


              

I.2. Пример rc.DMZ.firewall - часть 2


#
# 2.2 Non-Required modules
#
# Left commented out in the original. Note that the REJECT target *is*
# used further down (bad_tcp_packets, "-j REJECT --reject-with tcp-reset"),
# so on a kernel that does not autoload netfilter modules ipt_REJECT has
# to be loaded by hand or that rule will fail to insert. The FTP/IRC
# conntrack/NAT helpers widen the kernel's protocol-parsing surface and
# should only be loaded when a rule actually relies on them.
#
#/sbin/modprobe ipt_owner
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
#/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_nat_irc

#########################################
#
# 3. /proc set up.
#

#
# 3.1 Required proc configuration
#
# The box routes between its interfaces, so IPv4 forwarding is switched
# on here. NOTE(review): this happens before the FORWARD policy is set to
# DROP in 4.1.1; if the kernel still has its default ACCEPT policies at
# this point there is a short window of unfiltered forwarding at boot.
# Setting the policies first would close it.
#
printf '1\n' > /proc/sys/net/ipv4/ip_forward

#
# 3.2 Non-Required proc configuration
#
# rp_filter (reverse-path source validation) is a cheap anti-spoofing
# control on a multi-homed box; it stays disabled here as in the original,
# so any source-address sanity checking has to come from explicit rules.
#
#printf '1\n' > /proc/sys/net/ipv4/conf/all/rp_filter
#printf '1\n' > /proc/sys/net/ipv4/conf/all/proxy_arp
#printf '1\n' > /proc/sys/net/ipv4/ip_dynaddr

#################################################
#
# 4. rules set up.
#

######
# 4.1 Filter table
#

#
# 4.1.1 Set policies
#
# Default-deny on all three built-in chains of the filter table: whatever
# no later rule explicitly accepts is dropped. OUTPUT is DROP as well, so
# the firewall's own outbound traffic also needs explicit rules.
#
for chain in INPUT OUTPUT FORWARD; do
  $IPTABLES -P "$chain" DROP
done

#
# 4.1.2 Create userspecified chains
#
# Three user chains are created, in this order:
#   bad_tcp_packets - TCP sanity checks (filled in 4.1.3)
#   allowed         - accept/drop policy for TCP (filled in 4.1.3)
#   icmp_packets    - the ICMP types we accept (filled in 4.1.3)
# The original comment also mentions UDP, but no separate UDP chain is
# defined in this version.
#
for chain in bad_tcp_packets allowed icmp_packets; do
  $IPTABLES -N "$chain"
done

#
# 4.1.3 Create content in userspecified chains
#

#
# bad_tcp_packets chain
#
# Every TCP packet entering INPUT is sent here first (see 4.1.4).
# A NEW packet that carries SYN+ACK is answered with a TCP reset; any
# other NEW packet that is not a plain SYN is logged and then dropped.
# There is no terminal rule, so packets passing all checks return to
# the calling chain.
#
$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \
  -m state --state NEW -j REJECT --reject-with tcp-reset
# NOTE(review): this LOG rule has no "-m limit" match, so a flood of
# non-SYN NEW packets turns directly into log volume; a rate limit on
# the LOG rule is the usual mitigation.
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW \
  -j LOG --log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

#
# allowed chain
#
# Intended as a jump target for TCP traffic: a connection-opening SYN is
# accepted, packets of an already tracked connection are accepted, and
# the final rule drops everything else (this chain does terminate).
#
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

#
# ICMP rules
#
# Changed rules totally
#
# Only echo-request (type 8) and time-exceeded (type 11) are accepted,
# and "-s 0/0" means from any source. The chain has no terminal rule, so
# every other ICMP type returns to INPUT and ends in its DROP policy
# unless a later INPUT rule accepts it.
#
for icmp_type in 8 11; do
  $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type "$icmp_type" -j ACCEPT
done

#
# 4.1.4 INPUT chain
#
# Only the first two INPUT rules are on this page; the remainder of the
# chain presumably follows in the next part of the listing.
#

#
# Bad TCP packets we don't want
#
# All TCP, regardless of interface, goes through the sanity chain first.
#
$IPTABLES -A INPUT -p tcp -j bad_tcp_packets

#
# Packets from the Internet to this box
#
# ICMP arriving on the Internet-facing interface (INET_IFACE is defined
# earlier in the script, not on this page) is filtered by icmp_packets.
# ICMP on the other interfaces is not matched by this rule.
#
$IPTABLES -A INPUT -p ICMP -i "$INET_IFACE" -j icmp_packets



