

#1  2009-03-28 13:54:15

DadaD
User
Registered: 2008-03-26

Iptables (Guarddog frontend) blocks access to Samba

Hello!

Unfortunately I cannot work out what in Debian's iptables is blocking my access to Samba when I connect from another computer running WinXP.
The script was generated with Guarddog and the ports for Samba are open.
It is probably some other rule, which unfortunately I am not able to identify.
With the firewall switched off, access to Samba on Debian from the WinXP computer works without any problem.

The configuration file /etc/rc.firewall.

Code:

#!/bin/bash
# [Guarddog2]
# DO NOT EDIT!
# This firewall script was generated by "Guarddog" by Simon Edwards
# http://www.simonzone.com/software/guarddog/ This script requires Linux
# kernel version 2.2.x and ipchains OR Linux kernel 2.4.x and iptables.
#
# [Description]
#  
# [Config]
# LOCALPORTRANGESTART=1024
# LOCALPORTRANGEEND=5999
# DISABLED=0
# LOGREJECT=1
# LOGDROP=1
# LOGABORTEDTCP=1
# LOGIPOPTIONS=1
# LOGTCPOPTIONS=1
# LOGTCPSEQUENCE=1
# LOGLEVEL=4
# LOGRATELIMIT=1
# LOGRATE=1
# LOGRATEUNIT=0
# LOGRATEBURST=10
# LOGWARNLIMIT=1
# LOGWARNRATE=2
# LOGWARNRATEUNIT=1
# DHCPC=0
# DHCPCINTERFACENAME=eth0
# DHCPD=0
# DHCPDINTERFACENAME=eth0
# ALLOWTCPTIMESTAMPS=0
# [ServerZone] Internet
# [ClientZone] Obszar Lokalny
# CONNECTED=1
# PROTOCOL=smtp
# PROTOCOL=nicname
# PROTOCOL=snmp
# PROTOCOL=irc
# PROTOCOL=microsoft-ds
# PROTOCOL=pop3
# PROTOCOL=http
# PROTOCOL=time
# PROTOCOL=ntp
# PROTOCOL=ah
# PROTOCOL=https
# PROTOCOL=netbios
# PROTOCOL=auth
# PROTOCOL=jabber
# PROTOCOL=pop3s
# PROTOCOL=ftp
# PROTOCOL=ping
# PROTOCOL=webmin
# PROTOCOL=domain
# PROTOCOL=smtps
# [ServerZone] Obszar Lokalny
# [ClientZone] Internet
# CONNECTED=1
# PROTOCOL=smtp
# PROTOCOL=nicname
# PROTOCOL=snmp
# PROTOCOL=irc
# PROTOCOL=microsoft-ds
# PROTOCOL=pop3
# PROTOCOL=http
# PROTOCOL=time
# PROTOCOL=ntp
# PROTOCOL=ah
# PROTOCOL=https
# PROTOCOL=netbios
# PROTOCOL=auth
# PROTOCOL=jabber
# PROTOCOL=pop3s
# PROTOCOL=ftp
# PROTOCOL=ping
# PROTOCOL=webmin
# PROTOCOL=domain
# PROTOCOL=smtps
# PROTOCOL=ssh
# [End]

# Real code starts here
# If you change the line below then also change the # DISABLED line above.
DISABLE_GUARDDOG=0
if test -z $GUARDDOG_VERBOSE; then
  GUARDDOG_VERBOSE=0
fi;
if [ $DISABLE_GUARDDOG -eq 0 ]; then
# Set the path
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin
# Detect which filter command we should use.
FILTERSYS=0
# 0 = unknown, 1 = ipchains, 2 = iptables
# Check for ipchains.
if [ -e /sbin/ipchains ]; then
  FILTERSYS=1
fi;
if [ -e /usr/sbin/ipchains ]; then
  FILTERSYS=1
fi;
if [ -e /usr/local/sbin/ipchains ]; then
  FILTERSYS=1
fi;
# Check for iptables support.
if [ -e /proc/sys/kernel/osrelease ]; then
  KERNEL_VERSION=`sed "s/^\([0-9][0-9]*\.[0-9][0-9]*\).*\$/\1/" < /proc/sys/kernel/osrelease`
  if [ $KERNEL_VERSION == "2.6" ]; then
    KERNEL_VERSION="2.4"
  fi;
  if [ $KERNEL_VERSION == "2.5" ]; then
    KERNEL_VERSION="2.4"
  fi;
  if [ $KERNEL_VERSION == "2.4" ]; then
    if [ -e /sbin/iptables ]; then
      FILTERSYS=2
    fi;
    if [ -e /usr/sbin/iptables ]; then
      FILTERSYS=2
    fi;
    if [ -e /usr/local/sbin/iptables ]; then
      FILTERSYS=2
    fi;
  fi;
fi;
if [ $FILTERSYS -eq 0 ]; then
  logger -p auth.info -t guarddog "ERROR Can't determine the firewall command! (Is ipchains or iptables installed?)"
  [ $GUARDDOG_VERBOSE -eq 1 ] && echo "BŁĄD: Nie mogę określić poleceń firewalla! (Czy masz zainstalowane ipchains lub iptables?)"
  false
fi;
if [ $FILTERSYS -eq 1 ]; then
###############################
###### ipchains ###############
###############################
logger -p auth.info -t guarddog Configuring ipchains firewall now.
[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Używam ipchains"
[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Resetuję konfigurację firewalla"
# Shut down all traffic
ipchains -P forward DENY
ipchains -P input DENY
ipchains -P output DENY

# Delete any existing chains
ipchains -F
ipchains -X

[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Ustawiam parametry kernela."
# Turn on kernel IP spoof protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 2> /dev/null
# Set the up TCP timestamps config
echo 0 > /proc/sys/net/ipv4/tcp_timestamps 2> /dev/null
# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies 2> /dev/null
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route 2> /dev/null
# Log truly weird packets.
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians 2> /dev/null
# Switch the current language for a moment
GUARDDOG_BACKUP_LANG=$LANG
GUARDDOG_BACKUP_LC_ALL=$LC_ALL
LANG=US
LC_ALL=US
export LANG
export LC_ALL
# Set kernel rp_filter. NICs used for IPSEC should not have rp_filter turned on.
# Find the IPs of any ipsecX NICs
IPSEC_IPS="`ifconfig | gawk '/^ipsec\w/ { grabip = 1}
/inet addr:[[:digit:]\\.]+/ { if(grabip==1) printf \"%s \",gensub(/^.*inet addr:([[:digit:]\\.]+).*$/,\"\\\\1\",\"g\",$0)
grabip = 0}'`"
# Build a list of NIC names and matching IPs
IP_NIC_PAIRS="`ifconfig | gawk '/^\w/ { nic = gensub(/^(.*):.*/,\"\\\\1\",\"g\",$1)}
/inet addr:.*/ {match($0,/inet addr:[[:digit:]\.]+/)
ip=substr($0,RSTART+10,RLENGTH-10)
printf \"%s_%s\\n\",nic,ip }'`"

# Restore the language setting
LANG=$GUARDDOG_BACKUP_LANG
LC_ALL=$GUARDDOG_BACKUP_LC_ALL
export LANG
export LC_ALL

# Activate rp_filter for each NIC, except for NICs that are using
# an IP that is involved with IPSEC.
for X in $IP_NIC_PAIRS ; do
  NIC="`echo \"$X\" | cut -f 1 -d _`"
  IP="`echo \"$X\" | cut -f 2 -d _`"
  RPF="1"
  for SEC_IP in $IPSEC_IPS ; do
    if [[ $SEC_IP == $IP ]]; then
      RPF="0"
    fi
  done
  echo $RPF > /proc/sys/net/ipv4/conf/$NIC/rp_filter 2> /dev/null
done

echo "1024 5999" > /proc/sys/net/ipv4/ip_local_port_range 2> /dev/null

[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Konfiguruję firewalla."
# Allow loopback traffic.
ipchains -A input -i lo -j ACCEPT
ipchains -A output -i lo -j ACCEPT

# Accept broadcasts from ourself.
# Switch the current language for a moment
GUARDDOG_BACKUP_LANG=$LANG
GUARDDOG_BACKUP_LC_ALL=$LC_ALL
LANG=US
LC_ALL=US
export LANG
export LC_ALL
IP_BCAST_PAIRS="`ifconfig | gawk '/^\w/ { nic = gensub(/^(.*):.*/,\"\\\\1\",\"g\",$1)}
/inet addr:.*Bcast/ {match($0,/inet addr:[[:digit:]\\.]+/)
ip=substr($0,RSTART+10,RLENGTH-10)
match($0,/Bcast:[[:digit:]\\.]+/)
bcast = substr($0,RSTART+6,RLENGTH-6)
printf \"%s_%s_%s\\n\",nic,ip,bcast }'`"
# Restore the language setting
LANG=$GUARDDOG_BACKUP_LANG
LC_ALL=$GUARDDOG_BACKUP_LC_ALL
export LANG
export LC_ALL
for X in $IP_BCAST_PAIRS ; do
  NIC="`echo \"$X\" | cut -f 1 -d _`"
  IP="`echo \"$X\" | cut -f 2 -d _`"
  BCAST="`echo \"$X\" | cut -f 3 -d _`"
  ipchains -A input -i $NIC -s $IP -d $BCAST -j ACCEPT
done

# Allow certain critical ICMP types
ipchains -A input -p icmp --sport 3 -j ACCEPT                 # Dest unreachable
ipchains -A output -p icmp --sport 3 -j ACCEPT                # Dest unreachable
ipchains -A forward -p icmp --sport 3 -j ACCEPT &> /dev/null  # Dest unreachable
ipchains -A input -p icmp --sport 11 -j ACCEPT                # Time exceeded
ipchains -A output -p icmp --sport 11 -j ACCEPT               # Time exceeded
ipchains -A forward -p icmp --sport 11 -j ACCEPT &> /dev/null # Time exceeded
ipchains -A input -p icmp --sport 12 -j ACCEPT                # Parameter Problem
ipchains -A output -p icmp --sport 12 -j ACCEPT               # Parameter Problem
ipchains -A forward -p icmp --sport 12 -j ACCEPT &> /dev/null # Parameter Problem
# Work out our local IPs.
# Switch the current language for a moment
GUARDDOG_BACKUP_LANG=$LANG
GUARDDOG_BACKUP_LC_ALL=$LC_ALL
LANG=US
LC_ALL=US
export LANG
export LC_ALL
NIC_IP="`ifconfig | gawk '/^\w/ { nic = gensub(/^(.*):.*/,\"\\\\1\",\"g\",\$1)}
/inet addr:/ { match(\$0,/inet addr:[[:digit:]\\.]+/)
printf \"%s_%s\\n\",nic,substr(\$0,RSTART+10,RLENGTH-10) }
/Bcast/ { match(\$0,/Bcast:[[:digit:]\\.]+/)
printf \"%s_%s\\n\",nic,substr(\$0,RSTART+6,RLENGTH-6) }'`"
# Restore the language setting
LANG=$GUARDDOG_BACKUP_LANG
LC_ALL=$GUARDDOG_BACKUP_LC_ALL
export LANG
export LC_ALL
# Create the nicfilt chain
ipchains -N nicfilt
GOT_LO=0
NIC_COUNT=0
for X in $NIC_IP ; do
    NIC="`echo \"$X\" | cut -f 1 -d _`"
    IP="`echo \"$X\" | cut -f 2 -d _`"
    ipchains -A nicfilt -i $NIC -j RETURN
    # We also take this opportunity to see if we only have a lo interface.
    if [ $NIC == "lo" ]; then
        GOT_LO=1
    fi
    let NIC_COUNT=$NIC_COUNT+1
done
IPS="`echo \"$NIC_IP\" | cut -f 2 -d _`"
# Do we have just a lo interface?
if [ $GOT_LO -eq 1 ] && [ $NIC_COUNT -eq 1 ] ; then
  MIN_MODE=1
else
  MIN_MODE=0
fi
# Are there *any* interfaces?
if [ $NIC_COUNT -eq 0 ] ; then
  MIN_MODE=1
fi
# If we only have a lo interface or no interfaces then we assume that DNS
# is not going to work and just skip any iptables calls that need DNS.
ipchains -A nicfilt -l -j DENY

# Create the filter chains
# Create chain to filter traffic going from 'Internet' to 'Obszar Lokalny'
ipchains -N f0to1
# Create chain to filter traffic going from 'Obszar Lokalny' to 'Internet'
ipchains -N f1to0
# Add rules to the filter chains

# Traffic from 'Internet' to 'Obszar Lokalny'
# Allow 'smtp'
ipchains -A f0to1 -p tcp --sport 1024:65535 --dport 25:25 -j ACCEPT
ipchains -A f1to0 -p tcp ! -y --sport 25:25 --dport 1024:65535 -j ACCEPT
# Allow 'nicname'
ipchains -A f0to1 -p tcp --sport 1024:65535 --dport 43:43 -j ACCEPT
ipchains -A f1to0 -p tcp ! -y --sport 43:43 --dport 1024:65535 -j ACCEPT
ipchains -A f0to1 -p udp --sport 0:65535 --dport 43:43 -j ACCEPT
# Allow 'snmp'
ipchains -A f0to1 -p udp --sport 1024:65535 --dport 161:161 -j ACCEPT
ipchains -A f1to0 -p udp --sport 161:161 --dport 1024:65535 -j ACCEPT
# Allow 'irc'
# Server connection
ipchains -A f0to1 -p tcp --sport 1024:65535 --dport 6660:6669 -j ACCEPT
ipchains -A f1to0 -p tcp ! -y --sport 6660:6669 --dport 1024:65535 -j ACCEPT
ipchains -A f0to1 -p tcp --sport 1024:65535 --dport 1024:65535 -j ACCEPT
ipchains -A f1to0 -p tcp ! -y --sport 1024:65535 --dport 1024:65535 -j ACCEPT
ipchains -A f1to0 -p tcp --sport 1024:65535 --dport 1024:65535 -j ACCEPT
ipchains -A f0to1 -p tcp ! -y --sport 1024:65535 --dport 1024:65535 -j ACCEPT
# Allow 'microsoft-ds'
# SMB over TCP
ipchains -A f0to1 -p tcp --sport 0:65535 --dport 445:445 -j ACCEPT
ipchains -A f1to0 -p tcp ! -y --sport 445:445 --dport 0:65535 -j ACCEPT
# Allow 'pop3'
ipchains -A f0to1 -p tcp --sport 1024:65535 --dport 110:110 -j ACCEPT
ipchains -A f1to0 -p tcp ! -y --sport 110:110 --dport 1024:65535 -j ACCEPT
# Allow 'http'
ipchains -A f0to1 -p tcp --sport 1024:65535 --dport 80:80 -j ACCEPT
ipchains -A f1to0 -p tcp ! -y --sport 80:80 --dport 1024:65535 -j ACCEPT
ipchains -A f0to1 -p tcp --sport 1024:65535 --dport 8080:8080 -j ACCEPT
ipchains -A f1to0 -p tcp ! -y --sport 8080:8080 --dport 1024:65535 -j ACCEPT
ipchains -A f0to1 -p tcp --sport 1024:65535 --dport 8008:8008 -j ACCEPT
ipchains -A f1to0 -p tcp ! -y --sport 8008:8008 --dport 1024:65535 -j ACCEPT
ipchains -A f0to1 -p tcp --sport 1024:65535 --dport 8000:8000 -j ACCEPT
ipchains -A f1to0 -p tcp ! -y --sport 8000:8000 --dport 1024:65535 -j ACCEPT
ipchains -A f0to1 -p tcp --sport 1024:65535 --dport 8888:8888 -j ACCEPT
ipchains -A f1to0 -p tcp ! -y --sport 8888:8888 --dport 1024:65535 -j ACCEPT
# Allow 'time'
ipchains -A f0to1 -p udp --sport 1024:65535 --dport 37:37 -j ACCEPT
ipchains -A f0to1 -p tcp --sport 1024:65535 --dport 37:37 -j ACCEPT
ipchains -A f1to0 -p tcp ! -y --sport 37:37 --dport 1024:65535 -j ACCEPT
# Allow 'ntp'
ipchains -A f0to1 -p udp --sport 0:65535 --dport 123:123 -j ACCEPT
ipchains -A f1to0 -p udp --sport 123:123 --dport 0:65535 -j ACCEPT
ipchains -A f0to1 -p tcp --sport 1024:65535 --dport 123:123 -j ACCEPT
ipchains -A f1to0 -p tcp ! -y --sport 123:123 --dport 1024:65535 -j ACCEPT
# Allow 'ah'
ipchains -A f0to1 -p 51 -j ACCEPT
ipchains -A f1to0 -p 51 -j ACCEPT
# Allow 'https'
ipchains -A f0to1 -p tcp --sport 1024:65535 --dport 443:443 -j ACCEPT
ipchains -A f1to0 -p tcp ! -y --sport 443:443 --dport 1024:65535 -j ACCEPT
# Allow 'netbios'
# NETBIOS Name Service
ipchains -A f0to1 -p tcp --sport 0:65535 --dport 137:137 -j ACCEPT
ipchains -A f1to0 -p tcp ! -y --sport 137:137 --dport 0:65535 -j ACCEPT
# NETBIOS Name Service
ipchains -A f0to1 -p udp --sport 1024:65535 --dport 137:137 -j ACCEPT
ipchains -A f1to0 -p udp --sport 137:137 --dport 1024:65535 -j ACCEPT
ipchains -A f0to1 -p udp --sport 137:137 --dport 137:137 -j ACCEPT
ipchains -A f1to0 -p udp --sport 137:137 --dport 137:137 -j ACCEPT
# NETBIOS Name Service, announcements, lookup replies.
ipchains -A f1to0 -p udp --sport 137:137 --dport 1024:65535 -j ACCEPT
ipchains -A f0to1 -p udp --sport 1024:65535 --dport 137:137 -j ACCEPT
ipchains -A f1to0 -p udp --sport 137:137 --dport 137:137 -j ACCEPT
ipchains -A f0to1 -p udp --sport 137:137 --dport 137:137 -j ACCEPT
# NETBIOS Datagram Service
ipchains -A f0to1 -p udp --sport 1024:65535 --dport 138:138 -j ACCEPT
ipchains -A f1to0 -p udp --sport 138:138 --dport 1024:65535 -j ACCEPT
# NETBIOS Datagram Service (announcement)
ipchains -A f1to0 -p udp --sport 138:138 --dport 138:138 -j ACCEPT
ipchains -A f0to1 -p udp --sport 138:138 --dport 138:138 -j ACCEPT
# NETBIOS Datagram Service (printer search)
ipchains -A f0to1 -p udp --sport 138:138 --dport 138:138 -j ACCEPT
ipchains -A f1to0 -p udp --sport 138:138 --dport 138:138 -j ACCEPT
# NETBIOS Session Service
ipchains -A f0to1 -p tcp --sport 0:65535 --dport 139:139 -j ACCEPT
ipchains -A f1to0 -p tcp ! -y --sport 139:139 --dport 0:65535 -j ACCEPT
# NETBIOS Session Service
ipchains -A f0to1 -p udp --sport 1024:65535 --dport 139:139 -j ACCEPT
# Allow 'auth'
ipchains -A f0to1 -p tcp --sport 1024:65535 --dport 113:113 -j ACCEPT
ipchains -A f1to0 -p tcp ! -y --sport 113:113 --dport 1024:65535 -j ACCEPT
ipchains -A f0to1 -p udp --sport 0:65535 --dport 113:113 -j ACCEPT
ipchains -A f1to0 -p udp --sport 113:113 --dport 0:65535 -j ACCEPT
# Allow 'jabber'
ipchains -A f0to1 -p tcp --sport 1024:65535 --dport 5222:5222 -j ACCEPT
ipchains -A f1to0 -p tcp ! -y --sport 5222:5222 --dport 1024:65535 -j ACCEPT
# Jabber over Secure Socket Layer
ipchains -A f0to1 -p tcp --sport 1024:65535 --dport 5223:5223 -j ACCEPT
ipchains -A f1to0 -p tcp ! -y --sport 5223:5223 --dport 1024:65535 -j ACCEPT
# Allow 'pop3s'
ipchains -A f0to1 -p tcp --sport 1024:65535 --dport 995:995 -j ACCEPT
ipchains -A f1to0 -p tcp ! -y --sport 995:995 --dport 1024:65535 -j ACCEPT
# Allow 'ftp'
# Control connection
ipchains -A f0to1 -p tcp --sport 1024:65535 --dport 21:21 -j ACCEPT
ipchains -A f1to0 -p tcp ! -y --sport 21:21 --dport 1024:65535 -j ACCEPT
# Data connection
ipchains -A f1to0 -p tcp --sport 20:20 --dport 1024:65535 -j ACCEPT
ipchains -A f0to1 -p tcp ! -y --sport 1024:65535 --dport 20:20 -j ACCEPT
# Data connection passive mode
ipchains -A f0to1 -p tcp --sport 1024:65535 --dport 1024:65535 -j ACCEPT
ipchains -A f1to0 -p tcp ! -y --sport 1024:65535 --dport 1024:65535 -j ACCEPT
# Allow 'ping'
# Echo Request
ipchains -A f0to1 -p icmp --sport 8 -j ACCEPT
# Echo reply
ipchains -A f1to0 -p icmp --sport 0 -j ACCEPT
# Allow 'webmin'
ipchains -A f0to1 -p tcp --sport 1024:65535 --dport 10000:10000 -j ACCEPT
ipchains -A f1to0 -p tcp ! -y --sport 10000:10000 --dport 1024:65535 -j ACCEPT
# Allow 'domain'
ipchains -A f0to1 -p tcp --sport 0:65535 --dport 53:53 -j ACCEPT
ipchains -A f1to0 -p tcp ! -y --sport 53:53 --dport 0:65535 -j ACCEPT
ipchains -A f0to1 -p udp --sport 0:65535 --dport 53:53 -j ACCEPT
ipchains -A f1to0 -p udp --sport 53:53 --dport 0:65535 -j ACCEPT
# Allow 'smtps'
ipchains -A f0to1 -p tcp --sport 1024:65535 --dport 465:465 -j ACCEPT
ipchains -A f1to0 -p tcp ! -y --sport 465:465 --dport 1024:65535 -j ACCEPT
# Allow 'ssh'
# Normal connection
ipchains -A f0to1 -p tcp --sport 1024:65535 --dport 22:22 -j ACCEPT
ipchains -A f1to0 -p tcp ! -y --sport 22:22 --dport 1024:65535 -j ACCEPT
# privileged source port (rhosts compat.)
ipchains -A f0to1 -p tcp --sport 0:1023 --dport 22:22 -j ACCEPT
ipchains -A f1to0 -p tcp ! -y --sport 22:22 --dport 0:1023 -j ACCEPT

# Rejected traffic from 'Internet' to 'Obszar Lokalny'

# Traffic from 'Obszar Lokalny' to 'Internet'
# Allow 'smtp'
ipchains -A f1to0 -p tcp --sport 1024:5999 --dport 25:25 -j ACCEPT
ipchains -A f0to1 -p tcp ! -y --sport 25:25 --dport 1024:5999 -j ACCEPT
# Allow 'nicname'
ipchains -A f1to0 -p tcp --sport 1024:5999 --dport 43:43 -j ACCEPT
ipchains -A f0to1 -p tcp ! -y --sport 43:43 --dport 1024:5999 -j ACCEPT
ipchains -A f1to0 -p udp --sport 0:65535 --dport 43:43 -j ACCEPT
# Allow 'snmp'
ipchains -A f1to0 -p udp --sport 1024:5999 --dport 161:161 -j ACCEPT
ipchains -A f0to1 -p udp --sport 161:161 --dport 1024:5999 -j ACCEPT
# Allow 'irc'
# Server connection
ipchains -A f1to0 -p tcp --sport 1024:5999 --dport 6660:6669 -j ACCEPT
ipchains -A f0to1 -p tcp ! -y --sport 6660:6669 --dport 1024:5999 -j ACCEPT
ipchains -A f1to0 -p tcp --sport 1024:65535 --dport 1024:65535 -j ACCEPT
ipchains -A f0to1 -p tcp ! -y --sport 1024:65535 --dport 1024:65535 -j ACCEPT
ipchains -A f0to1 -p tcp --sport 1024:65535 --dport 1024:65535 -j ACCEPT
ipchains -A f1to0 -p tcp ! -y --sport 1024:65535 --dport 1024:65535 -j ACCEPT
# Allow 'microsoft-ds'
# SMB over TCP
ipchains -A f1to0 -p tcp --sport 0:65535 --dport 445:445 -j ACCEPT
ipchains -A f0to1 -p tcp ! -y --sport 445:445 --dport 0:65535 -j ACCEPT
# Allow 'pop3'
ipchains -A f1to0 -p tcp --sport 1024:5999 --dport 110:110 -j ACCEPT
ipchains -A f0to1 -p tcp ! -y --sport 110:110 --dport 1024:5999 -j ACCEPT
# Allow 'http'
ipchains -A f1to0 -p tcp --sport 1024:5999 --dport 80:80 -j ACCEPT
ipchains -A f0to1 -p tcp ! -y --sport 80:80 --dport 1024:5999 -j ACCEPT
ipchains -A f1to0 -p tcp --sport 1024:5999 --dport 8080:8080 -j ACCEPT
ipchains -A f0to1 -p tcp ! -y --sport 8080:8080 --dport 1024:5999 -j ACCEPT
ipchains -A f1to0 -p tcp --sport 1024:5999 --dport 8008:8008 -j ACCEPT
ipchains -A f0to1 -p tcp ! -y --sport 8008:8008 --dport 1024:5999 -j ACCEPT
ipchains -A f1to0 -p tcp --sport 1024:5999 --dport 8000:8000 -j ACCEPT
ipchains -A f0to1 -p tcp ! -y --sport 8000:8000 --dport 1024:5999 -j ACCEPT
ipchains -A f1to0 -p tcp --sport 1024:5999 --dport 8888:8888 -j ACCEPT
ipchains -A f0to1 -p tcp ! -y --sport 8888:8888 --dport 1024:5999 -j ACCEPT
# Allow 'time'
ipchains -A f1to0 -p udp --sport 1024:5999 --dport 37:37 -j ACCEPT
ipchains -A f1to0 -p tcp --sport 1024:5999 --dport 37:37 -j ACCEPT
ipchains -A f0to1 -p tcp ! -y --sport 37:37 --dport 1024:5999 -j ACCEPT
# Allow 'ntp'
ipchains -A f1to0 -p udp --sport 0:65535 --dport 123:123 -j ACCEPT
ipchains -A f0to1 -p udp --sport 123:123 --dport 0:65535 -j ACCEPT
ipchains -A f1to0 -p tcp --sport 1024:5999 --dport 123:123 -j ACCEPT
ipchains -A f0to1 -p tcp ! -y --sport 123:123 --dport 1024:5999 -j ACCEPT
# Allow 'ah'
ipchains -A f1to0 -p 51 -j ACCEPT
ipchains -A f0to1 -p 51 -j ACCEPT
# Allow 'https'
ipchains -A f1to0 -p tcp --sport 1024:5999 --dport 443:443 -j ACCEPT
ipchains -A f0to1 -p tcp ! -y --sport 443:443 --dport 1024:5999 -j ACCEPT
# Allow 'netbios'
# NETBIOS Name Service
ipchains -A f1to0 -p tcp --sport 0:65535 --dport 137:137 -j ACCEPT
ipchains -A f0to1 -p tcp ! -y --sport 137:137 --dport 0:65535 -j ACCEPT
# NETBIOS Name Service
ipchains -A f1to0 -p udp --sport 1024:5999 --dport 137:137 -j ACCEPT
ipchains -A f0to1 -p udp --sport 137:137 --dport 1024:5999 -j ACCEPT
ipchains -A f1to0 -p udp --sport 137:137 --dport 137:137 -j ACCEPT
ipchains -A f0to1 -p udp --sport 137:137 --dport 137:137 -j ACCEPT
# NETBIOS Name Service, announcements, lookup replies.
ipchains -A f0to1 -p udp --sport 137:137 --dport 1024:5999 -j ACCEPT
ipchains -A f1to0 -p udp --sport 1024:5999 --dport 137:137 -j ACCEPT
ipchains -A f0to1 -p udp --sport 137:137 --dport 137:137 -j ACCEPT
ipchains -A f1to0 -p udp --sport 137:137 --dport 137:137 -j ACCEPT
# NETBIOS Datagram Service
ipchains -A f1to0 -p udp --sport 1024:5999 --dport 138:138 -j ACCEPT
ipchains -A f0to1 -p udp --sport 138:138 --dport 1024:5999 -j ACCEPT
# NETBIOS Datagram Service (announcement)
ipchains -A f0to1 -p udp --sport 138:138 --dport 138:138 -j ACCEPT
ipchains -A f1to0 -p udp --sport 138:138 --dport 138:138 -j ACCEPT
# NETBIOS Datagram Service (printer search)
ipchains -A f1to0 -p udp --sport 138:138 --dport 138:138 -j ACCEPT
ipchains -A f0to1 -p udp --sport 138:138 --dport 138:138 -j ACCEPT
# NETBIOS Session Service
ipchains -A f1to0 -p tcp --sport 0:65535 --dport 139:139 -j ACCEPT
ipchains -A f0to1 -p tcp ! -y --sport 139:139 --dport 0:65535 -j ACCEPT
# NETBIOS Session Service
ipchains -A f1to0 -p udp --sport 1024:5999 --dport 139:139 -j ACCEPT
# Allow 'auth'
ipchains -A f1to0 -p tcp --sport 1024:5999 --dport 113:113 -j ACCEPT
ipchains -A f0to1 -p tcp ! -y --sport 113:113 --dport 1024:5999 -j ACCEPT
ipchains -A f1to0 -p udp --sport 0:65535 --dport 113:113 -j ACCEPT
ipchains -A f0to1 -p udp --sport 113:113 --dport 0:65535 -j ACCEPT
# Allow 'jabber'
ipchains -A f1to0 -p tcp --sport 1024:5999 --dport 5222:5222 -j ACCEPT
ipchains -A f0to1 -p tcp ! -y --sport 5222:5222 --dport 1024:5999 -j ACCEPT
# Jabber over Secure Socket Layer
ipchains -A f1to0 -p tcp --sport 1024:5999 --dport 5223:5223 -j ACCEPT
ipchains -A f0to1 -p tcp ! -y --sport 5223:5223 --dport 1024:5999 -j ACCEPT
# Allow 'pop3s'
ipchains -A f1to0 -p tcp --sport 1024:5999 --dport 995:995 -j ACCEPT
ipchains -A f0to1 -p tcp ! -y --sport 995:995 --dport 1024:5999 -j ACCEPT
# Allow 'ftp'
# Control connection
ipchains -A f1to0 -p tcp --sport 1024:5999 --dport 21:21 -j ACCEPT
ipchains -A f0to1 -p tcp ! -y --sport 21:21 --dport 1024:5999 -j ACCEPT
# Data connection
ipchains -A f0to1 -p tcp --sport 20:20 --dport 1024:65535 -j ACCEPT
ipchains -A f1to0 -p tcp ! -y --sport 1024:65535 --dport 20:20 -j ACCEPT
# Data connection passive mode
ipchains -A f1to0 -p tcp --sport 1024:65535 --dport 1024:65535 -j ACCEPT
ipchains -A f0to1 -p tcp ! -y --sport 1024:65535 --dport 1024:65535 -j ACCEPT
# Allow 'ping'
# Echo Request
ipchains -A f1to0 -p icmp --sport 8 -j ACCEPT
# Echo reply
ipchains -A f0to1 -p icmp --sport 0 -j ACCEPT
# Allow 'webmin'
ipchains -A f1to0 -p tcp --sport 1024:5999 --dport 10000:10000 -j ACCEPT
ipchains -A f0to1 -p tcp ! -y --sport 10000:10000 --dport 1024:5999 -j ACCEPT
# Allow 'domain'
ipchains -A f1to0 -p tcp --sport 0:65535 --dport 53:53 -j ACCEPT
ipchains -A f0to1 -p tcp ! -y --sport 53:53 --dport 0:65535 -j ACCEPT
ipchains -A f1to0 -p udp --sport 0:65535 --dport 53:53 -j ACCEPT
ipchains -A f0to1 -p udp --sport 53:53 --dport 0:65535 -j ACCEPT
# Allow 'smtps'
ipchains -A f1to0 -p tcp --sport 1024:5999 --dport 465:465 -j ACCEPT
ipchains -A f0to1 -p tcp ! -y --sport 465:465 --dport 1024:5999 -j ACCEPT

# Rejected traffic from 'Obszar Lokalny' to 'Internet'

# Place DENY and log rules at the end of our filter chains.
# Failing all the rules above, we DENY and maybe log the packet.
ipchains -A f0to1 -l -j DENY
# Failing all the rules above, we DENY and maybe log the packet.
ipchains -A f1to0 -l -j DENY

# Add some temp DNS accept rules to the input and output chains.
# This is so that we can pass domain names to ipchains and have ipchains be
# able to look it up without being blocked by the our half-complete firewall.
if [ $MIN_MODE -eq 0 ] ; then
  ipchains -A output -p tcp --sport 0:65535 --dport 53:53 -j ACCEPT
  ipchains -A input -p tcp ! -y --sport 53:53 --dport 0:65535 -j ACCEPT
  ipchains -A output -p udp --sport 0:65535 --dport 53:53 -j ACCEPT
  ipchains -A input -p udp --sport 53:53 --dport 0:65535 -j ACCEPT
fi

# Chain to split traffic coming from zone 'Internet' by dest zone
ipchains -N s0
for X in $IPS ; do
    ipchains -A s0 -d $X -j f0to1
done
if [ $MIN_MODE -eq 0 ] ; then
true # make sure this if [] has at least something in it.
fi
ipchains -A s0 -l -j DENY

# Chain to split traffic coming from zone 'Obszar Lokalny' by dest zone
ipchains -N s1
if [ $MIN_MODE -eq 0 ] ; then
true # make sure this if [] has at least something in it.
fi
ipchains -A s1 -j f1to0
# Create the srcfilt chain
ipchains -N srcfilt
if [ $MIN_MODE -eq 0 ] ; then
true # make sure this if [] has at least something in it.
fi
# Assume internet default rule
ipchains -A srcfilt -j s0

# Remove the temp DNS accept rules
if [ $MIN_MODE -eq 0 ] ; then
  ipchains -D output -p tcp --sport 0:65535 --dport 53:53 -j ACCEPT
  ipchains -D input -p tcp ! -y --sport 53:53 --dport 0:65535 -j ACCEPT
  ipchains -D output -p udp --sport 0:65535 --dport 53:53 -j ACCEPT
  ipchains -D input -p udp --sport 53:53 --dport 0:65535 -j ACCEPT
fi

# The output chain is quite simple. We diverge and filter any traffic from
# the local machine and accept the rest. The rest should have come via the
# forward chain, and hence is already filtered.
ipchains -A output -j nicfilt
for X in $IPS ; do
    ipchains -A output -s $X -j s1
done
ipchains -A output -j ACCEPT

ipchains -A input -j nicfilt
# Direct local bound traffic on the input chain to the srcfilt chain
for X in $IPS ; do
    ipchains -A input -d $X -j srcfilt
done
ipchains -A input -j ACCEPT

# All traffic on the forward chains goes to the srcfilt chain.
ipchains -A forward -j nicfilt &> /dev/null
ipchains -A forward -j srcfilt &> /dev/null

logger -p auth.info -t guarddog Finished configuring firewall
[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Zrobione"
fi;
if [ $FILTERSYS -eq 2 ]; then
###############################
###### iptables firewall ######
###############################
logger -p auth.info -t guarddog Configuring iptables firewall now.
[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Używam iptables"
[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Resetuję konfigurację firewalla"
# Shut down all traffic
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP

# Delete any existing chains
iptables -F
iptables -X

# Load any special kernel modules.
[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Ładuję moduły kernela."
modprobe ip_conntrack_irc
modprobe ip_conntrack_ftp

[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Ustawiam parametry kernela."
# Turn on kernel IP spoof protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 2> /dev/null
# Set the TCP timestamps config
echo 0 > /proc/sys/net/ipv4/tcp_timestamps 2> /dev/null
# Enable TCP SYN Cookie Protection if available
test -e /proc/sys/net/ipv4/tcp_syncookies && echo 1 > /proc/sys/net/ipv4/tcp_syncookies 2> /dev/null
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route 2> /dev/null
echo 0 > /proc/sys/net/ipv4/conf/default/accept_source_route 2> /dev/null
# Log truly weird packets.
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians 2> /dev/null
echo 1 > /proc/sys/net/ipv4/conf/default/log_martians 2> /dev/null
# Switch the current language for a moment
GUARDDOG_BACKUP_LANG=$LANG
GUARDDOG_BACKUP_LC_ALL=$LC_ALL
LANG=US
LC_ALL=US
export LANG
export LC_ALL
# Set kernel rp_filter. NICs used for IPSEC should not have rp_filter turned on.
# Find the IPs of any ipsecX NICs
IPSEC_IPS="`ifconfig | gawk '/^ipsec\w/ { grabip = 1}
/inet addr:[[:digit:]\\.]+/ { if(grabip==1) printf \"%s \",gensub(/^.*inet addr:([[:digit:]\\.]+).*$/,\"\\\\1\",\"g\",$0)
grabip = 0}'`"
# Build a list of NIC names and matching IPs
IP_NIC_PAIRS="`ifconfig | gawk '/^\w/ { nic = gensub(/^(.*):.*/,\"\\\\1\",\"g\",$1)}
/inet addr:.*/ {match($0,/inet addr:[[:digit:]\.]+/)
ip=substr($0,RSTART+10,RLENGTH-10)
printf \"%s_%s\\n\",nic,ip }'`"

# Restore the language setting
LANG=$GUARDDOG_BACKUP_LANG
LC_ALL=$GUARDDOG_BACKUP_LC_ALL
export LANG
export LC_ALL

# Activate rp_filter for each NIC, except for NICs that are using
# an IP that is involved with IPSEC.
for X in $IP_NIC_PAIRS ; do
  NIC="`echo \"$X\" | cut -f 1 -d _`"
  IP="`echo \"$X\" | cut -f 2 -d _`"
  RPF="1"
  for SEC_IP in $IPSEC_IPS ; do
    if [[ $SEC_IP == $IP ]]; then
      RPF="0"
    fi
  done
  echo $RPF > /proc/sys/net/ipv4/conf/$NIC/rp_filter 2> /dev/null
done

echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter 2> /dev/null
echo "1024 5999" > /proc/sys/net/ipv4/ip_local_port_range 2> /dev/null

[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Konfiguruję firewalla."
# Set up our logging and packet 'executing' chains
iptables -N logdrop2
iptables -A logdrop2 -j LOG --log-prefix "DROPPED " --log-level 4 --log-ip-options --log-tcp-options --log-tcp-sequence 
iptables -A logdrop2 -j DROP
iptables -N logdrop
iptables -A logdrop -m limit --limit 1/second --limit-burst 10 -j logdrop2
iptables -A logdrop -m limit --limit 2/minute --limit-burst 1 -j LOG --log-prefix "LIMITED " --log-level 4
iptables -A logdrop -j DROP
iptables -N logreject2
iptables -A logreject2 -j LOG --log-prefix "REJECTED " --log-level 4 --log-ip-options --log-tcp-options --log-tcp-sequence 
iptables -A logreject2 -p tcp -j REJECT --reject-with tcp-reset
iptables -A logreject2 -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A logreject2 -j DROP
iptables -N logreject
iptables -A logreject -m limit --limit 1/second --limit-burst 10 -j logreject2
iptables -A logreject -m limit --limit 2/minute --limit-burst 1 -j LOG --log-prefix "LIMITED " --log-level 4
iptables -A logreject -p tcp -j REJECT --reject-with tcp-reset
iptables -A logreject -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A logreject -j DROP
iptables -N logaborted2
iptables -A logaborted2 -j LOG --log-prefix "ABORTED " --log-level 4 --log-ip-options --log-tcp-options --log-tcp-sequence 
iptables -A logaborted2 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -N logaborted
iptables -A logaborted -m limit --limit 1/second --limit-burst 10 -j logaborted2
iptables -A logaborted -m limit --limit 2/minute --limit-burst 1 -j LOG --log-prefix "LIMITED " --log-level 4

# Allow loopback traffic.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Switch the current language for a moment
GUARDDOG_BACKUP_LANG=$LANG
GUARDDOG_BACKUP_LC_ALL=$LC_ALL
LANG=US
LC_ALL=US
export LANG
export LC_ALL
# Accept broadcasts from ourself.
IP_BCAST_PAIRS="`ifconfig | gawk '/^\w/ { nic = gensub(/^(.*):.*/,\"\\\\1\",\"g\",$1)}
/inet addr:.*Bcast/ {match($0,/inet addr:[[:digit:]\\.]+/)
ip=substr($0,RSTART+10,RLENGTH-10)
match($0,/Bcast:[[:digit:]\\.]+/)
bcast = substr($0,RSTART+6,RLENGTH-6)
printf \"%s_%s_%s\\n\",nic,ip,bcast }'`"
# Restore the language setting
LANG=$GUARDDOG_BACKUP_LANG
LC_ALL=$GUARDDOG_BACKUP_LC_ALL
export LANG
export LC_ALL
for X in $IP_BCAST_PAIRS ; do
  NIC="`echo \"$X\" | cut -f 1 -d _`"
  IP="`echo \"$X\" | cut -f 2 -d _`"
  BCAST="`echo \"$X\" | cut -f 3 -d _`"
  iptables -A INPUT -i $NIC -s $IP -d $BCAST -j ACCEPT
done

# Detect aborted TCP connections.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -p tcp --tcp-flags RST RST -j logaborted
# Quickly allow anything that belongs to an already established connection.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow certain critical ICMP types
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT  # Dest unreachable
iptables -A OUTPUT -p icmp --icmp-type destination-unreachable -j ACCEPT # Dest unreachable
iptables -A FORWARD -p icmp --icmp-type destination-unreachable -j ACCEPT &> /dev/null  # Dest unreachable
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT            # Time exceeded
iptables -A OUTPUT -p icmp --icmp-type time-exceeded -j ACCEPT           # Time exceeded
iptables -A FORWARD -p icmp --icmp-type time-exceeded -j ACCEPT &> /dev/null # Time exceeded
iptables -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT        # Parameter Problem
iptables -A OUTPUT -p icmp --icmp-type parameter-problem -j ACCEPT       # Parameter Problem
iptables -A FORWARD -p icmp --icmp-type parameter-problem -j ACCEPT &> /dev/null # Parameter Problem

# Switch the current language for a moment
GUARDDOG_BACKUP_LANG=$LANG
GUARDDOG_BACKUP_LC_ALL=$LC_ALL
LANG=US
LC_ALL=US
export LANG
export LC_ALL
# Work out our local IPs.
NIC_IP="`ifconfig | gawk '/^\w/ { nic = gensub(/^(.*):.*/,\"\\\\1\",\"g\",\$1)}
/inet addr:/ { match(\$0,/inet addr:[[:digit:]\\.]+/)
printf \"%s_%s\\n\",nic,substr(\$0,RSTART+10,RLENGTH-10) }
/Bcast/ { match(\$0,/Bcast:[[:digit:]\\.]+/)
printf \"%s_%s\\n\",nic,substr(\$0,RSTART+6,RLENGTH-6) }'`"
# Restore the language setting
LANG=$GUARDDOG_BACKUP_LANG
LC_ALL=$GUARDDOG_BACKUP_LC_ALL
export LANG
export LC_ALL
# Create the nicfilt chain
iptables -N nicfilt
GOT_LO=0
NIC_COUNT=0
for X in $NIC_IP ; do
    NIC="`echo \"$X\" | cut -f 1 -d _`"
    iptables -A nicfilt -i $NIC -j RETURN
    # We also take this opportunity to see if we only have a lo interface.
    if [ $NIC == "lo" ]; then
        GOT_LO=1
    fi
    let NIC_COUNT=$NIC_COUNT+1
done
IPS="`echo \"$NIC_IP\" | cut -f 2 -d _`"
iptables -A nicfilt -j logdrop
# Do we have just a lo interface?
if [ $GOT_LO -eq 1 ] && [ $NIC_COUNT -eq 1 ] ; then
  MIN_MODE=1
else
  MIN_MODE=0
fi
# Are there *any* interfaces?
if [ $NIC_COUNT -eq 0 ] ; then
  MIN_MODE=1
fi
# If we only have a lo interface or no interfaces then we assume that DNS
# is not going to work and just skip any iptables calls that need DNS.

# Create the filter chains
# Create chain to filter traffic going from 'Internet' to 'Obszar Lokalny'
iptables -N f0to1
# Create chain to filter traffic going from 'Obszar Lokalny' to 'Internet'
iptables -N f1to0
# Add rules to the filter chains

# Traffic from 'Internet' to 'Obszar Lokalny'
# Allow 'smtp'
iptables -A f0to1 -p tcp --sport 1024:65535 --dport 25:25 -m state --state NEW -j ACCEPT
# Allow 'nicname'
iptables -A f0to1 -p tcp --sport 1024:65535 --dport 43:43 -m state --state NEW -j ACCEPT
iptables -A f0to1 -p udp --sport 0:65535 --dport 43:43 -j ACCEPT
# Allow 'snmp'
iptables -A f0to1 -p udp --sport 1024:65535 --dport 161:161 -j ACCEPT
# Allow 'irc'
# Server connection
iptables -A f0to1 -p tcp --sport 1024:65535 --dport 6660:6669 -m state --state NEW -j ACCEPT
#  - Handled by netfilter state tracking
# Allow 'microsoft-ds'
# SMB over TCP
iptables -A f0to1 -p tcp --sport 0:65535 --dport 445:445 -m state --state NEW -j ACCEPT
# Allow 'pop3'
iptables -A f0to1 -p tcp --sport 1024:65535 --dport 110:110 -m state --state NEW -j ACCEPT
# Allow 'http'
iptables -A f0to1 -p tcp --sport 1024:65535 --dport 80:80 -m state --state NEW -j ACCEPT
iptables -A f0to1 -p tcp --sport 1024:65535 --dport 8080:8080 -m state --state NEW -j ACCEPT
iptables -A f0to1 -p tcp --sport 1024:65535 --dport 8008:8008 -m state --state NEW -j ACCEPT
iptables -A f0to1 -p tcp --sport 1024:65535 --dport 8000:8000 -m state --state NEW -j ACCEPT
iptables -A f0to1 -p tcp --sport 1024:65535 --dport 8888:8888 -m state --state NEW -j ACCEPT
# Allow 'time'
iptables -A f0to1 -p udp --sport 1024:65535 --dport 37:37 -j ACCEPT
iptables -A f0to1 -p tcp --sport 1024:65535 --dport 37:37 -m state --state NEW -j ACCEPT
# Allow 'ntp'
iptables -A f0to1 -p udp --sport 0:65535 --dport 123:123 -j ACCEPT
iptables -A f0to1 -p tcp --sport 1024:65535 --dport 123:123 -m state --state NEW -j ACCEPT
# Allow 'ah'
iptables -A f0to1 -p 51 -j ACCEPT
# Allow 'https'
iptables -A f0to1 -p tcp --sport 1024:65535 --dport 443:443 -m state --state NEW -j ACCEPT
# Allow 'netbios'
# NETBIOS Name Service
iptables -A f0to1 -p tcp --sport 0:65535 --dport 137:137 -m state --state NEW -j ACCEPT
# NETBIOS Name Service
iptables -A f0to1 -p udp --sport 1024:65535 --dport 137:137 -j ACCEPT
iptables -A f0to1 -p udp --sport 137:137 --dport 137:137 -j ACCEPT
# NETBIOS Name Service, announcements, lookup replies.
iptables -A f1to0 -p udp --sport 137:137 --dport 1024:65535 -j ACCEPT
iptables -A f1to0 -p udp --sport 137:137 --dport 137:137 -j ACCEPT
# NETBIOS Datagram Service
iptables -A f0to1 -p udp --sport 1024:65535 --dport 138:138 -j ACCEPT
# NETBIOS Datagram Service (announcement)
iptables -A f1to0 -p udp --sport 138:138 --dport 138:138 -j ACCEPT
# NETBIOS Datagram Service (printer search)
iptables -A f0to1 -p udp --sport 138:138 --dport 138:138 -j ACCEPT
# NETBIOS Session Service
iptables -A f0to1 -p tcp --sport 0:65535 --dport 139:139 -m state --state NEW -j ACCEPT
# NETBIOS Session Service
iptables -A f0to1 -p udp --sport 1024:65535 --dport 139:139 -j ACCEPT
# Allow 'auth'
iptables -A f0to1 -p tcp --sport 1024:65535 --dport 113:113 -m state --state NEW -j ACCEPT
iptables -A f0to1 -p udp --sport 0:65535 --dport 113:113 -j ACCEPT
# Allow 'jabber'
iptables -A f0to1 -p tcp --sport 1024:65535 --dport 5222:5222 -m state --state NEW -j ACCEPT
# Jabber over Secure Socket Layer
iptables -A f0to1 -p tcp --sport 1024:65535 --dport 5223:5223 -m state --state NEW -j ACCEPT
# Allow 'pop3s'
iptables -A f0to1 -p tcp --sport 1024:65535 --dport 995:995 -m state --state NEW -j ACCEPT
# Allow 'ftp'
# Control connection
iptables -A f0to1 -p tcp --sport 1024:65535 --dport 21:21 -m state --state NEW -j ACCEPT
# Data connection
#  - Handled by netfilter state tracking
# Data connection passive mode
#  - Handled by netfilter state tracking
# Allow 'ping'
# Echo Request
iptables -A f0to1 -p icmp --icmp-type echo-request -j ACCEPT
# Echo reply
iptables -A f1to0 -p icmp --icmp-type echo-reply -j ACCEPT
# Allow 'webmin'
iptables -A f0to1 -p tcp --sport 1024:65535 --dport 10000:10000 -m state --state NEW -j ACCEPT
# Allow 'domain'
iptables -A f0to1 -p tcp --sport 0:65535 --dport 53:53 -m state --state NEW -j ACCEPT
iptables -A f0to1 -p udp --sport 0:65535 --dport 53:53 -j ACCEPT
# Allow 'smtps'
iptables -A f0to1 -p tcp --sport 1024:65535 --dport 465:465 -m state --state NEW -j ACCEPT
# Allow 'ssh'
# Normal connection
iptables -A f0to1 -p tcp --sport 1024:65535 --dport 22:22 -m state --state NEW -j ACCEPT
# privileged source port (rhosts compat.)
iptables -A f0to1 -p tcp --sport 0:1023 --dport 22:22 -m state --state NEW -j ACCEPT

# Rejected traffic from 'Internet' to 'Obszar Lokalny'

# Traffic from 'Obszar Lokalny' to 'Internet'
# Allow 'smtp'
iptables -A f1to0 -p tcp --sport 1024:5999 --dport 25:25 -m state --state NEW -j ACCEPT
# Allow 'nicname'
iptables -A f1to0 -p tcp --sport 1024:5999 --dport 43:43 -m state --state NEW -j ACCEPT
iptables -A f1to0 -p udp --sport 0:65535 --dport 43:43 -j ACCEPT
# Allow 'snmp'
iptables -A f1to0 -p udp --sport 1024:5999 --dport 161:161 -j ACCEPT
# Allow 'irc'
# Server connection
iptables -A f1to0 -p tcp --sport 1024:5999 --dport 6660:6669 -m state --state NEW -j ACCEPT
#  - Handled by netfilter state tracking
# Allow 'microsoft-ds'
# SMB over TCP
iptables -A f1to0 -p tcp --sport 0:65535 --dport 445:445 -m state --state NEW -j ACCEPT
# Allow 'pop3'
iptables -A f1to0 -p tcp --sport 1024:5999 --dport 110:110 -m state --state NEW -j ACCEPT
# Allow 'http'
iptables -A f1to0 -p tcp --sport 1024:5999 --dport 80:80 -m state --state NEW -j ACCEPT
iptables -A f1to0 -p tcp --sport 1024:5999 --dport 8080:8080 -m state --state NEW -j ACCEPT
iptables -A f1to0 -p tcp --sport 1024:5999 --dport 8008:8008 -m state --state NEW -j ACCEPT
iptables -A f1to0 -p tcp --sport 1024:5999 --dport 8000:8000 -m state --state NEW -j ACCEPT
iptables -A f1to0 -p tcp --sport 1024:5999 --dport 8888:8888 -m state --state NEW -j ACCEPT
# Allow 'time'
iptables -A f1to0 -p udp --sport 1024:5999 --dport 37:37 -j ACCEPT
iptables -A f1to0 -p tcp --sport 1024:5999 --dport 37:37 -m state --state NEW -j ACCEPT
# Allow 'ntp'
iptables -A f1to0 -p udp --sport 0:65535 --dport 123:123 -j ACCEPT
iptables -A f1to0 -p tcp --sport 1024:5999 --dport 123:123 -m state --state NEW -j ACCEPT
# Allow 'ah'
iptables -A f1to0 -p 51 -j ACCEPT
# Allow 'https'
iptables -A f1to0 -p tcp --sport 1024:5999 --dport 443:443 -m state --state NEW -j ACCEPT
# Allow 'netbios'
# NETBIOS Name Service
iptables -A f1to0 -p tcp --sport 0:65535 --dport 137:137 -m state --state NEW -j ACCEPT
# NETBIOS Name Service
iptables -A f1to0 -p udp --sport 1024:5999 --dport 137:137 -j ACCEPT
iptables -A f1to0 -p udp --sport 137:137 --dport 137:137 -j ACCEPT
# NETBIOS Name Service, announcements, lookup replies.
iptables -A f0to1 -p udp --sport 137:137 --dport 1024:5999 -j ACCEPT
iptables -A f0to1 -p udp --sport 137:137 --dport 137:137 -j ACCEPT
# NETBIOS Datagram Service
iptables -A f1to0 -p udp --sport 1024:5999 --dport 138:138 -j ACCEPT
# NETBIOS Datagram Service (announcement)
iptables -A f0to1 -p udp --sport 138:138 --dport 138:138 -j ACCEPT
# NETBIOS Datagram Service (printer search)
iptables -A f1to0 -p udp --sport 138:138 --dport 138:138 -j ACCEPT
# NETBIOS Session Service
iptables -A f1to0 -p tcp --sport 0:65535 --dport 139:139 -m state --state NEW -j ACCEPT
# NETBIOS Session Service
iptables -A f1to0 -p udp --sport 1024:5999 --dport 139:139 -j ACCEPT
# Allow 'auth'
iptables -A f1to0 -p tcp --sport 1024:5999 --dport 113:113 -m state --state NEW -j ACCEPT
iptables -A f1to0 -p udp --sport 0:65535 --dport 113:113 -j ACCEPT
# Allow 'jabber'
iptables -A f1to0 -p tcp --sport 1024:5999 --dport 5222:5222 -m state --state NEW -j ACCEPT
# Jabber over Secure Socket Layer
iptables -A f1to0 -p tcp --sport 1024:5999 --dport 5223:5223 -m state --state NEW -j ACCEPT
# Allow 'pop3s'
iptables -A f1to0 -p tcp --sport 1024:5999 --dport 995:995 -m state --state NEW -j ACCEPT
# Allow 'ftp'
# Control connection
iptables -A f1to0 -p tcp --sport 1024:5999 --dport 21:21 -m state --state NEW -j ACCEPT
# Data connection
#  - Handled by netfilter state tracking
# Data connection passive mode
#  - Handled by netfilter state tracking
# Allow 'ping'
# Echo Request
iptables -A f1to0 -p icmp --icmp-type echo-request -j ACCEPT
# Echo reply
iptables -A f0to1 -p icmp --icmp-type echo-reply -j ACCEPT
# Allow 'webmin'
iptables -A f1to0 -p tcp --sport 1024:5999 --dport 10000:10000 -m state --state NEW -j ACCEPT
# Allow 'domain'
iptables -A f1to0 -p tcp --sport 0:65535 --dport 53:53 -m state --state NEW -j ACCEPT
iptables -A f1to0 -p udp --sport 0:65535 --dport 53:53 -j ACCEPT
# Allow 'smtps'
iptables -A f1to0 -p tcp --sport 1024:5999 --dport 465:465 -m state --state NEW -j ACCEPT

# Rejected traffic from 'Obszar Lokalny' to 'Internet'

# Place DROP and log rules at the end of our filter chains.
# Failing all the rules above, we log and DROP the packet.
iptables -A f0to1 -j logdrop
# Failing all the rules above, we log and DROP the packet.
iptables -A f1to0 -j logdrop

# Add some temp DNS accept rules to the input and output chains.
# This is so that we can pass domain names to iptables and have it
# look them up without being blocked by our half-complete firewall.
if [ $MIN_MODE -eq 0 ] ; then
  iptables -A OUTPUT -p tcp --sport 0:65535 --dport 53:53 -j ACCEPT
  iptables -A INPUT -p tcp ! --syn --sport 53:53 --dport 0:65535 -j ACCEPT
  iptables -A OUTPUT -p udp --sport 0:65535 --dport 53:53 -j ACCEPT
  iptables -A INPUT -p udp --sport 53:53 --dport 0:65535 -j ACCEPT
fi

# Chain to split traffic coming from zone 'Internet' by dest zone
iptables -N s0
for X in $IPS ; do
    iptables -A s0 -d $X -j f0to1
done
if [ $MIN_MODE -eq 0 ] ; then
    true # make sure this if [] has at least something in it.
fi
iptables -A s0 -j logdrop

# Chain to split traffic coming from zone 'Obszar Lokalny' by dest zone
iptables -N s1
if [ $MIN_MODE -eq 0 ] ; then
    true # make sure this if [] has at least something in it.
fi
iptables -A s1 -j f1to0
# Create the srcfilt chain
iptables -N srcfilt
if [ $MIN_MODE -eq 0 ] ; then
    true # make sure this if [] has at least something in it.
fi
# Assume internet default rule
iptables -A srcfilt -j s0

if [ $MIN_MODE -eq 0 ] ; then
  # Remove the temp DNS accept rules
  iptables -D OUTPUT -p tcp --sport 0:65535 --dport 53:53 -j ACCEPT
  iptables -D INPUT -p tcp ! --syn --sport 53:53 --dport 0:65535 -j ACCEPT
  iptables -D OUTPUT -p udp --sport 0:65535 --dport 53:53 -j ACCEPT
  iptables -D INPUT -p udp --sport 53:53 --dport 0:65535 -j ACCEPT
fi

# The output chain is very simple. We direct everything to the
# 'source is local' split chain.
iptables -A OUTPUT -j s1

iptables -A INPUT -j nicfilt
iptables -A INPUT -j srcfilt

# All traffic on the forward chains goes to the srcfilt chain.
iptables -A FORWARD -j srcfilt &> /dev/null

logger -p auth.info -t guarddog Finished configuring firewall
[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Zrobione"
fi;
fi;
true

Local ports

Code:

nmap -sS 127.0.0.1

Starting Nmap 4.62 ( http://nmap.org ) at 2009-03-28 13:34 CET
Interesting ports on localhost (127.0.0.1):
Not shown: 1708 closed ports
PORT      STATE SERVICE
25/tcp    open  smtp
111/tcp   open  rpcbind
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
631/tcp   open  ipp
3000/tcp  open  ppp
10000/tcp open  snet-sensor-mgmt

Nmap done: 1 IP address (1 host up) scanned in 0.170 seconds

Ports facing the network

Code:

nmap -sS 192.168.1.101

Starting Nmap 4.62 ( http://nmap.org ) at 2009-03-28 13:35 CET
Interesting ports on 192.168.1.101:
Not shown: 1709 closed ports
PORT      STATE SERVICE
111/tcp   open  rpcbind
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
631/tcp   open  ipp
3000/tcp  open  ppp
10000/tcp open  snet-sensor-mgmt

Nmap done: 1 IP address (1 host up) scanned in 0.186 seconds

Listing of the iptables chains

Code:

 iptables --list -n --line-numbers
Chain INPUT (policy DROP)
num  target     prot opt source               destination         
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
2    ACCEPT     all  --  192.168.1.101        255.255.255.255     
3    logaborted  tcp  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED tcp flags:0x04/0x04 
4    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
5    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 3 
6    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 11 
7    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 12 
8    nicfilt    all  --  0.0.0.0/0            0.0.0.0/0           
9    srcfilt    all  --  0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP)
num  target     prot opt source               destination         
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 3 
3    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 11 
4    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 12 
5    srcfilt    all  --  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy DROP)
num  target     prot opt source               destination         
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
3    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 3 
4    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 11 
5    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 12 
6    s1         all  --  0.0.0.0/0            0.0.0.0/0           

Chain f0to1 (3 references)
num  target     prot opt source               destination         
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1024:65535 dpt:25 state NEW 
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1024:65535 dpt:43 state NEW 
3    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:43 
4    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spts:1024:65535 dpt:161 
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1024:65535 dpts:6660:6669 state NEW 
6    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:445 state NEW 
7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1024:65535 dpt:110 state NEW 
8    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1024:65535 dpt:80 state NEW 
9    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1024:65535 dpt:8080 state NEW 
10   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1024:65535 dpt:8008 state NEW 
11   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1024:65535 dpt:8000 state NEW 
12   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1024:65535 dpt:8888 state NEW 
13   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spts:1024:65535 dpt:37 
14   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1024:65535 dpt:37 state NEW 
15   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:123 
16   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1024:65535 dpt:123 state NEW 
17   ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0           
18   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1024:65535 dpt:443 state NEW 
19   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:137 state NEW 
20   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spts:1024:65535 dpt:137 
21   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:137 dpt:137 
22   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spts:1024:65535 dpt:138 
23   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:138 dpt:138 
24   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:139 state NEW 
25   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spts:1024:65535 dpt:139 
26   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1024:65535 dpt:113 state NEW 
27   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:113 
28   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1024:65535 dpt:5222 state NEW 
29   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1024:65535 dpt:5223 state NEW 
30   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1024:65535 dpt:995 state NEW 
31   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1024:65535 dpt:21 state NEW 
32   ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8 
33   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1024:65535 dpt:10000 state NEW 
34   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:53 state NEW 
35   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53 
36   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1024:65535 dpt:465 state NEW 
37   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1024:65535 dpt:22 state NEW 
38   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:0:1023 dpt:22 state NEW 
39   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:137 dpts:1024:5999 
40   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:137 dpt:137 
41   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:138 dpt:138 
42   ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 0 
43   logdrop    all  --  0.0.0.0/0            0.0.0.0/0           

Chain f1to0 (1 references)
num  target     prot opt source               destination         
1    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:137 dpts:1024:65535 
2    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:137 dpt:137 
3    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:138 dpt:138 
4    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 0 
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1024:5999 dpt:25 state NEW 
6    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1024:5999 dpt:43 state NEW 
7    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:43 
8    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spts:1024:5999 dpt:161 
9    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1024:5999 dpts:6660:6669 state NEW 
10   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:445 state NEW 
11   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1024:5999 dpt:110 state NEW 
12   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1024:5999 dpt:80 state NEW 
13   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1024:5999 dpt:8080 state NEW 
14   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1024:5999 dpt:8008 state NEW 
15   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1024:5999 dpt:8000 state NEW 
16   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1024:5999 dpt:8888 state NEW 
17   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spts:1024:5999 dpt:37 
18   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1024:5999 dpt:37 state NEW 
19   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:123 
20   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1024:5999 dpt:123 state NEW 
21   ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0           
22   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1024:5999 dpt:443 state NEW 
23   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:137 state NEW 
24   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spts:1024:5999 dpt:137 
25   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:137 dpt:137 
26   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spts:1024:5999 dpt:138 
27   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:138 dpt:138 
28   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:139 state NEW 
29   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spts:1024:5999 dpt:139 
30   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1024:5999 dpt:113 state NEW 
31   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:113 
32   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1024:5999 dpt:5222 state NEW 
33   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1024:5999 dpt:5223 state NEW 
34   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1024:5999 dpt:995 state NEW 
35   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1024:5999 dpt:21 state NEW 
36   ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8 
37   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1024:5999 dpt:10000 state NEW 
38   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:53 state NEW 
39   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53 
40   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp spts:1024:5999 dpt:465 state NEW 
41   logdrop    all  --  0.0.0.0/0            0.0.0.0/0           

Chain logaborted (1 references)
num  target     prot opt source               destination         
1    logaborted2  all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 1/sec burst 10 
2    LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 2/min burst 1 LOG flags 0 level 4 prefix `LIMITED ' 

Chain logaborted2 (1 references)
num  target     prot opt source               destination         
1    LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG flags 7 level 4 prefix `ABORTED ' 
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 

Chain logdrop (4 references)
num  target     prot opt source               destination         
1    logdrop2   all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 1/sec burst 10 
2    LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 2/min burst 1 LOG flags 0 level 4 prefix `LIMITED ' 
3    DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain logdrop2 (1 references)
num  target     prot opt source               destination         
1    LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG flags 7 level 4 prefix `DROPPED ' 
2    DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain logreject (0 references)
num  target     prot opt source               destination         
1    logreject2  all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 1/sec burst 10 
2    LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 2/min burst 1 LOG flags 0 level 4 prefix `LIMITED ' 
3    REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           reject-with tcp-reset 
4    REJECT     udp  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable 
5    DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain logreject2 (1 references)
num  target     prot opt source               destination         
1    LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG flags 7 level 4 prefix `REJECTED ' 
2    REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           reject-with tcp-reset 
3    REJECT     udp  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable 
4    DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain nicfilt (1 references)
num  target     prot opt source               destination         
1    RETURN     all  --  0.0.0.0/0            0.0.0.0/0           
2    RETURN     all  --  0.0.0.0/0            0.0.0.0/0           
3    RETURN     all  --  0.0.0.0/0            0.0.0.0/0           
4    logdrop    all  --  0.0.0.0/0            0.0.0.0/0           

Chain s0 (1 references)
num  target     prot opt source               destination         
1    f0to1      all  --  0.0.0.0/0            192.168.1.101       
2    f0to1      all  --  0.0.0.0/0            255.255.255.255     
3    f0to1      all  --  0.0.0.0/0            127.0.0.1           
4    logdrop    all  --  0.0.0.0/0            0.0.0.0/0           

Chain s1 (1 references)
num  target     prot opt source               destination         
1    f1to0      all  --  0.0.0.0/0            0.0.0.0/0           

Chain srcfilt (2 references)
num  target     prot opt source               destination         
1    s0         all  --  0.0.0.0/0            0.0.0.0/0

I would be grateful for any hints.

I also created scripts with KMyFirewall and Firestarter, with the same result: Samba was blocked.

Regards


EDIT:
Guarddog had served me well until now, but despite many configuration changes and attempts I could not get it to unblock Samba - it stayed unreachable.
I uninstalled the faithful program and adapted a plain iptables script instead - Samba became visible to the computers on the local network.

Thank you for your interest

Regards

Last edited by DadaD (2009-03-31 13:31:54)


"To err is human; to persist in error is the mark of a fool"
Seneca
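An added example, not part of DadaD's post and not Guarddog's code: a small Python replay of the chain listing above. It parses the non-verbose `iptables --list -n --line-numbers` layout (source and destination address, protocol, port ranges and conntrack state are modelled; `-i`/`-o` interface matches and ICMP types are not, because a dump made without `-v` does not show interfaces) and walks a packet through INPUT, recording which rule in which chain decides it. The traffic is constructed: a LAN peer at 192.168.1.50, and the LAN is assumed to be a /24 so that 192.168.1.255 is its directed broadcast; neither value comes from the post. Run against the posted rules, a unicast SMB connection to 192.168.1.101:445 is accepted in f0to1, while a NetBIOS name-service datagram to the 192.168.1.255 broadcast never reaches f0to1: the s0 splitter only lists the addresses the script scraped from ifconfig (192.168.1.101, 255.255.255.255, 127.0.0.1) and sends everything else to logdrop.

```python
import ipaddress
import re

# Constructed excerpt of the `iptables --list -n --line-numbers` dump posted
# above, cut down to the rules a NEW packet from another host can reach on
# INPUT (header rows dropped). INPUT rules 1-2 are omitted on purpose: without
# -v the dump hides their -i match (the script shows they are "-i lo" and the
# broadcast-from-self rule), and neither applies to a packet from the XP box.
LISTING = """\
Chain INPUT (policy DROP)
4    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
8    nicfilt    all  --  0.0.0.0/0            0.0.0.0/0
9    srcfilt    all  --  0.0.0.0/0            0.0.0.0/0
Chain f0to1 (3 references)
6    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:445 state NEW
20   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spts:1024:65535 dpt:137
21   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp spt:137 dpt:137
43   logdrop    all  --  0.0.0.0/0            0.0.0.0/0
Chain logdrop (4 references)
1    logdrop2   all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 1/sec burst 10
Chain logdrop2 (1 references)
1    LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG flags 7 level 4 prefix `DROPPED '
2    DROP       all  --  0.0.0.0/0            0.0.0.0/0
Chain nicfilt (1 references)
1    RETURN     all  --  0.0.0.0/0            0.0.0.0/0
Chain s0 (1 references)
1    f0to1      all  --  0.0.0.0/0            192.168.1.101
2    f0to1      all  --  0.0.0.0/0            255.255.255.255
3    f0to1      all  --  0.0.0.0/0            127.0.0.1
4    logdrop    all  --  0.0.0.0/0            0.0.0.0/0
Chain srcfilt (2 references)
1    s0         all  --  0.0.0.0/0            0.0.0.0/0
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\w+)|\d+ references)\)")
RULE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+\S+\s+(\S+)\s+(\S+)\s*(.*)$")
PORT_RE = re.compile(r"\b([sd])pts?:(\d+)(?::(\d+))?")   # spt:137, dpts:1024:5999


def parse_listing(text):
    """Return {chain: {"policy": str|None, "rules": [...]}} from a -n dump."""
    chains, current = {}, None
    for line in text.splitlines():
        if m := CHAIN_RE.match(line):
            current = chains.setdefault(m.group(1), {"policy": m.group(2), "rules": []})
        elif current is not None and (m := RULE_RE.match(line)):
            num, target, prot, src, dst, extra = m.groups()
            current["rules"].append({"num": int(num), "target": target, "prot": prot,
                                     "src": ipaddress.ip_network(src),
                                     "dst": ipaddress.ip_network(dst), "extra": extra})
    return chains


def matches(rule, pkt):
    """Evaluate the matches visible in the dump; rate limits are assumed unexhausted."""
    if rule["prot"] not in ("all", pkt["proto"]):
        return False
    if pkt["src"] not in rule["src"] or pkt["dst"] not in rule["dst"]:
        return False
    extra = rule["extra"]
    if (m := re.search(r"\bstate (\S+)", extra)) and pkt["state"] not in m.group(1).split(","):
        return False
    for side, lo, hi in PORT_RE.findall(extra):      # side is "s" or "d"
        if not int(lo) <= pkt[side + "port"] <= int(hi or lo):
            return False
    return True


def walk(chains, name, pkt, trace):
    """Traverse one chain like netfilter; return a verdict, or None on RETURN/fall-off."""
    for rule in chains[name]["rules"]:
        if not matches(rule, pkt):
            continue
        target = rule["target"]
        trace.append(f"{name}:{rule['num']}->{target}")
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        if target == "RETURN":
            return None
        if target in chains and (verdict := walk(chains, target, pkt, trace)):
            return verdict
        # LOG, or a user chain that came back without a verdict: keep going
    return None


def verdict_for(chains, pkt, chain="INPUT"):
    """Final verdict (falling back to the chain policy) plus the rule path behind it."""
    trace = []
    return walk(chains, chain, pkt, trace) or chains[chain]["policy"], trace


def packet(proto, src, dst, sport, dport):
    """A NEW-state packet as conntrack would classify a first SYN or first datagram."""
    return {"proto": proto, "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "sport": sport, "dport": dport, "state": "NEW"}


if __name__ == "__main__":
    chains = parse_listing(LISTING)
    # Constructed traffic from a LAN peer 192.168.1.50; the LAN is assumed to be
    # a /24, which makes 192.168.1.255 the subnet-directed broadcast.
    for label, pkt in [("SMB/445 unicast", packet("tcp", "192.168.1.50", "192.168.1.101", 1040, 445)),
                       ("NetBIOS-NS to 192.168.1.255", packet("udp", "192.168.1.50", "192.168.1.255", 137, 137)),
                       ("NetBIOS-NS to 255.255.255.255", packet("udp", "192.168.1.50", "255.255.255.255", 137, 137))]:
        verdict, trace = verdict_for(chains, pkt)
        print(f"{label:30} {verdict:6} {' > '.join(trace)}")
```

On a live host, take the dump with `iptables -L -v -n --line-numbers` instead: the extra `in`/`out` columns show the interface matches this parser cannot see, and the per-rule packet counters on the `logdrop` entry in s0 tell you directly whether broadcast traffic is being discarded there. The `DROPPED ` prefix on the LOG rule in logdrop2 is the string to look for in syslog to confirm the same thing from the log side.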
