Chinaunix首页 | 论坛 | 博客

HereItIs

首页 |  博文目录 |  关于我

HereItIs

  • 博客访问: 161560
  • 博文数量: 24
  • 博客积分: 2019
  • 博客等级: 大尉
  • 技术积分: 352
  • 用 户 组: 普通用户
  • 注册时间: 2010-01-22 17:36
文章分类

全部博文(24)

文章存档

2011年(2)

2010年(22)

我的朋友
最近访客
推荐博文
相关博文
FTP ALG in Netfilter(Part 3 - 实例分析)

分类: 网络与安全

2010-03-18 12:48:16

FTP ALG in Netfilter(Part 3 - 实例分析)

  本博客Netfilter/IPtables系列文章均基于Linux2.6.30内核。
  本文档版权归hereitis所有,可以自由拷贝/转载,转载时请保持文档的完整性并且注明来源,禁止用于任何商业用途。
  hereitis.cu@gmail.com
  1. 测试网络
    防火墙上相关的Iptables配置:
external_int="eth0"
external_ip="`ifconfig $external_int | grep 'inet addr' | \
             awk '{print $2}' | sed -e 's/.*://'`"

dmz_int="eth1"
dmz_ip="`ifconfig $dmz_int | grep 'inet addr' | \
             awk '{print $2}' | sed -e 's/.*://'`"

echo 1 > /proc/sys/net/ipv4/ip_forward

iptables -t nat -A PREROUTING -i $external_int -p tcp --sport 1024:65535 -d $external_ip --dport 21 \
    -j DNAT --to-destination $dmz_ip

iptables -A FORWARD -i $external_int -o $dmz_int -p tcp --sport 1024:65535 -d $dmz_ip --dport 21 \
    -m state --state NEW -j ACCEPT

iptables -A FORWARD -i $dmz_int -o $external_int -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -i $external_int -o $dmz_int -m state --state ESTABLISHED,RELATED -j ACCEPT
  1. 数据流流经Netfilter Hook点示意图

  1. Big Pictures of each Hook fn
    1. conntrack on PREROUTING

    1. nat on PREROUTING 


    1. nat on POSTROUTING

    1. conntrack on POSTROUTING
  1. 部分数据流
No.     Time        Source                Destination           Protocol Info
      5 21.803473   172.20.9.84           172.20.9.80           TCP      nsc-ccs > ftp [SYN] Seq=0 Win=65535 Len=0 MSS=1460

Frame 5 (62 bytes on wire, 62 bytes captured)
Internet Protocol, Src: 172.20.9.84 (172.20.9.84), Dst: 172.20.9.80 (172.20.9.80)
Transmission Control Protocol, Src Port: nsc-ccs (2604), Dst Port: ftp (21), Seq: 0, Len: 0

No.     Time        Source                Destination           Protocol Info
      6 21.809685   172.20.9.84           192.168.1.100         TCP      nsc-ccs > ftp [SYN] Seq=0 Win=65535 Len=0 MSS=1460

Frame 6 (62 bytes on wire, 62 bytes captured)
Internet Protocol, Src: 172.20.9.84 (172.20.9.84), Dst: 192.168.1.100 (192.168.1.100)
Transmission Control Protocol, Src Port: nsc-ccs (2604), Dst Port: ftp (21), Seq: 0, Len: 0

No.     Time        Source                Destination           Protocol Info
      7 21.809817   192.168.1.100         172.20.9.84           TCP      ftp > nsc-ccs [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460

Frame 7 (62 bytes on wire, 62 bytes captured)
Internet Protocol, Src: 192.168.1.100 (192.168.1.100), Dst: 172.20.9.84 (172.20.9.84)
Transmission Control Protocol, Src Port: ftp (21), Dst Port: nsc-ccs (2604), Seq: 0, Ack: 1, Len: 0

No.     Time        Source                Destination           Protocol Info
      8 21.810310   172.20.9.80           172.20.9.84           TCP      ftp > nsc-ccs [SYN, ACK] Seq=3899138973 Ack=1 Win=5840 Len=0 MSS=1460

Frame 8 (62 bytes on wire, 62 bytes captured)
Internet Protocol, Src: 172.20.9.80 (172.20.9.80), Dst: 172.20.9.84 (172.20.9.84)
Transmission Control Protocol, Src Port: ftp (21), Dst Port: nsc-ccs (2604), Seq: 3899138973, Ack: 1, Len: 0

No.     Time        Source                Destination           Protocol Info
      9 21.810587   172.20.9.84           172.20.9.80           TCP      nsc-ccs > ftp [ACK] Seq=1 Ack=3899138974 Win=65535 Len=0

Frame 9 (60 bytes on wire, 60 bytes captured)
Internet Protocol, Src: 172.20.9.84 (172.20.9.84), Dst: 172.20.9.80 (172.20.9.80)
Transmission Control Protocol, Src Port: nsc-ccs (2604), Dst Port: ftp (21), Seq: 1, Ack: 3899138974, Len: 0

No.     Time        Source                Destination           Protocol Info
     10 21.811067   172.20.9.84           192.168.1.100         TCP      nsc-ccs > ftp [ACK] Seq=1 Ack=1 Win=65535 Len=0

Frame 10 (60 bytes on wire, 60 bytes captured)
Internet Protocol, Src: 172.20.9.84 (172.20.9.84), Dst: 192.168.1.100 (192.168.1.100)
Transmission Control Protocol, Src Port: nsc-ccs (2604), Dst Port: ftp (21), Seq: 1, Ack: 1, Len: 0

No.     Time        Source                Destination           Protocol Info
     11 21.820922   172.20.9.80           172.20.9.84           FTP      Response: 220 (vsFTPd 2.0.1)

Frame 11 (74 bytes on wire, 74 bytes captured)
Internet Protocol, Src: 172.20.9.80 (172.20.9.80), Dst: 172.20.9.84 (172.20.9.84)
Transmission Control Protocol, Src Port: ftp (21), Dst Port: nsc-ccs (2604), Seq: 3899138974, Ack: 1, Len: 20
File Transfer Protocol (FTP)

No.     Time        Source                Destination           Protocol Info
     12 21.821189   192.168.1.100         172.20.9.84           FTP      Response: 220 (vsFTPd 2.0.1)

Frame 12 (74 bytes on wire, 74 bytes captured)
Internet Protocol, Src: 192.168.1.100 (192.168.1.100), Dst: 172.20.9.84 (172.20.9.84)
Transmission Control Protocol, Src Port: ftp (21), Dst Port: nsc-ccs (2604), Seq: 1, Ack: 1, Len: 20
File Transfer Protocol (FTP)

......

No.     Time        Source                Destination           Protocol Info
     35 21.835468   172.20.9.84           172.20.9.80           FTP      Request: PASV

Frame 35 (60 bytes on wire, 60 bytes captured)
Internet Protocol, Src: 172.20.9.84 (172.20.9.84), Dst: 172.20.9.80 (172.20.9.80)
Transmission Control Protocol, Src Port: nsc-ccs (2604), Dst Port: ftp (21), Seq: 62, Ack: 3899139110, Len: 6
File Transfer Protocol (FTP)

No.     Time        Source                Destination           Protocol Info
     36 21.835901   172.20.9.84           192.168.1.100         FTP      Request: PASV

Frame 36 (60 bytes on wire, 60 bytes captured)
Internet Protocol, Src: 172.20.9.84 (172.20.9.84), Dst: 192.168.1.100 (192.168.1.100)
Transmission Control Protocol, Src Port: nsc-ccs (2604), Dst Port: ftp (21), Seq: 62, Ack: 137, Len: 6
File Transfer Protocol (FTP)

No.     Time        Source                Destination           Protocol Info
     37 21.836411   172.20.9.80           172.20.9.84           FTP      Response: 227 Entering Passive Mode (172,20,9,80,27,191)

Frame 37 (102 bytes on wire, 96 bytes captured)
Internet Protocol, Src: 172.20.9.80 (172.20.9.80), Dst: 172.20.9.84 (172.20.9.84)
Transmission Control Protocol, Src Port: ftp (21), Dst Port: nsc-ccs (2604), Seq: 3899139110, Ack: 68, Len: 48
File Transfer Protocol (FTP)

No.     Time        Source                Destination           Protocol Info
     38 21.837059   192.168.1.100         172.20.9.84           FTP      Response: 227 Entering Passive Mode (192,168,1,100,27,191)

Frame 38 (104 bytes on wire, 96 bytes captured)
Internet Protocol, Src: 192.168.1.100 (192.168.1.100), Dst: 172.20.9.84 (172.20.9.84)
Transmission Control Protocol, Src Port: ftp (21), Dst Port: nsc-ccs (2604), Seq: 137, Ack: 68, Len: 50
File Transfer Protocol (FTP)

No.     Time        Source                Destination           Protocol Info
     39 21.837476   172.20.9.84           172.20.9.80           FTP      Request: SIZE /

Frame 39 (62 bytes on wire, 62 bytes captured)
Internet Protocol, Src: 172.20.9.84 (172.20.9.84), Dst: 172.20.9.80 (172.20.9.80)
Transmission Control Protocol, Src Port: nsc-ccs (2604), Dst Port: ftp (21), Seq: 68, Ack: 3899139158, Len: 8
File Transfer Protocol (FTP)

No.     Time        Source                Destination           Protocol Info
     40 21.837921   172.20.9.84           172.20.9.80           TCP      wag-service > 7103 [SYN] Seq=0 Win=65535 Len=0 MSS=1460

Frame 40 (62 bytes on wire, 62 bytes captured)
Internet Protocol, Src: 172.20.9.84 (172.20.9.84), Dst: 172.20.9.80 (172.20.9.80)
Transmission Control Protocol, Src Port: wag-service (2608), Dst Port: 7103 (7103), Seq: 0, Len: 0

.......
No.     Time        Source                Destination           Protocol Info
     43 21.838966   172.20.9.84           192.168.1.100         TCP      wag-service > 7103 [SYN] Seq=0 Win=65535 Len=0 MSS=1460

Frame 43 (62 bytes on wire, 62 bytes captured)
Internet Protocol, Src: 172.20.9.84 (172.20.9.84), Dst: 192.168.1.100 (192.168.1.100)
Transmission Control Protocol, Src Port: wag-service (2608), Dst Port: 7103 (7103), Seq: 0, Len: 0

No.     Time        Source                Destination           Protocol Info
     44 21.839180   192.168.1.100         172.20.9.84           TCP      7103 > wag-service [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460

Frame 44 (62 bytes on wire, 62 bytes captured)
Internet Protocol, Src: 192.168.1.100 (192.168.1.100), Dst: 172.20.9.84 (172.20.9.84)
Transmission Control Protocol, Src Port: 7103 (7103), Dst Port: wag-service (2608), Seq: 0, Ack: 1, Len: 0

  1. 数据流分析
    1. What we got from packet 5
No.     Time        Source                Destination           Protocol Info
      5 21.803473   172.20.9.84           172.20.9.80           TCP      nsc-ccs > ftp [SYN] Seq=0 Win=65535 Len=0 MSS=1460

Frame 5 (62 bytes on wire, 62 bytes captured)
Internet Protocol, Src: 172.20.9.84 (172.20.9.84), Dst: 172.20.9.80 (172.20.9.80)
Transmission Control Protocol, Src Port: nsc-ccs (2604), Dst Port: ftp (21), Seq: 0, Len: 0







  1. What we got from packet 6
No.     Time        Source                Destination           Protocol Info
       6 21.809685   172.20.9.84           192.168.1.100         TCP      nsc-ccs > ftp [SYN] Seq=0 Win=65535 Len=0 MSS=1460

 Frame 6 (62 bytes on wire, 62 bytes captured)
 Internet Protocol, Src: 172.20.9.84 (172.20.9.84), Dst: 192.168.1.100 (192.168.1.100)
 Transmission Control Protocol, Src Port: nsc-ccs (2604), Dst Port: ftp (21), Seq: 0, Len: 0


  1. What we got from packet 38
No.     Time        Source                Destination           Protocol Info
      38 21.837059   192.168.1.100         172.20.9.84           FTP      Response: 227 Entering Passive Mode (192,168,1,100,27,191)

 Frame 38 (104 bytes on wire, 96 bytes captured)
 Internet Protocol, Src: 192.168.1.100 (192.168.1.100), Dst: 172.20.9.84 (172.20.9.84)
 Transmission Control Protocol, Src Port: ftp (21), Dst Port: nsc-ccs (2604), Seq: 137, Ack: 68, Len: 50
 File Transfer Protocol (FTP)
  1. What we got from packet 43
No.     Time        Source                Destination           Protocol Info
     43 21.838966   172.20.9.84           192.168.1.100         TCP      wag-service > 7103 [SYN] Seq=0 Win=65535 Len=0 MSS=1460

Frame 43 (62 bytes on wire, 62 bytes captured)
Internet Protocol, Src: 172.20.9.84 (172.20.9.84), Dst: 192.168.1.100 (192.168.1.100)
Transmission Control Protocol, Src Port: wag-service (2608), Dst Port: 7103 (7103), Seq: 0, Len: 0

阅读(5595) | 评论(0) | 转发(2) |
0

上一篇:实例分析Iptables基本原理(Part 3 - DS of Iptables)

下一篇:Notes: NAT Mapping and Filter Behavior - RFC4787

给主人留下些什么吧!~~
关于我们 | 关于IT168 | 联系方式 | 广告合作 | 法律声明 | 免费注册

Copyright 2001-2010 ChinaUnix.net All Rights Reserved 北京皓辰网域网络信息技术有限公司. 版权所有

感谢所有关心和支持过ChinaUnix的朋友们

16024965号-6