I wanted to reconfigure my firewall (iptables, Debian 9) and so I'm asking whether there's anything in particular I should watch out for. Is it enough to simply set everything to DROP by default and open just the ports I need? Do I need to pay attention to those TCP flags? Same for ip6tables? If anyone is confident in their own iptables rules, please post them here :).
Tips for iptables
- florian2833z
- Resolved
I wanted to reconfigure my firewall (iptables, Debian 9) and so I'm asking whether there's anything in particular I should watch out for. Is it enough to simply set everything to DROP by default and open just the ports I need? Same for ip6tables?
That's enough, but it sometimes causes problems with dual-stack services.
Example: IPv6 DROP and IPv4 ACCEPT: if IPv6 is probed first, the service may be treated as unreachable.
So better an ACCEPT policy with a matching REJECT rule.
Don't forget IPv6: Neighbor Discovery, the ARP of IPv6. It no longer happens at the MAC layer but at the IP layer, handled via ICMP.
See also this post by KB19 (which matches my own view :-P)
Outbound: don't forget DNS and the update servers.
If anyone is confident in their own iptables rules, please post them here :).
-
Here's what mine looks like:
Bash
#!/bin/sh
#IPv4 Firewall
iptables -F
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p 41 -j DROP
iptables -A FORWARD -p 41 -j DROP
#Updateserver
iptables -A OUTPUT -p tcp -m tcp -s 46.38.***.*** -d 88.159.20.184 --dport 80 -m state --state NEW -j ACCEPT
#SSH ********.network.h6g.de
iptables -A INPUT -p tcp -m tcp -s 31.19.***.*** --dport 22 -m state --state NEW -j ACCEPT
#DNS
iptables -N CH-DNS
iptables -A OUTPUT -p tcp -m tcp -s 46.38.***.*** --dport 53 -m state --state NEW -j CH-DNS
iptables -A OUTPUT -p udp -m udp -s 46.38.***.*** --dport 53 -m state --state NEW -j CH-DNS
iptables -A CH-DNS -d 8.8.4.4 -j ACCEPT
iptables -A CH-DNS -d 8.8.8.8 -j ACCEPT
#DNS-Server
iptables -A INPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
#LDAP
iptables -N CH-LDAP
iptables -A INPUT -p tcp -m tcp -m multiport -d 46.38.***.*** --dports 389,636 -m state --state NEW -j CH-LDAP
iptables -A INPUT -p udp -m udp -d 46.38.***.*** --dport 389 -m state --state NEW -j CH-LDAP
iptables -A CH-LDAP -s 31.19.***.*** -j ACCEPT
iptables -A CH-LDAP -s 188.68.***.*** -j ACCEPT
iptables -A CH-LDAP -s 188.68.***.*** -j ACCEPT
iptables -A CH-LDAP -s 37.221.***.*** -j ACCEPT
iptables -A CH-LDAP -s 185.26.***.*** -j ACCEPT
iptables -A CH-LDAP -s 188.68.***.*** -j ACCEPT
iptables -A CH-LDAP -s 185.194.***.*** -j ACCEPT
iptables -A CH-LDAP -s 185.244.***.*** -j ACCEPT
iptables -A CH-LDAP -s 37.221.***.*** -j ACCEPT
iptables -A CH-LDAP -s 185.207.***.*** -j ACCEPT
iptables -A CH-LDAP -s 188.68.***.*** -j ACCEPT
#Monitoring
iptables -A INPUT -p tcp -m tcp -s 188.68.***.*** --dport 6556 -m state --state NEW -j ACCEPT
#ICMP-IN
iptables -N CH-ICMP-IN
iptables -A INPUT -p icmp -m icmp -d 46.38.***.*** --icmp-type any -m state --state NEW -j ACCEPT
iptables -A CH-ICMP-IN -s 31.19.***.*** -j ACCEPT
iptables -A CH-ICMP-IN -s 188.68.***.*** -j ACCEPT
iptables -A CH-ICMP-IN -s 188.68.***.*** -j ACCEPT
iptables -A CH-ICMP-IN -s 37.221.***.*** -j ACCEPT
iptables -A CH-ICMP-IN -s 185.26.***.*** -j ACCEPT
iptables -A CH-ICMP-IN -s 188.68.***.*** -j ACCEPT
iptables -A CH-ICMP-IN -s 185.194.***.*** -j ACCEPT
iptables -A CH-ICMP-IN -s 185.244.***.*** -j ACCEPT
iptables -A CH-ICMP-IN -s 37.221.***.*** -j ACCEPT
iptables -A CH-ICMP-IN -s 185.207.***.*** -j ACCEPT
iptables -A CH-ICMP-IN -s 188.68.***.*** -j ACCEPT
iptables -A OUTPUT -p icmp -m icmp -o eth0 --icmp-type any -m state --state NEW -j ACCEPT
#MongoDB
iptables -N CH-MONGO
iptables -A INPUT -p tcp -m tcp --dport 27017 -m state --state NEW -j CH-MONGO
iptables -A OUTPUT -p tcp -m tcp --dport 27017 -m state --state NEW -j CH-MONGO
iptables -A INPUT -p udp -m udp --dport 27017 -m state --state NEW -j CH-MONGO
iptables -A OUTPUT -p udp -m udp --dport 27017 -m state --state NEW -j CH-MONGO
iptables -A CH-MONGO -s 31.19.***.*** -j ACCEPT
iptables -A CH-MONGO -s 46.38.***.*** -j ACCEPT
iptables -A CH-MONGO -s 37.221.***.*** -j ACCEPT
iptables -A CH-MONGO -s 188.68.***.*** -j ACCEPT
iptables -A CH-MONGO -d 31.19.***.*** -j ACCEPT
iptables -A CH-MONGO -d 46.38.***.*** -j ACCEPT
iptables -A CH-MONGO -d 37.221.***.*** -j ACCEPT
iptables -A CH-MONGO -d 188.68.***.*** -j ACCEPT
#Global Policy Reject
iptables -A INPUT -j REJECT
iptables -A FORWARD -j REJECT
iptables -A OUTPUT -j REJECT
#IPv6 Firewall
ip6tables -F
ip6tables -P INPUT ACCEPT
ip6tables -P OUTPUT ACCEPT
ip6tables -P FORWARD ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -s fe80::/10 -j ACCEPT
ip6tables -A OUTPUT -s fe80::/10 -j ACCEPT
#DNS
ip6tables -N CH-DNS
ip6tables -A OUTPUT -p tcp -m tcp -o eth0 --dport 53 -m state --state NEW -j CH-DNS
ip6tables -A OUTPUT -p udp -m udp -o eth0 --dport 53 -m state --state NEW -j CH-DNS
ip6tables -A CH-DNS -d 2001:4860:4860::8888 -j ACCEPT
ip6tables -A CH-DNS -d 2001:4860:4860::8844 -j ACCEPT
#DNS-Server
ip6tables -A INPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
ip6tables -A INPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
#LDAP
ip6tables -N CH-LDAP
ip6tables -A INPUT -p tcp -m tcp -m multiport -i eth0 --dports 389,636 -m state --state NEW -j CH-LDAP
ip6tables -A INPUT -p udp -m udp -i eth0 --dport 389 -m state --state NEW -j CH-LDAP
ip6tables -A CH-LDAP -s 2a03:4000:10:**::1 -j ACCEPT
ip6tables -A CH-LDAP -s 2a03:4000:10:**::1 -j ACCEPT
ip6tables -A CH-LDAP -s 2a03:4000:9:**::1 -j ACCEPT
ip6tables -A CH-LDAP -s 2a03:4000:6:**::1 -j ACCEPT
ip6tables -A CH-LDAP -s 2a03:4000:1c:**::1 -j ACCEPT
ip6tables -A CH-LDAP -s 2a03:4000:27:**::1 -j ACCEPT
ip6tables -A CH-LDAP -s 2a03:4000:9:**::1 -j ACCEPT
ip6tables -A CH-LDAP -s 2a03:4000:1e:**::1 -j ACCEPT
ip6tables -A CH-LDAP -s 2a03:4000:6:**::1 -j ACCEPT
#Monitoring
ip6tables -A INPUT -p tcp -m tcp -s 2a03:4000:6:**::1 --dport 6556 -m state --state NEW -j ACCEPT
#ICMP
ip6tables -N CH-ICMP-IN
ip6tables -N CH-ICMP-FW
ip6tables -A INPUT -p icmpv6 -j CH-ICMP-IN
ip6tables -A INPUT -p icmpv6 -j CH-ICMP-FW
ip6tables -A FORWARD -p icmpv6 -j CH-ICMP-FW
ip6tables -A OUTPUT -p icmpv6 -j CH-ICMP-IN
ip6tables -A OUTPUT -p icmpv6 -j CH-ICMP-FW
#ICMP Neighbor Discovery
ip6tables -A CH-ICMP-IN -p icmpv6 --icmpv6-type 130 -j ACCEPT
ip6tables -A CH-ICMP-IN -p icmpv6 --icmpv6-type 131 -j ACCEPT
ip6tables -A CH-ICMP-IN -p icmpv6 --icmpv6-type 132 -j ACCEPT
ip6tables -A CH-ICMP-IN -p icmpv6 --icmpv6-type 133 -j ACCEPT
ip6tables -A CH-ICMP-IN -p icmpv6 --icmpv6-type 134 -j ACCEPT
ip6tables -A CH-ICMP-IN -p icmpv6 --icmpv6-type 135 -j ACCEPT
ip6tables -A CH-ICMP-IN -p icmpv6 --icmpv6-type 136 -j ACCEPT
ip6tables -A CH-ICMP-IN -p icmpv6 --icmpv6-type 141 -j ACCEPT
ip6tables -A CH-ICMP-IN -p icmpv6 --icmpv6-type 142 -j ACCEPT
ip6tables -A CH-ICMP-IN -p icmpv6 --icmpv6-type 143 -j ACCEPT
ip6tables -A CH-ICMP-IN -p icmpv6 --icmpv6-type 148 -j ACCEPT
ip6tables -A CH-ICMP-IN -p icmpv6 --icmpv6-type 149 -j ACCEPT
ip6tables -A CH-ICMP-IN -p icmpv6 --icmpv6-type 151 -j ACCEPT
ip6tables -A CH-ICMP-IN -p icmpv6 --icmpv6-type 152 -j ACCEPT
ip6tables -A CH-ICMP-IN -p icmpv6 --icmpv6-type 153 -j ACCEPT
ip6tables -A CH-ICMP-FW -m state --state INVALID -j DROP
ip6tables -A CH-ICMP-FW -m state --state ESTABLISHED -j ACCEPT
ip6tables -A CH-ICMP-FW -p icmpv6 --icmpv6-type 1 -m state --state RELATED -j ACCEPT
ip6tables -A CH-ICMP-FW -p icmpv6 --icmpv6-type 2 -m state --state RELATED -j ACCEPT
ip6tables -A CH-ICMP-FW -p icmpv6 --icmpv6-type 3 -m state --state RELATED -j ACCEPT
ip6tables -A CH-ICMP-FW -p icmpv6 --icmpv6-type 4 -m state --state RELATED -j ACCEPT
ip6tables -A CH-ICMP-FW -p icmpv6 --icmpv6-type 128 -m state --state NEW -j ACCEPT
#Global Policy Reject
ip6tables -A INPUT -j REJECT
ip6tables -A FORWARD -j REJECT
ip6tables -A OUTPUT -j REJECT
-
Don't forget IPv6: Neighbor Discovery, the ARP of IPv6. It no longer happens at the MAC layer but at the IP layer, handled via ICMP.
Forgot to mention: ICMP is completely open on my box.
-
Here's what mine looks like: [ruleset quoted above]
Thanks
-
-
Sorry for the spam, but I have one more question. I can't get anywhere with the chains. Where is my mistake?
-
H6G Why do you prefer REJECT over DROP?
See:
That's enough, but it sometimes causes problems with dual-stack services.
Example: IPv6 DROP and IPv4 ACCEPT: if IPv6 is probed first, the service may be treated as unreachable.
So better an ACCEPT policy with a matching REJECT rule.
Sorry for the spam, but I have one more question. I can't get anywhere with the chains. Where is my mistake?
Line three should go. Line three means: you send all traffic into the TS3-IN chain and then accept it. The two rules below it are never evaluated.
-
Hello, here are my ip(6)tables files
(since I run CentOS, the files live in /etc/sysconfig/ and are applied automatically, i.e.
no script that explicitly calls iptables or ip6tables is needed)
for IPv4: /etc/sysconfig/iptables
Code
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# ICMP-packettypes: extra chain
-N RESTRICT-ICMP
-A RESTRICT-ICMP -p icmp --icmp-type destination-unreachable -j ACCEPT
-A RESTRICT-ICMP -p icmp --icmp-type time-exceeded -j ACCEPT
-A RESTRICT-ICMP -p icmp --icmp-type parameter-problem -j ACCEPT
-A RESTRICT-ICMP -p icmp --icmp-type echo-request -m limit --limit 2/sec --limit-burst 4 -j ACCEPT
-A RESTRICT-ICMP -p icmp --icmp-type echo-reply -m limit --limit 2/sec --limit-burst 4 -j ACCEPT
-A RESTRICT-ICMP -p icmp -j DROP
# Block services: extra chains
-N BLOCK-ANY
-A BLOCK-ANY -j DROP
-N BLOCK-DNS
-A BLOCK-DNS -m tcp -p tcp --dport 53 -j DROP
-A BLOCK-DNS -m udp -p udp --dport 53 -j DROP
-N BLOCK-SMTP
-A BLOCK-SMTP -m tcp -p tcp --dport 25 -j DROP
-N BLOCK-HTTP
-A BLOCK-HTTP -m tcp -p tcp --dport 80 -j DROP
-A BLOCK-HTTP -m tcp -p tcp --dport 443 -j DROP
# Allow anything on the local link
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
#
# Block totally from internet
#
# Begin #.shodan.io
# census1.shodan.io
-I INPUT -i eth0 -s 198.20.69.72/29 -j DROP
# census2.shodan.io
-I INPUT -i eth0 -s 198.20.69.96/29 -j DROP
# census3.shodan.io
-I INPUT -i eth0 -s 198.20.70.111/32 -j DROP
-I INPUT -i eth0 -s 198.20.70.112/32 -j DROP
-I INPUT -i eth0 -s 198.20.70.113/32 -j DROP
-I INPUT -i eth0 -s 198.20.70.114/32 -j DROP
-I INPUT -i eth0 -s 198.20.70.115/32 -j DROP
-I INPUT -i eth0 -s 198.20.70.116/32 -j DROP
-I INPUT -i eth0 -s 198.20.70.117/32 -j DROP
-I INPUT -i eth0 -s 198.20.70.118/32 -j DROP
-I INPUT -i eth0 -s 198.20.70.119/32 -j DROP
# census4.shodan.io
-I INPUT -i eth0 -s 198.20.99.128/29 -j DROP
# census5.shodan.io (m247.ro.shodan.io)
-I INPUT -i eth0 -s 93.120.27.62/32 -j DROP
# census6.shodan.io
-I INPUT -i eth0 -s 66.240.236.119/32 -j DROP
# census7.shodan.io
-I INPUT -i eth0 -s 71.6.135.131/32 -j DROP
# census8.shodan.io
-I INPUT -i eth0 -s 66.240.192.138/32 -j DROP
# census9.shodan.io
-I INPUT -i eth0 -s 71.6.167.142/32 -j DROP
# census10.shodan.io
-I INPUT -i eth0 -s 82.221.105.6/32 -j DROP
# census11.shodan.io
-I INPUT -i eth0 -s 82.221.105.7/32 -j DROP
# census12.shodan.io
-I INPUT -i eth0 -s 71.6.165.200/32 -j DROP
# atlantic.census.shodan.io
-I INPUT -i eth0 -s 188.138.9.50/32 -j DROP
# pacific.census.shodan.io
-I INPUT -i eth0 -s 85.25.103.50/32 -j DROP
# rim.census.shodan.io
-I INPUT -i eth0 -s 85.25.43.94/32 -j DROP
# pirate.census.shodan.io
-I INPUT -i eth0 -s 71.6.146.185/32 -j DROP
# inspire.census.shodan.io
-I INPUT -i eth0 -s 71.6.146.186/32 -j DROP
# ninja.census.shodan.io
-I INPUT -i eth0 -s 71.6.158.166/32 -j DROP
# border.census.shodan.io
-I INPUT -i eth0 -s 198.20.87.96/29 -j DROP
# burger.census.shodan.io
-I INPUT -i eth0 -s 66.240.219.146/32 -j DROP
# atlantic.dns.shodan.io
-I INPUT -i eth0 -s 209.126.110.38/32 -j DROP
# blog.shodan.io
-I INPUT -i eth0 -s 104.236.198.48/32 -j DROP
# cloud.shodan.io
-I INPUT -i eth0 -s 216.117.2.180/32 -j DROP
# hello.data.shodan.io
-I INPUT -i eth0 -s 104.131.0.69/32 -j DROP
# www.shodan.io
-I INPUT -i eth0 -s 162.159.244.38/32 -j DROP
# ny.private.shodan.io
-I INPUT -i eth0 -s 159.203.176.62/32 -j DROP
# sky.census.shodan.io
-I INPUT -i eth0 -s 80.82.77.33/32 -j DROP
# dojo.census.shodan.io
-I INPUT -i eth0 -s 80.82.77.139/32 -j DROP
# flower.census.shodan.io
-I INPUT -i eth0 -s 94.102.49.190 -j DROP
# turtle.census.shodan.io
-I INPUT -i eth0 -s 185.181.102.18 -j DROP
# goldfish.census.shodan.io
-I INPUT -i eth0 -s 185.163.109.66 -j DROP
# malware-hunter.census.shodan.io
-I INPUT -i eth0 -s 66.240.205.34 -j DROP
# End #.shodan.io
#
#
# further Block-Packet Rules here ...
# e.g. -I INPUT -i eth0 -s 8.8.8.8 -j BLOCK-DNS
#
#
# Block scanner
-I INPUT -i eth0 -m string --to 60 --algo bm --string "GET /w00tw00t.at." -p tcp --dport 80 -j DROP
# Allow anything out on the internet
-A OUTPUT -o eth0 -j ACCEPT
# Allow established, related packets back in
-A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Only pings with restricted icmp are allowed
-A INPUT -i eth0 -j RESTRICT-ICMP
# Enable TRACEroute to me
-A INPUT -i eth0 -p udp --sport 32769:65535 --dport 33434:33523 -m limit --limit 2/sec --limit-burst 4 -j ACCEPT
# Enable SSH (private)
-A INPUT -i eth0 -s #MYIP# -m tcp -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i eth0 -s #ISP-IPRANGE# -m limit --limit 1/min -m tcp -p tcp --dport 22 -m state --state NEW -j ACCEPT
...
-A INPUT -i eth0 -m tcp -p tcp --dport 22 -m state --state NEW -j DROP
# Enable DNS
-A INPUT -i eth0 -m tcp -p tcp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -i eth0 -m udp -p udp --dport 53 -j ACCEPT
# Enable HTTP/HTTPS
-A INPUT -i eth0 -m tcp -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -i eth0 -m tcp -p tcp --dport 443 -m state --state NEW -j ACCEPT
# Prevent from logging
-A INPUT -i eth0 -m tcp -p tcp --dport 23 -j DROP
-A INPUT -i eth0 -m tcp -p tcp --dport 445 -j DROP
# Log all other
-A INPUT -j LOG --log-prefix "IP[IN]: " --log-level crit
-A FORWARD -j LOG --log-prefix "IP[FWD]: " --log-level crit
-A OUTPUT -j LOG --log-prefix "IP[OUT]: " --log-level crit
COMMIT
for IPv6: /etc/sysconfig/ip6tables
Code
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# ICMPv6-packettypes: extra chain
-N RESTRICT-ICMPv6
-A RESTRICT-ICMPv6 -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
-A RESTRICT-ICMPv6 -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
-A RESTRICT-ICMPv6 -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
-A RESTRICT-ICMPv6 -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
-A RESTRICT-ICMPv6 -p icmpv6 --icmpv6-type echo-request -m limit --limit 2/sec --limit-burst 4 -j ACCEPT
-A RESTRICT-ICMPv6 -p icmpv6 --icmpv6-type echo-reply -m limit --limit 2/sec --limit-burst 4 -j ACCEPT
-A RESTRICT-ICMPv6 -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
-A RESTRICT-ICMPv6 -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT
-A RESTRICT-ICMPv6 -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT
-A RESTRICT-ICMPv6 -p icmpv6 --icmpv6-type redirect -m hl --hl-eq 255 -j ACCEPT
-A RESTRICT-ICMPv6 -p icmpv6 -j DROP
# Block services: extra chains
-N BLOCK-ANY
-A BLOCK-ANY -j DROP
-N BLOCK-DNS
-A BLOCK-DNS -m tcp -p tcp --dport 53 -j DROP
-A BLOCK-DNS -m udp -p udp --dport 53 -j DROP
-N BLOCK-SMTP
-A BLOCK-SMTP -m tcp -p tcp --dport 25 -j DROP
-N BLOCK-HTTP
-A BLOCK-HTTP -m tcp -p tcp --dport 80 -j DROP
-A BLOCK-HTTP -m tcp -p tcp --dport 443 -j DROP
# Filter all packets that have RH0 headers
-A INPUT -m rt --rt-type 0 -j DROP
-A FORWARD -m rt --rt-type 0 -j DROP
-A OUTPUT -m rt --rt-type 0 -j DROP
# Enable Link-Local addresses
-A INPUT -s fe80::/10 -j ACCEPT
-A OUTPUT -s fe80::/10 -j ACCEPT
# Enable multicast
-A INPUT -d ff00::/8 -j ACCEPT
-A OUTPUT -d ff00::/8 -j ACCEPT
# Allow anything on the local link
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
#
# Block totally from internet
# - Teredo: 2001:0::/32
# - 6to4: 2002::/16
# - ...
#
-I INPUT -i eth0 -s 2001:0::/32 -j DROP
-I INPUT -i eth0 -s 2002::/16 -j DROP
#
# further Block-Packet Rules here ...
# e.g. -I INPUT -i eth0 -s 2001:4860:4860::8888 -j BLOCK-DNS
#
#
# Block scanner
-I INPUT -i eth0 -m string --to 84 --algo bm --string "GET /w00tw00t.at." -p tcp --dport 80 -j DROP
# Allow anything out on the internet
-A OUTPUT -o eth0 -j ACCEPT
# Allow established, related packets back in
-A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Only pings with restricted icmp are allowed
-A INPUT -i eth0 -d #IPv6-Prefix# -j RESTRICT-ICMPv6
# Enable TRACEroute to me
-A INPUT -i eth0 -d #IPv6-Prefix# -p udp --sport 32769:65535 --dport 33434:33523 -m limit --limit 2/sec --limit-burst 4 -j ACCEPT
# Enable SSH (private)
-A INPUT -i eth0 -s #MYIPv6# -m tcp -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i eth0 -m tcp -p tcp --dport 22 -j DROP
# Enable DNS
-A INPUT -i eth0 -d #IPv6-DNS# -m tcp -p tcp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -i eth0 -d #IPv6-DNS# -m udp -p udp --dport 53 -j ACCEPT
# Enable HTTP/HTTPS
-A INPUT -i eth0 -d #IPv6-HTTP# -m tcp -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -i eth0 -d #IPv6-HTTP# -m tcp -p tcp --dport 443 -m state --state NEW -j ACCEPT
# Log all other
-A INPUT -j LOG --log-prefix "IPv6[IN]: " --log-level crit
-A FORWARD -j LOG --log-prefix "IPv6[FWD]: " --log-level crit
-A OUTPUT -j LOG --log-prefix "IPv6[OUT]: " --log-level crit
COMMIT
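The Neighbor Discovery point raised earlier in the thread and the `-m hl --hl-eq 255` conditions in the ip6tables file above rest on one rule from RFC 4861: ND messages (router/neighbor solicitation and advertisement, redirect) are sent with Hop Limit 255 and must be discarded if it is lower, because every router on the path decrements the field, so 255 proves the packet originated on-link. The Python below is an added example, not code from any post in this thread: it reproduces the RESTRICT-ICMPv6 decision for constructed packets (the addresses fe80::1, ff02::1 and 2001:db8::2 and the RA/echo bodies are mine) and additionally validates the ICMPv6 checksum so a corrupted message is dropped instead of interpreted.

```python
"""Hop-limit check for ICMPv6 Neighbor Discovery, mirroring the posted
RESTRICT-ICMPv6 chain in Python. Added example, not code from the thread; all
packets below are constructed."""
import struct

IPPROTO_ICMPV6 = 58
ND_TYPES = {133: "router-solicitation", 134: "router-advertisement",
            135: "neighbor-solicitation", 136: "neighbor-advertisement", 137: "redirect"}
INFO_TYPES = {1: "destination-unreachable", 2: "packet-too-big", 3: "time-exceeded",
              4: "parameter-problem", 128: "echo-request", 129: "echo-reply"}


def icmpv6_checksum(src, dst, msg):
    """RFC 4443 checksum: one's-complement sum over the IPv6 pseudo-header and the message."""
    data = src + dst + struct.pack("!I3xB", len(msg), IPPROTO_ICMPV6) + msg
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmpv6(src, dst, hop_limit, icmp_type, body=b""):
    """Assemble one IPv6 packet (40-byte header) carrying an ICMPv6 message."""
    msg = bytes([icmp_type, 0, 0, 0]) + body            # type, code, checksum placeholder
    msg = msg[:2] + struct.pack("!H", icmpv6_checksum(src, dst, msg)) + msg[4:]
    hdr = struct.pack("!IHBB", 6 << 28, len(msg), IPPROTO_ICMPV6, hop_limit) + src + dst
    return hdr + msg


def filter_icmpv6(packet):
    """Return (verdict, reason) the way the posted RESTRICT-ICMPv6 chain decides."""
    if len(packet) < 44 or packet[0] >> 4 != 6:
        return "DROP", "not IPv6"
    plen, nxt, hl = struct.unpack("!HBB", packet[4:8])
    src, dst, msg = packet[8:24], packet[24:40], packet[40:40 + plen]
    if nxt != IPPROTO_ICMPV6:
        return "DROP", "not ICMPv6"
    if len(msg) != plen or icmpv6_checksum(src, dst, msg) != 0:
        return "DROP", "bad length or checksum"
    t = msg[0]
    if t in ND_TYPES:
        # RFC 4861: ND is sent with Hop Limit 255 and must be discarded otherwise; a
        # router would have decremented it, so 255 proves the packet came from on-link.
        if hl != 255:
            return "DROP", f"{ND_TYPES[t]} with hop limit {hl}, not from on-link"
        return "ACCEPT", ND_TYPES[t]
    if t in INFO_TYPES:
        return "ACCEPT", INFO_TYPES[t]   # the chain also rate-limits echo; accepted here
    return "DROP", f"icmpv6 type {t} not in the allow-list"


def demo():
    """Constructed packets: a proper RA, the same RA arriving with a decremented
    hop limit from a global source, an echo request, and a corrupted RA."""
    ll_src = bytes.fromhex("fe80" + "00" * 12 + "0001")        # fe80::1
    all_nodes = bytes.fromhex("ff02" + "00" * 13 + "01")       # ff02::1
    global_src = bytes.fromhex("20010db8" + "00" * 11 + "02")  # 2001:db8::2
    ra_body = b"\x40\x00\x07\x08" + b"\x00" * 8                # cur hop limit, flags, lifetimes
    ra = build_icmpv6(ll_src, all_nodes, 255, 134, ra_body)
    far_ra = build_icmpv6(global_src, all_nodes, 64, 134, ra_body)
    echo = build_icmpv6(global_src, ll_src, 64, 128, b"\x00\x01\x00\x01")
    corrupt = bytearray(ra)
    corrupt[-1] ^= 0xFF                                        # flip one byte of the RA body
    return {name: filter_icmpv6(p)[0] for name, p in
            [("ra", ra), ("far-ra", far_ra), ("echo", echo), ("corrupt", bytes(corrupt))]}
```

`demo()` returns `{"ra": "ACCEPT", "far-ra": "DROP", "echo": "ACCEPT", "corrupt": "DROP"}`. The hop-limit test is cheap and stateless, which is why it can sit in a plain filter chain before any conntrack logic; it does not protect against a malicious host that is genuinely on the same link, which is what RA Guard or SEND would be for.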
-
Hello, here are my ip(6)tables files [files quoted above]
Thank you very much!
Line three should go. Line three means: you send all traffic into the chain TS3-IN and then accept it. The two rules below it are no longer considered.
The strange thing is that I still can't get through.
-
-m state --state NEW
And what happens when the state is no longer "NEW" but a connection already exists?
-
And what happens when the state is no longer "NEW" but a connection already exists?
Unfortunately I still can't get through.
Edit: Here is a screenshot: [Blocked image: https://i.imgur.com/xGgqw1A.png]
Maybe I'm overlooking something.
Edit2: Output was blocked. But why?
-
A while ago I made myself a template for an ipv4 and ipv6 firewall, and since then I just replace the addresses and interface names in it.
HOWEVER: this is a very restrictive firewall (in my eyes).
Here EVERYTHING has to be explicitly allowed.
But that is simply my idea of a "well" secured and administered system.
I'm well aware that not everyone wants to take it that far.
In the example, only inbound SSH is allowed for now.
Outbound: DNS, NTP, package updates
ipv4:
Code
# Generated by iptables-save v1.6.0 on Sat Jul 8 00:52:23 2017
*nat
:PREROUTING ACCEPT [171:8318]
:INPUT ACCEPT [74:3933]
:OUTPUT ACCEPT [8:546]
:POSTROUTING ACCEPT [8:546]
COMMIT
# Completed on Sat Jul 8 00:52:23 2017
# Generated by iptables-save v1.6.0 on Sat Jul 8 00:52:23 2017
*mangle
:PREROUTING ACCEPT [1604:550176]
:INPUT ACCEPT [1604:550176]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1751:769781]
:POSTROUTING ACCEPT [1745:767339]
COMMIT
# Completed on Sat Jul 8 00:52:23 2017
# Generated by iptables-save v1.6.0 on Sat Jul 8 00:52:23 2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
#INBOUND PING
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
#INBOUND SSH
-A INPUT -p tcp -m tcp -d <IP>/32 --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
#Package updates
-A OUTPUT -p tcp -m tcp -m multiport -o <INTERFACE> --dports 80,443 -j ACCEPT
#DNS
-A OUTPUT -p udp -m udp -o <INTERFACE> --dport 53 -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
ipv6:
Code
# Generated by ip6tables-save v1.4.21 on Fri Sep 22 17:00:45 2017
# Completed on Fri Sep 22 17:00:45 2017
# Generated by ip6tables-save v1.4.21 on Fri Sep 22 17:00:45 2017
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -p tcp -m tcp -d <IP>/128 --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-port-unreachable
-A FORWARD -j REJECT --reject-with icmp6-port-unreachable
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p ipv6-icmp -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
#NTP
-A OUTPUT -p udp -m udp --dport 123 -j ACCEPT
-A OUTPUT -p tcp -m tcp -m multiport --dports 80,443 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp6-port-unreachable
COMMIT
-
Silly me, now I know why the output was blocked. Only output connections for RELATED and ESTABLISHED were allowed ....
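Both problems diagnosed in this thread come down to the same thing: netfilter walks a chain top to bottom and the first matching terminal rule decides. A catch-all rule in position three that jumps into a chain accepting everything makes the rules after it unreachable, and an OUTPUT chain that only lets RELATED,ESTABLISHED traffic out rejects every brand-new outbound connection (DNS, update servers), while an already ESTABLISHED packet is taken by the state rule regardless of port, which is the answer to the "what if the state is no longer NEW" question above. The evaluator below is an added example, not code from the thread or from any poster. It parses a small iptables-save style ruleset and reproduces that evaluation order, plus a check that reports rules no packet can ever reach. The ruleset, the TS3-IN chain, the port numbers, the interface name and the packets are constructed for the demonstration (the thread's real rules only exist in the screenshot); only the options the thread uses (-p, --dport, -i, -o, -m state, ACCEPT/DROP/REJECT and user chains) are modelled.

```python
"""First-match evaluator for iptables filter rules (added teaching example, not
from the thread). Models chain policies, user chains, -m state, -p/--dport/-i/-o
and ACCEPT/DROP/REJECT; the ruleset and packets below are constructed, the
TS3-IN part as a guess at the rules the thread argues about."""
import shlex

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
MATCH_KEYS = ("proto", "dport", "in_if", "out_if", "state")
OPTIONS = {"-p": ("proto", str), "--dport": ("dport", int), "-i": ("in_if", str),
           "-o": ("out_if", str), "-j": ("target", str),
           "--state": ("state", lambda v: set(v.split(",")))}

def parse_rules(text):
    """iptables-save text -> ({chain: policy or None}, {chain: [rule dicts]})."""
    policies, chains = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#*" or line == "COMMIT":
            continue
        if line.startswith(":"):                     # ":INPUT DROP [0:0]"
            name, policy = line[1:].split()[:2]
            policies[name] = None if policy == "-" else policy
            chains.setdefault(name, [])
            continue
        toks = shlex.split(line)
        if toks[0] != "-A":
            raise ValueError("only -A rules are modelled: " + line)
        rule, i = {"target": None}, 2
        while i < len(toks):
            if toks[i] in ("-m", "--reject-with"):   # no influence on matching here
                i += 2
            elif toks[i] in OPTIONS:
                key, conv = OPTIONS[toks[i]]
                rule[key] = conv(toks[i + 1])
                i += 2
            else:
                raise ValueError(f"unsupported option {toks[i]!r} in: {line}")
        chains.setdefault(toks[1], []).append(rule)
    return policies, chains

def matches(rule, pkt):
    """Every match option present on the rule must agree with the packet."""
    return all((pkt["state"] in rule[k]) if k == "state" else pkt.get(k) == rule[k]
               for k in MATCH_KEYS if k in rule)

def evaluate(policies, chains, chain, pkt, depth=0):
    """Walk a chain like netfilter: the first matching terminal target decides;
    a user chain that ends without a verdict returns to the calling chain."""
    for rule in chains[chain]:
        if not matches(rule, pkt):
            continue
        target = rule["target"]
        if target in TERMINAL:
            return target
        if target in chains:                         # jump into a user chain
            sub = evaluate(policies, chains, target, pkt, depth + 1)
            if sub is not None:
                return sub
        # any other target (LOG, ...) is non-terminating: go on with the next rule
    return None if depth else policies[chain]

def catches_all(chains, rule):
    """True if the rule matches every packet and always ends the evaluation."""
    if any(k in rule for k in MATCH_KEYS):
        return False
    t = rule["target"]
    return t in TERMINAL or (t in chains and any(catches_all(chains, r) for r in chains[t]))

def shadowed(chains, chain):
    """1-based numbers (as in iptables -L --line-numbers) of rules that can never
    be reached because an earlier rule in the chain catches every packet."""
    rules = chains[chain]
    for n, rule in enumerate(rules, 1):
        if catches_all(chains, rule):
            return list(range(n + 1, len(rules) + 1))
    return []

def verdict(ruleset, chain, pkt):
    policies, chains = parse_rules(ruleset)
    return evaluate(policies, chains, chain, pkt)

# Constructed ruleset with both mistakes from the thread: INPUT rule 3 sends every
# packet into TS3-IN (which accepts unconditionally), so rules 4 and 5 never run;
# OUTPUT lets only replies (RELATED,ESTABLISHED) out, so a new DNS query is rejected.
BROKEN = """\
*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TS3-IN - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j TS3-IN
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 9987 -j ACCEPT
-A TS3-IN -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""
# "Line three should go", plus an explicit allow for new outbound DNS before the REJECT.
FIXED = BROKEN.replace("-A INPUT -j TS3-IN\n", "").replace(
    "-A OUTPUT -j REJECT", "-A OUTPUT -o eth0 -p udp -m udp --dport 53 -j ACCEPT\n-A OUTPUT -j REJECT")

TELNET_IN = {"proto": "tcp", "dport": 23, "in_if": "eth0", "state": "NEW"}   # constructed packets
SSH_IN = {"proto": "tcp", "dport": 22, "in_if": "eth0", "state": "NEW"}
DNS_OUT = {"proto": "udp", "dport": 53, "out_if": "eth0", "state": "NEW"}
```

`shadowed(parse_rules(BROKEN)[1], "INPUT")` reports `[4, 5]`, and `verdict(BROKEN, "INPUT", TELNET_IN)` is `ACCEPT` even though the INPUT policy is DROP, because rule 3 hands the packet to TS3-IN. With the line removed the same packet is dropped and only the SSH rule accepts. On the OUTPUT side `verdict(BROKEN, "OUTPUT", DNS_OUT)` is `REJECT` until an explicit allow for new outbound DNS sits above the final REJECT, which is exactly what the last post found. The check is deliberately conservative: it only flags rules behind a rule with no match options at all, so it has no false positives, but it will not notice partial overlaps such as a port range that already covers a later single-port rule.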