Linux Firewalls: Attack Detection and Response--Chapter 1: Care and Feeding of iptables
来源:互联网 发布:数据平台运营管理办法 编辑:程序博客网 时间:2024/06/05 17:24
引用:http://www.cipherdyne.org/LinuxFirewalls/
Chapter 1: Care and Feeding of iptables
Chapter 1 provides an introduction to packet filtering with iptables, including kernel build specifics and iptables administration. A default policy and network diagram is provided in this chapter and is referenced throughout the book. The Linux machine that runs the default policy functions as the firewall for a local area network (LAN), and attacks against this system are illustrated in later chapters.Here is a script that builds the default iptables policy used throughout the book. This script is meant to be executed on the iptables firewall system in the following diagram, and you can modify this script to your liking for your own systems (the script is displayed below for reference as well).
#!/bin/sh################################################################################ File: iptables.sh## Purpose: To build a basic iptables policy with default log and drop rules.# This script was written for the book "Linux Firewalls: Attack# Detection and Response" published by No Starch Press.## Copyright (C) 2006-2012 Michael Rash (mbr@cipherdyne.org)## License (GNU Public License):## This program is distributed in the hope that it will be useful,# but WITHOUT ANY WARRANTY; without even the implied warranty of# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the# GNU General Public License for more details.## You should have received a copy of the GNU General Public License# along with this program; if not, write to the Free Software# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307# USA################################################################################IPTABLES=/sbin/iptablesIP6TABLES=/sbin/ip6tablesMODPROBE=/sbin/modprobeINT_NET=192.168.10.0/24INT_INTF=eth1EXT_INTF=eth0### flush existing rules and set chain policy setting to DROPecho "[+] Flushing existing iptables rules..."$IPTABLES -F$IPTABLES -F -t nat$IPTABLES -X$IPTABLES -P INPUT DROP$IPTABLES -P OUTPUT DROP$IPTABLES -P FORWARD DROP### this policy does not handle IPv6 traffic except to drop it.#echo "[+] Disabling IPv6 traffic..."$IP6TABLES -P INPUT DROP$IP6TABLES -P OUTPUT DROP$IP6TABLES -P FORWARD DROP### load connection-tracking modules#$MODPROBE ip_conntrack$MODPROBE iptable_nat$MODPROBE ip_conntrack_ftp$MODPROBE ip_nat_ftp###### INPUT chain #######echo "[+] Setting up INPUT chain..."### state tracking rules$IPTABLES -A INPUT -m conntrack --ctstate INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options$IPTABLES -A INPUT -m conntrack --ctstate INVALID -j DROP$IPTABLES -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT### anti-spoofing rules$IPTABLES -A INPUT -i $INT_INTF ! -s $INT_NET -j LOG --log-prefix "SPOOFED PKT "$IPTABLES -A INPUT -i $INT_INTF ! -s $INT_NET -j DROP### ACCEPT rules$IPTABLES -A INPUT -i $INT_INTF -p tcp -s $INT_NET --dport 22 -m conntrack --ctstate NEW -j ACCEPT$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT### default INPUT LOG rule$IPTABLES -A INPUT ! -i lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options### make sure that loopback traffic is accepted$IPTABLES -A INPUT -i lo -j ACCEPT###### OUTPUT chain #######echo "[+] Setting up OUTPUT chain..."### state tracking rules$IPTABLES -A OUTPUT -m conntrack --ctstate INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options$IPTABLES -A OUTPUT -m conntrack --ctstate INVALID -j DROP$IPTABLES -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT### ACCEPT rules for allowing connections out$IPTABLES -A OUTPUT -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT$IPTABLES -A OUTPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT$IPTABLES -A OUTPUT -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT$IPTABLES -A OUTPUT -p tcp --dport 43 -m conntrack --ctstate NEW -j ACCEPT$IPTABLES -A OUTPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT$IPTABLES -A OUTPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT$IPTABLES -A OUTPUT -p tcp --dport 4321 -m conntrack --ctstate NEW -j ACCEPT$IPTABLES -A OUTPUT -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT$IPTABLES -A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT$IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT### default OUTPUT LOG rule$IPTABLES -A OUTPUT ! -o lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options### make sure that loopback traffic is accepted$IPTABLES -A OUTPUT -o lo -j ACCEPT###### FORWARD chain #######echo "[+] Setting up FORWARD chain..."### state tracking rules$IPTABLES -A FORWARD -m conntrack --ctstate INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options$IPTABLES -A FORWARD -m conntrack --ctstate INVALID -j DROP$IPTABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT### anti-spoofing rules$IPTABLES -A FORWARD -i $INT_INTF ! -s $INT_NET -j LOG --log-prefix "SPOOFED PKT "$IPTABLES -A FORWARD -i $INT_INTF ! -s $INT_NET -j DROP### ACCEPT rules$IPTABLES -A FORWARD -p tcp -i $INT_INTF -s $INT_NET --dport 21 -m conntrack --ctstate NEW -j ACCEPT$IPTABLES -A FORWARD -p tcp -i $INT_INTF -s $INT_NET --dport 22 -m conntrack --ctstate NEW -j ACCEPT$IPTABLES -A FORWARD -p tcp -i $INT_INTF -s $INT_NET --dport 25 -m conntrack --ctstate NEW -j ACCEPT$IPTABLES -A FORWARD -p tcp -i $INT_INTF -s $INT_NET --dport 43 -m conntrack --ctstate NEW -j ACCEPT$IPTABLES -A FORWARD -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT$IPTABLES -A FORWARD -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT$IPTABLES -A FORWARD -p tcp -i $INT_INTF -s $INT_NET --dport 4321 -m conntrack --ctstate NEW -j ACCEPT$IPTABLES -A FORWARD -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT$IPTABLES -A FORWARD -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT$IPTABLES -A FORWARD -p icmp --icmp-type echo-request -j ACCEPT### default LOG rule$IPTABLES -A FORWARD ! -i lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options###### NAT rules #######echo "[+] Setting up NAT rules..."$IPTABLES -t nat -A PREROUTING -p tcp --dport 80 -i $EXT_INTF -j DNAT --to 192.168.10.3:80$IPTABLES -t nat -A PREROUTING -p tcp --dport 443 -i $EXT_INTF -j DNAT --to 192.168.10.3:443$IPTABLES -t nat -A PREROUTING -p udp --dport 53 -i $EXT_INTF -j DNAT --to 192.168.10.4:53$IPTABLES -t nat -A POSTROUTING -s $INT_NET -o $EXT_INTF -j MASQUERADE###### forwarding #######echo "[+] Enabling IP forwarding..."echo 1 > /proc/sys/net/ipv4/ip_forwardexit### EOF ###
- Linux Firewalls: Attack Detection and Response--Chapter 1: Care and Feeding of iptables
- Linux Firewalls: Attack Detection and Response with iptables, psad, and fwsnort [ILLUSTRATED]
- On The Care and Handling of Cookies
- Linux Firewalls Using iptables
- Characterization and Measurement of TCP Traversal through NATs and Firewalls
- Oracle and Firewalls
- Firewalls and NAT Interaction
- Server-Side XSS Attack Detection with ModSecurity and PhantomJS
- c and pointer care
- Chapter 1 The Breadth and Depth of DSP
- Histogram of Oriented Gradients and Object Detection
- Detection and Analysis of Candlestick Patterns
- Resource of Character Detection and Recognition
- [Cloud Computing]Mechanisms: Endpoint Threat Detection and Response
- Designing and Implementing Linux Firewalls with QoS using netfilter, iproute2, NAT and l7-filter
- SQL Injection: Modes of Attack, Defence, and Why It Matters
- Internet Denial of Service: Attack and Defense Mechanisms
- Scenario and Attack Graphs
- 各类排序算法
- Android APP功能测试检测点总结
- metasploit运行run vnc
- String,StringBuffer与StringBuilder的区别
- svn使用说明详解
- Linux Firewalls: Attack Detection and Response--Chapter 1: Care and Feeding of iptables
- 音视频开发平台所支持的开发语言
- 我的Android进阶之旅------>Android常用计量单位(Dimension)的介绍(px,in,mm,pt,dp,dip,sp)
- 271895
- Win2003计数器日志自动存入SQL数据库
- Lua: Error during loading: [string "/usr/share/wireshark/init.lua"]:45: dofile has been disabled
- Chrome源代码分析之线程模型(十一)
- STM32学习篇(转)
- hdu 3068