Iptables Tutorial


Iptables Tutorial 1.1.11

Oskar Andreasson (blueflux@koffein.net)

Copyright (C) 2001 by Oskar Andreasson

Translation: Andrey Kiselev kis_an@mail.ru
The original can be found at: http://www.linuxsecurity.com/resource_files/firewalls/IPTables-Tutorial/iptables-tutorial.html

Permission is granted to copy and/or modify this document, or parts of it, under the terms of the GNU Free Documentation License, version 1.1. The Invariant Sections are the "Introduction" section and all of its subsections, as well as the sections beginning with the words "Original Author: Oskar Andreasson".
A copy of the GNU Free Documentation License is included in this document, in the section "GNU Free Documentation License".

All scripts in this tutorial are covered by the GNU General Public License. They are free software and may be copied and/or modified under the terms of the GNU General Public License, version 2.

All scripts are distributed in the hope that they will be useful to you, but WITHOUT ANY WARRANTY. See the text of the GNU General Public License for further information.

A copy of the GNU General Public License should be distributed with this document, in the section "GNU General Public License"; if it is missing, you can write to Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA


Contents

Introduction
About the author
Dedications
Why this tutorial was written
How this document was written
How to read this document
Terms used in this document
Preparations
Where to get iptables
Kernel setup
Installing the package
Compiling the package
Installation on Red Hat 7.1
Traversing of tables and chains
General
The Mangle table
The Nat table
The Filter table
The state machine
Introduction
The tracking table
States
TCP connections
UDP connections
ICMP connections
Default behaviour
Tracking of complex protocols
How a rule is built
Basics
Tables
Commands
Matches
Generic matches
Implicit matches
Explicit matches
Targets and jumps
ACCEPT target
DROP target
QUEUE target
RETURN target
LOG target
MARK target
REJECT target
TOS target
MIRROR target
SNAT target
DNAT target
MASQUERADE target
REDIRECT target
TTL target
ULOG target
The rc.firewall file
rc.firewall example
Explanation of the rc.firewall script
Configuration
Loading extra modules
/proc setup
Placing rules in other chains
Setting default policies
Creating user-defined chains
The bad_tcp_packets chain
The allowed chain
The TCP chain
The UDP chain
The ICMP chain
INPUT chain
OUTPUT chain
FORWARD chain
PREROUTING chain of the nat table
Starting Network Address Translation
Example scripts
Structure of the rc.firewall.txt file
Structure
rc.firewall.txt
rc.DMZ.firewall.txt
rc.DHCP.firewall.txt
rc.UTIN.firewall.txt
rc.test-iptables.txt
rc.flush-iptables.txt
Detailed explanation of special commands
Listing your active rule-set
Updating and flushing your tables
Common problems and questions
Problems loading modules
Passive FTP but no DCC
Packets with state NEW and the SYN bit cleared
Internet Service Providers (ISPs) that use reserved IP addresses
Letting DHCP requests through iptables
mIRC DCC problems
ICMP types
Other resources and links
Acknowledgements
History
GNU Free Documentation License
0. PREAMBLE
1. APPLICABILITY AND DEFINITIONS
2. VERBATIM COPYING
3. COPYING IN QUANTITY
4. MODIFICATIONS
5. COMBINING DOCUMENTS
6. COLLECTIONS OF DOCUMENTS
7. AGGREGATION WITH INDEPENDENT WORKS
8. TRANSLATION
9. TERMINATION
10. FUTURE REVISIONS OF THIS LICENSE
How to use this License for your documents
GNU General Public License
0. Preamble
1. TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
2. How to Apply These Terms to Your New Programs
Example scripts
Example rc.firewall script
Example rc.firewall script
Example rc.DMZ.firewall script
Example rc.UTIN.firewall script
Example rc.DHCP.firewall script
Example rc.flush-iptables script
rc.test-iptables

Introduction

About the author

I am someone who has quite a few old computers in my care, which I have joined into a local network with Internet access, and whose security I look after. In that respect the move from ipchains to iptables is justified. Previously, to improve the security of your network, you could drop all packets by closing certain ports, but that caused problems with passive FTP or outgoing DCC in IRC, where ports on the server are assigned dynamically and then told to the client so it can make the connection. At the very beginning I ran into some 'ailments' inherited from ipchains and considered the iptables code not quite ready for a final release. Today I would recommend that anyone who uses ipchains or ipfwadm 'switch over' to iptables!


Dedications

First of all I would like to dedicate this document to my wonderful girlfriend Ninel. She supports me more than I will ever be able to support her.

Secondly, to all the Linux developers who made this wonderful operating system, for their incredibly hard work.


Why this tutorial was written

Let us say that I felt there was an annoying gap in the HOWTOs when it came to information about iptables and the netfilter functions implemented in the new 2.4.x series of Linux kernels. Among other things, I tried to answer some questions about the new features, for example state matching of packets (I could not find a better term :(( translator's note), which makes passive FTP to your server possible but does not let outgoing DCC traffic from IRC through. I will take all the examples from the rc.firewall.txt file, which you can put in /etc/rc.d/. For those who are interested, I can report that this file was originally based on the masquerading HOWTO.

There you will also find a small script, rc.flush-iptables.txt, that I wrote. You may use it as well, extending it to suit your configuration as needed.


How it was written

I asked questions of Marc Boucher and other members of the netfilter development team. I take this opportunity to express my deep gratitude for their help in creating this tutorial, which was written for boingworld.com. In it you will go through the setup process step by step and, I hope, by the end of the document you will know considerably more about the iptables package. Most of the material is based on the rc.firewall.txt file, since I believe that working through an example is the best way to learn iptables. I will walk through the main rule chains in the order they are traversed. This makes the study somewhat harder, but the exposition becomes more logical. And whenever you run into difficulties, you can refer back to this tutorial.


How to read this document

This document was written to make it easier for readers to understand the wonderful world of iptables. You will not find information here about bugs in iptables or netfilter. If you run into one, you can contact the development team, and they can tell you whether such a bug really exists. Today iptables and netfilter contain practically no bugs, although occasionally one or two "slip through". Information about such bugs always appears on the netfilter main page.

The above also means that when the rule-sets accompanying this tutorial were written, the possible presence of any bugs inside netfilter was not taken into account. The main purpose of the examples is to show how a rule-set is written and the problems you may encounter. For example, this document does not explain how to close the Apache 1.2.12 vulnerability on the HTTP port (in fact the examples do show how to close that port, but for a different reason).

This document was written to give beginners a good and simple, yet reasonably complete, tutorial on iptables. It does not contain information on the targets and matches from patch-o-matic, for the simple reason that it would take too much effort to keep track of the whole list of changes. If you need information on the patch-o-matic modifications, you should refer to the documentation that accompanies the specific patch-o-matic; it is available on the netfilter main page.


Terms used in this document

This document contains a few terms that should be explained before you encounter them.

Stream - this term refers to a connection through which packets are sent and received. I used this term for connections through which at least 2 packets are sent in both directions. In the case of TCP this may mean a connection through which a SYN packet is sent and then a SYN/ACK packet is received. But it may also mean sending a SYN packet and receiving an ICMP Host unreachable message. In other words, I use this term in a fairly broad range of applications.

State - this term refers to the state a packet is in, according to RFC 793 - Transmission Control Protocol, and to the interpretations used in netfilter/iptables.


Preparations

The purpose of this chapter is to help you understand the role netfilter and iptables play in Linux today. It should also help you install and set up a firewall.


Where to get iptables

The iptables packages can be downloaded from the netfilter home page. To work with iptables, the kernel of your Linux system must be configured accordingly. Kernel setup is discussed below.


Kernel setup

To provide the basic iptables functionality, the following options must be enabled in the kernel with make config or a similar utility (make menuconfig or make xconfig, translator's note):

CONFIG_PACKET -- This option is required for applications that work directly with network devices, e.g. tcpdump or snort.

CONFIG_NETFILTER -- This option is required if you are going to use the computer as a firewall or as a gateway to the Internet. In other words, you will definitely need it, otherwise why read this tutorial!

And of course you need to add the drivers for your devices, i.e. for the Ethernet card, PPP and SLIP. To use the extended features of iptables you will have to enable some additional options in the kernel. Below is a list of the options for kernel 2.4.9 with a brief description of each.

CONFIG_IP_NF_CONNTRACK -- Connection tracking. Connection tracking is used, among other things, for NAT and Masquerading. If you are going to build a firewall for a local network, you will definitely need this option. For example, this module is required for rc.firewall.txt to work.

CONFIG_IP_NF_FTP -- FTP connection tracking. FTP exchanges are too involved to be handled by the ordinary tracking methods. If you do not add this module, you will run into difficulties passing the FTP protocol through the firewall.

CONFIG_IP_NF_IPTABLES -- This option is required for filtering, Network Address Translation (NAT) and masquerading. Without it you cannot do anything at all with iptables.

CONFIG_IP_NF_MATCH_LIMIT -- This module is optional, but it is used in the rc.firewall.txt examples. It makes it possible to limit how many times a given rule matches. For example, -m limit --limit 3/minute specifies that the given rule may let through no more than 3 packets per minute. Thus this module can be used for protection against Denial of Service attacks.

CONFIG_IP_NF_MATCH_MAC -- This module lets you build rules based on MAC addresses. As you know, every network card has its own unique Ethernet address, so it is possible to block packets arriving from specific MAC addresses (i.e. from specific network cards). Note, however, that this module is not used in rc.firewall.txt or anywhere else in this tutorial.

CONFIG_IP_NF_MATCH_MARK -- The MARK match. For example, using the MARK feature we can mark the packets we want and then, in other tables, decide how to route the marked packet depending on the value of the mark. A more detailed description of MARK is given later in this document.

CONFIG_IP_NF_MATCH_MULTIPORT -- This module lets you build rules that check whether a packet belongs to a range of source/destination port numbers.

CONFIG_IP_NF_MATCH_TOS -- This module lets you build rules based on the TOS field of the packet. TOS stands for Type Of Service. It also becomes possible to set and clear the bits of this field in your own rules in the mangle table or with the ip/tc commands.

CONFIG_IP_NF_MATCH_TCPMSS -- This option adds the ability to match the MSS field of TCP packets.

CONFIG_IP_NF_MATCH_STATE -- This is one of the biggest improvements over ipchains. This module makes it possible to handle TCP packets based on their state. For example, suppose we have an established TCP connection with traffic in both directions; a packet received on that connection will then be considered ESTABLISHED (an established connection, editor's note). This feature is used extensively in the rc.firewall.txt example.

CONFIG_IP_NF_MATCH_UNCLEAN -- This module implements additional checks of IP, TCP, UDP and ICMP packets for inconsistencies, "oddities" and errors. Having installed it we can, for example, drop packets of this kind. Note, however, that this module is still at the experimental stage and will not behave the same in all cases, so you can never be sure that perfectly valid packets have not been dropped.

CONFIG_IP_NF_MATCH_OWNER -- Matching on the "owner" of the socket. For example, we can allow only the root user to access the Internet. This module was written as an example of working with iptables. Note that this module has experimental status and may not always do its job.

CONFIG_IP_NF_FILTER -- Implements the filter table, where most filtering is done. This table contains the INPUT, FORWARD and OUTPUT chains. This module is mandatory if you plan to do packet filtering.

CONFIG_IP_NF_TARGET_REJECT -- Adds the REJECT target, which sends an ICMP error message in reply to an incoming packet that is rejected by the given rule. Remember that TCP connections, unlike UDP and ICMP, are always closed or rejected with a TCP RST packet.

CONFIG_IP_NF_TARGET_MIRROR -- The ability to send a received packet back (mirroring). For example, if the MIRROR target is applied to packets going to the HTTP port through our INPUT chain (i.e. to our web server, translator's note), the packet is sent back (mirrored) and, as a result, the sender sees their own home page. (This is all "ifs": if the sender runs a web server, if it listens on the same port, if the sender has a home page, and so on. The gist is that from the sender's point of view it looks as if the packet was sent to their own machine; simply put, the MIRROR target swaps the source and destination addresses and puts the modified packet back on the network, translator's note.)

CONFIG_IP_NF_NAT -- NAT. Network address translation in its various forms. With this option you can give all the computers on your local network access to the Internet while having only one unique IP address. This option is required for the rc.firewall.txt example to work.

CONFIG_IP_NF_TARGET_MASQUERADE -- Masquerading. Unlike NAT, masquerading is used when our IP address on the Internet is not known in advance, i.e. for DHCP, PPP, SLIP or any other connection method that assigns the IP address dynamically. Masquerading puts a somewhat higher load on the computer than NAT, but it works in situations where the external IP address cannot be specified in advance.

CONFIG_IP_NF_TARGET_REDIRECT -- Redirection. This target is usually used together with a proxy. Instead of simply passing the packet on, this target redirects it to another port on the firewall. In other words, this is how we can do "transparent proxying".

CONFIG_IP_NF_TARGET_LOG -- Adds the LOG target to iptables. We can use this module to record individual packets in the system log (syslog). This can be very useful when debugging your scripts.

CONFIG_IP_NF_TARGET_TCPMSS -- This option can be used to get around the restrictions imposed by some Internet Service Providers that block ICMP Fragmentation Needed packets. As a result of such restrictions, the providers' servers may fail to deliver web pages, ssh may work while scp dies after the connection is established, and so on. To get around restrictions of this kind we can use the TCPMSS target to limit the MSS (Maximum Segment Size) value (usually MSS is limited to the MTU of the outgoing interface minus 40 bytes, translator's note). In this way we can get past what the netfilter authors call "criminally braindead ISPs or servers" in the kernel configuration help.

CONFIG_IP_NF_COMPAT_IPCHAINS -- Adds compatibility with the older ipchains technology. It is quite possible that this kind of compatibility will be kept in the 2.6.x kernel series as well.

CONFIG_IP_NF_COMPAT_IPFWADM -- Adds compatibility with ipfwadm, even though it is a very old firewalling tool.

As you can see, I have given a brief description of each module. These options are available in kernel version 2.4.9.

For the rc.firewall.txt script to work you will need to compile the following options into the kernel or build the corresponding loadable modules. For information on the options required by the other scripts, see the appendix with the example scripts.

  • CONFIG_PACKET
  • CONFIG_NETFILTER
  • CONFIG_CONNTRACK
  • CONFIG_IP_NF_FTP
  • CONFIG_IP_NF_IRC
  • CONFIG_IP_NF_IPTABLES
  • CONFIG_IP_NF_FILTER
  • CONFIG_IP_NF_NAT
  • CONFIG_IP_NF_MATCH_STATE
  • CONFIG_IP_NF_TARGET_LOG
  • CONFIG_IP_NF_MATCH_LIMIT
  • CONFIG_IP_NF_TARGET_MASQUERADE

Above is the list of the minimum kernel options required for the rc.firewall.txt script. The options required for the other example scripts can be found in the corresponding sections below. For now we will concentrate on the main script and begin studying it.
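A quick way to verify that a kernel was built with the minimum options listed above, as an added example (not a script from the tutorial): the function reads a kernel .config and reports every option that is neither built in (=y) nor a module (=m). The connection-tracking entry is checked under the name it was described by above, CONFIG_IP_NF_CONNTRACK; the .config contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: check a kernel .config for the options rc.firewall.txt needs.
# Each option must be built in (=y) or built as a module (=m); a line of the
# form "# CONFIG_X is not set" counts as missing.

REQUIRED_OPTIONS="CONFIG_PACKET CONFIG_NETFILTER CONFIG_IP_NF_CONNTRACK
CONFIG_IP_NF_FTP CONFIG_IP_NF_IRC CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_FILTER
CONFIG_IP_NF_NAT CONFIG_IP_NF_MATCH_STATE CONFIG_IP_NF_TARGET_LOG
CONFIG_IP_NF_MATCH_LIMIT CONFIG_IP_NF_TARGET_MASQUERADE"

# Print the required options that are missing or disabled in the .config
# file given as $1, one per line. Returns 0 if nothing is missing.
check_kernel_config() {
    config="$1"
    missing=""
    for opt in $REQUIRED_OPTIONS; do
        # Exact key followed by =y or =m; CONFIG_X_Y does not match CONFIG_X.
        if ! grep -E -q "^${opt}=(y|m)$" "$config"; then
            missing="$missing $opt"
        fi
    done
    for opt in $missing; do printf '%s\n' "$opt"; done
    [ -z "$missing" ]
}

# Constructed sample .config (not taken from a real kernel): conntrack built
# in, FTP tracking as a module, IRC tracking and state matching left out.
SAMPLE_CONFIG=$(mktemp)
trap 'rm -f "$SAMPLE_CONFIG"' EXIT
cat > "$SAMPLE_CONFIG" <<'EOF'
CONFIG_PACKET=y
CONFIG_NETFILTER=y
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_FTP=m
# CONFIG_IP_NF_IRC is not set
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_NAT=y
# CONFIG_IP_NF_MATCH_STATE is not set
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_MATCH_LIMIT=m
CONFIG_IP_NF_TARGET_MASQUERADE=m
EOF

if check_kernel_config "$SAMPLE_CONFIG"; then
    echo "all options needed by rc.firewall.txt are enabled"
else
    echo "the options above are missing; enable them before building the kernel"
fi
```

Point it at /usr/src/linux/.config (or wherever your kernel sources are) instead of the sample file to check a real configuration.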


Installing the package

First we will look at how to build (compile) the iptables package. Building the package depends heavily on the kernel configuration, and you should be aware of that. Some distributions come with the iptables package preinstalled; one of them is Red Hat 7.1. However, in Red Hat 7.1 this package is disabled by default, so below we will look at how to enable it in this and other distributions.

Compiling the package

First, the iptables source package needs to be unpacked. We will consider the iptables 1.2.6a package and kernel 2.4.9. Unpack it as usual with the command bzip2 -cd iptables-1.2.6a.tar.bz2 | tar -xvf -. If unpacking succeeded, the package will be in the iptables-1.2.6a directory. For more information see the file iptables-1.2.6a/INSTALL, which contains detailed information on building and installing the package.

Next, check that the additional modules and options are enabled in the kernel. The steps described here concern only applying patches to the kernel. In this step we will install updates that are expected to be included in the kernel in the future.

Note

Some of them are still at the experimental stage, but among them there are extremely interesting matches and targets. Perform this step by typing the command (as root, naturally)

make pending-patches KERNEL_DIR=/usr/src/linux/

The KERNEL_DIR variable must contain the path to your kernel sources. Usually it is /usr/src/linux/. If your sources are located elsewhere, specify your own path accordingly.

Note

Here we will apply several updates and additions that will definitely become part of the kernel, but somewhat later; for now we take them from here by running the command

make most-of-pom KERNEL_DIR=/usr/src/linux/

While the above command runs, you will be asked to confirm each update from what the netfilter world calls patch-o-matic. To install all the patches from patch-o-matic, you need to run the following command:

make patch-o-matic KERNEL_DIR=/usr/src/linux/

Do not forget to read the help for each patch carefully and completely before installing anything, since some patches may be incompatible with others, and some, when applied together, may even break the kernel.

Note

You can skip patching the kernel altogether; in other words, there is no particular need for it, but patch-o-matic contains really interesting updates, and you may well want to take a look at them. Nothing bad will happen if you run these commands and see which updates are available.

After patching is complete, you will need to rebuild the kernel with the newly installed updates. Do not forget to configure the kernel first, since the installed updates will most likely be turned off. In principle, you can postpone compiling the kernel until you have finished installing iptables.

Continuing the iptables build, run the command:

make KERNEL_DIR=/usr/src/linux/

If any problems arise during the build, you can try to resolve them yourself or turn to the netfilter mailing list, where you can get help. There you will find explanations of what you might have done wrong during installation, so do not panic right away. If that does not help, try to think it through logically; that may help. Or ask someone knowledgeable.

If everything went smoothly, you are ready to install the binaries, for which you run the following command:

make install KERNEL_DIR=/usr/src/linux/

I hope there were no problems here! Now, to use the iptables package, you will definitely need to rebuild and install the kernel, if you have not done so already. More information on installing the package can be found in the INSTALL file.


Installation on Red Hat 7.1

Red Hat 7.1, with a 2.4.x kernel installed, already includes netfilter and iptables preinstalled. However, to keep backward compatibility with earlier distributions, the ipchains package runs by default. We will now briefly go through how to remove ipchains and run iptables instead.

Note

The iptables version in Red Hat 7.1 is very outdated, and it is probably a good idea to install a newer version of iptables.

First, ipchains must be disabled to prevent its modules from loading in the future. To achieve this, we need to rename some files in the /etc/rc.d/ directory tree. The following command does the required work:

chkconfig --level 0123456 ipchains off

As a result of this command, in some file names the letter S (which indicates that the script runs at system startup) is replaced by the letter K (from the word Kill, which indicates that the script runs at system shutdown). Thus we get link names like K92ipchains, preventing this service from starting in the future.

However, ipchains is still running. Now run the command that stops this service.

service ipchains stop

Finally, the iptables service needs to be started. To do this, first decide on the runlevels at which this service should start. Usually these are runlevels 2, 3 and 5. About these runlevels we know:

  • 2. Multi-user mode without NFS support, or the same as 3 but without networking.
  • 3. Full multi-user mode.
  • 5. X11. This runlevel is used to boot automatically into X Windows.

To start iptables at these runlevels, run the command:

chkconfig --level 235 iptables on

It is worth mentioning the runlevels at which iptables does not need to start: runlevel 1 is single-user mode, usually used in emergencies when we are bringing a "crashed" system back up. Runlevel 4 should not be used at all. Runlevel 6 is the level at which the system halts on shutdown or reboot.

To activate the iptables service, issue the command:

service iptables start

So, we have started iptables, but we have no rules yet. To add new rules in Red Hat 7.1 there are two ways: first, edit the file /etc/rc.d/init.d/iptables, but this method has the drawback that when iptables is updated from RPM packages all your rules will be lost; second, enter the rules and save them with the iptables-save command; rules saved this way are restored automatically at system boot.

If you chose the first way of installing rules in iptables, you need to put them in the start section of the /etc/rc.d/init.d/iptables script (to install the rules at boot) or in the start() function. For actions at system shutdown, make the corresponding changes in the stop) section or in the stop() function. Also do not forget the restart and condrestart sections. Let me remind you once more that if iptables is updated from RPM packages or via automatic network update, you may lose all the changes made to /etc/rc.d/init.d/iptables.

The second way of loading rules is preferable. It involves the following steps. First, write the rules to a file or enter them directly with the iptables command, whichever you prefer. Then run iptables-save, i.e. the command iptables-save > /etc/sysconfig/iptables. As a result, the whole rule-set is saved in the file /etc/sysconfig/iptables, which is loaded automatically when the iptables service starts. Another way to save the rule-set is the command service iptables save, which is exactly the same as the command above. Later, when the computer reboots, the iptables script from rc.d will run iptables-restore to load the rule-set from /etc/sysconfig/iptables.

And finally, to complete the installation, it would be a good idea to remove the old ipchains version.

rpm -e ipchains

Traversing of tables and chains

In this chapter we will look at the order in which the tables, and the chains within each table, are traversed. This information will be very important to you later, when you start building your own rule-sets, especially when the rule-sets include targets such as DNAT, SNAT and of course TOS.


General

When a packet arrives at our firewall, it first hits the network device, is picked up by the corresponding driver and is then passed to the kernel. The packet then passes through a series of tables and is finally delivered either to a local application or forwarded to another machine. The order of traversal is given below.

Table 1. Forwarded packets

Step  Table   Chain        Comment
1                          Cable (i.e. the Internet)
2                          Network interface (e.g. eth0)
3     mangle  PREROUTING   This chain is normally used for mangling the packet header, e.g. changing the TOS bits etc.
4     nat     PREROUTING   This chain is used for Destination Network Address Translation. Source Network Address Translation is done later, in another chain. Any filtering in this chain should be done only in exceptional cases.
5                          Routing decision, i.e. at this point it is decided where the packet goes: to a local application or to another host on the network.
6     filter  FORWARD      Only packets going to another host reach the FORWARD chain. All filtering of forwarded traffic should be done here. Remember that traffic in both directions passes through this chain; be sure to take this into account when writing filtering rules.
7     nat     POSTROUTING  This chain is intended primarily for Source Network Address Translation. Do not use it for filtering unless absolutely necessary. Masquerading is also done here.
8                          Outgoing network interface (e.g. eth1).
9                          Cable (let us say the LAN).

As you can see, a packet passes through several stages before it is passed on. At each of them the packet can be stopped, whether by an iptables chain or something else, but we are mainly interested in iptables. Note that there are no chains specific to individual interfaces or anything of the kind. ALL packets that travel through our firewall/router pass through the FORWARD chain. Below we will look at the path of a packet destined for a local process/application.

Table 2. Packets destined for a local application

Step  Table   Chain        Comment
1                          Cable (i.e. the Internet)
2                          Incoming network interface (e.g. eth0)
3     mangle  PREROUTING   Normally used for mangling the packet header, e.g. setting the TOS bits etc.
4     nat     PREROUTING   Destination Network Address Translation. Packet filtering here is allowed only in exceptional cases.
5                          Routing decision.
6     filter  INPUT        This is where incoming traffic is filtered. Remember that all incoming packets addressed to us pass through this chain, regardless of which interface they arrived on.
7                          Local process/application

It is important to remember that this time the packets go through the INPUT chain, not FORWARD. Finally, we will look at the path of packets generated by local processes.

Table 3. Packets from local processes

Step  Table   Chain        Comment
1                          Local process
2     mangle  OUTPUT       This is where the packet header is mangled. Filtering done in this chain may have negative consequences.
3     nat     OUTPUT       At present this chain does not work. Does anyone know when this bug will be fixed?
4     filter  OUTPUT       This is where outgoing traffic is filtered.
5                          Routing decision. This is where it is decided where the packet goes next.
6     nat     POSTROUTING  This is where Source Network Address Translation is done. Packets should not be filtered in this chain, to avoid unwanted side effects. However, packets can still be stopped here by applying a default DROP policy.
7                          Network interface (e.g. eth0)
8                          Cable (i.e. the Internet)

Now we know that there are three different ways packets can be traversed. The figure below illustrates this more clearly.

More information on packet traversal can be found in the rc.test-iptables.txt script, which contains a few rules that help in understanding the order in which packets are traversed.
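To watch the traversal order of Tables 1-3 on a live system, here is an added example (it is not the tutorial's rc.test-iptables.txt): one rate-limited LOG rule is added to each chain in path order, so the prefixes that appear in syslog trace the route a packet takes. IPTABLES is an assumed variable; by default the script only prints the commands (dry run), and pointing it at the real binary loads them.

```shell
#!/bin/sh
# Added example: emit one LOG rule per chain, in the traversal order of the
# three tables above. With IPTABLES unset the commands are only printed;
# IPTABLES=/sbin/iptables loads them for real (as root).
IPTABLES="${IPTABLES:-echo iptables}"

# Chains in traversal order for the three paths, as "table:chain" pairs.
# nat:OUTPUT is left out of the locally generated path because the table
# above notes that chain does not work in the kernel discussed here.
FORWARD_PATH="mangle:PREROUTING nat:PREROUTING filter:FORWARD nat:POSTROUTING"
INPUT_PATH="mangle:PREROUTING nat:PREROUTING filter:INPUT"
OUTPUT_PATH="mangle:OUTPUT filter:OUTPUT nat:POSTROUTING"

# Print the chain names of a path, one per line, in traversal order.
path_chains() {
    for pair in $1; do printf '%s\n' "${pair#*:}"; done
}

# Add a rate-limited LOG rule for one protocol/port to every chain of a
# path. The prefix names table and chain, so the syslog lines read as a
# trace. Remember that only the first packet of a stream traverses the nat
# chains, so the nat prefixes appear once per connection, not per packet.
log_path() {
    path="$1"; proto="$2"; port="$3"
    for pair in $path; do
        table="${pair%%:*}"; chain="${pair#*:}"
        $IPTABLES -t "$table" -A "$chain" -p "$proto" --dport "$port" \
            -m limit --limit 3/minute -j LOG --log-prefix "${table}_${chain}: "
    done
}

# Trace HTTP along all three paths: forwarded, delivered locally, and
# generated locally.
log_path "$FORWARD_PATH" tcp 80
log_path "$INPUT_PATH" tcp 80
log_path "$OUTPUT_PATH" tcp 80
```

After loading the rules, a single request to port 80 from the LAN, to the firewall itself and from the firewall produces three differently ordered runs of prefixes in the system log, one per table above.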


Mangle table

As already mentioned above, this table is intended mainly for modifying packet headers (mangle: to distort, to alter; translator's note). That is, in this table you can set the TOS (Type Of Service) bits and so on.

Caution

Once again I remind you that you should not do any kind of filtering, masquerading or address translation (DNAT, SNAT) in this table.

Only the following targets may be used in this table:

  • TOS

  • TTL

  • MARK

The TOS target sets the bits of the Type of Service field in the packet. This field is used to assign a network service policy to the packet, i.e. it specifies the preferred routing option. Note, however, that this feature is actually honoured by only an insignificant number of routers on the Internet. In other words, you should not change this field for packets going out to the Internet, because the routers that do honour it may then make the wrong routing decision.

The TTL target is used to set the value of the packet's TTL (Time To Live) field. There is one good use for this target. We can assign a fixed value to this field in order to hide our firewall from overly curious Internet Service Providers. The reason is that some providers strongly dislike one connection being shared by several computers, and so they start checking the TTL value of incoming packets and use it as one of the criteria for deciding whether one computer or several are sitting on the connection.

The MARK target sets a special mark on the packet, which can then be checked by other rules in iptables or by other programs, for example iproute2. With these marks we can control packet routing, limit traffic, and so on.


Nat table

This table is used for Network Address Translation (NAT). As mentioned earlier, only the first packet of a stream passes through the chains of this table; address translation or masquerading is then applied automatically to all subsequent packets in the stream. The targets characteristic of this table are:

  • DNAT

  • SNAT

  • MASQUERADE

The DNAT (Destination Network Address Translation) target rewrites the destination addresses in packet headers. In other words, this target redirects packets to addresses other than those given in their headers.

SNAT (Source Network Address Translation) is used to change the source addresses of packets. With this target you can hide the structure of your local network and, at the same time, share a single external IP address among the computers of the local network for Internet access. In that case the firewall, using SNAT, automatically performs forward and reverse address translation, thereby making it possible to connect to servers on the Internet from computers on the local network.

Masquerading (MASQUERADE) is used for the same purposes as SNAT, but unlike SNAT, MASQUERADE puts a heavier load on the system. This is because every time this target has to be executed, the IP address of the network interface named in the target is looked up, whereas for SNAT the IP address is given directly. Thanks to this difference, however, MASQUERADE can work with a dynamic IP address, i.e. when you connect to the Internet via, say, PPP, SLIP or DHCP.


Filter table

As the name implies, this table should contain the rule sets for packet filtering. Packets can be passed on or rejected, depending on their contents. Of course, we can also filter packets in the other tables, but this table exists precisely for filtering. Most of the existing targets may be used in this table, but a number of the targets discussed earlier in this chapter must be used only in the tables they belong to.


The state machine

This chapter is devoted entirely to the packet state machine. After reading it you should have a fairly clear picture of how this mechanism works. A considerable number of illustrative examples will also be covered.

Introduction

The state machine is a part of iptables and really should not be called that, since it is actually a connection tracking mechanism. Nevertheless, a great many people know it as the "state machine". In this chapter the two names will be used as synonyms. The connection tracker is built so that netfilter can obtain information about the state of a particular connection. Having this mechanism lets you build more robust rule sets.

Within iptables, a connection can be in one of four basic states: NEW, ESTABLISHED, RELATED and INVALID. Later we will look at each of them in more detail. The --state match is used to handle packets based on their state. The tracker determines the four basic states of every TCP or UDP packet together with some additional characteristics. For TCP and UDP packets these are the source IP address, the destination IP address, the source port and the destination port.

In earlier kernel versions it was possible to turn packet defragmentation support on and off. However, once connection tracking was included in iptables/netfilter, there was no longer any need for this. The reason is that the tracker cannot do its job without defragmentation, so defragmentation is always on. It cannot be turned off except by turning off connection tracking.

Tracking is done in the PREROUTING chain. This means that iptables performs all state-related computations within this chain. When the initiating packet of a stream is sent it is assigned the state NEW, and when the reply packet returns the connection state changes to ESTABLISHED, and so on.


The tracking table

Let us briefly look at the tracker's table, which can be found in the file /proc/net/ip_conntrack. It contains a list of all active connections. If the ip_conntrack module is loaded, the command cat /proc/net/ip_conntrack should print something like:

tcp 6 117 SYN_SENT src=192.168.1.6 dst=192.168.1.9 sport=32775 dport=22 [UNREPLIED] src=192.168.1.9 dst=192.168.1.6 sport=22 dport=32775 use=2

This example contains all the information the tracker knows about a particular connection. The first thing you see is the protocol name, in this case tcp. Next comes a number in ordinary decimal notation. After that comes the number giving the "time to live" of the entry in the table (i.e. the number of seconds after which the connection information will be removed from the table). In our case the entry will be kept for another 117 seconds, provided of course that no more packets pass through this connection; otherwise this value is reset to the default for the given state. This number is decremented by 1 every second. Next comes the actual state of the connection. In our example the state is SYN_SENT. The internal representation of the state differs somewhat from the external one. The value SYN_SENT says that a single TCP SYN packet has passed through this connection. Then come the source and destination addresses and the source and destination ports. Here you also see the keyword telling us that there has been no reply traffic on this connection yet. Finally, additional information about the expected packet is given: the source/destination IP addresses (the same ones, only swapped, since a reply packet is expected), and likewise the ports.

Note

Quite recently a tcp-window-tracking patch appeared in patch-o-matic, which makes it possible to pass all the timeout values through special variables, i.e. to change them "on the fly". This makes it possible to change the timeouts without having to rebuild the kernel.

The changes are made through certain system calls, via the /proc/sys/net/ipv4/netfilter directory. Pay particular attention to the set of variables /proc/sys/net/ipv4/netfilter/ip_ct_*.



After the reply packet is received the tracker removes the [UNREPLIED] flag and replaces it with the [ASSURED] flag. This flag indicates that the connection is reliably established and that this entry will not be erased when the maximum possible number of tracked connections is reached. The maximum number of entries the table can hold depends on a default value, which in recent kernel versions can be set by calling the ipsysctl function. For 128 MB of RAM this value corresponds to 8192 entries, for 256 MB to 16376. You can view and change this value via /proc/sys/net/ipv4/ip_conntrack_max.


States

As you have already seen, packets can have several different states inside the kernel, depending on the protocol type. Outside the kernel, however, there are only 4 states, as said above. The packet state is mainly used with the --state match. The valid states are NEW, ESTABLISHED, RELATED and INVALID. The table below discusses each of the possible states.

Table 1. List of states

State Description
NEW The NEW state means that the packet is the first one for a given connection. That is, it is the first packet in this connection that the tracking module has seen. For example, if a SYN packet is received that is the first packet for a given connection, it gets the state NEW. However, the packet may not be a SYN packet and nevertheless get the state NEW. This can cause certain problems in some cases, but it can also be very useful, for example when you want to "pick up" connections "lost" by other firewalls, or in cases where the connection timeout has already expired but the connection itself was not closed.
ESTABLISHED The ESTABLISHED state means that this is not the first packet in the connection. The scheme for setting the ESTABLISHED state is quite easy to understand. The only requirement for a connection to enter the ESTABLISHED state is that one host sends a packet and receives a reply to it from the other host. After the reply is received the connection's state NEW is replaced by ESTABLISHED.
RELATED The RELATED state is one of the trickiest. A connection gets the RELATED state if it is related to another connection that has the ESTABLISHED state. This means that a connection gets the RELATED state when it is initiated from an already established connection that has the ESTABLISHED state. A good example of a connection that can be treated as RELATED is the FTP-data connection, which is related to the FTP control port, as well as a DCC connection started from IRC. Note that most TCP protocols and some UDP protocols that rely on this mechanism are quite complex and transmit connection information in the data area of the TCP or UDP packets, and therefore require special helper modules in order to work correctly.
INVALID The INVALID state means that the packet cannot be identified and therefore cannot have a defined state. This can happen for various reasons, for example when memory runs out or when an ICMP message is received that does not correspond to any known connection. Probably the best option is to apply the DROP target to such packets.

These four states can be used in the --state match. The state machine lets you build extremely powerful and effective protection. Previously we had to open all ports above 1024 to let return traffic into the local network; now, with the state machine, this is no longer necessary, since it has become possible to "open" access only for return (reply) traffic.


TCP connections

In this and the following sections we take a closer look at the states and how they are handled for each of the three basic protocols TCP, UDP and ICMP, and also touch on the case where the connection's protocol cannot be classified as one of those three. We begin with TCP, since it has many very interesting peculiarities with respect to the iptables state machine.

A TCP connection is always set up by exchanging three packets, which initialise and establish the connection over which data will subsequently be transferred. The session begins with a SYN packet, which is answered by a SYN/ACK packet, and an ACK packet confirms that the connection is established. After that the connection is considered established and ready for data transfer. The question may arise: "So how is the connection tracked?" It is actually quite simple.

For all connection types, tracking proceeds in much the same way. Look at the figure below, which shows all the stages of connection establishment. As you can see, from the user's point of view the tracker does not really follow the progress of the handshake. As soon as the tracker "sees" the first (SYN) packet, it assigns it the state NEW. As soon as the second packet (SYN/ACK) passes through the tracker, the connection is assigned the state ESTABLISHED. Why the second packet? Let us work it out. When building your rule set, you can allow packets with the states NEW and ESTABLISHED to leave the local network, while in the incoming traffic you pass only packets with the state ESTABLISHED, and everything will work perfectly. Conversely, if the tracker kept treating the connection as NEW, you would in effect never be able to establish a connection with the "outside world", or you would have to allow NEW packets into the local network.
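The rule set that this paragraph and the end of the States section describe (NEW and ESTABLISHED out, only reply traffic back in), as an added example that is not code from the tutorial. It assumes eth0 faces the Internet, eth1 the local network, and iptables on PATH; without the "apply" argument it only prints the commands.

```shell
#!/bin/sh
# Added example, not code from the tutorial: a minimal stateful rule set
# built on the --state match.  Assumed names: eth0 (Internet side), eth1
# (local network).  Run without arguments for a dry run that prints the
# commands; run with "apply" as root to load them.
IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth0}"   # assumed interface name
LAN_IF="${LAN_IF:-eth1}"   # assumed interface name

stateful_ruleset() {
  # Everything not explicitly accepted below is dropped.
  $IPT -t filter -P INPUT DROP
  $IPT -t filter -P FORWARD DROP
  $IPT -t filter -P OUTPUT DROP

  # Packets the tracker cannot classify: the chapter recommends DROP.
  $IPT -t filter -A INPUT   -m state --state INVALID -j DROP
  $IPT -t filter -A FORWARD -m state --state INVALID -j DROP

  # Local processes may open connections (NEW) and keep using them.
  $IPT -t filter -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

  # Only replies (ESTABLISHED) and helper-created connections such as
  # FTP-data or ICMP errors (RELATED) are let in.  No NEW packet is
  # accepted, so no port above 1024 has to be opened for return traffic.
  $IPT -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

  # LAN hosts: NEW and ESTABLISHED out, only ESTABLISHED/RELATED back in.
  $IPT -t filter -A FORWARD -i "$LAN_IF" -o "$WAN_IF" \
       -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  $IPT -t filter -A FORWARD -i "$WAN_IF" -o "$LAN_IF" \
       -m state --state ESTABLISHED,RELATED -j ACCEPT
}

[ "${1:-}" = "apply" ] || IPT=echo   # dry run unless explicitly applying
stateful_ruleset
```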

From the user's point of view everything looks fairly simple, but seen from the kernel's side it is somewhat more complicated. Let us look at how the connection state changes in the /proc/net/ip_conntrack table. After the first SYN packet has been sent:

tcp 6 117 SYN_SENT src=192.168.1.5 dst=192.168.1.35 sport=1031 dport=23 [UNREPLIED] src=192.168.1.35 dst=192.168.1.5 sport=23 dport=1031 use=1

As you can see, the table entry reflects the exact state of the connection: the transmission of a SYN packet has been recorded (the SYN_SENT state), and it has not yet been answered (the [UNREPLIED] flag). After the reply packet is received, the connection moves to the next internal state:

tcp 6 57 SYN_RECV src=192.168.1.5 dst=192.168.1.35 sport=1031 dport=23 src=192.168.1.35 dst=192.168.1.5 sport=23 dport=1031 use=1

ô.Å. ÚÁÐÉÓØ ÓÏÏÂÝÁÅÔ, ÞÔÏ ÏÂÒÁÔÎÏ ÐÒÏÛÅÌ ÐÁËÅÔ SYN/ACK. îÁ ÜÔÏÔ ÒÁÚ ÓÏÅÄÉÎÅÎÉÅ ÐÅÒÅ×ÏÄÉÔÓÑ × ÓÏÓÔÏÑÎÉÅ SYN_RECV. üÔÏ ÓÏÓÔÏÑÎÉÅ ÇÏ×ÏÒÉÔ Ï ÔÏÍ, ÞÔÏ ÐÁËÅÔ SYN ÂÙÌ ÂÌÁÇÏÐÏÌÕÞÎÏ ÄÏÓÔÁ×ÌÅÎ ÐÏÌÕÞÁÔÅÌÀ É × ÏÔ×ÅÔ ÎÁ ÎÅÇÏ ÐÒÉÛÅÌ ÐÁËÅÔ-ÐÏÄÔ×ÅÒÖÄÅÎÉÅ (SYN/ACK). ëÒÏÍÅ ÔÏÇÏ, ÍÅÈÁÎÉÚÍ ÏÐÒÅÄÅÌÅÎÉÑ ÓÏÓÔÏÑÎÉÑ "Õ×ÉÄÅ×" ÐÁËÅÔÙ, ÓÌÅÄÕÀÝÉÅ × ÏÂÅÉÈ ÎÁÐÒÁ×ÌÅÎÉÑÈ, ÓÎÉÍÁÅÔ ÆÌÁÇ [UNREPLIED]. é ÎÁËÏÎÅà ÐÏÓÌÅ ÐÅÒÅÄÁÞÉ ÚÁËÌÀÞÉÔÅÌØÎÏÇÏ ACK-ÐÁËÅÔÁ, × ÐÒÏÃÅÄÕÒÅ ÕÓÔÁÎÏ×ÌÅÎÉÑ ÓÏÅÄÉÎÅÎÉÑ

tcp 6 431999 ESTABLISHED src=192.168.1.5 dst=192.168.1.35 sport=1031 dport=23 src=192.168.1.35 dst=192.168.1.5 sport=23 dport=1031 use=1

the connection enters the ESTABLISHED state. After a few more packets have passed through this connection, the [ASSURED] flag is added to it.

When closing, a TCP connection goes through the following states.



As the figure shows, the connection is not closed until the last ACK packet has been sent. Note that this picture describes the normal process of closing a connection. In addition, if a connection is refused, it can be closed by sending an RST (reset) packet. In that case the connection is closed after a predefined time has elapsed.

When closing, the connection is put into the TIME_WAIT state, which by default lasts 2 minutes, during which packets can still pass through the firewall. This is a kind of "buffer time" that lets through packets that got "stuck" at one router or another.

If a connection is closed on receipt of an RST packet, it is put into the CLOSE state. The wait time before the connection is actually closed defaults to 10 seconds. RST packets are not acknowledged and the connection is closed immediately. There are also a number of other internal states. The table below lists the possible internal connection states and their corresponding timeouts.

Table 2. Internal states

State Timeout
NONE 30 minutes
ESTABLISHED 5 days
SYN_SENT 2 minutes
SYN_RECV 60 seconds
FIN_WAIT 2 minutes
TIME_WAIT 2 minutes
CLOSE 10 seconds
CLOSE_WAIT 12 hours
LAST_ACK 30 seconds
LISTEN 2 minutes


These values may vary slightly from one kernel version to another; they can also be changed through the /proc file system interface (the variables /proc/sys/net/ipv4/netfilter/ip_ct_tcp_*). The values are given in hundredths of a second, so the number 3000 means 30 seconds.

Note

Note that, from the user's side, the state machine does not reflect the state of the TCP packet flags in any way. As a rule this is bad, since the state NEW is assigned not only to SYN packets.

This problem is discussed in more detail in the section "Packets with state NEW and no SYN bit set".


UDP connections



By their nature, UDP connections have no state. There are several reasons for this; the main one is that the protocol does not provide for connection setup or teardown, but the biggest drawback is the lack of information about the order in which packets arrive. Having received two UDP datagrams, it is impossible to know for certain in which order they were sent. Even in this situation, however, it is still possible to determine the state of the connection. Below is a figure of what connection setup looks like from the tracker's point of view.



As you can see, the state of a UDP connection is determined almost the same way as that of a TCP connection, from the user-space point of view. Internally it looks somewhat different, though largely similar. First let us look at the entry that appears after the first UDP packet has been sent.

udp 17 20 src=192.168.1.2 dst=192.168.1.5 sport=137 dport=1025 [UNREPLIED] src=192.168.1.5 dst=192.168.1.2 sport=1025 dport=137 use=1

The first thing we see is the protocol name (udp) and its number (see /etc/protocols; translator's note). The third value is the remaining "time to live" of the entry in seconds. Next come the characteristics of the packet that passed through the firewall: the source and destination addresses and ports. Here we also see that this is the first packet in the session (the [UNREPLIED] flag). The entry ends with the source and destination addresses and ports of the expected packet. The default timeout for such an entry is 30 seconds.

udp 17 170 src=192.168.1.2 dst=192.168.1.5 sport=137 dport=1025 src=192.168.1.5 dst=192.168.1.2 sport=1025 dport=137 use=1

Once the server has "seen" the reply to the first packet, the connection is considered ESTABLISHED; the only difference from the previous entry is the absence of the [UNREPLIED] flag and, in addition, the entry's timeout has become 180 seconds. After that, only the [ASSURED] flag, described above, can be added. The [ASSURED] flag is set only after a certain number of packets have passed through the connection.

udp 17 175 src=192.168.1.5 dst=195.22.79.2 sport=1025 dport=53 src=195.22.79.2 dst=192.168.1.5 sport=53 dport=1025 [ASSURED] use=1

Now the connection has become "assured". The table entry looks almost the same as in the previous example, except for the [ASSURED] flag. If not even one packet passes through the connection within 180 seconds, the entry is removed from the table. This is a fairly short interval, but it is quite enough for most uses. The "time to live" is counted from the moment the last packet passed, and when a new one appears the time is reset to its initial value.


ICMP connections

ICMP packets are used only to carry control messages and do not set up a persistent connection. However, there are 4 types of ICMP packets that trigger a reply, so they can have two states: NEW and ESTABLISHED. These are ICMP Echo Request/Echo Reply, ICMP Timestamp Request/Timestamp Reply, ICMP Information Request/Information Reply and ICMP Address Mask Request/Address Mask Reply. Of these, ICMP Timestamp Request/Timestamp Reply and ICMP Information Request/Information Reply are considered obsolete and can therefore, in most cases, be safely dropped (DROP). Look at the figure below.



As this figure shows, the server sends an Echo Request to the client, and the request is recognised by the firewall as NEW. The client answers this request with an Echo Reply packet, and now the packet is recognised as having the state ESTABLISHED. After the first packet (Echo Request) has passed, the following entry appears in ip_conntrack:

icmp 1 25 src=192.168.1.6 dst=192.168.1.10 type=8 code=0 id=33029 [UNREPLIED] src=192.168.1.10 dst=192.168.1.6 type=0 code=0 id=33029 use=1

This entry differs somewhat from those of the TCP and UDP protocols, although the protocol name, the timeout and the sender and receiver addresses are present just the same; but then three new fields appear: type, code and id. The type field holds the ICMP type and the code field the ICMP code. The ICMP type and code values are listed in the appendix ICMP types. The last field, id, holds the packet identifier. Every ICMP packet has its own identifier. When the receiver sends a reply to an ICMP request, it puts this identifier into the reply packet, so that the sender can correctly determine which request the reply belongs to.

The next field is the [UNREPLIED] flag, which we have met before. It means that the first packet in the connection has arrived. The entry ends with the characteristics of the expected reply packet. These include the source and destination addresses. As for the type and code of the ICMP packet, they correspond to the correct values for the expected ICMP Echo Reply packet. The identifier of the reply packet is the same as in the request packet.

The reply packet is recognised as ESTABLISHED. However, we know that after the reply packet has been sent nothing more is expected on this connection, so once the reply has passed through netfilter, the entry in the tracker's table is destroyed.

In any case, the request is treated as NEW and the reply as ESTABLISHED. Note that the reply packet must match the characteristics (source and destination addresses, type, code and identifier) given in the tracker's table entry.

ICMP requests have a default timeout of 30 seconds. In most cases this is quite enough. The timeout can be changed in /proc/sys/net/ipv4/netfilter/ip_ct_icmp_timeout. (A reminder that the /proc/sys/net/ipv4/netfilter/ip_ct_* variables become available only after the tcp-window-tracking patch from patch-o-matic has been applied; translator's note.)
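The three entry formats walked through above (the tcp entry in the tracking table section, the udp entries, and the icmp entry here) read by a small script, as an added example that is not part of the tutorial. The sample lines are constructed to match the entries shown in the text; the awk program and the column layout are this example's own.

```shell
#!/bin/sh
# Added example, not code from the tutorial: summarise /proc/net/ip_conntrack
# entries the way this chapter reads them (tcp, udp and icmp formats).  The
# sample lines below are constructed to match the entries shown in the text;
# on a live system run:  conntrack_summary < /proc/net/ip_conntrack

CONNTRACK_SAMPLE='tcp 6 117 SYN_SENT src=192.168.1.5 dst=192.168.1.35 sport=1031 dport=23 [UNREPLIED] src=192.168.1.35 dst=192.168.1.5 sport=23 dport=1031 use=1
tcp 6 431999 ESTABLISHED src=192.168.1.5 dst=192.168.1.35 sport=1031 dport=23 src=192.168.1.35 dst=192.168.1.5 sport=23 dport=1031 [ASSURED] use=1
udp 17 20 src=192.168.1.2 dst=192.168.1.5 sport=137 dport=1025 [UNREPLIED] src=192.168.1.5 dst=192.168.1.2 sport=1025 dport=137 use=1
icmp 1 25 src=192.168.1.6 dst=192.168.1.10 type=8 code=0 id=33029 [UNREPLIED] src=192.168.1.10 dst=192.168.1.6 type=0 code=0 id=33029 use=1'

# conntrack_summary: read ip_conntrack lines on stdin and print, per entry,
#   <proto> <state for --state> <internal state> <seconds left> <original tuple> <flags>
# The --state column is what the next packet in the original direction gets:
# NEW while the entry is still [UNREPLIED], ESTABLISHED once a reply has been
# seen.  (RELATED entries created by helpers are not distinguished here.)
conntrack_summary() {
  awk '
  {
    proto = $1; ttl = $3
    # Only tcp entries carry an internal state (SYN_SENT, ESTABLISHED, ...)
    # in field 4; udp and icmp entries go straight to the original tuple.
    if (proto == "tcp") { istate = $4; first = 5 } else { istate = "-"; first = 4 }
    unreplied = 0; assured = 0; orig = ""; srcs = 0
    for (i = first; i <= NF; i++) {
      if ($i == "[UNREPLIED]") { unreplied = 1; continue }
      if ($i == "[ASSURED]")   { assured = 1; continue }
      if ($i ~ /^use=/) continue
      if ($i ~ /^src=/) srcs++
      # The first src=..dst=.. group is the packet that created the entry;
      # the second is the reply the tracker expects (same values, swapped).
      if (srcs == 1) orig = (orig == "" ? $i : orig " " $i)
    }
    ustate = unreplied ? "NEW" : "ESTABLISHED"
    flags = ""
    if (unreplied) flags = "UNREPLIED"
    if (assured) flags = (flags == "" ? "" : flags ",") "ASSURED"
    if (flags == "") flags = "-"
    printf "%s %s %s %ss %s %s\n", proto, ustate, istate, ttl, orig, flags
  }'
}

printf '%s\n' "$CONNTRACK_SAMPLE" | conntrack_summary
```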

A large part of ICMP is used to carry messages about what is happening to a particular UDP or TCP connection. Because of this, such packets are very often recognised as RELATED to an existing connection. Simple examples are the ICMP Host Unreachable and ICMP Network Unreachable messages. They are always generated when an attempt is made to connect to a host while that host or its network is unreachable; in that case the last router returns the corresponding ICMP packet, which is recognised as RELATED. The figure below shows how this happens.

In this example a connection request (SYN packet) is sent to some host. It gets the state NEW at the firewall. At that moment, however, the network turns out to be unreachable, so the router returns an ICMP Network Unreachable packet. The connection tracker recognises this packet as RELATED thanks to the entry already in the table, so the packet is duly delivered to the client, which then aborts the failed connection. Meanwhile the firewall destroys the table entry, since an error message has been received for this connection.

The same happens with UDP connections when similar problems arise. All ICMP messages sent in response to a UDP connection are treated as RELATED. Look at the next figure.



A UDP datagram is sent to the server. The connection is assigned the state NEW. However, access to the network is prohibited (by a firewall or router), so an ICMP Network Prohibited message comes back. The firewall recognises this message as related to the open UDP connection, assigns it the state RELATED and passes it to the client. After that the tracker's table entry is destroyed, and the client duly aborts the connection.


Default behaviour

In some cases the state machine cannot recognise the protocol being used and, accordingly, cannot choose a strategy for handling the connection. In that case it falls back to the default behaviour. The default behaviour is used, for example, when handling the NETBLT, MUX and EGP protocols. The default behaviour is much like the tracking of UDP connections. The first packet is assigned the state NEW and all subsequent packets the state ESTABLISHED.

When the default behaviour is used, the same timeout value is used for all packets; it can be changed in /proc/sys/net/ipv4/netfilter/ip_ct_generic_timeout. By default this value is 600 seconds, or 6 minutes (yes, that is exactly what the original text says. I suspect the author simply made a slip and it should read "600 seconds or 10 minutes". Incidentally, in the source code (/usr/src/linux/net/ipv4/netfilter/ip_conntrack_proto_generic.c) the value of GENERIC_TIMEOUT is 600 seconds; translator's note). Depending on the type of traffic this time may need to be changed, especially when the connection goes over a satellite link.


Tracking complex protocols

There are a number of complex protocols whose correct tracking is harder. Examples are the ICQ, IRC and FTP protocols. Each of these protocols carries additional connection information in the packet's data area. Accordingly, correct tracking of such connections requires additional helper modules to be loaded.

As a first example let us consider the FTP protocol. FTP first opens a single connection, called the FTP control session. When commands are executed within this session, additional ports are opened to transfer the accompanying data. These connections can be active or passive. When an active connection is created, the client sends the FTP server a port number and IP address for the connection. The client then opens the port, the server connects its port 20 (known as FTP-Data) to the client's given port and sends the data over the established connection.

The problem is that the firewall knows nothing about these additional connections, since all the information about them is carried in the packet's data area. Because of this the firewall will not let the server connect to the client's specified port.

The solution is to add a special tracking helper module that watches for protocol-specific information in the data area of the packets sent within the control session. When such a connection is created, the helper module correctly interprets the transmitted information and creates a corresponding entry in the tracker's table with the state RELATED, thanks to which the connection is established. The figure below explains how such a connection proceeds.



Passive FTP works the other way round. The client sends the server a request for data, and the server returns to the client an IP address and port number to connect to. The client connects its port 20 (FTP-data) to the server's specified port and receives the requested data. If your FTP server is behind a firewall, you will need this helper module so that the server can serve clients from the Internet. The same applies when you want to restrict your users to connecting only to HTTP and FTP servers on the Internet and close all other ports. The figure below shows how a passive FTP connection proceeds.



Some helper modules are already included in the kernel. To be more precise, the kernel includes helper modules for the FTP and IRC protocols. If the helper module you need is not available to you, you should turn to patch-o-matic, which contains a large number of helper modules for tracking protocols such as ntalk or H.323. If you do not find what you need there either, you have further options: you can look in the iptables CVS, in case the helper module you want has not yet been included in patch-o-matic, or you can contact the netfilter developers and ask whether such a module exists and whether it is planned for release. If that fails too, you should probably read Rusty Russell's Unreliable Netfilter Hacking HOWTO.

Helper modules can be compiled either as loadable kernel modules or statically. If they are compiled as modules, you can load them with the command

modprobe ip_conntrack_*

Note that the state machine has nothing to do with Network Address Translation (NAT), so you may need more additional modules if you perform such translation. Suppose you do address translation and track FTP connections; then you also need the corresponding NAT helper module. The names of NAT helper modules begin with ip_nat, in line with the naming convention. In this case the module is called ip_nat_ftp. For the IRC protocol the module is called ip_nat_irc. The names of the tracker's helper modules follow the same convention, for example ip_conntrack_ftp and ip_conntrack_irc.


How to build rules

This chapter discusses how to build your own rules for iptables. Each line you insert into a chain should contain a separate rule. We will also discuss the basic matches and targets and how to create your own rule chains.


Basics

As already said above, each rule is a line containing the criteria that determine whether a packet matches the rule, and the action to take if the criteria are met. In general, rules are written roughly like this:

iptables [-t table] command [match] [target/jump]

Nowhere is it stated that the target/jump must come last on the line, but we will stick to this notation for readability.

If the [-t table] specifier is not included in the rule, the filter table is assumed by default; if another table is intended, it must be specified explicitly. The table specifier can also be placed anywhere on the rule line, but it is more or less standard to put the table at the beginning of the rule.

Next, immediately after the table name, comes the command. If there is no table specifier, the command must always come first. The command tells iptables what to do, for example insert a rule, append a rule to the end of a chain, delete a rule, and so on.

The match section specifies the criteria used to decide whether or not a packet matches this rule. Here we can specify a wide variety of criteria: the source IP address of the packet or network, the network interface, and so on. There are many matches, which we will go through in this chapter.

Finally, the target specifies what action to take if the rule's criteria are met. Here we can make the kernel pass the packet to another chain of rules, "drop" the packet and forget about it, send an error message back to the source, and so on.


Tables

The -t option specifies the table to use. The filter table is used by default. The following values may be given with the -t option.

Table 1. Tables

Table  Description
nat  The nat table is used mainly for Network Address Translation. Only the first packet of a stream passes through this table; the address translation is then applied automatically to all subsequent packets. This is one of the reasons why we should not do any filtering in this table. The PREROUTING chain is used to alter packets as they enter the firewall. The OUTPUT chain is used to alter packets generated by applications inside the firewall, before the routing decision is made. Note that at present this chain does not work. The last chain in this table is POSTROUTING, which is used to alter packets before they are sent out.
mangle  This table is used to alter packet headers. Examples are changing the TTL, TOS or MARK fields. Important: the MARK field is not actually changed in the packet; instead a structure is created in kernel memory that accompanies the packet throughout its passage through the machine, so that other rules and applications on this machine (and only on this machine) can use the field for their own purposes. The table has two chains, PREROUTING and OUTPUT. PREROUTING is used to alter packets entering the firewall, before the routing decision is made; OUTPUT is used to alter packets coming from applications inside the firewall. Note that the mangle table must never be used for Network Address Translation or Masquerading, since the nat table exists for that purpose.
filter  The filter table is used mainly for packet filtering. For example, here we can DROP, LOG, ACCEPT or REJECT packets without any of the complications found in the other tables. It has three built-in chains. The first is FORWARD, used to filter packets passing in transit through the firewall. The INPUT chain is traversed by packets destined for local applications (the firewall itself). And the OUTPUT chain is used to filter outgoing packets generated by applications on the firewall itself.

Above we looked at the main differences between the three available tables. Each of them must be used only for its own purpose, and you need to understand this. Using a table for the wrong purpose can weaken the protection of the firewall and of the network behind it. Later, in the chapter Traversing of tables and chains, we will look at this in more detail.


Commands

Below is the list of commands and the rules for their use. With commands we tell iptables what we intend to do. Usually this is one of two actions: adding a new rule to a chain, or deleting an existing rule from one table or another. The commands used in iptables are listed next.

Table 2. Commands

Command
Example
Explanation
-A, --append
iptables -A INPUT ...
Appends a new rule to the end of the given chain.
-D, --delete
iptables -D INPUT -p tcp --dport 80 -j DROP, iptables -D INPUT 1
Deletes a rule from a chain. The command has two forms: in the first, the match criteria are given together with -D (see the first example); in the second, the ordinal number of the rule is given. If match criteria are given, the rule containing those criteria is deleted; if a rule number is given, the rule with that number is deleted. Rules in a chain are numbered starting from 1.
-R, --replace
iptables -R INPUT 1 -s 192.168.0.1 -j DROP
Replaces one rule with another. It is mainly used while debugging new rules.
-I, --insert
iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT
Inserts a new rule into a chain. The number following the chain name is the number of the rule before which the new rule is to be inserted; in other words, the number becomes the number of the inserted rule. In the example above the rule is to become rule 1 in the INPUT chain.
-L, --list
iptables -L INPUT
Lists the rules in the given chain; in this example the rules of the INPUT chain are listed. If no chain name is given, the rules of all chains are listed. The output format depends on the additional options on the command line, for example -n, -v, etc.
-F, --flush
iptables -F INPUT
Flushes (deletes) all rules from the given chain (table). If no chain and table are given, all rules in all chains are deleted.
-Z, --zero
iptables -Z INPUT
Zeroes all counters in the given chain. If no chain name is given, all chains are implied. When the -v option is used together with the -L command, the output also shows the counters of packets that matched each rule. The -L and -Z commands may be used together; in that case the list of rules with their counters is printed first, and then the counters are zeroed.
-N, --new-chain
iptables -N allowed
Creates a new chain with the given name in the given table. In the example above a new chain named allowed is created. The chain name must be unique and must not coincide with the reserved names of chains and targets (DROP, REJECT, etc.).
-X, --delete-chain
iptables -X allowed
Deletes the given chain from the given table. The chain being deleted must contain no rules, and no other chain may reference it. If no chain name is given, all chains defined with -N in the given table are deleted.
-P, --policy
iptables -P INPUT DROP
Sets the default policy of the given chain. The default policy is the action applied to packets that match none of the rules in the chain. DROP, ACCEPT and REJECT may be used as the default policy.
-E, --rename-chain
iptables -E allowed disallowed
The -E command renames a user-defined chain. In the example the chain allowed is renamed to disallowed. Renaming does not change how the chain works; it is purely cosmetic.

A command must always be given. The list of available commands can be viewed with iptables -h or, equivalently, iptables --help. Some commands may be used together with additional options. Below is the list of additional options and a description of their effect. Note that the options used when building matches or targets are not listed here; we will discuss those options later.

Table 3. Options

Option
Commands it is used with
Description
-v, --verbose
--list, --append, --insert, --delete, --replace
This option makes the output more informative and is usually used together with --list. When used with --list, the output also includes the interface name and the packet and byte counters for each rule. The counters are printed with the multipliers K (x1000), M (x1,000,000) and G (x1,000,000,000) in addition to the digits. To make --list print the full number (without multipliers), use the -x option described below. If -v, --verbose is used with --append, --insert, --delete or --replace, a detailed report of the operation performed is printed.
-x, --exact
--list
All numbers in the output are printed as exact values, without rounding and without the K, M, G multipliers. Note that this option is used only with --list and does not apply to other commands.
-n, --numeric
--list
Makes iptables print IP addresses and port numbers in numeric form, preventing attempts to resolve them into symbolic names. This option is used only with --list.
--line-numbers
--list
The --line-numbers option turns on printing of line numbers when the rule list is displayed with --list. The line number corresponds to the rule's position in the chain. This option is used only with --list.
-c, --set-counters
--insert, --append, --replace
This option is used when creating a new rule to set its packet and byte counters to given values. For example, --set-counters 20 4000 sets the packet counter to 20 and the byte counter to 4000.
--modprobe
All
The --modprobe option specifies the command used to load kernel modules. It is used if your modprobe command is outside the search path. This option may be used with any command.
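The commands and options from Tables 2 and 3 applied in a sequence that respects their constraints (flush before deleting user chains, policies before rules, -I to put a rule at the top). This is an added example, not a script from the tutorial; the chain name allowed, the ports and the LOG target (covered later in the tutorial) are illustrative choices, and DRY_RUN=1 prints the invocations instead of executing them.

```shell
#!/bin/sh
# Added example (not part of the tutorial): builds a small filter ruleset with
# the commands of Tables 2 and 3. Set DRY_RUN=1 to print the iptables
# invocations instead of running them (no root needed).

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "iptables $*"
    else
        iptables "$@"
    fi
}

build_ruleset() {
    # 1. Flush all chains of the filter table first: -X refuses to delete a
    #    user chain that still holds rules or is still referenced by a jump.
    run -F
    run -X
    run -Z
    # 2. Default policies before any rules: what matches nothing is dropped.
    run -P INPUT DROP
    run -P FORWARD DROP
    run -P OUTPUT ACCEPT
    # 3. A user-defined chain; its name must not collide with a built-in
    #    target such as DROP or REJECT.
    run -N allowed
    run -A allowed -p tcp --syn -j ACCEPT
    run -A allowed -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A allowed -p tcp -j DROP
    # 4. -A appends in evaluation order: loopback and tracked traffic first,
    #    then the offered services, each handed over to the allowed chain.
    run -A INPUT -i lo -j ACCEPT
    run -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A INPUT -p tcp --dport 22 -j allowed
    run -A INPUT -p tcp --dport 80 -j allowed
    # 5. -I INPUT 1 puts this rule ahead of everything appended so far;
    #    -m limit keeps the log from flooding (defaults would be 3/hour, burst 5).
    run -I INPUT 1 -p tcp --tcp-flags ALL NONE -m limit --limit 3/minute \
        -j LOG --log-prefix "NULL scan: "
    # 6. Inspect the result: numeric addresses, counters, rule numbers.
    run -L INPUT -n -v --line-numbers
}

# Same ruleset, printed instead of applied (subshell so DRY_RUN does not leak).
ruleset_dry_run() {
    ( DRY_RUN=1; build_ruleset )
}

# Number of rule-adding commands (-A and -I) the ruleset issues.
count_rules() {
    ruleset_dry_run | grep -c -e ' -A ' -e ' -I '
}

# Usage: sh rules.sh apply           (executes iptables, needs root)
#        DRY_RUN=1 sh rules.sh apply (prints the commands only)
if [ "${1:-}" = apply ]; then
    build_ruleset
fi
```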

Matches

Here we look in more detail at the criteria for selecting packets. I have divided all matches into five groups. The first is the generic matches, which may be used in any rule. The second is the TCP matches, which apply only to TCP packets. The third is the UDP matches, which apply only to UDP packets. The fourth is the ICMP matches for working with ICMP packets. And finally the fifth is the special matches, such as state, owner, limit and so on.


Generic matches

Here we look at the generic matches. Generic matches may be used in any rule; they do not depend on the protocol type and do not require loading extension modules. I have put the --protocol match into this group even though it is used by some protocol-specific extensions. For example, if we decide to use a TCP match, we must also use the --protocol match, passing it the protocol name, TCP, as an additional argument. However, --protocol is a match in its own right, used to specify the protocol type.

Table 4. Generic matches

Match: -p, --protocol
Example: iptables -A INPUT -p tcp
Description: This match is used to specify the protocol type. Examples of protocols are TCP, UDP and ICMP. The list of protocols can be found in the file /etc/protocols. First of all, the three protocols mentioned above may be passed to this match by name, as may the keyword ALL. A number, the protocol number, may also be passed as the protocol; for example, 255 corresponds to the RAW IP protocol. The mapping between protocol numbers and names can be found in the file /etc/protocols already mentioned. The match may also be given a comma-separated list of protocols, for example udp,tcp (although the author points out the possibility of passing a list of protocols, nobody has yet managed to do it! Incidentally, man iptables explicitly states that only one protocol may be given in this match. Perhaps this extension exists in patch-o-matic? Translator's note). If the numeric value 0 is passed to this match, it is equivalent to the ALL specifier, which is assumed by default when the --protocol match is not used. For logical inversion of the match, the ! character is placed before the protocol name (or list of protocols); for example --protocol ! tcp means packets of any protocol except tcp.
Match: -s, --src, --source
Example: iptables -A INPUT -s 192.168.1.1
Description: The source IP address(es) of the packet. The source address may be given as shown in the example, in which case a single IP address is meant. It may also be given in the form address/mask, for example 192.168.0.0/255.255.255.0, or in the more modern form 192.168.0.0/24, thus actually defining a range of addresses. As before, the ! character placed before the address means logical negation, i.e. --source ! 192.168.0.0/24 means any address except 192.168.0.x.
Match: -d, --dst, --destination
Example: iptables -A INPUT -d 192.168.1.1
Description: The destination IP address(es). The syntax is the same as for the --source match, except that it refers to the destination address. In the same way it may specify either a single IP address or a range of addresses. The ! character is used for logical inversion of the match.
Match: -i, --in-interface
Example: iptables -A INPUT -i eth0
Description: The interface the packet was received on. This match may be used only in the INPUT, FORWARD and PREROUTING chains; in any other case it produces an error message. If this match is absent, any interface is assumed, which is equivalent to using the match -i +. As before, the ! character inverts the result of the match. If the interface name ends with the + character, the match covers all interfaces whose names begin with the given string; for example -i PPP+ means any PPP interface, and -i ! eth+ means any interface except any eth interface.
Match: -o, --out-interface
Example: iptables -A FORWARD -o eth0
Description: Specifies the name of the output interface. This match may be used only in the OUTPUT, FORWARD and POSTROUTING chains; otherwise an error message is generated. If this match is absent, any interface is assumed, which is equivalent to using the match -o +. As before, the ! character inverts the result of the match. If the interface name ends with the + character, the match covers all interfaces whose names begin with the given string; for example -o eth+ means any eth interface, and -o ! eth+ means any interface except any eth interface.
Match: -f, --fragment
Example: iptables -A INPUT -f
Description: The rule applies to all fragments of a fragmented packet except the first. This is done because there is no way to determine the source/destination port of a packet fragment, or the type of an ICMP fragment. Fragmented packets can be used to attack your firewall, since the fragments may not be caught by other rules. As before, the ! character may be used to invert the result of the match, except that in this case the ! must precede the -f match, for example ! -f. The inverted match is interpreted as "all first fragments of fragmented packets and/or unfragmented packets, but not the second and subsequent fragments of fragmented packets".

Implicit matches

In this section we look at the implicit matches, or more precisely the matches that are loaded implicitly and become available, for example, when the --protocol match is given. At present there are three automatically loaded extensions: the TCP matches, the UDP matches and the ICMP matches (when building my own rules I found it necessary to load these extensions explicitly, i.e. the extensions were not loaded automatically. Translator's note). These extensions may also be loaded explicitly with the -m, --match option, for example -m tcp.


TCP matches

This extension depends on the protocol type and works only with TCP packets. To use these additional matches you must specify the protocol type --protocol tcp in the rules. Important: the --protocol tcp match must come before the protocol-specific match. These extensions are loaded automatically for the tcp protocol, as well as for the udp and icmp protocols (I already mentioned the implicit loading of extensions above. Translator's note).

Table 5. TCP matches

Match: --sport, --source-port
Example: iptables -A INPUT -p tcp --sport 22
Description: The source port the packet was sent from. The parameter may be a port number or the name of a network service. The mapping between service names and port numbers can be found in the file /etc/services. Rules work somewhat faster when port numbers are given, but this is less convenient when reading script listings. If you intend to create large rule sets, say of the order of several hundred rules or more, it is preferable to use port numbers.
Port numbers may be given as a range from a minimum to a maximum number, for example --source-port 22:80. If the minimum port is omitted, i.e. the match is written --source-port :80, the number 0 is taken as the start of the range. If the maximum port is omitted, i.e. the match is written --source-port 22:, the number 65535 is taken as the end of the range. The form --source-port 80:22 is also allowed; in this case iptables swaps 22 and 80, i.e. such a specification is converted to --source-port 22:80. As before, the ! character is used for inversion. Thus --source-port ! 22 means any port except 22. Inversion may also be applied to a port range, for example --source-port ! 22:80.
Match: --dport, --destination-port
Example: iptables -A INPUT -p tcp --dport 22
Description: The port the packet is addressed to. The arguments are given in the same format as for --source-port.
Match: --tcp-flags
Example: iptables -p tcp --tcp-flags SYN,ACK,FIN SYN
Description: Specifies the mask and the flags of a tcp packet. A packet matches if, among the flags listed in the first list, exactly those in the second list are set. So for the example above the match covers packets with the SYN flag set and the FIN and ACK flags cleared. The arguments of the match may be the flags SYN, ACK, FIN, RST, URG, PSH, as well as the reserved identifiers ALL and NONE. ALL means ALL flags and NONE means NO flag. Thus the match --tcp-flags ALL NONE means that all flags in the packet must be cleared. As before, the ! character inverts the match. Important: the flag names within each list must be separated by commas; a space separates the two lists.
Match: --syn
Example: iptables -p tcp --syn
Description: The --syn match is essentially a relic carried over from ipchains. It matches packets with the SYN flag set and the ACK and FIN flags cleared. This match is equivalent to --tcp-flags SYN,ACK,FIN SYN. Such packets are used to open a TCP connection. By blocking such packets you reliably block all incoming connection requests; however, this match cannot block outgoing connection requests. As before, the match may be inverted with the ! character. Thus ! --syn means all packets that are not connection requests, i.e. all packets with the FIN or ACK flag set.
Match: --tcp-option
Example: iptables -p tcp --tcp-option 16
Description: A packet satisfies this match if its TCP option equals the given number. A packet that does not have a complete TCP header is dropped automatically when an attempt is made to examine its TCP options. As before, the inversion flag [!] may be used.
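The mask/flags rule behind --tcp-flags, worked through on sample packets: the first list selects which flag bits are examined, the second says which of them must be set, and bits outside the mask are ignored (so a SYN,PSH packet still matches --syn). This is an added example, not code from the tutorial; the bit values follow the TCP header layout in RFC 793, and the packets are constructed here.

```shell
#!/bin/sh
# Added example (not from the tutorial): evaluates an iptables --tcp-flags
# MASK COMPARE match against a packet's flag set.

# Bit value of one flag name, in TCP header order (FIN is the lowest bit).
flag_value() {
    case $1 in
        FIN)  echo 1 ;;
        SYN)  echo 2 ;;
        RST)  echo 4 ;;
        PSH)  echo 8 ;;
        ACK)  echo 16 ;;
        URG)  echo 32 ;;
        ALL)  echo 63 ;;
        NONE) echo 0 ;;
        *)    echo "unknown flag: $1" >&2; return 1 ;;
    esac
}

# "SYN,ACK,FIN" -> bitmask (comma-separated, no spaces, as iptables requires).
flags_to_bits() {
    total=0
    old_ifs=$IFS
    IFS=,
    for f in $1; do
        total=$((total | $(flag_value "$f")))
    done
    IFS=$old_ifs
    echo "$total"
}

# tcp_flags_match MASK_LIST COMPARE_LIST PACKET_FLAGS -> prints yes or no.
# Matches when (packet_flags & mask) == compare, which is what the kernel
# checks: flags outside the mask play no part in the decision.
tcp_flags_match() {
    mask=$(flags_to_bits "$1")
    comp=$(flags_to_bits "$2")
    pkt=$(flags_to_bits "$3")
    if [ $((pkt & mask)) -eq "$comp" ]; then
        echo yes
    else
        echo no
    fi
}

# Constructed packets against the --syn equivalent and the "no flags" check.
for pkt in SYN SYN,PSH SYN,ACK ACK NONE; do
    printf '%-8s --tcp-flags SYN,ACK,FIN SYN -> %s\n' "$pkt" \
        "$(tcp_flags_match SYN,ACK,FIN SYN "$pkt")"
done
printf 'NONE     --tcp-flags ALL NONE        -> %s\n' "$(tcp_flags_match ALL NONE NONE)"
```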

UDP matches

This section covers the matches specific to the UDP protocol. These extensions are loaded automatically when the protocol type --protocol UDP is given. It is important to note that UDP packets are not connection-oriented and therefore carry no flags from which the purpose of a datagram could be judged. Receipt of UDP packets requires no acknowledgement from the receiver. If they are lost, they are simply lost (without an ICMP error message being sent). This implies considerably fewer additional matches than for TCP packets. Important: a good firewall must handle packets of any type, UDP or ICMP, which are considered connectionless, just as well as TCP packets. We will talk about this later, in the following chapters.

Table 6. UDP matches

Match: --sport, --source-port
Example: iptables -A INPUT -p udp --sport 53
Description: The source port the packet was sent from. The parameter may be a port number or the name of a network service. The mapping between service names and port numbers can be found in the file /etc/services. Rules work somewhat faster when port numbers are given, but this is less convenient when reading script listings. If you intend to create large rule sets, say of the order of several hundred rules or more, it is preferable to use port numbers.
Port numbers may be given as a range from a minimum to a maximum number, for example --source-port 22:80. If the minimum port is omitted, i.e. the match is written --source-port :80, the number 0 is taken as the start of the range. If the maximum port is omitted, i.e. the match is written --source-port 22:, the number 65535 is taken as the end of the range. The form --source-port 80:22 is also allowed; in this case iptables swaps 22 and 80, i.e. such a specification is converted to --source-port 22:80. As before, the ! character is used for inversion. Thus --source-port ! 22 means any port except 22. Inversion may also be applied to a port range, for example --source-port ! 22:80.
Match: --dport, --destination-port
Example: iptables -A INPUT -p udp --dport 53
Description: The port the packet is addressed to. The argument format is exactly the same as for the --source-port match.

ICMP matches

This protocol is generally used to send error messages and to control connections. It is not subordinate to the IP protocol, but works closely with it, since it helps to handle error conditions. ICMP packet headers are very similar to IP headers, but there are differences. The main property of this protocol lies in the header type, which tells what kind of packet it is. For example, when we try to connect to an unreachable host, we receive an ICMP host unreachable message in reply. The full list of ICMP message types can be found in the appendix ICMP types. There is only one specific match for ICMP packets. This extension is loaded automatically when we give the --protocol ICMP match. Note that the generic matches may also be used to check ICMP packets, since the source address, the destination address, etc. are known.

Table 7. ICMP matches

Match: --icmp-type
Example: iptables -A INPUT -p icmp --icmp-type 8
Description: The ICMP message type. The ICMP message type is specified by number or by name. The numeric values are defined in RFC 792. To get the list of ICMP type names, run iptables --protocol icmp --help, or see the appendix ICMP types. As before, the ! character inverts the match, for example --icmp-type ! 8.

Explicit matches

Before these extensions can be used, they must be loaded explicitly with the -m or --match option. So, for example, if we intend to use the state matches, we must state this explicitly in the rule line: -m state to the left of the match being used. Some of these matches are still under development and so may not always work, but in most cases they work quite reliably. The only difference between explicit and implicit matches is that the former must be loaded explicitly while the latter are loaded automatically.


MAC match

Table 8. MAC matches

The MAC match is used to check the source MAC address of a packet. At present the -m mac module provides only one match, but it may be extended in the future and become more useful.

Note

The extension module must be loaded explicitly with -m mac. I mention this because many people forget this option and then wonder why the match does not work.

Match: --mac-source
Example: iptables -A INPUT -m mac --mac-source 00:00:00:00:00:01
Description: The MAC address of the network node that sent the packet. The MAC address must be given in the form XX:XX:XX:XX:XX:XX. As before, the ! character inverts the match, for example --mac-source ! 00:00:00:00:00:01, meaning a packet from any node except the one with MAC address 00:00:00:00:00:01. This match makes sense only in the PREROUTING, FORWARD and INPUT chains and nowhere else.

The limit match

Must be loaded explicitly with -m limit. Well suited to rules that write to the system log (logging) and the like. By adding this match we set the maximum number of packets per unit of time that the rule is able to pass. The ! character may be used for inversion, for example -m ! limit; in that case packets pass the rule only after the limit has been exceeded.

Table 9. The limit match

Match: --limit
Example: iptables -A INPUT -m limit --limit 3/hour
Description: Sets the maximum number of packets per unit of time to which this rule is applied when all other conditions match. The argument is a number of packets and a time unit. The following time units are allowed: /second /minute /hour /day. The default is 3 packets per hour, or 3/hour. The inversion flag [!] is not allowed in this match.
Match: --limit-burst
Example: iptables -A INPUT -m limit --limit-burst 5
Description: Sets the maximum value of the burst limit number for the limit match. This number is incremented by one when a packet matching the rule is received while the average rate of packet arrival (set with --limit) has already been reached. This continues until the burst limit number reaches the maximum set with --limit-burst. After that the rule passes packets at the rate set with --limit. The default value is 5. To demonstrate how this match works I have written the script limit-test.txt. With this script you can see how the limit match works simply by sending ping packets at different time intervals.

From the translator: For a very long time my understanding of the limit match remained at an intuitive level, until Vladimir Kholmanov (I take my hat off to him with a deep bow) explained its essence to me simply and clearly. I will try to pass on his explanation:

  1. The -m limit extension implies the --limit and --limit-burst options. If you do not specify these options, they take their default values.
  2. The --limit-burst option is the maximum value of the packet counter at which the limit kicks in.
  3. The --limit option is the rate at which the burst limit counter is "unwound back".

A principle that is easily implemented in C and widely used in many rate-limiting algorithms.
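The three points above, as a simulation you can run without iptables: a credit bucket that starts full, costs one "interval" per matched packet and refills with elapsed time. This is an added example, not code from the tutorial or the translator; the credit-in-seconds bookkeeping is a simplification chosen here, and the packet timestamps are constructed.

```shell
#!/bin/sh
# Added example (not part of the tutorial): simulates -m limit as a credit
# bucket. Credits are counted in seconds: one matched packet costs INTERVAL
# credits (seconds per packet implied by --limit, e.g. 1200 for 3/hour), the
# bucket holds at most BURST*INTERVAL credits and gains one credit per elapsed
# second. The bucket starts full, so the first BURST packets always match.

# limit_sim INTERVAL BURST "t1 t2 ..."  (timestamps in seconds, non-decreasing)
# prints A (rule matched) or D (rule did not match) for each packet.
limit_sim() {
    interval=$1
    burst=$2
    capacity=$((burst * interval))
    credit=$capacity
    prev=0
    out=""
    for t in $3; do
        # Refill by the time since the previous packet, but never past capacity.
        credit=$((credit + t - prev))
        if [ "$credit" -gt "$capacity" ]; then
            credit=$capacity
        fi
        prev=$t
        if [ "$credit" -ge "$interval" ]; then
            credit=$((credit - interval))   # pay for this packet: it matches
            out="${out:+$out }A"
        else
            out="${out:+$out }D"            # bucket empty: no match
        fi
    done
    printf '%s\n' "$out"
}

# Seconds per packet for a --limit argument such as 3/hour (-> 1200).
limit_interval() {
    n=${1%%/*}
    case ${1#*/} in
        second) unit=1 ;;
        minute) unit=60 ;;
        hour)   unit=3600 ;;
        day)    unit=86400 ;;
        *)      echo "unknown time unit in $1" >&2; return 1 ;;
    esac
    echo $((unit / n))
}

# The defaults (--limit 3/hour --limit-burst 5) against constructed arrivals:
# six packets at once, one every 20 minutes, then a long pause that refills
# the bucket. Expected: A A A A A D A D A A
limit_sim "$(limit_interval 3/hour)" 5 "0 0 0 0 0 0 1200 1200 2400 9999"
```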




The Multiport extension

The multiport extension allows several ports and port ranges to be specified in a rule.

Note

You cannot use the standard port match and the -m multiport extension (for example --sport 1024:63353 -m multiport --dport 21,23,80) at the same time. Such rules are simply rejected by iptables.

Table 10. The Multiport extension

Match: --source-port
Example: iptables -A INPUT -p tcp -m multiport --source-port 22,53,80,110
Description: Used to specify a list of source ports. Up to 15 different ports may be given with this match. The ports in the list must be separated by commas; spaces are not allowed in the list. This extension may be used only together with the -p tcp or -p udp matches. It is mainly used as an extended version of the ordinary --source-port match.
Match: --destination-port
Example: iptables -A INPUT -p tcp -m multiport --destination-port 22,53,80,110
Description: Used to specify a list of destination ports. The argument format is exactly the same as for -m multiport --source-port.
Match: --port
Example: iptables -A INPUT -p tcp -m multiport --port 22,53,80,110
Description: This match checks both the source and the destination port of the packet. The argument format is the same as for --source-port and --destination-port. Note that this match checks the ports in both directions, i.e. if you write -m multiport --port 80, the match covers packets going from port 80 to port 80.

The Mark extension

The mark extension makes it possible to "mark" packets in a special way. Mark is a special field that exists only in kernel memory and is associated with a particular packet. It may be used for a wide variety of purposes, for example traffic limiting and filtering. At present the only way to set a mark on a packet in Linux is the MARK target. The mark field is an unsigned integer in the range 0 to 4294967296 on 32-bit systems.

Table 11. The mark extension

Match: --mark
Example: iptables -t mangle -A INPUT -m mark --mark 1
Description: The match checks packets that have previously been "marked". Marks are set with the MARK target, which we will look at below. All packets passing through netfilter have a special mark field. Remember that there is no way to pass the state of this field along with the packet into the network. The mark field is an unsigned integer, so no more than 65535 different marks can be created. A mask may be used with marks; in that case the match looks like this: --mark 1/1. If a mask is given, a logical AND of the mark and the mask is performed.

The owner extension

The owner extension is intended to check the "owner" of a packet. Originally this extension was written as an example demonstrating the capabilities of iptables. This match may be used only in the OUTPUT chain. This restriction exists because at present there is no real mechanism for passing information about the "owner" over the network. To be fair, it should be noted that for some packets the "owner" cannot be determined even in this chain. Such packets include various ICMP responses. Therefore this match should not be applied to ICMP response packets.

Table 12. The owner extension

Match: --uid-owner
Example: iptables -A OUTPUT -m owner --uid-owner 500
Description: Checks the "owner" by User ID (UID). A check of this kind can be used, for example, to block Internet access for individual users.
Match: --gid-owner
Example: iptables -A OUTPUT -m owner --gid-owner 0
Description: Checks the "owner" of the packet by Group ID (GID).
Match: --pid-owner
Example: iptables -A OUTPUT -m owner --pid-owner 78
Description: Checks the "owner" of the packet by Process ID (PID). This match is rather difficult to use; for example, if we want to allow packets to the HTTP port only from a given daemon, we need to write a small script that obtains the PID of the process (at least via ps) and then substitutes the PID found into the rules. An example of using this match can be found in pid-owner.txt.
Match: --sid-owner
Example: iptables -A OUTPUT -m owner --sid-owner 100
Description: Checks the Session ID of the packet. The SID value is inherited by child processes from the "parent", so, for example, all HTTPD processes have the same SID (examples of such processes are the Apache and Roxen HTTPDs). An example of using this match can be found in sid-owner.txt. This script can be run periodically to check that the HTTPD process is present and, if it is absent, restart the "crashed" process, then flush the OUTPUT chain and enter it again.

ëÒÉÔÅÒÉÊ state

ëÒÉÔÅÒÉÊ state ÉÓÐÏÌØÚÕÅÔÓÑ ÓÏ×ÍÅÓÔÎÏ Ó ËÏÄÏÍ ÔÒÁÓÓÉÒÏ×ËÉ ÓÏÅÄÉÎÅÎÉÊ É ÐÏÚ×ÏÌÑÅÔ ÎÁÍ ÐÏÌÕÞÁÔØ ÉÎÆÏÒÍÁÃÉÀ Ï ÔÒÁÓÓÉÒÏ×ÏÞÎÏÍ ÐÒÉÚÎÁËÅ ÓÏÓÔÏÑÎÉÑ ÓÏÅÄÉÎÅÎÉÑ, ÞÔÏ ÐÏÚ×ÏÌÑÅÔ ÓÕÄÉÔØ Ï ÓÏÓÔÏÑÎÉÉ ÓÏÅÄÉÎÅÎÉÑ, ÐÒÉÞÅÍ ÄÁÖÅ ÄÌÑ ÔÁËÉÈ ÐÒÏÔÏËÏÌÏ× ËÁË ICMP É UDP. äÁÎÎÏÅ ÒÁÓÛÉÒÅÎÉÅ ÎÅÏÂÈÏÄÉÍÏ ÚÁÇÒÕÖÁÔØ Ñ×ÎÏ, Ó ÐÏÍÏÝØÀ ËÌÀÞÁ -m state. âÏÌÅÅ ÐÏÄÒÏÂÎÏ ÍÅÈÁÎÉÚÍ ÏÐÒÅÄÅÌÅÎÉÑ ÓÏÓÔÏÑÎÉÑ ÓÏÅÄÉÎÅÎÉÑ ÏÂÓÕÖÄÁÅÔÓÑ × ÒÁÚÄÅÌÅ íÅÈÁÎÉÚÍ ÏÐÒÅÄÅÌÅÎÉÑ ÓÏÓÔÏÑÎÉÑ .

ôÁÂÌÉÃÁ 13. ëÒÉÔÅÒÉÉ state

ëÒÉÔÅÒÉÊ --state
ðÒÉÍÅÒ iptables -A INPUT -m state --state RELATED,ESTABLISHED
ïÐÉÓÁÎÉÅ ðÒÏ×ÅÒÑÅÔÓÑ ÐÒÉÚÎÁË ÓÏÓÔÏÑÎÉÑ ÓÏÅÄÉÎÅÎÉÑ (state) îÁ ÓÅÇÏÄÎÑÛÎÉÊ ÄÅÎØ ÍÏÖÎÏ ÕËÁÚÙ×ÁÔØ 4 ÓÏÓÔÏÑÎÉÑ: INVALID, ESTABLISHED, NEW É RELATED. INVALID ÐÏÄÒÁÚÕÍÅ×ÁÅÔ, ÞÔÏ ÐÁËÅÔ Ó×ÑÚÁÎ Ó ÎÅÉÚ×ÅÓÔÎÙÍ ÐÏÔÏËÏÍ ÉÌÉ ÓÏÅÄÉÎÅÎÉÅÍ É, ×ÏÚÍÏÖÎÏ ÓÏÄÅÒÖÉÔ ÏÛÉÂËÕ × ÄÁÎÎÙÈ ÉÌÉ × ÚÁÇÏÌÏ×ËÅ. ESTABLISHED ÕËÁÚÙ×ÁÅÔ ÎÁ ÔÏ, ÞÔÏ ÐÁËÅÔ ÐÒÉÎÁÄÌÅÖÉÔ ÕÖÅ ÕÓÔÁÎÏ×ÌÅÎÎÏÍÕ ÓÏÅÄÉÎÅÎÉÀ ÞÅÒÅÚ ËÏÔÏÒÏÅ ÐÁËÅÔÙ ÉÄÕÔ × ÏÂÅÉÈ ÎÁÐÒÁ×ÌÅÎÉÑÈ. NEW ÐÏÄÒÁÚÕÍÅ×ÁÅÔ, ÞÔÏ ÐÁËÅÔ ÏÔËÒÙ×ÁÅÔ ÎÏ×ÏÅ ÓÏÅÄÉÎÅÎÉÅ ÉÌÉ ÐÁËÅÔ ÐÒÉÎÁÄÌÅÖÉÔ ÏÄÎÏÎÁÐÒÁ×ÌÅÎÎÏÍÕ ÐÏÔÏËÕ. é ÎÁËÏÎÅÃ, RELATED ÕËÁÚÙ×ÁÅÔ ÎÁ ÔÏ ÞÔÏ ÐÁËÅÔ ÐÒÉÎÁÄÌÅÖÉÔ ÕÖÅ ÓÕÝÅÓÔ×ÕÀÝÅÍÕ ÓÏÅÄÉÎÅÎÉÀ, ÎÏ ÐÒÉ ÜÔÏÍ ÏÎ ÏÔËÒÙ×ÁÅÔ ÎÏ×ÏÅ ÓÏÅÄÉÎÅÎÉÅ ðÒÉÍÅÒÏÍ ÔÏÍÕ ÍÏÖÅÔ ÓÌÕÖÉÔØ ÐÅÒÅÄÁÞÁ ÄÁÎÎÙÈ ÐÏ FTP, ÉÌÉ ×ÙÄÁÞÁ ÓÏÏÂÝÅÎÉÑ ICMP Ï ÏÛÉÂËÅ, ËÏÔÏÒÏÅ Ó×ÑÚÁÎÏ Ó ÓÕÝÅÓÔ×ÕÀÝÉÍ TCP ÉÌÉ UDP ÓÏÅÄÉÎÅÎÉÅÍ. úÁÍÅÞÕ, ÞÔÏ ÐÒÉÚÎÁË NEW ÜÔÏ ÎÅ ÔÏ ÖÅ ÓÁÍÏÅ, ÞÔÏ ÕÓÔÁÎÏ×ÌÅÎÎÙÊ ÂÉÔ SYN × ÐÁËÅÔÁÈ TCP, ÐÏÓÒÅÄÓÔ×ÏÍ ËÏÔÏÒÙÈ ÏÔËÒÙ×ÁÅÔÓÑ ÎÏ×ÏÅ ÓÏÅÄÉÎÅÎÉÅ, É, ÐÏÄÏÂÎÏÇÏ ÒÏÄÁ ÐÁËÅÔÙ, ÍÏÇÕÔ ÂÙÔØ ÐÏÔÅÎÃÉÁÌØÎÏ ÏÐÁÓÎÙ × ÓÌÕÞÁÅ, ËÏÇÄÁ ÄÌÑ ÚÁÝÉÔÙ ÓÅÔÉ ×Ù ÉÓÐÏÌØÚÕÅÔÅ ÏÄÉÎ ÓÅÔÅ×ÏÊ ÜËÒÁÎ. âÏÌÅÅ ÐÏÄÒÏÂÎÏ ÜÔÁ ÐÒÏÂÌÅÍÁ ÒÁÓÓÍÁÔÒÉ×ÁÅÔÓÑ ÎÉÖÅ × ÄÁÎÎÏÍ ÄÏËÕÍÅÎÔÅ ðÒÉÚÎÁË NEW × ÐÁËÅÔÁÈ ÓÏ ÓÂÒÏÛÅÎÎÙÍ ÂÉÔÏÍ SYN.

The unclean match

The unclean match takes no options; to use it you only need to load the module explicitly. Be careful: this module is still under development and may therefore behave incorrectly in some situations. The check is intended to single out packets that deviate from the accepted standards, such as packets with a damaged header or an incorrect checksum and so on; however, using this match may also break perfectly valid connections.


The TOS match

The TOS match is intended for checking the bits of the TOS field. TOS, Type Of Service, is an 8-bit field in the IP packet header. The module must be loaded explicitly with the -m tos option.

Translator's note: The description of the TOS field that follows is not taken from the original, since I find the original description somewhat vague.
This field serves the needs of packet routing. Setting any of its bits may cause a router to handle the packet differently from a packet with all TOS bits cleared. Each bit of the TOS field has its own meaning. Only one of the bits of this field may be set in a packet, so combinations are not permitted. Each bit defines a type of network service:
Minimize delay
Used when the transit time of the packet must be as short as possible, i.e. where there is a choice, the router will pick a faster link for such a packet. For example, given a choice between a fibre-optic line and a satellite link, preference goes to the faster fibre.
Maximize throughput
Indicates that the packet should be forwarded over the link with the greatest throughput. Satellite links, for instance, have a longer delay but high throughput.
Maximize reliability
The most reliable route is chosen in order to avoid having to retransmit the packet. PPP and SLIP links are an example: they are less reliable than, say, X.25 networks, so a network provider may provide a special route with increased reliability.
Minimize cost
Used when it is important to minimize the cost (in money) of transmitting the data. For instance, for transmission across an ocean (to another continent) leasing a satellite link may be cheaper than leasing a fibre-optic cable. Setting this bit may well cause the packet to take the "cheaper" route.
Normal service
Here all bits of the TOS field are cleared. Routing of such a packet is left entirely to the provider's discretion.

Table 14. The TOS match

Match: --tos
Example: iptables -A INPUT -p tcp -m tos --tos 0x16
Description: This match checks for the TOS bits described above. The field is normally used for routing, but it can equally be used to "mark" packets for use with iproute2 and advanced routing in Linux. The match takes a decimal or hexadecimal number, or the mnemonic name of a bit, as its argument; the mnemonics and their numeric values can be obtained by running iptables -m tos -h. The mnemonics and their values are:
Minimize-Delay 16 (0x10) (minimize delay),
Maximize-Throughput 8 (0x08) (maximize throughput),
Maximize-Reliability 4 (0x04) (maximize reliability),
Minimize-Cost 2 (0x02) (minimize cost),
Normal-Service 0 (0x00) (normal service).

The TTL match

TTL (Time To Live) is a numeric field in the IP header. Each time the packet passes through a router, this number is decremented by 1. If it reaches zero, an ICMP message of type 11 with code 0 (TTL equals 0 during transit) or code 1 (TTL equals 0 during reassembly) is sent back to the sender of the packet. To use this match the module must be loaded explicitly with the -m ttl option.

Translator's note: Once again some discrepancy between the original text and reality has turned up; at least for iptables 1.2.6a, which is the version actually being discussed, there are three different matches on the TTL field: -m ttl --ttl-eq number, -m ttl --ttl-lt number and -m ttl --ttl-gt number. The purpose of these matches is evident from their syntax.
Nevertheless, I still give the translation of the original:

Table 15. The TTL match

Match: --ttl
Example: iptables -A OUTPUT -m ttl --ttl 60
Description: Checks the TTL field for equality with the given value. This match can be used when debugging a local network, for example when some machine on the LAN cannot connect to a server on the Internet, or when hunting for "trojans" and so on. In general, the uses of this field are limited only by your imagination. Another example: this match can be used to find machines with a poor TCP/IP stack implementation or with errors in the OS configuration.

Targets and jumps

Targets and jumps tell the rule what to do if a packet matches the given criteria. The most commonly used targets are ACCEPT and DROP. First, however, let us briefly look at the notion of jumps.

A jump is written in a rule exactly like a target, i.e. the -j option followed by the name of the chain to jump to. Jumps are subject to several restrictions: first, the chain being jumped to must be in the same table as the chain the jump is made from; second, the target chain must have been created before any jumps to it are made. For example, let us create the chain tcp_packets in the filter table with the command iptables -N tcp_packets. We can now jump to this chain with something like iptables -A INPUT -p tcp -j tcp_packets. That is, on encountering a TCP packet, iptables jumps to the tcp_packets chain and continues passing the packet through that chain. If the packet reaches the end of the chain, it is returned to the calling chain (in our case INPUT) and traversal continues with the rule following the one that made the jump. If the packet is ACCEPTed in the nested chain, it is automatically considered accepted in the calling chain too and no longer traverses the calling chains. The packet does, however, continue through the chains of the other tables. More information about the order in which chains and tables are traversed can be found in the chapter Traversing of tables and chains.

A target is a predefined command describing the action to take if a packet matches the criteria. For example, we can apply DROP or ACCEPT to the packet, depending on our needs. There are a number of other targets, described later in this section. Some targets, such as DROP and ACCEPT, end the packet's traversal of the chain; others, such as LOG, perform some operation and then let the packet continue to be checked; and yet others, such as DNAT and SNAT, TTL and TOS, even modify the packet but likewise let it continue along the chain.


ACCEPT target

This target has no additional options. If a packet is ACCEPTed, it stops traversing the chain (and all calling chains, if the current chain was a nested one) and is considered ACCEPTED (that is, allowed through); nevertheless, the packet continues to traverse the chains of the other tables and may be rejected there. The target is specified with -j ACCEPT.


DROP target

This target simply "drops" the packet, and iptables "forgets" that it ever existed. "Dropped" packets end their traversal entirely, i.e. they are not passed on to the other tables as happens with ACCEPT. Bear in mind that this target can have negative consequences, since it may leave "dead" sockets open on both the server and the client side; the best protection is the REJECT target, especially when defending against port scans.


QUEUE target

The QUEUE target queues the packet for handling by a user-space process. It can be used for accounting, proxying or additional packet filtering.

Translator's note: Here the author goes on at length about how a discussion of this topic is well beyond the scope of this document and so forth, so, without further ado, I give here an extract from the Linux 2.4 Packet Filtering HOWTO as translated by Evgeny Danilchenko aka virii5, eugene@kriljon.ru

"...For this target to be useful, two further components are needed:

  • a "queue handler", which does the work of passing packets between the kernel and the user-space application; and
  • a user-space application that will receive, possibly process, and decide the fate of the packets.
The standard queue handler for IPv4 is the ip_queue module, which ships with the kernel and is marked experimental. Below is an example of how iptables can be used to pass packets to a user-space application:
# modprobe iptable_filter
# modprobe ip_queue
# iptables -A OUTPUT -p icmp -j QUEUE
With this rule, locally generated ICMP packets (such as those produced by, say, the ping command) are passed to the ip_queue module, which then tries to hand them to a user-space application. If no such application is found, the packets are dropped. To write a user-space packet handling program, use the libipq API. It is distributed with the iptables package. Examples can be found in the testsuite tools (e.g. redirect.c) in CVS. The status of ip_queue can be checked with: /proc/net/ip_queue. The maximum queue length (i.e. the number of packets handed to the user-space application without acknowledgement of their handling) can be controlled with: /proc/sys/net/ipv4/ip_queue_maxlen. By default the maximum queue length is 1024. Once this limit is reached, new packets are dropped until the queue falls back below the limit. Well-behaved protocols such as TCP interpret dropped packets as congestion of the transmission link and cope with it successfully (as far as I remember, the packet is simply resent by the remote side; translator's note). However, some experimentation may be needed to determine the optimal queue length in each particular case if the default queue is too small..."

RETURN target

The RETURN target ends the packet's traversal of the current chain and returns to the calling chain if the current chain was a nested one; if the current chain is a top-level one (such as INPUT), the chain's default policy is applied to the packet. Usually the default policy is set to ACCEPT or DROP.

For example, suppose a packet travels along the INPUT chain and meets a rule that jumps to a nested chain, --jump EXAMPLE_CHAIN. Then, in EXAMPLE_CHAIN, the packet meets a rule with --jump RETURN. The packet is then returned to the INPUT chain. Another example: suppose the packet meets a rule with --jump RETURN in the INPUT chain itself. Then the default policy of the INPUT chain is applied to the packet.


LOG target

LOG is a target that serves to log individual packets and events. IP packet headers and other information of interest can be written to the log. The logged information can then be read with dmesg or syslogd, or with other programs. It is an excellent tool for debugging your rules. It is a good idea, while debugging your rules, to use LOG instead of DROP in order to make sure that your firewall really works flawlessly. Note also the ULOG target, whose capabilities will probably interest you, since it allows the logged information to be written not to the system log but to a MySQL database and the like.

Note: if you have problems with writing to the system log, the problem lies not with iptables or netfilter but with syslogd. For information on configuring syslogd see man syslog.conf.

LOG has five options, listed below.

Table 17. LOG target options

Option: --log-level
Example: iptables -A FORWARD -p tcp -j LOG --log-level debug
Description: Used to set the logging level (log level). The full list of levels can be found in the syslog.conf manual page. Normally the following levels can be given: debug, info, notice, warning, warn, err, error, crit, alert, emerg and panic. The keyword error means the same as err, warn the same as warning, and panic the same as emerg. Important: of these three pairs, error, warn and panic should not be used. The priority determines how messages are written to the log. All messages are logged through the kernel facility. If you put the line kern.=info /var/log/iptables in syslog.conf, all your iptables messages that use the info level will be written to /var/log/iptables; however, other messages from other subsystems that use the info level will end up in this file too. For more information on syslog and syslog.conf I recommend the manpages and HOWTOs.
Option: --log-prefix
Example: iptables -A INPUT -p tcp -j LOG --log-prefix "INPUT packets"
Description: This option sets the text (prefix) with which all iptables messages will begin. Messages with a specific prefix can then easily be found, for example with grep. The prefix may be up to 29 characters long, including spaces.
Option: --log-tcp-sequence
Example: iptables -A INPUT -p tcp -j LOG --log-tcp-sequence
Description: This option logs the TCP sequence number of the packet. The TCP sequence number identifies each packet in the stream and determines the order in which the stream is "reassembled". This option is a potential security risk if the system log is readable by all users, as is any other log containing iptables messages.
Option: --log-tcp-options
Example: iptables -A FORWARD -p tcp -j LOG --log-tcp-options
Description: This option logs various information from the TCP header of the packet. This can be useful for debugging. The option takes no additional parameters, like most of the LOG target's options.
Option: --log-ip-options
Example: iptables -A FORWARD -p tcp -j LOG --log-ip-options
Description: This option logs various information from the IP header of the packet. It is much like --log-tcp-options but works only with the IP header.
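Reading these log lines back is where the prefix earns its keep. Below is an added example, not code from the tutorial or the netfilter project: a parser for the lines the LOG target writes through syslog (IN=/OUT=/SRC=/DST= fields, flag words, the SEQ= and OPT fields added by --log-tcp-sequence and --log-tcp-options), a per-prefix count, and a check for one source sending SYN-only packets to many ports. The log lines are constructed; one real detail they reproduce is that the prefix is printed immediately before "IN=", so the constructed prefixes end with a space to keep the two apart.

```python
# Added example (not from the tutorial): parse LOG target output and run two
# defender-side checks over it. Sample lines are constructed.
from collections import Counter, defaultdict

SAMPLE_LOG = """\
Jun  3 12:00:01 fw kernel: INPUT packets IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:c0:00:08:08:00 SRC=198.51.100.23 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=21345 DF PROTO=TCP SPT=41234 DPT=22 SEQ=1836459823 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A0000000000000001030307)
Jun  3 12:00:01 fw kernel: INPUT packets IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:c0:00:08:08:00 SRC=198.51.100.23 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=21346 DF PROTO=TCP SPT=41235 DPT=23 SEQ=1836459824 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0
Jun  3 12:00:02 fw kernel: INPUT packets IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:c0:00:08:08:00 SRC=198.51.100.23 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=21347 DF PROTO=TCP SPT=41236 DPT=25 SEQ=1836459825 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0
Jun  3 12:00:05 fw kernel: FORWARD drop IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.9 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=1
Jun  3 12:00:09 fw kernel: INPUT packets IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:c0:00:08:08:00 SRC=203.0.113.77 DST=192.168.1.1 LEN=52 TOS=0x00 PREC=0x00 TTL=57 ID=9001 DF PROTO=UDP SPT=53 DPT=33434 LEN=32
Jun  3 12:00:10 fw sshd[1234]: Accepted publickey for admin from 192.168.1.50 port 50022
"""

# Bare words the LOG target prints for IP and TCP flags (no "=" after them).
FLAG_WORDS = {"DF", "MF", "CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}

def parse_log_line(line):
    """Split one LOG line into (prefix, fields, flags); None for lines that are
    not LOG output. Duplicate keys (the ICMP ID= after the IP ID=, the UDP LEN=
    after the IP LEN=) keep the first, IP-level value."""
    _, sep, rest = line.partition("kernel: ")
    if not sep or "IN=" not in rest:
        return None
    prefix, rest = rest.split("IN=", 1)      # everything before IN= is the --log-prefix text
    tokens = ("IN=" + rest).split()
    fields, flags = {}, set()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "OPT" and i + 1 < len(tokens):  # --log-tcp-options / --log-ip-options: "OPT (hex)"
            fields.setdefault("OPT", tokens[i + 1].strip("()"))
            i += 2
            continue
        key, eq, value = tok.partition("=")
        if eq:
            fields.setdefault(key, value)
        elif tok in FLAG_WORDS:
            flags.add(tok)
        i += 1
    return prefix, fields, flags

def count_by_prefix(log_text):
    """Messages per --log-prefix: the grep-by-prefix the text describes, in code."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_log_line(line)
        if parsed:
            counts[parsed[0].strip()] += 1
    return dict(counts)

def syn_probe_sources(log_text, min_ports=3):
    """Sources whose logged TCP packets are SYN-only and hit at least min_ports
    distinct destination ports: the pattern a LOG rule on unsolicited SYNs exposes."""
    ports = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_log_line(line)
        if not parsed:
            continue
        _, f, flags = parsed
        if f.get("PROTO") == "TCP" and "SYN" in flags and "ACK" not in flags:
            ports[f["SRC"]].add(f["DPT"])
    return sorted(src for src, p in ports.items() if len(p) >= min_ports)
```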

MARK target

Used to set marks on particular packets. This target can only be used within the mangle table. Marking is normally used for routing packets along different routes, for traffic limiting and so on. For more information see the LARTC HOWTO. Remember that a packet's "mark" exists only until the packet leaves the firewall, i.e. the mark is not transmitted over the network. If you need to mark packets so that the marking can be used on another machine, you can try manipulating the bits of the TOS field.

Table 18. MARK target options

Option: --set-mark
Example: iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-mark 2
Description: The --set-mark option sets a mark on the packet. --set-mark must be followed by an unsigned integer.

REJECT target

REJECT is generally used in the same situations as DROP, but unlike DROP, REJECT sends an error message back to the host that sent the packet. The REJECT target currently "works" only in the INPUT, FORWARD and OUTPUT chains (and in chains called from them). There is so far only one option controlling the behaviour of REJECT.

Table 19. The REJECT target

Option: --reject-with
Example: iptables -A FORWARD -p TCP --dport 22 -j REJECT --reject-with tcp-reset
Description: Specifies which message to send in reply if the packet matches the criteria. When REJECT is applied to a packet, the specified reply is first sent to the originating host and the packet is then "dropped". The following reply types may be used: icmp-net-unreachable, icmp-host-unreachable, icmp-port-unreachable, icmp-proto-unreachable, icmp-net-prohibited and icmp-host-prohibited. The default is port-unreachable. All of the above reply types are ICMP error messages. More information on ICMP message types can be found in the appendix ICMP types. Finally, there is one more reply type, tcp-reset, which is used only for the TCP protocol. If tcp-reset is given, REJECT replies with a TCP RST packet; TCP RST packets are used to close TCP connections. For more information see RFC 793 - Transmission Control Protocol. (The list of ICMP reply types and their aliases can be obtained with the command iptables -j REJECT -h; translator's note.)

TOS target

The TOS target is used to set bits in the Type of Service field of the IP header. The TOS field is 8 bits wide and is used for routing packets. It is one of several fields used by iproute2. It is also important to remember that this field may be processed by various routers in order to choose the route the packet takes. As noted above, this field, unlike MARK, keeps its value as the packet travels across the network, and can therefore be used by you for routing the packet. Today most routers on the Internet do not process this field at all, but there are some that do look at it. If you use this field for your own purposes, such routers may make wrong routing decisions, so it is best to use the field for your own purposes only within your own WAN or LAN.

Caution

The TOS target accepts only the predefined numeric values and mnemonics, which you can find in linux/ip.h. If you really need to set arbitrary values in the TOS field, you can use the FTOS patch by Matthew G. Marsh. Be extremely careful with this patch, however. Non-standard TOS values should not be used except in very special situations.

Note

This target may only be used within the mangle table.

Note

In some older versions of iptables (1.2.2 and below) this target is implemented with a bug (the packet checksum is not corrected), which breaks the protocol exchange, and as a result such connections do not work.

The TOS target has only one option, described below.

Table 20. The TOS target

Option: --set-tos
Example: iptables -t mangle -A PREROUTING -p TCP --dport 22 -j TOS --set-tos 0x10
Description: The --set-tos option gives a numeric value in decimal or hexadecimal form. Since the TOS field is 8 bits wide, you can specify a number from 0 to 255 (0x00 - 0xFF). However, most values of this field are not used at all. It is quite possible that the numeric values will change in future TCP/IP implementations, so, to avoid mistakes, it is better to use the mnemonic names: Minimize-Delay (16 or 0x10), Maximize-Throughput (8 or 0x08), Maximize-Reliability (4 or 0x04), Minimize-Cost (2 or 0x02) or Normal-Service (0 or 0x00). By default most packets carry Normal-Service, or 0. The list of mnemonics can be obtained by running iptables -j TOS -h.

MIRROR target

The MIRROR target should be used only for experiments and demonstration purposes, since it can lead to packet "loops" and consequently to a "Denial of Service". MIRROR swaps the source and destination fields of the packet (invert the source and destination fields) and sends the packet back out to the network. Using this target can have quite amusing results; it is probably rather entertaining to watch a "kewl hacker" trying to "break into" his own computer!

This target may only be used in the INPUT, FORWARD and PREROUTING chains, and in chains called from these three. Packets sent out by MIRROR are not filtered, tracked or NATed again, which avoids "loops" and other trouble. This does not mean, however, that the target is free of problems. Imagine, for example, that a host using MIRROR receives a forged packet with a TTL of 255, addressed to that same host, and the packet matches the "mirroring" rule. The packet is "reflected" back to the same host, and since there is only 1 hop between "receiver" and "sender", the packet bounces back and forth 255 times. Not bad for a cracker: with a packet size of 1500 bytes we would lose up to 380 KB of traffic!


SNAT target

SNAT is used for Source Network Address Translation, i.e. changing the source IP address in the IP header of the packet. For example, this target can be used to give other computers on a LAN access to the Internet while having only one unique IP address. To do this, you need to enable packet forwarding in the kernel and then create rules that translate the source IP addresses of our LAN into the real external address. As a result, the outside world knows nothing about our LAN; it believes the requests came from our firewall.

SNAT may only be performed in the nat table, in the POSTROUTING chain. In other words, this is the only place where source address translation is allowed. If the first packet of a connection has had its source address translated, all subsequent packets of the same connection are translated automatically and do not pass through this rule chain.

Table 21. The SNAT target

Option: --to-source
Example: iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 194.236.50.155-194.236.50.160:1024-32000
Description: The --to-source option specifies the address to assign to the packet. Simply put, you give the IP address that will be substituted into the packet header as the source. If you intend to balance load between several firewalls, you can give an address range, with the first and last addresses of the range separated by a hyphen, for example 194.236.50.155-194.236.50.160. The specific IP address is then chosen at random from the range for each new stream. Additionally, a range of ports can be given that will be used solely for SNAT. All source ports are then remapped into the given range. iptables tries to avoid remapping ports where possible, but this is not always possible, and then remapping is performed. If no port range is given, source ports below 512 are remapped within the range 0-511, ports 512-1023 within 512-1023, and finally ports 1024-65535 within 1024-65535. Destination ports are not remapped.

DNAT target

DNAT (Destination Network Address Translation) is used to change the destination address in the IP header of the packet. If a packet matches a rule performing DNAT, that packet and all subsequent packets of the same stream have their destination address translated and are passed on to the required device, host or network. This target can, for instance, be used successfully to provide access to your web server located on the LAN without a real IP address. To do this you build a rule that intercepts packets going to the HTTP port of the firewall and, by performing DNAT, passes them on to the local address of the web server. A range of addresses may also be given for this target, in which case the destination address for each new stream is chosen at random.

The DNAT target may only be used in the PREROUTING and OUTPUT chains of the nat table, and in sub-chains called from them.

Table 22. The DNAT target

Option: --to-destination
Example: iptables -t nat -A PREROUTING -p tcp -d 15.45.23.67 --dport 80 -j DNAT --to-destination 192.168.1.1-192.168.1.10
Description: The --to-destination option specifies which IP address to substitute as the destination address. In the example above, all packets arriving for the address 15.45.23.67 have their destination address changed to one from the range 192.168.1.1 to 192.168.1.10. As already noted, all packets of one stream are directed to the same address, while for each new stream one of the addresses in the given range is chosen at random. A single IP address may also be given. A port or port range to which traffic is redirected may additionally be given. To do this, append the port to the IP address after a colon, for example --to-destination 192.168.1.1:80; a port range looks like this: --to-destination 192.168.1.1:80-100. As you can see, the syntax of DNAT and SNAT is much alike. Remember that ports may only be given when working with the TCP or UDP protocol, with the --protocol option present in the match.

The DNAT target is rather tricky to use and needs some further explanation. Consider a simple example. We have a web server and want to allow access to it from the Internet. We have only one real IP address, and the web server is located on the LAN. The real IP address $INET_IP is assigned to the firewall, the HTTP server has the local address $HTTP_IP and, finally, the firewall has the local address $LAN_IP. To begin with, let us add a simple rule to the PREROUTING chain of the nat table.

iptables -t nat -A PREROUTING --dst $INET_IP --dport 80 -j DNAT --to-destination $HTTP_IP

According to this rule, all packets arriving at port 80 of the address $INET_IP are redirected to our internal web server. If we now access the web server from the Internet, everything works fine. But what happens if we try to connect to it from the LAN? The connection simply does not get established. Let us look at how packets from the Internet to our web server are routed. For simplicity, let the address of the client on the Internet be $EXT_BOX.
  1. The packet leaves the client host $EXT_BOX and heads for $INET_IP.
  2. The packet arrives at our firewall.
  3. The firewall, according to the rule above, replaces the destination address and passes the packet on to the other chains.
  4. The packet is passed on to $HTTP_IP.
  5. The packet reaches the HTTP server, and the server sends its reply through the firewall, provided the firewall is listed in its routing table as the gateway for $EXT_BOX. Normally it is set as the default gateway for the HTTP server.
  6. The firewall reverses the address translation in the packet, so that now everything looks as if the packet had been generated on the firewall.
  7. The packet is delivered to the client $EXT_BOX.

Now let us see what happens when the request is sent from a host on the same LAN. For simplicity, let the address of the LAN client be $LAN_BOX.
  1. The packet leaves $LAN_BOX.
  2. It arrives at the firewall.
  3. The destination address is translated, but the sender's address is not, i.e. the original source address stays in the packet unchanged.
  4. The packet leaves the firewall and is sent to the HTTP server.
  5. The HTTP server, preparing to send its reply, finds that the client is on the LAN (since the request packet carried the original IP address, which has now become the destination address) and therefore sends the packet directly to $LAN_BOX.
  6. The packet arrives at $LAN_BOX. The client is confused, since the reply came from a different host than the one the request was sent to. The client therefore "drops" the reply packet and keeps waiting for the "real" reply.

The problem is solved quite simply with SNAT. Below is a rule that does this. The rule forces the HTTP server to send its replies to our firewall, which then passes them on to the client.

iptables -t nat -A POSTROUTING --dst $HTTP_IP --dport 80 -j SNAT --to-source $LAN_IP

Remember that the POSTROUTING chain is processed last of all, and by then the packet has already undergone DNAT, so the match is built on the destination address $HTTP_IP.

If you think we can stop here, you are mistaken! Imagine the situation where the firewall itself acts as the client. Then, unfortunately, the packets are delivered to local port 80 of the firewall itself rather than to $HTTP_IP. To solve this problem as well, we add the rule

iptables -t nat -A OUTPUT --dst $INET_IP --dport 80 -j DNAT --to-destination $HTTP_IP

Now there should be no further problems with access to our web server.
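To make the three cases concrete, here is an added simulation (my code, not the tutorial's) of the nat table with just the three rules above. The addresses are constructed placeholders for the $INET_IP, $LAN_IP, $HTTP_IP, $EXT_BOX and $LAN_BOX variables, and the model assumes the web server replies directly to any address on its own subnet and through the firewall (its default gateway) otherwise.

```python
# Added example (not from the tutorial): replay the DNAT/SNAT walkthrough above
# with a toy nat table. Addresses are constructed (RFC 5737 ranges), standing in
# for the shell variables used in the text.
from dataclasses import dataclass, replace

INET_IP = "203.0.113.1"    # $INET_IP: firewall, public side
LAN_IP = "192.168.1.1"     # $LAN_IP: firewall, LAN side
HTTP_IP = "192.168.1.80"   # $HTTP_IP: web server on the LAN
EXT_BOX = "198.51.100.7"   # $EXT_BOX: client on the Internet
LAN_BOX = "192.168.1.50"   # $LAN_BOX: client on the LAN
LAN_PREFIX = "192.168.1."

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    """One nat rule: its chain, the --dst/--dport match, DNAT (rewrites dst)
    or SNAT (rewrites src), and the address to substitute."""
    chain: str
    dst: str
    dport: int
    target: str
    to: str

# The three rules from the text, in the order the text introduces them.
PREROUTING_DNAT = Rule("PREROUTING", INET_IP, 80, "DNAT", HTTP_IP)
POSTROUTING_SNAT = Rule("POSTROUTING", HTTP_IP, 80, "SNAT", LAN_IP)
OUTPUT_DNAT = Rule("OUTPUT", INET_IP, 80, "DNAT", HTTP_IP)

class NatFirewall:
    def __init__(self, rules):
        self.rules = rules
        self.conntrack = {}  # reply-direction tuple -> original request, for undoing NAT

    def _chain(self, chain, pkt):
        for r in self.rules:
            if r.chain == chain and (pkt.dst, pkt.dport) == (r.dst, r.dport):
                return replace(pkt, dst=r.to) if r.target == "DNAT" else replace(pkt, src=r.to)
        return pkt

    def _nat(self, first_chain, pkt):
        orig = pkt
        pkt = self._chain(first_chain, pkt)      # PREROUTING or OUTPUT: DNAT happens first...
        pkt = self._chain("POSTROUTING", pkt)    # ...so POSTROUTING already sees dst == HTTP_IP
        self.conntrack[(pkt.dst, pkt.dport, pkt.src, pkt.sport)] = orig
        return pkt

    def forward(self, pkt):  # packet arriving from the network
        return self._nat("PREROUTING", pkt)

    def output(self, pkt):   # packet generated on the firewall itself
        return self._nat("OUTPUT", pkt)

    def reply(self, pkt):
        """Undo both translations for a reply passing back through the firewall."""
        orig = self.conntrack.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return pkt if orig is None else replace(pkt, src=orig.dst, dst=orig.src)

def fetch(client, fw):
    """client connects to INET_IP:80 through fw. Returns (who answered, the client
    address the web server saw, the reply's source as seen by the client, accepted?).
    The client accepts the reply only if it comes from the address it asked."""
    req = Pkt(client, 40000, INET_IP, 80)
    req = fw.output(req) if client == LAN_IP else fw.forward(req)
    if req.dst != HTTP_IP:
        # No DNAT applied: the firewall's own port 80 answers (the OUTPUT case in the text).
        return "firewall", None, INET_IP, True
    rep = Pkt(HTTP_IP, 80, req.src, req.sport)
    # A client on the server's own LAN is answered directly and the firewall never
    # sees the reply; a reply to the firewall itself or to the Internet goes through it.
    if not (rep.dst.startswith(LAN_PREFIX) and rep.dst != LAN_IP):
        rep = fw.reply(rep)
    return "webserver", req.src, rep.src, rep.src == INET_IP
```

What the test also shows: the SNAT rule as written matches every packet to $HTTP_IP:80, so the web server sees $LAN_IP as the client address for Internet clients too and its own logs lose the real source.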


MASQUERADE target

Masquerading (MASQUERADE) is essentially the same as SNAT, except that it has no --to-source option. The reason is that masquerading is meant to work, for example, with a dialup connection or DHCP, i.e. in cases where the IP address is assigned to the device dynamically. If you have a dynamic connection, you should use masquerading; if you have a static IP connection, SNAT is unquestionably the better choice.

Masquerading means taking the IP address from the given network interface instead of specifying it directly, as is done with the --to-source option of SNAT. The MASQUERADE target has the useful property of "forgetting" connections when the network interface goes down. With SNAT, in that situation, data about the lost connections stays in the connection tracking table and may remain there for up to a day, consuming valuable memory. The "forgetfulness" is due to the fact that when a network interface with a dynamic IP address goes down, there is a chance of getting a different IP address the next time it comes up, in which case any connections would be lost anyway, and it would be foolish to keep the tracking information.

As you have probably realised, MASQUERADE can be used instead of SNAT even if you have a permanent IP address; however, despite its positive features, masquerading should not be considered preferable in that case, since it puts a higher load on the system.

The MASQUERADE target may only be specified in the POSTROUTING chain of the nat table, just like SNAT. MASQUERADE has one option, described below, whose use is optional.

Table 23. The MASQUERADE target

Option: --to-ports
Example: iptables -t nat -A POSTROUTING -p TCP -j MASQUERADE --to-ports 1024-31000
Description: The --to-ports option is used to specify the source port or range of source ports of the outgoing packet. A single port can be given, e.g. --to-ports 1025, or a range, as in --to-ports 1024-3000. This option may only be used in rules whose match explicitly specifies the TCP or UDP protocol with the --protocol option.

REDIRECT target

Redirects packets and streams to another port on the same machine. For example, packets arriving at the HTTP port can be redirected to the port of an HTTP proxy. The REDIRECT target is very convenient for "transparent" proxying (transparent proxying), where the machines on the LAN are not even aware of the proxy's existence.

REDIRECT may only be used in the PREROUTING and OUTPUT chains of the nat table. And of course the target may also be used in sub-chains called from those. REDIRECT has only one option.

Table 24. The REDIRECT target

Option: --to-ports
Example: iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
Description: The --to-ports option specifies the destination port or port range. Without --to-ports no redirection takes place, i.e. the packet goes to the port it was addressed to. In the example above, --to-ports 8080 gives a single destination port. If a range of ports is needed, we write something like --to-ports 8080-8090. This option may only be used in rules whose match explicitly specifies the TCP or UDP protocol with the --protocol option.

TTL target

The TTL target is used to change the contents of the Time To Live field in the IP header. One possible application of this target is to set the Time To Live field of ALL outgoing packets to one and the same value. What for? There are some ISPs who very much dislike several computers sharing one connection; if we start setting the same TTL on all packets, we deprive the ISP of one of its criteria for detecting that an Internet connection is being shared by several machines. An example value would be TTL = 64, which is the default for the Linux kernel.

For more information on setting the default value, see ip-sysctl.txt, which you will find in the appendix Other resources and links.

The TTL target may only be used in the mangle table and nowhere else. The target has 3 options, described below.

Table 25. TTL target

Option: --ttl-set
Example: iptables -t mangle -A PREROUTING -i eth0 -j TTL --ttl-set 64
Description: Sets the TTL field to the given value. A value around 64 is considered optimal: not too much and not too little. Do not set too large a value, it can have unpleasant consequences for your network. Imagine a packet "looping" between two misconfigured routers; with large TTL values there is a risk of "losing" a significant share of the link's bandwidth.

Option: --ttl-dec
Example: iptables -t mangle -A PREROUTING -i eth0 -j TTL --ttl-dec 1
Description: Decrements the TTL field by the given number. For example, if an incoming packet has a TTL of 53 and we apply --ttl-dec 3, the packet leaves our host with a TTL of 49. Do not forget that the network code automatically decrements the TTL by 1, so in fact we get 53 - 3 - 1 = 49. IF ANYONE CAN GIVE AN EXAMPLE OF A PRACTICALLY USEFUL APPLICATION OF THIS OPTION, LET ME KNOW!

Option: --ttl-inc
Example: iptables -t mangle -A PREROUTING -i eth0 -j TTL --ttl-inc 1
Description: Increments the TTL field by the given number. Taking the previous example, if a packet arrives with TTL = 53, then after --ttl-inc 4 it leaves our host with TTL = 56; remember the automatic decrement by the kernel's network code, so in fact we get 53 + 4 - 1 = 56. Incrementing the TTL can be used to make our firewall less "visible" to traceroutes. Traceroute programs are loved for the valuable information they give when hunting down network problems, and hated for the very same reason, since that information can be used by crackers for unsavoury purposes. You will find a usage example in ttl-inc.txt.

ULOG target

The ULOG target provides logging of packets to user space. It replaces the traditional LOG target, which is based on the system log. With this target the packet is passed over netlink sockets to a dedicated daemon that can do very detailed logging in various formats (plain text file, MySQL database, etc.) and moreover supports add-ons (plugins) for producing different output formats and for handling network protocols. The user-space part, ulogd, is available from the ULOGD project home page.

Table 26. ULOG target

Option: --ulog-nlgroup
Example: iptables -A INPUT -p TCP --dport 22 -j ULOG --ulog-nlgroup 2
Description: The --ulog-nlgroup option tells ULOG which netlink group the packet should be sent to. There are 32 groups in total (1 to 32). If you want to send the packet to group 5, simply specify --ulog-nlgroup 5. The default is group 1.

Option: --ulog-prefix
Example: iptables -A INPUT -p TCP --dport 22 -j ULOG --ulog-prefix "SSH connection attempt: "
Description: The --ulog-prefix option has the same meaning as the corresponding option of the LOG target. The prefix string may not be longer than 32 characters.

Option: --ulog-cprange
Example: iptables -A INPUT -p TCP --dport 22 -j ULOG --ulog-cprange 100
Description: The --ulog-cprange option specifies how much of the packet, in bytes, is copied to the ULOG daemon. If you give 100, as in the example, only 100 bytes of the packet are passed to the daemon, which means the daemon receives the packet header and some part of the packet's data. If you give 0, the whole packet is passed regardless of its size. The default value is 0.

Option: --ulog-qthreshold
Example: iptables -A INPUT -p TCP --dport 22 -j ULOG --ulog-qthreshold 10
Description: The --ulog-qthreshold option sets the size of a buffer inside the kernel. For example, with a buffer size of 10, as in the example, the kernel accumulates logged packets in an internal buffer and passes them to user space in batches of 10 packets. The default buffer size is 1, for backward compatibility with early versions of ulogd that could not accept batches of packets.


The rc.firewall file

In this chapter we look at firewall configuration using the rc.firewall.txt script as an example. We will take each basic setting in turn and see how it works and what it does. This may give you ideas for solving your own tasks. To run this script you will need to change it so that it works with your network configuration; in most cases it is enough to change only the variables.

Note

Note that there are more efficient ways of writing rule sets; however, I went for better readability of the script, so that everyone can understand it without deep knowledge of the BASH shell.


Example rc.firewall

So, everything is ready for going through the example file rc.firewall.txt (the script is included in this document in the appendix Example scripts). It is fairly large, but only because of the large number of comments. I suggest you now look through the file to get an idea of its contents and then come back here for more detailed explanations.


Explanation of the rc.firewall script

Configuration

The first part of rc.firewall.txt is the configuration section. This is where the firewall's basic settings, which depend on your network configuration, are set. For example, the IP addresses almost certainly have to be changed to your own. The $INET_IP variable must contain your real IP address; if you connect to the Internet via DHCP, you should look at the rc.DHCP.firewall.txt script instead. Likewise, $INET_IFACE must name the device through which you connect to the Internet. This could be, for example, eth0, eth1, ppp0, tr0 and so on.

This script contains no settings specific to DHCP or PPPoE, so those sections are left empty. The same goes for the other "empty" sections. This is deliberate, so that you can see the differences between the scripts more clearly. If you need to fill in these sections, you can take them from the other scripts or write your own.

The Local Area Network section should contain the settings matching your local network's configuration. You must specify the firewall's local IP address, the interface connected to the local network, the subnet mask and the broadcast address.

Next comes the Localhost Configuration section, which you will hardly ever need to change. This section specifies the local interface lo and the local IP address 127.0.0.1. The Localhost Configuration section is followed by the Iptables Configuration section. Here the $IPTABLES variable is created, holding the path to the iptables binary (/usr/local/sbin/iptables). If you installed iptables from source, your path to iptables may differ somewhat from the one in the script, but in most distributions iptables is located exactly there.


Loading extra modules

First, /sbin/depmod -a is run to check module dependencies, after which the modules needed by the script are loaded. Try to load only the modules you actually need in your scripts.

Caution

In my scripts I forcibly load all the required modules, to avoid failures. If an error occurs while loading a module there can be many reasons, but the main one is that the module in question was compiled statically into the kernel. For more information see the section Problems loading modules.

The next section lists a number of modules that are not used in this script but are listed as examples. For instance, the ipt_owner module, which can be used to allow network access from your machine only to a particular set of users, thereby raising the level of security. For the ipt_owner matches, see the Owner match extension in the chapter How a rule is built.

We can load extra modules for "state" matching. All modules that extend state matching are named ip_conntrack_* and ip_nat_*. These modules perform connection tracking for specific protocols. For example, the FTP protocol is a complex protocol by definition: it sends connection information inside the data area of the packet. So if a host on our local network sends, through a firewall that performs address translation, a connection request to an FTP server on the Internet, the host's local IP address is carried inside the packet. And since IP addresses reserved for local networks are considered invalid on the Internet, the server will not know what to do with this request, and as a result the connection will not be established. The FTP NAT helper module does all the necessary address rewriting, so the FTP server actually receives a connection request on behalf of our external IP address and can establish the connection. The same happens when using DCC for file transfers and chats. Setting up connections of this type requires passing an IP address and port over the IRC protocol, which also goes through network address translation on the firewall. Without the special helper modules, the FTP and IRC protocols work rather questionably. For example, you can receive files via DCC but cannot send them. This is because of how DCC "starts" a connection. You tell the receiving host that you want to send a file and where it should connect. Without the DCC helper module, the connection looks as if we demanded that the external receiver connect to a host on our local network; simply put, such a connection will be "dropped". With the helper module everything works fine, because the receiver is given the correct IP address to connect to.

For more information on the conntrack and nat modules, see the appendix Common problems and questions. Also do not forget the documentation included in the iptables package. To get these extra features you will need to install patch-o-matic and rebuild the kernel. How to do this is explained above in the chapter Preparations.

Note

Note that you only need to load the ip_nat_irc and ip_nat_ftp modules if you want Network Address Translation to work correctly with the FTP and IRC protocols. You also need to load the ip_conntrack_irc and ip_conntrack_ftp modules before the NAT modules.


proc set-up

Here we turn on packet forwarding (IP forwarding) by writing a one to /proc/sys/net/ipv4/ip_forward like this:

echo "1" > /proc/sys/net/ipv4/ip_forward

Caution

It is probably worth thinking about where and when to turn on IP forwarding. In this and the other scripts in this tutorial we enable forwarding before we create any iptables rules. From the moment forwarding starts until the moment the necessary rules are in place, with our arrangement, anything from a few milliseconds to minutes may pass, depending on how much work the script does and how fast the particular computer is. Clearly this leaves a window of time in which an attacker could get through the firewall. Therefore, in a real deployment forwarding should be enabled only after the whole rule set has been created. I put the enabling of forwarding at the beginning solely for readability.

If you need dynamic IP support (when using SLIP, PPP or DHCP) you can uncomment the line:
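The ordering the Caution above recommends, as an added example that is not the tutorial's rc.firewall: forwarding is switched off before the first rule, the DROP policies come before any ACCEPT, every step aborts the load on failure, and forwarding is switched on only after the last rule. IPTABLES defaults to "echo iptables" (dry run) and IP_FORWARD defaults to a scratch file so the block runs without root; on a real firewall the path is /proc/sys/net/ipv4/ip_forward. The interface names eth0/eth1 are assumptions.

```shell
#!/bin/sh
# Added example, not the tutorial's rc.firewall: bring the ruleset up with
# forwarding switched off, and switch it on only after the last rule loaded.
# IPTABLES defaults to a dry run ("echo iptables"); IP_FORWARD defaults to
# a scratch file so the block runs without root (the real path is
# /proc/sys/net/ipv4/ip_forward). Interface names are assumptions.
IPTABLES="${IPTABLES:-echo iptables}"
IP_FORWARD="${IP_FORWARD:-${TMPDIR:-/tmp}/ip_forward.example}"
LAN_IFACE="${LAN_IFACE:-eth1}"
INET_IFACE="${INET_IFACE:-eth0}"

# set_forwarding 0|1: write the flag and report what was written.
set_forwarding() {
    echo "$1" > "$IP_FORWARD" && echo "ip_forward=$1"
}

# load_ruleset: every step returns non-zero on failure, so a broken rule
# leaves the box with forwarding off and DROP policies rather than half open.
load_ruleset() {
    # 1. Close the routing path before touching any rule.
    set_forwarding 0 || return 1
    # 2. Default policies first: whatever happens next, unmatched traffic is dropped.
    $IPTABLES -P INPUT DROP   || return 1
    $IPTABLES -P OUTPUT DROP  || return 1
    $IPTABLES -P FORWARD DROP || return 1
    # 3. The rules: LAN out, replies back in, source NAT on the Internet side.
    $IPTABLES -A FORWARD -i "$LAN_IFACE" -o "$INET_IFACE" -j ACCEPT || return 1
    $IPTABLES -A FORWARD -i "$INET_IFACE" -o "$LAN_IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT || return 1
    $IPTABLES -t nat -A POSTROUTING -o "$INET_IFACE" -j MASQUERADE || return 1
    # 4. Only now open the routing path.
    set_forwarding 1
}

load_ruleset
```

Run it as root with IPTABLES=/usr/local/sbin/iptables and IP_FORWARD=/proc/sys/net/ipv4/ip_forward to apply it for real; with the defaults it only prints what it would do, which is a convenient way to review a ruleset before loading it.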

echo "1" > /proc/sys/net/ipv4/ip_dynaddr

If you need to enable any other options, consult the relevant documentation for those options. A good, concise document on the /proc filesystem ships with the kernel. Links to other documents can be found in the appendix Other resources and links.

Note

The rc.firewall.txt script and all the other scripts in this tutorial contain a small section of non-required proc settings. However tempting these options may look, do not enable them until you are sure you understand clearly what they do.


Displacement of rules to different chains

Here we talk about user-defined chains, in particular the user-defined chains created in the rc.firewall.txt script. My way of splitting rules across extra chains may turn out to be unsuitable in one particular case or another. I hope I can show you the possible "pitfalls". This section is closely related to the chapter Traversing of tables and chains, and it would do no harm to look through it once more, if only briefly.

By distributing the rule set across user-defined chains I saved processor time without losing system security or script readability. Instead of passing TCP packets through the entire rule set (including the ICMP and UDP rules), I simply pick out the TCP packets and pass them through a user-defined chain meant specifically for TCP packets, which reduces the load on the system. The next picture shows schematically how packets traverse netfilter. In fact, this picture looks somewhat limited compared with the diagram in the chapter Traversing of tables and chains.

The main purpose of the picture is to refresh our memory. Overall, this example script is based on the assumption that we have one local network, one firewall and a single Internet connection with a static IP address (as opposed to PPP, SLIP, DHCP and the like). It is also assumed that access to Internet services goes through the firewall, that we fully trust our local network and therefore are not going to block traffic originating from it, whereas the Internet cannot be considered a trusted network, so access to our local network from outside has to be restricted. We will proceed from the principle "everything not explicitly allowed is forbidden". To enforce the latter restriction we set the default policy to DROP. This cuts off any connection that is not explicitly allowed.

Now let us look at what we need to do and how.

To begin with, we allow connections from the local network to the Internet. For this we need to perform Network Address Translation (NAT). This is done in the PREROUTING chain (I believe the author simply made a slip here, since in the script itself it is the POSTROUTING chain that is filled in, and we already know that SNAT is done in the POSTROUTING chain of the nat table. Translator's note.), which is filled in last in our script. Some filtering in the FORWARD chain is also implied. If we fully trust our local network, letting all its traffic out to the Internet, that does not mean we trust the Internet, and consequently we must restrict access to our computers from outside. In our case we let packets into our network only for an already established connection, or for a new connection opened within an existing one (ESTABLISHED and RELATED).

As for the firewall machine itself, the services exposed to the Internet must be kept to a minimum. Accordingly, we allow only HTTP, FTP, SSH and IDENTD access to the firewall. We consider these protocols acceptable in the INPUT chain, so we also need to allow the "reply" traffic in the OUTPUT chain. Since we assume a trust relationship with the local network, we add rules for the local network's address range, and at the same time for the local network interface and the loopback IP address (127.0.0.1). As mentioned above, there are address ranges reserved specifically for local networks; on the Internet these addresses are considered invalid and are generally not routed. Therefore we too forbid any traffic from the Internet whose source address belongs to the local-network ranges. Finally, read the chapter Common problems and questions.

Since we run an FTP server, the rules serving connections to that server should preferably be placed at the beginning of the INPUT chain, thereby reducing the load on the system. In general, you have to understand that the fewer rules a packet passes through, the more processor time is saved and the lower the load on the system. With this in mind I split the rule set into extra chains.

In our example I grouped packets by the protocol they belong to. A separate chain of rules is created for each protocol type, for example tcp_packets, which holds the rules checking all allowed TCP ports and protocols. A further chain may be created for an additional check of packets that have passed through one chain. In our case that is the allowed chain. This chain performs additional checks on certain properties of TCP packets before the final decision to accept is made. ICMP packets go through the icmp_packets chain. Here we simply accept all ICMP packets with the given message types. And finally the UDP packets. They go through the udpincoming_packets chain, which handles incoming UDP packets. If they belong to allowed services, they are accepted without any further checking.

Since we are considering a relatively small network, our firewall is also used as a workstation, so we make Internet connections possible from the firewall itself as well.

And in conclusion, about the OUTPUT chain. We do not apply any user-specific blocks, but we do not want anyone to use our firewall to send "spoofed" packets onto the network, so we set up rules that let through only packets with our address on the local network, our loopback address (127.0.0.1) and our address on the Internet. Packets from these addresses pass the OUTPUT chain; all others (most likely spoofed) are cut off by the default DROP policy.


Setting up default policies

Before we start creating the rule set, we have to decide on the chains' default policies. A default policy is set with a command like the one below

iptables -P <chain name> <policy>

The default policy is the action applied to a packet that did not match any rule in the chain. (A small clarification: the iptables -P command applies ONLY TO THE BUILT-IN chains, i.e. INPUT, FORWARD, OUTPUT and so on, and cannot be applied to user-defined chains. Translator's note.)


Setting up user-defined chains in the filter table

By now you probably have a picture in front of you of how packets move through the various chains and how those chains interact! You should already have a clear idea of the goals and purpose of this script. Let us start creating the chains and the rule sets for them.

First of all the extra chains must be created with the -N command. Immediately after creation the chains contain no rules at all. In our example we create the chains icmp_packets, tcp_packets, udpincoming_packets and the allowed chain, which is called from tcp_packets. Incoming packets from the $INET_IFACE interface (i.e. from the Internet) using the ICMP protocol are sent to the icmp_packets chain, TCP packets are sent to the tcp_packets chain, and incoming UDP packets from the eth0 interface go to the udpincoming_packets chain.


The bad_tcp_packets chain

This chain is meant for filtering out packets with "bad" headers and for solving a number of other problems. Here we filter out all packets that are recognised as NEW but are not SYN packets. This chain can be used to protect against intrusion and port scanning. A rule for discarding packets in the INVALID state has also been added here.


The allowed chain

A TCP packet coming from the $INET_IFACE interface enters the tcp_packets chain; if the packet is headed for an allowed port, an additional check is then performed.

The first rule checks whether the packet is a SYN packet, i.e. a connection request. Such a packet we consider acceptable and accept it. The next rule accepts all packets in the ESTABLISHED or RELATED state. When a connection is initiated by a SYN packet and a positive reply has been sent to that request, the connection gets the ESTABLISHED state. The last rule in this chain drops all remaining TCP packets. This rule catches packets from non-existent connections and packets without the SYN bit set that are trying to start a connection. Non-SYN packets are practically never used to start a connection, except in port scans. As far as I know, there is currently no TCP/IP implementation that supports opening a connection other than by sending a SYN packet, so one can be 99% sure that the dropped packets were sent by a port scanner.


The TCP chain

So we have come to TCP connections. Here we specify which ports may be reachable from the Internet. Even when a packet has passed the check here, we still pass every packet on to the allowed chain for an additional check.

I opened TCP port 21, the FTP control port. Further, I allow all RELATED connections, thereby allowing PASSIVE FTP, provided the ip_conntrack_ftp module has been loaded. If you need to forbid FTP connections, you will have to unload the ip_conntrack_ftp module and remove the line $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed from the rc.firewall.txt script.

Port 22 is SSH, which is far more secure than telnet on port 23. If you ever decide to give shell access to anyone at all from the Internet, it is certainly better to use SSH. However, I would point out that it is generally considered bad form to give anyone but yourself access to the firewall. Your firewall should run only the services that are really needed, and no more.

Port 80 is the HTTP port, in other words a web server; remove this rule if you have no web server.

And finally port 113, responsible for the IDENTD service and used by some protocols such as IRC and others.


The UDP chain

UDP packets go from the INPUT chain into the udpincoming_packets chain. As with TCP packets, here they are checked for acceptability by destination port number.

The port open for UDP packets is port 53, where DNS "lives". If we want to use symbolic host names rather than IP addresses, we naturally have to let the domain name service work.

I personally allow port 123, used by NTP (network time protocol). This service is normally used to obtain very accurate time from time servers on the Internet.

Port 2074 is used by some multimedia applications, like speak freely, which are used for real-time voice transmission.

And finally ICQ, on port 4000. This is a widely known protocol used by ICQ applications; I suppose I need not explain to you what it is.


The ICMP chain

Here the decision to accept ICMP packets is made. If a packet arrives from eth0 into the INPUT chain, it is then sent to the icmp_packets chain. In this chain the ICMP message type is checked. Only ICMP Echo Reply, Destination Unreachable, Redirect and Time Exceeded are accepted.

My reasoning when making this decision is as follows: ICMP Echo Reply packets come back when, for example, you ping another host on the network; if we forbid this message, we lose the ability to use ping.

Destination Unreachable arrives if some host is unreachable; for example, when making an HTTP request to an unreachable host, the last router that could not find a route to the host returns a Destination Unreachable message to us. That way we do not have to wait for our browser's timeout to expire, which by default is fairly long, 60 seconds or more.

Time Exceeded. As a packet travels across the network, the TTL field in its header is decremented by 1 at each router. As soon as the TTL field reaches zero, the router sends a Time Exceeded message. For example, when you traceroute some host, the TTL field is set to 1; at the very first router it becomes zero and a Time Exceeded message comes back to us; then we set TTL = 2 and the second router sends us Time Exceeded, and so on until we get a reply from the host itself.

For a list of ICMP message types, see the appendix. More information on ICMP can be found in the following documents:

Be careful when blocking ICMP packets; I may be wrong in blocking some of them, and it may turn out that this is unacceptable for you.


The INPUT chain

The INPUT chain, as I already wrote, uses other chains to do the bulk of the work, thereby reducing the load on the packet filter. The effect of this way of organising the rules is more noticeable on slow machines, which otherwise start "losing" packets under heavy load.

With the very first rule we try to discard the "bad" packets. For more information, see the appendix regarding packets in the NEW state without the SYN bit set. In some special situations such packets may be considered acceptable, but in 99% of cases it is better to "stop" them. Therefore such packets are written to the system log (logged) and "dropped".

Next, all ICMP packets arriving in the INPUT chain from the $INET_IFACE interface, in my case eth0, are sent to the icmp_packets chain, which we looked at earlier. With the next rule all TCP packets from the $INET_IFACE interface are passed to the tcp_packets chain. And finally all UDP packets are sent to the udpincoming_packets chain.

At the end we let through everything that comes from our $LOCALHOST_IP address, which is normally 127.0.0.1, everything from the $LAN_IP address, which in my case is 192.168.0.2, and at the same time everything from the local network, $LAN_IP_RANGE, which for me is 192.168.0.0/24. I accept everything coming from my own external IP address that is in the ESTABLISHED or RELATED state. Broadcast traffic from the local network is also considered acceptable; some applications, for example Samba, depend on broadcast messages and cannot do their job without them.

With the last rule, before the default policy is applied to all packets not explicitly accepted in the INPUT chain, the traffic is logged, in case we need to find the cause of some problem. At the same time we give this rule a limit on the number of logged packets, no more than 3 per minute, to keep the log from growing excessively.

Everything that was not explicitly accepted in the INPUT chain is subjected to DROP, since that is the action assigned as the default policy.
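The sections from "Setting up user-defined chains" down to the INPUT chain describe one layout; the block below is an added example, not the tutorial's rc.firewall.txt, that builds that layout end to end: the bad_tcp_packets, allowed, tcp_packets, udpincoming_packets and icmp_packets chains, and an INPUT chain that only dispatches to them and ends with a rate-limited LOG before the DROP policy. IPTABLES defaults to "echo iptables", so with no arguments it prints the rules instead of loading them. The interface name, LAN range, open ports and ICMP types are assumptions to be trimmed to what you actually run.

```shell
#!/bin/sh
# Added example, not the tutorial's rc.firewall.txt: the user-defined chain
# layout described in the text, built in dry-run mode. Set IPTABLES to the
# real binary (as root) to load it. Interface, range and ports are assumptions.
IPTABLES="${IPTABLES:-echo iptables}"
INET_IFACE="${INET_IFACE:-eth0}"
LAN_IP_RANGE="${LAN_IP_RANGE:-192.168.0.0/24}"

# Ports reachable from the Internet (the tutorial's choices; remove what you do not run).
TCP_ALLOWED_PORTS="21 22 80 113"
UDP_ALLOWED_PORTS="53 123"
# ICMP types accepted: 0 echo-reply, 3 destination-unreachable, 11 time-exceeded.
ICMP_ALLOWED_TYPES="0 3 11"

build_filter_chains() {
    for chain in bad_tcp_packets allowed tcp_packets udpincoming_packets icmp_packets; do
        $IPTABLES -N "$chain" || return 1
    done

    # bad_tcp_packets: a NEW connection that does not start with SYN is a scan
    # or a broken stack; INVALID is anything conntrack cannot classify.
    $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn: " || return 1
    $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP || return 1
    $IPTABLES -A bad_tcp_packets -m state --state INVALID -j DROP || return 1

    # allowed: second-stage check for TCP packets that hit an open port.
    $IPTABLES -A allowed -p tcp --syn -j ACCEPT || return 1
    $IPTABLES -A allowed -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT || return 1
    $IPTABLES -A allowed -p tcp -j DROP || return 1

    # Per-protocol chains: TCP goes on to allowed, UDP and ICMP are accepted directly.
    for port in $TCP_ALLOWED_PORTS; do
        $IPTABLES -A tcp_packets -p tcp --dport "$port" -j allowed || return 1
    done
    for port in $UDP_ALLOWED_PORTS; do
        $IPTABLES -A udpincoming_packets -p udp --dport "$port" -j ACCEPT || return 1
    done
    for type in $ICMP_ALLOWED_TYPES; do
        $IPTABLES -A icmp_packets -p icmp --icmp-type "$type" -j ACCEPT || return 1
    done

    # INPUT only dispatches: bad packets first, then the per-protocol chains
    # for the Internet side, then trusted sources, then a rate-limited log
    # of whatever is about to hit the DROP policy.
    $IPTABLES -A INPUT -p tcp -j bad_tcp_packets || return 1
    $IPTABLES -A INPUT -p icmp -i "$INET_IFACE" -j icmp_packets || return 1
    $IPTABLES -A INPUT -p tcp -i "$INET_IFACE" -j tcp_packets || return 1
    $IPTABLES -A INPUT -p udp -i "$INET_IFACE" -j udpincoming_packets || return 1
    $IPTABLES -A INPUT -i lo -j ACCEPT || return 1
    $IPTABLES -A INPUT -s "$LAN_IP_RANGE" -j ACCEPT || return 1
    $IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-prefix "INPUT dropped: " || return 1
}

build_filter_chains
```

ICMP Redirect (type 5), which the text lists as accepted, is deliberately left out here: accepting it from the Internet lets any remote sender alter the host's routing decisions, and nothing on a firewall needs it. In the dry run the shell strips the quotes around the log prefixes; when IPTABLES points at the real binary each prefix is passed as a single argument.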


The OUTPUT chain

As I mentioned earlier, in my case the computer is used as a firewall and as a workstation at the same time. So I let everything leave my host that has the source address $LOCALHOST_IP, $LAN_IP or $STATIC_IP. This is done to protect against traffic that some not-so-nice person on my machine might spoof. On top of that, I log the "dropped" packets, for troubleshooting or for detecting spoofed packets. To all packets that matched none of the rules the default policy, DROP, is applied.


The FORWARD chain

As usual, we allow packets from the local network through without restriction with the rule.

/usr/local/sbin/iptables -A FORWARD -i $LAN_IFACE -j ACCEPT

Naturally, the reply packets must be let back into the local network, so with the next rule we accept everything in the ESTABLISHED or RELATED state, i.e. we accept packets belonging to a connection established FROM the local network. And before all unacceptable packets are dropped by the default policy, we log the traffic with a limit of 3 entries per minute.


The PREROUTING chain of the nat table

Here network address translation is performed before the packets reach the INPUT or FORWARD chain. Once again I want to remind you that this chain is not meant for any kind of filtering, only for address translation, because only the first packet of a stream enters this chain.

To begin with, we cut off all packets with obviously wrong source addresses, such as addresses from the ranges reserved for local networks: 192.168.x.x, 10.x.x.x or 172.16.x.x. A similar rule can be used in the opposite direction, dropping all packets that do not belong to our local network.
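The paragraph before last says the nat PREROUTING chain sees only the first packet of a stream, which is exactly why the spoof check placed there cannot catch later packets. The block below is an added example, not from the tutorial: it puts the same private-range checks, and the reverse check on the LAN side the text mentions, into the filter table's INPUT and FORWARD chains, where every packet is inspected. IPTABLES defaults to "echo iptables" (dry run); the interface names and the LAN range are assumptions, and PRIVATE_RANGES are the RFC 1918 blocks plus loopback.

```shell
#!/bin/sh
# Added example (not from the tutorial): anti-spoofing rules in the filter
# table, where every packet is checked, rather than in nat PREROUTING,
# which only sees the first packet of a stream. Interface names and the
# LAN range are assumptions; PRIVATE_RANGES are RFC 1918 plus loopback.
IPTABLES="${IPTABLES:-echo iptables}"
INET_IFACE="${INET_IFACE:-eth0}"
LAN_IFACE="${LAN_IFACE:-eth1}"
LAN_IP_RANGE="${LAN_IP_RANGE:-192.168.0.0/24}"
PRIVATE_RANGES="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8"

antispoof_rules() {
    # Inbound from the Internet: a private or loopback source cannot be genuine.
    for net in $PRIVATE_RANGES; do
        for chain in INPUT FORWARD; do
            $IPTABLES -A "$chain" -i "$INET_IFACE" -s "$net" -j DROP || return 1
        done
    done
    # The reverse check: anything arriving on the LAN interface without a
    # LAN source address is spoofed by, or misrouted through, a LAN host.
    for chain in INPUT FORWARD; do
        $IPTABLES -A "$chain" -i "$LAN_IFACE" ! -s "$LAN_IP_RANGE" -j DROP || return 1
    done
}

antispoof_rules
```

These rules must be appended before any ACCEPT rule in INPUT and FORWARD, otherwise a spoofed packet that matches an earlier ACCEPT never reaches them.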


Starting the Network Address Translation

And the final section: setting up SNAT. At least for me. First of all we add a rule to the nat table, in the POSTROUTING chain, which rewrites the source address of all packets going out through the interface connected to the Internet. For me that is eth0. A number of variables are defined in the script that can be used to configure the script automatically. Besides, using variables improves the readability of scripts. The -t option gives the table name, in this case nat. The -A command Adds a new rule to the POSTROUTING chain, the -o $INET_IFACE match specifies the outgoing interface, and at the end of the rule we specify the action on the packet, SNAT. Thus all packets matching the given criteria are "masqueraded", i.e. they look as if they were sent from our host. Do not forget to give the --to-source option with the appropriate IP address for outgoing packets.

In this script I use SNAT instead of MASQUERADE for a number of reasons. First, this script is assumed to run on a host with a static IP address. Second, SNAT is faster and more efficient. Of course, if you do not have a static IP address, you should use the MASQUERADE target, which provides a simpler way of address translation, since it determines automatically the IP address assigned to the given interface. However, compared with SNAT, this target needs somewhat more computing resources, though not significantly. If you need an example of MASQUERADE in action, see the rc.DHCP.firewall.txt script.


ðÒÉÍÅÒÙ ÓÃÅÎÁÒÉÅ×

ãÅÌØ ÜÔÏÊ ÇÌÁ×Ù ÓÏÓÔÏÉÔ × ÔÏÍ, ÞÔÏÂÙ ÄÁÔØ ËÒÁÔËÏÅ ÏÐÉÓÁÎÉÅ ËÁÖÄÏÇÏ ÓÃÅÎÁÒÉÑ, × ÜÔÏÍ ÒÕËÏ×ÏÄÓÔ×Å. üÔÉ ÓÃÅÎÁÒÉÉ ÎÅ ÓÏ×ÅÒÛÅÎÎÙ, É ÏÎÉ ÎÅ ÍÏÇÕÔ ÐÏÌÎÏÓÔØÀ ÓÏÏÔ×ÅÔÓÔ×Ï×ÁÔØ ×ÁÛÉÍ ÎÕÖÄÁÍ. üÔÏ ÏÚÎÁÞÁÅÔ, ÞÔÏ ×Ù ÄÏÌÖÎÙ ÓÁÍÉ "ÐÏÄÏÇÎÁÔØ" ÜÔÉ ÓÃÅÎÁÒÉÉ ÐÏÄ ÓÅÂÑ. ðÏÓÌÅÄÕÀÝÁÑ ÞÁÓÔØ ÒÕËÏ×ÏÄÓÔ×Á ÐÒÉÚ×ÁÎÁ ÏÂÌÅÇÞÉÔØ ×ÁÍ ÜÔÕ ÐÏÄÇÏÎËÕ.


Structure of the rc.firewall.txt file

All scripts described in this tutorial share a common structure. This was done so that the scripts are as similar to one another as possible, which makes it easier to spot the differences between them. This structure is described fairly well in this chapter. Here I hope to give you an understanding of why all the scripts were written the way they are and why I chose this particular structure.

Note

Note that this structure may be far from optimal for your scripts. It was chosen only to explain my line of thought more clearly.


Structure

This is the structure that all scripts in this tutorial follow. If you find that this is not the case, it is most likely my mistake, unless of course I have explained why I broke the structure.

  1. Configuration - First of all we must set the configuration parameters for the script. In most cases the configuration parameters should be the first thing described in any script.

    1. Internet - This is the configuration section describing the Internet connection. It may be omitted if you are not connected to the Internet. Note that there may be more subsections than are listed here, but only those describing our Internet connection.

      1. DHCP - If there are DHCP-specific settings, they are added here.

      2. PPPoE - Settings for a PPPoE connection are described here.

    2. LAN - If there is any LOCAL NETWORK behind the firewall, the parameters relating to it are given here. Most likely this section will almost always be present.

    3. DMZ - The DMZ configuration is added here. Most scripts will not have this section, since any normal home network or small local network will not have one. (DMZ - de-militarized zone. Most likely the author means by this a small subnet that holds servers such as DNS, MAIL, WEB and so on, and no user workstations at all. Translator's note.)

    4. Localhost - These parameters belong to our firewall itself (localhost). In your case these variables are unlikely to change, but I created them nonetheless. Hopefully you will have no reason to change them.

    5. iptables - This section contains information about iptables. In most scripts a single variable giving the path to iptables will be enough.

    6. Other - Here go any other settings that do not belong to any of the sections above.

  2. Module loading - This section of the scripts holds the list of modules. The first part should contain the required modules, while the second part should contain the non-required modules.

    Note

    Note that some modules providing additional features may be listed even though they are not required. Usually the example script points this out in such cases.

    1. Required modules - This section should contain the modules the script needs in order to work.

    2. Non-required modules - This section contains modules that are not required for the script to work normally. All of them should be commented out. If you need them, simply uncomment them.

  3. proc configuration - This section takes care of configuring the /proc file system. If these settings are required, they will be listed; if not, they should be commented out by default and marked as non-required. Most of the useful /proc settings will be listed in the examples, but by no means all of them.

    1. Required proc configuration - This section should contain all the /proc settings the script requires. These may be settings needed for the protection to work at all, or ones that add special capabilities for the administrator or users.

    2. Non-required proc configuration - This section should contain non-required /proc settings that may prove useful later. All of them should be commented out, since they are not actually required for the script to work. This list will contain far from all the /proc settings.

  4. rules set up - By this point the script is usually ready to insert the rule sets. I have split all the rules up by table and chain. Any user-defined chains must be created before we can use them. I list the chains and their rule sets in the same order in which the iptables -L command prints them.

    1. Filter table - First of all we go through the filter table. To begin with, the default policies in the table have to be set.

      1. Set policies - Setting the default policies for the built-in chains. Usually I set DROP for the chains in the filter table and then allow the flows that originate from the inside. That way we get rid of everything we do not want.

      2. Create user specified chains - In this section all the user-defined chains we will use later within this table are created. We cannot use these chains until we have created them.

      3. Create content in user specified chains - Once the user-defined chains are created, we can fill them with rules. The only reason the rules for user-defined chains are defined here is their closeness to the commands that create those chains. You may well place the rules elsewhere in your script.

      4. INPUT chain - In this section the rules for the INPUT chain are added.

        Note

        As already mentioned, I tried to follow the order that appears in the output of iptables -L. There is no serious reason to keep to this structure, but do try to avoid mixing data from different tables and chains, since such a rule set becomes much harder to read and to search for possible problems.

      5. FORWARD chain - Here we add the rules to the FORWARD chain.

      6. OUTPUT chain - The very last chain filled in the filter table is the OUTPUT chain.

    2. nat table - After the filter table we move on to the nat table. This is done for several reasons. First of all, the NAT machinery should not be started at an early stage, while packets can still pass unrestricted (that is, when NAT is already enabled but there is not a single filtering rule yet). Also, I regard the nat table as a kind of layer lying outside the filter table. The filter table is something of a core, while nat is a shell around that core, and the mangle table can be regarded as a shell around the nat table. This may not be entirely correct, but it is not far from reality.

    3. Set policies - First of all we set all the default policies within the nat table. Usually I set ACCEPT. This table should not be used for filtering, and we should not DROP packets here. There are a number of unpleasant side effects that occur in such cases because of our assumptions. I let all packets through in these chains, since I see no reason not to.

    4. Create user specified chains - Here all user-defined chains for the nat table are created. Usually I have none, but I added this section just in case. Note that user-defined chains must be created before they are actually used.

    5. Create content in user specified chains - Adding the rules to the user-defined chains of the nat table. The rules are placed here on the same principle as in the filter table. I add them here because I see no reason to move them elsewhere.

    6. PREROUTING chain - The PREROUTING chain is used for DNAT. In most scripts DNAT is not used, or is at least commented out, so as not to "open the gates" to our local network too widely. In some scripts this rule is enabled, because the sole purpose of those scripts is to provide services that are impossible without DNAT.

    7. POSTROUTING chain - The POSTROUTING chain is used by the scripts I wrote, since in most cases there are one or more local networks we want to connect to the Internet through the firewall. Mostly we will use SNAT, but in some cases we are forced to use MASQUERADE.

    8. OUTPUT chain - The OUTPUT chain is hardly used at all in any of the scripts. So far I have found no serious grounds for using this chain. If you use it, drop me a few lines and I will make the corresponding changes to this tutorial.

  5. mangle table - The mangle table is the last table on the packets' path. Usually I do not use this table at all, since there is normally no need for anything like changing the TTL field or the TOS field and so on. In other words, I left this section empty in most scripts, with a few exceptions where I added some examples of using this table.

    1. Set policies - Here the default policies are set. The same restrictions apply here as for the nat table. The table should not be used for filtering, and therefore you should avoid doing so. I did not set any policy for the chains in the mangle table in any of the scripts, and you should do the same.

    2. Create user specified chains - The user-defined chains are created. Since I do not use the mangle table in the scripts, I did not create any user-defined chains. This section was added just in case, however.

    3. Create content in user specified chains - If you created any user-defined chains within this table, you can fill them with rules here.

    4. PREROUTING - At this point there is only a mention of the chain.

    5. INPUT chain - At this point there is only a mention of the chain.

    6. FORWARD chain - At this point there is only a mention of the chain.

    7. OUTPUT chain - At this point there is only a mention of the chain.

    8. POSTROUTING chain - At this point there is only a mention of the chain.

I hope I have explained in enough detail how each script is structured and why they are structured this way.

Caution

Note that these descriptions are extremely brief and are only a short explanation of why the scripts have this structure. I do not claim to hold the ultimate truth, nor that this is the only or the best way.


rc.firewall.txt

The rc.firewall.txt script is the core on which the rest of the scripts are based. The chapter rc.firewall file describes the script in fair detail. The script is written for a home network where you have one LOCAL NETWORK and one Internet connection. It also assumes that you have a static IP address, and hence do not use DHCP, PPP, SLIP or any other protocol that assigns the IP dynamically. Otherwise take the rc.DHCP.firewall.txt script as your starting point.

The script requires the following options to be compiled into the kernel, either statically or as modules. Without any one of them the script will not work.

  • CONFIG_PACKET
  • CONFIG_NETFILTER
  • CONFIG_IP_NF_CONNTRACK
  • CONFIG_IP_NF_IPTABLES
  • CONFIG_IP_NF_MATCH_LIMIT
  • CONFIG_IP_NF_MATCH_STATE
  • CONFIG_IP_NF_FILTER
  • CONFIG_IP_NF_NAT
  • CONFIG_IP_NF_TARGET_LOG



rc.DMZ.firewall.txt

The script requires the following options to be compiled into the kernel, either statically or as modules. Without any one of them the script will not work.

  • CONFIG_PACKET
  • CONFIG_NETFILTER
  • CONFIG_IP_NF_CONNTRACK
  • CONFIG_IP_NF_IPTABLES
  • CONFIG_IP_NF_MATCH_LIMIT
  • CONFIG_IP_NF_MATCH_STATE
  • CONFIG_IP_NF_FILTER
  • CONFIG_IP_NF_NAT
  • CONFIG_IP_NF_TARGET_LOG


The rc.DMZ.firewall.txt script was written for those who have a trusted local network, one "Demilitarized Zone" and one Internet connection. To reach the servers in the Demilitarized Zone from the outside, one-to-one NAT is used, that is, you have to make the firewall recognise packets for more than one IP address.

The script works with two internal networks, as shown in the figure. One uses the IP range 192.168.0.0/24 and is the Trusted Internal Network. The other uses the range 192.168.1.0/24 and is called the Demilitarized Zone (DMZ), for which we will perform one-to-one address translation (NAT). For example, if someone on the Internet sends a packet to our DNS_IP, we perform DNAT, which replaces the destination address with the local address of the DNS server in the DMZ. If DNAT were not performed, the DNS server could not receive the query, since its address is DMZ_DNS_IP and not DNS_IP. The translation is done by the following rule.

$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $DNS_IP --dport 53 -j DNAT --to-destination $DMZ_DNS_IP

To begin with, let me remind you that DNAT can only be done in the PREROUTING chain of the nat table. According to this rule, the packet must arrive over TCP on $INET_IFACE with a destination IP matching our $DNS_IP, and be directed at port 53. If such a packet is seen, the destination address is rewritten, i.e. DNAT is performed. The DNAT target is given the replacement address with the --to-destination $DMZ_DNS_IP option. When the reply packet comes back through the firewall, the kernel's network code automatically changes the sender address from $DMZ_DNS_IP to $DNS_IP; in other words the reverse translation of addresses is done automatically and needs no additional rules.

By now you should understand how DNAT works well enough to make your way through the text of the script on your own without any problems. If anything remains unclear to you and it was not covered in this document, let me know; it is probably my mistake.
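As an added example (not the tutorial's rc.DMZ.firewall.txt), the publishing step above written as a reusable shell function: the DNAT rule the text explains, plus the FORWARD rule the translated packet still has to pass when the filter table runs a DROP policy. It goes beyond the page's TCP-only rule by taking the protocol as an argument so DNS can be published over UDP too; DMZ_IFACE, the addresses and the recorder standing in for iptables are assumptions.

```shell
#!/bin/sh
# Added example, not the tutorial's rc.DMZ.firewall.txt. Publishes one DMZ
# service as the text describes (DNAT in nat PREROUTING) and adds the
# FORWARD rule the translated packet still has to pass when the filter table
# runs a DROP policy. Assumed: DMZ_IFACE and the addresses are placeholders;
# $IPTABLES is a recorder so the block runs where no netfilter is present.

INET_IFACE=eth0
DMZ_IFACE=eth2            # assumed name for the DMZ-side interface
DNS_IP=203.0.113.53       # public address the outside world uses
DMZ_DNS_IP=192.168.1.2    # the server's real address in the DMZ
IPTABLES=record_iptables  # set to /sbin/iptables to apply for real

RECORDED=""
record_iptables() { RECORDED="${RECORDED}iptables $*
"; }

# dmz_publish PROTO PUBLIC_IP DMZ_IP PORT
# 1) rewrite the destination on the way in (only the first packet of a
#    connection passes nat; replies are un-translated automatically);
# 2) let exactly that service through FORWARD, matched on the address the
#    packet carries *after* DNAT, i.e. the DMZ address, not the public one.
#    The usual ESTABLISHED,RELATED accept in FORWARD is assumed to exist.
dmz_publish() {
    proto=$1; public_ip=$2; dmz_ip=$3; port=$4
    case $proto in
        tcp|udp) ;;
        *) echo "unsupported protocol: $proto" >&2; return 1 ;;
    esac
    $IPTABLES -t nat -A PREROUTING -p $proto -i "$INET_IFACE" -d "$public_ip" --dport "$port" \
        -j DNAT --to-destination "$dmz_ip"
    $IPTABLES -A FORWARD -p $proto -i "$INET_IFACE" -o "$DMZ_IFACE" -d "$dmz_ip" --dport "$port" \
        -m state --state NEW -j ACCEPT
}

# DNS needs both transports; the page's rule covers TCP only.
publish_dmz_dns() {
    dmz_publish udp "$DNS_IP" "$DMZ_DNS_IP" 53 &&
    dmz_publish tcp "$DNS_IP" "$DMZ_DNS_IP" 53
}

publish_dmz_dns && printf '%s' "$RECORDED"
```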


rc.DHCP.firewall.txt

The script requires the following options to be compiled into the kernel, either statically or as modules. Without any one of them the script will not work.

  • CONFIG_PACKET
  • CONFIG_NETFILTER
  • CONFIG_IP_NF_CONNTRACK
  • CONFIG_IP_NF_IPTABLES
  • CONFIG_IP_NF_MATCH_LIMIT
  • CONFIG_IP_NF_MATCH_STATE
  • CONFIG_IP_NF_FILTER
  • CONFIG_IP_NF_NAT
  • CONFIG_IP_NF_TARGET_MASQUERADE
  • CONFIG_IP_NF_TARGET_LOG


The rc.DHCP.firewall.txt script is very similar to the original rc.firewall.txt. However, this script no longer uses the STATIC_IP variable, which is the main difference from the original rc.firewall.txt. The reason is that rc.firewall.txt will not work with a dynamic IP address. The changes compared to the original are minimal. This script will be useful for DHCP, PPP and SLIP connections to the Internet.

The main difference in this script is that the STATIC_IP variable and all references to it have been removed. The INET_IFACE variable is used instead. In other words, -d $STATIC_IP is replaced with -i $INET_IFACE. That is really all that needs to be changed.
(Note that here the author means the INET_IP variable when he writes STATIC_IP. Translator's note.)

We can no longer put rules like this one into the INPUT chain: --in-interface $LAN_IFACE --dst $INET_IP. This in turn forces us to build rules based only on the network interface. For example, suppose an HTTP server is running on the firewall. If we land on the main page, which contains a static link back to the same server running under a dynamic address, we can run into quite a few problems. The host, which is behind NAT, will look up the IP address of the HTTP server via DNS and then try to reach that IP. If the firewall filters on interface and IP address, the host will not get a reply, since the INPUT chain filters out such a request. (Most likely the author means the rc.firewall.txt script. Translator's note.) The same is true in some cases when we have a static IP address, but then it can be worked around with rules that match packets coming from the LAN interface to our INET_IP and ACCEPT them.

After all of the above, the idea of writing a script that handles a dynamic IP may not seem so bad. For example, one could write a script that obtains the IP address via ifconfig and substitutes it into the text of the script (where the corresponding variable is defined) that "brings up" the Internet connection. The excellent site linuxguruz.org has a huge collection of scripts available for download. You will find a link to linuxguruz.org in Links to other resources.

Note

This script is less secure than rc.firewall.txt. I strongly recommend that you use the rc.firewall.txt script if at all possible, since rc.DHCP.firewall.txt is more open to attacks from the outside.

You could also add something like this to your scripts:

INET_IP=`ifconfig $INET_IFACE | grep inet | cut -d : -f 2 | cut -d ' ' -f 1`

The command above obtains the dynamic IP from the interface, but this approach has serious drawbacks, described below.

  1. If the script is run from another script which in turn is run by the PPP daemon, this can "hang" all already established connections, because of the rules that drop packets in state NEW without the SYN bit set (see State NEW packets but no SYN bit set). The problem can of course be solved by removing those rules, but that solution is rather questionable from a security standpoint.

  2. Suppose you have a set of static rules; it is rather crude to keep erasing and adding rules all the time, and it also risks damaging the existing ones. For example, if you want to block hosts on your LAN to connect to the firewall, but at the same time operate a script from the PPP daemon, how would you do it without erasing your already active rules blocking the LAN?

  3. It can lead to needless complication, which in turn weakens the protection. The simpler the script, the easier it is to maintain.
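As an added example (not code from the tutorial or its scripts), one way to address the second drawback above: parse the address from ifconfig output and keep only the address-dependent rules in a dedicated user chain, so a PPP or DHCP hook can rebuild that chain without flushing the static INPUT rules that block the LAN. The 2.4-era ifconfig output format, the interface names and the recorder standing in for iptables are assumptions.

```shell
#!/bin/sh
# Added example, not part of the tutorial or its scripts.
# (1) a tolerant parser for the address ifconfig reports on the Internet
# interface and (2) address-dependent rules kept in one user chain so a
# PPP/DHCP hook can rebuild them without flushing INPUT.
# Assumed: net-tools style ifconfig output ("inet addr:" lines); interface
# names are placeholders; iptables is reached through $IPTABLES so the block
# can run in record-only mode where no netfilter is present.

INET_IFACE=ppp0            # assumed interface names
LAN_IFACE=eth1
IPTABLES=record_iptables   # set to /sbin/iptables to apply for real

RECORDED=""
record_iptables() { RECORDED="${RECORDED}iptables $*
"; }

# Read ifconfig output on stdin and print the first IPv4 address found.
# Accepts both "inet addr:A.B.C.D" (old net-tools) and "inet A.B.C.D"
# (newer net-tools) spellings; "inet6" lines never match because a space
# or ':' must follow "inet".
inet_ip_from_ifconfig() {
    sed -n -e 's/^[[:space:]]*inet addr:\([0-9.]*\).*/\1/p' \
           -e 's/^[[:space:]]*inet \([0-9.]*\).*/\1/p' | head -n 1
}

# Rebuild only the chain whose rules mention the current public address.
# Static INPUT rules (for instance those blocking the LAN) are never flushed;
# INPUT keeps a single jump into this chain, re-inserted idempotently.
rebuild_dynamic_ip_rules() {
    inet_ip=$1
    [ -n "$inet_ip" ] || { echo "no IPv4 address on $INET_IFACE" >&2; return 1; }
    $IPTABLES -N dyn_inet 2>/dev/null || true   # create on first run only
    $IPTABLES -F dyn_inet                        # drop the stale address rules
    # LAN hosts talking to the firewall's own public address (the case the
    # text says can no longer be expressed once INET_IP became dynamic).
    $IPTABLES -A dyn_inet -i "$LAN_IFACE" -d "$inet_ip" -m state --state NEW -j ACCEPT
    # Delete-then-insert keeps exactly one jump at the top of INPUT.
    $IPTABLES -D INPUT -j dyn_inet 2>/dev/null || true
    $IPTABLES -I INPUT 1 -j dyn_inet
}

# Constructed ifconfig output for the demo (not captured from a real host).
SAMPLE_IFCONFIG='ppp0      Link encap:Point-to-Point Protocol
          inet addr:203.0.113.7  P-t-P:203.0.113.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1'

# Glue a hook script would use: parse, then rebuild.
apply_dynamic_ip() {
    ip=$(printf '%s\n' "$1" | inet_ip_from_ifconfig)
    rebuild_dynamic_ip_rules "$ip"
}

apply_dynamic_ip "$SAMPLE_IFCONFIG" && printf '%s' "$RECORDED"
```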


rc.UTIN.firewall.txt

The script requires the following options to be compiled into the kernel, either statically or as modules. Without any one of them the script will not work.

  • CONFIG_PACKET
  • CONFIG_NETFILTER
  • CONFIG_IP_NF_CONNTRACK
  • CONFIG_IP_NF_IPTABLES
  • CONFIG_IP_NF_MATCH_LIMIT
  • CONFIG_IP_NF_MATCH_STATE
  • CONFIG_IP_NF_FILTER
  • CONFIG_IP_NF_NAT
  • CONFIG_IP_NF_TARGET_LOG


The rc.UTIN.firewall.txt script, unlike the other scripts, blocks the LAN behind the firewall. We trust the internal users no more than users from the Internet. In other words, we trust nobody, neither on the Internet nor on the local network we are connected to. Access to the Internet is therefore limited to the POP3, HTTP and FTP protocols only.

This script follows the golden rule: "trust nobody, not even your own employees". It is a sad fact that most of the attacks and break-ins a company suffers are carried out by the company's own employees from the local networks. This script will, I hope, give you some pointers that help you strengthen your firewall. It differs little from the original rc.firewall.txt, but contains hints about what we usually let through.


rc.test-iptables.txt

The rc.test-iptables.txt script is meant for testing the various chains, but may need some tweaking depending on your configuration, such as enabling ip_forwarding or setting up masquerading and so on. Nevertheless, in most cases with a basic setup where the main tables are configured, this script will work. What the script actually does is set up LOG targets for ping requests and ping replies. This way it becomes possible to record in the system log which chains were traversed and in what order. Run the script and then execute the following commands:

ping -c 1 host.on.the.internet

And while the first command runs, execute tail -n 0 -f /var/log/messages. You should now clearly see all the chains used and the order in which they are traversed.
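Rather than reading the log by eye, the traversal order can be pulled out of it. The following is an added example (not the tutorial's script) that reconstructs the chain sequence from kernel LOG lines; it assumes each LOG rule uses a prefix of the form "<table> <CHAIN>:" and the classic syslog line format, and the log lines it uses are constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example, not part of the tutorial. Reconstructs the chain traversal
# order from kernel LOG lines like those rc.test-iptables.txt produces.
# Assumed: each LOG rule uses a prefix of the form "<table> <CHAIN>:", so
# the prefix sits immediately before "IN=" in the log line; syslog format is
# the classic "Mon dd hh:mm:ss host kernel: ..." one. The log lines below are
# constructed for the demo (one ping sent from the firewall itself).

SAMPLE_LOG='Mar  4 12:00:01 fw kernel: mangle OUTPUT:IN= OUT=eth0 SRC=203.0.113.7 DST=198.51.100.1 LEN=84 PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
Mar  4 12:00:01 fw kernel: nat OUTPUT:IN= OUT=eth0 SRC=203.0.113.7 DST=198.51.100.1 LEN=84 PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
Mar  4 12:00:01 fw kernel: filter OUTPUT:IN= OUT=eth0 SRC=203.0.113.7 DST=198.51.100.1 LEN=84 PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
Mar  4 12:00:01 fw kernel: mangle POSTROUTING:IN= OUT=eth0 SRC=203.0.113.7 DST=198.51.100.1 LEN=84 PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
Mar  4 12:00:01 fw kernel: nat POSTROUTING:IN= OUT=eth0 SRC=203.0.113.7 DST=198.51.100.1 LEN=84 PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
Mar  4 12:00:01 fw kernel: mangle PREROUTING:IN=eth0 OUT= SRC=198.51.100.1 DST=203.0.113.7 LEN=84 PROTO=ICMP TYPE=0 CODE=0 ID=1234 SEQ=1
Mar  4 12:00:01 fw kernel: mangle INPUT:IN=eth0 OUT= SRC=198.51.100.1 DST=203.0.113.7 LEN=84 PROTO=ICMP TYPE=0 CODE=0 ID=1234 SEQ=1
Mar  4 12:00:01 fw kernel: filter INPUT:IN=eth0 OUT= SRC=198.51.100.1 DST=203.0.113.7 LEN=84 PROTO=ICMP TYPE=0 CODE=0 ID=1234 SEQ=1'

# chain_order ICMP_TYPE [ID]: read log lines on stdin and print, in order and
# comma-separated, the "<table> <CHAIN>" prefixes hit by packets of that ICMP
# type (8 = echo request, 0 = echo reply), optionally restricted to one
# ICMP ID so that several concurrent pings do not get mixed up.
chain_order() {
    icmp_type=$1
    id_filter="${2:+ ID=$2 }"    # " ID=1234 " when an ID was given, else empty
    grep -- " TYPE=$icmp_type " | grep -- "${id_filter:- }" |
        sed -n 's/^.*kernel: \([a-z][a-z]* [A-Z][A-Z]*\):IN=.*$/\1/p' |
        tr '\n' ',' | sed 's/,$//'
}

# The two directions of the one ping in the constructed log.
request_path() { printf '%s\n' "$SAMPLE_LOG" | chain_order 8 1234; }
reply_path()   { printf '%s\n' "$SAMPLE_LOG" | chain_order 0 1234; }

echo "echo request: $(request_path)"
echo "echo reply:   $(reply_path)"
```

Note that the reply never appears in a nat chain: only the first packet of a connection traverses the nat table, which is exactly what the log makes visible.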

Note

This script was written purely for demonstration purposes. In other words, you should not have logging rules like these, which log all packets without limit. Otherwise you risk becoming easy prey for an attacker who can flood you with packets, "bloat" your log, which may cause a denial of service, and then proceed to actually break into your system without fear of detection, since the system would no longer be able to log him.


rc.flush-iptables.txt

The rc.flush-iptables.txt script has no real value on its own, since it resets all your tables and chains. At the start of the script the default policies for the INPUT, OUTPUT and FORWARD chains in the filter table are set to ACCEPT. After that the policies for the PREROUTING, POSTROUTING and OUTPUT chains of the nat table are reset to the default. These actions are performed first so that no problems arise from closed connections and blocked packets. In effect this script can be used to prepare the firewall for configuration and for debugging your scripts, so here we only care about clearing the rule set and setting the default policies.

Once the default policies are set, we move on to flushing the contents of the chains in the filter and nat tables, and then all user-defined chains are deleted. After that the script is done. If you use the mangle table, you will have to add the corresponding lines to the script to handle that table.

Note

A few words in closing. Very many people ask me why not put a call to this script into rc.firewall, writing something like rc.firewall start to launch the script. I have not done so far because I believe that teaching material should carry the main ideas and should not be overloaded with assorted scripts with odd syntax. Adding specific syntax makes the scripts less readable and the tutorial itself harder to understand, so this tutorial stays as it is and will continue to stay that way.


Detailed explanations of special commands

Listing your active rule set

To list the rules, run the iptables command with the L option, which was briefly described earlier in the chapter How to build a rule. It looks roughly like this:

iptables -L

This command prints the list of rules on the screen in a readable form. Port numbers are converted to service names according to the /etc/services file, and IP addresses are converted to host names through DNS name resolution. Name resolution (resolving) can cause some problems: for example, with a 192.168.0.0/16 network the DNS service will not be able to determine the host name for the address 192.168.1.1, and as a result the command will hang. To avoid this problem, list the rules with an additional option:

iptables -L -n

To print additional information about the chains and rules, run

iptables -L -n -v

There are a number of files in the /proc file system that contain information quite interesting to us. For example, suppose we want to look at the list of connections in the conntrack table. This is the main table that holds the list of tracked connections and the state each of them is in. To view the table, run the command

cat /proc/net/conntrack | less


Updating and flushing your tables

As you dig deeper into iptables, the question of how to remove individual rules from chains without having to reboot the machine will become ever more pressing. I will now try to answer it. If you added some rule by mistake, all you need to do is replace the -A command with the -D command in the rule line. iptables will find the given rule and delete it. If there are several rules that look like the pattern given for deletion, the first one found will be erased. If that does not suit you, the -D command can be given the number of the line to delete as a parameter; for example, the command iptables -D INPUT 10 erases the tenth rule in the INPUT chain. (To find out a rule's number, run iptables -L CHAIN_NAME --line-numbers, and the rules will be printed with their numbers. Translator's note.)

To delete the contents of a whole chain, use the -F command. For example, iptables -F INPUT erases all the rules in the INPUT chain; however, this command does not change the chain's default policy, so if it is set to DROP, everything entering the INPUT chain will still be blocked. To reset the default policy, simply set it back to its original state, for example iptables -P INPUT ACCEPT.

I wrote a small script (described a little earlier) that flushes all tables and chains and resets the chain policies in iptables. Just note that if you use the mangle table you will need to extend this script, since it does not handle that table.
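The reset sequence described for rc.flush-iptables.txt (policies to ACCEPT first, then flush, then delete user chains), extended to the mangle table this section and the script's own description say it leaves out, as an added example rather than the tutorial's script. It assumes iptables is reached through a recorder variable so the ordering can be inspected where no netfilter is present.

```shell
#!/bin/sh
# Added example, not the tutorial's rc.flush-iptables.txt. Performs the reset
# sequence that script is described as doing (policies to ACCEPT first, then
# flush, then delete user chains), extended to the mangle table the text
# says it omits. Assumed: $IPTABLES points at a recorder so the block runs
# where no netfilter is present; set it to /sbin/iptables to apply for real.

IPTABLES=record_iptables
RECORDED=""
record_iptables() { RECORDED="${RECORDED}iptables $*
"; }

# Built-in chains per table (mangle INPUT/FORWARD exist from kernel 2.4.18).
chains_of() {
    case $1 in
        filter) echo "INPUT FORWARD OUTPUT" ;;
        nat)    echo "PREROUTING POSTROUTING OUTPUT" ;;
        mangle) echo "PREROUTING INPUT FORWARD OUTPUT POSTROUTING" ;;
        *)      return 1 ;;
    esac
}

# Reset everything. Order matters: a DROP policy left in place while the
# chains are already empty would silently cut every connection, so all
# policies go to ACCEPT before anything is flushed.
flush_all_tables() {
    for table in filter nat mangle; do
        for chain in $(chains_of $table); do
            $IPTABLES -t $table -P $chain ACCEPT
        done
    done
    for table in filter nat mangle; do
        $IPTABLES -t $table -F     # remove all rules from all chains
        $IPTABLES -t $table -X     # then remove the now-unreferenced user chains
    done
}

# Number of iptables invocations recorded so far (for checking the sequence).
recorded_count() { printf '%s' "$RECORDED" | grep -c .; }

flush_all_tables
printf '%s' "$RECORDED"
```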


Common problems and questions

Problems loading modules

You may run into several problems when trying to load one module or another. For example, you may get a message saying the requested module is missing

insmod: iptable_filter: no module by that name found

There is no reason to worry yet. Quite possibly the requested module (or modules) was linked into the kernel statically. This is the first thing you should check. To do so, simply run the command

iptables -t filter -L

If all is well, this command prints the list of all chains in the filter table to the terminal. The output should look roughly like this:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

If the filter table is missing, the output will be roughly the following

iptables v1.2.5: can't initialize iptables table `filter': Table does not exist (do you need to insmod?) Perhaps iptables or your kernel needs to be upgraded.

This is more serious, since the message indicates that either you forgot to install the modules, or you forgot to run depmod -a, or you did not compile the required modules at all. To solve the first problem, run make modules_install in the kernel source directory. The second problem is solved by running depmod -a. Solving the third problem is beyond the scope of this tutorial; in that case I recommend visiting the home page of the Linux Documentation Project. (Take another look at the beginning of the document, where the iptables installation process is described. Translator's note.)

Other errors you may get when running iptables:

iptables: No chain/target/match by that name

This error says that there is no such chain, target or match. It can depend on a huge number of factors; most likely you are trying to use a non-existent (or not yet defined) chain, or a non-existent target or match. Or it is because the required module is not loaded.


Passive FTP but no DCC

This is one of the fine features of the new iptables supported by the 2.4.x series kernels: you can allow Passive FTP and at the same time forbid DCC transfers, thanks to the new connection tracking code. You may ask "How so?"; it is quite simple. To make this possible you need to compile ip_conntrack_irc, ip_nat_irc, ip_conntrack_ftp and ip_nat_ftp as loadable modules, not as static code in the kernel. What these modules do is add connection tracking and NAT support for Passive FTP and DCC send. Without them the kernel's network code cannot handle connections of this type correctly.

If, for example, you want to allow Passive FTP but forbid DCC send, you need to load the ip_conntrack_ftp and ip_nat_ftp modules, NOT load the ip_conntrack_irc and ip_nat_irc modules, and then add the rule:

iptables -A INPUT -p TCP -m state --state RELATED -j ACCEPT

This allows Passive FTP connections but not DCC. If, on the contrary, you need to forbid Passive FTP and allow DCC, you do exactly the opposite: load the ip_conntrack_irc and ip_nat_irc modules and do NOT load the ip_conntrack_ftp and ip_nat_ftp modules. Note that the ip_nat_* modules are only needed if your firewall performs Network Address Translation or masquerading when connecting local hosts to the Internet.

For more information about Active and Passive FTP, read RFC 959 - File Transfer Protocol by J. Postel and J. Reynolds. This RFC contains information about the FTP protocol, Active and Passive FTP, and how they work. As that document describes, in Active FTP the client sends the server its IP and a port it has chosen at random for the connection. The server then connects to that port on the client. If your client is behind a firewall doing NAT, the data section of the packets has to be rewritten, which is what the ip_nat_ftp module does. In Passive FTP the procedure is completely reversed. The client tells the server that it wants to send or receive data, and the server's reply tells the client which address to connect to and which port to use.


State NEW packets but no SYN bit set

This property of iptables is not well documented, and so many people may pay it too little attention (myself included). If you use rules matching the packet state NEW but do not check the SYN bit, packets without the SYN bit set can "leak" through your protection. Although, in a setup with several firewalls, such a packet may be part of an ESTABLISHED connection set up through another firewall. Letting such packets through makes it possible for two or more firewalls to work together, and we can stop any of them without fear of breaking established connections, since another firewall immediately takes over the forwarding. However, this also allows almost any TCP connection to be established. To avoid this, add the following rules to the INPUT, OUTPUT and FORWARD chains:

$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

Caution

The rules above take care of this problem. Be extremely careful when building rules that make decisions based on packet state.

Note that there is some trouble with the rules above and Microsoft's poor TCP/IP implementation. The point is that under certain conditions packets generated by Microsoft software are marked NEW and will be dropped according to these rules. This does not break connections, however, as far as I know. It happens because, when a connection is closed and the final FIN/ACK packet is sent, netfilter closes the connection and removes it from the conntrack table. At that moment the faulty Microsoft code sends another packet, which is given the state NEW, but this packet does not have the SYN bit set and therefore matches the rules mentioned above. In short, do not worry too much about these rules. If anything does go wrong, you can look at the system log where the dropped packets are logged (see the rules above) and sort them out.

There is one more known problem with these rules. If someone is currently connected to the firewall, for example from the LAN, and activates PPP, that connection will be killed. This happens at the moment the conntrack and nat modules are loaded or unloaded. Another way to get this problem is to run the rc.firewall.txt script from a telnet connection from another computer. To do so you telnet into the firewall. You run rc.firewall.txt, during which the connection tracking modules are loaded and the "NEW not SYN" rules are loaded. When the telnet client or daemon then tries to send anything, the connection is recognised by the tracking code as NEW, but the packets do not have the SYN bit set, since they are in fact part of an already established connection. Consequently the packet matches the rules, with the result that it is logged and dropped.


Internet Service Providers who use reserved IP addresses

I added this section to warn you about dim-witted Internet Service Providers who assign IP addresses that IANA has set aside for local networks. For example, the Swedish Internet Service Provider and telephone monopoly Telia uses such addresses, for instance for their DNS servers, which use the 10.x.x.x range. The problem you will most likely run into is that in our scripts we do not allow connections from any IP in the 10.x.x.x range, because of the possibility of packet spoofing. If you find yourself in this situation, you will probably have to remove some of the rules, or add rules that let traffic from these servers through before the INPUT chain, for example like this:

/usr/local/sbin/iptables -t nat -I PREROUTING -i eth1 -s 10.0.0.1/32 -j ACCEPT

I would like to remind providers like this that these address ranges are not meant to be used on the Internet. For corporate networks, by all means; for your own home networks, great! But you should not force us to "open up" at your whim.
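An added example (not from the tutorial) that reads the nameservers a provider hands out in /etc/resolv.conf, reports which of them fall inside the reserved ranges the scripts drop as spoofed, and builds the per-host exception rule shown above for each one. The resolv.conf contents are constructed and the outside interface eth1 is an assumption.

```python
"""Find nameservers inside IANA-reserved ranges and build per-host exceptions.

Added example, not part of the original tutorial. The rc.firewall scripts
treat packets claiming to come from 10.0.0.0/8 (and the other private ranges)
as spoofed, so an ISP that runs its DNS on such addresses needs an explicit
exception like the one shown in the text. The resolv.conf text below is
constructed; the interface name eth1 is an assumption.
"""
import ipaddress

# Ranges the anti-spoofing rules treat as never valid on the Internet side.
RESERVED_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed /etc/resolv.conf as written by pppd for a provider like the one described.
SAMPLE_RESOLV_CONF = """\
# generated by pppd
search example.invalid
nameserver 10.20.30.40
nameserver 203.0.113.7
nameserver 10.20.30.41
"""


def nameservers(resolv_conf_text):
    """Extract nameserver addresses from resolv.conf text (comments ignored)."""
    servers = []
    for line in resolv_conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) == 2 and parts[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                pass   # skip a malformed entry rather than abort the whole check
    return servers


def reserved_nameservers(resolv_conf_text):
    """Return (address, reserved network) for every nameserver the rules would block."""
    hits = []
    for addr in nameservers(resolv_conf_text):
        for net in RESERVED_RANGES:
            if addr in net:
                hits.append((addr, net))
                break
    return hits


def exception_rules(resolv_conf_text, wan_iface="eth1"):
    """Build one /32 ACCEPT rule per blocked server, in the form used in the text.

    A /32 per server keeps the hole as small as possible; never open the whole
    10.0.0.0/8 range just because the provider put two servers in it.
    """
    return [
        f"/usr/local/sbin/iptables -t nat -I PREROUTING -i {wan_iface} "
        f"-s {addr}/32 -j ACCEPT"
        for addr, _ in reserved_nameservers(resolv_conf_text)
    ]


if __name__ == "__main__":
    for addr, net in reserved_nameservers(SAMPLE_RESOLV_CONF):
        print(f"nameserver {addr} lies in reserved range {net}")
    for rule in exception_rules(SAMPLE_RESOLV_CONF):
        print(rule)
```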


How to let DHCP requests through iptables

This is actually quite simple once you know how the DHCP protocol works. First of all, DHCP runs over UDP, so the protocol is the first match criterion. Next, specify the interface: if, for example, DHCP requests arrive via $LAN_IFACE, DHCP traffic should be allowed only on that interface. Finally, to make the rule more specific, specify the ports. DHCP uses ports 67 and 68. The resulting rule may look like this:

$IPTABLES -I INPUT -i $LAN_IFACE -p udp --dport 67:68 --sport 67:68 -j ACCEPT

Note that this rule lets through all UDP traffic on ports 67 and 68, but this should not worry you too much, since it only allows traffic from hosts on the network that are talking to ports 67 and 68 from those same ports. This rule is quite sufficient to let DHCP requests through without "opening the gates" too wide. If you are very concerned about security, you can tighten the rule further.
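An added example (mine, not the tutorial's) that implements just the match options this rule uses and walks a chain over constructed packets, so you can see exactly which port combinations the rule above admits compared with a tighter per-direction pair. $LAN_IFACE is assumed to be eth1; the tighter rules are my suggestion, not the tutorial's.

```python
"""Compare the DHCP rule from the text with a tighter per-direction pair.

Added example, not part of the original tutorial. It implements only the
iptables match options that rule uses (-i, -p, --sport and --dport with an
optional port range) and walks a chain of such rules over constructed
packets. $LAN_IFACE is assumed to be eth1; the tighter rules are my
suggestion, not the tutorial's.
"""


def _port_range(text):
    """'67:68' -> (67, 68); a single port '68' -> (68, 68)."""
    lo, _, hi = text.partition(":")
    lo = int(lo)
    hi = int(hi) if hi else lo
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range {text!r}")
    return lo, hi


def parse_rule(rule_text):
    """Parse an iptables command line into a dict of match criteria and target."""
    tokens = rule_text.split()
    if len(tokens) % 2:
        raise ValueError("every option supported here takes exactly one argument")
    rule = {}
    for opt, arg in zip(tokens[0::2], tokens[1::2]):
        if opt in ("-A", "-I"):
            rule["chain"] = arg
        elif opt == "-i":
            rule["iface"] = arg
        elif opt == "-p":
            rule["proto"] = arg.lower()
        elif opt == "--sport":
            rule["sport"] = _port_range(arg)
        elif opt == "--dport":
            rule["dport"] = _port_range(arg)
        elif opt == "-j":
            rule["target"] = arg
        else:
            raise ValueError(f"unsupported option {opt!r}")
    return rule


def matches(rule, pkt):
    """True if every criterion present in the rule accepts the packet."""
    if "iface" in rule and rule["iface"] != pkt["iface"]:
        return False
    if "proto" in rule and rule["proto"] != pkt["proto"]:
        return False
    for key in ("sport", "dport"):
        if key in rule:
            lo, hi = rule[key]
            if not lo <= pkt[key] <= hi:
                return False
    return True


def verdict(chain, pkt, policy="DROP"):
    """The first matching rule decides, like a chain whose policy is DROP."""
    for rule in chain:
        if matches(rule, pkt):
            return rule["target"]
    return policy


# The rule from the text, with $LAN_IFACE substituted (assumption: eth1).
BROAD = [parse_rule("-I INPUT -i eth1 -p udp --dport 67:68 --sport 67:68 -j ACCEPT")]

# My tighter alternative: only the two directions a DHCP client and server use.
# (A DHCP relay agent talks 67 -> 67; add that pair if the firewall relays.)
TIGHT = [
    parse_rule("-I INPUT -i eth1 -p udp --sport 68 --dport 67 -j ACCEPT"),  # client -> server
    parse_rule("-I INPUT -i eth1 -p udp --sport 67 --dport 68 -j ACCEPT"),  # server -> client
]


def udp(iface, sport, dport, proto="udp"):
    """Build a constructed packet summary."""
    return {"iface": iface, "proto": proto, "sport": sport, "dport": dport}


def compare(pkt):
    """Return (verdict under the broad rule, verdict under the tight rules)."""
    return verdict(BROAD, pkt), verdict(TIGHT, pkt)


if __name__ == "__main__":
    cases = [("DHCPDISCOVER 68->67", udp("eth1", 68, 67)),
             ("DHCPOFFER 67->68", udp("eth1", 67, 68)),
             ("odd 68->68", udp("eth1", 68, 68)),
             ("relay 67->67", udp("eth1", 67, 67)),
             ("same ports on eth0", udp("eth0", 68, 67)),
             ("tcp 68->67", udp("eth1", 68, 67, proto="tcp"))]
    for name, pkt in cases:
        broad, tight = compare(pkt)
        print(f"{name:<22} broad={broad:<6} tight={tight}")
```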


mIRC DCC problems

mIRC uses special settings that allow it to connect through a firewall and handle DCC connections properly. If these settings are used together with iptables, specifically with the ip_conntrack_irc and ip_nat_irc modules, the combination simply does not work. The problem is that mIRC automatically performs network address translation (NAT) inside the packets, so that when a packet reaches iptables, it simply does not know what to do with it. mIRC does not expect the firewall to be "smart" enough to handle IRC correctly, and therefore asks the server for its own IP address itself and then inserts that address when sending the DCC request.

Enabling the "I am behind a firewall" option while using the ip_conntrack_irc and ip_nat_irc modules results in netfilter writing the message "Forged DCC send packet" to the system log.

There is a simple solution to this problem: turn that option off in mIRC and let iptables do all the work.


ICMP types

This is the complete list of ICMP message types:

Table 1. ICMP types

TYPE  CODE  Description                                             Query  Error
0     0     Echo Reply                                              x
3     0     Network Unreachable                                            x
3     1     Host Unreachable                                               x
3     2     Protocol Unreachable                                           x
3     3     Port Unreachable                                               x
3     4     Fragmentation needed but no frag. bit set                      x
3     5     Source routing failed                                          x
3     6     Destination network unknown                                    x
3     7     Destination host unknown                                       x
3     8     Source host isolated (obsolete)                                x
3     9     Destination network administratively prohibited                x
3     10    Destination host administratively prohibited                   x
3     11    Network unreachable for TOS                                    x
3     12    Host unreachable for TOS                                       x
3     13    Communication administratively prohibited by filtering         x
3     14    Host precedence violation                                      x
3     15    Precedence cutoff in effect                                    x
4     0     Source quench
5     0     Redirect for network
5     1     Redirect for host
5     2     Redirect for TOS and network
5     3     Redirect for TOS and host
8     0     Echo request                                            x
9     0     Router advertisement
10    0     Route solicitation
11    0     TTL equals 0 during transit                                    x
11    1     TTL equals 0 during reassembly                                 x
12    0     IP header bad (catchall error)                                 x
12    1     Required options missing                                       x
13    0     Timestamp request (obsolete)                            x
14    0     Timestamp reply (obsolete)                              x
15    0     Information request (obsolete)                          x
16    0     Information reply (obsolete)                            x
17    0     Address mask request                                    x
18    0     Address mask reply                                      x

Links to other resources

Here is a list of links where you can find additional information:

  • ip-sysctl.txt - from the 2.4.14 kernel documentation. A small but good reference on the networking controls of the kernel.

  • ip_dynaddr.txt - from the 2.4.14 kernel documentation. A small reference on the ip_dynaddr settings available via sysctl and the /proc file system.

  • iptables.8 - the iptables 1.2.4 man page in HTML format. An excellent guide to writing iptables rules. Always useful to have at hand.

  • http://netfilter.filewatcher.org/ - the official netfilter and iptables site. A must for anyone who wants to set up iptables and netfilter on Linux.

  • http://netfilter.filewatcher.org/netfilter-faq.html - the official netfilter FAQ (Frequently Asked Questions).

  • http://netfilter.filewatcher.org/unreliable-guides/packet-filtering-HOWTO/index.html - Rusty Russell's Unreliable Guide to packet filtering. Excellent documentation on the basics of packet filtering with iptables, written by one of the iptables and netfilter developers.

  • http://netfilter.filewatcher.org/unreliable-guides/NAT-HOWTO/index.html - Rusty Russell's Unreliable Guide to Network Address Translation. Excellent documentation on Network Address Translation in iptables and netfilter, written by one of the core developers, Rusty Russell.

  • http://netfilter.filewatcher.org/unreliable-guides/netfilter-hacking-HOWTO/index.html - Rusty Russell's Unreliable Netfilter Hacking HOWTO. One of the few documents on writing code for netfilter and iptables. Also written by Rusty Russell.

  • http://www.linuxguruz.org/iptables/ - contains a large collection of links on the subject. Also has a list of iptables scripts for various purposes.

  • http://www.islandsoft.net/veerapen.html - an excellent discussion of automating iptables, for example how, with minor changes, you can make your machine automatically add "unwanted" sites to a special banlist in iptables.

  • http://kalamazoolinux.org/presentations/20010417/conntrack.html - an excellent description of the connection tracking modules. If you are interested in connection tracking, you should read this.

  • http://www.docum.org - one of the few sites with information on the Linux CBQ, tc and ip commands. Maintained by Stef Coene.

  • http://lists.samba.org/mailman/listinfo/netfilter - the official netfilter mailing list. Extremely useful for resolving questions about iptables and netfilter.

And of course the iptables source code, the documentation and the people who helped me.


Acknowledgements

I would like to express special thanks to the people who gave me invaluable help in creating this document:

  • Fabrice Marie, as chief editor, for correcting my horrible mistakes. Also a huge thank you for converting this document to DocBook format.

  • Marc Boucher, for help with some aspects of the state matching code.

  • Frode E. Nyboe, for improving the rc.firewall rules, for inspiring me to rewrite the rules and for introducing multiple tables into the same file.

  • Chapman Brad, Alexander W. Janssen, for help in understanding the order in which packets traverse the main NAT and filter tables.

  • Michiel Brandenburg, Myles Uyema, for help in getting working rules that use state matching.

  • Kent `Artech' Stahre, for help with the graphics. I know I am a poor designer, and you are the best I know ;). Also thanks for finding errors in this document.

  • Anders 'DeZENT' Johansson, for information about strange ISPs that use addresses reserved for local networks.

  • Jeremy `Spliffy' Smith, for many hints and for catching my mistakes.

And of course everyone who answered my questions and gave their opinions on this document. I am very sorry that I cannot mention everyone.

History

Version 1.1.11 (27 May 2002)
http://www.netfilter.org/tutorial/
By: Oskar Andreasson
Contributors: Steve Hnizdur, Lonni Friedman, Jelle Kalf, Harald Welte,
Valentina Barrios and Tony Earnshaw.

Version 1.1.9 (21 March 2002)
http://www.boingworld.com/workshops/linux/iptables-tutorial/
By: Oskar Andreasson
Contributors: Vince Herried, Togan Muftuoglu, Galen Johnson, Kelly Ashe, Janne
Johansson, Thomas Smets, Peter Horst, Mitch Landers, Neil Jolly, Jelle Kalf,
Jason Lam and Evan Nemerson

Version 1.1.8 (5 March 2002)
http://www.boingworld.com/workshops/linux/iptables-tutorial/
By: Oskar Andreasson

Version 1.1.7 (4 February 2002)
http://www.boingworld.com/workshops/linux/iptables-tutorial/
By: Oskar Andreasson
Contributors: Parimi Ravi, Phil Schultz, Steven McClintoc, Bill Dossett,
Dave Wreski, Erik Sjölund, Adam Mansbridge, Vasoo Veerapen, Aladdin and
Rusty Russell.

Version 1.1.6 (7 December 2001)
http://people.unix-fu.org/andreasson/
By: Oskar Andreasson
Contributors: Jim Ramsey, Phil Schultz, Göran Båge, Doug Monroe, Jasper
Aikema, Kurt Lieber, Chris Tallon, Chris Martin, Jonas Pasche, Jan
Labanowski, Rodrigo R. Branco, Jacco van Koll and Dave Wreski

Version 1.1.5 (14 November 2001)
http://people.unix-fu.org/andreasson/
By: Oskar Andreasson
Contributors: Fabrice Marie, Merijn Schering and Kurt Lieber

Version 1.1.4 (6 November 2001)
http://people.unix-fu.org/andreasson
By: Oskar Andreasson
Contributors: Stig W. Jensen, Steve Hnizdur, Chris Pluta and Kurt Lieber

Version 1.1.3 (9 October 2001)
http://people.unix-fu.org/andreasson
By: Oskar Andreasson
Contributors: Joni Chu, N. Emile Akabi-Davis and Jelle Kalf

Version 1.1.2 (29 September 2001)
http://people.unix-fu.org/andreasson
By: Oskar Andreasson

Version 1.1.1 (26 September 2001)
http://people.unix-fu.org/andreasson
By: Oskar Andreasson
Contributors: Dave Richardson

Version 1.1.0 (15 September 2001)
http://people.unix-fu.org/andreasson
By: Oskar Andreasson

Version 1.0.9 (9 September 2001)
http://people.unix-fu.org/andreasson
By: Oskar Andreasson

Version 1.0.8 (7 September 2001)
http://people.unix-fu.org/andreasson
By: Oskar Andreasson

Version 1.0.7 (23 August 2001)
http://people.unix-fu.org/andreasson
By: Oskar Andreasson
Contributors: Fabrice Marie

Version 1.0.6
http://people.unix-fu.org/andreasson
By: Oskar Andreasson

Version 1.0.5
http://people.unix-fu.org/andreasson
By: Oskar Andreasson
Contributors: Fabrice Marie


GNU Free Documentation License

Version 1.1, March 2000

Copyright (C) 2000 Free Software Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.


0. PREAMBLE

The purpose of this License is to make a manual, textbook, or other written document "free" in the sense of freedom: to assure everyone the effective freedom to copy and redistribute it, with or without modifying it, either commercially or noncommercially. Secondarily, this License preserves for the author and publisher a way to get credit for their work, while not being considered responsible for modifications made by others.

This License is a kind of "copyleft", which means that derivative works of the document must themselves be free in the same sense. It complements the GNU General Public License, which is a copyleft license designed for free software.

We have designed this License in order to use it for manuals for free software, because free software needs free documentation: a free program should come with manuals providing the same freedoms that the software does. But this License is not limited to software manuals; it can be used for any textual work, regardless of subject matter or whether it is published as a printed book. We recommend this License principally for works whose purpose is instruction or reference.


1. APPLICABILITY AND DEFINITIONS

This License applies to any manual or other work that contains a notice placed by the copyright holder saying it can be distributed under the terms of this License. The "Document", below, refers to any such manual or work. Any member of the public is a licensee, and is addressed as "you".

A "Modified Version" of the Document means any work containing the Document or a portion of it, either copied verbatim, or with modifications and/or translated into another language.

A "Secondary Section" is a named appendix or a front-matter section of the Document that deals exclusively with the relationship of the publishers or authors of the Document to the Document's overall subject (or to related matters) and contains nothing that could fall directly within that overall subject. (For example, if the Document is in part a textbook of mathematics, a Secondary Section may not explain any mathematics.) The relationship could be a matter of historical connection with the subject or with related matters, or of legal, commercial, philosophical, ethical or political position regarding them.

The "Invariant Sections" are certain Secondary Sections whose titles are designated, as being those of Invariant Sections, in the notice that says that the Document is released under this License.

The "Cover Texts" are certain short passages of text that are listed, as Front-Cover Texts or Back-Cover Texts, in the notice that says that the Document is released under this License.

A "Transparent" copy of the Document means a machine-readable copy, represented in a format whose specification is available to the general public, whose contents can be viewed and edited directly and straightforwardly with generic text editors or (for images composed of pixels) generic paint programs or (for drawings) some widely available drawing editor, and that is suitable for input to text formatters or for automatic translation to a variety of formats suitable for input to text formatters. A copy made in an otherwise Transparent file format whose markup has been designed to thwart or discourage subsequent modification by readers is not Transparent. A copy that is not "Transparent" is called "Opaque".

Examples of suitable formats for Transparent copies include plain ASCII without markup, Texinfo input format, LaTeX input format, SGML or XML using a publicly available DTD, and standard-conforming simple HTML designed for human modification. Opaque formats include PostScript, PDF, proprietary formats that can be read and edited only by proprietary word processors, SGML or XML for which the DTD and/or processing tools are not generally available, and the machine-generated HTML produced by some word processors for output purposes only.

The "Title Page" means, for a printed book, the title page itself, plus such following pages as are needed to hold, legibly, the material this License requires to appear in the title page. For works in formats which do not have any title page as such, "Title Page" means the text near the most prominent appearance of the work's title, preceding the beginning of the body of the text.


2. VERBATIM COPYING

You may copy and distribute the Document in any medium, either commercially or noncommercially, provided that this License, the copyright notices, and the license notice saying this License applies to the Document are reproduced in all copies, and that you add no other conditions whatsoever to those of this License. You may not use technical measures to obstruct or control the reading or further copying of the copies you make or distribute. However, you may accept compensation in exchange for copies. If you distribute a large enough number of copies you must also follow the conditions in section 3.

You may also lend copies, under the same conditions stated above, and you may publicly display copies.


3. COPYING IN QUANTITY

If you publish printed copies of the Document numbering more than 100, and the Document's license notice requires Cover Texts, you must enclose the copies in covers that carry, clearly and legibly, all these Cover Texts: Front-Cover Texts on the front cover, and Back-Cover Texts on the back cover. Both covers must also clearly and legibly identify you as the publisher of these copies. The front cover must present the full title with all words of the title equally prominent and visible. You may add other material on the covers in addition. Copying with changes limited to the covers, as long as they preserve the title of the Document and satisfy these conditions, can be treated as verbatim copying in other respects.

If the required texts for either cover are too voluminous to fit legibly, you should put the first ones listed (as many as fit reasonably) on the actual cover, and continue the rest onto adjacent pages.

If you publish or distribute Opaque copies of the Document numbering more than 100, you must either include a machine-readable Transparent copy along with each Opaque copy, or state in or with each Opaque copy a publicly-accessible computer-network location containing a complete Transparent copy of the Document, free of added material, which the general network-using public has access to download anonymously at no charge using public-standard network protocols. If you use the latter option, you must take reasonably prudent steps, when you begin distribution of Opaque copies in quantity, to ensure that this Transparent copy will remain thus accessible at the stated location until at least one year after the last time you distribute an Opaque copy (directly or through your agents or retailers) of that edition to the public.

It is requested, but not required, that you contact the authors of the Document well before redistributing any large number of copies, to give them a chance to provide you with an updated version of the Document.


4. MODIFICATIONS

You may copy and distribute a Modified Version of the Document under the conditions of sections 2 and 3 above, provided that you release the Modified Version under precisely this License, with the Modified Version filling the role of the Document, thus licensing distribution and modification of the Modified Version to whoever possesses a copy of it. In addition, you must do these things in the Modified Version:

  1. Use in the Title Page (and on the covers, if any) a title distinct from that of the Document, and from those of previous versions (which should, if there were any, be listed in the History section of the Document). You may use the same title as a previous version if the original publisher of that version gives permission.

  2. List on the Title Page, as authors, one or more persons or entities responsible for authorship of the modifications in the Modified Version, together with at least five of the principal authors of the Document (all of its principal authors, if it has less than five).

  3. State on the Title page the name of the publisher of the Modified Version, as the publisher.

  4. Preserve all the copyright notices of the Document.

  5. Add an appropriate copyright notice for your modifications adjacent to the other copyright notices.

  6. Include, immediately after the copyright notices, a license notice giving the public permission to use the Modified Version under the terms of this License, in the form shown in the Addendum below.

  7. Preserve in that license notice the full lists of Invariant Sections and required Cover Texts given in the Document's license notice.

  8. Include an unaltered copy of this License.

  9. Preserve the section entitled "History", and its title, and add to it an item stating at least the title, year, new authors, and publisher of the Modified Version as given on the Title Page. If there is no section entitled "History" in the Document, create one stating the title, year, authors, and publisher of the Document as given on its Title Page, then add an item describing the Modified Version as stated in the previous sentence.

  10. Preserve the network location, if any, given in the Document for public access to a Transparent copy of the Document, and likewise the network locations given in the Document for previous versions it was based on. These may be placed in the "History" section. You may omit a network location for a work that was published at least four years before the Document itself, or if the original publisher of the version it refers to gives permission.

  11. In any section entitled "Acknowledgements" or "Dedications", preserve the section's title, and preserve in the section all the substance and tone of each of the contributor acknowledgements and/or dedications given therein.

  12. Preserve all the Invariant Sections of the Document, unaltered in their text and in their titles. Section numbers or the equivalent are not considered part of the section titles.

  13. Delete any section entitled "Endorsements". Such a section may not be included in the Modified Version.

  14. Do not retitle any existing section as "Endorsements" or to conflict in title with any Invariant Section.

If the Modified Version includes new front-matter sections or appendices that qualify as Secondary Sections and contain no material copied from the Document, you may at your option designate some or all of these sections as invariant. To do this, add their titles to the list of Invariant Sections in the Modified Version's license notice. These titles must be distinct from any other section titles.

You may add a section entitled "Endorsements", provided it contains nothing but endorsements of your Modified Version by various parties--for example, statements of peer review or that the text has been approved by an organization as the authoritative definition of a standard.

You may add a passage of up to five words as a Front-Cover Text, and a passage of up to 25 words as a Back-Cover Text, to the end of the list of Cover Texts in the Modified Version. Only one passage of Front-Cover Text and one of Back-Cover Text may be added by (or through arrangements made by) any one entity. If the Document already includes a cover text for the same cover, previously added by you or by arrangement made by the same entity you are acting on behalf of, you may not add another; but you may replace the old one, on explicit permission from the previous publisher that added the old one.

The author(s) and publisher(s) of the Document do not by this License give permission to use their names for publicity for or to assert or imply endorsement of any Modified Version.


5. COMBINING DOCUMENTS

You may combine the Document with other documents released under this License, under the terms defined in section 4 above for modified versions, provided that you include in the combination all of the Invariant Sections of all of the original documents, unmodified, and list them all as Invariant Sections of your combined work in its license notice.

The combined work need only contain one copy of this License, and multiple identical Invariant Sections may be replaced with a single copy. If there are multiple Invariant Sections with the same name but different contents, make the title of each such section unique by adding at the end of it, in parentheses, the name of the original author or publisher of that section if known, or else a unique number. Make the same adjustment to the section titles in the list of Invariant Sections in the license notice of the combined work.

In the combination, you must combine any sections entitled "History" in the various original documents, forming one section entitled "History"; likewise combine any sections entitled "Acknowledgements", and any sections entitled "Dedications". You must delete all sections entitled "Endorsements."


6. COLLECTIONS OF DOCUMENTS

You may make a collection consisting of the Document and other documents released under this License, and replace the individual copies of this License in the various documents with a single copy that is included in the collection, provided that you follow the rules of this License for verbatim copying of each of the documents in all other respects.

You may extract a single document from such a collection, and distribute it individually under this License, provided you insert a copy of this License into the extracted document, and follow this License in all other respects regarding verbatim copying of that document.


7. AGGREGATION WITH INDEPENDENT WORKS

A compilation of the Document or its derivatives with other separate and independent documents or works, in or on a volume of a storage or distribution medium, does not as a whole count as a Modified Version of the Document, provided no compilation copyright is claimed for the compilation. Such a compilation is called an "aggregate", and this License does not apply to the other self-contained works thus compiled with the Document, on account of their being thus compiled, if they are not themselves derivative works of the Document.

If the Cover Text requirement of section 3 is applicable to these copies of the Document, then if the Document is less than one quarter of the entire aggregate, the Document's Cover Texts may be placed on covers that surround only the Document within the aggregate. Otherwise they must appear on covers around the whole aggregate.


8. TRANSLATION

Translation is considered a kind of modification, so you may distribute translations of the Document under the terms of section 4. Replacing Invariant Sections with translations requires special permission from their copyright holders, but you may include translations of some or all Invariant Sections in addition to the original versions of these Invariant Sections. You may include a translation of this License provided that you also include the original English version of this License. In case of a disagreement between the translation and the original English version of this License, the original English version will prevail.


9. TERMINATION

You may not copy, modify, sublicense, or distribute the Document except as expressly provided for under this License. Any other attempt to copy, modify, sublicense or distribute the Document is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.


10. FUTURE REVISIONS OF THIS LICENSE

The Free Software Foundation may publish new, revised versions of the GNU Free Documentation License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. See http://www.gnu.org/copyleft/.

Each version of the License is given a distinguishing version number. If the Document specifies that a particular numbered version of this License "or any later version" applies to it, you have the option of following the terms and conditions either of that specified version or of any later version that has been published (not as a draft) by the Free Software Foundation. If the Document does not specify a version number of this License, you may choose any version ever published (not as a draft) by the Free Software Foundation.


How to use this License for your documents

To use this License in a document you have written, include a copy of the License in the document and put the following copyright and license notices just after the title page:

Copyright (c) YEAR YOUR NAME. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1 or any later version published by the Free Software Foundation; with the Invariant Sections being LIST THEIR TITLES, with the Front-Cover Texts being LIST, and with the Back-Cover Texts being LIST. A copy of the license is included in the section entitled "GNU Free Documentation License".

If you have no Invariant Sections, write "with no Invariant Sections" instead of saying which ones are invariant. If you have no Front-Cover Texts, write "no Front-Cover Texts" instead of "Front-Cover Texts being LIST"; likewise for Back-Cover Texts.

If your document contains nontrivial examples of program code, we recommend releasing these examples in parallel under your choice of free software license, such as the GNU General Public License, to permit their use in free software.


GNU General Public License

Version 2, June 1991

Copyright (C) 1989, 1991 Free Software Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.


0. Preamble

The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Library General Public License instead.) You can apply it to your programs, too.

When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things.

To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it.

For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights.

We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software.

Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations.

Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all.

The precise terms and conditions for copying, distribution and modification follow.


1. TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

  0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you".

    Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does.

  1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program.

    You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.

  2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:

    a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change.

    b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License.

    c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.)

    These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.

    Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program.

    In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.

  3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following:

    a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,

    b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,

    c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.)

    The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.

    If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code.

  4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.

  5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it.

  6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License.

  7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program.

    If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances.

    It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice.

    This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.

  8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License.

  9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.

    Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation.

  10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.

  NO WARRANTY

  11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

  12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

END OF TERMS AND CONDITIONS


2. How to Apply These Terms to Your New Programs

If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms.

To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found.

<one line to give the program's name and a brief idea of what it does.>
Copyright (C) <year> <name of author>

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

Also add information on how to contact you by electronic and paper mail.

If the program is interactive, make it output a short notice like this when it starts in an interactive mode:

Gnomovision version 69, Copyright (C) year name of author
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
This is free software, and you are welcome to redistribute it
under certain conditions; type `show c' for details.

The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than `show w' and `show c'; they could even be mouse-clicks or menu items--whatever suits your program.

You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the program, if necessary. Here is a sample; alter the names:

Yoyodyne, Inc., hereby disclaims all copyright interest in the program
`Gnomovision' (which makes passes at compilers) written by James Hacker.

<signature of Ty Coon>, 1 April 1989
Ty Coon, President of Vice

This General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Library General Public License instead of this License.


Example scripts codebase

Example rc.firewall script

#!/bin/sh
#
# rc.firewall - Initial SIMPLE IP Firewall script for Linux 2.4.x and iptables
#
# Copyright (C) 2001  Oskar Andreasson <bluefluxATkoffeinDOTnet>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA  02111-1307   USA
#

###########################################################################
#
# 1. Configuration options.
#

#
# 1.1 Internet Configuration.
#

INET_IP="194.236.50.155"
INET_IFACE="eth0"

#
# 1.1.1 DHCP
#

#
# 1.1.2 PPPoE
#

#
# 1.2 Local Area Network configuration.
#
# your LAN's IP range and this host's LAN IP. The /16 suffix means only the
# first 16 bits of the 32 bit IP address are the network part, the same as
# netmask 255.255.0.0 (a /24 would be netmask 255.255.255.0).
#

LAN_IP="192.168.0.2"
LAN_IP_RANGE="192.168.0.0/16"
LAN_BCAST_ADRESS="192.168.255.255"
LAN_IFACE="eth1"

#
# 1.3 DMZ Configuration.
#

#
# 1.4 Localhost Configuration.
#

LO_IFACE="lo"
LO_IP="127.0.0.1"

#
# 1.5 IPTables Configuration.
#

IPTABLES="/usr/sbin/iptables"

#
# 1.6 Other Configuration.
#

###########################################################################
#
# 2. Module loading.
#

#
# Needed to initially load modules
#

/sbin/depmod -a

#
# 2.1 Required modules
#

/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state

#
# 2.2 Non-Required modules
#

#/sbin/modprobe ipt_owner
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc

###########################################################################
#
# 3. /proc set up.
#

#
# 3.1 Required proc configuration
#

echo "1" > /proc/sys/net/ipv4/ip_forward

#
# 3.2 Non-Required proc configuration
#

#echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
#echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr

###########################################################################
#
# 4. rules set up.
#

######
# 4.1 Filter table
#

#
# 4.1.1 Set policies
#

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

#
# 4.1.2 Create userspecified chains
#

#
# Create chain for bad tcp packets
#

$IPTABLES -N bad_tcp_packets

#
# Create separate chains for ICMP, TCP and UDP to traverse
#

$IPTABLES -N allowed
$IPTABLES -N icmp_packets
$IPTABLES -N tcp_packets
$IPTABLES -N udpincoming_packets

#
# 4.1.3 Create content in userspecified chains
#

#
# bad_tcp_packets chain
#

$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

#
# allowed chain
#

$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

#
# TCP rules
#

$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed

#
# UDP ports
#

#$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --destination-port 53 -j ACCEPT
#$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --destination-port 123 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --destination-port 2074 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --destination-port 4000 -j ACCEPT

#
# ICMP rules
#

$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

#
# 4.1.4 INPUT chain
#

#
# Bad TCP packets we don't want.
#

$IPTABLES -A INPUT -p tcp -j bad_tcp_packets

#
# Rules for special networks not part of the Internet
#

$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT

#
# Rules for incoming packets from the internet.
#

$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED \
-j ACCEPT
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udpincoming_packets
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets

#
# Log weird packets that don't match the above.
#

$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT INPUT packet died: "

#
# 4.1.5 FORWARD chain
#

#
# Bad TCP packets we don't want
#

$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets

#
# Accept the packets we actually want to forward
#

$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT FORWARD packet died: "

#
# 4.1.6 OUTPUT chain
#

#
# Bad TCP packets we don't want.
#

$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets

#
# Special OUTPUT rules to decide which IP's to allow.
#

$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

######
# 4.2 nat table
#

#
# 4.2.1 Set policies
#

#
# 4.2.2 Create user specified chains
#

#
# 4.2.3 Create content in user specified chains
#

#
# 4.2.4 PREROUTING chain
#

#
# 4.2.5 POSTROUTING chain
#

#
# Enable simple IP Forwarding and Network Address Translation
#

$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP

#
# 4.2.6 OUTPUT chain
#

######
# 4.3 mangle table
#

#
# 4.3.1 Set policies
#

#
# 4.3.2 Create user specified chains
#

#
# 4.3.3 Create content in user specified chains
#

#
# 4.3.4 PREROUTING chain
#

#
# 4.3.5 INPUT chain
#

#
# 4.3.6 FORWARD chain
#

#
# 4.3.7 OUTPUT chain
#

#
# 4.3.8 POSTROUTING chain
#


Example rc.DMZ.firewall script

#!/bin/sh
#
# rc.DMZ.firewall - DMZ IP Firewall script for Linux 2.4.x and iptables
#
# Copyright (C) 2001  Oskar Andreasson <bluefluxATkoffeinDOTnet>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA  02111-1307   USA
#

###########################################################################
#
# 1. Configuration options.
#

#
# 1.1 Internet Configuration.
#

INET_IP="194.236.50.152"
HTTP_IP="194.236.50.153"
DNS_IP="194.236.50.154"
INET_IFACE="eth0"

#
# 1.1.1 DHCP
#

#
# 1.1.2 PPPoE
#

#
# 1.2 Local Area Network configuration.
#
# your LAN's IP range and this host's LAN IP. The /16 suffix means only the
# first 16 bits of the 32 bit IP address are the network part, the same as
# netmask 255.255.0.0 (a /24 would be netmask 255.255.255.0).
#

LAN_IP="192.168.0.2"
LAN_IP_RANGE="192.168.0.0/16"
LAN_BCAST_ADRESS="192.168.255.255"
LAN_IFACE="eth1"

#
# 1.3 DMZ Configuration.
#

DMZ_HTTP_IP="192.168.1.2"
DMZ_DNS_IP="192.168.1.3"
DMZ_IP="192.168.1.1"
DMZ_IFACE="eth2"

#
# 1.4 Localhost Configuration.
#

LO_IFACE="lo"
LO_IP="127.0.0.1"

#
# 1.5 IPTables Configuration.
#

IPTABLES="/usr/sbin/iptables"

#
# 1.6 Other Configuration.
#

###########################################################################
#
# 2. Module loading.
#

#
# Needed to initially load modules
#

/sbin/depmod -a

#
# 2.1 Required modules
#

/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state

#
# 2.2 Non-Required modules
#

#/sbin/modprobe ipt_owner
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc

###########################################################################
#
# 3. /proc set up.
#

#
# 3.1 Required proc configuration
#

echo "1" > /proc/sys/net/ipv4/ip_forward

#
# 3.2 Non-Required proc configuration
#

#echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
#echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr

###########################################################################
#
# 4. rules set up.
#

######
# 4.1 Filter table
#

#
# 4.1.1 Set policies
#

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

#
# 4.1.2 Create userspecified chains
#

#
# Create chain for bad tcp packets
#

$IPTABLES -N bad_tcp_packets

#
# Create separate chains for ICMP, TCP and UDP to traverse
#

$IPTABLES -N allowed
$IPTABLES -N icmp_packets
$IPTABLES -N tcp_packets
$IPTABLES -N udpincoming_packets

#
# 4.1.3 Create content in userspecified chains
#

#
# bad_tcp_packets chain
#

$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

#
# allowed chain
#

$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

#
# ICMP rules
#

# Changed rules totally
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

#
# 4.1.4 INPUT chain
#

#
# Bad TCP packets we don't want
#

$IPTABLES -A INPUT -p tcp -j bad_tcp_packets

#
# Packets from the Internet to this box
#

$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets

#
# Packets from LAN, DMZ or LOCALHOST
#

#
# From DMZ Interface to DMZ firewall IP
#

$IPTABLES -A INPUT -p ALL -i $DMZ_IFACE -d $DMZ_IP -j ACCEPT

#
# From LAN Interface to LAN firewall IP
#

$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT

#
# From Localhost interface to Localhost IP's
#

$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT

#
# All established and related packets incoming from the internet to the
# firewall
#

$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED \
-j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT INPUT packet died: "

#
# 4.1.5 FORWARD chain
#

#
# Bad TCP packets we don't want
#

$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets


#
# DMZ section
#
# General rules
#

$IPTABLES -A FORWARD -i $DMZ_IFACE -o $INET_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $INET_IFACE -o $DMZ_IFACE -m state \
--state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $LAN_IFACE -o $DMZ_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $DMZ_IFACE -o $LAN_IFACE -j ACCEPT

#
# HTTP server
#

$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP \
--dport 80 -j allowed
$IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP \
-j icmp_packets

#
# DNS server
#

$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP \
--dport 53 -j allowed
$IPTABLES -A FORWARD -p UDP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP \
--dport 53 -j ACCEPT
$IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP \
-j icmp_packets

#
# LAN section
#

$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT FORWARD packet died: "

#
# 4.1.6 OUTPUT chain
#

#
# Bad TCP packets we don't want.
#

$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets

#
# Special OUTPUT rules to decide which IP's to allow.
#

$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

######
# 4.2 nat table
#

#
# 4.2.1 Set policies
#

#
# 4.2.2 Create user specified chains
#

#
# 4.2.3 Create content in user specified chains
#

#
# 4.2.4 PREROUTING chain
#

$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $HTTP_IP --dport 80 \
-j DNAT --to-destination $DMZ_HTTP_IP
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $DNS_IP --dport 53 \
-j DNAT --to-destination $DMZ_DNS_IP
$IPTABLES -t nat -A PREROUTING -p UDP -i $INET_IFACE -d $DNS_IP --dport 53 \
-j DNAT --to-destination $DMZ_DNS_IP

#
# 4.2.5 POSTROUTING chain
#

#
# Enable simple IP Forwarding and Network Address Translation
#

$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP

#
# 4.2.6 OUTPUT chain
#

######
# 4.3 mangle table
#

#
# 4.3.1 Set policies
#

#
# 4.3.2 Create user specified chains
#

#
# 4.3.3 Create content in user specified chains
#

#
# 4.3.4 PREROUTING chain
#

#
# 4.3.5 INPUT chain
#

#
# 4.3.6 FORWARD chain
#

#
# 4.3.7 OUTPUT chain
#

#
# 4.3.8 POSTROUTING chain
#

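The scripts in this section record what their DROP policies discard through rate-limited LOG rules with the prefixes "IPT INPUT packet died: ", "IPT FORWARD packet died: " and "IPT OUTPUT packet died: ", and the bad_tcp_packets chain logs with "New not syn:". As an added example, not code from the tutorial, the POSIX shell functions below summarise such kernel log lines; the sample log, the function names and every address except the INET_IP from rc.firewall are this example's own constructions.

```shell
#!/bin/sh
# Added example, not part of Oskar Andreasson's scripts: summarise the
# kernel log lines written by the LOG rules of rc.firewall, rc.DMZ.firewall
# and rc.UTIN.firewall.  The prefixes matched below are the ones those
# scripts set with --log-prefix; the function names and the sample log are
# this example's own.
#
# Caveat: the scripts rate-limit the LOG rules (-m limit --limit 3/minute
# --limit-burst 3), so these tallies are a lower bound on what the DROP
# policies actually discarded, and the --log-level DEBUG lines only reach a
# file if syslog is configured to store kernel debug-level messages.

# Constructed sample of syslog output for those rules.  The fields after the
# prefix (IN=, OUT=, SRC=, DST=, PROTO=, SPT=, DPT=, ...) follow the format
# of the ipt_LOG target; the addresses are made up, except that
# 194.236.50.155 is the INET_IP used in rc.firewall.
SAMPLE_LOG='Mar  1 10:00:01 fw kernel: IPT INPUT packet died: IN=eth0 OUT= SRC=10.0.0.5 DST=194.236.50.155 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  1 10:00:02 fw kernel: IPT INPUT packet died: IN=eth0 OUT= SRC=10.0.0.5 DST=194.236.50.155 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40001 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  1 10:00:03 fw kernel: IPT FORWARD packet died: IN=eth0 OUT=eth1 SRC=10.0.0.9 DST=192.168.0.20 LEN=48 TOS=0x00 PREC=0x00 TTL=63 ID=3 PROTO=UDP SPT=53 DPT=1025 LEN=28
Mar  1 10:00:04 fw kernel: New not syn:IN=eth0 OUT= SRC=10.0.0.7 DST=194.236.50.155 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=4 PROTO=TCP SPT=40002 DPT=80 WINDOW=1024 RES=0x00 ACK URGP=0
Mar  1 10:00:05 fw sshd[123]: Accepted publickey for admin from 192.168.0.10 port 51234 ssh2
Mar  1 10:00:06 fw kernel: IPT OUTPUT packet died: IN= OUT=eth0 SRC=192.168.0.2 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=TCP SPT=50000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0'

# Value of one KEY= field (e.g. SRC, DPT, PROTO) of a single LOG line $1;
# prints nothing when the field is absent.
log_field() {
    printf '%s\n' "$1" | awk -v key="$2" '{
        for (i = 1; i <= NF; i++)
            if (index($i, key "=") == 1) { print substr($i, length(key) + 2); exit }
    }'
}

# Dropped packets per source address for one filter chain ($2: INPUT,
# FORWARD or OUTPUT) in the log text $1, printed as "count src" lines,
# busiest source first.  Lines without the chain's prefix are ignored.
drops_by_source() {
    printf '%s\n' "$1" | awk -v chain="$2" '
        index($0, "IPT " chain " packet died: ") {
            for (i = 1; i <= NF; i++)
                if (index($i, "SRC=") == 1) { n[substr($i, 5)]++; break }
        }
        END { for (s in n) printf "%d %s\n", n[s], s }' | sort -rn
}

# Distinct sources whose packets the bad_tcp_packets chain logged: TCP
# packets that were not SYN yet matched no tracked connection.
not_syn_sources() {
    printf '%s\n' "$1" | awk '
        index($0, "New not syn:") {
            for (i = 1; i <= NF; i++)
                if (index($i, "SRC=") == 1) { print substr($i, 5); break }
        }' | sort -u
}

# Stand-alone run: per-chain summary plus the not-SYN offenders.
for chain in INPUT FORWARD OUTPUT; do
    echo "== $chain: packets dropped, by source =="
    drops_by_source "$SAMPLE_LOG" "$chain"
done
echo "== sources sending non-SYN packets for unknown connections =="
not_syn_sources "$SAMPLE_LOG"
```

To run it against a real log, replace `"$SAMPLE_LOG"` with `"$(cat /var/log/messages)"` or whichever file your syslog writes kernel messages to.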

Example rc.UTIN.firewall script

#!/bin/sh
#
# rc.UTIN.firewall - UTIN Firewall script for Linux 2.4.x and iptables
#
# Copyright (C) 2001  Oskar Andreasson <bluefluxATkoffeinDOTnet>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA  02111-1307   USA
#

###########################################################################
#
# 1. Configuration options.
#

#
# 1.1 Internet Configuration.
#

INET_IP="194.236.50.155"
INET_IFACE="eth0"

#
# 1.1.1 DHCP
#

#
# 1.1.2 PPPoE
#

#
# 1.2 Local Area Network configuration.
#
# your LAN's IP range and this host's LAN IP. The /16 suffix means only the
# first 16 bits of the 32 bit IP address are the network part, the same as
# netmask 255.255.0.0 (a /24 would be netmask 255.255.255.0).
#

LAN_IP="192.168.0.2"
LAN_IP_RANGE="192.168.0.0/16"
LAN_BCAST_ADRESS="192.168.255.255"
LAN_IFACE="eth1"

#
# 1.3 DMZ Configuration.
#

#
# 1.4 Localhost Configuration.
#

LO_IFACE="lo"
LO_IP="127.0.0.1"

#
# 1.5 IPTables Configuration.
#

IPTABLES="/usr/sbin/iptables"

#
# 1.6 Other Configuration.
#

###########################################################################
#
# 2. Module loading.
#

#
# Needed to initially load modules
#

/sbin/depmod -a

#
# 2.1 Required modules
#

/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state

#
# 2.2 Non-Required modules
#

#/sbin/modprobe ipt_owner
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc

###########################################################################
#
# 3. /proc set up.
#

#
# 3.1 Required proc configuration
#

echo "1" > /proc/sys/net/ipv4/ip_forward

#
# 3.2 Non-Required proc configuration
#

#echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
#echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr

###########################################################################
#
# 4. rules set up.
#

######
# 4.1 Filter table
#

#
# 4.1.1 Set policies
#

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

#
# 4.1.2 Create userspecified chains
#

#
# Create chain for bad tcp packets
#

$IPTABLES -N bad_tcp_packets

#
# Create separate chains for ICMP, TCP and UDP to traverse
#

$IPTABLES -N allowed
$IPTABLES -N icmp_packets
$IPTABLES -N tcp_packets
$IPTABLES -N udpincoming_packets

#
# 4.1.3 Create content in userspecified chains
#

#
# bad_tcp_packets chain
#

$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

#
# allowed chain
#

$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

#
# TCP rules
#

$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed

#
# UDP ports
#

#$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
#$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT

#
# ICMP rules
#

$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

#
# 4.1.4 INPUT chain
#

#
# Bad TCP packets we don't want.
#

$IPTABLES -A INPUT -p tcp -j bad_tcp_packets

#
# Rules for special networks not part of the Internet
#

$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT

#
# Rules for incoming packets from anywhere.
#

$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED \
-j ACCEPT
$IPTABLES -A INPUT -p TCP -j tcp_packets
$IPTABLES -A INPUT -p UDP -j udpincoming_packets
$IPTABLES -A INPUT -p ICMP -j icmp_packets

#
# Log weird packets that don't match the above.
#

$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT INPUT packet died: "

#
# 4.1.5 FORWARD chain
#

#
# Bad TCP packets we don't want
#

$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets

#
# Accept the packets we actually want to forward
#

$IPTABLES -A FORWARD -p tcp --dport 21 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 80 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 110 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT FORWARD packet died: "

#
# 4.1.6 OUTPUT chain
#

#
# Bad TCP packets we don't want.
#

$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets

#
# Special OUTPUT rules to decide which source IPs to allow.
#

$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

######
# 4.2 nat table
#

#
# 4.2.1 Set policies
#

#
# 4.2.2 Create user specified chains
#

#
# 4.2.3 Create content in user specified chains
#

#
# 4.2.4 PREROUTING chain
#

#
# 4.2.5 POSTROUTING chain
#

#
# Enable simple IP Forwarding and Network Address Translation
#

$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP

#
# 4.2.6 OUTPUT chain
#

######
# 4.3 mangle table
#

#
# 4.3.1 Set policies
#

#
# 4.3.2 Create user specified chains
#

#
# 4.3.3 Create content in user specified chains
#

#
# 4.3.4 PREROUTING chain
#

#
# 4.3.5 INPUT chain
#

#
# 4.3.6 FORWARD chain
#

#
# 4.3.7 OUTPUT chain
#

#
# 4.3.8 POSTROUTING chain
#


Example rc.DHCP.firewall script

#!/bin/sh
#
# rc.firewall - DHCP IP Firewall script for Linux 2.4.x and iptables
#
# Copyright (C) 2001  Oskar Andreasson <bluefluxATkoffeinDOTnet>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA  02111-1307   USA
#

###########################################################################
#
# 1. Configuration options.
#

#
# 1.1 Internet Configuration.
#

INET_IFACE="eth0"

#
# 1.1.1 DHCP
#

#
# Information pertaining to DHCP over the Internet, if needed.
#
# Set the DHCP variable to "no" if you don't get your IP from DHCP. If you
# get your IP via DHCP over the Internet, set this variable to "yes" and
# put the proper IP address of the DHCP server in the DHCP_SERVER variable.
#

DHCP="no"
DHCP_SERVER="195.22.90.65"

#
# 1.1.2 PPPoE
#

# Configuration options pertaining to PPPoE.
#
# If you have problems with your PPPoE connection, such as large mails not
# getting through while small mails get through properly, you may set
# this option to "yes", which may fix the problem. It adds a rule to the
# POSTROUTING chain of the nat table (section 4.2.5 below) which clamps
# the TCP MSS of outgoing SYN packets to the PMTU (Path Maximum
# Transmission Unit), so that routed packets fit the path.
#
# Note that it is better to set this up in the PPPoE package itself, since
# the PPPoE configuration option will give less overhead.
#

PPPOE_PMTU="no"

#
# 1.2 Local Area Network configuration.
#
# Your LAN's IP range and localhost IP. /16 means to only use the first 16
# bits of the 32-bit IP address, the same as netmask 255.255.0.0.
#

LAN_IP="192.168.0.2"
LAN_IP_RANGE="192.168.0.0/16"
LAN_BCAST_ADRESS="192.168.255.255"
LAN_IFACE="eth1"

#
# 1.3 DMZ Configuration.
#

#
# 1.4 Localhost Configuration.
#

LO_IFACE="lo"
LO_IP="127.0.0.1"

#
# 1.5 IPTables Configuration.
#

IPTABLES="/usr/sbin/iptables"

#
# 1.6 Other Configuration.
#

###########################################################################
#
# 2. Module loading.
#

#
# Needed to initially load modules
#

/sbin/depmod -a

#
# 2.1 Required modules
#

/sbin/modprobe ip_conntrack
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_MASQUERADE

#
# 2.2 Non-Required modules
#

#/sbin/modprobe ipt_owner
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc

###########################################################################
#
# 3. /proc set up.
#

#
# 3.1 Required proc configuration
#

echo "1" > /proc/sys/net/ipv4/ip_forward

#
# 3.2 Non-Required proc configuration
#

#echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
#echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr

###########################################################################
#
# 4. rules set up.
#

######
# 4.1 Filter table
#

#
# 4.1.1 Set policies
#

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

#
# 4.1.2 Create user-specified chains
#

#
# Create chain for bad tcp packets
#

$IPTABLES -N bad_tcp_packets

#
# Create separate chains for ICMP, TCP and UDP to traverse
#

$IPTABLES -N allowed
$IPTABLES -N icmp_packets
$IPTABLES -N tcp_packets
$IPTABLES -N udpincoming_packets

#
# 4.1.3 Create content in user-specified chains
#

#
# bad_tcp_packets chain
#

$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

#
# allowed chain
#

$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

#
# TCP rules
#

$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed

#
# UDP ports
#

$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
# POSIX sh comparison (the script runs under /bin/sh, where "==" is not portable)
if [ "$DHCP" = "yes" ] ; then
 $IPTABLES -A udpincoming_packets -p UDP -s $DHCP_SERVER --sport 67 \
 --dport 68 -j ACCEPT
fi

#$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
#$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT

#
# ICMP rules
#

$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

#
# 4.1.4 INPUT chain
#

#
# Bad TCP packets we don't want.
#

$IPTABLES -A INPUT -p tcp -j bad_tcp_packets

#
# Rules for special networks not part of the Internet
#

$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT

#
# Rules for incoming packets from the internet.
#

$IPTABLES -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
-j ACCEPT
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udpincoming_packets
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets

#
# Log weird packets that don't match the above.
#

$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT INPUT packet died: "

#
# 4.1.5 FORWARD chain
#

#
# Bad TCP packets we don't want
#

$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets

#
# Accept the packets we actually want to forward
#

$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT FORWARD packet died: "

#
# 4.1.6 OUTPUT chain
#

#
# Bad TCP packets we don't want.
#

$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets

#
# Special OUTPUT rules to decide which source IPs and interfaces to allow.
#

$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

######
# 4.2 nat table
#

#
# 4.2.1 Set policies
#

#
# 4.2.2 Create user specified chains
#

#
# 4.2.3 Create content in user specified chains
#

#
# 4.2.4 PREROUTING chain
#

#
# 4.2.5 POSTROUTING chain
#

# POSIX sh comparison (the script runs under /bin/sh, where "==" is not portable)
if [ "$PPPOE_PMTU" = "yes" ] ; then
 $IPTABLES -t nat -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN \
 -j TCPMSS --clamp-mss-to-pmtu
fi
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE

#
# 4.2.6 OUTPUT chain
#

######
# 4.3 mangle table
#

#
# 4.3.1 Set policies
#

#
# 4.3.2 Create user specified chains
#

#
# 4.3.3 Create content in user specified chains
#

#
# 4.3.4 PREROUTING chain
#

#
# 4.3.5 INPUT chain
#

#
# 4.3.6 FORWARD chain
#

#
# 4.3.7 OUTPUT chain
#

#
# 4.3.8 POSTROUTING chain
#


Example rc.flush-iptables script

#!/bin/sh

# rc.flush-iptables - Resets iptables to default values.

# Copyright (C) 2001  Oskar Andreasson <bluefluxATkoffeinDOTnet>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA  02111-1307   USA

#
# Configurations
#
IPTABLES="/usr/sbin/iptables"

#
# reset the default policies in the filter table.
#
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT

#
# reset the default policies in the nat table.
#
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT

#
# reset the default policies in the mangle table.
#
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT

#
# flush all the rules in the filter, nat and mangle tables.
#
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
#
# delete all user-defined (non-default) chains in the filter, nat and mangle tables.
#
$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X


Example rc.test-iptables script

#!/bin/bash
#
# rc.test-iptables - test script for iptables chains and tables.
#
# Copyright (C) 2001  Oskar Andreasson <bluefluxATkoffeinDOTnet>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA  02111-1307   USA
#

#
# Filter table, all chains
#
iptables -t filter -A INPUT -p icmp --icmp-type echo-request \
-j LOG --log-prefix="filter INPUT:"
iptables -t filter -A INPUT -p icmp --icmp-type echo-reply \
-j LOG --log-prefix="filter INPUT:"
iptables -t filter -A OUTPUT -p icmp --icmp-type echo-request \
-j LOG --log-prefix="filter OUTPUT:"
iptables -t filter -A OUTPUT -p icmp --icmp-type echo-reply \
-j LOG --log-prefix="filter OUTPUT:"
iptables -t filter -A FORWARD -p icmp --icmp-type echo-request \
-j LOG --log-prefix="filter FORWARD:"
iptables -t filter -A FORWARD -p icmp --icmp-type echo-reply \
-j LOG --log-prefix="filter FORWARD:"

#
# NAT table, all chains except OUTPUT, which doesn't work.
#
iptables -t nat -A PREROUTING -p icmp --icmp-type echo-request \
-j LOG --log-prefix="nat PREROUTING:"
iptables -t nat -A PREROUTING -p icmp --icmp-type echo-reply \
-j LOG --log-prefix="nat PREROUTING:"
iptables -t nat -A POSTROUTING -p icmp --icmp-type echo-request \
-j LOG --log-prefix="nat POSTROUTING:"
iptables -t nat -A POSTROUTING -p icmp --icmp-type echo-reply \
-j LOG --log-prefix="nat POSTROUTING:"
iptables -t nat -A OUTPUT -p icmp --icmp-type echo-request \
-j LOG --log-prefix="nat OUTPUT:"
iptables -t nat -A OUTPUT -p icmp --icmp-type echo-reply \
-j LOG --log-prefix="nat OUTPUT:"

#
# Mangle table, all chains
#
iptables -t mangle -A PREROUTING -p icmp --icmp-type echo-request \
-j LOG --log-prefix="mangle PREROUTING:"
iptables -t mangle -A PREROUTING -p icmp --icmp-type echo-reply \
-j LOG --log-prefix="mangle PREROUTING:"
iptables -t mangle -A OUTPUT -p icmp --icmp-type echo-request \
-j LOG --log-prefix="mangle OUTPUT:"
iptables -t mangle -A OUTPUT -p icmp --icmp-type echo-reply \
-j LOG --log-prefix="mangle OUTPUT:"


End.
