  #1 init-6 (joined 05-03-2008, location: Kernel, 124 posts)

    Firewall script for iptables.

    This is a bash script for iptables which generates a set of rules that build a "stateful" firewall. It has been tested against most nmap attacks and blocks them, except when only 1 SYN packet is sent to 1 port; that is, if more than 3 ports are scanned (something very normal in a stealth scan) it blocks you. It does not block SYN, because if it blocked that on port 80, for example, it would mean blocking every kind of connection.
    Normally it also blocks Xmas, Null, FIN etc. scans; it has also been tested against --scanflags (custom scans where you pick the TCP flags yourself), and it blocks spoofing attacks by changing the rule directly in the "core", changing it in netfilter.
    Ah, one prerequisite: the kernel must be compiled with conntrack support, otherwise the rules against nmap will not work.
    This is version 1.1, so there will be a lot to change and a lot to improve, but all the same it is a fairly solid script.
    Finally, the script is in English because the site is also in a transition period and will switch to English.
    If someone takes the initiative to translate it, thank you.


    Code:
    #!/bin/sh
    #*****************************************************************
    #AlbanianWizard Iptables Firewall Script v 1.1 [connection bug fix]
    #Tested against most nmap personalised scans,
    #To Do : portbunny/unicornscan/ping3 scanning [next versions]
    #Author : Arditi
    #License : GPLv3
    #Contact : arditi[nospam]hush.ai
    #WARNINGS: You must be root to run this,
    #          This script is designed only for personal pc/laptop boxes, it is not for gateways/routers
    #          Don't change the chain/rule-set order
    #Technologies for building this mini-firewall:
    # a) Static rule based policies (not to be confused with a "static firewall")
    # b) Connection based stateful policies
    # c) Sanity based policies
    #*****************************************************************
    #Variables, please check the correct location of iptables
    #whereis iptables ; whereis ip6tables
    #*****************************************************************
    IPT=/sbin/iptables
    IPT6=/sbin/ip6tables
    MP=/sbin/modprobe
    INET=192.168.1.0/24 #Local network (not referenced by the rules below)
    IF=eth0
    echo "$USER is setting up AW iptables firewall on $HOSTNAME"
    #*****************************************************************
    #Setting up Connection Tracking Modules (named nf_conntrack/nf_nat on newer kernels)
    echo "* [+] Setting up Connection Tracking Modules"
    $MP ip_conntrack
    $MP iptable_nat
    $MP ip_conntrack_ftp
    $MP ip_nat_ftp
    $MP nfnetlink_log
    #*****************************************************************
    #Initial Setup
    echo "* [+] Setting up Chains"
    $IPT -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT #Or change to DROP and allow what you want if it is not your personal box
    $IPT -N FLOOD_CHAIN
    $IPT -N BAD_CHAIN
    $IPT -N TCP_CHAIN
    $IPT -N ICMP_CHAIN
    $IPT -N UDP_CHAIN
    $IPT -A INPUT -j FLOOD_CHAIN
    $IPT -A INPUT -j BAD_CHAIN
    $IPT -A INPUT -j TCP_CHAIN
    $IPT -A INPUT -j ICMP_CHAIN
    $IPT -A INPUT -j UDP_CHAIN
    #*****************************************************************
    #Blocking IPV6 traffic
    echo "* [+] Blocking all IPV6 Traffic"
    $IPT6 -P INPUT DROP
    $IPT6 -P FORWARD DROP
    $IPT6 -P OUTPUT DROP
    #*****************************************************************
    #Setting up the Rules
    echo "* [+] Setting up the rules"
    #Good things :)
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT #Accept loopback traffic
    #Bad things are normal :)
    #against -sO IP Protocol Scan (for supported protocols)
    $IPT -A INPUT -p sctp -j DROP
    $IPT -A INPUT -p gre -j DROP
    echo "* [+] Setting up the FLOOD_CHAIN"
    #This only improves the situation; in real life you should use Reactive Address Blocking (RAB)
    #This will work for UDP/TCP/ICMP floods sending more than 6 packets/s and also tries to block an nmap -sS scan.
    $IPT -A FLOOD_CHAIN -i $IF -m limit --limit 6/s --limit-burst 6 -j RETURN #Accept only 6 packets/sec: only the first 6 packets of a burst match.
    $IPT -A FLOOD_CHAIN -i $IF -j LOG --log-level 7 --log-prefix "# Syn Flood #"
    $IPT -A FLOOD_CHAIN -i $IF -j DROP
    #***********THE BAD CHAINS *****************************************
    echo "* [+] Setting up the BAD_CHAIN"
    #$IPT -A BAD_CHAIN -p tcp ! --syn -m state --state NEW -j DROP #Force --syn packet check for NEW connections, if not DROP IT!
    $IPT -A BAD_CHAIN -m conntrack --ctstate INVALID -j DROP #Enforcing, dropping invalid connections beginning with FIN,PSH,ACK,RST etc..
    #Throw away fragmentation attacks
    $IPT -A BAD_CHAIN -f -j DROP
    #nmap scans not blocked by "INVALID" state
    $IPT -A BAD_CHAIN -p tcp -i $IF --tcp-flags ALL SYN,PSH -j DROP
    $IPT -A BAD_CHAIN -p tcp -i $IF --tcp-flags ALL SYN,URG -j DROP
    $IPT -A BAD_CHAIN -p tcp -i $IF --tcp-flags ALL NONE -j DROP
    #Anti-spoofing
    echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter #setting to 0 disables spoofing protection
    #******************************************************************
    echo "* [+] Setting up the TCP_CHAIN"
    #WEB-SERVER
    $IPT -A TCP_CHAIN -p tcp -i $IF --dport 80 --syn -m state --state NEW -j ACCEPT
    $IPT -A TCP_CHAIN -p tcp -i $IF --dport 443 --syn -m state --state NEW -j ACCEPT #ssl
    $IPT -A TCP_CHAIN -m conntrack -i $IF --ctstate ESTABLISHED,RELATED -j ACCEPT #enforcing
    $IPT -A TCP_CHAIN -p tcp -i $IF -j DROP
    echo "* [+] Setting up the UDP_CHAIN"
    #UDP_CHAIN
    #$IPT -A UDP_CHAIN -p udp --dport 53 -j ACCEPT  #if you want some DNS server
    $IPT -A UDP_CHAIN -p udp -i $IF -j DROP
    echo "* [+] Setting up the ICMP_CHAIN"
    #ICMP_CHAIN
    #Ping: echo requests (type 8) from others are accepted at 3/sec per src/dst pair; comment out the type 8 rule if you don't want to be pinged.
    #Replies to your own pings are accepted by the ESTABLISHED,RELATED rule in TCP_CHAIN, which runs before this chain.
    $IPT -A ICMP_CHAIN -p icmp -m hashlimit --hashlimit 3/sec --hashlimit-mode srcip,dstip --hashlimit-name xticmp -m icmp --icmp-type 8 -j ACCEPT
    $IPT -A ICMP_CHAIN -p icmp -i $IF -m hashlimit --hashlimit 3/sec --hashlimit-mode srcip,dstip --hashlimit-name xticmp -m icmp --icmp-type 30 -j ACCEPT #traceroute
    $IPT -A ICMP_CHAIN -p icmp -i $IF -j DROP
    #Logging dropped things (only packets that fall through all the chains above reach this rule)
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "DROP: " --log-level 7

    #°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°#
    #Note: these are some of the common layer-3 attacks, but the real firewall attacks today use
    #protocol tunneling / firewall piercing, so for those you need to use Snort, l7-firewall or some other
    #application designed for performing layer 7 application checks.
    #Yes, iptables can do this stuff but it is too resource consuming
    #°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°#
    #print the configuration
    #$IPT -nvL
    If you say the fly was created from nothing they call you a fool; if you say the world was created from nothing they call you an atheist.
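The script above only logs what it drops (prefixes "# Syn Flood #" and "DROP: "); reading those lines back is how you see the sweep described in the post. As an added example, not part of init-6's script, here is a small POSIX sh/awk helper that summarises dropped packets per log prefix and source address, and counts the distinct destination ports a single source touched, which separates a multi-port scan from one blocked connection. The log lines are constructed for the example; the field layout (SRC=, DPT=, PROTO=) is the one the iptables LOG target writes, and the function names are my own.

```shell
#!/bin/sh
# Added example: summarise what the firewall's LOG rules dropped.
# Functions and sample data are constructed for this example.

# Constructed sample of kernel log lines (not real traffic); the prefixes
# match the LOG rules in the v1.1 script above.
sample_log() {
    cat <<'EOF'
Mar 10 02:11:01 laptop kernel: # Syn Flood #IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.1.10 LEN=44 PROTO=TCP SPT=41000 DPT=22 SYN URGP=0
Mar 10 02:11:01 laptop kernel: # Syn Flood #IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.1.10 LEN=44 PROTO=TCP SPT=41001 DPT=23 SYN URGP=0
Mar 10 02:11:01 laptop kernel: # Syn Flood #IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.1.10 LEN=44 PROTO=TCP SPT=41002 DPT=25 SYN URGP=0
Mar 10 02:11:07 laptop kernel: DROP: IN=eth0 OUT= SRC=10.0.0.9 DST=192.168.1.10 LEN=40 PROTO=TCP SPT=5555 DPT=80 URGP=0
Mar 10 02:12:30 laptop kernel: DROP: IN=eth0 OUT= SRC=172.16.4.2 DST=192.168.1.10 LEN=60 PROTO=UDP SPT=53 DPT=33434
EOF
}

# Count dropped packets per (log prefix, source address), most frequent first.
# Output lines look like: "<count> <prefix> <src>"
count_drops() {
    awk '
    /kernel: / {
        # the prefix is whatever sits between "kernel: " and the "IN=" field
        line = $0
        sub(/^.*kernel: /, "", line)
        idx = index(line, "IN=")
        if (idx == 0) next
        prefix = substr(line, 1, idx - 1)
        sub(/[ \t]+$/, "", prefix)
        src = ""
        for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) src = substr($i, 5)
        if (src == "") next
        count[prefix, src]++
    }
    END {
        for (k in count) { split(k, p, SUBSEP); print count[k], p[1], p[2] }
    }' | sort -rn
}

# Number of distinct destination ports one source address was logged against:
# several ports from one address within seconds is a sweep, one port is usually
# just a blocked connection attempt.
ports_probed_by() {
    awk -v want="$1" '
    {
        s = ""; d = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) s = substr($i, 5)
            if ($i ~ /^DPT=/) d = substr($i, 5)
        }
        if (s == want && d != "") seen[d] = 1
    }
    END { n = 0; for (d in seen) n++; print n }'
}

# Usage: feed the real log instead of the sample, e.g.
#   grep kernel: /var/log/messages | count_drops
sample_log | count_drops
sample_log | ports_probed_by 10.0.0.5
```

On a live box you would pipe the kernel log (`/var/log/messages`, `/var/log/kern.log` or `journalctl -k` depending on the distribution) into the same functions; the script's `--limit 5/min` on the "DROP: " rule means those counts are a lower bound, not the true number of dropped packets.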

  #2 xubuntu (joined 03-05-2009, location: Italy, 168 posts)
    You'd need this script for some server; for desktop use, Firestarter is enough.

  #3 init-6 (joined 05-03-2008, location: Kernel, 124 posts)
    No, no, it's for personal computers. I keep an httpd running, and, as you'd expect when on the road, I want to have one with me..
    Firestarter is really enough for a desktop, but in the end it too is built on iptables; it just changes the rules not through the shell but through a GUI, like Windows.

    Even though the script gives the same results as Firestarter after a scan, it is still in a primitive version; in some future version I hope to build something multi-layered.
    Some reasons why I prefer using it over an application are:
    - Custom, according to my preferences
    - I know what I'm executing
    - Very light and very small compared with an application built on iptables [PS, firewalls like endian-firewall, ip-cop, smoothwall etc. don't use applications, they use exactly such scripts] (I try to keep my system as simple and minimalist as possible)
    - When I don't remember some command, I open the script and see it there

    In the end it does its job, it makes all the ports stealth, but in reality today's attacks are of the ssh-over-http type, "protocol over protocol", and for those you need something at layer 7 that works with signatures.. iptables, even though it can stop something like that, wasn't made for it..

    Do you use Firestarter?

  #4 xubuntu (joined 03-05-2009, location: Italy, 168 posts)
    Quote: originally posted by init-6 (post #3 above)
    On Ubuntu I use Firestarter, which, as you said, is just a graphical interface to iptables; for lack of time I haven't got into studying iptables.

  #5 davidd (joined 02-09-2009, 2,016 posts)
    why tire yourself out for nothing with iptables, come on...

  #6 init-6 (joined 05-03-2008, location: Kernel, 124 posts)
    V 2.0

    Code:
    #!/bin/sh
    #*****************************************************************
    #AlbanianWizard Iptables Firewall Script v 2.0 [re-design]
    #Tested against most nmap personalised scans.
    #Author : Arditi
    #License : GPLv3
    #Contact : arditi[nospam]hush.ai
    #WARNINGS: You must be root to run this,
    #          This script is designed only for personal pc/laptop boxes, it is not for gateways/routers
    #          Don't change the chain/rule-set order
    #Technologies for building this mini-firewall:
    # a) Static rule based policies (not to be confused with a "static firewall")
    # b) Connection based stateful policies
    # c) Sanity based policies
    #*****************************************************************
    #Variables, please check the correct location of iptables
    #whereis iptables ; whereis ip6tables and edit the Variables below
    #*****************************************************************
    IPT=/usr/sbin/iptables
    IPT6=/usr/sbin/ip6tables
    MP=/sbin/modprobe
    IF=wlan0
    echo "$USER is setting up AW iptables firewall on $HOSTNAME"
    #*****************************************************************
    #Setting up Connection Tracking Modules (named nf_conntrack/nf_nat on newer kernels)
    echo "* [+] Setting up Connection Tracking Modules"
    $MP ip_conntrack
    $MP iptable_nat
    $MP ip_conntrack_ftp
    $MP ip_nat_ftp
    $MP nfnetlink_log
    #*****************************************************************
    #Initial Setup
    #*****************************************************************
    echo "* [+] Setting up Chains"
    $IPT -F
    $IPT -X
    $IPT -P INPUT DROP #Set the default policy for chain INPUT to DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT #Or change to DROP and allow what you want if it is not your personal box
    $IPT -N BAD_CHAIN     #Chain dedicated to scanning/fragmentation attacks
    $IPT -N TCP_CHAIN     #Chain to define what packets we accept from TCP
    $IPT -N UDP_CHAIN     #Chain to define what packets we accept from UDP
    $IPT -N ICMP_CHAIN    #Chain to define what packets we accept from ICMP
    #*****************************************************************
    #Blocking all IPV6 traffic
    echo "* [+] Blocking all IPV6 Traffic"
    $IPT6 -P INPUT DROP
    $IPT6 -P FORWARD DROP
    $IPT6 -P OUTPUT DROP
    #*****************************************************************
    #Setting up the Rules
    echo "* [+] Setting up the rules (accepting good things)"
    #Accept already established connections.
    $IPT -A INPUT -i $IF -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i $IF -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
    #Other rule for UDP: remaining UDP goes to UDP_CHAIN at 2/s (burst 20); anything faster falls through to the DROP policy
    $IPT -A INPUT -i $IF -p udp -m limit --limit 2/s --limit-burst 20 -j UDP_CHAIN
    #Accept loopback traffic
    $IPT -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT
    #####################################################################
    #                      WARMING UP THE INPUT
    #####################################################################
    #Anti-spoofing
    echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter #setting to 0 disables spoofing protection
    #Force --syn packet check for NEW connections, if not send it to BAD_CHAIN!
    $IPT -A INPUT -p tcp ! --syn -m state --state NEW -j BAD_CHAIN
    #Throw away fragmentation attacks
    $IPT -A INPUT -f -j BAD_CHAIN
    #Enforcing, dropping invalid connections beginning with FIN,PSH,ACK,RST etc..
    $IPT -A INPUT -m conntrack --ctstate INVALID -j BAD_CHAIN
    #nmap scans not blocked by "INVALID" state
    $IPT -A INPUT -p tcp -i $IF --tcp-flags ALL SYN,PSH -j BAD_CHAIN
    $IPT -A INPUT -p tcp -i $IF --tcp-flags ALL SYN,URG -j BAD_CHAIN
    $IPT -A INPUT -p tcp -i $IF --tcp-flags ALL NONE -j BAD_CHAIN
    #**********************************************************************#
    #                      FLOOD CHAIN REDIRECTS                           #
    #This only improves the situation; in real life you should use Reactive Address Blocking (RAB)
    #This will work for TCP/ICMP floods sending more than 1 packet/s and also tries to block an nmap -sS scan:
    #only the first packet of a burst reaches TCP_CHAIN/ICMP_CHAIN, the rest fall through to the INPUT DROP policy.
    $IPT -A INPUT -i $IF -p tcp -m limit --limit 1/s --limit-burst 1 -j TCP_CHAIN
    $IPT -A INPUT -i $IF -p icmp -m limit --limit 1/s --limit-burst 1 -j ICMP_CHAIN
    #########################################################################
    #                    BAD CHAIN                                          #
    #########################################################################
    $IPT -A BAD_CHAIN -i $IF -j LOG --log-level info --log-prefix "# Bad Packets #"
    $IPT -A BAD_CHAIN -i $IF -j DROP
    #******************************************************************
    echo "* [+] Setting up the TCP_CHAIN"
    #WEB-SERVER
    $IPT -A TCP_CHAIN -p tcp -i $IF --dport 80 --syn -m state --state NEW -j ACCEPT
    $IPT -A TCP_CHAIN -p tcp -i $IF --dport 443 --syn -m state --state NEW -j ACCEPT #ssl
    $IPT -A TCP_CHAIN -m conntrack -i $IF --ctstate ESTABLISHED,RELATED -j ACCEPT #enforcing
    $IPT -A TCP_CHAIN -i $IF -j LOG --log-level info --log-prefix "# TCP_CHAIN BLOCKED PACKET #"
    $IPT -A TCP_CHAIN -i $IF -j DROP
    echo "* [+] Setting up the UDP_CHAIN"
    #UDP_CHAIN
    #$IPT -A UDP_CHAIN -p udp --dport 53 -j ACCEPT  #if you want some DNS server
    $IPT -A UDP_CHAIN -i $IF -j LOG --log-level info --log-prefix "# UDP DROPPED #"
    $IPT -A UDP_CHAIN -p udp -i $IF -j DROP
    echo "* [+] Setting up the ICMP_CHAIN"
    #ICMP_CHAIN
    #allow ping | Currently you can ping others but others can't ping you :D [uncomment below if you want to be pinged]
    #$IPT -A ICMP_CHAIN -p icmp -i $IF --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT #allow others to ping you
    $IPT -A ICMP_CHAIN -p icmp -i $IF --icmp-type 0 -m state --state ESTABLISHED,RELATED -j ACCEPT #allow ping from you to others
    $IPT -A ICMP_CHAIN -i $IF -j LOG --log-level info --log-prefix "# ICMP BAD PACKET #"
    $IPT -A ICMP_CHAIN -p icmp -i $IF -j DROP
    #°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°#
    #Note: these are some of the common layer-3 attacks, but the real firewall attacks today use
    #protocol tunneling / firewall piercing, so for those you need to use Snort, l7-firewall or some other
    #application designed for performing layer 7 application checks.
    #Yes, iptables can do this stuff but it is too resource consuming
    #°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°#
    #print the configuration
    #$IPT -nvL
    Improvements:

    * Fixed the design problem in rate-based packet filtering for blocking flood attacks.
    * Applied protective options against the overwhelming majority of port scans; even when scanned with normal SYN packets this firewall manages to hide the port even if it is open.

    HOW?

    => Here is how it works:
    If someone runs an -sS scan with nmap (the classic SYN scan), it will start sending many packets per second and will normally check the ports in series (1-1000) or the most-used ports.
    Immediately the --limit and --limit-burst rule kicks in, which will accept only the first packet and will refuse (won't answer) the others.
    So even if port 80, say, is really open, the scan will be in conntrack and will get DROPped.
    Then how will my server (let's say) be online?
    Normally, a standard connection would be 1 SYN packet => dpt 80, and that would not be blocked.

    * Added the option to log all blocked packets.

    Other options as I remember them; it was 2 at night when it was finished.
    It's tested, it works properly.

    Enjoy, and report bugs at the homepage.
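The explanation above (first SYN passes, the rest of the scan is dropped, a single normal connection is unaffected) is the token-bucket behaviour of `-m limit`. As an added example, not from the script or its author, the following POSIX sh function models that bucket in integer arithmetic: `rate` tokens per second are refilled up to a capacity of `burst`, and a packet is forwarded to the target chain (P) only if a whole token is available, otherwise it falls through to the next rule (D). The arrival times are constructed, the function name is my own, and the model simplifies the kernel's xt_limit credit accounting, but it produces the same pass/drop pattern for these cases; the last call generalises the same rule to the v1.1 setting `--limit 6/s --limit-burst 6`.

```shell
#!/bin/sh
# Added example: simulate "-m limit --limit <rate>/s --limit-burst <burst>".
# Tokens are kept in thousandths of a packet so everything stays integer.
limit_sim() {
    rate=$1      # packets per second refilled into the bucket
    burst=$2     # bucket capacity, in packets
    times=$3     # space-separated packet arrival times in ms, non-decreasing
    cap=$((burst * 1000))
    tokens=$cap  # the bucket starts full, so the first burst passes
    last=0
    out=""
    for t in $times; do
        # refill: rate packets/s is rate thousandths of a packet per ms
        tokens=$((tokens + (t - last) * rate))
        [ "$tokens" -gt "$cap" ] && tokens=$cap
        last=$t
        if [ "$tokens" -ge 1000 ]; then
            tokens=$((tokens - 1000))   # spend one whole token: packet matches
            out="$out P"
        else
            out="$out D"                # no token: rule does not match
        fi
    done
    echo "${out# }"
}

# nmap -sS style burst, one SYN per port a few ms apart, against the v2.0
# INPUT rule "--limit 1/s --limit-burst 1": only the first SYN reaches TCP_CHAIN
limit_sim 1 1 "0 5 10 15 20 1500"
# a normal client: one SYN, then a second connection three seconds later
limit_sim 1 1 "0 3000"
# the v1.1 FLOOD_CHAIN setting "--limit 6/s --limit-burst 6"
limit_sim 6 6 "0 0 0 0 0 0 0 0"
```

The caveat a practitioner should keep in mind is that `-m limit` keeps one global bucket per rule, not one per source address: under the v2.0 rule a remote host sending faster than 1 packet/s also starves every other host's new TCP connections for as long as the scan lasts, and a browser opening several connections at once hits the same limit. The per-source variant is `-m hashlimit --hashlimit-mode srcip`, which the v1.1 ICMP rules already use.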

  #7 xubuntu (joined 03-05-2009, location: Italy, 168 posts)
    Quote: originally posted by init-6 (post #6 above, the V 2.0 script and its notes)
    If I want to open port 22, this command is enough:
    Code:
    iptables -A TCP_CHAIN  -p tcp  -i $IF --dport 22  -s 192.168.0.100 -j ACCEPT

  #8 init-6 (joined 05-03-2008, location: Kernel, 124 posts)
    Quote: originally posted by xubuntu (post #7 above)
    If I want to open port 22, this command is enough:
    Code:
    iptables -A TCP_CHAIN  -p tcp  -i $IF --dport 22  -s 192.168.0.100 -j ACCEPT
    Correct, but I'd also advise a --state, because bypasses could also happen with scanners and the various options of portbunny etc..
    On the local network it wouldn't be a problem, since I see -s 192.168.0.100, and this is the philosophy generally followed in building firewalls: block everything and leave open only what is strictly necessary.

    If you have servers with public IPs, it is absolutely not advisable to leave port 22 open (usually exploits for openssh are always kept private, except for the odd one that has rm -rf /* in the shellcode), so:
    a) Change the port, e.g. 1583
    b) http://www.zeroflux.org/projects/knock

    You choose how to configure it; then you send a few packets to the ports you designate (you give the server a signal) and it then opens the port for you.

    It is used by most companies that deal with Linux firewalls.