From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Message-ID: <45F52176.2000209@bumer.com.ua> Date: Mon, 12 Mar 2007 11:46:30 +0200 From: Andrey Kuleshov User-Agent: Thunderbird 1.5.0.8 (X11/20061205) MIME-Version: 1.0 To: ALT Linux sysadmin discuss References: <45ED609C.408@bumer.com.ua> <45EE85E2.7030103@bumer.com.ua> In-Reply-To: <45EE85E2.7030103@bumer.com.ua> X-Enigmail-Version: 0.94.1.0 Content-Type: text/plain; charset=KOI8-R Content-Transfer-Encoding: quoted-printable Subject: Re: [Sysadmins] iptables не открывает порты X-BeenThere: sysadmins@lists.altlinux.org X-Mailman-Version: 2.1.9rc1 Precedence: list Reply-To: ALT Linux sysadmin discuss List-Id: ALT Linux sysadmin discuss List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 12 Mar 2007 09:46:40 -0000 Archived-At: List-Archive:
Andrey Kuleshov wrote:
> Andrey Kuleshov wrote:
>
> Судя по обилию ответов рекомендация одна: reinstall Linux!
>
> Спасибо за участие!

Судя по реакции сообщества я-таки был неправ. Ок. Приношу извинения.
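Если еще остались желающие

#!/bin/sh
# Three-zone packet filter for a small router:
#   lo    - loopback
#   eth1  - external side (EXT_IP), internal hosts are SNATed behind it
#   eth0  - internal LAN (INT_NET), web traffic transparently proxied
# INPUT is split into PUB_IN (packets NOT from the internal net) and
# INT_IN (packets from the internal net); OUTPUT into PUB_OUT / INT_OUT.
#
# Runs as plain /bin/sh. `set -e` is deliberately not used: `service
# iptables stop` and the chain cleanup may legitimately fail on a box
# with no rules loaded yet, and the rule set must still be installed.
# `-x` echoes every iptables call as the original `#!/bin/sh -x` did,
# but survives being run as `sh script`.
set -ux

IPTABLES="/sbin/iptables"
UNPRIVPORTS="1025:65535"

LO_IFACE="lo"
# BUG FIX: this used to be 127.0.0.1/0.0.0.255.  A mask of 0.0.0.255
# compares only the LAST octet, so the anti-spoof DROP rule below matched
# every destination ending in .1 - including INT_IP 192.168.2.1 - and
# silently dropped all TCP to the router from the LAN before INT_IN was
# ever consulted.  The loopback network is 127.0.0.0/8.
LO_NET="127.0.0.0/8"

EXT_IFACE="eth1"
EXT_IP="192.168.1.2"
EXT_BASE="192.168.1.0"
EXT_MASK="/24"
EXT_NET="$EXT_BASE$EXT_MASK"

INT_IFACE="eth0"
INT_IP="192.168.2.1"
INT_BASE="192.168.2.0"
INT_MASK="/24"
INT_NET="$INT_BASE$INT_MASK"

# Stop routing while the rule set is rebuilt, re-enabled at the very end.
printf '0\n' >/proc/sys/net/ipv4/ip_forward
service iptables stop

# Flush, zero and delete user chains in every table we touch, not only in
# `filter` (the default for a bare -F/-Z/-X), so a re-run does not append
# duplicate nat/mangle rules.
for table in filter nat mangle; do
  "$IPTABLES" -t "$table" -F
  "$IPTABLES" -t "$table" -Z
  "$IPTABLES" -t "$table" -X
done

"$IPTABLES" -t filter -N INT_IN
"$IPTABLES" -t filter -N INT_OUT
"$IPTABLES" -t filter -N PUB_IN
"$IPTABLES" -t filter -N PUB_OUT

# ---- INPUT -----------------------------------------------------------
"$IPTABLES" -t filter -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Loopback destinations may only arrive on the loopback interface.
"$IPTABLES" -t filter -A INPUT -d "$LO_NET" ! -i "$LO_IFACE" -p tcp -j DROP
"$IPTABLES" -t filter -A INPUT -i "$LO_IFACE" -j ACCEPT
"$IPTABLES" -t filter -A INPUT -p icmp --icmp-type 8 -j ACCEPT # ping
# Anything not sourced from the LAN is "public" (this includes packets
# arriving on eth0 with a spoofed non-LAN source).
"$IPTABLES" -t filter -A INPUT -p all ! -s "$INT_NET" -j PUB_IN
"$IPTABLES" -t filter -A INPUT -p all -i "$INT_IFACE" -d "$INT_NET" -j INT_IN
"$IPTABLES" -t filter -P INPUT DROP

# ---- FORWARD ---------------------------------------------------------
"$IPTABLES" -t filter -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
"$IPTABLES" -t filter -A FORWARD -p udp -s "$INT_NET" --dport 123 -j ACCEPT # ntp
"$IPTABLES" -t filter -A FORWARD -p tcp -s "$INT_NET" --dport 443 -j ACCEPT # https
# ftp session (the RELATED data-connection rules presume the FTP conntrack
# helper is loaded - not visible from this script)
"$IPTABLES" -t filter -A FORWARD -p tcp -s "$INT_NET" --dport 21 -j ACCEPT
"$IPTABLES" -t filter -A FORWARD -p tcp -d "$INT_NET" --sport 21 \
  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# ftp active mode
"$IPTABLES" -t filter -A FORWARD -p tcp -s "$INT_NET" --dport 20 -j ACCEPT
"$IPTABLES" -t filter -A FORWARD -p tcp -d "$INT_NET" --sport 20 \
  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# ftp passive mode
"$IPTABLES" -t filter -A FORWARD -p tcp -s "$INT_NET" --sport "$UNPRIVPORTS" \
  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -t filter -A FORWARD -p tcp -d "$INT_NET" --dport "$UNPRIVPORTS" \
  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -t filter -A FORWARD -p tcp -s "$INT_NET" --dport 5190 -j ACCEPT # ICQ
"$IPTABLES" -t filter -P FORWARD DROP

# ---- OUTPUT ----------------------------------------------------------
"$IPTABLES" -t filter -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
"$IPTABLES" -t filter -A OUTPUT -p all -o "$LO_IFACE" -j ACCEPT
"$IPTABLES" -t filter -A OUTPUT -p all -o "$EXT_IFACE" -j PUB_OUT
"$IPTABLES" -t filter -A OUTPUT -p all -o "$INT_IFACE" -j INT_OUT
# Output on any other interface is dropped here, so the ACCEPT policy
# that follows is never reached; kept as in the original rule set.
"$IPTABLES" -t filter -A OUTPUT -j DROP
"$IPTABLES" -t filter -P OUTPUT ACCEPT

# ---- INT_IN: services offered to the LAN ------------------------------
"$IPTABLES" -t filter -A INT_IN -m state --state RELATED,ESTABLISHED -j ACCEPT
"$IPTABLES" -t filter -A INT_IN -p udp --dport 53 -j ACCEPT # DNS
"$IPTABLES" -t filter -A INT_IN -p tcp --dport 3128 -j ACCEPT # SQUID
"$IPTABLES" -t filter -A INT_IN -p tcp --dport 20 -j ACCEPT # FTP data
"$IPTABLES" -t filter -A INT_IN -p tcp --dport 21 -j ACCEPT # FTP control
"$IPTABLES" -t filter -A INT_IN -p tcp --dport 22 -j ACCEPT # ssh
"$IPTABLES" -t filter -A INT_IN -p tcp --dport 25 -j ACCEPT # SMTP
"$IPTABLES" -t filter -A INT_IN -p tcp --dport 110 -j ACCEPT # POP3
"$IPTABLES" -t filter -A INT_IN -p udp -s "$INT_NET" --dport 123 -j ACCEPT # ntp
"$IPTABLES" -t filter -A INT_IN -p tcp --dport 143 -j ACCEPT # IMAP
"$IPTABLES" -t filter -A INT_IN -p tcp --dport 443 -j ACCEPT # https
#"$IPTABLES" -t filter -A INT_IN -p tcp --dport 465 -j ACCEPT # SMTPs
"$IPTABLES" -t filter -A INT_IN -p tcp --dport 873 -j ACCEPT # rSYNC
"$IPTABLES" -t filter -A INT_IN -p tcp --dport 993 -j ACCEPT # IMAPs
"$IPTABLES" -t filter -A INT_IN -p tcp --dport 995 -j ACCEPT # POP3s
"$IPTABLES" -t filter -A INT_IN -p tcp --dport 1241 -j ACCEPT # nessus
"$IPTABLES" -t filter -A INT_IN -p tcp --dport 2121 -j REJECT # FTP proxy
"$IPTABLES" -t filter -A INT_IN -p tcp --dport 2638 -j ACCEPT # Sybase
"$IPTABLES" -t filter -A INT_IN -p tcp --dport 4025 -j ACCEPT # partimaged
"$IPTABLES" -t filter -A INT_IN -p tcp --dport 53 -j ACCEPT # DNS over tcp
"$IPTABLES" -t filter -A INT_IN -p tcp --dport 1863 -j ACCEPT # MSN
"$IPTABLES" -t filter -A INT_IN -p tcp --dport 3000 -j ACCEPT # int http
"$IPTABLES" -t filter -A INT_IN -p tcp --dport 5190 -j ACCEPT # ICQ
"$IPTABLES" -t filter -A INT_IN -p tcp --dport 5900 -j ACCEPT # VNC
"$IPTABLES" -t filter -A INT_IN -p tcp --dport 6000 -j ACCEPT # X
# NOTE(review): this accepts ANY TCP whose *source* port is unprivileged,
# which is what every ordinary client uses - it effectively opens every TCP
# port on the router to the LAN and makes the per-port list above (and the
# 2121 REJECT) moot for TCP.  Kept because it is the original behaviour;
# drop it if the per-port list is meant to be the policy.
"$IPTABLES" -t filter -A INT_IN -p tcp --sport "$UNPRIVPORTS" -j ACCEPT
"$IPTABLES" -t filter -A INT_IN -p icmp --icmp-type 8 -j ACCEPT # ping
"$IPTABLES" -t filter -A INT_IN -p all -j REJECT

"$IPTABLES" -t filter -A INT_OUT -j ACCEPT

# ---- PUB_IN: services offered to the outside --------------------------
"$IPTABLES" -t filter -A PUB_IN -p tcp -m tcp --dport 22 -j ACCEPT
"$IPTABLES" -t filter -A PUB_IN -p tcp -m tcp --dport 25 -j ACCEPT
"$IPTABLES" -t filter -A PUB_IN -p tcp -m tcp --dport 993 -j ACCEPT
"$IPTABLES" -t filter -A PUB_IN -p tcp -m tcp --dport 995 -j ACCEPT
# Rate-limited audit log of connection attempts to ports we do not serve
# publicly; everything not accepted above ends in the final DROP.
"$IPTABLES" -t filter -A PUB_IN -p tcp -m tcp --dport 23 -m state --state INVALID,NEW \
  -m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "audit"
"$IPTABLES" -t filter -A PUB_IN -p tcp -m tcp --dport 21 -m state --state INVALID,NEW \
  -m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "audit"
"$IPTABLES" -t filter -A PUB_IN -p tcp -m tcp --dport 143 -m state --state INVALID,NEW \
  -m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "audit"
"$IPTABLES" -t filter -A PUB_IN -p tcp -m tcp --dport 110 -m state --state INVALID,NEW \
  -m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "audit"
"$IPTABLES" -t filter -A PUB_IN -p tcp -m tcp --dport 79 -m state --state INVALID,NEW \
  -m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "audit"
"$IPTABLES" -t filter -A PUB_IN -p tcp -m tcp --dport 111 -m state --state INVALID,NEW \
  -m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "audit"
"$IPTABLES" -t filter -A PUB_IN -p tcp -m tcp --dport 512 -m state --state INVALID,NEW \
  -m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "audit"
"$IPTABLES" -t filter -A PUB_IN -p tcp -m tcp --dport 513 -m state --state INVALID,NEW \
  -m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "audit"
"$IPTABLES" -t filter -A PUB_IN -p tcp -m tcp --dport 98 -m state --state INVALID,NEW \
  -m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "audit"
# Unreachable: port 22 is already ACCEPTed at the top of PUB_IN, so new
# ssh connections never reach this LOG rule.  Kept from the original.
"$IPTABLES" -t filter -A PUB_IN -p tcp -m tcp --dport 22 -m state --state INVALID,NEW \
  -m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "audit"
"$IPTABLES" -t filter -A PUB_IN -j DROP

# ---- PUB_OUT ---------------------------------------------------------
"$IPTABLES" -t filter -A PUB_OUT -p icmp -m icmp --icmp-type 3 -j REJECT \
  --reject-with icmp-port-unreachable
"$IPTABLES" -t filter -A PUB_OUT -p icmp -m icmp --icmp-type 11 -j REJECT \
  --reject-with icmp-port-unreachable
"$IPTABLES" -t filter -A PUB_OUT -p icmp -j ACCEPT
"$IPTABLES" -t filter -A PUB_OUT -j ACCEPT

# ---- nat: transparent proxying and masquerading ----------------------
# http
# LAN -> LAN web goes to the local httpd on 3000 ...
"$IPTABLES" -t nat -A PREROUTING -p tcp -s "$INT_NET" \
  --dport 80 -d "$INT_NET" -j REDIRECT --to-ports 3000 # local httpd
# ... LAN -> elsewhere web goes to squid on 3128.
"$IPTABLES" -t nat -A PREROUTING -p tcp -s "$INT_NET" \
  -m multiport --dports 80,81,82,83,88,777,8000,8001,8002,8080,8081 \
  ! -d "$INT_NET" -j REDIRECT --to-ports 3128
"$IPTABLES" -t nat -A PREROUTING -p udp -s "$INT_NET" -m multiport \
  --dports 80,81,82,83,88,777,8000,8001,8002,8080,8081 \
  ! -d "$INT_NET" -j REDIRECT --to-ports 3128
"$IPTABLES" -t nat -A PREROUTING -p tcp -s "$INT_NET" -m multiport \
  --dports 8082,8083,8091,8100,8101,8102,8103,8080,8888 \
  ! -d "$INT_NET" -j REDIRECT --to-ports 3128
"$IPTABLES" -t nat -A PREROUTING -p udp -s "$INT_NET" -m multiport \
  --dports 8082,8083,8091,8100,8101,8102,8103,8080,8888 \
  ! -d "$INT_NET" -j REDIRECT --to-ports 3128
"$IPTABLES" -t nat -P PREROUTING ACCEPT

"$IPTABLES" -t nat -A POSTROUTING -p all -s "$INT_NET" -o "$EXT_IFACE" -j SNAT \
  --to-source "$EXT_IP"
"$IPTABLES" -t nat -P POSTROUTING ACCEPT
"$IPTABLES" -t nat -P OUTPUT ACCEPT

"$IPTABLES" -t mangle -P PREROUTING ACCEPT
"$IPTABLES" -t mangle -P INPUT ACCEPT
"$IPTABLES" -t mangle -P FORWARD ACCEPT
"$IPTABLES" -t mangle -P OUTPUT ACCEPT
"$IPTABLES" -t mangle -P POSTROUTING ACCEPT

# Rules are in place - turn routing back on.
printf '1\n' >/proc/sys/net/ipv4/ip_forward

-- 
AK1041-UANIC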