欢迎光临
我们一直在努力

第七章 网络防火墙(二)-网管专栏,安全与管理

建站超值云服务器,限时71元/月

防火墙脚本文件

使用ipchains 可以建立防火墙,使用ip伪装等等。ipchains 与系统核心交互,并告诉内核过滤哪些数据包。因此所有的防火墙设置都保存在内核中,在系统重新启动时就丢掉了。

为了避免出现这种情况,我们推荐使用 system v(系统v)的init 脚本来使安全策略永远有效。要达到这个目的,就应该象下面的例子一样,为每一个服务器在 “/etc/rc.d/init.d”下创建一个防火墙脚本文件。为了保险起见,每一个服务器提供不同的服务,并使用不同的防火墙配置。由于这个原因,我们提供了一系列不同的防火墙配置,你可以对它们进行测试并修改成自己所需要的样子。同时,我们也假设你具有关于过滤型防火墙和防火墙规定工作过程的最基本知识。

为web服务器配置“/etc/rc.d/init.d/firewall”脚本文件

下面是用于我们web服务器的配置脚本文件。这个配置允许在回馈网卡上的所有流量,缺省情况下是icmp ,dns 缓存(caching)和客户服务器(53),ssh服务器(22),http服务器(80),https 服务器(443),smtp 客户机(25),ftp 服务器(20,21)和outgoing traceroute请求(用于了解在访问某个地址过程中出现的错误—-译者注)。

如果不需要我在下面文件中缺省列出的某些服务,你可以用行开头加“#”来注释掉该行。如果需要某些被注释掉的服务,去掉该行开头的“#”就可以了。

请在web服务器上创建如下的防火墙脚本文件(用 touch /etc/rc.d/init.d/firewall ):

#!/bin/sh
#
# —————————————————————————-
# last modified by gerhard mourani: 02-01-2000
# —————————————————————————-
# copyright (c) 1997, 1998, 1999 robert l. ziegler
#
# permission to use, copy, modify, and distribute this software and its
# documentation for educational, research, private and non-profit purposes,
# without fee, and without a written agreement is hereby granted.
# this software is provided as an example and basis for individual firewall
# development. this software is provided without warranty.
#
# any material furnished by robert l. ziegler is furnished on an
# “as is” basis. he makes no warranties of any kind, either expressed
# or implied as to any matter including, but not limited to, warranty
# of fitness for a particular purpose, exclusivity or results obtained
# from use of the material.
# —————————————————————————-
#
# invoked from /etc/rc.d/init.d/firewall.
# chkconfig: – 60 95
# description: starts and stops the ipchains firewall
# used to provide firewall network services.
# source function library.
. /etc/rc.d/init.d/functions
# source networking configuration.
. /etc/sysconfig/network
# check that networking is up.
[ ${networking} = “no” ] && exit 0
# see how we were called.
case “$1” in
start)
echo -n “starting firewalling services: ”
# some definitions for easy maintenance.
# —————————————————————————-
# edit these to suit your system and isp.
external_interface=”eth0″ # whichever you use
loopback_interface=”lo”
ipaddr=”208.164.186.3″
anywhere=”any/0″
nameserver_1=”208.164.186.1″ # your primary name server
nameserver_2=”208.164.186.2″ # your secondary name server
smtp_server=”mail.openarch.com” # your mail hub server.
syslog_server=”mail.openarch.com” # your syslog internal server
syslog_client=”208.164.168.0/24″ # your syslog internal client
loopback=”127.0.0.0/8″
class_a=”10.0.0.0/8″
class_b=”172.16.0.0/12″
class_c=”192.168.0.0/16″
class_d_multicast=”224.0.0.0/4″
class_e_reserved_net=”240.0.0.0/5″
broadcast_src=”0.0.0.0″
broadcast_dest=”255.255.255.255″
privports=”0:1023″
unprivports=”1024:65535″
# —————————————————————————-
# ssh starts at 1023 and works down to 513 for
# each additional simultaneous incoming connection.
ssh_ports=”1022:1023″ # range for ssh privileged ports
# traceroute usually uses -s 32769:65535 -d 33434:33523
traceroute_src_ports=”32769:65535″
traceroute_dest_ports=”33434:33523″
# —————————————————————————-
# default policy is deny
# explicitly accept desired incoming & outgoing connections
# remove all existing rules belonging to this filter
ipchains -f
# set the default policy of the filter to deny.
ipchains -p input deny
ipchains -p output reject
ipchains -p forward reject
# —————————————————————————-
# enable tcp syn cookie protection
echo 1 >/proc/sys/net/ipv4/tcp_syncookies
# enable ip spoofing protection
# turn on source address verification
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done
# disable icmp redirect acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo 0 > $f
done
# disable source routed packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 0 > $f
done
# —————————————————————————-
# loopback
# unlimited traffic on the loopback interface.
ipchains -a input -i $loopback_interface -j accept
ipchains -a output -i $loopback_interface -j accept
# —————————————————————————-
# network ghouls
# deny access to jerks
# /etc/rc.d/rc.firewall.blocked contains a list of
# ipchains -a input -i $external_interface -s address -j deny
# rules to block from any access.
# refuse any connection from problem sites
#if [ -f /etc/rc.d/rc.firewall.blocked ]; then
# . /etc/rc.d/rc.firewall.blocked
#fi
# —————————————————————————-
# spoofing & bad addresses
# refuse spoofed packets.
# ignore blatantly illegal source addresses.
# protect yourself from sending to bad addresses.
# refuse spoofed packets pretending to be from the external address.
ipchains -a input -i $external_interface -s $ipaddr -j deny -l
# refuse packets claiming to be to or from a class a private network
ipchains -a input -i $external_interface -s $class_a -j deny -l
ipchains -a input -i $external_interface -d $class_a -j deny -l
ipchains -a output -i $external_interface -s $class_a -j reject -l
ipchains -a output -i $external_interface -d $class_a -j reject -l
# refuse packets claiming to be to or from a class b private network
ipchains -a input -i $external_interface -s $class_b -j deny -l
ipchains -a input -i $external_interface -d $class_b -j deny -l
ipchains -a output -i $external_interface -s $class_b -j reject -l
ipchains -a output -i $external_interface -d $class_b -j reject -l
# refuse packets claiming to be to or from a class c private network
ipchains -a input -i $external_interface -s $class_c -j deny -l
ipchains -a input -i $external_interface -d $class_c -j deny -l
ipchains -a output -i $external_interface -s $class_c -j reject –l
ipchains -a output -i $external_interface -d $class_c -j reject -l
# refuse packets claiming to be from the loopback interface
ipchains -a input -i $external_interface -s $loopback -j deny -l
ipchains -a output -i $external_interface -s $loopback -j reject -l
# refuse broadcast address source packets
ipchains -a input -i $external_interface -s $broadcast_dest -j deny -l
ipchains -a input -i $external_interface -d $broadcast_src -j deny -l
# refuse class d multicast addresses (in.h) (net-3-howto)
# multicast is illegal as a source address.
# multicast uses udp.
ipchains -a input -i $external_interface -s $class_d_multicast -j deny -l
# refuse class e reserved ip addresses
ipchains -a input -i $external_interface -s $class_e_reserved_net -j deny -l
# refuse addresses defined as reserved by the iana
# 0.*.*.*, 1.*.*.*, 2.*.*.*, 5.*.*.*, 7.*.*.*, 23.*.*.*, 27.*.*.*
# 31.*.*.*, 37.*.*.*, 39.*.*.*, 41.*.*.*, 42.*.*.*, 58-60.*.*.*
# 65-95.*.*.*, 96-126.*.*.*, 197.*.*.*, 201.*.*.* (?), 217-223.*.*.*
ipchains -a input -i $external_interface -s 1.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 2.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 5.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 7.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 23.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 27.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 31.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 37.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 39.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 41.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 42.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 58.0.0.0/7 -j deny -l
ipchains -a input -i $external_interface -s 60.0.0.0/8 -j deny -l
#65: 01000001 – /3 includes 64 – need 65-79 spelled out
ipchains -a input -i $external_interface -s 65.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 66.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 67.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 68.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 69.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 70.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 71.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 72.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 73.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 74.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 75.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 76.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 77.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 78.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 79.0.0.0/8 -j deny -l
#80: 01010000 – /4 masks 80-95
ipchains -a input -i $external_interface -s 80.0.0.0/4 -j deny -l
# 96: 01100000 – /4 makses 96-111
ipchains -a input -i $external_interface -s 96.0.0.0/4 -j deny -l
#126: 01111110 – /3 includes 127 – need 112-126 spelled out
ipchains -a input -i $external_interface -s 112.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 113.0.0.0/8 -j deny –l
ipchains -a input -i $external_interface -s 114.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 115.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 116.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 117.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 118.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 119.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 120.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 121.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 122.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 123.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 124.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 125.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 126.0.0.0/8 -j deny -l
#217: 11011001 – /5 includes 216 – need 217-219 spelled out
ipchains -a input -i $external_interface -s 217.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 218.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 219.0.0.0/8 -j deny -l
#223: 11011111 – /6 masks 220-223
ipchains -a input -i $external_interface -s 220.0.0.0/6 -j deny -l
# —————————————————————————-
# icmp
# to prevent denial of service attacks based on icmp bombs, filter
# incoming redirect (5) and outgoing destination unreachable (3).
# note, however, disabling destination unreachable (3) is not
# advisable, as it is used to negotiate packet fragment size.
# for bi-directional ping.
# message types: echo_reply (0), echo_request (8)
# to prevent attacks, limit the src addresses to your isp range.
#
# for outgoing traceroute.
# message types: incoming dest_unreachable (3), time_exceeded (11)
# default udp base: 33434 to base+nhops-1
#
# for incoming traceroute.
# message types: outgoing dest_unreachable (3), time_exceeded (11)
# to block this, deny outgoing 3 and 11
# 0: echo-reply (pong)
# 3: destination-unreachable, port-unreachable, fragmentation-needed, etc.
# 4: source-quench
# 5: redirect
# 8: echo-request (ping)
# 11: time-exceeded
# 12: parameter-problem
ipchains -a input -i $external_interface -p icmp
-s $anywhere 0 -d $ipaddr -j accept
ipchains -a input -i $external_interface -p icmp
-s $anywhere 3 -d $ipaddr -j accept
ipchains -a input -i $external_interface -p icmp
-s $anywhere 4 -d $ipaddr -j accept
ipchains -a input -i $external_interface -p icmp
-s $anywhere 11 -d $ipaddr -j accept
ipchains -a input -i $external_interface -p icmp
-s $anywhere 12 -d $ipaddr -j accept
ipchains -a input -i $external_interface -p icmp
-s 208.164.186.0/24 8 -d $ipaddr -j accept
ipchains -a output -i $external_interface -p icmp
-s $ipaddr 0 -d 208.164.186.0/24 -j accept
ipchains -a output -i $external_interface -p icmp
-s $ipaddr 3 -d $anywhere -j accept
ipchains -a output -i $external_interface -p icmp
-s $ipaddr 4 -d $anywhere -j accept
ipchains -a output -i $external_interface -p icmp
-s $ipaddr 8 -d $anywhere -j accept
ipchains -a output -i $external_interface -p icmp
-s $ipaddr 12 -d $anywhere -j accept
ipchains -a output -i $external_interface -p icmp
-s $ipaddr 11 -d 208.164.186.0/24 -j accept
# —————————————————————————-
# udp incoming traceroute
# traceroute usually uses -s 32769:65535 -d 33434:33523
ipchains -a input -i $external_interface -p udp
-s 208.164.186.0/24 $traceroute_src_ports
-d $ipaddr $traceroute_dest_ports -j accept -l
ipchains -a input -i $external_interface -p udp
-s $anywhere $traceroute_src_ports
-d $ipaddr $traceroute_dest_ports -j deny -l
# —————————————————————————-
# dns server
# ———-
# dns forwarding, caching only nameserver (53)
# ——————————————–
# server to server query or response
# caching only name server only requires udp, not tcp
ipchains -a input -i $external_interface -p udp
-s $nameserver_1 53
-d $ipaddr 53 -j accept
ipchains -a output -i $external_interface -p udp
-s $ipaddr 53
-d $nameserver_1 53 -j accept
ipchains -a input -i $external_interface -p udp
-s $nameserver_2 53
-d $ipaddr 53 -j accept
ipchains -a output -i $external_interface -p udp
-s $ipaddr 53
-d $nameserver_2 53 -j accept
# dns client (53)
# —————
ipchains -a input -i $external_interface -p udp
-s $nameserver_1 53
-d $ipaddr $unprivports -j accept
ipchains -a output -i $external_interface -p udp
-s $ipaddr $unprivports
-d $nameserver_1 53 -j accept
ipchains -a input -i $external_interface -p tcp ! -y
-s $nameserver_1 53
-d $ipaddr $unprivports -j accept
ipchains -a output -i $external_interface -p tcp
-s $ipaddr $unprivports
-d $nameserver_1 53 -j accept
ipchains -a input -i $external_interface -p udp
-s $nameserver_2 53
-d $ipaddr $unprivports -j accept
ipchains -a output -i $external_interface -p udp
-s $ipaddr $unprivports
-d $nameserver_2 53 -j accept
ipchains -a input -i $external_interface -p tcp ! -y
-s $nameserver_2 53
-d $ipaddr $unprivports -j accept
ipchains -a output -i $external_interface -p tcp
-s $ipaddr $unprivports
-d $nameserver_2 53 -j accept
# —————————————————————————-
# tcp accept only on selected ports
# ———————————
# ——————————————————————
# ssh server (22)
# —————
ipchains -a input -i $external_interface -p tcp
-s $anywhere $unprivports
-d $ipaddr 22 -j accept
ipchains -a output -i $external_interface -p tcp ! -y
-s $ipaddr 22
-d $anywhere $unprivports -j accept
ipchains -a input -i $external_interface -p tcp
-s $anywhere $ssh_ports
-d $ipaddr 22 -j accept
ipchains -a output -i $external_interface -p tcp ! -y
-s $ipaddr 22
-d $anywhere $ssh_ports -j accept
# ssh client (22)
# —————
# ipchains -a input -i $external_interface -p tcp ! -y
# -s $anywhere 22
# -d $ipaddr $unprivports -j accept
# ipchains -a output -i $external_interface -p tcp
# -s $ipaddr $unprivports
# -d $anywhere 22 -j accept
# ipchains -a input -i $external_interface -p tcp ! -y
# -s $anywhere 22
# -d $ipaddr $ssh_ports -j accept
# ipchains -a output -i $external_interface -p tcp
# -s $ipaddr $ssh_ports
# -d $anywhere 22 -j accept
# ——————————————————————
# http server (80)
# —————-
ipchains -a input -i $external_interface -p tcp
-s $anywhere $unprivports
-d $ipaddr 80 -j accept
ipchains -a output -i $external_interface -p tcp ! -y
-s $ipaddr 80
-d $anywhere $unprivports -j accept
# ——————————————————————
# https server (443)
# ——————
ipchains -a input -i $external_interface -p tcp
-s $anywhere $unprivports
-d $ipaddr 443 -j accept
ipchains -a output -i $external_interface -p tcp ! -y
-s $ipaddr 443
-d $anywhere $unprivports -j accept
# ——————————————————————
# syslog server (514)
# —————–
# provides full remote logging. using this feature youre able to
# control all syslog messages on one host.
# ipchains -a input -i $external_interface -p udp
# -s $syslog_client
# -d $ipaddr 514 -j accept
# syslog client (514)
# —————–
# ipchains -a output -i $external_interface -p udp
# -s $ipaddr 514
# -d $syslog_server 514 -j accept
# ——————————————————————
# auth server (113)
# —————–
# reject, rather than deny, the incoming auth port. (net-3-howto)
ipchains -a input -i $external_interface -p tcp
-s $anywhere
-d $ipaddr 113 -j reject
# ——————————————————————
# smtp client (25)
# —————-
ipchains -a input -i $external_interface -p tcp ! -y
-s $smtp_server 25
-d $ipaddr $unprivports -j accept
ipchains -a output -i $external_interface -p tcp
-s $ipaddr $unprivports
-d $smtp_server 25 -j accept
# ——————————————————————
# ftp server (20, 21)
# ——————-
# incoming request
ipchains -a input -i $external_interface -p tcp
-s $anywhere $unprivports
-d $ipaddr 21 -j accept
ipchains -a output -i $external_interface -p tcp ! -y
-s $ipaddr 21
-d $anywhere $unprivports -j accept
# port mode data channel responses
#
ipchains -a input -i $external_interface -p tcp ! -y
-s $anywhere $unprivports
-d $ipaddr 20 -j accept
ipchains -a output -i $external_interface -p tcp
-s $ipaddr 20
-d $anywhere $unprivports -j accept
# passive mode data channel responses
ipchains -a input -i $external_interface -p tcp
-s $anywhere $unprivports
-d $ipaddr $unprivports -j accept
ipchains -a output -i $external_interface -p tcp ! -y
-s $ipaddr $unprivports
-d $anywhere $unprivports -j accept
# ——————————————————————
# outgoing traceroute
# ——————-
ipchains -a output -i $external_interface -p udp
-s $ipaddr $traceroute_src_ports
-d $anywhere $traceroute_dest_ports -j accept
# —————————————————————————-
# enable logging for selected denied packets
ipchains -a input -i $external_interface -p tcp
-d $ipaddr -j deny -l
ipchains -a input -i $external_interface -p udp
-d $ipaddr $privports -j deny -l
ipchains -a input -i $external_interface -p udp
-d $ipaddr $unprivports -j deny -l
ipchains -a input -i $external_interface -p icmp
-s $anywhere 5 -d $ipaddr -j deny -l
ipchains -a input -i $external_interface -p icmp
-s $anywhere 13:255 -d $ipaddr -j deny -l
# —————————————————————————-
;;
stop)
echo -n “shutting firewalling services: ”
# remove all existing rules belonging to this filter
ipchains -f
# reset the default policy of the filter to accept.
ipchains -p input accept
ipchains -p output accept
ipchains -p forward accept
# reset tcp syn cookie protection to off.
echo 0 >/proc/sys/net/ipv4/tcp_syncookies
# reset ip spoofing protection to off.
# turn on source address verification
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 0 > $f
done
# reset icmp redirect acceptance to on.
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo 1 > $f
done
# reset source routed packets to on.
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 1 > $f
done
;;
status)
echo -n “now do you show firewalling stats?”
;;
restart|reload)
$0 stop
$0 start
;;
*)
echo “usage: firewall {start|stop|status|restart|reload}”
exit 1
esac

现在,让这个脚本文件成为可执行的,并改变它的缺省权限:

[root@deep]# chmod 700 /etc/rc.d/init.d/firewall
[root@deep]# chown 0.0 /etc/rc.d/init.d/firewall

创建防火墙文件与rc.d的符号链接:

[root@deep]# chkconfig –add firewall
[root@deep]# chkconfig –level 345 firewall on

现在,防火墙规则就通过使用系统v的init 配置好了(系统v的init 负责启动所有在系统引导阶段需要运行的普通程序),并且它会在服务器重起时自动执行。

要手工停止防火墙,用命令:

[root@deep]# /etc/rc.d/init.d/firewall stop

要手工运行防火墙,用命令:

[root@deep]# /etc/rc.d/init.d/firewall start

为邮件服务器配置“/etc/rc.d/init.d/firewall”脚本文件

下面是用于我们邮件服务器的配置脚本文件。这个配置允许在回馈网卡上的所有流量,缺省情况下是icmp ,dns服务器和客户机(53),ssh服务器(22),smtp 服务器和客户机(25),imap 服务器(143)和outgoing traceroute请求。

如果你不需要我在下面文件中缺省列出的某些服务,可以用行开头加“#”来注释掉该行。如果需要那些被注释掉的服务,去掉该行开头的“#”就可以了。

请在邮件服务器上创建如下的防火墙脚本文件(用 touch /etc/rc.d/init.d/firewall ):

#!/bin/sh
#
# —————————————————————————-
# last modified by gerhard mourani: 02-01-2000
# —————————————————————————-
# copyright (c) 1997, 1998, 1999 robert l. ziegler
#
# permission to use, copy, modify, and distribute this software and its
# documentation for educational, research, private and non-profit purposes,
# without fee, and without a written agreement is hereby granted.
# this software is provided as an example and basis for individual firewall
# development. this software is provided without warranty.
#
# any material furnished by robert l. ziegler is furnished on an
# “as is” basis. he makes no warranties of any kind, either expressed
# or implied as to any matter including, but not limited to, warranty
# of fitness for a particular purpose, exclusivity or results obtained
# from use of the material.
# —————————————————————————-
#
# invoked from /etc/rc.d/init.d/firewall.
# chkconfig: – 60 95
# description: starts and stops the ipchains firewall
# used to provide firewall network services.
# source function library.
. /etc/rc.d/init.d/functions
# source networking configuration.
. /etc/sysconfig/network
# check that networking is up.
[ ${networking} = “no” ] && exit 0
# see how we were called.
case “$1” in
start)
echo -n “starting firewalling services: ”
# some definitions for easy maintenance.
# —————————————————————————-
# edit these to suit your system and isp.
external_interface=”eth0″ # whichever you use
loopback_interface=”lo”
ipaddr=”208.164.186.2″
anywhere=”any/0″
nameserver_1=”208.164.186.1″ # your primary name server
nameserver_2=”208.164.186.2″ # your secondary name server
syslog_server=”mail.openarch.com” # your syslog internal server
syslog_client=”208.164.168.0/24″ # your syslog internal client
loopback=”127.0.0.0/8″
class_a=”10.0.0.0/8″
class_b=”172.16.0.0/12″
class_c=”192.168.0.0/16″
class_d_multicast=”224.0.0.0/4″
class_e_reserved_net=”240.0.0.0/5″
broadcast_src=”0.0.0.0″
broadcast_dest=”255.255.255.255″
privports=”0:1023″
unprivports=”1024:65535″
# —————————————————————————-
# ssh starts at 1023 and works down to 513 for
# each additional simultaneous incoming connection.
ssh_ports=”1022:1023″ # range for ssh privileged ports
# traceroute usually uses -s 32769:65535 -d 33434:33523
traceroute_src_ports=”32769:65535″
traceroute_dest_ports=”33434:33523″
# —————————————————————————-
# default policy is deny
# explicitly accept desired incoming & outgoing connections
# remove all existing rules belonging to this filter
ipchains -f
# set the default policy of the filter to deny.
ipchains -p input deny
ipchains -p output reject
ipchains -p forward reject
# —————————————————————————-
# enable tcp syn cookie protection
echo 1 >/proc/sys/net/ipv4/tcp_syncookies
# enable ip spoofing protection
# turn on source address verification
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done
# disable icmp redirect acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo 0 > $f
done
# disable source routed packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 0 > $f
done
# —————————————————————————-
# loopback
# unlimited traffic on the loopback interface.
ipchains -a input -i $loopback_interface -j accept
ipchains -a output -i $loopback_interface -j accept
# —————————————————————————-
# network ghouls
# deny access to jerks
# /etc/rc.d/rc.firewall.blocked contains a list of
# ipchains -a input -i $external_interface -s address -j deny
# rules to block from any access.
# refuse any connection from problem sites
#if [ -f /etc/rc.d/rc.firewall.blocked ]; then
# . /etc/rc.d/rc.firewall.blocked
#fi
# —————————————————————————-
# spoofing & bad addresses
# refuse spoofed packets.
# ignore blatantly illegal source addresses.
# protect yourself from sending to bad addresses.
# refuse spoofed packets pretending to be from the external address.
ipchains -a input -i $external_interface -s $ipaddr -j deny -l
# refuse packets claiming to be to or from a class a private network
ipchains -a input -i $external_interface -s $class_a -j deny -l
ipchains -a input -i $external_interface -d $class_a -j deny -l
ipchains -a output -i $external_interface -s $class_a -j reject -l
ipchains -a output -i $external_interface -d $class_a -j reject -l
# refuse packets claiming to be to or from a class b private network
ipchains -a input -i $external_interface -s $class_b -j deny -l
ipchains -a input -i $external_interface -d $class_b -j deny -l
ipchains -a output -i $external_interface -s $class_b -j reject -l
ipchains -a output -i $external_interface -d $class_b -j reject -l
# refuse packets claiming to be to or from a class c private network
ipchains -a input -i $external_interface -s $class_c -j deny -l
ipchains -a input -i $external_interface -d $class_c -j deny -l
ipchains -a output -i $external_interface -s $class_c -j reject -l
ipchains -a output -i $external_interface -d $class_c -j reject -l
# refuse packets claiming to be from the loopback interface
ipchains -a input -i $external_interface -s $loopback -j deny -l
ipchains -a output -i $external_interface -s $loopback -j reject -l
# refuse broadcast address source packets
ipchains -a input -i $external_interface -s $broadcast_dest -j deny –l
ipchains -a input -i $external_interface -d $broadcast_src -j deny -l
# refuse class d multicast addresses (in.h) (net-3-howto)
# multicast is illegal as a source address.
# multicast uses udp.
ipchains -a input -i $external_interface -s $class_d_multicast -j deny -l
# refuse class e reserved ip addresses
ipchains -a input -i $external_interface -s $class_e_reserved_net -j deny -l
# refuse addresses defined as reserved by the iana
# 0.*.*.*, 1.*.*.*, 2.*.*.*, 5.*.*.*, 7.*.*.*, 23.*.*.*, 27.*.*.*
# 31.*.*.*, 37.*.*.*, 39.*.*.*, 41.*.*.*, 42.*.*.*, 58-60.*.*.*
# 65-95.*.*.*, 96-126.*.*.*, 197.*.*.*, 201.*.*.* (?), 217-223.*.*.*
ipchains -a input -i $external_interface -s 1.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 2.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 5.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 7.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 23.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 27.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 31.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 37.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 39.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 41.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 42.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 58.0.0.0/7 -j deny -l
ipchains -a input -i $external_interface -s 60.0.0.0/8 -j deny -l
#65: 01000001 – /3 includes 64 – need 65-79 spelled out
ipchains -a input -i $external_interface -s 65.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 66.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 67.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 68.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 69.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 70.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 71.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 72.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 73.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 74.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 75.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 76.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 77.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 78.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 79.0.0.0/8 -j deny -l
#80: 01010000 – /4 masks 80-95
ipchains -a input -i $external_interface -s 80.0.0.0/4 -j deny -l
# 96: 01100000 – /4 makses 96-111
ipchains -a input -i $external_interface -s 96.0.0.0/4 -j deny -l
#126: 01111110 – /3 includes 127 – need 112-126 spelled out
ipchains -a input -i $external_interface -s 112.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 113.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 114.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 115.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 116.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 117.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 118.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 119.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 120.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 121.0.0.0/8 -j deny –l
ipchains -a input -i $external_interface -s 122.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 123.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 124.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 125.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 126.0.0.0/8 -j deny -l
#217: 11011001 – /5 includes 216 – need 217-219 spelled out
ipchains -a input -i $external_interface -s 217.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 218.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 219.0.0.0/8 -j deny -l
#223: 11011111 – /6 masks 220-223
ipchains -a input -i $external_interface -s 220.0.0.0/6 -j deny -l
# —————————————————————————-
# icmp
# to prevent denial of service attacks based on icmp bombs, filter
# incoming redirect (5) and outgoing destination unreachable (3).
# note, however, disabling destination unreachable (3) is not
# advisable, as it is used to negotiate packet fragment size.
# for bi-directional ping.
# message types: echo_reply (0), echo_request (8)
# to prevent attacks, limit the src addresses to your isp range.
#
# for outgoing traceroute.
# message types: incoming dest_unreachable (3), time_exceeded (11)
# default udp base: 33434 to base+nhops-1
#
# for incoming traceroute.
# message types: outgoing dest_unreachable (3), time_exceeded (11)
# to block this, deny outgoing 3 and 11
# 0: echo-reply (pong)
# 3: destination-unreachable, port-unreachable, fragmentation-needed, etc.
# 4: source-quench
# 5: redirect
# 8: echo-request (ping)
# 11: time-exceeded
# 12: parameter-problem
ipchains -a input -i $external_interface -p icmp
-s $anywhere 0 -d $ipaddr -j accept
ipchains -a input -i $external_interface -p icmp
-s $anywhere 3 -d $ipaddr -j accept
ipchains -a input -i $external_interface -p icmp
-s $anywhere 4 -d $ipaddr -j accept
ipchains -a input -i $external_interface -p icmp
-s $anywhere 11 -d $ipaddr -j accept
ipchains -a input -i $external_interface -p icmp
-s $anywhere 12 -d $ipaddr -j accept
ipchains -a input -i $external_interface -p icmp
-s 208.164.186.0/24 8 -d $ipaddr -j accept
ipchains -a output -i $external_interface -p icmp
-s $ipaddr 0 -d 208.164.186.0/24 -j accept
ipchains -a output -i $external_interface -p icmp
-s $ipaddr 3 -d $anywhere -j accept
ipchains -a output -i $external_interface -p icmp
-s $ipaddr 4 -d $anywhere -j accept
ipchains -a output -i $external_interface -p icmp
-s $ipaddr 8 -d $anywhere -j accept
ipchains -a output -i $external_interface -p icmp
-s $ipaddr 12 -d $anywhere -j accept
ipchains -a output -i $external_interface -p icmp
-s $ipaddr 11 -d 208.164.186.0/24 -j accept
# —————————————————————————-
# udp incoming traceroute
# traceroute usually uses -s 32769:65535 -d 33434:33523
ipchains -a input -i $external_interface -p udp
-s 208.164.186.0/24 $traceroute_src_ports
-d $ipaddr $traceroute_dest_ports -j accept -l
ipchains -a input -i $external_interface -p udp
-s $anywhere $traceroute_src_ports
-d $ipaddr $traceroute_dest_ports -j deny -l
# —————————————————————————-
# dns server
# ———-
# dns: full server
# server/client to server query or response
ipchains -a input -i $external_interface -p udp
-s $anywhere $unprivports
-d $ipaddr 53 -j accept
ipchains -a output -i $external_interface -p udp
-s $ipaddr 53
-d $anywhere $unprivports -j accept
# dns client (53)
# —————
ipchains -a input -i $external_interface -p udp
-s $nameserver_1 53
-d $ipaddr $unprivports -j accept
ipchains -a output -i $external_interface -p udp
-s $ipaddr $unprivports
-d $nameserver_1 53 -j accept
ipchains -a input -i $external_interface -p tcp ! -y
-s $nameserver_1 53
-d $ipaddr $unprivports -j accept
ipchains -a output -i $external_interface -p tcp
-s $ipaddr $unprivports
-d $nameserver_1 53 -j accept
# —————————————————————————-
# tcp accept only on selected ports
# ———————————
# ——————————————————————
# ssh server (22)
# —————
ipchains -a input -i $external_interface -p tcp
-s $anywhere $unprivports
-d $ipaddr 22 -j accept
ipchains -a output -i $external_interface -p tcp ! -y
-s $ipaddr 22
-d $anywhere $unprivports -j accept
ipchains -a input -i $external_interface -p tcp
-s $anywhere $ssh_ports
-d $ipaddr 22 -j accept
ipchains -a output -i $external_interface -p tcp ! -y
-s $ipaddr 22
-d $anywhere $ssh_ports -j accept
# ssh client (22)
# —————
# ipchains -a input -i $external_interface -p tcp ! -y
# -s $anywhere 22
# -d $ipaddr $unprivports -j accept
# ipchains -a output -i $external_interface -p tcp
# -s $ipaddr $unprivports
# -d $anywhere 22 -j accept
# ipchains -a input -i $external_interface -p tcp ! -y
# -s $anywhere 22
# -d $ipaddr $ssh_ports -j accept
# ipchains -a output -i $external_interface -p tcp
# -s $ipaddr $ssh_ports
# -d $anywhere 22 -j accept
# ——————————————————————
# auth server (113)
# —————–
# reject, rather than deny, the incoming auth port. (net-3-howto)
ipchains -a input -i $external_interface -p tcp
-s $anywhere
-d $ipaddr 113 -j reject
# ——————————————————————
# syslog server (514)
# —————–
# provides full remote logging. using this feature youre able to
# control all syslog messages on one host.
# ipchains -a input -i $external_interface -p udp
# -s $syslog_client
# -d $ipaddr 514 -j accept
# syslog client (514)
# —————–
# ipchains -a output -i $external_interface -p udp
# -s $ipaddr 514
# -d $syslog_server 514 -j accept
# ——————————————————————
# smtp server (25)
# —————-
ipchains -a input -i $external_interface -p tcp
-s $anywhere $unprivports
-d $ipaddr 25 -j accept
ipchains -a output -i $external_interface -p tcp ! -y
-s $ipaddr 25
-d $anywhere $unprivports -j accept
# smtp client (25)
# —————-
ipchains -a input -i $external_interface -p tcp ! -y
-s $anywhere 25
-d $ipaddr $unprivports -j accept
ipchains -a output -i $external_interface -p tcp
-s $ipaddr $unprivports
-d $anywhere 25 -j accept
# ——————————————————————
# imap server (143)
# —————–
ipchains -a input -i $external_interface -p tcp
-s $anywhere $unprivports
-d $ipaddr 143 -j accept
ipchains -a output -i $external_interface -p tcp ! -y
-s $ipaddr 143
-d $anywhere $unprivports -j accept
# ——————————————————————
# outgoing traceroute
# ——————-
ipchains -a output -i $external_interface -p udp
-s $ipaddr $traceroute_src_ports
-d $anywhere $traceroute_dest_ports -j accept
# —————————————————————————-
# enable logging for selected denied packets
ipchains -a input -i $external_interface -p tcp
-d $ipaddr -j deny -l
ipchains -a input -i $external_interface -p udp
-d $ipaddr $privports -j deny -l
ipchains -a input -i $external_interface -p udp
-d $ipaddr $unprivports -j deny -l
ipchains -a input -i $external_interface -p icmp
-s $anywhere 5 -d $ipaddr -j deny -l
ipchains -a input -i $external_interface -p icmp
-s $anywhere 13:255 -d $ipaddr -j deny -l
# —————————————————————————-
;;
stop)
echo -n “shutting firewalling services: ”
# remove all existing rules belonging to this filter
ipchains -f
# reset the default policy of the filter to accept.
ipchains -p input accept
ipchains -p output accept
ipchains -p forward accept
# reset tcp syn cookie protection to off.
echo 0 >/proc/sys/net/ipv4/tcp_syncookies
# reset ip spoofing protection to off.
# turn on source address verification
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 0 > $f
done
# reset icmp redirect acceptance to on.
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo 1 > $f
done
# reset source routed packets to on.
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 1 > $f
done
;;
status)
echo -n “now do you show firewalling stats?”
;;
restart|reload)
$0 stop
$0 start
;;
*)
echo “usage: firewall {start|stop|status|restart|reload}”
exit 1
esac

现在,让这个脚本文件成为可执行的,并改变它的缺省权限:

[root@deep]# chmod 700 /etc/rc.d/init.d/firewall
[root@deep]# chown 0.0 /etc/rc.d/init.d/firewall

创建防火墙文件与rc.d的符号链接:

[root@deep]# chkconfig –add firewall
[root@deep]# chkconfig –level 345 firewall on

现在,防火墙规则就通过使用系统v的init 配置好了(系统v的init 负责启动所有在系统引导阶段需要运行的普通程序),并且它会在服务器重起是自动执行。

要手工停止防火墙,用命令:

[root@deep]# /etc/rc.d/init.d/firewall stop

要手工运行防火墙,用命令:

[root@deep]# /etc/rc.d/init.d/firewall start

为网关服务器配置“/etc/rc.d/init.d/firewall”脚本文件

下面是用于我们网关服务器的配置脚本文件。这个配置允许在回馈地址上的所有流量,缺省情况下是icmp ,dns服务器和客户机(53),ssh服务器和客户机(22),http服务器和客户机(80),https 服务器和客户机(443),pop客户机(110),nntp news客户机(119),smtp 服务器和客户机(25),imap 服务器(143),irc客户机(6667),icq客户机(4000),ftp客户机(20,21),realaudio/quicktime客户机和outgoing traceroute请求。

如果你不需要在下面文件中缺省列出的某些服务,可以用行开头加“#”来注释掉该行。如果你需要某些被注释掉的服务,去掉该行开头的“#”就可以了。如果你在服务器上配置了ip伪装,可以去掉伪装相应服务所需模块前的注释符号,比如ip_masq_irc.o,ip_masq_raudio.o等等。

请在邮件服务器上创建如下的防火墙脚本文件(用 touch /etc/rc.d/init.d/firewall ):

#!/bin/sh
#
# —————————————————————————-
# last modified by gerhard mourani: 02-01-2000
# —————————————————————————-
# copyright (c) 1997, 1998, 1999 robert l. ziegler
#
# permission to use, copy, modify, and distribute this software and its
# documentation for educational, research, private and non-profit purposes,
# without fee, and without a written agreement is hereby granted.
# this software is provided as an example and basis for individual firewall
# development. this software is provided without warranty.
#
# any material furnished by robert l. ziegler is furnished on an
# “as is” basis. he makes no warranties of any kind, either expressed
# or implied as to any matter including, but not limited to, warranty
# of fitness for a particular purpose, exclusivity or results obtained
# from use of the material.
# —————————————————————————-
#
# invoked from /etc/rc.d/init.d/firewall.
# chkconfig: – 60 95
# description: starts and stops the ipchains firewall
# used to provide firewall network services.
# source function library.
. /etc/rc.d/init.d/functions
# source networking configuration.
. /etc/sysconfig/network
# check that networking is up.
[ ${networking} = “no” ] && exit 0
# see how we were called.
case “$1” in
start)
echo -n “starting firewalling services: ”
# some definitions for easy maintenance.
# —————————————————————————-
# edit these to suit your system and isp.
external_interface=”eth0″ # whichever you use
local_interface_1=”eth1″ # whichever you use
loopback_interface=”lo”
ipaddr=”208.164.186.1″
localnet_1=”192.168.1.0/24″ # whatever private range you use
anywhere=”any/0″
nameserver_1=”208.164.186.1″
nameserver_2=”208.164.186.2″
pop_server=”pop.videotron.ca” # your pop external server
news_server=”news.videotron.ca” # your news external server
syslog_server=”mail.openarch.com” # your syslog internal server
loopback=”127.0.0.0/8″
class_a=”10.0.0.0/8″
class_b=”172.16.0.0/12″
class_c=”192.168.0.0/16″
class_d_multicast=”224.0.0.0/4″
class_e_reserved_net=”240.0.0.0/5″
broadcast_src=”0.0.0.0″
broadcast_dest=”255.255.255.255″
privports=”0:1023″
unprivports=”1024:65535″
# —————————————————————————-
# ssh starts at 1023 and works down to 513 for
# each additional simultaneous incoming connection.
ssh_ports=”1022:1023″ # range for ssh privileged ports
# traceroute usually uses -s 32769:65535 -d 33434:33523
traceroute_src_ports=”32769:65535″
traceroute_dest_ports=”33434:33523″
# —————————————————————————-
# default policy is deny
# explicitly accept desired incoming & outgoing connections
# remove all existing rules belonging to this filter
ipchains -f
# set the default policy of the filter to deny.
ipchains -p input deny
ipchains -p output reject
ipchains -p forward reject
# set masquerade timeout to 10 hours for tcp connections
ipchains -m -s 36000 0 0
# dont forward fragments. assemble before forwarding.
ipchains -a output -f -i $local_interface_1 -j deny
# —————————————————————————-
# enable tcp syn cookie protection
echo 1 >/proc/sys/net/ipv4/tcp_syncookies
# enable ip spoofing protection
# turn on source address verification
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done
# disable icmp redirect acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo 0 > $f
done
# disable source routed packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 0 > $f
done
# these modules are necessary to masquerade their respective services.
/sbin/modprobe ip_masq_ftp.o
/sbin/modprobe ip_masq_raudio.o ports=554,7070,7071,6970,6971
/sbin/modprobe ip_masq_irc.o
#/sbin/modprobe/ip_masq_vdolive.o
#/sbin/modprobe/ip_masq_cuseeme.o
#/sbin/modprobe/ip_masq_quake.o
# —————————————————————————-
# loopback
# unlimited traffic on the loopback interface.
ipchains -a input -i $loopback_interface -j accept
ipchains -a output -i $loopback_interface -j accept
# —————————————————————————-
# network ghouls
# deny access to jerks
# /etc/rc.d/rc.firewall.blocked contains a list of
# ipchains -a input -i $external_interface -s address -j deny
# rules to block from any access.
# refuse any connection from problem sites
#if [ -f /etc/rc.d/rc.firewall.blocked ]; then
# . /etc/rc.d/rc.firewall.blocked
#fi
# —————————————————————————-
# spoofing & bad addresses
# refuse spoofed packets.
# ignore blatantly illegal source addresses.
# protect yourself from sending to bad addresses.
# refuse spoofed packets pretending to be from the external address.
ipchains -a input -i $external_interface -s $ipaddr -j deny -l
# refuse packets claiming to be to or from a class a private network
ipchains -a input -i $external_interface -s $class_a -j deny -l
ipchains -a input -i $external_interface -d $class_a -j deny -l
ipchains -a output -i $external_interface -s $class_a -j reject -l
ipchains -a output -i $external_interface -d $class_a -j reject -l
# refuse packets claiming to be to or from a class b private network
ipchains -a input -i $external_interface -s $class_b -j deny -l
ipchains -a input -i $external_interface -d $class_b -j deny –l
ipchains -a output -i $external_interface -s $class_b -j reject -l
ipchains -a output -i $external_interface -d $class_b -j reject -l
# refuse packets claiming to be to or from a class c private network
ipchains -a input -i $external_interface -s $class_c -j deny -l
ipchains -a input -i $external_interface -d $class_c -j deny -l
ipchains -a output -i $external_interface -s $class_c -j reject -l
ipchains -a output -i $external_interface -d $class_c -j reject -l
# refuse packets claiming to be from the loopback interface
ipchains -a input -i $external_interface -s $loopback -j deny -l
ipchains -a output -i $external_interface -s $loopback -j reject -l
# refuse broadcast address source packets
ipchains -a input -i $external_interface -s $broadcast_dest -j deny -l
ipchains -a input -i $external_interface -d $broadcast_src -j deny -l
# refuse class d multicast addresses (in.h) (net-3-howto)
# multicast is illegal as a source address.
# multicast uses udp.
ipchains -a input -i $external_interface -s $class_d_multicast -j deny -l
# refuse class e reserved ip addresses
ipchains -a input -i $external_interface -s $class_e_reserved_net -j deny -l
# refuse addresses defined as reserved by the iana
# 0.*.*.*, 1.*.*.*, 2.*.*.*, 5.*.*.*, 7.*.*.*, 23.*.*.*, 27.*.*.*
# 31.*.*.*, 37.*.*.*, 39.*.*.*, 41.*.*.*, 42.*.*.*, 58-60.*.*.*
# 65-95.*.*.*, 96-126.*.*.*, 197.*.*.*, 201.*.*.* (?), 217-223.*.*.*
ipchains -a input -i $external_interface -s 1.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 2.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 5.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 7.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 23.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 27.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 31.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 37.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 39.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 41.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 42.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 58.0.0.0/7 -j deny -l
ipchains -a input -i $external_interface -s 60.0.0.0/8 -j deny -l
#65: 01000001 – /3 includes 64 – need 65-79 spelled out
ipchains -a input -i $external_interface -s 65.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 66.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 67.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 68.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 69.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 70.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 71.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 72.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 73.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 74.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 75.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 76.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 77.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 78.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 79.0.0.0/8 -j deny -l
#80: 01010000 – /4 masks 80-95
ipchains -a input -i $external_interface -s 80.0.0.0/4 -j deny –l
# 96: 01100000 – /4 makses 96-111
ipchains -a input -i $external_interface -s 96.0.0.0/4 -j deny -l
#126: 01111110 – /3 includes 127 – need 112-126 spelled out
ipchains -a input -i $external_interface -s 112.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 113.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 114.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 115.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 116.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 117.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 118.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 119.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 120.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 121.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 122.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 123.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 124.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 125.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 126.0.0.0/8 -j deny -l
#217: 11011001 – /5 includes 216 – need 217-219 spelled out
ipchains -a input -i $external_interface -s 217.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 218.0.0.0/8 -j deny -l
ipchains -a input -i $external_interface -s 219.0.0.0/8 -j deny -l
#223: 11011111 – /6 masks 220-223
ipchains -a input -i $external_interface -s 220.0.0.0/6 -j deny -l
# —————————————————————————-
# icmp
# to prevent denial of service attacks based on icmp bombs, filter
# incoming redirect (5) and outgoing destination unreachable (3).
# note, however, disabling destination unreachable (3) is not
# advisable, as it is used to negotiate packet fragment size.
# for bi-directional ping.
# message types: echo_reply (0), echo_request (8)
# to prevent attacks, limit the src addresses to your isp range.
#
# for outgoing traceroute.
# message types: incoming dest_unreachable (3), time_exceeded (11)
# default udp base: 33434 to base+nhops-1
#
# for incoming traceroute.
# message types: outgoing dest_unreachable (3), time_exceeded (11)
# to block this, deny outgoing 3 and 11
# 0: echo-reply (pong)
# 3: destination-unreachable, port-unreachable, fragmentation-needed, etc.
# 4: source-quench
# 5: redirect
# 8: echo-request (ping)
# 11: time-exceeded
# 12: parameter-problem
ipchains -a input -i $external_interface -p icmp
-s $anywhere 0 -d $ipaddr -j accept
ipchains -a input -i $external_interface -p icmp
-s $anywhere 3 -d $ipaddr -j accept
ipchains -a input -i $external_interface -p icmp
-s $anywhere 4 -d $ipaddr -j accept
ipchains -a input -i $external_interface -p icmp
-s $anywhere 11 -d $ipaddr -j accept
ipchains -a input -i $external_interface -p icmp
-s $anywhere 12 -d $ipaddr -j accept
ipchains -a input -i $external_interface -p icmp
-s 208.164.186.0/24 8 -d $ipaddr -j accept
ipchains -a output -i $external_interface -p icmp
-s $ipaddr 0 -d 208.164.186.0/24 -j accept
ipchains -a output -i $external_interface -p icmp
-s $ipaddr 3 -d $anywhere -j accept
ipchains -a output -i $external_interface -p icmp
-s $ipaddr 4 -d $anywhere -j accept
ipchains -a output -i $external_interface -p icmp
-s $ipaddr 8 -d $anywhere -j accept
ipchains -a output -i $external_interface -p icmp
-s $ipaddr 12 -d $anywhere -j accept
ipchains -a output -i $external_interface -p icmp
-s $ipaddr 11 -d 208.164.186.0/24 -j accept
# —————————————————————————-
# udp incoming traceroute
# traceroute usually uses -s 32769:65535 -d 33434:33523
ipchains -a input -i $external_interface -p udp
-s 208.164.186.0/24 $traceroute_src_ports
-d $ipaddr $traceroute_dest_ports -j accept -l
ipchains -a input -i $external_interface -p udp
-s $anywhere $traceroute_src_ports
-d $ipaddr $traceroute_dest_ports -j deny -l
# —————————————————————————-
# dns server
# ———-
# dns: full server
# server/client to server query or response
ipchains -a input -i $external_interface -p udp
-s $anywhere $unprivports
-d $ipaddr 53 -j accept
ipchains -a output -i $external_interface -p udp
-s $ipaddr 53
-d $anywhere $unprivports -j accept
# dns client (53)
# —————
ipchains -a input -i $external_interface -p udp
-s $nameserver_1 53
-d $ipaddr $unprivports -j accept
ipchains -a output -i $external_interface -p udp
-s $ipaddr $unprivports
-d $nameserver_1 53 -j accept
ipchains -a input -i $external_interface -p tcp ! -y
-s $nameserver_1 53
-d $ipaddr $unprivports -j accept
ipchains -a output -i $external_interface -p tcp
-s $ipaddr $unprivports
-d $nameserver_1 53 -j accept
ipchains -a input -i $external_interface -p udp
-s $nameserver_2 53
-d $ipaddr $unprivports -j accept
ipchains -a output -i $external_interface -p udp
-s $ipaddr $unprivports
-d $nameserver_2 53 -j accept
ipchains -a input -i $external_interface -p tcp ! -y
-s $nameserver_2 53
-d $ipaddr $unprivports -j accept
ipchains -a output -i $external_interface -p tcp
-s $ipaddr $unprivports
-d $nameserver_2 53 -j accept
# —————————————————————————-
# tcp accept only on selected ports
# ———————————
# ——————————————————————
# ssh server (22)
# —————
ipchains -a input -i $external_interface -p tcp
-s $anywhere $unprivports
-d $ipaddr 22 -j accept
ipchains -a output -i $external_interface -p tcp ! -y
-s $ipaddr 22
-d $anywhere $unprivports -j accept
ipchains -a input -i $external_interface -p tcp
-s $anywhere $ssh_ports
-d $ipaddr 22 -j accept
ipchains -a output -i $external_interface -p tcp ! -y
-s $ipaddr 22
-d $anywhere $ssh_ports -j accept
# ssh client (22)
# —————
ipchains -a input -i $external_interface -p tcp ! -y
-s $anywhere 22
-d $ipaddr $unprivports -j accept
ipchains -a output -i $external_interface -p tcp
-s $ipaddr $unprivports
-d $anywhere 22 -j accept
ipchains -a input -i $external_interface -p tcp ! -y
-s $anywhere 22
-d $ipaddr $ssh_ports -j accept
ipchains -a output -i $external_interface -p tcp
-s $ipaddr $ssh_ports
-d $anywhere 22 -j accept
# ——————————————————————
# http client (80)
# —————-
ipchains -a input -i $external_interface -p tcp ! -y
-s $anywhere 80
-d $ipaddr $unprivports -j accept
ipchains -a output -i $external_interface -p tcp
-s $ipaddr $unprivports
-d $anywhere 80 -j accept
# ——————————————————————
# https client (443)
# ——————
ipchains -a input -i $external_interface -p tcp ! -y
-s $anywhere 443
-d $ipaddr $unprivports -j accept
ipchains -a output -i $external_interface -p tcp
-s $ipaddr $unprivports
-d $anywhere 443 -j accept
# ——————————————————————
# pop client (110)
# —————-
ipchains -a input -i $external_interface -p tcp ! -y
-s $pop_server 110
-d $ipaddr $unprivports -j accept
ipchains -a output -i $external_interface -p tcp
-s $ipaddr $unprivports
-d $pop_server 110 -j accept
# ——————————————————————
# nntp news client (119)
# ———————-
ipchains -a input -i $external_interface -p tcp ! -y
-s $news_server 119
-d $ipaddr $unprivports -j accept
ipchains -a output -i $external_interface -p tcp
-s $ipaddr $unprivports
-d $news_server 119 -j accept
# ——————————————————————
# finger client (79)
# ——————
# ipchains -a input -i $external_interface -p tcp ! -y
# -s $anywhere 79
# -d $ipaddr $unprivports -j accept
# ipchains -a output -i $external_interface -p tcp
# -s $ipaddr $unprivports
# -d $anywhere 79 -j accept
# ——————————————————————
# syslog client (514)
# —————–
# ipchains -a output -i $local_interface_1 -p udp
# -s $ipaddr 514
# -d $syslog_server 514 -j accept
# ——————————————————————
# auth server (113)
# —————–
# reject, rather than deny, the incoming auth port. (net-3-howto)
ipchains -a input -i $external_interface -p tcp
-s $anywhere
-d $ipaddr 113 -j reject
# auth client (113)
# —————–
# ipchains -a input -i $external_interface -p tcp ! -y
# -s $anywhere 113
# -d $ipaddr $unprivports -j accept
# ipchains -a output -i $external_interface -p tcp
# -s $ipaddr $unprivports
# -d $anywhere 113 -j accept
# ——————————————————————
# smtp client (25)
# —————-
ipchains -a input -i $external_interface -p tcp ! -y
-s $anywhere 25
-d $ipaddr $unprivports -j accept
ipchains -a output -i $external_interface -p tcp
-s $ipaddr $unprivports
-d $anywhere 25 -j accept
# ——————————————————————
# irc client (6667)
# —————–
ipchains -a input -i $external_interface -p tcp ! -y
-s $anywhere 6667
-d $ipaddr $unprivports -j accept
ipchains -a output -i $external_interface -p tcp
-s $ipaddr $unprivports
-d $anywhere 6667 -j accept
# ——————————————————————
# icq client (4000)
# —————–
ipchains -a input -i $external_interface -p tcp ! -y
-s $anywhere 2000:4000
-d $ipaddr $unprivports -j accept
ipchains -a output -i $external_interface -p tcp
-s $ipaddr $unprivports
-d $anywhere 2000:4000 -j accept
ipchains -a input -i $external_interface -p udp
-s $anywhere 4000
-d $ipaddr $unprivports -j accept
ipchains -a output -i $external_interface -p udp
-s $ipaddr $unprivports
-d $anywhere 4000 -j accept
# ——————————————————————
# ftp client (20, 21)
# ——————-
# outgoing request
ipchains -a input -i $external_interface -p tcp ! -y
-s $anywhere 21
-d $ipaddr $unprivports -j accept
ipchains -a output -i $external_interface -p tcp
-s $ipaddr $unprivports
-d $anywhere 21 -j accept
# normal mode data channel
ipchains -a input -i $external_interface -p tcp
-s $anywhere 20
-d $ipaddr $unprivports -j accept
# normal mode data channel responses
ipchains -a output -i $external_interface -p tcp ! -y
-s $ipaddr $unprivports
-d $anywhere 20 -j accept
# passive mode data channel creation
ipchains -a output -i $external_interface -p tcp
-s $ipaddr $unprivports
-d $anywhere $unprivports -j accept
# passive mode data channel responses
ipchains -a input -i $external_interface -p tcp ! -y
-s $anywhere $unprivports
-d $ipaddr $unprivports -j accept
# ——————————————————————
# realaudio / quicktime client
# —————————-
ipchains -a input -i $external_interface -p tcp ! -y
-s $anywhere 554
-d $ipaddr $unprivports -j accept
ipchains -a output -i $external_interface -p tcp
-s $ipaddr $unprivports
-d $anywhere 554 -j accept
# tcp is a more secure method: 7070:7071
ipchains -a input -i $external_interface -p tcp ! -y
-s $anywhere 7070:7071
-d $ipaddr $unprivports -j accept
ipchains -a output -i $external_interface -p tcp
-s $ipaddr $unprivports
-d $anywhere 7070:7071 -j accept
# udp is the preferred method: 6970:6999
# for lan machines, udp requires the realaudio masquerading module and
# the ipmasqadm third-party software.
ipchains -a input -i $external_interface -p udp
-s $anywhere $unprivports
-d $ipaddr 6970:6999 -j accept
ipchains -a output -i $external_interface -p udp
-s $ipaddr $unprivports
-d $anywhere $unprivports -j accept
# ——————————————————————
# whois client (43)
# —————–
# ipchains -a input -i $external_interface -p tcp ! -y
# -s $anywhere 43
# -d $ipaddr $unprivports -j accept
# ipchains -a output -i $external_interface -p tcp
# -s $ipaddr $unprivports
# -d $anywhere 43 -j accept
# ——————————————————————
# outgoing traceroute
# ——————-
ipchains -a output -i $external_interface -p udp
-s $ipaddr $traceroute_src_ports
-d $anywhere $traceroute_dest_ports -j accept
# —————————————————————————-
# unlimited traffic within the local network.
# all internal machines have access to the firewall machine.
ipchains -a input -i $local_interface_1 -s $localnet_1 -j accept
ipchains -a output -i $local_interface_1 -d $localnet_1 -j accept
# —————————————————————————-
# masquerade internal traffic.
# all internal traffic is masqueraded externally.
ipchains -a forward -i $external_interface -s $localnet_1 -j masq
# —————————————————————————-
# enable logging for selected denied packets
ipchains -a input -i $external_interface -p tcp
-d $ipaddr -j deny -l
ipchains -a input -i $external_interface -p udp
-d $ipaddr $privports -j deny -l
ipchains -a input -i $external_interface -p udp
-d $ipaddr $unprivports -j deny -l
ipchains -a input -i $external_interface -p icmp
-s $anywhere 5 -d $ipaddr -j deny -l
ipchains -a input -i $external_interface -p icmp
-s $anywhere 13:255 -d $ipaddr -j deny -l
# —————————————————————————-
;;
stop)
echo -n “shutting firewalling services: ”
# remove all existing rules belonging to this filter
ipchains -f
# reset the default policy of the filter to accept.
ipchains -p input accept
ipchains -p output accept
ipchains -p forward accept
# reset tcp syn cookie protection to off.
echo 0 >/proc/sys/net/ipv4/tcp_syncookies
# reset ip spoofing protection to off.
# turn on source address verification
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 0 > $f
done
# reset icmp redirect acceptance to on.
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo 1 > $f
done
# reset source routed packets to on.
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 1 > $f
done
;;
status)
echo -n “now do you show firewalling stats?”
;;
restart|reload)
$0 stop
$0 start

赞(0)
版权申明:本站文章部分自网络,如有侵权,请联系:west999com@outlook.com 特别注意:本站所有转载文章言论不代表本站观点! 本站所提供的图片等素材,版权归原作者所有,如需使用,请与原作者联系。未经允许不得转载:IDC资讯中心 » 第七章 网络防火墙(二)-网管专栏,安全与管理
分享到: 更多 (0)