Sitter och försöker confa min server/router.
Tänkte använda Shorewall men börjar bli tveksam till att det är ett bra val.
Här kommer mina filer i /etc/shorewall:
interface
Kod: Markera allt
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect norfc1918
loc eth1 detect
#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
eth0 eth0
Policy
Kod: Markera allt
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
fw all ACCEPT
loc net ACCEPT
net all DROP info
# THE FOLLOWING POLICY MUST BE LAST
all all REJECT info
Kod: Markera allt
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
# PORT PORT(S) DEST LIMIT GROUP
#
# Accept DNS connections from the firewall to the network
#
DNS(ACCEPT) $FW net
DNS(ACCEPT) $FW loc
# Accept SSH connections from the local network for administration
#
SSH(ACCEPT) all $FW
ACCEPT all $FW tcp 10022
#
# Allow Ping from the local network
#
Ping(ACCEPT) loc $FW
#
# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
#
Ping(DROP) net $FW
ACCEPT $FW loc icmp
ACCEPT $FW net icmp
#
#HTTP
ACCEPT loc $FW tcp www
ACCEPT all $FW tcp https
ACCEPT all $FW udp 53
ACCEPT all $FW tcp 53
Kod: Markera allt
# Generated by iptables-save v1.4.4 on Sat Jun 12 00:19:05 2010
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:Drop - [0:0]
:Reject - [0:0]
:blacklst - [0:0]
:dropBcast - [0:0]
:dropInvalid - [0:0]
:dropNotSyn - [0:0]
:dynamic - [0:0]
:fw2loc - [0:0]
:fw2net - [0:0]
:loc2fw - [0:0]
:loc2net - [0:0]
:logdrop - [0:0]
:logflags - [0:0]
:logreject - [0:0]
:net2fw - [0:0]
:net2loc - [0:0]
:reject - [0:0]
:shorewall - [0:0]
:smurfs - [0:0]
:tcpflags - [0:0]
-A INPUT -m state --state INVALID,NEW -j dynamic
-A INPUT -i eth0 -j net2fw
-A INPUT -i eth1 -j loc2fw
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j Reject
-A INPUT -j LOG --log-prefix "Shorewall:INPUT:REJECT:" --log-level 6
-A INPUT -g reject
-A FORWARD -m state --state INVALID,NEW -j dynamic
-A FORWARD -i eth0 -o eth1 -j net2loc
-A FORWARD -i eth1 -o eth0 -j loc2net
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j Reject
-A FORWARD -j LOG --log-prefix "Shorewall:FORWARD:REJECT:" --log-level 6
-A FORWARD -g reject
-A OUTPUT -o eth0 -j fw2net
-A OUTPUT -o eth1 -j fw2loc
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j ACCEPT
-A Drop
-A Drop -p tcp -m tcp --dport 113 -m comment --comment "Auth" -j reject
-A Drop -j dropBcast
-A Drop -p icmp -m icmp --icmp-type 3/4 -m comment --comment "Needed ICMP types" -j ACCEPT
-A Drop -p icmp -m icmp --icmp-type 11 -m comment --comment "Needed ICMP types" -j ACCEPT
-A Drop -j dropInvalid
-A Drop -p udp -m multiport --dports 135,445 -m comment --comment "SMB" -j DROP
-A Drop -p udp -m udp --dport 137:139 -m comment --comment "SMB" -j DROP
-A Drop -p udp -m udp --sport 137 --dport 1024:65535 -m comment --comment "SMB" -j DROP
-A Drop -p tcp -m multiport --dports 135,139,445 -m comment --comment "SMB" -j DROP
-A Drop -p udp -m udp --dport 1900 -m comment --comment "UPnP" -j DROP
-A Drop -p tcp -j dropNotSyn
-A Drop -p udp -m udp --sport 53 -m comment --comment "Late DNS Replies" -j DROP
-A Reject
-A Reject -p tcp -m tcp --dport 113 -m comment --comment "Auth" -j reject
-A Reject -j dropBcast
-A Reject -p icmp -m icmp --icmp-type 3/4 -m comment --comment "Needed ICMP types" -j ACCEPT
-A Reject -p icmp -m icmp --icmp-type 11 -m comment --comment "Needed ICMP types" -j ACCEPT
-A Reject -j dropInvalid
-A Reject -p udp -m multiport --dports 135,445 -m comment --comment "SMB" -j reject
-A Reject -p udp -m udp --dport 137:139 -m comment --comment "SMB" -j reject
-A Reject -p udp -m udp --sport 137 --dport 1024:65535 -m comment --comment "SMB" -j reject
-A Reject -p tcp -m multiport --dports 135,139,445 -m comment --comment "SMB" -j reject
-A Reject -p udp -m udp --dport 1900 -m comment --comment "UPnP" -j DROP
-A Reject -p tcp -j dropNotSyn
-A Reject -p udp -m udp --sport 53 -m comment --comment "Late DNS Replies" -j DROP
-A dropBcast -m addrtype --dst-type BROADCAST -j DROP
-A dropBcast -d 224.0.0.0/4 -j DROP
-A dropInvalid -m state --state INVALID -j DROP
-A dropNotSyn -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A fw2loc -m state --state RELATED,ESTABLISHED -j ACCEPT
-A fw2loc -p udp -m udp --dport 53 -m comment --comment "DNS" -j ACCEPT
-A fw2loc -p tcp -m tcp --dport 53 -m comment --comment "DNS" -j ACCEPT
-A fw2loc -p icmp -j ACCEPT
-A fw2loc -j ACCEPT
-A fw2net -p udp -m udp --dport 67:68 -j ACCEPT
-A fw2net -m state --state RELATED,ESTABLISHED -j ACCEPT
-A fw2net -p udp -m udp --dport 53 -m comment --comment "DNS" -j ACCEPT
-A fw2net -p tcp -m tcp --dport 53 -m comment --comment "DNS" -j ACCEPT
-A fw2net -p icmp -j ACCEPT
-A fw2net -j ACCEPT
-A loc2fw -p tcp -j tcpflags
-A loc2fw -m state --state RELATED,ESTABLISHED -j ACCEPT
-A loc2fw -p tcp -m tcp --dport 22 -m comment --comment "SSH" -j ACCEPT
-A loc2fw -p tcp -m tcp --dport 10022 -j ACCEPT
-A loc2fw -p icmp -m icmp --icmp-type 8 -m comment --comment "Ping" -j ACCEPT
-A loc2fw -p tcp -m tcp --dport 80 -j ACCEPT
-A loc2fw -p tcp -m tcp --dport 443 -j ACCEPT
-A loc2fw -p udp -m udp --dport 53 -j ACCEPT
-A loc2fw -p tcp -m tcp --dport 53 -j ACCEPT
-A loc2fw -j Reject
-A loc2fw -j LOG --log-prefix "Shorewall:loc2fw:REJECT:" --log-level 6
-A loc2fw -g reject
-A loc2net -p tcp -j tcpflags
-A loc2net -m state --state RELATED,ESTABLISHED -j ACCEPT
-A loc2net -j ACCEPT
-A logdrop -j DROP
-A logflags -j LOG --log-prefix "Shorewall:logflags:DROP:" --log-level 6 --log-ip-options
-A logflags -j DROP
-A logreject -j reject
-A net2fw -m state --state INVALID,NEW -j blacklst
-A net2fw -m state --state INVALID,NEW -j smurfs
-A net2fw -p udp -m udp --dport 67:68 -j ACCEPT
-A net2fw -p tcp -j tcpflags
-A net2fw -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2fw -p tcp -m tcp --dport 22 -m comment --comment "SSH" -j ACCEPT
-A net2fw -p tcp -m tcp --dport 10022 -j ACCEPT
-A net2fw -p icmp -m icmp --icmp-type 8 -m comment --comment "Ping" -j DROP
-A net2fw -p tcp -m tcp --dport 80 -j ACCEPT
-A net2fw -p tcp -m tcp --dport 443 -j ACCEPT
-A net2fw -p tcp -m tcp --dport 25 -j ACCEPT
-A net2fw -p tcp -m tcp --dport 110 -j ACCEPT
-A net2fw -p tcp -m tcp --dport 25 -j ACCEPT
-A net2fw -p udp -m udp --dport 53 -j ACCEPT
-A net2fw -p tcp -m tcp --dport 53 -j ACCEPT
-A net2fw -j Drop
-A net2fw -j LOG --log-prefix "Shorewall:net2fw:DROP:" --log-level 6
-A net2fw -j DROP
-A net2loc -m state --state INVALID,NEW -j blacklst
-A net2loc -m state --state INVALID,NEW -j smurfs
-A net2loc -p tcp -j tcpflags
-A net2loc -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2loc -j Drop
-A net2loc -j LOG --log-prefix "Shorewall:net2loc:DROP:" --log-level 6
-A net2loc -j DROP
-A reject -m addrtype --src-type BROADCAST -j DROP
-A reject -s 224.0.0.0/4 -j DROP
-A reject -p igmp -j DROP
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A reject -j REJECT --reject-with icmp-host-prohibited
-A smurfs -s 0.0.0.0/32 -j RETURN
-A smurfs -m addrtype --src-type BROADCAST -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -m addrtype --src-type BROADCAST -j DROP
-A smurfs -s 224.0.0.0/4 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -s 224.0.0.0/4 -j DROP
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j logflags
-A tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j logflags
-A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j logflags
-A tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -j logflags
COMMIT
# Completed on Sat Jun 12 00:19:05 2010
# Generated by iptables-save v1.4.4 on Sat Jun 12 00:19:05 2010
*mangle
:PREROUTING ACCEPT [26:3685]
:INPUT ACCEPT [21:1464]
:FORWARD ACCEPT [5:2221]
:OUTPUT ACCEPT [16:1840]
:POSTROUTING ACCEPT [21:4061]
:tcfor - [0:0]
:tcout - [0:0]
:tcpost - [0:0]
:tcpre - [0:0]
-A PREROUTING -j tcpre
-A FORWARD -j MARK --set-xmark 0x0/0xffffffff
-A FORWARD -j tcfor
-A OUTPUT -j tcout
-A POSTROUTING -j tcpost
COMMIT
# Completed on Sat Jun 12 00:19:05 2010
# Generated by iptables-save v1.4.4 on Sat Jun 12 00:19:05 2010
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:eth0_masq - [0:0]
-A POSTROUTING -o eth0 -j eth0_masq
-A eth0_masq -s 85.228.192.0/20 -j MASQUERADE
COMMIT
# Completed on Sat Jun 12 00:19:05 2010
# Generated by iptables-save v1.4.4 on Sat Jun 12 00:19:05 2010
*raw
:PREROUTING ACCEPT [26:3685]
:OUTPUT ACCEPT [16:1840]
COMMIT
# Completed on Sat Jun 12 00:19:05 2010
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -j ACCEPT
Fast det sparas inte när man startar om datorn..
Nån vänlig själ som ser var jag gör fel?
//mille7
