
Iptables Tutorial 1.1.11

Oskar Andreasson (blueflux@koffein.net)

Copyright (C) 2001 by Oskar Andreasson

Translation: Andrey Kiselev (kis_an@mail.ru)
The original can be found at: http://www.linuxsecurity.com/resource_files/firewalls/IPTables-Tutorial/iptables-tutorial.html

Permission is granted to copy and/or modify this document, or any part of it, under the terms of the GNU Free Documentation License, version 1.1. The invariant sections are the "Introduction" section with all of its subsections, and the sections that begin with the words "Original Author: Oskar Andreasson".
A copy of the GNU Free Documentation License is included in this document, in the section "GNU Free Documentation License".

All scripts in this tutorial are covered by the GNU General Public License. They are free software: you may redistribute and/or modify them under the terms of the GNU General Public License, version 2.

The scripts are distributed in the hope that they will be useful to you, but WITHOUT ANY WARRANTY. See the text of the GNU General Public License for details.

A copy of the GNU General Public License should accompany this document, in the section "GNU General Public License"; if it is missing, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA.


Contents

Introduction
  About the author
  Dedications
  Why this document was written
  How it was written
  How to read this document
  Terms used in this document
Preparations
  Where to get iptables
  Kernel setup
  Installing the package
    Compiling the package
    Installation on Red Hat 7.1
Traversing of tables and chains
  General
  The mangle table
  The nat table
  The filter table
The state machine
  Introduction
  The connection tracking table
  States
  TCP connections
  UDP connections
  ICMP connections
  Default behaviour
  Tracking complex protocols
How to build a rule
  Basics
  Tables
  Commands
  Matches
    Generic matches
    Implicit matches
    Explicit matches
  Targets and jumps
    ACCEPT target
    DROP target
    QUEUE target
    RETURN target
    LOG target
    MARK target
    REJECT target
    TOS target
    MIRROR target
    SNAT target
    DNAT target
    MASQUERADE target
    REDIRECT target
    TTL target
    ULOG target
The rc.firewall file
  Example rc.firewall
  Explanation of the rc.firewall script
    Configuration
    Loading extra modules
    Setting up /proc
    Placing rules in other chains
    Setting default policies
    Creating user-defined chains
      The bad_tcp_packets chain
      The allowed chain
      The TCP chain
      The UDP chain
      The ICMP chain
    The INPUT chain
    The OUTPUT chain
    The FORWARD chain
    The PREROUTING chain of the nat table
    Starting Network Address Translation
Example scripts
  Structure of the rc.firewall.txt file
    Structure
    rc.firewall.txt
  rc.DMZ.firewall.txt
  rc.DHCP.firewall.txt
  rc.UTIN.firewall.txt
  rc.test-iptables.txt
  rc.flush-iptables.txt
Detailed explanation of special commands
  Listing the active ruleset
  Updating and flushing your tables
Common problems and questions
  Problems loading modules
  Passive FTP but no DCC
  Packets in state NEW with the SYN bit not set
  Internet Service Providers who use reserved IP addresses
  Letting DHCP requests through iptables
  mIRC DCC problems
ICMP types
Links to other resources
Acknowledgements
History
GNU Free Documentation License
  0. PREAMBLE
  1. APPLICABILITY AND DEFINITIONS
  2. VERBATIM COPYING
  3. COPYING IN QUANTITY
  4. MODIFICATIONS
  5. COMBINING DOCUMENTS
  6. COLLECTIONS OF DOCUMENTS
  7. AGGREGATION WITH INDEPENDENT WORKS
  8. TRANSLATION
  9. TERMINATION
  10. FUTURE REVISIONS OF THIS LICENSE
  How to use this License for your documents
GNU General Public License
  0. Preamble
  1. TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
  2. How to Apply These Terms to Your New Programs
Example scripts (code listings)
  Example script rc.firewall
  Example script rc.DMZ.firewall
  Example script rc.UTIN.firewall
  Example script rc.DHCP.firewall
  Example script rc.flush-iptables
  rc.test-iptables

Introduction

About the author

I am someone who looks after a fair number of aging computers, which I have joined into a local network with Internet access and whose security I am responsible for. In that respect the move from ipchains to iptables is well justified. Before, to tighten a network you could drop all packets by closing particular ports, but that caused problems with passive FTP and with outgoing DCC in IRC, where the server assigns ports dynamically and then tells the client which port to connect to. In the beginning I ran into some "diseases" inherited from ipchains and considered the iptables code not quite ready for a final release. Today I would recommend that everyone still working with ipchains and ipfwadm switch to iptables!


Dedications

First of all I would like to dedicate this document to my wonderful girlfriend Ninel. She supports me more than I will ever be able to support her.

Secondly, to all the Linux developers who made this remarkable operating system, for their incredibly hard work.


Why this document was written

Simply put, I felt there was an annoying gap in the HOWTOs when it came to information about iptables and the netfilter functions implemented in the new 2.4.x series of Linux kernels. Among other things I tried to answer some questions about the new features, for example state matching (the translator could not find a better Russian term for it :(( translator's note), which makes passive FTP to your server possible while still not letting outgoing DCC traffic from IRC through. All examples are taken from the file rc.firewall.txt, which you can drop into /etc/rc.d/. For those who are interested: that file was originally based on the masquerading HOWTO.

There you will also find a small script, rc.flush-iptables.txt, written by me. You may use it too, extending it to suit your configuration where necessary.


How it was written

I asked questions of Marc Boucher and other members of the netfilter development team. I take this opportunity to express my deep gratitude for their help in creating this tutorial, which was written for boingworld.com. It walks you through the setup step by step, and I hope that by the end of it you will know a good deal more about the iptables package. Most of the material is based on the file rc.firewall.txt, because I believe that studying an example is the best way to learn iptables. I will go through the main chains of rules in the order in which they are traversed. That makes the material somewhat harder to study, but the presentation becomes more logical. And whenever you run into trouble, you can come back to this tutorial.


How to read this document

This document is written to make it easier for readers to understand the wonderful world of iptables. You will not find information about bugs in iptables or netfilter here. If you run into one, contact the development team; they can tell you whether it really is a bug. These days iptables and netfilter contain hardly any bugs, although now and then one or two slip through. Information about such bugs always appears on the netfilter home page.

The above also means that the rulesets accompanying this tutorial were written without taking any possible bugs inside netfilter into account. The main purpose of the examples is to show how a ruleset is written and which problems you may run into. For example, this document does not explain how to close the Apache 1.2.12 vulnerability on the HTTP port (in fact the examples do show how to close that port, but for a different reason).

This document was written to give beginners a good, simple and at the same time reasonably complete iptables tutorial. It contains no information about the targets and matches from patch-o-matic, for the simple reason that it would take too much effort to keep track of the whole list of changes. If you need information about the patch-o-matic modifications, turn to the documentation that accompanies the particular patch-o-matic; it is available from the netfilter home page.


Terms used in this document

This document contains a few terms that should be explained before you encounter them.

Stream: by this term I mean a connection over which packets are sent and received. I use it for connections over which at least two packets travel, one in each direction. For TCP this can mean a connection in which a SYN packet is sent and a SYN/ACK packet is then received. But it can equally mean sending a SYN packet and receiving an ICMP Host unreachable message. In other words, I use the term rather loosely.

State: by this term I mean the state a packet is in, according to RFC 793 - Transmission Control Protocol, and also according to the interpretations used in netfilter/iptables.


Preparations

The purpose of this chapter is to help you understand the role that netfilter and iptables play in Linux today. It should also help you install and set up a firewall.


Where to get iptables

The iptables packages can be downloaded from the netfilter home page. For iptables to work, the kernel of your Linux system must be configured appropriately. Kernel setup is discussed below.


Kernel setup

To get the basic iptables functionality, the following options must be enabled in the kernel using make config or one of its equivalents (make menuconfig or make xconfig, translator's note):

CONFIG_PACKET -- This option is needed by applications that work directly with network devices, for example tcpdump or snort.

CONFIG_NETFILTER -- This option is needed if you are going to use the computer as a firewall or as a gateway to the Internet. In other words, you definitely need it, otherwise why read this tutorial at all!

And of course you need to add the drivers for your devices, i.e. for the Ethernet card, PPP and SLIP. To use the more advanced features of iptables you will have to enable a few additional kernel options. Below is the list of options for kernel 2.4.9 with a short description of each.

CONFIG_IP_NF_CONNTRACK -- Connection tracking. Among other things, connection tracking is used for Network Address Translation and masquerading (NAT and Masquerading). If you are going to build a firewall for a local network, you will definitely need this option. For example, this module is required by rc.firewall.txt.

CONFIG_IP_NF_FTP -- Connection tracking for FTP. FTP is hard to track with the generic conn­ection tracking code, because the data connection is negotiated inside the control session on dynamically chosen ports. Without this module you will run into trouble passing FTP through the firewall.

CONFIG_IP_NF_IPTABLES -- This option is required for filtering, Network Address Translation (NAT) and masquerading. Without it you cannot do anything at all with iptables.

CONFIG_IP_NF_MATCH_LIMIT -- This module is optional, but it is used in the rc.firewall.txt examples. It provides a way to limit how often a rule may match. For example, -m limit --limit 3/minute says that the rule matches at most 3 packets a minute (after the initial burst allowed by --limit-burst). Its usual job is to keep a flood of packets from filling the log, or from provoking a LOG or REJECT response for every packet; that is how the module helps against denial-of-service attacks.

CONFIG_IP_NF_MATCH_MAC -- This module lets you build rules based on MAC addresses. As you know, every network card has its own unique Ethernet address, so it becomes possible to block packets coming from particular MAC addresses (i.e. from particular network cards). Two caveats: the match only works in chains that see a packet as it arrives (PREROUTING, INPUT and FORWARD), and a MAC address is trivially forged, so it is not an authentication mechanism. Note also that this module is not used in rc.firewall.txt or anywhere else in this tutorial.

CONFIG_IP_NF_MATCH_MARK -- The packet marking (MARK) function. For example, with the MARK target we can mark the packets we are interested in and then, in other tables, make routing decisions for a marked packet depending on the value of the mark. A more detailed description of MARK is given later in this document.

CONFIG_IP_NF_MATCH_MULTIPORT -- This module lets you build rules that check whether a packet's source or destination port belongs to a list of ports (up to 15 in one rule), instead of writing one rule per port.

CONFIG_IP_NF_MATCH_TOS -- This module lets you build rules based on the state of the TOS field in the packet. TOS stands for Type Of Service. It also becomes possible to set and clear the bits of this field in your own rules in the mangle table, or with the ip/tc commands.

CONFIG_IP_NF_MATCH_TCPMSS -- This option adds the ability to check the MSS field of TCP packets.

CONFIG_IP_NF_MATCH_STATE -- This is one of the most significant improvements over ipchains. This module lets you handle packets (TCP, but also UDP and ICMP) based on their state. For example, suppose we have an established TCP connection with traffic in both directions; a packet received on that connection is then considered ESTABLISHED. This feature is used extensively in the rc.firewall.txt example.

CONFIG_IP_NF_MATCH_UNCLEAN -- This module adds an extra check of IP, TCP, UDP and ICMP packets for inconsistencies, "oddities" and errors. With it we can, for example, "cut off" packets of that kind. Note, however, that this module is still experimental and may not behave consistently in all cases, so you can never be quite sure that you have not dropped perfectly valid packets.

CONFIG_IP_NF_MATCH_OWNER -- Matching on the "owner" of the socket. For example, we could allow only the user root to access the Internet. This module was written as an example of how to work with iptables. Note that it has experimental status and may not always do its job. Because the owner is a property of the local socket, the match can only be used on locally generated packets, i.e. in the OUTPUT chain.

CONFIG_IP_NF_FILTER -- Implements the filter table, where most of the filtering is done. This table contains the INPUT, FORWARD and OUTPUT chains. This module is mandatory if you plan to filter packets.

CONFIG_IP_NF_TARGET_REJECT -- Adds the REJECT target, which sends an ICMP error message in reply to an incoming packet that is refused by the rule. Remember that TCP connections, unlike UDP and ICMP, are normally reset or refused with a TCP RST packet; REJECT sends one only when asked to with --reject-with tcp-reset, its default for every protocol is an ICMP port unreachable.

CONFIG_IP_NF_TARGET_MIRROR -- The ability to send a received packet back to where it came from (reflection). For example, if the MIRROR target is applied to packets arriving on the HTTP port through our INPUT chain (i.e. aimed at our web server, translator's note), the packet is bounced back and, as a result, the sender sees his own home page. (There are a few "ifs" here: if the sender runs a web server, if it listens on the same port, if the sender has a home page, and so on. Essentially, from the sender's point of view everything looks as if the packet had been sent to his own machine; put simply, the MIRROR target swaps the source and destination addresses and puts the altered packet back on the wire. translator's note.)

CONFIG_IP_NF_NAT -- NAT. Network Address Translation in its various forms. With this option you can give Internet access to all the computers on your local network while having only one unique IP address. This option is required by the rc.firewall.txt example.

CONFIG_IP_NF_TARGET_MASQUERADE -- Masquerading. Unlike NAT, masquerading is used when our IP address on the Internet is not known in advance, i.e. with DHCP, PPP, SLIP or any other kind of connection that assigns the IP address dynamically. Masquerading puts a somewhat higher load on the computer than NAT, but it works in situations where you cannot state your own external IP address in advance.

CONFIG_IP_NF_TARGET_REDIRECT -- Redirection. This target is normally used together with a proxy. Instead of simply passing the packet on, it redirects the packet to another port on the firewall itself. In other words, this is how we get "transparent proxying".

CONFIG_IP_NF_TARGET_LOG -- Adds the LOG target to iptables. We can use this module to record individual packets in the system log (syslog). This can be very useful when debugging your scripts.

CONFIG_IP_NF_TARGET_TCPMSS -- This option can be used to get around the restrictions imposed by some Internet Service Providers who block ICMP Fragmentation Needed packets. As a result of such restrictions the providers' servers may fail to deliver web pages, ssh may work while scp dies right after the connection is established, and so on. To get around this we can use the TCPMSS target to limit the MSS (Maximum Segment Size) value (usually the MSS is clamped to the MTU of the outgoing interface minus 40 bytes, translator's note). This lets us work around what the netfilter authors, in the kernel configuration help, call "criminally braindead ISPs or servers".

CONFIG_IP_NF_COMPAT_IPCHAINS -- Adds compatibility with the older ipchains technology. Do not treat it as a long-term answer to migrating from 2.2 to 2.4 kernels: it may well be gone in the 2.6.x series.

CONFIG_IP_NF_COMPAT_IPFWADM -- Adds compatibility with ipfwadm, even though it is a very old firewalling tool.

As you can see, I have given a short description of every module. These options are available in kernel version 2.4.9.

For the rc.firewall.txt script to work you will need to build the following options into the kernel, or build the corresponding loadable modules. For the options needed by the other scripts, see the appendix with the example scripts.

  • CONFIG_PACKET
  • CONFIG_NETFILTER
  • CONFIG_IP_NF_CONNTRACK
  • CONFIG_IP_NF_FTP
  • CONFIG_IP_NF_IRC
  • CONFIG_IP_NF_IPTABLES
  • CONFIG_IP_NF_FILTER
  • CONFIG_IP_NF_NAT
  • CONFIG_IP_NF_MATCH_STATE
  • CONFIG_IP_NF_TARGET_LOG
  • CONFIG_IP_NF_MATCH_LIMIT
  • CONFIG_IP_NF_TARGET_MASQUERADE

Above is the list of the minimum kernel options required for the rc.firewall.txt script. The lists of options needed by the other example scripts can be found in the corresponding sections below. For now we will concentrate on the main script and start studying it.
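As an added example (this is not the tutorial's rc.firewall.txt and not code from the netfilter project), here is a minimal LAN-gateway firewall written to use exactly the kernel options in the list above: connection tracking with the state match, the FTP and IRC helpers, limit, LOG, the filter table and nat with MASQUERADE. The interface names eth0/eth1 and the prefix 192.168.0.0/24 are assumptions. Running it with IPT=echo prints the iptables commands it would issue; "sh script apply" as root applies them.

```sh
#!/bin/sh
# Added example: a minimal stateful firewall for a LAN gateway that uses exactly
# the kernel options listed above (conntrack + state, the FTP/IRC helpers,
# limit, LOG, filter, nat/MASQUERADE). It is not the tutorial's rc.firewall.txt.
# Interface names and the LAN prefix are assumptions; override them in the environment.

IPT="${IPT:-/sbin/iptables}"          # run with IPT=echo to preview instead of apply
INET_IFACE="${INET_IFACE:-eth0}"      # assumed Internet-facing interface
LAN_IFACE="${LAN_IFACE:-eth1}"        # assumed LAN interface
LAN_NET="${LAN_NET:-192.168.0.0/24}"  # assumed LAN prefix

ipt() { "$IPT" "$@"; }

# The helpers are separate modules: without ip_conntrack_ftp the data connection
# of a passive FTP session is never classified RELATED and gets dropped.
load_modules() {
    for m in ip_tables ip_conntrack ip_conntrack_ftp ip_conntrack_irc \
             iptable_nat ipt_state ipt_limit ipt_LOG ipt_MASQUERADE; do
        modprobe "$m" 2>/dev/null || true
    done
}

firewall_rules() {
    # CONFIG_IP_NF_FILTER: default-deny on all three built-in chains.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP

    # CONFIG_IP_NF_MATCH_STATE: replies and helper-opened connections pass;
    # this one rule per chain is what makes passive FTP work.
    ipt -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Loopback, and anything the gateway itself initiates.
    ipt -A INPUT  -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A OUTPUT -m state --state NEW -j ACCEPT

    # NEW connections are accepted only from the LAN side: to the gateway's SSH
    # port, and onward to the Internet. NEW from the Internet falls to the policy.
    ipt -A INPUT   -i "$LAN_IFACE" -s "$LAN_NET" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    ipt -A FORWARD -i "$LAN_IFACE" -s "$LAN_NET" -o "$INET_IFACE" -m state --state NEW -j ACCEPT

    # CONFIG_IP_NF_MATCH_LIMIT + CONFIG_IP_NF_TARGET_LOG: record what the policy
    # drops, at most 3 lines a minute after an initial burst of 5, so that a
    # flood cannot fill syslog (the limit applies to the LOG rule, not to the drop).
    ipt -A INPUT   -m limit --limit 3/minute --limit-burst 5 -j LOG --log-prefix "IPT INPUT drop: "
    ipt -A FORWARD -m limit --limit 3/minute --limit-burst 5 -j LOG --log-prefix "IPT FORWARD drop: "

    # CONFIG_IP_NF_NAT + CONFIG_IP_NF_TARGET_MASQUERADE: the LAN hides behind
    # whatever address INET_IFACE has right now (dial-up/DHCP friendly).
    ipt -t nat -A POSTROUTING -s "$LAN_NET" -o "$INET_IFACE" -j MASQUERADE
}

if [ "${1:-}" = "apply" ]; then
    load_modules
    echo 1 > /proc/sys/net/ipv4/ip_forward
    firewall_rules
fi
```

The policies are set before any rule is added, so there is no window in which the box is open while the script runs; the limit match sits on the LOG rule only, so a flood is still dropped at full speed, just not logged at full speed.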


Installing the package

First of all let us look at how to build (compile) the iptables package. Building the package depends heavily on the kernel configuration, and you must understand that. Some distributions come with iptables preinstalled; Red Hat 7.1 is one of them. In Red Hat 7.1, however, the package is switched off by default, so below we look at how to enable it there and in other distributions.

Compiling the package

First the iptables source package has to be unpacked. We will work with iptables 1.2.6a and kernel 2.4.9. Unpack it in the usual way, with bzip2 -cd iptables-1.2.6a.tar.bz2 | tar -xvf -. If unpacking succeeded, the package is in the directory iptables-1.2.6a. For further information see the file iptables-1.2.6a/INSTALL, which contains detailed instructions on building and installing the package.

Next, the extra modules and options have to be added to the kernel. The steps described here concern only applying patches to the kernel. In this step we install updates that are expected to be merged into the kernel in the future.

Note

Some of them are still experimental, but among them are some extremely interesting matches and targets. Perform this step by running the following command (as root, naturally):

make pending-patches KERNEL_DIR=/usr/src/linux/

The KERNEL_DIR variable must contain the path to your kernel source. Usually this is /usr/src/linux/. If your sources live elsewhere, give that path instead.

Note

This step applies a number of updates and additions that will definitely go into the kernel, but somewhat later; for now we take them from here, with the command

make most-of-pom KERNEL_DIR=/usr/src/linux/

While the command above runs you will be asked to confirm every update from what the netfilter world calls patch-o-matic. To install all of the patches from patch-o-matic, run the following command instead:

make patch-o-matic KERNEL_DIR=/usr/src/linux/

Do not forget to read the help for each patch carefully and to the end before installing anything, because some patches are incompatible with others, and some, applied together, can even break the kernel.

Note

You can skip patching the kernel altogether; in other words there is no particular need for it. But patch-o-matic contains genuinely interesting updates, and you may well want to look at them. Nothing bad happens if you run these commands just to see which updates are available.

Once the patching is finished, you will need to rebuild the kernel with the freshly installed updates. Do not forget to configure the kernel first, because the newly installed updates will most likely be switched off. In principle you can postpone compiling the kernel until you have finished installing iptables.

To continue building iptables, run:

make KERNEL_DIR=/usr/src/linux/

If any problems come up during the build, you can try to solve them yourself or turn to the netfilter mailing list, where people can help you. There you will find explanations of what you may have done wrong during installation, so do not panic right away. If that does not help, try to reason it out logically; that may help too. Or ask someone who knows.

If everything went smoothly, you are ready to install the binaries; run the following command:

make install KERNEL_DIR=/usr/src/linux/

Hopefully no problems here! Now, to use the iptables package, you will definitely need to rebuild and install the kernel, if you have not done so already. Further information on installing the package is in the INSTALL file.


Installation on Red Hat 7.1

Red Hat 7.1, with its 2.4.x kernel, already ships with netfilter and iptables preinstalled. However, to stay backward compatible with earlier releases, the ipchains package is the one running by default. We will now briefly go through how to remove ipchains and run iptables instead.

Note

The iptables version in Red Hat 7.1 is quite outdated, and installing a newer version of iptables is probably a good idea.

First ipchains has to be switched off so that its modules are not loaded in the future. To achieve this, some files in the /etc/rc.d/ directory tree have to be renamed. The following command does what is needed:

chkconfig --level 0123456 ipchains off

As a result of this command, the letter S in some of the file names (which says that the script runs at system startup) is replaced by the letter K (from Kill, which says that the script runs at system shutdown). So we end up with link names like K92ipchains, which prevents the service from starting in the future.

But ipchains is still running. Now we run the command that stops the service:

service ipchains stop

Finally the iptables service has to be started. For that we first have to decide on which runlevels the service should start. Usually these are runlevels 2, 3 and 5. About these runlevels we know:

  • 2. Multi-user mode without NFS support, or the same as 3 but without networking.
  • 3. Full multi-user mode.
  • 5. X11. This runlevel is used to start X Windows automatically.

To start iptables on these runlevels, run:

chkconfig --level 235 iptables on

A word about the runlevels on which iptables is not started: runlevel 1 is single-user mode, normally used in emergencies when we are bringing a "crashed" system back up. Runlevel 4 is not meant to be used at all. Runlevel 0 is system halt and runlevel 6 is reboot; neither is a state in which the firewall needs to be up.

To activate the iptables service, run:

service iptables start

So we have started iptables, but we do not have a single rule yet. There are two ways to add rules in Red Hat 7.1. The first is to edit the file /etc/rc.d/init.d/iptables, but this has the drawback that all your rules are lost when iptables is updated from RPM packages. The second is to enter the rules and save them with iptables-save; rules saved that way are restored automatically when the system boots.

If you chose the first way of setting up rules in iptables, you have to put them in the start section of the /etc/rc.d/init.d/iptables script (to load the rules at boot), or in the start() function. For actions at shutdown, make the corresponding changes in the stop) section or in the stop() function. Do not forget about the restart and condrestart sections either. Once more: when iptables is updated from RPM packages or through automatic network updates, you may lose all changes made to /etc/rc.d/init.d/iptables.

The second way of loading rules is preferable. It involves the following steps. First, enter the rules, either from a file or directly with the iptables command, whichever you prefer. Then save them with iptables-save > /etc/sysconfig/iptables (iptables-save itself only writes the ruleset to standard output; the redirection is what puts it in the file). The whole ruleset is then stored in /etc/sysconfig/iptables, which is loaded automatically when the iptables service starts. Another way to save the ruleset is the command service iptables save, which does exactly the same thing. Afterwards, when the computer reboots, the iptables script from rc.d runs iptables-restore to load the ruleset from /etc/sysconfig/iptables.

Finally, to complete the installation, it would be a good idea to remove the old ipchains package:

rpm -e ipchains
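Because /etc/sysconfig/iptables is loaded unattended at every boot, it is worth checking a saved ruleset before relying on it. The following added example (not part of the tutorial or of Red Hat's init script) reads a file in the format iptables-save writes and iptables-restore reads, and refuses it if any built-in chain of the filter table was saved with an ACCEPT policy or if a table block lacks its COMMIT. The sample ruleset inside it is constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not part of the tutorial or of Red Hat's init script).
# Checks a ruleset in iptables-save format, i.e. what "iptables-save >
# /etc/sysconfig/iptables" writes and what iptables-restore loads at boot,
# before it is put in place: every built-in chain of the filter table must carry
# a DROP policy and every table block must be terminated by COMMIT.

# check_saved_rules [FILE]   (reads stdin when no FILE is given)
# Prints one line per problem; exit status 0 means the ruleset passed.
check_saved_rules() {
    awk '
        /^\*/      { table = substr($0, 2); committed[table] = 0; next }
        /^COMMIT$/ { committed[table] = 1; next }
        /^:/ {
            # Chain line: ":NAME POLICY [packets:bytes]"; user-defined chains show "-".
            chain = substr($1, 2); policy = $2
            if (table == "filter" && policy != "DROP" &&
                (chain == "INPUT" || chain == "FORWARD" || chain == "OUTPUT")) {
                printf "filter chain %s has policy %s (expected DROP)\n", chain, policy
                bad++
            }
            next
        }
        END {
            for (t in committed)
                if (!committed[t]) { printf "table %s is missing COMMIT\n", t; bad++ }
            exit (bad ? 1 : 0)
        }' "$@"
}

# Constructed sample in the format iptables-save emits: masquerading is set up,
# but INPUT and OUTPUT were left at ACCEPT, which is exactly the mistake the
# check is meant to catch before the ruleset is restored at boot.
sample_weak_ruleset() {
    cat <<'EOF'
# Generated by iptables-save v1.2.6a
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}
```

Typical use is check_saved_rules /etc/sysconfig/iptables right after service iptables save; an ACCEPT policy in the nat table is normal and is deliberately not reported, only the filter table's built-in chains are held to DROP.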

Traversing of tables and chains

In this chapter we look at the order in which the tables, and the chains within each table, are traversed. This information will be very important to you later on, when you start building your own rulesets, especially once they include targets such as DNAT, SNAT and of course TOS.


General

When a packet arrives at our firewall it first hits the network device, is picked up by the corresponding driver and is then passed to the kernel. The packet then passes through a series of tables and is finally handed either to a local application or forwarded to another machine. The order in which a packet is handled is given below.

Table 1. Forwarded packets

Step  Table   Chain        Comment
1                          On the wire (i.e. the Internet)
2                          Network interface (e.g. eth0)
3     mangle  PREROUTING   Normally used to alter packet headers, for example to change the TOS bits.
4     nat     PREROUTING   Used for Destination Network Address Translation. Source Network Address Translation is done later, in another chain. Filtering of any kind in this chain should be done only in exceptional cases.
5                          Routing decision: here it is decided whether the packet goes to a local application or to another host on the network.
6     filter  FORWARD      Only packets that go on to another host reach the FORWARD chain. All filtering of forwarded traffic should be done here. Do not forget that traffic in both directions passes through this chain; keep that in mind when writing filtering rules.
7     nat     POSTROUTING  Intended first and foremost for Source Network Address Translation. Do not use it for filtering unless you really have to. Masquerading is also done here.
8                          Outgoing network interface (e.g. eth1)
9                          On the wire (let us say the LAN)

As you can see, a packet goes through several stages before it is passed on. At each of them it can be stopped, whether by an iptables chain or by something else, but we are mainly interested in iptables. Note that there are no chains specific to particular interfaces or anything of the kind. ALL packets that travel through our firewall/router pass through the FORWARD chain. Below we look at the path of a packet destined for a local process/application.

Table 2. Packets for a local application

Step  Table   Chain        Comment
1                          On the wire (i.e. the Internet)
2                          Incoming network interface (e.g. eth0)
3     mangle  PREROUTING   Normally used to alter packet headers, for example to set the TOS bits.
4     nat     PREROUTING   Destination Network Address Translation. Filtering here is acceptable only in exceptional cases.
5                          Routing decision.
6     filter  INPUT        Incoming traffic is filtered here. Remember that all incoming packets addressed to us pass through this chain, regardless of the interface they arrived on.
7                          Local process/application

It is important to remember that this time the packets go through the INPUT chain and not through FORWARD. Finally, we look at the path of packets created by local processes.

Table 3. Packets from local processes

Step  Table   Chain        Comment
1                          Local process
2     mangle  OUTPUT       Packet headers are altered here. Filtering in this chain can have unwanted side effects.
3     nat     OUTPUT       At the time of writing this chain does not work (does anyone know when the bug will be fixed?). As with every nat chain, only the first packet of a connection would be seen here.
4     filter  OUTPUT       Outgoing traffic is filtered here.
5                          Routing decision: here it is decided where the packet goes next.
6     nat     POSTROUTING  Source Network Address Translation is done here. Do not filter packets in this chain, to avoid unwanted side effects. Packets can still be stopped here, however, by a default DROP policy.
7                          Network interface (e.g. eth0)
8                          On the wire (i.e. the Internet)

Now we know that there are three different paths a packet can take. The figure that accompanies this section in the original document illustrates this more clearly; it is not reproduced here.

More information on the order in which packets are handled can be found in the rc.test-iptables.txt script, which contains a handful of rules that are helpful for understanding the traversal order.
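The traversal order can be observed rather than memorised. The following added example follows the idea of rc.test-iptables.txt but is not that script: it puts a LOG rule for ICMP at the head of every chain in the three tables, each with its own prefix, so that a single ping to the firewall writes the order of the chains into the kernel log. chain_order then turns such log lines back into the sequence of chains. The log lines embedded in it are constructed (abridged LOG-target output) for a ping from a LAN host to the firewall itself; the interface name eth1 is an assumption. Note what they show: the echo request is the first packet of its connection and so is seen by nat PREROUTING, while the reply belongs to that same connection and skips the nat table entirely.

```sh
#!/bin/sh
# Added example, in the spirit of rc.test-iptables.txt but not that script.
# traversal_test_rules inserts a LOG rule for ICMP at the head of every chain of
# the tables above, each with its own prefix; after "ping -c1 <firewall>" the
# kernel log then spells out the traversal order. chain_order reads such log
# lines and prints the prefixes in the order they were hit.

IPT="${IPT:-/sbin/iptables}"   # IPT=echo previews the commands

ipt() { "$IPT" "$@"; }

traversal_test_rules() {
    for tc in mangle:PREROUTING nat:PREROUTING filter:INPUT filter:FORWARD \
              mangle:OUTPUT nat:OUTPUT filter:OUTPUT nat:POSTROUTING; do
        table=${tc%%:*}
        chain=${tc##*:}
        # "-I chain 1" puts the LOG rule first, ahead of any DROP in that chain.
        ipt -t "$table" -I "$chain" 1 -p icmp -j LOG --log-prefix "$table:$chain "
    done
}

# chain_order PATTERN   (kernel log lines on stdin)
# Keeps only lines matching PATTERN (e.g. "TYPE=8" for echo requests) and
# prints their table:chain prefixes, in log order, on one line.
chain_order() {
    grep -- "$1" | sed -n 's/.*kernel: \([a-z]*:[A-Z]*\) .*/\1/p' | tr '\n' ' ' | sed 's/ $//'
}

# Constructed log lines (abridged) for one ping to the firewall itself. The
# request is the first packet of its connection, so nat PREROUTING sees it; the
# reply belongs to the same connection, so the nat table is skipped for it and
# only the mangle and filter OUTPUT chains log it.
sample_kernel_log() {
    cat <<'EOF'
Mar  1 12:00:01 fw kernel: mangle:PREROUTING IN=eth1 OUT= SRC=192.168.0.2 DST=192.168.0.1 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Mar  1 12:00:01 fw kernel: nat:PREROUTING IN=eth1 OUT= SRC=192.168.0.2 DST=192.168.0.1 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Mar  1 12:00:01 fw kernel: filter:INPUT IN=eth1 OUT= SRC=192.168.0.2 DST=192.168.0.1 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Mar  1 12:00:01 fw kernel: mangle:OUTPUT IN= OUT=eth1 SRC=192.168.0.1 DST=192.168.0.2 PROTO=ICMP TYPE=0 CODE=0 ID=1 SEQ=1
Mar  1 12:00:01 fw kernel: filter:OUTPUT IN= OUT=eth1 SRC=192.168.0.1 DST=192.168.0.2 PROTO=ICMP TYPE=0 CODE=0 ID=1 SEQ=1
EOF
}

if [ "${1:-}" = "apply" ]; then
    traversal_test_rules
fi
```

On a live box, "sh script apply" followed by a ping and "dmesg | chain_order TYPE=8" gives the request path; a ping through the firewall to another host shows filter:FORWARD and nat:POSTROUTING instead of filter:INPUT. Remove the rules afterwards, since they log every ICMP packet.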


The mangle table

As mentioned above, this table is intended mainly for altering packet headers (mangle: to distort, to change; translator's note). That is, in this table you can set the TOS (Type Of Service) bits and so on.

Caution

Once again: do not do any kind of filtering, masquerading or address translation (DNAT, SNAT) in this table.

Only the following targets may be used in this table:

  • TOS

  • TTL

  • MARK

The TOS target sets the bits of the Type of Service field in the packet. This field is used to tell the network how the packet should be handled, i.e. it expresses the preferred kind of routing. Note, however, that in practice the field is honoured by only a small number of routers on the Internet. In other words, you should not change this field on packets heading out to the Internet, because the routers that do honour it may make a wrong routing decision.

The TTL target is used to set the TTL (Time To Live) field of the packet. There is one nice application for it. We can give this field a fixed value in order to hide our firewall from overly curious Internet Service Providers. Some providers very much dislike a single connection being shared by several computers, and so they start checking the TTL of incoming packets and use it as one of the criteria for deciding whether one computer or several sit behind the connection.

The MARK target sets a special mark on the packet, which can later be checked by other iptables rules or by other programs, for example iproute2. The mark lives in the kernel's packet structure, not in the packet on the wire, so it never leaves the machine. With "marks" we can control the routing of packets, limit traffic and so on.


The Nat table

This table is used to perform network address translation, NAT (Network Address Translation). As mentioned earlier, only the first packet of a stream passes through the chains of this table; the address translation or masquerading is then applied automatically to all subsequent packets of the stream. The targets characteristic of this table are:

  • DNAT

  • SNAT

  • MASQUERADE

The DNAT (Destination Network Address Translation) target rewrites the destination address in the packet header. In other words, it redirects packets to an address different from the one given in the packet header.

SNAT (Source Network Address Translation) is used to change the source address of packets. With this target you can hide the structure of the local network and, at the same time, share a single external IP address among the hosts of the local network for access to the Internet. In that case the firewall, using SNAT, automatically performs the forward and reverse translation, making it possible to connect to servers on the Internet from hosts on the local network.

Masquerading (MASQUERADE) is used for the same purpose as SNAT, but unlike SNAT, MASQUERADE puts a heavier load on the system. The reason is that every time this target is executed, the IP address of the network interface named in the target is looked up, whereas for SNAT the IP address is given directly. Thanks to this difference, however, MASQUERADE works with dynamic IP addresses, i.e. when you connect to the Internet over, say, PPP, SLIP or DHCP.


The Filter table

As the name implies, this table should hold the rule sets that filter packets. Packets can be passed on or rejected depending on their contents. Of course, we can filter packets in the other tables too, but this table exists specifically for filtering. Most of the existing targets may be used in this table, but the targets discussed above in this chapter should only be used in the tables they belong to.


The state machine

This chapter is devoted entirely to the packet state mechanism (the state machine). After reading it you should have a fairly clear understanding of how the mechanism works. A substantial number of explanatory examples will also be covered.

Introduction

The state machine is a part of iptables and really should not be called that, since it is actually a connection tracking mechanism. A great many people, however, know it as the "state machine". In this chapter the two names will be used as synonyms. The connection tracker is designed so that netfilter can obtain information about the state of a particular connection. This mechanism lets you build more reliable rule sets.

Within iptables, a connection can be in one of 4 basic states: NEW, ESTABLISHED, RELATED and INVALID. Later we will look at each of them in more detail. The --state match is used to handle packets according to their state. The tracker determines the 4 basic states of every TCP or UDP packet, plus some additional characteristics. For TCP and UDP packets these are the source IP address, the destination IP address, the source port and the destination port.

Earlier kernel versions allowed packet defragmentation support to be switched on and off. Once connection tracking became part of iptables/netfilter, however, the need for this disappeared. The reason is that the tracker cannot do its job without defragmentation, so defragmentation is always on. It cannot be turned off except by turning off connection tracking.

Tracking is done in the PREROUTING chain. This means that iptables does all the state calculations within this chain. When the initiating packet of a stream is sent, it is assigned the NEW state; when the reply packet comes back, the connection state changes to ESTABLISHED, and so on.


The connection tracking table

Let us take a brief look at the tracker's table, which can be found in the file /proc/net/ip_conntrack. It holds the list of all active connections. If the ip_conntrack module is loaded, the command cat /proc/net/ip_conntrack should print something like:

tcp 6 117 SYN_SENT src=192.168.1.6 dst=192.168.1.9 sport=32775 dport=22 [UNREPLIED] src=192.168.1.9 dst=192.168.1.6 sport=22 dport=32775 use=2

This example contains all the information the tracker knows about a particular connection. The first thing we see is the protocol name, in this case tcp. Next comes a number in ordinary decimal notation. After it comes the number that defines the "lifetime" of the entry in the table (i.e. the number of seconds after which the connection information will be removed from the table). In our case the entry will be kept for another 117 seconds, provided, of course, that no further packet passes through this connection; otherwise the value is reset to the default for the given state. This number decreases by 1 every second. Next comes the actual state of the connection. In our example the state is SYN_SENT. The internal representation of the state differs somewhat from the external one. SYN_SENT means that a single TCP SYN packet has passed through this connection. Then come the source and destination addresses and the source and destination ports. Here we also see the keyword that tells us that no reply traffic has been seen on this connection yet. Finally, additional information about the expected packet is given: the source/destination IP addresses (the same ones, only swapped, since a reply packet is expected), and likewise the ports.

Note

Very recently a tcp-window-tracking patch appeared in patch-o-matic; it makes all the timeout values available through special variables, i.e. lets them be changed "on the fly". This makes it possible to change the timeouts without having to rebuild the kernel.

The changes are made through certain system calls, via the /proc/sys/net/ipv4/netfilter directory. Pay particular attention to the set of variables /proc/sys/net/ipv4/netfilter/ip_ct_*.


Once the reply packet has been received, the tracker removes the [UNREPLIED] flag and replaces it with [ASSURED]. This flag means that the connection is established with certainty and that this entry will not be discarded when the maximum number of tracked connections is reached. The maximum number of entries the table can hold depends on a default value, which in recent kernels can be set through ipsysctl. For 128 MB of RAM this value corresponds to 8192 entries, for 256 MB to 16376. You can view and change this value through /proc/sys/net/ipv4/ip_conntrack_max.


States

As you have seen, packets can be in several different states inside the kernel, depending on the protocol. Outside the kernel, however, there are only 4 states, as stated above. The packet state is used mainly in the --state match. The allowed states are NEW, ESTABLISHED, RELATED and INVALID. The table below looks at each of the possible states.

Table 1. List of states

State        Description
NEW          The NEW state means that the packet is the first one for this connection. That is, it is the first packet of this connection that the tracking module has seen. For example, if a SYN packet is received that is the first packet of a connection, it gets the NEW state. A packet need not be a SYN packet, however, to get the NEW state. This can cause problems in some cases, but it can also be very useful, for example when you want to "pick up" connections "lost" by other firewalls, or when a connection's timeout has expired but the connection itself was not closed.
ESTABLISHED  The ESTABLISHED state means that this is not the first packet of the connection. The way the ESTABLISHED state is assigned is simple enough to understand. The only requirement for a connection to move to the ESTABLISHED state is that one host has sent a packet and received a reply to it from the other host. After the reply is received, the connection's NEW state is replaced by ESTABLISHED.
RELATED      The RELATED state is one of the "trickiest". A connection gets the RELATED state if it is related to another connection that has the ESTABLISHED state. This means that a connection is RELATED when it is initiated from an already established connection in the ESTABLISHED state. A good example of a connection that can be considered RELATED is an FTP-data connection, which is related to the FTP control port, and also a DCC connection started from IRC. Note that most TCP protocols and some UDP protocols that rely on this mechanism are quite complex and carry the connection information inside the data area of the TCP or UDP packets, and so require special helper modules to work correctly.
INVALID      The INVALID state means that the packet cannot be identified and therefore cannot be given a definite state. This can happen for various reasons, for example when memory runs out or when an ICMP message is received that does not correspond to any known connection. The best thing is probably to apply the DROP target to such packets.

These four states can be used in the --state match. The state machine lets you build an extremely powerful and effective defence. Previously we had to open all ports above 1024 to let return traffic into the local network; now, with the state machine, this is no longer necessary, since it has become possible to "open" access only for return (reply) traffic.


TCP connections

In this and the following sections we will take a closer look at the states and how they are handled for each of the three basic protocols TCP, UDP and ICMP, and also touch on the case where the protocol of a connection cannot be classified as one of those three. We start with TCP, since it has many of the most interesting features with respect to the state machine in iptables.

A TCP connection is always set up by the exchange of three packets, which initialise and establish the connection over which data will then be transferred. The session starts with a SYN packet, which is answered by a SYN/ACK packet, and the establishment of the connection is confirmed by an ACK packet. After that the connection is considered established and ready to carry data. The question may arise: "So how is the connection tracked?". It is actually quite simple.

For all connection types, tracking proceeds in much the same way. Look at the figure below, which shows all the stages of setting up a connection. As you can see, from the user's point of view the tracker does not really follow the progress of the connection set-up. As soon as the tracker "sees" the first (SYN) packet, it assigns it the NEW state. As soon as the second packet (SYN/ACK) passes through the tracker, the connection is assigned the ESTABLISHED state. Why the second packet? Let us work it out. When building your rule set, you can allow packets with the NEW and ESTABLISHED states to leave the local network, and allow only ESTABLISHED packets in the incoming traffic, and everything will work beautifully. Conversely, if the tracker kept considering the connection NEW, you would in effect never be able to establish a connection with the "outside world", or you would have to allow NEW packets into the local network.

From the user's point of view everything looks fairly simple; seen from the kernel, however, it is somewhat more complicated. Let us follow the state changes of a connection in the /proc/net/ip_conntrack table. After the first SYN packet is sent:

tcp 6 117 SYN_SENT src=192.168.1.5 dst=192.168.1.35 sport=1031 dport=23 [UNREPLIED] src=192.168.1.35 dst=192.168.1.5 sport=23 dport=1031 use=1

As you can see, the table entry reflects the exact state of the connection: a SYN packet has been sent (the SYN_SENT state), and there has been no reply to it yet (the [UNREPLIED] flag). After the reply packet is received, the connection moves to the next internal state:

tcp 6 57 SYN_RECV src=192.168.1.5 dst=192.168.1.35 sport=1031 dport=23 src=192.168.1.35 dst=192.168.1.5 sport=23 dport=1031 use=1

That is, the entry tells us that a SYN/ACK packet has come back. This time the connection moves to the SYN_RECV state. This state means that the SYN packet was successfully delivered to the recipient and an acknowledgement (SYN/ACK) came back in reply. Moreover, having "seen" packets in both directions, the state machine removes the [UNREPLIED] flag. Finally, after the concluding ACK packet of the connection set-up is sent

tcp 6 431999 ESTABLISHED src=192.168.1.5 dst=192.168.1.35 sport=1031 dport=23 src=192.168.1.35 dst=192.168.1.5 sport=23 dport=1031 use=1

the connection moves to the ESTABLISHED state. After a few more packets pass through this connection, the [ASSURED] flag is added to it.

When closing, a TCP connection goes through the following states.



As can be seen from the figure, the connection is not closed until the last ACK packet is sent. Note that this picture describes the normal closing of a connection. Besides that, if a connection is refused, it can be closed by sending an RST (reset) packet. In that case the connection is closed after a predefined time.

On closing, the connection moves to the TIME_WAIT state, which by default lasts 2 minutes, during which packets can still pass through the firewall. This is a kind of "buffer time" that lets packets "stuck" on some router still get through.

If a connection is closed by an RST packet, it moves to the CLOSE state. The wait before the connection is actually closed defaults to 10 seconds. RST packets are not acknowledged and the connection is closed at once. There is also a number of other internal states. The table below lists the possible internal connection states and the corresponding timeouts.

Table 2. Internal states

State        Timeout
NONE         30 minutes
ESTABLISHED  5 days
SYN_SENT     2 minutes
SYN_RECV     60 seconds
FIN_WAIT     2 minutes
TIME_WAIT    2 minutes
CLOSE        10 seconds
CLOSE_WAIT   12 hours
LAST_ACK     30 seconds
LISTEN       2 minutes


These values may vary somewhat from one kernel version to another, and they can also be changed through the /proc file system interface (the variables /proc/sys/net/ipv4/netfilter/ip_ct_tcp_*). The values are set in hundredths of a second, so the number 3000 means 30 seconds.
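The handshake walk-through above, the [UNREPLIED]/[ASSURED] flags, the Table 2 timeouts and the "NEW,ESTABLISHED out, ESTABLISHED in" policy can be put together in a small model. This is an added example in Python, not code from the tutorial or from netfilter; the close-sequence transitions and the flow tuples are assumptions labelled in the comments.

```python
"""Simplified model of the TCP connection tracker described above.

Added example, not code from the tutorial or from netfilter. It keeps the
internal states with their Table 2 timeouts, the [UNREPLIED]/[ASSURED]
flags, the NEW/ESTABLISHED view that the --state match exposes to rules,
and applies the policy from the text (NEW,ESTABLISHED may leave the LAN,
only ESTABLISHED may enter)."""
from dataclasses import dataclass, field

# Table 2 timeouts, converted to seconds.
TIMEOUTS = {
    "NONE": 30 * 60, "ESTABLISHED": 5 * 24 * 3600, "SYN_SENT": 2 * 60,
    "SYN_RECV": 60, "FIN_WAIT": 2 * 60, "TIME_WAIT": 2 * 60, "CLOSE": 10,
    "CLOSE_WAIT": 12 * 3600, "LAST_ACK": 30, "LISTEN": 2 * 60,
}

# (state, direction, flags) -> next state. The handshake rows mirror the
# ip_conntrack listings above; the close rows are an assumed, simplified
# walk through the Table 2 states (the tutorial's figure is not reproduced).
TRANSITIONS = {
    ("NONE", "orig", "SYN"): "SYN_SENT",
    ("SYN_SENT", "reply", "SYN/ACK"): "SYN_RECV",
    ("SYN_RECV", "orig", "ACK"): "ESTABLISHED",
    ("ESTABLISHED", "orig", "FIN"): "FIN_WAIT",
    ("ESTABLISHED", "reply", "FIN"): "FIN_WAIT",
    ("FIN_WAIT", "orig", "FIN"): "CLOSE_WAIT",
    ("FIN_WAIT", "reply", "FIN"): "CLOSE_WAIT",
    ("CLOSE_WAIT", "orig", "ACK"): "LAST_ACK",
    ("CLOSE_WAIT", "reply", "ACK"): "LAST_ACK",
    ("LAST_ACK", "orig", "ACK"): "TIME_WAIT",
    ("LAST_ACK", "reply", "ACK"): "TIME_WAIT",
}

# Policy from the text: the --state values each direction lets through.
POLICY = {"out": {"NEW", "ESTABLISHED"}, "in": {"ESTABLISHED"}}


@dataclass
class Entry:
    state: str = "NONE"
    replied: bool = False    # False while the entry still shows [UNREPLIED]
    assured: bool = False    # True once the entry shows [ASSURED]
    timeout: int = TIMEOUTS["NONE"]


@dataclass
class Tracker:
    table: dict = field(default_factory=dict)   # flow tuple -> Entry

    def state_match(self, flow, direction):
        """What `-m state --state` sees: NEW until a reply has been
        tracked, ESTABLISHED from the reply packet onwards."""
        entry = self.table.get(flow)
        if entry is None or not (entry.replied or direction == "reply"):
            return "NEW"
        return "ESTABLISHED"

    def track(self, flow, direction, flags):
        """Update the entry for an accepted packet; return the new state."""
        entry = self.table.setdefault(flow, Entry())
        if flags == "RST":                        # a reset closes at once
            new_state = "CLOSE"
        else:
            key = (entry.state, direction, flags)
            new_state = TRANSITIONS.get(key, entry.state)
        if entry.state == "ESTABLISHED" and new_state == "ESTABLISHED":
            entry.assured = True                  # traffic after the handshake
        if direction == "reply":
            entry.replied = True
        entry.state = new_state
        entry.timeout = TIMEOUTS[new_state]       # timer restarts per packet
        return new_state


def firewall(tracker, flow, side, direction, flags):
    """Apply the policy to one packet. The entry is committed only for an
    accepted packet, so dropped probes never populate the table."""
    seen = tracker.state_match(flow, direction)
    if seen not in POLICY[side]:
        return ("DROP", seen, None)
    return ("ACCEPT", seen, tracker.track(flow, direction, flags))


# Constructed flow, reusing the addresses from the listings above.
TELNET = ("tcp", "192.168.1.5", 1031, "192.168.1.35", 23)


def run_outbound_handshake(tracker):
    """LAN host opens a telnet session; every step should be accepted."""
    steps = [("out", "orig", "SYN"), ("in", "reply", "SYN/ACK"),
             ("out", "orig", "ACK"), ("in", "reply", "ACK")]
    return [firewall(tracker, TELNET, *step) for step in steps]


def run_inbound_probes(tracker):
    """An unsolicited inbound SYN and a stray inbound ACK with no entry:
    both are NEW to the tracker, so the inbound rule drops both."""
    probe = ("tcp", "10.0.0.7", 40000, "192.168.1.5", 23)   # constructed
    return [firewall(tracker, probe, "in", "orig", "SYN"),
            firewall(tracker, probe, "in", "orig", "ACK")]


if __name__ == "__main__":
    t = Tracker()
    print(run_outbound_handshake(t), t.table[TELNET])
    print(run_inbound_probes(t))
```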

Note

Be aware that, on the user side, the state machine does not reflect the TCP flags of the packets at all. As a rule this is bad, since the NEW state is assigned not only to SYN packets.

This problem is discussed in more detail in the section "NEW packets with the SYN bit unset".


UDP connections



By their nature, UDP connections have no state. There are several reasons for this; the main one is that the protocol has no connection set-up or tear-down, but the biggest drawback is the lack of information about the order in which packets arrive. Having received two UDP datagrams, it is impossible to tell exactly in which order they were sent. Even so, it is still possible to determine a connection state in this situation. The figure below shows how connection set-up looks from the tracker's point of view.



As you can see, the state of a UDP connection is determined in almost the same way as that of a TCP connection, from the user-space point of view. Internally it looks somewhat different, although largely similar. First let us look at the entry that appears after the first UDP packet is sent.

udp 17 20 src=192.168.1.2 dst=192.168.1.5 sport=137 dport=1025 [UNREPLIED] src=192.168.1.5 dst=192.168.1.2 sport=1025 dport=137 use=1

The first thing we see is the protocol name (udp) and its number (see /etc/protocols; translator's note). The third value is the remaining "lifetime" of the entry in seconds. Then come the characteristics of the packet that passed through the firewall: the source and destination addresses and ports. Here we also see that this is the first packet of the session (the [UNREPLIED] flag). The entry ends with the source and destination addresses and ports of the expected packet. The default timeout of such an entry is 30 seconds.

udp 17 170 src=192.168.1.2 dst=192.168.1.5 sport=137 dport=1025 src=192.168.1.5 dst=192.168.1.2 sport=1025 dport=137 use=1

Once the server has "seen" the reply to the first packet, the connection is considered ESTABLISHED; the only difference from the previous entry is the absence of the [UNREPLIED] flag and, in addition, the entry's timeout has become 180 seconds. After this, only the [ASSURED] flag, described above, can be added. The [ASSURED] flag is set only after a certain number of packets have passed through the connection.

udp 17 175 src=192.168.1.5 dst=195.22.79.2 sport=1025 dport=53 src=195.22.79.2 dst=192.168.1.5 sport=53 dport=1025 [ASSURED] use=1

Now the connection has become "assured". The table entry looks almost the same as in the previous example, except for the [ASSURED] flag. If not a single packet passes through the connection within 180 seconds, the entry is removed from the table. This is a rather short interval, but it is quite enough for most applications. The "lifetime" counts from the moment the last packet passed, and when a new one appears the timer is reset to its initial value.


ICMP connections

ICMP packets are used only to carry control messages and do not form a persistent connection. There are, however, 4 types of ICMP packets that elicit a reply, so they can have two states: NEW and ESTABLISHED. These are ICMP Echo Request/Echo Reply, ICMP Timestamp Request/Timestamp Reply, ICMP Information Request/Information Reply and ICMP Address Mask Request/Address Mask Reply. Of these, ICMP Timestamp Request/Timestamp Reply and ICMP Information Request/Information Reply are considered obsolete and can therefore, in most cases, be safely dropped (DROP). Look at the figure below.



As the figure shows, the server sends an Echo Request to the client, and the request is recognised by the firewall as NEW. The client answers with an Echo Reply packet, which is now recognised as having the ESTABLISHED state. After the first packet (Echo Request) has passed, the following entry appears in ip_conntrack:

icmp 1 25 src=192.168.1.6 dst=192.168.1.10 type=8 code=0 id=33029 [UNREPLIED] src=192.168.1.10 dst=192.168.1.6 type=0 code=0 id=33029 use=1

This entry differs somewhat from the TCP and UDP entries: the protocol name, the timeout and the source and destination addresses are present just as before, but then three new fields appear: type, code and id. The type field holds the ICMP type, the code field the ICMP code. The ICMP types and codes are listed in the appendix "ICMP types". The last field, id, holds the packet identifier. Every ICMP packet has its own identifier. When the receiver answers an ICMP request, it puts this identifier into the reply packet, which lets the sender correctly work out which request a reply belongs to.

The next field is the [UNREPLIED] flag, which we have met before. It means that the first packet of the connection has arrived. The entry ends with the characteristics of the expected reply packet. These include the source and destination addresses. As for the type and code of the ICMP packet, they are the correct values for the expected ICMP Echo Reply packet. The identifier of the reply packet is the same as in the request packet.

The reply packet is already recognised as ESTABLISHED. We know, however, that after the reply is sent nothing more is expected on this connection, so once the reply has passed through netfilter the entry in the tracker's table is destroyed.

In either case the request is treated as NEW and the reply as ESTABLISHED. Note that the reply packet must match the characteristics (source and destination addresses, type, code and identifier) recorded in the tracker's table entry.
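The TCP, UDP and ICMP entries quoted in the sections above share one layout, so a single parser can read all of them and verify the "expected reply" half against the original tuple. This is an added example in Python, not code from the tutorial or from netfilter; the sample entries are copies of the listings above and the ICMP type pairs are the four request/reply pairs the text names.

```python
"""Parser for /proc/net/ip_conntrack lines in the TCP, UDP and ICMP shapes
shown above. Added example, not code from the tutorial or from netfilter:
it splits an entry into the original and expected-reply tuples, the
[UNREPLIED]/[ASSURED] flags and the use count, checks that the reply tuple
mirrors the original, and counts half-open entries per source address."""
import re
from collections import Counter

FLAG_RE = re.compile(r"^\[([A-Z]+)\]$")

# ICMP request type -> reply type for the four request/reply pairs the
# tracker keeps state for (Echo, Timestamp, Information, Address Mask).
ICMP_REPLY_TYPE = {8: 0, 13: 14, 15: 16, 17: 18}


def parse_conntrack_line(line):
    """Return a dict for one ip_conntrack entry."""
    tokens = line.split()
    entry = {"proto": tokens[0], "proto_num": int(tokens[1]),
             "timeout": int(tokens[2]), "state": None,
             "original": {}, "reply": {}, "flags": [], "use": None}
    rest = tokens[3:]
    # Only TCP entries carry a textual state before the first src= field.
    if rest and "=" not in rest[0] and not rest[0].startswith("["):
        entry["state"] = rest.pop(0)
    side = "original"
    for tok in rest:
        flag = FLAG_RE.match(tok)
        if flag:
            entry["flags"].append(flag.group(1))
            continue
        key, _, value = tok.partition("=")
        if key == "use":
            entry["use"] = int(value)
            continue
        if key == "src" and "src" in entry[side]:
            side = "reply"               # second src= starts the reply tuple
        entry[side][key] = int(value) if value.isdigit() else value
    return entry


def reply_mirrors_original(entry):
    """True when the expected reply is the mirror image of the original
    tuple: addresses swapped, ports swapped, and for ICMP the matching
    reply type with the same id."""
    o, r = entry["original"], entry["reply"]
    if (o.get("src"), o.get("dst")) != (r.get("dst"), r.get("src")):
        return False
    if entry["proto"] in ("tcp", "udp"):
        return (o["sport"], o["dport"]) == (r["dport"], r["sport"])
    if entry["proto"] == "icmp":
        return o["id"] == r["id"] and ICMP_REPLY_TYPE.get(o["type"]) == r["type"]
    return True


def half_open_by_source(lines):
    """Count [UNREPLIED] entries per original source address: many
    unanswered flows from one host is what a scan or a dead peer looks
    like in this table."""
    counts = Counter()
    for line in lines:
        entry = parse_conntrack_line(line)
        if "UNREPLIED" in entry["flags"]:
            counts[entry["original"]["src"]] += 1
    return dict(counts)


# Constructed sample: copies of the four entries quoted in the text above.
SAMPLE = [
    "tcp 6 117 SYN_SENT src=192.168.1.6 dst=192.168.1.9 sport=32775 dport=22 "
    "[UNREPLIED] src=192.168.1.9 dst=192.168.1.6 sport=22 dport=32775 use=2",
    "udp 17 20 src=192.168.1.2 dst=192.168.1.5 sport=137 dport=1025 "
    "[UNREPLIED] src=192.168.1.5 dst=192.168.1.2 sport=1025 dport=137 use=1",
    "udp 17 175 src=192.168.1.5 dst=195.22.79.2 sport=1025 dport=53 "
    "src=195.22.79.2 dst=192.168.1.5 sport=53 dport=1025 [ASSURED] use=1",
    "icmp 1 25 src=192.168.1.6 dst=192.168.1.10 type=8 code=0 id=33029 "
    "[UNREPLIED] src=192.168.1.10 dst=192.168.1.6 type=0 code=0 id=33029 use=1",
]

if __name__ == "__main__":
    for line in SAMPLE:
        e = parse_conntrack_line(line)
        print(e["proto"], e["state"], e["flags"], reply_mirrors_original(e))
    print(half_open_by_source(SAMPLE))
```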

ICMP requests have a default timeout of 30 seconds. In most cases this is quite sufficient. The timeout can be changed in /proc/sys/net/ipv4/netfilter/ip_ct_icmp_timeout. (Remember that the /proc/sys/net/ipv4/netfilter/ip_ct_* variables only become available after the tcp-window-tracking "patch" from patch-o-matic is installed; translator's note.)

A large part of ICMP is used to report what is happening to some UDP or TCP connection. For this reason such packets are very often recognised as related (RELATED) to an existing connection. Simple examples are the ICMP Host Unreachable and ICMP Network Unreachable messages. They are always generated when an attempt is made to connect to a host while that host or network is unreachable; in that case the last router returns the corresponding ICMP packet, which is recognised as RELATED. The figure below shows how this happens.

In this example a connection request (a SYN packet) is sent to some host. It gets the NEW state on the firewall. At that moment, however, the network turns out to be unreachable, so the router returns an ICMP Network Unreachable packet. The connection tracker recognises this packet as RELATED, thanks to the entry already in the table, so the packet is duly delivered to the client, which then tears down the failed connection. Meanwhile the firewall destroys the table entry, since an error message has been received for this connection.

The same happens with UDP connections when similar problems are encountered. All ICMP messages sent in reply to a UDP connection are treated as RELATED. Look at the next figure.



A UDP datagram is sent to the server. The connection is assigned the NEW state. Access to the network is forbidden, however (by a firewall or a router), so an ICMP Network Prohibited message is returned. The firewall recognises this message as related to the open UDP connection, assigns it the RELATED state and passes it to the client. After that the entry in the tracker's table is destroyed, and the client duly tears down the connection.


Default behaviour

In some cases the state machine cannot recognise the protocol and therefore cannot choose a strategy for handling the connection. It then falls back to the default behaviour. The default behaviour is used, for example, for the NETBLT, MUX and EGP protocols. The default behaviour is much like the tracking of UDP connections. The first packet is assigned the NEW state, and all subsequent ones the ESTABLISHED state.

With the default behaviour, one and the same timeout is used for all packets; it can be changed in /proc/sys/net/ipv4/netfilter/ip_ct_generic_timeout. By default this value is 600 seconds, or 6 minutes (yes, that is exactly what the original text says. I suspect the author simply made a slip of the pen, and in this case it should be read as "600 seconds or 10 minutes". Incidentally, in the source code (/usr/src/linux/net/ipv4/netfilter/ip_conntrack_proto_generic.c) the value of GENERIC_TIMEOUT is 600 seconds; translator's note). Depending on the type of traffic this time may vary, especially when the connection goes over a satellite link.


Tracking complex protocols

There are a number of complex protocols whose correct tracking is more difficult. Examples are the ICQ, IRC and FTP protocols. Each of these protocols carries additional connection information in the data area of the packet. Correct tracking of such connections therefore requires additional helper modules.

As a first example let us look at the FTP protocol. FTP first opens a single connection, called the FTP control session. When commands are executed within this session, additional ports are opened for transferring the associated data. These connections can be active or passive. When an active connection is created, the client sends the FTP server a port number and an IP address to connect to. The client then opens the port, the server connects its port 20 (known as FTP-Data) to the client's given port, and transfers the data over the established connection.

The problem is that the firewall knows nothing about these additional connections, since all the information about them is carried in the data area of the packet. Because of this, the firewall will not let the server connect to the client's given port.

The solution is to add a special tracking helper module that watches for the protocol-specific information in the data area of the packets sent within the control session. When such a connection is created, the helper module correctly interprets the information and creates the corresponding entry in the tracker's table with the RELATED state, so that the connection can be established. The figure below explains how such a connection proceeds.



Passive FTP works the other way round. The client sends the server a request for data, and the server returns to the client an IP address and a port number to connect to. The client connects its port 20 (FTP-data) to the given server port and receives the requested data. If your FTP server is behind the firewall, you will need this helper module so that the server can serve clients from the Internet. The same applies when you want to restrict your users to connecting only to HTTP and FTP servers on the Internet and close all other ports. The figure below shows how a passive FTP connection proceeds.
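What the helper module described above actually does with the control session can be shown for both FTP modes: it reads the address and port announced in the payload, records the data connection it expects, and later marks a connection that matches the expectation as RELATED. This is an added example in Python, not code from the tutorial or from ip_conntrack_ftp; the PORT/227 formats come from RFC 959, and the check that the announced address belongs to the announcing party is an added hardening assumption.

```python
"""What an FTP connection-tracking helper extracts from the control session.

Added example, not code from the tutorial or from ip_conntrack_ftp. It parses
the active-mode PORT command and the passive-mode 227 reply (formats from RFC
959), records the data connection the helper would expect, and classifies a
later connection as RELATED when it matches an expectation, NEW otherwise."""
import re

PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
PASV_RE = re.compile(r"^227\s.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def _addr_port(groups):
    """h1,h2,h3,h4,p1,p2 -> ("h1.h2.h3.h4", p1*256+p2)."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_control_line(line, client, server, sender):
    """Return the data connection announced by one control line, or None.
    `sender` is "client" or "server". The announced address must belong to
    the announcing party (a hardening check added here, not taken from the
    tutorial)."""
    if sender == "client":
        m = PORT_RE.match(line)
        if not m:
            return None
        addr, port = _addr_port(m.groups())
        if addr != client:
            return None           # refuse a PORT that names a third host
        return {"mode": "active", "src": server, "sport": 20,
                "dst": addr, "dport": port}
    m = PASV_RE.match(line)
    if not m:
        return None
    addr, port = _addr_port(m.groups())
    if addr != server:
        return None
    # The client's source port is not fixed by the 227 reply (assumption).
    return {"mode": "passive", "src": client, "sport": None,
            "dst": addr, "dport": port}


class FtpHelper:
    """Holds the pending expectations derived from one control session."""

    def __init__(self):
        self.expectations = []

    def observe(self, line, client, server, sender):
        exp = parse_control_line(line, client, server, sender)
        if exp:
            self.expectations.append(exp)
        return exp

    def classify(self, src, sport, dst, dport):
        """RELATED if a new connection matches a pending expectation
        (which is then consumed), NEW otherwise."""
        for exp in self.expectations:
            if ((exp["src"], exp["dst"], exp["dport"]) == (src, dst, dport)
                    and exp["sport"] in (None, sport)):
                self.expectations.remove(exp)
                return "RELATED"
        return "NEW"


if __name__ == "__main__":
    # Constructed session: client 192.168.1.5, server 192.168.1.35.
    helper = FtpHelper()
    print(helper.observe("PORT 192,168,1,5,4,1", "192.168.1.5", "192.168.1.35", "client"))
    print(helper.classify("192.168.1.35", 20, "192.168.1.5", 1025))
```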



Some helper modules are already included in the kernel. To be precise, the kernel includes helper modules for the FTP and IRC protocols. If the helper module you need is not available, you should turn to patch-o-matic, which contains a large number of helper modules for tracking protocols such as ntalk or H.323. If you still cannot find what you need, you have further options: you can look in the iptables CVS, in case the helper module you are after has not yet been included in patch-o-matic, or you can contact the netfilter developers and ask whether such a module exists and whether it is planned for release. If you fail here too, you should probably read Rusty Russell's Unreliable Netfilter Hacking HOWTO.

Helper modules can be compiled either as loadable kernel modules or statically. If they are compiled as modules, you can load them with the command

modprobe ip_conntrack_*

Note that the state machine has nothing to do with network address translation (NAT), so you may need further modules if you perform such translation. Suppose you perform address translation and track FTP connections; then you also need the corresponding NAT helper module. By the naming convention, the names of the NAT helper modules begin with ip_nat. In this case the module is called ip_nat_ftp. For the IRC protocol the module is called ip_nat_irc. The names of the tracker's helper modules follow the same convention, for example ip_conntrack_ftp and ip_conntrack_irc.


How to build rules

This chapter discusses how to build your own iptables rules. Every line you insert into a chain must contain a single rule. We will also discuss the basic matches and targets and how to create your own rule chains.


Basics

As already said above, each rule is a line containing the criteria that determine whether a packet matches the rule, and the action to take if the criteria are met. In general, rules are written roughly like this:

iptables [-t table] command [match] [target/jump]

Nowhere is it stated that the target/jump specification must come last on the line; we will, however, stick to this notation for readability.

If a rule does not include the [-t table] specifier, the filter table is assumed by default; if another table is meant, it must be stated explicitly. The table specifier can also be placed anywhere on the rule line, but putting the table at the start of the rule is more or less the accepted standard.

Next, immediately after the table name, comes the command. If there is no table specifier, the command must always come first. The command defines what iptables does, for example: insert a rule, or append a rule to the end of a chain, or delete a rule, and so on.

The matches section specifies the criteria by which it is decided whether the packet is subject to this rule or not. Here we can specify all kinds of criteria: the source IP address of the packet or network, the network interface, and so on. There are many matches, which we will look at in this chapter.

Finally, the target specifies what action to take when the rule's criteria are met. Here we can tell the kernel to pass the packet to another chain of rules, to "drop" the packet and forget about it, to send an error message back to the source, and so on.


Tables

The -t option specifies the table to use. By default the filter table is used. The following options are used with the -t switch.

Table 1. Tables

Table  Description
nat  The nat table is used mainly for Network Address Translation. Only the first packet of a stream passes through this table; the address translation is then applied automatically to all subsequent packets. This is one of the reasons why we should not do any filtering in this table. The PREROUTING chain is used to alter packets as they enter the firewall. The OUTPUT chain is used to translate packets generated by applications inside the firewall, before the routing decision is made. Note that at present this chain does not work. The last chain in this table is POSTROUTING, which is used to translate packets before they leave the firewall.
mangle  This table is used to alter packet headers, for example the TTL, TOS or MARK field. Important: the MARK field is not actually changed in the packet; instead a structure is kept in kernel memory that accompanies the packet all the time it travels through the machine, so that other rules and applications on this machine (and only on this machine) can use the field for their own purposes. The table has two chains, PREROUTING and OUTPUT. PREROUTING is used to alter packets as they enter the firewall, before the routing decision. OUTPUT is used to alter packets coming from applications inside the firewall. Note that the mangle table must never be used for Network Address Translation or Masquerading, since the nat table exists for those purposes.
filter  The filter table is used mainly for packet filtering. For example, here we can DROP, LOG, ACCEPT or REJECT packets without any of the complications found in the other tables. There are three built-in chains. The first is FORWARD, used for filtering packets passing through the firewall in transit. The INPUT chain is traversed by packets destined for local applications (the firewall itself). And the OUTPUT chain is used to filter outgoing packets generated by applications on the firewall itself.

Above we looked at the main differences between the three tables. Each of them should be used only for its own purpose, and you must understand this. Misuse of the tables can weaken the protection of the firewall and of the network behind it. We will return to this in more detail later, in the chapter Traversal of tables and chains.


Commands

Below is the list of commands and the rules for using them. With a command we tell iptables what we intend to do. Usually one of two actions is intended: adding a new rule to a chain, or deleting an existing rule from one table or another. The commands used in iptables are given below.

Table 2. Commands

Command
Example
Explanation
-A, --append
iptables -A INPUT ...
Appends a new rule to the end of the given chain.
-D, --delete
iptables -D INPUT --dport 80 -j DROP, iptables -D INPUT 1
Deletes a rule from a chain. The command has two forms: in the first, a match specification is given with -D (see the first example); in the second, the ordinal number of the rule is given. If a match specification is given, the rule containing that specification is deleted; if a rule number is given, the rule with that number is deleted. Rules in a chain are numbered starting from 1.
-R, --replace
iptables -R INPUT 1 -s 192.168.0.1 -j DROP
This command replaces one rule with another. It is used mainly while debugging new rules.
-I, --insert
iptables -I INPUT 1 --dport 80 -j ACCEPT
Inserts a new rule into a chain. The number following the chain name is the number of the rule before which the new rule is inserted; in other words, the number becomes the position of the inserted rule. In the example above, the rule is to become rule 1 in the INPUT chain.
-L, --list
iptables -L INPUT
Lists the rules in the given chain; in this example the rules of the INPUT chain are listed. If no chain name is given, the rules of all chains are listed. The output format depends on the additional options given in the command, such as -n, -v and so on.
-F, --flush
iptables -F INPUT
Flushes (deletes) all rules from the given chain (table). If no chain and table are given, all rules in all chains are deleted.
-Z, --zero
iptables -Z INPUT
Zeroes all counters in the given chain. If no chain name is given, all chains are implied. When the -v option is used together with the -L command, the output also includes the packet counters of each rule. The -L and -Z commands may be used together; in that case the rule list with its counters is printed first, and then the counters are zeroed.
-N, --new-chain
iptables -N allowed
Creates a new chain with the given name in the given table. In the example above a new chain named allowed is created. The chain name must be unique and must not coincide with the reserved names of chains and targets (DROP, REJECT and so on).
-X, --delete-chain
iptables -X allowed
Deletes the given chain from the given table. The chain being deleted must contain no rules, and no other chain may reference it. If no chain name is given, all chains created with -N in the given table are deleted.
-P, --policy
iptables -P INPUT DROP
Sets the default policy for the given chain. The default policy is the action applied to packets that do not match any rule in the chain. DROP, ACCEPT and REJECT may be used as the default policy.
-E, --rename-chain
iptables -E allowed disallowed
The -E command renames a user-defined chain. In the example the chain allowed is renamed to disallowed. Renaming does not change how the chain works; it is purely cosmetic.

A command must always be given. The list of available commands can be viewed with iptables -h or, equivalently, iptables --help. Some commands can be used together with additional options. Below is the list of these options with a description of their effect. Note that this list does not include the options used when building matches or targets; those will be discussed later.

Table 3. Options

Option
Commands it is used with
Description
-v, --verbose
--list, --append, --insert, --delete, --replace
This option makes the output more informative and is usually used together with the --list command. When used with --list, the output also includes the interface name and the packet and byte counters for each rule. The counters are printed with the multiplier suffixes K (x1000), M (x1,000,000) and G (x1,000,000,000) in addition to the digits. To make --list print the full number (without multipliers), use the -x option described below. When -v, --verbose is used with --append, --insert, --delete or --replace, a detailed report of the operation performed is printed.
-x, --exact
--list
All numbers in the output are printed as exact values, without rounding and without the K, M, G multipliers. Note that this option is used only with --list and has no effect with other commands.
-n, --numeric
--list
Makes iptables print IP addresses and port numbers in numeric form, preventing any attempt to resolve them into symbolic names. This option is used only with --list.
--line-numbers
--list
The --line-numbers option turns on printing of line numbers when the rule list is displayed with --list. The line number corresponds to the position of the rule in the chain. This option is used only with --list.
-c, --set-counters
--insert, --append, --replace
This option is used when creating a new rule to set its packet and byte counters to given values. For example, --set-counters 20 4000 sets the packet counter to 20 and the byte counter to 4000.
--modprobe
All
The --modprobe option specifies the command used to load kernel modules. It is used when your modprobe command is outside the search path. This option can be used with any command.

Matches

Here we look more closely at the criteria used to select packets. I have split all the matches into five groups. The first is the generic matches, which can be used in any rule. The second is the TCP matches, which apply only to TCP packets. The third is the UDP matches, which apply only to UDP packets. The fourth is the ICMP matches, for working with ICMP packets. And finally the fifth is the special matches such as state, owner, limit and others.


Generic matches

Here we look at the generic matches. Generic matches can be used in any rule; they do not depend on the protocol type and do not require loading extension modules. I have put the --protocol match in this group even though it is used by some protocol-specific extensions. For example, if we decide to use a TCP match, we must also use the --protocol match, which is given the protocol name, TCP, as its argument. However, --protocol is a match in its own right, used to specify the protocol type.

Table 4. Generic matches

Match -p, --protocol
Example iptables -A INPUT -p tcp
Description This match is used to specify the protocol type. Examples of protocols are TCP, UDP and ICMP. The list of protocols can be found in the file /etc/protocols. First of all, the protocol name given to this match may be one of the three protocols just mentioned, or the keyword ALL. A number, the protocol number, may also be given; for example, 255 corresponds to RAW IP. The correspondence between protocol numbers and names can be found in the file /etc/protocols already mentioned. The match may also be given a comma-separated list of protocols, for example udp,tcp (although the author states that a list of protocols can be given, nobody has yet managed to do it! In fact, man iptables explicitly states that only one protocol may be specified in this match. Perhaps this extension is in patch-o-matic? Translator's note.) If the numeric value 0 is given to this match, it is equivalent to the ALL specifier, which is assumed by default when the --protocol match is not used. To invert the match logically, the ! character is placed before the protocol name (or list); for example --protocol ! tcp means packets of any protocol except tcp.
Match -s, --src, --source
Example iptables -A INPUT -s 192.168.1.1
Description The source IP address(es) of the packet. The source address can be given as in the example, in which case a single IP address is meant. It can also be given in the form address/mask, for example 192.168.0.0/255.255.255.0, or in the more modern form 192.168.0.0/24, which effectively defines a range of addresses. As before, the ! character placed before the address means logical negation, so --source ! 192.168.0.0/24 means any address except 192.168.0.x.
Match -d, --dst, --destination
Example iptables -A INPUT -d 192.168.1.1
Description The destination IP address(es) of the packet. The syntax is the same as for the --source match, except that it refers to the destination address. Likewise it can define either a single IP address or a range of addresses. The ! character is used to invert the match logically.
Match -i, --in-interface
Example iptables -A INPUT -i eth0
Description The interface on which the packet was received. This match may only be used in the INPUT, FORWARD and PREROUTING chains; in any other case it produces an error message. When this match is absent, any interface is assumed, which is equivalent to the match -i +. As before, the ! character inverts the result of the match. If the interface name ends with +, the match covers all interfaces whose names begin with the given string; for example -i PPP+ means any PPP interface, and -i ! eth+ means any interface except any eth interface.
Match -o, --out-interface
Example iptables -A FORWARD -o eth0
Description Specifies the name of the output interface. This match may only be used in the OUTPUT, FORWARD and POSTROUTING chains; otherwise an error message is generated. When this match is absent, any interface is assumed, which is equivalent to the match -o +. As before, the ! character inverts the result of the match. If the interface name ends with +, the match covers all interfaces whose names begin with the given string; for example -o eth+ means any eth interface, and -o ! eth+ means any interface except any eth interface.
Match -f, --fragment
Example iptables -A INPUT -f
Description The rule applies to all fragments of a fragmented packet except the first one. This is done because there is no way to determine the source/destination port of a packet fragment, or the type of an ICMP fragment. Fragmented packets can be used in attacks on your firewall, because the fragments may not be caught by other rules. As before, the ! character may be used to invert the result of the match, but in this case ! must precede the -f match, as in ! -f. The inverted match is interpreted as "all first fragments of fragmented packets and/or unfragmented packets, but not the second and subsequent fragments of fragmented packets".

Implicit matches

In this section we look at the implicit matches, that is, the matches that are loaded implicitly and become available, for example, when the --protocol match is given. At present there are three automatically loaded extensions: the TCP matches, the UDP matches and the ICMP matches (while building my own rules I found that these extensions had to be loaded explicitly, that is, they were not loaded automatically. Translator's note). These extensions can also be loaded explicitly with the -m, --match option, for example -m tcp.


TCP matches

This extension depends on the protocol type and works only with TCP packets. To use these additional matches, you must specify the protocol type --protocol tcp in your rules. Important: the --protocol tcp match must come before the protocol-specific match. These extensions are loaded automatically for the tcp protocol as well as for the udp and icmp protocols. (I have already mentioned the implicit loading of extensions above. Translator's note.)

Table 5. TCP matches

Match --sport, --source-port
Example iptables -A INPUT -p tcp --sport 22
Description The source port from which the packet was sent. The argument may be a port number or the name of a network service. The correspondence between service names and port numbers can be found in the file /etc/services. Rules with numeric ports are processed somewhat faster, although they are less convenient when reading script listings. If you are going to build large rule sets, say of several hundred rules or more, it is preferable to use port numbers.
Port numbers may be given as a range from a minimum to a maximum number, for example --source-port 22:80. If the minimum port is omitted, i.e. the match is written as --source-port :80, the number 0 is taken as the start of the range. If the maximum port is omitted, i.e. the match is written as --source-port 22:, the number 65535 is taken as the end of the range. The form --source-port 80:22 is also allowed; in that case iptables swaps the numbers 22 and 80, so such an entry is converted to --source-port 22:80. As before, the ! character is used for inversion, so the match --source-port ! 22 means any port except 22. Inversion may also be applied to a port range, for example --source-port ! 22:80.
Match --dport, --destination-port
Example iptables -A INPUT -p tcp --dport 22
Description The port to which the packet is addressed. The arguments are given in the same format as for --source-port.
Match --tcp-flags
Example iptables -p tcp --tcp-flags SYN,ACK,FIN SYN
Description Specifies the mask and the flags of a TCP packet. A packet matches if, of the flags listed in the first list, exactly those listed in the second list are set. So in the example above the match covers packets in which the SYN flag is set and the FIN and ACK flags are cleared. The arguments may be the flags SYN, ACK, FIN, RST, URG, PSH, and also the reserved identifiers ALL and NONE. ALL means ALL flags and NONE means NO flag. So the match --tcp-flags ALL NONE means that all flags in the packet must be cleared. As before, the ! character inverts the match. Important: the flag names within each list must be separated by commas; spaces separate the lists.
Match --syn
Example iptables -p tcp --syn
Description The --syn match is essentially a relic inherited from ipchains. It matches packets with the SYN flag set and the ACK and FIN flags cleared. This match is equivalent to --tcp-flags SYN,ACK,FIN SYN. Such packets are used to open a TCP connection. By blocking them you reliably block all incoming connection requests, but this match cannot block outgoing connection requests. As before, the match can be inverted with the ! character. So ! --syn means all packets that are not connection requests, i.e. all packets with the FIN or ACK flag set.
Match --tcp-option
Example iptables -p tcp --tcp-option 16
Description A packet matches this criterion if its TCP option equals the given number. A packet that does not have a complete TCP header is dropped automatically when an attempt is made to examine its TCP option. As before, the inversion flag [!] may be used.
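The port-range and flag rules in Table 5 can be checked against concrete packets. The following is an added example written for this page (it is not code from the tutorial or from iptables): a small Python model of the --sport/--dport argument syntax and of --tcp-flags MASK COMP, with --syn defined exactly as the table above defines it, SYN,ACK,FIN SYN. The packet samples inside are constructed, and the function and variable names are the example's own.

```python
"""Added example: how the TCP port and flag criteria from Table 5 decide
whether a packet matches. Illustrative code written for this page, not part
of iptables or of the tutorial. The packet samples below are constructed."""

# Standard bit values of the TCP header flags.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20}


def parse_port_spec(spec):
    """Turn a --sport/--dport argument into (negated, low, high).

    Follows the rules the text gives: a bare number is a single port,
    ':80' starts at 0, '22:' ends at 65535, '80:22' is swapped, and a
    leading '!' inverts the match.
    """
    spec = spec.strip()
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:].strip()
    if ":" in spec:
        low_s, high_s = spec.split(":", 1)
        low = int(low_s) if low_s else 0
        high = int(high_s) if high_s else 65535
    else:
        low = high = int(spec)
    if low > high:                      # iptables swaps a reversed range
        low, high = high, low
    if not (0 <= low and high <= 65535):
        raise ValueError("port out of range: %s" % spec)
    return negated, low, high


def port_matches(spec, port):
    """True if `port` satisfies the --sport/--dport argument `spec`."""
    negated, low, high = parse_port_spec(spec)
    return (low <= port <= high) != negated


def parse_flag_list(names):
    """Comma-separated flag names, or the keywords ALL / NONE, to a bitmask."""
    names = names.strip().upper()
    if names == "ALL":
        return sum(TCP_FLAGS.values())
    if names == "NONE":
        return 0
    bits = 0
    for name in names.split(","):
        bits |= TCP_FLAGS[name]          # an unknown flag name raises KeyError
    return bits


def tcp_flags_match(mask, comp, flags, negated=False):
    """--tcp-flags MASK COMP: look only at the bits in MASK and require
    exactly the bits in COMP to be set among them."""
    mask_bits, comp_bits = parse_flag_list(mask), parse_flag_list(comp)
    return ((flags & mask_bits) == comp_bits) != negated


def syn_match(flags, negated=False):
    """--syn as the text defines it: --tcp-flags SYN,ACK,FIN SYN."""
    return tcp_flags_match("SYN,ACK,FIN", "SYN", flags, negated)


def classify_samples():
    """Run a few constructed packets through the matches discussed above."""
    S, A, F = TCP_FLAGS["SYN"], TCP_FLAGS["ACK"], TCP_FLAGS["FIN"]
    samples = [                          # (label, dport, flags)
        ("connection request", 22, S),
        ("handshake reply", 22, S | A),
        ("data segment", 22, A),
        ("close request", 22, F | A),
        ("no flags set", 22, 0),
    ]
    results = {}
    for label, dport, flags in samples:
        results[label] = {
            "dport 22": port_matches("22", dport),
            "--syn": syn_match(flags),
            "! --syn": syn_match(flags, negated=True),
            "ALL NONE": tcp_flags_match("ALL", "NONE", flags),
        }
    return results


if __name__ == "__main__":
    for label, verdicts in classify_samples().items():
        print("%-20s %s" % (label, verdicts))
```

Note that with the table's definition of --syn the RST bit is simply not examined, so a packet carrying SYN together with RST still matches; if that matters for a rule, spell the mask out with --tcp-flags and include RST in the first list.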

UDP matches

This section covers the matches that are specific to the UDP protocol. These extensions are loaded automatically when the protocol type --protocol UDP is given. Note that UDP packets are not connection-oriented and therefore have no flags from which the purpose of a datagram could be inferred. Receipt of UDP packets requires no acknowledgement from the receiver; if they are lost, they are simply lost (without triggering an ICMP error message). This implies considerably fewer additional matches than for TCP packets. Important: a good firewall should handle packets of any type, UDP or ICMP, which are considered connectionless, just as well as TCP packets. We will talk about this later, in the following chapters.

Table 6. UDP matches

Match --sport, --source-port
Example iptables -A INPUT -p udp --sport 53
Description The source port from which the packet was sent. The argument may be a port number or the name of a network service. The correspondence between service names and port numbers can be found in the file /etc/services. Rules with numeric ports are processed somewhat faster, although they are less convenient when reading script listings. If you are going to build large rule sets, say of several hundred rules or more, it is preferable to use port numbers.
Port numbers may be given as a range from a minimum to a maximum number, for example --source-port 22:80. If the minimum port is omitted, i.e. the match is written as --source-port :80, the number 0 is taken as the start of the range. If the maximum port is omitted, i.e. the match is written as --source-port 22:, the number 65535 is taken as the end of the range. The form --source-port 80:22 is also allowed; in that case iptables swaps the numbers 22 and 80, so such an entry is converted to --source-port 22:80. As before, the ! character is used for inversion, so the match --source-port ! 22 means any port except 22. Inversion may also be applied to a port range, for example --source-port ! 22:80.
Match --dport, --destination-port
Example iptables -A INPUT -p udp --dport 53
Description The port to which the packet is addressed. The argument format is exactly the same as for the --source-port match.

ICMP matches

This protocol is used mainly for transmitting error messages and for connection control. It is not subordinate to the IP protocol but works closely with it, since it helps to handle error conditions. ICMP packet headers are very similar to IP headers, but have their differences. The main feature of this protocol is the header type, which says what kind of packet it is. For example, when we try to connect to an unreachable host, we receive an ICMP host unreachable message in reply. The complete list of ICMP message types can be found in the appendix ICMP types. There is only one ICMP-specific match. This extension is loaded automatically when we specify the --protocol ICMP match. Note that the generic matches can also be used to check ICMP packets, since the source address, destination address and so on are known.

Table 7. ICMP matches

Match --icmp-type
Example iptables -A INPUT -p icmp --icmp-type 8
Description The ICMP message type. The ICMP message type is given as a number or a name. The numeric values are defined in RFC 792. To get the list of ICMP type names, run iptables --protocol icmp --help, or see the appendix ICMP types. As before, the ! character inverts the match, for example --icmp-type ! 8.

Explicit matches

Before these extensions can be used, they must be loaded explicitly with the -m or --match option. So, for example, if we intend to use the state matches, we must state this explicitly on the rule line: -m state to the left of the match being used. Some of these matches are still under development and therefore may not always work, but in most cases they work quite reliably. The only difference between explicit and implicit matches is that the former must be loaded explicitly, while the latter are loaded automatically.


MAC match

Table 8. MAC matches

The MAC match is used to check the source MAC address of a packet. At present the -m mac module provides a single match, but it may be extended in the future and become more useful.

Note

The extension module must be loaded explicitly with the -m mac option. I mention this because many people, having forgotten this option, wonder why the match does not work.

Match --mac-source
Example iptables -A INPUT -m mac --mac-source 00:00:00:00:00:01
Description The MAC address of the network node that sent the packet. The MAC address must be given in the form XX:XX:XX:XX:XX:XX. As before, the ! character inverts the match, for example --mac-source ! 00:00:00:00:00:01, which means a packet from any node except the node with MAC address 00:00:00:00:00:01. This match only makes sense in the PREROUTING, FORWARD and INPUT chains and nowhere else.

Limit match

Must be loaded explicitly with the -m limit option. It is ideal for rules that write to the system log (logging) and the like. By adding this match, we set the maximum number of packets per unit of time that the rule is able to pass. The ! character may be used for inversion, for example -m ! limit; in that case packets will pass the rule only after the limit has been exceeded.

Table 9. Limit match

Match --limit
Example iptables -A INPUT -m limit --limit 3/hour
Description Sets the maximum number of packets per unit of time to which this rule will be applied when all other conditions match. The argument is a number of packets and a time unit. The following time units are allowed: /second /minute /hour /day. The default value is 3 packets per hour, or 3/hour. The inversion flag [!] is not allowed in this match.
Match --limit-burst
Example iptables -A INPUT -m limit --limit-burst 5
Description Sets the maximum value of the burst limit number for the limit match. This number is incremented by one when a packet matching the rule arrives while the average rate (set with --limit) has already been reached. This continues until the burst limit number reaches the maximum set with --limit-burst, after which the rule passes packets at the rate set with --limit. The default value is 5. To demonstrate how this match works, I wrote the script limit-test.txt. With it you can see how the limit match behaves simply by sending ping packets at different time intervals.

From the translator: For a very long time my understanding of the limit matches was only intuitive, until Vladimir Kholmanov (hat off, with the deepest bow) explained its essence to me simply and clearly. I will try to pass on his explanation:

  1. The -m limit extension implies the --limit and --limit-burst options. If you do not specify these options, they take their default values.
  2. The --limit-burst option is the maximum value of the packet counter at which the limit kicks in.
  3. The --limit option is the rate at which the burst limit counter is "wound back".

A principle that is easy to implement in C and is widely used in many rate-limiting algorithms.
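The three points above describe a token bucket. The following is an added example written for this page, not netfilter's limit module and not the limit-test.txt script the author mentions: a Python model in which the bucket starts with --limit-burst tokens, each matching packet spends one, and the --limit rate refills them over time. The arrival times it is fed are constructed, and the names LimitMatch, parse_rate and simulate are the example's own.

```python
"""Added example: a token-bucket model of -m limit --limit / --limit-burst,
following the translator's three points above. Illustrative code written
for this page, not netfilter's own implementation; the packet arrival
times fed to it below are constructed."""

UNITS = {"second": 1.0, "minute": 60.0, "hour": 3600.0, "day": 86400.0}


def parse_rate(spec):
    """'3/hour' -> 3/3600 packets per second. A bare number means per second."""
    if "/" in spec:
        count, unit = spec.split("/", 1)
        return float(count) / UNITS[unit]
    return float(spec)


class LimitMatch:
    """Bucket of --limit-burst tokens, refilled at the --limit rate.

    Each matching packet spends one token (point 2: the counter at which
    the limit kicks in); elapsed time winds the counter back (point 3)."""

    def __init__(self, limit="3/hour", burst=5, negated=False):
        self.rate = parse_rate(limit)    # tokens added per second
        self.burst = float(burst)        # bucket capacity; starts full
        self.tokens = float(burst)
        self.last = None                 # time of the previous packet
        self.negated = negated           # models -m ! limit

    def matches(self, now):
        """Return True if the packet seen at time `now` matches the rule."""
        if self.last is not None and now > self.last:
            refill = (now - self.last) * self.rate
            self.tokens = min(self.burst, self.tokens + refill)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            within_limit = True
        else:
            within_limit = False
        return within_limit != self.negated


def simulate(limit, burst, arrivals, negated=False):
    """Feed packet arrival times (seconds) through one limit match and
    return the per-packet verdicts in order."""
    m = LimitMatch(limit, burst, negated)
    return [m.matches(t) for t in arrivals]


if __name__ == "__main__":
    # Six pings within half a second, then one an hour later, against the
    # defaults (3/hour, burst 5): the first five pass, the sixth is over
    # the limit, and an hour of refill lets the last one through.
    print(simulate("3/hour", 5, [0, 0.1, 0.2, 0.3, 0.4, 0.5, 3601]))
```

The defensive value is in what the bucket does once it is empty: a LOG rule guarded by -m limit emits at most the --limit rate after the burst is spent, so a flood of packets cannot fill the disk through the log, which is why the text recommends it for logging rules.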




Multiport extension

The multiport extension allows several ports and port ranges to be given in the text of a rule.

Note

You cannot use the standard port match and the -m multiport extension (for example --sport 1024:63353 -m multiport --dport 21,23,80) at the same time. Such rules are simply rejected by iptables.

Table 10. Multiport extension

Match --source-port
Example iptables -A INPUT -p tcp -m multiport --source-port 22,53,80,110
Description Specifies a list of source ports. Up to 15 different ports may be given with this match. The ports in the list must be separated by commas; spaces are not allowed in the list. This extension may only be used together with the -p tcp or -p udp matches. It is used mainly as an extended version of the ordinary --source-port match.
Match --destination-port
Example iptables -A INPUT -p tcp -m multiport --destination-port 22,53,80,110
Description Specifies a list of destination ports. The argument format is exactly the same as for -m multiport --source-port.
Match --port
Example iptables -A INPUT -p tcp -m multiport --port 22,53,80,110
Description This match checks both the source and the destination port of the packet. The argument format is the same as for --source-port and --destination-port. Note that this match checks the ports in both directions, i.e. if you write -m multiport --port 80, the match covers packets going from port 80 to port 80.

Mark extension

The mark extension provides the ability to "mark" packets in a special way. Mark is a special field that exists only in kernel memory and is associated with a specific packet. It can be used for many different purposes, for example traffic shaping and filtering. At present there is only one way to set a mark on a packet in Linux, and that is the MARK target. The mark field is an unsigned integer in the range 0 to 4294967296 on 32-bit systems.

Table 11. Mark extension

Match --mark
Example iptables -t mangle -A INPUT -m mark --mark 1
Description This match checks packets that have previously been "marked". Marks are set with the MARK target, which we will discuss below. All packets passing through netfilter have a special mark field. Remember that there is no way to pass the state of this field along with the packet onto the network. The mark field is an unsigned integer, so at most 65535 different marks can be created. A mask may be used with the mark; in that case the match looks like --mark 1/1. If a mask is given, a logical AND of the mark and the mask is performed.

Owner extension

The owner extension is intended to check the "owner" of a packet. Originally this extension was written as an example demonstrating the capabilities of iptables. This match may only be used in the OUTPUT chain. This restriction exists because at present there is no real mechanism for passing information about the "owner" over the network. In fairness it should be noted that for some packets the "owner" cannot be determined even in this chain. Various ICMP responses are among such packets. Therefore this match should not be applied to ICMP response packets.

Table 12. Owner extension

Match --uid-owner
Example iptables -A OUTPUT -m owner --uid-owner 500
Description Checks the "owner" by User ID (UID). This kind of check can be used, for example, to block Internet access for particular users.
Match --gid-owner
Example iptables -A OUTPUT -m owner --gid-owner 0
Description Checks the "owner" of the packet by Group ID (GID).
Match --pid-owner
Example iptables -A OUTPUT -m owner --pid-owner 78
Description Checks the "owner" of the packet by Process ID (PID). This match is rather awkward to use: for example, if we want to allow packets to the HTTP port only from a given daemon, we must write a small script that obtains the PID of the process (at least via ps) and then substitutes the PID found into the rules. An example of using this match can be found in pid-owner.txt.
Match --sid-owner
Example iptables -A OUTPUT -m owner --sid-owner 100
Description Checks the Session ID of the packet. The SID value is inherited by child processes from the "parent", so, for example, all HTTPD processes have the same SID (HTTPD Apache and Roxen are examples of such processes). An example of using this match can be found in sid-owner.txt. That script can be run periodically to check whether the HTTPD process is present and, if it is absent, to restart the "crashed" process, after which the OUTPUT chain is flushed and re-entered.

State match

The state match is used together with the connection tracking code and lets us obtain the tracking state of a connection, which tells us the state the connection is in, even for protocols such as ICMP and UDP. This extension must be loaded explicitly, with the -m state option. The connection tracking mechanism is discussed in more detail in the section The state machine.

Table 13. State matches

Match --state
Example iptables -A INPUT -m state --state RELATED,ESTABLISHED
Description Checks the connection state. At present four states can be given: INVALID, ESTABLISHED, NEW and RELATED. INVALID means that the packet is associated with an unknown stream or connection and possibly contains an error in its data or header. ESTABLISHED means that the packet belongs to an already established connection through which packets travel in both directions. NEW means that the packet opens a new connection, or that it belongs to a one-way stream. Finally, RELATED means that the packet belongs to an already existing connection but opens a new connection; an example is an FTP data transfer, or an ICMP error message related to an existing TCP or UDP connection. Note that the NEW state is not the same thing as a set SYN bit in the TCP packets that open a new connection, and such packets can be potentially dangerous when you use a single firewall to protect a network. This problem is discussed in more detail below in this document, in State NEW packets with the SYN bit unset.
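The remark that NEW is not the same as a set SYN bit can be made concrete. The following is an added example written for this page, not netfilter's conntrack: a toy connection table that, like the real one, calls the first packet of an unknown flow NEW whether or not SYN is set, and a model of a small INPUT chain that optionally puts the usual hardening rule -p tcp ! --syn -m state --state NEW -j DROP in front of the accept rules. RELATED and INVALID are not modelled, the addresses are constructed, and ConntrackLite, decide and run_scenarios are the example's own names.

```python
"""Added example: why a "NEW" packet is not the same as a SYN packet, and the
rule that closes the gap. Illustrative code written for this page, not
netfilter's conntrack: the tracker below only knows NEW and ESTABLISHED
(RELATED and INVALID are not modelled), and the packets are constructed."""

from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport flags")
SYN, ACK = 0x02, 0x10


class ConntrackLite:
    """Minimal connection table keyed by the tuple of the first packet."""

    def __init__(self):
        self.flows = {}

    @staticmethod
    def _key(p):
        return (p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reply_key(p):
        return (p.dst, p.dport, p.src, p.sport)

    def classify(self, p):
        """NEW for the first packet of an unknown flow (SYN or not);
        ESTABLISHED once traffic has been seen in both directions."""
        key, reply = self._key(p), self._reply_key(p)
        if reply in self.flows:            # a reply to a flow we know
            self.flows[reply] = self.flows[key] = "ESTABLISHED"
            return "ESTABLISHED"
        if key in self.flows:              # more packets in the original direction
            return self.flows[key]
        self.flows[key] = "NEW"            # unknown flow: NEW even without SYN
        return "NEW"


def decide(tracker, p, drop_new_without_syn=True):
    """Model of a small INPUT chain with policy DROP:
         -p tcp ! --syn -m state --state NEW -j DROP      (optional hardening)
         -m state --state ESTABLISHED -j ACCEPT
         -p tcp --dport 22 -m state --state NEW -j ACCEPT
    """
    state = tracker.classify(p)
    if drop_new_without_syn and state == "NEW" and not (p.flags & SYN):
        return "DROP"
    if state == "ESTABLISHED":
        return "ACCEPT"
    if state == "NEW" and p.dport == 22:
        return "ACCEPT"
    return "DROP"                          # chain policy


def run_scenarios():
    """Return verdicts for a normal handshake and for a lone ACK to port 22
    that no tracked connection explains, with and without the hardening rule."""
    client, server = "192.0.2.10", "192.0.2.1"      # constructed addresses
    syn = Packet(client, 40000, server, 22, SYN)
    syn_ack = Packet(server, 22, client, 40000, SYN | ACK)
    ack = Packet(client, 40000, server, 22, ACK)
    stray_ack = Packet("198.51.100.7", 5555, server, 22, ACK)

    t = ConntrackLite()
    handshake = [decide(t, syn), decide(t, syn_ack), decide(t, ack)]
    strict = decide(ConntrackLite(), stray_ack)
    lenient = decide(ConntrackLite(), stray_ack, drop_new_without_syn=False)
    return {"handshake": handshake, "stray_ack_strict": strict,
            "stray_ack_lenient": lenient}


if __name__ == "__main__":
    print(run_scenarios())
```

Without the hardening rule the lone ACK is NEW, matches the "--dport 22 --state NEW" rule and is accepted, even though it never opened a connection through this firewall; with the rule in place it is dropped while the genuine handshake is unaffected.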

ºàØâÕàØÙ "ÜãáÞàÐ" (Unclean match)

ºàØâÕàØÙ unclean ÝÕ ØÜÕÕâ ÔÞßÞÛÝØâÕÛìÝëå ÚÛîçÕÙ Ø ÔÛï ÕÓÞ ØáßÞÛì×ÞÒÐÝØï ÔÞáâÐâÞçÝÞ ïÒÝÞ ×ÐÓàãרâì ÜÞÔãÛì. ±ãÔìâÕ ÞáâÞàÞÖÝë, ÔÐÝÝëÙ ÜÞÔãÛì ÝÐåÞÔØâáï ÕéÕ ÝÐ áâÐÔØØ àÐ×àÐÑÞâÚØ Ø ßÞíâÞÜã Ò ÝÕÚÞâÞàëå áØâãÐæØïå ÜÞÖÕâ àÐÑÞâÐâì ÝÕÚÞààÕÚâÝÞ. ´ÐÝÝÐï ßàÞÒÕàÚÐ ßàÞØ×ÒÞÔØâáï ÔÛï ÒëçÛÕÝÕÝØï ßÐÚÕâÞÒ, ÚÞâÞàëÕ ØÜÕîâ àÐáåÞÖÔÕÝØï á ßàØÝïâëÜØ áâÐÝÔÐàâÐÜØ, íâÞ ÜÞÓãâ Ñëâì ßÐÚÕâë á ßÞÒàÕÖÔÕÝÝëÜ ×ÐÓÞÛÞÒÚÞÜ ØÛØ á ÝÕÒÕàÝÞÙ ÚÞÝâàÞÛìÝÞÙ áãÜÜÞÙ Ø ßà., ÞÔÝÐÚÞ ØáßÞÛì×ÞÒÐÝØÕ íâÞÙ ßàÞÒÕàÚØ ÜÞÖÕâ ßàØÒÕáâØ Ú àÐ×àëÒã Ø ÒßÞÛÝÕ ÚÞààÕÚâÝÞÓÞ áÞÕÔØÝÕÝØï.


TOS match

The TOS match checks the bits of the TOS field. TOS (Type Of Service) is an 8-bit field in the IP header. The module has to be loaded explicitly with -m tos.

Translator's note: The description of the TOS field given below is not taken from the original, because I find the original description somewhat vague.
The field exists for the benefit of routing. Setting any of its bits may cause a router to treat the packet differently from a packet with all TOS bits cleared. Each bit of the TOS field has its own meaning; only one of them may be set in a packet, so combinations are not allowed. Each bit requests a type of network service:
Minimize delay
Used when transit time should be as short as possible: where it has a choice, a router will pick the faster link for such a packet. If there is a choice between a fibre line and a satellite link, for example, the faster fibre line is preferred.
Maximize throughput
Asks that the packet be sent over the link with the highest throughput. Satellite links, for instance, have high latency but high throughput.
Maximize reliability
Asks for the most reliable route, to avoid retransmissions. PPP and SLIP links, for example, are less reliable than, say, X.25 networks, so a provider may offer a special route of higher reliability.
Minimize cost
Used when minimizing the (monetary) cost of transmission matters. On a transoceanic path, for instance, a leased satellite link may be cheaper than a leased fibre, and setting this bit may well send the packet over the cheaper route.
Normal service
All TOS bits cleared. Routing of such packets is left entirely to the provider's discretion.

Table 14. TOS match

Match: --tos
Example: iptables -A INPUT -p tcp -m tos --tos 0x16
Description: Matches packets whose TOS field has the given value, using the bits described above. The field is normally meant for routing, but it can also be used to "mark" packets for iproute2 and advanced routing in Linux. The argument may be a decimal or hexadecimal number (the example uses the raw value 0x16) or one of the mnemonics; the mnemonics and their numeric values can be listed with iptables -m tos -h. They are:
Minimize-Delay 16 (0x10) (minimize delay),
Maximize-Throughput 8 (0x08) (maximize throughput),
Maximize-Reliability 4 (0x04) (maximize reliability),
Minimize-Cost 2 (0x02) (minimize cost),
Normal-Service 0 (0x00) (normal service).

TTL match

TTL (Time To Live) is a numeric field in the IP header. Each router the packet passes decrements it by one; when it reaches zero the packet is discarded and the sender is told so with an ICMP Time Exceeded message (type 11) with code 0, "time to live exceeded in transit". Code 1 of the same type, "fragment reassembly time exceeded", is sent by a host whose reassembly timer ran out and has nothing to do with the TTL. The module has to be loaded explicitly with -m ttl.

Translator's note: Here again the original text disagrees with reality, at least for iptables 1.2.6a, which is what this document is about: there are three different matches on the TTL field, -m ttl --ttl-eq value, -m ttl --ttl-lt value and -m ttl --ttl-gt value. What they do is obvious from their syntax.
Nevertheless, here is the translation of the original:

Table 15. TTL match

Match: --ttl
Example: iptables -A OUTPUT -m ttl --ttl 60
Description: Matches packets whose TTL field equals the given value (--ttl is accepted as a synonym of --ttl-eq; --ttl-lt and --ttl-gt match values below and above the given one). This match can be useful when debugging a local network, for example when a host on the LAN cannot reach a server on the Internet, or when hunting for trojans and the like; the uses are limited only by your imagination. Another example: it can be used to find hosts with a poor TCP/IP stack implementation or a misconfigured operating system, since each operating system tends to send a characteristic initial TTL.

Targets and jumps

Targets and jumps tell a rule what to do with a packet that matches its criteria. The most commonly used targets are ACCEPT and DROP. First, though, a brief look at jumps.

A jump is written exactly like a target: the -j option followed by the name of the chain to jump to. Jumps come with restrictions: first, the chain jumped to must be in the same table as the chain the jump is made from; second, the target chain must have been created before any rule jumps to it. For example, create the chain tcp_packets in the filter table with iptables -N tcp_packets. We can then jump to it with a rule like iptables -A INPUT -p tcp -j tcp_packets, so that on meeting a TCP packet iptables jumps to tcp_packets and continues matching the packet against that chain. If the packet reaches the end of the chain it is returned to the calling chain (INPUT in our case) and traversal continues at the rule following the one that made the jump. If the packet is ACCEPTed in the called chain, it is automatically considered accepted in the calling chain as well and does not traverse the calling chains any further. It will, however, still traverse the chains of the other tables. More on the order in which chains and tables are traversed can be found in the chapter Traversing of tables and chains.

A target is a predefined action to take on a packet that matches the criteria of a rule. For example, we can DROP or ACCEPT the packet, depending on our needs. There are a number of other targets, described below in this section. Some targets end the packet's traversal of the chain, DROP and ACCEPT for example; others, such as LOG, perform some operation and then let matching continue; and others still, such as DNAT and SNAT, TTL and TOS, modify the packet and then also let it continue through the chain.


ACCEPT target

This target takes no options. When a packet is ACCEPTed it stops traversing the current chain (and all calling chains, if the current chain was jumped to) and is considered accepted, that is, let through. It will, however, still traverse the chains of the other tables and may be dropped there. The target is given as -j ACCEPT.


DROP target

This target simply "drops" the packet, and iptables forgets that it ever existed. Dropped packets stop their traversal completely: they are not passed on to other tables, as happens with ACCEPT. Keep in mind that a silent drop has a downside: it may leave dead, half-open sockets waiting for a timeout on both the server and the client. In such cases the REJECT target, which tells the sender that the connection was refused, is the better choice, particularly if you want to deny a port scanner the "filtered" signal that a silent drop produces. The trade-off is that a silent DROP forces a scanner to wait for timeouts and reveals nothing at all, which is why many administrators use DROP on Internet-facing interfaces and REJECT on internal ones.


QUEUE target

The QUEUE target queues the packet for handling by a user-space process. It can be used for accounting, proxying, or additional filtering of packets.

Translator's note: The author goes on at some length about how a discussion of this subject is far beyond the scope of this document, and so on; so, without further ado, here is an excerpt from the Linux 2.4 Packet Filtering HOWTO, in the translation by Evgeny Danilchenko aka virii5, eugene@kriljon.ru

"...For this target to be useful, two further components are required:

  • a "queue handler", which does the work of passing packets between the kernel and user space; and
  • a user-space application that receives the packets, possibly manipulates them, and issues verdicts on them.
The standard queue handler for IPv4 is the ip_queue module, which is distributed with the kernel and marked as experimental. Here is an example of how to use iptables to pass packets to a user-space application:
# modprobe iptable_filter
# modprobe ip_queue
# iptables -A OUTPUT -p icmp -j QUEUE
With this rule, locally generated ICMP packets (such as those produced by ping) are passed to the ip_queue module, which then tries to deliver them to a user-space application. If no such application is found, the packets are dropped. To write a user-space packet handler, use the libipq API, which is distributed with the iptables package. Examples can be found in the testsuite tools (e.g. redirect.c) in CVS. The status of ip_queue can be checked via /proc/net/ip_queue. The maximum queue length (that is, the number of packets delivered to user space with no verdict yet) can be controlled via /proc/sys/net/ipv4/ip_queue_maxlen; the default is 1024. Once this limit is reached, new packets are dropped until the queue falls back below it. Well-behaved protocols such as TCP interpret dropped packets as congestion and cope with it (as far as I remember, the packet is simply retransmitted by the remote side; translator's note). However, some experimentation may be needed to find the optimal queue length for a given situation if the default is too small..."




RETURN target

The RETURN target stops the packet's traversal of the current chain. If the current chain was jumped to from another chain, the packet returns to that calling chain; if the current chain is a built-in chain such as INPUT, the chain's default policy is applied to the packet instead. The default policy is usually ACCEPT or DROP.

As an example, suppose a packet travels through the INPUT chain and meets a rule that jumps to a user-defined chain, --jump EXAMPLE_CHAIN. In EXAMPLE_CHAIN it then meets a rule that does --jump RETURN. The packet returns to INPUT and traversal continues at the rule after the one that made the jump. In the other case, where the packet meets a --jump RETURN rule in INPUT itself, the INPUT chain's default policy is applied to it.
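The following script is an added example, not part of the original tutorial, and ties together the state match of Table 13 (including the "NEW without SYN" problem it mentions), the jump to a user-defined chain described under Targets and jumps, and RETURN as described above. It builds a stateful INPUT policy in which a user chain decides which new TCP connections to accept and returns everything else to INPUT. The interface name eth0 and the ports are assumptions. By default it only prints the iptables commands (a dry run); set IPT=iptables and run it as root to apply them.

```shell
#!/bin/sh
# Added example: a stateful INPUT policy built around a user-defined chain.
# IPT defaults to a dry run that only prints the commands; run as root with
# IPT=iptables to apply them. The interface name and ports are assumptions.
IPT="${IPT:-echo iptables}"

# $1 = interface facing the Internet, remaining arguments = TCP ports offered on it.
build_input_policy() {
    wan="$1"; shift

    $IPT -P INPUT DROP                # what a RETURN from INPUT itself falls back to
    $IPT -N tcp_services              # the chain must exist before any rule jumps to it
    for port in "$@"; do
        $IPT -A tcp_services -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    $IPT -A tcp_services -j RETURN    # not a service we offer: hand back to INPUT

    $IPT -A INPUT -i lo -j ACCEPT
    # Packets conntrack cannot classify (bad checksum, unknown stream) go first.
    $IPT -A INPUT -m state --state INVALID -j DROP
    # Replies and related traffic (FTP data, ICMP errors) for connections already seen.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # NEW is a conntrack notion: a stray ACK with no tracked connection is NEW too,
    # so insist that new TCP connections start with a SYN.
    $IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
    # Jump; an ACCEPT inside tcp_services ends traversal of INPUT as well.
    $IPT -A INPUT -i "$wan" -p tcp -j tcp_services
    # Reached only by packets that RETURNed from tcp_services or never jumped;
    # after this rule the packet falls off the end of INPUT and the DROP policy applies.
    $IPT -A INPUT -j LOG --log-prefix "INPUT unmatched: "
}

# Number of rules appended to a chain by build_input_policy (for a quick sanity check).
count_chain_rules() {
    chain="$1"; shift
    build_input_policy "$@" | grep -c -- " -A $chain "
}

build_input_policy eth0 22 80
```

The order matters: INVALID is dropped before the ESTABLISHED,RELATED rule so that broken packets never ride along with a known connection, and the SYN check sits before the jump so that tcp_services only ever sees genuine connection attempts.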


LOG target

LOG is the target used to log individual packets and events. The log entry can include the IP headers and other information of interest, and can be read afterwards with dmesg or through syslogd or other programs. It is an excellent tool for debugging your rule set: while debugging it is a good idea to use LOG rather than DROP, until you are sure the firewall behaves exactly as intended. Have a look at the ULOG target as well; it can be of interest because it writes the logged information not to the system log but, for example, to a MySQL database.

Note that if you have problems with entries not reaching the system log, it is not iptables or netfilter that is at fault but syslogd. See man syslog.conf for how to configure it.

LOG has five options, listed below.

Table 17. LOG target options

Option: --log-level
Example: iptables -A FORWARD -p tcp -j LOG --log-level debug
Description: Sets the log level (priority) of the entry. The full list of levels is in the syslog.conf manual page. Normally the following can be used: debug, info, notice, warning, warn, err, error, crit, alert, emerg and panic. The keyword error means the same as err, warn the same as warning, and panic the same as emerg, but error, warn and panic are deprecated and should not be used. The priority determines how the logger handles the message. All messages are logged through the kernel facility, so if you put the line kern.=info /var/log/iptables in syslog.conf, every iptables message at level info goes to /var/log/iptables; so, however, does every other kernel message at that level, which is one reason to give your rules a distinctive --log-prefix. For more on syslog and syslog.conf see the manual pages and HOWTOs.
Option: --log-prefix
Example: iptables -A INPUT -p tcp -j LOG --log-prefix "INPUT packets"
Description: Sets a text prefix that is prepended to each log entry, so that the entries of a particular rule can easily be found, for example with grep. The prefix may be up to 29 characters long, spaces included.
Option: --log-tcp-sequence
Example: iptables -A INPUT -p tcp -j LOG --log-tcp-sequence
Description: Logs the TCP sequence number of the packet. Sequence numbers identify each packet within a stream and define the order in which the stream is reassembled. Logging them is a security risk if the system log is readable by all users, since they make TCP sequence number prediction easier; the same caution applies to any log that contains iptables messages.
Option: --log-tcp-options
Example: iptables -A FORWARD -p tcp -j LOG --log-tcp-options
Description: Logs the options from the TCP header of the packet. This can be useful when debugging. Like most LOG options it takes no argument.
Option: --log-ip-options
Example: iptables -A FORWARD -p tcp -j LOG --log-ip-options
Description: Logs the options from the IP header of the packet. Much like --log-tcp-options, but for the IP header.
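As an added example, not part of the original tutorial: a LOG-then-DROP chain whose logging is rate limited with the limit match (a flood of unwanted packets must not become a flood of log lines), followed by a small shell function that reads the kind of kernel log line such a rule produces and reports, per source address, how many distinct destination ports it was logged against. The sample log lines are constructed for the example; the prefix, interface names and addresses are assumptions, and the iptables commands are printed rather than executed unless IPT=iptables is set.

```shell
#!/bin/sh
# Added example: rate-limited logging of dropped packets, and a parser for the
# resulting log lines. IPT defaults to a dry run that prints the commands.
IPT="${IPT:-echo iptables}"

# A chain that logs a burst of 5 entries, then at most 3 per minute, and drops.
log_then_drop() {
    $IPT -N log_drop
    $IPT -A log_drop -m limit --limit 3/minute --limit-burst 5 \
        -j LOG --log-level info --log-prefix "IPT-DROP: " --log-ip-options
    $IPT -A log_drop -j DROP
    $IPT -A INPUT -j log_drop      # placed at the end of INPUT, after the ACCEPT rules
}

# Constructed sample (not real log data) in the format the kernel writes for the rule above.
SAMPLE_LOG='Mar  3 10:15:01 fw kernel: IPT-DROP: IN=eth0 OUT= MAC=00:50:56:a1:b2:c3:00:0c:29:d4:e5:f6:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=4321 DF PROTO=TCP SPT=40122 DPT=22 WIN=5840 RES=0x00 SYN URGP=0
Mar  3 10:15:02 fw kernel: IPT-DROP: IN=eth0 OUT= MAC=00:50:56:a1:b2:c3:00:0c:29:d4:e5:f6:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=4322 DF PROTO=TCP SPT=40123 DPT=23 WIN=5840 RES=0x00 SYN URGP=0
Mar  3 10:15:02 fw kernel: IPT-DROP: IN=eth0 OUT= MAC=00:50:56:a1:b2:c3:00:0c:29:d4:e5:f6:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=4323 DF PROTO=TCP SPT=40124 DPT=25 WIN=5840 RES=0x00 SYN URGP=0
Mar  3 10:15:05 fw kernel: IPT-DROP: IN=eth0 OUT= MAC=00:50:56:a1:b2:c3:00:0c:29:d4:e5:f6:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=4324 DF PROTO=TCP SPT=40125 DPT=22 WIN=5840 RES=0x00 SYN URGP=0
Mar  3 10:15:09 fw kernel: IPT-DROP: IN=eth0 OUT= MAC=00:50:56:a1:b2:c3:00:0c:29:d4:e5:f6:08:00 SRC=192.0.2.44 DST=198.51.100.2 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=ICMP TYPE=8 CODE=0
Mar  3 10:15:10 fw kernel: eth0: link is up'

# Read log lines on stdin, keep those carrying prefix $1, and print for every
# source address the number of distinct destination ports it was logged against.
ports_per_source() {
    grep -F "$1" | awk '
        { src = ""; dpt = ""
          for (i = 1; i <= NF; i++) {
              if ($i ~ /^SRC=/) src = substr($i, 5)
              if ($i ~ /^DPT=/) dpt = substr($i, 5)
          }
        }
        src != "" && dpt != "" && !seen[src, dpt]++ { n[src]++ }
        END { for (s in n) print s, n[s] }' | sort -k2,2nr -k1,1
}

# Crude scan detector over the sample: sources logged against at least $2 distinct ports.
scan_suspects() {
    printf '%s\n' "$SAMPLE_LOG" | ports_per_source "$1" | awk -v min="$2" '$2 >= min { print $1 }'
}

log_then_drop
scan_suspects "IPT-DROP: " 3
```

The parser keys on the SRC= and DPT= fields rather than on column positions because the kernel omits fields that do not apply (the ICMP line above has no DPT=), and it counts distinct ports, so a client retrying one port does not look like a scan. Feed it real data with something like grep 'IPT-DROP: ' /var/log/messages | ports_per_source 'IPT-DROP: '.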

MARK target

Used to set a mark on particular packets. This target may only be used in the mangle table. Marks are typically used to route packets over different routes, for traffic shaping, and so on; see the LARTC HOWTO for more. Remember that the mark exists only while the packet is inside the firewall; it is not carried on the wire. If you need to mark packets for use on another machine, you may try manipulating the TOS bits instead.

Table 18. MARK target options

Option: --set-mark
Example: iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-mark 2
Description: --set-mark sets the mark on the packet. It takes an unsigned integer.

REJECT target

REJECT is used in much the same situations as DROP, but unlike DROP it sends an error message back to the host that sent the packet. At present REJECT works only in the INPUT, FORWARD and OUTPUT chains of the filter table (and in chains called from them). There is so far only one option controlling the behaviour of REJECT.

Table 19. REJECT target

Option: --reject-with
Example: iptables -A FORWARD -p TCP --dport 22 -j REJECT --reject-with tcp-reset
Description: Specifies which message to send back when a packet matches. When REJECT is applied, the chosen reply is first sent to the source host and the packet is then dropped. The following replies are allowed: icmp-net-unreachable, icmp-host-unreachable, icmp-port-unreachable, icmp-proto-unreachable, icmp-net-prohibited and icmp-host-prohibited. The default is port-unreachable. All of these are ICMP error messages; more on ICMP types is in the appendix ICMP types. Finally there is tcp-reset, which may be used only for the TCP protocol (that is, with -p tcp in the rule): REJECT then answers with a TCP RST packet, the packet used to tear down TCP connections; see RFC 793, Transmission Control Protocol. A classic use is rejecting ident (port 113) with tcp-reset so that mail servers do not hang waiting for an ident reply. (The list of ICMP reply types and their aliases can be obtained with iptables -j REJECT -h; translator's note.)

TOS target

The TOS target sets the bits of the Type of Service field in the IP header. The TOS field is 8 bits wide and is used for routing decisions; it is one of the fields iproute2 can act on. Keep in mind that routers along the path may also use it to choose a route. As noted above, this field, unlike a MARK, keeps its value as the packet travels across the network, so it can be used for routing purposes. Today most routers on the Internet ignore the field, but some do honour it, and if you use it for your own purposes those routers may make the wrong routing decision. It is therefore best to use it only within your own WAN or LAN.

Caution

The TOS target accepts only the predefined numeric values and mnemonics found in linux/ip.h. If you really need to set arbitrary TOS values, the FTOS patch by Matthew G. Marsh can do that, but be very careful with it: non-standard TOS values should be used only in special circumstances.

Note

This target may only be used in the mangle table.

Note

In some older versions of iptables (1.2.2 and earlier) this target had a bug: it did not recompute the packet checksum, which corrupts the packet and breaks the connection.

The TOS target has one option, described below.

Table 20. TOS target

Option: --set-tos
Example: iptables -t mangle -A PREROUTING -p TCP --dport 22 -j TOS --set-tos 0x10
Description: --set-tos takes a numeric value in decimal or hexadecimal. Since the TOS field is 8 bits wide, the number may range from 0 to 255 (0x00 to 0xFF), but most of those values are unused, and the numeric values may change in future TCP/IP implementations, so the mnemonics are safer: Minimize-Delay (16 or 0x10), Maximize-Throughput (8 or 0x08), Maximize-Reliability (4 or 0x04), Minimize-Cost (2 or 0x02) or Normal-Service (0 or 0x00). By default most packets carry Normal-Service, i.e. 0. The mnemonics can be listed with iptables -j TOS -h.

MIRROR target

The MIRROR target should only be used for experiments and demonstrations, since it can cause packet loops and thereby a denial of service. MIRROR inverts the source and destination fields of the packet and sends it back out. The result can be quite amusing: imagine a would-be cracker watching himself "break into" his own computer.

This target may only be used in the INPUT, FORWARD and PREROUTING chains and in chains called from them. Packets sent out by MIRROR are not subjected to filtering, connection tracking or NAT again, which avoids loops inside the firewall and other unpleasantness, but it does not mean the target is problem-free. Consider a host that uses MIRROR and receives a forged packet with a TTL of 255, addressed to that same host and matching the mirroring rule. The packet is mirrored back to the same host, and since sender and receiver are only one hop apart it bounces back and forth up to 255 times. Not bad for the cracker: at 1500 bytes per packet, that wastes about 380 KB of bandwidth per forged packet.


SNAT target

SNAT performs Source Network Address Translation, that is, it rewrites the source IP address in the IP header of a packet. It is used, for example, to give other hosts on a local network access to the Internet when you have only one public IP address. To do this you enable packet forwarding in the kernel and then write rules that translate the source addresses of your LAN into the real external address. The outside world then knows nothing of the LAN and sees all requests as coming from the firewall.

SNAT may only be used in the POSTROUTING chain of the nat table; in other words, this is the only place where source addresses may be translated. Only the first packet of a connection passes through this chain: once it has been translated, all further packets of the same connection are translated automatically and do not traverse the chain again.

Table 21. SNAT target

Option: --to-source
Example: iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 194.236.50.155-194.236.50.160:1024-32000
Description: --to-source specifies the address to give the packet: the IP address written into the header as the source. If you want to balance load across several addresses, a range may be given, with the first and last address separated by a hyphen, for example 194.236.50.155-194.236.50.160; an address is then picked from the range for each new stream. A port range to be used for the translated packets may be added as well; all source ports are then mapped into that range. iptables tries to avoid remapping ports where it can, but that is not always possible, and then the port is remapped. If no port range is given, source ports below 512 are mapped into 0-511, ports 512-1023 into 512-1023, and ports 1024-65535 into 1024-65535. Destination ports are never remapped.

DNAT target

DNAT (Destination Network Address Translation) rewrites the destination address in the IP header of a packet. When a packet matches a rule with the DNAT target, that packet and all further packets of the same stream have their destination rewritten and are delivered to the given device, host or network. This can be used, for example, to make a web server on the LAN, which has no public IP address, reachable from outside: you write a rule that catches packets arriving at the firewall's HTTP port and DNATs them to the web server's LAN address. A range of addresses may be given, in which case a destination is picked from the range for each new stream.

DNAT may only be used in the PREROUTING and OUTPUT chains of the nat table, and in chains called from them.

Table 22. DNAT target

Option: --to-destination
Example: iptables -t nat -A PREROUTING -p tcp -d 15.45.23.67 --dport 80 -j DNAT --to-destination 192.168.1.1-192.168.1.10
Description: --to-destination specifies the IP address to write into the packet as the destination. In the example, every packet arriving for 15.45.23.67 has its destination changed to one of the addresses 192.168.1.1 through 192.168.1.10. As noted above, all packets of one stream go to the same address, and an address from the range is picked for each new stream. A single IP address may be given instead. A port or port range to redirect to may be added after the address, separated by a colon: --to-destination 192.168.1.1:80, or for a range --to-destination 192.168.1.1:80-100. As you can see, the syntax of DNAT and SNAT is much alike. Remember that ports may be given only for TCP and UDP, and only when the rule specifies the protocol with --protocol.

DNAT is subtle enough to need some further explanation. Take a simple case: we have a web server on the LAN that we want to make reachable from the Internet, and we have one public IP address. The public address $INET_IP is assigned to the firewall, the HTTP server has the LAN address $HTTP_IP, and the firewall's own LAN address is $LAN_IP. We start by adding a simple rule to the PREROUTING chain of the nat table (note that --dport is only accepted together with -p tcp):

iptables -t nat -A PREROUTING -p tcp --dst $INET_IP --dport 80 -j DNAT --to-destination $HTTP_IP

With this rule, every packet arriving at port 80 of $INET_IP is redirected to our internal web server. From the Internet this works perfectly. But what happens when a client on the LAN tries to connect? The connection simply does not get established. Let us first look at how packets from the Internet reach the web server, taking the address of the Internet client to be $EXT_BOX:
  1. The packet leaves the client host $EXT_BOX, addressed to $INET_IP.
  2. The packet arrives at our firewall.
  3. The firewall rewrites the destination address according to the rule above and passes the packet on through the remaining chains.
  4. The packet is forwarded to $HTTP_IP.
  5. The packet reaches the HTTP server, which sends its reply via the firewall, provided the firewall is its gateway towards $EXT_BOX; normally the firewall is the HTTP server's default gateway.
  6. The firewall un-translates the address in the reply, so that the packet now looks as if it had been sent by the firewall itself.
  7. The packet is delivered to the client $EXT_BOX.



Now consider a request from a host on the same LAN, with address $LAN_BOX:

  1. The packet leaves $LAN_BOX.
  2. It arrives at the firewall.
  3. The destination address is rewritten, but the source address is left untouched.
  4. The packet leaves the firewall and is sent to the HTTP server.
  5. When the HTTP server prepares its reply it sees that the client is on the local network (the request still carries the original source address), so it sends the reply directly to $LAN_BOX, bypassing the firewall.
  6. The reply arrives at $LAN_BOX, which is confused: it sent its request to $INET_IP, but the reply comes from $HTTP_IP, an address it has no connection with, so it drops the reply and keeps waiting for the "real" one.



The problem is solved quite simply with SNAT. The rule below forces the HTTP server to send its replies back through our firewall, which then forwards them to the client. Restrict it to LAN sources with -s $LAN_NET (the LAN's network, e.g. 192.168.1.0/24): without that match it would also rewrite the source address of every Internet client, and the web server's logs would show nothing but $LAN_IP.

iptables -t nat -A POSTROUTING -p tcp -s $LAN_NET --dst $HTTP_IP --dport 80 -j SNAT --to-source $LAN_IP

Remember that POSTROUTING is traversed last, by which time the packet has already been through DNAT, which is why the match is on the destination address $HTTP_IP.

If you think we are done now, you are mistaken. Consider the case where the firewall itself is the client. Locally generated packets do not pass through PREROUTING, so, unfortunately, they would be delivered to port 80 on the firewall itself rather than to $HTTP_IP. To solve this too, we add the rule

iptables -t nat -A OUTPUT -p tcp --dst $INET_IP --dport 80 -j DNAT --to-destination $HTTP_IP

Now there should be no further problems reaching our web server.
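The whole set-up described above, as an added example that is not part of the original tutorial: DNAT in PREROUTING and OUTPUT, the hairpin SNAT restricted to LAN clients, ordinary source NAT for the rest of the LAN, and the FORWARD rules without which the translated packets are still filtered. All addresses and interface names are assumptions (eth0 public, eth1 LAN), and the script only prints the commands unless IPT=iptables and SYSCTL=sysctl are set and it is run as root.

```shell
#!/bin/sh
# Added example: publishing a LAN web server with DNAT, including the hairpin case.
# Dry run by default: the commands are printed, not executed.
IPT="${IPT:-echo iptables}"
SYSCTL="${SYSCTL:-echo sysctl}"

INET_IP="${INET_IP:-198.51.100.2}"       # public address of the firewall, on eth0
LAN_IP="${LAN_IP:-192.168.1.1}"          # firewall's address on the LAN, on eth1
LAN_NET="${LAN_NET:-192.168.1.0/24}"
HTTP_IP="${HTTP_IP:-192.168.1.10}"       # web server inside the LAN

publish_web_server() {
    # Forwarding must be enabled or the DNATed packets never leave the firewall.
    $SYSCTL -w net.ipv4.ip_forward=1

    # 1. Clients on the Internet and on the LAN: rewrite the destination before routing.
    #    -p tcp is required, otherwise --dport is rejected.
    $IPT -t nat -A PREROUTING -p tcp -d "$INET_IP" --dport 80 -j DNAT --to-destination "$HTTP_IP"
    # 2. The firewall itself as a client: locally generated packets skip PREROUTING.
    $IPT -t nat -A OUTPUT -p tcp -d "$INET_IP" --dport 80 -j DNAT --to-destination "$HTTP_IP"
    # 3. Hairpin for LAN clients only, so that Internet clients keep their real
    #    source address in the web server's logs.
    $IPT -t nat -A POSTROUTING -p tcp -s "$LAN_NET" -d "$HTTP_IP" --dport 80 -j SNAT --to-source "$LAN_IP"
    # 4. Source NAT for everything else leaving the LAN towards the Internet.
    $IPT -t nat -A POSTROUTING -o eth0 -s "$LAN_NET" -j SNAT --to-source "$INET_IP"
    # 5. The filter table still has to let the forwarded traffic through. FORWARD sees
    #    the packet after DNAT, so the web traffic is matched on $HTTP_IP.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -p tcp -d "$HTTP_IP" --dport 80 -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i eth1 -o eth0 -s "$LAN_NET" -m state --state NEW -j ACCEPT
}

# Number of rules the script adds to one chain of the nat table (sanity check).
nat_rule_count() {
    publish_web_server | grep -c -- "-t nat -A $1 "
}

publish_web_server
```

Rule 3 must precede rule 4 only in the sense that both are in POSTROUTING; they cannot both match one packet, because hairpin traffic leaves through eth1, not eth0. If the FORWARD policy is DROP, rule 5 is what makes the difference between "DNAT is configured" and "the web server is reachable".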


MASQUERADE target

Masquerading (MASQUERADE) is in essence the same as SNAT, but without the --to-source option. The reason is that masquerading is meant for dial-up or DHCP connections, that is, for interfaces whose IP address is assigned dynamically. If your connection is dynamic, use masquerading; if you have a static IP address, SNAT is without doubt the better choice.

Masquerading takes the IP address from the given network interface instead of having it spelled out, as --to-source does for SNAT. MASQUERADE also has the nice property of forgetting the connections when the interface goes down. With SNAT the connection tracking table would keep entries for the lost connections, and those entries can live for up to a day, wasting memory. The forgetting is deliberate: when an interface with a dynamic IP address goes down, it may well come back with a different address, in which case all the old connections are lost anyway, and it would be silly to keep tracking information about them.

As you will have gathered, MASQUERADE can be used instead of SNAT even with a static IP address, but despite its advantages it should not be preferred in that case, since it puts more load on the system (it has to look up the interface address for every new connection).

MASQUERADE may only be used in the POSTROUTING chain of the nat table, like SNAT. It has one option, described below, whose use is optional.

Table 23. MASQUERADE target

Option: --to-ports
Example: iptables -t nat -A POSTROUTING -p TCP -j MASQUERADE --to-ports 1024-31000
Description: --to-ports sets the source port or port range for the outgoing packets. A single port, --to-ports 1025, or a range, --to-ports 1024-3000, may be given. The option may only be used in rules whose criteria name the TCP or UDP protocol explicitly with --protocol.

REDIRECT target

Redirects packets and streams to another port on the same machine. For example, packets arriving at the HTTP port can be redirected to the port of an HTTP proxy. REDIRECT is very convenient for transparent proxying, where the hosts on the LAN are not even aware that a proxy exists.

REDIRECT may only be used in the PREROUTING and OUTPUT chains of the nat table, and of course in chains called from those. It has one option.

Table 24. REDIRECT target

Option: --to-ports
Example: iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
Description: --to-ports sets the destination port or port range. Without --to-ports no redirection takes place: the packet goes to the port it was addressed to. In the example above, --to-ports 8080 names a single destination port; a range is written as --to-ports 8080-8090. The option may only be used in rules whose criteria name the TCP or UDP protocol explicitly with --protocol.

TTL target

The TTL target is used to modify the Time To Live field in the IP header. One use of this target is to set the Time To Live field of ALL outgoing packets to the same value. Why? Some providers very much dislike a single connection being shared by several computers; if we set every packet to the same TTL, we deprive the provider of one criterion for detecting that the Internet connection is shared between several machines. A good example value is TTL = 64, which is the default for the Linux kernel.

For more information on setting the default value, see ip-sysctl.txt, listed in the appendix Other resources and links.

The TTL target may only be used in the mangle table and nowhere else. It takes three options, described below.

Table 25. TTL target

Option: --ttl-set
Example: iptables -t mangle -A PREROUTING -i eth0 -j TTL --ttl-set 64
Explanation: Sets the TTL field to the given value. A value of about 64 is considered optimal: neither too large nor too small. Do not set an excessively large value, as it can have unpleasant consequences for your network. Imagine a packet looping between two misconfigured routers: with a large TTL it has the chance to consume a significant share of the link's bandwidth before it dies.
Option: --ttl-dec
Example: iptables -t mangle -A PREROUTING -i eth0 -j TTL --ttl-dec 1
Explanation: Decrements the TTL field by the given amount. For example, if an incoming packet has TTL 53 and we apply --ttl-dec 3, the packet leaves our host with TTL 49. Remember that the network code decrements the TTL by 1 on its own, so in effect we get 53 - 3 - 1 = 49. IF ANYONE CAN GIVE AN EXAMPLE OF A PRACTICALLY USEFUL APPLICATION OF THIS OPTION, PLEASE TELL ME!
Option: --ttl-inc
Example: iptables -t mangle -A PREROUTING -i eth0 -j TTL --ttl-inc 1
Explanation: Increments the TTL field by the given amount. Taking the previous example, a packet arrives with TTL = 53; after --ttl-inc 4 it leaves our host with TTL = 56. Again, keep in mind the automatic decrement by the kernel's network code, so in effect 53 + 4 - 1 = 56. Incrementing the TTL can be used to make our firewall less visible to traceroutes. Traceroute programs are loved for the valuable information they give when tracking down network problems, and hated for exactly the same reason, since that information can be used by crackers for less honourable purposes. A usage example can be found in ttl-inc.txt.

ULOG target

The ULOG target provides logging of packets to user space. It replaces the traditional LOG target, which is based on the system log. With this target the packet is passed over netlink sockets to a special daemon that can do very detailed logging in various formats (plain text file, MySQL database, and so on) and supports plugins for producing different output formats and handling network protocols. The user-space part, ULOGD, can be obtained from the ULOGD project home page.

Table 26. ULOG target

Option: --ulog-nlgroup
Example: iptables -A INPUT -p TCP --dport 22 -j ULOG --ulog-nlgroup 2
Explanation: The --ulog-nlgroup option tells ULOG which netlink group the packet should be sent to. There are 32 groups in total (1 to 32). To send the packet to group 5, simply specify --ulog-nlgroup 5. The default is group 1.
Option: --ulog-prefix
Example: iptables -A INPUT -p TCP --dport 22 -j ULOG --ulog-prefix "SSH connection attempt: "
Explanation: The --ulog-prefix option has the same meaning as the corresponding option of the LOG target. The prefix string may not exceed 32 characters.
Option: --ulog-cprange
Example: iptables -A INPUT -p TCP --dport 22 -j ULOG --ulog-cprange 100
Explanation: The --ulog-cprange option specifies how many bytes of the packet are passed to the ULOG daemon. With the value 100, as in the example, only the first 100 bytes of the packet are copied to the daemon, i.e. the packet header and a small part of the payload. With 0 the whole packet is copied, regardless of its size. The default is 0.
Option: --ulog-qthreshold
Example: iptables -A INPUT -p TCP --dport 22 -j ULOG --ulog-qthreshold 10
Explanation: The --ulog-qthreshold option sets the size of the buffer in kernel space. With a buffer size of 10, as in the example, the kernel accumulates logged packets in an internal buffer and passes them to user space in batches of 10 packets. The default buffer size is 1, for backward compatibility with early versions of ulogd, which could not accept batches of packets.


The rc.firewall file

In this chapter we look at firewall configuration using the rc.firewall.txt script as an example. We take each basic setting in turn and examine how it works and what it does. This may give you ideas for solving your own tasks. To run this script you will have to change it so that it works with your network configuration; in most cases changing only the variables is enough.

Note

Note that there are more efficient ways of writing rule sets, but I aimed for maximum readability of the script, so that anyone could understand it without deep knowledge of the BASH shell.


Example rc.firewall

So, everything is ready for walking through the example file rc.firewall.txt (the script is included in this document in the appendix Example scripts). It is fairly large, but only because of the large number of comments. I suggest you now look through the file to get an idea of its contents, and then come back here for the detailed explanations.


Description of the rc.firewall script

Configuration

The first part of rc.firewall.txt is the configuration section. It sets the basic firewall parameters that depend on your network configuration. The IP addresses, for example, will certainly have to be changed to your own. The variable $INET_IP must contain your real IP address; if you connect to the Internet via DHCP, look at the rc.DHCP.firewall.txt script instead. Likewise, $INET_IFACE must name the device through which you connect to the Internet; this might be eth0, eth1, ppp0, tr0 and so on.

This script contains no settings specific to DHCP or PPPoE, so those sections are left empty. The same applies to the other "empty" sections. This is done deliberately, so that you can see the differences between the scripts more clearly. If you need to fill in these sections, you can take them from the other scripts or write your own.

The Local Area Network section must contain settings matching the configuration of your LAN. You must specify the firewall's LAN IP address, the interface connected to the LAN, the subnet mask and the broadcast address.

Next comes the Localhost Configuration section, which you will hardly ever need to change. It specifies the loopback interface lo and the local IP address 127.0.0.1. After Localhost Configuration comes the Iptables Configuration section. Here the variable $IPTABLES is created, holding the path to the iptables binary (/usr/local/sbin/iptables). If you installed iptables from source, your path may differ slightly from the one in the script, but in most distributions iptables lives exactly there.


Loading extra modules

First, the command /sbin/depmod -a checks module dependencies, after which the modules the script needs are loaded. Try to load only the modules you really need in your scripts.

Caution

In my scripts I forcibly load all the required modules, to avoid failures. If an error occurs while loading a module there can be many causes, but the main one is that the module in question has been compiled statically into the kernel. For more information see the section Problems loading modules.

The next section lists a number of modules that are not used in this script but are included as examples. One of them is ipt_owner, which can be used to grant network access from your machine only to a certain set of users, thereby raising the security level. For information on the ipt_owner match, see Owner match in the chapter How a rule is built.

We can load extra modules for state matching. All the modules that extend state matching are named ip_conntrack_* and ip_nat_*. These modules perform connection tracking for specific protocols. For example, FTP is a complex protocol by definition: it sends connection information in the data portion of the packet. So if a local host sends, through a firewall that does address translation, a request to connect to an FTP server on the Internet, the packet carries the host's local IP address inside it. And since addresses reserved for local networks are considered invalid on the Internet, the server will not know what to do with the request, and the connection will not be established. The FTP NAT helper module performs all the necessary address rewriting, so the FTP server actually receives the connection request from our external IP address and can establish the connection. The same applies to DCC file transfers and chats. Setting up connections of this kind requires sending an IP address and port over the IRC protocol, which likewise passes through network address translation on the firewall. Without the special helper modules, FTP and IRC work only in part. For example, you can receive files over DCC but cannot send them. This is due to how DCC starts a connection: you tell the receiving host that you want to send a file and where it should connect. Without the DCC helper the connection looks as if we asked the external receiver to connect to a host on our local network; put simply, the connection is broken. With the helper module everything works fine, because the receiver is given the correct IP address to connect to.

More information on the conntrack and nat modules can be found in the appendix Common problems and questions. Also do not forget the documentation included in the iptables package. To get these extra features you will need to install patch-o-matic and rebuild the kernel. How to do that is explained above in the chapter Preparations.

Note

Note that you need to load the ip_nat_irc and ip_nat_ftp modules only if you want Network Address Translation to work correctly with FTP and IRC. You also need to load ip_conntrack_irc and ip_conntrack_ftp before loading the NAT modules.


Setting up /proc

Here we turn on packet forwarding (IP forwarding) by writing a 1 to the file /proc/sys/net/ipv4/ip_forward, like this:

echo "1" > /proc/sys/net/ipv4/ip_forward

Caution

It is worth thinking about where and when to turn on IP forwarding. In this and the other scripts in this tutorial, we turn on forwarding before creating any iptables rules. Between the moment forwarding starts and the moment the required rules are in place, with our approach, anything from a few milliseconds to minutes may pass, depending on how much work the script does and how fast the particular computer is. Clearly this leaves a window of time during which an intruder could get through the firewall. So in a real deployment, forwarding should be turned on after the whole rule set has been created. Here I put it at the beginning purely for readability.

If you need dynamic IP support (when using SLIP, PPP or DHCP), you can uncomment the line:

echo "1" > /proc/sys/net/ipv4/ip_dynaddr

If you want to turn on any other options, you should consult the corresponding documentation for them. A good and concise document on the /proc filesystem ships with the kernel. Links to other documents can be found in the appendix Other resources and links.

Note

The rc.firewall.txt script, and all the other scripts in this tutorial, contain a small section of non-required proc settings. However attractive these options may look, do not turn them on until you are sure you understand clearly what they do.


Placing rules in other chains

Here we talk about user-defined chains, specifically the user-defined chains in the rc.firewall.txt script. My way of splitting the rules into extra chains may be unsuitable in one particular case or another. I hope to show you the possible pitfalls. This section overlaps closely with the chapter Traversing of tables and chains, and it would not hurt to look through that chapter once more, even if only briefly.

By distributing the rule set over user-defined chains I saved CPU time without sacrificing the system's security level or the readability of the scripts. Instead of passing TCP packets through the whole rule set (including the ICMP and UDP rules), I simply pick out the TCP packets and pass them through a user-defined chain meant specifically for TCP packets, which reduces the load on the system. The following picture shows schematically how packets traverse netfilter. In reality this picture is rather limited compared with the diagram in the chapter Traversing of tables and chains.

The main purpose of the picture is to refresh our memory. In general, this example script is based on the assumption that we have one local network, one firewall and a single Internet connection with a static IP address (as opposed to PPP, SLIP, DHCP and the like). It is also assumed that access to Internet services goes through the firewall, that we fully trust our local network and therefore do not intend to block traffic originating from it, but that the Internet cannot be considered a trusted network, so access from outside into our local network must be restricted. We follow the principle "everything that is not allowed is denied". To enforce the latter restriction we set the default policy to DROP, thereby cutting off connections that are not explicitly allowed.

Now let us look at what we need to do and how.

First, allow connections from the local network to the Internet. For this we need Network Address Translation (NAT). This is done in the PREROUTING chain (I believe the author simply made a typo here: the script itself fills the POSTROUTING chain, and we already know that SNAT is done in the POSTROUTING chain of the nat table; translator's note), which is filled in last in our script. Some filtering in the FORWARD chain is also implied. Fully trusting our local network and letting all its traffic out to the Internet does not yet mean trusting the Internet, so we must restrict access to our computers from outside. In our case we let packets into our network only for an already established connection, or for a new connection opened within an existing one (ESTABLISHED and RELATED).

As for the firewall machine itself, the services exposed to the Internet must be kept to a minimum. Accordingly we allow only HTTP, FTP, SSH and IDENTD access to the firewall. We accept these protocols in the INPUT chain, and correspondingly must allow the "reply" traffic in the OUTPUT chain. Since we assume a trusted relationship with the local network, we add rules for the LAN address range, and at the same time for the loopback interface and the local IP address (127.0.0.1). As mentioned above, there are several address ranges reserved specifically for local networks; on the Internet these addresses are considered invalid and as a rule are not routed. Therefore we also deny any traffic from the Internet whose source address belongs to a local network range. Finally, read the chapter Common problems and questions.

Since we run an FTP server, it would be desirable to put the rules serving connections to that server at the beginning of the INPUT chain, thereby reducing the load on the system. In general, understand that the fewer rules a packet traverses, the more CPU time is saved and the lower the load on the system. With this goal I split the rule set into extra chains.

In our example I split the packets into groups according to their protocol. For each protocol there is a chain of its own, for example tcp_packets, which holds the rules checking all permitted TCP ports and protocols. For an additional check of packets that have passed through one chain, another chain may be created; in our case that is the allowed chain. There, individual properties of TCP packets are examined before the final decision to accept is made. ICMP packets go through the icmp_packets chain, where we simply accept all ICMP packets with the specified message types. And finally UDP packets: they go through the udpincoming_packets chain, which handles incoming UDP packets. If they belong to permitted services they are accepted without further checks.

Since we are looking at a relatively small network, our firewall also serves as a workstation, so we allow connections to the Internet from the firewall itself as well.

And in conclusion, the OUTPUT chain. We do not impose any user-specific blocks, but we do not want anyone to use our firewall to send "forged" packets into the network, so we set rules that allow out only packets whose source is our LAN address, our local address (127.0.0.1) or our Internet address. Packets from these addresses are accepted by the OUTPUT chain; all others (most likely spoofed) are dropped by the default policy DROP.


Setting up the default policies

Before creating the rule set we must decide on the default policies of the chains. The default policy is set with a command like the one below:

iptables -P <chain name> <policy>

The default policy is the target applied to a packet that did not match any rule in the chain. (A small clarification: the iptables -P command applies ONLY TO THE BUILT-IN chains, i.e. INPUT, FORWARD, OUTPUT and so on, and not to user-defined chains; translator's note.)


Creating user-defined chains

By now you probably have a picture of how packets move through the various chains and how the chains interact with each other! You should already have a clear idea of the goals and purpose of this script. Let us start creating the chains and their rule sets.

First the extra chains must be created with the -N command. Right after creation a chain has no rules at all. In our example the chains icmp_packets, tcp_packets, udpincoming_packets and allowed are created, the last being called from the tcp_packets chain. Incoming ICMP packets from the $INET_IFACE interface (i.e. from the Internet) are sent to the icmp_packets chain, TCP packets are sent to the tcp_packets chain, and incoming UDP packets from the eth0 interface go to the udpincoming_packets chain.


The bad_tcp_packets chain

This chain is meant to filter out packets with "bad" headers and to solve a number of other problems. Here we filter out all packets that are recognized as NEW but are not SYN packets. This chain can be used as protection against intrusion and port scanning. A rule to discard packets in state INVALID has also been added here.


The allowed chain

A TCP packet arriving from the $INET_IFACE interface enters the tcp_packets chain; if it is addressed to a permitted port, an additional check follows.

The first rule checks whether the packet is a SYN packet, i.e. a connection request. We consider such a packet acceptable and accept it. The next rule accepts all packets in state ESTABLISHED or RELATED. When a connection is initiated with a SYN packet and a positive reply has been sent to that request, the connection gets the state ESTABLISHED. The last rule in this chain drops all remaining TCP packets. This rule catches packets belonging to no existing connection, and packets without the SYN bit that try to start a connection. Non-SYN packets are practically never used to start a connection, except in port scans. As far as I know, there is no TCP/IP implementation today that opens a connection other than by sending a SYN packet, so one can be 99% sure that the dropped packets were sent by a port scanner.


The TCP chain

So we come to TCP connections. Here we specify which ports may be reached from the Internet. Even if a packet passes the check here, we still pass every packet on to the allowed chain for additional checking.

I opened TCP port 21, the control port of FTP connections, and further allow all RELATED connections, thereby enabling PASSIVE FTP, provided the ip_conntrack_ftp module has been loaded. If you need to deny FTP connections, unload the ip_conntrack_ftp module and remove the line $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed from rc.firewall.txt.

Port 22 is SSH, which is far more secure than telnet on port 23. If you ever want to give someone on the Internet shell access, SSH is certainly the better choice. However, I want to point out that it is generally considered bad form to give anyone but yourself access to the firewall. Your firewall should run only the services that are really necessary, and no more.

Port 80 is the HTTP port, in other words the web server; remove this rule if you have no web server.

And finally port 113, which serves IDENTD and is used by some protocols such as IRC.


The UDP chain

UDP packets from the INPUT chain go to the udpincoming_packets chain. As with TCP packets, they are checked here for an acceptable destination port.

Port 53 is open for UDP packets; DNS lives there. If we want to use symbolic host names rather than IP addresses, we naturally have to let the domain name service work.

I personally allow port 123, on which NTP (network time protocol) runs. This service is normally used to obtain very accurate time from time servers on the Internet.

Port 2074 is used by some multimedia applications such as speak freely, which are used for real-time voice transmission.

And finally ICQ, on port 4000. This is the well-known protocol used by ICQ applications; I don't think I need to explain what that is.


The ICMP chain

Here the decision is made on accepting ICMP packets. If a packet arrives from eth0 into the INPUT chain, it is sent to the icmp_packets chain, where the ICMP message type is checked. Only ICMP Echo Replies, Destination Unreachable, Redirect and Time Exceeded are accepted.

My reasoning behind this decision is as follows: ICMP Echo Reply packets come back when you, for example, ping another host; if this message is denied, we lose the ability to use ping.

Destination Unreachable arrives when some host is unreachable; for example, when an HTTP request is made to an unreachable host, the last router, which could not find a route to it, returns a Destination Unreachable message to us. This saves us from waiting for our browser's time out, which by default is fairly long, on the order of 60 seconds or more.

Time Exceeded. As a packet travels across the network, every router decrements the TTL field in the packet header by 1. As soon as the TTL field reaches zero, the router sends a Time Exceeded message. For example, when you traceroute some host, the TTL is set to 1; it reaches zero at the very first router and we get back a Time Exceeded message; then the TTL is set to 2 and the second router sends us Time Exceeded, and so on until we get a reply from the host itself.

For the list of ICMP message types see the appendix. Further information on ICMP can be found in the following documents:

Be careful when blocking ICMP packets; I may be wrong in blocking some of them, and it may turn out to be unacceptable for you.


The INPUT chain

The INPUT chain, as I already wrote, delegates most of the work to other chains, thereby lowering the load on the packet filter. The effect of this way of organizing the rules is most noticeable on slow machines, which otherwise start losing packets under high load.

With the very first rule we try to discard "bad" packets. For more information about packets in state NEW without the SYN bit set, see the appendix. In some special situations such packets may be considered legitimate, but in 99% of cases it is better to stop them. So such packets are written to the system log and dropped.

Next, all ICMP packets arriving in the INPUT chain from the $INET_IFACE interface, eth0 in my case, are sent to the icmp_packets chain, which we looked at earlier. With the next rule all TCP packets from the $INET_IFACE interface are passed to the tcp_packets chain. And finally all UDP packets are sent to the udpincoming_packets chain.

At the end we allow everything coming from our $LOCALHOST_IP address, which is usually 127.0.0.1, everything coming from the $LAN_IP address, 192.168.0.2 in my case, and likewise everything from the local network, $LAN_IP_RANGE, which for me is 192.168.0.0/24. I accept everything that comes from my own external IP address and is in state ESTABLISHED or RELATED. Broadcast traffic from the local network is also accepted; some applications, such as Samba, depend on broadcast messages and cannot do their job without them.

With the last rule, before the default policy is applied to every packet not explicitly accepted in the INPUT chain, the traffic is logged, in case we need to hunt down the causes of problems. We give this rule a limit on the number of logged packets, at most 3 per minute, to prevent the log from growing out of control.

Everything not explicitly accepted in the INPUT chain is DROPped, since that is the target set as the default policy.


The OUTPUT chain

As I mentioned earlier, in my case the computer is used both as a firewall and as a workstation. So I let everything with source address $LOCALHOST_IP, $LAN_IP or $STATIC_IP leave my host. This is done as protection against traffic that a not-so-nice person on my machine might forge. And on top of that I log the dropped packets, to help in debugging or in detecting forged packets. All packets that did not match any of the rules are subject to the default policy, DROP.


The FORWARD chain

As usual, we allow packets from the local network to pass without restriction, with the rule

/usr/local/sbin/iptables -A FORWARD -i $LAN_IFACE -j ACCEPT

Naturally the reply packets must be let back into the local network, so with the next rule we accept everything in state ESTABLISHED or RELATED, i.e. packets belonging to a connection established FROM the local network. And before dropping all the disallowed packets by the default policy, we log the traffic, with a limit of 3 entries per minute.


The PREROUTING chain of the nat table

Here network address translation is done before the packets get to the INPUT or FORWARD chain. Once again I want to remind you that this chain is not meant for any kind of filtering, only for address translation, since only the first packet of a stream enters this chain.

First we cut off all packets with obviously invalid source addresses, such as addresses from the ranges reserved for local networks: 192.168.x.x, 10.x.x.x or 172.16.x.x. A similar rule can be used in the opposite direction, dropping all packets that do not belong to our local network.


Starting Network Address Translation

And the final section, setting up SNAT. At least for me. First we add a rule to the nat table, in the POSTROUTING chain, which rewrites the source address of all packets leaving through the interface connected to the Internet. For me that is eth0. The script defines a number of variables that can be used to configure it automatically. Besides, using variables improves the readability of the scripts. The -t option names the table, nat in this case. The -A command adds (Add) a new rule to the POSTROUTING chain, the -o $INET_IFACE match specifies the outgoing interface, and at the end of the rule we give the target for the packet, SNAT. Thus all packets matching the given criteria are "masqueraded", i.e. they look as if they were sent from our host. Do not forget the --to-source option with the appropriate IP address for the outgoing packets.

In this script I use SNAT rather than MASQUERADE for several reasons. First, the script is assumed to run on a host with a static IP address. Second, SNAT is faster and more efficient. Of course, if you do not have a static IP address you should use the MASQUERADE target, which provides a simpler way of translating addresses, since it automatically determines the IP address assigned to the given interface. Compared with SNAT, however, this target needs somewhat more computing resources, though not much. If you need an example of MASQUERADE, see the rc.DHCP.firewall.txt script.
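The whole procedure of this chapter as one script: default DROP policies, the user-defined chains, the INPUT, OUTPUT and FORWARD rules, the anti-spoofing drops in nat PREROUTING and the SNAT rule in nat POSTROUTING. This is an added example, not the tutorial's own rc.firewall.txt; it prints the iptables commands by default and executes them only with APPLY=1, it turns forwarding on after the rules rather than before (as the Caution above recommends), and it leaves ICMP Redirect out of the accepted types. 192.168.0.2, 192.168.0.0/24 and eth0 are the values quoted in the text; eth1 as the LAN interface and 203.0.113.10 as the static Internet address are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the tutorial's rc.firewall.txt: the rule set this chapter
# describes. Dry run by default (rules are printed); APPLY=1 executes them as root.
INET_IP="${INET_IP:-203.0.113.10}"              # constructed placeholder (static IP)
INET_IFACE="${INET_IFACE:-eth0}"                # Internet interface named in the text
LAN_IP="${LAN_IP:-192.168.0.2}"                 # $LAN_IP from the text
LAN_IP_RANGE="${LAN_IP_RANGE:-192.168.0.0/24}"  # $LAN_IP_RANGE from the text
LAN_BCAST="${LAN_BCAST:-192.168.0.255}"         # broadcast address of that range
LAN_IFACE="${LAN_IFACE:-eth1}"                  # constructed placeholder (LAN iface)
LO_IFACE="lo"
LO_IP="127.0.0.1"

# Every rule passes through ipt: printed when dry-running, executed with APPLY=1.
ipt() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

build_ruleset() {
    # 1. Default policies: everything not explicitly allowed is denied.
    #    -P applies to built-in chains only; user chains end with an explicit DROP.
    for chain in INPUT OUTPUT FORWARD; do
        ipt -P "$chain" DROP
    done
    # 2. User-defined chains; each is empty right after -N.
    for chain in bad_tcp_packets allowed tcp_packets udpincoming_packets icmp_packets; do
        ipt -N "$chain"
    done
    # bad_tcp_packets: NEW without SYN (logged, rate-limited) and INVALID are dropped.
    ipt -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -m limit --limit 3/minute -j LOG --log-prefix "New not syn: "
    ipt -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
    ipt -A bad_tcp_packets -m state --state INVALID -j DROP
    # allowed: SYN opens a connection, ESTABLISHED/RELATED continues one, any
    # other TCP packet is a stray (most likely a port scan) and is dropped.
    ipt -A allowed -p tcp --syn -j ACCEPT
    ipt -A allowed -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A allowed -p tcp -j DROP
    # tcp_packets: FTP control, SSH, HTTP, IDENTD; FTP first, it is the busiest.
    for port in 21 22 80 113; do
        ipt -A tcp_packets -p tcp -s 0/0 --dport "$port" -j allowed
    done
    # udpincoming_packets: DNS, NTP, speak freely, ICQ.
    for port in 53 123 2074 4000; do
        ipt -A udpincoming_packets -p udp -s 0/0 --dport "$port" -j ACCEPT
    done
    # icmp_packets: echo-reply (0), destination-unreachable (3), time-exceeded (11).
    # Redirect (5), which the chapter also lists, is left out: a Redirect accepted
    # from the Internet lets a remote host rewrite this machine's routes.
    for type in 0 3 11; do
        ipt -A icmp_packets -p icmp --icmp-type "$type" -j ACCEPT
    done
    # 3. INPUT: bad packets first, dispatch by protocol, trusted sources, then a
    #    rate-limited log entry before the DROP policy takes over.
    ipt -A INPUT -p tcp -j bad_tcp_packets
    ipt -A INPUT -p icmp -i "$INET_IFACE" -j icmp_packets
    ipt -A INPUT -p tcp -i "$INET_IFACE" -j tcp_packets
    ipt -A INPUT -p udp -i "$INET_IFACE" -j udpincoming_packets
    for src in "$LO_IP" "$LAN_IP" "$INET_IP"; do
        ipt -A INPUT -p all -i "$LO_IFACE" -s "$src" -j ACCEPT
    done
    ipt -A INPUT -p all -i "$LAN_IFACE" -s "$LAN_IP_RANGE" -j ACCEPT
    ipt -A INPUT -p all -i "$LAN_IFACE" -d "$LAN_BCAST" -j ACCEPT
    ipt -A INPUT -p all -d "$INET_IP" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-prefix "IPT INPUT packet died: "
    # 4. OUTPUT: only our own source addresses may leave, so nothing spoofed does.
    ipt -A OUTPUT -p tcp -j bad_tcp_packets
    for src in "$LO_IP" "$LAN_IP" "$INET_IP"; do
        ipt -A OUTPUT -p all -s "$src" -j ACCEPT
    done
    ipt -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-prefix "IPT OUTPUT packet died: "
    # 5. FORWARD: the LAN is trusted outbound; inbound only for existing connections.
    ipt -A FORWARD -p tcp -j bad_tcp_packets
    ipt -A FORWARD -i "$LAN_IFACE" -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-prefix "IPT FORWARD packet died: "
    # 6. nat: private source ranges arriving from the Internet are spoofed; then
    #    SNAT the LAN in POSTROUTING (not PREROUTING, as the translator's note says).
    for net in 192.168.0.0/16 10.0.0.0/8 172.16.0.0/12; do
        ipt -t nat -A PREROUTING -i "$INET_IFACE" -s "$net" -j DROP
    done
    ipt -t nat -A POSTROUTING -o "$INET_IFACE" -j SNAT --to-source "$INET_IP"
}

build_ruleset
# 7. Forwarding goes on last, after the rules are in place (see the Caution above).
if [ "${APPLY:-0}" = "1" ]; then
    echo 1 > /proc/sys/net/ipv4/ip_forward
else
    echo 'echo 1 > /proc/sys/net/ipv4/ip_forward'
fi
```

Run it without APPLY first and read the printed rules; with APPLY=1 the same functions drive the real iptables binary.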


Example scripts

The goal of this chapter is to give a brief description of each script in this tutorial. These scripts are not perfect, and they may not fully match your needs. That means you will have to adapt them to yourself. The rest of the tutorial is meant to make that adaptation easier.


Structure of the rc.firewall.txt file

All scripts described in this tutorial have a certain structure. This was done so that the scripts are as similar to each other as possible, making it easier to find the differences between them. This structure is described fairly well in this chapter. Here I hope to give you an understanding of why all the scripts were written the way they are and why I chose this particular structure.

Note

Note that this structure may turn out to be far from optimal for your scripts. It was chosen only to explain my train of thought better.


ÁâàãÚâãàÐ

ÍâÞ - áâàãÚâãàÐ, ÚÞâÞàÞÙ áÛÕÔãîâ ÒáÕ áæÕÝÐàØØ Ò íâÞÜ àãÚÞÒÞÔáâÒÕ. µáÛØ Òë ÞÑÝÐàãÖØâÕ, çâÞ íâÞ ÝÕ âÐÚ, âÞ áÚÞàÕÕ ÒáÕÓÞ íâÞ ÜÞï ÞèØÑÚÐ, ÕáÛØ ÚÞÝÕçÝÞ ï ÝÕ ÞÑêïáÝØÛ, ßÞçÕÜã ï ÝÐàãèØÛ íâã áâàãÚâãàã.

  1. Configuration - First of all we must set the configuration parameters for the script. In most cases the configuration parameters should come first in any script.

    1. Internet - This is the configuration section that describes the Internet connection. It can be omitted if you are not connected to the Internet. Note that there may be more subsections than are listed here, but only those that describe our Internet connection.

      1. DHCP - If there are DHCP-specific settings, they are added here.

      2. PPPoE - The settings for a PPPoE connection are described here.

    2. LAN - If there is any LOCAL NETWORK behind the firewall, the parameters that relate to it are given here. Most likely this section will be present almost always.

    3. DMZ - The DMZ configuration is added here. Most scripts will not have this section, since any normal home network, or small local network, will not have one. (DMZ - de-militarized zone. Most likely the author uses this term for a small subnet that holds only servers, for example DNS, MAIL, WEB and so on, and not a single user workstation. Translator's note.)

    4. Localhost - These parameters belong to our firewall itself (localhost). In your case these variables will hardly ever change, but I created them nevertheless. Hopefully you will have no reason to change them.

    5. iptables - This section contains information about iptables. In most scripts a single variable, which gives the path to iptables, will be enough.

    6. Other - Other settings that do not belong to any of the sections above go here.

  2. Module loading - This section of the scripts contains the list of modules. The first part should contain the required modules, while the second part should contain the non-required modules.

    Note

    Bear in mind that some modules, which provide extra features, may be listed even though they are not required. Usually the example script points this out in such cases.

    1. Required modules - This section should contain the modules that the script needs in order to work.

    2. Non-required modules - This section contains modules that are not required for the script to work normally. All of these modules should be commented out. If you need them, simply uncomment them.

  3. proc configuration - This section takes care of the configuration of the /proc file system. If these settings are required, they are listed; if not, they should be commented out by default and marked as non-required. Most of the useful /proc settings are listed in the examples, but far from all of them.

    1. Required proc configuration - This section should contain all the /proc settings the script requires. These may be settings needed to bring up the firewall, or ones that add special features for the administrator or the users.

    2. Non-required proc configuration - This section should contain the non-required /proc settings that may prove useful in the future. All of them should be commented out, since they are not actually needed for the script to work. This list will contain far from all of the /proc settings.

  4. rules set up - By this point the script is, as a rule, ready for the rule sets to be inserted. I have split all the rules up by table and chain. Any user-defined chains must be created before we can use them. I list the chains and their rule sets in the same order in which the iptables -L command prints them.

    1. Filter table - First of all we go through the filter table. To begin with, the default policies in the table must be set.

      1. Set policies - Setting the default policies for the built-in chains. Usually I set DROP for the chains in the filter table and then allow the traffic that originates from inside. That way we get rid of everything we do not want.

      2. Create user specified chains - In this section all the user-defined chains that we will use later within this table are created. We cannot use these chains until we have created them.

      3. Create content in user specified chains - After creating the user-defined chains, we can fill them with rules. The only reason the rules for the user-defined chains are defined here is that this keeps them close to the commands that create the chains. You may place these rules elsewhere in your script.

      4. INPUT chain - In this section the rules for the INPUT chain are added.

        Note

        As already mentioned, I have tried to follow the order in which the iptables -L command prints its output. There is no strong reason to keep to this structure, but do try to avoid mixing data from different tables and chains, because such a rule set becomes much harder to read and to search for possible problems.

      5. FORWARD chain - Here we add the rules to the FORWARD chain.

      6. OUTPUT chain - Last of all in the filter table, the OUTPUT chain is filled.

    2. nat table - After the filter table we move on to the nat table. This is done for a number of reasons. First of all, the NAT mechanism should not be started too early, while packets could still be forwarded without restriction (that is, when NAT is already enabled but there is not a single filtering rule yet). Also, I think of the nat table as a kind of layer that lies outside the filter table. The filter table is a kind of core, while nat is a shell around that core, and the mangle table can be seen as a shell around the nat table. This may not be entirely accurate, but it is not far from the truth either.

    3. Set policies - First of all we set all the default policies within the nat table. Usually I set ACCEPT. This table should not be used for filtering, and we should not "throw away" (DROP) packets here. There are a number of unpleasant side effects that can occur in such cases because of our assumptions. I accept all packets in these chains, since I see no reason not to.

    4. Create user specified chains - Here all the user-defined chains for the nat table are created. Usually I have none, but I added this section just in case. Note that user-defined chains must be created before they are actually used.

    5. Create content in user specified chains - Adding rules to the user-defined chains of the nat table. The reasoning for placing the rules here is the same as in the filter table. I add them here because I see no reason to put them anywhere else.

    6. PREROUTING chain - The PREROUTING chain is used for DNAT. In most scripts DNAT is not used, or is at least commented out, so as not to "open the gate" into our local network too widely. In some scripts this rule is enabled, since the whole purpose of those scripts is to provide services that are impossible without DNAT.

    7. POSTROUTING chain - The POSTROUTING chain is used by the scripts I have written, since in most cases there are one or more local networks that we want to connect to the Internet through the firewall. Mainly we will use SNAT, but in some cases we will be forced to use MASQUERADE.

    8. OUTPUT chain - The OUTPUT chain is hardly used at all in any of the scripts. I have not yet found any serious reason to use this chain. If you use it, drop me a few lines and I will add the corresponding changes to this tutorial.

  5. mangle table - The mangle table is the last table on the packets' path. Usually I do not use this table at all, since there is normally no need for anything like changing the TTL field or the TOS field and so on. In other words, I have left this section empty in some scripts, with a few exceptions where I added some examples of using this table.

    1. Set policies - Here the default policies are set. The same restrictions apply here as for the nat table. The table should not be used for filtering, and so you should avoid that. I have not set any policy in any of the scripts for the chains in the mangle table, and you should do the same.

    2. Create user specified chains - User-defined chains are created. Since I do not use the mangle table in the scripts, I have not created any user-defined chains. This section was added just in case, however.

    3. Create content in userspecified chains - If you have created any user-defined chains within this table, you can fill them with rules here.

    4. PREROUTING - At this point there is only a mention of the chain.

    5. INPUT chain - At this point there is only a mention of the chain.

    6. FORWARD chain - At this point there is only a mention of the chain.

    7. OUTPUT chain - At this point there is only a mention of the chain.

    8. POSTROUTING chain - At this point there is only a mention of the chain.

I hope I have explained in enough detail how each script is structured and why they are structured that way.

Caution

Bear in mind that these descriptions are extremely brief, and are only a short explanation of why the scripts have this structure. I do not claim to be the final authority, nor that this is the only or the best way to do it.


rc.firewall.txt

The rc.firewall.txt script is the core on which the rest of the scripts are based. The rc.firewall file chapter describes the script in considerable detail. The script is written for a home network where you have one LOCAL NETWORK and one Internet connection. It also assumes that you have a static IP address, and therefore do not use DHCP, PPP, SLIP or any other protocol that assigns the IP address dynamically. If that is not the case, take the rc.DHCP.firewall.txt script as your starting point instead.

The script requires that the following options be compiled into the kernel either statically or as modules. Without any one of them the script will not work.

  • CONFIG_PACKET
  • CONFIG_NETFILTER
  • CONFIG_IP_NF_CONNTRACK
  • CONFIG_IP_NF_IPTABLES
  • CONFIG_IP_NF_MATCH_LIMIT
  • CONFIG_IP_NF_MATCH_STATE
  • CONFIG_IP_NF_FILTER
  • CONFIG_IP_NF_NAT
  • CONFIG_IP_NF_TARGET_LOG



rc.DMZ.firewall.txt

The script requires that the following options be compiled into the kernel either statically or as modules. Without any one of them the script will not work.

  • CONFIG_PACKET
  • CONFIG_NETFILTER
  • CONFIG_IP_NF_CONNTRACK
  • CONFIG_IP_NF_IPTABLES
  • CONFIG_IP_NF_MATCH_LIMIT
  • CONFIG_IP_NF_MATCH_STATE
  • CONFIG_IP_NF_FILTER
  • CONFIG_IP_NF_NAT
  • CONFIG_IP_NF_TARGET_LOG


The rc.DMZ.firewall.txt script was written for those who have a trusted local network, one "Demilitarized Zone" and one Internet connection. To reach the servers in the Demilitarized Zone from outside, one-to-one NAT is used; that is, you have to make the firewall recognise packets for more than one IP address.

The script works with two internal networks, as shown in the figure. One uses the IP range 192.168.0.0/24 and is the Trusted Internal Network. The other uses the range 192.168.1.0/24 and is called the Demilitarized Zone (DMZ), for which we will perform one-to-one address translation (NAT). For example, if someone on the Internet sends a packet to our DNS_IP, we perform DNAT, which replaces the destination address with the local address of the DNS server in the DMZ. If DNAT were not performed, the DNS server could not receive the request, since its address is DMZ_DNS_IP, not DNS_IP. The translation is done by the following rule.

$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $DNS_IP --dport 53 -j DNAT --to-destination $DMZ_DNS_IP

To begin with, let me remind you that DNAT can only be done in the PREROUTING chain of the nat table. According to this rule, the packet must arrive over TCP on $INET_IFACE with a destination IP that matches our $DNS_IP, and be addressed to port 53. If such a packet is seen, the destination address is replaced, which is what DNAT does. The address to substitute is passed to the DNAT target with the --to-destination $DMZ_DNS_IP option. When the reply packet passes back through the firewall, the kernel's network code automatically changes the source address from $DMZ_DNS_IP to $DNS_IP; in other words, the reverse translation is done automatically and requires no extra rules.

By now you should understand how DNAT works well enough to work through the script itself without any problems. If anything remains unclear and it was not covered in this document, let me know; it is probably my mistake.

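As an added example (my own code, not the tutorial's rc.DMZ.firewall.txt), here is the DNAT pattern above extended to several DMZ services, together with the FORWARD rule the filter table also needs when its FORWARD policy is DROP. IPTABLES, INET_IFACE, DNS_IP and DMZ_DNS_IP follow the tutorial's variable names; DMZ_IFACE, HTTP_IP, DMZ_HTTP_IP, the addresses and the function names are assumptions, and setting IPTABLES=echo gives a dry run that prints the rules instead of loading them:

```shell
#!/bin/sh
# Added example, not part of the tutorial or its rc.DMZ.firewall.txt:
# one-to-one DNAT for several DMZ services, built from the rule pattern
# shown in the text. IPTABLES, INET_IFACE, DNS_IP and DMZ_DNS_IP follow
# the tutorial's names; DMZ_IFACE, HTTP_IP, DMZ_HTTP_IP and the addresses
# (documentation ranges) are constructed for this example.
# Set IPTABLES=echo to print the rules instead of loading them.

IPTABLES="${IPTABLES:-/usr/sbin/iptables}"
INET_IFACE="${INET_IFACE:-eth0}"
DMZ_IFACE="${DMZ_IFACE:-eth2}"

# Public addresses the firewall answers for, and the DMZ hosts behind them.
DNS_IP="${DNS_IP:-203.0.113.10}"
DMZ_DNS_IP="${DMZ_DNS_IP:-192.168.1.2}"
HTTP_IP="${HTTP_IP:-203.0.113.11}"
DMZ_HTTP_IP="${DMZ_HTTP_IP:-192.168.1.3}"

# dnat_service PUBLIC_IP DMZ_IP PROTO PORT
# Emits the PREROUTING DNAT rule from the text plus the FORWARD rule that
# the filter table also needs: with the DROP policy the tutorial's scripts
# use, DNAT alone does not let the translated packet through to the DMZ.
dnat_service() {
    public_ip=$1; dmz_ip=$2; proto=$3; port=$4
    $IPTABLES -t nat -A PREROUTING -p "$proto" -i "$INET_IFACE" \
        -d "$public_ip" --dport "$port" -j DNAT --to-destination "$dmz_ip"
    # The filter table runs after DNAT, so it sees the translated (DMZ)
    # destination; match on that address, not on the public one.
    $IPTABLES -A FORWARD -p "$proto" -i "$INET_IFACE" -o "$DMZ_IFACE" \
        -d "$dmz_ip" --dport "$port" -m state --state NEW -j ACCEPT
}

# dmz_rules: the services published from the DMZ, one line per service.
dmz_rules() {
    dnat_service "$DNS_IP"  "$DMZ_DNS_IP"  tcp 53
    dnat_service "$DNS_IP"  "$DMZ_DNS_IP"  udp 53
    dnat_service "$HTTP_IP" "$DMZ_HTTP_IP" tcp 80
}

case "${1:-}" in
    --print) IPTABLES=echo; dmz_rules ;;   # dry run: show the rules
    --apply) dmz_rules ;;                  # load them (needs root)
esac
```

Run it with --print first and compare the output against iptables -t nat -L -n and iptables -L -n after --apply.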

rc.DHCP.firewall.txt

The script requires that the following options be compiled into the kernel either statically or as modules. Without any one of them the script will not work.

  • CONFIG_PACKET
  • CONFIG_NETFILTER
  • CONFIG_IP_NF_CONNTRACK
  • CONFIG_IP_NF_IPTABLES
  • CONFIG_IP_NF_MATCH_LIMIT
  • CONFIG_IP_NF_MATCH_STATE
  • CONFIG_IP_NF_FILTER
  • CONFIG_IP_NF_NAT
  • CONFIG_IP_NF_TARGET_MASQUERADE
  • CONFIG_IP_NF_TARGET_LOG


The rc.DHCP.firewall.txt script is very similar to the original rc.firewall.txt. However, this script no longer uses the STATIC_IP variable, and that is the main difference from the original rc.firewall.txt. The reason is that rc.firewall.txt will not work with a dynamic IP address. The changes compared with the original are minimal. This script will be useful for DHCP, PPP and SLIP connections to the Internet.

The main difference in this script is the removal of the STATIC_IP variable and all references to it. The INET_IFACE variable is now used instead. In other words, -d $STATIC_IP is replaced by -i $INET_IFACE. That is essentially all that actually needs to be changed.
(Note that in this case the author means the INET_IP variable when he writes STATIC_IP. Translator's note.)

We can no longer set rules in the INPUT chain like this one: --in-interface $LAN_IFACE --dst $INET_IP. This in turn forces us to build rules based only on the network interface. For example, suppose an HTTP server is running on the firewall. If we open its main page, which contains a static link back to the same server running on a dynamic address, we can run into quite a few problems. A host that passes through NAT will look up the HTTP server's IP address via DNS and then try to reach that IP. If the firewall filters by interface and IP address, the host will get no reply, because the INPUT chain filters out such a request. (The author most likely has the rc.firewall.txt script in mind. Translator's note.) The same is true in some cases when we have a static IP address, but then it can be worked around with rules that check for packets arriving from the LAN interface to our INET_IP and ACCEPT them.

After all of the above, the idea of writing a script that handles a dynamic IP may not look so bad. For example, one could write a script that obtains the IP address through ifconfig and substitutes it into the text of the script (where the corresponding variable is defined) that brings up the Internet connection. The excellent site linuxguruz.org has a huge collection of scripts available for download. You will find the link to linuxguruz.org in the Links to other resources section.

Note

This script is less secure than rc.firewall.txt. I strongly recommend that you use the rc.firewall.txt script if at all possible, since rc.DHCP.firewall.txt is more open to attacks from outside.

Also, you could add something like this to your scripts:

INET_IP=`ifconfig $INET_IFACE | grep inet | cut -d : -f 2 | cut -d \ -f 1`

The command above obtains the dynamic IP from the interface, but this approach has serious drawbacks, described below.

  1. If the script is run from another script, which in turn is run by the PPP daemon, this may cause all already established connections to "hang", because of the rules that drop packets in state NEW without the SYN bit set (see Packets in state NEW with the SYN bit unset). The problem could of course be solved by removing those rules, but that is a rather questionable solution from a security standpoint.

  2. Suppose you have a set of static rules; it is rather crude to keep erasing and adding rules, and you risk breaking the existing ones. For example, if you want to block hosts on your LAN to connect to the firewall, but at the same time operate a script from the PPP daemon, how would you do it without erasing your already active rules blocking the LAN?

  3. It can lead to unnecessary complexity, which in turn weakens the protection. The simpler the script, the easier it is to maintain.


rc.UTIN.firewall.txt

The script requires that the following options be compiled into the kernel either statically or as modules. Without any one of them the script will not work.

  • CONFIG_PACKET
  • CONFIG_NETFILTER
  • CONFIG_IP_NF_CONNTRACK
  • CONFIG_IP_NF_IPTABLES
  • CONFIG_IP_NF_MATCH_LIMIT
  • CONFIG_IP_NF_MATCH_STATE
  • CONFIG_IP_NF_FILTER
  • CONFIG_IP_NF_NAT
  • CONFIG_IP_NF_TARGET_LOG


The rc.UTIN.firewall.txt script, unlike the other scripts, blocks the LAN that sits behind the firewall. We trust the internal users no more than we trust users on the Internet. In other words, we trust nobody, neither on the Internet nor on the local network we are connected to. Therefore Internet access is restricted to the POP3, HTTP and FTP protocols only.

This script follows the golden rule: "trust no one, not even your own employees". It is a sad fact that most of the attacks and break-ins a company suffers are carried out by the company's own employees from the local networks. Hopefully this script will give you some ideas that help you strengthen your firewall. It differs little from the original rc.firewall.txt, but it contains hints about what we usually let through.


rc.test-iptables.txt

The rc.test-iptables.txt script is meant for testing the different chains, but it may need some extra tweaking depending on your configuration, for example enabling ip_forwarding or setting up masquerading and so on. Nevertheless, in most cases with a basic setup, where the main tables are configured, this script will work. In fact, all this script does is set up LOG targets for ping requests and ping replies. That way it becomes possible to record in the system log which chains were traversed and in what order. Run the script and then execute the following commands:

ping -c 1 host.on.the.internet

And while the first command is running, execute tail -n 0 -f /var/log/messages. Now you should clearly see all the chains used and the order in which they are traversed.

Note

This script was written purely for demonstration purposes. In other words, you should not have logging rules like these, which log all packets without restriction. Otherwise you risk becoming easy prey for an attacker who can flood you with packets, "inflate" your log, which can cause a "Denial of Service", and then go on to actually break into your system without fear of being noticed, since the break-in cannot be logged by the system.


rc.flush-iptables.txt

The rc.flush-iptables.txt script has no real value on its own, since it simply resets all your tables and chains. At the start of the script, the default policies for the INPUT, OUTPUT and FORWARD chains in the filter table are set to ACCEPT. After that, the policies for the PREROUTING, POSTROUTING and OUTPUT chains of the nat table are reset to their defaults. These actions are performed first so that no problems arise with closed connections and blocked packets. In effect, this script can be used to prepare the firewall for configuration and while debugging your scripts, so here we only care about clearing the rule set and setting the default policies.

Once the default policies are set, we move on to flushing the contents of the chains in the filter and nat tables, and then all user-defined chains are deleted. After that the script finishes. If you use the mangle table, you will have to add the corresponding lines to the script to handle that table.

Note

A few closing words. A lot of people ask me why I do not put a call to this script into rc.firewall, writing something like rc.firewall start to run the script. I have not done so up to now, because I believe that teaching material should carry the basic ideas and should not be overloaded with assorted scripts with strange syntax. Adding special syntax makes the scripts less readable and the tutorial harder to understand, so this tutorial stays as it is, and will continue to stay that way.


Detailed description of special commands

Listing the rule set

To list the rules, run the iptables command with the -L option, which was briefly described earlier in the chapter How to build rules. It looks roughly like this:

iptables -L

This command prints the rule set on the screen in human-readable form. Port numbers are converted to service names according to the /etc/services file, and IP addresses are converted to host names through name resolution in DNS. Name resolution (resolving) can cause some problems: for example, with the network 192.168.0.0/16 the DNS service will not be able to find the host name for the address 192.168.1.1, and as a result the command will hang. To avoid this problem, list the rules with an extra option:

iptables -L -n

To print additional information about the chains and rules, run

iptables -L -n -v

There are a number of files in the /proc file system that contain information of considerable interest to us. For example, suppose we want to look at the list of connections in the conntrack table. This is the main table, which holds the list of tracked connections and the state each of them is in. To view the table, run the command

cat /proc/net/conntrack | less


Changing and flushing your tables

As you keep digging deeper into iptables, the question of how to remove individual rules from the chains without having to reboot the machine will come up more and more often. I will now try to answer it. If you added some rule by mistake, all you need to do is replace the -A command with the -D command in the rule line. iptables will find the given rule and delete it. If there are several rules that look like the pattern given for deletion, the first one found will be deleted. If that does not suit you, the -D command can be given the number of the line to delete as its parameter; for example, the command iptables -D INPUT 10 deletes the tenth rule in the INPUT chain. (To find out a rule's number, issue the command iptables -L CHAIN_NAME --line-numbers; the rules will then be printed with their numbers. Translator's note.)

To delete the contents of an entire chain, use the -F command. For example, iptables -F INPUT deletes all rules in the INPUT chain; however, this command does not change the chain's default policy, so if it is set to DROP, everything that enters the INPUT chain will still be blocked. To reset the default policy, simply set it back to its initial state, for example iptables -P INPUT ACCEPT.

I wrote a small script (described a little earlier) that clears all tables and chains and resets the chain policies in iptables. Just note that if you use the mangle table, you will need to extend this script, since it does not handle that table.

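As an added example (my own code, not the tutorial's rc.flush-iptables.txt), here is the flush sequence described in the rc.flush-iptables.txt section and referred to again just above, extended with the mangle-table handling the tutorial says you must add yourself; the mangle chains are the five listed in the structure section, and IPTABLES=echo turns the script into a dry run:

```shell
#!/bin/sh
# Added example, not the tutorial's rc.flush-iptables.txt: the same
# sequence (policies to ACCEPT first, then flush, then delete user-defined
# chains), extended with the mangle table that the tutorial's script leaves
# untouched. The mangle chain list is the one from the structure section;
# on a kernel whose mangle table lacks some of them, drop those names.
# IPTABLES=echo prints the commands instead of running them.

IPTABLES="${IPTABLES:-/usr/sbin/iptables}"

# reset_table TABLE CHAIN...
# Sets every built-in chain of TABLE to ACCEPT before flushing, so that
# nothing is blocked by a leftover DROP policy once the rules are gone.
reset_table() {
    table=$1; shift
    for chain in "$@"; do
        $IPTABLES -t "$table" -P "$chain" ACCEPT
    done
    $IPTABLES -t "$table" -F   # flush every chain in the table
    $IPTABLES -t "$table" -X   # delete the (now empty) user-defined chains
}

flush_all() {
    reset_table filter INPUT FORWARD OUTPUT
    reset_table nat PREROUTING POSTROUTING OUTPUT
    reset_table mangle PREROUTING INPUT FORWARD OUTPUT POSTROUTING
}

# flush_command_count: number of iptables invocations flush_all makes,
# computed from a dry run in a subshell; a quick sanity check.
flush_command_count() {
    ( IPTABLES=echo; flush_all ) | wc -l | tr -d ' '
}

case "${1:-}" in
    --print) IPTABLES=echo; flush_all ;;   # dry run: show the commands
    --apply) flush_all ;;                  # reset the firewall (needs root)
esac
```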

Common problems and questions

Module loading problems

You may run into several problems when trying to load a particular module. For example, you may get a message that the requested module is missing:

insmod: iptable_filter: no module by that name found

There is no reason to worry yet. It is quite possible that the requested module (or modules) was linked into the kernel statically. That is the first thing you should check. To do so, simply run the command

iptables -t filter -L

If everything is fine, this command prints in the terminal a list of all the chains in the filter table. The output should look roughly like this:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

If the filter table is missing, the output will look roughly like the following:

iptables v1.2.5: can't initialize iptables table `filter': Table does not exist (do you need to insmod?) Perhaps iptables or your kernel needs to be upgraded.

This is more serious, since the message indicates that either you forgot to install the modules, or you forgot to run depmod -a, or you did not compile the required modules at all. To fix the first problem, run make modules_install in the directory with the kernel sources. The second problem is solved by running depmod -a. Solving the third problem is beyond the scope of this tutorial, and in that case I recommend visiting the Linux Documentation Project home page. (Look again at the beginning of the document, where the iptables installation process is described. Translator's note.)

Other errors you may get when running iptables:

iptables: No chain/target/match by that name

This error says that there is no such chain, target or match. It can depend on a huge number of factors; most likely you are trying to use a non-existent (or not yet defined) chain, a non-existent target or a non-existent match. Or it may be because the required module is not loaded.


Passive FTP without DCC

This is one of the remarkable features of the new iptables supported by the 2.4.x kernels: you can allow Passive FTP and disallow DCC transfers by means of the new connection tracking code. You may ask "How?"; it is fairly simple. To make this possible, you need to compile ip_conntrack_irc, ip_nat_irc, ip_conntrack_ftp and ip_nat_ftp as loadable modules, not as static code in the kernel. What these modules do is add connection tracking and NAT support for Passive FTP and DCC send. Without these modules the kernel's network code cannot handle connections of this kind correctly.

If, for example, you want to allow Passive FTP but disallow DCC send, you need to load the ip_conntrack_ftp and ip_nat_ftp modules and NOT load the ip_conntrack_irc and ip_nat_irc modules, and then add the rule:

iptables -A INPUT -p TCP -m state --state RELATED -j ACCEPT

which allows Passive FTP connections but not DCC. If, on the contrary, you want to disallow Passive FTP and allow DCC, you do exactly the opposite: load the ip_conntrack_irc and ip_nat_irc modules and do NOT load the ip_conntrack_ftp and ip_nat_ftp modules. Note that the ip_nat_* modules are only needed if your firewall performs Network Address Translation or masquerading when connecting local hosts to the Internet.

For more information on Active and Passive FTP, read RFC 959 - File Transfer Protocol by J. Postel and J. Reynolds. This RFC contains information about the FTP protocol, Active and Passive FTP and how they work. As that document describes, with Active FTP the client sends the server its IP address and a randomly chosen port of its own for the connection. The server then connects to that port on the client. If your client is behind a firewall doing NAT, the data section of the packets must be rewritten, which is what the ip_nat_ftp module does. With Passive FTP the order of events is completely reversed. The client tells the server that it wants to send or receive data, and the server replies telling the client which address to connect to and which port to use.


Packets in state NEW with the SYN bit unset

This feature of iptables is not documented well enough, and so many people may pay too little attention to it (myself included). If you use rules that match on the packet state NEW but do not check the state of the SYN bit, packets without the SYN bit set can "slip through" your protection. On the other hand, when several firewalls are in use, such a packet may be part of an ESTABLISHED connection that was set up through another firewall. By letting such packets through we make it possible for two or more firewalls to work together, and we can stop any of them without fear of breaking the established connections, since the other firewall will immediately take over the forwarding. However, this allows practically any TCP connection to be established. To avoid this, the following rules should be added to the INPUT, OUTPUT and FORWARD chains:

$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

Caution

The rules above take care of this problem. Be extremely careful when building rules that make decisions based on packet state.

Note that there are some unpleasant interactions between the rules above and Microsoft's poor TCP/IP implementation. The thing is that under certain conditions, packets generated by Microsoft software are marked as NEW and, according to these rules, will be dropped. As far as I know, however, this does not break connections. It happens because, when a connection is closed and the final FIN/ACK packet is sent, netfilter closes the connection and removes it from the conntrack table. At that moment the flawed Microsoft code sends another packet, which is given the state NEW, but this packet does not have the SYN bit set and therefore matches the rules above. In short, do not worry too much about these rules. If anything goes wrong, you can look in the system log, where the dropped packets are logged (see the rules above), and sort them out.

There is one more known problem with these rules. If someone is currently connected to the firewall, for example from the LAN, and activates PPP, the connection will be killed. This happens at the moment the conntrack and nat modules are loaded or unloaded. Another way to trigger this problem is to run the rc.firewall.txt script from a telnet session from another computer. To do so, you connect to the firewall via telnet. You run rc.firewall.txt, which in the course of its execution loads the connection tracking modules and loads the "NEW not SYN" rules. When the telnet client or daemon tries to send something, the connection is recognised by the tracking code as NEW, but the packets do not have the SYN bit set, since they are actually part of an already established connection. Consequently the packet matches the rules, and as a result it is logged and dropped.

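As an added example (my own code, not from the tutorial), the entries that the "New not syn:" LOG rule above writes to the system log can be summarised per source address, so that the expected FIN/ACK stragglers described above can be told apart from anything unusual. The sample log lines are constructed; their field layout (SRC= DST= PROTO= SPT= DPT= and the TCP flag words) follows the netfilter LOG output format, and the function name is an assumption:

```shell
#!/bin/sh
# Added example, not part of the tutorial: summarise what the "New not syn:"
# LOG rule writes to /var/log/messages. The sample lines below are
# constructed; their fields (SRC= DST= PROTO= SPT= DPT= and the TCP flag
# words) follow the netfilter LOG output format.

# summarize_new_not_syn < logfile
# Prints one line per source address: "SRC count dports flag-combinations".
# A source that only ever shows ACK after a closed connection is the benign
# case described in the text; FIN- or RST-only probes to many ports are not.
summarize_new_not_syn() {
    grep 'New not syn:' | awk '
    {
        src = ""; dpt = ""; flags = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            else if ($i ~ /^(SYN|ACK|FIN|RST|PSH|URG)$/)
                flags = (flags == "" ? $i : flags "/" $i)
        }
        if (src == "") next
        count[src]++
        if (!((src, dpt) in ports)) {
            ports[src, dpt] = 1
            plist[src] = (plist[src] == "" ? dpt : plist[src] "," dpt)
        }
        if (!((src, flags) in combos)) {
            combos[src, flags] = 1
            flist[src] = (flist[src] == "" ? flags : flist[src] "," flags)
        }
    }
    END {
        for (s in count) printf "%s %d %s %s\n", s, count[s], plist[s], flist[s]
    }' | sort
}

# Constructed sample: two ACK-only packets from one host right after a
# closed connection (the Microsoft FIN/ACK case described in the text), one
# FIN-only packet from another host, and an unrelated ICMP line that the
# summary must ignore because it lacks the "New not syn:" prefix.
SAMPLE_LOG='Mar  3 10:12:01 fw kernel: New not syn:IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.1 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=1234 DF PROTO=TCP SPT=1052 DPT=80 WINDOW=0 RES=0x00 ACK URGP=0
Mar  3 10:12:02 fw kernel: New not syn:IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.1 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=1235 DF PROTO=TCP SPT=1052 DPT=80 WINDOW=0 RES=0x00 ACK URGP=0
Mar  3 10:15:40 fw kernel: New not syn:IN=eth0 OUT= SRC=192.0.2.9 DST=203.0.113.1 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=777 PROTO=TCP SPT=44321 DPT=22 WINDOW=1024 RES=0x00 FIN URGP=0
Mar  3 10:16:00 fw kernel: IN=eth0 OUT= SRC=192.0.2.50 DST=203.0.113.1 LEN=84 PROTO=ICMP TYPE=8 CODE=0'

# With --demo the summary is run on the sample; on a real firewall use
#   summarize_new_not_syn < /var/log/messages
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | summarize_new_not_syn
fi
```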

Internet service providers who use reserved IP addresses

I added this section to warn you about dim-witted Internet Service Providers who assign IP addresses that IANA has reserved for local networks. For example, the Swedish Internet Service Provider and telephone monopoly Telia uses such addresses, for instance for its DNS servers, which use the 10.x.x.x range. The problem you will most likely run into is that in our scripts we do not allow connections from any IP in the 10.x.x.x range, because of the possibility of spoofed packets. If you run into such a situation, you will probably have to remove some of the rules. Or add rules that let traffic from those servers through ahead of the INPUT chain, for example like this:

/usr/local/sbin/iptables -t nat -I PREROUTING -i eth1 -s 10.0.0.1/32 -j ACCEPT

I would like to remind such providers that these address ranges are not meant to be used on the Internet. For corporate networks, by all means; for your own home networks, fine! But you should not force us to "open up" on your whim.


How to let DHCP requests through iptables

In fact this task is quite simple if you know how the DHCP protocol works. First of all you need to know that DHCP runs over UDP, so the protocol is the first match criterion. Next, you should restrict the interface; for example, if DHCP requests arrive via $LAN_IFACE, then DHCP traffic should be allowed only on that interface. Finally, to make the rule more specific, you should restrict the ports: DHCP uses ports 67 and 68. The rule you are looking for may therefore look like this:

$IPTABLES -I INPUT -i $LAN_IFACE -p udp --dport 67:68 --sport 67:68 -j ACCEPT

Note that this rule lets through all UDP traffic between ports 67 and 68, but this should not worry you much, since it only admits datagrams from hosts on the network that talk to ports 67 and 68. This rule is quite enough to allow DHCP requests without "opening the gates" too widely. If security is a major concern for you, you can certainly tighten this rule further.
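The three match criteria above (protocol, interface, port ranges) can be checked against sample datagrams with this added rule matcher (example code, not from the tutorial). The packets, the interface name eth0 standing in for $LAN_IFACE, and the addresses are constructed. It encodes the tutorial's rule as written and, as an assumption of this example rather than a recommendation from the text, one tighter variant that admits only client-to-server datagrams (source port 68, destination port 67) for a firewall that is itself the DHCP server; the comparison shows which datagrams each rule admits and which fall through to the chain policy.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class UdpPacket:
    """Constructed view of what iptables sees on INPUT for one UDP datagram."""
    in_iface: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"


@dataclass(frozen=True)
class Rule:
    """One INPUT rule: -i IFACE -p PROTO --sport A:B --dport C:D -j TARGET."""
    in_iface: str
    proto: str
    sport: Tuple[int, int]
    dport: Tuple[int, int]
    target: str = "ACCEPT"

    def matches(self, pkt: UdpPacket) -> bool:
        # Port ranges are inclusive, as with iptables --sport/--dport A:B.
        return (pkt.in_iface == self.in_iface
                and pkt.proto == self.proto
                and self.sport[0] <= pkt.sport <= self.sport[1]
                and self.dport[0] <= pkt.dport <= self.dport[1])


def verdict(rules: List[Rule], pkt: UdpPacket, policy: str = "DROP") -> str:
    """First matching rule wins, as in a netfilter chain; otherwise the chain policy."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.target
    return policy


LAN_IFACE = "eth0"   # assumed value of $LAN_IFACE

# The tutorial's rule:
#   $IPTABLES -I INPUT -i $LAN_IFACE -p udp --dport 67:68 --sport 67:68 -j ACCEPT
DHCP_RULE = Rule(LAN_IFACE, "udp", (67, 68), (67, 68))

# Tighter variant (an assumption of this example, not from the tutorial): only
# client -> server datagrams, for a firewall that runs the DHCP server itself.
DHCP_SERVER_ONLY = Rule(LAN_IFACE, "udp", (68, 68), (67, 67))


def sample_packets() -> Dict[str, UdpPacket]:
    """Constructed datagrams covering the cases the rule does and does not admit."""
    return {
        # DHCPDISCOVER from an unconfigured client, broadcast to the server port
        "discover": UdpPacket(LAN_IFACE, "0.0.0.0", 68, "255.255.255.255", 67),
        # server reply arriving at a firewall that is itself a DHCP client
        "offer": UdpPacket(LAN_IFACE, "192.168.0.1", 67, "192.168.0.50", 68),
        # same request, but on the wrong interface
        "wrong_iface": UdpPacket("ppp0", "0.0.0.0", 68, "255.255.255.255", 67),
        # unrelated UDP (DNS) on the LAN interface
        "dns": UdpPacket(LAN_IFACE, "192.168.0.50", 40000, "192.168.0.1", 53),
        # source port matches, destination port does not
        "half": UdpPacket(LAN_IFACE, "192.168.0.50", 68, "192.168.0.1", 1234),
    }


def evaluate(rules: List[Rule]) -> Dict[str, str]:
    """Verdict of the given chain for every sample datagram."""
    return {name: verdict(rules, pkt) for name, pkt in sample_packets().items()}


if __name__ == "__main__":
    print("tutorial rule:", evaluate([DHCP_RULE]))
    print("server-only  :", evaluate([DHCP_SERVER_ONLY]))
```

With the tutorial's rule both the discover and the offer are accepted while the other three datagrams hit the policy; the server-only variant also refuses the offer, which is the right outcome only if the firewall never acts as a DHCP client on that interface.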


mIRC DCC problems

mIRC has specific settings that allow it to connect through a firewall and handle DCC connections properly. If these settings are used together with iptables, more precisely with the ip_conntrack_irc and ip_nat_irc modules, the combination simply will not work. The problem is that mIRC performs its own network address translation (NAT) inside the packets, so when such a packet reaches iptables, iptables does not know what to do with it. mIRC does not expect the firewall to be "smart" enough to handle IRC correctly, so it asks the IRC server for its own public IP and then inserts that address itself when it sends the DCC request.

Enabling the "I am behind a firewall" option while using the ip_conntrack_irc and ip_nat_irc modules causes netfilter to write the message "Forged DCC send packet" to the system log.

This problem has a simple solution: disable this option in mIRC and let iptables do all the work.


ICMP types

This is the complete list of ICMP message types:

Table 1. ICMP types

TYPE  CODE  Description                                               Query  Error
  0     0   Echo Reply                                                  x
  3     0   Network Unreachable                                                x
  3     1   Host Unreachable                                                   x
  3     2   Protocol Unreachable                                               x
  3     3   Port Unreachable                                                   x
  3     4   Fragmentation needed but no frag. bit set                          x
  3     5   Source routing failed                                              x
  3     6   Destination network unknown                                        x
  3     7   Destination host unknown                                           x
  3     8   Source host isolated (obsolete)                                    x
  3     9   Destination network administratively prohibited                    x
  3    10   Destination host administratively prohibited                       x
  3    11   Network unreachable for TOS                                        x
  3    12   Host unreachable for TOS                                           x
  3    13   Communication administratively prohibited by filtering             x
  3    14   Host precedence violation                                          x
  3    15   Precedence cutoff in effect                                        x
  4     0   Source quench
  5     0   Redirect for network
  5     1   Redirect for host
  5     2   Redirect for TOS and network
  5     3   Redirect for TOS and host
  8     0   Echo request                                                x
  9     0   Router advertisement
 10     0   Router solicitation
 11     0   TTL equals 0 during transit                                        x
 11     1   TTL equals 0 during reassembly                                     x
 12     0   IP header bad (catchall error)                                     x
 12     1   Required options missing                                           x
 13     0   Timestamp request (obsolete)                                x
 14     0   Timestamp reply (obsolete)                                  x
 15     0   Information request (obsolete)                              x
 16     0   Information reply (obsolete)                                x
 17     0   Address mask request                                        x
 18     0   Address mask reply                                          x
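The table is what a filter or a log reviewer consults when deciding what an ICMP message is; the added parser below (example code, not part of the tutorial) shows how that decision is made from the raw message: it decodes the 8-byte ICMP header, verifies the RFC 1071 checksum, classifies the type/code pair as a query or an error using a subset of Table 1, and for error messages extracts the quoted IP header of the packet that triggered them, which is what tells you which of your own connections the error refers to. All sample messages (an echo request and a port-unreachable quoting a UDP datagram from 10.0.0.5:40000 to 10.0.0.1:53) are constructed inside the block.

```python
import struct

# (type, code) -> (description, kind) for the entries of Table 1 used here;
# kind is "query", "error" or None where the table marks neither column.
ICMP_TYPES = {
    (0, 0): ("Echo Reply", "query"),
    (3, 0): ("Network Unreachable", "error"),
    (3, 1): ("Host Unreachable", "error"),
    (3, 3): ("Port Unreachable", "error"),
    (3, 4): ("Fragmentation needed but no frag. bit set", "error"),
    (3, 13): ("Communication administratively prohibited by filtering", "error"),
    (4, 0): ("Source quench", None),
    (5, 0): ("Redirect for network", None),
    (8, 0): ("Echo request", "query"),
    (11, 0): ("TTL equals 0 during transit", "error"),
    (11, 1): ("TTL equals 0 during reassembly", "error"),
    (12, 0): ("IP header bad (catchall error)", "error"),
    (13, 0): ("Timestamp request (obsolete)", "query"),
    (17, 0): ("Address mask request", "query"),
}


def inet_checksum(data):
    """RFC 1071 one's-complement checksum as used by IP and ICMP."""
    if len(data) % 2:
        data = data + b"\x00"          # pad an odd-length message for summing
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                 # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_icmp(payload):
    """Decode an ICMP message; for error types also pull out the quoted IP header."""
    if len(payload) < 8:
        raise ValueError("ICMP message shorter than 8 bytes")
    icmp_type, code, _cksum = struct.unpack("!BBH", payload[:4])
    if inet_checksum(payload) != 0:    # a valid message sums to zero with its checksum
        raise ValueError("bad ICMP checksum")
    desc, kind = ICMP_TYPES.get((icmp_type, code), ("unknown", None))
    result = {"type": icmp_type, "code": code, "description": desc, "kind": kind}
    if kind == "error" and len(payload) >= 8 + 20:
        # Error messages carry the IP header (+8 bytes) of the packet that caused them.
        ihl = (payload[8] & 0x0F) * 4
        proto = payload[8 + 9]
        src = ".".join(str(b) for b in payload[8 + 12:8 + 16])
        dst = ".".join(str(b) for b in payload[8 + 16:8 + 20])
        result["quoted"] = {"proto": proto, "src": src, "dst": dst}
        if proto in (6, 17) and len(payload) >= 8 + ihl + 4:
            # The first 8 quoted transport bytes hold the TCP/UDP ports.
            sport, dport = struct.unpack("!HH", payload[8 + ihl:8 + ihl + 4])
            result["quoted"].update(sport=sport, dport=dport)
    return result


def build_icmp(icmp_type, code, rest=b"\x00\x00\x00\x00", data=b""):
    """Assemble an ICMP message with a correct checksum (used to construct samples)."""
    msg = struct.pack("!BBH", icmp_type, code, 0) + rest + data
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]


def sample_port_unreachable():
    """Constructed type 3 / code 3 quoting UDP 10.0.0.5:40000 -> 10.0.0.1:53."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                         bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1]))
    udp_hdr = struct.pack("!HHHH", 40000, 53, 8, 0)
    return build_icmp(3, 3, data=ip_hdr + udp_hdr)


if __name__ == "__main__":
    print(parse_icmp(sample_port_unreachable()))
    print(parse_icmp(build_icmp(8, 0, rest=struct.pack("!HH", 0x1234, 1), data=b"abc")))
```

Rejecting messages whose checksum does not verify before consulting the table is deliberate: a logger that trusts the type byte of a corrupted or truncated message will mislabel it, and the quoted header is only meaningful once the outer message is known to be intact.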

Links to other resources

Here is a list of links where you can get more information:

  • ip-sysctl.txt - from the 2.4.14 kernel documentation. A small but good reference on the tunables of the kernel's networking code.

  • ip_dynaddr.txt - from the 2.4.14 kernel documentation. A small reference on the ip_dynaddr settings available through sysctl and the /proc file system.

  • iptables.8 - the iptables 1.2.4 man page in HTML format. An excellent guide for writing iptables rules. Always useful to have at hand.

  • http://netfilter.filewatcher.org/ - The official netfilter and iptables site. A must for anyone who wants to set up iptables and netfilter on Linux.

  • http://netfilter.filewatcher.org/netfilter-faq.html - The official netfilter FAQ (Frequently Asked Questions).

  • http://netfilter.filewatcher.org/unreliable-guides/packet-filtering-HOWTO/index.html - Rusty Russell's Unreliable Guide to packet filtering. Excellent documentation on the basics of packet filtering with iptables, written by one of the iptables and netfilter developers.

  • http://netfilter.filewatcher.org/unreliable-guides/NAT-HOWTO/index.html - Rusty Russell's Unreliable Guide to Network Address Translation. Excellent documentation on Network Address Translation in iptables and netfilter, written by one of the core developers, Rusty Russell.

  • http://netfilter.filewatcher.org/unreliable-guides/netfilter-hacking-HOWTO/index.html - Rusty Russell's Unreliable Netfilter Hacking HOWTO. One of the few documents on writing code for netfilter and iptables. Also written by Rusty Russell.

  • http://www.linuxguruz.org/iptables/ - Contains many links on the subject. Has a list of iptables scripts for various uses.

  • http://www.islandsoft.net/veerapen.html - An excellent discussion of automating iptables, for example how, with minor changes, to make your computer automatically add "undesirable" sites to a special banlist in iptables.

  • http://kalamazoolinux.org/presentations/20010417/conntrack.html - An excellent description of the connection tracking modules. If you are interested in connection tracking, you should read it.

  • http://www.docum.org - One of the few sites with information on the Linux CBQ, tc and ip commands. Maintained by Stef Coene.

  • http://lists.samba.org/mailman/listinfo/netfilter - The official netfilter mailing list. Extremely useful for resolving questions about iptables and netfilter.

And of course the iptables source code, its documentation, and the people who helped me.


Acknowledgements

I would like to express special thanks to the people who gave me invaluable help in creating this document:

  • Fabrice Marie, as chief editor, for correcting my terrible mistakes. And also huge thanks for converting this document to DocBook format.

  • Marc Boucher, for help on some aspects of the state matching code.

  • Frode E. Nyboe, for improving the rc.firewall rules, for inspiring me to rewrite the rules, and for introducing multiple tables into the same file.

  • Chapman Brad, Alexander W. Janssen, for help in understanding the order in which packets traverse the main NAT and filter tables.

  • Michiel Brandenburg, Myles Uyema, for help in getting working rules that use state matching criteria.

  • Kent `Artech' Stahre, for help with the graphics. I know I am a poor designer, and you are among the best I know ;). Also thanks for finding errors in this document.

  • Anders 'DeZENT' Johansson, for information about strange ISPs that use addresses reserved for local networks.

  • Jeremy `Spliffy' Smith, for numerous hints and for catching my mistakes.

And of course everyone who answered my questions and gave their opinions on this document. I am very sorry that I cannot mention everyone.

History

Version 1.1.11 (27 May 2002)
http://www.netfilter.org/tutorial/
By: Oskar Andreasson
Contributors: Steve Hnizdur, Lonni Friedman, Jelle Kalf, Harald Welte,
Valentina Barrios and Tony Earnshaw.

Version 1.1.9 (21 March 2002)
http://www.boingworld.com/workshops/linux/iptables-tutorial/
By: Oskar Andreasson
Contributors: Vince Herried, Togan Muftuoglu, Galen Johnson, Kelly Ashe, Janne
Johansson, Thomas Smets, Peter Horst, Mitch Landers, Neil Jolly, Jelle Kalf,
Jason Lam and Evan Nemerson

Version 1.1.8 (5 March 2002)
http://www.boingworld.com/workshops/linux/iptables-tutorial/
By: Oskar Andreasson

Version 1.1.7 (4 February 2002)
http://www.boingworld.com/workshops/linux/iptables-tutorial/
By: Oskar Andreasson
Contributors: Parimi Ravi, Phil Schultz, Steven McClintoc, Bill Dossett,
Dave Wreski, Erik Sjölund, Adam Mansbridge, Vasoo Veerapen, Aladdin and
Rusty Russell.

Version 1.1.6 (7 December 2001)
http://people.unix-fu.org/andreasson/
By: Oskar Andreasson
Contributors: Jim Ramsey, Phil Schultz, Göran Båge, Doug Monroe, Jasper
Aikema, Kurt Lieber, Chris Tallon, Chris Martin, Jonas Pasche, Jan
Labanowski, Rodrigo R. Branco, Jacco van Koll and Dave Wreski

Version 1.1.5 (14 November 2001)
http://people.unix-fu.org/andreasson/
By: Oskar Andreasson
Contributors: Fabrice Marie, Merijn Schering and Kurt Lieber

Version 1.1.4 (6 November 2001)
http://people.unix-fu.org/andreasson
By: Oskar Andreasson
Contributors: Stig W. Jensen, Steve Hnizdur, Chris Pluta and Kurt Lieber

Version 1.1.3 (9 October 2001)
http://people.unix-fu.org/andreasson
By: Oskar Andreasson
Contributors: Joni Chu, N. Emile Akabi-Davis and Jelle Kalf

Version 1.1.2 (29 September 2001)
http://people.unix-fu.org/andreasson
By: Oskar Andreasson

Version 1.1.1 (26 September 2001)
http://people.unix-fu.org/andreasson
By: Oskar Andreasson
Contributors: Dave Richardson

Version 1.1.0 (15 September 2001)
http://people.unix-fu.org/andreasson
By: Oskar Andreasson

Version 1.0.9 (9 September 2001)
http://people.unix-fu.org/andreasson
By: Oskar Andreasson

Version 1.0.8 (7 September 2001)
http://people.unix-fu.org/andreasson
By: Oskar Andreasson

Version 1.0.7 (23 August 2001)
http://people.unix-fu.org/andreasson
By: Oskar Andreasson
Contributors: Fabrice Marie

Version 1.0.6
http://people.unix-fu.org/andreasson
By: Oskar Andreasson

Version 1.0.5
http://people.unix-fu.org/andreasson
By: Oskar Andreasson
Contributors: Fabrice Marie


GNU Free Documentation License

Version 1.1, March 2000

Copyright (C) 2000 Free Software Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.


0. PREAMBLE

The purpose of this License is to make a manual, textbook, or other written document "free" in the sense of freedom: to assure everyone the effective freedom to copy and redistribute it, with or without modifying it, either commercially or noncommercially. Secondarily, this License preserves for the author and publisher a way to get credit for their work, while not being considered responsible for modifications made by others.

This License is a kind of "copyleft", which means that derivative works of the document must themselves be free in the same sense. It complements the GNU General Public License, which is a copyleft license designed for free software.

We have designed this License in order to use it for manuals for free software, because free software needs free documentation: a free program should come with manuals providing the same freedoms that the software does. But this License is not limited to software manuals; it can be used for any textual work, regardless of subject matter or whether it is published as a printed book. We recommend this License principally for works whose purpose is instruction or reference.


1. APPLICABILITY AND DEFINITIONS

This License applies to any manual or other work that contains a notice placed by the copyright holder saying it can be distributed under the terms of this License. The "Document", below, refers to any such manual or work. Any member of the public is a licensee, and is addressed as "you".

A "Modified Version" of the Document means any work containing the Document or a portion of it, either copied verbatim, or with modifications and/or translated into another language.

A "Secondary Section" is a named appendix or a front-matter section of the Document that deals exclusively with the relationship of the publishers or authors of the Document to the Document's overall subject (or to related matters) and contains nothing that could fall directly within that overall subject. (For example, if the Document is in part a textbook of mathematics, a Secondary Section may not explain any mathematics.) The relationship could be a matter of historical connection with the subject or with related matters, or of legal, commercial, philosophical, ethical or political position regarding them.

The "Invariant Sections" are certain Secondary Sections whose titles are designated, as being those of Invariant Sections, in the notice that says that the Document is released under this License.

The "Cover Texts" are certain short passages of text that are listed, as Front-Cover Texts or Back-Cover Texts, in the notice that says that the Document is released under this License.

A "Transparent" copy of the Document means a machine-readable copy, represented in a format whose specification is available to the general public, whose contents can be viewed and edited directly and straightforwardly with generic text editors or (for images composed of pixels) generic paint programs or (for drawings) some widely available drawing editor, and that is suitable for input to text formatters or for automatic translation to a variety of formats suitable for input to text formatters. A copy made in an otherwise Transparent file format whose markup has been designed to thwart or discourage subsequent modification by readers is not Transparent. A copy that is not "Transparent" is called "Opaque".

Examples of suitable formats for Transparent copies include plain ASCII without markup, Texinfo input format, LaTeX input format, SGML or XML using a publicly available DTD, and standard-conforming simple HTML designed for human modification. Opaque formats include PostScript, PDF, proprietary formats that can be read and edited only by proprietary word processors, SGML or XML for which the DTD and/or processing tools are not generally available, and the machine-generated HTML produced by some word processors for output purposes only.

The "Title Page" means, for a printed book, the title page itself, plus such following pages as are needed to hold, legibly, the material this License requires to appear in the title page. For works in formats which do not have any title page as such, "Title Page" means the text near the most prominent appearance of the work's title, preceding the beginning of the body of the text.


2. VERBATIM COPYING

You may copy and distribute the Document in any medium, either commercially or noncommercially, provided that this License, the copyright notices, and the license notice saying this License applies to the Document are reproduced in all copies, and that you add no other conditions whatsoever to those of this License. You may not use technical measures to obstruct or control the reading or further copying of the copies you make or distribute. However, you may accept compensation in exchange for copies. If you distribute a large enough number of copies you must also follow the conditions in section 3.

You may also lend copies, under the same conditions stated above, and you may publicly display copies.


3. COPYING IN QUANTITY

If you publish printed copies of the Document numbering more than 100, and the Document's license notice requires Cover Texts, you must enclose the copies in covers that carry, clearly and legibly, all these Cover Texts: Front-Cover Texts on the front cover, and Back-Cover Texts on the back cover. Both covers must also clearly and legibly identify you as the publisher of these copies. The front cover must present the full title with all words of the title equally prominent and visible. You may add other material on the covers in addition. Copying with changes limited to the covers, as long as they preserve the title of the Document and satisfy these conditions, can be treated as verbatim copying in other respects.

If the required texts for either cover are too voluminous to fit legibly, you should put the first ones listed (as many as fit reasonably) on the actual cover, and continue the rest onto adjacent pages.

If you publish or distribute Opaque copies of the Document numbering more than 100, you must either include a machine-readable Transparent copy along with each Opaque copy, or state in or with each Opaque copy a publicly-accessible computer-network location containing a complete Transparent copy of the Document, free of added material, which the general network-using public has access to download anonymously at no charge using public-standard network protocols. If you use the latter option, you must take reasonably prudent steps, when you begin distribution of Opaque copies in quantity, to ensure that this Transparent copy will remain thus accessible at the stated location until at least one year after the last time you distribute an Opaque copy (directly or through your agents or retailers) of that edition to the public.

It is requested, but not required, that you contact the authors of the Document well before redistributing any large number of copies, to give them a chance to provide you with an updated version of the Document.


4. MODIFICATIONS

You may copy and distribute a Modified Version of the Document under the conditions of sections 2 and 3 above, provided that you release the Modified Version under precisely this License, with the Modified Version filling the role of the Document, thus licensing distribution and modification of the Modified Version to whoever possesses a copy of it. In addition, you must do these things in the Modified Version:

  1. Use in the Title Page (and on the covers, if any) a title distinct from that of the Document, and from those of previous versions (which should, if there were any, be listed in the History section of the Document). You may use the same title as a previous version if the original publisher of that version gives permission.

  2. List on the Title Page, as authors, one or more persons or entities responsible for authorship of the modifications in the Modified Version, together with at least five of the principal authors of the Document (all of its principal authors, if it has less than five).

  3. State on the Title page the name of the publisher of the Modified Version, as the publisher.

  4. Preserve all the copyright notices of the Document.

  5. Add an appropriate copyright notice for your modifications adjacent to the other copyright notices.

  6. Include, immediately after the copyright notices, a license notice giving the public permission to use the Modified Version under the terms of this License, in the form shown in the Addendum below.

  7. Preserve in that license notice the full lists of Invariant Sections and required Cover Texts given in the Document's license notice.

  8. Include an unaltered copy of this License.

  9. Preserve the section entitled "History", and its title, and add to it an item stating at least the title, year, new authors, and publisher of the Modified Version as given on the Title Page. If there is no section entitled "History" in the Document, create one stating the title, year, authors, and publisher of the Document as given on its Title Page, then add an item describing the Modified Version as stated in the previous sentence.

  10. Preserve the network location, if any, given in the Document for public access to a Transparent copy of the Document, and likewise the network locations given in the Document for previous versions it was based on. These may be placed in the "History" section. You may omit a network location for a work that was published at least four years before the Document itself, or if the original publisher of the version it refers to gives permission.

  11. In any section entitled "Acknowledgements" or "Dedications", preserve the section's title, and preserve in the section all the substance and tone of each of the contributor acknowledgements and/or dedications given therein.

  12. Preserve all the Invariant Sections of the Document, unaltered in their text and in their titles. Section numbers or the equivalent are not considered part of the section titles.

  13. Delete any section entitled "Endorsements". Such a section may not be included in the Modified Version.

  14. Do not retitle any existing section as "Endorsements" or to conflict in title with any Invariant Section.

If the Modified Version includes new front-matter sections or appendices that qualify as Secondary Sections and contain no material copied from the Document, you may at your option designate some or all of these sections as invariant. To do this, add their titles to the list of Invariant Sections in the Modified Version's license notice. These titles must be distinct from any other section titles.

You may add a section entitled "Endorsements", provided it contains nothing but endorsements of your Modified Version by various parties--for example, statements of peer review or that the text has been approved by an organization as the authoritative definition of a standard.

You may add a passage of up to five words as a Front-Cover Text, and a passage of up to 25 words as a Back-Cover Text, to the end of the list of Cover Texts in the Modified Version. Only one passage of Front-Cover Text and one of Back-Cover Text may be added by (or through arrangements made by) any one entity. If the Document already includes a cover text for the same cover, previously added by you or by arrangement made by the same entity you are acting on behalf of, you may not add another; but you may replace the old one, on explicit permission from the previous publisher that added the old one.

The author(s) and publisher(s) of the Document do not by this License give permission to use their names for publicity for or to assert or imply endorsement of any Modified Version.


5. COMBINING DOCUMENTS

You may combine the Document with other documents released under this License, under the terms defined in section 4 above for modified versions, provided that you include in the combination all of the Invariant Sections of all of the original documents, unmodified, and list them all as Invariant Sections of your combined work in its license notice.

The combined work need only contain one copy of this License, and multiple identical Invariant Sections may be replaced with a single copy. If there are multiple Invariant Sections with the same name but different contents, make the title of each such section unique by adding at the end of it, in parentheses, the name of the original author or publisher of that section if known, or else a unique number. Make the same adjustment to the section titles in the list of Invariant Sections in the license notice of the combined work.

In the combination, you must combine any sections entitled "History" in the various original documents, forming one section entitled "History"; likewise combine any sections entitled "Acknowledgements", and any sections entitled "Dedications". You must delete all sections entitled "Endorsements."


6. COLLECTIONS OF DOCUMENTS

You may make a collection consisting of the Document and other documents released under this License, and replace the individual copies of this License in the various documents with a single copy that is included in the collection, provided that you follow the rules of this License for verbatim copying of each of the documents in all other respects.

You may extract a single document from such a collection, and distribute it individually under this License, provided you insert a copy of this License into the extracted document, and follow this License in all other respects regarding verbatim copying of that document.


7. AGGREGATION WITH INDEPENDENT WORKS

A compilation of the Document or its derivatives with other separate and independent documents or works, in or on a volume of a storage or distribution medium, does not as a whole count as a Modified Version of the Document, provided no compilation copyright is claimed for the compilation. Such a compilation is called an "aggregate", and this License does not apply to the other self-contained works thus compiled with the Document, on account of their being thus compiled, if they are not themselves derivative works of the Document.

If the Cover Text requirement of section 3 is applicable to these copies of the Document, then if the Document is less than one quarter of the entire aggregate, the Document's Cover Texts may be placed on covers that surround only the Document within the aggregate. Otherwise they must appear on covers around the whole aggregate.


8. TRANSLATION

Translation is considered a kind of modification, so you may distribute translations of the Document under the terms of section 4. Replacing Invariant Sections with translations requires special permission from their copyright holders, but you may include translations of some or all Invariant Sections in addition to the original versions of these Invariant Sections. You may include a translation of this License provided that you also include the original English version of this License. In case of a disagreement between the translation and the original English version of this License, the original English version will prevail.


9. TERMINATION

You may not copy, modify, sublicense, or distribute the Document except as expressly provided for under this License. Any other attempt to copy, modify, sublicense or distribute the Document is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.


10. FUTURE REVISIONS OF THIS LICENSE

The Free Software Foundation may publish new, revised versions of the GNU Free Documentation License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. See http://www.gnu.org/copyleft/.

Each version of the License is given a distinguishing version number. If the Document specifies that a particular numbered version of this License "or any later version" applies to it, you have the option of following the terms and conditions either of that specified version or of any later version that has been published (not as a draft) by the Free Software Foundation. If the Document does not specify a version number of this License, you may choose any version ever published (not as a draft) by the Free Software Foundation.


How to use this License for your documents

To use this License in a document you have written, include a copy of the License in the document and put the following copyright and license notices just after the title page:

Copyright (c) YEAR YOUR NAME. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1 or any later version published by the Free Software Foundation; with the Invariant Sections being LIST THEIR TITLES, with the Front-Cover Texts being LIST, and with the Back-Cover Texts being LIST. A copy of the license is included in the section entitled "GNU Free Documentation License".

If you have no Invariant Sections, write "with no Invariant Sections" instead of saying which ones are invariant. If you have no Front-Cover Texts, write "no Front-Cover Texts" instead of "Front-Cover Texts being LIST"; likewise for Back-Cover Texts.

If your document contains nontrivial examples of program code, we recommend releasing these examples in parallel under your choice of free software license, such as the GNU General Public License, to permit their use in free software.


GNU General Public License

Version 2, June 1991

Copyright (C) 1989, 1991 Free Software Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.


0. Preamble

The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Library General Public License instead.) You can apply it to your programs, too.

When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things.

To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it.

For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights.

We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software.

Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations.

Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all.

The precise terms and conditions for copying, distribution and modification follow.


1. TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

  0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you".

    Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does.

  1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program.

    You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.

  2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:

    a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change.

    b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License.

    c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.)

    These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.

    Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program.

    In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.

  3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following:

    a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,

    b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,

    c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.)

    The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.

    If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code.

  4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.

  5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it.

  6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License.

  7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program.

    If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances.

    It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice.

    This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.

    If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License.

  8. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.

    Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation.

  9. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.

  10. NO WARRANTY

    BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

  11. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

END OF TERMS AND CONDITIONS


2. How to Apply These Terms to Your New Programs

If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms.

To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found.

<one line to give the program's name and a brief idea of what it does.>
Copyright (C) <year> <name of author>

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

Also add information on how to contact you by electronic and paper mail.

If the program is interactive, make it output a short notice like this when it starts in an interactive mode:

Gnomovision version 69, Copyright (C) year name of author
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details.

The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than `show w' and `show c'; they could even be mouse-clicks or menu items--whatever suits your program.

You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the program, if necessary. Here is a sample; alter the names:

Yoyodyne, Inc., hereby disclaims all copyright interest in the program
`Gnomovision' (which makes passes at compilers) written by James Hacker.

<signature of Ty Coon>, 1 April 1989
Ty Coon, President of Vice

This General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Library General Public License instead of this License.


Example scripts codebase

Example rc.firewall script

#!/bin/sh
#
# rc.firewall - Initial SIMPLE IP Firewall script for Linux 2.4.x and iptables
#
# Copyright (C) 2001  Oskar Andreasson <bluefluxATkoffeinDOTnet>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA  02111-1307   USA
#

###########################################################################
#
# 1. Configuration options.
#

#
# 1.1 Internet Configuration.
#

INET_IP="194.236.50.155"
INET_IFACE="eth0"

#
# 1.1.1 DHCP
#

#
# 1.1.2 PPPoE
#

#
# 1.2 Local Area Network configuration.
#
# your LAN's IP range and localhost IP. The prefix length is the number of
# leading bits of the 32-bit IP address that form the network part: the /16
# used below is the same as netmask 255.255.0.0, /24 the same as 255.255.255.0
#

LAN_IP="192.168.0.2"
LAN_IP_RANGE="192.168.0.0/16"
LAN_BCAST_ADRESS="192.168.255.255"
LAN_IFACE="eth1"

#
# 1.3 DMZ Configuration.
#

#
# 1.4 Localhost Configuration.
#

LO_IFACE="lo"
LO_IP="127.0.0.1"

#
# 1.5 IPTables Configuration.
#

IPTABLES="/usr/sbin/iptables"

#
# 1.6 Other Configuration.
#

###########################################################################
#
# 2. Module loading.
#

#
# Needed to initially load modules
#

/sbin/depmod -a

#
# 2.1 Required modules
#

/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state

#
# 2.2 Non-Required modules
#

#/sbin/modprobe ipt_owner
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc

###########################################################################
#
# 3. /proc set up.
#

#
# 3.1 Required proc configuration
#

echo "1" > /proc/sys/net/ipv4/ip_forward

#
# 3.2 Non-Required proc configuration
#

#echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
#echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr

###########################################################################
#
# 4. rules set up.
#

######
# 4.1 Filter table
#

#
# 4.1.1 Set policies
#

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

#
# 4.1.2 Create userspecified chains
#

#
# Create chain for bad tcp packets
#

$IPTABLES -N bad_tcp_packets

#
# Create separate chains for ICMP, TCP and UDP to traverse
#

$IPTABLES -N allowed
$IPTABLES -N icmp_packets
$IPTABLES -N tcp_packets
$IPTABLES -N udpincoming_packets

#
# 4.1.3 Create content in userspecified chains
#

#
# bad_tcp_packets chain
#

$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

#
# allowed chain
#

$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

#
# TCP rules
#

$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed

#
# UDP ports
#

#$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --destination-port 53 -j ACCEPT
#$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --destination-port 123 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --destination-port 2074 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --destination-port 4000 -j ACCEPT

#
# ICMP rules
#

$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

#
# 4.1.4 INPUT chain
#

#
# Bad TCP packets we don't want.
#

$IPTABLES -A INPUT -p tcp -j bad_tcp_packets

#
# Rules for special networks not part of the Internet
#

$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT

#
# Rules for incoming packets from the internet.
#

$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED \
-j ACCEPT
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udpincoming_packets
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets

#
# Log weird packets that don't match the above.
#

$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT INPUT packet died: "

#
# 4.1.5 FORWARD chain
#

#
# Bad TCP packets we don't want
#

$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets

#
# Accept the packets we actually want to forward
#

$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT FORWARD packet died: "

#
# 4.1.6 OUTPUT chain
#

#
# Bad TCP packets we don't want.
#

$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets

#
# Special OUTPUT rules to decide which IP's to allow.
#

$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

######
# 4.2 nat table
#

#
# 4.2.1 Set policies
#

#
# 4.2.2 Create user specified chains
#

#
# 4.2.3 Create content in user specified chains
#

#
# 4.2.4 PREROUTING chain
#

#
# 4.2.5 POSTROUTING chain
#

#
# Enable simple IP Forwarding and Network Address Translation
#

$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP

#
# 4.2.6 OUTPUT chain
#

######
# 4.3 mangle table
#

#
# 4.3.1 Set policies
#

#
# 4.3.2 Create user specified chains
#

#
# 4.3.3 Create content in user specified chains
#

#
# 4.3.4 PREROUTING chain
#

#
# 4.3.5 INPUT chain
#

#
# 4.3.6 FORWARD chain
#

#
# 4.3.7 OUTPUT chain
#

#
# 4.3.8 POSTROUTING chain
#

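The LAN block of rc.firewall above sets LAN_IP_RANGE to a /16 while its comment talks about a /24, and LAN_BCAST_ADRESS has to agree with whichever prefix length is really in use, otherwise the INPUT rule that accepts traffic to the broadcast address silently matches nothing. The following POSIX sh helpers, an added example that is not part of the tutorial or its scripts, compute the broadcast address and netmask from a prefix in CIDR form and check the three LAN variables against each other. The function names (ip_to_int, cidr_broadcast, check_lan_config and the others) are this example's own; the values fed to them are copied from the script.

```shell
#!/bin/sh
# Added example: consistency check for the LAN variables of rc.firewall.
# Everything below uses only POSIX shell arithmetic, so it can run on the
# firewall host before the rule set is loaded.

# ip_to_int 192.168.0.2 -> 3232235522 (dotted quad to a 32-bit integer)
ip_to_int() {
    _ifs=$IFS
    IFS=.
    set -- $1            # split the dotted quad into four positional parameters
    IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip 3232301055 -> 192.168.255.255
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# cidr_mask 16 -> 4294901760, the integer netmask with 16 leading one bits
cidr_mask() {
    [ "$1" -gt 0 ] || { echo 0; return; }
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# cidr_netmask 16 -> 255.255.0.0 (the dotted form the script's comment uses)
cidr_netmask() {
    int_to_ip "$(cidr_mask "$1")"
}

# cidr_broadcast 192.168.0.0/16 -> 192.168.255.255
cidr_broadcast() {
    _mask=$(cidr_mask "${1#*/}")
    int_to_ip $(( ($(ip_to_int "${1%/*}") & _mask) | (~_mask & 4294967295) ))
}

# ip_in_cidr 192.168.0.2 192.168.0.0/16 -> exit status 0 when the address is inside
ip_in_cidr() {
    _mask=$(cidr_mask "${2#*/}")
    [ $(( $(ip_to_int "$1") & _mask )) -eq $(( $(ip_to_int "${2%/*}") & _mask )) ]
}

# check_lan_config LAN_IP LAN_IP_RANGE LAN_BCAST_ADRESS
# Prints OK or a description of the mismatch; exit status 0 only when consistent.
check_lan_config() {
    _want=$(cidr_broadcast "$2")
    if ! ip_in_cidr "$1" "$2"; then
        echo "LAN_IP $1 is not inside LAN_IP_RANGE $2"
        return 1
    fi
    if [ "$3" != "$_want" ]; then
        echo "LAN_BCAST_ADRESS $3 does not match LAN_IP_RANGE $2 (expected $_want)"
        return 1
    fi
    echo "OK: $1 is in $2, broadcast $_want, netmask $(cidr_netmask "${2#*/}")"
}

# Values as set in rc.firewall: consistent for a /16.
check_lan_config 192.168.0.2 192.168.0.0/16 192.168.255.255
# The /24 mentioned in the script's comment would need a different broadcast address.
check_lan_config 192.168.0.2 192.168.0.0/24 192.168.255.255 || true
```

Run it once after editing the configuration block; the second call shows why the comment and the value cannot both be right, since a /24 network 192.168.0.0 broadcasts to 192.168.0.255, not 192.168.255.255.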

Example rc.DMZ.firewall script

#!/bin/sh
#
# rc.DMZ.firewall - DMZ IP Firewall script for Linux 2.4.x and iptables
#
# Copyright (C) 2001  Oskar Andreasson <bluefluxATkoffeinDOTnet>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA  02111-1307   USA
#

###########################################################################
#
# 1. Configuration options.
#

#
# 1.1 Internet Configuration.
#

INET_IP="194.236.50.152"
HTTP_IP="194.236.50.153"
DNS_IP="194.236.50.154"
INET_IFACE="eth0"

#
# 1.1.1 DHCP
#

#
# 1.1.2 PPPoE
#

#
# 1.2 Local Area Network configuration.
#
# your LAN's IP range and localhost IP. The prefix length is the number of
# leading bits of the 32-bit IP address that form the network part: the /16
# used below is the same as netmask 255.255.0.0, /24 the same as 255.255.255.0
#

LAN_IP="192.168.0.2"
LAN_IP_RANGE="192.168.0.0/16"
LAN_BCAST_ADRESS="192.168.255.255"
LAN_IFACE="eth1"

#
# 1.3 DMZ Configuration.
#

DMZ_HTTP_IP="192.168.1.2"
DMZ_DNS_IP="192.168.1.3"
DMZ_IP="192.168.1.1"
DMZ_IFACE="eth2"

#
# 1.4 Localhost Configuration.
#

LO_IFACE="lo"
LO_IP="127.0.0.1"

#
# 1.5 IPTables Configuration.
#

IPTABLES="/usr/sbin/iptables"

#
# 1.6 Other Configuration.
#

###########################################################################
#
# 2. Module loading.
#

#
# Needed to initially load modules
#
/sbin/depmod -a



#
# 2.1 Required modules
#

/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state

#
# 2.2 Non-Required modules
#

#/sbin/modprobe ipt_owner
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc

###########################################################################
#
# 3. /proc set up.
#

#
# 3.1 Required proc configuration
#

echo "1" > /proc/sys/net/ipv4/ip_forward

#
# 3.2 Non-Required proc configuration
#

#echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
#echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr

###########################################################################
#
# 4. rules set up.
#

######
# 4.1 Filter table
#

#
# 4.1.1 Set policies
#

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

#
# 4.1.2 Create userspecified chains
#

#
# Create chain for bad tcp packets
#

$IPTABLES -N bad_tcp_packets

#
# Create separate chains for ICMP, TCP and UDP to traverse
#

$IPTABLES -N allowed
$IPTABLES -N icmp_packets
$IPTABLES -N tcp_packets
$IPTABLES -N udpincoming_packets

#
# 4.1.3 Create content in userspecified chains
#

#
# bad_tcp_packets chain
#

$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

#
# allowed chain
#

$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

#
# ICMP rules
#

# Changed rules totally
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

#
# 4.1.4 INPUT chain
#

#
# Bad TCP packets we don't want
#

$IPTABLES -A INPUT -p tcp -j bad_tcp_packets

#
# Packets from the Internet to this box
#

$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets

#
# Packets from LAN, DMZ or LOCALHOST
#

#
# From DMZ Interface to DMZ firewall IP
#

$IPTABLES -A INPUT -p ALL -i $DMZ_IFACE -d $DMZ_IP -j ACCEPT

#
# From LAN Interface to LAN firewall IP
#

$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT

#
# From Localhost interface to Localhost IP's
#

$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT

#
# All established and related packets incoming from the internet to the
# firewall
#

$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED \
-j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT INPUT packet died: "

#
# 4.1.5 FORWARD chain
#

#
# Bad TCP packets we don't want
#

$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets


#
# DMZ section
#
# General rules
#

$IPTABLES -A FORWARD -i $DMZ_IFACE -o $INET_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $INET_IFACE -o $DMZ_IFACE -m state \
--state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $LAN_IFACE -o $DMZ_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $DMZ_IFACE -o $LAN_IFACE -j ACCEPT

#
# HTTP server
#

$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP \
--dport 80 -j allowed
$IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP \
-j icmp_packets

#
# DNS server
#

$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP \
--dport 53 -j allowed
$IPTABLES -A FORWARD -p UDP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP \
--dport 53 -j ACCEPT
$IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP \
-j icmp_packets

#
# LAN section
#

$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT FORWARD packet died: "

#
# 4.1.6 OUTPUT chain
#

#
# Bad TCP packets we don't want.
#

$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets

#
# Special OUTPUT rules to decide which IP's to allow.
#

$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

######
# 4.2 nat table
#

#
# 4.2.1 Set policies
#

#
# 4.2.2 Create user specified chains
#

#
# 4.2.3 Create content in user specified chains
#

#
# 4.2.4 PREROUTING chain
#

$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $HTTP_IP --dport 80 \
-j DNAT --to-destination $DMZ_HTTP_IP
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $DNS_IP --dport 53 \
-j DNAT --to-destination $DMZ_DNS_IP
$IPTABLES -t nat -A PREROUTING -p UDP -i $INET_IFACE -d $DNS_IP --dport 53 \
-j DNAT --to-destination $DMZ_DNS_IP

#
# 4.2.5 POSTROUTING chain
#

#
# Enable simple IP Forwarding and Network Address Translation
#

$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP

#
# 4.2.6 OUTPUT chain
#

######
# 4.3 mangle table
#

#
# 4.3.1 Set policies
#

#
# 4.3.2 Create user specified chains
#

#
# 4.3.3 Create content in user specified chains
#

#
# 4.3.4 PREROUTING chain
#

#
# 4.3.5 INPUT chain
#

#
# 4.3.6 FORWARD chain
#

#
# 4.3.7 OUTPUT chain
#

#
# 4.3.8 POSTROUTING chain
#

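Each of the scripts ends its INPUT, FORWARD and OUTPUT chains with a rate-limited LOG rule ("IPT INPUT packet died: " and so on) before the default DROP policy takes effect, so the kernel log is the only record of what the firewall discards. The POSIX sh functions below, an added example that is not part of the tutorial, reduce such lines to a per-chain, per-port count and to the number of distinct ports each source address hit, which is the quickest way to tell a single misconfigured client from a port sweep. The log lines are constructed samples in the field layout of the iptables LOG target, not output captured from any of these scripts; the function names summarize_ipt_log and ports_per_source are this example's own.

```shell
#!/bin/sh
# Added example: summarise the "IPT <chain> packet died:" log lines written by
# the scripts' LOG rules. SAMPLE_LOG is constructed for this example.

SAMPLE_LOG='Mar  3 10:22:13 fw kernel: IPT INPUT packet died: IN=eth0 OUT= SRC=10.0.0.5 DST=194.236.50.155 LEN=60 TTL=51 ID=0 DF PROTO=TCP SPT=44321 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:22:14 fw kernel: IPT INPUT packet died: IN=eth0 OUT= SRC=10.0.0.5 DST=194.236.50.155 LEN=60 TTL=51 ID=0 DF PROTO=TCP SPT=44322 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:22:20 fw kernel: IPT INPUT packet died: IN=eth0 OUT= SRC=10.0.0.9 DST=194.236.50.155 LEN=40 TTL=243 ID=9 PROTO=TCP SPT=6000 DPT=139 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:23:01 fw kernel: IPT FORWARD packet died: IN=eth0 OUT=eth1 SRC=10.0.0.9 DST=192.168.0.7 LEN=40 TTL=243 ID=10 PROTO=TCP SPT=6000 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:23:05 fw kernel: IPT OUTPUT packet died: IN= OUT=eth0 SRC=192.168.0.2 DST=10.0.0.1 LEN=84 TTL=64 ID=11 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Mar  3 10:23:07 fw kernel: New not syn:IN=eth0 OUT= SRC=10.0.0.5 DST=194.236.50.155 LEN=40 TTL=51 ID=12 PROTO=TCP SPT=44321 DPT=80 WINDOW=0 RES=0x00 ACK URGP=0'

# summarize_ipt_log < logfile
# One line per "<count> <chain> <protocol> <destination port>", most frequent
# first. Lines with the bad_tcp_packets prefix ("New not syn:") carry no chain
# name and are deliberately left out here.
summarize_ipt_log() {
    awk '
        / packet died: / {
            chain = $0
            sub(/.*IPT /, "", chain)
            sub(/ packet died:.*/, "", chain)
            proto = ""; dpt = "-"          # ICMP entries have no DPT= field
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dpt = substr($i, 5)
            }
            count[chain " " proto " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2
}

# ports_per_source < logfile
# "<source address> <number of distinct destination ports>", highest first:
# one address touching many closed ports is the signature of a sweep.
ports_per_source() {
    awk '
        / packet died: / {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "" && dpt != "" && !seen[src, dpt]++) ports[src]++
        }
        END { for (s in ports) print s, ports[s] }
    ' | LC_ALL=C sort -k2,2nr -k1,1
}

printf '%s\n' "$SAMPLE_LOG" | summarize_ipt_log
printf '%s\n' "$SAMPLE_LOG" | ports_per_source
```

On a real host feed the functions with the kernel log instead of SAMPLE_LOG, for example `grep 'packet died' /var/log/messages | summarize_ipt_log`. Keep in mind that the scripts' `-m limit --limit 3/minute` rule caps the LOG rate, so the counts are a lower bound on what was actually dropped.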

Example rc.UTIN.firewall script

#!/bin/sh
#
# rc.UTIN.firewall - UTIN Firewall script for Linux 2.4.x and iptables
#
# Copyright (C) 2001  Oskar Andreasson <bluefluxATkoffeinDOTnet>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA  02111-1307   USA
#

###########################################################################
#
# 1. Configuration options.
#

#
# 1.1 Internet Configuration.
#

INET_IP="194.236.50.155"
INET_IFACE="eth0"

#
# 1.1.1 DHCP
#

#
# 1.1.2 PPPoE
#

#
# 1.2 Local Area Network configuration.
#
# your LAN's IP range and localhost IP. The prefix length is the number of
# leading bits of the 32-bit IP address that form the network part: the /16
# used below is the same as netmask 255.255.0.0, /24 the same as 255.255.255.0
#

LAN_IP="192.168.0.2"
LAN_IP_RANGE="192.168.0.0/16"
LAN_BCAST_ADRESS="192.168.255.255"
LAN_IFACE="eth1"

#
# 1.3 DMZ Configuration.
#

#
# 1.4 Localhost Configuration.
#

LO_IFACE="lo"
LO_IP="127.0.0.1"

#
# 1.5 IPTables Configuration.
#

IPTABLES="/usr/sbin/iptables"

#
# 1.6 Other Configuration.
#

###########################################################################
#
# 2. Module loading.
#

#
# Needed to initially load modules
#

/sbin/depmod -a

#
# 2.1 Required modules
#

/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state

#
# 2.2 Non-Required modules
#

#/sbin/modprobe ipt_owner
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc

###########################################################################
#
# 3. /proc set up.
#

#
# 3.1 Required proc configuration
#

echo "1" > /proc/sys/net/ipv4/ip_forward

#
# 3.2 Non-Required proc configuration
#

#echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
#echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr

###########################################################################
#
# 4. rules set up.
#

######
# 4.1 Filter table
#

#
# 4.1.1 Set policies
#

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

#
# 4.1.2 Create userspecified chains
#

#
# Create chain for bad tcp packets
#

$IPTABLES -N bad_tcp_packets

#
# Create separate chains for ICMP, TCP and UDP to traverse
#

$IPTABLES -N allowed
$IPTABLES -N icmp_packets
$IPTABLES -N tcp_packets
$IPTABLES -N udpincoming_packets

#
# 4.1.3 Create content in userspecified chains
#

#
# bad_tcp_packets chain
#

$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

#
# allowed chain
#

$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

#
# TCP rules
#

$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed

#
# UDP ports
#

#$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
#$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT

#
# ICMP rules
#

$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

#
# 4.1.4 INPUT chain
#

#
# Bad TCP packets we don't want.
#

$IPTABLES -A INPUT -p tcp -j bad_tcp_packets

#
# Rules for special networks not part of the Internet
#

$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT

#
# Rules for incoming packets from anywhere.
#

$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED \
-j ACCEPT
$IPTABLES -A INPUT -p TCP -j tcp_packets
$IPTABLES -A INPUT -p UDP -j udpincoming_packets
$IPTABLES -A INPUT -p ICMP -j icmp_packets

#
# Log weird packets that don't match the above.
#

$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT INPUT packet died: "

#
# 4.1.5 FORWARD chain
#

#
# Bad TCP packets we don't want
#

$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets

#
# Accept the packets we actually want to forward
#

$IPTABLES -A FORWARD -p tcp --dport 21 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 80 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 110 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT FORWARD packet died: "

#
# 4.1.6 OUTPUT chain
#

#
# Bad TCP packets we don't want.
#

$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets

#
# Special OUTPUT rules to decide which IP's to allow.
#

$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

######
# 4.2 nat table
#

#
# 4.2.1 Set policies
#

#
# 4.2.2 Create user specified chains
#

#
# 4.2.3 Create content in user specified chains
#

#
# 4.2.4 PREROUTING chain
#

#
# 4.2.5 POSTROUTING chain
#

#
# Enable simple IP Forwarding and Network Address Translation
#

$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP

#
# 4.2.6 OUTPUT chain
#

######
# 4.3 mangle table
#

#
# 4.3.1 Set policies
#

#
# 4.3.2 Create user specified chains
#

#
# 4.3.3 Create content in user specified chains
#

#
# 4.3.4 PREROUTING chain
#

#
# 4.3.5 INPUT chain
#

#
# 4.3.6 FORWARD chain
#

#
# 4.3.7 OUTPUT chain
#

#
# 4.3.8 POSTROUTING chain
#


Example rc.DHCP.firewall script

#!/bin/sh
#
# rc.firewall - DHCP IP Firewall script for Linux 2.4.x and iptables
#
# Copyright (C) 2001  Oskar Andreasson <bluefluxATkoffeinDOTnet>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA  02111-1307   USA
#

###########################################################################
#
# 1. Configuration options.
#

#
# 1.1 Internet Configuration.
#

INET_IFACE="eth0"

#
# 1.1.1 DHCP
#

#
# Information pertaining to DHCP over the Internet, if needed.
#
# Set DHCP variable to no if you don't get IP from DHCP. If you get DHCP
# over the Internet set this variable to yes, and set up the proper IP
# adress for the DHCP server in the DHCP_SERVER variable.
#

DHCP="no"
DHCP_SERVER="195.22.90.65"

#
# 1.1.2 PPPoE
#

# Configuration options pertaining to PPPoE.
#
# If you have problems with your PPPoE connection, such as large mails not
# getting through while small mails get through properly, you may set this
# option to "yes", which may fix the problem. It adds a rule to the
# POSTROUTING chain of the nat table that rewrites the TCP MSS option of
# outgoing SYN packets down to the path MTU (PMTU, Path Maximum Transmission
# Unit) minus the IP and TCP headers, so that neither end sends segments
# that would have to be fragmented on the PPPoE link. The packets themselves
# are not resized; only the MSS value the peers negotiate is lowered.
#
# Note that it is better to set this up in the PPPoE package itself, since
# the PPPoE configuration option will give less overhead.
#

PPPOE_PMTU="no"

#
# 1.2 Local Area Network configuration.
#
# your LAN's IP range and the firewall's own LAN address. /16 means to use
# only the first 16 bits of the 32-bit IP address as the network part, the
# same as netmask 255.255.0.0.
#

LAN_IP="192.168.0.2"
LAN_IP_RANGE="192.168.0.0/16"
LAN_BCAST_ADRESS="192.168.255.255"
LAN_IFACE="eth1"

#
# 1.3 DMZ Configuration.
#

#
# 1.4 Localhost Configuration.
#

LO_IFACE="lo"
LO_IP="127.0.0.1"

#
# 1.5 IPTables Configuration.
#

IPTABLES="/usr/sbin/iptables"

#
# 1.6 Other Configuration.
#

###########################################################################
#
# 2. Module loading.
#

#
# Needed to initially load modules
#

/sbin/depmod -a

#
# 2.1 Required modules
#

/sbin/modprobe ip_conntrack
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_MASQUERADE

#
# 2.2 Non-Required modules
#

#/sbin/modprobe ipt_owner
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc

###########################################################################
#
# 3. /proc set up.
#

#
# 3.1 Required proc configuration
#

echo "1" > /proc/sys/net/ipv4/ip_forward

#
# 3.2 Non-Required proc configuration
#

#echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
#echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr

###########################################################################
#
# 4. rules set up.
#

######
# 4.1 Filter table
#

#
# 4.1.1 Set policies
#

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

#
# 4.1.2 Create userspecified chains
#

#
# Create chain for bad tcp packets
#

$IPTABLES -N bad_tcp_packets

#
# Create separate chains for ICMP, TCP and UDP to traverse
#

$IPTABLES -N allowed
$IPTABLES -N icmp_packets
$IPTABLES -N tcp_packets
$IPTABLES -N udpincoming_packets

#
# 4.1.3 Create content in userspecified chains
#

#
# bad_tcp_packets chain
#

$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

#
# allowed chain
#

$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

#
# TCP rules
#

$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed

#
# UDP ports
#
# Note that these rules match on the source port only, so any UDP packet whose
# sender picked that source port is let in. Replies to queries this host sent
# itself (DNS, NTP) are already accepted by the ESTABLISHED,RELATED rule in the
# INPUT chain, so the rules here are only needed for traffic that conntrack
# cannot tie to an outgoing packet.
#

$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
if [ "$DHCP" = "yes" ] ; then
 $IPTABLES -A udpincoming_packets -p UDP -s $DHCP_SERVER --sport 67 \
 --dport 68 -j ACCEPT
fi

#$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT

#
# ICMP rules
#

$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

#
# 4.1.4 INPUT chain
#

#
# Bad TCP packets we don't want.
#

$IPTABLES -A INPUT -p tcp -j bad_tcp_packets

#
# Rules for special networks not part of the Internet
#

$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT

#
# Rules for incoming packets from the internet.
#

$IPTABLES -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
-j ACCEPT
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udpincoming_packets
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets

#
# Log weird packets that don't match the above.
#

$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT INPUT packet died: "

#
# 4.1.5 FORWARD chain
#

#
# Bad TCP packets we don't want
#

$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets

#
# Accept the packets we actually want to forward
#

$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT FORWARD packet died: "

#
# 4.1.6 OUTPUT chain
#

#
# Bad TCP packets we don't want.
#

$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets

#
# Special OUTPUT rules to decide which IP's to allow.
#

$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

######
# 4.2 nat table
#

#
# 4.2.1 Set policies
#

#
# 4.2.2 Create user specified chains
#

#
# 4.2.3 Create content in user specified chains
#

#
# 4.2.4 PREROUTING chain
#

#
# 4.2.5 POSTROUTING chain
#

if [ "$PPPOE_PMTU" = "yes" ] ; then
 $IPTABLES -t nat -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN \
 -j TCPMSS --clamp-mss-to-pmtu
fi
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE

#
# 4.2.6 OUTPUT chain
#

######
# 4.3 mangle table
#

#
# 4.3.1 Set policies
#

#
# 4.3.2 Create user specified chains
#

#
# 4.3.3 Create content in user specified chains
#

#
# 4.3.4 PREROUTING chain
#

#
# 4.3.5 INPUT chain
#

#
# 4.3.6 FORWARD chain
#

#
# 4.3.7 OUTPUT chain
#

#
# 4.3.8 POSTROUTING chain
#


Example rc.flush-iptables script

#!/bin/sh

# rc.flush-iptables - Resets iptables to default values.
#
# Note that after this script has run the host does no packet filtering at
# all: every policy is ACCEPT and all rules are gone. Use it only right
# before loading a new ruleset.

# Copyright (C) 2001  Oskar Andreasson <bluefluxATkoffeinDOTnet>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA  02111-1307   USA

#
# Configurations
#
IPTABLES="/usr/sbin/iptables"

#
# reset the default policies in the filter table.
#
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT

#
# reset the default policies in the nat table.
#
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT

#
# reset the default policies in the mangle table. PREROUTING and OUTPUT are
# the only mangle chains on kernels before 2.4.18; the INPUT, FORWARD and
# POSTROUTING mangle chains of later kernels are never touched by the
# scripts in this tutorial, so their policy is left alone here.
#
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT

#
# flush all the rules in the filter, nat and mangle tables.
#
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
#
# delete all user-defined chains in the filter, nat and mangle tables.
#
$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X
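Loading a ruleset with DROP policies over the network is the moment this flush script earns its keep: one mistake in the new rules (a wrong INET_IFACE, an ESTABLISHED rule placed after a drop) and the session you are typing in is gone. The following is an added example, not part of the tutorial or of Oskar Andreasson's scripts: it arms rc.flush-iptables to run by itself a little while after the new ruleset is loaded, and cancels that only once you have confirmed that you can still log in. The script paths, the PID file location and the function names are assumptions; the output of the background flush is discarded.

```sh
#!/bin/sh
#
# Added example, not part of the tutorial: load a firewall script with an
# automatic rollback so that a ruleset with DROP policies cannot lock you
# out of a remote machine. The paths below are assumptions.
FIREWALL="${FIREWALL:-/etc/rc.d/rc.firewall}"
FLUSH="${FLUSH:-/etc/rc.d/rc.flush-iptables}"
ROLLBACK_PID_FILE="${ROLLBACK_PID_FILE:-/var/run/iptables-rollback.pid}"

# schedule_rollback SECONDS: start a background job that runs the flush
# script after SECONDS unless cancel_rollback is called first. The job's
# PID is kept in ROLLBACK_PID_FILE so that it can be cancelled later.
schedule_rollback() {
    ( sleep "$1" && sh "$FLUSH" ) >/dev/null 2>&1 &
    echo $! > "$ROLLBACK_PID_FILE"
}

# cancel_rollback: kill the pending rollback job. Returns non-zero if no
# rollback was armed.
cancel_rollback() {
    [ -f "$ROLLBACK_PID_FILE" ] || return 1
    pid=$(cat "$ROLLBACK_PID_FILE")
    rm -f "$ROLLBACK_PID_FILE"
    kill "$pid" 2>/dev/null
}

# load_with_rollback SECONDS: arm the rollback, then load the firewall. The
# rollback stays armed; once you have verified that a fresh login still
# works, run cancel_rollback. If the new rules cut you off, the flush
# script restores access after SECONDS.
load_with_rollback() {
    schedule_rollback "$1"
    sh "$FIREWALL"
}
```

Usage on the gateway, from a root shell: source the file, run load_with_rollback 120, open a second login to confirm the rules let you in, then run cancel_rollback. If the second login fails, simply wait; two minutes later the flush script has emptied the tables and the first session works again.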

Example rc.test-iptables script

#!/bin/bash
#
# rc.test-iptables - test script for iptables chains and tables.
#
# Copyright (C) 2001  Oskar Andreasson <bluefluxATkoffeinDOTnet>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA  02111-1307   USA
#

#
# Filter table, all chains
#
iptables -t filter -A INPUT -p icmp --icmp-type echo-request \
-j LOG --log-prefix="filter INPUT:"
iptables -t filter -A INPUT -p icmp --icmp-type echo-reply \
-j LOG --log-prefix="filter INPUT:"
iptables -t filter -A OUTPUT -p icmp --icmp-type echo-request \
-j LOG --log-prefix="filter OUTPUT:"
iptables -t filter -A OUTPUT -p icmp --icmp-type echo-reply \
-j LOG --log-prefix="filter OUTPUT:"
iptables -t filter -A FORWARD -p icmp --icmp-type echo-request \
-j LOG --log-prefix="filter FORWARD:"
iptables -t filter -A FORWARD -p icmp --icmp-type echo-reply \
-j LOG --log-prefix="filter FORWARD:"

#
# NAT table, all chains. The OUTPUT chain of the nat table is only traversed
# by packets generated on the firewall itself, so a ping forwarded from the
# LAN is logged in PREROUTING and POSTROUTING but not in OUTPUT. The nat
# table also sees only the first packet of each connection, so the echo reply
# does not show up here at all.
#
iptables -t nat -A PREROUTING -p icmp --icmp-type echo-request \
-j LOG --log-prefix="nat PREROUTING:"
iptables -t nat -A PREROUTING -p icmp --icmp-type echo-reply \
-j LOG --log-prefix="nat PREROUTING:"
iptables -t nat -A POSTROUTING -p icmp --icmp-type echo-request \
-j LOG --log-prefix="nat POSTROUTING:"
iptables -t nat -A POSTROUTING -p icmp --icmp-type echo-reply \
-j LOG --log-prefix="nat POSTROUTING:"
iptables -t nat -A OUTPUT -p icmp --icmp-type echo-request \
-j LOG --log-prefix="nat OUTPUT:"
iptables -t nat -A OUTPUT -p icmp --icmp-type echo-reply \
-j LOG --log-prefix="nat OUTPUT:"

#
# Mangle table, all chains. Kernels before 2.4.18 have only PREROUTING and
# OUTPUT in this table; later kernels also have INPUT, FORWARD and POSTROUTING.
#
iptables -t mangle -A PREROUTING -p icmp --icmp-type echo-request \
-j LOG --log-prefix="mangle PREROUTING:"
iptables -t mangle -A PREROUTING -p icmp --icmp-type echo-reply \
-j LOG --log-prefix="mangle PREROUTING:"
iptables -t mangle -A OUTPUT -p icmp --icmp-type echo-request \
-j LOG --log-prefix="mangle OUTPUT:"
iptables -t mangle -A OUTPUT -p icmp --icmp-type echo-reply \
-j LOG --log-prefix="mangle OUTPUT:"


End.
