firewall (continued)
Giorgos Keramidas
keramida at ceid.upatras.gr
Tue Nov 15 19:21:19 EET 2005
On 2005-11-15 09:44, Harris Kosmidhs <hkosmidi at softnet.tuc.gr> wrote:
> Since such a topic has come up, let me ask something too. I have a laptop
> that I use in the morning at the university where I work, and then I take
> it home, where I have a simple 192.168.0.x network and get out to the net
> through some other computer.
>
> So that I don't change the settings by hand every time, I run a small
> script that basically changes the ip/gateway etc.
>
> Recently I decided to use a firewall too. Since I had no idea about
> iptables, I decided to install something graphical to control it as well.
> The best thing I found is firestarter. I made a small script that
> basically allows only ssh and bittorrent inbound.
>
> The problem is that when the laptop goes home and I change its address
> to 192.168.0.200, the machine accepts no inbound or outbound traffic at
> all and I have to turn it off by hand.
I solved this problem by creating, in the root user's home directory, a
script for each connection I use:
# /root/net/home.sh
# /root/net/work.sh
home.sh, for example, contains the following:
#!/bin/sh
# home.sh: switch the laptop over to the home network. Runs as root.

echo 'Stopping (named,sendmail)'
/etc/rc.d/named stop
/etc/rc.d/sendmail stop
cp /etc/resolv.conf_home /etc/resolv.conf
cp /etc/namedb/named.conf_home /etc/namedb/named.conf

# While the interface is being reconfigured, run with a ruleset that
# blocks all incoming traffic, so nothing is exposed in the meantime.
echo 'Loading safe firewall ruleset (all incoming blocked)'
cp /etc/pf.conf_safe /etc/pf.conf
/etc/rc.d/pf reload

# Interface settings for the home WLAN, handed to the netif rc script
# through the environment instead of /etc/rc.conf. The WEP key is a
# placeholder (and WEP itself offers little protection).
echo 'Setting up ath0 network interface'
export ifconfig_ath0="DHCP ssid XXXX wepmode on weptxkey 1 wepkey 1:0xFFFFFFFFFFFFFFFFFFFFFFFFFF"
/etc/rc.d/netif stop bge0
/etc/rc.d/netif stop ath0
/etc/rc.d/netif start ath0

# Wait up to 30 seconds for the wireless interface to associate.
echo -n "Waiting for ath0 to associate "
_timeout=0
_associated=NO
while [ "$_timeout" -lt 30 ]; do
    status=$( ifconfig ath0 2>&1 | grep status: | awk '{print $2}' )
    if [ X"${status}" = X"associated" ]; then
        _associated=YES
        break
    fi
    echo -n '.'
    sleep 1
    _timeout=$(( _timeout + 1 ))
done
if [ X"${_associated}" = X"YES" ]; then
    echo " ok"
else
    echo ''
    echo "Failed to bring up ath0. Aborting."
    /etc/rc.d/netif stop ath0
    exit 1
fi

# Only now load the (less strict) home ruleset and bring the services back.
echo 'Loading home firewall rules.'
cp /etc/pf.conf_home /etc/pf.conf
/etc/rc.d/pf reload

echo 'Starting services'
/etc/rc.d/named start
/etc/rc.d/sendmail start
You can write something similar for iptables, as long as you save
'ready-made' rule sets beforehand for each connection you want to use.
> I attach the output of iptables -L -n, in case you can help and tell me
> whether it's good (= medium security). I'd also like to ask which LOG
> commands I can throw out, because my logs have become enormous and I
> don't think I need to keep THAT much information...
>
> ===============================
> Chain INBOUND (1 references)
> target     prot opt source               destination
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpts:6881:6889
> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:6881:6889
> ACCEPT     tcp  --  192.168.0.0/24       0.0.0.0/0            tcp dpt:22
> ACCEPT     udp  --  192.168.0.0/24       0.0.0.0/0            udp dpt:22
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpts:20:21
> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:20:21
> LSI        all  --  0.0.0.0/0            0.0.0.0/0
Observations on the INBOUND rule chain:
- Why are ports 6881:6889 open?
- You don't need port UDP:22 for SSH to work.
- You don't need port UDP:20 or UDP:21 for FTP to work.
> Chain INPUT (policy DROP)
> target     prot opt source               destination
> ACCEPT     tcp  --  155.207.0.31         0.0.0.0/0            tcp flags:!0x17/0x02
> ACCEPT     udp  --  155.207.0.31         0.0.0.0/0
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:33434
> LSI        icmp --  0.0.0.0/0            0.0.0.0/0
> DROP       all  --  0.0.0.0/0            255.255.255.255
> DROP       all  --  0.0.0.0/0            155.207.87.255
> DROP       all  --  224.0.0.0/8          0.0.0.0/0
> DROP       all  --  0.0.0.0/0            224.0.0.0/8
> DROP       all  --  255.255.255.255      0.0.0.0/0
> DROP       all  --  0.0.0.0/0            0.0.0.0
> DROP       all  --  0.0.0.0/0            0.0.0.0/0            state INVALID
> LSI        all  -f  0.0.0.0/0            0.0.0.0/0            limit: avg 10/min burst 5
> INBOUND    all  --  0.0.0.0/0            0.0.0.0/0
> LOG_FILTER all  --  0.0.0.0/0            0.0.0.0/0
> LOG        all  --  0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix `Unknown Input'
Observations on the INPUT rule chain:
- Host 155.207.0.31 has hacked you with no trouble at all :P
- Why do you accept incoming packets from 0.0.0.0/0?
- The LSI chain turns out to be a big mess.
- Remove the log lines, you're filling up your disk for nothing.
> Chain FORWARD (policy DROP)
> target     prot opt source               destination
> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:33434
> LSI        icmp --  0.0.0.0/0            0.0.0.0/0
> LOG_FILTER all  --  0.0.0.0/0            0.0.0.0/0
> LOG        all  --  0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix `Unknown Forward'
The LOG_FILTER ruleset is cute, but it's pretty much useless, and so is the
whole FORWARD chain, unless you want to turn your laptop into a router.
> Chain LOG_FILTER (5 references)
> target     prot opt source               destination
>
> Chain LSI (4 references)
> target     prot opt source               destination
> LOG_FILTER all  --  0.0.0.0/0            0.0.0.0/0
> LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
> DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02
> LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x04 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
> DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x04
> LOG        icmp --  0.0.0.0/0            0.0.0.0/0            icmp type 8 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
> DROP       icmp --  0.0.0.0/0            0.0.0.0/0            icmp type 8
> LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 5/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
> DROP       all  --  0.0.0.0/0            0.0.0.0/0
Unbelievable nonsense! Enough with these GUI 'tools' already. I don't even
want to get into the OUTPUT chain.
What can I say... I would never use such a complicated ruleset. The more
complex something is, the easier it is for something to go wrong.
I would prefer something like the following in a script:
# Flush the filter table and start from a deny-by-default policy:
# nothing comes in, nothing is forwarded, everything may go out.
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Loopback traffic, and replies to connections this host opened itself
# (without the state rule, answers to outgoing connections would be
# dropped by the INPUT policy).
iptables -A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
That's it for a start. Later you can 'selectively' open up some incoming
packets :)
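An added example, not code from this thread: the same idea as the home.sh/work.sh scripts in the reply (one saved ruleset per location, a closed ruleset while switching, then the location's own rules), done for iptables as the reply suggests for the Linux laptop in the question. It keeps to the minimal deny-by-default ruleset at the end of the reply, adds the state rule that lets replies to outgoing connections back in, opens ssh (TCP only, no UDP:22) from the local network of the current location and the bittorrent ports only at home, and logs dropped SYNs under a rate limit so the logs stay small. The script name, the command names, and the work subnet 155.207.87.0/24 (taken from the 155.207.87.255 broadcast address in the quoted ruleset) are assumptions; the ruleset is fed to iptables-restore, which replaces the filter table in one atomic step instead of rule by rule.

```shell
#!/bin/sh
# netloc.sh: emit (and optionally load) a minimal, stateful iptables
# ruleset for a named location. Example code added to this page, not
# from the original thread. Networks, ports and limits are assumptions.
set -eu

HOME_NET="192.168.0.0/24"    # home LAN (from the question)
WORK_NET="155.207.87.0/24"   # assumed university subnet, adjust to yours
BT_PORTS="6881:6889"         # bittorrent inbound, wanted at home only

# Print an iptables-restore ruleset for the given location.
# Policy: drop everything inbound by default, let replies to what we
# started back in, then open a few things per location. Only NEW TCP
# SYNs that are about to be dropped get logged, rate-limited.
ruleset_for() {
    loc=$1
    case "$loc" in
        home) ssh_from=$HOME_NET ;;
        work) ssh_from=$WORK_NET ;;
        *) echo "unknown location: $loc" >&2; return 1 ;;
    esac

    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, then replies to connections this host opened
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# answer pings, but not floods
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/sec -j ACCEPT
# ssh only from the local network of the current location, TCP only
-A INPUT -s $ssh_from -p tcp --dport 22 -m state --state NEW -j ACCEPT
EOF
    if [ "$loc" = home ]; then
        cat <<EOF
# bittorrent peers may connect to us at home (not at work)
-A INPUT -p tcp --dport $BT_PORTS -m state --state NEW -j ACCEPT
EOF
    fi
    cat <<EOF
# log new connection attempts we are about to drop, at most 3 per minute
-A INPUT -p tcp --syn -m limit --limit 3/min --limit-burst 5 -j LOG --log-prefix "fw-drop: " --log-level 6
COMMIT
EOF
}

# Number of -A rules in the ruleset for a location (a quick sanity check).
count_rules() {
    ruleset_for "$1" | grep -c '^-A '
}

# Replace the running filter table in one step; iptables-restore applies
# the whole file atomically, so there is no window with a half-built chain.
load_ruleset() {
    ruleset_for "$1" | iptables-restore
}

if [ $# -gt 0 ]; then
    case "$1" in
        show) ruleset_for "${2:-home}" ;;
        load) load_ruleset "${2:-home}" ;;
        *) echo "usage: $0 show|load [home|work]" >&2; exit 2 ;;
    esac
fi
```

`sh netloc.sh show home` prints the generated rules for review; `sh netloc.sh load home`, run as root, installs them. In a per-location script like the one in the reply, the load goes exactly where that script swaps pf.conf: a `load` of a closed ruleset before the interface is reconfigured, and the location's ruleset once it is up.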
More information about the Linux-greek-users mailing list