Linux IPCHAINS-HOWTO Paul Russell, ipchains@rustcorp.com

v1.0.7, 12 March 1999



--------------------------------------------------

Translated by Ilgiz Kalmetev (2:5011/36.6@fidonet)

--------------------------------------------------



    ,    

   IP firewalling (chains)  Linux  

    .



______________________________________________________________________







 



1. 

  1.1 ?

  1.2 ?

  1.3 ?

  1.4 ?



2.   

  2.1 ?

  2.2 ?

  2.3 ?

    2.3.1    

    2.3.2 ipchains

    2.3.3    



3.  ! , ,  , ipautofw ...

  3.1     

  3.2  :  WatchGuard

  3.3  Firewall- 

    3.3.1  :  

    3.3.2  :  

    3.3.3  : 

    3.3.4  

    3.3.5   

  3.4    



4. IP Firewalling 

  4.1     

    4.1.1  ipchains

    4.1.2   

    4.1.3   

      4.1.3.1  IP     

      4.1.3.2  

      4.1.3.3  

        4.1.3.3.1   UDP  TCP

        4.1.3.3.2     ICMP 

      4.1.3.4  

      4.1.3.5   TCP SYN 

      4.1.3.6  

    4.1.4   

      4.1.4.1  

      4.1.4.2  

      4.1.4.3   

      4.1.4.4  

      4.1.4.5   

      4.1.4.6   

      4.1.4.7  

      4.1.4.8  

      4.1.4.9  

      4.1.4.10  () 

      4.1.4.11  

    4.1.5   

    4.1.6  

    4.1.7       

  4.2  

    4.2.1  ipchains-save

    4.2.2  ipchains-restore



5. .

  5.1    Firewall 

  5.2    

    5.2.1 ICMP 

    5.2.2 TCP   DNS ( )

    5.2.3  FTP

  5.3    (DeathPing)

  5.4  Teardrop  Bonk

  5.5   

  5.6   Firewall 

  5.7     ?

  5.8  

    5.8.1 SPF: Stateful Packet Filtering

    5.8.2  Michael Hasenstein'  ftp-data 

  5.9  



6.  

  6.1 ipchains -L !

  6.2 Masquerading/Forwarding  !

  6.3 -j REDIR  !

  6.4    !

  6.5 TOS  !

  6.6 ipautofw    ipportfw   !

  6.7 xosview !

  6.8 Segmentation Fault  `-j REDIRECT'!

  6.9      !

  6.10    Firewall IPX!



7.  .

  7.1 

  7.2 

  7.3   

  7.4    

    7.4.1     forward 

    7.4.2   icmp-acc 

    7.4.3  Good ( )  DMZ ()

    7.4.4  Bad ( )  DMZ ().

    7.4.5  Good ( )  Bad ( ).

    7.4.6  DMZ  Good ( ).

    7.4.7  DMZ  bad ( ).

    7.4.8  Bad ( )  Good ( ).

    7.4.9     Linux-

      7.4.9.1  Bad ( ).

      7.4.9.2  DMZ.

      7.4.9.3  Good ( ).

  7.5  



8. :   ipchains  ipfwadm.

  8.1    .

  8.2    ipfwadm



9. :   ipfwadm-wrapper.



10. : .

______________________________________________________________________





 



  - ,    , 

        :



chains        --  ( )

target        --  (  ) 

policy        --  ()

to resolve    --     ( )

MTU discovery --  MTU

redirection   -- 

forwarding    -- 

wildcards     -- 

patch         -- 

______________________________________________________________________







1. 



 - Linux IPCHAINS-HOWTO;  ``?"   ,   

   .     Linux NET-3-HOWTO.

     IP-Masqurading HOWTO, PPP-HOWTO, 

Ethernet-HOWTO  Firewall HOWTO. (Then again, so might the alt.fan.bigfoot FAQ).



    ,   ``?", ``? "  

    ``IP Firewalling ".



    ipfwadm,   ``", ``?"  

  ``  ipchains  ipfwadm"  `` 

 ipfwadm-wrapper''.





1.1. ?



Linux ipchains  Linux IPV4 firewalling  (   

   BSD)   ipfwadm,    ipfw 

BSD.      IP    Linux 

 2.1.102  .





1.2. ?



 Linux firewalling     ,  32- 

 ( Intel   ),       

  TCP, UDP  ICMP,       atomically,

    ,   ,    

   (    ).





1.3. ?



        2.1.102.   2.0,   

     .    2.0  ,  

 ,    ;    2.0  

 (.    2.0.34      2.0.35).

   2.0    ipportfw  ipautofw,    

 ,        

,  ipchains.





1.4. ?



  - Linux IP Firewall Chains Page  

<http://www.rustcorp.com/linux/ipchains>



   , ,    

  .      , 

  ``subscribe"  ipchains-request  rustcorp.com. 

      " ipchains'  

"ipchains-requetst".





2.   



2.1. ?



       . ,    

 ( 50) , ,  36     

1460  .



   ,   ,   ,  

    .     

.   ,    ,

  .



 ,   TCP,    web, 

     ,   "" - 

         

  (  ),  "  

", ""  "".    .



  -   ,   

         .   

  (   ,      ),

  (    )    ( 

,       ).



 Linux,     ,    , 

  -  ,       

      .





2.2. ?



. . .



:

     Linux-       

    (,  Internet),      -

      -  . ,   

     ,       

      .  :   Netscape,  

     Dilbert.      

  doubleclick.net,  Netscape       .  

       ,      

      ,  doubleclick.net (    

   ).



:

    Linux- -     Internet   

  ,  ,  ,     ,  

      . ,     - 

     ,      " ", 

    .   :    

    telnet-  Linux-,      

   ;    (  )  

   Internet,     (  ) -   

      ;     

   ,    ,  .



:

          

     .        , 

    ;     -   

     .





2.3. ?



2.3.1    



  ,     IP firewall chains ().  

 ,     ,   "/proc/net/ip_fwchains'. 

  ,    .



 ,     ,    IP firewall . 

,   .      2.1.102  , 

      (       ).

,     web ,  ,   

   .    ,   ,  

 -  Kernel-HOWTO.



 ,        2.0:



______________________________________________________________________



CONFIG_EXPERIMENTAL=y

CONFIG_FIREWALL=y

CONFIG_IP_FIREWALL=y

CONFIG_IP_FIREWALL_CHAINS=y

______________________________________________________________________





  2.1  2.2 :

______________________________________________________________________



CONFIG_FIREWALL=y

CONFIG_IP_FIREWALL=y

______________________________________________________________________





ipchains         .    

,    ,      

 .





2.3.2.  ipchains



Ipchains         .

 ,  ,       

;      ``  " .



Ipchains  ipfwadm,      IP Firewall. 

   ,   ftp- ipchains:



        ftp://ftp.rustcorp.com/ipchains/ipchains-scripts-1.1.2.tar.gz 



  shell,  ipfwadm-wrapper,     

   ,     .   

  ,          

  ipfwadm ( ,     .).



  ,      HOWTO.



.   ``  ipchains  ipfwadm"  `` 

 ipfwadm-wrapper'    ipfwadm.





2.3.3.   



   firewall   ,    

   .     

`ipchains-save'  `ipchainsrestore',     . 

  ,   ,   ( root):





       # ipchains-save > /etc/ipchains.rules

       #



   :



----------------------------------------------------------------------

#! /bin/sh

#    .



#   ,    .

[ -f /etc/ipchains.rules ] || exit 0



case "$1" in



  start)

    echo -n "  :" 

    /sbin/ipchains-restore < /etc/ipchains.rules || exit 1 

    echo 1 > /proc/sys/net/ipv4/ip_forward 

    echo "." ;;



  stop)

    echo -n "  :" 

    echo 0 > /proc/sys/net/ipv4/ip_forward 

    /sbin/ipchains -X 

    /sbin/ipchains -F 

    /sbin/ipchains -P input ACCEPT 

    /sbin/ipchains -P output ACCEPT 

    /sbin/ipchains -P forward ACCEPT 

    echo "." ;;



  *)

    echo ": /etc/init.d/packetfilter {start|stop}" 

    exit 1 ;;



esac



exit 0

----------------------------------------------------------------------





,      .   

( Debian 2.1),       "S39packetfilter" 

 "/etc/rcS.d' (    S40network).





3.  ! , ,  , ipautofw ...



 HOWTO    .  ,   

,       . ,   Linux 

    ,      

,   .



    ,       (``ipchains ") 

    ,   ,   - 

        (

 Linux  ,    ).



      HOWTO,  

       

,         ,    

   ,      .  

     .





3.1.     



,      ppp0.  

 ifconfig    :





       # ipchains -P forward DENY

       # ipchains -A forward -i ppp0 -j MASQ

       # echo 1 > /proc/sys/net/ipv4/ip_forward







3.2.  :  WatchGuard



   off-the-shelf .   -   

WatchGuard FireBox.  ,    ,  , 

 Linux,       ipchains,   

   ( 2.3).  , WatchGuard   

 ,        .    , 

 .



                      http://www.watchguard.com 







3.3.  Firewall- 



    littlecorp.com.     ,   

 Internet    (PPP) (firewall.littlecorp.com  

1.2.3.4).      ethernet,    

  "myhost".



     ,   . 

  ,      .





3.3.1.  :  



  ,         Internet,  

.  IP       RFC1597 

Private Network Allocations ( , 10.*.*.*, 172.16.*.*  192.168.*.*).



    Internet -  firewall,  

     ,   

.    ( firewall),  proxy,  

  (   FTP, web, telnet, RealAudio, Usenet   

). . Firewall HOWTO.



  ,   ,    firewall.



( . ``  " ).



:       web- .

  

  1.     192.168.1.*, myhost   

     192.168.1.100,  ethernet  firewall'  192.168.1.1.

  

  2. Web proxy (. "Squid")     firewall, 

        8080.

  

  3. Netscape       firewall  

     8080   .

  

  4. DNS      .

  

  5. DNS     firewall.

  

  6.       (  - )   .

  

Netscape  myhost   http://slashdot.org.

  

  1. Netscape   firewall  8080,   1050  myhost. 

        web "http://slashdot.org".

  

  2. Proxy   "slashdot.org"  IP ,   207.218.152.131. 

            IP (  1025  

       firewall'),    web- ( 80) 

      web.

  

  3.      web     web,  

          Netscape.

  

  4. Netscape  .

  

 ,    slashdot.org,     

1.2.3.4 ( PPP firewall')  1025  207.218.152.131 (slashdot.org) 

 80.    myhost,    192.168.1.100 (myhost) 

 1050  192.168.1.1 (ethernet  firewall')  8080.





3.3.2.  :  



  ,         Internet,  

.  IP       RFC1597 

Private Network Allocations ( , 10.*.*.*, 172.16.*.*  192.168.*.*).



    Internet -  firewall,  

     ,   

.    ( firewall),   proxy,

  ;      ,   

  ( ,    ).



  ,     ,    

.



  ,   ,    firewall.



( . ``  " ).



:       web- .



  1.     192.168.1.*, myhost   

     192.168.1.100,  ethernet  firewall'  192.168.1.1.

  

  2.   ( ,     squid,  "transproxy") 

         firewall,    8080.

  

  3.  ,       80  , 

      ipchains.

  

  4. Netscape       .

  

  5.       DNS (     

     DNS     firewall).

  

  6.          (aka ), 

         firewall.



Netscape  myhost   http://slashdot.org.

  

  1. Netscape   web "http://slashdot.org"  

     207.218.152.131.      IP , 

       1050    web- ( 80)  web.

  

  2.    myhost ( 1050)  slashdot.org ( 80)  

      firewall,        

     8080.     (   

     1025)  207.218.152.131  80 (   

     ).

  

  3.      web     web,  

          Netscape.

  

  4. Netscape  .



     slashdot.org,    1.2.3.4 ( 

PPP firewall')  1025  207.218.152.131 (slashdot.org)  80.   

 myhost    192.168.1.100 (myhost)  1050  

207.218.152.131 (slashdot.org)  80,     

  .





3.3.3.  : 



  ,         Internet 

 ,  .  IP     

  RFC1597 Private Network Allocations ( , 10.*.*.*, 

172.16.*.*  192.168.*.*).



  ,     , 

 "".   ,   

  firewall, ,  ,     

firewall .     ,   

,      .



      "" ,  

FTP, RealAudio, Quake  ..      

 "",      

       

: . `` ipportfw" ( 2.0)  ``ipmasqadm" ( 2.1).



  ,   ,    firewall.



( . ``  " ).



:       web- .



  1.     192.168.1.*, myhost   

     192.168.1.100,  ethernet  firewall'  192.168.1.1.

  

  2. Firewall     ,      

        80   .

  

  3. Netscape    .

  

  4. DNS       .

  

  5. Firewall       (aka )  

      .



Netscape  myhost   http://slashdot.org.



  1. Netscape   web "http://slashdot.org"  

     207.218.152.131.      IP , 

       1050    web- ( 80)  web.

  

  2.    myhost ( 1050)  slashdot.org ( 80)  

      firewall,   ,     PPP 

     firewall  65000. Firewall   Internet  (1.2.3.4), 

          www.linuxhq.com    firewall.

  

  3.     slashdot.org ( 80)  firewall.littlecorp.com 

     ( 65000)  ,    myhost  1050.   

        :  ,     

     ,     ,     .

  

  4. Netscape  .

  

     slashdot.org     1.2.3.4 

( PPP firewall')  65000  207.218.152.131 (slashdot.org)  80.

   myhost     192.168.1.100 (myhost) 

1050  207.218.152.131 (slashdot.org)  80.





3.3.4.  



  ,    -  Internet:    

      .  IP     

     IP,       

,   ,  .   

.



  ,      ,

       Internet, .. 

    Internet     web.



:       web- .



  1.          IP

      ( 1.2.3.*).

  

  2.  firewall   .

  

  3. Netscape    .

  

  4.        DNS.

  

  5. Firewall       (aka )  

      .



Netscape  myhost   http://slashdot.org.

  

  1. Netscape   web "http://slashdot.org"  

     207.218.152.131.      IP , 

       1050    web- ( 80)  web.

  

  2.     firewall ,      

         slashdot.org.

  

  3. Netscape  .

  

     :  1.2.3.100 (myhost)  1050  

207.218.152.131 (slashdot.org)  80.





3.3.5.   



 firewall         

  .       

   .



      "(redirector)",  

  ,      ,   

       ,   

   .    - "redir".   

 Internet   c  firewall.     

 ,      firewall 

 .



  (    2.0,   ipportfw,  

  2.1   )      

 .      ,   "redir",   : 

  ,        

    .    Internet,   

  firewall.      ,   

   Internet  .





3.4    



     HOWTO  ,   

   HOWTO.      

http://www.ecst.csuchico.edu/~dranch/LINUX/index-LINUX.html#ipmasq

  .



 ,         Linux Documentation 

Project  http://www.metalab.unc.edu/LDP



   - http://ipmasq.cjb.net 





4. IP Firewalling Chains



   ,       

 ,   .





4.1. How Packets Traverse The Filters



     ;    firewall- 

  .    input, output  forward.  

  (,   ethernet)    input, 

   .     ,   ,

    (  ).   

   ,     forward. 

 , ,      ,  

   output.



 -   .    "  

   ,     -'.    

  ,      . , 

    ,      ,  

,  .       , 

       .



  ASCII-,    ,   .





          ----------------------------------------------------------------

          |            ACCEPT/                               lo |

          v           REDIRECT                  _______                  |

  --> C --> S --> ______ --> D -> ~~~~~~~~~~ ->|forward|----> _______ -->

      h     a    |input |    e   {  }  |- |     |output |ACCEPT

      e     n    |-|    m   {- }  |_____| --->|- |

      c     i    |____|    a    ~~~~~~~~~~~      |     | ->|_____|

      k     t       |        s       |             |     | |     |

      s     y       |        q       |             v     | |     |

      u     |       v        e       v            DENY/  | |     v

      m     |     DENY/      r     REJECT  | |   DENY/

      |     v    REJECT      a       |                   | |  REJECT

      |   DENY               d       --------------------- |

      v                      e -----------------------------

     DENY





    :



   (Checksum):

      .     ,  

    (DENY).



  (Sanity):

              

     ,   input  .   

         ,   

    ,       (DENY) (  

    ,   syslog  ).



   input:

     -  firewall ,  .    

      (DENY)  (REJECT) ,   

    .



  (Demasquerade):

          ,  ,  

        output.     IP 

    ,       .



    :

         ,  ,  

          (. " "

    )     (. " forward" ).



   : 

    ,         " 

     ",     (   " 

     "     output).



   lo:

           , 

       output  ,   "lo",  

          "lo".  lo  

       (loopback).



  (local):

          ,   forward  

    ,      output.



   forward:

        ,      .



   output:

         ,    .





4.1.1.  ipchains



 ,    ipchains   , 

    :



       $ ipchains --version
       ipchains 1.3.9, 17-Mar-1999



 ,    1.3.4 (     

,  `--sport'),  1.3.8  ;   .



Ipchains    man (man ipchains),      

,      (man 4 ipfw),   

net/ipv4/ip_fw.c     2.1.x,   () 

.



         

    A4  US Letter Postscript(TM).



 ipchains    . -,   .

      : input, forward  output, 

   .



  1.    (-N).

  

  2.    (-X).

  

  3.      (-P).

  

  4.     (-L).

  

  5.     (-F).

  

  6.          (-Z).



      :



   1.      ('-A') 



   2.        ('-I') 



   3.       ('-R') 



   4.       ('-D') 



   5.     ,   ('-D') 



    ,    ipchains - 

      :



  1.     ('-M -L') 

  

  2.      ('-M -S') 

     ( . ``     !").



 (, ,  )    ,

     ,       

 .





4.1.2   



 - "" ipchains;  .     

   (-A)   (-D).  (-I    

-R  ) -    .



      (   " 

")   . ,      

ICMP ,   IP  127.0.0.1.      

  ,     ICMP    127.0.0.1.

  - "DENY"().



127.0.0.1 -  "" ,     ,  

      .    

 "ping",     (    

ICMP 8 ( ECHO),        

    ICMP 0 ( ECHO)).    .





       # ping -c 1 127.0.0.1

       PING 127.0.0.1 (127.0.0.1): 56 data bytes

       64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.2 ms



       --- 127.0.0.1 ping statistics ---

       1 packets transmitted, 1 packets received, 0% packet loss

       round-trip min/avg/max = 0.2/0.2/0.2 ms

       # ipchains -A input -s 127.0.0.1 -p icmp -j DENY

       # ping -c 1 127.0.0.1

       PING 127.0.0.1 (127.0.0.1): 56 data bytes



       --- 127.0.0.1 ping statistics ---

       1 packets transmitted, 0 packets received, 100% packet loss

       #





 ,   ping   ( "-c 1' , 

   ).



   (-A)   "input" , ,  

  127.0.0.1 ("-s 127.0.0.1')  ICMP ("-p ICMP')  

 (DENY) ("-j DENY').



    ,   ping.  

 ,     .



       . -,    , 

  -     ,     

  .   1  :



           # ipchains -D input 1

           #





The second way is to mirror the -A command, but replacing the -A with -D.

 ,      ,     

 .   ,    :



           # ipchains -D input -s 127.0.0.1 -p icmp -j DENY

           #



 -D     ,   -A ( -I  -R). 

         , 

      .





4.1.3   



 ,  "-p"    ,  " -s'  

  ,     ,    

    .    

  .





4.1.3.1.     



IP   (-s)   (-d)    

.      ,    ,

 "localhost"  "www.linuxhq.com".     ,  

 IP   "127.0.0.1".



        IP,  

"199.95.207.0/24"  "199.95.207.0/255.255.255.0".



     IP  192.95.207.0  192.95.207.255 

;   "/" ,   IP  

. "/32"  "/255.255.255.255" -    

(  IP ).    , 

  "/0":



           # ipchains -A input -s 0/0 -j DENY

           #



,     ,      

,       .





4.1.3.2  



 ,  "-s'  "-d'   ,   

"!' ( "')   ,    . ,

"-s! localhost'   ,    localhost.





4.1.3.3.  



     "-p".     (  

     IP)    "TCP", "UDP"  

"ICMP".     ,   "tcp"   

"TCP".



    "!"    , 

. "-p! TCP'.





4.1.3.3.1.   UDP  TCP 



  ,    TCP  UDP, 

  ,   TCP  UDP,  

()   ( . `` " ). 

     ":',  "6000:6010',  

11     6000  6010.     ,  

   0.    ,     

65535. .,   TCP ,    1024 , 

 : "-p TCP -s 0.0.0.0/0:1023'.      

, . "www'.



 ,      "!",  

  .      TCP ,  www:



           -p TCP -d 0.0.0.0/0 ! www



   



           -p TCP -d ! 192.168.1.1 www



  



           -p TCP -d 192.168.1.1 ! www



   TCP   WWW   , 

192.168.1.1.    TCP      

192.168.1.1,  WWW .



 ,    WWW     192.168.1.1:



           -p TCP -d ! 192.168.1.1 ! www





4.1.3.3.2.     ICMP 



ICMP     ,   ICMP  

 , (ICMP    )    .



     ICMP  ( ipchains -h icmp   

 )   "-s',       ICMP,   

   "-s',      "-d".



ICMP   :      

,   ,    .



       ICMP :



                                 

       0       echo-reply               ping

       3       destination-unreachable   TCP/UDP 

       5       redirect                 ,     

       8       echo-request             ping

       11      time-exceeded            traceroute



 ,   ICMP      

 "!".



!        ICMP-  3! 

          (. `` ICMP  " ).





4.1.3.4.  



 "-i"   .  -  , /

 /  .     ifconfig, 

      "" (     

 ).



    (  ,   input)

 ,    .  ,   

   (,   output) - ,  

  .   ,   forward - 

 ,    ;   ,  

 .



   ,    

 ;        ,  

  .



     PPP  ( 

ppp0)  ...



  ,     "+"  

   (       ),

    . ,   ,  

   PPP,    "-i ppp+'.



    "!"   , 

    ().





4.1.3.5.    TCP SYN 



   TCP    . ,  

       WWW ,   

   .



       TCP,   .  

, TCP     ,     

 .



     ,    

.    SYN  (ok,     

  SYN,    ACK  FIN,     

SYN ).    ,     

 .



    "-y":     ,  

  TCP . ,     TCP 

 192.168.1.1:



            -p TCP -s 192.168.1.1 -y



,     ,   "!",  

  ,    .







4.1.3.6.  



   ,    .   

,    ,     . 

        .



     ,    , 

  (   ,  ,  ICMP,

 ICMP,  SYN  TCP) ,     , 

     .



   -     ,    

 Linux ,     ,  

  ,     IP: always defragment "Y".

   .



  ,  ,     . 

  ,   ,   ,

   .  ,     

   .       .

   "-p TCP -s 192.168.1.1 www' (  

"www")      (  ).

  "-p TCP -s 192.168.1.1 ! www'   .



,          

,   "-f". -,    

  TCP  UDP ,  ICMP,  ICMP  TCP SYN,  

       .



  ,         

,  '!'  '-f'. 



         ,

       ,   

   , ,     ,

      .  .



 :    (TCP, UDP  ICMP , 

    firewalling ,  ,  

          ICMP)  

  .  TCP ,    8 

  firewall  ( syslog   

).



,     ,   

192.168.1.1:



          # ipchains -A output -f -d 192.168.1.1 -j DENY

          #





4.1.4.   



,      ,    

 ,   ,  .



   ,   :



  1.          (  

      ).

  

  2.      .

  

  3.    ,     .

  

  4.    ,   Type Of Service.

  

  5.    ,   (   2.0)

  

  6. ,       ,

         .



 ,       .





4.1.4.1.  



   ,    ,   

. Ipchains  "-j" ( "jump-to")   

.      8  .  

,  "RETURN"  "return"  .



   -    .    ( 

  "")       

.      ,     

  . ,      192.168.1.1, 

    :



        # ipchains -A input -s 192.168.1.1

        #



( "ipchains -L -v'       , 

   ).



   .  , ACCEPT, REJECT  DENY  

. ACCEPT   . DENY  ,   

   . REJECT   ,  (   ICMP 

)  ICMP- , ,   .



, MASQ,  ,    .   ,

      IP .  

.  Masquerading-HOWTO   ``  ipchains  ipfwadm". 

     ,    forward.



    - REDIRECT,  ,    

       ,   

 .



      ,   TCP  UDP 

.     (  )  

"-j REDIRECT",        ,   

    .



     ,    forward.



  - RETURN      

  . (.  `` '').



      (   

``  " ).       

.       , ,     

 ,       

 .



     ASCII-.   () :

input ( )  Test ( ).





           `input'                            `Test'

          -------------------------------    -------------------------------

          | 1: -p ICMP -j REJECT |    | 1: -s 192.168.1.1    |

          |-----------------------------|    |-----------------------------|

          | 2: -p TCP -j Test    |    | 2: -d 192.168.1.1    |

          |-----------------------------|    -------------------------------

          | 3: -p UDP -j DENY    |

          -------------------------------





 TCP    192.168.1.1  1.2.3.4.    

input     1.



2 ,    - Test,     

     Test. 1  Test ,  

    ,     2.   

,      .    

input,      2,      3,

   .



   :



                                  v    __________________________

           `input'                |   /    `Test'                v

          ------------------------|--/    -----------------------|----

          | 1              | /|    | 1             |   |

          |-----------------------|/-|    |----------------------|---|

          | 2              /  |    | 2             |   |

          |--------------------------|    -----------------------v----

          | 3              /--+___________________________/

          ------------------------|---

                                  v



  ``   Firewall "    

  .





4.1.4.2.  



   ;       

  ,   "-l".     

  ,        ,   

  -  .



     :



       Packet log: input DENY eth0 PROTO=17 192.168.2.1:53 192.168.1.1:1025

         L=34 S=0x00 I=18 F=0x0000 T=254



      ,   ,   

  ,    -,   

       .   

 :



1. `input' - ,   ,    

       .



2. `DENY' - ,      .   - "-",  

       ( ).



3. "eth0" -  .     input,  

      "eth0".



4. `PROTO=17' ,      17.  

      "/etc/protocols'.    

   1 (ICMP), 6 (TCP)  17 (UDP).



5. "192.168.2.1" -  IP ,    



6. ":53" ,      53.  "/etc/services' 

      `domain' (   -   DNS).  UDP  TCP, 

      .  ICMP,  -  ICMP.     

   65535.



7. "192.168.1.1" - IP  .



8. ":1025" ,      1025.  UDP  TCP 

     -  .  ICMP  -  ICMP.     

   65535.



9. "L=34' ,      34 .



10. "S=0x00'   Type of Service ( 4,   Type of 

    Service   ipchains).



11. `I=18'  IP.



12. "F=0x0000'  16-    . , 

      "0x4"  "0x5", ,    Don't 

    Fragment. "0x2"  "0x3"    `More Fragments';  

        .    - 

      ,   8.



13. "T=254'    (Time To Live) .    

          ,    

      15  255.



14. `(#5)'       (  2.2.9). 

     -  ,     .



  Linux ,     klogd (kernel

logging daemon)    syslogd (system logging daemon). 

"/etc/syslog.conf'   syslogd,   

  "facility" (  , facility - "")  "" ( 

ipchains,   - "info").



,  (Debian) /etc/syslog.conf   ,  

 "kern.info":



  kern.*                          -/var/log/kern.log

  *.=info;*.=notice;*.=warn;\

          auth,authpriv.none;\

          cron,daemon.none;\

          mail,news.none          -/var/log/messages





 ,     " /var/log/kern.log'  

"/var/log/messages'.  .  "man syslog.conf'.
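The "Packet log:" record described in the field list above, parsed into its fields with the F= fragment word decoded into the Don't Fragment bit, the More Fragments bit and the byte offset, as an added example that is not part of this HOWTO. The syslog lines are constructed for illustration; the protocol numbers 1, 6 and 17 are the ones the list names, and the trailing "(#N)" rule number is only present on kernels that print it.

```python
import re
from collections import Counter

# Constructed syslog lines in the "Packet log:" format shown above (not real
# captures). The "(#1)" suffix on the second line is the rule number that
# newer 2.2 kernels append; "-" as the target means the rule had no target.
SAMPLE_LOG = """\
Jan  5 12:00:01 gw kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.1:53 192.168.1.1:1025 L=34 S=0x00 I=18 F=0x0000 T=254
Jan  5 12:00:02 gw kernel: Packet log: ppp-in DENY ppp0 PROTO=6 192.168.1.7:4242 10.0.0.5:23 L=60 S=0x10 I=3 F=0x4000 T=64 (#1)
Jan  5 12:00:03 gw kernel: Packet log: input ACCEPT lo PROTO=1 127.0.0.1:8 127.0.0.1:0 L=84 S=0x00 I=7 F=0x2003 T=64
Jan  5 12:00:04 gw kernel: Packet log: forward - eth0 PROTO=17 192.168.2.1:53 192.168.1.1:1026 L=34 S=0x00 I=19 F=0x0000 T=254
Jan  5 12:00:05 gw kernel: something unrelated
"""

# One regex for the whole record; the syslog prefix before "Packet log:" is ignored.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x(?P<tos>[0-9A-Fa-f]{2}) I=(?P<ipid>\d+) "
    r"F=0x(?P<frag>[0-9A-Fa-f]{4}) T=(?P<ttl>\d+)"
    r"(?: \(#(?P<rule>\d+)\))?"
)

# The three protocol numbers the field list mentions; others stay numeric.
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_packet_log(line):
    """Return a dict for one "Packet log:" line, or None if the line is not one."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    frag = int(m["frag"], 16)        # raw 16-bit IP fragment word
    proto = int(m["proto"])
    rec = {
        "chain": m["chain"],
        "target": m["target"],
        "iface": m["iface"],
        "proto": proto,
        "proto_name": PROTO_NAMES.get(proto, str(proto)),
        "src": m["src"],
        "dst": m["dst"],
        "length": int(m["length"]),  # L= total packet length in bytes
        "tos": int(m["tos"], 16),    # S= Type of Service byte
        "ipid": int(m["ipid"]),      # I= IP ID
        "ttl": int(m["ttl"]),        # T= Time To Live
        # Leading hex digit 4/5 = Don't Fragment, 2/3 = More Fragments;
        # the remaining 13 bits are the fragment offset divided by 8.
        "dont_fragment": bool(frag & 0x4000),
        "more_fragments": bool(frag & 0x2000),
        "frag_offset": (frag & 0x1FFF) * 8,
        "rule": int(m["rule"]) if m["rule"] else None,
    }
    # For ICMP the two ":n" fields are the ICMP type and code, not ports.
    if proto == 1:
        rec["icmp_type"] = int(m["sport"])
        rec["icmp_code"] = int(m["dport"])
    else:
        rec["sport"] = int(m["sport"])
        rec["dport"] = int(m["dport"])
    return rec


def parse_log(text):
    """Parse every "Packet log:" line in a block of syslog text, skipping the rest."""
    recs = []
    for line in text.splitlines():
        rec = parse_packet_log(line)
        if rec is not None:
            recs.append(rec)
    return recs


def denied_by_source(recs):
    """Count DENY/REJECT hits per (chain, source address): a quick way to see
    which peers are hitting the logged deny rules most often."""
    counts = Counter()
    for r in recs:
        if r["target"] in ("DENY", "REJECT"):
            counts[(r["chain"], r["src"])] += 1
    return counts


if __name__ == "__main__":
    for r in parse_log(SAMPLE_LOG):
        print(r)
    print(denied_by_source(parse_log(SAMPLE_LOG)))
```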







4.1.4.3.   Type Of Service



 IP    - ,  Type of 

Service (TOS) .    ;   - 

" ", " ", " 

"  " ".       

 . Rob van Nieuwkerk,  TOS-,    

 :



       " "     .  

        ""    upstream  

     (Linux).    33k  . Linux   

        3 .      

           

      (         

      ,      ,    

         1.5 ).



 :           

;      ,   

.        ,  

   RSVP (     ,   

 ).



         telnet  

ftp " ",    FTP  - " 

".     :



     ipchains -A output -p tcp -d 0.0.0.0/0 telnet   -t 0x01 0x10 

     ipchains -A output -p tcp -d 0.0.0.0/0 ftp      -t 0x01 0x10 

     ipchains -A output -p tcp -s 0.0.0.0/0 ftp-data -t 0x01 0x08



 "-t"      hex-.    

    TOS:   -  AND 

  TOS ,    - XOR     .



      ,   :





  TOS                                    



                0x01 0x10       ftp, telnet

     0x01 0x08       ftp-data

             0x01 0x04       snmp

               0x01 0x02       nntp





Andi Kleen    ( ):



             txqueuelen  ifconfig 

         TOS.       

         ethernet,        

        3-  (    TOS) 

       .        4-10 

          b  ISDN :    

         .



    2.0  2.1,   2.1   ifconfig (  

nettools),      2.0  .



,       TOS   

PPP ,   "ifconfig $1 txqueuelen'    

/etc/ppp/ip-up.         

;    Andi:



             

      .      ,  

        .        

      TOS,  TOS      .

      (    linux ).





4.1.4.4.  



          

  (Quality of Service)  ,    

     2.1.     .  

2.0   .





4.1.4.5   



   ipchains -    

  .         , 

       (input, output  forward)  

 (MASQ, REDIRECT, ACCEPT, DENY, REJECT  RETURN).



        , 

        .    

  8 .





4.1.4.6.   



   .    test --     

!



       # ipchains -N test

       #



  .           

.





4.1.4.7.  



   .



       # ipchains -X test

       #



 "-X"? ,    .



     :     (. 

`` " )        .   

      .





4.1.4.8.  



          

"-F".



      # ipchains -F forward

      #



    ,     .





4.1.4.9.  



      ,   "-L".



       # ipchains -L input

       Chain input (refcnt = 1): (policy ACCEPT)

       target     prot opt    source                destination           ports

       ACCEPT     icmp -----  anywhere              anywhere              any

       # ipchains -L test

       Chain test (refcnt = 0):

       target     prot opt    source                destination           ports

       DENY       icmp -----  localnet/24           anywhere              any

       #



"refcnt"  test -   ,   test   .

     (  )   .



   ,   ,  .



  ,     "-L". "-n" (numeric)  

 ,    ipchains    IP  

 ,  ( ,   ,  DNS)  

 ,   DNS  ,    

 DNS .    ,     

  ,    .



 "-v"     ,     

,  TOS,    .     

. :



    # ipchains -v -L input

    Chain input (refcnt = 1): (policy ACCEPT)

     pkts bytes target     prot opt   tosa tosx  ifname    mark        source                destination           ports

       10   840 ACCEPT     icmp ----- 0xFF 0x00  lo                    anywhere              anywhere              any





 ,      ,  

  "K", ""  "G"  1000, 1,000,000  1,000,000,000 

.   "-x" (expand numbers)  

 ,    .





4.1.4.10.  () 



    .    "-Z". 

:



    # ipchains -v -L input

    Chain input (refcnt = 1): (policy ACCEPT)

     pkts bytes target     prot opt   tosa tosx  ifname    mark        source                destination           ports

       10   840 ACCEPT     icmp ----- 0xFF 0x00  lo                    anywhere              anywhere              any

    # ipchains -Z input

    # ipchains -v -L input

    Chain input (refcnt = 1): (policy ACCEPT)

     pkts bytes target     prot opt   tosa tosx  ifname    mark        source                destination           ports

        0     0 ACCEPT     icmp ----- 0xFF 0x00  lo                    anywhere              anywhere              any

    #



The problem with this approach is that sometimes you need to know the counter 

values immediately before they are reset.  In the above example, some packets 

could pass through between the `-L' and `-Z' commands.  For this reason, you can 

use the `-L' and `-Z' together, to reset the counters while reading them.  

Unfortunately, if you do this, you can't operate on a single chain: you have to 

list and zero all the chains at once.



     ,        

 ,   .   ,     

     "-L"  "-Z".      

 "-L"  "-Z" ,     .  

,    ,      :  

     .



  # ipchains -L -v -Z

  Chain input (policy ACCEPT):

   pkts bytes target     prot opt   tosa tosx  ifname    mark        source                destination           ports

     10   840 ACCEPT     icmp ----- 0xFF 0x00  lo                    anywhere              anywhere              any



  Chain forward (refcnt = 1): (policy ACCEPT)

  Chain output (refcnt = 1): (policy ACCEPT)

  Chain test (refcnt = 0):

      0     0 DENY       icmp ----- 0xFF 0x00  ppp0                  localnet/24           anywhere              any

  # ipchains -L -v

  Chain input (policy ACCEPT):

   pkts bytes target     prot opt   tosa tosx  ifname    mark        source                destination           ports

     10   840 ACCEPT     icmp ----- 0xFF 0x00  lo                    anywhere              anywhere              any



  Chain forward (refcnt = 1): (policy ACCEPT)

  Chain output (refcnt = 1): (policy ACCEPT)

  Chain test (refcnt = 0):

      0     0 DENY       icmp ----- 0xFF 0x00  ppp0                  localnet/24           anywhere              any

  #





4.1.4.11.  



   ,  ,       

,  ,       `` " 

.   ,     .  

  (input, output  forward)  ,  ,  

    ,     

.



        : ACCEPT, DENY, 

REJECT  MASQ. MASQ     "forward".



   ,   RETURN      

       ,   

 .





4.1.5   



  ,      IP . 

   ipchains,         

(    ).



 IP Masquerading - "-M",       "-L",  

  masqueraded ,   " -S',   

 .



 "-L"   "-n" (     

  )  "-v" ( deltas     

masqueraded ,    ).



 "-S'     ,  :

 TCP ,  TCP    FIN   UDP .   

      ,    "0'.



     "/usr/src/linux/include/net/ip_masq.h',  

   15 , 2   5  .



     - ,  FTP (. `` FTP" 

).



      , 

 ``      !".





4.1.6.  



   ,  ,       

, .,    firewall .  ipchains   

"-C",      ,     

  .



 ,    ,     

"-C".          input, output  forward,

      . 



 ""      , 

    firewall.    ("-p"), 

  ("-s'),   ("-d')   ("-i') .

  - TCP  UDP,         

,   ICMP        ICMP ( 

   "-f'    ,   

 ).



  - TCP (  "-f"  ),    

"-y",  ,        SYN.



   TCP SYN    192.168.1.1 

60000   192.168.1.2  www,    eth0  

"input". ( -    WWW ):



  # ipchains -C input -p tcp -y -i eth0 -s 192.168.1.1 60000 -d 192.168.1.2 www 

  packet accepted

  #





4.1.7.       



         .

    . -,     , 

  ( DNS)   IP , ipchains  

 ,          

.



,    "www.foo.com"    IP ,    

"www.bar.com" -    IP ,   "ipchains -A input -j REJECT 

-s www.bar.com -d www.foo.com'   6    input.



 ,  ipchains   , 

   ("-b" -- bidirectional).    

ipchains   ,     ,    

    "-s'  "-d'. ,   

  192.168.1.1,     :



    # ipchains -b -A forward -j REJECT -s 192.168.1.1

    #



   "-b"   ;    , ., 

`` ipchains-save" .



 "-b"      ("-I"),  ("-D")

(    ),  ("-A")   ("-C").



   "-v" (verbose),     ,  

ipchains    .  ,      

,     . ,   

    192.168.1.1  192.168.1.2.



       # ipchains -v -b -C input -p tcp -f -s 192.168.1.1 -d 192.168.1.2 -i lo

         tcp opt   ---f- tos 0xFF 0x00  via lo    192.168.1.1  -> 192.168.1.2    * ->   *

       packet accepted

         tcp opt   ---f- tos 0xFF 0x00  via lo    192.168.1.2  -> 192.168.1.1    * ->   *

       packet accepted

       #





4.2.  



    PPP  (-i ppp0).    

(-p TCP -s news.virtual.net.au nntp)   

(-p TCP -s mail.virtual.net.au pop-3)   PPP-.   

 Debian    FTP  

(-p TCP -y -s ftp.debian.org.au ftp-data).  web      

ISP (-p TCP -d proxy.virtual.net.au 8080),   doubleclick.net  

Dilbert Archive (-p TCP -y -d 199.95.207.0/24  -p TCP -y -d 199.95.208.0/24).



   ,    ftp     

(-p TCP -d $LOCALIP ftp),    ,  - ,  

    (-s 192.168.1.0/24).    IP spoofing,

       2.1.     : . 

``   IP Spoof ?''.



   ,      

      .



  ,     (  Netscape, lynx  ..)

  doubleclick.net:



      # ipchains -A output -d 199.95.207.0/24 -j REJECT

      # ipchains -A output -d 199.95.208.0/24 -j REJECT

      #



         ( 

    ).     ,   

         ppp-out.



      # ipchains -N ppp-out

      # ipchains -A output -i ppp0 -j ppp-out

      #



   web  telnet.



      # ipchains -A ppp-out -p TCP -d proxy.virtual.net.au 8080 -t 0x01 0x10 

      # ipchains -A ppp-out -p TCP -d 0.0.0.0/0 telnet -t 0x01 0x10

      #



   ftp-data, nntp, pop-3:



      # ipchains -A ppp-out -p TCP -d 0.0.0.0/0 ftp-data -t 0x01 0x02

      # ipchains -A ppp-out -p TCP -d 0.0.0.0/0 nntp -t 0x01 0x02

      # ipchains -A ppp-out -p TCP -d 0.0.0.0/0 pop-3 -t 0x01 0x02

      #



    ,    ppp0:  

  "ppp-in":



      # ipchains -N ppp-in

      # ipchains -A input -i ppp0 -j ppp-in

      #



,  ,   ppp0     

192.168.1.*,       :



      # ipchains -A ppp-in -s 192.168.1.0/24 -l -j DENY

      #



   UDP   DNS (     , 

     203.29.16.1,      DNS 

  ),   ftp,     ftp-data 

(         1023,     X11 

   6000).



      # ipchains -A ppp-in -p UDP -s 203.29.16.1 -d $LOCALIP dns -j ACCEPT

      # ipchains -A ppp-in -p TCP -s 0.0.0.0/0 ftp-data -d $LOCALIP 1024:5999 -j ACCEPT 

      # ipchains -A ppp-in -p TCP -s 0.0.0.0/0 ftp-data -d $LOCALIP 6010: -j ACCEPT 

      # ipchains -A ppp-in -p TCP -d $LOCALIP ftp -j ACCEPT

      #



 ,          :



      # ipchains -A input -i lo -j ACCEPT

      #



,        input - DENY,   

      :



      # ipchains -P input DENY

      #



 :        ,  

      ,    .   

 -   DENY,   . ,   

   DNS   ,      

.





4.2.1.   ipchains-save



  firewall    -  ,  

     .



, ipchains-save - ,        

   .   ,    .



ipchains-save       (    

).       - "-v",  

  ( stderr)   ,   .

  .     input, 

output  forward



     # ipchains-save > my_firewall

     Saving `input'.

     Saving `output'.

     Saving `forward'.

     Saving `ppp-in'.

     Saving `ppp-out'.

     #





4.2.2.   ipchains-restore



ipchains-restore  ,  ipchains-save.  

 : "-v",     ,  "-f" ,

   ,   ,   

.



     input, ipchains-restore , 

   .  ,   ,    

(  )     .    "-f" 

  ,    ;   .



:



    # ipchains-restore < my_firewall

    Restoring `input'.

    Restoring `output'.

    Restoring `forward'.

    Restoring `ppp-in'.

    Chain `ppp-in' already exists. Skip or flush? [S/f]? s

    Skipping `ppp-in'.

    Restoring `ppp-out'.

    Chain `ppp-out' already exists. Skip or flush? [S/f]? f

    Flushing `ppp-out'.

    #







5. .



      FAQ,       

  .





5.1.    Firewall 



    .     

,    (  - 

  )   .



    ,   PPP,      

     input "-i ppp0 -j DENY'   

,        ip-up:



      #   `ppp-in' .

      ipchains-restore -f < ppp-in.firewall

      #   DENY   ppp-.

      ipchains -R input 1 -i ppp0 -j ppp-in



   ip-down:



      ipchains -R input 1 -i ppp0 -j DENY





5.2.    



There are some things you should be aware of before you start filtering out 

everything you don't want.



,      ,    

 .





5.2.1. ICMP 



ICMP   ( )     

 ( TCP  UDP).  "destination-unreachable"  . 

   ,       

 "Host unreachable'  "No route to host';    

  ,    .  ,  

.



   -  ICMP    MTU.  

 TCP  ( Linux)   MTU,   

   ,     

(,  , ,     

).  MTU      

 "Don't Fragment".        ICMP- 

"Fragmentation needed but DF set" --   " , 

  DF".    "destination unreachable',     

,      MTU,     

  .



    ICMP   ( 5);   

    (  IP  ), 

   .





5.2.2 TCP   DNS ( )



     TCP ,  ,  DNS 

   UDP;       512 , 

  TCP  (    53).



DNS     " - ';     

     DNS .



  DNS           

 ( ,    nameserver  

/etc/resolv.conf,    forward    ),

      TCP    domain   

     domain (  

 )       (>1023)   

/etc/resolv.conf.





5.2.3.  FTP 



     - FTP. FTP   ; 

        

 . Web-       

,    FTP       

.



  ,       (  

  ls  dir),    TCP   

 .  ,       TCP 

    FTP.



       ,   ; 

       ,    

.     TCP   

  1024   6000..6010 (  XWINDOWS).





5.3    (DeathPing)



Linux-      ,  

     ICMP ,   

 TCP-  -    .



   ,       " ", 

     ICMP.  ICMP   

 ,   ,    

     -   " ".   ( 

 ),         

   ICMP,     

  .



   ,   ,  ICMP-, 

      TCP  UDP- (  

),          . 





5.4.  Teardrop  Bonk



Teardrop  Bonk -   (    Windows NT 

Microsoft),     .   

   ,    

    .





5.5.   



,   " " TCP   , 

    ,       

.  Linux   .     

(      )     

  "IP: always defragment "Y"" (   ,    

Linux -     ).





5.6.  Firewall 



 ,       .  

,        

.     :



       # ipchains -I input 1 -j DENY

       # ipchains -I output 1 -j DENY

       # ipchains -I forward 1 -j DENY

       ...   ...

       # ipchains -D input 1

       # ipchains -D output 1

       # ipchains -D forward 1

       #



      .



      ,     

   ,    ("-R") ,  

   ,  ,     ; 

     .    .





5.7.     ?



IP spoofing -     IP  .   

       , IP spoofing 

,      .



     ,   SYN, Teardrop, 

" "  ..(      -  ),  

   ,        .



     IP spoofing  Source Address 

Verification (  ).     

,    .   

/proc/sys/net/ipv4/conf/all/rp_filter.



  ,    Source Address Verification  .

 c ,       

  :





       # This is the best method: with Source Address Verification turned on

       # no spoofed packets can get through.

       if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then

         echo -n "Setting up IP spoofing protection... "

         for f in /proc/sys/net/ipv4/conf/*/rp_filter; do

             echo 1 > $f

         done

         echo "done."

       else

         echo "PROBLEMS SETTING UP IP SPOOFING PROTECTION.  BE WORRIED."

         echo "CONTROL-D will exit from this shell and continue system startup."

         echo

         # Start a single user shell on the console

         /sbin/sulogin $CONSOLE

       fi



     ,       

  .      .  2.1 

  ,    127.* (

   , lo).



, ,     : eth0, eth1  ppp0.   

 ifconfig,       .



,  eth0    192.168.1.0   

255.255.255.0, eth1    10.0.0.0    255.0.0.0,  

ppp0   Internet (      

   IP),     :





       # ipchains -A input -i eth0 -s ! 192.168.1.0/255.255.255.0 -j DENY

       # ipchains -A input -i ! eth0 -s 192.168.1.0/255.255.255.0 -j DENY

       # ipchains -A input -i eth1 -s ! 10.0.0.0/255.0.0.0 -j DENY

       # ipchains -A input -i ! eth1 -s 10.0.0.0/255.0.0.0 -j DENY

       #



      Source Address Verification,   

    ,      .



  2.0      : 



       # ipchains -A input -i ! lo -s 127.0.0.0/255.0.0.0 -j DENY

       #





5.8.  



 userspace ,  ,     

,  "libfw".    IP  1.3  

    userspace (   IP_FIREWALL_NETLINK).



       Quality of 

Service ,  ,      .  

   ,  ,       , 

,   .



       userspace   stateful 

 (    firewalling).    

      ,   

userspace daemon.     .





5.8.1. SPF: Stateful  



ftp://ftp.interlinx.bc.ca/pub/spf -   SPF  Brian Murrell', 

     userspace.   

  .



     ,     

,       :



>  ,     ,   :  

> ""-,        

>  .



,    .    , 

""  it gets right.    

 ( ,      ) FTP ( 

,      ),  RealAudio, 

traceroute, ICMP   ICQ (  ICQ    TCP 

,    TCP      

  ..  ) 



>   ipchains  ?



 - . ipchains -      

 Linux . SPF - ,     

ipchains          

.





5.8.2.   Michael Hasenstein'  ftp-data 



Michael Hasenstein  SuSE    ,    ipchains

 ftp-.      

http://www.csn.tu-chemnitz.de/~mha/patch.ftp-data-2.gz 





5.9.  



  2.3 firewalling  NAT  .    

    netdev    ipchains-dev.   

     (firewalling     

  )       firewalling.





6.  





6.1.  ipchains -L !



   DNS;     .



   "-n" (numeric)  ipchains,   

 .





6.2. /  !



,     (   ,  

   ,  ,      

"forward").     ( root),  



        # echo 1 > /proc/sys/net/ipv4/ip_forward

        #



    ,       -  

 ,     ; firewalling 

 ,    .







6.3.  -j REDIR  !



     (. )  ,  

 ;     . ,  

   ,     , 

    .



 ,  REDIR (   input)   

   .





6.4.    !



   2.1.102  2.1.103   (   

), -     ipchains,   

  (, -i ppp +).



    ,        2.0.34.  

       ,   63  

   include/linux/ip_fw.h:



      #define IP_FW_F_MASK    0x002F  /* All possible flag bits mask   */



   ``0x003F".  ,   .





6.5.  TOS  !



   :   Type of Service   

 Type of Service    2.1.102 - 2.1.111.   

   2.1.112.





6.6.  ipautofw and ipportfw  !



 2.0.x  ;         

   ipchains  ipautofw/ipportfw.



 2.1.x  ipmasqadm Juan Ciarlante'  http://juanjox.linuxhq.com/

     ,     ipautofw  ipportfw, 

  ,   ipportfw   ipmasqadm portfw,  

 ipautofw  ipmasqadm autofw.





6.7.  xosview !!



  1.6.0  ,    2.1.x   

 firewall.   , ,     1.6.1

(   !).





6.8.  Segmentation Fault  `-j REDIRECT'!



    ipchains  1.3.3.  .





6.9.      !



   (  2.1.x)  2.1.123.  2.1.124   

     ( return  ret =  

1328 net/ipv4/ip_fw.c).  2.1.125   .





6.10.    IPX!



,   ,  .  ,     

 IP. On the good side, all the hooks are there to firewall IPX!

    ;     ,  .





7.  .



   Michael Neuling   LinuxWorld Tutorial   1999;  - 

     ,    .  

,     .

 



7.1. 



     (  ),   

   "GOOD" ("").



      ( "DMZ" -- Demilitarized 

  Zone --  ).



 PPP   Internet ( "BAD" -- "").



            (BAD)

                  |

                  |

              ppp0|

           ---------------

           | 192.84.219.1|               (DMZ)

           |             |eth0

           |             |----------------------------------------------

           |             |192.84.219.250 |             |              |

           |             |               |             |              |

           |192.168.1.250|               |             |              |

           ---------------          --------       -------        -------

                  | eth1            | SMTP |       | DNS |        | WWW |

                  |                 --------       -------        -------

                  |              192.84.219.128  192.84.219.129  192.84.218.130

                  |

            (GOOD)





7.2. 



  :



  PING  

      ,   .



  TRACEROUTE  

    ,   .



  DNS  

     ping  DNS  .



 DMZ:



    



     SMTP   



      SMTP     



      Pop-3   



   



       DNS   



      DNS         



  Web 



      HTTP     



     Rsync    



 :



   WWW, ftp, traceroute, ssh    .  

   ,    :   

    ,      .



   SMTP   

         .



   POP-3   

           



   DNS   

           WWW, ftp, traceroute  ssh.



   rsync   

          .



   WWW    

    ,         

     .



   ping    

     -     .   , 

         (    , 

          ).





7.3.   





 



        ,     

     .



      # for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f; done

      #



      (DENY) :



   ,  loopback .



          # ipchains -A input -i ! lo -j DENY

          # ipchains -A output -i ! lo -j DENY

          # ipchains -A forward -j DENY

          #



  



        . ,   

     ,   ,   

     ,    .



    -.



        FTP, ,    

   FTP " '   .



          # insmod ip_masq_ftp

          #





7.4.    



    --    forward.



  forward       

  /;      

 .



       ipchains -N good-dmz 

       ipchains -N bad-dmz 

       ipchains -N good-bad 

       ipchains -N dmz-good 

       ipchains -N dmz-bad 

       ipchains -N bad-good



ACCEPT'  ICMP    --   ,

    .



       ipchains -N icmp-acc





7.4.1.     forward



 ,   (  forward)   .  

,       ,   

  (    ).



 ,      ,    

     (,     ).



     ipchains -A forward -s 192.168.1.0/24 -i eth0 -j good-dmz 

     ipchains -A forward -s 192.168.1.0/24 -i ppp0 -j good-bad 

     ipchains -A forward -s 192.84.219.0/24 -i ppp0 -j dmz-bad 

     ipchains -A forward -s 192.84.219.0/24 -i eth1 -j dmz-good 

     ipchains -A forward -i eth0 -j bad-dmz 

     ipchains -A forward -i eth1 -j bad-good 

     ipchains -A forward -j DENY -l





7.4.2.  icmp-acc 



,     ICMP    ACCEPT',  

     .



     ipchains -A icmp-acc -p icmp --icmp-type destination-unreachable -j ACCEPT 

     ipchains -A icmp-acc -p icmp --icmp-type source-quench -j ACCEPT 

     ipchains -A icmp-acc -p icmp --icmp-type time-exceeded -j ACCEPT 

     ipchains -A icmp-acc -p icmp --icmp-type parameter-problem -j ACCEPT





7.4.3.   Good ( )  DMZ ()



 :



    WWW, ftp, traceroute, ssh   



    SMTP   



    POP-3   



    DNS   



    rsync    



    WWW    



    ping    



         DMZ,      

.   -      ,  

     .



        ipchains -A good-dmz -p tcp -d 192.84.219.128 smtp -j ACCEPT 

        ipchains -A good-dmz -p tcp -d 192.84.219.128 pop-3 -j ACCEPT 

        ipchains -A good-dmz -p udp -d 192.84.219.129 domain -j ACCEPT 

        ipchains -A good-dmz -p tcp -d 192.84.219.129 domain -j ACCEPT 

        ipchains -A good-dmz -p tcp -d 192.84.218.130 www -j ACCEPT 

        ipchains -A good-dmz -p tcp -d 192.84.218.130 rsync -j ACCEPT 

        ipchains -A good-dmz -p icmp -j icmp-acc 

        ipchains -A good-dmz -j DENY -l
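As an added example (not code from the HOWTO), here is a small simulator of how ipchains walks the forward chain of 7.4.1 into the good-dmz chain of 7.4.3: rules are tried in order, a jump into a user-defined chain hands the packet back to the caller when no rule there gives a verdict, and "-i" in the forward chain names the interface the packet will leave on. Ports are written numerically; chains not needed for the demonstration are left empty or reduced to their final rule.

```python
# Added example, not from the HOWTO: simulates ipchains chain traversal for
# the forward-chain dispatch (7.4.1) and the good-dmz chain (7.4.3).
# A user chain with no terminal verdict returns to the calling chain, which
# then keeps testing its remaining rules; "-i" in forward = outgoing interface.
import ipaddress
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: int = 0
    iface: str = ""       # interface the packet leaves on (forward semantics)

@dataclass
class Rule:
    target: str           # ACCEPT, DENY, REJECT, MASQ or a user chain name
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = ""
    dport: int = 0
    iface: str = ""
    log: bool = False     # the "-l" flag

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (not self.proto or self.proto == p.proto)
                and (not self.dport or self.dport == p.dport)
                and (not self.iface or self.iface == p.iface))

TERMINAL = {"ACCEPT", "DENY", "REJECT", "MASQ"}
def walk(chains, chain, p, log):
    """Walk one chain in order; return a verdict, or None if we fell off the end."""
    for r in chains[chain]:
        if not r.matches(p):
            continue
        if r.log:                                   # -l: record the match
            log.append(f"{chain}: {p.proto} {p.src}->{p.dst}:{p.dport} via {p.iface}")
        if r.target in TERMINAL:
            return r.target
        verdict = walk(chains, r.target, p, log)    # -j <user chain>
        if verdict is not None:
            return verdict                          # None: keep going here
    return None

# Rules transcribed from the HOWTO (ports numeric); icmp-acc ignores ICMP type.
CHAINS = {
    "forward": [
        Rule("good-dmz", src="192.168.1.0/24", iface="eth0"),
        Rule("good-bad", src="192.168.1.0/24", iface="ppp0"),
        Rule("dmz-bad", src="192.84.219.0/24", iface="ppp0"),
        Rule("dmz-good", src="192.84.219.0/24", iface="eth1"),
        Rule("bad-dmz", iface="eth0"),
        Rule("bad-good", iface="eth1"),
        Rule("DENY", log=True),
    ],
    "good-dmz": [
        Rule("ACCEPT", dst="192.84.219.128", proto="tcp", dport=25),
        Rule("ACCEPT", dst="192.84.219.128", proto="tcp", dport=110),
        Rule("ACCEPT", dst="192.84.219.129", proto="udp", dport=53),
        Rule("ACCEPT", dst="192.84.219.129", proto="tcp", dport=53),
        Rule("ACCEPT", dst="192.84.218.130", proto="tcp", dport=80),
        Rule("ACCEPT", dst="192.84.218.130", proto="tcp", dport=873),
        Rule("icmp-acc", proto="icmp"),
        Rule("DENY", log=True),
    ],
    "icmp-acc": [Rule("ACCEPT", proto="icmp")],
    "bad-dmz": [Rule("DENY")], "bad-good": [Rule("REJECT")],
    "good-bad": [], "dmz-bad": [], "dmz-good": [],
}

def filter_packet(p: Packet, chains=CHAINS):
    log = []                      # returns (verdict, logged lines)
    return walk(chains, "forward", p, log), log
```

Note that a DMZ-to-internal packet is not dropped by the empty dmz-good chain but falls back into forward and is rejected by bad-good, which is why each user chain in the HOWTO ends with its own DENY.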





7.4.4.   BAD ( )  DMZ ().





 DMZ :



    



     SMTP   

      SMTP     

      POP-3   



     



      DNS   

      DNS         



    Web 



      HTTP     

     Rsync    



 ,        DMZ.



     ,    .



        ipchains -A bad-dmz -p tcp -d 192.84.219.128 smtp -j ACCEPT 

        ipchains -A bad-dmz -p udp -d 192.84.219.129 domain -j ACCEPT 

        ipchains -A bad-dmz -p tcp -d 192.84.219.129 domain -j ACCEPT 

        ipchains -A bad-dmz -p tcp -d 192.84.218.130 www -j ACCEPT 

        ipchains -A bad-dmz -p icmp -j icmp-acc 

        ipchains -A bad-dmz -j DENY





7.4.5.  Good ( )  Bad ( ).



  :



    WWW, ftp, traceroute, ssh   

    SMTP   

    POP-3   

    DNS   

    rsync    

    WWW    

    ping    

            ,   

     .  -- .

    .

    FTP,   masq.



       ipchains -A good-bad -p tcp --dport www -j MASQ

       ipchains -A good-bad -p tcp --dport ssh -j MASQ

       ipchains -A good-bad -p udp --dport 33434:33500 -j MASQ

       ipchains -A good-bad -p tcp --dport ftp -j MASQ

       ipchains -A good-bad -p icmp --icmp-type ping -j MASQ

       ipchains -A good-bad -j REJECT -l





7.4.6.   DMZ  Good ( ).



  :



    WWW, ftp, traceroute, ssh   

    SMTP   

    POP-3   

    DNS   

    rsync    

    WWW    

    ping    

              

     ,    .  --  .

    .

    FTP,   masq.

            DMZ,   

        ,   .   

     ,       .



       ipchains -A dmz-good -p tcp ! -y -s 192.84.219.128 smtp -j ACCEPT

       ipchains -A dmz-good -p udp -s 192.84.219.129 domain -j ACCEPT

       ipchains -A dmz-good -p tcp ! -y -s 192.84.219.129 domain -j ACCEPT

       ipchains -A dmz-good -p tcp ! -y -s 192.84.218.130 www -j ACCEPT

       ipchains -A dmz-good -p tcp ! -y -s 192.84.218.130 rsync -j ACCEPT

       ipchains -A dmz-good -p icmp -j icmp-acc

       ipchains -A dmz-good -j DENY -l





7.4.7.  DMZ  bad ( ).



 DMZ :



    

     SMTP   

      SMTP     

      POP-3   

 

     

      DNS   

      DNS         



    Web 



      HTTP     

     Rsync    



       ipchains -A dmz-bad -p tcp -s 192.84.219.128 smtp -j ACCEPT

       ipchains -A dmz-bad -p udp -s 192.84.219.129 domain -j ACCEPT

       ipchains -A dmz-bad -p tcp -s 192.84.219.129 domain -j ACCEPT

       ipchains -A dmz-bad -p tcp ! -y -s 192.84.218.130 www -j ACCEPT

       ipchains -A dmz-bad -p icmp -j icmp-acc

       ipchains -A dmz-bad -j DENY -l





7.4.8.  Bad ( )  Good ( ).



     (-)      



       ipchains -A bad-good -j REJECT





7.4.9.     Linux 



        , 

    linux ,        

  input.        :



       ipchains -N bad-if 

       ipchains -N dmz-if 

       ipchains -N good-if



    :



       ipchains -A input -d 192.84.219.1 -j bad-if 

       ipchains -A input -d 192.84.219.250 -j dmz-if 

       ipchains -A input -d 192.168.1.250 -j good-if





7.4.9.1.   Bad ( ).



   :



    PING  

    TRACEROUTE  

      DNS

             ICMP 

           ping .



        ipchains -A bad-if -i ! ppp0 -j DENY -l 

        ipchains -A bad-if -p TCP --dport 61000:65096 -j ACCEPT 

        ipchains -A bad-if -p UDP --dport 61000:65096 -j ACCEPT 

        ipchains -A bad-if -p ICMP --icmp-type pong -j ACCEPT 

        ipchains -A bad-if -j icmp-acc 

        ipchains -A bad-if -j DENY







7.4.9.2.  DMZ.



    :



   PING  

   TRACEROUTE  

     DNS

   DMZ    DNS,  ping  ICMP   .



       ipchains -A dmz-if -i ! eth0 -j DENY 

       ipchains -A dmz-if -p TCP ! -y -s 192.84.219.129 53 -j ACCEPT 

       ipchains -A dmz-if -p UDP -s 192.84.219.129 53 -j ACCEPT 

       ipchains -A dmz-if -p ICMP --icmp-type pong -j ACCEPT 

       ipchains -A dmz-if -j icmp-acc 

       ipchains -A dmz-if -j DENY -l





7.4.9.3.  Good ().



    :



   PING  

   TRACEROUTE  

     DNS

   DMZ    DNS,  ping  ICMP   .



   :



    WWW, ftp, traceroute, ssh   

    SMTP   

    POP-3   

    DNS   

    rsync    

    WWW    

    ping    

       DNS,  ping  ICMP   

    .



         ipchains -A good-if -i ! eth1 -j DENY 

         ipchains -A good-if -p ICMP --icmp-type ping -j ACCEPT 

         ipchains -A good-if -p ICMP --icmp-type pong -j ACCEPT 

         ipchains -A good-if -j icmp-acc 

         ipchains -A good-if -j DENY -l





7.5.  



   :



        ipchains -D input 1 

        ipchains -D forward 1 

        ipchains -D output 1





8. :   ipchains  ipfwadm.



    -    ,  

 ipchains    ipfwadm.



1.     :    

    ,      .



2.   ,     

       (. "input"  "-I").



3. "-k"  :  "! -y'.



4. "-b"   //  ,   

     `bidirectional'.



5. "-b"     "-C",     (  

   ).



6. "-x"   "-l"    "-v".



7.        .

         .



8.       ( ).  

       2.1.



9.  ,   .



10. Explicit accounting chains have been done away with.



11.       IP.



12.     SYN  ACK (  

      -TCP );  SYN    

    -TCP- .



13.   32-   64-,   32-.



14.   .



15.  ICMP .



16.   .



17.    TOS:       

    ()   `Must Be Zero' TOS;     

      ipchains  .





8.1.    .



[ ,     ,    -  ] 



    :   "-j MASQ'; 

   " -j ACCEPT',   ,   

 ,    ipfwadm.



  ================================================================

  | ipfwadm      | ipchains              | Notes

  ----------------------------------------------------------------

  | -A [both]    | -N acct               |  `acct' 

  |              |& -I 1 input -j acct   |    

  |              |& -I 1 output -j acct  | .

  |              |& acct                 |

  ----------------------------------------------------------------

  | -A in        | input                 |   

  ----------------------------------------------------------------

  | -A out       | output                |   

  ----------------------------------------------------------------

  | -F           | forward               | .   [].

  ----------------------------------------------------------------

  | -I           | input                 | .   [].

  ----------------------------------------------------------------

  | -O           | output                | .   [].

  ----------------------------------------------------------------

  | -M -l        | -M -L                 |

  ----------------------------------------------------------------

  | -M -s        | -M -S                 |

  ----------------------------------------------------------------

  | -a policy    | -A [chain] -j POLICY  | ( . -r  -m).

  ----------------------------------------------------------------

  | -d policy    | -D [chain] -j POLICY  | ( . -r  -m).

  ----------------------------------------------------------------

  | -i policy    | -I 1 [chain] -j POLICY| ( . -r  -m).

  ----------------------------------------------------------------

  | -l           | -L                    |

  ----------------------------------------------------------------

  | -z           | -Z                    |

  ----------------------------------------------------------------

  | -f           | -F                    |

  ----------------------------------------------------------------

  | -p           | -P                    |

  ----------------------------------------------------------------

  | -c           | -C                    |

  ----------------------------------------------------------------

  | -P           | -p                    |

  ----------------------------------------------------------------

  | -S           | -s                    |   

  |              |                       |  ,  .

  ----------------------------------------------------------------

  | -D           | -d                    |   

  |              |                       |  ,  .

  ----------------------------------------------------------------

  | -V           | <>                | . -i [].

  ----------------------------------------------------------------

  | -W           | -i                    |

  ----------------------------------------------------------------

  | -b           | -b                    | -  2 .

  ----------------------------------------------------------------

  | -e           | -v                    |

  ----------------------------------------------------------------

  | -k           | ! -y                  |  ,  

  |              |                       |  -p tcp.

  ----------------------------------------------------------------

  | -m           | -j MASQ               |

  ----------------------------------------------------------------

  | -n           | -n                    |

  ----------------------------------------------------------------

  | -o           | -l                    |

  ----------------------------------------------------------------

  | -r [redirpt] | -j REDIRECT [redirpt] |

  ----------------------------------------------------------------

  | -t           | -t                    |

  ----------------------------------------------------------------

  | -v           | -v                    |

  ----------------------------------------------------------------

  | -x           | -x                    |

  ----------------------------------------------------------------

  | -y           | -y                    |  ,  

  |              |                       |  -p tcp.

  ----------------------------------------------------------------





8.2.    ipfwadm



 : ipfwadm -F -p deny

 : ipchains -P forward DENY



 : ipfwadm -F -a m -S 192.168.0.0/24 -D 0.0.0.0/0

 : ipchains -A forward -j MASQ -s 192.168.0.0/24 -d 0.0.0.0/0



 : ipfwadm -I -a accept -V 10.1.2.1 -S 10.0.0.0/8 -D 0.0.0.0/0

 : ipchains -A input -j ACCEPT -i eth0 -s 10.0.0.0/8 -d 0.0.0.0/0



( ,     :   

.   , 10.1.2.1  eth0).





9. :   ipfwadm-wrapper.



  ipfwadm-wrapper      

ipfwadm 2.3a.



 ,       -  "-V".

  ,  .     

"-W",  "-V" . ,     , 

   ,  ifconfig.     ( 

 ,   ),       

.



       "-V"  "-W",  

     /dev/null.



   -      -   

 ipfwadm   ,     : 

EMail  ipchains@rustcorp.com   "BUG-REPORT".



,     ipfwadm (ipfwadm -h),  

ipchains (ipchains --version),   ipfwadm-wrapper 

(ipfwadm-wrapper --version).    ipchainssave.  .



  ipchains   ipfwadm-wrapper      

. 





10. : .



  Michael Neuling,       ipchains

      result-caching,  

  ,       ,    

 .



     24- EMail  ,  

.



    ipfw  ipfwadm,  Jos Vos. 

Standing on the shoulders of giants and all that...

   Linus Torvalds,       userspace.



  -   ,  Jordan Mendelson, 

Shaw Carruthers, Kevin Moule, Dr. Liviu Daia, Helmut Adams, Franck Sicard, 

Kevin Littlejohn, Matt Kemner, John D. Hardin, Alexey Kuznetsov, Leos Bitto, 

Jim Kunzman, Gerard Gerritsen, Serge Sivkov, Andrew Burgess, Steve Schmidtke, 

Richard Offer, Bernhard Weisshuhn, Larry Auton, Ambrose Li, Pavel Krauz, Steve 

Chadsey, Francesco Potorti`  Alain Knaff.

