家庭网关中iptables功能研究与实现

发布时间：2018-03-04 12:42

本文选题：iptables　切入点：家庭网关　出处：《武汉邮电科学研究院》2014年硕士论文　论文类型：学位论文

【摘要】：在计算机网络技术飞速发展的今天,虽然有效化解了信息共享需求与实现这两者之间的矛盾,但出现了一个不容忽视的技术和社会问题,也就是开放信息资源的安全没有解决。作为本地网络与外部网络之间的安全屏障,防火墙在隔离风险网络与本地网络连接的同时,不会影响人们访问外部网络,可作为一种理想的安全网络模型。Linux除了具有良好的网络性能外,还有开放源码的特点,其中Linux2.4和2.6内核的防火墙子系统netfilter/iptables简洁高效、可扩展性好,使越来越多的开发者选择它作为家庭网关中防火墙的实现基础,并且得到了广泛的应用。本文对Netfilter的框架结构以及工作原理进行了深入研究,在此基础上介绍了iptables的框架结构,分析了iptables表和链之间的关系以及iptables的工作原理,同时还对iptables命令的用法进行了研究；接着研究了ebtables的表和链之间的关系以及工作原理,最后分析了ebtables命令的使用。在此基础上,对家庭网关的防火墙功能进行了扩展：(1)为iptables某些规则添加时间限制。允许我们基于数据包的到达或离开的时间进行匹配。(2)为ebtables某些规则添加时间限制。允许我们通过mac地址来控制计算机上网的时间。(3)分析DNS重新绑定攻击的原理,提出防御该攻击的方法,用iptables规则来防止该攻击。(4)增加一些自定义链用来管理家庭网关中已经存在的规则,使之更容易管理。最后通过大量实验验证本文实现的某些扩展功能,对结果进行总结并对未来进行展望。
[Abstract]:With the rapid development of computer network technology, although the contradiction between the need for information sharing and the realization of information sharing has been effectively resolved, a technical and social problem that cannot be ignored has emerged. As a security barrier between the local network and the external network, the firewall not only separates the risk network from the local network, but also does not affect people's access to the external network. Linux is an ideal security network model. In addition to good network performance, there are also open source features, including Linux2.4 and 2.6 kernel firewall subsystem netfilter/iptables, simple and efficient, good scalability, More and more developers choose it as the implementation basis of firewall in home gateway, and it has been widely used. This paper deeply studies the frame structure and working principle of Netfilter, and then introduces the frame structure of iptables. The relationship between iptables table and chain and the working principle of iptables are analyzed, and the usage of iptables command is also studied. Then, the relationship between ebtables table and chain and its working principle are studied. Finally, the use of ebtables command is analyzed. Extends the firewall functionality of the home gateway (1) adds time limits to certain iptables rules. Allows us to match the arrival or departure times of packets. 2) adds time limits to certain ebtables rules. Allows us to. The principle of DNS rebinding attack is analyzed by using mac address to control the time of computer Internet access. The method of defending this attack is put forward, and the iptables rule is used to prevent the attack. (4) some custom chains are added to manage the existing rules in the home gateway to make them easier to manage. Finally, some extended functions implemented in this paper are verified by a large number of experiments. Summarize the results and look forward to the future.
【学位授予单位】：武汉邮电科学研究院
【学位级别】：硕士
【学位授予年份】：2014
【分类号】：TN915.05

【相似文献】