|
TwojePC.pl © 2001 - 2024
|
 |
A R C H I W A L N A W I A D O M O Ś Ć |
 |
| |
|
/Bogus flag probe test/ Co pare dni Zapora MKS_VIR'a wykrywa.. , coolman 1/04/07 17:23
..mi taki atak sieciowy. Podobno jest to sprawdzanie rodzaju systemu operacyjnego, martwic sie ?http://jet.blog.pl - CHECKFLAG , RusH 1/04/07 19:00
rasz@capek:~$ cat /etc/init.d/firewall
#################################################################################
#
# IPTABLES Firewall v 0.86
# by
#
# Small parts from http://members.optusnet.com.au/~technion/
# and some tutorials
#!/bin/sh
# This is the location of the iptables command
IPTABLES="/sbin/iptables"
case "$1" in
stop)
echo "Shutting down firewall..."
$IPTABLES -F
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -X -t mangle
$IPTABLES -X -t nat
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
echo "...done"
;;
status)
echo $"Table: filter"
iptables --list
echo $"Table: nat"
iptables -t nat --list
echo $"Table: mangle"
iptables -t mangle --list
;;
restart|reload)
$0 stop
$0 start
;;
start)
echo "Starting Firewall..."
echo ""
##--------------------------Begin Firewall---------------------------------##
#----Default-Interfaces-----#
## Default external interface (used, if EXTIF isn't specified on command line)
#DEFAULT_EXTIF="ppp0"
## Default internal interface (used, if INTIF isn't specified on command line)
#DEFAULT_INTIF="eth0"
#----Special Variables-----#
# IP Mask for all IP addresses
UNIVERSE="0.0.0.0/0"
# Specification of the high unprivileged IP ports.
UNPRIVPORTS="1024:65535"
# Specification of X Window System (TCP) ports.
#XWINPORTS="6000:6063"
# Ports for IRC-Connection-Tracking
#IRCPORTS="6665,6666,6667,6668,6669,7000"
#-----Port-Forwarding Variables-----#
#For port-forwarding to an internal host, define a variable with the appropriate
#internal IP-Address here and take a look at the port-forwarding sections in the FORWARD +
#PREROUTING-chain:
#These are examples, uncomment to activate
#IP for forwarded Battlecom-traffic
#BATTLECOMIP="192.168.0.5"
#IP for forwarded HTTP-traffic
#HTTPIP="192.168.0.20"
#----Flood Variables-----#
# Overall Limit for TCP-SYN-Flood detection
TCPSYNLIMIT="5/s"
# Burst Limit for TCP-SYN-Flood detection
TCPSYNLIMITBURST="10"
# Overall Limit for Loggging in Logging-Chains
#LOGLIMIT="2/s"
# Burst Limit for Logging in Logging-Chains
#LOGLIMITBURST="10"
# Overall Limit for Ping-Flood-Detection
PINGLIMIT="5/s"
# Burst Limit for Ping-Flood-Detection
PINGLIMITBURST="10"
#----Automatically determine infos about involved interfaces-----#
### External Interface:
EXTIF="eth0"
#----Load IPTABLES-modules-----#
#Insert modules- should be done automatically if needed
#If the IRC-modules are available, uncomment them below
echo "Loading IPTABLES modules"
dmesg -n 1 #Kill copyright display on module load
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
dmesg -n 6
echo " --- "
#----Clear/Reset all chains-----#
#Clear all IPTABLES-chains
#Flush everything, start from scratch
$IPTABLES -F
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -X -t mangle
$IPTABLES -X -t nat
#Set default policies to DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP
#----Set network sysctl options-----#
echo "Setting sysctl options"
#Enable forwarding in kernel
#echo 1 > /proc/sys/net/ipv4/ip_forward
#Disabling IP Spoofing attacks.
echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter
#Don't respond to broadcast pings (Smurf-Amplifier-Protection)
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#Block source routing
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
#Kill timestamps
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
#Enable SYN Cookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
#Kill redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
#Enable bad error message protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
#Log martians (packets with impossible addresses)
#echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
#Set out local port range
echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range
#Reduce DoS'ing ability by reducing timeouts
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack
echo " --- "
echo "Creating user-chains"
#log
$IPTABLES -N Loog
# $IPTABLES -A Loog -j LOG --log-prefix "fp=loog:1 a=DROP "
$IPTABLES -A Loog -j DROP
#Logging of possible TCP-SYN-Floods
$IPTABLES -N LSYNFLOOD
# $IPTABLES -A LSYNFLOOD -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=SYNFLOOD:1 a=DROP "
$IPTABLES -A LSYNFLOOD -j DROP
#Logging of possible Ping-Floods
$IPTABLES -N LPINGFLOOD
# $IPTABLES -A LPINGFLOOD -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=PINGFLOOD:1 a=DROP "
$IPTABLES -A LPINGFLOOD -j DROP
#TCP-Packets with one ore more bad flags
$IPTABLES -N LBADFLAG
# $IPTABLES -A LBADFLAG -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=BADFLAG:1 a=DROP "
$IPTABLES -A LBADFLAG -j DROP
#----Create Accept-Chains-----#
#TCPACCEPT - Check for SYN-Floods before letting TCP-Packets in
$IPTABLES -N TCPACCEPT
$IPTABLES -A TCPACCEPT -p tcp --syn -m limit --limit $TCPSYNLIMIT --limit-burst $TCPSYNLIMITBURST -j ACCEPT
$IPTABLES -A TCPACCEPT -p tcp --syn -j LSYNFLOOD
$IPTABLES -A TCPACCEPT -p tcp ! --syn -j ACCEPT
#----Create special User-Chains-----#
#CHECKFLAG - Kill any Inbound/Outbound TCP-Packets with impossible flag-combinations (Some port-scanners use these, eg. nmap Xmas,Null,etc.-scan)
$IPTABLES -N CHECKFLAG
$IPTABLES -A CHECKFLAG -p tcp --tcp-flags ALL FIN,URG,PSH -j LBADFLAG
$IPTABLES -A CHECKFLAG -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LBADFLAG
$IPTABLES -A CHECKFLAG -p tcp --tcp-flags ALL ALL -j LBADFLAG
$IPTABLES -A CHECKFLAG -p tcp --tcp-flags ALL NONE -j LBADFLAG
$IPTABLES -A CHECKFLAG -p tcp --tcp-flags SYN,RST SYN,RST -j LBADFLAG
$IPTABLES -A CHECKFLAG -p tcp --tcp-flags SYN,FIN SYN,FIN -j LBADFLAG
#ICMP/TRACEROUTE FILTERING
#Inbound ICMP/Traceroute
$IPTABLES -N ICMP_IN
#Ping Flood protection. Accept $PINGLIMIT echo-requests/sec, rest will be logged/dropped
$IPTABLES -A ICMP_IN -p icmp --icmp-type echo-request -m limit --limit $PINGLIMIT --limit-burst $PINGLIMITBURST -j ACCEPT
$IPTABLES -A ICMP_IN -p icmp --icmp-type echo-request -j DROP
#Block ICMP-address-mask (can help to prevent OS-fingerprinting)
$IPTABLES -A ICMP_IN -p icmp --icmp-type address-mask-request -j DROP
$IPTABLES -A ICMP_IN -p icmp --icmp-type address-mask-reply -j DROP
#Allow all other ICMP in
$IPTABLES -A ICMP_IN -p icmp -j ACCEPT
#----End User-Chains-----#
echo " --- "
#----Start Ruleset-----#
echo "Implementing firewall rules..."
#################
## INPUT-Chain ## (everything that is addressed to the firewall itself)
#################
##GENERAL Filtering
# Kill INVALID packets (not ESTABLISHED, RELATED or NEW)
$IPTABLES -A INPUT -m state --state INVALID -j DROP
# Check TCP-Packets for Bad Flags
$IPTABLES -A INPUT -p tcp -j CHECKFLAG
$IPTABLES -A INPUT -d 255.255.255.255/0.0.0.255 -j DROP
$IPTABLES -A INPUT -d 224.0.0.1 -j DROP
##Packets FROM FIREWALL-BOX ITSELF
#Local IF
$IPTABLES -A INPUT -i lo -j ACCEPT
##Packets FROM EXTERNAL NET
##ICMP & Traceroute filtering
#Filter ICMP
$IPTABLES -A INPUT -i $EXTIF -p icmp -j ICMP_IN
##Public services running ON FIREWALL-BOX (comment out to activate):
# ftp-data
#$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 20 -j TCPACCEPT
# ftp
#$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 21 -j TCPACCEPT
# ssh
#$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 22 -j TCPACCEPT
#telnet
#$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 23 -j TCPACCEPT
# smtp
#$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 25 -j TCPACCEPT
# torrent
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 31618 -j TCPACCEPT
$IPTABLES -A INPUT -i $EXTIF -p udp --dport 31618 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 4662 -j TCPACCEPT
$IPTABLES -A INPUT -i $EXTIF -p udp --dport 4662 -j ACCEPT
# http
#$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 80 -j TCPACCEPT
# https
#$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 443 -j TCPACCEPT
# POP-3
#$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 110 -j TCPACCEPT
##Allow ESTABLISHED/RELATED connections in
$IPTABLES -A INPUT -i $EXTIF -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport $UNPRIVPORTS -m state --state RELATED -j TCPACCEPT
$IPTABLES -A INPUT -i $EXTIF -p udp --dport $UNPRIVPORTS -m state --state RELATED -j ACCEPT
##Catch all rule
$IPTABLES -A INPUT -j DROP
#------End Ruleset------#
echo "...done"
echo ""
echo "--> IPTABLES firewall loaded/activated <--"
##--------------------------------End Firewall---------------------------------##
;;
*)
echo "Usage: firewall (start|stop|restart|status) EXTIF INTIF"
exit 1
esac
exit 0
lancuch CHECKFLAG, dzinnie jakies 10 hitow, mozesz tego swojego MKSa zasadzic w rowek osoby, ktora go kupila do firmy, bo ZMNIEJSZA produktywnosc celem szerzenia FUD i promowania sie jako zbawiciela w oczach (l)uzerow.I fix shit
http://raszpl.blogspot.com/ - _______ , coolman 3/04/07 00:48
eeeeeee :| o co chodzi ?! Co to za prog..mozesz jasniej pisac ? Panowie o co mu chodzi ? :Dhttp://jet.blog.pl - no wlasnie o to chodzi , RusH 3/04/07 01:28
ze jak nie masz pojecia to placisz za mks vira .. i nadal nie masz pojecia, ale jestes biedniejszyI fix shit
http://raszpl.blogspot.com/
|
|
|
|
 |
All rights reserved ® Copyright and Design 2001-2024, TwojePC.PL |
 |
|
|
|
