Freesco, NND, CDN, EOS

  1    <1 ms    <1 ms    <1 ms  ziomal.magiclan.one.pl [10.1.1.1]

  3   912 ms  1012 ms  1144 ms  ols-ru1.idsl.tpnet.pl [213.25.2.152]

#!/bin/sh
# firewall 0.1-2004.12.27 Zciech (poprawka w lini 113 i 49 - macieks)
#
# W podstawowej wersji caly ruch z inerfejsow wewnetrznych jest dopuszczony i maskowany
# ruch z internetu zabroniony poza pakietami "powracajacymi" juz nawiazanych polaczen
# i polaczen na strone www (port 80 tcp) oraz pingi 1/s

. /etc/rc.conf
. /etc/rc.d/functions

i=`which iptables`

# Zmienne pobierane z rc.conf
# EXTIF="ppp0" # Interfejs do inetu
# CONNECTION="neorj" # Rodzaj polaczenia
# NETWORK=1 # Wlaczenie maskarady
 
case $1 in

start)
      
    if [ -e /proc/sys/net/ipv4/tcp_ecn ];then
   echo 0 > /proc/sys/net/ipv4/tcp_ecn
    fi

    echo 1 > /proc/sys/net/ipv4/ip_forward

    if [ -e /proc/sys/net/ipv4/tcp_syncookies ] ; then
   echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    fi

    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
   echo  1 > $f
    done
      
    $i -F
    $i -F -t nat
                 
    $i -P INPUT DROP
    $i -P FORWARD DROP
    $i -P OUTPUT ACCEPT
           
    # interfejs lo
    $i -A INPUT -i lo -j ACCEPT
    $i -A FORWARD -o lo -j ACCEPT
           
    # Neostrada zmiana MTU
#    if [ $CONNECTION = "neorj" -o $CONNECTION = "neosagem" -o $CONNECTION = "neothomson" ];then
    if [ $CONNECTION = "neorj" ];then
   $i -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    fi
               
    # Blaster i Saser
    $i -A INPUT -p tcp --dst 0/0 -m multiport --dport 135,445 -j DROP
    $i -A FORWARD -p tcp --dst 0/0 -m multiport --dport 135,445 -j DROP
            
    # Odrzucamy z komunikatem ICMP Port Unreachable polaczenia
    # na IDENT oraz SOCKS (czesto sprawdzane przez serwery IRC)
    # Jesli udostepniasz te uslugi zaplotkuj (#) odpowiedne linie
    $i -A INPUT -p tcp --dst 0/0 --dport 113  -j REJECT --reject-with icmp-port-unreachable
    $i -A INPUT -p tcp --dst 0/0 --dport 1080 -j REJECT --reject-with icmp-port-unreachable
               
    # zaplotkuj jesli nie chcesz udostepniac serwisu  http do inetu
    if [ $WWW = 1 ]; then
   $i -A INPUT -p tcp -i $EXTIF --dport 80 -j ACCEPT
    fi

    # zaplotkuj jesli nie chcesz udostepniac serwisu  https do inetu
    if [ $HTTPS = 1 ]; then
   $i -A INPUT -p tcp -i $EXTIF --dport 443 -j ACCEPT
    fi
   
    # dns
    #if [ $DNS = 1 ]; then
       $i -A INPUT -p udp -i $EXTIF sport 53 --dst $EXTIP --dport 53 -j ACCEPT
       $i -A INPUT -p udp -i $EXTIF sport 137 --dst $EXTIP --dport 53 -j ACCEPT
       $i -A INPUT -p udp -i $EXTIF sport 1024:65535 --dst $EXTIP --dport 53 -j ACCEPT
       $i -A OUTPUT -p tcp --sport 53 -j ACCEPT
       $i -A OUTPUT -p tcp --sport 53 -j ACCEPT
   $i -A INPUT -p tcp -i $EXTIF --dport 53 -j ACCEPT
        $i -A INPUT -p udp -i $EXTIF --dport 53 -j ACCEPT
    #fi
         
   
    # zaplotkuj jesli nie chcesz udostepniac serwisu  ftp do inetu
    if [ $FTP = 1 ]; then
   $i -A INPUT -p tcp -i $EXTIF --dport 20 -j ACCEPT
   $i -A INPUT -p tcp -i $EXTIF --dport 21 -j ACCEPT
    fi
   
    # zaplotkuj jesli nie chcesz udostepniac poczty do inetu
    if [ $MAIL = 1 ]; then
   $i -A INPUT -p tcp -i $EXTIF --dport 110 -j ACCEPT
   $i -A INPUT -p tcp -i $EXTIF --dport 25 -j ACCEPT
    fi
   
        # zaplotkuj jesli nie chcesz udostepniac SSH do inetu
    if [ $SSH = 1 ]; then
   $i -A INPUT -p tcp -i $EXTIF --dport 22 -j ACCEPT
    fi

    # zaplotkuj jesli nie chcesz udostepniac serwera IMAP do inetu
    if [ $IMAP = 1 ]; then
   $i -A INPUT -p tcp -i $EXTIF --dport 143 -j ACCEPT
   $i -A INPUT -p udp -i $EXTIF --dport 143 -j ACCEPT
    fi
   
        # zaplotkuj jesli nie chcesz udostepniac serwera IMAPS do inetu
    if [ $IMAPS = 1 ]; then
   $i -A INPUT -p tcp -i $EXTIF --dport 993 -j ACCEPT
   $i -A INPUT -p udp -i $EXTIF --dport 993 -j ACCEPT
    fi
   
    # pingi pozwalamy
    $i -A INPUT -p icmp --icmp-type echo-request -j ACCEPT -m limit --limit 1/sec
         
    # Wszystkie polaczenia z innych interfejsow niz interfejs do internetu pozwalamy
    $i -A INPUT -i ! $EXTIF  -j ACCEPT
    $i -A FORWARD -i ! $EXTIF -j ACCEPT
    # i maskujemy
    if [ $NETWORK = 1 ]; then
   $i -t nat -A POSTROUTING  -o $EXTIF -j MASQUERADE
    fi
                    
    # Zezwalamy na wszystko co odbywa sie w ramach juz dozwolonych polaczen
    $i -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
    $i -A FORWARD -j ACCEPT -m state --state ESTABLISHED,RELATED
    wynik
    ;;
stop)
    $i -F INPUT
    $i -F FORWARD
    $i -F OUTPUT
   
    $i -P INPUT DROP
    $i -P FORWARD DROP
    $i -P OUTPUT DROP
    echo 0 > /proc/sys/net/ipv4/ip_forward
    wynik
    ;;
esac

# Generated by iptables-save v1.2.11 on Wed Jun  1 03:09:11 2005
*filter
:INPUT DROP [78:3715]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [493:102907]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m multiport --dports 135,445 -j DROP
-A INPUT -i eth0 -p tcp -m multiport --dports 80,22,53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 1080 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A INPUT -s 10.1.1.2 -i ! eth0 -j ACCEPT
-A INPUT -s 10.1.1.3 -i ! eth0 -j ACCEPT
-A INPUT -s 10.1.1.4 -i ! eth0 -j ACCEPT
-A INPUT -s 10.1.1.5 -i ! eth0 -j ACCEPT
-A INPUT -s 10.1.1.6 -i ! eth0 -j ACCEPT
-A INPUT -s 10.1.1.7 -i ! eth0 -j ACCEPT
-A INPUT -s 10.1.1.8 -i ! eth0 -j ACCEPT
-A INPUT -s 10.1.1.9 -i ! eth0 -j ACCEPT
-A INPUT -s 10.1.1.10 -i ! eth0 -j ACCEPT
-A INPUT -s 10.1.1.11 -i ! eth0 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.1.1.2 -p udp -m udp --dport 4672 -j ACCEPT
-A FORWARD -d 10.1.1.2 -p tcp -m tcp --dport 4662 -j ACCEPT
-A FORWARD -s 5.5.5.5 -p tcp -m time --timestart 08:00 --timestop 20:00 -m tcp --dport 8074 -j DROP
-A FORWARD -s 5.5.5.5 -p tcp -m time --timestart 08:00 --timestop 20:00 -m tcp --dport 443 -j DROP
-A FORWARD -s 192.168.0.1 -p tcp -m tcp --dport 8074 -j DROP
-A FORWARD -s 192.168.0.1 -p tcp -m tcp --dport 443 -j DROP
-A FORWARD -s 10.10.10.1 -p tcp -m time --timestart 10:00 --timestop 15:00 -m tcp --dport 8074 -j DROP
-A FORWARD -s 10.10.10.1 -p tcp -m time --timestart 10:00 --timestop 15:00 -m tcp --dport 443 -j DROP
-A FORWARD -o lo -j ACCEPT
-A FORWARD -p tcp -m multiport --dports 135,445 -j DROP
-A FORWARD -s 10.10.10.1 -p tcp -m time --timestart 10:00 --timestop 15:00 -m ipp2p --ipp2p -j DROP
-A FORWARD -s 10.10.10.1 -p tcp -m time --timestart 10:00 --timestop 15:00 -m ipp2p --ipp2p-data -j DROP
-A FORWARD -s 10.10.10.1 -p tcp -m time --timestart 10:00 --timestop 15:00 -m ipp2p --bit --apple --soul -j DROP
-A FORWARD -d 10.10.10.1 -p tcp -m time --timestart 10:00 --timestop 15:00 -m ipp2p --ipp2p -j DROP
-A FORWARD -d 10.10.10.1 -p tcp -m time --timestart 10:00 --timestop 15:00 -m ipp2p --ipp2p-data -j DROP
-A FORWARD -d 10.10.10.1 -p tcp -m time --timestart 10:00 --timestop 15:00 -m ipp2p --bit --apple --soul -j DROP
-A FORWARD -s 192.168.0.1 -p tcp -m ipp2p --ipp2p -j DROP
-A FORWARD -d 192.168.0.1 -p tcp -m ipp2p --ipp2p -j DROP
-A FORWARD -s 192.168.0.1 -p tcp -m ipp2p --ipp2p-data -j DROP
-A FORWARD -d 192.168.0.1 -p tcp -m ipp2p --ipp2p-data -j DROP
-A FORWARD -s 192.168.0.1 -p tcp -m ipp2p --ipp2p --bit --apple --soul -j DROP
-A FORWARD -d 192.168.0.1 -p tcp -m ipp2p --ipp2p --bit --apple --soul -j DROP
-A FORWARD -s 10.1.1.2 -i ! eth0 -j ACCEPT
-A FORWARD -s 10.1.1.3 -i ! eth0 -j ACCEPT
-A FORWARD -s 10.1.1.4 -i ! eth0 -j ACCEPT
-A FORWARD -s 10.1.1.5 -i ! eth0 -j ACCEPT
-A FORWARD -s 10.1.1.6 -i ! eth0 -j ACCEPT
-A FORWARD -s 10.1.1.7 -i ! eth0 -j ACCEPT
-A FORWARD -s 10.1.1.8 -i ! eth0 -j ACCEPT
-A FORWARD -s 10.1.1.9 -i ! eth0 -j ACCEPT
-A FORWARD -s 10.1.1.10 -i ! eth0 -j ACCEPT
-A FORWARD -s 10.1.1.11 -i ! eth0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Wed Jun  1 03:09:11 2005
# Generated by iptables-save v1.2.11 on Wed Jun  1 03:09:11 2005
*mangle
:PREROUTING ACCEPT [17302:5311060]
:INPUT ACCEPT [737:51310]
:FORWARD ACCEPT [16565:5259750]
:OUTPUT ACCEPT [494:103063]
:POSTROUTING ACCEPT [17059:5362813]
COMMIT
# Completed on Wed Jun  1 03:09:11 2005
# Generated by iptables-save v1.2.11 on Wed Jun  1 03:09:11 2005
*nat
:PREROUTING ACCEPT [825:45576]
:POSTROUTING ACCEPT [4:310]
:OUTPUT ACCEPT [4:310]
-A PREROUTING -s 5.5.5.5 -d 217.17.46.250 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.1.1.1:80
-A PREROUTING -s 10.10.10.3 -d ! 10.1.1.1 -p tcp -m time --timestart 10:00 --timestop 15:00 -j REDIRECT --to-ports 98
-A PREROUTING -s 192.168.0.1 -d ! 10.1.1.1 -p tcp -j REDIRECT --to-ports 56
-A PREROUTING -i eth0 -p tcp -m tcp --dport 4662 -j DNAT --to-destination 10.1.1.2
-A PREROUTING -i eth0 -p udp -m udp --dport 4672 -j DNAT --to-destination 10.1.1.2
-A POSTROUTING -s 10.1.1.2 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.1.1.3 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.1.1.4 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.1.1.5 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.1.1.6 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.1.1.7 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.1.1.8 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.1.1.9 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.1.1.10 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.1.1.11 -o eth0 -j MASQUERADE
COMMIT
# Completed on Wed Jun  1 03:09:11 2005

[root@ziomal root]# nmap -sU 10.1.1.1

Starting nmap 3.75 ( http://www.insecure.org/nmap/ ) at 2005-06-02 20:57 CEST
Interesting ports on ziomal (10.1.1.1):
(The 1474 ports scanned but not shown below are in state: closed)
PORT    STATE         SERVICE
53/udp  open|filtered domain
67/udp  open|filtered dhcpserver
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm

Nmap run completed -- 1 IP address (1 host up) scanned in 5.015 seconds
[root@ziomal root]# nmap -sT 10.1.1.1

Starting nmap 3.75 ( http://www.insecure.org/nmap/ ) at 2005-06-02 20:57 CEST
Interesting ports on ziomal (10.1.1.1):
(The 1656 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
53/tcp   open  domain
80/tcp   open  http
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3306/tcp open  mysql

root@serwer:/etc/rc.d$resolveip magiclan.one.pl
resolveip: Unable to find hostid for 'magiclan.one.pl': no_data

root@serwer:/etc/rc.d$ping magiclan.one.pl
ping: unknown host magiclan.one.pl

root@serwer:/etc/rc.d$nmap x.x.x.x -p 53 -sU

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on x.internetdsl.tpnet.pl (x.x.x.x):
Port       State       Service
53/udp     open        domain

Nmap run completed -- 1 IP address (1 host up) scanned in 1 second
Press any key to continue...
root@serwer:/etc/rc.d$nmap x.x.x.x -p 53

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on x.internetdsl.tpnet.pl (x.x.x.x):
Port       State       Service
53/tcp     open        domain

# zaplotkuj jesli nie chcesz udostepniac serwera DNS do inetu
    if [ $DNS = 1 ]; then
        # dla zapytan do serwera DNS
        $i -A INPUT -p udp -i $EXTIF --sport 53 --dst $EXTIP --dport 53 -j ACCEPT
        $i -A INPUT -p udp -i $EXTIF --sport 137 --dst $EXTIP --dport 53 -j ACCEPT
        $i -A INPUT -p udp -i $EXTIF --sport 1024:65535 --dst $EXTIP --dport 53-j ACCEPT
        $i -A OUTPUT -p tcp --sport 53 -j ACCEPT
        $i -A OUTPUT -p udp --sport 53 -j ACCEPT
        # dla transferu stref
        $i -A INPUT -p tcp -i $EXTIF --src $SECDNSIP1 --sport 53 --dst $EXTIP --dport 53 -j ACCEPT
        $i -A INPUT -p tcp -i $EXTIF --src $SECDNSIP1 --sport 1024:65535 --dst $EXTIP --dport 53 -j ACCEPT
        $i -A INPUT -p tcp -i $EXTIF --src $SECDNSIP2 --sport 53 --dst $EXTIP --dport 53 -j ACCEPT
        $i -A INPUT -p tcp -i $EXTIF --src $SECDNSIP2 --sport 1024:65535 --dst $EXTIP --dport 53 -j ACCEPT
    fi

-A INPUT -d x.x.x.x -i eth0 -p udp -m udp --sport 53 --dport 53 -j ACCEPT
-A INPUT -d x.x.x.x -i eth0 -p udp -m udp --sport 137 --dport 53 -j ACCEPT
-A INPUT -d x.x.x.x -i eth0 -p udp -m udp --sport 1024:65535 --dport 53 -jACCEPT
...
-A OUTPUT -p tcp -m tcp --sport 53 -j ACCEPT
-A OUTPUT -p udp -m udp --sport 53 -j ACCEPT

root@elohi:~# ping magiclan.one.pl
ping: unknown host magiclan.one.pl
root@elohi:~# resolveip magiclan.one.pl
resolveip: Unable to find hostid for 'magiclan.one.pl': try again