2008年2月25日星期一

我的iptables+tc配置

http://www.xxlinux.com/linux/article/network/security/20060608/1142_2.html

wed -p tcp --syn -j ACCEPT4s2Linux联盟
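# Remainder of the iptables + tc firewall script.  Its beginning is above this
# block: that is where $INET_IF, $LAN_IF and $LAN_IP_RANGE are set, the chain
# policies are chosen and the custom chains (allowed, icmp_packets,
# bad_tcp_packets) are created.  Every line of the original carried a site
# watermark glued to its end; it has been stripped here.
# Rule order matters: a chain is evaluated top to bottom and the first
# terminating target (ACCEPT/DROP) wins; LOG is non-terminating.

# "allowed" chain (its first rule, which accepts --syn packets, is above this block)
iptables -A allowed -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A allowed -p tcp -j DROP

# ICMP rules chain: only echo-request (type 8) and time-exceeded (type 11)
# are accepted here; anything else sent to this chain falls back to INPUT.
iptables -A icmp_packets -p icmp -s 0/0 --icmp-type 8 -j ACCEPT
iptables -A icmp_packets -p icmp -s 0/0 --icmp-type 11 -j ACCEPT
# limited_packets rules chain (disabled)
#iptables -A limited_packets -p tcp ! --syn -m state --state NEW -j DROP
#iptables -A INPUT -i $INET_IF -s 192.168.0.0/16 -j DROP
#iptables -A INPUT -p udp -i $LAN_IF --dport 67 --sport 68 -j ACCEPT
#
######################################################################
## INPUT chain
# First filter: every TCP packet is run through bad_tcp_packets
iptables -A INPUT -p tcp -j bad_tcp_packets
# Second filter: ICMP arriving on the Internet interface goes through icmp_packets
iptables -A INPUT -p icmp -i $INET_IF -j icmp_packets
# Open trusted ports (disabled).  If this is ever re-enabled, note that the
# UDP loop appends to tcp_packets, a chain INPUT only jumps to with -p tcp.
#echo "Open trusted ports....."
#iptables -N services
#for PORT in $TRUSTED_TCP_PORT; do
#iptables -A tcp_packets -s 0/0 -p tcp --dport $PORT -j allowed
#done
#for PORT in $TRUSTED_UDP_PORT; do
#iptables -A tcp_packets -s 0/0 -p udp --dport $PORT -j allowed
#done
# The trust port of INPUT chain
#iptables -A INPUT -p tcp -i $INET_IF -j tcp_packets
## Anti-spoofing: private (RFC 1918) and loopback source addresses can never
## legitimately arrive on the Internet interface, so drop them.
iptables -A INPUT -i $INET_IF -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i $INET_IF -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i $INET_IF -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i $INET_IF -s 127.0.0.0/8 -j DROP
# allow DHCP packets from LAN (disabled)
#iptables -A INPUT -p udp -i $LAN_IF --dport 67 --sport 68 -j ACCEPT
## Rate-limited logging (3/minute, burst 3) of whatever reached the end of
## INPUT.  LOG does not terminate, so the INPUT policy chosen earlier in the
## script decides what finally happens to these packets.
iptables -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level INFO --log-prefix "IPT INPUT packets died:"


## FORWARD chain
# bad_tcp_packets filter
iptables -A FORWARD -p tcp -j bad_tcp_packets
# address of limited filter (disabled)
#iptables -A FORWARD -p tcp -j limited_packets
## Anti-spoofing for forwarded traffic: a packet carrying a LAN source address
## that arrives on the Internet interface is forged.  The INPUT anti-spoof
## rules above do not cover FORWARD, and the next rule matches on -o/-s only,
## so without this drop such a packet would be forwarded and masqueraded.
iptables -A FORWARD -i $INET_IF -s $LAN_IP_RANGE -j DROP
## Packets leaving the LAN are not filtered further
# allow the packets from LAN to WAN
iptables -A FORWARD -o $INET_IF -s $LAN_IP_RANGE -j ACCEPT
iptables -A FORWARD -i $LAN_IF -s $LAN_IP_RANGE -j ACCEPT
## Packets entering on the Internet interface may only reach the LAN as
## replies to connections the LAN opened
iptables -A FORWARD -i $INET_IF -d $LAN_IP_RANGE -m state --state ESTABLISHED,RELATED -j ACCEPT
## Rate-limited logging of forwarded packets not accepted above; being
## non-terminating, LOG lets them continue down the chain afterwards
iptables -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packets died:"
## Second-and-later fragments (-f) carry no transport header, so port-based
## rules cannot judge them; they and ICMP are accepted only under a rate limit
iptables -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
iptables -A FORWARD -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT

## Bare RST segments are accepted at most 1/s; the excess falls through to
## the FORWARD policy
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

## Masquerading (NAT)
# allow UDP (disabled)
#iptables -A FORWARD -p udp -d $LAN_IP_RANGE -i $EXT_IF -j ACCEPT
# transparent redirection of www to the Squid port (disabled)
#iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
# all other services leave through the nat table, masqueraded.
# NOTE: the source range and interface are hard-coded here while the filter
# rules use $LAN_IP_RANGE / $INET_IF; keep the two in sync.
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o ppp0 -j MASQUERADE
############ mark for mangle filter ############
echo "Enabling mangle "
# uploads (all mark rules below are disabled; the marks are meant for tc classes)
#iptables -t mangle -A PREROUTING -s 192.168.0.6 -m layer7 --l7proto dns -j MARK --set-mark 10
#iptables -t mangle -A PREROUTING -s 192.168.0.6 -m layer7 --l7proto smtp -j MARK --set-mark 20
#iptables -t mangle -A PREROUTING -s 192.168.0.6 -m layer7 --l7proto http -j MARK --set-mark 30
## mark by IP address for traffic control -- upload
#iptables -t mangle -A PREROUTING -s 192.168.0.52 -j MARK --set-mark 40
#iptables -t mangle -A PREROUTING -s 192.168.0.0/24 -j MARK --set-mark 70
#iptables -t mangle -A PREROUTING -s 192.168.0.3 -j MARK --set-mark 60
# downloads
#iptables -t mangle -A POSTROUTING -d 192.168.0.6 -m layer7 --l7proto dns -j MARK --set-mark 10
#iptables -t mangle -A POSTROUTING -d 192.168.0.6 -m layer7 --l7proto smtp -j MARK --set-mark 20
#iptables -t mangle -A POSTROUTING -d 192.168.0.6 -m layer7 --l7proto http -j MARK --set-mark 30
## mark by IP address for traffic control -- download
#iptables -t mangle -A POSTROUTING -d 192.168.0.52 -j MARK --set-mark 40
#iptables -t mangle -A POSTROUTING -d 192.168.0.0/24 -j MARK --set-mark 70
#iptables -t mangle -A POSTROUTING -d 192.168.0.3 -j MARK --set-mark 60

################################### iptables END ########################################
echo "iptables END"
#echo "Enabling Squid"
#/usr/local/squid/sbin/squid
echo "Enabling ADSL"
# Bring the link up only after the rules are in place (presumably the
# rp-pppoe start script -- confirm on the target system)
adsl-start
##########################################################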
每个人的 Linux 安装的不一样,netfilter 模块加载的也不一样,在模块加载处估计各位要进行微调,将需要加载的模块前带 # 的去掉几个估计就可以了;tc 处可根据自己的实际情况进行微调。
本配置已经实际运行了3年,没出现什么问题(配置上),但要是某个高手盯上你了,估计。。。。嘿嘿,技术就是这样,没有绝对的,反正我的配置(p3赛阳 600,128mpc100,10g硬盘,810e主板,双8139d百兆网卡,debian woody 2.4.32核心)不关机除了每两个月的正常清洁外没出现过什么异常(因为对内网是没有限制的,故清理内鬼是比较重要的)。欢迎大家多多指教,把此脚本多多完善,本人不胜感激。学以致用,linux学习更应如此 。

How To Install DNS server with Master/Slave's config

How To Install DNS server with Master/Slave's config
1、 下载并安装
cd /software
wget http://ftp.isc.org/isc/bind9/9.3.2/bind-9.3.2.tar.gz
tar zxvf bind-9.3.2.tar.gz
cd bind-9.3.2
./configure --prefix=/Data/apps/named \
--enable-threads
make
make install
2、 配置
Cd /Data/apps/named
[root@linux named]# mkdir etc
生成rndc控制命令的key文件
[root@linux named]# sbin/rndc-confgen > etc/rndc.conf
从rndc.conf文件中提取named.conf用的key
[root@linux named]# cd etc
自动在/Data/apps/named/etc生成named.conf文件
[root@linux etc]# tail -10 rndc.conf | head -9 | sed s/#\ //g > named.conf
3、 建立Zone文件目录
[root@linux etc]# mkdir /Data/named
进入/Data/named目录
[root@linux etc]# cd /Data/named
A、 建立localhost.zone
[root@linux named]#vi localhost.zone
$TTL 86400
$ORIGIN localhost.
@ 1D IN SOA @ root (
42 ; serial (d.
adams)
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum

1D IN NS @
1D IN A 127.0.0.1
B、 建立named.local
[root@linux named]#vi named.local
$TTL 86400
@ IN SOA localhost. root.localhost. (
1997022700 ; Serial
28800 ; Refresh
14400 ; Retry
3600000 ; Expire
86400 ) ; Minimum
IN NS localhost.

1 IN PTR localhost.

C、 生成named.root
[root@linux named]#dig > named.root
D、 修改named.conf
Cd /Data/apps/named/etc
配置named.conf文件,在后面加入一下代码
[root@linux etc]# vi named.conf
options {
directory "/Data/named";
pid-file "named.pid";
};

controls {
inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};

zone "." IN {
type hint;
file "named.root";
};

zone "localhost" IN {
type master;
file "localhost.zone";
allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.local";
allow-update { none; };
};

E、 测试启动bind
/Data/apps/named/sbin/named -c /Data/apps/named/etc/named.conf &

4、 下面以longrujun.com/lrj.com为例进行配置

Server 1:Master
IPADDR=192.168.5.223/224
NETMASK=255.255.255.0
GATEWAY=192.168.5.1
Server 2: Slave
IPADDR=192.168.5.225/226
NETMASK=255.255.255.0
GATEWAY=192.168.5.1
其中
Longrujun.com做view功能及Master/Slave同步,在一定程度上便于解决互联互通问题
lrj.com只涉及Master/Slave同步功能

A、 网络参数配置
由于View+功能同步需要每服务器2个IP,在每个服务器上面多做一个ip
alias
已redhat as4 为例
[root@redhatas4 named]# cd /etc/sysconfig/network-scripts/
[root@redhatas4 network-scripts]# cp ifcfg-eth0 ifcfg-eth0:1
[root@redhatas4 network-scripts]# cat ifcfg-eth0:1
# Advanced Micro Devices [AMD] 79c970 [PCnet32 LANCE]
DEVICE=eth0:1
ONBOOT=yes
BOOTPROTO=static
IPADDR=192.168.5.224
NETMASK=255.255.255.0
GATEWAY=192.168.5.1


B、 在Master建立config及zone文件


1>、修改named.conf文件
由于View功能需要把所有Zone放到View中,故在named.conf中删除如下内容
[root@redhatas4 network-scripts]# vi /Data/apps/named/etc/named.conf
zone "." IN {
type hint;
file "named.root";
};

zone "localhost" IN {
type master;
file "localhost.zone";
allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.local";
allow-update { none; };
};

同时在最后加上
include "zone.named.conf";
完整的named.conf如下(注意:rndc-key 的 secret 是 rndc-confgen 在本机随机生成的控制密钥,应使用自己生成的值,不要照抄示例;另外示例里出现了两个 controls 段,而第二段引用的 rndckey 并未在文件中定义,named 启动时可能会因此报错,建议只保留引用 "rndc-key" 的那一段)
[root@redhatas4 etc]# cat named.conf
key "rndc-key" {
algorithm hmac-md5;
secret "7GOJi0L1LwB2WXR38/K3ow==";
};

controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};

options {
directory "/Data/named";
pid-file "named.pid";
};

controls {
inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};

include "zone.named.conf";

2>、建立zone.named.conf
[root@redhatas4 etc]# cd /Data/named/
[root@redhatas4 named]# vi zone.named.conf
acl CNCbeijing {
61.48/14;61.135/16;61.148/15;202.96.0/18;202.99.0/18;202.106/16;202.108/16;221.216/13;222.128/14;
};

acl CNChebei {
60.0.0.0/12;61.55.0.0/16;61.159.0.0/18;61.182/16;202.99.128.0/18;218.11/15;221.192/14;
};

acl CNCshandong {
60.208.0.0/12;61.133.0.0/17;61.156.0.0/16;61.162.0.0/16;61.179.0.0/16;202.102.128.0/18;202.110.192.0/18;218.56.0.0/14;221.0.0.0/14;
};

acl CNCzhejiang { 60.12/16;221.12/16;};
acl CNCgansu { 60.13.0/18;221.7.32/19;};
acl CNCchongqing { 221.5.128/17;221.7.64/19;};
acl CNCguangdong { 221.4/15;};
acl CNCguangxi { 221.7.128/17;};
acl CNCguizhou { 221.13.0/18;};
acl CNChainan { 221.11.128/17;};
acl CNCheilongjiang {
61.138.0/18;61.167/16;61.180.128/17;202.97.192/18;218.7/14;221.208/13;};
acl CNChenan {
61.52/14;61.136.64/18;61.158.128/17;61.163/16;61.168/16;202.102.224/19;202.110.64/18;202.111.128/19;218.28/15;221.13.128/14;222.136/13;};
acl CNCjiangsu { 221.6/16;};
acl CNCjilin {
61.138.128/18;61.139.128/18;61.161.0/18;202.98.0/19;202.111.160/19;218.27/16;221.8/15;222.160/14;};
acl CNCliaoning {
60.16/13;61.137.128/17;61.161.128/17;61.176/16;61.189.0/17;202.96.64/19;202.97.160/19;202.107.0/17;202.110.0/18;218.24/15;218.60/15;221.200/14;};
acl CNCneimeng {60.31/16;221.199.128/17;};
acl CNCneimenggu { 61.134.96/19;61.138.64/18;202.99.224/19;};
acl CNCningxia { 221.199.0/18;};
acl CNCqinghai { 221.207.0/18;};
acl CNCshanxi
{221.11.0/17;60.220/14;202.97.128/19;202.99.192/19;218.26/16;221.204/15;};
acl CNCsichuan { 221.10/16;};
acl CNCtianjin {
60.24/13;60.181/16;202.99.64/18;218.67.128/14;221.196/14;};
acl CNCxinjiang { 60.13.128/17;221.7.0/19;};
acl CNCxizang { 221.13.64/19;};
acl CNCyunnan { 221.213/16;221.3.128/17;};
# pls edit acl testip1/2 with ur truely ip
#acl testip {211.157.101.174;211.157.101.175;};
#acl testip2 {211.152.17.58;211.152.17.59;};
acl testip1 {192.168.5.223;192.168.5.224;};
acl testip2 {192.168.5.225;192.168.5.226;};

view "internal" {
match-clients {
!192.168.5.224;!192.168.5.226;CNCbeijing;CNChebei;CNCshandong;CNCtianjin;CNCzhejiang;CNCgansu;CNCchongqing;CNCguangdong;CNCguangxi;CNCguizhou;CNChainan;CNCheilongjiang;CNChenan;CNCjiangsu;CNCjilin;CNCliaoning;CNCneimeng;CNCneimenggu;CNCningxia;CNCqinghai;CNCshanxi;CNCsichuan;CNCxinjiang;CNCxizang;CNCyunnan;testip1;testip2;};

recursion yes;
notify-source 192.168.5.223;
transfer-source 192.168.5.223;
query-source address 192.168.5.223;
include "common.zone.named.conf";
include "longrujun.other.zone.named.conf";

zone "longrujun.com" IN {
type master;
file "longrujun.com.zone.bj";
allow-transfer {192.168.5.225;};
};
};

view "external" {
match-clients { any; };
recursion yes;
notify-source 192.168.5.224;
transfer-source 192.168.5.224;
query-source address 192.168.5.224;
include "common.zone.named.conf";
include "longrujun.other.zone.named.conf";

zone "longrujun.com" IN {
type master;
file "longrujun.com.zone";
allow-transfer {192.168.5.226;};
};
};

3>、建立common.zone.named.conf
[root@redhatas4 named]# cd /Data/named/
[root@redhatas4 named]# vi common.zone.named.conf
zone "." IN {
type hint;
file "named.root";
};

zone "localhost" IN {
type master;
file "localhost.zone";
allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.local";
allow-update { none; };
};

4>、建立longrujun.other.zone.named.conf
[root@redhatas4 named]# cd /Data/named/
[root@redhatas4 named]# vi longrujun.other.zone.named.conf
zone "dearbook.com.cn" IN {
type master;
file "domain1.com.cn";
allow-update { none; };
};

zone "lrj.com" IN {
type master;
file "lrj.com";
allow-update { none; };
};

5>、建立longrujun.com.zone
[root@redhatas4 named]# cd /Data/named/
[root@redhatas4 named]# vi longrujun.com.zone
$ORIGIN .
$TTL 3600
longrujun.com IN SOA dns.longrujun.com.
admin.longrujun.com. (
2006071602; serial
10800 ; refresh (3 hours)
3600 ; retry (1 hour)
604800 ; expire (1 week)
3600 ; minimum (1 hour)
)
longrujun.com NS dns.longrujun.com
longrujun.com NS dns2.longrujun.com
longrujun.com MX 10 mail.longrujun.com
mail.longrujun.com CNAME mail.longrujun.com
$ORIGIN longrujun.com.
www A 202.99.8.1
dns A 192.168.5.223
dns2 A 192.168.5.225
live A 10.10.10.99
tag A 10.100.10.100

6>、建立longrujun.com.zone.bj
[root@redhatas4 named]# cd /Data/named/
[root@redhatas4 named]# vi longrujun.com.zone.bj
$ORIGIN .
$TTL 3600
longrujun.com IN SOA dns.longrujun.com.
admin.longrujun.com. (
2006071603; serial
10800 ; refresh (3 hours)
3600 ; retry (1 hour)
604800 ; expire (1 week)
3600 ; minimum (1 hour)
)
longrujun.com NS dns.longrujun.com
longrujun.com NS dns2.longrujun.com
A 11.11.11.11
longrujun.com MX 10 mail.longrujun.com
mail.longrujun.com CNAME mail.longrujun.com
$ORIGIN longrujun.com.
www A 10.10.10.10
dns A 192.168.5.223
dns2 A 192.168.5.225
live A 10.10.10.11
tag A 10.10.10.12
7>、建立lrj.com
[root@redhatas4 named]# vi lrj.com
$ORIGIN .
$TTL 3600
lrj.com IN SOA dns.longrujun.com. admin.longrujun.com.
(
2006071602; serial
10800 ; refresh (3 hours)
3600 ; retry (1 hour)
604800 ; expire (1 week)
3600 ; minimum (1 hour)
)
lrj.com NS dns.longrujun.com
lrj.com NS dns2.longrujun.com
A 12.12.12.12
$ORIGIN lrj.com.
www A 12.12.12.12
至此所有配置工作均已完成,检查一下Zone及conf文件
[root@redhatas4 named]# cd /Data/apps/named/sbin/
[root@redhatas4 sbin]# ./named-checkzone longrujun.com /Data/named/longrujun.com.zone
zone longrujun.com/IN: loaded serial 2006071602
OK
[root@redhatas4 sbin]# ./named-checkzone longrujun.com /Data/named/longrujun.com.zone.bj
zone longrujun.com/IN: loaded serial 2006071603
OK
[root@redhatas4 sbin]# ./named-checkzone lrj.com /Data/named/lrj.com
zone lrj.com/IN: loaded serial 2006071602
OK

C、 在Slave上安装及配置相关文件
1>、安装bind
cd /software
wget http://ftp.isc.org/isc/bind9/9.3.2/bind-9.3.2.tar.gz
tar zxvf bind-9.3.2.tar.gz
cd bind-9.3.2
./configure --prefix=/Data/apps/named \
--enable-threads
make
make install
2>、配置
Cd /Data/apps/named
[root@linux named]# mkdir etc
生成rndc控制命令的key文件
[root@linux named]# sbin/rndc-confgen > etc/rndc.conf
从rndc.conf文件中提取named.conf用的key
[root@linux named]# cd etc
自动在/Data/apps/named/etc生成named.conf文件
[root@linux etc]# tail -10 rndc.conf | head -9 | sed s/#\ //g > named.conf
3>、建立Zone文件目录
[root@linux etc]# mkdir /Data/named
进入/Data/named目录
[root@linux etc]# cd /Data/named
4>、建立localhost.zone
[root@linux named]#vi localhost.zone
$TTL 86400
$ORIGIN localhost.
@ 1D IN SOA @ root (
42 ; serial (d.
adams)
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum

1D IN NS @
1D IN A 127.0.0.1
5>、建立named.local
[root@linux named]#vi named.local
$TTL 86400
@ IN SOA localhost. root.localhost. (
1997022700 ; Serial
28800 ; Refresh
14400 ; Retry
3600000 ; Expire
86400 ) ; Minimum
IN NS localhost.

1 IN PTR localhost.

6>、生成named.root
[root@linux named]#dig > named.root
7>、修改named.conf
Cd /Data/apps/named/etc
配置named.conf文件,在后面加入一下代码
[root@linux etc]# vi named.conf
options {
directory "/Data/named";
pid-file "named.pid";
};

controls {
inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};

zone "." IN {
type hint;
file "named.root";
};

zone "localhost" IN {
type master;
file "localhost.zone";
allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.local";
allow-update { none; };
};

8>、测试启动bind
/Data/apps/named/sbin/named -c /Data/apps/named/etc/named.conf &
1>>在Slave建立config及zone文件
A>、修改named.conf文件
由于View功能需要把所有Zone放到View中,故在named.conf中删除如下内容
[root@redhatas4 network-scripts]# vi /Data/apps/named/etc/named.conf
zone "." IN {
type hint;
file "named.root";
};

zone "localhost" IN {
type master;
file "localhost.zone";
allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.local";
allow-update { none; };
};

同时在最后加上
include "zone.named.conf";
完整的named.conf如下(rndc-key 的 secret 同样应使用本机 rndc-confgen 生成的值,且只保留引用 "rndc-key" 的那一个 controls 段)
[root@redhatas4 etc]# cat named.conf
key "rndc-key" {
algorithm hmac-md5;
secret "7GOJi0L1LwB2WXR38/K3ow==";
};

controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};

options {
directory "/Data/named";
pid-file "named.pid";
};

controls {
inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};

include "zone.named.conf";

B>、建立zone.named.conf
[root@redhatas4 etc]# cd /Data/named/
[root@redhatas4 named]# vi zone.named.conf
debian:/Data/named# cat zone.named.conf
acl CNCbeijing {
61.48/14;61.135/16;61.148/15;202.96.0/18;202.99.0/18;202.106/16;202.108/16;221.216/13;222.128/14;
};

acl CNChebei {
60.0.0.0/12;61.55.0.0/16;61.159.0.0/18;61.182/16;202.99.128.0/18;218.11/15;221.192/14;
};

acl CNCshandong {
60.208.0.0/12;61.133.0.0/17;61.156.0.0/16;61.162.0.0/16;61.179.0.0/16;202.102.128.0/18;202.110.192.0/18;218.56.0.0/14;221.0.0.0/14;
};

acl CNCzhejiang { 60.12/16;221.12/16;};
acl CNCgansu { 60.13.0/18;221.7.32/19;};
acl CNCchongqing { 221.5.128/17;221.7.64/19;};
acl CNCguangdong { 221.4/15;};
acl CNCguangxi { 221.7.128/17;};
acl CNCguizhou { 221.13.0/18;};
acl CNChainan { 221.11.128/17;};
acl CNCheilongjiang {
61.138.0/18;61.167/16;61.180.128/17;202.97.192/18;218.7/14;221.208/13;};
acl CNChenan {
61.52/14;61.136.64/18;61.158.128/17;61.163/16;61.168/16;202.102.224/19;202.110.64/18;202.111.128/19;218.28/15;221.13.128/14;222.136/13;};
acl CNCjiangsu { 221.6/16;};
acl CNCjilin {
61.138.128/18;61.139.128/18;61.161.0/18;202.98.0/19;202.111.160/19;218.27/16;221.8/15;222.160/14;};
acl CNCliaoning {
60.16/13;61.137.128/17;61.161.128/17;61.176/16;61.189.0/17;202.96.64/19;202.97.160/19;202.107.0/17;202.110.0/18;218.24/15;218.60/15;221.200/14;};
acl CNCneimeng {60.31/16;221.199.128/17;};
acl CNCneimenggu { 61.134.96/19;61.138.64/18;202.99.224/19;};
acl CNCningxia { 221.199.0/18;};
acl CNCqinghai { 221.207.0/18;};
acl CNCshanxi
{221.11.0/17;60.220/14;202.97.128/19;202.99.192/19;218.26/16;221.204/15;};
acl CNCsichuan { 221.10/16;};
acl CNCtianjin {
60.24/13;60.181/16;202.99.64/18;218.67.128/14;221.196/14;};
acl CNCxinjiang { 60.13.128/17;221.7.0/19;};
acl CNCxizang { 221.13.64/19;};
acl CNCyunnan { 221.213/16;221.3.128/17;};
# pls edit acl testip1/2 with ur truely ip
#acl testip {211.157.101.174;211.157.101.175;};
#acl testip2 {211.152.17.58;211.152.17.59;};
acl testip1 {192.168.5.223;192.168.5.224;};
acl testip2 {192.168.5.225;192.168.5.226;};

view "internal" {
match-clients {
!192.168.5.224;!192.168.5.226;CNCbeijing;CNChebei;CNCshandong;CNCtianjin;CNCzhejiang;CNCgansu;CNCchongqing;CNCguangdong;CNCguangxi;CNCguizhou;CNChainan;CNCheilongjiang;CNChenan;CNCjiangsu;CNCjilin;CNCliaoning;CNCneimeng;CNCneimenggu;CNCningxia;CNCqinghai;CNCshanxi;CNCsichuan;CNCxinjiang;CNCxizang;CNCyunnan;testip1;testip2;};

recursion yes;
notify-source 192.168.5.225;
transfer-source 192.168.5.225;
query-source address 192.168.5.225;
include "common.zone.named.conf";
include "longrujun.other.zone.named.conf";

zone "longrujun.com" IN {
type slave;
file "longrujun.com.zone.bj";
masters { 192.168.5.223; };
transfer-source 192.168.5.225;
};
};

view "external" {
match-clients { any; };
recursion yes;
notify-source 192.168.5.226;
transfer-source 192.168.5.226;
query-source address 192.168.5.226;
include "common.zone.named.conf";
include "longrujun.other.zone.named.conf";

zone "longrujun.com" IN {
type slave;
file "longrujun.com.zone";
masters { 192.168.5.224; };
transfer-source 192.168.5.226;
};
};

C>、建立common.zone.named.conf
debian:/Data/named# vi common.zone.named.conf
zone "." IN {
type hint;
file "named.root";
};

zone "localhost" IN {
type master;
file "localhost.zone";
allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.local";
allow-update { none; };
};

D>、建立longrujun.other.zone.named.conf
debian:/Data/named# vi longrujun.other.zone.named.conf

zone "lrj.com" IN {
type slave;
file "Slave/lrj.com";
masters { 192.168.5.223; };
};

E>、建立longrujun.com.zone
debian:/Data/named# vi longrujun.com.zone
$ORIGIN .
$TTL 3600 ; 1 hour
longrujun.com IN SOA dns.longrujun.com. admin.longrujun.com.
(
2006071602 ; serial
10800 ; refresh (3 hours)
3600 ; retry (1 hour)
604800 ; expire (1 week)
3600 ; minimum (1 hour)
)
NS dns.longrujun.com.
NS dns2.longrujun.com.
MX 10 mail.longrujun.com.
$ORIGIN longrujun.com.
dns A 192.168.5.223
dns2 A 192.168.5.225
live A 10.10.10.99
mail CNAME mail
tag A 10.100.10.100
www A 202.99.8.1

F>、建立longrujun.com.zone.bj
debian:/Data/named# vi longrujun.com.zone.bj
$ORIGIN .
$TTL 3600
longrujun.com IN SOA dns.longrujun.com.
admin.longrujun.com. (
2006071603; serial
10800 ; refresh (3 hours)
3600 ; retry (1 hour)
604800 ; expire (1 week)
3600 ; minimum (1 hour)
)
longrujun.com NS dns.longrujun.com
longrujun.com NS dns2.longrujun.com
A 11.11.11.11
longrujun.com MX 10 mail.longrujun.com
mail.longrujun.com CNAME mail.longrujun.com
$ORIGIN longrujun.com.
www A 10.10.10.10
dns A 192.168.5.223
dns2 A 192.168.5.225
live A 10.10.10.11
tag A 10.10.10.12

7>、建立lrj.com
debian:/Data/named# cat lrj.com
$ORIGIN .
$TTL 3600
lrj.com IN SOA dns.longrujun.com. admin.longrujun.com.
(
2006071602; serial
10800 ; refresh (3 hours)
3600 ; retry (1 hour)
604800 ; expire (1 week)
3600 ; minimum (1 hour)
)
lrj.com NS dns.longrujun.com
lrj.com NS dns2.longrujun.com
A 12.12.12.12
$ORIGIN lrj.com.
www A 12.12.12.12
至此所有配置工作均已完成,检查一下Zone及conf文件
Published 2006年8月19日 16:32 by admin

2008年2月22日星期五

实例解析 Linux用IPtable实现防火墙
发布时间:2007.05.11 06:24 来源:赛迪网技术社区 作者:sixth

一般LINUX防火墙(iptables)的运用无非是用nat 表(PREROUTING、OUTPUT、POSTROUTING)和filter表(FORWARD、INPUT、OUTPUT)。我们只有知道了数据的流向才能正确地配置防火墙。现用一个相对比较直观的图形解释数据的走向。(此处只作最基本的iptables数据流走向说明。)

上图是你的家,蓝色的圈是你家院子,有两扇大门①⑥进出,你家有两个房间,分别为eth0和 eth1房间,每个房间有两个门可以进出②③④⑤。旁边是张三和李四的家,张三家和李四家之间的往返必须要过你家院子。

现假设,eth0网卡IP为:192.168.5.1链接内网,eth1网卡IP为:218.100.100.111链接互连网。

再假设,“张三家”为一个局域网,“李四家”为互连网。进我家院子用 PREROUTING,出我家院子用FORWARD,进我家门用INPUT,出我家门用 OUTPUT。(当我们的操作是针对服务器本身而言的话,如SSH操作,此时肯定会用到PREROUTING、INPUT和OUTPUT,当数据只是通过服务器去访问别的机器时会用到PREROUTING和FORWARD。)

又假设,默认这六个门都是关的。生成如下代码。

###########################################################################

*nat

################################

:PREROUTING DROP [0:0]

:OUTPUT DROP [0:0]

:POSTROUTING DROP [0:0]

################################

-F

-Z

-X

### 以后要新增语句请在此处增加。

-L –v

COMMIT

################################################

*filter

##############################

:INPUT DROP [0:0]

:FORWARD DROP [0:0]

:OUTPUT DROP [0:0]

##############################

-F

-Z

-X

### 以后要新增语句请在此处增加。

-L –v

COMMIT

##########################################################################

1、 局域网用户通过服务器共享上网

(即从张三家到李四家)

1)首先进①号门,再从⑥号门走出。

-A PREROUTING –p tcp --dport 80 –j ACCEPT #允许TCP 80端口通过服务器

-A FORWARD –p tcp --dport 80 –j ACCEPT #允许TCP80 端口转发

-A FORWARD –p tcp --sport 80 –j ACCEPT #允许接收对方为TCP80端口返回的信息(注意:这条规则只看来源端口,任何来源端口为 80 的外部数据包都会被转发进内网,而不只是回应包;只想放行回应流量时,通常改用 -m state --state ESTABLISHED,RELATED 规则。)

2)其次,由于我们上网打的是域名,为此有一个公网DNS服务器为我们服务,那当然也要允许内网机器与DNS服务器的数据转发。DNS用UDP 53或者 TCP 53端口。两者用其一个就行。

-A PREROUTING –p udp --dport 53 –j ACCEPT

-A FORWARD –p udp --dport 53 –j ACCEPT

-A FORWARD –p udp --sport 53 –j ACCEPT

3)再次,由于局域网的地址在公网上是不被允许的,所以在出公网前应该把其地址转为服务器地址进行伪装。

-A POSTROUTING –s 192.168.5.0/24 –j SNAT –to 218.100.100.111

2、 允许局域网和公网可以访问服务器的SSH

假设SSH采用默认端口TCP 22 。此要求相当于要进我的家的TCP 22号门,为此我们首先要进我家院子,然后再进我家门,最后走出我家门这样的过程。此操作是针对服务器本身的操作。

-A PREROUTING –p tcp --dport 22 –j ACCEPT

-A INPUT –p tcp --dport 22 –j ACCEPT

-A OUTPUT –p tcp --sport 22 –j ACCEPT

3、 允许内网机器可以登录MSN和QQ。

(MSN 和QQ默认是不允许登录的)QQ一般来说可以从TCP 80、8000、443及UDP 8000、4000登录,而MSN可以从TCP 1863、443登录。我们登录MSN和QQ的过程就象上网一样,也是去访问远程服务器的指定端口,故而我们只用数据转发即可。

-A PREROUTING –p tcp --dport 1863 –j ACCEPT

-A PREROUTING –p tcp --dport 443 –j ACCEPT

-A PREROUTING –p tcp --dport 8000 –j ACCEPT

-A PREROUTING –p udp --dport 8000 –j ACCEPT

-A PREROUTING –p udp --dport 4000 –j ACCEPT

-A FORWARD –p tcp --dport 1863 –j ACCEPT

-A FORWARD –p tcp --sport 1863 –j ACCEPT

-A FORWARD –p tcp --dport 443 –j ACCEPT

-A FORWARD –p tcp --sport 443 –j ACCEPT

-A FORWARD –p tcp --dport 8000 –j ACCEPT

-A FORWARD –p tcp --sport 8000 –j ACCEPT

-A FORWARD –p udp --dport 8000 –j ACCEPT

-A FORWARD –p udp --sport 8000 –j ACCEPT

-A FORWARD –p udp --dport 4000 –j ACCEPT

-A FORWARD –p udp --sport 4000 –j ACCEPT

4、 让内网机器可以收发邮件。

接收邮件是访问远程服务器的TCP 110端口,发送邮件是访问TCP25端口。用数据转发即可。

-A PREROUTING –p tcp --dport 110 –j ACCEPT

-A PREROUTING –p tcp --dport 25 –j ACCEPT

-A FORWARD –p tcp --dport 110 –j ACCEPT

-A FORWARD –p tcp --sport 110 –j ACCEPT

-A FORWARD –p tcp --dport 25 –j ACCEPT

-A FORWARD –p tcp --sport 25 –j ACCEPT

5、 内部机器对外发布WEB。

要把内网机器192.168.5.179的WEB对外发布的话,相当于是从外网访问内网。与第1步操作的局域网共享上网相同,只是访问的方向改变了。不是从内网访问外网,而是从外网访问内网。

当公网访问服务器218.100.100.111时,防火墙把它映射到内网的192.168.5.179的TCP80上。当内网机器访问服务器218.100.100.111时,防火墙把它映射到内网的192.168.5.179的TCP80上。

-A PREROUTING –i eth0 –p tcp –d 218.100.100.111 --dport 80 –j DNAT --to-destination 192.168.5.179:80

-A PREROUTING –i eth1 –p tcp –d 218.100.100.111 –dport 80 –j DNAT –to-destination 192.168.5.179:80

(以上两句必须写在 –A PREROUTING –p tcp --dport 80 –j ACCEPT 前面。)

TCP 80端口的转发在第1步就已做过,此处就不用重复制作了。另外在

-A POSTROUTING –s 192.168.5.0/24 –j SNAT –to 218.100.100.111 之后加上一句:

-A POSTROUTING –p tcp --dport 80 –j ACCEPT

为什么要加这句话呢,我的理解是这样的,

公网访问 [url]http://218.100.100.111[/url]时:(假设公网上用户的IP为199.199.199.199,端口12345为随机的产生的。)

数据源 : ip:199.199.199.199 sport:12345

数据目标: ip:218.100.100.111 dport 80

此时,通过-A PREROUTING –i eth0 –p tcp –d 218.100.100.111 --dport 80 –j DNAT --to-destination 192.168.5.179:80 告诉199.199.199.199,您要访问的真正地址应该是192.168.5.179:80,然后我们通过-A POSTROUTING –p tcp --dport 80 –j ACCEPT 目标地址218.100.100.111:80伪装成 192.168.5.179:80 。(更准确地说,这条 ACCEPT 本身不做任何地址转换;因为本例把 nat 表 POSTROUTING 链的预设策略设成了 DROP,而 DNAT 后该连接的第一个数据包不匹配上面的 SNAT 规则,所以需要显式放行,否则它会在 POSTROUTING 被丢弃。)

数据源 : ip:199.199.199.199 sport:12345

数据目标: ip:192.168.5.179 dport 80

当192.168.5.179返回数据时:

数据源 : ip:192.168.5.179 sport:80

数据目标: ip:199.199.199.199 dport 12345

数据经过 -A POSTROUTING –s 192.168.5.0/24 –j SNAT –to 218.100.100.111 后,

数据源 : ip:218.100.100.111 sport:80

数据目标: ip:199.199.199.199 dport 12345

6、 完整的iptables配置

###########################################################################

*nat

################################

:PREROUTING DROP [0:0]

:OUTPUT DROP [0:0]

:POSTROUTING DROP [0:0]

################################

-F

-Z

-X

-A PREROUTING –i eth0 –p tcp –d 218.100.100.111 --dport 80 –j DNAT --to-destination 192.168.5.179:80

-A PREROUTING –i eth1 –p tcp –d 218.100.100.111 --dport 80 –j DNAT –to-destination 192.168.5.179:80

-A PREROUTING –p tcp --dport 80 –j ACCEPT

-A PREROUTING –p udp --dport 53 –j ACCEPT

-A PREROUTING –p tcp --dport 22 –j ACCEPT

-A PREROUTING –p tcp --dport 1863 –j ACCEPT

-A PREROUTING –p tcp --dport 443 –j ACCEPT

-A PREROUTING –p tcp --dport 8000 –j ACCEPT

-A PREROUTING –p udp --dport 8000 –j ACCEPT

-A PREROUTING –p udp --dport 4000 –j ACCEPT

-A PREROUTING –p tcp --dport 110 –j ACCEPT

-A PREROUTING –p tcp --dport 25 –j ACCEPT

-A POSTROUTING –s 192.168.5.0/24 –j SNAT –to 218.100.100.111

-A POSTROUTING –p tcp --dport 80 –j ACCEPT

-L –v

COMMIT

################################################

*filter

##############################

:INPUT DROP [0:0]

:FORWARD DROP [0:0]

:OUTPUT DROP [0:0]

##############################

-F

-Z

-X

-A INPUT –p tcp --dport 22 –j ACCEPT

-A OUTPUT –p tcp --sport 22 –j ACCEPT

-A FORWARD –p tcp --dport 80 –j ACCEPT

-A FORWARD –p tcp --sport 80 –j ACCEPT

-A FORWARD –p udp --dport 53 –j ACCEPT

-A FORWARD –p udp --sport 53 –j ACCEPT

-A FORWARD –p tcp --dport 1863 –j ACCEPT

-A FORWARD –p tcp --sport 1863 –j ACCEPT

-A FORWARD –p tcp --dport 443 –j ACCEPT

-A FORWARD –p tcp --sport 443 –j ACCEPT

-A FORWARD –p tcp --dport 8000 –j ACCEPT

-A FORWARD –p tcp --sport 8000 –j ACCEPT

-A FORWARD –p udp --dport 8000 –j ACCEPT

-A FORWARD –p udp --sport 8000 –j ACCEPT

-A FORWARD –p udp --dport 4000 –j ACCEPT

-A FORWARD –p udp --sport 4000 –j ACCEPT

-A FORWARD –p tcp --dport 110 –j ACCEPT

-A FORWARD –p tcp --sport 110 –j ACCEPT

-A FORWARD –p tcp --dport 25 –j ACCEPT

-A FORWARD –p tcp --sport 25 –j ACCEPT

-L –v

COMMIT

##########################################################################

7、 其它注意事项

1)在使用iptables防火墙之前,必须先打开IP转发功能。

# echo "1" > /proc/sys/net/ipv4/ip_forward

2)以上内容(第6步生成的内容)保存到 /etc/sysconfig/iptables文件中。

3)每修改一次iptables文件后,都要重启iptables

# service iptables restart

(T002)
http://tech.ccidnet.com/art/9513/20070510/1078171_1.html

有效配置与管理iptable来提高网络安全

有效配置与管理iptable来提高网络安全
开发者在线 Builder.com.cn 更新时间:2006-02-27作者:Chad Perrin 来源:

重定向

在测试该配置一段时间后,我将使用iptables-save命令将配置内容输出到一个文件中,我使用重定向将输出内容保存到名为saved.std或iptables.std的文件中,此处的std是standard(标准)的缩写,这样,我就清楚地标记出了基准的通用的工作站iptable配置模板。

一旦我保存了这个文件,我就能针对单独的工作站的需要编辑iptable规则了,并可以使用iptables-restore命令来加载它们,在默认情况下,iptables-restore命令将在重建iptable 之前刷新原有设置,所以您不需要担心在使用该命令前刷新iptable来保证所有的事情按照您的需求运作。

现在,如果我需要那个saved.std文件在很多其他的计算机上重复使用,我应该将其保存在方便的位置。然后,要将它应用到新的计算机上,我所需要做的就是将它拷贝到新的系统上,并在新的系统上运行iptables-restore < saved.std,就像我要在第一个系统上恢复备份的默认设置一样。这样做就使新的配置完全取代了原有的iptable设置,即使重新启动计算机也不会取消这些改变,它将保持不变,直到您再次改变它。

这是一个模板文件saved.std的例子(列表A)和一些解释。

列表A

*mangle

:PREROUTING ACCEPT [48436:11233990]

:INPUT ACCEPT [48436:11233990]

:FORWARD ACCEPT [0:0]

:OUTPUT ACCEPT [29730:6162034]

:POSTROUTING ACCEPT [29730:6162034]

COMMIT

*nat

:PREROUTING ACCEPT [391:49336]

:POSTROUTING ACCEPT [1793:110951]

:OUTPUT ACCEPT [1793:110951]

COMMIT

*filter

:INPUT DROP [0:0]

:FORWARD DROP [0:0]

:OUTPUT ACCEPT [1418:147349]

-A INPUT -i lo -j ACCEPT

-A INPUT -m state --state ESTABLISHED -j ACCEPT

-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

-A INPUT -p tcp -m tcp --dport 631 -j ACCEPT

-A INPUT -p all -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT

-A INPUT -j DROP

-A OUTPUT -o lo -j ACCEPT

-A OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT

-A OUTPUT -p tcp -m tcp --sport 631 -j ACCEPT

COMMIT

这个iptable配置可以从根本上使您的计算机立刻对任何没有通过您请求的输入连接伪装成不存在,对于转发的包也同样适用,这通常是一个好的策略,使用默认的:INPUT DROP和:FORWARD DROP,用于特定端口、地址等等的例外情况可以在稍后创建。

与此同时,为了保证您不会忘记允许您的用户可以做的事情,您或许可以使用:OUTPUT ACCEPT的默认值,这样的操作是在假设由此用户发起的来自系统外部的连接不太可能是安全威胁。一种更安全的配置方式是使用:OUTPUT DROP并设定您希望允许的例外情况,但当最终用户系统必需执行多种网络功能时,这可能会造成一些困难。

同样的,尽管创建一个更安全并可有效管理的配置是可能的,但是这一任务在不同的案例和需求情况下是截然不同的,这超出了本文的讨论范围。请将我提供的配置当作是“足够好”的解决方案,直到您学到了足够的关于iptable的知识来改变其配置以符合您专门的单独的需要。这一模板配置彻底提高了默认配置的安全性,而不会干扰您完成工作的能力。

-A INPUT -i lo -j ACCEPT 允许您的系统接收所有源自本机回环接口 lo 的输入请求,这对于诸如测试您的系统配置是非常有帮助的,比如ping自己,让本地系统传送邮件(当您的计算机想要告诉您什么东西坏掉时)等等。

-A INPUT -m state --state ESTABLISHED -j ACCEPT利用了iptable过滤有状态的数据包的能力,这将允许您对输入数据包的DROP策略采取更灵活的手段。这行命令基本上规定了任何由您发起的连接都可以继续,对于任何已经建立的连接中的输入信息包可以绕过DROP策略。否则,您虽然可以将数据发送到其它的服务器,但是永远都不会知道数据是否送达了,因为服务器试图向您的防火墙进行回复,但防火墙只会丢弃那些数据包而没有任何提示。

-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT允许输入的SSH连接,您可能要将命令中的22改为任何其它的端口,以保证任何远程客户可以建立SSH连接,因为这些用户可能使用的是其它的端口用于建立SSH连接。

对于永远不要远程访问的系统,您在应用此配置前应当删除这一行命令,但是据我的经验,远程SSH访问是一种对分布式网络进行安全管理的工具,所以大部分非单机系统用户,比如家庭桌面计算机,都是网络中的计算机,而这些用户大都需要某种程度上的远程SSH连接。今后当您非常精通iptable配置的时候,您可以将这行命令替换为多行以详细定义与远程计算机连接的有效来源,这样即使使用的是非标准的系统端口,也不能从错误的来源(比如不正确的IP地址等等)建立SSH连接,但这些内容已经超过了本文的范围。

-A INPUT -p tcp -m tcp --dport 631 -j ACCEPT允许使用通用UNIX打印系统(CUPS)与网络中的打印机连接,如果这不是您需要考虑的内容,请将这行删除。对于更复杂的情况,需要更安全的iptable规则来实现这些功能,但这行命令只是一个简洁的起点。

-A INPUT -p all -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT是另一“允许我和我自己通话”的命令。

基于我所给出的INPUT部分的说明,OUTPUT部分的命令也就不言自明了,它们主要定义了与外界连接的网络活动的规则。用于保证系统安全的iptable的工作还可以有很多,但是我的目的在于提供一个管理iptable配置的起始点。在我所见到过的系统默认配置中,这个简短的配置是优秀的、具有安全智慧的,而默认配置往往会长达上百行。

执行总结

为了简单起见,这是您所要执行的工作信息。

1. 输入iptables-save > /var/lib/iptables/saved.bak命令(或某些相似的文件名或路径)来保存现有的iptable配置,这样您以后就可以撤销所做的改变。
2. 将以上的iptable配置保存到/var/lib/iptables/saved.std(或相似的文件)。
3. 输入iptables-restore < /var/lib/iptables/saved.std命令来使用saved.std对现有的iptable进行设置。

如果您决定将改变的配置只用于一个系统,而不是其它的,您可以将saved.std复制为saved.loc,这样您可以在新的文件中编辑iptable的配置参数以反映新的配置需求,然后使用iptables-restore命令在本地系统上执行这些改变。

在大型网络中,推动脚本或网络节点的克隆脚本可以用于替代在这些机器上的任何新版本的saved.std文件,它们可以自动执行,尽管我建议不要允许工作站的本地脚本来改变iptable配置,这可能会引入安全漏洞,而且,一个在网络中从中央位置运行的推动脚本来部署新的配置文件以及运行iptables-restore可能是一个更好的选择,这将有助于减少管理费用。

以上这些只是一个与本地系统防火墙相关的严肃的企业范围的安全策略的开始,还有很多工作要做,尤其在大型网络中需要进一步减少工作量,然而,从此开始您一定可以施展这些技能在今后的工作中造就难以渗透的网络。

努力工作,并祝好运。

iptables 的观念及用法

这一节开始说明 iptables 的观念及用法

iptables 中的指令,均需区分大小写。

ipchains 和 iptables 在语法上的主要的差异,注意如下∶
1. 在 ipchains 中,诸如 input 链,是使用小写的 chains 名,在 iptables 中,要改用大写 INPUT。
2. 在 iptables 中,要指定规则是欲作用在那一个规则表上(使用 -t 来指定,如 -t nat),若不指定,则预设是作用在 filter 这个表。
3. 在 ipchains 中, -i 是指介面(interface),但在 iptables 中,-i 则是指进入的方向,且多了 -o,代表出去的方向。
4. 在 iptables 中,来源 port 要使用关键字 --sport 或 --source-port
5. 在 iptables 中,目的 port 要使用关键字 --dport 或 --destination-port
6. 在 iptables 中,"丢弃" 的处置动作,不再使用 DENY 这个 target,改用 DROP。
7. 在 ipchains 的记录档功能 -l,已改为目标 -j LOG,并可指定记录档的标题。
8. 在 ipchains 中的旗标 -y,在 iptables 中可用 --syn 或 --tcp-flag SYN,ACK,FIN SYN
9. 在 iptables 中,icmp messages 型态,要加上关键字 --icmp-type,如∶
iptables -A OUTPUT -o eth0 -p icmp -s $FW_IP --icmp-type 8 -d any/0 -j ACCEPT




iptables 使用时的样板
在设定 iptables 的封包过滤规则时,有几个样板的动作,若先熟悉它们,往后就可自行套用,依此类推,很快地,您就可以进入这个天地之中。

观察目前的设定
作法如下∶

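# Show the current rules of the (default) filter table, then those of the
# nat table; -n prints addresses and ports numerically, without DNS lookups.
iptables -L -n
# The second command was misspelled "iptablse" and would not run.
iptables -t nat -L -n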





定义变数
# The firewall's own (external) address; the rules below refer to it as $FW_IP.
FW_IP='163.26.197.8'



打开核心 forward 功能
作法如下∶

###-----------------------------------------------------###
# Enable IPv4 forwarding in the kernel so this box can pass
# packets between its interfaces (required by the SNAT/DNAT
# examples further down).
###-----------------------------------------------------###

printf '%s\n' 1 > /proc/sys/net/ipv4/ip_forward




清除所有的规则
一开始要先清除所有的规则,重新开始,以免旧有的规则影响新的设定。作法如下∶

###-----------------------------------------------------###
# Start from a clean slate: flush every chain and delete every
# user-defined chain in the filter, mangle and nat tables, so
# leftover rules cannot interfere with the new set.
###-----------------------------------------------------###
for table in filter mangle nat; do
  # -F flushes the rules of all chains in the table
  iptables -t "$table" -F
  # -X deletes the (now empty) user-defined chains of the table
  iptables -t "$table" -X
done




选定预设的政策
接着,要选定各个不同的规则链,预设的政策为何。作法如下∶

预设全部丢弃∶

###-----------------------------------------------------###
# Default policy for the filter table: drop anything that no
# rule explicitly accepts, on INPUT, OUTPUT and FORWARD alike.
###-----------------------------------------------------###
for chain in INPUT OUTPUT FORWARD; do
  iptables --policy "$chain" DROP
done




或者预设全部接受∶

###-----------------------------------------------------###
# Default policy for the filter table: accept anything that no
# rule explicitly drops, on INPUT, OUTPUT and FORWARD alike.
###-----------------------------------------------------###
for chain in INPUT OUTPUT FORWARD; do
  iptables --policy "$chain" ACCEPT
done




各个规则链的预设政策可独立自主的设定,不必受其它链的影响。

以下练习,若目标为 DROP,则 policy 请设为 ACCEPT;若目标为 ACCEPT,则 policy 请设为 DROP,如此方可看出效果。

开放某一个介面
作法如下∶

# Loopback: traffic between local processes only traverses the
# INPUT and OUTPUT chains (never FORWARD), so those two are opened.
iptables --append INPUT --in-interface lo --jump ACCEPT
iptables --append OUTPUT --out-interface lo --jump ACCEPT

注∶IPFW 或 Netfilter 的封包流向,local process 不会经过 FORWARD Chain,
因此 lo 只在 INPUT 及 OUTPUT 二个 chain 作用。

# Trust eth1 completely (presumably the internal side; eth0 is the
# external card in the sections that follow): accept everything that
# arrives on it, leaves through it, or is forwarded in either direction.
iptables --append INPUT --in-interface eth1 --jump ACCEPT
iptables --append OUTPUT --out-interface eth1 --jump ACCEPT
for direction in --in-interface --out-interface; do
  iptables --append FORWARD "$direction" eth1 --jump ACCEPT
done




IP 伪装
使内部网路的封包经过伪装之后,使用对外的 eth0 网卡当作代表号,对外连线。作法如下∶

###-----------------------------------------------------###
# Source NAT for the internal network: packets from
# 172.16.0.0/16 leaving through eth0 are rewritten so that
# $FW_IP appears as their source address.
###-----------------------------------------------------###

iptables --table nat --append POSTROUTING --out-interface eth0 \
  --source 172.16.0.0/16 --jump SNAT --to-source "$FW_IP"




上述指令意指∶把 172.16.0.0/16 这个网段,伪装成 $FW_IP 出去。

虚拟主机
利用转址、转 port 的方式,使外部网路的封包,可以到达内部网路中的伺服主机,俗称虚拟主机。这种方式可保护伺服主机大部份的 port 不被外界存取,只开放公开服务的通道(如 Web Server port 80),因此安全性甚高。

作法如下∶

###-----------------------------------------------------###
# Destination NAT ("virtual host"): TCP port 80 arriving on eth0
# for $FW_IP is handed to the internal web server. Only the
# published port is exposed; every other port of that server
# stays unreachable from outside.
###-----------------------------------------------------###
# whoever connects to $FW_IP:80 is redirected to 172.16.255.2:80
iptables --table nat --append PREROUTING --in-interface eth0 --protocol tcp \
  --destination "$FW_IP" --destination-port 80 \
  --jump DNAT --to-destination 172.16.255.2:80




开放内部主机可以 telnet 至外部的主机
开放内部网路,可以 telnet 至外部主机。

作法如下∶(预设 policy 为 DROP)

###-----------------------------------------------------###
# Outbound telnet (TCP 23) from this host to anywhere.
# Telnet carries credentials in cleartext; the ssh section
# further down is the safer choice where the far end supports it.
###-----------------------------------------------------###

# our side: unprivileged source port -> remote port 23
iptables --append OUTPUT --out-interface eth0 --protocol tcp \
  --source "$FW_IP" --source-port 1024:65535 \
  --destination any/0 --destination-port 23 --jump ACCEPT
# replies only: "! --syn" refuses packets that would open a new connection
iptables --append INPUT --in-interface eth0 --protocol tcp ! --syn \
  --source any/0 --source-port 23 \
  --destination "$FW_IP" --destination-port 1024:65535 --jump ACCEPT




开放邮包转递通道
开放任意的邮件主机送信包给你的 Mail Server,而你的 Mail Server 也可以送信包过去。

作法如下∶(预设 policy 为 DROP)

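###-----------------------------------------------------###
# SMTP (TCP 25) in both directions, stateless style: each
# direction needs one ACCEPT for the request path and one for
# the replies coming back.
###-----------------------------------------------------###

# Inbound mail: anyone may connect to our port 25 ...
iptables -A INPUT -i eth0 -p tcp -s any/0 --sport 1024:65535 -d $FW_IP --dport 25 -j ACCEPT
# ... and our replies go back out. "! --syn" keeps this rule from
# letting us open new connections with source port 25.
iptables -A OUTPUT -o eth0 -p tcp ! --syn -s $FW_IP --sport 25 -d any/0 --dport 1024:65535 -j ACCEPT

# Outbound mail: we connect to any remote port 25 ...
iptables -A OUTPUT -o eth0 -p tcp -s $FW_IP --sport 1024:65535 -d any/0 --dport 25 -j ACCEPT
# ... and accept only the replies. The upper bound was 65525 here, a
# typo that left 65526-65535 uncovered; 1024:65535 matches the OUTPUT
# rule above and every other section of this tutorial.
iptables -A INPUT -i eth0 -p tcp ! --syn -s any/0 --sport 25 -d $FW_IP --dport 1024:65535 -j ACCEPT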




开放对外离线下载信件的通道
开放内部网路可以对外部网路的 POP3 server 取信件。

作法如下∶(预设 policy 为 DROP)

###-----------------------------------------------------###
# Outbound POP3 (TCP 110): fetch mail from outside servers.
###-----------------------------------------------------###

iptables --append OUTPUT --out-interface eth0 --protocol tcp \
  --source "$FW_IP" --source-port 1024:65535 \
  --destination any/0 --destination-port 110 --jump ACCEPT
# replies only: "! --syn" rejects connection attempts arriving from port 110
iptables --append INPUT --in-interface eth0 --protocol tcp ! --syn \
  --source any/0 --source-port 110 \
  --destination "$FW_IP" --destination-port 1024:65535 --jump ACCEPT




开放观看网页的通道
开放内部网路可以观看外部网路的网站。

作法如下∶(预设 policy 为 DROP)

###-----------------------------------------------------###
# Outbound HTTP (TCP 80): browse outside web sites.
###-----------------------------------------------------###

iptables --append OUTPUT --out-interface eth0 --protocol tcp \
  --source "$FW_IP" --source-port 1024:65535 \
  --destination any/0 --destination-port 80 --jump ACCEPT
# replies only: "! --syn" rejects connection attempts arriving from port 80
iptables --append INPUT --in-interface eth0 --protocol tcp ! --syn \
  --source any/0 --source-port 80 \
  --destination "$FW_IP" --destination-port 1024:65535 --jump ACCEPT




开放查询外部网路的 DNS 主机
开放内部网路,可以查询外部网路任何一台 DNS 主机。

作法如下∶(预设 policy 为 DROP)

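###-----------------------------------------------------###
# DNS (port 53): let this host query any outside resolver, and
# let the DNS server on this host exchange queries with outside
# DNS servers.
###-----------------------------------------------------###

# Ordinary lookups go over UDP first. UDP has no SYN flag, so the
# INPUT rule also admits unsolicited datagrams from source port 53.
iptables -A OUTPUT -o eth0 -p udp -s $FW_IP --sport 1024:65535 -d any/0 --dport 53 -j ACCEPT
iptables -A INPUT -i eth0 -p udp -s any/0 --sport 53 -d $FW_IP --dport 1024:65535 -j ACCEPT

# On error the resolver retries over TCP (replies only: "! --syn")
iptables -A OUTPUT -o eth0 -p tcp -s $FW_IP --sport 1024:65535 -d any/0 --dport 53 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp ! --syn -s any/0 --sport 53 -d $FW_IP --dport 1024:65535 -j ACCEPT

# Server-to-server traffic (port 53 on both ends): UDP
iptables -A OUTPUT -o eth0 -p udp -s $FW_IP --sport 53 -d any/0 --dport 53 -j ACCEPT
iptables -A INPUT -i eth0 -p udp -s any/0 --sport 53 -d $FW_IP --dport 53 -j ACCEPT
# Server-to-server traffic: TCP. "! -y" is the ipchains spelling of the
# SYN test (see item 8 of the ipchains/iptables differences above) and is
# not an iptables option; "! --syn" is the equivalent.
iptables -A OUTPUT -o eth0 -p tcp -s $FW_IP --sport 53 -d any/0 --dport 53 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp ! --syn -s any/0 --sport 53 -d $FW_IP --dport 53 -j ACCEPT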





开放内部主机可以 ssh 至外部的主机
开放内部网路,可以 ssh 至外部主机。

作法如下∶(预设 policy 为 DROP)

###-----------------------------------------------------###
# Outbound ssh (TCP 22) from this host to anywhere.
###-----------------------------------------------------###

iptables --append OUTPUT --out-interface eth0 --protocol tcp \
  --source "$FW_IP" --source-port 1024:65535 \
  --destination any/0 --destination-port 22 --jump ACCEPT
# replies only: "! --syn" rejects connection attempts arriving from port 22
iptables --append INPUT --in-interface eth0 --protocol tcp ! --syn \
  --source any/0 --source-port 22 \
  --destination "$FW_IP" --destination-port 1024:65535 --jump ACCEPT

# The ssh client may also bind a privileged source port (1020-1023),
# which the unprivileged range above does not cover.
# NOTE(review): presumably only needed for older clients that use
# privileged-port mode — confirm before keeping these two rules.
iptables --append OUTPUT --out-interface eth0 --protocol tcp \
  --source "$FW_IP" --source-port 1020:1023 \
  --destination any/0 --destination-port 22 --jump ACCEPT
iptables --append INPUT --in-interface eth0 --protocol tcp ! --syn \
  --source any/0 --source-port 22 \
  --destination "$FW_IP" --destination-port 1020:1023 --jump ACCEPT




开放内部主机可以 ftp 至外部的主机
开放内部网路,可以 ftp 至外部主机。

作法如下∶(预设 policy 为 DROP)

###-----------------------------------------------------###
# Outbound ftp from this host to any outside server.
###-----------------------------------------------------###

# Control channel (port 21): we connect out, only replies come back.
iptables --append OUTPUT --out-interface eth0 --protocol tcp \
  --source "$FW_IP" --source-port 1024:65535 \
  --destination any/0 --destination-port 21 --jump ACCEPT
iptables --append INPUT --in-interface eth0 --protocol tcp ! --syn \
  --source any/0 --source-port 21 \
  --destination "$FW_IP" --destination-port 1024:65535 --jump ACCEPT

# Active-mode data channel (port 20): the SERVER connects back to us, so
# this INPUT rule has no "! --syn". Consequence: any outside host that
# sets source port 20 may open a connection to every port above 1023 on
# this box. The FTP connection-tracking helper (CONFIG_IP_NF_FTP) with a
# RELATED state match avoids that, but is outside this stateless example.
iptables --append INPUT --in-interface eth0 --protocol tcp \
  --source any/0 --source-port 20 \
  --destination "$FW_IP" --destination-port 1024:65535 --jump ACCEPT
iptables --append OUTPUT --out-interface eth0 --protocol tcp ! --syn \
  --source "$FW_IP" --source-port 1024:65535 \
  --destination any/0 --destination-port 20 --jump ACCEPT

# Passive-mode data channel: we connect to an unprivileged server port.
# Note this OUTPUT rule admits outbound connections to ANY port above
# 1023, not just ftp data; the INPUT side is replies only.
iptables --append OUTPUT --out-interface eth0 --protocol tcp \
  --source "$FW_IP" --source-port 1024:65535 \
  --destination any/0 --destination-port 1024:65535 --jump ACCEPT
iptables --append INPUT --in-interface eth0 --protocol tcp ! --syn \
  --source any/0 --source-port 1024:65535 \
  --destination "$FW_IP" --destination-port 1024:65535 --jump ACCEPT

开放 ping
可以对外 ping 任何一台主机。

作法如下∶(预设 policy 为 DROP)

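# Outbound ping: echo-request (type 8) goes out, echo-reply (type 0) comes back.
iptables -A OUTPUT -o eth0 -p icmp -s $FW_IP --icmp-type 8 -d any/0 -j ACCEPT
# "-p icm" was a typo; the protocol name iptables understands is "icmp".
iptables -A INPUT -i eth0 -p icmp -s any/0 --icmp-type 0 -d $FW_IP -j ACCEPT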

Basic Iptables - Debian/RedHat

Basic Iptables - Debian/RedHat
Submitted by themachine (Contact Author) (Forums) on Mon, 2005-10-17 02:21. :: Kernel

Summary

You can find an easier to read version here: 5dollarwhitebox.org

A lot of people are freaked out by IPTables and find it hard to understand. However, once you get the grasp of it the basics are easy. This document will serve as a basic how-to on using iptables. I am in no way an iptables guru, but have been using it like this for quite a while. If I've made any mistakes please don't hesitate to email me.


The System

Debian Sarge 3.1; vanilla 2.6.12.4 kernel from mirrors.kernel.org; iptables administration utility version 1.2.11-10


Preparation

This How-To is performed on a Debian Sarge 3.1 box, though the commands and syntax should work for any linux distro. Before you can configure iptables, you first must ensure that it has been compiled into the kernel, and that you have the proper userland utilities installed.


You should have a config file from when the kernel was compiled. Grep'ing it for "CONFIG_IP_NF" should produce '=y' or '=m' for most of the lines/options. Here you see that "CONFIG_IP_NF_IPTABLES" was compiled as a kernel module.

# cat /boot/config-2.4.30 | grep -i "CONFIG_IP_NF"

CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_FTP=m
CONFIG_IP_NF_AMANDA=m
CONFIG_IP_NF_TFTP=m
CONFIG_IP_NF_IRC=m
CONFIG_IP_NF_QUEUE=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_LIMIT=m
CONFIG_IP_NF_MATCH_MAC=m
CONFIG_IP_NF_MATCH_PKTTYPE=m
CONFIG_IP_NF_MATCH_MARK=m
CONFIG_IP_NF_MATCH_MULTIPORT=m
CONFIG_IP_NF_MATCH_TOS=m
CONFIG_IP_NF_MATCH_RECENT=m
CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_DSCP=m
CONFIG_IP_NF_MATCH_AH_ESP=m
CONFIG_IP_NF_MATCH_LENGTH=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_MATCH_TCPMSS=m
CONFIG_IP_NF_MATCH_HELPER=m
CONFIG_IP_NF_MATCH_STATE=m
CONFIG_IP_NF_MATCH_CONNTRACK=m
CONFIG_IP_NF_MATCH_UNCLEAN=m
CONFIG_IP_NF_MATCH_OWNER=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_MIRROR=m
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_IP_NF_NAT_AMANDA=m
CONFIG_IP_NF_NAT_SNMP_BASIC=m
CONFIG_IP_NF_NAT_IRC=m
CONFIG_IP_NF_NAT_FTP=m
CONFIG_IP_NF_NAT_TFTP=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_TOS=m
CONFIG_IP_NF_TARGET_ECN=m
CONFIG_IP_NF_TARGET_DSCP=m
CONFIG_IP_NF_TARGET_MARK=m
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_TARGET_ULOG=m
CONFIG_IP_NF_TARGET_TCPMSS=m
CONFIG_IP_NF_ARPTABLES=m
CONFIG_IP_NF_ARPFILTER=m
CONFIG_IP_NF_ARP_MANGLE=m
CONFIG_IP_NF_COMPAT_IPCHAINS=m
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_COMPAT_IPFWADM=m
CONFIG_IP_NF_NAT_NEEDED=y

This isn't all that necessary, since you'll find out real quick whether iptables works or not once we try to add some rules.


You can check whether you have the iptables administration utility installed by executing:
# dpkg -l iptables
iptables 1.2.11-10 Linux kernel 2.4+ iptables administration to


...or for rpm based distro:
# rpm -qa | grep iptables
iptables-xxxxx


...or you can just see if the binary is there!
# which iptables
/sbin/iptables



If the utility is missing you can install it like so:

APT
# apt-get update && apt-get install iptables


RPM
# rpm -Uvh iptables-xxxx.rpm
Preparing ################################# [100%]



The Main Files


Debian

* /etc/init.d/iptables – INIT script to start|stop|restart the service (and save rulesets). This file is no longer default as of Sarge but you can still get it (I'll show you).

* /var/lib/iptables – Debian's home for the 'active' and 'inactive' iptables-save counter files (i.e. The saved rulesets). On RedHat you would find the saved rules in '/etc/sysconfig/iptables'.

* /var/lib/iptables/active – Active Counters (more on that later)

* /var/lib/iptables/inactive – Inactive Counters

* /sbin/iptables – The administration utility/binary.


RedHat

* /etc/init.d/iptables – INIT script to start|stop|restart the service (and save rulesets).

* /etc/sysconfig/iptables – RedHat's file for the iptables-save counter files (i.e. The saved rulesets).

* /sbin/iptables – The administration utility/binary.


A Little About IPTables


To see what rulesets we currently have in place, execute:
# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination



This is what you will see when there are no rule sets in place. Looking at this we see 3 'Chains'.


* INPUT - Holds rules for traffic directed at this server.

* FORWARD – Holds rules for traffic that will be forwarding on to an IP behind this server (i.e. If this box serves as a firewall for other servers).

* OUTPUT – Holds rules for traffic that is coming from this server out to the internet.



Mainly we will be dealing with traffic directed at this server, and will be issuing rules for the INPUT Chain. When traffic passes through the kernel, it determines a "TARGET" based on whether the packet matches a rule or not. General targets are:


* ACCEPT – Traffic is accepted for delivery.

* REJECT – Traffic is rejected, sending a packet back to the sending host.

* DROP - The traffic is dropped. Nothing is sent back to the sending host.



Configuring Rule Sets


So, let's get down to it. It's important to note that the order in which rules are appended matters: a packet is handled by the first rule it matches. For example, if your first rule is to deny everything... then no matter what you specifically allow afterwards, it will be denied.


Also to note is that nothing you do is saved on disk until you execute 'iptables-save' (or use the init script to save). All counters/rulesets are in memory. Once the server reboots, or you execute 'iptables --flush' everything you've worked on is gone. Personally I work out of a bash script file called 'iptables-rules.sh', which allows me to keep everything organized and commented. If I make a mistake, I have no worries if I just want to flush all the rules out, I just go right back to my bash script and start editing again, save it out and execute the script (this however will not run at startup... that will be covered in the next section).


It's very important that if you are working on this server remotely through ssh, you make every effort not to lock yourself out. Therefore, our first rule will be to ensure that no matter what, I can still access ssh from my IP address.

# iptables -A INPUT -s 192.168.1.10 -d 10.1.15.1 -p tcp --dport 22 -j ACCEPT


Lets break that down:

* -A => Tells iptables to 'append' this rule to the INPUT Chain

* -s => Source Address. This rule only pertains to traffic coming FROM this IP. Substitute with the IP address you are SSHing from.

* -d => Destination Address. This rule only pertains to traffic going TO this IP. Substitute with the IP of this server.

* -p => Protocol. Specifying traffic which is TCP.

* --dport => Destination Port. Specifying traffic which is for TCP Port 22 (SSH)

* -j => Jump. If everything in this rule matches then 'jump' to ACCEPT


Next, we will want to use some standard rules for general network traffic. This goes a bit beyond the basic stuff, however iptables can determine the 'state' that a packet is in. This has to do with standard TCP communication. For example, the 3 way handshake between two hosts when transmitting data.


* NEW => Server1 connects to Server2 issuing a SYN (Synchronize) packet.

* RELATED => Server 2 receives the SYN packet, and then responds with a SYN-ACK (Synchronize Acknowledgment) packet.

* ESTABLISHED => Server 1 receives the SYN-ACK packet and then responds with the final ACK (Acknowledgment) packet.



After this 3 way handshake is complete, the traffic is now ESTABLISHED. For this type of TCP communication to work, something similar to these three rules is necessary:

# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

The last rule obviously allows any traffic to leave the server.



Now that we have our basics set in place, lets see what iptables lists for our rulesets:
# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination

ACCEPT tcp -- 192.168.1.10 10.1.15.1 tcp dpt:ssh
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED



From here you can add whatever rules you like. If you're running a basic webserver, you'll probably need something similar to:

INDIVIDUAL REJECTS FIRST:

-----------------------------------------------------------------------

BAD GUYS (Block Source IP Address):
# iptables -A INPUT -s 172.34.5.8 -j DROP

NO SPAMMERS (notice the use of FQDN):
# iptables -A INPUT -s mail.spammer.org -d 10.1.15.1 -p tcp --dport 25 -j REJECT

-----------------------------------------------------------------------


THEN OPEN IT UP:

-----------------------------------------------------------------------

MYSQL (Allow Remote Access To Particular IP):
# iptables -A INPUT -s 172.50.3.45 -d 10.1.15.1 -p tcp --dport 3306 -j ACCEPT
SSH:
# iptables -A INPUT -d 10.1.15.1 -p tcp --dport 22 -j ACCEPT

Sendmail/Postfix:
# iptables -A INPUT -d 10.1.15.1 -p tcp --dport 25 -j ACCEPT

FTP: (Notice how you can specify a range of ports 20-21)
# iptables -A INPUT -d 10.1.15.1 -p tcp --dport 20:21 -j ACCEPT

Passive FTP Ports Maybe: (Again, specifying ports 50000 through 50050 in one rule)
# iptables -A INPUT -d 10.1.15.1 -p tcp --dport 50000:50050 -j ACCEPT

HTTP/Apache
# iptables -A INPUT -d 10.1.15.1 -p tcp --dport 80 -j ACCEPT

SSL/Apache
# iptables -A INPUT -d 10.1.15.1 -p tcp --dport 443 -j ACCEPT

IMAP
# iptables -A INPUT -d 10.1.15.1 -p tcp --dport 143 -j ACCEPT

IMAPS
# iptables -A INPUT -d 10.1.15.1 -p tcp --dport 993 -j ACCEPT

POP3
# iptables -A INPUT -d 10.1.15.1 -p tcp --dport 110 -j ACCEPT

POP3S
# iptables -A INPUT -d 10.1.15.1 -p tcp --dport 995 -j ACCEPT

Any Traffic From Localhost:
# iptables -A INPUT -d 10.1.15.1 -s 127.0.0.1 -j ACCEPT

ICMP/Ping:
# iptables -A INPUT -d 10.1.15.1 -p icmp -j ACCEPT

-----------------------------------------------------------------------



GLOBAL REJECTS LAST:

-----------------------------------------------------------------------

Reject everything else to that IP:
# iptables -A INPUT -d 10.1.15.1 -j REJECT

Or, reject everything else coming through to any IP:
# iptables -A INPUT -j REJECT
# iptables -A FORWARD -j REJECT

-----------------------------------------------------------------------

Notice that we add the global REJECT lines last! These must be last, because any rule appended after them would never be reached.


Saving Rule Sets


With the init scripts, saving rule sets is quite easy. Once you are happy with your config, just do one of the following:


The Debian Way

The old style init script is no longer in Sarge by default, but it is still around for legacy use. I believe the new way is to use ' /etc/network/if-up.d' and '/etc/network/if-down.d' for iptables scripts (but I don't like that).


You can grab the legacy INIT script this way:
# gunzip /usr/share/doc/iptables/examples/oldinitdscript.gz -c > /etc/init.d/iptables
# chmod +x /etc/init.d/iptables
# mkdir /var/lib/iptables
# chmod 700 /var/lib/iptables

Now that you have the script in place you can do the needful.


Active Rules

The Active rules are those loaded when starting iptables:
# /etc/init.d/iptables save active
Saving iptables ruleset: save "active" with counters.

This saves your rules in /var/lib/iptables/active


Inactive Rules

You can also configure a second set of rules for when you stop iptables called 'inactive'. Iptables doesn't actually "stop", it just flushes out the rule sets that are in place and then loads the 'inactive' rules.

# /etc/init.d/iptables stop
Loading iptables ruleset: load "inactive"


Therefore, you can set your 'inactive' rules, and then save them with:
# /etc/init.d/iptables save inactive
Saving iptables ruleset: save "inactive" with counters.


The RedHat Way

The RedHat INIT script is very similar. You can use it to start and stop iptables, as well as save rule sets.


To save your active rules execute the following:
# /etc/init.d/iptables save

This will save your rules to '/etc/sysconfig/iptables'.


When you start iptables, the rules are read from '/etc/sysconfig/iptables':
# /etc/init.d/iptables start
Starting iptables [OK]


And when you stop iptables, all rules are flushed:
# /etc/init.d/iptables stop
Stopping iptables [OK]



Manual Save and Restore

You can also manually use the iptables-save and iptables-restore utilities like so:


Save the rules to a file
# iptables-save > /root/iptables-save.out


Restore the rules
# iptables-restore -c /root/iptables-save.out

The -c tells iptables-restore that this file was created using iptables-save, which outputs the rules together with their "counters".



Conclusion

And there you go, iptables at its very basic. The uses of iptables are too numerous to even start truly doing a howto on them. However, for basic security and understanding of IPTables, I hope this might have helped you. If there is anything I could add, please feel free to email me.



---
BJ Dierkes, RHCE4-LPIC1
wdierkes [at] 5dollarwhitebox [dot] org
Texas, USA


Resources

* Netfilter/Iptables: http://www.netfilter.org/
* Transmission Control Protocol: http://www.rhyshaden.com/tcp.htm


[Creative Commons Attribution License]
This page is licensed under a Creative Commons License.
Possible Denial of Service (DoS)
Submitted by Anonymous (Contact Author) (Forums) on Fri, 2006-07-07 17:02.

Remember that automated tools like Fail2Ban and PortSentry leave you open to denial of service attacks. If someone were to spoof the address of an SSH client you regularly connect from, you could be locked out of your server. While it's not easy to spoof enough of an SSH connection to trigger Fail2Ban, it is possible.

Another scenario is where you SSH to your home server from behind a corporate NAT router. Anyone else on your corporate network could lock you out by simply trying to log in a few times.

I'm not trying to talk anyone out of using Fail2Ban (I use it!), but I think it's important to know the implications of doing so.

Rich B.


Thankyou!!!
Submitted by Anonymous (Contact Author) (Forums) on Sun, 2006-02-26 21:05.

Just wanted to thankyou for something very rare in the linux world: An easy to understand howto, covering the basics!

Everywhere else, you find badly written solutions to extremely uncommon problems.

Thanks!
&flix
Another IPTables page
Submitted by Anonymous (Contact Author) (Forums) on Wed, 2006-06-21 19:51.

The following page is also pretty good:

http://www.siliconvalleyccie.com/linux-hn/iptables-intro.htm

It outlines how the mangle and nat chains work, which is obviously less useful for most people, but anyway.
I always use my trusty -fwbuilder- as my iptables mangler
Submitted by Anonymous (Contact Author) (Forums) on Sat, 2006-01-21 11:59.

http://www.fwbuilder.org/

It creates fw scripts that can be automatically deployed to all of your fw's using ssh. Best thing is that its GUI is similar to Checkpoint's interface, all for free (using linux!) Creating fw setups using windows is gonna cost 49,95 dollars. hahahahah

Thanks for the howto! always nice to see the inner workings!
Very Awsome!
Submitted by Anonymous (Contact Author) (Forums) on Tue, 2005-11-22 17:29.
Thanks so much for your article here. Every document I ever tried to read about iptables before was like a freaking Chinese Instruction Manual! I never realized it could be so easy. Thanks a million.
Wow... and here I thought
Submitted by IaMMai (Contact Author) (Forums) on Fri, 2005-12-02 10:45.


Wow... and here I thought I might be wasting my time.... ;)
missing init skript in Sarge
Submitted by Anonymous (Contact Author) (Forums) on Thu, 2005-11-03 07:40.
Hi, you seem to have missed that the init script is not part of iptables in Sarge anymore: iptables (1.2.7-8) unstable; urgency=low * removed init.d, /var/lib/iptables, and debconf-ization If you still have that file it is probably a relic of older iptables versions from which you upgraded. Because init scripts are treated like configuration files, they are not automatically removed when you remove or upgrade the package. If you want to initialize iptables, you need your own script, or you can run iptables when the interfaces come up (see /etc/network/interfaces and /etc/network/if-up.d).
You are correct... this sys
Submitted by IaMMai (Contact Author) (Forums) on Thu, 2005-11-03 14:54.

You are correct... this system was upgraded from woody... which I've had running over a year before Sarge was stable.... I shall update this howto as "Pre-Sarge"... and when I get a second do a Sarge install from scratch and update as necessary.

Thanks for the note.

---
BJ Dierkes, RHCE4 - LPIC1
wdierkes [at] machinehost [dot] org
Texas, USA
Let me share with you my way
Submitted by Anonymous (Contact Author) (Forums) on Fri, 2005-10-28 02:30.

I added a nice init script that does the work for me, all I have to do is to edit the file from time to time according to my needs.

Here is the script: (/etc/init.d/iptables)

====== CUT BELOW HERE ======

#!/bin/bash
#
# Bail out quietly (status 0) on hosts that have no iptables binary.
[[ -x /sbin/iptables ]] || exit 0

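#######################################
# Build the rule set from scratch.
# Globals:   none read; modifies the kernel's filter-table rules
# Arguments: none
# Returns:   status of the last iptables call
#######################################
start()
{
  # Throw away whatever is currently loaded (flush + delete user chains).
  clearall

  # User chain "filter" (a chain, not the table of the same name):
  # packets belonging to an existing connection pass; new connections pass
  # only when they do NOT arrive on the external interface or match one of
  # the allowed services / sources below; everything else is dropped.
  iptables -N filter
  iptables -A filter -m state --state ESTABLISHED,RELATED -j ACCEPT
  # The external interface: replace eth0 (e.g. ppp0) to suit your uplink.
  # "-i ! eth0" is the old negation spelling; newer iptables want "! -i eth0".
  iptables -A filter -m state --state NEW -i ! eth0 -j ACCEPT

  # Blacklisted IPs/Networks. These come BEFORE the service ACCEPTs: in the
  # original order the http/ftp/... rules matched first, so a blacklisted
  # source could still reach every allowed service.
  iptables -A filter -p all -s 192.168.100.0/24 -j DROP
  iptables -A filter -p all -s 10.0.0.32 -j DROP

  # Allowed services - list every port you actually need; a few
  # common examples:
  iptables -A filter -p tcp --dport http -j ACCEPT
  iptables -A filter -p tcp --dport ftp -j ACCEPT
  iptables -A filter -p tcp --dport smtp -j ACCEPT
  iptables -A filter -p tcp --dport pop3 -j ACCEPT
  iptables -A filter -p udp --dport 53 -j ACCEPT
  # Allowed IPs/Networks (may use any port)
  iptables -A filter -p all -s 192.168.0.0/24 -j ACCEPT
  iptables -A filter -p all -s 192.168.1.15 -j ACCEPT
  # Drop the privileged tcp and udp ports explicitly, then everything else.
  iptables -A filter -p tcp --dport 0:1023 -j DROP
  iptables -A filter -p udp --dport 0:1023 -j DROP
  iptables -A filter -j DROP

  # Route INPUT and FORWARD through the chain. OUTPUT is left alone and
  # no chain policy is set, so the built-in default (ACCEPT) remains.
  iptables -A INPUT -j filter
  iptables -A FORWARD -j filter
}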

#######################################
# Remove every rule from the filter table: -F flushes all chains,
# -X then deletes the (now unreferenced) user-defined chains.
# Chain policies are not touched.
# Returns: status of the last iptables call
#######################################
clearall()
{
  local op
  for op in -F -X; do
    iptables "$op"
  done
}


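# Dispatch on the init-script verb. Note that "stop" only runs clearall,
# and the script sets no chain policy anywhere, so after a stop the
# kernel's default policies (ACCEPT) apply and all traffic passes.
case "$1" in
  restart|start)
    start
    ;;
  stop)
    clearall
    ;;
  *)
    # usage is a diagnostic: send it to stderr, not to a caller's stdout
    printf 'Usage: %s {start|stop|restart}\n' "$0" >&2
    exit 1
    ;;
esac

exit 0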

===== END CUT =====

After saving this script as /etc/init.d/iptables , don't forget to chmod it

chmod 755 /etc/init.d/iptables

Now you need to add it to the default runlevels, make this command:

update-rc.d iptables defaults 12

Have fun!

Ziv

iptables rules
Submitted by Anonymous (Contact Author) (Forums) on Thu, 2005-10-20 04:23.
In year 2005, writing hand-crafted iptables rules makes about as much sense as using assembly language to produce dynamic webpages. Sure, you can do it and it offers the best possible performance, but does it make sense?

There are dozens of tools that makes it easy to manage iptables. Among those, 2 open source projects stand out far above the rest:

1. Shorewall - http://www.shorewall.net/
2. FireHOL - http://firehol.sourceforge.net/

It is very easy to make mistakes with hand-crafted iptables rules that is hard to detect. You can end up with numerous security holes without even being aware of their existence until someone exploits them.

Seriously consider using one of the above tools, you'll find that they provide all the flexibility you need for managing iptables without having to hand-craft rules using iptables syntax.

I started using shorewall to manage my iptables and I've never looked back. And this includes gateways with multiple ethernet cards, public servers, and secure desktops.

Try any 3 iptables-related projects--the 2 mentioned above and 1 other of your choice. Pick one and you'll end up far better than directly writing iptables rules.

2008年2月11日星期一

Monitoring Asterisk 1.4 with SNMP and CACTI for pretty graphs!

Monitoring Asterisk 1.4 with SNMP and CACTI for pretty graphs!

This, wasn’t too easy to actually get going. Though I don’t have very much experience with SNMP, which may have been part of my problems. The whole SNMP / RES_SNMP with Asterisk is all very beta too from what I’ve been reading, and since the only other document really that I can find on setting this up, is by Mark Spencer himself, I hope this might help some other users out there too.

So, with the aid of Mark Spencer's Howto over at VOIP Magazine I will be venturing forth and trying to get this going, but even better, because I will be using a remote CACTI server, instead of a local one.

REQUIREMENTS:

  • Asterisk Server (we’ll call it ASTERISK-BOX)
  • Cacti Web Server (we’ll call it CACTI-BOX)
  • Gentoo or equivalent Linux dist installed
  • Some Time

REQUIREMENTS - ASTERISK-BOX:

These are not in the scope of this document and assume you have already done this.

  1. install net-snmp
  2. install asterisk, and then enable the net-snmp module
  3. bring asterisk to a functioning state

REQUIREMENTS - CACTI-BOX:

  1. install apache/php/cacti/mysql
  2. setup apache/mysql/cacti

Now, lets get our hands dirty.

STEP 1 - SETUP ON ASTERISK-BOX:

Turn on SNMP in asterisk

# nano /etc/asterisk/res_snmp.conf

should look like this

[general]
subagent = yes
enabled = yes

Now we configure snmp on the box so it will generate two communities, one for the actual box, and one using the sub-agent, agentx as it’s known (agent 13 actually). So we setup our /etc/snmp/snmpd.conf as per this:

# cat /etc/snmp/snmpd.conf
rocommunity YOUR.COMMUNITY.NAME
master agentx
#agentXSocket tcp:YOUR.ASTERISK.IP.ADDY:705
agentXperms 0660 0550 nobody asterisk
com2sec local localhost COMMUNITY.NAME
com2sec mynetwork0 YOUR.NETWORK/24 YOUR.COMMUNITY.NAME
com2sec mynetwork1 YOUR.NETWORK/24 YOUR.COMMUNITY.NAME
com2sec mynetwork2 YOUR.NETWORK/24 YOUR.COMMUNITY.NAME
com2sec mynetwork3 YOUR.NETWORK/24 YOUR.COMMUNITY.NAME
group MyROGroup any local
group MyROGroup any mynetwork0
group MyROGroup any mynetwork1
group MyROGroup any mynetwork2
group MyROGroup any mynetwork3
view all included .1
access MyROGroup "" any noauth 0 all none none

*Note the permissions and the `nobody asterisk` user/group on the agentXperms line above. This is because I am running asterisk as asterisk:asterisk, so that is the identity agentX needs in order to connect to the socket. The username doesn’t matter apparently, but the group does.

Now we have to modify some init scripts. I am using Gentoo; this may be different for your distribution.

First we edit /etc/conf.d/snmpd to look something like the following

SNMPD_FLAGS="${SNMPD_FLAGS} -x /var/agentx/master"

Then we have to edit /etc/conf.d/snmptrapd to something looking like the following

SNMPTRAPD_FLAGS=""
SNMPTRAPD_FLAGS="${SNMPTRAPD_FLAGS} -a"
SNMPTRAPD_FLAGS="${SNMPTRAPD_FLAGS} -Lf /var/log/snmptrapd.log"

Now we should stop asterisk and net-snmp (if they are running)

# /etc/init.d/asterisk stop
# /etc/init.d/snmpd stop

Now we should start both back up. I use screen so I can do all of this.


# screen
screen#asterisk -vvvvvvvvvvvvvvvvvvvvgc
screen#
# /etc/init.d/snmpd start
# /etc/init.d/snmptrapd start
# screen -r

You should see Asterisk spit out a message that it’s connected to the SNMP data source.

If asterisk looks to be working, then you can continue, otherwise debug to find out why it’s not connecting. Next we should setup snmpd and snmptrapd to start on boot of the box. Again, I am using Gentoo. This may be different for your OS.

# rc-update add snmpd default
# rc-update add snmptrapd default

Now that we are done with this, we can copy the MIBs from Asterisk over to both boxes so they have them.

# cp <asterisk-source>/doc/asterisk-mib.txt /usr/share/snmp/mibs
# cp <asterisk-source>/doc/digium-mib.txt /usr/share/snmp/mibs
# scp <asterisk-source>/doc/digium-mib.txt admin@CACTI-BOX:
# scp <asterisk-source>/doc/asterisk-mib.txt admin@CACTI-BOX:

Now, we can test to make sure we see the output of the SNMP MIBs, at least locally on our box. So, we perform the following:

# export MIBS=+ASTERISK-MIB
# snmpwalk -c YOUR.COMMUNITY.NAME -v 1 localhost asterisk

If all worked out well, then we are ready to move over to the Cacti box and get things setup there.

STEP 2 - SETUP ON CACTI-BOX:

First, let’s copy the files we scp’d over to the proper location

# mv /home/admin/digium-mib.txt /usr/share/snmp/mibs/
# mv /home/admin/asterisk-mib.txt /usr/share/snmp/mibs/

Now let’s create the polling script in /usr/local/bin

# cat /usr/local/bin/snmp_poller.sh

#!/bin/bash
# filename: snmp_poller.sh
# Thin wrapper around the Cacti poller so the cron entry stays a single
# command; further setup (extra MIBs, env vars) can be added here later.
#
# MIBS is exported before the poller runs, mirroring the manual snmpwalk
# test; presumably this lets the SNMP tooling the poller invokes resolve
# ASTERISK-MIB names rather than bare OIDs.
export MIBS="+ASTERISK-MIB"
/usr/bin/php /usr/share/cacti/poller.php

# chmod 755 /usr/local/bin/snmp_poller.sh

Now, edit your crontab file so we can enable the polling script we just created.

# crontab -e

Then add this line, which will run the script every 5 minutes

*/5 * * * * /usr/local/bin/snmp_poller.sh > /dev/null 2>&1

Exit and save the file, and now we are done on the console and can go into Cacti’s web interface for the rest of this tutorial.

STEP 3 - CACTI WEB INTERFACE:

First, I’ll quote from Mark’s original post instead of re-writing it…


The first step is to add the server to the Cacti database. First, click Create devices on the front page. Click the Add link on the right side of the screen.

Clicking add reveals a new screen where you will input basic information about connecting to the server. Fill out the fields, making sure to set the community name to COMMUNITY_NAME (what you put in snmpd.conf) Also, make sure the template is set to None, unless you know for sure you want another set of services automatically setup to be monitored. After clicking create, you’ll come to a screen with the systems in cacti, click the one you just created. Select “SNMP – Generic OID Template” from the drop down menu under “Associated Graph Templates” and click add. Add more services if you like, but this is the one we will use to connect to the Asterisk SNMP module.

Now that the server is setup, we need some graphs. Click the create graphs for this host link at the top. On this page, select the “SNMP – Generic OID Template” by clicking the checkbox next to it. Select “SNMP – Generic OID template” from the drop down menu and click “create”. Fill in the form with your basic information about the particular graph you’re looking at. The vertical label will basically be the number of current calls in use.



To elaborate on the above, here’s a sample of one of my entries into Cacti

Go to your device, create a new graph, generic OID template, and enter your values like the following example:

Title: |host_description| - GTALK Channels in use
Vertical Label: Current Google Talk Channels
Legend Color: your choice
Legend Text: Google Talk Channels
Name: |host_description| - GTALK Channels
Maximum Value: 100
Data Source: GAUGE
OID: .1.3.6.1.4.1.22736.1.5.4.1.7.9

Now, this is where things have changed since he wrote his article in April 2006: there are new OIDs to deal with, which I list below…

Here are all the possible ones to use:
Channel.1 = The NuFone Network's Open H.323 Channel Driver
Channel.2 = Skinny Client Control Protocol (Skinny)
Channel.3 = Zapata Telephony Driver
Channel.4 = Session Initiation Protocol (SIP)
Channel.5 = Standard Linux Telephony API Driver
Channel.6 = OSS Console Channel Driver
Channel.7 = Local Proxy Channel Driver
Channel.8 = Inter Asterisk eXchange Driver (Ver 2)
Channel.9 = Gtalk Channel Driver
Channel.10 = Feature Proxy Channel Driver
Channel.11 = Call Agent Proxy Channel

Here is what I am using:
overall channels in use (all types):
.1.3.6.1.4.1.22736.1.5.1.0
ASTERISK-MIB::astNumChannels.0

Session Initiation Protocol (SIP):
.1.3.6.1.4.1.22736.1.5.4.1.7.4
ASTERISK-MIB::astChanTypeChannels.4

Inter Asterisk eXchange Driver (Ver 2):
ASTERISK-MIB::astChanTypeChannels.8
.1.3.6.1.4.1.22736.1.5.4.1.7.8

zap channels in use:
ASTERISK-MIB::astChanTypeChannels.3
.1.3.6.1.4.1.22736.1.5.4.1.7.3

google talk in use:
ASTERISK-MIB::astChanTypeChannels.9
.1.3.6.1.4.1.22736.1.5.4.1.7.9

h323 channels in use:
ASTERISK-MIB::astChanTypeChannels.1
.1.3.6.1.4.1.22736.1.5.4.1.7.1

Here are the commands used to translate between numerical and alphabetic:

To convert from the alphabetic form, for example, do this:

# snmpwalk -On -c YOUR.COMMUNITY.NAME -v 2c YOUR.ASTERISK.IP.ADDY ASTERISK-MIB::astChanTypeChannels.9

and it will print the numerical version of the OID; to see the alphabetic one, do this instead:

# snmpwalk -c YOUR.COMMUNITY.NAME -v 2c YOUR.ASTERISK.IP.ADDY .1.3.6.1.4.1.22736.1.5.4.1.7.9

And now, after we have that all sorted out and you have figured out what you want to graph, we can go back to Mark’s original howto again.


When you are sure everything is right, continue on by clicking create.

Click Graph Management on the left. Select the newly created graph on the right (servername – SIP Users in the picture), and choose “Place on a Tree (Default Tree)” so that it’ll show up on the graphs page. Click go when ready. Just click yes on the next page that comes up.

After a few minutes, the graph will have populated from the polling thread, and you can click the graphs tab at the top. This will take you to a page with graphs on it, just select the Default Tree link, and look for the new graph.

You should end up with some graphs that look like this.

All Channels SIP Channels IAX2 Channels

and that should be it really.. let me know if you have problems in the comments..

Extras - Helpful Testing Commands:

ASTERISK-BOX:
Walk the snmp tree:
# snmpwalk -c YOUR.COMMUNITY.NAME -v 2c YOUR.ASTERISK.IP.ADDY asterisk

CACTI-BOX:
Walk the snmp tree, but show numeric OIDs instead:
# snmpwalk -On -c YOUR.COMMUNITY.NAME -v 2c YOUR.ASTERISK.IP.ADDY asterisk


38 Responses to “Monitoring Asterisk 1.4 with SNMP and CACTI for pretty graphs!”

  1. […] http://www.voipphreak.ca/archives/382 Tags:asterisk, snmp, trucos, tutoriales, voip 16-Abril-2007 a las […]

  2. […] addition to yesterday’s post about SNMP and Asterisk 1.4, here is how I tested the graphs to ensure the calls were showing up as […]

  3. Sebastien Cruaux on April 26th, 2007 at 4:42 am

    I followed this tutorial (and Mark Spencer’s, since my Asterisk box and my Cacti box are on the same machine) step by step but I still have a problem: I can’t get access to the Asterisk MIB. Let me explain: when I run snmpwalk -v1 -v mycommunity localhost asterisk, I receive an SNMP get-response with an error status noSuchName. I ran snmptranslate -Tp -IR private (which is .1.3.6.1.4) to check whether the Asterisk MIB was in the SNMP tree and yes, it was at .1.3.6.1.4.1.22736.1. However, when I “snmpwalk” .1.3.6.1.4.1 I receive a response, but with .1.3.6.1.4.1.22736 I get the noSuchName error. Consequently, I can’t display the graphs in Cacti; they always remain empty.
    Maybe there is some problem in snmpd.conf ? My snmpd.conf is :

    master agentx
    agentXperms 0660 0550 root root
    com2sec local localhost asteriskcom
    com2sec mynetwork0 xxx.xxx.xxx.0/24 asteriskcom
    group MyROGroup v1 local
    group MyROGroup v1 mynetwork0
    view all included .1
    access MyROGroup "" any noauth exact all none none

    Thanks for your help

  4. Hi Sebastien,

    Interesting. I had a bitch of a time getting this to work let me tell you! I’m not sure what your specific issue is. I do notice that in order to get SNMP data, I must do the following in this particular order to get the data pumping out.

    - stop asterisk
    - stop snmpd
    - start asterisk
    - start snmpd

    then watch the asterisk debug output to make sure it performs the agentx connection properly. It took me a good few hours to actually get it to grab the data for me. Let me know if you are still having issues.

    Thanks!

  5. Sebastien Cruaux on April 27th, 2007 at 4:44 am

    Ok so it seems that the problem comes from the asterisk snmp module. I run the commands in the order you gave but I have no trace of snmp or agentx connection neither in asterisk CLI nor in asterisk logs. Is there anything to do to activate SNMP in Asterisk besides uncommenting subagent=yes and enabled=yes in res_snmp.conf ?
    Something else is weird : I ran modules show in Asterisk CLI and there were no res_snmp.so. Is it normal or is it some kind of addon which has to be installed ?

    Thanks

  6. Hi Sebastien,

    Ahhh - Yeah, I think I know what your issue is.

    Go back to your asterisk source, and do this :

    # make distclean
    # ./configure --with-net-snmp (check that)
    # make menueselect

    go to the app options, and make sure res-snmp is there, then

    # make && make install

    Now you’ll have res-snmp.so installed in /var/lib/asterisk/modules and you should be able to get it working.

    Hope this helps!
    Thanks,
    VoipPhreak

  7. Sebastien Cruaux on May 3rd, 2007 at 4:25 am

    No idea ? :(

  8. Hi Sebastien,

    Sorry, I forgot to moderate my post! Try my suggestion above to make sure you have res_snmp compiled and included with asterisk, it sounds like that will solve your issues.

    Thanks,
    Matt

  9. Sebastien Cruaux on May 4th, 2007 at 9:38 am

    Actually it was
    # ./configure --with-netsnmp (without ‘-’ between net and snmp)
    But I still have a problem (sorry). When I run this command I get an error message :

    checking for net-snmp-config… /usr/bin/net-snmp-config
    checking for snmp_register_callback in -lnetsnmp… no
    configure: ***
    configure: *** The Net-SNMP installation on this system appears to be broken.
    configure: *** Either correct the installation, or run configure
    configure: *** including --without-netsnmp

    I installed net-snmp using
    # yum install net-snmp*
    What could be wrong ?

    Thank you again

  10. Hi Sebastien,

    I’m not that familiar with RH based distributions, afaik what you’ve done should be working.
    I would try installing the net-snmp source from scratch instead of using YUM to see if that fixes your issues.

    Thanks,
    Matt Gibson

  11. […] to my good buddy Everton from Brazil, we’ve updated the SNMP Howto for Asterisk 1.4 with updated instructions for slackware. He’s also been so kind to provide a pdf that’s […]

  12. This post looks quite helpful, I’m using Asterisk version 1.4.4, and everything in this post is pretty understandable, but I’m just a newbie to CACTI. Can you please help with the CACTI steps? Thanks

  13. Hi Syed,

    Sure not a problem. What Linux distribution are you using and what kind of help do you need to get Cacti Running? Cacti is usually included with most Linux dists as a package and is installed through the package managers or in the case of Gentoo, using portage. Once installed the setup is very straight forward but I can help with whatever you need.

    Thanks,
    Matt

  14. Thanks Matt for your quick response. I’m using RHEL 4. actually i’ve couple of Asterisk server at different locations, some monitoring via SNMP that’s what asterisk 1.4.x supports.
    I’m gonna give it a try in a testing env first.. once done then will go on production servers. But for now I wanna do it all on the same machine and also I don’t know anything about CACTI.

  15. Hi Syed,

    I hope this helps you, I found a CACTI installation tutorial for CentOS. Not the same as RHEL, but very similar so it will probably work. Give it a try and let me know if you need any help.

    Here’s the link:
    http://wiki.centos.org/HowTos/Cacti_on_CentOS_4.x

    Thanks,
    Matt

  16. Hey Syed,

    I found this howto for Cacti on CentOS. I’m not sure if it’ll work for you but it should be very similar for RHEL. Give it a shot and let me know if you need any help with it.

    Here’s the link:
    http://wiki.centos.org/HowTos/Cacti_on_CentOS_4.x

  17. Hello Matt,

    Im trying to set up a stresstesting platform using your how-tos, the one about SIPP and this one.

    The SIPP part is working nicely. But I’m having trouble getting CACTI-box to grab the data from the asterisk-box.

    I cant get cacti to recognize the other host, i always get a “SNMP Error” and “Unknown status” on cacti.

    This command is working ok:

    snmpwalk -c comunidad -v 2c localhost asterisk

    But when i try to do it from the cacti-box:

    snmpwalk -c comunidad -v 2c 192.168.1.8 asterisk

    I don’t get anything. Also if I try to run it on the asterisk-box itself, I don’t get any output; it’s like snmp is not listening on that interface.

    I followed your steps quite closely, and modified just what was needed… do you have any idea what can be wrong?

    Regards and thanks for the tutorials.
    Leonardo

  18. Hello Leonardo,

    Glad most of the howto’s are working for you. Your error sounds interesting, and I’ll be happy to help you figure it out.

    What happens if you run:

    netstat -tunl | grep 161

    on the SNMP box, is the port there?

    Are you blocking it with your firewall?

    Are you allowing the 192.168 ip range in your snmpd.conf?

    What happens if you just run snmpwalk -c -v 2c 192.168.1.8 without asterisk to see if it returns anything at all?

    It sounds like it’s a problem with snmp itself if 161 isn’t there or isn’t listening.

    What about /var/log/messages?

    This should get you on the right track and then we can continue from there :) Good luck!

  19. Great article, I’m running debian unstable debs of asterisk 1.4. I can snmpwalk the system MIB’s but snmpwalk -v2c -c mycommunity localhost asterisk returns the following error:

    ASTERISK-MIB::asterisk = No Such Object available on this agent at this OID

    snmpwalking system returns plenty of information, so the problem is related to agentx and/or asterisk as near as I can tell. Any ideas?

  20. Hi Jon,

    Thanks! I hope it was able to help.

    It looks to me like the error you are experiencing is because Asterisk is not compiled or functioning with the res-snmp module. When you open Asterisk does it say that it successfully connected to the snmp daemon and that it’s sending statistics? I get a little message from asterisk that it’s connected.

    That seems like it might be your issue since you’re getting the system information, but not the asterisk specific stuff.

    I’d start the debugging with Asterisk and the SNMP Module and make sure that’s all working, then go from there :)

    Let me know how you make out.

    Thanks,
    Matt

  21. This is all I get when loading and unloading res_snmp. This is with core debug and verbose 10.

    pbx*CLI> module unload res_snmp.so
    Unloading [Sub]Agent Modulenmp.so
    == Terminating SubAgent
    pbx*CLI> module load res_snmp.so
    == Parsing ‘/etc/asterisk/res_snmp.conf’: Found
    Loading [Sub]Agent Module
    Loaded res_snmp.so => (SNMP [Sub]Agent for Asterisk)
    == Starting SubAgent
    pbx*CLI>

    What should I be getting? I’m running asterisk 1.4.6, which version are you using successfully?

  22. Hi Jon,

    Thanks for the info. I am using 1.4.7.1 for the Asterisk version, and I’ve confirmed it’s still working on here.

    Your SNMP debug looks right, however I see this on my console when it connects

    NET-SNMP version 5.4 AgentX subagent connected

    and this on my console when it doesn’t connect

    Warning: Failed to connect to the agentx master agent ([NIL]):

    Do you see anything similar? If not, something with SNMP isn’t working as expected. Once you see the successfully connected message, you should be able to walk the Asterisk SNMP tree.

    HTH!

  23. Sebastian, were you able to build asterisk with res_snmp. I’m getting the same

    “The Net-SNMP installation on this system appears to be broken”

    Im using CentOS. If you did can you please post the solution here. It would be great.

  24. Brandon Kruse on July 28th, 2007 at 5:27 pm

    Hey guys, great tutorial

    I am in the middle of adding a TON of features to the res_snmp module for 1.4 and backporting the module to 1.2.

    Warning: Failed to connect to the agentx master agent (/var/agentx/master): Unknown host (/var/agentx/master) (No such file or directory)

    From asterisk when I do a module load res_snmp.so

    I currently have a lot of features such as : Cacti integration (a HUGE collection of templates)

    Call analysis, total channels, sip/iax/h323/local/agent/console channels. Meetme conferences, agents logged in, channel count by agents, theres tons of stuff I am working on, and I am always open to new suggestions!

    rocommunity public
    master agentx
    #agentXSocket tcp:127.0.0.1:705
    agentXperms 0777 0777 nobody asterisk
    com2sec local localhost public
    group MyROGroup any local
    view all included .1
    access MyROGroup "" any noauth 0 all none none

    asterisk is running as root, i built net-snmp manually and configured asterisk --with-snmp, any ideas?

    admteamkruz@gmail.com

    These new features I am adding are extremely exciting.

    -bkruse

  25. Hi Brandon,

    Small World :P - How is the template working out for Astmon that I made for you?

    Two things I notice from your description.

    1. You have “--with-snmp” while it’s supposed to be “--with-netsnmp” (unless things have changed?)

    2. Did you create /var/agentx/ and make sure that snmpd can write to it?

    drwxrwxrwx 2 asterisk asterisk 4096 Jul 29 00:15 agentx

    and within that directory I simply did
    “# touch master” and then “chown asterisk:asterisk master” and then restarted snmpd and asterisk.

    See if that helps.

    Thanks,
    Matt

  26. Brandon Kruse on July 29th, 2007 at 2:41 am

    Matt,

    I knew I recognized that url :]

    Everything is going great! astmon is going great, and props to you again!

    I am working on getting all the statistics right now, then I will update all those docs and work on manager specific things (snmp)

    I will try this and see how it turns out, shoot me an email also, at my work email, we will keep this discussion on this board, however, to help people that may have the same problems :]

    -bk

  27. Brandon Kruse on July 29th, 2007 at 3:51 am

    Yes, I did configure with --with-netsnmp, my mistake.

    It still says Warning: Failed to connect to the agentx master agent (/var/agentx/master): Unknown host (/var/agentx/master) (Connection refused)

    :[

    ps aux | grep snmp
    snmp 9546 0.0 0.3 7020 3956 ? S 01:44 0:00 /usr/sbin/snmpd -x /var/agentx/master

    cat /var/log/snmpd.log
    cat /var/log/snmpd.log
    Turning on AgentX master support.
    NET-SNMP version 5.4.1.rc2

    asterisk error:

    == Starting SubAgent
    *CLI> NET-SNMP version 5.4.1.rc2 AgentX subagent connected
    registering pdu failed: 263!

    I noticed, it does not have -x /var/agentx/master, but if i try that:

  28. Hey Brandon,

    I sent you a message @gmail, couldn’t find your work email anywhere.

    Not sure if it makes a difference, but when I “ps aux | grep snmpd” I see the following:

    root 3788 0.0 0.9 8388 4592 ? S Jul24 0:32 /usr/sbin/snmpd -p /var/run/snmpd.pid -x /var/agentx/master

    maybe the PID and full paths matter?

    I’m also using 5.4.1 not the RC2, perhaps that makes a difference?

    Looks like the last bit of your message was cut off, what happens when you try with the -x /var/agentx/master?

    Thanks,
    Matt

  29. Roger Gomez Olivares on September 27th, 2007 at 1:48 pm

    I have a different version of linux, CentOS 5.0, and I tried to follow the steps in this tutorial, but the init scripts for snmpd and snmptrapd are different. What can I do?

  30. Hi Roger,

    I am not sure what the problem is with CentOS. I have seen a few people complain of issues with SNMP and CentOS.

    I found this tutorial for SNMP on CentOS 5. It’s more for installing the system, but he does mention and install net-snmp. Perhaps this can help you?

    http://support.lithiumcorp.com/content/view/128/70/

    Thanks,
    Voip Phreak

  31. To make netsnmp work with asterisk on CentOS 4, you will have to compile from source (check sourceforge); you cannot use the stock rpms. I haven’t cared to find out why, since source works.

    MM

  32. Problem solved, issue is on line 21667 of the configure file.

    NETSNMP_libs=`${NETSNMP_CONFIG} --agent-libs`

    CHANGE to:

    NETSNMP_libs=`${NETSNMP_CONFIG} --libs`

    And all is well.

    MM

  33. too fast it compiles no issue but there is a symbol error..

  34. Working on getting this installed on our dev server, running Ubuntu Dapper. Been working on it for about 9 hours. Here’s where I am at…

    snmpd_5.2.1.2-4
    (tried to use compiled net-snmp-5.4.1 as well)

    getting connection errors right now. not sure what is causing it.

    root@ubuntupbx:/usr/src/net-snmp-5.4.1# netstat -natup | grep 161
    udp 0 0 0.0.0.0:161 0.0.0.0:* 18312/snmpd
    snmpwalk -c public -v 1 localhost asterisk
    Timeout: No Response from localhost

    my snmpd.conf (tried both on this site, this is from S Cruaux’s post)
    rocommunity public
    master agentx
    #agentXSocket tcp:127.0.0.1:705
    agentXperms 0777 0777 nobody asterisk
    com2sec local localhost public
    group MyROGroup any local
    view all included .1
    access MyROGroup "" any noauth 0 all none none

    Any help appreciated, be really great to get this working

  35. gah.. got that part straightened out. now i get

    [Dec 21 00:31:19] WARNING[6373]: loader.c:363 load_dynamic_module: Error loading module ‘res_snmp.so’: /usr/lib/libnetsnmpagent.so.15: undefined symbol: boot_DynaLoader
    [Dec 21 00:31:19] WARNING[6373]: loader.c:649 load_resource: Module ‘res_snmp.so’ could not be loaded.

    When trying to do a “module load res_snmp.so”..

    Gonna keep hammering on it.

  36. […] that these stats are useful for anything more than fun, they are still fun to look at if you like pretty graphs as much as I […]

  37. Seems that this issue is a library linking issue, trying some things out with the guys from #perl. Once I get this all hammered out i’ll write up a debian/ubuntu specific howto

  38. Well,

    I got it working on debian/ubuntu and I am going to be working on the astmon project now.

    thanks Matt!

    -bkruse