firewall sunexeias

[Michael Iatrou]

When the date was Wednesday 16 November 2005 20:16, Giorgos Keramidas wrote:

> Opote to teliko ruleset, me liga sxolia gia na mhn ksexaseis
> argotera giati yparxei to kathe ti ekei mesa, einai:
>
>     #!/bin/sh
>
>     iptables -F
>
>     iptables -P INPUT   DROP
>     iptables -P FORWARD DROP
>     iptables -P OUTPUT  ACCEPT
>
>     # Eiserxomenh kinhsh gia dika mas ekserxomenes syndeseis.
>     iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
>     iptables -A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
>     iptables -A INPUT -p icmp -j ACCEPT
>
>     # Eiserxomena paketa pros Bittorent clients
>     iptables -A INPUT -p tcp --dport 6881:6889 -j ACCEPT
>     iptables -A INPUT -p udp --dport 6881:6889 -j ACCEPT

Μερικές μικρές αλλαγές...

	#!/bin/sh
	
	# Pi8ana interfaces
	IFACES="eth0 eth1"
	
	iptables -F
	iptables -X
	iptables -Z
	
	iptables -P INPUT   DROP
	iptables -P FORWARD DROP
	iptables -P OUTPUT  ACCEPT
	
	# Eiserxomenh kinhsh gia dika mas ekserxomenes syndeseis.
	iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
	
	# Gia osa paketa "pisteuoun" oti katagontai apo to loopback
	for IFACE in $IFACES; do	
		iptables -A INPUT -i $IFACE -d 127.0.0.1 -j DROP
	done

	# Anti gia IPs, interfaces.
	iptables -A INPUT  -i lo -j ACCEPT
	iptables -A OUTPUT -o lo -j ACCEPT
	iptables -A INPUT -p icmp -j ACCEPT
	
	# Eiserxomena paketa pros Bittorent clients
	iptables -A INPUT -p tcp --dport 6881:6889 -j ACCEPT
	iptables -A INPUT -p udp --dport 6881:6889 -j ACCEPT
	
Από εκεί και πέρα, καλό θα ήταν να αγνοείς τα προβληματικά ICMP:

	echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

να ενεργοποιήσεις το rp_filter:

	echo "1" > /proc/sys/net/ipv4/conf/*/rp_filter

τα ICMP redirects:

	echo "0" > /proc/sys/net/ipv4/conf/*/accept_redirects

και τα source routed πακέτα:

	echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route


-- 
 Μιχάλης Ιατρού