FIREWALL NOTLARI ---------------- - aptitude install shorewall -> shorewall-shell -> shorewall-common -> iptables -> iproute - /etc/shorewall/shorewall.conf IP_FORWARDING=Yes ADD_SNAT_ALIASES=Yes - /etc/shorewall/interfaces net eth0 detect tcpflags,blacklist,routefilter,dhcp,nosmurfs loc eth1 detect tcpflags,blacklist,routefilter,dhcp -> tcpflags uygunsuz flag'e sahip TCP paketleri yok edilir -> blacklist blacklist dosyasından yasaklı adresler kontrol edilir -> routefilter spoofing'i engellemek için çekirdekte route filtresini, bu arayüz için açar -> dhcp bu arayüz için IP, DHCP sunucudan alınıyorsa... -> nosmurfs broadcast kaynaklı gözüken paketleri yok eder -> logmartians mümkün olmayan kaynak adresli paketlerin log'unu tutar -> norfc1918 kaynak adresi, RFC1918'de kayıtlı olan paketleri kabul etmez - /etc/shorewall/masq eth0 eth1 - /etc/shorewall/zones fw firewall net ipv4 loc ipv4 - /etc/shorewall/policy $FW loc REJECT $FW net REJECT $FW all REJECT loc $FW REJECT loc net REJECT loc all REJECT net $FW REJECT net loc REJECT net all REJECT all all REJECT - /etc/shorewall/rules # --------------------------------------------------------------------- # firewall -> local SSH/ACCEPT fw loc ACCEPT fw loc icmp # --------------------------------------------------------------------- # firewall -> internet DNS/ACCEPT fw net HTTP/ACCEPT fw net HTTPS/ACCEPT fw net NTP/ACCEPT fw net SMTP/ACCEPT fw net SMTPS/ACCEPT fw net SSH/ACCEPT fw net ACCEPT fw net tcp 587 ACCEPT fw net icmp # --------------------------------------------------------------------- # local -> firewall Ping/ACCEPT loc fw - - 3/sec:10 DNS/ACCEPT loc fw SSH/ACCEPT loc fw HTTP/ACCEPT loc fw ACCEPT loc fw tcp priv_ssh # --------------------------------------------------------------------- # proxy sunucuya yonlendirme... # dansguardian icin 8080. port'a, squid icin 3128. port'a yonlendirilecek REDIRECT loc 8080 tcp 80 - !10.0.0.1 #REDIRECT loc 3128 tcp 80 - !10.0.0.1 # --------------------------------------------------------------------- # local -> internet Ping/ACCEPT loc net CVS/ACCEPT loc net DNS/ACCEPT loc net FTP/ACCEPT loc net HTTP/ACCEPT loc net #HTTPS/ACCEPT loc net HTTPS/ACCEPT loc net:131.175.88.86 # rtai.org HTTPS/ACCEPT loc net:78.40.121.81 # gna.org HTTPS/ACCEPT loc net:74.125.0.0/16 # google / gmail HTTPS/ACCEPT loc net:72.14.192.0/18 # google / gmail HTTPS/ACCEPT loc net:209.85.128.0/17 # google / gmail HTTPS/ACCEPT loc net:64.4.0.0/18 # microsoft / msn HTTPS/ACCEPT loc net:65.52.0.0/14 # microsoft / msn HTTPS/ACCEPT loc net:207.46.0.0/16 # microsoft / msn HTTPS/ACCEPT loc net:213.199.160.0-213.199.191.255 # microsoft / msn HTTPS/ACCEPT loc net:69.147.64.0-69.147.127.255 # yahoo HTTPS/ACCEPT loc net:92.122.176.0-92.122.183.255 # akamai HTTPS/ACCEPT loc net:69.63.176.0/20 # facebook HTTPS/ACCEPT loc net:63.245.208.0/20 # mozilla HTTPS/ACCEPT loc net:194.29.208.0-194.29.215.255 # garanti HTTPS/ACCEPT loc net:217.68.208.0/20 # garanti HTTPS/ACCEPT loc net:193.254.228.0-193.254.229.255 # yapikredi HTTPS/ACCEPT loc net:212.252.202.0/24 # bankasya HTTPS/ACCEPT loc net:213.161.144.64-213.161.144.127 # isbank HTTPS/ACCEPT loc net:91.208.199.0/24 # kuveytturk HTTPS/ACCEPT loc net:195.142.246.0-195.142.247.255 # vakifbank HTTPS/ACCEPT loc net:77.72.184.0/24 # turkiye finans HTTPS/ACCEPT loc net:193.108.213.0/24 # halkbank HTTPS/ACCEPT loc net:217.169.192.0-217.169.199.255 # akbank HTTPS/ACCEPT loc net:213.148.64.0-213.148.71.255 # TEB / ADSL fatura HTTPS/ACCEPT loc net:88.255.51.144-88.255.51.159 # turktelekom JabberPlain/ACCEPT loc net JabberSecure/ACCEPT loc net NTP/ACCEPT loc net POP3/ACCEPT loc net POP3S/ACCEPT loc net RDP/ACCEPT loc net Rsync/ACCEPT loc net SMTP/ACCEPT loc net SMTPS/ACCEPT loc net SSH/ACCEPT loc net VNC/ACCEPT loc net Whois/ACCEPT loc net ACCEPT loc net tcp 587 ACCEPT loc net tcp 1863 ACCEPT loc net tcp 6667 ACCEPT loc net tcp priv_rdesktop ACCEPT loc net tcp priv_ssh ACCEPT loc net tcp priv_vnc # --------------------------------------------------------------------- # internete -> fw Ping/ACCEPT net fw - - 3/sec:10 SSH/ACCEPT net fw ACCEPT net fw tcp priv_ssh ACCEPT net fw tcp priv_sarg # --------------------------------------------------------------------- # internet -> local servers FTP/ACCEPT net loc:10.0.0.xxx FTP/DNAT net loc:10.0.0.xxx - /etc/default/shorewall startup=1 - /etc/sysctl.conf (konsolda cikti istenmiyorsa) kernel.printk = 4 4 1 7 - Kullanıcı tanımlı aksiyon . /etc/shorewall/actions WORD_FILTER . /etc/shorewall/action.WORD_FILTER # dosya bos olacak . /etc/shorewall/WORD_FILTER run_iptables -t filter -I INPUT 1 -p tcp -m string --string FiltrelenecekKelime001 --algo kmp -j REJECT run_iptables -t filter -I INPUT 1 -p tcp -m string --string FiltrelenecekKelime002 --algo kmp -j REJECT run_iptables -t filter -I INPUT 1 -p tcp -m string --string FiltrelenecekKelime003 --algo kmp -j REJECT . /etc/shorewall/rules WORD_FILTER all all . /etc/init.d/shorewall restart