Ip Tables
Many people are confused by IPTables and struggle to understand how it works, but once you get
the basic concept it becomes fairly easy. This tutorial will explain the basics of how to use
IPTables. I am actually not that advanced with IPTables, but I understand well enough how
iptables works.
I made this tutorial using Debian GNU/Linux 4.0, but it does not matter which Linux distro you
use, because the commands and syntax work across Linux distributions.
You can check whether iptables is already installed on the Linux machine by running the
command:
If iptables is not yet installed on the Linux machine and you want to install it, run:
mail:~# apt-get update && apt-get install iptables
Get:1 http://kambing.vlsm.org stable Release.gpg [378B]
Get:2 http://kambing.vlsm.org stable/updates Release.gpg [189B]
Hit http://kambing.vlsm.org stable Release
Hit http://kambing.vlsm.org stable/updates Release
Ign http://kambing.vlsm.org stable/main Packages/DiffIndex
Ign http://kambing.vlsm.org stable/contrib Packages/DiffIndex
Ign http://kambing.vlsm.org stable/non-free Packages/DiffIndex
Ign http://kambing.vlsm.org stable/main Sources/DiffIndex
Ign http://kambing.vlsm.org stable/contrib Sources/DiffIndex
Ign http://kambing.vlsm.org stable/non-free Sources/DiffIndex
Hit http://kambing.vlsm.org stable/main Packages
Ign http://kambing.vlsm.org stable/updates/main Packages/DiffIndex
Ign http://kambing.vlsm.org stable/updates/contrib Packages/DiffIndex
Ign http://kambing.vlsm.org stable/updates/non-free Packages/DiffIndex
Ign http://kambing.vlsm.org stable/updates/main Sources/DiffIndex
Ign http://kambing.vlsm.org stable/updates/contrib Sources/DiffIndex
Ign http://kambing.vlsm.org stable/updates/non-free Sources/DiffIndex
Hit http://kambing.vlsm.org stable/contrib Packages
Hit http://kambing.vlsm.org stable/non-free Packages
Hit http://kambing.vlsm.org stable/main Sources
Hit http://kambing.vlsm.org stable/contrib Sources
Hit http://kambing.vlsm.org stable/non-free Sources
Hit http://kambing.vlsm.org stable/updates/main Packages
Hit http://kambing.vlsm.org stable/updates/contrib Packages
Hit http://kambing.vlsm.org stable/updates/non-free Packages
Hit http://kambing.vlsm.org stable/updates/main Sources
Hit http://kambing.vlsm.org stable/updates/contrib Sources
Hit http://kambing.vlsm.org stable/updates/non-free Sources
Fetched 2B in 1s (1B/s)
Reading package lists... Done
Reading package lists... Done
Building dependency tree... Done
iptables is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 9 not upgraded.
mail:~#
# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
This is what you will see when no ruleset has been loaded on the Linux machine yet. We can see
there are 3 'chains' there.
Our main concern is traffic coming from the outside network to the server, which falls under
the INPUT chain. So when traffic passes through the kernel, it is given a target depending on
whether the packet matches the rules or not; targets are generally divided into 3 states:
Next we will apply some standard rules for a machine on the Internet.
Hmm... before we configure iptables, it is worth explaining how IPTables sees the position of a
packet within a connection. This closely mirrors the TCP/IP standard, for example the three-step
exchange between two hosts before they exchange data:
NEW : ServerA connects to ServerB and sends a SYN (synchronize) packet
RELATED : ServerB receives the SYN packet and replies with a SYN-ACK packet
ESTABLISHED : ServerA receives the SYN-ACK packet and responds with the final ACK packet
Once these three steps are complete, the connection is established and the hosts are ready to
exchange data. IPTables rules work much the same way; the commands are:
Now that we have the base rules in our IPTables list, let's look at them:
After entering the rules above, you can add whatever rules you want without fear of locking
yourself out with your own rules.
OK, as an example of rules here: if you run services on your Linux machine, for example a web
server, the configuration you would do is:
IMAP
# iptables -A INPUT -d 202.47.77.249 -p tcp --dport 143 -j ACCEPT
IMAPS
# iptables -A INPUT -d 202.47.77.249 -p tcp --dport 993 -j ACCEPT
POP3
# iptables -A INPUT -d 202.47.77.249 -p tcp --dport 110 -j ACCEPT
POP3S
# iptables -A INPUT -d 202.47.77.249 -p tcp --dport 995 -j ACCEPT
ICMP/Ping:
# iptables -A INPUT -d 202.47.77.249 -p icmp -j ACCEPT
# iptables-restore -c /root/iptables-save.out
The resulting IPTables configuration:
mail:~# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 192.168.0.2 202.47.77.249 tcp dpt:ssh
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
DROP 0 -- 172.34.5.8 anywhere
ACCEPT tcp -- 192.168.0.2 202.47.77.249 tcp dpt:mysql
ACCEPT tcp -- anywhere 202.47.77.249 tcp dpt:ssh
ACCEPT tcp -- anywhere 202.47.77.249 tcp dpts:ftp-data:ftp
ACCEPT tcp -- anywhere 202.47.77.249 tcp dpt:www
ACCEPT tcp -- anywhere 202.47.77.249 tcp dpt:https
ACCEPT tcp -- anywhere 202.47.77.249 tcp dpt:imap2
ACCEPT tcp -- anywhere 202.47.77.249 tcp dpt:imaps
ACCEPT tcp -- anywhere 202.47.77.249 tcp dpt:pop3
ACCEPT tcp -- anywhere 202.47.77.249 tcp dpt:pop3s
ACCEPT 0 -- localhost 202.47.77.249
ACCEPT icmp -- anywhere 202.47.77.249
REJECT 0 -- anywhere 202.47.77.249 reject-with icmp-port-unreachable
REJECT 0 -- anywhere anywhere reject-with icmp-port-unreachable
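As an added example (my own script, not the tutorial's), here is the INPUT chain from the listing above rebuilt in the order that keeps you from locking yourself out: loopback first, then the connection-tracking rule, then SSH, then the public services, then the final REJECT. The server address 203.0.113.10, the variable names and the `proto:port` argument format are my assumptions; set IPT=echo (or pass `show`) to preview the commands without applying them. One caveat on the state names used earlier: in iptables' connection tracking the SYN-ACK reply already counts as ESTABLISHED, and RELATED is reserved for helper-opened connections such as the FTP data channel, which is why the single ESTABLISHED,RELATED rule is enough to admit all replies.

```shell
#!/bin/sh
# Added example: lockout-safe INPUT chain builder (not the tutorial's own script).
# SERVER_IP is a TEST-NET placeholder; the service list is passed as proto:port.
set -eu

IPT="${IPT:-iptables}"                    # set IPT=echo to print instead of apply
SERVER_IP="${SERVER_IP:-203.0.113.10}"    # placeholder, replace with the real address

# Rules are evaluated top to bottom and the first match wins, so order matters:
# the conntrack rule and the SSH allow go in BEFORE anything that rejects.
build_input_chain() {
    # 1. Flush only the INPUT chain; other chains are untouched. The chain
    #    policy is assumed to be ACCEPT, as in the listing above.
    "$IPT" -F INPUT
    # 2. Loopback traffic is local; never block it.
    "$IPT" -A INPUT -i lo -j ACCEPT
    # 3. Replies to connections already being tracked. This is what keeps an
    #    existing SSH session alive once the final REJECT is appended.
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 4. Management access first, so a mistake below cannot lock us out.
    "$IPT" -A INPUT -d "$SERVER_IP" -p tcp --dport 22 -j ACCEPT
    # 5. Public services, one proto:port pair per argument (e.g. tcp:80).
    for svc in "$@"; do
        proto="${svc%%:*}"
        port="${svc#*:}"
        "$IPT" -A INPUT -d "$SERVER_IP" -p "$proto" --dport "$port" -j ACCEPT
    done
    # 6. Ping and path-MTU discovery need ICMP.
    "$IPT" -A INPUT -d "$SERVER_IP" -p icmp -j ACCEPT
    # 7. Everything else is refused, as the tutorial's listing does.
    "$IPT" -A INPUT -j REJECT --reject-with icmp-port-unreachable
}

# Number of rules a dry run would append (sanity check before applying).
rule_count() {
    ( IPT=echo; build_input_chain "$@" ) | grep -c -- '-A INPUT'
}

# "apply" loads the rules (run as root); "show" only prints them.
if [ "${1:-}" = apply ]; then
    shift
    build_input_chain "$@"
elif [ "${1:-}" = show ]; then
    shift
    ( IPT=echo; build_input_chain "$@" )
fi
```

Preview with `sh firewall.sh show tcp:80 tcp:443 tcp:143 tcp:993 tcp:110 tcp:995`, then load with `apply` in place of `show` and confirm the order with `iptables -L INPUT -n -v --line-numbers`. Keep the SSH session open while you do so; if the listing looks wrong, the ESTABLISHED,RELATED rule still lets that session through while you fix it.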
13. Routing
A GNU/Linux machine has routing in the kernel. The only thing you need to do is enable
it. Therefore you need to adjust /proc/sys/net/ipv4/ip_forward.
To make sure the setting is also set after a reboot adjust /etc/network/options:
ip_forward=yes
Spoofprotect
Put in /etc/network/options:
spoofprotect=yes
Syncookies
Put in /etc/network/options:
syncookies=no
Defragment
When you use IP-addresses of the private range on your internal network, like:
• Class A: 10.0.0.0/8
• Class B: 172....
• Class C: 192.168.0.0/16
then no connection to the Internet from your local net will succeed, although you have
turned on routing. The reason for this is that no private range address is allowed on the
Internet, so they are filtered. To solve this you need NAT, or as it is called in the
GNU/Linux world: masquerading
There are two types of NAT: Source NAT and Destination NAT.
Source NAT
In the case of private IP addresses that may not occur on the Internet we use Source NAT
to hide them. If you have a 2.4.x kernel installed use iptables to set masquerading:
We assume that ppp0 is your Internet interface. For 2.2.x kernels you might want to use
ipchains:
With the above lines one has a basic system. Your internal network is connected to the
Internet. You have a router, but no firewall yet.
Destination NAT
Setting up a firewall, with a complete description of how to do it, is a lot of work. For now
we are going to close every incoming connection from the Internet, just to be sure (this also
closes our SSH connection):
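The routing, masquerading and close-everything steps of this section, as an added example in script form (my own, not the tutorial's commands): ppp0 as the Internet interface, eth0 and 192.168.0.0/24 as the private side, and the `run` wrapper are assumptions. The script prints the commands unless DRY_RUN=0. `rp_filter` is the kernel setting that Debian's spoofprotect=yes option turns on, and the last function refuses new inbound connections from the Internet as described above.

```shell
#!/bin/sh
# Added example (not the tutorial's own commands): make a Debian box route and
# masquerade for a private LAN, then close new inbound connections from the WAN.
# WAN, LAN and LAN_NET below are assumptions; adjust them to your interfaces.
set -eu

WAN="${WAN:-ppp0}"                      # interface facing the Internet
LAN="${LAN:-eth0}"                      # interface facing the private network
LAN_NET="${LAN_NET:-192.168.0.0/24}"    # constructed private range behind the router
DRY_RUN="${DRY_RUN:-1}"                 # 1 = print the commands, 0 = execute them (as root)

# Every privileged action goes through run(), so the whole script can be
# previewed before it touches the kernel.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Kernel knobs: forwarding is off by default. rp_filter is the reverse-path
# check behind Debian's spoofprotect=yes; it drops packets whose source address
# is not routable back out of the interface they arrived on.
enable_routing() {
    run sysctl -w net.ipv4.ip_forward=1
    run sysctl -w net.ipv4.conf.all.rp_filter=1
}

# Source NAT: rewrite the private source address to the WAN address on the way
# out. Connection tracking reverses the translation for the replies.
enable_masquerade() {
    run iptables -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
    # Forward only what originates on the LAN, plus the replies to it.
    run iptables -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    run iptables -A FORWARD -i "$WAN" -o "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$WAN" -j DROP
}

# Refuse every new inbound connection from the Internet to the router itself.
# Unlike a blanket drop, the ESTABLISHED,RELATED rule keeps an already-open SSH
# session alive; a fresh connection from the WAN side is dropped.
close_inbound() {
    run iptables -A INPUT -i "$WAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -i "$WAN" -m state --state NEW -j DROP
}

# The full sequence; in dry-run mode this returns the command list on stdout.
router_commands() {
    enable_routing
    enable_masquerade
    close_inbound
}

# Only act when invoked with "run", so the functions can also be sourced.
if [ "${1:-}" = run ]; then
    router_commands
fi
```

Run `sh router.sh run` once to read the command list, then `DRY_RUN=0 sh router.sh run` as root from the console or the LAN side. Afterwards `cat /proc/sys/net/ipv4/ip_forward` should print 1 and `iptables -t nat -L POSTROUTING -n` should show the MASQUERADE rule; the sysctl changes do not survive a reboot, which is why the text also sets them in /etc/network/options.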
# vi /etc/network/interfaces
auto eth0
iface eth0 inet static
address 192.168.0.254
netmask 255.255.255.0
broadcast 192.168.0.255
auto eth1
iface eth1 inet static
address 10.1.1.2
netmask 255.255.255.0
broadcast 10.1.1.255
gateway 10.1.1.1
# vi /etc/bind/named.conf
enter the following:
zone "chuprex.net" IN {
type master;
file "db.domain";
};
zone "0.168.192.in-addr.arpa" IN {
type master;
file "db.ip";
};
* then create the files db.domain and db.ip; they go in /var/cache/bind/
.::db.domain
; chuprex.net
$TTL 604800
@ IN SOA ns1.chuprex.net. root.chuprex.net. (
2006020201 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS ns1
IN MX 10 mail
IN A 192.168.0.254
ns1 IN A 192.168.0.254
mail IN A 192.168.0.2 ; We have our mail server somewhere else.
www IN A 192.168.0.254
client1 IN A 192.168.0.1 ; We connect to client1 very often.
.:: db.ip
; chuprex.net reverse zone (0.168.192.in-addr.arpa)
$TTL 604800
@ IN SOA ns1.chuprex.net. root.chuprex.net. (
2006020201 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS ns1.chuprex.net.
254 IN PTR ns1.chuprex.net.
2 IN PTR mail.chuprex.net.
1 IN PTR client1.chuprex.net.
# vi /etc/resolv.conf
nameserver 192.168.0.254
domain chuprex.net
# /etc/init.d/bind9 restart
# vi /etc/network/options
ip_forward=yes
spoofprotect=yes
syncookies=no
# iptables-save -c > /root/iptables-save.out
That's all, the simple router setup is done. Oops, it turns out something was left out:
# /etc/init.d/networking restart