On Mon, Nov 03, 2003 at 10:09:47AM +0200, lonely wolf wrote:
> good people.. andy asked for a few specific iptables rules, not a list
> of distributions designed for firewalls
> andy: here's an example of what you wanted:
>
> # xmas scan
>
> iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
>
> similar rules follow for the other scan types. as you were already
> advised, read the docs and you'll know what to add to the rule above
Here you go:
ES1 = External server 1
ES2 = External server 2
EXT1, EXT2, EXT3, EXT4, EXT5 = external addresses the firewall answers on
INT1 = IP address facing internal network number 1
INT2 = IP address facing internal network number 2
INT3 = IP address facing the demilitarized zone
DMZ1, DMZ2, DMZ3 = Servers in the demilitarized zone
PCI11, PCI12, PCI13 ... = PCs in internal network number 1
PCI21, PCI22 ... = PCs in internal network number 2
INET1 = internal network number 1
INET2 = internal network number 2
                      ES1            ES2
                         \          /
                           \      /
                             \  /
                           Internet
                               |                        |---DMZ3
                               |                        |
                               |                        |
    +----------EXT1,EXT2,EXT3,EXT4,EXT5----------+      |---DMZ1
    |                                            |      |
    |              ################              |      |
    |              #   firewall   #            INT3-----|---DMZ2
    |              ################              |
    |                                            |
    +-------------INT1---------INT2--------------+
                   |            |
                 INET1        INET2
                   |            |
  +------+------+------+--   +------+------+
  |      |      |      |     |      |
  |      |      |      |     |      |
PCI11  PCI12  PCI13   ...  PCI21  PCI22  ...
quick and dirty:
----------------------------------------------------------
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# port forwarding from the public addresses to the DMZ servers
-A PREROUTING -d EXT1 -p tcp -m tcp --dport 80 -j DNAT --to-destination DMZ1
-A PREROUTING -d EXT2 -p tcp -m tcp --dport 22 -j DNAT --to-destination DMZ2
-A PREROUTING -d EXT2 -p tcp -m tcp --dport 25 -j DNAT --to-destination DMZ2
-A PREROUTING -d EXT3 -p tcp -m tcp --dport 443 -j DNAT --to-destination DMZ3
# outbound NAT for the internal PCs and the DMZ servers
-A POSTROUTING -s PCI21 -j MASQUERADE
-A POSTROUTING -s PCI22 -j MASQUERADE
-A POSTROUTING -s PCI11 -j MASQUERADE
-A POSTROUTING -s PCI12 -j MASQUERADE
-A POSTROUTING -s PCI13 -j MASQUERADE
-A POSTROUTING -s DMZ1 -j MASQUERADE
-A POSTROUTING -s DMZ2 -j MASQUERADE
-A POSTROUTING -s DMZ3 -j MASQUERADE
COMMIT
# Completed on
# Generated by iptables-save
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# services the firewall itself accepts: ssh from the two external servers
# and from one internal PC, DNS and SMTP from the inside, SMTP/DNS on EXT1
-A INPUT -s ES1 -d EXT5 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s ES2 -d EXT5 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s PCI21 -d INT2 -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s INET1/255.255.255.0 -d INT1 -i eth1 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s INET1/255.255.255.0 -d INT1 -i eth1 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -d INT1 -i eth1 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -d EXT1 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -d EXT1 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -d EXT1 -p udp -m udp --dport 53 -j ACCEPT
# everything else on the privileged ports of each firewall address is rejected;
# ports above 1023 are not matched here and fall through to the INPUT ACCEPT policy
-A INPUT -d EXT1 -p tcp -m tcp --dport 0:1023 -j REJECT --reject-with icmp-proto-unreachable
-A INPUT -d EXT1 -p udp -m udp --dport 0:1023 -j REJECT --reject-with icmp-proto-unreachable
-A INPUT -d EXT2 -p tcp -m tcp --dport 0:1023 -j REJECT --reject-with icmp-proto-unreachable
-A INPUT -d EXT2 -p udp -m udp --dport 0:1023 -j REJECT --reject-with icmp-proto-unreachable
-A INPUT -d EXT3 -p tcp -m tcp --dport 0:1023 -j REJECT --reject-with icmp-proto-unreachable
-A INPUT -d EXT3 -p udp -m udp --dport 0:1023 -j REJECT --reject-with icmp-proto-unreachable
-A INPUT -d INT1 -p tcp -m tcp --dport 0:1023 -j REJECT --reject-with icmp-proto-unreachable
-A INPUT -d INT1 -p udp -m udp --dport 0:1023 -j REJECT --reject-with icmp-proto-unreachable
-A INPUT -d INT2 -p tcp -m tcp --dport 0:1023 -j REJECT --reject-with icmp-proto-unreachable
-A INPUT -d INT2 -p udp -m udp --dport 0:1023 -j REJECT --reject-with icmp-proto-unreachable
-A INPUT -d EXT4 -p tcp -m tcp --dport 0:1023 -j REJECT --reject-with icmp-proto-unreachable
-A INPUT -d EXT4 -p udp -m udp --dport 0:1023 -j REJECT --reject-with icmp-proto-unreachable
-A INPUT -d EXT5 -p tcp -m tcp --dport 0:1023 -j REJECT --reject-with icmp-proto-unreachable
-A INPUT -d EXT5 -p udp -m udp --dport 0:1023 -j REJECT --reject-with icmp-proto-unreachable
-A INPUT -d INT3 -p tcp -m tcp --dport 0:1023 -j REJECT --reject-with icmp-proto-unreachable
-A INPUT -d INT3 -p udp -m udp --dport 0:1023 -j REJECT --reject-with icmp-proto-unreachable
# anti-spoofing: private source addresses must not arrive on the external interface
-A FORWARD -s 192.168.0.0/255.255.0.0 -i eth0 -j DROP
-A FORWARD -s 172.16.0.0/255.240.0.0 -i eth0 -j DROP
-A FORWARD -s 10.0.0.0/255.0.0.0 -i eth0 -j DROP
# drop forwarded traffic that comes FROM these service ports (tftp, NetBIOS/SMB,
# RPC, NFS and others); note that these rules match the source port, not the destination
-A FORWARD -p udp -m udp --sport 69 -j DROP
-A FORWARD -p tcp -m tcp --sport 135:139 -j DROP
-A FORWARD -p udp -m udp --sport 135:139 -j DROP
-A FORWARD -p tcp -m tcp --sport 445 -j DROP
-A FORWARD -p udp -m udp --sport 445 -j DROP
-A FORWARD -p tcp -m tcp --sport 593 -j DROP
-A FORWARD -p udp -m udp --sport 593 -j DROP
-A FORWARD -p tcp -m tcp --sport 635 -j DROP
-A FORWARD -p udp -m udp --sport 635 -j DROP
-A FORWARD -p tcp -m tcp --sport 2049 -j DROP
-A FORWARD -p udp -m udp --sport 2049 -j DROP
-A FORWARD -p tcp -m tcp --sport 4444 -j DROP
-A FORWARD -p tcp -m tcp --sport 111 -j DROP
-A FORWARD -p udp -m udp --sport 111 -j DROP
-A FORWARD -p udp -m udp --sport 12203 -j DROP
COMMIT
# Completed on
----------------------------------------------------------
save it to a file, edit it - replace the variables with what belongs
there, try to understand what it does,
iptables-restore < file and then you're on your own..
I'm not responsible for what happens to you.. bear in mind that if you want
a proper firewall you have to do much more than this, and I'm sure there
are guys on this list who'll build one for you for good money.. not for
your pretty eyes..
S.
---
Details about our mailing lists: http://www.lug.ro/
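As an added example (not from the post or from the list), the first-match walk that iptables performs on the INPUT chain, reduced to the match options this ruleset uses, so the effect of the `:INPUT ACCEPT` policy on the ports above 1023 can be checked offline before running iptables-restore. The addresses stand in for the placeholders (ES1, EXT1, EXT5, INT1, INET1) and are made up.

```python
import ipaddress
import shlex

# Constructed excerpt of the posted INPUT chain, placeholders replaced with made-up
# addresses (assumption): ES1=198.51.100.10 EXT1=203.0.113.1 EXT5=203.0.113.5 INT1=192.168.1.1
RULES = """
:INPUT ACCEPT [0:0]
-A INPUT -s 198.51.100.10 -d 203.0.113.5 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.1.0/255.255.255.0 -d 192.168.1.1 -i eth1 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -d 203.0.113.1 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -d 203.0.113.1 -p tcp -m tcp --dport 0:1023 -j REJECT --reject-with icmp-proto-unreachable
-A INPUT -d 203.0.113.5 -p tcp -m tcp --dport 0:1023 -j REJECT --reject-with icmp-proto-unreachable
-A INPUT -d 192.168.1.1 -p udp -m udp --dport 0:1023 -j REJECT --reject-with icmp-proto-unreachable
"""

def parse_input_chain(text):
    """(policy, rules) of the INPUT chain; understands only the matches the posted
    ruleset uses: -s/-d (optional /prefix or /netmask), -i, -p, --dport, -j."""
    policy, rules = "ACCEPT", []
    for line in text.strip().splitlines():
        tok = shlex.split(line)
        if tok[0] == ":INPUT":          # chain header carries the default policy
            policy = tok[1]
        elif tok[:2] == ["-A", "INPUT"]:
            rule, it = {}, iter(tok[2:])
            for t in it:
                if t in ("-s", "-d"):
                    rule[t] = ipaddress.ip_network(next(it), strict=False)
                elif t in ("-i", "-p", "-j"):
                    rule[t] = next(it)
                elif t == "--dport":
                    lo, _, hi = next(it).partition(":")
                    rule[t] = (int(lo), int(hi or lo))
            rules.append(rule)
    return policy, rules

def verdict(text, src, dst, proto, dport, iface="eth0"):
    """First matching rule decides; a packet that matches no rule gets the chain policy."""
    policy, rules = parse_input_chain(text)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if ("-s" in r and src not in r["-s"]) or ("-d" in r and dst not in r["-d"]):
            continue
        if r.get("-i", iface) != iface or r.get("-p", proto) != proto:
            continue
        if "--dport" in r and not r["--dport"][0] <= dport <= r["--dport"][1]:
            continue
        return r["-j"]
    return policy
```

A packet to EXT5:22 from ES1 is accepted and from anywhere else rejected, but one to EXT5:8080 from anywhere matches nothing and is accepted by the chain policy.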