Kontrola firewallu - iptables

[Peter Surda]

On Fri, Sep 10, 2004 at 09:18:39AM +0200, Petr Horacek wrote:
> Dobry den preji
cau

> muzu vas pozadat o zbeznou kontrolu tohoto firewallu postavenem na iptables,
> jestli tam neni nejaka zavazna chyba nebo jestli tam neco nechybi? Eth0 -
> internet, eth1 - LAN, zvenku pristupny web server a SMTP pro qmail, z LAN
> HTTP pres Squid.
Je tam par chyb:
- nepojdu spojenia z routra von lebo chyba RELATED,ESTABLISHED na eth0
- nebude fungovat obmedzenie poctu SYN paketov lebo je to v zlom poradi
- a co ine protokoly ako TCP?
- nie je mi jasne, co chces filtrovat v OUTPUTe

Okrem toho je to suboptimalne, v beznych podmienkach to nevadi ale ja som taky
fajnsmeker :-)

nat je ok. filter by som spravil takto:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:new - [0:0]
:conn - [0:0]
[0:0] -A INPUT -j conn
[0:0] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -i eth1 -j ACCEPT
[0:0] -A INPUT -j new
[0:0] -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
[0:0] -A FORWARD -j conn
[0:0] -A FORWARD -i eth1 -j ACCEPT 
[0:0] -A new -p tcp -m limit --limit 1/s --limit-burst 1 -j RETURN
[0:0] -A new -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 5 -j ACCEPT
[0:0] -A new -j DROP
[0:0] -A conn -m state --state INVALID -j DROP
[0:0] -A conn -m state --state RELATED,ESTABLISHED -j ACCEPT

smtp/http sa da nahradit mport ked to jadro a iptables podporuju:
[0:0] -A INPUT -p tcp -m tcp -m mport --dports 25,80 -j ACCEPT

> Petr
S pozdravom,

Peter Surda (Shurdeek) <shurdeek na routehat.org>, ICQ 10236103, +436505122023

-- 
 - "The world we're living in lies always in darkness."
 - "That's why we're seeking the light."