
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA 02111-1307 USA
#
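###########
# Configuration options, these will speed you up getting this script to
# work with your own setup.
#
# Your LAN's IP range and localhost IP. /24 means to only use the first 24
# bits of the 32 bit IP address, the same as netmask 255.255.255.0.
#
# STATIC_IP is used by me to allow myself to do anything to myself, might
# be a security risk but sometimes I want this. If you don't have a static
# IP, I suggest not using this option at all for now but it's still
# enabled per default and will add some really nifty security bugs for all
# those who skip reading the documentation=)
#
# NOTE(review): STATIC_IP is described above but no assignment for it is
# visible in this part of the script; confirm where it is set before
# relying on any rule that uses it.
#
# Every address and interface below is an example value and must be
# replaced with the ones of your own setup before the script is run;
# the SNAT, DNAT and anti-spoofing rules further down are built from them.
#
# LAN side (private network, hosts behind the firewall)
LAN_IP="192.168.0.2"
LAN_BCAST_ADRESS="192.168.0.255"
LAN_IFACE="eth1"
# Internet side: the firewall's own public address plus the public
# addresses that are forwarded (DNAT) into the DMZ
INET_IP="194.236.50.152"
INET_IFACE="eth0"
HTTP_IP="194.236.50.153"
DNS_IP="194.236.50.154"
# DMZ side: the real servers the public HTTP/DNS addresses map onto
DMZ_HTTP_IP="192.168.1.2"
DMZ_DNS_IP="192.168.1.3"
DMZ_IP="192.168.1.1"
DMZ_IFACE="eth2"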
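LO_IP="127.0.0.1"
LO_IFACE="lo"
# Full path so the script does not depend on PATH when run from init.
IPTABLES="/usr/local/sbin/iptables"
###########################################
#
# Load all required IPTables modules
#
#
# Needed to initially load modules
#
/sbin/depmod -a
#
# Adds some iptables targets like LOG, REJECT and MASQUERADE.
#
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_MASQUERADE
#
# Support for connection tracking of FTP and IRC.
#
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
###########################################
#
# Chain Policies get set up before any bad packets get through.
#
# The policies are set BEFORE IP forwarding is switched on below: with the
# kernel's default FORWARD policy of ACCEPT, turning forwarding on first
# would route everything unfiltered until these three lines have run.
#
"$IPTABLES" -P INPUT DROP
"$IPTABLES" -P OUTPUT DROP
"$IPTABLES" -P FORWARD DROP
#
# CRITICAL: Enable IP forwarding since it is disabled by default.
#
echo "1" > /proc/sys/net/ipv4/ip_forward
#
# Dynamic IP users:
#
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr
#
# The allowed chain for TCP connections, utilized in the FORWARD chain.
# A new connection is accepted only as a proper SYN, packets belonging to
# a connection already known to the state tracker are accepted, and
# everything else TCP is dropped. Which destinations and ports reach this
# chain is decided by the FORWARD rules that jump here, which are not in
# this part of the script.
#
"$IPTABLES" -N allowed
"$IPTABLES" -A allowed -p TCP --syn -j ACCEPT
"$IPTABLES" -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -A allowed -p TCP -j DROP
#
# ICMP rules, utilized in the FORWARD chain
#
"$IPTABLES" -N icmp_packets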
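# Changed rules totally
#
# Only echo-request (type 8) and time-exceeded (type 11) are let through;
# the rules are written against ICMP type numbers.
#
"$IPTABLES" -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
"$IPTABLES" -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
#
# bad_tcp_packets chain
#
# Take care of bad TCP packets that we don't want.
#
"$IPTABLES" -N bad_tcp_packets
#
# A packet in state NEW that is not a SYN is either a stray from a
# connection that predates the firewall or a probe; log it, then drop it.
# The LOG rule has no rate limit, so a burst of such packets goes straight
# to the log; adding an "-m limit" match in front of -j LOG keeps the log
# usable under a flood.
#
"$IPTABLES" -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
  --log-prefix "New not syn:"
"$IPTABLES" -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
#
# Do some checks for obviously spoofed IPs
#
# Private (RFC 1918) and loopback source addresses must never arrive on the
# Internet interface. NOTE(review): these rules live in a chain whose other
# rules match "-p tcp"; whether non-TCP traffic ever passes through it
# depends on the INPUT/FORWARD rules that jump here, which are not in this
# part of the script.
#
"$IPTABLES" -A bad_tcp_packets -i "$INET_IFACE" -s 192.168.0.0/16 -j DROP
"$IPTABLES" -A bad_tcp_packets -i "$INET_IFACE" -s 10.0.0.0/8 -j DROP
"$IPTABLES" -A bad_tcp_packets -i "$INET_IFACE" -s 172.16.0.0/12 -j DROP
"$IPTABLES" -A bad_tcp_packets -i "$INET_IFACE" -s 127.0.0.0/8 -j DROP
###########################################
# POSTROUTING chain in the nat table
#
# Enable IP SNAT for all internal networks trying to get out on the Internet.
# There is no -s restriction: everything leaving on INET_IFACE is rewritten
# to INET_IP, so DMZ hosts are masked behind it as well.
#
"$IPTABLES" -t nat -A POSTROUTING -o "$INET_IFACE" -j SNAT --to-source "$INET_IP"
###########################################
# PREROUTING chain in the nat table
#
# Enable IP Destination NAT for DMZ zone: the public HTTP and DNS addresses
# are mapped onto the DMZ hosts. DNAT only rewrites the destination; the
# FORWARD rules (not in this part of the script) still decide whether the
# rewritten packets are let through.
#
"$IPTABLES" -t nat -A PREROUTING -p TCP -i "$INET_IFACE" -d "$HTTP_IP" --dport 80 \
  -j DNAT --to-destination "$DMZ_HTTP_IP"
"$IPTABLES" -t nat -A PREROUTING -p TCP -i "$INET_IFACE" -d "$DNS_IP" --dport 53 \
  -j DNAT --to-destination "$DMZ_DNS_IP"
"$IPTABLES" -t nat -A PREROUTING -p UDP -i "$INET_IFACE" -d "$DNS_IP" --dport 53 \
  -j DNAT --to-destination "$DMZ_DNS_IP"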
