Hi everyone!
The firewall script below is meant to run on a gateway; it works, but it floods kern.log with entries like these:
Apr 22 17:01:17 IBM-Server FORWARD_DROP: IN=eth2 OUT=eth3 SRC=192.168.1.74 DST=84.1.109.74 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=63895 DF PROTO=TCP SPT=3212 DPT=28554 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 22 17:01:17 IBM-Server FORWARD_DROP: IN=eth2 OUT=eth3 SRC=192.168.1.74 DST=85.186.2.86 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=63896 DF PROTO=TCP SPT=3214 DPT=16488 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 22 17:01:18 IBM-Server FORWARD_DROP: IN=eth2 OUT=eth3 SRC=192.168.1.74 DST=145.236.126.69 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=64200 DF PROTO=TCP SPT=3211 DPT=10211 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 22 17:01:22 IBM-Server FORWARD_DROP: IN=eth2 OUT=eth3 SRC=192.168.1.74 DST=85.66.101.127 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=65054 DF PROTO=TCP SPT=3219 DPT=62675 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 22 17:01:22 IBM-Server FORWARD_DROP: IN=eth2 OUT=eth3 SRC=192.168.1.74 DST=86.101.150.158 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=65055 DF PROTO=TCP SPT=3220 DPT=42091 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 22 17:01:25 IBM-Server FORWARD_DROP: IN=eth2 OUT=eth3 SRC=192.168.1.74 DST=86.101.150.158 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=65534 DF PROTO=TCP SPT=3220 DPT=42091 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 22 17:01:41 IBM-Server FORWARD_DROP: IN=eth2 OUT=eth3 SRC=192.168.1.74 DST=84.3.131.116 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=3380 DF PROTO=TCP SPT=3225 DPT=15312 WINDOW=65535 RES=0x00 SYN URGP=0
What could be causing this?
I'd also like to know whether, apart from working, this script is also sound from a security standpoint. (I haven't put a firewall on the gateway yet.)
Most importantly: right now we're testing it in the dorm; later it will run over ADSL. Is it enough to just change it to KULSO_ETH=ppp0?
#!/bin/sh
echo "Starting firewall"
BELSO_ETH=eth2
KULSO_ETH=eth3
iptables -Z
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
echo "1" > /proc/sys/net/ipv4/ip_forward # enable IP forwarding
echo "1" >/proc/sys/net/ipv4/tcp_syncookies # DoS (SYN flood) protection
echo "1" >/proc/sys/net/ipv4/conf/all/rp_filter # source address verification
# INPUT chain
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $BELSO_ETH -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $KULSO_ETH -p tcp --dport 22 -m limit --limit 3/m -j LOG --log-prefix "SSH_ACCEPT: " # LOG is non-terminating, so it must precede the ACCEPT or it never fires
iptables -A INPUT -i $KULSO_ETH -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i $KULSO_ETH -p tcp -m multiport --dport 21,80 -j ACCEPT
iptables -A INPUT -i $BELSO_ETH -p tcp --syn -s 192.168.1.0/24 --dport 139 -j ACCEPT # --dport (not -dport); /24 is the LAN, /8 would mean 192.0.0.0/8
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 3/m --limit-burst 1 -j ACCEPT
iptables -A INPUT -j LOG --log-prefix "INPUT_DROP: "
# OUTPUT chain
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT # DNS
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT # DNS
# iptables -A OUTPUT -o $BELSO_ETH -j ACCEPT
# iptables -A OUTPUT -o $KULSO_ETH -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --dport 20,21,22,80,1863,6667,1021 -j ACCEPT
iptables -A OUTPUT -j LOG --log-prefix "OUTPUT_DROP: "
# FORWARD chain
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 3/m --limit-burst 1 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -s 192.168.1.0/24 --destination-port 80 -j REDIRECT --to-ports 3128 # squid; /24 is the LAN, /8 would mean 192.0.0.0/8
iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu # MSS clamping against packet fragmentation (listed once; the duplicate copy is not needed)
iptables -A FORWARD -j LOG --log-prefix "FORWARD_DROP: "
# NAT
iptables -t nat -A POSTROUTING -o $KULSO_ETH -s 192.168.1.0/24 -j MASQUERADE # /24 is the LAN, /8 would masquerade all of 192.0.0.0/8
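As an added example (editor's code, not the poster's script), here is a small Python parser for kern.log lines of the shape shown in the post. It separates genuinely new connection attempts (SYN set, ACK clear, which conntrack would classify as NEW) from everything else, groups them by source host, and counts retransmitted SYNs separately from distinct attempts, so the cause of a log flood can be read off rather than guessed. The sample lines are constructed after the ones in the post, with one extra INPUT_DROP line (RFC 5737 documentation addresses) added for contrast. The finding it produces follows from the posted ruleset: the FORWARD chain accepts only ESTABLISHED,RELATED and rate-limited echo-request, and port 80 is diverted to squid by the PREROUTING REDIRECT, so every other new TCP connection from the LAN reaches the LOG rule and then the DROP policy.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the shape of the kern.log lines from the post; the
# INPUT_DROP line is added so the parser has something other than FORWARD_DROP
# to classify (its addresses are RFC 5737 documentation ranges).
SAMPLE_LOG = """\
Apr 22 17:01:17 IBM-Server FORWARD_DROP: IN=eth2 OUT=eth3 SRC=192.168.1.74 DST=84.1.109.74 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=63895 DF PROTO=TCP SPT=3212 DPT=28554 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 22 17:01:18 IBM-Server FORWARD_DROP: IN=eth2 OUT=eth3 SRC=192.168.1.74 DST=145.236.126.69 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=64200 DF PROTO=TCP SPT=3211 DPT=10211 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 22 17:01:22 IBM-Server FORWARD_DROP: IN=eth2 OUT=eth3 SRC=192.168.1.74 DST=86.101.150.158 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=65055 DF PROTO=TCP SPT=3220 DPT=42091 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 22 17:01:25 IBM-Server FORWARD_DROP: IN=eth2 OUT=eth3 SRC=192.168.1.74 DST=86.101.150.158 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=65534 DF PROTO=TCP SPT=3220 DPT=42091 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 22 17:01:30 IBM-Server INPUT_DROP: IN=eth3 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=100 PROTO=TCP SPT=44321 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prefix>\w+): (?P<rest>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_line(line):
    """Parse one iptables LOG line into a dict; returns None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    rec = {"ts": m.group("ts"), "host": m.group("host"), "prefix": m.group("prefix")}
    rec.update(KV_RE.findall(rest))          # KEY=VALUE fields (OUT= gives "")
    bare = {tok for tok in rest.split() if "=" not in tok}  # SYN, ACK, DF, ...
    rec["flags"] = bare & TCP_FLAGS
    rec["df"] = "DF" in bare
    return rec


def is_new_tcp_connection(rec):
    """SYN set and ACK clear is the first packet of a connection (conntrack NEW);
    only a rule that accepts NEW traffic can let it through."""
    return rec.get("PROTO") == "TCP" and "SYN" in rec["flags"] and "ACK" not in rec["flags"]


def summarize_drops(log_text, lan_if="eth2"):
    """Group dropped packets so the cause of a log flood can be read off."""
    s = {
        "lan_new_syn_packets": Counter(),          # SRC -> logged new-connection SYNs
        "lan_new_syn_attempts": defaultdict(set),  # SRC -> distinct (SPT, DST, DPT)
        "lan_dest_ports": defaultdict(set),        # SRC -> destination ports tried
        "forward_other": 0,                        # FORWARD drops that are not LAN SYNs
        "input_drops": Counter(),                  # (PROTO, DPT) -> count
    }
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["prefix"] == "FORWARD_DROP":
            if rec.get("IN") == lan_if and is_new_tcp_connection(rec):
                src = rec["SRC"]
                s["lan_new_syn_packets"][src] += 1
                s["lan_new_syn_attempts"][src].add((rec["SPT"], rec["DST"], rec["DPT"]))
                s["lan_dest_ports"][src].add(int(rec["DPT"]))
            else:
                s["forward_other"] += 1
        elif rec["prefix"] == "INPUT_DROP":
            s["input_drops"][(rec.get("PROTO"), rec.get("DPT"))] += 1
    return s


def diagnose(summary):
    """One finding per LAN host; a SYN seen twice with the same 4-tuple is a
    client retransmitting because its first SYN was silently dropped."""
    findings = []
    for src, packets in summary["lan_new_syn_packets"].items():
        attempts = len(summary["lan_new_syn_attempts"][src])
        retransmits = packets - attempts
        ports = sorted(summary["lan_dest_ports"][src])
        findings.append(
            f"{src}: {attempts} new outbound TCP connection(s) dropped in FORWARD "
            f"({retransmits} retransmitted SYN(s)); destination ports {ports}. "
            "FORWARD accepts only ESTABLISHED,RELATED and rate-limited ping, and "
            "port 80 is redirected to squid, so every other new connection hits "
            "the LOG rule and then the DROP policy."
        )
    return findings


if __name__ == "__main__":
    for finding in diagnose(summarize_drops(SAMPLE_LOG)):
        print(finding)
```

If forwarding from the LAN is intended, the rule the posted script lacks is an explicit accept for new connections from the inside interface to the outside one, placed before the FORWARD LOG rule (for example `iptables -A FORWARD -i $BELSO_ETH -o $KULSO_ETH -s 192.168.1.0/24 -m state --state NEW -j ACCEPT`); keep the LOG rule after it so whatever is still dropped stays visible, and give that LOG rule an `-m limit` so one chatty client cannot fill kern.log. The same parser works unchanged when the outside interface becomes ppp0, since it keys on the LAN side only.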