分类: LINUX

2010-03-02 22:25:35

/mnt/disk/backup.20100208/iptables $ cat iptables.setup
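#!/bin/bash
# iptables setup for a small LAN gateway:
#   * masquerade the internal network behind the dial-up interface (ppp0),
#   * rate-limit brute-force attempts against ssh (22) and ftp (21) coming
#     from outside the LAN: more than 10 new connections from one source
#     within 300 s are logged and dropped,
#   * log inbound TCP connections arriving on the WAN interface.
#
# The INPUT policy is left at ACCEPT, so nothing except the repeated
# ssh/ftp attempts is ever dropped by this script.
#
# Diagnostics kept from the original notes:
#   cat /proc/net/ip_conntrack
#   grep net.ipv4.ip_forward /etc/sysctl.conf
#   sudo cp /home/daniel/iptables/ip_forward /proc/sys/net/ipv4/
# NOTE: the MASQUERADE rule only routes traffic once ip_forward is enabled.

LAN_NET=172.16.20.0/24   # internal network behind the gateway
WAN_IF=ppp0              # interface facing the Internet
SCAN_SECONDS=300         # observation window of the brute-force counter
SCAN_HITS=10             # new connections per window before DROP

ipt() { sudo iptables "$@"; }

# Start from a clean state so that re-running the script neither appends
# duplicate rules (-A) nor fails on chains that already exist (-N).
ipt -F INPUT
for chain in SSHSCAN FTPSCAN INBOUND; do
    ipt -F "$chain" 2>/dev/null
    ipt -X "$chain" 2>/dev/null
done
ipt -t nat -F POSTROUTING

# NAT for the internal network (software router).
ipt -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE

# setup_scan_chain CHAIN PORT NAME
# Builds a "recent"-based limiter for one service: LAN hosts are accepted
# first; every other NEW connection is recorded under NAME, and once a
# source exceeds SCAN_HITS within SCAN_SECONDS it is logged and dropped.
# The log prefix "SCAN blocked NAME: " is what the syslog-ng filter
# f_iptables (/etc/syslog-ng/syslog-ng.conf) matches on -- keep them in sync.
setup_scan_chain() {
    local chain=$1 port=$2 name=$3
    ipt -N "$chain"
    # allow the service from the LAN without counting
    ipt -A INPUT -p tcp --dport "$port" -s "$LAN_NET" -j ACCEPT
    ipt -A INPUT -p tcp --dport "$port" -m state --state NEW -j "$chain"
    ipt -A "$chain" -m recent --set --name "$name"
    ipt -A "$chain" -m recent --update --seconds "$SCAN_SECONDS" --hitcount "$SCAN_HITS" --name "$name" \
        -j LOG --log-level info --log-prefix "SCAN blocked $name: "
    ipt -A "$chain" -m recent --update --seconds "$SCAN_SECONDS" --hitcount "$SCAN_HITS" --name "$name" -j DROP
}

# /etc/ssh/sshd_config: Port 22
setup_scan_chain SSHSCAN 22 SSH
# /etc/proftpd/proftpd.conf: Port 21
setup_scan_chain FTPSCAN 21 FTP

# Log each new inbound TCP connection on the WAN interface.
# The previous version matched ESTABLISHED,RELATED, which logs every packet
# of every open connection (and never the opening SYN) and can fill the log;
# matching NEW gives one line per connection, as the comment intended.
ipt -N INBOUND
ipt -A INPUT -i "$WAN_IF" -p tcp -m state --state NEW -j INBOUND
ipt -A INBOUND -p tcp -j LOG --log-level 4 --log-prefix "INBOUND: "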
 
=======iptables-save=======
~/iptables $ sudo iptables-save
# Generated by iptables-save v1.4.6 on Wed Mar  3 20:36:06 2010
# Dump of the rules installed by iptables.setup above. iptables-save prints
# the canonical form of the script's options: "-m tcp" is inserted for
# --dport, "--rsource" (the default of -m recent) is shown explicitly,
# "--log-level info" becomes "--log-level 6", and the INBOUND rule's
# "--log-level 4" is dropped because it equals the LOG target's default.
*filter
# Default policy on INPUT is ACCEPT: only repeated ssh/ftp connection
# attempts (SSHSCAN/FTPSCAN) are ever dropped; everything else is accepted.
:INPUT ACCEPT [102225:139094790]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [63270:4434437]
:FTPSCAN - [0:0]
:INBOUND - [0:0]
:SSHSCAN - [0:0]
# LAN hosts reach ssh/ftp directly; other NEW connections go through the
# per-service rate-limit chains.
-A INPUT -s 172.16.20.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j SSHSCAN
-A INPUT -s 172.16.20.0/24 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -m state --state NEW -j FTPSCAN
# Matches every packet of already-established inbound TCP flows on ppp0,
# so INBOUND logs per packet rather than per connection.
-A INPUT -i ppp0 -p tcp -m state --state RELATED,ESTABLISHED -j INBOUND
# --set records the source; the two --update rules fire once the same
# source has been seen 10 times within 300 s (LOG first, then DROP).
-A FTPSCAN -m recent --set --name FTP --rsource
-A FTPSCAN -m recent --update --seconds 300 --hitcount 10 --name FTP --rsource -j LOG --log-prefix "SCAN blocked FTP: " --log-level 6
-A FTPSCAN -m recent --update --seconds 300 --hitcount 10 --name FTP --rsource -j DROP
-A INBOUND -p tcp -j LOG --log-prefix "INBOUND: "
-A SSHSCAN -m recent --set --name SSH --rsource
-A SSHSCAN -m recent --update --seconds 300 --hitcount 10 --name SSH --rsource -j LOG --log-prefix "SCAN blocked SSH: " --log-level 6
-A SSHSCAN -m recent --update --seconds 300 --hitcount 10 --name SSH --rsource -j DROP
COMMIT
# Completed on Wed Mar  3 20:36:06 2010
# Generated by iptables-save v1.4.6 on Wed Mar  3 20:36:06 2010
*nat
:PREROUTING ACCEPT [802:98365]
:POSTROUTING ACCEPT [1590:103394]
:OUTPUT ACCEPT [1590:103394]
# Source NAT for the LAN leaving through the dial-up interface.
-A POSTROUTING -s 172.16.20.0/24 -o ppp0 -j MASQUERADE
COMMIT
# Completed on Wed Mar  3 20:36:06 2010
=======配置log=======
@version: 3.0
# $Header: /var/cvsroot/gentoo-x86/app-admin/syslog-ng/files/syslog-ng.conf.gentoo.3.0,v 1.1 2009/05/25 20:07:21 mr_bones_ Exp $
#
# Syslog-ng default configuration file for Gentoo Linux
#
# Gentoo default config plus four per-service destinations (between the
# "Add by Daniel" markers) that split the iptables LOG output, sshd and
# proftpd messages out of /var/log/messages.
options {
        chain_hostnames(no);
        # The default action of syslog-ng is to log a STATS line
        # to the file every 10 minutes.  That's pretty ugly after a while.
        # Change it to every 12 hours so you get a nice daily update of
        # how many messages syslog-ng missed (0).
        stats_freq(43200);
};
# Local syslog socket, syslog-ng's own messages, and the kernel ring buffer
# (the iptables LOG lines arrive through /proc/kmsg).
source src {
    unix-stream("/dev/log" max-connections(256));
    internal();
    file("/proc/kmsg");
};
destination messages { file("/var/log/messages"); };
# By default messages are logged to tty12...
destination console_all { file("/dev/tty12"); };
# ...if you intend to use /dev/console for programs like xconsole
# you can comment out the destination line above that references /dev/tty12
# and uncomment the line below.
#destination console_all { file("/dev/console"); };
########################## Add by Daniel start #########################
# One file per service.
destination d_iptables { file("/var/log/iptables.log"); };
destination d_sshd { file("/var/log/sshd.log"); };
destination d_proftpd { file("/var/log/proftpd.log"); };
destination d_inbound { file("/var/log/inbound.log"); };
# f_iptables / f_inbound match the --log-prefix strings set in iptables.setup
# ("SCAN blocked ...", "INBOUND: ") at the start of the message text;
# f_sshd / f_proftpd match on the program name.
# NOTE(review): "^SCAN blocked" / "^INBOUND" are anchored at the start of
# MESSAGE; if the kernel prepends a printk timestamp ("[123.456] ...") the
# anchor will not match -- confirm against a live line in /var/log/messages.
# NOTE(review): program(ssh) is presumably an unanchored regexp match and so
# also matches "sshd" (likely the intent) -- confirm.
filter f_proftpd { program(proftpd); };
filter f_iptables { match("^SCAN blocked" value("MESSAGE")); };
filter f_sshd { program(ssh); };
filter f_inbound { match("^INBOUND" value("MESSAGE")); };
# flags(final): a message matched here is not also delivered by the
# catch-all log statements below, so these four must stay before them.
log { source(src); filter(f_iptables); destination(d_iptables); flags(final); };
log { source(src); filter(f_sshd); destination(d_sshd); flags(final); };
log { source(src); filter(f_proftpd); destination(d_proftpd); flags(final); };
log { source(src); filter(f_inbound); destination(d_inbound); flags(final); };
##########################  Add by Daniel end  #########################
# Everything not claimed above goes to /var/log/messages and tty12.
log { source(src); destination(messages); };
log { source(src); destination(console_all); };
 
=======modules=======
# Show the netfilter-related options of the kernel config (both NF_ and
# NETFILTER_ symbols), then list the netfilter modules built for the
# running kernel.
KCONFIG=/usr/src/linux/.config
grep _NF_ "$KCONFIG" && grep _NETFILTER_ "$KCONFIG"
ls "/lib/modules/$(uname -r)/kernel/net/netfilter/"
 
 
 
 