7/31/2019 Building an IP Table Firewall System
1/65
TABLE OF CONTENTS
TABLE OF CONTENTS ...... 1
ACKNOWLEDGEMENTS ...... 4
INTRODUCTION ...... 5
Chapter 1:
COMPUTER NETWORK SECURITY AND SAFETY ISSUES ...... 7
1.1. Overview of computer network security ...... 7
1.1.1. Where do security threats come from? ...... 7
1.1.2. Basic solutions for ensuring security ...... 8
1.2. System and network security issues ...... 10
1.2.1. General issues of system and network security ...... 10
1.2.2. Some concepts and the history of system security ...... 11
1.2.3. Types of security vulnerabilities and main network attack methods ...... 12
1.3. Security for LANs ...... 16
1.3.1. Virtual Private Network (VPN) ...... 16
1.3.2. Firewall ...... 17
Chapter 2: FIREWALL OVERVIEW ...... 18
2.1. Introduction to firewalls ...... 18
2.1.1. The firewall concept ...... 18
2.1.2. Basic functions of a firewall ...... 18
2.1.3. Firewall classification ...... 19
2.1.4. Some other firewall systems ...... 22
2.2. Strategies for building a firewall ...... 27
2.2.1. Least Privilege ...... 27
2.2.2. Defense in Depth ...... 27
2.2.3. Choke Point ...... 27
2.2.4. Weakest Link ...... 27
2.2.5. Fail-Safe Stance ...... 28
2.2.6. Universal participation ...... 28
2.2.7. Diversity of defense ...... 28
2.2.8. Simplicity ...... 29
2.3. How to build a firewall ...... 29
2.3.1. Building the basic rules (Rule Base) ...... 29
2.3.2. Building a security policy ...... 29
2.3.3. Building a secure architecture ...... 30
2.3.4. Order of the rules in the table (Sequence of Rules Base) ...... 31
2.3.5. Basic rules (Rules Base) ...... 31
2.4. Packet filtering and operating mechanism ...... 32
2.4.1. Packet filtering ...... 33
2.4.2. Application Gateway ...... 33
2.4.3. Smart Session Filtering ...... 34
2.4.4. Hybrid Firewall ...... 35
2.5. Conclusion ...... 35
Chapter 3:
UNDERSTANDING IPTABLES IN THE LINUX OPERATING SYSTEM ...... 36
3.1. The IPtable firewall on Red Hat ...... 36
3.1.1. Introduction to IPtables ...... 37
3.1.2. Packet traversal through Netfilter ...... 40
3.1.3. Structure of IPtables ...... 40
3.1.4. Installing iptables ...... 41
3.2. Common command-line parameters ...... 41
3.2.1. Getting help ...... 41
3.2.2. Options for specifying parameters ...... 41
3.2.3. Options for working with chains ...... 42
3.2.4. Options for working with rules ...... 42
3.2.5. Distinguishing ACCEPT, DROP and REJECT for packets ...... 42
3.2.6. Distinguishing NEW, ESTABLISHED and RELATED ...... 43
3.2.7. The --limit and --limit-burst options ...... 43
3.3. Introduction to the NAT table (Network Address Translation) ...... 44
3.3.1. Basic NAT concepts ...... 44
3.3.2. Dynamic NAT ...... 45
3.3.3. IP address masquerading (masquerade) ...... 46
3.3.4. Some examples using NAT ...... 46
Chapter 4: SETTING UP A FIREWALL TO PROTECT THE INTERNAL NETWORK WITH IPTABLES IN THE LINUX OPERATING SYSTEM ...... 49
4.1. How a firewall with a DMZ works ...... 49
4.2. Configuration file structure and configuration ...... 50
4.2.1. Configuring the options ...... 50
4.2.2. Loading the required modules into the kernel ...... 51
4.2.3. Required settings for the proc file system ...... 51
4.2.4. Setting up the rules ...... 51
4.3. Configuring internal hosts to access the external network ...... 56
4.4. Testing the firewall ...... 56
4.5. Building remote management software for the IPTables firewall ...... 59
4.5.1. Problem description ...... 59
4.5.2. Some program interfaces ...... 59
4.5.3. Software evaluation ...... 62
CONCLUSION ...... 64
REFERENCES ...... 65
Studying LAN security issues
ACKNOWLEDGEMENTS
First of all, I would like to express my sincere thanks to Prof. Dr. Tran Huu Nghi, the rector of the university, who played a major part in founding Hai Phong Private University (DHDL Hai Phong). I would also like to send my deep thanks to the lecturers of the Department of Informatics at Hai Phong Private University, who devotedly taught me and provided valuable knowledge throughout the past four years.
In particular, I sincerely thank Dr. Pham Hong Thai and B.Sc. Luong Viet Nguyen of the University of Technology, who spent much valuable time and effort guiding me and created every favorable condition for me to complete this thesis well. Finally, I also thank my family, friends and relatives, who were always at my side to encourage me, help me and support me in every way.
Because my knowledge and experience are still limited, this thesis still has many shortcomings; I very much hope to receive criticism, assessment and suggestions from my teachers and friends.
I sincerely thank you!
Hai Phong, August 2007.
Student
Nguyen Thi Thuy
Student ID: 10419 - Nguyen Thi Thuy CT 701 Page - 4 -
INTRODUCTION
The need to exchange information forces agencies and organizations to join the global Internet. Information safety and security is one of the most important issues when connecting the internal network of an agency, enterprise or organization to the Internet. Today, information-security measures for personal computers as well as for internal networks have been researched and deployed. Nevertheless, networks are still regularly attacked and organizations still have information stolen, with extremely serious consequences.
These attacks target every computer present on the Internet: the computers of large companies such as AT&T and IBM, universities, government agencies, military organizations and banks; some attacks are enormous in scale (up to 100,000 computers attacked). Moreover, these figures are only the tip of the iceberg. A very large share of attacks is never reported, for many reasons, among them fear of losing reputation or simply that the administrators in charge never learn of the attacks aimed at their systems.
Not only is the number of attacks rising quickly, the attack methods are also being refined continuously, in part because system administrators are becoming more vigilant. Connecting an organization's internal network to the Internet without security measures is therefore regarded as suicide.
The need for growth requires agencies and organizations to join the global network, the Internet, while still ensuring information security during that connection. For this reason I decided to choose the topic: Researching solutions for protecting the internal network, in order to control the flow of information in and out and to protect internal networks from attacks from the Internet. This thesis presents, in outline, the concepts of networks and firewalls, how to protect a network with a firewall, and how to build a firewall.
At the same time, Iptables in the Linux operating system is used to set up a firewall that protects internal networks.
The main content of the thesis consists of 4 chapters, as follows:
Chapter 1: Security issues in computer networks.
Presents an overview of security issues in computer networks, the threats, and the problem of securing a network system.
Chapter 2: Firewall overview.
Presents the concept of a firewall, firewall functions, firewall classification and firewall architectures.
Sets out the policies for building a firewall; from those policies we obtain a way of building firewalls that protect the network.
Chapter 3: Understanding IPTables in the Linux operating system.
Studies Iptables and the common command-line parameters.
Chapter 4: Setting up a firewall to protect the internal network with Iptables in the Linux operating system.
Building on the study of Iptables in chapter 3, sets up a firewall that protects internal networks with Iptables on Linux.
Chapter 1:
COMPUTER NETWORK SECURITY AND SAFETY ISSUES
1.1. Overview of computer network security
1.1.1. Where do security threats come from?
In society, good and evil always exist side by side as two inseparable faces, each constantly negating the other. For all the many people who strive toward what is good and right, there are no fewer who, for one purpose or another, let evil arise and crowd out the good. This tug of war between good and evil has always been a pressing problem for society: evil must be eliminated, yet it keeps arising over time. Computer networks are no different. Some people spend enormous effort researching measures to protect the security of their organizations, while others look for every way to break through that protection from many different angles.
The purpose of honest people is clear: they always want to create the means to secure their organization. The purposes of wrongdoers, by contrast, come at many levels and from many angles. Some want to break through the security shell to prove their ability and satisfy a selfish vice. People of this kind usually harm others by destroying network resources, violating privacy or defaming them. More dangerously, some want to seize the assets of others, for instance by stealing companies' confidential information or breaking into banks to transfer money. In practice, most organizations and companies that take part in the global computer network hold a large amount of information connected online. Within that large volume of information there is secret information: trade secrets, product development plans, marketing strategies, financial analyses, and personnel records, private secrets and so on. This information is extremely important, and its disclosure to competitors would lead to very serious consequences.
However, wrongdoers cannot achieve their aims whenever they wish. They need time, and they need gaps and weaknesses in the very systems that protect network security. To exploit these, they also need intelligence together with a long chain of experience. Building security measures, in turn, requires the builder to have no less intelligence and practical experience. Thus both the positive and the negative side are carried out by the hands and minds of human beings; no machine can replace them. The problem of computer network security is therefore entirely a human matter.
At first, acts of sabotage were merely games played by clever people, not aimed at profit or malice. However, as computer networks became widespread, connecting many organizations, companies and individuals holding a great deal of secret information, such sabotage kept growing. It caused many serious consequences and became a form of crime. According to statistics from CERT (Computer Emergency Response Team), the number of attacks on the Internet reported to that organization was fewer than 200 in 1989, about 400 in 1991, 1400 in 1993 and 2241 in 1994. These attacks targeted every computer present on the Internet, from the computers of large companies such as AT&T and IBM to universities, government agencies and banks. In reality these figures are only the tip of the iceberg. A large share of attacks is not reported, for various reasons such as fear of losing reputation, or simply because the victims do not know they have been attacked.
In fact, security threats do not come only from outside the organization; inside the organization the problem is also extremely serious. Threats from inside occur more often than threats from outside, and the main cause is employees who have access rights to the system. Because they have such access, they can find the system's weak points, or they may unintentionally damage it or create opportunities for others to intrude. More dangerously, once such a person is disgruntled or turns traitor, the consequences cannot be foreseen.
In summary, computer network security is entirely a human problem and one that keeps growing; a network can be threatened from outside or from inside the organization. This problem has become a major concern for every party that takes part in the global computer network. Consequently, to ensure safe and secure information exchange on computer networks, organizations are forced to deploy protective measures that ensure security, first of all for themselves.
1.1.2. Basic solutions for ensuring security
As seen above, computer network security can be threatened from many angles and for many different reasons. A threat may originate outside the internal network or from right inside the organization. Ensuring the security of a computer network therefore needs many different concrete solutions. At the most general level, however, there are three basic kinds of solution:
Hardware solutions.
Software solutions.
Human solutions.
These are the three most general solutions that any security administrator must take into account when securing a computer network. Each has its own advantages and disadvantages, which the security administrator must know how to analyze, combine and select in order to achieve the best possible security for the organization.
A hardware solution uses physical devices such as dedicated machines, and may also consist of arrangements in the network model (setting up a private transmission channel, a private network, and so on). A hardware solution usually comes with a corresponding controlling software system. It is not a widespread solution, because it is inflexible in keeping up with advances in newly appearing services, and its cost is very high.
Unlike hardware solutions, software solutions are extremely diverse. A software solution may or may not depend on hardware. Concrete software solutions include authentication methods, encryption methods, virtual private networks, firewall systems and so on. Authentication and encryption methods ensure that information travels over the network as safely as possible: by the way they work, the real information on the link is encrypted into a form that eavesdroppers cannot read, and if the information is altered, the receiving end has a mechanism to detect that alteration. The firewall method ensures security from a different angle. By establishing rules at a special point (usually called the choke point) between the internal network (the network to be protected) and the external network (the network regarded as insecure, that is, the Internet), a firewall system can fully control the connections that exchange information between the two networks. In this way the firewall provides fairly good security for the network to be protected. Since a software solution consists almost entirely of computer programs, its cost is lower than that of a hardware solution.
Alongside these two, the human-policy solution is a fundamental and indispensable one. As seen above, computer network security is entirely a human problem, so a legal framework and concrete working rules are necessary. Here the legal framework may include provisions of state law, sub-law documents and so on, while concrete regulations are set by each organization to suit its own characteristics: regulations on personnel, on the use of machines, on the use of software, and so on. The most effective way to ensure the security of a computer network system is therefore to carry out the human-policy solution thoroughly.
In summary, computer network security is a large problem that requires an overall solution covering not only software and computer hardware but also policy and people. This work must be carried out regularly and continuously and can never be completed, because new threats keep arising over time. Nevertheless, with a sensible overall solution, and in particular by handling the policy and human issues well, we can obtain more certain security for ourselves.
1.2. System and network security issues
1.2.1. General issues of system and network security
A common characteristic of a network system is that it has many shared users and is geographically distributed, so protecting resources (against loss or improper use) is much more complex than in the environment of a single computer or a single user.
The work of a network system administrator must ensure that the information on the network is reliable and used for the right purposes by the right parties, while also ensuring that the network runs stably and is not attacked by saboteurs.
In practice, however, no network can be guaranteed absolutely safe; however well protected a system is, there will be times when it is defeated by people with bad intentions.
The subject of my thesis is the study of security methods for LANs. In the theoretical part of the thesis I present the following concepts:
1.2.2. Some concepts and the history of system security
a. Network attackers (intruders)
Attackers are individuals or organizations who use their knowledge of networks and destructive tools (hardware or software) to probe for weak points and security holes in a system, and then carry out intrusions and seize resources illegally.
Some kinds of network attacker are:
Hacker: someone who intrudes into a network illegally by using password-cracking tools or exploiting weaknesses in the system's access components.
Masquerader: someone who forges information on the network, such as IP addresses, domain names or user identities.
Eavesdropping: parties who listen in on information on the network, using sniffer tools and then analysis and debugging tools to obtain valuable information.
Network attackers may have many different aims, such as stealing economically valuable information, deliberately damaging the network system, or simply acting thoughtlessly.
b. Security vulnerabilities
Security vulnerabilities are weak points in a system, or hidden in a service, through which an attacker can intrude illegally into the system to carry out destructive actions or seize resources unlawfully.
Vulnerabilities have many causes: faults in the system itself, in the software supplied, or a weak administrator who does not understand the services provided in depth.
Vulnerabilities affect a system to different degrees. Some affect only the quality of the service provided; others affect the whole system or destroy it.
c. Security policy
A security policy is the set of rules that apply to the people who take part in administering the network and who use the network's resources and services.
Each situation must have its own security policy. A security policy helps users understand their responsibility for protecting the resources on the network, and it helps the network administrator establish effective safeguards while equipping, configuring and monitoring the operation of the system and the network.
1.2.3. Types of security vulnerabilities and main network attack methods
a. Types of vulnerability
Many organizations have classified the various kinds of vulnerability. According to the US Department of Defense, vulnerabilities are divided into three classes, as follows:
Class C vulnerabilities: allow DoS (Denial of Service) attacks. The danger level is low: they affect only the quality of service, causing the system to stall or be interrupted, without destroying data or granting illegal access.
DoS is a form of attack that uses the Internet-layer protocols of the TCP/IP suite to stall the system, so that legitimate users are denied access to or use of the system.
Services with vulnerabilities that allow DoS attacks can be upgraded or repaired with newer versions from the service providers. At present there is no fully effective measure against this kind of attack, because the design of the Internet layer (IP) in particular, and of the TCP/IP suite in general, already contains the latent risk of such vulnerabilities.
Class B vulnerabilities: allow users to gain additional rights on the system without any check of legitimacy, leading to the loss of information that needs to be kept confidential. These vulnerabilities are usually found in applications on the system. The danger level is medium.
Class B vulnerabilities are more dangerous than class C ones. They allow an internal user to gain higher privileges or illegitimate access. They usually appear in services on the system. A local user is understood to be someone who already has access to the system with certain limited rights.
Another form of class B vulnerability occurs in programs written in C. Programs written in C usually use a buffer, an area of memory used to hold data before it is processed. The programmer typically allocates the buffer in memory before assigning a memory region to each block of data. For example, when writing a program that reads a user-name field, the programmer limits the field to 20 characters with the declaration:
char first_name[20]; This declaration allows the user to enter at most 20 characters. When data is entered, it is first stored in the buffer. When the user enters more than 20 characters, the buffer overflows. The excess characters fall outside the buffer, where we cannot control them. Attackers can take advantage of such holes by entering special characters in order to execute certain special commands on the system. These holes are usually exploited by users on the system to obtain root privileges illegitimately. To limit class B vulnerabilities, the system configuration and the programs must be controlled strictly.
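The buffer from the paragraph above, shown as an added example that is not part of the thesis: the unsafe copy next to a bounded version that rejects overlong input. Note that a 20-byte array holds 19 characters plus the terminating NUL, so the check is against the array size, not the intended field length; the sample names are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FIRST_NAME_LEN 20   /* the char first_name[20] of the text */

/* Vulnerable form of the class B defect described in the text: strcpy()
 * never looks at the destination size, so input longer than 19 characters
 * writes past the end of first_name onto whatever follows it on the stack.
 * Kept only for contrast; it is never called with long input here. */
void store_first_name_unsafe(const char *input)
{
    char first_name[FIRST_NAME_LEN];
    strcpy(first_name, input);            /* no bounds check */
    printf("stored: %s\n", first_name);
}

/* Hardened form: the caller passes the destination and its size, the
 * length is measured without scanning past the buffer size, and input that
 * would not fit (including its NUL) is rejected rather than truncated,
 * because silent truncation can hide the problem from the user.
 * Returns true if the name was stored, false if it was rejected. */
bool store_first_name_safe(char *dst, size_t dst_size, const char *input)
{
    if (dst == NULL || input == NULL || dst_size == 0)
        return false;

    size_t len = 0;                        /* bounded length scan */
    while (len < dst_size && input[len] != '\0')
        len++;
    if (len == dst_size)                   /* no room for the terminating NUL */
        return false;

    memcpy(dst, input, len + 1);           /* copies the NUL as well */
    return true;
}

int main(void)
{
    char first_name[FIRST_NAME_LEN];
    const char *short_name = "Nguyen";                          /* constructed */
    const char *long_name  = "a name far longer than nineteen characters";

    printf("%s -> %s\n", short_name,
           store_first_name_safe(first_name, sizeof first_name, short_name) ? "accepted" : "rejected");
    printf("%s -> %s\n", long_name,
           store_first_name_safe(first_name, sizeof first_name, long_name) ? "accepted" : "rejected");
    store_first_name_unsafe(short_name);   /* harmless only because the input is short */
    return 0;
}
```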
Class A vulnerabilities: allow someone outside the system to gain illegal access to it, and may destroy the whole system. This class is extremely dangerous, threatening the integrity and confidentiality of the system. Such holes usually appear in systems that are poorly administered or whose network configuration is not under control. For example, web servers running on the Novell operating system had a script called convert.bas; running this script allowed the entire contents of files on the system to be read.
Vulnerabilities of this class are extremely dangerous because they are already present in the software in use, and an administrator who does not understand the services and software in depth may overlook them. The announcements of security newsgroups on the network must therefore be checked regularly to detect such holes. A number of commonly used older program versions had class A vulnerabilities, such as FTP, Gopher, Telnet, Sendmail, ARP, finger and others.
b. Common forms of network attack
Scanner
A scanner is a program that automatically probes for and detects security weaknesses on a local workstation or a remote one. A saboteur using a scanner can discover security holes on a server even when it is remote.
It works by probing for and detecting the TCP/UDP ports in use on the target system and the services running on it. The scanner records the responses of the remote system corresponding to each service it detects, and from these it can find the system's weak points.
The requirements for a scanner to operate are as follows:
Device and system requirements: an environment that supports TCP/IP.
The system must be connected to the Internet.
Scanner programs play an important role in a security system, because they can detect the weak points of a network system.
Password Cracker
A program that can decode an encrypted password, or disable the password-protection function of a system.
Different cracking programs work on different principles. Some build a limited word list, apply encryption algorithms to it, compare the results with the encrypted password to be cracked, and generate a further list according to the program's own logic.
When a match with the encrypted password is found, the saboteur has the password in plain text, which is usually written to a file.
The countermeasure against this form of sabotage is to build a sound password-protection policy.
Sniffer
Sniffers are tools (hardware or software) that capture the information flowing on the network and extract the valuable information exchanged on it.
A sniffer can capture the information exchanged among many workstations. It captures packets from the IP layer downward. Since the IP-layer protocol is publicly defined and the structure of its header fields is clear, decoding these packets is not difficult.
The goal of a sniffer program is to put the Ethernet network card, where the packets exchanged in the network pass through, into promiscuous mode (shared mode), and from there to "catch" the information.
Sniffer devices can capture all of the information exchanged on the network because of the broadcast principle of packets in an Ethernet network.
However, setting up a sniffer system is not simple, because it requires intruding into the network system and installing the sniffer software.
Sniffer programs also require the user to understand the network architecture and protocols in depth.
Detecting that a system is being sniffed is not simple either, because a sniffer works at a very low layer and does not affect the applications or the services the system provides.
Nevertheless, building measures to limit sniffing is not too difficult if we follow security principles such as:
Do not let strangers access the devices on the system.
Manage the system configuration strictly.
Establish highly secure connections through encryption mechanisms.
Trojans
A Trojan is a program running illegitimately on a system in the guise of a legitimate program. A Trojan can run because a legitimate program has had its code changed into illegitimate code.
Viruses, for example, are a typical kind of Trojan. Virus programs usually hide code segments inside legitimately used programs. When those programs are activated, the hidden code runs and performs functions the user does not know about, such as stealing passwords or copying files, without the user ever noticing.
A Trojan program performs one of the following tasks:
Performs a few functions, or helps the programmer who planted it discover important or personal information on a system or on just a few components of that system.
Hides a few functions, or helps the programmer discover important or personal information on a system or on just a few components of it.
There are also Trojan programs that perform both of these functions. Some Trojans can even destroy a system by damaging the information on the hard disk, but today Trojans of this kind are easily detected and rarely effective.
There are more serious cases, however, in which attackers create security holes through Trojans, obtain root privileges on the system, and abuse those privileges to destroy part or all of the system, or use root to alter log files and install further Trojan programs that the administrator cannot detect. The impact is very serious, and the administrator has no choice but to reinstall the whole system.
1.3. Security for LANs
When speaking of LAN security, the main concerns are usually the security of the data exchanged within the internal network, and the security of the data exchanged from the network to the outside and from the outside into the network: controlling illegal access from outside as well as unauthorized access from inside the network to the outside. With the rapid growth of the Internet and the connection of internal networks to it, ensuring network safety and security has become both more difficult and more necessary.
There are many methods of securing a LAN today; some common and reliable ones are:
1.3.1. Virtual Private Network (VPN)
A Virtual Private Network (VPN) is the extension of a company's or organization's private network over public or shared network connections such as the Internet. A VPN gives the customer all the features that a leased line provides, but at a lower cost because it uses the public network infrastructure.
A VPN uses a tunneling protocol to carry private traffic, together with security measures such as encryption and authentication to protect the data in transit.
1.3.2. Firewall
The term firewall originates from a construction technique used in buildings to stop or limit the spread of fire. In information networking, a firewall is a technique integrated into the network system to block unauthorized access, in order to protect internal information sources and to limit the entry of other unwanted information into the system. A firewall can also be understood as a mechanism that protects a trusted network from untrusted networks.
A firewall sits between the network of an organization, a company or a country (the intranet) and the Internet. Its role is to protect the intranet's information from the outside Internet world.
From my study I find that the firewall is the most effective and widespread method today, because it has many advantages and provides good security features for today's network-protection needs. Within the scope of this report I present the method of securing a LAN with a firewall.
Chapter 2: FIREWALL OVERVIEW
For protecting an internal network, the firewall is one of the most effective and widespread solutions today. It keeps internal networks free of unauthorized access from outside by controlling the information flowing in and out between the internal networks and the outside. In this chapter I give an overview of firewalls: the concept, the functions of a firewall, firewall classification, the advantages and disadvantages of each kind, the strategies for building a firewall, and an introduction to the packet-filtering mechanism.
2.1. Introduction to firewalls
2.1.1. The firewall concept
A firewall is a device that blocks illegitimate access from the external network into the internal network. A firewall system usually consists of both hardware and software. Firewalls are normally used in a blocking mode, or by creating rules for the various addresses.
2.1.2. Basic functions of a firewall
The main function of a firewall is to control the flow of information between the network to be protected (the trusted network) and the Internet, according to the access policies that have been set up.
- Allow or deny services accessed from inside to outside and from outside to inside.
- Control the accessing addresses and the services used.
- Control users' ability to access across the two networks.
- Control the content of the information transferred between the two networks.
- Prevent attacks from external networks.
Building a firewall is a fairly effective measure; it protects and controls most services, which is why it is the most widely applied of all network-protection measures.
2.1.3. Classification of firewalls
There are many kinds of firewall, each with its own advantages and disadvantages, but firewalls are normally divided into two main types:
Hardware firewalls
Software firewalls.
a. Hardware firewalls.
A hardware firewall is a hardware device with an integrated router; the packet filtering rules are set up directly on that router. Such a hardware firewall is like a computer that performs one single function, packet filtering, by running software that has been hard-wired into it: only the rule sets can be configured, while the router that is hard-wired and integrated inside cannot be changed. Depending on the kind of hardware firewall and on the vendor, the administrator is able to update different packet filtering rules.
In operation, the firewall uses the rules set up in the router to check the header information of the packet, such as the source IP address, the destination IP address, the port and so on. If all the information in the packet header is valid the packet is let through; if it is not valid the packet is discarded. Precisely because no time is spent processing packets with invalid addresses, the processing speed of a hardware firewall is very high, and this is the greatest advantage of a hardware firewall system.
One point worth noting is that none of the hardware firewalls in the world today can yet filter the content of a packet; they can only filter the information in the packet header.
Below is the model of using a hardware firewall to secure a network:
Model using a hardware firewall: (the firewall hardware device in this model has one single function, filtering packets, and cannot perform any other task)
Figure 1: Model using a hardware firewall.
In this model, information from the Internet cannot enter the protected network zone directly, nor the reverse; it must pass through the hardware firewall. The inspection process takes place, and if the information in the packet header, including the source IP address, the destination IP address, the port and so on, is accepted, the packet is forwarded into the inside network or out to the outside Internet.
Today there are some very well-known manufacturers of hardware firewalls, such as CISCO, D-LINK, PLANET...
b. Software firewalls
This kind of firewall is an application program whose operating principle is based on a proxy application, that is, software that forwards the packets the server receives to particular destinations on request. The packet filtering rules are set up by the user. This kind of firewall is usually used when a computer network has a server and all information passes through that server before being forwarded to the client machines in the network, or on a personal computer when it joins a network. This software firewall is very convenient in that the software can easily be changed to update to new versions.
The way this kind of firewall works is also very simple. The firewall software runs resident on the server or personal computer. That computer can take on many tasks besides being the firewall. Every time packets arrive or leave, the firewall software checks the packet header, including the destination address, source address, protocol, service port and so on. Newer software firewalls today can also inspect the content of the packet. The information the firewall checks is defined in advance by the user in the rule set. If the firewall software lets the packet through, it is then delivered to the client machines in the network or to the applications running directly on that machine.
Below is the model commonly used with a software firewall: (the computer used as the firewall can take on many different tasks besides being a firewall, for example DNS server, mail server, web server ...)
Figure 2: Model using a software firewall.
In this model the computer running the firewall application plays the role of an intermediary. It receives packets from the Internet and from the protected network, then checks the packet headers for information such as the destination address, source address, protocol and service port; if the firewall software accepts the packet, the packet continues on to its destination. Otherwise, if the packet is not accepted for forwarding, the firewall software decides to discard it. There are several ways to discard a packet, such as discarding it without telling the sending machine the reason (DROP), or discarding it but still replying to the sending machine with the reason (REJECT) ... It is precisely this handling of discarded packets that limits the speed of this kind of firewall.
Some widely used software firewalls that are rated highly for their packet filtering capability are ZoneAlarm Pro, SmoothWall, McAfee Personal Firewall Plus, Sygate Personal Firewall ...
c. Advantages and disadvantages of firewalls
Each kind of firewall has its advantages and disadvantages and is used in different situations. Hardware firewalls are usually used to secure large networks, because without a hardware firewall a software firewall system would be needed, meaning a server machine. That server would receive every packet, inspect it and then forward it to the machines in the network. Since a software firewall runs more slowly than a hardware firewall, this greatly affects the speed of the whole network system.
On the other hand, a software firewall system is usually used to secure personal computers or a small network. Using a software firewall system reduces cost, because a hardware firewall device is many times more expensive than a software firewall system. Moreover, when we use a software firewall system to secure a personal computer or a small-scale network, the effect on the speed of packet transfer in the network is negligible.
Another weakness of software firewalls is that each software firewall runs only on a particular operating system. For example ZoneAlarm Pro is a software firewall system that runs only on the Windows operating system, while SmoothWall can only run on the Linux operating system. A hardware firewall, on the other hand, runs completely independently, without depending on an operating system the way a software firewall does.
Software firewalls today can filter the content of packets, whereas a hardware firewall can only filter the information in the packet header and cannot control the main content of the packet. That is why a hardware firewall cannot help block system viruses, while a software firewall can.
2.1.4. Some other firewall systems
a. Packet-Filtering Router
The most common Internet firewall system consists of just a packet-filtering router placed between the internal network and the Internet. A packet-filtering router has two functions: forwarding traffic between the two networks, and using packet filtering rules to allow or deny traffic. Basically, the filtering rules are defined so that hosts on the internal network have the right to access the Internet directly, while hosts on the Internet have only a limited set of accesses to the computers on the internal network. The idea behind this firewall architecture is that anything not explicitly specified as allowed is denied.
Figure 3: Packet-Filtering Router (figure labels: Outside, The Internet, Packet filtering router, Internal network, Inside)
Advantages
Low cost (because the configuration is simple)
Transparent to users
Limitations
It has all the limitations of a packet-filtering router, such as vulnerability to attacks on filters whose configuration is imperfect, or to attacks tunnelled underneath the permitted services.
Because packets are exchanged directly between the two networks through the router, the exposure to attack is determined by the number of hosts and services that are permitted. Consequently, every host that is allowed direct access to the Internet needs to be provided with an elaborate authentication system and must be checked regularly by the network administrator for any signs of attack.
If the packet-filtering router stops working because of some fault, every system on the internal network can be attacked.
b. Screened Host Firewall
This system consists of a packet-filtering router and a bastion host. The screened host firewall provides a higher level of security than the packet-filtering router, because it performs security both at the network layer (packet filtering) and at the application level. At the same time, an attacker has to break through both layers of security to attack the internal network.
Figure 4: Screened Host Firewall (figure labels: The Internet, Outside, Packet filtering router, Inside, Information server, Bastion host, Internal network)
In this system the bastion host is configured on the internal network. The filtering rules on the packet-filtering router are defined so that all outside systems can only access the bastion host; traffic to all inside systems is blocked. Because the internal systems and the bastion host are on the same network, the organization's security policy decides whether the internal systems may access the Internet directly or must use the proxy services on the bastion host. Internal users are forced to do so by configuring the router's filter to accept only internal traffic originating from the bastion host.
Advantages
The server providing public information through the Web and FTP services can be placed on the packet-filtering router and the bastion. Where the highest level of safety is required, the bastion host can run proxy services that require all users, inside and outside, to pass through the bastion host before connecting to the server. Where high safety is not required, the internal machines can connect directly to the server.
If still higher security is needed, a dual-homed bastion host firewall system can be used. Such a bastion host has two network interfaces, but direct communication between those two interfaces, other than through the proxy service, is forbidden.
Figure 5: Dual-homed bastion host firewall system (figure labels: The Internet, Outside, Packet filtering router, Information server, Bastion host, Inside, Internal network)
Limitations
Because the bastion host is the only inside system reachable from the Internet, attacks are limited to the bastion host. However, if a user manages to log on to the bastion host, they can easily access the entire internal network. Therefore users must be prevented from logging on to the bastion host.
c. Demilitarized Zone (DMZ) or Screened-subnet Firewall
This system consists of two packet-filtering routers and a bastion host. This firewall system has the highest level of safety, because it provides both network-level and application-level security while defining a demilitarized network. The DMZ network acts as a small, isolated network placed between the Internet and the internal network. Basically, a DMZ is configured so that systems on the Internet and on the internal network can only access a limited number of systems on the DMZ network, and direct transmission across the DMZ network is not possible.
For incoming traffic, the outer router guards against standard attacks (such as IP address spoofing) and controls access to the DMZ. It allows outside systems to access only the bastion host, and possibly the information server. The inner router provides a second line of protection by controlling access from the DMZ to the internal network, allowing only traffic that originates from the bastion host.
For outgoing traffic, the inner router controls access from the internal network to the DMZ. It allows the inside systems to access only the bastion host and possibly the information server. The filtering rules on the outer router require the use of the proxy service by allowing only outgoing traffic that originates from the bastion host.
Figure 6: Screened-subnet Firewall (figure labels: The Internet, Outside, Packet filtering router, Inside, Information server, Bastion host, Outside router, Inside router, DMZ)
Advantages
An attacker has to break through three layers of protection: the outer router, the bastion host and the inner router.
Because the outer router advertises only the DMZ network to the Internet, the internal network is invisible. Only a few selected systems on the DMZ are known to the Internet, through the routing table and DNS information exchange (Domain Name Server).
Because the inner router advertises only the DMZ network to the internal network, the systems on the internal network cannot access the Internet directly. This ensures that inside users are forced to access the Internet through the proxy service.
2.2. Strategies for building a firewall
When studying firewalls in detail, we need to understand some basic strategies used to build a firewall.
2.2.1. Least Privilege
One of the most basic principles of security (not only of network security) is to grant the least privilege. Essentially, this principle means that any entity (user, administrator, program, system...) should have only those privileges it needs to carry out its tasks, and no more. Least privilege is an important principle for preventing outsiders from exploiting an intrusion and for limiting the damage an intrusion can cause.
2.2.2. Defense in Depth
Another principle of security is defense in depth. For any system, one should not install and rely on a single security mechanism, however strong it may be, but should install several security mechanisms so that they can back each other up. That is why a firewall is built as a mechanism with many layers of protection.
2.2.3. Choke Point
A choke point forces intruders to pass through a narrow gateway that we can monitor and control, just as anyone who wants to enter a theatre has to pass through the ticket gate.
In the network security mechanism, the firewall sits between our system and the Internet; it is a choke point. Anyone intending to break into the system from the Internet has to pass through this gateway, where we can monitor and manage them.
2.2.4. Weakest Link
When trying to break into a system, a cunning intruder usually looks for the weakest points and attacks there. Therefore, for each system we need to know its weakest point in order to have a plan to protect it. We usually pay more attention to intruders on the network than to those who physically approach the system, so physical security is considered the weakest point in every system.
2.2.5. Fail-Safe Stance
Another fundamental principle of security is failing safe; this means that if the system is failing, it should fail in a way that blocks unauthorized access rather than letting an intruder in to damage the system. Naturally, failing safe also cancels legitimate users' access until the system is restored.
Based on this principle, two basic rules are applied to security regulations and measures:
First, the default deny stance: focus on what is permitted and block everything else. Anything not explicitly stated may be forbidden.
Second, the default permit stance: focus on what is forbidden and allow everything else; whatever is not forbidden is permitted.
Most users and managers of the default permit stance consider that everything is permitted by default and that a number of troublesome, unclear services and actions are forbidden. For example:
NFS is not allowed through the firewall.
WWW access is restricted to specialists trained on the security issues of the WWW.
Users may not install unauthorized servers.
So which rule is better to apply? From the security point of view, the default deny stance should be used; from the managers' point of view, it is the default permit stance.
2.2.6. Universal participation
To achieve a high level of security, all systems on the network must take part in the security solution. If there is a system with a weak security mechanism, an unauthorized user can break into that system and from there access the other systems from the inside.
2.2.7. Diversity of defense
Because many different systems are used, we must have many protective measures to ensure the strategy of defense in depth. If all our systems were alike and someone knew how to break into one of them, they could break into all the rest as well. Using many different systems can limit the opportunities for security flaws to arise, and is safer. In return, we face problems of cost and complexity. Buying and installing many different systems is harder and more time-consuming than systems of the same kind. In addition, more support and training time for operating and administration staff is needed from the vendors.
2.2.8. Simplicity
Simple things are easy to understand. If we do not understand something clearly, we cannot know whether it is secure or not.
2.3. How to build a firewall
Building a firewall requires that the first step be planned in advance and that the steps be closely coordinated. To solve the biggest problem, successfully building a firewall that works effectively, we must build it step by step on a firm footing, minimizing the regrettable mistakes that can occur during construction.
2.3.1. Building the basic rules (Rule Base)
For a firewall to be built successfully, it has to follow a certain set of basic rules (the rule base). When an IP packet passes through the firewall, the firewall relies on these basic rules to analyze and filter the packet. Therefore we must write rules that are really simple, short and easy to understand, so as to speed up packet processing in the firewall and avoid congestion, and at the same time make changing and maintaining the system much easier. Normally we should use no more than 30 basic rules and never more than 50, because using too many makes packet filtering slower and also makes errors more likely, since rules may overlap one another.
2.3.2. Building the security policy
A firewall must have security policies; in essence the firewall is only a tool for enforcing security policies. Managing and building the security policy rigorously is what gives the firewall its strength. So before we build the basic rules we must understand what the security policy of the firewall to be built is.
At the same time, the security policies must be built to be relatively simple and easy to understand; they should not be over-complicated, which leads to overlap and confusion, whereas simple policies are easy to check and maintain. We can set out some very simple security policies as follows:
Machines on the internal network may access the Internet without restriction.
Access to the internal network's Web and mail servers from the Internet is allowed.
All information entering the internal network must be authenticated and encrypted.
From very simple policies like the example above, we can develop far more effective and complex operating policies, for example restricting the internal network to limited Internet use with just a few basic services such as mail and HTTP, while completely forbidding the FTP file transfer service, and so on.
2.3.3. Building the secure architecture
The steps to take when building a secure architecture:
First, we allow all machines on the internal network to access the Internet.
Next, we install the parts holding information that does not need protection (for example the Web server and mail server) in a zone technically called the demilitarized zone (DMZ). The DMZ is a separate network where we place the systems we do not fully trust (since they can be reached from the Internet, they cannot be trusted). Therefore the systems in the DMZ never connect directly to the inside network as long as they are not trusted. There are two kinds of DMZ: the protected DMZ and the unprotected DMZ. A protected DMZ is a separate segment split off on the outside of the firewall. An unprotected DMZ is the network segment between the router and the firewall. We should use the protected kind of DMZ, and that is where we usually place both the Web server and the mail server.
The only way into the internal network must be through the control of the network administrator (remote networking may also be allowed).
Another thing to mention is DNS (Domain Name Server). We will have to split DNS into several parts. Splitting DNS into several parts means dividing the DNS operations between two different DNS servers. We do this so that one DNS server takes care of resolving the company's domain name information for the outside network, while an inside DNS server resolves the inside network's queries. The outside DNS server sits in the protected DMZ together with the Web and mail servers. The inside DNS server sits on the inside network; this keeps the domain name information of the internal network from being disclosed. Because a DNS server holds information about the layout of the inside network, we must place it under protection to avoid leaking the network map.
2.3.4. Sequence of the rules in the table (Sequence of Rules Base)
Before we build the basic rules, what we need to pay attention to is the order of the rules (also called the rank of the rules), among which there is one special rule that plays the key role in our firewall security policy. Many rules have a similar rank but still have to be placed in a before/after order, and that order changes the basic way the firewall works. Most firewalls check packets sequentially and continuously. When the firewall receives a packet, it checks whether the packet matches any rule in the rule base by examining the first rule, then the second, until some rule matches; at that point it stops checking and carries out that rule. If the packet has been compared with all the rules in the table and none matches, the packet is rejected (filtered out). The key issue is to find the first matching rule in the rule base for the packet early, so that it can pass through quickly. Once this is clearly understood, we should place the special rules first and only then the ordinary rules. This prevents the situation where an ordinary rule lets the packet through while a special-case rule would not, which causes overlap. So we must always take care to place the special rules first and the ordinary rules after them. This principle must be followed to avoid misconfiguration, to help the firewall work effectively, and to make upgrading, maintenance and changes easy.
2.3.5. The basic rules (Rules Base)
Default properties (the default rules): all of these cases must be excluded, and we must be certain that no packet whatsoever can pass, no matter what packet it is.
Internal Outbound (from the inside network to the outside): the first step is to allow traffic from inside to outside without any restriction, and all the basic services such as Web, mail, FTP and so on are allowed.
Lockdown (): restrict everything so that no intrusion into our firewall is allowed. This is a standard rule that the rule base must have. No intrusion into the firewall is allowed, yet we do need firewall administrators (Firewall Admins).
Admin Access (): nobody can connect to the firewall, including the admin, so we must also create a rule allowing the admin to access the firewall.
Drop All (): normally we discard every packet that does not match any rule. But we should write such packets to a log, and we add this rule at the end of the list of rules. This is a standard rule we should have.
No Logging (): normally there are a great many packets sent to all addresses on the network (e.g. advertising). When they reach the firewall they are discarded and then written to the log, but this quickly fills up the log. So we must create a rule such that when we discard such a packet, it is not written to the log. This is also a basic rule we sometimes have to use.
DNS Access (): the model of the components of the firewall.
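As an added example (not code from the thesis), the rules base above rendered as an ordered iptables script in POSIX shell, with each specific exception placed before the catch-all of its chain as section 2.3.4 requires. The interfaces and addresses (eth0 towards the Internet, eth1 towards the LAN 10.0.0.0/24, the administrator's workstation 10.0.0.5, the internal DNS server 10.0.0.2) are constructed assumptions. The functions only print the commands, so the order can be checked before anything is applied:

```bash
#!/bin/sh
# Added example, not code from the thesis: the "rules base" of section 2.3.5
# as an ordered iptables script, in the order section 2.3.4 requires
# (specific exceptions before the catch-all that would otherwise swallow them).
# Nothing here touches the running kernel: the functions only PRINT commands,
# so the ruleset can be reviewed and then piped to sh as root.
# Assumed (constructed) topology: eth0 faces the Internet, eth1 the LAN
# 10.0.0.0/24; 10.0.0.5 is the administrator's workstation and 10.0.0.2 the
# internal DNS server.

WAN_IF=eth0
LAN_IF=eth1
LAN_NET=10.0.0.0/24
ADMIN_HOST=10.0.0.5
DNS_SERVER=10.0.0.2

build_ruleset() {
    # Default properties: flush, then make every built-in chain drop by default,
    # so only traffic named by a later rule can pass at all.
    echo "iptables -F"
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT DROP"
    # Replies to connections that were already accepted (session tracking).
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Admin access: the single exception to the lockdown below. Because the
    # first matching rule wins, it MUST precede the lockdown, or the admin is
    # locked out together with everybody else.
    echo "iptables -A INPUT -i $LAN_IF -s $ADMIN_HOST -p tcp --dport 22 -m state --state NEW -j ACCEPT"
    # DNS access: the firewall itself may query the internal resolver.
    echo "iptables -A OUTPUT -o $LAN_IF -d $DNS_SERVER -p udp --dport 53 -j ACCEPT"
    # Internal outbound: LAN hosts may open connections to the outside.
    echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m state --state NEW -j ACCEPT"
    # No logging: broadcast noise is dropped silently so the log does not fill.
    echo "iptables -A INPUT -m addrtype --dst-type BROADCAST -j DROP"
    # Lockdown: everything else aimed at the firewall itself is logged and dropped.
    echo "iptables -A INPUT -j LOG --log-prefix \"FW-LOCKDOWN: \""
    echo "iptables -A INPUT -j DROP"
    # Drop all: the same logged catch-all at the end of the other chains.
    echo "iptables -A FORWARD -j LOG --log-prefix \"FW-DROP: \""
    echo "iptables -A FORWARD -j DROP"
    echo "iptables -A OUTPUT -j LOG --log-prefix \"FW-DROP: \""
    echo "iptables -A OUTPUT -j DROP"
}

# rule_index PATTERN: the position (line number) of the first rule whose text
# matches PATTERN, empty if there is none.
rule_index() {
    build_ruleset | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

# check_order: succeeds only if every specific exception is evaluated before
# the catch-all of its chain, which is the ordering rule of section 2.3.4.
check_order() {
    admin=$(rule_index 'dport 22')
    lock=$(rule_index 'FW-LOCKDOWN')
    outbound=$(rule_index "FORWARD -i $LAN_IF")
    fwd_drop=$(rule_index 'FW-DROP')
    [ -n "$admin" ] && [ -n "$lock" ] && [ "$admin" -lt "$lock" ] &&
    [ -n "$outbound" ] && [ -n "$fwd_drop" ] && [ "$outbound" -lt "$fwd_drop" ]
}

# Print the script for review; pipe it to sh as root only after check_order passes.
if check_order; then
    build_ruleset
else
    echo "ordering error: a catch-all precedes one of its exceptions" >&2
fi
```

Swapping the admin rule and the lockdown pair in build_ruleset makes check_order fail, which is exactly the misconfiguration section 2.3.4 warns about: the lockdown would match first and the admin's SSH connection would be logged and dropped.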
2.4. Packet filtering and how it works
When we speak of transferring data between networks through a firewall, it means that the firewall works in close combination with the TCP/IP protocol, and this protocol works by an algorithm that splits the data received from the applications on the network. That is:
Data received from services running over the common network protocols (for example telnet, SMTP, DNS, SNMP, ...) is divided into data packets.
These packets are tagged with addresses and with the information needed to receive them and reassemble them into the original data. This is why firewalls are so closely involved with packets and their addresses; below we examine what packet filtering is and how its mechanism works.
2.4.1. Packet filtering
A packet filter has the function of checking the addressing identity of a packet in order to decide whether it may be allowed through the firewall. The information that can be filtered on in a packet includes:
the address of origin, also called the source address (source IP address);
the address of the receiver, also called the destination address (destination IP address);
the port number of the origin (source port);
the port number of the receiver (destination port).
Thanks to this the firewall can block connections from the outside network to the internal servers, or into the internal network, from addresses that are not allowed.
Furthermore, controlling the ports lets the firewall allow only certain kinds of connection to a predetermined server that serves the particular services (Telnet, SMTP, mail) permitted for use on the internal network.
2.4.2. Application Gateway
The application gateway is designed to strengthen control over the kinds of service and protocol allowed to access the network system. Its mechanism is based on what is called a proxy service.
A proxy service works as follows: an application that is referred to (or represented by) a proxy service running on the server systems is referred to the firewall's application gateway. The filtering mechanism of packet filtering, combined with the proxy mechanism of the application gateway, gives the firewall a safer capability for exchanging information with the outside network. For example, a network system with a packet filtering function blocks Telnet connections into the system except for one single port, the Telnet application gateway, which is allowed. A Telnet user who wants to connect into the system has to carry out the following steps:
Telnet to the Telnet application gateway and give the name of the inside server to be accessed.
The gateway checks the source IP address of the user and allows or refuses the connection according to the system's security mode.
The user must pass the authentication check.
The proxy service relays the traffic between the user and the server.
This mechanism is significant in the design of system security. It can provide many capabilities, for example:
Hiding information: users can directly see only the gateways that are permitted.
Strengthening access checks with authentication services.
Significantly reducing the cost of developing authentication management systems, since these systems are designed to refer only to the application gateway.
Minimizing the control rules of the packet filter, which significantly increases the firewall's operating speed.
2.4.3. Smart Session Filtering
The combined operation of the packet filter and the application gateway described above provides a high level of security, but it also has some limitations. The main problem today is how to provide enough proxy services for the great many different applications being developed at a rapid pace. This means that the risk and pressure of the firewall being fooled grow very large if the proxies cannot keep up.
When packets are monitored at the higher levels, if the network layer demands a lot of effort just to filter simple packets, then monitoring the traffic transactions at the network level (sessions) demands less work. This approach also does away with the need for a specific service for each kind of application.
The mechanism of the smart session filter is precisely the combination of the ability to record information about sessions and to use it to create rules for the filter. Note that a session at the network level is formed by two packet flows in two directions:
one controls the packets flowing from the host that originated them to the destination server;
one controls the packets returning from the server that was addressed.
A smart filter recognizes that the returning packet travels in the reverse direction, so the second rule is unnecessary. Therefore the way unwanted packets originating outside the firewall are received differs very clearly from the way packets belonging to permitted (outbound) connections are received, and illegitimate packets are easily recognized.
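An added example (not the thesis's code) that puts sections 2.4.1 and 2.4.3 side by side in POSIX shell: a first-match filter over a constructed rule base, plus a session table that lets replies to LAN-initiated connections back in without a second rule. The rule base, addresses and ports are constructed for the demonstration, and the session file stands in for a connection tracking table:

```bash
#!/bin/sh
# Added example, not code from the thesis: a toy first-match packet filter
# with a session table, modelling section 2.4.1 (stateless filtering on
# protocol, addresses and ports) and section 2.4.3 (accepting replies to
# sessions opened from inside without needing a second rule).
# Every address, port and rule below is constructed for the demonstration.

# Rule base, one rule per line: action proto src dst dport.
# Fields are shell glob patterns: '*' means any, '10.0.0.*' means the LAN.
# Specific rules sit above general ones (section 2.3.4); the last line is the
# default-deny catch-all of the fail-safe stance (section 2.2.5).
RULES='accept tcp 10.0.0.5 192.0.2.1 22
deny   tcp *        192.0.2.1 22
accept tcp 10.0.0.* *         80
accept udp 10.0.0.* 10.0.0.2  53
deny   *   *        *         *'

LAN_PATTERN='10.0.0.*'
# File recording sessions opened from the LAN (stands in for a conntrack table).
SESSION_DB="${TMPDIR:-/tmp}/fw_sessions.$$"
: > "$SESSION_DB"

# field_matches VALUE PATTERN: true if VALUE matches the glob PATTERN.
field_matches() {
    case "$1" in
        $2) return 0 ;;
    esac
    return 1
}

# stateless_decision PROTO SRC DST DPORT: prints the action of the first rule
# that matches, or "deny" if no rule matched at all.
stateless_decision() {
    while read -r action proto src dst dport; do
        [ -z "$action" ] && continue
        field_matches "$1" "$proto" || continue
        field_matches "$2" "$src"   || continue
        field_matches "$3" "$dst"   || continue
        field_matches "$4" "$dport" || continue
        echo "$action"
        return 0
    done <<EOF
$RULES
EOF
    echo deny
}

# stateful_decision PROTO SRC DST SPORT DPORT: prints "accept" or "deny".
# A reply to a recorded session is accepted without consulting the rules;
# otherwise the rule base decides, and an accepted new connection from the
# LAN is recorded so that its reply can come back.
stateful_decision() {
    proto=$1 src=$2 dst=$3 sport=$4 dport=$5
    # A session is recorded as "proto src dst sport dport" from the LAN side,
    # so its reply shows up with both endpoints swapped.
    if grep -qxF "$proto $dst $src $dport $sport" "$SESSION_DB"; then
        echo accept
        return 0
    fi
    verdict=$(stateless_decision "$proto" "$src" "$dst" "$dport")
    if [ "$verdict" = accept ] && field_matches "$src" "$LAN_PATTERN"; then
        echo "$proto $src $dst $sport $dport" >> "$SESSION_DB"
    fi
    echo "$verdict"
}

# Demonstration with constructed packets (proto src dst sport dport):
# an outbound web request, its reply, an unsolicited packet from the same
# server, and a non-admin LAN host trying the admin-only SSH rule.
for pkt in \
    "tcp 10.0.0.9 203.0.113.7 40001 80" \
    "tcp 203.0.113.7 10.0.0.9 80 40001" \
    "tcp 203.0.113.7 10.0.0.9 80 40002" \
    "tcp 10.0.0.9 192.0.2.1 40003 22"
do
    set -- $pkt
    echo "$pkt -> $(stateful_decision "$@")"
done
```

The third packet is the case section 2.4.3 singles out: it looks like a server reply, but no LAN host opened that session, so it falls through to the rule base and is denied, while the genuine reply on port 40001 is accepted without any rule mentioning 203.0.113.7.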
2.4.4. Hybrid Firewall
In practice, the firewalls that are built combine many techniques to produce maximum security. For example, the checks of the packet filter may be repeated in the smart session filter at the application level, and the filter's monitoring is duplicated more strictly by the proxy services of the application gateway.
2.5. Conclusion
Firewall systems are set up to secure the network by controlling the headers of packets. But to use a firewall to secure the network effectively, the system administrator needs a deep understanding of destination IP addresses, source IP addresses, service ports and network protocols (TCP, UDP, SMTP), and in particular needs tools that help configure the firewall system effectively. In the next chapter I present the Iptables firewall tool, integrated into the open-source Linux operating system, for protecting the internal network.
Chapter 3:
UNDERSTANDING IPTABLES IN THE LINUX OPERATING SYSTEM
Today there are many firewall programs implemented on operating systems such as Windows NT, Linux and Solaris. But on the open-source Linux operating system, this new version of the iptables firewall is truly a powerful tool for securing the network. The network administrator can use it with many useful options. However, because the program has so many parameters, using it requires the user to have in-depth knowledge of computer networks; people with little networking knowledge who do not know the program's parameters cannot use the iptables tool.
Within the scope of this thesis I study the iptables firewall tool on Linux for controlling users on the internal network so that they are allowed to send any access request over any protocol from inside the machine to the outside, while any access request over any protocol from outside is blocked. Moreover, as we know, while a machine runs Linux there are a number of services listening (LISTEN). These services serve only you, and you do not want anyone from the Internet to access them. So we have to build rules that specify: when packets enter (INPUT) the firewall, the firewall checks whether there is a suitable INPUT rule allowing the packet in; if not, the firewall blocks it according to the default policy.
This increases security and flexibility for the computer network administrator.
In this chapter I give an overview of the iptables firewall tool and examine some basic rule sets in iptables:
3.1. The iptables firewall on Red Hat
Linux kernel version 2.4.x was released with many new features that make Linux work more reliably and support more devices. One of its new features is support for Netfilter iptables right in the kernel, which handles packets more efficiently than the earlier applications ipfwadm in kernel 2.0 and ipchains in kernel 2.2, while still supporting the old command sets. Setting up a packet filtering firewall with ipfwadm or ipchains had many limitations: it lacked the integration needed to extend its features, and packet filtering for ordinary protocols and network address translation (NAT) were carried out completely separately, with no way of combining them. Netfilter and iptables on kernel 2.4 resolve these limitations well and add many other features that ipfwadm and ipchains lack.
3.1.1. Introduction to iptables
On Linux there are very many firewalls. Among them, two firewalls that are configured and operated from the console, very small and convenient, are iptables and ipchains.
a. Netfilter/iptables
Introduction
Iptables was written by the Netfilter organization to strengthen security on Linux systems.
Figure 7: The iptables firewall in Linux.
Iptables is a very powerful packet-filtering firewall application, available inside the Linux 2.4.x and 2.6.x kernels. Netfilter/iptables consists of two parts: Netfilter inside the Linux kernel and iptables outside the kernel. Iptables is responsible for the interface between the user and Netfilter, pushing the user's rules into Netfilter for processing. Netfilter filters packets at the IP level. Netfilter works directly in the kernel, is fast and does not slow the system down. It was designed to replace ipchains of Linux 2.2.x and ipfwadm of Linux 2.0.x; it has more features than ipchains and is built more sensibly, with the following points:
What can Netfilter/iptables do?
Build a firewall based on stateless and stateful packet filtering.
Use the NAT table and masquerading to share network access when there are not enough network addresses.
Use the NAT table to set up a transparent proxy.
Help the iproute2 tool set create complex routing policies and QoS.
Change (mangle) the TOS/DSCP/ECN bits of the IP header.
Track connections and check many states of a packet. It does this for UDP and ICMP, and best of all for TCP connections; for example, full stateful filtering of ICMP only allows an echo reply when an echo request was sent out, instead of blocking requests while still accepting replies on the assumption that they always answer a ping. An unsolicited reply can be a sign of an attack or of a backdoor.
Simple handling of packets agreed in the chains (lists of rules) INPUT, OUTPUT and FORWARD. On hosts with several network interfaces, packets moving between interfaces traverse only the FORWARD chain rather than all three chains.
A clear distinction between packet filtering and NAT (Network Address Translation).
The ability to rate-limit connections and to log. You can limit connections and log them to guard against denial of service attacks.
The ability to filter on TCP flags and on physical addresses.
It is a firewall with many states, so it can track a connection throughout, and is therefore safer than a firewall with fewer states.
Iptables includes 4 tables, each with a default policy and the rules in its built-in chains.
b. Ipchains
One of the programs Linux uses to configure the kernel's NAT table is ipchains. Inside the ipchains program there are 2 main scripts used to simplify the administration of ipchains.
Ipchains is used to set up, maintain and inspect the rules of the IP firewall in the Linux kernel. These rules can be divided into different groups of rule chains:
the IP input chain (the rule chain applied to packets arriving at the firewall);
the IP output chain (the rule chain applied to packets generated locally on the firewall and leaving the firewall);
IP forwarding chain (applied to packets forwarded through the firewall to another host or network), plus the chains defined by the user (user-defined chains).
Ipchains uses the notion of a rule chain to process packets. A chain is a list of rules that process packets of one kind: arriving, forwarded or outgoing. Each rule states which action is applied to the packet. The rules stored in the NAT table are pairs of IP addresses rather than individual IP addresses.
A firewall rule specifies the packet criteria and a target. If the packet does not match, the next rule is examined; if it matches, the rule's target decides what happens to the packet. The target can be a user-defined chain or one of the following specific values: ACCEPT, DENY, REJECT, MASQ, REDIRECT or RETURN.
ACCEPT: let the packet through.
DENY: discard the packet without sending any notification to the client.
REJECT: like DENY, but the client is told that the packet was discarded.
MASQ: valid only in the forward chain and in user-defined chains, and only when the kernel was compiled with CONFIG_IP_MASQUERADE. Packets are masqueraded as if they originated from the local host; moreover, reply packets are recognised and demasqueraded automatically, bypassing the forwarding chain.
REDIRECT: valid only in the input chain and in user-defined chains, and only when the Linux kernel was compiled with CONFIG_IP_TRANSPARENT_PROXY defined. Packets are diverted to a local socket even though they were sent to a remote host.
Some commonly used command forms:
ipchains -[ADC] chain rule-specification [options]
ipchains -[RI] chain rulenum rule-specification [options]
ipchains -D chain rulenum [options]
ipchains -[LFZNX] [chain] [options]
ipchains -P chain target [options]
ipchains -M [ -L | -S ] [options]
3.1.2. How a packet travels through Netfilter
A packet travels over the cable and enters a network card (for example eth0). It first passes through the PREROUTING chain (before routing). Here the packet may have its parameters altered (mangle) or its destination IP address changed (DNAT). A packet addressed to this host then passes through the INPUT chain, where it can be accepted or discarded. Next the packet is handed to the applications (client/server) for processing, and what they send passes through the OUTPUT chain. In the OUTPUT chain the packet may have its parameters altered and is filtered: accepted out or discarded. A packet being forwarded through the host goes from the PREROUTING chain to the FORWARD chain, where it is likewise filtered with ACCEPT or DENY (DROP in iptables terms). After the FORWARD or OUTPUT chain the packet reaches the POSTROUTING chain (after routing), where its source IP address may be changed (SNAT) or MASQUERADEd. After leaving the network card the packet is sent over the cable to another computer on the network.
3.1.3. Structure of Iptables
Iptables is divided into 4 tables:
The filter table is used to filter packets.
The nat table is used to handle packets that need source NAT or destination NAT.
The mangle table is used to alter the parameters in an IP packet.
The conntrack table is used to track connections.
Each table consists of several chains. A chain consists of several rules that act on packets. A rule's verdict can be ACCEPT (accept the packet), DROP (discard the packet), REJECT (refuse the packet) or a reference to another chain.
3.1.4. Installing iptables
Iptables is installed by default on Linux systems. The iptables package is iptables-version.rpm or iptables-version.tgz, and it can be installed with:
$ rpm -ivh iptables-version.rpm (on Red Hat)
$ apt-get install iptables (on Debian)
Start iptables: service iptables start
Stop iptables: service iptables stop
Restart iptables: service iptables restart
Check the status of iptables: service iptables status
3.2. Common command-line parameters
3.2.1 Getting help
For help on Iptables, type $ man iptables or $ iptables --help. For example, to see the options of the limit match, type $ iptables -m limit --help.
3.2.2 Options that specify parameters
Specify the table: -t, for example -t filter, -t nat, ...; if no table is given, the default is filter.
Specify the protocol: -p, for example -p tcp, -p udp, or -p ! udp to match every protocol except udp.
Specify the incoming network interface: -i, for example -i eth0, -i lo.
Specify the outgoing network interface: -o, for example -o eth0, -o ppp0.
Specify the source IP address: -s, for example -s 192.168.0.0/24 (the 192.168.0 network with a 24-bit netmask), -s 192.168.0.1-192.168.0.3 (the addresses 192.168.0.1, 192.168.0.2 and 192.168.0.3).
Specify the destination IP address: -d, used like -s.
Specify the source port: --sport, for example --sport 21 (port 21), --sport 22:88 (ports 22 to 88), --sport :80 (ports up to 80), --sport 22: (ports from 22 upward).
Specify the destination port: --dport, used like --sport.
3.2.3. Options that operate on chains
Create a new chain: iptables -N
Delete a chain that was created with -N: iptables -X
Set the policy of the built-in chains (INPUT, OUTPUT and FORWARD): iptables -P, for example iptables -P INPUT ACCEPT accepts the packets entering the INPUT chain.
List the rules in a chain: iptables -L
Delete all the rules in a chain (flush the chain): iptables -F
Reset the packet counters to zero: iptables -Z
3.2.4. Options that operate on rules
Append a rule: -A (append)
Delete a rule: -D (delete)
Replace a rule: -R (replace)
Insert a rule: -I (insert)
3.2.5 The difference between ACCEPT, DROP and REJECT
ACCEPT: accept the packet.
DROP: discard the packet (no reply is sent to the client).
REJECT: refuse the packet (the client is answered with a different packet).
Some examples:
# iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
Accept packets arriving on port 80 on interface eth0 (the --dport match requires -p tcp or -p udp).
# iptables -A INPUT -i eth0 -p tcp --dport 23 -j DROP
Discard packets arriving on TCP port 23 on interface eth0.
# iptables -A INPUT -i eth1 -p tcp -m iprange ! --src-range 10.0.0.1-10.0.0.5 --dport 22 -j REJECT --reject-with tcp-reset
Send a TCP packet with the RST flag set (RST=1) to connections on port 22, interface eth1, that do not come from the address range 10.0.0.1 to 10.0.0.5 (an address range is matched with -m iprange; plain -s takes one address or a network prefix).
# iptables -A INPUT -p udp --dport 139 -j REJECT --reject-with icmp-port-unreachable
Send an ICMP `port-unreachable` message to connections arriving on UDP port 139.
3.2.6 The difference between NEW, ESTABLISHED and RELATED
NEW: the packet opens a new connection.
ESTABLISHED: the packet belongs to a connection that is already established.
RELATED: the packet opens a new connection related to an existing one.
Some examples:
# iptables -P INPUT DROP
Set the policy of the INPUT chain to DROP.
# iptables -A INPUT -p tcp --syn -m state --state NEW -j ACCEPT
Accept only TCP packets that open a connection with SYN=1.
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Do not cut connections that are already established, and also allow new connections opened within an established one.
# iptables -A INPUT -p tcp -j DROP
All remaining TCP packets are dropped.
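The following model is an added example, not code from the thesis. It illustrates two things the text describes: the first-match evaluation of a chain with a fallback policy (3.1.2 and 3.1.3), and the NEW / ESTABLISHED / RELATED classification of 3.2.6, by replaying the four commands above against constructed traffic. The conntrack table is simplified: a packet that is accepted as NEW creates the entry, and an ICMP error carries its related flow key explicitly instead of being parsed from the ICMP payload. The firewall address 10.0.0.1 and the client addresses are constructed.

```python
"""Constructed model of how an iptables filter chain decides a packet's fate."""
from dataclasses import dataclass, field
from typing import Callable, Optional

ACCEPT, DROP, REJECT = "ACCEPT", "DROP", "REJECT"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    syn: bool = False          # TCP SYN flag
    ack: bool = False          # TCP ACK flag
    # Simplification: real conntrack reads the original flow out of the ICMP
    # error payload; here the related flow key is supplied explicitly.
    related_to: Optional[tuple] = None


class Conntrack:
    """Remembers accepted flows, like ip_conntrack, so their replies are ESTABLISHED."""

    def __init__(self) -> None:
        self.flows: set = set()

    @staticmethod
    def key(p: Packet) -> tuple:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def reverse_key(p: Packet) -> tuple:
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def state(self, p: Packet) -> str:
        if self.key(p) in self.flows or self.reverse_key(p) in self.flows:
            return "ESTABLISHED"
        if p.related_to is not None and p.related_to in self.flows:
            return "RELATED"
        return "NEW"

    def confirm(self, p: Packet) -> None:
        self.flows.add(self.key(p))


@dataclass
class Rule:
    match: Callable[[Packet, str], bool]   # (packet, conntrack state) -> matched?
    target: str


@dataclass
class Chain:
    policy: str
    rules: list = field(default_factory=list)


def evaluate(chain: Chain, p: Packet, ct: Conntrack) -> str:
    """First matching rule wins; otherwise the chain policy is the verdict."""
    state = ct.state(p)
    verdict = chain.policy
    for rule in chain.rules:
        if rule.match(p, state):
            verdict = rule.target
            break
    if verdict == ACCEPT and state == "NEW":
        ct.confirm(p)          # an accepted NEW packet creates the conntrack entry
    return verdict


def example_input_chain() -> Chain:
    """The four commands of section 3.2.6 expressed as rules (policy DROP)."""
    def is_syn(p: Packet) -> bool:     # --syn: SYN set, ACK clear
        return p.proto == "tcp" and p.syn and not p.ack

    return Chain(policy=DROP, rules=[
        Rule(lambda p, s: is_syn(p) and s == "NEW", ACCEPT),          # --syn NEW
        Rule(lambda p, s: s in ("ESTABLISHED", "RELATED"), ACCEPT),   # ESTABLISHED,RELATED
        Rule(lambda p, s: p.proto == "tcp", DROP),                    # -p tcp -j DROP
    ])


def run_scenario() -> list:
    """Constructed traffic against the chain; returns the verdict per packet."""
    ct, chain = Conntrack(), example_input_chain()
    fw = "10.0.0.1"    # constructed: the firewall's own address
    packets = [
        # 1. a client opens a connection to port 22: SYN, NEW -> ACCEPT (rule 1)
        Packet("10.0.0.7", fw, "tcp", 40000, 22, syn=True),
        # 2. the next packet of that connection: ESTABLISHED -> ACCEPT (rule 2)
        Packet("10.0.0.7", fw, "tcp", 40000, 22, ack=True),
        # 3. an ACK with no prior SYN (stray packet or scan): NEW but not --syn -> DROP (rule 3)
        Packet("10.0.0.9", fw, "tcp", 40001, 22, ack=True),
        # 4. unsolicited UDP: NEW and no rule matches -> chain policy DROP
        Packet("10.0.0.9", fw, "udp", 5000, 53),
        # 5. an ICMP error about connection 1 -> RELATED -> ACCEPT (rule 2)
        Packet("10.0.0.250", fw, "icmp", related_to=("tcp", "10.0.0.7", 40000, fw, 22)),
    ]
    return [evaluate(chain, p, ct) for p in packets]


if __name__ == "__main__":
    print(run_scenario())   # ['ACCEPT', 'ACCEPT', 'DROP', 'DROP', 'ACCEPT']
```

Packet 3 is the case the `--syn` restriction exists for: without it, a bare ACK that conntrack has never seen would still be classified NEW and accepted by the first rule.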
3.2.7 The --limit and --limit-burst options
--limit-burst: the burst ceiling, measured in packets.
--limit: the rate allowed once the burst ceiling is reached, measured in packets per s (second), m (minute), h (hour) or d (day).
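The limit match is a token bucket, which the two options above describe only loosely. The model below is an added example, not code from the thesis: the bucket holds at most `burst` tokens and starts full, refills at the `--limit` rate, and a packet matches only while a whole token is available. Packets that do not match simply fall through to the next rule, which is why the match is normally placed in front of a LOG or ACCEPT rule to cap a flood. The packet timings are constructed; exact fractions are used so the refill arithmetic has no floating-point drift.

```python
"""Constructed token-bucket model of the iptables limit match (--limit, --limit-burst)."""
from fractions import Fraction

SECONDS = {"s": 1, "second": 1, "m": 60, "minute": 60,
           "h": 3600, "hour": 3600, "d": 86400, "day": 86400}


def parse_limit(spec: str) -> Fraction:
    """'3/minute' -> 1/20 tokens per second."""
    count, sep, unit = spec.partition("/")
    if not sep or unit not in SECONDS:
        raise ValueError(f"bad --limit value: {spec!r}")
    return Fraction(int(count), SECONDS[unit])


class LimitMatch:
    def __init__(self, limit: str, burst: int) -> None:
        self.rate = parse_limit(limit)
        self.burst = burst
        self.tokens = Fraction(burst)      # starts full, like the kernel's credit
        self.last = None

    def match(self, now) -> bool:
        """Refill for the time elapsed since the last packet, then try to spend one token."""
        now = Fraction(now)
        if self.last is not None:
            self.tokens = min(Fraction(self.burst),
                              self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def simulate(limit: str, burst: int, arrivals) -> list:
    """Apply one limit match to a sequence of arrival times; True = rule matched."""
    m = LimitMatch(limit, burst)
    return [m.match(t) for t in arrivals]


def syn_flood_example():
    """Constructed: 20 packets 10 ms apart (a flood), then one 5 s later,
    against -m limit --limit 1/second --limit-burst 5."""
    arrivals = [Fraction(i, 100) for i in range(20)] + [Fraction(5)]
    verdicts = simulate("1/second", 5, arrivals)
    # only the first 5 of the flood match; after 5 quiet seconds the bucket is full again
    return sum(verdicts[:20]), verdicts[20]     # (5, True)


def steady_rate_example():
    """Constructed: one packet every 10 s for two minutes against
    --limit 3/minute --limit-burst 3; after the burst only 3 per minute match."""
    verdicts = simulate("3/minute", 3, range(0, 120, 10))
    return verdicts.count(True)                 # 8
```

Used with a LOG rule, `syn_flood_example` shows the effect the text aims at: the log receives the first few packets of a burst and then at most one line per second, however large the flood.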
3.3. Introduction to the NAT table (Network Address Translation)
One problem today is the scarcity of IP addresses: an organisation may have many computers but be allocated only a single IP address. How, then, can every computer in the organisation reach the Internet through that one address? There is a mechanism for this: NAT (Network Address Translation).
3.3.1. Basic NAT concepts
NAT is used when a network that has its own private addressing needs to connect to the Internet (connecting to the Internet requires a public address).
Public addresses used on the Internet are unique and are normally assigned by Internet Service Providers (ISPs); they are also called valid IP addresses. Private addresses are used inside the local network (LAN). These addresses need not be obtained from a provider; they can be assigned by the local network administrator. Private addresses, however, are never used on the Internet.
NAT lets you reach the Internet while you are using private addresses. This works because NAT converts between the two kinds of address, whatever the size of your internal network, even when the ISP provides you with only one public address.
NAT rewrites the source address, so that traffic leaving the internal network uses a public address on the Internet. Looking in from the Internet, one cannot learn the private address of a machine, only the public address of the internal network. NAT tells the machines of the internal network apart by their service port numbers.
With these characteristics, NAT has the following advantages:
It hides the addresses of the internal network from the outside.
When connecting to the Internet it saves public (Internet) addresses.
It supports load balancing and can spread traffic across several servers inside the internal network.
Key distribution can be kept confidential.
If the Internet address changes, the individual machines need not be reconfigured, which is very convenient for the administrator.
It reduces investment costs.
Alongside these advantages it also has unavoidable drawbacks:
Processing is slower, because every packet must be re-parsed and its addresses rewritten and recomputed.
Congestion occurs easily when too much traffic passes through at the same time.
We now look at some of the address translation methods used by NAT.
3.3.2. Dynamic IP address translation (Dynamic NAT)
Dynamic NAT is one of the NAT (Network Address Translation) techniques. Internal IP addresses are translated to NAT addresses as follows:
Figure 8: Dynamic IP address translation.
The NAT router translates the internal range 169.168.0.x into the new range 203.162.2.x. When a packet with source IP 192.168.0.200 reaches the router, the router changes the source IP to 203.162.2.200 and only then sends it out. This is called SNAT (Source NAT). The router stores the mapping in a table called the dynamic NAT table. Conversely, when a packet arrives from outside with destination IP 203.162.2.200, the router consults the current dynamic NAT table to change the destination 203.162.2.200 into the new destination 192.168.0.200. This is called DNAT (Destination NAT). Communication between 192.168.0.200 and 203.162.2.200 is completely transparent through the NAT router, which forwards packets from 192.168.0.200 to 203.162.2.200 and back.
3.3.3. IP masquerading
Figure 9: IP masquerading
The NAT router translates the internal range 192.168.0.x into a single IP, 203.162.2.4, by using different port numbers. For example, when a packet with source 192.168.0.168:1204 and destination 211.200.51.15:80 reaches the router, the router changes the source to 203.162.2.4:26314 and stores this mapping in a table called the dynamic masquerade table. When a packet arrives from outside with source 221.200.51.15:80 and destination 203.162.2.4:26314, the router consults the current dynamic masquerade table to change the destination from 203.162.2.4:26314 to 192.168.0.164:1204. Communication between the machines on the LAN and machines outside is completely transparent through the router.
3.3.4. Some examples of NAT techniques
Iptables supports the -j REDIRECT target, which makes it easy to redirect a port. For example, if SQUID is listening on port 3128/tcp, to redirect port 80 to port 3128:
# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128
Note: the -j REDIRECT target is used in the PREROUTING chain.
SNAT & MASQUERADE
To create a `transparent` connection between the LAN 192.168.0.1 and the Internet, configure the Iptables firewall as follows:
# echo 1 > /proc/sys/net/ipv4/ip_forward
Allow packets to be forwarded through the host running Iptables.
# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 210.40.2.71
Change the source IP of packets leaving interface eth0 to 210.40.2.71. When the reply packets come in from the Internet, Iptables automatically changes the destination IP 210.40.2.71 back to the destination IP of the corresponding computer on the LAN 192.168.0/24.
Alternatively, MASQUERADE can be used instead of SNAT:
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
(MASQUERADE is typically used when the Internet connection is ppp0 and uses a dynamic IP address.)
DNAT
Suppose the Proxy, Mail and DNS servers are placed in the DMZ. To create transparent connections from the Internet to these servers:
# echo 1 > /proc/sys/net/ipv4/ip_forward
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.2
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -j DNAT --to-destination 192.168.1.3
# iptables -t nat -A PREROUTING -i eth0 -p udp --dport 53 -j DNAT --to-destination 192.168.1.4
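The three translation tables of sections 3.3.2 to 3.3.4 (the dynamic NAT table, the dynamic masquerade table and the static DNAT of the DMZ servers) are modelled below. This is an added example, not code from the thesis. `DynamicNat` gives each internal address its own public address (SNAT going out, DNAT by table lookup coming back); `Masquerade` hides every internal host behind one public address and tells flows apart by the source port it allocates, and it delivers an inbound packet only when the table has an entry for it and the packet comes from the peer the flow was opened to; `dmz_dnat` is the port-to-server map of the DNAT rules. The addresses are those used in the text; the outside host 203.0.113.10, the firewall address 194.236.50.152 and the port numbers are constructed.

```python
"""Constructed model of the NAT behaviours in sections 3.3.2 to 3.3.4."""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int


class DynamicNat:
    """One public address per internal address: 192.168.0.x <-> 203.162.2.x."""

    def __init__(self, internal_prefix: str, public_prefix: str) -> None:
        self.internal, self.public = internal_prefix, public_prefix
        self.table = {}                 # public ip -> internal ip (the dynamic NAT table)

    def outbound(self, f: Flow) -> Flow:
        if not f.src.startswith(self.internal):
            return f
        public = self.public + f.src[len(self.internal):]   # keep the host part
        self.table[public] = f.src      # SNAT, remembered so replies can be mapped back
        return replace(f, src=public)

    def inbound(self, f: Flow) -> Optional[Flow]:
        internal = self.table.get(f.dst)
        return None if internal is None else replace(f, dst=internal)   # DNAT


class Masquerade:
    """Many internal hosts behind one public address, distinguished by port."""

    def __init__(self, public_ip: str, first_port: int = 1024) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        self.by_flow = {}               # original 4-tuple -> allocated public port
        self.by_port = {}               # allocated public port -> original 4-tuple

    def outbound(self, f: Flow) -> Flow:
        key = (f.src, f.sport, f.dst, f.dport)
        port = self.by_flow.get(key)
        if port is None:                # first packet of the flow: allocate a port
            port, self.next_port = self.next_port, self.next_port + 1
            self.by_flow[key] = port
            self.by_port[port] = key
        return replace(f, src=self.public_ip, sport=port)

    def inbound(self, f: Flow) -> Optional[Flow]:
        entry = self.by_port.get(f.dport)
        if f.dst != self.public_ip or entry is None:
            return None                 # nothing in the table: unsolicited, not delivered
        src, sport, dst, dport = entry
        if (f.src, f.sport) != (dst, dport):
            return None                 # only the peer the flow went to may reply
        return replace(f, dst=src, dport=sport)


def dmz_dnat(f: Flow, port_map: dict) -> Optional[Flow]:
    """Static DNAT of section 3.3.4: public port -> DMZ server; None when no rule matches."""
    target = port_map.get(f.dport)
    return None if target is None else replace(f, dst=target)


DMZ_PORTS = {80: "192.168.1.2", 25: "192.168.1.3", 53: "192.168.1.4"}


def masquerade_example():
    nat = Masquerade("203.162.2.4", first_port=26314)
    a = nat.outbound(Flow("192.168.0.168", 1204, "211.200.51.15", 80))
    b = nat.outbound(Flow("192.168.0.164", 1204, "211.200.51.15", 80))   # same ports, other host
    reply = nat.inbound(Flow("211.200.51.15", 80, "203.162.2.4", a.sport))
    unsolicited = nat.inbound(Flow("203.0.113.10", 5555, "203.162.2.4", 40000))
    return a, b, reply, unsolicited


def dynamic_nat_example():
    nat = DynamicNat("192.168.0.", "203.162.2.")
    out = nat.outbound(Flow("192.168.0.200", 1500, "203.0.113.10", 80))
    back = nat.inbound(Flow("203.0.113.10", 80, out.src, 1500))
    return out, back


if __name__ == "__main__":
    print(masquerade_example())
    print(dynamic_nat_example())
    print(dmz_dnat(Flow("203.0.113.10", 4444, "194.236.50.152", 25), DMZ_PORTS))
```

The `unsolicited` case in `masquerade_example` is the concrete form of the first advantage listed in 3.3.1: a packet from outside that no internal host asked for finds no table entry and never reaches the LAN.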
Chapter 4:
SETTING UP A FIREWALL TO PROTECT THE INTERNAL NETWORK WITH IPTABLES ON LINUX
In this application, iptables on a Linux server is used as a firewall that lets the external network reach the DMZ and lets the internal network reach the external network through the firewall. The external network is not allowed to reach the internal network.
4.1. How a firewall with a DMZ works
Figure 10: Firewall with a DMZ
The firewall lets machines on the internal network reach resources on the external network using SNAT.
Machines on the external network are allowed to reach only the Web Server and the DNS Server in the DMZ, using DNAT.
The requirements for a firewall on kernel 2.4.x, the modules the firewall needs, and the addressing of the internal network and the DMZ are the same as in the IP NAT application.
User-defined chains: three chains, bad_tcp_packets, allowed and icmp_packets, as in the IP NAT application.
4.2. Structure of the configuration file and its configuration
Configuration file for the firewall:
4.2.1. Configuring the options:
#!/bin/sh
# rc.firewall_dmz - DMZ firewall for Linux 2.4.x and iptables
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# 1. Configuration options.
# 1.1 Internet interface configuration.
# INET_IP is referenced by the INPUT chain rules in 4.1.4, so it must be set here.
INET_IP="194.236.50.152"
HTTP_IP="194.236.50.153"
DNS_IP="194.236.50.154"
INET_IFACE="eth0"
# 1.2 Local network interface configuration.
LAN_IP="192.168.0.1"
LAN_IFACE="eth1"
# 1.3 DMZ interface configuration.
#
DMZ_HTTP_IP="192.168.1.2"
DMZ_DNS_IP="192.168.1.3"
DMZ_IP="192.168.1.1"
DMZ_IFACE="eth2"
# 1.4 Localhost configuration.
LO_IFACE="lo"
LO_IP="127.0.0.1"
# 1.5 Location of the iptables program.
IPTABLES="/usr/sbin/iptables"
4.2.2. Loading the required modules into the kernel.
# 2. Load the required modules into the kernel.
/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state
4.2.3. Setting the required options in the proc file system.
# 3. Set the required options in the proc file system.
echo "1" > /proc/sys/net/ipv4/ip_forward
4.2.4. Setting up the rules.
# 4. Set up the rules.
# 4.1 Filter table
# 4.1.1 Default policies of the built-in chains: everything not explicitly allowed is dropped.
#
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
# 4.1.2 Create the user-defined chains
# Create the bad_tcp_packets chain.
$IPTABLES -N bad_tcp_packets
# Create the allowed and icmp_packets chains.
$IPTABLES -N allowed
$IPTABLES -N icmp_packets
#
# 4.1.3 Fill in the user-defined chains
# bad_tcp_packets chain.
# A SYN,ACK that conntrack regards as NEW answers a connection we never opened: reset it.
$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \
-m state --state NEW -j REJECT --reject-with tcp-reset
# Any other NEW packet without SYN is not a valid connection opening: log it, then drop it.
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
# allowed chain.
#
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP
#
# icmp_packets chain: echo request (type 8) and time exceeded (type 11) only.
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
# 4.1.4 INPUT chain
# Badly formed packets we do not want
$IPTABLES -A INPUT -p tcp -j bad_tcp_packets
# Packets from the Internet to the firewall.
#
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
# Packets from the LAN, the DMZ or LOCALHOST
#
# From the DMZ interface to the firewall's DMZ IP
$IPTABLES -A INPUT -p ALL -i $DMZ_IFACE -d $DMZ_IP -j ACCEPT
#
# From the LAN interface to the firewall's LAN IP
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_IP -j ACCEPT
#
# From the Localhost interface to the Localhost IP
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT
# The rules