
[debian-users:36251] personal firewall with iptables



My name is Takeshima.

Thank you for your continued help.
I looked at
http://www.pluto.linux.it/journal/pj0207/personal_fw.html
and, imitating it, put together something like a personal firewall.
In the script, the upper line of each comment pair is the original Italian,
and the lower line is its machine translation into English.

The assumed setup is woody (NIC: eth0) ---- Yahoo modem --- internet.
This is my first time with both iptables and ipchains, so I would appreciate your guidance.

/root/iptables.bat
is:
---
#!/bin/sh

# Replaced every ppp in the original with eth
# and added the following 3 lines.
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT

modprobe ipt_LOG
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ipt_MASQUERADE
modprobe ipt_multiport

# block pings to my machine
echo '1' > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo '1' > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# enable protection against spoofing attacks
echo '1' > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo '1' > /proc/sys/net/ipv4/tcp_syncookies
echo '1' > /proc/sys/net/ipv4/conf/all/rp_filter

# log malformed packets to /var/log/messages and discard them automatically
echo '1' > /proc/sys/net/ipv4/conf/all/log_martians
echo '0' > /proc/sys/net/ipv4/conf/all/accept_source_route
echo '0' > /proc/sys/net/ipv4/conf/all/accept_redirects

# default policy for the filter table
iptables -t filter -P INPUT DROP
iptables -t filter -P OUTPUT DROP
iptables -t filter -P FORWARD DROP

# default policy for the nat table
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT

# default policy for the mangle table
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P OUTPUT ACCEPT

# discard malformed packets immediately
iptables -A INPUT -m unclean -j DROP

# allow traffic on loopback
iptables -A INPUT -i lo -j ACCEPT

# personal rules

# accept all connections related to mine
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# enable DNS over UDP
iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT

# enable web browsing and https traffic
iptables -t filter -A OUTPUT -p tcp -m multiport --dports 80,443 -j ACCEPT

# enable SMTP and POP3 connections
iptables -t filter -A OUTPUT -p tcp --dport 25 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 110 -j ACCEPT

# enable SSH (Secure Shell) connections, logging each new one
iptables -t filter -A OUTPUT -p tcp --syn --dport 22 -m state --state NEW -j LOG \
  --log-level info --log-prefix "---SSH from eth0---"
iptables -t filter -A OUTPUT -p tcp --dport 22 -j ACCEPT

# block all packets destined for the X11 server and the X font server
iptables -t filter -A INPUT -i eth0 -p tcp --dport 6000:6010 -j DROP
iptables -t filter -A INPUT -i eth0 -p udp --dport 6000:6010 -j DROP
iptables -t filter -A INPUT -i eth0 -p tcp --dport 7000:7010 -j DROP
iptables -t filter -A INPUT -i eth0 -p udp --dport 7000:7010 -j DROP

# disable ICMP echo-request packets (accept every other ICMP type)
iptables -t filter -A INPUT -p icmp ! --icmp-type 8 -j ACCEPT

# add this rule in case of problems with the DEFAULT policy
iptables -A INPUT -j DROP

# masquerading
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# re-enable packet forwarding at the end of the firewall setup
---

With the above,
debian:~# iptables -L
gives:
---
debian:~# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere           unclean 
ACCEPT     all  --  anywhere             anywhere           
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED 
DROP       tcp  --  anywhere             anywhere           tcp dpts:x11:6010 
DROP       udp  --  anywhere             anywhere           udp dpts:x11:6010 
DROP       tcp  --  anywhere             anywhere           tcp dpts:afs3-fileserver:7010 
DROP       udp  --  anywhere             anywhere           udp dpts:afs3-fileserver:7010 
ACCEPT     icmp --  anywhere             anywhere           icmp !echo-request 
DROP       all  --  anywhere             anywhere           

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere           udp dpt:domain 
ACCEPT     tcp  --  anywhere             anywhere           multiport dports www,https 
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:smtp 
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:pop3 
LOG        tcp  --  anywhere             anywhere           tcp dpt:ssh flags:SYN,RST,ACK/SYN state NEW LOG level info prefix `---SSH from eth0---' 
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ssh 
---
That is the result.
Is it working?

Also, with this, after a reboot I have to load it again with sh /root/iptables.bat, which is inconvenient.
How can I have it loaded automatically at boot?

Also, I would be very grateful if you could tell me how to create a new /root/iptables-update.bat
and make it forget the rules of the original iptables.bat.
I tried reading /etc/default/iptables but it did not quite click for me.

-- 
Mail nakazintuyosi@xxxxxxxxxxxxxxxxxx
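The post's script only flushes the filter chains, so a second script cannot "forget" its DROP policies or any nat/mangle rules by the same three `-F` lines. The reset helper below is an added example, not code from the post or from the Pluto article it follows; it assumes the iptables binary is named by `IPT` (set `IPT=echo` for a dry run) and the same 2.4-era table layout as the script (mangle with only PREROUTING and OUTPUT).

```shell
#!/bin/sh
# Added example: full reset for a second rule script such as
# /root/iptables-update.bat. Flushes and clears all three tables and
# returns every built-in chain to the kernel default policy of ACCEPT,
# so the rules loaded afterwards start from a known state.
# IPT is assumed to name the iptables binary; IPT=echo only prints.
IPT=${IPT:-iptables}

fw_reset() {
    for table in filter nat mangle; do
        "$IPT" -t "$table" -F          # flush all rules in every chain
        "$IPT" -t "$table" -X          # delete user-defined chains
    done
    # Restore the built-in chains to ACCEPT (the script set them to DROP).
    for chain in INPUT FORWARD OUTPUT; do
        "$IPT" -t filter -P "$chain" ACCEPT
    done
    for chain in PREROUTING POSTROUTING OUTPUT; do
        "$IPT" -t nat -P "$chain" ACCEPT
    done
    for chain in PREROUTING OUTPUT; do   # same two mangle chains as the script
        "$IPT" -t mangle -P "$chain" ACCEPT
    done
}

# Dry-run self-check: count the policy resets fw_reset would issue
# (3 filter + 3 nat + 2 mangle = 8) without touching the kernel.
fw_reset_dry_run_policy_count() {
    ( IPT=echo; fw_reset ) | grep -c -- '-P [A-Z]* ACCEPT'
}

# Run "sh reset.sh reset" to apply; with no argument nothing is changed.
if [ "${1:-}" = reset ]; then
    fw_reset
fi
```

Note that the OUTPUT chain in the listing above has no `-o lo` ACCEPT rule, so with policy DROP the host cannot talk to itself over loopback; `iptables -L -v -n` shows the interface matches that plain `iptables -L` hides. Once a rule set is loaded, `iptables-save` writes it to a file and `iptables-restore` reloads it, which is the generic way to have it applied at boot.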