Hi all,
For the last few days I have been getting into iptables. Unfortunately it is not really working out.
So far I have cobbled this together, but the web server is still reachable, although it should not be.
#!/bin/bash
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# #
# IPTables server.test.lan #
# #
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
#------------------------------------------------------------------------------------------
# IPTables binary
#------------------------------------------------------------------------------------------
IPT="/sbin/iptables"
#------------------------------------------------------------------------------------------
# The network interface we will use
#------------------------------------------------------------------------------------------
EXTIF="eth0"
UNIVERSE="0/0"
echo -e "\nExternal interface: $EXTIF"
echo -e "Loading firewall server rules..."
#------------------------------------------------------------------------------------------
# Flush everything and set default policy to drop
#------------------------------------------------------------------------------------------
$IPT -P INPUT DROP
$IPT -F INPUT
$IPT -P OUTPUT DROP
$IPT -F OUTPUT
$IPT -P FORWARD DROP
$IPT -F FORWARD
$IPT -F -t nat
# Flush the user chain if it exists
if [ "`$IPT -L | grep FIREWALL`" ]; then
$IPT -F FIREWALL
fi
# Delete all User-specified chains
$IPT -X
# Reset all IPTables counters
$IPT -Z
#------------------------------------------------------------------------------------------
# Create a DROP chain
#------------------------------------------------------------------------------------------
$IPT -N FIREWALL
$IPT -A FIREWALL -j LOG --log-level info
$IPT -A FIREWALL -j DROP
#------------------------------------------------------------------------------------------
# INPUT: Incoming traffic from various interfaces. All rulesets are
# already flushed and set to a default policy of DROP.
#------------------------------------------------------------------------------------------
echo -e "- Loading FIREWALL rulesets"
# Allow loopback interface
$IPT -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
# remote interface, any source, going to permanent PPP address is valid
#iptables -A INPUT -i $EXTIF -s $UNIVERSE -j ACCEPT
echo -e "- Allowing EXTERNAL access to the server"
# - SSH
$IPT -A INPUT -i $EXTIF -m state --state NEW -p tcp -s $UNIVERSE --dport 9999 -j ACCEPT
# - DNS
$IPT -A INPUT -i $EXTIF -m state --state NEW -p tcp -s $UNIVERSE --dport 53 -j ACCEPT
$IPT -A INPUT -i $EXTIF -m state --state NEW -p udp -s $UNIVERSE --dport 53 -j ACCEPT
# - HTTP
#$IPT -A INPUT -i $EXTIF -m state --state NEW -p tcp -s $UNIVERSE --dport 80 -j ACCEPT
# Syn-flood protection
$IPT -A INPUT -p tcp --syn -m limit --limit 1/second --limit-burst 5 -j ACCEPT
# Furtive port scanner protection
$IPT -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/second --limit-burst 5 -j ACCEPT
# Ping of death protection
$IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/second --limit-burst 5 -j ACCEPT
# Allow any related traffic coming back to the MASQ server in
$IPT -A INPUT -i $EXTIF -s $UNIVERSE -m state --state ESTABLISHED,RELATED -j ACCEPT
# Send all INCOMING packets to the FIREWALL chain
$IPT -A INPUT -j FIREWALL
#------------------------------------------------------------------------------------------
# OUTPUT: Outgoing traffic from various interfaces. All rulesets are
# already flushed and set to a default policy of DROP.
#------------------------------------------------------------------------------------------
echo -e "- Loading OUTPUT rulesets"
# Loopback interface is valid.
$IPT -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
# Allow previously established connections
$IPT -A OUTPUT -o $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
# Anything else outgoing on remote interface is valid
$IPT -A OUTPUT -o $EXTIF -d $UNIVERSE -j ACCEPT
# Catch all rule, all other outgoing is denied and logged
$IPT -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j FIREWALL
echo -e "Firewall server rules loading complete\n"
What am I doing wrong?
And above all, what would you do differently?
Thanks in advance,
Kris
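The behaviour Kris describes follows from how iptables walks the INPUT chain: rules are tried top-down and the first ACCEPT or DROP that matches is final. The "syn-flood protection" line accepts any TCP SYN within its rate limit, with no --dport match, so the first SYNs to port 80 are accepted before the FIREWALL catch-all is ever reached. The simulator below is an added example, not code from the post, that models only the matches the script uses (protocol, destination port, SYN flag, conntrack state and a simplified, non-refilling -m limit bucket) so the evaluation order can be traced offline; the SYN_FLOOD chain in the fixed variant and the Packet/Rule names are assumptions of this example.

```python
"""Added example: first-match simulator for an iptables INPUT chain.
Not from the post. Limit is a simplified token bucket without refill;
the real `-m limit` refills at the configured rate."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    dport: int = 0
    syn: bool = False     # True for a bare SYN, i.e. a new connection attempt
    state: str = "NEW"    # conntrack state: "NEW" or "ESTABLISHED"


class Limit:
    """Approximates `-m limit --limit-burst B`: the first B matching packets pass."""

    def __init__(self, burst: int) -> None:
        self.tokens = burst

    def allow(self) -> bool:
        if self.tokens <= 0:
            return False
        self.tokens -= 1
        return True


@dataclass
class Rule:
    target: str                   # ACCEPT, DROP, RETURN, LOG or a user chain name
    proto: Optional[str] = None
    dport: Optional[int] = None
    syn: Optional[bool] = None
    state: Optional[str] = None
    limit: Optional[Limit] = None

    def matches(self, p: Packet) -> bool:
        wanted = ((self.proto, p.proto), (self.dport, p.dport),
                  (self.syn, p.syn), (self.state, p.state))
        if any(w is not None and w != got for w, got in wanted):
            return False
        # -m limit is consulted last, so only otherwise-matching packets use a token
        return self.limit is None or self.limit.allow()


def evaluate(chains: Dict[str, List[Rule]], chain: str, p: Packet) -> str:
    """Walk a chain top-down: first ACCEPT/DROP wins, LOG is non-terminal,
    RETURN or the end of a user chain hands control back to the caller."""
    for r in chains[chain]:
        if not r.matches(p):
            continue
        if r.target in ("ACCEPT", "DROP", "RETURN"):
            return r.target
        if r.target == "LOG":
            continue
        sub = evaluate(chains, r.target, p)   # jump into a user chain
        if sub != "RETURN":
            return sub
    return "RETURN"


def verdict(chains: Dict[str, List[Rule]], p: Packet, policy: str = "DROP") -> str:
    """Verdict for a packet entering INPUT; falling off the end means the policy."""
    v = evaluate(chains, "INPUT", p)
    return policy if v == "RETURN" else v


def posted_input_chain() -> Dict[str, List[Rule]]:
    """INPUT as the posted script builds it (interface/source matches are wildcards)."""
    return {
        "FIREWALL": [Rule("LOG"), Rule("DROP")],
        "INPUT": [
            Rule("ACCEPT", proto="tcp", dport=9999, state="NEW"),
            Rule("ACCEPT", proto="tcp", dport=53, state="NEW"),
            Rule("ACCEPT", proto="udp", dport=53, state="NEW"),
            # the port 80 ACCEPT is commented out in the script, so nothing here
            Rule("ACCEPT", proto="tcp", syn=True, limit=Limit(5)),  # "syn-flood protection"
            Rule("ACCEPT", state="ESTABLISHED"),
            Rule("FIREWALL"),
        ],
    }


def fixed_input_chain() -> Dict[str, List[Rule]]:
    """Same intent, but the limit lives in its own chain and only ever drops the
    excess; it never ACCEPTs by itself. Suggested iptables lines (assumption):
        $IPT -N SYN_FLOOD
        $IPT -A SYN_FLOOD -m limit --limit 1/second --limit-burst 5 -j RETURN
        $IPT -A SYN_FLOOD -j DROP
        $IPT -A INPUT -p tcp --syn -j SYN_FLOOD    # placed before the per-port ACCEPTs"""
    return {
        "FIREWALL": [Rule("LOG"), Rule("DROP")],
        "SYN_FLOOD": [Rule("RETURN", limit=Limit(5)), Rule("DROP")],
        "INPUT": [
            Rule("SYN_FLOOD", proto="tcp", syn=True),
            Rule("ACCEPT", proto="tcp", dport=9999, state="NEW"),
            Rule("ACCEPT", proto="tcp", dport=53, state="NEW"),
            Rule("ACCEPT", proto="udp", dport=53, state="NEW"),
            Rule("ACCEPT", state="ESTABLISHED"),
            Rule("FIREWALL"),
        ],
    }


if __name__ == "__main__":
    http_syn = Packet("tcp", 80, syn=True)
    print("posted:", verdict(posted_input_chain(), http_syn))  # ACCEPT: web server reachable
    print("fixed: ", verdict(fixed_input_chain(), http_syn))   # DROP
```

The same applies to the RST and ICMP limit rules in the script: a `-m limit ... -j ACCEPT` line only adds ways in, it never takes any away. Rate limits belong in a chain that drops the excess and returns for the rest, and the per-port ACCEPT rules stay the only place where a service is opened.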