linux:security:lab1
建構簡單單機型防火牆實驗
- 預設進來(INPUT)的封包都Drop
- 清空所有filter表的所有規則
- 新增一筆允許進來的lookback 介面
- 允許從防火牆ping其他的電腦;反之不允許其他電腦ping 防火牆
- 允許從來源端192.168.0.0/24網段且以ICMP協定
- 允許以tcp 且為目的port 22 新連線進來
- 來源為192.168.1.0/24網段都reject掉
- 任何進來的都reject掉
#!/bin/bash iptables -P INPUT DROP; iptables -F iptables -A INPUT -i lo -j ACCEPT iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -p icmp -s 192.168.0.0/24 -j ACCEPT iptables -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT iptables -A INPUT -s 192.168.1.0/24 -j REJECT; iptables -A INPUT -j REJECT
測試單元
iptables -P INPUT DROP; iptables -F iptables -A INPUT -i lo -j ACCEPT
- 於防火牆測試loopback
ping 127.0.0.1 ok
- 從192.168.1.8 ping及ssh 192.168.1.254
ping 192.168.1.254 Not ok ssh 192.168.1.254 Not ok
- 從192.168.0.8 ping及ssh 192.168.0.254
ping 192.168.0.254 Not ok ssh 192.168.0.254 Not ok
- 從192.168.0.254 ping 192.168.0.8
ping 192.168.0.8 Not ok
iptables -P INPUT DROP; iptables -F iptables -A INPUT -i lo -j ACCEPT iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
- 從192.168.0.254 ping 192.168.0.8
ping 192.168.0.8 ok
- 反之,從192.168.0.8 ping 192.168.0.254
ping 192.168.0.254 not ok
iptables -P INPUT DROP; iptables -F iptables -A INPUT -i lo -j ACCEPT iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -s 192.168.1.0/24 -j REJECT;
- 從192.168.0.8 ssh 192.168.0.254
ssh 192.168.0.254 not ok
- 從192.168.1.8 ssh 192.168.1.254
ssh 192.168.1.254 not ok
- 從192.168.1.8 ping 192.168.1.254
ping 192.168.1.254 not ok,且會出現 Destination Port Unreachable等訊息
iptables -P INPUT DROP; iptables -F iptables -A INPUT -i lo -j ACCEPT iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -s 192.168.1.0/24 -j REJECT; iptables -A INPUT -p icmp -s 192.168.0.0/24 -j ACCEPT
- 從192.168.0.8 ping 192.168.0.254
ping 192.168.0.254 ok
- 從192.168.0.8 ssh 192.168.0.254
ssh 192.168.0.254 not ok
iptables -P INPUT DROP; iptables -F iptables -A INPUT -i lo -j ACCEPT iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -s 192.168.1.0/24 -j REJECT; iptables -A INPUT -p icmp -s 192.168.0.0/24 -j ACCEPT iptables -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
- 從192.168.0.8 ssh 192.168.0.254
ssh 192.168.0.254 ok
- 從192.168.1.8 ssh 192.168.1.254
ssh 192.168.1.254 not ok
#!/bin/bash iptables -P INPUT DROP; iptables -F iptables -A INPUT -i lo -j ACCEPT iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -p icmp -s 192.168.0.0/24 -j ACCEPT iptables -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT iptables -A INPUT -s 192.168.1.0/24 -j REJECT; iptables -A INPUT -j REJECT
- 從192.168.0.8 ssh 192.168.0.254
ssh 192.168.0.254 ok
- 從192.168.0.8 ping 192.168.0.254
ping 192.168.0.254 ok
- 從192.168.1.8 ssh 192.168.1.254
ssh 192.168.1.254 ok
- 從192.168.1.8 ping 192.168.1.254
ssh 192.168.1.254 not ok
linux/security/lab1.txt · 上一次變更: 2013/07/06 01:28 (外部編輯)
若無特別註明,本 wiki 上的內容都是採用以下授權方式: CC Attribution-Share Alike 3.0 Unported
