Unix Report - Group 10 - Firewall - Iptables


Special Topic S1

Supervisor (GVHD): Nguyen Thi Thanh Van

TABLE OF CONTENTS

Part I: OVERVIEW OF FIREWALLS (p. 3)
  I. Introduction to Firewalls (p. 3)
    1. What is a firewall? (p. 3)
    2. Types of firewall (p. 3)
    3. Firewall structure (p. 4)
    4. Functions of a firewall (p. 7)
  II. Operating principle (p. 8)
  III. Advantages of firewalls (p. 8)
  IV. Disadvantages (p. 8)
  V. Some firewall products (p. 9)
Part II: IPTABLES (p. 9)
  I. Introduction to Iptables (p. 9)
  II. Installing Iptables (p. 10)
  III. Packet processing in Iptables (p. 13)
    1. Mangle table (p. 13)
    2. Filter queue (p. 13)
    3. NAT queue (p. 13)
  IV. Targets and Jumps (p. 14)
    1. Jumps (p. 14)
    2. Targets (p. 14)
  V. Some Iptables commands (p. 15)
    1. Common commands (p. 15)
    2. Common protocol matches (p. 16)
    3. Common extended match conditions (p. 16)
    4. Some examples (p. 17)
  VI. Iptables scripts (p. 18)
    1. Saving the Iptables script (p. 18)
    2. Backing up and restoring the script (p. 18)
Part III: Configuring some functions of IPTABLES (p. 19)
  I. Network model (p. 19)
  II. Basic Iptables setup (p. 20)

Group 10 Page 1


    1. Checking whether the Iptables service is installed (p. 20)
    2. Starting Iptables (p. 20)
    3. Viewing the status of Iptables (p. 21)
    4. Viewing the Iptables configuration file (p. 22)
    5. Saving Iptables (p. 23)
    6. Starting the iptables service at system boot (p. 23)
  III. Filter configuration (p. 23)
    1. Ping (p. 23)
    2. SSH: port 22 (p. 26)
    3. Telnet: port 23 (p. 28)
    4. HTTP: port 80 (p. 30)
  IV. NAT configuration (p. 33)
    1. NAT In (p. 33)
    2. NAT Out (p. 37)


Part I: OVERVIEW OF FIREWALLS

I. Introduction to Firewalls

1. What is a firewall?

The term "firewall" originates from a construction technique designed to stop or limit the spread of fire. In computing, a firewall is a mechanism built into a system to resist unauthorized access, protecting internal information resources and limiting unwanted intrusion into the system. A firewall can be described as a defensive perimeter with checkpoints that control every inbound and outbound traffic flow; access can be monitored and blocked at these checkpoints. A firewall is usually placed between the internal network (intranet) of a company, organization, sector or country and the Internet. Its main role is to protect information, block unwanted access from outside (the Internet), and forbid access from inside (the intranet) to certain addresses on the Internet.

2. Types of firewall:

Hardware firewalls: firewalls integrated into routers. Their characteristics:
- Not as flexible as software firewalls (functions and rules cannot be added the way they can on a software firewall).
- They operate at lower layers than software firewalls (the network and transport layers).
- They cannot inspect the contents of packets.
Example of a hardware firewall: NAT (Network Address Translation).


Software firewalls: firewalls installed on a server. Their characteristics:
- Highly flexible: rules and functions can be added or removed.
- They operate at a higher layer than hardware firewalls (the application layer).
- They can inspect the contents of packets (for example by matching keywords).
Examples of software firewalls: ZoneAlarm, Norton Firewall.

3. Firewall structure:

A firewall consists of one or more of the following components.

Packet filter (packet-filtering router)

Operating principle: the packet filter accepts or rejects each packet it receives. It examines the packet to decide whether it satisfies one of the packet-filtering rules. These rules are based on the information at the head of each packet (the packet header) and govern whether the packet may be forwarded on the network. If a filtering rule is satisfied, the packet is passed through the firewall; otherwise the packet is discarded. In this way the firewall can block connections to specified hosts or networks, or block access to the internal network from addresses that are not allowed. Moreover, control over ports lets the firewall admit only certain kinds of connections to certain hosts, or allow only certain services (Telnet, SMTP, FTP, ...) to operate on the local network.

Advantages
- Most firewall systems use packet filtering. One advantage of the packet-filtering approach is its low cost, since the filtering mechanism is included in every router's software.
- Packet filtering is also transparent to users and applications, so it requires no special training.


Limitations
Defining packet-filtering policies is fairly complex; it requires the network administrator to have detailed knowledge of Internet services, packet header formats, and the specific values each field can take. As the filtering requirements grow, the filtering rules become long and complicated, and very hard to manage and control. Because it works on packet headers, the packet filter obviously cannot control the information content of packets. Packets that pass through can still carry actions intended to steal information or cause damage on behalf of an attacker.

Application-level gateway (proxy server)

Principle:
- This type of firewall is designed to strengthen control over which services and protocols are allowed to access the network. Its operation is based on what is called a proxy service. A proxy service is a special piece of code installed on the gateway for each application. If the network administrator does not install proxy code for an application, the corresponding service is not provided and therefore cannot pass information through the firewall. In addition, the proxy code can be configured to support only those features of the application that the administrator considers acceptable, while refusing the others.
- An application gateway is often regarded as a bastion host, because it is specially designed to resist attack from outside. The security measures of a bastion host are:
- The bastion host always runs secure versions of its system software (operating system). These secure versions are designed specifically to resist attacks on the operating system and to ensure the integration of the firewall. Only the services the network administrator considers necessary are installed on the bastion host, simply because a service that is not installed cannot be attacked. Usually only a limited set of applications for Telnet, DNS, FTP, SMTP and user authentication are installed on the bastion host. The bastion host may require several different levels of authentication, for example user passwords or smart cards. Each proxy is configured to allow access only to a specific set of hosts. This means that the command set and features established for each proxy apply only to certain hosts on the whole system. Each proxy keeps a log recording full details of the traffic through it: every connection and its duration. This log is very useful for tracing or blocking an attacker. Each proxy is independent of the other proxies on the bastion host, which makes it easy to install a new proxy or remove one that has a problem.

Advantages: The network administrator has complete control over each service on the network, because the proxy application restricts the command set and decides which hosts can be reached by the service. The administrator also has complete control over which services are allowed, because the absence of a proxy for a service means that service is blocked. An application gateway allows very good authentication checking, and it keeps a log of information about access to the system. Filtering rules for an application gateway are easier to configure and verify than those of a packet filter.

Limitations: Users must change how they work, or change the software installed on the client machine, to access the proxy services. For example, Telnet access through an application gateway requires two steps to connect to the host instead of one. However, some client software makes the application gateway transparent by letting the user specify the destination host rather than the gateway on the Telnet command line.


Circuit-level gateway

A circuit-level gateway is a special function that can be performed by an application gateway. It simply relays TCP connections without performing any processing or packet filtering. The figure below illustrates a telnet connection made through a circuit-level gateway: the gateway simply relays the telnet connection through the firewall without inspecting, filtering or controlling any Telnet procedures. The circuit-level gateway works like a wire, copying bytes between the inside connection and the outside connection. However, because the connection appears to originate from the firewall system, it hides information about the internal network. Circuit-level gateways are usually used for outbound connections, where the network administrators really trust the inside users. The biggest advantage is that a bastion host can be configured as a hybrid, providing an application gateway for inbound connections and a circuit-level gateway for outbound connections. This makes the firewall system easy to use for inside users who want direct access to Internet services, while still providing the firewall function that protects the internal network from outside attacks.

4. Functions of a firewall

The main function of a firewall is to control the flow of information between the intranet and the Internet:
+ Allow or forbid services accessing outward.
+ Allow or forbid services accessing inward from outside.
+ Monitor network data flows between the Internet and the intranet.
+ Control which addresses may access, and block addresses.
+ Control users and their access.


II. Operating principle

A firewall works closely with the TCP/IP protocol, because this protocol operates by splitting the data received from network applications into pieces. The firewall is therefore concerned largely with packets and their address numbers. The packet filter accepts or rejects each packet it receives. The filtering rules are based on the information in each packet's header and govern whether the packet may be forwarded on the network. If a packet satisfies the firewall's predefined rules it is passed through; otherwise it is discarded.

Note: because checking is based on packet headers, the filter cannot control the information content of packets. Packets that pass through can therefore still carry actions intended to steal information or cause damage on behalf of an attacker.

III. Advantages of firewalls

A firewall limits the number of connections, which helps us resist attack mechanisms. Since most firewall systems use packet filtering, its advantages are:
+ Low cost, because the packet-filtering mechanism is included in every router's software.
+ Easy and simple to install.
+ Can give early warning of attacks (e.g. detecting port scans).

IV. Disadvantages

- Requires the network administrator to have detailed knowledge of Internet services and packet header formats.
- As filtering grows, the filtering rules become long and complicated, and very hard to manage and control.
- A firewall cannot scan for viruses in the data passing through it; new viruses appear continuously, and there are many ways to encode data so that it escapes the firewall's control.
- A firewall can only block intrusion from unwanted sources whose address parameters have been explicitly specified.


- A firewall cannot prevent an attack that does not pass through it. For example:
+ Information leaks caused by data being illegally copied onto floppy disks, USB sticks or CDs.
+ A firewall also cannot resist data-driven attacks.
+ The typical example is computer viruses.

V. Some firewall products

Some packet-filtering products for Linux:
+ Iptables
+ Ipchains
+ SmoothWall
We should use iptables; ipchains is obsolete.

Part II: IPTABLES

I. Introduction to Iptables

Iptables was written by the Netfilter organization to improve security on Linux systems. Iptables provides the following features:
+ Good integration with the Linux kernel.
+ Efficient packet analysis.
+ Packet filtering based on MAC address and on several flags in the TCP header.
+ Detailed options for logging system events.
+ NAT.
+ The ability to block some DoS (denial of service) attack mechanisms.


II. Installing Iptables

Iptables is normally installed by default on a Linux system; the iptables package is iptables-version.rpm (where version is the iptables version to install).
Install the iptables service: # rpm -ivh iptables-version.rpm
Start iptables: # service iptables start
Start the iptables service at system boot: # chkconfig iptables on
Restart iptables: # service iptables restart
Stop iptables: # service iptables stop
Check the status of iptables: # service iptables status
Save Iptables: # service iptables save
Open the Iptables configuration file: # vi /etc/sysconfig/iptables
Edit the Iptables configuration file: # gedit /etc/sysconfig/iptables


- The screen after opening the Iptables configuration file.

- Using the text-mode interface to configure the firewall:
+ Type setup and choose Firewall configuration.


+ Choose Enabled on the Security level line and choose Customize.

+ Tick the services to let through the firewall, for example SSH, Telnet, HTTP.


III. Packet processing in Iptables

Iptables inspects every packet that passes through the iptables host; the inspection is performed sequentially from the first entry to the last. There are three kinds of table in iptables: the mangle table, the filter queue and the NAT queue.

1. Mangle table: responsible for changing the quality-of-service bits in the TCP header such as TOS, TTL and MARK. This table is usually used in SOHO (small office and home office) networks. Its chains are:
+ PREROUTING
+ POSTROUTING
+ OUTPUT
+ INPUT
+ FORWARD

2. Filter queue: responsible for packet filtering. Three built-in chains implement the firewall policy rules:
+ FORWARD chain: filters packets passing through the firewall.
+ INPUT chain: filters packets coming into the firewall.
+ OUTPUT chain: filters packets leaving the firewall.

3. NAT queue: performs NAT (Network Address Translation) and provides the following two built-in chains:
+ PREROUTING chain: NAT from outside to the internal network. NAT is performed before routing, which is convenient for rewriting the destination address so that it matches the firewall's routing table; in the configuration the DNAT keyword describes this technique.
+ POSTROUTING chain: NAT from inside to outside. NAT is performed after routing. Its purpose is to change the source address of the packet. This technique is called one-to-one or many-to-one NAT, also known as Source NAT or SNAT.

IV. Targets and Jumps

1. Jumps: the mechanism that passes a packet to a target for further processing.

2. Targets: the mechanisms in iptables used to identify and check packets. The built-in targets in iptables include ACCEPT, DROP, LOG, REJECT, DNAT, SNAT and MASQUERADE.
+ ACCEPT: iptables accepts the packet and forwards the data to its destination.
+ DROP: iptables blocks the packet.
+ LOG: the packet's information is sent to the syslog daemon and iptables continues with the next rule in the table. If the last rule does not match, the packet is dropped. A common option is --log-prefix "string", which makes iptables record the messages starting with that string.
+ REJECT: blocks the packet and sends a notification to the sender. A common option is --reject-with qualifier, where the qualifier specifies the kind of reject message sent back to the sender.
+ DNAT: changes the destination address of the packet. Option: --to-destination ipaddress.
+ SNAT: changes the source address of the packet. Option: --to-source <address>[-<address>][:<port>-<port>]


+ MASQUERADE: used to perform NAT by replacing the source address with the address of the firewall's interface. Option: [--to-ports <port>[-<port>]], which specifies the range of source ports that the original port range is mapped onto.

V. Some Iptables commands

1. Common commands:

# iptables [switches] ...
-t : specify the table: filter, nat or mangle.
-j : jump to a target or chain when the packet matches the current rule.
-A : append a rule to the end of an iptables chain.
Examples:
+ # iptables -A INPUT -j ACCEPT : accept all packets sent to the firewall.
+ # iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -o eth0 -j MASQUERADE : a rule in the nat table.
-P : change the policy of a chain.
-F : flush all rules from the selected chain.
-N : create a new chain.
-X : delete a user-created chain.
Examples:
+ # iptables -P INPUT DROP : set the policy of the INPUT chain to DROP. When an incoming packet matches none of the chain's rules, it is handled according to the policy.
+ # iptables -F INPUT : delete all rules of the INPUT chain.
+ # iptables -F OUTPUT : delete all rules of the OUTPUT chain.
+ # iptables -F : delete all rules of all chains.
+ # iptables -N ChainMoi
+ # iptables -X ChainMoi
Note: built-in chains cannot be deleted.


-p : the protocol: icmp, tcp, udp or all.
-s : specify the source address.
-d : specify the destination address.
-i : specify the input interface that receives the packet.
-o : specify the output interface that sends the packet out.

2. Common protocol matches

-p tcp --sport <port> : TCP source port. Either a single value or a range of the form start-port:end-port.
-p tcp --dport <port> : TCP destination port.
-p tcp --syn : identifies a new TCP connection request.
-p udp --sport <port> : UDP source port.
-p udp --dport <port> : UDP destination port.
-p icmp --icmp-type <type> : the most common ICMP types are echo-reply and echo-request.

Example: # iptables -A FORWARD -s 0/0 -i eth0 -o eth1 -d 172.16.0.2 -p tcp --sport 1024:65535 --dport 80 -j ACCEPT
The firewall accepts packets whose protocol is TCP, arriving on interface eth0 from any source IP address, going to address 172.16.0.2 out through interface eth1, with a source port from 1024 to 65535 and destination port 80 (www/http).

3. Common extended match conditions

-m multiport --sport <port,port,...> : several TCP/UDP source ports separated by commas (,). This is a list of ports, not a contiguous range.
-m multiport --dport <port,port,...> : TCP/UDP destination ports.
-m multiport --ports <port,port,...> : matches either destination or source ports.


-m state --state <state> : the common states are ESTABLISHED, NEW, RELATED and INVALID. The state of a packet:
+ ESTABLISHED : the packet is part of a connection that has been established in both directions.
+ NEW : the packet is the start of a new connection.
+ RELATED : the packet starts a secondary connection. This is typical of the FTP protocol or of ICMP errors.
+ INVALID : the packet cannot be identified.
-m limit --limit 1/s : specifies the number of matches per unit of time, in the form /second, /minute, /hour or /day.

4. Some examples:

Example 1: the firewall accepts any TCP packet arriving on interface eth0 for the address 172.28.24.199
# iptables -A INPUT -s 0/0 -i eth0 -d 172.28.24.199 -p tcp -j ACCEPT

Example 2: the firewall allows sending icmp echo-request and receiving icmp echo-reply
# iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
# iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

Example 3: allow DNS access to the firewall
# iptables -A OUTPUT -p udp -o eth0 --dport 53 --sport 1024:65535 -j ACCEPT
# iptables -A INPUT -p udp -i eth0 --dport 53 --sport 1024:65535 -j ACCEPT

Example 4: allow WWW and ssh access to the firewall
# iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A INPUT -p tcp -i eth0 --dport 22 --sport 1024:65535 -m state --state NEW -j ACCEPT
# iptables -A INPUT -p tcp -i eth0 --dport 80 --sport 1024:65535 -m state --state NEW -j ACCEPT


VI. Iptables scripts

1. Saving the Iptables script: the command service iptables save stores the rules in the file /etc/sysconfig/iptables. On reboot, the iptables-restore program reads this script file and reactivates the configuration.

2. Backing up and restoring the script: the script can be restored if the script file is lost. First, save the script with the command:
# iptables-save > script_du_phong
When restoring, reload iptables with the iptables-restore command:
# iptables-restore < script_du_phong
Finally, use the save command to store the rules back into the configuration file:
# service iptables save


Part III: Configuring some functions of IPTABLES

I. Network model

Setup: the Client machine has one network card in host-only mode with IP 10.0.0.4. The Web-Mail machine has one network card in host-only mode with IP 10.0.0.2. The Firewall machine has two network cards: one in host-only mode with IP address 10.0.0.1, and one facing the Internet with IP 192.168.0.1. The machine on the Internet has one network card with IP 192.168.0.2.
Requirements: the Client, Web-Mail and Firewall machines can ping each other. The machine on the Internet can ping the Firewall machine and vice versa.


II. Basic Iptables setup

1. Check whether the Iptables service is installed. Use the command: # rpm -qa iptables

2. Start Iptables. Use the command: # service iptables start


3. View the status of Iptables. Use the command: # service iptables status


4. View the Iptables configuration. Use the command: # iptables -L

Or open the configuration file with the command # vi /etc/sysconfig/iptables


5. Save Iptables. Use the command: # service iptables save

6. Start the iptables service at system boot: # chkconfig iptables on

III. Filter configuration

1. Ping

Description: by default, machines on the same network segment can ping each other; we will now block these machines from pinging each other. On the Firewall machine, open the Iptables configuration file with the command # vi /etc/sysconfig/iptables


Line 13 is the rule that allows ping. To block ping, add # in front of this rule, or change ACCEPT to DROP.


Or use DROP.

Then save the edited rule and restart iptables with the command # service iptables restart


2. SSH: port 22

Description: the Firewall machine's Iptables allows or blocks SSH from machines on the LAN to the Firewall machine. In the setup step we allowed the SSH service through.

Then open the iptables configuration file with the command # vi /etc/sysconfig/iptables. Line 21 is the rule that allows the SSH service through.


Block the SSH service by adding # to line 21.


Then save the edited rule and restart iptables with the command # service iptables restart

3. Telnet: port 23

Description: the Firewall machine's Iptables allows or blocks telnet from machines on the LAN to the Firewall machine. In the setup step we allowed the telnet service through.


Then open the iptables configuration file with the command # vi /etc/sysconfig/iptables. Line 21 is the rule that allows the telnet service through.

Block the telnet service by adding # to line 21.


Then save the edited rule and restart iptables with the command # service iptables restart

4. HTTP: port 80

Description: machines on the LAN can connect to the Internet and browse web pages through their browsers, in other words through port 80 (HTTP) and port 443 (HTTPS). In iptables we allow or block web use by machines on the LAN. In the setup step we allowed the HTTP or HTTPS service through.


Then open the iptables configuration file with the command # vi /etc/sysconfig/iptables. Lines 21 and 22 are the rules that allow the HTTP and HTTPS services through.


Block the HTTP and HTTPS services by adding # to lines 21 and 22.

Then save the edited rules and restart iptables with the command # service iptables restart

Do the same for the remaining services. Note: when the iptables configuration file is open with the command # vi /etc/sysconfig/iptables, press a to edit the configuration and save with :x.


The iptables configuration can also be opened with the command # gedit /etc/sysconfig/iptables and edited and saved directly in the configuration file. After changing any rule, we must save and restart iptables for the new rule to take effect.
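The procedure above finds the ping, SSH, telnet and HTTP rules by counting to "line 13" or "line 21" in vi, which breaks as soon as a rule is added above them. As an added example (not part of the report), the following shell script locates those ACCEPT rules by pattern in a saved /etc/sysconfig/iptables (iptables-save format), lists the default chain policies, and writes a copy with the chosen rules commented out; the sample file it works on is constructed here and its line numbers are its own, not the report's.

```shell
#!/bin/sh
# Added example, not from the report. Part III finds the ping, SSH, telnet and
# HTTP rules by their line numbers in vi ("line 13", "line 21"); this script
# finds the same ACCEPT rules by pattern in a saved iptables-save file
# (/etc/sysconfig/iptables) and writes a copy with them commented out.

# make_sample <file>: write a constructed sample in iptables-save format.
# Its line numbers are for this sample only, not the report's screenshots.
make_sample() {
    cat > "$1" <<'EOF'
# Generated by iptables-save (constructed sample for this example)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 23 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# default_policies <file>: print "<chain> <policy>" for each chain header, so
# a default ACCEPT on INPUT or FORWARD is visible before any rule is read.
default_policies() {
    awk '/^:/ { sub(/^:/, ""); print $1, $2 }' "$1"
}

# accept_lines <file> <what>: line numbers of active INPUT ACCEPT rules for a
# service; <what> is a TCP/UDP port number, or "icmp" for the ping rule.
# Commented-out rules start with "#-A", so they are never reported.
accept_lines() {
    if [ "$2" = icmp ]; then
        grep -n -- '^-A INPUT .*-p icmp .*-j ACCEPT' "$1" | cut -d: -f1
    else
        grep -n -- "^-A INPUT .*--dport $2 .*-j ACCEPT" "$1" | cut -d: -f1
    fi
}

# disable_rules <in> <out> <what>: copy <in> to <out> with each matching
# ACCEPT rule commented out (the report's "add # in front of the rule").
disable_rules() {
    in=$1; out=$2; what=$3
    set --
    for n in $(accept_lines "$in" "$what"); do
        set -- "$@" -e "${n}s/^/#/"
    done
    if [ $# -eq 0 ]; then cat "$in" > "$out"; else sed "$@" "$in" > "$out"; fi
}

# Stand-alone run: audit the sample, then disable telnet and ping as in
# sections III.1 and III.3. On a real firewall: iptables-save > backup first,
# replace /etc/sysconfig/iptables with the hardened copy, then
# `service iptables restart`; `iptables-restore < backup` rolls back.
tmp=${TMPDIR:-/tmp}/ipt-audit.$$
make_sample "$tmp.orig"
default_policies "$tmp.orig"
disable_rules "$tmp.orig" "$tmp.step1" 23
disable_rules "$tmp.step1" "$tmp.hardened" icmp
grep -n '^#-A' "$tmp.hardened"
rm -f "$tmp.orig" "$tmp.step1" "$tmp.hardened"
```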

IV. NAT configuration

1. NAT In

Description: for machines on the Internet to reach the Web-Mail server on the LAN, we must use the NAT In technique. On the Firewall machine, enter setup and allow the services through the network cards; under Trusted Devices, tick the network cards.


Enable switching (routing) between the network cards.

Enter the NAT In command line.

Save the iptables configuration file with the command # service iptables save

Restart the service with the command # service iptables restart


Start the iptables service at system boot: # chkconfig iptables on

Reopen the iptables configuration file to check whether NAT In has been applied.


After that, any machine on the Internet can use our system's web service.


2. NAT Out

Description: allow machines on the LAN to connect out to the Internet. On the Firewall machine, enter setup and allow the services through the network cards; under Trusted Devices, tick the network cards.

Enable switching (routing) between the network cards.


Enter the NAT Out command line.

Save the iptables configuration file with the command # service iptables save

Restart the service with the command # service iptables restart


Start the iptables service at system boot: # chkconfig iptables on

Reopen the iptables configuration file to check whether NAT Out has been applied.

After that, any machine on the LAN can connect to the Internet.
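The NAT In and NAT Out command lines themselves appear only in the report's screenshots. Putting Part III together, here is an added shell script (not the group's own) that builds the complete ruleset for the lab topology of section I: default-deny policies, SSH and web access to the firewall from the LAN, telnet and ping dropped, DNAT of port 80 on the Internet card to the Web-Mail server, and MASQUERADE for LAN egress. It assumes eth0 is the LAN card and eth1 the Internet card (the report does not name them) and a 10.0.0.0/24 LAN; by default it only prints the iptables commands, and applies them only when run as root with APPLY=1.

```shell
#!/bin/sh
# Added example, not from the report. Builds the iptables ruleset for the
# Part III lab: Firewall 10.0.0.1 (LAN) / 192.168.0.1 (Internet), Web-Mail
# server 10.0.0.2. Assumed (the report does not name them): eth0 is the LAN
# card, eth1 the Internet card, LAN network 10.0.0.0/24.
LAN_IF=${LAN_IF:-eth0}
WAN_IF=${WAN_IF:-eth1}
LAN_NET=${LAN_NET:-10.0.0.0/24}
WAN_IP=${WAN_IP:-192.168.0.1}
WEBMAIL=${WEBMAIL:-10.0.0.2}

# ipt: run iptables when APPLY=1, otherwise only print the command (dry run).
ipt() {
    if [ "${APPLY:-0}" = 1 ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

build_rules() {
    # Start from a clean slate: flush filter and nat, delete user chains.
    ipt -F
    ipt -t nat -F
    ipt -X
    # Default deny for traffic to and through the firewall (section V: -P INPUT DROP).
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    # Loopback, then replies belonging to connections already tracked.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Filter exercises (section III): LAN may SSH and browse to the firewall;
    # telnet and ping requests are dropped (the DROP variant of section III.1).
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
    ipt -A INPUT -p tcp --dport 23 -j DROP
    ipt -A INPUT -p icmp --icmp-type echo-request -j DROP
    # Log what is about to hit the INPUT policy, at most one line per second.
    ipt -A INPUT -m limit --limit 1/s -j LOG --log-prefix "IPT-INPUT-DROP: "
    # NAT In (section IV.1): web traffic arriving on the Internet card is
    # redirected to the Web-Mail server, and the forwarded flow is permitted.
    ipt -t nat -A PREROUTING -i "$WAN_IF" -d "$WAN_IP" -p tcp --dport 80 -j DNAT --to-destination "$WEBMAIL:80"
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$WEBMAIL" -p tcp --dport 80 -m state --state NEW -j ACCEPT
    # NAT Out (section IV.2): LAN hosts go out with the firewall's Internet address.
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -m state --state NEW -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

# count_rules <pattern>: number of generated commands matching <pattern>
# (always evaluated in dry-run mode, so it is safe to call anywhere).
count_rules() {
    ( APPLY=0; build_rules ) | grep -c -- "$1"
}

if [ "${APPLY:-0}" = 1 ]; then
    # The report's "switching (routing)" step, then the rules, then persist them.
    echo 1 > /proc/sys/net/ipv4/ip_forward
    build_rules
    service iptables save
else
    build_rules
fi
```

Run without APPLY to review the generated commands first; the persisted file can then be checked with `iptables -L` and `vi /etc/sysconfig/iptables` as in section II.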
