How to make iptables rules load automatically at boot?

Most people work out how to write iptables rules and the like, but there is one catch in all of it: the iptables rules are lost whenever the machine is rebooted or shut down.

Iptables is applied at the kernel level of the operating system itself, and its rules live only in memory, so when the machine boots the rules must be set up to load automatically.

These instructions apply to Debian and Ubuntu; on other distributions the location of the interfaces file differs.

How to do it:

In the file /etc/network/interfaces add the line:

Code:
post-up iptables-restore < /etc/iptables.up.rules

where /etc/iptables.up.rules is the path to the file holding the saved rules that bring up the firewall.

The interfaces file looks like this:

Code:
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo eth0 eth1
iface lo inet loopback

# The primary network interface
iface eth0 inet static
        address 192.168.2.5
        netmask 255.255.255.0
        network 192.168.2.0
        broadcast 192.168.2.255
        gateway 192.168.2.1
# load the saved firewall rules as soon as eth0 has been configured
        post-up iptables-restore < /etc/iptables.up.rules

iface eth1 inet static
        address 172.16.0.1
        netmask 255.255.0.0
        broadcast 172.16.255.255
        network 172.16.0.0

The iptables.up.rules file looks like this:

Code:
# Generated by iptables-save v1.3.6 on Tue May 27 18:17:28 2008
*filter
:INPUT ACCEPT [38725:4186870]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [41704:3636788]
:SSH_WHITELIST - [0:0]
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
# SSH brute-force throttle: the "recent" module remembers every source that opens a new
# connection to port 22; a source with 4 or more hits within 60 s is logged (at most 2/s)
# and dropped, unless SSH_WHITELIST removed it from the list first
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j SSH_WHITELIST
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --rsource -m limit --limit 2/sec -j LOG --log-prefix "SSH_brute_force:"
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --rsource -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
# stateful forwarding between the two interfaces; the interfaces example above puts
# 172.16.0.0/16 on eth1, so the source network of the first rule must match your own eth1 subnet
-A FORWARD -s 192.168.1.0/255.255.255.0 -i eth1 -o eth0 -m state --state NEW -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -i eth0 -o eth1 -m state --state NEW -j ACCEPT
# everything arriving on eth1 may be forwarded (this makes the per-network eth1 rule above redundant)
-A FORWARD -i eth1 -j ACCEPT
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
# replace 0.0.0.0 with the source address (or network) that must never be throttled on SSH;
# as written, -s 0.0.0.0 matches no real source and the whitelist does nothing
-A SSH_WHITELIST -s 0.0.0.0 -m recent --remove --name SSH --rsource -j ACCEPT
COMMIT
# Completed on Tue May 27 18:17:28 2008
# Generated by iptables-save v1.3.6 on Tue May 27 18:17:28 2008
*nat
:PREROUTING ACCEPT [36084:3553453]
:POSTROUTING ACCEPT [1093:112681]
:OUTPUT ACCEPT [37973:3320426]
# masquerade everything leaving through eth0 (the upstream interface)
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Tue May 27 18:17:28 2008
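As an added example (not from the original post): a small POSIX sh + awk pre-flight check for the rules file, so that a typo in /etc/iptables.up.rules is caught before the file is handed to iptables-restore at boot. It assumes the file is in the iptables-save format shown above; the function names and the sample rules are constructed for this example.

```shell
#!/bin/sh
# Offline pre-flight check for an iptables-save style rules file, run before it
# is wired into /etc/network/interfaces. POSIX sh + awk only (no root, no iptables).
# Structural errors exit 1; duplicate rules and the "-s 0.0.0.0" placeholder only warn.
check_rules_file() {
    awk '
    /^#/ || /^[ \t]*$/ { next }
    /^\*/ {                                   # "*filter", "*nat": a table opens
        if (table != "") { print "ERROR: table " table " has no COMMIT"; errors++ }
        table = substr($1, 2); next
    }
    /^COMMIT$/ {
        if (table == "") { print "ERROR: COMMIT without a table"; errors++ }
        table = ""; next
    }
    /^:/ { declared[table ":" substr($1, 2)] = 1; next }   # chain declaration
    /^-A / {
        if (seen[table ":" $0]++) print "WARN: duplicate rule in " table ": " $0
        for (i = 1; i < NF; i++) {
            if ($i == "-j" && $(i+1) !~ /^(ACCEPT|DROP|REJECT|LOG|RETURN|MASQUERADE|SNAT|DNAT|REDIRECT)$/ &&
                !((table ":" $(i+1)) in declared)) {
                print "ERROR: jump to undeclared chain " $(i+1) " in table " table; errors++
            }
            if ($i == "-s" && $(i+1) == "0.0.0.0")
                print "WARN: -s 0.0.0.0 never matches; replace the placeholder address"
        }
        next
    }
    { print "ERROR: unrecognised line: " $0; errors++ }
    END {
        if (table != "") { print "ERROR: table " table " has no COMMIT"; errors++ }
        exit (errors > 0)
    }' "${1:--}"
}
# Constructed sample modelled on the rules file above (not the page's real file).
sample_rules() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:SSH_WHITELIST - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j SSH_WHITELIST
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A SSH_WHITELIST -s 0.0.0.0 -m recent --remove --name SSH --rsource -j ACCEPT
COMMIT
*nat
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
EOF
}
```

Run it as `sample_rules | check_rules_file` or `check_rules_file /etc/iptables.up.rules`; on a host with a recent iptables, `iptables-restore --test < /etc/iptables.up.rules` is the authoritative check. Because post-up runs after the interface is already configured, a file that fails to load leaves the host reachable with no rules, and moving the command to pre-up closes the window between the interface coming up and the rules being applied.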
