firewall, continued

Harris Kosmidhs hkosmidi at softnet.tuc.gr
Wed Nov 16 09:51:58 EET 2005


Giorgos Keramidas wrote:

>
>I solved this problem by creating, in the root user's home, scripts
>for each connection I use:
>
>    # /root/net/home.sh
>    # /root/net/work.sh
>
>  
>

I have done something similar too. I should probably integrate the
firewall somewhere as well :-)

>>===============================
>>Chain INBOUND (1 references)
>>target     prot opt source               destination
>>ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
>>ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
>>ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpts:6881:6889
>>ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpts:6881:6889
>>ACCEPT     tcp  --  192.168.0.0/24       0.0.0.0/0           tcp dpt:22
>>ACCEPT     udp  --  192.168.0.0/24       0.0.0.0/0           udp dpt:22
>>ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpts:20:21
>>ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpts:20:21
>>LSI        all  --  0.0.0.0/0            0.0.0.0/0
>>    
>>
>
>Observations on the INBOUND rule chain:
>
>    - Why are ports 6881:6889 open?
>    - You don't need port UDP:22 for SSH to work.
>    - You don't need port UDP:20 or UDP:21 for FTP to work.
>
>  
>

Basically I told it to keep ftpd and bittorrent open (so that I can
upload too). Now, why it opened the UDP ones I don't know... but on the
other hand, what's the harm? I mean, is there a chance of getting hacked
or flooded with UDP on that port?
What is LSI? Should I remove it?

>>Chain INPUT (policy DROP)
>>target     prot opt source               destination
>>ACCEPT     tcp  --  155.207.0.31         0.0.0.0/0           tcp flags:!0x17/0x02
>>ACCEPT     udp  --  155.207.0.31         0.0.0.0/0
>>ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
>>ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:33434
>>LSI        icmp --  0.0.0.0/0            0.0.0.0/0
>>DROP       all  --  0.0.0.0/0            255.255.255.255
>>DROP       all  --  0.0.0.0/0            155.207.87.255
>>DROP       all  --  224.0.0.0/8          0.0.0.0/0
>>DROP       all  --  0.0.0.0/0            224.0.0.0/8
>>DROP       all  --  255.255.255.255      0.0.0.0/0
>>DROP       all  --  0.0.0.0/0            0.0.0.0
>>DROP       all  --  0.0.0.0/0            0.0.0.0/0           state INVALID
>>LSI        all  -f  0.0.0.0/0            0.0.0.0/0           limit: avg 10/min burst 5
>>INBOUND    all  --  0.0.0.0/0            0.0.0.0/0
>>LOG_FILTER  all  --  0.0.0.0/0            0.0.0.0/0
>>LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Unknown Input'
>>    
>>
>
>Observations on the INPUT rule chain:
>
>    - Host 155.207.0.31 has hacked you with ease :P
>  
>
The host is the DNS of auth.gr :-)

>    - Why do you accept incoming packets from 0.0.0.0/0?
>  
>
Does this mean I accept from everywhere? But when I run nmap against my
machine I don't see any open ports other than the ones I have specified...

>    - The LSI chain turns out to be a big load of crap after all.
>    - Remove the log lines, you are filling up your disk for nothing
>  
>

>>Chain FORWARD (policy DROP)
>>target     prot opt source               destination
>>ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:33434
>>LSI        icmp --  0.0.0.0/0            0.0.0.0/0
>>LOG_FILTER  all  --  0.0.0.0/0            0.0.0.0/0
>>LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Unknown Forward'
>>    
>>
>
>The LOG_FILTER ruleset is a nice touch, but both it and the entire
>FORWARD chain are fairly useless, unless you want to turn your laptop
>into a router.
>
>  
>

That means I should delete it, right?

>>Chain LOG_FILTER (5 references)
>>target     prot opt source               destination
>>
>>Chain LSI (4 references)
>>target     prot opt source               destination
>>LOG_FILTER  all  --  0.0.0.0/0            0.0.0.0/0
>>LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
>>DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02
>>LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x04 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
>>DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x04
>>LOG        icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
>>DROP       icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8
>>LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 5/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
>>DROP       all  --  0.0.0.0/0            0.0.0.0/0
>>    
>>
>
>Unbelievable nonsense!  Enough already with these GUI 'tools'.  I don't
>even want to bother with the OUTPUT chain.
>
>What can I say... I would never use such a complicated ruleset.  The
>more the complexity of something grows, the more easily a mistake can
>be made.
>
>I would prefer something like the following in a script:
>
>    iptables -F
>
>    iptables -P INPUT   DROP
>    iptables -P FORWARD DROP
>    iptables -P OUTPUT  ACCEPT
>
>    iptables -A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
>    iptables -A INPUT -p icmp -j ACCEPT
>
>That's for a start.  Afterwards you can "selectively" open up some
>incoming packets :)
>  
>
I am of that opinion too, but I don't know iptables. E.g., if I wanted
to open ports for bittorrent I wouldn't know how to do it.

thanks
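
One way to extend the minimal default-deny script quoted above with the BitTorrent, SSH and FTP ports from the posted listing, as an added example that is not part of the original message. The `IPT` dry-run variable, the `build_ruleset` function, the interface-bound loopback rule and the ESTABLISHED,RELATED rule are assumptions of this example; the port numbers and the 192.168.0.0/24 source are taken from the posted INBOUND chain.

```shell
#!/bin/sh
# Added example: default-deny ruleset with selectively opened services.

# IPT is the command every rule is handed to. By default the rules are only
# printed, so they can be reviewed first; run as root with IPT=iptables to
# actually load them.
IPT="${IPT:-echo iptables}"

BT_PORTS="6881:6889"   # BitTorrent range from the posted INBOUND chain
FTP_PORTS="20:21"      # FTP ports from the posted INBOUND chain
LAN="192.168.0.0/24"   # only source allowed to reach SSH in the posted chain

build_ruleset() {
    $IPT -F
    $IPT -P INPUT   DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT  ACCEPT

    # Loopback traffic, matched by interface. "iptables -L -n" without -v
    # hides the interface column, so this rule is listed there as
    # "ACCEPT all -- 0.0.0.0/0 0.0.0.0/0" although it only matches lo.
    $IPT -A INPUT -i lo -j ACCEPT

    # Replies to connections this host opened (DNS answers, web, ...).
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -p icmp -j ACCEPT

    # BitTorrent: TCP for peer connections; UDP kept as in the posted
    # listing (used by clients that speak DHT).
    $IPT -A INPUT -p tcp --dport "$BT_PORTS" -j ACCEPT
    $IPT -A INPUT -p udp --dport "$BT_PORTS" -j ACCEPT

    # SSH and FTP run over TCP, so no UDP rules are added for them.
    $IPT -A INPUT -p tcp -s "$LAN" --dport 22 -j ACCEPT
    $IPT -A INPUT -p tcp --dport "$FTP_PORTS" -j ACCEPT
}

build_ruleset
```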



