iptables

Dimitrios Tsimbidis dtsimbid at otenet.gr
Wed Nov 14 03:21:01 EET 2001


"Kostas Liakakis" <kostas at skiathos.physics.auth.gr> wrote in message
news:9sqrvn$ne2$1 at nic.grnet.gr...
>
> "Dimitrios Tsimbidis" <dtsimbid at otenet.gr> wrote in message
> news:voups9.g68.ln at news.domain.tsimbi...
> > I'm using SuSE 7.2
> > - I'm using iptables, and although the output of "iptables -L" is exactly
> > what I asked for and exactly what I want, from the outside I appear with
> > open ports as if I had no firewall at all. Do I perhaps need to put the
> > little script with the iptables parameters at some specific point of the
> > boot?
>
> If it shows them with -L it means they are active. If it doesn't close the
> ports you want, you probably have some small mistake... Tell us what you
> want to do and show us what you've written so we can take a look.


Here is my little script...



#!/bin/sh
#  Variable definition

IPTABLES=iptables
#net
OURNET="192.168.1.0/24"
OURDEV="eth0"

WORLDADDR="0/0"
WORLDDEV="eth1"

TCPIN="smtp,www"
TCPOUT="smtp,www,ftp,ftp-data"

UDPIN="domain"
UDPOUT="domain"
ICMPIN="0, 3, 11"
ICMPOUT="8, 3, 11"


#  Rules

# Only the FORWARD chain is flushed and given a DROP policy; INPUT and OUTPUT
# keep whatever rules and policy they had before.
$IPTABLES -F FORWARD -v
$IPTABLES -P FORWARD DROP -v
$IPTABLES -A INPUT -i $WORLDDEV -j DROP -v
#SPOOF: our own prefix must never arrive on the world interface
$IPTABLES -A FORWARD -s $OURNET -i $WORLDDEV -j DROP -v

#SMURF: drops every ICMP packet from the world to our net; this rule comes
# before the ICMP ACCEPT rules below, so those never match inbound ICMP
$IPTABLES -A FORWARD -m icmp -p icmp -i $WORLDDEV -d $OURNET -j DROP -v

# second and later fragments are accepted without any further check
$IPTABLES -A FORWARD -f -j ACCEPT -v


# TCP (the --tcp-flags tests stand in for connection tracking)
$IPTABLES -A FORWARD -m multiport -p tcp -d $OURNET --dport $TCPIN ! --tcp-flags SYN,ACK ACK -j ACCEPT -v
$IPTABLES -A FORWARD -m multiport -p tcp -s $OURNET --sport $TCPIN ! --tcp-flags SYN,ACK ACK -j ACCEPT -v

# new connections: inbound to the published services, outbound to the allowed ones
$IPTABLES -A FORWARD -m multiport -p tcp -i $WORLDDEV -d $OURNET --dport $TCPIN --syn -j ACCEPT -v
$IPTABLES -A FORWARD -m multiport -p tcp -i $OURDEV -d $WORLDADDR --dport $TCPOUT --syn -j ACCEPT -v


# UDP
#$IPTABLES -A FORWARD -m multiport -p udp -i $WORLDDEV -d $OURNET --dport $UDPIN -j ACCEPT -v
$IPTABLES -A FORWARD -m multiport -p udp -i $WORLDDEV -s $OURNET --sport $UDPIN -j ACCEPT -v
$IPTABLES -A FORWARD -m multiport -p udp -i $OURDEV -d $WORLDADDR --dport $UDPOUT -j ACCEPT -v
$IPTABLES -A FORWARD -m multiport -p udp -i $OURDEV -s $WORLDADDR --sport $UDPOUT -j ACCEPT -v

# ICMP
$IPTABLES -A FORWARD -m icmp -p icmp -i $WORLDDEV -d $OURNET --icmp-type echo-reply -j ACCEPT -v
$IPTABLES -A FORWARD -m icmp -p icmp -i $WORLDDEV -d $OURNET --icmp-type 3 -j ACCEPT -v
$IPTABLES -A FORWARD -m icmp -p icmp -i $WORLDDEV -d $OURNET --icmp-type 11 -j ACCEPT -v

$IPTABLES -A FORWARD -m icmp -p icmp -i $OURDEV -d $WORLDADDR --icmp-type echo-request -j ACCEPT -v
$IPTABLES -A FORWARD -m icmp -p icmp -i $OURDEV -d $WORLDADDR --icmp-type 3 -j ACCEPT -v
$IPTABLES -A FORWARD -m icmp -p icmp -i $OURDEV -d $WORLDADDR --icmp-type 11 -j ACCEPT -v


and iptables -L shows them to me correctly.
With a port scan, however, I see many open ones, e.g. 139, 389, 1002, 3128 etc...

>
> > - Also, whether I run iptables or not, and even though I have
> > IP_FORWARDING enabled in rc.config, it doesn't work as a router (e.g. a
> > ping from an internal machine on the network to the outside doesn't work).
>
> It should, but, you know, distributions often screw things up. To be sure,
> find boot.local and echo 1 > /proc/sys/net/ip_forward
>
> To check that it is on: cat /proc/sys/net/ip_forward . If it gives you 1,
> it is; if 0, it isn't.

I have already checked, it is 1 ( /proc/sys/net/ipv4/ip_forward )


>
> But to work as a router you will need:
> 1) the machine on your own network to have your router as its default
> gateway (obviously...)

I hand them out IPs, as well as gateway and DNS


> 2) the machine from which you expect a reply to know that, for your
> private subnet, it must forward the packets through your router.
>
> -K.
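For comparison, an added example (not the poster's script and not from anyone in this thread) of the same LAN/world layout written so that the loaded rule set does not depend on what was already in the chains: every chain of the filter table is flushed, INPUT and FORWARD get an explicit DROP policy before any ACCEPT rule, and connection tracking replaces the --tcp-flags and fragment exceptions. It assumes a current iptables with the conntrack match; the interface and network names are taken from the script above, while the show and firewall_rules helpers and the apply/dry-run arguments are this example's own.

```shell
#!/bin/sh
# Added example (not the poster's script): same LAN/world layout, but the
# filter table is reset completely and INPUT/FORWARD get an explicit DROP
# policy before any ACCEPT rule, so the result does not depend on what was
# loaded earlier. Assumes a current iptables with the conntrack match.
IPTABLES=${IPTABLES:-iptables}
OURNET="192.168.1.0/24"; OURDEV="eth0"; WORLDDEV="eth1"
TCPIN="smtp,www"; TCPOUT="smtp,www,ftp,ftp-data"; UDPOUT="domain"

# Dry-run helper: prints the arguments instead of calling iptables.
show() { printf '%s\n' "$*"; }

firewall_rules() {
    # Known starting state: every chain of the filter table empty.
    for chain in INPUT FORWARD OUTPUT; do
        $IPTABLES -F $chain
    done
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT

    # The router itself: loopback, replies to its own connections, and the LAN.
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -i $OURDEV -s $OURNET -j ACCEPT

    # Anti-spoofing: our own prefix must never arrive on the world interface.
    $IPTABLES -A FORWARD -i $WORLDDEV -s $OURNET -j DROP
    # Replies (including ICMP errors and echo-replies) come back via conntrack,
    # so no fragment or --tcp-flags exceptions are needed.
    $IPTABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # New inbound connections only to the published services.
    $IPTABLES -A FORWARD -i $WORLDDEV -o $OURDEV -p tcp -d $OURNET \
        -m multiport --dports $TCPIN -m conntrack --ctstate NEW -j ACCEPT
    # New outbound connections from the LAN.
    $IPTABLES -A FORWARD -i $OURDEV -o $WORLDDEV -p tcp -s $OURNET \
        -m multiport --dports $TCPOUT -m conntrack --ctstate NEW -j ACCEPT
    $IPTABLES -A FORWARD -i $OURDEV -o $WORLDDEV -p udp -s $OURNET \
        -m multiport --dports $UDPOUT -m conntrack --ctstate NEW -j ACCEPT
    $IPTABLES -A FORWARD -i $OURDEV -o $WORLDDEV -p icmp -s $OURNET \
        --icmp-type echo-request -j ACCEPT
}

# "apply" loads the rules; "dry-run" prints them for review (e.g. to diff
# against the output of 'iptables -S' after boot).
case "${1:-}" in
    apply)   firewall_rules ;;
    dry-run) IPTABLES=show; firewall_rules ;;
esac
```

Run it with dry-run first and compare the printed rules with iptables -S after the next boot; if the two differ, the script is not the thing that loaded the rules you see.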





More information about the Linux-greek-users mailing list