A poniżej gotowy firewall dla pojedynczego hosta (skrypt trzeba uruchomić jako root; zakres adresów LAN przy regułach dla portu 631 oraz listę otwartych portów należy dopasować do własnej sieci):
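#!/bin/sh
#
# Host firewall: default-deny inbound, allow outbound, no routing.
#
# Inbound it permits: loopback, replies to traffic this host initiated,
# rate-limited ping, SSH (22/tcp), a web service on 8080/tcp (port 80 is
# redirected to it in the nat table) and CUPS (631/tcp+udp) from the LAN only.
#
# Must run as root. Re-running is safe: the filter and nat tables are
# flushed and the user chain is deleted before rules are added, so a second
# run neither fails on "-N SERVICES" nor duplicates the REDIRECT rule.
#
# NOTE(review): policies are switched to DROP before the allow rules exist,
# so every run has a short window in which existing sessions (including the
# SSH session running this script) lose packets. On a remote host prefer
# loading an equivalent ruleset atomically with iptables-restore.
#
# `set -e` is deliberately not used: aborting half-way with DROP policies in
# place would lock the administrator out, which is worse than printing the
# error and applying the remaining rules.
set -u

IPT=${IPT:-/sbin/iptables}   # path override for non-standard installs
LAN=${LAN:-192.168.1.0/24}   # network allowed to reach the print server (631)

# Fail early and clearly instead of producing a cascade of iptables errors.
if [ "$(id -u)" -ne 0 ]; then
  printf '%s: must be run as root\n' "$0" >&2
  exit 1
fi
if ! command -v "$IPT" >/dev/null 2>&1; then
  printf '%s: iptables binary not found at %s\n' "$0" "$IPT" >&2
  exit 1
fi

# --- start from a clean slate: rules and user chains in filter AND nat -----
$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t nat -X

# --- policies --------------------------------------------------------------
$IPT -P INPUT DROP
$IPT -P FORWARD DROP       # this host is not a router; nothing is forwarded
$IPT -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT

$IPT -N SERVICES

# --- loopback and anti-spoofing -------------------------------------------
$IPT -A INPUT -i lo -j ACCEPT
# 127/8 must never arrive on a real interface. The negation is written before
# the option: the intrapositioned form "--in-interface ! lo" is deprecated.
$IPT -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP

# --- bogus packets ---------------------------------------------------------
$IPT -A INPUT   -m conntrack --ctstate INVALID -j DROP
$IPT -A FORWARD -m conntrack --ctstate INVALID -j DROP
$IPT -A OUTPUT  -m conntrack --ctstate INVALID -j DROP
# A new TCP connection must start with a bare SYN.
$IPT -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
# Flag combinations that never occur in legitimate traffic (port scans).
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
$IPT -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags FIN,ACK FIN -j DROP
$IPT -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP

# --- replies first: most packets match here and stop traversing ------------
$IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# --- ping, rate limited. Only echo-request is admitted unsolicited; other
# --- ICMP (errors, PMTU) arrives as RELATED and was accepted above. --------
$IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/second --limit-burst 5 -j ACCEPT

# --- new connections to published services ----------------------------------
$IPT -A INPUT -m conntrack --ctstate NEW -j SERVICES

$IPT -A SERVICES -p tcp --dport 22 -j ACCEPT
$IPT -A SERVICES -p tcp --dport 8080 -j ACCEPT
# Print server: LAN only. A /24 also covers .0 and .255, which no host uses.
$IPT -A SERVICES -s "$LAN" -p tcp --dport 631 -j ACCEPT
$IPT -A SERVICES -s "$LAN" -p udp --dport 631 -j ACCEPT

# Serve HTTP on 8080 (the daemon needs no root) while clients connect to 80.
# Redirected packets are delivered locally and therefore traverse INPUT, not
# FORWARD, so FORWARD stays fully closed.
$IPT -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080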
2.
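#
# Host firewall: default-deny inbound, allow outbound, no routing.
#
# Inbound it permits: loopback, replies to traffic this host initiated,
# rate-limited ping, SSH (22/tcp), a web service on 8080/tcp (port 80 is
# redirected to it in the nat table) and CUPS (631/tcp+udp) from the LAN only.
#
# Must run as root. Re-running is safe: the filter and nat tables are
# flushed and the user chain is deleted before rules are added, so a second
# run neither fails on "-N SERVICES" nor duplicates the REDIRECT rule.
#
# NOTE(review): policies are switched to DROP before the allow rules exist,
# so every run has a short window in which existing sessions (including the
# SSH session running this script) lose packets. On a remote host prefer
# loading an equivalent ruleset atomically with iptables-restore.
#
# `set -e` is deliberately not used: aborting half-way with DROP policies in
# place would lock the administrator out, which is worse than printing the
# error and applying the remaining rules.
set -u

IPT=${IPT:-/sbin/iptables}   # path override for non-standard installs
LAN=${LAN:-192.168.1.0/24}   # network allowed to reach the print server (631)

# Fail early and clearly instead of producing a cascade of iptables errors.
if [ "$(id -u)" -ne 0 ]; then
  printf '%s: must be run as root\n' "$0" >&2
  exit 1
fi
if ! command -v "$IPT" >/dev/null 2>&1; then
  printf '%s: iptables binary not found at %s\n' "$0" "$IPT" >&2
  exit 1
fi

# --- start from a clean slate: rules and user chains in filter AND nat -----
$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t nat -X

# --- policies --------------------------------------------------------------
$IPT -P INPUT DROP
$IPT -P FORWARD DROP       # this host is not a router; nothing is forwarded
$IPT -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT

$IPT -N SERVICES

# --- loopback and anti-spoofing -------------------------------------------
$IPT -A INPUT -i lo -j ACCEPT
# 127/8 must never arrive on a real interface. The negation is written before
# the option: the intrapositioned form "--in-interface ! lo" is deprecated.
$IPT -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP

# --- bogus packets ---------------------------------------------------------
$IPT -A INPUT   -m conntrack --ctstate INVALID -j DROP
$IPT -A FORWARD -m conntrack --ctstate INVALID -j DROP
$IPT -A OUTPUT  -m conntrack --ctstate INVALID -j DROP
# A new TCP connection must start with a bare SYN.
$IPT -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
# Flag combinations that never occur in legitimate traffic (port scans).
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
$IPT -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags FIN,ACK FIN -j DROP
$IPT -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP

# --- replies first: most packets match here and stop traversing ------------
$IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# --- ping, rate limited. Only echo-request is admitted unsolicited; other
# --- ICMP (errors, PMTU) arrives as RELATED and was accepted above. --------
$IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/second --limit-burst 5 -j ACCEPT

# --- new connections to published services ----------------------------------
$IPT -A INPUT -m conntrack --ctstate NEW -j SERVICES

$IPT -A SERVICES -p tcp --dport 22 -j ACCEPT
$IPT -A SERVICES -p tcp --dport 8080 -j ACCEPT
# Print server: LAN only. A /24 also covers .0 and .255, which no host uses.
$IPT -A SERVICES -s "$LAN" -p tcp --dport 631 -j ACCEPT
$IPT -A SERVICES -s "$LAN" -p udp --dport 631 -j ACCEPT

# Serve HTTP on 8080 (the daemon needs no root) while clients connect to 80.
# Redirected packets are delivered locally and therefore traverse INPUT, not
# FORWARD, so FORWARD stays fully closed.
$IPT -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080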