aelius

Minimal firewall for Linux

Below is a minimal firewall for Linux that does the following:

- Sets the default policy to DROP (no packet is accepted on INPUT, FORWARD or OUTPUT unless a rule allows it).

- Drops TCP packets with invalid flag combinations.

- Blocks OS fingerprinting (operating system detection with nmap or other OS-fingerprinting tools).

- Allows ICMP echo requests (ping) to the host.

- Allows UDP packets coming from the nameservers configured in "/etc/resolv.conf" (source port 53).

- Accepts SSH connections only from well-defined sources (for example: from the office / home). This way we can be sure that if someone learns a user's password, they still cannot get in. It is a good precaution against scanning.

- Allows services to run on the standard ports for: ftp, smtp, web, pop3 and https.

Other notes:

- EXTDEV is the external network interface.

- The SECSHELL section holds the IP addresses from which we want SSH access.

- Do NOT run "iptables -F" or "iptables --flush" on their own; the default policy is DROP, so flushing the rules leaves you locked out! (If you want to take the firewall out of service, stop it with the script.)

- The SERVICES section defines the ports for the services: ftp, smtp, web, pop3 and https.

- In this minimal example there are no FORWARD rules. If the server is used as a router it will not work; you need to add forward/NAT rules.

- Do not use this script before you understand exactly what it does; in particular, do not use it on servers you have no physical access to if you do not know what it does.

- The script is run with one argument: start, stop or status.


#!/bin/sh
# Description: minimal firewall for Linux.

## -- Constants
EXTDEV="eth0"
SECSHELL="4.2.2.2 8.8.8.8 5.5.5.5"
SERVICES="20 21 25 80 110 443"

firewall_start () {
    echo "apply rules ...."

    ## -- Remove any existing rule (filter, nat and mangle tables)
    iptables -F
    iptables -Z
    iptables -X
    iptables -F -t nat
    iptables -Z -t nat
    iptables -X -t nat
    iptables -F -t mangle
    iptables -Z -t mangle
    iptables -X -t mangle

    ## -- Default policy
    iptables --policy INPUT DROP
    iptables --policy OUTPUT DROP
    iptables --policy FORWARD DROP

    ## -- Allow unrestricted traffic on localhost
    iptables -I INPUT -d 127.0.0.0/8 -j ACCEPT
    iptables -I OUTPUT -s 127.0.0.0/8 -j ACCEPT

    ## -- Accept packets belonging to connections that are already established
    ##    (this keeps the ssh session you start the firewall from alive).
    iptables -I INPUT -m state --state ESTABLISHED -j ACCEPT

    ## -- Allow any outgoing packet.
    iptables -I OUTPUT -p all -j ACCEPT

    ## -- Accept the sources defined in SECSHELL for the SSH service.
    for i in $SECSHELL; do iptables -I INPUT -p tcp -s $i --dport 22 -j ACCEPT; done

    ## -- Accept any icmp echo (ping)
    iptables -I INPUT -p icmp --icmp-type 8 -j ACCEPT

    ## -- Accept any port listed in SERVICES (tcp)
    for i in $SERVICES; do iptables -I INPUT -p tcp --dport $i -j ACCEPT; done

    ## -- Accept any packet from the DNS servers (source port 53) - only those listed in "/etc/resolv.conf"
    awk '/^nameserver/ {print $2}' /etc/resolv.conf | \
    xargs -n1 iptables -I INPUT -p udp --sport 53 -j ACCEPT -s

    ## -- Drop packets with invalid TCP flag combinations.
    ##    Every rule above is inserted with -I (at the top of the chain), so this
    ##    block is inserted last to end up first, ahead of the ACCEPT rules for
    ##    SERVICES and DNS; otherwise a bogus packet to an open port would be accepted.
    iptables -I INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
    iptables -I INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
    iptables -I INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
    iptables -I INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    iptables -I INPUT -p tcp --tcp-flags SYN,ACK NONE -j DROP
    iptables -I INPUT -p tcp --tcp-flags RST,FIN RST,FIN -j DROP
    iptables -I INPUT -p tcp --tcp-flags SYN,URG SYN,URG -j DROP
    iptables -I INPUT -p tcp --tcp-flags ALL SYN,PSH -j DROP
    iptables -I INPUT -p tcp --tcp-flags ALL SYN,ACK,PSH -j DROP

    echo "done, fw active."
    return 0
}

firewall_status () {
    echo "fw status: "
    iptables -L -n -v
    return 0
}

firewall_stop () {
    echo "ok. fw stop, clearing rules."
    ## -- Open the policies first, then flush; flushing with a DROP policy locks you out
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -F
    iptables -Z
    iptables -X
    iptables -F -t nat
    iptables -Z -t nat
    iptables -X -t nat
    iptables -F -t mangle
    iptables -Z -t mangle
    iptables -X -t mangle
    return 0
}

case "$1" in
    start)
        firewall_start
        ;;
    stop)
        firewall_stop
        ;;
    status)
        firewall_status
        ;;
    *)
        echo "Folosire: $0 {start|status|stop}"
        exit 1
        ;;
esac

exit 0
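The same policy rendered as an iptables-restore file, so the whole ruleset can be read top-down, syntax-checked and loaded atomically instead of being built rule by rule. This is an added example, not part of the original post: it keeps the post's SECSHELL and SERVICES values and writes the rules in the order iptables evaluates them, with the invalid-flag drops above every ACCEPT; gen_rules takes the resolv.conf path as an optional argument (an assumption added so the output can be checked against a constructed file).

```shell
#!/bin/sh
# Added example: emit the post's policy in iptables-restore format.
# Usage: gen_rules > /etc/fw.rules && iptables-restore --test /etc/fw.rules
SECSHELL="4.2.2.2 8.8.8.8 5.5.5.5"   # sources allowed to reach sshd
SERVICES="20 21 25 80 110 443"       # public TCP service ports

gen_rules () {
    # $1: resolv.conf to read nameservers from (defaults to the system file)
    resolv="${1:-/etc/resolv.conf}"
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT DROP [0:0]'
    # loopback traffic
    echo '-A INPUT -d 127.0.0.0/8 -j ACCEPT'
    echo '-A OUTPUT -s 127.0.0.0/8 -j ACCEPT'
    # invalid TCP flag combinations come first, so no later ACCEPT can shadow them
    for f in 'ALL FIN,URG,PSH' 'ALL SYN,RST,ACK,FIN,URG' 'SYN,RST SYN,RST' \
             'SYN,FIN SYN,FIN' 'SYN,ACK NONE' 'RST,FIN RST,FIN' \
             'SYN,URG SYN,URG' 'ALL SYN,PSH' 'ALL SYN,ACK,PSH'; do
        echo "-A INPUT -p tcp --tcp-flags $f -j DROP"
    done
    # replies to connections we already have, and all outgoing traffic
    echo '-A INPUT -m state --state ESTABLISHED -j ACCEPT'
    echo '-A OUTPUT -j ACCEPT'
    # ssh only from the listed sources
    for i in $SECSHELL; do
        echo "-A INPUT -p tcp -s $i --dport 22 -j ACCEPT"
    done
    echo '-A INPUT -p icmp --icmp-type 8 -j ACCEPT'
    # public services
    for p in $SERVICES; do
        echo "-A INPUT -p tcp --dport $p -j ACCEPT"
    done
    # nameservers from resolv.conf, UDP source port 53 only
    awk '/^nameserver/ {print "-A INPUT -p udp -s " $2 " --sport 53 -j ACCEPT"}' "$resolv"
    echo 'COMMIT'
}
```

Because iptables-restore replaces the table in one step, there is no window in which the chain is half-built with a DROP policy, which is the lock-out risk the post warns about for a bare "iptables -F".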

-------------------------------

If you want to publish this tutorial on another site, please credit the source:

https://rstcenter.com/forum/46641-firewall-minimal-pentru-linux.rst

"Thank you"
