实验四网上安全技术防火墙

1、淮海工学院计算机工程学院实验报告书课程名：网络安全技术题 目：防火墙班 级：学 号：姓 名：评语：成绩： 指导教师： 批阅时间： 年 月【实验目的】 理解iptables工作机理 熟练掌握iptables包过滤命令及规则 学会利用iptables对网络事件进行审计 熟练掌握iptables NAT工作原理及实现流程 学会利用iptables+squid实现 Web应用代理【实验人数】每组2人 合作方：堂|云霄 2012122618【系统环境】Linux【网络环境】交换网络结构【实验工具】iptablesNmapUlogd【实验步骤】一、 iptables 包过滤本任务主机 A、B为一组，C D

2、为一组，E、F为一组。首先使用“快照 X”恢复Linux系统环境。操作概述：为了应用iptables的包过滤功能，首先我们将 filter链表的所有链规则清空, 并设置链表默认策略为DROP禁止）。通过向INPUT规则链插入新规则，依次允许同组主机icmp回显请求、Web请求，最后开放信任接口 eth0。iptables操作期间需同组主机进行操作 验证。；' . I -I* ' H.，亡 X |又件编辑虫查看任)终端中标签'小寿即U.lort?EspM C port scan 4 iptables -1 fi 1 ter -F:TQrt 既同CI。port scan L

3、f configcl 110 I. nk cncop: E th cruel Hhiddr 00:0C: 29:77: BC: OEnet addr:172, 16.0.20 Beast: 172, Id, 0. 25S Mask: 255. 255, 255, 0i notS ad dr: feBO:20c:39ff:fe77:bc0e/B4 Scope I ink(2)同组主机点击工具栏中“控制台”按钮，使用 nmap工具对当前主机进行端口扫 描。nmap 端口扫描命令 nmap -sS -T5 同组上机 IP。说明nmap具体使用方法可查看实验1 |练习一 |实验原理。查看端口扫描结果，

4、并填写表9-2-1。开放端口（ tcp）提供服务21ftp23telnet80http111rpcbind443https表 9-2-1(3)查看 INPUT、FORWARD OUTPUT链默认策略。 iptables 命令 iptables -t filter -L 。PORTSTATEbEK VI Ch.|1/tepopenftp23 ytcpopentelnet80/tcpopenhttpLll/tcp0p白口rpc bind113 tepopenhttpsroot0BspNlC portscan I# iptables -1 filler -LChain INPUT (policy A

5、CCEPT) targetpro I opl sourcedest LnaticuiChain FORAARD (polity ACCEPT) targetprot op1 sourcedostinationChain OU'IPLT (policy ACCEPT) targetprot op1 sourcedest in at i onChaiti RH-F ir al 1 -1- INPUT (0 references) targetprot opt sourcedestinaticmroot0K?ipNIC portscanlft |(4)将INPUT、 FORWARD OUTP

6、UT链默认策略均设置为 DROPiptables 命令 iptables -P INPUT DROPiptables -P FORWARD DROPiptables -P OUTPUT DROP同组主机利用nmap对当前主机进行端口扫描，查看扫描结果，并利用ping命令进行连通性测试。ip Labies i p Labi 日 s i p tabi esnoiEip - S25-P INPUT DROP-k roRtnb droiP OUTPUT DROP-13 L72. 16.0.63:root®ExpNIC port scan ft t'DulExpM C port si

7、an. n root0ExpNIC port scan.n .rootlSExpNIC por tscan J RStarting Nmap 4. i!U ( ti t Ip:/insecure, org ) ei l 2016以- J.5 1J: 17 L STsendto in Eend_jp_packet: send t d (, packet, 44, U, 172, W. U. t5J, lb) -? Uperalion not permtttedDirendins paeks： TCL 17Z. LC. a. ZO; (51303 > 17Z. Ifl, 0. (33 :SO

8、 S LL1M4 Id-ZZSUU IpLuH+ seq=3326359624 草 inTQ£l 心x H60>send t o in 5en d ip pocket; sendt j (3, packet 44» 0, Q7£* |6. 0. 63, IE =Opeyfit i on not pDrmi ttedOffondinfl packet ； TCP 172. 出，1？口；613。3 > 172. 16. 0. 63；53 S ttt-59 fd 2U23 iplon二41saq=3326359624 vin=4O9ti <mss 11

9、 t5C>jinndtc in spnfi ip narkpt: fndtn(5, parkptp 44p 0，172, 16. 0. Ifi) => Opprai f nr not peffni 11(Qfibffendinc packet: TCP 172. 16,0, 20:61303 > 172. If. 0* 63:256 S ttl=40 id-IJ20 iplenMl soq=3326359624 7in=102l <mss 116。eendto in send_ip_packct: scndtT(5, packet, -J h 0, 172. 16, 0

10、. 63, 16) -> Operallon not pormLttcdPffoftding packet: TCP 172. 16.0. 20:61303 > 172, 16. 0. 63:21 S ttl=49 id=55791 iplcn匚时 &oq=3326359621 7in=20J8 (mss 1160)soiidio in sond_ip_packet: £endto(5, piickot, 44, 口，17Z 16.0. t53, 16 => Operation not pormLtiodOtr&Jlding packet! TCP

11、172. 16.0. 20101303 > 172. Id. 0. (53:551 S ttl=52 Ld=ieJ29 iplch-U sl-3320359U24 y Lij-1024 <iiiss LJCO>setidlu in it?ud_ip_ija.kel: deiidtc (packet, 44, 0, 172. 1G. 0. 03, 113) -> Opeia.LLun not p2rmitiedOffending packet: TCP 172. 16. 3. 20:61303 > 172. 1H. 0. 63:636 S ttl=36 id-127

12、1iplcn=l 1 身 c?q=3221335g62 1 v in= 102 1 <tr&s 1160>to in seh(l_ip_packet: s&ndto(5 packet* 44* 0, 172. 16. 0. 33, 10)二)Opera! Lon hot Mrini t tudpffendtrii grk白t： TCP 172. 16. 0. 2D: ri 1303 > 172. IH. 0,: 25 S t.tl=55 td-31997 i r 1 ph-41 seq-332(5359(524 win=40915 mss 14tjQ>s

13、endto in send ip packet: 5endto(5t packet, 44, 01 172, 16. Q. 63, 16)=Operation not permittedDffedins packet ; TCI 172. LId. 3. 2D;(51303 > 172. Iti. 0. 63:442 S ttl=52 id=lt5190 iplen=44 seq=3326355624 vin=lQ24 <mss 14e0>sondto in send ip packet: sendtopacket, 44, 0, 172» 16.0. 63, 16

14、) => OperatLon n3t pei'mi tted"ifeidins packel ; HP 1了乙 用，。，£口：61303 > If 乙 1乩口一面：113 3 ttL=J7ipleh=445024 win=Z04S HfiO>pmg:sen cur sr : upcraT i nnnoipcrmiiieaping:SGtidinsg: Operationnotpormiitodping:setitlms: OpcrELLiulinotpermilLedPEM：setidmsR: OpeT'a t i onnotpermiI

15、tedPins：sendinsR： Oprrnt i onnotpermi1 tod172. Ifi. 0. 63 ping stat Lst ica42 pEickeLs transmj (ted, 0 recei ved, Lt)。/ put keI 1 ossT t ime J 1002ms(5)利用功能扩展命令选项 (ICMP)设置防火墙仅允许ICMP回显请求及回显应答。ICMP回显请求类型8 ;代码 0。ICMP回显应答类型0 ;代码_0_。iptables 命令 -iptables -I INPUT -p icmp -icmp-type 8 /0 -j ACCEPTiptables

16、 -I OUTPUT -p icmp -icmp-type 0/ 0 -j ACCEPT利用ping指令测试本机与同组主机的连通性。.rootdEipNIC port sc an. ?f iptables -I INPUT -p icinp - icmp- type S/0 - j ACCEPT .rootSExpNIC portscan. ff iptables -I OUTPUT -p icnip 一一icnp-type 0/0 -j ACCEPT .rootEjtpN!C por t sc an ff ping 172. It5. 0.bytes of data.PING172.10,

17、0.63 (172. 16.0.63) 5(5(84)ping:sen dmsg:Dperat i onnot permit Ledping;sen dm3g ： *pera t i onnot permi 11 edpi UR：sendni5R:Opera t i onnot pormi 11 c?dping;sendms;Operat i onnot permittedPi UR：sendmsg:Dpprat i onnot permittedping:scndrrisg:pt?ra t i onnot permittudping:sendnisg:Operationnot pcrini

18、ttodping:sendmsg:Operat ionnot pcrini ttedping:sendmsg:Operat i onnot permitted(6)对外开放 Web服务(默认端口 80/tcp)。iptables 命令 iptables -I INPUT -p tcp -dport 80 -j ACCEPTiptables -I OUTPUT -p tcp -sport 80 -j ACCEPT同组主机利用nmap对当前主机进行端口扫描，查看扫描结果。.tooWExpNlC portscanTI Limap -sS -T5 172. 16. 0. 63Starting Nmap

19、 L 20 ( http:/insecure, org ) 在t 2015-04-L5 10:35 CSTInterest j.tig ports on 172. 16. 0.6?:Not. shown: 1692 c I osed ports1犯盯STATESERVICEZl/tcpaponftp23/tcpupontoluol80/tcpopenhttp111/tcp门penrprhind1-13 ' t cpopenhttpsMAC Address; 00:0C:29:6A(VMvaic)Niriap finished; I IP ciddress (I host up) lin

20、ed i n 。、159 seconds rootaExpNIC port scan F |roottExpNIC pottscan ft rroot#EspNlC port scan J n ruuLEjipNIC ：Ji?rLsl£U1 并ip二江bles -L IhiPLT -p tcp 一-dport SO -j ACCEPT ip：ables - OUTPUT -p tcp 一sport 80 -j ACCEPT niiup sS -T5 17工 16. 0, 03Startinp nap 4+ 20 ( fittp: /insecure org ) at 20 L5-0

21、|-10:27 CSTsondto in send_i'p_packet: sendto(5H packc?ti 44p 0, 172,10 0.63, 16) -> Dperal i on not peiml 1 ledOffondinS packet: TCP 172. 15. 0. 20: 15Ot5O > 172. Iti. 0, fi3:22 S ttl=43 id=65399 iplon _ J 5。歹696630850 v 11- /mss H6Tsend to in sond_fp_packot: sendto(5, packot, 4-1 s 0, 172

22、. 16.0. 63. 16) => Dpcrat i on (j 1 peiml 1 LuilOf fond ins packDt: TCP 172. 15. 0. 20:15060 > 172. 16. 0. 62:3389 S ttl=J7 id=38081 ipl en=44 seq=S96630850 nfn=4O90 Crus 1160ijendta in sond_ip_packot: scndto(5, packet, 14h 0. 172. 16.0.63, 16) => Operation not pennLttodOffcndins packet: TC

23、P 172. 16.0. 20:15060 > 172. Ifl. 0. 63:113 S ttl=55 id=447frl iple 11=-J4 seq-t)9t3i33085t)骑i】iE096 <mss 1/60send to Ln send_ ip_packet 1 5eiid lo(5, pEicko l, 44,。，172. 16.0. 63, 10)二Operation not perniL 1 tedOf i'&nd iig packet: TCP 171?L Itj. D. 20:15060 、172. It5. 0."3S9 

24、3; 111-59 id=251£l :i pie】二4seq=6961530S50 win=4O9t3 <mss 1460>send to in send ip packet: send Lo (5, packet, 44, 0, 172. 16.0.63、 16) = Opera t i m no l penni 1 t&dOffondins packet: TCP 172. IB. 0. 20： J 5060 > 172. W 0. 6E S ttl-57 id-511gg ipl on 卜44 seq=6?66J0S50 vin=2048 <m

25、ss 146。)sendt口 in send_jp packet: sendtoOn pacfeet, 44,0b 3, fi)=Dperat i on nci penni uedOffpndins packot: TCP 172. IS. 0. 20： 5060 > 172+ 16. 0. 63： 113 S ttl-38 闯-9112 ipl on =11 $00-696630850 /口=30n <mss 1160send to in send_fp_packet: mc?iidt0(5, packet, 4丸 0, 1Tzim0.03, 16) =>

26、; Operation not permittedOrfondiiig packot: TCP 172. 16,0. 20: 15060 > L72. 16. 0. S3:55 J Sid-850 iplon-1J SE?q=696l530850 / in=3072 <mss 1 Jo0>send to in sond_ip_packot: send to(5, packet, 4L 0. 172. 16.0. 63, 16) => Dpcrati oil not permit todbffoiidLiia patikot: TCP 172. IS. 0. 20: 15

27、060 > 172. 16. 0. 63:23 £ ttl-45 Ld'3079 iplon= U seq9t)d30850 ¥Ln=20J8 <mss Lli50>send to in send_ ip_packet: sendio(5, pEicim, LI, 0, 172. 16.0. 63, 16) => Operat i on not 口ermltlMOffondins packet: TCP 172. 16.0. 20:15060 > 172. 18. 0. S tll-46 Ld-575l5 iplen =44sec=69

28、t5tjJOB5O wi:i=3072 <tnss 1460sendta in send ip packet: send to (5, packet, 44, 0, 172. 16.0.63、 16) -> Opera t i on not pennitted(7)设置防火墙允许来自eth0(假设eth0为内部网络接口)的任何数据通过。iptables 命令 iptables -A INPUT -i eth0 -j ACCEPTiptables -A OUTPUT -o eth0 -j ACCEPT同组主机利用nmap对当前主机进行端口扫描，查看扫描结果。PORT&T

29、63;TESERV LCE21/tcpoponftp23/tcpopc'nt 1110180/tcpopenht tpHL tcpiTpcbLnd113 tc pop UlilllLpSUAC Address:0D:0C:29:(VMware)Nmnp f ini shed: 1 F ndciress Cl host up) scanned in 0. 158 seconds.事件审计实验操作概述：利用iptables的日志功能检测、记录网络端口扫描事件，日志路径 /var/log/iptables.log 。(1)清空filter表所有规则链规则。iptables 命令(2)根据实验

30、原理(TCP扩展)设计iptables包过滤规则，并应用日志生成工具 ULOG对 iptables捕获的网络事件进行响应。iptables 命令文件编辑旧查看旧终端©标签旧帮助®.rou LfJEjtpNI C Lbt anLp tall us .rootdExpNIC portscaniptablos T NPUT -p tcp 'tcp-flag ALL SYN T ULOGul og-pref;x "SYY RaquostiBad arguincnt SYN Roquest17ry iptablos -h¥ or ' iptable

31、s help for more information.'rootfll-.spM C portscanlfl ipiab I os -1 IM 'UT -p tcp - tcp-fl ag ALL SYM T ULUCi - Lo b口refi工 *SVN Rcauost*rootlExpNIC portsc aoj .(3)同组主机应用端口扫描工具对当前主机进行端口扫描，并观察扫描结果。rooieExpMC port scan ff nrnap -£S -T5 172. Id. 0. S3Star ting Tnap，20 ( hLtp: /iniecurx or

32、g ) at 2013-01-15 1J : 20 CST sendto fn send_LD_Dacketr sendto(5, jacket, 44, 0, 172. IS. D. S3, 16)=> ger8rticjn not pctiTii ttedOffending packet: TCP 172. Id 0. 20:5675 > 172. 16. D. fi3:443 S ttl=4ti Id=32854 ipleti =4s&q=24yL97ti34c win=3U72 <mss send in in send ip packet: sendto(5T

33、 packe l, 44, O'. 17Z. 1 巾.0.闺,Id) => Operation not permi ttedOffendinff pack&t： TCP 172. 16, D. 20:563 75、172. 16. 0P t?3：25 S ttl=52 id=14903 iplen= 44 spf299197笛43 win=1024 <tdss 14ti0> sendto in send ip packet: sndtot5, pncket- 4-1, 0.1民&苗,ItO =Operation not permittedUt fond

34、 in r packet: UP 172. 1&2(J:5t)J75172门也以 63:113 S ttl=45 id = 18175 iplcn-44 sc?q=2197034J wln-204& <mss Ut50> acudto in send_ip_packct: 3cndto(5t packets 44, 0. 372. 15. 0* 153, 16) => Operat ion not pormi ttod (irfpndinsJ CP 172, Ifi, 0. 2C：.5fl375 ) 172. 10. D. 03:23 S ttl=41 ld=

35、 28535 io1en=44 砥中299197a343 win=2048 <mss 1400> stolid to in 5；end_ ip_packet: sondtolS, pEickt； I, 44, 01. 172. 16. 0. 63, 1U,) =) Oporation not permiI tedOffending packeL： TCP 172. 10i O. 20:5tWT5 > 172. 10. 0. 03:22 S ttl=47 Ld=l然94 iplen= 145Qq=£99l97b34口 if iu= 1096 mss 146Q.s?ud

36、 to in send_ ip .packet : sendto(5j packet4 44, D. 172 1(5. 0. 63Iti) = Operat ion not permi ttedOffending packet: TCP 171 1& 0. 20:56375 > 172. 16,0. 63;80 S ttl=44 ld=11610 ipleF 44 seq=29397S3W win=1024 <mss 1460> sendto in send_ ip _pa.cket; send Co <5, packet, 44, U.72, Iti, U.

37、HA Iti) => Operation not pe? mlitedOffending packet: J CP16.也 加；56375 > 172,1吐必63哥89 S ttl=33 id=35151 iplensoq=299197ti343 vn=d096 <mss Ut5Q>scud to in send ip packet: scndto(54 racket - 44, 0. 17Pz 1 文&& * 16) => Operation not permi ttedOffending packet: TCP 172. 16. 0. 20:5

38、6375 > 1724 16. 0. 63:3389 S ttl=5l fd=30B74 iple i=44 £(?q二2y9197rb3 13 vin=lU9ti mss 1160) send Lu Lu send_ lp_pai:keL 1 suiEiog, iJiickc L, 11J, 0, 172. II 0.胡,Lfl) -> DiJi,dliuJi not permi tLedOffending packet: TCP 172. IS. 0. 20:5t5375 > 172. 10. 0. fl3:t53l5 S ttl=40 id=50fi01 ip

39、l口i Mi sea=2991970343 wLn=1024 <rss 1J6O> sD：id Lo in seiid_ ip_paeket: send to (5, packe I, 44, 0. 172 Lb. 0. 63, Iti) => Operation not pEiuii ttedOffending packet: I CP 17Z, lb. D. 2(J:bP,b > 17 Id. 0,S ttl=4(J id=fiDy79 Lplen-4i seq-9? 197634 Un=l(lW42 146。(4)在同组主机端口扫描完成后，当前主机查看iptabl

40、es日志，对端口扫描事件进行审计，日志内容如图所示。二.状态检测实验操作概述：分别对新建和已建的网络会话进行状态检测。1.对新建的网络会话进行状态检测(1)清空filter规则链全部内容。iptables 命令(2)设置全部链表默认规则为允许。iptables 命令(3)设置规则禁止任何新建连接通过。iptables 命令.roatdExpNl C TOOtOExpM C .TOOtflExpN C :rootEpNIC :roGlE?tplSl C rroct©-'?(pK I Cjior t sc an # p.rtscan ff )ortscai ffiJoriscti

41、LiJjjur LscaLi.port sc an.ff讦不iptabIes -Riptables -P INPUT ACCEPTiptablcs -P FOKAARD ACCEPTiptHbles -P OUTPUT ACCEPTiplabl es -A LNPU1 - m stcLte -stale NEA -j DR OP(4)同组主机对当前主机防火墙规则进行测试，验证规则正确性。J uo L'EspN 1C .r&otL.KpN IC _roo! ©ExpK IC rootEipRIC.rootAExpNIC j-uutEspNlCDortscan. port

42、 scan, port scan portscanft鼻portscEiii. pPUP ISCEIIL.并LULtibles ' I ipt abl es -1h i pt nbl os -1h ipt abl os P iptables -AINPUl ACCEPTFDRkARD ACCEPT OLTPI T ACCEPT INPUT -n stalo-state ME肃DROPnniiLp - sS 15 3Sta.rtitik 忖rnaj? +2。( httpi/insecure, ors ) al. 2015-04- IS 11:41 CSI Al l 1

43、697 scanned port s on 172. lb. 0, 63 are fi 1 teredMAC Address: 00:0C:29:6A:B5:F9 (VMvtLro)Nrna.p finished: 1 L P address il hos L up) ac Eiiin cd in 1H. 7g2 secondsI rnet伊Exp、IC portcEiii Jft |2.对已建的网络会话进行状态检测(1)清空filter规则链全部内容，并设置默认规则为允许。(2)同组主机首先telnet远程登录当前主机，当出现“login:"界面时，暂停登录操作。telnet登录命

44、令.root0ExpK 1C Cbroi1 C：1,5，团""N C工口 h 1 Cpor l scan J P port scan J port scan J 二portscuiij por l sc Liid Fiptablas 一Fiptablas -P IWI ACCEPT iptables -P FORWARD ACCEPT iptablei -P OUTPUT ACCEPT tel ent 172. 16. 0. 63已用 h ; tel ent; comnuind not found .rQotflETtpNTC port scan # telnet 172.

45、 16463rying 172.15. 0.63.ZoLitiec ted to 172. iti. ), ti3 (L72. 16 0. 63).：sc ape charac ter is 'redora Cotf rel ?a se 5 (ftni'de(iux)lornol 2. 6. 15- 1. 2051_FC5 dii an £686log in i(3) iptables添加新规则(状态检测)一一仅禁止新建网络会话请求。iptables 命令或guest”及口令同组主机续步骤(2)继续执行登录操作，尝试输入登录用户名“guestpass”,登录是否成功？

46、roatl；xp I C rootSExpNIC rootdExpNIC rootExpNIC rnotl3lixpX I Cpai'tscran 胃 -ri .-i-dii 二partscan#porLScaii J 77port sc <iii ,iptablu吕 一Fiptables -P INPL'T ACCEPTfptables -R FORWARD ACCEPTLptables -P OUTPUT ACCLI'l- telnet 172. 16. th 63Try ing 17Z. 16. 0. (53,.Connected, tu 172. 16. D. 63 1172. 16. 0. 63)Escape eliara.cter LiS 'l>dorn Cor