From: Murat AKTAS (hazalsultan@yahoo.de)
Date: Wed 07 Aug 2002 - 16:51:16 EEST
Tekrar Merhaba arkadaslar
Oncelikle yardimlariniz icin cok tesekkur ederim.
/etc/service dosyasinda default olarak tum servisler
tanimli ve hicbir degisiklik yapmadim. Cunku orada
tanimli olan tum servislerin onunde # yok. Yani hepsi
suan calisabilir durumda,
Serdar Beyin Anlattigi uzere sistemi basitten zora
dogru yapilanma icine koydum.
1. sorum su olacak. Sistem yeniden acildiginda ve
hicbir iptables v.s programi calismamis haliyle.
lan'daki nmap kurulmus bir windows PC ile linux in
lan'a bakan ethernet ip sine port scan yaptigimda
normalde etc services dosyasinda bulunan tum portlari
gormem gerekmiyor mu?
2. sorum 3 tane ethernet kartim var. biri lan, biri
wan, biri de dmz te bakiyor. Ayni sekilde ip tables
ile yazilan scripti calistirdigimda ve lan tarafindan
bir pc ile port scan yaptigimda karsima cikan sonuc:
Iptables scripti calismadan once acik olan portlar
iptables scripti calistiktan sonra yine acik
Yani iptables calismasiyla calismamasi arasinda her
hangi bir degisiklik yok.
Burada Yaptigim port scan firewall da local degil, lan
dan wan dan ve dmz den sonuc ayni.
Acaba ben nerede yanlis yapiyorum.
Script file asagidadir.
#!/bin/sh
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v1.0.4
#
# Generated Wed Aug 7 14:45:16 2002 CET by root
#
# Layout as far as this script shows it: eth0 is the interface whose
# outbound traffic is SNATed to 217.6.36.148 (the WAN side); the networks
# 10.10.10.0/24 and 192.168.101.0/24 sit behind the other two interfaces,
# and 217.6.36.148 / 192.168.101.1 / 10.10.10.200 appear to be the
# firewall's own addresses. Which of eth1/eth2 is LAN and which is DMZ is
# not stated anywhere in the script.
#
# Needs root (CAP_NET_ADMIN): iptables, modprobe and the /proc/sys writes
# below all fail otherwise, and nothing here checks for it.
#
# Work from a known directory; refuse to continue if /etc is unreachable.
cd /etc || exit 1

# Record the (re)load in syslog when logger is available.
if [ -x /usr/bin/logger ]; then
  logger -p info "Activating firewall script perde.fw generated Wed Aug 7 14:45:16 2002 CET by root"
fi
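# Default policies go to DROP *before* the old rules are flushed, so the
# host never sits with empty chains and an ACCEPT policy while rebuilding.
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP

# Flush every chain in every loaded table, then delete the user-defined
# chains. /proc/net/ip_tables_names lists one table per line; "iptables -L"
# prints a "Chain <name> (...)" header per chain, which is all we parse.
# Fixes: no useless cat, read -r, and every expansion quoted.
while read -r table; do
  iptables -t "$table" -L -n | while read -r c chain rest; do
    if [ "X$c" = "XChain" ]; then
      iptables -t "$table" -F "$chain"
    fi
  done
  iptables -t "$table" -X
done < /proc/net/ip_tables_names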
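# Where the netfilter modules for the running kernel live.
MODULE_DIR="/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/"
# Connection tracking plus the ftp/irc helpers (the helpers presumably make
# the data channels show up as RELATED for the state rules further down).
MODULES="ip_conntrack ip_conntrack_ftp ip_nat_ftp ip_conntrack_irc ip_nat_irc"

# $MODULES is deliberately unquoted: word-splitting on whitespace is how
# the list is iterated (the original $(echo ...) round-trip did the same).
for module in $MODULES; do
  # Only attempt modules that exist for this kernel (plain or gzipped .o,
  # i.e. 2.4-era naming — 2.6+ uses .ko, TODO confirm if the kernel changes).
  # A missing module is tolerated; a failing modprobe aborts the script.
  if [ -e "${MODULE_DIR}/${module}.o" ] || [ -e "${MODULE_DIR}/${module}.o.gz" ]; then
    # -k (autoclean) is a modutils-era flag; newer module tools may reject it.
    modprobe -k "${module}" || exit 1
  fi
done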
# Previous forwarding state is captured but never referenced again in this
# script: forwarding is unconditionally switched back on at the very end.
FWD=$(cat /proc/sys/net/ipv4/ip_forward)
# Stop routing while the ruleset is being rebuilt.
echo 0 > /proc/sys/net/ipv4/ip_forward
# TCP timer tuning chosen by the generator.
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl
# Drop link-scope IPv4 addresses on all three interfaces.
for dev in eth0 eth1 eth2; do
  ip -f inet addr flush dev "$dev" scope link
done
#
# Rule 0(NAT)
#
# Both internal networks leave eth0 with the firewall's WAN address as source.
#
for net in 10.10.10.0/24 192.168.101.0/24; do
  iptables -t nat -A POSTROUTING -o eth0 -s "$net" -j SNAT --to-source 217.6.36.148
done
#
# Packets belonging to an already tracked connection are accepted up front
# in all three chains; everything below only has to decide about NEW ones.
#
for chain in INPUT OUTPUT FORWARD; do
  iptables -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
done
#
# Rule 0(eth0)
#
# Anti-spoofing rule: anything arriving on the WAN interface that claims a
# firewall or internal source address is logged and dropped.
# NOTE(review): the LOG target is not rate-limited (no -m limit), so a
# flood of spoofed packets fills syslog at line rate.
#
iptables -N eth0_In_RULE_0
for chain in INPUT FORWARD; do
  for src in 217.6.36.148 192.168.101.1 10.10.10.200 10.10.10.0/24 192.168.101.0/24; do
    iptables -A "$chain" -i eth0 -s "$src" -j eth0_In_RULE_0
  done
done
iptables -A eth0_In_RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- DROP "
iptables -A eth0_In_RULE_0 -j DROP
#
# Rule 1(eth0)
#
# Anti-spoofing rule, egress side: traffic leaving through eth0 must carry
# one of the firewall's own or internal addresses as source (RETURN back to
# the calling chain); anything else is logged and dropped. Same unlimited
# LOG caveat as Rule 0(eth0).
#
iptables -N ptmp001
iptables -A OUTPUT -o eth0 -j ptmp001
iptables -A FORWARD -o eth0 -j ptmp001
for src in 217.6.36.148 192.168.101.1 10.10.10.200 10.10.10.0/24 192.168.101.0/24; do
  iptables -A ptmp001 -o eth0 -s "$src" -j RETURN
done
iptables -N eth0_Out_RULE_1
iptables -A ptmp001 -o eth0 -j eth0_Out_RULE_1
iptables -A eth0_Out_RULE_1 -j LOG --log-level info --log-prefix "RULE 1 -- DROP "
iptables -A eth0_Out_RULE_1 -j DROP
#
# Rule 0(lo)
#
# allow everything on loopback
#
iptables -A INPUT -i lo -j ACCEPT
iptables -A FORWARD -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A FORWARD -o lo -j ACCEPT
#
# Rule 0(global)
#
# block fragments: -p ip is "any protocol", -f matches non-first fragments.
#
for chain in OUTPUT INPUT FORWARD; do
  iptables -A "$chain" -p ip -f -j DROP
done
#
# Rule 1(global)
#
# So that ICMP services work correctly
# (original comment: "icmp servislerin dogru calisabilmesi icin")
#
# Four groups with the same type list: firewall -> its own addresses (via
# ptmp003), firewall -> LAN, anything -> firewall, and forwarded -> LAN.
# NOTE(review): the second list entry ("any", plain -p icmp) already
# matches every ICMP type, so the type-specific entries after it are never
# reached for NEW packets — the effective policy is "accept all ICMP", and
# the INPUT group has no source restriction at all.
#
iptables -N ptmp003
for fwaddr in 217.6.36.148 192.168.101.1 10.10.10.200; do
  iptables -A OUTPUT -d "$fwaddr" -m state --state NEW -j ptmp003
done
for chain in ptmp003 OUTPUT INPUT FORWARD; do
  # OUTPUT and FORWARD are the "to the LAN" groups. $dst_opt is left
  # unquoted on purpose so it expands to two words, or to nothing.
  case $chain in
    OUTPUT|FORWARD) dst_opt="-d 10.10.10.0/24" ;;
    *) dst_opt= ;;
  esac
  for t in 3 any 3/1 0/0 8/0 3/3 11/0 11/1; do
    if [ "$t" = any ]; then
      iptables -A "$chain" -p icmp $dst_opt -m state --state NEW -j ACCEPT
    else
      iptables -A "$chain" -p icmp $dst_opt --icmp-type "$t" -m state --state NEW -j ACCEPT
    fi
  done
done
#
# Rule 2(global)
#
# Needed for traceroute (original comment: "Tracerote icin gerekli"):
# the classic UDP probe port range, firewall -> LAN only.
#
iptables -A OUTPUT -p udp -d 10.10.10.0/24 --destination-port 33434:33524 -m state --state NEW -j ACCEPT
#
# Rule 3(global)
#
# Access to the firewall from inside
# (original comment: "Iceriden guvenlik duvarina erisim var")
#
# NOTE(review): the INPUT rule carries no -i and no -s, so it accepts NEW
# connections to every listening port from every interface, eth0 included;
# "from inside" is not enforced. iptables stops at the first match, so the
# port-specific INPUT rules appended below and the INPUT DROP policy never
# see a NEW packet: whatever is listening on the host is reachable much as
# it would be with no ruleset loaded. Limiting this rule to the internal
# interfaces/networks (what the comment suggests was intended) is the
# first thing to fix.
#
for fwaddr in 217.6.36.148 192.168.101.1 10.10.10.200; do
  iptables -A OUTPUT -d "$fwaddr" -m state --state NEW -j ACCEPT
done
iptables -A INPUT -m state --state NEW -j ACCEPT
#
# Rule 4(global)
#
# The firewall may reach anywhere
# (original comment: "firewall her yere erisebilir.")
#
# The INPUT half accepts NEW packets whose *source* is one of the
# firewall's own addresses. NOTE(review): only eth0 has anti-spoofing
# (Rule 0(eth0)); nothing restricts the interface here, so on eth1/eth2 the
# source address is taken on trust. In practice the rule is unreachable for
# NEW packets anyway, since Rule 3(global) accepts all NEW INPUT first.
# The OUTPUT rule is the intended "anything out" and, being a catch-all,
# makes every OUTPUT rule appended after it unreachable for NEW packets.
#
for fwaddr in 217.6.36.148 192.168.101.1 10.10.10.200; do
  iptables -A INPUT -s "$fwaddr" -m state --state NEW -j ACCEPT
done
iptables -A OUTPUT -m state --state NEW -j ACCEPT
#
# Rule 5(global)
#
# Allow the LAN out (original comment: "LAN dAN DISARIYA IZIN VER")
#
# Same list for INPUT (LAN -> firewall) and FORWARD (LAN -> anywhere).
# NOTE(review): the INPUT half is dead for NEW packets — Rule 3(global)
# already accepts every NEW INPUT packet. The FORWARD half is reachable,
# but Rule 7(global) below accepts all NEW traffic from 10.10.10.0/24
# anyway, so this port list does not actually limit what the LAN reaches.
# NOTE(review): the "--source-port 20 ... 1025:65535" rule keys on the
# client-chosen source port, so it is not a real restriction; active-FTP
# data channels are presumably already RELATED via ip_conntrack_ftp
# (TODO confirm), which would make that rule unnecessary.
#
for chain in INPUT FORWARD; do
  for t in 3 any 3/1 0/0 8/0 3/3 11/0 11/1; do
    if [ "$t" = any ]; then
      iptables -A "$chain" -p icmp -s 10.10.10.0/24 -m state --state NEW -j ACCEPT
    else
      iptables -A "$chain" -p icmp -s 10.10.10.0/24 --icmp-type "$t" -m state --state NEW -j ACCEPT
    fi
  done
  iptables -A "$chain" -p tcp -s 10.10.10.0/24 --source-port 20 --destination-port 1025:65535 -m state --state NEW -j ACCEPT
  iptables -A "$chain" -p tcp -m multiport -s 10.10.10.0/24 --destination-port 80,443,21,53,143,993,119,110,465,25,22,23 -m state --state NEW -j ACCEPT
  iptables -A "$chain" -p udp -s 10.10.10.0/24 --destination-port 33434:33524 -m state --state NEW -j ACCEPT
  iptables -A "$chain" -p udp -s 10.10.10.0/24 --destination-port 53 -m state --state NEW -j ACCEPT
done
#
# Rule 6(global)
#
# Mirror of Rule 5 towards the LAN: OUTPUT (firewall -> LAN) and FORWARD
# (anywhere -> LAN) with the same ICMP/TCP/UDP list.
# NOTE(review): the OUTPUT half is dead for NEW packets because Rule 4's
# OUTPUT catch-all precedes it. The FORWARD half has no -i/-s, so it also
# admits NEW connections to the LAN that arrive on eth0 on these ports;
# whether such packets can reach FORWARD depends on routing/NAT outside
# this script (there is no DNAT here).
#
for chain in OUTPUT FORWARD; do
  for t in 3 any 3/1 0/0 8/0 3/3 11/0 11/1; do
    if [ "$t" = any ]; then
      iptables -A "$chain" -p icmp -d 10.10.10.0/24 -m state --state NEW -j ACCEPT
    else
      iptables -A "$chain" -p icmp -d 10.10.10.0/24 --icmp-type "$t" -m state --state NEW -j ACCEPT
    fi
  done
  iptables -A "$chain" -p tcp --source-port 20 -d 10.10.10.0/24 --destination-port 1025:65535 -m state --state NEW -j ACCEPT
  iptables -A "$chain" -p tcp -m multiport -d 10.10.10.0/24 --destination-port 80,443,21,53,143,993,119,110,465,25,22,23 -m state --state NEW -j ACCEPT
  iptables -A "$chain" -p udp -d 10.10.10.0/24 --destination-port 33434:33524 -m state --state NEW -j ACCEPT
  iptables -A "$chain" -p udp -d 10.10.10.0/24 --destination-port 53 -m state --state NEW -j ACCEPT
done
#
# Rule 7(global)
#
# 'masquerading' rule
#
# Every NEW packet from either internal network is accepted, both to the
# firewall (INPUT) and through it (FORWARD). NOTE(review): there is no -o,
# so this also allows 192.168.101.0/24 to open connections into
# 10.10.10.0/24 and vice versa — if one of these is the DMZ, that is
# usually not wanted. The INPUT half is redundant after Rule 3(global).
#
for chain in INPUT FORWARD; do
  for net in 10.10.10.0/24 192.168.101.0/24; do
    iptables -A "$chain" -s "$net" -m state --state NEW -j ACCEPT
  done
done
#
# Rule 8(global)
#
# Explicit final DROPs; they duplicate the DROP policies set at the top.
# NOTE(review): nothing is logged before them, so traffic that gets this far
# leaves no trace — a rate-limited LOG rule ahead of the DROPs would help
# when debugging a ruleset like this one.
#
for chain in OUTPUT INPUT FORWARD; do
  iptables -A "$chain" -j DROP
done
#
# Re-enable routing now that the ruleset is in place (unconditionally,
# regardless of the value saved in $FWD earlier).
#
echo 1 > /proc/sys/net/ipv4/ip_forward