Where is the mistake? iptables script
Christos Ricudis
ricudis at itc.auth.gr
Sun May 8 19:33:24 EEST 2011
On 05/07/2011 12:18 AM, Demosthenes Koptsis wrote:
Various comments:
> INTERFACE="eth1"
> LOOPBACK_INTERFACE="lo"
> IPADDR="192.168.0.5"
> LOOPBACK="127.0.0.1"
> CLASS_A="10.0.0.0/8"
> CLASS_B="172.16.0.0/12"
> CLASS_C="192.168.0.0/16"
> CLASS_D_MULTICAST="224.0.0.0/4"
> CLASS_E_RESERVED_NET="240.0.0.0/5"
> BROADCAST_SRC="0.0.0.0"
> BROADCAST_DEST="255.255.255.255"
>
> PRIVPORTS="0:1023"
> UNPRIVPORTS="1024:65535"
If your goal is to block anything that is not supposed to show up on some
internet-facing interface, there are other IP ranges to block besides
RFC1918. E.g. 169.254/16. You would also want to block 127/8 from all
non-loopback interfaces. There are also some other minor ranges that are
not supposed to be encountered in the wild, but I don't remember them all
(e.g. 192.0.2/24). See RFC 3330, RFC 5737, and whatever else may have
happened to make them obsolete :P
>
> #Drop Spoofed Packets
> for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
> echo 1 > $f
> done
>
This can cause you problems in cases where you have odd routing. I
generally prefer to explicitly block whatever is not allowed to appear on
a given interface.
> #Log packets with impossible addresses
> for f in /proc/sys/net/ipv4/conf/*/log_martians; do
> echo 1 > $f
> done
This is a bit useless. It usually complains about IP addresses it doesn't
know how to reach, which is very rare when you have a default route with
simple routing tables :P
> accept_policy()
> {
> #set default policy to accept
> iptables --policy INPUT ACCEPT
> iptables --policy OUTPUT ACCEPT
> iptables --policy FORWARD ACCEPT
These three are enough; they are not needed in the nat and mangle tables
(the same holds for DROP).
Generally we usually ACCEPT on the OUTPUT chain and DROP on INPUT and
FORWARD. The drawback of blocking on the OUTPUT chain is that you have to
define very precisely what you want to let out, which makes the firewall
configuration rather complicated. The same of course holds for FORWARD,
but that is usually combined with some later rule that allows almost
everything :P
The target with the most entertainment value of all is MIRROR, which I
suspect was implemented by someone who got terribly annoyed when the little
girls played "mirror" on him in second grade. Unfortunately, replying with
anything to something invalid is a very good way to become an intermediary
for various kinds of denial of service attacks against third parties :(
> iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
> iptables -A INPUT -p tcp --sport 22 -j ACCEPT
You just allowed anything originating from source TCP port 22 to hit any
port on your system. So someone can quite easily bind their exploit to
source port 22 and walk past your entire firewall.
What you were actually trying to do is done with:
-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
which you will need anyway so that iptables can open holes for you in the
case of protocols that use embedded IP addresses (e.g. FTP).
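The stateful replacement described in this reply, worked into a small ruleset, as an added example that is not part of the original thread: it assumes eth1 is the internet-facing interface and that SSH is meant to be reachable from outside; by default it only prints the commands (dry run) and applies them when run with IPT=iptables.

```shell
#!/bin/sh
# Added example, not from the original thread: the stateful INPUT policy the
# reply recommends, with explicit anti-spoofing instead of rp_filter.
# Assumptions: eth1 is the internet-facing interface and SSH should be
# reachable from outside. Default is a dry run that prints the commands;
# run with IPT=iptables to apply them.
IPT="${IPT:-echo iptables}"
WAN="eth1"

# Source ranges that must never arrive on the WAN interface: RFC 1918,
# link-local, RFC 5737 TEST-NET-1 and multicast (constructed list).
BOGONS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16 192.0.2.0/24 224.0.0.0/4"

build_rules() {
    $IPT -F
    # Drop inbound and forwarded by default, let outbound through.
    $IPT --policy INPUT DROP
    $IPT --policy FORWARD DROP
    $IPT --policy OUTPUT ACCEPT

    # Loopback traffic only on lo; 127/8 from any other interface is spoofed.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP

    for net in $BOGONS; do
        $IPT -A INPUT -i "$WAN" -s "$net" -j DROP
    done

    # Replies to connections we opened, plus RELATED (e.g. the FTP data
    # channel) tracked by conntrack. This replaces "--sport 22 -j ACCEPT".
    $IPT -A INPUT -i "$WAN" -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Services offered to the outside are matched on the destination port,
    # never on the client's source port.
    $IPT -A INPUT -i "$WAN" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -i "$WAN" -m state --state INVALID -j DROP
}

# Dry-run helper: emit the ruleset as text so it can be reviewed or checked
# (e.g. grep it for any rule that accepts by source port) before applying.
emit_rules() {
    IPT="echo iptables"
    build_rules
}

build_rules
```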