Hello rlug, Spuneti-mi va rog sugestiile voastre cu privire la firewall-ul de mai jos......se pare ca undeva e o eroare...ca dupa ce s-a executat, daca ii dau iptables -F ingheatza calculatorul... ============================================== #!/bin/bash
# eth0 is connected to the internet. # eth1 is connected to a private subnet. # Change this subnet to correspond to your private # ethernet subnet. PRIVATE=192.168.0.0/24 # Loopback address LOOP=127.0.0.1 # Adresa externa IPEXT=a.b.c.d # Delete old iptables rules # and temporarily block all traffic. iptables -P OUTPUT DROP iptables -P INPUT DROP iptables -P FORWARD DROP iptables -F # Set default policies iptables -P OUTPUT ACCEPT iptables -P INPUT DROP iptables -P FORWARD DROP # Prevent external packets from using loopback addr iptables -A INPUT -i eth0 -s $LOOP -j DROP iptables -A FORWARD -i eth0 -s $LOOP -j DROP iptables -A INPUT -i eth0 -d $LOOP -j DROP iptables -A FORWARD -i eth0 -d $LOOP -j DROP # Anything coming from the Internet should have a real Internet address iptables -A FORWARD -i eth0 -s 192.168.0.0/16 -j DROP iptables -A FORWARD -i eth0 -s 172.16.0.0/12 -j DROP iptables -A FORWARD -i eth0 -s 10.0.0.0/8 -j DROP iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j DROP iptables -A INPUT -i eth0 -s 172.16.0.0/12 -j DROP iptables -A INPUT -i eth0 -s 10.0.0.0/8 -j DROP #Block outgoing NetBios (if you have windows machines running # on the private subnet). This will not affect any NetBios # traffic that flows over the VPN tunnel, but it will stop # local windows machines from broadcasting themselves to # the internet. iptables -A FORWARD -p tcp --sport 137:139 -o eth0 -j DROP iptables -A FORWARD -p udp --sport 137:139 -o eth0 -j DROP iptables -A OUTPUT -p tcp --sport 137:139 -o eth0 -j DROP iptables -A OUTPUT -p udp --sport 137:139 -o eth0 -j DROP # Check source address validity on packets going out to internet iptables -A FORWARD -s ! $PRIVATE -i eth1 -j DROP # Allow local loopback iptables -A INPUT -s $LOOP -j ACCEPT iptables -A INPUT -d $LOOP -j ACCEPT # Allow incoming pings (can be disabled) iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT # Allow services such as www and ssh (can be disabled) iptables -A INPUT -p tcp --dport http -j ACCEPT iptables -A INPUT -p tcp --dport ssh --syn -j ACCEPT iptables -A INPUT -p tcp --dport 110 -j ACCEPT iptables -A INPUT -p tcp --dport smtp -j ACCEPT iptables -A INPUT -p udp --dport domain -j ACCEPT # Accepta conexiunea VPN iptables -A INPUT -p udp --dport 5000 -j ACCEPT # Allow packets from TUN/TAP devices. iptables -A INPUT -i tun+ -j ACCEPT iptables -A FORWARD -i tun+ -j ACCEPT iptables -A INPUT -i tap+ -j ACCEPT iptables -A FORWARD -i tap+ -j ACCEPT # Allow packets from private subnets iptables -A INPUT -i eth1 -j ACCEPT iptables -A FORWARD -i eth1 -j ACCEPT # Keep state of connections from local machine and private subnets iptables -A OUTPUT -m state --state NEW -o eth0 -j ACCEPT iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A FORWARD -m state --state NEW -o eth0 -j ACCEPT iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -p ALL -m state --state INVALID -j DROP iptables -A INPUT -p tcp ! --syn -m state --state NEW -j LOG \ --log-prefix "Packete noi dar fara --syn:" iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP iptables -A OUTUT -p tcp ! --syn -m state --state NEW -j DROP iptables -A INPUT -p tcp --tcp-flags SYN,ACK SYN,ACK \ -m state --state NEW -j REJECT --reject-with tcp-reset # SNAT local subnet iptables -t nat -A POSTROUTING -o eth0 -s $PRIVATE -j SNAT --to-source $IPEXT # IP-uri fara drept de internet iptables -A FORWARD -s 192.168.0.72 -j REJECT #Protectie flood #aceasta regula seteaza 12 conexiuni per secunda #dupa ce s-a atins un maxim de 24 iptables -t nat -N syn-flood iptables -t nat -A syn-flood -m limit --limit 12/s --limit-burst 24 -j RETURN iptables -t nat -A syn-flood -j DROP iptables -t nat -A PREROUTING -i eth0 -d $IPEXT -p tcp --syn -j syn-flood iptables -A INPUT --fragment -p icmp -j DROP #impotriva scanarilor clandestine iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT # TOS si alte chestii iptables -A PREROUTING -t mangle -p tcp --sport ssh \ -j TOS --set-tos Minimize-Delay =============================================================================== -- Best regards, yo8stl mailto:[EMAIL PROTECTED] --- Detalii despre listele noastre de mail: http://www.lug.ro/
