Decron (thread author), posted 2 February 2005

Leaving a small post here to remind myself to come back tomorrow and post the iptables script I use on my routers. It's nice. But now I'm actually wondering how to get the router itself online, along with the other machines. I can log in to it, but can't do anything from it.
Torbjørn, posted 2 February 2005

Remember that IP traffic goes out and comes back in. If you allow everything on OUTPUT (not unusual), you're halfway there. Packets still come back (TCP goes both ways, but mostly one way), so on INPUT you also have to accept the packets that are related to an already open connection. For this you use state matching, and will then typically accept RELATED and ESTABLISHED packets.
Decron (thread author), posted 2 February 2005 (edited)

> Remember that IP traffic goes out and comes back in. If you allow everything on OUTPUT (not unusual), you're halfway there. Packets still come back (TCP goes both ways, but mostly one way), so on INPUT you also have to accept the packets that are related to an already open connection. For this you use state matching, and will then typically accept RELATED and ESTABLISHED packets.

But I have opened for those packets, haven't I? Why am I without network on the router itself then? Outbound, that is... Maybe with

iptables -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT

Edited 2 February 2005 by Dark_Soldier
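Torbjørn's explanation and the rule Decron proposes in reply, worked through as an added example (this is not code from either post): a small Python model of netfilter's connection tracking that pushes a packet trace through OUTPUT and INPUT. It shows why a host with OUTPUT ACCEPT and INPUT DROP can send a SYN but never sees the SYN/ACK, how one RELATED,ESTABLISHED rule fixes that without opening the host to unsolicited connections, and what RELATED means (an ICMP error quoting one of our own flows). Assumptions: the state classification is a simplification of nf_conntrack (TCP with the default tcp_loose behaviour), interface matching such as `-i ppp0` is left out, and the addresses are from the documentation ranges.

```python
"""Model of iptables state matching for the situation discussed above.

Constructed example: a simplified nf_conntrack (TCP with tcp_loose=1),
no interface matching, documentation-range addresses.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                          # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""                     # TCP flags as letters: S, A, F, R
    inner: Optional["Packet"] = None    # ICMP errors quote the packet that caused them


def flow_key(p: Packet):
    """Direction-independent key: a packet and its reply map to the same flow."""
    return (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))


class Conntrack:
    """Simplified nf_conntrack: classifies packets and remembers accepted flows."""

    def __init__(self):
        self.flows = set()

    def state(self, p: Packet) -> str:
        if p.proto == "icmp" and p.inner is not None:
            # An ICMP error is RELATED to the flow it quotes, INVALID otherwise
            return "RELATED" if flow_key(p.inner) in self.flows else "INVALID"
        if flow_key(p) in self.flows:
            return "ESTABLISHED"        # reply traffic for a tracked flow
        if p.proto == "tcp":
            if p.flags == "S":
                return "NEW"
            if p.flags == "A":
                return "NEW"            # mid-stream pickup (nf_conntrack_tcp_loose=1)
            return "INVALID"            # SYN/ACK, FIN or RST for an unknown flow
        return "NEW"

    def confirm(self, p: Packet):
        """Entries are only kept for packets the filter actually let through."""
        if p.inner is None:
            self.flows.add(flow_key(p))


@dataclass
class Chain:
    rules: list       # (iptables text, predicate(packet, state) -> bool, verdict)
    policy: str


def evaluate(chain: Chain, p: Packet, state: str):
    for text, pred, verdict in chain.rules:
        if pred(p, state):
            return verdict, text
    return chain.policy, "chain policy"


def run_trace(input_chain: Chain, output_chain: Chain, trace):
    """Push a packet trace through OUTPUT/INPUT with one shared conntrack table."""
    ct = Conntrack()
    result = []
    for direction, p in trace:
        chain = input_chain if direction == "in" else output_chain
        state = ct.state(p)
        verdict, why = evaluate(chain, p, state)
        if verdict == "ACCEPT":
            ct.confirm(p)
        result.append((direction, state, verdict, why))
    return result


ROUTER, WEB, DNS, ATTACKER = "198.51.100.10", "203.0.113.5", "203.0.113.53", "203.0.113.99"

OUTPUT = Chain([], "ACCEPT")                       # "allow everything on OUTPUT"
INPUT_NO_STATE = Chain([], "DROP")                 # Decron's situation
INPUT_STATEFUL = Chain([                           # with the rule he proposes
    ("-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
     lambda p, s: s in ("ESTABLISHED", "RELATED"), "ACCEPT"),
], "DROP")

# Constructed trace: a web connection, a DNS query answered with an ICMP error,
# and an unsolicited SSH probe from outside.
syn = Packet("tcp", ROUTER, 40000, WEB, 80, "S")
synack = Packet("tcp", WEB, 80, ROUTER, 40000, "SA")
query = Packet("udp", ROUTER, 51234, DNS, 53)
unreach = Packet("icmp", DNS, 0, ROUTER, 0, inner=query)   # port-unreachable for the query
probe = Packet("tcp", ATTACKER, 4444, ROUTER, 22, "S")
TRACE = [("out", syn), ("in", synack), ("out", query), ("in", unreach), ("in", probe)]


def verdicts(input_chain: Chain):
    return [v[2] for v in run_trace(input_chain, OUTPUT, TRACE)]


if __name__ == "__main__":
    for name, chain in (("no state rule", INPUT_NO_STATE), ("with state rule", INPUT_STATEFUL)):
        print(name)
        for (d, p), (_, state, verdict, why) in zip(TRACE, run_trace(chain, OUTPUT, TRACE)):
            print(f"  {d:3} {p.proto:4} {p.src}:{p.sport} -> {p.dst}:{p.dport}  {state:11} {verdict:6} ({why})")
```

Without the state rule the outbound SYN and the DNS query leave, but the SYN/ACK and the ICMP error are dropped by the INPUT policy, which is exactly "logged in but can't do anything from it". With the rule, both come back in as ESTABLISHED and RELATED, while the attacker's SYN is still NEW and still hits the DROP policy; the rule does not open any port.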
petterg, posted 2 February 2005

Iptables script on my servers. Used on both servers and routers. IP addresses have been censored out. Suddenly started wondering why I have commented out -P FORWARD DROP. There must be a reason I don't remember....

# script inspired by http://www.sns.ias.edu/~jns/security/iptables/rules.html
# Note: negations are written "! -s" / "! -i"; the older "-s !" form is deprecated in current iptables.

# Network interface 'world'
IFACE="eth0"
# Public IP
IPADDR="213.145.xxx.xxx"

# Standard definitions
LOOPBACK="127.0.0.0/8"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"
CLASS_E_RESERVED_NET="240.0.0.0/4"

# Trusted public IPs (my other servers)
TRUSTED_IP="213.145.xxx.xxx/29"

# List of banned IPs
BLOCKLIST="/var/lib/iptables/blockips"

# Port numbers
MS_DS="445"
NETBIOS="137:139"
#NETBIOS_SESSION="139"
#NETBIOS_DATAGRAM="138"
#NETBIOS_NAME="137"
WEBMIN="8088"
POP3="110"
POP3S="995"
IMAP="143"
IMAPS="993"
SMTP="25"
SSH="22"
HTTP="80"
HTTPS="443"
DNS="53"
#P_PORTS="0:1023"
#UP_PORTS="1024:65535"
#TR_SRC_PORTS="32769:65535"
#TR_DEST_PORTS="33434:33523"
#NAMESERVER_1="x.x.x.x"
#NAMESERVER_2="x.x.x.x"
#BROADCAST="x.x.x.255"

# Flush all tables, delete user chains and zero counters
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -Z

# Default policies (FORWARD and OUTPUT are left at the kernel default, ACCEPT)
iptables -P INPUT DROP
#iptables -P FORWARD DROP
#iptables -P OUTPUT ACCEPT

# Anti lockout: SSH from the trusted servers is accepted before anything else
iptables -t filter -A INPUT -s ${TRUSTED_IP} -p tcp --dport 22 -j ACCEPT

#*filter
# Allow everything to/from localhost
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A OUTPUT -o lo -j ACCEPT

#*nat
# Forward outgoing
iptables -t nat -A POSTROUTING -o $IFACE -j SNAT --to-source $IPADDR
# Forward ports to host
#iptables -t nat -A PREROUTING -i $IFACE -p tcp --dport 54321 -j DNAT --to 192.168.2.101:54321

## block host
# BLOCKIPS is empty apart from RETURN; blocked addresses are inserted in front of it below.
iptables -N BLOCKIPS
iptables -A BLOCKIPS -j RETURN
iptables -t filter -A INPUT -i $IFACE ! -s ${TRUSTED_IP} -j BLOCKIPS
# TARPIT is not part of stock iptables; it needs the patch-o-matic / xtables-addons module.
iptables -N DOBLOCK
iptables -A DOBLOCK -p tcp -j LOG --log-prefix "TARPIT :"
iptables -A DOBLOCK -p tcp -j TARPIT
iptables -A DOBLOCK -j LOG --log-prefix "BLOCK :"
iptables -A DOBLOCK -j DROP
if [ -f ${BLOCKLIST} ]
then
    for BLOCKENTRY in `cat ${BLOCKLIST}`
    do
        # entries look like "<number>:<ip>:<rest>"; the expr extracts the IP
        BLOCKIP=`expr "${BLOCKENTRY}" : "[0-9]*[:]\([0-9.]*\)[:].*"`
        # skip malformed entries instead of running "iptables -I BLOCKIPS -s -j DOBLOCK"
        [ -n "${BLOCKIP}" ] || continue
        echo "Blocking ${BLOCKIP}"
        iptables -I BLOCKIPS -s ${BLOCKIP} -j DOBLOCK
    done
fi

# Defence (DoS)
# Syn-flood protection (one global limit for all SYNs on $IFACE, not per source)
iptables -N syn-flood
iptables -t filter -A INPUT -i $IFACE -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A syn-flood -j DROP
# Make sure NEW tcp connections are SYN packets
iptables -t filter -A INPUT -i $IFACE -p tcp ! --syn -m state --state NEW -j DROP
# Furtive port scanner
iptables -t filter -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
iptables -t filter -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
# Ping of death
iptables -t filter -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -t filter -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

# block local ip from eth0
iptables -t filter -A INPUT -s $LOOPBACK -i $IFACE -j DROP
iptables -t filter -A INPUT -d $LOOPBACK -i $IFACE -j DROP
# SPOOFING
iptables -t filter -A INPUT -s $CLASS_C -i $IFACE -j DROP
iptables -t filter -A INPUT -s $CLASS_B -i $IFACE -j DROP
iptables -t filter -A INPUT -s $CLASS_A -i $IFACE -j DROP
iptables -t filter -A INPUT -s $CLASS_D_MULTICAST -i $IFACE -j DROP
iptables -t filter -A INPUT -s $CLASS_E_RESERVED_NET -i $IFACE -j DROP
# Do not allow internal IPs from outside. (Only one-way router - connection tracking keeps track on return.)
iptables -t filter -A INPUT -d $CLASS_C -i $IFACE -j DROP
iptables -t filter -A INPUT -d $CLASS_B -i $IFACE -j DROP
iptables -t filter -A INPUT -d $CLASS_A -i $IFACE -j DROP

## ===================================================================
## ICMP
# We prefilter icmp by pulling it off to user-defined chains so that we can restrict which
# types are allowed from the beginning rather than leaving it to the connection tracking.
# For instance, we don't want redirects whatever happens.
# In case you hadn't realised, ICMP scares me ...................
#
# 0: echo reply (pong)
# 3: destination-unreachable (port-unreachable, fragmentation-needed etc).
# 4: source quench
# 5: redirect
# 8: echo request (ping)
# 9: router advertisement
# 10: router solicitation
# 11: time-exceeded
# 12: parameter-problem
# 13: timestamp request
# 14: timestamp reply
# 15: information request
# 16: information reply
# 17: address mask request
# 18: address mask reply
iptables -N icmp-in
iptables -N icmp-out
iptables -t filter -A INPUT -i $IFACE -p icmp -j icmp-in
iptables -t filter -A OUTPUT -o $IFACE -p icmp -j icmp-out
# Accept 0,3,4,8,11,12,14,16,18 in. RETURN hands the packet back to INPUT; anything else is dropped at the end of the chain.
iptables -A icmp-in -i $IFACE -p icmp --icmp-type 0 -s 0/0 -d $IPADDR -j RETURN
iptables -A icmp-in -i $IFACE -p icmp --icmp-type 3 -s 0/0 -d $IPADDR -j RETURN
iptables -A icmp-in -i $IFACE -p icmp --icmp-type 4 -s 0/0 -d $IPADDR -j RETURN
iptables -A icmp-in -i $IFACE -p icmp --icmp-type 8 -s 0/0 -d $IPADDR -j RETURN
iptables -A icmp-in -i $IFACE -p icmp --icmp-type 11 -s 0/0 -d $IPADDR -j RETURN
iptables -A icmp-in -i $IFACE -p icmp --icmp-type 12 -s 0/0 -d $IPADDR -j RETURN
iptables -A icmp-in -i $IFACE -p icmp --icmp-type 14 -s 0/0 -d $IPADDR -j RETURN
iptables -A icmp-in -i $IFACE -p icmp --icmp-type 16 -s 0/0 -d $IPADDR -j RETURN
iptables -A icmp-in -i $IFACE -p icmp --icmp-type 18 -s 0/0 -d $IPADDR -j RETURN
# Allow 0,4,8,12,13,15,17 out. Types 3 and 11 are not in the list, so this host never sends
# destination-unreachable or time-exceeded on $IFACE; that includes the port-unreachable
# generated by the REJECT rule in FORWARD further down, which then behaves like DROP.
iptables -A icmp-out -o $IFACE -p icmp --icmp-type 0 -s $IPADDR -d 0/0 -j RETURN
iptables -A icmp-out -o $IFACE -p icmp --icmp-type 4 -s $IPADDR -d 0/0 -j RETURN
iptables -A icmp-out -o $IFACE -p icmp --icmp-type 8 -s $IPADDR -d 0/0 -j RETURN
iptables -A icmp-out -o $IFACE -p icmp --icmp-type 12 -s $IPADDR -d 0/0 -j RETURN
iptables -A icmp-out -o $IFACE -p icmp --icmp-type 13 -s $IPADDR -d 0/0 -j RETURN
iptables -A icmp-out -o $IFACE -p icmp --icmp-type 15 -s $IPADDR -d 0/0 -j RETURN
iptables -A icmp-out -o $IFACE -p icmp --icmp-type 17 -s $IPADDR -d 0/0 -j RETURN
# Any ICMP not already allowed is dropped (logging is commented out).
#iptables -A icmp-in -i $IFACE -j LOG --log-prefix "IPTABLES ICMP-BAD-TYPE-IN: "
iptables -A icmp-in -i $IFACE -j DROP
#iptables -A icmp-out -o $IFACE -j LOG --log-prefix "IPTABLES ICMP-BAD-TYPE-OUT: "
iptables -A icmp-out -o $IFACE -j DROP

# Dropping invalid packets
iptables -t filter -A INPUT -m state --state INVALID -j DROP
iptables -t filter -A OUTPUT -m state --state INVALID -j DROP
iptables -t filter -A FORWARD -m state --state INVALID -j DROP

# Connection tracking - allow all new connections from local network to world
iptables -t filter -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t filter -A INPUT ! -i $IFACE -m state --state NEW -j ACCEPT
#iptables -t filter -A INPUT ! -i $IFACE -d $CLASS_C -m state --state NEW -j ACCEPT

# Allowing DHCPD traffic
iptables -t filter -A INPUT ! -i $IFACE -p udp --sport 67:68 --dport 67:68 -j ACCEPT

# Allow smb connections from local network
#iptables -t filter -A INPUT ! -i $IFACE -p tcp --dport $NETBIOS_SESSION --syn -j ACCEPT
#iptables -t filter -A INPUT ! -i $IFACE -p udp --dport $NETBIOS_SESSION -j ACCEPT
#iptables -t filter -A INPUT ! -i $IFACE -p tcp --dport $NETBIOS_DATAGRAM --syn -j ACCEPT
#iptables -t filter -A INPUT ! -i $IFACE -p udp --dport $NETBIOS_DATAGRAM -j ACCEPT
#iptables -t filter -A INPUT ! -i $IFACE -p tcp --dport $NETBIOS_NAME --syn -j ACCEPT
#iptables -t filter -A INPUT ! -i $IFACE -p udp --dport $NETBIOS_NAME -j ACCEPT
iptables -t filter -A INPUT ! -i $IFACE -p tcp --dport $NETBIOS --syn -j ACCEPT
iptables -t filter -A INPUT ! -i $IFACE -p udp --dport $NETBIOS -j ACCEPT
iptables -t filter -A INPUT ! -i $IFACE -p tcp --dport $MS_DS --syn -j ACCEPT
iptables -t filter -A INPUT ! -i $IFACE -p udp --dport $MS_DS -j ACCEPT

# Allow pop and webmin from local network and TRUSTED network
iptables -t filter -A INPUT ! -i $IFACE -p tcp --dport $IMAP --syn -j ACCEPT
iptables -t filter -A INPUT ! -i $IFACE -p tcp --dport $POP3 --syn -j ACCEPT
iptables -t filter -A INPUT ! -i $IFACE -p tcp --dport $WEBMIN --syn -j ACCEPT
#iptables -t filter -A INPUT -s $TRUSTED_IP -p tcp --dport $IMAP --syn -j ACCEPT
#iptables -t filter -A INPUT -s $TRUSTED_IP -p tcp --dport $POP3 --syn -j ACCEPT
iptables -t filter -A INPUT -s $TRUSTED_IP -p tcp --dport $WEBMIN --syn -j ACCEPT

# Allow ping replies
#iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# Allow dns, http, https, ssh, smtp, ssl-pop and ssl-imap from everyone
iptables -t filter -A INPUT -p tcp --dport $DNS --syn -j ACCEPT
iptables -t filter -A INPUT -p udp --dport $DNS -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport $HTTP --syn -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport $HTTPS --syn -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport $SSH --syn -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport $SMTP --syn -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport $IMAPS --syn -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport $POP3S --syn -j ACCEPT

# Do not forward local ips from eth0
iptables -t filter -A FORWARD -s $LOOPBACK -i $IFACE -j DROP
iptables -t filter -A FORWARD -d $LOOPBACK -i $IFACE -j DROP
iptables -t filter -A FORWARD -s $CLASS_C -i $IFACE -j DROP
iptables -t filter -A FORWARD -s $CLASS_B -i $IFACE -j DROP
iptables -t filter -A FORWARD -s $CLASS_A -i $IFACE -j DROP
iptables -t filter -A FORWARD -s $CLASS_D_MULTICAST -i $IFACE -j DROP
iptables -t filter -A FORWARD -s $CLASS_E_RESERVED_NET -i $IFACE -j DROP

# Do not function as relay for world-world
iptables -t filter -A FORWARD -i $IFACE -o $IFACE -j REJECT --reject-with icmp-port-unreachable

# Block smb broadcast to world
iptables -t filter -A FORWARD -o $IFACE -p tcp -m tcp --sport 137:139 -j DROP
iptables -t filter -A FORWARD -o $IFACE -p udp -m udp --sport 137:139 -j DROP
iptables -t filter -A FORWARD -o $IFACE -p tcp -m tcp --sport 445 -j DROP
iptables -t filter -A FORWARD -o $IFACE -p udp -m udp --sport 445 -j DROP
iptables -t filter -A OUTPUT -o $IFACE -p tcp -m tcp --sport 137:139 -j DROP
iptables -t filter -A OUTPUT -o $IFACE -p udp -m udp --sport 137:139 -j DROP
iptables -t filter -A OUTPUT -o $IFACE -p tcp -m tcp --sport 445 -j DROP
iptables -t filter -A OUTPUT -o $IFACE -p udp -m udp --sport 445 -j DROP

I have also changed quite a bit in the startup script:

/etc/init.d/iptables

opts="start stop save reload"

depend() {
    before net
    need logger
}

checkrules() {
    if [ ! -f ${IPTABLES_SAVE} ]
    then
        eerror "Not starting iptables. First create some rules then run"
        eerror "/etc/init.d/iptables save"
        return 1
    fi
}

start() {
    checkrules || return 1
    ebegin "Loading iptables state and starting firewall"
    einfo "Restoring iptables ruleset"
    /sbin/iptables-restore ${SAVE_RESTORE_OPTIONS} < ${IPTABLES_SAVE}
    if [ "${ENABLE_FORWARDING_IPv4}" = "yes" ]; then
        einfo "Enabling forwarding for IPv4"
        #echo "1" > /proc/sys/net/ipv4/conf/all/forwarding
        echo "1" > /proc/sys/net/ipv4/ip_forward
    fi
    if [ "${ICMP_ECHO_IGNORE_BROADCASTS}" = "yes" ]; then
        einfo "Ignoring echo broadcast for IPv4"
        echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    fi
    if [ "${DENY_SOURCE_ROUTING}" = "yes" ]; then
        einfo "Deny source routing for IPv4"
        echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
    fi
    # Default on for eth*. No need to reenable? No script to turn off under stop()
    # if [ "${DENY_REDIRECTS}" = "yes" ]; then
    #     for interface in /proc/sys/net/ipv4/conf/*/accept_redirects; do
    #         einfo "Block redirects on ${interface}"
    #         echo "0" > ${interface}
    #     done
    # fi
    if [ "${IGNORE_BOGUS_ERROR_RESPONSES}" = "yes" ]; then
        einfo "Enable bad error message protection"
        echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
    fi
    # Default on for eth*. No need to reenable. No script to turn off under stop()
    # if [ "${ENABLE_RP_FILTER}" = "yes" ]; then
    #     for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do
    #         echo "1" > ${interface}
    #     done
    # fi
    if [ "${LOG_MARTIANS}" = "yes" ]; then
        einfo "Enable logging"
        echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
    fi
    eend $?
}

stop() {
    if [ "${SAVE_ON_STOP}" = "yes" ]; then
        save || return 1
    fi
    einfo "Disabling forwarding for IPv4"
    echo "0" > /proc/sys/net/ipv4/conf/all/forwarding
    echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    # 0 here keeps source routing denied rather than re-enabling it
    echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
    echo "0" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
    echo "0" > /proc/sys/net/ipv4/conf/all/log_martians
    ebegin "Stopping firewall"
    # Flush every loaded table and reset its built-in chains to ACCEPT
    for a in `cat /proc/net/ip_tables_names`; do
        /sbin/iptables -F -t $a
        /sbin/iptables -X -t $a
        if [ $a == nat ]; then
            /sbin/iptables -t nat -P PREROUTING ACCEPT
            /sbin/iptables -t nat -P POSTROUTING ACCEPT
            /sbin/iptables -t nat -P OUTPUT ACCEPT
        elif [ $a == mangle ]; then
            /sbin/iptables -t mangle -P PREROUTING ACCEPT
            /sbin/iptables -t mangle -P INPUT ACCEPT
            /sbin/iptables -t mangle -P FORWARD ACCEPT
            /sbin/iptables -t mangle -P OUTPUT ACCEPT
            /sbin/iptables -t mangle -P POSTROUTING ACCEPT
        elif [ $a == filter ]; then
            /sbin/iptables -t filter -P INPUT ACCEPT
            /sbin/iptables -t filter -P FORWARD ACCEPT
            /sbin/iptables -t filter -P OUTPUT ACCEPT
        fi
    done
    eend $?
}

reload() {
    ebegin "Flushing firewall"
    for a in `cat /proc/net/ip_tables_names`; do
        /sbin/iptables -F -t $a
        /sbin/iptables -X -t $a
    done
    eend $?
    start
}

save() {
    ebegin "Saving iptables state"
    /sbin/iptables-save ${SAVE_RESTORE_OPTIONS} > ${IPTABLES_SAVE}
    eend $?
}

/etc/conf.d/iptables

# Location in which iptables initscript will save set rules on
# service shutdown
IPTABLES_SAVE="/var/lib/iptables/rules-save"

# Options to pass to iptables-save and iptables-restore
SAVE_RESTORE_OPTIONS="-c"

# Save state on stopping iptables
#SAVE_ON_STOP="no"
SAVE_ON_STOP="yes"

# Enable routing functionality
ENABLE_FORWARDING_IPv4="yes"

# Script modifications inspired by
# http://www.sns.ias.edu/~jns/security/iptables/rules.html

# Ignore response to broadcasts.
# You don't want yourself becoming a Smurf amplifier.
ICMP_ECHO_IGNORE_BROADCASTS="yes"

# Don't accept source routed packets. Attackers can use source routing to generate
# traffic pretending to be from inside your network, but which is routed back along
# the path from which it came, namely outside, so attackers can compromise your
# network. Source routing is rarely used for legitimate purposes.
DENY_SOURCE_ROUTING="yes"

# Disable ICMP redirect acceptance. ICMP redirects can be used to alter your routing
# tables, possibly to a bad end.
# Default on for eth*. No need to reenable? No script to turn off under stop()
#DENY_REDIRECTS="yes"

# Enable bad error message protection.
IGNORE_BOGUS_ERROR_RESPONSES="yes"

# Turn on reverse path filtering. This helps make sure that packets use
# legitimate source addresses, by automatically rejecting incoming packets
# if the routing table entry for their source address doesn't match the network
# interface they're arriving on. This has security advantages because it prevents
# so-called IP spoofing, however it can pose problems if you use asymmetric routing
# (packets from you to a host take a different path than packets from that host to you)
# or if you operate a non-routing host which has several IP addresses on different
# interfaces. (Note - If you turn on IP forwarding, you will also get this).
# Default on for eth*. No need to reenable. No script to turn off under stop()
#ENABLE_RP_FILTER="yes"

# Log spoofed packets, source routed packets, redirect packets.
LOG_MARTIANS="yes"
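The syn-flood chain and the SPOOFING rules in petterg's script, worked through as an added example (this is not code from the post): a Python model of the INPUT pre-filters for SYNs arriving on the world interface. It models `-m limit --limit 1/s --limit-burst 4` as a token bucket with four tokens refilled at one per second, which is how the limit match is documented, and it shows a caveat a reviewer of this script would raise: the limit is one global counter for all SYNs on $IFACE and runs before the spoofing drops, so a flood of SYNs with a spoofed RFC 1918 source spends the whole budget and a legitimate client's SYN is dropped by the "protection". Assumptions: the timings, addresses and the option to evaluate the spoof check first are constructed for the demonstration; the anti-lockout, BLOCKIPS and later service rules are left out.

```python
"""Model of the posted INPUT chain's pre-filters for SYNs on the world interface.

Constructed example, not petterg's code: the limit match is modelled as a token
bucket (burst tokens, refilled at the configured rate); trace is made up.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Syn:
    t: float            # arrival time in seconds
    src: str
    iface: str = "eth0"


WORLD_IFACE = "eth0"
# The script's loopback and SPOOFING rules: never a valid source on the world side
MARTIANS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4")]


class Limit:
    """Token bucket equivalent of '-m limit --limit RATE --limit-burst BURST'.

    One bucket for the whole rule: the match does not distinguish sources.
    """

    def __init__(self, rate_per_s: float, burst: int):
        self.rate, self.burst = rate_per_s, burst
        self.tokens = float(burst)
        self.last = None

    def allow(self, now: float) -> bool:
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def is_martian(src: str) -> bool:
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in MARTIANS)


def filter_syns(packets, spoof_check_first=False, rate=1.0, burst=4):
    """Return (packet, verdict, reason) for each SYN in arrival order.

    spoof_check_first=False reproduces the posted order: the syn-flood chain
    runs before the SPOOFING drops, so spoofed SYNs still spend tokens.
    """
    bucket = Limit(rate, burst)
    out = []
    for p in sorted(packets, key=lambda s: s.t):
        if p.iface != WORLD_IFACE:
            out.append((p, "CONTINUE", "not from world interface"))
            continue
        checks = [("spoofed source", lambda: is_martian(p.src)),
                  ("syn-flood", lambda: not bucket.allow(p.t))]
        if not spoof_check_first:
            checks.reverse()
        for reason, dropped in checks:
            if dropped():
                out.append((p, "DROP", reason))
                break
        else:
            # later rules decide, e.g. "--dport 80 --syn -j ACCEPT"
            out.append((p, "CONTINUE", "passes pre-filters"))
    return out


# Constructed trace: 10 SYNs with a spoofed RFC 1918 source within 100 ms,
# then a legitimate client at 0.5 s and again at 5 s.
SAMPLE = [Syn(i / 100, "192.168.1.1") for i in range(10)] + [
    Syn(0.5, "203.0.113.7"), Syn(5.0, "203.0.113.7")]


def legit_verdicts(spoof_check_first=False):
    return [v for p, v, _ in filter_syns(SAMPLE, spoof_check_first) if p.src == "203.0.113.7"]


if __name__ == "__main__":
    for order in (False, True):
        print("spoof check first" if order else "posted order")
        for p, verdict, reason in filter_syns(SAMPLE, order):
            print(f"  t={p.t:4.2f} {p.src:14} {verdict:8} {reason}")
```

In the posted order the first four spoofed SYNs pass the bucket and are then dropped as spoofed, the remaining six are dropped by syn-flood, and the legitimate SYN at 0.5 s is dropped as well; only the one at 5 s, after the bucket has refilled, gets through. Moving the spoofing drops in front of the syn-flood jump (or replacing the global limit with a per-source match such as hashlimit) makes the spoofed flood irrelevant to the legitimate client.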