[linux-guvenlik] btables

---------

From: Tarkan (tarkannc@yahoo.com)
Date: Tue 11 Mar 2003 - 11:23:37 EET

  • Next message: Burak DAYIOGLU: "[linux-guvenlik] apache log anormalligi"

    Hello,

    I am trying to set up a firewall with iptables, but I just can't get it working; I get stuck in a few places. Thanks in advance if you can help.

    The system is Red Hat 7.3, and the iptables script is as follows.

    When I remove this line, the clients can connect to the Internet, but when I add it there is no outbound access?

    /sbin/iptables -P OUTPUT ACCEPT

    How can I fix this?

    #!/bin/sh
    # Simple iptables gateway script (Red Hat 7.3, 2.4 kernel).
    # Usage: firewall {start|stop}

    # Load the FTP connection-tracking helper; the other modules are loaded automatically.
    #modprobe ip_conntrack_ftp

    eth0="101.1.1.254"
    yerel_ag="101.1.1.0/16"

    case "$1" in

    ##############
    ### START ####
    #########################################################
    # Section executed when the firewall is started.
    start)

    # Routing between interfaces requires ip_forward to be enabled in the kernel.
    echo 1 > /proc/sys/net/ipv4/ip_forward

    # Protection against DoS attacks:
    # ignore all ICMP echo requests (the machine will not answer ping).
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
    # protect against SYN flooding.
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    # protect against smurf/spoofed-source traffic (reverse-path filtering).
    echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

    # Default policy: all incoming and forwarded packets are dropped,
    # outgoing traffic from the firewall itself is allowed.
    /sbin/iptables -P INPUT DROP
    /sbin/iptables -P OUTPUT ACCEPT
    /sbin/iptables -P FORWARD DROP

    # Flush any rules left over from a previous run, in every table.
    /sbin/iptables -F
    /sbin/iptables -F INPUT
    /sbin/iptables -F OUTPUT
    /sbin/iptables -F FORWARD
    /sbin/iptables -F -t mangle
    /sbin/iptables -X
    /sbin/iptables -F -t nat

    # Masquerading (source NAT) for the local network is done here.
    /sbin/iptables -t nat -A POSTROUTING -s $yerel_ag -d 0/0 -j MASQUERADE

    # Port redirection for a transparent proxy.
    #/sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to $eth0:3128

    # Create a chain named DUMP that logs packets before dropping them.
    # -N fails harmlessly if the chain already exists; its error message (on stderr) is silenced.
    /sbin/iptables -N DUMP 2> /dev/null
    /sbin/iptables -F DUMP
    /sbin/iptables -A DUMP -p tcp -j LOG
    /sbin/iptables -A DUMP -p udp -j LOG --log-prefix firewall
    # Drop silently, without notifying the other side.
    /sbin/iptables -A DUMP -p tcp -j DROP
    /sbin/iptables -A DUMP -p udp -j DROP
    /sbin/iptables -A DUMP -j DROP

    # The STATEFUL chain accepts the continuation of already accepted connections.
    /sbin/iptables -N STATEFUL 2> /dev/null
    /sbin/iptables -F STATEFUL
    /sbin/iptables -I STATEFUL -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New connections are accepted from every interface except the uplink ppp0
    # (negation goes before the option: "! -i"; the old "-i !" form is rejected by newer iptables).
    /sbin/iptables -A STATEFUL -m state --state NEW ! -i ppp0 -j ACCEPT
    /sbin/iptables -A STATEFUL -j DUMP

    # Accept everything on the loopback device.
    /sbin/iptables -A INPUT -i lo -j ACCEPT
    /sbin/iptables -A OUTPUT -o lo -j ACCEPT

    # Specific ports opened for incoming requests.
    #auth/ident
    /sbin/iptables -A INPUT -p tcp --dport 113 -j ACCEPT
    #pop3
    #/sbin/iptables -A INPUT -p tcp --dport 110 -j ACCEPT
    #/sbin/iptables -A INPUT -p udp --dport 110 -j ACCEPT
    #smtp
    #/sbin/iptables -A INPUT -p tcp --dport 25 -j ACCEPT
    #/sbin/iptables -A INPUT -p udp --dport 25 -j ACCEPT
    #ftp-data:ftp (from the local network only)
    /sbin/iptables -A INPUT -p tcp --dport 20:21 -j ACCEPT -s $yerel_ag
    #/sbin/iptables -A INPUT -p udp --dport 20:21 -j ACCEPT
    #http
    #/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    #/sbin/iptables -A INPUT -p udp --dport 80 -j ACCEPT
    #ssh
    #/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    #/sbin/iptables -A INPUT -p udp --dport 22 -j ACCEPT
    #https
    #/sbin/iptables -A INPUT -p tcp --dport 443 -j ACCEPT
    #/sbin/iptables -A INPUT -p udp --dport 443 -j ACCEPT
    #named (from the local network only)
    /sbin/iptables -A INPUT -p tcp --dport 53 -j ACCEPT -s $yerel_ag
    /sbin/iptables -A INPUT -p udp --dport 53 -j ACCEPT -s $yerel_ag
    #squid
    #/sbin/iptables -A INPUT -p tcp --dport 3128 -j ACCEPT -s $yerel_ag

    # Ports allowed for forwarded requests.
    /sbin/iptables -A FORWARD -p tcp --dport 80 -j ACCEPT -s $yerel_ag

    # Everything else arriving on INPUT is handed to the stateful chain.
    /sbin/iptables -A INPUT -j STATEFUL

    ;;

    #################
    ##### STOP ######
    #########################################################
    # Section executed when the firewall is stopped.
    stop)

    # Answer ping requests again.
    echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all

    # Default policies are set to accept.
    /sbin/iptables -P INPUT ACCEPT
    /sbin/iptables -P OUTPUT ACCEPT
    /sbin/iptables -P FORWARD ACCEPT

    # Rules in all tables are flushed.
    /sbin/iptables -F
    /sbin/iptables -F INPUT
    /sbin/iptables -F OUTPUT
    /sbin/iptables -F FORWARD
    /sbin/iptables -F -t mangle
    /sbin/iptables -X
    /sbin/iptables -F -t nat
    ;;
    #########################################################

    *)
    echo "usage: $0 {start|stop}"
    exit 1
    ;;

    esac

    exit 0

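Editor's note on the script as posted: its FORWARD chain contains a single rule (TCP port 80 from the LAN) and no ESTABLISHED,RELATED match, so packets coming back from the Internet to the clients are discarded by the FORWARD DROP policy whatever the OUTPUT policy is; the stateful handling only exists on INPUT. The following is an added example, not the poster's script and not from the list: a stateful NAT gateway rule set with hypothetical values (LAN 192.0.2.0/24 on eth0, uplink ppp0, client ports 80/443 plus DNS). Setting IPT=echo prints the rules instead of loading them, so the order of the rule set can be reviewed without root; on a 2.4-era box the `-m state` match is the right one, on current kernels `-m conntrack --ctstate` is the equivalent.

```shell
#!/bin/sh
# Added example (not the poster's script): a stateful NAT gateway rule set.
# Hypothetical addresses and interfaces; adjust to the real topology.
# Setting IPT=echo prints the rules instead of loading them.
IPT="${IPT:-/sbin/iptables}"
LAN_NET="${LAN_NET:-192.0.2.0/24}"          # hypothetical LAN
LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-ppp0}"                    # uplink, as in the posted script
LAN_TCP_PORTS="${LAN_TCP_PORTS:-80 443}"    # client TCP services routed to the Internet

fw_enable_forwarding() {
    # Only touch the kernel when really loading rules (dry run with IPT=echo skips it).
    if [ "$IPT" != echo ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

fw_reset() {
    # Drop by default on INPUT/FORWARD, then flush leftovers from every table.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -F
    $IPT -X
    $IPT -t nat -F
    $IPT -t mangle -F
}

fw_nat() {
    # Masquerade only traffic leaving through the uplink; LAN-to-gateway packets are left alone.
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
}

fw_forward() {
    # 1. Replies and related packets (e.g. FTP data) in both directions, before anything else.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 2. New connections only from the LAN side, out through the uplink, to the listed ports.
    for port in $LAN_TCP_PORTS; do
        $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
            -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
        -p udp --dport 53 -m state --state NEW -j ACCEPT
    # 3. Log (rate-limited) what falls through; the FORWARD DROP policy then discards it.
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
}

fw_input() {
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Gateway services reachable from the LAN only (DNS here; add ssh etc. as needed).
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 53 -j ACCEPT
}

fw_start() {
    fw_enable_forwarding
    fw_reset
    fw_input
    fw_forward
    fw_nat
}

fw_stop() {
    $IPT -P INPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    $IPT -P OUTPUT ACCEPT
    $IPT -F
    $IPT -X
    $IPT -t nat -F
    $IPT -t mangle -F
}

# Position of the state rule among the FORWARD rules (1 = first), for checking the order
# in a dry run without loading anything.
fw_forward_state_rule_pos() {
    ( IPT=echo; fw_forward ) | grep -n -- '--state ESTABLISHED,RELATED' | cut -d: -f1
}

case "${1:-}" in
    start) fw_start ;;
    stop)  fw_stop ;;
    "")    ;;                               # run without arguments: only define the functions
    *)     echo "usage: $0 {start|stop}" >&2; exit 1 ;;
esac
```

Run it as `IPT=echo sh gateway.sh start` to print the rule set and check that the ESTABLISHED,RELATED rule is the first one in FORWARD before loading it for real with `sh gateway.sh start` as root. Matching on both `-i` and `-o` for NEW connections is what keeps the Internet side from opening connections into the LAN even if the policy is later relaxed.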



    ---------

    This archive was generated by hypermail 2.1.6.