Andrey Kuleshov wrote:
> Andrey Kuleshov wrote:
>
> Судя по обилию ответов рекомендация одна: reinstall Linux!
>
> Спасибо за участие!
>
Судя по реакции сообщества я-таки был неправ. Ок.
Приношу извинения.
Если еще остались желающие
</opt/scripts/rc.firewall #вызывается из /etc/rc.local>
#!/bin/sh -x
IPTABLES="/sbin/iptables"
ANYWHERE="any/0"
UNPRIVPORTS="1025:65535"
LO_IFACE="lo"
LO_IP="127.0.0.1"
LO_MASK="/0.0.0.255"
LO_NET=$LO_IP$LO_MASK
EXT_IFACE="eth1"
EXT_IP="192.168.1.2"
EXT_BASE="192.168.1.0"
EXT_MASK="/24"
EXT_NET=$EXT_BASE$EXT_MASK
INT_IFACE="eth0"
INT_IP="192.168.2.1"
INT_BASE="192.168.2.0"
INT_MASK="/24"
INT_NET=$INT_BASE$INT_MASK
echo 0 >/proc/sys/net/ipv4/ip_forward
service iptables stop
$IPTABLES -F
$IPTABLES -Z
$IPTABLES -X
$IPTABLES -t filter -N INT_IN
$IPTABLES -t filter -N INT_OUT
$IPTABLES -t filter -N PUB_IN
$IPTABLES -t filter -N PUB_OUT
$IPTABLES -t filter -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -t filter -A INPUT -d $LO_NET -i ! $LO_IFACE -p tcp -j DROP
$IPTABLES -t filter -A INPUT -i $LO_IFACE -j ACCEPT
$IPTABLES -t filter -A INPUT -p icmp --icmp-type 8 -j ACCEPT # ping
$IPTABLES -t filter -A INPUT -p all -s ! $INT_NET -j PUB_IN
$IPTABLES -t filter -A INPUT -p all -i $INT_IFACE -d $INT_NET -j INT_IN
$IPTABLES -t filter -P INPUT DROP
$IPTABLES -t filter -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -t filter -A FORWARD -p udp -s $INT_NET --dport 123 -j ACCEPT # ntp
$IPTABLES -t filter -A FORWARD -p tcp -s $INT_NET --dport 443 -j ACCEPT # https
# ftp session
$IPTABLES -t filter -A FORWARD -p tcp -s $INT_NET --dport 21 -j ACCEPT
$IPTABLES -t filter -A FORWARD -p tcp -d $INT_NET --sport 21 \
-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# ftp active mode
$IPTABLES -t filter -A FORWARD -p tcp -s $INT_NET --dport 20 -j ACCEPT
$IPTABLES -t filter -A FORWARD -p tcp -d $INT_NET --sport 20 \
-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# ftp passive mode
$IPTABLES -t filter -A FORWARD -p tcp -s $INT_NET --sport $UNPRIVPORTS \
-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -t filter -A FORWARD -p tcp -d $INT_NET --dport $UNPRIVPORTS \
-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -t filter -A FORWARD -p tcp -s $INT_NET --dport 5190 -j ACCEPT # ICQ
$IPTABLES -t filter -P FORWARD DROP
$IPTABLES -t filter -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -t filter -A OUTPUT -p all -o $LO_IFACE -j ACCEPT
$IPTABLES -t filter -A OUTPUT -p all -o $EXT_IFACE -j PUB_OUT
$IPTABLES -t filter -A OUTPUT -p all -o $INT_IFACE -j INT_OUT
$IPTABLES -t filter -A OUTPUT -j DROP
$IPTABLES -t filter -P OUTPUT ACCEPT
$IPTABLES -t filter -A INT_IN -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -t filter -A INT_IN -p udp --dport 53 -j ACCEPT #DNS
$IPTABLES -t filter -A INT_IN -p tcp --dport 3128 -j ACCEPT # SQUID
$IPTABLES -t filter -A INT_IN -p tcp --dport 20 -j ACCEPT # FTP control
$IPTABLES -t filter -A INT_IN -p tcp --dport 21 -j ACCEPT # FTP data
$IPTABLES -t filter -A INT_IN -p tcp --dport 22 -j ACCEPT # ssh
$IPTABLES -t filter -A INT_IN -p tcp --dport 25 -j ACCEPT # SMTP
$IPTABLES -t filter -A INT_IN -p tcp --dport 110 -j ACCEPT # POP3
$IPTABLES -t filter -A INT_IN -p udp -s $INT_NET --dport 123 -j ACCEPT # ntp
$IPTABLES -t filter -A INT_IN -p tcp --dport 143 -j ACCEPT # IMAP
$IPTABLES -t filter -A INT_IN -p tcp --dport 443 -j ACCEPT # https
#$IPTABLES -t filter -A INT_IN -p tcp --dport 465 -j ACCEPT # SMTPs
$IPTABLES -t filter -A INT_IN -p tcp --dport 873 -j ACCEPT # rSYNC
$IPTABLES -t filter -A INT_IN -p tcp --dport 993 -j ACCEPT # IMAPs
$IPTABLES -t filter -A INT_IN -p tcp --dport 995 -j ACCEPT # POP3s
$IPTABLES -t filter -A INT_IN -p tcp --dport 1241 -j ACCEPT # nessus
$IPTABLES -t filter -A INT_IN -p tcp --dport 2121 -j REJECT # FTP proxy
$IPTABLES -t filter -A INT_IN -p tcp --dport 2638 -j ACCEPT # Sybase
$IPTABLES -t filter -A INT_IN -p tcp --dport 4025 -j ACCEPT # partimaged
$IPTABLES -t filter -A INT_IN -p tcp --dport 53 -j ACCEPT
$IPTABLES -t filter -A INT_IN -p tcp --dport 1863 -j ACCEPT # MSN
$IPTABLES -t filter -A INT_IN -p tcp --dport 3000 -j ACCEPT # int http
$IPTABLES -t filter -A INT_IN -p tcp --dport 5190 -j ACCEPT
$IPTABLES -t filter -A INT_IN -p tcp --dport 5900 -j ACCEPT # VNC
$IPTABLES -t filter -A INT_IN -p tcp --dport 6000 -j ACCEPT # X
$IPTABLES -t filter -A INT_IN -p tcp --sport $UNPRIVPORTS -j ACCEPT #
$IPTABLES -t filter -A INT_IN -p icmp --icmp-type 8 -j ACCEPT # ping
$IPTABLES -t filter -A INT_IN -p all -j REJECT
$IPTABLES -t filter -A INT_OUT -j ACCEPT
$IPTABLES -t filter -A PUB_IN -p tcp -m tcp --dport 22 -j ACCEPT
$IPTABLES -t filter -A PUB_IN -p tcp -m tcp --dport 25 -j ACCEPT
$IPTABLES -t filter -A PUB_IN -p tcp -m tcp --dport 993 -j ACCEPT
$IPTABLES -t filter -A PUB_IN -p tcp -m tcp --dport 995 -j ACCEPT
$IPTABLES -t filter -A PUB_IN -p tcp -m tcp --dport 23 -m state --state
INVALID,NEW \
-m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "audit"
$IPTABLES -t filter -A PUB_IN -p tcp -m tcp --dport 21 -m state --state
INVALID,NEW \
-m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "audit"
$IPTABLES -t filter -A PUB_IN -p tcp -m tcp --dport 143 -m state --state
INVALID,NEW \
-m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "audit"
$IPTABLES -t filter -A PUB_IN -p tcp -m tcp --dport 110 -m state --state
INVALID,NEW \
-m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "audit"
$IPTABLES -t filter -A PUB_IN -p tcp -m tcp --dport 79 -m state --state
INVALID,NEW \
-m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "audit"
$IPTABLES -t filter -A PUB_IN -p tcp -m tcp --dport 111 -m state --state
INVALID,NEW \
-m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "audit"
$IPTABLES -t filter -A PUB_IN -p tcp -m tcp --dport 512 -m state --state
INVALID,NEW \
-m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "audit"
$IPTABLES -t filter -A PUB_IN -p tcp -m tcp --dport 513 -m state --state
INVALID,NEW \
-m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "audit"
$IPTABLES -t filter -A PUB_IN -p tcp -m tcp --dport 98 -m state --state
INVALID,NEW \
-m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "audit"
$IPTABLES -t filter -A PUB_IN -p tcp -m tcp --dport 22 -m state --state
INVALID,NEW \
-m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "audit"
$IPTABLES -t filter -A PUB_IN -j DROP
$IPTABLES -t filter -A PUB_OUT -p icmp -m icmp --icmp-type 3 -j REJECT \
--reject-with icmp-port-unreachable
$IPTABLES -t filter -A PUB_OUT -p icmp -m icmp --icmp-type 11 -j REJECT \
--reject-with icmp-port-unreachable
$IPTABLES -t filter -A PUB_OUT -p icmp -j ACCEPT
$IPTABLES -t filter -A PUB_OUT -j ACCEPT
# http
$IPTABLES -t nat -A PREROUTING -p tcp -s $INT_NET \
--dport 80 -d $INT_NET -j REDIRECT --to-ports 3000 # local httpd
$IPTABLES -t nat -A PREROUTING -p tcp -s $INT_NET \
-m multiport --dport 80,81,82,83,88,777,8000,8001,8002,8080,8081 \
-d ! $INT_NET -j REDIRECT --to-ports 3128
$IPTABLES -t nat -A PREROUTING -p udp -s $INT_NET -m multiport \
--dport 80,81,82,83,88,777,8000,8001,8002,8080,8081 \
-d ! $INT_NET -j REDIRECT --to-ports 3128
$IPTABLES -t nat -A PREROUTING -p tcp -s $INT_NET -m multiport \
--dport 8082,8083,8091,8100,8101,8102,8103,8080,8888 \
-d ! $INT_NET -j REDIRECT --to-ports 3128
$IPTABLES -t nat -A PREROUTING -p udp -s $INT_NET -m multiport \
--dport 8082,8083,8091,8100,8101,8102,8103,8080,8888 \
-d ! $INT_NET -j REDIRECT --to-ports 3128
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -A POSTROUTING -p all -s $INT_NET -o $EXT_IFACE -j SNAT
--to-source $EXT_IP
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P INPUT ACCEPT
$IPTABLES -t mangle -P FORWARD ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT
$IPTABLES -t mangle -P POSTROUTING ACCEPT
echo 1 >/proc/sys/net/ipv4/ip_forward
<//opt/scripts/rc.firewall>
--
AK1041-UANIC
_______________________________________________
Sysadmins mailing list
Sysadmins@lists.altlinux.org
https://lists.altlinux.org/mailman/listinfo/sysadmins
