill them with rules here.

      4. PREROUTING - At this point there is only a mention of the chain.

      5. INPUT chain - At this point there is only a mention of the chain.

      6. FORWARD chain - At this point there is only a mention of the chain.

      7. OUTPUT chain - At this point there is only a mention of the chain.

      8. POSTROUTING chain - At this point there is only a mention of the chain.

I hope I have explained in sufficient detail how each script is structured and why they are structured this way.

Caution

Note that these descriptions are extremely brief and are only a short explanation of why the scripts have this structure. I do not claim to have the final word, nor that this is the only or the best way.


rc.firewall.txt

The rc.firewall.txt script is the core on which the rest of the scripts are based. The rc.firewall file chapter describes the script in sufficient detail. The script is written for a home network where you have one LOCAL NETWORK and one connection to the Internet. This script also assumes that you have a static IP address and therefore do not use DHCP, PPP, SLIP or any other protocol that assigns the IP dynamically. Otherwise take the rc.DHCP.firewall.txt script as your starting point.

The script requires the following options to be compiled in, either statically or as modules. Without any one of them the script will not work.

  • CONFIG_PACKET
  • CONFIG_NETFILTER
  • CONFIG_IP_NF_CONNTRACK
  • CONFIG_IP_NF_IPTABLES
  • CONFIG_IP_NF_MATCH_LIMIT
  • CONFIG_IP_NF_MATCH_STATE
  • CONFIG_IP_NF_FILTER
  • CONFIG_IP_NF_NAT
  • CONFIG_IP_NF_TARGET_LOG



rc.DMZ.firewall.txt

The script requires the following options to be compiled in, either statically or as modules. Without any one of them the script will not work.

  • CONFIG_PACKET
  • CONFIG_NETFILTER
  • CONFIG_IP_NF_CONNTRACK
  • CONFIG_IP_NF_IPTABLES
  • CONFIG_IP_NF_MATCH_LIMIT
  • CONFIG_IP_NF_MATCH_STATE
  • CONFIG_IP_NF_FILTER
  • CONFIG_IP_NF_NAT
  • CONFIG_IP_NF_TARGET_LOG


The rc.DMZ.firewall.txt script was written for those who have a trusted local network, one "Demilitarized Zone" and one connection to the Internet. To reach the servers in the Demilitarized Zone from outside, one-to-one NAT is used; that is, you have to make the firewall recognize packets for more than one IP address.

The script works with two internal networks, as shown in the figure. One uses the IP address range 192.168.0.0/24 and is the Trusted Internal Network. The other uses the range 192.168.1.0/24 and is called the Demilitarized Zone (DMZ), for which we will perform one-to-one address translation (NAT). For example, if someone on the Internet sends a packet to our DNS_IP, we perform DNAT, which replaces the destination address with the local address of the DNS server in the DMZ. If DNAT were not performed, the DNS server could not receive the request, since it has the address DMZ_DNS_IP, not DNS_IP. The translation is performed by the following rule.

$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $DNS_IP --dport 53 -j DNAT --to-destination $DMZ_DNS_IP

First, recall that DNAT can only be performed in the PREROUTING chain of the nat table. According to this rule, the packet must arrive over TCP on $INET_IFACE with a destination IP that matches our $DNS_IP and be directed to port 53. If such a packet is encountered, the destination address is replaced, i.e. DNAT is performed. The DNAT target is given the replacement address with the --to-destination $DMZ_DNS_IP option. When the reply packet comes back through the firewall, the kernel's network code automatically changes the source address from $DMZ_DNS_IP to $DNS_IP; in other words, the reverse translation of addresses is done automatically and requires no extra rules.

By now you should understand how DNAT works well enough to work through the text of the script on your own without any problems. If anything remains unclear to you and it was not covered in this document, let me know; it is probably my mistake.
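As an added example (this is not part of rc.DMZ.firewall.txt or any other code from the tutorial), the shell functions below build the one-to-one NAT rules for several DMZ services from one service list and emit, for each service, the FORWARD rule the translated packet still has to pass in the filter table: DNAT in PREROUTING only rewrites the destination address, it does not by itself let the packet through. The interface names, the public addresses from the 203.0.113.0/24 documentation range and the service list are constructed for the example; setting IPTABLES=echo prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example, not the tutorial's code: one-to-one NAT for a list of DMZ
# services, with the FORWARD rule that the DNATed packet also needs.
IPTABLES=${IPTABLES:-/usr/sbin/iptables}   # IPTABLES=echo gives a dry run
INET_IFACE=${INET_IFACE:-eth0}             # assumed Internet interface
DMZ_IFACE=${DMZ_IFACE:-eth2}               # assumed DMZ interface

# Constructed service map, one service per line: "proto public_ip port dmz_ip".
# DNS is listed over both TCP and UDP because clients use both.
SERVICES='tcp 203.0.113.10 53 192.168.1.2
udp 203.0.113.10 53 192.168.1.2
tcp 203.0.113.11 80 192.168.1.3'

# dmz_rules_for PROTO PUBLIC_IP PORT DMZ_IP: the two rules one service needs.
# The PREROUTING rule rewrites the destination (the tutorial's DNAT rule, made
# generic); the FORWARD rule accepts the rewritten packet on its way to the DMZ.
# Reply packets are translated back by conntrack, so no reverse rule is added.
dmz_rules_for() {
    proto=$1 pub=$2 port=$3 dmz=$4
    $IPTABLES -t nat -A PREROUTING -p "$proto" -i "$INET_IFACE" -d "$pub" \
        --dport "$port" -j DNAT --to-destination "$dmz"
    $IPTABLES -A FORWARD -p "$proto" -i "$INET_IFACE" -o "$DMZ_IFACE" -d "$dmz" \
        --dport "$port" -j ACCEPT
}

# dmz_rules SERVICE_MAP: expand every line of the map; blank and '#' lines skipped.
dmz_rules() {
    printf '%s\n' "$1" | while read -r proto pub port dmz; do
        case $proto in ''|'#'*) continue ;; esac
        dmz_rules_for "$proto" "$pub" "$port" "$dmz"
    done
}

# Usage from a firewall script: dmz_rules "$SERVICES"
```

Because the rules are appended (-A), they rely on the FORWARD chain having no earlier rule that drops traffic from $INET_IFACE to the DMZ; in a script structured like the tutorial's, call dmz_rules before the generic DROP rules of the FORWARD chain.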


rc.DHCP.firewall.txt

The script requires the following options to be compiled in, either statically or as modules. Without any one of them the script will not work.

  • CONFIG_PACKET
  • CONFIG_NETFILTER
  • CONFIG_IP_NF_CONNTRACK
  • CONFIG_IP_NF_IPTABLES
  • CONFIG_IP_NF_MATCH_LIMIT
  • CONFIG_IP_NF_MATCH_STATE
  • CONFIG_IP_NF_FILTER
  • CONFIG_IP_NF_NAT
  • CONFIG_IP_NF_TARGET_MASQUERADE
  • CONFIG_IP_NF_TARGET_LOG


The rc.DHCP.firewall.txt script is very similar to the original rc.firewall.txt. However, this script no longer uses the STATIC_IP variable, which is the main difference from the original rc.firewall.txt. The reason is that rc.firewall.txt will not work with a dynamic IP address. The changes compared to the original are minimal. This script will be useful for DHCP, PPP and SLIP connections to the Internet.

The main difference in this script is the removal of the STATIC_IP variable and of all references to it. The INET_IFACE variable is used instead. In other words, -d $STATIC_IP is replaced by -i $INET_IFACE. That is really all that needs to be changed.
(Note that here the author means the INET_IP variable when he says STATIC_IP. Translator's note.)

We can no longer set rules in the INPUT chain like this one: --in-interface $LAN_IFACE --dst $INET_IP. This in turn forces us to build rules based only on the network interface. For example, suppose an HTTP server is running on the firewall. If we come to the main page, which contains a static link back to this same server, which runs on a dynamic address, we can run into quite a few problems. The host behind NAT will query DNS for the IP address of the HTTP server and then try to reach that IP. If the firewall filters on interface and IP address, the host will not get an answer, since the INPUT chain will filter such a request. (Most likely the author has the rc.firewall.txt script in mind. Translator's note.) The same holds in some cases where we have a static IP address, but then it can be worked around with rules that check for packets coming from the LAN interface to our INET_IP and ACCEPT them.

After all of the above, the idea of writing a script that handles a dynamic IP may not seem so bad. For example, one could write a script that gets the IP address via ifconfig and substitutes it into the script (where the corresponding variable is defined) that brings up the Internet connection. The excellent site linuxguruz.org has a huge collection of scripts available for download. You will find the link to linuxguruz.org in Other resources and links.

Note

This script is less secure than rc.firewall.txt. I strongly recommend that you use the rc.firewall.txt script if at all possible, since rc.DHCP.firewall.txt is more open to attacks from outside.

Also, you could add something like this to your scripts:

INET_IP=`ifconfig $INET_IFACE | grep inet | cut -d : -f 2 | cut -d \ -f 1`

The command above gets the dynamic IP from the interface, but this approach has serious drawbacks, described below.

  1. If the script is run from another script, which in turn is run by the PPP daemon, this can "hang" all already established connections, because of the rules that drop packets in state NEW without the SYN bit set (see Packets in state NEW with the SYN bit cleared). The problem could of course be solved by removing those rules, but such a solution is rather dubious from a security point of view.

  2. Suppose you have a set of static rules; it would be rather crude to keep erasing and adding rules, risking breaking the existing ones. For example, if you want to block hosts on your LAN from connecting to the firewall, but at the same time run a script from the PPP daemon, how would you do it without erasing your already active rules blocking the LAN?

  3. It can lead to unnecessary complexity, which in turn weakens the protection. The simpler the script, the easier it is to maintain.
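As an added example, not from the tutorial, here is a less fragile way to obtain the dynamic address than the cut chain above: it reads ifconfig output, accepts both the net-tools "inet addr:" form and the newer "inet" form, validates the result as an IPv4 address and refuses to go on when nothing usable is found, so the firewall script never runs with an empty INET_IP (which would turn every "-d $INET_IP" into a match on nothing or, worse, a syntax error that aborts the script half-loaded). The ifconfig output and the address 203.0.113.17 are constructed sample data.

```shell
#!/bin/sh
# Added example, not the tutorial's code: extract the Internet interface's IPv4
# address from ifconfig output and fail closed when there is none.

# Constructed sample of classic (net-tools) ifconfig output for one interface.
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:203.0.113.17  Bcast:203.0.113.255  Mask:255.255.255.0
          inet6 addr: fe80::211:22ff:fe33:4455/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1'

# extract_inet_ip: read ifconfig output on stdin, print the first IPv4 address.
# Handles "inet addr:1.2.3.4" (old net-tools) and "inet 1.2.3.4" (newer output).
extract_inet_ip() {
    awk '
        $1 == "inet" {
            ip = $2
            sub(/^addr:/, "", ip)          # strip the "addr:" prefix if present
            if (ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { print ip; exit 0 }
        }
    '
}

# valid_ipv4 ADDR: return 0 when ADDR has four octets in the range 0-255
# (the awk regex above only checks the shape, not the octet values).
valid_ipv4() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# inet_ip_from_text IFCONFIG_OUTPUT: the glue a firewall script would call.
# Prints the address, or returns 1 (with a message on stderr) instead of
# handing the rules an empty string.
inet_ip_from_text() {
    ip=$(printf '%s\n' "$1" | extract_inet_ip)
    if [ -z "$ip" ] || ! valid_ipv4 "$ip"; then
        echo "no usable IPv4 address found on the interface" >&2
        return 1
    fi
    printf '%s\n' "$ip"
}

# Usage in a script: INET_IP=$(inet_ip_from_text "$(ifconfig "$INET_IFACE")") || exit 1
```

Stopping the script when the address is missing is deliberate: the drawbacks listed above all stem from rules being rewritten at unpredictable moments, and loading a rule set built around an empty variable is the worst of those outcomes.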


rc.UTIN.firewall.txt

The script requires the following options to be compiled in, either statically or as modules. Without any one of them the script will not work.

  • CONFIG_PACKET
  • CONFIG_NETFILTER
  • CONFIG_IP_NF_CONNTRACK
  • CONFIG_IP_NF_IPTABLES
  • CONFIG_IP_NF_MATCH_LIMIT
  • CONFIG_IP_NF_MATCH_STATE
  • CONFIG_IP_NF_FILTER
  • CONFIG_IP_NF_NAT
  • CONFIG_IP_NF_TARGET_LOG


The rc.UTIN.firewall.txt script, unlike the other scripts, blocks the LAN that sits behind the firewall. We trust internal users no more than users from the Internet. In other words, we trust no one, neither on the Internet nor on the local network we are connected to. Therefore Internet access is restricted to the POP3, HTTP and FTP protocols only.

This script follows the golden rule: "trust no one, not even your own employees". It is a sad fact that most of the attacks and break-ins a company suffers are carried out by the company's own employees from the local networks. This script will, I hope, give you some information that helps you strengthen your firewall. It differs little from the original rc.firewall.txt, but contains hints about what we usually let through.


rc.test-iptables.txt

The rc.test-iptables.txt script is intended for testing the various chains, but may need extra tuning depending on your configuration, for example enabling ip_forwarding or setting up masquerading and so on. Nevertheless, in most cases with a basic setup, where the main tables are configured, this script will work. What it actually does is set LOG targets on ping requests and ping replies. This way you can record in the system log which chains were traversed and in what order. Run the script and then execute the following commands:

ping -c 1 host.on.the.internet

And while the first command runs, execute tail -n 0 -f /var/log/messages. Now you should clearly see all the chains used and the order in which they are traversed.

Note

This script was written purely for demonstration purposes. In other words, you should not have logging rules like these, which log all packets without limit. Otherwise you risk becoming easy prey for an attacker who can flood you with packets, "bloat" your log, which may cause a "Denial of Service", and then move on to actually breaking into your system without fear of being detected, since the system will not be able to log it.


rc.flush-iptables.txt

The rc.flush-iptables.txt script has no real value of its own, since it flushes all your tables and chains. At the beginning of the script, the default policies for the INPUT, OUTPUT and FORWARD chains in the filter table are set to ACCEPT. After that the policies for the PREROUTING, POSTROUTING and OUTPUT chains of the nat table are reset to the default. These actions are done first so that no problems arise with closed connections and blocked packets. In practice this script can be used to prepare the firewall for configuration and when debugging your scripts, so here we only take care of clearing the rule set and setting the default policies.

Once the default policies are set, we move on to clearing the contents of the chains in the filter and nat tables, and then all user-defined chains are deleted. After that the script finishes. If you use the mangle table, you will have to add the corresponding lines to the script to handle that table.

Note

A few words in conclusion. Many people ask me why not put a call to this script into rc.firewall, writing something like rc.firewall start to run the script. I have not done so up to now because I believe that a tutorial should carry the main ideas and should not be overloaded with various scripts with odd syntax. Adding specific syntax makes the scripts less readable and the tutorial itself harder to understand, so this guide stays as it is and will continue to stay that way.


Detailed description of special commands

Listing your rule set

To list the rules you run the iptables command with the -L option, which was briefly described earlier in the How to build rules chapter. It looks roughly like this:

iptables -L

This command will print the list of rules in a human-readable form. Port numbers will be converted to service names according to the /etc/services file, and IP addresses will be converted to host names by DNS name resolution. Name resolution can run into problems; for example, having the network 192.168.0.0/16, the DNS service will not be able to determine the host name for the address 192.168.1.1, and as a result the command will hang. To get around this problem, list the rules with an extra option:

iptables -L -n

To print additional information about the chains and rules, run

iptables -L -n -v

There are a number of files in the /proc file system that contain quite interesting information for us. For example, suppose we want to look at the list of connections in the conntrack table. This is the main table that contains the list of tracked connections and the state each of them is in. To view the table, run the command

cat /proc/net/ip_conntrack | less


Updating and flushing your tables

As you go deeper into exploring iptables, the question of removing individual rules from chains without having to reboot the machine will come up more and more often. Now I will try to answer it. If you added some rule by mistake, all you need to do is replace the -A command with the -D command in the rule line. iptables will find the given rule and delete it. If there are several rules that look like the given deletion pattern, the first one found will be erased. If this does not suit you, the -D command can be given the number of the line to delete as a parameter; for example, the command iptables -D INPUT 10 will erase the tenth rule in the INPUT chain. (To find out the rule number, issue the command iptables -L CHAIN_NAME --line-numbers, and the rules will be printed with their numbers. Translator's note.)

To delete the contents of an entire chain, use the -F command. For example, iptables -F INPUT erases all rules in the INPUT chain, but this command does not change the chain's default policy, so if it is set to DROP, everything that enters the INPUT chain will be blocked. To reset the default policy, simply set it back to its initial state, for example iptables -P INPUT ACCEPT.

I have written a small script (described a little earlier) that flushes all tables and chains and resets the chain policies in iptables. Just note that if you use the mangle table, you need to add to this script, since it does not handle that table.
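As an added example (this is not the tutorial's rc.flush-iptables.txt), the script below does the flush described above but also covers the mangle table, and adds a helper that reads "iptables -L CHAIN -n --line-numbers" output to find the number of the first rule matching a pattern, which is exactly what "iptables -D CHAIN N" needs when several rules would match a deletion by specification. The listing used as input is a constructed sample; with IPTABLES=echo the flush only prints what it would run.

```shell
#!/bin/sh
# Added example, not the tutorial's code: flush filter, nat and mangle, and
# look up a rule's number from a numbered listing before deleting it.
IPTABLES=${IPTABLES:-/usr/sbin/iptables}   # IPTABLES=echo gives a dry run

# flush_all_tables: open every policy first, so nothing is blocked while the
# chains are emptied, then flush all chains and delete user-defined ones.
flush_all_tables() {
    for chain in INPUT OUTPUT FORWARD; do
        $IPTABLES -t filter -P "$chain" ACCEPT
    done
    for chain in PREROUTING POSTROUTING OUTPUT; do
        $IPTABLES -t nat -P "$chain" ACCEPT
    done
    for chain in PREROUTING INPUT FORWARD OUTPUT POSTROUTING; do
        $IPTABLES -t mangle -P "$chain" ACCEPT
    done
    for table in filter nat mangle; do
        $IPTABLES -t "$table" -F      # flush every chain in the table
        $IPTABLES -t "$table" -X      # delete all user-defined chains
    done
}

# Constructed sample of "iptables -L INPUT -n --line-numbers" output.
SAMPLE_LISTING='Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    ACCEPT     tcp  --  192.168.0.0/24       0.0.0.0/0            tcp dpt:22
3    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:23
4    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53'

# find_rule_number PATTERN: read a numbered listing on stdin and print the
# number of the first rule line matching the extended regex PATTERN. The two
# header lines are skipped. Returns 1 when no rule matches.
find_rule_number() {
    awk -v pat="$1" '
        NR > 2 && $0 ~ pat { print $1; found = 1; exit }
        END { exit (found ? 0 : 1) }
    '
}

# delete_rule CHAIN PATTERN: resolve the number from a live listing, then
# delete by number so exactly that rule goes, not the first look-alike.
delete_rule() {
    num=$($IPTABLES -L "$1" -n --line-numbers | find_rule_number "$2") || return 1
    $IPTABLES -D "$1" "$num"
}

# Usage: delete_rule INPUT 'tcp dpt:23'
```

Rule numbers shift after every deletion, so when removing several rules, re-read the listing before each delete rather than deleting a list of numbers collected up front.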


Common problems and questions

Problems loading modules

You may run into several problems when trying to load one module or another. For example, a message may be printed that the requested module is missing

insmod: iptable_filter: no module by that name found

There is no reason to worry yet. It is quite possible that the requested module (or modules) was linked into the kernel statically. This is the first thing you should check. To do that, simply run the command

iptables -t filter -L

If all is well, this command will print a list of all chains in the filter table on the terminal. The output should look roughly like this:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

If the filter table is missing, the output will be roughly as follows

iptables v1.2.5: can't initialize iptables table `filter': Table does not exist (do you need to insmod?) Perhaps iptables or your kernel needs to be upgraded.

This is more serious, since this message indicates that either you forgot to install the modules, or you forgot to run depmod -a, or you did not compile the required modules at all. To solve the first problem, run the make modules_install command in the directory with the kernel sources. The second problem is solved by running the depmod -a command. Solving the third problem is beyond the scope of this guide, and in that case I recommend visiting the Linux Documentation Project home page. (Look again at the beginning of the document, where the process of installing iptables is described. Translator's note.)

Other errors you may get when running iptables:

iptables: No chain/target/match by that name

This error reports that there is no such chain, target or match. It can depend on a huge number of factors; most likely you are trying to use a non-existent (or not yet defined) chain, or a non-existent target or match. Or it is because the required module is not loaded.


Passive FTP without DCC

This is one of the nice features of the new iptables supported by the 2.4.x series kernels: you can allow Passive FTP and deny DCC transfers with the help of the new connection tracking code. You may ask "How?"; it is quite simple. To make this possible, you need to compile ip_conntrack_irc, ip_nat_irc, ip_conntrack_ftp and ip_nat_ftp as loadable modules rather than as static code in the kernel. What these modules do is add tracking and NAT support for Passive FTP and DCC send. Without these modules the kernel's network code cannot correctly handle connections of this type.

If, for example, you want to allow Passive FTP while denying DCC send, you need to load the ip_conntrack_ftp and ip_nat_ftp modules and NOT load the ip_conntrack_irc and ip_nat_irc modules, and then add the rule:

iptables -A INPUT -p TCP -m state --state RELATED -j ACCEPT

This will allow Passive FTP connections, but not DCC. If you need the opposite, to deny Passive FTP and allow DCC, you do exactly the reverse: load the ip_conntrack_irc and ip_nat_irc modules and do NOT load the ip_conntrack_ftp and ip_nat_ftp modules. Note that the ip_nat_* modules are only needed if your firewall performs Network Address Translation or masquerading when connecting local hosts to the Internet.

For more information on Active and Passive FTP, read RFC 959 - File Transfer Protocol by J. Postel and J. Reynolds. This RFC contains information about the FTP protocol, Active and Passive FTP and how they work. As that document describes, in Active FTP the client sends the server its IP and a port it chose at random for the connection. The server then connects to that port on the client. If your client is behind a firewall performing NAT, the data section of the packets must be translated, which is what the ip_nat_ftp module does. In Passive FTP the procedure is reversed. The client tells the server that it wants to send or receive data, and the server in its reply tells the client which address to connect to and which port to use.


Packets in state NEW with the SYN bit cleared

This property of iptables is not well documented, so many may pay it insufficient attention (myself included). If you use rules that match packet state NEW but do not check the state of the SYN bit, packets with the SYN bit cleared can "slip through" your defenses. Although, when we use several firewalls, such a packet may be part of an ESTABLISHED connection set up through another firewall. By letting such packets through we make it possible for two or more firewalls to work together, and any of them can be stopped without fear of breaking established connections, since the other firewall immediately takes over the data transfer. However, this allows practically any TCP connection to be set up. To avoid this, the following rules should be added to the INPUT, OUTPUT and FORWARD chains:

$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

Caution

The rules above take care of this problem. Be extremely careful when building rules that make decisions based on packet state.

Note that there are some troubles with the rules above and Microsoft's poor TCP/IP implementation. The thing is that under some conditions packets generated by Microsoft software are marked as NEW and, according to these rules, will be dropped. This does not, however, break connections, as far as I know. It happens because, when a connection is closed and the final FIN/ACK packet is sent, netfilter closes this connection and removes it from the conntrack table. At this moment the defective Microsoft code sends another packet, which is given state NEW, but this packet does not have the SYN bit set and therefore matches the rules above. In short, do not worry much about these rules. If anything, you can look at the system log, where the dropped packets are logged (see the rules above), and sort them out.

There is one more known problem with these rules. If someone is currently connected to the firewall, for example from the LAN, and activates PPP, the connection will be killed. This happens at the moment the conntrack and nat modules are loaded or unloaded. Another way to get this problem is to run the rc.firewall.txt script from a telnet connection from another computer. To do that you connect to the firewall by telnet. You run rc.firewall.txt, during which the connection tracking modules are loaded and the "NEW not SYN" rules are loaded. When the telnet client or daemon tries to send something, the connection is recognized by the tracking code as NEW, but the packets do not have the SYN bit set, since they are in fact part of an already established connection. Consequently the packet will match the rules, as a result of which it will be logged and dropped.
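As an added example (not from the tutorial), the block below installs the log-and-drop pair in all three filter chains as the text recommends, with a limit match (rate values chosen for this example) so a packet flood cannot fill the log, and then summarises the resulting "New not syn:" log lines per source address. The log lines are constructed samples in the format the LOG target writes to /var/log/messages; a LAN host with one stray FIN/ACK is the Microsoft-stack case described above, while an Internet source hitting several ports is worth a closer look.

```shell
#!/bin/sh
# Added example, not the tutorial's code: "NEW but not SYN" rules for all
# three chains, and a per-source summary of what they log.
IPTABLES=${IPTABLES:-/usr/sbin/iptables}   # IPTABLES=echo gives a dry run

# new_not_syn_rules: one LOG and one DROP rule per chain. The limit match
# (values chosen here, not from the tutorial) caps log lines per minute so an
# attacker cannot use these rules to bloat the log, as the rc.test-iptables
# note warns; the DROP rule has no limit and applies to every such packet.
new_not_syn_rules() {
    for chain in INPUT OUTPUT FORWARD; do
        $IPTABLES -A "$chain" -p tcp ! --syn -m state --state NEW \
            -m limit --limit 3/minute --limit-burst 5 \
            -j LOG --log-prefix "New not syn:"
        $IPTABLES -A "$chain" -p tcp ! --syn -m state --state NEW -j DROP
    done
}

# Constructed /var/log/messages lines in the format produced by the LOG target.
SAMPLE_LOG='May 27 10:01:02 fw kernel: New not syn:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.17 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=1234 DF PROTO=TCP SPT=4321 DPT=80 WINDOW=0 RES=0x00 ACK FIN URGP=0
May 27 10:01:05 fw kernel: New not syn:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.17 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=1235 DF PROTO=TCP SPT=4322 DPT=22 WINDOW=0 RES=0x00 ACK URGP=0
May 27 10:02:11 fw kernel: New not syn:IN=eth1 OUT= MAC=00:11:22:33:44:56:00:0c:29:aa:bb:cc:08:00 SRC=192.168.0.2 DST=203.0.113.17 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=77 DF PROTO=TCP SPT=1040 DPT=80 WINDOW=0 RES=0x00 ACK FIN URGP=0
May 27 10:02:12 fw sshd[123]: Accepted publickey for admin from 192.168.0.2'

# summarise_new_not_syn: read log lines on stdin and print one line per
# source, "count src ports", busiest source first. Lines without the prefix
# (other daemons' messages) are ignored.
summarise_new_not_syn() {
    grep 'New not syn:' | awk '
        {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src == "") next
            count[src]++
            if (!seen[src, dpt]++)
                ports[src] = (ports[src] == "" ? dpt : ports[src] "," dpt)
        }
        END { for (s in count) printf "%d %s %s\n", count[s], s, ports[s] }
    ' | sort -rn
}

# Usage: summarise_new_not_syn < /var/log/messages
```

In the constructed sample the summary puts 198.51.100.7 first with ports 80 and 22: an Internet source sending ACK-only segments to several ports in a row, which looks nothing like the single leftover FIN/ACK from a LAN workstation.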


Internet Service Providers who use reserved IP addresses

I have added this section to warn you about dim-witted Internet Service Providers who assign IP addresses that IANA has set aside for local networks. For example, the Swedish Internet Service Provider and telephone monopoly Telia uses such addresses, for instance for their DNS servers, which use the 10.x.x.x range. The problem you will most likely run into is that in our scripts we do not allow connections from any IP in the 10.x.x.x range, because of the possibility of packet spoofing. If you run into this situation, you will probably have to remove some of the rules. Or set rules that let traffic from these servers through before the INPUT chain, for example like this:

/usr/local/sbin/iptables -t nat -I PREROUTING -i eth1 -s 10.0.0.1/32 -j ACCEPT

I would like to remind such providers that these address ranges are not intended for use on the Internet. For corporate networks, by all means; for your own home networks, fine! But you should not force us to "open up" at your whim.


How to allow DHCP requests through iptables

This task is actually quite simple, if you know the principles of the DHCP protocol. First of all you need to know that DHCP works over the UDP protocol. Consequently, the protocol is the first match. Next, you need to specify the interface; for example, if DHCP requests come via $LAN_IFACE, DHCP request traffic should be allowed only on that interface. And finally, to make the rule more specific, you should specify the ports. DHCP uses ports 67 and 68. Thus the rule we need may look as follows:

$IPTABLES -I INPUT -i $LAN_IFACE -p udp --dport 67:68 --sport 67:68 -j ACCEPT

Note that this rule lets through all UDP traffic between ports 67 and 68, but this should not worry you much, since it only allows requests from network hosts trying to connect to ports 67 and 68. This rule is quite sufficient to allow DHCP requests without "opening the gates" too wide. If you are very concerned about security, you can tighten this rule.
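As an added example (not from the tutorial), the rule from the text is placed next to a tighter pair that admits only the exchange DHCP actually performs, and two small matcher functions show which packets the broad rule admits that the tight one does not. The interface name eth1 is an assumption of the example.

```shell
#!/bin/sh
# Added example, not the tutorial's code: the broad DHCP rule quoted in the
# text beside a tighter pair, plus matchers to compare what each admits.
IPTABLES=${IPTABLES:-/usr/sbin/iptables}   # IPTABLES=echo prints instead of loading
LAN_IFACE=${LAN_IFACE:-eth1}               # assumed LAN interface name

# dhcp_rules_broad: the rule as given in the text. A port range on both sides
# also admits 67->67 and 68->68, which no DHCP exchange uses.
dhcp_rules_broad() {
    $IPTABLES -I INPUT -i "$LAN_IFACE" -p udp --dport 67:68 --sport 67:68 -j ACCEPT
}

# dhcp_rules_tight: client requests (port 68 -> 67) come in, and the firewall's
# own server replies (67 -> 68) go out. No source-address match is possible on
# the request: a client without a lease sends from 0.0.0.0 to 255.255.255.255.
dhcp_rules_tight() {
    $IPTABLES -I INPUT  -i "$LAN_IFACE" -p udp --sport 68 --dport 67 -j ACCEPT
    $IPTABLES -I OUTPUT -o "$LAN_IFACE" -p udp --sport 67 --dport 68 -j ACCEPT
}

# in_range N LOW HIGH: 0 when LOW <= N <= HIGH (models an iptables port range).
in_range() { [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]; }

# dhcp_match_broad / dhcp_match_tight IFACE PROTO SPORT DPORT: evaluate an
# incoming packet against the INPUT rule of each set; 0 means ACCEPT.
dhcp_match_broad() {
    [ "$1" = "$LAN_IFACE" ] && [ "$2" = udp ] && in_range "$3" 67 68 && in_range "$4" 67 68
}
dhcp_match_tight() {
    [ "$1" = "$LAN_IFACE" ] && [ "$2" = udp ] && [ "$3" -eq 68 ] && [ "$4" -eq 67 ]
}
```

The OUTPUT rule is only needed when the firewall itself is the DHCP server for the LAN; if a separate server answers the clients, the firewall never emits packets from port 67 and the INPUT rule alone is enough.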


mIRC DCC problems

mIRC uses specific settings that allow it to connect through a firewall and handle DCC connections properly. If these settings are used together with iptables, more precisely with the ip_conntrack_irc and ip_nat_irc modules, this combination simply will not work. The problem is that mIRC automatically performs network address translation (NAT) inside the packets. As a result, when a packet reaches iptables, it simply does not know what to do with it. mIRC does not expect the firewall to be "smart" enough to handle IRC correctly, and so it asks the server for its own IP by itself and then substitutes it when sending the DCC request.

Turning on the "I am behind a firewall" option and using the ip_conntrack_irc and ip_nat_irc modules results in netfilter writing the message "Forged DCC send packet" to the system log.

This problem has a simple solution: turn off this option in mIRC and let iptables do all the work.


ICMP types

This is the complete list of ICMP message types:

Table 1. ICMP types

TYPE  CODE  Description                                             Query  Error
0     0     Echo Reply                                              x
3     0     Network Unreachable                                            x
3     1     Host Unreachable                                               x
3     2     Protocol Unreachable                                           x
3     3     Port Unreachable                                               x
3     4     Fragmentation needed but no frag. bit set                      x
3     5     Source routing failed                                          x
3     6     Destination network unknown                                    x
3     7     Destination host unknown                                       x
3     8     Source host isolated (obsolete)                                x
3     9     Destination network administratively prohibited                x
3     10    Destination host administratively prohibited                   x
3     11    Network unreachable for TOS                                    x
3     12    Host unreachable for TOS                                       x
3     13    Communication administratively prohibited by filtering         x
3     14    Host precedence violation                                      x
3     15    Precedence cutoff in effect                                    x
4     0     Source quench
5     0     Redirect for network
5     1     Redirect for host
5     2     Redirect for TOS and network
5     3     Redirect for TOS and host
8     0     Echo request                                            x
9     0     Router advertisement
10    0     Router solicitation
11    0     TTL equals 0 during transit                                    x
11    1     TTL equals 0 during reassembly                                 x
12    0     IP header bad (catchall error)                                 x
12    1     Required options missing                                       x
13    0     Timestamp request (obsolete)                            x
14    0     Timestamp reply (obsolete)                              x
15    0     Information request (obsolete)                          x
16    0     Information reply (obsolete)                            x
17    0     Address mask request                                    x
18    0     Address mask reply                                      x

Other resources and links

Here is a list of links where you can get more information:

  • ip-sysctl.txt - from the documentation of the 2.4.14 kernel. A small but good reference on the kernel's networking settings.

  • ip_dynaddr.txt - from the documentation of the 2.4.14 kernel. A small reference on the ip_dynaddr settings available through sysctl and the /proc file system.

  • iptables.8 - The man page for iptables 1.2.4 in HTML format. An excellent guide to building iptables rules. Always useful to have at hand.

  • http://netfilter.filewatcher.org/ - The official netfilter and iptables site. A must for anyone wanting to set up iptables and netfilter on Linux.

  • http://netfilter.filewatcher.org/netfilter-faq.html - The official netfilter FAQ (Frequently Asked Questions).

  • http://netfilter.filewatcher.org/unreliable-guides/packet-filtering-HOWTO/index.html - Rusty Russell's Unreliable Guide to packet filtering. Excellent documentation on the basics of packet filtering with iptables, written by one of the developers of iptables and netfilter.

  • http://netfilter.filewatcher.org/unreliable-guides/NAT-HOWTO/index.html - Rusty Russell's Unreliable Guide to Network Address Translation. Excellent documentation on Network Address Translation in iptables and netfilter, written by one of the core developers, Rusty Russell.

  • http://netfilter.filewatcher.org/unreliable-guides/netfilter-hacking-HOWTO/index.html - Rusty Russell's Unreliable Netfilter Hacking HOWTO. One of the few documents on writing code that works with netfilter and iptables. Also written by Rusty Russell.

  • http://www.linuxguruz.org/iptables/ - Contains a great many links on the subject. There is a list of iptables scripts for various purposes.

  • http://www.islandsoft.net/veerapen.html - An excellent discussion of automating iptables, for example how, with minor changes, to make your computer automatically add "unwanted" sites to a special banlist in iptables.

  • http://kalamazoolinux.org/presentations/20010417/conntrack.html - An excellent description of the connection tracking modules. If you are interested in connection tracking, you should read this.

  • http://www.docum.org - One of the few sites with information on the Linux CBQ, tc and ip commands. The site is maintained by Stef Coene.

  • http://lists.samba.org/mailman/listinfo/netfilter - The official netfilter mailing list. Extremely useful for resolving questions about iptables and netfilter.

And of course the iptables source code, documentation and the people who helped me.


Acknowledgements

I would like to express special thanks to the people who gave me invaluable help in creating this document:

  • Fabrice Marie, as chief editor, for correcting my terrible mistakes. Also huge thanks for converting this document to the DocBook format.

  • Marc Boucher, for help with some aspects of the state matching code.

  • Frode E. Nyboe, for improving the rc.firewall rules, for inspiring me to rewrite the rules and for introducing several tables into the same file.

  • Chapman Brad, Alexander W. Janssen, for help in understanding the order in which packets traverse the main NAT and filter tables.

  • Michiel Brandenburg, Myles Uyema, for help in getting working rules that use the state matching criteria.

  • Kent `Artech' Stahre, for help with the graphics. I know I am a poor designer, and you are the best I know ;). Also thanks for finding errors in this document.

  • Anders 'DeZENT' Johansson, for information about strange providers (ISPs) that use addresses reserved for local networks.

  • Jeremy `Spliffy' Smith, for numerous hints and for catching my mistakes.

And of course everyone who answered my questions and gave their opinions on this document. I am very sorry I cannot mention everyone.

èÒÏÎÏÌÏÇÉÑ

Version 1.1.11 (27 May 2002)
http://www.netfilter.org/tutorial/
By: Oskar Andreasson
Contributors: Steve Hnizdur, Lonni Friedman, Jelle Kalf, Harald Welte,
Valentina Barrios and Tony Earnshaw.

Version 1.1.9 (21 March 2002)
http://www.boingworld.com/workshops/linux/iptables-tutorial/
By: Oskar Andreasson
Contributors: Vince Herried, Togan Muftuoglu, Galen Johnson, Kelly Ashe, Janne
Johansson, Thomas Smets, Peter Horst, Mitch Landers, Neil Jolly, Jelle Kalf,
Jason Lam and Evan Nemerson

Version 1.1.8 (5 March 2002)
http://www.boingworld.com/workshops/linux/iptables-tutorial/
By: Oskar Andreasson

Version 1.1.7 (4 February 2002)
http://www.boingworld.com/workshops/linux/iptables-tutorial/
By: Oskar Andreasson
Contributors: Parimi Ravi, Phil Schultz, Steven McClintoc, Bill Dossett,
Dave Wreski, Erik Sjölund, Adam Mansbridge, Vasoo Veerapen, Aladdin and
Rusty Russell.

Version 1.1.6 (7 December 2001)
http://people.unix-fu.org/andreasson/
By: Oskar Andreasson
Contributors: Jim Ramsey, Phil Schultz, Göran Båge, Doug Monroe, Jasper
Aikema, Kurt Lieber, Chris Tallon, Chris Martin, Jonas Pasche, Jan
Labanowski, Rodrigo R. Branco, Jacco van Koll and Dave Wreski

Version 1.1.5 (14 November 2001)
http://people.unix-fu.org/andreasson/
By: Oskar Andreasson
Contributors: Fabrice Marie, Merijn Schering and Kurt Lieber

Version 1.1.4 (6 November 2001)
http://people.unix-fu.org/andreasson
By: Oskar Andreasson
Contributors: Stig W. Jensen, Steve Hnizdur, Chris Pluta and Kurt Lieber

Version 1.1.3 (9 October 2001)
http://people.unix-fu.org/andreasson
By: Oskar Andreasson
Contributors: Joni Chu, N. Emile Akabi-Davis and Jelle Kalf

Version 1.1.2 (29 September 2001)
http://people.unix-fu.org/andreasson
By: Oskar Andreasson

Version 1.1.1 (26 September 2001)
http://people.unix-fu.org/andreasson
By: Oskar Andreasson
Contributors: Dave Richardson

Version 1.1.0 (15 September 2001)
http://people.unix-fu.org/andreasson
By: Oskar Andreasson

Version 1.0.9 (9 September 2001)
http://people.unix-fu.org/andreasson
By: Oskar Andreasson

Version 1.0.8 (7 September 2001)
http://people.unix-fu.org/andreasson
By: Oskar Andreasson

Version 1.0.7 (23 August 2001)
http://people.unix-fu.org/andreasson
By: Oskar Andreasson
Contributors: Fabrice Marie

Version 1.0.6
http://people.unix-fu.org/andreasson
By: Oskar Andreasson

Version 1.0.5
http://people.unix-fu.org/andreasson
By: Oskar Andreasson
Contributors: Fabrice Marie


GNU Free Documentation License

Version 1.1, March 2000

Copyright (C) 2000 Free Software Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.


0. PREAMBLE

The purpose of this License is to make a manual, textbook, or other written document "free" in the sense of freedom: to assure everyone the effective freedom to copy and redistribute it, with or without modifying it, either commercially or noncommercially. Secondarily, this License preserves for the author and publisher a way to get credit for their work, while not being considered responsible for modifications made by others.

This License is a kind of "copyleft", which means that derivative works of the document must themselves be free in the same sense. It complements the GNU General Public License, which is a copyleft license designed for free software.

We have designed this License in order to use it for manuals for free software, because free software needs free documentation: a free program should come with manuals providing the same freedoms that the software does. But this License is not limited to software manuals; it can be used for any textual work, regardless of subject matter or whether it is published as a printed book. We recommend this License principally for works whose purpose is instruction or reference.


1. APPLICABILITY AND DEFINITIONS

This License applies to any manual or other work that contains a notice placed by the copyright holder saying it can be distributed under the terms of this License. The "Document", below, refers to any such manual or work. Any member of the public is a licensee, and is addressed as "you".

A "Modified Version" of the Document means any work containing the Document or a portion of it, either copied verbatim, or with modifications and/or translated into another language.

A "Secondary Section" is a named appendix or a front-matter section of the Document that deals exclusively with the relationship of the publishers or authors of the Document to the Document's overall subject (or to related matters) and contains nothing that could fall directly within that overall subject. (For example, if the Document is in part a textbook of mathematics, a Secondary Section may not explain any mathematics.) The relationship could be a matter of historical connection with the subject or with related matters, or of legal, commercial, philosophical, ethical or political position regarding them.

The "Invariant Sections" are certain Secondary Sections whose titles are designated, as being those of Invariant Sections, in the notice that says that the Document is released under this License.

The "Cover Texts" are certain short passages of text that are listed, as Front-Cover Texts or Back-Cover Texts, in the notice that says that the Document is released under this License.

A "Transparent" copy of the Document means a machine-readable copy, represented in a format whose specification is available to the general public, whose contents can be viewed and edited directly and straightforwardly with generic text editors or (for images composed of pixels) generic paint programs or (for drawings) some widely available drawing editor, and that is suitable for input to text formatters or for automatic translation to a variety of formats suitable for input to text formatters. A copy made in an otherwise Transparent file format whose markup has been designed to thwart or discourage subsequent modification by readers is not Transparent. A copy that is not "Transparent" is called "Opaque".

Examples of suitable formats for Transparent copies include plain ASCII without markup, Texinfo input format, LaTeX input format, SGML or XML using a publicly available DTD, and standard-conforming simple HTML designed for human modification. Opaque formats include PostScript, PDF, proprietary formats that can be read and edited only by proprietary word processors, SGML or XML for which the DTD and/or processing tools are not generally available, and the machine-generated HTML produced by some word processors for output purposes only.

The "Title Page" means, for a printed book, the title page itself, plus such following pages as are needed to hold, legibly, the material this License requires to appear in the title page. For works in formats which do not have any title page as such, "Title Page" means the text near the most prominent appearance of the work's title, preceding the beginning of the body of the text.


2. VERBATIM COPYING

You may copy and distribute the Document in any medium, either commercially or noncommercially, provided that this License, the copyright notices, and the license notice saying this License applies to the Document are reproduced in all copies, and that you add no other conditions whatsoever to those of this License. You may not use technical measures to obstruct or control the reading or further copying of the copies you make or distribute. However, you may accept compensation in exchange for copies. If you distribute a large enough number of copies you must also follow the conditions in section 3.

You may also lend copies, under the same conditions stated above, and you may publicly display copies.


3. COPYING IN QUANTITY

If you publish printed copies of the Document numbering more than 100, and the Document's license notice requires Cover Texts, you must enclose the copies in covers that carry, clearly and legibly, all these Cover Texts: Front-Cover Texts on the front cover, and Back-Cover Texts on the back cover. Both covers must also clearly and legibly identify you as the publisher of these copies. The front cover must present the full title with all words of the title equally prominent and visible. You may add other material on the covers in addition. Copying with changes limited to the covers, as long as they preserve the title of the Document and satisfy these conditions, can be treated as verbatim copying in other respects.

If the required texts for either cover are too voluminous to fit legibly, you should put the first ones listed (as many as fit reasonably) on the actual cover, and continue the rest onto adjacent pages.

If you publish or distribute Opaque copies of the Document numbering more than 100, you must either include a machine-readable Transparent copy along with each Opaque copy, or state in or with each Opaque copy a publicly-accessible computer-network location containing a complete Transparent copy of the Document, free of added material, which the general network-using public has access to download anonymously at no charge using public-standard network protocols. If you use the latter option, you must take reasonably prudent steps, when you begin distribution of Opaque copies in quantity, to ensure that this Transparent copy will remain thus accessible at the stated location until at least one year after the last time you distribute an Opaque copy (directly or through your agents or retailers) of that edition to the public.

It is requested, but not required, that you contact the authors of the Document well before redistributing any large number of copies, to give them a chance to provide you with an updated version of the Document.


4. MODIFICATIONS

You may copy and distribute a Modified Version of the Document under the conditions of sections 2 and 3 above, provided that you release the Modified Version under precisely this License, with the Modified Version filling the role of the Document, thus licensing distribution and modification of the Modified Version to whoever possesses a copy of it. In addition, you must do these things in the Modified Version:

  1. Use in the Title Page (and on the covers, if any) a title distinct from that of the Document, and from those of previous versions (which should, if there were any, be listed in the History section of the Document). You may use the same title as a previous version if the original publisher of that version gives permission.

  2. List on the Title Page, as authors, one or more persons or entities responsible for authorship of the modifications in the Modified Version, together with at least five of the principal authors of the Document (all of its principal authors, if it has less than five).

  3. State on the Title page the name of the publisher of the Modified Version, as the publisher.

  4. Preserve all the copyright notices of the Document.

  5. Add an appropriate copyright notice for your modifications adjacent to the other copyright notices.

  6. Include, immediately after the copyright notices, a license notice giving the public permission to use the Modified Version under the terms of this License, in the form shown in the Addendum below.

  7. Preserve in that license notice the full lists of Invariant Sections and required Cover Texts given in the Document's license notice.

  8. Include an unaltered copy of this License.

  9. Preserve the section entitled "History", and its title, and add to it an item stating at least the title, year, new authors, and publisher of the Modified Version as given on the Title Page. If there is no section entitled "History" in the Document, create one stating the title, year, authors, and publisher of the Document as given on its Title Page, then add an item describing the Modified Version as stated in the previous sentence.

  10. Preserve the network location, if any, given in the Document for public access to a Transparent copy of the Document, and likewise the network locations given in the Document for previous versions it was based on. These may be placed in the "History" section. You may omit a network location for a work that was published at least four years before the Document itself, or if the original publisher of the version it refers to gives permission.

  11. In any section entitled "Acknowledgements" or "Dedications", preserve the section's title, and preserve in the section all the substance and tone of each of the contributor acknowledgements and/or dedications given therein.

  12. Preserve all the Invariant Sections of the Document, unaltered in their text and in their titles. Section numbers or the equivalent are not considered part of the section titles.

  13. Delete any section entitled "Endorsements". Such a section may not be included in the Modified Version.

  14. Do not retitle any existing section as "Endorsements" or to conflict in title with any Invariant Section.

If the Modified Version includes new front-matter sections or appendices that qualify as Secondary Sections and contain no material copied from the Document, you may at your option designate some or all of these sections as invariant. To do this, add their titles to the list of Invariant Sections in the Modified Version's license notice. These titles must be distinct from any other section titles.

You may add a section entitled "Endorsements", provided it contains nothing but endorsements of your Modified Version by various parties--for example, statements of peer review or that the text has been approved by an organization as the authoritative definition of a standard.

You may add a passage of up to five words as a Front-Cover Text, and a passage of up to 25 words as a Back-Cover Text, to the end of the list of Cover Texts in the Modified Version. Only one passage of Front-Cover Text and one of Back-Cover Text may be added by (or through arrangements made by) any one entity. If the Document already includes a cover text for the same cover, previously added by you or by arrangement made by the same entity you are acting on behalf of, you may not add another; but you may replace the old one, on explicit permission from the previous publisher that added the old one.

The author(s) and publisher(s) of the Document do not by this License give permission to use their names for publicity for or to assert or imply endorsement of any Modified Version.


5. COMBINING DOCUMENTS

You may combine the Document with other documents released under this License, under the terms defined in section 4 above for modified versions, provided that you include in the combination all of the Invariant Sections of all of the original documents, unmodified, and list them all as Invariant Sections of your combined work in its license notice.

The combined work need only contain one copy of this License, and multiple identical Invariant Sections may be replaced with a single copy. If there are multiple Invariant Sections with the same name but different contents, make the title of each such section unique by adding at the end of it, in parentheses, the name of the original author or publisher of that section if known, or else a unique number. Make the same adjustment to the section titles in the list of Invariant Sections in the license notice of the combined work.

In the combination, you must combine any sections entitled "History" in the various original documents, forming one section entitled "History"; likewise combine any sections entitled "Acknowledgements", and any sections entitled "Dedications". You must delete all sections entitled "Endorsements."


6. COLLECTIONS OF DOCUMENTS

You may make a collection consisting of the Document and other documents released under this License, and replace the individual copies of this License in the various documents with a single copy that is included in the collection, provided that you follow the rules of this License for verbatim copying of each of the documents in all other respects.

You may extract a single document from such a collection, and distribute it individually under this License, provided you insert a copy of this License into the extracted document, and follow this License in all other respects regarding verbatim copying of that document.


7. AGGREGATION WITH INDEPENDENT WORKS

A compilation of the Document or its derivatives with other separate and independent documents or works, in or on a volume of a storage or distribution medium, does not as a whole count as a Modified Version of the Document, provided no compilation copyright is claimed for the compilation. Such a compilation is called an "aggregate", and this License does not apply to the other self-contained works thus compiled with the Document, on account of their being thus compiled, if they are not themselves derivative works of the Document.

If the Cover Text requirement of section 3 is applicable to these copies of the Document, then if the Document is less than one quarter of the entire aggregate, the Document's Cover Texts may be placed on covers that surround only the Document within the aggregate. Otherwise they must appear on covers around the whole aggregate.


8. TRANSLATION

Translation is considered a kind of modification, so you may distribute translations of the Document under the terms of section 4. Replacing Invariant Sections with translations requires special permission from their copyright holders, but you may include translations of some or all Invariant Sections in addition to the original versions of these Invariant Sections. You may include a translation of this License provided that you also include the original English version of this License. In case of a disagreement between the translation and the original English version of this License, the original English version will prevail.


9. TERMINATION

You may not copy, modify, sublicense, or distribute the Document except as expressly provided for under this License. Any other attempt to copy, modify, sublicense or distribute the Document is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.


10. FUTURE REVISIONS OF THIS LICENSE

The Free Software Foundation may publish new, revised versions of the GNU Free Documentation License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. See http://www.gnu.org/copyleft/.

Each version of the License is given a distinguishing version number. If the Document specifies that a particular numbered version of this License "or any later version" applies to it, you have the option of following the terms and conditions either of that specified version or of any later version that has been published (not as a draft) by the Free Software Foundation. If the Document does not specify a version number of this License, you may choose any version ever published (not as a draft) by the Free Software Foundation.


How to use this License for your documents

To use this License in a document you have written, include a copy of the License in the document and put the following copyright and license notices just after the title page:

Copyright (c) YEAR YOUR NAME. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1 or any later version published by the Free Software Foundation; with the Invariant Sections being LIST THEIR TITLES, with the Front-Cover Texts being LIST, and with the Back-Cover Texts being LIST. A copy of the license is included in the section entitled "GNU Free Documentation License".

If you have no Invariant Sections, write "with no Invariant Sections" instead of saying which ones are invariant. If you have no Front-Cover Texts, write "no Front-Cover Texts" instead of "Front-Cover Texts being LIST"; likewise for Back-Cover Texts.

If your document contains nontrivial examples of program code, we recommend releasing these examples in parallel under your choice of free software license, such as the GNU General Public License, to permit their use in free software.


GNU General Public License

Version 2, June 1991

Copyright (C) 1989, 1991 Free Software Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.


0. Preamble

The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Library General Public License instead.) You can apply it to your programs, too.

When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things.

To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it.

For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights.

We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software.

Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations.

Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all.

The precise terms and conditions for copying, distribution and modification follow.


1. TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

  0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you".

    Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does.

  1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program.

    You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.

  2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:

    a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change.

    b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License.

    c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.)

    These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.

    Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program.

    In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.

  3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following:

    a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,

    b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,

    c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.)

    The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.

    If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code.

  4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.

  5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it.

  6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License.

  7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program.

    If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances.

    It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice.

    This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.

    If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License.

  9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.

    Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation.

  10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.

  11. NO WARRANTY

    BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

  12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

END OF TERMS AND CONDITIONS


2. How to Apply These Terms to Your New Programs

If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms.

To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found.

<one line to give the program's name and a brief idea of what it does.>
Copyright (C) <year> <name of author>

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

Also add information on how to contact you by electronic and paper mail.

If the program is interactive, make it output a short notice like this when it starts in an interactive mode:

Gnomovision version 69, Copyright (C) year name of author
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
This is free software, and you are welcome to redistribute it
under certain conditions; type `show c' for details.

The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than `show w' and `show c'; they could even be mouse-clicks or menu items--whatever suits your program.

You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the program, if necessary. Here is a sample; alter the names:

Yoyodyne, Inc., hereby disclaims all copyright interest in the program
`Gnomovision' (which makes passes at compilers) written by James Hacker.

<signature of Ty Coon>, 1 April 1989
Ty Coon, President of Vice

This General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Library General Public License instead of this License.


Example scripts codebase

Example rc.firewall script

#!/bin/sh
#
# rc.firewall - Initial SIMPLE IP Firewall script for Linux 2.4.x and iptables
#
# Copyright (C) 2001  Oskar Andreasson <bluefluxATkoffeinDOTnet>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA  02111-1307   USA
#

###########################################################################
#
# 1. Configuration options.
#

#
# 1.1 Internet Configuration.
#

INET_IP="194.236.50.155"
INET_IFACE="eth0"

#
# 1.1.1 DHCP
#

#
# 1.1.2 PPPoE
#

#
# 1.2 Local Area Network configuration.
#
# your LAN's address range and the firewall's own LAN IP. /16 means to match
# only the first 16 bits of the 32 bit IP address, the same as netmask 255.255.0.0
#

LAN_IP="192.168.0.2"
LAN_IP_RANGE="192.168.0.0/16"
LAN_BCAST_ADRESS="192.168.255.255"
LAN_IFACE="eth1"

#
# 1.3 DMZ Configuration.
#

#
# 1.4 Localhost Configuration.
#

LO_IFACE="lo"
LO_IP="127.0.0.1"

#
# 1.5 IPTables Configuration.
#

IPTABLES="/usr/sbin/iptables"

#
# 1.6 Other Configuration.
#

###########################################################################
#
# 2. Module loading.
#

#
# Needed to initially load modules
#

/sbin/depmod -a

#
# 2.1 Required modules
#

/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state

#
# 2.2 Non-Required modules
#

#/sbin/modprobe ipt_owner
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc

###########################################################################
#
# 3. /proc set up.
#

#
# 3.1 Required proc configuration
#

echo "1" > /proc/sys/net/ipv4/ip_forward

#
# 3.2 Non-Required proc configuration
#

#echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
#echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr

###########################################################################
#
# 4. rules set up.
#

######
# 4.1 Filter table
#

#
# 4.1.1 Set policies
#

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

#
# 4.1.2 Create userspecified chains
#

#
# Create chain for bad tcp packets
#

$IPTABLES -N bad_tcp_packets

#
# Create separate chains for ICMP, TCP and UDP to traverse
#

$IPTABLES -N allowed
$IPTABLES -N icmp_packets
$IPTABLES -N tcp_packets
$IPTABLES -N udpincoming_packets

#
# 4.1.3 Create content in userspecified chains
#

#
# bad_tcp_packets chain
#

$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

#
# allowed chain
#

$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

#
# TCP rules
#

$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed

#
# UDP ports
#

#$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --destination-port 53 -j ACCEPT
#$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --destination-port 123 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --destination-port 2074 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --destination-port 4000 -j ACCEPT

#
# ICMP rules
#

$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

#
# 4.1.4 INPUT chain
#

#
# Bad TCP packets we don't want.
#

$IPTABLES -A INPUT -p tcp -j bad_tcp_packets

#
# Rules for special networks not part of the Internet
#

$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT

#
# Rules for incoming packets from the internet.
#

$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED \
-j ACCEPT
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udpincoming_packets
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets

#
# Log weird packets that don't match the above.
#

$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT INPUT packet died: "

#
# 4.1.5 FORWARD chain
#

#
# Bad TCP packets we don't want
#

$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets

#
# Accept the packets we actually want to forward
#

$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT FORWARD packet died: "

#
# 4.1.6 OUTPUT chain
#

#
# Bad TCP packets we don't want.
#

$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets

#
# Special OUTPUT rules to decide which IP's to allow.
#

$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

######
# 4.2 nat table
#

#
# 4.2.1 Set policies
#

#
# 4.2.2 Create user specified chains
#

#
# 4.2.3 Create content in user specified chains
#

#
# 4.2.4 PREROUTING chain
#

#
# 4.2.5 POSTROUTING chain
#

#
# Enable simple IP Forwarding and Network Address Translation
#

$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP

#
# 4.2.6 OUTPUT chain
#

######
# 4.3 mangle table
#

#
# 4.3.1 Set policies
#

#
# 4.3.2 Create user specified chains
#

#
# 4.3.3 Create content in user specified chains
#

#
# 4.3.4 PREROUTING chain
#

#
# 4.3.5 INPUT chain
#

#
# 4.3.6 FORWARD chain
#

#
# 4.3.7 OUTPUT chain
#

#
# 4.3.8 POSTROUTING chain
#
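
The rc.firewall rules above are easiest to understand by tracing a packet through them. The following Python script is an added example, not part of the tutorial or of its scripts: it parses a constructed copy of the INPUT-side filter rules of rc.firewall (the script's variables substituted, eth0 facing the Internet and eth1 the LAN) and walks sample packets through the chains the way the kernel does, recording every jump and the final verdict, with the chain policy applied when no terminating target matches. It models only the options these scripts use (-p, -i, -s, -d, ports, --syn, -m state, LOG) and ignores -m limit; the sample packets, the external address 203.0.113.9 (a documentation address) and the function names are assumptions of the example. It also shows why the UDP rules match on the destination port: rewriting them to --source-port accepts any packet whose sender chose source port 4000.

```python
import ipaddress
import shlex

# Constructed input: the INPUT-side filter rules of rc.firewall above, with the
# script's variables substituted (eth0 = Internet side, eth1 = LAN side).
RC_FIREWALL_INPUT = r"""
-A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
-A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
-A allowed -p TCP --syn -j ACCEPT
-A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
-A allowed -p TCP -j DROP
-A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
-A udpincoming_packets -p UDP -s 0/0 --destination-port 4000 -j ACCEPT
-A INPUT -p tcp -j bad_tcp_packets
-A INPUT -p ALL -i eth1 -s 192.168.0.0/16 -j ACCEPT
-A INPUT -p ALL -d 194.236.50.155 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p TCP -i eth0 -j tcp_packets
-A INPUT -p UDP -i eth0 -j udpincoming_packets
-A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "
"""

ONE_ARG = {"-i": "iif", "-s": "src", "-d": "dst", "--dport": "dport",   # option -> packet field
           "--destination-port": "dport", "--sport": "sport", "--source-port": "sport"}
SKIP = {"-m", "--limit", "--limit-burst", "--log-level", "--log-prefix"}  # not modelled

def parse_rule(tokens):
    """Turn one '-A chain ... -j target' token list into (chain, conditions, target)."""
    chain, target, conds, neg, i = None, None, [], False, 0
    while i < len(tokens):
        t, arg = tokens[i], tokens[i + 1] if i + 1 < len(tokens) else None
        if t == "!":
            neg = True                        # negates the next match, as in '! --syn'
        elif t == "--syn":
            conds.append(("syn", True, neg))  # the only flag here without an argument
        elif t == "-A":
            chain = arg
        elif t == "-j":
            target = arg
        elif t == "-p":
            conds.append(("proto", arg.lower(), neg))
        elif t == "--state":
            conds.append(("state", set(arg.split(",")), neg))
        elif t in ONE_ARG:
            conds.append((ONE_ARG[t], int(arg) if arg.isdigit() else arg, neg))
        elif t not in SKIP:
            raise ValueError("unsupported option " + t)
        i += 1 if t in ("!", "--syn") else 2
        neg = neg if t == "!" else False
    return chain, conds, target

def match(cond, p):
    key, val, neg = cond
    if key in ("src", "dst"):
        hit = val == "0/0" or ipaddress.ip_address(p[key]) in ipaddress.ip_network(val, strict=False)
    elif key == "state":
        hit = p["state"] in val
    else:                                     # proto, iif, dport, sport, syn
        hit = val == "all" or p.get(key) == val
    return hit != neg                         # honour a preceding '!'

class Ruleset:
    def __init__(self, text, policy="DROP"):  # the scripts set -P INPUT DROP
        self.chains, self.policy = {}, policy
        for tok in map(shlex.split, text.splitlines()):
            if tok and tok[0] == "-A":
                chain, conds, target = parse_rule(tok)
                self.chains.setdefault(chain, []).append((conds, target))

    def _walk(self, chain, p, trace):
        for conds, target in self.chains.get(chain, []):
            if not all(match(c, p) for c in conds):
                continue
            trace.append(f"{chain} -> {target}")
            if target == "LOG":               # LOG never terminates; keep going
                continue
            if target in ("ACCEPT", "DROP", "REJECT"):
                return target
            verdict = self._walk(target, p, trace)   # jump into a user chain
            if verdict:
                return verdict
        return None                           # fell off the end of the chain

    def verdict(self, chain, p):
        """(verdict, trace) for a packet entering a built-in chain."""
        trace = []
        v = self._walk(chain, p, trace)
        if v is None:                         # no terminal target hit: policy applies
            v = self.policy
            trace.append(f"{chain} policy -> {v}")
        return v, trace

def packet(proto, iif, src, dst, **fields):   # every sample packet is NEW to conntrack
    return dict(proto=proto, iif=iif, src=src, dst=dst, state="NEW", **fields)

def demo(text=RC_FIREWALL_INPUT):
    """Verdicts for constructed packets addressed to the firewall itself."""
    fw, inet, ext = Ruleset(text), "194.236.50.155", "203.0.113.9"
    cases = {
        "ssh_syn": packet("tcp", "eth0", ext, inet, dport=22, syn=True),
        "ssh_ack_new": packet("tcp", "eth0", ext, inet, dport=22, syn=False),
        "udp_to_4000": packet("udp", "eth0", ext, inet, sport=4000, dport=4000),
        "udp_from_4000": packet("udp", "eth0", ext, inet, sport=4000, dport=5000),
        "lan_mysql": packet("tcp", "eth1", "192.168.0.10", "192.168.0.2", dport=3306, syn=True),
    }
    return {name: fw.verdict("INPUT", p) for name, p in cases.items()}

def source_port_variant():
    """Same rules with the UDP rule on --source-port: the sender-chosen port 4000
    now opens every UDP port on the firewall (udp_from_4000 becomes ACCEPT)."""
    weak = RC_FIREWALL_INPUT.replace("--destination-port", "--source-port")
    return demo(weak)["udp_from_4000"][0]
```

Calling demo() returns, per packet, the verdict and the chain trace: the SYN to port 22 reaches ACCEPT through tcp_packets and allowed, the non-SYN packet in state NEW is logged and dropped by bad_tcp_packets, the UDP packet to port 5000 falls through to the LOG rule and the DROP policy, and anything arriving on eth1 from 192.168.0.0/16 is accepted without further checks. source_port_variant() returns ACCEPT for that same UDP packet, which is the hole a source-port match leaves open.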
    


Example rc.DMZ.firewall script

#!/bin/sh
#
# rc.DMZ.firewall - DMZ IP Firewall script for Linux 2.4.x and iptables
#
# Copyright (C) 2001  Oskar Andreasson <bluefluxATkoffeinDOTnet>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA  02111-1307   USA
#

###########################################################################
#
# 1. Configuration options.
#

#
# 1.1 Internet Configuration.
#

INET_IP="194.236.50.152"
HTTP_IP="194.236.50.153"
DNS_IP="194.236.50.154"
INET_IFACE="eth0"

#
# 1.1.1 DHCP
#

#
# 1.1.2 PPPoE
#

#
# 1.2 Local Area Network configuration.
#
# your LAN's address range and the firewall's own LAN IP. /16 means to match
# only the first 16 bits of the 32 bit IP address, the same as netmask 255.255.0.0
#

LAN_IP="192.168.0.2"
LAN_IP_RANGE="192.168.0.0/16"
LAN_BCAST_ADRESS="192.168.255.255"
LAN_IFACE="eth1"

#
# 1.3 DMZ Configuration.
#

DMZ_HTTP_IP="192.168.1.2"
DMZ_DNS_IP="192.168.1.3"
DMZ_IP="192.168.1.1"
DMZ_IFACE="eth2"

#
# 1.4 Localhost Configuration.
#

LO_IFACE="lo"
LO_IP="127.0.0.1"

#
# 1.5 IPTables Configuration.
#

IPTABLES="/usr/sbin/iptables"

#
# 1.6 Other Configuration.
#

###########################################################################
#
# 2. Module loading.
#

#
# Needed to initially load modules
#
/sbin/depmod -a



#
# 2.1 Required modules
#

/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state

#
# 2.2 Non-Required modules
#

#/sbin/modprobe ipt_owner
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc

###########################################################################
#
# 3. /proc set up.
#

#
# 3.1 Required proc configuration
#

echo "1" > /proc/sys/net/ipv4/ip_forward

#
# 3.2 Non-Required proc configuration
#

#echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
#echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr

###########################################################################
#
# 4. rules set up.
#

######
# 4.1 Filter table
#

#
# 4.1.1 Set policies
#

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

#
# 4.1.2 Create userspecified chains
#

#
# Create chain for bad tcp packets
#

$IPTABLES -N bad_tcp_packets

#
# Create separate chains for ICMP, TCP and UDP to traverse
#

$IPTABLES -N allowed
$IPTABLES -N icmp_packets
$IPTABLES -N tcp_packets
$IPTABLES -N udpincoming_packets

#
# 4.1.3 Create content in userspecified chains
#

#
# bad_tcp_packets chain
#

$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

#
# allowed chain
#

$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

#
# ICMP rules
#

# Changed rules totally
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

#
# 4.1.4 INPUT chain
#

#
# Bad TCP packets we don't want
#

$IPTABLES -A INPUT -p tcp -j bad_tcp_packets

#
# Packets from the Internet to this box
#

$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets

#
# Packets from LAN, DMZ or LOCALHOST
#

#
# From DMZ Interface to DMZ firewall IP
#

$IPTABLES -A INPUT -p ALL -i $DMZ_IFACE -d $DMZ_IP -j ACCEPT

#
# From LAN Interface to LAN firewall IP
#

$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT

#
# From Localhost interface to Localhost IP's
#

$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT

#
# All established and related packets incoming from the internet to the
# firewall
#

$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED \
-j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT INPUT packet died: "

#
# 4.1.5 FORWARD chain
#

#
# Bad TCP packets we don't want
#

$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets


#
# DMZ section
#
# General rules
#

$IPTABLES -A FORWARD -i $DMZ_IFACE -o $INET_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $INET_IFACE -o $DMZ_IFACE -m state \
--state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $LAN_IFACE -o $DMZ_IFACE -j ACCEPT

#
# Note: the next rule lets DMZ hosts open new connections into the LAN, so a
# compromised DMZ server can reach the LAN. Restrict it to the traffic the DMZ
# really needs (or to -m state --state ESTABLISHED,RELATED) if the DMZ is
# meant to stay isolated from the LAN.
#

$IPTABLES -A FORWARD -i $DMZ_IFACE -o $LAN_IFACE -j ACCEPT

#
# HTTP server
#

$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP \
--dport 80 -j allowed
$IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP \
-j icmp_packets

#
# DNS server
#

$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP \
--dport 53 -j allowed
$IPTABLES -A FORWARD -p UDP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP \
--dport 53 -j ACCEPT
$IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP \
-j icmp_packets

#
# LAN section
#

$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT FORWARD packet died: "

#
# 4.1.6 OUTPUT chain
#

#
# Bad TCP packets we don't want.
#

$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets

#
# Special OUTPUT rules to decide which IP's to allow.
#

$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

######
# 4.2 nat table
#

#
# 4.2.1 Set policies
#

#
# 4.2.2 Create user specified chains
#

#
# 4.2.3 Create content in user specified chains
#

#
# 4.2.4 PREROUTING chain
#

$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $HTTP_IP --dport 80 \
-j DNAT --to-destination $DMZ_HTTP_IP
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $DNS_IP --dport 53 \
-j DNAT --to-destination $DMZ_DNS_IP
$IPTABLES -t nat -A PREROUTING -p UDP -i $INET_IFACE -d $DNS_IP --dport 53 \
-j DNAT --to-destination $DMZ_DNS_IP

#
# 4.2.5 POSTROUTING chain
#

#
# Enable simple IP Forwarding and Network Address Translation
#

$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP

#
# 4.2.6 OUTPUT chain
#

######
# 4.3 mangle table
#

#
# 4.3.1 Set policies
#

#
# 4.3.2 Create user specified chains
#

#
# 4.3.3 Create content in user specified chains
#

#
# 4.3.4 PREROUTING chain
#

#
# 4.3.5 INPUT chain
#

#
# 4.3.6 FORWARD chain
#

#
# 4.3.7 OUTPUT chain
#

#
# 4.3.8 POSTROUTING chain
#
    


Example rc.UTIN.firewall script

#!/bin/sh
#
# rc.firewall - UTIN Firewall script for Linux 2.4.x and iptables
#
# Copyright (C) 2001  Oskar Andreasson <bluefluxATkoffeinDOTnet>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA  02111-1307   USA
#

###########################################################################
#
# 1. Configuration options.
#

#
# 1.1 Internet Configuration.
#

INET_IP="194.236.50.155"
INET_IFACE="eth0"

#
# 1.1.1 DHCP
#

#
# 1.1.2 PPPoE
#

#
# 1.2 Local Area Network configuration.
#
# your LAN's address range and the firewall's own LAN IP. /16 means to match
# only the first 16 bits of the 32 bit IP address, the same as netmask 255.255.0.0
#

LAN_IP="192.168.0.2"
LAN_IP_RANGE="192.168.0.0/16"
LAN_BCAST_ADRESS="192.168.255.255"
LAN_IFACE="eth1"

#
# 1.3 DMZ Configuration.
#

#
# 1.4 Localhost Configuration.
#

LO_IFACE="lo"
LO_IP="127.0.0.1"

#
# 1.5 IPTables Configuration.
#

IPTABLES="/usr/sbin/iptables"

#
# 1.6 Other Configuration.
#

###########################################################################
#
# 2. Module loading.
#

#
# Needed to initially load modules
#

/sbin/depmod -a

#
# 2.1 Required modules
#

/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state

#
# 2.2 Non-Required modules
#

#/sbin/modprobe ipt_owner
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc

###########################################################################
#
# 3. /proc set up.
#

#
# 3.1 Required proc configuration
#

echo "1" > /proc/sys/net/ipv4/ip_forward

#
# 3.2 Non-Required proc configuration
#

#echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
#echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr

###########################################################################
#
# 4. rules set up.
#

######
# 4.1 Filter table
#

#
# 4.1.1 Set policies
#

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

#
# 4.1.2 Create userspecified chains
#

#
# Create chain for bad tcp packets
#

$IPTABLES -N bad_tcp_packets

#
# Create separate chains for ICMP, TCP and UDP to traverse
#

$IPTABLES -N allowed
$IPTABLES -N icmp_packets
$IPTABLES -N tcp_packets
$IPTABLES -N udpincoming_packets

#
# 4.1.3 Create content in userspecified chains
#

#
# bad_tcp_packets chain
#

$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

#
# allowed chain
#

$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

#
# TCP rules
#

$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed

#
# UDP ports
#

#
# These are destination ports of UDP services on the firewall itself, as in
# rc.firewall. Match on the destination port, not the source port: the sender
# controls its source port, so a --source-port match would let anyone reach
# any UDP port on the firewall simply by sending from port 2074 or 4000.
#

#$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --destination-port 53 -j ACCEPT
#$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --destination-port 123 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --destination-port 2074 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --destination-port 4000 -j ACCEPT

#
# ICMP rules
#

$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

#
# 4.1.4 INPUT chain
#

#
# Bad TCP packets we don't want.
#

$IPTABLES -A INPUT -p tcp -j bad_tcp_packets

#
# Rules for special networks not part of the Internet
#

$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT

#
# Rules for incoming packets from anywhere.
#

$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED \
-j ACCEPT
$IPTABLES -A INPUT -p TCP -j tcp_packets
$IPTABLES -A INPUT -p UDP -j udpincoming_packets
$IPTABLES -A INPUT -p ICMP -j icmp_packets

#
# Log weird packets that don't match the above.
#

$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT INPUT packet died: "

#
# 4.1.5 FORWARD chain
#

#
# Bad TCP packets we don't want
#

$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets

#
# Accept the packets we actually want to forward
#

$IPTABLES -A FORWARD -p tcp --dport 21 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 80 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 110 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT FORWARD packet died: "

#
# 4.1.6 OUTPUT chain
#

#
# Bad TCP packets we don't want.
#

$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets

#
# Special OUTPUT rules to decide which IP's to allow.
#

$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

######
# 4.2 nat table
#

#
# 4.2.1 Set policies
#

#
# 4.2.2 Create user specified chains
#

#
# 4.2.3 Create content in user specified chains
#

#
# 4.2.4 PREROUTING chain
#

#
# 4.2.5 POSTROUTING chain
#

#
# Enable simple IP Forwarding and Network Address Translation
#

$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP

#
# 4.2.6 OUTPUT chain
#

######
# 4.3 mangle table
#

#
# 4.3.1 Set policies
#

#
# 4.3.2 Create user specified chains
#

#
# 4.3.3 Create content in user specified chains
#

#
# 4.3.4 PREROUTING chain
#

#
# 4.3.5 INPUT chain
#

#
# 4.3.6 FORWARD chain
#

#
# 4.3.7 OUTPUT chain
#

#
# 4.3.8 POSTROUTING chain
#
    


Example rc.DHCP.firewall script

#!/bin/sh
#
# rc.firewall - DHCP IP Firewall script for Linux 2.4.x and iptables
#
# Copyright (C) 2001  Oskar Andreasson <bluefluxATkoffeinDOTnet>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA  02111-1307   USA
#

###########################################################################
#
# 1. Configuration options.
#

#
# 1.1 Internet Configuration.
#

INET_IFACE="eth0"

#
# 1.1.1 DHCP
#

#
# Information pertaining to DHCP over the Internet, if needed.
#
# Set DHCP variable to no if you don't get IP from DHCP. If you get DHCP
# over the Internet set this variable to yes, and set up the proper IP
# adress for the DHCP server in the DHCP_SERVER variable.
#

DHCP="no"
DHCP_SERVER="195.22.90.65"

#
# 1.1.2 PPPoE
#

# Configuration options pertaining to PPPoE.
#
# If you have problem with your PPPoE connection, such as large mails not
# getting through while small mail get through properly etc, you may set
# this option to "yes" which may fix the problem. This option will set a
# rule in the PREROUTING chain of the mangle table which will clamp
# (resize) all routed packets to PMTU (Path Maximum Transmit Unit).
#
# Note that it is better to set this up in the PPPoE package itself, since
# the PPPoE configuration option will give less overhead.
#

PPPOE_PMTU="no"

#
# 1.2 Local Area Network configuration.
#
# your LAN's address range and the firewall's own LAN IP. /16 means to match
# only the first 16 bits of the 32 bit IP address, the same as netmask 255.255.0.0
#

LAN_IP="192.168.0.2"
LAN_IP_RANGE="192.168.0.0/16"
LAN_BCAST_ADRESS="192.168.255.255"
LAN_IFACE="eth1"

#
# 1.3 DMZ Configuration.
#

#
# 1.4 Localhost Configuration.
#

LO_IFACE="lo"
LO_IP="127.0.0.1"

#
# 1.5 IPTables Configuration.
#

IPTABLES="/usr/sbin/iptables"

#
# 1.6 Other Configuration.
#

###########################################################################
#
# 2. Module loading.
#

#
# Needed to initially load modules
#

/sbin/depmod -a

#
# 2.1 Required modules
#

/sbin/modprobe ip_conntrack
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_MASQUERADE

#
# 2.2 Non-Required modules
#

#/sbin/modprobe ipt_owner
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc

###########################################################################
#
# 3. /proc set up.
#

#
# 3.1 Required proc configuration
#

echo "1" > /proc/sys/net/ipv4/ip_forward

#
# 3.2 Non-Required proc configuration
#

#echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
#echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr

###########################################################################
#
# 4. rules set up.
#

######
# 4.1 Filter table
#

#
# 4.1.1 Set policies
#

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

#
# 4.1.2 Create userspecified chains
#

#
# Create chain for bad tcp packets
#

$IPTABLES -N bad_tcp_packets

#
# Create separate chains for ICMP, TCP and UDP to traverse
#

$IPTABLES -N allowed
$IPTABLES -N icmp_packets
$IPTABLES -N tcp_packets
$IPTABLES -N udpincoming_packets

#
# 4.1.3 Create content in userspecified chains
#

#
# bad_tcp_packets chain
#

$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

#
# allowed chain
#

$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

#
# TCP rules
#

$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed

#
# UDP ports
#

#
# Replies to the firewall's own DNS queries are already accepted by the
# ESTABLISHED,RELATED rule in the INPUT chain, which runs before the jump to
# this chain. The source-port rule below also lets any sender reach any UDP
# port on the firewall by using source port 53, so keep it only if you cannot
# rely on connection tracking. The DHCP rule is needed because DHCP replies
# may be broadcast and are not tracked as part of the request.
#

$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
if [ "$DHCP" = "yes" ] ; then
 $IPTABLES -A udpincoming_packets -p UDP -s $DHCP_SERVER --sport 67 \
 --dport 68 -j ACCEPT
fi

#
# Destination ports of UDP services on the firewall itself, as in rc.firewall.
# Match on the destination port, not the source port, which the sender controls.
#

#$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --destination-port 53 -j ACCEPT
#$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --destination-port 123 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --destination-port 2074 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --destination-port 4000 -j ACCEPT

#
# ICMP rules
#

$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

#
# 4.1.4 INPUT chain
#

#
# Bad TCP packets we don't want.
#

$IPTABLES -A INPUT -p tcp -j bad_tcp_packets

#
# Rules for special networks not part of the Internet
#

$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT

#
# Rules for incoming packets from the internet.
#

$IPTABLES -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
-j ACCEPT
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udpincoming_packets
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets

#
# Log weird packets that don't match the above.
#

$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT INPUT packet died: "

#
# 4.1.5 FORWARD chain
#

#
# Bad TCP packets we don't want
#

$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets

#
# Accept the packets we actually want to forward
#

$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT FORWARD packet died: "

#
# 4.1.6 OUTPUT chain
#

#
# Bad TCP packets we don't want.
#

$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets

#
# Special OUTPUT rules to decide which IP's to allow.
#

$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

######
# 4.2 nat table
#

#
# 4.2.1 Set policies
#

#
# 4.2.2 Create user specified chains
#

#
# 4.2.3 Create content in user specified chains
#

#
# 4.2.4 PREROUTING chain
#

#
# 4.2.5 POSTROUTING chain
#

if [ "$PPPOE_PMTU" = "yes" ] ; then
 $IPTABLES -t nat -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN \
 -j TCPMSS --clamp-mss-to-pmtu
fi
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE

#
# 4.2.6 OUTPUT chain
#

######
# 4.3 mangle table
#

#
# 4.3.1 Set policies
#

#
# 4.3.2 Create user specified chains
#

#
# 4.3.3 Create content in user specified chains
#

#
# 4.3.4 PREROUTING chain
#

#
# 4.3.5 INPUT chain
#

#
# 4.3.6 FORWARD chain
#

#
# 4.3.7 OUTPUT chain
#

#
# 4.3.8 POSTROUTING chain
#

Example rc.flush-iptables script

#!/bin/sh

# rc.flush-iptables - Resets iptables to default values. 

# Copyright (C) 2001  Oskar Andreasson <bluefluxATkoffeinDOTnet>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA  02111-1307   USA

#
# Configurations
#
IPTABLES="/usr/sbin/iptables"

#
# reset the default policies in the filter table.
#
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT

#
# reset the default policies in the nat table.
#
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT

#
# reset the default policies in the mangle table.
#
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT

#
# flush all the rules in the filter, nat and mangle tables.
#
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
#
# delete all user-defined (non-default) chains in the filter, nat and mangle tables.
#
$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X

Example rc.test-iptables script

#!/bin/bash
#
# rc.test-iptables - test script for iptables chains and tables.
#
# Copyright (C) 2001  Oskar Andreasson <bluefluxATkoffeinDOTnet>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA  02111-1307   USA
#

#
# Filter table, all chains
#
iptables -t filter -A INPUT -p icmp --icmp-type echo-request \
-j LOG --log-prefix="filter INPUT:"
iptables -t filter -A INPUT -p icmp --icmp-type echo-reply \
-j LOG --log-prefix="filter INPUT:"
iptables -t filter -A OUTPUT -p icmp --icmp-type echo-request \
-j LOG --log-prefix="filter OUTPUT:"
iptables -t filter -A OUTPUT -p icmp --icmp-type echo-reply \
-j LOG --log-prefix="filter OUTPUT:"
iptables -t filter -A FORWARD -p icmp --icmp-type echo-request \
-j LOG --log-prefix="filter FORWARD:"
iptables -t filter -A FORWARD -p icmp --icmp-type echo-reply \
-j LOG --log-prefix="filter FORWARD:"

#
# NAT table, all chains. OUTPUT is included too, although it did not log anything for this test.
#
iptables -t nat -A PREROUTING -p icmp --icmp-type echo-request \
-j LOG --log-prefix="nat PREROUTING:"
iptables -t nat -A PREROUTING -p icmp --icmp-type echo-reply \
-j LOG --log-prefix="nat PREROUTING:"
iptables -t nat -A POSTROUTING -p icmp --icmp-type echo-request \
-j LOG --log-prefix="nat POSTROUTING:"
iptables -t nat -A POSTROUTING -p icmp --icmp-type echo-reply \
-j LOG --log-prefix="nat POSTROUTING:"
iptables -t nat -A OUTPUT -p icmp --icmp-type echo-request \
-j LOG --log-prefix="nat OUTPUT:"
iptables -t nat -A OUTPUT -p icmp --icmp-type echo-reply \
-j LOG --log-prefix="nat OUTPUT:"

#
# Mangle table, all chains
#
iptables -t mangle -A PREROUTING -p icmp --icmp-type echo-request \
-j LOG --log-prefix="mangle PREROUTING:"
iptables -t mangle -A PREROUTING -p icmp --icmp-type echo-reply \
-j LOG --log-prefix="mangle PREROUTING:"
iptables -t mangle -A OUTPUT -p icmp --icmp-type echo-request \
-j LOG --log-prefix="mangle OUTPUT:"
iptables -t mangle -A OUTPUT -p icmp --icmp-type echo-reply \
-j LOG --log-prefix="mangle OUTPUT:"
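
Added example, not part of the tutorial or its scripts: a Python reader for the kernel log lines that the LOG rules above produce. From the "filter INPUT:" style prefixes of rc.test-iptables it reconstructs the order in which a ping and its reply traverse the tables and chains, and it tallies the "IPT ... packet died" entries the firewall script writes for packets that fall through INPUT, FORWARD or OUTPUT. The log lines, interface names and addresses are constructed for the example.

```python
import re
from collections import Counter, defaultdict
# Constructed kernel log lines, not a real capture. The prefixes are the ones the
# rc.test-iptables and firewall scripts above set with "-j LOG --log-prefix".
SAMPLE_LOG = """\
kernel: mangle PREROUTING:IN=eth1 OUT= SRC=192.168.0.2 DST=192.168.0.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=4711 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
kernel: nat PREROUTING:IN=eth1 OUT= SRC=192.168.0.2 DST=192.168.0.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=4711 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
kernel: filter INPUT:IN=eth1 OUT= SRC=192.168.0.2 DST=192.168.0.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=4711 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
kernel: mangle OUTPUT:IN= OUT=eth1 SRC=192.168.0.1 DST=192.168.0.2 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=9 PROTO=ICMP TYPE=0 CODE=0 ID=1234 SEQ=1
kernel: filter OUTPUT:IN= OUT=eth1 SRC=192.168.0.1 DST=192.168.0.2 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=9 PROTO=ICMP TYPE=0 CODE=0 ID=1234 SEQ=1
kernel: IPT INPUT packet died: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=2 PROTO=TCP SPT=40000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
kernel: IPT INPUT packet died: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=3 PROTO=TCP SPT=40001 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
kernel: IPT FORWARD packet died: IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=192.168.0.5 LEN=28 TOS=0x00 PREC=0x00 TTL=50 ID=4 PROTO=UDP SPT=5353 DPT=1900 LEN=8
"""
# The log prefix is everything between "kernel: " and the first "IN=" field.
LINE_RE = re.compile(r"kernel: (?P<prefix>.*?)IN=(?P<rest>.*)$")

def parse_log_line(line):
    """Return {"prefix", "fields"} or None. fields keeps KEY=VALUE pairs in order:
    ICMP lines carry two ID= (IP header, then ICMP id), UDP lines two LEN=."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = re.findall(r"([A-Z]+)=(\S*)", "IN=" + m.group("rest"))
    return {"prefix": m.group("prefix").strip().rstrip(":"), "fields": fields}

def field(fields, key, last=False):
    vals = [v for k, v in fields if k == key]
    return (vals[-1] if last else vals[0]) if vals else None

def icmp_traversal(log_text):
    """Ordered chain prefixes per ICMP packet, keyed by (SRC, DST, TYPE, ICMP ID, SEQ)."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        p = parse_log_line(line)
        if p and field(p["fields"], "PROTO") == "ICMP":
            f = p["fields"]
            key = (field(f, "SRC"), field(f, "DST"), field(f, "TYPE"),
                   field(f, "ID", last=True), field(f, "SEQ"))
            seen[key].append(p["prefix"])
    return dict(seen)

def dropped_summary(log_text):
    """Count the firewall's final 'packet died' LOG entries per chain, protocol, DPT."""
    counts = Counter()
    for line in log_text.splitlines():
        p = parse_log_line(line)
        if p and "packet died" in p["prefix"]:
            counts[(p["prefix"], field(p["fields"], "PROTO"), field(p["fields"], "DPT"))] += 1
    return counts
```

Feed it `dmesg` output while rc.test-iptables is loaded to see the chain order for a ping, or the firewall's own log to see which chains and ports the final LOG rules are recording.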
End.