Comments

I went through it a few times, but I couldn't figure out the solution...
Because, for example, it's a big problem that DROP takes precedence over ACCEPT. If I set it to drop everything, then no matter what I add to ACCEPT afterwards, it ignores it :( . If that weren't the case, it might be easier to solve.

I have UHU Linux 1.1s on the machine, with the built-in guarddog (i.e. iptables) firewall, which is up and running. The only problem is that outbound it also allows only the ports that have been configured. I would like it not to filter outbound traffic, i.e. to allow every port outbound. How could this be done?
[code]
iptables -P OUTPUT ACCEPT
iptables -A OUTPUT -j ACCEPT
[/code]
Thx! I had already tried the second line myself, but on its own it had no effect. Thanks again!

[quote="XmIsTeR"]I have UHU Linux 1.1s on the machine, with the built-in guarddog (i.e. iptables) firewall, which is up and running. The only problem is that outbound it also allows only the ports that have been configured. I would like it not to filter outbound traffic, i.e. to allow every port outbound. How could this be done?[/quote]
iptables -L > hup.hu

Nothing happens, I just get the prompt back.
I guess this means it allows everything towards hup.hu, which isn't good, because I'd need to allow outbound traffic to everywhere... but if that's not what it does, then enlighten me :roll:

I think Oregon wanted to find out the list of firewall rules :D
That would be the output of the iptables -L or iptables-save command.

hup.hu is the name of the file on your machine. :)
Look at it!!!!!!!!!!

root@l1:~# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- libronet 62.255.255.255
logaborted tcp -- anywhere anywhere state RELATED,ESTABLISHED tcp flags:RST/RST
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
nicfilt all -- anywhere anywhere
srcfilt all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
srcfilt all -- anywhere anywhere
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
s1 all -- anywhere anywhere
Chain f0to1 (3 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:pop3 state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:0 state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpts:5900:5903 state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:5800 state NEW
ACCEPT udp -- anywhere anywhere udp dpt:40003
ACCEPT udp -- anywhere anywhere udp dpt:ntp
ACCEPT tcp -- anywhere anywhere tcp dpt:40003 state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:imap state NEW
ACCEPT udp -- anywhere anywhere udp dpt:imap
ACCEPT tcp -- anywhere anywhere tcp dpt:6881 state NEW
ACCEPT udp -- anywhere anywhere udp dpt:11337
ACCEPT tcp -- anywhere anywhere tcp dpt:domain state NEW
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:4032 state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:5214 state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:ssh state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:0:1023 dpt:ssh state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:imaps state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:smtp state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:telnet state NEW
ACCEPT udp -- anywhere anywhere udp dpt:10001
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:pop3s state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:10001 state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:mysql state NEW
ACCEPT udp -- anywhere anywhere udp dpt:6881
ACCEPT tcp -- anywhere anywhere tcp dpt:boks_servm state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:http state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:http-alt state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:http-alt state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:irdmi state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:ftp state NEW
ACCEPT udp -- anywhere anywhere udp dpt:boks_servm
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:https state NEW
logdrop all -- anywhere anywhere
Chain f1to0 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spts:1024:cvsup dpt:pop3 state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:rtsclient state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:cvsup dpts:5900:5903 state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:cvsup dpt:5800 state NEW
ACCEPT udp -- anywhere anywhere udp dpt:40003
ACCEPT udp -- anywhere anywhere udp dpt:ntp
ACCEPT tcp -- anywhere anywhere tcp dpt:40003 state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:cvsup dpt:imap state NEW
ACCEPT udp -- anywhere anywhere udp dpt:imap
ACCEPT tcp -- anywhere anywhere tcp dpt:6881 state NEW
ACCEPT udp -- anywhere anywhere udp dpt:11337
ACCEPT tcp -- anywhere anywhere tcp dpt:domain state NEW
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:4032 state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:5214 state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:cvsup dpt:ssh state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:0:1023 dpt:ssh state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:cvsup dpt:imaps state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:cvsup dpt:smtp state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:cvsup dpt:telnet state NEW
ACCEPT udp -- anywhere anywhere udp dpt:10001
ACCEPT tcp -- anywhere anywhere tcp spts:1024:cvsup dpt:pop3s state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:10001 state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:cvsup dpt:mysql state NEW
ACCEPT udp -- anywhere anywhere udp dpt:6881
ACCEPT tcp -- anywhere anywhere tcp dpt:boks_servm state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:cvsup dpt:http state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:cvsup dpt:http-alt state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:cvsup dpt:http-alt state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:cvsup dpt:irdmi state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:cvsup dpt:ftp state NEW
ACCEPT udp -- anywhere anywhere udp dpt:boks_servm
ACCEPT tcp -- anywhere anywhere tcp spts:1024:cvsup dpt:https state NEW
logreject tcp -- anywhere anywhere tcp dpt:0 state NEW
logdrop all -- anywhere anywhere
Chain logaborted (1 references)
target prot opt source destination
logaborted2 all -- anywhere anywhere limit: avg 2/sec burst 10
LOG all -- anywhere anywhere limit: avg 2/min burst 1 LOG level warning prefix `LIMITED '
Chain logaborted2 (1 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning tcp-sequence tcp-options ip-options prefix `ABORTED '
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Chain logdrop (4 references)
target prot opt source destination
logdrop2 all -- anywhere anywhere limit: avg 2/sec burst 10
LOG all -- anywhere anywhere limit: avg 2/min burst 1 LOG level warning prefix `LIMITED '
DROP all -- anywhere anywhere
Chain logdrop2 (1 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning tcp-sequence tcp-options ip-options prefix `DROPPED '
DROP all -- anywhere anywhere
Chain logreject (1 references)
target prot opt source destination
logreject2 all -- anywhere anywhere limit: avg 2/sec burst 10
LOG all -- anywhere anywhere limit: avg 2/min burst 1 LOG level warning prefix `LIMITED '
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
DROP all -- anywhere anywhere
Chain logreject2 (1 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning tcp-sequence tcp-options ip-options prefix `REJECTED '
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
DROP all -- anywhere anywhere
Chain nicfilt (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
logdrop all -- anywhere anywhere
Chain s0 (1 references)
target prot opt source destination
f0to1 all -- anywhere libronet
f0to1 all -- anywhere 62.255.255.255
f0to1 all -- anywhere l1
logdrop all -- anywhere anywhere
Chain s1 (1 references)
target prot opt source destination
f1to0 all -- anywhere anywhere
Chain srcfilt (2 references)
target prot opt source destination
s0 all -- anywhere anywhere

Great!
Now go and look up what each thing means here:
http://www.szabilinux.hu/iptables/index.html
and you'll know right away what you shouldn't have turned on.
Sorry for RTFM-ing you, but I feel this is how I can help the most.
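
Added example, not part of the original thread: a small Python model of how a packet walks the OUTPUT chain in the listing posted above, showing where a rule added with `-A` lands compared with one inserted at position 1. All function names are hypothetical. The model assumes the first OUTPUT rule matches only the loopback interface (plain `iptables -L` does not print interface matches; `iptables -L -v` and `iptables-save` do), reduces f1to0 to two of its ports, and omits LOG rules.

```python
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

# Match predicates over a packet dict (constructed model, not real iptables).
def any_pkt(p): return True
def loopback(p): return p["out_if"] == "lo"   # assumption: rule 1 hides "-o lo"
def established(p): return p["state"] in ("RELATED", "ESTABLISHED")
def new_tcp(dport):
    return lambda p: (p["proto"], p["state"], p["dport"]) == ("tcp", "NEW", dport)

def build_chains():
    """Subset of the posted listing that OUTPUT traffic can reach (LOG rules omitted)."""
    return {
        "OUTPUT": [(loopback, "ACCEPT"), (established, "ACCEPT"), (any_pkt, "s1")],
        "s1": [(any_pkt, "f1to0")],
        "f1to0": [(new_tcp(22), "ACCEPT"), (new_tcp(80), "ACCEPT"), (any_pkt, "logdrop")],
        "logdrop": [(any_pkt, "DROP")],
    }

def traverse(chains, name, pkt, path):
    """Rules are tried in order; the first terminating target ends evaluation."""
    for idx, (match, target) in enumerate(chains[name], start=1):
        if not match(pkt):
            continue
        path.append(f"{name}#{idx}->{target}")
        if target in TERMINAL:
            return target
        if target == "RETURN":
            return None                      # back to the calling chain
        result = traverse(chains, target, pkt, path)
        if result is not None:
            return result
    return None                              # fell off the end of the chain

def verdict(chains, policy, pkt):
    """The policy applies only when no rule reached from OUTPUT gave a verdict."""
    path = []
    result = traverse(chains, "OUTPUT", pkt, path)
    if result is None:
        result = policy
        path.append(f"policy->{policy}")
    return result, path

def with_rule(position):
    """position=None models `-A OUTPUT -j ACCEPT`; 0 models `-I OUTPUT 1 -j ACCEPT`."""
    chains = build_chains()
    index = len(chains["OUTPUT"]) if position is None else position
    chains["OUTPUT"].insert(index, (any_pkt, "ACCEPT"))
    return chains

PKT = {"out_if": "eth0", "proto": "tcp", "state": "NEW", "dport": 12345}  # constructed

if __name__ == "__main__":
    for label, chains in (("as posted", build_chains()), ("-A", with_rule(None)), ("-I 1", with_rule(0))):
        print(label, *verdict(chains, "DROP", PKT))
```

In this model the appended rule sits behind the jump to s1, whose f1to0 chain ends in logdrop, so it is never evaluated; the inserted rule is matched first.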