RedHat 6.2 kan downloades fra
ftp://ftp.sunsite.auc.dk/mirrors/ftp.redhat.com

Angående firewall, så er her et eksempel på brug af ipchains i Linux 2.2-kernen til at beskytte en enkelt maskine:
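#!/bin/sh
#
# Host firewall for a Linux 2.2 kernel using ipchains.
#
# Protects a single machine: nothing is forwarded, outgoing traffic is
# allowed, and incoming traffic is denied unless one of the ACCEPT rules
# below matches.
#
# The default policies are set to DENY before any ACCEPT rule is loaded,
# so if a later command fails (set -e aborts the script) the host is left
# closed rather than open.
#
# Must run as root: it writes to /proc/sys and loads rules via ipchains.
set -eu

IPCHAINS=/sbin/ipchains

# Write one value to a /proc/sys entry.
# The value is written bare: writing a quoted value such as "1" (which is
# what `echo \"1\"` produces) is rejected by the kernel and the setting
# silently keeps its default.
# Arguments: $1 - value, $2 - /proc/sys path
set_sysctl() {
  printf '%s\n' "$1" > "$2"
}

# Load one rule; the arguments are passed through to ipchains unchanged.
# A rule that fails to load aborts the script (fail closed, see header).
rule() {
  "$IPCHAINS" "$@"
}

if [ "$(id -u)" -ne 0 ]; then
  printf 'firewall: must be run as root\n' >&2
  exit 1
fi
if [ ! -x "$IPCHAINS" ]; then
  printf 'firewall: %s not found or not executable\n' "$IPCHAINS" >&2
  exit 1
fi

printf '%s\n' "Firewall starting"

#####################
# Kernel features   #
#####################
# IP spoof protection (reverse-path filtering).
# The original note says 1 gives weak and 2 stronger protection.
# NOTE(review): this script cannot verify that a 2.2 kernel distinguishes
# the two values, and some kernels only honour rp_filter when the
# per-interface entries under /proc/sys/net/ipv4/conf/<if>/ are set as
# well - confirm against the documentation of the running kernel.
set_sysctl 1 /proc/sys/net/ipv4/conf/all/rp_filter
# Enable SYN cookies (keeps the host reachable under SYN-flooding).
set_sysctl 1 /proc/sys/net/ipv4/tcp_syncookies
# Do not answer ICMP echo-requests sent to broadcast addresses, so this
# host cannot be used as a broadcast amplifier.
set_sysctl 1 /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Local port range for listeners (ftp ...).
# Masqueraded connections use 61000-65096; the ACCEPT rule for non-SYN TCP
# below covers both ranges (56000:65096).
set_sysctl "56000 60999" /proc/sys/net/ipv4/ip_local_port_range

####################
# IP firewalling   #
####################
# Delete all rules, then set the default policies. From here on nothing
# gets in except what the ACCEPT rules below allow.
rule -F
rule -P input DENY
rule -P output ACCEPT
rule -P forward DENY

# Trust ourselves (loopback).
rule -A input -p all -i lo -j ACCEPT

# Deny Back Orifice (logged).
# The full option name is --destination-port; the truncated
# "--destination-por" only worked as an abbreviation.
rule -A input -l -p tcp -s 0/0 --destination-port 31337 -j DENY
rule -A input -l -p udp -s 0/0 --destination-port 31337 -j DENY

# Deny other things. DENY drops silently; compare the auth rule below,
# which uses REJECT so the sender gets an immediate RST.
rule -A input -p tcp -s 0/0 --destination-port 25 -j DENY
rule -A input -p tcp -s 0/0 --destination-port 98 -j DENY
rule -A input -p tcp -s 0/0 --destination-port 515 -j DENY
rule -A input -p tcp -s 0/0 --destination-port 901 -j DENY

# Handle incoming ICMP.
# Allow all, except remote timestamp-, echo- and address-mask requests,
# and ICMP redirects and router-advertisements. Order matters: the DENY
# rules must precede the catch-all ACCEPT.
rule -A input -p icmp -s 0/0 timestamp-request -j DENY
rule -A input -p icmp -s 0/0 address-mask-request -j DENY
rule -A input -p icmp -s 0/0 redirect -j DENY
rule -A input -p icmp -s 0/0 router-advertisement -j DENY
rule -A input -p icmp -s 0/0 echo-request -j DENY
rule -A input -p icmp -j ACCEPT

# Explicitly reject (RST) connection attempts to the ident/auth port, so
# remote servers doing ident lookups fail fast instead of timing out.
rule -A input -y -p tcp -s 0/0 --destination-port auth -j REJECT

# Allow TCP that does not try to set up a connection (no SYN) to the local
# port ranges. ipchains is stateless: it cannot tell replies to our own
# connections from other non-SYN packets, which is why the accepted port
# range is kept to the listener and masquerade ranges only.
# The negation is a bare "!" - an escaped "\!" is passed literally to
# ipchains and the rule fails to load.
rule -A input ! -y -p tcp -s 0/0 --destination-port 56000:65096 -j ACCEPT

# Allow DNS replies to our locally originating requests.
# NOTE(review): this matches on the remote source port only, so any UDP
# sent from port 53 is accepted whatever local port it targets; narrowing
# it with a --destination-port of the local range above is worth
# confirming against how the local resolver chooses its source port.
rule -A input -p udp -s 0/0 domain -j ACCEPT
# Allow NTP (uses the ntp port for both request and reply).
rule -A input -p udp -s 0/0 ntp --destination-port ntp -j ACCEPT
# Allow active-mode ftp-data connections (downloads and dir listings):
# the server connects back from port ftp-data to a local high port.
rule -A input -y -p tcp -s 0/0 ftp-data --destination-port 56000:65096 -j ACCEPT
# Allow ssh connections to this machine.
rule -A input -y -p tcp -s 0/0 --destination-port 22 -j ACCEPT

# Log whatever drops through to here; the default input policy (DENY)
# then discards it.
rule -A input --log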
Håber det kan bruges :o)