On Wed, Jan 22, 2003 at 01:38:13PM +0100, narancs wrote:
We now use the packet filter almost exclusively for the TPROXY redirections, plus the other nice features like the SYN limit, which would be hard to achieve at the application level.
It would be nice to see one full packet filter config in which the protection of the local host, the smtp, ntp and dns traffic, the locally generated traffic and, most importantly of course, the zorp-related rules are all written down.
The tutorial is supposed to contain one like that:

*tproxy
:PREROUTING ACCEPT
:OUTPUT ACCEPT
:PRintra -
:PRinter -
:PRdmz -
-A PREROUTING -i IFintra -j PRintra
-A PREROUTING -i IFinter -j PRinter
-A PREROUTING -i IFdmz -j PRdmz
// PRintra chain
-A PRintra -p tcp --dport 80 -j TPROXY 50080
-A PRintra -p tcp --dport 443 -j TPROXY 50443
-A PRintra -p tcp --dport 21 -j TPROXY 50021
// PRinter chain
-A PRinter -p tcp --dport 80 -j TPROXY 50080
// PRdmz chain
// no services permitted
COMMIT

*filter
:INPUT DENY
:FORWARD DENY
:OUTPUT ACCEPT
:noise -
:spoof -
:spoofdrop DROP
:LOintra -
:LOinter -
:LOdmz -
-A INPUT -j noise
-A INPUT -j spoof
// permit all traffic initiated by transparent proxies
-A INPUT -m tproxy -j ACCEPT
//
// permit all TCP traffic initiated by local processes, or allowed by rules
// below, we don't trust the state match for UDP traffic, they will be handled
// by individual rules below.
//
-A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
// permit all loopback traffic
-A INPUT -i lo -j ACCEPT
-A INPUT -i IFintra -j LOintra
-A INPUT -i IFinter -j LOinter
-A INPUT -i IFdmz -j LOdmz
-A INPUT -j DROP
-A FORWARD -j LOG --log-prefix "FORWARD DROP: "
-A FORWARD -j DROP
// LOintra
-A LOintra -p udp --dport 53 -j ACCEPT
-A LOintra -p udp --dport 123 -j ACCEPT
-A LOintra -p tcp --syn --dport 25 -j ACCEPT
-A LOintra -j LOG --log-prefix "LOintra DROP: "
-A LOintra -j DROP
// LOinter
// permit DNS replies, bind is configured to send out DNS packets from this
// port. We could also use the state match in our INPUT chain.
-A LOinter -p udp -s DNS_SERVERS --dport 53000 -j ACCEPT
-A LOinter -p udp -s NTP_SERVERS --dport 123 -j ACCEPT
-A LOinter -p tcp --syn --dport 25 -j ACCEPT
-A LOinter -j LOG --log-prefix "LOinter DROP: "
-A LOinter -j DROP
// LOdmz
-A LOdmz -p udp --dport 53 -j ACCEPT
-A LOdmz -p udp --dport 123 -j ACCEPT
-A LOdmz -p tcp --syn --dport 25 -j ACCEPT
-A LOdmz -j LOG --log-prefix "LOdmz DROP: "
-A LOdmz -j DROP
//
// noise chain, should drop all packets which need not be logged,
// otherwise it should return to the main ruleset
//
-A noise -p udp --dport 137:139 -j DROP
-A noise -j RETURN
//
// spoof chain, should drop all packets with spoofed source address
// otherwise it should return to the main ruleset
//
-A spoof -i lo -j RETURN
-A spoof ! -i lo -s 127.0.0.0/8 -j spoofdrop
-A spoof -i IFintra ! -s NETintra -j spoofdrop
-A spoof ! -i IFintra -s NETintra -j spoofdrop
-A spoof -i IFdmz ! -s NETdmz -j spoofdrop
-A spoof ! -i IFdmz -s NETdmz -j spoofdrop
-A spoof -j RETURN
//
-A spoofdrop -j LOG --log-prefix "Spoofed packet: "
-A spoofdrop -j DROP
COMMIT
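A structural audit of a ruleset in that style, as an added example that is not from the thread or from the Zorp tutorial: it parses the iptables-restore format, checks that every user chain ends in a terminal DROP or RETURN, that every DROP is preceded by a LOG line (as the LO* and spoofdrop chains do), and that each interface in the spoof chain is covered in both directions. The embedded excerpt is constructed and deliberately leaves out the outbound IFdmz rule so the audit has something to report.

```python
import re
from collections import defaultdict

# Constructed excerpt in the same iptables-restore style as the ruleset quoted
# above ('//' comment lines, as in the quoted tutorial, are skipped by the parser).
SAMPLE = """\
*filter
:INPUT DROP
:LOintra -
:spoof -
:spoofdrop -
-A LOintra -p udp --dport 53 -j ACCEPT
-A LOintra -p tcp --syn --dport 25 -j ACCEPT
-A LOintra -j LOG --log-prefix "LOintra DROP: "
-A LOintra -j DROP
// anti-spoof: inbound and outbound pair per interface (IFdmz outbound omitted)
-A spoof -i lo -j RETURN
-A spoof ! -i lo -s 127.0.0.0/8 -j spoofdrop
-A spoof -i IFintra ! -s NETintra -j spoofdrop
-A spoof ! -i IFintra -s NETintra -j spoofdrop
-A spoof -i IFdmz ! -s NETdmz -j spoofdrop
-A spoof -j RETURN
-A spoofdrop -j LOG --log-prefix "Spoofed packet: "
-A spoofdrop -j DROP
COMMIT
"""

def parse_chains(text):
    """Group '-A <chain> <rule>' lines by chain, keeping order; skip comments/policies."""
    chains = defaultdict(list)
    for line in text.splitlines():
        if line.startswith("-A "):
            _, chain, rest = line.split(" ", 2)
            chains[chain].append(rest)
    return chains

def audit(text):
    """Return a list of structural findings; an empty list means all checks passed."""
    chains = parse_chains(text)
    findings = []
    for name, rules in chains.items():
        if not re.search(r"-j (DROP|RETURN)$", rules[-1]):
            findings.append(f"{name}: last rule is not a terminal DROP/RETURN")
        for i, r in enumerate(rules):
            if r.endswith("-j DROP") and not (i and rules[i - 1].startswith("-j LOG")):
                findings.append(f"{name}: DROP at rule {i + 1} is not preceded by LOG")
    # every interface named in the spoof chain needs both the '-i IF ! -s NET'
    # (inbound) and the '! -i IF -s NET' (outbound) check
    spoof = "\n".join(chains.get("spoof", []))
    inbound = set(re.findall(r"^-i (IF\w+) ! -s", spoof, re.M))
    outbound = set(re.findall(r"^! -i (IF\w+) -s", spoof, re.M))
    for iface in sorted(inbound ^ outbound):
        findings.append(f"spoof: {iface} has only one direction of anti-spoof check")
    return findings
```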
I don't really get this... so where do you configure the ports then? Does zorp tell the kernel what to open?
Yes. You can still set the ports for the FTP proxy, but it is no longer required.
I think this is brilliant :-) Congrats!
Thanks -- Bazsi PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1