Cursos Servidores con Centos 6
Sistema Operativo ALDOS
Dezoft

Si algunos de nuestros foros, manuales, ALDOS, paquetería o proyectos te han resultado de ayuda, apreciaremos mucho nos apoyes con un donativo.

 Índice > Todo acerca de Linux > Seguridad Nuevo tema Publicar Respuesta
 firewall error
Tema anterior Tema siguiente
   
edidanilo
Publicado en 11/04/07 06:09 (Leído 4816 veces)  

Nuevo
Forum User

Inscrito: 21/02/07 Publicaciones: 3
estimados amigos tengo el siguiente problema de firewall en un server red hat enterprice linux 4 2.6.9-5.ELsmp:

starting firewall:
iptables: no chain/tarjget/match by that name
iptables: no chain/tarjget/match by that name
iptables: no chain/tarjget/match by that name
iptables: no chain/tarjget/match by that name
etc.......

bien mi firewall es:
#!/bin/sh
# iptables, by Technion
# $Id: iptables,v 1.33 2002/11/20 23:22:16 technion Exp $
# chkconfig: 2345 08 80
# description: Script for setting IPTABLES rules
# processname: iptables


# Is this script to be run on Red Hat Linux? If not, set to "NO"
REDHAT="YES"

# Network information you will need to adjust
INTERNALIF="eth0" #La interface de red interna
INTERNALNET="10.2.19.0/24" #El id de red interna
INTERNALBCAST="10.2.19.255" #La direccion de broadcast interna
EXTERNALIF="eth1" #La interface de red externa
EXTERNALNET="190.11.27.0/24" #Id de red externa
#Para el servicio nat y dnat para que pag externas se puedan ver en mi red interna
#Para exhibir las pag internas en la red externa
MYADDR="190.11.27.151" # Only needed for DNAT, leave out otherwise

# Pathnames
DMESG="/bin/dmesg"
IPTABLES="`which iptables`"
MODPROBE="/sbin/modprobe"


# This is a batch of Red Hat Linux-specific commands
# that enable a user to call the script with a start/stop/restart
# argument.
if [ X"$REDHAT" = X"YES" ]; then
. /etc/rc.d/init.d/functions
case "$1" in
stop)
action "Shutting down firewall:" echo
$IPTABLES -F
$IPTABLES -P FORWARD DROP
exit 0
;;
status)
echo "Iptables no soporta status "
exit 0
;;
restart|reload)
$0 stop
exec $0 start
;;
start)
action "Starting Firewall:" echo
;;
*)
echo "Use: firewall (start|stop|restart)"
exit 1
esac
fi


################################################################
#Insert modules- should be done automatically if needed
dmesg -n 1 #Kill copyright display on module load
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
#
## Flush everything, start from scratch
#
# Incoming packets from the outside network
$IPTABLES -F INPUT
# Outgoing packets from the internal network
$IPTABLES -F OUTPUT
# Forwarding/masquerading
$IPTABLES -F FORWARD
#Nat table
$IPTABLES -t nat -F
##Setup sysctl controls which affect tcp/ip

#
#Disabling IP Spoofing attacks.
#Comment this line out when using IPSEC
echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter

#Don't respond to broadcast pings
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

#Defragment all Packets
#Default now

#Enable forwarding
echo 1 >/proc/sys/net/ipv4/ip_forward

#Block source routing
echo 0 >/proc/sys/net/ipv4/conf/all/accept_source_route

#Kill timestamps. These have been the subject of a recent bugtraq thread
echo 0 > /proc/sys/net/ipv4/tcp_timestamps

#Enable SYN Cookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

#Kill redirects
echo 0 >/proc/sys/net/ipv4/conf/all/accept_redirects

#Enable bad error message protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

#Allow dynamic ip addresses
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

#Log martians (packets with impossible addresses)
#RiVaL said that certain NICs don't like this. Comment out if necessary.
echo 1 >/proc/sys/net/ipv4/conf/all/log_martians

#Set out local port range
echo "32768 61000" >/proc/sys/net/ipv4/ip_local_port_range

#Reduce DoS'ing ability by reducing timeouts
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 1 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack
echo 1280 > /proc/sys/net/ipv4/tcp_max_syn_backlog


##Set basic rules
#
#Note that unlike ipchains, rules passing through a FORWARD chain do NOT
#also have to pass through an INPUT chain.

#Kill ANY stupid packets, including
#-Packets that are too short to have a full ICMP/UDP/TCP header
#- TCP and UDP packets with zero (illegal) source and destination ports
#-Illegal combinations of TCP flags
#-Zero-length (illegal) or over-length TCP and IP options,
# or options after the END-OF-OPTIONS option
#-Fragments of illegal length or offset (e.g., Ping of Death).
#Above list ripped from http://www.linux-mag.com/2000-01/bestdefense_02.html

#This has been found to be a little buggy. Removed for now.
$IPTABLES -A INPUT -m unclean -j DROP
$IPTABLES -A FORWARD -m unclean -j DROP

#Kill invalid packets (illegal combinations of flags)
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A FORWARD -m state --state INVALID -j DROP


# Allow all connections on the internal interface
#

$IPTABLES -A INPUT -i lo -j DROP

#Kill connections to the local interface from the outside world.
$IPTABLES -A INPUT -d 127.0.0.0/8 -j DROP


#Allow unlimited traffic from internal network using legit addresses
$IPTABLES -A INPUT -i $INTERNALIF -s $INTERNALNET -j ACCEPT
#
#Allow IPV6 tunnel traffic
#$IPTABLES -A INPUT -p ipv6 -j ACCEPT

#Allow IPSEC tunnel traffic
#$IPTABLES -A INPUT -p 50 -j ACCEPT
$IPTABLES -A INPUT -p tcp -d 1723 -j ACCEPT
#Allow all traffic from the ipsec device to the internal network
#$IPTABLES -A FORWARD -i ipsec0 -o $INTERNALIF -j ACCEPT
#Allow key negotiation
#$IPTABLES -A INPUT -p udp --dport 500 -j ACCEPT

#Kill anything from outside claiming to be from internal network
$IPTABLES -A INPUT -i $EXTERNALIF -s $INTERNALNET -j DROP

##ICMP
#ping don't forward pings going inside
$IPTABLES -A FORWARD -p icmp --icmp-type echo-request -o $INTERNALIF -j DROP
#ping flood protection
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j DROP
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j DROP
#Deny icmp to broadcast address
$IPTABLES -A INPUT -p icmp -d $INTERNALBCAST -j DROP

#Allow all other icmp
#Esta linea sirve para que mi red interna pueda hacer ping entre ellas si cambiamos a drop o reject
#se eliminaran los paquetes icmp o se rechazaran respectivamente
$IPTABLES -A INPUT -p icmp -j DROP

##Allow established connections
#Unlike ipchains, we don't have to go through the business of allowing
#a local port range- just allow all connections already established.

$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#Note that unlike ipchains, the following must be enabled even with masquerading
#Don't forward SMB related traffic Estos son los puertos que estamos utilizando
#$IPTABLES -A FORWARD -o $EXTERNALIF -p tcp --dport 1:3000 DROP
$IPTABLES -A FORWARD -o $EXTERNALIF -p tcp --dport 137 -j REJECT
$IPTABLES -A FORWARD -o $EXTERNALIF -p tcp --dport 138 -j REJECT
$IPTABLES -A FORWARD -o $EXTERNALIF -p tcp --dport 139 -j REJECT
$IPTABLES -A FORWARD -o $EXTERNALIF -p udp --dport 137 -j REJECT
$IPTABLES -A FORWARD -o $EXTERNALIF -p udp --dport 138 -j REJECT
$IPTABLES -A FORWARD -o $EXTERNALIF -p udp --dport 139 -j REJECT

$IPTABLES -A FORWARD -o $EXTERNALIF -p tcp --dport 80 -j ACCEPT
$IPTABLES -A FORWARD -o $EXTERNALIF -p tcp --dport 1723 -j ACCEPT

$IPTABLES -A INPUT -i $EXTERNALIF -p udp --dport 137 -j ACCEPT
$IPTABLES -A FORWARD -o $EXTERNALIF -p icmp -j DROP
#Samba Share
#$IPTABLES -A INPUT -p tcp --dport 137 -j ACCEPT
#$IPTABLES -A INPUT -p udp --dport 137 -j ACCEPT
#$IPTABLES -A INPUT -p tcp --dport 138 -j ACCEPT
#$IPTABLES -A INPUT -p udp --dport 138 -j ACCEPT
#$IPTABLES -A INPUT -p tcp --dport 139 -j ACCEPT
#$IPTABLES -A INPUT -p udp --dport 139 -j ACCEPT
#
#Allow ALL other forwarding going out
$IPTABLES -A FORWARD -o $EXTERNALIF -i $INTERNALIF -j ACCEPT

#Allow replies coming in

$IPTABLES -A FORWARD -i $EXTERNALIF -m state --state ESTABLISHED,RELATED -j ACCEPT


#Whack allowances
#Allow DHCP- Optus users need this
#$IPTABLES -A INPUT -p udp -d 255.255.255.255 --dport 68 -j ACCEPT

#Allow yourself to be a DHCP server for your inside network
#Necessary because the default rule allowing valid addresses ignores broadcast
#$IPTABLES -A INPUT -i $INTERNALIF -p tcp --sport 68 --dport 67 -j ACCEPT
#$IPTABLES -A INPUT -i $INTERNALIF -p udp --sport 68 --dport 67 -j ACCEPT

#Allow nameserver packets. Different versions of iptables seem to error here.
#Comment out if necessary.

cat /etc/resolv.conf | \
awk '/^nameserver/ {print $2}' | \
xargs -n1 $IPTABLES -A INPUT -p udp --sport 53 -j ACCEPT -s

#Allow Telstra hearbeat
#This section is propz to Defed
#$IPTABLES -A INPUT -p udp --sport 5050 -j ACCEPT
#$IPTABLES -A INPUT -p udp --sport 5051 -j ACCEPT

#From here on, we're dealing with connection attempts.
#The -m limit is a DoS protection on connects
#First we allow a certain amount of connections per second
#DROP the rest (so we don't DoS ourself with rejections)
#We don't limit normal packets (!syn) by allowing the rest
##Basic services. Uncomment to allow in.

# ftp-data
$IPTABLES -A INPUT -p tcp --dport 20 -j DROP
# ftp
$IPTABLES -A INPUT -p tcp --dport 21 -j DROP
# ssh
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
#telnet
$IPTABLES -A INPUT -p tcp --dport 23 -j ACCEPT
# smtp One per second limt -burst rate of ten
#$IPTABLES -A INPUT -p tcp --dport 25 --syn -m limit --limit 1/s \
# --limit-burst 10 -j ACCEPT
#$IPTABLES -A INPUT -p tcp --dport 25 --syn -j DROP
#Correo electronico
$IPTABLES -A INPUT -p tcp --dport 25 -j ACCEPT

# DNS
$IPTABLES -A INPUT -p tcp --dport 53 -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 53 -j ACCEPT
# http
$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT
# POP-3
$IPTABLES -A INPUT -p tcp --dport 110 -j ACCEPT
# identd
#$IPTABLES -A INPUT -p tcp --dport 113 -j ACCEPT
# https
#$IPTABLES -A INPUT -p tcp --dport 443 -j ACCEPT
#VNC Server
#$IPTABLES -A INPUT -p tcp --dport 5801 -j ACCEPT
#$IPTABLES -A INPUT -p tcp --dport 5901 -j ACCEPT
#$IPTABLES -A INPUT -p tcp --dport 6001 -j ACCEPT
#Webmin
$IPTABLES -A INPUT -p tcp --dport 10000 -j ACCEPT
#pptp
$IPTABLES -A INPUT -p tcp --dport 1723 -j ACCEPT

##DNAT
#Modify addresses and uncomment to allow DNAT (port forwarding)

#Send web requests to an internal machine
#Send mail to an internal machine
#CONFIGURACION DE NAT TELNET
#$IPTABLES -A PREROUTING -t nat -i $EXTERNALIF -p tcp -d $MYADDR --dport 23 \
# -j DNAT --to 192.168.10.4:23
#$IPTABLES -A FORWARD -i $EXTERNALIF -p tcp -d 192.168.10.4 --dport 23 -j ACCEPT


##Some ports should be denied and logged.
$IPTABLES -A INPUT -p tcp --dport 1433 -m limit -j LOG \
--log-prefix "Firewalled packet: MSSQL "

$IPTABLES -A INPUT -p tcp --dport 1433 -j DROP
$IPTABLES -A INPUT -p tcp --dport 6670 -m limit -j LOG \
--log-prefix "Firewalled packet: Deepthrt "
$IPTABLES -A INPUT -p tcp --dport 6670 -j DROP
$IPTABLES -A INPUT -p tcp --dport 6711 -m limit -j LOG \
--log-prefix "Firewalled packet: Sub7 "
$IPTABLES -A INPUT -p tcp --dport 6711 -j DROP
$IPTABLES -A INPUT -p tcp --dport 6712 -m limit -j LOG \
--log-prefix "Firewalled packet: Sub7 "
$IPTABLES -A INPUT -p tcp --dport 6712 -j DROP
$IPTABLES -A INPUT -p tcp --dport 6713 -m limit -j LOG \
--log-prefix "Firewalled packet: Sub7 "
$IPTABLES -A INPUT -p tcp --dport 6713 -j DROP

$IPTABLES -A INPUT -p tcp --dport 12345 -m limit -j LOG \
--log-prefix "Firewalled packet: Netbus "
$IPTABLES -A INPUT -p tcp --dport 12345 -j DROP
$IPTABLES -A INPUT -p tcp --dport 12346 -m limit -j LOG \
--log-prefix "Firewalled packet: Netbus "
$IPTABLES -A INPUT -p tcp --dport 12346 -j DROP
$IPTABLES -A INPUT -p tcp --dport 20034 -m limit -j LOG \
--log-prefix "Firewalled packet: Netbus "
$IPTABLES -A INPUT -p tcp --dport 20034 -j DROP
$IPTABLES -A INPUT -p tcp --dport 31337 -m limit -j LOG \
--log-prefix "Firewalled packet: BO "
$IPTABLES -A INPUT -p tcp --dport 31337 -j DROP
$IPTABLES -A INPUT -p tcp --dport 6000 -m limit -j LOG \
--log-prefix "Firewalled packet: XWin "
$IPTABLES -A INPUT -p tcp --dport 6000 -j DROP


#Traceroutes depend on finding a rejected port. DROP the ones it uses

$IPTABLES -A INPUT -p udp --dport 33434:33523 -j DROP

#Don't log ident because it gets hit all the time eg connecting to an irc server
$IPTABLES -A INPUT -p tcp --dport 113 -j REJECT

#Don't log igmp. Some people get too many of these
$IPTABLES -A INPUT -p igmp -j REJECT
#Don't log web or ssl because people surfing for long times lose connection
#tracking and cause the system to create a new one, flooding logs.
$IPTABLES -A INPUT -p tcp --dport 80 -j REJECT
$IPTABLES -A INPUT -p tcp --dport 443 -j REJECT

##Catch all rules.
#iptables reverts to these if it hasn't matched any of the previous rules.
#Log. There's no point logging noise. There's too much of it.
#Just log connection requests
$IPTABLES -A INPUT -p tcp --syn -m limit --limit 5/minute -j LOG \
--log-prefix "Firewalled packet:"
$IPTABLES -A FORWARD -p tcp --syn -m limit --limit 5/minute -j LOG \
--log-prefix "Firewalled packet:"
#Reject
$IPTABLES -A INPUT -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A INPUT -p all -j DROP

$IPTABLES -A FORWARD -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A FORWARD -p all -j DROP
#Accept it anyway if it's only output
$IPTABLES -A OUTPUT -j ACCEPT

#Masquerade internal connections going out.
$IPTABLES -A POSTROUTING -t nat -o $EXTERNALIF -j MASQUERADE

$IPTABLES -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j \
REDIRECT --to-port 8080

exit 0
 
Perfil
 Citar
Contenido generado en: 0,04 segundos Nuevo tema Publicar Respuesta
 Todas las horas son UTC. Hora actual 04:12 .
Tema normal Tema normal
Tema persistente Tema persistente
Tema cerrado Tema cerrado
Nueva publicación Nueva publicación
Persistente con nueva publicación Persistente con nueva publicación
Cerrado con nueva publicación Cerrado con nueva publicación
Ver publicaciones anónimas 
Usuarios anónimos pueden publicar 
Se permite HTML Filtrado 
Contenido censurado