# Linux Firewalls - host myhost.mydomain.ru
# Starting firewalling...
#------------------------------------------------------------------
# Default
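*filter
# Built-in chain policies. All three are ACCEPT, so every chain in this table is
# a deny-list: a packet that matches none of the DROP/REJECT rules below is let
# through.
# NOTE(review): confirm that a terminal DROP/REJECT rule (or a DROP policy) exists
# further down in this table; this excerpt ends before COMMIT, so it is not shown.
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# User-defined chains. Nothing in this excerpt jumps to them; presumably they are
# targets of per-interface rules further down - verify they are actually referenced.
:admin-in - [0:0]
:dep-in - [0:0]
:wifi-in - [0:0]
#------------------------------------------------------------
# Unlimited traffic on the loopback interface
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
#------------------------------------------------------------
# Stealth Scans and TCP State Flags
# Each rule drops a TCP flag combination that never occurs in a legitimate
# connection. The first --tcp-flags argument is the mask (which bits to examine),
# the second is the set of bits that must be on within that mask.
# These rules sit before the ESTABLISHED,RELATED shortcut, so they are applied to
# every TCP packet, not only to connection attempts.
# All of the bits are cleared
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
# SYN and FIN are both set
-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# SYN and RST are both set
-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# FIN and RST are both set
-A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
-A FORWARD -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
# FIN is the only bit set, without the expected accompanying ACK
-A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
-A FORWARD -p tcp --tcp-flags ACK,FIN FIN -j DROP
# PSH is the only bit set, without the expected accompanying ACK
-A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
-A FORWARD -p tcp --tcp-flags ACK,PSH PSH -j DROP
# URG is the only bit set, without the expected accompanying ACK
-A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
-A FORWARD -p tcp --tcp-flags ACK,URG URG -j DROP
#------------------------------------------------------------
# Using Connection State to By-pass Rule Checking
# Packets that belong to (or are related to) a tracked connection are accepted
# here, so the per-service rules below only ever see connection attempts.
# NOTE(review): "-m state" is the legacy name of the match; "-m conntrack
# --ctstate" is the current module and takes the same state names.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# INVALID marks packets the connection tracker cannot associate with any known
# connection. Secondary connections of multi-connection protocols (FTP data,
# IRC DCC) are only classified RELATED when the matching conntrack helper (ALG)
# is loaded; which helpers exist depends on the kernel build - the author relied
# on FTP and IRC being available.
# The LOG targets below have no rate limit: every INVALID packet produces one log
# line. Put "-m limit" in front of them if log volume on this host matters.
-A INPUT -m state --state INVALID -j LOG --log-prefix "INVALID input: "
-A INPUT -m state --state INVALID -j DROP
# Fixed: the prefix was "INVALID ouput: " (typo). Log searches and alert rules
# that key on the "INVALID <chain>" pattern of the other two prefixes missed it.
-A OUTPUT -m state --state INVALID -j LOG --log-prefix "INVALID output: "
-A OUTPUT -m state --state INVALID -j DROP
-A FORWARD -m state --state INVALID -j LOG --log-prefix "INVALID forward: "
-A FORWARD -m state --state INVALID -j DROP
#------------------------------------------------------------
# Source Address Spoofing and Other Bad Addresses
# eth1 is treated as the external (untrusted) interface throughout this section.
# Refuse spoofed packets pretending to be from the external interface's IP address
# x.x.x.x is a placeholder: substitute the real eth1 address before loading, or
# iptables-restore rejects the rule and the whole table fails to load.
-A INPUT -i eth1 -s x.x.x.x -j DROP
# Refuse packets claiming to be from a Class A private network (RFC 1918 10/8)
# Left disabled by the author; re-enable unless the upstream link legitimately
# delivers packets with 10/8 source addresses.
#-A INPUT -i eth1 -s 10.0.0.0/8 -j DROP
# Refuse packets claiming to be from a Class B private network (RFC 1918 172.16/12)
-A INPUT -i eth1 -s 172.16.0.0/12 -j DROP
# Refuse packets claiming to be from a Class C private network (RFC 1918 192.168/16)
-A INPUT -i eth1 -s 192.168.0.0/16 -j DROP
# Refuse packets claiming to be from the loopback interface
-A INPUT -i eth1 -s 127.0.0.0/8 -j DROP
# Refuse malformed broadcast packets
-A INPUT -i eth1 -s 255.255.255.255 -j LOG --log-prefix "Malformed broadcast: "
-A INPUT -i eth1 -s 255.255.255.255 -j DROP
-A INPUT -i eth1 -d 0.0.0.0 -j LOG --log-prefix "Malformed broadcast: "
-A INPUT -i eth1 -d 0.0.0.0 -j DROP
# Refuse directed broadcasts
# Used to map networks and in Denial of Service attacks
# Disabled: an iptables-save file does not expand shell variables, so the two
# placeholders must be replaced by literal addresses before these are enabled.
#$SUBNET_BASE="network.address" # ISP network segment base address
#$SUBNET_BROADCAST="directed.broadcast" # network segment broadcast address
#-A INPUT -i eth1 -d $SUBNET_BASE -j DROP
#-A INPUT -i eth1 -d $SUBNET_BROADCAST -j DROP
# Refuse limited broadcasts
-A INPUT -i eth1 -d 255.255.255.255 -j DROP
# Refuse Class D multicast addresses
# illegal as a source address
-A INPUT -i eth1 -s 224.0.0.0/4 -j DROP
# Multicast destinations: drop everything that is not UDP.
# "! -p udp" is the documented (extrapositioned) form of the negation; the
# original "-p ! udp" is the same match but is reported as deprecated by iptables.
-A INPUT -i eth1 ! -p udp -d 224.0.0.0/4 -j DROP
# This accepts any UDP datagram addressed to a multicast group arriving on eth1.
# If the host joins no multicast groups on that interface, it can be a DROP.
-A INPUT -i eth1 -p udp -d 224.0.0.0/4 -j ACCEPT
# Refuse Class E reserved IP addresses
# Fixed: the original mask /5 covered only 240.0.0.0-247.255.255.255. The reserved
# Class E block is 240.0.0.0/4 (240.0.0.0-255.255.255.255), so sources in
# 248.0.0.0/5 were not caught by this rule.
-A INPUT -i eth1 -s 240.0.0.0/4 -j DROP
# refuse addresses defined as reserved by the IANA
# 0.*.*.* - Can`t be blocked unilaterally with DHCP
# 169.254.0.0/16 - Link Local Networks
# 192.0.2.0/24 - TEST-NET
# NOTE(review): the 0.0.0.0/8 rule below does drop DHCP DISCOVER/REQUEST packets
# (source 0.0.0.0) arriving on eth1, despite the comment above - only a problem
# if this host serves or relays DHCP on eth1; confirm it does not.
-A INPUT -i eth1 -s 0.0.0.0/8 -j DROP
-A INPUT -i eth1 -s 169.254.0.0/16 -j DROP
-A INPUT -i eth1 -s 192.0.2.0/24 -j DROP
#------------------------------------------------------------
# Disallowing Connections to Common TCP Unprivileged Server Ports
# Outbound attempts are REJECTed so the local client fails immediately; inbound
# attempts are silently DROPped. "--syn" restricts the match to the
# connection-opening segment, so established flows are unaffected.
# X Window connection establishment
-A OUTPUT -o eth1 -p tcp --syn --destination-port 6000:6063 -j REJECT
# X Window: incoming connection attempt
-A INPUT -i eth1 -p tcp --syn --destination-port 6000:6063 -j DROP
# Establishing a connection over TCP to NFS, OpenWindows, SOCKS or squid
# 2049 NFS, 2000 OpenWindows, 1080 SOCKS, 3128 and 8080 squid / HTTP proxies
-A OUTPUT -o eth1 -p tcp -m multiport --destination-port 2049,2000,1080,3128,8080 --syn -j REJECT
-A INPUT -i eth1 -p tcp -m multiport --destination-port 2049,2000,1080,3128,8080 --syn -j DROP
#------------------------------------------------------------
# Disallowing Connections to Common UDP Unprivileged Server Ports
# NFS and lockd
-A OUTPUT -o eth1 -p udp -m multiport --destination-port 2049,4045 -j REJECT
-A INPUT -i eth1 -p udp -m multiport --destination-port 2049,4045 -j DROP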