Dear all, aku buat firewall script, rencananya hanya IP tertentu yang bisa konek, yang lainnya di-DROP atau di-DENY tapi kok masih bisa lolos ya?? Apa ada rule yang tertumpuk? INPUT nya saya pengen buat DROP kalo tidak terdaftar, server memang tidak bisa diakses saat firewall aktif, tapi paket2 internet kok lolos ke server berikut nya ya?
tolong dong. #!/bin/sh # DMZ WEB DMZ_IF="eth1" PUBLIC_IF="eth0" PORT_FORWARD='80 123 443 25 110 995 143 22 21 20 194 5050 6667 3142' PUBLIC_PORT_ALLOW='10000 22 21 137 135 139 445 3306' # internet port in, local network always allow PORT_IN='123 443 10000 25 110 995 143 22 21 20 5050 6667 3142' ## load modules MODPROBE="/sbin/modprobe" $MODPROBE ip_tables $MODPROBE iptable_filter $MODPROBE iptable_nat $MODPROBE iptable_mangle $MODPROBE ipt_LOG $MODPROBE ipt_limit $MODPROBE ipt_state $MODPROBE ip_nat_ftp $MODPROBE ip_nat_irc $MODPROBE ip_conntrack $MODPROBE ip_conntrack_ftp $MODPROBE ip_conntrack_irc firewall_basic() { echo 1 > /proc/sys/net/ipv4/ip_forward # No spoofing !!! #if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ] then # for f in /proc/sys/net/ipv4/conf/*/rp_filter do # echo 1 > $f # done #fi } firewall_flush() { iptables -P INPUT ACCEPT iptables -P FORWARD ACCEPT iptables -P OUTPUT ACCEPT # Set the default policy for the NAT table iptables -t nat -P PREROUTING ACCEPT iptables -t nat -P POSTROUTING ACCEPT iptables -t nat -P OUTPUT ACCEPT # Delete all rules iptables -F iptables -t nat -F # Delete all chains iptables -X iptables -t nat -X iptables -t mangle -F iptables -t mangle -X } firewall_input() { # A. DEFAULT AND BASIC # A.1. Setting default filter policy iptables -P INPUT DROP iptables -P OUTPUT ACCEPT #iptables -P FORWARD DROP # A.2. Unlimited access to loop back iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT # A.3. buat chain baru untuk bad packets, TCP, UDp dan ICMP iptables -N bad_tcp_packets iptables -N allowed iptables -N icmp_packets #A.4.LOG bad packets iptables -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:" iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP # A.5. Allow UDP, DNS and Passive FTP dari internet interface iptables -A allowed -p TCP --syn -j ACCEPT iptables -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A allowed -p TCP -j DROP #A.6. Allow ping for all interfaces iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT #B. INPUT CHAIN #B.1. bad packets iptables -A INPUT -p tcp -j bad_tcp_packets #B.2. ICMP iptables -A INPUT -p ICMP -s 0/0 -j icmp_packets #iptables -A FORWARD -p ICMP -s 0/0 -j icmp_packets #B.3. allow input from local #iptables -A INPUT -i $DMZ_IF -j DROP # TEMPORARY iptables -A INPUT -i $PUBLIC_IF -j ACCEPT # DROP UNLISTED IP iptables -A INPUT -s 192.168.2.1 -j ACCEPT iptables -A INPUT -s 192.168.2.2 -j ACCEPT iptables -A INPUT -s 192.168.2.3 -j ACCEPT iptables -A INPUT -s 192.168.2.4 -j ACCEPT #B.4. PORT RULES FOR PUBLIC NET # for PORT in $PUBLIC_PORT_ALLOW; do # iptables -A INPUT -i $PUBLIC_IF -p tcp --dport $PORT -j allowed # done #B.5 Paket dari internet ke firewall iptables -A INPUT -i $PUBLIC_IF -m state --state ESTABLISHED,RELATED -j ACCEPT #B.6 mencatat paket-paket yang tidak sesuai dengan aturan di atas. iptables -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG\ --log-prefix "IPT INPUT packet died: " #C. FORWARD CHAIN #C.1 Bad packets iptables -A FORWARD -p tcp -j bad_tcp_packets #C.2 Forward akses ke PUBLIC NET dari DMZ NET # for PORT in $PORT_FORWARD; do # iptables -A FORWARD -p tcp -i $DMZ_IF --dport $PORT -j allowed # done #C.3 Forward akses ke PUBLIC dari localhost iptables -A FORWARD -p ALL -s 127.0.0.1 -o $PUBLIC_IF -j ACCEPT #C.4 mencatat paket-paket yang tidak sesuai dengan aturan di atas. iptables -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG\ --log-prefix "IPT FORWARD packet died: " #D. OUTPUT CHAIN #D.1 Bad packets iptables -A OUTPUT -p tcp -j bad_tcp_packets #D.2 Allow OUTPUT dari semua interface, toh yang dibatasi hanya INPUT iptables -A OUTPUT -o $PUBLIC_IF -j ACCEPT #D.3 mencatat paket-paket yang tidak sesuai dengan aturan di atas. iptables -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG\ --log-prefix "IPT FORWARD packet died: " #F.2 Set this system as a router for Rest of LAN iptables -t nat -A POSTROUTING -o $PUBLIC_IF -j MASQUERADE } ## Main routines firewall_start() { firewall_basic firewall_flush firewall_input return 0 } firewall_stop() { firewall_flush return 0 } case "$1" in start) echo "Starting firewall ..." firewall_start ;; stop) echo "Stopping firewall ..." firewall_stop ;; frestart) echo "Only restart firewall ..." firewall_basic firewall_flush firewall_input ;; restart) echo "Restarting firewall ..." ## Restarting should not stop the firewall ## Since stopping opens the ports for a moment firewall_start ;; reload) echo "Reloading firewall ..." firewall_start ;; status) iptables -nL echo iptables -t nat -nL ;; *) echo "Usage $0 {start|stop|frestart|restart|reload|status}" esac -- FAQ milis di http://wiki.linux.or.id/FAQ_milis_tanya-jawab Unsubscribe: kirim email ke tanya-jawab-unsubscr...@linux.or.id Arsip dan info milis selengkapnya di http://linux.or.id/milis