Gateway Firewall
A gateway firewall is the connector between the internal network and the external network. In this case, connecting over a leased line, you need two network cards: one connected to the external network (eth0) and one connected to the internal network (eth1 for the LAN, with a private IP such as 192.168.1.1). Next, create the firewall file in /etc/rc.d/init.d/ with the command:
#vi /etc/rc.d/init.d/firewall
Add the firewall script below. Some services are disabled; if you need one of them, uncomment that service's lines to enable it.
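#!/bin/sh
#chkconfig: 2345 60 95
#description: IPTABLES Firewall
#
# /etc/rc.d/init.d/firewall - packet filter and NAT for a two-NIC gateway
# (eth0 = external link, eth1 = LAN).  Usage: firewall {start|stop|status|restart|reload}
# (The original #description line ended in a stray backslash, which makes
# chkconfig treat the following comment line as part of the description.)
#
#CALL FUNCTION-------------------------------
# Red Hat init helpers.
. /etc/rc.d/init.d/functions
#CHECK NETWORK----------------------------
# Provides NETWORKING.
. /etc/sysconfig/network
#CHECK NETWORK STATUS-----------------
# Quoted so that an unset NETWORKING is compared as "" instead of producing
# a syntax error in the test.
if [ "${NETWORKING}" = "no" ]; then
  exit 0
fi
# Nothing can be done without the iptables binary; say so instead of
# silently leaving the gateway unfiltered.
if [ ! -x /sbin/iptables ]; then
  echo "firewall: /sbin/iptables not found, no rules loaded" >&2
  exit 0
fi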
#CREATE SCRIPT FOR PARAMETER BEHIND SERVICE---------------------------
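case "$1" in
  start)
    printf '%s' "Starting Firewall : "
    #-----------------------------------------------------------------------------------------------------
    #YOUR NETWORK INFORMATION------------------------------------------------
    # Edit these before first use: IP_ADDR is the address bound to the
    # external interface, PRI_DNS the single resolver this gateway may query.
    IP_ADDR="your Public IP Address"
    EXT_INTERFACE="eth0"
    LO_INTERFACE="lo"
    LOCAL_INTERFACE_1="eth1"
    LOCALNET="192.168.1.0/24"
    PRI_DNS="your Primary DNS"
    LOOPBACK="127.0.0.0/8"
    CLASS_A="10.0.0.0/8"
    CLASS_B="172.16.0.0/12"
    CLASS_C="192.168.0.0/16"
    CLASS_D_MULTICAST="224.0.0.0/4"
    CLASS_E_RESERVED_NET="240.0.0.0/5"
    BROADCAST_SRC="0.0.0.0"
    BROADCAST_DEST="255.255.255.255"
    PRIV_PORTS="0:1023"
    UNPRIV_PORTS="1024:"
    # A value containing a space can only be one of the placeholders above.
    # Warn but carry on: the DROP policies below still close the box, only
    # the rules that mention IP_ADDR / PRI_DNS will fail to load.
    case "$IP_ADDR$PRI_DNS" in
      *" "*)
        echo "firewall: IP_ADDR / PRI_DNS are still placeholders, edit $0" >&2
        ;;
    esac
    #--------------------------------------------------------------------------------------------
    #USE SSH CLIENT---------------------------------------------------------------
    SSH_LOCAL_PORTS="1022:65535"
    SSH_REMOTE_PORTS="513:65535"
    #USE TRACEROUTE------------------------------------------------------------
    TRACEROUTE_SRC_PORTS="32769:65535"
    TRACEROUTE_DEST_PORTS="33434:33523"
    #----------------------------------------------------------------------------------------------
    #FIREWALL MODULES---------------------------------------------------------
    /sbin/modprobe ip_tables
    /sbin/modprobe iptable_nat
    /sbin/modprobe ip_conntrack
    /sbin/modprobe ip_conntrack_ftp
    /sbin/modprobe ip_nat_ftp
    #/sbin/modprobe ipt_LOG
    #/sbin/modprobe ipt_MARK
    #/sbin/modprobe ipt_MASQUERADE
    #/sbin/modprobe ipt_REDIRECT
    #/sbin/modprobe ipt_REJECT
    #/sbin/modprobe ipt_TOS
    #/sbin/modprobe ipt_limit
    #/sbin/modprobe ipt_mac
    #/sbin/modprobe ipt_mark
    #/sbin/modprobe ipt_multiport
    #/sbin/modprobe ipt_state
    #/sbin/modprobe ipt_tos
    #/sbin/modprobe iptable_mangle
    #-----------------------------------------------------------------------------------------------
    #DELETE ALL OLD CHAINS----------------------------------------
    # Flush and remove user chains in both tables, so a restart never
    # stacks duplicate rules on top of the previous set.
    iptables -F
    iptables -F -t nat
    #DELETE CHAINS FOR USER CREATE-------------------------
    iptables -X
    iptables -X -t nat
    #SET POLICY ALL TO DENY--------------------------------------
    # Default deny on every chain; everything below is an explicit exception.
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP
    #---------------------------------------------------------------------------------------------------
    #UNLIMITED TRAFFIC ON LOOPBACK-----------------------------
    iptables -A INPUT -i "$LO_INTERFACE" -j ACCEPT
    iptables -A OUTPUT -o "$LO_INTERFACE" -j ACCEPT
    #----------------------------------------------------------------------------------------------------
    #UNLIMITED TRAFFIC ON LOCAL NETWORK-----------------------------
    # The LAN gets unrestricted access to the gateway itself: every service
    # listening on the LAN interface is reachable from LOCALNET.
    iptables -A INPUT -i "$LOCAL_INTERFACE_1" -s "$LOCALNET" -j ACCEPT
    iptables -A OUTPUT -o "$LOCAL_INTERFACE_1" -d "$LOCALNET" -j ACCEPT
    #----------------------------------------------------------------------------------------------------
    #DROP MALFORMED TCP------------------------------------------------------
    # All flags set, or no flags set, is never a legitimate segment.
    iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
    iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP
    iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
    iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
    #BLOCK SPOOFED LAN SOURCES------------------------------------------------------
    # Negation is written "! -s", the form every iptables release accepts;
    # the older "-s !" form is rejected by current releases.
    iptables -A FORWARD -i "$LOCAL_INTERFACE_1" ! -s "$LOCALNET" -j DROP
    #SEND PACKAGE FROM LOCAL TO OUT NETWORK------------------------------------------------------
    # LAN hosts may open anything outbound; there is no egress filtering here.
    iptables -A FORWARD -m state --state NEW,ESTABLISHED \
      -i "$LOCAL_INTERFACE_1" -s "$LOCALNET" -j ACCEPT
    #RECEIVE PACKAGE GROUP IN------------------------------------------------------
    # Only replies (and conntrack-helper RELATED flows, e.g. FTP data) come
    # back in from the external side.
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED \
      -i "$EXT_INTERFACE" ! -s "$LOCALNET" -j ACCEPT
    #SET INTERNAL TRAFFIC OUTGOING------------------------------------------------------
    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables -A POSTROUTING -t nat -o "$EXT_INTERFACE" -j MASQUERADE
    #-----------------------------------------------------------------------------------------------------------------------------
    #BLOCKED ADDRESSES-------------------------------------------------------------------------
    # /etc/rc.d/rc.firewall.blocked holds one IPv4 address per line; leading
    # blanks are skipped and anything after the address on the line is
    # ignored.  sed keeps only the leading run of [0-9.] characters, so no
    # other text from the file ever reaches an iptables command line, and
    # awk '$1' discards lines that yielded nothing.  The list is piped
    # straight into the loop: the original wrote it to a fixed file name in
    # /tmp, which any local user could pre-create or symlink before boot.
    deny_file="/etc/rc.d/rc.firewall.blocked"
    if [ -f "$deny_file" ]; then
      sed -n -e 's/^[ ]*\([0-9.]*\).*$/\1/p' "$deny_file" | awk '$1' |
      while read -r ip_addy; do
        iptables -A INPUT -i "$EXT_INTERFACE" -s "$ip_addy" -j DROP
        iptables -A INPUT -i "$EXT_INTERFACE" -d "$ip_addy" -j DROP
        iptables -A OUTPUT -o "$EXT_INTERFACE" -s "$ip_addy" -j REJECT
        iptables -A OUTPUT -o "$EXT_INTERFACE" -d "$ip_addy" -j REJECT
      done
    fi
    unset deny_file
    #------------------------------------------------------------------------------------------------------------------------
    #SPOOFING & BAD ADDRESSES--------------------------------------------------
    # Packets claiming our own address or RFC 1918 space as source.  These
    # have no -i, but LOCALNET on the LAN interface was already accepted
    # above, so they only bite on the external side.
    iptables -A INPUT -s "$IP_ADDR" -j DROP
    iptables -A INPUT -s "$CLASS_A" -j DROP
    iptables -A INPUT -s "$CLASS_B" -j DROP
    # Left off because the LAN is 192.168.x; restricted to the external
    # interface (-i "$EXT_INTERFACE") it would be safe to enable.
    #iptables -A INPUT -s $CLASS_C -j DROP
    #DROP BROADCAST ADDRESS SOURCE PACKETS------------------------
    iptables -A INPUT -s "$BROADCAST_DEST" -j DROP
    iptables -A INPUT -d "$BROADCAST_SRC" -j DROP
    #DROP CLASS D MULTICAST ADDRESS------------------------
    iptables -A INPUT -s "$CLASS_D_MULTICAST" -j DROP
    #DROP CLASS E RESERVED IP ADDRESS------------------------
    iptables -A INPUT -s "$CLASS_E_RESERVED_NET" -j DROP
    #DROP SPECIAL ADDRESSES BY IANA.-----------------------------
    #Note: This list includes the loopback, multicast, & reserved addresses.
    #0.*.*.*-----------------"this" network (DHCP clients use it as source)
    #127.*.*.*--------------LoopBack (the lo accept above comes first)
    #169.254.*.*-----------Link Local Networks
    #192.0.2.*---------------TEST-NET
    #224-255.*.*.*---------Classes D & E, plus unallocated.
    iptables -A INPUT -s 0.0.0.0/8 -j DROP
    iptables -A INPUT -s "$LOOPBACK" -j DROP
    iptables -A INPUT -s 169.254.0.0/16 -j DROP
    iptables -A INPUT -s 192.0.2.0/24 -j DROP
    iptables -A INPUT -s 224.0.0.0/3 -j DROP
    #--------------------------------------------------------------------------------------------------------
    #UDP TRACEROUTE
    #traceroute usually uses -S 32769:65535 -D 33434:33523
    # Inbound probes are dropped; our own outbound traceroute is allowed.
    iptables -A INPUT -i "$EXT_INTERFACE" -p udp \
      --source-port "$TRACEROUTE_SRC_PORTS" \
      -d "$IP_ADDR" --destination-port "$TRACEROUTE_DEST_PORTS" -j DROP
    iptables -A OUTPUT -o "$EXT_INTERFACE" -p udp \
      -s "$IP_ADDR" --source-port "$TRACEROUTE_SRC_PORTS" \
      --destination-port "$TRACEROUTE_DEST_PORTS" -j ACCEPT
    #---------------------------------------------------------------------------------------------------------
    #DNS forward-only nameserver
    # Only PRI_DNS may answer; "! --syn" on the TCP side means answers to
    # queries we started, never a new inbound TCP connection.
    iptables -A INPUT -i "$EXT_INTERFACE" -p udp \
      -s "$PRI_DNS" --source-port 53 \
      -d "$IP_ADDR" --destination-port "$UNPRIV_PORTS" -j ACCEPT
    iptables -A OUTPUT -o "$EXT_INTERFACE" -p udp \
      -s "$IP_ADDR" --source-port "$UNPRIV_PORTS" \
      -d "$PRI_DNS" --destination-port 53 -j ACCEPT
    iptables -A INPUT -i "$EXT_INTERFACE" -p tcp ! --syn \
      -s "$PRI_DNS" --source-port 53 \
      -d "$IP_ADDR" --destination-port "$UNPRIV_PORTS" -j ACCEPT
    iptables -A OUTPUT -o "$EXT_INTERFACE" -p tcp \
      -s "$IP_ADDR" --source-port "$UNPRIV_PORTS" \
      -d "$PRI_DNS" --destination-port 53 -j ACCEPT
    #----------------------------------------------------------------------------------------------------------------
    # The client templates below follow the same pattern as the DNS rules:
    # INPUT accepts only "! --syn" replies from the service port, OUTPUT
    # accepts requests from our unprivileged ports.  Uncomment a pair to
    # enable that service for the gateway itself (LAN hosts are covered by
    # the FORWARD rules above, not by these).
    #----------------------------------------------------------------------------------------------------------------
    #HTTP CLIENT (80)
    #iptables -A INPUT -i $EXT_INTERFACE -p tcp ! --syn \
    #--source-port 80 \
    #-d $IP_ADDR --destination-port $UNPRIV_PORTS -j ACCEPT
    #iptables -A OUTPUT -o $EXT_INTERFACE -p tcp \
    #-s $IP_ADDR --source-port $UNPRIV_PORTS \
    #--destination-port 80 -j ACCEPT
    #----------------------------------------------------------------------------------------------------------------
    #HTTPS CLIENT (443)
    #iptables -A INPUT -i $EXT_INTERFACE -p tcp ! --syn \
    #--source-port 443 \
    #-d $IP_ADDR --destination-port $UNPRIV_PORTS -j ACCEPT
    #iptables -A OUTPUT -o $EXT_INTERFACE -p tcp \
    #-s $IP_ADDR --source-port $UNPRIV_PORTS \
    #--destination-port 443 -j ACCEPT
    #----------------------------------------------------------------------------------------------------------------
    #WWW-CACHE CLIENT
    #iptables -A INPUT -i $EXT_INTERFACE -p tcp ! --syn \
    #--source-port 3128 \
    #-d $IP_ADDR --destination-port $UNPRIV_PORTS -j ACCEPT
    #iptables -A OUTPUT -o $EXT_INTERFACE -p tcp \
    #-s $IP_ADDR --source-port $UNPRIV_PORTS \
    #--destination-port 3128 -j ACCEPT
    #----------------------------------------------------------------------------------------------------------------
    #NNTP NEWS CLIENT (119)
    #iptables -A INPUT -i $EXT_INTERFACE -p tcp ! --syn \
    #--source-port 119 \
    #-d $IP_ADDR --destination-port $UNPRIV_PORTS -j ACCEPT
    #iptables -A OUTPUT -o $EXT_INTERFACE -p tcp \
    #-s $IP_ADDR --source-port $UNPRIV_PORTS \
    #--destination-port 119 -j ACCEPT
    #----------------------------------------------------------------------------------------------------------------
    #POP CLIENT (110)
    #iptables -A INPUT -i $EXT_INTERFACE -p tcp ! --syn \
    #--source-port 110 \
    #-d $IP_ADDR --destination-port $UNPRIV_PORTS -j ACCEPT
    #iptables -A OUTPUT -o $EXT_INTERFACE -p tcp \
    #-s $IP_ADDR --source-port $UNPRIV_PORTS \
    #--destination-port 110 -j ACCEPT
    #----------------------------------------------------------------------------------------------------------------
    #IMAP CLIENT (143)
    #iptables -A INPUT -i $EXT_INTERFACE -p tcp ! --syn \
    #--source-port 143 \
    #-d $IP_ADDR --destination-port $UNPRIV_PORTS -j ACCEPT
    #iptables -A OUTPUT -o $EXT_INTERFACE -p tcp \
    #-s $IP_ADDR --source-port $UNPRIV_PORTS \
    #--destination-port 143 -j ACCEPT
    #----------------------------------------------------------------------------------------------------------------
    #SMTP CLIENT (25)
    #iptables -A INPUT -i $EXT_INTERFACE -p tcp ! --syn \
    #--source-port 25 \
    #-d $IP_ADDR --destination-port $UNPRIV_PORTS -j ACCEPT
    #iptables -A OUTPUT -o $EXT_INTERFACE -p tcp \
    #-s $IP_ADDR --source-port $UNPRIV_PORTS \
    #--destination-port 25 -j ACCEPT
    #----------------------------------------------------------------------------------------------------------------
    #SSH SERVER (22)
    # Port 22 is open to every external source.  If the administrators
    # connect from known addresses, add "-s <admin-address>" to the INPUT
    # rule to shrink the exposure.
    iptables -A INPUT -i "$EXT_INTERFACE" -p tcp \
      --source-port "$SSH_REMOTE_PORTS" \
      -d "$IP_ADDR" --destination-port 22 -j ACCEPT
    iptables -A OUTPUT -o "$EXT_INTERFACE" -p tcp ! --syn \
      -s "$IP_ADDR" --source-port 22 \
      --destination-port "$SSH_REMOTE_PORTS" -j ACCEPT
    #SSH CLIENT (22)
    iptables -A INPUT -i "$EXT_INTERFACE" -p tcp ! --syn \
      --source-port 22 \
      -d "$IP_ADDR" --destination-port "$SSH_LOCAL_PORTS" -j ACCEPT
    iptables -A OUTPUT -o "$EXT_INTERFACE" -p tcp \
      -s "$IP_ADDR" --source-port "$SSH_LOCAL_PORTS" \
      --destination-port 22 -j ACCEPT
    #----------------------------------------------------------------------------------------------------------------
    #TELNET CLIENT (23)
    #iptables -A INPUT -i $EXT_INTERFACE -p tcp ! --syn \
    #--source-port 23 \
    #-d $IP_ADDR --destination-port $UNPRIV_PORTS -j ACCEPT
    #iptables -A OUTPUT -o $EXT_INTERFACE -p tcp \
    #-s $IP_ADDR --source-port $UNPRIV_PORTS \
    #--destination-port 23 -j ACCEPT
    #----------------------------------------------------------------------------------------------------------------
    #AUTH SERVER (113)
    #Reject, rather than deny, the incoming auth port. (NET-3-HOWTO)
    #iptables -A INPUT -i $EXT_INTERFACE -p tcp \
    #--source-port $UNPRIV_PORTS \
    #-d $IP_ADDR --destination-port 113 -j REJECT
    #AUTH CLIENT (113)
    #iptables -A INPUT -i $EXT_INTERFACE -p tcp ! --syn \
    #--source-port 113 \
    #-d $IP_ADDR --destination-port $UNPRIV_PORTS -j ACCEPT
    #iptables -A OUTPUT -o $EXT_INTERFACE -p tcp \
    #-s $IP_ADDR --source-port $UNPRIV_PORTS \
    #--destination-port 113 -j ACCEPT
    #----------------------------------------------------------------------------------------------------------------
    #WHOIS CLIENT (43)
    #iptables -A INPUT -i $EXT_INTERFACE -p tcp ! --syn \
    #--source-port 43 \
    #-d $IP_ADDR --destination-port $UNPRIV_PORTS -j ACCEPT
    #iptables -A OUTPUT -o $EXT_INTERFACE -p tcp \
    #-s $IP_ADDR --source-port $UNPRIV_PORTS \
    #--destination-port 43 -j ACCEPT
    #----------------------------------------------------------------------------------------------------------------
    #FINGER CLIENT (79)
    #iptables -A INPUT -i $EXT_INTERFACE -p tcp ! --syn \
    #--source-port 79 \
    #-d $IP_ADDR --destination-port $UNPRIV_PORTS -j ACCEPT
    #iptables -A OUTPUT -o $EXT_INTERFACE -p tcp \
    #-s $IP_ADDR --source-port $UNPRIV_PORTS \
    #--destination-port 79 -j ACCEPT
    #----------------------------------------------------------------------------------------------------------------
    #FTP CLIENT (21)
    #outgoing request
    #iptables -A OUTPUT -o $EXT_INTERFACE -p tcp \
    #-s $IP_ADDR --source-port $UNPRIV_PORTS \
    #--destination-port 21 -j ACCEPT
    #iptables -A INPUT -i $EXT_INTERFACE -p tcp ! --syn \
    #--source-port 21 \
    #-d $IP_ADDR --destination-port $UNPRIV_PORTS -j ACCEPT
    #PORT mode data channel
    #iptables -A INPUT -i $EXT_INTERFACE -p tcp \
    #--source-port 20 \
    #-d $IP_ADDR --destination-port $UNPRIV_PORTS -j ACCEPT
    #iptables -A OUTPUT -o $EXT_INTERFACE -p tcp ! --syn \
    #-s $IP_ADDR --source-port $UNPRIV_PORTS \
    #--destination-port 20 -j ACCEPT
    #----------------------------------------------------------------------------------------------------------------
    #IRC CLIENT (6667)
    #iptables -A INPUT -i $EXT_INTERFACE -p tcp ! --syn \
    #--source-port 6667 \
    #-d $IP_ADDR --destination-port $UNPRIV_PORTS -j ACCEPT
    #iptables -A OUTPUT -o $EXT_INTERFACE -p tcp \
    #-s $IP_ADDR --source-port $UNPRIV_PORTS \
    #--destination-port 6667 -j ACCEPT
    #iptables -A INPUT -i $EXT_INTERFACE -p tcp \
    #--source-port $UNPRIV_PORTS \
    #-d $IP_ADDR --destination-port $UNPRIV_PORTS -j ACCEPT
    #iptables -A OUTPUT -o $EXT_INTERFACE -p tcp \
    #-s $IP_ADDR --source-port $UNPRIV_PORTS \
    #--destination-port $UNPRIV_PORTS -j ACCEPT
    #----------------------------------------------------------------------------------------------------------------
    #RealAudio / QuickTime Client
    #iptables -A INPUT -i $EXT_INTERFACE -p tcp ! --syn \
    #--source-port 554 \
    #-d $IP_ADDR --destination-port $UNPRIV_PORTS -j ACCEPT
    #iptables -A OUTPUT -o $EXT_INTERFACE -p tcp \
    #-s $IP_ADDR --source-port $UNPRIV_PORTS \
    #--destination-port 554 -j ACCEPT
    #TCP is a more secure method : 7070:7071
    #iptables -A INPUT -i $EXT_INTERFACE -p tcp ! --syn \
    #--source-port 7070:7071 \
    #-d $IP_ADDR --destination-port $UNPRIV_PORTS -j ACCEPT
    #iptables -A OUTPUT -o $EXT_INTERFACE -p tcp \
    #-s $IP_ADDR --source-port $UNPRIV_PORTS \
    #--destination-port 7070:7071 -j ACCEPT
    #UDP is the preferred method: 6970:6999
    #For LAN machines, UDP requires the RealAudio masquerading module and
    #the ipmasqadm third-party software.
    #iptables -A INPUT -i $EXT_INTERFACE -p udp \
    #--source-port $UNPRIV_PORTS \
    #-d $IP_ADDR --destination-port 6970:6999 -j ACCEPT
    #iptables -A OUTPUT -o $EXT_INTERFACE -p udp \
    #-s $IP_ADDR --source-port 6970:6999 \
    #--destination-port $UNPRIV_PORTS -j ACCEPT
    #-------------------------------------------------------------------------------------
    #ICQ client (4000)
    #iptables -A INPUT -i $EXT_INTERFACE -p tcp ! --syn \
    #--source-port 2000:4000 \
    #-d $IP_ADDR --destination-port $UNPRIV_PORTS -j ACCEPT
    #iptables -A OUTPUT -o $EXT_INTERFACE -p tcp \
    #-s $IP_ADDR --source-port $UNPRIV_PORTS \
    #--destination-port 2000:4000 -j ACCEPT
    #iptables -A INPUT -i $EXT_INTERFACE -p udp \
    #--source-port 4000 \
    #-d $IP_ADDR --destination-port $UNPRIV_PORTS -j ACCEPT
    #iptables -A OUTPUT -o $EXT_INTERFACE -p udp \
    #-s $IP_ADDR --source-port $UNPRIV_PORTS \
    #--destination-port 4000 -j ACCEPT
    #-------------------------------------------------------------------------------------
    #SYSLOG client (514)
    # Define SYSLOG_SERVER in the network information block before enabling.
    # (The original template had single-dash -source-port/-destination-port.)
    #iptables -A OUTPUT -o $EXT_INTERFACE -p udp \
    #-s $IP_ADDR --source-port 514 \
    #-d $SYSLOG_SERVER --destination-port $UNPRIV_PORTS -j ACCEPT
    #-------------------------------------------------------------------------------------
    #ICMP
    #iptables -A INPUT -i $EXT_INTERFACE -p icmp \
    #--icmp-type echo-reply \
    #-d $IP_ADDR -j ACCEPT
    #iptables -A INPUT -i $EXT_INTERFACE -p icmp \
    #--icmp-type destination-unreachable \
    #-d $IP_ADDR -j ACCEPT
    #iptables -A INPUT -i $EXT_INTERFACE -p icmp \
    #--icmp-type source-quench \
    #-d $IP_ADDR -j ACCEPT
    #iptables -A INPUT -i $EXT_INTERFACE -p icmp \
    #--icmp-type time-exceeded \
    #-d $IP_ADDR -j ACCEPT
    #iptables -A INPUT -i $EXT_INTERFACE -p icmp \
    #--icmp-type parameter-problem \
    #-d $IP_ADDR -j ACCEPT
    #iptables -A OUTPUT -o $EXT_INTERFACE -p icmp \
    #-s $IP_ADDR --icmp-type fragmentation-needed -j ACCEPT
    #iptables -A OUTPUT -o $EXT_INTERFACE -p icmp \
    #-s $IP_ADDR --icmp-type source-quench -j ACCEPT
    #iptables -A OUTPUT -o $EXT_INTERFACE -p icmp \
    #-s $IP_ADDR --icmp-type echo-request -j ACCEPT
    #iptables -A OUTPUT -o $EXT_INTERFACE -p icmp \
    #-s $IP_ADDR --icmp-type parameter-problem -j ACCEPT
    #-------------------------------------------------------------------------------------
    #CATCH-ALL DROPS ON THE EXTERNAL INTERFACE
    # Nothing is logged here, despite the original heading: ipt_LOG is not
    # loaded and no LOG target is used.  To see what gets dropped, load
    # ipt_LOG above and put a "-j LOG --log-prefix" rule with the same match
    # in front of each DROP.
    iptables -A INPUT -i "$EXT_INTERFACE" -p tcp -j DROP
    iptables -A INPUT -i "$EXT_INTERFACE" -p udp \
      --destination-port "$PRIV_PORTS" -j DROP
    iptables -A INPUT -i "$EXT_INTERFACE" -p udp \
      --destination-port "$UNPRIV_PORTS" -j DROP
    iptables -A INPUT -i "$EXT_INTERFACE" -p icmp \
      --icmp-type 5 -j DROP
    iptables -A INPUT -i "$EXT_INTERFACE" -p icmp \
      --icmp-type 13/255 -j DROP
    # Everything else leaving through the external interface is rejected.
    # (The original line ended in a stray backslash, which spliced the next
    # comment line onto this command.)
    iptables -A OUTPUT -o "$EXT_INTERFACE" -j REJECT
    #-------------------------------------------------------------------------------------
    # Examples of rejecting a single destination.  Both were unfinished in
    # the original ("website ipaddress" is not valid syntax) and sat after
    # the catch-all REJECT, where they can never match; fill in an address
    # and move them ABOVE that REJECT to use them.  A hostname given to -d
    # is resolved once, when the rule is loaded.
    #iptables -A OUTPUT -o "$EXT_INTERFACE" -p tcp -s "$IP_ADDR" -d <website-ip> --dport www -j REJECT
    #iptables -A OUTPUT -d www.example.com -j REJECT
    iptables -L OUTPUT
    ;;
  stop)
    printf '%s' "Shutting Firewall : "
    # Mirror start: flush filter and nat, drop user chains, open the policies.
    iptables -F
    iptables -F -t nat
    iptables -X
    iptables -X -t nat
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
    # start turned routing on; with the FORWARD policy now ACCEPT and no
    # MASQUERADE rule left, keep it off until the next start, otherwise the
    # box forwards LAN traffic with no filtering at all.
    echo 0 > /proc/sys/net/ipv4/ip_forward
    ;;
  status)
    # iptables is not a daemon, so the init-script 'status' helper (which
    # looks for a running process) always reported it as stopped.  Show the
    # live rule set instead.
    iptables -n -L
    iptables -n -L -t nat
    ;;
  restart|reload)
    "$0" stop
    "$0" start
    ;;
  *)
    echo "Usage: $0 {start|stop|status|restart|reload}" >&2
    exit 1
    ;;
esac
echo "done"
exit 0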
Next, save this file and change its permissions with the commands below:
#chmod 700 /etc/rc.d/init.d/firewall
#chown 0.0 /etc/rc.d/init.d/firewall
#chkconfig --add firewall
#chkconfig --level 2345 firewall on
Start your firewall with the command:
#/etc/init.d/firewall start or #service firewall start
If there is no problem, your firewall is running.
Commands you can use to control your firewall:
Start Firewall : #service firewall start
Stop Firewall : #service firewall stop
Status Firewall : #service firewall status
Restart Firewall : #service firewall restart
Reload Firewall : #service firewall reload
Secure Firewall
sakimustafa wrote: Please explain me
-p tcp ! --syn
TCP SYN : This technique is often referred to as "half-open" scanning, because you don't open a full TCP connection. You send a SYN packet, as if you are going to open a real connection, and wait for a response. A SYN|ACK indicates the port is listening. A RST is indicative of a non-listener. If a SYN|ACK is received, you immediately send a RST to tear down the connection (actually the kernel does this for us). The primary advantage of this scanning technique is that fewer sites will log it, and your iptables connection count does not increase. In the rule quoted above, `! --syn` is an iptables match, not a scan: it matches TCP packets that are not a bare SYN, so that INPUT rule only accepts packets belonging to connections this host already opened and never accepts a new inbound connection on that port.
Dear Asif Bakali,
I just want to know how we can integrate MAC-address-based security in this firewall, for example:
iptables -A INPUT -i eth1 -m mac --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT
Now I have a list of MAC addresses; only those should be allowed and the rest dropped.
Can you tell me how to implement your firewall with MAC addresses?
And one more thing, a bit off topic:
can you tell me or guide me in creating a script that limits bandwidth on a per-user basis to exactly 15 KB without adding high latency?
Looking forward to your response.
mudasir wrote: Dear Asif Bakali,
I just want to know how can we integrate MAC address base security in this firewall like for example
iptables -A INPUT -i eth1 -m mac --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT
now i have a list of MAC Address only which i want to allow and rest should be dropped...
Can you tell me how to implement you firewall with MAC Address
and one more thing, it is a bit out of the topic....
can you tell me or guide me in creating a script that can limit bandwidth on per user base to exact 15 KB with out giving high latency.
looking forward for your response
Create a file mac.addresses and put one host per line, in this form:
00:00:00:00:00:00 10.0.0.2 # user 1
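### Replace with PROTECT FOR NETWORK ERROR Tag
# MAC allow-list for the hosts on $LAN_IF.  Hosts whose (MAC, IP) pair is
# listed in $MACDIR/mac.addresses pass through untouched; every other TCP
# flow is marked and DNAT'ed to 10.0.0.1:80 (a captive/notice page).  Two
# caveats: this redirects rather than drops, and a MAC check only means
# something on the interface the hosts are directly attached to, where
# any host on the segment can copy a listed address - treat it as a
# convenience, not as authentication.
#
# mac.addresses: one host per line, '#' starts a comment, e.g.
#   00:00:00:00:00:00 10.0.0.2 # user 1
## Define your Mac Address Path
MACDIR="/extra/scripts"
# Interface the LAN hosts sit on (the original hard-coded eth0).
LAN_IF="eth0"
# The original never created the maccheck chain, so every -I into it
# failed.  Create it (ignore "already exists") and flush it, so a re-run
# does not stack duplicate rules.
iptables -t mangle -N maccheck 2>/dev/null
iptables -t mangle -F maccheck
iptables -t nat -I PREROUTING -m mark --mark 1 -p tcp -j DNAT --to-destination 10.0.0.1:80
iptables -t mangle -I maccheck -j RETURN
iptables -t mangle -I maccheck -j MARK --set-mark 1
# Strip comments, then let read split each line into mac / ip; no temp
# files, no sleeps, no echo|awk per line.  The original dropped any line
# *containing* '#', which discarded the documented "addr # comment"
# entries and left the allow-list empty.
sed -e 's/#.*//' "$MACDIR/mac.addresses" |
while read -r mac ip _; do
  [ -n "$mac" ] && [ -n "$ip" ] || continue
  # Each listed pair is inserted ahead of the MARK rule, so it RETURNs
  # before being marked and is never redirected.
  iptables -t mangle -I maccheck -m mac --mac-source "$mac" -s "$ip" -j RETURN
done
iptables -t mangle -I PREROUTING -i "$LAN_IF" -p tcp -j maccheck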
Since you're using it as a directory, it should be MACDIR. abakali wrote: ## Define your Mac Address Path
MACFILE="/extra/scripts"
rm -f $MACFILE/allowed.macs
Why >> and not >? cat $MACFILE/mac.addresses | awk '{ print $1, $2 }' >> $MACFILE/raw1
Why the sleeps? sleep 1
I think you mean '^$': cat $MACFILE/raw1 | grep -v '#' |grep -v '^\ ' > $MACFILE/allowed.macs
Learn to use shell builtins: mac=`echo $allowedmacs | awk '{ print $1 }'`
ip=`echo $allowedmacs | awk '{ print $2 }'`
cat allowed.macs | while read line
do
set $line
mac=$1
ip=$2
...
done