Napravil sam si firewall script za iptables za dial-up
mashina. Imam slednite pitanya: 1) kak da smesya NAT i
filtrirane za dial-up (kakvi parametri da zadam za da moze
vseki adres kam koito se svarzvam ili veche sam varzan da
se
proveryava? 2)kakvi stoinosti sa dobri za zashtita ot
portscan i dobre li sam napravil pravilata za portscan,
SYN
flood, Ping? Kakvi stoinosti za -j MASQ da dam za assigned
ip adres?10x Eto i scripta:
#!/bin/sh
########################################################
#Firewall rules
#
########################################################
#flush all rules
#
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
#
#set policies
#
insmod ip_conntrack
insmod ip_conntrack_ftp
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
#allow local
iptables -A INPUT - lo -j ACCEPT
#
#deny spoofed
#
iptables -A INPUT -i ppp0 -s 255.255.255.255/32 -b -j DROP
iptables -A INPUT -i ppp0 -s 192.168.0.0/16 -b -j DROP
iptables -A INPUT -i ppp0 -s 10.0.0.0/8 -b -j DROP
iptables -A INPUT -i ppp0 -s 127.0.0.0/8 -b -j DROP
#
#allow return packets from connections we initiated
#
iptables -A INPUT -i ppp0 -p tcp ! --syn -j ACCEPT
#ili prepisa ot NETFILTER HOWTO:
# iptables -A INPUT -m state -state ESTABLISHED,RELATED -j
ACCEPT
#iptables -A INPUT -m state -state NEW -i ! ppp0 -j ACCEPT
#
#Anti SYN flood
iptables -A INPUT -p tcp --syn -m limit --limit-burst 2 -m
state --state NEW, ESTABLISHED, RELATED, INVALID -j LOG
#
iptables -A INPUT -p tcp --syn -m limit --limit 1/s -m
state
--state NEW, ESTABLISHED, RELATED, INVALID -j ACCEPT
#
iptables -A FORWARD -p tcp --syn -m limit --limit-burst 2
-m
state --state NEW, ESTABLISHED, RELATED, INVALID -j LOG
#
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -m
state --state NEW, ESTABLISHED, RELATED, INVALID -j ACCEPT
#
#Allow connections to MAIL,SSH+WEB
#
iptables -A INPUT -i ppp0 -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp --dport 80 -j ACCEPT
#
#REJECT auth connections 4 fast SMTP handshake
#
iptables -A INPUT -i ppp0 -p tcp --dport 113 -j REJECT
#
#Allow DNS replies
#
iptables -A INPUT -i ppp0 -p udp -s DNS #1 --sport 53 -j
ACCEPT
iptables -A INPUT -i ppp0 -p tcp -s DNS #1 --sport 53 -j
ACCEPT
iptables -A INPUT -i ppp0 -p udp -s DNS #2 --sport 53 -j
ACCEPT
iptables -A INPUT -i ppp0 -p tcp -s DNS #2 --sport 53 -j
ACCEPT
#
#allow certain classes of ICMP ;)
#
iptables -A INPUT -p icmp --icmp-type echo-request -m
limit
--limit-burst 2 -m state --state NEW, ESTABLISHED,
RELATED,
INVALID - j LOG
#
iptables -A INPUT -p icmp --icmp-type echo-request -m
limit
--limit 1/s -m state --state NEW, ESTABLISHED, RELATED,
INVALID -j ACCEPT
#
iptables -A FORWARD -p icmp --icmp-type echo-request -m
limit --limit-burst 2 -m state --state NEW, ESTABLISHED,
RELATED, INVALID - j LOG
#
iptables -A FORWARD -p icmp --icmp-type echo-request -m
limit --limit 1/s -m state --state NEW,
ESTABLISHED,RELATED,
INVALID - j ACCEPT
#
iptables -A INPUT -i ppp0 -p icmp --dport 0 -j ACCEPT
iptables -A INPUT -i ppp0 -p icmp --dport 3 -j ACCEPT
iptables -A INPUT -i ppp0 -p icmp --dport 11 -j ACCEPT
#
#detect TCP portscans
#
iptables -A INPUT -p tcp --tcp-flags
SYN,ACK,FIN,RST,URG,PUSH -m limit --limit-burst 11 -j LOG
#
iptables -A INPUT -p tcp --tcp-flags
SYN,ACK,FIN,RST,URG,PUSH --limit 10/m -j ACCEPT
#
iptables -A FORWARD -p tcp --tcp-flags
SYN,ACK,FIN,RST,URG,PUSH -m limit --limit-burst 11
-j LOG
#
iptables -A FORWARD -p tcp --tcp-flags
SYN,ACK,FIN,RST,URG,PUSH -m limit --limit 10/m -m -j
ACCEPT
#
#UDP bans
iptables -A INPUT -i ppp0 -p udp -s 0/0 -j DROP
#
iptables -A INPUT -j DROP --log-level 20
#
#MASQ
iptables -A FORWARD -j MASQ -s 0.0.0.0/xx -d! 0.0.0.0/xx
#EOF
|