[debian-users:36251] personal firewall with iptables
My name is Takeshima.
Thank you for your continued help.
I looked at
http://www.pluto.linux.it/journal/pj0207/personal_fw.html
and, imitating it, put together something like a personal firewall.
In the script below, the upper # line of each pair is the Italian original
and the lower # line is its machine-translated English.
The assumed setup is woody (NIC: eth0) ---- YAHOO modem --- internet.
This is my first time with both iptables and ipchains, so I would appreciate your guidance.
/root/iptables.bat
is
---
#!/bin/sh
# Every "ppp" in the original article was replaced with "eth".
# The flush lines below were added (the article does not have them).
# Flushing nat and mangle as well matters: without it, re-running the
# script appends a second MASQUERADE rule to nat POSTROUTING each time.
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
iptables -t nat -F
iptables -t mangle -F
modprobe ipt_LOG
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ipt_MASQUERADE
modprobe ipt_multiport
# block pings aimed at this machine
echo '1' > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo '1' > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# enable protection against spoofing attacks
echo '1' > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo '1' > /proc/sys/net/ipv4/tcp_syncookies
echo '1' > /proc/sys/net/ipv4/conf/all/rp_filter
# log the malformed packets that are dropped automatically to /var/log/messages
echo '1' > /proc/sys/net/ipv4/conf/all/log_martians
echo '0' > /proc/sys/net/ipv4/conf/all/accept_source_route
echo '0' > /proc/sys/net/ipv4/conf/all/accept_redirects
# default policy for the filter table
iptables -t filter -P INPUT DROP
iptables -t filter -P OUTPUT DROP
iptables -t filter -P FORWARD DROP
# default policy for the nat table
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
# default policy for the mangle table
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P OUTPUT ACCEPT
# drop malformed packets right away
# (the unclean match is experimental; if the ipt_unclean module is not
# built for the running kernel this one command fails and the rest still runs)
iptables -A INPUT -m unclean -j DROP
# allow traffic on loopback
iptables -A INPUT -i lo -j ACCEPT
# personal rules
# accept every packet that belongs to a connection this machine started
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# allow outgoing DNS queries over UDP
iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
# allow web browsing and https traffic
iptables -t filter -A OUTPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
# allow SMTP and POP3 connections
iptables -t filter -A OUTPUT -p tcp --dport 25 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 110 -j ACCEPT
# allow outgoing SSH (Secure Shell) connections, logging each new one
iptables -t filter -A OUTPUT -p tcp --syn --dport 22 -m state --state NEW -j LOG \
--log-level info --log-prefix "---SSH from eth0---"
iptables -t filter -A OUTPUT -p tcp --dport 22 -j ACCEPT
# block all packets aimed at the X11 server and the X font server
iptables -t filter -A INPUT -i eth0 -p tcp --dport 6000:6010 -j DROP
iptables -t filter -A INPUT -i eth0 -p udp --dport 6000:6010 -j DROP
iptables -t filter -A INPUT -i eth0 -p tcp --dport 7000:7010 -j DROP
iptables -t filter -A INPUT -i eth0 -p udp --dport 7000:7010 -j DROP
# accept ICMP other than echo-request (echo-request is already ignored
# by the icmp_echo_ignore_all setting above; this rule lets errors such as
# destination-unreachable through so connections fail quickly instead of hanging)
iptables -t filter -A INPUT -p icmp ! --icmp-type 8 -j ACCEPT
# added in case something is wrong with the DEFAULT policy
iptables -A INPUT -j DROP
# masquerading
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# re-enable packet forwarding once the firewall has been set up
---
With the above, running
debian:~# iptables -L
gives
---
debian:~# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
DROP all -- anywhere anywhere unclean
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP tcp -- anywhere anywhere tcp dpts:x11:6010
DROP udp -- anywhere anywhere udp dpts:x11:6010
DROP tcp -- anywhere anywhere tcp dpts:afs3-fileserver:7010
DROP udp -- anywhere anywhere udp dpts:afs3-fileserver:7010
ACCEPT icmp -- anywhere anywhere icmp !echo-request
DROP all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere multiport dports www,https
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3
LOG tcp -- anywhere anywhere tcp dpt:ssh flags:SYN,RST,ACK/SYN state NEW LOG level info prefix `---SSH from eth0---'
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
---
That is the result.
Is it working?
Also, as it stands I have to load it again with sh /root/iptables.bat every time the machine reboots, which is inconvenient.
How can I have it loaded automatically at boot time?
And I would be very grateful if you could also tell me how to create a new /root/iptables-update.bat
and make the system forget the rules from the original iptables.bat.
I read /etc/default/iptables, but it didn't quite click for me.
--
メール nakazintuyosi@xxxxxxxxxxxxxxxxxx
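The two questions at the end of the post, forgetting the old rule set before a new script runs and getting the rules back at boot, are addressed by the added example below. It is not from the post or from the Italian article. The path /etc/iptables.rules and the use of the `pre-up` option in /etc/network/interfaces are assumptions chosen for this example; `IPTABLES=echo` turns the reset into a dry run that prints the commands instead of executing them, which is how it can be checked without root.

```sh
#!/bin/sh
# Added example (not the post's or the article's code).
# reset_tables puts every table back to an empty, accept-everything state so
# a fresh rule script starts from nothing; save_rules dumps the active rule
# set for boot-time reload. Setting IPTABLES=echo prints instead of runs.
IPTABLES="${IPTABLES:-iptables}"
RULES_FILE="${RULES_FILE:-/etc/iptables.rules}"   # assumed path, not from the post

# Order matters: set every policy to ACCEPT *before* flushing. With the
# policy still DROP, "-F" removes the RELATED,ESTABLISHED rule and an SSH
# session to the box dies until the new ACCEPT rules are appended.
reset_tables() {
    for chain in INPUT FORWARD OUTPUT; do
        "$IPTABLES" -t filter -P "$chain" ACCEPT
    done
    for chain in PREROUTING POSTROUTING OUTPUT; do
        "$IPTABLES" -t nat -P "$chain" ACCEPT
    done
    # the post's script only touches PREROUTING and OUTPUT in mangle
    for chain in PREROUTING OUTPUT; do
        "$IPTABLES" -t mangle -P "$chain" ACCEPT
    done
    for table in filter nat mangle; do
        "$IPTABLES" -t "$table" -F    # delete all rules in every chain
        "$IPTABLES" -t "$table" -X    # delete any user-defined chains
        "$IPTABLES" -t "$table" -Z    # zero the packet and byte counters
    done
}

# Dump the active rule set (all tables) so it can be restored at boot
# without re-running the script. Run once after the rule script has run.
save_rules() {
    iptables-save > "$RULES_FILE"
}

# Boot-time loading: one line in the eth0 stanza of /etc/network/interfaces
# makes ifup install the rules before the link comes up:
#
#   iface eth0 inet dhcp
#       pre-up iptables-restore < /etc/iptables.rules
#
# iptables-restore replaces the whole contents of each table, so no flush is
# needed there; re-running a rule script is the case that needs reset_tables.

case "${1:-}" in
    --dry-run) IPTABLES=echo; reset_tables ;;
    --reset)   reset_tables ;;
    --save)    save_rules ;;
esac
```

To use it with the post's setup: source this file at the top of the new /root/iptables-update.bat and call reset_tables before the first rule, then run `sh thisfile --save` once the new rules are in place. Two caveats: the /proc/sys settings (icmp_echo_ignore_all, rp_filter and so on) are not part of iptables-save output and still have to be applied separately, for example from /etc/sysctl.conf; and the policies end up at ACCEPT after reset_tables, so the new script must set them back to DROP itself, as the posted script already does.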