KnigaRead.com/

Oskar Andreasson - Iptables Tutorial 1.2.2

На нашем сайте KnigaRead.com Вы можете абсолютно бесплатно читать книгу онлайн Oskar Andreasson, "Iptables Tutorial 1.2.2" бесплатно, без регистрации.
Перейти на страницу:

This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.

If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License.

The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.

Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation.

If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.

NO WARRANTY

BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

END OF TERMS AND CONDITIONS


2. How to Apply These Terms to Your New Programs

If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms.

To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found.

<one line to give the program's name and a brief idea of what it does.> Copyright (C) <year> <name of author>

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

Also add information on how to contact you by electronic and paper mail.

If the program is interactive, make it output a short notice like this when it starts in an interactive mode:

Gnomovision version 69, Copyright (C) year name of author Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details.

The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than `show w' and `show c'; they could even be mouse-clicks or menu items--whatever suits your program.

You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the program, if necessary. Here is a sample; alter the names:

Yoyodyne, Inc., hereby disclaims all copyright interest in the program `Gnomovision' (which makes passes at compilers) written by James Hacker. <signature of Ty Coon>, 1 April 1989 Ty Coon, President of Vice

This General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Library General Public License instead of this License.


Appendix J. Example scripts code-base


Example rc.firewall script

#!/bin/sh

#

# rc.firewall - Initial SIMPLE IP Firewall script for Linux 2.4.x and iptables

#

# Copyright (C) 2001 Oskar Andreasson <bluefluxATkoffeinDOTnet>

#

# This program is free software; you can redistribute it and/or modify

# it under the terms of the GNU General Public License as published by

# the Free Software Foundation; version 2 of the License.

#

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

# GNU General Public License for more details.

#

# You should have received a copy of the GNU General Public License

# along with this program or from the site that you downloaded it

# from; if not, write to the Free Software Foundation, Inc., 59 Temple

# Place, Suite 330, Boston, MA 02111-1307 USA

#


###########################################################################

#

# 1. Configuration options.

#


#

# 1.1 Internet Configuration.

#


INET_IP="194.236.50.155"

INET_IFACE="eth0"

INET_BROADCAST="194.236.50.255"


#

# 1.1.1 DHCP

#


#

# 1.1.2 PPPoE

#


#

# 1.2 Local Area Network configuration.

#

# your LAN's IP range and localhost IP. /24 means to only use the first 24

# bits of the 32 bit IP address. the same as netmask 255.255.255.0

#


LAN_IP="192.168.0.2"

LAN_IP_RANGE="192.168.0.0/16"

LAN_IFACE="eth1"


#

# 1.3 DMZ Configuration.

#


#

# 1.4 Localhost Configuration.

#


LO_IFACE="lo"

LO_IP="127.0.0.1"


#

# 1.5 IPTables Configuration.

#


IPTABLES="/usr/sbin/iptables"


#

# 1.6 Other Configuration.

#


###########################################################################

#

# 2. Module loading.

#


#

# Needed to initially load modules

#


/sbin/depmod -a


#

# 2.1 Required modules

#


/sbin/modprobe ip_tables

/sbin/modprobe ip_conntrack

/sbin/modprobe iptable_filter

/sbin/modprobe iptable_mangle

/sbin/modprobe iptable_nat

/sbin/modprobe ipt_LOG

/sbin/modprobe ipt_limit

/sbin/modprobe ipt_state


#

# 2.2 Non-Required modules

#


#/sbin/modprobe ipt_owner

#/sbin/modprobe ipt_REJECT

#/sbin/modprobe ipt_MASQUERADE

#/sbin/modprobe ip_conntrack_ftp

#/sbin/modprobe ip_conntrack_irc

#/sbin/modprobe ip_nat_ftp

#/sbin/modprobe ip_nat_irc


###########################################################################

#

# 3. /proc set up.

#


#

# 3.1 Required proc configuration

#


echo "1" > /proc/sys/net/ipv4/ip_forward


#

# 3.2 Non-Required proc configuration

#


#echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter

#echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp

#echo "1" > /proc/sys/net/ipv4/ip_dynaddr


###########################################################################

#

# 4. rules set up.

#


######

# 4.1 Filter table

#


#

# 4.1.1 Set policies

#


$IPTABLES -P INPUT DROP

$IPTABLES -P OUTPUT DROP

$IPTABLES -P FORWARD DROP


#

# 4.1.2 Create userspecified chains

#


#

# Create chain for bad tcp packets

#


$IPTABLES -N bad_tcp_packets


#

# Create separate chains for ICMP, TCP and UDP to traverse

#


$IPTABLES -N allowed

$IPTABLES -N tcp_packets

$IPTABLES -N udp_packets

$IPTABLES -N icmp_packets


#

# 4.1.3 Create content in userspecified chains

#


#

# bad_tcp_packets chain

#


$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK

-m state --state NEW -j REJECT --reject-with tcp-reset

$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG

--log-prefix "New not syn:"

$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP


#

# allowed chain

#


$IPTABLES -A allowed -p TCP --syn -j ACCEPT

$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A allowed -p TCP -j DROP


#

# TCP rules

#


$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed

$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed

$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed

$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed


#

# UDP ports

#


#$IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 53 -j ACCEPT

#$IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 123 -j ACCEPT

#$IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 2074 -j ACCEPT

#$IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 4000 -j ACCEPT


#

# In Microsoft Networks you will be swamped by broadcasts. These lines

# will prevent them from showing up in the logs.

#


#$IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d $INET_BROADCAST

#--destination-port 135:139 -j DROP


#

# If we get DHCP requests from the Outside of our network, our logs will

# be swamped as well. This rule will block them from getting logged.

#


#$IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d 255.255.255.255

#--destination-port 67:68 -j DROP


#

# ICMP rules

#


$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT

$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT


#

# 4.1.4 INPUT chain

#


#

# Bad TCP packets we don't want.

#


$IPTABLES -A INPUT -p tcp -j bad_tcp_packets


#

# Rules for special networks not part of the Internet

#


$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT

$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT

$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT

$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT


#

# Special rule for DHCP requests from LAN, which are not caught properly

# otherwise.

#


$IPTABLES -A INPUT -p UDP -i $LAN_IFACE --dport 67 --sport 68 -j ACCEPT


#

# Rules for incoming packets from the internet.

#


$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED

-j ACCEPT

$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets

$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udp_packets

$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets


#

# If you have a Microsoft Network on the outside of your firewall, you may

# also get flooded by Multicasts. We drop them so we do not get flooded by

# logs

#


#$IPTABLES -A INPUT -i $INET_IFACE -d 224.0.0.0/8 -j DROP


#

# Log weird packets that don't match the above.

#


$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG

--log-level DEBUG --log-prefix "IPT INPUT packet died: "


#

# 4.1.5 FORWARD chain

#


#

# Bad TCP packets we don't want

#


$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets


#

# Accept the packets we actually want to forward

#


$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT

$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT


#

# Log weird packets that don't match the above.

#


$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG

--log-level DEBUG --log-prefix "IPT FORWARD packet died: "


#

# 4.1.6 OUTPUT chain

#


#

# Bad TCP packets we don't want.

#


$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets


#

# Special OUTPUT rules to decide which IP's to allow.

#


$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT

$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT

$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT


#

# Log weird packets that don't match the above.

#


$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG

Перейти на страницу:
Прокомментировать
Подтвердите что вы не робот:*