[linux-guvenlik] Re: btables

New Message	Reply	About this list	Date view	Thread view	Subject view	Author view	Attachment view

From: Qzmen?= Emre DEMİRKOL (ozmend@sakarya.edu.tr)
Date: Tue 11 Mar 2003 - 14:19:18 EET

Next message: Bulent Tatlidil: "[linux-guvenlik] Re: apache log anormalligi"

Previous message: Burak DAYIOGLU: "[linux-guvenlik] apache log anormalligi"
In reply to: Tarkan : "[linux-guvenlik] btables"

Slm. Cikis icin birden fazla buna sebep olabilir bunlari ayrintili
ayarlamalisin. yani bir modem ve 2 eth gibi. yolu kapali yada baska yere
bakan eha yonleniyor olabilir.
En guzeli sen traceroute yap client uzerinde, kural yazili iken. hangi
kanaldan(karttan) ciktigina bak.
Kolay gelsin

ozmen demirkol

On Tue, 2003-03-11 at 11:23, Tarkan Öncü wrote:
> Merhabalar
>
> btables ıle guvenlık duvarı kurmaya calısıyorum ama bır turlu yapamadım bırkac yerde takılıyorum yardımcı olursanız sımdıden tesekkurler
>
> sıstem Redhat 7.3 btables da su sekılde
>
> buradan sunu kaldırınca clıentlar nete baglanabılıyor ama o nu ekleyınce cıkıs yok ?
>
> /sbin/iptables -P OUTPUT ACCEPT
>
>
> bunu nasıl duzeltebılırım ?
>
> #!/bin/sh
>
> # ftp icin gerekli modulu yukleyelim. Diger moduller otomatik olarak yuklenecektir.
> #modprobe ip_conntrack_ftp
>
> eth0="101.1.1.254"
> yerel_ag="101.1.1.0/16"
>
>
> case "$1" in
>
> ##############
> ### START ####
> #########################################################
> # firewall baslatildiginda isletilecek olan bolum.
> start)
>
> # Yonlendirme icin cekirdekte ip_forward'in etkinlestirilmesi gerekiyor.
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> #DoS saldirilarindan korunmak icin;
> # makinayi pinge kapat.
> echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
> # syn-flooding den korun.
> echo 1 > /proc/sys/net/ipv4/tcp_syncookies
> # smurf dan korun.
> echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
>
> # Tum gelen ve yonlendirilen paketler ontanimli olarak reddediliyor,
> # disariya cikisa izin veriliyor.
> /sbin/iptables -P INPUT DROP
> /sbin/iptables -P OUTPUT ACCEPT
> /sbin/iptables -P FORWARD DROP
>
> # Tum tablolar daha onceden olabilecek kurallardan temizleniyor.
> /sbin/iptables -F
> /sbin/iptables -F INPUT
> /sbin/iptables -F OUTPUT
> /sbin/iptables -F FORWARD
> /sbin/iptables -F -t mangle
> /sbin/iptables -X
> /sbin/iptables -F -t nat
>
> #masqurade burada yapiliyor.
> /sbin/iptables -t nat -A POSTROUTING -s $yerel_ag -d 0/0 -j MASQUERADE
>
> #transparent proxy icin port yonlendiriliyor.
> #/sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to $eth0:3128
>
> # Paketlerin kayitlarinin tutulabilmesi icin DUMP isimli bir tablo olusturalim.
> /sbin/iptables -N DUMP > /dev/null
> /sbin/iptables -F DUMP
> /sbin/iptables -A DUMP -p tcp -j LOG
> /sbin/iptables -A DUMP -p udp -j LOG --log-prefix firewall
> # karsi tarafa haber vermeden balantiyi yok say.
> /sbin/iptables -A DUMP -p tcp -j DROP
> /sbin/iptables -A DUMP -p udp -j DROP
> /sbin/iptables -A DUMP -j DROP
>
> # Kabul edilen baglantilarin devami icin STATEFUL tablosunu kullanacagiz.
> /sbin/iptables -N STATEFUL > /dev/null
> /sbin/iptables -F STATEFUL
> /sbin/iptables -I STATEFUL -m state --state ESTABLISHED,RELATED -j ACCEPT
> /sbin/iptables -A STATEFUL -m state --state NEW -i ! ppp0 -j ACCEPT
> /sbin/iptables -A STATEFUL -j DUMP
>
> # loopback aygiti icin kurallari ontanimli kabul olarak ayarlayalim.
> /sbin/iptables -A INPUT -i lo -j ACCEPT
> /sbin/iptables -A OUTPUT -o lo -j ACCEPT
>
> # İceriye gelen istekler icin kullandigimiz belirli portlar.
> #authentication
> /sbin/iptables -A INPUT -p tcp --dport 113 -j ACCEPT
> #pop3
> #/sbin/iptables -A INPUT -p tcp --dport 110 -j ACCEPT
> #/sbin/iptables -A INPUT -p udp --dport 110 -j ACCEPT
> #smtp
> #/sbin/iptables -A INPUT -p tcp --dport 25 -j ACCEPT
> #/sbin/iptables -A INPUT -p udp --dport 25 -j ACCEPT
> #ftpdata:ftp
> /sbin/iptables -A INPUT -p tcp --dport 20:21 -j ACCEPT -s $yerel_ag
> #/sbin/iptables -A INPUT -p udp --dport 20:21 -j ACCEPT
> #http
> #/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
> #/sbin/iptables -A INPUT -p udp --dport 80 -j ACCEPT
> #ssh
> #/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT
> #/sbin/iptables -A INPUT -p udp --dport 22 -j ACCEPT
> #https
> #/sbin/iptables -A INPUT -p tcp --dport 443 -j ACCEPT
> #/sbin/iptables -A INPUT -p udp --dport 443 -j ACCEPT
> #named
> /sbin/iptables -A INPUT -p tcp --dport 53 -j ACCEPT -s $yerel_ag
> /sbin/iptables -A INPUT -p udp --dport 53 -j ACCEPT -s $yerel_ag
> #squid
> #/sbin/iptables -A INPUT -p tcp --dport 3128 -j ACCEPT -s $yerel_ag
>
> # Yonlendirilen istekler icin kullanilan portlar.
> /sbin/iptables -A FORWARD -p tcp --dport 80 -j ACCEPT -s $yerel_ag
>
> # baglanti kabulu icin.
> /sbin/iptables -A INPUT -j STATEFUL
>
> ;;
>
> #################
> ##### STOP ######
> #########################################################
> # firewall durduruldugunda isletilecek olan bolum.
> stop)
>
> # Ping isteklerine acalim makinayi.
> echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
>
> # ontanimli degerler kabul olarak ayarlaniyor.
> /sbin/iptables -P INPUT ACCEPT
> /sbin/iptables -P OUTPUT ACCEPT
> /sbin/iptables -P FORWARD ACCEPT
>
> # tablolardaki kurallar temizleniyor.
> /sbin/iptables -F
> /sbin/iptables -F INPUT
> /sbin/iptables -F OUTPUT
> /sbin/iptables -F FORWARD
> /sbin/iptables -F -t mangle
> /sbin/iptables -X
> /sbin/iptables -F -t nat
> ;;
> #########################################################
>
> *)
> echo "kullanim: $0 {start|stop}"
> exit 1
> ;;
>
> esac
>
> exit 0
>
>
>
> ---------------------------------
> Do you Yahoo!?
> Yahoo! Web Hosting - establish your business online

-- 
Özmen Emre DEMİRKOL <ozmend@sakarya.edu.tr>
Sakarya Universitesi

Next message: Bulent Tatlidil: "[linux-guvenlik] Re: apache log anormalligi"

Previous message: Burak DAYIOGLU: "[linux-guvenlik] apache log anormalligi"
In reply to: Tarkan : "[linux-guvenlik] btables"

New Message	Reply	About this list	Date view	Thread view	Subject view	Author view	Attachment view

Bu arsiv hypermail 2.1.6 tarafindan uretilmistir.