firewall (continued)
Harris Kosmidhs
hkosmidi at softnet.tuc.gr
Wed Nov 16 09:51:58 EET 2005
Giorgos Keramidas wrote:
>
>I solved this problem by creating, in the root user's home directory,
>scripts for each connection I use:
>
> # /root/net/home.sh
> # /root/net/work.sh
>
>
>
I have done something similar too. I should probably integrate the
firewall somewhere as well :-)
>>===============================
>>Chain INBOUND (1 references)
>>target prot opt source destination
>>ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
>>ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
>>ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:6881:6889
>>ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:6881:6889
>>ACCEPT tcp -- 192.168.0.0/24 0.0.0.0/0 tcp dpt:22
>>ACCEPT udp -- 192.168.0.0/24 0.0.0.0/0 udp dpt:22
>>ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:20:21
>>ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:20:21
>>LSI all -- 0.0.0.0/0 0.0.0.0/0
>>
>>
>
>Observations on the INBOUND rule chain:
>
> - Why are ports 6881:6889 open?
> - You don't need port UDP:22 for SSH to work.
> - You don't need port UDP:20 or UDP:21 for FTP to work.
>
>
>
Basically I told it to keep ftpd and bittorrent open (so that I can
upload as well). Now, why it opened the UDP ones I don't know... on the
other hand, though, what's the harm?? Is there a chance, that is, of
someone hacking you or flooding you with UDP on that port??
What is LSI? Should I remove it?
>>Chain INPUT (policy DROP)
>>target prot opt source destination
>>ACCEPT tcp -- 155.207.0.31 0.0.0.0/0 tcp flags:!0x17/0x02
>>ACCEPT udp -- 155.207.0.31 0.0.0.0/0
>>ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
>>ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:33434
>>LSI icmp -- 0.0.0.0/0 0.0.0.0/0
>>DROP all -- 0.0.0.0/0 255.255.255.255
>>DROP all -- 0.0.0.0/0 155.207.87.255
>>DROP all -- 224.0.0.0/8 0.0.0.0/0
>>DROP all -- 0.0.0.0/0 224.0.0.0/8
>>DROP all -- 255.255.255.255 0.0.0.0/0
>>DROP all -- 0.0.0.0/0 0.0.0.0
>>DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
>>LSI all -f 0.0.0.0/0 0.0.0.0/0 limit: avg 10/min burst 5
>>INBOUND all -- 0.0.0.0/0 0.0.0.0/0
>>LOG_FILTER all -- 0.0.0.0/0 0.0.0.0/0
>>LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Unknown Input'
>>
>>
>
>Observations on the INPUT rule chain:
>
> - The host 155.207.0.31 has hacked you with ease :P
>
>
The host is the DNS of auth.gr :-)
> - Why do you accept incoming packets from 0.0.0.0/0?
>
>
Does that mean I accept from everywhere? But running nmap against my
machine I don't see any open ports other than the ones I have set...
> - The LSI chain is a load of crap in the end.
> - Remove the log lines, you're filling your disk for nothing.
>
>
>>Chain FORWARD (policy DROP)
>>target prot opt source destination
>>ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:33434
>>LSI icmp -- 0.0.0.0/0 0.0.0.0/0
>>LOG_FILTER all -- 0.0.0.0/0 0.0.0.0/0
>>LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Unknown Forward'
>>
>>
>
>Nice touch, the LOG_FILTER ruleset, but it is pretty much useless, both
>it and the entire FORWARD chain, unless you want to turn your laptop
>into a router.
>
>
>
That means I should delete it, right?
>>Chain LOG_FILTER (5 references)
>>target prot opt source destination
>>
>>Chain LSI (4 references)
>>target prot opt source destination
>>LOG_FILTER all -- 0.0.0.0/0 0.0.0.0/0
>>LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
>>DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02
>>LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
>>DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x04
>>LOG icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
>>DROP icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8
>>LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 5/sec burst 5 LOG flags 0 level 6 prefix `Inbound '
>>DROP all -- 0.0.0.0/0 0.0.0.0/0
>>
>>
>
>Unbelievable nonsense! Enough already with these GUI 'tools'. I don't
>even want to bother with the OUTPUT chain.
>
>What can I tell you... I would never use such a complicated ruleset.
>The more the complexity of something grows, the more easily a mistake
>can be made.
>
>I would prefer something like the following in a script:
>
> iptables -F
>
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT ACCEPT
>
> iptables -A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
> iptables -A INPUT -p icmp -j ACCEPT
>
>That's for a start. Afterwards you can "selectively" open up some
>incoming packets :)
>
>
I am of the same opinion, but I don't know iptables. E.g. if I wanted to
open ports for bittorrent I wouldn't know how to do it.
thanks
More information about the Linux-greek-users
mailing list
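
An added example, not part of the original thread: one way to fold the firewall into per-connection scripts like /root/net/home.sh, extending the quoted base ruleset with TCP-only openings for the services named in the thread. The `ipt` and `fw_rules` names, the contents of the `home` and `work` profiles, the stateful rule and the dry-run default are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Dry-run by default: prints the
# commands. Run as root with APPLY=1 to load them.
LAN="192.168.0.0/24"    # LAN range as shown in the posted INBOUND chain
BT_PORTS="6881:6889"    # BitTorrent range as shown in the posted listing

# ipt: hypothetical helper; prints the command or runs iptables.
ipt() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        printf '%s\n' "iptables $*"
    fi
}

# fw_rules PROFILE: hypothetical function; "home" and "work" are assumed
# profile names mirroring /root/net/home.sh and /root/net/work.sh.
fw_rules() {
    case "$1" in
        home|work) ;;
        *) echo "usage: fw_rules home|work" >&2; return 1 ;;
    esac

    # Base ruleset quoted in the thread.
    ipt -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
    ipt -A INPUT -p icmp -j ACCEPT
    # Replies to connections this host opened; without this, INPUT DROP
    # also discards answers to outgoing traffic.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    if [ "$1" = "home" ]; then
        # TCP only: no UDP rules for SSH or FTP.
        ipt -A INPUT -p tcp --dport "$BT_PORTS" -j ACCEPT
        ipt -A INPUT -p tcp -s "$LAN" --dport 22 -j ACCEPT
        ipt -A INPUT -p tcp --dport 21 -j ACCEPT   # FTP control channel
    fi
}

# Called as "sh fw.sh home" or "sh fw.sh work"; no argument does nothing.
if [ $# -gt 0 ]; then fw_rules "$1"; fi
```

FTP data connections are accepted through the RELATED state only when the kernel's FTP connection-tracking helper is loaded; otherwise passive-mode transfers need their own rule.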