iptables – cemdogan.com

#!/bin/sh # squid server IP SQUID_SERVER=`ifconfig eth0 | sed -ne 's/.*inet addr:([^ ]*).*/1/p'` # Interface connected to Internet INTERNET="eth0" # Interface connected to LAN LAN_IN="eth0" # Squid port SQUID_PORT="3128" # DO NOT MODIFY BELOW # Clean old firewall iptables -F iptables -X iptables -t nat -F iptables -t nat -X iptables -t mangle -F iptables -t mangle -X # Load IPTABLES modules for NAT and IP conntrack support modprobe ip_conntrack modprobe ip_conntrack_ftp # For win xp ftp client #modprobe ip_nat_ftp echo 1 > /proc/sys/net/ipv4/ip_forward # Setting default filter policy iptables -P INPUT DROP iptables -P OUTPUT ACCEPT # Unlimited access to loop back iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT # Allow UDP, DNS and Passive FTP iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT # set this system as a router for Rest of LAN iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT # unlimited access to LAN iptables -A INPUT -i $LAN_IN -j ACCEPT iptables -A OUTPUT -o $LAN_IN -j ACCEPT # DNAT port 80 request comming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT #iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 443 -j DNAT --to $SQUID_SERVER:3130 # if it is same system iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT #iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 3130 # DROP everything and Log it iptables -A INPUT -j LOG iptables -A INPUT -j DROP iptables -A OUTPUT -i $INTERNET -p tcp -m multiport --dports 21,22,110,25,143,587,3169 -m state --state NEW -j ACCEPT iptables -A INPUT -i $INTERNET -p tcp -m multiport --dports 21,22,110,25,143,587,3169 -m state --state NEW -j ACCEPT iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

Fail2ban, log dosyalarini inceleyerek, fazla hatalı veya başarısız islem yapan ip adresini belirli bir sure engellemek icin kullanılan uygulamadır. Tercihinize göre iptables veya tcpwrapper kullanarak DROP kurallarını otomatik olarak ekler veya kaldırır ve sizi email yoluyla bilgilendirebilir.

EPEL deposunda bulunan fail2ban’ı kurmak için

#yum install fail2ban

Varsayılan olarak /etc/fail2ban/jail.conf dosyasinda yapılandırmak istedigimiz servisin log dosyasinin bulundugu bolum duzenlenir ya da eklenir. Örnek olarak ;

[sasl-iptables]

enabled  = true
filter   = sasl
action   = iptables[name=sasl, port=smtp, protocol=tcp]
           sendmail[name=sasl, dest=email@address.com]
logpath  = /var/log/maillog

[postfix]

enabled = true
filter  = postfix
action  = iptables[name=SMTP, port=smtp, protocol=tcp]
          sendmail[name=Postfix, dest=email@address.com]
logpath = /var/log/maillog


[dovecot]
enabled = true
filter = dovecot
action = iptables-multiport[name=dovecot, port="pop3,pop3s,imap,imaps", protocol=tcp]
 	mail[name=dovecot, dest=email@address.com]
logpath = /var/log/dovecot.log 
maxretry = 20
findtime = 1200
bantime = 1200

fail2ban.conf ve jail.conf dosyalarındaki diğer ayarları düzenledikten sonra, uygulamayı başlatmanız gerekecektir.

# service fail2ban restart

Fail2ban log örneği ise aşağıdaki gibi olacaktır;

2013-03-28 04:52:35,474 fail2ban.actions: WARNING [dovecot] Ban 122.226.212.222
2013-03-28 05:12:36,194 fail2ban.actions: WARNING [dovecot] Unban 122.226.212.222
2013-03-28 05:59:13,869 fail2ban.actions: WARNING [sasl-iptables] Ban 174.50.235.244
2013-03-28 06:09:13,956 fail2ban.actions: WARNING [sasl-iptables] Unban 174.50.235.244
2013-03-28 07:15:37,082 fail2ban.actions: WARNING [postfix] Ban 5.47.155.176
2013-03-28 07:25:37,178 fail2ban.actions: WARNING [postfix] Unban 5.47.155.176

Tag: iptables

squid için tek eth ile kullanılabilecek iptables kuralları

fail2ban kullanımı