Linux 2.4 contains some new, advanced firewall facilities. In earlier Linux versions - with ipfwadm and ipchains - Linux had only a simple packet filter, which imposed some unpleasant limitations on what you could do with your firewall rules. In particular, it was difficult to support e.g. ftp.
With the new netfilter software in the Linux 2.4 kernel, Linux has gained an advanced, so-called stateful inspection firewall. The Linux kernel now keeps track of which traffic is active on the firewall, and creates and removes temporary firewall rules as needed. This makes the firewall more secure, and at the same time it becomes much easier to configure the firewall ruleset.
Here is an example of using the netfilter facility in the Linux 2.4 kernel to protect a Linux machine that is connected to the Internet. The ruleset allows you to use your machine normally, i.e. browse the web, fetch mail and news, download files with ftp etc., but if someone from outside tries to connect to your machine, it is closed off. The script also enables some other facilities in the Linux 2.4 kernel that protect against various kinds of attacks.
Jeppe Koefoed has kindly contributed another script, for a slightly more advanced firewall with three network cards. You can see his suggested firewall script here.
I recommend that you use these scripts as inspiration - also read the man page for the iptables program, so that you have an idea of what the various commands do.
The iptables command is available as an rpm package here.
You can download the script itself here.
```sh
#!/bin/sh
#
# Configure safe networking practices for Linux 2.4
#
# chkconfig: - 06 90
# description: Setup firewalling and network security
#
# To install this on a Red Hat system, save this script as
# /etc/rc.d/init.d/securenet, then run the commands
#
#   chmod 755 /etc/rc.d/init.d/securenet
#   /sbin/chkconfig --add securenet
#   /sbin/chkconfig --level 2345 securenet on
#
# The "iptables" command is available from http://netfilter.kernelnotes.org/
# An rpm-package is available from Red Hat's contrib-section
#
# Henrik Størner, henrik@storner.dk
#

PATH=/bin:/sbin:/usr/bin:/usr/sbin

####################
# Configuration
#
# Need to know which ethX is external,
# and which is internal
####################
NET_INTERN=eth0
NET_EXTERN="ppp0"

# Delete the next two lines after you have set NET_INTERN and NET_EXTERN
echo "Du skal rette NET_INTERN og NET_EXTERN for at scriptet virker"
exit 1

#########################################
# First setup some of the kernel features
#########################################

# Disable forwarding - this is for a standalone system.
# (For masquerading, see below).
echo "0" >/proc/sys/net/ipv4/ip_forward

# Enable syn-cookies (syn-flooding attacks)
echo "1" >/proc/sys/net/ipv4/tcp_syncookies

# Disable ICMP echo-request to broadcast addresses (Smurf amplifier)
echo "1" >/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Shut off source-routing and enable IP spoof detection
# It seems that this must be done for all network interfaces
for f in /proc/sys/net/ipv4/conf/*; do
	# Drop all source-routed packets
	echo "0" >$f/accept_source_route
	# Enable source-address verification (anti spoofing).
	echo "1" >$f/rp_filter
done

######################
# Setup IP firewalling
######################

# Default policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT

# Create a common chain for the INPUT and FORWARD handling
iptables -N block
iptables -F block

# Allow traffic on established connections
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow new connections if not from the outside
iptables -A block -m state --state NEW -i ! "$NET_EXTERN" -j ACCEPT

# Allow new connections to our public http service
# For home users there are normally none
#
# How to do this depends on whether the service is running on the
# firewall host itself, or on another system "behind" the firewall
# (on the internal LAN, or a separate network segment - so called DMZ).
#
# The following command is needed in both cases:
# iptables -A block -m state --protocol tcp --state NEW -i $NET_EXTERN --destination-port http -j ACCEPT

# If the service is running on another host (here: 192.168.11.22), you must
# do "port forwarding" like this (no need for ipmasqadm anymore):
# iptables -t nat -A PREROUTING --protocol tcp -i $NET_EXTERN --destination-port http -j DNAT --to 192.168.11.22

# Block anything else
# (LOG is non-terminating: the packet is logged, falls off the end of the
# chain and is then dropped by the INPUT/FORWARD policy. Without "-m limit"
# a flood of unwanted packets can fill the system log.)
iptables -A block -j LOG

# Activate the new chain
iptables -A INPUT -j block
iptables -A FORWARD -j block

####################
# Setup Masquerading
####################

# Setup NAT for outgoing connections from the local network
### NB: This is disabled by default. If you want to use      ###
### masquerading, just remove the "###" comment-markers      ###
### from the lines below.                                    ###
###iptables -t nat -F POSTROUTING
###iptables -t nat -A POSTROUTING -o $NET_EXTERN -j MASQUERADE
#
# NB: On Red Hat systems, forwarding is controlled in /etc/sysctl.conf !
# You need to set net.ipv4.ip_forward=1 in this file, or the
# command below will have no effect.
#
###echo "1" >/proc/sys/net/ipv4/ip_forward
```
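As an added illustration (not part of Henrik Størner's script): a small Python model of how netfilter walks the `block` chain above, run over constructed sample packets. It assumes the same interface names as the script and treats the optional public-http rule as a switch; it shows first-match evaluation, the non-terminating LOG target, and the fall-through to the DROP policy of INPUT/FORWARD.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

NET_EXTERN = "ppp0"   # assumed external interface, as in the script above

@dataclass(frozen=True)
class Packet:
    """Constructed sample packet: arrival interface, conntrack state, L4 info."""
    iface: str                  # interface the packet arrived on (-i)
    state: str                  # NEW, ESTABLISHED, RELATED or INVALID
    proto: str = "tcp"
    dport: Optional[int] = None

def block_chain(pkt: Packet, public_http: bool = False) -> List[str]:
    """Walk the 'block' chain top-down; return every target that fired."""
    # iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
    if pkt.state in ("ESTABLISHED", "RELATED"):
        return ["ACCEPT"]
    # iptables -A block -m state --state NEW -i ! "$NET_EXTERN" -j ACCEPT
    # (lo and the internal LAN qualify; anything arriving on ppp0 does not)
    if pkt.state == "NEW" and pkt.iface != NET_EXTERN:
        return ["ACCEPT"]
    # Optional rule from the script, for hosts running a public web server:
    # iptables -A block -m state --protocol tcp --state NEW -i $NET_EXTERN --destination-port http -j ACCEPT
    if (public_http and pkt.state == "NEW" and pkt.iface == NET_EXTERN
            and pkt.proto == "tcp" and pkt.dport == 80):
        return ["ACCEPT"]
    # iptables -A block -j LOG  (non-terminating: the packet is logged and
    # evaluation falls off the end of the chain, back to INPUT/FORWARD)
    return ["LOG"]

def verdict(pkt: Packet, public_http: bool = False,
            policy: str = "DROP") -> Tuple[str, List[str]]:
    """INPUT/FORWARD do '-j block'; an unmatched packet gets the chain policy."""
    hits = block_chain(pkt, public_http)
    final = hits[-1] if hits[-1] in ("ACCEPT", "DROP", "REJECT") else policy
    return final, hits

def run_samples(public_http: bool = False) -> dict:
    """Evaluate a few constructed packets against the ruleset."""
    samples = {
        "reply to our web request": Packet("ppp0", "ESTABLISHED", "tcp", 34567),
        "ftp-data back from server": Packet("ppp0", "RELATED", "tcp", 40001),
        "lan host to our ssh": Packet("eth0", "NEW", "tcp", 22),
        "internet host to our ssh": Packet("ppp0", "NEW", "tcp", 22),
        "internet host to our http": Packet("ppp0", "NEW", "tcp", 80),
        "bogus segment, no conntrack entry": Packet("ppp0", "INVALID"),
    }
    return {name: verdict(p, public_http)[0] for name, p in samples.items()}
```

Note that the model treats INVALID exactly as the real chain does: it matches neither state rule, is logged, and is dropped by policy.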