rulinux.net - Форум - Security - iptables на домашнем компьютере http://rulinux.net/ rulinux.net - Форум - Security - iptables на домашнем компьютере http://rulinux.net/ http://rulinux.net/rss_icon.png Re: iptables на домашнем компьютере https://rulinux.net/message.php?newsid=1179&page=1#8159 https://rulinux.net/message.php?newsid=1179&page=1#8159 Thu, 19 May 2011 19:35:05 +0400 Извращенцы.

:INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A INPUT -i lo -j ACCEPT

]]> Re:iptables на домашнем компьютере https://rulinux.net/message.php?newsid=1179&page=1#8158 https://rulinux.net/message.php?newsid=1179&page=1#8158 Sat, 16 May 2009 20:26:09 +0400 > % cat /etc/hosts.deny

не все серверные проги оглядываются на tcp-wrappers, даже по дефолту

]]> Re:iptables на домашнем компьютере https://rulinux.net/message.php?newsid=1179&page=1#8157 https://rulinux.net/message.php?newsid=1179&page=1#8157 Sat, 16 May 2009 20:24:19 +0400 *упорство кончилось)*

]]> Re:iptables на домашнем компьютере https://rulinux.net/message.php?newsid=1179&page=1#8156 https://rulinux.net/message.php?newsid=1179&page=1#8156 Sat, 16 May 2009 20:23:26 +0400 -P INPUT DROP -P FORWARD DROP -P OUTPUT ACCEPT -N allowed -N bad_tcp -N icmp_pack -N tcp_pack -N udp_pack -A INPUT -m state –state INVALID -j LOG –log-prefix "INVALID temp log:" –log-level 7 -A INPUT -p tcp -j bad_tcp -A INPUT -s 127.0.0.1/32 -i lo -j ACCEPT -A INPUT -s 127.0.0.1/32 ! -i lo -j DROP -A INPUT -i eth0 -m state –state RELATED,ESTABLISHED -j ACCEPT -A INPUT -i eth1 -m state –state RELATED,ESTABLISHED -j ACCEPT -A INPUT -i ppp0 -m state –state RELATED,ESTABLISHED -j ACCEPT -A INPUT -i eth0 -p tcp -j tcp_pack -A INPUT -i eth1 -p tcp -j tcp_pack -A INPUT -i eth0 -p udp -j udp_pack -A INPUT -i eth1 -p udp -j udp_pack -A INPUT -i eth0 -p icmp -j icmp_pack -A INPUT -i eth1 -p icmp -j icmp_pack -A INPUT -d 224.0.0.0/8 -i eth0 -j DROP -A INPUT -d 224.0.0.0/8 -i eth1 -j DROP -A INPUT -m limit –limit 3/min –limit-burst 3 -j LOG –log-prefix "IPT INPUT packets died:" –log-level 7 -A allowed -p tcp -m tcp –tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT -A allowed -p tcp -m state –state RELATED,ESTABLISHED -j ACCEPT -A allowed -p tcp -j DROP -A bad_tcp -p tcp -m tcp –tcp-flags SYN,ACK SYN,ACK -m state –state NEW -j REJECT –reject-with tcp-reset -A bad_tcp -p tcp -m tcp –dport 6000:6063 –tcp-flags FIN,SYN,RST,ACK SYN -j DROP -A bad_tcp -p tcp -m tcp –dport 113 -j DROP -A bad_tcp -p tcp -m tcp ! –tcp-flags FIN,SYN,RST,ACK SYN -m state –state NEW -j LOG –log-prefix "New not SYN:" –log-level 7 -A bad_tcp -p tcp -m tcp ! –tcp-flags FIN,SYN,RST,ACK SYN -m state –state NEW -j DROP -A icmp_pack -p icmp -j LOG –log-prefix "ICMP temp log:" –log-level 7 -A icmp_pack -p icmp -f -j DROP -A icmp_pack -p icmp -m icmp –icmp-type 8 -j ACCEPT -A icmp_pack -p icmp -m icmp –icmp-type 11 -j ACCEPT -A tcp_pack -i eth0 -p tcp -m tcp –dport 29317 -j allowed -A tcp_pack -i eth0 -p tcp -m tcp –dport 10100 -j allowed -A tcp_pack -i eth1 -p tcp -m tcp –dport 35572 -j allowed -A tcp_pack -i eth1 -p tcp -m tcp –dport 36562 -j allowed -A tcp_pack -p tcp -m tcp –dport 21 -j allowed -A udp_pack -p udp -m udp –dport 135:138 -j DROP -A udp_pack -p udp -m udp –dport 67:68 -j DROP -A udp_pack -p udp -m udp –dport 1947 -j DROP -A udp_pack -p udp -m udp –dport 6646 -j DROP -A udp_pack -p udp -m udp –dport 9999 -j DROP -A udp_pack -i eth0 -p udp -m udp –dport 10100 -j ACCEPT -A udp_pack -i eth1 -p udp -m udp –dport 35572 -j ACCEPT

]]> Re:iptables на домашнем компьютере https://rulinux.net/message.php?newsid=1179&page=1#8155 https://rulinux.net/message.php?newsid=1179&page=1#8155 Sat, 16 May 2009 20:22:43 +0400 -P INPUT DROP -P FORWARD DROP -P OUTPUT ACCEPT -N allowed -N bad_tcp -N icmp_pack -N tcp_pack -N udp_pack -A INPUT -m state –state INVALID -j LOG –log-prefix "INVALID temp log:" –log-level 7 -A INPUT -p tcp -j bad_tcp -A INPUT -s 127.0.0.1/32 -i lo -j ACCEPT -A INPUT -s 127.0.0.1/32 ! -i lo -j DROP -A INPUT -i eth0 -m state –state RELATED,ESTABLISHED -j ACCEPT -A INPUT -i eth1 -m state –state RELATED,ESTABLISHED -j ACCEPT -A INPUT -i ppp0 -m state –state RELATED,ESTABLISHED -j ACCEPT -A INPUT -i eth0 -p tcp -j tcp_pack -A INPUT -i eth1 -p tcp -j tcp_pack -A INPUT -i eth0 -p udp -j udp_pack -A INPUT -i eth1 -p udp -j udp_pack -A INPUT -i eth0 -p icmp -j icmp_pack -A INPUT -i eth1 -p icmp -j icmp_pack -A INPUT -d 224.0.0.0/8 -i eth0 -j DROP -A INPUT -d 224.0.0.0/8 -i eth1 -j DROP -A INPUT -m limit –limit 3/min –limit-burst 3 -j LOG –log-prefix "IPT INPUT packets died:" –log-level 7 -A allowed -p tcp -m tcp –tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT -A allowed -p tcp -m state –state RELATED,ESTABLISHED -j ACCEPT -A allowed -p tcp -j DROP -A bad_tcp -p tcp -m tcp –tcp-flags SYN,ACK SYN,ACK -m state –state NEW -j REJECT –reject-with tcp-reset -A bad_tcp -p tcp -m tcp –dport 6000:6063 –tcp-flags FIN,SYN,RST,ACK SYN -j DROP -A bad_tcp -p tcp -m tcp –dport 113 -j DROP -A bad_tcp -p tcp -m tcp ! –tcp-flags FIN,SYN,RST,ACK SYN -m state –state NEW -j LOG –log-prefix "New not SYN:" –log-level 7 -A bad_tcp -p tcp -m tcp ! –tcp-flags FIN,SYN,RST,ACK SYN -m state –state NEW -j DROP -A icmp_pack -p icmp -j LOG –log-prefix "ICMP temp log:" –log-level 7 -A icmp_pack -p icmp -f -j DROP -A icmp_pack -p icmp -m icmp –icmp-type 8 -j ACCEPT -A icmp_pack -p icmp -m icmp –icmp-type 11 -j ACCEPT -A tcp_pack -i eth0 -p tcp -m tcp –dport 29317 -j allowed -A tcp_pack -i eth0 -p tcp -m tcp –dport 10100 -j allowed -A tcp_pack -i eth1 -p tcp -m tcp –dport 35572 -j allowed -A tcp_pack -i eth1 -p tcp -m tcp –dport 36562 -j allowed -A tcp_pack -p tcp -m tcp –dport 21 -j allowed -A udp_pack -p udp -m udp –dport 135:138 -j DROP -A udp_pack -p udp -m udp –dport 67:68 -j DROP -A udp_pack -p udp -m udp –dport 1947 -j DROP -A udp_pack -p udp -m udp –dport 6646 -j DROP -A udp_pack -p udp -m udp –dport 9999 -j DROP -A udp_pack -i eth0 -p udp -m udp –dport 10100 -j ACCEPT -A udp_pack -i eth1 -p udp -m udp –dport 35572 -j ACCEPT

*drop в конце, чтобы логи были чуточку почише

]]> Re:iptables на домашнем компьютере https://rulinux.net/message.php?newsid=1179&page=1#8154 https://rulinux.net/message.php?newsid=1179&page=1#8154 Thu, 07 May 2009 07:59:16 +0400 Мои настройки ipt на домашнем сервере:

#!/bin/sh

WAN='ppp0' LAN='eth1' LAN_NET_X200='192.168.0.0/24' LAN_NET_KVM='192.168.100.0/24' LAN_NET_ZAURUS='192.168.129.0/24'

iptables -F iptables -t nat -F

# default policy iptables -P INPUT DROP iptables -P OUTPUT ACCEPT iptables -P FORWARD ACCEPT

# loopback iptables -I INPUT 1 -i lo -j ACCEPT

# ftp iptables -A INPUT –protocol tcp –dport 21 -j ACCEPT

# ssh iptables -A INPUT –protocol tcp –dport 22 -j ACCEPT # x11 forwarding iptables -A INPUT –protocol tcp –dport 6000 -j ACCEPT

# http iptables -A INPUT –protocol tcp –dport 80 -j ACCEPT

# https iptables -A INPUT –protocol tcp –dport 443 -j ACCEPT

# torrent iptables -A INPUT –protocol tcp –dport 51413 -j ACCEPT # webui iptables -A INPUT –protocol tcp –dport 8112 -j ACCEPT

# git iptables -A INPUT –protocol tcp –dport 9418 -j ACCEPT

# nat for x200 iptables -t nat -A POSTROUTING -s $LAN_NET_X200 -j MASQUERADE # nat for kvm iptables -t nat -A POSTROUTING -s $LAN_NET_KVM -j MASQUERADE # nat for zaurus iptables -t nat -A POSTROUTING -s $LAN_NET_ZAURUS -j MASQUERADE # solving ppp troubles iptables -I FORWARD -p tcp –tcp-flags SYN,RST SYN -j TCPMSS –clamp-mss-to-pmtu

# icmp iptables -A INPUT -p icmp -j ACCEPT

# passing packets from esatblished and related connections iptables -A INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -m state –state ESTABLISHED,RELATED -j ACCEPT iptables -A FORWARD -m state –state ESTABLISHED,RELATED -j ACCEPT

]]> Re:iptables на домашнем компьютере https://rulinux.net/message.php?newsid=1179&page=1#8153 https://rulinux.net/message.php?newsid=1179&page=1#8153 Fri, 17 Apr 2009 18:59:58 +0400 % cat /etc/hosts.deny

ALL: ALL: DENY

]]> Re:iptables на домашнем компьютере https://rulinux.net/message.php?newsid=1179&page=1#8152 https://rulinux.net/message.php?newsid=1179&page=1#8152 Tue, 14 Apr 2009 11:43:55 +0400 Я его дома не держу.

]]> Re:iptables на домашнем компьютере https://rulinux.net/message.php?newsid=1179&page=1#8151 https://rulinux.net/message.php?newsid=1179&page=1#8151 Tue, 14 Apr 2009 11:19:34 +0400 #!/bin/sh

IPTABLES=`which iptables`

$IPTABLES -F

$IPTABLES -t nat -F

$IPTABLES -P INPUT DROP

$IPTABLES -P OUTPUT ACCEPT

$IPTABLES -P FORWARD DROP

$IPTABLES -A INPUT -i lo -j ACCEPT

$IPTABLES -A INPUT -p tcp -m state –state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A INPUT -p udp -j ACCEPT

$IPTABLES -A INPUT -p icmp -j ACCEPT

]]> iptables на домашнем компьютере https://rulinux.net/message.php?newsid=1179&page=1#8150 https://rulinux.net/message.php?newsid=1179&page=1#8150 Tue, 14 Apr 2009 11:17:19 +0400 У меня довольно простой скрипт настройки iptables

#!/bin/sh

IPTABLES=`which iptables`

$IPTABLES -F $IPTABLES -t nat -F

$IPTABLES -P INPUT DROP $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD DROP

$IPTABLES -A INPUT -i lo -j ACCEPT $IPTABLES -A INPUT -p tcp -m state –state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A INPUT -p udp -j ACCEPT $IPTABLES -A INPUT -p icmp -j ACCEPT

А как настроен файрвол у вас на домашней машине?

]]>