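Am 15.02.2012 15:45, schrieb "Jóhann B. Guðmundsson":
> Experienced admins dont use service iptables blah anyway ( they use iptables commands directly ) so it hardly
> matters to them documentation should however be updated for those that actually use service iptables blah to point
> this out so you should file a DOC bug for it.

They do, because years ago they found out how to build their complete rule set with a script and how to save the rules so they are applied again at the next reboot:

[root@testserver:~]$ service iptables help
Verwendung: iptables {start|stop|restart|condrestart|status|panic|save}
______________________
#!/bin/bash
# Host firewall for a single IPv4 box: flush everything, set DROP policies,
# then allow loopback, reply traffic, rate-limited SSH from anywhere and a
# handful of services only from a fixed list of trusted source addresses.
# Runs as root and finishes with "service iptables save" so the live rule set
# is written to /etc/sysconfig/iptables and restored on the next boot.
#
# Review notes / caveats:
#  * IPv4 only. ip6tables is not touched; if this host carries a global IPv6
#    address the allow-list below does not apply over v6 and an equivalent
#    ip6tables rule set is needed.
#  * INPUT/FORWARD are set to DROP *before* the flush, so an abort between the
#    flush and the ESTABLISHED,RELATED rule fails closed - including for the
#    SSH session running this script. That is why `set -e` is deliberately not
#    used: every iptables call goes through ipt(), which reports and counts a
#    failure instead of stopping half-way. The exit status is non-zero if any
#    rule failed, so check it (or /var/log/scriptlog) after a run.
#  * Trust is by source IP only. For the TCP rules the --syn/NEW requirement
#    makes blind spoofing impractical; the list is still only as good as
#    upstream routing and anti-spoofing at the border.

# ---- configuration ---------------------------------------------------------
export IPTABLES="/sbin/iptables"
# Persists the running rule set (RHEL/Fedora init script); invoked at the end.
IPTABLES_SAVE=(/sbin/service iptables save)

LOUNGE_WAN="91.118.73.0/24"
RHSOFT_LOCAL="84.113.45.179"
RHSOFT_ARRAKIS="84.113.45.132"
RHSOFT_TESTSERVER="84.113.45.81"
HOST="192.168.196.1"   # not referenced by any rule below; kept for compatibility

# Every per-service block below adds one rule per entry, in exactly this order.
TRUSTED_SOURCES=("$LOUNGE_WAN" "$RHSOFT_LOCAL" "$RHSOFT_ARRAKIS" "$RHSOFT_TESTSERVER")

# Number of iptables invocations that returned non-zero.
errors=0

# ipt ARGS...
#   Run iptables with ARGS; on failure print the failing command to stderr and
#   bump $errors instead of aborting (see the fail-closed note in the header).
ipt() {
  "$IPTABLES" "$@" || {
    echo "iptables FAILED: $*" >&2
    errors=$((errors + 1))
  }
}

# allow_tcp_from_trusted PORTS
#   One NEW/SYN ACCEPT rule per trusted source for the comma-separated PORTS
#   (multiport), in TRUSTED_SOURCES order.
allow_tcp_from_trusted() {
  local ports=$1 src
  for src in "${TRUSTED_SOURCES[@]}"; do
    ipt -A INPUT -p tcp -s "$src" -m multiport --destination-port "$ports" \
      -m state --state NEW --syn -j ACCEPT
  done
}

# ---- reset -----------------------------------------------------------------
echo "Setze Regeln zurueck"
# Close the door first so nothing is accepted while the tables are rebuilt.
ipt -P INPUT DROP
ipt -P FORWARD DROP
ipt -F
ipt -X

# /proc/net/ip_tables_names lists the tables currently loaded (filter, nat,
# mangle, raw, ...), one per line; iterating over it avoids pulling in modules
# for tables that are not in use.
tables=()
if [[ -r /proc/net/ip_tables_names ]]; then
  mapfile -t tables < /proc/net/ip_tables_names
fi

# A bare `for ...; done && echo OK || echo FAILED` only reflects the last
# iteration, so track failures explicitly per pass.
flush_failed=0
for table in "${tables[@]}"; do
  "$IPTABLES" -t "$table" -F || flush_failed=1
done
if (( flush_failed )); then
  echo "Flush FAILED"
  errors=$((errors + 1))
else
  echo "Flush OK"
fi

clear_failed=0
for table in "${tables[@]}"; do
  "$IPTABLES" -t "$table" -X || clear_failed=1
done
if (( clear_failed )); then
  echo "Clear FAILED"
  errors=$((errors + 1))
else
  echo "Clear OK"
fi

# Zero the counters; failures here are not worth reporting.
for table in "${tables[@]}"; do
  "$IPTABLES" -t "$table" -Z
done

echo ""
echo "Blockiere Traffic zu Beginn"
ipt -P INPUT DROP
ipt -P FORWARD DROP

# ---- sanity / anti-scan rules ---------------------------------------------
echo ""
echo "OS-Fingerprinting/Invalide Pakete blockieren"
# Packets conntrack cannot associate with any connection (bad sequence
# numbers, stray ACKs, malformed headers) are dropped before anything else.
ipt -A INPUT ! -i lo -m state --state INVALID -j DROP
# Destination port 0 is never legitimate; it shows up in scans and crafted
# packets only.
ipt -A INPUT ! -i lo -p tcp -m state --state NEW --dport 0 -j DROP
ipt -A INPUT ! -i lo -p udp -m state --state NEW --dport 0 -j DROP

# TCP flag combinations that never occur in legitimate traffic (Xmas, NULL,
# FIN, SYN/FIN, SYN/RST scans and similar probes).  Each entry is the
# "MASK COMPARISON" pair for --tcp-flags, applied in this order.
tcp_flag_probes=(
  "ALL ACK,RST,SYN,FIN"
  "ALL FIN"
  "ALL FIN,URG,PSH"
  "ALL ALL"
  "ALL SYN,RST,ACK,FIN,URG"
  "ALL NONE"
  "SYN,FIN SYN,FIN"
  "SYN,RST SYN,RST"
  "FIN,RST FIN,RST"
  "ACK,FIN FIN"
  "ACK,PSH PSH"
  "ACK,URG URG"
)
for probe in "${tcp_flag_probes[@]}"; do
  read -r mask comp <<<"$probe"
  ipt -A INPUT ! -i lo -p tcp --tcp-flags "$mask" "$comp" -j DROP
done

echo "Neue Verbindungen ohne SYN-Flag verwefen"
# A NEW TCP connection must start with a SYN; anything else is a scan or a
# stale segment that conntrack happens to classify as NEW.
ipt -A INPUT ! -i lo -p tcp ! --syn -m state --state NEW -j DROP

echo "Eingehende Fragmente verwerfen"
# NOTE(review): with connection tracking loaded the kernel reassembles
# fragments before the filter table sees them, so this rule is expected to
# match rarely if ever.  Harmless, but do not rely on it as the only fragment
# defence.
ipt -A INPUT ! -i lo -f -j DROP

echo "IP-Spoofing des Loopback-Device verhindern"
# Loopback addresses must only ever arrive on lo.
ipt -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP

# ---- baseline allows -------------------------------------------------------
echo ""
echo "Loopback erlauben"
ipt -A INPUT -i lo -j ACCEPT

echo ""
echo "Ausgehende Pakete erlauben"
# Egress is unrestricted; only ingress is filtered on this host.
ipt -P OUTPUT ACCEPT

echo ""
echo "Antwortpakete erlauben"
# Everything below only has to admit the first packet of a connection.
ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# ---- services --------------------------------------------------------------
echo "SSH aus allen Netzen erlauben, Rate-Control"
echo "10022"
# NOTE(review): -m limit is a single global token bucket, not per source.  One
# scanner sending more than 15 SYNs/minute to 10022 makes the first rule fall
# through to the REJECT for *every* client; per-source limiting would need
# -m hashlimit (--hashlimit-mode srcip) or -m recent.  Left unchanged here to
# avoid altering behaviour on a live box.
# The --sport range is not a security control (the client picks its source
# port); it merely refuses clients that connect from a privileged port.
ipt -A INPUT -p tcp --sport 1024:65535 -m state --syn --state NEW --dport 10022 \
  -m limit --limit 15/minute --limit-burst 15 -j ACCEPT
ipt -A INPUT -p tcp -m state --syn --state NEW --dport 10022 \
  -j REJECT --reject-with icmp-host-unreachable

echo ""
echo "HTTP-Ports aus rhsoft/thelounge-Netzwerken erlauben"
echo "TCP 80,443"
allow_tcp_from_trusted "80,443"

echo ""
echo "Mail-Ports aus rhsoft/thelounge-Netzwerken erlauben"
echo "TCP 25,587,465,143,993,2000"
allow_tcp_from_trusted "25,587,465,143,993,2000"

echo ""
echo "AFP aus rhsoft/thelounge-Netzwerken erlauben"
echo "TCP 548"
# AFP keeps the original single-port form with the (cosmetic) --sport range.
for src in "${TRUSTED_SOURCES[@]}"; do
  ipt -A INPUT -p tcp --sport 1024:65535 -s "$src" --dport 548 \
    -m state --state NEW --syn -j ACCEPT
done

echo ""
echo "Ping aus bekannten Netzwerken erlauben"
# Only echo-request is opened; ICMP errors for existing flows are already
# admitted by the RELATED rule above.
for src in "${TRUSTED_SOURCES[@]}"; do
  ipt -A INPUT -p icmp -s "$src" --icmp-type 8 -j ACCEPT
done

echo "Ping aus fremden Netzwerken unterdruecken"
ipt -A INPUT -p icmp --icmp-type 8 -j REJECT --reject-with icmp-host-unreachable

echo "Alle anderen Ports abweisen"
# REJECT (not DROP) is a deliberate choice: clients fail fast, at the price of
# confirming that the host exists.
ipt -A INPUT -j REJECT --reject-with icmp-host-unreachable

# ---- persist and log -------------------------------------------------------
echo ""
"${IPTABLES_SAVE[@]}" || errors=$((errors + 1))
echo ""
MY_TIME=$(date "+%d-%m-%Y %H:%M:%S")
echo "$MY_TIME Firewall-Konfiguration wurde aktualisiert" >> /var/log/scriptlog
echo ""

# Non-zero when any iptables call or the save failed, so cron/admins notice.
exit $(( errors > 0 ))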