Security World: Re: Default Policy = DROP. Help-me

I usually use the following rules for debugging purpose to detect
packets that are not allowed to get in or getting forwarded.

IPT=/bin/iptables
$IPT -A INPUT -m limit --limit 3/minute -j LOG --log-prefix "Illegale
Inputs:"
$IPT -A OUTPUT -m limit --limit 3/minute -j LOG --log-prefix "Illegale
Outputs:"
$IPT -A FORWARD -j LOG --log-prefix "Illegale Forwards:"

greetings,
whylee.

Yuri Rodrigues schrieb:
> Hello Debian Geeks,
> I am mounting a firewall, but I am having great difficulty because of
> the policy of chains that I adopted.
> I usually browse the Internet, get ssh servers for my network and get
> my ssh server when I am in a remote location. But can not access
> servers ssh from my server firewall. Somebody help me with that firewall?
>
> Very Thank's,
>
> Yuri Rodrigues.
>
> Ps: Excuse me for the mistakes, I am Brazilian and translate with the
> help of google.
> Pss: The file of firewall is attached.
>
>
> #!/bin/sh
>
> # Sistema de Firewall
> # Autor - Yuri Rodrigues
> # Mail - yurirbraz@gmail.com
> #
> # Admite-se que:
> # Eth0 = Intranet
> # Eth1 = Internet
>
> intranet="eth0"
> iptables="/sbin/iptables"
> internet="eth1"
> rede="192.168.121.0/24"
>
> echo "-----------------======= Firewall =======------------------"
> echo " Por: Yuri Rodrigues "
> echo "Monitoramento: [ /var/log/syslog ] "
> echo ""
> echo "Iniciando o script "
> echo ""
>
> # Para monitoramento ver logs em
> # /var/log/syslog
>
> #### Limpando regras ####
> $iptables -F
> $iptables -t nat -F
> $iptables -t mangle -F
> echo "Limpando Regras Antigas ............................ [ OK ]"
>
> #### Ativar Modulos ####
> modprobe ip_conntrack
> modprobe ip_conntrack_ftp
> modprobe ip_nat_ftp
> modprobe ip_queue
> modprobe ip_tables
> modprobe ipt_LOG
> modprobe ipt_MARK
> modprobe ipt_MASQUERADE
> modprobe ipt_REDIRECT
> modprobe ipt_REJECT
> modprobe ipt_TCPMSS
> modprobe ipt_TOS
> modprobe ipt_limit
> modprobe ipt_mac
> modprobe ipt_mark
> modprobe ipt_multiport
> modprobe ipt_owner
> modprobe ipt_state
> modprobe ipt_tcpmss
> modprobe ipt_tos
> modprobe iptable_filter
> modprobe iptable_mangle
> modprobe iptable_nat
> echo "1" > /proc/sys/net/ipv4/ip_forward
> echo "Ativando Modulos ................................... [ OK ]"
>
> #### Definicao de Policiamento ####
> # Tabela filter
> $iptables -t filter -P INPUT DROP
> $iptables -t filter -P OUTPUT DROP
> $iptables -t filter -P FORWARD DROP
> # Tabela nat
> $iptables -t nat -P PREROUTING DROP
> $iptables -t nat -P OUTPUT DROP
> $iptables -t nat -P POSTROUTING DROP
> # Tabela mangle
> $iptables -t mangle -P PREROUTING DROP
> $iptables -t mangle -P OUTPUT DROP
> $iptables -t mangle -P INPUT DROP
> $iptables -t mangle -P POSTROUTING DROP
> echo "Definindo Policiamento ............................. [ OK ]"
>
> #### Permitindo conexoes ja estabelecidas ####
> $iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> #### Trafego LoopBack Aceito ####
> $iptables -A INPUT -i lo -j ACCEPT
>
> echo ">>>>>>>>>>>>>>>>>> Regras para usuarios <<<<<<<<<<<<<<<<<<"
>
> #### Servidor SSH Rede > Internet ####
> $iptables -t nat -A POSTROUTING -p tcp --dport 22 -o $internet -j
> MASQUERADE
> $iptables -A FORWARD -p tcp -i $internet --sport 22 -j ACCEPT
> $iptables -A FORWARD -p tcp -i $intranet --dport 22 -j ACCEPT
> $iptables -t nat -A PREROUTING -i $internet -p tcp --dport 22 -j ACCEPT
> $iptables -t nat -A PREROUTING -i $intranet -p tcp --dport 22 -j ACCEPT
> $iptables -t mangle -A PREROUTING -p tcp -i $internet --sport 22 -j
> ACCEPT
> $iptables -t mangle -A PREROUTING -p tcp -i $intranet --dport 22 -j
> ACCEPT
> $iptables -t mangle -A POSTROUTING -p tcp -o $internet --dport 22 -j
> ACCEPT
> $iptables -t mangle -A POSTROUTING -p tcp -o $intranet --sport 22 -j
> ACCEPT
> echo "Servidor ssh Internet .............................. [ OK ]"
>
> #### Acesso ssh Internet > Servidor ####
> $iptables -A INPUT -p tcp --dport 22 -i $internet -j ACCEPT
> $iptables -A OUTPUT -p tcp --sport 22 -o $internet -j ACCEPT
> $iptables -t mangle -A PREROUTING -p tcp -i $internet --dport 22 -j
> ACCEPT
> $iptables -t mangle -A INPUT -p tcp --dport 22 -i $internet -j ACCEPT
> $iptables -t mangle -A OUTPUT -p tcp --sport 22 -o $internet -j ACCEPT
> $iptables -t mangle -A POSTROUTING -p tcp -o $internet --sport 22 -j
> ACCEPT
>
> #### Acesso ssh Servidor > Internet ####
> $iptables -A INPUT -p tcp --sport 22 -i $internet -j ACCEPT
> $iptables -A OUTPUT -p tcp --dport 22 -o $internet -j ACCEPT
> $iptables -t mangle -A PREROUTING -p tcp -i $internet --sport 22 -j
> ACCEPT
> $iptables -t mangle -A INPUT -p tcp --sport 22 -i $internet -j ACCEPT
> $iptables -t mangle -A OUTPUT -p tcp --dport 22 -o $internet -j ACCEPT
> $iptables -t mangle -A POSTROUTING -p tcp -o $internet --dport 22 -j
> ACCEPT
>
> #### Servidor SSH Intranet ####
> $iptables -A INPUT -i $intranet -p tcp --dport 22 -j ACCEPT
> $iptables -A INPUT -i $intranet -p tcp --syn --dport 22 -j ACCEPT
> $iptables -A INPUT -i $intranet -p tcp --dport 22 -j LOG --log-prefix
> "SSH INTRA: "
> $iptables -A OUTPUT -o $intranet -d $rede -p tcp --sport 22 -j ACCEPT
> $iptables -t mangle -A INPUT -i $intranet -s $rede -p tcp --dport 22
> -j ACCEPT
> $iptables -t mangle -A INPUT -i $intranet -p tcp --syn --dport 22 -j
> ACCEPT
> $iptables -t mangle -A OUTPUT -o $intranet -d $rede -p tcp --sport 22
> -j ACCEPT
> echo "Servidor ssh Intranet .............................. [ OK ]"
>
> #### Compartilhamento de Internet ####
> $iptables -t nat -A POSTROUTING -p tcp --dport 80 -o $internet -s
> 192.168.121.0/24 -j MASQUERADE
> $iptables -A FORWARD -p tcp -i $internet --sport 80 -j ACCEPT
> $iptables -A FORWARD -p tcp -i $intranet --dport 80 -j ACCEPT
> $iptables -t mangle -A PREROUTING -p tcp -i $internet --sport 80 -j
> ACCEPT
> $iptables -t mangle -A PREROUTING -p tcp -i $intranet --dport 80 -j
> ACCEPT
> $iptables -t mangle -A POSTROUTING -p tcp -o $internet --dport 80 -j
> ACCEPT
> $iptables -t mangle -A POSTROUTING -p tcp -o $intranet --sport 80 -j
> ACCEPT
> $iptables -t nat -A PREROUTING -p tcp -i $internet --dport 80 -j ACCEPT
> $iptables -t nat -A PREROUTING -p tcp -i $intranet --dport 80 -j ACCEPT
> $iptables -t nat -A POSTROUTING -p tcp -o $internet --dport 80 -j ACCEPT
> $iptables -t nat -A POSTROUTING -p tcp -o $intranet --sport 80 -j ACCEPT
> $iptables -t nat -A OUTPUT -p tcp -o $internet --dport 80 -j ACCEPT
> $iptables -t nat -A OUTPUT -p tcp -o $intranet --sport 80 -j ACCEPT
> echo "Compartilhamento de Internet ....................... [ OK ]"
>
> echo "<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"
>
> #### Protecao contra SynFloods ####
> $iptables -A FORWARD -p tcp --syn -m limit --limit 3/s -j ACCEPT
> echo "Protecao contra SynFloods .......................... [ OK ]"
>
> #### Protecao contra ping da morte ####
> $iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit
> 1/s -j ACCEPT
> echo "Protecao contra ping da morte ...................... [ OK ]"
>
> #### Bloqueando pacotes fragmentados ####
> $iptables -A INPUT -f -i $internet -j LOG --log-prefix "Fragmentos: "
> $iptables -A INPUT -f -i $internet -j DROP
> echo "Bloquando pacotes fragmentados ..................... [ OK ]"
>
> #### Protecao contra ping flood ####
> $iptables -A INPUT -p icmp -m limit --limit 1/s -j ACCEPT
> echo "Protecao contra ping flood ......................... [ Ok ]"
>
> #### Conexoes Locais ####
> $iptables -t nat -A POSTROUTING -o lo -j ACCEPT
>
> echo ""
> echo "-------------======= Firewall Ativado =======--------------"
>

--
To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Security World

Wednesday, October 24, 2007

Re: Default Policy = DROP. Help-me

No comments:

Post a Comment