Re: lug-bg: protection
- Subject: Re: lug-bg: protection
- From: vlk@xxxxxxxxxxx (Vesselin Kolev)
- Date: Wed, 26 Sep 2001 17:03:38 +0300
First, don't filter only echo-request. The only ICMP types you should
let through are echo-reply, destination-unreachable and
time-exceeded:
ipchains -A input -i ppp0 -p 1 -s 0/0 0:0 -j ACCEPT
ipchains -A input -i ppp0 -p 1 -s 0/0 3:3 -j ACCEPT
ipchains -A input -i ppp0 -p 1 -s 0/0 11:11 -j ACCEPT
ipchains -A input -i ppp0 -p 1 -s 0/0 -l -j DENY
After that you protect your DNS by not letting anyone on interface
ppp0 send queries, transfer zones and so on. It is assumed that you
don't host a zone yourself, i.e. you have a caching-only DNS
server:
ipchains -A input -i ppp0 -p 6 -s 0/0 -d TVOIA_IP_ADDRESS 53:53 -j DENY
(this first line isn't needed if you later block incoming connection
requests to your machine).
ipchains -A input -i ppp0 -p 17 -s 0/0 -d TVOIA_IP_ADDRESS 53:53 -j DENY
If you don't have any services that need to accept requests from outside,
block the SYN packets so that connection requests aren't accepted, and in
broad terms you're done. Finally you write:
ipchains -A input -i ppp0 -p 6 -s 0/0 -y -j DENY
Of course there are finer and more complex setups. But each of them
starts with scanning the ports with nmap, for example, to see
what is open and what isn't, etc. Besides that, I think
you'll get better results with IPTABLES.
As for the TOS bits, what each of them is used for is described in
detail in the LINUX NAG.
Vesselin
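An added example (mine, not from the post): a small first-match simulator of the input chain assembled in the reply above, so you can see which packets arriving on ppp0 the seven rules accept or deny. The address 203.0.113.7 is a constructed stand-in for TVOIA_IP_ADDRESS, and the chain's default policy is assumed to be ACCEPT.

```python
from dataclasses import dataclass
from typing import Optional
MY_IP = "203.0.113.7"  # constructed stand-in for TVOIA_IP_ADDRESS

@dataclass
class Packet:
    iface: str
    proto: int            # 1 = ICMP, 6 = TCP, 17 = UDP
    dst: str = MY_IP
    dport: int = 0        # TCP/UDP destination port
    icmp_type: int = -1   # ICMP type (what ipchains reads as the "source port")
    syn: bool = False     # what -y matches: SYN set, ACK and FIN clear

@dataclass
class Rule:
    target: str           # ACCEPT or DENY
    iface: str = "ppp0"
    proto: Optional[int] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    syn_only: bool = False

    def matches(self, p: Packet) -> bool:
        wanted = [(self.proto, p.proto), (self.dst, p.dst),
                  (self.dport, p.dport), (self.icmp_type, p.icmp_type)]
        return (p.iface == self.iface and (not self.syn_only or p.syn)
                and all(w is None or w == got for w, got in wanted))

# The reply's rules, in the order they are appended with "ipchains -A input".
INPUT_CHAIN = [
    Rule("ACCEPT", proto=1, icmp_type=0),         # echo-reply
    Rule("ACCEPT", proto=1, icmp_type=3),         # destination-unreachable
    Rule("ACCEPT", proto=1, icmp_type=11),        # time-exceeded
    Rule("DENY", proto=1),                        # every other ICMP type (-l logs it)
    Rule("DENY", proto=6, dst=MY_IP, dport=53),   # TCP to port 53 (zone transfers)
    Rule("DENY", proto=17, dst=MY_IP, dport=53),  # UDP DNS queries from outside
    Rule("DENY", proto=6, syn_only=True),         # new inbound TCP connections (-y)
]

def verdict(p: Packet, chain=INPUT_CHAIN) -> str:
    """First matching rule wins; assumes the chain's default policy is ACCEPT."""
    for r in chain:
        if r.matches(p):
            return r.target
    return "ACCEPT"

if __name__ == "__main__":
    for pkt in (Packet("ppp0", 1, icmp_type=8), Packet("ppp0", 6, dport=80, syn=True)):
        print(pkt, "->", verdict(pkt))
```

Note that a non-SYN TCP packet on ppp0 (a reply to a connection you opened) still passes, which is what lets the machine browse out while refusing new connections in.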
On Wednesday 26 September 2001 16:26, you wrote:
> I have a server in a room with 3 very powerful Athlon PCs,
> but that's not my problem.
> I want to ask how to build or write a firewall
> for Linux, I mean something like anti DNS-spoofing,
> IP-spoofing, forbidding ping
> ipchains -A input -l -i ppp0 -p icmp -s 0.0.0.0/0 echo-request -j DENY
> and I want to ask what these parameters will help me with
> ipchains -A output -p tcp -d 0.0.0.0/0 telnet -t 0x01 0x10
> ipchains -A output -p tcp -d 0.0.0.0/0 ftp -t 0x01 0x10
> ipchains -A output -p tcp -d 0.0.0.0/0 ftp-data -t 0x01 0x10
===========================================================================
A mail-list of Linux Users Group - Bulgaria (bulgarian linuxers)
http://www.linux-bulgaria.org/ Hosted by Internet Group Ltd. - Stara Zagora