
(#11) #40935168 válasza hcl (#5) üzenetére


#40935168
törölt tag

Megírnám, de el-elszáll a gépem, a tápom valamit nem szeret.
Kóstoló, nálam gyönyörűen működött, részben saját, részben Rusty írásai a netfilter.org-ról, az iptables szülőhazájából. ;)

Angolul írtam a kommenteket is, mert én informatikában utálom a magyart.
Laptopról értelmessé is tehetem, amint odajutok, hogy kommentelem is, mi ez itt...

Addig is enjoy, a teljesség igénye nélkül, tehát lehetne még mit bőven finomítani rajta.. egy régi script-em, de évekig húzta vele a debianom :) Van benne Apache, BIND, minden jóféle móka :)

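#!/bin/bash
# iptables firewall + NAT for a small gateway: one PPP uplink, one LAN
# interface. Must run as root; it rebuilds the whole ruleset from scratch.
clear
# Define your interfaces here:
EXT="ppp0"   # external (Internet) interface
INT="eth0"   # internal (LAN) interface

# Don't change these, these are not site specific.
# Address blocks that must never show up as a source on the external
# interface: RFC 1918 private space, loopback, multicast, "class E".
LOOPBACK="127.0.0.0/8"
RESERVED_IP_172_SPACE="172.16.0.0/12"
RESERVED_IP_192_SPACE="192.168.0.0/16"
RESERVED_IP_10_SPACE="10.0.0.0/8"
RESERVED_IP_MULTICAST="224.0.0.0/4"
# The reserved former "class E" range is 240.0.0.0/4; the previous /5
# covered only 240-247.x and left 248.0.0.0/5 (incl. 255.255.255.255)
# unmatched as a source.
RESERVED_IP_FUTURE="240.0.0.0/4"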

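# Basic Opsys Protection
# Each knob is written to conf/all AND conf/default: "all" applies to the
# interfaces that exist right now, "default" is what interfaces created
# later inherit - and the PPP uplink is created when the link comes up,
# i.e. typically after this script ran. For send_redirects in particular
# the kernel enables it if EITHER all or the per-interface value is set,
# so writing "all" alone does not switch it off.
#
# set_sysctl VALUE PATH...
#   Writes VALUE into every /proc/sys PATH that is writable. A missing or
#   read-only knob is reported on stderr rather than aborting the run, so
#   the firewall rules below are still installed.
set_sysctl() {
  local value=$1
  shift
  local path
  for path in "$@"; do
    if [[ -w "$path" ]]; then
      printf '%s\n' "$value" > "$path"
    else
      printf 'warning: cannot write %s to %s\n' "$value" "$path" >&2
    fi
  done
}

PROC_IPV4="/proc/sys/net/ipv4"
# Disable routing triangulation. Respond to queries out the same
# interface, not another. Helps to maintain state. Also protects
# against IP spoofing.
set_sysctl 1 "$PROC_IPV4/conf/all/rp_filter" "$PROC_IPV4/conf/default/rp_filter"
# Enable logging of packets with malformed IP addresses
#set_sysctl 1 "$PROC_IPV4/conf/all/log_martians" "$PROC_IPV4/conf/default/log_martians"
# Disable redirects
set_sysctl 0 "$PROC_IPV4/conf/all/send_redirects" "$PROC_IPV4/conf/default/send_redirects"
# Disable source routed packets
set_sysctl 0 "$PROC_IPV4/conf/all/accept_source_route" "$PROC_IPV4/conf/default/accept_source_route"
# Disable acceptance of ICMP redirects
set_sysctl 0 "$PROC_IPV4/conf/all/accept_redirects" "$PROC_IPV4/conf/default/accept_redirects"
# Turn on protection from DoS attacks (SYN floods)
set_sysctl 1 "$PROC_IPV4/tcp_syncookies"
# Disable responding to ping broadcasts
set_sysctl 1 "$PROC_IPV4/icmp_echo_ignore_broadcasts"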

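# Basic iptables Initialization
# Load modules for ftp connection tracking and NAT. Newer kernels ship
# the conntrack helpers under nf_* names, so fall back to those when the
# old ip_* name is unknown.
modprobe ip_conntrack_ftp 2>/dev/null || modprobe nf_conntrack_ftp
modprobe iptable_nat
# Fail closed FIRST: set the default policies to DROP before flushing.
# Flushing an ACCEPT-policy chain leaves everything open until the rules
# below are installed; flushing a DROP-policy chain does not.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Initialize all the chains by removing all the rules tied to them
iptables -F
iptables -t nat -F
iptables -t mangle -F
# Delete user defined chains. On the first run they do not exist yet, so
# iptables' "No chain/target/match by that name" complaint is silenced.
for chain in valid-tcp-flags LOGDROP valid-source-address valid-destination-address; do
  iptables -X "$chain" 2>/dev/null
done
# Loopback interface ACCEPTs everything
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT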

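# Advanced network security checking rules
# LOG-and-DROP rules:
# The LOG step is rate limited so that a flood of bogus packets cannot
# fill syslog / the disk; the packet is dropped regardless of the limit.
iptables -N LOGDROP
iptables -A LOGDROP -m limit --limit 5/min --limit-burst 10 \
  -j LOG --log-ip-options --log-tcp-options --log-level debug
iptables -A LOGDROP -j DROP
# Invalid tcp state flag checker rules: flag combinations that never occur
# in a legitimate TCP exchange (null, all-set/"xmas" and friends).
# (The old "ACK,FIN, FIN" had a stray trailing comma in the mask; it is
# written as the two-argument mask/compare pair it was meant to be.)
iptables -N valid-tcp-flags
iptables -A valid-tcp-flags -p tcp --tcp-flags ALL NONE -j LOGDROP
iptables -A valid-tcp-flags -p tcp --tcp-flags ALL ALL -j LOGDROP
iptables -A valid-tcp-flags -p tcp --tcp-flags ALL FIN,PSH,URG -j LOGDROP
iptables -A valid-tcp-flags -p tcp --tcp-flags ACK,FIN FIN -j LOGDROP
iptables -A valid-tcp-flags -p tcp --tcp-flags ACK,PSH PSH -j LOGDROP
iptables -A valid-tcp-flags -p tcp --tcp-flags ACK,URG URG -j LOGDROP
iptables -A valid-tcp-flags -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOGDROP
iptables -A valid-tcp-flags -p tcp --tcp-flags SYN,RST SYN,RST -j LOGDROP
iptables -A valid-tcp-flags -p tcp --tcp-flags FIN,RST FIN,RST -j LOGDROP
# Check TCP packets for invalid state flag combinations
for chain in INPUT OUTPUT FORWARD; do
  iptables -A "$chain" -p tcp -j valid-tcp-flags
done
# Source and destination address checker rules: addresses that can never
# legitimately arrive from the Internet side (private space, loopback,
# multicast, class E, "this" network, link-local, TEST-NET).
# 192.168.0.0/16 was defined at the top but never used here; adding it
# does not affect the LAN, because this chain is only consulted for
# packets arriving on $EXT.
iptables -N valid-source-address
iptables -N valid-destination-address
for net in "$RESERVED_IP_10_SPACE" "$RESERVED_IP_172_SPACE" "$RESERVED_IP_192_SPACE" \
           "$RESERVED_IP_MULTICAST" "$RESERVED_IP_FUTURE" "$LOOPBACK" \
           0.0.0.0/8 169.254.0.0/16 192.0.2.0/24; do
  iptables -A valid-source-address -s "$net" -j DROP
done
# Limited broadcast as destination never legitimately comes in on the uplink
iptables -A valid-source-address -d 255.255.255.255 -j DROP
iptables -A valid-destination-address -d "$RESERVED_IP_MULTICAST" -j DROP

# Verify valid source and destination addresses for all packets
# (every non-TCP packet, and the SYN that opens a TCP connection; the rest
# of a TCP flow is covered by the state rules). "! -p tcp" is the
# negation syntax current iptables expects; "-p ! tcp" is the deprecated
# form and newer releases reject it.
iptables -A INPUT -i "$EXT" ! -p tcp -j valid-source-address
iptables -A INPUT -i "$EXT" -p tcp --syn -j valid-source-address
iptables -A FORWARD -i "$EXT" ! -p tcp -j valid-source-address
iptables -A FORWARD -i "$EXT" -p tcp --syn -j valid-source-address
iptables -A OUTPUT -o "$EXT" -j valid-destination-address
iptables -A FORWARD -o "$EXT" -j valid-destination-address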

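# Allowing outbound DNS queries from the FW and the replies to come in.
iptables -A OUTPUT -p udp -o "$EXT" --dport 53 --sport 1024:65535 -j ACCEPT
# Replies are accepted only when conntrack has seen the matching query.
# The previous stateless "sport 53" accept let anyone reach every UDP port
# above 1023 on the firewall simply by sending from source port 53.
iptables -A INPUT -p udp -i "$EXT" --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow inbound DNS queries TO the firewall (to the BIND9 nameserver):
iptables -A INPUT -p udp -i "$INT" --dport 53 --sport 1024:65535 -j ACCEPT
# Allow ping out and reply in (the reply belongs to the tracked request,
# so unsolicited echo-replies are not accepted any more)
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow previously established connections, direction outbound.
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow port 80 (www) and 22 (ssh) connection to the firewall, 80 for the
# internal net, ssh for internal net + from outside some hosts.
iptables -A INPUT -p tcp -i "$INT" --dport 22 --sport 1024:65535 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -i "$EXT" --dport 22 -s 81.182.0.0/16 --sport 1024:65535 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -i "$INT" --dport 80 --sport 1024:65535 -m state --state NEW -j ACCEPT
# Allowing the FW to access the internet (http:80, https:443)
iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
# Allow ssh out from the FW
iptables -A OUTPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
# Allow irc port 6667 out and reply in
iptables -A OUTPUT -p tcp --dport 6667 -j ACCEPT
# Allow FTP out
iptables -A OUTPUT -p tcp --dport 21 -j ACCEPT
# Allow localhost's mail out of the FW (SMTP sends to port25 of the MTA like
# mx.axelero.hu)
iptables -A OUTPUT -p tcp --dport 25 -j ACCEPT

# Allow proxy access for the internal network.
# Uses $INT like every other LAN rule (this one was hard-coded to eth0, so
# changing INT at the top silently left the proxy on the old interface).
iptables -A INPUT -p tcp --dport 3128 -i "$INT" -m state --state NEW -j ACCEPT

# Allow previously established connection's reply into the FW:
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT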

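# *********************************************************************
# * NAT SETUP + filtering + portforward (if needed) *
# *********************************************************************
# The LAN behind $INT. Only this network is masqueraded, and only this
# network is forwarded (see the -s matches below).
LAN_NET="192.168.1.0/24"
# Connection tracking helpers; FTP and IRC need theirs to relate the data
# connections to the control connection. Newer kernels ship these under
# nf_* names, so fall back to those when the old ip_* name is unknown.
modprobe iptable_nat
modprobe ip_conntrack 2>/dev/null || modprobe nf_conntrack
modprobe ip_conntrack_irc 2>/dev/null || modprobe nf_conntrack_irc
modprobe ip_conntrack_ftp 2>/dev/null || modprobe nf_conntrack_ftp
modprobe ip_nat_ftp 2>/dev/null || modprobe nf_nat_ftp
echo 1 >/proc/sys/net/ipv4/ip_forward
# Allow masquerading (only for our own LAN addresses)
iptables -t nat -A POSTROUTING -o "$EXT" -s "$LAN_NET" -j MASQUERADE
# Prior to masquerading, the packets are routed via the filter table's
# FORWARD chain.
# Allowed outbound: NEW, ESTABLISHED, RELATED
# Allowed inbound: ESTABLISHED, RELATED
iptables -P FORWARD DROP
# "LAN -> Internet" rules come here.
# Every LAN rule is pinned to -s $LAN_NET: MASQUERADE above only rewrites
# that network, so a host on $INT using some other source address would
# previously have been forwarded to the uplink un-NATed, with a spoofed /
# private source address.
#
# lan_out PROTO DPORT [extra iptables matches...]
#   Appends a FORWARD rule accepting traffic from the LAN on $INT to the
#   given destination port(s); extra arguments (e.g. a state match) are
#   passed through to iptables before the ACCEPT.
lan_out() {
  local proto=$1 dport=$2
  shift 2
  iptables -A FORWARD -t filter -i "$INT" -s "$LAN_NET" -p "$proto" --dport "$dport" "$@" -j ACCEPT
}
# Allow all outgoing communication to the Internet:
# iptables -A FORWARD -t filter -i "$INT" -s "$LAN_NET" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Some custom rules for LAN->Inet:
# http & https allowed:
lan_out tcp 80 -m state --state NEW,ESTABLISHED,RELATED
lan_out tcp 443 -m state --state NEW,ESTABLISHED,RELATED
# irc allowed:
lan_out tcp 6667:6668 -m state --state NEW,ESTABLISHED,RELATED
# plain ping allowed (with flood protection):
iptables -A FORWARD -t filter -i "$INT" -s "$LAN_NET" -p icmp --icmp-type echo-request -m state --state NEW -m limit --limit 3/s -j ACCEPT
# pop3, for fetching mail
lan_out tcp 110
# smtp, for sending mail
lan_out tcp 25
# Messenger out to the net
lan_out tcp 1863
# SSH from the local LAN out to the net:
lan_out tcp 22
# Telnet too, who knows what still uses it :)
lan_out tcp 23
# FTP Out (kept disabled as before; the ftp helpers loaded above are what
# make FTP work when enabled):
#lan_out tcp 20
#lan_out udp 20
#lan_out tcp 21
#lan_out udp 21

# "Internet -> LAN" rules come here:
# Allow all incoming REPLY (!) communication to the LAN from the NET:
# (This lets the return leg of every outbound request above back in, so
# the communication stays up and works):
iptables -A FORWARD -t filter -i "$EXT" -m state --state RELATED,ESTABLISHED -j ACCEPT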
