IPTables Regel *lookinside*

Hardraada

IPTables Regel *lookinside*

#1 Post by Hardraada »

Hi

also ich bräuchte mal dringend die Regel für iptables, um NUR 2 Rechnern zu erlauben, miteinander zu kommunizieren, und das auch nur über FTP Port 21.
danke schonmal

Hardraada

ratte

Re: IPTables Regel *lookinside*

#2 Post by ratte »

hier, mal eben ;)

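#!/bin/bash
# Minimal host firewall for a two-machine FTP setup: permit only the FTP
# control/data exchange between IP_1 and IP_2 on eth1, drop everything
# else.  Usage: $0 [start|stop].  Must run as root (writes /proc/sys and
# calls iptables).
#
# Constants are readonly on purpose: the script runs as root, so they
# must not be silently overridable later in the file.
readonly IPT=/sbin/iptables
readonly IP_1=172.16.0.1
readonly IP_2=172.16.0.2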

usage ()
{
  # Print the accepted invocation forms to stdout.
  # Globals: none.  Arguments: none.
  printf '%s [start|stop]\n' "$0"
}

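fire_on ()
{
  # Insert the ACCEPT rules for the FTP exchange between IP_1 and IP_2
  # on the given interface (default eth1).  Rules are inserted (-I) at
  # the top of INPUT and OUTPUT, ahead of anything already present.
  # Globals: IPT, IP_1, IP_2 (read).
  # Returns: status of the last iptables call.
  local iface=eth1
  echo "starting IPTABLES roules"

  # Control channel and active-mode data: IP_1 high port -> IP_2 ftp/ftp-data.
  # NOTE(review): the original had "d $IP_2" (missing dash) on this rule,
  # which iptables rejects as a bad argument; fixed to -d.
  # NOTE(review): "1023:" means port 1023 and above; 1024: is the usual
  # unprivileged range -- confirm the intent.
  "$IPT" -I INPUT -p tcp -s "$IP_1" --sport 1023: \
    --dport 20:21 -i "$iface" -d "$IP_2" -j ACCEPT
  # High port -> high port: needed for passive-mode data connections, but
  # as written it admits ANY TCP between unprivileged ports of the two
  # hosts, not just FTP.  ip_conntrack_ftp is loaded by "start", yet no
  # rule here uses -m state --state ESTABLISHED,RELATED, which would let
  # this blanket rule be narrowed to tracked FTP data sessions.
  "$IPT" -I INPUT -p tcp -s "$IP_1" --sport 1023: \
    --dport 1023: -i "$iface" -d "$IP_2" -j ACCEPT
  # Active-mode data from the server side (source port 20/21) to a high port.
  "$IPT" -I INPUT -p tcp -s "$IP_1" --sport 20:21 \
    --dport 1023: -i "$iface" -d "$IP_2" -j ACCEPT

  # NOTE(review): the OUTPUT rules match packets with source IP_1 and
  # destination IP_2, exactly like the INPUT rules above.  On a single
  # host only one of the two chains can ever see such packets, so either
  # the INPUT or the OUTPUT set never matches -- confirm on which host
  # this runs and whether the OUTPUT addresses should be swapped.
  "$IPT" -I OUTPUT -p tcp -s "$IP_1" --sport 20:21 \
    --dport 1023: -o "$iface" -d "$IP_2" -j ACCEPT
  "$IPT" -I OUTPUT -p tcp -s "$IP_1" --sport 1023: \
    --dport 1023: -o "$iface" -d "$IP_2" -j ACCEPT
  "$IPT" -I OUTPUT -p tcp -s "$IP_1" --sport 1023: \
    --dport 20:21 -o "$iface" -d "$IP_2" -j ACCEPT
}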

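init_on ()
{
  # Harden the IPv4 stack via /proc/sys, then reset iptables to a
  # deny-all baseline in which only loopback traffic is accepted.
  # Needs root.  Globals: IPT (read).
  # Returns: status of the last iptables call.
  ### SYSCTL: PERFORMANCE TUNING, DoS, ETC ---------------------------
  # Definitions @ http://www.tldp.org/HOWTO/Adv-Routing-HOWTO-13.html
  #
  #echo 1 > /proc/sys/net/ipv4/ip_forward # Enable IP masq
  echo 1 > /proc/sys/net/ipv4/ip_dynaddr # Rewrite new address
  echo 1 > /proc/sys/net/ipv4/tcp_syncookies # TCP SYN overload
  # Written once (the original wrote this key twice with the same value).
  echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts # Smurf amplify off / no bcast response
  echo 1 > /proc/sys/net/ipv4/conf/all/log_martians # Spoof/route/redir
  echo 0 > /proc/sys/net/ipv4/tcp_timestamps # Uptime/GB Ethernet
  echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects # ICMP redirects off
  echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route # No return path mod
  echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses # No bad msgs

  ## Antispoofing: reverse-path check on every interface
  local f
  for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > "$f"; done

  ## set policies defaults to deny
  "$IPT" -F # flush all chain rules
  "$IPT" -X # delete all not builtin chains
  "$IPT" -Z # zero all counters
  "$IPT" -P INPUT DROP # deny all input
  "$IPT" -P OUTPUT DROP # deny all output
  "$IPT" -P FORWARD DROP # deny all forwarding

  ## keep lo running
  "$IPT" -A INPUT -i lo -j ACCEPT
  "$IPT" -A OUTPUT -o lo -j ACCEPT
  "$IPT" -A OUTPUT -f -o lo -j ACCEPT # -f: second and later fragments via lo
}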

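# Entry point: dispatch on the first argument.  Diagnostics go to stderr
# so they are not mistaken for usage output; exit 1 on bad invocation.
if [ "$#" -lt 1 ]; then
  echo "ERROR: not enough args." >&2
  usage >&2
  exit 1
fi

case "$1" in
  start)
    init_on
    # Tracks the FTP control channel so data connections could be matched
    # as RELATED.  Note that fire_on contains no state-based rule, so the
    # module has no effect on the rule set as it stands.
    /sbin/modprobe ip_conntrack_ftp
    fire_on
    /usr/bin/logger "Firewall is started."
    ;;

  stop)
    # init_on flushes every rule and sets DROP policies; the sysctl
    # hardening and the INPUT/OUTPUT policies are then reverted below.
    init_on
    # NOTE(review): "stop" actively re-enables ICMP redirects and source
    # routing and disables SYN cookies, i.e. it lowers hardening rather
    # than merely removing the firewall rules.  The sysctl part may be
    # better kept out of "stop" (or moved to its own init script).
    #echo 0 > /proc/sys/net/ipv4/ip_forward
    echo 0 > /proc/sys/net/ipv4/ip_dynaddr
    echo 0 > /proc/sys/net/ipv4/tcp_syncookies
    # Written once (the original wrote this key twice with the same value).
    echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    echo 0 > /proc/sys/net/ipv4/conf/all/log_martians
    echo 1 > /proc/sys/net/ipv4/tcp_timestamps
    echo 1 > /proc/sys/net/ipv4/conf/all/accept_redirects
    echo 1 > /proc/sys/net/ipv4/conf/all/accept_source_route
    echo 0 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 0 > "$f"; done

    /sbin/rmmod ip_conntrack_ftp
    "$IPT" -P INPUT ACCEPT
    "$IPT" -P OUTPUT ACCEPT
    # NOTE(review): FORWARD keeps the DROP policy set by init_on; only
    # INPUT and OUTPUT are opened again here.
    ;;

  *)
    echo "ERROR: wrong args." >&2
    usage >&2
    exit 1
    ;;
esac

# EOF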

ratte

hier

Re: IPTables Regel *lookinside*

#3 Post by hier »

die /proc regeln würde ich aber rausnehmen und in ein extra skript fassen. wenn du die firewall mal ausmachst hast du die proc regeln immer noch, das ist echt sinnvoll. nenn es doch /etc/init.d/procregel :)
ist nur so ein vorschlag

mfg

Michael

Re: IPTables Regel *lookinside*

#4 Post by Michael »

Sieht aba aus wie nur passives FTP, oda?

Cheers

Michael

ratte

Re: IPTables Regel *lookinside*

#5 Post by ratte »

wie kommst du denn darauf?

ratte

Michael

Re: IPTables Regel *lookinside*

#6 Post by Michael »

>$IPT -I INPUT -p tcp -s $IP_1 --sport 1023: \
> --dport 1023: -i eth1 -d $IP_2 -j ACCEPT

Oops, hatte wohl nen Knick in der Optik.

Cheers

Michael
