From: Ahmet Aksoy (ahmetax@kablonet.com.tr)
Date: Mon 20 Jan 2003 - 21:25:24 EET
Hello,
This may seem like taking the easy way out, but below is a ruleset written for ipchains. Could we adapt it to iptables?
Thanks in advance.
Ahmet Aksoy
#!/bin/bash
#PATH=/sbin:
# Find out our current IP... filtering based on a ppp connection
# which usually has a netmask of 255.255.255.x
MYIP=`ifconfig | grep 255.255.255 | cut -f 2 -d : | cut -f 1 -d ' '`
# Flush all firewalling rules
ipchains -F input
ipchains -F forward
ipchains -F output
# Set default policies
ipchains -P input REJECT
ipchains -P forward DENY
ipchains -P output ACCEPT
# Localhost is assumed OK
ipchains -A input -j ACCEPT -i lo
ipchains -A output -j ACCEPT -i lo
ipchains -A forward -j ACCEPT -i lo
# Exclusively reject and log X connections
ipchains -A input -j REJECT -s 0.0.0.0/0 -d $MYIP 6000:6010 -p TCP -l
ipchains -A input -j REJECT -s 0.0.0.0/0 -d $MYIP 6000:6010 -p UDP -l
# Log IP spoofing
ipchains -A input -j REJECT -s 192.168.0.0/16 -d $MYIP -p TCP -l
ipchains -A input -j REJECT -s 192.168.0.0/16 -d $MYIP -p UDP -l
# The RFC 1918 block is 172.16.0.0/12 (172.16.0.0 - 172.31.255.255), not /16
ipchains -A input -j REJECT -s 172.16.0.0/12 -d $MYIP -p TCP -l
ipchains -A input -j REJECT -s 172.16.0.0/12 -d $MYIP -p UDP -l
ipchains -A input -j REJECT -s 10.0.0.0/8 -d $MYIP -p TCP -l
ipchains -A input -j REJECT -s 10.0.0.0/8 -d $MYIP -p UDP -l
# Permit all ICMP to me
ipchains -A input -j ACCEPT -s 0.0.0.0/0 -d $MYIP -p icmp
# Allow incoming data (for DNS queries, SMTP, FTP sessions, web etc.)
# Forbid incoming connections to all ports but 4090-4100 (preserved for ICQ)
ipchains -A input -j ACCEPT -s 0.0.0.0/0 -d $MYIP 1024:4089 -p tcp ! -y
ipchains -A input -j ACCEPT -s 0.0.0.0/0 -d $MYIP 1024:4089 -p UDP
ipchains -A input -j ACCEPT -s 0.0.0.0/0 -d $MYIP 4090:4100 -p tcp
ipchains -A input -j ACCEPT -s 0.0.0.0/0 -d $MYIP 4090:4100 -p UDP
ipchains -A input -j ACCEPT -s 0.0.0.0/0 -d $MYIP 4101:65535 -p tcp ! -y
ipchains -A input -j ACCEPT -s 0.0.0.0/0 -d $MYIP 4101:65535 -p UDP
# Done deal.
-----------------------------------------------------------------------
For any matter relating to your list membership you can use
the web interface at http://liste.linux.org.tr.
To unsubscribe from the list, send an e-mail to 'linux-request@linux.org.tr'
with "unsubscribe" in the "Subject" field.
-----------------------------------------------------------------------
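The following is an added example, not a reply from the list and not the poster's own script: an iptables rendering of the ipchains policy above. It assumes a single-homed PPP client whose external interface is ppp0 (WAN_IF), a kernel with connection tracking (the conntrack match), and that IPT may be pointed at iptables-legacy on hosts where iptables is the nftables front end. Two things differ deliberately from the ipchains version: iptables has no REJECT chain policy, so the INPUT policy is DROP with a trailing REJECT rule, and the port-range `! -y` rules are replaced by ESTABLISHED,RELATED state matching, which is stricter than accepting every non-SYN segment. It also goes slightly beyond the original by dropping (rather than rejecting) spoofed private-range sources, adding 127.0.0.0/8 to that list, and rate-limiting the LOG rules. By default the script only prints the rules so they can be reviewed before loading.

```shell
#!/bin/sh
# Added example: iptables equivalent of the ipchains ruleset in the post.
# Assumptions (not from the original): external interface ppp0, conntrack
# available, IPT overridable (e.g. IPT=iptables-legacy). MYIP may be set in
# the environment; otherwise it is read from the interface with `ip`.

IPT=${IPT:-iptables}
WAN_IF=${WAN_IF:-ppp0}

# Emit one rule line, prefixed with the iptables binary (printed, not run).
rule() { printf '%s %s\n' "$IPT" "$*"; }

# Read the first IPv4 address on WAN_IF (assumed iproute2 output layout).
detect_ip() {
    ip -4 -o addr show dev "$WAN_IF" 2>/dev/null | awk '{print $4}' | cut -d/ -f1 | head -n1
}

# Print the complete ruleset for the given external address.
build_rules() {
    myip=$1

    # Flush all filter-table chains
    rule -F INPUT
    rule -F FORWARD
    rule -F OUTPUT

    # Default policies (REJECT is not a valid iptables policy; see last rule)
    rule -P INPUT DROP
    rule -P FORWARD DROP
    rule -P OUTPUT ACCEPT

    # Localhost is assumed OK
    rule -A INPUT -i lo -j ACCEPT
    rule -A OUTPUT -o lo -j ACCEPT

    # Reject and log X connections; ipchains' -l becomes a separate LOG rule
    for proto in tcp udp; do
        rule -A INPUT -p "$proto" -d "$myip" --dport 6000:6010 \
            -m limit --limit 5/min -j LOG --log-prefix fw-x11:
        rule -A INPUT -p "$proto" -d "$myip" --dport 6000:6010 -j REJECT
    done

    # Log and drop spoofed private/loopback sources arriving on the WAN link
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
        rule -A INPUT -i "$WAN_IF" -s "$net" -m limit --limit 5/min -j LOG --log-prefix fw-spoof:
        rule -A INPUT -i "$WAN_IF" -s "$net" -j DROP
    done

    # Permit all ICMP to me
    rule -A INPUT -p icmp -d "$myip" -j ACCEPT

    # Replies to our own connections (DNS, SMTP, FTP, web...) via conntrack,
    # replacing the ipchains "! -y" non-SYN rules on ports 1024-65535
    rule -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    rule -A INPUT -m conntrack --ctstate INVALID -j DROP

    # New inbound connections only on 4090-4100 (reserved for ICQ)
    for proto in tcp udp; do
        rule -A INPUT -p "$proto" -d "$myip" --dport 4090:4100 -m conntrack --ctstate NEW -j ACCEPT
    done

    # Everything else: mimic the ipchains REJECT policy
    rule -A INPUT -j REJECT
}

# Print the rules, or load them when APPLY=1.
main() {
    myip=${MYIP:-$(detect_ip)}
    [ -n "$myip" ] || { echo "cannot determine address on $WAN_IF" >&2; return 1; }
    if [ "${APPLY:-0}" = 1 ]; then
        build_rules "$myip" | sh
    else
        build_rules "$myip"
    fi
}

main "$@" || :
```

Run it as `sh firewall.sh` to review the generated commands, then `APPLY=1 sh firewall.sh` to load them; on a host where the interface name or address differs, set `WAN_IF` and `MYIP` in the environment. Note that the ipchains script accepted any UDP datagram to ports 1024-4089 and 4101-65535, whereas the conntrack version only accepts UDP that belongs to a flow this host started, which is what the original rules were trying to approximate.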