|
|
 | Dhcp og ipchains
Fra : Kenneth Møller |
Dato : 04-10-01 08:33 |
|
Hej
Jeg har et lille problem , jeg har en redhat 7.1 maskine kørende ,der
fungere som dhcp server, men jeg kan ikke få den til at køre når jeg har
startet ipchains!
Det er sikkert en lille fejl , men jeg håber der er nogle der kan hjælpe
mig!
#!/bin/sh
# -------------------------------------------------------------------------
#
#
# FIREWALL
#
# Sti : /etc/sysconfig
# Filnavn : ipchains
# Backup : ipchains-backup
#
#
# VIGTIGT : Denne fil er lavet manuelt ,så brug ikke firewall
# opstætnings værktøjet i GNOME. Da denne Firewall
# vil blive slettet, og dermed alle reglerne!
#
#
# Netkort : eth0 ekstern (internet)
# ip: 195.249.XX.XX
#
# eth1 intern (lokal netværk)
# ip: 192.168.2.197
#
# Opbygning :
# Fra internettet er der adgang til : www (port 80)
# smtp (port 25)
#
# Fra lokal nettet er der adgang til : www (port 80)
# smtp (port 25)
# telnet (port 23)
# pop3 (port 110)
# ftp (port 21)
#
#
# Ipchains starts automatisk ved start op!
# Men hvis det skal gøres manuelt gøres det sådanne:
#
# start : service ipchains start
# stop : service ipchains stop
#
#
#
#
#
#---------------------------------------------------------------------------
-
#------------------------------------------------------------------
#
# flush'er alle regler ()
#
#------------------------------------------------------------------
-F
#------------------------------------------------------------------
#
# sætter alle input, output og forward til afvis
#
#------------------------------------------------------------------
-P input DENY
-P output REJECT
-P forward DENY
#------------------------------------------------------------------
#
# acceptere al trafik på loopback interface
#
#------------------------------------------------------------------
-A input -i lo -j ACCEPT
-A output -i lo -j ACCEPT
#------------------------------------------------------------------
#
# alle maskiner på lokal netværket har adgang til denne computer
#
#------------------------------------------------------------------
-A input -i eth1 -s 192.168.2.197/24 -j ACCEPT
-A output -i eth1 -d 192.168.2.197/24 -j ACCEPT
-A forward -i eth0 -s 192.168.2.197/24 -j MASQ
-A input -i eth1 -d 255.255.255.255 -j ACCEPT
#------------------------------------------------------------------
#
# SPOOFING AND BAD ADRESSES
#
#
#
#------------------------------------------------------------------
#------------------------------------------------------------------
#
# afviser ingående pakker som giver sig ud
# for at være fra en Eksten adresse
#
#------------------------------------------------------------------
-A input -i eth0 -s 195.249.xx.xxx -j DENY -l
#------------------------------------------------------------------
#
# afviser indgående pakker som giver sig ud
# for at være a class A;B or C private netværk
#
#------------------------------------------------------------------
-A input -i eth0 -s 10.0.0.0/8 -j DENY
-A input -i eth0 -s 172.16.0.0/12 -j DENY
-A input -i eth0 -s 192.168.2.2/16 -j DENY
#------------------------------------------------------------------
#
# afviser broadcast til 255.255.255.255 og fra ip adresse 0.0.0.0
#
#------------------------------------------------------------------
-A input -i eth0 -s 255.255.255.255 -j DENY -l
-A input -i eth0 -d 0.0.0.0 -j DENY -l
#------------------------------------------------------------------
#
# Afviser Class d multicast .Multicast er illegal som kilde adresse!
#
#------------------------------------------------------------------
-A input -i eth0 -s 224.0.0.0/4 -j DENY
#------------------------------------------------------------------
#
# Afviser Class E reservert ip adresser
#
#------------------------------------------------------------------
-A input -i eth0 -s 240.0.0.0/5 -j DENY -l
#------------------------------------------------------------------
#
# Afviser adresser som er difinert som reseveret af IANA
#
#------------------------------------------------------------------
-A input -i eth0 -s 0.0.0.0/8 -j DENY -l
-A input -i eth0 -s 127.0.0.0/8 -j DENY -l
-A input -i eth0 -s 169.254.0.0/16 -j DENY -l
-A input -i eth0 -s 192.0.2.0/24 -j DENY -l
-A input -i eth0 -s 224.0.0.0/3 -j DENY -l
#------------------------------------------------------------------
#
# UDP INCOMING TRACEROUTE
#
#------------------------------------------------------------------
# traceroute usually uses -S 32769:65535 -D 33434:33523
-A input -i eth0 -p udp \
--source-port 32769:65535 \
--destination-port 33434:33523 -j DENY -l
#-----------------------------------------------------------------
#
# DNS client (53)
#
#-----------------------------------------------------------------
-A output -i eth0 -p udp \
-s 195.249.xx.xxx 1024:65535 \
-d 193.162.159.194 53 -j ACCEPT
-A input -i eth0 -p udp \
-s 193.162.159.194 53 \
-d 195.249.xx.xxx 1024:65535 -j ACCEPT
-A output -i eth0 -p tcp \
-s 195.249.xx.xxx 1024:65535 \
-d 193.162.159.194 53 -j ACCEPT
-A input -i eth0 -p tcp ! -y \
-s 193.162.159.194 53 \
-d 195.249.xx.xxx 1024:65535 -j ACCEPT
-A output -i eth0 -p udp \
-s 195.249.xx.xxx 1024:65535 \
-d 193.168.145.130 53 -j ACCEPT
-A input -i eth0 -p udp \
-s 193.168.145.130 53 \
-d 195.249.xx.xxx 1024:65535 -j ACCEPT
-A output -i eth0 -p tcp \
-s 195.249.xx.xxx 1024:65535 \
-d 193.168.145.130 53 -j ACCEPT
-A input -i eth0 -p tcp ! -y \
-s 193.168.145.130 53 \
-d 195.249.xx.xxx 1024:65535 -j ACCEPT
#------------------------------------------------------------------
#
# port 67 & 68 DHCPD
#
#------------------------------------------------------------------
-A input -i eth1 -p tcp -d 192.168.2.197:68 -j ACCEPT
-A output -i eth1 -p tcp -s 192.168.2.197:68 -j ACCEPT
-A input -i eth1 -p udp -d 192.168.2.197:68 -j ACCEPT
-A output -i eth1 -p udp -s 192.168.2.197:68 -j ACCEPT
-A input -i eth1 -p tcp -d 192.168.2.197:67 -j ACCEPT
-A output -i eth1 -p tcp -s 192.168.2.197:67 -j ACCEPT
-A input -i eth1 -p udp -d 192.168.2.197:67 -j ACCEPT
-A output -i eth1 -p udp -s 192.168.2.197:67 -j ACCEPT
#-A input -i eth1 -p tcp \
# --source-port 1024:65535 \
# -d 192.168.2.197 68 -j ACCEPT
# -A output -i eth1 -p tcp ! -y \
# -s 192.168.2.197 68 \
# --destination-port 1024:65535 -j ACCEPT
#-A input -s 0.0.0.0/0 68 -d 255.255.255.255 67 -j ACCEPT
#-A input -s 192.168.2.197 67 -d 255.255.255.255 68 -j ACCEPT
# ------------------------------------------------------------------
#
# HTTP server (80)
#
# ------------------------------------------------------------------
-A input -i eth0 -p tcp \
--source-port 1024:65535 \
-d 195.249.xx.xxx 80 -j ACCEPT
-A output -i eth0 -p tcp ! -y \
-s 195.249.xx.xxx 80 \
--destination-port 1024:65535 -j ACCEPT
# ------------------------------------------------------------------
#
# HTTP client (80)
#
# ------------------------------------------------------------------
-A output -i eth0 -p tcp \
-s 195.249.xx.xxx 1024:65535 \
--destination-port 80 -j ACCEPT
-A input -i eth0 -p tcp ! -y \
--source-port 80 \
-d 195.249.xx.xxx 1024:65535 -j ACCEPT
# ------------------------------------------------------------------
#
# HTTPS client (443)
#
# ------------------------------------------------------------------
-A output -i eth0 -p tcp \
-s 195.249.xx.xxx 1024:65535 \
--destination-port 443 -j ACCEPT
-A input -i eth0 -p tcp ! -y \
--source-port 443 \
-d 195.249.xx.xxx 1024:65535 -j ACCEPT
# ------------------------------------------------------------------
#
# POP server (110) fra ekstern eth0
#
# ------------------------------------------------------------------
# hvis man skal kunne check post fra internette skal de næste
# linier aktiveres
# -A input -i eth0 -p tcp \
# --source-port 1024:65535 \
# -d 195.249.xx.xxx 110 -j ACCEPT
#
# -A output -i eth0 -p tcp ! -y \
# -s 195.249.xx.xxx 110 \
# --destination-port 1024:65535 -j ACCEPT
#--------------------------------------------------------------------
#
# POP server (110) fra intern eth1
#
#--------------------------------------------------- ----------------
-A input -i eth1 -p tcp \
--source-port 1024:65535 \
-d 192.168.2.197 110 -j ACCEPT
-A output -i eth1 -p tcp ! -y \
-s 192.168.2.197 110 \
--destination-port 1024:65535 -j ACCEPT
# ------------------------------------------------------------------
#
# SMTP server (25) fra ekstern eth0
#
#-------------------------------------------------------------------
-A input -i eth0 -p tcp \
--source-port 25 \
-d 195.249.xx.xxx -j ACCEPT
-A output -i eth0 -p tcp \
-s 195.249.xx.xxx 1024:65535 \
--destination-port 25 -j ACCEPT
-A input -i eth0 -p tcp \
--source-port 1024:65535 \
-d 195.249.xx.xxx 25 -j ACCEPT
-A output -i eth0 -p tcp ! -y \
-s 195.249.xx.xxx 25 \
--destination-port 1024:65535 -j ACCEPT
#--------------------------------------------------------------------
#
# SMTP server (25) fra intern eth1
#
#--------------------------------------------------------------------
-A input -i eth1 -p tcp \
--source-port 1024:65535 \
-d 0/0 25 -j ACCEPT
-A output -i eth1 -p tcp ! -y \
-s 0/0 25 \
--destination-port 1:65535 -j ACCEPT
# ------------------------------------------------------------------
#
# TELNET server (23) KUN FRA INTERN eth1
#
#-------------------------------------------------------------------
-A input -p tcp \
--source-port 1024:65535 \
-d 192.168.2.197 23 -j ACCEPT
-A output -p tcp ! -y \
-s 192.168.2.197 23 \
--destination-port 1024:65535 -j ACCEPT
# ------------------------------------------------------------------
#
# AUTH server (113)
#
# ------------------------------------------------------------------
# Reject, rather than deny, the incoming auth port. (NET-3-HOWTO)
-A input -i eth0 -p tcp \
--source-port 1024:65535 \
-d 195.249.xx.xxx 113 -j REJECT
# ------------------------------------------------------------------
#
# AUTH client (113)
#
# ------------------------------------------------------------------
#-A output -i eth0 -p tcp -s 195.249.xx.xxx 1024:65535 -d 0/0 113 -j ACCEPT
-A output -i eth0 -p tcp \
-s 195.249.xx.xxx 1024:65535 \
--destination-port 113 -j ACCEPT
-A input -i eth0 -p tcp ! -y \
--source-port 113 \
-d 195.249.xx.xxx 1024:65535 -j ACCEPT
#-------------------------------------------------------------------
#
# WHO IS client (43)
#
#-------------------------------------------------------------------
-A output -i eth0 -p tcp \
-s 195.249.xx.xxx 1024:65535 \
--destination-port 43 -j ACCEPT
-A input -i eth0 -p tcp ! -y \
--source-port 43 \
-d 195.249.xx.xxx 1024:65535 -j ACCEPT
# ------------------------------------------------------------------
#
# FTP server (21) KUN FRA INTERN NETVÆRK
#
# ------------------------------------------------------------------
# indgående
-A input -i eth1 -p tcp \
--source-port 1024:65535 \
-d 195.249.xx.xxx 21 -j ACCEPT
-A output -p tcp ! -y \
-i eth1 -s 195.249.xx.xxx 21 \
--destination-port 1024:65535 -j ACCEPT
# PORT MODE data channel responses
-A output -p tcp \
-i eth1 -s 195.249.xx.xxx 20 \
--destination-port 1024:65535 -j ACCEPT
-A input -i eth1 -p tcp ! -y \
--source-port 1024:65535 \
-d 195.249.xx.xxx 20 -j ACCEPT
#---------------------------------------------------------------------------
--
#
# TRACE ROUTE
#
#---------------------------------------------------------------------------
--
-A output -i eth0 -p udp \
-s 195.249.xx.xxx 32769:65535 \
--destination-port 33434:33523 -j ACCEPT -l
# --------------------------------------------------------------------------
--
#
# ICMP
#
#---------------------------------------------------------------------------
--
# To prevent denial of service attacks based on ICMP bombs, filter
# incoming Redirect (5) and outgoing Destination Unreachable (3).
# Note, however, disabling Destination Unreachable (3) is not
# advisable, as it is used to negotiate packet fragment size.
# For bi-directional ping.
# Message Types: Echo_Reply (0), Echo_Request (8)
# To prevent attacks, limit the src addresses to your ISP range.
#
# For outgoing traceroute.
# Message Types: INCOMING Dest_Unreachable (3), Time_Exceeded (11)
# default UDP base: 33434 to base+nhops-1
#
# For incoming traceroute.
# Message Types: OUTGOING Dest_Unreachable (3), Time_Exceeded (11)
# To block this, deny OUTGOING 3 and 11
# 0: echo-reply (pong)
# 3: destination-unreachable, port-unreachable, fragmentation-needed,
etc.
# 4: source-quench
# 5: redirect
# 8: echo-request (ping)
# 11: time-exceeded
# 12: parameter-problem
-A input -i eth0 -p icmp \
--icmp-type echo-reply \
-d 195.249.xx.xxx -j ACCEPT
-A input -i eth0 -p icmp \
--icmp-type destination-unreachable \
-d 195.249.xx.xxx -j ACCEPT
-A input -i eth0 -p icmp \
--icmp-type source-quench \
-d 195.249.xx.xxx -j ACCEPT
-A input -i eth0 -p icmp \
--icmp-type time-exceeded \
-d 195.249.xx.xxx -j ACCEPT
-A input -i eth0 -p icmp \
--icmp-type parameter-problem \
-d 195.249.xx.xxx -j ACCEPT
-A output -i eth0 -p icmp \
-s 195.249.xx.xxx fragmentation-needed -j ACCEPT
-A output -i eth0 -p icmp \
-s 195.249.xx.xxx source-quench -j ACCEPT
-A output -i eth0 -p icmp \
-s 195.249.xx.xxx echo-request -j ACCEPT
-A output -i eth0 -p icmp \
-s 195.249.xx.xxx parameter-problem -j ACCEPT
# ------------------------------------------------------------------
#
# Enable logging for selected denied packets
#
# ------------------------------------------------------------------
-A input -i eth0 -p tcp -j DENY -l
-A input -i eth0 -p udp \
--destination-port 0:1023 -j DENY -l
-A input -i eth0 -p udp \
--destination-port 1024:65535 -j DENY -l
-A input -i eth0 -p icmp \
--icmp-type 5 -j DENY -l
-A input -i eth0 -p icmp \
--icmp-type 13:255 -j DENY -l
-A output -i eth0 -j REJECT -l
# ------------------------------------------------------------------
#
# SLUT
#
# ------------------------------------------------------------------
| |
 Mikkel Bundgaard (04-10-2001)
| Kommentar
Fra : Mikkel Bundgaard |
Dato : 04-10-01 10:59 |
|
Prøv at sætte dine DHCP accept regler før alle din deny regler i dit
script. Så skulle det gerne virke. Det er nok fordi en af dine deny
regler fanger dit dhcp request inden og når derfor ikke til dhcp reglen.
MVH Mikkel Bundgaard
Kenneth Møller wrote:
> Hej
>
> Jeg har et lille problem , jeg har en redhat 7.1 maskine kørende ,der
> fungere som dhcp server, men jeg kan ikke få den til at køre når jeg har
> startet ipchains!
>
> Det er sikkert en lille fejl , men jeg håber der er nogle der kan hjælpe
> mig!
>
>
> #!/bin/sh
>
> # -------------------------------------------------------------------------
> #
> #
> # FIREWALL
> #
> # Sti : /etc/sysconfig
> # Filnavn : ipchains
> # Backup : ipchains-backup
> #
> #
> # VIGTIGT : Denne fil er lavet manuelt ,så brug ikke firewall
> # opstætnings værktøjet i GNOME. Da denne Firewall
> # vil blive slettet, og dermed alle reglerne!
> #
> #
> # Netkort : eth0 ekstern (internet)
> # ip: 195.249.XX.XX
> #
> # eth1 intern (lokal netværk)
> # ip: 192.168.2.197
> #
> # Opbygning :
> # Fra internettet er der adgang til : www (port 80)
> # smtp (port 25)
> #
> # Fra lokal nettet er der adgang til : www (port 80)
> # smtp (port 25)
> # telnet (port 23)
> # pop3 (port 110)
> # ftp (port 21)
> #
> #
> # Ipchains starts automatisk ved start op!
> # Men hvis det skal gøres manuelt gøres det sådanne:
> #
> # start : service ipchains start
> # stop : service ipchains stop
> #
> #
> #
> #
> #
> #---------------------------------------------------------------------------
> -
>
>
>
>
> #------------------------------------------------------------------
> #
> # flush'er alle regler ()
> #
> #------------------------------------------------------------------
>
> -F
>
>
> #------------------------------------------------------------------
> #
> # sætter alle input, output og forward til afvis
> #
> #------------------------------------------------------------------
>
>
> -P input DENY
> -P output REJECT
> -P forward DENY
>
>
> #------------------------------------------------------------------
> #
> # acceptere al trafik på loopback interface
> #
> #------------------------------------------------------------------
>
>
> -A input -i lo -j ACCEPT
> -A output -i lo -j ACCEPT
>
>
> #------------------------------------------------------------------
> #
> # alle maskiner på lokal netværket har adgang til denne computer
> #
> #------------------------------------------------------------------
>
>
> -A input -i eth1 -s 192.168.2.197/24 -j ACCEPT
>
> -A output -i eth1 -d 192.168.2.197/24 -j ACCEPT
>
> -A forward -i eth0 -s 192.168.2.197/24 -j MASQ
>
> -A input -i eth1 -d 255.255.255.255 -j ACCEPT
>
> #------------------------------------------------------------------
> #
> # SPOOFING AND BAD ADRESSES
> #
> #
> #
> #------------------------------------------------------------------
>
>
> #------------------------------------------------------------------
> #
> # afviser ingående pakker som giver sig ud
> # for at være fra en Eksten adresse
> #
> #------------------------------------------------------------------
>
>
> -A input -i eth0 -s 195.249.xx.xxx -j DENY -l
>
>
>
> #------------------------------------------------------------------
> #
> # afviser indgående pakker som giver sig ud
> # for at være a class A;B or C private netværk
> #
> #------------------------------------------------------------------
>
>
> -A input -i eth0 -s 10.0.0.0/8 -j DENY
> -A input -i eth0 -s 172.16.0.0/12 -j DENY
> -A input -i eth0 -s 192.168.2.2/16 -j DENY
>
>
>
> #------------------------------------------------------------------
> #
> # afviser broadcast til 255.255.255.255 og fra ip adresse 0.0.0.0
> #
> #------------------------------------------------------------------
>
>
> -A input -i eth0 -s 255.255.255.255 -j DENY -l
> -A input -i eth0 -d 0.0.0.0 -j DENY -l
>
>
>
> #------------------------------------------------------------------
> #
> # Afviser Class d multicast .Multicast er illegal som kilde adresse!
> #
> #------------------------------------------------------------------
>
>
> -A input -i eth0 -s 224.0.0.0/4 -j DENY
>
>
> #------------------------------------------------------------------
> #
> # Afviser Class E reservert ip adresser
> #
> #------------------------------------------------------------------
>
>
> -A input -i eth0 -s 240.0.0.0/5 -j DENY -l
>
>
> #------------------------------------------------------------------
> #
> # Afviser adresser som er difinert som reseveret af IANA
> #
> #------------------------------------------------------------------
>
>
> -A input -i eth0 -s 0.0.0.0/8 -j DENY -l
> -A input -i eth0 -s 127.0.0.0/8 -j DENY -l
> -A input -i eth0 -s 169.254.0.0/16 -j DENY -l
> -A input -i eth0 -s 192.0.2.0/24 -j DENY -l
> -A input -i eth0 -s 224.0.0.0/3 -j DENY -l
>
>
> #------------------------------------------------------------------
> #
> # UDP INCOMING TRACEROUTE
> #
> #------------------------------------------------------------------
>
> # traceroute usually uses -S 32769:65535 -D 33434:33523
>
>
> -A input -i eth0 -p udp \
> --source-port 32769:65535 \
> --destination-port 33434:33523 -j DENY -l
>
>
> #-----------------------------------------------------------------
> #
> # DNS client (53)
> #
> #-----------------------------------------------------------------
>
>
> -A output -i eth0 -p udp \
> -s 195.249.xx.xxx 1024:65535 \
> -d 193.162.159.194 53 -j ACCEPT
>
>
> -A input -i eth0 -p udp \
> -s 193.162.159.194 53 \
> -d 195.249.xx.xxx 1024:65535 -j ACCEPT
>
>
> -A output -i eth0 -p tcp \
> -s 195.249.xx.xxx 1024:65535 \
> -d 193.162.159.194 53 -j ACCEPT
>
>
> -A input -i eth0 -p tcp ! -y \
> -s 193.162.159.194 53 \
> -d 195.249.xx.xxx 1024:65535 -j ACCEPT
>
>
> -A output -i eth0 -p udp \
> -s 195.249.xx.xxx 1024:65535 \
> -d 193.168.145.130 53 -j ACCEPT
>
>
> -A input -i eth0 -p udp \
> -s 193.168.145.130 53 \
> -d 195.249.xx.xxx 1024:65535 -j ACCEPT
>
>
> -A output -i eth0 -p tcp \
> -s 195.249.xx.xxx 1024:65535 \
> -d 193.168.145.130 53 -j ACCEPT
>
>
> -A input -i eth0 -p tcp ! -y \
> -s 193.168.145.130 53 \
> -d 195.249.xx.xxx 1024:65535 -j ACCEPT
>
> #------------------------------------------------------------------
> #
> # port 67 & 68 DHCPD
> #
> #------------------------------------------------------------------
>
>
> -A input -i eth1 -p tcp -d 192.168.2.197:68 -j ACCEPT
>
> -A output -i eth1 -p tcp -s 192.168.2.197:68 -j ACCEPT
>
> -A input -i eth1 -p udp -d 192.168.2.197:68 -j ACCEPT
>
> -A output -i eth1 -p udp -s 192.168.2.197:68 -j ACCEPT
>
>
>
> -A input -i eth1 -p tcp -d 192.168.2.197:67 -j ACCEPT
>
> -A output -i eth1 -p tcp -s 192.168.2.197:67 -j ACCEPT
>
> -A input -i eth1 -p udp -d 192.168.2.197:67 -j ACCEPT
> -A output -i eth1 -p udp -s 192.168.2.197:67 -j ACCEPT
>
>
>
> #-A input -i eth1 -p tcp \
> # --source-port 1024:65535 \
> # -d 192.168.2.197 68 -j ACCEPT
>
> # -A output -i eth1 -p tcp ! -y \
> # -s 192.168.2.197 68 \
> # --destination-port 1024:65535 -j ACCEPT
>
> #-A input -s 0.0.0.0/0 68 -d 255.255.255.255 67 -j ACCEPT
> #-A input -s 192.168.2.197 67 -d 255.255.255.255 68 -j ACCEPT
>
>
>
>
>
>
>
>
>
> # ------------------------------------------------------------------
> #
> # HTTP server (80)
> #
> # ------------------------------------------------------------------
>
>
> -A input -i eth0 -p tcp \
> --source-port 1024:65535 \
> -d 195.249.xx.xxx 80 -j ACCEPT
>
>
> -A output -i eth0 -p tcp ! -y \
> -s 195.249.xx.xxx 80 \
> --destination-port 1024:65535 -j ACCEPT
>
>
> # ------------------------------------------------------------------
> #
> # HTTP client (80)
> #
> # ------------------------------------------------------------------
>
>
> -A output -i eth0 -p tcp \
> -s 195.249.xx.xxx 1024:65535 \
> --destination-port 80 -j ACCEPT
>
> -A input -i eth0 -p tcp ! -y \
> --source-port 80 \
> -d 195.249.xx.xxx 1024:65535 -j ACCEPT
>
>
> # ------------------------------------------------------------------
> #
> # HTTPS client (443)
> #
> # ------------------------------------------------------------------
>
>
> -A output -i eth0 -p tcp \
> -s 195.249.xx.xxx 1024:65535 \
> --destination-port 443 -j ACCEPT
>
>
> -A input -i eth0 -p tcp ! -y \
> --source-port 443 \
> -d 195.249.xx.xxx 1024:65535 -j ACCEPT
>
>
> # ------------------------------------------------------------------
> #
> # POP server (110) fra ekstern eth0
> #
> # ------------------------------------------------------------------
>
> # hvis man skal kunne check post fra internette skal de næste
> # linier aktiveres
>
> # -A input -i eth0 -p tcp \
> # --source-port 1024:65535 \
> # -d 195.249.xx.xxx 110 -j ACCEPT
> #
> # -A output -i eth0 -p tcp ! -y \
> # -s 195.249.xx.xxx 110 \
> # --destination-port 1024:65535 -j ACCEPT
>
>
> #--------------------------------------------------------------------
> #
> # POP server (110) fra intern eth1
> #
> #--------------------------------------------------- ----------------
>
>
> -A input -i eth1 -p tcp \
> --source-port 1024:65535 \
> -d 192.168.2.197 110 -j ACCEPT
>
> -A output -i eth1 -p tcp ! -y \
> -s 192.168.2.197 110 \
> --destination-port 1024:65535 -j ACCEPT
>
>
> # ------------------------------------------------------------------
> #
> # SMTP server (25) fra ekstern eth0
> #
> #-------------------------------------------------------------------
>
>
> -A input -i eth0 -p tcp \
> --source-port 25 \
> -d 195.249.xx.xxx -j ACCEPT
>
>
> -A output -i eth0 -p tcp \
> -s 195.249.xx.xxx 1024:65535 \
> --destination-port 25 -j ACCEPT
>
>
> -A input -i eth0 -p tcp \
> --source-port 1024:65535 \
> -d 195.249.xx.xxx 25 -j ACCEPT
>
>
> -A output -i eth0 -p tcp ! -y \
> -s 195.249.xx.xxx 25 \
> --destination-port 1024:65535 -j ACCEPT
>
>
> #--------------------------------------------------------------------
> #
> # SMTP server (25) fra intern eth1
> #
> #--------------------------------------------------------------------
>
>
> -A input -i eth1 -p tcp \
> --source-port 1024:65535 \
> -d 0/0 25 -j ACCEPT
>
>
> -A output -i eth1 -p tcp ! -y \
> -s 0/0 25 \
> --destination-port 1:65535 -j ACCEPT
>
>
> # ------------------------------------------------------------------
> #
> # TELNET server (23) KUN FRA INTERN eth1
> #
> #-------------------------------------------------------------------
>
>
> -A input -p tcp \
> --source-port 1024:65535 \
> -d 192.168.2.197 23 -j ACCEPT
>
>
> -A output -p tcp ! -y \
> -s 192.168.2.197 23 \
> --destination-port 1024:65535 -j ACCEPT
>
>
> # ------------------------------------------------------------------
> #
> # AUTH server (113)
> #
> # ------------------------------------------------------------------
>
> # Reject, rather than deny, the incoming auth port. (NET-3-HOWTO)
>
>
> -A input -i eth0 -p tcp \
> --source-port 1024:65535 \
> -d 195.249.xx.xxx 113 -j REJECT
>
>
>
> # ------------------------------------------------------------------
> #
> # AUTH client (113)
> #
> # ------------------------------------------------------------------
>
> #-A output -i eth0 -p tcp -s 195.249.xx.xxx 1024:65535 -d 0/0 113 -j ACCEPT
>
> -A output -i eth0 -p tcp \
> -s 195.249.xx.xxx 1024:65535 \
> --destination-port 113 -j ACCEPT
>
> -A input -i eth0 -p tcp ! -y \
> --source-port 113 \
> -d 195.249.xx.xxx 1024:65535 -j ACCEPT
>
>
>
> #-------------------------------------------------------------------
> #
> # WHO IS client (43)
> #
> #-------------------------------------------------------------------
>
>
> -A output -i eth0 -p tcp \
> -s 195.249.xx.xxx 1024:65535 \
> --destination-port 43 -j ACCEPT
>
>
> -A input -i eth0 -p tcp ! -y \
> --source-port 43 \
> -d 195.249.xx.xxx 1024:65535 -j ACCEPT
>
>
> # ------------------------------------------------------------------
> #
> # FTP server (21) KUN FRA INTERN NETVÆRK
> #
> # ------------------------------------------------------------------
>
> # indgående
>
> -A input -i eth1 -p tcp \
> --source-port 1024:65535 \
> -d 195.249.xx.xxx 21 -j ACCEPT
>
> -A output -p tcp ! -y \
> -i eth1 -s 195.249.xx.xxx 21 \
> --destination-port 1024:65535 -j ACCEPT
>
>
> # PORT MODE data channel responses
>
>
> -A output -p tcp \
> -i eth1 -s 195.249.xx.xxx 20 \
> --destination-port 1024:65535 -j ACCEPT
>
>
> -A input -i eth1 -p tcp ! -y \
> --source-port 1024:65535 \
> -d 195.249.xx.xxx 20 -j ACCEPT
>
>
> #---------------------------------------------------------------------------
> --
> #
> # TRACE ROUTE
> #
> #---------------------------------------------------------------------------
> --
>
>
> -A output -i eth0 -p udp \
> -s 195.249.xx.xxx 32769:65535 \
> --destination-port 33434:33523 -j ACCEPT -l
>
>
> # --------------------------------------------------------------------------
> --
> #
> # ICMP
> #
> #---------------------------------------------------------------------------
> --
>
> # To prevent denial of service attacks based on ICMP bombs, filter
> # incoming Redirect (5) and outgoing Destination Unreachable (3).
> # Note, however, disabling Destination Unreachable (3) is not
> # advisable, as it is used to negotiate packet fragment size.
>
> # For bi-directional ping.
> # Message Types: Echo_Reply (0), Echo_Request (8)
> # To prevent attacks, limit the src addresses to your ISP range.
> #
> # For outgoing traceroute.
> # Message Types: INCOMING Dest_Unreachable (3), Time_Exceeded (11)
> # default UDP base: 33434 to base+nhops-1
> #
> # For incoming traceroute.
> # Message Types: OUTGOING Dest_Unreachable (3), Time_Exceeded (11)
> # To block this, deny OUTGOING 3 and 11
>
> # 0: echo-reply (pong)
> # 3: destination-unreachable, port-unreachable, fragmentation-needed,
> etc.
> # 4: source-quench
> # 5: redirect
> # 8: echo-request (ping)
> # 11: time-exceeded
> # 12: parameter-problem
>
>
> -A input -i eth0 -p icmp \
> --icmp-type echo-reply \
> -d 195.249.xx.xxx -j ACCEPT
>
>
> -A input -i eth0 -p icmp \
> --icmp-type destination-unreachable \
> -d 195.249.xx.xxx -j ACCEPT
>
>
> -A input -i eth0 -p icmp \
> --icmp-type source-quench \
> -d 195.249.xx.xxx -j ACCEPT
>
>
> -A input -i eth0 -p icmp \
> --icmp-type time-exceeded \
> -d 195.249.xx.xxx -j ACCEPT
>
>
> -A input -i eth0 -p icmp \
> --icmp-type parameter-problem \
> -d 195.249.xx.xxx -j ACCEPT
>
>
> -A output -i eth0 -p icmp \
> -s 195.249.xx.xxx fragmentation-needed -j ACCEPT
>
>
> -A output -i eth0 -p icmp \
> -s 195.249.xx.xxx source-quench -j ACCEPT
>
>
> -A output -i eth0 -p icmp \
> -s 195.249.xx.xxx echo-request -j ACCEPT
>
>
> -A output -i eth0 -p icmp \
> -s 195.249.xx.xxx parameter-problem -j ACCEPT
>
>
> # ------------------------------------------------------------------
> #
> # Enable logging for selected denied packets
> #
> # ------------------------------------------------------------------
>
>
> -A input -i eth0 -p tcp -j DENY -l
>
>
> -A input -i eth0 -p udp \
> --destination-port 0:1023 -j DENY -l
>
>
> -A input -i eth0 -p udp \
> --destination-port 1024:65535 -j DENY -l
>
>
> -A input -i eth0 -p icmp \
> --icmp-type 5 -j DENY -l
>
>
> -A input -i eth0 -p icmp \
> --icmp-type 13:255 -j DENY -l
>
>
> -A output -i eth0 -j REJECT -l
>
>
>
> # ------------------------------------------------------------------
> #
> # SLUT
> #
> # ------------------------------------------------------------------
>
>
>
>
>
>
>
| |
|
|