Filtrovani paketu
Zdenek Masek
sediss na seznam.cz
Pátek Únor 21 16:30:41 CET 2003
Linux pc s RH 7.0 je pripojene rozhranim eth1 (bezdratové pripojeni) k
internetu a rozhranim eth0 k win pc. Linux pc ma slouzit jako webserver,
mailserver, dns a firewall. Proxy jeste uvazim. Pro maskaradovani a
filtrovani paketu chci pouzit nasledujici skripty:
skript 1)
#!/bin/bash
ipchains -P forward DENY
ipchains -A forward -i eth1 -j MASQ
echo 1 > /proc/sys/net/ipv4/ip_forward
modprobe ip_masq_ftp
skript 2)
#!/bin/bash
RETVAL=0
# See how we were called.
case "$1" in
start)
echo -n "Starting Firewall script:"
#maskarada
/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -i eth1 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
/sbin/insmod ip_masq_ftp
#paketove filtry
/sbin/ipchains -A input -i eth1 -p ICMP -j ACCEPT
#DNS
/sbin/ipchains -A input -i eth1 -p TCP --source-port 53 -j ACCEPT
/sbin/ipchains -A input -i eth1 -p TCP --destination-port 53 -j ACCEPT
/sbin/ipchains -A input -i eth1 -p UDP --source-port 53 -j ACCEPT
/sbin/ipchains -A input -i eth1 -p UDP --destination-port 53 -j ACCEPT
#http
/sbin/ipchains -A input -i eth1 -p tcp --source-port 80 -j ACCEPT
/sbin/ipchains -A input -i eth1 -p tcp --source-port 8080 -j ACCEPT
#http z venku
/sbin/ipchains -A input -i eth1 -p tcp --destination-port 80 -j ACCEPT
#ftp
/sbin/ipchains -A input -i eth1 -p tcp --source-port 21 -j ACCEPT
/sbin/ipchains -A input -i eth1 -p tcp --source-port 20 -j ACCEPT
#ssh
/sbin/ipchains -A input -i eth1 -p tcp --source-port 22 -j ACCEPT
/sbin/ipchains -A input -i eth1 -p tcp --destination-port 22 -j ACCEPT
#smtp
/sbin/ipchains -A input -i eth1 -p tcp --source-port 25 -j ACCEPT
/sbin/ipchains -A input -i eth1 -p tcp --destination-port 25 -j ACCEPT
#pop3
/sbin/ipchains -A input -i eth1 -p tcp --source-port 110 -j ACCEPT
/sbin/ipchains -A input -i eth1 -p tcp --destination-port 110 -j ACCEPT
#zakazani vseho ostatniho
/sbin/ipchains -A input -i eth1 -j DENY
#filtr samby
#/sbin/ipchains -A input -i eth1 --destination-port 137:139 -j DENY
#/sbin/ipchains -A output -i eth1 --source-port 137:139 -j DENY
#filtr proxy z vnejsku
#/sbin/ipchains -A input -i eth1 -p tcp --destination-port 3128 -j DENY
#/sbin/ipchains -A input -i eth1 -p tcp --destination-port 3128 -j DENY
;;
stop)
echo -n "Stopping Firewall script: "
echo 0 > /proc/sys/net/ipv4/ip_forward
/sbin/ipchains -F
/sbin/ipchains -P forward ACCEPT
/sbin/ipchains -P input ACCEPT -i eth1
/sbin/rmmod ip_masq_ftp
;;
restart)
$0 stop
$0 start
;;
*)
echo "Usage: firewall {start|stop|restart}"
exit 1
esac
exit $RETVAL
Muzete mi poradit, kam mam ty skripty ulozit a pod jakym nazvem a co si mam
predtim zalohovat?
Zdenek Masek
Další informace o konferenci Linux