


Re: HELP IPtables ??

From: demeus <demeus@go2.pl>
Date: Thu Apr 17 2003 - 22:31:27 CEST
[slacklist] Re: HELP IPtables ??

>BARDZO !!! Potrzebuje gotowego skryptu firewall-a pod iptables... ponieważ nie za bardzo wiem jak go napisać pod ..z :-)

Lub mozesz uzyc takiego oto firewalla...
u mnie eth0 jest od strony netu a eth1 od strony LAN

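#!/bin/sh
# Stateful iptables firewall for a two-interface gateway:
# eth0 faces the Internet, eth1 faces the LAN.
#
# Required environment (checked before anything is touched, because the
# chain policies are switched to DROP before the rules are installed):
#   EXT_IP    - address of eth0 (the external address)
#   INT_IP    - address of eth1 (the gateway's LAN-side address)
#   LAN_NET   - the LAN network in CIDR form, e.g. 192.168.2.0/24
#   LAN_BCAST - the LAN broadcast address
#
# Example (constructed sample values):
#   EXT_IP=203.0.113.10 INT_IP=192.168.2.1 LAN_NET=192.168.2.0/24 \
#     LAN_BCAST=192.168.2.255 ./firewall.sh
#
# The script aborts on the first failing command (set -e).  Because the
# default policies are DROP, an abort part-way through leaves the box
# closed rather than half-open; apply changes from the console, not over
# a connection this script filters.
set -eu

# Kernel-side hardening via /proc/sys/net/ipv4.
harden_kernel() {
  # Ignore ICMP echo sent to broadcast addresses (smurf amplification).
  echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
  # Drop source-routed packets.
  echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
  # Ignore ICMP redirects.
  echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
  # Ignore bogus ICMP error responses.
  echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
  # Reverse-path filter: drop packets whose source address is not routed
  # via the interface they arrived on.
  echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
  # Log martians (spoofed, source-routed, redirected packets).
  echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
}

# Flush every table this script writes to and delete user-defined chains,
# so a re-run starts from a clean slate: without -X the `iptables -N
# syn-flood` below fails on the second run, and without flushing mangle
# the TTL rule is appended once per run.  Then set DROP policies and allow
# loopback.
reset_tables() {
  iptables -F
  iptables -X
  iptables -t nat -F
  iptables -t nat -X
  iptables -t mangle -F
  iptables -t mangle -X

  iptables -P INPUT DROP
  iptables -P OUTPUT DROP
  iptables -P FORWARD DROP

  # Loopback is always allowed.
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A OUTPUT -o lo -j ACCEPT
  iptables -A FORWARD -o lo -j ACCEPT
}

# Flood guards shared by INPUT and FORWARD.
add_flood_guards() {
  # SYN flood: every incoming and forwarded SYN passes through syn-flood,
  # which RETURNs up to 10/s (burst 30) and logs (10/hour) and drops the
  # rest.
  iptables -N syn-flood
  iptables -A INPUT -p tcp --syn -j syn-flood
  iptables -A FORWARD -p tcp --syn -j syn-flood
  iptables -A syn-flood -m limit --limit 10/s --limit-burst 30 -j RETURN
  iptables -A syn-flood -j LOG -m limit --limit 10/hour \
    --log-level debug --log-prefix "SYN-FLOOD: "
  iptables -A syn-flood -j DROP

  # Port-scan guard: forward bare RST segments at no more than 1/s.
  # NOTE(review): there is no DROP after this rule, so RSTs above the
  # limit simply fall through to the rest of FORWARD.
  iptables -A FORWARD -i eth+ -p tcp --tcp-flags SYN,ACK,FIN,RST RST \
    -m limit --limit 1/s -j ACCEPT

  # Ping flood guard: forward echo-requests at no more than 1/s.
  # NOTE(review): as above, excess echo-requests fall through to the
  # later FORWARD rules (which drop NEW traffic into the LAN but accept
  # other non-INVALID ICMP).
  iptables -A FORWARD -p icmp --icmp-type echo-request \
    -m limit --limit 1/s -j ACCEPT
}

# ICMP to and from the gateway itself.
add_icmp_rules() {
  # Accept echo-request (type 8, code 0) unless conntrack marks it INVALID.
  iptables -A INPUT -p icmp --icmp-type 8/0 -m state ! --state INVALID \
    -j ACCEPT
  # The host may send ICMP (replies, errors, its own pings).
  iptables -A OUTPUT -p icmp -m state --state ESTABLISHED,RELATED,NEW \
    -j ACCEPT
}

# Malformed or spoofed packets arriving at the gateway.
add_sanity_rules() {
  # A NEW TCP connection must start with SYN; log and drop the rest.
  iptables -A INPUT -p tcp ! --syn -m state --state NEW -j LOG \
    --log-level debug --log-prefix "IPT NEW: "
  iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

  # Non-first fragments (-f): log at most 10/hour, then drop.
  iptables -A INPUT -f -j LOG -m limit --limit 10/hour \
    --log-level debug --log-prefix "IPT FRAGMENTS: "
  iptables -A INPUT -f -j DROP

  # Anti-spoofing: a packet claiming one of our own addresses as source
  # is forged (loopback was accepted earlier, so this only hits real
  # interfaces).
  iptables -A INPUT -s "$EXT_IP" -j DROP
  iptables -A INPUT -s "$INT_IP" -j DROP
  # NetBIOS broadcasts from the LAN are noise; drop them quietly.
  iptables -A INPUT -i eth1 -p udp -d "$LAN_BCAST" --dport 137:139 -j DROP
}

# INPUT: services offered by the gateway itself.
add_input_rules() {
  # DHCP requests from any interface except the external one.  Inserted
  # at the head of INPUT, so it precedes the syn-flood and sanity rules.
  iptables -I INPUT ! -i eth0 -p udp --dport 67 -j ACCEPT
  # ssh.  NOTE(review): accepted from any source on any interface;
  # restrict with -i eth1 or -s if administration from the Internet side
  # is not intended.
  iptables -A INPUT -p tcp --sport 1024: --dport 22 -m state --state NEW \
    -j ACCEPT
  # ident (113).  Alternative: reject instead of accepting:
  #   iptables -A INPUT -p tcp --sport 1024: --dport 113 \
  #     -m state --state NEW -j REJECT --reject-with tcp-reset
  iptables -A INPUT -p tcp --sport 1024: --dport 113 \
    -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  # Proxy on 8080: refuse new connections from the Internet side, accept
  # them from everywhere else (i.e. the LAN).
  iptables -A INPUT -i eth0 -p tcp --dport 8080 -m state --state NEW \
    -j REJECT --reject-with icmp-port-unreachable
  iptables -A INPUT -p tcp --dport 8080 \
    -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  # Replies to connections the host opened; then log (10/hour) and drop.
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A INPUT -j LOG -m limit --limit 10/hour \
    --log-level debug --log-prefix "IPT INPUT: "
  iptables -A INPUT -j DROP
}

# OUTPUT: the host may talk to anyone; only conntrack-INVALID packets are
# logged (10/hour) and dropped.
add_output_rules() {
  iptables -A OUTPUT -m state ! --state INVALID -j ACCEPT
  iptables -A OUTPUT -j LOG -m limit --limit 10/hour \
    --log-level debug --log-prefix "IPT OUTPUT: "
  iptables -A OUTPUT -j DROP
}

# FORWARD: LAN -> Internet only, with established replies back.
add_forward_rules() {
  # A LAN host claiming the gateway's own LAN address is spoofing.
  iptables -A FORWARD -i eth1 -s "$INT_IP" -j DROP
  # Keep LAN clients on the local proxy: drop attempts to reach any other
  # proxy on 3128/8080.  These must come before the generic LAN ACCEPT
  # rules below; after them they would never match LAN traffic from
  # unprivileged source ports.
  iptables -A FORWARD -p tcp -s "$LAN_NET" ! -d "$INT_IP" --dport 3128 \
    -j DROP
  iptables -A FORWARD -p tcp -s "$LAN_NET" ! -d "$INT_IP" --dport 8080 \
    -j DROP
  # LAN clients may open TCP/UDP connections from unprivileged ports.
  iptables -A FORWARD -i eth1 -p tcp -s "$LAN_NET" --sport 1024: \
    -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  iptables -A FORWARD -i eth1 -p udp -s "$LAN_NET" --sport 1024: \
    -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  # Replies back into the LAN.
  iptables -A FORWARD -o eth1 -p tcp -d "$LAN_NET" --dport 1024: \
    -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A FORWARD -o eth1 -p udp -d "$LAN_NET" --dport 1024: \
    -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Nothing new or invalid is forwarded into the LAN.
  iptables -A FORWARD -d "$LAN_NET" -m state --state NEW,INVALID -j DROP
  # Remaining non-INVALID ICMP; then log (10/hour) and drop everything else.
  iptables -A FORWARD -p icmp -m state ! --state INVALID -j ACCEPT
  iptables -A FORWARD -j LOG -m limit --limit 10/hour \
    --log-level debug --log-prefix "IPT FORWARD: "
  iptables -A FORWARD -j DROP
}

# NAT: masquerade the LAN behind the external address.
add_nat_rules() {
  # NOTE(review): no -o eth0, so LAN traffic leaving on any interface is
  # masqueraded.
  iptables -t nat -A POSTROUTING -s "$LAN_NET" -j MASQUERADE

  # Transparent proxy redirects (disabled): send LAN web/proxy traffic to
  # the local proxy on 8080.
  # iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 8080
  # iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j REDIRECT --to-port 8080
  # iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 8080 -j REDIRECT --to-port 8080
  # iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 8080 -j REDIRECT --to-port 8080
  # iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 3128 -j REDIRECT --to-port 8080
  # iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 3128 -j REDIRECT --to-port 8080
}

# Mangle: increase the TTL of packets from 192.168.2.0/24 by one.
add_mangle_rules() {
  # NOTE(review): hard-coded 192.168.2.0/24 -- presumably the LAN network;
  # confirm it matches LAN_NET.
  iptables -t mangle -A PREROUTING -s 192.168.2.0/24 -j TTL --ttl-inc 1
}

main() {
  # Refuse to start with an unset address: policies go to DROP before the
  # rules that use these are installed, and iptables would otherwise fail
  # on the placeholder part-way through.
  : "${EXT_IP:?address of eth0 (external) must be set}"
  : "${INT_IP:?address of eth1 (gateway LAN side) must be set}"
  : "${LAN_NET:?LAN network in CIDR form must be set}"
  : "${LAN_BCAST:?LAN broadcast address must be set}"

  # Order matters: each function appends to the chains in the same
  # sequence the rules are listed above.
  harden_kernel
  reset_tables
  add_flood_guards
  add_icmp_rules
  add_sanity_rules
  add_input_rules
  add_output_rules
  add_forward_rules
  add_nat_rules
  add_mangle_rules
}

main "$@"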

Received on Sat Feb 21 03:35:59 2004