Filtrovani paketu

Zdenek Masek sediss na seznam.cz
Pátek Únor 21 16:30:41 CET 2003


Linux pc s RH 7.0 je pripojene rozhranim eth1 (bezdratové pripojeni) k
internetu a rozhranim eth0 k win pc. Linux pc ma slouzit jako webserver,
mailserver, dns a firewall. Proxy jeste uvazim. Pro maskaradovani a
filtrovani paketu chci pouzit nasledujici skripty:

skript 1)

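#!/bin/bash
# Script 1: turn on IP masquerading for the hosts behind this box.
# eth1 is the external (wireless) link, eth0 the LAN side.
# The external interface can be overridden with EXT_IF (default: eth1), so
# the script no longer has to be edited when the interface name changes.
set -eu

ext_if=${EXT_IF:-eth1}

# Default policy first, so nothing is forwarded while the rules are still
# being installed.
/sbin/ipchains -P forward DENY

# Masquerade packets that pass through the external interface.
# NOTE(review): no -s restriction, so anything routed through this host gets
# masqueraded; restricting it to the LAN prefix (-s <LAN_NET>) is advisable.
/sbin/ipchains -A forward -i "$ext_if" -j MASQ

# The FTP helper has to be present before clients open FTP sessions; under
# set -e a failed load aborts here instead of silently running without it.
/sbin/modprobe ip_masq_ftp

# Forwarding is switched on last, after the rules are in place (the original
# enabled it before loading the helper module).
echo 1 > /proc/sys/net/ipv4/ip_forward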

skript 2)

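#!/bin/bash
# Script 2: init-style firewall / masquerading script for an ipchains host.
#
# Usage: firewall {start|stop|restart}
#
# eth1 is the external (wireless) link, eth0 the LAN side.  The external
# interface can be overridden with EXT_IF (default: eth1).
#
# Fixes relative to the original:
#   - the "masquerade" rule used -j ACCEPT, which forwards LAN packets with
#     their private source address unchanged; script 1 and the comment both
#     want -j MASQ, so that is used here;
#   - "ipchains -P input ACCEPT -i eth1" in stop is not a valid -P command
#     (-P takes only a chain and a policy) and was failing silently;
#   - the rules that accept packets solely by TCP source port (53, 80, 8080,
#     21, 22, 25, 110) let any remote host open a new connection to any local
#     port simply by sending from that source port.  ipchains has no
#     connection tracking, so the usual mitigation is to accept only packets
#     that are not the opening SYN (! -y) on those rules;
#   - ip_forward is enabled after the filter rules are installed, not before;
#   - start flushes the chains first, so a repeated start does not append
#     duplicate rules;
#   - RETVAL now reflects failures of individual ipchains commands.
set -u

RETVAL=0
ext_if=${EXT_IF:-eth1}
ipchains=/sbin/ipchains

#######################################
# Run one ipchains command.
# A failure is recorded in RETVAL but does not stop the script, so one bad
# rule does not leave the remaining policy uninstalled.
# Globals:   RETVAL (written), ipchains (read)
# Arguments: ipchains arguments
#######################################
rule() {
  "$ipchains" "$@" || RETVAL=1
}

#######################################
# Install masquerading and the external-interface packet filters.
# Globals:   ext_if (read), RETVAL (written via rule)
#######################################
start() {
  echo -n "Starting Firewall script:"

  # Start from empty chains so repeated starts do not duplicate rules.
  rule -F input
  rule -F forward

  # masquerading
  rule -P forward DENY
  rule -A forward -i "$ext_if" -j MASQ
  # modprobe instead of insmod: it resolves the module path and dependencies.
  /sbin/modprobe ip_masq_ftp || RETVAL=1

  # packet filters on the external interface
  rule -A input -i "$ext_if" -p ICMP -j ACCEPT

  # DNS: this host serves DNS (inbound 53) and resolves (replies from 53).
  rule -A input -i "$ext_if" -p TCP --destination-port 53 -j ACCEPT
  rule -A input -i "$ext_if" -p UDP --destination-port 53 -j ACCEPT
  rule -A input -i "$ext_if" -p TCP ! -y --source-port 53 -j ACCEPT
  # UDP has no SYN flag; this rule stays spoofable by source port.
  rule -A input -i "$ext_if" -p UDP --source-port 53 -j ACCEPT

  # http: replies to outbound web requests (non-SYN only)
  rule -A input -i "$ext_if" -p tcp ! -y --source-port 80 -j ACCEPT
  rule -A input -i "$ext_if" -p tcp ! -y --source-port 8080 -j ACCEPT
  # http from outside (this host is a web server)
  rule -A input -i "$ext_if" -p tcp --destination-port 80 -j ACCEPT

  # ftp: control-channel replies (non-SYN only)
  rule -A input -i "$ext_if" -p tcp ! -y --source-port 21 -j ACCEPT
  # Active-mode data connections arrive as a new connection from port 20, so
  # this rule must accept SYN; it remains accept-by-source-port only.
  rule -A input -i "$ext_if" -p tcp --source-port 20 -j ACCEPT

  # ssh
  rule -A input -i "$ext_if" -p tcp ! -y --source-port 22 -j ACCEPT
  rule -A input -i "$ext_if" -p tcp --destination-port 22 -j ACCEPT

  # smtp
  rule -A input -i "$ext_if" -p tcp ! -y --source-port 25 -j ACCEPT
  rule -A input -i "$ext_if" -p tcp --destination-port 25 -j ACCEPT

  # pop3
  rule -A input -i "$ext_if" -p tcp ! -y --source-port 110 -j ACCEPT
  rule -A input -i "$ext_if" -p tcp --destination-port 110 -j ACCEPT

  # deny everything else arriving on the external interface
  rule -A input -i "$ext_if" -j DENY

  # samba filter (kept disabled, as in the original)
  #rule -A input -i "$ext_if" --destination-port 137:139 -j DENY
  #rule -A output -i "$ext_if" --source-port 137:139 -j DENY
  # proxy filter from outside (kept disabled, as in the original)
  #rule -A input -i "$ext_if" -p tcp --destination-port 3128 -j DENY

  # Forwarding goes on only after the rules above are in place.
  echo 1 > /proc/sys/net/ipv4/ip_forward
  echo
}

#######################################
# Disable forwarding and remove all rules.
# Globals:   RETVAL (written via rule)
#######################################
stop() {
  echo -n "Stopping Firewall script: "
  echo 0 > /proc/sys/net/ipv4/ip_forward
  rule -F
  rule -P forward ACCEPT
  # -P accepts only "chain policy"; the original appended "-i eth1" here.
  rule -P input ACCEPT
  # Best effort: the module may legitimately be absent or still in use.
  /sbin/rmmod ip_masq_ftp 2>/dev/null || :
  echo
}

# See how we were called.
case "${1:-}" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  restart)
    stop
    start
    ;;
  *)
    echo "Usage: firewall {start|stop|restart}" >&2
    exit 1
    ;;
esac

exit $RETVAL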

Muzete mi poradit, kam mam ty skripty ulozit a pod jakym nazvem a co si mam
predtim zalohovat?

Zdenek Masek


