iptables

Kostas Liakakis kostas at skiathos.physics.auth.gr
Wed Nov 14 11:21:01 EET 2001


You don't tell me what you want to do, though...
Looking at the little script, I'm guessing you want to let people connect to a www server
and an smtp server.
Also, you probably want your smtp server to be able to send mail, and you want
to be able to do ftp. Right?

I didn't get the "domain" thing on UDP... The icmp part makes sense.

The first objection would be the use of DROP. REJECT is preferable, since it
sends an error back. That may also be the reason the port-scanning program
shows you ports as open. Change it and see.

Now, if you want, let's have a little chat :-) So:

"Dimitrios Tsimbidis" <dtsimbid at otenet.gr> wrote
> OURNET="192.168.1.0/24"
> OURDEV="eth0"
> WORLDADDR="0/0"
> WORLDDEV="eth1"
> TCPIN="smtp,www"
> TCPOUT="smtp,www,ftp,ftp-data"
> #  Rules
> $IPTABLES -F FORWARD -v
> $IPTABLES -P FORWARD DROP -v

Default action DROP.

> $IPTABLES -A INPUT -i $WORLDDEV -j DROP -v

You drop whatever comes in from outside to the router itself. Correct.

> $IPTABLES -A FORWARD -s $OURNET -i $WORLDDEV -j DROP -v

You also throw away whatever comes from outside carrying one of your own IPs. Correct.

> #SMURF
> $IPTABLES -A FORWARD -m icmp -p icmp -i $WORLDDEV -d $OURNET -j DROP -v

You throw away _all_ the icmp that comes to you... hmmm... Hmm.. why? Since you do
a finer selection later, at the end...

> $IPTABLES -A FORWARD -f -j ACCEPT -v

You accept the fragments...  I think that since IP_ALWAYS_DEFRAG stopped being
a compile option, enabling ip_forward automatically does defragmentation as well,
before the packet is passed to netfilter... but then again I'm not entirely
sure... Christosssss...

> $IPTABLES -A FORWARD -m multiport -p tcp -d $OURNET --dport $TCPIN
> ! --tcp-flags SYN,ACK ACK -j ACCEPT -v

You accept the SYN and SYNACK towards your www and smtp server.

> $IPTABLES -A FORWARD -m multiport -p tcp -s $OURNET --sport $TCPIN
> ! --tcp-flags SYN,ACK ACK -j ACCEPT -v

You send out whatever comes from your www/smtp server and is SYN or
SYNACK. Hmm....

> $IPTABLES -A FORWARD -m multiport -p tcp -i $WORLDDEV -d $OURNET --dport
> $TCPIN --syn -j ACCEPT -v

You accept whatever has SYN and goes to www/smtp (again...)

> $IPTABLES -A FORWARD -m multiport -p tcp -i $OURDEV -d $WORLDADDR --dport
> $TCPOUT --syn -j ACCEPT -v

And you send out whatever is SYN and goes to ftp, ftp-data, smtp,
www.

So in the end, will you let them send data? You only let SYN packets pass
through the router...
I think you got tangled up somewhere. Maybe that's why you can't see the outside
world after all? Maybe it would be better to:

$IPTABLES -A FORWARD -m multiport -p tcp -i $WORLDDEV --dport $TCPIN -j ACCEPT -v
$IPTABLES -A FORWARD -m multiport -p tcp -i $OURDEV --sport $TCPOUT -j ACCEPT -v

Unless you're asking for something different that I didn't catch....

-K.
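To make the point about SYN-only filtering concrete, here is an added example (not from the thread and not real iptables): a simplified Python model of the quoted FORWARD chain, walked in rule order, with constructed sample packets. The addresses, interfaces and ports are the ones from the quoted script; a full inbound handshake gets through, but the first data segment and the SYN/ACK answering an outbound connection both fall to the DROP policy.

```python
# Added example (not from the thread): a simplified model of the quoted FORWARD
# chain. Addresses/interfaces/ports are from the quoted script; packets are constructed.
import ipaddress

OURNET = ipaddress.ip_network("192.168.1.0/24")
TCPIN = {25, 80}              # smtp, www
TCPOUT = {25, 80, 21, 20}     # smtp, www, ftp, ftp-data

def not_pure_ack(flags):
    # "! --tcp-flags SYN,ACK ACK": match unless, of SYN and ACK, only ACK is set
    return not ("ACK" in flags and "SYN" not in flags)

def is_syn(flags):
    # "--syn": SYN set and ACK, RST, FIN clear
    return "SYN" in flags and not (flags & {"ACK", "RST", "FIN"})

def forward(p):
    # Walk the quoted FORWARD rules in order; the chain policy is DROP.
    src, dst = ipaddress.ip_address(p["src"]), ipaddress.ip_address(p["dst"])
    iface, flags = p["iface"], p.get("flags", set())
    if iface == "eth1" and src in OURNET:             # -s OURNET -i eth1: anti-spoof
        return "DROP"
    if p["proto"] == "icmp" and iface == "eth1" and dst in OURNET:
        return "DROP"
    if p.get("fragment"):                             # -f -j ACCEPT (non-first fragments)
        return "ACCEPT"
    if p["proto"] == "tcp":
        if dst in OURNET and p["dport"] in TCPIN and not_pure_ack(flags):
            return "ACCEPT"
        if src in OURNET and p["sport"] in TCPIN and not_pure_ack(flags):
            return "ACCEPT"
        if iface == "eth1" and dst in OURNET and p["dport"] in TCPIN and is_syn(flags):
            return "ACCEPT"
        if iface == "eth0" and p["dport"] in TCPOUT and is_syn(flags):
            return "ACCEPT"
    return "DROP"                                     # -P FORWARD DROP

def tcp(iface, src, sport, dst, dport, *flags):
    return {"iface": iface, "proto": "tcp", "src": src, "sport": sport,
            "dst": dst, "dport": dport, "flags": set(flags)}

# Constructed samples. Inbound HTTP connection to the www server 192.168.1.10:
SYN_IN = tcp("eth1", "203.0.113.5", 40000, "192.168.1.10", 80, "SYN")
SYNACK_OUT = tcp("eth0", "192.168.1.10", 80, "203.0.113.5", 40000, "SYN", "ACK")
DATA_IN = tcp("eth1", "203.0.113.5", 40000, "192.168.1.10", 80, "ACK", "PSH")
# Reply to a connection an inside client (192.168.1.20) opened to an outside www server:
SYNACK_BACK = tcp("eth1", "198.51.100.7", 80, "192.168.1.20", 50000, "SYN", "ACK")
print({n: forward(p) for n, p in [("SYN_IN", SYN_IN), ("SYNACK_OUT", SYNACK_OUT),
                                  ("DATA_IN", DATA_IN), ("SYNACK_BACK", SYNACK_BACK)]})
```

The model ignores `-d $WORLDADDR` (0/0 matches everything) and the multiport port-name lookups, which do not change the verdicts shown.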
More information about the Linux-greek-users mailing list