bizna :
Problem solved!
The thing was that sites like auditmypc.com managed to find the computer names on my internal network. That's not a good thing, right? What I did, by trial and error (a lot of error), was simply add a line identical to the first line, with one change: $IPTABLES -A INPUT -i $EXTIF -p udp --dport 0:5000 -j REJECT. Instead of tcp, there is now also a line with udp. As far as the scanning sites are concerned, the only problem with my computer is the fact that I browse with a browser. What can you do, nobody's perfect...
Dotan
P.S. Whoever wants the firewall script, say so and I'll put it here.
Code:
#!/bin/sh
#############################################
### rc.firewall
### The following script is meant to be run at startup, after loading
### the network. It does several things:
### 1. Establish a firewall
### 2. Forward all outbound traffic to $EXTIF
#############################################
### Dotan Mazor
### mazor.dotan@idc.ac.il
#############################################
###
### DEFINING VARIABLES
IPTABLES="/sbin/iptables"
EXTIF=eth0
#INTIF=eth0
###
### LOADING REQUIRED MODULES
### (modprobe rather than insmod: it finds a module by name and pulls in
### its dependencies, so the list does not have to be in dependency order)
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ipt_mark
/sbin/modprobe ipt_tcpmss
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_multiport
/sbin/modprobe ipt_state
/sbin/modprobe ipt_unclean
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
### this little line enables ip forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward
###
#####
### This part was commented by someone that knows better than me
#$IPTABLES -P INPUT ACCEPT
#$IPTABLES -F INPUT
#$IPTABLES -P OUTPUT ACCEPT
#$IPTABLES -F OUTPUT
#$IPTABLES -P FORWARD DROP
#$IPTABLES -F FORWARD
#$IPTABLES -t nat -F
#$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
#$IPTABLES -A FORWARD -j LOG
#####
### Note: with the flush lines above left commented out, running this script
### a second time appends a second copy of every rule below.
###
### THE FIREWALL PART
##### NOTICE!!! if you want to allow a port to remain open, put the lines
##### with ACCEPT before the lines with REJECT or DROP
###
### Accept replies to connections this machine opened itself (this is what
### ipt_state, loaded above, is for). Without this rule, a reply to an
### outbound connection whose local port falls inside 0:5000 is rejected
### by the rules below, and ICMP errors tied to our own connections (such as
### "fragmentation needed") are thrown away by the icmp rule.
$IPTABLES -A INPUT -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
###
### This part opens ports for ssh and telnet
#$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
#$IPTABLES -A INPUT -p tcp --dport 23 -j ACCEPT
###
## Got the next script from the net. It's supposed to block single ports.
## This line blocks all incoming TCP traffic to ports 0 to 5000.
## Oh, and it brings the machine to "stealth" mode. Caveat: REJECT still
## answers every probe with an ICMP port-unreachable, so a scanner sees the
## ports as closed and the host as up; only DROP (no answer at all) is
## "stealth". Ports above 5000 stay open, since the INPUT policy is ACCEPT.
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 0:5000 -j REJECT
### The next line blocks NetBIOS (UDP 137 and 138, the Windows/Samba name
### and datagram services) from the WWW, along with every other UDP port
### up to 5000
$IPTABLES -A INPUT -i $EXTIF -p udp --dport 0:5000 -j REJECT
### Commented the next line, because I couldn't find any use for it...
#$IPTABLES -I FORWARD -i $EXTIF -p udp --dport 0:5000 -j DROP
###
### This line rejects incoming pings, making the machine "invisible" to the
### WWW (with the same REJECT caveat as above: the reply is an ICMP error,
### not silence)
$IPTABLES -A INPUT -i $EXTIF -p icmp -j REJECT
#######
###
### THE ROUTING PART
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
###
### Most folks won't need this part
### It seems like my outer network won't work if the following line
### isn't present. It restarts the network device:
/sbin/ifdown $EXTIF
/sbin/ifup $EXTIF
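Added example, not part of the post above or of Dotan's script: the query that "scan me" sites use to pull the names off a host is the NetBIOS Name Service node-status (NBSTAT) request on UDP/137, which is the leak the udp --dport 0:5000 rule closes. The block builds that request, parses the answer (names, suffixes, group flag and the adapter MAC that comes back in the statistics block), and gives a probe() to check your own external address before and after loading the firewall. The sample response bytes are constructed here to exercise the parser offline and come from no real host; probe() is assumed to be run only against an address you own.

```python
"""NBSTAT (NetBIOS node status) probe and parser, RFC 1001/1002.
Added example; the sample response below is constructed, not captured."""
import socket
import struct
import sys

NBSTAT = 0x0021                    # RR type of a node-status query
CLASS_IN = 0x0001
WILDCARD = b"*" + b"\x00" * 15     # 16-byte "*" name: "send me your name table"


def encode_netbios_name(raw16: bytes) -> bytes:
    """First-level encoding: every byte becomes two nibbles offset by 'A',
    wrapped as one 32-byte label followed by the 0x00 root label."""
    assert len(raw16) == 16
    enc = bytes(0x41 + nib for b in raw16 for nib in (b >> 4, b & 0x0F))
    return bytes([len(enc)]) + enc + b"\x00"


def build_nbstat_query(txid: int = 0x1234) -> bytes:
    """12-byte DNS-style header with QDCOUNT=1, then the wildcard question."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_netbios_name(WILDCARD) + struct.pack("!HH", NBSTAT, CLASS_IN)


def parse_nbstat_response(data: bytes) -> dict:
    """Return {"names": [(name, suffix, is_group), ...], "mac": "aa:bb:..."}."""
    _txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000 or an < 1:
        raise ValueError("not an NBNS response carrying an answer")
    off = 12
    while data[off] != 0:          # skip the echoed, length-prefixed name
        off += 1 + data[off]
    off += 1
    rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
    off += 10
    if rtype != NBSTAT:
        raise ValueError(f"unexpected RR type 0x{rtype:04x}")
    rdata = data[off:off + rdlen]
    names = []
    for i in range(rdata[0]):      # NUM_NAMES entries of 18 bytes each
        e = rdata[1 + 18 * i:19 + 18 * i]
        nflags = struct.unpack("!H", e[16:18])[0]
        names.append((e[:15].rstrip(b" \x00").decode("ascii", "replace"),
                      e[15], bool(nflags & 0x8000)))   # 0x8000 = group name
    stats = rdata[1 + 18 * rdata[0]:]                  # STATISTICS: unit ID (MAC) first
    mac = ":".join(f"{b:02x}" for b in stats[:6]) if len(stats) >= 6 else None
    return {"names": names, "mac": mac}


def constructed_sample_response(txid: int = 0x1234) -> bytes:
    """Constructed answer of the shape a Windows/Samba host returns: the
    computer name (<00>), its workgroup (<00>, group bit set) and the file
    service name (<20>), followed by the adapter MAC in the statistics."""
    entries = [(b"WORKSTATION1", 0x00, 0x0400),
               (b"WORKGROUP", 0x00, 0x8400),
               (b"WORKSTATION1", 0x20, 0x0400)]
    rdata = bytes([len(entries)])
    for name, suffix, nflags in entries:
        rdata += name.ljust(15, b" ") + bytes([suffix]) + struct.pack("!H", nflags)
    rdata += bytes.fromhex("001122334455") + b"\x00" * 40   # unit ID + zeroed stats
    header = struct.pack("!HHHHHH", txid, 0x8400, 0, 1, 0, 0)
    rr = encode_netbios_name(WILDCARD) + struct.pack("!HHIH", NBSTAT, CLASS_IN, 0, len(rdata))
    return header + rr + rdata


def probe(host: str, timeout: float = 2.0, port: int = 137):
    """One NBSTAT round trip: ("answered", table), ("refused", None) or
    ("timeout", None). connect() makes the kernel hand an ICMP
    port-unreachable back as ECONNREFUSED, so a REJECT rule shows up as
    "refused" while a DROP rule shows up as "timeout"; that difference is
    what a scanner sees too, which is why REJECT is not "stealth"."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        s.send(build_nbstat_query())
        try:
            return "answered", parse_nbstat_response(s.recv(4096))
        except ConnectionRefusedError:
            return "refused", None
        except socket.timeout:
            return "timeout", None


if __name__ == "__main__":
    if len(sys.argv) > 1:          # python3 nbstat.py <your-external-ip>
        print(probe(sys.argv[1]))
    else:                          # offline: parse the constructed sample
        print(parse_nbstat_response(constructed_sample_response()))
```

Run it from outside against your own external address: before the udp rule a host running Samba or Windows file sharing answers with its name table, after the rule you get "refused" (REJECT) or, if you change the rule's target to DROP, "timeout".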