

Messages - golfreeze

2131
all application on unix knowledges by golfreeze / Re: set iptables by golfreeze
« on: January 23, 2011, 12:49:26 AM »


#Steps to make a NAT box act as a firewall
1. Create an alias interface on the NAT server first
2. Create a rule for inbound DNAT
3. Create a rule for outbound SNAT

2132
all application on unix knowledges by golfreeze / Re: set iptables by golfreeze
« on: January 23, 2011, 12:48:44 AM »
Syntax and Use of IPTables

A comprehensive documentation of IPTables/NetFilter is available online (see references below) and
additional documentation can be found in the IPTables man pages.

IPTables has the following options to manage whole chains:

-N — Create a new chain.

-X — Delete an empty chain.

-P — Change the policy for a built-in chain.

-L — List the rules in a chain.

-F — Flush the rules out of a chain.

-Z — Zero the packet and byte counters.

The following are ways to manipulate rules inside the chain:

-A — Append a new rule.

-I — Insert a new rule.

-R — Replace a rule.

-D — Delete a rule.

A simple script with comments written by Oskar Andreasson of BoingWorld.com is shown in Listing 1.
The script shows the implementation of some simple IP forwarding, masquerading (NAT), spoofing checks
of non-routable addresses (RFC 1918), and the opening of some ports to allow access. If you are
familiar with ipchains, you will probably have little difficulty in following most of the rules.

The command:

iptables -P <chain name> <policy>

sets the default policy for the chain, either ACCEPT or DROP (DENY). Only built-in chains (INPUT,
OUTPUT, and FORWARD) have policies. Packet-mangling activities that modify the packets in transit
(such as NAT and proxying) use two additional predefined chains, PREROUTING (usually for DNAT), and
POSTROUTING (usually for SNAT). The names are descriptive enough and convey the fact that DNAT
destination addresses are typically rewritten before other chain rules are applied, and SNAT source
addresses are rewritten after they have traversed the rule chains.

Rules are added to chains using the following syntax:

iptables -A <chain name> <match condition> -j <jump>

The condition is a logical match of, for example, the following:

-s <source IP>

-d <destination IP>

--sport <source port>

--dport <destination port>

-p <protocol tcp, udp, or icmp>

-m <match, e.g., MAC address or TCP state>

-m owner --uid-owner/--gid-owner/--pid-owner/--sid-owner <user/group/process/session id>

The above match conditions are meant to be extensible, and numerous other extensions exist. To learn
more about a match extension, use the -h option. For example, for the ICMP protocol (-p), type:

# /sbin/iptables -p icmp -h

and a list of the three dozen or so --icmp-type extensions will be displayed.

The jump (or “judgement”) following the -j is one of the following:

ACCEPT — Accept the packet.

DROP — Drop the packet.

REJECT — Drop the packet and respond with “port-unreachable” ICMP packet.

NAT — Rewrite the packet's source or destination address.

LOG — Log to the kernel logging daemon klogd.

TOS — Impose a type/level of service.

Example Applications of Some Rules

Here are some example rulesets for the features described in the “Enhancements” section:

1. Stateful Inspection — The rule:

/sbin/iptables -A FORWARD -m state --state \
ESTABLISHED,RELATED -j ACCEPT

forwards packets across the firewall that are part of a pre-existing connection. Besides ESTABLISHED
(packet is part of an existing connection) and RELATED (packet is related to an existing connection
and passing in the same direction), other defined states are NEW (packet is trying to create a new
connection), INVALID (packet doesn't match any existing connection), and RELATED+REPLY (packet is
not part of an existing connection, but is related to one, e.g., an ftp-data transfer requested
following an existing ftp-control session).

2. DNAT — To redirect traffic from the 10.0.0.0 network to the Web server 10.0.1.1 to the Web server
10.0.1.100, use the rule:

# /sbin/iptables -t nat -A PREROUTING -s 10.0.0.0/24 -d \
10.0.1.1 -p tcp --dport 80 -j DNAT --to 10.0.1.100

You can implement a load-balancing solution and redirect all incoming traffic to port 8080 on a
group of servers IP 10.0.1.100-10.0.1.102:

# /sbin/iptables -t nat -A PREROUTING -p tcp -s 10.0.0.0/24 \
-d 10.0.1.1 --dport 80 -j DNAT --to 10.0.1.100-10.0.1.102:8080

3. Enhanced TCP monitoring — To check all six TCP flags and check that the SYN and ACK flags are
set:

# /sbin/iptables -A INPUT -p tcp --tcp-flags ALL SYN,ACK -j DROP

To deny outgoing connections to insecure telnet, FTP, and rsh services using a single command:

# /sbin/iptables -A OUTPUT -p tcp -m multiport --dports telnet,ftp,shell -j DROP

Note that in ipchains, each port would have required its own separate rule.

4. Filtering by MAC address — The rule:

# /sbin/iptables -A FORWARD -m state --state \
NEW -m mac --mac-source 00:C7:8F:72:14 -j ACCEPT

allows only outgoing packets from a known MAC address, given in colon-separated hex notation.

5. Enhanced logging:

# /sbin/iptables -A INPUT -s 192.168.0.1 -m limit --limit \
1/second -j LOG

limits the rate of writes to the logs to one per second. Specific matches can be labeled. For
example, log entries corresponding to connect requests from the Litigation Department’s Cisco 1601
router can be labeled:

# /sbin/iptables -A INPUT -s 192.168.5.254 \
-j LOG --log-prefix ' ## Litigation Dept Cisco 1601 ## '

The logfile entry looks like:

Aug 1 14:58:39 mymachine kernel: ## Litigation Dept Cisco 1601 \
## IN=eth0 OUT= MAC=00:f0:28:2c:69:67:00:00:7a:93:5e:62:08:00 \
SRC=192.168.5.254 DST=192.168.1.254 LEN=40 TOS=0x00 PREC=0x00 \
TTL=247 ID=21864 DF PROTO=TCP SPT=42300 DPT=23 WINDOW=8760 RES=0x00 RST URGP=0

6. Rate-Limited matching — To protect from syn-flood denial of service, only accept a maximum of 1
per second:

# /sbin/iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT

7. Type of Service (TOS) prioritization — To maximize ssh response while maintaining maximum file
data transfer over HTTP connections, the following rule can be applied:

# /sbin/iptables -A PREROUTING -t mangle -p tcp --sport ssh \
-j TOS --set-tos Minimize-Delay

# /sbin/iptables -A PREROUTING -t mangle -p tcp --sport http \
-j TOS --set-tos Maximize-Throughput

Conclusion

This article explains some new firewalling features of IPTables that administrators of
ipchains-based Linux firewalls may find useful. My aim was also to provide a starting point for
administrators who are familiar with ipchains based-firewalling and are considering a move to
IPTables/NetFilter. Much of the hoopla surrounding the Linux 2.4 kernel has revolved around IPTables
support for stateful packet inspection. However, I hope that this article has shown that there is
more to IPTables than merely stateful inspection. IPTables also can provide firewalling scripts that
are cleaner and easier to read, and easier to maintain. It seems that with its many powerful new
features, Open Source Linux firewalling has finally come of age.
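The kernel log format shown under "Enhanced logging" above is what a defender actually has to read back, usually in bulk. The following is an added example, not part of the article or of golfreeze's post: a POSIX shell/awk parser that pulls the --log-prefix text and the SRC/DST/PROTO/SPT/DPT fields and TCP flags out of iptables LOG lines, skips unrelated kernel and syslog lines, and ranks source addresses by hit count. The field names are the real LOG target output; the lines in SAMPLE_LOG are constructed for this example (the first is the article's own entry, the rest are made up).

```sh
#!/bin/sh
# Added example (not from the article or the forum post): parse iptables LOG
# target output from a kernel log and summarise it. The SRC=/DST=/PROTO=/SPT=/
# DPT= field names are the real LOG format; SAMPLE_LOG is constructed for this
# example (its first line is the article's own entry, the rest are made up).

SAMPLE_LOG='Aug 1 14:58:39 mymachine kernel: ## Litigation Dept Cisco 1601 ## IN=eth0 OUT= MAC=00:f0:28:2c:69:67:00:00:7a:93:5e:62:08:00 SRC=192.168.5.254 DST=192.168.1.254 LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=21864 DF PROTO=TCP SPT=42300 DPT=23 WINDOW=8760 RES=0x00 RST URGP=0
Aug 1 14:58:41 mymachine kernel: Firewalled packet: Sub7 IN=eth0 OUT= MAC=00:f0:28:2c:69:67:00:00:7a:93:5e:62:08:00 SRC=10.9.8.7 DST=192.168.1.254 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1 DF PROTO=TCP SPT=40001 DPT=6711 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 1 14:58:42 mymachine kernel: Firewalled packet: Sub7 IN=eth0 OUT= MAC=00:f0:28:2c:69:67:00:00:7a:93:5e:62:08:00 SRC=10.9.8.7 DST=192.168.1.254 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=2 DF PROTO=TCP SPT=40002 DPT=6712 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 1 14:58:45 mymachine kernel: Firewalled packet: IN=eth0 OUT= MAC=00:f0:28:2c:69:67:00:00:7a:93:5e:62:08:00 SRC=10.9.8.7 DST=192.168.1.254 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=3 PROTO=UDP SPT=40003 DPT=33434 LEN=20
Aug 1 14:58:46 mymachine sshd[1234]: Accepted publickey for golf from 192.168.1.5 port 51000 ssh2'

# fw_log_parse : stdin -> one "prefix|src|dst|proto|spt|dpt|flags" line per LOG entry;
# lines that are not iptables LOG output (no "kernel:" or no "IN=") are skipped
fw_log_parse() {
    awk '
    / kernel: / && / IN=/ {
        rest = substr($0, index($0, "kernel: ") + 8)      # text after "kernel: "
        prefix = substr(rest, 1, index(rest, "IN=") - 1)  # the --log-prefix text, if any
        sub(/[ \t]+$/, "", prefix)
        if (prefix == "") prefix = "-"
        src = dst = proto = spt = dpt = "-"; flags = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)        src = substr($i, 5)
            else if ($i ~ /^DST=/)   dst = substr($i, 5)
            else if ($i ~ /^PROTO=/) proto = substr($i, 7)
            else if ($i ~ /^SPT=/)   spt = substr($i, 5)
            else if ($i ~ /^DPT=/)   dpt = substr($i, 5)
            else if ($i ~ /^(SYN|ACK|FIN|RST|PSH|URG)$/) flags = flags $i ","
        }
        sub(/,$/, "", flags)
        if (flags == "") flags = "-"
        printf "%s|%s|%s|%s|%s|%s|%s\n", prefix, src, dst, proto, spt, dpt, flags
    }'
}

# fw_log_top_sources : stdin -> "count src" lines, busiest source first
fw_log_top_sources() {
    fw_log_parse | awk -F'|' '{ c[$2]++ } END { for (s in c) printf "%d %s\n", c[s], s }' | sort -rn
}

# fw_log_by_prefix PREFIX : stdin -> number of entries carrying exactly that log prefix
fw_log_by_prefix() {
    fw_log_parse | awk -F'|' -v p="$1" '$1 == p { n++ } END { print n + 0 }'
}

# Demo on the constructed sample (on a live box: fw_log_top_sources < /var/log/kern.log)
printf '%s\n' "$SAMPLE_LOG" | fw_log_top_sources
printf '%s\n' "$SAMPLE_LOG" | fw_log_by_prefix "Firewalled packet: Sub7"
```

The prefix is taken as everything between "kernel: " and the first "IN=", so a prefix containing spaces or "##" markers (as in the article's rule) survives intact, and a rule logged without --log-prefix is reported as "-". Because the LOG target emits one line per matching packet, feeding the parser through fw_log_top_sources is the quickest way to see which source is behind a burst of rate-limited log entries.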

2133
all application on unix knowledges by golfreeze / Re: set iptables by golfreeze
« on: January 23, 2011, 12:48:38 AM »
#good document
http://www.gophernet.org/articles/iptables/

#running a secure stack in *nix
http://www.cromwell-intl.com/security/security-stack-hardening.html

We can check whether packets are hitting the NAT rules we created with

watch -n 2 "iptables -L -t nat -v -nx"

2134
About the script: The script below is used to build an effective and strong firewall for gateway
machines. The script is commented to make it self-explanatory. It is written entirely with
iptables.

#!/bin/bash
# iptables, by SysAdmin,
# description: Script for setting IPTABLES rules for Gateway
# processname: iptables

The options below let us adjust the script parameters in one place. If a situation arises where we
want to swap eth0 and eth1 for some reason, we can adjust that in the options below rather than
editing the whole script by hand. I am using my own network configuration here, so modify it
according to your requirements.

INTERNALIF="eth1" # Internal Ethernet card identifier
INTERNALNET="192.168.1.0/24" # Internal network address range
INTERNALBCAST="192.168.1.255" # Internal Broadcast address
EXTERNALIF="eth0" # External Ethernet card identifier

# Pathnames
DMESG="/bin/dmesg" # Location of Dmesg
IPTABLES="/sbin/iptables" # Location of Iptables

The section below is used to control the script with "start", "stop" or "restart", just like
controlling services on a Linux machine. The script has to be called as in the example below:

# sh /firewall.sh start

if [ "$1" = "" ] # exit if no argument is present
then
echo "Usage: sh /fire.sh (start|stop|restart)"
exit
else
case "$1" in
stop)
echo "Shutting down firewall:"
$IPTABLES -F
$IPTABLES -P FORWARD DROP
exit 0
;;
status)
echo "The status command is not supported for iptables"
exit 0
;;
restart|reload)
$0 stop
exec $0 start
;;
start)
echo "Starting Firewall:"
;;
*)
echo "Usage: firewall (start|stop|restart)"
exit 1
esac
fi

To avoid any conflicts that may arise when the firewall is applied, it is better to flush every rule
currently present in the chains and then start over.

$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD

Below are some sysctl tweaks that help against many kinds of attacks. They are pretty simple yet
effective.

Disabling IP Spoofing attacks:

IP spoofing is one of the most common forms of on-line camouflage. In IP spoofing, an attacker gains
unauthorized access to a computer or a network by making it appear that a malicious message has come
from a trusted machine by "spoofing" the IP address of that machine.

echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter

The below change will stop the Gateway from responding to broadcast pings.

echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

Block Source Routing:

Source routing allows the sender of the packet to specify the route that a packet must take in
traveling to the destination. If the selected route is not available for any reason, the packet
would not be delivered. If the recipient replied to the packets, the response would follow the same
route. It can be used to discover the IP addresses of routers within a network. However, it also has
the potential for misuse. A malicious user could use source routing to learn more about a network
that he or she is targeting for attack. Data packets contain information about where they have been
and what machines they have transited. A malicious user might send data into a network in order to
collect information about the network's topology. It's better to block source routing at the
gateway itself.

echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

Kill timestamps.

echo 0 > /proc/sys/net/ipv4/tcp_timestamps

Trying to prevent SYN flood attacks:

A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN
requests to a target's system. One of most important steps is to enable the operating system's
built-in protection mechanisms like SYN cookies. In Linux, we can set the SYN Cookies in the
following manner.

echo 1 > /proc/sys/net/ipv4/tcp_syncookies

Disable all redirection requests in Gateway machine:

echo 0 >/proc/sys/net/ipv4/conf/all/accept_redirects

The below command enables bad error message protection

echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

#Allow dynamic ip addresses

echo "1" > /proc/sys/net/ipv4/ip_dynaddr

It's recommended to log packets with impossible addresses. This is done by giving a positive value
to the following sysctl parameter.

echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

Set a local port range:

By default, the local port range is 32768 to 61000 on all 2.6 kernel based systems. It's
explicitly set in the firewall script because if we need to increase it further, we can adjust the
port range through the firewall script itself.

echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range

Denial of Service (DoS) attacks: Denial of Service attack is an attempt by a malicious (or
unwitting) user, process, or system to prevent legitimate users from accessing a resource (usually a
network service) by exploiting a weakness or design limitation in an information system. Examples of
DoS attacks include flooding network connections, filling disk storage, disabling ports, or removing
power. This can be limited by setting timeouts.

echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 1 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack
echo 1280 > /proc/sys/net/ipv4/tcp_max_syn_backlog

Basic Rules of a typical Firewall:

Kill INVALID packets with illegal combination flags.

$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A FORWARD -m state --state INVALID -j DROP

No restrictions to connections from localhost

$IPTABLES -A INPUT -i lo -j ACCEPT

Reject connections from Outside world to Internal loop back device.

$IPTABLES -A INPUT -d 127.0.0.0/8 -j REJECT

No restrictions for traffic generating from legit internal addresses

$IPTABLES -A INPUT -i $INTERNALIF -s $INTERNALNET -j ACCEPT

In case we have to use IPv6 addresses in your environment, uncomment the line below:

#$IPTABLES -A INPUT -p ipv6 -j ACCEPT

Kill all packets from Outside world claiming to be packets generated from Internal network.

$IPTABLES -A INPUT -i $EXTERNALIF -s $INTERNALNET -j REJECT

Block ICMP requests.

$IPTABLES -A FORWARD -p icmp --icmp-type echo-request -o $INTERNALIF -j REJECT

Prevent Ping flood attacks:

$IPTABLES -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j DROP

Deny pings to local broadcast address:

$IPTABLES -A INPUT -p icmp -d $INTERNALBCAST -j DROP

#Allow all other icmp

$IPTABLES -A INPUT -p icmp -j ACCEPT

No restrictions to established connections:

$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Don't forward SMB related traffic. Samba services are among the most common targets of hackers.

$IPTABLES -A FORWARD -o $EXTERNALIF -p tcp --dport 137 -j REJECT
$IPTABLES -A FORWARD -o $EXTERNALIF -p tcp --dport 138 -j REJECT
$IPTABLES -A FORWARD -o $EXTERNALIF -p tcp --dport 139 -j REJECT
$IPTABLES -A FORWARD -o $EXTERNALIF -p udp --dport 137 -j REJECT
$IPTABLES -A FORWARD -o $EXTERNALIF -p udp --dport 138 -j REJECT
$IPTABLES -A FORWARD -o $EXTERNALIF -p udp --dport 139 -j REJECT
$IPTABLES -A INPUT -i $EXTERNALIF -p udp --dport 137 -j REJECT

#Disable Samba Share

#$IPTABLES -A INPUT -p tcp --dport 137 -j ACCEPT
#$IPTABLES -A INPUT -p udp --dport 137 -j ACCEPT
#$IPTABLES -A INPUT -p tcp --dport 138 -j ACCEPT
#$IPTABLES -A INPUT -p udp --dport 138 -j ACCEPT
#$IPTABLES -A INPUT -p tcp --dport 139 -j ACCEPT
#$IPTABLES -A INPUT -p udp --dport 139 -j ACCEPT

Allow all other connections to be forwarded

$IPTABLES -A FORWARD -o $EXTERNALIF -i $INTERNALIF -j ACCEPT

Allow replies from established connections :

$IPTABLES -A FORWARD -i $EXTERNALIF -m state --state ESTABLISHED,RELATED -j ACCEPT

#Allow yourself to be a DHCP server for your inside network
#Necessary because the default rule allowing valid addresses ignores broadcast

$IPTABLES -A INPUT -i $INTERNALIF -p tcp --sport 68 --dport 67 -j ACCEPT
$IPTABLES -A INPUT -i $INTERNALIF -p udp --sport 68 --dport 67 -j ACCEPT

#This section is to allow nameserver packets.

cat /etc/resolv.conf | \
awk '/^nameserver/ {print $2}' | \
xargs -n1 $IPTABLES -A INPUT -p udp --sport 53 -j ACCEPT -s

#From here on, we are dealing with connection attempts. These services are not needed for our
#gateway, but just in case we happen to have them up and running, uncomment and restart the
#firewall script.

# ftp-data
#$IPTABLES -A INPUT -p tcp --dport 20 -j ACCEPT

# ftp
#$IPTABLES -A INPUT -p tcp --dport 21 -j ACCEPT
# ssh

#$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
#telnet

#$IPTABLES -A INPUT -p tcp --dport 23 -j ACCEPT

# smtp: one per second limit, burst rate of ten
#$IPTABLES -A INPUT -p tcp --dport 25 --syn -m limit --limit 1/s \
# --limit-burst 10 -j ACCEPT
#$IPTABLES -A INPUT -p tcp --dport 25 --syn -j DROP
#$IPTABLES -A INPUT -p tcp --dport 25 -j ACCEPT

# DNS
#$IPTABLES -A INPUT -p tcp --dport 53 -j ACCEPT
#$IPTABLES -A INPUT -p udp --dport 53 -j ACCEPT

# http
$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT

# POP-3
#$IPTABLES -A INPUT -p tcp --dport 110 -j ACCEPT

# identd
#$IPTABLES -A INPUT -p tcp --dport 113 -j ACCEPT

# https
#$IPTABLES -A INPUT -p tcp --dport 443 -j ACCEPT

#VNC Server
#$IPTABLES -A INPUT -p tcp --dport 5801 -j ACCEPT
#$IPTABLES -A INPUT -p tcp --dport 5901 -j ACCEPT
#$IPTABLES -A INPUT -p tcp --dport 6001 -j ACCEPT

##Some ports should be denied and logged.

$IPTABLES -A INPUT -p tcp --dport 1433 -m limit -j LOG --log-prefix "Firewalled packet: MSSQL "
$IPTABLES -A INPUT -p tcp --dport 1433 -j DROP
$IPTABLES -A INPUT -p tcp --dport 6670 -m limit -j LOG --log-prefix "Firewalled packet: Deepthrt "
$IPTABLES -A INPUT -p tcp --dport 6670 -j DROP
$IPTABLES -A INPUT -p tcp --dport 6711 -m limit -j LOG --log-prefix "Firewalled packet: Sub7 "
$IPTABLES -A INPUT -p tcp --dport 6711 -j DROP
$IPTABLES -A INPUT -p tcp --dport 6712 -m limit -j LOG --log-prefix "Firewalled packet: Sub7 "
$IPTABLES -A INPUT -p tcp --dport 6712 -j DROP
$IPTABLES -A INPUT -p tcp --dport 6713 -m limit -j LOG --log-prefix "Firewalled packet: Sub7 "
$IPTABLES -A INPUT -p tcp --dport 6713 -j DROP
$IPTABLES -A INPUT -p tcp --dport 12345 -m limit -j LOG --log-prefix "Firewalled packet: Netbus "
$IPTABLES -A INPUT -p tcp --dport 12345 -j DROP
$IPTABLES -A INPUT -p tcp --dport 12346 -m limit -j LOG --log-prefix "Firewalled packet: Netbus "
$IPTABLES -A INPUT -p tcp --dport 12346 -j DROP
$IPTABLES -A INPUT -p tcp --dport 20034 -m limit -j LOG --log-prefix "Firewalled packet: Netbus "
$IPTABLES -A INPUT -p tcp --dport 20034 -j DROP
$IPTABLES -A INPUT -p tcp --dport 31337 -m limit -j LOG --log-prefix "Firewalled packet: BO "
$IPTABLES -A INPUT -p tcp --dport 31337 -j DROP
$IPTABLES -A INPUT -p tcp --dport 6000 -m limit -j LOG --log-prefix "Firewalled packet: XWin "
$IPTABLES -A INPUT -p tcp --dport 6000 -j DROP

#Traceroutes depend on finding a rejected port. DROP the ones it uses

$IPTABLES -A INPUT -p udp --dport 33434:33523 -j DROP

#Don't log web or ssl because people surfing for long times lose connection tracking and cause
#the system to create a new one, flooding logs.

$IPTABLES -A INPUT -p tcp --dport 80 -j REJECT
$IPTABLES -A INPUT -p tcp --dport 443 -j REJECT

The rules below take effect if nothing above matched. A log of all connections would be "noise"
and would make it hard to find anything relevant in the flooded logs, so the rules below only
log connection requests.

$IPTABLES -A INPUT -p tcp --syn -m limit --limit 5/minute -j LOG --log-prefix "Firewalled packet:"
$IPTABLES -A FORWARD -p tcp --syn -m limit --limit 5/minute -j LOG --log-prefix "Firewalled packet:"

#Reject

$IPTABLES -A INPUT -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A INPUT -p all -j DROP

$IPTABLES -A FORWARD -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A FORWARD -p all -j DROP

#Accept it anyway if it's only output
$IPTABLES -A OUTPUT -j ACCEPT

# EXPLICITLY BLOCKING SERVICE PORTS FOR GATEWAY FROM OUTSIDE WORLD

/sbin/iptables -A INPUT -j DROP -i eth0 -p tcp --dport 21 # ftp
/sbin/iptables -A INPUT -j DROP -i eth0 -p tcp --dport 22 # ssh
/sbin/iptables -A INPUT -j DROP -i eth0 -p tcp --dport 23 # telnet
/sbin/iptables -A INPUT -j DROP -i eth0 -p tcp --dport 25 # smtp
/sbin/iptables -A INPUT -j DROP -i eth0 -p tcp --dport 53 # domain
/sbin/iptables -A INPUT -j DROP -i eth0 -p tcp --dport 79 # finger
/sbin/iptables -A INPUT -j DROP -i eth0 -p tcp --dport 80 # httpd
/sbin/iptables -A INPUT -j DROP -i eth0 -p tcp --dport 110 # pop3
/sbin/iptables -A INPUT -j DROP -i eth0 -p tcp --dport 111 # sunrpc
/sbin/iptables -A INPUT -j DROP -i eth0 -p tcp --dport 137 # netbios-ns
/sbin/iptables -A INPUT -j DROP -i eth0 -p tcp --dport 138 # netbios-dgm
/sbin/iptables -A INPUT -j DROP -i eth0 -p tcp --dport 139 # netbios
/sbin/iptables -A INPUT -j DROP -i eth0 -p tcp --dport 143 # imap
/sbin/iptables -A INPUT -j DROP -i eth0 -p tcp --dport 161 # snmp
/sbin/iptables -A INPUT -j DROP -i eth0 -p tcp --dport 162 # snmp trap
/sbin/iptables -A INPUT -j DROP -i eth0 -p tcp --dport 443 # https
/sbin/iptables -A INPUT -j DROP -i eth0 -p tcp --dport 515 # printer
/sbin/iptables -A INPUT -j DROP -i eth0 -p tcp --dport 1080 # socks
/sbin/iptables -A INPUT -j DROP -i eth0 -p tcp --dport 2049 # nfs
/sbin/iptables -A INPUT -j DROP -i eth0 -p tcp --dport 3128 # squid
/sbin/iptables -A INPUT -j DROP -i eth0 -p tcp --dport 3306 # mysql
/sbin/iptables -A INPUT -j DROP -i eth0 -p tcp --dport 5432 # postgres

# EXPLICITLY BLOCKING SERVICE PORTS FOR UDP CONNECTIONS

/sbin/iptables -A INPUT -j DROP -i eth0 -p udp --dport 21 # ftp
/sbin/iptables -A INPUT -j DROP -i eth0 -p udp --dport 23 # telnet
/sbin/iptables -A INPUT -j DROP -i eth0 -p udp --dport 25 # smtp
/sbin/iptables -A INPUT -j DROP -i eth0 -p udp --dport 53 # domain
/sbin/iptables -A INPUT -j DROP -i eth0 -p udp --dport 79 # finger
/sbin/iptables -A INPUT -j DROP -i eth0 -p udp --dport 110 # pop3
/sbin/iptables -A INPUT -j DROP -i eth0 -p udp --dport 111 # sunrpc
/sbin/iptables -A INPUT -j DROP -i eth0 -p udp --dport 137 # netbios-ns
/sbin/iptables -A INPUT -j DROP -i eth0 -p udp --dport 138 # netbios-dgm
/sbin/iptables -A INPUT -j DROP -i eth0 -p udp --dport 139 # netbios
/sbin/iptables -A INPUT -j DROP -i eth0 -p udp --dport 143 # imap
/sbin/iptables -A INPUT -j DROP -i eth0 -p udp --dport 161 # snmp
/sbin/iptables -A INPUT -j DROP -i eth0 -p udp --dport 162 # snmp trap
/sbin/iptables -A INPUT -j DROP -i eth0 -p udp --dport 443 # https
/sbin/iptables -A INPUT -j DROP -i eth0 -p udp --dport 515 # printer
/sbin/iptables -A INPUT -j DROP -i eth0 -p udp --dport 1080 # socks
/sbin/iptables -A INPUT -j DROP -i eth0 -p udp --dport 2049 # nfs
/sbin/iptables -A INPUT -j DROP -i eth0 -p udp --dport 3128 # squid
/sbin/iptables -A INPUT -j DROP -i eth0 -p udp --dport 3306 # mysql
/sbin/iptables -A INPUT -j DROP -i eth0 -p udp --dport 5432 # postgres

# this line will prevent people on the internet (or you) from pinging the gateway

/sbin/iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j DROP

exit 0
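The sysctl settings in the script above are applied by echoing into /proc at start time, so nothing reports if they are later reverted by a reboot, a package post-install script or a later sysctl.conf. As an added example, not part of the posted script, the functions below audit a node against the script's own values and report every mismatch or missing key, and can re-apply them. The /proc/sys root is a parameter so the check can be exercised against a constructed directory tree; the keys and values are exactly the ones the script sets (ip_local_port_range is left out because its value contains a space and would not survive the word-splitting loop).

```sh
#!/bin/sh
# Added example (not part of the posted firewall script): audit the sysctl
# hardening values the script sets and report drift. PROC_ROOT defaults to
# /proc/sys and can point at a constructed directory tree for testing.

# key=expected pairs, exactly the values written by the script above
SYSCTL_EXPECTED="
net/ipv4/conf/all/rp_filter=2
net/ipv4/icmp_echo_ignore_broadcasts=1
net/ipv4/conf/all/accept_source_route=0
net/ipv4/tcp_timestamps=0
net/ipv4/tcp_syncookies=1
net/ipv4/conf/all/accept_redirects=0
net/ipv4/icmp_ignore_bogus_error_responses=1
net/ipv4/ip_dynaddr=1
net/ipv4/conf/all/log_martians=1
net/ipv4/tcp_fin_timeout=30
net/ipv4/tcp_keepalive_time=1800
net/ipv4/tcp_window_scaling=1
net/ipv4/tcp_sack=0
net/ipv4/tcp_max_syn_backlog=1280
"

# sysctl_audit [PROC_ROOT] : prints one "MISMATCH key expected=.. actual=.." or
# "MISSING key" line per problem and returns the number of problems (0 = clean)
sysctl_audit() {
    root=${1:-/proc/sys}
    problems=0
    for pair in $SYSCTL_EXPECTED; do
        key=${pair%%=*}
        want=${pair#*=}
        if [ ! -r "$root/$key" ]; then
            echo "MISSING $key"
            problems=$((problems + 1))
            continue
        fi
        have=$(cat "$root/$key")
        if [ "$have" != "$want" ]; then
            echo "MISMATCH $key expected=$want actual=$have"
            problems=$((problems + 1))
        fi
    done
    return $problems
}

# sysctl_apply [PROC_ROOT] : write every expected value (needs root on a live system)
sysctl_apply() {
    root=${1:-/proc/sys}
    for pair in $SYSCTL_EXPECTED; do
        printf '%s\n' "${pair#*=}" > "$root/${pair%%=*}"
    done
}

# Typical use on a gateway: run the audit from cron and alert on a non-zero exit
# sysctl_audit || echo "sysctl hardening has drifted" | logger -t fw-audit
```

Calling sysctl_audit with no argument checks the live kernel; the return value is the problem count, so it can gate a cron job or a monitoring check directly.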

2135
all application on unix knowledges by golfreeze / Re: install ipvs loadbalance in debian
« on: January 23, 2011, 12:47:17 AM »
Set SNAT as well:

#iptables -t nat -A POSTROUTING -j SNAT -o <outgoing interface> -s <source ip> --to <ip to leave as>


### About ipvsadm

http://docs.huihoo.com/hpc-cluster/linux-virtual-server/HOWTO/index.html
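The three steps listed in the "set iptables" post above (alias interface, inbound DNAT, outbound SNAT) and the SNAT one-liner in this post are the same building blocks, and the same SNAT form reappears in the ultramonkey lab further down. The following is an added example, not golfreeze's commands: one function that applies all three steps and a minimal FORWARD policy so that only the published service crosses the box. The interface names, addresses and port are constructed placeholders passed as arguments; DRY_RUN=1 prints the commands instead of executing them, which is how it can be reviewed (and tested) without root.

```sh
#!/bin/sh
# Added example (not golfreeze's commands): the three NAT-as-firewall steps from
# the posts above as one function. Interface names, addresses and port are
# constructed placeholders passed in; DRY_RUN=1 prints the commands instead of
# running them, which is also how the test exercises it without root.

IPTABLES=${IPTABLES:-/sbin/iptables}
IP=${IP:-/sbin/ip}

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# nat_firewall EXT_IF EXT_IP INT_IF INT_NET SERVER_IP PORT
#   EXT_IF   public interface; EXT_IP the alias address added to it (step 1)
#   INT_IF   internal interface; INT_NET the internal network (e.g. 192.168.1.0/24)
#   SERVER_IP:PORT  internal host that EXT_IP:PORT is forwarded to (step 2)
nat_firewall() {
    ext_if=$1; ext_ip=$2; int_if=$3; int_net=$4; server_ip=$5; port=$6

    # Step 1: alias interface on the NAT box (shows up as EXT_IF:1 in ifconfig)
    run "$IP" addr add "$ext_ip/32" dev "$ext_if" label "$ext_if:1"

    # Step 2: inbound DNAT, rewritten before the routing decision (PREROUTING)
    run "$IPTABLES" -t nat -A PREROUTING -i "$ext_if" -d "$ext_ip" -p tcp --dport "$port" \
        -j DNAT --to-destination "$server_ip:$port"

    # Only the forwarded service may come in, the inside may go out, replies are
    # tracked; everything else that would cross the box hits the DROP policy
    run "$IPTABLES" -A FORWARD -i "$ext_if" -o "$int_if" -d "$server_ip" -p tcp --dport "$port" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    run "$IPTABLES" -A FORWARD -i "$int_if" -o "$ext_if" -s "$int_net" -j ACCEPT
    run "$IPTABLES" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run "$IPTABLES" -P FORWARD DROP

    # Step 3: outbound SNAT, rewritten after routing (POSTROUTING), so internal
    # hosts leave with the alias address instead of their private one
    run "$IPTABLES" -t nat -A POSTROUTING -o "$ext_if" -s "$int_net" -j SNAT --to-source "$ext_ip"

    # Nothing is forwarded at all until the kernel is told to route
    run sysctl -w net.ipv4.ip_forward=1
}

# Example invocation with constructed addresses; without DRY_RUN=1 this needs root:
# DRY_RUN=1 nat_firewall eth0 203.0.113.10 eth1 192.168.1.0/24 192.168.1.10 80
```

DNAT goes in PREROUTING and SNAT in POSTROUTING for the reason the quoted article gives: the destination must be rewritten before the routing decision picks the internal interface, and the source after it, once the outgoing interface is known. The FORWARD rules are what make the NAT box a firewall rather than just a translator; without the DROP policy every other packet routed through it would pass.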

2136
all application on unix knowledges by golfreeze / Re: install ipvs loadbalance in debian
« on: January 23, 2011, 12:46:47 AM »
Check packets passing through the firewall from the command line
#watch -n 1 "iptables -t nat -L -xv"
Check the load coming into the load balancer and look at the connections
#watch -n 1 "ipvsadm -L -n --stats"

2137
all application on unix knowledges by golfreeze / Re: install ipvs loadbalance in debian
« on: January 23, 2011, 12:46:36 AM »
If you are using Debian 4.0 R1 64-bit, set

deb http://ftp.thaios.net/debian/etch main
deb-src http://ftp.thaios.net/debian/etch main

For the kernel that is the "lenny" version,
point to
deb http://ftp.de.debian.org/debian lenny main
deb-src http://ftp.de.debian.org/debian lenny main

2139
all application on unix knowledges by golfreeze / Re: install ipvs loadbalance in debian
« on: January 23, 2011, 12:46:02 AM »


The network I built is as shown in this picture.

2140
all application on unix knowledges by golfreeze / Re: install ipvs loadbalance in debian
« on: January 23, 2011, 12:45:28 AM »
If, after setting it up, you get an error and cannot start the service when you run
/etc/init.d/heartbeat stop
/etc/init.d/heartbeat start
Ldirectord is stopped for /etc/ha.d/ldirectord.cf
and it ends in heartbeat failure [rc=xxx] failed,

go and check the config files, because the ethX name may be set wrongly in
ldirectord.cf or ha.cf.
Then start it again and it should work.

2141
all application on unix knowledges by golfreeze / Re: install ipvs loadbalance in debian
« on: January 23, 2011, 12:45:10 AM »
Another command for checking the IP address of the virtual IP is
#ip addr sh

which shows the following:

2: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:11:25:f1:ef:7d brd ff:ff:ff:ff:ff:ff
inet 10.0.1.149/23 brd 10.0.1.255 scope global eth0
inet 10.0.1.152/23 brd 10.0.1.255 scope global secondary eth0
inet6 2001:d90:10:101:211:25ff:fef1:ef7d/64 scope global dynamic
valid_lft 2591980sec preferred_lft 604780sec
inet6 fe80::211:25ff:fef1:ef7d/64 scope link
valid_lft forever preferred_lft forever
3: eth2: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:80:48:13:56:1c brd ff:ff:ff:ff:ff:ff
inet 172.16.0.2/29 brd 172.16.0.7 scope global eth2
inet6 fe80::280:48ff:fe13:561c/64 scope link
valid_lft forever preferred_lft forever

2142
all application on unix knowledges by golfreeze / Re: install ipvs loadbalance in debian
« on: January 23, 2011, 12:44:57 AM »
For ipvsadm version 1.2.1, if you want to load-balance the POP3 and IMAP protocols,
you also need to install an extra patch module.

Mine is Debian 4.0 R1, so search for the package with

#apt-cache search ldirectord
If it is there, install it with
#apt-get install ldirectord2
which pulls in the libmail-pop3client-perl module,
which makes it possible to load-balance POP and IMAP applications.

When done, restart the ipvs service once with

#/etc/init.d/heartbeat restart

Then try ipvsadm -l; the load will be balanced to the POP clients.

golfreeze[at]packetlove.com

2143
#ipvs + Heartbeat + Debian 4.0 R1 (NAT mode): static NAT must also be set up on the load balancer

LB1 = install Debian 4.0 R1
LB2 = install Debian 4.0 R1

##Add this in /etc/apt/sources.list
deb http://www.ultramonkey.org/download/3/sarge main
deb-src http://www.ultramonkey.org/download/3/sarge main
deb http://ftp.coe.psu.ac.th/debian stable main
deb-src http://ftp.coe.psu.ac.th/debian stable main

#apt-get update
#apt-get install ultramonkey

Normally when doing HA there are 3 main config files:
#/etc/ha.d/ha.cf , haresources , authkeys
The ipvs part reads its config from /etc/ha.d/ldirectord.cf

#The diagram is roughly like this




####LB1

#vi /etc/ha.d/ldirectord.conf
# Global Directives
checktimeout=10
checkinterval=2
#fallback=127.0.0.1:80
autoreload=no
logfile="/var/log/ldirectord.log" # ldirectord log file
logfile="local0"
quiescent=yes

# Virtual Server for HTTP
virtual=10.0.1.152:80
real=192.168.0.4:80 masq 2
real=192.168.0.5:80 masq 1
service=http
request="test.html"
receive="Test Page"
scheduler=wrr
#persistent=600
protocol=tcp
checktype=negotiate


#vi haresources

lb1 ldirectord::ldirectord.cf
lb1 LVSSyncDaemonSwap::master
lb1 IPaddr2::10.x.x.152/23/eth0
lb1 IPaddr2::192.z.x.254/24/eth1
-----------------------------------------------------

---------------------------------------
lb1:/etc/ha.d# more authkeys
auth3
#1 crc
3 sha1 ultramonkey


lb1:/etc/ha.d# more ha.cf
debugfile /var/log/ha-debug
logfile /var/log/ha-log
logfacility local0
bcast eth1 # Linux
mcast eth1 225.0.0.1 694 1 0
auto_failback on
node lb1
node lb2
respawn hacluster /usr/lib/heartbeat/ipfail
apiauth ipfail gid=haclient uid=hacluster


--------------------------------------------------


####LB2
#vi /etc/ha.d/ldirectord.conf
# Global Directives
checktimeout=10
checkinterval=2
#fallback=127.0.0.1:80
autoreload=no
logfile="/var/log/ldirectord.log"
logfile="local0"
quiescent=yes

# Virtual Server for HTTP
virtual=10.0.1.152:80
real=192.168.0.4:80 masq 2
real=192.168.0.5:80 masq 1
service=http
request="test.html"
receive="Test Page"
scheduler=rr
#persistent=600
protocol=tcp
checktype=negotiate


haresources is what creates the VIP for us; there is not much to it, but it must be identical on
both the master (lb1) and the slave (lb2),
because
#vi haresources

lb1 ldirectord::ldirectord.cf
lb1 LVSSyncDaemonSwap::master
lb1 IPaddr2::10.x.x.152/23/eth0
lb1 IPaddr2::192.z.x.254/24/eth1

-----------------------------------------------------

Lb2:/etc/ha.d# more authkeys
auth3
#1 crc
3 sha1 ultramonkey


Lb2:/etc/ha.d# more ha.cf
debugfile /var/log/ha-debug
logfile /var/log/ha-log
logfacility local0
bcast eth1 # Linux
mcast eth1 225.0.0.1 694 1 0
auto_failback on
node lb1
node lb2
respawn hacluster /usr/lib/heartbeat/ipfail
apiauth ipfail gid=haclient uid=hacluster





##Set static nat in loadbalance1 and loadbalance2

#vi /etc/rc.local
iptables -t nat -F
iptables -t nat -A POSTROUTING -j SNAT -o eth1 -s 192.168.0.4 --to 10.x.x.x
iptables -t nat -A POSTROUTING -j SNAT -o eth1 -s 192.168.0.5 --to 10.x.x.x

To make it read rc.local:
#/etc/rc.local

#Once that is done, set up the routes. This is where I got stuck: with the help of tcpdump I could
see that packets were not being sent from the RIP machines (192.168.0.4 and .5) to the load balancer.
This part matters a lot: you need to understand the network routing table well enough first.
#netstat -nr
lb1:/home/golf# netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2
10.0.0.0 0.0.0.0 255.255.254.0 U 0 0 0 eth1
0.0.0.0 10.x.x.x 0.0.0.0 UG 0 0 0 eth1
0.0.0.0 192.168.0.254 0.0.0.0 UG 0 0 0 eth2

***#route add -net 0.0.0.0/0 gw 10.0.0.254 dev eth1
***#route add -net 0.0.0.0/0 gw 192.168.0.254 dev eth2
***#route add -net 192.168.0.0 netmask 255.255.255.0 dev eth2


Then set the load balancer to forward packets to the RIP machines
#sysctl -a | grep forward
#vi /etc/sysctl.conf
Add
net.ipv4.ip_forward = 1
then make it show the values
#sysctl -p

As for the web1 / web2 machines,
install them as
#web1 os linux(debian4)
#ip 192.168.0.4
Nothing much on the internal side: install the apps we need, tune them, then open the service
for use and that is it.

#set ip
#vi /etc/network/interfaces
allow-hotplug eth0
iface eth0 inet static
address 192.168.0.4
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
gateway 192.168.0.254


#web2 os Freebsd(6.2)
#ip 192.168.0.5

#vi /etc/rc.conf
ifconfig_dc0="inet 192.168.0.5 netmask 255.255.255.0"

Restart the network once
#/etc/rc.d/netif restart

Now try telnet to the VIP we set up,
like this
#telnet x.x.x.x 80
Try a GET; if you get "Test Page" back, it works.


The command to check whether packets are coming into the machine through NAT:
#watch -n 1 "iptables -L -n -t nat -xv"

This command is for tracking down problems; write the output to xx.txt and go through it later
#tcpdump -n -i any port 80 > xx.txt

To watch the load balancer working in real time,
#watch -n 1 "ipvsadm -L -n --stats"
does it.

----------------------------------------------------------------------------------------------------


---
For workloads that must take a large number of connections, load balancing can help solve the
problem and improve performance. But sometimes the software side still has some points that are
not quite stable enough, or config areas the developers are still implementing,
so it will not perform quite like real hardware. Hardware load balancers
are fairly standardised, so for organisations that need performance I recommend hardware (F5);
it is expensive but worth it.

Lab By
http://www.packetlove.com
golfreeze@packetlove.com
Thanks to P'Att at http://www.siambox.com for the advice on routing and the other tips, hehe
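The two things the lab above and the earlier "heartbeat failure" post say to check by hand are that every ethX named in ha.cf and haresources really exists on the node, and that haresources is identical on lb1 and lb2. As an added example, not part of golfreeze's lab, the functions below do both checks from the config files: they pull interface names out of bcast/mcast/ucast lines and IPaddr2::addr/prefix/iface resources, compare them with a supplied list of the node's interfaces, and compare the two haresources copies ignoring blank and comment lines. The config snippets in the test are constructed; on a live node the interface list would come from ls /sys/class/net.

```sh
#!/bin/sh
# Added example (not part of golfreeze's lab): the checks the posts above do by
# hand when heartbeat fails to start. Config files and interface lists are passed
# in; the snippets used in the test are constructed.

# ha_config_ifaces HA_CF HARESOURCES : list every interface name the configs refer to
ha_config_ifaces() {
    # bcast/mcast/ucast lines: the interface is the first argument
    awk '$1 ~ /^(bcast|mcast|ucast)$/ { print $2 }' "$1"
    # IPaddr2::addr/prefix/iface resources: the interface is the third "/" field
    awk '{ for (i = 2; i <= NF; i++) if ($i ~ /^IPaddr2::/) { n = split($i, f, "/"); if (n >= 3) print f[3] } }' "$2"
}

# ha_check_ifaces HA_CF HARESOURCES "iface1 iface2 ..." : prints each interface the
# configs name that is not in the list; returns the count (0 = all present).
# On a live node pass "$(ls /sys/class/net)" as the third argument.
ha_check_ifaces() {
    known=" $3 "
    bad=0
    for ifc in $(ha_config_ifaces "$1" "$2" | sort -u); do
        case "$known" in
            *" $ifc "*) ;;
            *) echo "UNKNOWN-IFACE $ifc"; bad=$((bad + 1)) ;;
        esac
    done
    return $bad
}

# ha_check_same FILE_LB1 FILE_LB2 : 0 if the two haresources copies are identical
# once blank lines and comments are ignored, 1 otherwise
ha_check_same() {
    a=$(grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' || true)
    b=$(grep -v '^[[:space:]]*#' "$2" | grep -v '^[[:space:]]*$' || true)
    [ "$a" = "$b" ]
}

# Typical use on lb1 (lb2's copy fetched beforehand, e.g. with scp):
# ha_check_ifaces /etc/ha.d/ha.cf /etc/ha.d/haresources "$(ls /sys/class/net)"
# ha_check_same /etc/ha.d/haresources /tmp/haresources.lb2
```

The interface check catches exactly the misconfiguration the troubleshooting post describes (an ethX in ha.cf or in an IPaddr2 resource that the node does not have), and the haresources comparison enforces the "must be identical on master and slave" requirement before heartbeat is restarted rather than after it fails.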

2145
Today I tried another tool: macchanger

On Debian, install it with
#apt-get install macchanger

Then start using it with
#macchanger -m xxxxxxx <interface name>

That is all it takes to spoof the MAC address of the wifi card, hehe
