>BARDZO !!! Potrzebuję gotowego skryptu firewalla pod iptables... ponieważ nie za bardzo wiem, jak go napisać pod ..z :-)
Lub mozesz uzyc takiego oto firewalla...
u mnie eth0 jest od strony netu, a eth1 od strony LAN
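#!/bin/sh
# iptables firewall for a small NAT router.
# Layout assumed by the rules (from the author's note): eth0 faces the
# Internet, eth1 faces the LAN.
#
# Placeholders to fill in before running:
#   TWOJE_ZEWNETRZNE_IP - the router's external (eth0) address
#   TWOJE_WEWNETRZNE_IP - the router's internal (eth1) address
#   ADRES_SIECI         - the LAN network in CIDR form
#   BROADCAST           - the LAN broadcast address
#
# NOTE(review): the script never writes /proc/sys/net/ipv4/ip_forward, so
# the FORWARD and NAT rules below only take effect if forwarding is enabled
# elsewhere - confirm against the system configuration.
#
# Changes relative to the posted version: the mail client's "=" soft line
# breaks were removed; user chains and the mangle table are reset so the
# script can be re-run; the missing space before "-j MASQUERADE" was added;
# negations use the "! --option" placement (the "--option !" form is
# deprecated and may be rejected by current iptables); the proxy-escape DROP
# rules were moved ahead of the rules that shadowed them; the forwarded
# echo-request limit now actually drops the excess; the placeholder typo
# TWOJE_WENTERZNE_IP was corrected.

# ---- kernel hardening -------------------------------------------------
# Ignore echo requests to broadcast addresses (Smurf amplification).
/bin/echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Drop source-routed packets.
/bin/echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
# Ignore ICMP redirects.
/bin/echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
# Ignore bogus ICMP error responses.
/bin/echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Reverse-path filter: drop packets whose source is not routed via the
# interface they arrived on.
/bin/echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
# Log martians (spoofed, source-routed, redirected packets).
/bin/echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

# ---- reset --------------------------------------------------------------
# Flush every table this script touches and delete user-defined chains.
# Without -X the "iptables -N syn-flood" below fails on a second run, and
# without flushing mangle the TTL rule at the end is appended once per run.
iptables -F
iptables -X
iptables -F -t nat
iptables -F -t mangle
# Default deny everywhere; everything that follows is an explicit allow.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Loopback.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A FORWARD -o lo -j ACCEPT

# ---- SYN flood ----------------------------------------------------------
# Every TCP SYN on INPUT and FORWARD goes through the syn-flood chain:
# up to 10/s (burst 30) return to the calling chain, the rest are logged
# (rate-limited) and dropped.
iptables -N syn-flood
iptables -A INPUT -p tcp --syn -j syn-flood
iptables -A FORWARD -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 10/s --limit-burst 30 -j RETURN
iptables -A syn-flood -j LOG -m limit --limit 10/hour --log-level debug --log-prefix "SYN-FLOOD: "
iptables -A syn-flood -j DROP

# ---- port scanners ------------------------------------------------------
# Forwarded bare-RST packets are allowed at 1/s; anything over the limit
# falls through to the FORWARD chain's final LOG/DROP.
iptables -A FORWARD -i eth+ -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

# ---- ping of death ------------------------------------------------------
# Forwarded echo requests are limited to 1/s. The explicit DROP is needed:
# without it the excess was accepted by the general ICMP rule further down,
# which made the limit a no-op.
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -j DROP

# ---- ICMP to/from the router --------------------------------------------
# Echo requests addressed to the router itself are accepted without a rate
# limit (only forwarded ones are limited above); add "-m limit" here if the
# router should be protected from ping floods as well.
iptables -A INPUT -p icmp --icmp-type 8/0 -m state ! --state INVALID -j ACCEPT
iptables -A OUTPUT -p icmp -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT

# ---- NEW without SYN ----------------------------------------------------
# A TCP packet that conntrack classifies as NEW must carry SYN; anything
# else is stray or crafted. Logging is rate-limited like the other LOG
# rules in this script (the posted version had no limit here).
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j LOG -m limit --limit 10/hour --log-level debug --log-prefix "IPT NEW: "
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# ---- fragments ----------------------------------------------------------
iptables -A INPUT -f -j LOG -m limit --limit 10/hour --log-level debug --log-prefix "IPT FRAGMENTS: "
iptables -A INPUT -f -j DROP
# Anti-spoofing: packets claiming one of the router's own addresses as
# source are dropped (loopback was already accepted above).
iptables -A INPUT -s TWOJE_ZEWNETRZNE_IP -j DROP
iptables -A INPUT -s TWOJE_WEWNETRZNE_IP -j DROP
# NetBIOS broadcast noise from the LAN is dropped silently (not logged).
iptables -A INPUT -i eth1 -p udp -d BROADCAST --dport 137:139 -j DROP

# ---- INPUT --------------------------------------------------------------
# DHCP requests from any interface except the Internet side. Inserted at
# position 1 (-I), i.e. ahead of every INPUT rule appended so far.
iptables -I INPUT ! -i eth0 -p udp --dport 67 -j ACCEPT
# SSH.
iptables -A INPUT -p tcp --sport 1024: --dport 22 -m state --state NEW -j ACCEPT
# ident (113). The posted script also carried a commented-out REJECT
# variant whose --reject-with value was lost in transit:
#iptables -A INPUT -p tcp --sport 1024: --dport 113 -m state --state NEW -j REJECT --reject-with
iptables -A INPUT -p tcp --sport 1024: --dport 113 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Proxy port 8080: refuse new connections arriving from the Internet side,
# accept from everywhere else.
iptables -A INPUT -i eth0 -p tcp --dport 8080 -m state --state NEW -j REJECT --reject-with icmp-port-unreachable
iptables -A INPUT -p tcp --dport 8080 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Replies to connections the router initiated.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Everything else: log (rate-limited) and drop.
iptables -A INPUT -j LOG -m limit --limit 10/hour --log-level debug --log-prefix "IPT INPUT: "
iptables -A INPUT -j DROP

# ---- OUTPUT -------------------------------------------------------------
# The router may send anything that is not INVALID.
iptables -A OUTPUT -m state ! --state INVALID -j ACCEPT
iptables -A OUTPUT -j LOG -m limit --limit 10/hour --log-level debug --log-prefix "IPT OUTPUT: "
iptables -A OUTPUT -j DROP

# ---- FORWARD ------------------------------------------------------------
# Anti-spoofing on the LAN side: a LAN host may not claim the router's
# internal address.
iptables -A FORWARD -i eth1 -s TWOJE_WEWNETRZNE_IP -j DROP
# Proxy escape: LAN hosts may not open connections to proxy ports 3128/8080
# on any forwarded destination. These must precede the LAN->outside ACCEPT
# rules below; in the posted version they came after them and were never
# reached for ordinary (source port >= 1024) traffic.
iptables -A FORWARD -p tcp -s ADRES_SIECI ! -d TWOJE_WEWNETRZNE_IP --dport 3128 -j DROP
iptables -A FORWARD -p tcp -s ADRES_SIECI ! -d TWOJE_WEWNETRZNE_IP --dport 8080 -j DROP
# LAN -> outside: TCP and UDP from unprivileged source ports.
iptables -A FORWARD -i eth1 -p tcp -s ADRES_SIECI --sport 1024: -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -p udp -s ADRES_SIECI --sport 1024: -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# outside -> LAN: only replies to LAN-initiated connections; new or invalid
# inbound traffic toward the LAN is dropped.
iptables -A FORWARD -o eth1 -p tcp -d ADRES_SIECI --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -o eth1 -p udp -d ADRES_SIECI --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -d ADRES_SIECI -m state --state NEW,INVALID -j DROP
# ICMP in either direction unless INVALID.
iptables -A FORWARD -p icmp -m state ! --state INVALID -j ACCEPT
# Everything else: log (rate-limited) and drop.
iptables -A FORWARD -j LOG -m limit --limit 10/hour --log-level debug --log-prefix "IPT FORWARD: "
iptables -A FORWARD -j DROP

# ---- NAT (masquerade) ---------------------------------------------------
iptables -t nat -A POSTROUTING -p all -s ADRES_SIECI -j MASQUERADE

# ---- transparent proxy (disabled in the posted version) -----------------
#iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 8080
#iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j REDIRECT --to-port 8080
#iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 8080 -j REDIRECT --to-port 8080
#iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 8080 -j REDIRECT --to-port 8080
#iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 3128 -j REDIRECT --to-port 8080
#iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 3128 -j REDIRECT --to-port 8080

# ---- TTL ----------------------------------------------------------------
# Increase the TTL of packets from 192.168.2.0/24 by one.
# NOTE(review): this network is hard-coded while the rest of the script
# uses the ADRES_SIECI placeholder - presumably the same network; confirm.
iptables -t mangle -A PREROUTING -s 192.168.2.0/24 -j TTL --ttl-inc 1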