Category: LINUX

2007-02-01 12:43:41

Firewalls

  Application-layer firewall: Tcp_wrapper
     IP firewall: iptables

 
I. Application-layer firewall: Tcp_wrapper
  
  1. Configuration files: hosts.allow, hosts.deny (mind the order in which they are consulted)
      The access control software consults two files. The search stops at the first match:
      Access will be granted when a (daemon,client) pair matches an entry in the /etc/hosts.allow file.
      Otherwise, access will be denied when a (daemon,client) pair matches an entry in the /etc/hosts.deny file.
      Otherwise, access will be granted.
      A non-existing access control file is treated as if it were an empty file. Thus, access control can be turned off by providing no access control files.
     
  2. Format of hosts.allow and hosts.deny
      daemon_list : client_list
      e.g.  hosts.allow     vsftpd:192.168.1.117
            hosts.deny      vsftpd:.saeg.com.cn
    What the example does: apart from host .117, every host in .saeg.com.cn is refused access (to vsftpd)
      daemon list:  daemon, ALL
        client list: IP address (192.168.1., 192.168.1.117)
                     domain or host name (.saeg.com.cn, test.saeg.com.cn)
                     subnet (192.168.1.0/24)
                     network name (@mydomain)
                     ALL, LOCAL, UNKNOWN, KNOWN, PARANOID, EXCEPT
      e.g.   ALL:ALL EXCEPT .saeg.com.cn EXCEPT test.saeg.com.cn
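The search order quoted in point 1 and the list syntax in point 2 are easy to get wrong by hand, so here is an added example (not the page's code and not tcp_wrappers' own libwrap) that models the hosts_access(5) decision: hosts.allow first, then hosts.deny, otherwise allow. Function names are assumed, only IPv4 is handled, and the two sample files are constructed to mirror the vsftpd example above. Note that hosts_access(5) parses `a EXCEPT b EXCEPT c` as `a EXCEPT (b EXCEPT c)`, which is what makes the `ALL EXCEPT .saeg.com.cn EXCEPT test.saeg.com.cn` entry admit test.saeg.com.cn while excluding the rest of the domain.

```python
# Added example, not the page's or tcp_wrappers' own code: a model of the
# hosts_access(5) search order quoted above (hosts.allow, then hosts.deny,
# otherwise allow). Function names are assumed; IPv4 only; the two sample
# files are constructed to mirror the page's vsftpd example.
import ipaddress

HOSTS_ALLOW = """
# daemon_list : client_list [: shell_command]
vsftpd : 192.168.1.117
"""
HOSTS_DENY = """
vsftpd : .saeg.com.cn
"""


def parse_rules(text):
    """Return [(daemon_tokens, client_tokens), ...]; a missing file is empty."""
    rules = []
    for raw in (text or "").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(":")          # IPv4 only: colons separate fields
        if len(fields) < 2:
            raise ValueError("malformed entry: %r" % raw)
        # fields[2:] would be the optional shell_command; not modelled here.
        rules.append((fields[0].replace(",", " ").split(),
                      fields[1].replace(",", " ").split()))
    return rules


def token_matches_client(token, ip, host):
    """Match one client_list token against (address, hostname or None)."""
    if token == "ALL":
        return True
    if token == "KNOWN":
        return host is not None
    if token == "UNKNOWN":
        return host is None
    if token == "LOCAL":
        return host is not None and "." not in host
    if token == "PARANOID" or token.startswith("@"):
        return False      # DNS consistency checks and netgroups not modelled
    if token.startswith("."):                    # domain suffix
        return host is not None and host.lower().endswith(token.lower())
    if token.endswith("."):                      # address prefix
        return ip.startswith(token)
    if "/" in token:                             # net/mask or net/prefixlen
        net, mask = token.split("/", 1)
        network = (ipaddress.ip_network((net, mask), strict=False) if "." in mask
                   else ipaddress.ip_network(token, strict=False))
        return ipaddress.ip_address(ip) in network
    return token == ip or (host is not None and host.lower() == token.lower())


def list_matches(tokens, match_one):
    """'a EXCEPT b EXCEPT c' parses as a EXCEPT (b EXCEPT c), per hosts_access(5)."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return (list_matches(tokens[:i], match_one)
                and not list_matches(tokens[i + 1:], match_one))
    return any(match_one(t) for t in tokens)


def client_list_matches(client_list, ip, host=None):
    tokens = client_list.replace(",", " ").split()
    return list_matches(tokens, lambda t: token_matches_client(t, ip, host))


def access_decision(daemon, ip, host=None, allow_text=None, deny_text=None):
    """Return 'allow' or 'deny' for a (daemon, client) pair."""
    def pair_matches(rule):
        daemons, clients = rule
        return (list_matches(daemons, lambda t: t in ("ALL", daemon))
                and list_matches(clients, lambda t: token_matches_client(t, ip, host)))

    if any(pair_matches(r) for r in parse_rules(allow_text)):
        return "allow"                 # 1. a hosts.allow match grants access
    if any(pair_matches(r) for r in parse_rules(deny_text)):
        return "deny"                  # 2. a hosts.deny match refuses it
    return "allow"                     # 3. no match in either file: granted


if __name__ == "__main__":
    for ip, host in [("192.168.1.117", "h117.saeg.com.cn"),
                     ("192.168.1.50", "other.saeg.com.cn"),
                     ("10.0.0.5", None)]:
        print(ip, host, access_decision("vsftpd", ip, host, HOSTS_ALLOW, HOSTS_DENY))
```

Run it against a proposed pair of files before deploying them; a client that is in neither file ends up allowed (step 3), which is why a deny-by-default setup puts `ALL:ALL` in hosts.deny.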
 
  3. How to check whether a service (daemon) supports Tcp_wrapper
     ldd `which daemon` | grep wrap
     If this prints anything (the binary is dynamically linked against libwrap), the daemon supports Tcp_wrapper
     Note: daemon can be vsftpd, sshd, xinetd, etc.
 
  4. Tcp_wrapper for services run under xinetd
    --host-based restrictions
    --time-based restrictions
    --tcp_wrapper first, then xinetd (the hosts.* files are checked first; if they impose no restriction, xinetd.conf or xinetd.d/* is checked next)
 
  5. Configuring xinetd access restrictions
    Edit /etc/xinetd.conf directly, or the files under /etc/xinetd.d/
    
    Statements used:
      --only_from=
      --no_access=
      --access_times=
      --per_source=
   Example: allow telnet only from 192.168.1.2, and only between 9:00 and 16:00 (no tcp_wrapper restriction in place)
===========================================================================
    /etc/xinetd.conf
--------------------------
defaults
{
        instances               = 60
        log_type                = SYSLOG authpriv
        log_on_success          = HOST PID
        log_on_failure          = HOST
        cps                     = 25 30
        only_from=192.168.1.0/24
        no_access=192.168.1.117
        access_time=9:00-16:00
        per_source=2
}
includedir /etc/xinetd.d
 
   /etc/xinetd.d/krb5-telnet
---------------------------
service telnet
{
        flags           = REUSE
        socket_type     = stream       
        wait            = no
        user            = root
        server          = /usr/kerberos/sbin/telnetd
        log_on_failure  += USERID
        disable         = no
}
 
[[[[[[[[[[[[[[[[ The problem below has since been cleared up ]]]]]]]]]]]]]]]]]]]]]]]]]]
  Note (test results, a bit puzzling at the time):
    >With the 4 restrictions placed in xinetd.conf, only only_from took effect
    >With the restrictions placed in xinetd.d/*, access was impossible however they were configured
[[[[[[[[[[[[[[[[ The problem above has since been cleared up ]]]]]]]]]]]]]]]]]]]]]]]]]]
  Cause:
      The syntax was wrong (access_time was misspelled), so the parameters never took effect. Correct form:
      only_from      =  192.168.1.117
      no_access      =  192.168.1.2
      access_times   =  9:00-11:00
     
 
service xinetd restart
===========================================================================
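The root cause above, an attribute name xinetd does not recognise, is the kind of slip a syntax check catches before `service xinetd restart`. The following is an added example (not the page's code and not part of xinetd) that lints the xinetd.conf format shown above: it walks `defaults` and `service` blocks, checks that each line is `attribute = value` (or `+=` / `-=`), and flags names outside the attribute set from xinetd.conf(5), suggesting the closest known one. Function names are assumed, KNOWN_ATTRIBUTES is the common subset only, and the sample configuration is constructed from the two files above.

```python
# Added example, not the page's or xinetd's code: a small linter for the
# xinetd.conf syntax shown above. It reports attribute names xinetd does not
# know, which is how the `access_time` vs `access_times` slip described
# above would have been caught before restarting the service. Function names
# are assumed; KNOWN_ATTRIBUTES is the common subset from xinetd.conf(5); the
# sample configuration is constructed from the page's two files.
import difflib
import re

KNOWN_ATTRIBUTES = {
    "id", "type", "flags", "disable", "socket_type", "protocol", "wait",
    "user", "group", "instances", "nice", "server", "server_args",
    "only_from", "no_access", "access_times", "log_type", "log_on_success",
    "log_on_failure", "rpc_version", "rpc_number", "env", "passenv", "port",
    "redirect", "bind", "interface", "banner", "banner_success",
    "banner_fail", "per_source", "cps", "max_load", "groups", "umask",
    "enabled", "deny_time", "rlimit_as", "rlimit_cpu", "rlimit_data",
    "rlimit_rss", "rlimit_stack",
}
ATTR_RE = re.compile(r"^\s*([A-Za-z_]+)\s*(\+=|-=|=)\s*(.*)$")

SAMPLE_XINETD_CONF = """\
defaults
{
        instances               = 60
        log_type                = SYSLOG authpriv
        only_from=192.168.1.0/24
        no_access=192.168.1.117
        access_time=9:00-16:00
        per_source=2
}
includedir /etc/xinetd.d
service telnet
{
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/kerberos/sbin/telnetd
        log_on_failure  += USERID
        disable         = no
}
"""


def lint_xinetd(text):
    """Return [(line_no, block, offending_text, message), ...]; empty if clean."""
    findings = []
    block = None                       # "defaults", "service <name>" or None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        stripped = raw.split("#", 1)[0].strip()
        if not stripped or stripped == "{":
            continue
        if stripped == "}":
            block = None
            continue
        if block is None:              # top level: block headers and directives
            words = stripped.split()
            if words[0] == "defaults":
                block = "defaults"
            elif words[0] == "service" and len(words) == 2:
                block = "service " + words[1]
            elif words[0] not in ("include", "includedir"):
                findings.append((lineno, None, stripped, "unexpected top-level text"))
            continue
        m = ATTR_RE.match(stripped)
        if not m:
            findings.append((lineno, block, stripped, "not of the form attribute = value"))
            continue
        name, op, value = m.groups()
        if name not in KNOWN_ATTRIBUTES:
            close = difflib.get_close_matches(name, sorted(KNOWN_ATTRIBUTES), n=1)
            msg = "unknown attribute" + (", did you mean %s?" % close[0] if close else "")
            findings.append((lineno, block, name, msg))
        elif not value.strip():
            findings.append((lineno, block, name, "empty value"))
    return findings


if __name__ == "__main__":
    for lineno, block, what, msg in lint_xinetd(SAMPLE_XINETD_CONF):
        print("line %d [%s]: %s: %s" % (lineno, block, what, msg))
```

On the sample above it reports line 7 of the `defaults` block, `access_time`, with the suggestion `access_times`; with the name corrected it reports nothing. The check is deliberately limited to spelling and shape; it does not validate values or which attributes are legal inside `defaults`.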
 
Official documentation

II. iptables firewall
 
 1. iptables syntax
   iptables [-t table] [pattern] [-j target]
    tables
       >filter
       >NAT
       >each table contains several chains (INPUT, OUTPUT, FORWARD)
    action
      > -A CHAIN
      > -D CHAIN
      > -L CHAIN
      > -F CHAIN
      > -P CHAIN
    pattern
      > -s
      > -d
      > -p
      > --dport   requires -p
      > --sport   requires -p
     target
      >ACCEPT
      >DROP

Usage: iptables -[AD] chain rule-specification [options]
       iptables -[RI] chain rulenum rule-specification [options]
       iptables -D chain rulenum [options]
       iptables -[LFZ] [chain] [options]
       iptables -[NX] chain
       iptables -E old-chain-name new-chain-name
       iptables -P chain target [options]
       iptables -h (print this help information)
Commands:
Either long or short options are allowed.
  --append  -A chain            Append to chain
  --delete  -D chain            Delete matching rule from chain
  --delete  -D chain rulenum
                                Delete rule rulenum (1 = first) from chain
  --insert  -I chain [rulenum]
                                Insert in chain as rulenum (default 1=first)
  --replace -R chain rulenum
                                Replace rule rulenum (1 = first) in chain
  --list    -L [chain]          List the rules in a chain or all chains
  --flush   -F [chain]          Delete all rules in  chain or all chains
  --zero    -Z [chain]          Zero counters in chain or all chains
  --new     -N chain            Create a new user-defined chain
  --delete-chain
            -X [chain]          Delete a user-defined chain
  --policy  -P chain target
                                Change policy on chain to target
  --rename-chain
            -E old-chain new-chain
                                Change chain name, (moving any references)
Options:
  --proto       -p [!] proto    protocol: by number or name, eg. `tcp'
  --source      -s [!] address[/mask]
                                source specification
  --destination -d [!] address[/mask]
                                destination specification
  --in-interface -i [!] input name[+]
                                network interface name ([+] for wildcard)
  --jump        -j target
                                target for rule (may load target extension)
  --match       -m match
                                extended match (may load extension)
  --numeric     -n              numeric output of addresses and ports
  --out-interface -o [!] output name[+]
                                network interface name ([+] for wildcard)
  --table       -t table        table to manipulate (default: `filter')
  --verbose     -v              verbose mode
  --line-numbers                print line numbers when listing
  --exact       -x              expand numbers (display exact values)
[!] --fragment  -f              match second or further fragments only
  --modprobe=<command>          try to insert modules using this command
  --set-counters PKTS BYTES     set the counter during insert/append
[!] --version   -V              print package version.

  2. Examples
    Refuse all ping traffic
       iptables -A INPUT -p icmp -j DROP
      or
       iptables -A INPUT -p icmp -j REJECT --reject-with icmp-host-unreachable
    
    Open the HTTP service for a given address range
       1.iptables -A INPUT -p tcp --sport 80 -j DROP (optional)
       2.iptables -A OUTPUT -p tcp --dport 80 -j DROP (optional)
 
       3.iptables -A INPUT -p tcp --sport 80 -m iprange --src-range 192.168.1.100-192.168.1.120 -j ACCEPT
       4.iptables -A OUTPUT -p tcp --dport 80 -m iprange --src-range 192.168.1.100-192.168.1.120 -j ACCEPT
     (
       3.iptables -A INPUT -s 192.168.1.0/24 -p tcp --sport 80  -j ACCEPT
       4.iptables -A OUTPUT -s 192.168.1.0/24 -p tcp --dport 80  -j ACCEPT
     )
     Open the DNS service
       1.iptables -A INPUT -p udp --sport 53 -j ACCEPT
       2.iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
     Open the FTP service
       1.iptables -A INPUT -p tcp --sport 21 -j ACCEPT
       2.iptables -A OUTPUT -p tcp --dport 21 -j ACCEPT
       3.iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
      To be continued
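Two things decide what the rules above actually do: the order in which `-A` appends them (the first matching rule wins) and whether a port test is on `--sport` or `--dport`. The following added example (not the page's code and not iptables itself) is a first-match evaluator for just the syntax used in these examples: `-A`, `-p`, `-s`, `-d`, `--sport`, `--dport`, `-m iprange --src-range` (and `--dst-range`, which the page does not use), `-m state --state`, `-j` and `--reject-with`. Function names are assumed and the packets are constructed. Fed the HTTP rules 1-4 in the order listed, a reply from a web server in the range hits the DROP in rule 1 before it can reach the ACCEPT in rule 3; a new connection to port 80 on this host matches none of them, because they all test `--sport 80`, and falls through to the chain policy.

```python
# Added example, not the page's code and not iptables itself: a first-match
# evaluator for the rule subset used in the examples above (-A, -p, -s, -d,
# --sport, --dport, -m iprange --src-range/--dst-range, -m state --state,
# -j, --reject-with). It models how rule order and the --sport/--dport
# direction decide a packet's fate. Names are assumed; packets are constructed.
import ipaddress
import shlex

OPTIONS_WITH_ARG = {"-A", "-p", "-s", "-d", "--sport", "--dport", "-m",
                    "--src-range", "--dst-range", "--state", "-j", "--reject-with"}


def parse_rule(text):
    """Parse one 'iptables -A CHAIN ... -j TARGET' command line into a dict."""
    argv = shlex.split(text)
    if argv and argv[0] == "iptables":
        argv = argv[1:]
    rule = dict.fromkeys(["chain", "target", "proto", "src", "dst", "sport",
                          "dport", "src_range", "dst_range", "states"])
    i = 0
    while i < len(argv):
        opt = argv[i]
        if opt not in OPTIONS_WITH_ARG or i + 1 >= len(argv):
            raise ValueError("unsupported or incomplete option: %s" % opt)
        arg = argv[i + 1]
        if opt == "-A":
            rule["chain"] = arg
        elif opt == "-j":
            rule["target"] = arg
        elif opt == "-p":
            rule["proto"] = arg.lower()
        elif opt in ("-s", "-d"):
            rule["src" if opt == "-s" else "dst"] = ipaddress.ip_network(arg, strict=False)
        elif opt in ("--sport", "--dport"):
            rule[opt[2:]] = int(arg)
        elif opt in ("--src-range", "--dst-range"):
            lo, hi = arg.split("-")
            rule[opt[2:].replace("-", "_")] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif opt == "--state":
            rule["states"] = set(arg.split(","))
        # "-m <ext>" and "--reject-with <type>" carry no match condition.
        i += 2
    if not rule["chain"] or not rule["target"]:
        raise ValueError("a rule needs -A <chain> and -j <target>")
    if (rule["sport"] is not None or rule["dport"] is not None) \
            and rule["proto"] not in ("tcp", "udp"):
        raise ValueError("--sport/--dport need -p tcp or -p udp")  # the dependency noted above
    return rule


def rule_matches(rule, pkt):
    """pkt: dict with chain, proto, src, dst and optional sport, dport, state."""
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    checks = [
        rule["chain"] == pkt["chain"],
        rule["proto"] is None or rule["proto"] == pkt["proto"],
        rule["src"] is None or src in rule["src"],
        rule["dst"] is None or dst in rule["dst"],
        rule["sport"] is None or rule["sport"] == pkt.get("sport"),
        rule["dport"] is None or rule["dport"] == pkt.get("dport"),
        rule["src_range"] is None or rule["src_range"][0] <= src <= rule["src_range"][1],
        rule["dst_range"] is None or rule["dst_range"][0] <= dst <= rule["dst_range"][1],
        rule["states"] is None or pkt.get("state") in rule["states"],
    ]
    return all(checks)


def verdict(rule_texts, pkt, policy="ACCEPT"):
    """Walk the chain in order; the first matching rule decides, else the policy."""
    for text in rule_texts:
        rule = parse_rule(text)
        if rule_matches(rule, pkt):
            return rule["target"]
    return policy


# The page's HTTP rules 1-4, in the order -A appends them.
HTTP_RULES = [
    "iptables -A INPUT -p tcp --sport 80 -j DROP",
    "iptables -A OUTPUT -p tcp --dport 80 -j DROP",
    "iptables -A INPUT -p tcp --sport 80 -m iprange --src-range 192.168.1.100-192.168.1.120 -j ACCEPT",
    "iptables -A OUTPUT -p tcp --dport 80 -m iprange --src-range 192.168.1.100-192.168.1.120 -j ACCEPT",
]
# Constructed packets: a reply from a web server in the range, and a new
# connection from the same host to a web server on this machine.
REPLY_FROM_WEB = {"chain": "INPUT", "proto": "tcp", "src": "192.168.1.110",
                  "dst": "192.168.1.1", "sport": 80, "dport": 51000, "state": "ESTABLISHED"}
NEW_TO_LOCAL_80 = {"chain": "INPUT", "proto": "tcp", "src": "192.168.1.110",
                   "dst": "192.168.1.1", "sport": 51000, "dport": 80, "state": "NEW"}

if __name__ == "__main__":
    print(verdict(HTTP_RULES, REPLY_FROM_WEB))                       # DROP: rule 1 is hit first
    print(verdict(HTTP_RULES[2:] + HTTP_RULES[:2], REPLY_FROM_WEB))  # ACCEPT once rule 3 comes first
    print(verdict(HTTP_RULES, NEW_TO_LOCAL_80))                      # ACCEPT, from the chain policy
```

The evaluator ignores everything netfilter does beyond these matches (connection tracking, other tables, `-i`/`-o`), so it is a reasoning aid for a ruleset like the one above, not a substitute for `iptables -L -n -v --line-numbers` on the live host, where the per-rule packet counters show which rule is actually absorbing the traffic.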