
Www.LinuxCabal.com.


1

2 Un Lugar Donde Confiar Muros Contrafuegos Con Netfilter/IPTables

3 Un Lugar Donde Confiar

4 Un Lugar Donde Confiar

5 Un Lugar Donde Confiar

6 Un Lugar Donde Confiar

7 Un Lugar Donde Confiar

8 Un Lugar Donde Confiar

9 Un Lugar Donde Confiar

10 Un Lugar Donde Confiar

11 1er. Generation: ipFWadmin
Un Lugar Donde Confiar 1st Generation: ipfwadm; 2nd Generation: ipchains; 3rd Generation: Netfilter/iptables

12 Un Lugar Donde Confiar

13 ISO/OSI Model Un Lugar Donde Confiar Application Presentation Session
Transport Network Link Physical

14 Un Lugar Donde Confiar Tables filter nat raw mangle

15 Un Lugar Donde Confiar raw PREROUTING OUTPUT

16 mangle INPUT OUTPUT FORWARD PREROUTING POSTROUTING Un Lugar Donde
Confiar mangle INPUT OUTPUT FORWARD PREROUTING POSTROUTING

17 Un Lugar Donde Confiar nat PREROUTING OUTPUT POSTROUTING

18 NAT Un Lugar Donde Confiar 192.168.1.51 eth0 207.214.84.142 eth0 eth1

19 Un Lugar Donde Confiar filter INPUT OUTPUT FORWARD

20 Un Lugar Donde Confiar

21 RULES/REGLAS iptables [-t table] -N Chain
Un Lugar Donde Confiar RULES/REGLAS iptables [-t table] -N Chain iptables [-t table] -A Chain RuleSpec iptables [-t table] -F [Chain] iptables [-t table] -L [Chain] iptables [-t table] -I Chain [#] RuleSpec iptables [-t table] -D Chain # iptables [-t table] -E OldChain NewChain iptables [-t table] -P Chain Target iptables [-t table] -R Chain # RuleSpec

22 Parámetros [!] -i, --in-interface nombre
Un Lugar Donde Confiar Parámetros [!] -i, --in-interface nombre [!] -o, --out-interface nombre [!] -s, --source dirección/[máscara] [!] -d, --destination dirección/[máscara]

23 -p, --protocol tcp|udp|icmp|all
Un Lugar Donde Confiar -p, --protocol tcp|udp|icmp|all [!] --dport puerto[:puerto] [!] --sport puerto[:puerto] [!] --tcp-flags mask oblig Ops: SYN ACK FIN RST URG PSH ALL NONE [!] --syn [!] --tcp-option número

24 -m, --match Un Lugar Donde Confiar iprange [!] --src-range ip-ip
iprange [!] --dst-range ip-ip mac [!] --mac-source xx:xx:xx:xx:xx:xx multiport [!] --source-ports puerto[,puerto[,puerto:puerto...]] multiport [!] --destination-ports puerto[,puerto[,puerto:puerto...]] multiport [!] --ports puerto[,puerto[,puerto:puerto...]] owner [!] --uid-owner # [!] --gid-owner # [!] --pid-owner # conntrack --ctstate INVALID|NEW|ESTABLISHED|RELATED tcp|udp [!] --source-port puerto[:puerto] tcp|udp [!] --destination-port puerto[:puerto] tcp [!] --tcp-flags mask oblig Ops: SYN|ACK|FIN|RST|URG|PSH|ALL [!] --syn [!] --tcp-option número

25 -m, --match connlimit Un Lugar Donde Confiar :
# limit the number of parallel HTTP requests to 16 per class C sized network (24 bit netmask) iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 --connlimit-mask 24 -j REJECT

26 -j Targets ACCEPT QUEUE User Defined DROP RETURN Chain
Un Lugar Donde Confiar -j Targets ACCEPT QUEUE User Defined DROP RETURN Chain REJECT --reject-with type LOG --log-prefix --log-level BALANCE --to-destination ipaddr-ipaddr MASQUERADE SNAT DNAT REDIRECT --to-ports puerto[-puerto]

27 Vamos crear un muro contrafuego
Un Lugar Donde Confiar Vamos a crear un muro contrafuego Verifica que tiene FORWARD_IPV4=yes en su /etc/sysconfig/network o net.ipv4.ip_forward = 1 en su /etc/sysctl.conf service iptables start iptables-save

28 Un Lugar Donde Confiar Muro de Fuego eth0 LAN Inalámbrica Hub/Switch
Router/ADSLMódem Muro de Fuego eth0 LAN Inalámbrica Hub/Switch eth2 LAN

29 iptables -t raw -P PREROUTING ACCEPT
Un Lugar Donde Confiar iptables -t raw -P PREROUTING ACCEPT iptables -t mangle -P OUTPUT ACCEPT iptables -t nat -P OUTPUT ACCEPT iptables -t filter -P INPUT ACCEPT

30 iptables-save Un Lugar Donde Confiar
# Generated by iptables-save v1.4.0 on Mon Sep 8 16:45: *filter :INPUT ACCEPT [29:2054] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [17:2426] COMMIT # Completed on Mon Sep 8 16:45: *nat :PREROUTING ACCEPT [1:42] :POSTROUTING ACCEPT [1:132] :OUTPUT ACCEPT [1:132] *mangle :PREROUTING ACCEPT [37:2508] :INPUT ACCEPT [37:2508] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [24:3320] :POSTROUTING ACCEPT [24:3320] COMMIT # Completed on Mon Sep 8 16:45: # Generated by iptables-save v1.4.0 on Mon Sep 8 16:45: *raw :PREROUTING ACCEPT [39:2612] :OUTPUT ACCEPT [26:3600]

31 iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Un Lugar Donde Confiar iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE o iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source

32 iptables-save Un Lugar Donde Confiar
# Generated by iptables-save v1.4.0 on Mon Sep 8 16:57: *nat :PREROUTING ACCEPT [1:42] :POSTROUTING ACCEPT [12:968] :OUTPUT ACCEPT [12:968] -A POSTROUTING -o eth0 -j SNAT --to-source COMMIT # Completed on Mon Sep 8 16:57:

33 Un Lugar Donde Confiar iptables -t filter -N block iptables -A block -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT iptables -A block -i eth1 -m conntrack --ctstate NEW -j ACCEPT iptables -A block -j LOG --log-prefix "IPTables:block " --log-level 6 iptables -A block -j DROP

34 iptables-save Un Lugar Donde Confiar
# Generated by iptables-save v1.4.0 on Mon Sep 8 17:09: *filter :INPUT ACCEPT [768:36126] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [746:61346] :block - [0:0] -A block -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A block -i eth1 -m conntrack --ctstate NEW -j ACCEPT -A block -j LOG --log-prefix "IPTables:block " --log-level 6 -A block -j DROP COMMIT # Completed on Mon Sep 8 17:09:

35 iptables -A FORWARD -j block
Un Lugar Donde Confiar iptables -A FORWARD -j block

36 iptables-save Un Lugar Donde Confiar
# Generated by iptables-save v1.4.0 on Mon Sep 8 19:35: *filter :INPUT ACCEPT [3060:148984] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [2997:236170] :block - [0:0] -A FORWARD -j block -A block -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A block -i eth1 -m conntrack --ctstate NEW -j ACCEPT -A block -j LOG --log-prefix "IPTables:block " --log-level 6 -A block -j DROP COMMIT # Completed on Mon Sep 8 19:35:

37 Un Lugar Donde Confiar iptables -A INPUT ! -i eth2 -p tcp --dport 22 -j ACCEPT iptables -A INPUT ! -i eth2 -p tcp --dport 25 -j ACCEPT iptables -A INPUT ! -i eth2 -p tcp --dport 53 -j ACCEPT iptables -A INPUT ! -i eth2 -p udp --dport 53 -j ACCEPT iptables -A INPUT ! -i eth2 -p tcp --dport 80 -j ACCEPT iptables -A INPUT ! -i eth2 -p tcp --dport 443 -j ACCEPT iptables -A INPUT ! -i eth2 -p tcp --dport 993 -j ACCEPT iptables -A INPUT ! -i eth2 -p tcp --dport 995 -j ACCEPT iptables -A INPUT -i lo -j ACCEPT iptables -A INPUT -j block

38 iptables-save Un Lugar Donde Confiar *filter
:INPUT ACCEPT [3097:151128] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [3187:276550] :block - [0:0] -A INPUT -i eth2 -p tcp -m tcp --dport 22 -j ACCEPT -A INPUT -i eth2 -p tcp -m tcp --dport 25 -j ACCEPT -A INPUT -i eth2 -p tcp -m tcp --dport 53 -j ACCEPT -A INPUT -i eth2 -p udp -m udp --dport 53 -j ACCEPT -A INPUT -i eth2 -p udp -m udp --dport 80 -j ACCEPT -A INPUT -i eth2 -p tcp -m tcp --dport 443 -j ACCEPT -A INPUT -i eth2 -p tcp -m tcp --dport 993 -j ACCEPT -A INPUT -i eth2 -p udp -m udp --dport 995 -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -j block -A FORWARD -j block -A block -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A block -i eth1 -m conntrack --ctstate NEW -j ACCEPT -A block -j LOG --log-prefix "IPTables:block " --log-level 6 -A block -j DROP COMMIT

39 Un Lugar Donde Confiar iptables -t raw -A PREROUTING -d /32 -j LOG --log-prefix "IPTables:raw:De0BCast: " --log-level 6 iptables -t raw -A PREROUTING -d /32 -j DROP iptables -t raw -A PREROUTING -d /32 -j LOG --log-prefix "IPTables:raw:De0Net: " --log-level 6 iptables -t raw -A PREROUTING -d /32 -j DROP iptables -t raw -A PREROUTING -d /32 -j LOG --log-prefix "IPTables:raw:De1BCast: " --log-level 6 iptables -t raw -A PREROUTING -d /32 -j DROP iptables -t raw -A PREROUTING -d /32 -j LOG --log-prefix "IPTables:raw:De1Net: " --log-level 6 iptables -t raw -A PREROUTING -d /32 -j DROP iptables -t raw -A PREROUTING -d /32 -j LOG --log-prefix "IPTables:raw:De2BCast: " --log-level 6 iptables -t raw -A PREROUTING -d /32 -j DROP iptables -t raw -A PREROUTING -d /32 -j LOG --log-prefix "IPTables:raw:De2Net: " --log-level 6 iptables -t raw -A PREROUTING -d /32 -j DROP iptables -t raw -A PREROUTING -d /32 -j LOG --log-prefix "IPTables:raw:DGNet: " --log-level 6 iptables -t raw -A PREROUTING -d /32 -j DROP iptables -t raw -A PREROUTING -d /32 -j LOG --log-prefix "IPTables:raw:DGBCast: " --log-level 6 iptables -t raw -A PREROUTING -d /32 -j DROP

40 Un Lugar Donde Confiar iptables -t raw -A PREROUTING -s /32 -j LOG --log-prefix "IPTables:raw:Se0BCast: " --log-level 6 iptables -t raw -A PREROUTING -s /32 -j DROP iptables -t raw -A PREROUTING -s /32 -j LOG --log-prefix "IPTables:raw:Se0Net: " --log-level 6 iptables -t raw -A PREROUTING -s /32 -j DROP iptables -t raw -A PREROUTING -s /32 -j LOG --log-prefix "IPTables:raw:Se1BCast: " --log-level 6 iptables -t raw -A PREROUTING -s /32 -j DROP iptables -t raw -A PREROUTING -s /32 -j LOG --log-prefix "IPTables:raw:Se1Net: " --log-level 6 iptables -t raw -A PREROUTING -s /32 -j DROP iptables -t raw -A PREROUTING -s /32 -j LOG --log-prefix "IPTables:raw:Se2BCast: " --log-level 6 iptables -t raw -A PREROUTING -s /32 -j DROP iptables -t raw -A PREROUTING -s /32 -j LOG --log-prefix "IPTables:raw:Se2Net: " --log-level 6 iptables -t raw -A PREROUTING -s /32 -j DROP

41 Un Lugar Donde Confiar iptables -t raw -A PREROUTING -m iprange --src-range j LOG --log-prefix "IPTables:raw:S10: " --log-level 6 iptables -t raw -A PREROUTING -m iprange --src-range j DROP iptables -t raw -A PREROUTING -m iprange --src-range j LOG --log-prefix "IPTables:raw:S10: " --log-level 6 iptables -t raw -A PREROUTING -m iprange --src-range j DROP iptables -t raw -A PREROUTING -m iprange --src-range j LOG --log-prefix "IPTables:raw:S192: " --log-level 6 iptables -t raw -A PREROUTING -m iprange --src-range j DROP iptables -t raw -A PREROUTING -m iprange --src-range j LOG --log-prefix "IPTables:raw:S192: " --log-level 6 iptables -t raw -A PREROUTING -m iprange --src-range j DROP iptables -t raw -A PREROUTING -m iprange --src-range j LOG --log-prefix "IPTables:raw:S192: " --log-level 6 iptables -t raw -A PREROUTING -m iprange --src-range j DROP iptables -t raw -A PREROUTING -s /32 -j LOG --log-prefix "IPTables:raw:SGNet: " --log-level 6 iptables -t raw -A PREROUTING -s /32 -j DROP iptables -t raw -A PREROUTING -s /32 -j LOG --log-prefix "IPTables:raw:SGBCast: " --log-level 6 iptables -t raw -A PREROUTING -s /32 -j DROP # microsoft-ds netbios-ns iptables -t raw -A PREROUTING -p udp -m multiport --dports 135,445 -j LOG --log-prefix "IPTables:raw:ms-ds: " --log-level 6 iptables -t raw -A PREROUTING -p udp -m multiport --dports 135,445 -j DROP iptables -t raw -A PREROUTING -p udp -m udp --dport 137:139 -j LOG --log-prefix "IPTables:raw:ms-ds: " --log-level 6 iptables -t raw -A PREROUTING -p udp -m udp --dport 137:139 -j DROP iptables -t raw -A PREROUTING -p udp -m udp --sport dport 1024: j LOG --log-prefix "IPTables:raw:ms-ds: " --log-level 6 iptables -t raw -A PREROUTING -p udp -m udp --sport dport 1024: j DROP iptables -t raw -A PREROUTING -p udp -m multiport --dports 135,139,445 -j LOG --log-prefix "IPTables:raw:ms-ds: " --log-level 6 iptables -t raw -A PREROUTING -p tcp -m multiport --dports 135,139,445 -j DROP

42 Un Lugar Donde Confiar # messenger "multicast" broadcast address for UPnP devices iptables -t raw -A PREROUTING -p udp -m udp --dport j LOG --log-prefix "IPTables:raw:UPnP: " --log-level 6 iptables -t raw -A PREROUTING -p udp -m udp --dport j DROP # UPnP Device Host service iptables -t raw -A PREROUTING -p udp -m udp --dport j LOG --log-prefix "IPTables:raw:UPnP: " --log-level 6 iptables -t raw -A PREROUTING -p tcp -m tcp --dport j DROP iptables -t raw -A PREROUTING -m pkttype --pkt-type broadcast -j LOG --log-prefix "IPTables:raw:GBCast: " --log-level 6 iptables -t raw -A PREROUTING -m pkttype --pkt-type broadcast -j DROP iptables -t raw -A PREROUTING -m pkttype --pkt-type multicast -j LOG --log-prefix "IPTables:raw:GMCast: " --log-level 6 iptables -t raw -A PREROUTING -m pkttype --pkt-type multicast -j DROP iptables -t raw -A PREROUTING -s / j LOG --log-prefix "IPTables:raw:SMCast: " --log-level 6 iptables -t raw -A PREROUTING -s / j DROP

43 SysV/POSIX iptables-save > /etc/sysconfig/iptables
Un Lugar Donde Confiar SysV/POSIX iptables-save > /etc/sysconfig/iptables chkconfig iptables on service iptables stop service iptables start service iptables restart service iptables reload service iptables status service iptables check

44 Un Lugar Donde Confiar ¿Preguntas?

45 Un Lugar Donde Confiar ¡JUGAMOS!

