Skåne Sjælland Linux User Group - http://www.sslug.dk

Netfilter in Linux 2.4

Linux 2.4 contains some new, advanced firewall facilities. In earlier Linux versions, with ipfwadm and ipchains, Linux only had a simple packet filter, which imposed some unpleasant limitations on what you could do with your firewall rules. In particular, it was difficult to support protocols such as ftp.

With the new netfilter software in the Linux 2.4 kernel, Linux has gained an advanced, so-called stateful inspection firewall. The Linux kernel now keeps track of which traffic is active on the firewall, and creates and removes temporary firewall rules as needed. That makes the firewall more secure, and at the same time the firewall rule set becomes much easier to configure.

Here is an example of using the netfilter facility in the Linux 2.4 kernel to protect a Linux machine that is connected to the Internet. The rule set allows you to use your machine normally, i.e. browse the web, fetch mail and news, download files with ftp and so on, but if someone from the outside tries to connect to your machine, it is closed off. The script also enables some other facilities in the Linux 2.4 kernel that protect against various kinds of attacks.

Jeppe Koefoed has kindly contributed another script, for a somewhat more advanced firewall with three network cards. You can see his proposed firewall script here.

I would recommend that you use these scripts as inspiration; also read the man page for the iptables program, so that you have an idea of what the different commands do.

The iptables command is available as an rpm package here.

You can download the script itself here.

#!/bin/sh
#
# Configure safe networking practices for Linux 2.4
#
# chkconfig: - 06 90
# description: Setup firewalling and network security
#
# To install this on a Red Hat system, save this script as
# /etc/rc.d/init.d/securenet, then run the commands
#
#   chmod 755 /etc/rc.d/init.d/securenet
#   /sbin/chkconfig --add securenet
#   /sbin/chkconfig --level 2345 securenet on
#
# The "iptables" command is available from http://netfilter.kernelnotes.org/
# An rpm-package is available from Red Hat's contrib-section
#
# Henrik Størner, henrik@storner.dk
#

PATH=/bin:/sbin:/usr/bin:/usr/sbin


####################
# Configuration 
#
# Need to know which ethX is external,
# and which is internal
####################
NET_INTERN=eth0
NET_EXTERN="ppp0"

# Delete the next two lines once you have set NET_INTERN and NET_EXTERN
echo "Du skal rette NET_INTERN og NET_EXTERN for at scriptet virker"
exit 1


#########################################
# First setup some of the kernel features
#########################################

# Disable forwarding - this is for a standalone system.
# (For masquerading, see below).
echo "0" >/proc/sys/net/ipv4/ip_forward

# Enable syn-cookies (syn-flooding attacks)
echo "1" >/proc/sys/net/ipv4/tcp_syncookies

# Disable ICMP echo-request to broadcast addresses (Smurf amplifier)
echo "1" >/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Shut off source-routing and enable IP spoof detection
# It seems that this must be done for all network interfaces
for f in /proc/sys/net/ipv4/conf/*; do
   # Drop all source-routed packets
   echo "0" >$f/accept_source_route 

   # Enable source-address verification (anti spoofing).
   echo "1" >$f/rp_filter
done


######################
# Setup IP firewalling
######################

# Default policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT

# Create a common chain for the INPUT and FORWARD handling
iptables -N block
iptables -F block

# Allow traffic on established connections
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow new connections if not from the outside
iptables -A block -m state --state NEW -i ! "$NET_EXTERN" -j ACCEPT

# Allow new connections to our public http service
# For home users there are normally none
#
# How to do this depends on whether the service is running on the
# firewall host itself, or on another system "behind" the firewall
# (on the internal LAN, or a separate network segment - so called DMZ).
#
# The following command is needed in both cases:
# iptables -A block -m state --protocol tcp --state NEW -i $NET_EXTERN --destination-port http -j ACCEPT
# If the service is running on another host (here: 192.168.11.22), you must 
# do "port forwarding" like this (no need for ipmasqadm anymore):
# iptables -t nat -A PREROUTING --protocol tcp -i $NET_EXTERN --destination-port http -j DNAT --to 192.168.11.22

# Block anything else
iptables -A block -j LOG

# Activate the new chain
iptables -A INPUT -j block
iptables -A FORWARD -j block


####################
# Setup Masquerading
####################


# Setup NAT for outgoing connections from the local network

### NB: This is disabled by default. If you want to use     ###
###     masquerading, just remove the "###" comment-markers ###
###     from the lines below.                               ###

###iptables -t nat -F POSTROUTING
###iptables -t nat -A POSTROUTING -o $NET_EXTERN -j MASQUERADE

#
# NB: On Red Hat systems, forwarding is controlled in /etc/sysctl.conf !
#     You need to set net.ipv4.ip_forward=1 in this file, or the
#     command below will have no effect.
#
###echo "1" >/proc/sys/net/ipv4/ip_forward
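To see what the rule set above actually does to a given packet, here is a small added model of the script's "block" chain and the INPUT/FORWARD default policies (example code written for this page, not part of the script). It assumes the script's NET_EXTERN=ppp0 and NET_INTERN=eth0, and the Packet fields are a constructed simplification of what iptables and conntrack inspect.

```python
from dataclasses import dataclass

NET_EXTERN = "ppp0"   # the script's external (Internet-facing) interface
NET_INTERN = "eth0"   # the script's internal interface

@dataclass(frozen=True)
class Packet:
    """Constructed packet summary: only the fields the rule set inspects."""
    iface: str            # interface the packet arrived on (iptables -i)
    state: str            # conntrack state: NEW, ESTABLISHED or RELATED
    proto: str = "tcp"
    dport: int = 0

def block_chain(pkt, public_http=False):
    """First-match walk of the script's 'block' chain.
    Returns (target, logged); target is None when the packet falls off the
    end of the chain. LOG is non-terminating, so it only sets 'logged'."""
    # iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
    if pkt.state in ("ESTABLISHED", "RELATED"):
        return "ACCEPT", False
    # iptables -A block -m state --state NEW -i ! "$NET_EXTERN" -j ACCEPT
    if pkt.state == "NEW" and pkt.iface != NET_EXTERN:
        return "ACCEPT", False
    # Optional rule from the script's comments, only if a public web server runs here:
    # iptables -A block -m state --protocol tcp --state NEW -i $NET_EXTERN --destination-port http -j ACCEPT
    if (public_http and pkt.state == "NEW" and pkt.proto == "tcp"
            and pkt.iface == NET_EXTERN and pkt.dport == 80):
        return "ACCEPT", False
    # iptables -A block -j LOG   (log the packet and keep going; nothing follows)
    return None, True

def verdict(pkt, chain="INPUT", public_http=False):
    """INPUT and FORWARD each jump to 'block'. If 'block' ends without a
    terminating target, the packet returns to the calling chain, which has
    no further rules, so the chain's default policy (DROP for both) decides."""
    policy = {"INPUT": "DROP", "FORWARD": "DROP"}[chain]
    target, logged = block_chain(pkt, public_http)
    return (target or policy), logged

if __name__ == "__main__":
    samples = [
        Packet(NET_EXTERN, "NEW", dport=22),          # inbound ssh attempt from the Internet
        Packet(NET_EXTERN, "ESTABLISHED", dport=40000),  # reply traffic to our own connection
        Packet(NET_EXTERN, "RELATED", dport=20),      # ftp data connection tracked by conntrack
        Packet(NET_INTERN, "NEW", dport=22),          # new connection from the LAN side
    ]
    for p in samples:
        print(p, "->", verdict(p))
```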


Last modified 2004-03-07, 21:25 CET. This page is maintained by Henrik Størner.