FTP not working when using iptables

Josef Gryga grygaj at fnb.cz
Mon Mar 18 11:25:04 CET 2002


I haven't studied the rules, but try:
modprobe ip_conntrack_ftp

J.G.

>One more addition:
>
>I can log in to the FTP server, but it goes no further. I just get this error:
>200 Type set to A.
>500 Invalid PORT Command.
>500 'LPRT 6,16,0,0,0,0,0,0,0,0,5,4,0,0,0,0,53,3,2,6,74': command not understood
>
>
>--------------------------------------
>
>
>I set up iptables rules and I can't reach FTP servers.
>An experienced look will probably be enough, but I can't find the cause in the script.
>
>(If you have other comments on the script, I'd welcome them. It's a first attempt.)
>
>Petr
>
>-------------------------------------
>#!/bin/bash
>#
># acfw - firewall rules
>
># Your IP address and the external interface
>INET_IP=a.b.c.d
>INET_IFACE=eth1
>
># IP and broadcast address and interface of the internal network
>LAN1_IP=192.168.1.1/32
>LAN1_BCAST=192.168.1.255/32
>LAN1_IFACE=eth0
>LAN1_SERVER=192.168.1.254
>
># Local loopback interface
>LO_IFACE=lo
>LO_IP=127.0.0.1/32
>
># Path to the iptables binary
>IPTABLES=iptables
>
># Enable packet forwarding
>echo "1" > /proc/sys/net/ipv4/ip_forward
>
># rp_filter to prevent IP spoofing
>for interface in /proc/sys/net/ipv4/conf/*/rp_filter
>do
>    echo "1" > ${interface}
>done
>
># The default policy is to drop packets that are not explicitly allowed
>$IPTABLES -P INPUT DROP
>$IPTABLES -P OUTPUT DROP
>$IPTABLES -P FORWARD DROP
>
>#-------------------------------------------------------------------------
># PREROUTING chain in the NAT table
>#-------------------------------------------------------------------------
>
># Redirect ports 25, 110 and 1723 to a host inside the network
>$IPTABLES -t nat -A PREROUTING -p tcp --dport 25 -d $INET_IP -j DNAT --to $LAN1_SERVER:25
>$IPTABLES -t nat -A PREROUTING -p tcp --dport 110 -d $INET_IP -j DNAT --to $LAN1_SERVER:110
>$IPTABLES -t nat -A PREROUTING -p tcp --dport 1723 -d $INET_IP -j DNAT --to $LAN1_SERVER:1723
>$IPTABLES -t nat -A PREROUTING -p 47 -d $INET_IP -j DNAT --to $LAN1_SERVER
>
>#-------------------------------------------------------------------------
># POSTROUTING chain in the NAT table
>#-------------------------------------------------------------------------
>
># IP masquerading - SNAT
>$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to $INET_IP
>
>#-------------------------------------------------------------------------
># Extra chains to make checking for reserved addresses easier
>#-------------------------------------------------------------------------
>
># Drop and log (max. 5 x 3 packets per hour)
>$IPTABLES -N spoofing
>$IPTABLES -A spoofing -m limit --limit 5/h --limit-burst 3 -j LOG --log-prefix "Reserved address: "
>$IPTABLES -A spoofing -j DROP
>
># This chain checks whether incoming packets carry a nonsensical IP address
>$IPTABLES -N IN_FW
>$IPTABLES -A IN_FW -s 192.168.0.0/16 -j spoofing # reserved by RFC1918
>$IPTABLES -A IN_FW -s 10.0.0.0/8 -j spoofing     #   ---- ditto ----
>$IPTABLES -A IN_FW -s 172.16.0.0/12 -j spoofing  #   ---- ditto ----
>$IPTABLES -A IN_FW -s 96.0.0.0/4 -j spoofing     # reserved by IANA
># ... further reserved addresses can be added according to
>#       http://www.iana.com/assignments/ipv4-address-space
>
># Chain limiting the rate of incoming SYN connections (protection against SYN floods)
># lets through only 4 SYN segments/sec
>$IPTABLES -N syn-flood
>$IPTABLES -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
>$IPTABLES -A syn-flood -j DROP
>
>#-------------------------------------------------------------------------
># FORWARD chain
>#-------------------------------------------------------------------------
>
># Packet is marked NEW but does not have the SYN flag set - get rid of it
>$IPTABLES -A FORWARD -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "NEW without SYN: "
>$IPTABLES -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
>
># We do not want reserved addresses on the Internet interface
>$IPTABLES -A FORWARD -i $INET_IFACE -j IN_FW
>
># Allow the port forwarding to the host inside the network (25, 110, 1723, protocol 47)
>$IPTABLES -A FORWARD -i $INET_IFACE -o $LAN1_IFACE -p tcp -d $LAN1_SERVER --dport 25 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
>$IPTABLES -A FORWARD -i $INET_IFACE -o $LAN1_IFACE -p tcp -d $LAN1_SERVER --dport 110 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
>$IPTABLES -A FORWARD -i $INET_IFACE -o $LAN1_IFACE -p tcp -d $LAN1_SERVER --dport 1723 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
>$IPTABLES -A FORWARD -i $INET_IFACE -o $LAN1_IFACE -p 47 -d $LAN1_SERVER -m state --state ESTABLISHED,RELATED -j ACCEPT
>
># Routing from inside the network to the outside is not restricted
>$IPTABLES -A FORWARD -i ! $INET_IFACE -j ACCEPT
>
># Routing from outside to inside only for established connections (stateful firewall)
>$IPTABLES -A FORWARD -i $INET_IFACE -o $LAN1_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
>
># All other packets will be dropped, so log them (6 x 5 packets/hour)
>$IPTABLES -A FORWARD -m limit --limit 6/h -j LOG --log-prefix "forward drop: "
>
>#-------------------------------------------------------------------------
># INPUT chain
>#-------------------------------------------------------------------------
>
># Packet is marked NEW but does not have the SYN flag set - get rid of it
>$IPTABLES -A INPUT -i $INET_IFACE -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "NEW without SYN: "
>$IPTABLES -A INPUT -i $INET_IFACE -p tcp ! --syn -m state --state NEW -j DROP
>
># First get rid of unwanted addresses
>$IPTABLES -A INPUT -i $INET_IFACE -j IN_FW
>
># Filter out syn-flooding attempts
>$IPTABLES -A INPUT -i $INET_IFACE -p tcp --syn -j syn-flood
>
># It is not a good idea to filter the AUTH service with DROP, because that
># can cause delays when some connections are being established. So we
># refuse it, but generate a proper ICMP error message
>$IPTABLES -A INPUT -i $INET_IFACE -p TCP --dport 113 -j REJECT --reject-with tcp-reset #AUTH server
>
># Let through only selected ICMP messages
>$IPTABLES -A INPUT -i $INET_IFACE -p ICMP --icmp-type echo-reply -j ACCEPT
>$IPTABLES -A INPUT -i $INET_IFACE -p ICMP --icmp-type destination-unreachable -j ACCEPT
>$IPTABLES -A INPUT -i $INET_IFACE -p ICMP --icmp-type echo-request -j ACCEPT
>$IPTABLES -A INPUT -i $INET_IFACE -p ICMP --icmp-type time-exceeded -j ACCEPT
>
># Loopback is not something to restrict
>$IPTABLES -A INPUT -i $LO_IFACE -j ACCEPT
>
># Likewise packets from the local network, if they are destined for us
>$IPTABLES -A INPUT -i $LAN1_IFACE -d $LAN1_IP -j ACCEPT
>$IPTABLES -A INPUT -i $LAN1_IFACE -d $INET_IP -j ACCEPT
>
># Broadcasts on the local interface are ours too
>$IPTABLES -A INPUT -i $LAN1_IFACE -d $LAN1_BCAST -j ACCEPT
>
># Packets belonging to established connections are fine
>$IPTABLES -A INPUT -d $INET_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
>
># Everything else is forbidden - so we log it, at most 5 packets,
># 6 times per hour
>$IPTABLES -A INPUT -m limit --limit 6/h -j LOG --log-prefix "input drop: "
>
>#-------------------------------------------------------------------------
># OUTPUT chain
>#-------------------------------------------------------------------------
>
># Allow outgoing packets that carry our IP addresses
>$IPTABLES -A OUTPUT -s $LO_IP -j ACCEPT
>$IPTABLES -A OUTPUT -s $LAN1_IP -j ACCEPT
>$IPTABLES -A OUTPUT -s $INET_IP -j ACCEPT
>
># Log other packets (there should not be any)
>$IPTABLES -A OUTPUT -j LOG --log-prefix "output drop: "
>
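Added example (not part of either message above, and not the script's code): what the "500 Invalid PORT Command" reply in the quoted error actually means, and what the FTP connection-tracking helper has to do about it. A client behind the SNAT rule in the script sends an active-mode PORT command that advertises its private 192.168.x.x address; many FTP servers refuse a PORT whose address differs from the control-connection peer (a guard against FTP bounce), so the transfer fails even though the login worked. The helper modules (ip_conntrack_ftp plus ip_nat_ftp on 2.4 kernels, nf_conntrack_ftp plus nf_nat_ftp today) read the cleartext control channel, rewrite the address in PORT/PASV to the translated one, and mark the data connection RELATED so the ESTABLISHED,RELATED rules let it through. The code below parses the three active-mode forms (RFC 959 PORT, RFC 1639 LPRT as in the quoted error line, RFC 2428 EPRT), applies the server-side address sanity check, and shows the rewrite the NAT helper performs. The LPRT line is copied from the post; the other commands and the address 203.0.113.5 are constructed for the example.

```python
import ipaddress

# Constructed sample FTP commands as a client would send them on the control
# connection. The LPRT line is copied from the server error quoted in the post;
# the PORT and EPRT lines and the public address below are constructed.
SAMPLE_COMMANDS = [
    "PORT 192,168,1,17,4,1",                              # private address, port 1025
    "LPRT 6,16,0,0,0,0,0,0,0,0,5,4,0,0,0,0,53,3,2,6,74",  # RFC 1639 long form, af=6
    "EPRT |1|192.168.1.17|1025|",                         # RFC 2428 extended form
]
PUBLIC_IP = "203.0.113.5"  # address the server sees after SNAT (constructed)


def _byte_fields(args, expected=None):
    """Split 'a,b,c,...' into ints and check each one fits in a byte."""
    fields = [int(x) for x in args.split(",")]
    if any(not 0 <= f <= 255 for f in fields):
        raise ValueError("field out of byte range: %s" % args)
    if expected is not None and len(fields) != expected:
        raise ValueError("expected %d fields, got %d" % (expected, len(fields)))
    return fields


def parse_port(args):
    """PORT h1,h2,h3,h4,p1,p2 (RFC 959): four address bytes, two port bytes."""
    f = _byte_fields(args, expected=6)
    return ipaddress.IPv4Address(bytes(f[:4])), f[4] * 256 + f[5]


def parse_lprt(args):
    """LPRT af,hal,h1..hN,pal,p1..pM (RFC 1639): af 4 = IPv4, 6 = IPv6."""
    f = _byte_fields(args)
    if len(f) < 3:
        raise ValueError("LPRT argument too short")
    af, hal = f[0], f[1]
    if len(f) < 3 + hal:
        raise ValueError("LPRT address truncated")
    pal = f[2 + hal]
    if len(f) != 3 + hal + pal:
        raise ValueError("LPRT field count does not match hal/pal")
    addr_bytes = bytes(f[2:2 + hal])
    port = int.from_bytes(bytes(f[3 + hal:]), "big")
    if af == 4 and hal == 4:
        return ipaddress.IPv4Address(addr_bytes), port
    if af == 6 and hal == 16:
        return ipaddress.IPv6Address(addr_bytes), port
    raise ValueError("unsupported LPRT family/length: af=%d hal=%d" % (af, hal))


def parse_eprt(args):
    """EPRT |proto|addr|port| (RFC 2428): proto 1 = IPv4, 2 = IPv6."""
    delim = args[0]
    parts = args.split(delim)
    if len(parts) != 5 or parts[0] != "" or parts[4] != "":
        raise ValueError("malformed EPRT argument")
    proto, host, port = parts[1:4]
    addr = ipaddress.ip_address(host)
    if {"1": 4, "2": 6}.get(proto) != addr.version:
        raise ValueError("EPRT protocol field does not match address")
    return addr, int(port)


PARSERS = {"PORT": parse_port, "LPRT": parse_lprt, "EPRT": parse_eprt}


def parse_data_command(line):
    """Return (verb, address, port) for an active-mode FTP command line."""
    verb, _, args = line.strip().partition(" ")
    verb = verb.upper()
    if verb not in PARSERS:
        raise ValueError("not an active-mode data command: %s" % verb)
    addr, port = PARSERS[verb](args.strip())
    return verb, addr, port


def check_active_command(line, control_peer):
    """Server-side sanity check used by many FTP daemons against bounce
    attacks: the advertised address must be in the same family as, and equal
    to, the peer of the control connection. Returns (verdict, reason)."""
    peer = ipaddress.ip_address(control_peer)
    try:
        verb, addr, port = parse_data_command(line)
    except ValueError as exc:
        return "reject", "%s not understood: %s" % (line.split(" ")[0], exc)
    if addr.version != peer.version:
        return "reject", "%s address family %d does not match control connection" % (verb, addr.version)
    if addr != peer:
        return "reject", "%s address %s differs from control peer %s" % (verb, addr, peer)
    return "accept", "%s -> %s:%d" % (verb, addr, port)


def nat_rewrite_port(line, public_ip):
    """The rewrite the kernel FTP NAT helper performs for a client behind SNAT:
    replace the address in PORT with the translated (public) one. The port is
    left as advertised here; the real helper may also remap it."""
    verb, addr, port = parse_data_command(line)
    if verb != "PORT":
        raise ValueError("only PORT rewriting is shown in this example")
    pub = ipaddress.IPv4Address(public_ip)
    return "PORT %s,%d,%d" % (str(pub).replace(".", ","), port // 256, port % 256)


if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        print("%-55s %s" % (cmd, check_active_command(cmd, PUBLIC_IP)))
    fixed = nat_rewrite_port(SAMPLE_COMMANDS[0], PUBLIC_IP)
    print("after NAT helper rewrite:", fixed, check_active_command(fixed, PUBLIC_IP))
```

Two things the walk-through makes visible: the PORT from 192.168.1.17 is rejected until the address is rewritten to the public one, which is exactly the job of the NAT helper, and the helper can only do that when it sees the control channel in cleartext (it cannot help FTP over TLS). On recent kernels loading the module is no longer enough by itself; the helper must also be assigned to the control connection explicitly with the CT target in the raw table (`-j CT --helper ftp`).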





More information about the Linux mailing list