實驗四-網(wǎng)上安全技術-防火墻

1、實驗四-網(wǎng)上安全技術-防火墻淮海工學院計算機工程學院實驗報告書課程名：網(wǎng)絡安全技術題目：防火墻班級：學號：姓名：評語：指導教師:【實驗目的】理解iptables工作機理熟練掌握iptables包過濾命令及規(guī)則學會利用iptables對網(wǎng)絡事件進行審計熟練掌握iptablesNAT工作原理及實現(xiàn)流程學會利用iptables+squid實現(xiàn)Web應用代理【實驗人數(shù)】每組2人合作方：韓云霄2012122618【系統(tǒng)環(huán)境】Linux【網(wǎng)絡環(huán)境】交換網(wǎng)絡結構【實驗工具】iptablesNmapUlogd【實驗步驟】一、iptables包過濾本任務主機A、B為一組,C、D為一組,E、F為一組。首先使用“快

2、照X”，恢復Linux系統(tǒng)環(huán)境。操作概述：為了應用iptables的包過濾功能，首先我們將filter鏈表的所有鏈規(guī)則清空，并設置鏈表默認策略為DROP（禁止）。通過向INPUT規(guī)則鏈插入新規(guī)則，依次允許同組主機icmp回顯請求、Web請求，最后開放信任接口eth0。iptables操作期間需同組主機進行操作驗證。羔件成）編輯（母查看l£）終端中標簽叫薦助E.zoatfExpMCportscan*iptables-tfilter-F.roatlExpMCportscan?ifcortircl110Linkcncop:EdicruetHnddr00:0C:29:77:BC:0EInet

3、add”17匕咆0.20Beast:172*16.0.255Mask:255.255,255.0inot&addr:fe80:20（:29ff:fc77:bc0o/51ScopciLink（2）同組主機點擊工具欄中“控制臺”按鈕，使用nmap工具對當前主機進行端口掃描cnmap端口掃描命令機IP。nmap-sS-T5同侖日主表9-2-1說明nmap具體使用方法可查看實驗11練習一I實驗原理。查看端口掃描結果，并填寫表9-2-1。PORISTATESERVICEopenftpZ3/tcpopentelnet開放端口（tcp）提供服務SO.tepuponLltp111tcpopenrpcb

4、ind113'tepopenhttps21ftp23telnet80http111rpcbind443https(3) 查看INPUT、FORWARD和OUTPUT鏈默認策略。iptables命令iptables-tfilter-L。rootftEpNTCportscanT#iptablestfilterChainINPUT(policyACCEPT)targetprolopisourcedestinat1onChainFORA'ARD(policyACCEPT)targetprotop1soutccdostinationChainOUTPUT(policyACC1帥【)tar

5、getpi'otopisourcedestinatianChainREI-FireLI-PINPtl(0referenced:argetpro!optsourceroatExpNTCpartscfin1#|de5；tincitjon(4) 將INPUT、FORWARD和OUTPUT鏈默認策略均設置為DROP。iptables命令iptables-PINPUTDROPiptables-PFORWARDDROPiptables-POUTPUTDROP同組主機利用nmap對當前主機進行端口掃描，查看掃描結果，并利用ping命令進行連通性測試。-PINPUTDROPTERLARDDRO1-PO

6、UTPUTDROP-T5Vi3rjolExijNlCportscanzniptablestDCjl®ExpMCportslud,niptableurCportscanJniptablesrDolte?ExpNlportscanJRlimEip-sSStartingmap4.20(http:/insecure,org)atNUL5-CHT510:17CSTsendtoinseiid_ip_packet:sendto(d,packet,44,U,172,Id.U.fiJ,LtiJ->OperationnotpermtttedDfrentiinspEicket:TCh

7、17z.LB.3.ZO'(3L303>17z.IO,a.t53:SOSLL1T4Ld-ZZ5&lj印EliM4sEq=3J26359634win=1034<hes1460rsendtoin5endippacket:sendt(5,packet,44T0,17L-16.0.3,161=OpevatjonnotprmittedOffondinflpacket:TCP172+16.3.20:61303>3:53Sttt-59id-21123=41同q=33263596跑vin=4O9ti<mss116。spnritninGpndippack

8、et:sndtn(5Ppnrknt,44p0,17ZIfi.0.fi3,l(i)=>OporatfornotprmirflOffendingpacket:TC172.I瓦0.20:61303>172.16.0,63:25(5SttL=40d=4120Ulen=41soa-3326359624vin-1021<mss116O>sendtoinsond_ip_packct:sondto(a,packet,-Jh0,172*16.D.63,16)；OperationnotpormittcdOffendingpacket:Id'0:61303>

9、172.16.0,63:21Sttl=49id=44soq=3326359624vin=20J8<mss1160>endtoinsentl_ip_packot:sendtopacket,44,0,17Z1£.Q.63116)UperalLtmnotpermltiedorrendingpacketsTCP0:01303>172.Id.0.(53:551Stil-52Ld=ieJ29iplch-Use-332O359l324Lu-1021<mssU00>setidluiniSend_ip_ja.kel:endlo(jrpacket,44,

10、0,3,113)->Opeia.LLunnotp2rmitiedDffcrtdiilgpEickct!TCI10:61303>172.Id.0.63:636S"1T6id=427LJiplcn=J1忌(?q=332l335勺631vin=lOii1<mss1160kaidtinsend_ip_packet:sndtopacket44»0,17218.0.33,16=OperatLannotpprmittadnffendititfpacket:TCIP172.L0.0.20：172.IH.(1,:25S111=55ld

11、-31997ir1?n=4,lseq=332(5359(524win=4O9t5mss1460>sendtoinsendippacket:3endto(5tpacket,44.0,172,16.0.63,16)=>OperationnotpermittedOffeidinspacket:TCID;61303>17%Iti,CL63：443Sttl=52id=l6190ipen=44wq=3326359624win=1024<mss140>sgdtoin5endippacket:sendto(5tpacket,44,0,172»16.0

12、.63,16)=>Opergtianntpermitted"ifeidinfipacket:HTMLL應U.2E13Q3>HEIti,3tXl=7iplen-44j：剝=33時楠叩24win=Z048<ttissHfiO>ping:ping:ping:P叫;pinp:seiKinisR：upci'aiionhotpermiixcasond.msg:sentims:setidms:enclmsR：Operation0perillluiiOperationOpcrntinnnotnot1DtnotpormiiledpermiltedpermiLtedper

13、mi1ted172.Iti.0.63pingsLalistMs42pEickeLstransmjited,0recei.ved,Lt)O%puckcI1ossTLittio11U02rns(5) 利用功能擴展命令選項(ICMP)設置防火墻僅允許ICMP回顯請求及回顯應答。ICMP回顯請求類型8:代碼QICMP回顯應答類型0:代碼Qiptables命令iptables-IINPUT-picmp-icmp-type8/0-jACCEPTiptables-IOUTPUT-picmp-icmp-type0/0-jACCEPT利用ping指令測試本機與同組主機的連通性。.rootEjtpNlCports

14、can.ftipIablos-11NPUl-口ictnp一icmp-S/0-jACCEPI.ruotEMp.Nltt>ortscan.ITLpIables-1UL'TPLT-pichip一icmptytjeQ.U-jACCEPT.rootE3cpNlCportscanffpiriR3(6) PING3(3)56(84)bytesofdata,pins:sendimsR:Operationnotpermittedping：sendimsg:Dperationnotpermittedpihr:sendmsR:Dperatio

15、nnotpcrniittodpins：sendniR：OperatiornotpormittedpinR:sendmsR：Operationnotpormitiedping;sendmsg:Operationnotpermitiedping:sendmsg:Operationnotpermittedping:sendmsg:Dperationnotpermittedping:sendmsg:Opcrationnotpermitted對外開放Web服務(默認端口80/tcp)。iptables命令iptables-IINPUT-ptcp-dport80-jACCEPTiptables-IOUTP

16、UT-ptcp-sport80-jACCEPT同組主機利用nmap對當前主機進行端口掃描，查看掃描結果。rootQLxpNICportscanffnmap-sS-T5172,16,0,63Starting:Nmap-130(http:/'insecure,org)at2015-04-15Interestiiigportsdu172.It5.0.(33:Notshown11692closedportsPORTSTATESEKVCE21/tcpopDllftp23/lcpopt>n80/teppt?|h.ttp1IL,ztrpopenrprbilid113ftcpnpE】httpsM

17、ACAddress:00;QC;29;6A:B5:F93加are)10:35CSTsecondsNinapfinished;ITPtiddress(Ihostup)smnnedin0(159LraotttExplilCportscan#|.uoot'EspMCportscanHipIcibles-INPITplep一-dport80-jACCEPT.I'oot'EjpMCportcan«iptEibles-】OLTPLT-ptcp一-sportbO-jACCEPTt.Loul'3EjplCportt?niricip-sS-TfL?Zr1&Q.8

18、3StartinpNrnap4.20(http:/insecure*org)at20$-04-1510:27CSTsendtoinsendippacket:sendl(,packet,4-1,0bIT2.1氏U,16：=,Speratimnotpenn(tiedOffondir.Hpacket:TCP172.16.0,20:450(50>172.Id.0.S3:22Sttl=43id=85J99iplon5。尸696船。日5。win=4096"mss1160)sendtoinsend_ip_parkct:sendio(*packeth<11,0,172.15*0.63.1

19、6/=>Opcralonnulperm!LludOnondiuspacket:TCP172.16.D.20:15060172.16.0.d3:3399Sttl=47id=380Sliplen=44seq=fl96030850win=409o<mssJ160：sendtoinsond_ip_packet:sondw(5,packGi,JL伉3,16；=>OporationnoIpermittedbfiendinffpacket:TCP172.16l0.20:45000)3:113Sttl=55id=4J7B4ipleH-4Jseq-(39

20、0630850<in-J096<nss1J60>E?ndtoinseid_it?_packt?t:sendlo(jTpoickel,14,0.17.Iti.0.63,IE；=Opcrutioinolpel-mittedOfl'pudirgpack&l:TCP171i.Itj.0.20:IfOriOJ1了2一16.0一63:3&9Stt1=59id=25451ipl-?】二-seq=t59dd3D850Tin-4096<nss1460sendtoinsendippacket:sendto(5,packeln44,0,173.CL63.18：=>

21、;C*peratioinotperinitiedOffendirSpacket:TCP0:150(50>172,1(5.0.o321Sttl=57id-51199iplon=-Hseq=t59dti3O5Owin=20<inss1405endtoinsendippacket;sendto(3,packet,4-1,&h172.1i5hC.63,IG;=>CperationnotpeTTDirtedOffendirspackat:TCP172.16,O+20：ItiOfiO>172.ltib0bp3;J135ttl-38id*IINiplonH

22、卜業(yè)=朗的30的0iFin=30i2<mssIsendtoinsendippacket:woncHNS,packetf4k(X1了2.1瓦CL=>Opera1ionnotpeTTDitiedOffondirgpacket:TCP172.16.0,20:15060>17*16.0.63;551Sid-850iplon1-Jsoq0951530850vin=3072<mss1160sendtoinsond_ip_packotisondio(5tpacket1Js0,172.IS,0.63,lb)=>OperationnotpermittedOrfoiidirapaek

23、oL：TCP172.IS.0.20:15060172.16.0.d3:23Sttl-45id3079iplcn-11S9q-t39d6308j0wld=20J8<mssLit30>i；£?iidtoinsend_ip_packet:sendlo(5,puckl,41,th172.115-0.63,ItJ；=>OperationnoLpermitted(7) hffendiiiapackot:TCP172.15.O.20；If060>172.10.0.(53:53£ttl=48id=5375t5iplon二4scq=t396ti30S50wlii=30

24、72mss14t0zsendtoinsendippacket:se:idlo(5,pcickel,14,0T172.Id.6.63,16：->&peratioinoLpertnitted設置防火墻允許來自eth0(假設eth0為內(nèi)部網(wǎng)絡接口)的任何數(shù)據(jù)通過。iptables命令iptables-AINPUT-ieth0-jACCEPTiptables-AOUTPUT-oeth0-jACCEPT同組主機利用nmap對當前主機進行端口掃描，查看掃描結果。PORTSTATESERV.1CE21tcpop&nftp23/1cpopc-ntednet80/tcpopenhttpHL

25、tcpopenrpcbi-iid143/tctiapaiLhttps'JACAddress:00:OC:29:HA:BS:F9(VMware)Nmnpfinished:1FFnddress(1hostup)scannedind158seconds一.事件審計實驗操作概述：利用iptables的日志功能檢測、記錄網(wǎng)絡端口掃描事件，日志路徑/var/log/iptables.log。(1) 清空filter表所有規(guī)則鏈規(guī)則。iptables命令根據(jù)實驗原理(TCP擴展)設計iptables包過濾規(guī)則，并應用日志生成工具ULOG對iptables捕獲的網(wǎng)絡事件進行響應。iptables命令文

26、件蝙毫心查看明終妹標簽®幫助.rootlEupNICparLttCEm#LptublesF.rootlExpNICportscBJi#Iptables-IINPUT-ptcp-tcpflagALLSYN-JULOG-ulog-prefix*SNFloquost*HadargumentSYNRoques"ry'iptables-hor!Iptableshelp'formoreinformalion.rootflExpNJCporp.sciinffiptables-IIlU'-ptcp-tcp-11asALLSYN-jULOG-uloK-Dref*SYN

27、Roquost*root®EjcpNlCportscanfl|RO組主機應用端口掃描工具對當前主機進行端口掃描，并觀察掃描結果。乂|-r'U洲啊S.-6'L-1玲WtVJJ叫rootExpXICporLscajiflnniap-sS-T5172.Id.0.133Slai*tingrtKiplx20(htip:/inicur.or5)at2015-01-1511:20C£Tsendtoinsend_LD_racket:sendto(5Tjacket,44,0.172.IB.D.S3.Ifl)二OperationnotpcLmiItedOffendingpack

28、et:TCP172.Id.0.21:56375>172.It5.D.fi3:443Sttl=4tiId=32fl54ipleti=4Jseq=yyL97d34¥in=3U7ii<iissUtiO?sendtoinsendippacket:sendto<5Tpacksl,44,O.J72.10.0.ttJ*lb)=>Operationnotpermi11edOffendinspack&t：KP172.16,0.20:56375>1?2.le.3PC3：25Sttl=o2id=14903iplen=44wrpZ9919彳依43win=1024<

29、m=:sl+fi0>sendtoinsend_ip_packet:sendto(5,packet,44,0,172.IS.0.53,16)->OperationnotpennittedOffendingpicket:TCPUM100,凱：56375>N丸I瓦DM3:113Sttl=45id=19175iplcnH土scq=Z19T034JwinZ04&<nssUt50>ac-ndtoinsend_ip_packct:3cndlo(5tpockety44,0.172.15*(h源,Ifi)=>Operationnotpoiiriittodtirfpnd

30、inspacket:TCP172,Ifi,0.2tl：.5n275172.16.D.03:23Sttl=41(d=2B535inleTi=14seq=2991976313vin=20J8<mss1160>soiidtoinsend_ip_packetiscudto(5,p&cketf44,0.172.IS.0.t53TId)=>OperationnotpermiLtedOffendingpacket:TCP172.O.20:3MT5>172.Ifl.0.03:22Sttl=47ld=10894iplen=44scq=Z9J97t?J4Jvin=4O9timss1

31、460.tol11send_ip_packpt:sendto(5jpackst.44,0.T霎.1&(h相*Iti)=>Op&rationnotpennLltedOffendingpacket;TCP172,IB.0.20;56375>3:80Sttl=44id=H61Dip：en=44secr2999753Wwin=1024<mss1460>sendtoinsend_ip.packet:sondtotS,packet,44,.112.DtIti)=Dp&rationnotpejmlitedOffendingpocket:1C

32、PIFA16+0,網(wǎng)：陽3蒲>172.】氏盅另3;389Sttl=39id=S5151iplen=41soq=29?197343viTi=1096<mssscndtoinsendippacket:sondto(5*packet.44.0-】T215,(k(53*16)=>OperationnotponriLttedOffendingpicket:TCP172.IS.0.20:56375>3:3389Sttl=51id=3U874Ipiei-14soq=vin='JU9tjmss1160>sendLuLuLp_packel1沁itlL。(

33、&packcl,44h0.172.Id.0.Lfl)->OperaLionnotpoitnittedOffendingpacket:TCP172.1(3.0.2C:515375>17E16.).63田3l5SLt1=401(1=50001iplui-44sc口二99197634：viti=1021<mssL160>st?:idLoinsend_ip_packet1sendto<5,packeI,44,0.172.Ifi.0.63,IEj)=OperationnotpoiniLltedUifetidingpacket:JCP7%1艮。.我J:bt53Tb&g

34、t;172.Iti.U.t53:25dSttl=40id=tit)W9iplen二44seq-9?L97O34vliilOZ4<riSi14C0>(2) 在同組主機端口掃描完成后，當前主機查看iptables日志，對端口掃描事件進行審計，日志內(nèi)容如圖所示。二.狀態(tài)檢測實驗操作概述：分別對新建和已建的網(wǎng)絡會話進行狀態(tài)檢測。(1) 1.對新建的網(wǎng)絡會話進行狀態(tài)檢測清空filter規(guī)則鏈全部內(nèi)容。(2) iptables命令設置全部鏈表默認規(guī)則為允許。iptables命令(3)設置規(guī)則禁止任何新建連接通過。iptables命令.root®FxpK.IC.rootOExpNTC.

35、rootfiEADNIC.TooLfiExpNICj'octICporLscait.portscanr)ortscan;|jortsctin;portscanportscaniptabI3ip北IosiptablosipltiblosiplabI-F-P-P-PA1NPUTACCEPTFOEAAKDACCEPTOUTPUTACCEPTINPUt-thstatestateNEW-jUROP(4)同組主機對當前主機防火墻規(guī)則進行測試，驗證規(guī)則正確性。.rooilixpNLCportaetin.ffiptables-I.I'ootCExpMCportijean.iptables-PI

36、NPUlACCEPTrootFxpKtCporiscan.ipiEiblrs-?FORAARDACCEPTiTnotEMpNLCportscanffiptablesPOUTPUTACCEPT;rchitEKpKECportscanriptables-AINPUT-mstate-stateKEN-JDROProotfiEjqjNECpartsear#nimp-sS-T53StartinsNirapL20(http:/insecure.otk)at2015-04-J511:41CS1Al11697scannpdportson3arefilteredMACAd

37、dress:00:0C:29:&A:B5:F9(Wlvare)NinEipfinished:1IPaddress'1hostup)scaJitiedin18.782secolidsroothxpNlCportscanff|2.對已建的網(wǎng)絡會話進行狀態(tài)檢測(1)清空filter規(guī)則鏈全部內(nèi)容，并設置默認規(guī)則為允許。(2)同組主機首先telnet遠程登錄當前主機，當出現(xiàn)“l(fā)ogin:”界面時，暫停登錄操作。telnet登錄命令.rootl：spNlCtroot®ExpN1Ckroot0ExpN1CrootEspNICrootEjtpNlCporiscan.portport

38、scan,purlsculljortscaniptables-Iiptables-PINPUTACCEP1iptables-PFORWARDACCEPTiptables-I1OLTPITACCEPTtelent3。社sh:telent:comnandnotfoundrootSEjipNICportscan#telnet3drying172-16-0.63-JoLitiecledto172,16-0_63(172.16.0_153).:scapecharacteris''IedoraCorerelease5(rJoTde;m?iLornol

39、2.G_15-1.2051_FC5onaril58tigin:(3) iptables添加新規(guī)則(狀態(tài)檢測)僅禁止新建網(wǎng)絡會話請求。iptables命令或同組主機續(xù)步驟(2)繼續(xù)執(zhí)行登錄操作，嘗試輸入登錄用戶名“guest”及口令guestpasS,登錄是否成功?iptable-Fiptables-PnPHACCEPTptablcs-PFORMRDMOTTLptcihles-POUTUTACCLI'ltelnet17216.0.63rooICpax'tscanxpfCportsranrootExpNICportscan;.roolOExpNICportscau.rootOExp

40、NICportscan,frying172.I成0.63Connoctod.tuL72.16.D.63(3)Escapecliaracteri.iS'',FedoraCororol&ase5(Bordeaux)Kernel左氐15T3O0FC5onani網(wǎng)6login;ffu.051Pussvord:auestExpNTC*$同組主機啟動Web瀏覽器訪問當前主機Web服務，訪問是否成功？。解釋上述現(xiàn)象。(4) 刪除步驟(3)中添加的規(guī)則。iptables命令或同組主機重新telnet遠程登錄當前主機，當出現(xiàn)“l(fā)ogin:”界面時，暫停登錄操作Trying172.