napravih si firewall s iptables(bzaimstah mnogo :)oba4e ne moga da razbera kade sa mi failovete s logovete ako izob6to ima takiva napravo slagam celiq skript ako nqkoi moje da mi pomogne mu blagodarq ot sega
'>
10x
#!/bin/bash
# iptables, by DreamTeam
# $Id: iptables,v 1.00 2004/05/29 03:57:15 technion Exp $
# chkconfig: 2345 08 80
# description: Script for setting IPTABLES rules
# processname: iptables
#===============================================================================
# Network information you will need to adjust
MYDEV="eth1"
MYNET="10.100.100.0/24"
MYBCAST="10.100.100.255"
DKDEV="eth0"
# Pathnames
DMESG="/bin/dmesg"
IPTABLES="iptables"
MODPROBE="/sbin/modprobe"
#===============================================================================
# Tova e za menuto start stop restart
case "$1" in
'stop'
'>
echo "Stop the fucking Firewall"
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -P FORWARD DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
exit 0
;;
'restart'
'>
echo "Restarting skript"
$0 stop
exec $0 start
exit 0
;;
'start'
'>
echo "Start FIREWALL"
;;
*)
echo "usage $0 start|stop|restart" ;;
esac
#===============================================================================
# Insert modules- should be done automatically if needed
dmesg -n 1 #Kill copyright display on module load
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
#
## Flush everything, start from scratch
#
# Incoming packets from the outside network
$IPTABLES -F INPUT
# Outgoing packets from the internal network
$IPTABLES -F OUTPUT
# Forwarding/masquerading
$IPTABLES -F FORWARD
#Nat table
$IPTABLES -t nat -F
##Setup sysctl controls which affect tcp/ip
#
#Disabling IP Spoofing attacks.
#Comment this line out when using IPSEC
echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter
#Don't respond to broadcast pings
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#Defragment all Packets
#Default now
#Enable forwarding
echo 1 >/proc/sys/net/ipv4/ip_forward
#Block source routing
echo 0 >/proc/sys/net/ipv4/conf/all/accept_source_route
#Kill timestamps. These have been the subject of a recent bugtraq thread
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
#Enable SYN Cookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
#Kill redirects
echo 0 >/proc/sys/net/ipv4/conf/all/accept_redirects
#Enable bad error message protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
#Allow dynamic ip addresses
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
#Log martians (packets with impossible addresses)
#RiVaL said that certain NICs don't like this. Comment out if necessary.
echo 1 >/proc/sys/net/ipv4/conf/all/log_martians
#Set out local port range
echo "32768 61000" >/proc/sys/net/ipv4/ip_local_port_range
#Reduce DoS'ing ability by reducing timeouts
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 1 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack
echo 1280 > /proc/sys/net/ipv4/tcp_max_syn_backlog
#===============================================================================
##Set basic rules
#Note that unlike ipchains, rules passing through a FORWARD chain do NOT
#also have to pass through an INPUT chain.
#Kill ANY stupid packets, including
#-Packets that are too short to have a full ICMP/UDP/TCP header
#-TCP and UDP packets with zero (illegal) source and destination ports
#-Illegal combinations of TCP flags
#-Zero-length (illegal) or over-length TCP and IP options,
#or options after the END-OF-OPTIONS option
#-Fragments of illegal length or offset (e.g., Ping of Death).
#Above list ripped from
http://www.linux-mag.com/2000-01/bestdefense_02.html#This has been found to be a little buggy. Removed for now.
$IPTABLES -A INPUT -m unclean -j DROP
$IPTABLES -A FORWARD -m unclean -j DROP
#Kill invalid packets (illegal combinations of flags)
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A FORWARD -m state --state INVALID -j DROP
# Allow all connections on the internal interface
$IPTABLES -A INPUT -i lo -j ACCEPT
#Kill connections to the local interface from the outside world.
$IPTABLES -A INPUT -d 127.0.0.0/8 -j REJECT
#Allow unlimited traffic from internal network using legit addresses
$IPTABLES -A INPUT -i $MYDEV -s $MYNET -j ACCEPT
#Kill anything from outside claiming to be from internal network
$IPTABLES -A INPUT -i $DKDEV -s $MYNET -j REJECT
##ICMP
#ping don't forward pings going inside
$IPTABLES -A FORWARD -p icmp --icmp-type echo-request -o $MYDEV -j REJECT
#ping flood protection
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j DROP
#Deny icmp to broadcast address
$IPTABLES -A INPUT -p icmp -d $MYBCAST -j DROP
#Allow all other icmp
$IPTABLES -A INPUT -p icmp -j ACCEPT
##Allow established connections
#Unlike ipchains, we don't have to go through the business of allowing
#a local port range- just allow all connections already established.
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#Note that unlike ipchains, the following must be enabled even with masquerading
#Don't forward SMB related traffic
#$IPTABLES -A FORWARD -o $DKDEV -p tcp --dport 137 -j REJECT
#$IPTABLES -A FORWARD -o $DKDEV -p tcp --dport 138 -j REJECT
#$IPTABLES -A FORWARD -o $DKDEV -p tcp --dport 139 -j REJECT
#$IPTABLES -A FORWARD -o $DKDEV -p udp --dport 137 -j REJECT
#$IPTABLES -A FORWARD -o $DKDEV -p udp --dport 138 -j REJECT
#$IPTABLES -A FORWARD -o $DKDEV -p udp --dport 139 -j REJECT
#ZABRANQVA SMB CONECTION-A
#$IPTABLES -A INPUT -i $DKDEV -p udp --dport 137 -j REJECT
#Samba Share
$IPTABLES -A INPUT -p tcp --dport 137 -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 137 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 138 -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 138 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 139 -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 139 -j ACCEPT
#Allow ALL other forwarding going out
$IPTABLES -A FORWARD -o $DKDEV -i $MYDEV -j ACCEPT
#Allow replies coming in
$IPTABLES -A FORWARD -i $DKDEV -m state --state ESTABLISHED,RELATED -j ACCEPT
#Allow nameserver packets. Different versions of iptables seem to error here.
$IPTABLES -A INPUT -p udp --sport 53 -j ACCEPT
#FRom here on, we're dealing with connection attempts.
#The -m limit is a DoS protection on connects
#First we allow a certain amount of connections per second
#DROP the rest (so we don't DoS ourself with rejections)
#We don't limit normal packets (!syn) by allowing the rest
##Basic services. Uncomment to allow in.
# ftp-data
$IPTABLES -A INPUT -p tcp --dport 20 -j ACCEPT
# ftp
$IPTABLES -A INPUT -p tcp --dport 21 -j ACCEPT
# ssh
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
#telnet
$IPTABLES -A INPUT -p tcp -i $MYDEV --dport 23 -j ACCEPT
# DNS
$IPTABLES -A INPUT -p tcp --dport 53 -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 53 -j ACCEPT
# http
$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT
# identd
#$IPTABLES -A INPUT -p tcp --dport 113 -j ACCEPT
# https
#$IPTABLES -A INPUT -p tcp --dport 443 -j ACCEPT
##Some ports should be denied and logged(4ervei i tn).
$IPTABLES -A INPUT -p tcp --dport 1433 -m limit -j LOG \
--log-prefix "Firewalled packet: MSSQL "
$IPTABLES -A INPUT -p tcp --dport 1433 -j DROP
$IPTABLES -A INPUT -p tcp --dport 6670 -m limit -j LOG \
--log-prefix "Firewalled packet: Deepthrt "
$IPTABLES -A INPUT -p tcp --dport 6670 -j DROP
$IPTABLES -A INPUT -p tcp --dport 6711 -m limit -j LOG \
--log-prefix "Firewalled packet: Sub7 "
$IPTABLES -A INPUT -p tcp --dport 6711 -j DROP
$IPTABLES -A INPUT -p tcp --dport 6712 -m limit -j LOG \
--log-prefix "Firewalled packet: Sub7 "
$IPTABLES -A INPUT -p tcp --dport 6712 -j DROP
$IPTABLES -A INPUT -p tcp --dport 6713 -m limit -j LOG \
--log-prefix "Firewalled packet: Sub7 "
$IPTABLES -A INPUT -p tcp --dport 6713 -j DROP
$IPTABLES -A INPUT -p tcp --dport 12345 -m limit -j LOG \
--log-prefix "Firewalled packet: Netbus "
$IPTABLES -A INPUT -p tcp --dport 12345 -j DROP
$IPTABLES -A INPUT -p tcp --dport 12346 -m limit -j LOG \
--log-prefix "Firewalled packet: Netbus "
$IPTABLES -A INPUT -p tcp --dport 12346 -j DROP
$IPTABLES -A INPUT -p tcp --dport 20034 -m limit -j LOG \
--log-prefix "Firewalled packet: Netbus "
$IPTABLES -A INPUT -p tcp --dport 20034 -j DROP
$IPTABLES -A INPUT -p tcp --dport 31337 -m limit -j LOG \
--log-prefix "Firewalled packet: BO "
$IPTABLES -A INPUT -p tcp --dport 31337 -j DROP
$IPTABLES -A INPUT -p tcp --dport 6000 -m limit -j LOG \
--log-prefix "Firewalled packet: XWin "
$IPTABLES -A INPUT -p tcp --dport 6000 -j DROP
#Traceroutes depend on finding a rejected port. DROP the ones it uses
$IPTABLES -A INPUT -p udp --dport 33434:33523 -j DROP
#Don't log ident because it gets hit all the time eg connecting to an irc server
$IPTABLES -A INPUT -p tcp --dport 113 -j REJECT
#Don't log igmp. Some people get too many of these
$IPTABLES -A INPUT -p igmp -j REJECT
#Don't log web or ssl because people surfing for long times lose connection
#tracking and cause the system to create a new one, flooding logs.
$IPTABLES -A INPUT -p tcp --dport 80 -j REJECT
$IPTABLES -A INPUT -p tcp --dport 443 -j REJECT
##Catch all rules.
#iptables reverts to these if it hasn't matched any of the previous rules.
#Log. There's no point logging noise. There's too much of it.
#Just log connection requests
$IPTABLES -A INPUT -p tcp --syn -m limit --limit 5/minute -j LOG \
--log-prefix "Firewalled packet:"
$IPTABLES -A FORWARD -p tcp --syn -m limit --limit 5/minute -j LOG \
--log-prefix "Firewalled packet:"
#Reject
$IPTABLES -A INPUT -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A INPUT -p all -j DROP
$IPTABLES -A FORWARD -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A FORWARD -p all -j DROP
#Accept it anyway if it's only output
$IPTABLES -A OUTPUT -j ACCEPT
#===============================================================================
#Masquerade internal connections going out.
$IPTABLES -A POSTROUTING -t nat -o $DKDEV -j SNAT --to-source 10.100.12.57
exit 0
tova e
Автор
Тема: iptables log problem (Прочетена 1227 пъти)
Dec 10, 2002, 23:48