7.10. A Sample Firewall Configuration
We've discussed the fundamentals of firewall configuration. Let's now look at an easily customizable firewall configuration. In this example, the network 172.16.1.0/24 is treated as if it were a publicly routable network, but it is actually a private, non-routable network. We are using such a non-routable network in this example because we have to use some network, and we don't want to put a real publicly routable network number here. The commands shown would work for a real class C publicly routable network.
#!/bin/bash
##########################################################################
# This sample configuration is for a single host firewall configuration
# with no services supported by the firewall host itself.
##########################################################################
#
# USER CONFIGURABLE SECTION (Lists are comma-separated)
#
# OURNET Internal network address space
# OURBCAST Internal network broadcast address
# OURDEV Internal network interface name
#
# ANYADDR External network address space
# EXTDEV External network interface name
#
# TCPIN List of TCP ports to allow in (empty = all)
# TCPOUT List of TCP ports to allow out (empty = all)
#
# UDPIN List of UDP ports to allow in (empty = all)
# UDPOUT List of UDP ports to allow out (empty = all)
#
# LOGGING Set to 1 to turn logging on, else leave empty
#
###########################################################################
OURNET="172.29.16.0/24"
OURBCAST="172.29.16.255"
OURDEV="eth0"
ANYADDR="0/0"
EXTDEV="eth1"
TCPIN="smtp,www"
TCPOUT="smtp,www,ftp,ftp-data,irc"
UDPIN="domain"
UDPOUT="domain"
LOGGING=
###########################################################################
#
# IMPLEMENTATION
#
###########################################################################
#
# Install the modules
#
modprobe ip_tables
modprobe ip_conntrack # Means we won't have to deal with fragments
                      # (the module is named nf_conntrack on current kernels)
#
# Drop all packets destined for this host received from outside.
#
iptables -A INPUT -i $EXTDEV -j DROP
#
# Remove all rules on the FORWARD chain of the filter table, and set the
# policy for that chain to DROP.
#
iptables -F FORWARD # Delete rules
iptables -P FORWARD DROP # Policy = DROP
iptables -A FORWARD -s $OURNET -i $EXTDEV -j DROP # Anti-spoof
iptables -A FORWARD -p icmp -i $EXTDEV -d $OURBCAST -j DROP # Anti-Smurf
#
# TCP - ESTABLISHED CONNECTIONS
#
# We will accept all TCP packets belonging to an existing connection
# (i.e. anything that is not a connection request: "! --syn" matches the
# SYN/ACK of the handshake as well as plain ACK, FIN and RST packets) for
# the TCP ports we're allowing through, in both directions. A test of
# "--tcp-flags SYN,ACK ACK" would not do here, because it rejects the
# SYN/ACK reply (SYN is set) and the handshake never completes.
# This should catch more than 95 % of all valid TCP packets.
#
# Inbound connections to our servers on the TCPIN ports
iptables -A FORWARD -d $OURNET -p tcp ! --syn -m multiport --dports $TCPIN -j ACCEPT
iptables -A FORWARD -s $OURNET -p tcp ! --syn -m multiport --sports $TCPIN -j ACCEPT
# Outbound connections from our hosts to the TCPOUT ports
iptables -A FORWARD -d $OURNET -p tcp ! --syn -m multiport --sports $TCPOUT -j ACCEPT
iptables -A FORWARD -s $OURNET -p tcp ! --syn -m multiport --dports $TCPOUT -j ACCEPT
#
# TCP - NEW INCOMING CONNECTIONS
#
# We will accept connection requests from the outside only on the
# allowed TCP ports. Match on the destination port: the source port of
# a connection request is an ephemeral port chosen by the client.
#
iptables -A FORWARD -i $EXTDEV -d $OURNET -p tcp --syn -m multiport --dports $TCPIN -j ACCEPT
#
# TCP - NEW OUTGOING CONNECTIONS
#
# We will accept all outgoing TCP connection requests on the allowed
# TCP ports.
#
iptables -A FORWARD -i $OURDEV -d $ANYADDR -p tcp --syn -m multiport --dports $TCPOUT -j ACCEPT
#
# UDP - INCOMING
#
# We will allow UDP packets in on the allowed ports and back. The
# replies leave our network, so they arrive on the internal interface.
#
iptables -A FORWARD -i $EXTDEV -d $OURNET -p udp -m multiport --dports $UDPIN -j ACCEPT
iptables -A FORWARD -i $OURDEV -s $OURNET -p udp -m multiport --sports $UDPIN -j ACCEPT
#
# UDP - OUTGOING
#
# We will allow UDP packets out to the allowed ports and back. The
# replies come from outside, so they arrive on the external interface.
#
iptables -A FORWARD -i $OURDEV -d $ANYADDR -p udp -m multiport --dports $UDPOUT -j ACCEPT
iptables -A FORWARD -i $EXTDEV -d $OURNET -p udp -m multiport --sports $UDPOUT -j ACCEPT
#
# DEFAULT and LOGGING
#
# All remaining packets fall through to the default
# rule and are dropped. They will be logged if you've
# configured the LOGGING variable above.
#
if [ "$LOGGING" ]
then
iptables -A FORWARD -p tcp -j LOG # Log barred TCP
iptables -A FORWARD -p udp -j LOG # Log barred UDP
iptables -A FORWARD -p icmp -j LOG # Log barred ICMP
fi
In many simple situations, to use the sample, all you have to do is edit the top section of the file labeled "USER CONFIGURABLE SECTION" to specify which protocols and packet types you wish to allow in and out. For more complex configurations, you will need to edit the section at the bottom as well. Remember, this is a simple example, so scrutinize it very carefully to ensure it does what you want while implementing it.
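The sample above approximates "packets of an existing connection" with TCP flag tests and mirrored source/destination port rules, one pair per direction. Since the script already loads the connection tracker, the same policy can be stated with a single ESTABLISHED,RELATED rule, which also admits replies to outbound connections and ICMP errors without opening port ranges. The script below is an added example, not the book's script; it keeps the sample's variables and its anti-spoof and anti-Smurf rules, and assumes a kernel with nf_conntrack and the iptables "conntrack" match. IPT and APPLY are this example's own knobs: IPT="echo iptables" previews the rules on any machine, APPLY=1 loads them.

```shell
#!/bin/bash
# Added example (not the book's script): the sample's FORWARD policy rebuilt
# on connection tracking. Assumes nf_conntrack and the "conntrack" match.
# IPT and APPLY are this example's own knobs, not iptables options.
set -u

OURNET="${OURNET:-172.29.16.0/24}"     # internal network (values reused from the sample)
OURBCAST="${OURBCAST:-172.29.16.255}"  # internal broadcast address
OURDEV="${OURDEV:-eth0}"               # internal interface
EXTDEV="${EXTDEV:-eth1}"               # external interface
TCPIN="${TCPIN:-smtp,www}"             # TCP services reachable from outside
TCPOUT="${TCPOUT:-smtp,www,ftp,ftp-data,irc}"  # TCP services our hosts may reach
UDPIN="${UDPIN:-domain}"
UDPOUT="${UDPOUT:-domain}"
LOGGING="${LOGGING:-}"                 # non-empty = log dropped packets
IPT="${IPT:-iptables}"                 # set to "echo iptables" for a dry run

build_forward_rules() {
    $IPT -F FORWARD
    $IPT -P FORWARD DROP

    # Anti-spoof and anti-Smurf, as in the sample. They come first so a
    # forged "internal" source address is never accepted as part of a session.
    $IPT -A FORWARD -i "$EXTDEV" -s "$OURNET" -j DROP
    $IPT -A FORWARD -i "$EXTDEV" -p icmp -d "$OURBCAST" -j DROP

    # Anything that belongs to a session we already accepted, or is related
    # to one (ICMP errors; ftp-data when the ftp helper is loaded), in either
    # direction. This replaces the sample's ! --syn and --sports rules.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Packets the tracker cannot place (stray ACKs, bad sequence numbers)
    # must not fall through to the NEW rules below.
    $IPT -A FORWARD -m conntrack --ctstate INVALID -j DROP

    # Only new connections are left to police. They are matched on the
    # destination port; the client's source port is an ephemeral port.
    $IPT -A FORWARD -i "$EXTDEV" -o "$OURDEV" -d "$OURNET" -p tcp --syn \
         -m conntrack --ctstate NEW -m multiport --dports "$TCPIN" -j ACCEPT
    $IPT -A FORWARD -i "$OURDEV" -o "$EXTDEV" -s "$OURNET" -p tcp --syn \
         -m conntrack --ctstate NEW -m multiport --dports "$TCPOUT" -j ACCEPT
    $IPT -A FORWARD -i "$EXTDEV" -o "$OURDEV" -d "$OURNET" -p udp \
         -m conntrack --ctstate NEW -m multiport --dports "$UDPIN" -j ACCEPT
    $IPT -A FORWARD -i "$OURDEV" -o "$EXTDEV" -s "$OURNET" -p udp \
         -m conntrack --ctstate NEW -m multiport --dports "$UDPOUT" -j ACCEPT

    # Everything else falls through to the DROP policy. The log is rate
    # limited so a flood of rejected packets cannot fill the disk.
    if [ -n "$LOGGING" ]; then
        $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
    fi
}

# Dry-run check: how many "-A FORWARD" rules the current settings produce.
count_forward_rules() {
    IPT="echo iptables" build_forward_rules | grep -c '^iptables -A FORWARD'
}

if [ -n "${APPLY:-}" ]; then
    build_forward_rules
fi
```

Preview the rule set with `IPT="echo iptables" APPLY=1 sh fw.sh` before loading it, and after loading check it with `iptables -S FORWARD` (or `iptables -L FORWARD -v -n` to watch the packet counters move). With this layout the "and back" half of every protocol is handled by the tracker, so adding a service means adding one port to a list. Active FTP still needs the nf_conntrack_ftp helper module loaded for the data connection to count as RELATED; without it, the ftp-data entry in TCPOUT does nothing useful.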