Aşağıdaki dosyayı firewall adı ile kaydedebilirsiniz.
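#!/bin/sh
# Firewall written with iptables.
# Tested on the Linux 2.4.20-8 kernel.
# The host runs DHCP and WEB servers.
# The Internet-facing interface is assigned to the variable ara1, the
# interface facing the internal network to ara2.
#
# sonersag@yahoo.com
#
# Usage: run as root; persist the result afterwards with
# "service iptables save" or "iptables-save > /etc/sysconfig/iptables".

# Fail closed: if any rule refuses to load, stop here so that forwarding
# is not re-enabled on top of a partial ruleset.
set -e

IPB="/sbin/iptables"
LOCAL=127.0.0.0/8        # loopback range; must never arrive on a real NIC
WEBSERV=192.168.1.1      # web server address
LAN=10.1.34.0/24         # internal network behind ara2
ara1=eth0                # Internet-facing interface
ara2=eth1                # LAN-facing interface
udp_port=67:68           # DHCP server/client ports

# Stop routing while the ruleset is rebuilt.
echo 0 > /proc/sys/net/ipv4/ip_forward

# Flush the filter chains AND the nat table. The original only flushed
# the filter chains, so every re-run appended another MASQUERADE rule to
# POSTROUTING (the duplicate shows up in the iptables-save dump).
"$IPB" -F INPUT
"$IPB" -F OUTPUT
"$IPB" -F FORWARD
"$IPB" -t nat -F

# Default policies: traffic to the host is dropped unless accepted below;
# forwarded and outgoing traffic is allowed unless dropped below.
"$IPB" -P INPUT DROP
"$IPB" -P OUTPUT ACCEPT
"$IPB" -P FORWARD ACCEPT

# Anti-spoofing: only LAN addresses may enter on ara2, LAN addresses may
# enter only on ara2, and loopback addresses only on lo.
# NOTE(review): "-i ! iface" / "-p ! icmp" is the intrapositioned negation
# understood by iptables 1.2.x; newer releases warn that it is deprecated
# in favour of "! -i iface". Kept as-is for the kernel/iptables version
# this script targets.
"$IPB" -A INPUT   -j DROP -i "$ara2" ! -s "$LAN"
"$IPB" -A FORWARD -j DROP -i "$ara2" ! -s "$LAN"
"$IPB" -A INPUT   -j DROP -i ! "$ara2" -s "$LAN"
"$IPB" -A FORWARD -j DROP -i ! "$ara2" -s "$LAN"
"$IPB" -A INPUT   -j DROP -i ! lo -s "$LOCAL"
"$IPB" -A FORWARD -j DROP -i ! lo -s "$LOCAL"
"$IPB" -A INPUT   -j ACCEPT -i lo

# Web server traffic on the Internet-facing interface: tcp/80 from WEBSERV,
# and established/related replies from WEBSERV port 80 towards the LAN.
"$IPB" -A INPUT -j ACCEPT -p tcp -i "$ara1" --dport www -s "$WEBSERV"
"$IPB" -A INPUT -m state --state ESTABLISHED,RELATED -i "$ara1" -p tcp --sport www -s "$WEBSERV" -d "$LAN" -j ACCEPT

# DHCP on the LAN side.
"$IPB" -A INPUT -i "$ara2" -p udp --dport "$udp_port" --sport "$udp_port" -j ACCEPT

# The host must not open new connections from port 80 towards the LAN
# through the Internet-facing interface.
"$IPB" -A OUTPUT -m state --state NEW -o "$ara1" -p tcp --sport www -d "$LAN" -j DROP

# Internet side: replies to existing connections are allowed (except
# ICMP, handled separately below); new inbound connections are dropped,
# both to the host and through it.
"$IPB" -A INPUT   -m state --state ESTABLISHED,RELATED -i "$ara1" -p ! icmp -j ACCEPT
"$IPB" -A INPUT   -m state --state NEW -i "$ara1" -j DROP
"$IPB" -A FORWARD -m state --state NEW -i "$ara1" -j DROP

# Everything from the LAN to the host is allowed.
"$IPB" -A INPUT -j ACCEPT -p all -i "$ara2" -s "$LAN"

# ICMP echo reply (0), echo request (8) and destination unreachable (3)
# addressed to the web server.
"$IPB" -A INPUT -j ACCEPT -p icmp -i "$ara1" --icmp-type 0 -d "$WEBSERV"
"$IPB" -A INPUT -j ACCEPT -p icmp -i "$ara1" --icmp-type 8 -d "$WEBSERV"
"$IPB" -A INPUT -j ACCEPT -p icmp -i "$ara1" --icmp-type 3 -d "$WEBSERV"

# Rate-limited acceptance of TCP SYNs.
# NOTE(review): this rule has no -i match, so on any interface not covered
# by the rules above it accepts new TCP connections at the limit rate
# (burst 5 per the listing). For ara1 it appears to be shadowed by the
# "--state NEW -j DROP" rule for packets conntrack classifies as NEW.
# Confirm this is intended before relying on it as flood protection.
"$IPB" -A INPUT -p tcp --syn -m limit --limit 1/second -j ACCEPT

# Masquerade everything leaving through the Internet-facing interface.
"$IPB" -t nat -A POSTROUTING -o "$ara1" -j MASQUERADE

# Rate-limited acceptance of bare RST segments and echo requests on the
# Internet side.
"$IPB" -A INPUT -p tcp  -i "$ara1" --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/second -j ACCEPT
"$IPB" -A INPUT -p icmp -i "$ara1" --icmp-type 8 -m limit --limit 1/second -j ACCEPT

# Ruleset loaded completely; routing may resume.
echo 1 > /proc/sys/net/ipv4/ip_forward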
#chmod +x firewall
#./firewall
#service iptables save
veya
#iptables-save > /etc/sysconfig/iptables
Yazdığımız ******'in çıktısı aşağıdaki gibi olacaktır.
# Generated by iptables-save v1.2.7a on Sun Sep 12 00:37:15 2004
*nat
:PREROUTING ACCEPT [13:1727]
:POSTROUTING ACCEPT [13:2030]
:OUTPUT ACCEPT [36:5662]
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Sun Sep 12 00:37:15 2004
# Generated by iptables-save v1.2.7a on Sun Sep 12 00:37:15 2004
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s ! 10.1.34.0/255.255.255.0 -i eth1 -j DROP
-A INPUT -s 10.1.34.0/255.255.255.0 -i ! eth1 -j DROP
-A INPUT -s 127.0.0.0/255.0.0.0 -i ! lo -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.1.1 -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 192.168.1.1 -d 10.1.34.0/255.255.255.0 -i eth0 -p tcp -m state --state RELATED,ESTABLISHED -m tcp --sport 80 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
-A INPUT -i eth0 -p ! icmp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -m state --state NEW -j DROP
-A INPUT -s 10.1.34.0/255.255.255.0 -i eth1 -j ACCEPT
-A INPUT -d 192.168.1.1 -i eth0 -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -d 192.168.1.1 -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -d 192.168.1.1 -i eth0 -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 1/sec -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A FORWARD -s ! 10.1.34.0/255.255.255.0 -i eth1 -j DROP
-A FORWARD -s 10.1.34.0/255.255.255.0 -i ! eth1 -j DROP
-A FORWARD -s 127.0.0.0/255.0.0.0 -i ! lo -j DROP
-A FORWARD -i eth0 -m state --state NEW -j DROP
-A OUTPUT -d 10.1.34.0/255.255.255.0 -o eth0 -p tcp -m state --state NEW -m tcp --sport 80 -j DROP
COMMIT
# Completed on Sun Sep 12 00:37:15 2004
IPTABLES KOMUTLARI
#iptables-save > /etc/sysconfig/iptables
iptables-save komutu kuralları standart çıktıya gönderir.
#iptables-restore < /etc/sysconfig/iptables
iptables-restore komutu kuralları geri yüklemek için kullanılır. Netfilter kuralları /etc/sysconfig/iptables dosyasına kaydedilir. Bu dosya
açilişlarda ve service iptables start komutu verildiğinde kontrol
edilecektir.
Ayrıca
#service iptables save
komutu ile /etc/sysconfig/iptables dosyasına değişiklikleri
yansıtabilirsiniz.
#service iptables stop
iptables'ı durdurur.
#service iptables start
iptables'ı başlatır.
#service iptables status
iptables kurallarını gösterir.
#iptables -L -n komutu ile iptables'ın durumu aşağıda
görülmektedir.
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       all  --  !10.1.34.0/24        0.0.0.0/0
DROP       all  --  10.1.34.0/24         0.0.0.0/0
DROP       all  --  127.0.0.0/8          0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  192.168.1.1          0.0.0.0/0            tcp dpt:80
ACCEPT     tcp  --  192.168.1.1          10.1.34.0/24         tcp spt:80 state RELATED,ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spts:67:68 dpts:67:68
ACCEPT    !icmp --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
DROP       all  --  0.0.0.0/0            0.0.0.0/0            state NEW
ACCEPT     all  --  10.1.34.0/24         0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            192.168.1.1          icmp type 0
ACCEPT     icmp --  0.0.0.0/0            192.168.1.1          icmp type 8
ACCEPT     icmp --  0.0.0.0/0            192.168.1.1          icmp type 3
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x16/0x02 limit: avg 1/sec burst 5
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x04 limit: avg 1/sec burst 5
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmp type 8 limit: avg 1/sec burst 5

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  !10.1.34.0/24        0.0.0.0/0
DROP       all  --  10.1.34.0/24         0.0.0.0/0
DROP       all  --  127.0.0.0/8          0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0            state NEW

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  0.0.0.0/0            10.1.34.0/24         tcp spt:80 state NEW
Dokümanı pdf formatında aşağıdaki adresten çekebilirsiniz:
www.olympos.org/pdf/iptables.pdf
Alıntı : http://www.olympos.org/article/view/1334/1/12/
linux_iptables___netfilter_kurulumu