搜索到
4
篇与
iptables
的结果
-
利用iptables的string模块来屏蔽域名(关键词匹配) 简介iptables功能十分丰富,它能够对网关下带客户端的上网行为进行有效的控制,下面介绍如何利用它的string模块来对客户端的上网行为进行控制。string模块是iptables的一个扩展模块,目前大多数系统都已集成了该模块,少数较老的openwrt路由如果没有的话,可通过opkg命令安装。应用场景部署于基于Linux操作系统的网关上,可以是路由器,也可以是挂于旁路的防火墙、审计系统,只要可收集到客户端的上网流量即可。保护客户端数据安全,避免被某些无底线的互联网公司收集个人数据。屏蔽令人不适的广告。操作命令示范如果要屏蔽一个具体的网站,具体思路是让防火墙匹配客户端请求的数据包中的关键字,然后将该包丢弃,使客户端放弃连接。比如百度地图在定位的同时会收集当前IP地址所对应的物理位置。美名其曰收集地理位置提供更好的服务,实则令人厌烦,暴露了用户的行踪,时常有人代理服务器IP被定位到自家门口的情况。该API目前已关闭,然而不仅仅是百度地图,其他某些地图厂家也会这么干。而客户端向百度上报自己地点的数据包会携带相应的域名,即HTTP请求的Host头部(api.map.baidu.com和map.baidu.com),基于此原理即可将域名作为关键词来进行匹配。iptables -I FORWARD 1 -p tcp -m multiport --dports 80,443 -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG PSH,ACK -m string --string "api.map.baidu.com" --algo bm -j REJECT --reject-with tcp-reset iptables -I FORWARD 1 -p tcp -m multiport --dports 80,443 -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG PSH,ACK -m string --string "map.baidu.com" --algo bm -j REJECT --reject-with tcp-reset客户端的数据经由网关发出时,经过的是FORWARD链,所以应在它上面配置规则,multiport模块用于匹配多端口。即使它使用了SSL来传输数据,通过443端口传送时,我们仍然能从其中Client Hello数据包内的server_name(SNI)字段得知请求的主机名。这样,即使传输内容虽已加密,但是请求的主机名是明文传送的,iptables仍可以通过这一点来进行匹配。--tcp-flags可以更精确地匹配不同状态的数据包,避免错杀,若无额外配置该选项,则很可能将baidu的其他业务也屏蔽。--algo bm是匹配算法,默认是使用bm,当然也有较为复杂的kmp算法。最后的--reject-with tcp-reset较为重要的作用是将连接重置,令客户端无法与服务器建立连接。当然,这个操作已经将整个百度地图的服务全部屏蔽,客户端无法通过该局域网使用百度地图。而实际情况,我们常在室外(LTE网络)使用它,在室内基本是用不到的。题外话对于防火墙来说,通过返回TCP RST数据包给客户端来达到终止客户端的连接是非常合适的,因为在TCP/IP协议中,RST包是用来关闭异常的连接的,客户端一旦收到该数据包,将会立即关闭对主机的连接,不再尝试重连,应用会发出“连接已重置”或者"Connection reset by peer"的错误提示。而若将REJECT改为DROP,防火墙则是默默地丢弃数据包,不明真相的客户端迟迟未收到服务器回应,会多次发包尝试重连,防火墙则必须多次丢弃该数据包。因此REJECT与DROP相比,前者对防火墙的资源消耗少,显然采取它是明智的,这也与某些ISP的网络审计和过滤系统原理是类似的。防火墙被设计出来的目的就是为了保证内部网络的安全,将关键词过滤这一功能统一部署于网关将给防火墙后的客户端带来极大的方便和安全性,可以阻止无底线公司上传用户敏感数据,屏蔽流氓软件广告推送等等。 -
iptables管理脚本 #!/bin/sh # # iptablesStart iptables firewall # # chkconfig: 2345 08 92 # description:Starts, stops and saves iptables firewall # # config: /etc/sysconfig/iptables # config: /etc/sysconfig/iptables-config # ### BEGIN INIT INFO # Provides: iptables # Required-Start: # Required-Stop: # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # Short-Description: start and stop iptables firewall # Description: Start, stop and save iptables firewall ### END INIT INFO # Source function library. . /etc/init.d/functions IPTABLES=iptables IPTABLES_DATA=/etc/sysconfig/$IPTABLES IPTABLES_FALLBACK_DATA=${IPTABLES_DATA}.fallback IPTABLES_CONFIG=/etc/sysconfig/${IPTABLES}-config IPV=${IPTABLES%tables} # ip for ipv4 | ip6 for ipv6 [ "$IPV" = "ip" ] && _IPV="ipv4" || _IPV="ipv6" PROC_IPTABLES_NAMES=/proc/net/${IPV}_tables_names VAR_SUBSYS_IPTABLES=/var/lock/subsys/$IPTABLES # only usable for root if [ $EUID != 0 ]; then echo -n $"${IPTABLES}: Only usable by root."; warning; echo exit 4 fi if [ ! -x /sbin/$IPTABLES ]; then echo -n $"${IPTABLES}: /sbin/$IPTABLES does not exist."; warning; echo exit 5 fi # Old or new modutils /sbin/modprobe --version 2>&1 | grep -q module-init-tools \ && NEW_MODUTILS=1 \ || NEW_MODUTILS=0 # Default firewall configuration: IPTABLES_MODULES="" IPTABLES_MODULES_UNLOAD="yes" IPTABLES_SAVE_ON_STOP="no" IPTABLES_SAVE_ON_RESTART="no" IPTABLES_SAVE_COUNTER="no" IPTABLES_STATUS_NUMERIC="yes" IPTABLES_STATUS_VERBOSE="no" IPTABLES_STATUS_LINENUMBERS="yes" IPTABLES_SYSCTL_LOAD_LIST="" # Load firewall configuration. [ -f "$IPTABLES_CONFIG" ] && . "$IPTABLES_CONFIG" # Netfilter modules NF_MODULES=($(lsmod | awk "/^${IPV}table_/ {print \$1}") ${IPV}_tables) NF_MODULES_COMMON=(x_tables nf_nat nf_conntrack) # Used by netfilter v4 and v6 # Get active tables NF_TABLES=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null) rmmod_r() { # Unload module with all referring modules. # At first all referring modules will be unloaded, then the module itself. local mod=$1 local ret=0 local ref= # Get referring modules. # New modutils have another output format. [ $NEW_MODUTILS = 1 ] \ && ref=$(lsmod | awk "/^${mod}/ { print \$4; }" | tr ',' ' ') \ || ref=$(lsmod | grep ^${mod} | cut -d "[" -s -f 2 | cut -d "]" -s -f 1) # recursive call for all referring modules for i in $ref; do rmmod_r $i let ret+=$?; done # Unload module. # The extra test is for 2.6: The module might have autocleaned, # after all referring modules are unloaded. if grep -q "^${mod}" /proc/modules ; then modprobe -r $mod > /dev/null 2>&1 res=$? [ $res -eq 0 ] || echo -n " $mod" let ret+=$res; fi return $ret } flush_n_delete() { # Flush firewall rules and delete chains. [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0 # Check if firewall is configured (has tables) [ -z "$NF_TABLES" ] && return 1 echo -n $"${IPTABLES}: Flushing firewall rules: " ret=0 # For all tables for i in $NF_TABLES; do # Flush firewall rules. $IPTABLES -t $i -F; let ret+=$?; # Delete firewall chains. $IPTABLES -t $i -X; let ret+=$?; # Set counter to zero. $IPTABLES -t $i -Z; let ret+=$?; done [ $ret -eq 0 ] && success || failure echo return $ret } set_policy() { # Set policy for configured tables. policy=$1 # Check if iptable module is loaded [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0 # Check if firewall is configured (has tables) tables=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null) [ -z "$tables" ] && return 1 echo -n $"${IPTABLES}: Setting chains to policy $policy: " ret=0 for i in $tables; do echo -n "$i " case "$i" in raw) $IPTABLES -t raw -P PREROUTING $policy \ && $IPTABLES -t raw -P OUTPUT $policy \ || let ret+=1 ;; filter) $IPTABLES -t filter -P INPUT $policy \ && $IPTABLES -t filter -P OUTPUT $policy \ && $IPTABLES -t filter -P FORWARD $policy \ || let ret+=1 ;; nat) $IPTABLES -t nat -P PREROUTING $policy \ && $IPTABLES -t nat -P POSTROUTING $policy \ && $IPTABLES -t nat -P OUTPUT $policy \ || let ret+=1 ;; mangle) $IPTABLES -t mangle -P PREROUTING $policy \ && $IPTABLES -t mangle -P POSTROUTING $policy \ && $IPTABLES -t mangle -P INPUT $policy \ && $IPTABLES -t mangle -P OUTPUT $policy \ && $IPTABLES -t mangle -P FORWARD $policy \ || let ret+=1 ;; *) let ret+=1 ;; esac done [ $ret -eq 0 ] && success || failure echo return $ret } load_sysctl() { # load matched sysctl values if [ -n "$IPTABLES_SYSCTL_LOAD_LIST" ]; then echo -n $"Loading sysctl settings: " ret=0 for item in $IPTABLES_SYSCTL_LOAD_LIST; do fgrep $item /etc/sysctl.conf | sysctl -p - >/dev/null let ret+=$?; done [ $ret -eq 0 ] && success || failure echo fi return $ret } start() { # Do not start if there is no config file. if [ ! -f "$IPTABLES_DATA" ]; then echo -n $"${IPTABLES}: No config file."; warning; echo return 6 fi # check if ipv6 module load is deactivated if [ "${_IPV}" = "ipv6" ] \ && grep -qIsE "^install[[:space:]]+${_IPV}[[:space:]]+/bin/(true|false)" /etc/modprobe.conf /etc/modprobe.d/* ; then echo $"${IPTABLES}: ${_IPV} is disabled." return 150 fi echo -n $"${IPTABLES}: Applying firewall rules: " OPT= [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c" $IPTABLES-restore $OPT $IPTABLES_DATA if [ $? -eq 0 ]; then success; echo else failure; echo; if [ -f "$IPTABLES_FALLBACK_DATA" ]; then echo -n $"${IPTABLES}: Applying firewall fallback rules: " $IPTABLES-restore $OPT $IPTABLES_FALLBACK_DATA if [ $? -eq 0 ]; then success; echo else failure; echo; return 1 fi else return 1 fi fi # Load additional modules (helpers) if [ -n "$IPTABLES_MODULES" ]; then echo -n $"${IPTABLES}: Loading additional modules: " ret=0 for mod in $IPTABLES_MODULES; do echo -n "$mod " modprobe $mod > /dev/null 2>&1 let ret+=$?; done [ $ret -eq 0 ] && success || failure echo fi # Load sysctl settings load_sysctl touch $VAR_SUBSYS_IPTABLES return $ret } stop() { # Do not stop if iptables module is not loaded. [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0 # Set default chain policy to ACCEPT, in order to not break shutdown # on systems where the default policy is DROP and root device is # network-based (i.e.: iSCSI, NFS) set_policy ACCEPT # And then, flush the rules and delete chains flush_n_delete if [ "x$IPTABLES_MODULES_UNLOAD" = "xyes" ]; then echo -n $"${IPTABLES}: Unloading modules: " ret=0 for mod in ${NF_MODULES[*]}; do rmmod_r $mod let ret+=$?; done # try to unload remaining netfilter modules used by ipv4 and ipv6 # netfilter for mod in ${NF_MODULES_COMMON[*]}; do rmmod_r $mod >/dev/null done [ $ret -eq 0 ] && success || failure echo fi rm -f $VAR_SUBSYS_IPTABLES return $ret } save() { # Check if iptable module is loaded if [ ! -e "$PROC_IPTABLES_NAMES" ]; then echo -n $"${IPTABLES}: Nothing to save."; warning; echo return 0 fi # Check if firewall is configured (has tables) if [ -z "$NF_TABLES" ]; then echo -n $"${IPTABLES}: Nothing to save."; warning; echo return 6 fi echo -n $"${IPTABLES}: Saving firewall rules to $IPTABLES_DATA: " OPT= [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c" ret=0 TMP_FILE=$(/bin/mktemp -q $IPTABLES_DATA.XXXXXX) \ && chmod 600 "$TMP_FILE" \ && $IPTABLES-save $OPT > $TMP_FILE 2>/dev/null \ && size=$(stat -c '%s' $TMP_FILE) && [ $size -gt 0 ] \ || ret=1 if [ $ret -eq 0 ]; then if [ -e $IPTABLES_DATA ]; then cp -f $IPTABLES_DATA $IPTABLES_DATA.save \ && chmod 600 $IPTABLES_DATA.save \ && restorecon $IPTABLES_DATA.save \ || ret=1 fi if [ $ret -eq 0 ]; then mv -f $TMP_FILE $IPTABLES_DATA \ && chmod 600 $IPTABLES_DATA \ && restorecon $IPTABLES_DATA \ || ret=1 fi fi rm -f $TMP_FILE [ $ret -eq 0 ] && success || failure echo return $ret } status() { if [ ! -f "$VAR_SUBSYS_IPTABLES" -a -z "$NF_TABLES" ]; then echo $"${IPTABLES}: Firewall is not running." return 3 fi # Do not print status if lockfile is missing and iptables modules are not # loaded. # Check if iptable modules are loaded if [ ! -e "$PROC_IPTABLES_NAMES" ]; then echo $"${IPTABLES}: Firewall modules are not loaded." return 3 fi # Check if firewall is configured (has tables) if [ -z "$NF_TABLES" ]; then echo $"${IPTABLES}: Firewall is not configured. " return 3 fi NUM= [ "x$IPTABLES_STATUS_NUMERIC" = "xyes" ] && NUM="-n" VERBOSE= [ "x$IPTABLES_STATUS_VERBOSE" = "xyes" ] && VERBOSE="--verbose" COUNT= [ "x$IPTABLES_STATUS_LINENUMBERS" = "xyes" ] && COUNT="--line-numbers" for table in $NF_TABLES; do echo $"Table: $table" $IPTABLES -t $table --list $NUM $VERBOSE $COUNT && echo done return 0 } reload() { # Do not reload if there is no config file. if [ ! -f "$IPTABLES_DATA" ]; then echo -n $"${IPTABLES}: No config file."; warning; echo return 6 fi # check if ipv6 module load is deactivated if [ "${_IPV}" = "ipv6" ] \ && grep -qIsE "^install[[:space:]]+${_IPV}[[:space:]]+/bin/(true|false)" /etc/modprobe.conf /etc/modprobe.d/* ; then echo $"${IPTABLES}: ${_IPV} is disabled." return 150 fi echo -n $"${IPTABLES}: Trying to reload firewall rules: " OPT= [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c" $IPTABLES-restore $OPT $IPTABLES_DATA if [ $? -eq 0 ]; then success; echo else failure; echo; echo "Firewall rules are not changed."; return 1 fi # Load additional modules (helpers) if [ -n "$IPTABLES_MODULES" ]; then echo -n $"${IPTABLES}: Loading additional modules: " ret=0 for mod in $IPTABLES_MODULES; do echo -n "$mod " modprobe $mod > /dev/null 2>&1 let ret+=$?; done [ $ret -eq 0 ] && success || failure echo fi # Load sysctl settings load_sysctl return $ret } restart() { [ "x$IPTABLES_SAVE_ON_RESTART" = "xyes" ] && save stop start } case "$1" in start) [ -f "$VAR_SUBSYS_IPTABLES" ] && exit 0 start RETVAL=$? ;; stop) [ "x$IPTABLES_SAVE_ON_STOP" = "xyes" ] && save stop RETVAL=$? ;; restart|force-reload) restart RETVAL=$? ;; reload) [ -e "$VAR_SUBSYS_IPTABLES" ] && reload RETVAL=$? ;; condrestart|try-restart) [ ! -e "$VAR_SUBSYS_IPTABLES" ] && exit 0 restart RETVAL=$? ;; status) status RETVAL=$? ;; panic) set_policy DROP RETVAL=$? ;; save) save RETVAL=$? ;; *) echo $"Usage: ${IPTABLES} {start|stop|reload|restart|condrestart|status|panic|save}" RETVAL=2 ;; esac exit $RETVAL
-
基于iptables,针对中国移动HTTP劫持,发送RST包屏蔽部分网站的解决办法 原理:在Linux系统的路由器上,通过iptables,或者UNIX,如华为,cisco等设备,使用ACL将中国移动IDS系统和旁路设备返回的虚假数据包丢弃。iptables配置规则丢弃中国移动IDS系统设备返回的RST数据包,解决墙中墙问题。iptables -A FORWARD -p tcp --tcp-flags RST RST -j DROP基于TTL检测,将旁路设备抢答返回的虚假数据包丢弃,解决当下载以.exe、.rar、.zip、.apk等为后缀的文件时,被中国移动通过302重定向至自己网内cache服务器的问题。通过抓包检测,旁路设备返回的虚假302重定向数据包TTL值在20-30内,不同省份可能不同,而真实的服务器TTL大都在40-60左右(Linux)和100-128(Windows)。iptables -A FORWARD -p tcp -m tcp --sport --m ttl --ttl-gt 20 -m ttl --ttl-lt 30 -j DROPiptables其他参数-s 0.0.0.0/0 可自定义源IP-d 0.0.0.0/0 自定义目的IP--ttl-gt TTL大于一个值--ttl-lt TTL小于一个值--ttl-eq TTL等于一个值
-
iptables应用小记 iptables应用小记iptables -F #清空规则iptables -X #清除各链的规则iptables -Z #流量归零iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT #允许已建立的所有传入连接通过iptables -A INPUT -i lo -j ACCEPT #允许lo网卡所有流量通过iptables -A INPUT -p tcp -j DROPiptables -A INPUT -p udp -j DROP #禁止所有TCP、UDP数据包传入iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j DROP #禁止外网ping本机iptables -nL --line-number #显示当前已保存的iptables规则及行号iptables -D INPUT 1 #删除INPUT链中第一条规则iptables -I INPUT 1 -m state --state RELATED,ESTABLISHED -j ACCEPT #将这条规则插入INPUT链中第一行iptables -t nat -nL --line-number #显示nat规则及行号iptables -A POSTROUTING -s 172.31.0.0/16 -o eth0 -j MASQUERADE #将172.31.0.0/24网段NAT为eth0网卡的IP地址上网,常用于VPN网关iptables -A PREROUTING -d 172.31.0.1/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.10.0.1:80 #使用SNAT将172.31.0.1的80端口重定向到10.10.0.1的80端口
