温馨提示×

温馨提示×

您好,登录后才能下订单哦!

密码登录×
登录注册×
其他方式登录
点击 登录注册 即表示同意《亿速云用户服务条款》

O'REILLY iptables 笔记

发布时间:2020-03-26 13:05:12 来源:网络 阅读:533 作者:ggh5271 栏目:安全技术
1  introduction
iptable 工作在osi 网络层 和数据链路层
   example
  1.   iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j DNAT  --to-destination 192.168.1.3:8080

    1. 解析:

    2. -t  nat    operate the table

    3. -A PERROUTING     by appending the following rule to its PREROUTING chain

    4. -i   eth0       match pactets coming in on the eth2 network interface

    5.  -p   tcp      use tcp protocol

    6. --dport 80    intended for local port 80

    7. -j DNAT      jump to the DNAT target

    8. --to-destination  change the destination address to 192.168.1.3

    9. 192.168.1.3:8080  destination port 80

  2. iptables defines five hook points

    1. PREROUTING

    2. INPUT

    3. FORWARD

    4. POSTROUTING

    5. OUTPUT

  3. tables   comes with three built-in tables

    1. filter   used to set polices for type of traffic allowed into  through and out of the computer.unless you refer to a different table explicitly,iptables operate on chains within this table by default.its built-in chains are FORWARD INPUT OUTPUT

    2. mangles used for specialized packet alteration,built-in chains are FORWARD INPUT OUTPUT POSTROUTING PEROUTING

    3. nat used with connection tracking to rediect connection for network address translation;typically based on source or destination address tis built-in chain are OUTPUT,POSTROUTING PREROUTING

  4. chains      default,each table has chains ,which are initally empty,for some or all of the hook points.  you can create your own custom chains to organize your rules. all user-defined chains have an implict policy of RETURN that cannot be changed.

  5. rules

  6. Matches

  7. targets   built-in four targets

    1. ACCEPT   let the packet through to the next stage of processing stop traversing the  current chain,start

    2. DROP

    3. QUEQU send the packet ro userspace.see the libipq manpage for more information

    4. From a rule in a user-defined chain, discontinue processing this chain, and resume traversing the calling chain at the rule following the one that had this chain as its target. From a rule in a built-in chain, discontinue processing the packet and apply the chain’s policy to it. See the previous section “Chains” for more information about chain policies.

  8. aplications

    1. packet filtering

    2. Accunting   using byte  packet counters assoiated with packet mataching criteria to moitor netwok traffic volumes.

    3. Connection tracking

    4. packet mangling

    5. network address translation (NAT)

    6. masquerading

    7. port forwarding

    8. loading balancing    Load balancing involves distributing connections across a group of servers so that higher total throughput can be achieved.One way to implement so that the destination address is selected in a round-robin fashion from a list of possible destinations

  9. configuring iptables      under refer to generic and Red Hat-specific information

    1. persistent rules  

      1. chkconfig --list iptables

      2. chkconfig --level 345 iptables on

      3. service iptables start

    2. other configure files     /proc

      1. /etc/sysct1.conf       contains settings for configurations in the /proc/sys directory that are applied at boot time.

      2. /proc/sys/net/ipv4/ip_conntrack_max          controls the size of the connection tracking table in the kernel.default value is calculated  based on the amount of RAM in your computer.you may need to increase it if you are getting "ip_conntrack:table full,dropping packet" errors in your log files

    3. connection tracking

      1. ESTABLISHED  the connection has already seen packets going in both direction.

      2. INVALID  the packet doesn't belong to any tracked connections.

      3. NEW   the packet is starting a new connection or is part of a connection that hasn't yet seen packets in both directions.

      4. RELATED   the packet is starting a new connection,but the new connection is related to an existing connection (such as the data connection for an ftp transfer

      5. @ the connection tracking logic maintains threee bits of status information

        1. ASSURED for tcp connections indicates the tcp connection setup has been completed for UDP connections,indicates its looks like a udp stream to the kernel.

        2. EXPECTED   indicates the connection was expected

        3. SEEN_REPLY  indicates that packets have gone in both directions.

      6. ipables connection tracking logic allows plug-in modules

      7. accounting

      8. NAT

        1. NAT helper modules

          1. ip_nat_amanda                                                                     Amanda backup protocol (requires CONFIG_IP_NFNAT_AMANDA kernel config)

          2. ip_nat_ftp                                                                                                                file transfer protocol(requires CONFIG_IP_NF_NAT_FTP kernel config)

          3. ip_nat_snmp_basic                                                                  simple network management protocol (requires CONFIG_IP_NF_NAT_SNMP_BASIC kernel conifig)

          4. ip_nat_tftp  t                                                                                         rivial file transfer protocol (                                                                          

        2. source NAT and Masquerading                                                           source nat is used to share a single internet connection among computers on a network.the computer attached to the internet acts as a gateway and uses

          1. iptables -t nat -A POSTROUTING to eth2 -j SNAT

          2. iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE

      9. DNAT  destination NAT

        1. iptables -t nat -A PREROUTING -i eth2 -p -tcp --dport 80 -j DNAT --to--destination 192.168.1.3:8000

      10. transparent proxying

        1. if you hava an http proxy configured to run as a transparenet proxy on you firewall computer and listen on port 8888. you can add a rule to redirect outbound http traffic to the http proxy

          1. iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j redirect --to-port 8888

      11. Load distribution and balancing

      12. stateless and stateful firewalls

      13. tools of the trade

        1. ethereal  network protocol analyzer

        2. Nessus  Remote security scanner

        3. nmap   network mapper

        4. ntop      network traffic probe

        5. tcpdump  packet capture and dumping

        6. traceroute   print the route packets take to a specific host

      14. iptable command reference

        1. -c    packet  or bytes

        2. --exact  synonym(同义)for -x

        3. -j    target  determines what to do with packets matching this rule.the target can be the name of a user-defined chain,one of the built-in targets,

        4. -M     used to load an iptables module with appending inserting  or replacing rules

        5. -n         displays numeric addresses and ports instead of looking up and displaying domain names for the IP address and displaying service names for the port numbers this can be especially useful if your dns server is slow or down.

        6. -t  table    perfroms the specified subcommand on table  if this option is not used.the subcommand operates on filter tables by default.

        7. -x    display exact numbers for packet and byte counters,rather than the default abbreviatd format with metric suffixes(K M G)

      15. the iptables subcommands

        1. -A chain rule   appends rule to chain

        2. --append synonym for -A

        3. -D chain deletes the rule at position index or matching

        4. -E rename chain to new chain

        5. -F flushes (deletes) all rules from chain

        6. --replace synonym for -R

      16. iptables Matches and targets

        1. internet protocol matches (encyclopedic广博的 format)

        2. ah match     this  match is available only if your kernel has been configured with CONFIG_IP_NF_MATCH_AH_ESP enabled

        3. connmark match     based on the packets connection mark

          1. --mark     match if the packets connection mark is equal to value after applying mask.

        4. CONNMARK target  (注意区分大小写)

          1. --set-mark value  set the packets connection mark to the integer value

          2. --save-mark  save the packets mark into the connection

          3. --retore-mark  restore the packets mark from the connection.

        5. DNAT target   the DNAT target extension is avaiable only on the PREROUTING AND OUTPUT chain of the nat table.

        6. DRIP target

        7. dscp match    use this match to identify packets with particular diffntiated services codepoint(DSCP) values in their IPV4 headers    this match is available only if your kernel has been configured with  CONFIG_IP_NF_MATCH_DSCP enabled.

        8. ecn match      CONFIG_IP_NF_MATCH_ECN enabled

        9. esp match     match IPsec protocol encapsulation headers,CONFIG_IP_NF_MATCH_AH_ESP enabled

        10. FTOS  --set-ftos value Set the IP type of service field to the decimal or hex value (this target does not accept Type of Service names). See Table34 for a list of types of service

        11. helper match  CONFIG_IP_NF_MATCH_HELPER

        12. icmp match   --icmp-type   --icmp-type

        13. O'REILLY iptables 笔记

        14. iplimit match

        15. ipv4option match

        16. length match   CONFIG_IP_NF_MATCH_LENGTH enable

        17. limit match     CONFIG_IP_NF_MATCH_LIMIT enabled

          1. iptables -A INPUT -p icmp --icmp-type ping -m limit --limit 10/s -j ACCEPT

        18. log target    CONFIG_IP_NF_TARGET enabled    

          1. --log-ip-options

          2. --log-level level

          3. --log-prefix prefix

          4. --log-tcp-options

          5. --log-tcp-sequence  log level   refer to page 49

        19. mac match   CONFIG_IP_NF_MATCH_MAC enabled

          1. --mac-source  

        20. mark match   CONFIG_IP_NF_MATCH_MARK enabled

        21. MASQUERADE target  --to-ports  CONFIG_IP_NF_TARGET_MASQUERADE

        22. multiport match  CONFIG_IP_NF_MATCH_MULTIPORT enabled

        23. netlink target   CONFIG_IP_NF_QUEQU

          1. iptable -A INPUT -p icmp --icmp-type ping -j NETLINK --nldrop

        24. NETMAP       target     CONFIG_IP_NF_TARGET      An IPv4 address consists of 32 bits, divided into a network number and a host number based on the network mask. This target strips off the network number and replaces it with a different network number

          1. iptables -t nat -A RREROUTING -d 192.168.1.10/24 -j NETMAP --to 172.16.5.0/24

        25. nth match O'REILLY iptables 笔记O'REILLY iptables 笔记O'REILLY iptables 笔记

          1. owner match    CONFIG_IP_NF_MATCH_OWNER enabled

        26. pkttype match

        27. pool match  

          1. --srcpool poll  match if the source ip address is in pool

          2. --dstpool pool  match if the destination ip address is in pool

        28. pool target

        29. psd match      the match extension attempts to detect port scans by monitoring connection attempts across port numbers it calulates and maintains a port scan value staticticO'REILLY iptables 笔记

        30. QUEUE target    match until a quota is reached.    --quota amount

        31. random match     match all traffic from ip addresses that have seen recent activity of a particulrar kind,

        32. record-rpc match

        33. REDIRECT target  CONFIG_IP_NF_TARGET enabled     --to-ports

        34. REJECT target      CONFIG_IP_NF_TARGET_REJECT enabled

        35. RETURN target  

        36. ROUTE target

          1. ROUTE target

          2. SAME target

          3. SNAT target

          4. state match  CONFIG_IP_NF_STATE

          5. sting match  iptables -A INPUT -m string .pif -j QUEQU

          6. tcp match

          7. tcpmss match   CONFIG_IP_NF_MATCH_TCPMSS enable

          8. TCPMSS target  CONFIG_IP_NF_TARGET_TCPMSS

          9. time match

          10. tos match  CONFIG_IP_NF_MATCH_TOS

          11. TOS target  CONFIG_IP_NF_TARGET_TOS

          12. ttl match     CONFIG_IP_NF_MATCH_TTL

          13. udp match  

          14. ULOG target   CONFIG_IP_NF_TARGET_ULOG and CONFIG_IP_NF_QUEUE enabled

          15. unclean match     CONFIG_IP_NF_MATCH_UNCLEAN  matches unusual or malformed ip icmp udp or tcp headers,Documentation of this match is minimal,but you could use it  for logging unusual packets here are a few of the checks it perfoms

            1. ip packet length not less than ip header length

            2. various ip fragmentation checks

            3. noozero ip protocol number

            4. unused ip bits set to zero

            5. icmp date at least two 32 bit words long

            6. icmp code appropriate for icmp type

            7. icmp packet length approgriate for icmp type

            8. udp data at least as big as the minimun-size udp header.

            9. nozero udp destination port

            10. udp fragmentation integrity checks

            11. tcp date at least as big  as the minimum-size tcp header

            12. tcp data offset and overall packet data length in accord

            13. nonzero tcp ports

            14. reserved tcp bits set to zero

            15. tcp flags match one of the patterns

            16. various integrity checks on any tcp option

        37. utility command reference

          1. iptables-restore

          2. iptables-save


向AI问一下细节

免责声明:本站发布的内容(图片、视频和文字)以原创、转载和分享为主,文章观点不代表本网站立场,如果涉及侵权请联系站长邮箱:is@yisu.com进行举报,并提供相关证据,一经查实,将立刻删除涉嫌侵权内容。

AI