[debian-users:36257] Re: personal firewall with iptables
- From: nakazintuyosi@xxxxxxxxxxxxxxxxxx
- Date: Tue, 11 Feb 2003 19:19:25 +0900
- References: <20030210222403.GC24141%yamyas@xxxxxxxxxx> <20030211080552.7baa7286.nakazintuyosi@xxxxxxxxxxxxxxxxxx> <20030211170846.9343.CAR31930@xxxxxxxxxxxxxxx>
- Message-id: <20030211191917.1de1158f.nakazintuyosi@xxxxxxxxxxxxxxxxxx>
- X-mailer: Sylpheed version 0.7.4 (GTK+ 1.2.10; i386-debian-linux-gnu)
This is Takeshima.
plain@Ohara-san, I printed it out right away and read it.
It is written very carefully, and it was truly an eye-opener for me.
Using it as a reference, I tried installing samba.
Of course, on an always-on Internet connection something terrible could happen,
but without a samba file server all sorts of inconveniences arise.
So this is for running it temporarily.
debian:~# more samba-firewall.bat
----------------------------------
#!/bin/sh
/etc/init.d/iptables clear
modprobe ipt_LOG
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ipt_MASQUERADE
modprobe ipt_multiport
# block pings to my machine
echo '1' > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo '1' > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# enable protection against spoofing attacks
echo '1' > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo '1' > /proc/sys/net/ipv4/tcp_syncookies
echo '1' > /proc/sys/net/ipv4/conf/all/rp_filter
# log malformed and automatically discarded packets to /var/log/messages
echo '1' > /proc/sys/net/ipv4/conf/all/log_martians
echo '0' > /proc/sys/net/ipv4/conf/all/accept_source_route
echo '0' > /proc/sys/net/ipv4/conf/all/accept_redirects
# default policy for the filter table
iptables -t filter -P INPUT DROP
iptables -t filter -P OUTPUT DROP
iptables -t filter -P FORWARD DROP
# default policy for the nat table
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
# default policy for the mangle table
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P OUTPUT ACCEPT
# drop malformed packets immediately
iptables -A INPUT -m unclean -j DROP
# allow traffic on loopback
# (note: there is no matching "-o lo" rule in OUTPUT, so with the DROP policy
# above, locally generated traffic to the loopback interface is dropped)
iptables -A INPUT -i lo -j ACCEPT
# personal rules
# accept all connections related to my own
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# enable DNS over UDP
iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
# enable web browsing and https traffic
iptables -t filter -A OUTPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
######### samba by takesima: very dangerous, handle with care ########
# NetBIOS session (139/tcp), datagram (138/udp) and name service (137/udp),
# accepted only from the local 192.168.72.0/24 network
iptables -A INPUT -p tcp --dport 139 -s 192.168.72.0/24 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 139 -d 192.168.72.0/24 -j ACCEPT
iptables -A INPUT -p udp --dport 138 -s 192.168.72.0/24 -j ACCEPT
iptables -A OUTPUT -p udp --sport 138 -d 192.168.72.0/24 -j ACCEPT
iptables -A INPUT -p udp --dport 137 -s 192.168.72.0/24 -j ACCEPT
iptables -A OUTPUT -p udp --sport 137 -d 192.168.72.0/24 -j ACCEPT
#######################################################
# enable SMTP and POP3 connections
iptables -t filter -A OUTPUT -p tcp --dport 25 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 110 -j ACCEPT
# enable SSH (Secure Shell) connections, logging each new one
iptables -t filter -A OUTPUT -p tcp --syn --dport 22 -m state --state NEW -j LOG \
--log-level info --log-prefix "---SSH from eth0---"
iptables -t filter -A OUTPUT -p tcp --dport 22 -j ACCEPT
# block all packets destined for the X11 server and the X font server
iptables -t filter -A INPUT -i eth0 -p tcp --dport 6000:6010 -j DROP
iptables -t filter -A INPUT -i eth0 -p udp --dport 6000:6010 -j DROP
iptables -t filter -A INPUT -i eth0 -p tcp --dport 7000:7010 -j DROP
iptables -t filter -A INPUT -i eth0 -p udp --dport 7000:7010 -j DROP
# refuse ICMP echo-request packets (every other ICMP type is accepted)
iptables -t filter -A INPUT -p icmp ! --icmp-type 8 -j ACCEPT
# add this rule in case of problems with the DEFAULT policy
iptables -A INPUT -j DROP
# masquerading
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# re-enable packet forwarding at the end of the firewall setup
# (save the ruleset with the Debian iptables init script, then show it)
/etc/init.d/iptables save active
/etc/init.d/iptables save inactive
dpkg-reconfigure iptables
iptables -L -v
------------------------------
With this:
debian:~# sh samba-firewall.bat
Clearing iptables ruleset: default ACCEPT policy.
Savinging iptables ruleset: save "active" with counters.
Savinging iptables ruleset: save "inactive" with counters.
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- any any anywhere anywhere unclean
0 0 ACCEPT all -- lo any anywhere anywhere
0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- any any localnet/24 anywhere tcp dpt:netbios-ssn
0 0 ACCEPT udp -- any any localnet/24 anywhere udp dpt:netbios-dgm
0 0 ACCEPT udp -- any any localnet/24 anywhere udp dpt:netbios-ns
0 0 DROP tcp -- eth0 any anywhere anywhere tcp dpts:x11:6010
0 0 DROP udp -- eth0 any anywhere anywhere udp dpts:x11:6010
0 0 DROP tcp -- eth0 any anywhere anywhere tcp dpts:afs3-fileserver:7010
0 0 DROP udp -- eth0 any anywhere anywhere udp dpts:afs3-fileserver:7010
0 0 ACCEPT icmp -- any any anywhere anywhere icmp !echo-request
0 0 DROP all -- any any anywhere anywhere
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:domain
0 0 ACCEPT tcp -- any any anywhere anywhere multiport dports www,https
0 0 ACCEPT tcp -- any any anywhere localnet/24 tcp spt:netbios-ssn
0 0 ACCEPT udp -- any any anywhere localnet/24 udp spt:netbios-dgm
0 0 ACCEPT udp -- any any anywhere localnet/24 udp spt:netbios-ns
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:smtp
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:pop3
0 0 LOG tcp -- any any anywhere anywhere tcp dpt:ssh flags:SYN,RST,ACK/SYN state NEW LOG level info prefix `---SSH from eth0---'
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ssh
That's all.
-------------------------
http://nakajin.dyndns.org
Mama, I don't want to be naked: one firewall per household
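As an added example (not part of the post or of Debian's iptables scripts), here is a small Python audit that parses an "iptables -L -v" listing like the one shown above and flags two things a reviewer would check in this ruleset: SMB/NetBIOS ports accepted without a source-network or interface restriction, and an OUTPUT DROP policy with no loopback accept rule. The sample listing is constructed from the posted output; Python is used because the check runs offline on captured text rather than against a live kernel.

```python
import re

# Constructed sample modelled on the "iptables -L -v" listing quoted in the post
SAMPLE = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in  out source      destination
    0     0 ACCEPT all  --  lo  any anywhere    anywhere
    0     0 ACCEPT all  --  any any anywhere    anywhere    state RELATED,ESTABLISHED
    0     0 ACCEPT tcp  --  any any localnet/24 anywhere    tcp dpt:netbios-ssn
    0     0 ACCEPT udp  --  any any localnet/24 anywhere    udp dpt:netbios-ns
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in  out source      destination
    0     0 ACCEPT udp  --  any any anywhere    anywhere    udp dpt:domain
    0     0 ACCEPT tcp  --  any any anywhere    localnet/24 tcp spt:netbios-ssn
"""

SMB_PORTS = ("netbios-ns", "netbios-dgm", "netbios-ssn", "microsoft-ds")

def parse_listing(text):
    # Returns {chain: {"policy": ..., "rules": [...]}} from "iptables -L -v" output
    chains, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \((?:policy (\S+))?", line)
        if m:
            cur = chains.setdefault(m.group(1), {"policy": m.group(2), "rules": []})
            continue
        f = line.split()
        if cur is None or len(f) < 9 or f[0] == "pkts":
            continue  # blank line or column header
        # columns: pkts bytes target prot opt in out source destination [match text]
        cur["rules"].append({"target": f[2], "proto": f[3], "in": f[5], "out": f[6],
                             "src": f[7], "dst": f[8], "extra": " ".join(f[9:])})
    return chains

def audit(text):
    # Returns a list of findings; an empty list means both checks passed
    chains, findings = parse_listing(text), []
    inp = chains.get("INPUT", {"policy": None, "rules": []})
    out = chains.get("OUTPUT", {"policy": None, "rules": []})
    # 1. SMB/NetBIOS ports must be restricted by source network or ingress interface
    for r in inp["rules"]:
        smb = [p for p in SMB_PORTS if "dpt:" + p in r["extra"]]
        if r["target"] == "ACCEPT" and smb and r["src"] == "anywhere" and r["in"] == "any":
            findings.append("INPUT accepts %s from anywhere on any interface" % smb[0])
    # 2. With OUTPUT policy DROP an explicit "out lo" ACCEPT is needed, or local
    #    daemons talking to 127.0.0.1 silently break (the posted script lacks it)
    if out["policy"] == "DROP" and not any(
            r["target"] == "ACCEPT" and r["out"] == "lo" for r in out["rules"]):
        findings.append("OUTPUT policy DROP without an ACCEPT rule for out=lo")
    return findings
```

Running audit(SAMPLE) on the posted ruleset reports only the missing loopback rule; the Samba rules pass because they are limited to the local /24.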