Firewalls
Application-layer firewall: Tcp_wrapper
IP firewall: iptables
I. Application-layer firewall: Tcp_wrapper
1. Configuration files: hosts.allow, hosts.deny (mind the logic that relates the two)
The access control software consults two files. The search stops at the first match:
Access will be granted when a (daemon,client) pair matches an entry in the /etc/hosts.allow file.
Otherwise, access will be denied when a (daemon,client) pair matches an entry in the /etc/hosts.deny file.
Otherwise, access will be granted.
A non-existing access control file is treated as if it were an empty file. Thus, access control can be turned off by providing no access control files.
2. Format of hosts.allow and hosts.deny
daemon list : client list
e.g.  hosts.allow   vsftpd:192.168.1.117
      hosts.deny    vsftpd:.saeg.com.cn
Meaning: apart from host 117, every host in .saeg.com.cn is refused access to vsftpd.
Daemon list: a daemon name, or ALL
Client list: IP address (192.168.1., 192.168.1.117)
domain or host name (.saeg.com.cn, test.saeg.com.cn)
network/mask (192.168.1.0/24)
network name (@mydomain)
the wildcards ALL, LOCAL, UNKNOWN, KNOWN, PARANOID and the EXCEPT operator
e.g. ALL:ALL EXCEPT .saeg.com.cn EXCEPT test.saeg.com.cn
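The decision procedure and pattern syntax above, simulated in Python as an added example (not code from the original notes or from tcp_wrappers itself): hosts.allow is searched first, then hosts.deny, the first matching (daemon, client) entry decides, and a missing file is passed as an empty string. It covers the client patterns listed here (ALL, leading-dot domain suffix, trailing-dot address prefix, net/mask, nested EXCEPT) plus daemon names; LOCAL, KNOWN/UNKNOWN/PARANOID and @netgroups are left out. The sample hosts.allow and hosts.deny contents are constructed from the vsftpd example.

```python
import ipaddress

# Constructed sample files mirroring the vsftpd example in these notes.
HOSTS_ALLOW = "vsftpd : 192.168.1.117\n"
HOSTS_DENY = "vsftpd : .saeg.com.cn\n"

def _client_matches(pattern, host, addr):
    """One client pattern, as hosts_access(5) describes them."""
    p = pattern.strip()
    if p == "ALL":
        return True
    if p.startswith("."):            # leading dot: domain suffix
        return host.endswith(p)
    if p.endswith("."):              # trailing dot: address prefix
        return addr.startswith(p)
    if "/" in p:                     # net/mask or CIDR
        return ipaddress.ip_address(addr) in ipaddress.ip_network(p, strict=False)
    return p in (host, addr)         # exact host name or address

def _list_matches(spec, host, addr):
    """Client list with EXCEPT; 'a EXCEPT b EXCEPT c' parses as a EXCEPT (b EXCEPT c)."""
    head, _, rest = spec.partition(" EXCEPT ")
    hit = any(_client_matches(t, host, addr) for t in head.replace(",", " ").split())
    if not rest.strip():
        return hit
    return hit and not _list_matches(rest, host, addr)

def _file_matches(text, daemon, host, addr):
    """True if any 'daemon_list : client_list' line in the file matches the pair."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, _, clients = line.partition(":")
        dlist = daemons.replace(",", " ").split()
        if daemon in dlist or "ALL" in dlist:
            if _list_matches(clients.strip(), host, addr):
                return True
    return False

def access_granted(daemon, host, addr, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """hosts.allow match grants; else hosts.deny match refuses; else grant.
    A missing file is passed as "" and behaves like an empty file."""
    if _file_matches(allow, daemon, host, addr):
        return True
    if _file_matches(deny, daemon, host, addr):
        return False
    return True
```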
3. How to check whether a service (daemon) supports Tcp_wrapper
ldd `which daemon` | grep wrap
If anything is printed, the daemon supports Tcp_wrapper.
Note: daemon can be vsftpd, sshd, xinetd, etc.
4. Tcp_wrapper for xinetd-based services
-- host-based restrictions
-- time-based restrictions
-- tcp_wrapper first, then xinetd (the hosts.* files are checked first; only if they impose no restriction are xinetd.conf or xinetd.d/* consulted)
5. Configuring xinetd access restrictions
Edit /etc/xinetd.conf directly, or edit /etc/xinetd.d/*
Directives:
--only_from=
--no_access=
--access_time=
--per_source=
Example: the telnet service is available only to 192.168.1.2, and only between 9:00 and 16:00 (tcp_wrapper imposes no restriction)
===========================================================================
/etc/xinetd.conf
--------------------------
defaults
{
instances = 60
log_type = SYSLOG authpriv
log_on_success = HOST PID
log_on_failure = HOST
cps = 25 30
only_from=192.168.1.0/24
no_access=192.168.1.117
access_time=9:00-16:00
per_source=2
}
includedir /etc/xinetd.d
/etc/xinetd.d/krb5-telnet
---------------------------
service telnet
{
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/kerberos/sbin/telnetd
log_on_failure += USERID
disable = no
}
(The puzzle below has since been resolved; see "Cause".)
Note (test results, which I did not understand at first):
> with the 4 restrictions placed in xinetd.conf, only only_from took effect
> with the restrictions placed in xinetd.d/*, access was impossible no matter how they were configured
Cause:
the syntax was wrong (or access_time was mis-typed), so the parameters never took effect. Working form:
only_from = 192.168.1.117
no_access = 192.168.1.2
access_times = 9:00-11:00
service xinetd restart
===========================================================================
Official documentation
II. iptables firewall
1. iptables syntax
iptables [-t table] [pattern] [-j target]
· tables
> filter
> NAT
> each table contains several chains (INPUT, OUTPUT, FORWARD)
· action
> -A CHAIN
> -D CHAIN
> -L CHAIN
> -F CHAIN
> -P CHAIN
· pattern
> -s
> -d
· target
> ACCEPT
> DROP
Usage: iptables -[AD] chain rule-specification [options]
iptables -[RI] chain rulenum rule-specification [options]
iptables -D chain rulenum [options]
iptables -[LFZ] [chain] [options]
iptables -[NX] chain
iptables -E old-chain-name new-chain-name
iptables -P chain target [options]
iptables -h (print this help information)
Commands:
Either long or short options are allowed.
--append -A chain Append to chain
--delete -D chain Delete matching rule from chain
--delete -D chain rulenum
Delete rule rulenum (1 = first) from chain
--insert -I chain [rulenum]
Insert in chain as rulenum (default 1=first)
--replace -R chain rulenum
Replace rule rulenum (1 = first) in chain
--list -L [chain] List the rules in a chain or all chains
--flush -F [chain] Delete all rules in chain or all chains
--zero -Z [chain] Zero counters in chain or all chains
--new -N chain Create a new user-defined chain
--delete-chain
-X [chain] Delete a user-defined chain
--policy -P chain target
Change policy on chain to target
--rename-chain
-E old-chain new-chain
Change chain name, (moving any references)
Options:
--proto -p [!] proto protocol: by number or name, eg. `tcp'
--source -s [!] address[/mask]
source specification
--destination -d [!] address[/mask]
destination specification
--in-interface -i [!] input name[+]
network interface name ([+] for wildcard)
--jump -j target
target for rule (may load target extension)
--match -m match
extended match (may load extension)
--numeric -n numeric output of addresses and ports
--out-interface -o [!] output name[+]
network interface name ([+] for wildcard)
--table -t table table to manipulate (default: `filter')
--verbose -v verbose mode
--line-numbers print line numbers when listing
--exact -x expand numbers (display exact values)
[!] --fragment -f match second or further fragments only
--modprobe= try to insert modules using this command
--set-counters PKTS BYTES set the counter during insert/append
[!] --version -V print package version.
2. Examples
· Refuse all ping traffic (-p icmp matches every ICMP type, not only echo requests)
iptables -A INPUT -p icmp -j DROP
or
iptables -A INPUT -p icmp -j REJECT --reject-with icmp-host-unreachable
· Allow HTTP only to a given address range (replies from port 80 on INPUT, requests to port 80 on OUTPUT)
1. iptables -A INPUT -p tcp --sport 80 -m iprange --src-range 192.168.1.100-192.168.1.120 -j ACCEPT
2. iptables -A OUTPUT -p tcp --dport 80 -m iprange --dst-range 192.168.1.100-192.168.1.120 -j ACCEPT
3. iptables -A INPUT -p tcp --sport 80 -j DROP (optional)
4. iptables -A OUTPUT -p tcp --dport 80 -j DROP (optional)
(the catch-all DROPs in 3 and 4 must be appended after the ACCEPTs: the first matching rule in a chain decides, so appending them first would shadow 1 and 2)
(alternatively, for a whole subnet:
1. iptables -A INPUT -s 192.168.1.0/24 -p tcp --sport 80 -j ACCEPT
2. iptables -A OUTPUT -d 192.168.1.0/24 -p tcp --dport 80 -j ACCEPT
)
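An added example (not from the original notes) that evaluates the HTTP rules above the way iptables does: rules are appended in the order the -A commands run, the first match in the chain decides, and an unmatched packet falls through to the chain policy. Only the matchers these rules use (-p, --sport/--dport, -s/-d, -m iprange) are modelled, and the packets are constructed.

```python
import ipaddress

def parse_rule(cmd):
    """Pull chain, target and the matchers used in these notes out of an 'iptables -A' command."""
    t = cmd.split()
    rule = {"chain": t[t.index("-A") + 1], "target": t[t.index("-j") + 1]}
    for flag, key in (("-p", "proto"), ("--sport", "sport"), ("--dport", "dport"),
                      ("-s", "src"), ("-d", "dst"),
                      ("--src-range", "src_range"), ("--dst-range", "dst_range")):
        if flag in t:
            rule[key] = t[t.index(flag) + 1]
    return rule

def _addr_ok(addr, net=None, rng=None):
    """-s/-d take a host or CIDR; -m iprange takes an inclusive 'first-last' range."""
    a = ipaddress.ip_address(addr)
    if net and a not in ipaddress.ip_network(net, strict=False):
        return False
    if rng:
        lo, hi = (ipaddress.ip_address(x) for x in rng.split("-"))
        if not lo <= a <= hi:
            return False
    return True

def _matches(rule, pkt):
    if "proto" in rule and rule["proto"] != pkt["proto"]:
        return False
    if any(key in rule and int(rule[key]) != pkt[key] for key in ("sport", "dport")):
        return False
    return (_addr_ok(pkt["src"], rule.get("src"), rule.get("src_range"))
            and _addr_ok(pkt["dst"], rule.get("dst"), rule.get("dst_range")))

def verdict(chain, cmds, pkt, policy="ACCEPT"):
    """Walk the chain in the order the -A commands were issued: first match decides, else the policy."""
    for rule in map(parse_rule, cmds):
        if rule["chain"] == chain and _matches(rule, pkt):
            return rule["target"]
    return policy

# Constructed: the HTTP rules from these notes. DROP_FIRST appends the catch-all DROPs
# before the range ACCEPTs; ACCEPT_FIRST appends the same four rules with the ACCEPTs first.
DROP_FIRST = [
    "iptables -A INPUT -p tcp --sport 80 -j DROP",
    "iptables -A OUTPUT -p tcp --dport 80 -j DROP",
    "iptables -A INPUT -p tcp --sport 80 -m iprange --src-range 192.168.1.100-192.168.1.120 -j ACCEPT",
    "iptables -A OUTPUT -p tcp --dport 80 -m iprange --dst-range 192.168.1.100-192.168.1.120 -j ACCEPT",
]
ACCEPT_FIRST = DROP_FIRST[2:] + DROP_FIRST[:2]
# Constructed packet: a reply from a web server inside the range to this host (the client).
REPLY = {"proto": "tcp", "src": "192.168.1.110", "dst": "192.168.1.5", "sport": 80, "dport": 40000}
```

With the catch-all DROPs appended first, the reply from a server inside the range is dropped; with the range ACCEPTs first it is accepted, and servers outside the range still hit the DROP.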
· Allow DNS
1. iptables -A INPUT -p udp --sport 53 -j ACCEPT
2. iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
· Allow FTP
1. iptables -A INPUT -p tcp --sport 21 -j ACCEPT
2. iptables -A OUTPUT -p tcp --dport 21 -j ACCEPT
3. iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
· To be continued