[SOLVED] firewall - continued

Alex Chontzopoulos ac at it-cell.com
Fri Nov 18 12:50:12 EET 2005


Theory...

The default policy of the (INPUT) chain is DROP

That means that whatever we don't define as ACCEPT gets DROPped. The DROP
action "drops" the packet WITHOUT notifying the sender of anything.
Essentially it gives away no evidence of the existence of a port which does
"run" but on which we do not allow anyone to connect.

REJECT does exactly the opposite. That is, it informs the "malicious" party
that we do NOT allow them to connect on that specific port..

So the conclusions are 2...

a) Since the default policy is DROP, we should "normally*" not include
any other "DROP" among the rules of the chain

b) Reject is a "provocation" and extra "information" for a "malicious"
party. The only cases where we put Reject, "at least I do", are e.g. for
ping, which I do not want to let through, but I want to be able to tell
that the server is online..


*One use of DROP in a chain with a DEFAULT DROP is to DROP the broadcasts
right at the start, so that you don't see them in your logs :-)
e.g.:

Default policy DROP

rule 1 DROP BROADCASTS
rule 2 PERMIT
rule 3 PERMIT 
blah blah
blah
blah

final rule LOG EVERYTHING     <----- Here, essentially, everything that was not
matched by the rules above gets logged. So you have a clean log.


I hope I didn't bore you
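As an added illustration (not from the thread or its authors), here is a small Python model of first-match evaluation in an INPUT chain, with rules in the same order as the posted ruleset: it shows why DROPping broadcasts before the final LOG rule keeps the log clean, and what verdict each constructed packet gets. The Packet/Rule classes, the 10.0.0.5 address and the sample traffic are hypothetical, and nothing here calls iptables.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    proto: str                # "tcp", "udp" or "icmp"
    dport: int = 0
    dst: str = "10.0.0.5"     # constructed address of the firewall host
    state: str = "NEW"        # conntrack state: NEW, ESTABLISHED or RELATED

@dataclass
class Rule:
    target: str               # ACCEPT, DROP, REJECT or LOG
    proto: Optional[str] = None
    dports: Optional[tuple] = None   # inclusive (low, high) destination port range
    dst: Optional[str] = None
    states: tuple = ()

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and (self.dports is None or self.dports[0] <= p.dport <= self.dports[1])
                and (self.dst is None or self.dst == p.dst)
                and (not self.states or p.state in self.states))

def evaluate(chain, policy, p, log):
    """First matching terminating rule wins; LOG records and lets the packet go on."""
    for r in chain:
        if r.matches(p):
            if r.target != "LOG":
                return r.target   # REJECT answers the sender (TCP RST); DROP stays silent
            log.append(f"{p.proto}/{p.dport} -> {p.dst}")
    return policy                 # nothing matched: the chain's default policy

# Same order as the posted ruleset (a subset); default policy is DROP.
INPUT = [
    Rule("ACCEPT", states=("ESTABLISHED", "RELATED")),
    Rule("ACCEPT", proto="icmp"),
    Rule("ACCEPT", proto="tcp", dports=(6881, 6889)),
    Rule("REJECT", proto="tcp", dports=(113, 113)),  # ident probes get a RST
    Rule("DROP", dst="255.255.255.255"),             # silence broadcasts BEFORE the LOG
    Rule("LOG"),                                     # only what fell through is logged
]

def run(packets, chain=INPUT):
    """Return (verdict per packet, log lines); the log holds only unmatched traffic."""
    log = []
    return [evaluate(chain, "DROP", p, log) for p in packets], log
# Constructed sample traffic, one packet per case the thread discusses.
SAMPLE = [Packet("tcp", 443, state="ESTABLISHED"), Packet("tcp", 113),
          Packet("udp", 137, dst="255.255.255.255"), Packet("tcp", 22)]
```

Swapping the last two rules (LOG before the broadcast DROP) makes the broadcast show up in the log, which is exactly the noise the ordering above avoids.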

-----Original Message-----
From: linux-greek-users-bounces at lists.hellug.gr
[mailto:linux-greek-users-bounces at lists.hellug.gr] On Behalf Of Harris Kosmidhs
Sent: Friday, November 18, 2005 12:17 PM
To: linux-greek-users at hellug.gr
Subject: [SOLVED] firewall - continued

In the end I adjusted the firewall as follows:
====================================================
iptables -F
iptables -P INPUT   DROP
iptables -P FORWARD DROP
iptables -P OUTPUT  ACCEPT

# Incoming traffic belonging to our own outgoing connections.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT

# Incoming packets for BitTorrent clients
iptables -A INPUT -p tcp --dport 6881:6889 -j ACCEPT
iptables -A INPUT -p udp --dport 6881:6889 -j ACCEPT

# Incoming ftp
iptables -A INPUT -p tcp -s 155.207.0.0/16 --dport 20:21 -j ACCEPT

# ident (113): answer with a TCP reset instead of silently dropping
iptables -A INPUT -p tcp --dport 113 -i eth0 -j REJECT --reject-with tcp-reset

iptables -A INPUT -d 255.255.255.255 -j DROP   # do not log broadcasts
iptables -A INPUT -d 224.0.0.0/8 -j DROP       # do not log Microsoft multicasts
iptables -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
        --log-prefix "[FIREWALL] INPUT policy: " --log-level notice

echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
================================================================

It works fine as far as I can see... Maybe the LOG on INPUT is a bit
annoying, but I would like to log some things along the lines of portscan
attacks etc.
Also, I'm not sure how good the rule for port 113 is.... [someone told me
about it a long time ago, maybe on this list]

Finally, let me ask: can I limit the bandwidth on specific ports or
services? E.g. configure ftp so that nobody can upload at more than
50kb/sec. (I imagine proftpd will support that as an option, but I'm
speaking more generally).

Thanks to everyone who helped
