Entwicklungsumgebung/Firewall: Unterschied zwischen den Versionen
K (hat „Delixs:Entwicklungsumgebung/Firewall“ nach „Entwicklungsumgebung/Firewall“ verschoben) |
(sammeln) |
Zeile 5: | Zeile 5: | ||
== Firewall == | == Firewall == | ||
Text kommt noch | Text kommt noch, jetzt erst einmal eine völlig unstrukturierte Materialsammlung: | ||
Schau Dir mal ipfilter:uif an (Harry am 07.06.2008 in developer). | |||
1. per default, alle tables auf drop | |||
2. syntax: narrensicher | |||
3. LDAP-Support | |||
4. conf-Datei, keine GUI, koennen wir also leicht scripten | |||
Als Vergleich die Werte von wc: | |||
debby-3:/home/hjede/qemu-run# grep -Ev '(^#|^$)' /etc/uif/uif.conf |wc | |||
44 96 851 | |||
debby-3:/home/hjede/qemu-run# iptables-save |wc | |||
99 606 4448 | |||
Beispiel: | |||
<source lang="text"> | |||
service { | |||
traceroute udp(32769:65535/33434:33523) icmp(11) | |||
ping icmp(8) | |||
ipp udp(/631) | |||
} | |||
network { | |||
localhost 127.0.0.1 | |||
all 0.0.0.0/0 | |||
trusted 192.168.231.0/24 | |||
dmz 192.168.12.0/24 | |||
gateway 192.168.12.1 | |||
} | |||
interface { | |||
loop lo | |||
ETHA eth0 | |||
ETH1 eth1 | |||
BR0 br0 | |||
ETH0 ETHA BR0 | |||
} | |||
input { | |||
in+ i=loop s=localhost | |||
in+ i=ETH0 s=trusted | |||
in+ p=ping,traceroute | |||
in- p=ipp i=ETH1 f=reject | |||
in- f=log(input),reject | |||
} | |||
output { | |||
out+ o=loop d=localhost | |||
out+ d=all | |||
out+ o=ETH0,ETH1 | |||
out- f=log(output),reject | |||
} | |||
forward { | |||
fw+ i=BR0 o=BR0 | |||
fw> o=ETH1 | |||
fw+ o=ETH1 s=trusted | |||
fw- f=log(forward),reject | |||
} | |||
masquerade { | |||
masq+ o=ETH1 s=trusted d=gateway f=log(masq) | |||
masq+ o=ETH1 s=trusted d=all | |||
} | |||
</source> | |||
Und hier die lange & komplizierte Ausgabe von iptables-save: | |||
<source lang="text"> | |||
# Generated by iptables-save v1.3.6 on Sat Jun 7 13:13:25 2008 | |||
*nat | |||
:PREROUTING ACCEPT [61495:5257743] | |||
:POSTROUTING ACCEPT [22191:3933471] | |||
:OUTPUT ACCEPT [6405:1246646] | |||
:13MASQUERADElog - [0:0] | |||
-A POSTROUTING -s 192.168.231.0/255.255.255.0 -d 192.168.12.1 -o eth1 -j | |||
13MASQUERADElog | |||
-A POSTROUTING -s 192.168.231.0/255.255.255.0 -o eth1 -j MASQUERADE | |||
-A 13MASQUERADElog -m limit --limit 20/min -j LOG --log-prefix "FW | |||
MASQUERADE (masq): " --log-level 7 --log-tcp-options --log-ip-options | |||
-A 13MASQUERADElog -j MASQUERADE | |||
COMMIT | |||
# Completed on Sat Jun 7 13:13:25 2008 | |||
# Generated by iptables-save v1.3.6 on Sat Jun 7 13:13:25 2008 | |||
*filter | |||
:INPUT DROP [0:0] | |||
:FORWARD DROP [0:0] | |||
:OUTPUT DROP [0:0] | |||
:12DROPlog - [0:0] | |||
:1_1 - [0:0] | |||
:4DROPlog - [0:0] | |||
:8DROPlog - [0:0] | |||
:ACCOUNTINGFORWARD - [0:0] | |||
:ACCOUNTINGINPUT - [0:0] | |||
:ACCOUNTINGOUTPUT - [0:0] | |||
:ACCOUNTINGSTATELESSFORWARD - [0:0] | |||
:ACCOUNTINGSTATELESSINPUT - [0:0] | |||
:ACCOUNTINGSTATELESSOUTPUT - [0:0] | |||
:MYREJECT - [0:0] | |||
:STATEFORWARD - [0:0] | |||
:STATEINPUT - [0:0] | |||
:STATELESSFORWARD - [0:0] | |||
:STATELESSINPUT - [0:0] | |||
:STATELESSOUTPUT - [0:0] | |||
:STATENOTNEW - [0:0] | |||
:STATEOUTPUT - [0:0] | |||
-A INPUT -j STATEINPUT | |||
-A INPUT -s 127.0.0.1 -i lo -j ACCEPT | |||
-A INPUT -s 192.168.231.0/255.255.255.0 -j 1_1 | |||
-A INPUT -p udp -m udp --sport 32769:65535 --dport 33434:33523 -j ACCEPT | |||
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT | |||
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT | |||
-A INPUT -i eth1 -p udp -m udp --dport 631 -j MYREJECT | |||
-A INPUT -j 4DROPlog | |||
-A FORWARD -j STATEFORWARD | |||
-A FORWARD -i br0 -o br0 -j ACCEPT | |||
-A FORWARD -o eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -j | |||
TCPMSS --clamp-mss-to-pmtu | |||
-A FORWARD -s 192.168.231.0/255.255.255.0 -o eth1 -j ACCEPT | |||
-A FORWARD -j 12DROPlog | |||
-A OUTPUT -j STATEOUTPUT | |||
-A OUTPUT -d 127.0.0.1 -o lo -j ACCEPT | |||
-A OUTPUT -j ACCEPT | |||
-A OUTPUT -o eth1 -j ACCEPT | |||
-A OUTPUT -o br0 -j ACCEPT | |||
-A OUTPUT -o eth0 -j ACCEPT | |||
-A OUTPUT -j 8DROPlog | |||
-A 12DROPlog -m limit --limit 20/min -j LOG --log-prefix "FW REJECT | |||
(forward): " --log-level 7 --log-tcp-options --log-ip-options | |||
-A 12DROPlog -j MYREJECT | |||
-A 1_1 -i br0 -j ACCEPT | |||
-A 1_1 -i eth0 -j ACCEPT | |||
-A 4DROPlog -m limit --limit 20/min -j LOG --log-prefix "FW REJECT | |||
(input): " --log-level 7 --log-tcp-options --log-ip-options | |||
-A 4DROPlog -j MYREJECT | |||
-A 8DROPlog -m limit --limit 20/min -j LOG --log-prefix "FW REJECT | |||
(output): " --log-level | |||
7 --log-tcp-options --log-ip-options | |||
-A 8DROPlog -j MYREJECT | |||
-A MYREJECT -p tcp -m tcp -j REJECT --reject-with tcp-reset | |||
-A MYREJECT -j REJECT --reject-with icmp-port-unreachable | |||
-A STATEFORWARD -m state --state INVALID -j STATELESSFORWARD | |||
-A STATEFORWARD -j ACCOUNTINGFORWARD | |||
-A STATEFORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT | |||
-A STATEFORWARD -m state --state | |||
INVALID,RELATED,ESTABLISHED,UNTRACKED -j STATENOTNEW | |||
-A STATEINPUT -m state --state INVALID -j STATELESSINPUT | |||
-A STATEINPUT -j ACCOUNTINGINPUT | |||
-A STATEINPUT -m state --state RELATED,ESTABLISHED -j ACCEPT | |||
-A STATEINPUT -m state --state INVALID,RELATED,ESTABLISHED,UNTRACKED -j | |||
STATENOTNEW | |||
-A STATELESSFORWARD -j ACCOUNTINGSTATELESSFORWARD | |||
-A STATELESSFORWARD -m limit --limit 20/min -j LOG --log-prefix "FW | |||
INVALID STATE: " --log-level 7 --log-tcp-options --log-ip-options | |||
-A STATELESSFORWARD -j DROP | |||
-A STATELESSINPUT -j ACCOUNTINGSTATELESSINPUT | |||
-A STATELESSINPUT -m limit --limit 20/min -j LOG --log-prefix "FW | |||
INVALID STATE: " --log-level 7 --log-tcp-options --log-ip-options | |||
-A STATELESSINPUT -j DROP | |||
-A STATELESSOUTPUT -j ACCOUNTINGSTATELESSOUTPUT | |||
-A STATELESSOUTPUT -m limit --limit 20/min -j LOG --log-prefix "FW | |||
INVALID STATE: " --log-level 7 --log-tcp-options --log-ip-options | |||
-A STATELESSOUTPUT -j DROP | |||
-A STATENOTNEW -m limit --limit 20/min -j LOG --log-prefix "FW STATE NOT | |||
NEW: " --log-level 7 --log-tcp-options --log-ip-options | |||
-A STATENOTNEW -j DROP | |||
-A STATEOUTPUT -m state --state INVALID -j STATELESSOUTPUT | |||
-A STATEOUTPUT -j ACCOUNTINGOUTPUT | |||
-A STATEOUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT | |||
-A STATEOUTPUT -m state --state INVALID,RELATED,ESTABLISHED,UNTRACKED -j | |||
STATENOTNEW | |||
COMMIT | |||
# Completed on Sat Jun 7 13:13:25 2008 | |||
# Generated by iptables-save v1.3.6 on Sat Jun 7 13:13:25 2008 | |||
*mangle | |||
:PREROUTING ACCEPT [25994780:19965091246] | |||
:INPUT ACCEPT [24155447:19040604203] | |||
:FORWARD ACCEPT [6557432:3191342180] | |||
:OUTPUT ACCEPT [24433500:25546765616] | |||
:POSTROUTING ACCEPT [32829626:29312519572] | |||
COMMIT | |||
# Completed on Sat Jun 7 13:13:25 2008 | |||
</source> | |||
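Review bot: `out+ d=all` in the new `output` block compiles to an unconditional `-A OUTPUT -j ACCEPT` (visible in the dump directly after the lo rule), so the following `out+ o=ETH0,ETH1` and `out- f=log(output),reject` lines can never match and the output log never fires; either `out+ d=all` is the intent and the next two lines are dead, or `d=all` should go and the interface rule should carry the policy. The `in+ p=ping,traceroute` line likewise has no `i=`/`s=` restriction, so the generated UDP rule for 33434:33523 and the ICMP rules accept on eth1 as well as on the trusted side, which may not be wanted on the external interface. The `dmz` network is defined but referenced nowhere. A one-line remark next to the example, e.g. `# out+ d=all macht die folgenden output-Regeln wirkungslos`, would keep later readers from copying the example as-is.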
Version vom 16. Dezember 2008, 19:53 Uhr
Diese Seite sollte nochmals überarbeitet werden. Eine Begründung befindet sich in der Regel unter Diskussion (oben). |
Firewall
Text kommt noch, jetzt erst einmal eine völlig unstrukturierte Materialsammlung:
Schau Dir mal ipfilter:uif an (Harry am 07.06.2008 in developer).
1. per default, alle tables auf drop
2. syntax: narrensicher
3. LDAP-Support
4. conf-Datei, keine GUI, können wir also leicht scripten
Als Vergleich die Werte von wc:
debby-3:/home/hjede/qemu-run# grep -Ev '(^#|^$)' /etc/uif/uif.conf |wc
     44      96     851
debby-3:/home/hjede/qemu-run# iptables-save |wc
     99     606    4448
Beispiel:
<source lang="text">
# uif.conf example; the iptables-save dump further down is the corresponding generated ruleset
service {
# name  proto(source-ports/destination-ports) ...
traceroute udp(32769:65535/33434:33523) icmp(11)
ping icmp(8)
ipp udp(/631)
}
network {
localhost 127.0.0.1
all 0.0.0.0/0
trusted 192.168.231.0/24
# dmz is defined but not used by any rule below
dmz 192.168.12.0/24
gateway 192.168.12.1
}
interface {
loop lo
ETHA eth0
ETH1 eth1
BR0 br0
# ETH0 is a group name covering eth0 and br0
ETH0 ETHA BR0
}
input {
in+ i=loop s=localhost
# trust is granted on source address alone (the dump matches -s first, then the interface);
# NOTE(review): a spoofed 192.168.231.x source would pass unless reverse-path filtering is active -- confirm
in+ i=ETH0 s=trusted
# no i=/s= here, so ping and the traceroute UDP range are accepted on every interface from any source
in+ p=ping,traceroute
in- p=ipp i=ETH1 f=reject
# everything else: rate-limited log entry, then reject
in- f=log(input),reject
}
output {
out+ o=loop d=localhost
# becomes an unconditional ACCEPT in the dump; the two rules after it never match
out+ d=all
out+ o=ETH0,ETH1
out- f=log(output),reject
}
forward {
fw+ i=BR0 o=BR0
# fw> = MSS clamping (TCPMSS --clamp-mss-to-pmtu in the dump) for TCP SYNs leaving via ETH1
fw> o=ETH1
fw+ o=ETH1 s=trusted
fw- f=log(forward),reject
}
masquerade {
# traffic from the trusted net to the gateway is logged before being masqueraded
masq+ o=ETH1 s=trusted d=gateway f=log(masq)
masq+ o=ETH1 s=trusted d=all
}
</source>
Und hier die lange & komplizierte Ausgabe von iptables-save:
<source lang="text">
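# Generated by iptables-save v1.3.6 on Sat Jun 7 13:13:25 2008
# (listing restored: the wiki rendering had turned the leading '#', '*' and ':' of every line into '- ',
#  which makes the dump unusable for iptables-restore; wrapped rules are joined back onto one line)
*nat
# built-in chains keep policy ACCEPT; [packets:bytes] are the counters at dump time
:PREROUTING ACCEPT [61495:5257743]
:POSTROUTING ACCEPT [22191:3933471]
:OUTPUT ACCEPT [6405:1246646]
:13MASQUERADElog - [0:0]
# masq+ o=ETH1 s=trusted d=gateway f=log(masq): trusted -> gateway is logged, then masqueraded
-A POSTROUTING -s 192.168.231.0/255.255.255.0 -d 192.168.12.1 -o eth1 -j 13MASQUERADElog
# masq+ o=ETH1 s=trusted d=all
-A POSTROUTING -s 192.168.231.0/255.255.255.0 -o eth1 -j MASQUERADE
-A 13MASQUERADElog -m limit --limit 20/min -j LOG --log-prefix "FW MASQUERADE (masq): " --log-level 7 --log-tcp-options --log-ip-options
-A 13MASQUERADElog -j MASQUERADE
COMMIT
# Completed on Sat Jun 7 13:13:25 2008
# Generated by iptables-save v1.3.6 on Sat Jun 7 13:13:25 2008
*filter
# policy DROP on all three built-in chains: whatever is not accepted below is dropped
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:12DROPlog - [0:0]
:1_1 - [0:0]
:4DROPlog - [0:0]
:8DROPlog - [0:0]
# the ACCOUNTING* chains are declared but contain no rules; they only count traffic
:ACCOUNTINGFORWARD - [0:0]
:ACCOUNTINGINPUT - [0:0]
:ACCOUNTINGOUTPUT - [0:0]
:ACCOUNTINGSTATELESSFORWARD - [0:0]
:ACCOUNTINGSTATELESSINPUT - [0:0]
:ACCOUNTINGSTATELESSOUTPUT - [0:0]
:MYREJECT - [0:0]
:STATEFORWARD - [0:0]
:STATEINPUT - [0:0]
:STATELESSFORWARD - [0:0]
:STATELESSINPUT - [0:0]
:STATELESSOUTPUT - [0:0]
:STATENOTNEW - [0:0]
:STATEOUTPUT - [0:0]
# INPUT: connection-state handling first, then the rules from the uif 'input' block in order
-A INPUT -j STATEINPUT
-A INPUT -s 127.0.0.1 -i lo -j ACCEPT
# 'in+ i=ETH0 s=trusted': matched on the source address alone here; 1_1 then checks for br0/eth0
-A INPUT -s 192.168.231.0/255.255.255.0 -j 1_1
# 'in+ p=ping,traceroute': no -i/-s, so these three rules accept on every interface from any source
-A INPUT -p udp -m udp --sport 32769:65535 --dport 33434:33523 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 631 -j MYREJECT
-A INPUT -j 4DROPlog
-A FORWARD -j STATEFORWARD
-A FORWARD -i br0 -o br0 -j ACCEPT
# 'fw> o=ETH1': clamp MSS to path MTU on TCP SYNs leaving via eth1
-A FORWARD -o eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -s 192.168.231.0/255.255.255.0 -o eth1 -j ACCEPT
-A FORWARD -j 12DROPlog
-A OUTPUT -j STATEOUTPUT
-A OUTPUT -d 127.0.0.1 -o lo -j ACCEPT
# 'out+ d=all' is an unconditional ACCEPT: the four OUTPUT rules after it, including the log+reject, are unreachable
-A OUTPUT -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
-A OUTPUT -o br0 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -j 8DROPlog
# *DROPlog chains: LOG limited to 20 lines/min at syslog level 7 (debug), then MYREJECT
-A 12DROPlog -m limit --limit 20/min -j LOG --log-prefix "FW REJECT (forward): " --log-level 7 --log-tcp-options --log-ip-options
-A 12DROPlog -j MYREJECT
-A 1_1 -i br0 -j ACCEPT
-A 1_1 -i eth0 -j ACCEPT
-A 4DROPlog -m limit --limit 20/min -j LOG --log-prefix "FW REJECT (input): " --log-level 7 --log-tcp-options --log-ip-options
-A 4DROPlog -j MYREJECT
-A 8DROPlog -m limit --limit 20/min -j LOG --log-prefix "FW REJECT (output): " --log-level 7 --log-tcp-options --log-ip-options
-A 8DROPlog -j MYREJECT
# MYREJECT: TCP is answered with a RST, everything else with ICMP port-unreachable
-A MYREJECT -p tcp -m tcp -j REJECT --reject-with tcp-reset
-A MYREJECT -j REJECT --reject-with icmp-port-unreachable
# STATE* chains: INVALID -> STATELESS* (log + drop); RELATED/ESTABLISHED -> ACCEPT; after those two
# only UNTRACKED can still match the last rule and is logged+dropped in STATENOTNEW;
# NEW matches nothing here and returns to the calling chain
-A STATEFORWARD -m state --state INVALID -j STATELESSFORWARD
-A STATEFORWARD -j ACCOUNTINGFORWARD
-A STATEFORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A STATEFORWARD -m state --state INVALID,RELATED,ESTABLISHED,UNTRACKED -j STATENOTNEW
-A STATEINPUT -m state --state INVALID -j STATELESSINPUT
-A STATEINPUT -j ACCOUNTINGINPUT
-A STATEINPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A STATEINPUT -m state --state INVALID,RELATED,ESTABLISHED,UNTRACKED -j STATENOTNEW
-A STATELESSFORWARD -j ACCOUNTINGSTATELESSFORWARD
-A STATELESSFORWARD -m limit --limit 20/min -j LOG --log-prefix "FW INVALID STATE: " --log-level 7 --log-tcp-options --log-ip-options
-A STATELESSFORWARD -j DROP
-A STATELESSINPUT -j ACCOUNTINGSTATELESSINPUT
-A STATELESSINPUT -m limit --limit 20/min -j LOG --log-prefix "FW INVALID STATE: " --log-level 7 --log-tcp-options --log-ip-options
-A STATELESSINPUT -j DROP
-A STATELESSOUTPUT -j ACCOUNTINGSTATELESSOUTPUT
-A STATELESSOUTPUT -m limit --limit 20/min -j LOG --log-prefix "FW INVALID STATE: " --log-level 7 --log-tcp-options --log-ip-options
-A STATELESSOUTPUT -j DROP
-A STATENOTNEW -m limit --limit 20/min -j LOG --log-prefix "FW STATE NOT NEW: " --log-level 7 --log-tcp-options --log-ip-options
-A STATENOTNEW -j DROP
-A STATEOUTPUT -m state --state INVALID -j STATELESSOUTPUT
-A STATEOUTPUT -j ACCOUNTINGOUTPUT
-A STATEOUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A STATEOUTPUT -m state --state INVALID,RELATED,ESTABLISHED,UNTRACKED -j STATENOTNEW
COMMIT
# Completed on Sat Jun 7 13:13:25 2008
# Generated by iptables-save v1.3.6 on Sat Jun 7 13:13:25 2008
*mangle
# mangle table untouched: policy ACCEPT everywhere and no rules
:PREROUTING ACCEPT [25994780:19965091246]
:INPUT ACCEPT [24155447:19040604203]
:FORWARD ACCEPT [6557432:3191342180]
:OUTPUT ACCEPT [24433500:25546765616]
:POSTROUTING ACCEPT [32829626:29312519572]
COMMIT
# Completed on Sat Jun 7 13:13:25 2008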
</source>
Attacken abwehren
apt-get install fail2ban
Datei "/etc/fail2ban/jail.conf" bearbeiten:
# excerpt from /etc/fail2ban/jail.conf
# NOTE(review): the package overwrites jail.conf on upgrade; the same keys in jail.local override it -- confirm for the installed version
# ignoreip / bantime normally sit in the [DEFAULT] section (header not shown here) and apply to every jail
# addresses that are never banned; <weitere IP> is a placeholder for further trusted addresses (e.g. the admin workstation)
ignoreip = 127.0.0.1 <weitere IP>
# seconds a banned address stays blocked
bantime = 3600
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
# failed logins before the ban triggers
maxretry = 3
Einlesen:
/etc/init.d/fail2ban restart
in "/var/log/fail2ban.log" seht ihr anschließend das sehr spannende Ergebnis.
Weblinks