I'm building a firewall on my computer and I've summarized the rules in this script.
#!/bin/bash
IPT="/sbin/iptables"
echo "Setting up FIREWALL..."
# Flush old rules
$IPT --flush
$IPT --delete-chain
# By default, drop everything except outgoing traffic
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
# Allow incoming and outgoing for loopback interfaces
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
# ICMP rules
$IPT -A INPUT -p icmp --icmp-type echo-reply -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -m state --state NEW -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type destination-unreachable -m state --state NEW -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type time-exceeded -m state --state NEW -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type timestamp-request -m state --state NEW -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type timestamp-reply -m state --state ESTABLISHED,RELATED -j ACCEPT
# Block new connections without SYN
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# Allow established connections:
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# FTP
$IPT -A INPUT -p tcp --dport 20 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
# SSH
#$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
# HTTP
$IPT -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p udp --dport 80 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
# DC++
$IPT -A INPUT -p tcp --dport 1421 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p udp --dport 1421 -m state --state NEW -j ACCEPT
# Instant messaging
#$IPT -A INPUT -p tcp --dport 5222 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p tcp --dport 5190 -m state --state NEW -j ACCEPT
# Antik TV
$IPT -A INPUT -p udp --dport 2001 -m state --state NEW -j ACCEPT
# Block fragments and Xmas tree as well as SYN,FIN and SYN,RST
$IPT -A INPUT -f -j DROP
$IPT -A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
echo "...FIREWALL IS SET UP...!"
I don't understand why iptables doesn't block e.g. jabber (port 5222/tcp), when I don't have (I have commented out) the ACCEPT rule for it in the script, and IPTV (2000/tcp), which I haven't allowed at all.
root@debian:~# netstat -nat
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:58378 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:607 0.0.0.0:* LISTEN
tcp 0 0 10.32.176.11:60427 88.86.102.53:5222 ESTABLISHED
tcp 2368 0 10.32.176.11:51779 10.254.7.6:2000 ESTABLISHED
tcp 0 0 10.32.176.11:51930 205.188.13.48:5190 ESTABLISHED
tcp 0 0 10.32.176.11:53522 205.188.9.130:5190 ESTABLISHED
tcp 0 0 10.32.176.11:44913 64.12.104.201:5190 ESTABLISHED
Could you help me set up the firewall correctly? I have no experience with this at all. Which ports should I block, and which rules in the script are unnecessary or wrong? I'd be grateful for any advice.
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
You haven't forbidden outgoing connections, and the connection from the jabber server is already classified as related/established, not as new. If you want to block that port, then
$IPT -A INPUT -p tcp --dport 5222 -j DROP
but you have to place it before the established/related rule. Apart from that, I'd recommend setting it up in this style:
ALLOWED_TCP_PORTS=( 21 22 80 )
for i in "${ALLOWED_TCP_PORTS[@]}"; do
    $IPT -A INPUT -p tcp --dport "$i" -m state --state NEW -j ACCEPT
done
It's clearer and easier to maintain.
And also put the drop rules for malformed packets (I mean the last ones) before the rules that allow communication.
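As an added example for this thread (not the poster's script and not the replier's code), here is the same rule set rebuilt in the order the reply recommends: drops for malformed packets first, then the ESTABLISHED/RELATED accept, then per-port NEW accepts kept in lists. The port numbers are assumptions taken from the script and the netstat output above; the DRY_RUN switch and the check_order helper are additions for the example. One caveat worth spelling out: the jabber and IPTV connections in the netstat listing were opened by local clients, so on INPUT their port 5222 or 2000 is the source port, and an INPUT rule matching --dport 5222 would only block clients of a jabber server running on this host. To stop a local client from reaching a remote service, the filter belongs on OUTPUT, matching the remote port as --dport.

```bash
#!/bin/bash
# Added example for this thread; it is neither the poster's script nor the
# replier's code. It rebuilds the rule set in the order the reply recommends
# (drops for malformed packets first, then ESTABLISHED/RELATED, then per-port
# NEW accepts kept in lists) and filters the client ports on OUTPUT.
#
# DRY_RUN=1 (the default) only prints the iptables commands, so the order can be
# reviewed without root. Apply for real with:  DRY_RUN=0 ./firewall.sh
DRY_RUN="${DRY_RUN:-1}"
if [ "$DRY_RUN" = 1 ]; then
    IPT="echo /sbin/iptables"
else
    IPT="/sbin/iptables"
fi

# Port lists are assumptions for this example, taken from the thread's script
# and netstat output. Plain word lists are used instead of bash arrays so the
# script also runs under a POSIX sh.
ALLOWED_TCP_PORTS="21 80 443 1421"   # FTP control, HTTP, HTTPS, DC++
ALLOWED_UDP_PORTS="1421 2001"        # DC++, Antik TV
BLOCKED_CLIENT_TCP_PORTS="5222 2000" # jabber and IPTV, opened by local clients

build_rules() {
    $IPT --flush
    $IPT --delete-chain
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # 1. Malformed traffic is dropped first. A rule is only reached when no
    #    earlier rule matched, so these are dead if placed after the ACCEPTs.
    $IPT -A INPUT -f -j DROP
    $IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
    $IPT -A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
    $IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    $IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

    # 2. Replies to connections this host opened. This is what lets the jabber
    #    and IPTV packets in: they belong to outbound connections, so they are
    #    ESTABLISHED, never NEW, and the per-port NEW rules never see them.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 3. ICMP: answer pings at a limited rate and accept error messages.
    $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT

    # 4. Services offered by this host: only new inbound connections need rules.
    for p in $ALLOWED_TCP_PORTS; do
        $IPT -A INPUT -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
    for p in $ALLOWED_UDP_PORTS; do
        $IPT -A INPUT -p udp --dport "$p" -m state --state NEW -j ACCEPT
    done

    # 5. A local client reaching a remote service is filtered on OUTPUT by the
    #    remote port. On INPUT that port is the source port, so an INPUT rule
    #    with --dport 5222 would only block clients of a jabber server running
    #    on this host. REJECT with a reset makes the client fail at once
    #    instead of hanging until it times out.
    for p in $BLOCKED_CLIENT_TCP_PORTS; do
        $IPT -A OUTPUT -p tcp --dport "$p" -j REJECT --reject-with tcp-reset
    done
}

# Self-check on a dry-run listing: the last INPUT DROP must come before the
# first INPUT ACCEPT for real traffic (the loopback accept is exempt).
check_order() {
    listing="$1"
    first_accept=$(printf '%s\n' "$listing" | grep -n -- '-A INPUT .* -j ACCEPT' | grep -v -- '-i lo' | head -n 1 | cut -d: -f1)
    last_drop=$(printf '%s\n' "$listing" | grep -n -- '-A INPUT .* -j DROP' | tail -n 1 | cut -d: -f1)
    [ -n "$first_accept" ] && [ -n "$last_drop" ] && [ "$last_drop" -lt "$first_accept" ]
}

rules=$(build_rules)
if [ "$DRY_RUN" = 1 ]; then
    printf '%s\n' "$rules"
    if check_order "$rules"; then echo "order OK: drops precede accepts"; else echo "order WRONG"; fi
fi
```

Run it once with the default DRY_RUN=1 and read the printed commands top to bottom in the order the kernel will evaluate them; only then apply with DRY_RUN=0 as root, and confirm the loaded order with `iptables -L INPUT -n -v --line-numbers`. The udp/80 rule from the original script is intentionally not carried over: HTTP is served over TCP, and the rule only widens the attack surface.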