
lug-bg: port filtering s IPTABE


  • Subject: lug-bg: port filtering s IPTABE
  • From: "neogost2002" <neogost2002@xxxxxxxxx>
  • Date: Sat, 15 Nov 2003 22:47:02 +0200

Здравейте група
Сигурно въпросът ми ще е глупав, но за съжаление ми трябва бързо решение и нямам време да чета документация по въпроса. Досега винаги съм ползвал "ipchains", но на тази машина има инсталирана орязана версия на "Debian", специализирана като защитна стена. Тук "ip filtering"-ът е изпълнен с "iptables", нещо, което не съм ползвал досега. Искам на вътрешно IP 10.2.10.4/32 да забраня всичко освен портовете: 25, 110, 53, 80, 6667 по "TCP" и 53 по "UDP". Прилагам файла "rc.firewal" – бихте ли ми помогнали? На машината работи и транспарентно прокси "SQUID".
 
     Много благодаря предварително с уважение neogost  
__________________________________________________________________
neo ghost
ICQ#: 119959087
Current ICQ status:  
+  More ways to contact me
__________________________________________________________________

Attachment: online?icq=119959087&img=21
Description: Binary data

#!/bin/sh

# Site configuration (link type, device names, ...) is kept by IPCop in two
# settings files; both are sourced into the current shell so that the
# variables they define (DEVICE, RED_TYPE, RED_DEV, GREEN_DEV, ...) are visible
# to the functions below.
. /var/ipcop/ppp/settings
. /var/ipcop/ethernet/settings

# Name of the RED (external) interface, read from the marker file with its
# trailing newline stripped.  Empty when the file is missing or empty.
IFACE=$(/usr/bin/tr -d '\012' < /var/ipcop/red/iface)

#######################################
# Reset the packet filter to a known, closed baseline.
# Writes a handful of /proc/sys/net/ipv4 knobs, flushes the filter and nat
# tables, sets DROP policies on INPUT/FORWARD (ACCEPT on OUTPUT) and installs
# the PSCAN chain that logs and drops Xmas/Null TCP packets.
# Globals:  none read; shell variables knob/table/p/flags/chain are used as
#           loop counters and cleared at the end.
# Returns:  status of the last iptables call.
#######################################
iptables_init() {
        # Per-interface knobs ("all").  NOTE: rp_filter=0 switches reverse-path
        # (source address) validation off; log_martians=1 at least logs packets
        # with impossible source addresses instead of silently passing them.
        for knob in rp_filter=0 accept_redirects=0 accept_source_route=0 log_martians=1; do
                echo "${knob#*=}" > "/proc/sys/net/ipv4/conf/all/${knob%%=*}"
        done

        # Reduce DoS'ing ability by reducing timeouts; window scaling,
        # timestamps and SACK are switched off as well.
        for knob in tcp_fin_timeout=30 tcp_window_scaling=0 tcp_timestamps=0 tcp_sack=0 tcp_max_syn_backlog=1024; do
                echo "${knob#*=}" > "/proc/sys/net/ipv4/${knob%%=*}"
        done

        # Flush all rules and delete all custom chains, in the filter and
        # nat tables (the two tables are independent, so per-table order
        # does not matter).
        for table in filter nat; do
                /sbin/iptables -t "$table" -F
                /sbin/iptables -t "$table" -X
        done

        # Default policies: closed for traffic to and through the box, open
        # for traffic originating on it.
        /sbin/iptables -P INPUT   DROP
        /sbin/iptables -P FORWARD DROP
        /sbin/iptables -P OUTPUT  ACCEPT

        # PSCAN: rate-limited LOG per protocol (and for fragments), then DROP.
        /sbin/iptables -N PSCAN
        for p in tcp:TCP udp:UDP icmp:ICMP; do
                /sbin/iptables -A PSCAN -p "${p%%:*}" -m limit --limit 10/minute \
                        -j LOG --log-prefix "${p#*:} Scan? "
        done
        /sbin/iptables -A PSCAN -f -m limit --limit 10/minute -j LOG --log-prefix "FRAG Scan? "
        /sbin/iptables -A PSCAN -j DROP

        # Hand Xmas (all flags set) and Null (no flags set) TCP packets on
        # INPUT and FORWARD to PSCAN -- typical port-scanner probes.
        for flags in ALL NONE; do
                for chain in INPUT FORWARD; do
                        /sbin/iptables -A "$chain" -p tcp --tcp-flags ALL "$flags" -j PSCAN
                done
        done

        # do not leave the loop counters behind in the global namespace
        unset knob table p flags chain
}

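#######################################
# (Re)populate the RED chain for the external interface.
# Globals (read): IFACE, DEVICE, RED_TYPE, RED_DEV, PROTOCOL, METHOD -- all
#   but IFACE come from the sourced settings files.
# Side effects: flushes and refills chain RED in the filter table (reached
#   from INPUT) and in the nat table (reached from POSTROUTING); the chains
#   themselves are created by the "start" case.
# Returns: status of the last iptables call.
#######################################
iptables_red() {
        /sbin/iptables -F RED
        /sbin/iptables -t nat -F RED

        # PPPoE / PPTP: accept whatever arrives on the tunnel device(s).
        # Only one copy of this block belongs here; a duplicated paste of
        # its first lines leaves two "if"s without a matching "fi" and the
        # whole script fails to parse.
        if [ "$IFACE" != "" ]; then
                if [ "$DEVICE" != "" ]; then
                        /sbin/iptables -A RED -i "$DEVICE" -j ACCEPT
                fi
                if [ "$RED_TYPE" = "PPTP" ] || [ "$RED_TYPE" = "PPPOE" ]; then
                        if [ "$RED_DEV" != "" ]; then
                                /sbin/iptables -A RED -i "$RED_DEV" -j ACCEPT
                        fi
                fi
        fi

        # The remaining rules only make sense once the RED link is up.
        if [ "$IFACE" != "" ] && [ -f /var/ipcop/red/active ]; then
                # DHCP server replies (source port 67 -> client port 68).
                # The two conditions add the same rules; if both hold they
                # are appended twice, which is harmless.
                if [ "$RED_DEV" != "" ] && [ "$RED_TYPE" = "DHCP" ]; then
                        /sbin/iptables -A RED -p tcp --source-port 67 --destination-port 68 -i "$IFACE" -j ACCEPT
                        /sbin/iptables -A RED -p udp --source-port 67 --destination-port 68 -i "$IFACE" -j ACCEPT
                fi
                if [ "$PROTOCOL" = "RFC1483" ] && [ "$METHOD" = "DHCP" ]; then
                        /sbin/iptables -A RED -p tcp --source-port 67 --destination-port 68 -i "$IFACE" -j ACCEPT
                        /sbin/iptables -A RED -p udp --source-port 67 --destination-port 68 -i "$IFACE" -j ACCEPT
                fi

                # Allow IPSec (and PPTP transport): GRE (47), ESP (50),
                # AH (51) and IKE (udp 500)
                /sbin/iptables -A RED -p 47  -i "$IFACE" -j ACCEPT
                /sbin/iptables -A RED -p 50  -i "$IFACE" -j ACCEPT
                /sbin/iptables -A RED -p 51  -i "$IFACE" -j ACCEPT
                /sbin/iptables -A RED -p udp -i "$IFACE" --sport 500 --dport 500 -j ACCEPT

                # Outgoing masquerading behind the RED address
                /sbin/iptables -t nat -A RED -o "$IFACE" -j MASQUERADE
        fi
}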

# See how we were called.  Every mode below starts from iptables_init, so
# the INPUT/FORWARD DROP policies are in force in each of them and anything
# not explicitly accepted is dropped.
case "$1" in
  start)
        iptables_init

        # Limit Packets- helps reduce dos/syn attacks
        # NOTE(review): this rule has no -j target, so it only counts the
        # SYNs that fall within the limit -- nothing is dropped or accepted
        # by it.  Presumably a rate limit was intended; left unchanged here.
        /sbin/iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 10/sec

        # CUSTOM chains, can be used by the users themselves.  They are
        # jumped to before the ESTABLISHED/RELATED and GREEN accepts below,
        # so rules placed in them take precedence over the default accepts.
        /sbin/iptables -N CUSTOMINPUT
        /sbin/iptables -A INPUT -j CUSTOMINPUT
        # NOTE(review): CUSTOMINPUT hangs off INPUT, i.e. traffic addressed
        # to the firewall itself.  Traffic from this host that is forwarded
        # towards RED goes through FORWARD -> CUSTOMFORWARD instead, so a
        # per-host outbound restriction belongs in CUSTOMFORWARD.  As written
        # this drops every TCP packet from 10.2.10.4 to the firewall --
        # presumably including port-80 traffic redirected to the local
        # transparent proxy by the SQUID nat chain (confirm against the
        # rules that chain receives).
        /sbin/iptables -A CUSTOMINPUT -s 10.2.10.4/32 -d 0/0 -p tcp -j DROP
        /sbin/iptables -N CUSTOMFORWARD
        /sbin/iptables -A FORWARD -j CUSTOMFORWARD
        /sbin/iptables -t nat -N CUSTOMPREROUTING
        /sbin/iptables -t nat -A PREROUTING -j CUSTOMPREROUTING

        # Accept everything already connected (connection tracking state)
        /sbin/iptables -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
        /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
        # localhost and ethernet.  $GREEN_DEV comes from the sourced
        # ethernet settings and is not quoted; an empty value would leave
        # iptables with a bare "-i" (verify the settings file).
        /sbin/iptables -A INPUT   -i lo         -j ACCEPT
        /sbin/iptables -A INPUT   -p icmp       -j ACCEPT
        /sbin/iptables -A INPUT   -i $GREEN_DEV -j ACCEPT
        /sbin/iptables -A FORWARD -i $GREEN_DEV -j ACCEPT

        # accept all traffic from ipsec interfaces
        /sbin/iptables -A INPUT   -i ipsec+ -j ACCEPT
        /sbin/iptables -A FORWARD -i ipsec+ -j ACCEPT

        # Port forwarding
        if [ "$ORANGE_DEV" != "" ]; then
                # This rule enables a host on ORANGE network to connect to the outside
                # (tcp/udp only), but not into the ipsec tunnels and not
                # onto GREEN -- GREEN is reached only through DMZHOLES below.
                /sbin/iptables -A FORWARD -i $ORANGE_DEV -o ipsec+ -j DROP
                /sbin/iptables -A FORWARD -i $ORANGE_DEV -p tcp \
                        -o ! $GREEN_DEV -j ACCEPT
                /sbin/iptables -A FORWARD -i $ORANGE_DEV -p udp \
                        -o ! $GREEN_DEV -j ACCEPT
        fi

        # RED chain, used for the red interface; filled in by iptables_red
        # (filter RED is reached from INPUT, nat RED from POSTROUTING).
        /sbin/iptables -N RED
        /sbin/iptables -A INPUT -j RED
        /sbin/iptables -t nat -N RED
        /sbin/iptables -t nat -A POSTROUTING -j RED

        iptables_red

        # XTACCESS chain, used for external access (rules are added elsewhere)
        /sbin/iptables -N XTACCESS
        /sbin/iptables -A INPUT -j XTACCESS

        # PORTFWACCESS chain, used for portforwarding (rules are added elsewhere)
        /sbin/iptables -N PORTFWACCESS
        /sbin/iptables -A FORWARD -j PORTFWACCESS

        # DMZ pinhole chain.  setdmzholes setuid prog adds rules here to allow
        # ORANGE to talk to GREEN.
        /sbin/iptables -N DMZHOLES
        /sbin/iptables -A FORWARD  -o $GREEN_DEV -j DMZHOLES

        # Custom prerouting chains (for transparent proxy and port forwarding);
        # both are created empty here and populated by other tools.
        /sbin/iptables -t nat -N SQUID
        /sbin/iptables -t nat -A PREROUTING -j SQUID
        /sbin/iptables -t nat -N PORTFW
        /sbin/iptables -t nat -A PREROUTING -j PORTFW

        # last rule in input and forward chain is for logging; whatever
        # falls through afterwards hits the DROP policy.
        # NOTE(review): the FORWARD rule logs with the prefix "OUTPUT ";
        # kept as is because log consumers may match on the literal prefix.
        /sbin/iptables -A INPUT   -m limit --limit 10/minute -j LOG --log-prefix "INPUT "
        /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "OUTPUT "
        ;;
  stop)
        # "stop" is a lockdown, not an open state: iptables_init leaves the
        # DROP policies in place and only loopback, GREEN and DHCP replies
        # are accepted below (nothing is forwarded at all).
        iptables_init

        # Accept everything already connected
        /sbin/iptables -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT

        # localhost and ethernet.
        /sbin/iptables -A INPUT -i lo -j ACCEPT
        /sbin/iptables -A INPUT -i $GREEN_DEV -j ACCEPT

        # DHCP server replies on RED, same two conditions as in iptables_red
        if [ "$RED_DEV" != "" -a "$RED_TYPE" = "DHCP" ]; then
                /sbin/iptables -A INPUT -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
                /sbin/iptables -A INPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
        fi
        if [ "$PROTOCOL" = "RFC1483" -a "$METHOD" = "DHCP" ]; then
                /sbin/iptables -A INPUT -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
                /sbin/iptables -A INPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
        fi

        # final logging rules, as in "start" (same "OUTPUT " prefix on FORWARD)
        /sbin/iptables -A INPUT   -m limit --limit 10/minute -j LOG --log-prefix "INPUT "
        /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "OUTPUT "
        ;;
  reload)
        # only the RED chain is rebuilt; everything else stays as it is
        iptables_red
        ;;
  restart)
        # re-executes this script twice; the exit status of "stop" is ignored
        $0 stop
        $0 start
        ;;
  *)
        echo "Usage: $0 {start|stop|reload|restart}"
        exit 1
        ;;
esac

# Unconditional success: failures of individual iptables calls above are
# not propagated to the caller.
exit 0





 
