Saturday, March 22, 2014

iptables accept ssh + apt-get

After a day of tinkering with iptables, I finally found a solution.
Router information:

  • IP: 192.168.0.1
  • DNS: 8.8.8.8, 8.8.4.4

PC information:

  • IP: 192.168.0.105
Open the file /etc/apt/sources.list and look at its contents:
deb http://ftp.debian.org/debian wheezy main
deb http://ftp.debian.org/debian wheezy contrib
deb http://security.debian.org/ wheezy/updates main
deb-src http://security.debian.org/ wheezy/updates main

=> we can see there are 2 hostnames that apt will connect to: ftp.debian.org and security.debian.org.
Now we create a file with the .sh extension and add the following lines:

#!/bin/sh
# My system IP / set the IP address of the server
SERVER_IP="192.168.0.105"
# Flush all rules and delete any user-defined chains
iptables -F
iptables -X
# Set the default policy: drop everything that is not explicitly accepted below
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Allow unlimited traffic on loopback
# (left disabled here: with OUTPUT DROP, anything that talks over 127.0.0.1,
#  such as a local DNS cache, stays blocked until these two rules are enabled)
#iptables -A INPUT -i lo -j ACCEPT
#iptables -A OUTPUT -o lo -j ACCEPT
# Allow incoming packets that belong to an already established connection
iptables -A INPUT -i eth0 -s 0/0 -d $SERVER_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow incoming ssh only (new connections from client ephemeral ports 513-65535)
iptables -A INPUT -p tcp -s 0/0 -d $SERVER_IP --sport 513:65535 --dport 22 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp -s $SERVER_IP -d 0/0 --sport 22 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT
# Allow DNS queries to the two resolvers and their replies, over both TCP and UDP
iptables -A OUTPUT -o eth0 -p tcp -s $SERVER_IP --sport 513:65535 -d 8.8.8.8 --dport 53 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s 8.8.8.8 --sport 53 -d $SERVER_IP --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp -s $SERVER_IP --sport 513:65535 -d 8.8.8.8 --dport 53 -j ACCEPT
iptables -A INPUT -i eth0 -p udp -s 8.8.8.8 --sport 53 -d $SERVER_IP --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -s $SERVER_IP --sport 513:65535 -d 8.8.4.4 --dport 53 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s 8.8.4.4 --sport 53 -d $SERVER_IP --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp -s $SERVER_IP --sport 513:65535 -d 8.8.4.4 --dport 53 -j ACCEPT
iptables -A INPUT -i eth0 -p udp -s 8.8.4.4 --sport 53 -d $SERVER_IP --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT
# Allow outgoing HTTP (port 80) to anywhere
iptables -A OUTPUT -o eth0 -p tcp -s $SERVER_IP --sport 513:65535 -d 0/0 --dport 80 -j ACCEPT
# Allow incoming replies from ftp.debian.org
# (a hostname here is resolved once, when the rule is loaded, so the DNS rules
#  above must already be in place; one rule is added per address the name
#  resolves to, and the ESTABLISHED rule above already covers these replies)
iptables -A INPUT -i eth0 -p tcp --src ftp.debian.org --sport 80 -d $SERVER_IP --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT
# Allow incoming replies from security.debian.org
iptables -A INPUT -i eth0 -p tcp --src security.debian.org --sport 80 -d $SERVER_IP --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT
# Log outgoing packets that were not accepted above, i.e. those about to be dropped
iptables -A OUTPUT -s $SERVER_IP -d 0/0 -j LOG --log-prefix "OCATCH:" --log-level info
# DHCP client: lease renewal with the router
# (the OUTPUT rule sits after the LOG rule, so these requests are logged too)
iptables -A INPUT -i eth0 -p udp -s 192.168.0.1 -d $SERVER_IP --dport 68 --sport 67 -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp -s $SERVER_IP -d 192.168.0.1 --dport 67 --sport 68 -j ACCEPT
# Make sure nothing else comes in or goes out of this box
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP

Save the file and run it as root.
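As an added example (not the original post's script), the same policy written for iptables-restore: the whole ruleset is loaded in one atomic step instead of rule by rule with the DROP policy already active, loopback is allowed, mirror replies rely on the ESTABLISHED rule instead of hostnames resolved at load time, and the drop logging is rate-limited. It assumes the post's interface eth0, addresses and resolvers (overridable through the environment variables).

```shell
#!/bin/sh
# Added example (not from the original post): emit the post's policy in
# iptables-restore format so it is loaded atomically, not appended rule by rule.
# Assumptions: interface eth0, the post's addresses and the Google resolvers.
SERVER_IP="${SERVER_IP:-192.168.0.105}"
ROUTER_IP="${ROUTER_IP:-192.168.0.1}"
DNS_SERVERS="${DNS_SERVERS:-8.8.8.8 8.8.4.4}"

gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback: local resolvers and daemons need this even on a locked-down box
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# replies to anything this host initiated (covers apt's HTTP and DNS answers)
-A INPUT -i eth0 -d $SERVER_IP -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o eth0 -s $SERVER_IP -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# inbound ssh: new connections only, replies are handled by the rule above
-A INPUT -i eth0 -p tcp -d $SERVER_IP --dport 22 -m conntrack --ctstate NEW -j ACCEPT
EOF
    # one UDP and one TCP rule per resolver
    for dns in $DNS_SERVERS; do
        cat <<EOF
-A OUTPUT -o eth0 -p udp -s $SERVER_IP -d $dns --dport 53 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -s $SERVER_IP -d $dns --dport 53 -j ACCEPT
EOF
    done
    cat <<EOF
# outbound HTTP for the Debian mirrors (no hostnames: replies come back via ESTABLISHED)
-A OUTPUT -o eth0 -p tcp -s $SERVER_IP --dport 80 -m conntrack --ctstate NEW -j ACCEPT
# DHCP lease renewal with the router
-A INPUT -i eth0 -p udp -s $ROUTER_IP --sport 67 --dport 68 -j ACCEPT
-A OUTPUT -o eth0 -p udp --sport 68 -d $ROUTER_IP --dport 67 -j ACCEPT
# log what is about to be dropped, rate-limited so a scan cannot flood syslog
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "ICATCH:" --log-level info
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OCATCH:" --log-level info
COMMIT
EOF
}

# usage (as root): gen_rules | iptables-restore --test   # syntax check only
#                  gen_rules | iptables-restore          # load atomically
if [ "${1:-}" = "--print" ]; then
    gen_rules
fi
```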