ferm – iptables the right way
There are hundreds, thousands of iptables firewall scripts that try to make life easier for the mortal administrator. Some people find it easier to just type everything by hand. For a long time I had a hand-typed script that did what most firewalls on web server setups do: allow 80 and 443 and block the rest. And that works OK.
The moment I found ferm I felt like those vim and emacs believers who swear by their editor second only to God. It is simply powerful, simple and functional.
For an average web setup ferm.conf would look roughly like this (Google knows how to install ferm on your favourite distro). Because the INPUT policy is DROP and SSH is limited to trusted networks, check a new config with ferm -n -l ferm.conf first, which only prints the iptables commands it would run, and apply it with ferm -i ferm.conf, which reverts to the previous rules unless you confirm within the timeout, so a typo cannot lock you out:
# trusted networks (addresses masked on the original page)
@def $NET_TRUSTED = (77.239.xxx.xxx 77.74.xxx.xxx);

table filter {
    chain INPUT {
        policy DROP;

        # temporary block of a noisy host; iptables stops at the first
        # matching terminal rule, so this must come before the ACCEPT rules
        # (placing it before the ESTABLISHED rule also kills its open connections)
        saddr 201.140.107.253 proto tcp DROP;

        # connection tracking
        mod state state INVALID DROP;
        mod state state (ESTABLISHED RELATED) ACCEPT;

        # allow local connections
        interface lo ACCEPT;

        # allow ping
        proto icmp icmp-type echo-request ACCEPT;

        # allow SSH only from trusted networks
        saddr $NET_TRUSTED proto tcp dport ssh ACCEPT;

        # allow SMTP
        proto tcp dport smtp ACCEPT;

        # allow HTTP and HTTPS
        proto tcp dport (http https) {
            # at most 20 concurrent connections per source IP
            mod connlimit connlimit-above 20 REJECT;
            ACCEPT;
        }

        # allow FTP
        proto tcp dport ftp {
            # at most 5 concurrent connections per source IP
            mod connlimit connlimit-above 5 REJECT;
            ACCEPT;
        }

        # allow DNS over TCP and UDP
        proto (tcp udp) dport domain ACCEPT;

        # everything else is dropped by the chain policy
    }

    # outgoing connections are not limited
    chain OUTPUT policy ACCEPT;

    # this is not a router
    chain FORWARD policy DROP;
}
You see? Beautiful. Something you have to try if you need a firewall, i.e. iptables.