.16.0/16 -y -j REJECT
ipchains -A wwwout -p tcp -d 172.16.0/16 -y -j REJECT
ipchains -A sshin -p tcp -s 172.16.0/16 -y -j REJECT
ipchains -A sshout -p tcp -d 172.16.0/16 -y -j REJECT
#
# Ensure that anything reaching the end of a user-defined chain is rejected.
ipchains -A sshin -j REJECT
ipchains -A sshout -j REJECT
ipchains -A wwwin -j REJECT
ipchains -A wwwout -j REJECT
#
# Divert www and ssh services to the relevant user-defined chain.
ipchains -A forward -p tcp -d 172.16.0/16 ssh -b -j sshin
ipchains -A forward -p tcp -s 172.16.0/16 -d 0/0 ssh -b -j sshout
ipchains -A forward -p tcp -d 172.16.0/16 www -b -j wwwin
ipchains -A forward -p tcp -s 172.16.0/16 -d 0/0 www -b -j wwwout
#
# Insert our rules to match hosts at position two in our user-defined chains.
ipchains -I wwwin 2 -d 172.16.1.2 -b -j ACCEPT
ipchains -I wwwout 2 -s 172.16.1.0/24 -b -j ACCEPT
ipchains -I sshin 2 -d 172.16.1.4 -b -j ACCEPT
ipchains -I sshout 2 -s 172.16.1.4 -b -j ACCEPT
ipchains -I sshout 2 -s 172.16.1.6 -b -j ACCEPT
#

In this example, we've used a selection of user-defined chains both to simplify management of our firewall configuration and to improve the efficiency of our firewall as compared to a solution involving only the built-in chains.

Our example creates user-defined chains for each of the ssh and www services in each connection direction. The chain called wwwout is where we place rules for hosts that are allowed to make outgoing World Wide Web connections, and sshin is where we define rules for hosts to which we want to allow incoming ssh connections. We've assumed that we have a requirement to allow and deny individual hosts on our network the ability to make or receive ssh and www connections. The simplification occurs because the user-defined chains allow us to neatly group the rules for the host incoming and outgoing permissions rather than muddling them all together. The improvement in efficiency occurs because, for any particular datagram, we have reduced the average number of tests required before a target is found. The efficiency gain increases as we add more hosts. If we hadn't used user-defined chains, we'd potentially have to search the whole list of rules to determine what action to take with each and every datagram received. Even if we assume that each of the rules in our list matches an equal proportion of the total number of datagrams processed, we'd still be searching half the list on average. User-defined chains allow us to avoid testing large numbers of rules if the datagram being tested doesn't match the simple rule in the built-in chain that jumps to them.

The ipchains support scripts

The ipchains software package is supplied with three support scripts. The first of these we've discussed briefly already, while the remaining two provide an easy and convenient means of saving and restoring your firewall configuration.

The ipfwadm-wrapper script emulates the command-line syntax of the ipfwadm command, but drives the ipchains command to build the firewall rules. This is a convenient way to migrate your existing firewall configuration to the kernel, or an alternative to learning the ipchains syntax. The ipfwadm-wrapper script behaves differently from the ipfwadm command in two ways. Firstly, because the ipchains command doesn't support specification of an interface by address, the ipfwadm-wrapper script accepts an argument of -V but attempts to convert it into the ipchains equivalent of a -W by searching for the interface name configured with the supplied address. The ipfwadm-wrapper script will always provide a warning when you use the -V option to remind you of this. Secondly, fragment accounting rules are not translated correctly.

The ipchains-save and ipchains-restore scripts make building and modifying a firewall configuration much simpler. The ipchains-save command reads the current firewall configuration and writes a simplified form to the standard output. The ipchains-restore command reads data in the output format of the ipchains-save command and configures the IP firewall with these rules. The advantage of using these scripts over directly modifying your firewall configuration script and testing the configuration is the ability to dynamically build your configuration once and then save it. You can then restore that configuration, modify it, and resave it as you please.

To use the scripts, you'd enter something like:

ipchains-save >/var/state/ipchains/firewall.state

to save your current firewall configuration. You'd restore it, perhaps at boot time, with:

ipchains-restore </var/state/ipchains/firewall.state

/proc/sys/net/ipv4/ip_forward

You should then enable promiscuous mode on your Ethernet interface using the ifconfig command. Now you can establish accounting rules that allow you to collect information about the datagrams flowing across your Ethernet without involving your Linux in the route at all.

Notes

[1] This isn't a good thing to do if your Linux machine serves as a router.
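Returning to the user-defined chain example above: the claim that diverting ssh and www traffic into sshin, sshout, wwwin and wwwout reduces the average number of rules tested per datagram is easy to check with a small model of chain traversal. The following Python is an added example and is not part of the Network Administrator's Guide or of the ipchains package. It parses the rule syntax used on the page (-N, -A, -I with a position, -p, -s, -d with an optional service name, -y, -b and -j) and walks the forward chain the way ipchains does, returning the verdict together with the number of rules tested. Its assumptions: the service names resolve to the usual ports 22 and 80; the forward chain's policy, which the page does not show, is DENY; the page's first wwwin line, which is cut off, is written symmetric to the other three SYN guards; the -b option is modelled as one rule that matches either direction rather than as two installed rules, so the real ipchains would count slightly more entries; and the outside addresses in 203.0.113.0/24 are constructed. All function and variable names (net, parse_rule, matches, load, walk, decide, CHAINS) are this example's own.

```python
import ipaddress
import shlex
from collections import namedtuple

SERVICES = {"ssh": 22, "www": 80}  # assumed /etc/services lookup for the names on the page
Packet = namedtuple("Packet", "proto src sport dst dport syn")  # syn: connection-opening SYN (-y)

def net(text):
    """Accept the short address forms ipchains takes, e.g. 0/0 or 172.16.0/16."""
    addr, _, bits = text.partition("/")
    addr = ".".join(addr.split(".") + ["0"] * (3 - addr.count(".")))
    return ipaddress.IPv4Network(f"{addr}/{bits or 32}", strict=False)

def parse_rule(args):
    """Parse one rule's options (-p proto, -s addr, -d addr [port], -y, -b, -j target)."""
    r = dict(target=None, proto=None, src=None, dst=None, dport=None, syn=False, bidir=False)
    i = 0
    while i < len(args):
        opt, i = args[i], i + 1
        if opt in ("-y", "-b"):
            r["syn" if opt == "-y" else "bidir"] = True
        elif opt in ("-p", "-j", "-s", "-d"):
            key = {"-p": "proto", "-j": "target", "-s": "src", "-d": "dst"}[opt]
            r[key], i = (net(args[i]) if opt in ("-s", "-d") else args[i]), i + 1
            if opt == "-d" and i < len(args) and not args[i].startswith("-"):
                r["dport"], i = SERVICES.get(args[i]) or int(args[i]), i + 1  # port after address
        else:
            raise ValueError(f"unsupported ipchains option {opt}")
    return r

def matches(r, p):
    """Does rule r match datagram p? -b installs the rule a second time with source and
    destination exchanged, so the mirror image of p is tested as well (modelled as one rule)."""
    def one_way(q):
        return ((r["proto"] is None or q.proto == r["proto"])
                and (r["src"] is None or ipaddress.ip_address(q.src) in r["src"])
                and (r["dst"] is None or ipaddress.ip_address(q.dst) in r["dst"])
                and (r["dport"] is None or q.dport == r["dport"])
                and (not r["syn"] or q.syn))
    return one_way(p) or (r["bidir"] and one_way(Packet(p.proto, p.dst, p.dport, p.src, p.sport, p.syn)))

def load(script):
    """Build {chain: [rule, ...]} from ipchains -N / -A / -I command lines."""
    chains = {"input": [], "forward": [], "output": []}
    for argv in filter(None, map(shlex.split, script.splitlines())):
        op, chain, rest = argv[1], argv[2], argv[3:]
        chains.setdefault(chain, [])  # -N creates a user-defined chain
        if op == "-A":
            chains[chain].append(parse_rule(rest))
        elif op == "-I":  # -I chain [position] ...; the position defaults to 1
            pos = int(rest.pop(0)) if rest and rest[0].isdigit() else 1
            chains[chain].insert(pos - 1, parse_rule(rest))
    return chains

def walk(chains, chain, p, tests=0):
    """Test rules in order, following jumps; returns (verdict or None, rules tested)."""
    for r in chains[chain]:
        tests += 1
        if not matches(r, p):
            continue
        if r["target"] in chains:  # jump into a user-defined chain
            verdict, tests = walk(chains, r["target"], p, tests)
            if verdict is not None:
                return verdict, tests
            continue  # fell off the end of that chain: resume in this one
        return r["target"], tests
    return None, tests

def decide(chains, p, policy="DENY"):
    """Forward-chain verdict plus rules tested; the policy (assumed DENY, not on the page) applies if nothing matched."""
    verdict, tests = walk(chains, "forward", p)
    return verdict or policy, tests

# The page's rules plus the -N lines they rely on; the cut-off first wwwin line is written symmetric to the other SYN guards.
RULES = """
ipchains -N sshin
ipchains -N sshout
ipchains -N wwwin
ipchains -N wwwout
ipchains -A wwwin -p tcp -s 172.16.0/16 -y -j REJECT
ipchains -A wwwout -p tcp -d 172.16.0/16 -y -j REJECT
ipchains -A sshin -p tcp -s 172.16.0/16 -y -j REJECT
ipchains -A sshout -p tcp -d 172.16.0/16 -y -j REJECT
ipchains -A sshin -j REJECT
ipchains -A sshout -j REJECT
ipchains -A wwwin -j REJECT
ipchains -A wwwout -j REJECT
ipchains -A forward -p tcp -d 172.16.0/16 ssh -b -j sshin
ipchains -A forward -p tcp -s 172.16.0/16 -d 0/0 ssh -b -j sshout
ipchains -A forward -p tcp -d 172.16.0/16 www -b -j wwwin
ipchains -A forward -p tcp -s 172.16.0/16 -d 0/0 www -b -j wwwout
ipchains -I wwwin 2 -d 172.16.1.2 -b -j ACCEPT
ipchains -I wwwout 2 -s 172.16.1.0/24 -b -j ACCEPT
ipchains -I sshin 2 -d 172.16.1.4 -b -j ACCEPT
ipchains -I sshout 2 -s 172.16.1.4 -b -j ACCEPT
ipchains -I sshout 2 -s 172.16.1.6 -b -j ACCEPT
"""
CHAINS = load(RULES)
if __name__ == "__main__":  # constructed datagram; 203.0.113.0/24 stands in for "outside"
    print(decide(CHAINS, Packet("tcp", "203.0.113.5", 40000, "172.16.1.4", 22, True)))
```

Three cases are worth running. An incoming ssh SYN for 172.16.1.4 is accepted after three rule tests (one in forward, two in sshin), whereas an incoming ssh SYN for an unlisted host such as 172.16.1.5 reaches the trailing REJECT in sshin after four; in both cases the www rules and every other host's ssh rules are never examined, which is the efficiency gain the text describes. The third case shows what the -y rule at the head of each chain is for: a SYN arriving from an outside host's port 22 toward an inside high port is diverted into sshout by the mirrored half of the -b rule, and the "-d 172.16.0/16 -y -j REJECT" guard stops it before any host permission is consulted, so a connection cannot be opened through the reply path of an allowed service.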