iptables
Matthes
ornest na mistral.cz
Saturday July 13 14:34:24 CEST 2002
This is the script I use to set up iptables. It allows forwarding
between the internal network and the Internet, access from the Internet to port 80
(webserver) and UDP packets for DNS, and also some ICMP control packets.
Eth0 is the connection to the Internet, eth1 is the internal network.
Add a line allowing port 3884 or whichever port you wanted.
#!/bin/sh
#first, drop all rules out (the nat table too, or the MASQUERADE rule is added again on every run)
iptables -F
iptables -X
iptables -t nat -F
#implicit policy DROP
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
#let go through everything from our network
iptables -A INPUT -p ALL -i eth1 -j ACCEPT
iptables -A INPUT -p ALL -i lo -j ACCEPT
#fuck off spoofers: private source addresses never legitimately arrive from the Internet;
#this chain has to sit before any ACCEPT rule for eth0, otherwise those rules bypass it
iptables -N spoof
iptables -A spoof -s 192.168.0.0/16 -j DROP
iptables -A spoof -s 172.16.0.0/12 -j DROP
iptables -A spoof -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i eth0 -j spoof
iptables -A FORWARD -i eth0 -j spoof
#prevent syn flooding attack: at most 1 new connection/s (burst 5) from eth0;
#placed before the ACCEPT rules so the limit also covers the webserver port
iptables -N synflood
iptables -A synflood -m limit --limit 1/s --limit-burst 5 -j RETURN
iptables -A synflood -j DROP
iptables -A INPUT -i eth0 -p tcp --syn -j synflood
#Let DNS answers in
iptables -A INPUT -p UDP -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
#also let in tcp answers
iptables -A INPUT -p TCP -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
#OK, I need some access to my webserver too:
iptables -A INPUT -p TCP -i eth0 --dport 80 -j ACCEPT
#### Insert the line allowing connections to port 3884 here ####
#let some ICMP packets in; create new chain icmp_packets
iptables -N icmp_packets
iptables -A INPUT -p ICMP -i eth0 -j icmp_packets
iptables -A icmp_packets -p ICMP --icmp-type 0 -j ACCEPT
iptables -A icmp_packets -p ICMP --icmp-type 3 -j ACCEPT
iptables -A icmp_packets -p ICMP --icmp-type 11 -j ACCEPT
#prevent ping of death: echo requests (type 8) are accepted only rate-limited;
#an unconditional "--icmp-type 8 -j ACCEPT" above this line would mean the limit never applies
iptables -A icmp_packets -p ICMP --icmp-type echo-request -m limit --limit 1/s --limit-burst 5 -j ACCEPT
#everything else will be logged
iptables -A INPUT -j LOG --log-level alert
#forwarding for inside network (the kernel must also have IP forwarding switched on)
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
#Masquerading for our hosts
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Matthes
> On Fri 12 July 2002 11:40 you wrote:
> > Hello,
> > I would like to be able to connect to servers on the Internet and nobody
> > to be able to connect to me.
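An added example, not part of Matthes's post: a small Python linter that reads rules in iptables-save syntax ("-A CHAIN <matches> -j TARGET") and reports every rule that can never match because an earlier terminating rule in the same chain already matches a superset of its traffic. Run over the INPUT and icmp_packets rules of the script above, transcribed by hand into that syntax (the RULES text, the ICMP name table and the function names are my own constructions), it flags the rate-limited echo-request rule, which the unconditional "--icmp-type 8" ACCEPT before it makes dead.

```python
"""Finds iptables rules that can never match because an earlier terminating
rule in the same chain already matches a superset of their traffic.
Input is iptables-save style text ("-A CHAIN <matches> -j TARGET")."""

# Symbolic ICMP type names normalised to numbers so that "--icmp-type 8" and
# "--icmp-type echo-request" compare equal (a subset of the names iptables knows).
ICMP_TYPE_NAMES = {
    "echo-reply": "0", "destination-unreachable": "3",
    "echo-request": "8", "time-exceeded": "11",
}
TERMINATING = {"ACCEPT", "DROP", "REJECT"}


def parse_rule(line):
    """Return (chain, matches, target) for an '-A' line, else None.
    matches is a frozenset of (option, value) pairs. '-m <module>' loads and
    '-p all' constrain nothing and are dropped; '!' negates the next option."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] != "-A":
        return None
    chain, matches, target, negate = tokens[1], set(), None, False
    i = 2
    while i < len(tokens):
        tok = tokens[i]
        if tok == "!":
            negate, i = True, i + 1
            continue
        # collect the option's values: everything up to the next option or '!'
        j = i + 1
        while j < len(tokens) and not tokens[j].startswith("-") and tokens[j] != "!":
            j += 1
        value = " ".join(tokens[i + 1:j])
        if tok == "-j":
            target = value      # target options (e.g. --log-level) follow; ignore them
            break
        if tok == "-p":
            value = value.lower()
        if tok == "--icmp-type":
            value = ICMP_TYPE_NAMES.get(value, value)
        if tok != "-m" and not (tok == "-p" and value == "all"):
            matches.add((("!" if negate else "") + tok, value))
        negate, i = False, j
    return chain, frozenset(matches), target


def find_shadowed(lines):
    """Return [(shadowed_line_no, shadowing_line_no)], 1-based, for every rule
    whose constraints are a superset of an earlier terminating rule's in the
    same chain: that earlier rule always fires first, so this one is dead."""
    findings = []
    terminating_seen = {}           # chain -> [(line_no, matches)]
    for n, line in enumerate(lines, 1):
        parsed = parse_rule(line)
        if parsed is None:
            continue
        chain, matches, target = parsed
        for prev_n, prev_matches in terminating_seen.get(chain, []):
            if prev_matches <= matches:
                findings.append((n, prev_n))
                break
        if target in TERMINATING:
            terminating_seen.setdefault(chain, []).append((n, matches))
    return findings


# Constructed input: the INPUT and icmp_packets rules of the script in the post,
# transcribed into iptables-save syntax in the order the script appends them.
RULES = """\
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
-A INPUT -p icmp -i eth0 -j icmp_packets
-A icmp_packets -p icmp --icmp-type 0 -j ACCEPT
-A icmp_packets -p icmp --icmp-type 3 -j ACCEPT
-A icmp_packets -p icmp --icmp-type 8 -j ACCEPT
-A icmp_packets -p icmp --icmp-type 11 -j ACCEPT
-A icmp_packets -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 5 -j ACCEPT
-A INPUT -i eth0 -p tcp --syn -j synflood
-A INPUT -j LOG --log-level alert
""".splitlines()


if __name__ == "__main__":
    for dead, by in find_shadowed(RULES):
        print(f"line {dead} can never match, shadowed by line {by}:")
        print(f"  {RULES[dead - 1]}\n  {RULES[by - 1]}")
```

The subset test is exact only for the constraints it can see, so it reports no false positives, but it also does not catch partial overlap: the "--dport 80" ACCEPT sitting before the jump to synflood lets webserver SYNs past the rate limit, and that needs reasoning about which packets each rule can see rather than a set comparison. On a live box the same check can be fed the output of "iptables-save" instead of the constructed RULES text.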