iptables

Dimitris Mexis m65 at vivodinet.gr
Wed Jul 19 13:09:45 EEST 2006 

On Wed, 19 Jul 2006 13:02:20 +0300, Giorgos Keramidas wrote:

> On 2006-07-19 12:27, Dimitris Mexis <m65 at vivodinet.gr> wrote:
>> Einai kalitero afto to copy/paste ?
> 
> Nai poly kalytero. Kai fainetai amesws poio einai to problhma.
> 
> Sxolia parakatw, anamesa apo tous kanones:
> 
>>    [root at zeus root]# more /etc/sysconfig/iptables
>>    [...]
> 
>>    # Completed on Tue Jul 18 18:55:22 2006
>>    # Generated by iptables-save v1.2.9 on Tue Jul 18 18:55:22 2006
>>    *filter
>>    :INPUT ACCEPT [283:24980]
>>    :FORWARD ACCEPT [0:0]
>>    :OUTPUT ACCEPT [4594:933261]
> 
> Ta ekserxomena paketa, ta epitrepeis ola.  Sxetika kalh idea, alla
> oxi 100% asfalhs.  Ayto den einai to problhma sou omws.
> 
>>    [...]
>>    -A INPUT -p udp -m udp --dport 53 -j ACCEPT
>>    -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
>>    [...]
> 
> Epitrepeis ta paketa pou erxontai apo ton eksw kosmo *PROS* to port 53
> tou mhxanhmatos sou.  Auto moiazei na einai mia prospa8eia na afhsei to
> firewall sou na pernoun ta paketa pou einai sxetika me to DNS.
> 
> Einai lathos omws.
> 
> Kai einai lathos gia enan aplo logo:
> 
>     * Ta paketa pou exoun sxesh me DNS queries ta stelnei to diko
>       sou (local) mhxanhma, apo ena tyxaio topiko port *PROS* to
>       port 53 twn ekswterikwn name servers.
> 
>     * Auta ta ekserxomena paketa, den pernoun apo to INPUT chain
>       alla apo to OUTPUT (einai 'ekserxomena', fysiko einai).
> 
>     * To OUTPUT chain ta epitrepei ola, opote auta pernoun mia xara.
> 
>     * Ystera o apomakrysmenos name server apanta me paketa *APO*
>       to diko tou port 53 (--sport option), *PROS* to diko sou
>       tyxaio port number apo to opoio egine to query.
> 
>     * To INPUT chain den kanei match epeidh den einai to --dport
>       (destination port tou paketou) pou einai 53 alla to --sport
>       (source port, to port tou name server).
> 
>     * To paketo synexizei na pernaei apo kanones, den kanei match
>       me kanenan allo pio prin kai telika peftei se auton:
> 
>       -A INPUT -j REJECT --reject-with icmp-port-unreachable
> 
>     * To mhxanhma sou aporriptei thn apanthsh tou DNS server.
> 
> Mia aplh lysh einai na allakseis to --dport se --sport ston
> kanona pou pisteyei oti einai sxetikos me ta DNS queries.
> 
> H aplh lysh einai, sthn sygkekrimenh periptwsh lathos.
> 
> H swsth lysh einai na xrhsimopoihseis "stateful" kanones, pou
> epitrepoun se kapoio eiserxomeno paketo na perasei mono an einai
> sxetiko me kapoio yparxon connection.
> 
> Den thymamai apeksw to syntaktiko twn iptables, alla mporeis na
> bgaleis panw-katw akrh elpizw apo to parakatw mini firewall ayths
> ths logikhs:
> 
>     # Packet fiter rules (remember that the *LAST* match or a 'quick' match wins)
>     block    in  log all
>     block    out log all
> 
>     pass     in  proto icmp all
>     pass     out proto icmp all
> 
>     pass     out proto { tcp, udp } all keep state (no-sync)
>     pass     in  proto tcp from any to any port = { 22, 80 } keep state (no-sync)
> 
> Prosekse oti:
> 
>     * Ola ta ekserxomena connections xrhsimopoioun 'state' gia na
>       mporei na kserei to firewall poia eiserxomena paketa na
>       afhnei na pernoun.
> 
>     * Apo ta eiserxomena paketa (pou den ginontai apodekta logw
>       kapoiou yparxontos 'state'), pernoun mono ayta pou thelw egw.
> 
>     * Den filtraretai kanena ICMP (o pyrhnas exei rate-limiting,
>       pou to protimw apo to na mplokarw ta panta apo ICMP).
> 
> Kati antistoixo, mporei na graftei se iptables kapws etsi (an exw
> kanei kapoio lathos sto syntaktiko, as me dior8wsei kapoios pou
> kserei apo Linux firewalls kalytera):
> 
>     *filter
>     :INPUT REJECT
>     :OUTPUT REJECT
>     -A INPUT   -p ip   -i lo0  -s 120.0.0.1/32 -d 120.0.0.1/32 -j ACCEPT
>     -A OUTPUT  -p ip   -i lo0  -s 120.0.0.1/32 -d 120.0.0.1/32 -j ACCEPT
>     #
>     -A INPUT   -p icmp -m icmp -j ACCEPT
>     -A OUTPUT  -p icmp -m icmp -j ACCEPT
>     #
>     -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
>     -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>     -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
>     #
>     -A INPUT   -p tcp   -m tcp --dport 22 --state NEW -j ACCEPT
> 
> PROSOXH: TO KSANAGRAFW.  AYTOI OI KANONES DEN EINAI DOKIMASMENOI!
> 
> AN KLEIDW8EIS APEKSW EPEIDH TOUS XRHSIMOPOIHSES 8A STENAXWRH8W...
> GIA PERIPOY 0.623 DEYTEROLEPTA... META THA MOU PERASEI.

Ok exo katalavei ti simveni, tha katso na googlaro ligo gia dns+iptables
provlimata...
0,623sec? Toso poli? Gia koitaxe to iptables --dport aisthimata kai
ftiaxto ligo kalitera...ts ts ts :-)

Efharisto pedia!

More information about the Linux-greek-users mailing list