." ." " " " " " " 1. " FORWARD, IP ( 2. " 3. " )" FTP" " , , IP , MAILIPIP( FORWARD" IP ( ) " " " )" " , " "
.
"
, iptables-restore /usr/local/
"
.
/usr/local/iptables-restore/
/sbin/iptables-restore /usr/local/iptables-restore/demo demo (demo), ( ( , ) eth1) " IP ( , demo 1. iptables -F iptables -t nat -F 2. demo: : : , FORWARD ) ( " eth0) IP
"
, / :
"
1 2 3 mangle PREROUTING
( . .
nat
( . ., -
FORWARD.
( . ., ).
. --
, . . mangle ,
1 2 3 mangle PREROUTING
( . . (
) , eth0) , TOS ..
nat
. 8 mangle POSTROUTING
. 9 nat POSTROUTING Source Network Address Translation. . (Masquerading). 10 eth1). 11 , 1. 2. 3. (FORWARD). , ( ( ) , ) (INPUT). (OUTPUT). ( LAN). . ( ,
1. " "(
10.10.10.10) 1. " , "
, filter):
(eth0, IP (eth1, IP 101.101.101.101) .
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j LOG --log-level 7 --log-tcpoptions -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j REJECT --reject-with icmp-portunreachable -A FORWARD -o eth0 -p tcp -j DROP . . .FORWARD , ( " "). . eth0 . . ( )
2. (
, ):
-A INPUT -i eth0 -p tcp --dport 25 -j ACCEPT -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j LOG --log-level 7 --log-tcpoptions -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j REJECT --reject-with icmp-portunreachable -A FORWARD -o eth0 -p tcp -j DROP , 110 , : -A INPUT -i eth0 -p tcp --dport 110 -j ACCEPT -A INPUT -i eth0 -p tcp --dport 25 -j ACCEPT -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j LOG --log-level 7 --log-tcpoptions -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j REJECT --reject-with icmp-portunreachable -A FORWARD -o eth0 -p tcp -j DROP , IP ( 100.100.100.110, : 110 110 110 ) . IP , IP , . .( ) ,
-A INPUT -s 100.100.100.110 -i eth0 -p tcp --dport 110 -j ACCEPT -A INPUT -i eth0 -p tcp --dport 25 -j ACCEPT -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j LOG --log-level 7 --log-tcpoptions -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j REJECT --reject-with icmp-portunreachable -A FORWARD -o eth0 -p tcp -j DROP , IP, 88.88.88.88, :
-A INPUT -s 88.88.88.88 -i eth0 -p tcp --dport 110 -j ACCEPT -A INPUT -s 100.100.100.110 -i eth0 -p tcp --dport 110 -j ACCEPT -A INPUT -i eth0 -p tcp --dport 25 -j ACCEPT -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j LOG --log-level 7 --log-tcpoptions -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j REJECT --reject-with icmp-portunreachable -A FORWARD -o eth0 -p tcp -j DROP , 88.88.88.255, : IP , 88.88.88.0
-A INPUT -s 88.88.88.0/24 -i eth0 -p tcp --dport 110 -j ACCEPT -A INPUT -s 100.100.100.110 -i eth0 -p tcp --dport 110 -j ACCEPT -A INPUT -i eth0 -p tcp --dport 25 -j ACCEPT -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j LOG --log-level 7 --log-tcpoptions -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j REJECT --reject-with icmp-portunreachable -A FORWARD -o eth0 -p tcp -j DROP , 88.88.88.255, IP : , 88.88.88.0
-A INPUT ! -s 88.88.88.0/24 -i eth0 -p tcp --dport 110 -j ACCEPT -A INPUT -s 100.100.100.110 -i eth0 -p tcp --dport 110 -j ACCEPT -A INPUT -i eth0 -p tcp --dport 25 -j ACCEPT -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j LOG --log-level 7 --log-tcpoptions -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j REJECT --reject-with icmp-portunreachable -A FORWARD -o eth0 -p tcp -j DROP (the negation is written "! -s" before the option; the older "-s !" form is rejected by current iptables) . , : -A INPUT -i eth0 -p tcp --dport <port> -j ACCEPT
( input)
. :
# Log every new inbound TCP connection attempt on the external interface
# (SYN set, FIN and ACK clear) at debug level, TCP options included ...
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j LOG --log-level 7 --log-tcpoptions
# ... then refuse it with an ICMP port-unreachable. iptables(8) documents the reject
# type as "icmp-port-unreachable"; verify the spelling used here is accepted by your version.
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j REJECT --reject-with icmp-portunreachable
3. (
, ( IP , . ), . .
).
(eth1) eth1 eth0. eth0 c IP
IP NAT.
10.10.10.10, :
-A POSTROUTING -o eth0 -j SNAT --to-source 10.10.10.10 : *nat -A POSTROUTING -o eth0 -j SNAT --to-source 10.10.10.10 COMMIT *filter -A INPUT -s 88.88.88.88 -i eth0 -p tcp --dport 110 -j ACCEPT -A INPUT -s 100.100.100.110 -i eth0 -p tcp --dport 110 -j ACCEPT -A INPUT -i eth0 -p tcp --dport 25 -j ACCEPT -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j LOG --log-level 7 --log-tcpoptions -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j REJECT --reject-with icmp-portunreachable -A FORWARD -o eth0 -p tcp -j DROP COMMIT IP (-A FORWARD -o eth0 -p tcp -j DROP), , . . . "
FORWARD FORWARD"
POSTROUTING-
eth0
IP
, .( ) ( PPPoE),
4.
FORWARD ,
FORWARD
( . :
filter
), . .
),
eth0
tcp.
-A FORWARD -o eth0 -p tcp -j DROP , 88.88.88.0/24 -A FORWARD ! -d 88.88.88.0/24 -o eth0 -p tcp -j DROP (negation goes before the option, "! -d"; "-p tcp" must appear only once per rule, iptables rejects a duplicate "-p") : -A FORWARD -m iprange --src-range 88.88.88.5-88.88.88.124 -j ACCEPT -A FORWARD -m iprange --dst-range 10.0.0.0-10.255.255.255 -j ACCEPT , -d 88.88.88.0/24 ! -d
1. IP
, : 168.192.1.0/24 eth1 168.192.1.2-168.192.1.254) IP (note: 168.192.1.0/24 is not an RFC 1918 private range — the private block is 192.168.1.0/24; the address appears transposed throughout this example, so replace it with a real private range before using these rules)
IP
168.192.1.1-168.192.1.254,
( IP 168.192.1.1 ,
IP 255.255.255.0 IP 168.192.1.1
168.192.1.2-168.192.1.254 DNS IP DNS eth0 ppp0, ppp). 1. : -A FORWARD -s 168.192.1.0/24 -i eth1 -j ACCEPT -A FORWARD -d 168.192.1.0/24 -o eth1 -j ACCEPT -A FORWARD -o eth0 -p tcp -j DROP -A FORWARD -o eth1 -p tcp -j DROP 2. : (80 TCP) : : ( eth0
TCP/IP 255.255.255.0, . ),
ppp0 (
ppp+,
# Step 2: let the LAN (eth1) open HTTP connections to the outside.
-A FORWARD -s 168.192.1.0/24 -p tcp -m tcp --dport 80 -i eth1 -j ACCEPT
# Return traffic is recognised only by its source port. NOTE(review): any external
# host that sends from source port 80 matches this rule and reaches the LAN;
# "-m state --state ESTABLISHED,RELATED" is the usual way to admit replies only.
-A FORWARD -d 168.192.1.0/24 -p tcp -m tcp --sport 80 -o eth1 -j ACCEPT
# Any other TCP leaving through the external interface is dropped.
-A FORWARD -o eth0 -p tcp -j DROP
-A FORWARD -o eth1 -p tcp -j DROP 3. : -A FORWARD -s 168.192.1.0/24 -p tcp -m multiport --dports 20,21,25,110 -i eth1 -j ACCEPT -A FORWARD -d 168.192.1.0/24 -p tcp -m multiport --sports 20,21,25,110 -o eth1 -j ACCEPT -A FORWARD -o eth0 -p tcp -j DROP -A FORWARD -o eth1 -p tcp -j DROP 4. : IPTABLES: TCP , :
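*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Hide the LAN behind the (possibly dynamic) address of the external interface.
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Log, then refuse, every new inbound TCP connection attempt on the external
# interface (SYN set, FIN and ACK clear). "icmp-port-unreachable" is the reject
# type as documented in iptables(8).
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j LOG --log-level 7 --log-tcpoptions
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j REJECT --reject-with icmp-port-unreachable
# Drop packets conntrack cannot classify BEFORE any ACCEPT rule, otherwise an
# INVALID packet that happens to match an ACCEPT below is let through.
# Negation is written "! -p icmp"; the older "-p !icmp" is rejected by current iptables.
-A FORWARD -s 168.192.1.0/24 ! -p icmp -m state --state INVALID -i eth1 -j DROP
-A FORWARD -d 168.192.1.0/24 ! -p icmp -m state --state INVALID -o eth1 -j DROP
# Replies to connections the LAN opened, plus helper-tracked related flows.
# Admitting return traffic by source port alone (--sport 53 / 80 / ...) lets any
# external host reach the LAN simply by choosing that source port; conntrack
# state does not have that hole. Active-mode FTP data connections (server port 20
# to the client) are RELATED only while the FTP conntrack helper module is loaded.
-A FORWARD -d 168.192.1.0/24 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
# ICMP is passed in both directions, as in the original policy.
-A FORWARD -s 168.192.1.0/24 -p icmp -i eth1 -j ACCEPT
-A FORWARD -d 168.192.1.0/24 -p icmp -o eth1 -j ACCEPT
# What the LAN may open outbound: DNS and a fixed list of TCP services.
-A FORWARD -s 168.192.1.0/24 -p udp -m udp --dport 53 -i eth1 -j ACCEPT
-A FORWARD -s 168.192.1.0/24 -p tcp -m multiport --dports 20,21,25,80,110,8080 -i eth1 -j ACCEPT
# Everything else crossing the router in either direction is dropped.
-A FORWARD -o eth0 -j DROP
-A FORWARD -o eth1 -j DROP
COMMIT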
IP UDP 53
(168.192.1.1-168.192.1.254) icmp )
2"
(eth1) . , :
FTP(eth0) ,
":
, ICQ, IRC
FTP. . FTP. " , . FTP ( , . . , , , . RELATED, . . , , , FTP-Data) IP . , . . 20 . FTP FTP" (FTP control session). ,
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -i eth0 -p tcp --dport 21 -j ACCEPT 1. *filter -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -i eth0 -p tcp --dport 21 -j ACCEPT 21 " ":
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j LOG --log-level 7 --log-tcpoptions -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j REJECT --reject-with icmp-portunreachable -A FORWARD -o eth0 -p tcp -j DROP COMMIT 2. *filter -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -i eth0 -p tcp --dport 21 -j ACCEPT -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j REJECT -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j LOG --log-level 7 --log-tcpoptions -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j REJECT --reject-with icmp-portunreachable -A FORWARD -o eth0 -p tcp -j DROP COMMIT , filter): *mangle :PREROUTING ACCEPT [0:0] :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] :outtos - [0:0] :pretos - [0:0] -A PREROUTING -j pretos -A OUTPUT -j outtos mangle ( mangle , :
-A outtos -p tcp -m tcp --dport 22 -j TOS --set-tos 0x10 -A outtos -p tcp -m tcp --sport 22 -j TOS --set-tos 0x10 -A outtos -p tcp -m tcp --dport 21 -j TOS --set-tos 0x10 -A outtos -p tcp -m tcp --sport 21 -j TOS --set-tos 0x10 -A outtos -p tcp -m tcp --sport 20 -j TOS --set-tos 0x08 -A outtos -p tcp -m tcp --dport 20 -j TOS --set-tos 0x08 -A pretos -p tcp -m tcp --dport 22 -j TOS --set-tos 0x10 -A pretos -p tcp -m tcp --sport 22 -j TOS --set-tos 0x10 -A pretos -p tcp -m tcp --dport 21 -j TOS --set-tos 0x10 -A pretos -p tcp -m tcp --sport 21 -j TOS --set-tos 0x10 -A pretos -p tcp -m tcp --sport 20 -j TOS --set-tos 0x08 -A pretos -p tcp -m tcp --dport 20 -j TOS --set-tos 0x08 COMMIT . . *mangle :PREROUTING ACCEPT [0:0] :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] :outtos - [0:0] :pretos - [0:0] -A PREROUTING -j pretos -A OUTPUT -j outtos -A outtos -p tcp -m tcp --dport 22 -j TOS --set-tos 0x10 -A outtos -p tcp -m tcp --sport 22 -j TOS --set-tos 0x10 -A outtos -p tcp -m tcp --dport 21 -j TOS --set-tos 0x10 iptables FTP:
-A outtos -p tcp -m tcp --sport 21 -j TOS --set-tos 0x10 -A outtos -p tcp -m tcp --sport 20 -j TOS --set-tos 0x08 -A outtos -p tcp -m tcp --dport 20 -j TOS --set-tos 0x08 -A pretos -p tcp -m tcp --dport 22 -j TOS --set-tos 0x10 -A pretos -p tcp -m tcp --sport 22 -j TOS --set-tos 0x10 -A pretos -p tcp -m tcp --dport 21 -j TOS --set-tos 0x10 -A pretos -p tcp -m tcp --sport 21 -j TOS --set-tos 0x10 -A pretos -p tcp -m tcp --sport 20 -j TOS --set-tos 0x08 -A pretos -p tcp -m tcp --dport 20 -j TOS --set-tos 0x08 COMMIT *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -i eth0 -p tcp --dport 21 -j ACCEPT -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j LOG --log-level 7 --log-tcpoptions -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,ACK SYN -j REJECT --reject-with icmp-portunreachable -A FORWARD -o eth0 -p tcp -j DROP COMMIT
3"
, 80 *nat 8080:
"
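# Redirect inbound HTTP for 10.1.0.20 to the service listening on 8080.
# DNAT is done in nat/PREROUTING, i.e. before the routing decision, so the
# rewritten destination is what FORWARD/INPUT then see. The target flag is
# lower-case "-j"; "-J" is not an iptables option.
-I PREROUTING -d 10.1.0.20 -p tcp --dport 80 -j DNAT --to-destination 10.1.0.20:8080
# NOTE(review): conntrack already reverse-translates the replies of a DNAT'd
# connection, so this SNAT is not required for the redirect above. As written it
# also restricts the source port of every TCP connection leaving 10.1.0.20 via eth0
# to 8080 ("--to-source addr:port" is a one-port range) — confirm that is intended
# before keeping it.
-I POSTROUTING -s 10.1.0.20 -o eth0 -p tcp -j SNAT --to-source 10.1.0.20:8080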
COMMIT 10.1.0.20 ipweb. . *nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128 , ... ( 6.11.2006)