Vincent Renardias
by Vincent Renardias
<vincent(at)renardias.com>

About the author:

A GNU/Linux user since 1993, Vincent Renardias became involved in its development in 1996: Debian developer, French translator of the GIMP program and of the GNOME desktop, founder of the Linux User Group in Marseille (PLUG)... Now R&D manager at EFB2, he continues to contribute to GNU/Linux.



Translated into Russian by:
Leonid Voronin <gooamoko(at)rambler.ru>


Packet filtering in Linux


Abstract:

This article was first published in a Linux Magazine France special issue focused on security. The editor, the authors and the translators kindly allowed LinuxFocus to publish every article from this special issue. Accordingly, LinuxFocus will bring them to you as soon as they are translated into English. Thanks to everyone involved in this work. This abstract will be reproduced in every article sharing the same origin.


One good way to prevent intrusion attempts is to filter out what is useless on the network. This task is usually assigned to a computer used as a firewall.
In this article we provide the basics needed to implement and configure such a system.



Gateway, ARP proxy or Ethernet bridge?

A filtering mechanism can be seen as a net that catches some unwanted packets. The most important thing is to find the right mesh size and the right place to set the net.

Figure: firewall location in the network

For the filtering mechanism to filter packets properly, it must be physically placed between the protected network and the "outside world". In practice this is done with a computer that has two network interfaces (usually Ethernet), one connected to the internal network and the other to the router through which the external network is reached. All communication then has to pass through the firewall, which will or will not block it depending on its content.
The computer doing the filtering can be set up in three different ways:

- "Simple" gateway: this is the most commonly used configuration. The computer is used as a gateway between two networks or subnets. The computers on the local network must be configured to use the firewall, rather than the router, as their default route (default gateway).

- "ARP proxy" gateway: the previous configuration implies splitting the network into two subnets, which costs half of the IP addresses available to the network. That is somewhat annoying. For example, out of a 16-address subnet (with a 28-bit subnet mask) only 14 are usable, since the network address and the broadcast address are taken. Adding one more bit to the subnet mask reduces the usable addresses from 14 to 6 (8 addresses minus the network and broadcast addresses). When you cannot afford to lose half of the available IP addresses, you can use this solution, which is explained later in this article. Moreover, this solution requires no change to the network configuration of either the router or the protected computers.

- Ethernet bridge: setting up an Ethernet gateway (rather than an IP gateway) makes the filtering mechanism invisible to other computers. Such a configuration can be done without assigning IP addresses to the Ethernet interfaces. In that case the computer cannot be discovered with ping, traceroute and the like. Note that packet filtering in this configuration requires a 2.2.x kernel; the port of this feature to 2.4.x kernels is not yet finished.

 

Basic filtering rules

Now that we know where to place our filter, we must define what it should block and what it should let through.
There are two ways to configure such a filter:

- The first, good one: block every packet except those that the rules explicitly allow.
- The second, bad one (unfortunately often used): explicitly forbidden packets are blocked and everything else is let through.

The reason is simple: in the first case, a forgotten rule leads to a degraded service or a complete loss of functionality. This is usually noticed quickly, and rules are added until the service works again.
In the second case, a forgotten rule creates a potential vulnerability, which is often very hard to detect... if it is ever detected at all.

 

Netfilter

The most commonly used packet-filtering software on Linux is Netfilter, the welcome replacement for 'ipchains', which was used with 2.2 kernels. Netfilter is made of two parts: kernel support, which must be compiled into your kernel, and the 'iptables' command, which must be available on your system.

 

Configuration example

A commented example is better than a long speech. We now describe how to install and configure the filtering mechanism. First, the computer is configured as a gateway using an ARP proxy to limit the number of IP addresses used; then we set up the filtering system.

The author prefers the Debian distribution for setting up such a system, but any other distribution can be configured in the same way.

First, check that your kernel supports Netfilter. If it does, the boot messages should contain:

ip_conntrack (4095 buckets, 32760 max)
ip_tables: (c)2000 Netfilter core team

Otherwise you will have to recompile the kernel after enabling Netfilter support. The relevant options are found in the "Network Packet Filtering" submenu of the "Networking Options" menu. Select the required options in the "Netfilter Configuration" section. If in doubt, you can select them all; it is also better to build Netfilter into the kernel rather than as modules. If for some reason one of the Netfilter modules is missing or not loaded, filtering will not work, and we had better not talk about the risk this implies.

You may also install the 'iproute2' package (not strictly required, but our example uses it because it makes the configuration script simpler). On Debian, installing 'iproute2' is just a matter of running 'apt-get install iproute'.
On other distributions, look for the corresponding packages. They can be installed the usual way or built from the sources, which can be downloaded from:
ftp://ftp.inr.ac.ru/ip-routing/

Now the two Ethernet cards must be configured. Note that the Linux kernel, when auto-detecting hardware, stops looking for network cards as soon as it finds the first one. Accordingly, only the first card is detected.
An easy fix for this problem is to add the following line to lilo.conf:
append="ether=0,0,eth1"

Now we must configure the Ethernet interfaces. The method we chose allows the same IP address to be used for both cards, thus saving one address.
Suppose we have the subnet 10.1.2.96/28, whose addresses run from 10.1.2.96 to 10.1.2.111 inclusive. The router will have the address 10.1.2.97 and our filtering computer 10.1.2.98. Interface eth0 will be connected to the router, with a direct RJ-45 cable if both cards are connected back to back without a hub or switch; interface eth1 will be connected to the hub/switch and from there to the computers on the local network.

Accordingly, both interfaces will be configured with the following parameters:

address  : 10.1.2.98
netmask  : 255.255.255.240
network  : 10.1.2.96
broadcast: 10.1.2.111
gateway  : 10.1.2.97
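As an added example that is not part of the article, the parameters above can be derived and checked with Python's ipaddress module; the same code computes the 14-versus-6 usable-address cost of splitting the /28 that the ARP-proxy section mentions. The subnet, router and firewall values are those of the article.

```python
import ipaddress

# Example values from the article's setup: the /28 subnet, the router at .97
# and the filtering host at .98.
SUBNET = "10.1.2.96/28"
ROUTER = "10.1.2.97"
FIREWALL = "10.1.2.98"


def interface_parameters(cidr):
    """Derive netmask, network, broadcast and usable host count for a subnet,
    i.e. the values listed in the interface configuration above."""
    net = ipaddress.ip_network(cidr, strict=True)
    return {
        "netmask": str(net.netmask),
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "usable_hosts": net.num_addresses - 2,   # minus network and broadcast
    }


def split_cost(cidr):
    """Usable hosts in the subnet versus in each half after adding one bit to
    the mask, which is what a 'simple gateway' between two subnets costs.
    Returns (usable_before, usable_in_each_half)."""
    net = ipaddress.ip_network(cidr, strict=True)
    half = next(net.subnets(prefixlen_diff=1))
    return net.num_addresses - 2, half.num_addresses - 2


def check_plan(cidr, router, firewall):
    """Return a list of problems with the addressing plan; an empty list means
    the router and firewall are distinct, usable hosts of the subnet."""
    net = ipaddress.ip_network(cidr, strict=True)
    problems = []
    for name, addr in (("router", router), ("firewall", firewall)):
        ip = ipaddress.ip_address(addr)
        if ip not in net:
            problems.append(f"{name} {addr} is outside {cidr}")
        elif ip in (net.network_address, net.broadcast_address):
            problems.append(f"{name} {addr} is the network or broadcast address")
    if router == firewall:
        problems.append("router and firewall share the same address")
    return problems


if __name__ == "__main__":
    print(interface_parameters(SUBNET))
    print("usable hosts before/after splitting:", split_cost(SUBNET))
    print("problems:", check_plan(SUBNET, ROUTER, FIREWALL))
```

Running the check before writing the interface configuration catches the two mistakes that are easiest to make by hand: picking the network or broadcast address for a host, or giving the router and the firewall the same address.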

Then we use the following script, which must be run after the initial configuration of the network cards to complete the setup.

net.vars: configuration variables

PREFIX=10.1.2
DMZ_ADDR=$PREFIX.96/28
# Interface definitions
BAD_IFACE=eth0
DMZ_IFACE=eth1
ROUTER=$PREFIX.97


net-config.sh: network configuration script

#!/bin/sh
# Uncomment the next line to display the commands as they are executed
# set -x
# Read the variables defined in the previous file
. /etc/init.d/net.vars
# Remove the routes to the local network set up when the cards were configured
ip route del $DMZ_ADDR dev $BAD_IFACE
ip route del $DMZ_ADDR dev $DMZ_IFACE
# Declare that the local network is reached through eth1
# and the router through eth0
ip route add $ROUTER dev $BAD_IFACE
ip route add $DMZ_ADDR dev $DMZ_IFACE
# Enable proxy ARP on both interfaces
echo 1 > /proc/sys/net/ipv4/conf/$BAD_IFACE/proxy_arp
echo 1 > /proc/sys/net/ipv4/conf/$DMZ_IFACE/proxy_arp
# Enable IP forwarding so that packets arriving on one card
# can be routed to the other one
echo 1 > /proc/sys/net/ipv4/ip_forward

Now let us come back to the ARP proxy mechanism our configuration requires.
For one computer to "talk" to another on the same network, it needs to know the Ethernet address (also called MAC address or hardware address) corresponding to that computer's IP address. The source computer therefore sends a request: "What is the MAC address of the interface having IP address 1.2.3.4?" and the target computer must answer.

Here is an example of such an exchange, captured with tcpdump:
- Request: computer 172.16.6.72 asks for the MAC address corresponding to IP address 172.16.6.10.
19:46:15.702516 arp who-has 172.16.6.10 tell 172.16.6.72
- Reply: computer 172.16.6.10 gives the address of its network card.
19:46:15.702747 arp reply 172.16.6.10 is-at 0:a0:4b:7:43:71

This leads to the following short explanation: ARP requests are broadcasts, and broadcasts are confined to a single physical network. A request from a protected computer looking for the router's MAC address is therefore stopped by the filtering computer. Enabling the ARP proxy feature solves this problem, since the filtering computer will then relay the ARP requests.
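The exchange above, as an added example rather than the article's own code: a parser for tcpdump's ARP lines, and a small model of a broadcast domain showing why a protected host's request for the router goes unanswered until proxy ARP is enabled on the filtering host, which then answers with its own MAC for addresses it has a route to through its other interface. The MAC addresses and the protected host 10.1.2.100 are constructed; the capture lines are the ones shown above.

```python
import re

# Constructed sample capture, in the format tcpdump prints ARP traffic
# (the same exchange as in the article).
SAMPLE_CAPTURE = """\
19:46:15.702516 arp who-has 172.16.6.10 tell 172.16.6.72
19:46:15.702747 arp reply 172.16.6.10 is-at 0:a0:4b:7:43:71
"""

ARP_REQUEST = re.compile(r"^(?P<ts>\S+) arp who-has (?P<target>\S+) tell (?P<sender>\S+)$")
ARP_REPLY = re.compile(r"^(?P<ts>\S+) arp reply (?P<ip>\S+) is-at (?P<mac>\S+)$")


def parse_arp(capture):
    """Turn tcpdump ARP lines into dicts; lines that are not ARP are skipped."""
    events = []
    for line in capture.splitlines():
        m = ARP_REQUEST.match(line)
        if m:
            events.append({"kind": "request", **m.groupdict()})
            continue
        m = ARP_REPLY.match(line)
        if m:
            events.append({"kind": "reply", **m.groupdict()})
    return events


class Segment:
    """One Ethernet broadcast domain. An ARP request only reaches the hosts
    attached here, so only they can answer it."""

    def __init__(self, hosts):
        self.hosts = dict(hosts)        # ip -> mac of the hosts on this wire

    def who_answers(self, target_ip, proxies=()):
        """MAC that answers an ARP request for target_ip, or None if nobody does.
        `proxies` lists (mac, set_of_ips) pairs: a host with proxy_arp enabled
        answers with its own MAC for addresses it routes to via its other interface."""
        if target_ip in self.hosts:
            return self.hosts[target_ip]
        for mac, reachable in proxies:
            if target_ip in reachable:
                return mac
        return None


# Constructed MAC addresses for the article's topology: the router sits on the
# eth0 wire, the protected hosts on the eth1 wire, the filtering host on both.
FW_ETH0, FW_ETH1 = "00:00:00:aa:00:00", "00:00:00:aa:00:01"
ROUTER_MAC, HOST_MAC = "00:00:00:bb:00:00", "00:00:00:cc:00:00"
OUTSIDE = Segment({"10.1.2.97": ROUTER_MAC, "10.1.2.98": FW_ETH0})
INSIDE = Segment({"10.1.2.98": FW_ETH1, "10.1.2.100": HOST_MAC})


def proxy_arp_demo():
    """Who answers the protected host's request for the router, and the router's
    request for a protected host, with and without proxy ARP on the firewall."""
    lan_hosts = {"10.1.2.100"}
    return {
        "router_without_proxy": INSIDE.who_answers("10.1.2.97"),
        "router_with_proxy": INSIDE.who_answers("10.1.2.97", [(FW_ETH1, {"10.1.2.97"})]),
        "host_without_proxy": OUTSIDE.who_answers("10.1.2.100"),
        "host_with_proxy": OUTSIDE.who_answers("10.1.2.100", [(FW_ETH0, lan_hosts)]),
    }


if __name__ == "__main__":
    for event in parse_arp(SAMPLE_CAPTURE):
        print(event)
    print(proxy_arp_demo())
```

Both directions matter: the inside hosts resolve the router through the firewall's eth1 MAC, and the router resolves the inside hosts through the firewall's eth0 MAC, which is why net-config.sh enables proxy_arp on both interfaces.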

At this point you should have a working network, with the filtering computer handling all traffic between the local and the external network.

Now we must configure filtering using Netfilter.
Netfilter allows acting directly on the packet flow. In the simplest configuration, packets are handled by three rule chains:
- INPUT: for packets coming in through an interface,
- FORWARD: for packets passing from one interface to another,
- OUTPUT: for packets going out through an interface.

The 'iptables' command allows rules to be added, changed and removed in each of these chains to alter the filtering behaviour.
Moreover, each chain has a default policy, which defines what happens when a packet matches none of the rules in the chain.

The four most common targets are:
- ACCEPT: the packet is allowed through,
- REJECT: the packet is rejected and an error packet is sent back (ICMP Port Unreachable or TCP RESET, depending on the situation),
- LOG: a note about the packet is written to the system log,
- DROP: the packet is ignored and no answer is sent.

Figure: packet flow through the standard chains

Here are the main iptables options for managing chains. We detail them later:

-N: creates a new chain.
-X: deletes an empty chain.
-P: changes the default policy of a chain.
-L: lists the rules in a chain.
-F: flushes all the rules from a chain.
-Z: zeroes the byte and packet counters of a chain.

The following commands are available to change a chain:
-A: appends a rule to the end of a chain.
-I: inserts a new rule at a given position in a chain.
-R: replaces a given rule in a chain.
-D: deletes a rule from a chain, given either its number or its description.

Let us look at a small practical example: we will block ping replies (ICMP packets of type 'echo-reply') coming from a given computer.
First, make sure the computer "pings" (i.e. answers the ping command):

# ping -c 1 172.16.6.74
PING 172.16.6.74 (172.16.6.74): 56 data bytes
64 bytes from 172.16.6.74: icmp_seq=0 ttl=255 time=0.6 ms

--- 172.16.6.74 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.6/0.6/0.6 ms
Now add a rule to the INPUT chain that drops ICMP echo replies ('-p icmp --icmp-type echo-reply') coming from computer 172.16.6.74 ('-s 172.16.6.74'). These packets will be ignored ('-j DROP').
# iptables -A INPUT -s 172.16.6.74 -p icmp --icmp-type echo-reply -j DROP

Now let us ping that computer again:

# ping -c 3 172.16.6.74
PING 172.16.6.74 (172.16.6.74): 56 data bytes

--- 172.16.6.74 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss

As expected, the packets did not get through. We can check that the three packets were blocked (3 packets, or 252 bytes):

# iptables -L INPUT -v
Chain INPUT (policy ACCEPT 604K packets, 482M bytes)
 pkts bytes target     prot opt in    out     source       destination
  3   252   DROP       icmp --  any   any     172.16.6.74    anywhere

To restore the previous state, we only need to delete the first rule of the INPUT chain:

# iptables -D INPUT 1

Now ping works again:

# ping -c 1 172.16.6.74
PING 172.16.6.74 (172.16.6.74): 56 data bytes
64 bytes from 172.16.6.74: icmp_seq=0 ttl=255 time=0.6 ms

--- 172.16.6.74 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.6/0.6/0.6 ms
#

It works!

You can add further chains to the three original ones (which you cannot delete anyway) and make part of the traffic go through them. This can be useful, for instance, to avoid duplicating rules in different chains.
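As an added example (not code from the article), the following Python model reproduces how a packet traverses the chains described above: the first matching rule wins, LOG does not end the traversal, a user chain returns to its caller when nothing in it matches, and a built-in chain falls back to its policy. It replays the ping example (three dropped echo replies of 84 bytes each, i.e. the 3 packets / 252 bytes shown by 'iptables -L INPUT -v') and contrasts the two policies of the "Basic filtering rules" section when one rule is forgotten. Connection tracking, the other tables and REJECT's error packet are deliberately left out; the packets, their sizes and the port numbers are constructed.

```python
import ipaddress

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


class Rule:
    """One iptables rule: match criteria plus a target (built-in or a user chain)."""

    def __init__(self, target, **match):
        self.target = target
        self.match = match      # e.g. proto="icmp", src="172.16.6.74", dport=22
        self.pkts = 0
        self.bytes = 0

    def matches(self, pkt):
        for key, want in self.match.items():
            have = pkt.get(key)
            if key in ("src", "dst"):       # address or CIDR match, as with -s/-d
                if have is None or ipaddress.ip_address(have) not in ipaddress.ip_network(want):
                    return False
            elif have != want:
                return False
        return True


class Filter:
    """A small model of the netfilter 'filter' table: the first matching rule
    wins, LOG does not end the traversal, a user chain with no match returns
    to its caller, and a built-in chain ends with its policy."""

    BUILTIN = ("INPUT", "FORWARD", "OUTPUT")

    def __init__(self):
        self.chains = {name: [] for name in self.BUILTIN}
        self.policy = {name: "ACCEPT" for name in self.BUILTIN}  # the kernel default
        self.log = []

    def new_chain(self, name):              # iptables -N
        self.chains.setdefault(name, [])

    def append(self, chain, rule):          # iptables -A
        self.chains[chain].append(rule)

    def delete(self, chain, number):        # iptables -D chain N (1-based)
        del self.chains[chain][number - 1]

    def set_policy(self, chain, target):    # iptables -P
        self.policy[chain] = target

    def _walk(self, chain, pkt):
        for rule in self.chains[chain]:
            if not rule.matches(pkt):
                continue
            rule.pkts += 1
            rule.bytes += pkt["len"]
            if rule.target in TERMINAL:
                return rule.target
            if rule.target == "LOG":
                self.log.append((chain, pkt))
                continue
            if rule.target == "RETURN":
                return None
            verdict = self._walk(rule.target, pkt)   # -j <user chain>
            if verdict is not None:
                return verdict
        return None

    def verdict(self, chain, pkt):
        result = self._walk(chain, pkt)
        return result if result is not None else self.policy[chain]

    def counters(self, chain):              # the pkts/bytes/target columns of -L -v
        return [(r.pkts, r.bytes, r.target) for r in self.chains[chain]]


def echo_reply(src, length=84):
    """A ping reply as the filter sees it: 20-byte IP header, 8-byte ICMP header, 56 bytes of data."""
    return {"proto": "icmp", "src": src, "icmp_type": "echo-reply", "len": length}


def ping_walkthrough():
    """Replay the INPUT example: drop echo replies from 172.16.6.74, send three,
    read the counters, delete rule 1 and try again."""
    fw = Filter()
    fw.append("INPUT", Rule("DROP", src="172.16.6.74", proto="icmp", icmp_type="echo-reply"))
    blocked = [fw.verdict("INPUT", echo_reply("172.16.6.74")) for _ in range(3)]
    other_host = fw.verdict("INPUT", echo_reply("172.16.6.10"))
    counters = fw.counters("INPUT")
    fw.delete("INPUT", 1)
    restored = fw.verdict("INPUT", echo_reply("172.16.6.74"))
    return blocked, other_host, counters, restored


def forgotten_rule(policy):
    """The same rule set under a default-deny and a default-allow policy, with the
    http rule 'forgotten': deny breaks the service visibly, allow leaves every
    unlisted port open silently."""
    fw = Filter()
    fw.set_policy("INPUT", policy)
    fw.new_chain("log-and-drop")
    fw.append("log-and-drop", Rule("LOG"))
    fw.append("log-and-drop", Rule("DROP"))
    fw.append("INPUT", Rule("ACCEPT", proto="tcp", dport=22))        # ssh: remembered
    fw.append("INPUT", Rule("log-and-drop", proto="tcp", dport=23))  # telnet: explicitly refused

    def probe(port):
        return fw.verdict("INPUT", {"proto": "tcp", "dport": port, "len": 60})

    return {"http": probe(80), "unlisted": probe(8080), "telnet": probe(23), "logged": len(fw.log)}
```

With the DROP policy the forgotten http rule shows up immediately as a broken service; with the ACCEPT policy the same omission leaves port 8080 (and every other port nobody wrote a rule for) open without any log line, which is exactly the silent hole the earlier section warns about.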

Now let us set up the rules required for a minimal firewall. It will allow ssh, the domain name service (DNS), http and smtp, and nothing else.
For convenience the configuration commands are written into a shell script, which makes the configuration easier. The script starts by flushing the current configuration before installing the new one. This small trick allows the script to be run while a configuration is active without the risk of duplicating rules.

rc.firewall

#!/bin/sh

# Read the interface and address variables (BAD_IFACE, DMZ_IFACE, DMZ_ADDR)
. /etc/init.d/net.vars

# Flush the existing rules
iptables -F
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD


# The chains are named after the direction of the traffic:
# bad = eth0 (outside)
# dmz = eth1 (inside)
# Each user chain is deleted (-X) and recreated (-N), so the script
# can be run again on top of an active configuration
iptables -X bad-dmz
iptables -N bad-dmz
iptables -X dmz-bad
iptables -N dmz-bad
iptables -X icmp-acc
iptables -N icmp-acc
iptables -X log-and-drop
iptables -N log-and-drop

# Dedicated chain that logs packets before dropping them
iptables -A log-and-drop -j LOG --log-prefix "drop "
iptables -A log-and-drop -j DROP

# Packets with every TCP flag set are dropped, and so are packets
# with no flag at all (both are typical of Nmap scans)
iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j log-and-drop
iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j log-and-drop

# Packets with a source address in a reserved (private) range are
# dropped, and so are multicast sources.
# Note: the 10.1.2.96/28 subnet of this article stands in for a public
# range; if the protected network really uses private addresses, the
# matching rule below must be limited to the external interface
# (-i $BAD_IFACE), otherwise it also drops the local network's traffic
iptables -A FORWARD -i eth+ -s 224.0.0.0/4 -j log-and-drop
iptables -A FORWARD -i eth+ -s 192.168.0.0/16 -j log-and-drop
iptables -A FORWARD -i eth+ -s 172.16.0.0/12 -j log-and-drop
iptables -A FORWARD -i eth+ -s 10.0.0.0/8 -j log-and-drop

# Packets in an invalid connection-tracking state are dropped,
# packets belonging to an already established connection are accepted
iptables -A FORWARD -m state --state INVALID -j log-and-drop
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# The packet is sent to the chain matching its direction
iptables -A FORWARD -s $DMZ_ADDR -i $DMZ_IFACE -o $BAD_IFACE -j dmz-bad
iptables -A FORWARD -o $DMZ_IFACE -j bad-dmz
# Everything else is logged and dropped
iptables -A FORWARD -j log-and-drop

# Accepted ICMP types
iptables -A icmp-acc -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A icmp-acc -p icmp --icmp-type source-quench -j ACCEPT
iptables -A icmp-acc -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A icmp-acc -p icmp --icmp-type echo-request -j ACCEPT
iptables -A icmp-acc -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A icmp-acc -j log-and-drop

# Outside -> Inside chain
# mail, DNS, http(s) and SSH are accepted
iptables -A bad-dmz -p tcp --dport smtp -j ACCEPT
iptables -A bad-dmz -p udp --dport domain -j ACCEPT
iptables -A bad-dmz -p tcp --dport domain -j ACCEPT
iptables -A bad-dmz -p tcp --dport www -j ACCEPT
iptables -A bad-dmz -p tcp --dport https -j ACCEPT
iptables -A bad-dmz -p tcp --dport ssh -j ACCEPT
iptables -A bad-dmz -p icmp -j icmp-acc
iptables -A bad-dmz -j log-and-drop

# Inside -> Outside chain
# mail, DNS, http(s) and telnet are accepted
iptables -A dmz-bad -p tcp --dport smtp -j ACCEPT
iptables -A dmz-bad -p tcp --sport smtp -j ACCEPT
iptables -A dmz-bad -p udp --dport domain -j ACCEPT
iptables -A dmz-bad -p tcp --dport domain -j ACCEPT
iptables -A dmz-bad -p tcp --dport www -j ACCEPT
iptables -A dmz-bad -p tcp --dport https -j ACCEPT
iptables -A dmz-bad -p tcp --dport telnet -j ACCEPT
iptables -A dmz-bad -p icmp -j icmp-acc
iptables -A dmz-bad -j log-and-drop

# Chains for the firewall machine itself
iptables -X bad-if
iptables -N bad-if
iptables -X dmz-if
iptables -N dmz-if
iptables -A INPUT -i $BAD_IFACE -j bad-if
iptables -A INPUT -i $DMZ_IFACE -j dmz-if

# External interface
# Only SSH is accepted on the firewall machine itself
iptables -A bad-if -p icmp -j icmp-acc
iptables -A bad-if -p tcp --dport ssh -j ACCEPT
iptables -A bad-if -p tcp --sport ssh -j ACCEPT
iptables -A bad-if -j log-and-drop

# Internal interface
iptables -A dmz-if -p icmp -j icmp-acc
iptables -A dmz-if -j ACCEPT

A few words about quality of service. Linux can modify the ToS ("type of service") field and change its value to give packets different priorities. For example, the following command marks outgoing SSH packets to improve the responsiveness of the connection.

iptables -t mangle -A OUTPUT -p tcp --dport ssh -j TOS --set-tos Minimize-Delay

In the same way, for FTP connections, you can use the '--set-tos Maximize-Throughput' option to improve transfer speed.

That's all. You now know the basics of setting up a packet-filtering system. Keep in mind, however, that a firewall is not a panacea where security is concerned. It is only one more precaution. Installing a firewall does not free you from using good (strong) passwords, the latest security patches, intrusion detection systems and so on.

 

Links to further resources

 


Webpages maintained by the LinuxFocus Editor team
© Vincent Renardias, FDL
LinuxFocus.org
Translation information:
fr --> -- : Vincent Renardias <vincent(at)renardias.com>
fr --> en: Georges Tarbouriech <gt(at)linuxfocus.org>
en --> ru: Leonid Voronin <gooamoko(at)rambler.ru>

2003-05-24, generated by lfparser version 2.31