/mnt/disk/backup.20100208/iptables $ cat iptables.setup
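#!/bin/bash
# iptables.setup: masquerade the LAN behind the PPP uplink, throttle repeated
# new SSH (22) and FTP (21) connections per source, and log inbound
# established TCP traffic on the uplink.
#
# Optional environment overrides (defaults reproduce the original rules):
#   LAN_NET  LAN subnet that is masqueraded and gets unthrottled SSH/FTP
#   WAN_IF   uplink interface (the PPP link)
#
# Caveats visible in the iptables-save output kept below this script:
#   - INPUT's default policy is ACCEPT, so this only rate-limits SSH/FTP from
#     a single source; every other inbound port stays open.
#   - Rules are appended (-A) and chains created (-N) without any cleanup, so
#     a second run is not idempotent: -N fails on the existing chain and, with
#     set -e, the script stops there instead of appending duplicate rules.
#   - INBOUND logs every established/related TCP packet on WAN_IF with no
#     "-m limit"; on a busy link that floods the kernel log and
#     /var/log/inbound.log (see the syslog-ng configuration).
#
# Handy commands kept from the original header:
#   cat /proc/net/ip_conntrack
#   grep net.ipv4.ip_forward /etc/sysctl.conf
#   sudo cp /home/daniel/iptables/ip_forward /proc/sys/net/ipv4/
set -euo pipefail

readonly LAN_NET="${LAN_NET:-172.16.20.0/24}"
readonly WAN_IF="${WAN_IF:-ppp0}"
# "-m recent" window (seconds) and the hit count after which a source is
# logged and dropped.
readonly WINDOW=300
readonly THRESHOLD=10

# Run one iptables command as root (the original invoked sudo on every line).
ipt() {
  sudo iptables "$@"
}

#######################################
# Build a per-service anti-brute-force chain, rules in the original order.
# Arguments:
#   $1 - chain name (SSHSCAN / FTPSCAN)
#   $2 - TCP port
#   $3 - "recent" list name; it also ends up in the log prefix, which the
#        syslog-ng filter f_iptables matches as "^SCAN blocked"
#######################################
scan_chain() {
  local chain=$1 port=$2 list=$3
  ipt -N "$chain"
  # LAN hosts are accepted before the chain is consulted, so they are never
  # counted or throttled.
  ipt -A INPUT -p tcp --dport "$port" -s "$LAN_NET" -j ACCEPT
  ipt -A INPUT -p tcp --dport "$port" -m state --state NEW -j "$chain"
  ipt -A "$chain" -m recent --set --name "$list"
  ipt -A "$chain" -m recent --update --seconds "$WINDOW" --hitcount "$THRESHOLD" \
    --name "$list" -j LOG --log-level info --log-prefix "SCAN blocked ${list}: "
  ipt -A "$chain" -m recent --update --seconds "$WINDOW" --hitcount "$THRESHOLD" \
    --name "$list" -j DROP
}

main() {
  # Soft router for the LAN: masquerade it behind the uplink.
  ipt -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE

  # /etc/ssh/sshd_config: Port 22
  scan_chain SSHSCAN 22 SSH
  # /etc/proftpd/proftpd.conf: Port 21
  scan_chain FTPSCAN 21 FTP

  # Log every established/related inbound TCP packet on the uplink
  # (--log-level 4 = warning; the per-service log files are configured in
  # /etc/syslog-ng/syslog-ng.conf).
  ipt -N INBOUND
  ipt -A INPUT -i "$WAN_IF" -p tcp -m state --state ESTABLISHED,RELATED -j INBOUND
  ipt -A INBOUND -p tcp -j LOG --log-level 4 --log-prefix "INBOUND: "
}

main "$@"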
=======iptables-save=======
~/iptables $ sudo iptables-save
# Generated by iptables-save v1.4.6 on Wed Mar 3 20:36:06 2010
*filter
:INPUT ACCEPT [102225:139094790]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [63270:4434437]
:FTPSCAN - [0:0]
:INBOUND - [0:0]
:SSHSCAN - [0:0]
-A INPUT -s 172.16.20.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j SSHSCAN
-A INPUT -s 172.16.20.0/24 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -m state --state NEW -j FTPSCAN
-A INPUT -i ppp0 -p tcp -m state --state RELATED,ESTABLISHED -j INBOUND
-A FTPSCAN -m recent --set --name FTP --rsource
-A FTPSCAN -m recent --update --seconds 300 --hitcount 10 --name FTP --rsource -j LOG --log-prefix "SCAN blocked FTP: " --log-level 6
-A FTPSCAN -m recent --update --seconds 300 --hitcount 10 --name FTP --rsource -j DROP
-A INBOUND -p tcp -j LOG --log-prefix "INBOUND: "
-A SSHSCAN -m recent --set --name SSH --rsource
-A SSHSCAN -m recent --update --seconds 300 --hitcount 10 --name SSH --rsource -j LOG --log-prefix "SCAN blocked SSH: " --log-level 6
-A SSHSCAN -m recent --update --seconds 300 --hitcount 10 --name SSH --rsource -j DROP
COMMIT
# Completed on Wed Mar 3 20:36:06 2010
# Generated by iptables-save v1.4.6 on Wed Mar 3 20:36:06 2010
*nat
:PREROUTING ACCEPT [802:98365]
:POSTROUTING ACCEPT [1590:103394]
:OUTPUT ACCEPT [1590:103394]
-A POSTROUTING -s 172.16.20.0/24 -o ppp0 -j MASQUERADE
COMMIT
# Completed on Wed Mar 3 20:36:06 2010
=======配置log=======
@version: 3.0
# $Header: /var/cvsroot/gentoo-x86/app-admin/syslog-ng/files/syslog-ng.conf.gentoo.3.0,v 1.1 2009/05/25 20:07:21 mr_bones_ Exp $
#
# Syslog-ng default configuration file for Gentoo Linux
# Global options (stock Gentoo defaults).
options {
chain_hostnames(no);
# The default action of syslog-ng is to log a STATS line
# to the file every 10 minutes. That's pretty ugly after a while.
# Change it to every 12 hours so you get a nice daily update of
# how many messages syslog-ng missed (0).
stats_freq(43200);
};
# All local input: the syslog socket, syslog-ng's own messages and the kernel
# ring buffer. The netfilter LOG lines ("SCAN blocked ...", "INBOUND: ...")
# that the filters further down select come in through file("/proc/kmsg").
source src {
unix-stream("/dev/log" max-connections(256));
internal();
file("/proc/kmsg");
};
# Catch-all destinations used by the last two log statements of this file.
destination messages { file("/var/log/messages"); };
# By default messages are logged to tty12...
destination console_all { file("/dev/tty12"); };
# ...if you intend to use /dev/console for programs like xconsole
# you can comment out the destination line above that references /dev/tty12
# and uncomment the line below.
#destination console_all { file("/dev/console"); };
########################## Add by Daniel start #########################
# One file per service. Every log path below carries flags(final), so a
# message matched here is NOT also written to /var/log/messages by the
# catch-all statements at the end of this file; anything that only watches
# /var/log/messages will not see SSH, FTP or firewall events.
destination d_iptables { file("/var/log/iptables.log"); };
destination d_sshd { file("/var/log/sshd.log"); };
destination d_proftpd { file("/var/log/proftpd.log"); };
destination d_inbound { file("/var/log/inbound.log"); };
filter f_proftpd { program(proftpd); };
# The prefixes come from the LOG targets in iptables.setup
# ("SCAN blocked SSH: ", "SCAN blocked FTP: ", "INBOUND: ").
# NOTE(review): the ^ anchor assumes the kernel line reaches syslog-ng without
# a leading timestamp or other prefix — if iptables.log stays empty while the
# entries show up in /var/log/messages, that assumption is the first suspect.
filter f_iptables { match("^SCAN blocked" value("MESSAGE")); };
# program() is a regular expression and is not anchored here, so "ssh" is
# expected to match "sshd" as well — TODO confirm against a live sshd line.
filter f_sshd { program(ssh); };
filter f_inbound { match("^INBOUND" value("MESSAGE")); };
log { source(src); filter(f_iptables); destination(d_iptables); flags(final); };
log { source(src); filter(f_sshd); destination(d_sshd); flags(final); };
log { source(src); filter(f_proftpd); destination(d_proftpd); flags(final); };
log { source(src); filter(f_inbound); destination(d_inbound); flags(final); };
########################## Add by Daniel end #########################
# Catch-all: everything not already claimed by a flags(final) path above.
log { source(src); destination(messages); };
log { source(src); destination(console_all); };
=======modules=======
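# Sanity-check netfilter support before relying on iptables.setup: the
# "-m state" / "-m recent" matches and the LOG target it uses each need
# their netfilter module, built in or loadable. Prints the matching kernel
# config lines (second grep only runs if the first found something).
grep _NF_ /usr/src/linux/.config && grep _NETFILTER_ /usr/src/linux/.config
# List the loadable netfilter modules of the running kernel.
# $(...) instead of backticks: nests cleanly and is easier to read.
ls /lib/modules/"$(uname -r)"/kernel/net/netfilter/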