*Empty MediaWiki Message*

2014-01-11 19:36:32 +00:00 · 2014-01-11 19:36:32 +00:00 · b1a65b64a6
commit b1a65b64a6
parent 6ad0ee95b2
1 changed files with 199 additions and 0 deletions
--- a/Server%2Fglobal.mw
+++ b/Server%2Fglobal.mw
@ -368,3 +368,202 @@ Jan 11 06:11:43  Jan 11 16:11:42  DNS/global.space.c3d2.de@SPACE.C3D2.DE
 </pre>

 '''Thats it!'''
+
+== Server Optimierungen ==
+
+=== Firefall: IPv6 Rules ===
+
+<pre>
+sudo apt-get install iptables
+</pre>
+
+<pre>
+sudo vi /root/set_firewall_ipv6.sh
+</pre>
+
+<pre>
+#!/bin/bash
+# A bash shell script for ip6tables to protect single hosting / dedicated / vps / colo server running CentOS / Debian / RHEL / or any other Linux distribution.
+# -------------------------------------------------------------------------
+# Copyright (c) 2007 nixCraft project <http://www.cyberciti.biz/fb/>
+# This script is licensed under GNU GPL version 2.0 or above
+# -------------------------------------------------------------------------
+# This script is part of nixCraft shell script collection (NSSC)
+# Visit http://bash.cyberciti.biz/ for more information.
+# ----------------------------------------------------------------------
+# Last updated on Jan-23, 2008 : Added support for tcp packets
+# Last updated on Oct-01, 2012 : Daniel Plominski (PLITC)
+# ---------------------------------------------------------------------------
+IPT6="/sbin/ip6tables"
+ 
+# Interfaces 
+PUB_IF="eth0"
+PUB_LO="lo0"
+### PUB_ETH1="eth1"
+### PUB_ETH2="eth2"
+### PUB_ETH3="eth3"
+ 
+# Custom chain names
+CHAINS="chk_tcp6_packets_chain chk_tcp_inbound chk_udp_inbound chk_icmp_packets"
+ 
+echo "Starting IPv6 firewall..."
+# first clean old mess
+$IPT6 -F
+$IPT6 -X
+$IPT6 -Z
+for table in $(</proc/net/ip6_tables_names)
+do
+        $IPT6 -t $table -F
+        $IPT6 -t $table -X
+        $IPT6 -t $table -Z
+done
+$IPT6 -P INPUT ACCEPT
+$IPT6 -P OUTPUT ACCEPT
+$IPT6 -P FORWARD ACCEPT
+ 
+# Set default DROP all
+$IPT6 -P INPUT DROP
+$IPT6 -P OUTPUT DROP
+$IPT6 -P FORWARD DROP
+ 
+# Create the chain 
+for c in $CHAINS
+  do $IPT6 --new-chain $c
+done
+ 
+# Input policy
+$IPT6 -A INPUT -i $PUB_LO -j ACCEPT
+### $IPT6 -A INPUT -i $PUB_ETH1 -j ACCEPT
+### $IPT6 -A INPUT -i $PUB_ETH2 -j ACCEPT
+### $IPT6 -A INPUT -i $PUB_ETH3 -j ACCEPT
+$IPT6 -A INPUT -i $PUB_IF -j  chk_tcp6_packets_chain
+$IPT6 -A INPUT -i $PUB_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
+$IPT6 -A INPUT -i $PUB_IF -p tcp -j chk_tcp_inbound 
+$IPT6 -A INPUT -i $PUB_IF -p udp -j chk_udp_inbound 
+$IPT6 -A INPUT -i $PUB_IF -p icmp -j chk_icmp_packets 
+$IPT6 -A INPUT -i $PUB_IF -p ipv6-icmp -j chk_icmp_packets   
+$IPT6 -A INPUT -i $PUB_IF -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "INPUT OUTPUT "
+$IPT6 -A INPUT -i $PUB_IF -j DROP
+ 
+# Output policy
+$IPT6 -A OUTPUT -o $PUB_LO -j ACCEPT
+### $IPT6 -A OUTPUT -o $PUB_ETH1 -j ACCEPT
+### $IPT6 -A OUTPUT -o $PUB_ETH2 -j ACCEPT
+### $IPT6 -A OUTPUT -o $PUB_ETH3 -j ACCEPT
+$IPT6 -A OUTPUT -o $PUB_IF -j ACCEPT 
+$IPT6 -A OUTPUT -o $PUB_IF -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "DROP OUTPUT "
+ 
+### Custom chains ###
+# Bad packets chk 
+$IPT6 -A chk_tcp6_packets_chain -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "Bad tcp packets" 
+$IPT6 -A chk_tcp6_packets_chain -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP 
+$IPT6 -A chk_tcp6_packets_chain -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "Bad tcp packets" 
+$IPT6 -A chk_tcp6_packets_chain -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP 
+$IPT6 -A chk_tcp6_packets_chain -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "BAD tcp" 
+$IPT6 -A chk_tcp6_packets_chain -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP 
+$IPT6 -A chk_tcp6_packets_chain -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "Bad tcp" 
+$IPT6 -A chk_tcp6_packets_chain -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP 
+$IPT6 -A chk_tcp6_packets_chain -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "Bad tcp " 
+$IPT6 -A chk_tcp6_packets_chain -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP 
+$IPT6 -A chk_tcp6_packets_chain -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "Bad tcp " 
+$IPT6 -A chk_tcp6_packets_chain -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP 
+$IPT6 -A chk_tcp6_packets_chain -p tcp -j RETURN 
+ 
+### ### ### C3D2 ### ### ###
+
+# Global - SSH
+$IPT6 -A chk_tcp_inbound -p tcp -m tcp --dport 22 -j ACCEPT
+# Global - DNS
+$IPT6 -A chk_tcp_inbound -p tcp -m tcp --dport 53 -j ACCEPT
+# Global - Kerberos Auth
+$IPT6 -A chk_tcp_inbound -p tcp -m tcp --dport 88 -j ACCEPT
+# Global - NetBIOS Name
+$IPT6 -A chk_tcp_inbound -p tcp -m tcp --dport 137 -j ACCEPT
+# Global - NetBIOS Datagram
+$IPT6 -A chk_tcp_inbound -p tcp -m tcp --dport 138 -j ACCEPT
+# Global - NetBIOS Session
+$IPT6 -A chk_tcp_inbound -p tcp -m tcp --dport 139 -j ACCEPT
+# Global - LDAP
+$IPT6 -A chk_tcp_inbound -p tcp -m tcp --dport 389 -j ACCEPT
+# Global - CIFS
+$IPT6 -A chk_tcp_inbound -p tcp -m tcp --dport 445 -j ACCEPT
+# Global - Kerberos Change/Set Password
+$IPT6 -A chk_tcp_inbound -p tcp -m tcp --dport 464 -j ACCEPT
+# Global - Microsoft EPMAP - DCE/RPC
+$IPT6 -A chk_tcp_inbound -p tcp -m tcp --dport 135 -j ACCEPT
+# Global - LDAPS
+$IPT6 -A chk_tcp_inbound -p tcp -m tcp --dport 636 -j ACCEPT
+# Global - Kerberos Admin
+$IPT6 -A chk_tcp_inbound -p tcp -m tcp --dport 749 -j ACCEPT
+# Global - reserved
+$IPT6 -A chk_tcp_inbound -p tcp -m tcp --dport 1024 -j ACCEPT
+# Global - msft-gc
+$IPT6 -A chk_tcp_inbound -p tcp -m tcp --dport 3268 -j ACCEPT
+# Global - msft-gc-ssl
+$IPT6 -A chk_tcp_inbound -p tcp -m tcp --dport 3269 -j ACCEPT
+
+###############################
+# do not modify following rule
+$IPT6 -A chk_tcp_inbound -p tcp -j RETURN
+###############################
+#
+### ### ### C3D2 ### ### ###
+
+### ### ### C3D2 ### ### ###
+
+# Global - DNS
+$IPT6 -A chk_tcp_inbound -p udp -m udp --dport 53 -j ACCEPT
+# Global - Kerberos Auth
+$IPT6 -A chk_tcp_inbound -p udp -m udp --dport 88 -j ACCEPT
+# Global - NetBIOS Name
+$IPT6 -A chk_tcp_inbound -p udp -m udp --dport 137 -j ACCEPT
+# Global - NetBIOS Datagram
+$IPT6 -A chk_tcp_inbound -p udp -m udp --dport 138 -j ACCEPT
+# Global - NetBIOS Session
+$IPT6 -A chk_tcp_inbound -p udp -m udp --dport 139 -j ACCEPT
+# Global - LDAP
+$IPT6 -A chk_tcp_inbound -p udp -m udp --dport 389 -j ACCEPT
+# Global - CIFS
+$IPT6 -A chk_tcp_inbound -p udp -m udp --dport 445 -j ACCEPT
+# Global - Kerberos Change/Set Password
+$IPT6 -A chk_tcp_inbound -p udp -m udp --dport 464 -j ACCEPT
+
+###############################
+# do not modify following rule
+$IPT6 -A chk_udp_inbound -p udp -j RETURN
+############################### 
+ 
+# ICMP - allow ping pong
+$IPT6 -A chk_icmp_packets -p ipv6-icmp -j ACCEPT 
+$IPT6 -A chk_icmp_packets -p icmp -j RETURN
+
+### ### ### C3D2 ### ### ###
+# EOF
+</pre>
+
+<pre>
+sudo chmod 555 /root/set_firewall_ipv6.sh
+sudo chattr +i /root/set_firewall_ipv6.sh
+</pre>
+
+<pre>
+vi /etc/rc.local
+</pre>
+
+<pre>
+#!/bin/sh -e
+#
+/root/set_firewall_ipv6.sh
+#
+exit 0
+</pre>
+
+=== Firewallregeln aktivieren ===
+
+<pre>
+/root/set_firewall_ipv6.sh
+</pre>
+
+<pre>
+ip6tables -S
+</pre>