6 мая 2019

Базовый firewall (iptables)

Денис Забияко
# iptables -L

Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere udp dpt:bootpc
DROP icmp -- anywhere 100.80.245.182 icmp echo-request
ACCEPT 2 -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
DROP tcp -- anywhere anywhere tcp dpt:telnet
DROP tcp -- anywhere anywhere tcp dpt:domain

Chain FORWARD (policy DROP)
target prot opt source destination
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
ACCEPT udp -- anywhere anywhere udp spt:l2tp
ACCEPT udp -- anywhere anywhere udp dpt:l2tp
ACCEPT tcp -- anywhere anywhere tcp dpt:1723
ACCEPT tcp -- anywhere anywhere tcp spt:1723
ACCEPT 47 -- anywhere anywhere
ACCEPT udp -- anywhere base-address.mcast.net/4 udp
ACCEPT all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp dpt:isakmp
ACCEPT udp -- anywhere base-address.mcast.net/4 udp
ACCEPT esp -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
MINIUPNPD all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spt:ssh

Chain MINIUPNPD (1 references)
target prot opt source destination
#

# iptables -S
# Ruleset as printed by `iptables -S` (filter table). Lines beginning with
# `#` are annotations only; every rule line is left exactly as printed.
#
# Default policies: anything not matched by a rule below is dropped on
# INPUT and FORWARD, while locally generated traffic is allowed out.
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
# User chain referenced at the end of FORWARD. It has no rules in the
# `iptables -L` listing above, so the jump currently matches nothing;
# presumably miniupnpd populates it at runtime -- confirm.
-N MINIUPNPD
# SSH: this rule has no `-i` match, so new connections are accepted on
# every interface, unlike the other INPUT rules, which are bound to an
# interface. eth1 looks like the uplink (it carries the DHCP-client and
# public-address rules below) -- confirm; if SSH is meant to be reachable
# only from the LAN, restrict this rule with `-i br0` (or `! -i eth1`).
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# Replies to connections this host initiated.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# DHCP client replies (udp/68, "bootpc") on the uplink.
-A INPUT -i eth1 -p udp -m udp --dport 68 -j ACCEPT
# Do not answer ICMP echo-request (type 8) sent to this host's eth1
# address. The INPUT policy would drop it anyway; the explicit rule mainly
# documents the intent and gives a separate counter.
-A INPUT -d 100.80.245.182/32 -i eth1 -p icmp -m icmp --icmp-type 8 -j DROP
# IP protocol 2 = IGMP (multicast group management) on the uplink.
-A INPUT -i eth1 -p 2 -j ACCEPT
# Everything arriving on the LAN bridge and on loopback is trusted.
-A INPUT -i br0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Explicit drops for telnet (tcp/23) and DNS (tcp/53) on the uplink.
# Nothing above accepts these ports on eth1 and the chain policy is DROP,
# so they change nothing in effect; they only make the intent visible and
# count the attempts separately.
-A INPUT -i eth1 -p tcp -m tcp --dport 23 -j DROP
-A INPUT -i eth1 -p tcp -m tcp --dport 53 -j DROP
# Clamp the MSS of forwarded SYNs to the path MTU, commonly needed when the
# uplink has a reduced MTU.
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# VPN passthrough: L2TP (udp/1701), PPTP control (tcp/1723) and GRE
# (IP protocol 47). None of these carry `-i`/`-o`, so they are forwarded
# in both directions on all interfaces; narrow them to the intended
# direction if only one is needed.
-A FORWARD -p udp -m udp --sport 1701 -j ACCEPT
-A FORWARD -p udp -m udp --dport 1701 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 1723 -j ACCEPT
-A FORWARD -p tcp -m tcp --sport 1723 -j ACCEPT
-A FORWARD -p 47 -j ACCEPT
# UDP multicast (224.0.0.0/4) arriving on the uplink. The identical rule
# appears a second time below; one of the two can be removed.
-A FORWARD -d 224.0.0.0/4 -i eth1 -p udp -m udp -j ACCEPT
# All traffic from the LAN bridge may be forwarded (outbound LAN access).
-A FORWARD -i br0 -j ACCEPT
# IPsec from the uplink into the LAN: IKE (udp/500, "isakmp").
-A FORWARD -i eth1 -o br0 -p udp -m udp --dport 500 -j ACCEPT
# Exact duplicate of the multicast rule above.
-A FORWARD -d 224.0.0.0/4 -i eth1 -p udp -m udp -j ACCEPT
# IPsec from the uplink into the LAN: ESP payload.
-A FORWARD -i eth1 -o br0 -p esp -j ACCEPT
# Return traffic for forwarded connections entering from the uplink.
-A FORWARD -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Whatever enters from the uplink and is not routed back out through it is
# handed to the UPnP chain (see the `-N` above); review that chain when
# auditing which ports are exposed.
-A FORWARD -i eth1 ! -o eth1 -j MINIUPNPD
# OUTPUT policy is already ACCEPT, so this rule changes nothing; it only
# counts the SSH server's outgoing traffic.
-A OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT
#
#