Problem with firewall and httpd 2.0.48!

Giorgos Keramidas keramida at ceid.upatras.gr
Thu Jan 8 10:07:07 EET 2004


On 2004-01-07 15:08, leonidas tsabros <ltsampros at upnet.gr> wrote:
> I managed to compile httpd 2.0.48 on my computer (Slackware 9.1,
> P2 @ 400, 64MB RAM) and ran apachectl start to start it. I try to
> reach the server from another computer by giving the hostname as
> the URL and nothing... On the server itself I tried lynx localhost
> and it worked, so I suspected the problem lies somewhere in the
> firewall [...]

Hi there Leonidas :-)))
You suspected right, from what I can see.

> The firewall configuration is:
>
> iptables --flush
> iptables -X
> iptables -F
> iptables -Z
> iptables --policy INPUT  DROP
> iptables --policy OUTPUT DROP  # default, block
> iptables --policy FORWARD DROP # default, block

You drop the whole universe, unless there is a specific rule further
down that lets something through.  Good idea, but be patient now until
you get your ruleset built the way it should be, so that it protects
you well enough without driving you up the wall by also cutting off
useful things.  A little patience now... because I see you went for a
completely thorough BOFH setup that even blocks outgoing packets, which
is not a bad idea but may give you some grief at first :)

> # lo accepts everything.
> iptables -A INPUT -p tcp --dport 22 -j ACCEPT
> iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -i lo -j ACCEPT
> iptables -A INPUT -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
> iptables -A INPUT -p icmp -j REJECT --reject-with icmp-host-unreachable
>
> iptables -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
> iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT #SSH
> iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT #HTTP
> iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT #HTTPS
> iptables -A OUTPUT -p tcp --dport 110 -j ACCEPT #POP3
> iptables -A OUTPUT -p tcp --dport 25  -j ACCEPT #SMTP
> iptables -A OUTPUT -p udp --dport 53  -j ACCEPT #dns

TCP is a connection-oriented protocol.  Above you only let through the
packet that initiates the connection.  In all your TCP rules you have
to add --state as well (as you did below for FTP ports 20 and 21),
otherwise only the first packet of the connection gets through and all
the rest get eaten by the bogeyman.

Also check whether these rules you put in the OUTPUT chain need to be
repeated in the INPUT chain, or moved there.

> iptables -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT 

See how, right here above, you use the --state option...  You need to
do something similar for your ports 22,25,53,80,110,443.  Careful
again with FTP port 20, which is not a "destination port" but the
"source port of the client".  When you have two machines C and S,
client and server for FTP, C first connects to port 21 of S and then
makes a second connection (C again) from port C:20 to some random port
of S.  In general the rules for FTP must allow two connections like
these:

	+---------+                            +-------+
	|         | (21) <-------------------- |       |
	|    S    |                            |   C   |
	|         | (xxxx) <------------- (20) |       |
	+---------+                            +-------+

Where (xxxx) is a random port number >1024.  So the rules are usually
of the form:

    iptables -A INPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A INPUT -p tcp --sport 20 -m state --state NEW,ESTABLISHED -j ACCEPT

With --dport on 21 but --sport on 20.

Cheers,
Giorgos
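The following is an added example, not part of the post above or of Leonidas's script: the quoted ruleset rewritten so that connection tracking is applied once per direction, as Giorgos recommends, rather than per port. Two checks a practitioner would want are built in. First, the quoted line `iptables -A INPUT -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT` accepts any new inbound connection to any port, so the INPUT DROP policy never fires; the example keeps NEW out of the state rule and allows it only on the listening ports. Second, a rule that accepts NEW connections by `--sport 20` trusts a source port the remote side chooses freely; the example instead relies on the FTP connection-tracking helper, which classifies the data channel as RELATED whichever side opens it (in active mode the server opens it from port 20 toward the client's ephemeral port, in passive mode the client opens it toward an ephemeral server port). The listening services (SSH and HTTP) and the loaded helper module are assumptions; `IPT=echo` prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example, not from the original post: the quoted ruleset rewritten
# so that state tracking is done once per direction, in the right place.
# Assumed: this host listens only on SSH and HTTP, and the FTP conntrack
# helper (ip_conntrack_ftp on 2.4/early 2.6, nf_conntrack_ftp later) is loaded.
# IPT defaults to the real binary; IPT=echo prints the rules instead.
IPT="${IPT:-iptables}"

INBOUND_TCP="22 80"                # services this host listens on (assumed)
OUTBOUND_TCP="21 22 25 80 110 443" # services this host may reach as a client
OUTBOUND_UDP="53"                  # DNS

load_rules() {
    $IPT -F
    $IPT -X
    $IPT -Z
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP

    # Loopback: match the interface, not the 127.0.0.1 addresses.
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # One rule per direction carries every packet after the first one,
    # plus helper-related traffic (FTP data channel, ICMP errors for our
    # own connections). NEW is deliberately NOT here: with NEW in this
    # rule, as in the quoted INPUT line, any inbound connection to any
    # port is accepted and the DROP policy never fires.
    $IPT -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Packets that belong to no known connection and do not open one.
    $IPT -A INPUT -m state --state INVALID -j DROP

    # New inbound connections: only the listening services, only SYNs.
    for p in $INBOUND_TCP; do
        $IPT -A INPUT -p tcp --dport "$p" --syn -m state --state NEW -j ACCEPT
    done

    # New outbound connections for the client protocols in use. The FTP
    # data channel needs no --sport 20 rule: whichever side opens it, the
    # helper classifies it RELATED and the state rules above pass it.
    for p in $OUTBOUND_TCP; do
        $IPT -A OUTPUT -p tcp --dport "$p" --syn -m state --state NEW -j ACCEPT
    done
    for p in $OUTBOUND_UDP; do
        $IPT -A OUTPUT -p udp --dport "$p" -m state --state NEW -j ACCEPT
    done

    # Everything else inbound, unsolicited ICMP included, hits the policy.
}

case "${1:-}" in
    apply)   load_rules ;;
    preview) IPT=echo; load_rules ;;
esac
```

Run `sh firewall.sh preview` to print the rules and `sh firewall.sh apply` as root to load them. On current kernels `-m state --state` is an alias for `-m conntrack --ctstate`, so the script works unchanged, but the FTP helper must be loaded (and, on kernels since 4.7, assigned with a `CT --helper ftp` rule in the raw table) for the data channel to be seen as RELATED.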




More information about the Migrate2linux mailing list