shunda posted on 2003-10-14 16:57:50

I tried both smoothwall-2.06-voyage and IPCOP1.30 and found that when a box built with smoothwall-2.06-voyage is scanned from the outside with a scanning tool, it shows the following:
IP Address : 218.15.161.35
Operating System : undetermined
Time to live : 0

   UDP ports - 12 open ports
         39 [ RLP => Resource Location Protocol ]   
         43 [ whois ]   
         67 [ bootps => Bootstrap Protocol Server ]   
         68 [ bootpc => Bootstrap Protocol Client ]   
         88 [ Kerberos 5 ]   
         135 [ epmap => DCE endpoint resolution ]   
         138 [ Netbios-DGM => Netbios Datagram Service ]   
         162 [ SNMP trap ]   
         514 [ syslog ]   
         749 [ Kerberos Administration ]   
         1434 [ ms-sql-m => Microsoft SQL Monitor ]   
         1900 [ ssdp => Simple Service Discovery Protocol ]
What kind of firewall is this??!! Even after following what others did and adding iptables -A INPUT -p icmp -j DROP, it kept complaining that -A was invalid. What rule is -A? In a fit of anger I changed
# All ICMP on ppp too.
/sbin/iptables -A block -p icmp -i ppp0 -j ACCEPT
/sbin/iptables -A block -p icmp -i ippp0 -j ACCEPT
to
# All ICMP on ppp too.
/sbin/iptables -A block -p icmp -i ppp0 -j DROP
/sbin/iptables -A block -p icmp -i ippp0 -j DROP
and only then was ICMP blocked while dialled up. Scanning again from the outside, PING no longer got through, but the ports listed above were still shown, every single one of them, which nearly made me explode. I remembered that 网之鹰 had once introduced IPCOP1.30, so I fetched a copy from its home site, installed it, and scanned it with the same tool: nothing was found at all. From a security standpoint I recommend IPCOP1.30; its traffic graphs are also more detailed than those of smoothwall-2.06-voyage. Still, I would like smoothwall-2.06-voyage to show nothing to a scanner as well. What should I change? Please advise, veterans. Also, I see smoothwall comes in beta and GPL editions; what is the functional difference between them? What is the relationship between IPCOP1.30 and smoothwall? Is it a cracked version of smoothwall, and which smoothwall version does it correspond to?

Attached: rc.firewall.up from smoothwall-2.06-voyage
#!/bin/sh

# Disable ICMP Redirect Acceptance
for FILE in /proc/sys/net/ipv4/conf/*/accept_redirects; do
        echo 0 > $FILE
done

# Disable Source Routed Packets
for FILE in /proc/sys/net/ipv4/conf/*/accept_source_route; do
        echo 0 > $FILE
done

# Log Spoofed Packets, Source Routed Packets, Redirect Packets
for FILE in /proc/sys/net/ipv4/conf/*/log_martians; do
        echo 1 > $FILE
done

# Set timeouts. 2.5 hours for TCP.
#/sbin/ipchains -M -S 9000 0 0

/sbin/iptables -F
/sbin/iptables -X

/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT ACCEPT

# Spoof protection for RED (rp_filter does not work with FreeS/WAN)
/sbin/iptables -N spoof
/sbin/iptables -A spoof -s $GREEN_NETADDRESS/$GREEN_NETMASK -j DROP
if [ "$ORANGE_DEV" != "" ]; then
        /sbin/iptables -A spoof -s $ORANGE_NETADDRESS/$ORANGE_NETMASK -j DROP
fi

/sbin/iptables -A INPUT -i ppp0 -j spoof
/sbin/iptables -A INPUT -i ippp0 -j spoof
if [ "$RED_DEV" != "" ]; then
        /sbin/iptables -A INPUT -i $RED_DEV -j spoof
fi


# localhost and ethernet.
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -i $GREEN_DEV -j ACCEPT

# IPSEC
/sbin/iptables -N secin
/sbin/iptables -A secin -i ipsec0 -j ACCEPT
/sbin/iptables -A INPUT -j secin

/sbin/iptables -N secout
/sbin/iptables -A secout -i ipsec0 -j ACCEPT
/sbin/iptables -A FORWARD -j secout

/sbin/iptables -N block

# Let em through.
/sbin/iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A block -i $GREEN_DEV -j ACCEPT

# External access. Rule set with setxtaccess setuid
/sbin/iptables -N xtaccess
/sbin/iptables -A block -j xtaccess

# IPSEC
/sbin/iptables -N ipsec
/sbin/iptables -A ipsec -p udp --destination-port 500 -j ACCEPT
/sbin/iptables -A ipsec -p 47 -j ACCEPT
/sbin/iptables -A ipsec -p 50 -j ACCEPT
/sbin/iptables -A block -i ppp0 -j ipsec
/sbin/iptables -A block -i ippp0 -j ipsec
if [ "$RED_DEV" != "" ]; then
        /sbin/iptables -A block -i $RED_DEV -j ipsec
fi

# DHCP
if [ "$RED_DEV" != "" -a "$RED_TYPE" = "DHCP" ]; then
        /sbin/iptables -A block -p tcp --source-port 67 --destination-port 68 \
                -i $RED_DEV -j ACCEPT
        /sbin/iptables -A block -p tcp --source-port 68 --destination-port 67 \
                -i $RED_DEV -j ACCEPT
        /sbin/iptables -A block -p udp --source-port 67 --destination-port 68 \
                -i $RED_DEV -j ACCEPT
        /sbin/iptables -A block -p udp --source-port 68 --destination-port 67 \
                -i $RED_DEV -j ACCEPT
fi

# All ICMP on ppp too.
/sbin/iptables -A block -p icmp -i ppp0 -j ACCEPT
/sbin/iptables -A block -p icmp -i ippp0 -j ACCEPT
if [ "$RED_DEV" != "" ]; then
        /sbin/iptables -A block -p icmp -i $RED_DEV -d $RED_NETADDRESS/$RED_NETMASK -j ACCEPT
fi

/sbin/iptables -A INPUT -j block

# last rule in INPUT chain is for logging.
/sbin/iptables -A INPUT -j LOG
/sbin/iptables -A INPUT -j REJECT

# Allow packets that we know about through.
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -o ppp0 -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -i ppp0 -j ACCEPT
/sbin/iptables -A FORWARD -m state --state NEW -o ppp0 -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -o ippp0 -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -i ippp0 -j ACCEPT
/sbin/iptables -A FORWARD -m state --state NEW -o ippp0 -j ACCEPT
if [ "$RED_DEV" != "" ]; then
        /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -o $RED_DEV -j ACCEPT
        /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -i $RED_DEV -j ACCEPT
        /sbin/iptables -A FORWARD -m state --state NEW -o $RED_DEV -j ACCEPT
fi

# Port forwarding
/sbin/iptables -N portfwf
/sbin/iptables -A FORWARD -j portfwf

/sbin/iptables -N dmzholes

# Allow GREEN to talk to ORANGE.
if [ "$ORANGE_DEV" != "" ]; then
        /sbin/iptables -A FORWARD -i $ORANGE_DEV -o $GREEN_DEV -m state \
                --state ESTABLISHED,RELATED -j ACCEPT
        /sbin/iptables -A FORWARD -i $GREEN_DEV -o $ORANGE_DEV -m state \
                --state NEW,ESTABLISHED,RELATED -j ACCEPT
        # dmz pinhole chain. setdmzholes setuid prog adds rules here to allow
        # ORANGE to talk to GREEN.
        /sbin/iptables -A FORWARD -i $ORANGE_DEV -o $GREEN_DEV -j dmzholes
fi

# VPN
/sbin/iptables -A FORWARD -i $GREEN_DEV -o ipsec0 -j ACCEPT
/sbin/iptables -A FORWARD -i ipsec0 -o $GREEN_DEV -j ACCEPT

/sbin/iptables -A FORWARD -j LOG
/sbin/iptables -A FORWARD -j REJECT

# NAT table
/sbin/iptables -t nat -F
/sbin/iptables -t nat -X

# squid
/sbin/iptables -t nat -N squid
/sbin/iptables -t nat -N jmpsquid
/sbin/iptables -t nat -A jmpsquid -d 10.0.0.0/8 -j RETURN
/sbin/iptables -t nat -A jmpsquid -d 172.16.0.0/12 -j RETURN
/sbin/iptables -t nat -A jmpsquid -d 192.168.0.0/16 -j RETURN
/sbin/iptables -t nat -A jmpsquid -d 169.254.0.0/16 -j RETURN
/sbin/iptables -t nat -A jmpsquid -j squid
/sbin/iptables -t nat -A PREROUTING -i $GREEN_DEV -j jmpsquid

# Masquerade
/sbin/iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
/sbin/iptables -t nat -A POSTROUTING -o ippp0 -j MASQUERADE
if [ "$RED_DEV" != "" ]; then
        /sbin/iptables -t nat -A POSTROUTING -o $RED_DEV -j MASQUERADE
fi

# Port forwarding
/sbin/iptables -t nat -N portfw
/sbin/iptables -t nat -A PREROUTING -j portfw



Also attached: rc.firewall from IPCOP1.30
#!/bin/sh

. /var/ipcop/ppp/settings
. /var/ipcop/ethernet/settings
IFACE=`/bin/cat /var/ipcop/red/iface | /usr/bin/tr -d '\012'`

iptables_init() {
        echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
        echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
        echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
        echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

        # Reduce DoS'ing ability by reducing timeouts
        echo   30 > /proc/sys/net/ipv4/tcp_fin_timeout
        echo    0 > /proc/sys/net/ipv4/tcp_window_scaling
        echo    0 > /proc/sys/net/ipv4/tcp_timestamps
        echo    0 > /proc/sys/net/ipv4/tcp_sack
        echo 1024 > /proc/sys/net/ipv4/tcp_max_syn_backlog

        # Flush all rules and delete all custom chains
        /sbin/iptables -F
        /sbin/iptables -t nat -F
        /sbin/iptables -X
        /sbin/iptables -t nat -X

        # Set up policies
        /sbin/iptables -P INPUT DROP
        /sbin/iptables -P FORWARD DROP
        /sbin/iptables -P OUTPUT ACCEPT

        # This chain will log, then DROPs "Xmas" and Null packets which might
        # indicate a port-scan attempt
        /sbin/iptables -N PSCAN
        /sbin/iptables -A PSCAN -p tcp  -m limit --limit 10/minute -j LOG --log-prefix "TCP Scan? "
        /sbin/iptables -A PSCAN -p udp  -m limit --limit 10/minute -j LOG --log-prefix "UDP Scan? "
        /sbin/iptables -A PSCAN -p icmp -m limit --limit 10/minute -j LOG --log-prefix "ICMP Scan? "
        /sbin/iptables -A PSCAN -f      -m limit --limit 10/minute -j LOG --log-prefix "FRAG Scan? "
        /sbin/iptables -A PSCAN -j DROP

        # Disallow packets frequently used by port-scanners, XMas and Null
        /sbin/iptables -A INPUT   -p tcp --tcp-flags ALL ALL  -j PSCAN
        /sbin/iptables -A FORWARD -p tcp --tcp-flags ALL ALL  -j PSCAN
        /sbin/iptables -A INPUT   -p tcp --tcp-flags ALL NONE -j PSCAN
        /sbin/iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j PSCAN
}

iptables_red() {
        /sbin/iptables -F RED
        /sbin/iptables -t nat -F RED

        # PPPoE / PPTP Device
        if [ "$IFACE" != "" ]; then
                # PPPoE / PPTP
                if [ "$DEVICE" != "" ]; then
                        /sbin/iptables -A RED -i $DEVICE -j ACCEPT
                fi
                if [ "$RED_TYPE" = "PPTP" -o "$RED_TYPE" = "PPPOE" ]; then
                        if [ "$RED_DEV" != "" ]; then
                                /sbin/iptables -A RED -i $RED_DEV -j ACCEPT
                        fi
                fi
        fi

        if [ "$IFACE" != "" -a -f /var/ipcop/red/active ]; then
                # DHCP
                if [ "$RED_DEV" != "" -a "$RED_TYPE" = "DHCP" ]; then
                        /sbin/iptables -A RED -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
                        /sbin/iptables -A RED -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
                fi
                if [ "$PROTOCOL" = "RFC1483" -a "$METHOD" = "DHCP" ]; then
                        /sbin/iptables -A RED -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
                        /sbin/iptables -A RED -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
                fi

                # Allow IPSec
                /sbin/iptables -A RED -p 47  -i $IFACE -j ACCEPT
                /sbin/iptables -A RED -p 50  -i $IFACE -j ACCEPT
                /sbin/iptables -A RED -p 51  -i $IFACE -j ACCEPT
                /sbin/iptables -A RED -p udp -i $IFACE --sport 500 --dport 500 -j ACCEPT

                # Outgoing masquerading
                /sbin/iptables -t nat -A RED -o $IFACE -j MASQUERADE
        fi
}

# See how we were called.
case "$1" in
start)
        iptables_init

        # Limit Packets- helps reduce dos/syn attacks
        /sbin/iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 10/sec

        # CUSTOM chains, can be used by the users themselves
        /sbin/iptables -N CUSTOMINPUT
        /sbin/iptables -A INPUT -j CUSTOMINPUT
        /sbin/iptables -N CUSTOMFORWARD
        /sbin/iptables -A FORWARD -j CUSTOMFORWARD
        /sbin/iptables -t nat -N CUSTOMPREROUTING
        /sbin/iptables -t nat -A PREROUTING -j CUSTOMPREROUTING

        # Accept everything connected
        /sbin/iptables -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
        /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

        # localhost and ethernet.
        /sbin/iptables -A INPUT   -i lo         -j ACCEPT
        /sbin/iptables -A INPUT   -p icmp       -j ACCEPT
        /sbin/iptables -A INPUT   -i $GREEN_DEV -j ACCEPT
        /sbin/iptables -A FORWARD -i $GREEN_DEV -j ACCEPT

        # accept all traffic from ipsec interfaces
        /sbin/iptables -A FORWARD -i ipsec+ -j ACCEPT

        # Port forwarding
        if [ "$ORANGE_DEV" != "" ]; then
                # This rule enables a host on ORANGE network to connect to the outside
                /sbin/iptables -A FORWARD -i $ORANGE_DEV -p tcp \
                        -o ! $GREEN_DEV -j ACCEPT
                /sbin/iptables -A FORWARD -i $ORANGE_DEV -p udp \
                        -o ! $GREEN_DEV -j ACCEPT
        fi

        # RED chain, used for the red interface
        /sbin/iptables -N RED
        /sbin/iptables -A INPUT -j RED
        /sbin/iptables -t nat -N RED
        /sbin/iptables -t nat -A POSTROUTING -j RED

        iptables_red

        # XTACCESS chain, used for external access
        /sbin/iptables -N XTACCESS
        /sbin/iptables -A INPUT -j XTACCESS

        # PORTFWACCESS chain, used for portforwarding
        /sbin/iptables -N PORTFWACCESS
        /sbin/iptables -A FORWARD -j PORTFWACCESS

        # DMZ pinhole chain. setdmzholes setuid prog adds rules here to allow
        # ORANGE to talk to GREEN.
        /sbin/iptables -N DMZHOLES
        /sbin/iptables -A FORWARD -o $GREEN_DEV -j DMZHOLES

        # Custom prerouting chains (for transparent proxy and port forwarding)
        /sbin/iptables -t nat -N SQUID
        /sbin/iptables -t nat -A PREROUTING -j SQUID
        /sbin/iptables -t nat -N PORTFW
        /sbin/iptables -t nat -A PREROUTING -j PORTFW

        # last rule in input and forward chain is for logging.
        /sbin/iptables -A INPUT   -m limit --limit 10/minute -j LOG --log-prefix "INPUT "
        /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "OUTPUT "
      ;;
stop)
        iptables_init

        # Accept everything connected
        /sbin/iptables -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT

        # localhost and ethernet.
        /sbin/iptables -A INPUT -i lo -j ACCEPT
        /sbin/iptables -A INPUT -i $GREEN_DEV -j ACCEPT

        # Chain names are case-sensitive: the built-in chain is INPUT, not input.
        if [ "$RED_DEV" != "" -a "$RED_TYPE" = "DHCP" ]; then
                /sbin/iptables -A INPUT -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
                /sbin/iptables -A INPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
        fi
        if [ "$PROTOCOL" = "RFC1483" -a "$METHOD" = "DHCP" ]; then
                /sbin/iptables -A INPUT -p tcp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
                /sbin/iptables -A INPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
        fi

        /sbin/iptables -A INPUT   -m limit --limit 10/minute -j LOG --log-prefix "INPUT "
        /sbin/iptables -A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "OUTPUT "
      ;;
reload)
        iptables_red
        ;;
restart)
        $0 stop
        $0 start
        ;;
*)
      echo "Usage: $0 {start|stop|reload|restart}"
      exit 1
        ;;
esac

exit 0
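Editor's added example, not code from SmoothWall, IPCop or the poster. The two scripts above differ in how the INPUT chain ends: SmoothWall's finishes with LOG then REJECT, while IPCop's finishes with a rate-limited LOG and falls through to the DROP policy, and IPCop also narrows what it logs with the PSCAN chain. The script below shows that quieter style applied to the SmoothWall chain names: an icmpred chain (assumed name) that keeps only the ICMP error types a router needs plus rate-limited echo-request, an INPUT tail that logs at a bounded rate and then drops, and a small log summariser that groups the resulting kernel log lines by source address so that a scan shows up as one line. IPT defaults to echo so the rule plan can be read without root; RED_IF and PING_LIMIT are assumed variables, and the log lines are constructed with RFC 5737 addresses.

```shell
#!/bin/sh
# Added example: quiet RED tail for a SmoothWall-style ruleset plus a log
# summariser. IPT defaults to "echo" (dry run); set IPT=/sbin/iptables to apply.
# RED_IF, PING_LIMIT and the chain name icmpred are assumptions of this example.
IPT="${IPT:-echo}"
RED_IF="${RED_IF:-ppp0}"
PING_LIMIT="${PING_LIMIT:-5/second}"

# ICMP policy for the RED side: keep the error types that path-MTU discovery
# and traceroute replies rely on (types 3, 11, 12), rate-limit echo-request,
# and silently drop every other ICMP type arriving from outside.
quiet_icmp() {
    $IPT -N icmpred
    $IPT -A icmpred -p icmp --icmp-type destination-unreachable -j ACCEPT
    $IPT -A icmpred -p icmp --icmp-type time-exceeded -j ACCEPT
    $IPT -A icmpred -p icmp --icmp-type parameter-problem -j ACCEPT
    $IPT -A icmpred -p icmp --icmp-type echo-request \
        -m limit --limit "$PING_LIMIT" -j ACCEPT
    $IPT -A icmpred -j DROP
    $IPT -A block -p icmp -i "$RED_IF" -j icmpred
}

# Tail of INPUT in the IPCop style: log at a bounded rate with a searchable
# prefix, then DROP, so no RST or port-unreachable is sent back to the prober.
quiet_tail() {
    $IPT -A INPUT -j block
    $IPT -A INPUT -i "$RED_IF" -m limit --limit 10/minute \
        -j LOG --log-prefix "RED drop: "
    $IPT -A INPUT -j DROP
}

# Summarise kernel log lines that carry the given --log-prefix, one line per
# source: "<hits> <SRC> distinct_ports=<n>", highest hit count first.
# Reads the log on stdin; works for IPCop's "TCP Scan? " prefix as well.
scan_summary() {
    prefix="$1"
    grep -F "$prefix" | awk '
        {
            src = ""; dpt = ""; proto = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)   src = substr($i, 5)
                if ($i ~ /^DPT=/)   dpt = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
            }
            if (src == "") next
            count[src]++
            key = proto "/" dpt
            if (!((src, key) in seen)) { seen[src, key] = 1; ports[src]++ }
        }
        END {
            for (s in count)
                printf "%d %s distinct_ports=%d\n", count[s], s, ports[s]
        }' | sort -rn
}

# Constructed sample log (RFC 5737 addresses) in the Linux LOG target format,
# so the summariser can be exercised without a real firewall.
SAMPLE_LOG='Oct 14 16:57:50 fw kernel: RED drop: IN=ppp0 OUT= SRC=198.51.100.7 DST=203.0.113.2 LEN=28 TTL=52 ID=1 PROTO=UDP SPT=40000 DPT=161 LEN=8
Oct 14 16:57:50 fw kernel: RED drop: IN=ppp0 OUT= SRC=198.51.100.7 DST=203.0.113.2 LEN=28 TTL=52 ID=2 PROTO=UDP SPT=40001 DPT=162 LEN=8
Oct 14 16:57:51 fw kernel: RED drop: IN=ppp0 OUT= SRC=198.51.100.7 DST=203.0.113.2 LEN=28 TTL=52 ID=3 PROTO=UDP SPT=40002 DPT=1434 LEN=8
Oct 14 16:57:52 fw kernel: RED drop: IN=ppp0 OUT= SRC=192.0.2.9 DST=203.0.113.2 LEN=40 TTL=48 ID=4 PROTO=TCP SPT=3456 DPT=135 WINDOW=0 RES=0x00 SYN URGP=0
Oct 14 16:57:53 fw kernel: TCP Scan? IN=ppp0 OUT= SRC=192.0.2.9 DST=203.0.113.2 LEN=40 TTL=48 ID=5 PROTO=TCP SPT=3457 DPT=22 WINDOW=0 RES=0x00 FIN PSH URG URGP=0'

# Usage: "sh quiet_red.sh plan" prints the rule plan (dry run unless IPT is
# set); "sh quiet_red.sh demo" summarises the constructed sample log.
case "${1:-}" in
    plan) quiet_icmp; quiet_tail ;;
    demo) printf '%s\n' "$SAMPLE_LOG" | scan_summary 'RED drop: ' ;;
esac
```

Running "sh quiet_red.sh demo" collapses the four "RED drop: " lines into two, with 198.51.100.7 on top at three hits across three distinct UDP ports; the same function pointed at the "TCP Scan? " prefix reads the PSCAN log from the IPCop script unchanged. The summariser only counts what the firewall logged, so the limit on the LOG rule sets the ceiling on what it can see.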
View full version: [Other][Share][Suggestion] smoothwall-2.06-voyage and IPCOP1.30, two firewall packages