Author: Vincent Renardias <vincent(at)renardias.com>
About the author: A GNU/Linux user since 1993, Vincent Renardias has been involved in its development since 1996: Debian developer, French translator of GIMP and of the GNOME desktop, founder of the Linux User Group in Marseille (PLUG)... Now R&D manager at EFB2, he keeps contributing to GNU/Linux.
Russian translation: Leonid Voronin <gooamoko(at)rambler.ru>
Abstract:
This article was first published in a Linux Magazine France special issue focusing on security. The editor, the authors and the translators kindly allowed LinuxFocus to publish every article from this special issue. Accordingly, LinuxFocus will bring them to you as soon as they are translated into English. Thanks to everyone involved in this work. This abstract is reproduced in every article with the same origin.
One of the good ways to prevent intrusion attempts is to filter out what is useless on the network.
This task is usually assigned to a machine acting as a firewall.
In this article we provide the basics needed to build and configure such a system.
The filtering mechanism can be thought of as a net that catches some unwanted packets. The whole point is to choose the right mesh size and the right place to put the net.
For the filtering mechanism to filter packets properly, it must be physically placed between the protected network and the "outside world". In practice this is done with a machine that has two network interfaces (usually Ethernet), one connected to the internal network and the other to the router through which the outside network is reached. All communication then has to pass through the firewall, which blocks it or lets it through depending on its content.
The filtering machine can be set up in three different ways:
- "Simple" gateway: the most frequently used configuration. The machine is used as a gateway between two networks or subnets. The machines on the local network must be configured to use the firewall, instead of the router, as their default route (default gateway).
- "Proxy-ARP" gateway: the previous configuration implies splitting the network into two subnets, which loses half of the IP addresses available to the network. This is rather annoying. For instance, out of a 16-address subnet (a 28-bit netmask) only 14 addresses are usable, since the network address and the broadcast address are reserved. Adding one more bit to the netmask reduces the usable addresses from 14 to 6 (8 addresses minus the network and broadcast addresses). When you cannot afford to lose half of the available IP addresses, you can use this solution, which is explained later in this article. Moreover, it requires no change to the network configuration of either the router or the protected machines.
- Ethernet bridge: setting up an Ethernet-level gateway (not an IP gateway) makes the filtering mechanism invisible to the other machines. Such a configuration can be done without assigning any IP address to the Ethernet interfaces, in which case the machine cannot be discovered with ping, traceroute and the like. Note that, at the time this article was written, packet filtering in this configuration required a 2.2.x kernel; the port of this feature to the 2.4.x kernels was not yet finished.
Now that we know where to place our filter, we must define what it will block and what it will let through.
There are two ways to set up such a filter:
- The first, good one: block every packet except those explicitly allowed by a rule.
- The second, bad one (but unfortunately often used): explicitly forbidden packets are blocked and everything else is let through.
The reason is simple. In the first case, a forgotten rule results in a service not working, or not working properly. This is usually noticed quickly, and the rules needed to make the service work again are added.
In the second case, a forgotten rule creates a potential hole, which is often very hard to detect... if it is detected at all.
The most widely used packet filtering software on Linux is Netfilter, the welcome successor of 'ipchains' used with the 2.2 kernels. Netfilter consists of two parts: the kernel support, which must be compiled into your kernel, and the 'iptables' command, which must be available on your system.
A commented example is better than a long speech. We now describe how to install and configure the filtering mechanism. First the machine is configured as a gateway using proxy ARP, to save IP addresses; then the filtering itself is set up.
The author prefers the Debian distribution for such a system, but any other distribution can be configured the same way.
First, check that your kernel supports Netfilter. If it does, the boot messages (see dmesg) should contain:
ip_conntrack (4095 buckets, 32760 max)
ip_tables: (c)2000 Netfilter core team
Otherwise you will have to rebuild the kernel after enabling Netfilter support. The corresponding options are in the "Network Packet Filtering" submenu of the "Networking Options" menu; select the ones you need in the "Netfilter Configuration" section. If in doubt, you can select them all. It is also better to build Netfilter into the kernel rather than as modules: if for any reason a Netfilter module is missing or not loaded, no filtering happens at all, and we had better not talk about the risk that implies.
You may also install the 'iproute2' package (not mandatory, but our example uses it because it makes the configuration script simpler). On Debian, installing it is as simple as 'apt-get install iproute'.
On other distributions, look for the corresponding package; install it the usual way or build it from the sources, which can be downloaded from:
ftp://ftp.inr.ac.ru/ip-routing/
Now the two Ethernet cards must be configured. Note that the Linux kernel, when probing for hardware with a driver built into the kernel, stops looking for network cards as soon as it has found the first one, so only the first card gets detected. An easy fix is to add the following line to lilo.conf:
append="ether=0,0,eth1"
Now the Ethernet interfaces must be configured. The method we chose allows the same IP address to be used for both cards, thus saving one address.
Suppose we have the subnet 10.1.2.96/28, whose addresses run from 10.1.2.96 to 10.1.2.111 inclusive. The router has the address 10.1.2.97 and our filtering machine 10.1.2.98. Interface eth0 is connected to the router, with a crossover RJ-45 cable if the two cards are connected directly without a hub or switch; interface eth1 is connected to a hub/switch and from there to the machines of the local network.
Accordingly, both interfaces are configured with the following parameters:
address  : 10.1.2.98
netmask  : 255.255.255.240
network  : 10.1.2.96
broadcast: 10.1.2.111
gateway  : 10.1.2.97
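Before typing the addresses above into two interface configurations, it is worth checking the plan: that the range really is 10.1.2.96 to 10.1.2.111, that 14 hosts fit, and that splitting it into two /29 would leave only 6 on each side, as discussed in the proxy-ARP section. The following is an added example, not code from the article: a few POSIX shell functions that compute network, broadcast and usable host count for a prefix and test whether an address falls inside it. Only the article's example addresses are used; there are no other assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): sanity-check an
# addressing plan such as 10.1.2.96/28 before configuring the firewall.

# ip2int 10.1.2.96 -> 167838304 (dotted quad to 32-bit integer)
ip2int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int2ip 167838304 -> 10.1.2.96
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# netmask_of 28 -> 4294967280 (0xFFFFFFF0)
netmask_of() {
    echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# cidr_info 10.1.2.96/28 -> "network=10.1.2.96 broadcast=10.1.2.111 usable=14"
cidr_info() {
    addr=${1%/*}
    plen=${1#*/}
    mask=$(netmask_of "$plen")
    a=$(ip2int "$addr")
    net=$(( a & mask ))
    bcast=$(( net | (~mask & 0xFFFFFFFF) ))
    usable=$(( (1 << (32 - plen)) - 2 ))   # minus network and broadcast
    echo "network=$(int2ip "$net") broadcast=$(int2ip "$bcast") usable=$usable"
}

# in_subnet 10.1.2.98 10.1.2.96/28 -> exit status 0 if the address is inside
in_subnet() {
    mask=$(netmask_of "${2#*/}")
    a=$(ip2int "$1")
    b=$(ip2int "${2%/*}")
    [ $(( a & mask )) -eq $(( b & mask )) ]
}

# The article's range, and what the "simple gateway" split would turn it into
for net in 10.1.2.96/28 10.1.2.96/29 10.1.2.104/29; do
    cidr_info "$net"
done
for host in 10.1.2.97 10.1.2.98 10.1.2.112; do
    if in_subnet "$host" 10.1.2.96/28; then
        echo "$host is inside 10.1.2.96/28"
    else
        echo "$host is NOT inside 10.1.2.96/28"
    fi
done
```

The two /29 lines show the cost the article mentions: 6 + 6 usable addresses instead of 14, which is what the proxy-ARP configuration avoids.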
Then the following script, which must run after the initial configuration of the network cards, completes the setup.

net.vars: configuration variables

PREFIX=10.1.2
DMZ_ADDR=$PREFIX.96/28
# Interface definitions
BAD_IFACE=eth0
DMZ_IFACE=eth1
ROUTER=$PREFIX.97

net-config.sh: network configuration script

#!/bin/sh
# Uncomment the next line to display the commands as they are executed
# set -x

# Read the variables defined in the previous file
. /etc/init.d/net.vars

# Remove the routes to the local network that the interface
# configuration created on both cards
ip route del $DMZ_ADDR dev $BAD_IFACE
ip route del $DMZ_ADDR dev $DMZ_IFACE

# The local network is reached through eth1 and the router through eth0
ip route add $ROUTER dev $BAD_IFACE
ip route add $DMZ_ADDR dev $DMZ_IFACE

# Enable proxy ARP on both interfaces
echo 1 > /proc/sys/net/ipv4/conf/$BAD_IFACE/proxy_arp
echo 1 > /proc/sys/net/ipv4/conf/$DMZ_IFACE/proxy_arp

# Enable IP forwarding, so that packets arriving on one card
# can be routed to the other one
echo 1 > /proc/sys/net/ipv4/ip_forward
Now let us come back to the proxy-ARP mechanism our configuration relies on.
For a machine to talk to another one on the same network, it needs to know the Ethernet address (also called MAC address or hardware address) corresponding to the other machine's IP address. The source machine therefore sends a request: "What is the MAC address of the interface having IP address 1.2.3.4?", and the target machine answers.
Here is such an exchange, as seen with tcpdump:
- Request: machine 172.16.6.72 asks for the MAC address corresponding to IP address 172.16.6.10.
19:46:15.702516 arp who-has 172.16.6.10 tell 172.16.6.72
- Reply: machine 172.16.6.10 gives the address of its network card.
19:46:15.702747 arp reply 172.16.6.10 is-at 0:a0:4b:7:43:71
This leads to the following short explanation: ARP requests are sent as broadcasts, which are confined to a single physical network. Thus a request from a protected machine for the router's MAC address never reaches the router, because the filtering machine does not forward broadcasts. Enabling proxy ARP solves this: on each of its interfaces the filtering machine answers ARP requests for addresses that lie on the other side with its own MAC address, so the requesting machine sends its packets to the firewall, which filters them and routes them on.
At this point you should have a working network, with one machine handling all the traffic between the local network and the outside.
We now set up the filtering using Netfilter.
Netfilter allows acting directly on the packet flow. In the simplest configuration, packets are handled by three rule chains:
- INPUT: packets entering through an interface and addressed to the machine itself,
- FORWARD: packets routed from one interface to another,
- OUTPUT: packets generated by the machine and leaving through an interface.
The 'iptables' command adds, modifies and removes rules in each of these chains to change the filtering behaviour. Each chain also has a default policy, which defines what happens to a packet that matches no rule in the chain.
The four most common targets are:
- ACCEPT: the packet is allowed through,
- REJECT: the packet is discarded and an error packet is sent back (an ICMP port unreachable by default, or a TCP RST with '--reject-with tcp-reset'),
- LOG: a record of the packet is written to the system log; the packet then continues through the chain, so a LOG rule is normally followed by a DROP or ACCEPT rule,
- DROP: the packet is silently discarded, no reply is sent.
Here are the main iptables options for managing chains; we detail them later:
-N: creates a new chain.
-X: deletes an (empty) user-defined chain.
-P: changes the default policy of a built-in chain.
-L: lists the rules of a chain.
-F: flushes all the rules of a chain.
-Z: resets the byte and packet counters of a chain.
The following commands modify a chain:
-A: appends a rule at the end of the chain.
-I: inserts a rule at a given position in the chain.
-R: replaces the rule at a given position in the chain.
-D: deletes a rule from the chain, given either its number or its description.
Let us look at a small practical example: we block ping replies (ICMP packets of type 'echo-reply') coming from a given machine.
First, make sure that the machine answers ping:
# ping -c 1 172.16.6.74
PING 172.16.6.74 (172.16.6.74): 56 data bytes
64 bytes from 172.16.6.74: icmp_seq=0 ttl=255 time=0.6 ms

--- 172.16.6.74 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.6/0.6/0.6 ms
Now add to the INPUT chain a rule matching ICMP echo replies ('-p icmp --icmp-type echo-reply') coming from 172.16.6.74 ('-s 172.16.6.74'); these packets are silently discarded ('-j DROP'):
# iptables -A INPUT -s 172.16.6.74 -p icmp --icmp-type echo-reply -j DROP
Now ping the machine again:
# ping -c 3 172.16.6.74
PING 172.16.6.74 (172.16.6.74): 56 data bytes

--- 172.16.6.74 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
As expected, the replies did not get through. We can check that three packets were blocked (3 packets, 252 bytes: each reply is 20 bytes of IP header, 8 of ICMP header and 56 of data):
# iptables -L INPUT -v
Chain INPUT (policy ACCEPT 604K packets, 482M bytes)
 pkts bytes target prot opt in  out source      destination
    3   252 DROP   icmp --  any any 172.16.6.74 anywhere
To restore the initial state, just delete the first rule of the INPUT chain:
# iptables -D INPUT 1
Now ping works again:
# ping -c 1 172.16.6.74
PING 172.16.6.74 (172.16.6.74): 56 data bytes
64 bytes from 172.16.6.74: icmp_seq=0 ttl=255 time=0.6 ms

--- 172.16.6.74 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.6/0.6/0.6 ms
#
It works!
You can add other chains to the three built-in ones (which you cannot delete anyway) and send part of the traffic through them. This is useful, for instance, to avoid duplicating the same rules in several chains.
Now let us set up the rules for a minimal firewall. It will allow SSH, DNS, HTTP(S) and SMTP (plus outbound telnet and a few ICMP types) and nothing else.
For convenience, the configuration commands are put into a shell script. The script starts by flushing the current configuration before installing the new one; this small trick lets it be run while a configuration is active, without duplicating rules. Be aware, though, that between the flush and the final log-and-drop rules the chains are back to their default policy (ACCEPT here), so the firewall is briefly wide open while the script runs. Setting the policies to DROP before flushing, or loading the whole rule set in one step with iptables-restore, closes that window.

rc.firewall

#!/bin/sh
# Read the interface and address definitions ($BAD_IFACE, $DMZ_IFACE, $DMZ_ADDR)
. /etc/init.d/net.vars

# Flush all the rules
iptables -F
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD

# One chain per traffic direction.
# bad = eth0 (outside)
# dmz = eth1 (inside)
# (the -X commands fail harmlessly the first time, when the chains do not exist yet)
iptables -X bad-dmz
iptables -N bad-dmz
iptables -X dmz-bad
iptables -N dmz-bad
iptables -X icmp-acc
iptables -N icmp-acc
iptables -X log-and-drop
iptables -N log-and-drop
iptables -X bad-if
iptables -N bad-if
iptables -X dmz-if
iptables -N dmz-if

# Chain used to log packets before dropping them
# (LOG does not terminate the chain, hence the DROP rule after it)
iptables -A log-and-drop -j LOG --log-prefix "drop "
iptables -A log-and-drop -j DROP

# TCP packets with every flag set, or with no flag at all
# (often seen with Nmap scans), are dropped
iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j log-and-drop
iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j log-and-drop

# Packets claiming a multicast or private (RFC 1918) source address are dropped
# when they come from the outside. The 10.1.2.96/28 used in this article stands
# for a routable range; these rules must not match the inside interface, or they
# would drop the local network's own traffic.
iptables -A FORWARD -i $BAD_IFACE -s 224.0.0.0/4 -j log-and-drop
iptables -A FORWARD -i $BAD_IFACE -s 192.168.0.0/16 -j log-and-drop
iptables -A FORWARD -i $BAD_IFACE -s 172.16.0.0/12 -j log-and-drop
iptables -A FORWARD -i $BAD_IFACE -s 10.0.0.0/8 -j log-and-drop

# Packets that belong to no known connection are dropped;
# packets of an already established connection are accepted
iptables -A FORWARD -m state --state INVALID -j log-and-drop
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# The remaining packets go to the chain matching their direction
iptables -A FORWARD -s $DMZ_ADDR -i $DMZ_IFACE -o $BAD_IFACE -j dmz-bad
iptables -A FORWARD -o $DMZ_IFACE -j bad-dmz

# Everything else is dropped
iptables -A FORWARD -j log-and-drop

# Accepted ICMP types
iptables -A icmp-acc -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A icmp-acc -p icmp --icmp-type source-quench -j ACCEPT
iptables -A icmp-acc -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A icmp-acc -p icmp --icmp-type echo-request -j ACCEPT
iptables -A icmp-acc -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A icmp-acc -j log-and-drop

# Outside -> inside chain
# mail, DNS, http(s) and SSH are accepted
iptables -A bad-dmz -p tcp --dport smtp -j ACCEPT
iptables -A bad-dmz -p udp --dport domain -j ACCEPT
iptables -A bad-dmz -p tcp --dport domain -j ACCEPT
iptables -A bad-dmz -p tcp --dport www -j ACCEPT
iptables -A bad-dmz -p tcp --dport https -j ACCEPT
iptables -A bad-dmz -p tcp --dport ssh -j ACCEPT
iptables -A bad-dmz -p icmp -j icmp-acc
iptables -A bad-dmz -j log-and-drop

# Inside -> outside chain
# mail, DNS, http(s) and telnet are accepted
iptables -A dmz-bad -p tcp --dport smtp -j ACCEPT
iptables -A dmz-bad -p tcp --sport smtp -j ACCEPT
iptables -A dmz-bad -p udp --dport domain -j ACCEPT
iptables -A dmz-bad -p tcp --dport domain -j ACCEPT
iptables -A dmz-bad -p tcp --dport www -j ACCEPT
iptables -A dmz-bad -p tcp --dport https -j ACCEPT
iptables -A dmz-bad -p tcp --dport telnet -j ACCEPT
iptables -A dmz-bad -p icmp -j icmp-acc
iptables -A dmz-bad -j log-and-drop

# Chains for the traffic addressed to the firewall itself
iptables -A INPUT -i $BAD_IFACE -j bad-if
iptables -A INPUT -i $DMZ_IFACE -j dmz-if

# External interface: only SSH is accepted on this machine.
# Replies to sessions opened from the firewall are matched by connection
# state; accepting any packet with source port 22, as the original did,
# would let any outside host bypass this chain by sending from port 22.
iptables -A bad-if -p icmp -j icmp-acc
iptables -A bad-if -p tcp --dport ssh -j ACCEPT
iptables -A bad-if -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A bad-if -j log-and-drop

# Internal interface
iptables -A dmz-if -p icmp -j icmp-acc
iptables -A dmz-if -j ACCEPT
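The flush-then-rebuild approach leaves the chains with an ACCEPT policy and no rules for the time the script takes to run. The following is an added example, not code from the article: it produces the same minimal firewall in iptables-restore syntax so that the whole table is loaded in one atomic step, gives INPUT and FORWARD a DROP policy (so a forgotten rule breaks a service instead of opening a hole, as argued earlier), and matches replies by connection state rather than by port. Variable names follow the article's net.vars and the values are its example network; IPT_RESTORE and APPLY are assumptions of this example so that the rule set can be generated and checked without root, and the RFC 1918 anti-spoofing rules treat 10.1.2.96/28 as the routable placeholder the article uses (on a real 10.x network, drop those four rules or they will also discard the router's own ICMP). check_rules verifies, before anything is loaded, that every jump target exists, that every user-defined chain ends in a terminal rule and that the table is committed.

```shell
#!/bin/sh
# Added example (not part of the original article): the minimal firewall as
# an iptables-restore rule set, checked and then loaded atomically.
# BAD_IFACE/DMZ_IFACE/DMZ_ADDR follow the article's net.vars; IPT_RESTORE
# and APPLY are assumptions of this example (dry run unless APPLY=1).
BAD_IFACE=${BAD_IFACE:-eth0}            # outside
DMZ_IFACE=${DMZ_IFACE:-eth1}            # inside
DMZ_ADDR=${DMZ_ADDR:-10.1.2.96/28}      # protected range
IPT_RESTORE=${IPT_RESTORE:-iptables-restore}

# gen_rules: print the filter table in iptables-restore syntax.
# Built-in chains get a DROP policy; user chains end in log-and-drop.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:log-and-drop - [0:0]
:icmp-acc - [0:0]
:bad-dmz - [0:0]
:dmz-bad - [0:0]
:bad-if - [0:0]
-A log-and-drop -j LOG --log-prefix "drop "
-A log-and-drop -j DROP
-A icmp-acc -p icmp --icmp-type destination-unreachable -j ACCEPT
-A icmp-acc -p icmp --icmp-type time-exceeded -j ACCEPT
-A icmp-acc -p icmp --icmp-type echo-request -j ACCEPT
-A icmp-acc -p icmp --icmp-type echo-reply -j ACCEPT
-A icmp-acc -j log-and-drop
# bogus flag combinations, then spoofed sources arriving from the outside
-A FORWARD -p tcp --tcp-flags ALL ALL -j log-and-drop
-A FORWARD -p tcp --tcp-flags ALL NONE -j log-and-drop
-A FORWARD -i $BAD_IFACE -s 224.0.0.0/4 -j log-and-drop
-A FORWARD -i $BAD_IFACE -s 192.168.0.0/16 -j log-and-drop
-A FORWARD -i $BAD_IFACE -s 172.16.0.0/12 -j log-and-drop
-A FORWARD -i $BAD_IFACE -s 10.0.0.0/8 -j log-and-drop
# connection tracking decides everything except new connections
-A FORWARD -m state --state INVALID -j log-and-drop
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $DMZ_IFACE -o $BAD_IFACE -s $DMZ_ADDR -m state --state NEW -j dmz-bad
-A FORWARD -i $BAD_IFACE -o $DMZ_IFACE -d $DMZ_ADDR -m state --state NEW -j bad-dmz
-A FORWARD -j log-and-drop
# outside -> inside: smtp, dns, http(s), ssh
-A bad-dmz -p tcp -m multiport --dports 25,53,80,443,22 -j ACCEPT
-A bad-dmz -p udp --dport 53 -j ACCEPT
-A bad-dmz -p icmp -j icmp-acc
-A bad-dmz -j log-and-drop
# inside -> outside: smtp, dns, http(s), telnet
-A dmz-bad -p tcp -m multiport --dports 25,53,80,443,23 -j ACCEPT
-A dmz-bad -p udp --dport 53 -j ACCEPT
-A dmz-bad -p icmp -j icmp-acc
-A dmz-bad -j log-and-drop
# the firewall itself: loopback, tracked replies, ssh from the outside only
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j log-and-drop
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $BAD_IFACE -j bad-if
-A INPUT -i $DMZ_IFACE -j ACCEPT
-A INPUT -j log-and-drop
-A bad-if -p icmp -j icmp-acc
-A bad-if -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A bad-if -j log-and-drop
COMMIT
EOF
}

# rule_count: number of -A lines in the generated set
rule_count() { gen_rules | grep -c '^-A'; }

# check_rules: every -j target must be a declared chain or a built-in target,
# every user chain (policy "-") must end in a terminal rule, COMMIT must be present
check_rules() {
    gen_rules | awk '
        /^:/  { name = substr($1, 2); chain[name] = 1; if ($2 == "-") user[name] = 1 }
        /^-A/ { last[$2] = $NF
                for (i = 3; i < NF; i++) if ($i == "-j") target[$(i + 1)] = 1 }
        /^COMMIT/ { committed = 1 }
        END {
            builtin["ACCEPT"]; builtin["DROP"]; builtin["REJECT"]; builtin["LOG"]
            for (t in target)
                if (!(t in chain) && !(t in builtin)) { print "unknown target: " t; bad = 1 }
            for (c in user)
                if (last[c] != "DROP" && last[c] != "ACCEPT" && last[c] != "log-and-drop") {
                    print "chain " c " can fall through"; bad = 1 }
            if (!committed) { print "missing COMMIT"; bad = 1 }
            exit bad + 0
        }'
}

# load_rules: check first; load atomically only when APPLY=1
load_rules() {
    check_rules || return 1
    if [ "${APPLY:-0}" = 1 ]; then
        gen_rules | "$IPT_RESTORE"
    else
        echo "dry run: $(rule_count) rules pass the checks; APPLY=1 loads them with $IPT_RESTORE"
    fi
}

load_rules
```

Run it as is for a dry run; APPLY=1 loads the rules. On a remote firewall, save the current rules with iptables-save first and load from a session that restores them on failure: with a DROP policy on INPUT, a missing rule locks you out instead of leaving a hole, which is the trade-off the "good" filtering approach makes on purpose.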
A few words about quality of service. Linux can rewrite the ToS ("type of service") field of IP packets to give them different priorities. For instance, the following command (in the mangle table, which is where packets are modified) marks outgoing SSH packets to improve the interactivity of the connection:
iptables -t mangle -A OUTPUT -p tcp --dport ssh -j TOS --set-tos Minimize-Delay
In the same way, for FTP data transfers you can use '--set-tos Maximize-Throughput' to favour transfer speed.
That's it. You now know the basics of setting up a packet filtering system.
Keep in mind, however, that a firewall is not a cure-all where security is concerned. It is just one more precaution. Installing a firewall does not dispense you from using good (strong) passwords, applying the latest security patches, running intrusion detection systems, and so on.
Webpages maintained by the LinuxFocus Editor team
© Vincent Renardias, FDL LinuxFocus.org
2003-05-24, generated by lfparser version 2.31