Entwicklungsumgebung/Firewall: Difference between revisions

From Delixs
(collect)
Line 5: Line 5:
== Firewall ==
== Firewall ==


Text to follow
Text to follow; for now just a completely unstructured collection of material:
 
Have a look at ipfilter:uif (Harry on 07.06.2008 in developer).
 
1. by default, all tables set to drop
2. syntax: foolproof
3. LDAP support
4. conf file, no GUI, so we can script it easily
 
For comparison, the wc counts:
 
debby-3:/home/hjede/qemu-run# grep -Ev '(^#|^$)' /etc/uif/uif.conf |wc
    44      96    851
debby-3:/home/hjede/qemu-run# iptables-save |wc
    99    606    4448
 
 
Example:
 
<source lang="text">
service {
    traceroute  udp(32769:65535/33434:33523) icmp(11)
    ping        icmp(8)
    ipp        udp(/631)
}
network {
    localhost  127.0.0.1
    all        0.0.0.0/0
    trusted    192.168.231.0/24
    dmz        192.168.12.0/24
    gateway    192.168.12.1
}
interface {
    loop    lo
    ETHA        eth0
    ETH1        eth1
    BR0        br0
    ETH0        ETHA BR0
}
input {
    in+  i=loop    s=localhost
    in+  i=ETH0 s=trusted
    in+  p=ping,traceroute
    in-  p=ipp i=ETH1 f=reject
    in-  f=log(input),reject
}
output {
    out+ o=loop    d=localhost
    out+ d=all
    out+ o=ETH0,ETH1
    out- f=log(output),reject
}
forward {
    fw+  i=BR0 o=BR0
    fw> o=ETH1
    fw+ o=ETH1 s=trusted
    fw-  f=log(forward),reject
}
masquerade {
    masq+ o=ETH1 s=trusted d=gateway f=log(masq)
    masq+ o=ETH1 s=trusted d=all
}
</source>
 
 
And here is the long and complicated output of iptables-save:
 
<source lang="text">
# Generated by iptables-save v1.3.6 on Sat Jun  7 13:13:25 2008
*nat
:PREROUTING ACCEPT [61495:5257743]
:POSTROUTING ACCEPT [22191:3933471]
:OUTPUT ACCEPT [6405:1246646]
:13MASQUERADElog - [0:0]
-A POSTROUTING -s 192.168.231.0/255.255.255.0 -d 192.168.12.1 -o eth1 -j 13MASQUERADElog
-A POSTROUTING -s 192.168.231.0/255.255.255.0 -o eth1 -j MASQUERADE
-A 13MASQUERADElog -m limit --limit 20/min -j LOG --log-prefix "FW MASQUERADE (masq): " --log-level 7 --log-tcp-options --log-ip-options
-A 13MASQUERADElog -j MASQUERADE
COMMIT
# Completed on Sat Jun  7 13:13:25 2008
# Generated by iptables-save v1.3.6 on Sat Jun  7 13:13:25 2008
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:12DROPlog - [0:0]
:1_1 - [0:0]
:4DROPlog - [0:0]
:8DROPlog - [0:0]
:ACCOUNTINGFORWARD - [0:0]
:ACCOUNTINGINPUT - [0:0]
:ACCOUNTINGOUTPUT - [0:0]
:ACCOUNTINGSTATELESSFORWARD - [0:0]
:ACCOUNTINGSTATELESSINPUT - [0:0]
:ACCOUNTINGSTATELESSOUTPUT - [0:0]
:MYREJECT - [0:0]
:STATEFORWARD - [0:0]
:STATEINPUT - [0:0]
:STATELESSFORWARD - [0:0]
:STATELESSINPUT - [0:0]
:STATELESSOUTPUT - [0:0]
:STATENOTNEW - [0:0]
:STATEOUTPUT - [0:0]
-A INPUT -j STATEINPUT
-A INPUT -s 127.0.0.1 -i lo -j ACCEPT
-A INPUT -s 192.168.231.0/255.255.255.0 -j 1_1
-A INPUT -p udp -m udp --sport 32769:65535 --dport 33434:33523 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 631 -j MYREJECT
-A INPUT -j 4DROPlog
-A FORWARD -j STATEFORWARD
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -o eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -s 192.168.231.0/255.255.255.0 -o eth1 -j ACCEPT
-A FORWARD -j 12DROPlog
-A OUTPUT -j STATEOUTPUT
-A OUTPUT -d 127.0.0.1 -o lo -j ACCEPT
-A OUTPUT -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
-A OUTPUT -o br0 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -j 8DROPlog
-A 12DROPlog -m limit --limit 20/min -j LOG --log-prefix "FW REJECT (forward): " --log-level 7 --log-tcp-options --log-ip-options
-A 12DROPlog -j MYREJECT
-A 1_1 -i br0 -j ACCEPT
-A 1_1 -i eth0 -j ACCEPT
-A 4DROPlog -m limit --limit 20/min -j LOG --log-prefix "FW REJECT (input): " --log-level 7 --log-tcp-options --log-ip-options
-A 4DROPlog -j MYREJECT
-A 8DROPlog -m limit --limit 20/min -j LOG --log-prefix "FW REJECT (output): " --log-level 7 --log-tcp-options --log-ip-options
-A 8DROPlog -j MYREJECT
-A MYREJECT -p tcp -m tcp -j REJECT --reject-with tcp-reset
-A MYREJECT -j REJECT --reject-with icmp-port-unreachable
-A STATEFORWARD -m state --state INVALID -j STATELESSFORWARD
-A STATEFORWARD -j ACCOUNTINGFORWARD
-A STATEFORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A STATEFORWARD -m state --state INVALID,RELATED,ESTABLISHED,UNTRACKED -j STATENOTNEW
-A STATEINPUT -m state --state INVALID -j STATELESSINPUT
-A STATEINPUT -j ACCOUNTINGINPUT
-A STATEINPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A STATEINPUT -m state --state INVALID,RELATED,ESTABLISHED,UNTRACKED -j STATENOTNEW
-A STATELESSFORWARD -j ACCOUNTINGSTATELESSFORWARD
-A STATELESSFORWARD -m limit --limit 20/min -j LOG --log-prefix "FW INVALID STATE: " --log-level 7 --log-tcp-options --log-ip-options
-A STATELESSFORWARD -j DROP
-A STATELESSINPUT -j ACCOUNTINGSTATELESSINPUT
-A STATELESSINPUT -m limit --limit 20/min -j LOG --log-prefix "FW INVALID STATE: " --log-level 7 --log-tcp-options --log-ip-options
-A STATELESSINPUT -j DROP
-A STATELESSOUTPUT -j ACCOUNTINGSTATELESSOUTPUT
-A STATELESSOUTPUT -m limit --limit 20/min -j LOG --log-prefix "FW INVALID STATE: " --log-level 7 --log-tcp-options --log-ip-options
-A STATELESSOUTPUT -j DROP
-A STATENOTNEW -m limit --limit 20/min -j LOG --log-prefix "FW STATE NOT NEW: " --log-level 7 --log-tcp-options --log-ip-options
-A STATENOTNEW -j DROP
-A STATEOUTPUT -m state --state INVALID -j STATELESSOUTPUT
-A STATEOUTPUT -j ACCOUNTINGOUTPUT
-A STATEOUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A STATEOUTPUT -m state --state INVALID,RELATED,ESTABLISHED,UNTRACKED -j STATENOTNEW
COMMIT
# Completed on Sat Jun  7 13:13:25 2008
# Generated by iptables-save v1.3.6 on Sat Jun  7 13:13:25 2008
*mangle
:PREROUTING ACCEPT [25994780:19965091246]
:INPUT ACCEPT [24155447:19040604203]
:FORWARD ACCEPT [6557432:3191342180]
:OUTPUT ACCEPT [24433500:25546765616]
:POSTROUTING ACCEPT [32829626:29312519572]
COMMIT
# Completed on Sat Jun  7 13:13:25 2008
</source>
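To check the first point of the list above (all built-in chains on DROP by default) against a dump like the one just shown, here is an added audit script; it is not part of the wiki page or of uif. It parses iptables-save output, reports filter chains whose policy is not DROP, and flags a chain where a match-less `-j ACCEPT` (as in the `-A OUTPUT -j ACCEPT` line above) makes the DROP policy and every later rule unreachable; the sample dump is constructed.

```python
import re

# Constructed excerpt in iptables-save format; like the dump on this page,
# OUTPUT carries an unconditional ACCEPT ahead of its interface rules.
SAMPLE = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
:MYREJECT - [0:0]
-A INPUT -s 127.0.0.1 -i lo -j ACCEPT
-A OUTPUT -d 127.0.0.1 -o lo -j ACCEPT
-A OUTPUT -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
-A MYREJECT -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""

def parse(dump):
    """Map each table to its chain policies ('-' = user-defined) and rules."""
    tables, cur = {}, None
    for line in (l.strip() for l in dump.splitlines()):
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):                       # table header
            cur = tables.setdefault(line[1:], {"policy": {}, "rules": {}})
        elif line.startswith(":"):                     # chain declaration
            chain, policy = line[1:].split()[:2]
            cur["policy"][chain] = policy
            cur["rules"].setdefault(chain, [])
        elif line.startswith("-A "):                   # rule appended to a chain
            cur["rules"].setdefault(line.split()[1], []).append(line)
    return tables

def audit(dump):
    """Findings for the filter table: built-in chains not on DROP, and chains
    where a match-less ACCEPT means the policy and later rules never apply."""
    findings = []
    filt = parse(dump).get("filter", {"policy": {}, "rules": {}})
    for chain, policy in filt["policy"].items():
        if policy == "-":                              # user-defined, no policy
            continue
        if policy != "DROP":
            findings.append(f"{chain}: policy is {policy}, not DROP")
        for n, rule in enumerate(filt["rules"][chain], 1):
            if re.fullmatch(rf"-A {re.escape(chain)} -j ACCEPT", rule):
                findings.append(f"{chain}: rule {n} accepts everything, DROP policy and later rules unreachable")
                break
    return findings
```

Run it on `iptables-save` output from the box to see whether the compact uif rules really leave every built-in chain on DROP, or whether an `out+ d=all` style rule has made the policy moot.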
 
 





Revision as of 16 December 2008, 19:53

Needs rework: This page should be revised once more. The reasoning is usually given under Discussion (above).





Fending off attacks

 apt-get install fail2ban

Edit the file "/etc/fail2ban/jail.conf":


 ignoreip = 127.0.0.1 <weitere IP>
 bantime  = 3600
 [ssh]
 enabled = true
 port    = ssh
 filter  = sshd
 logpath  = /var/log/auth.log
 maxretry = 3

Reload:

 /etc/init.d/fail2ban restart

Afterwards you will see the very interesting result in "/var/log/fail2ban.log".
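As an added example (not from the wiki page or from fail2ban itself), here is a replay of the jail settings above against sshd log lines: it applies ignoreip, maxretry = 3 and the sshd "Failed password" match to a constructed auth.log excerpt and returns the addresses that would land in fail2ban.log as banned. findtime is not set on the page, so fail2ban's default of 600 seconds is assumed, as is the year 2008 for the syslog timestamps.

```python
import re
from datetime import datetime

# Settings from the jail above; findtime is not set on the page, so
# fail2ban's default of 600 s is assumed here.
IGNOREIP = {"127.0.0.1"}
MAXRETRY = 3
FINDTIME = 600

# Constructed /var/log/auth.log excerpt; the year is assumed to be 2008.
AUTH_LOG = """\
Jun  7 13:10:01 debby-3 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
Jun  7 13:10:04 debby-3 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2
Jun  7 13:10:09 debby-3 sshd[2240]: Failed password for root from 203.0.113.7 port 51002 ssh2
Jun  7 13:11:00 debby-3 sshd[2250]: Failed password for hjede from 127.0.0.1 port 40000 ssh2
Jun  7 13:11:02 debby-3 sshd[2250]: Failed password for hjede from 127.0.0.1 port 40000 ssh2
Jun  7 13:11:05 debby-3 sshd[2250]: Failed password for hjede from 127.0.0.1 port 40000 ssh2
Jun  7 13:12:00 debby-3 sshd[2260]: Failed password for hjede from 192.168.231.5 port 40100 ssh2
Jun  7 13:40:00 debby-3 sshd[2270]: Failed password for hjede from 192.168.231.5 port 40101 ssh2
Jun  7 13:41:00 debby-3 sshd[2271]: Failed password for hjede from 192.168.231.5 port 40102 ssh2
Jun  7 13:41:30 debby-3 sshd[2272]: Accepted password for hjede from 192.168.231.5 port 40103 ssh2
"""

# The same kind of match the sshd filter makes: timestamp and source address.
FAILED = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                    r"Failed password for .* from (\d+\.\d+\.\d+\.\d+) port")

def bans(log, year=2008):
    """Addresses the jail would ban, in the order their MAXRETRY-th failure
    inside a FINDTIME window is seen; IGNOREIP hosts are never banned."""
    window, banned = {}, []
    for line in log.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S").timestamp()
        ip = m.group(2)
        if ip in IGNOREIP or ip in banned:
            continue
        # keep only failures still inside the window, then add this one
        hits = [t for t in window.get(ip, []) if ts - t <= FINDTIME] + [ts]
        window[ip] = hits
        if len(hits) >= MAXRETRY:
            banned.append(ip)
    return banned
```

Only 203.0.113.7 is banned: 127.0.0.1 is on ignoreip, and the three failures from 192.168.231.5 are spread over more than findtime, so they never reach maxretry inside one window.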


Web links


