


              

I.1. Пример rc.firewall - часть 2


#/sbin/modprobe ipt_owner #/sbin/modprobe ipt_REJECT #/sbin/modprobe ipt_MASQUERADE #/sbin/modprobe ip_conntrack_ftp #/sbin/modprobe ip_conntrack_irc #/sbin/modprobe ip_nat_ftp #/sbin/modprobe ip_nat_irc

################################
#
# 3. /proc set up.
#

#
# 3.1 Required proc configuration
#

# Enable IPv4 forwarding so the host routes between its interfaces.
# NOTE(review): this runs before section 4.1.1 sets the FORWARD policy to
# DROP; if that policy is still ACCEPT at this point (the kernel default,
# unless the part of the script not shown here changed it) there is a short
# window in which traffic is forwarded unfiltered. Setting the policies
# before enabling forwarding would close it.
printf '1\n' > /proc/sys/net/ipv4/ip_forward

#
# 3.2 Non-Required proc configuration
#

# Left disabled, as in the original. rp_filter (reverse-path filtering)
# makes the kernel discard packets whose source address is not reachable
# back through the interface they arrived on - cheap anti-spoofing that is
# generally worth turning on, but it breaks asymmetric routing, so it has
# to be checked against the site's routing before enabling.
#printf '1\n' > /proc/sys/net/ipv4/conf/all/rp_filter
#printf '1\n' > /proc/sys/net/ipv4/conf/all/proxy_arp
#printf '1\n' > /proc/sys/net/ipv4/ip_dynaddr

#######################################
#
# 4. rules set up.
#

######
# 4.1 Filter table
#

#
# 4.1.1 Set policies
#

# Default-deny on every built-in chain of the filter table: whatever is not
# explicitly accepted by the rules below is dropped silently (no RST, no
# ICMP error). OUTPUT is included, so locally generated traffic also needs
# explicit rules.
for chain in INPUT OUTPUT FORWARD; do
  $IPTABLES -P "$chain" DROP
done

#
# 4.1.2 Create userspecified chains
#

# Chain for TCP packets that are malformed or out of state.
# NOTE(review): "-N" fails when the chain already exists, so this section
# assumes the chains were flushed and deleted earlier (that part of the
# script is not visible here); re-running it without that step will fail
# here and leave whatever rules are already loaded in place.
$IPTABLES -N bad_tcp_packets

# The shared "allowed" chain used by the TCP rules, plus one chain per
# protocol (ICMP, TCP, UDP) for inbound traffic to traverse.
for chain in allowed tcp_packets udp_packets icmp_packets; do
  $IPTABLES -N "$chain"
done

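#
# 4.1.3 Create content in userspecified chains
#

#
# bad_tcp_packets chain
#

# A packet with SYN+ACK set that conntrack has never seen (state NEW) is a
# reply to a SYN this host did not send - usually the echo of a scan that
# spoofed our address. Answer with a TCP RST so the other end tears down
# its half-open connection instead of retransmitting.
$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \
  -m state --state NEW -j REJECT --reject-with tcp-reset

# Any other NEW packet that is not a plain SYN cannot legitimately start a
# connection: log it, then drop it. The LOG rule is rate-limited (3 per
# minute, burst 3) - the original had no limit, so a remote host could fill
# the kernel log at wire speed simply by sending non-SYN segments. The DROP
# rule that follows is unconditional, so limiting the log does not let any
# packet through.
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW \
  -m limit --limit 3/minute --limit-burst 3 \
  -j LOG --log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP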

#
# allowed chain
#

# Target of the TCP rules below. A plain SYN may open a connection, packets
# belonging to a connection conntrack already tracks (or a related one, e.g.
# an FTP data channel) continue, and any other TCP packet is dropped here
# rather than returning to the calling chain.

# Append one rule to "allowed"; all rules share the chain and protocol.
allowed_rule() {
  $IPTABLES -A allowed -p TCP "$@"
}

allowed_rule --syn -j ACCEPT
allowed_rule -m state --state ESTABLISHED,RELATED -j ACCEPT
allowed_rule -j DROP

#
# TCP rules
#

# Ports reachable from any source address (IANA assignments: 21 FTP control,
# 22 SSH, 80 HTTP, 113 ident). Each rule hands the packet to "allowed", which
# admits the SYN and the conntrack-tracked follow-up packets. "-s 0/0" means
# "any source" and is kept from the original for readability.
# NOTE(review): FTP (21) sends credentials in clear text and ident (113)
# reveals local user names; confirm both are really wanted on an
# Internet-facing interface.
for port in 21 22 80 113; do
  $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport "$port" -j allowed
done

#
# UDP ports
#

# DNS (53) and NTP (123) are left disabled, as in the original; presumably
# replies to the host's own queries are admitted elsewhere by a state match
# rather than by opening the port to everyone - verify against the INPUT
# rules in the next section.
#$IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 53 -j ACCEPT
#$IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 123 -j ACCEPT

# NOTE(review): these two ports are accepted from any source and with no
# state match; nothing in this section says which service they serve.
# Confirm they are meant to be reachable from the whole Internet, and
# restrict "-s 0/0" to the peers that need them if not.
for port in 2074 4000; do
  $IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port "$port" -j ACCEPT
done



