Differences
Here you can see the differences between the selected revision and the current revision of the page.
| | linux:net:firewall [12.08.2005 07:41] 127.0.0.1 external edit | | linux:net:firewall [13.03.2020 18:43] (current) |
|---|---|---|---|
| Line 1: | Line 1: | | |
| - | [[:start]] --- [[:linux]] | + | {{page>:menu}} |
| - | ---- | + | |
| ====== Firewall ====== | ====== Firewall ====== | ||
| Line 6: | Line 6: | | |
| * firewall na základě scriptu [[http:// | * firewall na základě scriptu [[http:// | ||
| * jednotlivé díly na publikované na [[http:// | * jednotlivé díly na publikované na [[http:// | ||
| + | |||
| + | |||
| + | ===== Petříček ===== | ||
| <code bash> | <code bash> | ||
| #!/bin/sh | #!/bin/sh | ||
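Review bot: the new heading "Petříček" names the existing shell script after its author, while the other two sections added in this revision ("Dynamický blacklist", "/…") are named for what they contain; a descriptive title such as a "Firewall script" heading, with the author attribution left in the bullet list above it, would make the page easier to navigate. No change to the script itself is visible in this hunk.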
| Line 227: | Line 230: | | |
| # Ostatni pakety logujeme (nemely by byt zadne takove) | # Ostatni pakety logujeme (nemely by byt zadne takove) | ||
| $IPTABLES -A OUTPUT -j LOG --log-prefix " | $IPTABLES -A OUTPUT -j LOG --log-prefix " | ||
| + | </ | ||
| + | |||
| + | |||
| + | ===== Dynamický blacklist ===== | ||
| + | *dynamický blacklist pro SSH spojení - http:// | ||
| + | <code bash> | ||
| + | ### Dynamic blacklist for SSH connection | ||
| + | # create properREJECT chain that does different rejects for tcp/udp | ||
| + | $IPTABLES -N properREJECT | ||
| + | $IPTABLES -A properREJECT -p tcp -j REJECT --reject-with tcp-reset | ||
| + | $IPTABLES -A properREJECT -j REJECT --reject-with icmp-port-unreachable | ||
| + | # | ||
| + | $IPTABLES -N blacklistdrop | ||
| + | $IPTABLES -A blacklistdrop -j LOG --log-prefix " | ||
| + | $IPTABLES -A blacklistdrop -m recent --name BLACKLIST --set -j DROP | ||
| + | # | ||
| + | # | ||
| + | # on external hosts, do rate limiting on incoming ssh packets, and keep a blacklist for 30 seconds | ||
| + | # this rule drops *any* packet if the IP is in the blacklist | ||
| + | # icmp ' | ||
| + | # they are generated by our own REJECT rule in the extern_out chain | ||
| + | $IPTABLES -A extern_in -m recent --name BLACKLIST --update --seconds 120 -j DROP | ||
| + | # | ||
| + | # all *established* ssh connections simply continue | ||
| + | $IPTABLES -A extern_in | ||
| + | # | ||
| + | # *new* ssh connections are all put into a list ' | ||
| + | # we send the package to chain ' | ||
| + | $IPTABLES -A extern_in | ||
| + | # | ||
| + | # if we have seen less then 3 such packets in the last 30 seconds we accept | ||
| + | $IPTABLES -A extern_in | ||
| + | # | ||
| + | # if the destination address is in the blacklist, we REJECT *any* packet | ||
| + | $IPTABLES -A extern_out -m recent --name BLACKLIST --rdest --rcheck --seconds 30 -j properREJECT | ||
| + | # | ||
| + | # outgoing we accept all ssh traffic, with connection tracking | ||
| + | $IPTABLES -A extern_out -p tcp --sport 22 -m state --state ESTABLISHED, | ||
| </ | </ | ||
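Review bot: the comment above the rate-limiting block says the blacklist is kept for 30 seconds, but the `extern_in` rule that enforces it uses `--seconds 120` while the `extern_out` REJECT rule uses `--seconds 30`; pick one value and state it in the comment, and note that because the `extern_in` rule uses `--update` rather than `--rcheck`, every further packet from a listed host refreshes its timestamp, so a host that keeps retrying stays blocked for 120 seconds after its last packet, not 30. Second, the LOG target in `blacklistdrop` has no `-m limit`, so a burst of new SSH connections from one source can write to the log at line rate; a `-m limit --limit 10/minute` in front of `-j LOG`, as the later logIN and logPS chains on this page do, would bound it. The three `$IPTABLES -A extern_in` lines for established, new and under-threshold SSH traffic are cut off in this view, so their match options cannot be checked here. The `--rdest --rcheck` selector on `extern_out` is correct: the list is filled by source address on the way in, and that address is the destination on the way out.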
| Line 237: | Line 278: | | |
| * http:// | * http:// | ||
| + | |||
| + | |||
| + | ===== / | ||
| + | < | ||
| + | *filter | ||
| + | :INPUT DROP [0:0] | ||
| + | :FORWARD DROP [0:0] | ||
| + | :OUTPUT DROP [0:0] | ||
| + | |||
| + | ###################################################################### | ||
| + | # Retezec LOGOVANI | ||
| + | # | ||
| + | |||
| + | -N logIN | ||
| + | -A logIN -j LOG -m limit --limit 10/minute --log-level 4 --log-prefix "INPUT RULE 2 -- DROP " | ||
| + | -A logIN -j RETURN | ||
| + | |||
| + | -N logPS | ||
| + | -A logPS -j LOG -m limit --limit 10/minute --log-level 4 --log-prefix " | ||
| + | -A logPS -j RETURN | ||
| + | |||
| + | |||
| + | ###################################################################### | ||
| + | # Retezec INPUT | ||
| + | # | ||
| + | |||
| + | # Navazovani spojeni ala Microsoft - | ||
| + | # Paket navazuje spojeni, ale nema nastaveny priznak SYN, pryc s nim | ||
| + | -A INPUT -p tcp ! --syn -m state --state NEW -j DROP | ||
| + | |||
| + | # Portscan s nastavenym SYN,FIN | ||
| + | -A INPUT -p tcp -i eth0 --tcp-flags SYN,FIN SYN,FIN -j logPS | ||
| + | -A INPUT -p tcp -i eth0 --tcp-flags SYN,FIN SYN,FIN -j DROP | ||
| + | |||
| + | # navazana spojeni | ||
| + | -A INPUT -i eth0 -m state --state ESTABLISHED, | ||
| + | |||
| + | # Loopback neomezovat | ||
| + | -A INPUT -i lo -j ACCEPT | ||
| + | |||
| + | # Ping | ||
| + | -A INPUT -i eth0 -p icmp --icmp-type echo-request -j ACCEPT | ||
| + | |||
| + | ## --- Sluzby pro vsechny --- | ||
| + | # FTP | ||
| + | -A INPUT -i eth0 -p tcp --dport 21 -j ACCEPT | ||
| + | # passivni prenos pro FTP | ||
| + | -A INPUT -i eth0 -p tcp --dport 49160:49170 -j ACCEPT | ||
| + | -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT | ||
| + | -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT | ||
| + | |||
| + | ## --- Omezeny pristup na sluzby --- | ||
| + | # Datron DMZ | ||
| + | -A INPUT -s 212.158.133.128/ | ||
| + | # Klfree | ||
| + | -A INPUT -s 81.201.48.0/ | ||
| + | # z domova | ||
| + | -A INPUT -s 86.63.200.73 -p tcp --dport 22 -j ACCEPT | ||
| + | |||
| + | |||
| + | # Broadcasty na lokalnim rozhrani jsou take nase | ||
| + | #-A INPUT -i eth1 -d 10.10.255.255 -j ACCEPT | ||
| + | |||
| + | # Stejne jako pakety z lokalni site, jsou-li urceny pro nas | ||
| + | #-A INPUT -i eth1 -d 10.10.30.23 -j ACCEPT | ||
| + | |||
| + | # MS klienti maji chybu v implementaci DHCP - nechceme DHCP - dropujeme | ||
| + | -A INPUT -i eth0 -p udp --dport 67 -j DROP | ||
| + | -A INPUT -i eth1 -p udp --dport 67 -j DROP | ||
| + | |||
| + | # Ostatni pakety mimo nasi DMZ pred zahozenim logujeme | ||
| + | -A INPUT -s ! 212.158.133.128/ | ||
| + | |||
| + | |||
| + | |||
| + | |||
| + | ###################################################################### | ||
| + | # Retezec OUTPUT | ||
| + | # | ||
| + | |||
| + | # TOS flagy slouzi k optimalizaci datovych cest | ||
| + | -t mangle -A OUTPUT -o eth0 -p tcp --sport ssh -j TOS --set-tos Minimize-Delay | ||
| + | -t mangle -A OUTPUT -o eth0 -p tcp --dport ssh -j TOS --set-tos Minimize-Delay | ||
| + | -t mangle -A OUTPUT -o eth0 -p tcp --sport ftp -j TOS --set-tos Minimize-Delay | ||
| + | -t mangle -A OUTPUT -o eth0 -p tcp --dport ftp -j TOS --set-tos Minimize-Delay | ||
| + | -t mangle -A OUTPUT -o eth0 -p tcp --dport telnet -j TOS --set-tos Minimize-Delay | ||
| + | -t mangle -A OUTPUT -o eth0 -p tcp --sport ftp-data -j TOS --set-tos Maximize-Throughput | ||
| + | |||
| + | |||
| + | # odchozi pakety veschny | ||
| + | -A OUTPUT -s 212.158.133.135 | ||
| + | -A OUTPUT -s 10.10.30.23 | ||
| + | |||
| + | ## --- Povolime DHCP broadcasty na LAN rozhrani --- | ||
| + | #-A OUTPUT -o eth1 -p UDP --dport 68 --sport 67 -j ACCEPT | ||
| + | |||
| + | # Ostatni pakety logujeme (nemely by byt zadne takove) | ||
| + | -A OUTPUT -j LOG --log-prefix " | ||
| + | |||
| + | COMMIT | ||
| + | # Generated by webmin | ||
| + | *mangle | ||
| + | :FORWARD ACCEPT [0:0] | ||
| + | :INPUT ACCEPT [0:0] | ||
| + | :OUTPUT ACCEPT [0:0] | ||
| + | :PREROUTING ACCEPT [0:0] | ||
| + | : | ||
| + | COMMIT | ||
| + | # Completed | ||
| + | # Generated by webmin | ||
| + | *nat | ||
| + | :OUTPUT ACCEPT [0:0] | ||
| + | :PREROUTING ACCEPT [0:0] | ||
| + | : | ||
| + | COMMIT | ||
| + | # Completed | ||
| + | </ | ||
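Review bot: the six `-t mangle -A OUTPUT ... -j TOS` lines sit inside the `*filter` section of what is an iptables-save/iptables-restore format file, and iptables-restore rejects the `-t` option on a rule line (the table is selected by the `*filter` / `*mangle` header, not per rule), so loading this file will fail at the first of them; move them, without the `-t mangle`, into the `*mangle` section that already exists below, before its `COMMIT`. Two smaller points: `-A INPUT -s ! 212.158.133.128/...` uses the old intrapositioned negation, which current iptables only accepts with a deprecation warning, so write it `! -s 212.158.133.128/...` as the `! --syn` rule near the top of INPUT already does; and the final `-A OUTPUT -j LOG` has no `-m limit`, unlike logIN and logPS, so any unexpected outbound traffic (which the comment says should not exist) is logged without a cap. The truncated `:` lines in the `*mangle` and `*nat` sections cannot be verified from this view.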
