= global.hq.c3d2.de =

== Samba Active Directory for DynDNS updates with GSS-TSIG ==

; Goal: a simple DynDNS update service (secured with [[wikipedia:Kerberos protocol|Kerberos]] & [[wikipedia:Generic Security Service Algorithm for Secret Key Transaction | GSS-TSIG]]) for '''Wunschname'''''.space.c3d2.de'' (''Wunschname'' = a hostname of your choice)

{{NiftyDiv|
Farbe=#aafd72|
Inhalt=
[[pentapad:global.hq.c3d2.de]] as the current DNS reservation list
}}
== Client installation / setup ==

Required:

* Samba(4)
* Kerberos(5)
* Kerberos(5) client package (klist/kinit etc.)
* DNSUtils
* [https://github.com/plitc/samba-nsupdate/blob/master/do-nsupdate.sh do-nsupdate.sh] mini script (Linux/Mac/FreeBSD)

Samba does '''not''' have to be configured (as a service) on the client machine!

=== Installation ===

{{NiftyDiv|
Farbe=#b4d9fa|
Inhalt=
do-nsupdate.sh

From version 15 on, missing components are installed automatically.
}}
==== General ====

<source lang="bash">
git clone https://github.com/plitc/samba-nsupdate.git

# the script and its configuration both have to end up in $HOME,
# otherwise the chmod and the call below have nothing to work on
cp ~/samba-nsupdate/do-nsupdate.sh $HOME/do-nsupdate.sh
cp ~/samba-nsupdate/do-nsupdate.conf $HOME/do-nsupdate.conf

chmod 775 $HOME/do-nsupdate.sh
$HOME/do-nsupdate.sh
</source>
==== (Debian) Linux ====

<source lang="bash">
apt-get install samba krb5-user krb5-clients dnsutils
</source>

==== (Free)BSD ====

<source lang="bash">
cd /usr/ports/net/samba4/ && make install clean
</source>

optional

<source lang="bash">
cd /usr/ports/security/krb5/ && make install clean
</source>

==== MacOS ====

Required:

* at least 10.9.x (for SMB2 support)

Active Directory membership required!

==== Windows ====

Required:

* at least Vista (SMB2 means SMB 2.0: Vista SP1+ / Windows 2008)
* nsupdate is done via the $COMPUTERNAME account

Active Directory membership required!
=== do-nsupdate.sh usage ===

# download the mini script
# edit it (with a text editor of your choice)
# run it

<source lang="bash">
KERBEROSADMINUSER="username@SPACE.C3D2.DE"
ADMACHINENAME="wunschname.space.c3d2.de"
ADSERVERNAME="space.c3d2.de"
ADSERVERZONE="space.c3d2.de"
ADMACHINETTL="3600"
</source>

<source lang="bash">
chmod 775 do-nsupdate.sh
</source>
<source lang="bash">
./do-nsupdate.sh
</source>
=== do-nsupdate.sh example ===

<source lang="bash">
[daniel@freebie:~]$ ./do-nsupdate.sh
username@SPACE.C3D2.DE's Password:
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; ZONE SECTION:
;space.c3d2.de. IN SOA

;; UPDATE SECTION:
wunschname.space.c3d2.de. 0 ANY A
wunschname.space.c3d2.de. 3600 IN A XXX.XXX.XXX.XXX
wunschname.space.c3d2.de. 0 ANY AAAA
wunschname.space.c3d2.de. 3600 IN AAAA ZZZZ:ZZZZ:ZZZZ::YYYY
</source>

This way a DNS update is done in seconds, so that your services are reachable right away in a new network.

'''That's it!'''
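The same update flow done by hand, as an added example (this is not the project's do-nsupdate.sh): kinit fetches the ticket, the batch fed to nsupdate carries the delete/add pairs that the UPDATE SECTION above shows, and nsupdate -g signs the request with GSS-TSIG so that a DC configured with "allow dns updates = signed" accepts it. Hostname, zone, TTL, principal and addresses are placeholders (the addresses come from the documentation ranges), and verify_record is a helper name chosen here.

```shell
#!/bin/sh
# Added example (not the page's do-nsupdate.sh): a GSS-TSIG dynamic DNS
# update by hand. All values passed in are placeholders; the addresses in
# the usage line come from the documentation ranges (RFC 5737 / RFC 3849).

# Build the batch that nsupdate reads on stdin. One "delete" per record type
# clears stale entries before the "add", which is what the UPDATE SECTION
# of the do-nsupdate.sh output shows ("0 ANY A", then "3600 IN A ...").
build_update_batch() {
    name="$1"; zone="$2"; ttl="$3"; ipv4="$4"; ipv6="$5"
    printf 'zone %s\n' "$zone"
    printf 'update delete %s A\n' "$name"
    printf 'update add %s %s A %s\n' "$name" "$ttl" "$ipv4"
    printf 'update delete %s AAAA\n' "$name"
    printf 'update add %s %s AAAA %s\n' "$name" "$ttl" "$ipv6"
    printf 'send\n'
}

# Obtain a Kerberos ticket for the principal (kinit prompts for the
# password), then send the signed update. "-g" selects GSS-TSIG, "-d"
# prints the outgoing query like the example output. With
# "allow dns updates = signed" on the DC an unsigned update is refused.
run_update() {
    name="$1"; zone="$2"; ttl="$3"; ipv4="$4"; ipv6="$5"; principal="$6"
    kinit "$principal" || return 1
    build_update_batch "$name" "$zone" "$ttl" "$ipv4" "$ipv6" | nsupdate -g -d
}

# Check the result: the authoritative server must now answer with the
# address that was just written (dig is queried directly, no cache).
verify_record() {
    name="$1"; server="$2"; want="$3"; rtype="$4"
    got=$(dig +short "@$server" "$name" "$rtype")
    [ "$got" = "$want" ]
}

# Usage: ./gss-update.sh HOST ZONE TTL IPV4 IPV6 PRINCIPAL
# e.g.   ./gss-update.sh wunschname.space.c3d2.de space.c3d2.de 3600 \
#            192.0.2.10 2001:db8::1 username@SPACE.C3D2.DE
if [ "$#" -eq 6 ]; then
    run_update "$@" && verify_record "$1" "$2" "$4" A && echo "A record updated"
fi
```

The batch is kept separate from the sending so it can be inspected before anything is sent; nsupdate only signs what it is given, so a wrong hostname in the batch is a wrong record in the zone.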
{{NiftyDiv|
Farbe=#b4d9fa|
Inhalt=
== Active Directory - directory administrators ==
currently: [[user:daniel.plominski|daniel]]

... more volunteers? ...
}}

{{NiftyDiv|
Farbe=#f4b9c4|
Inhalt=
== Active Directory - adding a user ==

samba-tool user add USERNAME

samba-tool group addmembers DnsAdmins USERNAME
}}
== lxc container ==

* Debian Jessie
* Samba 4.1.3 / Kerberos 5
* IPv4: 217.115.11.136
* IPv6: 2001:4dd0:fb82:c3d2:a800:5bff:fe06:c2b7

=== DNS ===

* global.hq.c3d2.de

=== DNS nameserver / records ===

* space.c3d2.de. IN NS global.hq.c3d2.de.
* _dns-update._tcp IN SRV 5 0 53 space.c3d2.de.
* _dns-update._udp IN SRV 5 0 53 space.c3d2.de.
* space IN MX 10 mail.c3d2.de.
* space IN TXT "v=spf1 mx -all"
* b._dns-sd._udp 60 PTR space.c3d2.de.
* db._dns-sd._udp 60 PTR space.c3d2.de.
* dr._dns-sd._udp 60 PTR space.c3d2.de.
* lb._dns-sd._udp 60 PTR space.c3d2.de.
* r._dns-sd._udp 60 PTR space.c3d2.de.
== Server Installation ==

<source lang="bash">
apt-get install samba
</source>
<source lang="bash">
service samba stop
</source>
<source lang="bash">
rm /etc/samba/smb.conf
</source>
<source lang="bash">
rm -rfv /var/lib/samba
</source>
<source lang="bash">
mkdir /var/lib/samba
</source>
<source lang="bash">
mkdir /var/lib/samba/private
</source>
=== New Samba provisioning ===

<source lang="bash">
/usr/bin/samba-tool domain provision --use-ntvfs --use-rfc2307 --function-level=2008_R2 --realm=SPACE.C3D2.DE --domain=SPACE --adminpass='GEHEIM' --server-role='dc' --dns-backend=SAMBA_INTERNAL
</source>

Samba runs with virtual sysvol NTACLs (so s3fs daemon support will be missing later), because --use-xattrs=yes is not supported in the lxc container on btrfs!

<source lang="bash">
[root@global:~]# /usr/bin/samba-tool domain provision --use-ntvfs --use-rfc2307 --function-level=2008_R2 --realm=SPACE.C3D2.DE --domain=SPACE --adminpass='GEHEIM' --server-role='dc' --dns-backend=SAMBA_INTERNAL
You are not root or your system do not support xattr, using tdb backend for attributes.
not using extended attributes to store ACLs and other metadata. If you intend to use this provision in production, rerun the script as root on a system supporting xattrs.
Looking up IPv4 addresses
Looking up IPv6 addresses
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=space,DC=c3d2,DC=de
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=space,DC=c3d2,DC=de
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /var/lib/samba/private/krb5.conf
Setting up fake yp server settings
Once the above files are installed, your Samba4 server will be ready to use
Server Role: active directory domain controller
Hostname: global
NetBIOS Domain: SPACE
DNS Domain: space.c3d2.de
DOMAIN SID: S-1-5-21-0123456789-123456789-0123456789
</source>
=== smb.conf - adjustments ===

<source lang="bash">
vi /etc/samba/smb.conf
</source>

<source lang="text">
# Global parameters
[global]
workgroup = SPACE
realm = SPACE.C3D2.DE
netbios name = GLOBAL
server role = active directory domain controller

# LDAP provisioning per RFC 2307
# (smb.conf has no inline comments: text after the value becomes part of the value)
idmap_ldb:use rfc2307 = yes
posix:eadb = /var/lib/samba/private/eadb.tdb

# must not become a public resolver
### dns forwarder = 172.22.99.251

server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns, smb
dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, winreg, srvsvc

### ### ### C3D2 ### ### ###

server string = %h - Global.HQ.C3D2.de

### interfaces = 217.115.11.136 2001:4dd0:fb82:c3d2:a800:5bff:fe06:c2b7
### bind interfaces only = No

# allow dynamic dns update / true = nonsecure + signed
allow dns updates = signed

# debian specific
nsupdate command = /usr/sbin/samba_dnsupdate

### ### # server options

### server min protocol = SMB2_02 (from Windows 7)
server min protocol = SMB2
server max protocol = SMB3

disable netbios = yes
smb ports = 445

server signing = auto

# protocol stream encryption for smbclient
smb encrypt = auto

### ### # client options (for local services / smbclient etc.)

### client min protocol = SMB2_02
client min protocol = SMB2
client max protocol = SMB3

client ldap sasl wrapping = seal

client signing = auto
client schannel = auto

lanman auth = No
ntlm auth = No
client use spnego = Yes
client ntlmv2 auth = Yes
client lanman auth = No
client plaintext auth = No

### ### ### C3D2 ### ### ###

[netlogon]
path = /var/lib/samba/sysvol/space.c3d2.de/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No

### ### ### C3D2 ### ### ###
#
# EOF
</source>
=== Samba Checks ===

<source lang="bash">
samba-tool testparm
</source>
<source lang="bash">
samba-tool dbcheck
</source>
<source lang="bash">
samba-tool ntacl sysvolcheck
</source>
=== krb5.conf - adjustments ===

<source lang="bash">
vi /var/lib/samba/private/krb5.conf
</source>

<source lang="text">
[libdefaults]
default_realm = SPACE.C3D2.DE
dns_lookup_realm = true
dns_lookup_kdc = true
default_etypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5

default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5

forwardable = true
proxiable = true

ticket_lifetime = 86400

[realms]
SPACE.C3D2.DE = {
kdc = localhost:88
admin_server = localhost:749
default_domain = space.c3d2.de
}

[domain_realm]
.space.c3d2.de = SPACE.C3D2.DE
space.c3d2.de = SPACE.C3D2.DE

[logging]
default = FILE:/var/log/samba/krb5libs.log
kdc = FILE:/var/log/samba/krb5kdc.log
admin_server = FILE:/var/log/samba/kadmind.log

; [kdc]
; allow-anonymous = false
; require-preauth = true
; enable-kerberos4 = false

; # EOF
</source>
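A small audit of the settings from the smb.conf and krb5.conf sections above, added here as an example (it is not part of the page or of Samba): it reads the hardening keys that matter for this setup (signed-only DNS updates, no NTLM/LANMAN, SMB2 minimum, sealed LDAP) out of an smb.conf and reports whether the RC4 enctype (arcfour-hmac-md5) is still in the permitted_enctypes of a krb5.conf. The sample configs are constructed inline so the script runs offline; the file paths are placeholders.

```shell
#!/bin/sh
# Added example, not part of the wiki page or of Samba: audit the smb.conf
# and krb5.conf settings shown above. Sample configs are constructed inline
# (placeholder content, not the live files) so the script runs offline.

# Print the value of KEY in FILE, normalised: comment lines skipped,
# whitespace around "=" removed, trailing "#"-comments stripped, lower-cased.
# Prints nothing if the key is absent.
conf_value() {
    key="$1"; file="$2"
    awk -v k="$key" -F'=' '
        /^[[:space:]]*[#;]/ { next }
        {
            name=$1; sub(/^[[:space:]]+/, "", name); sub(/[[:space:]]+$/, "", name)
            if (tolower(name) == tolower(k)) {
                val=$0; sub(/^[^=]*=[[:space:]]*/, "", val)
                sub(/[[:space:]]*#.*$/, "", val); sub(/[[:space:]]+$/, "", val)
                print tolower(val); exit
            }
        }' "$file"
}

# Compare the smb.conf against the values used above. Prints one line per
# check and returns the number of mismatches (0 = everything as expected).
audit_smb_conf() {
    file="$1"; bad=0
    for pair in \
        "allow dns updates=signed" \
        "ntlm auth=no" \
        "lanman auth=no" \
        "client plaintext auth=no" \
        "server min protocol=smb2" \
        "client ldap sasl wrapping=seal"
    do
        key=${pair%%=*}; want=${pair#*=}
        got=$(conf_value "$key" "$file")
        if [ "$got" = "$want" ]; then
            echo "OK   $key = $got"
        else
            echo "FAIL $key = '${got:-<unset>}' (want $want)"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# krb5.conf: "rc4" if arcfour-hmac-md5 is still among permitted_enctypes
# (the krb5.conf above keeps it as a fallback), "ok" otherwise.
krb5_rc4_status() {
    file="$1"
    if awk '/^[[:space:]]*[#;]/ { next }
            /permitted_enctypes/ && /arcfour-hmac-md5/ { found=1 }
            END { exit !found }' "$file"; then
        echo rc4
    else
        echo ok
    fi
}

# Constructed sample files in DIR (placeholder content).
write_samples() {
    dir="$1"
    cat > "$dir/smb.conf" <<'EOF'
[global]
        workgroup = SPACE
        server role = active directory domain controller
        allow dns updates = signed
        ### server min protocol = SMB2_02
        server min protocol = SMB2
        client ldap sasl wrapping = seal
        lanman auth = No
        ntlm auth = No
        client plaintext auth = No
EOF
    cat > "$dir/krb5.conf" <<'EOF'
[libdefaults]
        default_realm = SPACE.C3D2.DE
        permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5
EOF
}

# Stand-alone run without arguments: audit the constructed samples.
# With two arguments: audit the given smb.conf and krb5.conf instead.
if [ "$#" -eq 2 ]; then
    audit_smb_conf "$1" || echo "smb.conf: $? mismatch(es)"
    echo "krb5.conf RC4 permitted: $(krb5_rc4_status "$2")"
elif [ "$#" -eq 0 ]; then
    tmp=$(mktemp -d); write_samples "$tmp"
    audit_smb_conf "$tmp/smb.conf" || echo "smb.conf: $? mismatch(es)"
    echo "krb5.conf RC4 permitted: $(krb5_rc4_status "$tmp/krb5.conf")"
    rm -rf "$tmp"
fi
```

Run it against the live files with `sh audit.sh /etc/samba/smb.conf /var/lib/samba/private/krb5.conf`; `samba-tool testparm` from the checks above still has the last word on whether Samba parses the file the same way.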
=== BTRFS Snapshot ===

<source lang="bash">
btrfs subvolume snapshot /var/lib/lxc/global/rootfs /var/lib/lxc/global/rootfs-snap-smb4-`date -u +%Y.%m.%d-%H.%M.%S`
</source>

=== Start the Samba server ===

<source lang="bash">
service samba start
</source>
== Tests ==

=== DNS - SRV record ===

<source lang="bash">
[root@vps11:~]# dig SRV @global.hq.c3d2.de _kerberos._tcp.space.c3d2.de
zsh: correct '@global.hq.c3d2.de' to 'global.hq.c3d2.de' [nyae]? n

; <<>> DiG 9.8.4-P2 <<>> SRV @global.hq.c3d2.de _kerberos._tcp.space.c3d2.de
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9702
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;_kerberos._tcp.space.c3d2.de. IN SRV

;; ANSWER SECTION:
_kerberos._tcp.space.c3d2.de. 900 IN SRV 0 100 88 global.space.c3d2.de.

;; Query time: 1 msec
;; SERVER: 2001:4dd0:fb82:c3d2:a800:5bff:fe06:c2b7#53(2001:4dd0:fb82:c3d2:a800:5bff:fe06:c2b7)
;; WHEN: Sat Jan 11 06:01:49 2014
;; MSG SIZE rcvd: 73
</source>

=== Kerberos ticket ===

<source lang="bash">
[daniel@freebie:~]$ klist
Credentials cache: FILE:/tmp/krb5cc_1001
Principal: username@SPACE.C3D2.DE

Issued Expires Principal
Jan 11 06:11:43 Jan 11 16:11:42 krbtgt/SPACE.C3D2.DE@SPACE.C3D2.DE
Jan 11 06:11:43 Jan 11 16:11:42 DNS/global.space.c3d2.de@SPACE.C3D2.DE
</source>

'''That's it!'''
== Server optimisations ==

{{Broken
|Reason= the IPv6 example tables from squeeze/wheezy currently do not work in the lxc container under jessie
}}

=== Firewall: IPv6 rules ===
<source lang="bash">
sudo apt-get install iptables
</source>
<source lang="bash">
sudo vi /root/set_firewall_ipv6.sh
</source>
<source lang="bash">
#!/bin/bash
# A bash shell script for ip6tables to protect single hosting / dedicated / vps / colo server running CentOS / Debian / RHEL / or any other Linux distribution.
# -------------------------------------------------------------------------
# Copyright (c) 2007 nixCraft project <http://www.cyberciti.biz/fb/>
# This script is licensed under GNU GPL version 2.0 or above
# -------------------------------------------------------------------------
# This script is part of nixCraft shell script collection (NSSC)
# Visit http://bash.cyberciti.biz/ for more information.
# ----------------------------------------------------------------------
# Last updated on Jan-23, 2008 : Added support for tcp packets
# Last updated on Oct-01, 2012 : Daniel Plominski (PLITC)
# ---------------------------------------------------------------------------
IPT6="/sbin/ip6tables"

# Interfaces
PUB_IF="eth0"
# the Linux loopback interface is "lo" ("lo0" is the BSD name; it never
# matches here, so loopback traffic would fall through to the DROP policy)
PUB_LO="lo"
### PUB_ETH1="eth1"
### PUB_ETH2="eth2"
### PUB_ETH3="eth3"

# Custom chain names
CHAINS="chk_tcp6_packets_chain chk_tcp_inbound chk_udp_inbound chk_icmp_packets"

echo "Starting IPv6 firewall..."
# first clean old mess
$IPT6 -F
$IPT6 -X
$IPT6 -Z
for table in $(</proc/net/ip6_tables_names)
do
    $IPT6 -t $table -F
    $IPT6 -t $table -X
    $IPT6 -t $table -Z
done
$IPT6 -P INPUT ACCEPT
$IPT6 -P OUTPUT ACCEPT
$IPT6 -P FORWARD ACCEPT

# Set default DROP all
$IPT6 -P INPUT DROP
$IPT6 -P OUTPUT DROP
$IPT6 -P FORWARD DROP

# Create the chain
for c in $CHAINS
do $IPT6 --new-chain $c
done

# Input policy
$IPT6 -A INPUT -i $PUB_LO -j ACCEPT
### $IPT6 -A INPUT -i $PUB_ETH1 -j ACCEPT
### $IPT6 -A INPUT -i $PUB_ETH2 -j ACCEPT
### $IPT6 -A INPUT -i $PUB_ETH3 -j ACCEPT
$IPT6 -A INPUT -i $PUB_IF -j chk_tcp6_packets_chain
$IPT6 -A INPUT -i $PUB_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT6 -A INPUT -i $PUB_IF -p tcp -j chk_tcp_inbound
$IPT6 -A INPUT -i $PUB_IF -p udp -j chk_udp_inbound
$IPT6 -A INPUT -i $PUB_IF -p icmp -j chk_icmp_packets
$IPT6 -A INPUT -i $PUB_IF -p ipv6-icmp -j chk_icmp_packets
# everything that RETURNs from the chains above is logged (rate limited) and dropped
$IPT6 -A INPUT -i $PUB_IF -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "DROP INPUT "
$IPT6 -A INPUT -i $PUB_IF -j DROP

# Output policy
$IPT6 -A OUTPUT -o $PUB_LO -j ACCEPT
### $IPT6 -A OUTPUT -o $PUB_ETH1 -j ACCEPT
### $IPT6 -A OUTPUT -o $PUB_ETH2 -j ACCEPT
### $IPT6 -A OUTPUT -o $PUB_ETH3 -j ACCEPT
$IPT6 -A OUTPUT -o $PUB_IF -j ACCEPT
$IPT6 -A OUTPUT -o $PUB_IF -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "DROP OUTPUT "

### Custom chains ###
# Bad packets chk
$IPT6 -A chk_tcp6_packets_chain -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "Bad tcp packets"
$IPT6 -A chk_tcp6_packets_chain -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
$IPT6 -A chk_tcp6_packets_chain -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "Bad tcp packets"
$IPT6 -A chk_tcp6_packets_chain -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
$IPT6 -A chk_tcp6_packets_chain -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "BAD tcp"
$IPT6 -A chk_tcp6_packets_chain -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
$IPT6 -A chk_tcp6_packets_chain -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "Bad tcp"
$IPT6 -A chk_tcp6_packets_chain -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
$IPT6 -A chk_tcp6_packets_chain -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "Bad tcp "
$IPT6 -A chk_tcp6_packets_chain -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT6 -A chk_tcp6_packets_chain -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "Bad tcp "
$IPT6 -A chk_tcp6_packets_chain -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
$IPT6 -A chk_tcp6_packets_chain -p tcp -j RETURN

### ### ### C3D2 ### ### ###

# Global - SSH
$IPT6 -A chk_tcp_inbound -p tcp -m tcp --dport 22 -j ACCEPT
# Global - DNS
$IPT6 -A chk_tcp_inbound -p tcp -m tcp --dport 53 -j ACCEPT
# Global - Kerberos Auth
$IPT6 -A chk_tcp_inbound -p tcp -m tcp --dport 88 -j ACCEPT
# Global - NetBIOS Name
$IPT6 -A chk_tcp_inbound -p tcp -m tcp --dport 137 -j ACCEPT
# Global - NetBIOS Datagram
$IPT6 -A chk_tcp_inbound -p tcp -m tcp --dport 138 -j ACCEPT
# Global - NetBIOS Session
$IPT6 -A chk_tcp_inbound -p tcp -m tcp --dport 139 -j ACCEPT
# Global - LDAP
$IPT6 -A chk_tcp_inbound -p tcp -m tcp --dport 389 -j ACCEPT
# Global - CIFS
$IPT6 -A chk_tcp_inbound -p tcp -m tcp --dport 445 -j ACCEPT
# Global - Kerberos Change/Set Password
$IPT6 -A chk_tcp_inbound -p tcp -m tcp --dport 464 -j ACCEPT
# Global - Microsoft EPMAP - DCE/RPC
$IPT6 -A chk_tcp_inbound -p tcp -m tcp --dport 135 -j ACCEPT
# Global - LDAPS
$IPT6 -A chk_tcp_inbound -p tcp -m tcp --dport 636 -j ACCEPT
# Global - Kerberos Admin
$IPT6 -A chk_tcp_inbound -p tcp -m tcp --dport 749 -j ACCEPT
# Global - reserved
$IPT6 -A chk_tcp_inbound -p tcp -m tcp --dport 1024 -j ACCEPT
# Global - msft-gc
$IPT6 -A chk_tcp_inbound -p tcp -m tcp --dport 3268 -j ACCEPT
# Global - msft-gc-ssl
$IPT6 -A chk_tcp_inbound -p tcp -m tcp --dport 3269 -j ACCEPT

###############################
# do not modify following rule
$IPT6 -A chk_tcp_inbound -p tcp -j RETURN
###############################
#
### ### ### C3D2 ### ### ###

### ### ### C3D2 ### ### ###

# UDP rules belong in chk_udp_inbound: the INPUT chain sends "-p udp"
# there, so a UDP rule appended to chk_tcp_inbound is never evaluated and
# DNS/Kerberos over UDP would be dropped
# Global - DNS
$IPT6 -A chk_udp_inbound -p udp -m udp --dport 53 -j ACCEPT
# Global - Kerberos Auth
$IPT6 -A chk_udp_inbound -p udp -m udp --dport 88 -j ACCEPT
# Global - NetBIOS Name
$IPT6 -A chk_udp_inbound -p udp -m udp --dport 137 -j ACCEPT
# Global - NetBIOS Datagram
$IPT6 -A chk_udp_inbound -p udp -m udp --dport 138 -j ACCEPT
# Global - NetBIOS Session
$IPT6 -A chk_udp_inbound -p udp -m udp --dport 139 -j ACCEPT
# Global - LDAP
$IPT6 -A chk_udp_inbound -p udp -m udp --dport 389 -j ACCEPT
# Global - CIFS
$IPT6 -A chk_udp_inbound -p udp -m udp --dport 445 -j ACCEPT
# Global - Kerberos Change/Set Password
$IPT6 -A chk_udp_inbound -p udp -m udp --dport 464 -j ACCEPT

###############################
# do not modify following rule
$IPT6 -A chk_udp_inbound -p udp -j RETURN
###############################

# ICMP - allow ping pong (ICMPv6 also carries neighbour discovery, which IPv6 needs)
$IPT6 -A chk_icmp_packets -p ipv6-icmp -j ACCEPT
$IPT6 -A chk_icmp_packets -p icmp -j RETURN

### ### ### C3D2 ### ### ###
# EOF
</source>
<source lang="bash">
sudo chmod 555 /root/set_firewall_ipv6.sh
</source>
<source lang="bash">
sudo chattr +i /root/set_firewall_ipv6.sh
</source>

<source lang="bash">
vi /etc/rc.local
</source>

<source lang="text">
#!/bin/sh -e
#
/root/set_firewall_ipv6.sh
#
exit 0
</source>
=== Activate the firewall rules ===

<source lang="bash">
/root/set_firewall_ipv6.sh
</source>
<source lang="bash">
ip6tables -S
</source>
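The port rules of the firewall script above as one table, from which the per-protocol chain rules are generated; added here as an example and not part of the page or of the nixCraft script. Keeping the chain choice tied to the protocol rules out the hand-edited mismatch (a UDP rule appended to chk_tcp_inbound) that silently drops DNS and Kerberos over UDP, and count_mismatches finds that mistake in an existing rule dump. The port list is the one used above; chain names are those of the script, and ip6tables is only printed, not executed.

```shell
#!/bin/sh
# Added example (not the page's script): generate the chk_tcp_inbound /
# chk_udp_inbound rules from one service table. Output is printed only;
# pipe it into sh (as root) to apply, or into count_mismatches to check.

# Service table: proto port description (the ports opened above).
# 137-139 are listed for completeness; with "disable netbios = yes" and
# "smb ports = 445" in the smb.conf above nothing listens on them.
AD_DC_PORTS='
tcp 22 SSH
tcp 53 DNS
udp 53 DNS
tcp 88 Kerberos Auth
udp 88 Kerberos Auth
tcp 135 Microsoft EPMAP - DCE/RPC
tcp 137 NetBIOS Name
udp 137 NetBIOS Name
tcp 138 NetBIOS Datagram
udp 138 NetBIOS Datagram
tcp 139 NetBIOS Session
udp 139 NetBIOS Session
tcp 389 LDAP
udp 389 LDAP / CLDAP
tcp 445 CIFS
udp 445 CIFS
tcp 464 Kerberos Change/Set Password
udp 464 Kerberos Change/Set Password
tcp 636 LDAPS
tcp 749 Kerberos Admin
tcp 1024 reserved
tcp 3268 msft-gc
tcp 3269 msft-gc-ssl
'

# Print the ACCEPT rules for PROTO (tcp|udp) into the chain that the INPUT
# chain actually dispatches that protocol to, followed by the RETURN that
# hands unmatched packets back to the log+drop rules.
gen_rules() {
    proto="$1"
    case "$proto" in
        tcp) chain=chk_tcp_inbound ;;
        udp) chain=chk_udp_inbound ;;
        *) echo "unknown protocol: $proto" >&2; return 1 ;;
    esac
    printf '%s\n' "$AD_DC_PORTS" | while read -r p port desc; do
        [ "$p" = "$proto" ] || continue
        printf '# Global - %s\n' "$desc"
        printf 'ip6tables -A %s -p %s -m %s --dport %s -j ACCEPT\n' "$chain" "$proto" "$proto" "$port"
    done
    printf 'ip6tables -A %s -p %s -j RETURN\n' "$chain" "$proto"
}

# Read rules on stdin (generated here or from "ip6tables -S") and print the
# number of rules whose chain and protocol disagree; 0 means consistent.
count_mismatches() {
    grep -cE -- '-A chk_tcp_inbound -p udp|-A chk_udp_inbound -p tcp' || true
}

# Stand-alone: print the complete rule set for both chains.
if [ "$#" -eq 0 ]; then
    gen_rules tcp
    gen_rules udp
fi
```

After applying the script above, `ip6tables -S | sh -c 'count_mismatches'` is not available since the function lives in this file; instead run `ip6tables -S | grep -cE -- '-A chk_tcp_inbound -p udp'`, which is the same check, and expect 0.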

[[Kategorie:Infrastruktur]]