Pár napon belül be kel üzemelnem egy szervert, amin egy squid fog
müködni transzparens proxy-ként, a gépen még dhcp szolgáltatás fog
futni.(+ssh,apache2 stb..)
Átnéznétek az alábbi scriptet, mert valami nem jó benne :(
Belső hálon nem látszik a 80 és a 21 port se :(
kösszi, fontos lenne
Imre
#!/bin/sh
echo -n 'Configuring firewall '
echo 1 /proc/sys/net/ipv4/ip_forward
#allandok
NET_INT=192.168.0.0/255.255.0.0 #belsĂľ halozatot lefedĂľ teljes
cimtartomany
IFACE_INT=eth0 #belsĂľ csatolo
IFACE_EXT=eth1 #kulsĂľ csatolo
IP_GW=192.168.1.1
PORT_SSH_EXT=1 #SSH external port
MORE_F_TCP_PORTS=544 1755 2628 6881 81
MORE_F_UDP_PORTS=544 1755
#544-RealMedia 1755-WindowsMedia 2628-JDictionary 6880-BitTorrent
#IP_INT=192.168.100.1 #belsĂľ IP cim
IP_INT=`ifconfig $IFACE_INT | grep inet\ addr | cut -f2 -d: | cut -f1 -d\
`
IP_EXT=`ifconfig $IFACE_EXT | grep inet\ addr | cut -f2 -d: | cut -f1 -d\
` #külső IP cím
#regi szabalyok tĂľrlese
iptables -F
iptables --delete-chain
iptables -t nat -F
iptables -t nat --delete-chain
iptables -Z
#alapertelemzetten mindent eldob
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
#visszahurkolo engedĂŠlyezĂŠse
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
#tovabbi lancok letrehozasa:
iptables -N security
iptables -N dosattack
iptables -N sinput
iptables -N portscan
#gw elerhetĂľsege
iptables -A INPUT -s $IP_GW -j ACCEPT
iptables -A OUTPUT -d $IP_GW -j ACCEPT
#Portscan PoD loggolas
iptables -A security -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG --log-
prefix FW: Xmas-tree scan (?)
iptables -A security -p tcp --tcp-flags ALL NONE -m state --state !
ESTABLISHED -j LOG --log-prefix FW: Null scan (?)
iptables -A security -p icmp --icmp-type echo-request -m limit --limit 1/s -
j ACCEPT
iptables -A security -p icmp --icmp-type echo-request -j LOG --log-
prefix FW: PingofDeath attack (?)
iptables -A security -p icmp --icmp-type echo-request -j DROP
iptables -A INPUT -j security
iptables -A FORWARD -j security
#DoS tamadasok portscanek szurese, loggolasa
iptables -A dosattack -p tcp --syn -m limit --limit 8/s -j sinput
iptables -A dosattack -p tcp --syn -j LOG --log-prefix FW: Syn-Flood
attack (?)
iptables -A dosattack -p tcp --syn -j DROP
iptables -A dosattack -j sinput
#bejovo szabalyok
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
#jovahagyott kapcsolatok elfogadasa
iptables -A INPUT -j dosattack
iptables -A sinput -p tcp ! --syn -m state --state NEW -j LOG --log-
prefix FW: hidded portscan ?
iptables -A sinput -p tcp ! --syn -m state --state NEW -j DROP
iptables -A sinput -i $IFACE_INT -p tcp -s $NET_INT -m multiport --dport
20,21,25,53,80,3128 -m state --state NEW -j ACCEPT
iptables -A sinput -i $IFACE_INT -p udp -s $NET_INT -m multiport --
dport 20,21,25,53,80,3128 -m state --state NEW -j ACCEPT
iptables -A sinput -p tcp --dport 443 -j ACCEPT
iptables -A sinput -p icmp -j ACCEPT
#iptables -A sinput -j LOG --log-prefix FW: Rejected default (in)
iptables -A sinput -j REJECT
#kimenĂľ szabalyok
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-request -j DROP
iptables -A OUTPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --dport 20,21,25,53,80,110,443 -
m state --state NEW,RELATED -j ACCEPT
iptables -A OUTPUT -p udp -m multiport --dport
20,21,25,53,80,110,443 -m state --state NEW,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp -d $NET_INT --sport 3128 -j ACCEPT
iptables -A OUTPUT -p tcp -d $NET_INT --sport 25 -j ACCEPT
iptables -A OUTPUT -j LOG --log-prefix FW: Rejected default (out)
iptables -A OUTPUT -j REJECT
#tovabbitt szabalyok
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-
mss-to-pmtu
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit
16/s -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -j DROP
iptables -A FORWARD -p icmp -j ACCEPT
iptables -A FORWARD -i $IFACE_INT -p tcp -m multiport --dport
20,21,53,80,110,123,443 -m state --state NEW,RELATED -j ACCEPT
iptables -A FORWARD -i $IFACE_INT -p udp -m multiport --dport
20,21,53,80,110,123,44
#Tovabbitasra a MORE_F_TCP_PORTS tombben tarolt portok kinyitasa
if test -n $MORE_F_TCP_PORTS
then
for i in $MORE_F_TCP_PORTS
do iptables -A FORWARD -i $IFACE_INT -p tcp --dport $i -m state --state
NEW,RELATED -j ACCEPT
done
fi
if test -n $MORE_F_UDP_PORTS
then
for i in $MORE_F_UDP_PORTS
do iptables -A FORWARD -i $IFACE_INT -p udp --dport $i -m state --
state NEW,RELATED -j ACCEPT
done
fi
#iptables -A FORWARD -j LOG --log-prefix FW: Rejected default (fwd)
iptables -A FORWARD -j REJECT
#NAT
iptables -t nat -A POSTROUTING -o $IFACE_EXT -j MASQUERADE
#transzparens proxy engedalyezase
iptables -t nat -A PREROUTING -i $IFACE_INT -s $NET_INT -p tcp --dport
80 -j REDIRECT --to-ports 3128