Iptables Tutorial 1.1.14
Oskar Andreasson
Copyright (C) 2001-2002 by Oskar Andreasson. Translation: Andrey Kiselev (kis_an@mail.ru). The latest version of this document can be found at http://www.linuxsecurity.com/resource_files/firewalls/IPTables-Tutorial/iptables-tutorial.html
Permission is granted to copy, distribute and/or modify this document, or parts of it, under the terms of the GNU Free Documentation License, Version 1.1, with the Invariant Sections being "Introduction" and all sub-sections of that section, together with the sections that begin with the words "Original Author: Oskar Andreasson". All scripts in this tutorial are covered by the GNU General Public License. They are free software; you can redistribute them and/or modify them under the terms of the GNU General Public License, version 2. These scripts are distributed in the hope that they will be useful, but WITHOUT ANY WARRANTY. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License with this document, in the section "GNU General Public License"; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA.
Dedications

First of all I would like to dedicate this document to my wonderful girlfriend Ninel. She has supported me more than I could ever support her. Second, to all the Linux developers who made this wonderful operating system, for their incredibly hard work.
About the author

I am someone who looks after a fair number of old computers, which I have joined into a LAN with Internet access, and who keeps them secure. In that respect the move from ipchains to iptables is justified. Previously you could harden your network by dropping all packets to certain ports, but that broke passive FTP and outgoing DCC in IRC, where the server picks a port dynamically and tells the client which port to connect to. Early on I ran into a few problems inherited from ipchains and did not consider the iptables code quite ready for a final release. Today I would recommend everyone who still uses ipchains or ipfwadm to move to iptables!

How to read this document

This document was written to help readers understand the wonderful world of iptables. You will not find information here about bugs in iptables or netfilter; if you run into one, contact the development team, who can tell you whether it really is a bug. At the time of writing iptables and netfilter are fairly bug-free, although one or two slip through now and then; such bugs are always announced on the netfilter home page. This also means that the rule sets that come with this tutorial were written without regard to possible bugs inside netfilter. The examples exist to show how a rule set is put together and what problems you may run into. For example, this document does not explain how to close the Apache 1.2.12 hole on the HTTP port (the examples do show how to close that port, but for a different reason). It was written to give beginners a good, simple and at the same time reasonably complete iptables tutorial.
It does not cover the targets and matches from patch-o-matic, for the simple reason that keeping track of the whole list of changes would take too much effort. If you need information about a patch-o-matic addition, consult the documentation that accompanies that particular patch; it is available from the netfilter home page.

Typographical conventions

This document uses a few typographical conventions to set off commands, file names and notes from the running text.
Introduction

Why this document was written

Put simply, I felt there was an unfortunate gap in the HOWTOs covering iptables and the netfilter functions implemented in the new 2.4.x series of Linux kernels. Among other things I have tried to answer some questions about the new features, such as state matching. Most of them are illustrated in the script rc.firewall.txt, which you can drop into /etc/rc.d/. For the curious: that file was originally based on the masquerading HOWTO. There you will also find rc.flush-iptables.txt, a small script I wrote that you can use for your own needs, extending it to fit your configuration.

How it was written

I consulted Marc Boucher and other members of the netfilter development team, and I take this opportunity to thank them for their help with this tutorial, which was written for boingworld.com. The document walks you through the setup step by step and, I hope, leaves you knowing a good deal more about iptables by the end. Most of the material is based on rc.firewall.txt, since I believe a worked example is the best way to learn iptables. I go through the main chains in the order they are traversed. That makes the material a little harder to follow, but the presentation becomes more logical, and whenever you run into trouble you can come back to this tutorial.

Terms used in this document

A few terms used in this document need explaining before you meet them.

Stream: a connection over which packets are sent and received. I use the term for connections in which at least two packets travel, one in each direction.
For TCP this can mean a connection in which a SYN packet is sent and a SYN/ACK is then received, but it can equally mean a SYN packet followed by an ICMP Host unreachable message. In other words, I use the term fairly broadly.

State: the state a packet is in according to RFC 793 - Transmission Control Protocol, and according to the interpretations used in netfilter/iptables. Note that the packet states netfilter uses, both internally and externally, do not correspond exactly to RFC 793.

User space: everything that lives outside the kernel. For example, iptables -h runs entirely outside the kernel, whereas iptables -A FORWARD -p tcp -j ACCEPT executes partly in kernel space, since it adds a new rule to the rule set held there.

Kernel space: more or less the opposite of user space; execution inside the kernel.

Userland: see user space.

Preparations

This chapter is meant to help you understand the role netfilter and iptables play in Linux today, and to help you install and configure a firewall.

Where to get iptables

The iptables package can be downloaded from the netfilter home page. For iptables to work, the kernel of your Linux system must also be configured appropriately; kernel configuration is discussed next.

Kernel setup

For basic iptables functionality the following options must be enabled in the kernel with make config or one of its equivalents (make menuconfig or make xconfig, translator's note):

CONFIG_PACKET -- Needed by applications that work directly with network devices, such as tcpdump or snort.

CONFIG_NETFILTER -- Needed if you intend to use the machine as a firewall or as a gateway to the Internet. In other words, you definitely need it, otherwise why read this tutorial! And of course add the drivers for your devices: the Ethernet card, PPP and SLIP.

The advanced features of iptables need further kernel options. Below is the list of options for kernel 2.4.9 with a short description of each.

CONFIG_IP_NF_CONNTRACK -- Connection tracking. Among other things it is used for NAT and masquerading. If you are building a firewall for a LAN you definitely need it; rc.firewall.txt, for example, requires this module.

CONFIG_IP_NF_FTP -- Connection tracking for FTP. FTP negotiates its data connections in-band on dynamically chosen ports, so the generic tracking code cannot follow them and a protocol helper is needed. Without this module you will have trouble passing FTP through the firewall.

CONFIG_IP_NF_IPTABLES -- Needed for filtering, NAT and masquerading. Without it you can do nothing at all with iptables.

CONFIG_IP_NF_MATCH_LIMIT -- This module is optional, but it is used in rc.firewall.txt. It lets you limit how many times a rule may match in a given period. For example, -m limit --limit 3/minute means the rule matches at most three packets per minute. The module can therefore be used to soften denial-of-service attacks, and in particular to keep LOG rules from flooding syslog.

CONFIG_IP_NF_MATCH_MAC -- Lets you build rules based on MAC addresses. Every network card has its own Ethernet address, so packets coming from particular MAC addresses (that is, from particular cards) can be blocked. The match is only available in the PREROUTING, INPUT and FORWARD chains, a MAC address is only visible on the directly attached link, and it is trivial to forge, so do not treat it as authentication. The module is not used in rc.firewall.txt or anywhere else in this tutorial.

CONFIG_IP_NF_MATCH_MARK -- The MARK match. With the MARK target we can mark selected packets and then, in other tables, make routing decisions for them based on the mark value. MARK is described in more detail later in this document.

CONFIG_IP_NF_MATCH_MULTIPORT -- Lets you build rules that match a packet against a whole set of source or destination ports in one rule.

CONFIG_IP_NF_MATCH_TOS -- Lets you build rules based on the TOS (Type Of Service) field of the packet. The bits of this field can also be set and cleared by your own rules in the mangle table, or with the ip/tc commands.

CONFIG_IP_NF_MATCH_TCPMSS -- Adds the ability to match the MSS field of TCP packets.

CONFIG_IP_NF_MATCH_STATE -- One of the most important improvements over ipchains. This module lets you control packets based on the state of their connection. For example, if a TCP connection is established with traffic flowing in both directions, a packet received on that connection is considered ESTABLISHED (translator's note). This feature is used heavily in rc.firewall.txt.

CONFIG_IP_NF_MATCH_UNCLEAN -- Adds extra checks of IP, TCP, UDP and ICMP packets for inconsistencies, oddities and errors. With it you can, for example, drop such packets. Be aware, however, that the module is still experimental and does not behave identically in all cases, so you can never be sure that it has not dropped perfectly valid packets.

CONFIG_IP_NF_MATCH_OWNER -- Matches on the owner of the local socket that created a packet. For example, we could allow only root to reach the Internet. Because the owner is only known for locally generated packets, this match can only be used in the OUTPUT chain. The module was written as an example of how to write iptables extensions; it is experimental and may not always do its job.

CONFIG_IP_NF_FILTER -- The filter table, where most filtering is done. It holds the INPUT, FORWARD and OUTPUT chains. Mandatory if you plan to filter packets.

CONFIG_IP_NF_TARGET_REJECT -- Adds the REJECT target, which answers a packet rejected by a rule with an ICMP error message instead of silently dropping it. By default the answer is ICMP port unreachable; for TCP you can instead send a TCP RST with --reject-with tcp-reset, which is how a closed TCP port normally refuses a connection, whereas UDP and ICMP have no equivalent.

CONFIG_IP_NF_TARGET_MIRROR -- The ability to bounce a received packet back to its sender. For example, if you assign the MIRROR target to packets arriving at the HTTP port in the INPUT chain (that is, aimed at our web server, translator's note), the packet is reflected and the sender ends up seeing its own home page. (Translator's note: that involves a lot of ifs: if the sender runs a web server, if it listens on the same port, if it has a home page, and so on. The point is that from the sender's perspective it looks as if the packet had been sent to its own machine; put simply, MIRROR swaps the source and destination addresses and sends the altered packet back out.) Because the reflected packet goes to whatever source address the original carried, a forged source makes the firewall bounce traffic at a third party, so MIRROR is a curiosity and has no place on a production firewall.

CONFIG_IP_NF_NAT -- NAT, network address translation in its various forms. With this option you can give every machine on your LAN Internet access through a single public IP address. The option is required by rc.firewall.txt.

CONFIG_IP_NF_TARGET_MASQUERADE -- Masquerading. Unlike SNAT, masquerading is used when our Internet IP address is not known in advance, that is with DHCP, PPP, SLIP or any other connection that assigns the address dynamically. Masquerading loads the machine somewhat more than SNAT, but it works where the external address cannot be specified ahead of time.

CONFIG_IP_NF_TARGET_REDIRECT -- Redirection. Usually used together with a proxy: instead of passing a packet on, this target redirects it to another port on the firewall itself, which is how transparent proxying is done.

CONFIG_IP_NF_TARGET_LOG -- Adds the LOG target, with which selected packets can be recorded in the system log (syslog). Very useful when debugging your scripts.

CONFIG_IP_NF_TARGET_TCPMSS -- Works around Internet Service Providers that block ICMP Fragmentation Needed packets. Behind such providers web pages may fail to load, ssh works while scp dies right after the connection is set up, and so on. The TCPMSS target gets around this by clamping the MSS (Maximum Segment Size) value (normally the MSS is limited to the MTU of the outgoing interface minus 40 bytes, translator's note; the --clamp-mss-to-pmtu option does exactly that). This lets us get past what the netfilter authors, in the kernel configuration help, call "criminally braindead ISPs or servers".

CONFIG_IP_NF_COMPAT_IPCHAINS -- Adds a compatibility mode for the older ipchains. Do not rely on it as a long-term migration path: it was dropped in the 2.6 kernel series.

CONFIG_IP_NF_COMPAT_IPFWADM -- Adds compatibility with ipfwadm, an even older firewalling tool.

As you can see, I have given a short description of each module. These options are available in kernel 2.4.9. If you need more, look at the patch-o-matic extensions, which add a large number of extra functions to netfilter. Patch-o-matic is a set of additions that are expected to be merged into the kernel in the future. To run rc.firewall.txt you need the options flagged above as required by it, either built into the kernel or compiled as loadable modules. For the options needed by the other scripts, see the appendix with those example scripts.
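As an added example (not part of the original tutorial), here is a small shell helper that checks a kernel .config for the options discussed above, distinguishing built-in (=y), modular (=m) and absent options. Which options count as required follows the descriptions in this section (those flagged as needed for basic operation or by rc.firewall.txt); the "recommended" group is my own grouping of the others. The .config text below is constructed for the example, not taken from a real machine.

```shell
# Added example, not code from the tutorial. Checks a kernel .config for the
# netfilter options described above. On a real tree:
#   report "$(cat /usr/src/linux/.config)"

# Options the section marks as required for basic operation or for rc.firewall.txt.
REQUIRED_OPTS="CONFIG_PACKET CONFIG_NETFILTER CONFIG_IP_NF_IPTABLES
CONFIG_IP_NF_FILTER CONFIG_IP_NF_CONNTRACK CONFIG_IP_NF_MATCH_LIMIT
CONFIG_IP_NF_MATCH_STATE CONFIG_IP_NF_NAT"
# Options a LAN firewall almost always wants as well (my grouping, an assumption).
RECOMMENDED_OPTS="CONFIG_IP_NF_FTP CONFIG_IP_NF_TARGET_LOG
CONFIG_IP_NF_TARGET_MASQUERADE CONFIG_IP_NF_TARGET_REJECT"

# Constructed sample .config: conntrack and NAT are modular, the limit match is
# explicitly disabled, and the state match line is missing altogether.
SAMPLE_CONFIG='CONFIG_PACKET=y
CONFIG_NETFILTER=y
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_FTP=m
CONFIG_IP_NF_IPTABLES=y
# CONFIG_IP_NF_MATCH_LIMIT is not set
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_LOG=y'

# config_value CONFIG_TEXT OPTION -> prints y (built in), m (module) or n.
# "# CONFIG_X is not set" and a line that is simply absent both mean n.
config_value() {
    printf '%s\n' "$1" | awk -v opt="$2" '
        $0 == (opt "=y") { v = "y" }
        $0 == (opt "=m") { v = "m" }
        END { if (v == "") v = "n"; print v }'
}

# missing_required CONFIG_TEXT -> prints each required option that is neither
# built in nor modular; returns 1 if anything is missing, 0 otherwise.
missing_required() {
    rc=0
    for opt in $REQUIRED_OPTS; do
        if [ "$(config_value "$1" "$opt")" = "n" ]; then
            echo "$opt"
            rc=1
        fi
    done
    return $rc
}

# modular_options CONFIG_TEXT -> prints options built as modules. These must be
# loaded (modprobe, or the kernel module autoloader) before a rule that uses
# them can be added, so a firewall script should load them explicitly rather
# than assume they are present.
modular_options() {
    for opt in $REQUIRED_OPTS $RECOMMENDED_OPTS; do
        if [ "$(config_value "$1" "$opt")" = "m" ]; then
            echo "$opt"
        fi
    done
}

# report CONFIG_TEXT -> human-readable summary; status 1 if the kernel is
# unusable for the rule sets in this tutorial.
report() {
    if missing=$(missing_required "$1"); then
        echo "all required options present"
    else
        printf 'missing required options:\n%s\n' "$missing"
    fi
    mods=$(modular_options "$1")
    [ -n "$mods" ] && printf 'built as modules (load before use):\n%s\n' "$mods"
    [ -z "$missing" ]
}
```

Running report on the sample lists CONFIG_IP_NF_MATCH_LIMIT and CONFIG_IP_NF_MATCH_STATE as missing and reminds you that conntrack, NAT and the FTP helper are modules, which is exactly the case where a firewall script that forgets to modprobe them fails at boot with "No chain/target/match by that name".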
Above is the minimum set of kernel options needed by rc.firewall.txt. The options required by the other example scripts are given in their own sections below. For now we stay with the main script and start studying it.

Userland setup

First we look at how to compile the iptables package. Compiling it depends heavily on how the kernel is configured, and you should keep that in mind. Some distributions ship iptables preinstalled; Red Hat is one of them, but there the package is turned off by default, so further down we look at how to enable it on that and on other distributions.

Compiling the package

Start by unpacking the iptables sources. Here we use iptables 1.2.6a and kernel 2.4.9. Unpack as usual with bzip2 -cd iptables-1.2.6a.tar.bz2 | tar -xvf -. If that succeeds, the package is in the directory iptables-1.2.6a; the file iptables-1.2.6a/INSTALL has detailed instructions for building and installing it. Next, check whether the kernel needs extra modules and options. The step described here is only about applying patches to the kernel: it installs updates that are expected to be merged into the kernel in the future, using the pending-patches target of the iptables Makefile.

The variable KERNEL_DIR must hold the path to your kernel sources; usually that is /usr/src/linux/. If your sources live somewhere else, give that path instead.

While that target runs you are asked to confirm each update from what the netfilter world calls patch-o-matic. To install everything in patch-o-matic, use the most-of-pom target of the same Makefile instead.

Read the help text for every patch carefully and to the end before installing anything: some patches are incompatible with others, and some, applied together, can even break the kernel.

Once the patching is done you need to rebuild the kernel with the updates you just installed. Remember to configure the kernel first, since the new options will most likely be turned off by default. You may also postpone compiling the kernel until the iptables installation is finished. To continue building iptables, run make in the iptables source directory, again with KERNEL_DIR pointing at your kernel tree.

If the build fails you can try to sort it out yourself or turn to the netfilter mailing list, where people can help you; there you will find explanations of what may have gone wrong during installation, so do not panic right away. If that does not help, think it through logically, which often does the trick, or ask someone who knows. If everything went smoothly you are ready to install the binaries with make install, again with KERNEL_DIR set.

Hopefully no problems here! To actually use the iptables package you definitely need to rebuild and install the kernel now, if you have not already done so. Further installation details are in the INSTALL file.

Installation on Red Hat 7.1

Red Hat 7.1 with a 2.4.x kernel already ships with netfilter and iptables preinstalled, but for backward compatibility with earlier releases it runs ipchains by default. Here we briefly go through removing ipchains and starting iptables in its place.
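The build procedure above, wrapped in a shell function, as an added example that is not the tutorial's own text. The four make invocations are reconstructed from the targets of the iptables 1.2.x Makefile (pending-patches, most-of-pom, the default build target and install), which this copy of the page does not spell out; the KERNEL_DIR default and the tarball name are assumptions. Nothing runs at load time, so the file can be sourced safely; call build_iptables with the tarball name to run it, as root for the install step.

```shell
# Added example, not from the tutorial: the source build of iptables 1.2.x
# against a 2.4 kernel tree, with a check that KERNEL_DIR is usable first.
KERNEL_DIR=${KERNEL_DIR:-/usr/src/linux}   # assumed default, as in the text

# A usable kernel tree has a top-level Makefile and has been configured
# (.config present): patch-o-matic and the iptables build both need headers
# that only exist after configuration, and an unconfigured tree fails late
# with confusing errors.
kernel_tree_ok() {
    [ -f "$1/Makefile" ] && [ -f "$1/.config" ]
}

# The directory a tarball unpacks into, derived from its file name
# (iptables-1.2.6a.tar.bz2 -> iptables-1.2.6a).
iptables_src_dir() {
    case $1 in
        *.tar.bz2) printf '%s\n' "${1%.tar.bz2}" ;;
        *.tar.gz)  printf '%s\n' "${1%.tar.gz}" ;;
        *)         return 1 ;;
    esac
}

# build_iptables TARBALL: unpack, patch the kernel, build and install.
# Set WITH_POM=yes to apply all of patch-o-matic instead of only the
# pending patches (read each patch's help first; some conflict).
build_iptables() {
    tarball=$1
    kernel_tree_ok "$KERNEL_DIR" || {
        echo "KERNEL_DIR=$KERNEL_DIR is not a configured kernel tree" >&2; return 1; }
    bzip2 -cd "$tarball" | tar -xvf - || return 1
    cd "$(iptables_src_dir "$(basename "$tarball")")" || return 1
    # 1. apply the patches queued for the next kernel; each asks y/n
    make pending-patches KERNEL_DIR="$KERNEL_DIR" || return 1
    # 2. optionally everything else in patch-o-matic
    if [ "${WITH_POM:-no}" = yes ]; then
        make most-of-pom KERNEL_DIR="$KERNEL_DIR" || return 1
    fi
    # 3. build the userland tools against the (now patched) kernel headers
    make KERNEL_DIR="$KERNEL_DIR" || return 1
    # 4. install binaries and shared libraries; needs root
    make install KERNEL_DIR="$KERNEL_DIR"
}
```

After this the kernel still has to be reconfigured and rebuilt, as the text says: the patches only add options, they do not turn them on.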
First ipchains has to be switched off so that its modules are not loaded in the future. That is done by renaming some files in the /etc/rc.d/ tree, which chkconfig does for us when ipchains is turned off in every runlevel.

As a result, the S in some of the file names (S meaning the script is run at system start-up) is replaced by K (for Kill: the script is run at shutdown). The links become K92ipchains, which keeps the service from starting in the future. The ipchains rules are still active, though, so the service has to be stopped as well.
Finally the iptables service has to be started. First decide in which runlevels it should start; normally those are 2, 3 and 5. Runlevel 2 is multi-user without network services such as NFS, 3 is full multi-user with networking, and 5 is runlevel 3 plus a graphical (X11) login. Switch iptables on in those runlevels with chkconfig.

The runlevels where iptables is not needed: runlevel 1 is single-user mode, normally used in emergencies when bringing a broken system back up; runlevel 4 is unused; runlevel 6 is reboot (and 0 is halt). Then start the iptables service.
So iptables is running, but we do not have a single rule yet. On Red Hat 7.1 there are two ways to add rules. The first is to edit /etc/rc.d/init.d/iptables, which has the drawback that an RPM upgrade of iptables throws all your rules away. The second is to load the rules and save them with iptables-save; rules saved that way are restored automatically at boot. If you choose the first way, put the rules into the start section of /etc/rc.d/init.d/iptables (so that they are loaded at boot), that is, into the start() function; for actions at shutdown, change the stop section or the stop() function accordingly, and do not forget the restart and condrestart sections. Once more: an RPM upgrade of iptables, or an automatic network update, can wipe out every change you made to /etc/rc.d/init.d/iptables. The second way is preferable and goes like this. First load the rules, from a file or directly with the iptables command, whichever you prefer. Then run iptables-save > /etc/sysconfig/iptables (plain iptables-save only prints the rules to standard output). The whole rule set is now stored in /etc/sysconfig/iptables, which is loaded automatically when the iptables service starts. The command service iptables save does exactly the same thing. From then on, at every reboot, the iptables script in rc.d runs iptables-restore to load the rule set from /etc/sysconfig/iptables. Finally, to round off the installation, it is a good idea to remove the old ipchains and iptables packages.
This is so that the system does not confuse the old iptables package with the newly installed one. The old iptables package only has to be removed if you installed from source: the RPM installs its files in a different place from a source build, so the new package does not overwrite the old one. Remove the previous iptables package with rpm.

Remove ipchains the same way, since there is no longer any reason to keep it on the system.
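Two helpers for the Red Hat procedure, as an added example that is not part of the tutorial: the switch-over itself, reconstructed as the chkconfig, service and rpm invocations the text describes (the exact command lines are missing from this copy of the page), and a sanity check for the saved rule set, since the init script feeds /etc/sysconfig/iptables straight to iptables-restore at boot and a broken or empty file leaves the machine unprotected. The three dumps are constructed for the example; the Red Hat file layout is assumed.

```shell
# Added example, not from the tutorial. Assumes a sysvinit Red Hat system
# with chkconfig, service and rpm. Nothing runs at load time.

# The switch-over sequence described above, with the guards the text leaves
# implicit. Run as root.
switch_redhat71_to_iptables() {
    command -v chkconfig >/dev/null 2>&1 || {
        echo "chkconfig not found: not a sysvinit Red Hat system" >&2; return 1; }
    chkconfig --level 0123456 ipchains off   # S..ipchains links become K92ipchains
    service ipchains stop || true            # old rules stay loaded until stopped
    chkconfig --level 235 iptables on        # multi-user runlevels only
    service iptables start                   # loads /etc/sysconfig/iptables if present
    # Only when iptables was built from source: the RPM installs elsewhere and
    # would otherwise stay on the PATH next to the new binaries.
    [ "${BUILT_FROM_SOURCE:-no}" = yes ] && rpm -e iptables
    rpm -e ipchains
}

# check_saved_ruleset DUMP_TEXT -> "OK ..." and status 0, or "REJECT ..." and
# status 1. iptables-restore needs every *table block closed by COMMIT, and a
# dump with no rules at all is what "service iptables save" writes if it runs
# right after a flush: at the next boot the box comes up with empty chains.
check_saved_ruleset() {
    printf '%s\n' "$1" | awk '
        /^\*/      { if (table != "") why = "table " table " never committed"
                     table = substr($0, 2); tables++ }
        /^COMMIT$/ { if (table == "") why = "COMMIT outside a table"; table = "" }
        /^-A /     { rules++ }
        /^:(INPUT|FORWARD) ACCEPT/ { accept_policy++ }
        END {
            if (table != "") why = "table " table " never committed"
            if (tables == 0) why = "no tables"
            if (rules == 0 && why == "") why = "no rules"
            if (why != "") { print "REJECT: " why; exit 1 }
            if (accept_policy > 0)
                print "WARN: " accept_policy " filter chain(s) with ACCEPT policy"
            print "OK: " tables " table(s), " rules " rule(s)"
        }'
}

# save_ruleset_safely: dump the running rules and replace the boot-time file
# only if the dump passes the check. Needs root and iptables-save.
save_ruleset_safely() {
    dump=$(iptables-save) || return 1
    check_saved_ruleset "$dump" || return 1
    umask 077                                # the rule set is for root's eyes only
    printf '%s\n' "$dump" > /etc/sysconfig/iptables.new &&
        mv /etc/sysconfig/iptables.new /etc/sysconfig/iptables
}

# Constructed dumps, not captured from a real system.
GOOD_DUMP='# Generated by iptables-save v1.2.6a
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT'

# The same dump cut off mid-file, as a full disk or an interrupted save leaves it.
TRUNCATED_DUMP='# Generated by iptables-save v1.2.6a
*nat
:PREROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT'

# What gets saved right after "iptables -F": valid syntax, no protection.
EMPTY_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'
```

check_saved_ruleset accepts GOOD_DUMP, rejects TRUNCATED_DUMP because the filter table is never committed, and rejects EMPTY_DUMP because it contains no rules; using save_ruleset_safely in place of a bare service iptables save turns those silent failures into a refusal to overwrite the file.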
Traversing of tables and chains

This chapter describes the order in which the tables, and the chains within each table, are traversed. This will matter a great deal later, when you build your own rule sets, especially once they include targets such as DNAT, SNAT and of course TOS.

General

When a packet arrives at our firewall it first hits the network device, is picked up by the corresponding driver and handed to the kernel. It then passes through a series of tables and is finally delivered either to a local application or forwarded to another machine. The order is as follows.

Table 1. Traversal of forwarded packets

1. On the wire (e.g. the Internet)
2. Arrives on the interface (e.g. eth0)
3. mangle table, PREROUTING chain: packet mangling such as changing TOS
4. nat table, PREROUTING chain: DNAT
5. Routing decision: is the packet for this host, or to be forwarded, and through which interface?
6. filter table, FORWARD chain: where all forwarded packets are filtered
7. nat table, POSTROUTING chain: SNAT, masquerading
8. Goes out on the outgoing interface (e.g. eth1)
9. On the wire again (e.g. the LAN)

As you can see, a packet goes through several stages before it is passed on. At each of them it can be stopped, whether by an iptables chain or by something else, but it is iptables that interests us here. Note that there are no chains specific to individual interfaces or anything of the kind. The FORWARD chain is traversed by ALL packets that pass through our firewall/router. Do not use the INPUT chain to filter forwarded packets: they simply never get there! Only packets destined for this host pass through INPUT. Now the path of a packet addressed to a local process or application:

Table 2. Packets for a local application

1. On the wire
2. Arrives on the interface
3. mangle table, PREROUTING chain
4. nat table, PREROUTING chain: DNAT
5. Routing decision
6. filter table, INPUT chain: filtering of everything addressed to this host
7. Local process or application

This time the packets go through INPUT rather than FORWARD. Finally, packets generated by local processes:

Table 3. Packets from local processes

1. Local process or application
2. Routing decision: which source address and outgoing interface to use
3. mangle table, OUTPUT chain
4. nat table, OUTPUT chain: DNAT of locally generated packets
5. filter table, OUTPUT chain
6. nat table, POSTROUTING chain: SNAT, masquerading
7. Goes out on the outgoing interface
8. On the wire

So there are three different paths a packet can take. Drawn as a single diagram, they give a fairly clear picture of the order in which packets traverse the various chains. At the first routing decision every packet destined for this host goes to the INPUT chain, everything else to FORWARD. Note too that a packet addressed to the firewall may have its destination rewritten (DNAT) in the PREROUTING chain of the nat table, in which case the routing decision is made on the rewritten address: a DNAT'd packet bound for a LAN host is forwarded, not delivered locally.
The mangle table

As mentioned above, this table is mainly for altering packet headers (to mangle: to distort, to alter; translator's note). In it you can set the TOS (Type Of Service) bits and so on.

Only the following targets are valid in this table: TOS, TTL and MARK. Do not do NAT or masquerading here, and avoid filtering in it; that is what the nat and filter tables are for.

The TOS target sets the bits of the packet's Type of Service field. The field tells the network how the packet should be treated, that is, which kind of route is preferred. Be aware, however, that it is honoured by only a small number of routers on the Internet. In other words, do not change it on packets leaving for the Internet, because routers that do honour it may then make the wrong routing decision.

The TTL target sets the TTL (Time To Live) field of the packet. One good use for it: setting a fixed value on outgoing packets hides our firewall from overly curious Internet Service Providers. Some providers strongly dislike a single connection being shared by several machines, and one of the things they check is the TTL of incoming packets, which hints at whether one computer or several sit behind the link.

The MARK target puts a mark on the packet that can then be matched by other iptables rules or by other programs, for instance iproute2. With marks we can control routing, limit bandwidth and so on. The mark lives in the kernel's own bookkeeping for the packet and never leaves the host; nothing in the packet on the wire changes.

The nat table

This table is used for network address translation (NAT). As mentioned earlier, only the first packet of a stream passes through the chains of this table; the translation or masquerading decided for it is applied to all later packets of the stream automatically. The targets characteristic of this table are DNAT, SNAT and MASQUERADE.
The DNAT (Destination Network Address Translation) target rewrites the destination address in packet headers. In other words, it redirects packets to addresses other than those given in their headers. SNAT (Source Network Address Translation) changes the source address of packets. With it you can hide the structure of the LAN and at the same time share a single external IP address among the machines on the LAN for Internet access. The firewall then translates addresses automatically in both directions, so machines on the LAN can connect to servers on the Internet. MASQUERADE serves the same purpose as SNAT but loads the system a little more, because every time the target is executed it looks up the IP address of the interface named in the rule, whereas for SNAT the address is given directly in the rule. That same difference is what lets MASQUERADE work with a dynamic IP address, that is when you connect to the Internet over PPP, SLIP or DHCP; it also forgets its tracked connections when the interface goes down, which is what you want when the address may change.

The filter table

As the name says, this table is where the rule sets for packet filtering belong. Packets are passed on or rejected depending on their contents. We can of course filter in the other tables too, but this one exists specifically for filtering. Most of the existing targets can be used in it, although the targets discussed earlier in this chapter belong in their own tables.

The state machine

This chapter is devoted to the state machine.
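To tie the traversal order and the three tables together, here is an added example (my own, not the tutorial's rc.firewall.txt) that generates the rules for a small gateway in the order in which the chains are actually met: a MARK in mangle PREROUTING, a DNAT in nat PREROUTING for a published web server, state-based filtering in FORWARD and INPUT, SNAT or MASQUERADE in nat POSTROUTING and a TOS change in mangle OUTPUT. The interface names, the LAN prefix and the server address are placeholders; by default the function only prints the commands, and the comments point out where DNAT interacts with the routing decision.

```shell
# Added example, not the tutorial's rc.firewall.txt. Prints (or, with "apply",
# executes) the iptables commands for a small gateway, in the order the
# traversal tables above give. Assumed topology, all placeholders: eth0 faces
# the Internet, eth1 the LAN 192.168.1.0/24, and 192.168.1.10 is a LAN web
# server published on port 80.
EXT_IF=${EXT_IF:-eth0}
INT_IF=${INT_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}
WEB_SERVER=${WEB_SERVER:-192.168.1.10}
EXT_IP=${EXT_IP:-}        # empty means a dynamic address: MASQUERADE, not SNAT

# run ARGS...: echo the command in print mode, execute it in apply mode.
run() {
    if [ "$GATEWAY_MODE" = apply ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

# emit_gateway_rules [print|apply]
emit_gateway_rules() {
    GATEWAY_MODE=${1:-print}

    # Default-deny policies first, then flush, so no packet is accepted by an
    # empty chain while the rules below are still being added.
    run -P INPUT DROP
    run -P FORWARD DROP
    run -P OUTPUT ACCEPT
    run -F
    run -t nat -F
    run -t mangle -F

    # 1. mangle PREROUTING: the first chain any incoming packet meets. The mark
    #    stays in the kernel's packet metadata for later rules or iproute2;
    #    nothing on the wire changes.
    run -t mangle -A PREROUTING -i "$INT_IF" -j MARK --set-mark 1

    # 2. nat PREROUTING: DNAT happens BEFORE the routing decision, so a packet
    #    for our public port 80 is rewritten to the web server and then routed
    #    through FORWARD. An INPUT rule for port 80 would never see it.
    run -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB_SERVER:80"

    # 3. filter FORWARD: every transit packet, including the DNAT'd web hits.
    #    Replies ride on conntrack state; only NEW connections need rules.
    run -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN_NET" -m state --state NEW -j ACCEPT
    run -A FORWARD -i "$EXT_IF" -d "$WEB_SERVER" -p tcp --dport 80 -m state --state NEW -j ACCEPT
    run -A FORWARD -m limit --limit 3/minute -j LOG --log-prefix "FORWARD-drop:"

    # 4. filter INPUT: only packets addressed to the gateway itself.
    run -A INPUT -i lo -j ACCEPT
    run -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A INPUT -i "$INT_IF" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    run -A INPUT -m limit --limit 3/minute -j LOG --log-prefix "INPUT-drop:"

    # 5. nat POSTROUTING: the last chain before the wire. SNAT when the public
    #    address is fixed; MASQUERADE when it is assigned dynamically (it reads
    #    the interface address for every new connection and forgets its
    #    connections when the interface goes down).
    if [ -n "$EXT_IP" ]; then
        run -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN_NET" -j SNAT --to-source "$EXT_IP"
    else
        run -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN_NET" -j MASQUERADE
    fi

    # 6. mangle OUTPUT: only locally generated packets pass here. Ask for low
    #    delay on SSH sessions started from the gateway towards the LAN, and
    #    keep TOS changes off the Internet side, as the text above warns.
    run -t mangle -A OUTPUT -o "$INT_IF" -p tcp --dport 22 -j TOS --set-tos Minimize-Delay
}
```

Run emit_gateway_rules to see the commands and emit_gateway_rules apply (as root) to load them. The order in which rules are added is not what decides the traversal order; that is fixed by the tables above, which is why a port 80 rule in INPUT would never match the port-forwarded connection, and why the DNAT rule must exist before the FORWARD rule for the web server is ever consulted.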
After reading it you should have a fairly clear picture of how this mechanism works. A considerable number of explanatory examples will also be covered.

Introduction

The state machine is a part of iptables and should not really be called that, since it is in fact a connection tracking mechanism. A great many people, however, know it precisely as the "state machine". In this chapter both names are used as synonyms. The connection tracker was designed so that netfilter can obtain information about the state of a particular connection. Having this mechanism lets you build more reliable rule sets. Within iptables a connection can be in one of 4 basic states: NEW, ESTABLISHED, RELATED and INVALID. Later we will look at each of them in more detail. Packets are controlled on the basis of their state with the --state match.

Connection tracking is performed by special kernel code, the tracker (conntrack). The tracker code can be either a loadable module or linked statically into the kernel. In most cases we need more specific information about a connection than the tracker supplies by default. Therefore the tracker includes handlers for the various protocols, for example TCP, UDP or ICMP. The information they collect is then used to identify the connection and determine its current state. For example, a UDP connection is uniquely identified by the source and destination IP addresses and ports.

In earlier kernels it was possible to turn packet defragmentation support on and off. However, once connection tracking was included in iptables/netfilter, this option was no longer needed. The reason is that the tracker cannot perform its functions without defragmentation, so defragmentation is permanently enabled. It cannot be turned off other than by turning off connection tracking. Defragmentation is always performed when the tracker is enabled.

Tracking takes place in the PREROUTING chain, except for packets generated by local processes on the firewall, which are tracked in the OUTPUT chain. This means that iptables performs all the computations related to state determination within these chains. When the first packet of a stream is sent, it is assigned the state NEW in the OUTPUT chain; when the reply packet comes back, the connection's state is changed to ESTABLISHED in the PREROUTING chain, and so on. If the connection is initiated from outside, the state NEW is assigned to the first packet in the PREROUTING chain. Thus packet state is determined within the PREROUTING and OUTPUT chains of the nat table.

The conntrack table

Let us briefly look at the tracker's table, which can be found in the file

tcp 6 117 SYN_SENT src=192.168.1.6 dst=192.168.1.9 sport=32775 dport=22 [UNREPLIED] src=192.168.1.9 dst=192.168.1.6 sport=22 dport=32775 use=2

This example contains all the information the tracker knows about a particular connection. The first thing we see is the protocol name, here tcp. Next comes a number in ordinary decimal notation. It is followed by a number giving the "time to live" of the table entry (that is, the number of seconds after which the information about the connection will be removed from the table). In our case the entry will be kept for another 117 seconds, provided of course that no more packets pass through this connection; otherwise the value is reset to the default for the given state. This number decreases by 1 every second. Next comes the actual state of the connection; in our example it is SYN_SENT. The internal representation of the state differs somewhat from the external one. The value SYN_SENT says that a single TCP SYN packet has passed through this connection. Then come the source and destination addresses and the source and destination ports. Here we also see the keyword which reports that no reply traffic has yet passed through this connection. Finally, additional information about the expected packet is given: the source/destination IP addresses (the same ones, only swapped, since a reply packet is expected) and likewise the ports. Entries in the table can take a number of values, all of which are defined in the header files
Once the reply packet is received, the tracker clears the flag

States

As you have already seen, packets can have several different states inside the kernel, depending on the protocol type. Outside the kernel, however, there are only 4 states, as stated above. The packet state is mainly used in the --state match. The allowed states are NEW, ESTABLISHED, RELATED and INVALID. The table below examines each of the possible states.

Table 1. List of states
These four states can be used in the --state match. The state machine allows you to build extremely powerful and effective protection. Earlier we had to open all ports above 1024 to let return traffic into the local network; now, with the state machine, this is no longer necessary, since access can be "opened" only for return (reply) traffic.

TCP connections

In this and the following sections we take a closer look at the state indications and how they are handled for each of the three basic protocols TCP, UDP and ICMP, and also touch on the case where the protocol of a connection cannot be classified as one of those three. We start with TCP, since it has many very interesting features with respect to the state machine in iptables.

A TCP connection is always established by the exchange of three packets, which initialise and set up the connection over which data is then transferred. The session starts with a SYN packet, which is answered by a SYN/ACK packet, and the establishment of the connection is confirmed by an ACK packet. After that the connection is considered established and ready to carry data. The question may arise: "So how is the connection tracked?" In reality it is quite simple. For all connection types tracking proceeds in practically the same way. Look at the figure below, which shows all the stages of connection establishment. As you can see, from the user's point of view the tracker does not actually follow the progress of connection establishment. As soon as the tracker "sees" the first (SYN) packet, it assigns it the state NEW. As soon as the second packet (SYN/ACK) passes through the tracker, the connection is assigned the state ESTABLISHED. Why the second packet? Let us work it out.

When building your rule set you can allow packets in the NEW and ESTABLISHED states to leave the local network and allow only ESTABLISHED packets in the incoming traffic, and everything will work fine. Conversely, if the tracker kept considering the connection NEW, you would in fact never be able to establish a connection with the "outside world", or you would have to allow NEW packets into the local network. From the user's point of view it all looks fairly simple, but seen from the kernel it is somewhat more complicated. Let us follow how the state of the connection changes in the table

tcp 6 117 SYN_SENT src=192.168.1.5 dst=192.168.1.35 sport=1031 dport=23 [UNREPLIED] src=192.168.1.35 dst=192.168.1.5 sport=23 dport=1031 use=1

As you can see, the table entry reflects the exact state of the connection: a SYN packet has been noted (the SYN_SENT flag) to which no reply has yet been received (the [UNREPLIED] flag). After the reply packet is received, the connection moves to the next internal state:

tcp 6 57 SYN_RECV src=192.168.1.5 dst=192.168.1.35 sport=1031 dport=23 src=192.168.1.35 dst=192.168.1.5 sport=23 dport=1031 use=1

That is, the entry reports that a SYN/ACK packet has come back. This time the connection moves to the state

tcp 6 431999 ESTABLISHED src=192.168.1.5 dst=192.168.1.35 sport=1031 dport=23 src=192.168.1.35 dst=192.168.1.5 sport=23 dport=1031 use=1

the connection enters the state

When closing, a TCP connection goes through the following states. As the figure shows, the connection is not closed until the last ACK packet has been sent. Note that this picture describes the normal connection close. In addition, if a connection is refused it may be closed by sending an RST (reset) packet. In that case the connection is closed after a predefined time has elapsed. On closing, the connection is moved to the state

If the connection is closed on receipt of an RST packet, it is moved to the state

Table 2. Internal states
These values may vary somewhat from one kernel version to another, and they can also be changed through the /proc file system interface (the variables
UDP connections

By their nature, UDP connections have no state indication. There are several reasons for this; the main one is that this protocol provides for no connection establishment or teardown, but the biggest drawback is the absence of information about the order in which packets arrive. Having received two UDP datagrams, it is impossible to know exactly in which order they were sent. Even in this situation, however, it is still possible to determine a connection state. Below is a figure of what connection establishment looks like from the tracker's point of view.

As you can see, the state of a UDP connection is determined almost the same way as the state of a TCP connection, as seen from user space. Internally it looks somewhat different, although it is similar in many ways. First let us look at the entry that appears after the first UDP packet has been sent.

udp 17 20 src=192.168.1.2 dst=192.168.1.5 sport=137 dport=1025 [UNREPLIED] src=192.168.1.5 dst=192.168.1.2 sport=1025 dport=137 use=1

The first thing we see is the protocol name (udp) and its number (see /etc/protocols; translator's note). The third value is the remaining "time to live" of the entry in seconds. Then come the characteristics of the packet that passed through the firewall: the source and destination addresses and ports. Here we also see that this is the first packet of the session (the [UNREPLIED] flag). The entry ends with the source and destination addresses and ports of the expected packet. The default timeout for such an entry is 30 seconds.

udp 17 170 src=192.168.1.2 dst=192.168.1.5 sport=137 dport=1025 src=192.168.1.5 dst=192.168.1.2 sport=1025 dport=137 use=1

Once the server has "seen" a reply to the first packet, the connection is considered ESTABLISHED; the only difference from the previous entry is the absence of the [UNREPLIED] flag and, in addition, the entry's timeout has become 180 seconds. After this only the [ASSURED] flag (an assured connection), described above, can be added. The [ASSURED] flag is set only after a certain number of packets have passed through the connection.

udp 17 175 src=192.168.1.5 dst=195.22.79.2 sport=1025 dport=53 src=195.22.79.2 dst=192.168.1.5 sport=53 dport=1025 [ASSURED] use=1

The connection has now become "assured". The table entry looks practically the same as in the previous example, except for the [ASSURED] flag. If not a single packet passes through the connection within 180 seconds, the entry is removed from the table. This is a rather short interval, but it is quite sufficient for most uses. The "time to live" is counted from the moment the last packet passed, and when a new one appears the time is reset to its initial value.

ICMP connections

ICMP packets are used only to carry control messages and do not set up a persistent connection. There are, however, 4 types of ICMP packets that provoke a reply, so they can have two states: NEW and ESTABLISHED. These are ICMP Echo Request/Echo Reply, ICMP Timestamp Request/Timestamp Reply, ICMP Information Request/Information Reply and ICMP Address Mask Request/Address Mask Reply. Of these, ICMP Timestamp Request/Timestamp Reply and ICMP Information Request/Information Reply are considered obsolete and can therefore, in most cases, be safely dropped (DROP). Look at the figure below. As it shows, the server sends an Echo Request to the client, and the request is recognised by the firewall
as NEW. The client answers this request with an Echo Reply packet, and now the packet is recognised as having the state ESTABLISHED. After the first packet (Echo Request) has passed, in

icmp 1 25 src=192.168.1.6 dst=192.168.1.10 type=8 code=0 id=33029 [UNREPLIED] src=192.168.1.10 dst=192.168.1.6 type=0 code=0 id=33029 use=1

This entry differs somewhat from the entries typical of TCP and UDP, although the protocol name, the timeout and the source and destination addresses are present in just the same way; but then three new fields appear -

The next field is the [UNREPLIED] flag, which we have met before. It means that the first packet of the connection has arrived. The entry ends with the characteristics of the expected reply packet, which include the source and destination addresses. As for the type and code of the ICMP packet, they correspond to the correct values of the expected ICMP Echo Reply packet. The identifier of the reply packet is the same as in the request packet. The reply packet is already recognised as ESTABLISHED. We know, however, that after the reply packet has been sent nothing more is expected on this connection, so once the reply has passed through netfilter the entry is destroyed in the tracker's table. In any case the request is treated as NEW and the reply as ESTABLISHED. Note that the reply packet must match the characteristics recorded in the tracker's table entry (source and destination addresses, type, code and identifier). ICMP requests have a default timeout of 30 seconds, which in most cases is quite sufficient. The timeout
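The entries quoted above for TCP, UDP and ICMP share one layout, and the chapter's point is that the second tuple is the reply the tracker expects: addresses and ports swapped, and for ICMP the request type replaced by the reply type. The following parser is an added example and not part of the tutorial or of netfilter; the sample lines are the chapter's own, while the class and function names are my own choice:

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample entries copied from this chapter (the TCP, UDP and ICMP examples).
SAMPLE_ENTRIES = """\
tcp 6 117 SYN_SENT src=192.168.1.6 dst=192.168.1.9 sport=32775 dport=22 [UNREPLIED] src=192.168.1.9 dst=192.168.1.6 sport=22 dport=32775 use=2
udp 17 170 src=192.168.1.2 dst=192.168.1.5 sport=137 dport=1025 src=192.168.1.5 dst=192.168.1.2 sport=1025 dport=137 use=1
udp 17 175 src=192.168.1.5 dst=195.22.79.2 sport=1025 dport=53 src=195.22.79.2 dst=192.168.1.5 sport=53 dport=1025 [ASSURED] use=1
icmp 1 25 src=192.168.1.6 dst=192.168.1.10 type=8 code=0 id=33029 [UNREPLIED] src=192.168.1.10 dst=192.168.1.6 type=0 code=0 id=33029 use=1
"""


@dataclass
class ConntrackEntry:
    proto: str                 # protocol name: tcp, udp, icmp
    proto_num: int             # protocol number (see /etc/protocols)
    timeout: int               # seconds until the entry is removed
    state: Optional[str]       # internal TCP state (SYN_SENT, ...); None for udp/icmp
    original: Dict[str, str]   # tuple of the packet that opened the flow
    reply: Dict[str, str]      # tuple the tracker expects in return
    flags: List[str]           # UNREPLIED, ASSURED
    use: int                   # reference count


def parse_entry(line: str) -> ConntrackEntry:
    """Parse one line in the format shown in this chapter."""
    tokens = line.split()
    proto, proto_num, timeout = tokens[0], int(tokens[1]), int(tokens[2])
    rest = tokens[3:]
    # Only TCP entries carry a bare state word before the first key=value field.
    state = rest.pop(0) if rest and "=" not in rest[0] and not rest[0].startswith("[") else None
    original: Dict[str, str] = {}
    reply: Dict[str, str] = {}
    flags: List[str] = []
    use = 0
    current = original
    for tok in rest:
        if tok.startswith("[") and tok.endswith("]"):
            flags.append(tok[1:-1])
            continue
        key, _, value = tok.partition("=")
        if key == "use":
            use = int(value)
            continue
        if key == "src" and "src" in current:
            current = reply        # a second src= begins the reply tuple
        current[key] = value
    return ConntrackEntry(proto, proto_num, timeout, state, original, reply, flags, use)


def parse_table(text: str) -> List[ConntrackEntry]:
    return [parse_entry(line) for line in text.splitlines() if line.strip()]


def expected_reply(entry: ConntrackEntry) -> Dict[str, str]:
    """The reply tuple the chapter describes: addresses (and ports) swapped;
    for ICMP an echo request (type 8) is answered by an echo reply (type 0)."""
    o = entry.original
    reply = {"src": o["dst"], "dst": o["src"]}
    if entry.proto == "icmp":
        reply.update(type="0" if o["type"] == "8" else o["type"], code=o["code"], id=o["id"])
    else:
        reply.update(sport=o["dport"], dport=o["sport"])
    return reply


def reply_consistent(entry: ConntrackEntry) -> bool:
    return entry.reply == expected_reply(entry)


def unreplied(entries: List[ConntrackEntry]) -> List[ConntrackEntry]:
    """Flows that have seen only their first packet; a pile-up of these in the
    real table (many unanswered SYNs, for instance) is worth an alert."""
    return [e for e in entries if "UNREPLIED" in e.flags]
```

parse_table(SAMPLE_ENTRIES) returns one ConntrackEntry per line, reply_consistent() confirms the swapped tuple for every entry, and unreplied() picks out the flows still waiting for their first reply.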
can be changed in

A large part of ICMP is used to carry messages about what is happening to a particular UDP or TCP connection. For this reason they are very often recognised as RELATED to an existing connection. A simple example are the messages

In this example a connection request (a SYN packet) is sent to some host. It acquires the state NEW on the firewall. At that moment, however, the network turns out to be unreachable, so the router returns the packet

The same happens with UDP connections when such problems are detected. All ICMP messages sent in reply to a UDP connection are treated as RELATED. Look at the next figure. A UDP datagram is sent to the server. The connection is assigned the state NEW. Access to the network, however, is denied (by a firewall or a router), so a message is returned

Default behaviour

In some cases the state machine cannot recognise the protocol of the exchange and consequently cannot choose a strategy for handling the connection. It then falls back on the default behaviour. The default behaviour is used, for example, when handling the NETBLT, MUX and EGP protocols. The default behaviour is in many ways similar to the tracking of UDP connections. The first packet is assigned the state NEW and all subsequent ones the state ESTABLISHED. With the default behaviour, the same timeout value is used for all packets; it can be
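To tie the TCP, UDP and ICMP sections together, here is a toy connection tracker that reproduces the user-space view described in this chapter: the first packet of a flow is NEW, a packet matching a known flow is ESTABLISHED, an ICMP error referring to a tracked flow is RELATED, and everything else is INVALID. It is an added example, not netfilter's code. The UDP (30 s unreplied, 180 s replied) and ICMP request (30 s) timeouts are the chapter's figures; the TCP SYN_SENT and CLOSE timeouts are assumptions, the ESTABLISHED value is the one shown in the chapter's entry, and all packets are constructed:

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Timeouts in seconds. UDP, ICMP and TCP ESTABLISHED values come from this
# chapter; TCP_SYN_SENT and TCP_CLOSE are assumptions made for the model.
UDP_UNREPLIED, UDP_REPLIED, ICMP_REQUEST = 30, 180, 30
TCP_SYN_SENT, TCP_ESTABLISHED, TCP_CLOSE = 120, 431999, 10
ICMP_ERROR_TYPES = {3, 11}      # destination unreachable, time exceeded
ECHO_REQUEST, ECHO_REPLY = 8, 0

Key = Tuple[str, str, str, int, int, int]   # proto, src, dst, a, b, ident


@dataclass
class Packet:
    proto: str                   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    a: int = 0                   # source port, or ICMP type
    b: int = 0                   # destination port, or ICMP code
    flags: str = ""              # TCP flags: "S", "SA", "A", "R"
    ident: int = 0               # ICMP id field
    inner: Optional[Key] = None  # ICMP error: key of the packet that caused it
    t: float = 0.0               # arrival time in seconds


@dataclass
class Entry:
    state: str                   # SYN_SENT, SYN_RECV, ESTABLISHED, CLOSE, UDP, ICMP
    orig: Key
    reply: Key
    replied: bool
    expires: float


def original_key(p: Packet) -> Key:
    return (p.proto, p.src, p.dst, p.a, p.b, p.ident)


def reply_key(p: Packet) -> Key:
    if p.proto == "icmp":        # an echo request is answered by an echo reply
        return ("icmp", p.dst, p.src, ECHO_REPLY, p.b, p.ident)
    return (p.proto, p.dst, p.src, p.b, p.a, p.ident)


class Tracker:
    def __init__(self) -> None:
        self.entries: List[Entry] = []

    def _lookup(self, key: Key, now: float):
        self.entries = [e for e in self.entries if e.expires > now]   # apply timeouts
        for e in self.entries:
            if key == e.orig:
                return e, "orig"
            if key == e.reply:
                return e, "reply"
        return None, None

    def classify(self, p: Packet) -> str:
        """Return the --state value (NEW/ESTABLISHED/RELATED/INVALID) for p."""
        # ICMP errors are RELATED when they refer to a flow we are tracking.
        if p.proto == "icmp" and p.a in ICMP_ERROR_TYPES:
            known = p.inner is not None and self._lookup(p.inner, p.t)[0] is not None
            return "RELATED" if known else "INVALID"

        entry, direction = self._lookup(original_key(p), p.t)
        if entry is None:
            # Only a SYN may open a TCP flow, only a request may open an ICMP one.
            if p.proto == "tcp" and p.flags != "S":
                return "INVALID"
            if p.proto == "icmp" and p.a != ECHO_REQUEST:
                return "INVALID"
            state = {"tcp": "SYN_SENT", "udp": "UDP", "icmp": "ICMP"}[p.proto]
            timeout = {"tcp": TCP_SYN_SENT, "udp": UDP_UNREPLIED, "icmp": ICMP_REQUEST}[p.proto]
            self.entries.append(Entry(state, original_key(p), reply_key(p), False, p.t + timeout))
            return "NEW"

        # The packet belongs to a known flow: from user space it is ESTABLISHED.
        if direction == "reply":
            entry.replied = True
        if p.proto == "tcp":
            if "R" in p.flags:                        # reset: entry lingers briefly, then dies
                entry.state, entry.expires = "CLOSE", p.t + TCP_CLOSE
            elif entry.state == "SYN_SENT":           # SYN/ACK coming back -> SYN_RECV
                if direction == "reply":
                    entry.state = "SYN_RECV"
                entry.expires = p.t + TCP_SYN_SENT
            elif entry.state == "SYN_RECV":           # final ACK -> ESTABLISHED
                entry.state, entry.expires = "ESTABLISHED", p.t + TCP_ESTABLISHED
            else:
                entry.expires = p.t + TCP_ESTABLISHED
        elif p.proto == "udp":
            entry.expires = p.t + (UDP_REPLIED if entry.replied else UDP_UNREPLIED)
        else:                                          # the echo reply completes the exchange
            self.entries.remove(entry)
        return "ESTABLISHED"
```

The model keeps the chapter's distinction between the internal state names (SYN_SENT, SYN_RECV, ESTABLISHED) and the four values a rule can test with --state: every packet after the opening SYN is ESTABLISHED to the rule set, while the internal state keeps changing. Real conntrack also marks a flow ASSURED and handles many more edge cases; those are left out here.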
changed in

Tracking complex protocols

There are a number of complex protocols whose correct tracking is more difficult. Examples are ICQ, IRC and FTP. Each of these protocols carries additional connection information in the data area of the packet. Correct tracking of such connections therefore requires additional helper modules to be loaded.

As a first example consider FTP. The FTP protocol first opens a single connection called the FTP control session. When commands are executed within this session, additional ports are opened to transfer the accompanying data. These connections can be active or passive. When an active connection is created, the client sends the FTP server the port number and IP address to connect to. The client then opens the port, the server connects its port number 20 (known as FTP-Data) to the client's given port and transfers the data over the established connection. The problem is that the firewall knows nothing about these additional connections, since all the information about them is carried in the data area of the packets. Because of this the firewall will not let the server connect to the client's given port. The solution is to add a special tracking helper module that watches for the protocol-specific information in the data area of the packets sent within the control session. When such a connection is created, the helper correctly interprets the transmitted information and creates a corresponding entry in the tracker's table with the state RELATED, thanks to which the connection is established. The figure below explains how such a connection proceeds.

Passive FTP works the other way round. The client sends the server a request to receive data, and the server returns to the client the IP address and port number to connect to. The client connects its port 20 (FTP-data) to the given server port and receives the requested data. If your FTP server is behind the firewall you will need this helper module so the server can serve clients from the Internet. The same applies when you want to restrict your users to connecting only to HTTP and FTP servers on the Internet and close all other ports. The figure below shows how a passive FTP connection proceeds.

Some helper modules are already included in the kernel; to be precise, the kernel includes helpers for the FTP and IRC protocols. If the helper you need is not available, you should turn to patch-o-matic, which contains a large number of helpers for tracking such protocols as ntalk or H.323. If you still have not found what you need, you have further options: you can consult the iptables CVS, in case the helper you are looking for has not yet been included in patch-o-matic, or you can contact the netfilter developers and ask whether such a module exists and whether its release is planned. If that fails too, you should probably read Rusty Russell's Unreliable Netfilter Hacking HOWTO.

Helper modules can be compiled either as loadable kernel modules or statically. If compiled as modules, you can load them with the command modprobe ip_conntrack_*

Note that the state machine has nothing to do with Network Address Translation (NAT), so you may need more additional modules if you perform such translation. Suppose you perform address translation and FTP connection tracking; then you also need the corresponding NAT helper module. The names of the NAT helper modules start with

How to build rules

This chapter discusses how to build your own iptables rules. Each line you insert into a chain must contain a separate rule. We also discuss the basic matches and targets and how to create your own rule chains.

Basics

As said above, each rule is a line containing the criteria that determine whether a packet matches the rule and the action to take if the criteria are met. In general a rule is written roughly like this:

iptables [-t table] command [match] [target/jump]

Nowhere is it required that the target/jump be the last item on the line; we will, however, stick to this notation for readability. If the [-t table] specifier is not included in the rule, the filter table is assumed by default; if another table is meant, it must be named explicitly. The table specifier may also be placed anywhere in the rule line, but it is more or less standard to put the table at the beginning of the rule. Next, directly after the table name, comes the command. If there is no table specifier, the command must always come first. The command defines what iptables is to do, for example insert a rule, append a rule to the end of a chain, delete a rule, and so on. The match section sets the criteria by which it is determined whether the packet falls under this rule or not. Here we can specify all kinds of criteria: the source IP address of the packet or the source network, the network interface and so on. There are many matches, which we will examine in this chapter. Finally, the target says what action is to be taken when the criteria in the rule are met.
Here we can make the kernel pass the packet to another chain of rules, "drop" the packet and forget about it, send an error message back to the source, and so on.

Tables

The -t option specifies the table to use. By default the filter table is used. The following options are used with the -t switch.

Table 1. Tables
Above we examined the main differences between the three available tables. Each of them must be used only for its own purpose, and you should understand this. Misuse of the tables can weaken the protection of the firewall and of the network behind it. Later, in the chapter Traversing of tables and chains, we will dwell on this in more detail.

Commands

Below is the list of commands and the rules for their use. With commands we tell iptables what we intend to do. Usually one of two actions is intended: adding a new rule to a chain or deleting an existing rule from a table. The commands used in iptables are given below.

Table 2. Commands
A command must always be given. The list of available commands can be seen with the command iptables -h or, equivalently, iptables --help. Some commands may be used together with additional options. Below is the list of additional options with a description of what they do. Note that the additional options used to build matches or targets are not given here; those options are discussed later.

Table 3. Options
Matches

Here we dwell in more detail on the criteria for selecting packets. I have divided all matches into five groups. The first is the generic matches, which may be used in any rule. The second is the TCP matches, which apply only to TCP packets. The third is the UDP matches, which apply only to UDP packets. The fourth is the ICMP matches for working with ICMP packets. And finally the fifth is the special matches, such as state, owner, limit and others.

Generic matches

Here we look at the generic matches. Generic matches may be used in any rule, do not depend on the protocol type and do not require extension modules to be loaded. I have added the --protocol match to this group even though it is used in some protocol-specific extensions. For example, if we decide to use a TCP match, we will also need to use the --protocol match, which is given the protocol name, TCP, as its additional argument. --protocol by itself, however, is a match used to specify the protocol type.

Table 4. Generic matches
Implicit matches

In this section we look at the implicit matches, more precisely those matches that are loaded implicitly and become available, for example, when the --protocol match is given. At present there are three automatically loaded extensions: the TCP matches, the UDP matches and the ICMP matches (when building my own rules I found it necessary to load these extensions explicitly, that is, the extensions were not loaded automatically; translator's note). These extensions can also be loaded explicitly with the -m or --match switch, for example -m tcp.

TCP matches

This extension depends on the protocol type and works only with TCP packets. To use these additional matches you will need to specify the protocol type --protocol tcp in the rules. Important: the --protocol tcp match must come before the specific match. These extensions are loaded automatically for the tcp protocol as well as for the udp and icmp protocols (I have already mentioned implicit loading of extensions above; translator's note).

Table 5. TCP matches
UDP matches

This section covers the matches specific to the UDP protocol only. These extensions are loaded automatically when the protocol type --protocol UDP is given. It is important to note that UDP packets are not connection-oriented and therefore do not have the various flags that make it possible to judge what a datagram is for. Receipt of UDP packets requires no acknowledgement from the receiver. If they are lost, they are simply lost (without an ICMP error message being sent). This implies considerably fewer additional matches than for TCP packets. Important: a good firewall must handle packets of any type, UDP or ICMP, which are considered connectionless, just as well as TCP packets. We will talk about this later, in the following chapters.

Table 6. UDP matches
ICMP matches

This protocol is used, as a rule, to carry error messages and to control connections. It is not subordinate to the IP protocol but works closely with it, since it helps handle error conditions. ICMP packet headers are very similar to IP headers but have differences too. The main property of this protocol lies in the type field of the header, which says what kind of packet it is. For example, when we try to connect to an unreachable host we get an ICMP host unreachable message in reply. The complete list of ICMP message types can be found in the appendix ICMP types. There is only one specific match for ICMP packets. This extension is loaded automatically when we give the --protocol ICMP match. Note that the generic matches may also be used to check ICMP packets, since the source address, destination address and so on are known.

Table 7. ICMP matches
Explicit matches

Before these extensions can be used they must be loaded explicitly with the -m or --match switch. So, for example, if we are going to use the state matches, we must state this explicitly in the rule line: -m state to the left of the match being used. Some of these matches are still under development and so may not always work, but in most cases they work quite reliably. The whole difference between explicit and implicit matches is only that the former must be loaded explicitly while the latter are loaded automatically.

MAC match

Table 8. MAC matches

The MAC match is used to check the source MAC address of a packet. At present the -m mac module provides a single match, but it may be extended in the future and become more useful.
limit match

Must be loaded explicitly with the -m limit switch. It is well suited to rules that write to the system log (logging) and the like. By adding this match we set the maximum number of packets per unit of time that the rule can pass. The ! symbol may be used for inversion, for example -m ! limit. In this case packets pass the rule only after the limit has been exceeded.

Table 9. limit match
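To make the limit match concrete, here is a token-bucket rate limiter of the kind it implements, as an added example rather than code from the tutorial or from the iptables module. --limit (the sustained rate, written as in iptables, e.g. 3/minute) and --limit-burst (the bucket size) are real options of the match; the class, the run() helper and the packet arrival times are my own construction:

```python
import re

_UNITS = {"second": 1.0, "minute": 60.0, "hour": 3600.0, "day": 86400.0}


def parse_rate(spec: str) -> float:
    """Turn a --limit argument such as '3/minute' or '1/sec' into tokens per second."""
    m = re.fullmatch(r"(\d+)/(second|sec|minute|min|hour|day)", spec.strip())
    if not m:
        raise ValueError(f"bad rate: {spec!r}")
    count, unit = int(m.group(1)), m.group(2)
    unit = {"sec": "second", "min": "minute"}.get(unit, unit)
    return count / _UNITS[unit]


class LimitMatch:
    """Token bucket: `burst` tokens to start (--limit-burst), refilled at
    `rate` tokens per second (--limit), one token consumed per matching packet.
    This models -m limit; the kernel module counts in ticks, but behaves alike."""

    def __init__(self, limit: str = "3/hour", burst: int = 5, invert: bool = False):
        self.rate = parse_rate(limit)
        self.capacity = float(burst)
        self.tokens = float(burst)
        self.last = 0.0
        self.invert = invert

    def matches(self, now: float) -> bool:
        # Refill in proportion to the elapsed time, never above the burst size.
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        hit = self.tokens >= 1.0
        if hit:
            self.tokens -= 1.0
        # With '!' the rule matches exactly the packets the bucket would refuse.
        return hit != self.invert


def run(match: LimitMatch, arrival_times) -> list:
    """Apply the match to a constructed burst of packets; one bool per packet."""
    return [match.matches(t) for t in arrival_times]
```

A rule such as -m limit --limit 1/second --limit-burst 3 -j LOG therefore logs at most three packets at once and then one per second, which is what keeps a flood from filling the system log; the inverted form matches only once the bucket is empty, as the text above describes.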
Translator's note: For a very long time my understanding of the limit match remained at an intuitive level, until Vladimir Kholmanov (hat off, with the deepest bow) explained its essence to me simply and clearly. I will try to convey his explanation:

The principle is simply implemented in C and is widely used in many rate-limiting algorithms.

Multiport extension

The multiport extension allows several ports and port ranges to be given in a rule.

Table 10. Multiport extension
Mark extension

The mark extension provides the ability to "mark" packets in a special way. Mark is a special field that exists only in kernel memory and is associated with a particular packet. It can be used for the most varied purposes, for example traffic limiting and filtering. At present there is only one way to set a mark on a packet in Linux, which is the MARK target. The mark field is an unsigned integer in the range 0 to 4294967296 on 32-bit systems.

Table 11. mark extension
owner extension

The owner extension is intended to check the "owner" of a packet. Originally this extension was written as an example demonstrating the capabilities of iptables. This match may be used only in the OUTPUT chain. This restriction is imposed because at present there is no real mechanism for carrying "owner" information across the network. In fairness it should be noted that for some packets it is impossible to determine the "owner" even in this chain; the various ICMP responses are packets of this kind. Therefore this match should not be applied to ICMP response packets.

Table 12. owner extension
state match

The state match is used together with the connection tracking code and lets us obtain the tracking state of a connection, which lets us judge the connection's state, even for protocols such as ICMP and UDP. This extension must be loaded explicitly with the -m state switch. The state machine is discussed in more detail in the section The state machine.

Table 13. state matches
Unclean match

The unclean match takes no additional options; to use it, it is enough to load the module explicitly. Be careful: this module is still under development and may therefore work incorrectly in some situations. This check is performed to single out packets that deviate from the accepted standards; these may be packets with a damaged header or an invalid checksum and so on. Using this check, however, can cause even a perfectly valid connection to be broken.

TOS match

The TOS match is intended to check the bits of the TOS field. TOS, Type Of Service, is an 8-bit field in the IP packet header. The module must be loaded explicitly with the -m tos switch. Translator's note: The description of the TOS field that follows is not taken from the original, since I find the original description somewhat vague.

Table 14. TOS match
TTL match

TTL (Time To Live) is a numeric field in the IP header. As the packet passes each router, this number is decreased by 1. If the number reaches zero, an ICMP message of type 11 with code 0 (TTL equals 0 during transit) or code 1 (TTL equals 0 during reassembly) is sent to the packet's sender. To use this match the module must be loaded explicitly with the -m ttl switch. Translator's note: Again a discrepancy between the original text and reality has come to light; at least for iptables 1.2.6a, which is what is actually being discussed, there are three different matches for checking the TTL field: -m ttl --ttl-eq number, -m ttl --ttl-lt number and -m ttl --ttl-gt number. The purpose of these matches is clear from their syntax.

Table 15. TTL match
Targets and jumps

Targets and jumps tell the rule what to do if the packet matches the given criteria. The most commonly used targets are ACCEPT and DROP. First, however, let us briefly look at the concept of jumps. A jump is written in a rule exactly like a target: the -j switch is followed by the name of the chain of rules to jump to. Jumps are subject to a number of restrictions: first, the chain jumped to must be in the same table as the chain the jump is made from; second, the chain that is the jump's target must be created before jumps to it are made. For example, let us create the chain tcp_packets in the filter table with the command

iptables -N tcp_packets

Now we can jump to this chain with something like

iptables -A INPUT -p tcp -j tcp_packets

That is, on meeting a tcp packet iptables jumps to the tcp_packets chain and continues passing the packet through that chain. If the packet reaches the end of the chain it is returned to the calling chain (in our case INPUT) and the packet continues from the rule following the one that made the jump. If the ACCEPT target is applied to the packet in the nested chain, the packet is automatically considered accepted in the calling chain as well and no longer continues through the calling chains. The packet does, however, go on through the other chains in the other tables. More information about the order in which chains and tables are traversed can be found in the chapter Traversing of tables and chains.

A target is a predefined command describing the action to take if the packet matched the given criteria. For example, we may apply the DROP or ACCEPT target to a packet, depending on our needs. There are a number of other targets as well, which are described below in this section.
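The jump semantics just described can be checked with a small model of a table: rules are match predicates plus a target, a user chain is entered with -j, falling off its end returns to the calling chain, and ACCEPT or DROP inside it ends traversal of the whole table. This is an added example, not iptables code; the Table, Rule and Packet classes and the rules placed around tcp_packets are my own construction, built on the chapter's iptables -N tcp_packets and iptables -A INPUT -p tcp -j tcp_packets:

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

TERMINATING = {"ACCEPT", "DROP"}        # end traversal of this table for the packet
SPECIAL = TERMINATING | {"LOG", "RETURN"}


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int = 0


@dataclass
class Rule:
    match: Callable[[Packet], bool]     # the rule's combined criteria
    target: str                         # ACCEPT, DROP, LOG, RETURN or a user chain name


@dataclass
class Table:
    policies: Dict[str, str]                              # policy of each built-in chain
    chains: Dict[str, List[Rule]] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        for name in self.policies:                         # built-in chains always exist
            self.chains[name] = []

    def new_chain(self, name: str) -> None:
        """iptables -N name"""
        if name in self.chains:
            raise ValueError(f"chain {name} already exists")
        self.chains[name] = []

    def append(self, chain: str, match: Callable[[Packet], bool], target: str) -> None:
        """iptables -A chain <match> -j target; a jump target must already exist."""
        if chain not in self.chains:
            raise ValueError(f"no chain {chain}")
        if target not in SPECIAL and target not in self.chains:
            raise ValueError(f"chain {target} must be created before jumping to it")
        self.chains[chain].append(Rule(match, target))

    def _walk(self, chain: str, pkt: Packet) -> Optional[str]:
        for rule in self.chains[chain]:
            if not rule.match(pkt):
                continue
            if rule.target in TERMINATING:
                return rule.target
            if rule.target == "LOG":                       # non-terminating: note it, go on
                self.log.append(f"{chain}: {pkt.proto} {pkt.src}->{pkt.dst}:{pkt.dport}")
                continue
            if rule.target == "RETURN":
                return None
            verdict = self._walk(rule.target, pkt)         # jump into the user chain
            if verdict is not None:                        # ACCEPT/DROP there ends it here too
                return verdict
            # Fell off the end of the user chain: continue with the next rule here.
        return None

    def verdict(self, chain: str, pkt: Packet) -> str:
        """Verdict of a built-in chain; falling off its end applies the policy."""
        result = self._walk(chain, pkt)
        return result if result is not None else self.policies[chain]


def build_example_filter() -> Table:
    """The chapter's tcp_packets example plus a few constructed rules around it."""
    t = Table(policies={"INPUT": "DROP"})
    t.new_chain("tcp_packets")                                     # iptables -N tcp_packets
    t.append("INPUT", lambda p: p.proto == "tcp", "tcp_packets")   # -A INPUT -p tcp -j tcp_packets
    t.append("INPUT", lambda p: p.proto == "icmp", "ACCEPT")
    t.append("tcp_packets", lambda p: p.dport == 22, "ACCEPT")
    t.append("tcp_packets", lambda p: p.dport == 23, "LOG")
    t.append("tcp_packets", lambda p: p.dport == 23, "DROP")
    return t
```

A TCP packet to port 80 shows the return path: it matches nothing in tcp_packets, comes back to INPUT after the jump rule, fails the icmp rule and ends up with the chain's DROP policy, exactly the order the text above describes.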
Some targets, such as DROP and ACCEPT, stop the packet's traversal of the chain; others, such as LOG, perform some operation and then let the packet continue through the chain; a third group, such as DNAT and SNAT, TTL and TOS, even modify the packet, which then also continues through the chain.

ACCEPT target

This target takes no additional options. When ACCEPT is applied to a packet, the packet stops traversing the chain (and all the chains that called it, if the current chain was a nested one) and is considered ACCEPTED, that is, it is let through. It will nevertheless still traverse the chains in the other tables and may be rejected there. The target is specified with -j ACCEPT.

DROP target

This target simply "drops" the packet, and iptables "forgets" that it ever existed. Dropped packets stop traversing completely, i.e. they are not passed on to the other tables as happens with ACCEPT. Bear in mind that this target can have unpleasant side effects, since it may leave dead sockets open on both the server and the client side; the best protection is to use REJECT, especially when defending against port scans.

QUEUE target

The QUEUE target queues the packet for handling by a userspace process. It can be used for accounting, proxying or additional packet filtering.

Translator's note: at this point the author explains at length that a discussion of this topic is far beyond the scope of this document, and so on; so, without further ado, I quote here an excerpt from the Linux 2.4 Packet Filtering HOWTO as translated by Evgeny Danilchenko aka virii5, eugene@kriljon.ru:

"...For this target to be useful, two further components are required:

# modprobe iptable_filter
# modprobe ip_queue
# iptables -A OUTPUT -p icmp -j QUEUE

With this rule, locally generated ICMP packets (such as those produced by, say, the ping command) are passed to the ip_queue module, which then tries to hand them to a userspace application. If no such application is found, the packets are dropped. To write a userspace packet-handling program, use the libipq API. It is distributed with the iptables package. Examples can be found in the testsuite tools (for example redirect.c) in CVS. The status of ip_queue can be checked with:

/proc/net/ip_queue

The maximum queue length (that is, the number of packets handed to the userspace application without a verdict having been returned) can be controlled with:

/proc/sys/net/ipv4/ip_queue_maxlen

By default the maximum queue length is 1024. Once this limit is reached, new packets are dropped until the queue falls below the limit again. Well-behaved protocols such as TCP interpret dropped packets as congestion and cope with it successfully (as far as I remember, the packet is simply retransmitted by the remote side; translator's note). However, some experimentation may be needed to find the optimal queue length for a given case if the default is too small..."

RETURN target

The RETURN target stops the packet's traversal of the current chain and returns it to the calling chain if the current chain is a nested one; if the current chain is a top-level one (for example INPUT), the chain's default policy is applied to the packet. Usually ACCEPT or DROP is set as the default policy. For example, suppose a packet travelling through INPUT meets a rule that jumps to a nested chain, --jump EXAMPLE_CHAIN. Then, in EXAMPLE_CHAIN, the packet meets a rule that executes --jump RETURN. The packet is returned to the INPUT chain. Another example: suppose the packet meets a --jump RETURN rule in the INPUT chain itself. Then the default policy of the INPUT chain is applied to the packet.

LOG target

LOG is a target used to log individual packets and events. The headers of IP packets and other information of interest to you can be written to the log. The log can then be read with dmesg or syslogd, or with other programs. It is an excellent tool for debugging your rules. While debugging it is a good idea to use LOG in place of DROP, so that you can be completely sure your firewall does exactly what you expect. Also note the ULOG target, whose capabilities will probably interest you, since it lets the logged information be written not to the system log but to a MySQL database and the like. Note that if you have problems writing to the system log, that is not a problem with iptables or netfilter but with syslogd; see man syslog.conf for information on configuring syslogd. LOG has five options, listed below.
Table 17. Options for the LOG target
MARK target

Used to set marks on certain packets. This target can only be used within the mangle table. Marks are normally used for routing packets along different routes, for traffic shaping and the like. For more information see the LARTC HOWTO. Remember that a packet's "mark" exists only until the packet leaves the firewall, i.e. the mark is not transmitted over the network. If you need to mark packets so that the marking can be used on another machine, try manipulating the bits of the TOS field instead.

REJECT target

REJECT is generally used in the same situations as DROP, but unlike DROP it sends an error message back to the host that sent the packet. The REJECT target currently "works" only in the INPUT, FORWARD and OUTPUT chains (and in chains called from them). At present there is only one option controlling the behaviour of REJECT.
Table 19. REJECT target

TOS target

The TOS target is used to set bits in the Type of Service field of the IP header. The TOS field is 8 bits wide and is used for routing packets. It is one of several fields used by iproute2. It is also important to remember that this field may be examined by various routers to choose the route a packet takes. As noted above, unlike MARK this field keeps its value as the packet travels across the network and can therefore be used by you to route the packet. Today most routers on the Internet ignore this field altogether, but there are some that do look at it. If you use this field for your own purposes, such routers may make wrong routing decisions, so it is best to use the field for your own purposes only within your own WAN or LAN.

The TOS target has only one option, described below.
Table 20. TOS target
MIRROR target

The MIRROR target may be used only for experiments and demonstration purposes, since it can lead to packets "looping" and so to a denial of service. MIRROR swaps the source and destination fields of the packet (invert the source and destination fields) and sends it back out onto the network. Using it can have quite amusing results; it is probably rather funny to watch from the sidelines as a would-be hacker tries to "break into" his own computer! This target may be used only in the INPUT, FORWARD and PREROUTING chains and in chains called from these three. Packets sent out by MIRROR are no longer subjected to filtering, connection tracking or NAT, which avoids loops and other unpleasantness. That does not mean the target is free of problems, however. Suppose, for example, that a packet with a TTL of 255 is forged against the host that uses MIRROR and it matches the mirroring rule. The packet is "reflected" back to its apparent sender, and since there is only 1 hop between the "receiver" and the "transmitter", the packet bounces back and forth 255 times. Not bad for a cracker: with a packet size of 1500 bytes we lose up to 380 Kbytes of traffic!

SNAT target

SNAT is used for Source Network Address Translation, i.e. changing the source IP address in the packet's IP header. For example, this target can be used to give other computers on a local network access to the Internet when only one unique IP address is available. To do so, packet forwarding must be enabled in the kernel, and rules must then be created that translate the source IP addresses of our local network into the real external address. As a result, the outside world knows nothing about our local network; it believes the requests came from our firewall.

SNAT is allowed only in the nat table, in the POSTROUTING chain. In other words, this is the only place where source addresses may be translated. If the first packet of a connection has its source address translated, all subsequent packets of the same connection are translated automatically and do not pass through this rule chain.
Table 21. SNAT target

DNAT target

DNAT (Destination Network Address Translation) is used to translate the destination address in the packet's IP header. If a packet matches the criteria of a rule performing DNAT, that packet and all subsequent packets of the same stream have their destination address translated and are passed on to the required device, host or network. This target can, for example, be used to give access to your web server which is located on the local network and has no real IP address. To do so you build a rule that intercepts packets arriving at the firewall's HTTP port and, by doing DNAT, forwards them to the web server's local address. A range of addresses may also be specified for this target, in which case the destination address is chosen randomly for each new stream. The DNAT target may be used only in the PREROUTING and OUTPUT chains of the nat table and in sub-chains called from them. It is important to remember that sub-chains performing DNAT must not be called from any chains other than PREROUTING and OUTPUT.
Table 22. DNAT target
The DNAT target is fairly complicated to use and needs some further explanation. Consider a simple example. We have a web server and want to allow access to it from the Internet. We have only one real IP address, and the web server is on the local network. The real IP address $INET_IP is assigned to the firewall, the HTTP server has the local address $HTTP_IP and, finally, the firewall has the local address $LAN_IP. To begin with, we add a simple rule to the PREROUTING chain of the nat table:

iptables -t nat -A PREROUTING -p tcp --dst $INET_IP --dport 80 -j DNAT --to-destination $HTTP_IP

According to this rule, all packets arriving at port 80 of address $INET_IP are redirected to our internal web server. If we now contact the web server from the Internet, everything works perfectly. But what happens if we try to connect to it from the local network? The connection simply is not established. Let us look at how packets travelling from the Internet to our web server are routed. For simplicity, let the address of the client on the Internet be $EXT_BOX.

Now let us see what happens if the request is sent from a host on the same local network. For simplicity, let the address of the client on the local network be $LAN_BOX.

The problem is solved quite simply with SNAT. The rule that does this is given below. It forces the HTTP server to send its replies back to our firewall, which then passes them on to the client.

iptables -t nat -A POSTROUTING -p tcp --dst $HTTP_IP --dport 80 -j SNAT --to-source $LAN_IP

Remember that the POSTROUTING chain is processed last of all; by then the packet has already been DNATed, so the match is built on the destination address $HTTP_IP. If you think we can stop here, you are mistaken! Imagine the situation where the firewall itself is the client. Then, unfortunately, the packets would be delivered to port 80 of the firewall itself rather than to $HTTP_IP. To solve this problem too, we add the rule

iptables -t nat -A OUTPUT -p tcp --dst $INET_IP --dport 80 -j DNAT --to-destination $HTTP_IP

Now there should be no further problems accessing our web server.

MASQUERADE target

Masquerading (MASQUERADE) is essentially the same as SNAT but has no --to-source option. The reason is that masquerading can work with, for example, a dial-up connection or DHCP, i.e. in cases where the IP address is assigned to the device dynamically. If you have a dynamic connection, use masquerading; if you have a static IP connection, SNAT is without doubt the better choice. Masquerading means that the IP address is taken from the given network interface rather than being specified directly, as is done with the --to-source option of SNAT. MASQUERADE has the nice property of "forgetting" connections when the network interface goes down. With SNAT in that situation, the connection tracking table keeps entries for the lost connections, and these entries may be kept for up to a day, consuming valuable memory.

The "forgetting" is because when an interface with a dynamic IP address goes down there is a good chance of getting a different IP address the next time it comes up, in which case any connections would be lost anyway and it would be pointless to keep the tracking information. As you have realised, MASQUERADE can be used in place of SNAT even if you have a permanent IP address; despite its good points, however, masquerading should not be considered preferable in that case, since it puts a greater load on the system. MASQUERADE may only be used in the POSTROUTING chain of the nat table, just like SNAT. MASQUERADE has one option, described below, whose use is optional.
Table 23. MASQUERADE target
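The three rules of the DNAT walk-through and the SNAT-versus-MASQUERADE choice just described, brought together as one script. This is an added example, not the tutorial's own rc.firewall code: the addresses 203.0.113.10, 192.168.0.2 and 192.168.0.80, the range 192.168.0.0/24 and the interface eth0 are constructed placeholders standing in for $INET_IP, $LAN_IP, $HTTP_IP and $INET_IFACE, and the -s restriction on the POSTROUTING SNAT rule is this example's addition, not something the text specifies.

```shell
#!/bin/sh
# Added example: publish an internal web server with DNAT and give the LAN
# Internet access. Addresses and the interface are constructed placeholders
# standing in for the tutorial's $INET_IP, $LAN_IP, $HTTP_IP and $INET_IFACE.
# With IPTABLES unset the rules are only printed (dry run); set
# IPTABLES=/sbin/iptables to apply them.

INET_IP="${INET_IP:-203.0.113.10}"        # public address of the firewall
INET_IFACE="${INET_IFACE:-eth0}"          # interface towards the Internet
LAN_IP="${LAN_IP:-192.168.0.2}"           # LAN address of the firewall
LAN_IP_RANGE="${LAN_IP_RANGE:-192.168.0.0/24}"
HTTP_IP="${HTTP_IP:-192.168.0.80}"        # internal web server
IPTABLES="${IPTABLES:-echo iptables}"     # "echo iptables" = dry run

# Make $HTTP_IP reachable as $INET_IP:80 from the Internet, from the LAN and
# from the firewall itself. --dport needs -p tcp, so it is given on every rule.
publish_web_server() {
    # 1. Internet clients: rewrite the destination before the routing decision.
    $IPTABLES -t nat -A PREROUTING -p tcp --dst "$INET_IP" --dport 80 \
        -j DNAT --to-destination "$HTTP_IP"
    # 2. LAN clients: POSTROUTING runs after DNAT, so match on $HTTP_IP.
    #    Rewriting the source makes the server answer through the firewall,
    #    which undoes both translations; otherwise the client receives a reply
    #    from $HTTP_IP, an address it never sent anything to, and discards it.
    #    Limiting the rule to LAN sources (this example's addition) keeps the
    #    real client address visible to the server for Internet clients.
    $IPTABLES -t nat -A POSTROUTING -p tcp -s "$LAN_IP_RANGE" --dst "$HTTP_IP" \
        --dport 80 -j SNAT --to-source "$LAN_IP"
    # 3. The firewall itself: locally generated packets never see PREROUTING,
    #    so the same DNAT is repeated in the OUTPUT chain of the nat table.
    $IPTABLES -t nat -A OUTPUT -p tcp --dst "$INET_IP" --dport 80 \
        -j DNAT --to-destination "$HTTP_IP"
}

# Source NAT for the LAN. $1 = "static" (SNAT to a fixed address) or
# "dynamic" (MASQUERADE, address taken from the interface at match time).
lan_egress() {
    case "$1" in
        static)
            $IPTABLES -t nat -A POSTROUTING -o "$INET_IFACE" \
                -j SNAT --to-source "$INET_IP" ;;
        dynamic)
            $IPTABLES -t nat -A POSTROUTING -o "$INET_IFACE" -j MASQUERADE ;;
        *)
            echo "lan_egress: expected 'static' or 'dynamic'" >&2
            return 1 ;;
    esac
}

publish_web_server
lan_egress static
```

Run it as is to see the rules it would load; run it as root with IPTABLES=/sbin/iptables to load them. Rule 2 is the one that catches people out: the DNAT rule alone is enough for Internet clients, and the failure for LAN clients is only visible on the client, where the reply from $HTTP_IP does not belong to any connection it opened.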
REDIRECT target

Redirects packets and streams to another port on the same machine. For example, packets arriving at the HTTP port can be redirected to the port of an HTTP proxy. The REDIRECT target is very convenient for transparent proxying, where the machines on the local network are not even aware that a proxy exists. REDIRECT may be used only in the PREROUTING and OUTPUT chains of the nat table and, of course, in sub-chains called from those. The REDIRECT target has only one option.
Table 24. REDIRECT target

TTL target

The TTL target is used to change the contents of the Time To Live field in the IP header. One use of this target is to set the Time To Live field of ALL outgoing packets to the same value. What for? Some providers strongly dislike a single connection being shared by several computers; by setting the same TTL on all packets we deprive the provider of one of the criteria for detecting that the Internet connection is shared by several machines. An example value is TTL = 64, which is the Linux kernel default. For more information on setting the default value, see ip-sysctl.txt, which you will find in the appendix Other resources and links. The TTL target may be used only in the mangle table and nowhere else. The target has 3 options, described below.
Table 25. TTL target

ULOG target

The ULOG target provides packet logging to userspace. It replaces the traditional LOG target, which is based on the system log. When this target is used, the packet is passed through netlink sockets to a special daemon which can do very detailed logging in various formats (plain text file, MySQL database, etc.) and which also supports plug-ins for producing different output formats and handling network protocols. The userspace part, ULOGD, can be obtained from the ULOGD project home page.
Table 26. ULOG target
The rc.firewall file

In this chapter we look at configuring a firewall using the rc.firewall.txt script as an example. We will take each basic setting and look at how it works and what it does. This may give you ideas for solving your own tasks. To run this script you will need to change it so that it works with your network configuration; in most cases changing only the variables is enough.

The rc.firewall example

So, everything is ready for going through the example file rc.firewall.txt (the script is included in this document in the appendix Example scripts). It is fairly large, but only because of the large number of comments. I suggest you look through the file now to get an idea of its contents and then come back here for more detailed explanations.

Description of the rc.firewall script

Configuration

The first part of rc.firewall.txt is the configuration section. This sets the basic firewall settings that depend on your network configuration. The IP addresses, for example, will certainly have to be changed to your own. The variable $INET_IP must contain the real IP address; if you connect to the Internet via DHCP, look at the rc.DHCP.firewall.txt script instead. Likewise $INET_IFACE must name the device through which you connect to the Internet. This may be, for example, eth0, eth1, ppp0, tr0 and so on. This script contains no settings specific to DHCP or PPPoE, so those sections are left empty. The same goes for the other "empty" sections. This is deliberate, so that you can see the differences between the scripts more clearly. If you need to fill in these sections, you can take them from the other scripts or write your own. The Local Area Network section must contain the settings that match your local network configuration. You must specify the firewall's local IP address, the interface connected to the local network, the subnet mask and the broadcast address. Next comes the Localhost Configuration section, which you will hardly ever need to change. This section specifies the local interface lo and the local IP address 127.0.0.1. The Localhost Configuration section is followed by the Iptables Configuration section. Here the variable $IPTABLES is set, holding the path to the iptables binary (/usr/local/sbin/iptables).

If you installed iptables from source, your path to iptables may differ somewhat from the one given in the script, but in most distributions iptables is located exactly there.

Loading additional modules

First of all, the command /sbin/depmod -a checks the module dependencies, after which the modules needed by the script are loaded. Try to load only the modules you need in your scripts. For example, if for some reason we built support for the LOG, REJECT and MASQUERADE targets as loadable modules and now intend to build rules using these targets, the corresponding modules must be loaded with the commands:

/sbin/insmod ipt_LOG
/sbin/insmod ipt_REJECT
/sbin/insmod ipt_MASQUERADE
The next section lists a number of modules that are not used in this script but are given as examples. One is the ipt_owner module, which can be used to allow network access from your machine only to a certain set of users, thereby raising the level of security. For information on the ipt_owner matches, see the Owner match extension in the chapter How to build rules. We can load additional modules for checking the "state" of packets (state matching). All modules extending the state-matching capabilities are named ip_conntrack_* and ip_nat_*. These modules perform connection tracking for specific protocols. For example, FTP is by definition a complex protocol: it sends connection information in the data part of the packet. So if our local host sends, through a firewall doing address translation, a request to connect to an FTP server on the Internet, the host's local IP address is carried inside the packet. And since the IP addresses reserved for local networks are considered invalid on the Internet, the server will not know what to do with the request, and the connection will not be established. The FTP NAT helper module performs all the necessary address translation, so the FTP server actually receives the connection request from our external IP address and can establish the connection. The same happens when DCC is used for file transfers and chats. Establishing connections of this type requires an IP address and port to be sent in the IRC protocol, which also passes through address translation on the firewall. Without a special helper module the FTP and IRC protocols work rather dubiously. For example, you may be able to receive files via DCC but not send them. This is because of the way DCC "starts" a connection. You tell the receiving host that you want to send it a file and where it should connect.

Without the helper module the DCC connection looks as if we had asked the external receiver to connect to a host on our local network; put simply, the connection will fail. With the helper module everything works fine, since the receiver is given the correct IP address to connect to. For more information on the conntrack and nat modules, see the appendix Common problems and questions. Also remember the documentation included with the iptables package. To get these additional features you will need to install patch-o-matic and rebuild the kernel. How to do this is explained above in the chapter Preparations.

/proc set up

Here we turn on IP forwarding by writing a one to the file /proc/sys/net/ipv4/ip_forward like this:

echo "1" > /proc/sys/net/ipv4/ip_forward

If you need dynamic IP support (when using SLIP, PPP or DHCP), you can uncomment the line:

echo "1" > /proc/sys/net/ipv4/ip_dynaddr

If you need to enable any other options, consult the relevant documentation for those options. A good and concise document on the /proc file system ships with the kernel. Links to other documents can be found in the appendix Other resources and links.
Placing rules in other chains

Here we talk about user-defined chains, in particular the user-defined chains set up in the rc.firewall.txt script. My way of splitting the rules across additional chains may turn out to be unsuitable in one case or another. I hope I can show you the possible pitfalls. This section is closely related to the chapter Traversing of tables and chains, and it would do no harm to look through that chapter once more, at least briefly. By distributing the rule set across user-defined chains I saved processor time without losing either security or readability of the scripts. Instead of passing TCP packets through the whole rule set (including the ICMP and UDP rules), I simply pick out the TCP packets and pass them through a user-defined chain meant specifically for TCP packets, which reduces the load on the system. The following picture shows schematically how packets pass through netfilter. In fact this picture is rather limited compared with the diagram in the chapter Traversing of tables and chains. Its main purpose is to refresh our memory.

Overall, this example script assumes that we have one local network, one firewall and a single Internet connection with a static IP address (as opposed to PPP, SLIP, DHCP and the like). It also assumes that access to Internet services goes through the firewall, that we fully trust our local network and therefore do not intend to block traffic originating from it, but that the Internet cannot be considered a trusted network, so access from outside into our local network must be restricted. We will follow the principle "everything that is not allowed is forbidden". To enforce this last restriction we set the default policy to DROP, which cuts off any connection that is not explicitly allowed.

Now let us look at what we need to do and how. First, we allow connections from the local network to the Internet. For this we need to perform network address translation (NAT). This is done in the PREROUTING chain (I believe the author simply made a typo here, since the script fills the POSTROUTING chain, and we already know that SNAT is done in the POSTROUTING chain of the nat table; translator's note), which is filled last in our script. Some filtering is also implied in the FORWARD chain. Even though we fully trust our local network and let all its traffic out to the Internet, that does not mean we trust the Internet, so access to our computers from outside must be restricted. In our case we let packets into our network only if they belong to an already established connection, or open a new connection within the context of an existing one (ESTABLISHED and RELATED). As for the firewall machine itself, the services exposed to the Internet must be kept to a minimum. Accordingly, we allow only HTTP, FTP, SSH and IDENTD access to the firewall. We treat these protocols as allowed in the INPUT chain, so we must correspondingly allow the "return" traffic in the OUTPUT chain. Since we assume a trust relationship with the local network, we add rules for the local network's address range, and at the same time for the local network interface and the localhost address (127.0.0.1). As mentioned above, a number of address ranges are reserved specifically for local networks; these addresses are considered invalid on the Internet and are as a rule not routed. We therefore also forbid any traffic from the Internet whose source address belongs to the local-network ranges. Finally, read the chapter Common problems and questions.

Since we run an FTP server, the rules serving connections to that server should preferably be placed at the start of the INPUT chain, thereby reducing the load on the system. In general, understand that the fewer rules a packet passes through, the more processor time is saved and the lower the load on the system. With this aim I split the rule set into additional chains. In our example I grouped the packets by the protocol they belong to. A separate rule chain is created for each protocol type, for example tcp_packets, which contains the rules checking all allowed TCP ports and protocols. Another chain may be created to check further the packets that have passed through the first one. In our case this is the allowed chain. In this chain individual characteristics of TCP packets are checked further before the final decision to let them through is made. ICMP packets pass through the icmp_packets chain. Here we simply let through all ICMP packets with the specified message codes. And finally UDP packets. They pass through the udp_packets chain, which handles incoming UDP packets. If they belong to allowed services, they are let through without further checking. Since we are considering a fairly small network, our firewall is also used as a workstation, so we make Internet connections from the firewall itself possible too. And in conclusion, the OUTPUT chain. We do not impose any specific blocks on users, but we do not want anyone using our firewall to send "forged" packets onto the network, so we set rules that allow only packets with our address on the local network, our localhost address (127.0.0.1) or our Internet address as source. Packets from these addresses pass the OUTPUT chain; all others (most probably spoofed) are cut off by the default policy DROP.

Setting default policies

Before starting to create the rule set, we must decide on the default policies of the chains. The default policy is set with a command like the one below:

iptables -P <chain name> <policy>

The default policy is the target applied to a packet that matched none of the rules in the chain. (A small clarification: the iptables -P command applies ONLY TO THE BUILT-IN chains, i.e. INPUT, FORWARD, OUTPUT and so on, and not to user-defined chains; translator's note.)
óÏÚÄÁÎÉÅ ÐÏÌØÚÏ×ÁÔÅÌØÓËÉÈ ÃÅÐÏÞÅËéÔÁË, Õ ×ÁÓ ÐÅÒÅÄ ÇÌÁÚÁÍÉ ÎÁ×ÅÒÎÑËÁ ÕÖÅ ÓÔÏÉÔ ËÁÒÔÉÎËÁ Ä×ÉÖÅÎÉÑ ÐÁËÅÔÏ× ÞÅÒÅÚ ÒÁÚÌÉÞÎÙÅ ÃÅÐÏÞËÉ, É ËÁË ÜÔÉ ÃÅÐÏÞËÉ ×ÚÁÉÍÏÄÅÊÓÔ×ÕÀÔ ÍÅÖÄÕ ÓÏÂÏÊ! ÷Ù ÕÖÅ ÄÏÌÖÎÙ ÑÓÎÏ ÐÒÅÄÓÔÁ×ÌÑÔØ ÓÅÂÅ ÃÅÌÉ É ÎÁÚÎÁÞÅÎÉÅ ÄÁÎÎÏÇÏ ÓÃÅÎÁÒÉÑ. äÁ×ÁÊÔÅ ÎÁÞÎÅÍ ÓÏÚÄÁ×ÁÔØ ÃÅÐÏÞËÉ É ÎÁÂÏÒÙ ÐÒÁ×ÉÌ ÄÌÑ ÎÉÈ. ðÒÅÖÄÅ ×ÓÅÇÏ ÎÅÏÂÈÏÄÉÍÏ ÓÏÚÄÁÔØ ÄÏÐÏÌÎÉÔÅÌØÎÙÅ ÃÅÐÏÞËÉ Ó ÐÏÍÏÝØÀ ËÏÍÁÎÄÙ -N. óÒÁÚÕ ÐÏÓÌÅ ÓÏÚÄÁÎÉÑ ÃÅÐÏÞËÉ ÅÝÅ ÎÅ ÉÍÅÀÔ ÎÉ ÏÄÎÏÇÏ ÐÒÁ×ÉÌÁ. ÷ ÎÁÛÅÍ ÐÒÉÍÅÒÅ ÓÏÚÄÁÀÔÓÑ ÃÅÐÏÞËÉ icmp_packets, tcp_packets, udp_packets É ÃÅÐÏÞËÁ allowed, ËÏÔÏÒÁÑ ×ÙÚÙ×ÁÅÔÓÑ ÉÚ ÃÅÐÏÞËÉ tcp_packets. ÷ÈÏÄÑÝÉÅ ÐÁËÅÔÙ Ó ÉÎÔÅÒÆÅÊÓÁ $INET_IFACE (Ô.Å. ÉÚ éÎÔÅÒÎÅÔ), ÐÏ ÐÒÏÔÏËÏÌÕ ICMP ÐÅÒÅÎÁÐÒÁ×ÌÑÀÔÓÑ × ÃÅÐÏÞËÕ icmp_packets, ÐÁËÅÔÙ ÐÒÏÔÏËÏÌÁ TCP ÐÅÒÅÎÁÐÒÁ×ÌÑÀÔÓÑ × ÃÅÐÏÞËÕ tcp_packets É ×ÈÏÄÑÝÉÅ ÐÁËÅÔÙ UDP Ó ÉÎÔÅÒÆÅÊÓÁ eth0 ÉÄÕÔ × ÃÅÐÏÞËÕ udp_packets. ãÅÐÏÞËÁ bad_tcp_packetsüÔÁ ÃÅÐÏÞËÁ ÐÒÅÄÎÁÚÎÁÞÅÎÁ ÄÌÑ ÏÔÆÉÌØÔÒÏ×Ù×ÁÎÉÑ ÐÁËÅÔÏ× Ó "ÎÅÐÒÁ×ÉÌØÎÙÍÉ" ÚÁÇÏÌÏ×ËÁÍÉ É ÒÅÛÅÎÉÑ ÒÑÄÁ ÄÒÕÇÉÈ ÐÒÏÂÌÅÍ. úÄÅÓØ ÏÔÆÉÌØÔÒÏ×Ù×ÁÀÔÓÑ ×ÓÅ ÐÁËÅÔÙ, ËÏÔÏÒÙÅ ÒÁÓÐÏÚÎÁÀÔÓÑ ËÁË NEW, ÎÏ ÎÅ Ñ×ÌÑÀÔÓÑ SYN ÐÁËÅÔÁÍÉ. üÔÁ ÃÅÐÏÞËÁ ÍÏÖÅÔ ÂÙÔØ ÉÓÐÏÌØÚÏ×ÁÎÁ ÄÌÑ ÚÁÝÉÔÙ ÏÔ ×ÔÏÒÖÅÎÉÑ É ÓËÁÎÉÒÏ×ÁÎÉÑ ÐÏÒÔÏ×. óÀÄÁ, ÔÁË ÖÅ, ÄÏÂÁ×ÌÅÎÏ ÐÒÁ×ÉÌÏ ÄÌÑ ÏÔÓÅÉ×ÁÎÉÑ ÐÁËÅÔÏ× ÓÏ ÓÔÁÔÕÓÏÍ INVALID. ãÅÐÏÞËÁ allowedTCP ÐÁËÅÔ, ÓÌÅÄÕÑ Ó ÉÎÔÅÒÆÅÊÓÁ $INET_IFACE, ÐÏÐÁÄÁÅÔ × ÃÅÐÏÞËÕ tcp_packets, ÅÓÌÉ ÐÁËÅÔ ÓÌÅÄÕÅÔ ÎÁ ÒÁÚÒÅÛÅÎÎÙÊ ÐÏÒÔ, ÔÏ ÐÏÓÌÅ ÜÔÏÇÏ ÐÒÏ×ÏÄÉÔÓÑ ÄÏÐÏÌÎÉÔÅÌØÎÁÑ ÐÒÏ×ÅÒËÁ. ðÅÒ×ÏÅ ÐÒÁ×ÉÌÏ ÐÒÏ×ÅÒÑÅÔ, Ñ×ÌÑÅÔÓÑ ÌÉ ÐÁËÅÔ SYN ÐÁËÅÔÏÍ, Ô.Å. ÚÁÐÒÏÓÏÍ ÎÁ ÓÏÅÄÉÎÅÎÉÅ. ôÁËÏÊ ÐÁËÅÔ ÍÙ ÓÞÉÔÁÅÍ ÄÏÐÕÓÔÉÍÙÍ É ÐÒÏÐÕÓËÁÅÍ. óÌÅÄÕÀÝÅÅ ÐÒÁ×ÉÌÏ ÐÒÏÐÕÓËÁÅÔ ×ÓÅ ÐÁËÅÔÙ Ó ÐÒÉÚÎÁËÏÍ ESTABLISHED ÉÌÉ RELATED. ëÏÇÄÁ ÓÏÅÄÉÎÅÎÉÅ ÕÓÔÁÎÁ×ÌÉ×ÁÅÔÓÑ SYN ÐÁËÅÔÏÍ, É ÎÁ ÜÔÏÔ ÚÁÐÒÏÓ ÂÙÌ ÏÔÐÒÁ×ÌÅÎ ÐÏÌÏÖÉÔÅÌØÎÙÊ ÏÔ×ÅÔ, ÔÏ ÏÎÏ ÐÏÌÕÞÁÅÔ ÓÔÁÔÕÓ ESTABLISHED. ðÏÓÌÅÄÎÉÍ ÐÒÁ×ÉÌÏÍ × ÜÔÏÊ ÃÅÐÏÞËÅ ÓÂÒÁÓÙ×ÁÀÔÓÑ ×ÓÅ ÏÓÔÁÌØÎÙÅ TCP ÐÁËÅÔÙ. ðÏÄ ÜÔÏ ÐÒÁ×ÉÌÏ ÐÏÐÁÄÁÀÔ ÐÁËÅÔÙ ÉÚ ÎÅÓÕÝÅÓÔ×ÕÀÝÅÇÏ ÓÏÅÄÉÎÅÎÉÑ, ÐÁËÅÔÙ ÓÏ ÓÂÒÏÛÅÎÎÙÍ ÂÉÔÏÍ SYN, ËÏÔÏÒÙÅ ÐÙÔÁÀÔÓÑ ÚÁÐÕÓÔÉÔØ ÓÏÅÄÉÎÅÎÉÅ. 
îÅ SYN ÐÁËÅÔÙ ÐÒÁËÔÉÞÅÓËÉ ÎÅ ÉÓÐÏÌØÚÕÀÔÓÑ ÄÌÑ ÚÁÐÕÓËÁ ÓÏÅÄÉÎÅÎÉÑ, ÚÁ ÉÓËÌÀÞÅÎÉÅÍ ÓÌÕÞÁÅ× ÓËÁÎÉÒÏ×ÁÎÉÑ ÐÏÒÔÏ×. îÁÓËÏÌØËÏ Ñ ÚÎÁÀ, ÎÁ ÓÅÇÏÄÎÑÛÎÉÊ ÄÅÎØ ÎÅÔ ÒÅÁÌÉÚÁÃÉÉ TCP/IP, ËÏÔÏÒÁÑ ÐÏÄÄÅÒÖÉ×ÁÌÁ ÂÙ ÏÔËÒÙÔÉÅ ÓÏÅÄÉÎÅÎÉÑ ÉÎÁÞÅ, ÞÅÍ ÐÅÒÅÄÁÞÁ SYN ÐÁËÅÔÁ, ÐÏÜÔÏÍÕ ÎÁ 99% ÍÏÖÎÏ ÂÙÔØ Õ×ÅÒÅÎÎÙÍ, ÞÔÏ ÓÂÒÏÛÅÎÙ ÐÁËÅÔÙ, ÐÏÓÌÁÎÎÙÅ ÓËÁÎÅÒÏÍ ÐÏÒÔÏ×. ãÅÐÏÞËÁ ÄÌÑ TCPéÔÁË, ÍÙ ÐÏÄÏÛÌÉ Ë TCP ÓÏÅÄÉÎÅÎÉÑÍ. úÄÅÓØ ÍÙ ÕËÁÚÙ×ÁÅÍ, ËÁËÉÅ ÐÏÒÔÙ ÍÏÇÕÔ ÂÙÔØ ÄÏÓÔÕÐÎÙ ÉÚ Internet. îÅÓÍÏÔÒÑ ÎÁ ÔÏ, ÞÔÏ ÄÁÖÅ ÅÓÌÉ ÐÁËÅÔ ÐÒÏÛÅÌ ÐÒÏ×ÅÒËÕ ÚÄÅÓØ, ÍÙ ×ÓÅ ÒÁ×ÎÏ ×ÓÅ ÐÁËÅÔÙ ÐÅÒÅÄÁÅÍ × ÃÅÐÏÞËÕ allowed ÄÌÑ ÄÏÐÏÌÎÉÔÅÌØÎÏÊ ÐÒÏ×ÅÒËÉ. ñ ÏÔËÒÙÌ TCP ÐÏÒÔ Ó ÎÏÍÅÒÏÍ 21, ËÏÔÏÒÙÊ Ñ×ÌÑÅÔÓÑ ÐÏÒÔÏÍ ÕÐÒÁ×ÌÅÎÉÑ FTP ÓÏÅÄÉÎÅÎÉÑÍÉ. É ÄÁÌÅÅ, Ñ ÒÁÚÒÅÛÁÀ ×ÓÅ RELATED ÓÏÅÄÉÎÅÎÉÑ, ÒÁÚÒÅÛÁÑ, ÔÅÍ ÓÁÍÙÍ, PASSIVE FTP, ÐÒÉ ÕÓÌÏ×ÉÉ, ÞÔÏ ÂÙÌ ÚÁÇÒÕÖÅÎ ÍÏÄÕÌØ ip_conntrack_ftp. åÓÌÉ ×ÁÍ ÐÏÔÒÅÂÕÅÔÓÑ ÚÁÐÒÅÔÉÔØ FTP ÓÏÅÄÉÎÅÎÉÑ, ÔÏ ×ÁÍ ÐÏÔÒÅÂÕÅÔÓÑ ×ÙÇÒÕÚÉÔØ ÍÏÄÕÌØ ip_conntrack_ftp É ÕÄÁÌÉÔØ ÓÔÒÏËÕ $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed ÉÚ ÓÃÅÎÁÒÉÑ rc.firewall.txt. ðÏÒÔ 22 - ÜÔÏ SSH, ËÏÔÏÒÙÊ ÎÁÍÎÏÇÏ ÂÏÌÅÅ ÂÅÚÏÐÁÓÅÎ ÞÅÍ telnet ÎÁ 23 ÐÏÒÔÕ. åÓÌÉ ÷ÁÍ ×ÚÄÕÍÁÅÔÓÑ ÐÒÅÄÏÓÔÁ×ÉÔØ ÄÏÓÔÕÐ Ë ËÏÍÁÎÄÎÏÊ ÏÂÏÌÏÞËÅ (shell) ËÏÍÕ ÂÙ ÔÏ ÎÉ ÂÙÌÏ ÉÚ éÎÔÅÒÎÅÔ, ÔÏ ÌÕÞÛÅ ËÏÎÅÞÎÏ ÐÏÌØÚÏ×ÁÔØÓÑ SSH. ïÄÎÁËÏ , ÈÏÞÕ ÚÁÍÅÔÉÔØ, ÞÔÏ ×ÏÏÂÝÅ-ÔÏ ÓÞÉÔÁÅÔÓÑ ÄÕÒÎÙÍ ÔÏÎÏÍ ÐÒÅÄÏÓÔÁ×ÌÑÔØ ÄÏÓÔÕÐ Ë ÂÒÁÎÄÍÁÕÜÒÕ ÌÀÂÏÍÕ ËÒÏÍÅ ×ÁÓ ÓÁÍÉÈ. ÷ÁÛ ÓÅÔÅ×ÏÊ ÜËÒÁÎ ÄÏÌÖÅÎ ÉÍÅÔØ ÔÏÌØËÏ ÔÅ ÓÅÒ×ÉÓÙ, ËÏÔÏÒÙÅ ÄÅÊÓÔ×ÉÔÅÌØÎÏ ÎÅÏÂÈÏÄÉÍÙ É ÎÅ ÂÏÌÅÅ ÔÏÇÏ. ðÏÒÔ 80 - ÜÔÏ ÐÏÒÔ HTTP, ÄÒÕÇÉÍ ÓÌÏ×ÁÍÉ - web ÓÅÒ×ÅÒ, ÕÂÅÒÉÔÅ ÜÔÏ ÐÒÁ×ÉÌÏ, ÅÓÌÉ Õ ×ÁÓ ÎÅÔ web ÓÅÒ×ÅÒÁ. é ÎÁËÏÎÅà ÐÏÒÔ 113, ÏÔ×ÅÔÓÔ×ÅÎÎÙÊ ÚÁ ÓÌÕÖÂÕ IDENTD É ÉÓÐÏÌØÚÕÀÝÉÊÓÑ ÎÅËÏÔÏÒÙÍÉ ÐÒÏÔÏËÏÌÁÍÉ ÔÉÐÁ IRC, É ÐÒ. ãÅÐÏÞËÁ ÄÌÑ UDPðÁËÅÔÙ UDP ÉÚ ÃÅÐÏÞËÉ INPUT ÓÌÅÄÕÀÔ × ÃÅÐÏÞËÕ udp_packets ëÁË É × ÓÌÕÞÁÅ Ó TCP ÐÁËÅÔÁÍÉ, ÚÄÅÓØ ÏÎÉ ÐÒÏ×ÅÒÑÀÔÓÑ ÎÁ ÄÏÐÕÓÔÉÍÏÓÔØ ÐÏ ÎÏÍÅÒÕ ÐÏÒÔÁ ÎÁÚÎÁÞÅÎÉÑ. ïÂÒÁÔÉÔÅ ×ÎÉÍÁÎÉÅ - ÍÙ ÎÅ ÐÒÏ×ÅÒÑÅÍ ÉÓÈÏÄÑÝÉÊ ÐÏÒÔ ÐÁËÅÔÁ, ÐÏÓËÏÌØËÕ Ï ÜÔÏÍ ÚÁÂÏÔÉÔÓÑ ÍÅÈÁÎÉÚÍ ÏÐÒÅÄÅÌÅÎÉÑ ÓÏÓÔÏÑÎÉÑ. 
Only those ports are opened that are served by servers or daemons on our firewall. Packets arriving at the firewall for already established connections (established from the local network) are accepted automatically, because they have the state ESTABLISHED or RELATED. As you can see in the script, port 53, where DNS lives, is closed for UDP packets: the rule opening port 53 is present in the script but commented out. If you want to run DNS on the firewall, uncomment that rule. I personally allow port 123, where NTP (network time protocol) runs. This service is normally used to fetch the exact time from time servers on the Internet. Most likely, however, you do not use this protocol, so the corresponding rule is commented out in the script as well. Port 2074 is used by some multimedia applications, such as speak freely, that transmit voice in real time. And finally ICQ, on port 4000. This is the widely known protocol used by ICQ applications; I don't think it needs explaining. Besides these, the script contains two more rules that are commented out by default. They can be used if the firewall is overloaded. The first one blocks broadcast packets arriving on ports 135 through 139. These ports are used by Microsoft's SMB and NetBIOS protocols. Thus this rule prevents the connection tracking table from filling up in Microsoft Network environments. The second rule blocks DHCP requests from outside. This rule definitely makes sense if the external network contains non-switched segments where IP addresses are assigned to clients dynamically. It also keeps the logs from bloating (every packet that was not explicitly rejected or accepted is logged by the last rule in the INPUT chain).

The ICMP chain

Here the decision is made whether to accept ICMP packets.
If a packet arrives on eth0 into the INPUT chain, it is then sent to the icmp_packets chain. In this chain the ICMP message type is checked. Only ICMP Echo Request, TTL equals 0 during transit and TTL equals 0 during reassembly are accepted. All other ICMP message types should pass the firewall freely, because they will have the state RELATED.
My reasoning for this decision is as follows. ICMP Echo Request packets are sent mainly to check whether a host is reachable. If this rule is removed, our firewall will not "respond" to ICMP Echo Request, which makes ping and similar utilities useless against the firewall. Time Exceeded (i.e. TTL equals 0 during transit and TTL equals 0 during reassembly): as a packet travels through the network, every router decrements the TTL field in the packet header by 1. As soon as the TTL field reaches zero, the router sends a Time Exceeded message. For example, when you trace the route (traceroute) to some host, the TTL field is set to 1; at the very first router it becomes zero and a Time Exceeded message comes back to us; then we set TTL = 2 and the second router sends us Time Exceeded, and so on, until we receive a reply from the host itself. The list of ICMP message types is given in the appendix ICMP types. Additional information on ICMP can be found in the following documents:
The INPUT chain

The INPUT chain, as I already wrote, uses other chains to do the main work, thereby reducing the load on the packet filter. The effect of organising the rules this way is most noticeable on slow machines, which would otherwise start "losing" packets under high load. This is achieved by splitting the rule set by some criterion and moving the parts into separate chains. That reduces the number of rules each packet has to traverse. With the very first rule we try to drop the "bad" packets. For more information see the appendix on packets in state NEW with the SYN bit cleared. In certain special situations such packets may be considered legitimate, but in 99% of cases it is better to "stop" them. Therefore such packets are written to the system log (logged) and "dropped". Then comes a whole group of rules that accepts all traffic coming from the trusted network, which includes the network adapter connected to the local network and the loopback interface (lo), with source addresses in our local network (including the real IP address). This group of rules comes first for the simple reason that the local network generates considerably more traffic than comes in from the Internet. So when you build your own rule sets, always try to take the traffic volume into account and place the rules that will handle the most traffic first. After that the traffic coming from the Internet is examined. All packets arriving at the INPUT chain on $INET_IFACE are distributed among the nested chains according to protocol. TCP packets are passed to tcp_packets, UDP packets are sent to udp_packets and ICMP is sent to icmp_packets. As a rule TCP packets "eat up" most of the traffic, then UDP, and the smallest share falls to ICMP, but in your particular case this assumption may turn out to be wrong.
It is very important to take into account the volume of traffic passing through the rule set. Accounting for the traffic volume is an absolute necessity. With a poorly distributed rule set, even a Pentium III class machine or better, with a 100 Mbit network card and a large volume of data going over the network, can quite easily be "brought to its knees" by a comparatively small number of rules. Next comes a rather special rule (commented out by default). The thing is that Microsoft Network clients have the "bad habit" of emitting huge numbers of Multicast packets in the 224.0.0.0/8 address range. So this rule can be used to keep the logs from getting "cluttered" if there is some Microsoft Network on the outside. With the last rule, before the default policy is applied to all packets not explicitly accepted in the INPUT chain, the traffic is logged, in case we need to track down the cause of some problem. At the same time we give this rule a limit on the number of logged packets, no more than 3 per minute, to prevent excessive bloating of the log. Everything that was not explicitly accepted in the INPUT chain is subjected to DROP, since that is the action set as the default policy.

The OUTPUT chain

As I mentioned earlier, in my case the computer is used as a firewall and at the same time as a workstation. Therefore I let everything leave my host that has a source address of $LOCALHOST_IP, $LAN_IP or $STATIC_IP. This is done to protect against traffic that a not-so-nice person might spoof on my machine. On top of that, I log the "dropped" packets, for debugging or for detecting spoofed packets. All packets that match none of the rules are subject to the default policy, DROP.

The FORWARD chain

The FORWARD chain contains very few rules.
The first rule sends all TCP packets for checking to the bad_tcp_packets chain, which is also used in the INPUT chain. The bad_tcp_packets chain is built so that it can be called from other chains regardless of where the packet is headed. After the TCP packets have been checked we, as usual, allow packets from the local network to travel without restriction. Naturally the reply packets have to be let back into the local network, so with the next rule we accept everything with the state ESTABLISHED or RELATED, i.e. we accept packets of connections established FROM the local network. And before all the illegitimate packets are dropped by the default policy, we log the traffic, with a limit of 3 entries per minute.

The PREROUTING chain of the nat table

In this script this chain has no rules at all, and the only reason I describe it here is to remind you once more that network address translation (DNAT) takes place in this chain before packets reach the INPUT or FORWARD chain. Once again: this chain is not meant for any kind of filtering, only for address translation, since only the first packet of a stream enters this chain.

Starting Network Address Translation

And the final section: setting up SNAT. At least for me. First of all we add a rule to the nat table, in the POSTROUTING chain, that translates the source addresses of all packets leaving through the interface connected to the Internet. The script defines a number of variables that can be used to configure the script automatically. Besides that, using variables makes the scripts more readable. The -t option specifies the table name, in this case nat. The -A command adds (Add) a new rule to the POSTROUTING chain, the -o $INET_IFACE match specifies the outgoing interface, and at the end of the rule we specify the action for the packet: SNAT. Thus all packets matching the given criteria will be "masqueraded", i.e. they will look as if they were sent from our host. Do not forget to specify the --to-source option with the appropriate IP address for outgoing packets. In this script I use SNAT instead of MASQUERADE for a number of reasons. The first is that this script is assumed to run on a host that has a permanent IP address. The next is that SNAT is faster and more efficient. Of course, if you do not have a permanent IP address, you have to use the MASQUERADE target, which provides a simpler way of translating addresses, since it automatically determines the IP address assigned to the given interface. Compared to SNAT, however, this target requires somewhat more computing resources, though not significantly. If you need an example of MASQUERADE in use, see the rc.DHCP.firewall.txt script.

Example scripts

The purpose of this chapter is to give a brief description of each script in this tutorial. These scripts are not perfect and they cannot fully match your needs. That means you have to "fit" these scripts to your own situation yourself. The remaining part of the tutorial is meant to make that adaptation easier for you.

Structure of the rc.firewall.txt file

All scripts described in this tutorial have a certain structure. This is done so that the scripts resemble each other as much as possible, which makes it easier to find the differences between them. This structure is described fairly well in this chapter. Here I hope to give you an understanding of why all the scripts were written the way they were and why I chose this particular structure.
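The chain layout walked through above (the user-defined chains, the allowed chain, the per-protocol chains and the protocol dispatch in INPUT), put together as one runnable skeleton. This is an added example, not the tutorial's rc.firewall.txt: the interface names eth0 and eth1, the LAN range 192.168.0.0/24 and the port lists are assumptions, and IPTABLES defaults to "echo iptables", so the rules are printed rather than installed (run it as root with IPTABLES=/sbin/iptables to apply them).

```shell
#!/bin/sh
# Added example: skeleton of the filter-table layout described in the text.
# Not the tutorial's own script. Dry run by default: IPTABLES is "echo iptables"
# unless set in the environment, so every rule is printed, not installed.
IPTABLES="${IPTABLES:-echo iptables}"
INET_IFACE="${INET_IFACE:-eth0}"                # assumed interface names
LAN_IFACE="${LAN_IFACE:-eth1}"
LAN_IP_RANGE="${LAN_IP_RANGE:-192.168.0.0/24}"  # constructed sample LAN

# Freshly created chains are empty; they are filled below.
create_user_chains() {
    for chain in bad_tcp_packets allowed tcp_packets udp_packets icmp_packets; do
        $IPTABLES -N $chain
    done
}

# bad_tcp_packets: NEW without SYN is logged and dropped; INVALID is dropped.
fill_bad_tcp_packets() {
    $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW \
        -j LOG --log-prefix "New not syn:"
    $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
    $IPTABLES -A bad_tcp_packets -p tcp -m state --state INVALID -j DROP
}

# allowed: SYN may open a connection, ESTABLISHED/RELATED passes, the rest is dropped.
fill_allowed() {
    $IPTABLES -A allowed -p tcp --syn -j ACCEPT
    $IPTABLES -A allowed -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A allowed -p tcp -j DROP
}

# tcp_packets: one rule per published port; every match is re-checked in "allowed".
fill_tcp_packets() {
    for port in "$@"; do
        $IPTABLES -A tcp_packets -p tcp -s 0/0 --dport "$port" -j allowed
    done
}

# udp_packets: destination port only; the source port is left to conntrack.
fill_udp_packets() {
    for port in "$@"; do
        $IPTABLES -A udp_packets -p udp -s 0/0 --dport "$port" -j ACCEPT
    done
}

# icmp_packets: echo-request (type 8) and time-exceeded (type 11, both codes);
# other ICMP arrives as RELATED and is accepted by the state rules.
fill_icmp_packets() {
    $IPTABLES -A icmp_packets -p icmp --icmp-type 8 -j ACCEPT
    $IPTABLES -A icmp_packets -p icmp --icmp-type 11 -j ACCEPT
}

# INPUT: bad packets first, then the high-volume trusted sources, then Internet
# traffic dispatched by protocol, then rate-limited logging before the DROP policy.
fill_input() {
    $IPTABLES -P INPUT DROP
    $IPTABLES -A INPUT -p tcp -j bad_tcp_packets
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -i "$LAN_IFACE" -s "$LAN_IP_RANGE" -j ACCEPT
    $IPTABLES -A INPUT -p icmp -i "$INET_IFACE" -j icmp_packets
    $IPTABLES -A INPUT -p tcp -i "$INET_IFACE" -j tcp_packets
    $IPTABLES -A INPUT -p udp -i "$INET_IFACE" -j udp_packets
    $IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 \
        -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "
}

build_filter_table() {
    create_user_chains
    fill_bad_tcp_packets
    fill_allowed
    fill_tcp_packets 21 22 80 113
    fill_udp_packets 123 2074 4000
    fill_icmp_packets
    fill_input
}

build_filter_table
```

Because the rules are emitted by functions, the rule order the text insists on (trusted LAN before Internet, logging last) is fixed in one place and the printed dry run can be diffed against the output of iptables -L -n before anything is changed on the firewall.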
Structure

This is the structure that all scripts in this tutorial follow. If you find that this is not the case, it is most probably my mistake, unless of course I have explained why I departed from this structure.
I hope I have explained in enough detail how each script is structured and why they are structured that way.
rc.firewall.txt

The rc.firewall.txt script is the core on which the rest of the scripts are based. The chapter rc.firewall file describes the script in sufficient detail. The script is written for a home network where you have one LOCAL NETWORK and one connection to the Internet. This script also assumes that you have a static IP address and hence do not use DHCP, PPP, SLIP or any other protocol that assigns the IP dynamically. Otherwise take the rc.DHCP.firewall.txt script as your starting point. The script requires the following options to be compiled either statically or as modules. Without any of them the script will not work.
rc.DMZ.firewall.txt

The script requires the following options to be compiled either statically or as modules. Without any of them the script will not work.
The rc.DMZ.firewall.txt script was written for those who have a trusted local network, one "Demilitarized Zone" and one connection to the Internet. To reach the servers in the Demilitarized Zone from outside, one-to-one NAT is used, that is, you have to make the firewall recognise packets for more than one IP address. The script works with two internal networks, as shown in the figure. One uses the IP range 192.168.0.0/24 and is the Trusted Internal Network. The other uses the range 192.168.1.0/24 and is called the Demilitarized Zone (DMZ), for which we will perform one-to-one address translation (NAT). For example, if someone on the Internet sends a packet to our DNS_IP, we perform DNAT, which replaces the destination address with the local address of the DNS server in the DMZ. If DNAT were not performed, the DNS server could not receive the request, because it has the address DMZ_DNS_IP and not DNS_IP. The translation is performed by the following rule.

$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $DNS_IP --dport 53 -j DNAT --to-destination $DMZ_DNS_IP

First of all, let me remind you that DNAT can only be performed in the PREROUTING chain of the nat table. According to this rule, the packet must arrive over TCP on $INET_IFACE with a destination IP matching our $DNS_IP, and be directed at port 53. If such a packet is encountered, destination address substitution, or DNAT, is performed. The DNAT target is given the replacement address with the --to-destination $DMZ_DNS_IP option. When the reply packet comes back through the firewall, the kernel's networking code automatically changes the sender address from $DMZ_DNS_IP to $DNS_IP; in other words, the reverse translation is done automatically and requires no additional rules. By now you should understand how DNAT works well enough to make your way through the script on your own without any problems.
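The two nat-table rules discussed in this chapter, the outbound source NAT from the Starting Network Address Translation section (SNAT for a fixed address, MASQUERADE for a dynamic one) and the inbound DNAT for the DMZ DNS server just above, as one added example. This is not the tutorial's rc.DMZ.firewall.txt: the addresses 203.0.113.10 and 192.168.1.2 are constructed, and the example goes slightly beyond the page's TCP-only rule by translating UDP port 53 as well and by adding the FORWARD rule that the translated packet still has to pass. IPTABLES defaults to "echo iptables" (dry run).

```shell
#!/bin/sh
# Added example, not the tutorial's script: outbound source NAT and inbound DNAT
# for a DNS server in the DMZ. Addresses are constructed from the documentation
# ranges; IPTABLES is "echo iptables" unless set, so nothing is installed.
IPTABLES="${IPTABLES:-echo iptables}"
INET_IFACE="${INET_IFACE:-eth0}"
STATIC_IP="${STATIC_IP:-}"                  # empty means dynamic address -> MASQUERADE
DNS_IP="${DNS_IP:-203.0.113.10}"            # public address clients send to
DMZ_DNS_IP="${DMZ_DNS_IP:-192.168.1.2}"     # where the DNS server really lives

# Source NAT for everything leaving the Internet interface. SNAT needs the
# address in --to-source; MASQUERADE reads it off the interface each time,
# which is what makes it the right target for DHCP/PPP/SLIP links.
outbound_nat_rule() {
    if [ -n "$STATIC_IP" ]; then
        $IPTABLES -t nat -A POSTROUTING -o "$INET_IFACE" -j SNAT --to-source "$STATIC_IP"
    else
        $IPTABLES -t nat -A POSTROUTING -o "$INET_IFACE" -j MASQUERADE
    fi
}

# Destination NAT lives in nat/PREROUTING only; conntrack reverses it on the
# replies without any extra rule. PREROUTING does no filtering, so a FORWARD
# rule must still admit the translated packet into the DMZ. Restricting by
# incoming interface, destination address and port keeps the translation from
# catching LAN traffic or other services on the same public address.
dmz_dns_nat_rules() {
    for proto in tcp udp; do
        $IPTABLES -t nat -A PREROUTING -p $proto -i "$INET_IFACE" -d "$DNS_IP" \
            --dport 53 -j DNAT --to-destination "$DMZ_DNS_IP"
        $IPTABLES -A FORWARD -p $proto -i "$INET_IFACE" -d "$DMZ_DNS_IP" \
            --dport 53 -j ACCEPT
    done
}

outbound_nat_rule
dmz_dns_nat_rules
```

With STATIC_IP unset the dry run prints the MASQUERADE form; exporting STATIC_IP switches it to SNAT, which is the same decision the text makes between rc.firewall.txt and rc.DHCP.firewall.txt.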
If something remains unclear to you and has not been covered in this document, you can let me know; it is probably my mistake.

rc.DHCP.firewall.txt

The script requires the following options to be compiled either statically or as modules. Without any of them the script will not work.
The rc.DHCP.firewall.txt script is very similar to the original rc.firewall.txt. However, this script no longer uses the STATIC_IP variable, and that is the main difference from the original rc.firewall.txt. The reason is that rc.firewall.txt will not work with a dynamic IP address. The changes compared to the original are minimal. This script will be useful for DHCP, PPP and SLIP connections to the Internet. The main difference of this script is the removal of the STATIC_IP variable and of all references to it. Instead the INET_IFACE variable is now used. In other words, -d $STATIC_IP is replaced with -i $INET_IFACE. That is actually all that really has to be changed. We can no longer put rules into the INPUT chain like this one: --in-interface $LAN_IFACE --dst $INET_IP. This in turn forces us to build rules based on the network interface only. For example, suppose an HTTP server is running on the firewall. If we visit the main page, which contains a static link back to the same server, running under a dynamic address, we could run into quite a few problems. A host going through NAT would query DNS for the IP address of the HTTP server and then try to reach that IP. If the firewall filters by interface and IP address, the host will get no reply, because the INPUT chain will filter out such a request. (Most likely the author has the rc.firewall.txt script in mind. Translator's note.) This is also true of some cases where we have a static IP address, but there it can be worked around with rules that match packets arriving from the LAN interface for our INET_IP and ACCEPT them. After all that has been said, the idea of creating a script that handles a dynamic IP may not seem so bad. For instance, one could write a script that obtains the IP address via ifconfig and inserts it into the script (where the corresponding variable is defined) that "brings up" the Internet connection. The excellent site linuxguruz.org has a huge collection of scripts available for download. You will find the link to linuxguruz.org in Links to other resources.
You could also add something like this to your scripts:

INET_IP=`ifconfig $INET_IFACE | grep inet | cut -d : -f 2 | cut -d \ -f 1`

The command above obtains the dynamic IP from the interface, but this approach has serious drawbacks, described below.
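A less brittle way to pick the address off the interface than the grep/cut pipeline above, as an added example that is not part of the tutorial. The cut-by-field-position approach depends on one exact ifconfig layout and silently yields an empty INET_IP otherwise, which would then be substituted into every -s/-d rule; the parser below accepts both the old "inet addr:A.B.C.D" and the newer "inet A.B.C.D/prefix" layouts, ignores inet6 lines and returns a non-zero status when no IPv4 address is found. The interface dumps are constructed samples using the 198.51.100.0/24 documentation range.

```shell
#!/bin/sh
# Added example (not from the tutorial): extract the IPv4 address of an
# interface from ifconfig or "ip addr" output without relying on field positions.

# Reads ifconfig/ip output on stdin, prints the first IPv4 address found,
# returns 1 if there is none (so a caller can refuse to build rules).
iface_ipv4_from_text() {
    addr=$(sed -n 's/^[[:space:]]*inet[[:space:]]\{1,\}\(addr:\)\{0,1\}\([0-9]\{1,3\}\(\.[0-9]\{1,3\}\)\{3\}\).*/\2/p' | head -n 1)
    [ -n "$addr" ] || return 1
    printf '%s\n' "$addr"
}

# Live wrapper: prefers ip(8), falls back to ifconfig. Usage: get_inet_ip eth0
get_inet_ip() {
    iface=$1
    if command -v ip >/dev/null 2>&1; then
        ip -4 addr show dev "$iface" 2>/dev/null | iface_ipv4_from_text
    else
        ifconfig "$iface" 2>/dev/null | iface_ipv4_from_text
    fi
}

# Constructed sample outputs, one per layout, used to exercise the parser offline.
OLD_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:198.51.100.7  Bcast:198.51.100.255  Mask:255.255.255.0
          inet6 addr: fe80::211:22ff:fe33:4455/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1'
NEW_IP='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
    inet 198.51.100.7/24 brd 198.51.100.255 scope global eth0
       valid_lft forever preferred_lft forever'

printf '%s\n' "$OLD_IFCONFIG" | iface_ipv4_from_text
printf '%s\n' "$NEW_IP" | iface_ipv4_from_text
```

In a firewall script the wrapper would be used as INET_IP=$(get_inet_ip "$INET_IFAC"E) followed by a check of its exit status; aborting when the address is missing is safer than loading a rule set with an empty address in it.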
rc.UTIN.firewall.txt

The script requires the following options to be compiled either statically or as modules. Without any of them the script will not work.
The rc.UTIN.firewall.txt script, unlike the other scripts, blocks the LAN that sits behind the firewall. We trust the internal users no more than users from the Internet. In other words, we trust no one, neither on the Internet nor on the local networks we are connected to. Therefore access to the Internet is restricted to the POP3, HTTP and FTP protocols only. This script follows the golden rule: "trust no one, not even your own employees". It is a sad fact that most of the attacks and break-ins a company suffers are carried out by the company's own employees from the local networks. I hope this script gives some ideas that will help you strengthen your firewalling. It differs little from the original rc.firewall.txt, but it contains hints about what we usually let through.

rc.test-iptables.txt

The rc.test-iptables.txt script is meant for testing the various chains but may need additional configuration depending on your setup, for example enabling ip_forwarding or setting up masquerading, etc. In most cases with a basic configuration, however, once the main tables are set up, this script will work. What the script actually does is install LOG targets for ping requests and ping replies. This makes it possible to record in the system log which chains were traversed and in what order. Run the script and then execute the following commands:

ping -c 1 host.on.the.internet

and, while the first command is running, execute tail -n 0 -f /var/log/messages. You should now clearly see all the chains in use and the order in which they are traversed.
rc.flush-iptables.txt

The rc.flush-iptables.txt script is really of no value on its own, since it resets all your tables and chains. At the beginning of the script the default policies are set to ACCEPT for the INPUT, OUTPUT and FORWARD chains of the filter table. After that the policies for the PREROUTING, POSTROUTING and OUTPUT chains of the nat table are reset to the default. These actions are performed first so that there are no problems with closed connections and blocked packets. In effect, this script can be used to prepare the firewall for configuration and when debugging your scripts, so here we only care about clearing the rule set and setting the default policies. Once the default policies are set, we proceed to flush the contents of the chains in the filter and nat tables, and then all user-defined chains are deleted. After that the script finishes. If you use the mangle table, you will have to add the corresponding lines to the script to handle that table.
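A flush routine in the spirit of the script just described, as an added example (it is not the tutorial's rc.flush-iptables.txt). It follows the same order, policies back to ACCEPT first, then flush, then delete user chains, and also covers the mangle table that the text says the original leaves to you. IPTABLES defaults to "echo iptables", so the commands are printed rather than executed.

```shell
#!/bin/sh
# Added example, not the tutorial's own script: reset policies, flush every
# table including mangle, and remove user-defined chains. Dry run by default.
IPTABLES="${IPTABLES:-echo iptables}"

# Policies go back to ACCEPT before anything is flushed, so a session to the
# firewall survives the moment when the chains are empty. Older 2.4 kernels
# have only PREROUTING and OUTPUT in mangle; shorten that list there.
reset_policies() {
    for chain in INPUT OUTPUT FORWARD; do
        $IPTABLES -P $chain ACCEPT
    done
    for chain in PREROUTING POSTROUTING OUTPUT; do
        $IPTABLES -t nat -P $chain ACCEPT
    done
    for chain in PREROUTING INPUT FORWARD OUTPUT POSTROUTING; do
        $IPTABLES -t mangle -P $chain ACCEPT
    done
}

# -F empties every chain in the table, -X then deletes the now-empty
# user-defined chains. -X refuses a chain that still holds rules or is still
# referenced from another chain, which is why the flush has to come first.
flush_tables() {
    for table in filter nat mangle; do
        $IPTABLES -t $table -F
        $IPTABLES -t $table -X
    done
}

flush_all() {
    reset_policies
    flush_tables
}

flush_all
```

Running the dry run and reading the output top to bottom is a quick way to confirm that no -F or -X appears before the last -P, which is the property the text is careful about.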
Detailed explanations of special commands

Listing your rule set

To list the rules, run the iptables command with the L option, which was briefly described earlier in the chapter How to build rules. It looks roughly like this:

iptables -L

This command prints the list of rules on screen in a readable form. Port numbers are converted to service names according to the /etc/services file, and IP addresses are converted to host names through DNS name resolution. Name resolution (resolving) can cause some problems; for example, with the network 192.168.0.0/16 the DNS service will not be able to determine the host name for the address 192.168.1.1, and as a result the command will hang. To get around this problem, list the rules with an additional option:

iptables -L -n

To print additional information about the chains and rules, run

iptables -L -n -v

There are several files in the /proc file system that contain information of interest to us. For example, suppose we want to look at the list of connections in the conntrack table. This is the main table, which holds the list of tracked connections and the state each of them is in. To view the table, run the command

cat /proc/net/conntrack | less

Updating and flushing your tables

As you dig deeper into iptables, the question of removing individual rules from chains without having to reboot the machine will come up more and more often. I will now try to answer it. If you have added some rule by mistake, you only need to replace the -A command with the -D command in the rule line. iptables will find the given rule and delete it. If there are several rules that match the given pattern for deletion, the first rule found will be deleted.
If this does not suit you, the -D command can be given the number of the line to delete as a parameter; for example, the command iptables -D INPUT 10 will delete the tenth rule in the INPUT chain. (To find out the rule number, issue the command iptables -L CHAIN_NAME --line-numbers; the rules will then be printed with their numbers. Translator's note.) To delete the contents of an entire chain, use the -F command. For example, iptables -F INPUT will delete all rules in the INPUT chain; this command, however, does not change the chain's default policy, so if it is set to DROP, everything entering the INPUT chain will be blocked. To reset the default policy, simply set it back to its initial state, for example iptables -P INPUT ACCEPT. I have written a small script (described somewhat earlier) that flushes all tables and chains and resets the chain policies in iptables. Just note that if you use the mangle table, you will have to extend this script, since it does not handle that table.

Common problems and questions

Problems loading modules

You may run into several problems when trying to load one module or another. For example, you may get a message that the requested module is missing:

insmod: iptable_filter: no module by that name found

There is no reason to worry yet. Quite possibly the requested module (or modules) was linked into the kernel statically. This is the first thing you should check. To do so, simply run the command

iptables -t filter -L

If all is well, this command will print the list of all chains in the filter table in the terminal.
The output should look roughly like this:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

If the filter table is missing, the output will be roughly the following:

iptables v1.2.5: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

This is more serious, since this message indicates that either you forgot to install the modules, or you forgot to run depmod -a, or you did not compile the required modules at all. To solve the first problem, run make modules_install in the kernel source directory. The second problem is solved by running depmod -a. Solving the third problem is beyond the scope of this tutorial, and in that case I recommend visiting the home page of the Linux Documentation Project. (Look again at the beginning of the document, where the installation of iptables is described. Translator's note.) Other errors you may get when running iptables:

iptables: No chain/target/match by that name

This error says that there is no such chain, target or match. It can depend on a huge number of factors; most likely you are trying to use a non-existent (or not yet defined) chain, or a non-existent target or match. Or the required module is not loaded.

Passive FTP without DCC

This is one of the great features of the new iptables supported by the 2.4.x series kernels: you can allow Passive FTP and forbid DCC transfers with the help of the new connection tracking code. You may ask "How?"; it is all quite simple. To make this possible, you need to compile ip_conntrack_irc, ip_nat_irc, ip_conntrack_ftp and ip_nat_ftp as loadable modules, not as static code in the kernel. What these modules do is add tracking and NAT support for Passive FTP and DCC send.
Without these modules the kernel's networking code cannot handle connections of this type correctly. If, for instance, you want to allow Passive FTP but forbid DCC send, you need to load the ip_conntrack_ftp and ip_nat_ftp modules and NOT load the ip_conntrack_irc and ip_nat_irc modules, and then add the rule:

iptables -A INPUT -p TCP -m state --state RELATED -j ACCEPT

which will permit Passive FTP connections but not DCC. If on the contrary you need to forbid Passive FTP and allow DCC, do exactly the opposite: load the ip_conntrack_irc and ip_nat_irc modules and do NOT load ip_conntrack_ftp and ip_nat_ftp. Note that the ip_nat_* modules are only needed if your firewall performs Network Address Translation or masquerading when connecting local hosts to the Internet. For more information about Active and Passive FTP, read RFC 959 - File Transfer Protocol by J. Postel and J. Reynolds. This RFC contains information about the FTP protocol, Active and Passive FTP and how they work. As that document describes, with Active FTP the client sends the server its IP and a port it has chosen at random for the transfer. The server then connects to that port on the client. If your client is behind a firewall performing NAT, the data section of the packets has to be translated, which is what the ip_nat_ftp module does. With Passive FTP the procedure is completely reversed. The client tells the server that it wants to send or receive data, and the server replies telling the client which address to connect to and which port to use.

Packets in state NEW with the SYN bit cleared

This property of iptables is not documented well enough, and therefore many people may pay too little attention to it (myself included).
If you use rules that match packet state NEW but do not check the state of the SYN bit, packets with the SYN bit cleared can "leak" through your defences. Although, when several firewalls are used, such a packet may be part of an ESTABLISHED connection set up through another firewall. By letting such packets through we make it possible for two or more firewalls to work together, and we can stop any one of them without fear of breaking established connections, since another firewall immediately takes over the data transfer. However, this also makes it possible to open practically any TCP connection. To avoid this, the following rules should be added to the INPUT, OUTPUT and FORWARD chains:

$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
Note that there are some problems with the rules above and Microsoft's poor TCP/IP implementation. The thing is that under certain conditions packets generated by Microsoft software are marked as NEW and will be dropped by these rules. As far as I know, however, this does not break connections. It happens because, when the connection is closed and the final FIN/ACK packet is sent, netfilter closes that connection and removes it from the conntrack table. At that moment the defective Microsoft code sends another packet, which is given the state NEW, but that packet does not have the SYN bit set and so matches the rules mentioned above. In short: don't worry too much about these rules. If anything, you can look at the system log, where the dropped packets are logged (see the rules above), and sort it out. There is one more known problem with these rules. If someone is currently connected to the firewall, for instance from the LAN, and brings up PPP, that connection will be destroyed. This happens at the moment the conntrack and nat modules are loaded or unloaded. Another way to run into this problem is to run the rc.firewall.txt script from a telnet connection from another computer. To do this you connect to the firewall via telnet. You run rc.firewall.txt, which in the course of its execution starts the connection tracking modules and loads the "NEW not SYN" rules. When the telnet client or daemon tries to send something, the connection is recognised by the tracking code as NEW, but the packets do not have the SYN bit set, since they actually belong to an already established connection. Consequently the packet matches the rules, with the result that it is logged and dropped.
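The "NEW but not SYN" rules for all three chains, one LOG and one DROP rule each, together with a small parser for the log lines they produce, as an added example that is not part of the tutorial. The log lines are constructed samples in the netfilter LOG format; the kernel LOG format itself is real, the addresses and timestamps are made up. IPTABLES defaults to "echo iptables" (dry run; echo drops the quotes around the log prefix in the printed form).

```shell
#!/bin/sh
# Added example, not the tutorial's script: install the NEW-not-SYN rules and
# summarise what they log. Dry run by default.
IPTABLES="${IPTABLES:-echo iptables}"

# One LOG rule and one DROP rule per chain, as the text prescribes.
new_not_syn_rules() {
    for chain in INPUT OUTPUT FORWARD; do
        $IPTABLES -A $chain -p tcp ! --syn -m state --state NEW \
            -j LOG --log-prefix "New not syn:"
        $IPTABLES -A $chain -p tcp ! --syn -m state --state NEW -j DROP
    done
}

# Extract source, destination, destination port and TCP flags from one kernel
# LOG line carrying our prefix. Prints "SRC DST DPT FLAGS"; returns 1 otherwise.
parse_new_not_syn_line() {
    line=$1
    case $line in
        *"New not syn:"*) ;;
        *) return 1 ;;
    esac
    src=$(printf '%s\n' "$line" | sed -n 's/.*SRC=\([^ ]*\).*/\1/p')
    dst=$(printf '%s\n' "$line" | sed -n 's/.*DST=\([^ ]*\).*/\1/p')
    dpt=$(printf '%s\n' "$line" | sed -n 's/.*DPT=\([^ ]*\).*/\1/p')
    # In the LOG format the flag words sit between RES=... and URGP=...
    flags=$(printf '%s\n' "$line" | sed -n 's/.*RES=[^ ]* \(.*\) URGP=.*/\1/p')
    [ -n "$flags" ] || flags="-"
    printf '%s %s %s %s\n' "$src" "$dst" "$dpt" "$flags"
}

# Read a log on stdin and print "count source" lines, busiest source first.
# A few hits from one host closing connections is the benign case the text
# describes; a long list of ports from one source is the shape of a scan.
count_new_not_syn_by_source() {
    while IFS= read -r line; do
        parse_new_not_syn_line "$line" | cut -d ' ' -f 1
    done | sort | uniq -c | sort -rn | sed 's/^[[:space:]]*//'
}

# Constructed sample log: three hits plus one unrelated line from another rule.
SAMPLE_LOG='Oct 14 12:00:01 fw kernel: New not syn:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.23 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=40123 DPT=22 WINDOW=1024 RES=0x00 ACK URGP=0
Oct 14 12:00:02 fw kernel: New not syn:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.23 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=40124 DPT=80 WINDOW=1024 RES=0x00 FIN ACK URGP=0
Oct 14 12:00:03 fw kernel: IPT INPUT packet died: IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.5 LEN=78 PROTO=UDP SPT=137 DPT=137
Oct 14 12:00:04 fw kernel: New not syn:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.77 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=44 ID=0 DF PROTO=TCP SPT=1025 DPT=443 WINDOW=512 RES=0x00 ACK URGP=0'

new_not_syn_rules
printf '%s\n' "$SAMPLE_LOG" | count_new_not_syn_by_source
```

On a live system the summary is obtained with grep "New not syn:" /var/log/messages | count_new_not_syn_by_source; the DPT and FLAGS columns from parse_new_not_syn_line are what tell the Microsoft close-of-connection case (one port, ACK or FIN ACK) apart from a scanner walking ports.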
Internet Service Providers who use reserved IP addresses

I added this section to warn you about dim-witted Internet Service Providers who assign IP addresses that IANA has set aside for local networks. For example, the Swedish Internet Service Provider and telephone monopoly Telia uses such addresses, for instance for their DNS servers, which use the 10.x.x.x range. The problem you will most likely run into is that in our scripts we do not allow connections from any IP in the 10.x.x.x range, because of the possibility of packet spoofing. If you run into this situation, you will probably have to drop some of the rules. Or add rules that accept traffic from those servers before the INPUT chain, for example like this:

/usr/local/sbin/iptables -t nat -I PREROUTING -i eth1 -s 10.0.0.1/32 -j ACCEPT

I would like to remind such providers that these address ranges are not meant for use on the Internet. For corporate networks, by all means; for your own home networks, fine! But you should not force us to "open up" at your whim.

How to let DHCP requests through iptables

Actually this task is fairly simple if you know how the DHCP protocol works. First of all you need to know that DHCP works over UDP. Hence the protocol is the first match. Next, the interface has to be specified; for example, if DHCP requests come through $LAN_IFACE, DHCP traffic should be allowed only through that interface. And finally, to make the rule more specific, the ports should be specified. DHCP uses ports 67 and 68.
So the rule we are looking for may look like this:

$IPTABLES -I INPUT -i $LAN_IFACE -p udp --dport 67:68 --sport 67:68 -j ACCEPT

Note that this rule lets through all UDP traffic on ports 67 and 68, but that should not bother you too much, since it only allows requests from hosts on the network trying to connect to ports 67 and 68. This rule is quite sufficient to allow DHCP requests without "opening the gates" too wide. If you are very concerned about security, you may well tighten this rule.

mIRC DCC problems

mIRC uses specific settings that let it connect through a firewall and handle DCC connections properly. If these settings are used together with iptables, or rather with the ip_conntrack_irc and ip_nat_irc modules, the combination simply will not work. The problem is that mIRC automatically performs network address translation (NAT) inside the packets. As a result, when the packet reaches iptables, it simply does not know what to do with it. mIRC does not expect the firewall to be "smart" enough to handle IRC correctly, and so it asks the server for its own IP itself and then inserts it when sending the DCC request. Enabling the "I am behind a firewall" option and using the ip_conntrack_irc and ip_nat_irc modules leads to netfilter writing the message "Forged DCC send packet" to the system log. This problem has a simple solution: turn that option off in mIRC and let iptables do all the work.

ICMP types

This is the complete list of ICMP message types:

Table 1. ICMP types
Links to other resources

Here is a list of links where you can get further information:
And of course the iptables source code, the documentation, and the people who helped me.

Acknowledgements

I would like to express special gratitude to the people who gave me invaluable help in creating this document:
History

Version 1.1.14 (14 Oct 2002)

GNU Free Documentation License

Version 1.1, March 2000
0. PREAMBLE

The purpose of this License is to make a manual, textbook, or other written document "free" in the sense of freedom: to assure everyone the effective freedom to copy and redistribute it, with or without modifying it, either commercially or noncommercially. Secondarily, this License preserves for the author and publisher a way to get credit for their work, while not being considered responsible for modifications made by others. This License is a kind of "copyleft", which means that derivative works of the document must themselves be free in the same sense. It complements the GNU General Public License, which is a copyleft license designed for free software. We have designed this License in order to use it for manuals for free software, because free software needs free documentation: a free program should come with manuals providing the same freedoms that the software does. But this License is not limited to software manuals; it can be used for any textual work, regardless of subject matter or whether it is published as a printed book. We recommend this License principally for works whose purpose is instruction or reference.

1. APPLICABILITY AND DEFINITIONS

This License applies to any manual or other work that contains a notice placed by the copyright holder saying it can be distributed under the terms of this License. The "Document", below, refers to any such manual or work. Any member of the public is a licensee, and is addressed as "you". A "Modified Version" of the Document means any work containing the Document or a portion of it, either copied verbatim, or with modifications and/or translated into another language. A "Secondary Section" is a named appendix or a front-matter section of the Document that deals exclusively with the relationship of the publishers or authors of the Document to the Document's overall subject (or to related matters) and contains nothing that could fall directly within that overall subject.
(For example, if the Document is in part a textbook of mathematics, a Secondary Section may not explain any mathematics.) The relationship could be a matter of historical connection with the subject or with related matters, or of legal, commercial, philosophical, ethical or political position regarding them. The "Invariant Sections" are certain Secondary Sections whose titles are designated, as being those of Invariant Sections, in the notice that says that the Document is released under this License. The "Cover Texts" are certain short passages of text that are listed, as Front-Cover Texts or Back-Cover Texts, in the notice that says that the Document is released under this License. A "Transparent" copy of the Document means a machine-readable copy, represented in a format whose specification is available to the general public, whose contents can be viewed and edited directly and straightforwardly with generic text editors or (for images composed of pixels) generic paint programs or (for drawings) some widely available drawing editor, and that is suitable for input to text formatters or for automatic translation to a variety of formats suitable for input to text formatters. A copy made in an otherwise Transparent file format whose markup has been designed to thwart or discourage subsequent modification by readers is not Transparent. A copy that is not "Transparent" is called "Opaque". Examples of suitable formats for Transparent copies include plain ASCII without markup, Texinfo input format, LaTeX input format, SGML or XML using a publicly available DTD, and standard-conforming simple HTML designed for human modification. Opaque formats include PostScript, PDF, proprietary formats that can be read and edited only by proprietary word processors, SGML or XML for which the DTD and/or processing tools are not generally available, and the machine-generated HTML produced by some word processors for output purposes only. 
The "Title Page" means, for a printed book, the title page itself, plus such following pages as are needed to hold, legibly, the material this License requires to appear in the title page. For works in formats which do not have any title page as such, "Title Page" means the text near the most prominent appearance of the work's title, preceding the beginning of the body of the text.

2. VERBATIM COPYING

You may copy and distribute the Document in any medium, either commercially or noncommercially, provided that this License, the copyright notices, and the license notice saying this License applies to the Document are reproduced in all copies, and that you add no other conditions whatsoever to those of this License. You may not use technical measures to obstruct or control the reading or further copying of the copies you make or distribute. However, you may accept compensation in exchange for copies. If you distribute a large enough number of copies you must also follow the conditions in section 3. You may also lend copies, under the same conditions stated above, and you may publicly display copies.

3. COPYING IN QUANTITY

If you publish printed copies of the Document numbering more than 100, and the Document's license notice requires Cover Texts, you must enclose the copies in covers that carry, clearly and legibly, all these Cover Texts: Front-Cover Texts on the front cover, and Back-Cover Texts on the back cover. Both covers must also clearly and legibly identify you as the publisher of these copies. The front cover must present the full title with all words of the title equally prominent and visible. You may add other material on the covers in addition. Copying with changes limited to the covers, as long as they preserve the title of the Document and satisfy these conditions, can be treated as verbatim copying in other respects.
If the required texts for either cover are too voluminous to fit legibly, you should put the first ones listed (as many as fit reasonably) on the actual cover, and continue the rest onto adjacent pages. If you publish or distribute Opaque copies of the Document numbering more than 100, you must either include a machine-readable Transparent copy along with each Opaque copy, or state in or with each Opaque copy a publicly-accessible computer-network location containing a complete Transparent copy of the Document, free of added material, which the general network-using public has access to download anonymously at no charge using public-standard network protocols. If you use the latter option, you must take reasonably prudent steps, when you begin distribution of Opaque copies in quantity, to ensure that this Transparent copy will remain thus accessible at the stated location until at least one year after the last time you distribute an Opaque copy (directly or through your agents or retailers) of that edition to the public. It is requested, but not required, that you contact the authors of the Document well before redistributing any large number of copies, to give them a chance to provide you with an updated version of the Document.

4. MODIFICATIONS

You may copy and distribute a Modified Version of the Document under the conditions of sections 2 and 3 above, provided that you release the Modified Version under precisely this License, with the Modified Version filling the role of the Document, thus licensing distribution and modification of the Modified Version to whoever possesses a copy of it. In addition, you must do these things in the Modified Version:
If the Modified Version includes new front-matter sections or appendices that qualify as Secondary Sections and contain no material copied from the Document, you may at your option designate some or all of these sections as invariant. To do this, add their titles to the list of Invariant Sections in the Modified Version's license notice. These titles must be distinct from any other section titles. You may add a section entitled "Endorsements", provided it contains nothing but endorsements of your Modified Version by various parties--for example, statements of peer review or that the text has been approved by an organization as the authoritative definition of a standard. You may add a passage of up to five words as a Front-Cover Text, and a passage of up to 25 words as a Back-Cover Text, to the end of the list of Cover Texts in the Modified Version. Only one passage of Front-Cover Text and one of Back-Cover Text may be added by (or through arrangements made by) any one entity. If the Document already includes a cover text for the same cover, previously added by you or by arrangement made by the same entity you are acting on behalf of, you may not add another; but you may replace the old one, on explicit permission from the previous publisher that added the old one. The author(s) and publisher(s) of the Document do not by this License give permission to use their names for publicity for or to assert or imply endorsement of any Modified Version.

5. COMBINING DOCUMENTS

You may combine the Document with other documents released under this License, under the terms defined in section 4 above for modified versions, provided that you include in the combination all of the Invariant Sections of all of the original documents, unmodified, and list them all as Invariant Sections of your combined work in its license notice. The combined work need only contain one copy of this License, and multiple identical Invariant Sections may be replaced with a single copy.
If there are multiple Invariant Sections with the same name but different contents, make the title of each such section unique by adding at the end of it, in parentheses, the name of the original author or publisher of that section if known, or else a unique number. Make the same adjustment to the section titles in the list of Invariant Sections in the license notice of the combined work. In the combination, you must combine any sections entitled "History" in the various original documents, forming one section entitled "History"; likewise combine any sections entitled "Acknowledgements", and any sections entitled "Dedications". You must delete all sections entitled "Endorsements."

6. COLLECTIONS OF DOCUMENTS

You may make a collection consisting of the Document and other documents released under this License, and replace the individual copies of this License in the various documents with a single copy that is included in the collection, provided that you follow the rules of this License for verbatim copying of each of the documents in all other respects. You may extract a single document from such a collection, and distribute it individually under this License, provided you insert a copy of this License into the extracted document, and follow this License in all other respects regarding verbatim copying of that document.

7. AGGREGATION WITH INDEPENDENT WORKS

A compilation of the Document or its derivatives with other separate and independent documents or works, in or on a volume of a storage or distribution medium, does not as a whole count as a Modified Version of the Document, provided no compilation copyright is claimed for the compilation. Such a compilation is called an "aggregate", and this License does not apply to the other self-contained works thus compiled with the Document, on account of their being thus compiled, if they are not themselves derivative works of the Document.
If the Cover Text requirement of section 3 is applicable to these copies of the Document, then if the Document is less than one quarter of the entire aggregate, the Document's Cover Texts may be placed on covers that surround only the Document within the aggregate. Otherwise they must appear on covers around the whole aggregate.

8. TRANSLATION

Translation is considered a kind of modification, so you may distribute translations of the Document under the terms of section 4. Replacing Invariant Sections with translations requires special permission from their copyright holders, but you may include translations of some or all Invariant Sections in addition to the original versions of these Invariant Sections. You may include a translation of this License provided that you also include the original English version of this License. In case of a disagreement between the translation and the original English version of this License, the original English version will prevail.

9. TERMINATION

You may not copy, modify, sublicense, or distribute the Document except as expressly provided for under this License. Any other attempt to copy, modify, sublicense or distribute the Document is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.

10. FUTURE REVISIONS OF THIS LICENSE

The Free Software Foundation may publish new, revised versions of the GNU Free Documentation License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. See http://www.gnu.org/copyleft/. Each version of the License is given a distinguishing version number.
If the Document specifies that a particular numbered version of this License "or any later version" applies to it, you have the option of following the terms and conditions either of that specified version or of any later version that has been published (not as a draft) by the Free Software Foundation. If the Document does not specify a version number of this License, you may choose any version ever published (not as a draft) by the Free Software Foundation.

How to use this License for your documents

To use this License in a document you have written, include a copy of the License in the document and put the following copyright and license notices just after the title page:
If you have no Invariant Sections, write "with no Invariant Sections" instead of saying which ones are invariant. If you have no Front-Cover Texts, write "no Front-Cover Texts" instead of "Front-Cover Texts being LIST"; likewise for Back-Cover Texts. If your document contains nontrivial examples of program code, we recommend releasing these examples in parallel under your choice of free software license, such as the GNU General Public License, to permit their use in free software.

GNU General Public License

Version 2, June 1991
0. Preamble

The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Library General Public License instead.) You can apply it to your programs, too. When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things. To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it. For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights. We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software. Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software.
If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations. Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all. The precise terms and conditions for copying, distribution and modification follow.

1. TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
END OF TERMS AND CONDITIONS

2. How to Apply These Terms to Your New Programs

If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms. To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found.
Also add information on how to contact you by electronic and paper mail. If the program is interactive, make it output a short notice like this when it starts in an interactive mode:
The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than `show w' and `show c'; they could even be mouse-clicks or menu items--whatever suits your program. You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the program, if necessary. Here is a sample; alter the names:
This General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Library General Public License instead of this License.

Example scripts

Example rc.firewall

#!/bin/sh

Example script rc.DMZ.firewall

#!/bin/sh

Example script rc.UTIN.firewall

#!/bin/sh

Example script rc.DHCP.firewall

#!/bin/sh

Example script rc.flush-iptables

#!/bin/sh

Example script rc.test-iptables

#!/bin/bash