Tuesday, October 25, 2011

What is a DMZ

knowledge
Demilitarized Zone (DMZ)
When the user also runs various servers, say a Web Server, FTP Server, DNS Server, Proxy Server, Mail Server and MySQL Server, what do we do with them?
The usual approach is to add one more network zone, the Demilitarized Zone (DMZ). Translated literally it means a "military-free zone", such as the one set up on the border between North Korea and South Korea during the temporary ceasefire of the Korean War.
In network security, a DMZ is defined as a further kind of zone that is neither Internal (the internal network) nor External (the outside network, i.e. the Internet), but a network that has to communicate with both the internal and the external network. For that reason I placed all 5 servers that must talk to both the internal and the external network in the DMZ, as in Figure 3.
You may wonder where a DHCP server would go if there is one. Since a DHCP server does not need to communicate with the external network, it can simply sit on the internal network, or, if the gateway has somewhat higher specs, it can run on the gateway itself.
Figure 3: A firewall with a DMZ in which the IP addresses are allocated incorrectly
When I tried the layout in the figure above I ran into a problem: Linux does not accept two LAN cards whose IP addresses lie in the same subnet, namely the card with 202.129.48.162 and the card with 202.29.48.163, which are both in the subnet 202.129.48.160/28.
The fix is to split the subnet into two, that is, divide the IP range obtained from the ISP into two subnets, the first for the External side and the second for the DMZ, as follows:
Subnet 1: 202.129.48.160/29, which has 8 IP addresses in the range 202.129.48.160 to 202.129.48.167, of which 6 are actually usable: 202.129.48.161 to 202.129.48.166
Subnet 2: 202.129.48.168/29, which has 8 IP addresses in the range 202.129.48.168 to 202.129.48.175, of which 6 are actually usable: 202.129.48.169 to 202.129.48.174. The whole network layout then becomes as shown in Figure 4.
Figure 4: A firewall with a correctly configured DMZ
To make writing the ipchains rules easier, we should first draw up an access-rule table that spells out which applications we want to accept or reject. The requirements here refer to Figure 4 and are listed in the following table:
| No. | Source | Destination | Service | Port No. | Action |
|-----|--------|-------------|---------|----------|--------|
| 1 | internal | any | NAT (MASQ) | | forward |
| 2 | internal | any | ftp | 21 tcp | accept |
| 3 | internal | any | dns | 53 udp | accept |
| 4 | dmz | any | dns | 53 udp | accept |
| 5 | any | dmz | dns | 53 udp | accept |
| 6 | any | any | http | 80 tcp | accept |
| 7 | internal | any | telnet | 23 tcp | accept |
| 8 | any (external) | internal | telnet | 23 tcp | reject |
| 9 | any | any | smtp | 25 tcp | accept |
| 10 | internal | any | pop3 | 110 tcp | accept |
| 11 | internal | any | imap | 143 tcp | accept |
| 12 | internal | any | https | 443 tcp | accept |
| 13 | internal | any | ping | icmp | accept |
| 14 | not internal | any | webcache (proxy) | 8080 tcp | reject |
| 15 | any (external) | dmz | ping | icmp | reject |
| 16 | any | any | tcp port 0-1023 | 0-1023 tcp | reject |
| 17 | any | any | tcp Network File System (NFS) | 2049 tcp | reject |
| 18 | any | any | udp port 0-1023 | 0-1023 udp | reject |
| 19 | any | any | udp Network File System (NFS) | 2049 udp | reject |
| 20 | internal | any | catch internal hosts infected with SubSeven | 2773 tcp | reject |
| 21 | internal | any | catch internal hosts infected with SubSeven | 6771 tcp | reject |
| 22 | internal | any | catch internal hosts infected with SubSeven | 6713 tcp | reject |
| 23 | internal | any | catch internal hosts infected with SubSeven | 7215 tcp | reject |
| 24 | internal | any | catch internal hosts infected with SubSeven | 27374 tcp | reject |
| 25 | internal | any | catch internal hosts infected with SubSeven | 27573 tcp | reject |
| 26 | internal | any | catch internal hosts infected with SubSeven | 54283 tcp | reject |
| 27 | any | dmz | X Window System | 6000-6009 tcp | reject |
| 28 | any | dmz | X Font Service | 7100 tcp | reject |
| 29 | internal | any | catch internal hosts infected with Back Orifice 2000 | 8787 tcp | reject |
| 30 | internal | any | catch internal hosts infected with Back Orifice 2000 | 54320-54321 | reject |
The corresponding ipchains commands, numbered as in the table:
1: #ipchains -A forward -s 192.168.1.0/24 -d 0/0 -j MASQ
2: #ipchains -A input -s 192.168.1.0/24 -d 0/0 21 -p tcp -y -j ACCEPT
3: #ipchains -A input -s 192.168.1.0/24 -d 0/0 53 -p udp -j ACCEPT
4: #ipchains -A input -s 202.129.48.168/29 -d 0/0 53 -p udp -j ACCEPT
5: #ipchains -A input -s 0/0 -d 202.129.48.168/29 53 -p udp -j ACCEPT
6: #ipchains -A input -s 0/0 -d 0/0 80 -p tcp -y -j ACCEPT
7: #ipchains -A input -s 192.168.1.0/24 -d 0/0 23 -p tcp -y -j ACCEPT
8: #ipchains -A input -s 0/0 -d 202.129.48.168/29 23 -p tcp -y -j REJECT
9: #ipchains -A input -s 0/0 -d 0/0 25 -p tcp -y -j ACCEPT
10: #ipchains -A input -s 192.168.1.0/24 -d 0/0 110 -p tcp -y -j ACCEPT
11: #ipchains -A input -s 192.168.1.0/24 -d 0/0 143 -p tcp -y -j ACCEPT
12: #ipchains -A input -s 192.168.1.0/24 -d 0/0 443 -p tcp -y -j ACCEPT
13: #ipchains -A input -s 192.168.1.0/24 -d 0/0 -p icmp --icmp-type ping -j ACCEPT
14: #ipchains -A input -s ! 192.168.1.0/24 -d 0/0 8080 -p tcp -y -j REJECT
15: #ipchains -A input -s 0/0 -d 202.129.48.168/29 -p icmp --icmp-type ping -j REJECT
16: #ipchains -A input -s 0/0 -d 0/0 0:1023 -p tcp -y -j REJECT
17: #ipchains -A input -s 0/0 -d 0/0 2049 -p tcp -y -j REJECT
18: #ipchains -A input -s 0/0 -d 0/0 0:1023 -p udp -j REJECT
19: #ipchains -A input -s 0/0 -d 0/0 2049 -p udp -j REJECT
20: #ipchains -A input -s 192.168.1.0/24 -d 0/0 2773 -p tcp -y -j REJECT
21: #ipchains -A input -s 192.168.1.0/24 -d 0/0 6771 -p tcp -y -j REJECT
22: #ipchains -A input -s 192.168.1.0/24 -d 0/0 6713 -p tcp -y -j REJECT
23: #ipchains -A input -s 192.168.1.0/24 -d 0/0 7215 -p tcp -y -j REJECT
24: #ipchains -A input -s 192.168.1.0/24 -d 0/0 27374 -p tcp -y -j REJECT
25: #ipchains -A input -s 192.168.1.0/24 -d 0/0 27573 -p tcp -y -j REJECT
26: #ipchains -A input -s 192.168.1.0/24 -d 0/0 54283 -p tcp -y -j REJECT
27: #ipchains -A input -s 0/0 -d 202.129.48.168/29 6000:6009 -p tcp -y -j REJECT
28: #ipchains -A input -s 0/0 -d 202.129.48.168/29 7100 -p tcp -y -j REJECT
29: #ipchains -A input -s 192.168.1.0/24 -d 0/0 8787 -p tcp -y -j REJECT
30: #ipchains -A input -s 192.168.1.0/24 -d 0/0 54320:54321 -p udp -j REJECT
Meaning of each line:
1. Do NAT for the internal network so that it can get out to the external network.
2. Allow the internal network to FTP anywhere.
3. Allow the internal network to use any DNS server.
4. Allow the DMZ to use any DNS server. This allows the whole DMZ; in practice allowing just the Proxy Server and the DNS Server would be enough, by giving the servers' IP addresses, which means two lines of this command.
5. Allow any source to use the DNS server in the DMZ; the destination could likewise be narrowed to the IP of the DNS server alone.
6. Allow HTTP, whatever the source and destination.
7. Allow the internal network to telnet anywhere.
8. Do not allow any source to telnet into the DMZ; taken together with rule 7, the result is that only the internal network can telnet into the DMZ.
9. Allow any source to use SMTP to any destination.
10. Allow the internal network to use POP3 at any destination.
11. Allow the internal network to use IMAP at any destination.
12. Allow the internal network to use HTTPS at any destination.
13. Allow the internal network to ping anywhere.
14. Do not allow networks other than the internal network to use the Proxy Server.
15. Do not allow anyone to ping into the DMZ; taken together with rule 13, the result is that only the internal network can ping the DMZ.
16. Block TCP ports 0-1023 for any source and destination; only what the preceding rules allowed gets through.
17. Block TCP Network File System (NFS) for any source and destination.
18. Block UDP ports 0-1023 for any source and destination; only what the preceding rules allowed gets through.
19. Block UDP Network File System (NFS) for any source and destination.
20-26. Catch internal hosts infected with SubSeven.
27. Block any source from connecting to the X Window System in the DMZ.
28. Do not allow TCP port 7100 (X Font Service) for any source and destination.
29-30. Catch internal hosts infected with Back Orifice 2000.
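As an added example (not code from the original page), the following POSIX shell script evaluates a packet against rules 2-30 in chain order, first match wins, to show how the ordering that notes 8, 15 and 16 rely on actually plays out. The zone names internal/dmz/external, the not:internal notation standing in for -s ! 192.168.1.0/24, and an ACCEPT default policy for unmatched packets are assumptions; ports and directions follow the ipchains lines where they differ from the table (rules 8 and 30).

```shell
#!/bin/sh
# Added example (not from the original page): first-match evaluation of the
# ipchains rules 2-30 above. ipchains stops at the first matching rule, which
# is why rule 7 (placed before 8) lets only "internal" telnet into the DMZ and
# why rule 16 rejects TCP 0-1023 only for what no earlier rule accepted.
# Assumptions: zones internal/dmz/external stand for 192.168.1.0/24,
# 202.129.48.168/29 and everything else; "not:internal" models
# "-s ! 192.168.1.0/24"; an unmatched packet gets the chain's default policy,
# assumed to be ACCEPT and reported as "DEFAULT". Rule 1 (MASQ in the
# forward chain) is left out since it is not an accept/reject decision.

# One rule per line, in chain order: number source dest proto port action.
# "any" matches every zone, "-" means no port check, "lo-hi" is a range.
RULES='
2 internal any tcp 21 ACCEPT
3 internal any udp 53 ACCEPT
4 dmz any udp 53 ACCEPT
5 any dmz udp 53 ACCEPT
6 any any tcp 80 ACCEPT
7 internal any tcp 23 ACCEPT
8 any dmz tcp 23 REJECT
9 any any tcp 25 ACCEPT
10 internal any tcp 110 ACCEPT
11 internal any tcp 143 ACCEPT
12 internal any tcp 443 ACCEPT
13 internal any icmp - ACCEPT
14 not:internal any tcp 8080 REJECT
15 any dmz icmp - REJECT
16 any any tcp 0-1023 REJECT
17 any any tcp 2049 REJECT
18 any any udp 0-1023 REJECT
19 any any udp 2049 REJECT
20 internal any tcp 2773 REJECT
21 internal any tcp 6771 REJECT
22 internal any tcp 6713 REJECT
23 internal any tcp 7215 REJECT
24 internal any tcp 27374 REJECT
25 internal any tcp 27573 REJECT
26 internal any tcp 54283 REJECT
27 any dmz tcp 6000-6009 REJECT
28 any dmz tcp 7100 REJECT
29 internal any tcp 8787 REJECT
30 internal any udp 54320-54321 REJECT
'

# zone_match RULE_ZONE PKT_ZONE: "any" matches all, "not:X" all but X.
zone_match() {
  case "$1" in
    any)   return 0 ;;
    not:*) [ "${1#not:}" != "$2" ] ;;
    *)     [ "$1" = "$2" ] ;;
  esac
}

# port_match RULE_PORT PKT_PORT: "-" matches all, "lo-hi" is inclusive.
port_match() {
  case "$1" in
    -)   return 0 ;;
    *-*) [ "$2" -ge "${1%-*}" ] && [ "$2" -le "${1#*-}" ] ;;
    *)   [ "$1" -eq "$2" ] ;;
  esac
}

# decide SRC_ZONE DST_ZONE PROTO PORT: prints "<rule-no> <action>" for the
# first matching rule, or "DEFAULT". Use port 0 for ICMP packets.
decide() {
  hit=$(printf '%s\n' "$RULES" | while read -r n src dst proto port action; do
    [ -n "$n" ] || continue
    [ "$proto" = "$3" ] || continue
    zone_match "$src" "$1" || continue
    zone_match "$dst" "$2" || continue
    port_match "$port" "$4" || continue
    echo "$n $action"
    break
  done)
  echo "${hit:-DEFAULT}"
}

# The cases the notes reason about (rules 7/8, 13/15, 14, 16).
for q in "internal dmz tcp 23" "external dmz tcp 23" \
         "internal dmz icmp 0" "external dmz icmp 0" \
         "dmz external tcp 8080" "internal external tcp 8080" \
         "external internal tcp 22" "external dmz udp 53"; do
  # $q is deliberately unquoted so it splits into the four arguments.
  printf '%-26s -> %s\n' "$q" "$(decide $q)"
done
```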

Source: http://www.tkc.ac.th/osunun/technology/linux/gateway_firewall.html

Monday, October 24, 2011

Example of a DMZ firewall with a transparent proxy (DMZ on private IPs)

āļāļēāļĢāļˆัāļ”āđ€āļ„āļĢืāļ­āļ‚่āļēāļĒ Firewall āđāļšāļš DMZ (Demilitarized Zone) āđ€āļ›็āļ™āļĢูāļ›āđāļšāļšāļŦāļ™ึ่āļ‡āļ—ี่āļ™ิāļĒāļĄāđƒāļŠ้āļัāļ™  āļ‹ึ่āļ‡āđ€āļ„āļĢืāļ­āļ‚่āļēāļĒāļˆāļ°āļ›āļĢāļ°āļāļ­āļšāđ„āļ›āļ”้āļ§āļĒāđ€āļ„āļĢืāļ­āļ‚่āļēāļĒ 3 āļŠ่āļ§āļ™āļ”้āļ§āļĒāļัāļ™ āļ„ืāļ­
1 .āđ€āļ„āļĢืāļ­āļ‚่āļēāļĒāļ āļēāļĒāđƒāļ™ 
(trusted internal network) āļˆāļ°āđ€āļ›็āļ™āļŠ่āļ§āļ™āļ—ี่āđ„āļĄ่āļ­āļ™ุāļāļēāļ•āđƒāļŦ้āđ€āļ„āļĢืāļ­āļ‚่āļēāļĒāļ āļēāļĒāļ™āļ­āļāđ€āļ‚้āļēāļĄāļēāđ„āļ”้ āļ‹ึ่āļ‡āļŠ่āļ§āļ™āđƒāļŦāļ่āļˆāļ°āđ€āļ›็āļ™āļŠ่āļ§āļ™āļ‚āļ­āļ‡ Client
2. āđ€āļ„āļĢืāļ­āļ‚่āļēāļĒ
DMZ āđ€āļ›็āļ™āļŠ่āļ§āļ™āļ—ี่āđ€āļ„āļĢืāļ­āļ‚่āļēāļĒāļ āļēāļĒāļ™āļ­āļāđāļĨāļ°āđ€āļ„āļĢืāļ­āļ‚่āļēāļĒāļ āļēāļĒāđƒāļ™āđ€āļ‚้āļēāļĄāļēāđƒāļŠ้āļ‡āļēāļ™āđ„āļ”้āļ•āļēāļĄāļāļŽāļ—ี่ Firewall āđ„āļ”้āļ•ั้āļ‡āđ„āļ§้
3.āđ€āļ„āļĢืāļ­āļ‚่āļēāļĒāļ āļēāļĒāļ™āļ­āļ (Internet)

āđ‚āļ”āļĒāļāļēāļĢāđ€āļŠื่āļ­āļĄāļ•่āļ­āđƒāļŠ้āļ‡āļēāļ™āļˆāļ°āļ•้āļ­āļ‡āļĄี
Linux Server āļ•ัāļ§āļŦāļ™ี่āļ‡āļ—āļģāļŦāļ™้āļēāļ—ี่āđ€āļ›็āļ™ Firewall āļ‹ึ่āļ‡āļˆāļ°āļ•้āļ­āļ‡āļ›āļĢāļ°āļāļ­āļšāļ”้āļ§āļĒāļāļēāļĢ์āļ”āđāļĨāļ™ 3 āļāļēāļĢ์āļ” āļ”ัāļ‡āļĢูāļ›āļ—ี่ 1



Figure 1
To make this easier to understand, Figure 2 shows an example of the actual connections. The Linux firewall has three Ethernet cards: eth0 connects to the external network, eth1 to the internal network, and eth2 to the DMZ. eth0 carries three IP addresses:
1. 202.129.49.194 for the firewall itself
2. 202.129.49.195 used for HTTP
3. 202.129.49.196 used for DNS

Note: the Proxy does not need to serve outside users, so it does not need a public IP.



Figure 2
Duties of the Linux firewall
1. Perform outbound NAT so that the internal network (trusted internal network) can connect to the external network.
2. When the internal network accesses the external network over HTTP, redirect the request to the Proxy in the DMZ (Transparent Proxy).
3. The Linux server must allow the internal network to use the DNS server in the DMZ by both its public and its private IP (both 202.129.49.196 and 192.168.2.3).
4. The Linux server must allow the internal network to use the Web server in the DMZ by both its public and its private IP (both 202.129.49.195 and 192.168.2.2).
5. Perform inbound NAT so that the external network can reach the Web server and the DNS server in the DMZ.
6. Act as the firewall.

iptables commands used
The complete set of commands is as follows:

#-----Start script------#

#Define variables
LAN_IP="192.168.1.1"
LAN_BCAST_ADRESS="192.168.1.255"
LAN_IFACE="eth1"

INET_IP="202.129.49.194"
INET_IFACE="eth0"

HTTP_IP="202.129.49.195"
DNS_IP="202.129.49.196"

DMZ_IP="192.168.2.1"
DMZ_IFACE="eth2"

DMZ_HTTP_IP="192.168.2.2"
DMZ_DNS_IP="192.168.2.3"
DMZ_PROXY_IP="192.168.2.4"

LO_IP="127.0.0.1"
LO_IFACE="lo"
#CRITICAL: Enable IP forwarding since it is disabled by default.
echo "1" > /proc/sys/net/ipv4/ip_forward
#Clear all chains of rule
iptables -F
iptables -X allowed
iptables -X icmp_packets
iptables -t nat -F

# Chain Policies gets set up before any bad packets gets through
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# the allowed chain for TCP connections, utilized in the FORWARD chain
iptables -N allowed
iptables -A allowed -p TCP --syn -j ACCEPT
iptables -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A allowed -p TCP -j DROP

# ICMP rules, utilized in the FORWARD chain
iptables -N icmp_packets
iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 0 -j ACCEPT
iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 3 -j ACCEPT
iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 5 -j ACCEPT
iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

# POSTROUTING chain in the nat table : Enable IP SNAT for all internal networks trying to get out on the Internet
iptables -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP

# PREROUTING chain in the nat table

# Do some checks for obviously spoofed IP's
iptables -t nat -A PREROUTING -i $INET_IFACE -s 192.168.0.0/16 -j DROP
iptables -t nat -A PREROUTING -i $INET_IFACE -s 10.0.0.0/8 -j DROP
iptables -t nat -A PREROUTING -i $INET_IFACE -s 172.16.0.0/12 -j DROP
iptables -t nat -A PREROUTING -i $INET_IFACE -s $INET_IP -j DROP

# Enable IP Destination NAT for DMZ zone (Inbound NAT)
iptables -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $HTTP_IP --dport 80 -j DNAT --to-destination $DMZ_HTTP_IP
iptables -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $DNS_IP --dport 53 -j DNAT --to-destination $DMZ_DNS_IP
iptables -t nat -A PREROUTING -p UDP -i $INET_IFACE -d $DNS_IP --dport 53 -j DNAT --to-destination $DMZ_DNS_IP

# Enable Internal network connect to DMZ HTTP and DMZ DNS by public IP (update by Adisorn)
iptables -t nat -A PREROUTING -p TCP -i $LAN_IFACE -d $HTTP_IP --dport 80 -j DNAT --to-destination $DMZ_HTTP_IP
iptables -t nat -A PREROUTING -p TCP -i $LAN_IFACE -d $DNS_IP --dport 53 -j DNAT --to-destination $DMZ_DNS_IP
iptables -t nat -A PREROUTING -p UDP -i $LAN_IFACE -d $DNS_IP --dport 53 -j DNAT --to-destination $DMZ_DNS_IP

# Redirect all http from internal network (not DMZ http destination) to Proxy Server (Transparent Proxy) (update by sorn)
# "! -d" is the negation form current iptables accepts; the older "-d !" spelling is deprecated
iptables -t nat -A PREROUTING -p TCP -i $LAN_IFACE -s 192.168.1.0/24 ! -d $DMZ_HTTP_IP --dport 80 -j DNAT --to-destination $DMZ_PROXY_IP:3128
# FORWARD chain

# Get rid of bad TCP packets
iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP

# DMZ section : General rules
iptables -A FORWARD -i $DMZ_IFACE -o $INET_IFACE -j ACCEPT
iptables -A FORWARD -i $INET_IFACE -o $DMZ_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IFACE -o $DMZ_IFACE -j ACCEPT
iptables -A FORWARD -i $DMZ_IFACE -o $LAN_IFACE -j ACCEPT

# DMZ section : HTTP server
iptables -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP --dport 80 -j allowed
iptables -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP -j icmp_packets

# DMZ section : DNS server
iptables -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP --dport 53 -j allowed
iptables -A FORWARD -p UDP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP --dport 53 -j ACCEPT
iptables -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP -j icmp_packets

# LAN section
iptables -A FORWARD -i $LAN_IFACE -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# LOG all packets reaching here
iptables -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died: "

# Firewall rules

# INPUT chain

# Get rid of bad packets
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# Packets from the Internet to this box
iptables -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets

# Packets from LAN, DMZ or LOCALHOST

# From DMZ Interface to DMZ firewall IP
iptables -A INPUT -p ALL -i $DMZ_IFACE -d $DMZ_IP -j ACCEPT

# From LAN Interface to LAN firewall IP
iptables -A INPUT -p ALL -i $LAN_IFACE -d $LAN_IP -j ACCEPT
iptables -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT

# From Localhost interface to Localhost IP
iptables -A INPUT -p ALL -i $LO_IFACE -d $LO_IP -j ACCEPT

# All established and related packets incoming from the internet to the firewall
iptables -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED -j ACCEPT

# Logging rule
iptables -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "

# OUTPUT chain

# Get rid of bad TCP packets
iptables -A OUTPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
iptables -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP

# Allow ourself to send packets not spoofed everywhere
iptables -A OUTPUT -p ALL -o $LO_IFACE -s $LO_IP -j ACCEPT
iptables -A OUTPUT -p ALL -o $LAN_IFACE -s $LAN_IP -j ACCEPT
# Added line: the original script had no OUTPUT rule for eth2, so the firewall's own
# replies to DMZ hosts (e.g. to the proxy) fell through to the OUTPUT DROP policy
iptables -A OUTPUT -p ALL -o $DMZ_IFACE -s $DMZ_IP -j ACCEPT
iptables -A OUTPUT -p ALL -o $INET_IFACE -s $INET_IP -j ACCEPT

# Logging rule
iptables -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

#-----End script------#

āļāļēāļĢāļ—āļģ DMZ

āđ€āļŠ่āļ™ 202.29.30.49 map 192.168.2.19 āļŠāļēāļĄāļēāļĢāļ–āđ€āļĢีāļĒāļāļ”ูāđ„āļ”้ āļ—ี่
202.29.30.49 āļ„āļĢัāļš


āđ€āļ‚āļēāđ€āļĢีāļĒāļāļ§่āļēāļāļēāļĢāļ—āļģ DMZ āļ„āļĢัāļš āļ„ืāļ­āļ•้āļ­āļ‡āļĄีāļāļēāļĢ์āļ”āđāļĨāļ™āđ€āļžิ่āļĄāļĄāļēāļ­ีāļāđƒāļšāļ™ึāļ‡āļ„ัāļš āđ€āļ—่āļēāļ—ี่āļ—āļĢāļēāļš āđāļ•่āļ§่āļēāļœāļĄāļ็āļĒัāļ‡āđ„āļĄ่āđ€āļ„āļĒāļ—āļģ

āļ›āļĨ. āđ„āļĄ่āļĢู้āļœāļĄāđ€āļ‚้āļēāđƒāļˆāļ–ูāļāļŦāļĢืāļ­āđ€āļ›āļĨ่āļēāļ™āļ°āļ„āļĢัāļš āļ—ี่āļœāļĄāđ€āļ‚้āļēāđƒāļˆāļ็āļ„ืāļ­ āļ­āļĒ่āļēāļ‡āđ€āļŠ่āļ™āđ€āļĢāļēāđ€āļ‚้āļē 202.29.30.49:80 āļ็āđƒāļŦ้āļ§ิ่āļ‡āđ„āļ›āđ€āļ›ิāļ”āđ€āļ„āļĢื่āļ­āļ‡ 192.168.2.19:80 āđƒāļŠāļ›่āļ°āļ„ัāļš āļ–้āļēāđƒāļŠ่āđ€āļ‚āļēāđ€āļĢีāļĒāļāļ—āļģ DMZ āļ„āļĢัāļš
āđƒāļŠ้ ipnat āļ„āļĢัāļš
āđ€āļ›ิāļ” ipnat āđƒāļŦ้āļ—āļģāļ‡āļēāļ™āđ‚āļ”āļĒāđ€āļžิ่āļĄāđƒāļ™āđ„āļŸāļĨ์ /etc/rc.conf āļ”ัāļ‡āļ™ี้
ipnat_enable="YES"
ipnat_rules="/etc/ipnat.rules"

āđāļĨ้āļ§āđ€āļžิ่āļĄāļāļŽāļ™ี้āđ€āļ‚้āļēāđ„āļ›āđƒāļ™ /etc/ipnat.rules
rdr rl1 0.0.0.0/0 port 8081 -> 192.168.0.252 port 80 tcp

āđ‚āļ”āļĒ rl1 āļ„ืāļ­āļāļēāļĢ์āļ”āđāļĨāļ™āđƒāļšāļ—ี่āļ•้āļ­āļ‡āļāļēāļĢāđƒāļŦ้ forward āļĄāļē āļ­āļēāļˆāļˆāļ°āđ€āļ›็āļ™ ip āļˆāļĢิāļ‡āļั่āļ‡āļ—ี่āļ•่āļ­āļัāļšāļ­ิāļ™āđ€āļ•āļ­āļĢ์āđ€āļ™็āļ• āđ‚āļ”āļĒāļžāļ­āļĢ์āļ• 8081 āļ„ืāļ­āļŦāļĄāļēāļĒāđ€āļĨāļ‚āļžāļ­āļĢ์āļ•āļ—ี่āđ€āļĢีāļĒāļāđ€āļ‚้āļēāļĄāļē
āđ€āļŠ่āļ™ āļāļēāļĢ์āļ”āđāļĨāļ™āđƒāļšāļ™ี้(rl1)āļĄี ip 202.222.123.5 āļ–้āļēāđ€āļĢีāļĒāļāļœ่āļēāļ™ potocol http āļ็āđ€āļĢีāļĒāļāđ‚āļ”āļĒhttp://202.222.123.5:8081āļĄัāļ™āļ็āļˆāļ° forward āđ„āļ›āļ—ี่ 192.168.0.252 āļžāļ­āļĢ์āļ• 80

Example
rdr rl1 0.0.0.0/0 port 8081 -> 192.168.0.252 port 80 tcp
rdr rl1 0.0.0.0/0 port 22 -> 192.168.0.3 port 22 tcp
rdr rl1 0.0.0.0/0 port 80 -> 192.168.0.4 port 80 tcp
rdr rl1 0.0.0.0/0 port 25 -> 192.168.0.4 port 25 tcp

   
Additionally:
The machine doing the port forwarding needs at least two LAN cards, one with the public IP and one with the private IP.

If you do the port forwarding on a router, use this command:
ip nat inside source static tcp 192.168.0.50 80 interface serial0 80

where 192.168.0.50 80 is the private IP and port you want forwarded to

serial0 80 is the WAN-side interface that goes out to the Internet

/sbin/iptables -t nat -A PREROUTING -p tcp -s x/x -d [your WAN-side IP address] -i [wan-interface-name] --dport 80 -j DNAT --to-destination 192.168.1.100:80


āļāļĢāļ“ีāļ—ี่āđ€āļĢāļēāļĄี web1, web2 āļ–้āļēāļāļģāļŦāļ™āļ” rules āđāļšāļšāļ™ี้āļĄัāļ™āļˆāļ°āļ‡āļ‡āļĄั๊āļĒāļ„āļĢัāļš

rdr rl1 0.0.0.0/0 port 80 -> 192.168.0.4 port 80 tcp
rdr rl1 0.0.0.0/0 port 80 -> 192.168.0.5 port 80 tcp

āļāļģāļŦāļ™āļ”āļ‹้āļ­āļ™āļัāļ™āđ„āļĄ่āđ„āļ”้āļ„āļĢัāļš āļ–้āļē 2 āđ€āļ§็āļšāļ็āļ•้āļ­āļ‡āļĢัāļ™āļัāļ™āļ„āļ™āļĨāļ° port āļ„āļĢัāļš

āļ‡ั้āļ™āļ•้āļ­āļ‡āđ€āļ›็āļ™āđāļšāļšāļ™ี้āļĢึāđ€āļ›āļĨ่āļēāļ„āļĢัāļš

rdr rl1 0.0.0.0/0 port 80 -> 192.168.0.4 port 80 tcp (web1)
rdr rl1 0.0.0.0/0 port 81 -> 192.168.0.5 port 80 tcp (web2)

āđāļĨ้āļ§āđ€āļ§āļĨāļēāđ€āļ‚้āļēāđ€āļ§āļ›āļĨ่āļ°āļ„āļĢัāļš āļāļĢāļ“ีāļ—ี่āđ€āļ›็āļ™ web2 āļ•้āļ­āļ‡āđ€āļ›็āļ™ www.web2.com:81 āļĢึāđ€āļ›āļĨ่āļēāļ„āļĢัāļš āļ–้āļēāđ€āļ›็āļ™āļ­āļĒ่āļēāļ‡āļ™ี้āđ€āļĢāļēāļˆāļ°āļĄีāļ§ิāļ˜ีāđāļ้āļĒัāļ‡āļ‡ัāļĒāļ„āļĢัāļšāđƒāļŦ้ user āđ€āļ„้āļēāđ€āļ‚้āļēāđ„āļ”้āđāļšāļšāļ›āļāļ•ิāļ™่āļ°āļ„āļĢัāļšāļ„ืāļ­

www.web2.com āļ­āļĒ่āļēāļ‡āļ™ี้āđ€āļĨāļĒ...āļĢāļšāļāļ§āļ™āļ”้āļ§āļĒāļ™āļ°āļ„āļĢัāļš āļœāļĄāļŠāļ‡āļŠัāļĒāļˆāļĢิāļ‡āđ† āļ‚āļ­āļšāļ„ุāļ“āļ„āļĢัāļš

Sunday, October 23, 2011

Domain forwarding in Apache


Here's a short tutorial on one way to forward one domain to another in Apache, keeping Google happy as we go along.

The disclaimer bit

First of all, this tutorial is based on Apache 2.2 on CentOS 5. No responsibility will be taken for things going wrong, so use at your own risk!

What we want to achieve

Let's say we have a client who wants to forward three domains to one. For this example let's use:
  • www.ilovemymonkeys.com
  • www.monkeysarecool.com
  • www.monkeysrockmyworld.com
The domain the client wants all of these forwarded to is
  • www.monkeyworld.com

Is it really worth it?

Well, not really, no. If you can persuade the client, it is probably best to simply park these additional domains that have been registered. There is not going to be a great deal of benefit, if any, for SEO. But if you really need to do it, here's how.

What you'll need

This article assumes you have command line access to your box. If you don't, then you'll need to contact your hosting company and explain your requirements.

Virtual hosts

It is likely you'll be using name-based virtual hosts in Apache. If you haven't set up virtual hosts, it is a great way to manage sites, so be sure to read up on it. Presuming you have an entry for monkeyworld.com, we need to edit or create it in our virtual hosts file. Where you should place this varies depending on which flavour of Linux you are running. On CentOS 5 you can create a file in /etc/httpd/conf.d with the suffix .conf and it will be picked up when Apache is started.
vi /etc/httpd/conf.d/httpd-vhosts.conf
NameVirtualHost *:80
# Monkey World
<VirtualHost *:80>
  <Directory /var/www/vhosts/monkeysarecool.com/httpdocs>
    AllowOverride All
  </Directory>
  DocumentRoot /var/www/vhosts/monkeysarecool.com/httpdocs
  ServerName www.monkeysarecool.com
  ServerAlias ilovemonkeys.com monkeysarecool.co.uk monkeysrockmyworld.co.uk
  ServerAlias www.ilovemonkeys.com www.monkeysarecool.co.uk www.monkeysrockmyworld.co.uk
  Include /var/www/vhosts/monkeysarecool.com/conf/vhost.conf
</VirtualHost>
You'll see the ServerAlias lines list the domains both with and without www. This ensures you receive requests with and without www. I like to put them on separate lines so I can see what's happening.
Finally there is an Include line. This points to an additional configuration file for the domain. You could use an .htaccess file here, but if you have root access to the box it is much more efficient, performance-wise, to put it in an additional configuration file.

Forwarding the domain

So far we've set up Apache to serve up monkeyworld.com for requests to our additional domains. You could leave it like this and restart Apache to have the same content served on these domains. This is a bad thing for Google though, and it is likely your rankings will slip with duplicate content on multiple domains.
So we want to forward the domains. To do that, let's open our additional configuration file:
vi /var/www/vhosts/monkeysarecool.com/conf/vhost.conf
RewriteEngine On
RewriteCond %{HTTP_HOST} ^(monkeyworld.com|ilovemonkeys.com|monkeysarecool.co.uk|monkeysrockmyworld.co.uk) [NC]
RewriteRule ^(.*)$ http://www.monkeyworld.com$1 [R=301,L]

RewriteCond %{HTTP_HOST} ^(www.ilovemonkeys.com|www.monkeysarecool.co.uk|www.monkeysrockmyworld.co.uk) [NC]
RewriteRule ^(.*)$ http://www.monkeyworld.com$1 [R=301,L]
We're using Apache's mod_rewrite to send redirect requests and return a 301 Moved Permanently Header. This should help Google and any other bots to understand what we're doing. Again I like separate entries for with and without www but that's personal preference.
Save this file. We should be done but before restarting Apache let's test that we haven't made any syntax errors that will stop the server from starting up.
/etc/init.d/httpd configtest
If you get "Syntax OK" you are good to restart the server:
/etc/init.d/httpd restart
All done! So now when you hit www.ilovemonkeys.com, monkeysarecool.co.uk or monkeysrockmyworld.co.uk you will be forwarded to www.monkeyworld.com, with the address in the browser changing as well.

 