*Empty MediaWiki Message*
parent
6ad0ee95b2
commit
b1a65b64a6
|
@ -368,3 +368,202 @@ Jan 11 06:11:43 Jan 11 16:11:42 DNS/global.space.c3d2.de@SPACE.C3D2.DE
|
|||
</pre>
|
||||
|
||||
'''Thats it!'''
|
||||
|
||||
== Server Optimierungen ==
|
||||
|
||||
=== Firefall: IPv6 Rules ===
|
||||
|
||||
<pre>
|
||||
sudo apt-get install iptables
|
||||
</pre>
|
||||
|
||||
<pre>
|
||||
sudo vi /root/set_firewall_ipv6.sh
|
||||
</pre>
|
||||
|
||||
<pre>
|
||||
#!/bin/bash
|
||||
# A bash shell script for ip6tables to protect single hosting / dedicated / vps / colo server running CentOS / Debian / RHEL / or any other Linux distribution.
|
||||
# -------------------------------------------------------------------------
|
||||
# Copyright (c) 2007 nixCraft project <http://www.cyberciti.biz/fb/>
|
||||
# This script is licensed under GNU GPL version 2.0 or above
|
||||
# -------------------------------------------------------------------------
|
||||
# This script is part of nixCraft shell script collection (NSSC)
|
||||
# Visit http://bash.cyberciti.biz/ for more information.
|
||||
# ----------------------------------------------------------------------
|
||||
# Last updated on Jan-23, 2008 : Added support for tcp packets
|
||||
# Last updated on Oct-01, 2012 : Daniel Plominski (PLITC)
|
||||
# ---------------------------------------------------------------------------
|
||||
IPT6="/sbin/ip6tables"
|
||||
|
||||
# Interfaces
|
||||
PUB_IF="eth0"
|
||||
PUB_LO="lo0"
|
||||
### PUB_ETH1="eth1"
|
||||
### PUB_ETH2="eth2"
|
||||
### PUB_ETH3="eth3"
|
||||
|
||||
# Custom chain names
|
||||
CHAINS="chk_tcp6_packets_chain chk_tcp_inbound chk_udp_inbound chk_icmp_packets"
|
||||
|
||||
echo "Starting IPv6 firewall..."
|
||||
# first clean old mess
|
||||
$IPT6 -F
|
||||
$IPT6 -X
|
||||
$IPT6 -Z
|
||||
for table in $(</proc/net/ip6_tables_names)
|
||||
do
|
||||
$IPT6 -t $table -F
|
||||
$IPT6 -t $table -X
|
||||
$IPT6 -t $table -Z
|
||||
done
|
||||
$IPT6 -P INPUT ACCEPT
|
||||
$IPT6 -P OUTPUT ACCEPT
|
||||
$IPT6 -P FORWARD ACCEPT
|
||||
|
||||
# Set default DROP all
|
||||
$IPT6 -P INPUT DROP
|
||||
$IPT6 -P OUTPUT DROP
|
||||
$IPT6 -P FORWARD DROP
|
||||
|
||||
# Create the chain
|
||||
for c in $CHAINS
|
||||
do $IPT6 --new-chain $c
|
||||
done
|
||||
|
||||
# Input policy
|
||||
$IPT6 -A INPUT -i $PUB_LO -j ACCEPT
|
||||
### $IPT6 -A INPUT -i $PUB_ETH1 -j ACCEPT
|
||||
### $IPT6 -A INPUT -i $PUB_ETH2 -j ACCEPT
|
||||
### $IPT6 -A INPUT -i $PUB_ETH3 -j ACCEPT
|
||||
$IPT6 -A INPUT -i $PUB_IF -j chk_tcp6_packets_chain
|
||||
$IPT6 -A INPUT -i $PUB_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
|
||||
$IPT6 -A INPUT -i $PUB_IF -p tcp -j chk_tcp_inbound
|
||||
$IPT6 -A INPUT -i $PUB_IF -p udp -j chk_udp_inbound
|
||||
$IPT6 -A INPUT -i $PUB_IF -p icmp -j chk_icmp_packets
|
||||
$IPT6 -A INPUT -i $PUB_IF -p ipv6-icmp -j chk_icmp_packets
|
||||
$IPT6 -A INPUT -i $PUB_IF -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "INPUT OUTPUT "
|
||||
$IPT6 -A INPUT -i $PUB_IF -j DROP
|
||||
|
||||
# Output policy
|
||||
$IPT6 -A OUTPUT -o $PUB_LO -j ACCEPT
|
||||
### $IPT6 -A OUTPUT -o $PUB_ETH1 -j ACCEPT
|
||||
### $IPT6 -A OUTPUT -o $PUB_ETH2 -j ACCEPT
|
||||
### $IPT6 -A OUTPUT -o $PUB_ETH3 -j ACCEPT
|
||||
$IPT6 -A OUTPUT -o $PUB_IF -j ACCEPT
|
||||
$IPT6 -A OUTPUT -o $PUB_IF -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "DROP OUTPUT "
|
||||
|
||||
### Custom chains ###
|
||||
# Bad packets chk
|
||||
$IPT6 -A chk_tcp6_packets_chain -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "Bad tcp packets"
|
||||
$IPT6 -A chk_tcp6_packets_chain -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
|
||||
$IPT6 -A chk_tcp6_packets_chain -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "Bad tcp packets"
|
||||
$IPT6 -A chk_tcp6_packets_chain -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
|
||||
$IPT6 -A chk_tcp6_packets_chain -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "BAD tcp"
|
||||
$IPT6 -A chk_tcp6_packets_chain -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
|
||||
$IPT6 -A chk_tcp6_packets_chain -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "Bad tcp"
|
||||
$IPT6 -A chk_tcp6_packets_chain -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
|
||||
$IPT6 -A chk_tcp6_packets_chain -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "Bad tcp "
|
||||
$IPT6 -A chk_tcp6_packets_chain -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
|
||||
$IPT6 -A chk_tcp6_packets_chain -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "Bad tcp "
|
||||
$IPT6 -A chk_tcp6_packets_chain -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
|
||||
$IPT6 -A chk_tcp6_packets_chain -p tcp -j RETURN
|
||||
|
||||
### ### ### C3D2 ### ### ###
|
||||
|
||||
# Global - SSH
|
||||
$IPT6 -A chk_tcp_inbound -p tcp -m tcp --dport 22 -j ACCEPT
|
||||
# Global - DNS
|
||||
$IPT6 -A chk_tcp_inbound -p tcp -m tcp --dport 53 -j ACCEPT
|
||||
# Global - Kerberos Auth
|
||||
$IPT6 -A chk_tcp_inbound -p tcp -m tcp --dport 88 -j ACCEPT
|
||||
# Global - NetBIOS Name
|
||||
$IPT6 -A chk_tcp_inbound -p tcp -m tcp --dport 137 -j ACCEPT
|
||||
# Global - NetBIOS Datagram
|
||||
$IPT6 -A chk_tcp_inbound -p tcp -m tcp --dport 138 -j ACCEPT
|
||||
# Global - NetBIOS Session
|
||||
$IPT6 -A chk_tcp_inbound -p tcp -m tcp --dport 139 -j ACCEPT
|
||||
# Global - LDAP
|
||||
$IPT6 -A chk_tcp_inbound -p tcp -m tcp --dport 389 -j ACCEPT
|
||||
# Global - CIFS
|
||||
$IPT6 -A chk_tcp_inbound -p tcp -m tcp --dport 445 -j ACCEPT
|
||||
# Global - Kerberos Change/Set Password
|
||||
$IPT6 -A chk_tcp_inbound -p tcp -m tcp --dport 464 -j ACCEPT
|
||||
# Global - Microsoft EPMAP - DCE/RPC
|
||||
$IPT6 -A chk_tcp_inbound -p tcp -m tcp --dport 135 -j ACCEPT
|
||||
# Global - LDAPS
|
||||
$IPT6 -A chk_tcp_inbound -p tcp -m tcp --dport 636 -j ACCEPT
|
||||
# Global - Kerberos Admin
|
||||
$IPT6 -A chk_tcp_inbound -p tcp -m tcp --dport 749 -j ACCEPT
|
||||
# Global - reserved
|
||||
$IPT6 -A chk_tcp_inbound -p tcp -m tcp --dport 1024 -j ACCEPT
|
||||
# Global - msft-gc
|
||||
$IPT6 -A chk_tcp_inbound -p tcp -m tcp --dport 3268 -j ACCEPT
|
||||
# Global - msft-gc-ssl
|
||||
$IPT6 -A chk_tcp_inbound -p tcp -m tcp --dport 3269 -j ACCEPT
|
||||
|
||||
###############################
|
||||
# do not modify following rule
|
||||
$IPT6 -A chk_tcp_inbound -p tcp -j RETURN
|
||||
###############################
|
||||
#
|
||||
### ### ### C3D2 ### ### ###
|
||||
|
||||
### ### ### C3D2 ### ### ###
|
||||
|
||||
# Global - DNS
|
||||
$IPT6 -A chk_tcp_inbound -p udp -m udp --dport 53 -j ACCEPT
|
||||
# Global - Kerberos Auth
|
||||
$IPT6 -A chk_tcp_inbound -p udp -m udp --dport 88 -j ACCEPT
|
||||
# Global - NetBIOS Name
|
||||
$IPT6 -A chk_tcp_inbound -p udp -m udp --dport 137 -j ACCEPT
|
||||
# Global - NetBIOS Datagram
|
||||
$IPT6 -A chk_tcp_inbound -p udp -m udp --dport 138 -j ACCEPT
|
||||
# Global - NetBIOS Session
|
||||
$IPT6 -A chk_tcp_inbound -p udp -m udp --dport 139 -j ACCEPT
|
||||
# Global - LDAP
|
||||
$IPT6 -A chk_tcp_inbound -p udp -m udp --dport 389 -j ACCEPT
|
||||
# Global - CIFS
|
||||
$IPT6 -A chk_tcp_inbound -p udp -m udp --dport 445 -j ACCEPT
|
||||
# Global - Kerberos Change/Set Password
|
||||
$IPT6 -A chk_tcp_inbound -p udp -m udp --dport 464 -j ACCEPT
|
||||
|
||||
###############################
|
||||
# do not modify following rule
|
||||
$IPT6 -A chk_udp_inbound -p udp -j RETURN
|
||||
###############################
|
||||
|
||||
# ICMP - allow ping pong
|
||||
$IPT6 -A chk_icmp_packets -p ipv6-icmp -j ACCEPT
|
||||
$IPT6 -A chk_icmp_packets -p icmp -j RETURN
|
||||
|
||||
### ### ### C3D2 ### ### ###
|
||||
# EOF
|
||||
</pre>
|
||||
|
||||
<pre>
|
||||
sudo chmod 555 /root/set_firewall_ipv6.sh
|
||||
sudo chattr +i /root/set_firewall_ipv6.sh
|
||||
</pre>
|
||||
|
||||
<pre>
|
||||
vi /etc/rc.local
|
||||
</pre>
|
||||
|
||||
<pre>
|
||||
#!/bin/sh -e
|
||||
#
|
||||
/root/set_firewall_ipv6.sh
|
||||
#
|
||||
exit 0
|
||||
</pre>
|
||||
|
||||
=== Firewallregeln aktivieren ===
|
||||
|
||||
<pre>
|
||||
/root/set_firewall_ipv6.sh
|
||||
</pre>
|
||||
|
||||
<pre>
|
||||
ip6tables -S
|
||||
</pre>
|
||||
|
|
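Review bot: The eight UDP allow rules in the new script (the `-p udp --dport 53 … 464` lines after the second `### C3D2 ###` marker) are appended to `chk_tcp_inbound`, but INPUT only jumps to that chain with `-p tcp`, so they can never match, and `chk_udp_inbound` holds nothing but its RETURN — every inbound IPv6 UDP packet on eth0, DNS and Kerberos included, falls through to the final `-j DROP`. Each of those lines should target the UDP chain, e.g. `$IPT6 -A chk_udp_inbound -p udp -m udp --dport 53 -j ACCEPT`. Separately, `PUB_LO="lo0"` is the BSD loopback name; on Linux the interface is `lo`, ip6tables does not validate interface names, and with the DROP policies on INPUT and OUTPUT all IPv6 loopback traffic (::1) is silently discarded — it should read `PUB_LO="lo"`. The OUTPUT `LOG` rule after `-o $PUB_IF -j ACCEPT` is unreachable as written, so either drop it or move it ahead of a narrower ACCEPT. The services opened to the entire IPv6 Internet here (NetBIOS 137–139, CIFS 445, LDAP 389, EPMAP 135, Kerberos admin 749, port 1024) would benefit from a comment such as `# intentionally world-reachable; restrict with -s <prefix> if only the C3D2 network needs them` so a later reader knows the exposure is deliberate.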