
The iptables firewall on Linux and the possibility of cryptographic intervention to secure information

iptables is a toolset integrated into the Linux operating system that implements a firewall by packet filtering. It can also perform network address translation (NAT) on packets and modify packet fields (packet mangling).

1. General introduction to iptables


As summarized above, iptables is the packet-filtering firewall toolset built into Linux, with NAT and packet-mangling functions in addition to filtering. iptables organizes its rule sets in tables and consists of the following components:
- Tables: NAT, FILTER, MANGLE. (Current kernels also provide the RAW and SECURITY tables, which this article does not use.)
- Chains: ordered lists of iptables rules. The built-in chains are INPUT (rules for packets arriving from the network and addressed to the system itself), OUTPUT (rules for packets generated by the system and sent to the network) and FORWARD (rules for packets routed through the system). In addition, the PREROUTING and POSTROUTING chains hold the rules for address translation (NAT) or for modifying packet fields (mangle).
- Rules: define the conditions under which a packet is handled and the outcome: let it through (ACCEPT), discard it silently (DROP) or with an error reply (REJECT), or apply some other action. Each iptables rule consists of:
+ the name of the chain that holds the rule (INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING);
+ the conditions that identify the packet (match);
+ the corresponding action (target).
Example of an iptables rule, which drops every TCP packet routed through the firewall towards 192.168.1.1:
iptables -A FORWARD -d 192.168.1.1 -p tcp -j DROP
Figure 1 below is an example of using iptables on Linux as a firewall that controls access from the external network (Internet) into the protected internal network and vice versa. How much protection this gives depends entirely on the rule sets configured for iptables on the firewall system.

Figure 1: Model of using iptables as a firewall

2. IP packet processing on a Linux system using iptables


IP packet processing on Linux is usually performed at a gateway with two network interfaces, one with an address on the internal network and one on the external network. The processing operations include routing, packet filtering, modification of packet contents and cryptographic intervention. This section examines the IP packet processing model on a Linux gateway with iptables integrated.
Figure 2 below shows the IP packet processing modules on a gateway running Linux with two network cards.

Figure 2: IP packet processing modules on a Linux system with two network cards


Processing proceeds as follows:
Case 1: the packet arrives from the network. It is first handled by the PREROUTING module, after which:
+ if the packet's destination address is the address of one of the gateway's two network cards, the packet is passed to the INPUT module and delivered to the kernel for local processing (FORWARD=NO);
+ if the destination address is not one of the firewall's two interface addresses (FORWARD=YES), the packet is routed, passed to the FORWARD module and then to the POSTROUTING module, and sent out to the network.
Case 2: the packet originates at the gateway and is sent out to the Internet. It is routed, then processed by the OUTPUT and POSTROUTING modules, and sent out to the network. When iptables is enabled, the order in which packets traverse iptables is shown in Figure 3.

Figure 3: Flow of IP packets through iptables


+ Case 1: the packet is sent from the network (internal or Internet).
The packet passes through the PREROUTING chain of the MANGLE table (used to modify packets) and then the PREROUTING chain of the NAT table, after which it is routed. If it is to be forwarded (FORWARD), it is passed to the FORWARD chains of the MANGLE and FILTER tables, then to the POSTROUTING chains of the MANGLE and NAT tables, and sent out to the network. If it is not to be forwarded, it is passed to the INPUT chains of the MANGLE and FILTER tables and delivered to the kernel for local processing.
+ Case 2: the packet is sent from the iptables firewall itself out to the network.
Here the packet is routed first, then passes through the OUTPUT chains of the MANGLE, NAT and FILTER tables, in that order, then through the POSTROUTING chains of the MANGLE and NAT tables, and leaves the system.
(On current kernels the RAW table and connection tracking precede MANGLE at the PREROUTING and OUTPUT hooks; the sequence above covers only the three tables discussed here.)
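To make the traversal order above concrete, here is an added Python example (not part of the original article, and not kernel code) that encodes the chain order of Figure 3 as data, decides between INPUT and FORWARD from the gateway's own interface addresses, and evaluates FILTER rules with the first-match semantics iptables uses. It also installs the example rule from section 1. The gateway addresses, the extra rules and the sample packets are constructed for the illustration, and the RAW table is deliberately left out.

```python
"""Walk a packet through the iptables chain order of a two-interface Linux
gateway and apply filter rules with first-match semantics. Added
illustration: the hook order is encoded as data here, whereas the kernel
does this in netfilter hooks."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# (table, chain) visited at each netfilter hook, for the MANGLE/NAT/FILTER
# tables. Current kernels also run the RAW table before MANGLE at
# PREROUTING and OUTPUT; it is left out on purpose.
HOOK_ORDER = {
    "PREROUTING": [("mangle", "PREROUTING"), ("nat", "PREROUTING")],
    "INPUT": [("mangle", "INPUT"), ("filter", "INPUT")],
    "FORWARD": [("mangle", "FORWARD"), ("filter", "FORWARD")],
    "OUTPUT": [("mangle", "OUTPUT"), ("nat", "OUTPUT"), ("filter", "OUTPUT")],
    "POSTROUTING": [("mangle", "POSTROUTING"), ("nat", "POSTROUTING")],
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    """One filter rule; the optional fields mirror -s, -d, -p and --dport."""
    target: str         # ACCEPT, DROP or REJECT
    src: Optional[str] = None
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        for want, have in ((self.src, pkt.src), (self.dst, pkt.dst)):
            if want and ipaddress.ip_address(have) not in ipaddress.ip_network(want, strict=False):
                return False
        if self.proto and self.proto != pkt.proto:
            return False
        return self.dport is None or self.dport == pkt.dport


@dataclass
class Gateway:
    local_addrs: frozenset      # addresses of the gateway's own interfaces
    policy: dict = field(default_factory=lambda: {"INPUT": "DROP", "FORWARD": "DROP", "OUTPUT": "ACCEPT"})
    rules: dict = field(default_factory=lambda: {"INPUT": [], "FORWARD": [], "OUTPUT": []})

    def append(self, chain: str, rule: Rule) -> None:
        """Equivalent of `iptables -A <chain> <match> -j <target>` in the FILTER table."""
        self.rules[chain].append(rule)

    def _verdict(self, chain: str, pkt: Packet) -> str:
        for rule in self.rules[chain]:      # the first matching rule decides
            if rule.matches(pkt):
                return rule.target
        return self.policy[chain]           # otherwise the chain policy applies

    def traverse(self, pkt: Packet, from_network: bool = True):
        """Return (path, verdict): the (table, chain) pairs the packet visits,
        in order, and the FILTER verdict it receives."""
        path = []
        if from_network:                    # case 1: arrives on an interface
            path += HOOK_ORDER["PREROUTING"]
            path.append(("routing", "decision"))
            hook = "INPUT" if pkt.dst in self.local_addrs else "FORWARD"
        else:                               # case 2: generated by the gateway
            path.append(("routing", "decision"))
            hook = "OUTPUT"
        path += HOOK_ORDER[hook]
        verdict = self._verdict(hook, pkt)
        if verdict == "ACCEPT" and hook != "INPUT":
            path += HOOK_ORDER["POSTROUTING"]   # only accepted packets go on to POSTROUTING
        return path, verdict


def example_gateway() -> Gateway:
    """The Figure 1 gateway with the article's example rule installed.
    Addresses and the extra rules are constructed for this illustration."""
    gw = Gateway(local_addrs=frozenset({"192.168.1.254", "203.0.113.1"}))
    gw.append("FORWARD", Rule("DROP", dst="192.168.1.1", proto="tcp"))  # iptables -A FORWARD -d 192.168.1.1 -p tcp -j DROP
    gw.append("FORWARD", Rule("ACCEPT", src="192.168.1.0/24"))          # let the LAN out
    gw.append("INPUT", Rule("ACCEPT", src="192.168.1.0/24", proto="tcp", dport=22))  # SSH to the gateway from the LAN
    return gw


if __name__ == "__main__":
    gw = example_gateway()
    for pkt in (Packet("203.0.113.9", "192.168.1.1", "tcp", 80),
                Packet("192.168.1.10", "198.51.100.7", "udp", 53),
                Packet("192.168.1.10", "192.168.1.254", "tcp", 22)):
        path, verdict = gw.traverse(pkt)
        print(f"{pkt.src} -> {pkt.dst}: {verdict}", " > ".join(f"{t}.{c}" for t, c in path))
```

Running the script shows that the TCP packet for 192.168.1.1 is dropped in filter.FORWARD and never reaches POSTROUTING, while the packet addressed to the gateway itself never touches the FORWARD chains at all; rules placed in the wrong chain are simply never consulted.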
3. Embedding a cryptographic module in the iptables firewall
Using iptables on Linux as a firewall has many advantages in terms of deployment and cost. Beyond that, iptables allows encryption modules to be integrated in order to protect parts of IP packets as they pass through the firewall.
Encryption can be added to an iptables firewall on Linux by developing an iptables extension module that encrypts packets as they pass through it.
In the diagram of Figure 3, every iptables table (MANGLE, NAT, FILTER) can hold lists of rules (chains) that process packets; to keep the system efficient, rules should nevertheless be placed in the most suitable chain. When packets have to be encrypted or decrypted, the hook position of the cryptographic module must be chosen so that the packet incurs the least possible delay.
Figure 4 shows two iptables firewalls with an encryption function that control and protect the traffic between two internal LANs. In this case the packets to be encrypted or decrypted must be selected by rules in the MANGLE table. The question is which chain of this table (PREROUTING, FORWARD or POSTROUTING) should hold the rule that invokes the cryptographic module. The PREROUTING chain is a suitable choice, because it lets the cryptographic intervention happen early and so keeps the packet delay low. The encryption/decryption module must therefore hook into the system at the same position as the PREROUTING module in Figure 2; correspondingly, in Figure 3, encryption and decryption take place in the PREROUTING chain of the MANGLE table.
One consequence of this placement should be kept in mind: a packet encrypted in the PREROUTING chain of MANGLE reaches the FORWARD chain of FILTER with its payload already encrypted, so FILTER rules that inspect packet contents no longer see plaintext. Rules on addresses, protocol and ports are unaffected, because the headers stay in the clear.

Figure 4: Model for controlling and securing packets with a firewall that has a protection function
Firewall rules then gain a new target, in addition to the standard DROP, REJECT and ACCEPT targets, for encrypting or decrypting packets. Suppose these targets are named ENCRYPT (encrypt the packet) and DECRYPT (decrypt the packet); the filtering-and-encryption rules would take the form:
iptables -t mangle -A PREROUTING ... -j ENCRYPT --encrypt-with-secret $key
iptables -t mangle -A PREROUTING ... -j DECRYPT --decrypt-with-secret $key
where the "..." part holds the packet match conditions. In both rules, a packet that satisfies the match conditions (source address, destination address, protocol, application port, ...) is passed to the ENCRYPT or DECRYPT target, which performs the encryption or decryption. ENCRYPT and DECRYPT are hypothetical targets: implementing them requires a kernel-side target module together with a matching user-space libxtables extension that parses the new options, and neither ships with iptables. Note also that passing the key on the command line, as written above, exposes it in the process list and the shell history; a real module would take the key from a protected file or a key-management interface.
The further issues to address when encrypting/decrypting packets are:
+ Only the data part (payload) of the packet is encrypted or decrypted, not the control information (headers). The packet must therefore be processed so that the payload is separated out as input to the encryption or decryption algorithm (on Linux kernels 2.4 and 2.6 this is done through the sk_buff structure). Because the transport-layer checksum covers the payload, it has to be recomputed after the payload changes, or the receiving host will discard the packet.
+ A fast algorithm should be chosen to keep system latency low (block ciphers are suitable).
+ Key distribution: independent key distribution applications can be built at the application layer to deliver keys to the firewalls that have the encryption function.
With this approach, building an encryption module and integrating it into iptables is entirely feasible. However, its practical applicability and the assessment of its security still leave many questions open and depend heavily on how the solution is designed and implemented.
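The first of the issues above, splitting the payload from the headers and repairing the checksum, worked through in user space as an added Python example (it is not the article's kernel module). It takes a raw IPv4/UDP packet, XORs only the UDP payload with a keystream, copies every header byte through unchanged and recomputes the UDP checksum. The keystream (SHA-256 in counter mode) is a stand-in for a proper block cipher in CTR mode, the nonce is a caller-supplied value that a real design would have to transmit or derive per packet, and the sample packet is constructed for the example.

```python
"""Encrypt only the transport payload of an IPv4/UDP packet, keep every
header byte unchanged so routing and header-based filtering still work,
and repair the UDP checksum. Added user-space illustration of the split the
article's kernel module would perform on the sk_buff."""
import hashlib
import struct

IP_PROTO_UDP = 17


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (zero-padded if odd)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _udp_checksum(src: bytes, dst: bytes, udp: bytes) -> int:
    """UDP checksum: pseudo-header (addresses, protocol, length) plus the
    segment with its own checksum field zeroed. A result of 0 is sent as 0xFFFF."""
    pseudo = src + dst + struct.pack("!BBH", 0, IP_PROTO_UDP, len(udp))
    return _checksum(pseudo + udp[:6] + b"\x00\x00" + udp[8:]) or 0xFFFF


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode: a stand-in for a block cipher in CTR mode.
    A (key, nonce) pair must never be reused; a real module would carry a
    per-packet nonce, as ESP does with its sequence number."""
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hashlib.sha256(key + nonce + struct.pack("!Q", counter)).digest()
    return bytes(out[:length])


def split_packet(packet: bytes):
    """Separate IPv4 header, UDP header and payload (the user-space counterpart
    of locating the transport payload inside an sk_buff)."""
    if packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    if packet[9] != IP_PROTO_UDP:
        raise ValueError("this example handles UDP only")
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    return packet[:ihl], packet[ihl:ihl + 8], packet[ihl + 8:total_len]


def transform_payload(packet: bytes, key: bytes, nonce: bytes) -> bytes:
    """Encrypt, or when applied again decrypt, only the UDP payload. The IP
    header is copied through untouched (its checksum covers the header only);
    the UDP checksum is recomputed because it covers the payload."""
    ip_hdr, udp_hdr, payload = split_packet(packet)
    body = bytes(p ^ k for p, k in zip(payload, _keystream(key, nonce, len(payload))))
    udp = udp_hdr[:6] + b"\x00\x00" + body
    udp = udp[:6] + struct.pack("!H", _udp_checksum(ip_hdr[12:16], ip_hdr[16:20], udp)) + body
    return ip_hdr + udp + packet[len(ip_hdr) + len(udp):]   # keep any trailing bytes


def verify_udp_checksum(packet: bytes) -> bool:
    """True when the stored UDP checksum matches the packet's current contents."""
    ip_hdr, udp_hdr, payload = split_packet(packet)
    stored = struct.unpack("!H", udp_hdr[6:8])[0]
    return stored == _udp_checksum(ip_hdr[12:16], ip_hdr[16:20], udp_hdr + payload)


def build_udp_packet(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed sample IPv4/UDP packet with valid checksums (test input only)."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    udp = udp[:6] + struct.pack("!H", _udp_checksum(src_b, dst_b, udp)) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0x4000,
                         64, IP_PROTO_UDP, 0, src_b, dst_b)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", _checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + udp


if __name__ == "__main__":
    key, nonce = b"\x11" * 32, b"\x00" * 7 + b"\x01"   # constructed test values
    plain = build_udp_packet("192.168.1.10", "10.0.2.20", 40000, 53, b"example dns payload")
    enc = transform_payload(plain, key, nonce)
    print("headers unchanged:", enc[:26] == plain[:26])
    print("checksum valid after encryption:", verify_udp_checksum(enc))
    print("round trip restores plaintext:", transform_payload(enc, key, nonce) == plain)
```

The packet length is preserved, so the IP total-length field and the IP header checksum stay valid without any change; the only header bytes that differ between the plaintext and encrypted packet are the two UDP checksum bytes. Skipping that recomputation is the classic mistake in this kind of module: the peer's decryption would succeed, but the receiving host's UDP/TCP stack would drop the packet before the application ever saw it.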
4. Conclusion
Building a security solution that integrates several security functions on a single system is something many information-security product vendors around the world have done. Studying how the iptables firewall of the open-source Linux operating system manages and processes packets allows us to design and build firewall products with cryptographic security functions.
MSc. Nguyen Thanh Son