Friday, October 9, 2009


iptables

Hello. After many days without posting here (lack of time), today I am writing about a subject that concerns all of us (and by "all of us" I mean those who manage Linux servers that have one kind of connection or another to the Internet): security.

I have always thought the safest thing to implement is a firewall, but how do I implement one?

Some Linux distributions ship with a pre-built firewall based on iptables and let us open one port or another when needed. Others use front-ends such as Firestarter, Shorewall and the like.

But in my opinion these are limiting for the advanced configurations that are occasionally required.

So when it comes to installing a firewall I prefer to write the iptables rules one by one in an executable bash script. Let's start with something simple:

1. I have a server that acts as a proxy server and also as the router between the Internet and the LAN. I also want users not to have to configure the proxy IP in their browsers (a transparent proxy).

The server is on the LAN (hub) with IP 192.168.0.1 and on the WAN with 200.1.2.3; eth0 is the LAN interface and eth1 the WAN interface.

Firewall

I begin my file:

$ sudo vi firewall.sh

#!/bin/sh
# Firewall by th3doctor

## FLUSH rules
iptables -F
iptables -X
iptables -Z
iptables -t nat -F

## Set default policies
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT

## Start filtering
### Note: eth0 is the interface connected to the LAN
### and eth1 is the WAN interface

## allow everything on localhost
iptables -A INPUT -i lo -j ACCEPT

## allow access from the LAN to the proxy
iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 3128 -j ACCEPT

## allow HTTPS out
iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 443 -j ACCEPT

## allow FTP for the LAN
iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 21 -j ACCEPT
iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 21 -j ACCEPT

### drop the rest coming from the LAN; if someone on the LAN needs
### access to any other port, its rule must be placed before these two
iptables -A FORWARD -s 192.168.0.0/24 -i eth0 -j DROP
iptables -A INPUT -s 192.168.0.0/24 -i eth0 -j DROP
### Note: there is no equivalent rule for OUTPUT. The OUTPUT chain has no
### input interface (iptables rejects -i there), and dropping the server's
### own traffic towards the LAN would cut off the proxy's replies, so
### OUTPUT is left at its default policy of ACCEPT.

## force everyone through the proxy: redirect plain HTTP coming from the
## LAN to the proxy port, with the exception (!) of LAN destinations.
## These packets arrive on eth0 (LAN), so that is the interface to match.
iptables -t nat -A PREROUTING -i eth0 -s 192.168.0.0/24 ! -d 192.168.0.0/24 -p tcp --dport 80 -j REDIRECT --to-ports 3128

## now we masquerade the local network
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth1 -j MASQUERADE

## and set the forwarding bit (indispensable!!!!). This lets the firewall
## forward packets, i.e. other machines can go out through it.
echo 1 > /proc/sys/net/ipv4/ip_forward

## ignore pings
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all

echo "------ end of configuration"


Now all that is left is to have it run when the machine starts, so the rules are restored after a reboot. On Debian (and the vast majority of distros) simply edit the file /etc/rc.local and, before the line

exit 0

add

sh /location/firewall.sh

(change "location" to the path where your firewall script lives).

There we have the basis from which to build a firewall according to our requirements. Keep in mind that INPUT and FORWARD are left at a default policy of ACCEPT and the DROP rules only match traffic coming from the LAN, so anything the server listens on is reachable from the WAN (eth1) until you add rules for it.
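The script above hard-codes the interfaces and addresses and leaves INPUT and FORWARD open by default. As an added example (this is not th3doctor's script and not taken from the post), here is the same proxy/router ruleset rebuilt the other way round: default-DROP policies with stateful acceptance of return traffic, the parameters in variables, and a dry-run mode that prints the rules instead of applying them so the result can be reviewed on any machine without root. The interface names, the LAN range, the proxy port and the extra ssh rule are assumptions to adapt to your own network.

```shell
#!/bin/sh
# Added example, not the script from the post: the same proxy/router
# firewall with default-DROP policies, stateful return traffic and a
# dry-run mode. Interface names, LAN range, proxy port and the ssh rule
# below are assumptions; adapt them to your network.

LAN_IF="${LAN_IF:-eth0}"              # interface connected to the LAN
WAN_IF="${WAN_IF:-eth1}"              # interface connected to the Internet
LAN_NET="${LAN_NET:-192.168.0.0/24}"
PROXY_PORT="${PROXY_PORT:-3128}"

# Rules are only applied when APPLY=1 is set (run as root);
# otherwise they are printed so they can be reviewed first.
[ "${APPLY:-0}" = "1" ] || DRYRUN=1

# ipt: run iptables, or print the command in dry-run mode.
ipt() {
    if [ "${DRYRUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

build_rules() {
    # flush the filter and nat tables
    ipt -F
    ipt -X
    ipt -Z
    ipt -t nat -F

    # default policies: nothing reaches the box or crosses it unless
    # allowed below; traffic the box itself originates stays open
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # loopback, and replies to connections the box or the LAN opened
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # LAN -> the box: the proxy port, plus ssh for administration (assumption)
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$PROXY_PORT" -j ACCEPT
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT

    # LAN -> Internet: only HTTPS and the FTP control channel; anything
    # else from the LAN is dropped by the FORWARD policy. Passive FTP data
    # connections need the nf_conntrack_ftp helper to be seen as RELATED.
    for port in 443 21; do
        ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p tcp --dport "$port" -j ACCEPT
    done

    # transparent proxy: plain HTTP from the LAN is redirected to the proxy,
    # except traffic to LAN destinations. This must match the LAN interface;
    # LAN packets never arrive on $WAN_IF.
    ipt -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" ! -d "$LAN_NET" \
        -p tcp --dport 80 -j REDIRECT --to-ports "$PROXY_PORT"

    # masquerade whatever is allowed out
    ipt -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
}

# check_rules: sanity checks on the generated rule set before applying it.
# Returns 0 when the REDIRECT hooks the LAN interface and INPUT defaults
# to DROP, 1 otherwise.
check_rules() {
    rules=$(DRYRUN=1 build_rules)
    echo "$rules" | grep -q -- "-A PREROUTING -i $LAN_IF .* -j REDIRECT" || return 1
    echo "$rules" | grep -q -- "-P INPUT DROP" || return 1
    return 0
}

check_rules || { echo "rule set failed sanity check" >&2; exit 1; }
build_rules
if [ "${DRYRUN:-0}" != "1" ]; then
    echo 1 > /proc/sys/net/ipv4/ip_forward
fi
```

Run it as-is to print the rules; run it with APPLY=1 as root to apply them. Because the policies are DROP, the FTP data channel deserves attention: with passive FTP the data connection is only let through if the nf_conntrack_ftp helper is loaded so that conntrack classifies it as RELATED.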

