firewall (continued)
Giorgos Keramidas
keramida at ceid.upatras.gr
Wed Nov 16 20:16:50 EET 2005
On 2005-11-16 09:51, Harris Kosmidhs <hkosmidi at softnet.tuc.gr> wrote:
>Giorgos Keramidas wrote:
>> I solved this problem by creating scripts in the root user's home,
>> one for each connection I use:
>>
>> # /root/net/home.sh
>> # /root/net/work.sh
>
> I've done something similar too. I should probably integrate the
> firewall in there somewhere as well :-)
>
>>>===============================
>>>Chain INBOUND (1 references)
>>>target prot opt source destination
>>>ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
>>>ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
>>>ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:6881:6889
>>>ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:6881:6889
>>>ACCEPT tcp -- 192.168.0.0/24 0.0.0.0/0 tcp dpt:22
>>>ACCEPT udp -- 192.168.0.0/24 0.0.0.0/0 udp dpt:22
>>>ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:20:21
>>>ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:20:21
>>>LSI all -- 0.0.0.0/0 0.0.0.0/0
>>>
>>>
>>
>> Remarks on the INBOUND rule chain:
>>
>> - Why are ports 6881:6889 open?
>> - You don't need port UDP:22 for SSH to work.
>> - You don't need port UDP:20 or UDP:21 for FTP to work.
>
> Basically I told it to keep ftpd and bittorrent open (so that I can
> upload too). Now, why it opened the UDP ones, I don't
> know...
It's a bit silly, I'd say :)
> On the other hand, though, what's the harm??
Everything is harmful. Either we're paranoid bastards or we aren't :P
> So is there actually a chance of someone hacking you or flooding you
> with UDP on that port??
> What is LSI? Should I remove it?
Some nonsense that somebody, somewhere, once thought was a good
idea. A chain of rules that packets get 'sent' to when it wants
them to be rate-limited.
The mistake is that there is no good reason for packets to pass
through that chain 2-3 times, since that way they suffer 2 and 3
times over the delay that it believes is good for them.
Take the Keramidas axe to it and have fun :)
> >>Chain INPUT (policy DROP)
> >>target prot opt source destination
> >>ACCEPT tcp -- 155.207.0.31 0.0.0.0/0 tcp flags:!0x17/0x02
> >>ACCEPT udp -- 155.207.0.31 0.0.0.0/0
> >>ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
> >>ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:33434
> >>LSI icmp -- 0.0.0.0/0 0.0.0.0/0
> >>DROP all -- 0.0.0.0/0 255.255.255.255
> >>DROP all -- 0.0.0.0/0 155.207.87.255
> >>DROP all -- 224.0.0.0/8 0.0.0.0/0
> >>DROP all -- 0.0.0.0/0 224.0.0.0/8
> >>DROP all -- 255.255.255.255 0.0.0.0/0
> >>DROP all -- 0.0.0.0/0 0.0.0.0
> >>DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
> >>LSI all -f 0.0.0.0/0 0.0.0.0/0 limit: avg 10/min burst 5
> >>INBOUND all -- 0.0.0.0/0 0.0.0.0/0
> >>LOG_FILTER all -- 0.0.0.0/0 0.0.0.0/0
> >>LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Unknown Input'
> >>
> >>
> >
> > Remarks on the INPUT rule chain:
> >
> > - Host 155.207.0.31 could hack you with no trouble at all :P
>
> That host is the DNS server of auth.gr :-)
Ok, there's no reason to accept everything from there.
If you write rules that allow all TCP & UDP packets *and* keep
state (so that the reply passes through the
'ESTABLISHED,RELATED' filter), then you will never need anything
else. When you make an outgoing connection to that machine, it
will work just like all the others.
In general, I'm of the opinion that whenever there is an exception,
there must also be a VERY good reason for that exception to
exist.
> > - Why do you accept incoming packets from 0.0.0.0/0?
>
> Does that mean I accept from everywhere? But when I run nmap against
> my machine I don't see any open ports beyond the ones I have
> configured...
Hm, that's not it. They're a kind of broadcast packet :)
>>> Chain FORWARD (policy DROP)
>>> target prot opt source destination
>>> ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:33434
>>> LSI icmp -- 0.0.0.0/0 0.0.0.0/0
>>> LOG_FILTER all -- 0.0.0.0/0 0.0.0.0/0
>>> LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Unknown Forward'
>>
>> The LOG_FILTER ruleset is cute, but it's pretty much useless, and
>> so is the entire FORWARD chain, unless you want to turn your
>> laptop into a router.
>
> So that means I should delete it, right?
That's what I'd say. If it's convenient for 'filtering' some of the
packets (by DROPping them) before they hit the rule that currently
logs the entire universe, keep it. If on the other hand you don't care
that much about keeping logs of all that stuff, then ok, delete it and
put log rules only where you really want to look at the log files.
>> Unbelievable rubbish! Enough with these GUI 'tools'. I don't even
>> want to deal with the OUTPUT chain.
>>
>> What can I say... I would never use such a complicated ruleset.
>> The more the complexity of something grows, the easier it is for
>> a mistake to slip in.
>>
>> I would prefer something like the following in a script:
>>
>> iptables -F
>>
>> iptables -P INPUT DROP
>> iptables -P FORWARD DROP
>> iptables -P OUTPUT ACCEPT
>>
>> iptables -A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
>> iptables -A INPUT -p icmp -j ACCEPT
>>
>> That's for a start. Afterwards you can "selectively" open up some
>> incoming packets :)
>
> I'm of the same opinion, but I don't know iptables. E.g. if I
> wanted to open ports for bittorrent I wouldn't know how to do
> it.
Isn't this the perfect opportunity to learn iptables? HEHE :)
As for bittorrent, from what a friend told me (in reply to my
comment on a previous post), these rules are there so that
bittorrent works properly:
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:6881:6889
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:6881:6889
iptables is silly enough that its report format isn't directly
usable as input back into iptables itself, so we have to translate
this into command-line commands that have the same
effect:
iptables -A INPUT -p tcp --dport 6881:6889 -j ACCEPT
iptables -A INPUT -p udp --dport 6881:6889 -j ACCEPT
Add these commands to the 6-7 we talked about before and logically
you should get the same result as the monster ruleset you had
originally, as far as Bittorrent packets are concerned.
So the final ruleset, with a few comments so that you don't forget
later why each thing in there exists, is:
#!/bin/sh
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Incoming traffic belonging to our own outgoing connections.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
# Incoming packets to Bittorrent clients
iptables -A INPUT -p tcp --dport 6881:6889 -j ACCEPT
iptables -A INPUT -p udp --dport 6881:6889 -j ACCEPT
Logically, with something like this you should be fine :)
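The message above translates `iptables -L -n` rows into `iptables -A` commands by hand. The following is an added example (not code from the thread, and not part of iptables itself) that does the same mechanically for the rule shapes seen in this thread, and adds a small review helper that lists every ACCEPT row matching on no connection state, i.e. every "exception" that, by the reasoning above, should have a written justification. The sample listing is constructed from the INBOUND chain quoted earlier in the message; the function and constant names are this example's own.

```python
import re

# Constructed sample input: the INBOUND chain as quoted in the thread.
SAMPLE_LISTING = """\
Chain INBOUND (1 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:6881:6889
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:6881:6889
ACCEPT tcp -- 192.168.0.0/24 0.0.0.0/0 tcp dpt:22
ACCEPT udp -- 192.168.0.0/24 0.0.0.0/0 udp dpt:22
"""

CHAIN_HEADER = re.compile(r"^Chain (\S+) ")


def rule_to_command(chain, line):
    """Turn one `iptables -L -n` row into the `iptables -A` command that recreates it.

    Handles the matches that appear in the thread: protocol, source and
    destination, `state ...`, `dpt:`/`dpts:` port matches and the `-f`
    fragment flag. Any other match raises, so that nothing is silently
    dropped when a ruleset is rebuilt from its listing.
    """
    fields = line.split()
    target, proto, opt, src, dst = fields[:5]
    cmd = ["iptables", "-A", chain]
    if proto != "all":
        cmd += ["-p", proto]
    if opt == "-f":
        cmd.append("-f")
    if src != "0.0.0.0/0":
        cmd += ["-s", src]
    if dst != "0.0.0.0/0":
        cmd += ["-d", dst]
    extra = fields[5:]
    i = 0
    while i < len(extra):
        tok = extra[i]
        has_next = i + 1 < len(extra)
        if tok == "state" and has_next:
            cmd += ["-m", "state", "--state", extra[i + 1]]
            i += 2
        elif tok in ("tcp", "udp") and has_next and extra[i + 1].startswith(("dpt:", "dpts:")):
            # "dpt:22" -> "22", "dpts:6881:6889" -> "6881:6889"
            cmd += ["--dport", extra[i + 1].split(":", 1)[1]]
            i += 2
        else:
            raise ValueError("unsupported match in listing: %r" % tok)
    cmd += ["-j", target]
    return " ".join(cmd)


def listing_to_commands(listing):
    """Walk a (possibly multi-chain) listing and emit commands in rule order."""
    chain = None
    commands = []
    for line in listing.splitlines():
        m = CHAIN_HEADER.match(line)
        if m:
            chain = m.group(1)
            continue
        if not line.strip() or line.startswith("target "):
            continue
        commands.append(rule_to_command(chain, line))
    return commands


def unconditional_accepts(listing):
    """Review helper: ACCEPT rules that do not depend on connection state.

    Each of these opens a hole on its own, independent of any outgoing
    connection, so each one deserves a comment explaining why it exists.
    """
    return [c for c in listing_to_commands(listing)
            if c.endswith("-j ACCEPT") and "--state" not in c]


if __name__ == "__main__":
    for c in listing_to_commands(SAMPLE_LISTING):
        print(c)
    print("--- stateless exceptions to justify ---")
    for c in unconditional_accepts(SAMPLE_LISTING):
        print(c)
```

For a real round trip of a full ruleset, `iptables-save` and `iptables-restore` exist precisely because the `-L` listing is not machine-readable; the translator above is useful mainly for reading a listing someone pasted into a mail, as in this thread, and for pulling out the rows that need a justification.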
More information about the Linux-greek-users mailing list