IPNAT + IPFilter + Bridge super firewall

Posted 2008-04-09 08:39
Description:

Recently a friend's company (about 200 PCs) ran into problems with the ipfirewall+natd firewall they were using, which forced them to switch to ipfilter+ipnat. Since switching, this friend has been full of praise for it, and that got me started studying the ipfilter+ipnat firewall software.
IPFilter (ipfilter+ipnat) was written by Darren Reed and is free to use. It is cross-platform: it runs on NetBSD, FreeBSD and Linux (OpenBSD shipped it until PF replaced it in 3.0), and even on commercial Solaris, which makes it an outstanding firewall package.
So what is it about ipfilter+ipnat that would make someone devoted to the ipfirewall+natd developed by the FreeBSD core team go and learn ipfilter+ipnat? I think the main factors are that, in a large network architecture, ipfilter+ipnat translates addresses with better performance and has the advantage of being cross-platform; those two alone are, I think, enough to draw ipfirewall+natd supporters into learning ipfilter+ipnat. That is not to say ipfirewall+natd has no strengths: its performance is somewhat worse, but DUMMYNET gives it bandwidth management, which ipfilter lacks. Alas, you cannot have both the fish and the bear's paw.
Step 1.
Build a new kernel with the bridge option added.
#cd /usr/src/sys/i386/conf/
#cp GENERIC /etc/NEWIPF
#ln -s /etc/NEWIPF
#vi NEWIPF
ident NEWIPF      #  remember to change ident to the new name NEWIPF
options BRIDGE   #  add this one line
#config NEWIPF
#cd ../../compile/NEWIPF    # the compile directory lives at /usr/src/sys/compile/NEWIPF
#make depend all install
Step 2.
Load ipfilter with kldload. Loading the module directly means ipfilter works without rebuilding the kernel a second time.
#cd /etc
#vi rc.local    # edit rc.local (run by /etc/rc at boot) so ipfilter starts automatically after a reboot; contents:
kldload ipl.ko
ipf -Fa -f /etc/ipf.rules
ipnat -CF -f /etc/ipnat.rules
sysctl net.inet.ip.forwarding=1
sysctl net.link.ether.bridge.enable=1
sysctl net.link.ether.bridge.ipf=1
sysctl net.link.ether.bridge.config=fxp0,de0
Note: net.link.ether.bridge.ipf=1 is what makes bridged frames pass through ipf at all; without it, traffic crossing the fxp0/de0 bridge is never filtered. The rc.conf variables ipfilter_enable, ipfilter_rules, ipnat_enable and ipnat_rules are an alternative to loading the rules from rc.local.
Step 3.
Edit the three configuration files ipf.rules, ipnat.rules and rc.conf.
#vi /etc/ipf.rules    # ipf rules are last-match: every rule is compared from the top down to the last one and the last match decides; a rule marked quick takes effect as soon as it matches and stops the comparison.
pass in all
pass out all
(With these two rules ipf filters nothing; only NAT is in effect. Replace them with a real ruleset such as the examples below before exposing the machine.)
#vi /etc/ipnat.rules    # ipnat rules are processed in order; the earlier rule is matched first.
map fxp0 10.10.10.0/24 -> 168.168.168.253/32
#vi /etc/rc.conf
hostname="ipf.ntut.idv.tw"
defaultrouter="168.168.168.254"
ifconfig_fxp0="inet 168.168.168.253 netmask 255.255.255.0"
ifconfig_de1="inet 10.10.10.254 netmask 255.255.255.0"
usbd_enable="YES"
sshd_enable="YES"
(fxp0 is the WAN side and de1 the NAT'd LAN; de0, the other bridge member from Step 2, carries no address of its own. Make sure the interface names match your hardware.)
#reboot    # save, reboot, and the setup is complete ...
Command reference:
#kldstat  ( check whether the ipfilter module is loaded )
#ipf -V  ( -V shows the ipfilter version )
#ipf -D  ( disable ipfilter )
#ipf -E  ( enable ipfilter )
#ipf -Fa -f /etc/ipf.rules  ( -Fa flushes all rules, -f loads the new rules; this is the command to run after editing ipf.rules )
#ipfstat  ( packet statistics for the filter )
#ipfstat -o  ( -o lists the output rules )
#ipfstat -i  ( -i lists the input rules )
#ipmon  ( watch packets hit by log rules: interface, rule number, action, source,port -> destination,port and protocol; run it as a daemon with -Ds to send the log to syslog, otherwise logged packets go nowhere )
#ipnat -C  ( delete all NAT rules; -F additionally flushes the active translation table )
#ipnat -l  ( list the configured translation rules and the active translations )
#ipnat -s  ( show ipnat statistics )
#ipnat -f /etc/ipnat.rules  ( load ipnat.rules; this adds to the rules already loaded, so combine it with -CF to replace them )
Studying ipnat.rules:
map fxp0 10.10.10.0/24 -> 168.168.168.253/32 proxy port 8000 ftp/tcp
# The proxy here is not because I have Squid installed; the point is that the FTP protocol is special: for transfer efficiency the port keeps changing, so the FTP port has to be pinned down.
map fxp0 10.10.10.0/24 -> 168.168.168.253/32 portmap tcp/udp 40000:60000
# The whole class C 10.10.10.0/24: only tcp/udp traffic leaving for the Internet is translated to the address 168.168.168.253, and its source ports are confined to the range 40000 to 60000.
map fxp0 10.10.10.0/24 -> 168.168.168.253/32
# Translate every protocol from 10.10.10.0/24 (tcp/udp, icmp, esp for IPsec and gre for PPTP) so that outgoing traffic to the Internet leaves from 168.168.168.253.
rdr fxp0 168.168.168.253/32 port 80 -> 10.10.10.2/32 port 80
# Redirect inbound connections to 168.168.168.253 port 80 to the internal machine 10.10.10.2 port 80, so it serves as the web server.
Key points from the ipnat Handbook:

For example; FTP. We can make our firewall pay attention to the packets going across it and when it notices that it's dealing with an Active FTP session, it can write itself some temporary rules, much like what happens with keep state, so that the FTP data connection works. To do this, we use a rule like so:

map tun0 192.168.1.0/24 -> 20.20.20.1/32 proxy port ftp ftp/tcp

Keep in mind that these portmap rules only apply to the protocols that you have specified (e.g.: tcp, udp, or tcp/udp), and do not apply to other protocols like ICMP or IPSec ESP/AH. For these, you need to have an additional map statement that applies to all other protocols:

map tun0 192.168.1.0/24 -> 0/32 portmap tcp/udp 20000:30000
map tun0 192.168.1.0/24 -> 0/32
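The ipnat.rules section above and the Handbook excerpt both hinge on one rule: ipnat uses the first rule that matches, so the ftp proxy and the portmap rule must precede the catch-all map, and the catch-all is what picks up protocols without ports (ESP, GRE, ICMP). The following toy model, added here as an illustration (it is not code from the original post or from IPFilter, and it models only map, portmap, proxy and rdr), shows the consequences of rule order on constructed packets. It uses the standard `proxy port ftp` form; the page's `proxy port 8000` would only engage the ftp proxy for control connections to port 8000, not to the FTP port 21.

```python
"""Toy model of ipnat rule selection: the FIRST matching rule is used, so a general
map placed before a more specific one hides it. Rules and packets below are
constructed for this demonstration; they follow the page's ipnat.rules."""
import ipaddress

SERVICE_PORTS = {"ftp": 21}           # names accepted after "proxy port"


def parse_nat_rule(line):
    toks = line.split()
    r = {"kind": toks[0], "iface": toks[1], "proto": None, "port": None,
         "portmap": None, "proxy": None, "text": line}
    if r["kind"] == "map":            # map IF SRC -> NEWSRC [portmap PROTO lo:hi] [proxy port P NAME/PROTO]
        r["src"], r["to"] = toks[2], toks[4]
    elif r["kind"] == "rdr":          # rdr IF DST port N -> NEWDST port M
        r["dst"], r["port"], r["to"], r["rport"] = toks[2], int(toks[4]), toks[6], int(toks[8])
    if "portmap" in toks:             # portmap limits the rule to the listed protocols
        i = toks.index("portmap")
        lo, hi = toks[i + 2].split(":")
        r["proto"], r["portmap"] = toks[i + 1].split("/"), (int(lo), int(hi))
    if "proxy" in toks:               # the proxy only engages on the named control port
        i = toks.index("proxy")
        p = toks[i + 2]
        r["port"] = int(p) if p.isdigit() else SERVICE_PORTS[p]
        r["proxy"], proto = toks[i + 3].split("/")
        r["proto"] = [proto]
    return r


def parse_nat_rules(text):
    return [parse_nat_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def in_net(spec, addr):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def translate_out(rules, pkt, used_ports):
    """Outbound packet on the NAT interface: apply the first matching map rule."""
    for r in rules:
        if r["kind"] != "map" or r["iface"] != pkt["iface"] or not in_net(r["src"], pkt["src"]):
            continue
        if r["proto"] and pkt["proto"] not in r["proto"]:
            continue
        if r["port"] is not None and pkt.get("dport") != r["port"]:
            continue
        new = dict(pkt, src=r["to"].split("/")[0], rule=r["text"])
        if r["portmap"]:              # simplified allocation: lowest free port in the range
            lo, hi = r["portmap"]
            new["sport"] = next(p for p in range(lo, hi + 1) if p not in used_ports)
            used_ports.add(new["sport"])
        if r["proxy"]:
            new["proxy"] = r["proxy"]
        return new
    return None                       # untranslated: leaves with its private source address


def translate_in(rules, pkt):
    """Inbound packet on the NAT interface: apply the first matching rdr rule."""
    for r in rules:
        if (r["kind"] == "rdr" and r["iface"] == pkt["iface"]
                and in_net(r["dst"], pkt["dst"]) and pkt.get("dport") == r["port"]):
            return dict(pkt, dst=r["to"].split("/")[0], dport=r["rport"], rule=r["text"])
    return None


# The page's rules, specific ones first (constructed, with "proxy port ftp").
RULES_SPECIFIC_FIRST = """
map fxp0 10.10.10.0/24 -> 168.168.168.253/32 proxy port ftp ftp/tcp
map fxp0 10.10.10.0/24 -> 168.168.168.253/32 portmap tcp/udp 40000:60000
map fxp0 10.10.10.0/24 -> 168.168.168.253/32
rdr fxp0 168.168.168.253/32 port 80 -> 10.10.10.2/32 port 80
"""

# Same rules with the catch-all map on top: it now matches every outbound
# packet first, so the ftp proxy and the portmap range are never used.
RULES_CATCHALL_FIRST = """
map fxp0 10.10.10.0/24 -> 168.168.168.253/32
map fxp0 10.10.10.0/24 -> 168.168.168.253/32 proxy port ftp ftp/tcp
map fxp0 10.10.10.0/24 -> 168.168.168.253/32 portmap tcp/udp 40000:60000
rdr fxp0 168.168.168.253/32 port 80 -> 10.10.10.2/32 port 80
"""

# Constructed packets.
FTP_OUT = {"iface": "fxp0", "proto": "tcp", "src": "10.10.10.7", "sport": 1025,
           "dst": "203.0.113.9", "dport": 21}
HTTPS_OUT = dict(FTP_OUT, dport=443)
ESP_OUT = {"iface": "fxp0", "proto": "esp", "src": "10.10.10.7", "dst": "203.0.113.9"}
WEB_IN = {"iface": "fxp0", "proto": "tcp", "src": "203.0.113.9", "sport": 40001,
          "dst": "168.168.168.253", "dport": 80}

if __name__ == "__main__":
    for name, text in (("specific first", RULES_SPECIFIC_FIRST), ("catch-all first", RULES_CATCHALL_FIRST)):
        rules = parse_nat_rules(text)
        for pkt in (FTP_OUT, HTTPS_OUT, ESP_OUT):
            print(name, pkt["proto"], pkt.get("dport"), "->", translate_out(rules, pkt, set()))
    print("inbound web:", translate_in(parse_nat_rules(RULES_SPECIFIC_FIRST), WEB_IN))
```

With the specific rules first, the FTP control connection gets the proxy, the HTTPS connection gets a source port from 40000 to 60000, and ESP (no ports) falls through to the catch-all; with the catch-all first, none of that happens and every packet is translated without a port or proxy.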
Studying ipf.rules:
Example 1.
Example of restricting the LAN interface:
# Drop malformed packets.
block in log quick all with short
block in log quick all with ipopts
#
# Reject packets with private or reserved source addresses arriving on the WAN interface fxp0.
# These must come before the rule that passes everything on fxp0; a quick pass placed first would match every packet and these blocks would never be reached.
block in quick on fxp0 from 192.168.0.0/16 to any
block in quick on fxp0 from 172.16.0.0/12 to any
block in quick on fxp0 from 10.0.0.0/8 to any
block in quick on fxp0 from 127.0.0.0/8 to any
block in quick on fxp0 from 192.0.2.0/24 to any
#
# Let packets pass freely on the WAN interface fxp0 and the localhost interface lo0.
pass in quick on fxp0 all
pass out quick on fxp0 all
pass in quick on lo0 all
pass out quick on lo0 all
#
# Default deny for the LAN interface de1. No quick here: these are the last-match fallback, so the quick pass rules below can override them.
block in log on de1 all
block out log on de1 all
#
# Allow all tcp/udp packets out through the LAN interface de1.
pass out quick log on de1 proto tcp/udp from any to any keep state
#
# Allow icmp in and out through the LAN interface de1.
pass in quick log on de1 proto icmp all keep state
pass out quick log on de1 proto icmp all keep state
#
# Allow specific service ports in through the LAN interface de1.
pass in quick on de1 proto tcp/udp from any to any port = 53 keep state
pass in quick on de1 proto tcp/udp from any to any port = 20 keep state
pass in quick on de1 proto tcp/udp from any to any port = 21 keep state
pass in quick on de1 proto tcp from any to any port = 23 keep state
pass in quick on de1 proto tcp from any to any port = 22 keep state
pass in quick on de1 proto tcp from any to any port = 25 keep state
pass in quick on de1 proto tcp from any to any port = 110 keep state
pass in quick on de1 proto tcp/udp from any to any port = 139 keep state
pass in quick on de1 proto tcp from any to any port = 80 keep state
pass in quick on de1 proto tcp from any to any port = 443 keep state
pass in quick on de1 proto tcp/udp from any to any port = 445 keep state
pass in quick on de1 proto tcp from any to any port = 8000 keep state
Example 2.
Example with rule groups, restricting the WAN interface. Note that group 200 accepts telnet (23) and port 8000 from any source on the Internet; remove whatever the site does not actually serve.
# Drop malformed and suspicious packets.
block in log quick all with short
block in log quick all with opt lsrr
block in log quick all with opt ssrr
block in log quick all with ipopts
block in log quick on fxp0 proto tcp from any to any flags FUP
block in log quick on fxp0 proto tcp from any to any flags SF/SFRA
block in log quick on fxp0 proto tcp from any to any flags /SFRA
#
# Rule groups: head 100/150 for the LAN interface, head 200/250 for the WAN interface.
# Each head rule is the default verdict (block) for its group; a matching pass rule in the group overrides it.
block in log quick on de1 all head 100
block out log quick on de1 all head 150
block in log quick on fxp0 all head 200
block out log quick on fxp0 all head 250
#
# Pass every protocol on localhost.
pass in log quick on lo0 all
pass out log quick on lo0 all
#
# Group 100: everything allowed incoming on the LAN: TCP/UDP, ICMP, ESP (for IPsec) and GRE (for PPTP).
pass in quick proto tcp/udp from 10.10.10.0/24 to any keep state group 100
pass in quick proto icmp from 10.10.10.0/24 to any keep state group 100
pass in quick proto esp from 10.10.10.0/24 to any keep state keep frags group 100
pass in quick proto gre from 10.10.10.0/24 to any keep state group 100
#
# Group 150: everything allowed outgoing on the LAN.
pass out quick proto tcp/udp from any to 10.10.10.0/24 keep state group 150
pass out quick proto icmp from any to 10.10.10.0/24 keep state group 150
pass out quick proto esp from any to 10.10.10.0/24 keep state keep frags group 150
pass out quick proto gre from any to 10.10.10.0/24 keep state group 150
#
# Group 200: services allowed incoming on the WAN.
pass in quick proto tcp/udp from any to any port = 53 keep state group 200
pass in quick proto tcp from any to any port = 22 keep state group 200
pass in quick proto tcp from any to any port = 23 keep state group 200
pass in quick proto tcp from any to any port = 25 keep state group 200
pass in quick proto tcp from any to any port = 80 keep state group 200
pass in quick proto tcp from any to any port = 110 keep state group 200
pass in quick proto tcp from any to any port = 443 keep state group 200
pass in quick proto tcp from any to any port = 8000 keep state group 200
#
# Group 250: everything allowed outgoing on the WAN.
pass out quick proto tcp/udp from any to any keep state group 250
pass out quick proto icmp from any to any keep state group 250
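Whether a ruleset like Example 1 or Example 2 does what its comments say depends entirely on the last-match rule, on where quick appears, and on how head/group hands a packet to a group. The following toy evaluator, added here as an illustration (it is not code from the original post or from IPFilter, and it models only the keywords the two examples use: pass/block, in/out, quick, on, proto, from/to, port =, with/flags, head and group), runs constructed packets through small subsets of both examples. The "as posted" subset keeps the original order of Example 1, with a quick pass on fxp0 ahead of the anti-spoofing blocks and a quick block-all on de1 ahead of the pass rules; the "reordered" subset is the order shown above.

```python
"""Toy evaluator for a subset of ipf.rules syntax, to show how IPFilter picks a
verdict: the LAST matching rule wins, unless a matching rule carries "quick",
which stops processing at once; a matching "head N" rule hands the packet to
the rules tagged "group N", with the head rule as that group's default.
Rulesets and packets below are constructed for this demonstration."""
import ipaddress


def parse_rule(line):
    """Parse one rule into a dict. Keywords not modelled (log, keep state, ...) are skipped."""
    toks = line.split()
    r = {"action": toks[0], "dir": toks[1], "quick": "quick" in toks, "on": None,
         "proto": None, "src": "any", "dst": "any", "dport": None, "with": [],
         "head": None, "group": 0, "text": line}
    i = 2
    while i < len(toks):
        t = toks[i]
        if t in ("on", "proto", "from", "to"):
            r[{"from": "src", "to": "dst"}.get(t, t)] = toks[i + 1]
            i += 2
        elif t == "port":                 # "port = N"
            r["dport"] = int(toks[i + 2])
            i += 3
        elif t in ("head", "group"):
            r[t] = int(toks[i + 1])
            i += 2
        elif t in ("with", "flags"):      # a packet attribute the rule insists on
            r["with"].append(toks[i + 1])
            i += 2
        else:                             # log, quick, all, keep, state, frags
            i += 1
    return r


def parse_ruleset(text):
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def in_net(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def matches(r, pkt):
    return (r["dir"] == pkt["dir"]
            and (r["on"] is None or r["on"] == pkt["iface"])
            and (r["proto"] is None or pkt["proto"] in r["proto"].split("/"))
            and in_net(r["src"], pkt["src"]) and in_net(r["dst"], pkt["dst"])
            and (r["dport"] is None or pkt.get("dport") == r["dport"])
            and set(r["with"]) <= pkt.get("attrs", set()))


def evaluate(rules, pkt, group=0):
    """Return (action, stopped_by_quick) after walking the rules of one group in order."""
    verdict = None
    for r in (x for x in rules if x["group"] == group):
        if not matches(r, pkt):
            continue
        verdict = r["action"]                 # last match so far
        if r["head"] is not None:             # descend; the head rule is the group's default
            sub, sub_quick = evaluate(rules, pkt, r["head"])
            if sub is not None:
                verdict = sub
                if sub_quick:
                    return verdict, True
        if r["quick"]:
            return verdict, True
    return verdict, False


def verdict(ruleset_text, pkt):
    """Final verdict; IPFilter's compiled-in default when nothing matches is pass."""
    action, _ = evaluate(parse_ruleset(ruleset_text), pkt)
    return action or "pass"


# Subset of Example 1 in the order it was originally posted.
EXAMPLE1_AS_POSTED = """
block in log quick all with short
pass in quick on fxp0 all
block in quick on fxp0 from 10.0.0.0/8 to any
block in quick log on de1 all
pass in quick on de1 proto tcp from any to any port = 22 keep state
"""

# Same rules, reordered: blocks before the quick pass, no quick on the de1 default deny.
EXAMPLE1_REORDERED = """
block in log quick all with short
block in quick on fxp0 from 10.0.0.0/8 to any
pass in quick on fxp0 all
block in log on de1 all
pass in quick on de1 proto tcp from any to any port = 22 keep state
"""

# Subset of Example 2: head rules are the per-interface default, group rules override.
EXAMPLE2_GROUPS = """
block in log quick on de1 all head 100
block in log quick on fxp0 all head 200
pass in quick proto tcp/udp from 10.10.10.0/24 to any keep state group 100
pass in quick proto tcp from any to any port = 22 keep state group 200
pass in quick proto tcp from any to any port = 80 keep state group 200
"""

# Constructed packets.
SSH_FROM_LAN = {"dir": "in", "iface": "de1", "proto": "tcp", "src": "10.10.10.5",
                "dst": "10.10.10.254", "dport": 22}
SPOOFED_ON_WAN = {"dir": "in", "iface": "fxp0", "proto": "tcp", "src": "10.1.2.3",
                  "dst": "168.168.168.253", "dport": 80}
WEB_FROM_INTERNET = dict(SPOOFED_ON_WAN, src="203.0.113.9")
SMB_FROM_INTERNET = dict(WEB_FROM_INTERNET, dport=139)

if __name__ == "__main__":
    for name, rules in (("as posted", EXAMPLE1_AS_POSTED), ("reordered", EXAMPLE1_REORDERED)):
        print(name, "ssh from LAN:", verdict(rules, SSH_FROM_LAN),
              "spoofed on WAN:", verdict(rules, SPOOFED_ON_WAN))
    print("groups web:", verdict(EXAMPLE2_GROUPS, WEB_FROM_INTERNET),
          "smb:", verdict(EXAMPLE2_GROUPS, SMB_FROM_INTERNET))
```

In the "as posted" order the quick block-all on de1 blocks the LAN SSH connection and the quick pass on fxp0 lets the spoofed 10.x source through; in the reordered form both verdicts flip. With the Example 2 groups, a web request from the Internet is passed by group 200 while port 139 falls back to the head rule's block.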
References:
http://www-900.ibm.com/developerWorks/cn/security/l-udsfirewall/part1/index.shtml
http://www-900.ibm.com/developerWorks/cn/security/l-udsfirewall/part2/index.shtml
http://www.phildev.net/ipf/IPFques.html
This article comes from the ChinaUnix blog; the original is at http://blog.chinaunix.net/u/4206/showart_522876.html