firewall sunexeias
Alex Chontzopoulos
ac at it-cell.com
Tue Nov 15 10:31:39 EET 2005
I don't like it. Not so much for what you let through ..
but for the way the script is written. Apart from the ssh that you let through from your internal network, you also let the whole world (see 0.0.0.0/0) connect to your ftp .. (It's the 2 lines BEFORE the last one in the INBOUND chain)
I just saw this.. INPUT chain, 3rd rule
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
????????????
Am I missing something here ??
Why don't you go to the site www.grc.com and pick shieldsup to see what you have open to the outside world ?
-----Original Message-----
From: linux-greek-users-bounces at lists.hellug.gr [mailto:linux-greek-users-bounces at lists.hellug.gr] On Behalf Of Harris Kosmidhs
Sent: Tuesday, November 15, 2005 9:45 AM
To: linux-greek-users at hellug.gr
Subject: firewall sunexeias
Since such a topic has come up, let me ask something too.
I have a laptop which I use in the morning at the university where I work and
then I take it home, where I have a simple little network 192.168.0.x and
get on the net through some other computer.
So as not to change the settings by hand every time, I run a little script
that essentially changes the ip/gateway etc.
Lately I decided to use a firewall too. Since I had no idea about iptables
I decided to put in something graphical to control it as well. The best
I found is firestarter. I made a little script where essentially I
allow only ssh and bittorrent inbound.
The problem is that when the laptop goes home and I change its
address to 192.168.0.200, the machine accepts no traffic inbound
or outbound and I have to shut it down by hand.
I attach the iptables -L -n, if you can help and also tell me
whether it is good (=medium security). I would also like to ask which LOG
commands I can throw out, because my logs have become huge and I don't
think I need to keep THAT MUCH information...
===============================
Chain INBOUND (1 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:6881:6889
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:6881:6889
ACCEPT tcp -- 192.168.0.0/24 0.0.0.0/0 tcp dpt:22
ACCEPT udp -- 192.168.0.0/24 0.0.0.0/0 udp dpt:22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:20:21
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:20:21
LSI all -- 0.0.0.0/0 0.0.0.0/0
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 155.207.0.31 0.0.0.0/0 tcp flags:!0x17/0x02
ACCEPT udp -- 155.207.0.31 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:33434
LSI icmp -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 255.255.255.255
DROP all -- 0.0.0.0/0 155.207.87.255
DROP all -- 224.0.0.0/8 0.0.0.0/0
DROP all -- 0.0.0.0/0 224.0.0.0/8
DROP all -- 255.255.255.255 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0
DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
LSI all -f 0.0.0.0/0 0.0.0.0/0 limit: avg 10/min burst 5
INBOUND all -- 0.0.0.0/0 0.0.0.0/0
LOG_FILTER all -- 0.0.0.0/0 0.0.0.0/0
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Unknown Input'
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:33434
LSI icmp -- 0.0.0.0/0 0.0.0.0/0
LOG_FILTER all -- 0.0.0.0/0 0.0.0.0/0
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Unknown Forward'
Chain LOG_FILTER (5 references)
target prot opt source destination
Chain LSI (4 references)
target prot opt source destination
LOG_FILTER all -- 0.0.0.0/0 0.0.0.0/0
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04
LOG icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
DROP icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 5/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain LSO (0 references)
target prot opt source destination
LOG_FILTER all -- 0.0.0.0/0 0.0.0.0/0
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 5/sec burst 5 LOG flags 0 level 6 prefix `Outbound '
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain OUTBOUND (1 references)
target prot opt source destination
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 155.207.87.86 155.207.0.31 tcp dpt:53
ACCEPT udp -- 155.207.87.86 155.207.0.31 udp dpt:53
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 224.0.0.0/8 0.0.0.0/0
DROP all -- 0.0.0.0/0 224.0.0.0/8
DROP all -- 255.255.255.255 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0
DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
OUTBOUND all -- 0.0.0.0/0 0.0.0.0/0
LOG_FILTER all -- 0.0.0.0/0 0.0.0.0/0
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Unknown Output'
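The two points raised in this thread (the `ACCEPT all` rule in INPUT that matches before anything else gets a chance, and the `LOG` rules that have no `limit:` match and therefore fill the logs) can be checked mechanically from an `iptables -L -n` listing. The script below is an added example, not code from either poster or from firestarter: it parses the standard `iptables -L -n` column layout (target, prot, opt, source, destination, then free-text match), flags ACCEPT rules open to any source that are not restricted to RELATED,ESTABLISHED traffic, and lists LOG rules without a rate limit. `SAMPLE` is a constructed excerpt of the poster's listing with the mail wrapping undone; the function names and the severity labels are the example's own choices.

```python
"""Audit an `iptables -L -n` listing for ACCEPT rules open to the whole
Internet and for LOG rules that carry no rate limit.
Added example (not from the thread). Assumes the standard `iptables -L -n`
column layout: target, prot, opt, source, destination, free-text match."""
import re
from dataclasses import dataclass

ANY = "0.0.0.0/0"

# Constructed excerpt of the poster's listing, mail line-wrapping undone.
SAMPLE = """\
Chain INBOUND (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpts:6881:6889
ACCEPT     tcp  --  192.168.0.0/24       0.0.0.0/0           tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpts:20:21
LSI        all  --  0.0.0.0/0            0.0.0.0/0
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  155.207.0.31         0.0.0.0/0           tcp flags:!0x17/0x02
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
INBOUND    all  --  0.0.0.0/0            0.0.0.0/0
LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Unknown Input'
Chain LSI (4 references)
target     prot opt source               destination
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 5/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
DROP       all  --  0.0.0.0/0            0.0.0.0/0
"""


@dataclass
class Rule:
    chain: str
    target: str
    proto: str
    source: str
    dest: str
    match: str  # text after the destination column; "" when the rule matches everything


CHAIN_RE = re.compile(r"^Chain (\S+) \(")


def parse_listing(text):
    """Turn an `iptables -L -n` listing into Rule objects, tracking the chain."""
    rules, chain = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = CHAIN_RE.match(line)
        if m:
            chain = m.group(1)
            continue
        if line.startswith("target"):  # column header row
            continue
        cols = line.split(None, 5)  # five fixed columns, then free-text match
        if len(cols) < 5 or chain is None:
            continue
        target, proto, _opt, src, dst = cols[:5]
        match = cols[5] if len(cols) > 5 else ""
        rules.append(Rule(chain, target, proto, src, dst, match))
    return rules


def world_open_accepts(text):
    """ACCEPT rules from any source that are not limited to replies of
    existing connections.  A bare `ACCEPT all` with no match text is rated
    HIGH: it short-circuits every rule after it in that chain."""
    findings = []
    for r in parse_listing(text):
        if r.target != "ACCEPT" or r.source != ANY:
            continue
        if "RELATED,ESTABLISHED" in r.match:
            continue
        severity = "HIGH" if r.proto == "all" and not r.match else "MEDIUM"
        findings.append((severity, r.chain, r.proto, r.match or "(no match: everything)"))
    return findings


def unlimited_log_rules(text):
    """LOG rules without a `limit:` match; these are what fill a log fastest."""
    return [r for r in parse_listing(text)
            if r.target == "LOG" and "limit:" not in r.match]


if __name__ == "__main__":
    for sev, chain, proto, match in world_open_accepts(SAMPLE):
        print(f"{sev:6} {chain:8} ACCEPT {proto} {match}")
    for r in unlimited_log_rules(SAMPLE):
        print(f"LOG without rate limit in chain {r.chain}: {r.match}")
```

Run against the excerpt it reports the two world-reachable port ranges in INBOUND as MEDIUM, the `ACCEPT all` in INPUT as HIGH, and the unlimited `Unknown Input` LOG rule; the rate-limited LOG in LSI is left alone. Feeding it the output of a real `iptables -L -n` works the same way, since the parser only relies on the column order.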