ipchains
Zdenek Masek
sediss na seznam.cz
Neděle Únor 23 02:04:45 CET 2003
Do adresare /etc/rc.d/init.d jsem umistil nasledujici skript pro
filtrovani paketu, ale system ho pri restartu nenacetl, ani ho nespustim
prikazem ./firewall start; system rika, ze neni ani souborem, ani adresarem.
Kde mam prosim chybu?
Zdenek Masek
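#!/bin/bash
#
# firewall - SysV init script that loads an ipchains packet filter for the
# external interface (IP forwarding for the internal network plus a
# stateless filter on the input chain).
#
# Usage: firewall {start|stop|restart}
#
# Install as /etc/rc.d/init.d/firewall with the execute bit set and with
# Unix (LF) line endings. NOTE(review): a CR after "#!/bin/bash" makes the
# kernel look for an interpreter named "/bin/bash<CR>", which is reported as
# "No such file or directory" when the script is run directly - a likely
# cause of the symptom in the accompanying message; verify with `file`.
#
# Exit status: 0 when every ipchains/insmod/rmmod call succeeded, 1 otherwise.

RETVAL=0
EXT_IF=eth1   # external (untrusted) interface

# Run ipchains and remember a failure in RETVAL instead of stopping half-way
# through the rule set; a partially loaded filter is reported, not hidden.
fw() {
  /sbin/ipchains "$@" || RETVAL=1
}

case "$1" in
start)
  echo -n "Starting Firewall script:"
  # Start from empty chains so that a second "start" does not append a
  # duplicate copy of every rule.
  fw -F input
  fw -F forward

  # Forwarding for the internal network.
  # NOTE(review): the original comment called this "masquerade", but the
  # target is ACCEPT rather than MASQ - confirm which was intended.
  fw -P forward DENY
  fw -A forward -i "$EXT_IF" -j ACCEPT
  echo 1 > /proc/sys/net/ipv4/ip_forward
  /sbin/insmod ip_masq_ftp || RETVAL=1

  # Packet filter on the input chain.
  # Replies to connections opened from here are matched on their source
  # port. "! -y" restricts those rules to packets that are not TCP
  # connection requests (SYN without ACK), so a remote host cannot reach an
  # arbitrary local port merely by sending from source port 80, 22, 25, ...
  # Rules on --destination-port deliberately admit new inbound connections
  # to the listed services. Protocol names are lower-case throughout (the
  # original mixed TCP/tcp).
  fw -A input -i "$EXT_IF" -p icmp -j ACCEPT
  # DNS
  fw -A input -i "$EXT_IF" -p tcp ! -y --source-port 53 -j ACCEPT
  fw -A input -i "$EXT_IF" -p tcp --destination-port 53 -j ACCEPT
  fw -A input -i "$EXT_IF" -p udp --source-port 53 -j ACCEPT
  fw -A input -i "$EXT_IF" -p udp --destination-port 53 -j ACCEPT
  # http (replies to outbound requests)
  fw -A input -i "$EXT_IF" -p tcp ! -y --source-port 80 -j ACCEPT
  fw -A input -i "$EXT_IF" -p tcp ! -y --source-port 8080 -j ACCEPT
  # http from outside
  fw -A input -i "$EXT_IF" -p tcp --destination-port 80 -j ACCEPT
  # ftp control replies
  fw -A input -i "$EXT_IF" -p tcp ! -y --source-port 21 -j ACCEPT
  # ftp-data: active-mode transfers arrive as a new connection (SYN) from
  # source port 20, so this rule cannot carry "! -y". It remains the one
  # source-port-only entry point on this host; using passive FTP and
  # removing the rule closes it.
  fw -A input -i "$EXT_IF" -p tcp --source-port 20 -j ACCEPT
  # ssh
  fw -A input -i "$EXT_IF" -p tcp ! -y --source-port 22 -j ACCEPT
  fw -A input -i "$EXT_IF" -p tcp --destination-port 22 -j ACCEPT
  # smtp
  fw -A input -i "$EXT_IF" -p tcp ! -y --source-port 25 -j ACCEPT
  fw -A input -i "$EXT_IF" -p tcp --destination-port 25 -j ACCEPT
  # pop3
  fw -A input -i "$EXT_IF" -p tcp ! -y --source-port 110 -j ACCEPT
  fw -A input -i "$EXT_IF" -p tcp --destination-port 110 -j ACCEPT
  # Deny everything else arriving on the external interface.
  fw -A input -i "$EXT_IF" -j DENY
  # Samba filter (disabled). On the input chain it is already covered by the
  # final DENY above; port matches need a protocol, hence "-p tcp" (a second
  # pair of rules with "-p udp" would be needed for NetBIOS over UDP).
  #fw -A input -i "$EXT_IF" -p tcp --destination-port 137:139 -j DENY
  #fw -A output -i "$EXT_IF" -p tcp --source-port 137:139 -j DENY
  # Proxy filter from outside (disabled; also covered by the final DENY).
  #fw -A input -i "$EXT_IF" -p tcp --destination-port 3128 -j DENY
  echo
  ;;
stop)
  echo -n "Stopping Firewall script: "
  echo 0 > /proc/sys/net/ipv4/ip_forward
  fw -F
  fw -P forward ACCEPT
  # -P sets the policy of a whole chain and takes no interface option; the
  # original "-P input ACCEPT -i eth1" is not a valid ipchains command line.
  fw -P input ACCEPT
  /sbin/rmmod ip_masq_ftp || RETVAL=1
  echo
  ;;
restart)
  "$0" stop || RETVAL=1
  "$0" start || RETVAL=1
  ;;
*)
  echo "Usage: firewall {start|stop|restart}"
  exit 1
esac
exit $RETVAL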