IRCForumları - The Meeting Point for IRC and mIRC Users
8 Like(s)
  • 8 post(s) by Silencer
25 January 2010, 17:29   #1
Iptables examples




Hello,

The purpose of this thread is to collect the IPTABLES rule examples we use and/or know of under one thread, so that the number of iptables examples grows.


Code:
#!/bin/bash
# Censorship notice
# Since this script was written by LUG Krefeld, it may also be published
# inside and outside that group.
# However, because it partly contains security-relevant internal data such as
# internal IP addresses, some lines are marked with "### ZENSUR" (censored).
# Those lines must be removed before publication. This can be done, for
# example, with:

# Note on syntax: the posted version used the old intrapositioned negation
# ("-s ! net"); it is written here as "! -s net", the form current iptables
# prefers (the old form is deprecated).

DEV_INET=ppp0
DEV_BAYENNET=eth0
DEV_LUGNET=eth1

# Example:
# LOCALNET=192.168.1.0/24

# The following variables were among the censored lines and must be set before
# the script is used. Added check: abort with a clear message instead of
# building rules from empty values.
: "${LOCALNET:?LOCALNET must be set, e.g. 192.168.1.0/24}"
: "${EXTRAWURST:?EXTRAWURST (the host allowed to use T-Online and e-mail directly) must be set}"
: "${LUGEXTRAWURST:?LUGEXTRAWURST must be set}"
: "${TESTEXTRAWURST:?TESTEXTRAWURST must be set}"

# The mask for servers at the provider. It is used for smtp, news etc.
# In case of doubt "! $LOCALNET" can be entered here.
# The one given here seems to work for T-Online.
PROVIDERSERVER=194.25.134.0/24

# If I have complex services that use more than one port and want to open
# them not globally but only for specific hosts, it makes sense to create
# dedicated chains for them. That is done in the following routines.

makechain_tonline(){
    # If a host is allowed to run the T-Online 3.0 software,
    # its packets end up in this chain.
    # It has already been ensured that only outgoing connections get here.
    TONLINESERVER=194.25.134.0/24
    iptables -N tonline
    # On connection setup a single packet goes to this port:
    iptables -A tonline -j ACCEPT -s $LOCALNET -d $TONLINESERVER -p udp --dport 811
    iptables -A tonline -j ACCEPT -d $LOCALNET -s $TONLINESERVER -p udp --sport 811
    # This is the actual T-Online Classic connection
    iptables -A tonline -j ACCEPT -s $LOCALNET -d $TONLINESERVER -p tcp --dport 866
    iptables -A tonline -j ACCEPT -d $LOCALNET -s $TONLINESERVER -p tcp --sport 866
}

makechain_email(){
    # If a host is allowed to have its own e-mail client,
    # its packets end up in this chain.
    # It has already been ensured that only outgoing connections get here.
    iptables -N email
    iptables -A email -j ACCEPT -s $LOCALNET ! -d $LOCALNET -p tcp --dport pop3
    iptables -A email -j ACCEPT -d $LOCALNET ! -s $LOCALNET -p tcp --sport pop3
    iptables -A email -j ACCEPT -s $LOCALNET -d $PROVIDERSERVER -p tcp --dport smtp
    iptables -A email -j ACCEPT -d $LOCALNET -s $PROVIDERSERVER -p tcp --sport smtp
}

makechain_laestig(){
    # Packets that show up now and then and are annoying, but should not go
    # to the log file because they are well known and unavoidable, are
    # dropped here (only up to the limit; anything beyond it falls through
    # and ends up in the logged bin).
    iptables -N laestig
    iptables -A laestig -j DROP -p udp --sport netbios-dgm --dport netbios-dgm -m limit --limit 10/minute --limit-burst 10
    iptables -A laestig -j DROP -p udp --sport netbios-ns --dport netbios-ns -m limit --limit 10/minute --limit-burst 10
}

makechains(){
    makechain_tonline
    makechain_email
    makechain_laestig
}

deletechains(){
    iptables -X tonline >/dev/null 2>&1
    iptables -X email >/dev/null 2>&1
    iptables -X laestig >/dev/null 2>&1
}

flush(){
    iptables -P INPUT $1
    iptables -P OUTPUT $1
    iptables -P FORWARD $1
    iptables -F
    iptables -F INPUT
    iptables -F OUTPUT
    iptables -F FORWARD
    iptables -X in_private >/dev/null 2>&1
    iptables -X papierkorb >/dev/null 2>&1
    iptables -X netzeingang >/dev/null 2>&1
    iptables -X netzausgang >/dev/null 2>&1
    iptables -X fweingang >/dev/null 2>&1
    iptables -X fwausgang >/dev/null 2>&1
    deletechains
    # Switch off masquerading and routing
    iptables -t nat -F POSTROUTING
    echo 0 >/proc/sys/net/ipv4/ip_forward
}

stop() {
    flush ACCEPT
}

close() {
    flush DROP
}

start() {
    # First call a subroutine to block everything
    flush DROP

    # Chain papierkorb ("waste bin"):
    # all packets that are to be logged and thrown away end up here
    iptables -N papierkorb
    iptables -A papierkorb -j LOG --log-level notice -m limit --limit 60/minute --limit-burst 20
    iptables -A papierkorb -j DROP

    # Prevent packets with private addresses from coming in from outside
    iptables -N in_private
    iptables -F in_private
    iptables -A in_private -j papierkorb -s 127.0.0.0/8
    iptables -A in_private -j papierkorb -s 10.0.0.0/8
    iptables -A in_private -j papierkorb -s 172.16.0.0/12
    iptables -A in_private -j papierkorb -s 192.168.0.0/16
    iptables -A in_private -j papierkorb -s 224.0.0.0/4
    iptables -A in_private -j papierkorb -s 240.0.0.0/4
    # Check INPUT and FORWARD for such private addresses
    iptables -A INPUT -j in_private -i $DEV_INET
    iptables -A FORWARD -j in_private -i $DEV_INET

    # Things the name server itself may do on the Internet:
    iptables -A OUTPUT -j ACCEPT -o $DEV_INET -p tcp --sport 1024: --dport domain -m state --state ESTABLISHED,NEW
    iptables -A OUTPUT -j ACCEPT -o $DEV_INET -p udp --sport 1024: --dport domain -m state --state ESTABLISHED,NEW
    iptables -A INPUT -j ACCEPT -i $DEV_INET -p tcp --sport domain --dport 1024: -m state --state ESTABLISHED
    iptables -A INPUT -j ACCEPT -i $DEV_INET -p udp --sport domain --dport 1024: -m state --state ESTABLISHED

    # Create the special chains
    makechains

    # Input into the firewall itself:
    ############################################################################
    iptables -N fweingang
    iptables -A INPUT -j fweingang -i $DEV_BAYENNET
    iptables -A INPUT -j fweingang -i $DEV_LUGNET
    iptables -N fwausgang
    iptables -A OUTPUT -j fwausgang -o $DEV_BAYENNET
    iptables -A OUTPUT -j fwausgang -o $DEV_LUGNET

    # Basic requirements for routed packets:
    iptables -A fweingang -j papierkorb ! -s $LOCALNET
    iptables -A fweingang -j papierkorb -m state --state INVALID
    iptables -A fwausgang -j papierkorb ! -d $LOCALNET
    iptables -A fwausgang -j papierkorb -m state --state INVALID,NEW

    # Filter out Windows broadcasts:
    iptables -A fweingang -j laestig

    # Allow ICMP packets.
    # Type 3/code 4 "fragmentation needed" occurs often. I should pass it on
    # to internal clients.
    iptables -A fwausgang -j ACCEPT -p icmp --icmp-type fragmentation-needed

    # and now the actual protocols are allowed
    iptables -A fweingang -j ACCEPT -p tcp --dport ssh
    iptables -A fwausgang -j ACCEPT -p tcp --sport ssh
    # iptables -A fweingang -j ACCEPT -p tcp --dport telnet
    # iptables -A fwausgang -j ACCEPT -p tcp --sport telnet
    iptables -A fweingang -j ACCEPT -p tcp --dport domain
    iptables -A fwausgang -j ACCEPT -p tcp --sport domain
    iptables -A fweingang -j ACCEPT -p udp --dport domain
    iptables -A fwausgang -j ACCEPT -p udp --sport domain

    # Suggestion:
    # (Kai would like this)
    #tcp fweingang,telnet

    # Incoming and outgoing packets for the two local networks in shared chains
    ############################################################################
    iptables -N netzeingang
    iptables -A FORWARD -j netzeingang -i $DEV_INET -o $DEV_BAYENNET
    iptables -A FORWARD -j netzeingang -i $DEV_INET -o $DEV_LUGNET
    iptables -N netzausgang
    iptables -A FORWARD -j netzausgang -o $DEV_INET -i $DEV_BAYENNET
    iptables -A FORWARD -j netzausgang -o $DEV_INET -i $DEV_LUGNET

    # Basic requirements for routed packets:
    iptables -A netzeingang -j papierkorb ! -d $LOCALNET
    iptables -A netzeingang -j papierkorb -m state --state INVALID,NEW
    iptables -A netzausgang -j papierkorb ! -s $LOCALNET
    iptables -A netzausgang -j papierkorb -m state --state INVALID

    # and now the actual protocols are allowed
    # (the port name in the next two rules was replaced by the forum's link
    # filter and cannot be recovered from the page; PORT_REMOVED_BY_FORUM is a
    # placeholder that must be replaced with the intended service before use)
    iptables -A netzeingang -j ACCEPT -p tcp --sport PORT_REMOVED_BY_FORUM
    iptables -A netzausgang -j ACCEPT -p tcp --dport PORT_REMOVED_BY_FORUM
    iptables -A netzeingang -j ACCEPT -p tcp --sport https
    iptables -A netzausgang -j ACCEPT -p tcp --dport https
    iptables -A netzeingang -j ACCEPT -p tcp --sport nntp
    iptables -A netzausgang -j ACCEPT -p tcp --dport nntp

    # Now a special exception ("Extrawurst") for the machine in the flat:
    # it may do e-mail itself and use Classic T-Online
    iptables -A netzeingang -j tonline -d $EXTRAWURST
    iptables -A netzausgang -j tonline -s $EXTRAWURST
    iptables -A netzeingang -j email -d $EXTRAWURST
    iptables -A netzausgang -j email -s $EXTRAWURST
    iptables -A netzeingang -j email -d $LUGEXTRAWURST
    iptables -A netzausgang -j email -s $LUGEXTRAWURST

    # outgoing ssh, e.g. for Sourceforge
    iptables -A netzeingang -j ACCEPT -p tcp --sport ssh -d $TESTEXTRAWURST
    iptables -A netzausgang -j ACCEPT -p tcp --dport ssh -s $TESTEXTRAWURST
    iptables -A netzeingang -j ACCEPT -p tcp --sport ssh -d $LUGEXTRAWURST
    iptables -A netzausgang -j ACCEPT -p tcp --dport ssh -s $LUGEXTRAWURST

    # The rest goes into the bin
    ############################################################################
    iptables -A INPUT -j papierkorb
    iptables -A OUTPUT -j papierkorb
    iptables -A FORWARD -j papierkorb

    # Switch on masquerading for packets going to the Internet
    iptables -t nat -A POSTROUTING -o $DEV_INET -j MASQUERADE
    echo 1 >/proc/sys/net/ipv4/ip_forward
}

case $1 in
    start)
        echo -n "Starting IP filtering... "
        start
        echo "done"
        ;;
    restart)
        echo -n "Re-Starting IP filtering... "
        stop
        start
        echo "done"
        ;;
    stop)
        echo -n "Stopping IP filtering... "
        stop
        echo "done"
        ;;
    close)
        echo -n "Closing IP interfaces... "
        # The posted version called "stop" here, which sets all policies to
        # ACCEPT; "close" (policy DROP) is what this branch is meant to do.
        close
        echo "done"
        ;;
    *)
        echo "Usage: $0 start | restart | stop | close"
        exit 1
esac
exit 0

--------------

Code:
#!/bin/sh
###
modprobe ip_tables
#modprobe ip_nat_irc ports=6667,7000,7001,6665

## Set variables
PATH=$PATH:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
BASEDIR=/etc/rc.d
VARFILE=$BASEDIR/vars
EXTIF="eth1"
INTIF="eth0"
INTNET="192.168.1.0/24"
INTIP=$(/sbin/ifconfig $INTIF | grep "inet addr:" | awk '{print $2}' | cut -c 6-)
EXTIP=$(/sbin/ifconfig $EXTIF | grep "inet addr:" | awk '{print $2}' | cut -c 6-)

## Create file with variables in it for modules to source
## this is a clunky way to do it, but it keeps the number of files you have to
## edit down
echo "BASEDIR=$BASEDIR" > $VARFILE
echo "VARFILE=$VARFILE" >> $VARFILE
echo "EXTIF=$EXTIF" >> $VARFILE
echo "INTIF=$INTIF" >> $VARFILE
echo "INTNET=$INTNET" >> $VARFILE
echo "INTIP=$INTIP" >> $VARFILE
echo "EXTIP=$EXTIP" >> $VARFILE
chmod 700 $VARFILE

## flush entries
echo "0" > /proc/sys/net/ipv4/ip_forward
iptables -F
iptables -t nat -F

## basic policy -- a lot of stuff in here is redundant, just so you know
# Default policy - these should be accept since we block almost everything later anyway
# note to self, make it so these default to DROP so people don't get scared
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
# other note to self, setting pre and post routing to drop means you need
# to add a lot more iptables lines
iptables -P INPUT ACCEPT
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

## STATEFUL PART!
# note to self, figure out which of these rules actually do anything
# (negations are written as "! -d net"; the posted "-d ! net" form is deprecated)
# do the actual network address translation
iptables -t nat -A POSTROUTING -s $INTNET ! -d $INTNET -o $EXTIF -j SNAT --to $EXTIP
# allow the internal net to be forwarded
iptables -A FORWARD -s $INTNET ! -d $INTNET -j ACCEPT
# some weird stateful stuff
iptables -A FORWARD -m state --state NEW -i $INTIF -s $INTNET ! -d $INTNET -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -i $EXTIF ! -s $INTNET -j ACCEPT
# iptables -A INPUT -m state --state NEW -i $INTIF -s $INTNET ! -d $INTNET -j ACCEPT
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -i $EXTIF ! -s $INTNET -j ACCEPT

# Allow our internal network to do whatever to the local machine
iptables -A INPUT -s $INTNET -j ACCEPT
# allow the local machine to connect to places, including itself
iptables -A OUTPUT -s $EXTIP -j ACCEPT
iptables -A OUTPUT -s $INTIP -j ACCEPT
iptables -A OUTPUT -s 127.0.0.1 -j ACCEPT

# run the port forwarding modules
# (the posted script used "-perm +100", a syntax GNU find no longer accepts;
# "-perm /100" is the equivalent "any execute bit set" test)
find $BASEDIR/forward -type f -perm /100 -exec '{}' $VARFILE ';'
# and the block modules
find $BASEDIR/block -type f -perm /100 -exec '{}' $VARFILE ';'

# limit icmp traffic - move to block module?
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 10/s -j LOG --log-level warning --log-prefix "excessive icmp ping count."
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 10/s -j LOG --log-level warning --log-prefix "excessive icmp ping count."
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 10/s -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 10/s -j ACCEPT

# a bit of egress filtering
# Anything coming from our internal network should have only our addresses
iptables -A FORWARD -i $INTIF ! -s $INTNET -j DROP
iptables -A INPUT -i $INTIF ! -s $INTNET -j DROP
# we also shouldn't forward stuff that's not from our local net
# well no, packets need to get back to their hosts
# iptables -A FORWARD ! -s $INTNET -j DROP

# Kill malformed packets -- enhance this list yourself!
# hopefully this part will shrink or go away when the unclean module gets done
# note to self, make a checklist of things to test out the config
# Block XMAS packets
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP
# Block NULL packets
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP

# Kill spoofed packets
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > $f
done

# Anything coming from the Internet should have a real Internet address
# note to self, make this part smaller by moving all but the 10/172/192's into
# the reserved net file, also consider dropping these in the prerouting chain
# instead of forward and input
# get a lot of reserved nets from that file
cat $BASEDIR/reservednets | while read net
do
    iptables -t nat -A PREROUTING -s $net -j DROP
    iptables -t nat -A PREROUTING -d $net -j DROP
    # iptables -A FORWARD -s $net -j DROP
    # iptables -A FORWARD -d $net -j DROP
    # iptables -A INPUT -s $net -j DROP
done

# block these reserved sets separately since they may be inside the network
iptables -A FORWARD -s 192.168.0.0/16 -j DROP
iptables -A FORWARD -s 172.16.0.0/12 -j DROP
iptables -A FORWARD -s 10.0.0.0/8 -j DROP
iptables -A INPUT -s 192.168.0.0/16 -j DROP
iptables -A INPUT -s 172.16.0.0/12 -j DROP
iptables -A INPUT -s 10.0.0.0/8 -j DROP
iptables -A FORWARD -d 192.168.0.0/16 -j DROP
iptables -A FORWARD -d 172.16.0.0/12 -j DROP
iptables -A FORWARD -d 10.0.0.0/8 -j DROP
# Note: there are probably more reserved networks

# turn off tcp congestion notification because a lot of weenies block it
echo "0" > /proc/sys/net/ipv4/tcp_ecn
# turn ip forwarding on again
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/tcp_syncookies

-------------------

Code:
# Documentation
# -------------
# This firewall script uses the default policy DROP EVERYTHING; in order to get all the services working you need to adjust the
# "Standard Settings".
# - IPTABLES="/usr/sbin/iptables" => This defines the path where your "iptables" executable is. You can find it by using "whereis iptables"
# - INT_IF="eth0" => Change "eth0" to the name of your INTERNAL NIC (Network Interface Card) eg: "eth0" "eth1" "eth2"
# - BROADCAST="192.168.3.255/24" => Change the IP to the BROADCAST address of your network. eg: "192.168.0.255/24" "192.168.1.255/24"
# - EXT_IF="ppp0" => This is your EXTERNAL INTERFACE, if you use dial up it is "ppp0", if you use broadband it is one of your Ethernets.
# - FORWARD_PORTS_1="22,80" => These are the ports which will be FORWARDED from your INTERNAL INTERFACE to your EXTERNAL INTERFACE (maximum 15 ports)
# - FORWARD_PORTS_2="194,443" => Same as above, this is just here if you need more than 15 ports (To prevent error messages you should enter at least one port in here)
# - TCP_SERVICES_IN_INT_IF="6" => Server ports you want to export to your LOCAL NETWORK. (To prevent error messages enter at least one value, port 6 is Unassigned)
# - TCP_SERVICES_IN_EXT_IF="80" => Server ports you want to export to your EXTERNAL INTERFACE (Internet). (To prevent error messages enter at least one value, port 6 is Unassigned)
# - TCP_SERVICES_OUT_INT_IF="22,80" => If you want to access ports from the machine where you install the firewall INSIDE your network you need to specify the ports. (To prevent error messages enter at least one value, port 6 is Unassigned)
# - TCP_SERVICES_OUT_EXT_IF="22,80" => Ports you want to connect to OUTSIDE your local network from the machine where the firewall is installed. (To prevent error messages enter at least one value, port 6 is Unassigned)
# - NAMESERVER_1="XXX.XXX.XXX.XXX" => The IP of your EXTERNAL DNS1/NAMESERVER (you can get the IP from your ISP)
# - NAMESERVER_2="XXX.XXX.XXX.XXX" => The IP of your EXTERNAL DNS2/NAMESERVER (you can get the IP from your ISP)
# - LOOPBACK="127.0.0.0/8" => This is your loopback IP, don't change this unless you know what you are doing
# - CLASS_A="10.0.0.0/8" => This will block the 10.0.0.0/8 (Class A private) range coming in through your EXTERNAL interface, because it will be spoofed.
# - CLASS_B="172.16.0.0/12" => This will block the 172.16.0.0/12 (Class B private) range coming in through your EXTERNAL interface, because it will be spoofed.
#   (the posted script had 172.16.0.0/16 here, which covers only 172.16.x.x; the RFC 1918 range is a /12)
# - CLASS_C="192.168.0.0/16" => This will block the 192.168.0.0/16 (Class C private) range coming in through your EXTERNAL interface, because it will be spoofed.
# - XSERVER_PORTS="6000:6063" => Most X servers listen at these ports, this will block the specified ports
# - ICQ_PORT_TCP="5190" => This is the default port where ICQ connects to the ICQ network
# - ICQ_PORT_UDP="4000" => This is the default port where ICQ connects to the ICQ network
# - TROJAN_PORTS_TCP="12345,12346" => This will block INCOMING requests for Trojans on your Network tcp. You can add more ports (max 15 ports) or use port 6 to disable this feature.
# - TROJAN_PORTS_UDP="27444,31335" => This will block INCOMING requests for Trojans on your Network udp. You can add more ports (max 15 ports) or use port 6 to disable this feature.
#
##########
# Standard Settings
IPTABLES="/usr/sbin/iptables"
INT_IF="eth0"
BROADCAST="192.168.1.255/24"
EXT_IF="ppp0"
FORWARD_PORTS_1="20,21,22,23,25,79,80,81,110,119"
FORWARD_PORTS_2="194,443"
TCP_SERVICES_IN_INT_IF="22,80"
TCP_SERVICES_IN_EXT_IF="80"
TCP_SERVICES_OUT_INT_IF="22,80"
TCP_SERVICES_OUT_EXT_IF="21,22,80,119"
NAMESERVER_1="207.217.126.81"
NAMESERVER_2="207.217.77.82"
LOOPBACK="127.0.0.0/8"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
UP_PORTS="1024:65535"
XSERVER_PORTS="6000:6063"
ICQ_PORT_TCP="5190"
ICQ_PORT_UDP="4000"
TROJAN_PORTS_TCP="12345,12346,1524,27665,31337"
TROJAN_PORTS_UDP="12345,12346,27444,31335,31337"
#
echo "Starting Firewall ....."
# Load appropriate modules.
modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp
#
##########
# Flush Rules
$IPTABLES -F
$IPTABLES -X
$IPTABLES -Z
$IPTABLES -F INPUT
$IPTABLES -F FORWARD
$IPTABLES -F OUTPUT
$IPTABLES -t nat -F PREROUTING
$IPTABLES -t nat -F POSTROUTING
#
##########
# Changing Kernel Parameters, you need CONFIG_SYSCTL defined in your kernel
#
# SYN Cookie Protection
/bin/echo "1" > /proc/sys/net/ipv4/tcp_syncookies
# Disable response to ping
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
# Disable response to broadcasts
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Don't accept source routed packets, don't send redirects
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/send_redirects
# Disable ICMP redirect acceptance
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
# Enable bad error message protection
/bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Turn on reverse path filtering
for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do
    /bin/echo "1" > ${interface}
done
# Log spoofed packets, source routed packets, redirect packets
/bin/echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
# Enable IP forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward
#
##########
# Rules
#
# Standard Rules
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP
#
# Deny packets claiming to be to or from a /8,/12,/16 (Class A,B,C private) network ($EXT_IF)
$IPTABLES -A INPUT -i $EXT_IF -s $CLASS_A -j DROP
$IPTABLES -A INPUT -i $EXT_IF -d $CLASS_A -j DROP
$IPTABLES -A INPUT -i $EXT_IF -s $CLASS_B -j DROP
$IPTABLES -A INPUT -i $EXT_IF -d $CLASS_B -j DROP
$IPTABLES -A INPUT -i $EXT_IF -s $CLASS_C -j DROP
$IPTABLES -A INPUT -i $EXT_IF -d $CLASS_C -j DROP
$IPTABLES -A OUTPUT -o $EXT_IF -s $CLASS_A -j DROP
$IPTABLES -A OUTPUT -o $EXT_IF -d $CLASS_A -j DROP
$IPTABLES -A OUTPUT -o $EXT_IF -s $CLASS_B -j DROP
$IPTABLES -A OUTPUT -o $EXT_IF -d $CLASS_B -j DROP
$IPTABLES -A OUTPUT -o $EXT_IF -s $CLASS_C -j DROP
$IPTABLES -A OUTPUT -o $EXT_IF -d $CLASS_C -j DROP
#
# Firewall syn/flood and port scanner protection $INT_IF
$IPTABLES -N syn-flood_INT_IF
$IPTABLES -F syn-flood_INT_IF
$IPTABLES -A INPUT -i $INT_IF -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j syn-flood_INT_IF
#$IPTABLES -A INPUT -i $INT_IF -p tcp --syn -j syn-flood_INT_IF
$IPTABLES -A syn-flood_INT_IF -m limit --limit 1/s --limit-burst 4 -j RETURN
$IPTABLES -A syn-flood_INT_IF -j DROP
#
# Firewall syn/flood and port scanner protection $EXT_IF
$IPTABLES -N syn-flood_EXT_IF
$IPTABLES -F syn-flood_EXT_IF
$IPTABLES -A INPUT -i $EXT_IF -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j syn-flood_EXT_IF
#$IPTABLES -A INPUT -i $EXT_IF -p tcp --syn -j syn-flood_EXT_IF
$IPTABLES -A syn-flood_EXT_IF -m limit --limit 1/s --limit-burst 4 -j RETURN
$IPTABLES -A syn-flood_EXT_IF -j DROP
#
# Make sure NEW tcp connections are SYN packets
$IPTABLES -A INPUT -i $INT_IF -p tcp ! --syn -m state --state NEW -j DROP
$IPTABLES -A INPUT -i $EXT_IF -p tcp ! --syn -m state --state NEW -j DROP
#
# Block incoming fragments $INT_IF
$IPTABLES -A INPUT -i $INT_IF -f -j LOG --log-prefix "IPTABLES FRAGMENTS $INT_IF: "
$IPTABLES -A INPUT -i $INT_IF -f -j DROP
#
# Block incoming fragments $EXT_IF
$IPTABLES -A INPUT -i $EXT_IF -f -j LOG --log-prefix "IPTABLES FRAGMENTS $EXT_IF: "
$IPTABLES -A INPUT -i $EXT_IF -f -j DROP
#
# Drop broadcast packets
# (note that a /24 mask on the broadcast address matches the whole subnet, not only the broadcast address)
$IPTABLES -A INPUT -i $EXT_IF -d $BROADCAST -j DROP
#
# Trojan protection
$IPTABLES -A INPUT -i $INT_IF -p tcp -m multiport --dport $TROJAN_PORTS_TCP -j LOG --log-prefix "IPTABLES Trojan INT_IF: "
$IPTABLES -A INPUT -i $INT_IF -p udp -m multiport --dport $TROJAN_PORTS_UDP -j LOG --log-prefix "IPTABLES Trojan INT_IF: "
$IPTABLES -A INPUT -i $INT_IF -p tcp -m multiport --dport $TROJAN_PORTS_TCP -j DROP
$IPTABLES -A INPUT -i $INT_IF -p udp -m multiport --dport $TROJAN_PORTS_UDP -j DROP
$IPTABLES -A INPUT -i $EXT_IF -p tcp -m multiport --dport $TROJAN_PORTS_TCP -j LOG --log-prefix "IPTABLES Trojan EXT_IF: "
$IPTABLES -A INPUT -i $EXT_IF -p udp -m multiport --dport $TROJAN_PORTS_UDP -j LOG --log-prefix "IPTABLES Trojan EXT_IF: "
$IPTABLES -A INPUT -i $EXT_IF -p tcp -m multiport --dport $TROJAN_PORTS_TCP -j DROP
$IPTABLES -A INPUT -i $EXT_IF -p udp -m multiport --dport $TROJAN_PORTS_UDP -j DROP
#
# ICQ INPUT/OUTPUT rules (I get the error message that the hostname is not found, if somebody knows why PLZ let me know)
#$IPTABLES -A OUTPUT -o $EXT_IF -p udp -d icq.mirabilis.com --dport $ICQ_PORT_UDP -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A OUTPUT -o $EXT_IF -p tcp -d login.icq.com --dport $ICQ_PORT_TCP -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#
# icmp INPUT/OUTPUT rules $INT_IF. For a list of icmp types check the end of this file.
$IPTABLES -A INPUT -i $INT_IF -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -o $INT_IF -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A INPUT -i $INT_IF -p icmp --icmp-type 0 -j DROP
#
# icmp INPUT/OUTPUT rules $EXT_IF. For a list of icmp types check the end of this file.
$IPTABLES -A INPUT -i $EXT_IF -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -o $EXT_IF -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A INPUT -i $EXT_IF -p icmp --icmp-type 0 -j DROP
#
# Nameserver INPUT/OUTPUT
$IPTABLES -A INPUT -i $EXT_IF -p udp -s $NAMESERVER_1 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -i $EXT_IF -p udp -s $NAMESERVER_2 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o $EXT_IF -p udp -d $NAMESERVER_1 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o $EXT_IF -p udp -d $NAMESERVER_2 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
#
# INPUT
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i lo -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $INT_IF -p tcp -m multiport --dport $TCP_SERVICES_IN_INT_IF -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -i $EXT_IF -p tcp -m multiport --dport $TCP_SERVICES_IN_EXT_IF -m state --state NEW,ESTABLISHED -j ACCEPT
#$IPTABLES -A INPUT -i $EXT_IF -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -i $EXT_IF -p tcp --sport 20 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $EXT_IF -p tcp --sport $UP_PORTS --dport $UP_PORTS -m state --state ESTABLISHED -j ACCEPT
#
# FORWARD
$IPTABLES -A FORWARD -i $INT_IF -o $EXT_IF -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $INT_IF -o $EXT_IF -p udp -d $NAMESERVER_1 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $INT_IF -o $EXT_IF -p udp -d $NAMESERVER_2 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $INT_IF -o $EXT_IF -p tcp -m multiport --dport $FORWARD_PORTS_1 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $INT_IF -o $EXT_IF -p udp -m multiport --dport $FORWARD_PORTS_1 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $INT_IF -o $EXT_IF -p tcp -m multiport --dport $FORWARD_PORTS_2 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $INT_IF -o $EXT_IF -p udp -m multiport --dport $FORWARD_PORTS_2 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $INT_IF -o $EXT_IF -p udp -d icq.mirabilis.com --dport $ICQ_PORT_UDP -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INT_IF -o $EXT_IF -p tcp -d login.icq.com --dport $ICQ_PORT_TCP -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INT_IF -o $EXT_IF -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $INT_IF -o $EXT_IF -p tcp --sport $UP_PORTS --dport $UP_PORTS -m state --state ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A FORWARD -i $EXT_IF -o $INT_IF -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
#$IPTABLES -A FORWARD -i $EXT_IF -o $INT_IF -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $EXT_IF -o $INT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# OUTPUT
$IPTABLES -A OUTPUT -o $EXT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -o lo -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -o $INT_IF -p tcp -m multiport --sport $TCP_SERVICES_IN_INT_IF -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o $EXT_IF -p tcp -m multiport --sport $TCP_SERVICES_IN_EXT_IF -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o $INT_IF -p tcp -m multiport --dport $TCP_SERVICES_OUT_INT_IF -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o $EXT_IF -p tcp -m multiport --dport $TCP_SERVICES_OUT_EXT_IF -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o $EXT_IF -p tcp --dport 20 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -o $EXT_IF -p tcp --sport $UP_PORTS --dport $UP_PORTS -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# POSTROUTING
$IPTABLES -t nat -A POSTROUTING -o $EXT_IF -j MASQUERADE
##########
# icmp types
#
# 0 Echo Reply [RFC792]
# 1 Unassigned [JBP]
# 2 Unassigned [JBP]
# 3 Destination Unreachable [RFC792]
# 4 Source Quench [RFC792]
# 5 Redirect [RFC792]
# 6 Alternate Host Address [JBP]
# 7 Unassigned [JBP]
# 8 Echo [RFC792]
# 9 Router Advertisement [RFC1256]
# 10 Router Solicitation [RFC1256]
# 11 Time Exceeded [RFC792]
# 12 Parameter Problem [RFC792]
# 13 Timestamp [RFC792]
# 14 Timestamp Reply [RFC792]
# 15 Information Request [RFC792]
# 16 Information Reply [RFC792]
# 17 Address Mask Request [RFC950]
# 18 Address Mask Reply [RFC950]
# 19 Reserved (for Security) [Solo]
# 20-29 Reserved (for Robustness Experiment) [ZSu]
# 30 Traceroute [RFC1393]
# 31 Datagram Conversion Error [RFC1475]
# 32 Mobile Host Redirect [David Johnson]
# 33 IPv6 Where-Are-You [Bill Simpson]
# 34 IPv6 I-Am-Here [Bill Simpson]
# 35 Mobile Registration Request [Bill Simpson]
# 36 Mobile Registration Reply [Bill Simpson]
# 37 Domain Name Request [Simpson]
# 38 Domain Name Reply [Simpson]
# 39 SKIP [Markson]
# 40 Photuris [Simpson]
# 41-255 Reserved [JBP]
##########
echo "Firewall STARTED"
### END ###
#iptables -t nat -A PREROUTING --dport <the listening port of internal host> -i <outer iface(eth0 for you)> -j DNAT --to
#iptables -t nat -A PREROUTING -p tcp -i (inet iface) --dport 80 -j DNAT --to-destination xxx.xxx.xxx.xxx:80
#iptables -t filter -A FORWARD -p tcp -d xxx.xxx.xxx.xxx --dport 80 -j ACCEPT
#iptables -A OUTPUT -o $IFACE -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#iptables -A INPUT -i $IFACE -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT

---------------

Kod:   Kodu kopyalamak için üzerine çift tıklayın!
# Red Hat Linux firewall using iptables # # Created: October 2007 # Revised: August 2009 # # Authors: Dennis G. Allard (
Bu forumdaki linkleri ve resimleri görebilmek için en az 25 mesajınız olması gerekir.
) and Don Cohen (
Bu forumdaki linkleri ve resimleri görebilmek için en az 25 mesajınız olması gerekir.
)
#
# This script works on servers running Red Hat 7.3, 8.0, 9.0, and
# RHEL ES 3 and 4. Variants of this script are in active use on
# many servers.
#
# No warranty is implied. Use at your own risk!!

# Using this script
# -----------------
#
# I save this file as /etc/sysconfig/iptables-precursor
# and then source it and run iptables-save to create
# /etc/sysconfig/iptables, which is an input file
# consumed by the script /etc/rc.d/init.d/iptables,
# which in turn makes use of the script /sbin/iptables-restore.
#
# Before mucking with setting up iptables, you should
# disconnect the machine from the internet. Examine
# and understand the current set of iptables rules
# before you reconnect to the internet.
#
# To configure the set of iptables rules:
#
#   /etc/rc.d/init.d/iptables stop
#   source /etc/sysconfig/iptables-precursor
#
# To save the current set of iptables rules for use at next reboot:
#
#   iptables-save > /etc/sysconfig/iptables
#
# To dynamically restart iptables after modifying /etc/sysconfig/iptables:
#
#   /etc/rc.d/init.d/iptables restart
#
# Note that /etc/rc.d/init.d/iptables is a script. You can read it to
# gain understanding of how iptables uses iptables-restore to restore
# iptables firewall rules at reboot.
#
# To examine the current set of rules in effect:
#
#   /etc/rc.d/init.d/iptables status
#
# However, I prefer to show the current set of rules via:
#
#   iptables -nvL -t filter
#   iptables -nvL -t nat
#
# or
#
#   iptables -vL -t filter
#   iptables -vL -t nat
#
# To configure iptables to be used at next system reboot:
#
#   chkconfig --add iptables
#
# To see if iptables is currently configured to start at boot, do:
#
#   chkconfig --list iptables
#
# (You might have to do chkconfig --del ipchains to remove ipchains)
#
# The rest of this file is derived from my old ipchains script.

# A word about routing
# --------------------
#
# Note that this web page does not discuss routing decisions. Routing
# (see the 'ifconfig' and 'route' commands) decides which interface an
# incoming packet will be delivered to, i.e. if a given packet will be
# 'input' to this machine or be 'forwarded' to some interface for
# delivery to another machine, say on an internal network. You should
# have your routing configured before you attempt to configure your
# firewall.

# The network
# -----------
#
# This firewall is running on a gateway machine having multiple ethernet
# interfaces, a public one, eth0, which is a DSL connection to an ISP,
# and one or more internal ones, including eth1, which is assigned to
# 192.168.0.1, an IP number on my internal private network. My public
# network has static IP numbers depicted below as x.y.z.... Actual
# IP numbers would, of course, be a sequence of four octets. For this
# script, I assume that the firewall is running on the same machine
# having the interfaces configured with my public IPs. For this reason,
# most of the rules below are INPUT rules. Were I to route some of my public
# static IP numbers to interfaces on one or more machines inside the
# firewall on the internal network, I would modify certain rules to be
# FORWARD rules instead of INPUT rules. I show some examples below of
# FORWARD rules. Finally, the script is just for a single server IP,
# hence all of the "/32" network masks below. A more realistic situation
# would involve using IP ranges and their corresponding network masks.
#
# The gateway at my ISP is x.y.z.1. I run a few web servers on
# x.y.z.w, a DNS server on x.y.z.n, and qmail on x.y.z.m.
#
# Using this file in a more complex network would require some
# modifications. Particular attention would need to be given to using
# the right IP numbers and interfaces, among other things. :-)

# Preliminaries
# -------------
#
# To permit machines internal to the network to be able to
# send IP packets to the outside world, enable IP Forwarding:
#
#   echo 1 > /proc/sys/net/ipv4/ip_forward
#
# Prevent SYN floods from consuming memory resources:
#
#   echo 1 > /proc/sys/net/ipv4/tcp_syncookies
#
# I place the above echo commands into /etc/rc.d/rc.local
# so that they will be executed at boot time.

# The basic idea of this firewall
# -------------------------------
#
# Provide rules that are applied in the following order:
#
# ACCEPT all UDP packets for certain UDP services
#
# Currently the only UDP connections I accept are to my secure DNS
# server, tinydns. For an explanation of why tinydns is secure, see:
#
# DENY all other UDP packets.
#
# ACCEPT SYN packets just for certain TCP services
#
# SYN packets are specified via the --syn flag in the input
# rules defined below. Note that certain services can be
# further filtered by xinetd.
#
# DENY all other TCP SYN packets.
#
# ACCEPT all other TCP packets that are part of existing connections
#
# DENY all other TCP packets.
#
# In other words, we allow any TCP packet through that is part of an
# established TCP connection, but we are very selective in just which
# connections we permit to be made to start off with.
#
# A brief explanation of SYN packets goes as follows. TCP connections
# are initiated via a handshaking protocol between the client and server
# programs at either end of the connection. The very first TCP packet
# is sent by the client to the server and is called a SYN packet,
# because it has the SYN flag set to 1 in the TCP packet header. We
# only allow SYN packets for the specific servers running on specific
# ports of specific hosts. Subsequently, we only permit further TCP
# packets in that are determined to be part of a connection whose
# initial SYN packet was already accepted and responded to by one of our
# servers. This is done via 'Stateful Packet Inspection' provided by the
# netfilter functionality added to Linux as of kernel 2.4. By stopping all
# other packets in their tracks, we limit attempts to attack our internal
# network.
#
# There are subtle ways that Denial of Service attacks can be performed
# if an attacker is able to somehow gain access to a machine inside our
# network or otherwise hijack a connection. However, even in such
# cases, current research is leading to ways to greatly limit the effect
# of such attacks. For further reading, see:
#
# For detailed background reading about iptables, please refer to:
#
# begin oceanpark.com firewall rules (using iptables)
# ---------------------------------------------------
# Here we go...
#
# Configure default policies (-P), meaning the default rule to apply if no
# more specific rule below is applicable. Defaults are to DROP anything sent
# to the firewall or the internal network, and to permit anything going out.
#
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
#
# Flush (-F) all specific rules
#
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
iptables -F -t nat
# The rest of this file contains specific rules that are applied in the order
# listed. If none applies, then the above policy rules are used.
#
# Forward all packets from eth1 (internal network) to eth0 (the internet).
#
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
#
# Forward packets that are part of existing and related connections from eth0 to eth1.
#
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Permit packets in to the firewall itself that are part of existing and related connections.
#
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Note, in the above two rules, a connection becomes ESTABLISHED in the
# iptables PREROUTING chain upon receipt of a SYNACK packet that is a
# response to a previously sent SYN packet. The SYNACK packet itself is
# considered to be part of the established connection, so no special
# rule is needed to allow the SYNACK packet itself.
#
# Allow all inputs to the firewall from the internal network and local interfaces
#
iptables -A INPUT -i eth1 -s 0/0 -d 0/0 -j ACCEPT
iptables -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT
#
# Enable SNAT functionality on eth0
#
# SNAT is used to map private IP numbers of interfaces on the internal LAN to one of
# my public static IP numbers. SNAT performs this mapping (to x.y.z.c) when a client
# running on one of the internal hosts initiates a TCP connection (SYN) through eth0.
#
iptables -A POSTROUTING -t nat -s 192.168.0.0/24 -o eth0 -j SNAT --to-source x.y.z.c
#
# Alternative to SNAT -- MASQUERADE
#
# If your firewall has a dynamic IP number because it connects to the
# internet itself via DHCP, then you probably cannot predict what the IP
# number is of your firewall's interface connected to the internet. In
# this case, you need a rule like the following that assigns the (an) IP
# number associated with eth0 to outgoing connections without you needing
# to know in advance (at the time of writing this rule) what that IP number is:
#
#   iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE
#
# Note that the above SNAT and MASQUERADE rules are applicable
# independent of how a host on the internal network is assigned its own
# internal IP number. The host could be assigned a static IP number on
# an internal nonpublic network (e.g. 10. or 192.168.) or it could be
# itself assigned a dynamic IP number from your own DHCP server running
# on the firewall, or it could even have a public static IP number.
# However, it seems unlikely that one would want to assign a public IP
# number to a host and then proceed to hide that number from the public.
#
# Deny any packet coming in on the public internet interface eth0
# which has a spoofed source address from our local networks:
#
iptables -A INPUT -i eth0 -s x.y.z.s/32 -j DROP
iptables -A INPUT -i eth0 -s x.y.z.c/32 -j DROP
iptables -A INPUT -i eth0 -s 192.168.0.0/24 -j DROP
iptables -A INPUT -i eth0 -s 127.0.0.0/8 -j DROP
#
# Accept all tcp SYN packets for protocols SMTP, HTTP, HTTPS, and SSH:
# (SMTP connections are further audited by our SMTP server)
#
iptables -A INPUT -p tcp -s 0/0 -d x.y.z.s/32 --destination-port 25 --syn -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 80 --syn -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 443 --syn -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 22 --syn -j ACCEPT
#
# Notice that the above rules are all INPUT rules. My current network
# does not require me to make use of FORWARD rules, since I run all
# publicly accessible servers directly on my firewall machine. But I
# promised above in the description of my network to give examples of
# rules used when there are servers running on machines on the internal
# network. Following are examples of FORWARD rules I would use if I ran
# mail, web, and ssh servers on machines on the internal network inside
# the firewall.
#
#   iptables -A FORWARD -p tcp -s 0/0 -d x.y.z.m/32 --destination-port 25 --syn -j ACCEPT
#   iptables -A FORWARD -p tcp -s 0/0 -d x.y.z.w/32 --destination-port 80 --syn -j ACCEPT
#   iptables -A FORWARD -p tcp -s 0/0 -d x.y.z.w/32 --destination-port 443 --syn -j ACCEPT
#   iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --destination-port 22 --syn -j ACCEPT
#
# The first of the above four rules would be used if my routing
# delivered packets having destination x.y.z.m to an interface
# connected to my internal network. The second through fourth of the
# above four rules would be used if my routing delivered packets having
# one of my public static IPs as destination to some internal interface
# (where there should be a server listening to HTTP, HTTPS, or SSH ports.)
# The difference between an INPUT rule and a FORWARD rule is that an INPUT
# rule applies to packets that are 'input' to this machine (the machine
# on which these iptables rules are installed), whereas a FORWARD rule
# applies to packets that are being 'forwarded', i.e. to packets that are
# passing through this machine to some other machine, such as a machine
# on my internal network.
#
# If I ran my mail server on an internal machine, I would no longer
# need my previous INPUT rule for x.y.z.m and would use the above
# FORWARD rule instead.
#
# Sometimes I run older versions of SSH on port 2200:
#
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 2200 --syn -j ACCEPT
#
# For imapd via stunnel (instead of xinetd-based imapd):
#
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 993 --syn -j ACCEPT
#
# For xinetd-based IMAP server (see /etc/xinetd.conf for who can use it):
#
#iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 143 --syn -j ACCEPT
#
# For DHCP server:
#
iptables -A INPUT -i eth1 -p tcp --sport 68 --dport 67 -j ACCEPT
iptables -A INPUT -i eth1 -p udp --sport 68 --dport 67 -j ACCEPT
#
# For LDAP clients:
#
#iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 389 --syn -j ACCEPT
#dga- worry about LDAP later (after I decode LDAP documentation (-;)
#
# DNS queries:
#
# Permit responses from our ISP's DNS server. When a client running on our
# host makes a DNS query, the outgoing query is allowed since we permit all
# outgoing packets. The reply will be a UDP connection back to the high
# numbered client port from which the query was made. So we only need to
# permit UDP packets from our ISP's DNS servers back to high numbered ports:
#
#iptables -A INPUT -p udp -s <ISP DNS server IP>/32 --source-port 53 -d 0/0 --destination-port 1024:65535 -j ACCEPT
#
# But since we trust our ISP DNS Server not to have been hacked and we may
# not be sure what our client IP range is, we loosen this to:
#
iptables -A INPUT -p udp -s <ISP DNS server IP>/32 --source-port 53 -d 0/0 -j ACCEPT
#
# Running a caching DNS Server
#
# We need to permit querying a remote DNS server. Since I am running
# a caching DNS server on x.y.z.d that makes requests for DNS lookups
# to external DNS servers, those servers send back responses via UDP to
# the high numbered client port on x.y.z.d where the caching server listens.
# I could of course increase security by running the dns cache on its own
# machine/IP and restricting to just that machine/IP.
#
iptables -A INPUT -p udp -s 0/0 --source-port 53 -d x.y.z.d/32 --destination-port 1024:65535 -j ACCEPT
#
# Running a DNS server (tinydns)
#
# When we run a DNS server, we have to accept UDP from anywhere to port 53
#
iptables -A INPUT -p udp -s 0/0 -d 0/0 --destination-port 53 -j ACCEPT
#
# Running a Master DNS Server to update slave DNS servers
#
# You may have your server colocated at an ISP and may arrange to have your
# ISP provide your primary and secondary DNS with the ISP DNS servers slaving
# off of your master DNS server. This has the advantage of letting you be
# in full control of the DNS zone files yet keeping the DNS servers exposed
# to the public outside of your network. To achieve this, in addition to
# permitting vanilla DNS responses from the ISP DNS servers, you also need
# to allow TCP connections from the ISP Master DNS Server:
#
# Allow DNS zone transfers via TCP from ISP Master DNS server:
#
#   iptables -A INPUT -p tcp -s <ISP Master DNS server IP>/32 -d 0/0 --destination-port 53 --syn -j ACCEPT
#
# For some other custom server running here listening on port <port number>:
#
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port <port number> --syn -j ACCEPT
#
# For FTP server, restricted to specific local hosts (and see /etc/xinetd.conf):
# (for public file transfers we use scp, sftp, and related SSH file transfer tools)
#
iptables -A INPUT -p tcp -s x.y.z.s/32 -d 0/0 --destination-port 20 --syn -j ACCEPT
iptables -A INPUT -p tcp -s x.y.z.s/32 -d 0/0 --destination-port 21 --syn -j ACCEPT
iptables -A INPUT -p tcp -s 127.0.0.0/8 -d 0/0 --destination-port 20 --syn -j ACCEPT
iptables -A INPUT -p tcp -s 127.0.0.0/8 -d 0/0 --destination-port 21 --syn -j ACCEPT
#
# For Samba (smbd and nmbd), restricted to specific local client hosts (x.y.z.c):
#
iptables -A INPUT -p tcp -s x.y.z.c/32 -d x.y.z.s/32 --destination-port 139 --syn -j ACCEPT
iptables -A INPUT -p udp -s x.y.z.c/32 -d x.y.z.s/32 --destination-port 137 -j ACCEPT
#
# Special cable modem rules. I used to have a third ethernet card,
# eth2, attached to a separate ISP via a cable modem and used the rules
# shown below to cause a specific Windows machine on my internal network
# (192.168.0.128) to send traffic out via DSL and get it back via cable.
# This violates ingress filtering rules but seems to work. It was neat
# since my cable modem had higher inbound bandwidth and it permitted
# me to do downloads without impacting my DSL inbound bandwidth.
# I no longer have that third interface, so no longer use this technique.
#
#iptables -A INPUT -i eth2 -s 68.65.209.39/32 -j DROP
#iptables -A INPUT -i eth2 -s 127.0.0.0/8 -j DROP
#iptables -t nat -A POSTROUTING -s 192.168.0.128/32 -d 0/0 -j SNAT --to-source 68.65.209.39
#
# Finally, DENY all connection requests to any UDP port not yet provided
# for and all SYN connection requests to any TCP port not yet provided
# for. (DENY is the ipchains name; the iptables target used below is DROP.)
# Using DENY instead of REJECT means that no 'ICMP port
# unreachable' response is sent back to the client attempting to
# connect. I.e., DENY just ignores connection attempts. Hence, use of
# DENY causes UDP connection requests to time out and TCP connection
# requests to hang. Hence, using DENY instead of REJECT may have
# the effect of frustrating attackers due to increasing the amount of
# time taken to probe ports.
#
# Note that there is a fundamental difference between UDP and TCP
# protocols. With UDP, there is no 'successful connection' response.
# With TCP, there is. So an attacking client will be left in the dark
# about whether or not the denied UDP packets arrived and will hang
# waiting for a response from denied TCP ports. An attacker will not
# be able to immediately tell if UDP connection requests are simply
# taking a long time, if there is a problem with connectivity between
# the attacking client and the server, or if the packets are being
# ignored. This increases the amount of time it takes for an attacker
# to scan all UDP ports. Similarly, TCP connection requests to denied
# ports will hang for a long time. By using REJECT instead of DENY, you
# would prevent access to a port in a more 'polite' manner, but give out
# more information to wannabe attackers, since the attacker can positively
# detect that a port is not accessible in a small amount of time from
# the 'ICMP port unreachable' response.
#
# (The two commented-out lines are the old ipchains equivalents of the
# two iptables rules that follow them.)
#-A input -s 0/0 -d 0/0 -p udp -j DENY
#-A input -s 0/0 -d 0/0 -p tcp -y -j DENY
iptables -A INPUT -s 0/0 -d 0/0 -p udp -j DROP
iptables -A INPUT -s 0/0 -d 0/0 -p tcp --syn -j DROP
# end oceanpark.com firewall rules (using iptables)
# -------------------------------------------------
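As an added example (not part of the post above nor of oceanpark.com's script): a small first-match evaluator in Python that walks a constructed subset of the INPUT chain in the script's order and returns the verdict, with the chain policy applying when no rule matches. It models only the options the script uses (-i, -s, -d, -p, ports, --syn, -m state), and 203.0.113.5 / 198.51.100.x are assumed documentation addresses standing in for the x.y.z placeholders.

```python
import ipaddress

# Constructed subset of the page's INPUT chain (in the script's order); 203.0.113.5
# stands in for x.y.z.s and x.y.z.d here (an assumption, not a real host).
HOST = "203.0.113.5"
INPUT_POLICY = "DROP"  # iptables -P INPUT DROP
INPUT_RULES = f"""
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth1 -s 0/0 -d 0/0 -j ACCEPT
iptables -A INPUT -i eth0 -s 192.168.0.0/24 -j DROP
iptables -A INPUT -p tcp -s 0/0 -d {HOST}/32 --destination-port 25 --syn -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 22 --syn -j ACCEPT
iptables -A INPUT -p udp -s 0/0 --source-port 53 -d {HOST}/32 --destination-port 1024:65535 -j ACCEPT
iptables -A INPUT -s 0/0 -d 0/0 -p udp -j DROP
iptables -A INPUT -s 0/0 -d 0/0 -p tcp --syn -j DROP
"""

def net(spec):                      # '0/0' means any address
    return ipaddress.ip_network("0.0.0.0/0" if spec == "0/0" else spec, strict=False)

def port_ok(spec, port):            # single port '53' or iptables range '1024:65535'
    lo, _, hi = spec.partition(":")
    return int(lo) <= port <= int(hi or lo)

def parse_rule(line):
    """Turn one 'iptables -A INPUT ...' command into a dict of its match options."""
    toks, rule, i = line.split()[1:], {}, 0
    while i < len(toks):
        if toks[i] == "--syn":
            rule["syn"], i = True, i + 1
        elif toks[i] == "-m":           # '-m state' only names the module; skip it
            i += 2
        else:
            rule[toks[i]], i = toks[i + 1], i + 2
    return rule

def matches(rule, pkt):
    """True when every match option present in the rule holds for the packet."""
    for opt, field in (("-i", "iface"), ("-p", "proto")):
        if opt in rule and rule[opt] != pkt[field]:
            return False
    for opt, field in (("-s", "src"), ("-d", "dst")):
        if opt in rule and ipaddress.ip_address(pkt[field]) not in net(rule[opt]):
            return False
    for opt, field in (("--destination-port", "dport"), ("--source-port", "sport")):
        if opt in rule and not port_ok(rule[opt], pkt[field]):
            return False
    if rule.get("syn") and not pkt["syn"]:
        return False
    return "--state" not in rule or pkt["state"] in rule["--state"].split(",")

def packet(iface, proto, src, dst, dport=0, sport=40000, syn=False, state="NEW"):
    # 'state' is what conntrack has already assigned: NEW, ESTABLISHED or RELATED
    return dict(iface=iface, proto=proto, src=src, dst=dst, dport=dport, sport=sport, syn=syn, state=state)

def verdict(pkt, rules=INPUT_RULES, policy=INPUT_POLICY):
    # First matching rule wins; the chain policy applies when none matches.
    for line in rules.strip().splitlines():
        rule = parse_rule(line)
        if matches(rule, pkt):
            return rule["-j"]
    return policy
```

A non-SYN TCP packet that conntrack did not mark ESTABLISHED matches neither the --syn ACCEPT rules nor the final `-p tcp --syn -j DROP`, so it is dropped by the INPUT policy rather than by any explicit rule.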

----------------


I hope it will be useful; happy sharing.

 