Diffstat (limited to 'core/network.html')
-rw-r--r-- | core/network.html | 234 |
1 files changed, 216 insertions, 18 deletions
diff --git a/core/network.html b/core/network.html index 9aa5921..feb9765 100644 --- a/core/network.html +++ b/core/network.html @@ -14,7 +14,7 @@ <dl> <dt><a href="conf/rc.d/iptables">/etc/rc.d/iptables</a></dt> <dd>Configure <a href="#iptables">iptables</a>, start option - loads set of rules from file /etc/iptables/name.v4, open option + loads set of rules from file /etc/iptables/net.v4, open option allows everything to outside and blocks everything from outside, stop will block and log everything.</dd> <dt><a href="conf/rc.d/net">/etc/rc.d/net</a></dt> @@ -114,20 +114,16 @@ <h2 id="iptables">2.3.3. Iptables</h2> - <p>For more information about iptables read - <a href="https://wiki.archlinux.org/index.php/Iptables">arch wiki</a>. - Iptables can be setup at boot with - <a href="conf/rc.d/iptables">/etc/rc.d/iptables</a> init script, change - <a href="scripts/iptables.sh">iptables.sh</a> with your needs and run - to save rules in <a href="conf/iptables/net.v4">/etc/iptables/net.v4</a> - file.</p> + <p>For more information about firewall systems read arch wiki + <a href="https://wiki.archlinux.org/index.php/Iptables">iptables</a> + an <a href="https://wiki.archlinux.org/index.php/nftables">nftables</a>.</p> - <p>Init script "start" option loads set of rules from file - /etc/iptables/rules.v4, "open" option allows everything to outside + <p>To setup iptables rules a set of scripts is used, init script + <a href="conf/rc.d/iptables">/etc/rc.d/iptables</a> + loads set of rules from file /etc/iptables/net.v4 at boot time. + Start option "open" option allows everything to outside and blocks everything from outside, "stop" will block and log - everything.</p> - - <p>Setup init script and rules ;</p> + everything. Setup init script and rules ;</p> <pre> # mkdir /etc/iptables 
@@ -142,18 +138,220 @@ SERVICES=(iptables lo net crond) </pre> + <p>See current rules and packets counts;</p> + + <pre> + # iptables -L -n -v | less + </pre> + + <p>Diagram of a package route throw iptables;</p> + + <pre> + + XXXXXXXXXXXXXXXXX + XXXX Network XXXX + XXXXXXXXXXXXXXXXX + + + | + v + +-------------+ +------------------+ + |table: filter| >---+ | table: nat | + |chain: INPUT | | | chain: PREROUTING| + +-----+-------+ | +--------+---------+ + | | | + v | v + [local process] | **************** +--------------+ + | +---------+ Routing decision +------< |table: filter | + v **************** |chain: FORWARD| + **************** +------+-------+ + Routing decision | + **************** | + | | + v **************** | + +-------------+ +------< Routing decision >---------------+ + |table: nat | | **************** + |chain: OUTPUT| | + + +-----+-------+ | | + | | v + v | +-------------------+ + +--------------+ | | table: nat | + |table: filter | +----+ | chain: POSTROUTING| + |chain: OUTPUT | +--------+----------+ + +--------------+ | + v + XXXXXXXXXXXXXXXXX + XXXX Network XXXX + XXXXXXXXXXXXXXXXX + + </pre> + + <p>Command line usage;</p> + + <pre> + iptables [-t table] {-A|-C|-D} chain rule-specification + iptables [-t table] {-A|-C|-D} chain rule-specification + iptables [-t table] -I chain [rulenum] rule-specification + iptables [-t table] -R chain rulenum rule-specification + iptables [-t table] -D chain rulenum + iptables [-t table] -S [chain [rulenum]] + iptables [-t table] {-F|-L|-Z} [chain [rulenum]] [options...] + iptables [-t table] -N chain + iptables [-t table] -X [chain] + iptables [-t table] -P chain target + iptables [-t table] -E old-chain-name new-chain-name + rule-specification = [matches...] 
[target] + match = -m matchname [per-match-options] + </pre> + + <p>Targets, can be a user defined chain;</p> + + <pre> + ACCEPT - accepts the packet + DROP - drop the packet on the floor + QUEUE - packet will be stent to queue + RETURN - stop traversing this chain and + resume ate the next rule in the + previeus (calling) chain. + + if packet reach the end of the chain or + a target RETURN, default policy for that + chain is applayed. + </pre> + + <p>Target Extensions</p> + + <pre> + AUDIT + CHECKSUM + CLASSIFY + DNAT + DSCP + LOG + Torn on kernel logging, will print some + some information on all matching packets. + Log data can be read with dmesg or syslogd. + This is a non-terminating target and a rule + should be created with matching criteria. + + --log-level level + Level of logging (numeric or see sys- + log.conf(5) + + --log-prefix prefix + Prefix log messages with specified prefix + up to 29 chars log + + --log-uid + Log the userid of the process with gener- + ated the packet + NFLOG + This target pass the packet to loaded logging + backend to log the packet. One or more userspace + processes may subscribe to the group to receive + the packets. + + ULOG + This target provides userspace logging of maching + packets. One or more userspace processes may then + then subscribe to various multicast groups and + then receive the packets. + </pre> + + <p>Commands</p> + <pre> + -A, --append chain rule-specification + -C, --check chain rule-specification + -D, --delete chain rule-specification + -D, --delete chain rulenum + -I, --insert chain [rulenum] rule-specification + -R, --replace chain rulenum rule-specification + -L, --list [chain] + -P, --policy chain target + </pre> + + <p>Parameters</p> + <pre> + -p, --protocol protocol + tcp, udp, udplite, icmp, esp, ah, sctp, all + -s, --source address[/mask][,...] + -d, --destination address[/mask][,...] 
+ -j, --jump target + -g, --goto chain + -i, --in-interface name + -o, --out-interface name + -f, --fragment + -m, --match options module-name + iptables can use extended packet matching + modules. + -c, --set-counters packets bytes + </pre> + + <h3 id="ipt_server">2.3.3.1. Server iptables</h3> + <p>Adjust <a href="scripts/iptables.sh">iptables.sh</a> with your network configuration then run it;</p> + <p>Default configuration;</p> + + <pre> + server) + + echo "Setting server network..." + ####### Input Chain ###### + $IPT -A INPUT -j blocker + + $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${DNS} -j cli_dns_in + $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_https_in + $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_ssh_in + $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_git_in + $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j cli_https_in + + ####### Output Chain ###### + $IPT -A OUTPUT -j blocker + + $IPT -A OUTPUT -o ${PUB_IF} -d ${DNS} -s ${PUB_IP} -j cli_dns_out + $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_https_out + $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_ssh_out + $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_git_out + $IPT -A OUTPUT -o ${PUB_IF} -s ${PUB_IP} -j cli_https_out + + ## log everything else and drop + iptables_log + + iptables-save > /etc/iptables/net.v4 + exit 0 + + ;; + </pre> + <pre> # bash core/scripts/iptables.sh </pre> - <p>See current rules and packets;</p> + <h3 id="ipt_client">2.3.3.2. Client iptables </h3> + + <p></p> + <h3 id="ipt_client">2.3.3.3. 
Bridge iptables</h3> <pre> - # iptables -L -n -v | less - </pre> + $IPT -A FORWARD -j blocker + $IPT -A FORWARD -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT + $IPT -A FORWARD -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT + + $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -d ${BR_NET} -j srv_ssh_in + $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_ssh_out + + $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_https_in + $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_https_out + + $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_rip + + $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_dhcp + $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_dhcp + + $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j cli_https_out + $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j cli_https_in + <pre> <h2 id="wpa">2.3.4. Wpa and dhcpd</h2> @@ -245,8 +443,8 @@ <a href="index.html">Core OS Index</a> <p> - This is part of the c9-doc Manual. - Copyright (C) 2017 + This is part of the Hive System Documentation. + Copyright (C) 2018 c9 team. See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a> for copying conditions.</p> |
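Review bot: in the second hunk (@@ -114,20 +114,16 @@) the new sentence `Start option "open" option allows everything to outside` is a leftover from the removed paragraph; the start behaviour is already covered by "loads set of rules from file /etc/iptables/net.v4 at boot time", so drop the leading "Start option" and read `"open" option allows everything to outside and blocks everything from outside`. Also "iptables an nftables" should be "iptables and nftables", and "To setup iptables rules a set of scripts is used" promises several scripts but only /etc/rc.d/iptables is named here; either name iptables.sh and net.v4 at this point (as the removed text did) or say "an init script". On the plus side, this hunk removes the rules.v4/net.v4 inconsistency the old text had.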
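Review bot: in the third hunk (@@ -142,18 +138,220 @@) the Bridge section opens a `<pre>` after the heading and closes it with a second `<pre>` instead of `</pre>`, so everything from the bridge rules to the end of the page renders as preformatted text; and the bridge heading reuses `id="ipt_client"`, which the Client heading just above already carries, so the `#ipt_client` anchor is ambiguous (use `id="ipt_bridge"`). The Client section itself is an empty `<p></p>`: fill it or leave it out until the client rules exist. In the bridge rules the two `FORWARD -i lo ... -j ACCEPT` / `-o lo ... -j ACCEPT` entries can never match, since loopback traffic is delivered locally and does not traverse FORWARD; they are dead rules. `tap2` is hard-coded in every `--physdev-in`/`--physdev-out` rule while `${PUB_IF}` and `${BR_IF}` are variables; make it one too. In the flow diagram the Network arrow enters `table: filter / chain: INPUT` directly and `nat / PREROUTING` has no incoming arrow, which inverts the real order (Network, then nat PREROUTING, then the routing decision, then filter INPUT or FORWARD); redraw so PREROUTING sits on the incoming path. The "Command line usage" block lists `iptables [-t table] {-A|-C|-D} chain rule-specification` twice. The server excerpt references chains (`blocker`, `cli_dns_in`, `srv_https_in`, ...) and the `iptables_log` function that are defined elsewhere in iptables.sh; say so or show the chain definitions, otherwise "Default configuration" reads as if this were the whole script. In the Parameters block `-m, --match options module-name` has the order reversed: the match name comes first, its options after it. Spelling: "package route throw" -> "packet route through", "stent" -> "sent", "resume ate" -> "resume at", "previeus" -> "previous", "applayed" -> "applied", "Torn on" -> "Turn on", "some some" -> "some", "29 chars log" -> "29 chars long", "process with generated" -> "process which generated", "maching" -> "matching", "then then" -> "then".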