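# (last line of anti-spoofing entry [5]; the rest of that entry precedes
# this excerpt)
NETWORK1_IN_REFUSE_SPOOFING[5]="yes"
# Refuse incoming packets claiming to be from the class C private range
# (192.168.0.0/16). This is entry [6] of the anti-spoofing list.
# Interface 1 and Network 1 are left at "no" because the internal LAN is
# presumably numbered from this range (NETWORK1 is set earlier in the
# file, outside this excerpt) -- confirm. If your LAN does NOT use a
# 192.168.x.x network, set all three flags of entry [6] to "yes" so such
# packets are dropped on the internal side as well:
#   INTERFACE0_IN_REFUSE_SPOOFING[6]="yes"
#   INTERFACE1_IN_REFUSE_SPOOFING[6]="yes"
#   NETWORK1_IN_REFUSE_SPOOFING[6]="yes"
REFUSE_SPOOFING_IPADDR[6]="192.168.0.0/16"
INTERFACE0_IN_REFUSE_SPOOFING[6]="yes"
INTERFACE1_IN_REFUSE_SPOOFING[6]="no"
NETWORK1_IN_REFUSE_SPOOFING[6]="no"
# Refuse incoming packets claiming to be from class D (multicast), class E
# and the unallocated/broadcast space. 224.0.0.0/3 spans
# 224.0.0.0 - 255.255.255.255; refused on every interface and for the
# forwarded LAN traffic.
REFUSE_SPOOFING_IPADDR[7]="224.0.0.0/3"
INTERFACE0_IN_REFUSE_SPOOFING[7]="yes"
INTERFACE1_IN_REFUSE_SPOOFING[7]="yes"
NETWORK1_IN_REFUSE_SPOOFING[7]="yes"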
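# The settings that follow enable or disable individual services. To turn
# a service off, change the corresponding "yes" values to "no" or comment
# the whole fragment out. Fragments for services that are disabled in this
# example can be copied from the reference file
# /lib/giptables/conf/giptables.conf.README
#
# NOTE(review): each ACCEPT_<SERVICE> flag presumably acts as the master
# switch for its section, so the per-interface *_CLIENT / *_SERVER flags
# and address pairs only take effect while it is "yes" -- confirm against
# the giptables scripts before relying on a "no" here.
#*********************************************************************
#                                                                     *
#                            A N Y                                    *
#                                                                     *
#*********************************************************************
# "ANY" presumably matches every protocol and port, bypassing the
# per-service rules below. Keep it "no": switching it on would make the
# service-level filtering in the rest of this file meaningless.
ACCEPT_ANY="no"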
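#*********************************************************************
#                                                                     *
#                            D N S                                    *
#                                                                     *
#*********************************************************************
ACCEPT_DNS="yes"
#---------------------------------------------------------------------
# DNS outgoing client request
#
# Interface 0 DNS outgoing client request.
# The firewall host itself may send queries only to the ISP's two
# resolvers (ISP_PRIMARY_DNS_SERVER / ISP_SECONDARY_DNS_SERVER are
# presumably set earlier in the file, outside this excerpt). Pinning the
# destination instead of using ANY_IPADDR is deliberate: the host cannot
# be made to talk to arbitrary DNS servers. UDP and TCP are both allowed;
# TCP is needed for answers that do not fit in one UDP datagram.
# SPORT53_REQUEST presumably also admits queries sent *from* port 53
# (old-style resolvers); "no" is the conservative choice -- confirm
# against the giptables scripts.
INTERFACE0_DNS_CLIENT="yes"
# entry [0]: primary resolver
INTERFACE0_DNS_OUT_SRC_IPADDR[0]=$INTERFACE0_IPADDR
INTERFACE0_DNS_OUT_DST_IPADDR[0]=$ISP_PRIMARY_DNS_SERVER
INTERFACE0_DNS_OUT_UDP_REQUEST[0]="yes"
INTERFACE0_DNS_OUT_TCP_REQUEST[0]="yes"
INTERFACE0_DNS_OUT_SPORT53_REQUEST[0]="no"
# entry [1]: secondary resolver
INTERFACE0_DNS_OUT_SRC_IPADDR[1]=$INTERFACE0_IPADDR
INTERFACE0_DNS_OUT_DST_IPADDR[1]=$ISP_SECONDARY_DNS_SERVER
INTERFACE0_DNS_OUT_UDP_REQUEST[1]="yes"
INTERFACE0_DNS_OUT_TCP_REQUEST[1]="yes"
INTERFACE0_DNS_OUT_SPORT53_REQUEST[1]="no"
# Network 1 DNS forwarded outgoing client request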
# LAN (Network 1) clients: their queries are forwarded through the
# firewall to the same two ISP resolvers and nowhere else. Both
# transports are accepted; queries with source port 53 are not.
NETWORK1_DNS_CLIENT='yes'
NETWORK1_DNS_OUT_SRC_IPADDR[0]=${NETWORK1}
NETWORK1_DNS_OUT_DST_IPADDR[0]=${ISP_PRIMARY_DNS_SERVER}
NETWORK1_DNS_OUT_UDP_REQUEST[0]='yes'
NETWORK1_DNS_OUT_TCP_REQUEST[0]='yes'
NETWORK1_DNS_OUT_SPORT53_REQUEST[0]='no'
NETWORK1_DNS_OUT_SRC_IPADDR[1]=${NETWORK1}
NETWORK1_DNS_OUT_DST_IPADDR[1]=${ISP_SECONDARY_DNS_SERVER}
NETWORK1_DNS_OUT_UDP_REQUEST[1]='yes'
NETWORK1_DNS_OUT_TCP_REQUEST[1]='yes'
NETWORK1_DNS_OUT_SPORT53_REQUEST[1]='no'
#---------------------------------------------------------------------
# DNS incoming client request
#
# Interface 1 DNS incoming client request.
# The firewall does not answer DNS for the LAN: the server flag is "no",
# so the two address pairs below (LAN -> external address, LAN ->
# internal address) are presumably inert until it is switched on. LAN
# hosts therefore have to use the ISP resolvers directly, which the
# forwarded rules above permit.
INTERFACE1_DNS_SERVER='no'
INTERFACE1_DNS_IN_SRC_IPADDR[0]=${NETWORK1}
INTERFACE1_DNS_IN_DST_IPADDR[0]=${INTERFACE0_IPADDR}
INTERFACE1_DNS_IN_UDP_REQUEST[0]='yes'
INTERFACE1_DNS_IN_TCP_REQUEST[0]='yes'
INTERFACE1_DNS_IN_SPORT53_REQUEST[0]='no'
INTERFACE1_DNS_IN_SRC_IPADDR[1]=${NETWORK1}
INTERFACE1_DNS_IN_DST_IPADDR[1]=${INTERFACE1_IPADDR}
INTERFACE1_DNS_IN_UDP_REQUEST[1]='yes'
INTERFACE1_DNS_IN_TCP_REQUEST[1]='yes'
INTERFACE1_DNS_IN_SPORT53_REQUEST[1]='no'
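#*********************************************************************
#                                                                     *
#                            F T P                                    *
#                                                                     *
#*********************************************************************
# FTP carries credentials and data in cleartext. It is enabled here, but
# the example keeps the server LAN-facing (see the incoming section) and
# allows only passive mode towards the Internet. Prefer SFTP/SCP over
# SSH where the other end supports it.
ACCEPT_FTP="yes"
#---------------------------------------------------------------------
# FTP outgoing client request
#
# Interface 0 FTP outgoing client request: the firewall host may reach
# any FTP server on the Internet, passive mode only. Active mode is
# refused outbound, presumably because it needs the remote server to
# open the data connection back towards the client -- something an
# external host should not be allowed to initiate.
# NOTE: "PASIVE" is the name GIPTables reads; the spelling is part of its
# interface -- do not "correct" it.
INTERFACE0_FTP_CLIENT="yes"
INTERFACE0_FTP_OUT_SRC_IPADDR[0]=$INTERFACE0_IPADDR
INTERFACE0_FTP_OUT_DST_IPADDR[0]=$ANY_IPADDR
INTERFACE0_FTP_OUT_PASIVE[0]="yes"
INTERFACE0_FTP_OUT_ACTIVE[0]="no"
# Interface 1 FTP outgoing client request: towards LAN servers only, in
# both passive and active mode.
INTERFACE1_FTP_CLIENT="yes"
INTERFACE1_FTP_OUT_SRC_IPADDR[0]=$INTERFACE1_IPADDR
INTERFACE1_FTP_OUT_DST_IPADDR[0]=$NETWORK1
INTERFACE1_FTP_OUT_PASIVE[0]="yes"
INTERFACE1_FTP_OUT_ACTIVE[0]="yes"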
# Network 1 FTP forwarded outgoing client request: LAN hosts may use any
# Internet FTP server, passive mode only (active mode would require the
# remote server to connect back into the LAN).
NETWORK1_FTP_CLIENT='yes'
NETWORK1_FTP_OUT_SRC_IPADDR[0]=${NETWORK1}
NETWORK1_FTP_OUT_DST_IPADDR[0]=${ANY_IPADDR}
NETWORK1_FTP_OUT_PASIVE[0]='yes'
NETWORK1_FTP_OUT_ACTIVE[0]='no'
#---------------------------------------------------------------------
# FTP incoming client request
#
# Interface 1 FTP incoming client request: an FTP server on the firewall
# is reachable from the LAN only, on either of the firewall's addresses
# ([0] external, [1] internal), passive and active. Nothing here opens
# FTP to the Internet. Remember the service itself is cleartext: LAN
# users' FTP passwords are visible to anyone sniffing the internal
# segment.
INTERFACE1_FTP_SERVER='yes'
INTERFACE1_FTP_IN_SRC_IPADDR[0]=${NETWORK1}
INTERFACE1_FTP_IN_DST_IPADDR[0]=${INTERFACE0_IPADDR}
INTERFACE1_FTP_IN_PASIVE[0]='yes'
INTERFACE1_FTP_IN_ACTIVE[0]='yes'
INTERFACE1_FTP_IN_SRC_IPADDR[1]=${NETWORK1}
INTERFACE1_FTP_IN_DST_IPADDR[1]=${INTERFACE1_IPADDR}
INTERFACE1_FTP_IN_PASIVE[1]='yes'
INTERFACE1_FTP_IN_ACTIVE[1]='yes'
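#*********************************************************************
#                                                                     *
#                            S S H                                    *
#                                                                     *
#*********************************************************************
ACCEPT_SSH="yes"
#---------------------------------------------------------------------
# SSH outgoing client request
#
# Interface 0 SSH outgoing client request: the firewall host may open
# SSH sessions to any Internet address.
INTERFACE0_SSH_CLIENT="yes"
INTERFACE0_SSH_OUT_SRC_IPADDR[0]=$INTERFACE0_IPADDR
INTERFACE0_SSH_OUT_DST_IPADDR[0]=$ANY_IPADDR
# Interface 1 SSH outgoing client request: from the firewall to LAN hosts.
INTERFACE1_SSH_CLIENT="yes"
INTERFACE1_SSH_OUT_SRC_IPADDR[0]=$INTERFACE1_IPADDR
INTERFACE1_SSH_OUT_DST_IPADDR[0]=$NETWORK1
# Network 1 SSH forwarded outgoing client request: LAN hosts may SSH to
# anywhere on the Internet through the firewall. Narrow
# NETWORK1_SSH_OUT_DST_IPADDR[0] if LAN users should only reach known
# hosts (outbound SSH is also a convenient tunnel for exfiltration).
NETWORK1_SSH_CLIENT="yes"
NETWORK1_SSH_OUT_SRC_IPADDR[0]=$NETWORK1
NETWORK1_SSH_OUT_DST_IPADDR[0]=$ANY_IPADDR
#---------------------------------------------------------------------
# SSH incoming client request
#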
# Interface 0 SSH incoming client request.
# SECURITY: the external sshd is reachable from ANY_IPADDR, i.e. the whole
# Internet. That exposes the firewall's own SSH daemon to password
# guessing and to any sshd vulnerability. If administration comes from a
# fixed set of addresses, put that address or netblock in
# INTERFACE0_SSH_IN_SRC_IPADDR[0] instead of ANY_IPADDR (additional
# [1], [2], ... pairs can be added, as the other sections do), and keep
# sshd itself hardened (key-only authentication, no root login).
INTERFACE0_SSH_SERVER='yes'
INTERFACE0_SSH_IN_SRC_IPADDR[0]=${ANY_IPADDR}
INTERFACE0_SSH_IN_DST_IPADDR[0]=${INTERFACE0_IPADDR}
# Interface 1 SSH incoming client request: LAN hosts may reach sshd on
# either of the firewall's addresses.
INTERFACE1_SSH_SERVER='yes'
INTERFACE1_SSH_IN_SRC_IPADDR[0]=${NETWORK1}
INTERFACE1_SSH_IN_DST_IPADDR[0]=${INTERFACE0_IPADDR}
INTERFACE1_SSH_IN_SRC_IPADDR[1]=${NETWORK1}
INTERFACE1_SSH_IN_DST_IPADDR[1]=${INTERFACE1_IPADDR}
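#*********************************************************************
#                                                                     *
#                         T E L N E T                                 *
#                                                                     *
#*********************************************************************
# Telnet sends passwords and session data in cleartext; it stays off.
# The per-interface entries below are retained as a template and are
# presumably inert while ACCEPT_TELNET is "no" -- confirm against the
# giptables scripts. Use SSH instead.
ACCEPT_TELNET="no"
#---------------------------------------------------------------------
# TELNET outgoing client request
#
# Interface 0 TELNET outgoing client request
INTERFACE0_TELNET_CLIENT="yes"
INTERFACE0_TELNET_OUT_SRC_IPADDR[0]=$INTERFACE0_IPADDR
INTERFACE0_TELNET_OUT_DST_IPADDR[0]=$ANY_IPADDR
# Interface 1 TELNET outgoing client request
INTERFACE1_TELNET_CLIENT="yes"
INTERFACE1_TELNET_OUT_SRC_IPADDR[0]=$INTERFACE1_IPADDR
INTERFACE1_TELNET_OUT_DST_IPADDR[0]=$NETWORK1
# Network 1 TELNET forwarded outgoing client request
NETWORK1_TELNET_CLIENT="yes"
NETWORK1_TELNET_OUT_SRC_IPADDR[0]=$NETWORK1
NETWORK1_TELNET_OUT_DST_IPADDR[0]=$ANY_IPADDR
#---------------------------------------------------------------------
# TELNET incoming client request
#
# Interface 1 TELNET incoming client request: no telnet server is
# offered, not even to the LAN.
INTERFACE1_TELNET_SERVER="no"
INTERFACE1_TELNET_IN_SRC_IPADDR[0]=$NETWORK1
INTERFACE1_TELNET_IN_DST_IPADDR[0]=$INTERFACE0_IPADDR
INTERFACE1_TELNET_IN_SRC_IPADDR[1]=$NETWORK1
INTERFACE1_TELNET_IN_DST_IPADDR[1]=$INTERFACE1_IPADDR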
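#*********************************************************************
#                                                                     *
#                        T E L N E T S                                *
#                                                                     *
#*********************************************************************
# Telnet over SSL. Disabled, and no per-interface entries are defined for
# it in this example; SSH already covers remote shell access.
ACCEPT_TELNETS="no"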
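#*********************************************************************
#                                                                     *
#                           S M T P                                   *
#                                                                     *
#*********************************************************************
ACCEPT_SMTP="yes"
#---------------------------------------------------------------------
# SMTP outgoing client request
#
# Interface 0 SMTP outgoing client request: the firewall host may deliver
# mail to any Internet address.
INTERFACE0_SMTP_CLIENT="yes"
INTERFACE0_SMTP_OUT_SRC_IPADDR[0]=$INTERFACE0_IPADDR
INTERFACE0_SMTP_OUT_DST_IPADDR[0]=$ANY_IPADDR
# Network 1 SMTP forwarded outgoing client request.
# SECURITY: with DST = ANY_IPADDR every LAN host can speak SMTP directly
# to any server on the Internet, which is exactly what a spam bot or
# mass-mailing malware on a compromised workstation needs. If the site
# has a mail relay or uses the ISP's smarthost, point
# NETWORK1_SMTP_OUT_DST_IPADDR[0] at that host instead of ANY_IPADDR.
NETWORK1_SMTP_CLIENT="yes"
NETWORK1_SMTP_OUT_SRC_IPADDR[0]=$NETWORK1
NETWORK1_SMTP_OUT_DST_IPADDR[0]=$ANY_IPADDR
#---------------------------------------------------------------------
# SMTP incoming client request
#
# Interface 0 SMTP incoming client request: no mail is accepted from the
# Internet (the address pair is kept for when the flag is switched on).
INTERFACE0_SMTP_SERVER="no"
INTERFACE0_SMTP_IN_SRC_IPADDR[0]=$ANY_IPADDR
INTERFACE0_SMTP_IN_DST_IPADDR[0]=$INTERFACE0_IPADDR
# Interface 1 SMTP incoming client request: none from the LAN either.
INTERFACE1_SMTP_SERVER="no"
INTERFACE1_SMTP_IN_SRC_IPADDR[0]=$NETWORK1
INTERFACE1_SMTP_IN_DST_IPADDR[0]=$INTERFACE1_IPADDR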
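#*********************************************************************
#                                                                     *
#                          S M T P S                                  *
#                                                                     *
#*********************************************************************
# SMTP over SSL/TLS (port 465) is off while plain SMTP above is on. If
# your mail clients or relay support TLS, the safer combination is the
# reverse of this example: allow SMTPS and restrict cleartext SMTP.
ACCEPT_SMTPS="no"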
#*********************************************************************
#                                                                     *
#                           P O P 3                                   *
#                                                                     *
#*********************************************************************
# Cleartext POP3 is allowed for LAN clients while POP3S (next section) is
# disabled, so mailbox passwords leave the LAN unencrypted. Where the
# mail provider offers POP3S, enable that section and turn this one off.
ACCEPT_POP3='yes'
#---------------------------------------------------------------------
# POP3 outgoing client request
#
# Network 1 POP3 forwarded outgoing client request: LAN hosts may fetch
# mail from any POP3 server on the Internet.
NETWORK1_POP3_CLIENT='yes'
NETWORK1_POP3_OUT_SRC_IPADDR[0]=${NETWORK1}
NETWORK1_POP3_OUT_DST_IPADDR[0]=${ANY_IPADDR}
#---------------------------------------------------------------------
# POP3 incoming client request
#
# Interface 0 POP3 incoming client request: no POP3 server is exposed to
# the Internet.
INTERFACE0_POP3_SERVER='no'
INTERFACE0_POP3_IN_SRC_IPADDR[0]=${ANY_IPADDR}
INTERFACE0_POP3_IN_DST_IPADDR[0]=${INTERFACE0_IPADDR}
# Interface 1 POP3 incoming client request: nor to the LAN, on either of
# the firewall's addresses.
INTERFACE1_POP3_SERVER='no'
INTERFACE1_POP3_IN_SRC_IPADDR[0]=${NETWORK1}
INTERFACE1_POP3_IN_DST_IPADDR[0]=${INTERFACE0_IPADDR}
INTERFACE1_POP3_IN_SRC_IPADDR[1]=${NETWORK1}
INTERFACE1_POP3_IN_DST_IPADDR[1]=${INTERFACE1_IPADDR}
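#*********************************************************************
#                                                                     *
#                          P O P 3 S                                  *
#                                                                     *
#*********************************************************************
# POP3 over SSL/TLS (port 995). Off in this example, although the entries
# below are ready: switching this to "yes" (and ACCEPT_POP3 to "no") is
# the preferred setup when the mail provider supports it, since it keeps
# mailbox credentials off the wire in cleartext.
ACCEPT_POP3S="no"
#---------------------------------------------------------------------
# POP3S outgoing client request
#
# Network 1 POP3S forwarded outgoing client request: LAN hosts to any
# POP3S server on the Internet.
NETWORK1_POP3S_CLIENT="yes"
NETWORK1_POP3S_OUT_SRC_IPADDR[0]=$NETWORK1
NETWORK1_POP3S_OUT_DST_IPADDR[0]=$ANY_IPADDR
#---------------------------------------------------------------------
# POP3S incoming client request
#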
# Interface 0 POP3S incoming client request: no POP3S server is exposed
# to the Internet.
INTERFACE0_POP3S_SERVER='no'
INTERFACE0_POP3S_IN_SRC_IPADDR[0]=${ANY_IPADDR}
INTERFACE0_POP3S_IN_DST_IPADDR[0]=${INTERFACE0_IPADDR}
# Interface 1 POP3S incoming client request: nor to the LAN, on either of
# the firewall's addresses.
INTERFACE1_POP3S_SERVER='no'
INTERFACE1_POP3S_IN_SRC_IPADDR[0]=${NETWORK1}
INTERFACE1_POP3S_IN_DST_IPADDR[0]=${INTERFACE0_IPADDR}
INTERFACE1_POP3S_IN_SRC_IPADDR[1]=${NETWORK1}
INTERFACE1_POP3S_IN_DST_IPADDR[1]=${INTERFACE1_IPADDR}
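#*********************************************************************
#                                                                     *
#                           I M A P                                   *
#                                                                     *
#*********************************************************************
# Cleartext IMAP is allowed for LAN clients while IMAPS (next section)
# is off, so mailbox passwords cross the Internet unencrypted. Prefer
# IMAPS where the provider supports it.
ACCEPT_IMAP="yes"
#---------------------------------------------------------------------
# IMAP outgoing client request
#
# Network 1 IMAP forwarded outgoing client request: LAN hosts to any IMAP
# server on the Internet.
NETWORK1_IMAP_CLIENT="yes"
NETWORK1_IMAP_OUT_SRC_IPADDR[0]=$NETWORK1
NETWORK1_IMAP_OUT_DST_IPADDR[0]=$ANY_IPADDR
#---------------------------------------------------------------------
# IMAP incoming client request
#
# Interface 0 IMAP incoming client request: no IMAP server is exposed to
# the Internet.
INTERFACE0_IMAP_SERVER="no"
INTERFACE0_IMAP_IN_SRC_IPADDR[0]=$ANY_IPADDR
INTERFACE0_IMAP_IN_DST_IPADDR[0]=$INTERFACE0_IPADDR
# Interface 1 IMAP incoming client request: nor to the LAN, on either of
# the firewall's addresses.
INTERFACE1_IMAP_SERVER="no"
INTERFACE1_IMAP_IN_SRC_IPADDR[0]=$NETWORK1
INTERFACE1_IMAP_IN_DST_IPADDR[0]=$INTERFACE0_IPADDR
INTERFACE1_IMAP_IN_SRC_IPADDR[1]=$NETWORK1
INTERFACE1_IMAP_IN_DST_IPADDR[1]=$INTERFACE1_IPADDR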
#*********************************************************************
#                                                                     *
#                          I M A P S                                  *
#                                                                     *
#*********************************************************************
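# IMAP over SSL/TLS (port 993). Off in this example although the entries
# below are ready; enabling it (and disabling cleartext IMAP) is the
# preferred setup when the mail provider supports TLS.
ACCEPT_IMAPS="no"
#---------------------------------------------------------------------
# IMAPS outgoing client request
#
# Network 1 IMAPS forwarded outgoing client request: LAN hosts to any
# IMAPS server on the Internet.
NETWORK1_IMAPS_CLIENT="yes"
NETWORK1_IMAPS_OUT_SRC_IPADDR[0]=$NETWORK1
NETWORK1_IMAPS_OUT_DST_IPADDR[0]=$ANY_IPADDR
#---------------------------------------------------------------------
# IMAPS incoming client request
#
# Interface 0 IMAPS incoming client request: no IMAPS server is exposed
# to the Internet.
INTERFACE0_IMAPS_SERVER="no"
INTERFACE0_IMAPS_IN_SRC_IPADDR[0]=$ANY_IPADDR
INTERFACE0_IMAPS_IN_DST_IPADDR[0]=$INTERFACE0_IPADDR
# Interface 1 IMAPS incoming client request: nor to the LAN, on either of
# the firewall's addresses.
INTERFACE1_IMAPS_SERVER="no"
INTERFACE1_IMAPS_IN_SRC_IPADDR[0]=$NETWORK1
INTERFACE1_IMAPS_IN_DST_IPADDR[0]=$INTERFACE0_IPADDR
INTERFACE1_IMAPS_IN_SRC_IPADDR[1]=$NETWORK1
INTERFACE1_IMAPS_IN_DST_IPADDR[1]=$INTERFACE1_IPADDR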
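#*********************************************************************
#                                                                     *
#                           H T T P                                   *
#                                                                     *
#*********************************************************************
ACCEPT_HTTP="yes"
#---------------------------------------------------------------------
# HTTP outgoing client request
#
# Network 1 HTTP forwarded outgoing client request: LAN hosts browse the
# Internet directly through the firewall; no proxy is in the path
# (ACCEPT_SQUID and ACCEPT_WEBCACHE are "no" further down). Note there
# is no INTERFACE0_HTTP_CLIENT entry in this example, so the firewall
# host itself is not granted outbound HTTP here.
NETWORK1_HTTP_CLIENT="yes"
NETWORK1_HTTP_OUT_SRC_IPADDR[0]=$NETWORK1
NETWORK1_HTTP_OUT_DST_IPADDR[0]=$ANY_IPADDR
#---------------------------------------------------------------------
# HTTP incoming client request
#
# Interface 0 HTTP incoming client request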
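# No web server on the firewall is exposed to the Internet.
INTERFACE0_HTTP_SERVER="no"
INTERFACE0_HTTP_IN_SRC_IPADDR[0]=$ANY_IPADDR
INTERFACE0_HTTP_IN_DST_IPADDR[0]=$INTERFACE0_IPADDR
# Interface 1 HTTP incoming client request: nor to the LAN, on either of
# the firewall's addresses.
INTERFACE1_HTTP_SERVER="no"
INTERFACE1_HTTP_IN_SRC_IPADDR[0]=$NETWORK1
INTERFACE1_HTTP_IN_DST_IPADDR[0]=$INTERFACE0_IPADDR
INTERFACE1_HTTP_IN_SRC_IPADDR[1]=$NETWORK1
INTERFACE1_HTTP_IN_DST_IPADDR[1]=$INTERFACE1_IPADDR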
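#*********************************************************************
#                                                                     *
#                          H T T P S                                  *
#                                                                     *
#*********************************************************************
ACCEPT_HTTPS="yes"
#---------------------------------------------------------------------
# HTTPS outgoing client request
#
# Network 1 HTTPS forwarded outgoing client request: LAN hosts to any
# HTTPS server on the Internet. As with HTTP, the firewall host itself
# has no INTERFACE0 client entry in this example.
NETWORK1_HTTPS_CLIENT="yes"
NETWORK1_HTTPS_OUT_SRC_IPADDR[0]=$NETWORK1
NETWORK1_HTTPS_OUT_DST_IPADDR[0]=$ANY_IPADDR
#---------------------------------------------------------------------
# HTTPS incoming client request
#
# Interface 0 HTTPS incoming client request: no HTTPS server is exposed
# to the Internet.
INTERFACE0_HTTPS_SERVER="no"
INTERFACE0_HTTPS_IN_SRC_IPADDR[0]=$ANY_IPADDR
INTERFACE0_HTTPS_IN_DST_IPADDR[0]=$INTERFACE0_IPADDR
# Interface 1 HTTPS incoming client request: nor to the LAN, on either
# of the firewall's addresses.
INTERFACE1_HTTPS_SERVER="no"
INTERFACE1_HTTPS_IN_SRC_IPADDR[0]=$NETWORK1
INTERFACE1_HTTPS_IN_DST_IPADDR[0]=$INTERFACE0_IPADDR
INTERFACE1_HTTPS_IN_SRC_IPADDR[1]=$NETWORK1
INTERFACE1_HTTPS_IN_DST_IPADDR[1]=$INTERFACE1_IPADDR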
#*********************************************************************
#                                                                     *
#                          S Q U I D                                  *
#                                                                     *
#*********************************************************************
ACCEPT_SQUID="no" # Squid in Proxy-Caching Mode
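#*********************************************************************
#                                                                     *
#                       W E B C A C H E                               *
#                                                                     *
#*********************************************************************
# Squid in HTTPD-Accelerator Mode. Off here; the entries below are kept
# as a template and are presumably inert while the master flag is "no"
# -- confirm against the giptables scripts.
ACCEPT_WEBCACHE="no"
#---------------------------------------------------------------------
# WEBCACHE outgoing client request
#
# Network 1 WEBCACHE forwarded outgoing client request
NETWORK1_WEBCACHE_CLIENT="yes"
NETWORK1_WEBCACHE_OUT_SRC_IPADDR[0]=$NETWORK1
NETWORK1_WEBCACHE_OUT_DST_IPADDR[0]=$ANY_IPADDR
#---------------------------------------------------------------------
# WEBCACHE incoming client request
#
# Interface 0 WEBCACHE incoming client request
INTERFACE0_WEBCACHE_SERVER="no"
INTERFACE0_WEBCACHE_IN_SRC_IPADDR[0]=$ANY_IPADDR
INTERFACE0_WEBCACHE_IN_DST_IPADDR[0]=$INTERFACE0_IPADDR
# Interface 1 WEBCACHE incoming client request
INTERFACE1_WEBCACHE_SERVER="no"
INTERFACE1_WEBCACHE_IN_SRC_IPADDR[0]=$NETWORK1
INTERFACE1_WEBCACHE_IN_DST_IPADDR[0]=$INTERFACE0_IPADDR
INTERFACE1_WEBCACHE_IN_SRC_IPADDR[1]=$NETWORK1
INTERFACE1_WEBCACHE_IN_DST_IPADDR[1]=$INTERFACE1_IPADDR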
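#*********************************************************************
#                                                                     *
#                          S O C K S                                  *
#                                                                     *
#*********************************************************************
# SOCKS proxy traffic is not allowed; no per-interface entries are
# defined for it in this example. A generic SOCKS relay would let LAN
# hosts tunnel arbitrary protocols past the per-service rules above, so
# leave this off unless a SOCKS server is deliberately deployed.
ACCEPT_SOCKS="no"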
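#*********************************************************************
#                                                                     *
#                           N N T P                                   *
#                                                                     *
#*********************************************************************
# Usenet news (NNTP) is enabled. The per-interface client/server entries
# for it are not part of this excerpt; the section presumably continues
# on the next page. NNTP is a cleartext protocol -- if it is not actually
# used at the site, set this to "no".
ACCEPT_NNTP="yes"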
