iptables
Giorgos Keramidas
keramida at ceid.upatras.gr
Wed Jul 19 13:02:20 EEST 2006
On 2006-07-19 12:27, Dimitris Mexis <m65 at vivodinet.gr> wrote:
> Is this copy/paste better?
Yes, much better. And the problem is immediately visible.
Comments below, interleaved with the rules:
> [root at zeus root]# more /etc/sysconfig/iptables
> [...]
> # Completed on Tue Jul 18 18:55:22 2006
> # Generated by iptables-save v1.2.9 on Tue Jul 18 18:55:22 2006
> *filter
> :INPUT ACCEPT [283:24980]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [4594:933261]
You allow all outgoing packets. A reasonably good idea, but not 100%
safe. That is not your problem, though.
> [...]
> -A INPUT -p udp -m udp --dport 53 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
> [...]
You allow packets coming from the outside world *TO* port 53 of your
machine. This looks like an attempt to make your firewall let the
packets related to DNS through.
It is wrong, though.
And it is wrong for a simple reason:
* The packets related to DNS queries are sent by your own (local)
machine, from a random local port *TO* port 53 of the external
name servers.
* These outgoing packets do not go through the INPUT chain but
through OUTPUT (they are 'outgoing', naturally).
* The OUTPUT chain allows everything, so they pass just fine.
* Then the remote name server replies with packets *FROM* its
own port 53 (--sport option), *TO* your random port number from
which the query was made.
* The INPUT chain does not match, because it is not the --dport
(the packet's destination port) that is 53 but the --sport
(source port, the name server's port).
* The packet keeps going through the rules, matches none of the
earlier ones, and finally falls into this one:
-A INPUT -j REJECT --reject-with icmp-port-unreachable
* Your machine rejects the DNS server's reply.
A simple fix is to change --dport to --sport in the rule you
believe is the one related to DNS queries.
In this particular case, the simple fix is wrong.
The correct fix is to use "stateful" rules, which let an incoming
packet through only if it is related to some existing connection.
I don't remember the iptables syntax by heart, but I hope you can
more or less figure it out from the following mini firewall built on
this logic:
# Packet filter rules (remember that the *LAST* match or a 'quick' match wins)
block in log all
block out log all
pass in proto icmp all
pass out proto icmp all
pass out proto { tcp, udp } all keep state (no-sync)
pass in proto tcp from any to any port { 22, 80 } keep state (no-sync)
Note that:
* All outgoing connections use 'state', so that the firewall can
know which incoming packets to let through.
* Of the incoming packets (those not accepted because of some
existing 'state'), only the ones I want get through.
* No ICMP is filtered (the kernel has rate-limiting, which I
prefer over blocking everything ICMP).
Something equivalent can be written in iptables roughly like this (if
I have made a mistake in the syntax, someone who knows Linux
firewalls better please correct me):
*filter
# Built-in chain policies can only be ACCEPT or DROP, not REJECT.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback: the Linux interface is 'lo' (and OUTPUT matches it with -o, not -i).
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
#
-A INPUT -p icmp -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
#
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# New outgoing tcp/udp connections, the iptables twin of 'pass out ... keep state'.
-A OUTPUT -p tcp -m state --state NEW -j ACCEPT
-A OUTPUT -p udp -m state --state NEW -j ACCEPT
#
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
COMMIT
WARNING: I'LL SAY IT AGAIN. THESE RULES ARE NOT TESTED!
IF YOU LOCK YOURSELF OUT BECAUSE YOU USED THEM, I WILL BE SAD...
FOR ABOUT 0.623 SECONDS... THEN I'LL GET OVER IT.
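To make the packet walk described above concrete, here is an added model (not part of the original message) of the two INPUT chains: the poster's `--dport 53` rule and the stateful `ESTABLISHED` rule, each followed by the catch-all REJECT, evaluated with iptables' first-match semantics against a minimal connection table. The addresses and ports are constructed sample values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

class Conntrack:
    """Tiny stand-in for the kernel's connection tracker: remembers outbound flows."""
    def __init__(self):
        self.flows = set()
    def note_out(self, p):
        self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
    def is_established(self, p):
        # A reply carries the original 5-tuple with the endpoints swapped.
        return (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows

def match_dport(port):
    # Models "-p udp -m udp --dport <port>" (and the tcp twin).
    return lambda p, ct: p.proto in ("tcp", "udp") and p.dport == port

def match_established(p, ct):
    return ct.is_established(p)   # models "-m state --state ESTABLISHED"

def run_chain(rules, packet, ct, policy="ACCEPT"):
    """iptables semantics: the first matching rule decides; the chain
    policy applies only if no rule matched."""
    for match, target in rules:
        if match(packet, ct):
            return target
    return policy

# The original poster's INPUT chain, cut down to the two rules that matter.
ORIGINAL_INPUT = [(match_dport(53), "ACCEPT"), (lambda p, ct: True, "REJECT")]
# The stateful INPUT chain suggested in the reply.
STATEFUL_INPUT = [(match_established, "ACCEPT"), (lambda p, ct: True, "REJECT")]
LOCAL, RESOLVER = "192.0.2.10", "198.51.100.53"   # constructed sample addresses

def dns_reply_verdict(rules):
    """Send a query out (OUTPUT accepts everything), then run the reply through INPUT."""
    ct = Conntrack()
    ct.note_out(Packet("udp", LOCAL, 41234, RESOLVER, 53))
    return run_chain(rules, Packet("udp", RESOLVER, 53, LOCAL, 41234), ct)

def unsolicited_verdict(rules):
    """Outside packet to local port 53 with no query behind it: what --dport 53 really opens."""
    return run_chain(rules, Packet("udp", RESOLVER, 3456, LOCAL, 53), Conntrack())
```

The original chain rejects the resolver's reply yet accepts an unsolicited packet to port 53, while the stateful chain does the reverse.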