Nieuws:

Welkom, Gast. Alsjeblieft inloggen of registreren.
Heb je de activerings-mail niet ontvangen?

Auteur Topic: IPtables probleem  (gelezen 650 keer)

Offline Scormen

  • Lid
    • LinuxOntdekt.Be
  • Steunpunt: Nee
IPtables probleem
« Gepost op: 2008/10/29, 11:39:56 »
Hoi allen,

De laatste dagen ben ik me eens aan het verdiepen in IPtables. Helaas wilt het niet echt lukken.
Tot nog toe heb ik dit bij elkaar geknutsteld, maar de webserver blijft nog steeds bereikbaar, al zou dat niet mogen.

#!/bin/bash

#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
#                                                                                         #
#                           IPTables server.test.lan                                      #
#                                                                                         #
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#

#------------------------------------------------------------------------------------------
# IPTables binary
#------------------------------------------------------------------------------------------

IPT="/sbin/iptables"

#------------------------------------------------------------------------------------------
# The network interface we will use
#------------------------------------------------------------------------------------------

EXTIF="eth0"
UNIVERSE="0/0"

echo -e "\nExternal interface: $EXTIF"
echo -e "Loading firewall server rules..."

#------------------------------------------------------------------------------------------
# Flush everything and set default policy to drop
#------------------------------------------------------------------------------------------

$IPT -P INPUT DROP
$IPT -F INPUT
$IPT -P OUTPUT DROP
$IPT -F OUTPUT
$IPT -P FORWARD DROP
$IPT -F FORWARD
$IPT -F -t nat

# Flush the user chain if it exists
if [ "`$IPT -L | grep FIREWALL`" ]; then
   $IPT -F FIREWALL
fi

# Delete all User-specified chains
$IPT -X

# Reset all IPTables counters
$IPT -Z

#------------------------------------------------------------------------------------------
# Create a DROP chain
#------------------------------------------------------------------------------------------

$IPT -N FIREWALL
$IPT -A FIREWALL -j LOG --log-level info
$IPT -A FIREWALL -j DROP

#------------------------------------------------------------------------------------------
# INPUT: Incoming traffic from various interfaces.  All rulesets are
#        already flushed and set to a default policy of DROP.
#------------------------------------------------------------------------------------------

echo -e "- Loading FIREWALL rulesets"

# Allow loopback interface
$IPT -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT

# remote interface, any source, going to permanent PPP address is valid
#iptables -A INPUT -i $EXTIF -s $UNIVERSE -j ACCEPT


echo -e "- Allowing EXTERNAL access to the server"

# - SSH
$IPT -A INPUT -i $EXTIF -m state --state NEW -p tcp -s $UNIVERSE --dport 9999 -j ACCEPT

# - DNS
$IPT -A INPUT -i $EXTIF -m state --state NEW -p tcp -s $UNIVERSE --dport 53 -j ACCEPT
$IPT -A INPUT -i $EXTIF -m state --state NEW -p udp -s $UNIVERSE --dport 53 -j ACCEPT

# - HTTP
#$IPT -A INPUT -i $EXTIF -m state --state NEW -p tcp -s $UNIVERSE --dport 80 -j ACCEPT


# Syn-flood protection
$IPT -A INPUT -p tcp --syn -m limit --limit 1/second --limit-burst 5 -j ACCEPT

# Furtive port scanner protection
$IPT -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/second --limit-burst 5 -j ACCEPT

# Ping of death protection
$IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/second --limit-burst 5 -j ACCEPT


# Allow any related traffic coming back to the MASQ server in
$IPT -A INPUT -i $EXTIF -s $UNIVERSE -m state --state ESTABLISHED,RELATED -j ACCEPT

# Send al INCOMMING packets to the FIREWALL chain
$IPT -A INPUT -j FIREWALL


#------------------------------------------------------------------------------------------
# OUTPUT: Outgoing traffic from various interfaces.  All rulesets are
#         already flushed and set to a default policy of DROP.
#------------------------------------------------------------------------------------------

echo -e "- Loading OUTPUT rulesets"

# Loopback interface is valid.
$IPT -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT

# Allow previously established connections
$IPT -A OUTPUT -o $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT

# Anything else outgoing on remote interface is valid
$IPT -A OUTPUT -o $EXTIF -d $UNIVERSE -j ACCEPT

# Catch all rule, all other outgoing is denied and logged
$IPT -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j FIREWALL

echo -e "Firewall server rules loading complete\n"
Wat doe ik fout?
En vooral, wat zouden jullie anders doen?

Avast bedankt,
Kris
Ubuntu gebruiker #18341 | Linux gebruiker #456955
· Mijn persoonlijke Linux blog

Offline Scormen

  • Lid
    • LinuxOntdekt.Be
  • Steunpunt: Nee
IPtables probleem
« Reactie #1 Gepost op: 2008/10/29, 13:29:48 »
Hoi allen,

Ik ben nog eens een paar uurtjes bezig geweest, wat gegoogled, opnieuw begonnen en nu werkt het :)
Voor de geïnteresseerde, bij deze het werkende IPtables scriptje:

#!/bin/bash

#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
#                                                                                         #
#                           IPTables server.test.lan                                      #
#                                                                                         #
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#

#------------------------------------------------------------------------------------------
# Basic configuration
#------------------------------------------------------------------------------------------

echo -e "\n+++++++++++++++++++++++++++++++++++++++++++++++++++++"
echo -e "Loading firewall server rules..."

# IPtables binary
IPT=/sbin/iptables

# External interface
EXTIF=eth0

# Everyone, the world
UNIVERSE=0/0

#------------------------------------------------------------------------------------------
# Flush everything
#------------------------------------------------------------------------------------------

echo -e "Flushing all rules and chains"

$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD
$IPT -F -t nat

# Flush the user chain if it exists
if [ "`$IPT -L | grep SERVICES`" ]; then
   $IPT -F SERVICES
fi

# Delete all User-specified chains
$IPT -X

# Reset all IPTables counters
$IPT -Z

#------------------------------------------------------------------------------------------
# Set default policies
#------------------------------------------------------------------------------------------

echo -e "Loading default policies:"
echo -e "- output: ACCEPT"
echo -e "- input: DROP"
echo -e "- forward: DROP"

$IPT -P OUTPUT ACCEPT
$IPT -P INPUT DROP
$IPT -P FORWARD DROP

#------------------------------------------------------------------------------------------
# Create a SERVICES chain
#------------------------------------------------------------------------------------------

# Make a new chain SERVICES
$IPT -N SERVICES

#------------------------------------------------------------------------------------------
# INPUT: Incoming traffic from various interfaces.  All rulesets are
#        already flushed and set to a default policy of DROP.
#------------------------------------------------------------------------------------------

echo -e "Loading INPUT rulesets"

# Allow loopback interface
$IPT -A INPUT --in-interface lo -j ACCEPT

# Send all INPUT to SERVICES
$IPT -A INPUT -j SERVICES

# Allow responses
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT


echo -e "Allowing EXTERNAL access to the server"

# Allow these services:

# - SSH
$IPT -A SERVICES -i $EXTIF -p tcp -s $UNIVERSE --dport 1234 -j ACCEPT

# - HTTP and HTTPS
#$IPT -A SERVICES -i $EXTIF -p tcp -s $UNIVERSE --dport 80 -j ACCEPT


#------------------------------------------------------------------------------------------
# Some small "shields"
#------------------------------------------------------------------------------------------

# Furtive port scanner protection
$IPT -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/second --limit-burst 5 -j ACCEPT

# Ping of death protection
$IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/second --limit-burst 5 -j ACCEPT


echo -e "...firewall server rules loading completed successful"
echo -e "+++++++++++++++++++++++++++++++++++++++++++++++++++++\n"
Groetjes,
Kris
Ubuntu gebruiker #18341 | Linux gebruiker #456955
· Mijn persoonlijke Linux blog