
[debian-users:36257] Re: personal firewall with iptables



This is Takeshima.

plain@Ohara-san, I printed it out right away and read it.
It is written very carefully and was truly an eye-opener for me.
Using it as a reference, I tried adding samba.
Of course, on an always-on Internet connection something terrible might happen,
but without a samba file server all sorts of inconveniences arise.
So this is for running it temporarily.

debian:~# more samba-firewall.bat 
----------------------------------
#!/bin/sh

/etc/init.d/iptables clear

modprobe ipt_LOG
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ipt_MASQUERADE
modprobe ipt_multiport

# block pings to my machine
echo '1' > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo '1' > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# enable protection against spoofing attacks
echo '1' > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo '1' > /proc/sys/net/ipv4/tcp_syncookies
echo '1' > /proc/sys/net/ipv4/conf/all/rp_filter

# log malformed packets to /var/log/messages; they are discarded automatically
echo '1' > /proc/sys/net/ipv4/conf/all/log_martians
echo '0' > /proc/sys/net/ipv4/conf/all/accept_source_route
echo '0' > /proc/sys/net/ipv4/conf/all/accept_redirects

# default policy for the filter table
iptables -t filter -P INPUT DROP
iptables -t filter -P OUTPUT DROP
iptables -t filter -P FORWARD DROP

# default policy for the nat table
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT

# default policy for the mangle table
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P OUTPUT ACCEPT

# discard malformed packets immediately
iptables -A INPUT -m unclean -j DROP

# allow traffic on loopback
iptables -A INPUT -i lo -j ACCEPT

# personal rules

# accept all packets belonging to connections I initiated
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# enable DNS over UDP
iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT

# enable web browsing and https traffic
iptables -t filter -A OUTPUT -p tcp -m multiport --dports 80,443 -j ACCEPT

######### samba by takesima -- VERY DANGEROUS, take care ########
# NetBIOS session (tcp/139), datagram (udp/138) and name service (udp/137),
# restricted to the local network 192.168.72.0/24 by source/destination address.
# The OUTPUT chain has no RELATED,ESTABLISHED rule, so the replies need
# their own --sport rules here.
iptables -A INPUT  -p tcp --dport 139 -s 192.168.72.0/24  -j ACCEPT
iptables -A OUTPUT -p tcp --sport 139 -d 192.168.72.0/24  -j ACCEPT
iptables -A INPUT  -p udp --dport 138 -s 192.168.72.0/24  -j ACCEPT
iptables -A OUTPUT -p udp --sport 138 -d 192.168.72.0/24  -j ACCEPT
iptables -A INPUT  -p udp --dport 137 -s 192.168.72.0/24  -j ACCEPT
iptables -A OUTPUT -p udp --sport 137 -d 192.168.72.0/24  -j ACCEPT
#######################################################

# enable SMTP and POP3 connections
iptables -t filter -A OUTPUT -p tcp --dport 25 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 110 -j ACCEPT

# enable SSH (SecureShell) connections, with logging
# (OUTPUT chain: each new outgoing SSH connection is logged before being accepted)
iptables -t filter -A OUTPUT -p tcp --syn --dport 22 -m state --state NEW -j LOG \
  --log-level info --log-prefix "---SSH from eth0---"
iptables -t filter -A OUTPUT -p tcp --dport 22 -j ACCEPT

# block all packets destined for the X11 server and the X font server
iptables -t filter -A INPUT -i eth0 -p tcp --dport 6000:6010 -j DROP
iptables -t filter -A INPUT -i eth0 -p udp --dport 6000:6010 -j DROP
iptables -t filter -A INPUT -i eth0 -p tcp --dport 7000:7010 -j DROP
iptables -t filter -A INPUT -i eth0 -p udp --dport 7000:7010 -j DROP

# drop ICMP echo-request packets (every other ICMP type is accepted)
iptables -t filter -A INPUT -p icmp ! --icmp-type 8 -j ACCEPT

# add this rule in case of problems with the DEFAULT policy
iptables -A INPUT -j DROP

# masquerading
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# re-enable packet forwarding once the firewall setup is finished

/etc/init.d/iptables save active
/etc/init.d/iptables save inactive
dpkg-reconfigure iptables

iptables -L -v
------------------------------

With this:
debian:~# sh samba-firewall.bat 
Clearing iptables ruleset: default ACCEPT policy.
Savinging iptables ruleset: save "active" with counters.
Savinging iptables ruleset: save "inactive" with counters.
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  any    any     anywhere             anywhere           unclean 
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere           
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere           state RELATED,ESTABLISHED 
    0     0 ACCEPT     tcp  --  any    any     localnet/24          anywhere           tcp dpt:netbios-ssn 
    0     0 ACCEPT     udp  --  any    any     localnet/24          anywhere           udp dpt:netbios-dgm 
    0     0 ACCEPT     udp  --  any    any     localnet/24          anywhere           udp dpt:netbios-ns 
    0     0 DROP       tcp  --  eth0   any     anywhere             anywhere           tcp dpts:x11:6010 
    0     0 DROP       udp  --  eth0   any     anywhere             anywhere           udp dpts:x11:6010 
    0     0 DROP       tcp  --  eth0   any     anywhere             anywhere           tcp dpts:afs3-fileserver:7010 
    0     0 DROP       udp  --  eth0   any     anywhere             anywhere           udp dpts:afs3-fileserver:7010 
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere           icmp !echo-request 
    0     0 DROP       all  --  any    any     anywhere             anywhere           

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere           udp dpt:domain 
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere           multiport dports www,https 
    0     0 ACCEPT     tcp  --  any    any     anywhere             localnet/24        tcp spt:netbios-ssn 
    0     0 ACCEPT     udp  --  any    any     anywhere             localnet/24        udp spt:netbios-dgm 
    0     0 ACCEPT     udp  --  any    any     anywhere             localnet/24        udp spt:netbios-ns 
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere           tcp dpt:smtp 
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere           tcp dpt:pop3 
    0     0 LOG        tcp  --  any    any     anywhere             anywhere           tcp dpt:ssh flags:SYN,RST,ACK/SYN state NEW LOG level info prefix `---SSH from eth0---' 
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere           tcp dpt:ssh 
That is all.

------------------------- 
http://nakajin.dyndns.org
Mom, I don't want to be naked: one firewall per household
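To see what the INPUT chain of the script above actually lets through, here is an added example (my own code, not from the post and not from plain@Ohara's original script): a first-match evaluator for that chain, fed with constructed sample packets. It assumes the LAN side of the box is `eth1` (the post only mentions eth0), and it does not model the `-m unclean` match or the sysctl settings. It runs the chain twice: once as posted, where the Samba rules match on source address only, and once with `-i eth1` added to them.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Source network from the posted script.
LAN = ipaddress.ip_network("192.168.72.0/24")


@dataclass(frozen=True)
class Packet:
    iface: str                      # interface the packet arrived on
    proto: str                      # "tcp", "udp" or "icmp"
    src: str                        # source IPv4 address
    dport: Optional[int] = None     # destination port (tcp/udp)
    icmp_type: Optional[int] = None
    state: str = "NEW"              # conntrack state: NEW, ESTABLISHED, RELATED


@dataclass(frozen=True)
class Rule:
    """One INPUT rule: every set field must match (iptables AND-semantics)."""
    target: str
    iface: Optional[str] = None                        # -i
    proto: Optional[str] = None                        # -p
    src: Optional[ipaddress.IPv4Network] = None        # -s
    dports: Optional[range] = None                     # --dport a[:b]
    not_icmp_type: Optional[int] = None                # ! --icmp-type
    states: Optional[frozenset] = None                 # -m state --state

    def matches(self, p: Packet) -> bool:
        if self.iface is not None and p.iface != self.iface:
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.src is not None and ipaddress.ip_address(p.src) not in self.src:
            return False
        if self.dports is not None and (p.dport is None or p.dport not in self.dports):
            return False
        if self.not_icmp_type is not None and p.icmp_type == self.not_icmp_type:
            return False
        if self.states is not None and p.state not in self.states:
            return False
        return True


def evaluate(chain, packet, policy="DROP"):
    """First matching rule wins; the chain policy applies if nothing matches."""
    for rule in chain:
        if rule.matches(packet):
            return rule.target
    return policy


def samba_input_chain(lan_iface=None):
    """The post's INPUT chain, in order ('-m unclean' is not modelled).
    lan_iface=None reproduces the post: the Samba rules match on source
    address only.  Passing an interface name (assumption: the LAN side is
    'eth1'; the post only shows eth0) adds '-i <lan_iface>' to them."""
    chain = [
        Rule("ACCEPT", iface="lo"),
        Rule("ACCEPT", states=frozenset({"RELATED", "ESTABLISHED"})),
    ]
    for proto, port in (("tcp", 139), ("udp", 138), ("udp", 137)):
        chain.append(Rule("ACCEPT", iface=lan_iface, proto=proto,
                          src=LAN, dports=range(port, port + 1)))
    for proto in ("tcp", "udp"):
        chain.append(Rule("DROP", iface="eth0", proto=proto, dports=range(6000, 6011)))
        chain.append(Rule("DROP", iface="eth0", proto=proto, dports=range(7000, 7011)))
    chain.append(Rule("ACCEPT", proto="icmp", not_icmp_type=8))
    chain.append(Rule("DROP"))  # the explicit catch-all at the end of the post's chain
    return chain


def check(lan_iface=None):
    """Run constructed sample packets through the chain; returns {case: verdict}."""
    chain = samba_input_chain(lan_iface)
    cases = {
        "smb_from_lan":         Packet("eth1", "tcp", "192.168.72.10", dport=139),
        "smb_from_internet":    Packet("eth0", "tcp", "203.0.113.7", dport=139),
        "smb_spoofed_lan_src":  Packet("eth0", "tcp", "192.168.72.10", dport=139),
        "ping_request":         Packet("eth0", "icmp", "203.0.113.7", icmp_type=8),
        "ping_reply":           Packet("eth0", "icmp", "203.0.113.7", icmp_type=0),
        "dns_reply":            Packet("eth0", "udp", "203.0.113.53", dport=33000,
                                       state="ESTABLISHED"),
        "x11_from_lan_on_eth0": Packet("eth0", "tcp", "192.168.72.10", dport=6000),
    }
    return {name: evaluate(chain, pkt) for name, pkt in cases.items()}


if __name__ == "__main__":
    for variant in (None, "eth1"):
        print("Samba rules bound to:", variant or "any interface (as posted)")
        for name, verdict in check(variant).items():
            print(f"  {name:<22} {verdict}")
```

As posted, a packet arriving on eth0 with a forged 192.168.72.x source still reaches the netbios-ssn ACCEPT rule; the script's rp_filter=1 discards such a packet before the filter table only when the kernel's route back to 192.168.72.0/24 leaves through a different interface. Binding the Samba rules to the LAN interface removes that dependency on the routing table. The ping cases also show that the `! --icmp-type 8` rule by itself sends echo-request to the catch-all DROP, independently of the icmp_echo_ignore_all sysctl set earlier in the script.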