Бруй В.В., Карлов С.В. - Linux-сервер - пошаговые инструкции - инсталляции и настройки (1077321), страница 43
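# It is very important not to filter packets that arrive from the local
# network on the internal network interface. The anti-spoofing entries are
# applied per side (INTERFACE0 = external, INTERFACE1 = internal,
# NETWORK1 = the LAN forwarded through INTERFACE1), so the private range the
# LAN actually uses must stay "no" on INTERFACE1 and NETWORK1.

# Refuse incoming packets claiming to be from the class A private network.
# If your local network uses a class A (10/8) range, change the values to:
#INTERFACE0_IN_REFUSE_SPOOFING[4]="yes"
#INTERFACE1_IN_REFUSE_SPOOFING[4]="no"
#NETWORK1_IN_REFUSE_SPOOFING[4]="no"
REFUSE_SPOOFING_IPADDR[4]="10.0.0.0/8"
INTERFACE0_IN_REFUSE_SPOOFING[4]="yes"
INTERFACE1_IN_REFUSE_SPOOFING[4]="yes"
NETWORK1_IN_REFUSE_SPOOFING[4]="yes"

# Refuse incoming packets claiming to be from the class B private network.
# If your local network uses a class B (172.16/12) range, change the values to:
#INTERFACE0_IN_REFUSE_SPOOFING[5]="yes"
#INTERFACE1_IN_REFUSE_SPOOFING[5]="no"
#NETWORK1_IN_REFUSE_SPOOFING[5]="no"
REFUSE_SPOOFING_IPADDR[5]="172.16.0.0/12"
INTERFACE0_IN_REFUSE_SPOOFING[5]="yes"
INTERFACE1_IN_REFUSE_SPOOFING[5]="yes"
NETWORK1_IN_REFUSE_SPOOFING[5]="yes"

# Refuse incoming packets claiming to be from the class C private network.
# This example assumes the LAN lives in 192.168/16, so the internal side is
# left open. If you do NOT use a class C range locally, change the values of
# entry [6] to:
#INTERFACE0_IN_REFUSE_SPOOFING[6]="yes"
#INTERFACE1_IN_REFUSE_SPOOFING[6]="yes"
#NETWORK1_IN_REFUSE_SPOOFING[6]="yes"
REFUSE_SPOOFING_IPADDR[6]="192.168.0.0/16"
INTERFACE0_IN_REFUSE_SPOOFING[6]="yes"
INTERFACE1_IN_REFUSE_SPOOFING[6]="no"
NETWORK1_IN_REFUSE_SPOOFING[6]="no"

# Refuse incoming packets claiming to be from class D (multicast), class E
# and unallocated space. 224.0.0.0/3 covers 224.0.0.0-255.255.255.255; no
# legitimate unicast sender uses a source address in that range, so it is
# refused on every side.
REFUSE_SPOOFING_IPADDR[7]="224.0.0.0/3"
INTERFACE0_IN_REFUSE_SPOOFING[7]="yes"
INTERFACE1_IN_REFUSE_SPOOFING[7]="yes"
NETWORK1_IN_REFUSE_SPOOFING[7]="yes"

# The settings below enable individual services. To disable a service,
# change the corresponding parameters from "yes" to "no" or simply comment
# the fragment out. To enable a service that is disabled in this example,
# take the corresponding fragment from
# /lib/giptables/conf/giptables.conf.README

#********************************************************************
#*                                                                  *
#*                            A N Y                                 *
#*                                                                  *
#********************************************************************
# Master switch for the "accept anything" rule set. Keep it "no" so that
# only the services explicitly enabled below are allowed through.
ACCEPT_ANY="no"

#********************************************************************
#*                                                                  *
#*                            D N S                                 *
#*                                                                  *
#********************************************************************
ACCEPT_DNS="yes"

#-------------------------------------------------------------------
# DNS outgoing client request
#
# Interface 0 DNS outgoing client request
# Resolution from the firewall itself is pinned to the two ISP resolvers
# rather than $ANY_IPADDR, so a compromised host cannot tunnel DNS to an
# arbitrary server through this rule. UDP and TCP are both allowed.
# SPORT53 is left "no" on every entry; its exact meaning is not visible
# here -- check giptables.conf.README before enabling it.
INTERFACE0_DNS_CLIENT="yes"
INTERFACE0_DNS_OUT_SRC_IPADDR[0]=$INTERFACE0_IPADDR
INTERFACE0_DNS_OUT_DST_IPADDR[0]=$ISP_PRIMARY_DNS_SERVER
INTERFACE0_DNS_OUT_UDP_REQUEST[0]="yes"
INTERFACE0_DNS_OUT_TCP_REQUEST[0]="yes"
INTERFACE0_DNS_OUT_SPORT53_REQUEST[0]="no"

INTERFACE0_DNS_OUT_SRC_IPADDR[1]=$INTERFACE0_IPADDR
INTERFACE0_DNS_OUT_DST_IPADDR[1]=$ISP_SECONDARY_DNS_SERVER
INTERFACE0_DNS_OUT_UDP_REQUEST[1]="yes"
INTERFACE0_DNS_OUT_TCP_REQUEST[1]="yes"
INTERFACE0_DNS_OUT_SPORT53_REQUEST[1]="no"

# Network 1 DNS forwarded outgoing client request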
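# LAN hosts may resolve names, but again only against the two ISP resolvers.
NETWORK1_DNS_CLIENT="yes"
NETWORK1_DNS_OUT_SRC_IPADDR[0]=$NETWORK1
NETWORK1_DNS_OUT_DST_IPADDR[0]=$ISP_PRIMARY_DNS_SERVER
NETWORK1_DNS_OUT_UDP_REQUEST[0]="yes"
NETWORK1_DNS_OUT_TCP_REQUEST[0]="yes"
NETWORK1_DNS_OUT_SPORT53_REQUEST[0]="no"

NETWORK1_DNS_OUT_SRC_IPADDR[1]=$NETWORK1
NETWORK1_DNS_OUT_DST_IPADDR[1]=$ISP_SECONDARY_DNS_SERVER
NETWORK1_DNS_OUT_UDP_REQUEST[1]="yes"
NETWORK1_DNS_OUT_TCP_REQUEST[1]="yes"
NETWORK1_DNS_OUT_SPORT53_REQUEST[1]="no"

#-------------------------------------------------------------------
# DNS incoming client request
#
# Interface 1 DNS incoming client request
# The firewall does not serve DNS to the LAN ("no"). The address entries are
# kept as a template for switching it on later; only LAN sources ($NETWORK1)
# would be accepted, on either the external or the internal address.
INTERFACE1_DNS_SERVER="no"
INTERFACE1_DNS_IN_SRC_IPADDR[0]=$NETWORK1
INTERFACE1_DNS_IN_DST_IPADDR[0]=$INTERFACE0_IPADDR
INTERFACE1_DNS_IN_UDP_REQUEST[0]="yes"
INTERFACE1_DNS_IN_TCP_REQUEST[0]="yes"
INTERFACE1_DNS_IN_SPORT53_REQUEST[0]="no"

INTERFACE1_DNS_IN_SRC_IPADDR[1]=$NETWORK1
INTERFACE1_DNS_IN_DST_IPADDR[1]=$INTERFACE1_IPADDR
INTERFACE1_DNS_IN_UDP_REQUEST[1]="yes"
INTERFACE1_DNS_IN_TCP_REQUEST[1]="yes"
INTERFACE1_DNS_IN_SPORT53_REQUEST[1]="no"

#*********************************************************************
#*                                                                   *
#*                            F T P                                  *
#*                                                                   *
#*********************************************************************
# FTP sends credentials and data in clear text; it is enabled here for the
# LAN's convenience. NOTE: the parameter name is spelled PASIVE in this
# configuration -- keep that spelling, it is the key the tool reads.
ACCEPT_FTP="yes"

#--------------------------------------------------------------------
# FTP outgoing client request
#
# Interface 0 FTP outgoing client request
# The firewall itself may reach any FTP server, passive mode only: active
# mode would require accepting the server's data connection inbound.
INTERFACE0_FTP_CLIENT="yes"
INTERFACE0_FTP_OUT_SRC_IPADDR[0]=$INTERFACE0_IPADDR
INTERFACE0_FTP_OUT_DST_IPADDR[0]=$ANY_IPADDR
INTERFACE0_FTP_OUT_PASIVE[0]="yes"
INTERFACE0_FTP_OUT_ACTIVE[0]="no"

# Interface 1 FTP outgoing client request
# Towards the LAN both modes are allowed; the destination is restricted to
# $NETWORK1.
INTERFACE1_FTP_CLIENT="yes"
INTERFACE1_FTP_OUT_SRC_IPADDR[0]=$INTERFACE1_IPADDR
INTERFACE1_FTP_OUT_DST_IPADDR[0]=$NETWORK1
INTERFACE1_FTP_OUT_PASIVE[0]="yes"
INTERFACE1_FTP_OUT_ACTIVE[0]="yes"

# Network 1 FTP forwarded outgoing client request
# LAN clients may use any external FTP server, passive mode only.
NETWORK1_FTP_CLIENT="yes"
NETWORK1_FTP_OUT_SRC_IPADDR[0]=$NETWORK1
NETWORK1_FTP_OUT_DST_IPADDR[0]=$ANY_IPADDR
NETWORK1_FTP_OUT_PASIVE[0]="yes"
NETWORK1_FTP_OUT_ACTIVE[0]="no"

#-------------------------------------------------------------------
# FTP incoming client request
#
# Interface 1 FTP incoming client request
# The firewall's own FTP server is reachable from LAN sources ($NETWORK1)
# only; no INTERFACE0_FTP_SERVER entry appears in this section, so it is
# not offered on the external side.
INTERFACE1_FTP_SERVER="yes"
INTERFACE1_FTP_IN_SRC_IPADDR[0]=$NETWORK1
INTERFACE1_FTP_IN_DST_IPADDR[0]=$INTERFACE0_IPADDR
INTERFACE1_FTP_IN_PASIVE[0]="yes"
INTERFACE1_FTP_IN_ACTIVE[0]="yes"

INTERFACE1_FTP_IN_SRC_IPADDR[1]=$NETWORK1
INTERFACE1_FTP_IN_DST_IPADDR[1]=$INTERFACE1_IPADDR
INTERFACE1_FTP_IN_PASIVE[1]="yes"
INTERFACE1_FTP_IN_ACTIVE[1]="yes"

#********************************************************************
#*                                                                  *
#*                            S S H                                 *
#*                                                                  *
#********************************************************************
ACCEPT_SSH="yes"

#-------------------------------------------------------------------
# SSH outgoing client request
#
# Interface 0 SSH outgoing client request
INTERFACE0_SSH_CLIENT="yes"
INTERFACE0_SSH_OUT_SRC_IPADDR[0]=$INTERFACE0_IPADDR
INTERFACE0_SSH_OUT_DST_IPADDR[0]=$ANY_IPADDR

# Interface 1 SSH outgoing client request
INTERFACE1_SSH_CLIENT="yes"
INTERFACE1_SSH_OUT_SRC_IPADDR[0]=$INTERFACE1_IPADDR
INTERFACE1_SSH_OUT_DST_IPADDR[0]=$NETWORK1

# Network 1 SSH forwarded outgoing client request
NETWORK1_SSH_CLIENT="yes"
NETWORK1_SSH_OUT_SRC_IPADDR[0]=$NETWORK1
NETWORK1_SSH_OUT_DST_IPADDR[0]=$ANY_IPADDR

#------------------------------------------------------------------
# SSH incoming client request
#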
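# Interface 0 SSH incoming client request
# SSH administration is accepted on the external address from $ANY_IPADDR,
# i.e. from the whole Internet. If the set of administrator addresses is
# known, narrow the source (one [n] entry per address or range) instead of
# leaving it wide open; the firewall is the only filter in front of sshd.
INTERFACE0_SSH_SERVER="yes"
INTERFACE0_SSH_IN_SRC_IPADDR[0]=$ANY_IPADDR
INTERFACE0_SSH_IN_DST_IPADDR[0]=$INTERFACE0_IPADDR

# Interface 1 SSH incoming client request
# From the LAN, SSH to either the external or the internal address.
INTERFACE1_SSH_SERVER="yes"
INTERFACE1_SSH_IN_SRC_IPADDR[0]=$NETWORK1
INTERFACE1_SSH_IN_DST_IPADDR[0]=$INTERFACE0_IPADDR

INTERFACE1_SSH_IN_SRC_IPADDR[1]=$NETWORK1
INTERFACE1_SSH_IN_DST_IPADDR[1]=$INTERFACE1_IPADDR

#********************************************************************
#*                                                                  *
#*                         T E L N E T                              *
#*                                                                  *
#********************************************************************
# Telnet carries credentials in clear text, so the master switch is "no".
# The per-interface entries below are kept only as a template; with the
# master switch off they are presumably not applied -- confirm against
# giptables.conf.README before relying on that.
ACCEPT_TELNET="no"

#-------------------------------------------------------------------
# TELNET outgoing client request
#
# Interface 0 TELNET outgoing client request
INTERFACE0_TELNET_CLIENT="yes"
INTERFACE0_TELNET_OUT_SRC_IPADDR[0]=$INTERFACE0_IPADDR
INTERFACE0_TELNET_OUT_DST_IPADDR[0]=$ANY_IPADDR

# Interface 1 TELNET outgoing client request
INTERFACE1_TELNET_CLIENT="yes"
INTERFACE1_TELNET_OUT_SRC_IPADDR[0]=$INTERFACE1_IPADDR
INTERFACE1_TELNET_OUT_DST_IPADDR[0]=$NETWORK1

# Network 1 TELNET forwarded outgoing client request
NETWORK1_TELNET_CLIENT="yes"
NETWORK1_TELNET_OUT_SRC_IPADDR[0]=$NETWORK1
NETWORK1_TELNET_OUT_DST_IPADDR[0]=$ANY_IPADDR

#-------------------------------------------------------------------
# TELNET incoming client request
#
# Interface 1 TELNET incoming client request
# No telnet server is offered, not even to the LAN.
INTERFACE1_TELNET_SERVER="no"
INTERFACE1_TELNET_IN_SRC_IPADDR[0]=$NETWORK1
INTERFACE1_TELNET_IN_DST_IPADDR[0]=$INTERFACE0_IPADDR

INTERFACE1_TELNET_IN_SRC_IPADDR[1]=$NETWORK1
INTERFACE1_TELNET_IN_DST_IPADDR[1]=$INTERFACE1_IPADDR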
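#*********************************************************************
#*                                                                   *
#*                        T E L N E T S                              *
#*                                                                   *
#*********************************************************************
ACCEPT_TELNETS="no"

#*********************************************************************
#*                                                                   *
#*                           S M T P                                 *
#*                                                                   *
#*********************************************************************
ACCEPT_SMTP="yes"

#--------------------------------------------------------------------
# SMTP outgoing client request
#
# Interface 0 SMTP outgoing client request
# The firewall and the LAN may deliver mail to any external SMTP server.
INTERFACE0_SMTP_CLIENT="yes"
INTERFACE0_SMTP_OUT_SRC_IPADDR[0]=$INTERFACE0_IPADDR
INTERFACE0_SMTP_OUT_DST_IPADDR[0]=$ANY_IPADDR

# Network 1 SMTP forwarded outgoing client request
NETWORK1_SMTP_CLIENT="yes"
NETWORK1_SMTP_OUT_SRC_IPADDR[0]=$NETWORK1
NETWORK1_SMTP_OUT_DST_IPADDR[0]=$ANY_IPADDR

#---------------------------------------------------------------------
# SMTP incoming client request
#
# Interface 0 SMTP incoming client request
# No inbound mail is accepted on either side; the entries are a template.
INTERFACE0_SMTP_SERVER="no"
INTERFACE0_SMTP_IN_SRC_IPADDR[0]=$ANY_IPADDR
INTERFACE0_SMTP_IN_DST_IPADDR[0]=$INTERFACE0_IPADDR

# Interface 1 SMTP incoming client request
INTERFACE1_SMTP_SERVER="no"
INTERFACE1_SMTP_IN_SRC_IPADDR[0]=$NETWORK1
INTERFACE1_SMTP_IN_DST_IPADDR[0]=$INTERFACE1_IPADDR

#************************************************************************
#*                                                                      *
#*                            S M T P S                                 *
#*                                                                      *
#************************************************************************
ACCEPT_SMTPS="no"

#************************************************************************
#*                                                                      *
#*                            P O P 3                                   *
#*                                                                      *
#************************************************************************
# Plain POP3 is enabled for the LAN while POP3S (below) is off, so mailbox
# credentials leave the LAN in clear text. If the mail provider offers
# POP3S, prefer ACCEPT_POP3S="yes" with ACCEPT_POP3="no".
ACCEPT_POP3="yes"

#-----------------------------------------------------------------------
# POP3 outgoing client request
#
# Network 1 POP3 forwarded outgoing client request
NETWORK1_POP3_CLIENT="yes"
NETWORK1_POP3_OUT_SRC_IPADDR[0]=$NETWORK1
NETWORK1_POP3_OUT_DST_IPADDR[0]=$ANY_IPADDR

#----------------------------------------------------------------------
# POP3 incoming client request
#
# Interface 0 POP3 incoming client request
# No POP3 server is offered on either side.
INTERFACE0_POP3_SERVER="no"
INTERFACE0_POP3_IN_SRC_IPADDR[0]=$ANY_IPADDR
INTERFACE0_POP3_IN_DST_IPADDR[0]=$INTERFACE0_IPADDR

# Interface 1 POP3 incoming client request
INTERFACE1_POP3_SERVER="no"
INTERFACE1_POP3_IN_SRC_IPADDR[0]=$NETWORK1
INTERFACE1_POP3_IN_DST_IPADDR[0]=$INTERFACE0_IPADDR

INTERFACE1_POP3_IN_SRC_IPADDR[1]=$NETWORK1
INTERFACE1_POP3_IN_DST_IPADDR[1]=$INTERFACE1_IPADDR

#*************************************************************************
#*                                                                       *
#*                           P O P 3 S                                   *
#*                                                                       *
#*************************************************************************
ACCEPT_POP3S="no"

#-----------------------------------------------------------------------
# POP3S outgoing client request
#
# Network 1 POP3S forwarded outgoing client request
NETWORK1_POP3S_CLIENT="yes"
NETWORK1_POP3S_OUT_SRC_IPADDR[0]=$NETWORK1
NETWORK1_POP3S_OUT_DST_IPADDR[0]=$ANY_IPADDR

#-----------------------------------------------------------------------
# POP3S incoming client request
#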