Next Previous Contents

7. ¨Ï¥Î iptables

¦pªG±z»Ý­n¯S©wªº¸Ô²Ó¤F¸Ñ¡Miptables ¦³¤@­Ó«D±`¸ÔºÉªº manual page (man iptables)¡C°²¦p±z¼ô±x ipchains ªº¸Ü¡M©Î³\¥i¥Hª½±µ¸õ¨ì iptables »P ipchains ªº®t²§ (Differences Between iptables and ipchains) ¥h¬Ý¡Q¥¦­Ì¬O«D±`ªñ¦üªº¡C

±zÁÙ¥i¥H§Q¥Î iptables °µ³\¦h¤£¦Pªº¨Æ±¡®@¡C±z©Ò¶}©lªº¨º¤T­Ó¤º«Ø(buit-in) Ãì¡R INPUT¡NOUTPUT¡N©MFORWARD ¡M±z¬O¤£¯à§R°£ªº¡CÅý§Ú­Ì¬Ý¬Ý¾ã­ÓÃ쪺ºÞ²z¹B§@§a¡R

  1. «Ø¥ß¤@­Ó·sÃì (-N)¡C
  2. §R°£¤@­ÓªÅÃì (-X)¡C
  3. §ïÅܤ@­Ó¤º«ØÃ쪺­ì«h (-P)¡C
  4. ¦C¥X¤@­ÓÃ줤ªº³W«h (-L)¡C
  5. ²M°£¤@­ÓÃ줤ªº©Ò¦³³W«h (-F)¡C
  6. Âk¹s(zero) ¤@­ÓÃ줤©Ò¦³³W«hªº«Ê¥]¦r¸`(byte) °O¼Æ¾¹ (-Z)¡C

¦³¦n¨Ç¤èªk¥i¥H²ÎÄw¤@­ÓÃ줤ªº³W«h¡R

  1. ©µ¼W(append) ¤@­Ó·s³W«h¨ì¤@­ÓÃì (-A)¡C
  2. ¦bÃ줺¬Y­Ó¦ì¸m´¡¤J(insert) ¤@­Ó·s³W«h(-I)¡C
  3. ¦bÃ줺¬Y­Ó¦ì¸m´À´«(replace) ¤@±ø³W«h (-R)¡C
  4. ¦bÃ줺¬Y­Ó¦ì¸m§R°£(delete) ¤@±ø³W«h (-D)¡C
  5. §R°£(delete) Ã줺²Ä¤@±ø³W«h (-D)¡C

7.1 ·í±zªº¾÷¾¹±Ò°Ê®É¡M±z©Ò¬Ý¨ìªº

iptables ¥i¥H°µ¦¨¼Ò²Õ(module)¡M¥s°µ `iptable_filter.o' ¡M·í±z²Ä¤@¦¸¶] iptables ´N·|³Q¦Û°Ê¸ü¤J¡C¥¦¤]¥i¥H¥Ã¤[©Êªº«Ø¸m©ó®Ö¤ß¸Ì­±¡C

¦b¶]¥ô¦ó iptables ©R¥O¤§«e (¤p¤ß¡R¦³¨Ç®M¥ó(distributions) ©Î³\·|¥Î¥¦­Ìªº°_©l©R¥O½Z¨Ó¶] iptables)¡M¤º«ØÃì( `INPUT'¡N`FORWARD'¡N©M `OUTPUT' )±N¤£±a¥ô¦ó³W«h¡M©Ò¦³Ãì³£±N­ì«h³]¬° ACCEPT¡C±z¥i¥H±N iptable_filter ¼Ò²Õ¿ï¶µ³]¬° `forward=0' ¡M¨Ó§ïÅܹw³]ªº FORWARD Ãì­ì«h¡C

7.2 ¤@­Ó³æ¤@³W«hªº¹B§@

¤U­±Åý§Ú­Ì¨Ó¼ô½m¤@¤U­ì«hªº¹B¥Î§a¡M©Ò¿×¼ô¯à¥Í¥©¬O¤]¡C±z³Ì±`¥Îªº©Î³\·|¬O append (-A) ©M delete (-D) ©R¥O¡C¦Ü©ó¨ä¥¦¦p insert (-I) ©M replace (-R)¡M ¥u¬O³o¨Ç·§©Àªº©µ¦ù¦Ó¤w¡C

¨C¤@±ø³W«h³£­­©w¤F¤@²Õ±ø¥ó(conditions)»P¯S©w«Ê¥]¤ñ¹ï¡M¥H¤Î·í¥¦­Ì²Å¦X®É­n¦p¦ó³B¸m(«ü¤@­Ó`target' )¡C¤ñ¤è»¡¡M±z©Î³\­n¥á±ó©Ò¦³¨Ó¦Û127.0.0.1 ³o­Ó IP ¦a§}ªº ICMP «Ê¥]¡M¦]¦Ó§Ú­Ì³o¸Ìªº±ø¥ó´N¦¨¬°³o¼Ë¡R¨ó©w¥²¶·¬O ICMP¡M¦Ó¨Ó·½¦a§}¥²¶·¬O 127.0.0.1 ¡M¦Ó§Ú­Ìªº target(¥Ø¼Ð)±N·|¬O`DROP' ¡C

§Ú­ÌºÙ 127.0.0.1 ¬° `loopback' ¬É­±¡M´Nºâ±z¨S¦³¯u¹êªººô¸ô³s±µ¡M±z¤]·|¦³³o­Ó¬É­±ªº¡C±z¥i¥H¥Î `ping' ³o°¦µ{¦¡²£¥Í³o¼Ëªº«Ê¥] (¥¦¥u¬O°e¥X¤@­Ó type 8(echo request)ªº ICMP «Ê¥]¡M¦Ó©Ò¦³¼Ö©ó¦^À³ªº¦X§@ºÝ(cooperative hosts) «h°e¦^¤@­Ó type 0(echo reply)ªº ICMP «Ê¥])¡C¥Î¨Ó´ú¸Õ¬O«Ü¦n¥Îªº¡C

# ping -c 1 127.0.0.1
PING 127.0.0.1 (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.2 ms

--- 127.0.0.1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.2/0.2/0.2 ms
# iptables -A INPUT -s 127.0.0.1 -p icmp -j DROP
# ping -c 1 127.0.0.1
PING 127.0.0.1 (127.0.0.1): 56 data bytes

--- 127.0.0.1 ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss
#

³o¸Ì±z¥i¥H¬Ý¨ì²Ä¤@­Ó ping ¦¨¥\¤F(³o¸Ìªº `-c 1' °Ñ¼Æ¬O§i¶D ping ¥u°e¥X¤@­Ó«Ê¥])¡C

µM«á¡M§Ú­Ì¬°`INPUT' ©µ¼W(-A)¤@±ø³W«h¡M±N¨Ó¦Û 127.0.0.1(`-s 127.0.0.1') ªº ICMP ¨ó©w (`-p icmp') «Ê¥]°e¦Ü DROP ³o­Ó¥Ø¼Ð (-j DROP)¡C

µM«á§Ú­Ì¥i¥H¥Î²Ä¤G­Ó ping ¨Ó´ú¸Õ§Ú­Ìªº³W«h¡C¦bµ{¦¡©ñ±óÄ Äòµ¥«Ý¨º¨Ç¥Ã¤£¨ì¨Óªº¦^À³¤§«e¡M±N¦³¤@¬q¼È°±¡C

§Ú­Ì¦³¨â­Ó¤èªk¥i¥H²¾°£³W«h¡C­º¥ý¡M¦]¬°§Ú­Ì¥Ø«e¨î©w¦b input Ã줤¥u¦³°ß¤@¤@±ø³W«h¡M©Ò¥H§Ú­Ì¥i¥H«ü©w¼Æ¦r¨Ó²¾°£¡M¨Ò¦p¡R 

        # iptables -D INPUT 1
        #
³o¼Ë´N§â²Ä¤@±ø³W«h±q INPUT Ã줤²¾°£±¼¡C

²Ä¤G­Ó¤èªk¬O¬M®g(mirro)¤W­±ªº -A ©R¥O¡M¦ý¥Î -D ¨Ó¥N´À -A ¦Ó¤w¡C·í±z¦³¤@­ÓÃì¡M¸Ì­±¼g¦³«D±`½ÆÂøªº³W«h¡M¦Ó¤S¤£·Q³v¦æ¼Æ¥X²Ä 37 ¦æ´N¬O±z­nªº¨º±ø³W«h¡M³o®É­Ô¡M³o¤èªk´N«D±`¦³¥Î¤F¡C 

        # iptables -D INPUT -s 127.0.0.1 -p icmp -j DROP
        #
¦b©R¥O¦æ¤¤¡M¨ä»yªk¬O -D ¥²¶·©M -A (©Î -I¡N©Î -R) ©R¥Oªº¦ì¸m¤@­P¡C¦pªG¦b¦P¤@­ÓÃ줤¦³¼Æ±ø¬Û¦Pªº³W«h¡M¨º»ò¥u¦³²Ä¤@±ø·|³Q²¾°£±¼¡C

7.3 ¹LÂo³W®æ

§Ú­Ì¤w¸g¬Ý¹L¥Î `-p' ¨Ó«ü©w¨ó©w¡M¥H¤Î¥Î `-s' ¨Ó«ü©w¨Ó·½¦a§}¡M¦ýÁÙ¦³¨ä¥¦¿ï¶µ§Ú­Ì¬O¥i¥H¥Î¨Ó«ü©w¥X¤@­Ó«Ê¥]ªº¯S©º¡C©³¤U¬O¤@­Ó§¹¾ãªº·§­z¡C

«ü©w¨Ó·½©M¥Øªº¦a¤§ IP ¦a§}

§Ú­Ì¥i¥H¥Î¥|ºØ¤èªk¨Ó«ü©w¨Ó·½(`-s'¡N©Î`--source'¡N©Î `--src') ©M¥Øªº¦a(`-d'¡N©Î`--destination'¡N©Î`--dst') IP ¦a§}¡C³Ì±`¥Îªº¤èªk¬O¨Ï¥Î§¹¾ã¦WºÙ¡M¨Ò¦p `localhost' ©Î `www.linuxhq.com' ¡C²Ä¤GºØ¤èªk¬O«ü©w¨ä IP ¦a§}¡M¨Ò¦p `127.0.0.1' ¡C

²Ä¤T©M²Ä¥|ºØ¤èªk¤¹³\«ü©w¤@²Õ(group) IP¦a§}¡M¨Ò¦p `199.95.207.0/24' ©Î `199.95.207.0/255.255.255.0' ¡M³o¨â­Ó³]©w³£«ü©w¤F©Ò¦³±q 199.95.207.0 ¨ì 199.95.207.255 ¤§¶¡ªº IP ¦a§}¡Q¦Ó¦b¼Æ¦r«á­±ªº `/' ²Å¸¹¬O§i¶D¨t²Î­þ³¡¥÷ IP ¤ ¦³®Ä¡C `/32' ©Î `/255.255.255.255' ¬°¹w³]­È(©Ò¦³ IP ­È³£¥²¶·§k¦X)¡C¥þ³¡¥Î `/0' ¨Ó«ü©w IP ¦a§}¤]¬O¥i¦æªº¡M¨Ò¦p¡R 

        [ NOTE: `-s 0/0' is redundant here. ]
        # iptables -A INPUT -s 0/0 -j DROP
        #

¤£¹L³o«D±`¤Ö¥Î¡M¦]¬°¥H¤Wªº®ÄªG©M¤£«ü©w `-s' ²@µL¨â¼Ë¡C

¬Û¤Ï«ü©w

³\¦hºX¼Ð(flags)¡M¥]¬A `-s' (©Î `--source')¡N©M `-d' (©Î `--destination')¡M¥i¥H¦b¥¦­Ì«e­±©ñ¸m¤@­Ó `!' ²Å¸¹(µo­µ¬°`not') ¡M¨Ó²Å¦X©Ò¦³«D(NOT)¨ä½á¤©­Èªº¦a§}¡C¤ñ¤è»¡¡M`-s ! localhost' ²Å¦X©Ò¦³«D(not) ¨Ó¦Û¥»¾÷ªº«Ê¥]¡C

«ü©w¨ó©w

¨ó©w¥i¥H¥Î `-p' (©Î `--protocol') ºX¼Ð¨Ó«ü©w¡C¨ó©w¥i¥H¬°¤@­Ó¸¹½X(°²¦p±zª¾¹D IP ¨ó©w¼Æ­Èªº¸Ü)¡M©Î¬O¤@­Ó½Ñ¦p `TCP'¡N©Î`UDP'¡N©Î`ICMP' ³o¼Ëªº¦WºÙ¡C¤j¤p¼g¨SÃö«Y¡M©Ò¥H `tcp' ©M `TCP' ³£¥i¥H¤u§@¡C

¨ó©w¤]¥i¥H¥[¤W¤@­Ó `!' «e¸m²Å¸¹¡M¨Ï¤§¬Û¤Ï¡C¨Ò¦p `-p ! TCP' «h«ü©w¤F©Ò¦³«D TCP ªº«Ê¥]¡C

«ü©w¬É­±

§Ú­Ì¥Î `-i' (©Î `--in-interface') ©M `-o' (©Î `--out-interface') ¿ï¶µ¨Ó«ü©w¤@­Ó²Å¦Xªº¬É­±(interface)¡C¤@­Ó¬É­±´N¬O«Ê¥]¶i¤J(`-i') ¡M©Î¶Ç¥X(`-o')¤§ª«²z³]³Æ¡C±z¥i¥H¥Î ifconfig ©R¥O¦C¥X­þ¨Ç¬É­±¬O¶]°_¨Ó(`up' )ªº¡C

¬ï¶V INPUT Ã쪺«Ê¥]¤£·|¦³¶Ç¥X(output)¬É­±ªº¡M©Ò¥H¡M¥ô¦ó¦bÃ줤¨Ï¥Î `-o' ¿ï¶µªº³W«h³£¤£»P¤§²Å¦X¡C¦P¼Ëªº¡M¬ï¶V OUTPUT Ã쪺«Ê¥]¤]¤£·|¦³¶Ç¤J(input)¬É­±¡M©Ò¥H¦bÃ줤¥ô¦ó±a `-i' ¿ï¶µªº³W«h¤]¬O¤£²Å¦Xªº´N¬O¤F¡C

¶È¶È¬O¬ï¶V FORWARD Ã쪺«Ê¥]¤ ·|¦P®É¦³¶Ç¤J©M¶Ç¥X¬É­±¡C

«ü©w¤@­Ó¤£¦s¦bªº¬É­±¬O§¹¥þ¦Xªk(legal)ªº¡Q¤Ï¥¿¦b¬É­±ÁÙ¨S°_¨Ó¤§«e¡M³o±ø³W«h¬O¤£·|²Å¦Xªº¡C³o¹ï©ó PPP ¼·±µ(³q±`·|¬Oppp0) ©Î¬ÛÃþ³s½u¡M´N·¥¤§¦³¥Î¤F¡C

¨Ò¦p¦b¤@­Ó¯S®í¨Ò¤l¤¤¡M¬É­±¬O¥Î¤@­Ó `+' µ²§Àªº¸Ü¡M´Nªx«ü©Ò¦³¥H¦¹¦r¦ê¶}ÀYªº¬É­±(¤£ºÞ¥¦­Ì¥Ø«e¬O§_°_¨Ó¤F)¡C¨Ò¦p¡M­n«ü©w¤@±ø³W«h¨Ó²Å¦X©Ò¦³ªº PPP ¬É­±ªº¸Ü¡M-i ppp+ ¿ï¶µ´N¥i¥H¥Î¤W¤F¡C

¬É­±¦WºÙ«e­±¥i¥H¥Î¤@­Ó`!' ²Å¸¹¨Ó²Å¦X¤@­Ó»P«ü©w¬É­± ¤£ ²Å¦Xªº«Ê¥]¡C

«ü©w«Ê¥]¸H¤ù (Fragments)

¦³®É­Ô¡M¤@­Ó«Ê¥]·|¦]¬°¤Ó¤j¦Ó¤£¯à¤@¦¸¹L¶ë¶i³s½u¥h¡C·í³o¼Ëªº¨Æ±¡µo¥Í¤F¡M«Ê¥]·|³Q¤Á³Î¦¨ ¸H¤ù(fragments)¡M¦P®É·|¥H¦h­Ó«Ê¥]¨Ó¶Ç°e¡C¦Ó¥t¤@ºÝ«h­«²Õ³o¨Ç¸H¤ù¥HÁÙ­ì¾ã­Ó«Ê¥]¡C

¦ý¸H¤ùªº°ÝÃD¬O¡M²Ä¤@­Ó°_©l¸H¤ù¦³¾ã­Ó«Ê¥]ªíÀYÄæ¦ì(IP+TCP¡NUDP¡N©M ICMP)¥i¨ÑÀˬd¡M¦ý«áÄ «Ê¥]«o¥u¥]§tªíÀYªº¤p³¡¥÷(¤£±aÃB¥ ¨ó©wÄæ¦ìªº IP)¡C³o¼Ëªº¸Ü¡M­nÀˬd«áÄ ¸H¤ù¤§¨ó©wªíÀY(¤ñ¤è¥Ñ TCP¡NUDP¡N©M ICMP extensions ¦Ó¦¨)¡M´N¤£¥i¯à¤F¡C

¦pªG±z­n°µ³s½u°lÂÜ©Î NAT¡M¨º©Ò¦³¸H¤ù¦b»¼µ¹«Ê¥]¹LÂo½X¤§«e³£·|¶×¦X¦^¤@°_¡M©Ò¥H±zµL»Ý¾á¤ß¸H¤ù°ÝÃD¡C

µM¦Ó¡M­n§Ë©ú¥Õ¹LÂo³W«h¦p¦ó³B²z¸H¤ùªº¡M´NÅܱo«D±`­«­n¤F¡C¥ô¦ó³W«h­n¸ß°Ýªº¸ê®Æ¦Ó§Ú­Ì¨Ã¨S¦³®É¡M±N³Qµø¬° ¤£ ²Å¦X¡C¤]´N¬O»¡¡M²Ä¤@­Ó¸H¤ù«Ê¥]ªº³B²z©M¨ä¥¦«Ê¥]¤@¼Ë¡C¦ý²Ä¤G¤Î¤§«áªº¸H¤ù´N¤£¬O³o¼Ë¤F¡C³o¼Ëªº¸Ü¡M¤@±ø -p TCP --sport www («ü©w¨Ó·½°ð¤f¬°`www')ªº³W«h¡M±N¥Ã»·¤£©M¸H¤ù²Å¦X(°£²Ä¤@­Ó¸H¤ù¥ )¡C¬Û¤Ïªº³W«h¦p-p TCP --sport ! www ¤]¤@¼Ë´N¬O¤F¡C

¤£¹L¡M±z¥i¥H¥Î `-f' (or `--fragment') ºX¼Ð¯S§O¬°²Ä¤G¤Î¥H«áªº¸H¤ù«ü©w¤@±ø³W«h¡C¦b `-f' «e­±¥[¤W¤@­Ó `!' ¨Ó«ü©w¤@±ø³W«h ¤£ ¾A¥Î©ó²Ä¤G¤Î¥H«á¸H¤ù¡M¤]¬O¥i¦æªº¡C

³q±`¡MÅý²Ä¤G¤Î¥H«á¸H¤ù³q¹L¬O³Qµø¬°¦w¥þªº¡M¦]¬°¦pªG¹LÂo·|¼vÅT²Ä¤@­Ó¸H¤ùªº¸Ü¡M¨º»ò¤]´N¥i¥HÁקK¦b¥Ø¼Ð¥D¾÷¶i¦æ­«²Õ¡Q¦ý¬O¡M¤@¨Ç¤wª¾ªº¯ä¦äÅã¥Ü¡M¥á°e¸H¤ù«Ê¥]¥i¥H»´©öªºÅý¥D¾÷·í±¼¡C¨º¬O»Õ¤U­nÀ³¥Iªº¨Æ±¡¤F¡C

ºô¸ôª±®a­n¯d·Nªº¬O¡R·í¶i¦æ³o¼ËªºÀË´ú®É¡M¤£§¹¾ãªº«Ê¥](¤Óµuªº TCP¡NUDP¡N©M ICMP «Ê¥]·|Åý¤õÀðµ{¦¡Åª¤£¨ì°ð¤f©Î ICMP ½X©MÃþ«¬) ·|³Q¥á±ó¡C¦]¦¹¡M TCP ¸H¤ù³£¥Ñ²Ä 8 ­Ó¦ì¸m¶}©lªº *¡C

(* ĶªÌµù¡R§Ú¤]¤£¬O«Ü©ú¥Õ§@ªÌ³o¸Ì©Ò«ü¦óª«¡M­ì¤å¬O¡R¡¥So are TCP fragments starting at position 8¡¦¡C¦]¬°Ãi±o¥h½¸ê®Æ¡M¬G¤£ª¾¹D position 8 ¬O«ü TCP ªíÀY¦ì¸mÁÙ¬O¨ä¥¦¡C°²¦p±z§ä¨ìµª®×¡MÅwªï¼g«Hµ¹§Ú¥H§@¼á²M¡C)

Á|¨Ò¨Ó»¡¡M¥H¤Uªº³W«h·|¥á±ó¥ô¦ó°eµ¹ 192.168.1.1 ªº¸H¤ù¡C

# iptables -A OUTPUT -f -d 192.168.1.1 -j DROP
#

©µ¦ù iptables ¡R·sªº¤ñ¹ï(matches)

iptables ¬O ¥i©µ¦ùªº(extensible)¡M¤]´N¬O»¡¡M®Ö¤ß©M iptables ¤u¨ã¥i¥H¶i¦æÂX®i¥H´£¨Ñ·sªº¥\¯à¡C

¬Y¨Ç©µ¦ù(Extensions)¬O¼Ð·Çªº¡M¦ý¦³¨Ç«h¥i¥H»¡¬O¬£¥Í¥X¨Óªº¡C§OªºªB¤Í©Î³\·|»s°µ¥X¤@¨Ç©µ¦ù¡M¦P®É´²¼½µ¹¦X¾Aªº¥Î¤á¡C

®Ö¤ßªº©µ¦ù³q±`© ©ó®Ö¤ß¼Ò²Õ¥Ø¿ý¤º¡M¨Ò¦p /lib/modules/2.3.15/net ¡C°²¦p±zªº®Ö¤ß¬O¥Î CONFIG_KMOD ³]©w¨Ó½sĶªº¸Ü¡M¥¦­Ì¬OÀ³»Ý¨D¸ü¤Jªº¡M©Ò¥H±zµL»Ý¤â°Êªº´¡¤J¥¦­Ì¡C

µM¦Ó¡Miptables µ{¦¡ªº©µ¦ù«h³q±`¬O© ©ó /usr/local/lib/iptables/ ¸Ì­±ªº¤À¨É¨ç¦¡®w¡M©ÎªÌ¦³¨Ç´²¼½ª©¥»·|±N¥¦­Ì©ñ¶i /lib/iptables ©Î /usr/lib/iptables ¸Ì¥h¡C

©µ¦ù¦³¨â­ÓºØÃþ¡R·s¥Ø¼Ð(target)¡M©M·s¤ñ¹ï(match)¡Q¤U­±§Ú­Ì´NÁ¿Á¿·s¥Ø¼Ð§a¡C¦³¨Ç¨ó©w·|¦Û°Ê´£¨Ñ·sªº´ú¸Õ(tests)¡R¥Ø«e¦³ TCP¡NUDP¡N©M ICMP¡M¦p¤U­z¡C

¦b©R¥O«á¨Ï¥Î `-p' ¿ï¶µ§â©µ¦ù¸ü¤J¶i¨Ó¡M±z´N¥i¥H¨Ó«ü©w¤@­Ó·s´ú¸Õ¤F¡C·í©µ¦ù¿ï¶µ¤¹³\ªº®É­Ô¡M¨Ï¥Î `-m' ¨Ó¸ü¤J©µ¦ù¡M«h¥i¥H©ú½T«ü¥Ü¤@­Ó·s´ú¸Õ¡C

¦p»Ý¬Y­Ó©µ¦ùªº¨D§U¸ê®Æ¡M¥i¥H¨Ï¥Î¿ï¶µ«á±µ `-h' ©Î `--help' ±N¤§¸ü¤J(`-p'¡N `-j'¡N©Î `-m')¡M¨Ò¦p¡R 

# iptables -p tcp --help
#

TCP ©µ¦ù

¦pªG«ü©w¤F `-p tcp' ¡MTCP ¤§©µ¦ù·|¦Û°Ê¸ü¤Jªº¡C¥¦´£¨Ñ¦p¤U¿ï¶µ(¨Ã¤£²Å¦X fragments)¡C

--tcp-flags

«á±µ¤@­Ó `!' ¿ï¶µ¡M«h¦³¨â­ÓºX¼Ðªº¦r¦êÅý±z¯à°÷¹ï«ü©wªº TCP ºX¼Ð¶i¦æ¹LÂo¡C ²Ä¤@­Ó¦r¦ê¬O¾B¸n(mask)¡R¤@­Ó±z±ýÀˬdªººX¼Ð¦Cªí¡C²Ä¤G­Ó¦r¦ê¬O­n»¡­þ¨ÇªF¦è­n³]©w¡C¨Ò¦p¡R

# iptables -A INPUT --protocol tcp --tcp-flags ALL SYN,ACK -j DENY

³oªí¥Ü©Ò¦³ºX¼Ð³£­nÀˬd (`ALL' ´N¬Oªx«ü `SYN,ACK,FIN,RST,URG,PSH')¡M¦ý¥u¦³ SNY ©M ACK ³Q³]©w¦Ó¤w¡C¥t¥ ¦³¤@­Ó°Ñ¼Æ `NONE' «h¬O¨SºX¼Ðªº·N«ä¡C

--syn

¬°`--tcp-flags SYN,RST,ACK SYN' ªºÂ²¼g¡M¨ä«e­±¥i¥H³Æ¿ï¤@­Ó `!' ²Å¸¹¡C

--source-port

¨ä«á¥i¥H³Æ¿ï `!' ¡MµM«á¬O¤@­Ó³æ¿Wªº TCP °ð¤f©Î¤@­Ó°ð¤f­È°ì(range)¡C°ð¤f¥i¥H¬° /etc/services ©Ò¦C®q°ð¤f¦WºÙ¡M¤]¥i¥H¬O¤@­Ó¼Æ¦r¡C¦pªG¬O­È°ìªº¸Ü¡M¥i¥H¬O¤@¹ï¥Î`:' ²Å¸¹¤À¹jªº°ð¤f¦W¦r¡M©Î¤@­Ó°ð¤f«á­±±a `:' («ü¤j©ó©Mµ¥©ó¸Ó°ð¤f)¡M¤S©Î¬O¤@­Ó°ð¤f«e­±±a `:' («ü¤p©ó©Mµ¥©ó¸Ó°ð¤f)¡C

--sport

µ¥¦P©ó `--source-port'¡C

--destination-port

©M

--dport

»P¤W¦P¡M¥u¬O¥¦­Ì¬O¥Î¨Ó«ü©w¥Øªº¦a¦Ó«D¨Ó·½°ð¤f¥[¥H¤ñ¹ï¡C

--tcp-option

¨ä«á¥i¥H³Æ¿ï `!' ¡MµM«á¬°¤@­Ó¼Æ¦r¡M¥Î¨Ó¤ñ¹ï¤@­Ó TCP ¿ï¶µµ¥©ó¸Ó¼Æ¦rªº«Ê¥]¡C°²¦p»Ý­nÀˬd TCP ¿ï¶µ¡M¨º¨Ç TCP ªíÀY¤£§¹¾ãªº«Ê¥]´N·|¦Û°Êªº³Q¥á±ó¡C

¤@­Ó TCP ºX¼Ðªº¸ÑÄÀ

¦³®É­Ô¡M¤¹³\³æ¦V¦Ó«DÂù¦Vªº TCP ³s½u·|«Ü¦n¥Î¡C¨Ò¦p¡M±z©Î³\·Q¤¹³\³s½u¨ì¥ ³¡ WWW ¦øªA¾¹¡M¦ý«o¤£·Q¨Ó¦Û¸Ó¦øªA¾¹ªº³s½u¡C

³Ì¥®¸XªºÁ|°Ê©Î³\·|¬O¾×±¼¨Ó¦Û¸Ó¦øªA¾¹ªº TCP «Ê¥]¡C¦ý¤£©¯ªº¬O¡MTCP ³s½u®Ú¥»´N­n¨D«Ê¥]¬OÂù¦V¶Ç»¼ªº¡C

¸Ñ¨M¤§¹D¬O§â¨º¨Ç­n¨D³s½uªº«Ê¥]¾×±¼¡C³o¨Ç«Ê¥]³QºÙ¬° SYN «Ê¥](¶â¡M§Þ³N¤WÁ¿¡M¥¦­Ì¬O±a SYN ³]©wªº«Ê¥]¡M¦Ó FIN ©M ACK ¼ÐÅÒ«h¬OªÅ¥Õ¡M¥u¬O§Ú­Ì±N¤§Â²ºÙ¬° SYN «Ê¥]¦Ó¤w)¡C­n¥u­­¨î³o¼Ëªº«Ê¥]ªº¸Ü¡M§Ú­Ì´N¥i¥H¨î¤î¨º¨Ç¥ ¨Óªº³s½u¹Á¸Õ¤F¡C

`--syn' ºX¼Ð¥i¥H¥Î©ó³o¨Ç¤è­±¡R¥¦¶È¹ï¨º¨Ç«ü©w¬° TCP ¨ó©wªº³W«h¦³§@¥Î¡C¨Ò¦p¡M«ü©w¨Ó¦Û 192.168.1.1 ªº TCP ³s½u½Ð¨D¡R 

-p TCP -s 192.168.1.1 --syn

³oºX¼Ð¤]¥i¥H«á±µ¤@­Ó `!' ¨Ó¤Ï³]¡M·N«ü¨C¤@­Ó«D¸ÓÃþªì©l³s½uªº«Ê¥]¡C

UDP ©µ¦ù

¦pªG `-p udp' ³Q«ü©wªº¸Ü¡M³o¨Ç©µ¦ù´N·|¦Û°Ê¸ü¤J¡C¥¦´£¨Ñ¤F `--source-port'¡N `--sport'¡N`--destination-port'¡N¥H¤Î `--dport' ³o¨Ç¿ï¶µ¡M¤@¦p«e­zªº TCP ³]©w¡C

ICMP ©µ¦ù

¦pªG `-p icmp' ³Q«ü©wªº¸Ü¡M³o­Ó©µ¦ù´N·|¦Û°Ê¸ü¤J¡C¥¦¥u´£¨Ñ¤@­Ó·sªº¿ï¶µ¡R

--icmp-type

¨ä«á¥i¥H³Æ¿ï `!' ¡MµM«á¬O¤@­Ó icmp ¦WºÙÃþ«¬(¦p `host-unreachable' )¡M©Î¬O¤@­Ó¼Æ¦rÃþ«¬(¦p `3' )¡M©Î¬O¤@¹ï¥Î `/' ¤À¹jªº¼Æ¦rÃþ«¬©M½s½X(¦p `3/3' )¡C¨Ï¥Î `-p icmp --help' ´N¥i¥HÀò±o¤@¥÷¥i¥Î icmp Ãþ«¬¦WºÙ²M³æ¡C

¨ä¥¦¤ñ¹ïªº©µ¦ù

¦b nerfilter ®M¥ó¤¤ªº¨ä¥¦©µ¦ù«h¬O®i¥Ü©Ê(demonstration)ªº©µ¦ù¤º®e¡M¥i¥H¥Î `-m' ¿ï¶µ¨Ó©I¥s(°²¦p¤w¦w¸Ë¤Fªº¸Ü)¡C

mac

¦¹¤@¼Ò²Õ¥²¶·­n©ú½Tªº¥Î `-m mac' ©Î `--match mac' ¨Ó«ü©w¡C¥¦¥Î©ó¤ñ¹ï¶Ç¤J«Ê¥]ªº¨Ó·½ Ethernet (MAC) ¦a§}¡M¦]¦Ó¥u¹ï¨º¨Ç¬ï¶V PREROUTING ©M INPUT Ã쪺«Ê¥]°_§@¥Î¡C¥¦¥u´£¨Ñ¤@­Ó¿ï¶µ¡R

--mac-source

¨ä«á¥i¥H³Æ¿ï `!' ¡MµM«á¬O¤@­Ó¥Î«_¸¹¤À¹jªº¤Q¤»¶i¨î ethernet ¦a§}¡M¦p `--mac-source 00:60:08:91:CC:B7'¡C

limit

³o­Ó¼Ò²Õ¥²¶·©ú½Tªº¥Î `-m limit' ©Î `--match limit'¨Ó«ü©w¡C¥¦¥Î¨Ó­­¨î¤@­Ó¤ñ¹ïµ¥¯Å¡M½Ñ¦p§í¨î°O¿ý«H®§µ¥¡C¥¦¥u¯à¤ñ¹ï¤@­Ó¨C¬í¦¸¼Æ­È(¹w³]¬O¨C¤@­Ó¤p®É 3 ­Ó¤ñ¹ï¡M¦ñÀH 5 ­ÓIJµo(burst))¡C¥¦±µ¨ü¨â­Ó³Æ¿ï°Ñ¼Æ¡R

--limit

«á±µ¤@­Ó¼Æ­È¡Q«ü©w¥i¤¹³\ªº¨C¬í³Ì¤j¥­§¡¤ñ¹ï¼Æ­È¡C¸Ó¼Æ­È¥i¥H¥Î `/second'¡N`/minute'¡N`/hour'¡N©Î `/day'¡N©Î¨ä¤¤³¡¥÷ (¬G `5/second' ©M `5/s' ¬O¤@¼Ëªº)¡M¨Ó©ú½T«ü©w³æ¦ì(unit)¡M

--limit-burst

«á±µ¤@­Ó¼Æ­È¡M«ü¥Ü¥X¤Þ°_«e­z­­¨î¤§«eªº³Ì¤jIJµo¦¸¼Æ¡C

³o­Ó¤ñ¹ï±`¥Î©ó LOG ¥Ø¼Ð¡M¥H¶i¦æ¤ñ²v­­¨î(rate-limited) ¤§°O¿ý¡C¬°¤F§ó¦n¤F¸Ñ¥¦¬O¦p¦ó¤u§@ªº¡MÅý§Ú­Ì¬Ý¤@¬Ý¤U­±ªº³W«h¡M¬O¥H¹w³]­­¨î¤Þ¼Æ¨Ó°O¿ý«Ê¥]ªº¡R

# iptables -A FORWARD -m limit -j LOG

·í¦¹³W«h²Ä¤@¦¸¤Þ¥Îªº®É­Ô¡M«Ê¥]´N·|³Q°O¿ý¤U¨Ó¡Q¨Æ¹ê¤W¡M¥Ñ©ó¹w³]ªºÄ²µo¬° 5 ¡M¨º¬°­ºªº 5 ­Ó«Ê¥]´N·|°O¿ý¤U¨Ó¡CµM«á¡M¦A¹j 20 ¤ÀÄÁ¦¹³W«h¤ ·|¦A°O¿ý«Ê¥]¡M¦Ó¤£ºÞ´Á¶¡¦³¦h¤Ö­Ó«Ê¥]©è¹F¡C¦Ó¥B¡M¨C 20 ¤ÀÄÁ¦pªG¨S¦³²Å¦Xªº«Ê¥]³q¹L¡M«h·|«ì´_ (regained) ¤@­ÓIJµo¼Æ­È¡Q°²¦p 100 ¤ÀÄÁ¤º¦AµL³o¼Ëªº«Ê¥]IJ¤Î³o³W«hªº¸Ü¡M¨º»òIJµo¦¸¼Æ´N·|§¹¥þ´_­ì(recharged)¡Q¦^¨ì§Ú­Ì¶}©l®Éªºª¬ºA¡C

µù¡R±z¥Ø«e¤£¯à¥H¤j©ó 59 ¤p®Éªº´_­ì®É¶¡¨Ó«Ø¥ß¤@­Ó³W«h¡M¬G¦¹¡M°²¦p±z³]©w¤@­Ó¥­§¡²v¬°¨C¤Ñ¤@¦¸¡M¨º»ò¡M±zªºÄ²µo²v«h¤@©w­n¤Ö©ó 3 ¡C

±z¤]¥i¥H¥Î³o¼Ò²Õ¥hÁקK¥H§Ö³t¤ñ²v´£ª@ªA°È¦^À³ªºªýÂ_ªA°È§ðÀ»(DoS)¡C

Syn-flood protection¡R 

# iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT

Furtive port scanner¡R 

# iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

Ping of death¡R 

# iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

¦¹¼Ò²Õªº¤u§@­ì²z¦³ÂI¹³¡§ºI¬y»Ö¡¨¤@¼Ë¡M½Ð°Ñ¦Ò¤U­±ªº¹Ï¥Ü¡C

       rate (pkt/s)  
             ^        .---.
             |       / DoS \
             |      /       \
Edge of DoS -|.....:.........\.......................
 = (limit *  |    /:          \
limit-burst) |   / :           \         .-.
             |  /  :            \       /   \
             | /   :             \     /     \
End of DoS  -|/....:..............:.../.......\..../.
 = limit     |     :              :`-'         `--'
-------------+-----+--------------+------------------> time (s)
   LOGIC =>  Match | Didn't Match |    Match

¤ñ¤è»¡¡M§Ú­Ì¥H 5 ­Ó«Ê¥]IJµo¨Ó¤ñ¹ï¨C¬í¤@­Ó«Ê¥]¡M¦ý«Ê¥]±q¨C¬í¥|­Ó¶}©l¶Ç¤J¡M«ùÄò¤T¬í¡MµM«áµ¥¤T¬í¦A­«·s¶}©l¡C 



        <--Flood 1-->           <---Flood 2--->

Total  ^                   Line  __--      YNNN
Packets|               Rate  __--      YNNN
       |            mum  __--      YNNN
    10 |        Maxi __--         Y
       |         __--            Y
       |     __--               Y
       | __--    YNNN           
       |-    YNNN
     5 |    Y    
       |   Y                                Key:  Y -> Matched Rule
       |  Y                                       N -> Didn't Match Rule
       | Y
       |Y 
     0 +-------------------------------------------------->  Time (seconds)
        0   1   2   3   4   5   6   7   8   9  10  11  12

±z·|µo²{ÀY¤­­Ó«Ê¥]³Q¤¹³\¶W¹L¨C¬í¤@­Ó«Ê¥]¡MµM«á´N¤Þ°_­­¨î¤F¡M¦pªG¦³¤@­Ó°±·²¡M¨ä¥¦ªºÄ²µo¤]±N³Q¤¹³\¡M¦ý´N¤£¯à³q¹L³W«h³]©wªº³Ì°ª¤ñ²v(¦b¸ÓIJµo¨Ï¥Î«á¬°¨C¬í¤@­Ó«Ê¥])¡C

owner

¦¹¼Ò²Õ¬°¥»¾÷²£¥Íªº«Ê¥]¤ñ¹ï¤£¦P¯S©ºªº«Ê¥]«Ø¥ßªÌ(creator)¡C¥¦¶È¹ï OUTPUT Ã즳¥Î¡M¦Ó¥B¡M¬Æ¦Ü¬Y¨Ç«Ê¥](¦p ICMP ping responses)©Î³\¨S¦³ owner¡M±N³Qµø¬°¤£²Å¦X®@¡C

--uid-owner userid

¦pªG«Ê¥]¥Ñ¤@­Ó¦æµ{¥H¦³®Ä(¼Æ¦r¦¡) user id «Ø¥ßªº¡M«h¬°²Å¦X¡C

--uid-owner groupid

¦pªG«Ê¥]¥Ñ¤@­Ó¦æµ{¥H¦³®Ä(¼Æ¦r¦¡) group id «Ø¥ßªº¡M«h¬°²Å¦X¡C

--pid-owner processid

¦pªG«Ê¥]¥Ñ¤@­Ó¦æµ{¥H process id «Ø¥ßªº¡M«h¬°²Å¦X¡C

--sid-owner processid

¦pªG«Ê¥]¥Ñ¤@­Ó¦æµ{¥H session group «Ø¥ßªº¡M«h¬°²Å¦X¡C

unclean

¦¹¤@¹êÅç©Ê¼Ò²Õ¥²¶·¥H `-m unclean' ©Î `--match unclean' ¨Ó©ú½T«ü©w¡C¥¦·|¹ï«Ê¥]¶i¦æ¤£¦PªºÀH¾÷§PÂ_ÀË´ú¡C³o¼Ò²Õ©|¥¼³Q½]¬d¹L¡M©Ò¥H¤£À³¸Ó¥Î©ó¦w¥þ³]³Æ¤W(¥¦©Î³\·|§â¨Æ±¡·d¯{¡M¦]¬°¥¦¥»¨­©Î³\¦³¯ä¦äªº)¡C¥¦¨Ã¨S´£¨Ñ¿ï¶µ³]©w¡C

The State Match

³Ì¦³¥Îªº¤ñ¹ï§PÂ_¼Ð·Ç¥Ñ `state' ©µ¦ù©Ò´£¨Ñ¡M¥H¸àÄÀ `ip_conntrack' ¼Ò²Õªº³s½u°lÂܤÀªR¡C³o¬O«D±`­È±o¹ªÀy¨Ï¥Îªº¡C

«ü©w `-m state' «h¤¹³\¥t¤@­ÓÃB¥ ªº `--state' ¿ï¶µ¡M¥i¥H¬°¤@­Ó¨§ÂI¤À¹jªº¤ñ¹ï³¯­z¦Cªí( `!' ºX¼Ð«ü¥Ü ¤£(not) ²Å¦X¨º¨Ç³¯­z)¡C³o¨Ç³¯­z¬O¡R

NEW

¤@­Ó«Ø¥ß·s³s½uªº«Ê¥]¡C

ESTABLISHED

¤@­ÓÄÝ©ó²{¦³³s½u(¦p¡R¤w¸g¦^À³«Ê¥]¤F)¤§«Ê¥]¡C

RELATED

¤@­Ó»P²{¦³³s½u¬ÛÃö¡M¦ý«o¨Ã¤£­­©ó¨ä¤¤³¡¥÷ªº«Ê¥]¡M½Ñ¦p ICMP ¿ù» ¡M©Î¬O«Ø¥ß FTP ¼Æ¾Ú³s½uªº«Ê¥](FTP ¼Ò²Õ¤w´¡¤J)¡C

INVALID

¤@­Ó¦]¬Y¨Ç­ì¦]¤£¯à³Qų§Oªº«Ê¥]¡R³o¥]¬A°O¾ÐÅ餣¨¬©M¤£¯à¦^À³¥ô¦ó¤wª¾³s½uªº ICMP ¿ù» ¡C³q±`¡M³o¼Ëªº«Ê¥]³£·|³Q¥á±ó±¼¡C

7.4 ¥Ø¼Ð(Target)³W®æ

²{¦b¡M§Ú­Ìª¾¹D¥i¥H¹ï«Ê¥]°µ¤°»ò¼ËªºÀˬd¤F¡M§Ú­ÌÁٻݭn¤@­Ó¤èªk¨Ó»¡¥X¹ï¤@­Ó²Å¦X§Ú­Ì´ú¸Õªº«Ê¥]­n°µ¤°»ò¼Ë°Ê§@¡C³o´N¬O©Ò¿×ªº¤@±ø³W«h¤§¥Ø¼Ð(target) °Õ¡C

¦³¨â­Ó«D±`¬ÛÃþªº¤º«Ø¥Ø¼Ð¡RDROP ©M ACCEPT¡M§Ú­Ì¤w¸g±µÄ²¹L¤F¡C¦pªG¤@±ø³W«h²Å¦X¤@­Ó«Ê¥]¡M¦P®É¥Ø¼Ð¬O¨ä¤¤¤§¤@¡M¨º»ò´N¦A¨S¦³³W«h»Ý­n«t¸ß¡R«Ê¥]ªº©R¹B¤w¸g©w¤U¨Ó¤F¡C

°£¤F¤º«Ø¥ ¡M¤]¦³¨âºØÃþ«¬ªº¥Ø¼Ð¡R©µ¦ù©M¥Î¤á¦Û©wÃì¡C

¥Î¤á¦Û©wÃì

iptables ©Óŧ¤F ipchains ¤@­Ó«D±`¼F®`ªº¥\¯à¡M´N¬OÅý¨Ï¥ÎªÌ¥i¥H³Ð«Ø¥X·sÃì¡Mªþ¥[©ó¤T­Ó¤º«ØÃì(INPUT¡NFORWARD¡N©M OUTPUT)¤§¥ ¡C«öºD¨Ò¡M¥Î¤á¦Û©wÃì¥Î¤p¼g¥H¥Ü°Ï§O(«Ý·|§Ú­Ì·|¦b«á­±ªº ¦b¾ãÃì¤W¹B§@(Operations on an Entire Chain) ¨º¸Ì¸ÑÄÀ¦p¦ó¥h«Ø¥ß·sªº¥Î¤á¦Û©w³s)

·í¤@­Ó«Ê¥]²Å¦X¤@±ø¥Ø¼Ð¬°¥Î¤á¦Û©wÃ줧³W«h®É¡M«Ê¥]´N·|¶}©l¬ï¶V¥Î¤á¦Û©wÃ줤ªº³W«h¡C°²¦p¸ÓÃ쥼¯à¨M©w¥X«Ê¥]ªº©R¹B¡M«h¤@¥¹µ²§ô¬ï¶V¸ÓÃì«á¡M´N·|±µµÛ·í«eÃ줤ªº¤U¤@­Ó³W«hÄ Äò¬ï¶V¤U¥h¡C

Ä Äòª±ª± ASCII ÃÀ³N¦n¤F¡C°²³]¦³³o»ò¨â±ø(©Ç)Ãì¡RINPUT (¤º«ØÃì)¡M ©M test (¥Î¤á¦Û©wÃì)¡C

         `INPUT'                         `test'
        ----------------------------    ----------------------------
        | Rule1: -p ICMP -j DROP   |    | Rule1: -s 192.168.1.1    |
        |--------------------------|    |--------------------------|
        | Rule2: -p TCP -j test    |    | Rule2: -d 192.168.1.1    |
        |--------------------------|    ----------------------------
        | Rule3: -p UDP -j DROP    |
        ----------------------------

°²³]¤@­Ó¨Ó¦Û192.168.1.1 ªº TCP «Ê¥]¡M­n¨ì 1.2.3.4 ¨º¸Ì¥h¡C¥¦¶i¤JINPUT Ãì¡M¨Ã¨ü¨ì Rule1 ªº´ú¸Õ - ¦ý¤£²Å¦X¡C¦ý¬O²Å¦X Rule2 ¡M¥B¥¦ªº¥Ø¼Ð¬O test¡M©Ò¥H¤U¤@­Ó­nÀËÅ窺³W«h±N±q test ¶}©l¡C¦b test ¤¤ªº Rule1 ²Å¦X¡M¦ý¨Ã¨S¦³«ü©w¥Ø¼Ð¡M©Ò¥H¦AÀËÅç¤U¤@±ø³W«h¡M¤]´N¬O Rule2 ¡C¤£¹L¥¦¨Ã¤£²Å¦X¡M©Ò¥H§Ú­Ì¤w¸g©è¹F³o±øÃ쪺¥½ºÝ¤F¡CµM«á§Ú­Ì¦^¨ì INPUT Ã줤¡M¤]´N¬O§Ú­Ì­è¤ ÀËÅç Rule2 ¨º¸Ì¡M©Ò¥H§Ú­Ì²{¦b´N­nÀˬd Rule3¡M¨ÌµM¤£²Å¦X¡C

³o¼Ë¡M¸Ó«Ê¥]ªº¸ô®|¬O³o¼Ë¤lªº¡R 

                                v    __________________________
         `INPUT'                |   /    `test'                v
        ------------------------|--/    -----------------------|----
        | Rule1                 | /|    | Rule1                |   |
        |-----------------------|/-|    |----------------------|---|
        | Rule2                 /  |    | Rule2                |   |
        |--------------------------|    -----------------------v----
        | Rule3                 /--+___________________________/
        ------------------------|---
                                v

¥Î¤á¦Û©wÃì¤]¥i¥H¦A¸õ¨ì¥t¤@­Ó¥Î¤á¦Û©wÃì¥h(¦ý¤£­n°µ¦¨°j°é¡R±zªº«Ê¥]¦pªG³Qµo²{³B©ó°j°é¤¤´N·|³Q¥á±ó)¡C

iptables ¤§©µ¦ù¡R·s¥Ø¼Ð

¥t¤@Ãþ«¬ªº¥Ø¼Ð¬O¤@­Ó©µ¦ù¡C¤@­Ó¥Ø¼Ðªº©µ¦ù¥Ñ®Ö¤ß¼Ò²Õ©M¥i¿ïªº iptables ©µ¦ù²Õ¦¨¡M¥H´£¨Ñ·sªº©R¥O¦æ¿ï¶µ¡C¦b¹w³]ªº netfilter ´²¼½ª©¥»¤¤¦³¦n´X­Ó©µ¦ù¡R

LOG

¦¹¼Ò²Õ´£¨Ñ®Ö¤ß°O¿ý²Å¦Xªº«Ê¥]¡C¥¦´£¨Ñ³o¨ÇÃB¥ ¿ï¶µ¡R

--log-level

«á±µ¤@­Ó¼h¦¸(level)¸¹½X©Î¦WºÙ¡C¦Xªkªº¦WºÙ¦³(¤j¤p¼g¦³§O)¡R`debug'¡N`info'¡N`notice'¡N`warning'¡N`err'¡N`crit'¡N`alert'¡N¥H¤Î `emerg'¡M¬Û¹ïªº¸¹½X¥Ñ 7 ¨ì 0 ¡C¦U¼h¦¸¸¹½Xªº¸ÑÄÀ½Ð°Ñ¦Ò syslog.conf ªº man page¡C

--log-prefix

«á±µ¤@­Ó³Ì¦h 30 ­Ó¦r¥Àªº¦r¦ê¡C¦¹¤@«H®§¥Ñ°O¿ý«H®§¶}©l®É°e¥X¡M¥O¨ä¥i¥H­Ó§Oªº³Qų§O¥X¨Ó¡C

¦¹¼Ò²Õ±`¥Î©ó¤@­Ó­­¨î¥Ø¼Ð«á¡M©Ò¥H¡M±z¤£­nÄéÃz±zªº°O¿ýÀÉ®@¡C

REJECT

¦¹¼Ò²Õ°£¤F¦Vµo°eºÝ°e¥X¤@­Ó `port unreachable' ³o¼Ëªº ICMP ¿ù» ¥ ¡M©M `DROP' ¬O¤@¼Ëªº¡Cµù¡R¦b¤U¦C±ø¥ó¤¤¡MICMP ¿ù» «H®§±N¤£·|°e¥X(½Ð°Ñ¦Ò RFC 1122)¡R

REJECT ¥t¥ ÁÙ±µ¨ü¤@­Ó `--reject-with' ¿ï¶µ¨Ó§ó§ï¨ä¦^À³«Ê¥]¡R½Ð°Ñ¦Ò»¡©ú¤å¥ó¡C

¯S®íªº¤º«Ø¥Ø¼Ð

¦³¨âºØ¯S®íªº¤º«Ø¥Ø¼Ð¡RRETURN ©M QUEUE¡C

RETURN ©M±¼¨ì¤@­ÓÃ쪺¥½ºÝ¦³¬Û¦Pªº®ÄªG¡R¹ï¤@±ø¤º«ØÃ쪺³W«h¦Ó¨¥¡M«h±Ò¥Î¸ÓÃ쪺­ì«h¡C¹ï¤@±ø¥Î¤á¦Û©w³W«h¦Ó¨¥¡M«h·|¦^¨ì«e¤@­ÓÃ줤ĠÄò¬ï¶V¡M´N±µ¦b¸õ¨ì³o­ÓÃ쪺¨º±ø³W«h¤§«á¡C

QUEUE ¤]¬O¤@­Ó¯S®í¥Ø¼Ð¡M¥i¥H´À¨Ï¥ÎªÌªÅ¶¡(userspace)¦æµ{Àx¦C«Ê¥]¡C­n¹B¥Î¥¦¡M¨â­Ó¥\¯à²Õ¥ó¬O¥²»Ýªº¡R

IPv4 iptables ªº¼Ð·Ç queue handler ¬° ip_queue ¼Ò²Õ¡M¥¦¥Ø«e¬O¥H¹êÅç©Ê½è»P®Ö¤ß¤@°_µo§Gªº¡C

¦p¤U¬O¤@­Ó¦p¦ó¥Î iptables ¬°¨Ï¥ÎªÌªÅ¶¡¦æµ{¶i¦æÀx¦C«Ê¥]ªºÂ²³æ¨Ò¤l¡R 

# modprobe iptable_filter
# modprobe ip_queue
# iptables -A OUTPUT -p icmp -j QUEUE
¥Î¦¹³W«h¡M¥»¾÷²£¥Íªº¹ï¥  ICMP «Ê¥](¦p¥Î ping «Ø¥ß) ´N·|³Q°e¦Ü ip_queue ¼Ò²Õ¥h¡MµM«á¹Á¸Õ±N«Ê¥]¶Çµ¹¨Ï¥ÎªÌªÅ¶¡À³¥Îµ{¦¡¡C¦pªG¨S¦³¨Ï¥ÎªÌªÅ¶¡À³¥Îµ{¦¡¦bµ¥«Ýªº¸Ü¡M¸Ó«Ê¥]´N·|³Q¥á±ó¡C

­n¼g¤@­Ó¨Ï¥ÎªÌªÅ¶¡À³¥Îµ{¦¡¡M»Ý¨Ï¥Î libipq API ¡C¥¦¤]¬O©M iptables ¤@°_µo§Gªº¡Cµ{¦¡½X½d¨Ò¥i¥H¦b CVS ¤¤ªº testsuite ¤u¨ã(¦p redirect.c) §ä¨ì¡C

ip_queue ªºª¬ºA¥i¥H¥Î¦p¤U¤èªk¨ÓÀˬd¡R 

/proc/net/ip_queue
Àx¦Cªº³Ì¤jªø«×(¦p¶Ç»¼µ¹¨Ï¥ÎªÌªÅ¶¡¥BµL»Ý°e¦^µô¨M«Ê¥]¤§¼Æ¶q)¥i¥H³q¹L³o¼Ëªº¤è¦¡¨Ó±±¨î¡R 
/proc/sys/net/ipv4/ip_queue_maxlen
³Ì¤jÀx¦Cªø«×ªº¹w³]­È¬° 1024¡C¤@¥¹¹F¨ì¦¹­­¨î¡M·sªº«Ê¥]´N·|³Q¥á±ó¡Mª½¨ìÀx¦Cªø«×¶^¦^§C©ó­­¨î¤§¼Æ¬°¤î¡C¦nªº¨ó©w¡M¦p TCP¡M·|±N¥á±óªº«Ê¥]¸ÑÄÀ¬°¾ÖÀ½(congestion)¡M¦P®É²z·Q¦a¡M·íÀx¦C¶ñ°_¨Ó«á·|±N¤§¾×¦^¥h¡CµM¦Ó¡M¦pªG¹w³]­È¦b©ÒÁ|±¡§Î¤Uı±o¤Ó¤pªº¸Ü¡M©Î³\»Ý­n¤@¨Ç¹êÅç¨Ó¨M©w¨ä²z·Qªº³Ì°ªÀx¦Cªø«×¡C

7.5 ¦b¾ãÃì¤W¹B§@

iptables ªº¤@­Ó«D±`¦³¥Îªº¥\¯à¬O¡M¥¦¯à°÷²Õ¦X(group)¬ÛÃöªº³W«h©óÃ줤¡C¥u­n±z³ßÅw¡M±z¥i¥HÀH«K¬°Ãì°_¤@­Ó¦W¦r¡M¦ý§Ú«Øij±z¨Ï¥Î¤p¼g¦r¥À¥HÁקK©M¤º«ØÃì¤Î¥Ø¼Ð·d²V¤F¡CÃì¦W³Ìªø¥i¥H¥h¨ì 31 ­Ó¦r¥À¡C

«Ø¥ß¤@­Ó·sÃì

²{¦b´NÅý§Ú­Ì¤@°_«Ø¤@­Ó·sÃì§a¡C¦]¬°§Ú¹ê¦b¬O¤@­Ó·R¤Û·Qªº³Ã¥ë¡M©Ò¥H§ÚºÙ¤§¬°test («¢¡M¦³ÂI¿Ø¨ë)¡C³o¸Ì¡M§Ú­Ì¥Î `-N' ©Î `--new-chain' ¿ï¶µ¡R

# iptables -N test
#

´N¬O³o»ò²³æ¡C¦n¤F¡M²{¦b±z¥i¥H±N¤@¨Ç³W«h¥[¤J¨ä¤¤¡M¤@¦p«e­±»¡ªº¨º¼Ë¡C

§R°£¤@±øÃì

­n§R°£¤@±øÃì¤]¬O¤@¼Ë²³æ¡M¥Î `-X' ©Î `--delete-chain' §Y¥i¡C¬°¤°»ò¥Î `-X' ©O¡S¶â¡M ¦n¥Îªº¦r¥À³£¤@¦­µ¹¥Î¥ú¤F°Õ¡C

# iptables -X test
#

­n§R°£¤@±øÃ쪺¸Ü¡M·|¦³¦n¨Ç­­¨î¡R¥¦­Ì¥²»Ý¬OªÅªº (½Ð°Ñ¦Ò«á­±ªº ²MªÅ¤@±øÃì(Flushing a Chain) ) ¡M¦P®É¥¦­Ì¥²»Ý¤£¯à§@¬°¥ô¦ó³W«hªº¥Ø¼Ð¡C¥ô¦ó¤T±ø¤º«ØÃì±z³£¤£¯à§R°£´N¬O¤F¡C

°²¦p±z¤£«ü©w¤@±øÃì¡M¨º»ò¦pªG¥i¯àªº¸Ü¡M ¥þ³¡ ¥Î¤á¦Û©wÂIÃì³£·|³Q§R°£¡C

²MªÅ¤@±øÃì

¦³¤@­Ó²³æªº¤èªk¥i¥H²MªÅ¤@±øÃ줤ªº©Ò¦³³W«h¡M´N¬O¨Ï¥Î `-F' (©Î `--flush') ©R¥O¡C

# iptables -F forward
#

¦pªG±z¤£«ü©w¬O­þ¤@±øÃì¡M¨º»ò ¥þ³¡ Ãì³£·|³Q²MªÅ¡C

¦C¥Ü¤@±øÃì

±z¥i¥H¨Ï¥Î `-L' (©Î `--list') ©R¥O¦C¥Ü¤@±øÃ줤ªº©Ò¦³³W«h¡C

¨C¤@­Ó¥Î¤á¦Û©wÃì©Ò¦Cªº `refcnt' ¡M¬O»¡¦³¦h¤Ö¼Æ¥Øªº³W«h¬O¥H¸ÓÃ쬰¥Ø¼Ðªº¡C¦b¸ÓÃì³Q§R°£¤§«e¡M³o¼Æ¥Ø¥²»Ý¬°¹s(¦P®ÉÃì¬OªÅªº)¡C

¦pªG¨S´£¨ÑÃì¦WºÙªº¸Ü¡M©Ò¦³Ãì³£·|³Q¦C¥Ü¥X¨Ó¡M´NºâªÅÃì¤]¤@¼Ë¡C

¦³¤T­Ó¿ï¶µ¥i¥H¦ñÀH `-L' ¤@°_¨Ï¥Îªº¡C­º¥ý¬O `-n' (numeric) ¿ï¶µ¡M¥¦«Ü¦³¥Î¡M¦]¬°¥¦¥i¥HÁקK iptables ¥h¹Á¸Õ¬d§ä IP ¦a§}¡M°²¦p±zªº DNS ¨S¦³³]©w¥¿½Tªº¸Ü¡M©Î¬O±z¤w¸g¹LÂo±¼ DNS ½Ð¨D¤F¡M³o©Î³\·|³y¦¨ÄY­«ªº©µ¿ð(°²³]±z©M¤j¦h¼Æ¤H¤@¼Ë³£¬O¨Ï¥Î DNS )¡C¥¦¦P®É¤]·|±N TCP »P UDP °ð¤fÅã¥Ü¬°¼Æ¦r¦Ó«D¦WºÙ¡C

²Ä¤G­Ó¬O `-v' ¿ï¶µ¡M¥¦·|Åã¥Ü¥X±z¥þ³¡³W«hªº²Ó¸`¡M½Ñ¦p«Ê¥]ªº byte ¬y¶q²Î­p¡NTOS ¤ñ¸û¡N¥H¤Î¬É­±µ¥¡C§_«h³o¨Ç¼Æ­È¬O³Q²¤±¼ªº¡C

µù¡R«Ê¥]ªº byte ¬y¶q²Î­p¥i¥H¤À§O¨Ï¥Î `K', `M' ©Î `G' ³o¨Ç¦r§À¡M¤À§O¥Nªí 1000¡N1,000,000¡N¥H¤Î1,000,000,000¡M¨ÓÅã¥Ü¡C¨Ï¥Î `-x' (expand numbers) ºX¼Ð¦P¼Ë¤]¥i¥HÅã¥Ü¥X§¹¾ãªº¼Æ¦r¡M®Ú¥»¤£²z·|¥¦­Ì¦³¦hªø¡C

­«³](Âk¹s)¬y¶q°O¼Æ¾¹(counter)

¯à°÷­«³]¬y¶q°O¼Æ¾¹·íµM¬O¦³¥Îªº¡C±z¥i¥H¥Î `-Z' (©Î `--zero') ¿ï¶µ¨Ó°µ¡C

°ß¤@³Â·Ð¬O¡M¦³®É­Ô¦b¶i¦æ­«³]¤§«e¡M±z¥²»Ý¥ß§Y°O¦í¬y¶q²Î­p­È¡C¦b«e­±ªº¨Ò¤l¤¤¡M·í±z¤U `-L' µM«á `-Z' ©R¥O¡M¬Y¨Ç«Ê¥]¥i¯à·|¦b³o´Á¶¡³q¹L¡C¦]¦¹¡M±z¥i¥H§â `-L' ©M `-Z' ¤@°_ ¨Ï¥Î¡M¦bŪ¨úªº¦P®É¶i¦æ°O¼Æ¾¹­«³]¡C

³]©w­ì«h(policy)

§Ú­Ì¦b«e­±±´°Q«Ê¥]¦p¦ó³q¹L¤@­ÓÃ쪺®É­Ô¡M¤w¸àÄÀ¹L·í«Ê¥]©è¹F¤º«ØÃ쥽ºÝ®É±N·|µo¥Í¤°»ò¨Æ±¡¡C¦¹®É¡M´N¥Ñ¸ÓÃ쪺­ì«h¨Ó¨M©w«Ê¥]ªº©R¹B¡C¥u¦³¤º«ØÃì(INPUT¡NOUTPUT¡N¥H¤Î FORWARD) ¤ ¦³­ì«h³]©w¡M¦]¬°¡M¦pªG¤@­Ó«Ê¥]±¼¦Ü¤@­Ó¥Î¤á¦Û©wÃ쪺®É­Ô¡M«h·|¦^¨ì¤W¤@­ÓÃ줤ĠÄò¬ï¶V¡C

­ì«h¥i¥H¬° ACCEPT ©Î DROP¡C

Next Previous Contents