[tanya-jawab] nanya iptables

Ferry Kristianto Wed, 30 Sep 2009 20:39:03 -0700

Dear all,

aku buat firewall script, rencananya hanya IP tertentu yang bisa konek, yang
lainnya di-DROP atau di-DENY tapi kok masih bisa lolos ya?? Apa ada rule
yang tertumpuk?
INPUT nya saya pengen buat DROP kalo tidak terdaftar, server memang tidak
bisa diakses saat firewall aktif, tapi paket2 internet kok lolos ke server
berikut nya ya?


tolong dong.

#!/bin/sh
# DMZ WEB
DMZ_IF="eth1"
PUBLIC_IF="eth0"

PORT_FORWARD='80 123 443 25 110 995 143 22 21 20 194 5050 6667 3142'
PUBLIC_PORT_ALLOW='10000 22 21 137 135 139 445 3306'
# internet port in, local network always allow
PORT_IN='123 443 10000 25 110 995 143 22 21 20 5050 6667 3142'

## load modules
MODPROBE="/sbin/modprobe"
$MODPROBE ip_tables
$MODPROBE iptable_filter
$MODPROBE iptable_nat
$MODPROBE iptable_mangle
$MODPROBE ipt_LOG
$MODPROBE ipt_limit
$MODPROBE ipt_state
$MODPROBE ip_nat_ftp
$MODPROBE ip_nat_irc
$MODPROBE ip_conntrack
$MODPROBE ip_conntrack_ftp
$MODPROBE ip_conntrack_irc


firewall_basic()
{
echo 1 > /proc/sys/net/ipv4/ip_forward

# No spoofing !!!
#if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ] then
#  for f in /proc/sys/net/ipv4/conf/*/rp_filter do
#    echo 1 > $f
#  done
#fi

}

firewall_flush()
{
 iptables -P INPUT ACCEPT
 iptables -P FORWARD ACCEPT
 iptables -P OUTPUT ACCEPT

 # Set the default policy for the NAT table
 iptables -t nat -P PREROUTING ACCEPT
 iptables -t nat -P POSTROUTING ACCEPT
 iptables -t nat -P OUTPUT ACCEPT

 # Delete all rules
 iptables -F
 iptables -t nat -F

 # Delete all chains
 iptables -X
 iptables -t nat -X

 iptables -t mangle -F
 iptables -t mangle -X
}

firewall_input()
{
 # A. DEFAULT AND BASIC
 # A.1. Setting default filter policy
 iptables -P INPUT DROP
 iptables -P OUTPUT ACCEPT
 #iptables -P FORWARD DROP

 # A.2. Unlimited access to loop back
 iptables -A INPUT -i lo -j ACCEPT
 iptables -A OUTPUT -o lo -j ACCEPT

 # A.3. buat chain baru untuk bad packets, TCP, UDp dan ICMP
 iptables -N bad_tcp_packets
 iptables -N allowed
 iptables -N icmp_packets

 #A.4.LOG bad packets
 iptables -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m
state --state NEW -j REJECT --reject-with tcp-reset
 iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j
LOG --log-prefix "New not syn:"
 iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

 # A.5. Allow UDP, DNS and Passive FTP dari internet interface
 iptables -A allowed -p TCP --syn -j ACCEPT
 iptables -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
 iptables -A allowed -p TCP -j DROP

 #A.6. Allow ping for all interfaces
 iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
 iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

 #B. INPUT CHAIN
 #B.1. bad packets
 iptables -A INPUT -p tcp -j bad_tcp_packets

 #B.2. ICMP
 iptables -A INPUT -p ICMP -s 0/0 -j icmp_packets
 #iptables -A FORWARD -p ICMP -s 0/0 -j icmp_packets

 #B.3. allow input from local
 #iptables -A INPUT -i $DMZ_IF -j DROP
 # TEMPORARY
 iptables -A INPUT -i $PUBLIC_IF -j ACCEPT

 # DROP UNLISTED IP
 iptables -A INPUT -s 192.168.2.1 -j ACCEPT
 iptables -A INPUT -s 192.168.2.2 -j ACCEPT
 iptables -A INPUT -s 192.168.2.3 -j ACCEPT
 iptables -A INPUT -s 192.168.2.4 -j ACCEPT


 #B.4. PORT RULES FOR PUBLIC NET
#  for PORT in $PUBLIC_PORT_ALLOW; do
#    iptables -A INPUT -i $PUBLIC_IF -p tcp --dport $PORT -j allowed
#  done

 #B.5 Paket dari internet ke firewall
 iptables -A INPUT -i $PUBLIC_IF -m state --state ESTABLISHED,RELATED -j
ACCEPT

 #B.6 mencatat paket-paket yang tidak sesuai dengan aturan di atas.
 iptables -A INPUT -m limit --limit 3/minute --limit-burst 3 -j
LOG --log-level DEBUG\
 --log-prefix "IPT INPUT packet died: "



 #C. FORWARD CHAIN
 #C.1 Bad packets
 iptables -A FORWARD -p tcp -j bad_tcp_packets

 #C.2 Forward akses ke PUBLIC NET dari DMZ NET
#  for PORT in $PORT_FORWARD; do
#    iptables -A FORWARD -p tcp -i $DMZ_IF --dport $PORT -j allowed
#  done

 #C.3 Forward akses ke PUBLIC dari localhost
 iptables -A FORWARD -p ALL -s 127.0.0.1 -o $PUBLIC_IF -j ACCEPT

 #C.4 mencatat paket-paket yang tidak sesuai dengan aturan di atas.
 iptables -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j
LOG --log-level DEBUG\
 --log-prefix "IPT FORWARD packet died: "


 #D. OUTPUT CHAIN
 #D.1 Bad packets
 iptables -A OUTPUT -p tcp -j bad_tcp_packets
 #D.2 Allow OUTPUT dari semua interface, toh yang dibatasi hanya INPUT
 iptables -A OUTPUT -o $PUBLIC_IF -j ACCEPT
 #D.3 mencatat paket-paket yang tidak sesuai dengan aturan di atas.
 iptables -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j
LOG --log-level DEBUG\
 --log-prefix "IPT FORWARD packet died: "

 #F.2 Set this system as a router for Rest of LAN
 iptables -t nat -A POSTROUTING -o $PUBLIC_IF -j MASQUERADE
}

## Main routines
firewall_start() {
 firewall_basic
 firewall_flush
 firewall_input
 return 0
}

firewall_stop()
{
 firewall_flush
 return 0
}

case "$1" in
 start)
   echo "Starting firewall ..."
   firewall_start
   ;;
 stop)
   echo "Stopping firewall ..."
   firewall_stop
   ;;
 frestart)
   echo "Only restart firewall ..."
   firewall_basic
   firewall_flush
   firewall_input
   ;;
 restart)
   echo "Restarting firewall ..."
   ## Restarting should not stop the firewall
   ## Since stopping opens the ports for a moment
   firewall_start
   ;;
 reload)
   echo "Reloading firewall ..."
   firewall_start
   ;;

 status)
   iptables -nL
   echo
   iptables -t nat -nL
   ;;
 *)
   echo "Usage $0 {start|stop|frestart|restart|reload|status}"
esac


--
FAQ milis di http://wiki.linux.or.id/FAQ_milis_tanya-jawab
Unsubscribe: kirim email ke [email protected]
Arsip dan info milis selengkapnya di http://linux.or.id/milis

[tanya-jawab] nanya iptables

Kirim email ke