 
 
发表于 2003-10-14 16:59:21
 
 
 
试了smoothwall-2.06-voyage和IPCOP1.30两种软件，发现用smoothwall-2.06-voyage做的在外网用扫描工具扫描时有如下反应：
IP Address : 218.15.161.35 
  Operating System : undetermined   
  Time to live : 0 
 
   UDP ports - 12 open ports 
         39 [ RLP => Resource Location Protocol ]    
         43 [ whois ]    
         67 [ bootps => Bootstrap Protocol Server ]    
         68 [ bootpc => Bootstrap Protocol Client ]    
         88 [ Kerberos 5 ]    
         135 [ epmap => DCE endpoint resolution ]    
         138 [ Netbios-DGM => Netbios Datagram Service ]    
         162 [ SNMP trap ]    
         514 [ syslog ]    
         749 [ Kerberos Administration ]    
         1434 [ ms-sql-m => Microsoft SQL Monitor ]    
         1900 [ ssdp => Simple Service Discovery Protocol ] 
这是什么防火墙??!!即使参照别人的做法加上iptables -A INPUT -p icmp -j DROP则老是提示什-A不正确,-A是什么规则?我一气之下把# All ICMP on ppp too. 
/sbin/iptables -A block -p icmp -i ppp0 -j ACCEPT 
/sbin/iptables -A block -p icmp -i ippp0 -j ACCEPT 
改为# All ICMP on ppp too. 
/sbin/iptables -A block -p icmp -i ppp0 -j DROP 
/sbin/iptables -A block -p icmp -i ippp0 -j DROP 
，这样才把在拨号状态的ICMP禁掉。再在外网用扫描工具扫描时，虽然PING不通了，但上述端口还是一个不落地显了出来，气个半死。想到网之鹰曾介绍过IPCOP1.30，跑到它的老家搬了一个回来，安好以后再用扫描工具扫描，则什么都发现不了。从安全性考虑出发，建议使用IPCOP1.30；另外IPCOP1.30的流量图也做得比smoothwall-2.06-voyage详细。可我却想让smoothwall-2.06-voyage也像IPCOP1.30一样，被扫描工具扫描时什么都发现不了，应怎样改，请诸位老鸟指教。另外我看到smoothwall有beta和GPL两种，它们在功能上有什么不同？IPCOP1.30与smoothwall的关系如何？是否为smoothwall的破解，相当于smoothwall的哪个版本？
 
附smoothwall-2.06-voyage的rc.firewall.up
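#!/bin/sh
#
# rc.firewall.up - Smoothwall 2.06 (voyage) netfilter ruleset, run when the
# firewall comes up.
#
# Reads (never sets) the Smoothwall settings variables from the environment:
#   GREEN_DEV, GREEN_NETADDRESS, GREEN_NETMASK       - required
#   ORANGE_DEV, ORANGE_NETADDRESS, ORANGE_NETMASK    - DMZ, optional
#   RED_DEV, RED_TYPE, RED_NETADDRESS, RED_NETMASK   - ethernet RED, optional
# Dial-up RED (ppp0 / ippp0) is matched by interface name.  Nothing in this
# listing sources the settings files; the caller must do that first.
#
# Resulting filter policy: INPUT DROP, FORWARD DROP, OUTPUT ACCEPT.  Several
# user chains (xtaccess, portfwf, dmzholes, squid, portfw) are created empty
# here; the setuid helpers named in the comments fill them in later.

# Disable ICMP Redirect Acceptance
for FILE in /proc/sys/net/ipv4/conf/*/accept_redirects; do
        echo 0 > "$FILE"
done

# Disable Source Routed Packets
for FILE in /proc/sys/net/ipv4/conf/*/accept_source_route; do
        echo 0 > "$FILE"
done

# Log Spoofed Packets, Source Routed Packets, Redirect Packets
for FILE in /proc/sys/net/ipv4/conf/*/log_martians; do
        echo 1 > "$FILE"
done

# Set timeouts.  2.5 hours for TCP.
# (ipchains-era setting kept for reference; nothing here replaces it.)
#/sbin/ipchains -M -S 9000 0 0

# Flush every rule and delete every user chain in the filter table.  The
# policies are set only after the flush, so for a moment the previous policy
# applies with no rules in front of it.
/sbin/iptables -F
/sbin/iptables -X

/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT ACCEPT

# Spoof protection for RED (rp_filter does not work with FreeS/WAN)
# Anything arriving on a RED interface that claims a GREEN (or ORANGE) source
# address is dropped; this stands in for the kernel reverse-path filter.
/sbin/iptables -N spoof
/sbin/iptables -A spoof -s "$GREEN_NETADDRESS/$GREEN_NETMASK" -j DROP
if [ "$ORANGE_DEV" != "" ]; then
        /sbin/iptables -A spoof -s "$ORANGE_NETADDRESS/$ORANGE_NETMASK" -j DROP
fi

/sbin/iptables -A INPUT -i ppp0 -j spoof
/sbin/iptables -A INPUT -i ippp0 -j spoof
if [ "$RED_DEV" != "" ]; then
        /sbin/iptables -A INPUT -i "$RED_DEV" -j spoof
fi


# localhost and ethernet.
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -i "$GREEN_DEV" -j ACCEPT

# IPSEC: everything arriving on the FreeS/WAN virtual interface is trusted,
# both for the box itself (secin) and for forwarding (secout).
/sbin/iptables -N secin
/sbin/iptables -A secin -i ipsec0 -j ACCEPT
/sbin/iptables -A INPUT -j secin

/sbin/iptables -N secout
/sbin/iptables -A secout -i ipsec0 -j ACCEPT
/sbin/iptables -A FORWARD -j secout

# "block" collects everything INPUT accepts from outside; it is hooked into
# INPUT further down, just before the LOG/REJECT tail.
/sbin/iptables -N block

# Let em through.
/sbin/iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A block -i "$GREEN_DEV" -j ACCEPT

# External access.  Rule set with setxtaccess setuid
/sbin/iptables -N xtaccess
/sbin/iptables -A block -j xtaccess

# IPSEC: IKE (udp/500), GRE (protocol 47) and ESP (protocol 50) from RED.
/sbin/iptables -N ipsec
/sbin/iptables -A ipsec -p udp --destination-port 500 -j ACCEPT
/sbin/iptables -A ipsec -p 47 -j ACCEPT
/sbin/iptables -A ipsec -p 50 -j ACCEPT
/sbin/iptables -A block -i ppp0 -j ipsec
/sbin/iptables -A block -i ippp0 -j ipsec
if [ "$RED_DEV" != "" ]; then
        /sbin/iptables -A block -i "$RED_DEV" -j ipsec
fi

# DHCP (bootps/bootpc) on an ethernet RED that gets its address by DHCP.
# Each command is split over two lines, so the trailing backslash is
# required; without it the second line runs as a command of its own and the
# rule is never added.  DHCP is UDP; the tcp rules are harmless extras.
if [ "$RED_DEV" != "" -a "$RED_TYPE" = "DHCP" ]; then
        /sbin/iptables -A block -p tcp --source-port 67 --destination-port 68 \
                -i "$RED_DEV" -j ACCEPT
        /sbin/iptables -A block -p tcp --source-port 68 --destination-port 67 \
                -i "$RED_DEV" -j ACCEPT
        /sbin/iptables -A block -p udp --source-port 67 --destination-port 68 \
                -i "$RED_DEV" -j ACCEPT
        /sbin/iptables -A block -p udp --source-port 68 --destination-port 67 \
                -i "$RED_DEV" -j ACCEPT
fi

# All ICMP on ppp too.
# Every ICMP type is accepted from any source on the dial-up interfaces, so
# the box answers echo-request (ping) from the Internet.  To be quieter,
# narrow these rules with --icmp-type (keeping destination-unreachable and
# time-exceeded, which path-MTU discovery and traceroute depend on) rather
# than dropping ICMP wholesale.
/sbin/iptables -A block -p icmp -i ppp0 -j ACCEPT
/sbin/iptables -A block -p icmp -i ippp0 -j ACCEPT
if [ "$RED_DEV" != "" ]; then
        /sbin/iptables -A block -p icmp -i "$RED_DEV" -d "$RED_NETADDRESS/$RED_NETMASK" -j ACCEPT
fi

/sbin/iptables -A INPUT -j block

# last rule in INPUT chain is for logging.
# LOG carries no rate limit (compare the IPCop script's
# "-m limit --limit 10/minute"), so a port scan can flood syslog.
# REJECT answers with icmp-port-unreachable, which tells a scanner the port
# is closed; a silent DROP would make it report the port as open|filtered.
# NOTE(review): the kernel rate-limits the ICMP errors it sends, so a fast
# UDP scan may still see some probes go unanswered -- confirm with a packet
# capture on ppp0 before concluding a port is really open.
/sbin/iptables -A INPUT -j LOG
/sbin/iptables -A INPUT -j REJECT

# Allow packets that we know about through.
# Established/related traffic is forwarded in both directions on RED; NEW
# connections only when leaving (-o), so nothing from RED can open a
# connection inward except via the portfwf chain below.
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -o ppp0 -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -i ppp0 -j ACCEPT
/sbin/iptables -A FORWARD -m state --state NEW -o ppp0 -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -o ippp0 -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -i ippp0 -j ACCEPT
/sbin/iptables -A FORWARD -m state --state NEW -o ippp0 -j ACCEPT
if [ "$RED_DEV" != "" ]; then
        /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -o "$RED_DEV" -j ACCEPT
        /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -i "$RED_DEV" -j ACCEPT
        /sbin/iptables -A FORWARD -m state --state NEW -o "$RED_DEV" -j ACCEPT
fi

# Port forwarding (filter side; the nat side is the portfw chain below).
/sbin/iptables -N portfwf
/sbin/iptables -A FORWARD -j portfwf

/sbin/iptables -N dmzholes

# Allow GREEN to talk to ORANGE.
# GREEN may open connections into the DMZ; ORANGE only gets replies back
# unless a dmzholes rule says otherwise.  Backslashes as in the DHCP block.
if [ "$ORANGE_DEV" != "" ]; then
        /sbin/iptables -A FORWARD -i "$ORANGE_DEV" -o "$GREEN_DEV" -m state \
                --state ESTABLISHED,RELATED -j ACCEPT
        /sbin/iptables -A FORWARD -i "$GREEN_DEV" -o "$ORANGE_DEV" -m state \
                --state NEW,ESTABLISHED,RELATED -j ACCEPT
        # dmz pinhole chain.  setdmzholes setuid prog adds rules here to allow
        # ORANGE to talk to GREEN.
        /sbin/iptables -A FORWARD -i "$ORANGE_DEV" -o "$GREEN_DEV" -j dmzholes
fi

# VPN
/sbin/iptables -A FORWARD -i "$GREEN_DEV" -o ipsec0 -j ACCEPT
/sbin/iptables -A FORWARD -i ipsec0 -o "$GREEN_DEV" -j ACCEPT

# Same unlimited LOG caveat as on INPUT.
/sbin/iptables -A FORWARD -j LOG
/sbin/iptables -A FORWARD -j REJECT

# NAT table
/sbin/iptables -t nat -F
/sbin/iptables -t nat -X

# squid
# Transparent-proxy hook: traffic from GREEN to private or link-local
# destinations is left alone; everything else goes to the squid chain,
# which is empty here and presumably filled by the proxy setup.
/sbin/iptables -t nat -N squid
/sbin/iptables -t nat -N jmpsquid
/sbin/iptables -t nat -A jmpsquid -d 10.0.0.0/8 -j RETURN
/sbin/iptables -t nat -A jmpsquid -d 172.16.0.0/12 -j RETURN
/sbin/iptables -t nat -A jmpsquid -d 192.168.0.0/16 -j RETURN
/sbin/iptables -t nat -A jmpsquid -d 169.254.0.0/16 -j RETURN
/sbin/iptables -t nat -A jmpsquid -j squid
/sbin/iptables -t nat -A PREROUTING -i "$GREEN_DEV" -j jmpsquid

# Masquerade everything leaving through a RED interface.
/sbin/iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
/sbin/iptables -t nat -A POSTROUTING -o ippp0 -j MASQUERADE
if [ "$RED_DEV" != "" ]; then
        /sbin/iptables -t nat -A POSTROUTING -o "$RED_DEV" -j MASQUERADE
fi

# Port forwarding (nat side; DNAT rules are added elsewhere).
/sbin/iptables -t nat -N portfw
/sbin/iptables -t nat -A PREROUTING -j portfw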
 
 
 
再附IPCOP1.30的rc.firewall 
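#!/bin/sh
#
# rc.firewall - IPCop 1.30 netfilter ruleset.
# Usage: rc.firewall {start|stop|reload|restart}
#
# The interface settings (GREEN_DEV, ORANGE_DEV, RED_DEV, RED_TYPE, DEVICE,
# PROTOCOL, METHOD, ...) come from the two IPCop settings files below.

. /var/ipcop/ppp/settings
. /var/ipcop/ethernet/settings
# Name of the live RED interface, as written by the connection scripts: one
# name followed by a newline, so only the newline (octal 012) is stripped.
# The listing had tr -d '12', which deletes every '1' and '2' from the name
# (eth1 -> eth, ppp2 -> ppp) -- almost certainly a lost backslash.
# If the file is missing, IFACE stays empty and iptables_red adds no RED rules.
IFACE=$(/usr/bin/tr -d '\012' < /var/ipcop/red/iface)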
 
iptables_init() {
        # Kernel-side hardening.  rp_filter is deliberately OFF (presumably
        # for the IPSec setup -- the Smoothwall script above notes it does
        # not work with FreeS/WAN), so anti-spoofing is left to the rules.
        # Redirects and source routing are refused, martians are logged.
        # The tcp_* values shorten FIN_WAIT, turn off window scaling,
        # timestamps and SACK and enlarge the SYN backlog; the original
        # author filed them under "reduce DoS'ing ability".
        for setting in \
                conf/all/rp_filter=0 \
                conf/all/accept_redirects=0 \
                conf/all/accept_source_route=0 \
                conf/all/log_martians=1 \
                tcp_fin_timeout=30 \
                tcp_window_scaling=0 \
                tcp_timestamps=0 \
                tcp_sack=0 \
                tcp_max_syn_backlog=1024
        do
                echo "${setting#*=}" > "/proc/sys/net/ipv4/${setting%=*}"
        done

        # Start from a clean slate in both tables: flush the rules first,
        # then remove the (now unreferenced) user chains.
        for table in filter nat; do
                /sbin/iptables -t "$table" -F
        done
        for table in filter nat; do
                /sbin/iptables -t "$table" -X
        done

        # Default policies: nothing in or through unless a rule allows it;
        # the box itself may talk freely.
        for chain in INPUT FORWARD; do
                /sbin/iptables -P "$chain" DROP
        done
        /sbin/iptables -P OUTPUT ACCEPT

        # PSCAN: rate-limited LOG (10/minute per protocol, fragments
        # included) followed by an unconditional DROP.
        /sbin/iptables -N PSCAN
        /sbin/iptables -A PSCAN -p tcp  -m limit --limit 10/minute -j LOG --log-prefix "TCP Scan? "
        /sbin/iptables -A PSCAN -p udp  -m limit --limit 10/minute -j LOG --log-prefix "UDP Scan? "
        /sbin/iptables -A PSCAN -p icmp -m limit --limit 10/minute -j LOG --log-prefix "ICMP Scan? "
        /sbin/iptables -A PSCAN -f      -m limit --limit 10/minute -j LOG --log-prefix "FRAG Scan? "
        /sbin/iptables -A PSCAN -j DROP

        # Hand XMas (every TCP flag set) and Null (no flag set) segments to
        # PSCAN on both the INPUT and the FORWARD path.
        for flags in ALL NONE; do
                for chain in INPUT FORWARD; do
                        /sbin/iptables -A "$chain" -p tcp --tcp-flags ALL "$flags" -j PSCAN
                done
        done
}
 
iptables_red() {
        # (Re)build the two RED chains: the filter-table one hangs off INPUT,
        # the nat-table one off POSTROUTING (both are created by "start").
        # "reload" calls this on its own, which is why it begins by flushing.
        /sbin/iptables -F RED
        /sbin/iptables -t nat -F RED

        # PPPoE / PPTP: trust whatever arrives on the physical device that
        # carries the tunnel.  Only considered once IFACE is known.
        if [ -n "$IFACE" ]; then
                if [ -n "$DEVICE" ]; then
                        /sbin/iptables -A RED -i "$DEVICE" -j ACCEPT
                fi
                case "$RED_TYPE" in
                        PPTP|PPPOE)
                                if [ -n "$RED_DEV" ]; then
                                        /sbin/iptables -A RED -i "$RED_DEV" -j ACCEPT
                                fi
                                ;;
                esac
        fi

        # The rest only applies while the link is up (the "active" marker
        # file is presumably written by the connection scripts).
        if [ -n "$IFACE" ] && [ -f /var/ipcop/red/active ]; then
                # DHCP replies (bootps 67 -> bootpc 68) on the RED interface.
                # The ethernet-DHCP and RFC1483/DHCP cases add the same pair;
                # if both conditions hold the pair is appended twice, exactly
                # as before.
                if [ -n "$RED_DEV" ] && [ "$RED_TYPE" = "DHCP" ]; then
                        for proto in tcp udp; do
                                /sbin/iptables -A RED -p "$proto" --source-port 67 --destination-port 68 -i "$IFACE" -j ACCEPT
                        done
                fi
                if [ "$PROTOCOL" = "RFC1483" ] && [ "$METHOD" = "DHCP" ]; then
                        for proto in tcp udp; do
                                /sbin/iptables -A RED -p "$proto" --source-port 67 --destination-port 68 -i "$IFACE" -j ACCEPT
                        done
                fi

                # IPSec on RED: GRE (47), ESP (50), AH (51) and IKE on udp
                # 500 -> 500.
                for proto in 47 50 51; do
                        /sbin/iptables -A RED -p "$proto"  -i "$IFACE" -j ACCEPT
                done
                /sbin/iptables -A RED -p udp -i "$IFACE" --sport 500 --dport 500 -j ACCEPT

                # Everything leaving through RED is masqueraded.
                /sbin/iptables -t nat -A RED -o "$IFACE" -j MASQUERADE
        fi
}
 
# See how we were called. 
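# See how we were called.
# start:   full ruleset.  stop:  minimal ruleset (policies stay DROP, so the
# box is closed rather than open; only replies, lo and GREEN get in).
# reload:  rebuild just the RED chains.  restart: stop then start.
case "$1" in
  start)
        iptables_init

        # Limit Packets- helps reduce dos/syn attacks
        # NOTE(review): this rule has no -j target, so it only counts the
        # first 10 SYNs per second and neither accepts nor drops anything.
        # Left as found: making it effective needs a matching DROP for the
        # excess, which is a policy decision rather than a typo fix.
        /sbin/iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 10/sec

        # CUSTOM chains, can be used by the users themselves.  They sit in
        # front of everything else, so a custom rule can override the rest.
        /sbin/iptables -N CUSTOMINPUT
        /sbin/iptables -A INPUT -j CUSTOMINPUT
        /sbin/iptables -N CUSTOMFORWARD
        /sbin/iptables -A FORWARD -j CUSTOMFORWARD
        /sbin/iptables -t nat -N CUSTOMPREROUTING
        /sbin/iptables -t nat -A PREROUTING -j CUSTOMPREROUTING

        # Accept everything connected
        /sbin/iptables -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
        /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

        # localhost and ethernet.
        # The icmp rule accepts every ICMP type on every interface, RED
        # included; narrow it with --icmp-type if the box should not answer
        # ping from outside.
        /sbin/iptables -A INPUT   -i lo         -j ACCEPT
        /sbin/iptables -A INPUT   -p icmp       -j ACCEPT
        /sbin/iptables -A INPUT   -i "$GREEN_DEV" -j ACCEPT
        /sbin/iptables -A FORWARD -i "$GREEN_DEV" -j ACCEPT

        # accept all traffic from ipsec interfaces
        /sbin/iptables -A FORWARD -i ipsec+ -j ACCEPT

        # Port forwarding
        if [ "$ORANGE_DEV" != "" ]; then
                # This rule enables a host on ORANGE network to connect to the outside
                # (anywhere except GREEN).  The trailing backslash is required:
                # without it the "-o" line runs as a command of its own and the
                # rule is never installed.  "-o ! dev" is the old negation
                # syntax; newer iptables spell it "! -o dev".
                /sbin/iptables -A FORWARD -i "$ORANGE_DEV" -p tcp \
                        -o ! "$GREEN_DEV" -j ACCEPT
                /sbin/iptables -A FORWARD -i "$ORANGE_DEV" -p udp \
                        -o ! "$GREEN_DEV" -j ACCEPT
        fi

        # RED chain, used for the red interface
        /sbin/iptables -N RED
        /sbin/iptables -A INPUT -j RED
        /sbin/iptables -t nat -N RED
        /sbin/iptables -t nat -A POSTROUTING -j RED

        iptables_red

        # XTACCESS chain, used for external access
        /sbin/iptables -N XTACCESS
        /sbin/iptables -A INPUT -j XTACCESS

        # PORTFWACCESS chain, used for portforwarding
        /sbin/iptables -N PORTFWACCESS
        /sbin/iptables -A FORWARD -j PORTFWACCESS

        # DMZ pinhole chain.  setdmzholes setuid prog adds rules here to allow
        # ORANGE to talk to GREEN.
        /sbin/iptables -N DMZHOLES
        /sbin/iptables -A FORWARD  -o "$GREEN_DEV" -j DMZHOLES

        # Custom prerouting chains (for transparent proxy and port forwarding)
        /sbin/iptables -t nat -N SQUID
        /sbin/iptables -t nat -A PREROUTING -j SQUID
        /sbin/iptables -t nat -N PORTFW
        /sbin/iptables -t nat -A PREROUTING -j PORTFW

        # last rule in input and forward chain is for logging.
        # Rate-limited, then the chain policy (DROP) applies silently.  The
        # FORWARD prefix reads "OUTPUT " although the chain is FORWARD; kept
        # as is because log parsers may already key on it.
        /sbin/iptables -A INPUT   -m limit --limit 10/minute -j LOG --log-prefix "INPUT "
        /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "OUTPUT "
        ;;
  stop)
        iptables_init

        # Accept everything connected
        /sbin/iptables -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT

        # localhost and ethernet.
        /sbin/iptables -A INPUT -i lo -j ACCEPT
        /sbin/iptables -A INPUT -i "$GREEN_DEV" -j ACCEPT

        # Keep the DHCP lease renewable while stopped.  The chain is INPUT
        # (iptables chain names are case-sensitive); the listing had "input",
        # which does not exist, so these four rules failed to install.
        if [ "$RED_DEV" != "" -a "$RED_TYPE" = "DHCP" ]; then
                /sbin/iptables -A INPUT -p tcp --source-port 67 --destination-port 68 -i "$IFACE" -j ACCEPT
                /sbin/iptables -A INPUT -p udp --source-port 67 --destination-port 68 -i "$IFACE" -j ACCEPT
        fi
        if [ "$PROTOCOL" = "RFC1483" -a "$METHOD" = "DHCP" ]; then
                /sbin/iptables -A INPUT -p tcp --source-port 67 --destination-port 68 -i "$IFACE" -j ACCEPT
                /sbin/iptables -A INPUT -p udp --source-port 67 --destination-port 68 -i "$IFACE" -j ACCEPT
        fi

        /sbin/iptables -A INPUT   -m limit --limit 10/minute -j LOG --log-prefix "INPUT "
        /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "OUTPUT "
        ;;
  reload)
        iptables_red
        ;;
  restart)
        "$0" stop
        "$0" start
        ;;
  *)
        echo "Usage: $0 {start|stop|reload|restart}" >&2
        exit 1
        ;;
esac

exit 0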
 
 
 