Fórum Ubuntu CZ/SK
Ubuntu pro osobní počítače => Internet a sítě => Téma založeno: johny9009 21 Března 2011, 16:46:15
-
Dobrý den,
zkoušel jsem si trochu hrál s firewallem, konkrétně s GUI nadstavbami. Po odinstalaci jedné z nich mi ale přestal jít internet. Teď nemám žádnou, ani UFW a stále nic. Vyzkoušel jsem snad všechno co jsem nalezl na googlu, ale něco jako iptables -F, -X na všechny tabulky prostě nezabírá. Unáhlil jsem se tedy k poslední možnosti, reinstalaci iptables. Po odinstalování a restartu opravdu vše šlo jak má. Ihned jsem ale samozřejmě dal iptables zpět, protože je to jinak docela díra do internetu. Po dalším restartu jsem na tom ale byl stejně jako na začátku, nejspíš konfigurace zůstala uložená...
Nevíte tedy prosim vás, jak by se tedy dalo dát iptables do stavu jako po instalaci? Nerad bych přeinstalovával celé Ubuntu kvůli tomu.
Děkuji moc
-
das tady vypis iptables?
sudo iptables -L
-
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- ubuntu 147.32.117.255
logaborted tcp -- anywhere anywhere state RELATED,ESTABLISHED tcp flags:RST/RST
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
nicfilt all -- anywhere anywhere
srcfilt all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
srcfilt all -- anywhere anywhere
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
s1 all -- anywhere anywhere
Chain f0to1 (3 references)
target prot opt source destination
logdrop all -- anywhere anywhere
Chain f1to0 (1 references)
target prot opt source destination
logdrop all -- anywhere anywhere
Chain logaborted (1 references)
target prot opt source destination
logaborted2 all -- anywhere anywhere limit: avg 1/sec burst 10
LOG all -- anywhere anywhere limit: avg 2/min burst 1 LOG level warning prefix `LIMITED '
Chain logaborted2 (1 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning tcp-sequence tcp-options ip-options prefix `ABORTED '
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Chain logdrop (4 references)
target prot opt source destination
logdrop2 all -- anywhere anywhere limit: avg 1/sec burst 10
LOG all -- anywhere anywhere limit: avg 2/min burst 1 LOG level warning prefix `LIMITED '
DROP all -- anywhere anywhere
Chain logdrop2 (1 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning tcp-sequence tcp-options ip-options prefix `DROPPED '
DROP all -- anywhere anywhere
Chain logreject (0 references)
target prot opt source destination
logreject2 all -- anywhere anywhere limit: avg 1/sec burst 10
LOG all -- anywhere anywhere limit: avg 2/min burst 1 LOG level warning prefix `LIMITED '
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
DROP all -- anywhere anywhere
Chain logreject2 (1 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning tcp-sequence tcp-options ip-options prefix `REJECTED '
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
DROP all -- anywhere anywhere
Chain nicfilt (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
logdrop all -- anywhere anywhere
Chain s0 (1 references)
target prot opt source destination
f0to1 all -- anywhere ubuntu
f0to1 all -- anywhere 147.32.117.255
f0to1 all -- anywhere localhost.localdomain
logdrop all -- anywhere anywhere
Chain s1 (1 references)
target prot opt source destination
f1to0 all -- anywhere anywhere
Chain srcfilt (2 references)
target prot opt source destination
s0 all -- anywhere anywhere
Děkuji
-
mas tam soubor /etc/rc.firewall?
-
Ano, mám
obsah je
#!/bin/bash
# [Guarddog2]
# DO NOT EDIT!
# This firewall script was generated by "Guarddog" by Simon Edwards
# http://www.simonzone.com/software/guarddog/ This script requires Linux
# kernel version 2.2.x and ipchains OR Linux kernel 2.4.x and iptables.
#
# [Description]
#
# [Config]
# LOCALPORTRANGESTART=1024
# LOCALPORTRANGEEND=5999
# DISABLED=0
# LOGREJECT=1
# LOGDROP=1
# LOGABORTEDTCP=1
# LOGIPOPTIONS=1
# LOGTCPOPTIONS=1
# LOGTCPSEQUENCE=1
# LOGLEVEL=4
# LOGRATELIMIT=1
# LOGRATE=1
# LOGRATEUNIT=0
# LOGRATEBURST=10
# LOGWARNLIMIT=1
# LOGWARNRATE=2
# LOGWARNRATEUNIT=1
# DHCPC=0
# DHCPCINTERFACENAME=eth0
# DHCPD=0
# DHCPDINTERFACENAME=eth0
# ALLOWTCPTIMESTAMPS=0
# [ServerZone] Internet
# [ClientZone] Místní
# CONNECTED=1
# [ServerZone] Místní
# [ClientZone] Internet
# CONNECTED=1
# [End]
# Real code starts here
# If you change the line below then also change the # DISABLED line above.
DISABLE_GUARDDOG=0
if test -z $GUARDDOG_VERBOSE; then
GUARDDOG_VERBOSE=0
fi;
if [ $DISABLE_GUARDDOG -eq 0 ]; then
# Set the path
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin
# Detect which filter command we should use.
FILTERSYS=0
# 0 = unknown, 1 = ipchains, 2 = iptables
# Check for ipchains.
if [ -e /sbin/ipchains ]; then
FILTERSYS=1
fi;
if [ -e /usr/sbin/ipchains ]; then
FILTERSYS=1
fi;
if [ -e /usr/local/sbin/ipchains ]; then
FILTERSYS=1
fi;
# Check for iptables support.
if [ -e /proc/sys/kernel/osrelease ]; then
KERNEL_VERSION=`sed "s/^\([0-9][0-9]*\.[0-9][0-9]*\).*\$/\1/" < /proc/sys/kernel/osrelease`
if [ $KERNEL_VERSION == "2.6" ]; then
KERNEL_VERSION="2.4"
fi;
if [ $KERNEL_VERSION == "2.5" ]; then
KERNEL_VERSION="2.4"
fi;
if [ $KERNEL_VERSION == "2.4" ]; then
if [ -e /sbin/iptables ]; then
FILTERSYS=2
fi;
if [ -e /usr/sbin/iptables ]; then
FILTERSYS=2
fi;
if [ -e /usr/local/sbin/iptables ]; then
FILTERSYS=2
fi;
fi;
fi;
if [ $FILTERSYS -eq 0 ]; then
logger -p auth.info -t guarddog "ERROR Can't determine the firewall command! (Is ipchains or iptables installed?)"
[ $GUARDDOG_VERBOSE -eq 1 ] && echo "CHYBA Nelze interpretovat p?íkaz firewallu (Jsou instalovány ipchains nebo iptables?)"
false
fi;
if [ $FILTERSYS -eq 1 ]; then
###############################
###### ipchains ###############
###############################
logger -p auth.info -t guarddog Configuring ipchains firewall now.
[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Pou?ijí se ipchains."
[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Resetují se firewalová pravidla."
# Shut down all traffic
ipchains -P forward DENY
ipchains -P input DENY
ipchains -P output DENY
# Delete any existing chains
ipchains -F
ipchains -X
[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Nastavení parametru kernelu."
# Turn on kernel IP spoof protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 2> /dev/null
# Set the up TCP timestamps config
echo 0 > /proc/sys/net/ipv4/tcp_timestamps 2> /dev/null
# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies 2> /dev/null
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route 2> /dev/null
# Log truly weird packets.
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians 2> /dev/null
# Switch the current language for a moment
GUARDDOG_BACKUP_LANG=$LANG
GUARDDOG_BACKUP_LC_ALL=$LC_ALL
LANG=US
LC_ALL=US
export LANG
export LC_ALL
# Set kernel rp_filter. NICs used for IPSEC should not have rp_fitler turned on.
# Find the IPs of any ipsecX NICs
IPSEC_IPS="`ifconfig | gawk '/^ipsec\w/ { grabip = 1}
/inet addr:[[:digit:]\\.]+/ { if(grabip==1) printf \"%s \",gensub(/^.*inet addr:([[:digit:]\\.]+).*$/,\"\\\\1\",\"g\",$0)
grabip = 0}'`"
# Build a list of NIC names and metching IPs
IP_NIC_PAIRS="`ifconfig | gawk '/^\w/ { nic = gensub(/^(.*):.*/,\"\\\\1\",\"g\",$1)}
/inet addr:.*/ {match($0,/inet addr:[[:digit:]\.]+/)
ip=substr($0,RSTART+10,RLENGTH-10)
printf \"%s_%s\\n\",nic,ip }'`"
# Restore the language setting
LANG=$GUARDDOG_BACKUP_LANG
LC_ALL=$GUARDDOG_BACKUP_LC_ALL
export LANG
export LC_ALL
# Activate rp_filter for each NIC, except for NICs that are using
# an IP that is involved with IPSEC.
for X in $IP_NIC_PAIRS ; do
NIC="`echo \"$X\" | cut -f 1 -d _`"
IP="`echo \"$X\" | cut -f 2 -d _`"
RPF="1"
for SEC_IP in $IPSEC_IPS ; do
if [[ $SEC_IP == $IP ]]; then
RPF="0"
fi
done
echo $RPF > /proc/sys/net/ipv4/conf/$NIC/rp_filter 2> /dev/null
done
echo "1024 5999" > /proc/sys/net/ipv4/ip_local_port_range 2> /dev/null
[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Konfigurace firewallových pravidel."
# Allow loopback traffic.
ipchains -A input -i lo -j ACCEPT
ipchains -A output -i lo -j ACCEPT
# Accept broadcasts from ourself.
# Switch the current language for a moment
GUARDDOG_BACKUP_LANG=$LANG
GUARDDOG_BACKUP_LC_ALL=$LC_ALL
LANG=US
LC_ALL=US
export LANG
export LC_ALL
IP_BCAST_PAIRS="`ifconfig | gawk '/^\w/ { nic = gensub(/^(.*):.*/,\"\\\\1\",\"g\",$1)}
/inet addr:.*Bcast/ {match($0,/inet addr:[[:digit:]\\.]+/)
ip=substr($0,RSTART+10,RLENGTH-10)
match($0,/Bcast:[[:digit:]\\.]+/)
bcast = substr($0,RSTART+6,RLENGTH-6)
printf \"%s_%s_%s\\n\",nic,ip,bcast }'`"
# Restore the language setting
LANG=$GUARDDOG_BACKUP_LANG
LC_ALL=$GUARDDOG_BACKUP_LC_ALL
export LANG
export LC_ALL
for X in $IP_BCAST_PAIRS ; do
NIC="`echo \"$X\" | cut -f 1 -d _`"
IP="`echo \"$X\" | cut -f 2 -d _`"
BCAST="`echo \"$X\" | cut -f 3 -d _`"
ipchains -A input -i $NIC -s $IP -d $BCAST -j ACCEPT
done
# Allow certain critical ICMP types
ipchains -A input -p icmp --sport 3 -j ACCEPT # Dest unreachable
ipchains -A output -p icmp --sport 3 -j ACCEPT # Dest unreachable
ipchains -A forward -p icmp --sport 3 -j ACCEPT &> /dev/null # Dest unreachable
ipchains -A input -p icmp --sport 11 -j ACCEPT # Time exceeded
ipchains -A output -p icmp --sport 11 -j ACCEPT # Time exceeded
ipchains -A forward -p icmp --sport 11 -j ACCEPT &> /dev/null # Time exceeded
ipchains -A input -p icmp --sport 12 -j ACCEPT # Parameter Problem
ipchains -A output -p icmp --sport 12 -j ACCEPT # Parameter Problem
ipchains -A forward -p icmp --sport 12 -j ACCEPT &> /dev/null # Parameter Problem
# Work out our local IPs.
# Switch the current language for a moment
GUARDDOG_BACKUP_LANG=$LANG
GUARDDOG_BACKUP_LC_ALL=$LC_ALL
LANG=US
LC_ALL=US
export LANG
export LC_ALL
NIC_IP="`ifconfig | gawk '/^\w/ { nic = gensub(/^(.*):.*/,\"\\\\1\",\"g\",\$1)}
/inet addr:/ { match(\$0,/inet addr:[[:digit:]\\.]+/)
printf \"%s_%s\\n\",nic,substr(\$0,RSTART+10,RLENGTH-10) }
/Bcast/ { match(\$0,/Bcast:[[:digit:]\\.]+/)
printf \"%s_%s\\n\",nic,substr(\$0,RSTART+6,RLENGTH-6) }'`"
# Restore the language setting
LANG=$GUARDDOG_BACKUP_LANG
LC_ALL=$GUARDDOG_BACKUP_LC_ALL
export LANG
export LC_ALL
# Create the nicfilt chain
ipchains -N nicfilt
GOT_LO=0
NIC_COUNT=0
for X in $NIC_IP ; do
NIC="`echo \"$X\" | cut -f 1 -d _`"
IP="`echo \"$X\" | cut -f 2 -d _`"
ipchains -A nicfilt -i $NIC -j RETURN
# We also take this opportunity to see if we only have a lo interface.
if [ $NIC == "lo" ]; then
GOT_LO=1
fi
let NIC_COUNT=$NIC_COUNT+1
done
IPS="`echo \"$NIC_IP\" | cut -f 2 -d _`"
# Do we have just a lo interface?
if [ $GOT_LO -eq 1 ] && [ $NIC_COUNT -eq 1 ] ; then
MIN_MODE=1
else
MIN_MODE=0
fi
# Are there *any* interfaces?
if [ $NIC_COUNT -eq 0 ] ; then
MIN_MODE=1
fi
# If we only have a lo interface or no interfaces then we assume that DNS
# is not going to work and just skip any iptables calls that need DNS.
ipchains -A nicfilt -l -j DENY
# Create the filter chains
# Create chain to filter traffic going from 'Internet' to 'Místní'
ipchains -N f0to1
# Create chain to filter traffic going from 'Místní' to 'Internet'
ipchains -N f1to0
# Add rules to the filter chains
# Traffic from 'Internet' to 'Místní'
# Rejected traffic from 'Internet' to 'Místní'
# Traffic from 'Místní' to 'Internet'
# Rejected traffic from 'Místní' to 'Internet'
# Place DENY and log rules at the end of our filter chains.
# Failing all the rules above, we DENY and maybe log the packet.
ipchains -A f0to1 -l -j DENY
# Failing all the rules above, we DENY and maybe log the packet.
ipchains -A f1to0 -l -j DENY
# Add some temp DNS accept rules to the input and output chains.
# This is so that we can pass domain names to ipchains and have ipchains be
# able to look it up without being blocked by the our half-complete firewall.
if [ $MIN_MODE -eq 0 ] ; then
ipchains -A output -p tcp --sport 0:65535 --dport 53:53 -j ACCEPT
ipchains -A input -p tcp ! -y --sport 53:53 --dport 0:65535 -j ACCEPT
ipchains -A output -p udp --sport 0:65535 --dport 53:53 -j ACCEPT
ipchains -A input -p udp --sport 53:53 --dport 0:65535 -j ACCEPT
fi
# Chain to split traffic coming from zone 'Internet' by dest zone
ipchains -N s0
for X in $IPS ; do
ipchains -A s0 -d $X -j f0to1
done
if [ $MIN_MODE -eq 0 ] ; then
true # make sure this if [] has a least something in it.
fi
ipchains -A s0 -l -j DENY
# Chain to split traffic coming from zone 'Místní' by dest zone
ipchains -N s1
if [ $MIN_MODE -eq 0 ] ; then
true # make sure this if [] has a least something in it.
fi
ipchains -A s1 -j f1to0
# Create the srcfilt chain
ipchains -N srcfilt
if [ $MIN_MODE -eq 0 ] ; then
true # make sure this if [] has a least something in it.
fi
# Assume internet default rule
ipchains -A srcfilt -j s0
# Remove the temp DNS accept rules
if [ $MIN_MODE -eq 0 ] ; then
ipchains -D output -p tcp --sport 0:65535 --dport 53:53 -j ACCEPT
ipchains -D input -p tcp ! -y --sport 53:53 --dport 0:65535 -j ACCEPT
ipchains -D output -p udp --sport 0:65535 --dport 53:53 -j ACCEPT
ipchains -D input -p udp --sport 53:53 --dport 0:65535 -j ACCEPT
fi
# The output chain is quite simple. We diverge and filter any traffic from
# the local machine and accept the rest. The rest should have come via the
# forward chain, and hence is already filtered.
ipchains -A output -j nicfilt
for X in $IPS ; do
ipchains -A output -s $X -j s1
done
ipchains -A output -j ACCEPT
ipchains -A input -j nicfilt
# Direct local bound traffic on the input chain to the srcfilt chain
for X in $IPS ; do
ipchains -A input -d $X -j srcfilt
done
ipchains -A input -j ACCEPT
# All traffic on the forward chains goes to the srcfilt chain.
ipchains -A forward -j nicfilt &> /dev/null
ipchains -A forward -j srcfilt &> /dev/null
logger -p auth.info -t guarddog Finished configuring firewall
[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Hotovo."
fi;
if [ $FILTERSYS -eq 2 ]; then
###############################
###### iptables firewall ######
###############################
logger -p auth.info -t guarddog Configuring iptables firewall now.
[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Pou?ijí se iptables."
[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Resetují se firewalová pravidla."
# Shut down all traffic
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP
# Delete any existing chains
iptables -F
iptables -X
# Load any special kernel modules.
[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Nahrání modul? kernelu."
[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Nastavení parametru kernelu."
# Turn on kernel IP spoof protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 2> /dev/null
# Set the TCP timestamps config
echo 0 > /proc/sys/net/ipv4/tcp_timestamps 2> /dev/null
# Enable TCP SYN Cookie Protection if available
test -e /proc/sys/net/ipv4/tcp_syncookies && echo 1 > /proc/sys/net/ipv4/tcp_syncookies 2> /dev/null
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route 2> /dev/null
echo 0 > /proc/sys/net/ipv4/conf/default/accept_source_route 2> /dev/null
# Log truly weird packets.
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians 2> /dev/null
echo 1 > /proc/sys/net/ipv4/conf/default/log_martians 2> /dev/null
# Switch the current language for a moment
GUARDDOG_BACKUP_LANG=$LANG
GUARDDOG_BACKUP_LC_ALL=$LC_ALL
LANG=US
LC_ALL=US
export LANG
export LC_ALL
# Set kernel rp_filter. NICs used for IPSEC should not have rp_fitler turned on.
# Find the IPs of any ipsecX NICs
IPSEC_IPS="`ifconfig | gawk '/^ipsec\w/ { grabip = 1}
/inet addr:[[:digit:]\\.]+/ { if(grabip==1) printf \"%s \",gensub(/^.*inet addr:([[:digit:]\\.]+).*$/,\"\\\\1\",\"g\",$0)
grabip = 0}'`"
# Build a list of NIC names and metching IPs
IP_NIC_PAIRS="`ifconfig | gawk '/^\w/ { nic = gensub(/^(.*):.*/,\"\\\\1\",\"g\",$1)}
/inet addr:.*/ {match($0,/inet addr:[[:digit:]\.]+/)
ip=substr($0,RSTART+10,RLENGTH-10)
printf \"%s_%s\\n\",nic,ip }'`"
# Restore the language setting
LANG=$GUARDDOG_BACKUP_LANG
LC_ALL=$GUARDDOG_BACKUP_LC_ALL
export LANG
export LC_ALL
# Activate rp_filter for each NIC, except for NICs that are using
# an IP that is involved with IPSEC.
for X in $IP_NIC_PAIRS ; do
NIC="`echo \"$X\" | cut -f 1 -d _`"
IP="`echo \"$X\" | cut -f 2 -d _`"
RPF="1"
for SEC_IP in $IPSEC_IPS ; do
if [[ $SEC_IP == $IP ]]; then
RPF="0"
fi
done
echo $RPF > /proc/sys/net/ipv4/conf/$NIC/rp_filter 2> /dev/null
done
echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter 2> /dev/null
echo "1024 5999" > /proc/sys/net/ipv4/ip_local_port_range 2> /dev/null
[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Konfigurace firewallových pravidel."
# Set up our logging and packet 'executing' chains
iptables -N logdrop2
iptables -A logdrop2 -j LOG --log-prefix "DROPPED " --log-level 4 --log-ip-options --log-tcp-options --log-tcp-sequence
iptables -A logdrop2 -j DROP
iptables -N logdrop
iptables -A logdrop -m limit --limit 1/second --limit-burst 10 -j logdrop2
iptables -A logdrop -m limit --limit 2/minute --limit-burst 1 -j LOG --log-prefix "LIMITED " --log-level 4
iptables -A logdrop -j DROP
iptables -N logreject2
iptables -A logreject2 -j LOG --log-prefix "REJECTED " --log-level 4 --log-ip-options --log-tcp-options --log-tcp-sequence
iptables -A logreject2 -p tcp -j REJECT --reject-with tcp-reset
iptables -A logreject2 -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A logreject2 -j DROP
iptables -N logreject
iptables -A logreject -m limit --limit 1/second --limit-burst 10 -j logreject2
iptables -A logreject -m limit --limit 2/minute --limit-burst 1 -j LOG --log-prefix "LIMITED " --log-level 4
iptables -A logreject -p tcp -j REJECT --reject-with tcp-reset
iptables -A logreject -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A logreject -j DROP
iptables -N logaborted2
iptables -A logaborted2 -j LOG --log-prefix "ABORTED " --log-level 4 --log-ip-options --log-tcp-options --log-tcp-sequence
iptables -A logaborted2 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -N logaborted
iptables -A logaborted -m limit --limit 1/second --limit-burst 10 -j logaborted2
iptables -A logaborted -m limit --limit 2/minute --limit-burst 1 -j LOG --log-prefix "LIMITED " --log-level 4
# Allow loopback traffic.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Switch the current language for a moment
GUARDDOG_BACKUP_LANG=$LANG
GUARDDOG_BACKUP_LC_ALL=$LC_ALL
LANG=US
LC_ALL=US
export LANG
export LC_ALL
# Accept broadcasts from ourself.
IP_BCAST_PAIRS="`ifconfig | gawk '/^\w/ { nic = gensub(/^(.*):.*/,\"\\\\1\",\"g\",$1)}
/inet addr:.*Bcast/ {match($0,/inet addr:[[:digit:]\\.]+/)
ip=substr($0,RSTART+10,RLENGTH-10)
match($0,/Bcast:[[:digit:]\\.]+/)
bcast = substr($0,RSTART+6,RLENGTH-6)
printf \"%s_%s_%s\\n\",nic,ip,bcast }'`"
# Restore the language setting
LANG=$GUARDDOG_BACKUP_LANG
LC_ALL=$GUARDDOG_BACKUP_LC_ALL
export LANG
export LC_ALL
for X in $IP_BCAST_PAIRS ; do
NIC="`echo \"$X\" | cut -f 1 -d _`"
IP="`echo \"$X\" | cut -f 2 -d _`"
BCAST="`echo \"$X\" | cut -f 3 -d _`"
iptables -A INPUT -i $NIC -s $IP -d $BCAST -j ACCEPT
done
# Detect aborted TCP connections.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -p tcp --tcp-flags RST RST -j logaborted
# Quickly allow anything that belongs to an already established connection.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow certain critical ICMP types
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT # Dest unreachable
iptables -A OUTPUT -p icmp --icmp-type destination-unreachable -j ACCEPT # Dest unreachable
iptables -A FORWARD -p icmp --icmp-type destination-unreachable -j ACCEPT &> /dev/null # Dest unreachable
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT # Time exceeded
iptables -A OUTPUT -p icmp --icmp-type time-exceeded -j ACCEPT # Time exceeded
iptables -A FORWARD -p icmp --icmp-type time-exceeded -j ACCEPT &> /dev/null # Time exceeded
iptables -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT # Parameter Problem
iptables -A OUTPUT -p icmp --icmp-type parameter-problem -j ACCEPT # Parameter Problem
iptables -A FORWARD -p icmp --icmp-type parameter-problem -j ACCEPT &> /dev/null # Parameter Problem
# Switch the current language for a moment
GUARDDOG_BACKUP_LANG=$LANG
GUARDDOG_BACKUP_LC_ALL=$LC_ALL
LANG=US
LC_ALL=US
export LANG
export LC_ALL
# Work out our local IPs.
NIC_IP="`ifconfig | gawk '/^\w/ { nic = gensub(/^(.*):.*/,\"\\\\1\",\"g\",\$1)}
/inet addr:/ { match(\$0,/inet addr:[[:digit:]\\.]+/)
printf \"%s_%s\\n\",nic,substr(\$0,RSTART+10,RLENGTH-10) }
/Bcast/ { match(\$0,/Bcast:[[:digit:]\\.]+/)
printf \"%s_%s\\n\",nic,substr(\$0,RSTART+6,RLENGTH-6) }'`"
# Restore the language setting
LANG=$GUARDDOG_BACKUP_LANG
LC_ALL=$GUARDDOG_BACKUP_LC_ALL
export LANG
export LC_ALL
# Create the nicfilt chain
iptables -N nicfilt
GOT_LO=0
NIC_COUNT=0
for X in $NIC_IP ; do
NIC="`echo \"$X\" | cut -f 1 -d _`"
iptables -A nicfilt -i $NIC -j RETURN
# We also take this opportunity to see if we only have a lo interface.
if [ $NIC == "lo" ]; then
GOT_LO=1
fi
let NIC_COUNT=$NIC_COUNT+1
done
IPS="`echo \"$NIC_IP\" | cut -f 2 -d _`"
iptables -A nicfilt -j logdrop
# Do we have just a lo interface?
if [ $GOT_LO -eq 1 ] && [ $NIC_COUNT -eq 1 ] ; then
MIN_MODE=1
else
MIN_MODE=0
fi
# Are there *any* interfaces?
if [ $NIC_COUNT -eq 0 ] ; then
MIN_MODE=1
fi
# If we only have a lo interface or no interfaces then we assume that DNS
# is not going to work and just skip any iptables calls that need DNS.
# Create the filter chains
# Create chain to filter traffic going from 'Internet' to 'Místní'
iptables -N f0to1
# Create chain to filter traffic going from 'Místní' to 'Internet'
iptables -N f1to0
# Add rules to the filter chains
# Traffic from 'Internet' to 'Místní'
# Rejected traffic from 'Internet' to 'Místní'
# Traffic from 'Místní' to 'Internet'
# Rejected traffic from 'Místní' to 'Internet'
# Place DROP and log rules at the end of our filter chains.
# Failing all the rules above, we log and DROP the packet.
iptables -A f0to1 -j logdrop
# Failing all the rules above, we log and DROP the packet.
iptables -A f1to0 -j logdrop
# Add some temp DNS accept rules to the input and output chains.
# This is so that we can pass domain names to ipchains and have iptables be
# able to look it up without being blocked by the our half-complete firewall.
if [ $MIN_MODE -eq 0 ] ; then
iptables -A OUTPUT -p tcp --sport 0:65535 --dport 53:53 -j ACCEPT
iptables -A INPUT -p tcp ! --syn --sport 53:53 --dport 0:65535 -j ACCEPT
iptables -A OUTPUT -p udp --sport 0:65535 --dport 53:53 -j ACCEPT
iptables -A INPUT -p udp --sport 53:53 --dport 0:65535 -j ACCEPT
fi
# Chain to split traffic coming from zone 'Internet' by dest zone
iptables -N s0
for X in $IPS ; do
iptables -A s0 -d $X -j f0to1
done
if [ $MIN_MODE -eq 0 ] ; then
true # make sure this if [] has at least something in it.
fi
iptables -A s0 -j logdrop
# Chain to split traffic coming from zone 'Místní' by dest zone
iptables -N s1
if [ $MIN_MODE -eq 0 ] ; then
true # make sure this if [] has at least something in it.
fi
iptables -A s1 -j f1to0
# Create the srcfilt chain
iptables -N srcfilt
if [ $MIN_MODE -eq 0 ] ; then
true # make sure this if [] has at least something in it.
fi
# Assume internet default rule
iptables -A srcfilt -j s0
if [ $MIN_MODE -eq 0 ] ; then
# Remove the temp DNS accept rules
iptables -D OUTPUT -p tcp --sport 0:65535 --dport 53:53 -j ACCEPT
iptables -D INPUT -p tcp ! --syn --sport 53:53 --dport 0:65535 -j ACCEPT
iptables -D OUTPUT -p udp --sport 0:65535 --dport 53:53 -j ACCEPT
iptables -D INPUT -p udp --sport 53:53 --dport 0:65535 -j ACCEPT
fi
# The output chain is very simple. We direct everything to the
# 'source is local' split chain.
iptables -A OUTPUT -j s1
iptables -A INPUT -j nicfilt
iptables -A INPUT -j srcfilt
# All traffic on the forward chains goes to the srcfilt chain.
iptables -A FORWARD -j srcfilt &> /dev/null
logger -p auth.info -t guarddog Finished configuring firewall
[ $GUARDDOG_VERBOSE -eq 1 ] && echo "Hotovo."
fi;
fi;
true
Koukám, že tady asi opravdu bude zakopaný pes, když je to vygenerovaný nějakým tím GUI programem. To je asi opravdu ten, který mi to rozes...
Můžu ten soubor prostě jenom smazat? A bude to pak vše v pořádku?
Děkuji
-
guarddog - zakopany pes - dobry vtip :D
ted k veci - mas 2 moznosti:
- nainstalovat zpet guarddog a pak ho znovu odinstalovat VCETNE konf. souboru (sudo apt-get purge guarddog)
- smazat vsechny konf. soubory, ktere ti po nem zbyly, viz nize
/etc/rc.firewall
/etc/init.d/guarddog
/etc/network/if-down.d/50guarddog
/etc/network/if-up.d/50guarddog
/etc/ppp/ip-down.d/50guarddog
/etc/ppp/ip-up.d/50guarddog
-
;D
OK, díky moc, jdu na to
-
Mi došlo, že vlastně přes tu instalaci to nejde, protože to bez internetu nenainstaluju :)
každopádně po ručním odstranění vše zase funguje
velký dík