Secure Firewall

Protecting your Linux box
Post Reply
abakali
Naik
Posts: 91
Joined: Wed Jun 01, 2005 5:38 pm

Secure Firewall

Post by abakali »

Gateway Firewall
is connector between internal network and external network, In this case use connecting with Lease Line you need to have 2 network card for connect to external network (eth0) and connect to internal network (eth1 for LAN and have private ip such as 192.168.1.1) . Next, Create firewall file in /etc/rc.d/init.d/ by command :

#vi /etc/rc.d/init.d/firewall

Add firewall script as below, some services is disable if you need to use you can uncomment that service line for enable it to working
#!/bin/sh
#chkconfig: 2345 60 95
#description: IPTABLES Firewall \

#CALL FUNCTION-------------------------------
. /etc/rc.d/init.d/functions
#CHECK NETWORK----------------------------
. /etc/sysconfig/network
#CHECK NETWORK STATUS-----------------
if [ ${NETWORKING} = "no" ]
then
exit 0
fi
if [ ! -x /sbin/iptables ]; then
exit 0
fi


#CREATE SCRIPT FOR PARAMETER BEHIND SERVICE---------------------------
case "$1" in
start)
echo -n "Starting Firewall : "
#-----------------------------------------------------------------------------------------------------
#YOUR NETWORK INFORMATION------------------------------------------------
IP_ADDR="your Public IP Address"
EXT_INTERFACE="eth0"
LO_INTERFACE="lo"
LOCAL_INTERFACE_1="eth1"
LOCALNET="192.168.1.0/24"
PRI_DNS="your Primary DNS"
LOOPBACK="127.0.0.0/8"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"
CLASS_E_RESERVED_NET="240.0.0.0/5"
BROADCAST_SRC="0.0.0.0"
BROADCAST_DEST="255.255.255.255"
PRIV_PORTS="0:1023"
UNPRIV_PORTS="1024:"
#--------------------------------------------------------------------------------------------
#USE SSH CLIENT---------------------------------------------------------------
SSH_LOCAL_PORTS="1022:65535"
SSH_REMOTE_PORTS="513:65535"
#USE TRACEROUTE------------------------------------------------------------
TRACEROUTE_SRC_PORTS="32769:65535"
TRACEROUTE_DEST_PORTS="33434:33523"
#----------------------------------------------------------------------------------------------
#FIREWALL MODULES---------------------------------------------------------
/sbin/modprobe ip_tables
/sbin/modprobe iptable_nat
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ipt_LOG
#/sbin/modprobe ipt_MARK
#/sbin/modprobe ipt_MASQUERADE
#/sbin/modprobe ipt_REDIRECT
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_TOS
#/sbin/modprobe ipt_limit
#/sbin/modprobe ipt_mac
#/sbin/modprobe ipt_mark
#/sbin/modprobe ipt_multiport
#/sbin/modprobe ipt_state
#/sbin/modprobe ipt_tos
#/sbin/modprobe iptable_mangle
#-----------------------------------------------------------------------------------------------
#DELTE ALL OLD CHAINS----------------------------------------
iptables -F
iptables -F -t nat
#DELETE CHAINS FOR USER CREATE-------------------------
iptables -X
#SET POLICY ALL TO DENY--------------------------------------
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
#---------------------------------------------------------------------------------------------------
#UNLIMITED TRAFFIC ON LOOPBACK-----------------------------
iptables -A INPUT -i $LO_INTERFACE -j ACCEPT
iptables -A OUTPUT -o $LO_INTERFACE -j ACCEPT
#----------------------------------------------------------------------------------------------------
#UNLIMITED TRAFFIC ON LOCAL NETWORK-----------------------------
iptables -A INPUT -i $LOCAL_INTERFACE_1 -s $LOCALNET -j ACCEPT
iptables -A OUTPUT -o $LOCAL_INTERFACE_1 -d $LOCALNET -j ACCEPT
#----------------------------------------------------------------------------------------------------
#DROP PACKAGE FOR ERROR------------------------------------------------------
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP
#DROP NONE DATA PACKAGE------------------------------------------------------
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
#BLOCK PACKAGE------------------------------------------------------
iptables -A FORWARD -i $LOCAL_INTERFACE_1 -s ! $LOCALNET -j DROP
#SEND PACKAGE FROM LOCAL TO OUT NETWORK------------------------------------------------------
iptables -A FORWARD -m state --state NEW,ESTABLISHED \
-i $LOCAL_INTERFACE_1 -s $LOCALNET -j ACCEPT
#RECEIVE PACKAGE GROUP IN------------------------------------------------------
iptables -A FORWARD -m state --state ESTABLISHED,RELATED \
-i $EXT_INTERFACE -s ! $LOCALNET -j ACCEPT
#SET INTERNAL TRAFFIC OUTGOING------------------------------------------------------
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A POSTROUTING -t nat -o $EXT_INTERFACE -j MASQUERADE
#-----------------------------------------------------------------------------------------------------------------------------
#PROTECT FOR NETWORK ERROR-------------------------------------------------------------------------
#/etc/rc.d/rc.firewall.blocked contains a list of
#iptables -A INPUT -i $EXT_INTERFACE -s address -j DROP
#MANAGE FOR WEBSITE ERROR-------------------------------------------------------------
if [ -f /etc/rc.d/rc.firewall.blocked ]; then
deny_file="/etc/rc.d/rc.firewall.blocked"
temp_file="/tmp/temp.ip.addresses"
cat $deny_file | sed -n -e "s/^[ ]*\ ([0-9.]*\).*$/\ 1/p" \
| awk '$1' > $temp_file
while read ip_addy
do
case $ip_addy in
*) iptables -A INPUT -i $EXT_INTERFACE -s $ip_addy -j DROP
iptables -A INPUT -i $EXT_INTERFACE -d $ip_addy -j DROP
iptables -A OUTPUT -o $EXT_INTERFACE -s $ip_addy -j REJECT
iptables -A OUTPUT -o $EXT_INTERFACE -d $ip_addy -j REJECT
;;
esac
done < $temp_file
rm -f $temp_file > /dev/null 2>&1
unset temp_file
unset deny_file
fi
#------------------------------------------------------------------------------------------------------------------------
#SPOOFING & BAD ADDRESSES--------------------------------------------------
iptables -A INPUT -s $IP_ADDR -j DROP
iptables -A INPUT -s $CLASS_A -j DROP
iptables -A INPUT -s $CLASS_B -j DROP
#iptables -A INPUT -s $CLASS_C -j DROP
#DROP BROADCAST ADDRESS SOURCE PACKETS------------------------
iptables -A INPUT -s $BROADCAST_DEST -j DROP
iptables -A INPUT -d $BROADCAST_SRC -j DROP
#DROP CLASS D MULTICAST ADDRESS------------------------
iptables -A INPUT -s $CLASS_D_MULTICAST -j DROP
#DROP CLASS E RESERVED IP ADDRESS------------------------
iptables -A INPUT -s $CLASS_E_RESERVED_NET -j DROP
#DROP SPECIAL ADDRESSES BY IANA.-----------------------------
#Note: This list includes the loopback, multicast, & reserved addresses.
#0.*.*.* NOT USE DHCP USERS.
#127.*.*.*--------------LoopBack
#169.254.*.*-----------Link Local Networks
#192.0.2.*---------------TEST-NET
#224-255.*.*.*---------Classes D & E, plus unallocated.
iptables -A INPUT -s 0.0.0.0/8 -j DROP
iptables -A INPUT -s 127.0.0.0/8 -j DROP
iptables -A INPUT -s 169.254.0.0/16 -j DROP
iptables -A INPUT -s 192.0.2.0/24 -j DROP
iptables -A INPUT -s 224.0.0.0/3 -j DROP
#--------------------------------------------------------------------------------------------------------
#UDP TRACEROUTE
#traceroute usually uses -S 32769:65535 -D 33434:33523
iptables -A INPUT -i $EXT_INTERFACE -p udp \
--source-port $TRACEROUTE_SRC_PORTS \
-d $IP_ADDR --destination-port $TRACEROUTE_DEST_PORTS -j DROP
iptables -A OUTPUT -o $EXT_INTERFACE -p udp \
-s $IP_ADDR --source-port $TRACEROUTE_SRC_PORTS \
--destination-port $TRACEROUTE_DEST_PORTS -j ACCEPT
#---------------------------------------------------------------------------------------------------------
#DNS forward-only nameserver
iptables -A INPUT -i $EXT_INTERFACE -p udp \
-s $PRI_DNS --source-port 53 \
-d $IP_ADDR --destination-port $UNPRIV_PORTS -j ACCEPT
iptables -A OUTPUT -o $EXT_INTERFACE -p udp \
-s $IP_ADDR --source-port $UNPRIV_PORTS \
-d $PRI_DNS --destination-port 53 -j ACCEPT
iptables -A INPUT -i $EXT_INTERFACE -p tcp ! --syn \
-s $PRI_DNS --source-port 53 \
-d $IP_ADDR --destination-port $UNPRIV_PORTS -j ACCEPT
iptables -A OUTPUT -o $EXT_INTERFACE -p tcp \
-s $IP_ADDR --source-port $UNPRIV_PORTS \
-d $PRI_DNS --destination-port 53 -j ACCEPT
#----------------------------------------------------------------------------------------------------------------
#HTTP CLIENT (80)
#iptables -A INPUT -i $EXT_INTERFACE -p tcp ! --syn \
#--source-port 80 \
#-d $IP_ADDR --destination-port $UNPRIV_PORTS -j ACCEPT
#iptables -A OUTPUT -o $EXT_INTERFACE -p tcp \
#-s $IP_ADDR --source-port $UNPRIV_PORTS \
#--destination-port 80 -j ACCEPT
#----------------------------------------------------------------------------------------------------------------
#HTTPS CLIENT (443)
#iptables -A INPUT -i $EXT_INTERFACE -p tcp ! --syn \
#--source-port 443 \
#-d $IP_ADDR --destination-port $UNPRIV_PORTS -j ACCEPT
#iptables -A OUTPUT -o $EXT_INTERFACE -p tcp \
#-s $IP_ADDR --source-port $UNPRIV_PORTS \
#--destination-port 443 -j ACCEPT
#----------------------------------------------------------------------------------------------------------------
#WWW-CACHE CLIENT
#iptables -A INPUT -i $EXT_INTERFACE -p tcp ! --syn \
#--source-port 3128 \
#-d $IP_ADDR --destination-port $UNPRIV_PORTS -j ACCEPT
#iptables -A OUTPUT -o $EXT_INTERFACE -p tcp \
#-s $IP_ADDR --source-port $UNPRIV_PORTS \
#--destination-port 3128 -j ACCEPT
#----------------------------------------------------------------------------------------------------------------
#NNTP NEWS CLIENT (119)
#iptables -A INPUT -i $EXT_INTERFACE -p tcp ! --syn \
#--source-port 119 \
#-d $IP_ADDR --destination-port $UNPRIV_PORTS -j ACCEPT
#iptables -A OUTPUT -o $EXT_INTERFACE -p tcp \
#-s $IP_ADDR --source-port $UNPRIV_PORTS \
#--destination-port 119 -j ACCEPT
#----------------------------------------------------------------------------------------------------------------
#POP CLIENT (110)
#iptables -A INPUT -i $EXT_INTERFACE -p tcp ! --syn \
#--source-port 110 \
#-d $IP_ADDR --destination-port $UNPRIV_PORTS -j ACCEPT
#iptables -A OUTPUT -o $EXT_INTERFACE -p tcp \
#-s $IP_ADDR --source-port $UNPRIV_PORTS \
#--destination-port 110 -j ACCEPT
#----------------------------------------------------------------------------------------------------------------
#IMAP CLIENT (143)
#iptables -A INPUT -i $EXT_INTERFACE -p tcp ! --syn \
#--source-port 143 \
#-d $IP_ADDR --destination-port $UNPRIV_PORTS -j ACCEPT
#iptables -A OUTPUT -o $EXT_INTERFACE -p tcp \
#-s $IP_ADDR --source-port $UNPRIV_PORTS \
#--destination-port 143 -j ACCEPT
#----------------------------------------------------------------------------------------------------------------
#SMTP CLIENT (25)
#iptables -A INPUT -i $EXT_INTERFACE -p tcp ! --syn \
#--source-port 25 \
#-d $IP_ADDR --destination-port $UNPRIV_PORTS -j ACCEPT
#iptables -A OUTPUT -o $EXT_INTERFACE -p tcp \
#-s $IP_ADDR --source-port $UNPRIV_PORTS \
#--destination-port 25 -j ACCEPT
#----------------------------------------------------------------------------------------------------------------
#SSH SERVER (22)
iptables -A INPUT -i $EXT_INTERFACE -p tcp \
--source-port $SSH_REMOTE_PORTS \
-d $IP_ADDR --destination-port 22 -j ACCEPT
iptables -A OUTPUT -o $EXT_INTERFACE -p tcp ! --syn \
-s $IP_ADDR --source-port 22 \
--destination-port $SSH_REMOTE_PORTS -j ACCEPT
#SSH CLIENT (22)
iptables -A INPUT -i $EXT_INTERFACE -p tcp ! --syn \
--source-port 22 \
-d $IP_ADDR --destination-port $SSH_LOCAL_PORTS -j ACCEPT
iptables -A OUTPUT -o $EXT_INTERFACE -p tcp \
-s $IP_ADDR --source-port $SSH_LOCAL_PORTS \
--destination-port 22 -j ACCEPT
#----------------------------------------------------------------------------------------------------------------
#TELNET CLIENT (23)
#iptables -A INPUT -i $EXT_INTERFACE -p tcp ! --syn \
#--source-port 23 \
#-d $IP_ADDR --destination-port $UNPRIV_PORTS -j ACCEPT
#iptables -A OUTPUT -o $EXT_INTERFACE -p tcp \
#-s $IP_ADDR --source-port $UNPRIV_PORTS \
#--destination-port 23 -j ACCEPT
#----------------------------------------------------------------------------------------------------------------
#AUTH SERVER (113)
#Reject, rather than deny, the incoming auth port. (NET-3-HOWTO)
#iptables -A INPUT -i $EXT_INTERFACE -p tcp \
#--source-port $UNPRIV_PORTS \
#-d $IP_ADDR --destination-port 113 -j REJECT
#AUTH CLIENT (113)
#iptables -A INPUT -i $EXT_INTERFACE -p tcp ! --syn \
#--source-port 113 \
#-d $IP_ADDR --destination-port $UNPRIV_PORTS -j ACCEPT
#iptables -A OUTPUT -o $EXT_INTERFACE -p tcp \
#-s $IP_ADDR --source-port $UNPRIV_PORTS \
#--destination-port 113 -j ACCEPT
#----------------------------------------------------------------------------------------------------------------
#WHOIS CLIENT (43)
#iptables -A INPUT -i $EXT_INTERFACE -p tcp ! --syn \
#--source-port 43 \
#-d $IP_ADDR --destination-port $UNPRIV_PORTS -j ACCEPT
#iptables -A OUTPUT -o $EXT_INTERFACE -p tcp \
#-s $IP_ADDR --source-port $UNPRIV_PORTS \
#--destination-port 43 -j ACCEPT
#----------------------------------------------------------------------------------------------------------------
#FINGER CLIENT (79)
#iptables -A INPUT -i $EXT_INTERFACE -p tcp ! --syn \
#--source-port 79 \
#-d $IP_ADDR --destination-port $UNPRIV_PORTS -j ACCEPT
#iptables -A OUTPUT -o $EXT_INTERFACE -p tcp \
#-s $IP_ADDR --source-port $UNPRIV_PORTS \
#--destination-port 79 -j ACCEPT
#----------------------------------------------------------------------------------------------------------------
#FTP CLIENT (21)
#outgoing request
#iptables -A OUTPUT -o $EXT_INTERFACE -p tcp \
#-s $IP_ADDR --source-port $UNPRIV_PORTS \
#--destination-port 21 -j ACCEPT
#iptables -A INPUT -i $EXT_INTERFACE -p tcp ! --syn \
#--source-port 21 \
#-d $IP_ADDR --destination-port $UNPRIV_PORTS -j ACCEPT
#PORT mode data channel
#iptables -A INPUT -i $EXT_INTERFACE -p tcp \
#--source-port 20 \
#-d $IP_ADDR --destination-port $UNPRIV_PORTS -j ACCEPT
#iptables -A OUTPUT -o $EXT_INTERFACE -p tcp ! --syn \
#-s $IP_ADDR --source-port $UNPRIV_PORTS \
#--destination-port 20 -j ACCEPT
#----------------------------------------------------------------------------------------------------------------
#IRC CLIENT (6667)
#iptables -A INPUT -i $EXT_INTERFACE -p tcp ! --syn \
#--source-port 6667 \
#-d $IP_ADDR --destination-port $UNPRIV_PORTS -j ACCEPT
#iptables -A OUTPUT -o $EXT_INTERFACE -p tcp \
#-s $IP_ADDR --source-port $UNPRIV_PORTS \
#--destination-port 6667 -j ACCEPT
#iptables -A INPUT -i $EXT_INTERFACE -p tcp \
#--source-port $UNPRIV_PORTS \
#-d $IP_ADDR --destination-port $UNPRIV_PORTS -j ACCEPT
#iptables -A OUTPUT -o $EXT_INTERFACE -p tcp \
#-s $IP_ADDR --source-port $UNPRIV_PORTS \
#--destination-port $UNPRIV_PORTS -j ACCEPT
#----------------------------------------------------------------------------------------------------------------
#RealAudio / QuickTime Client
#iptables -A INPUT -i $EXT_INTERFACE -p tcp ! --syn \
#--source-port 554 \
#-d $IP_ADDR --destination-port $UNPRIV_PORTS -j ACCEPT
#iptables -A OUTPUT -o $EXT_INTERFACE -p tcp \
#-s $IP_ADDR --source-port $UNPRIV_PORTS \
#--destination-port 554 -j ACCEPT
#TCP is a more secure method : 7070:7071
#iptables -A INPUT -i $EXT_INTERFACE -p tcp ! --syn \
#--source-port 7070:7071 \
#-d $IP_ADDR --destination-port $UNPRIV_PORTS -j ACCEPT
#iptables -A OUTPUT -o $EXT_INTERFACE -p tcp \
#-s $IP_ADDR --source-port $UNPRIV_PORTS \
#--destination-port 7070:7071 -j ACCEPT
#UDP is the preferred method: 6970:6999
#For LAN machines, UDP requires the RealAudio masquerading module and
#the ipmasqadm third-party software.
#iptables -A INPUT -i $EXT_INTERFACE -p udp \
#--source-port $UNPRIV_PORTS \
#-d $IP_ADDR --destination-port 6970:6999 -j ACCEPT
#iptables -A OUTPUT -o $EXT_INTERFACE -p udp \
#-s $IP_ADDR --source-port 6970:6999 \
#--destination-port $UNPRIV_PORTS -j ACCEPT
#-------------------------------------------------------------------------------------
#ICQ client (4000)
#iptables -A INPUT -i $EXT_INTERFACE -p tcp ! --syn \
#--source-port 2000:4000 \
#-d $IP_ADDR --destination-port $UNPRIV_PORTS -j ACCEPT
#iptables -A OUTPUT -o $EXT_INTERFACE -p tcp \
#-s $IP_ADDR --source-port $UNPRIV_PORTS \
#--destination-port 2000:4000 -j ACCEPT
#iptables -A INPUT -i $EXT_INTERFACE -p udp \
#--source-port 4000 \
#-d $IP_ADDR --destination-port $UNPRIV_PORTS -j ACCEPT
#iptables -A OUTPUT -o $EXT_INTERFACE -p udp \
#-s $IP_ADDR --source-port $UNPRIV_PORTS \
#--destination-port 4000 -j ACCEPT
#-------------------------------------------------------------------------------------
#SYSLOG client (514)
#iptables -A OUTPUT -o $EXT_INTERFACE -p udp \
#-s $IP_ADDR -source-port 514 \
#-d $SYSLOG_SERVER -destination-port $UNPRIV_PORTS -j ACCEPT
#-------------------------------------------------------------------------------------
#ICMP
#iptables -A INPUT -i $EXT_INTERFACE -p icmp \
#--icmp-type echo-reply \
#-d $IP_ADDR -j ACCEPT
#iptables -A INPUT -i $EXT_INTERFACE -p icmp \
#--icmp-type destination-unreachable \
#-d $IP_ADDR -j ACCEPT
#iptables -A INPUT -i $EXT_INTERFACE -p icmp \
#--icmp-type source-quench \
#-d $IP_ADDR -j ACCEPT
#iptables -A INPUT -i $EXT_INTERFACE -p icmp \
#--icmp-type time-exceeded \
#-d $IP_ADDR -j ACCEPT
#iptables -A INPUT -i $EXT_INTERFACE -p icmp \
#--icmp-type parameter-problem \
#-d $IP_ADDR -j ACCEPT
#iptables -A OUTPUT -o $EXT_INTERFACE -p icmp \
#-s $IP_ADDR --icmp-type fragmentation-needed -j ACCEPT
#iptables -A OUTPUT -o $EXT_INTERFACE -p icmp \
#-s $IP_ADDR --icmp-type source-quench -j ACCEPT
#iptables -A OUTPUT -o $EXT_INTERFACE -p icmp \
#-s $IP_ADDR --icmp-type echo-request -j ACCEPT
#iptables -A OUTPUT -o $EXT_INTERFACE -p icmp \
#-s $IP_ADDR --icmp-type parameter-problem -j ACCEPT
#-------------------------------------------------------------------------------------
#Enable logging for selected denied packets
iptables -A INPUT -i $EXT_INTERFACE -p tcp -j DROP
iptables -A INPUT -i $EXT_INTERFACE -p udp \
--destination-port $PRIV_PORTS -j DROP
iptables -A INPUT -i $EXT_INTERFACE -p udp \
--destination-port $UNPRIV_PORTS -j DROP
iptables -A INPUT -i $EXT_INTERFACE -p icmp \
--icmp-type 5 -j DROP
iptables -A INPUT -i $EXT_INTERFACE -p icmp \
--icmp-type 13/255 -j DROP
iptables -A OUTPUT -o $EXT_INTERFACE -j REJECT \
#-------------------------------------------------------------------------------------
iptables -A OUTPUT -o $EXT_INTERFACE -p tcp -s $IP_ADDR -d website ipaddress --dport www -j REJECT
iptables -A OUTPUT -d www.example.com -j REJECT
iptables -L OUTPUT
;;
stop)
echo -n "Shutting Firewall : "
# Remove all existing rules belonging to this filter
iptables -F
# Delete all user-defined chain to this filter
iptables -X
#Reset the default policy of the filter to accept.
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
;;
status)
status iptables
;;
restart|reload)
$0 stop
$0 start
;;
*)
echo "Usage: iptables {start|stop|status|restart|reload}"
exit 1
esac
echo "done"
exit 0

Next, save this file and change file permission with command as below :

#chmod 700 /etc/rc.d/init.d/firewall
#chmod 0.0 /etc/rc.d/init.d/firewall
#chkconfig - -add firewall
#chkconfig - -level 2345 firewall on

Starting your firewall with command :

#/etc/init.d/firewall start or #service firewall start

If no have problem your firewall is running
Command you can use for control your firewall :
Start Firewall : #service firewall start
Stop Firewall : #service firewall stop
Status Firewall : #service firewall status
Restart Firewall : #service firewall restart
Reload Firewall : #service firewall reload
Asif Bakali !
Feel free to contact me (flames about my english and the useless of this driver will be redirected to /dev/null, oh no, it's full...).
sakimustafa
Lance Naik
Posts: 41
Joined: Sat Jan 13, 2007 1:36 pm
Location: Bangladesh
Contact:

Post by sakimustafa »

Please explain me

Code: Select all

-p tcp ! --syn
Best Regards,
SAKI
8801712764543
abakali
Naik
Posts: 91
Joined: Wed Jun 01, 2005 5:38 pm

Post by abakali »

sakimustafa wrote:Please explain me

Code: Select all

-p tcp ! --syn

TCP SYN : This technique is often referred to as "half-open" scanning, because you don't open a full TCP connection. You send a SYN packet, as if you are going to open a real connection and wait for a response. A SYN|ACK indicates the port is listening. A RST is indicative of a non- listener. If a SYN|ACK is received, you immediately send a RST to tear down the connection (actually the kernel does this for us). The primary advantage to this scanning technique is that fewer sites will log it. and your iptables are not increase tcp connections
Asif Bakali !
Feel free to contact me (flames about my english and the useless of this driver will be redirected to /dev/null, oh no, it's full...).
mudasir
Captain
Posts: 565
Joined: Tue Oct 17, 2006 5:23 am
Location: Dubai
Contact:

Post by mudasir »

Deat Asif Bakali,

I just want to know how can we integrate MAC address base security in this firewall like for example

iptables -A INPUT -i eth1 -m mac --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT

now i have a list of MAC Address only which i want to allow and rest should be dropped...

Can you tell me how to implement you firewall with MAC Address

and one more thing, it is a bit out of the topic....

can you tell me or guide me in creating a script that can limit bandwidth on per user base to exact 15 KB with out giving high latency.

looking forward for your response
Kind Regards
Mudasir Mirza (RHCE)
(+971)55-1045754
http://www.crystalnetworks.org
http://www.diglinux.com
abakali
Naik
Posts: 91
Joined: Wed Jun 01, 2005 5:38 pm

Post by abakali »

mudasir wrote:Deat Asif Bakali,

I just want to know how can we integrate MAC address base security in this firewall like for example

iptables -A INPUT -i eth1 -m mac --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT

now i have a list of MAC Address only which i want to allow and rest should be dropped...

Can you tell me how to implement you firewall with MAC Address

and one more thing, it is a bit out of the topic....

can you tell me or guide me in creating a script that can limit bandwidth on per user base to exact 15 KB with out giving high latency.

looking forward for your response

Create file mac.addresses and put

00:00:00:00:00:00 10.0.0.2 # user 1

### Replace with PROTECT FOR NETWORK ERROR Tag

iptables -t nat -I PREROUTING -m mark --mark 1 -p tcp -j DNAT --to-destination=10.0.0.1:80
iptables -t mangle -I maccheck -j RETURN
iptables -t mangle -I maccheck -j MARK --set-mark 1


## Define your Mac Address Path
MACFILE="/extra/scripts"
rm -f $MACFILE/allowed.macs

cat $MACFILE/mac.addresses | awk '{ print $1, $2 }' >> $MACFILE/raw1

sleep 1
cat $MACFILE/raw1 | grep -v '#' |grep -v '^\ ' > $MACFILE/allowed.macs
sleep 1

rm -f $MACFILE/raw1
rm -f $MACFILE/raw2

cat $MACFILE/allowed.macs | while read allowedmacs
do
mac=`echo $allowedmacs | awk '{ print $1 }'`
ip=`echo $allowedmacs | awk '{ print $2 }'`
iptables -t mangle -I maccheck -m mac -j RETURN --mac-source $mac -s $ip
done


iptables -t mangle -I PREROUTING -i eth0 -p tcp -j maccheck
Asif Bakali !
Feel free to contact me (flames about my english and the useless of this driver will be redirected to /dev/null, oh no, it's full...).
lambda
Major General
Posts: 3452
Joined: Tue May 27, 2003 7:04 pm
Location: Lahore
Contact:

Post by lambda »

abakali wrote:## Define your Mac Address Path
MACFILE="/extra/scripts"
rm -f $MACFILE/allowed.macs
since you're using it as a directory, it should be MACDIR.
cat $MACFILE/mac.addresses | awk '{ print $1, $2 }' >> $MACFILE/raw1
why >> and not >?
sleep 1
why the sleeps?
cat $MACFILE/raw1 | grep -v '#' |grep -v '^\ ' > $MACFILE/allowed.macs
i think you mean '^$'
mac=`echo $allowedmacs | awk '{ print $1 }'`
ip=`echo $allowedmacs | awk '{ print $2 }'`
learn to use shell builtins:

Code: Select all

cat allowed.macs | while read line
do
  set $line
  mac=$1
  ip=$2
  ...
done
and you win an award for the useless use of cat (see also).
Post Reply