Iptables and FTP server?
From: Lars

Date: 04-02-01 16:08

Does anyone have a suggestion for what needs to be changed/fixed/added in
the script below (from Henrik Størner) to allow access to an FTP server
running on a machine behind the firewall?
I've got a bit stuck on the syntax.

Thanks in advance.


#!/bin/sh
#
# Henrik Størner, henrik@storner.dk
#
PATH=/bin:/sbin:/usr/bin:/usr/sbin

#########################################
# First setup some of the kernel features
#########################################

# Disable forwarding - this is for a standalone system.
# (For masquerading, see below).
echo "0" >/proc/sys/net/ipv4/ip_forward

# Enable syn-cookies (syn-flooding attacks)
echo "1" >/proc/sys/net/ipv4/tcp_syncookies

# Disable ICMP echo-request to broadcast addresses (Smurf amplifier)
echo "1" >/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Shut off source-routing and enable IP spoof detection
# It seems that this must be done for all network interfaces
for f in /proc/sys/net/ipv4/conf/*; do
    # Drop all source-routed packets
    echo "0" >$f/accept_source_route

    # Enable source-address verification (anti spoofing).
    # The value 2 means use Ingress filtering as per RFC 1812.
    # Overhead is a little more than the simple routing check
    # (enabled with 1) but it is negligible for most home users.
    echo "2" >$f/rp_filter
done

######################
# Setup IP firewalling
######################

# Default policies: drop whatever no rule accepts, let local traffic out
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT

# Create a common chain for the INPUT and FORWARD handling
# (-N fails harmlessly if the chain already exists from an earlier run)
iptables -N block 2>/dev/null
iptables -F block

# Allow traffic on established connections
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow new connections if not from the outside
# (older iptables versions wrote the negation as "-i ! ppp0")
iptables -A block -m state --state NEW ! -i ppp0 -j ACCEPT

# Allow new connections to our public services
# For home users there are normally none
# iptables -A block -m state --protocol tcp --state NEW --destination-port http -j ACCEPT

# Log anything else; the chain then ends and the DROP policy discards it
iptables -A block -j LOG

# Activate the new chain
iptables -A INPUT -j block
iptables -A FORWARD -j block

####################
# Setup Masquerading
####################

# Setup NAT for outgoing connections from the local network

### NB: This is disabled by default. If you want to use ###
### masquerading, just remove the "###" comment-markers ###
### from the lines below. ###

###iptables -t nat -F POSTROUTING
###iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

# NB: On Red Hat systems, this is controlled in /etc/sysctl.conf !
# You need to set net.ipv4.ip_forward=1 in this file, or the
# command below will have no effect.
###echo "1" >/proc/sys/net/ipv4/ip_forward

Joakim Recht (05-02-2001)
From: Joakim Recht

Date: 05-02-01 21:42

"Lars" <lars@linuxnet.dk> writes:

> Does anyone have a suggestion for what needs to be changed/fixed/added in
> the script below (from Henrik Størner) to allow access to an FTP server
> running on a machine behind the firewall?
> I've got a bit stuck on the syntax.
> Thanks in advance.
> /Lars
> #!/bin/sh
> #
> #
> # Henrik Størner, henrik@storner.dk
> #
> PATH=/bin:/sbin:/usr/bin:/usr/sbin
> #########################################
> # First setup some of the kernel features
> #########################################
> # Disable forwarding - this is for a standalone system.
> # (For masquerading, see below).
> echo "0" >/proc/sys/net/ipv4/ip_forward
> # Enable syn-cookies (syn-flooding attacks)
> echo "1" >/proc/sys/net/ipv4/tcp_syncookies
> # Disable ICMP echo-request to broadcast addresses (Smurf amplifier)
> echo "1" >/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
> # Shut off source-routing and enable IP spoof detection
> # It seems that this must be done for all network interfaces
> for f in /proc/sys/net/ipv4/conf/*; do
> # Drop all source-routed packets
> echo "0" >$f/accept_source_route
> # Enable source-address verification (anti spoofing).
> # The value 2 means use Ingress filtering as per RFC 1812.
> # Overhead is a little more than the simple routing check
> # (enabled with 1) but it negligible for most home users.
> echo "2" >$f/rp_filter
> done
> ######################
> # Setup IP firewalling
> ######################
> # Default policies
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT ACCEPT
> iptables -F INPUT
> iptables -F FORWARD
> iptables -F OUTPUT
> # Create a common chain for the INPUT and FORWARD handling
> iptables -N block
> iptables -F block
> # Allow traffic on established connections
> iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
> # Allow new connections if not from the outside
> iptables -A block -m state --state NEW -i ! ppp0 -j ACCEPT
> # Allow new connections to our public services
> # For home users there are normally none
> # iptables -A block -m state --protocol tcp --state NEW --destination-port http -j ACCEPT
> # Block anything else
> iptables -A block -j LOG
> # Activate the new chain
> iptables -A INPUT -j block
> iptables -A FORWARD -j block
In principle you just forward the ftp and ftp-data ports in to the local network,
but some ftpds can get a little unhappy about that (proftpd, for instance, *I believe*
needs allowforeignaddress on)... Anyway, port forwarding with iptables is done
with -j DNAT in the nat table:

iptables -t nat -A PREROUTING -p tcp -d eksternadresse --dport 21 -j DNAT --to-destination internadresse:21
iptables -t nat -A PREROUTING -p tcp -d eksternadresse --dport 20 -j DNAT --to-destination internadresse:20

Joakim Recht
Tlf. 20 85 54 77
Email god@cs.auc.dk
WWW http://www.braindump.dk / http://www.compuclub.dk
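Dropping the DNAT rule into Henrik Størner's script is not enough on its own: the script switches ip_forward off at the top, and its FORWARD chain only accepts NEW connections that do not arrive on ppp0, so the forwarded control connection would be logged and dropped. The script below is an added example, not code from the thread or from the original script. It collects everything the forwarding needs: forwarding enabled, the FTP connection-tracking and NAT helpers loaded (so the data channel, active or passive, is accepted as RELATED by the existing ESTABLISHED,RELATED rule instead of getting its own DNAT rule), the DNAT for port 21, a FORWARD rule inserted ahead of the jump to the block chain for the new control connections, and masquerading for the inside host. The interface name ppp0 comes from the script; the external address 203.0.113.10 and the FTP server 192.168.1.10 are assumed placeholders. On kernels from 4.7 onward the conntrack helper is no longer attached automatically, which is why the raw-table CT rule is included.

```shell
#!/bin/sh
# Added example (not from the original thread or Henrik Størner's script):
# the rules needed so that an FTP server on an inside host is reachable
# through a firewall built like the script above.
#
# Assumed values (hypothetical, override via the environment):
#   EXT_IF    external interface (ppp0 in the script above)
#   EXT_ADDR  the firewall's public address
#   FTP_HOST  the internal FTP server
# Without an argument the script only prints the commands; "apply" runs them.

EXT_IF="${EXT_IF:-ppp0}"
EXT_ADDR="${EXT_ADDR:-203.0.113.10}"
FTP_HOST="${FTP_HOST:-192.168.1.10}"

# Print every command needed, one per line, in the order they must run.
# Arguments: external interface, external address, internal FTP host.
#
# 1. nf_conntrack_ftp parses PORT/PASV so data connections become RELATED;
#    nf_nat_ftp rewrites the addresses inside PASV replies through the NAT.
# 2. The original script writes 0 to ip_forward, so it is turned back on.
# 3. Since kernel 4.7 helpers are not assigned automatically; the CT target
#    in the raw table attaches the ftp helper to port-21 connections.
# 4. DNAT the control connection to the inside host.
# 5. The script's block chain drops NEW connections from the outside, so a
#    NEW rule for the forwarded control connection is inserted before the
#    jump to block. The data channel is RELATED and already accepted.
# 6. Masquerade the inside host's outbound traffic (the script leaves this
#    commented out by default).
ftp_forward_rules() {
    ext_if=$1
    ext_addr=$2
    ftp_host=$3
    cat <<EOF
modprobe nf_conntrack_ftp
modprobe nf_nat_ftp
sysctl -w net.ipv4.ip_forward=1
iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
iptables -t nat -A PREROUTING -i $ext_if -p tcp -d $ext_addr --dport 21 -j DNAT --to-destination $ftp_host:21
iptables -I FORWARD 1 -i $ext_if -p tcp -d $ftp_host --dport 21 -m conntrack --ctstate NEW -j ACCEPT
iptables -t nat -A POSTROUTING -o $ext_if -j MASQUERADE
EOF
}

# "apply" executes each command (needs root); anything else is a dry run.
if [ "${1:-}" = apply ]; then
    ftp_forward_rules "$EXT_IF" "$EXT_ADDR" "$FTP_HOST" | while IFS= read -r cmd; do
        echo "+ $cmd"
        eval "$cmd" || { echo "failed: $cmd" >&2; exit 1; }
    done
else
    ftp_forward_rules "$EXT_IF" "$EXT_ADDR" "$FTP_HOST"
fi
```

Run it without arguments to review the commands, and as root with `apply` to execute them after the original script has been run, since the FORWARD rule is inserted in front of the existing jump to block. The `sysctl -w` line does at runtime what the script's commented-out `echo "1" >/proc/sys/net/ipv4/ip_forward` does; on Red Hat systems the script's note about /etc/sysctl.conf still applies for the setting to survive a reboot.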
