At this point you should have the kernel and the other required packages installed. All network IP addresses, gateways and DNS addresses should be configured on your Linux MASQ server. If you do not know how to configure your Linux network cards, please consult the HOWTOs listed in section 2.6 (2.4.x), section 2.7 (2.2.x) or section 2.8 (2.0.x).

Now the only thing left to do is to configure the IP firewalling tools so that the appropriate packets are FORWARDed and MASQUERADEd to the correct machines.

** This section only provides the bare minimum firewall ruleset needed to get IP Masquerading working.

Once IP MASQ has been tested successfully (as described in later sections of this HOWTO), please refer to section 6.4.1 for a stronger IPTABLES ruleset for 2.4.x kernels, section 6.4.2 for a stronger IPCHAINS ruleset for 2.2.x kernels, and section 6.4.3 for a stronger IPFWADM ruleset for 2.0.x kernels. Note that these stronger firewall rulesets are more of a template than a finished product. For a truly secure firewall ruleset, see the Requirements sections of the HOWTO (2.4.x - section 2.6, 2.2.x - section 2.7, 2.0.x - section 2.8).

I recommend that you browse the examples directory directly or download an archive of all the rc.firewall-* files rather than typing in any of these files by hand.

Please note that IPCHAINS is no longer the primary firewall configuration tool for the 2.6.x and 2.4.x kernels. Although the newer 2.4.x kernels can still run most older IPCHAINS or IPFWADM rulesets via a compatibility module, the new kernels now use the IPTABLES toolkit. It should also be noted that, while running in this compatibility mode, no IPTABLES modules can be loaded. The reason is that none of the 2.2.x IPMASQ modules are compatible with the 2.4.x kernel. For more details on these changes, see section 7.40.

OK, as mentioned earlier, the /etc/rc.d/rc.firewall-* script can be loaded once after every reboot. The mechanism for loading the script varies between Linux distributions (see some examples below). The rc.firewall-iptables script will load all the required IPMASQ modules and enable the final IPMASQ functionality. For advanced setups, the same file may also contain a very secure firewall ruleset.

In any case, create the file /etc/rc.d/rc.firewall-iptables with the following initial simple ruleset:
<rc.firewall-iptables START>
#!/bin/sh
#
# rc.firewall-iptables
FWVER=0.76
#
#               Initial SIMPLE IP Masquerade test for 2.6 / 2.4 kernels
#               using IPTABLES.
#
#               Once IP Masquerading has been tested, with this simple
#               ruleset, it is highly recommended to use a stronger
#               IPTABLES ruleset either given later in this HOWTO or
#               from another reputable resource.
#
#
#
# Log:
#       0.76 - Added comments on why the default policy is ACCEPT
#       0.75 - Added more kernel modules to the comments section
#       0.74 - the ruleset now uses modprobe vs. insmod
#       0.73 - REJECT is not a legal policy yet; back to DROP
#       0.72 - Changed the default block behavior to REJECT not DROP
#       0.71 - Added clarification that PPPoE users need to use
#              "ppp0" instead of "eth0" for their external interface
#       0.70 - Added commented option for IRC nat module
#            - Added additional use of environment variables
#            - Added additional formatting
#       0.63 - Added support for the IRC IPTABLES module
#       0.62 - Fixed a typo on the MASQ enable line that used eth0
#              instead of $EXTIF
#       0.61 - Changed the firewall to use variables for the internal
#              and external interfaces.
#       0.60 - 0.50 had a mistake where the ruleset had a rule to DROP
#              all forwarded packets but it didn't have a rule to ACCEPT
#              any packets to be forwarded either
#            - Load the ip_nat_ftp and ip_conntrack_ftp modules by default
#       0.50 - Initial draft
#

echo -e "\n\nLoading simple rc.firewall-iptables version $FWVER..\n"


# The location of the iptables and kernel module programs
#
#   If your Linux distribution came with a copy of iptables,
#   most likely all the programs will be located in /sbin.  If
#   you manually compiled iptables, the default location will
#   be in /usr/local/sbin
#
# ** Please use the "whereis iptables" command to figure out
# ** where your copy is and change the path below to reflect
# ** your setup
#
#IPTABLES=/sbin/iptables
IPTABLES=/usr/local/sbin/iptables
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe


#Setting the EXTERNAL and INTERNAL interfaces for the network
#
#  Each IP Masquerade network needs to have at least one
#  external and one internal network.  The external network
#  is where the natting will occur and the internal network
#  should preferably be addressed with a RFC1918 private address
#  scheme.
#
#  For this example, "eth0" is external and "eth1" is internal
#
#
#  NOTE:  If this doesn't EXACTLY fit your configuration, you must
#         change the EXTIF or INTIF variables below. For example:
#
#            If you are a PPPoE or analog modem user:
#
#               EXTIF="ppp0"
#
#
EXTIF="eth0"
INTIF="eth1"
echo "   External Interface:  $EXTIF"
echo "   Internal Interface:  $INTIF"



#======================================================================
#== No editing beyond this line is required for initial MASQ testing ==


echo -en "   loading modules: "

# Need to verify that all modules have all required dependencies
#
echo "  - Verifying that all kernel modules are ok"
$DEPMOD -a

# With the new IPTABLES code, the core MASQ functionality is now either
# modular or compiled into the kernel.  This HOWTO shows ALL IPTABLES
# options as MODULES.  If your kernel is compiled correctly, there is
# NO need to load the kernel modules manually.
#
#  NOTE: The following items are listed ONLY for informational reasons.
#        There is no reason to manually load these modules unless your
#        kernel is either mis-configured or you intentionally disabled
#        the kernel module autoloader.
#

# Upon the commands of starting up IP Masq on the server, the
# following kernel modules will be automatically loaded:
#
# NOTE:  Only load the IP MASQ modules you need.  All current IP MASQ
#        modules are shown below but are commented out from loading.
# ===============================================================

echo "----------------------------------------------------------------------"

#Load the main body of the IPTABLES module - "iptable"
#  - Loaded automatically when the "iptables" command is invoked
#
#  - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "ip_tables, "
$MODPROBE ip_tables


#Load the IPTABLES filtering module - "iptable_filter"
#  - Loaded automatically when filter policies are activated


#Load the stateful connection tracking framework - "ip_conntrack"
#
# The conntrack module in itself does nothing without other specific
# conntrack modules being loaded afterwards such as the "ip_conntrack_ftp"
# module
#
#  - This module is loaded automatically when MASQ functionality is
#    enabled
#
#  - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "ip_conntrack, "
$MODPROBE ip_conntrack


#Load the FTP tracking mechanism for full FTP tracking
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -en "ip_conntrack_ftp, "
$MODPROBE ip_conntrack_ftp


#Load the IRC tracking mechanism for full IRC tracking
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -en "ip_conntrack_irc, "
$MODPROBE ip_conntrack_irc


#Load the general IPTABLES NAT code - "iptable_nat"
#  - Loaded automatically when MASQ functionality is turned on
#
#  - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "iptable_nat, "
$MODPROBE iptable_nat


#Loads the FTP NAT functionality into the core IPTABLES code
# Required to support non-PASV FTP.
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -en "ip_nat_ftp, "
$MODPROBE ip_nat_ftp


#Loads the IRC NAT functionality into the core IPTABLES code
# Required to support NAT of IRC DCC requests
#
# Disabled by default -- remove the "#" on the next line to activate
#
#echo -e "ip_nat_irc"
#$MODPROBE ip_nat_irc

echo "----------------------------------------------------------------------"

# Just to be complete, here is a partial list of some of the other
# IPTABLES kernel modules and their function.  Please note that most
# of these modules (the ipt ones) are automatically loaded by the
# master kernel module for proper operation and don't need to be
# manually loaded.
# --------------------------------------------------------------------
#
#    ip_nat_snmp_basic - this module allows for proper NATing of some
#                        SNMP traffic
#
#    iptable_mangle    - this target allows for packets to be
#                        manipulated for things like the TCPMSS
#                        option, etc.
#
# --
#
#    ipt_mark       - this target marks a given packet for future action.
#                     This automatically loads the ipt_MARK module
#
#    ipt_tcpmss     - this target allows to manipulate the TCP MSS
#                     option for braindead remote firewalls.
#                     This automatically loads the ipt_TCPMSS module
#
#    ipt_limit      - this target allows for packets to be limited to
#                     so many hits per sec/min/hr
#
#    ipt_multiport  - this match allows for targets within a range
#                     of port numbers vs. listing each port individually
#
#    ipt_state      - this match allows to catch packets with various
#                     IP and TCP flags set/unset
#
#    ipt_unclean    - this match allows to catch packets that have invalid
#                     IP/TCP flags set
#
#    iptable_filter - this module allows for packets to be DROPped,
#                     REJECTed, or LOGged.  This module automatically
#                     loads the following modules:
#
#                     ipt_LOG - this target allows for packets to be
#                               logged
#
#                     ipt_REJECT - this target DROPs the packet and returns
#                                  a configurable ICMP packet back to the
#                                  sender.
#

echo -e "   Done loading modules.\n"



#CRITICAL:  Enable IP forwarding since it is disabled by default
#
#           Redhat Users:  you may try changing the options in
#                          /etc/sysconfig/network from:
#
#                       FORWARD_IPV4=false
#                             to
#                       FORWARD_IPV4=true
#
echo "   Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward


# Dynamic IP users:
#
#   If you get your IP address dynamically from SLIP, PPP, or DHCP,
#   enable this following option.  This enables dynamic-address hacking
#   which makes the life with Diald and similar programs much easier.
#
echo "   Enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr


# Enable simple IP forwarding and Masquerading
#
#  NOTE:  In IPTABLES speak, IP Masquerading is a form of SourceNAT or SNAT.
#
#  NOTE #2:  The following is an example for an internal LAN address in the
#            192.168.0.x network with a 255.255.255.0 or a "24" bit subnet mask
#            connecting to the Internet on external interface "eth0".  This
#            example will MASQ internal traffic out to the Internet but not
#            allow non-initiated traffic into your internal network.
#
#
#         ** Please change the above network numbers, subnet mask, and your
#         ** Internet connection interface name to match your setup
#


#Clearing any previous configuration
#
#  Unless specified, the defaults for INPUT and OUTPUT are ACCEPT
#    The default for FORWARD is DROP (REJECT is not a valid policy)
#
#   Isn't ACCEPT insecure?  To some degree, YES, but this is our testing
#   phase.  Once we know that IPMASQ is working well, I recommend you run
#   the rc.firewall-*-stronger rulesets which set the defaults to DROP but
#   also include the critical additional rulesets to still let you connect to
#   the IPMASQ server, etc.
#
echo "   Clearing any existing rules and setting default policy.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

echo "   FWD: Allow all connections OUT and only existing and related ones IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG

echo "   Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

echo -e "\nrc.firewall-iptables v$FWVER done.\n"
Once you have finished editing this /etc/rc.d/rc.firewall-iptables ruleset, make it executable by typing: chmod 700 /etc/rc.d/rc.firewall-iptables

Now that the firewall ruleset is ready, you need to make it run after every reboot. You can either run it by hand every time (a real pain) or add it to your startup scripts. We cover two methods below: Redhat (SysV style) and Slackware (BSD style).

1. Redhat and Redhat-derived distributions

There are two ways to load things automatically on Redhat: /etc/rc.d/rc.local or an init script in /etc/rc.d/init.d/. The first method is the easiest, but it is not SysV-compliant. You simply add the following lines

echo "Loading the rc.firewall-iptables ruleset.. "
/etc/rc.d/rc.firewall-iptables

to the end of the /etc/rc.d/rc.local file (as described earlier in this HOWTO).

The problem with this method is that the firewall is not executed until the very end of the boot process.

The preferred method is to load the firewall as soon as the networking subsystem has been loaded. To do so, copy the following file into the /etc/rc.d/init.d directory:
<firewall-iptables START>
#!/bin/sh
#
# chkconfig: 2345 11 89
#
# description: Loads the rc.firewall-iptables ruleset.
#
# processname: firewall-iptables
# pidfile: /var/run/firewall.pid
# config: /etc/rc.d/rc.firewall-iptables
# probe: true
# ----------------------------------------------------------------------------
# v05/24/03
#
# Part of the copyrighted and trademarked TrinityOS document.
# http://www.ecst.csuchico.edu/~dranch
#
# Written and Maintained by David A. Ranch
# dranch@trinnet.net
#
# Updates
# -------
# 05/24/03 - removed an old networking up check that had some
#            improper SGML ampersand conversions.
# ----------------------------------------------------------------------------

# Source function library.
. /etc/rc.d/init.d/functions

# Check that networking is up.
[ "XXXX${NETWORKING}" = "XXXXno" ] && exit 0

[ -x /sbin/ifconfig ] || exit 0

# The location of various iptables and other shell programs
#
#   If your Linux distribution came with a copy of iptables, most
#   likely it is located in /sbin.  If you manually compiled
#   iptables, the default location is in /usr/local/sbin
#
# ** Please use the "whereis iptables" command to figure out
# ** where your copy is and change the path below to reflect
# ** your setup
#
IPTABLES=/usr/local/sbin/iptables

# See how we were called.
case "$1" in
  start)
        /etc/rc.d/rc.firewall-iptables
        ;;
  stop)
        echo -e "\nFlushing firewall and setting default policies to DROP\n"
        $IPTABLES -P INPUT DROP
        $IPTABLES -F INPUT
        $IPTABLES -P OUTPUT DROP
        $IPTABLES -F OUTPUT
        $IPTABLES -P FORWARD DROP
        $IPTABLES -F FORWARD
        $IPTABLES -F -t nat

        # Delete all User-specified chains
        $IPTABLES -X
        #
        # Reset all IPTABLES counters
        $IPTABLES -Z
        ;;
  restart)
        $0 stop
        $0 start
        ;;
  status)
        $IPTABLES -L
        ;;
  mlist)
        cat /proc/net/ip_conntrack
        ;;
  *)
        echo "Usage: firewall-iptables {start|stop|status|mlist}"
        exit 1
esac

exit 0
With this script in place, all you need to do now is make it executable and then make it load at boot. First, make it executable by running:

#Redhat-style
# chmod 700 /etc/rc.d/init.d/firewall-iptables

Next, register it with chkconfig so that it is started in the multi-user runlevels:

#Redhat style
# /sbin/chkconfig --level=345 firewall-iptables on

You can verify the result with:

#Redhat style
# chkconfig --list firewall-iptables

#The output should look like:
#
#   firewall-iptables    0:off   1:off   2:off   3:on    4:on    5:on    6:off
2. Slackware

There are two ways to load things on Slackware: /etc/rc.d/rc.local or editing the /etc/rc.d/rc.inet2 file. The first method is the easiest, but it is not the most secure (see below). You simply append the following lines to the /etc/rc.d/rc.local file:

echo "Loading the rc.firewall-iptables ruleset.."
/etc/rc.d/rc.firewall-iptables

The problem with this method is that, if you are running a strong firewall ruleset, the firewall is not executed until the very end of the boot process. The preferred method is to load the firewall as soon as the networking subsystem has been loaded. For now, this HOWTO only covers how to do this with /etc/rc.d/rc.local, but if you know what you are doing (it's easy), go ahead and modify the inet2 startup script to load the /etc/rc.d/rc.firewall-iptables file right after the network comes up. If you want a more detailed guide and/or a stronger firewall ruleset, I recommend you look at section 10 of TrinityOS in the links section at the bottom of this HOWTO.

Notes on how users might want to change the above firewall ruleset

You can also enable IP Masquerading on a per-machine basis instead of the above method, which enables an entire TCP/IP network. For example, say I only wanted the hosts 192.168.0.2 and 192.168.0.8 to have access to the Internet and NOT any of the other internal machines. I would change the "Enable simple IP forwarding and Masquerading" section of the /etc/rc.d/rc.firewall-iptables ruleset (shown above) to:
#!/bin/sh
#
# Partial IPTABLES config to enable simple IP forwarding and Masquerading
# v0.61
#
# NOTE: The following is an example to allow only IP Masquerading for the
#       192.168.0.2 and 192.168.0.8 machines with a 255.255.255.0 or a
#       "/24" subnet mask connecting to the Internet on interface eth0.
#
# ** Please change the network number, subnet mask, and the Internet
# ** connection interface name to match your internal LAN setup
#
echo "  - Setting the default FORWARD policy to DROP"
$IPTABLES -P FORWARD DROP

echo "  - Enabling SNAT (IPMASQ) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -s 192.168.0.2/32 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -s 192.168.0.8/32 -j MASQUERADE

echo "  - Setting the FORWARD policy to 'DROP' all incoming / unrelated traffic"
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,INVALID -j DROP
$IPTABLES -A FORWARD -i $EXTIF -m state --state NEW,INVALID -j DROP
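The per-host rules above are written out by hand for two addresses. The following is an added example, not part of the HOWTO and not the author's code, that generates the same kind of rules for any list of hosts and prints them for review instead of running them. The function names (ip4_to_int, in_cidr, masq_rules_for_hosts) and the dry-run design are this example's own. It goes one step beyond the partial ruleset above: each host is first checked to lie inside the internal network, and a per-host FORWARD accept is emitted next to the per-host MASQUERADE rule, so a host that is not on the list is neither forwarded nor NATed (the partial ruleset above restricts only the NAT step and leaves forwarding to the rules already in the main script).

```sh
#!/bin/sh
# Added example, not from the HOWTO: print per-host masquerade rules for a
# list of internal hosts, refusing any host outside the internal network.
# Function names and the dry-run design are this example's own.

# ip4_to_int 192.168.0.2 -> 3232235522; fails on anything but a dotted quad
ip4_to_int() {
    _oldifs=$IFS
    IFS=.
    set -- $1                      # split the address on the dots
    IFS=$_oldifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        case "$_o" in
            ''|*[!0-9]*) return 1 ;;   # empty or non-numeric octet
        esac
        [ "$_o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET/BITS -> success when ADDR lies inside the prefix
in_cidr() {
    _ip=$(ip4_to_int "$1") || return 1
    _net=$(ip4_to_int "${2%/*}") || return 1
    _bits=${2#*/}
    case "$_bits" in ''|*[!0-9]*) return 1 ;; esac   # missing "/N" or not numeric
    [ "$_bits" -le 32 ] || return 1
    _mask=$(( _bits == 0 ? 0 : (0xFFFFFFFF << (32 - _bits)) & 0xFFFFFFFF ))
    [ $(( _ip & _mask )) -eq $(( _net & _mask )) ]
}

# masq_rules_for_hosts EXTIF INTIF NET/BITS HOST... -> prints the iptables
# commands (one per line) that forward and masquerade only the listed hosts.
# Prints no rules and fails if any host is outside NET/BITS, so a typo in the
# host list cannot silently open the gateway to an unexpected address.
masq_rules_for_hosts() {
    _extif=$1; _intif=$2; _lan=$3; shift 3
    for _h in "$@"; do
        in_cidr "$_h" "$_lan" || { echo "refusing $_h: not inside $_lan" >&2; return 1; }
    done
    echo "iptables -P FORWARD DROP"
    # replies to connections the listed hosts opened may come back in
    echo "iptables -A FORWARD -i $_extif -o $_intif -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for _h in "$@"; do
        echo "iptables -A FORWARD -i $_intif -o $_extif -s $_h/32 -j ACCEPT"
        echo "iptables -t nat -A POSTROUTING -o $_extif -s $_h/32 -j MASQUERADE"
    done
}

# Demonstration with constructed values matching the HOWTO's sample LAN
masq_rules_for_hosts eth0 eth1 192.168.0.0/24 192.168.0.2 192.168.0.8
```

The printed commands can be reviewed and then pasted into the "Enable simple IP forwarding and Masquerading" section of your rc.firewall-iptables (with the iptables path replaced by $IPTABLES). The CIDR check is done in shell arithmetic so the script needs nothing beyond a POSIX sh.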
Common mistakes

A common mistake among new IP Masq users seems to be to simply make the first command:

IPTABLES:
---------
iptables -t nat -A POSTROUTING -j MASQUERADE

Do NOT make your default policy MASQUERADING. Otherwise, someone could manipulate their routing tables to tunnel straight through your gateway, using it to masquerade their own identity!

Again, you can add these lines to the /etc/rc.d/rc.firewall-iptables file, to one of the other rc files you prefer, or do it manually every time you need IP Masquerade.

For a detailed guide with examples of strong IPTABLES rulesets, see section 6.4.1. For more details on IPTABLES usage, visit the main IPTABLES site at http://www.netfilter.org/.

Please note that IPFWADM is no longer the firewall tool for manipulating IP Masquerading rules on 2.1.x and 2.2.x kernels. These newer kernels now use the IPCHAINS toolkit. For more details on the reasons for this change, see chapter 7.

Create the file /etc/rc.d/rc.firewall-ipchains with the following initial simple ruleset:
<rc.firewall-ipchains START>
#!/bin/sh
#
# rc.firewall-ipchains
#
#       - Initial SIMPLE IP Masquerade test for 2.1.x and 2.2.x kernels
#         using IPCHAINS.
#
#         Once IP Masquerading has been tested, with this simple
#         ruleset, it is highly recommended to use a stronger
#         IPTABLES ruleset either given later in this HOWTO or
#         from another reputable resource.
FWVER="1.23"
#
#       1.23 - Added comments on why the default policy is ACCEPT
#       1.22 - ruleset now uses modprobe instead of insmod
#       1.21 - Added clarification that PPPoE users need to use
#              "ppp0" instead of "eth0" for their external interface
#       1.20 - Updated the script to use environment vars
#       1.01 - Original version

echo -e "\n\nLoading simple rc.firewall-ipchains : version $FWVER..\n"


# The location of the ipchains and kernel module programs
#
#   If your Linux distribution came with a copy of ipchains,
#   most likely all the programs will be located in /sbin.  If
#   you manually compiled ipchains, the default location will
#   be in /usr/local/sbin
#
# ** Please use the "whereis ipchains" command to figure out
# ** where your copy is and change the path below to reflect
# ** your setup
#
IPCHAINS=/sbin/ipchains
#IPCHAINS=/usr/local/sbin/ipchains
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe


#Setting the EXTERNAL and INTERNAL interfaces for the network
#
#  Each IP Masquerade network needs to have at least one
#  external and one internal network.  The external network
#  is where the NATing will occur and the internal network
#  should preferably be addressed with a RFC1918 private addressing
#  scheme.
#
#  For this example, "eth0" is external and "eth1" is internal
#
#  NOTE:  If this doesn't EXACTLY fit your configuration, you must
#         change the EXTIF or INTIF variables below. For example:
#
#            If you are a PPPoE or analog modem user:
#
#               EXTIF="ppp0"
#
#  ** Please change this to reflect your specific configuration **
#
EXTIF="eth0"
INTIF="eth1"
echo "   External Interface:  $EXTIF"
echo "   Internal Interface:  $INTIF"


# Network Address of the Internal Network
#
#   This example rc.firewall-ipchains file uses the 192.168.0.0 network
#   with a /24 or 255.255.255.0 netmask.
#
#   ** Change this variable to reflect your specific setup **
#
INTLAN="192.168.0.0/24"
echo -e "   Internal Network:    $INTLAN\n"


# Load all required IP MASQ modules
#
#   NOTE:  Only load the IP MASQ modules you need.  All current IP MASQ modules
#          are shown below but are commented out from loading.

echo "   loading required IPMASQ kernel modules.."

# Needed to initially load modules
#
$DEPMOD -a

echo -en "   Loading modules: "

# Supports the proper masquerading of FTP file transfers using the PORT method
#
echo -en "FTP, "
$MODPROBE ip_masq_ftp

# Supports the masquerading of RealAudio over UDP.  Without this module,
#       RealAudio WILL function but in TCP mode.  This can cause a reduction
#       in sound quality
#
#echo -en "RealAudio, "
$MODPROBE ip_masq_raudio

# Supports the masquerading of IRC DCC file transfers
#
#echo -en "Irc, "
#$MODPROBE ip_masq_irc

# Supports the masquerading of Quake and QuakeWorld by default.  These modules
#   are for multiple users behind the Linux MASQ server.  If you are going to
#   play Quake I, II, and III, use the second example.
#
#   NOTE:  If you get ERRORs loading the QUAKE module, you are running an old
#   -----  kernel that has bugs in it.  Please upgrade to the newest kernel.
#
#echo -en "Quake, "
#Quake I / QuakeWorld (ports 26000 and 27000)
#$MODPROBE ip_masq_quake
#
#Quake I/II/III / QuakeWorld (ports 26000, 27000, 27910, 27960)
#$MODPROBE ip_masq_quake 26000,27000,27910,27960

# Supports the masquerading of the CuSeeme video conferencing software
#
#echo -en "CuSeeme, "
#$MODPROBE ip_masq_cuseeme

#Supports the masquerading of the VDO-live video conferencing software
#
#echo -en "VdoLive "
#$MODPROBE ip_masq_vdolive

echo ".  Done loading modules."


#CRITICAL:  Enable IP forwarding since it is disabled by default
#
#           Redhat Users:  you may try changing the options in
#                          /etc/sysconfig/network from:
#
#                       FORWARD_IPV4=false
#                             to
#                       FORWARD_IPV4=true
#
echo "   enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward


#CRITICAL:  Enable automatic IP defragmenting since it is disabled by default
#           in 2.2.x kernels.  This used to be a compile-time option but the
#           behavior was changed in 2.2.12
#
echo "   enabling AlwaysDefrag.."
echo "1" > /proc/sys/net/ipv4/ip_always_defrag


# Dynamic IP users:
#
#   If you get your IP address dynamically from SLIP, PPP, or DHCP, enable this
#   following option.  This enables dynamic-ip address hacking in IP MASQ,
#   making the life with Diald and similar programs much easier.
#
#echo "   enabling DynamicAddr.."
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr


# Enable the LooseUDP patch which some Internet-based games require
#
#  If you are trying to get an Internet game to work through your IP MASQ box,
#  and you have set it up to the best of your ability without it working, try
#  enabling this option (delete the "#" character).  This option is disabled
#  by default due to possible internal machine UDP port scanning
#  vulnerabilities.
#
#echo "   enabling LooseUDP.."
#echo "1" > /proc/sys/net/ipv4/ip_masq_udp_dloose


#Clearing any previous configuration
#
#  Unless specified, the defaults for INPUT and OUTPUT are ACCEPT
#    The default for FORWARD is REJECT
#
#   Isn't ACCEPT insecure?  To some degree, YES, but this is our testing
#   phase.  Once we know that IPMASQ is working well, I recommend you run
#   the rc.firewall-*-stronger rulesets which set the defaults to DROP but
#   also include the critical additional rulesets to still let you connect to
#   the IPMASQ server, etc.
#
echo "   clearing any existing rules and setting default policy.."
$IPCHAINS -P input ACCEPT
$IPCHAINS -P output ACCEPT
$IPCHAINS -P forward REJECT
$IPCHAINS -F input
$IPCHAINS -F output
$IPCHAINS -F forward


# MASQ timeouts
#
#   2 hrs timeout for TCP session timeouts
#  10 sec timeout for traffic after the TCP/IP "FIN" packet is received
# 160 sec timeout for UDP traffic (Important for MASQ'ed ICQ users)
#
echo "   setting default timers.."
$IPCHAINS -M -S 7200 10 160


# DHCP:  For people who receive their external IP address from either DHCP or
#        BOOTP for connections such as DSL or Cablemodem users, it is necessary
#        to use the following before the deny command.
#
#        This example is currently commented out.
#
#
#$IPCHAINS -A input -j ACCEPT -i $EXTIF -s 0/0 67 -d 0/0 68 -p udp


# Enable simple IP forwarding and Masquerading
#
#  NOTE:  The following is an example for an internal LAN address in the
#         192.168.0.x network with a 255.255.255.0 or a "24" bit subnet mask
#         connecting to the Internet on interface eth0.
#
#         ** Please change this network number, subnet mask, and your Internet
#         ** connection interface name to match your internal LAN setup
#
echo "   enabling IPMASQ functionality on $EXTIF"
$IPCHAINS -P forward DENY
$IPCHAINS -A forward -i $EXTIF -s $INTLAN -j MASQ

echo -e "\nrc.firewall-ipchains v$FWVER done.\n"
Once you have finished editing the /etc/rc.d/rc.firewall-ipchains ruleset, make it executable by typing: chmod 700 /etc/rc.d/rc.firewall-ipchains

Now that the firewall ruleset is ready, you need to make it run after every reboot. You can either run it by hand every time (a real pain) or add it to your startup scripts. We cover two methods below: Redhat (SysV style) and Slackware (BSD style).

1. Redhat and Redhat-derived distributions

There are two ways to load things automatically on Redhat: /etc/rc.d/rc.local or an init script in /etc/rc.d/init.d/. The first method is the easiest, but it is not SysV-compliant. You simply add the following lines

echo "Loading the rc.firewall ruleset.."
/etc/rc.d/rc.firewall-ipchains

to the end of the /etc/rc.d/rc.local file (as described earlier in this HOWTO).

The problem with this method is that the firewall is not executed until the very end of the boot process. The preferred method is to load the firewall as soon as the networking subsystem has been loaded. To do so, copy the following file into the /etc/rc.d/init.d directory:
<firewall-ipchains START>
#!/bin/sh
#
# chkconfig: 2345 11 89
#
# description: Loads the rc.firewall-ipchains ruleset.
#
# processname: firewall-ipchains
# pidfile: /var/run/firewall.pid
# config: /etc/rc.d/rc.firewall-ipchains
# probe: true
# ----------------------------------------------------------------------------
# v08/29/02
#
# Part of the copyrighted and trademarked TrinityOS document.
# http://www.ecst.csuchico.edu/~dranch
#
# Written and Maintained by David A. Ranch
# dranch@trinnet.net
#
# Updates
# -------
#
# ----------------------------------------------------------------------------

# Source function library.
. /etc/rc.d/init.d/functions

# Check that networking is up.
# This line no longer works with bash2
#[ ${NETWORKING} = "no" ] && exit 0

# This should be OK.
[ "XXXX${NETWORKING}" = "XXXXno" ] && exit 0

[ -x /sbin/ifconfig ] || exit 0

# The location of various ipchains and other shell programs
#
#   If your Linux distribution came with a copy of ipchains, most
#   likely it is located in /sbin.  If you manually compiled
#   ipchains, the default location is in /usr/local/sbin
#
# ** Please use the "whereis ipchains" command to figure out
# ** where your copy is and change the path below to reflect
# ** your setup
#
IPCHAINS=/sbin/ipchains

# See how we were called.
case "$1" in
  start)
        /etc/rc.d/rc.firewall-ipchains
        ;;
  stop)
        echo -e "\nFlushing firewall and setting default policies to REJECT\n"
        $IPCHAINS -P input REJECT
        $IPCHAINS -P output REJECT
        $IPCHAINS -P forward REJECT
        $IPCHAINS -F input
        $IPCHAINS -F output
        $IPCHAINS -F forward
        ;;
  restart)
        $0 stop
        $0 start
        ;;
  status)
        $IPCHAINS -L
        ;;
  mlist)
        $IPCHAINS -M -L
        ;;
  *)
        echo "Usage: firewall-ipchains {start|stop|status|mlist}"
        exit 1
esac

exit 0
With this script in place, all you need to do now is make it executable and then make it load at boot. First, make it executable by running:

#Redhat-style
# chmod 700 /etc/rc.d/init.d/firewall-ipchains

Next, register it with chkconfig so that it is started in the multi-user runlevels:

#Redhat style
# chkconfig --level=345 firewall-ipchains on

You can verify the result with:

#Redhat style
# chkconfig --list firewall-ipchains

#The output should look like:
#
#   firewall-ipchains    0:off   1:off   2:off   3:on    4:on    5:on    6:off
2. Slackware

There are two ways to load things on Slackware: /etc/rc.d/rc.local or editing the /etc/rc.d/rc.inet2 file. The first method is the easiest, but it is not the most secure (see below). You simply append the following lines to the /etc/rc.d/rc.local file:

echo "Loading the rc.firewall-ipchains ruleset.."
/etc/rc.d/rc.firewall-ipchains

The problem with this method is that, if you are running a strong firewall ruleset, the firewall is not executed until the very end of the boot process. The preferred method is to load the firewall as soon as the networking subsystem has been loaded. For now, this HOWTO only covers how to do this with /etc/rc.d/rc.local, but if you know what you are doing (it's easy), go ahead and modify the inet2 startup script to load the /etc/rc.d/rc.firewall-ipchains file right after the network comes up. If you want a more detailed guide and/or a stronger firewall ruleset, I recommend you look at section 10 of TrinityOS in the links section at the bottom of this HOWTO.

Notes on how users might want to change the above firewall ruleset

You can also enable IP Masquerading on a per-machine basis instead of the above method, which enables an entire TCP/IP network. For example, say I only wanted the hosts 192.168.0.2 and 192.168.0.8 to have access to the Internet and NOT any of the other internal machines. I would change the "Enable simple IP forwarding and Masquerading" section of the /etc/rc.d/rc.firewall-ipchains ruleset (shown above) to:
#!/bin/sh
#
# Enable simple IP forwarding and Masquerading
# v1.01
#
# NOTE: The following is an example used in addition to the simple
#       IPCHAINS ruleset above to allow only IP Masquerading for the
#       192.168.0.2 and 192.168.0.8 machines with a 255.255.255.0 or a
#       "24" bit subnet mask connecting to the Internet on interface $EXTIF.
#
# ** Please change the network number, subnet mask, and the Internet
# ** connection interface name to match your internal LAN setup
#
$IPCHAINS -P forward DENY
$IPCHAINS -A forward -i $EXTIF -s 192.168.0.2/32 -j MASQ
$IPCHAINS -A forward -i $EXTIF -s 192.168.0.8/32 -j MASQ
Common mistakes

A common mistake among new IP MASQ users seems to be to make the first command:

$IPCHAINS -P forward masquerade

Do NOT make your default policy MASQUERADING. Otherwise, someone could manipulate their routing tables to tunnel straight through your gateway, using it to masquerade their own identity!

Again, you can add these lines to the /etc/rc.d/rc.firewall-ipchains file, to one of the other rc files you prefer, or do it manually every time you need IP Masquerade.

For a detailed guide on IPCHAINS and examples of strong IPCHAINS rulesets, see section 6.4.2. For more details on IPCHAINS usage, visit the main IPCHAINS site at http://www.netfilter.org/ipchains/ or the Linux IP CHAINS HOWTO backup site.

Create the file /etc/rc.d/rc.firewall-ipfwadm with the following initial simple ruleset:

<rc.firewall-ipfwadm START>
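The unrestricted-masquerade mistake warned about here for IPCHAINS, and earlier in the IPTABLES "Common mistakes" paragraph, can be caught mechanically before a ruleset is loaded. The following is an added example, not part of the HOWTO and not the author's code: a shell function that reads rule lines (iptables-save output, or the iptables and ipchains commands from an rc file) and reports any masquerade rule or policy that is not limited to the external interface or the internal network, plus a FORWARD policy of ACCEPT. The sample rule dumps are constructed for the example, and the function name audit_masq_rules is this example's own.

```sh
#!/bin/sh
# Added example, not from the HOWTO: flag masquerade rules that apply to all
# traffic, in iptables-save output, iptables commands, or ipchains commands.
# The function name and the sample dumps below are this example's own.

# Constructed sample: nat and filter tables of a misconfigured 2.4.x box,
# in iptables-save format (the "-A POSTROUTING -j MASQUERADE" mistake)
BAD_IPTABLES='# Generated by iptables-save
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT'

# Constructed sample: the same mistake in a 2.2.x ipchains rc file
BAD_IPCHAINS='ipchains -P forward MASQ
ipchains -A forward -i eth0 -s 192.168.0.0/24 -j MASQ'

# Constructed sample: rules in the shape the HOWTO recommends, expected clean
GOOD_RULES='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
ipchains -P forward DENY
ipchains -A forward -i eth0 -s 192.168.0.0/24 -j MASQ'

# audit_masq_rules < rules -> one finding per line on stdout; returns 1 if
# anything was flagged, 0 if the rules are clean
audit_masq_rules() {
    _found=0
    while IFS= read -r _line; do
        case "$_line" in
            "#"*) ;;                                   # iptables-save comments
            # iptables: MASQUERADE with neither an outgoing interface nor a
            # source network masquerades whatever the box happens to route
            *POSTROUTING*MASQUERADE*)
                case "$_line" in
                    *" -o "*|*" -s "*) ;;
                    *) echo "unrestricted MASQUERADE: $_line"; _found=1 ;;
                esac ;;
            # iptables: FORWARD defaulting to ACCEPT routes anything not
            # explicitly dropped, including traffic arriving from outside
            ":FORWARD ACCEPT"*)
                echo "FORWARD policy is ACCEPT: $_line"; _found=1 ;;
            # ipchains: masquerade used as the forward policy
            *"-P forward "[Mm][Aa][Ss][Qq]*)
                echo "masquerade used as default forward policy: $_line"; _found=1 ;;
            # ipchains: a MASQ rule that does not name the internal network
            *"-A forward "*"-j MASQ"*)
                case "$_line" in
                    *" -s "*) ;;
                    *) echo "MASQ rule without source network: $_line"; _found=1 ;;
                esac ;;
        esac
    done
    return $_found
}

# Demonstration on the constructed samples
printf '%s\n' "$BAD_IPTABLES" | audit_masq_rules
printf '%s\n' "$BAD_IPCHAINS" | audit_masq_rules
printf '%s\n' "$GOOD_RULES" | audit_masq_rules && echo "clean"
```

On a live 2.4.x box the function can be fed with iptables-save, and on a 2.2.x box with the rc.firewall-ipchains file itself; a non-zero exit status is a convenient hook for refusing to load the ruleset from an init script. The matching is deliberately simple pattern matching on the rule text, so it checks the shape of the rules, not what the kernel will actually do with them.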
#!/bin/sh
#
# rc.firewall-ipfwadm
#
# An Initial SIMPLE IP Masquerade setup for 2.0.x kernels using IPFWADM
#
FWVER="2.03"
#
#       2.03 - Added comments on why the default policy is ACCEPT
#       2.02 - Added clarification that PPPoE users need to use
#              "ppp0" instead of "eth0" for their external interface
#
#
#       Once IP Masquerading has been tested, with this simple
#       ruleset, it is highly recommended to use a stronger
#       IPTABLES ruleset either given later in this HOWTO or
#       from another reputable resource.
#

echo -e "\n\nLoading simple rc.firewall-ipfwadm version $FWVER..\n"


#Setting the EXTERNAL and INTERNAL interfaces for the network
#
#  Each IP Masquerade network needs to have at least one
#  external and one internal network.  The external network
#  is where the NATing will occur and the internal network
#  should preferably be addressed with a RFC1918 private addressing
#  scheme.
#
#  For this example, "eth0" is external and "eth1" is internal
#
#  NOTE:  If this doesn't EXACTLY fit your configuration, you must
#         change the EXTIF or INTIF variables below. For example:
#
#            If you are a PPPoE or analog modem user:
#
#               EXTIF="ppp0"
#
#  ** Please change this to reflect your specific configuration **
#
EXTIF="eth0"
INTIF="eth1"
echo "   External Interface:  $EXTIF"
echo "   Internal Interface:  $INTIF"


# Network Address of the Internal Network
#
#   This example rc.firewall-ipfwadm file uses the 192.168.0.0 network
#   with a /24 or 255.255.255.0 netmask.
#
#   ** Change this variable to reflect your specific setup **
#
INTLAN="192.168.0.0/24"
echo -e "   Internal Network:    $INTLAN\n"


# Load all required IP MASQ modules
#
#   NOTE:  Only load the IP MASQ modules you need.  All current available IP
#          MASQ modules are shown below but are commented out from loading.

echo -en "Loading modules: "

# Needed to initially load modules
#
/sbin/depmod -a

# Supports the proper masquerading of FTP file transfers using the PORT method
#
echo -en "FTP, "
/sbin/modprobe ip_masq_ftp

# Supports the masquerading of RealAudio over UDP.  Without this module,
#       RealAudio WILL function but in TCP mode.  This can cause a reduction
#       in sound quality
#
#echo -en "RealAudio, "
#/sbin/modprobe ip_masq_raudio

# Supports the masquerading of IRC DCC file transfers
#
#echo -en "Irc, "
#/sbin/modprobe ip_masq_irc

# Supports the masquerading of Quake and QuakeWorld by default.  These modules
#   are for multiple users behind the Linux MASQ server.  If you are going to
#   play Quake I, II, and III, use the second example.
#
#   NOTE:  If you get ERRORs loading the QUAKE module, you are running an old
#   -----  kernel that has bugs in it.  Please upgrade to the newest kernel.
#
#echo -en "Quake, "
#Quake I / QuakeWorld (ports 26000 and 27000)
#/sbin/modprobe ip_masq_quake
#
#Quake I/II/III / QuakeWorld (ports 26000, 27000, 27910, 27960)
#/sbin/modprobe ip_masq_quake 26000,27000,27910,27960

# Supports the masquerading of the CuSeeme video conferencing software
#
#echo -en "CuSeeme, "
#/sbin/modprobe ip_masq_cuseeme

#Supports the masquerading of the VDO-live video conferencing software
#
#echo -en "VdoLive, "
#/sbin/modprobe ip_masq_vdolive

echo ".  Done loading modules."


#CRITICAL:  Enable IP forwarding since it is disabled by default
#
#           Redhat Users:  you may try changing the options in
#                          /etc/sysconfig/network from:
#
#                       FORWARD_IPV4=false
#                             to
#                       FORWARD_IPV4=true
#
echo "   enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward


#CRITICAL:  Enable automatic IP defragmenting since it is disabled by default
#
#           This used to be a compile-time option but the behavior was changed
#           in 2.2.12.  This option is required for both 2.0 and 2.2 kernels.
#
echo "   enabling AlwaysDefrag.."
echo "1" > /proc/sys/net/ipv4/ip_always_defrag


# Dynamic IP users:
#
#   If you get your Internet IP address dynamically from SLIP, PPP, or DHCP,
#   enable the following option.  This enables dynamic-ip address hacking in
#   IP MASQ, making the life with DialD, PPPd, and similar programs much easier.
#
#echo "   enabling DynamicAddr.."
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr


#Clearing any previous configuration
#
#  Unless specified, the defaults for INPUT and OUTPUT are ACCEPT
#    The default for FORWARD is REJECT
#
#   Isn't ACCEPT insecure?  To some degree, YES, but this is our testing
#   phase.  Once we know that IPMASQ is working well, I recommend you run
#   the rc.firewall-*-stronger rulesets which set the defaults to DROP but
#   also include the critical additional rulesets to still let you connect to
#   the IPMASQ server, etc.
#
echo "   clearing any existing rules and setting default policy.."
/sbin/ipfwadm -I -p accept
/sbin/ipfwadm -O -p accept
/sbin/ipfwadm -F -p reject
/sbin/ipfwadm -I -f
/sbin/ipfwadm -O -f
/sbin/ipfwadm -F -f


# MASQ timeouts
#
#   2 hrs timeout for TCP session timeouts
#  10 sec timeout for traffic after the TCP/IP "FIN" packet is received
# 160 sec timeout for UDP traffic (Important for MASQ'ed ICQ users)
#
echo "   setting default timers.."
/sbin/ipfwadm -M -s 7200 10 160


# DHCP:  For people who receive their external IP address from either DHCP or
#        BOOTP such as DSL or Cablemodem users, it is necessary to use the
#        following before the deny command.
#
#        This example is currently commented out.
#
#
#/sbin/ipfwadm -I -a accept -S 0/0 67 -D 0/0 68 -W $EXTIF -P udp


# Enable simple IP forwarding and Masquerading
#
#  NOTE:  The following is an example for an internal LAN address in the
#         192.168.0.x network with a 255.255.255.0 or a "24" bit subnet mask
#         connecting to the Internet on interface eth0.
#
#         ** Please change this network number, subnet mask, and your Internet
#         ** connection interface name to match your internal LAN setup.
#
echo "   enabling IPMASQ functionality on $EXTIF"
/sbin/ipfwadm -F -p deny
/sbin/ipfwadm -F -a m -W $EXTIF -S $INTLAN -D 0.0.0.0/0

echo -e "\nrc.firewall-ipfwadm v$FWVER done.\n"
Once you have finished editing the /etc/rc.d/rc.firewall-ipfwadm ruleset, make it executable by typing "chmod 700 /etc/rc.d/rc.firewall-ipfwadm".
Now that the firewall ruleset is ready, you need to have it run after every reboot. You can run it by hand every time (very tedious) or add it to your startup scripts. We cover two methods below: Redhat (Sys-V style) and Slackware (BSD style).
Redhat and Redhat-derived distributions
There are two ways to load things automatically on Redhat: /etc/rc.d/rc.local or an init script in /etc/rc.d/init.d/. The first method is the easiest, but it is not the Sys-V way. You just need to add the following lines:
echo "Loading the rc.firewall-ipfwadm ruleset.."
/etc/rc.d/rc.firewall-ipfwadm
The problem with this method is that the firewall is not executed until the very end of the boot process. The preferred method is to load the firewall right after the networking subsystem has been brought up. To do that, copy the following file into the /etc/rc.d/init.d directory:
<firewall-ipfwadm START>
#!/bin/sh
#
# chkconfig: 2345 11 89
#
# description: Loads the rc.firewall-ipfwadm ruleset.
#
# processname: firewall-ipfwadm
# pidfile: /var/run/firewall.pid
# config: /etc/rc.d/rc.firewall-ipfwadm
# probe: true
#
# ----------------------------------------------------------------------------
# v02/09/02
#
# Part of the copyrighted and trademarked TrinityOS document.
# http://www.ecst.csuchico.edu/~dranch
#
# Written and Maintained by David A. Ranch
# dranch@trinnet.net
#
# Updates
# -------
#
# ----------------------------------------------------------------------------

# Source function library.
. /etc/rc.d/init.d/functions

# Check that networking is up.
# This line no longer works with bash2
#[ ${NETWORKING} = "no" ] && exit 0

# This should be OK.
[ "XXXX${NETWORKING}" = "XXXXno" ] && exit 0

[ -x /sbin/ifconfig ] || exit 0

# The location of various ipfwadm and other shell programs
#
# If your Linux distribution came with a copy of ipfwadm, most
# likely it is located in /sbin.  If you manually compiled
# ipfwadm, the default location is in /usr/local/sbin
#
# ** Please use the "whereis ipfwadm" command to figure out
# ** where your copy is and change the path below to reflect
# ** your setup
#
IPFWADM=/sbin/ipfwadm

# See how we were called.
case "$1" in
  start)
        /etc/rc.d/rc.firewall-ipfwadm
        ;;
  stop)
        echo -e "\nFlushing firewall and setting default policies to REJECT\n"
        $IPFWADM -I -p REJECT
        $IPFWADM -O -p REJECT
        $IPFWADM -F -p REJECT
        $IPFWADM -I -f
        $IPFWADM -O -f
        $IPFWADM -F -f
        ;;
  restart)
        $0 stop
        $0 start
        ;;
  status)
        $IPFWADM -l
        ;;
  mlist)
        $IPFWADM -M -l
        ;;
  *)
        echo "Usage: firewall-ipfwadm {start|stop|restart|status|mlist}"
        exit 1
esac

exit 0
<firewall-ipfwadm END>
With this script in place, all you need to do now is make it executable and then have it load at boot. First, make it executable by running:
#Redhat-style
# chmod 700 /etc/rc.d/init.d/firewall-ipfwadm
Next, have it load at boot:
#Redhat style
# chkconfig --level=345 firewall-ipfwadm on
To verify that it is enabled, run:
#Redhat style
# chkconfig --list firewall-ipfwadm
#The output should look like:
# firewall-ipfwadm 0:off 1:off 2:off 3:on 4:on 5:on 6:off
Slackware
There are two ways to load things automatically on Slackware: /etc/rc.d/rc.local or editing the /etc/rc.d/rc.inet2 file. The first method is the easiest, but it is not the most secure (see below). You just need to append the following lines to the /etc/rc.d/rc.local file:
echo "Loading the rc.firewall-ipfwadm ruleset.."
/etc/rc.d/rc.firewall-ipfwadm
The problem with this method is that, if you are running a strong firewall ruleset, the firewall is not executed until the very end of the boot process. The preferred method is to load the firewall right after the networking subsystem has been brought up. For now, this HOWTO only covers how to do this with /etc/rc.d/rc.local, but if you know what you are doing (it is easy), go ahead and modify the inet2 startup script to load the /etc/rc.d/rc.firewall-ipfwadm file right after networking comes up. If you would like a more detailed guide and/or a stronger firewall ruleset, I recommend you look at Section 10 of TrinityOS in the links section at the bottom of this HOWTO.
Notes on how users might want to change the above firewall ruleset
Instead of the above method, which enables an entire TCP/IP network, you can also enable IP Masquerading on a per-machine basis. For example, say I only wanted the 192.168.0.2 and 192.168.0.8 hosts to have access to the Internet and none of the other internal machines. I would change the "Enable simple IP forwarding and Masquerading" section (shown above) of the /etc/rc.d/rc.firewall-ipfwadm ruleset to:
# Enable simple IP forwarding and Masquerading
#  v2.01
#
#  NOTE:  The following is an example to only allow IP Masquerading for the
#         192.168.0.2 and 192.168.0.8 machines with a 255.255.255.0 or a "24"
#         bit subnet mask connected to the Internet on interface eth0.
#
#  ** Please change this network number, subnet mask, and your Internet
#  ** connection interface name to match your internal LAN setup
#
#  Please use the following in ADDITION to the simple rulesets above for
#  specific MASQ networks.
#
/sbin/ipfwadm -F -p deny
/sbin/ipfwadm -F -a m -W $EXTIF -S 192.168.0.2/32 -D 0.0.0.0/0
/sbin/ipfwadm -F -a m -W $EXTIF -S 192.168.0.8/32 -D 0.0.0.0/0
Common mistakes
A common mistake for new IP Masq users seems to be making the first command:
ipfwadm -F -p masquerade
Do NOT set your default policy to MASQUERADING. Otherwise, anyone who is able to manipulate their routing tables will be able to tunnel straight through your gateway and use it to masquerade their own identity!
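To catch this mistake before a ruleset is ever loaded, here is an added example (it is not part of this HOWTO or of TrinityOS) of a small POSIX shell audit. It reads an rc.firewall-ipfwadm style file, ignores commented-out lines, and flags a FORWARD default policy of masquerade, a masquerade rule whose source is the whole Internet, or a ruleset that never sets the FORWARD policy to deny or reject. It also generates the per-host ruleset from the previous section from a list of internal hosts. The script only reads files and prints ipfwadm commands; it never runs ipfwadm. The function names, the two constructed sample rulesets and the masq-audit.sh file name are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the IP Masquerade HOWTO or TrinityOS.
# Audits an rc.firewall-ipfwadm style file for the "default policy is
# masquerade" mistake and generates per-host MASQ rules from an allowlist.
# Only the ipfwadm syntax shown in the HOWTO is recognized; nothing here
# executes ipfwadm, it only reads files and prints commands.

# Print the file's active lines: a commented-out "#/sbin/ipfwadm ..." line
# is not in effect, so it counts neither as a finding nor as a safeguard.
active_lines() {
    grep -v '^[[:space:]]*#' "$1"
}

# audit_ruleset FILE: prints a finding for each problem and returns 1;
# returns 0 when none of the checks fire.
audit_ruleset() {
    file=$1
    rc=0
    # 1. FORWARD default policy of masquerade: every packet the box routes
    #    is masqueraded, whoever sent it (the mistake described above).
    if active_lines "$file" | grep -Eiq \
        'ipfwadm[[:space:]]+-F[[:space:]]+-p[[:space:]]+(m|masq|masquerade)([[:space:]]|$)'; then
        echo "BAD:  FORWARD default policy is masquerade in $file"
        rc=1
    fi
    # 2. A masquerade rule whose source is the whole Internet (-S 0/0) has
    #    the same effect as the bad default policy.
    if active_lines "$file" \
        | grep -E 'ipfwadm[[:space:]]+-F[[:space:]]+-a[[:space:]]+m([[:space:]]|$)' \
        | grep -Eq -- '-S[[:space:]]+0(\.0\.0\.0)?/0([[:space:]]|$)'; then
        echo "BAD:  masquerade rule with unrestricted source (-S 0/0) in $file"
        rc=1
    fi
    # 3. The HOWTO sets FORWARD to deny/reject before adding MASQ rules; a
    #    ruleset that never does so forwards everything else unmasqueraded.
    if ! active_lines "$file" | grep -Eiq \
        'ipfwadm[[:space:]]+-F[[:space:]]+-p[[:space:]]+(deny|reject)([[:space:]]|$)'; then
        echo "WARN: no deny/reject default policy for FORWARD in $file"
        rc=1
    fi
    return $rc
}

# gen_per_host_rules EXTIF HOST...: print the ipfwadm commands for an
# allowlist of internal hosts, in the shape of the per-host example above.
gen_per_host_rules() {
    extif=$1
    shift
    echo "/sbin/ipfwadm -F -p deny"
    for host in "$@"; do
        echo "/sbin/ipfwadm -F -a m -W $extif -S $host/32 -D 0.0.0.0/0"
    done
}

# write_samples DIR: write two constructed rulesets for trying the audit,
# "good" (the HOWTO's per-host rules) and "bad" (the common mistake).
write_samples() {
    dir=$1
    cat > "$dir/good" <<'EOF'
/sbin/ipfwadm -F -p deny
/sbin/ipfwadm -F -a m -W eth0 -S 192.168.0.2/32 -D 0.0.0.0/0
/sbin/ipfwadm -F -a m -W eth0 -S 192.168.0.8/32 -D 0.0.0.0/0
EOF
    cat > "$dir/bad" <<'EOF'
# the deny policy is commented out, so it is not in effect
#/sbin/ipfwadm -F -p deny
ipfwadm -F -p masquerade
/sbin/ipfwadm -F -a m -W eth0 -S 0/0 -D 0.0.0.0/0
EOF
}

# Usage:  sh masq-audit.sh audit /etc/rc.d/rc.firewall-ipfwadm
#         sh masq-audit.sh gen eth0 192.168.0.2 192.168.0.8
case "${1:-}" in
    audit) audit_ruleset "$2" ;;
    gen)   shift; gen_per_host_rules "$@" ;;
esac
```

Run the audit against your real /etc/rc.d/rc.firewall-ipfwadm before rebooting, and redirect the output of the gen mode into the "Enable simple IP forwarding and Masquerading" section if you maintain the allowlist outside the ruleset. The audit deliberately ignores commented-out lines, so a deny policy that has been commented out for debugging is reported as missing rather than silently trusted.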
Again, you can add these lines to the /etc/rc.d/rc.firewall-ipfwadm file, to one of your other rc files if you prefer, or add them by hand every time you need IP Masquerade.
For a more detailed guide and stronger examples of IPCHAINS and IPFWADM rulesets, please see Section 6.4.2 and Section 6.4.3.