
developerWorks, 13.06.2006

LPI exam prep (LPIC-2): Topic 212



Routing and packet filtering

Packet filtering in Linux is provided by the kernel's "netfilter" framework. Its components can be compiled into the kernel or loaded as modules (for example, the iptables and iptables_filter.o modules). The current user-space tool for configuring netfilter is iptables; its predecessor in the 2.2 kernels was ipchains, and before that, in 2.0, ipfwadm. The 2.4 kernels still ship compatibility modules for ipchains and ipfwadm, but those modules conflict with the iptables modules, so the old and the new tool cannot be used at the same time, and new configurations should be written for iptables. All three tools address the same jobs (firewalling, NAT and related packet handling), but their rule semantics differ.
Under ipchains, the built-in chains INPUT and OUTPUT saw every packet, including packets merely being forwarded through the host, and a forwarded packet additionally passed through FORWARD. Under iptables, a packet addressed to the local host traverses only INPUT, a packet generated locally traverses only OUTPUT, and a packet routed through the host traverses only FORWARD. Rules written for ipchains therefore cannot be copied into iptables unchanged.

iptables (like ipchains before it) lets a Linux host act as an IP router and packet filter. Every packet is checked against a list of rules. Each rule names matching criteria (source or destination address, protocol, port, incoming or outgoing interface) and a target that says what to do with a packet that matches: ACCEPT, DROP, or a jump to another chain. Rules are tried in order and the first match decides; a packet that matches no rule in a chain is handled by the chain's default policy. The rules live in kernel memory, so they disappear at reboot unless a startup script restores them; iptables-save and iptables-restore exist for exactly that purpose.

Configuring routes

Static routes are managed with the route command. Run without arguments it displays the kernel routing table; routes are added and removed with route add and route del. On a network whose topology changes, maintaining routes by hand is impractical, so a routing daemon, routed or gated, keeps the table up to date by exchanging routing information with neighbouring routers. routed speaks only the Routing Information Protocol (RIP); gated is a more general daemon that also understands, among others:

Routing Information Protocol Next Generation (RIPng)
Exterior Gateway Protocol (EGP)
Border Gateway Protocol (BGP) and BGP4+
Defense Communications Network Local-Network Protocol (HELLO)
Open Shortest Path First (OSPF)
Intermediate System to Intermediate System (IS-IS)
Internet Control Message Protocol (ICMP and ICMPv6) Router Discovery

A typical routing table looks like this:
Listing 1. Displaying the routing table
% /sbin/route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
66.98.217.0     *               255.255.255.0   U     0      0        0 eth0
10.10.12.0      *               255.255.254.0   U     0      0        0 eth1
66.98.216.0     *               255.255.254.0   U     0      0        0 eth0
169.254.0.0     *               255.255.0.0     U     0      0        0 eth1
default         ev1s-66-98-216- 0.0.0.0         UG    0      0        0 eth0
This host has two interfaces. The networks 66.98.217/24 and 66.98.216/23 are reached directly through eth0; 10.10.12/23 and the link-local range 169.254/16 through eth1. Anything else goes to the default gateway, ev1s-66-98-2161.ev1servers.net (route truncates the name to fit its column; route -n suppresses name resolution and shows the address itself, 66.98.216.1). The U flag marks a route that is up, G one that goes through a gateway. When several routes match a destination, the kernel uses the one with the longest netmask, so 66.98.217.5 is matched by the /24 entry rather than by the /23 that also covers it.
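The lookup the kernel performs on a table like Listing 1 is a longest-prefix match. The shell function below, added here as an example and not code from the original article, performs that match over a constructed copy of Listing 1's routes; the default gateway is assumed to be 66.98.216.1, the address route -n shows for the truncated name.

```shell
#!/bin/sh
# Added example: longest-prefix-match lookup over a constructed copy of the
# routing table from Listing 1 (not code from the original article).
# route_lookup DEST prints "IFACE GATEWAY" for the route that would carry a
# packet to DEST, choosing the most specific (longest) matching netmask.

# Constructed table: destination netmask gateway iface ("*" = directly attached).
# The default route's gateway is assumed to be 66.98.216.1 (as route -n shows).
ROUTES='66.98.217.0 255.255.255.0 * eth0
10.10.12.0 255.255.254.0 * eth1
66.98.216.0 255.255.254.0 * eth0
169.254.0.0 255.255.0.0 * eth1
0.0.0.0 0.0.0.0 66.98.216.1 eth0'

route_lookup() {
    printf '%s\n' "$ROUTES" | awk -v dest="$1" '
        # Dotted quad to a 32-bit integer; awk doubles hold it exactly.
        function ip2int(s,  a) {
            split(s, a, ".")
            return ((a[1] * 256 + a[2]) * 256 + a[3]) * 256 + a[4]
        }
        BEGIN { d = ip2int(dest); best = -1 }
        {
            net = ip2int($1); mask = ip2int($2)
            # A contiguous mask covers blocks of 2^32 - mask addresses, so
            # "d - d % block == net" is the same test as "(d & mask) == net".
            block = 4294967296 - mask
            if (d - (d % block) == net && mask > best) {
                best = mask; iface = $4; gw = $3    # longer mask wins
            }
        }
        END {
            if (best >= 0) print iface, gw
            else { print "no route"; exit 1 }
        }'
}

# Usage (the second call shows the /24 winning over the covering /23):
#   route_lookup 10.10.13.1    -> eth1 *
#   route_lookup 66.98.217.5   -> eth0 *
#   route_lookup 203.0.113.9   -> eth0 66.98.216.1
```

The same arithmetic works for any contiguous netmask, which is why the function needs no bitwise operators that POSIX awk lacks.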
A static route to another network is added like this:
Listing 2. Adding a static route
% route add -net 192.168.2.0 netmask 255.255.255.0 gw 192.168.2.1 dev eth0

Static routes suit a small, stable network. Where routes must follow changes elsewhere in the network, run routed or gated instead and let the daemon update the kernel table. routed takes its initial configuration from /etc/gateways. gated, being far more capable, needs a correspondingly more detailed configuration, which it reads from /etc/gated.conf; the file states which protocols to speak, on which interfaces and with which peers. Run one daemon or the other, not both: each assumes it owns the routing table, and two daemons will overwrite each other's entries. Whichever you run, restrict the peers whose updates it accepts, because a host that believes any routing advertisement it hears can have its traffic redirected by anyone on the segment.

Configuring iptables

With iptables a Linux host controls which IP packets it accepts, emits or forwards, and can also rewrite them (see the section on NAT below).
Rules are grouped into chains. Three chains are built in: INPUT, OUTPUT and FORWARD. INPUT applies to packets addressed to the local host, whatever interface they arrive on. FORWARD applies to packets that arrive on one interface and leave on another; when the host acts as a router these are the only packets involved, and they never traverse INPUT or OUTPUT. OUTPUT applies to packets generated by local processes; it is the chain to use when you want to restrict what this host itself may send.
Each chain has a default policy, the target applied to a packet that matches none of the chain's rules. For INPUT on a host exposed to an untrusted network the policy should be DROP, so that everything not explicitly permitted is discarded, and the rules then list the exceptions.
The rule syntax has changed with each generation of the tool: an ipchains or ipfwadm rule cannot simply be rerun as an iptables rule. If you still operate old ipchains scripts, rewrite them for iptables rather than loading the compatibility module.
The simplest way to add a rule is to append it to a chain with -A. The target DROP discards the packet without any reply. For example, to stop pings (ICMP) from the local host itself, which is occasionally useful for testing:
Listing 3. Dropping ICMP from localhost
% iptables -A INPUT -s 127.0.0.1 -p icmp -j DROP

To remove a rule, repeat it with -D instead of -A; the rule deleted is the first one in the chain whose specification matches exactly:

Listing 4. Deleting a rule by specification
% iptables -D INPUT -s 127.0.0.1 -p icmp -j DROP

-D also accepts a rule number instead of a specification. Rules are numbered from 1 in the order they appear in the chain (iptables -L --line-numbers shows the numbers), so the same rule, if it is the first in INPUT, can be removed with:
Listing 5. Deleting a rule by number
% iptables -D INPUT 1


Rules can match on more than one criterion at once. A rule that names both a source and a destination network blocks traffic from one to the other:
Listing 6. Matching source and destination
% iptables -A INPUT -s 66.98.216.0/24 -d 64.41.64.0/24 -j DROP

Any packet from 66.98.216.* addressed to 64.41.64.* is now dropped. Networks are written in CIDR form, address/prefix-length (a dotted netmask after the slash is also accepted). Write the network address in full: a short form such as 66.98.216/24 is not a valid dotted quad, and iptables may then try to resolve it as a host name instead of reading it as 66.98.216.0.

A match can be negated with ! in front of the option, which turns a block list into an allow list:
Listing 7. Negating a source match
% iptables -A INPUT ! -s 66.98.216.0/24 -d 64.41.64.0/24 -j DROP

Now only packets from 66.98.216.* reach 64.41.64.*; packets from any other source are dropped. (Older iptables releases wrote the negation after the option, as -s ! 66.98.216.0/24; that form is deprecated and current releases warn about or reject it.)
Rules can also match on the interface a packet arrives on (-i eth0), on the protocol (-p tcp, -p udp, -p icmp) and, for TCP and UDP, on ports. The following rule drops incoming packets from TCP port 80, that is, web responses, unless they come from example.com, so the host 64.41.64.124 can fetch web pages only from that site:
Listing 8. Restricting web traffic by source
% iptables -A INPUT ! -s example.com -d 64.41.64.124 -p tcp --sport 80 -j DROP

A host name in a rule is resolved once, when the rule is loaded; one rule is installed for each address the name resolves to, and later DNS changes have no effect on the running ruleset, so prefer addresses in production rules.
iptables offers many more matching options than shown here, among them TCP flags, connection state and rate limits. The iptables man page documents them.

Besides the built-in chains you can create your own with -N and jump to them from other chains, which keeps long rulesets readable and lets several chains share one piece of logic. The targets seen so far are DROP and ACCEPT (let the packet through; no further rules in the chain are consulted). Two more are useful with user-defined chains: RETURN stops processing the current chain and continues in the calling chain after the rule that jumped, and QUEUE hands the packet to a user-space program for the decision (this needs the ip_queue kernel module and a program written against libipq, so it is rarely used outside special-purpose filters).
The "Linux 2.4 Packet Filtering HOWTO" gives this example of a user-defined chain. It assumes ppp0 is the interface towards the Internet:
Listing 9. A user-defined chain
# create the chain "block"
% iptables -N block
# packets belonging to an existing connection, or related to one, are fine
% iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
# new connections are fine unless they arrive from the outside (ppp0)
% iptables -A block -m state --state NEW ! -i ppp0 -j ACCEPT
# anything else is dropped
% iptables -A block -j DROP
# send packets arriving at INPUT and FORWARD through "block"
% iptables -A INPUT -j block
% iptables -A FORWARD -j block

The block chain accepts packets that belong to a connection already established (or related to one, such as an FTP data connection) and accepts new connections from any interface except ppp0; everything else is dropped. Because both INPUT and FORWARD jump to it, the same policy protects the host itself and the hosts it forwards for. The -m state match relies on connection tracking (the ip_conntrack module in 2.4 and early 2.6 kernels, nf_conntrack today); current iptables spells the same match -m conntrack --ctstate, and -m state remains as an alias.
Check the result with -L, which lists the rules of a chain; iptables -L block -v -n adds packet counters and keeps addresses numeric.
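Putting the pieces of this section together, the script below, added here as an example and not taken from the original article or the HOWTO, generates a default-deny INPUT ruleset from a small allowlist. The allowlist (protocol, port, permitted source) is constructed for the illustration, as is the LOGDROP chain name; the function prints the iptables commands rather than running them, so the result can be reviewed before it is piped to a root shell.

```shell
#!/bin/sh
# Added example (not from the original article): build a default-deny host
# firewall from an allowlist.  Each line of $SERVICES is "proto port source";
# the entries are constructed for this illustration.  gen_firewall prints the
# iptables commands instead of executing them, so the ruleset can be reviewed
# (or piped to sh as root) before it is applied.

SERVICES='tcp 22 192.0.2.0/24
tcp 80 0.0.0.0/0
tcp 443 0.0.0.0/0
udp 123 198.51.100.1'

gen_firewall() {
    # Default policies first: anything a later rule does not accept is dropped.
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"
    # Start from a clean slate (flush all chains, delete user-defined ones).
    echo "iptables -F"
    echo "iptables -X"
    # A user-defined chain that logs (rate-limited) and then drops.
    echo "iptables -N LOGDROP"
    echo "iptables -A LOGDROP -m limit --limit 5/min -j LOG --log-prefix 'fw-drop: '"
    echo "iptables -A LOGDROP -j DROP"
    # Loopback, replies to connections this host started, and junk.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -m state --state INVALID -j DROP"
    # One ACCEPT per allowlisted service; only NEW connections need it.
    printf '%s\n' "$SERVICES" | while read -r proto port src; do
        [ -z "$proto" ] && continue
        echo "iptables -A INPUT -p $proto --dport $port -s $src -m state --state NEW -j ACCEPT"
    done
    # Everything else goes to the logging chain and is dropped there.
    echo "iptables -A INPUT -j LOGDROP"
}

# Review:  gen_firewall
# Apply:   gen_firewall | sh        (as root)
```

Setting the policies before flushing means there is no moment during the reload when the host accepts everything; the price is that established sessions, including the SSH session you are applying the rules from, stall until the ESTABLISHED rule is back in place a fraction of a second later.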

Network address translation

Beyond accepting or dropping packets, iptables can rewrite them. Network address translation (NAT) is the most common use. With NAT a gateway hides a whole private network behind its own public address: when a machine on the LAN sends a packet out to the WAN, the gateway replaces the private source address with its own, remembers the mapping, and rewrites the destination of the reply back to the private address on the way in. Machines outside see only the gateway. This is done in the nat table, not the default filter table that the earlier rules used.
Hosts on the inside need no configuration beyond using the gateway as their default route; the rewriting is invisible to them. NAT is also a security measure in itself, since inside hosts are unreachable from outside unless a rule explicitly forwards traffic to them, but it is no substitute for filtering.
Masquerading, the form of source NAT for a gateway whose public address may change (a dial-up or DHCP link), takes three commands: the NAT module is loaded, a rule in the POSTROUTING chain of the nat table rewrites the source of everything that leaves through the external interface (eth0 here), and forwarding is switched on in the kernel:
Listing 10. Masquerading the internal network
% modprobe iptable_nat
# rewrite the source address of packets going out through eth0
% iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
% echo 1 > /proc/sys/net/ipv4/ip_forward
# forwarding is now on; make it persistent with net.ipv4.ip_forward = 1 in /etc/sysctl.conf

Masquerading is source NAT (SNAT). The reverse, destination NAT (DNAT), rewrites the destination of incoming packets, for instance to publish a web server that sits on a private address: packets arriving at the gateway on port 80 are sent on to the internal host. Source NAT rules go in the POSTROUTING chain of the nat table, which runs after the routing decision, when the outgoing interface is known; DNAT goes in PREROUTING, which runs before routing, so that the routing decision sees the rewritten destination. A DNAT rule only redirects the packets: the FORWARD chain must still permit them, and the internal host must route its replies back through the gateway.
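As an added example of the two NAT directions just described (not code from the original article), the function below generates the masquerading rule of Listing 10 together with the DNAT port-forwards and the FORWARD rules they need. The interface names, the LAN network and the forwarded services are constructed assumptions; like the firewall generator earlier, it prints the commands for review rather than running them.

```shell
#!/bin/sh
# Added example (not from the original article): NAT for a gateway with one
# WAN interface and one LAN.  Interface names, networks and the forwarded
# services below are constructed assumptions.  gen_nat prints the commands;
# pipe its output to sh as root to apply them.

WAN_IF=eth0
LAN_IF=eth1
LAN_NET=192.168.2.0/24
# Inbound port-forwards: "proto wanport lanhost:lanport"
FORWARDS='tcp 8080 192.168.2.10:80
tcp 2222 192.168.2.20:22'

gen_nat() {
    echo "modprobe iptable_nat"
    # Outbound (SNAT): rewrite LAN sources to the WAN address as packets leave.
    echo "iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE"
    # NAT only rewrites addresses; FORWARD must still let the traffic through.
    echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT"
    echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Inbound (DNAT): PREROUTING changes the destination before routing, so
    # the matching FORWARD rule must name the post-DNAT (LAN) address.
    printf '%s\n' "$FORWARDS" | while read -r proto wport target; do
        [ -z "$proto" ] && continue
        lanhost=${target%%:*}
        lanport=${target##*:}
        echo "iptables -t nat -A PREROUTING -i $WAN_IF -p $proto --dport $wport -j DNAT --to-destination $target"
        echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -p $proto -d $lanhost --dport $lanport -m state --state NEW -j ACCEPT"
    done
    # Turn forwarding on last, once the rules that constrain it are in place.
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
}

# Review:  gen_nat
# Apply:   gen_nat | sh        (as root)
```

The order matters on a live gateway: enabling ip_forward before the FORWARD rules exist, with a FORWARD policy of ACCEPT, would briefly make the box an open router.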

Securing FTP servers

Every Linux distribution ships at least one FTP server, and FTP is still widely used for distributing files. Its design is old, though: it sends user names, passwords and data in clear text, and it opens separate data connections, which complicate firewalling. Before setting up an FTP server, consider whether you need one at all.
The FTP server most often installed today is vsftpd (Very Secure FTP daemon). ProFTPD is another common choice; wu-ftpd and ncftpd are older servers you may still meet. If you only need to move files between machines on which you have accounts, skip FTP and use scp (secure copy), which runs over SSH and is used much like cp.
vsftpd is configured through /etc/vsftpd.conf, one option per line in the form option=value. The settings that matter most for security concern anonymous access and the chroot jail (the server confines users to their home directories, or anonymous users to a single tree, and should be kept that way). The most important ones:

anonymous_enable: whether anonymous logins (user "anonymous" or "ftp") are accepted at all. The upstream default is YES; set it to NO unless you are running a public archive.
anon_mkdir_write_enable: whether anonymous users may create directories. Takes effect only if write_enable is also YES.
anon_upload_enable: whether anonymous users may upload files. Also requires write_enable=YES.
anon_world_readable_only: when YES (the default), anonymous users may download only world-readable files. This keeps a file uploaded by one anonymous user from being fetched by another, which is what turns a public FTP server into a drop site.
chroot_list_enable: enables a list of local users (by default /etc/vsftpd.chroot_list) who are confined to a chroot jail in their home directory; with chroot_local_user=YES the meaning inverts and the listed users are the ones exempted. A user who is not chrooted can browse everything the account can read on the file system.
ssl_enable: enables SSL/TLS on the control and data connections, so passwords and data are no longer sent in the clear. It needs a certificate (rsa_cert_file) and a vsftpd built with OpenSSL support.

The vsftpd.conf man page documents every option. Review each setting against the server's purpose: the safest configuration allows anonymous downloads only, or no anonymous access at all, with local users chrooted and SSL enabled.

Secure shell (SSH)

Nearly every Linux installation today includes a secure shell (SSH) client and server, almost always OpenSSH, the free implementation that has become the standard one. SSH gives you a remote login session whose traffic is encrypted end to end, where telnet and rlogin send everything, passwords included, in clear text; the same connection can carry file copies (scp, sftp) and forwarded TCP ports.
A session is protected in two ways. The client verifies the server's identity from a host key, so a connection cannot be silently redirected to an impostor (the client warns loudly when a known host's key changes), and the stream is encrypted and integrity-protected with session keys negotiated at connection time, so nobody in between can read or alter it. The user is authenticated by password or, better, by a key pair: the private key stays on the client, the public key is installed on the server, and the server challenges the client to prove possession of the private key. A key without a passphrase is convenient for unattended jobs, but anyone who copies the file then has the access it grants, so keep such keys readable only by their owner and restrict what they may do on the server (the command= and from= options in authorized_keys exist for this).
SSH exists in two protocol versions, 1 and 2. Version 2 is a redesign that fixed weaknesses of version 1, and the client tries it first. Version 1 should be disabled entirely (Protocol 2 on both sides), and current OpenSSH releases have dropped it altogether (the server in 7.0, the client in 7.6); it is described here because old servers still run it.
Version 1 authenticates users with RSA only. ssh-keygen writes the private key to $HOME/.ssh/identity and the public key to $HOME/.ssh/identity.pub; the contents of identity.pub are appended to $HOME/.ssh/authorized_keys on each server the user wants to reach. Version 1 also has protocol-level flaws: its integrity check is a plain CRC-32, which an attacker who can inject data into the stream can satisfy, and that is one of the reasons version 2 was designed.
Version 2 supports RSA and DSA keys (and, in current releases, ECDSA and Ed25519), stored in $HOME/.ssh/id_rsa, $HOME/.ssh/id_dsa and so on, with the public half in the matching .pub file; authorized_keys on the server again lists the public keys allowed to log in. Version 2 negotiates the symmetric cipher and the integrity algorithm separately: AES, 3DES, Blowfish and CAST128 for encryption, HMAC-MD5 and HMAC-SHA1 for integrity, among others, and newer releases add stronger choices. DSA keys are limited to 1024 bits and have been disabled by default since OpenSSH 7.0; for new keys use Ed25519 or RSA of at least 2048 bits.
Client behaviour is configured in /etc/ssh/ssh_config for the whole system, can be overridden per user in $HOME/.ssh/config, and per invocation with -o option=value. The -X and -x flags enable and disable X11 forwarding: with -X, X11 applications started in the remote session open their windows on the local display, and the X11 traffic travels inside the encrypted SSH connection instead of over an open X port. Forward X11 only to servers you trust, because the remote side then has full access to your display (see ForwardX11Trusted in ssh_config(5)). scp uses the same connection setup, the same keys and the same configuration as ssh.
The session below shows X11 forwarding: gedit is not installed on the local machine, but after an SSH login with -X it runs on the remote host and appears on the local screen (the greeting is the remote host's message of the day):
Listing 11. Running a remote X11 application through SSH
$ which gedit          # prints nothing: gedit is not installed locally
$ ssh -X dqm@192.168.2.2
Password:
Linux averatec 2.6.10-5-386 #1 Mon Oct 10 11:15:41 UTC 2005 i686 GNU/Linux
No mail.
Last login: Thu Feb 23 03:51:15 2006 from 192.168.2.101
dqm@averatec:~$ gedit &


Configuring the SSH server

The server, sshd, is part of OpenSSH and on most distributions is started at boot by an init script; for ordinary use it needs no attention beyond its configuration file. Its behaviour is controlled by /etc/ssh/sshd_config, and changes take effect when the daemon is restarted or sent SIGHUP.
sshd can also be restricted with TCP wrappers (see below): if it is linked with libwrap it honours /etc/hosts.allow and /etc/hosts.deny under the service name sshd, in addition to whatever iptables allows. Upstream OpenSSH removed libwrap support in 6.7, so on a current system check first (ldd $(which sshd) | grep libwrap) and otherwise use iptables or Match blocks in sshd_config for address-based restrictions.
The host keys that identify the server live in /etc/ssh: ssh_host_key for protocol 1, ssh_host_dsa_key and ssh_host_rsa_key for protocol 2 (newer releases add ssh_host_ecdsa_key and ssh_host_ed25519_key), each with its public half in a .pub file such as /etc/ssh/ssh_host_dsa_key.pub. They are generated with ssh-keygen, normally once by the package's post-install script. If you clone a machine image, regenerate them, so that two hosts do not share a key. The sshd and ssh-keygen man pages describe the details.
/etc/ssh/sshd_config takes one keyword and value per line, and the first occurrence of a keyword wins. The settings most relevant to security:

AllowTcpForwarding: whether clients may forward TCP ports through the server (see the next section). The default is yes. Set it to no for accounts that only need a shell, remembering that a user with shell access can forward traffic with other tools anyway.
Ciphers: the symmetric ciphers the server offers for protocol 2, in order of preference. Drop weak or obsolete entries such as arcfour and 3des-cbc from the list.
AllowUsers and AllowGroups: if present, only the listed users or groups may log in (AllowUsers also accepts user@host patterns).
DenyUsers and DenyGroups: the listed users or groups are refused. The deny lists are evaluated before the allow lists, so a user in both is denied.
PermitRootLogin: whether root may log in over SSH directly. Set it to no and have administrators log in as themselves and use su or sudo, so that every root session is attributable; without-password (prohibit-password in current releases) allows key-based root logins only.
Protocol: which protocol versions the server accepts. 2 is the only safe setting; 2,1 was a common transitional value and must be retired (current releases ignore the keyword, having dropped version 1).
TCPKeepAlive: whether the server sends TCP keepalives to detect a client that has gone away, so dead sessions are cleaned up. TCP keepalives travel outside the encrypted channel and can be spoofed, which lets an attacker keep a session alive or tear it down but not hijack it; ClientAliveInterval sends the probe inside the encrypted channel instead.
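The settings singled out for vsftpd.conf above and for sshd_config here are the ones to check first on any server. The shell below, added here as an example and not code from the original article, audits both files with one small reader. The two configuration texts are constructed samples that deliberately carry weak settings; the reader returns the first occurrence of a keyword, which is sshd's own rule, and the names of the audit functions and of the findings are the author's choices.

```shell
#!/bin/sh
# Added example (not from the original article): audit the security-relevant
# settings of vsftpd.conf and sshd_config.  Both texts below are constructed
# samples with deliberately weak settings.

VSFTPD_CONF='# constructed sample vsftpd.conf
anonymous_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=NO
local_enable=YES
ssl_enable=NO'

SSHD_CONF='# constructed sample sshd_config
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
AllowTcpForwarding yes
X11Forwarding yes'

# cfg_get CONFIG KEY: print the value of KEY (key match is case-insensitive,
# first occurrence wins as in sshd, comments and blank lines are skipped,
# both "key=value" and "key value" are accepted); prints nothing if absent.
cfg_get() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { sub(/^[ \t]+/, ""); split($0, kv, /[= \t]+/) }
        tolower(kv[1]) == tolower(key) { print kv[2]; exit }'
}

# audit_vsftpd CONFIG: print one finding per line; exit status = number of findings.
audit_vsftpd() {
    n=0
    [ "$(cfg_get "$1" anonymous_enable)" = "YES" ] && { echo "anonymous logins enabled"; n=$((n+1)); }
    [ "$(cfg_get "$1" anon_upload_enable)" = "YES" ] && { echo "anonymous uploads enabled"; n=$((n+1)); }
    [ "$(cfg_get "$1" anon_mkdir_write_enable)" = "YES" ] && { echo "anonymous mkdir enabled"; n=$((n+1)); }
    [ "$(cfg_get "$1" ssl_enable)" = "YES" ] || { echo "ssl_enable is not YES: passwords travel in clear text"; n=$((n+1)); }
    return $n
}

# audit_sshd CONFIG: same contract for sshd_config.
audit_sshd() {
    n=0
    case "$(cfg_get "$1" Protocol)" in
        *1*) echo "Protocol 1 permitted"; n=$((n+1)) ;;
    esac
    [ "$(cfg_get "$1" PermitRootLogin)" = "no" ] || { echo "PermitRootLogin is not 'no'"; n=$((n+1)); }
    [ "$(cfg_get "$1" PasswordAuthentication)" = "no" ] || { echo "password authentication enabled (keys only is safer)"; n=$((n+1)); }
    [ "$(cfg_get "$1" AllowTcpForwarding)" = "no" ] || { echo "TCP forwarding enabled"; n=$((n+1)); }
    return $n
}

# Usage against the real files:
#   audit_vsftpd "$(cat /etc/vsftpd.conf)" ; audit_sshd "$(cat /etc/ssh/sshd_config)"
```

An absent keyword is treated as its default: an sshd_config without PermitRootLogin is flagged because the historical default was yes, and a vsftpd.conf without ssl_enable is flagged because the default is NO.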

SSH port forwarding

OpenSSH can carry other TCP connections inside an SSH session, which makes it easy to protect legacy, unencrypted protocols. sshd accepts the session on the server; on the client, ssh -L opens a local listening port and relays everything that connects to it, through the encrypted session, to a host and port chosen on the server side. From the legacy application's point of view it is talking to localhost, but on the wire the traffic is inside SSH. Here telnet, which is clear text on the network, is tunnelled:
Listing 12. Tunnelling telnet through SSH
% ssh -2 -N -f -L 5023:localhost:23 user@foo.example.com
% telnet localhost 5023

Because the host in the -L specification is resolved on the server, localhost here means foo.example.com itself: the telnet connection leaves the SSH server and enters its telnet daemon over the loopback interface, never crossing the network in the clear. The same technique protects POP3, HTTP, SMTP, FTP (the control connection only; its data connections use other ports), X11 and other TCP services. The tunnel ends at the SSH server, so a service on a third host is protected only between the client and that server. Each forwarded port is a listening socket on the client; by default it is bound to the loopback interface so that only local processes can use it (the -g option, or GatewayPorts, opens it to other hosts, which is rarely what you want).
The options used:

-2: use protocol version 2 only (the default in current releases, which no longer have version 1).
-N: run no remote command or shell; the session exists only to carry the tunnel.
-f: go to the background after authentication, once the forwarding is in place.
-L localport:remotehost:remoteport: listen on localport locally and forward each connection to remotehost:remoteport as seen from the server.

TCP wrappers

TCP wrappers is a facility that controls, by client address, which hosts may connect to network services started through inetd (or to any daemon linked with the libwrap library). The control program is tcpd: inetd runs tcpd instead of the real service, tcpd checks the connection against /etc/hosts.allow and /etc/hosts.deny, logs it through syslog, and only then executes the actual server program. Services that neither go through inetd nor are linked with libwrap are not covered; iptables remains the general tool, and TCP wrappers complements it with per-service, per-client control and a log entry for every connection.
TCP wrappers was written for services such as SYSTAT, FINGER, FTP, TELNET, RLOGIN, RSH, EXEC, TFTP and TALK, which every Unix system of the time started from inetd. It adds no functionality of its own and does not change the services: for a permitted client a wrapped service behaves exactly as before. Enabling it is a matter of inserting tcpd into the service's line in /etc/inetd.conf. For example:

tftp dgram udp wait root /usr/etc/tcpd in.tftpd -s /tftpboot

Here inetd runs tcpd for each tftp request; tcpd applies the access rules and, if the client is permitted, starts in.tftpd with the given arguments (the path to tcpd varies by distribution; /usr/sbin/tcpd is the usual location today). Access rules take the form "daemon: client list". hosts.allow is consulted first and a match grants access; then hosts.deny, where a match refuses it; a client matched by neither file is allowed, so a deny-by-default policy needs ALL: ALL in hosts.deny. tcpdmatch, shipped with the package, predicts what the rules will do for a given service and client and is the quickest way to check them.
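A deny-by-default pair of files, added here as an example and not taken from the original article, with constructed addresses and service names:

```text
# /etc/hosts.deny  (constructed example): refuse everything not allowed below
ALL: ALL

# /etc/hosts.allow (constructed example): explicit exceptions, one service per line
sshd:     192.0.2.0/255.255.255.0, 203.0.113.10
in.tftpd: 192.0.2.
ALL:      127.0.0.1
```

A trailing dot in a client pattern (192.0.2.) matches a whole class-C style prefix; the network/netmask form is the precise alternative. Before relying on the files, test them from a shell: tcpdmatch sshd 192.0.2.10 should report access granted and tcpdmatch sshd 198.51.100.7 access denied, and tcpdchk lists syntax errors and references to daemons that inetd does not know.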


Keeping up with security information

Security is not a configuration you finish once. New vulnerabilities in the software on your systems are published every week, and patches have to be applied as they appear, so an administrator responsible for security should follow a small number of information sources regularly. Useful web sites and lists include:

Security Focus news: The Security Focus web site publishes news and analysis of current vulnerabilities and attacks and hosts a searchable vulnerability database, which is a good first stop when you need to know whether a package you run is affected by a reported problem.

The Bugtraq mailing list: A high-volume, moderated list, hosted by Security Focus, on which new vulnerabilities are disclosed and discussed, often with exploit details. It covers every platform, so expect to filter; act on the postings that concern the software you run.

CERT Coordination Center: Carnegie Mellon University's CERT/CC collects vulnerability reports and incident information and publishes advisories and vulnerability notes. Its coverage overlaps with Security Focus, but the advisories are vetted and conservative, which makes them a reliable source for the problems that really matter, at the cost of being less timely than a mailing list.

Computer Incident Advisory Capability: CIAC was the incident response and advisory service of the US Department of Energy. Its bulletins were written for administrators and complemented CERT's advisories; the service has since been discontinued and its site is no longer maintained.

Beyond reading advisories, several tools help you find out that something has already gone wrong on a system:

Open Source Tripwire: A file integrity checker. It records a baseline of cryptographic checksums and attributes for the files you choose and reports every change at the next run, which reveals modified binaries, altered configuration files and rootkits. The baseline must be kept where an intruder cannot alter it (read-only media or another host), or a capable intruder will simply update it.
scanlogd: A small daemon that detects and logs TCP port scans against the host, giving early warning that someone is probing it.
Snort: A network intrusion detection system. It captures traffic and matches it against a large, regularly updated rule set of attack signatures, logging or alerting on matches; it can run on the host it protects or on a dedicated sensor watching a whole network segment.