Firewall s Netfilter/iptables
Následují příklady pravidel pro iptables.
## forward + masquerading
# vsechno zakazem
iptables --table filter -P FORWARD DROP
# povolime pruchod paketum, ktere patri k ex. spojeni
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# povolime provoz zevnitr
iptables -A FORWARD -s 10.0.5.0/24 -i eth1 -j ACCEPT
# zakazem podvrhy zvenci
iptables -A FORWARD -s 10.0.0.0/16 -i eth0 -j DROP
# maskarada
iptables --table nat -A POSTROUTING -s 10.0.0.0/16 -o eth0 -j MASQUERADE
#-----
# povolime existujici spojeni
iptables --table filter -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# povoleni icmp
iptables --table filter -A INPUT -p icmp -j ACCEPT
# povoleni localhost -> localhost
iptables -A INPUT -s 127.0.0.1 -j ACCEPT
## SSH
SSH_ALLOW="10.0.1.2"
SSH_LISTEN="10.0.0.1"
iptables -N SSH_ALLOW
iptables -A INPUT -p tcp --dport 22 -j SSH_ALLOW
for IP in $SSH_ALLOW; do
iptables -A SSH_ALLOW -p tcp -s $IP -d $SSH_LISTEN --dport 22 -j ACCEPT
done
#-----
## FTP
FTP_LISTEN=10.0.0.1
# max --hitcount (10) pokusu o pripojeni za --seconds (300s = 5min)
echo -n ..FTP
iptables -N FTPSCAN
iptables -A INPUT -p tcp --dport 21 \
-m state --state NEW -j FTPSCAN
iptables -A FTPSCAN -p tcp -d $FTP_LISTEN --dport 21 -j ACCEPT
iptables -A FTPSCAN -m recent --set --name FTP
iptables -A FTPSCAN -m recent --update --seconds 300 \
--hitcount 10 --name FTP -j DROP
iptables -A FTPSCAN -j DROP
#-----
# cups
iptables --table filter -A INPUT -p tcp --dport 631 -j ACCEPT
# povolime DNS odpovedi
iptables --table filter -A INPUT -p tcp --dport 53 -j ACCEPT
iptables --table filter -A INPUT -p udp --dport 53 -j ACCEPT
# ident - odmitnuti misto zahozeni
iptables -A INPUT -p tcp --dport 113 -j REJECT
iptables -A INPUT -p udp --dport 113 -j REJECT
del.icio.us!
linkuj.cz
jagg.cz!
Digg it! 