Leg eine Datei mit dem folgenden Inhalt an:
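# Filter table for an INPUT-only host firewall: FORWARD is dropped, OUTPUT is open.
# Incoming packets flow: lo -> SPOOF_CHK -> STATE_CHK -> SANITY_CHK / TCP_CHK / UDP_CHK / ICMP_CHK -> CUST_LOG.
# Every sub-chain either ACCEPTs explicitly or falls back into INPUT, whose last rule hands the
# packet to CUST_LOG; CUST_LOG ends in an unconditional DROP. The INPUT policy is DROP so that a
# partially loaded or flushed ruleset fails closed instead of open (effective behaviour is unchanged).
# Lines beginning with '#' are ignored by iptables-restore; no trailing comments are used.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:CUST_LOG - [0:0]
:ICMP_CHK - [0:0]
:SANITY_CHK - [0:0]
:SPOOF_CHK - [0:0]
:STATE_CHK - [0:0]
:TCP_CHK - [0:0]
:UDP_CHK - [0:0]
# Loopback first: without this, local-only services (e.g. a daemon bound to 127.0.0.1) reach
# CUST_LOG and are logged as probes and dropped.
[0:0] -A INPUT -i lo -j ACCEPT
# Source-address check; must come after the lo accept because it drops 127.0.0.0/8 sources.
[0:0] -A INPUT -j SPOOF_CHK
[0:0] -A INPUT -j STATE_CHK
[0:0] -A INPUT -p tcp -j SANITY_CHK
[0:0] -A INPUT -p tcp -j TCP_CHK
[0:0] -A INPUT -p udp -j UDP_CHK
[0:0] -A INPUT -p icmp -j ICMP_CHK
# Catch-all; CUST_LOG never returns, so no rule may follow this one.
[0:0] -A INPUT -j CUST_LOG
# CUST_LOG: classify, log (syslog level 7 = debug) and drop. Every pattern is a LOG/DROP pair
# because LOG is a non-terminating target. The flag sets below never occur in legitimate TCP.
[0:0] -A CUST_LOG -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN -j LOG --log-prefix "ILLEGAL " --log-level 7 --log-tcp-options --log-ip-options
[0:0] -A CUST_LOG -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN -j DROP
[0:0] -A CUST_LOG -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH -j LOG --log-prefix "ILLEGAL " --log-level 7 --log-tcp-options --log-ip-options
[0:0] -A CUST_LOG -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH -j DROP
[0:0] -A CUST_LOG -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,ACK -j LOG --log-prefix "ILLEGAL " --log-level 7 --log-tcp-options --log-ip-options
[0:0] -A CUST_LOG -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,ACK -j DROP
[0:0] -A CUST_LOG -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,PSH -j LOG --log-prefix "ILLEGAL " --log-level 7 --log-tcp-options --log-ip-options
[0:0] -A CUST_LOG -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,PSH -j DROP
[0:0] -A CUST_LOG -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST -j LOG --log-prefix "ILLEGAL " --log-level 7 --log-tcp-options --log-ip-options
[0:0] -A CUST_LOG -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST -j DROP
[0:0] -A CUST_LOG -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH -j LOG --log-prefix "ILLEGAL " --log-level 7 --log-tcp-options --log-ip-options
[0:0] -A CUST_LOG -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH -j DROP
[0:0] -A CUST_LOG -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK -j LOG --log-prefix "ILLEGAL " --log-level 7 --log-tcp-options --log-ip-options
[0:0] -A CUST_LOG -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK -j DROP
[0:0] -A CUST_LOG -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK -j LOG --log-prefix "ILLEGAL " --log-level 7 --log-tcp-options --log-ip-options
[0:0] -A CUST_LOG -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK -j DROP
[0:0] -A CUST_LOG -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j LOG --log-prefix "ILLEGAL " --log-level 7 --log-tcp-options --log-ip-options
[0:0] -A CUST_LOG -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
# Scan signatures: ACK-only on a NEW conntrack entry, FIN-only, FIN+PSH+URG (xmas) and no flags (null).
[5:200] -A CUST_LOG -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG ACK -m state --state NEW -j LOG --log-prefix "ACKSCAN " --log-level 7 --log-tcp-options --log-ip-options
[5:200] -A CUST_LOG -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG ACK -m state --state NEW -j DROP
[0:0] -A CUST_LOG -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j LOG --log-prefix "FINSCAN " --log-level 7 --log-tcp-options --log-ip-options
[0:0] -A CUST_LOG -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j DROP
[0:0] -A CUST_LOG -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j LOG --log-prefix "XMASSCAN " --log-level 7 --log-tcp-options --log-ip-options
[0:0] -A CUST_LOG -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
[0:0] -A CUST_LOG -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j LOG --log-prefix "NULLSCAN " --log-level 7 --log-tcp-options --log-ip-options
[0:0] -A CUST_LOG -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
# Well-known probe targets, tagged separately from ALL_ELSE for easier log triage. Service names
# are resolved on the host that loads this file (normally via /etc/services); a name unknown there
# makes iptables-restore reject the whole table, so numeric ports are the portable choice.
[17:680] -A CUST_LOG -p tcp -m multiport --dports telnet,81,sunrpc,snmp,microsoft-ds,printer,555,1234,1241,1243,ms-sql-s,ica,nfs,mysql -j LOG --log-prefix "PROBE " --log-level 7 --log-tcp-options --log-ip-options
[17:680] -A CUST_LOG -p tcp -m multiport --dports telnet,81,sunrpc,snmp,microsoft-ds,printer,555,1234,1241,1243,ms-sql-s,ica,nfs,mysql -j DROP
# NOTE(review): the token "2445 2" in the next two lines is not a valid port as pasted (it looks
# like one number split by a line wrap) and iptables-restore will fail on it; put the intended
# port back before loading.
[8:320] -A CUST_LOG -p tcp -m multiport --dports squid,3389,5631,5632,6635,webcache,9055,12345,2445 2,asp,27573,31337,42484 -j LOG --log-prefix "PROBE " --log-level 7 --log-tcp-options --log-ip-options
[8:320] -A CUST_LOG -p tcp -m multiport --dports squid,3389,5631,5632,6635,webcache,9055,12345,2445 2,asp,27573,31337,42484 -j DROP
[0:0] -A CUST_LOG -p udp -m multiport --dports ssh,snmp,1025,3283,5634,5882,28431,31337,31789 -j LOG --log-prefix "PROBE " --log-level 7 --log-ip-options
[0:0] -A CUST_LOG -p udp -m multiport --dports ssh,snmp,1025,3283,5634,5882,28431,31337,31789 -j DROP
# Conntrack INVALID and "NEW" TCP without a lone SYN. STATE_CHK already routes these here; the
# patterns are repeated so packets arriving from SANITY_CHK are classified the same way.
[0:0] -A CUST_LOG -m state --state INVALID -j LOG --log-prefix "INVALID " --log-level 7 --log-tcp-options --log-ip-options
[0:0] -A CUST_LOG -m state --state INVALID -j DROP
[0:0] -A CUST_LOG -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j LOG --log-prefix "INVALID " --log-level 7 --log-tcp-options --log-ip-options
[0:0] -A CUST_LOG -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
# Final catch-all. The LOG is rate-limited so a flood of unsolicited traffic cannot fill syslog;
# the DROP itself is unconditional.
[1474:61044] -A CUST_LOG -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "ALL_ELSE " --log-level 7 --log-tcp-options --log-ip-options
[1474:61044] -A CUST_LOG -j DROP
# ICMP_CHK: rate-limited echo-reply, destination-unreachable (net, host, port, fragmentation
# needed) and time-exceeded are accepted; everything else, including echo-request, is dropped.
[0:0] -A ICMP_CHK -p icmp -m icmp --icmp-type 0 -m limit --limit 1/sec -j ACCEPT
[0:0] -A ICMP_CHK -p icmp -m icmp --icmp-type 3/0 -m limit --limit 1/sec -j ACCEPT
[0:0] -A ICMP_CHK -p icmp -m icmp --icmp-type 3/1 -m limit --limit 1/sec -j ACCEPT
[0:0] -A ICMP_CHK -p icmp -m icmp --icmp-type 3/3 -m limit --limit 1/sec -j ACCEPT
[0:0] -A ICMP_CHK -p icmp -m icmp --icmp-type 3/4 -m limit --limit 1/sec -j ACCEPT
[0:0] -A ICMP_CHK -p icmp -m icmp --icmp-type 11 -m limit --limit 1/sec -j ACCEPT
[0:0] -A ICMP_CHK -j DROP
# SANITY_CHK: hand illegal TCP flag combinations to CUST_LOG; anything else returns to INPUT.
[0:0] -A SANITY_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN -j CUST_LOG
[0:0] -A SANITY_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH -j CUST_LOG
[0:0] -A SANITY_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,ACK -j CUST_LOG
[0:0] -A SANITY_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,PSH -j CUST_LOG
[0:0] -A SANITY_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST -j CUST_LOG
[0:0] -A SANITY_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH -j CUST_LOG
[0:0] -A SANITY_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK -j CUST_LOG
[0:0] -A SANITY_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK -j CUST_LOG
[0:0] -A SANITY_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j CUST_LOG
[0:0] -A SANITY_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j CUST_LOG
[0:0] -A SANITY_CHK -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j CUST_LOG
# SPOOF_CHK: drop packets on a non-lo interface that claim a loopback (127.0.0.0/8) or
# reserved class E (240.0.0.0/5 + 248.0.0.0/5 = 240.0.0.0/4) source address.
[0:0] -A SPOOF_CHK -s 127.0.0.0/255.0.0.0 -j DROP
[0:0] -A SPOOF_CHK -s 240.0.0.0/248.0.0.0 -j DROP
[0:0] -A SPOOF_CHK -s 248.0.0.0/248.0.0.0 -j DROP
# STATE_CHK: accept replies to existing connections; INVALID and non-SYN "new" TCP go to CUST_LOG.
[0:0] -A STATE_CHK -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A STATE_CHK -m state --state INVALID -j CUST_LOG
[0:0] -A STATE_CHK -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j CUST_LOG
# TCP_CHK: services reachable from outside (SMTP, POP3, SSH, HTTP). UDP_CHK is intentionally
# empty, so every unsolicited UDP packet falls through to CUST_LOG.
[0:0] -A TCP_CHK -p tcp -m tcp --dport 25 -j ACCEPT
[0:0] -A TCP_CHK -p tcp -m tcp --dport 110 -j ACCEPT
[0:0] -A TCP_CHK -p tcp -m tcp --dport 22 -j ACCEPT
[0:0] -A TCP_CHK -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT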
dann tipp ein: iptables-restore </dateiname
Und wenn du Rules von Hand hinzufügst, während die Box läuft, dann speichere sie irgendwann mal ab mit iptables-save >/dateiname
Und in deine rc.local trägst du den iptables-restore-Befehl ein, damit er beim Hochfahren ausgeführt wird .. voilà ..
F*U*C*K SuSE FireWall .... sorry.. aber das ding ist nur was für deppen ... trügerische sicherheit ohne zu verstehen was man da genau macht ...