Pár napon belül be kel üzemelnem egy szervert, amin egy squid fog müködni transzparens proxy-ként, a gépen még dhcp szolgáltatás fog futni.(+ssh,apache2 stb..)
Átnéznétek az alábbi scriptet, mert valami nem jó benne :( Belső hálon nem látszik a 80 és a 21 port se :( kösszi, fontos lenne Imre #!/bin/sh echo -n 'Configuring firewall ' echo "1" > /proc/sys/net/ipv4/ip_forward #allandok NET_INT=192.168.0.0/255.255.0.0 #belsĂľ halozatot lefedĂľ teljes cimtartomany IFACE_INT=eth0 #belsĂľ csatolo IFACE_EXT=eth1 #kulsĂľ csatolo IP_GW=192.168.1.1 PORT_SSH_EXT=10000 #SSH external port MORE_F_TCP_PORTS="544 1755 2628 6881 81" MORE_F_UDP_PORTS="544 1755" #544-RealMedia 1755-WindowsMedia 2628-JDictionary 6880-BitTorrent #IP_INT=192.168.100.1 #belsĂľ IP cim IP_INT="`ifconfig $IFACE_INT | grep inet\ addr | cut -f2 -d: | cut -f1 -d\ `" IP_EXT="`ifconfig $IFACE_EXT | grep inet\ addr | cut -f2 -d: | cut -f1 -d\ `" #külső IP cím #regi szabalyok tĂľrlese iptables -F iptables --delete-chain iptables -t nat -F iptables -t nat --delete-chain iptables -Z #alapertelemzetten mindent eldob iptables -P INPUT DROP iptables -P OUTPUT DROP iptables -P FORWARD DROP #visszahurkolo engedĂŠlyezĂŠse iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT #tovabbi lancok letrehozasa: iptables -N security iptables -N dosattack iptables -N sinput iptables -N portscan #gw elerhetĂľsege iptables -A INPUT -s $IP_GW -j ACCEPT iptables -A OUTPUT -d $IP_GW -j ACCEPT #Portscan & PoD loggolas iptables -A security -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG --log- prefix "FW: Xmas-tree scan (?) " iptables -A security -p tcp --tcp-flags ALL NONE -m state --state ! ESTABLISHED -j LOG --log-prefix "FW: Null scan (?) " iptables -A security -p icmp --icmp-type echo-request -m limit --limit 1/s - j ACCEPT iptables -A security -p icmp --icmp-type echo-request -j LOG --log- prefix "FW: PingofDeath attack (?) " iptables -A security -p icmp --icmp-type echo-request -j DROP iptables -A INPUT -j security iptables -A FORWARD -j security #DoS tamadasok & portscanek szurese, loggolasa iptables -A dosattack -p tcp --syn -m limit --limit 8/s -j sinput iptables -A dosattack -p tcp --syn -j LOG --log-prefix "FW: Syn-Flood attack (?) " iptables -A dosattack -p tcp --syn -j DROP iptables -A dosattack -j sinput #bejovo szabalyok iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED #jovahagyott kapcsolatok elfogadasa iptables -A INPUT -j dosattack iptables -A sinput -p tcp ! --syn -m state --state NEW -j LOG --log- prefix "FW: hidded portscan ? " iptables -A sinput -p tcp ! --syn -m state --state NEW -j DROP iptables -A sinput -i $IFACE_INT -p tcp -s $NET_INT -m multiport --dport 20,21,25,53,80,3128 -m state --state NEW -j ACCEPT iptables -A sinput -i $IFACE_INT -p udp -s $NET_INT -m multiport -- dport 20,21,25,53,80,3128 -m state --state NEW -j ACCEPT iptables -A sinput -p tcp --dport 443 -j ACCEPT iptables -A sinput -p icmp -j ACCEPT #iptables -A sinput -j LOG --log-prefix "FW: Rejected default (in) " iptables -A sinput -j REJECT #kimenĂľ szabalyok iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -A OUTPUT -p icmp --icmp-type echo-request -j DROP iptables -A OUTPUT -p icmp -j ACCEPT iptables -A OUTPUT -p tcp -m multiport --dport 20,21,25,53,80,110,443 - m state --state NEW,RELATED -j ACCEPT iptables -A OUTPUT -p udp -m multiport --dport 20,21,25,53,80,110,443 -m state --state NEW,RELATED -j ACCEPT iptables -A OUTPUT -p tcp -d $NET_INT --sport 3128 -j ACCEPT iptables -A OUTPUT -p tcp -d $NET_INT --sport 25 -j ACCEPT iptables -A OUTPUT -j LOG --log-prefix "FW: Rejected default (out) " iptables -A OUTPUT -j REJECT #tovabbitt szabalyok iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp- mss-to-pmtu iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 16/s -j ACCEPT iptables -A FORWARD -p icmp --icmp-type echo-request -j DROP iptables -A FORWARD -p icmp -j ACCEPT iptables -A FORWARD -i $IFACE_INT -p tcp -m multiport --dport 20,21,53,80,110,123,443 -m state --state NEW,RELATED -j ACCEPT iptables -A FORWARD -i $IFACE_INT -p udp -m multiport --dport 20,21,53,80,110,123,44 #Tovabbitasra a MORE_F_TCP_PORTS tombben tarolt portok kinyitasa if test -n "$MORE_F_TCP_PORTS" then for i in $MORE_F_TCP_PORTS do iptables -A FORWARD -i $IFACE_INT -p tcp --dport $i -m state --state NEW,RELATED -j ACCEPT done fi if test -n "$MORE_F_UDP_PORTS" then for i in $MORE_F_UDP_PORTS do iptables -A FORWARD -i $IFACE_INT -p udp --dport $i -m state -- state NEW,RELATED -j ACCEPT done fi #iptables -A FORWARD -j LOG --log-prefix "FW: Rejected default (fwd) " iptables -A FORWARD -j REJECT #NAT iptables -t nat -A POSTROUTING -o $IFACE_EXT -j MASQUERADE #transzparens proxy engedalyezase iptables -t nat -A PREROUTING -i $IFACE_INT -s $NET_INT -p tcp --dport 80 -j REDIRECT --to-ports 3128 iptables -t nat -A PREROUTING -p tcp --dport $PORT_SSH_EXT --syn -m limit --limit 60/hour -j LOG --log-prefix "FW: Permitted SSH connect " iptables -t nat -A PREROUTING -p tcp --dport $PORT_SSH_EXT --syn -m limit --limit 60/hour -j DNAT --to $IP_INT:10000 iptables -t nat -A PREROUTING -p tcp --dport $PORT_SSH_EXT --syn -j LOG --log-prefix "FW: Unpermitted SSH Connect " iptables -t nat -A PREROUTING -p tcp --dport $PORT_SSH_EXT --syn -j DROP iptables -t nat -A PREROUTING -p tcp --dport $PORT_SSH_EXT -j DNAT -- to $IP_INT:10000 echo 'Done' _____________________________________________________________________ Ön lemondana évi 72 ezer forint támogatásról? http://lakaskassza.origo.hu/index.html _________________________________________________ linux lista - [email protected] http://mlf2.linux.rulez.org/mailman/listinfo/linux
