iptables

Matthes ornest na mistral.cz
Saturday July 13 14:34:24 CEST 2002


This is the script I use to set up iptables. It allows forwarding
between the internal network and the internet, access from the internet to port 80
(web server) and UDP packets for DNS, and also some ICMP control packets.
Eth0 is the connection to the internet, eth1 is the internal network.
Add a line allowing port 3884 or whichever port you wanted.

#!/bin/sh

#first, drop all rules out
iptables -F
iptables -X

#implicit policy DROP
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

#let go through everything from our network
iptables -A INPUT -p ALL -i eth1 -j ACCEPT
iptables -A INPUT -p ALL -i lo -j ACCEPT

#fuck off spoofers:
#(hooked into INPUT before any ACCEPT for eth0; a hook appended after the
# ACCEPT rules would never see the packets those rules already took)
iptables -N spoof
iptables -A spoof -s 192.168.0.0/16 -j DROP
iptables -A spoof -s 172.16.0.0/12 -j DROP
iptables -A spoof -s 10.0.0.0/8 -j DROP

iptables -A INPUT -i eth0 -j spoof
iptables -A FORWARD -i eth0 -j spoof

#prevent syn flooding attack
#(also hooked in before the port 80 ACCEPT, so new connections from eth0
# really are rate limited)
iptables -N synflood
iptables -A synflood -m limit --limit 1/s --limit-burst 5 -j RETURN
iptables -A synflood -j DROP
iptables -A INPUT -i eth0 -p tcp --syn -j synflood

#Let DNS answers in
iptables -A INPUT -p UDP -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

#also let in tcp answers
iptables -A INPUT -p TCP -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

#OK, I need some access to my webserver too:
iptables -A INPUT -p TCP -i eth0 --dport 80 -j ACCEPT

#### Insert the line allowing connections to port 3884 here ####

#let some ICMP packets in; create new chain icmp_packets
iptables -N icmp_packets
iptables -A INPUT -p ICMP -i eth0 -j icmp_packets
iptables -A icmp_packets -p ICMP --icmp-type 0 -j ACCEPT
iptables -A icmp_packets -p ICMP --icmp-type 3 -j ACCEPT
iptables -A icmp_packets -p ICMP --icmp-type 11 -j ACCEPT

#prevent ping of death
#(echo-request, type 8, is accepted only here, rate limited; an unconditional
# type 8 ACCEPT above this rule would make the limit unreachable)
iptables -A icmp_packets -p ICMP --icmp-type echo-request -m limit --limit 1/s --limit-burst 5 -j ACCEPT

#everything else will be logged
iptables -A INPUT -j LOG --log-level alert

#forwarding for inside network
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

#Masquerading for our hosts
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Matthes

> On Fri 12 July 2002 11:40 you wrote:
> > Hi,
> > I would like to be able to connect to servers on the Internet while nobody
> > can connect to me.
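As an added check, not part of Matthes's post: a small sh/awk lint for the ordering pitfall that bites scripts like this one, where a user chain such as spoof or synflood is hooked into INPUT only after ACCEPT rules for the same interface and protocol, so the accepted packets never reach it. The two rule listings are constructed samples in the form `iptables -S INPUT` prints them, and the function names are my own.

```shell
# A user chain hooked into INPUT only after an ACCEPT for the same interface
# and protocol never sees the packets that ACCEPT already took. Both listings
# are constructed samples in the form `iptables -S INPUT` prints them.
ORIGINAL_ORDER='-P INPUT DROP
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p icmp -j icmp_packets
-A INPUT -i eth0 -j spoof
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j synflood
-A INPUT -j LOG --log-level 1'

# Same rules with the spoof and synflood hooks ahead of every eth0 ACCEPT.
FIXED_ORDER='-P INPUT DROP
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i eth0 -j spoof
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j synflood
-A INPUT -i eth0 -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p icmp -j icmp_packets
-A INPUT -j LOG --log-level 1'

# shadowed_hooks LISTING CHAIN: print every user chain that CHAIN jumps to
# after an ACCEPT covering the same interface/protocol was already appended.
# Deliberately coarse (port and state matches are ignored): a hit means
# "review this ordering", silence means the hooks come first.
shadowed_hooks() {
    printf '%s\n' "$1" | awk -v chain="$2" '
        $1 == "-A" && $2 == chain {
            iface = "any"; proto = "all"; target = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-i") iface = $(i + 1)
                if ($i == "-p") proto = $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            if (target == "ACCEPT") { acc[iface "/" proto] = 1; next }
            if (target == "" || target ~ /^(DROP|REJECT|LOG|RETURN)$/) next
            for (key in acc) {
                split(key, kv, "/")
                if ((kv[1] == iface || kv[1] == "any" || iface == "any") &&
                    (kv[2] == proto || kv[2] == "all" || proto == "all")) { print target; break }
            }
        }'
}
# Number of shadowed hooks: 2 (spoof, synflood) for ORIGINAL_ORDER, 0 for FIXED_ORDER.
count_shadowed() { shadowed_hooks "$1" "$2" | awk 'END { print NR }'; }
```

On a live box, feed it `iptables -S INPUT` output instead of the samples: `shadowed_hooks "$(iptables -S INPUT)" INPUT`.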


