Dear all,
aku buat firewall script, rencananya hanya IP tertentu yang bisa konek, yang
lainnya di-DROP atau di-DENY tapi kok masih bisa lolos ya?? Apa ada rule
yang tertumpuk?
INPUT nya saya pengen buat DROP kalo tidak terdaftar, server memang tidak
bisa diakses saat firewall aktif, tapi paket2 internet kok lolos ke server
berikut nya ya?
tolong dong.
#!/bin/sh
# DMZ WEB
DMZ_IF="eth1"
PUBLIC_IF="eth0"
PORT_FORWARD='80 123 443 25 110 995 143 22 21 20 194 5050 6667 3142'
PUBLIC_PORT_ALLOW='10000 22 21 137 135 139 445 3306'
# internet port in, local network always allow
PORT_IN='123 443 10000 25 110 995 143 22 21 20 5050 6667 3142'
## load modules
MODPROBE="/sbin/modprobe"
$MODPROBE ip_tables
$MODPROBE iptable_filter
$MODPROBE iptable_nat
$MODPROBE iptable_mangle
$MODPROBE ipt_LOG
$MODPROBE ipt_limit
$MODPROBE ipt_state
$MODPROBE ip_nat_ftp
$MODPROBE ip_nat_irc
$MODPROBE ip_conntrack
$MODPROBE ip_conntrack_ftp
$MODPROBE ip_conntrack_irc
firewall_basic()
{
echo 1 > /proc/sys/net/ipv4/ip_forward
# No spoofing !!!
#if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ] then
# for f in /proc/sys/net/ipv4/conf/*/rp_filter do
# echo 1 > $f
# done
#fi
}
firewall_flush()
{
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
# Set the default policy for the NAT table
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
# Delete all rules
iptables -F
iptables -t nat -F
# Delete all chains
iptables -X
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
}
firewall_input()
{
# A. DEFAULT AND BASIC
# A.1. Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
#iptables -P FORWARD DROP
# A.2. Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# A.3. buat chain baru untuk bad packets, TCP, UDp dan ICMP
iptables -N bad_tcp_packets
iptables -N allowed
iptables -N icmp_packets
#A.4.LOG bad packets
iptables -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m
state --state NEW -j REJECT --reject-with tcp-reset
iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j
LOG --log-prefix "New not syn:"
iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
# A.5. Allow UDP, DNS and Passive FTP dari internet interface
iptables -A allowed -p TCP --syn -j ACCEPT
iptables -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A allowed -p TCP -j DROP
#A.6. Allow ping for all interfaces
iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
#B. INPUT CHAIN
#B.1. bad packets
iptables -A INPUT -p tcp -j bad_tcp_packets
#B.2. ICMP
iptables -A INPUT -p ICMP -s 0/0 -j icmp_packets
#iptables -A FORWARD -p ICMP -s 0/0 -j icmp_packets
#B.3. allow input from local
#iptables -A INPUT -i $DMZ_IF -j DROP
# TEMPORARY
iptables -A INPUT -i $PUBLIC_IF -j ACCEPT
# DROP UNLISTED IP
iptables -A INPUT -s 192.168.2.1 -j ACCEPT
iptables -A INPUT -s 192.168.2.2 -j ACCEPT
iptables -A INPUT -s 192.168.2.3 -j ACCEPT
iptables -A INPUT -s 192.168.2.4 -j ACCEPT
#B.4. PORT RULES FOR PUBLIC NET
# for PORT in $PUBLIC_PORT_ALLOW; do
# iptables -A INPUT -i $PUBLIC_IF -p tcp --dport $PORT -j allowed
# done
#B.5 Paket dari internet ke firewall
iptables -A INPUT -i $PUBLIC_IF -m state --state ESTABLISHED,RELATED -j
ACCEPT
#B.6 mencatat paket-paket yang tidak sesuai dengan aturan di atas.
iptables -A INPUT -m limit --limit 3/minute --limit-burst 3 -j
LOG --log-level DEBUG\
--log-prefix "IPT INPUT packet died: "
#C. FORWARD CHAIN
#C.1 Bad packets
iptables -A FORWARD -p tcp -j bad_tcp_packets
#C.2 Forward akses ke PUBLIC NET dari DMZ NET
# for PORT in $PORT_FORWARD; do
# iptables -A FORWARD -p tcp -i $DMZ_IF --dport $PORT -j allowed
# done
#C.3 Forward akses ke PUBLIC dari localhost
iptables -A FORWARD -p ALL -s 127.0.0.1 -o $PUBLIC_IF -j ACCEPT
#C.4 mencatat paket-paket yang tidak sesuai dengan aturan di atas.
iptables -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j
LOG --log-level DEBUG\
--log-prefix "IPT FORWARD packet died: "
#D. OUTPUT CHAIN
#D.1 Bad packets
iptables -A OUTPUT -p tcp -j bad_tcp_packets
#D.2 Allow OUTPUT dari semua interface, toh yang dibatasi hanya INPUT
iptables -A OUTPUT -o $PUBLIC_IF -j ACCEPT
#D.3 mencatat paket-paket yang tidak sesuai dengan aturan di atas.
iptables -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j
LOG --log-level DEBUG\
--log-prefix "IPT FORWARD packet died: "
#F.2 Set this system as a router for Rest of LAN
iptables -t nat -A POSTROUTING -o $PUBLIC_IF -j MASQUERADE
}
## Main routines
firewall_start() {
firewall_basic
firewall_flush
firewall_input
return 0
}
firewall_stop()
{
firewall_flush
return 0
}
case "$1" in
start)
echo "Starting firewall ..."
firewall_start
;;
stop)
echo "Stopping firewall ..."
firewall_stop
;;
frestart)
echo "Only restart firewall ..."
firewall_basic
firewall_flush
firewall_input
;;
restart)
echo "Restarting firewall ..."
## Restarting should not stop the firewall
## Since stopping opens the ports for a moment
firewall_start
;;
reload)
echo "Reloading firewall ..."
firewall_start
;;
status)
iptables -nL
echo
iptables -t nat -nL
;;
*)
echo "Usage $0 {start|stop|frestart|restart|reload|status}"
esac
--
FAQ milis di http://wiki.linux.or.id/FAQ_milis_tanya-jawab
Unsubscribe: kirim email ke tanya-jawab-unsubscr...@linux.or.id
Arsip dan info milis selengkapnya di http://linux.or.id/milis
