Читаем Iptables Tutorial 1.1.19 полностью

Iptables Tutorial 1.1.19

Oskar Andreasson

$IPTABLES -A bad_tcp_packets -p tcp ! –syn -m state –state NEW -j LOG \

–log-prefix «New not syn:»

$IPTABLES -A bad_tcp_packets -p tcp ! –syn -m state –state NEW -j DROP

# allowed chain

$IPTABLES -A allowed -p TCP –syn -j ACCEPT

$IPTABLES -A allowed -p TCP -m state –state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A allowed -p TCP -j DROP

# TCP rules

$IPTABLES -A tcp_packets -p TCP -s 0/0 –dport 21 -j allowed

$IPTABLES -A tcp_packets -p TCP -s 0/0 –dport 22 -j allowed

$IPTABLES -A tcp_packets -p TCP -s 0/0 –dport 80 -j allowed

$IPTABLES -A tcp_packets -p TCP -s 0/0 –dport 113 -j allowed

# UDP ports

#$IPTABLES -A udp_packets -p UDP -s 0/0 –source-port 53 -j ACCEPT

#$IPTABLES -A udp_packets -p UDP -s 0/0 –source-port 123 -j ACCEPT

$IPTABLES -A udp_packets -p UDP -s 0/0 –source-port 2074 -j ACCEPT

$IPTABLES -A udp_packets -p UDP -s 0/0 –source-port 4000 -j ACCEPT

# In Microsoft Networks you will be swamped by broadcasts. These lines

# will prevent them from showing up in the logs.

#$IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d $INET_BROADCAST \

#–destination-port 135:139 -j DROP

# If we get DHCP requests from the Outside of our network, our logs will

# be swamped as well. This rule will block them from getting logged.

#$IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d 255.255.255.255 \

#–destination-port 67:68 -j DROP

# ICMP rules

$IPTABLES -A icmp_packets -p ICMP -s 0/0 –icmp-type 8 -j ACCEPT

$IPTABLES -A icmp_packets -p ICMP -s 0/0 –icmp-type 11 -j ACCEPT

# 4.1.4 INPUT chain

# Bad TCP packets we don't want.

$IPTABLES -A INPUT -p tcp -j bad_tcp_packets

# Rules for special networks not part of the Internet

$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT

$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT

$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT

# Rules for incoming packets from anywhere.

$IPTABLES -A INPUT -p ALL -d $INET_IP -m state –state ESTABLISHED,RELATED \

–j ACCEPT

$IPTABLES -A INPUT -p TCP -j tcp_packets

$IPTABLES -A INPUT -p UDP -j udp_packets

$IPTABLES -A INPUT -p ICMP -j icmp_packets

# If you have a Microsoft Network on the outside of your firewall, you may

# also get flooded by Multicasts. We drop them so we do not get flooded by

# logs

#$IPTABLES -A INPUT -i $INET_IFACE -d 224.0.0.0/8 -j DROP

# Log weird packets that don't match the above.

$IPTABLES -A INPUT -m limit –limit 3/minute –limit-burst 3 -j LOG \

–log-level DEBUG –log-prefix "IPT INPUT packet died: "

# 4.1.5 FORWARD chain

# Bad TCP packets we don't want

$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets

# Accept the packets we actually want to forward

$IPTABLES -A FORWARD -p tcp –dport 21 -i $LAN_IFACE -j ACCEPT

$IPTABLES -A FORWARD -p tcp –dport 80 -i $LAN_IFACE -j ACCEPT

$IPTABLES -A FORWARD -p tcp –dport 110 -i $LAN_IFACE -j ACCEPT

$IPTABLES -A FORWARD -m state –state ESTABLISHED,RELATED -j ACCEPT

# Log weird packets that don't match the above.

$IPTABLES -A FORWARD -m limit –limit 3/minute –limit-burst 3 -j LOG \

–log-level DEBUG –log-prefix "IPT FORWARD packet died: "

# 4.1.6 OUTPUT chain

# Bad TCP packets we don't want.

$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets

# Special OUTPUT rules to decide which IP's to allow.

$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT

$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT

$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT

# Log weird packets that don't match the above.

$IPTABLES -A OUTPUT -m limit –limit 3/minute –limit-burst 3 -j LOG \

–log-level DEBUG –log-prefix "IPT OUTPUT packet died: "

######

# 4.2 nat table

# 4.2.1 Set policies

# 4.2.2 Create user specified chains

# 4.2.3 Create content in user specified chains

# 4.2.4 PREROUTING chain

# 4.2.5 POSTROUTING chain

# Enable simple IP Forwarding and Network Address Translation

$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT –to-source $INET_IP

# 4.2.6 OUTPUT chain

######

# 4.3 mangle table

# 4.3.1 Set policies

# 4.3.2 Create user specified chains

# 4.3.3 Create content in user specified chains

# 4.3.4 PREROUTING chain

# 4.3.5 INPUT chain

# 4.3.6 FORWARD chain

# 4.3.7 OUTPUT chain

# 4.3.8 POSTROUTING chain

<p>I.4. Пример rc.DHCP.firewall</p>

#!/bin/sh

# rc.firewall – DHCP IP Firewall script for Linux 2.4.x and iptables

# This program is free software; you can redistribute it and/or modify

# it under the terms of the GNU General Public License as published by

# the Free Software Foundation; version 2 of the License.

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

# GNU General Public License for more details.

# You should have received a copy of the GNU General Public License

# along with this program or from the site that you downloaded it

# from; if not, write to the Free Software Foundation, Inc., 59 Temple

# Place, Suite 330, Boston, MA 02111-1307 USA

Перейти на страницу:

Похожие книги

Все жанры

Фантастика

Любовные романы

Приключения

Детективы и Триллеры

Пьесы

Финансы и бизнес

Эро литература

Дом и досуг

Документальная литература

Аниме

Древние книги

Знания и навыки

Лёгкое чтение

Серьёзное чтение

Юмор

Книги по IT

Словари и Энциклопедии

Love Action

Ценные бумаги

Эссе

Без Жанра

Иностранная литература

Народные

Романы про измену

Образование и наука

РПГ

Наука, Образование

Документальное

Техника

Справочная литература

Фольклор

Образовательная литература

Cпецслужбы

Семейная психология

Семейный роман

Частушки

Литература для детей

Искусство, Искусствоведение, Дизайн

Жанр не определён

Разное

Деловая литература

Драматургия

Дом и семья

Компьютеры и Интернет

Прочее

Учебники и пособия

Военное дело

Проза

Родителям

Романы

Старинное

Зарубежная литература

Книги Для Детей

Стихи и поэзия