Chapter 7: Network Firewalls (Part 2)

王朝厨房 · author unknown · 2007-01-05

Firewall script files

With ipchains you can build a firewall, set up IP masquerading, and so on. ipchains talks to the kernel and tells it which packets to filter. All firewall settings therefore live in the kernel, and they are lost when the system reboots.

To avoid this, we recommend using a System V init script so that the security policy stays in force permanently. To do so, create a firewall script file under "/etc/rc.d/init.d" on each server, as in the examples below. As a precaution, each server provides different services and uses a different firewall configuration. For that reason we provide a series of different firewall configurations, which you can test and adapt to your own needs. We also assume that you have a basic understanding of packet-filtering firewalls and of how firewall rules are processed.

Configuring the "/etc/rc.d/init.d/firewall" script for a Web server

Below is the configuration script for our Web server. This configuration allows all traffic on the loopback interface and, by default, ICMP, a caching DNS server and DNS client (53), an SSH server (22), an HTTP server (80), an HTTPS server (443), an SMTP client (25), an FTP server (20, 21) and OUTGOING TRACEROUTE requests (used to find where errors occur on the path to an address; translator's note).

If you do not need some of the services I enable by default in the file below, comment them out by putting a "#" at the start of the corresponding lines. If you need a service that is commented out, remove the "#" at the start of its lines.

Create the following firewall script file on the Web server (with touch /etc/rc.d/init.d/firewall):

#!/bin/sh

#

# ----------------------------------------------------------------------------

# Last modified by Gerhard Mourani: 02-01-2000

# ----------------------------------------------------------------------------

# Copyright (C) 1997, 1998, 1999 Robert L. Ziegler

#

# Permission to use, copy, modify, and distribute this software and its

# documentation for educational, research, private and non-profit purposes,

# without fee, and without a written agreement is hereby granted.

# This software is provided as an example and basis for individual firewall

# development. This software is provided without warranty.

#

# Any material furnished by Robert L. Ziegler is furnished on an

# "as is" basis. He makes no warranties of any kind, either expressed

# or implied as to any matter including, but not limited to, warranty

# of fitness for a particular purpose, exclusivity or results obtained

# from use of the material.

# ----------------------------------------------------------------------------

#

# Invoked from /etc/rc.d/init.d/firewall.

# chkconfig: - 60 95

# description: Starts and stops the IPCHAINS Firewall

# used to provide Firewall network services.

# Source function library.

. /etc/rc.d/init.d/functions

# Source networking configuration.

. /etc/sysconfig/network

# Check that networking is up.

[ "${NETWORKING}" = "no" ] && exit 0

# See how we were called.

case "$1" in

start)

echo -n "Starting Firewalling Services: "

# Some definitions for easy maintenance.

# ----------------------------------------------------------------------------

# EDIT THESE TO SUIT YOUR SYSTEM AND ISP.

EXTERNAL_INTERFACE="eth0" # whichever you use

LOOPBACK_INTERFACE="lo"

IPADDR="208.164.186.3"

ANYWHERE="any/0"

NAMESERVER_1="208.164.186.1" # Your primary name server

NAMESERVER_2="208.164.186.2" # Your secondary name server

SMTP_SERVER="mail.openarch.com" # Your Mail Hub Server.

SYSLOG_SERVER="mail.openarch.com" # Your syslog internal server

SYSLOG_CLIENT="208.164.168.0/24" # Your syslog internal client

LOOPBACK="127.0.0.0/8"

CLASS_A="10.0.0.0/8"

CLASS_B="172.16.0.0/12"

CLASS_C="192.168.0.0/16"

CLASS_D_MULTICAST="224.0.0.0/4"

CLASS_E_RESERVED_NET="240.0.0.0/5"

BROADCAST_SRC="0.0.0.0"

BROADCAST_DEST="255.255.255.255"

PRIVPORTS="0:1023"

UNPRIVPORTS="1024:65535"

# ----------------------------------------------------------------------------

# SSH starts at 1023 and works down to 513 for

# each additional simultaneous incoming connection.

SSH_PORTS="1022:1023" # range for SSH privileged ports

# traceroute usually uses -S 32769:65535 -D 33434:33523

TRACEROUTE_SRC_PORTS="32769:65535"

TRACEROUTE_DEST_PORTS="33434:33523"

# ----------------------------------------------------------------------------

# Default policy is DENY

# Explicitly accept desired INCOMING & OUTGOING connections

# Remove all existing rules belonging to this filter

ipchains -F

# Set the default policy of the filter to deny.

ipchains -P input DENY

ipchains -P output REJECT

ipchains -P forward REJECT

# ----------------------------------------------------------------------------

# Enable TCP SYN Cookie Protection

echo 1 >/proc/sys/net/ipv4/tcp_syncookies

# Enable IP spoofing protection

# turn on Source Address Verification

for f in /proc/sys/net/ipv4/conf/*/rp_filter; do

echo 1 > $f

done

# Disable ICMP Redirect Acceptance

for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do

echo 0 > $f

done

# Disable Source Routed Packets

for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do

echo 0 > $f

done

# ----------------------------------------------------------------------------

# LOOPBACK

# Unlimited traffic on the loopback interface.

ipchains -A input -i $LOOPBACK_INTERFACE -j ACCEPT

ipchains -A output -i $LOOPBACK_INTERFACE -j ACCEPT

# ----------------------------------------------------------------------------

# Network Ghouls

# Deny access to jerks

# /etc/rc.d/rc.firewall.blocked contains a list of

# ipchains -A input -i $EXTERNAL_INTERFACE -s address -j DENY

# rules to block from any access.

# Refuse any connection from problem sites

#if [ -f /etc/rc.d/rc.firewall.blocked ]; then

# . /etc/rc.d/rc.firewall.blocked

#fi

# ----------------------------------------------------------------------------

# SPOOFING & BAD ADDRESSES

# Refuse spoofed packets.

# Ignore blatantly illegal source addresses.

# Protect yourself from sending to bad addresses.

# Refuse spoofed packets pretending to be from the external address.

ipchains -A input -i $EXTERNAL_INTERFACE -s $IPADDR -j DENY -l

# Refuse packets claiming to be to or from a Class A private network

ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_A -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -d $CLASS_A -j DENY -l

ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_A -j REJECT -l

ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_A -j REJECT -l

# Refuse packets claiming to be to or from a Class B private network

ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_B -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -d $CLASS_B -j DENY -l

ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_B -j REJECT -l

ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_B -j REJECT -l

# Refuse packets claiming to be to or from a Class C private network

ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_C -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -d $CLASS_C -j DENY -l

ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_C -j REJECT -l

ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_C -j REJECT -l

# Refuse packets claiming to be from the loopback interface

ipchains -A input -i $EXTERNAL_INTERFACE -s $LOOPBACK -j DENY -l

ipchains -A output -i $EXTERNAL_INTERFACE -s $LOOPBACK -j REJECT -l

# Refuse broadcast address SOURCE packets

ipchains -A input -i $EXTERNAL_INTERFACE -s $BROADCAST_DEST -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -d $BROADCAST_SRC -j DENY -l

# Refuse Class D multicast addresses (in.h) (NET-3-HOWTO)

# Multicast is illegal as a source address.

# Multicast uses UDP.

ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_D_MULTICAST -j DENY -l

# Refuse Class E reserved IP addresses

ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_E_RESERVED_NET -j DENY -l

# refuse addresses defined as reserved by the IANA

# 0.*.*.*, 1.*.*.*, 2.*.*.*, 5.*.*.*, 7.*.*.*, 23.*.*.*, 27.*.*.*

# 31.*.*.*, 37.*.*.*, 39.*.*.*, 41.*.*.*, 42.*.*.*, 58-60.*.*.*

# 65-95.*.*.*, 96-126.*.*.*, 197.*.*.*, 201.*.*.* (?), 217-223.*.*.*

ipchains -A input -i $EXTERNAL_INTERFACE -s 1.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 2.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 5.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 7.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 23.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 27.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 31.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 37.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 39.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 41.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 42.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 58.0.0.0/7 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 60.0.0.0/8 -j DENY -l

#65: 01000001 - /3 includes 64 - need 65-79 spelled out

ipchains -A input -i $EXTERNAL_INTERFACE -s 65.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 66.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 67.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 68.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 69.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 70.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 71.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 72.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 73.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 74.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 75.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 76.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 77.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 78.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 79.0.0.0/8 -j DENY -l

#80: 01010000 - /4 masks 80-95

ipchains -A input -i $EXTERNAL_INTERFACE -s 80.0.0.0/4 -j DENY -l

# 96: 01100000 - /4 masks 96-111

ipchains -A input -i $EXTERNAL_INTERFACE -s 96.0.0.0/4 -j DENY -l

#126: 01111110 - /3 includes 127 - need 112-126 spelled out

ipchains -A input -i $EXTERNAL_INTERFACE -s 112.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 113.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 114.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 115.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 116.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 117.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 118.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 119.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 120.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 121.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 122.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 123.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 124.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 125.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 126.0.0.0/8 -j DENY -l

#217: 11011001 - /5 includes 216 - need 217-219 spelled out

ipchains -A input -i $EXTERNAL_INTERFACE -s 217.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 218.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 219.0.0.0/8 -j DENY -l

#223: 11011111 - /6 masks 220-223

ipchains -A input -i $EXTERNAL_INTERFACE -s 220.0.0.0/6 -j DENY -l

# ----------------------------------------------------------------------------

# ICMP

# To prevent denial of service attacks based on ICMP bombs, filter

# incoming Redirect (5) and outgoing Destination Unreachable (3).

# Note, however, disabling Destination Unreachable (3) is not

# advisable, as it is used to negotiate packet fragment size.

# For bi-directional ping.

# Message Types: Echo_Reply (0), Echo_Request (8)

# To prevent attacks, limit the src addresses to your ISP range.

#

# For outgoing traceroute.

# Message Types: INCOMING Dest_Unreachable (3), Time_Exceeded (11)

# default UDP base: 33434 to base+nhops-1

#

# For incoming traceroute.

# Message Types: OUTGOING Dest_Unreachable (3), Time_Exceeded (11)

# To block this, deny OUTGOING 3 and 11

# 0: echo-reply (pong)

# 3: destination-unreachable, port-unreachable, fragmentation-needed, etc.

# 4: source-quench

# 5: redirect

# 8: echo-request (ping)

# 11: time-exceeded

# 12: parameter-problem

ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
         -s $ANYWHERE 0 -d $IPADDR -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
         -s $ANYWHERE 3 -d $IPADDR -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
         -s $ANYWHERE 4 -d $IPADDR -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
         -s $ANYWHERE 11 -d $IPADDR -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
         -s $ANYWHERE 12 -d $IPADDR -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
         -s 208.164.186.0/24 8 -d $IPADDR -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
         -s $IPADDR 0 -d 208.164.186.0/24 -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
         -s $IPADDR 3 -d $ANYWHERE -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
         -s $IPADDR 4 -d $ANYWHERE -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
         -s $IPADDR 8 -d $ANYWHERE -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
         -s $IPADDR 12 -d $ANYWHERE -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
         -s $IPADDR 11 -d 208.164.186.0/24 -j ACCEPT

# ----------------------------------------------------------------------------

# UDP INCOMING TRACEROUTE

# traceroute usually uses -S 32769:65535 -D 33434:33523

ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
         -s 208.164.186.0/24 $TRACEROUTE_SRC_PORTS \
         -d $IPADDR $TRACEROUTE_DEST_PORTS -j ACCEPT -l

ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
         -s $ANYWHERE $TRACEROUTE_SRC_PORTS \
         -d $IPADDR $TRACEROUTE_DEST_PORTS -j DENY -l

# ----------------------------------------------------------------------------

# DNS server

# ----------

# DNS forwarding, caching only nameserver (53)

# --------------------------------------------

# server to server query or response

# Caching only name server only requires UDP, not TCP

ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
         -s $NAMESERVER_1 53 \
         -d $IPADDR 53 -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
         -s $IPADDR 53 \
         -d $NAMESERVER_1 53 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
         -s $NAMESERVER_2 53 \
         -d $IPADDR 53 -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
         -s $IPADDR 53 \
         -d $NAMESERVER_2 53 -j ACCEPT

# DNS client (53)

# ---------------

ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
         -s $NAMESERVER_1 53 \
         -d $IPADDR $UNPRIVPORTS -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
         -s $IPADDR $UNPRIVPORTS \
         -d $NAMESERVER_1 53 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
         -s $NAMESERVER_1 53 \
         -d $IPADDR $UNPRIVPORTS -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
         -s $IPADDR $UNPRIVPORTS \
         -d $NAMESERVER_1 53 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
         -s $NAMESERVER_2 53 \
         -d $IPADDR $UNPRIVPORTS -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
         -s $IPADDR $UNPRIVPORTS \
         -d $NAMESERVER_2 53 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
         -s $NAMESERVER_2 53 \
         -d $IPADDR $UNPRIVPORTS -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
         -s $IPADDR $UNPRIVPORTS \
         -d $NAMESERVER_2 53 -j ACCEPT

# ----------------------------------------------------------------------------

# TCP accept only on selected ports

# ---------------------------------

# ------------------------------------------------------------------

# SSH server (22)

# ---------------

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
         -s $ANYWHERE $UNPRIVPORTS \
         -d $IPADDR 22 -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
         -s $IPADDR 22 \
         -d $ANYWHERE $UNPRIVPORTS -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
         -s $ANYWHERE $SSH_PORTS \
         -d $IPADDR 22 -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
         -s $IPADDR 22 \
         -d $ANYWHERE $SSH_PORTS -j ACCEPT

# SSH client (22)

# ---------------

# ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
#          -s $ANYWHERE 22 \
#          -d $IPADDR $UNPRIVPORTS -j ACCEPT

# ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
#          -s $IPADDR $UNPRIVPORTS \
#          -d $ANYWHERE 22 -j ACCEPT

# ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
#          -s $ANYWHERE 22 \
#          -d $IPADDR $SSH_PORTS -j ACCEPT

# ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
#          -s $IPADDR $SSH_PORTS \
#          -d $ANYWHERE 22 -j ACCEPT

# ------------------------------------------------------------------

# HTTP server (80)

# ----------------

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
         -s $ANYWHERE $UNPRIVPORTS \
         -d $IPADDR 80 -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
         -s $IPADDR 80 \
         -d $ANYWHERE $UNPRIVPORTS -j ACCEPT

# ------------------------------------------------------------------

# HTTPS server (443)

# ------------------

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
         -s $ANYWHERE $UNPRIVPORTS \
         -d $IPADDR 443 -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
         -s $IPADDR 443 \
         -d $ANYWHERE $UNPRIVPORTS -j ACCEPT

# ------------------------------------------------------------------

# SYSLOG server (514)

# -----------------

# Provides full remote logging. Using this feature you're able to

# control all syslog messages on one host.

# ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
#          -s $SYSLOG_CLIENT \
#          -d $IPADDR 514 -j ACCEPT

# SYSLOG client (514)

# -----------------

# ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
#          -s $IPADDR 514 \
#          -d $SYSLOG_SERVER 514 -j ACCEPT

# ------------------------------------------------------------------

# AUTH server (113)

# -----------------

# Reject, rather than deny, the incoming auth port. (NET-3-HOWTO)

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
         -s $ANYWHERE \
         -d $IPADDR 113 -j REJECT

# ------------------------------------------------------------------

# SMTP client (25)

# ----------------

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
         -s $SMTP_SERVER 25 \
         -d $IPADDR $UNPRIVPORTS -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
         -s $IPADDR $UNPRIVPORTS \
         -d $SMTP_SERVER 25 -j ACCEPT

# ------------------------------------------------------------------

# FTP server (20, 21)

# -------------------

# incoming request

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
         -s $ANYWHERE $UNPRIVPORTS \
         -d $IPADDR 21 -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
         -s $IPADDR 21 \
         -d $ANYWHERE $UNPRIVPORTS -j ACCEPT

# PORT MODE data channel responses

#

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
         -s $ANYWHERE $UNPRIVPORTS \
         -d $IPADDR 20 -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
         -s $IPADDR 20 \
         -d $ANYWHERE $UNPRIVPORTS -j ACCEPT

# PASSIVE MODE data channel responses

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
         -s $ANYWHERE $UNPRIVPORTS \
         -d $IPADDR $UNPRIVPORTS -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
         -s $IPADDR $UNPRIVPORTS \
         -d $ANYWHERE $UNPRIVPORTS -j ACCEPT

# ------------------------------------------------------------------

# OUTGOING TRACEROUTE

# -------------------

ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
         -s $IPADDR $TRACEROUTE_SRC_PORTS \
         -d $ANYWHERE $TRACEROUTE_DEST_PORTS -j ACCEPT

# ----------------------------------------------------------------------------

# Enable logging for selected denied packets

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
         -d $IPADDR -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
         -d $IPADDR $PRIVPORTS -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
         -d $IPADDR $UNPRIVPORTS -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
         -s $ANYWHERE 5 -d $IPADDR -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
         -s $ANYWHERE 13:255 -d $IPADDR -j DENY -l

# ----------------------------------------------------------------------------

;;

stop)

echo -n "Shutting Firewalling Services: "

# Remove all existing rules belonging to this filter

ipchains -F

# Reset the default policy of the filter to accept.

ipchains -P input ACCEPT

ipchains -P output ACCEPT

ipchains -P forward ACCEPT

# Reset TCP SYN Cookie Protection to off.

echo 0 >/proc/sys/net/ipv4/tcp_syncookies

# Reset IP spoofing protection to off.

# turn off Source Address Verification

for f in /proc/sys/net/ipv4/conf/*/rp_filter; do

echo 0 > $f

done

# Reset ICMP Redirect Acceptance to on.

for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do

echo 1 > $f

done

# Reset Source Routed Packets to on.

for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do

echo 1 > $f

done

;;

status)

echo -n "Now do you show firewalling stats?"

;;

restart|reload)

$0 stop

$0 start

;;

*)

echo "Usage: firewall {start|stop|status|restart|reload}"

exit 1

esac

Now make the script executable and change its default permissions:

[root@deep]# chmod 700 /etc/rc.d/init.d/firewall

[root@deep]# chown 0.0 /etc/rc.d/init.d/firewall

Create the symbolic links between the firewall file and rc.d:

[root@deep]# chkconfig --add firewall

[root@deep]# chkconfig --level 345 firewall on

The firewall rules are now configured through System V init (which starts all the normal programs that have to run during system boot), and they will be run automatically whenever the server restarts.

To stop the firewall manually, use:

[root@deep]# /etc/rc.d/init.d/firewall stop

To start the firewall manually, use:

[root@deep]# /etc/rc.d/init.d/firewall start
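As an added example (not part of the original chapter and not Mourani's or Ziegler's script), the following POSIX shell session shows how to exercise a firewall init script of this shape before installing it: a fake ipchains placed first in PATH records every invocation instead of loading rules, so the resulting rule set can be reviewed on a machine without root and without the ipchains binary. The miniature script, the placeholder address 198.51.100.3, the log file name and the deliberately broken copy with its continuation backslashes stripped are all constructed for this example.

```shell
#!/bin/sh
# Dry-run an ipchains init script through a recording shim (added example).

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/bin"

# The shim: one log line per invocation, arguments joined by spaces.
# It never touches the kernel; IPCHAINS_LOG is a name chosen here.
cat > "$WORK/bin/ipchains" <<EOF
#!/bin/sh
printf '%s\n' "\$*" >> "\$IPCHAINS_LOG"
EOF
chmod +x "$WORK/bin/ipchains"

# Constructed miniature of the chapter's script: variables, flush, default
# policies, explicit ACCEPT rules, and a logging catch-all DENY at the end.
cat > "$WORK/firewall.good" <<'EOF'
EXTERNAL_INTERFACE="eth0"
IPADDR="198.51.100.3"
ANYWHERE="any/0"
UNPRIVPORTS="1024:65535"
ipchains -F
ipchains -P input DENY
ipchains -P output REJECT
ipchains -P forward REJECT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
         -s $ANYWHERE $UNPRIVPORTS \
         -d $IPADDR 80 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
         -s $IPADDR 80 \
         -d $ANYWHERE $UNPRIVPORTS -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
         -d $IPADDR -j DENY -l
EOF

# The same script with every line-continuation backslash removed, the way
# a listing often arrives after copy-and-paste from a web page.
sed 's/ \\$//' "$WORK/firewall.good" > "$WORK/firewall.broken"

# dry_run SCRIPT LOG: run SCRIPT with the shim shadowing any real ipchains.
dry_run() {
    : > "$2"
    PATH="$WORK/bin:$PATH" IPCHAINS_LOG="$2" sh "$1" 2>/dev/null || true
}

# Review helpers; each reads the recorded log and prints or returns a result.
count_policies() { grep -c '^-P ' "$1" || true; }
count_appended() { grep -c '^-A ' "$1" || true; }
# A rule that never reached "-j" was cut short (lost backslash, typo, ...).
rules_without_target() { grep '^-A ' "$1" | grep -vc -- '-j ' || true; }
# The logging catch-all must stay last so it cannot shadow the ACCEPT rules.
last_rule_is_logged_deny() { tail -n 1 "$1" | grep -q -- '-j DENY -l$'; }

dry_run "$WORK/firewall.good"   "$WORK/good.log"
dry_run "$WORK/firewall.broken" "$WORK/broken.log"
```

Run it with sh on any machine. The broken copy shows why a listing that has lost its continuation backslashes must not be pasted as-is: each ipchains rule is cut off before its -j target, the remaining fragments are executed as separate (nonexistent) commands, and the logging catch-all DENY is no longer the last rule recorded. The same shim technique works for reviewing the chapter's full script, provided the lines that source /etc/rc.d/init.d/functions and write to /proc/sys are also stubbed out or run on the target host.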

Configuring the "/etc/rc.d/init.d/firewall" script for a mail server

Below is the configuration script for our mail server. This configuration allows all traffic on the loopback interface and, by default, ICMP, a DNS server and client (53), an SSH server (22), an SMTP server and client (25), an IMAP server (143) and OUTGOING TRACEROUTE requests.

If you do not need some of the services I enable by default in the file below, comment them out by putting a "#" at the start of the corresponding lines. If you need a service that is commented out, remove the "#" at the start of its lines.

Create the following firewall script file on the mail server (with touch /etc/rc.d/init.d/firewall):

#!/bin/sh

#

# ----------------------------------------------------------------------------

# Last modified by Gerhard Mourani: 02-01-2000

# ----------------------------------------------------------------------------

# Copyright (C) 1997, 1998, 1999 Robert L. Ziegler

#

# Permission to use, copy, modify, and distribute this software and its

# documentation for educational, research, private and non-profit purposes,

# without fee, and without a written agreement is hereby granted.

# This software is provided as an example and basis for individual firewall

# development. This software is provided without warranty.

#

# Any material furnished by Robert L. Ziegler is furnished on an

# "as is" basis. He makes no warranties of any kind, either expressed

# or implied as to any matter including, but not limited to, warranty

# of fitness for a particular purpose, exclusivity or results obtained

# from use of the material.

# ----------------------------------------------------------------------------

#

# Invoked from /etc/rc.d/init.d/firewall.

# chkconfig: - 60 95

# description: Starts and stops the IPCHAINS Firewall

# used to provide Firewall network services.

# Source function library.

. /etc/rc.d/init.d/functions

# Source networking configuration.

. /etc/sysconfig/network

# Check that networking is up.

[ "${NETWORKING}" = "no" ] && exit 0

# See how we were called.

case "$1" in

start)

echo -n "Starting Firewalling Services: "

# Some definitions for easy maintenance.

# ----------------------------------------------------------------------------

# EDIT THESE TO SUIT YOUR SYSTEM AND ISP.

EXTERNAL_INTERFACE="eth0" # whichever you use

LOOPBACK_INTERFACE="lo"

IPADDR="208.164.186.2"

ANYWHERE="any/0"

NAMESERVER_1="208.164.186.1" # Your primary name server

NAMESERVER_2="208.164.186.2" # Your secondary name server

SYSLOG_SERVER="mail.openarch.com" # Your syslog internal server

SYSLOG_CLIENT="208.164.168.0/24" # Your syslog internal client

LOOPBACK="127.0.0.0/8"

CLASS_A="10.0.0.0/8"

CLASS_B="172.16.0.0/12"

CLASS_C="192.168.0.0/16"

CLASS_D_MULTICAST="224.0.0.0/4"

CLASS_E_RESERVED_NET="240.0.0.0/5"

BROADCAST_SRC="0.0.0.0"

BROADCAST_DEST="255.255.255.255"

PRIVPORTS="0:1023"

UNPRIVPORTS="1024:65535"

# ----------------------------------------------------------------------------

# SSH starts at 1023 and works down to 513 for

# each additional simultaneous incoming connection.

SSH_PORTS="1022:1023" # range for SSH privileged ports

# traceroute usually uses -S 32769:65535 -D 33434:33523

TRACEROUTE_SRC_PORTS="32769:65535"

TRACEROUTE_DEST_PORTS="33434:33523"

# ----------------------------------------------------------------------------

# Default policy is DENY

# Explicitly accept desired INCOMING & OUTGOING connections

# Remove all existing rules belonging to this filter

ipchains -F

# Set the default policy of the filter to deny.

ipchains -P input DENY

ipchains -P output REJECT

ipchains -P forward REJECT

# ----------------------------------------------------------------------------

# Enable TCP SYN Cookie Protection

echo 1 >/proc/sys/net/ipv4/tcp_syncookies

# Enable IP spoofing protection

# turn on Source Address Verification

for f in /proc/sys/net/ipv4/conf/*/rp_filter; do

echo 1 > $f

done

# Disable ICMP Redirect Acceptance

for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do

echo 0 > $f

done

# Disable Source Routed Packets

for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do

echo 0 > $f

done

# ----------------------------------------------------------------------------

# LOOPBACK

# Unlimited traffic on the loopback interface.

ipchains -A input -i $LOOPBACK_INTERFACE -j ACCEPT

ipchains -A output -i $LOOPBACK_INTERFACE -j ACCEPT

# ----------------------------------------------------------------------------

# Network Ghouls

# Deny access to jerks

# /etc/rc.d/rc.firewall.blocked contains a list of

# ipchains -A input -i $EXTERNAL_INTERFACE -s address -j DENY

# rules to block from any access.

# Refuse any connection from problem sites

#if [ -f /etc/rc.d/rc.firewall.blocked ]; then

# . /etc/rc.d/rc.firewall.blocked

#fi

# ----------------------------------------------------------------------------

# SPOOFING & BAD ADDRESSES

# Refuse spoofed packets.

# Ignore blatantly illegal source addresses.

# Protect yourself from sending to bad addresses.

# Refuse spoofed packets pretending to be from the external address.

ipchains -A input -i $EXTERNAL_INTERFACE -s $IPADDR -j DENY -l

# Refuse packets claiming to be to or from a Class A private network

ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_A -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -d $CLASS_A -j DENY -l

ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_A -j REJECT -l

ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_A -j REJECT -l

# Refuse packets claiming to be to or from a Class B private network

ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_B -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -d $CLASS_B -j DENY -l

ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_B -j REJECT -l

ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_B -j REJECT -l

# Refuse packets claiming to be to or from a Class C private network

ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_C -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -d $CLASS_C -j DENY -l

ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_C -j REJECT -l

ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_C -j REJECT -l

# Refuse packets claiming to be from the loopback interface

ipchains -A input -i $EXTERNAL_INTERFACE -s $LOOPBACK -j DENY -l

ipchains -A output -i $EXTERNAL_INTERFACE -s $LOOPBACK -j REJECT -l

# Refuse broadcast address SOURCE packets

ipchains -A input -i $EXTERNAL_INTERFACE -s $BROADCAST_DEST -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -d $BROADCAST_SRC -j DENY -l

# Refuse Class D multicast addresses (in.h) (NET-3-HOWTO)

# Multicast is illegal as a source address.

# Multicast uses UDP.

ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_D_MULTICAST -j DENY -l

# Refuse Class E reserved IP addresses

ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_E_RESERVED_NET -j DENY -l

# refuse addresses defined as reserved by the IANA

# 0.*.*.*, 1.*.*.*, 2.*.*.*, 5.*.*.*, 7.*.*.*, 23.*.*.*, 27.*.*.*

# 31.*.*.*, 37.*.*.*, 39.*.*.*, 41.*.*.*, 42.*.*.*, 58-60.*.*.*

# 65-95.*.*.*, 96-126.*.*.*, 197.*.*.*, 201.*.*.* (?), 217-223.*.*.*

ipchains -A input -i $EXTERNAL_INTERFACE -s 1.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 2.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 5.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 7.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 23.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 27.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 31.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 37.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 39.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 41.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 42.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 58.0.0.0/7 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 60.0.0.0/8 -j DENY -l

#65: 01000001 - /3 includes 64 - need 65-79 spelled out

ipchains -A input -i $EXTERNAL_INTERFACE -s 65.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 66.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 67.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 68.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 69.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 70.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 71.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 72.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 73.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 74.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 75.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 76.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 77.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 78.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 79.0.0.0/8 -j DENY -l

#80: 01010000 - /4 masks 80-95

ipchains -A input -i $EXTERNAL_INTERFACE -s 80.0.0.0/4 -j DENY -l

# 96: 01100000 - /4 masks 96-111

ipchains -A input -i $EXTERNAL_INTERFACE -s 96.0.0.0/4 -j DENY -l

#126: 01111110 - /3 includes 127 - need 112-126 spelled out

ipchains -A input -i $EXTERNAL_INTERFACE -s 112.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 113.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 114.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 115.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 116.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 117.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 118.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 119.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 120.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 121.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 122.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 123.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 124.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 125.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 126.0.0.0/8 -j DENY -l

#217: 11011001 - /5 includes 216 - need 217-219 spelled out

ipchains -A input -i $EXTERNAL_INTERFACE -s 217.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 218.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 219.0.0.0/8 -j DENY -l

#223: 11011111 - /6 masks 220-223

ipchains -A input -i $EXTERNAL_INTERFACE -s 220.0.0.0/6 -j DENY -l

# ----------------------------------------------------------------------------

# ICMP

# To prevent denial of service attacks based on ICMP bombs, filter

# incoming Redirect (5) and outgoing Destination Unreachable (3).

# Note, however, disabling Destination Unreachable (3) is not

# advisable, as it is used to negotiate packet fragment size.

# For bi-directional ping.

# Message Types: Echo_Reply (0), Echo_Request (8)

# To prevent attacks, limit the src addresses to your ISP range.

#

# For outgoing traceroute.

# Message Types: INCOMING Dest_Unreachable (3), Time_Exceeded (11)

# default UDP base: 33434 to base+nhops-1

#

# For incoming traceroute.

# Message Types: OUTGOING Dest_Unreachable (3), Time_Exceeded (11)

# To block this, deny OUTGOING 3 and 11

# 0: echo-reply (pong)

# 3: destination-unreachable, port-unreachable, fragmentation-needed, etc.

# 4: source-quench

# 5: redirect

# 8: echo-request (ping)

# 11: time-exceeded

# 12: parameter-problem

ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
    -s $ANYWHERE 0 -d $IPADDR -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
    -s $ANYWHERE 3 -d $IPADDR -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
    -s $ANYWHERE 4 -d $IPADDR -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
    -s $ANYWHERE 11 -d $IPADDR -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
    -s $ANYWHERE 12 -d $IPADDR -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
    -s 208.164.186.0/24 8 -d $IPADDR -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
    -s $IPADDR 0 -d 208.164.186.0/24 -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
    -s $IPADDR 3 -d $ANYWHERE -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
    -s $IPADDR 4 -d $ANYWHERE -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
    -s $IPADDR 8 -d $ANYWHERE -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
    -s $IPADDR 12 -d $ANYWHERE -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
    -s $IPADDR 11 -d 208.164.186.0/24 -j ACCEPT

# ----------------------------------------------------------------------------

# UDP INCOMING TRACEROUTE

# traceroute usually uses -S 32769:65535 -D 33434:33523

ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
    -s 208.164.186.0/24 $TRACEROUTE_SRC_PORTS \
    -d $IPADDR $TRACEROUTE_DEST_PORTS -j ACCEPT -l

ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
    -s $ANYWHERE $TRACEROUTE_SRC_PORTS \
    -d $IPADDR $TRACEROUTE_DEST_PORTS -j DENY -l

# ----------------------------------------------------------------------------

# DNS server

# ----------

# DNS: full server

# server/client to server query or response

ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
    -s $ANYWHERE $UNPRIVPORTS \
    -d $IPADDR 53 -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
    -s $IPADDR 53 \
    -d $ANYWHERE $UNPRIVPORTS -j ACCEPT

# DNS client (53)

# ---------------

ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
    -s $NAMESERVER_1 53 \
    -d $IPADDR $UNPRIVPORTS -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
    -s $IPADDR $UNPRIVPORTS \
    -d $NAMESERVER_1 53 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
    -s $NAMESERVER_1 53 \
    -d $IPADDR $UNPRIVPORTS -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR $UNPRIVPORTS \
    -d $NAMESERVER_1 53 -j ACCEPT

# ----------------------------------------------------------------------------

# TCP accept only on selected ports

# ---------------------------------

# ------------------------------------------------------------------

# SSH server (22)

# ---------------

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
    -s $ANYWHERE $UNPRIVPORTS \
    -d $IPADDR 22 -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
    -s $IPADDR 22 \
    -d $ANYWHERE $UNPRIVPORTS -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
    -s $ANYWHERE $SSH_PORTS \
    -d $IPADDR 22 -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
    -s $IPADDR 22 \
    -d $ANYWHERE $SSH_PORTS -j ACCEPT

# SSH client (22)

# ---------------

# ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
#     -s $ANYWHERE 22 \
#     -d $IPADDR $UNPRIVPORTS -j ACCEPT

# ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
#     -s $IPADDR $UNPRIVPORTS \
#     -d $ANYWHERE 22 -j ACCEPT

# ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
#     -s $ANYWHERE 22 \
#     -d $IPADDR $SSH_PORTS -j ACCEPT

# ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
#     -s $IPADDR $SSH_PORTS \
#     -d $ANYWHERE 22 -j ACCEPT

# ------------------------------------------------------------------

# AUTH server (113)

# -----------------

# Reject, rather than deny, the incoming auth port. (NET-3-HOWTO)

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
    -s $ANYWHERE \
    -d $IPADDR 113 -j REJECT

# ------------------------------------------------------------------

# SYSLOG server (514)

# -----------------

# Provides full remote logging. Using this feature you're able to

# control all syslog messages on one host.

# ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
#     -s $SYSLOG_CLIENT \
#     -d $IPADDR 514 -j ACCEPT

# SYSLOG client (514)

# -----------------

# ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
#     -s $IPADDR 514 \
#     -d $SYSLOG_SERVER 514 -j ACCEPT

# ------------------------------------------------------------------

# SMTP server (25)

# ----------------

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
    -s $ANYWHERE $UNPRIVPORTS \
    -d $IPADDR 25 -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
    -s $IPADDR 25 \
    -d $ANYWHERE $UNPRIVPORTS -j ACCEPT

# SMTP client (25)

# ----------------

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
    -s $ANYWHERE 25 \
    -d $IPADDR $UNPRIVPORTS -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR $UNPRIVPORTS \
    -d $ANYWHERE 25 -j ACCEPT

# ------------------------------------------------------------------

# IMAP server (143)

# -----------------

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
    -s $ANYWHERE $UNPRIVPORTS \
    -d $IPADDR 143 -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
    -s $IPADDR 143 \
    -d $ANYWHERE $UNPRIVPORTS -j ACCEPT

# ------------------------------------------------------------------

# OUTGOING TRACEROUTE

# -------------------

ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
    -s $IPADDR $TRACEROUTE_SRC_PORTS \
    -d $ANYWHERE $TRACEROUTE_DEST_PORTS -j ACCEPT

# ----------------------------------------------------------------------------

# Enable logging for selected denied packets

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
    -d $IPADDR -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
    -d $IPADDR $PRIVPORTS -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
    -d $IPADDR $UNPRIVPORTS -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
    -s $ANYWHERE 5 -d $IPADDR -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
    -s $ANYWHERE 13:255 -d $IPADDR -j DENY -l

# ----------------------------------------------------------------------------

;;

stop)

echo -n "Shutting Firewalling Services: "

# Remove all existing rules belonging to this filter

ipchains -F

# Reset the default policy of the filter to accept.

ipchains -P input ACCEPT

ipchains -P output ACCEPT

ipchains -P forward ACCEPT

# Reset TCP SYN Cookie Protection to off.

echo 0 >/proc/sys/net/ipv4/tcp_syncookies

# Reset IP spoofing protection to off.

# turn on Source Address Verification

for f in /proc/sys/net/ipv4/conf/*/rp_filter; do

echo 0 > $f

done

# Reset ICMP Redirect Acceptance to on.

for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do

echo 1 > $f

done

# Reset Source Routed Packets to on.

for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do

echo 1 > $f

done

;;

status)

echo -n "Now do you show firewalling stats?"

;;

restart|reload)

$0 stop

$0 start

;;

*)

echo "Usage: firewall {start|stop|status|restart|reload}"

exit 1

esac

Now make the script file executable and change its default permissions:

[root@deep]# chmod 700 /etc/rc.d/init.d/firewall

[root@deep]# chown 0.0 /etc/rc.d/init.d/firewall

Create the symbolic links from the rc.d directories to the firewall file:

[root@deep]# chkconfig --add firewall

[root@deep]# chkconfig --level 345 firewall on

The firewall rules are now configured through System V init (which is responsible for starting all the normal programs that must run during system boot), and the script will be executed automatically when the server restarts.

To stop the firewall manually, use the command:

[root@deep]# /etc/rc.d/init.d/firewall stop

To start the firewall manually, use the command:

[root@deep]# /etc/rc.d/init.d/firewall start
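The rules that refuse IANA-reserved source addresses spell some first octets out as separate /8 rules and mask others (80.0.0.0/4 for 80-95), for the reason the script's comments give: a coarser prefix such as 64.0.0.0/3 would also drop 64.x.x.x, which is not on the list. The following Python audit is an added example and not part of the firewall script: it extracts the literal `-s X/N -j DENY` rules from script text, maps each to the first octets it drops, and reports both reserved octets no rule covers and octets a rule drops although they are not reserved. `RESERVED_RANGES` is transcribed from the script's own comment (the allocation state of 2000; 0 and the queried 201 are omitted because the rules do not deny them either), and both excerpts are constructed.

```python
"""Audit the 'reserved by the IANA' DENY rules against the ranges they
are meant to cover (added example, not part of the firewall script).

A rule such as '-s 80.0.0.0/4' drops whole first octets. A CIDR block
of 2^k consecutive /8s must start on a multiple of 2^k, so 65-79 cannot
be masked by one prefix without also covering 64; that is why the script
lists them one /8 at a time. This audit makes that reasoning checkable
and flags either a gap or an over-block.
"""
import re

# First-octet ranges transcribed from the script's comment block
# ("1.*.*.*, 2.*.*.*, ... 217-223.*.*.*"), i.e. the allocation state
# of 2000. 0 and 201 (marked "?") are omitted because the rules do not
# deny them either. Refresh this list before reusing the rules.
RESERVED_RANGES = [(1, 2), (5, 5), (7, 7), (23, 23), (27, 27), (31, 31),
                   (37, 37), (39, 39), (41, 42), (58, 60), (65, 126),
                   (197, 197), (217, 223)]

# Matches an input-chain DENY rule with a literal dotted-quad source and
# prefix length. Rules using variables ($CLASS_A, $IPADDR) are skipped.
DENY_RULE = re.compile(
    r"^\s*ipchains\s+-A\s+input\s.*?-s\s+(\d+)\.\d+\.\d+\.\d+/(\d+)\s.*-j\s+DENY")


def first_octets_of(first_octet, prefix_len):
    """Set of first octets wholly covered by <first_octet>.0.0.0/<prefix_len>.

    A prefix longer than /8 covers only part of one first octet, so it
    contributes nothing to whole-octet coverage and yields an empty set.
    """
    if prefix_len > 8:
        return set()
    span = 1 << (8 - prefix_len)          # number of /8s in the block
    base = first_octet & ~(span - 1)      # align to the block's network address
    return set(range(base, base + span))


def denied_first_octets(script_text):
    """First octets wholly dropped by the literal DENY rules in the text."""
    covered = set()
    for line in script_text.splitlines():
        if line.lstrip().startswith("#"):
            continue                      # commented-out rule: no effect
        match = DENY_RULE.match(line)
        if match:
            covered |= first_octets_of(int(match.group(1)), int(match.group(2)))
    return covered


def audit(script_text, reserved_ranges=RESERVED_RANGES):
    """Return (missing, over_blocked) as sorted lists of first octets.

    missing: reserved octets no rule denies; over_blocked: octets a rule
    denies although they are not on the reserved list.
    """
    wanted = set()
    for low, high in reserved_ranges:
        wanted |= set(range(low, high + 1))
    denied = denied_first_octets(script_text)
    return sorted(wanted - denied), sorted(denied - wanted)


# Constructed excerpt reproducing the script's rules for 58-60 and 65-95.
SCRIPT_EXCERPT = "\n".join(
    ["ipchains -A input -i $EXTERNAL_INTERFACE -s 58.0.0.0/7 -j DENY -l",
     "ipchains -A input -i $EXTERNAL_INTERFACE -s 60.0.0.0/8 -j DENY -l"]
    + [f"ipchains -A input -i $EXTERNAL_INTERFACE -s {o}.0.0.0/8 -j DENY -l"
       for o in range(65, 80)]
    + ["#80: 01010000 - /4 masks 80-95",
       "ipchains -A input -i $EXTERNAL_INTERFACE -s 80.0.0.0/4 -j DENY -l"])

# Constructed shortcut the comment warns against: one /3 from 64 covers
# 64-95, so it also drops the unreserved 64.0.0.0/8.
SHORTCUT_EXCERPT = "ipchains -A input -i $EXTERNAL_INTERFACE -s 64.0.0.0/3 -j DENY -l"

if __name__ == "__main__":
    print("script excerpt  :", audit(SCRIPT_EXCERPT, [(58, 60), (65, 95)]))
    print("shortcut excerpt:", audit(SHORTCUT_EXCERPT, [(65, 95)]))
```

Run it against the whole script file (after the variables have been substituted) to see the same check over every reserved range in `RESERVED_RANGES`.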

Configuring the "/etc/rc.d/init.d/firewall" script file for a gateway server

Below is the configuration script file for our gateway server. This configuration allows all traffic on the loopback address and, by default, ICMP, DNS server and client (53), SSH server and client (22), HTTP server and client (80), HTTPS server and client (443), POP client (110), NNTP NEWS client (119), SMTP server and client (25), IMAP server (143), IRC client (6667), ICQ client (4000), FTP client (20, 21), RealAudio/QuickTime client and OUTGOING TRACEROUTE requests.

If you do not need some of the services listed by default in the file below, you can comment the corresponding line out by adding "#" at the beginning of the line. If you need a service that is commented out, just remove the "#" at the beginning of its line. If you have configured IP masquerading on the server, you can uncomment the modules needed to masquerade the corresponding services, such as ip_masq_irc.o, ip_masq_raudio.o and so on.

Create the following firewall script file on the mail server (with touch /etc/rc.d/init.d/firewall):

#!/bin/sh

#

# ----------------------------------------------------------------------------

# Last modified by Gerhard Mourani: 02-01-2000

# ----------------------------------------------------------------------------

# Copyright (C) 1997, 1998, 1999 Robert L. Ziegler

#

# Permission to use, copy, modify, and distribute this software and its

# documentation for educational, research, private and non-profit purposes,

# without fee, and without a written agreement is hereby granted.

# This software is provided as an example and basis for individual firewall

# development. This software is provided without warranty.

#

# Any material furnished by Robert L. Ziegler is furnished on an

# "as is" basis. He makes no warranties of any kind, either expressed

# or implied as to any matter including, but not limited to, warranty

# of fitness for a particular purpose, exclusivity or results obtained

# from use of the material.

# ----------------------------------------------------------------------------

#

# Invoked from /etc/rc.d/init.d/firewall.

# chkconfig: - 60 95

# description: Starts and stops the IPCHAINS Firewall

# used to provide Firewall network services.

# Source function library.

. /etc/rc.d/init.d/functions

# Source networking configuration.

. /etc/sysconfig/network

# Check that networking is up.

[ ${NETWORKING} = "no" ] && exit 0

# See how we were called.

case "$1" in

start)

echo -n "Starting Firewalling Services: "

# Some definitions for easy maintenance.

# ----------------------------------------------------------------------------

# EDIT THESE TO SUIT YOUR SYSTEM AND ISP.

EXTERNAL_INTERFACE="eth0" # whichever you use

LOCAL_INTERFACE_1="eth1" # whichever you use

LOOPBACK_INTERFACE="lo"

IPADDR="208.164.186.1"

LOCALNET_1="192.168.1.0/24" # whatever private range you use

ANYWHERE="any/0"

NAMESERVER_1="208.164.186.1"

NAMESERVER_2="208.164.186.2"

POP_SERVER="pop.videotron.ca" # Your pop external server

NEWS_SERVER="news.videotron.ca" # Your news external server

SYSLOG_SERVER="mail.openarch.com" # Your syslog internal server

LOOPBACK="127.0.0.0/8"

CLASS_A="10.0.0.0/8"

CLASS_B="172.16.0.0/12"

CLASS_C="192.168.0.0/16"

CLASS_D_MULTICAST="224.0.0.0/4"

CLASS_E_RESERVED_NET="240.0.0.0/5"

BROADCAST_SRC="0.0.0.0"

BROADCAST_DEST="255.255.255.255"

PRIVPORTS="0:1023"

UNPRIVPORTS="1024:65535"

# ----------------------------------------------------------------------------

# SSH starts at 1023 and works down to 513 for

# each additional simultaneous incoming connection.

SSH_PORTS="1022:1023" # range for SSH privileged ports

# traceroute usually uses -S 32769:65535 -D 33434:33523

TRACEROUTE_SRC_PORTS="32769:65535"

TRACEROUTE_DEST_PORTS="33434:33523"

# ----------------------------------------------------------------------------

# Default policy is DENY

# Explicitly accept desired INCOMING & OUTGOING connections

# Remove all existing rules belonging to this filter

ipchains -F

# Set the default policy of the filter to deny.

ipchains -P input DENY

ipchains -P output REJECT

ipchains -P forward REJECT

# set masquerade timeout to 10 hours for tcp connections

ipchains -M -S 36000 0 0

# Don't forward fragments. Assemble before forwarding.

ipchains -A output -f -i $LOCAL_INTERFACE_1 -j DENY

# ----------------------------------------------------------------------------

# Enable TCP SYN Cookie Protection

echo 1 >/proc/sys/net/ipv4/tcp_syncookies

# Enable IP spoofing protection

# turn on Source Address Verification

for f in /proc/sys/net/ipv4/conf/*/rp_filter; do

echo 1 > $f

done

# Disable ICMP Redirect Acceptance

for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do

echo 0 > $f

done

# Disable Source Routed Packets

for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do

echo 0 > $f

done

# These modules are necessary to masquerade their respective services.

/sbin/modprobe ip_masq_ftp.o

/sbin/modprobe ip_masq_raudio.o ports=554,7070,7071,6970,6971

/sbin/modprobe ip_masq_irc.o

#/sbin/modprobe ip_masq_vdolive.o

#/sbin/modprobe ip_masq_cuseeme.o

#/sbin/modprobe ip_masq_quake.o

# ----------------------------------------------------------------------------

# LOOPBACK

# Unlimited traffic on the loopback interface.

ipchains -A input -i $LOOPBACK_INTERFACE -j ACCEPT

ipchains -A output -i $LOOPBACK_INTERFACE -j ACCEPT

# ----------------------------------------------------------------------------

# Network Ghouls

# Deny access to jerks

# /etc/rc.d/rc.firewall.blocked contains a list of

# ipchains -A input -i $EXTERNAL_INTERFACE -s address -j DENY

# rules to block from any access.

# Refuse any connection from problem sites

#if [ -f /etc/rc.d/rc.firewall.blocked ]; then

# . /etc/rc.d/rc.firewall.blocked

#fi

# ----------------------------------------------------------------------------

# SPOOFING & BAD ADDRESSES

# Refuse spoofed packets.

# Ignore blatantly illegal source addresses.

# Protect yourself from sending to bad addresses.

# Refuse spoofed packets pretending to be from the external address.

ipchains -A input -i $EXTERNAL_INTERFACE -s $IPADDR -j DENY -l

# Refuse packets claiming to be to or from a Class A private network

ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_A -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -d $CLASS_A -j DENY -l

ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_A -j REJECT -l

ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_A -j REJECT -l

# Refuse packets claiming to be to or from a Class B private network

ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_B -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -d $CLASS_B -j DENY -l

ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_B -j REJECT -l

ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_B -j REJECT -l

# Refuse packets claiming to be to or from a Class C private network

ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_C -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -d $CLASS_C -j DENY -l

ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_C -j REJECT -l

ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_C -j REJECT -l

# Refuse packets claiming to be from the loopback interface

ipchains -A input -i $EXTERNAL_INTERFACE -s $LOOPBACK -j DENY -l

ipchains -A output -i $EXTERNAL_INTERFACE -s $LOOPBACK -j REJECT -l

# Refuse broadcast address SOURCE packets

ipchains -A input -i $EXTERNAL_INTERFACE -s $BROADCAST_DEST -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -d $BROADCAST_SRC -j DENY -l

# Refuse Class D multicast addresses (in.h) (NET-3-HOWTO)

# Multicast is illegal as a source address.

# Multicast uses UDP.

ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_D_MULTICAST -j DENY -l

# Refuse Class E reserved IP addresses

ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_E_RESERVED_NET -j DENY -l

# refuse addresses defined as reserved by the IANA

# 0.*.*.*, 1.*.*.*, 2.*.*.*, 5.*.*.*, 7.*.*.*, 23.*.*.*, 27.*.*.*

# 31.*.*.*, 37.*.*.*, 39.*.*.*, 41.*.*.*, 42.*.*.*, 58-60.*.*.*

# 65-95.*.*.*, 96-126.*.*.*, 197.*.*.*, 201.*.*.* (?), 217-223.*.*.*

ipchains -A input -i $EXTERNAL_INTERFACE -s 1.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 2.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 5.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 7.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 23.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 27.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 31.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 37.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 39.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 41.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 42.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 58.0.0.0/7 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 60.0.0.0/8 -j DENY -l

#65: 01000001 - /3 includes 64 - need 65-79 spelled out

ipchains -A input -i $EXTERNAL_INTERFACE -s 65.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 66.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 67.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 68.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 69.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 70.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 71.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 72.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 73.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 74.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 75.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 76.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 77.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 78.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 79.0.0.0/8 -j DENY -l

#80: 01010000 - /4 masks 80-95

ipchains -A input -i $EXTERNAL_INTERFACE -s 80.0.0.0/4 -j DENY -l

# 96: 01100000 - /4 masks 96-111

ipchains -A input -i $EXTERNAL_INTERFACE -s 96.0.0.0/4 -j DENY -l

#126: 01111110 - /3 includes 127 - need 112-126 spelled out

ipchains -A input -i $EXTERNAL_INTERFACE -s 112.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 113.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 114.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 115.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 116.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 117.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 118.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 119.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 120.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 121.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 122.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 123.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 124.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 125.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 126.0.0.0/8 -j DENY -l

#217: 11011001 - /5 includes 216 - need 217-219 spelled out

ipchains -A input -i $EXTERNAL_INTERFACE -s 217.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 218.0.0.0/8 -j DENY -l

ipchains -A input -i $EXTERNAL_INTERFACE -s 219.0.0.0/8 -j DENY -l

#223: 11011111 - /6 masks 220-223

ipchains -A input -i $EXTERNAL_INTERFACE -s 220.0.0.0/6 -j DENY -l

# ----------------------------------------------------------------------------

# ICMP

# To prevent denial of service attacks based on ICMP bombs, filter

# incoming Redirect (5) and outgoing Destination Unreachable (3).

# Note, however, disabling Destination Unreachable (3) is not

# advisable, as it is used to negotiate packet fragment size.

# For bi-directional ping.

# Message Types: Echo_Reply (0), Echo_Request (8)

# To prevent attacks, limit the src addresses to your ISP range.

#

# For outgoing traceroute.

# Message Types: INCOMING Dest_Unreachable (3), Time_Exceeded (11)

# default UDP base: 33434 to base+nhops-1

#

# For incoming traceroute.

# Message Types: OUTGOING Dest_Unreachable (3), Time_Exceeded (11)

# To block this, deny OUTGOING 3 and 11

# 0: echo-reply (pong)

# 3: destination-unreachable, port-unreachable, fragmentation-needed, etc.

# 4: source-quench

# 5: redirect

# 8: echo-request (ping)

# 11: time-exceeded

# 12: parameter-problem

ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
    -s $ANYWHERE 0 -d $IPADDR -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
    -s $ANYWHERE 3 -d $IPADDR -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
    -s $ANYWHERE 4 -d $IPADDR -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
    -s $ANYWHERE 11 -d $IPADDR -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
    -s $ANYWHERE 12 -d $IPADDR -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
    -s 208.164.186.0/24 8 -d $IPADDR -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
    -s $IPADDR 0 -d 208.164.186.0/24 -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
    -s $IPADDR 3 -d $ANYWHERE -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
    -s $IPADDR 4 -d $ANYWHERE -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
    -s $IPADDR 8 -d $ANYWHERE -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
    -s $IPADDR 12 -d $ANYWHERE -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
    -s $IPADDR 11 -d 208.164.186.0/24 -j ACCEPT

# ----------------------------------------------------------------------------

# UDP INCOMING TRACEROUTE

# traceroute usually uses -S 32769:65535 -D 33434:33523

ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
    -s 208.164.186.0/24 $TRACEROUTE_SRC_PORTS \
    -d $IPADDR $TRACEROUTE_DEST_PORTS -j ACCEPT -l

ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
    -s $ANYWHERE $TRACEROUTE_SRC_PORTS \
    -d $IPADDR $TRACEROUTE_DEST_PORTS -j DENY -l

# ----------------------------------------------------------------------------

# DNS server

# ----------

# DNS: full server

# server/client to server query or response

ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
    -s $ANYWHERE $UNPRIVPORTS \
    -d $IPADDR 53 -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
    -s $IPADDR 53 \
    -d $ANYWHERE $UNPRIVPORTS -j ACCEPT

# DNS client (53)

# ---------------

ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
    -s $NAMESERVER_1 53 \
    -d $IPADDR $UNPRIVPORTS -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
    -s $IPADDR $UNPRIVPORTS \
    -d $NAMESERVER_1 53 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
    -s $NAMESERVER_1 53 \
    -d $IPADDR $UNPRIVPORTS -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR $UNPRIVPORTS \
    -d $NAMESERVER_1 53 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
    -s $NAMESERVER_2 53 \
    -d $IPADDR $UNPRIVPORTS -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
    -s $IPADDR $UNPRIVPORTS \
    -d $NAMESERVER_2 53 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
    -s $NAMESERVER_2 53 \
    -d $IPADDR $UNPRIVPORTS -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR $UNPRIVPORTS \
    -d $NAMESERVER_2 53 -j ACCEPT

# ----------------------------------------------------------------------------

# TCP accept only on selected ports

# ---------------------------------

# ------------------------------------------------------------------

# SSH server (22)

# ---------------

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
    -s $ANYWHERE $UNPRIVPORTS \
    -d $IPADDR 22 -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
    -s $IPADDR 22 \
    -d $ANYWHERE $UNPRIVPORTS -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
    -s $ANYWHERE $SSH_PORTS \
    -d $IPADDR 22 -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
    -s $IPADDR 22 \
    -d $ANYWHERE $SSH_PORTS -j ACCEPT

# SSH client (22)

# ---------------

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
    -s $ANYWHERE 22 \
    -d $IPADDR $UNPRIVPORTS -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR $UNPRIVPORTS \
    -d $ANYWHERE 22 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
    -s $ANYWHERE 22 \
    -d $IPADDR $SSH_PORTS -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR $SSH_PORTS \
    -d $ANYWHERE 22 -j ACCEPT

# ------------------------------------------------------------------

# HTTP client (80)

# ----------------

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
    -s $ANYWHERE 80 \
    -d $IPADDR $UNPRIVPORTS -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR $UNPRIVPORTS \
    -d $ANYWHERE 80 -j ACCEPT

# ------------------------------------------------------------------

# HTTPS client (443)

# ------------------

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
    -s $ANYWHERE 443 \
    -d $IPADDR $UNPRIVPORTS -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR $UNPRIVPORTS \
    -d $ANYWHERE 443 -j ACCEPT

# ------------------------------------------------------------------

# POP client (110)

# ----------------

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
    -s $POP_SERVER 110 \
    -d $IPADDR $UNPRIVPORTS -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR $UNPRIVPORTS \
    -d $POP_SERVER 110 -j ACCEPT

# ------------------------------------------------------------------

# NNTP NEWS client (119)

# ----------------------

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
    -s $NEWS_SERVER 119 \
    -d $IPADDR $UNPRIVPORTS -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR $UNPRIVPORTS \
    -d $NEWS_SERVER 119 -j ACCEPT

# ------------------------------------------------------------------

# FINGER client (79)

# ------------------

# ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
#     -s $ANYWHERE 79 \
#     -d $IPADDR $UNPRIVPORTS -j ACCEPT

# ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
#     -s $IPADDR $UNPRIVPORTS \
#     -d $ANYWHERE 79 -j ACCEPT

# ------------------------------------------------------------------

# SYSLOG client (514)

# -----------------

# ipchains -A output -i $LOCAL_INTERFACE_1 -p udp \
#     -s $IPADDR 514 \
#     -d $SYSLOG_SERVER 514 -j ACCEPT

# ------------------------------------------------------------------

# AUTH server (113)

# -----------------

# Reject, rather than deny, the incoming auth port. (NET-3-HOWTO)

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
    -s $ANYWHERE \
    -d $IPADDR 113 -j REJECT

# AUTH client (113)

# -----------------

# ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
#     -s $ANYWHERE 113 \
#     -d $IPADDR $UNPRIVPORTS -j ACCEPT

# ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
#     -s $IPADDR $UNPRIVPORTS \
#     -d $ANYWHERE 113 -j ACCEPT

# ------------------------------------------------------------------

# SMTP client (25)

# ----------------

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
    -s $ANYWHERE 25 \
    -d $IPADDR $UNPRIVPORTS -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR $UNPRIVPORTS \
    -d $ANYWHERE 25 -j ACCEPT

# ------------------------------------------------------------------

# IRC client (6667)

# -----------------

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
    -s $ANYWHERE 6667 \
    -d $IPADDR $UNPRIVPORTS -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR $UNPRIVPORTS \
    -d $ANYWHERE 6667 -j ACCEPT

# ------------------------------------------------------------------

# ICQ client (4000)

# -----------------

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
    -s $ANYWHERE 2000:4000 \
    -d $IPADDR $UNPRIVPORTS -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR $UNPRIVPORTS \
    -d $ANYWHERE 2000:4000 -j ACCEPT

ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
    -s $ANYWHERE 4000 \
    -d $IPADDR $UNPRIVPORTS -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
    -s $IPADDR $UNPRIVPORTS \
    -d $ANYWHERE 4000 -j ACCEPT

# ------------------------------------------------------------------

# FTP client (20, 21)

# -------------------

# outgoing request

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
    -s $ANYWHERE 21 \
    -d $IPADDR $UNPRIVPORTS -j ACCEPT

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR $UNPRIVPORTS \
    -d $ANYWHERE 21 -j ACCEPT

# NORMAL mode data channel

ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
    -s $ANYWHERE 20 \
    -d $IPADDR $UNPRIVPORTS -j ACCEPT

# NORMAL mode data channel responses

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
    -s $IPADDR $UNPRIVPORTS \
    -d $ANYWHERE 20 -j ACCEPT

# PASSIVE mode data channel creation

ipchains -A output -i $EXTERNAL_INTERFACE -p tcp

-

 
 
 