Information Security Technology Innovation assignment: writing iptables rules

This post is an assignment for the Information Security Technology Innovation course.

For a personal firewall protecting a single host, whose Internet-facing interface is eth0, and assuming the FTP service runs in PORT (active) mode, give the iptables commands that implement the following security policies:

1) Insert a rule at the head of the INPUT chain that allows all connections from anywhere to the local telnet port

iptables -t filter -I INPUT -p tcp --dport telnet -j ACCEPT

2) Append a rule at the end of the INPUT chain so that packets from source address 205.168.0.0/24 are ACCEPTed

iptables -t filter -A INPUT -s 205.168.0.0/24 -j ACCEPT

3) Change the source address of all packets leaving the eth0 interface to 1.2.3.4

iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4

4) Change the destination address of packets entering eth0 with source IP 202.127.14.61 to 1.2.4.4

iptables -t nat -A PREROUTING -s 202.127.14.61 -i eth0 -j DNAT --to 1.2.4.4

5) Redirect all FTP traffic arriving from the external network to 1.2.4.4:1008

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport ftp -j DNAT --to 1.2.4.4:1008

6) Open the FTP service on this host to the outside

iptables -t filter -A INPUT -p tcp --dport ftp -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport ftp -j ACCEPT
iptables -t filter -A INPUT -p tcp --sport ftp -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --sport ftp -j ACCEPT

7) Append a rule at the end of the INPUT chain of the filter table that drops ICMP packets of type 8 (echo request, i.e. ping request) arriving via eth0, so that other hosts cannot successfully ping this host

iptables -t filter -A INPUT -i eth0 -p icmp --icmp-type 8 -j DROP
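The seven commands above are applied one at a time, so the final rule order (telnet inserted at the head, the ICMP drop appended last) only becomes visible after the fact. The following added example, which is not part of the original assignment answer, renders the same policy as an iptables-restore style text so the order can be reviewed before anything is loaded; it uses numeric ports (23, 21, 20) instead of the service names so the result does not depend on /etc/services, and it adds two port-20 (ftp-data) lines that the original answer does not contain, because in PORT mode the server itself opens the data connection from port 20. The helper names (render_filter, render_nat, rule_count, first_rule, last_rule) are hypothetical; the interface and addresses are the assignment's values. Note that with the chain policies left at ACCEPT, as in the output below, the ACCEPT rules change nothing on their own; they only matter once the policy is switched to DROP.

```shell
#!/bin/sh
# Added example (not from the original post): render the assignment's policy as
# an iptables-restore file. Nothing here touches the kernel; the text is meant
# to be reviewed and then loaded with `iptables-restore < rules.v4`.

WAN_IF=eth0                 # Internet-facing interface from the assignment
TRUSTED_NET=205.168.0.0/24  # item 2
SNAT_TO=1.2.3.4             # item 3
DNAT_SRC=202.127.14.61      # item 4
DNAT_TO=1.2.4.4             # item 4
FTP_REDIRECT=1.2.4.4:1008   # item 5

# Filter table. In a restore file the line order inside a chain is the rule
# order, so item 1 (telnet at the head) is simply the first INPUT line and the
# ICMP drop (item 7) is the last. The two port-20 lines are an addition for
# PORT-mode FTP: the server dials out from port 20, so its SYN leaves via
# OUTPUT with sport 20 and the client's replies arrive via INPUT with dport 20.
render_filter() {
  cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 23 -j ACCEPT
-A INPUT -s $TRUSTED_NET -j ACCEPT
-A INPUT -p tcp --dport 21 -j ACCEPT
-A OUTPUT -p tcp --dport 21 -j ACCEPT
-A INPUT -p tcp --sport 21 -j ACCEPT
-A OUTPUT -p tcp --sport 21 -j ACCEPT
-A OUTPUT -p tcp --sport 20 -j ACCEPT
-A INPUT -p tcp --dport 20 -j ACCEPT
-A INPUT -i $WAN_IF -p icmp --icmp-type 8 -j DROP
COMMIT
EOF
}

# NAT table: items 3, 4 and 5. --to-destination / --to-source are the long
# forms of the --to used in the original commands.
render_nat() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -s $DNAT_SRC -i $WAN_IF -j DNAT --to-destination $DNAT_TO
-A PREROUTING -i $WAN_IF -p tcp --dport 21 -j DNAT --to-destination $FTP_REDIRECT
-A POSTROUTING -o $WAN_IF -j SNAT --to-source $SNAT_TO
COMMIT
EOF
}

# Review helpers over the rendered text: how many rules a chain holds, and
# which rule sits first and last (the positions the assignment cares about).
rule_count() {
  "$1" | grep -c "^-A $2 "
}

first_rule() {
  "$1" | grep "^-A $2 " | head -n 1
}

last_rule() {
  "$1" | grep "^-A $2 " | tail -n 1
}

# Usage: { render_filter; render_nat; } > rules.v4, inspect the file, then
# iptables-restore < rules.v4 on the firewall host.
```

Because the restore file is plain text, the same review can be done on a host without iptables installed, and the file can be kept under version control alongside the assignment answer.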

Output:

> iptables -L -t filter

Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:telnet
ACCEPT all -- 205.168.0.0/24 anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp spt:ftp
DROP icmp -- anywhere anywhere icmp echo-request

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp spt:ftp

> iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT all -- 202.127.14.61 anywhere to:1.2.4.4
DNAT tcp -- anywhere anywhere tcp dpt:ftp to:1.2.4.4:1008

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- anywhere anywhere to:1.2.3.4