Securing and Optimizing Linux:RedHat Edition | All about OS

The firewall scripts files

Категория: Securing and Optimizing

-s $IPADDR 11 -d $MY_ISP -j ACCEPT
# UDP INCOMING TRACEROUTE
# traceroute usually uses -S 32769:65535 -D 33434:33523
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \ -s $MY_ISP $TRACEROUTE_SRC_PORTS \ -d $IPADDR $TRACEROUTE_DEST_PORTS -j ACCEPT -I
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \ -s $ANYWHERE $TRACEROUTE_SRC_PORTS \ -d $IPADDR $TRACEROUTE_DEST_PORTS -j DENY -I
# DNS forwarding, caching only nameserver (53)
# server to server query or response
# Caching only name server only requires UDP, not TCP
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \ -s $NAMESERVER_1 53 \ -d $IPADDR 53 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \ -s $IPADDR 53 \ -d $NAMESERVER_1 53 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \ -s $NAMESERVER_2 53 \ -d $IPADDR 53 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \ -s $IPADDR 53 \
-d $NAMESERVER_2 53 -j ACCEPT
# DNS client (53)
#
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \ -s $NAMESERVER_1 53 \ -d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \ -s $IPADDR $UNPRIVPORTS \ -d $NAMESERVER_1 53 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \ -s $NAMESERVER_2 53 \ -d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \ -s $IPADDR $UNPRIVPORTS \ -d $NAMESERVER_2 53 -j ACCEPT
# TCP client to server requests are allowed by the protocol
# if UDP requests fail. This is rarely seen. Usually, clients
# use TCP as a secondary nameserver for zone transfers from
# their primary nameservers, and as hackers.
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \ -s $NAMESERVER_1 53 \ -d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \ -s $IPADDR $UNPRIVPORTS \ -d $NAMESERVER_1 53 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \ -s $NAMESERVER_2 53 \ -d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \ -s $IPADDR $UNPRIVPORTS \ -d $NAMESERVER_2 53 -j ACCEPT
# TCP accept only on selected ports
# SSH server (22)
#

Страниц: 1 2 3 4 5 6 7 8 9 10

« Some explanation of rules used in the firewall script files
Configuration of the “/etc/rc.d/init.d/firewall” script file for the Mail Server »