鸟哥学习笔记---防火墙

 

1.Netfilter  2.TCP Wrappers(链接的程序名与IP来判断)  3.Proxy----------squid

TCP Wrappers就是通过/etc/hosts.allow、/etc/hosts.deny来管理的，但要满足下面这两个程序才可能用这个来管理：
1：由Super Deamon（Xinetd）所管理的服务
2：支持libwrap.so模块的服务

 

 

[root@szm ~]# chkconfig xinetd on这个一定要打开，下面的命令才有Xinetd的内容

[root@szm ~]# chkconfig --list

................省略......

xinetd based services:

        chargen-dgram:  off

        chargen-stream: off

        cvs:            off

        daytime-dgram:  off

        daytime-stream: off

        discard-dgram:  off

        discard-stream: off

        echo-dgram:     off

        echo-stream:    off

        rsync:          off

        tcpmux-server:  off

        telnet:         on

        time-dgram:     off

        time-stream:    off

[root@szm ~]# ldd $(which rsyslogd sshd xinetd httpd)

/sbin/rsyslogd:

        linux-gate.so.1 =>  (0x00348000)

        libz.so.1 => /lib/libz.so.1 (0x005b9000)

        libpthread.so.0 => /lib/libpthread.so.0 (0x0071d000)

        libdl.so.2 => /lib/libdl.so.2 (0x0053d000)

        librt.so.1 => /lib/librt.so.1 (0x001f0000)

        libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x00ca1000)

        libc.so.6 => /lib/libc.so.6 (0x003b0000)

        /lib/ld-linux.so.2 (0x0038a000)

/usr/sbin/sshd:

        linux-gate.so.1 =>  (0x0030c000)

        libfipscheck.so.1 => /usr/lib/libfipscheck.so.1 (0x00321000)

        libwrap.so.0 => /lib/libwrap.so.0 (0x00276000)

        libpam.so.0 => /lib/libpam.so.0 (0x00110000)

        libdl.so.2 => /lib/libdl.so.2 (0x00391000)

        libselinux.so.1 => /lib/libselinux.so.1 (0x00e1d000)

        libaudit.so.1 => /lib/libaudit.so.1 (0x004f7000)

        libresolv.so.2 => /lib/libresolv.so.2 (0x003a4000)

        libcrypto.so.10 => /usr/lib/libcrypto.so.10 (0x00bd5000)

        libutil.so.1 => /lib/libutil.so.1 (0x00900000)

        libz.so.1 => /lib/libz.so.1 (0x004c6000)

        libnsl.so.1 => /lib/libnsl.so.1 (0x00472000)

        libcrypt.so.1 => /lib/libcrypt.so.1 (0x0011d000)

        libgssapi_krb5.so.2 => /lib/libgssapi_krb5.so.2 (0x00f69000)

        libkrb5.so.3 => /lib/libkrb5.so.3 (0x0014d000)

        libk5crypto.so.3 => /lib/libk5crypto.so.3 (0x0021d000)

        libcom_err.so.2 => /lib/libcom_err.so.2 (0x00ba7000)

        libnss3.so => /usr/lib/libnss3.so (0x005ea000)

        libc.so.6 => /lib/libc.so.6 (0x00722000)

        /lib/ld-linux.so.2 (0x005ca000)

        libfreebl3.so => /lib/libfreebl3.so (0x0027f000)

        libkrb5support.so.0 => /lib/libkrb5support.so.0 (0x009c1000)

        libkeyutils.so.1 => /lib/libkeyutils.so.1 (0x00e93000)

        libpthread.so.0 => /lib/libpthread.so.0 (0x00edb000)

        libnssutil3.so => /usr/lib/libnssutil3.so (0x00529000)

        libplc4.so => /lib/libplc4.so (0x00244000)

        libplds4.so => /lib/libplds4.so (0x00967000)

        libnspr4.so => /lib/libnspr4.so (0x002c9000)

/usr/sbin/xinetd:

        linux-gate.so.1 =>  (0x004b0000)

        libselinux.so.1 => /lib/libselinux.so.1 (0x00aa8000)

        libwrap.so.0 => /lib/libwrap.so.0 (0x00cc3000)

        libnsl.so.1 => /lib/libnsl.so.1 (0x00333000)

        libm.so.6 => /lib/libm.so.6 (0x00f1c000)

        libcrypt.so.1 => /lib/libcrypt.so.1 (0x002c0000)

        libc.so.6 => /lib/libc.so.6 (0x004b1000)

        libdl.so.2 => /lib/libdl.so.2 (0x00110000)

        /lib/ld-linux.so.2 (0x003f4000)

        libfreebl3.so => /lib/libfreebl3.so (0x006d8000)

/usr/sbin/httpd:

        linux-gate.so.1 =>  (0x00fd5000)

        libm.so.6 => /lib/libm.so.6 (0x00de7000)

        libpcre.so.0 => /lib/libpcre.so.0 (0x00946000)

        libselinux.so.1 => /lib/libselinux.so.1 (0x00395000)

        libaprutil-1.so.0 =/> /usr/lib/libaprutil-1.so.0 (0x007ec000)

        libcrypt.so.1 => /lib/libcrypt.so.1 (0x00bc9000)

        libexpat.so.1 => /lib/libexpat.so.1 (0x00a70000)

        libdb-4.7.so => /lib/libdb-4.7.so (0x0056e000)

        libapr-1.so.0 => /usr/lib/libapr-1.so.0 (0x00130000)

        libpthread.so.0 => /lib/libpthread.so.0 (0x00baa000)

        libc.so.6 => /lib/libc.so.6 (0x0015e000)

        /lib/ld-linux.so.2 (0x00110000)

        libdl.so.2 => /lib/libdl.so.2 (0x0073a000)

        libuuid.so.1 => /lib/libuuid.so.1 (0x00c92000)

        libfreebl3.so => /lib/libfreebl3.so (0x002e9000)

rsyslogd、httpd这两个程序不支持；  sshd、xinetd支持；

 

 

查看顺序：
1./etc/hosts.allow
2./etc/hosts.deny
3.两个都没有就放行
 

查找rsync的服务启动文件名：（因为TCP Wrappers是通过启动服务的文件名来管理的）
[root@szm ~]# cat /etc/xinetd.d/rsync

 

# default: off

# description: The rsync server is a good addition to an ftp server, as it \

#       allows crc checksumming etc.

service rsync

{

        disable = yes

        flags           = IPv6

        socket_type     = stream

        wait            = no

        user            = root

        server          = /usr/bin/rsync

        server_args     = --daemon

        log_on_failure  += USERID

}

[root@szm ~]# cat /etc/hosts.allow

#

# hosts.allow   This file contains access rules which are used to

#               allow or deny connections to network services that

#               either use the tcp_wrappers library or that have been

#               started through a tcp_wrappers-enabled xinetd.

#

#               See 'man 5 hosts_options' and 'man 5 hosts_access'

#               for information on rule syntax.

#               See 'man tcpd' for information on tcp_wrappers

#

ALL:127.0.0.1

rsync:192.168.179.0/255.255.255.0 10.0.0.100

[root@szm ~]# cat /etc/hosts.deny

#

# hosts.deny    This file contains access rules which are used to

#               deny connections to network services that either use

#               the tcp_wrappers library or that have been

#               started through a tcp_wrappers-enabled xinetd.

#

#               The rules in this file can also be set up in

#               /etc/hosts.allow with a 'deny' option instead.

#

#               See 'man 5 hosts_options' and 'man 5 hosts_access'

#               for information on rule syntax.

#               See 'man tcpd' for information on tcp_wrappers

#

rsync: ALL

允许127.0.0.1，192.168.179.0，10.0.0.100  其他的地方不允许；

 

 

iptables:由Linux内核所提供的，所以速度快  V2.0：ipfwadm  V2.2：ipchains  V2.4与V2.6：iptables Linux的iptables至少就有3个表格， 1.包括管理本机进出的Filter（INPUT,OUTPUT,FORWARD） 2.管理后端（防火墙内部的其他计算机）的NAT(PREROUTING,POSTROUTING,OUTPUT) 3.管理特殊标志使用的Mangle(PREROUTING,OUTPUT,INPUT,FORWORD) 如果Iptables只是用来保护Linux主机本身的话，根本就不需要理NAT规则，直接设置为开放即可。

 

 

[root@szm ~]# iptables -L -n默认查看Filter表

Chain INPUT (policy ACCEPT)

target     prot opt source               destination

ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED

ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0

ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0---------这里没有标识接口lo

ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22

REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

 

Chain FORWARD (policy ACCEPT)

target     prot opt source               destination

REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

 

Chain OUTPUT (policy ACCEPT)

target     prot opt source               destination

详细信息，包括数据包数：

[root@szm ~]# iptables -L -n -v

 

查看NAT表：

[root@szm ~]# iptables -L -n -t nat

Chain PREROUTING (policy ACCEPT)

target     prot opt source               destination

 

Chain POSTROUTING (policy ACCEPT)

target     prot opt source               destination

 

Chain OUTPUT (policy ACCEPT)

target     prot opt source               destination

 

 

 

 [root@szm ~]# iptables-save

# Generated by iptables-save v1.4.7 on Mon Mar 25 08:18:52 2013

*nat

:PREROUTING ACCEPT [69:5769]

:POSTROUTING ACCEPT [0:0]

:OUTPUT ACCEPT [0:0]

COMMIT

# Completed on Mon Mar 25 08:18:52 2013

# Generated by iptables-save v1.4.7 on Mon Mar 25 08:18:52 2013

*filter

:INPUT ACCEPT [0:0]

:FORWARD ACCEPT [0:0]

:OUTPUT ACCEPT [218:19174]

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT本机主动向外发出请求

-A INPUT -p icmp -j ACCEPT所有ICMP

-A INPUT -i lo -j ACCEPT所有本机进程数据通信

-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPTssh

-A INPUT -j REJECT --reject-with icmp-host-prohibited

-A FORWARD -j REJECT --reject-with icmp-host-prohibited

COMMIT

# Completed on Mon Mar 25 08:18:52 2013

-F:清除所有已制定规则  -X:除掉所有用户自定义的Tables  -Z:将所有的Chain的计数与流量统计都归零

 

 

 

[root@szm ~]# iptables -P INPUT DROP

[root@szm ~]# iptables -P OUTPUT ACCEPT

[root@szm ~]# iptables -P FORWARD ACCEPT

 

[root@szm ~]# iptables -t nat -P PREROUTING ACCEPT

[root@szm ~]# iptables -A INPUT -i lo -j ACCEPT

[root@szm ~]# iptables -A INPUT -i eth0 -j ACCEPT

[root@szm ~]# iptables -A INPUT -i eth0 -s 192.168.179.0/24 -j ACCEPT

[root@szm ~]# iptables -A INPUT -i eth0 -s 192.168.179.222 -j DROP

 

 [root@szm ~]# iptables-save

# Generated by iptables-save v1.4.7 on Mon Mar 25 14:15:07 2013

*filter

:INPUT ACCEPT [0:0]

:FORWARD ACCEPT [0:0]

:OUTPUT ACCEPT [31:2076]

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

-A INPUT -p icmp -j ACCEPT

-A INPUT -i lo -j ACCEPT

-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

-A INPUT -j REJECT --reject-with icmp-host-prohibited

-A INPUT -i lo -j ACCEPT

-A INPUT -i eth0 -j ACCEPT

-A INPUT -s 192.168.179.0/24 -i eth0 -j ACCEPT----规则设置有问题

-A INPUT -s 192.168.179.2/32 -i eth0 -j ACCEPT

-A INPUT -s 192.168.179.222/32 -i eth0 -j DROP

-A FORWARD -j REJECT --reject-with icmp-host-prohibited

COMMIT

# Completed on Mon Mar 25 14:15:07 2013

记内核记录日志：/etc/messages
[root@szm ~]# iptables -A INPUT -s 192.168.179.200 -j LOG

-A：增加 -I：插入 -i：Input -o：Output -p：协议 -s：源 -d：目的 -j：操作（ACCEPT，Drop，Reject，Log）

 

TCP、UDP规则：

[root@szm ~]# iptables -A INPUT -i eth0 -p tcp --dport 21 -j DROP

[root@szm ~]# iptables -A INPUT -i eth0 -p udp --dport 137:138 -j ACCEPT

[root@szm ~]# iptables -A INPUT -i eth0 -p tcp --dport 139 -j ACCEPT

[root@szm ~]# iptables -A INPUT -i eth0 -p tcp --dport 445 -j ACCEPT

 

[root@szm ~]# iptables -A INPUT -i eth0 -p tcp -s 192.168.179.44/24 --sport 1024:65534 --dport ssh -j DROP

注意要加上-p这个参数

 

 

[root@szm ~]# iptables -A INPUT -i eth0 -p tcp --sport 1:1023 --dport 1:1023 --syn -j DROP

状态检测包过滤： -m:state与mac模块 --state：INVALID（无效的数据包）,ESTABLISHED（已经连接成功），NEW（想要新建连接）,RELATED（与主机发送出去的数据包有关）

 

[root@szm ~]# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[root@szm ~]# iptables -A INPUT -m state --state INVALID -j DROP
[root@szm ~]# iptables -A INPUT -m mac --mac-source aa:bb:cc:dd:ee:ff -j ACCEPT

 

针对ICPM类型的Chain:

[root@szm ~]# cat /bin/iptable.icmp.sh

#!/bin/bash

icmp_type="0 3 4 11 12 14 16 18"

for typeicmp in $icmp_type

do

        iptables -A INPUT -i eth0 -p icmp --icmp-type $typeicmp -j ACCEPT

done

应用目前的设置规则：
[root@szm ~]# /etc/init.d/iptables save

 

 

iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]

IPv4内核管理功能：/proc/sys/net/ipv4/

资料：[root@szm ~]# yum install kernel-doc

这个防止Dos攻击的模块默认开启：
[root@szm ~]# cat /proc/sys/net/ipv4/tcp_syncookies

 

 

1

当启动SYN Cookie时，主机在改善SYN/ACK确认数据前，会要求Clinet端在短时间内回复一个序号，这个序号包含许多原SYN数据包内的信息，包括IP、port等。若Client端可以回复正确的序号，那么主机就确定该数据包为可信的，因此会发送SYN/ACK数据包，否则就不理会以此数据包。

 

 

[root@szm ~]# cat /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

1

[root@szm ~]# cat /proc/sys/net/ipv4/conf/eth0/rp_filter

1

逆向路由过滤，可以根据路由表来判断IP的来源是否可靠；

 

 

 

[root@szm ~]# cat /proc/sys/net/ipv4/conf/eth0/log_martians

0

记录不合法IP事件，建议为1

[root@szm ~]# cat /proc/sys/net/ipv4/conf/eth0/accept_source_route

0

来源路由；建议为0

[root@szm ~]# cat /proc/sys/net/ipv4/conf/eth0/accept_redirects

1

建议关闭0，ICMP重定向

[root@szm ~]# cat /proc/sys/net/ipv4/conf/eth0/send_redirects

1

建议关闭0

[root@szm ~]# /etc/init.d/iptables save 这条命令会写配置文件：/etc/sysconfig/iptables

 

开机启动脚本：

 

 

 

 

[root@szm ~]# cat /etc/rc.d/rc.local

#!/bin/sh

#

# This script will be executed *after* all the other init scripts.

# You can put your own initialization stuff in here if you don't

# want to do the full Sys V style init stuff.

 

touch /var/lock/subsys/local

 

=======================================================NAT

 

1.NAT tables 的PREROUTING（修改目标IP）DNAT－－－－－－DMZ，发布内部服务  2.是否进入本机，不是就下一步  3.Filter tables 的FORWARD  4.NAT tables的POSTROUTING（修改源IP）SNAT－－－－－NAT上网

SNAT配置：

如果外网接口取得IP的方式是拨号时，对于配置文件/etc/sysconfig/network和ifcfg-eth0,不要设置GateWay，否则会出现两个Default Gateway的情况。

 

[root@szm ~]# cat /proc/sys/net/ipv4/ip_forward

1

端口NAT： [root@szm ~]# iptables -t nat -A POSTROUTING -s $innet -o eth1 -j MASQUERADE IP伪装

 

静态NAT：[root@szm ~]# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 192.168.1.100

 

动态NAT：[root@szm ~]# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 192.168.1.100-192.168.1.200

DNAT配置：eth1为Public IP

 

[root@szm ~]# iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to-destination 192.168.179.10:80

高级设置：[root@szm ~]# iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-ports 8080