Port forwarding under UHU Linux

  • #2140616
    mrdozer
    User
      dotmind wrote:
      iptables -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 2080 -j ACCEPT

      That's the problem. Here you already have to let port 80 through, because the PREROUTING chain has already rewritten the destination port.
      So, correctly:

      iptables -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 80 -j ACCEPT

      And by the way, the web server does not need UDP…

      OK, I changed it accordingly, still nothing.

      I was working from the previous document…
      http://tldp.fsf.hu/HOWTO/IP-Masquerade-HOWTO-hu/forwarders.html

      Nothing there either, but the problem may be with the ordering. I'm trying it now!
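
Added example, not part of the original thread: dotmind's point above is that nat PREROUTING rewrites the destination before the filter FORWARD chain sees the packet, so FORWARD has to match the translated address and port. The script below lints an iptables-save dump for that mismatch; the function names and both sample dumps are constructed for illustration (interfaces and addresses are borrowed from the thread), and it assumes single-host -d addresses and no negated matches.

```sh
#!/bin/sh
# Added example (not from the thread): lint an iptables-save dump for DNAT
# rules whose translated destination is not accepted by filter/FORWARD.
# Assumptions: -d holds a single host address (a trailing /32 is stripped)
# and negated matches ("!") are not modelled. All names here are made up.

check_dnat_forward() {
    awk '
    function opt(name,    i) {              # value following an option, or ""
        for (i = 1; i < NF; i++) if ($i == name) return $(i + 1)
        return ""
    }
    function port_in(p, spec,    r) {       # does port p satisfy a --dport spec?
        if (spec == "") return 1            # no --dport on the rule: any port
        if (split(spec, r, ":") == 2) return (p + 0 >= r[1] + 0 && p + 0 <= r[2] + 0)
        return (p + 0 == spec + 0)
    }
    /^\*/ { table = substr($1, 2); next }   # "*nat", "*filter" section markers

    table == "nat" && $2 == "PREROUTING" && opt("-j") == "DNAT" {
        n++
        din[n] = opt("-i"); dproto[n] = opt("-p"); dorig[n] = opt("--dport")
        to = opt("--to-destination")
        if (split(to, a, ":") == 2) { dip[n] = a[1]; dport[n] = a[2] }
        else { dip[n] = to; dport[n] = dorig[n] }   # port left unchanged
    }
    table == "filter" && $2 == "FORWARD" && opt("-j") == "ACCEPT" {
        st = opt("--state"); if (st == "") st = opt("--ctstate")
        if (st != "" && st !~ /NEW/) next   # ESTABLISHED-only rules never admit the first SYN
        m++
        fin[m] = opt("-i"); fproto[m] = opt("-p"); fport[m] = opt("--dport")
        fdst[m] = opt("-d"); sub(/\/32$/, "", fdst[m])
    }
    END {
        bad = 0
        for (i = 1; i <= n; i++) {
            hit = 0; stale = 0
            for (j = 1; j <= m; j++) {
                if (fin[j] != "" && din[i] != "" && fin[j] != din[i]) continue
                if (fproto[j] != "" && fproto[j] != dproto[i]) continue
                if (fdst[j] != "" && fdst[j] != dip[i]) continue
                if (port_in(dport[i], fport[j])) hit = 1
                else if (port_in(dorig[i], fport[j])) stale = 1
            }
            verdict = hit ? "OK" : (stale ? "STALE" : "MISSING")
            if (!hit) bad++
            printf "%-7s %s dport %s -> %s:%s", verdict, dproto[i], dorig[i], dip[i], dport[i]
            if (verdict == "STALE") printf " (FORWARD still matches pre-DNAT port %s)", dorig[i]
            printf "\n"
        }
        exit (bad > 0)                      # non-zero when any DNAT rule is not covered
    }'
}

# Constructed dump: FORWARD still filters on the public port 2080.
sample_stale() { cat <<'EOF'
*nat
-A PREROUTING -i eth1 -p tcp -m tcp --dport 2080 -j DNAT --to-destination 192.168.0.200:80
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -p tcp -m tcp --dport 2080 -j ACCEPT
COMMIT
EOF
}

# Constructed dump: FORWARD matches the translated address and port.
sample_fixed() { cat <<'EOF'
*nat
-A PREROUTING -i eth1 -p tcp -m tcp --dport 2080 -j DNAT --to-destination 192.168.0.200:80
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.200/32 -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
EOF
}

sample_stale | check_dnat_forward || true
sample_fixed | check_dnat_forward
```

On a live gateway the same function can be fed with `iptables-save | check_dnat_forward`. Rules that accept only from the internal interface or only ESTABLISHED,RELATED traffic are deliberately not counted as covering the forwarded port.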

        #2140618
        mrdozer
        User

          OK…

          I haven't managed to get it working so far. The script is otherwise fine, but I think for some reason one of the commands overrides the other, and that is why it does not redirect the port.

          If anyone has any idea, even just a hunch, please post it, because it might help!

          Now I'll read two more documents and write a new script from scratch, maybe that will...

          But if anyone happens to have a working, similar system with port forwarding, please help.

          And for anyone who needs Internet connection sharing with services, here is this nice little script!
          That part works, only this stupid port forwarding doesn't!

            #2140620
            mrdozer
            User

              I got this from a friend, but it doesn't work either, even though it is very proper…
              …on another machine it definitely works. Apache is set up properly, the website is only visible on the internal network at its own IP: 192.168.0.200
              although it should also be reachable at the external network card's IP: 213.257.215.90:2080
              but nothing. (The external IP address is fictitious here too, just for the sake of the example!!!!)

              The script:
              [SHADOW=red,left]

              #!/bin/sh

              # Firewall script for the Linux 2.4 kernel
              # copyright 2002 Timothy Scott Morizot

              ###############################################################################
              #
              # Local Settings
              #

              # sysctl location. If set, it will use sysctl to adjust the kernel parameters.
              # If this is set to the empty string (or is unset), the use of sysctl
              # is disabled.

              SYSCTL="/sbin/sysctl -w"

              # To echo the value directly to the /proc file instead
              # SYSCTL=""

              # IPTables Location - adjust if needed

              IPT="/usr/sbin/iptables"
              IPTS="/usr/sbin/iptables-save"
              IPTR="/usr/sbin/iptables-restore"

              # Internet Interface
              INET_IFACE="eth1"

              # Local Interface Information
              LOCAL_IFACE="eth0"
              LOCAL_IP="192.168.0.1"
              LOCAL_NET="192.168.0.0/24"
              LOCAL_BCAST="192.168.0.255"

              # Localhost Interface

              LO_IFACE="lo"
              LO_IP="127.0.0.1"

              # Save and Restore arguments handled here
              if [ "$1" = "save" ]
              then
                  echo -n "Saving firewall to /etc/sysconfig/iptables ... "
                  $IPTS > /etc/sysconfig/iptables
                  echo "done"
                  exit 0
              elif [ "$1" = "restore" ]
              then
                  echo -n "Restoring firewall from /etc/sysconfig/iptables ... "
                  $IPTR < /etc/sysconfig/iptables
                  echo "done"
                  exit 0
              fi

              # Enable IPv4 forwarding
              if [ "$SYSCTL" = "" ]
              then
                  echo "1" > /proc/sys/net/ipv4/ip_forward
              else
                  $SYSCTL net.ipv4.ip_forward="1"
              fi

              # This enables dynamic address hacking.
              # This may help if you have a dynamic IP address (e.g. slip, ppp, dhcp).
              #if [ "$SYSCTL" = "" ]
              #then
              #    echo "1" > /proc/sys/net/ipv4/ip_dynaddr
              #else
              #    $SYSCTL net.ipv4.ip_dynaddr="1"
              #fi

              # This enables SYN flood protection.
              # The SYN cookies activation allows your system to accept an unlimited
              # number of TCP connections while still trying to give reasonable
              # service during a denial of service attack.
              if [ "$SYSCTL" = "" ]
              then
                  echo "1" > /proc/sys/net/ipv4/tcp_syncookies
              else
                  $SYSCTL net.ipv4.tcp_syncookies="1"
              fi

              # Turn it off if you use multiple NICs connected to the same network.
              if [ "$SYSCTL" = "" ]
              then
                  echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
              else
                  $SYSCTL net.ipv4.conf.all.rp_filter="1"
              fi

              #if [ "$SYSCTL" = "" ]
              #then
              #    echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
              #else
              #    $SYSCTL net.ipv4.conf.all.proxy_arp="1"
              #fi

              # The following kernel settings were suggested by Alex Weeks. Thanks!

              # This kernel parameter instructs the kernel to ignore all ICMP
              # echo requests sent to the broadcast address. This prevents
              # a number of smurfs and similar DoS nasty attacks.
              if [ "$SYSCTL" = "" ]
              then
                  echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
              else
                  $SYSCTL net.ipv4.icmp_echo_ignore_broadcasts="1"
              fi

              # This option can be used to accept or refuse source routed
              # packets. It is usually on by default, but is generally
              # considered a security risk. This option turns it off.
              if [ "$SYSCTL" = "" ]
              then
                  echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
              else
                  $SYSCTL net.ipv4.conf.all.accept_source_route="0"
              fi

              # This option can disable ICMP redirects. ICMP redirects
              # are generally considered a security risk and shouldn't be
              # needed by most systems using this generator.
              #if [ "$SYSCTL" = "" ]
              #then
              #    echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
              #else
              #    $SYSCTL net.ipv4.conf.all.accept_redirects="0"
              #fi

              # However, we'll ensure the secure_redirects option is on instead.
              # This option accepts only from gateways in the default gateways list.
              if [ "$SYSCTL" = "" ]
              then
                  echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
              else
                  $SYSCTL net.ipv4.conf.all.secure_redirects="1"
              fi

              # This option logs packets from impossible addresses.
              if [ "$SYSCTL" = "" ]
              then
                  echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
              else
                  $SYSCTL net.ipv4.conf.all.log_martians="1"
              fi

              ###############################################################################
              #
              # Flush Any Existing Rules or Chains
              #

              echo "Flushing Tables ..."

              # Reset Default Policies
              $IPT -P INPUT ACCEPT
              $IPT -P FORWARD ACCEPT
              $IPT -P OUTPUT ACCEPT
              $IPT -t nat -P PREROUTING ACCEPT
              $IPT -t nat -P POSTROUTING ACCEPT
              $IPT -t nat -P OUTPUT ACCEPT
              $IPT -t mangle -P PREROUTING ACCEPT
              $IPT -t mangle -P OUTPUT ACCEPT

              # Flush all rules
              $IPT -F
              $IPT -t nat -F
              $IPT -t mangle -F

              # Erase all non-default chains
              $IPT -X
              $IPT -t nat -X
              $IPT -t mangle -X

              if [ "$1" = "stop" ]
              then
                  echo "Firewall completely flushed! Now running with no firewall."
                  exit 0
              fi

              ###############################################################################
              #
              # Rules Configuration
              #

              ###############################################################################
              #
              # Filter Table
              #
              ###############################################################################

              # Set Policies

              $IPT -P INPUT DROP
              $IPT -P OUTPUT DROP
              $IPT -P FORWARD DROP

              ###############################################################################
              #
              # User-Specified Chains
              #
              # Create user chains to reduce the number of rules each packet
              # must traverse.

              echo "Create and populate custom rule chains ..."

              # Create a chain to filter INVALID packets

              $IPT -N bad_packets

              # Create another chain to filter bad tcp packets

              $IPT -N bad_tcp_packets

              # Create separate chains for icmp, tcp (incoming and outgoing),
              # and incoming udp packets.

              $IPT -N icmp_packets

              # Used for UDP packets inbound from the Internet
              $IPT -N udp_inbound

              # Used to block outbound UDP services from internal network
              # Default to allow all
              $IPT -N udp_outbound

              # Used to allow inbound services if desired
              # Default fail except for established sessions
              $IPT -N tcp_inbound

              # Used to block outbound services from internal network
              # Default to allow all
              $IPT -N tcp_outbound

              ###############################################################################
              #
              # Populate User Chains
              #

              # bad_packets chain
              #

              # Drop packets received on the external interface
              # claiming a source of the local network
              $IPT -A bad_packets -p ALL -i $INET_IFACE -s $LOCAL_NET -j LOG \
                  --log-prefix "Illegal source: "

              $IPT -A bad_packets -p ALL -i $INET_IFACE -s $LOCAL_NET -j DROP

              # Drop INVALID packets immediately
              $IPT -A bad_packets -p ALL -m state --state INVALID -j LOG \
                  --log-prefix "Invalid packet: "

              $IPT -A bad_packets -p ALL -m state --state INVALID -j DROP

              # Then check the tcp packets for additional problems
              $IPT -A bad_packets -p tcp -j bad_tcp_packets

              # All good, so return
              $IPT -A bad_packets -p ALL -j RETURN

              # bad_tcp_packets chain
              #

              $IPT -A bad_tcp_packets -p tcp -i $LOCAL_IFACE -j RETURN

              # $IPT -A bad_tcp_packets -p tcp -i $LOCAL_IFACE ! --syn -m state \
              #     --state NEW -j DROP

              $IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
                  --log-prefix "New not syn: "
              $IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

              $IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j LOG \
                  --log-prefix "Stealth scan: "
              $IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j DROP

              $IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j LOG \
                  --log-prefix "Stealth scan: "
              $IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j DROP

              $IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG \
                  --log-prefix "Stealth scan: "
              $IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP

              $IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG \
                  --log-prefix "Stealth scan: "
              $IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

              $IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j LOG \
                  --log-prefix "Stealth scan: "
              $IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

              $IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG \
                  --log-prefix "Stealth scan: "
              $IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

              # All good, so return
              $IPT -A bad_tcp_packets -p tcp -j RETURN

              # icmp_packets chain
              #

              # ICMP packets should fit in a Layer 2 frame, thus they should
              # never be fragmented. Fragmented ICMP packets are a typical sign
              # of a denial of service attack.
              $IPT -A icmp_packets --fragment -p ICMP -j LOG \
                  --log-prefix "ICMP Fragment: "
              $IPT -A icmp_packets --fragment -p ICMP -j DROP

              # Echo - uncomment to allow your system to be pinged.
              # Uncomment the LOG command if you also want to log PING attempts
              #
              # $IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j LOG \
              #     --log-prefix "Ping detected: "
              # $IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT

              $IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j DROP

              # Time Exceeded
              $IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

              # Not matched, so return so it will be logged
              $IPT -A icmp_packets -p ICMP -j RETURN

              # TCP & UDP
              # Identify ports at:
              # http://www.chebucto.ns.ca/~rakerman/port-table.html
              # http://www.iana.org/assignments/port-numbers

              # udp_inbound chain
              #

              $IPT -A udp_inbound -p UDP -s 0/0 --destination-port 137 -j DROP
              $IPT -A udp_inbound -p UDP -s 0/0 --destination-port 138 -j DROP

              # DNS Server

              $IPT -A udp_inbound -p UDP -s 0/0 --destination-port 53 -j ACCEPT

              $IPT -A udp_inbound -p UDP -s 0/0 --source-port 67 --destination-port 68 \
                  -j ACCEPT

              # User specified allowed UDP protocol
              $IPT -A udp_inbound -p UDP -s 0/0 --destination-port 6666:7000 -j ACCEPT

              # Not matched, so return for logging
              $IPT -A udp_inbound -p UDP -j RETURN

              # No match, so ACCEPT
              $IPT -A udp_outbound -p UDP -s 0/0 -j ACCEPT

              # Web Server

              # HTTP
              $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 80 -j ACCEPT

              # FTP Server (Control)
              $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 21 -j ACCEPT

              # FTP Client (Data Port for non-PASV transfers)
              $IPT -A tcp_inbound -p TCP -s 0/0 --source-port 20 -j ACCEPT

              # Passive FTP

              $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 62000:64000 -j ACCEPT

              # sshd
              $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 22 -j ACCEPT

              # MSN Messenger File Transfers
              #

              $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 6891:6900 -j ACCEPT

              # User specified allowed TCP protocol
              $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 6666:7000 -j ACCEPT

              # Not matched, so return so it will be logged
              $IPT -A tcp_inbound -p TCP -j RETURN

              # No match, so ACCEPT
              $IPT -A tcp_outbound -p TCP -s 0/0 -j ACCEPT

              ###############################################################################
              #
              # INPUT Chain
              #

              echo "Process INPUT chain ..."

              # Allow all on localhost interface
              $IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT

              # Drop bad packets
              $IPT -A INPUT -p ALL -j bad_packets

              $IPT -A INPUT -p ALL -d 224.0.0.1 -j DROP
              # The rule to accept the packets.
              # $IPT -A INPUT -p ALL -d 224.0.0.1 -j ACCEPT

              # Rules for the private network (accessing gateway system itself)
              $IPT -A INPUT -p ALL -i $LOCAL_IFACE -s $LOCAL_NET -j ACCEPT
              $IPT -A INPUT -p ALL -i $LOCAL_IFACE -d $LOCAL_BCAST -j ACCEPT

              # Inbound Internet Packet Rules

              # Accept Established Connections
              $IPT -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
                  -j ACCEPT

              # Route the rest to the appropriate user chain
              $IPT -A INPUT -p TCP -i $INET_IFACE -j tcp_inbound
              $IPT -A INPUT -p UDP -i $INET_IFACE -j udp_inbound
              $IPT -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets

              # broadcast protocols.
              $IPT -A INPUT -m pkttype --pkt-type broadcast -j DROP

              # Log packets that still don't match
              $IPT -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
                  --log-prefix "INPUT packet died: "

              ###############################################################################
              #
              # FORWARD Chain
              #

              echo "Process FORWARD chain ..."

              # Used if forwarding for a private network

              # Drop bad packets
              $IPT -A FORWARD -p ALL -j bad_packets

              # Accept TCP packets we want to forward from internal sources
              $IPT -A FORWARD -p tcp -i $LOCAL_IFACE -j tcp_outbound

              # Accept UDP packets we want to forward from internal sources
              $IPT -A FORWARD -p udp -i $LOCAL_IFACE -j udp_outbound

              # If not blocked, accept any other packets from the internal interface
              $IPT -A FORWARD -p ALL -i $LOCAL_IFACE -j ACCEPT

              # Deal with responses from the internet
              $IPT -A FORWARD -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
                  -j ACCEPT

              # Port Forwarding is enabled, so accept forwarded traffic
              $IPT -A FORWARD -p tcp -i $INET_IFACE --destination-port 80 \
                  --destination 192.168.0.200 -j ACCEPT

              # Log packets that still don't match
              $IPT -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
                  --log-prefix "FORWARD packet died: "

              ###############################################################################
              #
              # OUTPUT Chain
              #

              echo "Process OUTPUT chain ..."

              # Generally trust the firewall on output

              # However, invalid icmp packets need to be dropped
              # to prevent a possible exploit.
              $IPT -A OUTPUT -m state -p icmp --state INVALID -j DROP

              # Localhost
              $IPT -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
              $IPT -A OUTPUT -p ALL -o $LO_IFACE -j ACCEPT

              # To internal network
              $IPT -A OUTPUT -p ALL -s $LOCAL_IP -j ACCEPT
              $IPT -A OUTPUT -p ALL -o $LOCAL_IFACE -j ACCEPT

              # To internet
              $IPT -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT

              # Log packets that still don't match
              $IPT -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
                  --log-prefix "OUTPUT packet died: "

              ###############################################################################
              #
              # nat table
              #
              ###############################################################################

              echo "Load rules for nat table ..."

              ###############################################################################
              #
              # PREROUTING chain
              #

              # Port Forwarding
              #

              $IPT -t nat -A PREROUTING -p tcp -i $INET_IFACE --destination-port 2080 \
                  -j DNAT --to-destination 192.168.0.200:80

              ###############################################################################
              #
              # POSTROUTING chain
              #

              $IPT -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE

              ###############################################################################

              echo "Load rules for mangle table ..."

              [/SHADOW]

              #2140621
              mrdozer
              Felhasználó

                Egyik barátomtól kaptam, de ez sem müxik, pedig nagyon korrekt…
                .. másik gépen tuti jó.l bevanlőve az apache a weboldal csak a belső hálón a saját ipjével látszik : 192.168.0.200
                pedig a külső hálókártya ipjével is kéne: 213.257.215.90:2080
                de semmi. (A külső ip cím itt is fiktiv csupán a példa kedvéért!!!!)

                A script:
                [SHADOW=red,left]

                #!/bin/sh

                # Firewall script for the Linux 2.4 kernel
                # copyright 2002 Timothy Scott Morizot

                ###############################################################################
                #
                # Local Settings
                #

                # sysctl location. If set, it will use sysctl to adjust the kernel parameters.
                # If this is set to the empty string (or is unset), the use of sysctl
                # is disabled.

                SYSCTL=”/sbin/sysctl -w”

                # To echo the value directly to the /proc file instead
                # SYSCTL=””

                # IPTables Location – adjust if needed

                IPT=”/usr/sbin/iptables”
                IPTS=”/usr/sbin/iptables-save”
                IPTR=”/usr/sbin/iptables-restore”

                # Internet Interface
                INET_IFACE=”eth1″

                # Local Interface Information
                LOCAL_IFACE=”eth0″
                LOCAL_IP=”192.168.0.1″
                LOCAL_NET=”192.168.0.0/24″
                LOCAL_BCAST=”192.168.0.255″

                # Localhost Interface

                LO_IFACE=”lo”
                LO_IP=”127.0.0.1″

                # Save and Restore arguments handled here
                if [ „$1” = „save” ]
                then
                echo -n „Saving firewall to /etc/sysconfig/iptables … „
                $IPTS > /etc/sysconfig/iptables
                echo „done”
                exit 0
                elif [ „$1” = „restore” ]
                then
                echo -n „Restoring firewall from /etc/sysconfig/iptables … „
                $IPTR /proc/sys/net/ipv4/ip_forward
                else
                $SYSCTL net.ipv4.ip_forward=”1″
                fi

                # This enables dynamic address hacking.
                # This may help if you have a dynamic IP address (e.g. slip, ppp, dhcp).
                #if [ „$SYSCTL” = „” ]
                #then
                # echo „1” > /proc/sys/net/ipv4/ip_dynaddr
                #else
                # $SYSCTL net.ipv4.ip_dynaddr=”1″
                #fi

                # This enables SYN flood protection.
                # The SYN cookies activation allows your system to accept an unlimited
                # number of TCP connections while still trying to give reasonable
                # service during a denial of service attack.
                if [ „$SYSCTL” = „” ]
                then
                echo „1” > /proc/sys/net/ipv4/tcp_syncookies
                else
                $SYSCTL net.ipv4.tcp_syncookies=”1″
                fi

                # Turn it off if you use multiple NICs connected to the same network.
                if [ „$SYSCTL” = „” ]
                then
                echo „1” > /proc/sys/net/ipv4/conf/all/rp_filter
                else
                $SYSCTL net.ipv4.conf.all.rp_filter=”1″
                fi

                #if [ „$SYSCTL” = „” ]
                #then
                # echo „1” > /proc/sys/net/ipv4/conf/all/proxy_arp
                #else
                # $SYSCTL net.ipv4.conf.all.proxy_arp=”1″
                #fi

                # The following kernel settings were suggested by Alex Weeks. Thanks!

                # This kernel parameter instructs the kernel to ignore all ICMP
                # echo requests sent to the broadcast address. This prevents
                # a number of smurfs and similar DoS nasty attacks.
                if [ „$SYSCTL” = „” ]
                then
                echo „1” > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
                else
                $SYSCTL net.ipv4.icmp_echo_ignore_broadcasts=”1″
                fi

                # This option can be used to accept or refuse source routed
                # packets. It is usually on by default, but is generally
                # considered a security risk. This option turns it off.
                if [ „$SYSCTL” = „” ]
                then
                echo „0” > /proc/sys/net/ipv4/conf/all/accept_source_route
                else
                $SYSCTL net.ipv4.conf.all.accept_source_route=”0″
                fi

                # This option can disable ICMP redirects. ICMP redirects
                # are generally considered a security risk and shouldn’t be
                # needed by most systems using this generator.
                #if [ „$SYSCTL” = „” ]
                #then
                # echo „0” > /proc/sys/net/ipv4/conf/all/accept_redirects
                #else
                # $SYSCTL net.ipv4.conf.all.accept_redirects=”0″
                #fi

                # However, we’ll ensure the secure_redirects option is on instead.
                # This option accepts only from gateways in the default gateways list.
                if [ „$SYSCTL” = „” ]
                then
                echo „1” > /proc/sys/net/ipv4/conf/all/secure_redirects
                else
                $SYSCTL net.ipv4.conf.all.secure_redirects=”1″
                fi

                # This option logs packets from impossible addresses.
                if [ „$SYSCTL” = „” ]
                then
                echo „1” > /proc/sys/net/ipv4/conf/all/log_martians
                else
                $SYSCTL net.ipv4.conf.all.log_martians=”1″
                fi

                ###############################################################################
                #
                # Flush Any Existing Rules or Chains
                #

                echo „Flushing Tables …”

                # Reset Default Policies
                $IPT -P INPUT ACCEPT
                $IPT -P FORWARD ACCEPT
                $IPT -P OUTPUT ACCEPT
                $IPT -t nat -P PREROUTING ACCEPT
                $IPT -t nat -P POSTROUTING ACCEPT
                $IPT -t nat -P OUTPUT ACCEPT
                $IPT -t mangle -P PREROUTING ACCEPT
                $IPT -t mangle -P OUTPUT ACCEPT

                # Flush all rules
                $IPT -F
                $IPT -t nat -F
                $IPT -t mangle -F

                # Erase all non-default chains
                $IPT -X
                $IPT -t nat -X
                $IPT -t mangle -X

                if [ „$1” = „stop” ]
                then
                echo „Firewall completely flushed! Now running with no firewall.”
                exit 0
                fi

                ###############################################################################
                #
                # Rules Configuration
                #

                ###############################################################################
                #
                # Filter Table
                #
                ###############################################################################

                # Set Policies

                $IPT -P INPUT DROP
                $IPT -P OUTPUT DROP
                $IPT -P FORWARD DROP

                ###############################################################################
                #
                # User-Specified Chains
                #
                # Create user chains to reduce the number of rules each packet
                # must traverse.

                echo „Create and populate custom rule chains …”

                # Create a chain to filter INVALID packets

                $IPT -N bad_packets

                # Create another chain to filter bad tcp packets

                $IPT -N bad_tcp_packets

                # Create separate chains for icmp, tcp (incoming and outgoing),
                # and incoming udp packets.

                $IPT -N icmp_packets

                # Used for UDP packets inbound from the Internet
                $IPT -N udp_inbound

                # Used to block outbound UDP services from internal network
                # Default to allow all
                $IPT -N udp_outbound

                # Used to allow inbound services if desired
                # Default fail except for established sessions
                $IPT -N tcp_inbound

                # Used to block outbound services from internal network
                # Default to allow all
                $IPT -N tcp_outbound

                ###############################################################################
                #
                # Populate User Chains
                #

                # bad_packets chain
                #

                # Drop packets received on the external interface
                # claiming a source of the local network
                $IPT -A bad_packets -p ALL -i $INET_IFACE -s $LOCAL_NET -j LOG
                –log-prefix „Illegal source: „

                $IPT -A bad_packets -p ALL -i $INET_IFACE -s $LOCAL_NET -j DROP

                # Drop INVALID packets immediately
                $IPT -A bad_packets -p ALL -m state –state INVALID -j LOG
                –log-prefix „Invalid packet: „

                $IPT -A bad_packets -p ALL -m state –state INVALID -j DROP

                # Then check the tcp packets for additional problems
                $IPT -A bad_packets -p tcp -j bad_tcp_packets

                # All good, so return
                $IPT -A bad_packets -p ALL -j RETURN

                # bad_tcp_packets chain
                #

                $IPT -A bad_tcp_packets -p tcp -i $LOCAL_IFACE -j RETURN

                # $IPT -A bad_tcp_packets -p tcp -i $LOCAL_IFACE ! --syn -m state \
                #     --state NEW -j DROP

                $IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
                    --log-prefix "New not syn: "
                $IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

                $IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j LOG \
                    --log-prefix "Stealth scan: "
                $IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j DROP

                $IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j LOG \
                    --log-prefix "Stealth scan: "
                $IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j DROP

                $IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG \
                    --log-prefix "Stealth scan: "
                $IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP

                $IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG \
                    --log-prefix "Stealth scan: "
                $IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

                $IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j LOG \
                    --log-prefix "Stealth scan: "
                $IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

                $IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG \
                    --log-prefix "Stealth scan: "
                $IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

                # All good, so return
                $IPT -A bad_tcp_packets -p tcp -j RETURN

                # icmp_packets chain
                #

                # ICMP packets should fit in a Layer 2 frame, thus they should
                # never be fragmented. Fragmented ICMP packets are a typical sign
                # of a denial of service attack.
                $IPT -A icmp_packets --fragment -p ICMP -j LOG \
                    --log-prefix "ICMP Fragment: "
                $IPT -A icmp_packets --fragment -p ICMP -j DROP

                # Echo - uncomment to allow your system to be pinged.
                # Uncomment the LOG command if you also want to log PING attempts
                #
                # $IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j LOG \
                #     --log-prefix "Ping detected: "
                # $IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT

                $IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j DROP

                # Time Exceeded
                $IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

                # Not matched, so return so it will be logged
                $IPT -A icmp_packets -p ICMP -j RETURN

                # TCP & UDP
                # Identify ports at:
                # http://www.chebucto.ns.ca/~rakerman/port-table.html
                # http://www.iana.org/assignments/port-numbers

                # udp_inbound chain
                #

                $IPT -A udp_inbound -p UDP -s 0/0 --destination-port 137 -j DROP
                $IPT -A udp_inbound -p UDP -s 0/0 --destination-port 138 -j DROP

                # DNS Server

                $IPT -A udp_inbound -p UDP -s 0/0 --destination-port 53 -j ACCEPT

                $IPT -A udp_inbound -p UDP -s 0/0 --source-port 67 --destination-port 68 \
                    -j ACCEPT

                # User specified allowed UDP protocol
                $IPT -A udp_inbound -p UDP -s 0/0 --destination-port 6666:7000 -j ACCEPT

                # Not matched, so return for logging
                $IPT -A udp_inbound -p UDP -j RETURN

                # No match, so ACCEPT
                $IPT -A udp_outbound -p UDP -s 0/0 -j ACCEPT

                # Web Server

                # HTTP
                $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 80 -j ACCEPT

                # FTP Server (Control)
                $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 21 -j ACCEPT

                # FTP Client (Data Port for non-PASV transfers)
                $IPT -A tcp_inbound -p TCP -s 0/0 --source-port 20 -j ACCEPT

                # Passive FTP

                $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 62000:64000 -j ACCEPT

                # sshd
                $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 22 -j ACCEPT

                # MSN Messenger File Transfers
                #

                $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 6891:6900 -j ACCEPT

                # User specified allowed TCP protocol
                $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 6666:7000 -j ACCEPT

                # Not matched, so return so it will be logged
                $IPT -A tcp_inbound -p TCP -j RETURN

                # No match, so ACCEPT
                $IPT -A tcp_outbound -p TCP -s 0/0 -j ACCEPT

                ###############################################################################
                #
                # INPUT Chain
                #

                echo "Process INPUT chain ..."

                # Allow all on localhost interface
                $IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT

                # Drop bad packets
                $IPT -A INPUT -p ALL -j bad_packets

                $IPT -A INPUT -p ALL -d 224.0.0.1 -j DROP
                # The rule to accept the packets.
                # $IPT -A INPUT -p ALL -d 224.0.0.1 -j ACCEPT

                # Rules for the private network (accessing gateway system itself)
                $IPT -A INPUT -p ALL -i $LOCAL_IFACE -s $LOCAL_NET -j ACCEPT
                $IPT -A INPUT -p ALL -i $LOCAL_IFACE -d $LOCAL_BCAST -j ACCEPT

                # Inbound Internet Packet Rules

                # Accept Established Connections
                $IPT -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
                    -j ACCEPT

                # Route the rest to the appropriate user chain
                $IPT -A INPUT -p TCP -i $INET_IFACE -j tcp_inbound
                $IPT -A INPUT -p UDP -i $INET_IFACE -j udp_inbound
                $IPT -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets

                # broadcast protocols.
                $IPT -A INPUT -m pkttype --pkt-type broadcast -j DROP

                # Log packets that still don't match
                $IPT -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
                    --log-prefix "INPUT packet died: "

                ###############################################################################
                #
                # FORWARD Chain
                #

                echo "Process FORWARD chain ..."

                # Used if forwarding for a private network

                # Drop bad packets
                $IPT -A FORWARD -p ALL -j bad_packets

                # Accept TCP packets we want to forward from internal sources
                $IPT -A FORWARD -p tcp -i $LOCAL_IFACE -j tcp_outbound

                # Accept UDP packets we want to forward from internal sources
                $IPT -A FORWARD -p udp -i $LOCAL_IFACE -j udp_outbound

                # If not blocked, accept any other packets from the internal interface
                $IPT -A FORWARD -p ALL -i $LOCAL_IFACE -j ACCEPT

                # Deal with responses from the internet
                $IPT -A FORWARD -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
                    -j ACCEPT

                # Port Forwarding is enabled, so accept forwarded traffic
                $IPT -A FORWARD -p tcp -i $INET_IFACE --destination-port 80 \
                    --destination 192.168.0.200 -j ACCEPT

                # Log packets that still don't match
                $IPT -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
                    --log-prefix "FORWARD packet died: "

                ###############################################################################
                #
                # OUTPUT Chain
                #

                echo "Process OUTPUT chain ..."

                # Generally trust the firewall on output

                # However, invalid icmp packets need to be dropped
                # to prevent a possible exploit.
                $IPT -A OUTPUT -m state -p icmp --state INVALID -j DROP

                # Localhost
                $IPT -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
                $IPT -A OUTPUT -p ALL -o $LO_IFACE -j ACCEPT

                # To internal network
                $IPT -A OUTPUT -p ALL -s $LOCAL_IP -j ACCEPT
                $IPT -A OUTPUT -p ALL -o $LOCAL_IFACE -j ACCEPT

                # To internet
                $IPT -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT

                # Log packets that still don't match
                $IPT -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
                    --log-prefix "OUTPUT packet died: "

                ###############################################################################
                #
                # nat table
                #
                ###############################################################################

                echo "Load rules for nat table ..."

                ###############################################################################
                #
                # PREROUTING chain
                #

                # Port Forwarding
                #

                $IPT -t nat -A PREROUTING -p tcp -i $INET_IFACE --destination-port 2080 \
                    -j DNAT --to-destination 192.168.0.200:80

                ###############################################################################
                #
                # POSTROUTING chain
                #

                $IPT -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE

                ###############################################################################

                echo "Load rules for mangle table ..."

                [/SHADOW]

                #2140622
                lada2105
                User

                  All that other stuff is surely needed, you surely know better, but for me the thing works with roughly this much:

                  Code:
                  echo -en "IP tovabbitas engedelyezese\n"
                  echo "1" > /proc/sys/net/ipv4/ip_forward
                  echo -en "IP maszkolas engedelyezese...\n"
                  iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

                  # syn-flood protection
                  iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
                  # protection against port scans
                  iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s \
                      -j ACCEPT
                  # ping of death protection
                  iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

                  # here there is also some port blocking, for the ports that are "more dangerous", e.g. 22 etc…

                  echo "forward beallitas..."
                  iptables -t nat -A PREROUTING --destination ! 10.1.10.0/24 -p tcp --dport 3363 \
                      -j DNAT --to-destination 10.1.10.230:3363
                  echo "kesz"

                  Well, of course the modules are needed if something doesn't work, but for me everything works perfectly well this way.
                  OK, of course it's not the most secure, but at least you don't have to hunt down, for every single program, the ports it uses for outbound communication in order to allow them…

                    #2140624
                    dotmind
                    User

                      I think the time has come for you to start logging the packets, and in about 5 minutes you'll figure out what the problem is…
                      at the end of your script:

                      iptables -A INPUT -j LOG --log-prefix " INPUT"
                      iptables -A FORWARD -j LOG --log-prefix " FORWARD"
                      iptables -A OUTPUT -j LOG --log-prefix " OUTPUT"

                      If all goes well, this will record in syslog the packets that no rule matches. (So a packet only ends up there if you don't accept/drop it beforehand.)

                      Another very useful tool is tcpdump. More info in the man page.
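
Reading such log output for the 2080 -> 192.168.0.200:80 forward discussed in this thread, as an added example that is not part of any post: the chain in which a packet is logged, together with its DST/DPT, shows whether the DNAT rule fired at all. The helper name `classify_drops`, the verdict labels and the sample log lines are assumptions made for the example; the log lines are constructed and abbreviated.

```shell
#!/bin/sh
# Added example. sample_log holds constructed kernel LOG lines (abbreviated,
# not taken from the thread) using the script's "... packet died: " prefixes.
sample_log() {
cat <<'EOF'
Mar  3 10:15:01 gw kernel: INPUT packet died: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TTL=52 ID=4711 DF PROTO=TCP SPT=40112 DPT=2080 WINDOW=5840 SYN URGP=0
Mar  3 10:16:40 gw kernel: FORWARD packet died: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.168.0.200 LEN=60 TTL=51 ID=4890 DF PROTO=TCP SPT=40155 DPT=80 WINDOW=5840 SYN URGP=0
Mar  3 10:17:12 gw kernel: FORWARD packet died: IN=eth1 OUT=eth0 SRC=192.168.0.200 DST=203.0.113.7 LEN=60 TTL=63 ID=0 DF PROTO=TCP SPT=80 DPT=40170 WINDOW=5792 ACK SYN URGP=0
Mar  3 10:18:05 gw kernel: INPUT packet died: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=60 TTL=49 ID=5120 DF PROTO=TCP SPT=51344 DPT=23 WINDOW=5840 SYN URGP=0
EOF
}

# classify_drops EXT_PORT INT_HOST INT_PORT  (hypothetical helper)
# Reads syslog text on stdin and prints, for every logged packet, the chain
# it died in, the flow, and what that says about the port forward.
classify_drops() {
    awk -v eport="$1" -v ihost="$2" -v iport="$3" '
    # Return the value of a KEY=value token on the current line.
    function field(name,    i) {
        for (i = 1; i <= NF; i++)
            if (index($i, name "=") == 1)
                return substr($i, length(name) + 2)
        return ""
    }
    match($0, /(INPUT|FORWARD|OUTPUT) packet died: /) {
        chain = substr($0, RSTART, RLENGTH)
        sub(/ packet died: /, "", chain)
        src = field("SRC"); dst = field("DST")
        spt = field("SPT"); dpt = field("DPT")
        if (chain == "INPUT" && dpt == eport)
            verdict = "dnat-not-applied"        # still has the pre-DNAT port
        else if (chain == "FORWARD" && dst == ihost && dpt == iport)
            verdict = "dnat-ok-filter-dropped"  # rewritten, no FORWARD ACCEPT
        else if (chain == "FORWARD" && src == ihost && spt == iport)
            verdict = "reply-dropped"           # server answer blocked
        else
            verdict = "unrelated"
        print chain, src ":" spt, "->", dst ":" dpt, verdict
    }'
}

sample_log | classify_drops 2080 192.168.0.200 80
```

No matching line at all for a test connection means the packet never reached a LOG rule, for instance because an earlier rule already accepted or dropped it.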
