Basic iptables
Uploaded by eden-caldas
Category: Technology
Transcript of Basic iptables
- 1. Basic iptables
- Eden Caldas
2. Tables
- FILTER
3. The default table; rules for incoming and outgoing packets.
4. NAT
5. SNAT, DNAT and MASQUERADE rules.
6. MANGLE
7. QoS
8. FILTER
- INPUT
9. Rules for packets that enter the firewall.
10. OUTPUT
11. Rules for packets that leave the firewall.
12. FORWARD
13. Rules for packets that pass through the firewall.
14. NAT
- PREROUTING
15. Rules for packets whose address is changed before they are routed, i.e. DNAT.
16. POSTROUTING
17. Rules for packets whose address is changed after the routing decision, i.e. SNAT.
18. NAT
- Packet path through the nat table:

    PREROUTING ----> [ Routing  ] ----> POSTROUTING
     (D-NAT)         [ Decision ]        (S-NAT)
                         |   ^
                         v   |
                     Local Process
19. Start of an iptables script

    #!/bin/bash
    # Flush previous rules
    iptables -F
    iptables -t nat -F
    # Default policy
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT
    # Allow loopback - MANDATORY RULE
    iptables -A INPUT -i lo -j ACCEPT
    # Allow return packets of connections already established
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Enable packet forwarding
    echo "1" > /proc/sys/net/ipv4/ip_forward

20. Examples on the INPUT chain

    iptables -A INPUT -p icmp -j DROP
    iptables -A INPUT -p icmp -s 10.0.0.0/8 -j DROP
    iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    iptables -A INPUT -p tcp --dport 80 -i eth1 -j ACCEPT
    iptables -A INPUT -p tcp -m multiport --dports 80,53,21,25 -s 192.168.5.3 -i eth2 -j ACCEPT
21. Examples on the FORWARD chain

    iptables -A FORWARD -i eth1 -o eth0 -s 192.168.3.0/24 -j ACCEPT
    iptables -A FORWARD -s 192.168.3.0/24 -j ACCEPT
    iptables -A FORWARD -i eth0 -o eth2 -d 172.16.3.23 -p tcp --dport 25 -j ACCEPT
    iptables -A FORWARD -i eth2 -s 172.16.3.23 -o eth0 -p tcp --dport 25 -j ACCEPT
22. NAT examples

    iptables -t nat -A PREROUTING -i eth0 -d 200.200.200.201 -p tcp --dport 25 -j DNAT --to 172.16.3.24
    iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j SNAT --to 200.233.222.123
    iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j MASQUERADE
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
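The following script is an added example, not part of the original slides: it combines the slide-19 skeleton with the FORWARD and NAT examples into one parameterised gateway ruleset, with a DRY_RUN mode that prints the commands instead of loading them, so the ruleset can be reviewed without root. The interface names, the LAN network and the internal mail host are assumptions; note that the DNAT rule is paired with a matching FORWARD rule, because with a DROP policy on FORWARD the DNAT alone does not let the packet through, and forwarding is enabled only after the rules are in place.

```shell
#!/bin/bash
# Added example (not from the original slides). Interfaces, network and
# the forwarded host below are assumptions; adjust them to your gateway.
WAN_IF="${WAN_IF:-eth0}"                 # internet-facing interface (assumed)
LAN_IF="${LAN_IF:-eth1}"                 # internal interface (assumed)
LAN_NET="${LAN_NET:-192.168.0.0/24}"     # internal network (assumed)
MAIL_HOST="${MAIL_HOST:-172.16.3.24}"    # internal SMTP host that receives DNAT (assumed)

# ipt: run iptables, or only print the command when DRY_RUN=1 so the
# ruleset can be reviewed without root and without touching the kernel.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

build_gateway_rules() {
    # 1. Start from a clean state in both tables used here
    ipt -F
    ipt -t nat -F
    # 2. Default policy: drop everything that is not explicitly allowed
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    # 3. Loopback and return traffic of established connections (mandatory)
    ipt -A INPUT -i lo -j ACCEPT
    for chain in INPUT OUTPUT FORWARD; do
        ipt -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
    done
    # 4. Let the LAN reach the internet through this gateway (MASQUERADE)
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
    # 5. Publish the internal mail server: DNAT in nat/PREROUTING plus the
    #    matching FORWARD rule; DNAT by itself does not accept the packet
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 25 -j DNAT --to "$MAIL_HOST"
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$MAIL_HOST" -p tcp --dport 25 -j ACCEPT
    # 6. Enable forwarding only now, once the rules are loaded
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo 'echo 1 > /proc/sys/net/ipv4/ip_forward'
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

# rule_count: number of iptables commands a dry run generates (for review checks)
rule_count() { DRY_RUN=1 build_gateway_rules | grep -c '^iptables'; }
```

Run `DRY_RUN=1 ./gateway.sh && DRY_RUN=1 bash -c '. ./gateway.sh; build_gateway_rules'` to print the ruleset for review; without DRY_RUN the same function loads it as root.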