Question about setting up a Linux firewall with iptables (urgent)

Thread index:
Question about setting up a Linux firewall with iptables (urgent) - tianmimgz [ 2004-03-31 12:54 | 18,505 byte(s)]
Re: Question about setting up a Linux firewall with iptables (urgent) - arounddavid [ 2004-04-06 14:06 | 145 byte(s)]
Re: Question about setting up a Linux firewall with iptables (urgent) - tianmimgz [ 2004-04-04 20:13 | 227 byte(s)]
Re: Question about setting up a Linux firewall with iptables (urgent) - dl_dht [ 2004-03-31 16:01 | 1,642 byte(s)]
Re: Question about setting up a Linux firewall with iptables (urgent) - tianmimgz [ 2004-04-04 20:52 | 1,649 byte(s)]
Re: Question about setting up a Linux firewall with iptables (urgent) - dl_dht [ 2004-04-05 09:40 | 1,829 byte(s)]
Re: Question about setting up a Linux firewall with iptables (urgent) - chair_ou [ 2004-04-05 11:20 | 54 byte(s)]
Re: Question about setting up a Linux firewall with iptables (urgent) - tianmimgz [ 2004-04-05 11:47 | 56 byte(s)]
Re: Question about setting up a Linux firewall with iptables (urgent) - chair_ou [ 2004-04-05 12:59 | 106 byte(s)]
Re: Question about setting up a Linux firewall with iptables (urgent) - dl_dht [ 2004-04-05 12:04 | 378 byte(s)]
Re: Question about setting up a Linux firewall with iptables (urgent) - dl_dht [ 2004-04-05 11:39 | 44 byte(s)]

I have just started using Linux and want to build an IPv4/IPv6 dual-stack firewall on Linux with iptables/ip6tables. Could some expert give me a few pointers, especially on installing and using iptables/ip6tables? I have followed the documentation in Peter's Linux IPv6 HOWTO, but I cannot get it to work and don't know what the problem is. I would also appreciate some Chinese-language documentation on this kind of configuration. Peter's configuration document is as follows:
Linux IPv6 HOWTO (en), Chapter 16. Firewalling
16.2. Preparation
16.2.1. Get sources
Get the latest kernel source: http://www.kernel.org/
Get the latest iptables package:
• Source tarball (for kernel patches): http://www.netfilter.org/
• Source RPM for rebuild of binary (for RedHat systems): ftp://ftp.redhat.com/redhat/linux/rawhide/SRPMS/SRPMS/ or perhaps also at http://www.netcore.fi/pekkas/linux/ipv6/
16.2.2. Extract sources
Change to source directory:
# cd /path/to/src
Unpack and rename kernel sources
# tar z|jxf kernel-version.tar.gz|bz2
# mv linux linux-version-iptables-version+IPv6
Unpack iptables sources
# tar z|jxf iptables-version.tar.gz|bz2
16.2.3. Apply latest iptables/IPv6-related patches to kernel source
Change to iptables directory
# cd iptables-version
Apply pending patches
# make pending-patches KERNEL_DIR=/path/to/src/linux-version-iptables-version/
Apply additional IPv6 related patches (still not included in the vanilla kernel)
# make patch-o-matic KERNEL_DIR=/path/to/src/linux-version-iptables-version/
Say yes at following options (iptables-1.2.2)
• ah-esp.patch
• masq-dynaddr.patch (only needed for systems with dynamic IP assigned WAN connections like PPP or PPPoE)
• ipv6-agr.patch.ipv6
• ipv6-ports.patch.ipv6
• LOG.patch.ipv6
• REJECT.patch.ipv6
Check IPv6 extensions
# make print-extensions
Extensions found: IPv6:owner IPv6:limit IPv6:mac IPv6:multiport
16.2.4. Configure, build and install new kernel
Change to kernel sources
# cd /path/to/src/linux-version-iptables-version/
Edit Makefile
- EXTRAVERSION =
+ EXTRAVERSION = -iptables-version+IPv6-try
Run configure and enable the IPv6 related options:
Code maturity level options
Prompt for development and/or incomplete code/drivers : yes
Networking options
Network packet filtering: yes
The IPv6 protocol: module
IPv6: Netfilter Configuration
IP6 tables support: module
All new options like the following:
limit match support: module
MAC address match support: module
Multiple port match support: module
Owner match support: module
netfilter MARK match support: module
Aggregated address check: module
Packet filtering: module
REJECT target support: module
LOG target support: module
Packet mangling: module
MARK target support: module
Configure other related to your system, too
Compilation and installing: see the kernel section here and other HOWTOs
16.2.5. Rebuild and install binaries of iptables
Make sure that the kernel source tree from above is also available at /usr/src/linux/
Rename older directory
# mv /usr/src/linux /usr/src/linux.old
Create a new softlink
# ln -s /path/to/src/linux-version-iptables-version /usr/src/linux
Rebuild SRPMS
# rpm --rebuild /path/to/SRPMS/iptables-version-release.src.rpm
Install new iptables packages (iptables + iptables-ipv6)
• On RH 7.1 systems an older version is normally already installed, therefore use "freshen"
# rpm -Fhv /path/to/RPMS/cpu/iptables*-version-release.cpu.rpm
• If not already installed, use "install"
# rpm -ihv /path/to/RPMS/cpu/iptables*-version-release.cpu.rpm
• On RH 6.2 systems, normally, no kernel 2.4.x is installed, therefore the package dependencies are not met. Use "--nodeps" to install it
# rpm -ihv --nodeps /path/to/RPMS/cpu/iptables*-version-release.cpu.rpm
Perhaps it's necessary to create a softlink for iptables libraries where iptables looks for them
# ln -s /lib/iptables/ /usr/lib/iptables
16.3. Usage
16.3.1. Check for support
Load the module, if compiled as one
# modprobe ip6_tables
Check for capability
# [ ! -f /proc/net/ip6_tables_names ] && echo "Current kernel doesn't support 'ip6tables' firewalling (IPv6)!"
16.3.2. Learn how to use ip6tables
16.3.2.1. List all IPv6 netfilter entries
• Short
# ip6tables -L
• Extended
# ip6tables -n -v --line-numbers -L
16.3.2.2. List specified filter
# ip6tables -n -v --line-numbers -L INPUT
16.3.2.3. Insert a log rule at the input filter with options
# ip6tables --table filter --append INPUT -j LOG --log-prefix "INPUT:" --log-level 7
16.3.2.4. Insert a drop rule at the input filter
# ip6tables --table filter --append INPUT -j DROP
16.3.2.5. Delete a rule by number
# ip6tables --table filter --delete INPUT 1
16.3.2.6. Allow ICMPv6
Using older kernels (unpatched kernel 2.4.5 and iptables-1.2.2) no type can be specified
• Accept incoming ICMPv6 through tunnels
# ip6tables -A INPUT -i sit+ -p icmpv6 -j ACCEPT
• Allow outgoing ICMPv6 through tunnels
# ip6tables -A OUTPUT -o sit+ -p icmpv6 -j ACCEPT
Newer kernels allow specifying of ICMPv6 types:
# ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT
16.3.2.7. Rate-limiting
Because it can happen (the author has already seen it twice) that an ICMPv6 storm rises up, you should use the available rate limiting at least for the ICMPv6 ruleset. In addition, logging rules should also get rate limiting, to prevent DoS attacks against syslog and against the storage of the log file partition. An example for rate limited ICMPv6 looks like:
# ip6tables -A INPUT --protocol icmpv6 --icmpv6-type echo-request -j ACCEPT --match limit --limit 30/minute
16.3.2.8. Allow incoming SSH
Here an example is shown for a ruleset which allows incoming SSH connection from a specified IPv6 address
• Allow incoming SSH from 3ffe:ffff:100::1/128
# ip6tables -A INPUT -i sit+ -p tcp -s 3ffe:ffff:100::1/128 --sport 512:65535 --dport 22 -j ACCEPT
• Allow response packets (at the moment IPv6 connection tracking isn't implemented in mainstream netfilter6, so the return direction has to be allowed explicitly; "! --syn" admits only packets that are not connection requests)
# ip6tables -A OUTPUT -o sit+ -p tcp -d 3ffe:ffff:100::1/128 --dport 512:65535 --sport 22 ! --syn -j ACCEPT
16.3.2.9. Enable tunneled IPv6-in-IPv4
To accept tunneled IPv6-in-IPv4 packets, you have to insert rules in your IPv4 firewall setup relating to such packets, for example
• Accept incoming IPv6-in-IPv4 on interface ppp0
# iptables -A INPUT -i ppp0 -p ipv6 -j ACCEPT
• Allow outgoing IPv6-in-IPv4 to interface ppp0
# iptables -A OUTPUT -o ppp0 -p ipv6 -j ACCEPT
If you have only a static tunnel, you can specify the IPv4 addresses, too, like
• Accept incoming IPv6-in-IPv4 on interface ppp0 from tunnel endpoint 1.2.3.4
# iptables -A INPUT -i ppp0 -p ipv6 -s 1.2.3.4 -j ACCEPT
• Allow outgoing IPv6-in-IPv4 to interface ppp0 to tunnel endpoint 1.2.3.4
# iptables -A OUTPUT -o ppp0 -p ipv6 -d 1.2.3.4 -j ACCEPT
16.3.2.10. Protection against incoming TCP connection requests
VERY RECOMMENDED! For security reasons you should really insert a rule which blocks incoming TCP connection requests (packets with the SYN flag set). Adapt the "-i" option if other interface names are in use!
• Block incoming TCP connection requests to this host
# ip6tables -I INPUT -i sit+ -p tcp --syn -j DROP
• Block incoming TCP connection requests to hosts behind this router
# ip6tables -I FORWARD -i sit+ -p tcp --syn -j DROP
Perhaps these rules have to be placed below others (with "-I" they are inserted at the top of the chain), but that is something you have to think about yourself. The best way is to create a script that applies the rules in a defined order.
16.3.2.11. Protection against incoming UDP connection requests
ALSO RECOMMENDED! As mentioned in my firewall information, it's possible to control the ports used by outgoing UDP/TCP sessions. So if all of your local IPv6 systems use local ports e.g. from 32768 to 60999, you can filter UDP too (until connection tracking works), like:
• Block incoming UDP packets which cannot be responses of outgoing requests of this host
# ip6tables -I INPUT -i sit+ -p udp ! --dport 32768:60999 -j DROP
• Block incoming UDP packets which cannot be responses of forwarded requests of hosts behind this router
# ip6tables -I FORWARD -i sit+ -p udp ! --dport 32768:60999 -j DROP
16.3.3. Demonstration example
The following lines show a more sophisticated setup as an example. Happy netfilter6 ruleset creation...
# ip6tables -n -v -L
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 extIN all sit+ * ::/0 ::/0
4 384 intIN all eth0 * ::/0 ::/0
0 0 ACCEPT all * * ::1/128 ::1/128
0 0 ACCEPT all lo * ::/0 ::/0
0 0 LOG all * * ::/0 ::/0
LOG flags 0 level 7 prefix `INPUT-default:'
0 0 DROP all * * ::/0 ::/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 int2ext all eth0 sit+ ::/0 ::/0
0 0 ext2int all sit+ eth0 ::/0 ::/0
0 0 LOG all * * ::/0 ::/0
LOG flags 0 level 7 prefix `FORWARD-default:'
0 0 DROP all * * ::/0 ::/0
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 extOUT all * sit+ ::/0 ::/0
4 384 intOUT all * eth0 ::/0 ::/0
0 0 ACCEPT all * * ::1/128 ::1/128
0 0 ACCEPT all * lo ::/0 ::/0
0 0 LOG all * * ::/0 ::/0
LOG flags 0 level 7 prefix `OUTPUT-default:'
0 0 DROP all * * ::/0 ::/0
Chain ext2int (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmpv6 * * ::/0 ::/0
0 0 ACCEPT tcp * * ::/0 ::/0
tcp spts:1:65535 dpts:1024:65535 flags:!0x16/0x02
0 0 LOG all * * ::/0 ::/0
LOG flags 0 level 7 prefix `ext2int-default:'
0 0 DROP tcp * * ::/0 ::/0
0 0 DROP udp * * ::/0 ::/0
0 0 DROP all * * ::/0 ::/0
Chain extIN (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp * * 3ffe:400:100::1/128 ::/0
tcp spts:512:65535 dpt:22
0 0 ACCEPT tcp * * 3ffe:400:100::2/128 ::/0
tcp spts:512:65535 dpt:22
0 0 ACCEPT icmpv6 * * ::/0 ::/0
0 0 ACCEPT tcp * * ::/0 ::/0
tcp spts:1:65535 dpts:1024:65535 flags:!0x16/0x02
0 0 ACCEPT udp * * ::/0 ::/0
udp spts:1:65535 dpts:1024:65535
0 0 LOG all * * ::/0 ::/0
limit: avg 5/min burst 5 LOG flags 0 level 7 prefix `extIN-default:'
0 0 DROP all * * ::/0 ::/0
Chain extOUT (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp * * ::/0 3ffe:ffff:100::1/128
tcp spt:22 dpts:512:65535 flags:!0x16/0x02
0 0 ACCEPT tcp * * ::/0 3ffe:ffff:100::2/128
tcp spt:22 dpts:512:65535 flags:!0x16/0x02
0 0 ACCEPT icmpv6 * * ::/0 ::/0
0 0 ACCEPT tcp * * ::/0 ::/0
tcp spts:1024:65535 dpts:1:65535
0 0 ACCEPT udp * * ::/0 ::/0
udp spts:1024:65535 dpts:1:65535
0 0 LOG all * * ::/0 ::/0
LOG flags 0 level 7 prefix `extOUT-default:'
0 0 DROP all * * ::/0 ::/0
Chain int2ext (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmpv6 * * ::/0 ::/0
0 0 ACCEPT tcp * * ::/0 ::/0
tcp spts:1024:65535 dpts:1:65535
0 0 LOG all * * ::/0 ::/0
LOG flags 0 level 7 prefix `int2ext:'
0 0 DROP all * * ::/0 ::/0
0 0 LOG all * * ::/0 ::/0
LOG flags 0 level 7 prefix `int2ext-default:'
0 0 DROP tcp * * ::/0 ::/0
0 0 DROP udp * * ::/0 ::/0
0 0 DROP all * * ::/0 ::/0
Chain intIN (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all * * ::/0 fe80::/ffc0::
4 384 ACCEPT all * * ::/0 ff02::/16
Chain intOUT (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all * * ::/0 fe80::/ffc0::
4 384 ACCEPT all * * ::/0 ff02::/16
0 0 LOG all * * ::/0 ::/0
LOG flags 0 level 7 prefix `intOUT-default:'
0 0 DROP all * * ::/0 ::/0
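The HOWTO gives the rules of 16.3.2.6 through 16.3.2.11 one at a time and leaves the ordering to the reader. The script below is an added example, not part of the HOWTO or of any post in this thread: it assembles those rules, plus the IPv4 tunnel rules of 16.3.2.9, into one ordered dual-stack ruleset for the kind of host the original poster describes. The interface names (sit+, ppp0), the tunnel endpoint 1.2.3.4, the admin address 3ffe:ffff:100::1 and the ephemeral port range are the HOWTO's placeholders and are assumptions to adapt. With DRY_RUN=1 (the default) it prints the commands instead of executing them, so the ruleset can be reviewed before it is applied as root.

```shell
#!/bin/sh
# Added example (not from the HOWTO or the thread): one ordered dual-stack
# ruleset built from the HOWTO's individual rules. With DRY_RUN=1 (default)
# the commands are only printed; set DRY_RUN=0 and run as root to apply them.
#
# Assumed values (HOWTO placeholders, adapt to your site):
EXT6="${EXT6:-sit+}"                      # IPv6 side of the 6in4 tunnel
EXT4="${EXT4:-ppp0}"                      # IPv4 WAN interface carrying the tunnel
TUNNEL_PEER="${TUNNEL_PEER:-1.2.3.4}"     # remote IPv4 tunnel endpoint
ADMIN6="${ADMIN6:-3ffe:ffff:100::1/128}"  # host allowed to ssh in
EPHEMERAL="${EPHEMERAL:-32768:60999}"     # local ephemeral port range
DRY_RUN="${DRY_RUN:-1}"

# run: print the command; execute it too unless DRY_RUN=1
run() {
    printf '%s\n' "$*"
    [ "$DRY_RUN" = 1 ] || "$@"
}

# ip6_supported: succeeds if the running kernel has ip6_tables (HOWTO 16.3.1)
ip6_supported() {
    [ -f /proc/net/ip6_tables_names ]
}

# ipv6_rules: emit the ip6tables rules in dependency order. With -A the rules
# are evaluated top-down, so the specific ACCEPTs (loopback, admin SSH, reply
# traffic) must precede the generic SYN/UDP drops, and the drops must precede
# the catch-all LOG rule, or the log fills with packets dropped anyway.
ipv6_rules() {
    run ip6tables -F
    run ip6tables -P INPUT DROP
    run ip6tables -P FORWARD DROP
    run ip6tables -P OUTPUT DROP
    # loopback is always allowed
    run ip6tables -A INPUT -i lo -j ACCEPT
    run ip6tables -A OUTPUT -o lo -j ACCEPT
    # ICMPv6 is required for IPv6 to work at all; rate-limit inbound so an
    # ICMPv6 storm cannot saturate the host or the logging rule
    run ip6tables -A INPUT -i "$EXT6" -p icmpv6 -m limit --limit 30/minute -j ACCEPT
    run ip6tables -A OUTPUT -o "$EXT6" -p icmpv6 -j ACCEPT
    # SSH from the admin host only; the return rule is stateless (no IPv6
    # connection tracking in this kernel generation), so it admits only
    # non-SYN packets from port 22 back to the client's port range
    run ip6tables -A INPUT -i "$EXT6" -p tcp -s "$ADMIN6" --sport 512:65535 --dport 22 -j ACCEPT
    run ip6tables -A OUTPUT -o "$EXT6" -p tcp -d "$ADMIN6" --sport 22 --dport 512:65535 ! --syn -j ACCEPT
    # locally initiated TCP/UDP sessions from the ephemeral range may leave,
    # and only non-SYN TCP / UDP replies into that range may come back
    run ip6tables -A OUTPUT -o "$EXT6" -p tcp --sport "$EPHEMERAL" -j ACCEPT
    run ip6tables -A OUTPUT -o "$EXT6" -p udp --sport "$EPHEMERAL" -j ACCEPT
    run ip6tables -A INPUT -i "$EXT6" -p tcp --dport "$EPHEMERAL" ! --syn -j ACCEPT
    run ip6tables -A INPUT -i "$EXT6" -p udp --dport "$EPHEMERAL" -j ACCEPT
    # no other inbound TCP connection requests, to this host or forwarded
    run ip6tables -A INPUT -i "$EXT6" -p tcp --syn -j DROP
    run ip6tables -A FORWARD -i "$EXT6" -p tcp --syn -j DROP
    # inbound UDP outside the ephemeral range cannot be a reply to us
    run ip6tables -A INPUT -i "$EXT6" -p udp ! --dport "$EPHEMERAL" -j DROP
    run ip6tables -A FORWARD -i "$EXT6" -p udp ! --dport "$EPHEMERAL" -j DROP
    # whatever is left is logged (rate limited, so syslog cannot be flooded)
    # and then falls through to the DROP policy
    run ip6tables -A INPUT -m limit --limit 5/minute -j LOG --log-prefix "INPUT-default:" --log-level 7
}

# ipv4_rules: the IPv4 firewall only has to pass the encapsulated IPv6
# (protocol 41) to and from the static tunnel endpoint (HOWTO 16.3.2.9)
ipv4_rules() {
    run iptables -A INPUT -i "$EXT4" -p ipv6 -s "$TUNNEL_PEER" -j ACCEPT
    run iptables -A OUTPUT -o "$EXT4" -p ipv6 -d "$TUNNEL_PEER" -j ACCEPT
}

# apply_all: refuse to run for real on a kernel without ip6_tables
apply_all() {
    if ! ip6_supported && [ "$DRY_RUN" != 1 ]; then
        echo "kernel has no ip6_tables support (try: modprobe ip6_tables)" >&2
        return 1
    fi
    ipv4_rules
    ipv6_rules
}
```

The FORWARD chain only receives the two drops from 16.3.2.10 and 16.3.2.11 here; a router protecting hosts behind it needs explicit ACCEPTs for their traffic in front of those drops, following the same pattern as the int2ext/ext2int chains in the demonstration listing above. Note that `ip6tables -F` does not reset the policies, which is why the three `-P` lines come right after it.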
I can run ip6tables on my host.
[root@dht linux-2.6.4]# ip6tables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 LOG all * * ::/0 ::/0
LOG flags 0 level 7 prefix `INPUT:'
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
[root@dht linux-2.6.4]# lsmod
Module Size Used by
ip6t_LOG 5312 1
ip6table_filter 2464 1
ip6_tables 22944 2 ip6t_LOG,ip6table_filter
out 1792 0
soundcore 9824 0
8139too 22080 0
md5 3840 1
ipv6 253376 9 ip6_tables
autofs 16928 0
via_rhine 19528 0
mii 5024 2 8139too,via_rhine
crc32 4320 2 8139too,via_rhine
hid 33024 0
uhci_hcd 32784 0
ehci_hcd 26980 0
usbcore 105596 5 hid,uhci_hcd,ehci_hcd
You should tell us clearly what problem you ran into.
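The listing in the post above has all three built-in chains at policy ACCEPT and nothing but a LOG rule in INPUT, so it records traffic but blocks none of it. The script below is an added example, not from any poster in this thread: it parses `ip6tables -nvL` (or `iptables -nvL`) output and reports built-in chains that are fail-open. The two listings embedded in it are constructed for the example, the first copied from the output above and the second a hardened variant with DROP policies and a user-defined chain.

```shell
#!/bin/sh
# Added example: audit an iptables/ip6tables listing for fail-open chains.
# Feed it `ip6tables -nvL` (or `iptables -nvL`) on stdin, for instance:
#   ip6tables -nvL | fail_open_chains
# Counters may carry a K/M/G suffix under -v, hence the [KMG]? in the regex.

# audit_chains: print "chain policy rules" for every chain in the listing.
# User-defined chains have no policy and are shown with "-".
audit_chains() {
    awk '
        /^Chain / {
            if (chain != "") print chain, policy, rules
            chain = $2; rules = 0
            policy = ($3 == "(policy") ? $4 : "-"
            next
        }
        # a rule line starts with the pkts and bytes counters; match-detail
        # continuation lines (LOG flags ..., limit: avg ...) start with a word
        /^[ ]*[0-9]+[KMG]?[ ]+[0-9]+[KMG]?[ ]+[A-Za-z]/ { rules++ }
        END { if (chain != "") print chain, policy, rules }
    '
}

# fail_open_chains: built-in chains whose policy is ACCEPT. Every packet that
# no rule matches is then allowed, so an empty ACCEPT chain filters nothing,
# and a LOG-only chain merely records what it lets through.
fail_open_chains() {
    audit_chains | awk '$2 == "ACCEPT" { print $1 }'
}

# Constructed sample 1: the listing posted above (ACCEPT policies, one LOG rule)
sample_listing() {
cat <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all      *      *       ::/0                 ::/0                 LOG flags 0 level 7 prefix `INPUT:'
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
EOF
}

# Constructed sample 2: a hardened variant with DROP policies, where the
# ACCEPTs are explicit rules and a user chain appears without a policy
hardened_listing() {
cat <<'EOF'
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all      lo     *       ::/0                 ::/0
   12  1152 ACCEPT     icmpv6   sit+   *       ::/0                 ::/0                 limit: avg 30/min burst 5
    0     0 extIN      all      sit+   *       ::/0                 ::/0
    0     0 LOG        all      *      *       ::/0                 ::/0                 LOG flags 0 level 7 prefix `INPUT-default:'
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all      *      lo      ::/0                 ::/0
Chain extIN (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp      *      *       3ffe:ffff:100::1/128 ::/0                 tcp spts:512:65535 dpt:22
EOF
}
```

Running `sample_listing | fail_open_chains` names INPUT, FORWARD and OUTPUT; `hardened_listing | fail_open_chains` prints nothing. A DROP policy is what turns the log rule at the bottom of a chain from a record of accepted traffic into a record of what was rejected.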
I want to install the ip6tables module on Linux 2.4.8. Following Peter's document I downloaded the ip6tables 1.2.9 installation files, but I cannot install them, so I want to know whether his document is wrong or my steps are. Do you have any other configuration document, or can you tell me the installation procedure? I would be very grateful. It is very urgent; please reply soon.
My machine shows:
[root@ipv6-002 root]# lsmod
Module Size Used by Not tainted
iptable_nat 21720 0 (autoclean) (unused)
ip_conntrack 26976 1 (autoclean) [iptable_nat]
ip6_tables 15864 0
ide-cd 35708 0 (autoclean)
cdrom 33728 0 (autoclean) [ide-cd]
parport_pc 19076 1 (autoclean)
lp 8996 0 (autoclean)
parport 37056 1 (autoclean) [parport_pc lp]
ipv6 168660 -1 (autoclean)
autofs 13268 0 (autoclean) (unused)
via-rhine 15856 1
mii 3976 0 [via-rhine]
ipt_REJECT 3928 2 (autoclean)
iptable_filter 2412 1 (autoclean)
ip_tables 15096 5 [iptable_nat ipt_REJECT iptable_filter]
keybdev 2944 0 (unused)
mousedev 5492 1
hid 22148 0 (unused)
input 5856 0 [keybdev mousedev hid]
usb-uhci 26348 0 (unused)
usbcore 78784 1 [hid usb-uhci]
ext3 70784 2
jbd 51892 2 [ext3]
[root@ipv6-002 root]# ip6_tables -nvL
bash: ip6_tables: command not found
There are no ip6t_LOG or ip6tables_filter entries, and ip6_tables -nvL cannot be run either.
Also, I would like to ask whether iptables and ip6tables can be run at the same time to configure chain rules for IPv4 and IPv6.
[root@dht server]# ip6tables -F
[root@dht server]# ping6 ::1
PING ::1(::1) 56 data bytes
64 bytes from ::1: icmp_seq=1 ttl=64 time=0.048 ms
64 bytes from ::1: icmp_seq=2 ttl=64 time=0.041 ms
--- ::1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.041/0.044/0.048/0.007 ms
[root@dht server]# ip6tables -I OUTPUT -o lo -j DROP
[root@dht server]# ping6 ::1
PING ::1(::1) 56 data bytes
--- ::1 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 999ms
[root@dht server]# iptables -F
[root@dht server]# ping 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.135 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.044 ms
--- 127.0.0.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.044/0.089/0.135/0.046 ms
[root@dht server]# iptables -I OUTPUT -o lo -j DROP
[root@dht server]# ping 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
--- 127.0.0.1 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2000ms
>> There are no ip6t_LOG or ip6tables_filter entries, and ip6_tables -nvL cannot be run either.
# ip6tables -nvL
try : modprobe ip6tables_filter and ip6t_LOG
I use 2.6.4 , this is my .config, you can try.
CONFIG_IPV6=m
CONFIG_IPV6_PRIVACY=y
CONFIG_INET6_AH=m
CONFIG_INET6_ESP=m
# CONFIG_INET6_IPCOMP is not set
CONFIG_IPV6_TUNNEL=m
There are many more IPv6 updates in 2.6.x than in 2.4.x, and some bugs have been corrected, so you had better update your kernel.
I am using Linux 2.4.24 with iptables-1.2.9. First patch iptables-1.2.9 into Linux 2.4.24, then when compiling the kernel use make menuconfig to select the IPv6 options; after compiling you will get it.