Mythos
Posted: Tue May 18, 2004 1:31 am Post subject: Iptables configuration ... (SOLVED)
#!/sbin/runscript
start() {
ebegin "setting Firewall set "
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -t filter -F
iptables -t nat -F
iptables -t filter -X
iptables -t nat -X
iptables -t filter -P INPUT DROP
iptables -t filter -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -p icmp -i eth0 --icmp-type ! echo-request -m limit --limit 2/second -j ACCEPT
iptables -t filter -A INPUT -p udp -j REJECT --reject-with icmp-host-prohibited
iptables -t filter -A INPUT -f -j REJECT --reject-with icmp-host-prohibited
iptables -t filter -A INPUT -i eth0 -j ACCEPT
iptables -t filter -A INPUT -d 192.168.1.2 -s 192.168.1.2 -p tcp --sport 80 -j ACCEPT
iptables -t filter -A INPUT -s 192.168.1.2 -d 192.168.1.2 -p tcp --dport 80 -j ACCEPT
iptables -t filter -A INPUT -s localhost -d localhost -p tcp --dport 80 -j ACCEPT
iptables -t filter -A INPUT -s localhost -d localhost -p tcp --sport 80 -j ACCEPT
iptables -t filter -A INPUT -s localhost -d localhost -p tcp --dport 6000 -j ACCEPT
iptables -t filter -A INPUT -s localhost -d localhost -p tcp --sport 6000 -j ACCEPT
iptables -t filter -A INPUT -s localhost -d localhost -p tcp --dport 631 -j ACCEPT
iptables -t filter -A INPUT -s localhost -d localhost -p tcp --sport 631 -j ACCEPT
#iptables -t filter -A INPUT -s localhost -d localhost -p tcp --dport -j ACCEPT
#iptables -t filter -A INPUT -s localhost -d localhost -p tcp --sport 80 -j ACCEPT
iptables -A INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -i eth0 -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --syn -j REJECT
iptables -A INPUT -p udp -m udp -j REJECT
iptables -t filter -A INPUT -p tcp --syn -i eth0 -j DROP
iptables -t filter -A INPUT -p tcp --tcp-flags ALL FIN -j REJECT --reject-with tcp-reset
iptables -t filter -A INPUT -p tcp --tcp-flags ALL FIN,ACK -j REJECT --reject-with tcp-reset
iptables -t filter -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j REJECT --reject-with tcp-reset
iptables -t filter -A INPUT -p tcp --tcp-flags ALL ACK -j REJECT --reject-with icmp-host-prohibited
iptables -t filter -A INPUT -p tcp --tcp-flags ALL NONE -j REJECT --reject-with tcp-reset
iptables -t filter -P OUTPUT ACCEPT
#iptables -t filter -A OUTPUT -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --sport 80 -j DROP
iptables -t filter -A OUTPUT -p tcp --sport 631 -j DROP
iptables -t filter -A OUTPUT -p tcp --sport 6000 -j DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -t filter -A FORWARD -p tcp -s 192.168.1.1/29 -j ACCEPT
iptables -t filter -A FORWARD -p tcp -d 192.168.1.1/29 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A FORWARD -p udp -s 192.168.1.1/29 -j ACCEPT
iptables -t filter -A FORWARD -p udp -d 192.168.1.1/29 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A FORWARD -p icmp -s 192.168.1.1/29 -j ACCEPT
iptables -t filter -A FORWARD -p icmp -d 192.168.1.1/29 -m state --state ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -p tcp -s 192.168.1.1/29 -o eth0 -j SNAT --to-source `ifconfig eth0 | grep inet | awk '{print $2}' | sed 's/addr\://g'`
iptables -t nat -A POSTROUTING -p udp -s 192.168.1.1/29 -o eth0 -j SNAT --to-source `ifconfig eth0 | grep inet | awk '{print $2}' | sed 's/addr\://g'`
iptables -t nat -A POSTROUTING -p icmp -s 192.168.1.1/29 -o eth0 -j SNAT --to-source `ifconfig eth0 | grep inet | awk '{print $2}' | sed 's/addr\://g'`
eend
}
stop() {
ebegin "Good Bye, Firewall Defused"
eend 0
}
I had a look at some things floating around and decided to apply these rules, but I ran into two problems. First, GNOME won't start. Second, if I run it manually it gives no error at all, but if I add it with rc-update it reports errors on --to-source.
Could anyone tell me what I did wrong? Or am I overdoing it?
Cheers,
Sérgio Henrique
Last edited by Mythos on Sat Jun 05, 2004 12:53 am; edited 1 time in total
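A quick check of rule order, as an added example that is not part of the original post. iptables walks a chain top to bottom and the first ACCEPT, DROP or REJECT that matches ends the walk, so any rule whose match set is a subset of a later rule's match set makes that later rule unreachable. The bash below (assuming bash 3 or newer and GNU or BSD coreutils) rebuilds that test over a constructed excerpt of the INPUT chain posted above; it understands only the options that script uses and treats anything else as an opaque token, which can hide shadowing but never invent it.

```shell
#!/bin/bash
# Added example, not code from the thread: flag iptables rules that can never match
# because an earlier terminating rule (ACCEPT, DROP or REJECT) already matches a
# superset of their packets. Only options used in the posted script are parsed.

# Constructed excerpt of the INPUT chain posted above, in its original order.
SAMPLE_RULES='iptables -t filter -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -p udp -j REJECT --reject-with icmp-host-prohibited
iptables -t filter -A INPUT -i eth0 -j ACCEPT
iptables -t filter -A INPUT -s localhost -d localhost -p tcp --dport 6000 -j ACCEPT
iptables -A INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -i eth0 -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --syn -j REJECT
iptables -t filter -A INPUT -p tcp --syn -i eth0 -j DROP'

# Reduce one rule to "sorted match tokens |TARGET". The table, the chain, match-module
# loaders (-m) and the REJECT type are not packet matches; "0/0" matches anything.
rule_signature() {
    local tokens=() target="" neg=""
    # shellcheck disable=SC2086  # word-splitting the rule text is intended
    set -- $1
    shift                                    # drop the leading "iptables"
    while [ $# -gt 0 ]; do
        case "$1" in
            -t|-A|-m|--reject-with) shift 2 || break ;;
            -j)          target="$2"; shift 2 || break ;;
            '!')         neg='!'; shift ;;                     # "! -p tcp" form
            -f|--syn)    tokens+=("$neg$1"); neg=""; shift ;;  # valueless matches
            --tcp-flags) tokens+=("$neg$1=$2/$3"); neg=""; shift 3 || break ;;
            -*)
                if [ "$2" = '!' ]; then                        # "--icmp-type ! echo-request" form
                    tokens+=("$1=!$3"); shift 3 || break
                elif [ "$2" = 0/0 ]; then                      # wildcard address: not a constraint
                    shift 2 || break
                else
                    tokens+=("$neg$1=$2"); neg=""; shift 2 || break
                fi ;;
            *) shift ;;
        esac
    done
    printf '%s\n' "${tokens[@]}" | sort | tr '\n' ' '
    printf '|%s\n' "$target"
}

# Read rules from stdin, one per line, and report every rule that an earlier
# terminating rule shadows (the earliest shadowing rule is reported, as the kernel would hit it first).
shadowed_rules() {
    local sigs=() line i j tok ok
    while IFS= read -r line; do
        [ -n "$line" ] && sigs+=("$(rule_signature "$line")")
    done
    for ((j = 1; j < ${#sigs[@]}; j++)); do
        for ((i = 0; i < j; i++)); do
            case "${sigs[i]##*|}" in ACCEPT|DROP|REJECT) ;; *) continue ;; esac
            ok=1
            for tok in ${sigs[i]%|*}; do                      # every match of the earlier rule...
                case " ${sigs[j]%|*} " in *" $tok "*) ;; *) ok=0; break ;; esac  # ...must appear in the later one
            done
            if [ "$ok" -eq 1 ]; then
                echo "rule $((j + 1)) is unreachable: rule $((i + 1)) (${sigs[i]##*|}) already matches a superset of its packets"
                break
            fi
        done
    done
}

printf '%s\n' "$SAMPLE_RULES" | shadowed_rules
```

Run against the excerpt it reports three dead rules: the DHCP rule (`--sport 67:68 --dport 67:68 -i eth0`) is shadowed by the earlier `-p udp -j REJECT`, and both the second `-i eth0 -j ACCEPT` and the `-p tcp --syn -i eth0 -j DROP` are shadowed by the first `-i eth0 -j ACCEPT`, which accepts everything arriving on eth0 before any of the SYN or flag checks below it are consulted. The checker is deliberately conservative: it does not know that `--syn` and `--tcp-flags ALL NONE` overlap, so it reports nothing about those. On the GNOME symptom, my reading (not something the thread states) is that the INPUT policy is DROP and only ports 80, 631 and 6000 are open on loopback, while GNOME 2's ORBit and bonobo components talk to each other over TCP on 127.0.0.1 using ephemeral ports; the usual remedy is an unconditional `iptables -A INPUT -i lo -j ACCEPT` near the top of the chain.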
To
Posted: Tue May 18, 2004 8:14 am Post subject: Re: Iptables configuration ...
Honestly, it's not for me to say whether you're overdoing it or not... you're the one who knows what the machine is for. As for your problem, I would do it like this:
#!/sbin/runscript
start() {
ebegin "setting Firewall set "
echo "1" > /proc/sys/net/ipv4/ip_forward
IPETH0="`ifconfig eth0 | grep inet | awk '{print $2}`"
iptables -t filter -F
iptables -t nat -F
iptables -t filter -X
iptables -t nat -X
iptables -t filter -P INPUT DROP
iptables -t filter -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -p icmp -i eth0 --icmp-type ! echo-request -m limit --limit 2/second -j ACCEPT
iptables -t filter -A INPUT -p udp -j REJECT --reject-with icmp-host-prohibited
iptables -t filter -A INPUT -f -j REJECT --reject-with icmp-host-prohibited
iptables -t filter -A INPUT -i eth0 -j ACCEPT
iptables -t filter -A INPUT -d 192.168.1.2 -s 192.168.1.2 -p tcp --sport 80 -j ACCEPT
iptables -t filter -A INPUT -s 192.168.1.2 -d 192.168.1.2 -p tcp --dport 80 -j ACCEPT
iptables -t filter -A INPUT -s localhost -d localhost -p tcp --dport 80 -j ACCEPT
iptables -t filter -A INPUT -s localhost -d localhost -p tcp --sport 80 -j ACCEPT
iptables -t filter -A INPUT -s localhost -d localhost -p tcp --dport 6000 -j ACCEPT
iptables -t filter -A INPUT -s localhost -d localhost -p tcp --sport 6000 -j ACCEPT
iptables -t filter -A INPUT -s localhost -d localhost -p tcp --dport 631 -j ACCEPT
iptables -t filter -A INPUT -s localhost -d localhost -p tcp --sport 631 -j ACCEPT
#iptables -t filter -A INPUT -s localhost -d localhost -p tcp --dport -j ACCEPT
#iptables -t filter -A INPUT -s localhost -d localhost -p tcp --sport 80 -j ACCEPT
iptables -A INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -i eth0 -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --syn -j REJECT
iptables -A INPUT -p udp -m udp -j REJECT
iptables -t filter -A INPUT -p tcp --syn -i eth0 -j DROP
iptables -t filter -A INPUT -p tcp --tcp-flags ALL FIN -j REJECT --reject-with tcp-reset
iptables -t filter -A INPUT -p tcp --tcp-flags ALL FIN,ACK -j REJECT --reject-with tcp-reset
iptables -t filter -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j REJECT --reject-with tcp-reset
iptables -t filter -A INPUT -p tcp --tcp-flags ALL ACK -j REJECT --reject-with icmp-host-prohibited
iptables -t filter -A INPUT -p tcp --tcp-flags ALL NONE -j REJECT --reject-with tcp-reset
iptables -t filter -P OUTPUT ACCEPT
#iptables -t filter -A OUTPUT -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --sport 80 -j DROP
iptables -t filter -A OUTPUT -p tcp --sport 631 -j DROP
iptables -t filter -A OUTPUT -p tcp --sport 6000 -j DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -t filter -A FORWARD -p tcp -s 192.168.1.1/29 -j ACCEPT
iptables -t filter -A FORWARD -p tcp -d 192.168.1.1/29 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A FORWARD -p udp -s 192.168.1.1/29 -j ACCEPT
iptables -t filter -A FORWARD -p udp -d 192.168.1.1/29 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A FORWARD -p icmp -s 192.168.1.1/29 -j ACCEPT
iptables -t filter -A FORWARD -p icmp -d 192.168.1.1/29 -m state --state ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -p tcp -s 192.168.1.1/29 -o eth0 -j SNAT --to-source $IPETH0
iptables -t nat -A POSTROUTING -p udp -s 192.168.1.1/29 -o eth0 -j SNAT --to-source $IPETH0
iptables -t nat -A POSTROUTING -p icmp -s 192.168.1.1/29 -o eth0 -j SNAT --to-source $IPETH0
...
Tó
------------------------------------------------
Linux Gandalf 3.2.35-grsec
Gentoo Base System version 2.2
------------------------------------------------
Mythos
Posted: Thu May 20, 2004 12:23 am Post subject: still problems
Thanks for the help, but something is off, it still gives me an error:
IPETH0="`ifconfig eth0 | grep inet | awk '{print $2}`"
Could the error be in the quotes above?
* setting Firewall set...
/sbin/runscript.sh: command substitution: line 1: unexpected EOF while looking for matching `''
/sbin/runscript.sh: command substitution: line 2: syntax error: unexpected end of file
iptables v1.2.9: Unknown arg `--to-source'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.9: Unknown arg `--to-source'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.9: Unknown arg `--to-source'
Try `iptables -h' or 'iptables --help' for more information. [ ok ]root@********
Kobal
Posted: Thu May 20, 2004 1:13 am
I use it like this:
Well, I'm still learning iptables, but it helps.
#!/bin/bash
# flush the tables
iptables -F &&
iptables -X &&
iptables -t nat -F &&
iptables -t nat -X &&
# allow access from the internal network
iptables -A INPUT -p tcp --syn -s 192.168.1.0/255.255.255.0 -j ACCEPT &&
iptables -A OUTPUT -p tcp --syn -s 192.168.1.0/255.255.255.0 -j ACCEPT &&
iptables -A FORWARD -p tcp --syn -s 192.168.1.0/255.255.255.0 -j ACCEPT &&
# share the web connection with the internal network
iptables -t nat -A POSTROUTING -s 192.168.1.0/255.255.255.0 -o eth1 -j MASQUERADE &&
echo 1 > /proc/sys/net/ipv4/ip_forward &&
# Protection against stealth port scanners
iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
# Block traceroute
iptables -A INPUT -p udp -s 0/0 -i eth1 --dport 33435:33525 -j DROP
# Protection against attacks
iptables -A INPUT -m state --state INVALID -j DROP
To
Posted: Thu May 20, 2004 8:12 am
You're right, sorry. Use it like this:
IPETH0="`ifconfig eth0 | grep inet | awk '{print $2}' | sed 's/addr\://g'`"
Tó
humpback
Posted: Thu May 20, 2004 11:06 am
Since we're in the mood for cut's, grep's, sed's and awk's, I'll throw in my solution:
`/sbin/ifconfig eth0 |grep inet | cut -d : -f 2 | cut -d \ -f 1`
This is reminding me of my early Unix days, when people tried to do the wildest things on a single line.
I still remember a one-line script with sed, awk, cut's, grep's and wget's that generated an HTML page with links to every account on that machine that had a web page.
Gustavo Felisberto
Humpback @ #gentoo-pt
------------
It's most certainly GNU/Linux, not Linux. Read more at
http://www.gnu.org/gnu/why-gnu-linux.html .
-------------
Mythos
Posted: Mon May 24, 2004 12:23 am Post subject: Still errors
iptables -t nat -A POSTROUTING -p tcp -s 192.168.1.1/29 -o eth0 -j SNAT --to-source $IPETH0
iptables -t nat -A POSTROUTING -p udp -s 192.168.1.1/29 -o eth0 -j SNAT --to-source $IPETH0
iptables -t nat -A POSTROUTING -p icmp -s 192.168.1.1/29 -o eth0 -j SNAT --to-source $IPETH0
I think that --to-source is still giving problems.
Thanks anyway
Mythos
Posted: Mon May 24, 2004 1:15 am Post subject: Well, problem half solved
I used a bit of everyone's rules, and it seems to me it's more or less OK now.
Thanks everyone :)
I'd just like to know why it gives me that --to-source error...
Cheers
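The open --to-source question, as an added example that is not part of the original thread. If `$IPETH0` is unquoted and expands to nothing, `--to-source` becomes the last word on the command line; iptables 1.2.x then fails in the SNAT option parser and prints the `Unknown arg '--to-source'` seen above rather than a missing-argument error. The most common way to get an empty value at boot but a valid one by hand is an init script that runs before net.eth0 has configured the interface (that ordering is my assumption; the thread does not show the script's depend() block). The bash below assumes the net-tools `ifconfig` output format of the time and uses constructed samples instead of a live interface; it shows a stricter extraction and a guard that fails loudly instead of emitting a broken rule.

```shell
#!/bin/bash
# Added example, not code from the thread. Extract eth0's IPv4 address from ifconfig
# output and refuse to build the SNAT rule when there is none, instead of running
# "iptables ... -j SNAT --to-source" with nothing after it.

# Constructed `ifconfig eth0` output (net-tools format) for a configured interface.
SAMPLE_UP='eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:192.168.1.2  Bcast:192.168.1.7  Mask:255.255.255.248
          inet6 addr: fe80::211:22ff:fe33:4455/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1'

# Constructed output for the same interface before net.eth0 has assigned an address,
# which is what a firewall init script sees if it starts first (assumption: no "need net").
SAMPLE_DOWN='eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          BROADCAST MULTICAST  MTU:1500  Metric:1'

# The pipeline the thread settled on, applied to ifconfig output on stdin. Note that
# "grep inet" also matches the inet6 line, whose second field is a bare "addr:" that
# sed turns into an empty line; the address still comes out first, so it usually works.
thread_pipeline() {
    grep inet | awk '{print $2}' | sed 's/addr\://g'
}

# Stricter: only the "inet addr:" line, only the dotted quad, never more than one value.
ipv4_addr() {
    sed -n 's/^[[:space:]]*inet addr:\([0-9.]*\).*/\1/p' | head -n 1
}

# Emit the POSTROUTING rule for the given address, or fail with a clear message.
snat_rule() {
    local addr="$1"
    if [ -z "$addr" ]; then
        echo "snat_rule: eth0 has no IPv4 address yet; does depend() declare 'need net'?" >&2
        return 1
    fi
    echo "iptables -t nat -A POSTROUTING -s 192.168.1.1/29 -o eth0 -j SNAT --to-source $addr"
}

# Inside a Gentoo runscript the same guard would read (assumed wiring, not from the thread):
#   depend() { need net; }
#   IPETH0="$(/sbin/ifconfig eth0 | ipv4_addr)"
#   [ -n "$IPETH0" ] || { eend 1 "eth0 has no IPv4 address"; return 1; }

printf '%s\n' "$SAMPLE_UP" | ipv4_addr                             # the address, once
[ -z "$(printf '%s\n' "$SAMPLE_DOWN" | ipv4_addr)" ] && echo "unconfigured interface: nothing to feed --to-source"
snat_rule "$(printf '%s\n' "$SAMPLE_UP" | ipv4_addr)"
snat_rule "$(printf '%s\n' "$SAMPLE_DOWN" | ipv4_addr)" || echo "refused instead of emitting a broken rule"
```

The check is cheap and turns a cryptic iptables parse error into a message that names the actual problem; `need net` makes the init system wait for the interface so the check should then never fire.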