Iptables Tutorial 1.1.11
Oskar Andreasson (blueflux@koffein.net)
Copyright (C) 2001 by Oskar Andreasson
Translation: Andrey Kiselev, kis_an@mail.ru
The original can be found at: http://www.linuxsecurity.com/resource_files/firewalls/IPTables-Tutorial/iptables-tutorial.html
Permission is granted to copy, distribute and/or modify this document, or parts of it, under the terms of the GNU Free Documentation License, Version 1.1. The Invariant Sections are the section "Introduction" and all of its sub-sections, as well as the sections beginning with the words "Original Author: Oskar Andreasson". All scripts in this tutorial are covered by the GNU General Public License. They are free software; you can redistribute them and/or modify them under the terms of the GNU General Public License, version 2. These scripts are distributed in the hope that they will be useful, but WITHOUT ANY WARRANTY. For more details see the text of the GNU General Public License. A copy of the GNU General Public License should accompany this document, in the section "GNU General Public License"; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA.
Introduction

About the author

I am someone who looks after a fair number of old computers that I have joined into a local network with Internet access, and who is responsible for keeping them secure. In this respect the move from ipchains to iptables is well justified. Previously you could tighten your network by dropping all packets and closing specific ports, but that broke passive FTP and outgoing DCC in IRC, where the server allocates a port dynamically and then tells the client which port to connect to. In the beginning I ran into a few "diseases" inherited from ipchains and did not consider the iptables code quite ready for a final release. Today I would recommend that everyone still running ipchains or ipfwadm in production move over to iptables!

Dedications

First of all I would like to dedicate this document to my wonderful girlfriend Ninel. She supports me more than I could ever support her. Secondly, to all the Linux developers who made this remarkable operating system, for their incredibly hard work.

Why this tutorial was written

Put simply, I found an annoying gap in the HOWTOs regarding iptables and the netfilter functionality implemented in the new 2.4.x series of Linux kernels. Among other things, I have tried to answer some questions about the new possibilities, for example state matching (translator's note: I could not find a better term for it), which makes passive FTP to your server possible while still not letting outgoing DCC traffic from IRC through. All examples are taken from the file rc.firewall.txt, which you can drop into /etc/rc.d/. For those interested: this file was originally based on the masquerading HOWTO. There you will also find a small script, rc.flush-iptables.txt, written by me.

You can use it as well, extending it for your own configuration where necessary.

How it was written

I asked Marc Boucher and other members of the netfilter development team questions, and I take this opportunity to express my great gratitude for their help in creating this tutorial, which was written for boingworld.com. It takes you through the setup step by step and, I hope, by the end of it you will know considerably more about the iptables package. Most of the material is based on the rc.firewall.txt file, because I believe working through an example is the best way to learn iptables. I will go through the main chains of rules in the order they are traversed. That makes the learning a little harder but the exposition more logical, and whenever you run into difficulties you can come back to this tutorial.

How to read this document

This document is written to ease the reader's understanding of the wonderful world of iptables. You will not find information here about bugs in iptables or netfilter. If you run into one, contact the development team, who can tell you whether the bug really exists. Today iptables and netfilter have practically no bugs, though one or two occasionally slip through; information about such bugs always appears on the netfilter home page. This also means that the rule sets that accompany this tutorial were written without taking possible netfilter bugs into account. The main aim of the examples is to show how to write a rule set and what problems you may run into. For example, this document does not explain how to close the Apache 1.2.12 vulnerability on the HTTP port (in fact the examples do show how to close that port, but for a different reason). This document was written to give beginners a good, simple and at the same time reasonably complete iptables tutorial.

It contains no information about the targets and matches from patch-o-matic, for the simple reason that it would take too much effort to keep track of the whole list of changes. If you need information about the patch-o-matic modifications, turn to the documentation that comes with the particular patch-o-matic; it is available from the netfilter home page.

Terms used in this document

This document uses a few terms that should be explained before you meet them.

Stream: a connection through which packets are sent and received. I use this term for connections that carry at least two packets, in both directions. For TCP this may mean a connection in which a SYN packet is sent and a SYN/ACK packet is received, but it may equally mean a SYN packet followed by an ICMP Host unreachable message. In other words, I use the term fairly loosely.

State: the state a packet is in, as defined by RFC 793 - Transmission Control Protocol and by the interpretation netfilter/iptables uses.

Preparations

The purpose of this chapter is to help you understand the role netfilter and iptables play in Linux today, and to help you install and set up a firewall.

Where to get iptables

The iptables packages can be downloaded from the netfilter home page. For iptables to work, the kernel of your Linux system must be configured appropriately; kernel configuration is discussed below.

Kernel setup

For the basic iptables functionality, the following options must be enabled in the kernel using make config or one of its equivalents (make menuconfig or make xconfig; translator's note):
And of course you need the drivers for your hardware, i.e. the Ethernet card, PPP and SLIP. To use the more advanced iptables features you will have to enable some additional kernel options. Below is the list of options for kernel 2.4.9 with a short description of each.

As you can see, I have given a short description of each module. These options are available in kernel version 2.4.9. For the rc.firewall.txt script to work you need to compile the following options into the kernel or build the corresponding loadable modules. For the options required by the other scripts, see the appendix with the example scripts.

Above is the list of the minimal set of kernel options needed for the rc.firewall.txt script; the options needed by the other example scripts are listed in the corresponding sections below. For now we will stop at the main script and start studying it.

Installing the package

First let's look at how to build (compile) the iptables package. The build depends heavily on the kernel configuration, and you need to understand that. Some distributions ship the iptables package pre-installed, Red Hat 7.1 being one of them. However, in Red Hat 7.1 the package is disabled by default, so below we will look at how to enable it in that and in other distributions.

Compiling the package

First unpack the iptables source package. We will use iptables 1.2.6a and kernel 2.4.9. Unpack it as usual:

bzip2 -cd iptables-1.2.6a.tar.bz2 | tar -xvf -

If that succeeds, the package is in the directory iptables-1.2.6a. For more detail see iptables-1.2.6a/INSTALL, which describes the build and installation in full. Next you need to check that the additional modules and options are enabled in the kernel. The steps described here only concern applying patches to the kernel. In this step we install the updates that are expected to be included in the kernel in the future:
make pending-patches KERNEL_DIR=/usr/src/linux/

The KERNEL_DIR variable must contain the path to your kernel source. Usually that is /usr/src/linux/; if your source lives elsewhere, give your own path.

make most-of-pom KERNEL_DIR=/usr/src/linux/

While this command runs you are asked to confirm each piece of what the netfilter world calls patch-o-matic. To install all the patches from patch-o-matic, run:

make patch-o-matic KERNEL_DIR=/usr/src/linux/

Be sure to read the help for each patch carefully and to the end before installing anything, because some patches are incompatible with others, and some, when applied together, can even break the kernel.

After patching you have to rebuild the kernel with the newly installed updates. Do not forget to run the kernel configuration first, since the installed updates will most likely be turned off. In principle you can postpone the kernel build until you have finished installing iptables. To continue building iptables, run:

make KERNEL_DIR=/usr/src/linux/

If problems come up during the build, you can try to solve them yourself or ask the netfilter mailing list, where people can help you. There you will find explanations of what may have gone wrong during installation, so do not panic right away. If that does not help, try to think it through logically, or ask somebody who knows. If everything went smoothly you are ready to install the binaries:

make install KERNEL_DIR=/usr/src/linux/

Hopefully no problems here! To actually use the iptables package you now definitely need to rebuild and install the kernel, if you have not done so yet. More information about installing the package is in the INSTALL file.

Installation on Red Hat 7.1

Red Hat 7.1 with its 2.4.x kernel already ships with netfilter and iptables pre-installed. However, for backward compatibility with earlier releases the ipchains package is active by default. Let's briefly go through how to remove ipchains and run iptables instead.
First ipchains has to be turned off, so that its modules are not loaded in the future. To do that we need to rename some files in the /etc/rc.d/ tree; the following command does the work:

chkconfig --level 0123456 ipchains off

As a result, in some file names the letter S (which says that the script runs at system start-up) is replaced by K (for Kill, which says the script runs at shutdown). We thus get links named K92ipchains, which prevents the service from starting in the future. ipchains is still running, though, so now run the command that stops the service:

service ipchains stop

Finally the iptables service has to be started. First decide on which runlevels the service should start. Usually these are 2, 3 and 5, about which we know the following:

To start iptables on these levels, run:

chkconfig --level 235 iptables on

A word about the levels on which iptables does not need to start: level 1 is single-user mode, normally used in emergencies when bringing up a broken system; level 4 should not be used at all; level 6 is the halt level, entered when the computer is powered off or rebooted. To activate the iptables service, run:

service iptables start

So iptables is running, but we do not have a single rule yet. There are two ways to add rules in Red Hat 7.1. The first is to edit /etc/rc.d/init.d/iptables, which has the drawback that all your rules are lost when iptables is upgraded from RPM packages. The second is to enter the rules and save them with iptables-save; rules saved this way are restored automatically at boot. If you choose the first way, put the rules into the start section of the /etc/rc.d/init.d/iptables script (to load them at boot) or into the start() function; for actions at shutdown, make the corresponding changes in the stop section or the stop() function. Do not forget the restart and condrestart sections either. Once more: if iptables is upgraded from RPM packages or through an automatic network update, you may lose every change made to /etc/rc.d/init.d/iptables. The second way of loading rules is therefore preferable. It consists of the following steps. First enter the rules, from a file or directly with the iptables command, whichever you prefer. Then run iptables-save, redirecting its output to the file the init script reads:

iptables-save > /etc/sysconfig/iptables

As a result the whole rule set is saved in /etc/sysconfig/iptables, which is loaded automatically when the iptables service starts. Another way to save the rule set is the command service iptables save, which does exactly the same thing. Afterwards, at every reboot, the iptables script in rc.d runs iptables-restore to load the rule set from /etc/sysconfig/iptables. Finally, to round off the installation, it is a good idea to remove the old ipchains:

rpm -e ipchains

Traversing of tables and chains

In this chapter we look at how packets traverse the tables and the chains within each table. This will matter a great deal later, when you start building your own rule sets, especially ones that use targets such as DNAT, SNAT and of course TOS.

General

When a packet arrives at our firewall it first hits the network device, is picked up by the corresponding driver and then handed to the kernel. The packet then passes through a series of tables and is finally delivered either to a local application or forwarded to another machine. The order is shown below.

Table 1. Traversal of forwarded packets
As you can see, the packet goes through several steps before it is passed on. At each of them it may be stopped, whether by an iptables chain or by something else, but iptables is what interests us here. Note that there are no chains specific to individual interfaces or anything of the kind. ALL packets that travel through our firewall/router pass through the FORWARD chain. Next we look at the path of a packet destined for a local process/application.

Table 2. For the local application

It is important to remember that this time the packets go through the INPUT chain, not FORWARD. Finally we look at the path of packets generated by local processes.

Table 3. From local processes

So there are three different ways a packet can traverse the firewall; the figure below shows this more clearly. More information about packet traversal can be found in the script rc.test-iptables.txt, which contains a few rules useful for understanding the traversal order.

The Mangle table

As mentioned above, this table is intended mainly for altering packet headers (mangle: to distort, to change; translator's note). In other words, in this table you can set the TOS (Type Of Service) bits and the like.
Only the following targets may be used in this table: TOS, TTL and MARK.

The TOS target sets the bits of the Type of Service field in the packet. This field is used to tell the network how the packet should be handled, i.e. it asks for a preferred kind of routing. Note, however, that very few routers on the Internet actually honour this field. In other words, do not alter this field on packets leaving for the Internet, because a router that does act on it may make a wrong routing decision.

The TTL target sets the value of the packet's TTL (Time To Live) field. It has one nice use: we can set this field to a fixed value to hide our firewall from overly curious Internet Service Providers. Some providers dislike one connection being shared by several computers, so they check the TTL of incoming packets and use it as one criterion for deciding whether one computer or several are behind the connection.

The MARK target sets a special mark on a packet that can later be checked by other iptables rules or by other programs, for example iproute2. With marks we can control packet routing, limit traffic and so on.

The Nat table

This table is used for Network Address Translation (NAT). As mentioned before, only the first packet of a stream passes through the chains of this table; the address translation or masquerading is then applied automatically to all following packets in the stream. The targets characteristic of this table are DNAT, SNAT and MASQUERADE.

DNAT (Destination Network Address Translation) rewrites the destination address in packet headers. In other words, it redirects packets to an address other than the one in the header.

SNAT (Source Network Address Translation) is used to change the source address of packets. With it you can hide the structure of the local network and at the same time share a single external IP address among the computers of the local network for Internet access. In that case the firewall, by means of SNAT, translates addresses automatically in both directions, allowing computers on the local network to connect to servers on the Internet.

Masquerading (MASQUERADE) serves the same purpose as SNAT but, unlike SNAT, puts a heavier load on the system. This is because every time the target is executed the IP address of the interface named in the target is looked up, whereas for SNAT the IP address is given directly. Thanks to this very difference, however, MASQUERADE works with dynamic IP addresses, i.e. when you connect to the Internet over, say, PPP, SLIP or DHCP.

The Filter table

As the name says, this table should hold the rule sets that filter packets. Packets can be passed on or dropped depending on their contents. Of course we can filter packets in other tables too, but this table exists precisely for filtering. Most of the existing targets may be used in it, but a number of the targets discussed earlier in this chapter may only be used in their own tables.

The state machine

This chapter is devoted to the state machine, that is, to how the state of a packet is determined.
After reading it you should have a reasonably clear picture of how the mechanism works. A considerable number of explanatory examples is also given.

Introduction

The state machine is a part of iptables and, strictly speaking, should not be called that, because it is really a connection tracking mechanism. However, a great many people know it as the "state machine", so in this chapter the two names are used as synonyms. The connection tracker was created so that netfilter could know the state of a particular connection, and having it lets you build more reliable rule sets. Within iptables a connection can be in one of four basic states: NEW, ESTABLISHED, RELATED and INVALID; we will look at each of them in more detail later. Packets are handled according to their state with the --state match. The tracker determines the four basic states of every TCP or UDP packet plus some additional characteristics: for TCP and UDP packets these are the source IP address, destination IP address, source port and destination port. In earlier kernels it was possible to turn packet defragmentation on and off. Once connection tracking became part of iptables/netfilter that option went away, because the tracker cannot do its job without defragmentation, so defragmentation is always on and cannot be turned off other than by turning off connection tracking. Tracking takes place in the PREROUTING chain (for packets generated on the firewall itself, in the OUTPUT chain), which means that all the computations related to determining state happen there, before any filter rule sees the packet. When the initial packet of a stream is sent it is given the state NEW; when a reply packet comes back the connection's state changes to ESTABLISHED, and so on.
The conntrack table

Let's briefly look at the tracker's table, which in 2.4 kernels can be read from /proc/net/ip_conntrack. A typical entry:

tcp 6 117 SYN_SENT src=192.168.1.6 dst=192.168.1.9 sport=32775 dport=22 [UNREPLIED] src=192.168.1.9 dst=192.168.1.6 sport=22 dport=32775 use=2

This entry holds everything the tracker knows about the connection. The first thing you see is the protocol name, here tcp, followed by the protocol number in ordinary decimal notation (6 for TCP, as in /etc/protocols). Next comes the "time to live" of the entry, i.e. the number of seconds after which the connection is removed from the table. In our case the entry has 117 seconds left if no further packet passes over this connection; whenever one does, the value is reset to the default for the current state. The number is decremented by 1 every second. Then comes the actual state of the connection, here SYN_SENT; the internal representation of the state differs somewhat from the external one. SYN_SENT says that a single TCP SYN packet has been seen on this connection. Then follow the source and destination addresses and the source and destination ports. The [UNREPLIED] keyword says that no reply traffic has been seen on this connection yet. Finally comes the information about the expected reply packet: its source/destination IP addresses (the same ones, swapped, since a reply is expected) and, likewise, its ports.

Once the reply packet has been received, the tracker clears the [UNREPLIED] flag. An entry that has seen traffic in both directions is additionally marked [ASSURED]; when the table fills up, unassured entries are the ones thrown out first, assured ones are kept.
States

As you have seen, packets can be in several different states inside the kernel, depending on the protocol. Outside the kernel, however, there are only four states, as said above. The state of a packet is used mainly in the --state match, whose allowed values are NEW, ESTABLISHED, RELATED and INVALID. The table below describes each of them.

Table 1. The states

These four states can be used in the --state match. The state machine lets you build extremely powerful and effective protection. Previously we had to open all ports above 1024 to let return traffic back into the local network; now, with the state machine, that is no longer necessary, because we can "open" access only to return (reply) traffic.

TCP connections

In this and the following sections we look more closely at the state indicators and how they are handled for each of the three basic protocols, TCP, UDP and ICMP, and also touch on the case where the protocol cannot be classified as one of those three. We start with TCP, because it has many very interesting properties with respect to the state machine in iptables. A TCP connection is always established by exchanging three packets which initialise and set up the connection over which data will then be transferred. The session starts with a SYN packet, which is answered by a SYN/ACK packet, and an ACK packet confirms that the connection is established. After that the connection is considered established and ready to carry data. You may ask: "but how is the connection tracked?" It is actually fairly simple: for all kinds of connection the tracking works much the same way. Look at the figure below, which shows all stages of setting up the connection. As you can see, from the user's point of view the tracker does not really follow the handshake. As soon as it sees the first (SYN) packet it classes it as NEW; as soon as the second packet (SYN/ACK) passes, the connection is classed ESTABLISHED. Why the second packet? Let's see.
When building your rule set you can let packets with state NEW and ESTABLISHED leave the local network, and in the incoming traffic let through only packets with state ESTABLISHED, and everything works fine. Conversely, if the tracker kept treating the connection as NEW, you could never set up a connection with the "outside world", or you would have to let NEW packets into the local network. From the user's point of view it all looks simple enough, but from the kernel's point of view it is a little more complicated. Let's look at how the connection's state changes in the conntrack table.
tcp 6 117 SYN_SENT src=192.168.1.5 dst=192.168.1.35 sport=1031 dport=23 [UNREPLIED] src=192.168.1.35 dst=192.168.1.5 sport=23 dport=1031 use=1

As you can see, the entry reflects the exact state of the connection: a SYN packet has been seen (state SYN_SENT) and it has not been answered yet ([UNREPLIED] flag). Once the reply packet arrives, the connection moves to the next internal state:

tcp 6 57 SYN_RECV src=192.168.1.5 dst=192.168.1.35 sport=1031 dport=23 src=192.168.1.35 dst=192.168.1.5 sport=23 dport=1031 use=1

That is, the entry says that a SYN/ACK packet has come back. This time the connection is in the SYN_RECV state and the [UNREPLIED] flag is gone. When the final ACK of the handshake has passed, the entry becomes:

tcp 6 431999 ESTABLISHED src=192.168.1.5 dst=192.168.1.35 sport=1031 dport=23 src=192.168.1.35 dst=192.168.1.5 sport=23 dport=1031 use=1

and the connection moves to the ESTABLISHED state. Note the much longer timeout (431999 seconds remaining, from a default of 5 days): an established connection may legitimately stay idle for a long time.

When a TCP connection is closed it goes through the following states. As the figure shows, the connection is not closed until the last ACK packet has been sent. Note that this picture describes the normal way of closing a connection. In addition, if a connection is refused it can be closed by sending an RST (reset) packet, in which case the connection is closed after a predefined time. On a normal close the connection is put into the TIME_WAIT state.

If the connection is closed by an RST packet, it is put into the CLOSE state.

Table 2. Internal states
These values may differ somewhat from one kernel version to another; in addition, they can be changed through the /proc filesystem interface (the variables under /proc/sys).
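To make the transitions above concrete, here is an added example in Python; it is not the tutorial's code and not the kernel's implementation. A toy connection tracker replays the page's telnet handshake (192.168.1.5:1031 to 192.168.1.35:23) through SYN_SENT, SYN_RECV and ESTABLISHED, reports the value the --state match would see for each packet, and applies the policy described above (NEW and ESTABLISHED allowed out, only ESTABLISHED allowed in). The timeouts of 2 minutes, 60 seconds and 5 days follow from the remaining times shown in the page's entries; the other timeouts, the simplified close sequence, and the unsolicited inbound SYN to port 22 are assumptions of this example.

```python
"""Toy model of how netfilter tracks a TCP connection and what the iptables
--state match sees for each packet. Constructed example for this page; not
the tutorial's code and not the kernel's implementation."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Internal states as printed in /proc/net/ip_conntrack with default timeouts
# in seconds. 120 s, 60 s and 5 days follow from the remaining times on the
# page (117, 57, 431999); the rest are 2.4 defaults as recalled (assumption).
TIMEOUTS = {
    "SYN_SENT": 120, "SYN_RECV": 60, "ESTABLISHED": 5 * 24 * 3600,
    "FIN_WAIT": 120, "LAST_ACK": 30, "TIME_WAIT": 120, "CLOSE": 10,
}

Key = Tuple[str, int, str, int]  # (src, sport, dst, dport) of the opening SYN


@dataclass
class Entry:
    state: str
    timeout: int
    replied: bool = False  # False is printed as [UNREPLIED]
    assured: bool = False  # True is printed as [ASSURED]


class TcpTracker:
    """Simplified tracker: handshake, orderly close and reset only."""

    def __init__(self) -> None:
        self.table: Dict[Key, Entry] = {}

    def lookup(self, src: str, sport: int, dst: str, dport: int) -> Optional[Entry]:
        return self.table.get((src, sport, dst, dport)) or self.table.get((dst, dport, src, sport))

    def packet(self, src: str, sport: int, dst: str, dport: int, *flags: str) -> str:
        """Process one segment and return the --state value it would match."""
        f = frozenset(flags)
        orig: Key = (src, sport, dst, dport)
        back: Key = (dst, dport, src, sport)
        if orig in self.table:
            entry, is_reply = self.table[orig], False
        elif back in self.table:
            entry, is_reply = self.table[back], True
        else:
            # Only a bare SYN may create an entry; anything else that belongs
            # to no tracked connection is INVALID.
            if f != {"SYN"}:
                return "INVALID"
            self.table[orig] = Entry("SYN_SENT", TIMEOUTS["SYN_SENT"])
            return "NEW"

        if "RST" in f:
            entry.state = "CLOSE"
        elif entry.state == "SYN_SENT" and is_reply and f == {"SYN", "ACK"}:
            entry.state = "SYN_RECV"      # the SYN/ACK came back ...
            entry.replied = True          # ... so [UNREPLIED] disappears
        elif entry.state == "SYN_RECV" and not is_reply and f == {"ACK"}:
            entry.state = "ESTABLISHED"   # third packet of the handshake
            entry.assured = True
        elif entry.state == "ESTABLISHED" and "FIN" in f:
            entry.state = "FIN_WAIT"
        elif entry.state == "FIN_WAIT" and "FIN" in f:
            entry.state = "LAST_ACK"
        elif entry.state == "LAST_ACK" and f == {"ACK"}:
            entry.state = "TIME_WAIT"     # last ACK of the close
        entry.timeout = TIMEOUTS[entry.state]  # every packet restarts the timer

        # Packets from the originator are NEW until a reply has been seen;
        # afterwards every packet of the connection is ESTABLISHED for the
        # --state match, whatever the internal state is.
        if not is_reply and not entry.replied:
            return "NEW"
        return "ESTABLISHED"


def stateful_policy(direction: str, ct_state: str) -> str:
    """The rule set the text describes: the LAN may open (NEW) and continue
    (ESTABLISHED) connections; from the Internet only ESTABLISHED gets in."""
    allowed = {"out": ("NEW", "ESTABLISHED"), "in": ("ESTABLISHED",)}
    return "ACCEPT" if ct_state in allowed[direction] else "DROP"


def demo() -> List[Tuple[str, str, str, str, str]]:
    """Replay the page's telnet handshake, then an unsolicited inbound SYN
    (constructed); one row (flags, direction, --state, internal, verdict)."""
    ct = TcpTracker()
    lan, srv = "192.168.1.5", "192.168.1.35"
    log: List[Tuple[str, str, str, str, str]] = []

    def step(direction: str, src: str, sport: int, dst: str, dport: int, *flags: str) -> None:
        st = ct.packet(src, sport, dst, dport, *flags)
        entry = ct.lookup(src, sport, dst, dport)
        log.append(("/".join(flags), direction, st, entry.state if entry else "-",
                    stateful_policy(direction, st)))

    step("out", lan, 1031, srv, 23, "SYN")         # NEW,         SYN_SENT
    step("in", srv, 23, lan, 1031, "SYN", "ACK")   # ESTABLISHED, SYN_RECV
    step("out", lan, 1031, srv, 23, "ACK")         # ESTABLISHED, ESTABLISHED
    # A connection attempt from outside is NEW, so the inbound rule drops it.
    # (The real kernel never confirms the entry of a dropped packet; this toy
    # simply leaves it in the table.)
    step("in", srv, 4000, lan, 22, "SYN")          # NEW,         SYN_SENT
    return log


if __name__ == "__main__":
    for row in demo():
        print(*row)
```

The third column of each row is what -m state --state would see in the FORWARD chain, the fourth is the state column of /proc/net/ip_conntrack. The model deliberately omits sequence-window checks, RELATED connections (FTP data channels, ICMP errors) and the eviction of unassured entries when the table fills.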
UDP áÞÕÔØÝÕÝØï¿Þ áãâØ áÒÞÕÙ, UDP áÞÕÔØÝÕÝØï ÝÕ ØÜÕîâ ßàØ×ÝÐÚÐ áÞáâÞïÝØï. ÍâÞÜã ØÜÕÕâáï ÝÕáÚÞÛìÚÞ ßàØçØÝ, ÞáÝÞÒÝÐï Ø× ÝØå áÞáâÞØâ Ò âÞÜ, çâÞ íâÞâ ßàÞâÞÚÞÛ ÝÕ ßàÕÔãáÜÐâàØÒÐÕâ ãáâÐÝÞÒÛÕÝØï Ø ×ÐÚàëâØï áÞÕÔØÝÕÝØï, ÝÞ áÐÜëÙ ÑÞÛìèÞÙ ÝÕÔÞáâÐâÞÚ - ÞâáãâáâÒØÕ ØÝäÞàÜÐæØØ ÞÑ ÞçÕàÕÔÝÞáâØ ßÞáâãßÛÕÝØï ßÐÚÕâÞÒ. ¿àØÝïÒ ÔÒÕ UDP ÔÐâÐÓàÐÜÜë, ÝÕÒÞ×ÜÞÖÝÞ ã×ÝÐâì âÞçÝÞ Ò ÚÐÚÞÜ ßÞàïÔÚÕ ÞÝØ ÑëÛØ ÞâßàÐÒÛÕÝë. ¾ÔÝÐÚÞ, ÔÐÖÕ Ò íâÞÙ áØâãÐæØØ ÕéÕ ÒÞ×ÜÞÖÝÞ ÞßàÕÔÕÛØâì áÞáâÞïÝØÕ áÞÕÔØÝÕÝØï. ½ØÖÕ ßàØÒÞÔØâáï àØáãÝÞÚ âÞÓÞ, ÚÐÚ ÒëÓÛïÔØâ ãáâÐÝÞÒÛÕÝØÕ áÞÕÔØÝÕÝØï á âÞçÚØ ×àÕÝØï âàÐááØàÞÒéØÚÐ. ºÐÚ ÒØÔØâÕ, áÞáâÞïÝØÕ UDP áÞÕÔØÝÕÝØï ÞßàÕÔÕÛïÕâáï ßÞçâØ âÐÚ ÖÕ ÚÐÚ Ø áÞáâÞïÝØÕ TCP áÞÕÔØÝÕÝØï, á âÞçÚØ ×àÕÝØï Ø× ßÞÛì×ÞÒÐâÕÛìáÚÞÓÞ ßàÞáâàÐÝáâÒÐ. ¸×ÝãâàØ ÖÕ íâÞ ÒëÓÛïÔØâ ÝÕáÚÞÛìÚÞ ØÝÐçÕ, åÞâï Ø ÒÞ ÜÝÞÓÞÜ ßÞåÞÖÕ. ´Ûï ÝÐçÐÛÐ ßÞáÜÞâàØÜ ÝÐ ×Ðߨáì, ßÞïÒØÒèãîáï ßÞáÛÕ ßÕàÕÔÐçØ ßÕàÒÞÓÞ ßÐÚÕâÐ UDP. udp 17 20 src=192.168.1.2 dst=192.168.1.5 sport=137 dport=1025 [UNREPLIED] src=192.168.1.5 dst=192.168.1.2 sport=1025 dport=137 use=1 ¿ÕàÒÞÕ, çâÞ Üë ÒØÔØÜ - íâÞ ÝÐ×ÒÐÝØÕ ßàÞâÞÚÞÛÐ (udp) Ø ÕÓÞ ÝÞÜÕà (áÜ. /etc/protocols ßàØÜ. ßÕàÕÒ.). ÂàÕâìÕ ×ÝÐçÕÝØÕ - ÞáâÐÒèÕÕáï "ÒàÕÜï ÖØ×ÝØ" ×ÐßØáØ Ò áÕÚãÝÔÐå. ´ÐÛÕÕ áÛÕÔãîâ åÐàÐÚâÕàØáâØÚØ ßÐÚÕâÐ, ßàÞèÕÔèÕÓÞ çÕàÕ× ÑàÐÝÔÜÐãíà - íâÞ ÐÔàÕáÐ Ø ßÞàâë ÞâßàÐÒØâÕÛï Ø ßÞÛãçÐâÕÛï. ·ÔÕáì ÖÕ ÒØÔÝÞ, çâÞ íâÞ ßÕàÒëÙ ßÐÚÕâ Ò áÕááØØ (äÛÐÓ [UNREPLIED]). ¸ ×ÐÒÕàèÐîâ ×Ðߨáì ÐÔàÕáÐ Ø ßÞàâë ÞâßàÐÒØâÕÛï Ø ßÞÛãçÐâÕÛï ÞÖØÔÐÕÜÞÓÞ ßÐÚÕâÐ. ÂÐÙÜÐãâ âÐÚÞÙ ×ÐßØáØ ßÞ ãÜÞÛçÐÝØî áÞáâÐÒÛïÕâ 30 áÕÚãÝÔ. udp 17 170 src=192.168.1.2 dst=192.168.1.5 sport=137 dport=1025 src=192.168.1.5 dst=192.168.1.2 sport=1025 dport=137 use=1 ¿ÞáÛÕ âÞÓÞ ÚÐÚ áÕàÒÕà "ãÒØÔÕÛ" ÞâÒÕâ ÝÐ ßÕàÒëÙ ßÐÚÕâ, áÞÕÔØÝÕÝØÕ áçØâÐÕâáï ESTABLISHED (ãáâÐÝÞÒÛÕÝÝëÜ), ÞÔÝÐÚÞ ÕÔØÝáâÒÕÝÝÞÕ ÞâÛØçØÕ Þâ ßàÕÔëÔãéÕÙ ×ÐßØáØ áÞáâÞØâ Ò ÞâáãâáâÒØØ äÛÐÓÐ [UNRREPLIED] Ø, ÚàÞÜÕ âÞÓÞ, âÐÙÜÐãâ ÔÛï ×ÐßØáØ áâÐÛ àÐÒÝëÜ 180 áÕÚãÝÔÐÜ. ¿ÞáÛÕ íâÞÓÞ ÜÞÖÕâ âÞÛìÚÞ ÔÞÑÐÒØâìáï äÛÐÓ [ASSURED] (ãÒÕàÕÝÝÞÕ áÞÕÔØÝÕÝØÕ), ÚÞâÞàëÙ ÑëÛ ÞߨáÐÝ ÒëèÕ. 
The [ASSURED] flag is set only after a certain number of packets have passed through the connection.

udp 17 175 src=192.168.1.5 dst=195.22.79.2 sport=1025 dport=53 src=195.22.79.2 dst=192.168.1.5 sport=53 dport=1025 [ASSURED] use=1

The connection has now become "assured". The table entry looks practically the same as in the previous example, except for the [ASSURED] flag. If not a single packet passes through the connection within 180 seconds, the entry is removed from the table. This is a fairly short interval, but it is quite sufficient for most applications. The "lifetime" is counted from the moment the last packet passed, and when a new one appears the time is reset to its initial value.

ICMP connections

ICMP packets are used only to carry control messages and do not form a persistent connection. However, there are 4 types of ICMP packets that provoke a reply, and so they can have two states: NEW and ESTABLISHED. These are ICMP Echo Request/Echo Reply, ICMP Timestamp Request/Timestamp Reply, ICMP Information Request/Information Reply and ICMP Address Mask Request/Address Mask Reply. Of these, ICMP Timestamp Request/Timestamp Reply and ICMP Information Request/Information Reply are considered obsolete and so, in most cases, can be safely dropped (DROP). Look at the figure below. As can be seen from this figure, the server sends an Echo Request to the client, and this request is recognised by the firewall as NEW. The client answers this request with an Echo Reply packet, and now the packet is recognised as having the state ESTABLISHED. After the first packet (Echo Request) has passed through

icmp 1 25 src=192.168.1.6 dst=192.168.1.10 type=8 code=0 id=33029 [UNREPLIED] src=192.168.1.10 dst=192.168.1.6 type=0 code=0 id=33029 use=1

This entry differs somewhat from those of the TCP and UDP protocols, although the protocol name, the timeout and the sender and receiver addresses are present in exactly the same way; but then three new fields appear:
The next field is the [UNREPLIED] flag, which we have met before. It means that the first packet of the connection has arrived. The entry ends with the characteristics of the expected reply packet. These include the source and destination addresses. As for the type and code of the ICMP packet, they correspond to the correct values for the expected ICMP Echo Reply packet. The identifier of the reply packet is the same as in the request packet. The reply packet is then recognised as ESTABLISHED. However, we know that after the reply has been sent nothing more is expected over this connection, so once the reply has passed through netfilter the entry in the connection tracking table is destroyed. In any case the request is treated as NEW and the reply as ESTABLISHED. Note that the reply packet must match in its characteristics (source and destination addresses, type, code and identifier) those recorded in the connection tracking table entry. ICMP requests have a default timeout of 30 seconds.
In most cases this time is quite sufficient.
The timeout can be changed in
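An added example, not from the tutorial, that reads conntrack entries of the form shown in the UDP and ICMP sections above and reports the state they represent; the sample entries are constructed copies of the ones shown above and the helper names are my own.

```shell
#!/bin/sh
# Added example (not from the tutorial): classify conntrack table entries of
# the form shown above (the 2.4 kernel's /proc/net/ip_conntrack format) into
# the state the state match would report for the next packet of that flow.

# Constructed sample entries, copied from the ones discussed above.
CT_UDP_NEW='udp 17 20 src=192.168.1.2 dst=192.168.1.5 sport=137 dport=1025 [UNREPLIED] src=192.168.1.5 dst=192.168.1.2 sport=1025 dport=137 use=1'
CT_UDP_EST='udp 17 170 src=192.168.1.2 dst=192.168.1.5 sport=137 dport=1025 src=192.168.1.5 dst=192.168.1.2 sport=1025 dport=137 use=1'
CT_UDP_ASSURED='udp 17 175 src=192.168.1.5 dst=195.22.79.2 sport=1025 dport=53 src=195.22.79.2 dst=192.168.1.5 sport=53 dport=1025 [ASSURED] use=1'
CT_ICMP_NEW='icmp 1 25 src=192.168.1.6 dst=192.168.1.10 type=8 code=0 id=33029 [UNREPLIED] src=192.168.1.10 dst=192.168.1.6 type=0 code=0 id=33029 use=1'

# ct_field LINE NAME N: value of the N-th "NAME=value" token on LINE.
# N=1 is the original direction, N=2 the reply the tracker expects.
ct_field() {
    printf '%s\n' "$1" | awk -v name="$2" -v want="$3" '{
        seen = 0
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == name && ++seen == want + 0) { print kv[2]; exit }
        }
    }'
}

# ct_state LINE: NEW while the entry still carries [UNREPLIED]; otherwise
# ESTABLISHED, with ",ASSURED" once the tracker has seen enough traffic in
# both directions to set [ASSURED] (when the table fills, unassured entries
# are evicted first).
ct_state() {
    case "$1" in
        *"[UNREPLIED]"*) echo NEW ;;
        *"[ASSURED]"*)   echo ESTABLISHED,ASSURED ;;
        *)               echo ESTABLISHED ;;
    esac
}

# ct_timeout LINE: seconds left before the entry is purged (third column).
ct_timeout() {
    printf '%s\n' "$1" | awk '{ print $3 }'
}

# ct_reply_matches LINE SRC DST: true if a packet from SRC to DST is the
# reply the entry is waiting for, i.e. the packet that turns NEW into
# ESTABLISHED. (For ICMP the type, code and id must match as well; only
# the address check is shown here.)
ct_reply_matches() {
    [ "$(ct_field "$1" src 2)" = "$2" ] && [ "$(ct_field "$1" dst 2)" = "$3" ]
}

# ct_summary LINE: "proto state timeout orig-src>orig-dst"
ct_summary() {
    proto=$(printf '%s\n' "$1" | awk '{ print $1 }')
    printf '%s %s %ss %s>%s\n' "$proto" "$(ct_state "$1")" "$(ct_timeout "$1")" \
        "$(ct_field "$1" src 1)" "$(ct_field "$1" dst 1)"
}

# Demonstration over the constructed entries.
for line in "$CT_UDP_NEW" "$CT_UDP_EST" "$CT_UDP_ASSURED" "$CT_ICMP_NEW"; do
    ct_summary "$line"
done
```

On a live 2.4 system the same functions can be fed with `while read -r line; do ct_summary "$line"; done < /proc/net/ip_conntrack`.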
A significant part of ICMP is used to carry messages about what is happening to some UDP or TCP connection. For that reason such packets are very often recognised as RELATED to an existing connection. A simple example is the messages
In this example a connection request (a SYN packet) is sent to some host. It acquires the state NEW on the firewall. However, at that moment the network turns out to be unreachable, so the router returns the packet
The same happens with UDP connections if similar problems are encountered. All ICMP messages sent in reply to a UDP connection are treated as RELATED. Look at the next figure. A UDP datagram is sent to the server. The connection is assigned the state NEW. However, access to the network is denied (by a firewall or a router), so what comes back is the message

Default behaviour

In some cases the state mechanism cannot recognise the protocol being exchanged and, accordingly, cannot choose a strategy for handling that connection. In that case it falls back to the default behaviour. The default behaviour is used, for example, when handling the NETBLT, MUX and EGP protocols. The default behaviour is in many ways similar to the tracking of UDP connections. The first packet is assigned the state NEW, and all subsequent ones the state ESTABLISHED. When the default behaviour is used, the same timeout value is used for all packets, and it can be changed in
Tracking of complex protocols

There are a number of complex protocols whose correct tracking is harder. Examples are the ICQ, IRC and FTP protocols. Each of these protocols carries additional information about the connection in the data area of the packet. Accordingly, correct tracking of such connections requires additional helper modules to be attached. As a first example, let us consider the FTP protocol. FTP first opens a single connection called the "FTP control session". When commands are executed within this session, additional ports are opened to transfer the accompanying data. These connections can be active or passive. When an active connection is created, the client sends the FTP server a port number and IP address for the connection. The client then opens the port, the server connects its own port number 20 (known as FTP-Data) to the given client port and transfers the data over the established connection. The problem is that the firewall knows nothing about these additional connections, because all the information about them is carried in the data area of the packet. Because of this the firewall will not let the server connect to the specified client port. The solution is to add a special connection tracking helper module which watches for the protocol-specific information in the data area of the packets sent within the control session. When such a connection is created, the helper module correctly interprets the transmitted information and creates the corresponding entry in the connection tracking table with the state RELATED, thanks to which the connection is established. The figure below explains the sequence of such a connection. Passive FTP works the opposite way. The client sends the server a request to receive data, and the server returns to the client an IP address and port number to connect to.
The client connects its port 20 (FTP-data) to the specified server port and receives the requested data. If your FTP server is behind a firewall, you will need this helper module so that the server can serve clients from the Internet. The same applies when you want to restrict your users to connecting only to HTTP and FTP servers on the Internet and close all other ports. The figure below shows how a passive FTP connection is made. Some helper modules are already included in the kernel. To be more precise, the kernel includes helper modules for the FTP and IRC protocols. If you do not have the helper module you need at your disposal, you should turn to patch-o-matic, which contains a large number of helper modules for tracking protocols such as ntalk or H.323. If you have not found what you need there either, you still have options: you can turn to the iptables CVS if the helper module you are looking for has not yet been included in patch-o-matic, or you can contact the netfilter developers and ask whether such a module exists and whether it is planned for release. If you have failed there too, you should probably read Rusty Russell's Unreliable Netfilter Hacking HOWTO. Helper modules can be compiled either as loadable kernel modules or statically. If they are compiled as modules, you can load them with the command modprobe ip_conntrack_*
Note that the state mechanism has nothing to do with network address translation (NAT), so you may need more additional modules if you perform such translation. Suppose you perform address translation and tracking of FTP connections; then you also need the corresponding NAT helper module. The names of the NAT helper modules begin with
How to build rules

This chapter discusses how to build your own rules for iptables. Each line you insert into a given chain must contain a separate rule. We will also discuss the basic matches and targets and how to create your own rule chains.

Basics

As was said above, each rule is a line containing the criteria that determine whether a packet matches the rule, and the action that must be taken if the criteria are met. In general, rules are written roughly like this:

iptables [-t table] command [match] [target/jump]

Nowhere is it stated that the target/jump must come last on the line; we will, however, stick to this notation for readability. If the [-t table] specifier is not included in the rule, the filter table is assumed by default; if another table is intended, it must be specified explicitly. The table specifier can also be given anywhere on the rule line, but it is more or less standard to put the table at the beginning of the rule. Next, immediately after the table name, comes the command. If there is no table specifier, the command must always come first. The command determines what iptables does, for example: insert a rule, append a rule to the end of a chain, delete a rule and so on. The matches section sets the criteria by which it is determined whether the packet is subject to this rule's target or not. Here we can specify the most varied criteria: the source IP address of the packet or of a network, the network interface and so on. There are many matches, which we will look at in this chapter. Finally, the target specifies what action is to be taken when the criteria in the rule are met. Here we can make the kernel pass the packet to another chain of rules, "drop" the packet and forget about it, send an error message to the source, and so on.

Tables

The -t option specifies the table to use. By default the filter table is used. The following options are used with the -t key.

Table 1. Tables
We looked above at the main differences between the three available tables. Each of them must be used only for its own purpose, and you must understand this. Misuse of the tables can weaken the protection of the firewall and of the network behind it. Later, in the chapter "Traversal order of tables and chains", we will dwell on this in more detail.

Commands

Below is the list of commands and the rules for their use. With the commands we tell iptables what we intend to do. Usually one of two actions is intended: adding a new rule to a chain or deleting an existing rule from a given table. The commands used in iptables are given below.

Table 2. Commands
The command must always be specified. The list of available commands can be viewed with the command iptables -h or, which is the same thing, iptables --help. Some commands can be used together with additional options. Below is a list of the additional options with a description of what they do. Note that the additional options used when building matches or targets are not given here. We will discuss those options later.

Table 3. Options
Matches

Here we will dwell in more detail on the criteria for selecting packets. I have divided all the matches into five groups. The first is the generic matches, which can be used in any rule. The second is the TCP matches, which apply only to TCP packets. The third is the UDP matches, which apply only to UDP packets. The fourth is the ICMP matches, for working with ICMP packets. And finally the fifth is the special matches, such as state, owner, limit and so on.

Generic matches

Here we will look at the generic matches. Generic matches may be used in any rule; they do not depend on the protocol type and do not require extension modules to be loaded. I have added the --protocol match to this group even though it is used in some protocol-specific extensions. For example, if we decide to use a TCP match, we will also need to use the --protocol match, which takes the protocol name, TCP, as its additional argument. However, --protocol is itself a match, used to specify the protocol type.

Table 4. Generic matches
Implicit matches

In this section we will look at the implicit matches, more precisely those matches that are loaded implicitly and become available, for example, when the --protocol match is specified. At present there are three automatically loaded extensions: the TCP matches, the UDP matches and the ICMP matches (when building my own rules I ran into the need to load these extensions explicitly, i.e. the extensions were not loaded automatically. Translator's note). These extensions can also be loaded explicitly with the -m or --match option, for example -m tcp.

TCP matches

This extension depends on the protocol type and works only with TCP packets. To use these additional matches you need to specify the protocol type --protocol tcp in the rules. Important: the --protocol tcp match must come before the specific match. These extensions are loaded automatically for the tcp protocol as well as for the udp and icmp protocols. (I already mentioned implicit loading of extensions above. Translator's note.)

Table 5. TCP matches
UDP matches

This section covers the matches specific only to the UDP protocol. These extensions are loaded automatically when the protocol type --protocol UDP is specified. It is important to note that UDP packets are not connection-oriented and therefore do not have the various flags that make it possible to judge the purpose of a datagram. Receipt of UDP packets does not require any acknowledgement from the receiver. If they are lost, they are simply lost (without triggering an ICMP error message). This implies a significantly smaller number of additional matches than for TCP packets. Important: a good firewall must handle packets of any type, UDP or ICMP, which are considered connectionless, as well as it handles TCP packets. We will talk about this later, in the following chapters.

Table 6. UDP matches
ICMP matches

This protocol is used, as a rule, to carry error messages and for connection control. It is not subordinate to the IP protocol but interacts closely with it, since it helps handle error situations. ICMP packet headers are very similar to IP headers but also have differences. The main property of this protocol is the type in the header, which carries information about what the packet is. For example, when we try to connect to an unreachable host, we receive an ICMP host unreachable message in reply. The full list of ICMP message types can be found in the ICMP types appendix. There is only one match specific to ICMP packets. This extension is loaded automatically when we specify the --protocol ICMP match. Note that the generic matches can also be used to check ICMP packets, since the source address, destination address and so on are known.

Table 7. ICMP matches
Explicit matches

Before these extensions can be used they must be loaded explicitly with the -m or --match option. So, for example, if we intend to use the state matches, we must state this explicitly on the rule line: -m state to the left of the match being used. Some of these matches are still under development and so may not always work; in most cases, however, they work quite reliably. The only difference between explicit and implicit matches is that the former must be loaded explicitly and the latter are loaded automatically.

MAC match

Table 8. MAC matches
The MAC match is used to check the source MAC address of a packet. The -m mac module currently provides a single match, but it may be extended in future and become more useful.
The limit match

Must be loaded explicitly with the -m limit option. It is excellent for rules that write to the system log (logging) and the like. By adding this match we set the maximum number of packets per unit of time that the rule is able to pass. The ! symbol can be used for inversion, for example -m ! limit. In that case it is implied that packets will pass the rule only after the limit has been exceeded.

Table 9. The limit match
Translator's note: for a very long time my understanding of the limit match stayed at an intuitive level, until Vladimir Kholmanov (I take off my hat in the deepest bow) explained its essence to me simply and clearly. I will try to convey his explanation:
A principle that is easily implemented in C and widely used in many rate-limiting algorithms.

The multiport extension

The multiport extension makes it possible to specify several ports and port ranges in the text of a rule.
Table 10. The multiport extension
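The token-bucket principle behind the limit match described above, as an added shell simulation that is not part of the tutorial or of the translator's explanation; it assumes the limit match's real --limit (average rate) and --limit-burst (bucket size) parameters and uses constructed timestamps.

```shell
#!/bin/sh
# Added example (not from the tutorial): a token-bucket simulation of the
# limit match. --limit is the average rate at which tokens are refilled and
# --limit-burst is the bucket size; each matching packet consumes one token
# and a packet that finds the bucket empty does not match. Times are integer
# seconds and the rate is given per minute, so one token is earned every
# 60/RATE seconds (use rates that divide 60 evenly).

# limit_decide RATE BURST [INVERT] < timestamps
# Reads one event timestamp (seconds) per line and prints, per event,
# "T ACCEPT" or "T DROP". With INVERT=1 the decision is flipped, which is
# what the inverted limit match does: only packets beyond the limit match.
limit_decide() {
    rate=$1; burst=$2; invert=${3:-0}
    interval=$((60 / rate))          # seconds needed to earn one token
    capacity=$((burst * interval))   # a full bucket, expressed in seconds
    credit=$capacity                 # the bucket starts full
    last=''
    while read -r t; do
        [ -z "$t" ] && continue
        # refill: add the elapsed seconds, capped at the bucket capacity
        if [ -n "$last" ]; then
            credit=$((credit + t - last))
            [ "$credit" -gt "$capacity" ] && credit=$capacity
        fi
        last=$t
        if [ "$credit" -ge "$interval" ]; then
            credit=$((credit - interval)); matched=1   # spend one token
        else
            matched=0                                  # bucket empty
        fi
        [ "$invert" -eq 1 ] && matched=$((1 - matched))
        if [ "$matched" -eq 1 ]; then echo "$t ACCEPT"; else echo "$t DROP"; fi
    done
}

# count_accepted RATE BURST [INVERT] < timestamps: how many events passed
count_accepted() {
    limit_decide "$@" | grep -c ACCEPT
}

# Constructed burst of 8 packets within 6 seconds, then two stragglers.
SAMPLE_TIMES='0
1
2
3
4
5
5
6
40
65'

# Demonstration: 3/minute with a burst of 5 lets the first five through,
# drops the rest of the burst, and has earned tokens again by t=40.
printf '%s\n' "$SAMPLE_TIMES" | limit_decide 3 5 0
```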
The mark extension

The mark extension makes it possible to "mark" packets in a special way. Mark is a special field that exists only in kernel memory and is associated with a specific packet. It can be used for the most varied purposes, for example traffic shaping and filtering. At present there is only one way to set a mark on a packet in Linux: using the MARK target. The mark field is an unsigned integer in the range from 0 to 4294967296 on 32-bit systems.

Table 11. The mark extension
The owner extension

The owner extension is intended to check the "owner" of a packet. Originally this extension was written as an example demonstrating the capabilities of iptables. This match may only be used in the OUTPUT chain. This restriction is imposed because at present there is no real mechanism for passing "owner" information across the network. In fairness it should be noted that for some packets the "owner" cannot be determined in this chain. Various ICMP responses belong to this kind of packet. Therefore this match should not be applied to ICMP response packets.

Table 12. The owner extension
The state match

The state match is used together with the connection tracking code and lets us obtain the connection tracking state of a connection, which makes it possible to judge the state of the connection, even for protocols such as ICMP and UDP. This extension must be loaded explicitly with the -m state option. The state mechanism is discussed in more detail in the section "The state mechanism".

Table 13. The state matches
The "garbage" match (Unclean match)

The unclean match has no additional options; to use it, it is enough to load the module explicitly. Be careful: this module is still under development and so may work incorrectly in some situations. This check is made to single out packets that deviate from the accepted standards; these may be packets with a damaged header or an incorrect checksum and so on, but using this check may also break a perfectly correct connection.

The TOS match

The TOS match is intended to check the bits of the TOS field. TOS, Type Of Service, is an 8-bit field in the IP packet header. The module must be loaded explicitly with the -m tos option. Translator's note: the description of the TOS field given below is not taken from the original, since I find the original description somewhat vague.

Table 14. The TOS match
The TTL match

TTL (Time To Live) is a numeric field in the IP header. As the packet passes each successive router this number is decremented by 1. If the number reaches zero, the sender of the packet is sent an ICMP message of type 11 with code 0 (TTL equals 0 during transit) or code 1 (TTL equals 0 during reassembly). To use this match the module must be loaded explicitly with the -m ttl option. Translator's note: once again a discrepancy between the original text and reality has turned up, at least for iptables 1.2.6a, which is the version actually under discussion: there are three different matches on the TTL field, namely -m ttl --ttl-eq number, -m ttl --ttl-lt number and -m ttl --ttl-gt number. The purpose of these matches is clear from their syntax.

Table 15. The TTL match
Targets and jumps

Targets and jumps tell the rule what must be done if the packet matches the given criteria. The most commonly used targets are ACCEPT and DROP. First, however, let us briefly look at the notion of jumps. A jump is written in a rule in exactly the same way as a target, i.e. the -j option is given followed by the name of the rule chain to jump to. A number of restrictions apply to jumps: first, the chain being jumped to must be in the same table as the chain the jump is made from; second, the chain that is the jump target must be created before jumps are made to it. For example, let us create the chain tcp_packets in the filter table with the command iptables -N tcp_packets. Now we can jump to this chain with something like iptables -A INPUT -p tcp -j tcp_packets. That is, on meeting a tcp packet, iptables jumps to the tcp_packets chain and the packet continues through that chain. If the packet reaches the end of the chain, it is returned to the calling chain (in our case the INPUT chain) and continues from the rule following the one that made the jump. If the ACCEPT target is applied to the packet in the nested chain, the packet is automatically considered accepted in the calling chain too and no longer continues through the calling chains. However, the packet will still go through the other chains in the other tables. More information about the traversal order of chains and tables can be found in the chapter "Traversal order of tables and chains". A target is a predefined command describing the action to be taken if the packet matched the given criteria. For example, the DROP or ACCEPT target can be applied to the packet, depending on our needs. There are a number of other targets, which are described below in this section.
As a result of some targets the packet stops its traversal of the chain, for example DROP and ACCEPT; as a result of others it continues to be checked after certain operations have been performed, for example LOG; as a result of a third kind it is even modified, for example DNAT and SNAT, TTL and TOS, but it likewise continues through the chain.

The ACCEPT target

This operation has no additional options. If the ACCEPT target is applied to a packet, the packet stops traversing the chain (and all calling chains, if the current chain was nested) and is considered ACCEPTED (that is, let through); nevertheless the packet continues through the chains in the other tables and may be rejected there. The target is specified with the -j ACCEPT option.

The DROP target

This target simply "drops" the packet and iptables "forgets" about its existence. "Dropped" packets stop their traversal completely, i.e. they are not passed on to the other tables, as happens with the ACCEPT target. Remember that this target can have negative consequences, since it can leave unclosed "dead" sockets both on the server side and on the client side; the best protection is to use the REJECT target, especially when protecting against port scans.

The QUEUE target

The QUEUE target queues the packet for processing by a user-space process. It can be used for accounting, proxying or additional packet filtering. Translator's note: the author goes on at length about how discussion of this subject is far beyond the scope of this document and so on, so, without further ado, I give here an excerpt from the Linux 2.4 Packet Filtering HOWTO as translated by Evgeny Danilchenko aka virii5, eugene@kriljon.ru: "...For this target to be useful, two more components are needed:
# modprobe iptable_filter
# modprobe ip_queue
# iptables -A OUTPUT -p icmp -j QUEUE

With this rule, locally generated packets of the ICMP type (such as those created, say, by the ping command) go to the ip_queue module, which then tries to hand them over to a user-space application. If no such application is found, the packets are dropped. To write a user-space packet handling program, use the libipq API. It is distributed with the iptables package. Examples can be found in the testsuite tools (for example redirect.c) in CVS. The status of ip_queue can be checked with: /proc/net/ip_queue
The maximum queue length (that is, the number of packets handed to the user-space application without acknowledgement of processing) can be controlled with: /proc/sys/net/ipv4/ip_queue_maxlen By default the maximum queue length is 1024. As soon as this limit is reached, new packets will be dropped until the queue falls below the limit. Well-behaved protocols such as TCP interpret dropped packets as congestion of the transmission channel and cope with it successfully (as far as I remember, the packet is simply retransmitted by the remote side, translator's note). However, some experimentation may be needed to determine the optimal queue length in each particular case, if the default queue is too small..."

The RETURN target

The RETURN target stops the packet's traversal of the current rule chain and returns it to the calling chain, if the current chain was nested, or, if the current chain is at the top level (for example INPUT), the default policy is applied to the packet. Usually the ACCEPT or DROP target is set as the default policy. For example, suppose a packet travels through the INPUT chain and meets a rule that jumps to a nested chain: --jump EXAMPLE_CHAIN. Then, in the EXAMPLE_CHAIN chain, the packet meets a rule with the --jump RETURN target. The packet is then returned to the INPUT chain. Another example: suppose the packet meets a rule with the --jump RETURN target in the INPUT chain itself. Then the default policy of the INPUT chain is applied to the packet.

The LOG target

LOG is a target that serves to log individual packets and events. The headers of IP packets and other information of interest to you can be written to the log. The log information can then be read with dmesg or syslogd or with other programs. An excellent tool for debugging your rules. It would be a good idea, while debugging rules, to use the LOG target instead of DROP, so as to be fully convinced that your firewall works flawlessly. Pay attention also to the ULOG target, which will surely interest you with its capabilities, since it allows the logged information to be written not to the system log but to a MySQL database and so on. Note: if you have problems with writing to the system log, they are problems not of iptables or netfilter but of syslogd. For information on configuring syslogd see man syslog.conf. LOG has five options, which are listed below.

Table 17. Options for the LOG target
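The jump and RETURN semantics described above (an ACCEPT or DROP in a nested chain ends traversal, RETURN or falling off the end of a nested chain resumes the calling chain at the next rule, RETURN in a top-level chain applies the policy), as an added shell simulation that is not part of the tutorial; the chains, rules and policy are constructed for illustration and a "match" is reduced to a protocol name.

```shell
#!/bin/sh
# Added example (not from the tutorial): a simulation of how a packet walks
# through user-defined chains, following the jump, ACCEPT/DROP and RETURN
# semantics described above. The chains, rules and policy are constructed
# for illustration; a "match" here is just a protocol name or "any".

# chain_rules NAME: the rules of chain NAME, one "match target" per line,
# in order. A target is ACCEPT, DROP, RETURN or the name of another chain
# (a jump). Unknown chain names yield no rules.
chain_rules() {
    case "$1" in
        INPUT)       printf '%s\n' 'tcp tcp_packets' 'udp udp_packets' \
                                   'udp DROP' 'icmp RETURN' 'any ACCEPT' ;;
        tcp_packets) printf '%s\n' 'any sub_chain' 'icmp DROP' ;;
        udp_packets) printf '%s\n' 'any ACCEPT' ;;
        sub_chain)   printf '%s\n' 'tcp RETURN' 'any DROP' ;;
        *)           return 1 ;;
    esac
}
POLICY_INPUT=DROP   # default policy of the built-in chain

# walk PROTO CHAIN: traverse CHAIN for a PROTO packet. Prints ACCEPT or DROP
# when a rule decides, or RETURN when the chain is left without a verdict
# (an explicit RETURN or falling off the end), which hands control back to
# the calling chain at the rule after the jump.
walk() {
    proto=$1; chain=$2
    v=$(chain_rules "$chain" | while read -r match target; do
        [ "$match" = any ] || [ "$match" = "$proto" ] || continue
        case "$target" in
            ACCEPT|DROP|RETURN) echo "$target"; break ;;
            *) sub=$(walk "$proto" "$target")        # jump into a nested chain
               # a verdict in the nested chain ends traversal in the caller too
               [ "$sub" = RETURN ] || { echo "$sub"; break; } ;;
        esac
    done)
    echo "${v:-RETURN}"
}

# verdict PROTO: final fate of a PROTO packet entering INPUT. A RETURN at the
# top level (explicit or by reaching the end of INPUT) applies the policy.
verdict() {
    v=$(walk "$1" INPUT)
    [ "$v" = RETURN ] && v=$POLICY_INPUT
    echo "$v"
}

# Demonstration:
#   tcp  -> sub_chain RETURNs, tcp_packets runs out, INPUT resumes: ACCEPT
#   udp  -> ACCEPT inside udp_packets ends it; 'udp DROP' in INPUT never runs
#   icmp -> RETURN in INPUT itself, so the DROP policy applies
for p in tcp udp icmp gre; do
    echo "$p: $(verdict "$p")"
done
```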
The MARK target

Used to set marks on certain packets. This target may be used only within the mangle table. Setting marks is usually used for routing packets along different routes, for traffic shaping and so on. For more information you can turn to the LARTC HOWTO. Do not forget that a packet's "mark" exists only while the packet has not yet left the firewall, i.e. the mark is not transmitted over the network. If you need to mark packets somehow so that the marking can be used on another machine, you can try manipulating the bits of the TOS field.

The REJECT target

REJECT is used, as a rule, in the same situations as DROP, but unlike DROP, the REJECT target sends an error message to the host that sent the packet. At present the REJECT target "works" only in the INPUT, FORWARD and OUTPUT chains (and in chains nested in them). So far there is only a single option controlling the behaviour of REJECT.

Table 19. The REJECT target
The TOS target

The TOS target is used to set bits in the Type of Service field of the IP header. The TOS field contains 8 bits, which are used for routing packets. It is one of several fields used by iproute2. It is also important to remember that this field may be processed by various routers in order to choose the packet's route. As was mentioned above, this field, unlike MARK, keeps its value as it travels across the network, and so it can be used by you for routing packets. At present most routers on the Internet do not process this field at all, but there are some that look at it. If you use this field for your own needs, such routers may make a wrong routing decision, so it is best to use this field for your own needs only within your WAN or LAN.
The TOS target has only one option, which is described below.

Table 20. The TOS target
The MIRROR target

The MIRROR target may be used by you only for experiments and demonstration purposes, since this target can lead to a packet "looping" and, as a result, to a "denial of service". As a result of the MIRROR target, the source and destination fields of the packet are swapped (invert the source and destination fields) and the packet is sent out to the network. Using this target can have a rather amusing result; it is probably quite entertaining to watch from the sidelines as a script kiddie tries to "hack" his own computer! This target may be used only in the INPUT, FORWARD and PREROUTING chains, and in chains called from those three. Packets sent out by the MIRROR target are no longer subject to filtering, connection tracking or NAT, thereby avoiding "looping" and other troubles. That does not mean, however, that there are no problems with this target. Let us imagine, for example, that on a host using the MIRROR target a packet is forged, with a TTL of 255, addressed to that same host, and the packet matches the "mirroring" rule. The packet is "reflected" to the same host, and since there is only 1 hop between "receiver" and "sender", the packet will bounce back and forth 255 times. Not bad for a cracker: with a packet size of 1500 bytes we lose up to 380 Kbytes of traffic!

The SNAT target

SNAT is used for Source Network Address Translation, i.e. changing the source IP address in the packet's IP header. For example, this target can be used to give other computers on the local network access to the Internet while having only one unique IP address. To do this, packet forwarding must be enabled in the kernel and then rules created that translate the source IP addresses of our local network into the real external address. As a result, the outside world knows nothing about our local network; it assumes that the requests came from our firewall.
SNAT may be performed only in the nat table, in the POSTROUTING chain. In other words, source address translation is allowed only here. If the first packet of a connection has had its source address translated, all subsequent packets of the same connection are translated automatically and do not pass through this rule chain.

Table 21. The SNAT target
The DNAT target

DNAT (Destination Network Address Translation) is used to translate the destination address in the packet's IP header. If a packet matches the criteria of a rule performing DNAT, that packet, and all subsequent packets of the same stream, have their destination address translated and are passed to the required device, host or network. This target can, for example, be used successfully to give access to your web server located on the local network and lacking a real IP address. To do this you build a rule that intercepts packets going to the firewall's HTTP port and, performing DNAT, passes them to the local address of the web server. A range of addresses can also be specified for this target, in which case the destination address for each new stream is chosen at random. The DNAT target may be performed only in the PREROUTING and OUTPUT chains of the nat table, and in nested sub-chains.

Table 22. The DNAT target
The DNAT target is fairly tricky to use and needs further explanation. Consider a simple example. We have a web server and want to allow access to it from the Internet. We have only one real IP address, and the web server sits on the local network. The real IP address $INET_IP is assigned to the firewall, the HTTP server has the local address $HTTP_IP and, finally, the firewall has the local address $LAN_IP. To begin with, we add a simple rule to the PREROUTING chain of the nat table (the -p tcp match is required, since --dport is only valid together with a protocol):

iptables -t nat -A PREROUTING -p tcp --dst $INET_IP --dport 80 -j DNAT --to-destination $HTTP_IP

According to this rule, all packets arriving on port 80 of $INET_IP are redirected to our internal web server. If you now connect to the web server from the Internet, everything works perfectly. But what happens if you try to connect to it from the local network? The connection simply will not be established. Let us look at how packets going from the Internet to our web server are routed. For simplicity, take the address of the client on the Internet to be $EXT_BOX.
Now let us see what happens if the request is sent from a host on the same local network. For simplicity, take the address of the client on the local network to be $LAN_BOX.
The problem is solved quite simply with SNAT. The rule that does this is given below. It forces the HTTP server to send its replies to our firewall, which then passes them on to the client.

iptables -t nat -A POSTROUTING -p tcp --dst $HTTP_IP --dport 80 -j SNAT --to-source $LAN_IP

Remember that the POSTROUTING chain is processed last of all, and by then the packet has already gone through DNAT, so the match is built on the destination address $HTTP_IP. If you think we can stop here, you are mistaken! Imagine the situation where the firewall itself acts as the client. Then, unfortunately, the packets are delivered to local port 80 of the firewall itself rather than to $HTTP_IP. To solve this problem as well, we add the rule

iptables -t nat -A OUTPUT -p tcp --dst $INET_IP --dport 80 -j DNAT --to-destination $HTTP_IP

Now there should be no more problems accessing our web server.

MASQUERADE target

Masquerading (MASQUERADE) is basically the same as SNAT, except that it has no --to-source option. The reason is that masquerading can work, for example, with a dialup connection or DHCP, i.e. in those cases where the IP address is assigned to the device dynamically. If you have a dynamic connection, you need to use masquerading; if you have a static IP connection, the SNAT target is unquestionably the better choice. Masquerading means taking the IP address from the given network interface instead of specifying it explicitly, as is done with the --to-source option of the SNAT target. The MASQUERADE target has the nice property of "forgetting" connections when the network interface goes down. With SNAT, in that situation, entries for the lost connections remain in the connection tracking table, and they may be kept for up to a day, consuming valuable memory.
This "forgetfulness" comes from the fact that when a network interface with a dynamic IP address goes down, you will most likely get a different IP address the next time it comes up; any connections would be lost anyway, and it would be silly to keep the tracking information. As you will have realised, the MASQUERADE target can be used instead of SNAT even if you have a static IP address; however, despite its good points, masquerading should not be preferred in that case, since it puts a heavier load on the system. The MASQUERADE target is only allowed in the POSTROUTING chain of the nat table, just like the SNAT target. MASQUERADE has one option, described below, whose use is optional.

Table 23. MASQUERADE target
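The three-rule DNAT/SNAT arrangement described under the DNAT target above, written out as a small shell script. This is an added example, not code from the tutorial: the addresses are constructed (documentation and private ranges), the variable names mirror the tutorial's, and the script only echoes the rules unless IPTABLES is pointed at the real binary. It differs from the tutorial's rules in one respect, noted in the comments: the SNAT rule is restricted to LAN sources, so that connections from the Internet keep their real source address in the web server's logs.

```shell
#!/bin/sh
# Added example, not from the tutorial: the three nat rules that make an
# internal web server reachable under the firewall's public address from
# the Internet, from the LAN and from the firewall itself ("hairpin" NAT).
# All addresses are constructed documentation/private values.
INET_IP="203.0.113.10"         # public address on the firewall (assumed)
LAN_IP="192.168.0.2"           # firewall's LAN address (assumed)
LAN_IP_RANGE="192.168.0.0/24"  # trusted LAN (assumed)
HTTP_IP="192.168.0.3"          # internal web server (assumed)

# IPTABLES defaults to "echo iptables" so the rules can be reviewed without
# root; set IPTABLES=/sbin/iptables to apply them for real.
IPTABLES="${IPTABLES:-echo iptables}"

hairpin_nat_rules() {
    # 1. Internet -> firewall:80 is rewritten to the web server. "-p tcp" is
    #    required: --dport is a TCP/UDP match and is rejected without it.
    $IPTABLES -t nat -A PREROUTING -p tcp -d "$INET_IP" --dport 80 \
        -j DNAT --to-destination "$HTTP_IP"

    # 2. LAN client -> web server (already DNATed): rewrite the source to the
    #    firewall so the server's reply returns via the firewall instead of
    #    going straight to the client, which would reset the connection.
    #    Limiting this to LAN sources (the tutorial's rule matches every
    #    source) keeps the real client address in the server's logs for
    #    connections from the Internet.
    $IPTABLES -t nat -A POSTROUTING -p tcp -s "$LAN_IP_RANGE" -d "$HTTP_IP" --dport 80 \
        -j SNAT --to-source "$LAN_IP"

    # 3. Locally generated packets never traverse PREROUTING, so the firewall
    #    itself needs the same DNAT in the OUTPUT chain of the nat table.
    $IPTABLES -t nat -A OUTPUT -p tcp -d "$INET_IP" --dport 80 \
        -j DNAT --to-destination "$HTTP_IP"
}

# Review helper (added): number of generated rules that jump to a target.
count_rules() {
    hairpin_nat_rules | grep -c -- "-j $1"
}

case "${1:-}" in run) hairpin_nat_rules ;; esac
```

Run `sh hairpin.sh run` to print the rules for review, or `IPTABLES=/sbin/iptables sh hairpin.sh run` as root to install them. Rule 3 is the one most often forgotten: packets the firewall generates itself enter the nat table only through its OUTPUT chain.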
REDIRECT target

Redirects packets and streams to another port on the same machine. For example, packets arriving at the HTTP port can be redirected to the port of an HTTP proxy. The REDIRECT target is very convenient for transparent proxying, where the machines on the local network are not even aware that a proxy exists. REDIRECT may only be used in the PREROUTING and OUTPUT chains of the nat table, and of course in user-defined chains called from them. The REDIRECT target has only one option.

Table 24. REDIRECT target
TTL target

The TTL target is used to change the Time To Live field in the IP header. One use of this target is to set the Time To Live field of ALL outgoing packets to the same value. What for?! There are providers who strongly dislike several computers sharing one connection; if we set the same TTL on all packets, we deprive the provider of one of the criteria for detecting that the Internet connection is shared among several computers. As an example, TTL = 64 is the standard value for the Linux kernel. For more information on setting the default value, see ip-sysctl.txt, which you will find in the appendix Other resources and links. The TTL target may only be used in the mangle table and nowhere else. It has 3 options, described below.

Table 25. TTL target
ULOG target

The ULOG target provides userspace logging of packets. It replaces the traditional LOG target, which relies on the system log. With this target the packet is passed over a netlink socket to a special daemon that can do very detailed logging in various formats (plain text file, MySQL database, etc.) and also supports plugins for producing different output formats and handling network protocols. The userspace part, ULOGD, can be obtained from the ULOGD project home page.

Table 26. ULOG target
The rc.firewall file

In this chapter we look at configuring a firewall using the example script rc.firewall.txt. We take each basic setting and examine how it works and what it does. This may give you ideas for solving your own problems. To run this script you will need to modify it so that it works with your network configuration; in most cases it is enough to change the variables.
Example rc.firewall

So, everything is ready for walking through the example file rc.firewall.txt (the script is included in this document in the appendix Example scripts). It is fairly large, but only because of the many comments. I suggest you look through the file now to get an idea of its contents, and then come back here for a more detailed explanation.

Description of the rc.firewall script

Configuration

The first part of rc.firewall.txt is the configuration section. Here the basic firewall settings that depend on your network configuration are set; the IP addresses, for example, will almost certainly need to be changed to your own. The variable $INET_IP must hold your real IP address; if you connect to the Internet via DHCP, you should look at the script rc.DHCP.firewall.txt instead. Similarly, $INET_IFACE must name the device through which you connect to the Internet. This may be, for example, eth0, eth1, ppp0, tr0, etc. This script contains no settings specific to DHCP or PPPoE, so those sections are left empty. The same goes for the other "empty" sections. This is deliberate, so that you can see the differences between the scripts more clearly. If you need to fill in these sections, you can take them from the other scripts or write your own. The Local Area Network section must hold settings matching the configuration of your local network. You must give the local IP address of the firewall, the interface connected to the local network, the netmask and the broadcast address. Next comes the Localhost Configuration section, which you will hardly ever need to change. It names the loopback interface lo and the local IP address 127.0.0.1. After Localhost Configuration comes the Iptables Configuration section. Here the variable $IPTABLES is set, holding the path to the iptables binary (/usr/local/sbin/iptables).
If you installed iptables from source, your path to iptables may differ slightly from the one given in the script, but in most distributions iptables is located exactly there.

Loading additional modules

First of all, the command /sbin/depmod -a checks module dependencies, after which the modules needed by the script are loaded. Try to load only the modules you really need in your scripts.
The next section lists a number of modules that are not used in this script but are given as examples. One is the ipt_owner module, which can be used to allow only a certain set of users on your machine to access the network, thereby raising the level of security. For the ipt_owner matches, see Owner match in the chapter How a rule is built. We can also load additional modules for state matching. All modules that extend state matching are named ip_conntrack_* and ip_nat_*; they implement connection tracking for specific protocols. For example: FTP is by definition a complex protocol; it carries connection information inside the data part of the packet. So when our local host sends a connection request to an FTP server on the Internet through a firewall that performs address translation, the local IP address of the host is carried inside the packet. And since IP addresses reserved for local networks are considered invalid on the Internet, the server does not know what to do with the request, and the connection is not established. The FTP NAT helper module performs all the necessary address translation, so the FTP server actually receives the connection request from our external IP address and can establish the connection. The same happens with DCC file transfers and chats. Setting up connections of this type requires an IP address and port to be sent over the IRC protocol, which also passes through network address translation on the firewall. Without the special helper module, FTP and IRC become very unreliable. For example, you can receive files over DCC but cannot send them. This is due to the way DCC "starts" a connection: you tell the receiving host that you want to send a file and where it should connect.
Without the helper module, a DCC connection looks as if we were asking the external receiver to connect to a host on our local network; simply put, such a connection fails. With the helper module everything works fine, since the receiver is given the correct IP address to connect to. For more information on the conntrack and nat modules, see the appendix Common problems and questions. Also do not forget the documentation included in the iptables package. To get these additional features you will need to install patch-o-matic and rebuild the kernel. How to do that is explained above in the chapter Preparations.
/proc set up

Here we turn on IP forwarding by writing a one into /proc/sys/net/ipv4/ip_forward like this:

echo "1" > /proc/sys/net/ipv4/ip_forward
If you need dynamic IP support (when using SLIP, PPP or DHCP), you can uncomment the line:

echo "1" > /proc/sys/net/ipv4/ip_dynaddr

If you need to enable any other options, you should consult the relevant documentation for them. A good, concise document on the /proc filesystem ships with the kernel. Links to other documents can be found in the appendix Other resources and links.
Placing rules in other chains

Here we talk about user-defined chains, in particular the user-defined chains in the script rc.firewall.txt. My way of splitting the rules into extra chains may turn out to be unsuitable in some particular case; I hope to be able to show you the possible pitfalls. This section is closely tied to the chapter Traversing of tables and chains, and it would do no harm to skim through it once more. By distributing the rule set across user-defined chains I have saved processor time without losing security or the readability of the scripts. Instead of passing TCP packets through the whole rule set (the ICMP and UDP rules included), I simply pick out the TCP packets and pass them through a user-defined chain meant specifically for TCP, which reduces the load on the system. The following picture shows schematically how packets traverse netfilter. It is in fact somewhat simplified compared with the diagram in the chapter Traversing of tables and chains; its main purpose is to refresh our memory. Overall, this example script assumes that we have one local network, one firewall and a single Internet connection with a static IP address (as opposed to PPP, SLIP, DHCP and the like). It is also assumed that access to Internet services goes through the firewall, that we fully trust our local network and therefore do not intend to block traffic coming from it, but that the Internet cannot be considered a trusted network, so access to our local network from outside must be restricted. We follow the principle "everything that is not expressly permitted is forbidden". To enforce the last restriction we set the default policy to DROP. In this way we cut off any connection that is not explicitly allowed.
Now let us look at what we need to do and how. To begin with, we allow connections from the local network to the Internet. For this we need to perform network address translation (NAT). This is done in the PREROUTING chain (I believe the author simply made a typo here, since in the script the POSTROUTING chain is filled, and we already know that SNAT is done in the POSTROUTING chain of the nat table. Translator's note.), which is filled last in our script. Some filtering in the FORWARD chain is also implied. Even though we fully trust our local network and let all its traffic out to the Internet, that does not mean we trust the Internet, so restrictions on access to our computers from outside are necessary. In our case we let packets into our network only if they belong to an already established connection, or if they open a new connection that is related to an existing one (ESTABLISHED and RELATED). As for the firewall machine itself, the services exposed to the Internet must be kept to a minimum. Accordingly, we allow only HTTP, FTP, SSH and IDENTD access to the firewall. All these protocols are accepted in the INPUT chain, and correspondingly we must allow the "reply" traffic in the OUTPUT chain. Since we assume a relationship of trust with the local network, we add rules for the local network address range, and along with them for the loopback interface and the local IP address (127.0.0.1). As mentioned above, there are several address ranges reserved specifically for local networks; these addresses are considered invalid on the Internet and as a rule are not routed. So we too forbid any traffic from the Internet whose source address belongs to the private ranges. And finally, read the chapter Common problems and questions.
Since we run an FTP server, the rules handling connections to it should preferably be placed at the start of the INPUT chain, thereby reducing the load on the system. In general, the fewer rules a packet has to traverse, the more processor time is saved and the lower the load on the system. For this reason I split the rule set into extra chains. In our example I grouped packets by the protocol they belong to. A separate chain is created for each protocol type, for example tcp_packets, which holds the rules for checking all accepted TCP ports and protocols. Another chain can be created for further checks on packets that have passed through the first; in our case this is the allowed chain. It performs additional checks on certain properties of TCP packets before the final decision to accept them. ICMP packets go through the icmp_packets chain, where we simply accept all ICMP packets with the listed message types. And finally UDP packets. They pass through the udpincoming_packets chain, which handles incoming UDP packets. If they belong to accepted services, they are let through without further checks. Since we are dealing with a relatively small network, our firewall is also used as a workstation, so we make it possible to connect to the Internet from the firewall itself as well. And finally the OUTPUT chain. We do not impose any user-specific blocks, but we do not want anyone using our firewall to send "spoofed" packets out to the network, so we set rules allowing only packets with our local network address, our loopback address (127.0.0.1) and our Internet address. Packets from these addresses pass the OUTPUT chain; everything else (most likely spoofed) is cut off by the default policy, DROP.
Setting up default policies

Before building the rule set, we must decide on the default policies of the chains. A default policy is set with a command like the one below:

iptables -P <chain name> <policy>

The default policy is the target applied to a packet that matched none of the rules in the chain. (A small clarification: the iptables -P command applies ONLY TO BUILT-IN chains, i.e. INPUT, FORWARD, OUTPUT etc., and not to user-defined chains. Translator's note.)

Setting up user-defined chains

By now you probably have a picture of how packets move through the various chains and how those chains interact. You should already have a clear idea of the goals and purpose of this script. Let us start creating the chains and their rule sets. First of all, the extra chains have to be created with the -N command. Right after creation the chains contain no rules. In our example the chains icmp_packets, tcp_packets and udpincoming_packets are created, together with the allowed chain, which is called from tcp_packets. Incoming ICMP packets on the $INET_IFACE interface (i.e. from the Internet) are sent to the icmp_packets chain, TCP packets to the tcp_packets chain, and incoming UDP packets on eth0 go to the udpincoming_packets chain.

The bad_tcp_packets chain

This chain is meant to filter out packets with "bad" headers and to solve a few other problems. Here all packets recognised as NEW but not SYN packets are filtered out. This chain can be used to protect against intrusion and port scanning. A rule for dropping packets in state INVALID is also added here.

The allowed chain

A TCP packet coming from $INET_IFACE enters the tcp_packets chain; if it is headed for an allowed port, further checks follow.
The first rule checks whether the packet is a SYN packet, i.e. a connection request. We consider such a packet acceptable and let it through. The next rule accepts all packets in state ESTABLISHED or RELATED. When a connection has been opened by a SYN packet and that request has been answered positively, the connection gets the ESTABLISHED state. The last rule in this chain drops all remaining TCP packets. This catches packets from non-existent connections and packets without the SYN bit that try to open a connection. Non-SYN packets are practically never used to open a connection, except during port scans. As far as I know, there is no TCP/IP implementation today that opens a connection other than by sending a SYN packet, so we can be 99% sure that the dropped packets were sent by a port scanner.

The TCP chain

So we come to TCP connections. Here we specify which ports may be reached from the Internet. Even when a packet passes the check here, we still pass all packets to the allowed chain for further checks. I opened TCP port 21, the FTP control port, and further I allow all RELATED connections, thereby permitting PASSIVE FTP, provided the ip_conntrack_ftp module is loaded. If you need to forbid FTP connections, you will have to unload the ip_conntrack_ftp module and remove the line $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed from the rc.firewall.txt script. Port 22 is SSH, which is much more secure than telnet on port 23. If you feel like giving anyone at all shell access from the Internet, it is certainly better to use SSH. However, I would note that it is generally considered bad form to give anyone but yourself access to the firewall. Your firewall should run only the services that are really necessary, and nothing more.
Port 80 is the HTTP port, in other words the web server; remove this rule if you have no web server. And finally port 113, which belongs to the IDENTD service and is used by some protocols such as IRC.

The UDP chain

UDP packets from the INPUT chain go to the udpincoming_packets chain. As with TCP packets, they are checked here for acceptance by destination port number. Port 53, where DNS "lives", is open for UDP packets. If we want to use symbolic host names rather than IP addresses, we naturally have to let the domain name service work. I personally allow port 123, where NTP (network time protocol) runs. This service is commonly used to get very accurate time from time servers on the Internet. Port 2074 is used by some multimedia applications, such as speak freely, for real-time voice transmission. And finally ICQ, on port 4000. This is the well-known protocol used by ICQ applications; I do not think I need to explain to you what that is.

The ICMP chain

Here the decision to accept ICMP packets is made. If a packet arrives on eth0 in the INPUT chain, it is sent on to the icmp_packets chain, where the ICMP message type is checked. Only ICMP Echo Reply, Destination Unreachable, Redirect and Time Exceeded are allowed. My reasoning is as follows. ICMP Echo Reply packets come back when you, for example, ping another host; if we block this message, we lose the ability to use ping. Destination Unreachable arrives when some host is unreachable; for example, when you make an HTTP request to an unreachable host, the last router that could not find a route to it returns a Destination Unreachable message to us.
That way we do not have to wait for our browser's timeout, which by default is fairly long, about 60 seconds or more. Time Exceeded: as a packet travels through the network, the TTL field in its header is decremented by 1 at every router. As soon as the TTL field reaches zero, the router sends a Time Exceeded message. For example, when you run traceroute to some host, the TTL field is first set to 1; at the very first router it becomes zero and a Time Exceeded message comes back to us; then TTL = 2 is set and the second router sends us Time Exceeded, and so on until we get a reply from the host itself. For a list of ICMP message types, see the appendix. More information on ICMP can be found in the following documents:
Be careful when blocking ICMP packets; I may be wrong to block some of them, and this may turn out to be unacceptable for you.

The INPUT chain

The INPUT chain, as I have already written, uses other chains to do the bulk of the work, thereby reducing the load on the packet filter. The effect of organising the rules this way is most noticeable on slow machines, which otherwise start to "lose" packets under heavy load. With the very first rule we try to throw out "bad" packets. For more information, see the appendix on packets in state NEW without the SYN bit set. In some special situations such packets may be acceptable, but in 99% of cases it is better to "stop" them. So such packets are logged to the system log and "dropped". Next, all ICMP packets arriving in the INPUT chain on $INET_IFACE, in my case eth0, are sent to the icmp_packets chain, which we looked at earlier. With the next rule, all TCP packets on $INET_IFACE are passed to the tcp_packets chain. And finally all UDP packets are sent to the udpincoming_packets chain. At the end we allow everything coming from our $LOCALHOST_IP address, which is usually 127.0.0.1, everything from the $LAN_IP address, in my case 192.168.0.2, and at the same time everything from the local network $LAN_IP_RANGE, for me 192.168.0.0/24. I accept everything coming from my own external IP address that is in state ESTABLISHED or RELATED. Broadcast traffic from the local network is also accepted; some applications, for example Samba, depend on broadcast messages and cannot work without them. With the last rule, before the default policy is applied to every packet not explicitly accepted in the INPUT chain, the traffic is logged, in case we need to track down the cause of a problem.
Here we put a limit on the rule, no more than 3 logged packets per minute, to keep the log from growing excessively. Everything not explicitly accepted in the INPUT chain is DROPped, since that is the target set as the default policy.

The OUTPUT chain

As I mentioned earlier, in my case the computer serves as a firewall and at the same time as a workstation. So I allow everything with the source address $LOCALHOST_IP, $LAN_IP or $STATIC_IP to leave my host. This is done to protect against traffic that some not-so-nice person might spoof from my machine. And to top it all off, I log the "dropped" packets, for troubleshooting or for spotting spoofed packets. All packets that matched none of the rules get the default policy, DROP.

The FORWARD chain

As usual, we allow packets from the local network without restriction with the rule

/usr/local/sbin/iptables -A FORWARD -i $LAN_IFACE -j ACCEPT

Naturally, the reply packets must be let back into the local network, so with the next rule we accept everything in state ESTABLISHED or RELATED, i.e. we accept packets belonging to a connection established FROM the local network. And before dropping all the unacceptable packets by the default policy, we log the traffic, with a limit of 3 entries per minute.

The PREROUTING chain of the nat table

Here network address translation is done before the packets reach the INPUT or FORWARD chain. Once again I want to remind you that this chain is not meant for any kind of filtering, only for address translation, since only the first packet of a stream enters this chain. To begin with, we cut off all packets with obviously bogus source addresses, such as addresses from the ranges reserved for local networks: 192.168.x.x, 10.x.x.x or 172.16.x.x.
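A condensed rule set following the structure described in this section (default policies, the user-defined chains, INPUT, OUTPUT, FORWARD and the nat table), as an added example rather than the tutorial's own rc.firewall.txt. Interface names and addresses are constructed values; IPTABLES defaults to echo so the rule set can be reviewed without root, and rule_count() is a helper added for checking the generated output.

```shell
#!/bin/sh
# Added example, not the tutorial's rc.firewall.txt: a condensed rule set
# with the structure described above. Interfaces and addresses are
# constructed values. IPTABLES defaults to "echo iptables" so the rule set
# can be reviewed without root; set IPTABLES=/sbin/iptables to apply it.
IPTABLES="${IPTABLES:-echo iptables}"
INET_IP="203.0.113.10";   INET_IFACE="eth0"
LAN_IP="192.168.0.2";     LAN_IFACE="eth1";   LAN_IP_RANGE="192.168.0.0/24"
LAN_BCAST="192.168.0.255"
LO_IFACE="lo";            LO_IP="127.0.0.1"
LOG_OPTS="-m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG"

build_ruleset() {
    # Default policies: whatever is not expressly permitted is dropped.
    # -P applies only to the built-in chains.
    for chain in INPUT OUTPUT FORWARD; do
        $IPTABLES -P $chain DROP
    done

    # User-defined chains; each is empty right after -N.
    for chain in bad_tcp_packets allowed tcp_packets udpincoming_packets icmp_packets; do
        $IPTABLES -N $chain
    done

    # bad_tcp_packets: a NEW connection must begin with SYN; INVALID is dropped.
    $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
    $IPTABLES -A bad_tcp_packets -m state --state INVALID -j DROP

    # allowed: SYN or an existing connection is accepted; anything else
    # (non-SYN packets of unknown connections, typically scans) is dropped.
    $IPTABLES -A allowed -p tcp --syn -j ACCEPT
    $IPTABLES -A allowed -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A allowed -p tcp -j DROP

    # tcp_packets: services reachable from the Internet (FTP, SSH, HTTP,
    # IDENTD). Remove a port you do not serve; all still pass "allowed".
    for port in 21 22 80 113; do
        $IPTABLES -A tcp_packets -p tcp -s 0/0 --dport $port -j allowed
    done

    # udpincoming_packets: DNS, NTP, speak freely, ICQ.
    for port in 53 123 2074 4000; do
        $IPTABLES -A udpincoming_packets -p udp -s 0/0 --dport $port -j ACCEPT
    done

    # icmp_packets: only the types needed for ping, path errors and traceroute.
    for type in echo-reply destination-unreachable redirect time-exceeded; do
        $IPTABLES -A icmp_packets -p icmp --icmp-type $type -j ACCEPT
    done

    # INPUT: weed out bad TCP first, dispatch Internet traffic by protocol,
    # trust loopback and the LAN, accept replies to us, log before the policy.
    $IPTABLES -A INPUT -p tcp -j bad_tcp_packets
    $IPTABLES -A INPUT -p icmp -i $INET_IFACE -j icmp_packets
    $IPTABLES -A INPUT -p tcp -i $INET_IFACE -j tcp_packets
    $IPTABLES -A INPUT -p udp -i $INET_IFACE -j udpincoming_packets
    $IPTABLES -A INPUT -p all -i $LO_IFACE -s $LO_IP -j ACCEPT
    $IPTABLES -A INPUT -p all -i $LO_IFACE -s $LAN_IP -j ACCEPT
    $IPTABLES -A INPUT -p all -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
    $IPTABLES -A INPUT -p all -i $LAN_IFACE -d $LAN_BCAST -j ACCEPT
    $IPTABLES -A INPUT -p all -d $INET_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT $LOG_OPTS --log-prefix "IPT INPUT packet died: "

    # OUTPUT: only our own addresses may send; anything else is spoofed.
    $IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets
    for src in $LO_IP $LAN_IP $INET_IP; do
        $IPTABLES -A OUTPUT -p all -s $src -j ACCEPT
    done
    $IPTABLES -A OUTPUT $LOG_OPTS --log-prefix "IPT OUTPUT packet died: "

    # FORWARD: the LAN may go anywhere; from outside only replies come in.
    $IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD $LOG_OPTS --log-prefix "IPT FORWARD packet died: "

    # nat table: private source addresses from the Internet are dropped in
    # PREROUTING as the section describes (note that this hook sees only the
    # first packet of each stream, so it is no substitute for the filter
    # table), then outgoing traffic is SNATed to the static public address.
    for net in 192.168.0.0/16 10.0.0.0/8 172.16.0.0/12; do
        $IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s $net -j DROP
    done
    $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP
}

# Review helper (added): number of generated rules appended to a chain.
rule_count() {
    build_ruleset | grep -c -- "-A $1 "
}

case "${1:-}" in run) build_ruleset ;; esac
```

`sh rc.example.sh run` prints the rules in order, which is a convenient way to review the chain layout before installing it as root with IPTABLES=/sbin/iptables. The order inside INPUT is the point of the section: the bad_tcp_packets and per-protocol jumps come first so that most Internet traffic is decided after a handful of rules, and the rate-limited LOG rule sits last, immediately before the DROP policy takes over.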
A similar rule can be used in the opposite direction, dropping all packets that do not belong to our local network.

Starting Network Address Translation

And the final section: setting up SNAT. At least for me. First of all we add a rule to the nat table, POSTROUTING chain, which translates the source addresses of all packets leaving the interface connected to the Internet. For me that is eth0. The script defines a number of variables that can be used to configure it automatically. Besides, using variables makes the scripts more readable. The -t option gives the table name, in this case nat. The -A command adds a new rule to the POSTROUTING chain, the -o $INET_IFACE match specifies the outgoing interface, and at the end of the rule we give the target applied to the packet, SNAT. Thus all packets matching this rule are "masqueraded", i.e. they look as if they were sent from our host. Do not forget to give the --to-source option with the appropriate IP address for outgoing packets. In this script I use SNAT instead of MASQUERADE for several reasons. First, the script is assumed to run on a host with a static IP address. Second, SNAT is faster and more efficient. Of course, if you do not have a static IP address you must use the MASQUERADE target, which offers a simpler way of translating addresses, since it automatically determines the IP address assigned to the given interface. However, compared with SNAT this target requires somewhat more computing resources, though not significantly more. If you need an example of MASQUERADE at work, see the rc.DHCP.firewall.txt script.

Example scripts

The purpose of this chapter is to give a brief description of each script in this guide. These scripts are not perfect and may not fully meet your needs.
This means you will have to "fit" these scripts to your own needs. The rest of the guide is meant to make that easier.

Structure of the rc.firewall.txt file

All the scripts described in this guide follow a certain structure. This is so that the scripts are as similar to each other as possible, which makes it easier to find the differences between them. This structure is described fairly well in this chapter. Here I hope to give you an understanding of why all the scripts were written this way and why I chose this particular structure.
Structure

This is the structure that all scripts in this guide follow. If you find that this is not so, it is most likely my mistake, unless of course I explained why I broke the structure.
I hope I have explained in enough detail how each script is structured and why they are structured this way.
rc.firewall.txt

The rc.firewall.txt script is the core on which the rest of the scripts are based. The chapter The rc.firewall file describes the script in sufficient detail. The script is written for a home network where you have one LOCAL NETWORK and one Internet connection. It also assumes that you have a static IP address and therefore do not use DHCP, PPP, SLIP or any other protocol that assigns an IP address dynamically. Otherwise, take the rc.DHCP.firewall.txt script as your base. The script requires the following options to be compiled in, either statically or as modules. Without any of them the script will not work.
rc.DMZ.firewall.txt

The script requires the following options to be compiled in statically or as modules; without any one of them it will not work.
The rc.DMZ.firewall.txt script was written for those who have a trusted local network, one Demilitarized Zone (DMZ) and one Internet connection. Servers in the DMZ are reached from the outside through one-to-one NAT, which means the firewall has to recognize packets for more than one IP address. The script works with two internal networks, as shown in the figure: one uses the 192.168.0.0/24 range and is the trusted internal network; the other uses 192.168.1.0/24 and is the DMZ, for which we do one-to-one NAT. For example, when someone on the Internet sends a packet to our DNS_IP, we DNAT it, replacing the destination address with the local address of the DNS server in the DMZ. Without the DNAT the DNS server could never receive the query, since its address is DMZ_DNS_IP, not DNS_IP. The translation is done by the following rule:

$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $DNS_IP --dport 53 -j DNAT --to-destination $DMZ_DNS_IP

First, remember that DNAT of packets arriving from the network can only be done in the PREROUTING chain of the nat table (the one other place DNAT is allowed is the nat table's OUTPUT chain, for packets generated on the firewall itself). By this rule the packet must arrive over TCP on $INET_IFACE with a destination IP address equal to our $DNS_IP and a destination port of 53. When such a packet is seen, its destination address is rewritten, which is what DNAT means; the address to put in is given with --to-destination $DMZ_DNS_IP. When the reply comes back through the firewall, the kernel's connection tracking automatically changes its source address from $DMZ_DNS_IP back to $DNS_IP, so the reverse translation needs no extra rules. Two things to check in your own rules: DNS queries normally travel over UDP, so the same rule is needed with -p UDP (TCP/53 carries zone transfers and large answers), and a DNAT rule only rewrites the address; the translated packet is still filtered afterwards in the FORWARD chain, which must accept it. By now you should understand how DNAT works well enough to read the rest of the script without trouble.
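The DNAT rule above, extended to both DNS transports and paired with the FORWARD rule that actually lets the translated packet through. This is an added example, not code from rc.DMZ.firewall.txt; the variable names follow the tutorial, the addresses are made up, and IPTABLES defaults to a dry run that prints the commands instead of applying them (set IPTABLES=/sbin/iptables and run as root to apply them).

```shell
#!/bin/sh
# Added example, not from the tutorial's rc.DMZ.firewall.txt. Variable names
# follow the tutorial; the addresses below are made up (documentation range).
# IPTABLES defaults to a dry run that prints the commands instead of applying
# them; set IPTABLES=/sbin/iptables and run as root to apply them.
IPTABLES="${IPTABLES:-echo iptables}"
INET_IFACE="${INET_IFACE:-eth0}"
DMZ_IFACE="${DMZ_IFACE:-eth2}"
DNS_IP="${DNS_IP:-203.0.113.10}"          # public address of the DNS server (assumed)
DMZ_DNS_IP="${DMZ_DNS_IP:-192.168.1.2}"   # its real address inside the DMZ (assumed)

# publish_dmz_service PROTO PORT PUBLIC_IP DMZ_IP
# Emits the DNAT rule in nat/PREROUTING plus the filter/FORWARD rule that lets
# the rewritten packet through: DNAT alone only changes the address, the packet
# is still filtered afterwards. Only the first packet of a connection needs the
# FORWARD rule, assuming FORWARD already accepts ESTABLISHED,RELATED traffic.
publish_dmz_service() {
    proto="$1"; port="$2"; pub="$3"; dmz="$4"
    $IPTABLES -t nat -A PREROUTING -p "$proto" -i "$INET_IFACE" \
        -d "$pub" --dport "$port" -j DNAT --to-destination "$dmz"
    $IPTABLES -A FORWARD -p "$proto" -i "$INET_IFACE" -o "$DMZ_IFACE" \
        -d "$dmz" --dport "$port" -m state --state NEW -j ACCEPT
}

# DNS needs both transports: queries normally travel over UDP/53, while
# TCP/53 carries zone transfers and answers too large for one UDP datagram.
publish_dmz_dns() {
    publish_dmz_service udp 53 "$DNS_IP" "$DMZ_DNS_IP"
    publish_dmz_service tcp 53 "$DNS_IP" "$DMZ_DNS_IP"
}

publish_dmz_dns
```

The same function publishes any other DMZ service, for example `publish_dmz_service tcp 80 "$HTTP_IP" "$DMZ_HTTP_IP"`; the reverse translation of the replies needs no rule, as the text explains.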
If anything is still unclear and it is not covered in this document, tell me about it; most likely it is my mistake.

rc.DHCP.firewall.txt

The script requires the following options to be compiled in statically or as modules; without any one of them it will not work.
The rc.DHCP.firewall.txt script is very similar to the original rc.firewall.txt. The main difference is that it no longer uses the STATIC_IP variable, because rc.firewall.txt cannot work with a dynamic IP address. Otherwise the changes are minimal. The script is useful for DHCP, PPP and SLIP connections to the Internet. In short, the STATIC_IP variable and every reference to it have been removed and the INET_IFACE variable is used instead; in other words, -d $STATIC_IP is replaced by -i $INET_IFACE. That is really all that has to change. We can no longer have rules in the INPUT chain such as --in-interface $LAN_IFACE --dst $INET_IP, which forces us to build rules on the network interface alone. For example, suppose an HTTP server is running on the firewall. If we open its main page, which contains a static link back to the same server, and that server sits on a dynamic address, we can run into a fair amount of trouble. A host behind the NAT asks DNS for the HTTP server's IP address and then tries to reach that IP. If the firewall filters on interface and IP address, the host never gets a reply, because the INPUT chain filters the request out. (The author most likely has the rc.firewall.txt script in mind here. Translator's note.) The same applies in some cases with a static IP address, but there it can be worked round with rules that match packets arriving from the LAN interface for our INET_IP and ACCEPT them. After all this, the idea of a script that handles a dynamic IP address does not look so bad. For instance, a script could read the IP address with ifconfig and substitute it into the firewall script (where the corresponding variable is defined) as part of bringing up the Internet connection. The excellent site linuxguruz.org has a huge collection of scripts available for download; the link to it is in Other resources and links.

You could also add something like this to your scripts:

INET_IP=`ifconfig $INET_IFACE | grep inet | cut -d : -f 2 | cut -d \ -f 1`

The command above reads the dynamic IP address from the interface, but this approach has serious drawbacks: the value is read once, when the script runs, so it goes stale as soon as the lease changes, and the field positions depend on the ifconfig version (on current systems grep inet also matches the inet6 line).
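Putting the SNAT-or-MASQUERADE choice into one function, together with a replacement for the ifconfig pipeline that reads the address from the output of `ip -4 -o addr show`, whose one-line-per-address format is much easier to parse. This is an added example, not code from the tutorial; the variable names follow the tutorial, the sample `ip` output is constructed, and IPTABLES defaults to a dry run that prints the commands.

```shell
#!/bin/sh
# Added example; not code from the tutorial's scripts. Variable names follow
# the tutorial, the addresses are made up, IPTABLES defaults to a dry run.
IPTABLES="${IPTABLES:-echo iptables}"
INET_IFACE="${INET_IFACE:-eth0}"

# source_nat_rule [STATIC_IP]
# A fixed address gets SNAT --to-source; an empty argument means the address
# may change, so MASQUERADE is used: it reads the interface address itself and
# forgets its connections when the interface goes down.
source_nat_rule() {
    static_ip="$1"
    if [ -n "$static_ip" ]; then
        $IPTABLES -t nat -A POSTROUTING -o "$INET_IFACE" -j SNAT --to-source "$static_ip"
    else
        $IPTABLES -t nat -A POSTROUTING -o "$INET_IFACE" -j MASQUERADE
    fi
}

# iface_ipv4 IP_OUTPUT
# Extracts the first global-scope IPv4 address from the text produced by
# `ip -4 -o addr show dev IFACE`, one address per line, for example
# "2: eth0    inet 203.0.113.7/24 brd 203.0.113.255 scope global eth0".
# Field 3 is the family (inet, never inet6 here), field 4 the address with
# its prefix length, which is stripped. No matching line gives an empty result.
iface_ipv4() {
    printf '%s\n' "$1" | awk '$3 == "inet" && /scope global/ { sub("/.*", "", $4); print $4; exit }'
}

# Constructed sample output standing in for a real `ip` call.
SAMPLE_IP_OUTPUT='2: eth0    inet 203.0.113.7/24 brd 203.0.113.255 scope global eth0
2: eth0    inet 192.168.100.1/24 brd 192.168.100.255 scope link eth0'

# In production: INET_IP="$(iface_ipv4 "$(ip -4 -o addr show dev "$INET_IFACE")")"
INET_IP="$(iface_ipv4 "$SAMPLE_IP_OUTPUT")"

source_nat_rule ""           # address not known in advance: MASQUERADE
source_nat_rule "$INET_IP"   # address read at script time: SNAT
```

Reading the address at script time has the same weakness as the ifconfig pipeline, a stale rule after the lease changes, so on a dynamic link the MASQUERADE form is the one to use; the parser is still useful for the interface-plus-address rules discussed above.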
rc.UTIN.firewall.txt

The script requires the following options to be compiled in statically or as modules; without any one of them it will not work.
Unlike the other scripts, rc.UTIN.firewall.txt also blocks the LAN behind the firewall: we trust the internal users no more than the users on the Internet. In other words, we trust nobody, neither on the Internet nor on the local network we are attached to, and so access to the Internet is restricted to POP3, HTTP and FTP. The script follows the golden rule "trust no one, not even your own employees". It is sad but true that most of the attacks and break-ins a company suffers come from its own employees on the internal network. The script will hopefully give you some ideas for strengthening your firewall. It differs little from the original rc.firewall.txt, but it contains hints about things we usually let through.

rc.test-iptables.txt

The rc.test-iptables.txt script is meant to test the various chains, but it may need some tuning depending on your configuration, for example enabling ip_forwarding, setting up masquerading and so on. Nevertheless it will work for most people who have the basic tables set up. All it really does is install LOG targets for ping requests and ping replies, so that the system log records which chains were traversed and in what order. Run the script and then execute:

ping -c 1 host.on.the.internet

and, while that command runs, execute tail -n 0 -f /var/log/messages. You should now clearly see all the chains used and the order in which they are traversed.
rc.flush-iptables.txt

The rc.flush-iptables.txt script is not really a script in its own right: all it does is flush every table and chain. It starts by setting the default policies of the INPUT, OUTPUT and FORWARD chains of the filter table to ACCEPT, and then resets the default policies of the PREROUTING, POSTROUTING and OUTPUT chains of the nat table. This is done first so that we do not run into trouble with closed connections and blocked packets. The script is meant for preparing the firewall for configuration and for debugging your scripts, so here we only care about clearing the rule set and restoring the default policies. Once the policies are set, it empties the chains of the filter and nat tables and then deletes all user-defined chains, after which it is finished. If you use the mangle table, you have to add the corresponding lines for that table yourself.
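The same flush written once for every table, including mangle and the raw table that later kernels added, so that the caveat about mangle takes care of itself. This is an added example and not the tutorial's rc.flush-iptables.txt; IPTABLES defaults to a dry run that prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not the tutorial's rc.flush-iptables.txt. It performs the
# steps that script is described as doing, for every table. IPTABLES defaults
# to a dry run that prints the commands; set IPTABLES=/sbin/iptables (as root)
# to apply them for real.
IPTABLES="${IPTABLES:-echo iptables}"

# chains_for_table TABLE: the built-in chains of each table (fixed by netfilter).
chains_for_table() {
    case "$1" in
        filter) echo "INPUT FORWARD OUTPUT" ;;
        nat)    echo "PREROUTING POSTROUTING OUTPUT" ;;
        mangle) echo "PREROUTING INPUT FORWARD OUTPUT POSTROUTING" ;;
        raw)    echo "PREROUTING OUTPUT" ;;
        *)      return 1 ;;
    esac
}

# flush_table TABLE
# Order matters: policies go to ACCEPT first, so that a chain with a DROP
# policy does not lock you out the moment its rules are gone; then the rules
# are flushed (-F); then user-defined chains are deleted (-X), which only
# succeeds once no rule references them, hence after the flush.
flush_table() {
    table="$1"
    for chain in $(chains_for_table "$table"); do
        $IPTABLES -t "$table" -P "$chain" ACCEPT
    done
    $IPTABLES -t "$table" -F
    $IPTABLES -t "$table" -X
}

flush_all() {
    for table in filter nat mangle raw; do
        flush_table "$table"
    done
}

flush_all
```

On a kernel that lacks one of the tables (the raw table did not exist on 2.4), the commands for that table fail harmlessly; remove it from the list in flush_all if the error messages bother you.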
Detailed explanations of special commands

Listing your active rule set

To list the rules, run iptables with the -L switch, which was briefly described in the chapter on how to build rules. It looks roughly like this:

iptables -L

This prints the rule set in a human-readable form. Port numbers are converted to service names according to /etc/services, and IP addresses are turned into host names by DNS lookups. Name resolution can cause problems: for example, with a 192.168.0.0/16 network, DNS cannot resolve the host 192.168.1.1, and the command hangs waiting for the answer. To avoid this, list the rules with an extra switch:

iptables -L -n

To see more information about the chains and rules, such as packet and byte counters, run

iptables -L -n -v

Several files in the /proc file system contain information that is interesting for us. Suppose, for example, you want to see the connections in the conntrack table, the main table that lists the tracked connections and the state each of them is in. On 2.4 kernels with the ip_conntrack module the table is read with

cat /proc/net/ip_conntrack | less

(with the later nf_conntrack code the file is /proc/net/nf_conntrack, and the conntrack(8) tool gives the same listing).

Updating and flushing your tables

As you go on exploring iptables, the question of how to remove individual rules from a chain without rebooting the machine becomes more and more pressing. I will try to answer it now. If you have added a rule by mistake, you only have to replace the -A command with -D in the same rule line: iptables finds the rule and deletes it. If several rules match the given pattern, the first one found is deleted. If that is not what you want, you can pass -D the number of the rule to delete instead; for instance

iptables -D INPUT 10

deletes the tenth rule in the INPUT chain.
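Deleting by number is the reliable way to remove several similar rules, with one catch: after iptables -D INPUT 3 the rule that was number 4 becomes number 3, so a list of numbers has to be deleted from the highest down. The added example below (not code from the tutorial) takes the numbers from a constructed listing in the format of iptables -L INPUT -n --line-numbers, the option that prints them, and emits the delete commands in the right order; IPTABLES defaults to a dry run.

```shell
#!/bin/sh
# Added example, not from the tutorial. Deletes every rule of a chain whose
# listing line matches a pattern, by rule number. Deleting a rule renumbers
# all rules below it, so the numbers are applied highest first; going upward
# would skip every second match. IPTABLES defaults to a dry run that prints.
IPTABLES="${IPTABLES:-echo iptables}"

# rule_numbers_matching LISTING PATTERN
# LISTING is the text of `iptables -L CHAIN -n --line-numbers`. Prints the
# numbers of the rules matching PATTERN, highest first. The two header lines
# ("Chain ..." and "num target ...") are skipped because their first field
# is not a number.
rule_numbers_matching() {
    printf '%s\n' "$1" | awk -v pat="$2" '$1 ~ /^[0-9]+$/ && $0 ~ pat { print $1 }' | sort -rn
}

# delete_matching CHAIN LISTING PATTERN
delete_matching() {
    chain="$1"
    for num in $(rule_numbers_matching "$2" "$3"); do
        $IPTABLES -D "$chain" "$num"
    done
}

# Constructed listing standing in for `iptables -L INPUT -n --line-numbers`.
SAMPLE_LISTING='Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    ACCEPT     tcp  --  192.168.0.0/24       0.0.0.0/0            tcp dpt:22
3    LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp flags:!0x17/0x02 LOG flags 0 level 4 prefix "New not syn:"
4    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp flags:!0x17/0x02
5    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53'

# In production: delete_matching INPUT "$(iptables -L INPUT -n --line-numbers)" 'flags:!0x17/0x02'
delete_matching INPUT "$SAMPLE_LISTING" 'flags:!0x17/0x02'
```

Take the listing once and delete from it; re-listing between deletions would give you fresh numbers but also hide the renumbering, which is the point the reverse order takes care of.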
(To find out a rule's number, run iptables -L CHAIN_NAME --line-numbers; the rules are then listed with their numbers. Translator's note.) To delete the whole contents of a chain use the -F command, for example

iptables -F INPUT

which deletes every rule in the INPUT chain. Note that this does not change the chain's default policy, so if it was set to DROP, everything that reaches the INPUT chain is still blocked. To reset the default policy, simply set it back to its initial state, for example iptables -P INPUT ACCEPT. I wrote a small script (described above) that clears all tables and chains and resets the chain policies in iptables. Note that if you use the mangle table you will have to extend that script, since it does not touch that table.

Common problems and questions

Problems loading modules

You may run into a few problems loading one module or another. For example, you may get a message saying that the requested module does not exist:

insmod: iptable_filter: no module by that name found

This is no reason to worry yet. The module (or modules) may well have been linked into the kernel statically, and that is the first thing to check. Simply run

iptables -t filter -L

If everything is fine, the command prints the list of all chains in the filter table, which should look roughly like this:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

If the filter table is missing, the output looks more like this:

iptables v1.2.5: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
This is more serious: the message means either that you forgot to install the modules, that you forgot to run depmod -a, or that you never compiled the required modules at all. The first problem is fixed by running make modules_install in the kernel source directory, the second by running depmod -a. Solving the third is beyond the scope of this tutorial; in that case I recommend the Linux Documentation Project home page. (See also the beginning of this document, where the installation of iptables is described. Translator's note.) Another error you can get when running iptables:

iptables: No chain/target/match by that name

It says that there is no such chain, target or match. This can have a great many causes; most likely you are trying to use a chain that does not exist (or has not been created yet), a target or match that does not exist, or the module that provides it has not been loaded.

Passive FTP but no DCC

This is one of the nice features of the new iptables on 2.4.x kernels: with the new connection tracking code you can allow passive FTP while refusing DCC transfers. You may ask how; it is quite simple. For this to be possible, ip_conntrack_irc, ip_nat_irc, ip_conntrack_ftp and ip_nat_ftp must be compiled as loadable modules rather than statically into the kernel. What these modules do is add connection tracking and NAT support for passive FTP and DCC send; without them the kernel's network code cannot handle these connections correctly. If, for example, you want to allow passive FTP but forbid DCC send, load the ip_conntrack_ftp and ip_nat_ftp modules, do NOT load ip_conntrack_irc and ip_nat_irc, and add the rule:

iptables -A INPUT -p TCP -m state --state RELATED -j ACCEPT

which lets the passive FTP data connections through but not DCC. (On 2.6 and later kernels the modules are called nf_conntrack_ftp, nf_nat_ftp, nf_conntrack_irc and nf_nat_irc, and since kernel 4.7 a loaded helper is no longer attached to connections automatically: it has to be assigned explicitly with the CT target in the raw table, for example iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp.)
If you want the opposite, forbidding passive FTP while allowing DCC, do exactly the reverse: load ip_conntrack_irc and ip_nat_irc and do NOT load ip_conntrack_ftp and ip_nat_ftp. Note that the ip_nat_* modules are only needed if your firewall does Network Address Translation or masquerading for local hosts connecting to the Internet. For more on active and passive FTP, read RFC 959, File Transfer Protocol, by J. Postel and J. Reynolds; it describes the FTP protocol, active and passive FTP and how they work. As that document explains, in active FTP the client sends the server its own IP address and a randomly chosen port for the data connection, and the server then connects to that port on the client. If the client sits behind a firewall doing NAT, the address in the data part of the packet has to be rewritten, which is what the ip_nat_ftp module does. In passive FTP the order is reversed: the client tells the server that it wants to send or receive data, and the server replies with the address and port the client should connect to.

State NEW packets but no SYN bit set

This feature of iptables is poorly documented, so many people (myself included) may overlook it. If your rules use the NEW state but do not check the SYN bit, packets with the SYN bit cleared can "leak" through your defences. This does have a use where several firewalls are involved: such a packet may belong to an ESTABLISHED connection that was set up through another firewall, so letting it pass allows two or more firewalls to work together, and any one of them can be taken down without breaking the established connections, since another firewall takes over the traffic.
However, this also makes it possible to open practically any TCP connection. To prevent it, add the following rules to the INPUT, OUTPUT and FORWARD chains (the INPUT pair is shown; the packets are first logged, then dropped):

$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
Note that there is a problem with the rules above and Microsoft's poor TCP/IP implementation. Under some circumstances packets generated by Microsoft software are classified as NEW and are therefore dropped by these rules. As far as I know this does not break any connections. What happens is that when a connection is closed and the final FIN/ACK is sent, netfilter closes the connection and removes it from the conntrack table; at that point the defective Microsoft code sends one more packet, which is classified as NEW but has no SYN bit set and therefore matches the rules above. In short, do not worry too much about these rules; if need be, look at the system log, where the dropped packets are recorded (see the rules above), and work from there. There is one more known problem with these rules. If someone is currently connected to the firewall, for example from the LAN, and brings up PPP, that connection is killed. This happens at the moment the conntrack and nat modules are loaded or unloaded. Another way to hit the problem is to run the rc.firewall.txt script over a telnet session from another machine: you telnet to the firewall and start rc.firewall.txt, which loads the connection tracking modules and installs the "NEW not SYN" rules. When the telnet client or daemon next tries to send something, the connection tracking code classifies the connection as NEW, but the packets carry no SYN bit, since they belong to a connection that was already established; so they match the rules, get logged and are dropped. (Current kernels pick up such mid-stream connections as ESTABLISHED by default, the nf_conntrack_tcp_loose setting, so this particular symptom is rarer today, but the rules are still the right way to stop SYN-less packets from opening connections.)
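The rules above for all three chains, with the LOG rule rate-limited by the limit match so that a flood of SYN-less NEW packets (a port scan, or the Microsoft close-down packets just described) cannot fill the log. This is an added example, not the tutorial's code; the log prefix is a single token so that the dry-run output can be pasted back as-is, and IPTABLES defaults to a dry run.

```shell
#!/bin/sh
# Added example; not the tutorial's own rule set. Installs the "NEW but no
# SYN" log-and-drop pair in INPUT, OUTPUT and FORWARD, as the text asks, and
# rate-limits the LOG rule with the limit match: once the burst is used up,
# only LOG_RATE packets per unit are logged, every one is still dropped.
# The prefix is a single token (the tutorial uses "New not syn:") so that the
# dry-run output is copy-pasteable. IPTABLES defaults to a dry run.
IPTABLES="${IPTABLES:-echo iptables}"

# new_not_syn_rules [LOG_RATE] [LOG_BURST]
new_not_syn_rules() {
    rate="${1:-3/minute}"; burst="${2:-5}"
    for chain in INPUT OUTPUT FORWARD; do
        $IPTABLES -A "$chain" -p tcp ! --syn -m state --state NEW \
            -m limit --limit "$rate" --limit-burst "$burst" \
            -j LOG --log-prefix "NEW_NOT_SYN:"
        $IPTABLES -A "$chain" -p tcp ! --syn -m state --state NEW -j DROP
    done
}

new_not_syn_rules
```

Keep the pair together and in this order; a LOG rule is non-terminating, so the DROP right after it is what actually stops the packet, and anything inserted between them would see the packet first.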
Internet Service Providers who use assigned IP addresses

I added this section to warn you about the dim-witted Internet Service Providers that use IP addresses IANA has set aside for local networks. For example, the Swedish Internet Service Provider and telephone monopoly Telia uses such addresses, among other things for its DNS servers, which sit in the 10.x.x.x range. The problem you are most likely to run into is that our scripts do not allow connections from any IP address in the 10.x.x.x range, because of the possibility of spoofed packets. If you are in this situation, you will probably have to remove some of the rules, or insert rules that let the traffic from those servers through ahead of the spoof-dropping rules, for example:

/usr/local/sbin/iptables -t nat -I PREROUTING -i eth1 -s 10.0.0.1/32 -j ACCEPT

This exception only helps if the anti-spoofing DROP rules sit in the nat table's PREROUTING chain behind it, which is what the rule assumes; ACCEPT in the nat table only means that the packet is not translated, it still passes through the filter table afterwards. Filtering in the nat table is a bad idea in general, since only the first packet of each connection passes through it, so if your anti-spoofing rules live in the filter table's INPUT and FORWARD chains, the exception has to go there too, ahead of them. I would like to remind such providers that these address ranges are not meant to be used on the Internet. For corporate networks, by all means; for your own home networks, excellent! But you should not force us to open up on your account.

Letting DHCP requests through iptables

This is actually quite simple once you know how DHCP works. First of all, DHCP runs over UDP, so the protocol is the first match. Next, narrow down the interface: if the DHCP requests arrive through $LAN_IFACE, DHCP traffic should only be allowed on that interface. Finally, to make the rule more specific, narrow down the ports: DHCP uses ports 67 and 68.
The rule might therefore look like this:

$IPTABLES -I INPUT -i $LAN_IFACE -p udp --dport 67:68 --sport 67:68 -j ACCEPT

Note that this rule allows all UDP traffic between ports 67 and 68, but that should not worry you too much, since it only lets through hosts on the LAN interface that talk to ports 67 and 68. It is enough to let DHCP requests through without opening the gates too widely. If security concerns you a lot, you can tighten the rule further, for example to the actual direction of DHCP: clients send from port 68 to port 67 and servers answer from port 67 to port 68.

mIRC DCC problems

mIRC has specific settings that let it connect through a firewall and handle DCC connections properly. If these settings are used together with iptables, specifically with the ip_conntrack_irc and ip_nat_irc modules, the combination simply does not work. The problem is that mIRC does its own Network Address Translation inside the packets, so when a packet reaches iptables it no longer knows what to do with it. mIRC does not expect the firewall to be smart enough to handle IRC correctly, so it asks the server for its own IP address and inserts that address into the DCC request it sends. Enabling the "I am behind a firewall" option while using the ip_conntrack_irc and ip_nat_irc modules makes netfilter log the message "Forged DCC send packet". The fix is simple: turn that option off in mIRC and let iptables do all the work.

ICMP types

This is a complete list of ICMP types:

Table 1. ICMP types
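Returning to the DHCP rule above: here it is tightened by direction, as an added example that is not the tutorial's code. A DHCP client sends from UDP port 68 to port 67 and a server answers from 67 to 68, and the firewall may play either role, server towards the LAN and client towards the ISP. The interface names are assumed, and IPTABLES defaults to a dry run.

```shell
#!/bin/sh
# Added example, not from the tutorial. Tightens the single DHCP rule by
# fixing the direction: a client sends from UDP port 68 to port 67, a server
# answers from 67 to 68 (RFC 2131). Interface names are assumed; IPTABLES
# defaults to a dry run that prints the commands.
IPTABLES="${IPTABLES:-echo iptables}"
LAN_IFACE="${LAN_IFACE:-eth1}"
INET_IFACE="${INET_IFACE:-eth0}"

# dhcp_rules ROLE IFACE
#   server: the firewall runs the DHCP server on IFACE (the LAN), so it must
#           accept client requests and be allowed to answer them.
#   client: the firewall obtains its own address on IFACE (e.g. from the ISP),
#           so it must be allowed to send requests and accept the offers.
# Both directions need explicit rules: the first request is a broadcast from
# 0.0.0.0, which the state match cannot tie to anything, so a
# "--state ESTABLISHED" rule does not cover the answer.
dhcp_rules() {
    role="$1"; iface="$2"
    case "$role" in
        server)
            $IPTABLES -A INPUT  -i "$iface" -p udp --sport 68 --dport 67 -j ACCEPT
            $IPTABLES -A OUTPUT -o "$iface" -p udp --sport 67 --dport 68 -j ACCEPT
            ;;
        client)
            $IPTABLES -A OUTPUT -o "$iface" -p udp --sport 68 --dport 67 -j ACCEPT
            $IPTABLES -A INPUT  -i "$iface" -p udp --sport 67 --dport 68 -j ACCEPT
            ;;
        *)
            echo "dhcp_rules: role must be server or client" >&2
            return 1
            ;;
    esac
}

dhcp_rules server "$LAN_IFACE"    # firewall hands out LAN addresses
dhcp_rules client "$INET_IFACE"   # firewall is itself a DHCP client upstream
```

One thing to be aware of when testing such rules: some clients, ISC dhclient among them, send and receive through packet sockets, which iptables never sees, so a missing rule may only show up with a client that uses ordinary UDP sockets.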
Other resources and links

Here is a list of links where you can find more information:
And of course the iptables source code, its documentation and the people who helped me.

Acknowledgements

I would like to express special thanks to the people who gave me invaluable help in creating this document:
History

Version 1.1.11 (27 May 2002)

GNU Free Documentation License

Version 1.1, March 2000
0. PREAMBLE

The purpose of this License is to make a manual, textbook, or other written document "free" in the sense of freedom: to assure everyone the effective freedom to copy and redistribute it, with or without modifying it, either commercially or noncommercially. Secondarily, this License preserves for the author and publisher a way to get credit for their work, while not being considered responsible for modifications made by others. This License is a kind of "copyleft", which means that derivative works of the document must themselves be free in the same sense. It complements the GNU General Public License, which is a copyleft license designed for free software. We have designed this License in order to use it for manuals for free software, because free software needs free documentation: a free program should come with manuals providing the same freedoms that the software does. But this License is not limited to software manuals; it can be used for any textual work, regardless of subject matter or whether it is published as a printed book. We recommend this License principally for works whose purpose is instruction or reference.

1. APPLICABILITY AND DEFINITIONS

This License applies to any manual or other work that contains a notice placed by the copyright holder saying it can be distributed under the terms of this License. The "Document", below, refers to any such manual or work. Any member of the public is a licensee, and is addressed as "you". A "Modified Version" of the Document means any work containing the Document or a portion of it, either copied verbatim, or with modifications and/or translated into another language. A "Secondary Section" is a named appendix or a front-matter section of the Document that deals exclusively with the relationship of the publishers or authors of the Document to the Document's overall subject (or to related matters) and contains nothing that could fall directly within that overall subject. (For example, if the Document is in part a textbook of mathematics, a Secondary Section may not explain any mathematics.) The relationship could be a matter of historical connection with the subject or with related matters, or of legal, commercial, philosophical, ethical or political position regarding them. The "Invariant Sections" are certain Secondary Sections whose titles are designated, as being those of Invariant Sections, in the notice that says that the Document is released under this License. The "Cover Texts" are certain short passages of text that are listed, as Front-Cover Texts or Back-Cover Texts, in the notice that says that the Document is released under this License. A "Transparent" copy of the Document means a machine-readable copy, represented in a format whose specification is available to the general public, whose contents can be viewed and edited directly and straightforwardly with generic text editors or (for images composed of pixels) generic paint programs or (for drawings) some widely available drawing editor, and that is suitable for input to text formatters or for automatic translation to a variety of formats suitable for input to text formatters. A copy made in an otherwise Transparent file format whose markup has been designed to thwart or discourage subsequent modification by readers is not Transparent. A copy that is not "Transparent" is called "Opaque". Examples of suitable formats for Transparent copies include plain ASCII without markup, Texinfo input format, LaTeX input format, SGML or XML using a publicly available DTD, and standard-conforming simple HTML designed for human modification. Opaque formats include PostScript, PDF, proprietary formats that can be read and edited only by proprietary word processors, SGML or XML for which the DTD and/or processing tools are not generally available, and the machine-generated HTML produced by some word processors for output purposes only. The "Title Page" means, for a printed book, the title page itself, plus such following pages as are needed to hold, legibly, the material this License requires to appear in the title page. For works in formats which do not have any title page as such, "Title Page" means the text near the most prominent appearance of the work's title, preceding the beginning of the body of the text.

2. VERBATIM COPYING

You may copy and distribute the Document in any medium, either commercially or noncommercially, provided that this License, the copyright notices, and the license notice saying this License applies to the Document are reproduced in all copies, and that you add no other conditions whatsoever to those of this License. You may not use technical measures to obstruct or control the reading or further copying of the copies you make or distribute. However, you may accept compensation in exchange for copies. If you distribute a large enough number of copies you must also follow the conditions in section 3. You may also lend copies, under the same conditions stated above, and you may publicly display copies.

3. COPYING IN QUANTITY

If you publish printed copies of the Document numbering more than 100, and the Document's license notice requires Cover Texts, you must enclose the copies in covers that carry, clearly and legibly, all these Cover Texts: Front-Cover Texts on the front cover, and Back-Cover Texts on the back cover. Both covers must also clearly and legibly identify you as the publisher of these copies. The front cover must present the full title with all words of the title equally prominent and visible. You may add other material on the covers in addition. Copying with changes limited to the covers, as long as they preserve the title of the Document and satisfy these conditions, can be treated as verbatim copying in other respects. If the required texts for either cover are too voluminous to fit legibly, you should put the first ones listed (as many as fit reasonably) on the actual cover, and continue the rest onto adjacent pages. If you publish or distribute Opaque copies of the Document numbering more than 100, you must either include a machine-readable Transparent copy along with each Opaque copy, or state in or with each Opaque copy a publicly-accessible computer-network location containing a complete Transparent copy of the Document, free of added material, which the general network-using public has access to download anonymously at no charge using public-standard network protocols. If you use the latter option, you must take reasonably prudent steps, when you begin distribution of Opaque copies in quantity, to ensure that this Transparent copy will remain thus accessible at the stated location until at least one year after the last time you distribute an Opaque copy (directly or through your agents or retailers) of that edition to the public. It is requested, but not required, that you contact the authors of the Document well before redistributing any large number of copies, to give them a chance to provide you with an updated version of the Document.

4. MODIFICATIONS

You may copy and distribute a Modified Version of the Document under the conditions of sections 2 and 3 above, provided that you release the Modified Version under precisely this License, with the Modified Version filling the role of the Document, thus licensing distribution and modification of the Modified Version to whoever possesses a copy of it. In addition, you must do these things in the Modified Version:

If the Modified Version includes new front-matter sections or appendices that qualify as Secondary Sections and contain no material copied from the Document, you may at your option designate some or all of these sections as invariant. To do this, add their titles to the list of Invariant Sections in the Modified Version's license notice. These titles must be distinct from any other section titles. You may add a section entitled "Endorsements", provided it contains nothing but endorsements of your Modified Version by various parties--for example, statements of peer review or that the text has been approved by an organization as the authoritative definition of a standard. You may add a passage of up to five words as a Front-Cover Text, and a passage of up to 25 words as a Back-Cover Text, to the end of the list of Cover Texts in the Modified Version. Only one passage of Front-Cover Text and one of Back-Cover Text may be added by (or through arrangements made by) any one entity. If the Document already includes a cover text for the same cover, previously added by you or by arrangement made by the same entity you are acting on behalf of, you may not add another; but you may replace the old one, on explicit permission from the previous publisher that added the old one. The author(s) and publisher(s) of the Document do not by this License give permission to use their names for publicity for or to assert or imply endorsement of any Modified Version.

5. COMBINING DOCUMENTS

You may combine the Document with other documents released under this License, under the terms defined in section 4 above for modified versions, provided that you include in the combination all of the Invariant Sections of all of the original documents, unmodified, and list them all as Invariant Sections of your combined work in its license notice. The combined work need only contain one copy of this License, and multiple identical Invariant Sections may be replaced with a single copy. If there are multiple Invariant Sections with the same name but different contents, make the title of each such section unique by adding at the end of it, in parentheses, the name of the original author or publisher of that section if known, or else a unique number. Make the same adjustment to the section titles in the list of Invariant Sections in the license notice of the combined work. In the combination, you must combine any sections entitled "History" in the various original documents, forming one section entitled "History"; likewise combine any sections entitled "Acknowledgements", and any sections entitled "Dedications". You must delete all sections entitled "Endorsements."

6. COLLECTIONS OF DOCUMENTS

You may make a collection consisting of the Document and other documents released under this License, and replace the individual copies of this License in the various documents with a single copy that is included in the collection, provided that you follow the rules of this License for verbatim copying of each of the documents in all other respects. You may extract a single document from such a collection, and distribute it individually under this License, provided you insert a copy of this License into the extracted document, and follow this License in all other respects regarding verbatim copying of that document.

7. AGGREGATION WITH INDEPENDENT WORKS

A compilation of the Document or its derivatives with other separate and independent documents or works, in or on a volume of a storage or distribution medium, does not as a whole count as a Modified Version of the Document, provided no compilation copyright is claimed for the compilation. Such a compilation is called an "aggregate", and this License does not apply to the other self-contained works thus compiled with the Document, on account of their being thus compiled, if they are not themselves derivative works of the Document. If the Cover Text requirement of section 3 is applicable to these copies of the Document, then if the Document is less than one quarter of the entire aggregate, the Document's Cover Texts may be placed on covers that surround only the Document within the aggregate. Otherwise they must appear on covers around the whole aggregate.

8. TRANSLATION

Translation is considered a kind of modification, so you may distribute translations of the Document under the terms of section 4. Replacing Invariant Sections with translations requires special permission from their copyright holders, but you may include translations of some or all Invariant Sections in addition to the original versions of these Invariant Sections. You may include a translation of this License provided that you also include the original English version of this License. In case of a disagreement between the translation and the original English version of this License, the original English version will prevail.

9. TERMINATION

You may not copy, modify, sublicense, or distribute the Document except as expressly provided for under this License. Any other attempt to copy, modify, sublicense or distribute the Document is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.

10. FUTURE REVISIONS OF THIS LICENSE

The Free Software Foundation may publish new, revised versions of the GNU Free Documentation License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. See http://www.gnu.org/copyleft/. Each version of the License is given a distinguishing version number. If the Document specifies that a particular numbered version of this License "or any later version" applies to it, you have the option of following the terms and conditions either of that specified version or of any later version that has been published (not as a draft) by the Free Software Foundation. If the Document does not specify a version number of this License, you may choose any version ever published (not as a draft) by the Free Software Foundation.

How to use this License for your documents

To use this License in a document you have written, include a copy of the License in the document and put the following copyright and license notices just after the title page:
If you have no Invariant Sections, write "with no Invariant Sections" instead of saying which ones are invariant. If you have no Front-Cover Texts, write "no Front-Cover Texts" instead of "Front-Cover Texts being LIST"; likewise for Back-Cover Texts. If your document contains nontrivial examples of program code, we recommend releasing these examples in parallel under your choice of free software license, such as the GNU General Public License, to permit their use in free software. GNU General Public LicenseVersion 2, June 1991
0. PreambleThe licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Library General Public License instead.) You can apply it to your programs, too. When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things. To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it. For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights. We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software. Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. 
If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations. Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all. The precise terms and conditions for copying, distribution and modification follow. 1. TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
END OF TERMS AND CONDITIONS 2. How to Apply These Terms to Your New ProgramsIf you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms. To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found.
Also add information on how to contact you by electronic and paper mail. If the program is interactive, make it output a short notice like this when it starts in an interactive mode:
The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than `show w' and `show c'; they could even be mouse-clicks or menu items--whatever suits your program. You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the program, if necessary. Here is a sample; alter the names:
This General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Library General Public License instead of this License.

Example scripts codebase

Example rc.firewall script

#!/bin/sh

Example rc.DMZ.firewall script

#!/bin/sh

Example rc.UTIN.firewall script

#!/bin/sh

Example rc.DHCP.firewall script

#!/bin/sh

Example rc.flush-iptables script

#!/bin/sh

Example rc.test-iptables script

#!/bin/bash