Ferry Kristianto wrote:
> Dear all,
> 
> I wrote a firewall script. The plan is that only certain IPs can connect and
> everything else is DROPped or DENYed, but why do they still get through?? Are
> there overlapping rules?
> I want INPUT to DROP anything that is not listed. The server indeed cannot be
> reached while the firewall is active, but why do internet packets still get
> through to the server behind it?
> 
> Please help.
> 
> #!/bin/sh
> # DMZ WEB
> DMZ_IF="eth1"
> PUBLIC_IF="eth0"
> 
> PORT_FORWARD='80 123 443 25 110 995 143 22 21 20 194 5050 6667 3142'
> PUBLIC_PORT_ALLOW='10000 22 21 137 135 139 445 3306'
> # internet port in, local network always allow
> PORT_IN='123 443 10000 25 110 995 143 22 21 20 5050 6667 3142'
> 
> ## load modules
> MODPROBE="/sbin/modprobe"
> $MODPROBE ip_tables
> $MODPROBE iptable_filter
> $MODPROBE iptable_nat
> $MODPROBE iptable_mangle
> $MODPROBE ipt_LOG
> $MODPROBE ipt_limit
> $MODPROBE ipt_state
> $MODPROBE ip_nat_ftp
> $MODPROBE ip_nat_irc
> $MODPROBE ip_conntrack
> $MODPROBE ip_conntrack_ftp
> $MODPROBE ip_conntrack_irc
> 
> 
> firewall_basic()
> {
> echo 1 > /proc/sys/net/ipv4/ip_forward
> 
> # No spoofing !!!
> #if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
> #  for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
> #    echo 1 > $f
> #  done
> #fi
> 
> }
> 
> firewall_flush()
> {
>  iptables -P INPUT ACCEPT
>  iptables -P FORWARD ACCEPT
>  iptables -P OUTPUT ACCEPT
> 
>  # Set the default policy for the NAT table
>  iptables -t nat -P PREROUTING ACCEPT
>  iptables -t nat -P POSTROUTING ACCEPT
>  iptables -t nat -P OUTPUT ACCEPT
> 
>  # Delete all rules
>  iptables -F
>  iptables -t nat -F
> 
>  # Delete all chains
>  iptables -X
>  iptables -t nat -X
> 
>  iptables -t mangle -F
>  iptables -t mangle -X
> }
> 
> firewall_input()
> {
>  # A. DEFAULT AND BASIC
>  # A.1. Setting default filter policy
>  iptables -P INPUT DROP
>  iptables -P OUTPUT ACCEPT
>  #iptables -P FORWARD DROP
> 
>  # A.2. Unlimited access to loop back
>  iptables -A INPUT -i lo -j ACCEPT
>  iptables -A OUTPUT -o lo -j ACCEPT
> 
>  # A.3. create new chains for bad packets, TCP, UDP and ICMP
>  iptables -N bad_tcp_packets
>  iptables -N allowed
>  iptables -N icmp_packets
> 
>  # A.4. LOG bad packets
>  iptables -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
>  iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
>  iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
> 
>  # A.5. Allow UDP, DNS and Passive FTP from the internet interface
>  iptables -A allowed -p TCP --syn -j ACCEPT
>  iptables -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
>  iptables -A allowed -p TCP -j DROP
> 
>  # A.6. Allow ping for all interfaces
>  iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
>  iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
> 
>  # B. INPUT CHAIN
>  # B.1. bad packets
>  iptables -A INPUT -p tcp -j bad_tcp_packets
> 
>  # B.2. ICMP
>  iptables -A INPUT -p ICMP -s 0/0 -j icmp_packets
>  #iptables -A FORWARD -p ICMP -s 0/0 -j icmp_packets
> 
>  # B.3. allow input from local
>  #iptables -A INPUT -i $DMZ_IF -j DROP
>  # TEMPORARY
>  iptables -A INPUT -i $PUBLIC_IF -j ACCEPT
> 
>  # DROP UNLISTED IP
>  iptables -A INPUT -s 192.168.2.1 -j ACCEPT
>  iptables -A INPUT -s 192.168.2.2 -j ACCEPT
>  iptables -A INPUT -s 192.168.2.3 -j ACCEPT
>  iptables -A INPUT -s 192.168.2.4 -j ACCEPT
> 

Greetings,


Sorry, the ones you want to drop, are they IPs 192.168.2.1-4? Is the server's
interface IP in there or not? Maybe you could explain a bit more.


Regards,

ic
-- 
Imam Cartealy
Linux registered user #481374
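A small first-match simulator, added here as an illustration and not part of either message, for the INPUT chain exactly in the order the quoted script appends it. iptables stops at the first rule that matches and returns a terminating target, so the "TEMPORARY" rule `iptables -A INPUT -i $PUBLIC_IF -j ACCEPT` accepts every packet arriving on eth0 before the per-IP ACCEPT rules and the DROP policy are ever consulted; and because `iptables -P FORWARD DROP` is commented out after the flush set FORWARD to ACCEPT, forwarded traffic to the DMZ server is not filtered at all. The simulator assumes exact-host `-s` matches and omits the jumps to bad_tcp_packets/icmp_packets, which return to INPUT without a verdict for an ordinary new TCP SYN.

```python
from dataclasses import dataclass
from typing import List, Optional

PUBLIC_IF = "eth0"  # names and addresses taken from the quoted script
DMZ_IF = "eth1"
ALLOWED_SRC = ["192.168.2.1", "192.168.2.2", "192.168.2.3", "192.168.2.4"]


@dataclass
class Rule:
    target: str                  # terminating target: ACCEPT or DROP
    in_if: Optional[str] = None  # -i <iface>; None = any interface
    src: Optional[str] = None    # -s <host>; None = any source (exact host only)

    def matches(self, in_if: str, src: str) -> bool:
        return self.in_if in (None, in_if) and self.src in (None, src)


def verdict(chain: List[Rule], policy: str, in_if: str, src: str) -> str:
    """iptables traversal: first matching rule with a terminating target wins;
    if no rule matches, the chain policy decides."""
    for rule in chain:
        if rule.matches(in_if, src):
            return rule.target
    return policy


def shadowed_on(chain: List[Rule], in_if: str) -> List[Rule]:
    """Rules that can never fire for packets arriving on in_if, because an
    earlier rule already accepts every such packet regardless of source."""
    dead = []
    for i, r in enumerate(chain):
        if r.in_if not in (None, in_if):
            continue  # rule does not apply to this interface anyway
        if any(e.src is None and e.in_if in (None, in_if) for e in chain[:i]):
            dead.append(r)
    return dead


# INPUT as posted: loopback, then the interface-wide "TEMPORARY" ACCEPT,
# then the four per-host ACCEPT rules; policy DROP.
INPUT_POSTED = [Rule("ACCEPT", in_if="lo"), Rule("ACCEPT", in_if=PUBLIC_IF)]
INPUT_POSTED += [Rule("ACCEPT", src=ip) for ip in ALLOWED_SRC]

# Same chain with the interface-wide ACCEPT removed: only listed sources
# match, everything else falls through to the DROP policy.
INPUT_FIXED = [Rule("ACCEPT", in_if="lo")]
INPUT_FIXED += [Rule("ACCEPT", src=ip) for ip in ALLOWED_SRC]

# FORWARD as the script leaves it: no rules, policy ACCEPT (the DROP line
# is commented out), so packets routed to the DMZ server are never filtered.
FORWARD_POSTED: List[Rule] = []
FORWARD_POLICY = "ACCEPT"
```

Run `verdict(INPUT_POSTED, "DROP", "eth0", "203.0.113.9")` (a constructed, unlisted source) to see ACCEPT, and `shadowed_on(INPUT_POSTED, "eth0")` to list the four whitelist rules that can never fire for that interface.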


-- 
Mailing list FAQ at http://wiki.linux.or.id/FAQ_milis_tanya-jawab
Unsubscribe: send an email to [email protected]
Archive and full mailing list info at http://linux.or.id/milis
