Здравствуйте!
У постоянно в ipcad видно следующее:
10.10.43.189 153.134.179.202 1 78
192.168.0.5 153.134.179.202 1 78
10.10.43.189 144.142.165.145 1 78
192.168.0.14 144.142.165.145 1 78
10.10.43.189 137.184.169.84 1 78
192.168.1.11 137.184.169.84 1 78
10.10.43.189 4.116.197.216 1 78
192.168.1.12 4.116.197.216 1 78
10.10.43.189 29.237.228.223 1 78
192.168.0.5 29.237.228.223 1 78
10.10.43.189 160.111.56.146 1 78
192.168.0.8 160.111.56.146 1 78
10.10.43.189 220.211.202.164 1 78
192.168.0.6 220.211.202.164 1 78
10.10.43.189 155.38.226.227 1 78
192.168.1.13 155.38.226.227 1 78
192.168.1.13 192.168.0.77 2 156
10.10.43.189 153.134.179.201 1 78
192.168.0.5 153.134.179.201 1 78
10.10.43.189 144.142.165.144 1 78
192.168.0.14 144.142.165.144 1 78
10.10.43.189 137.184.169.83 1 78
192.168.1.11 137.184.169.83 1 78
10.10.43.189 4.116.197.215 1 78
192.168.1.12 4.116.197.215 1 78
10.10.43.189 29.237.228.222 1 78
192.168.0.5 29.237.228.222 1 78
10.10.43.189 160.111.56.145 1 78
192.168.0.8 160.111.56.145 1 78
10.10.43.189 155.38.226.226 1 78
192.168.1.13 155.38.226.226 1 78
10.10.43.189 220.211.202.163 1 78
192.168.0.6 220.211.202.163 1 78
10.10.43.189 204.168.58.255 1 78
192.168.1.11 204.168.58.255 1 78
192.168.1.13 192.168.0.76 2 156
10.10.43.189 153.134.179.200 1 78
192.168.0.5 153.134.179.200 1 78
10.10.43.189 144.142.165.143 1 78
192.168.0.14 144.142.165.143 1 78
10.10.43.189 137.184.169.82 1 78
и т.д.
10.10.43.189 - это адрес машины в сети провайдера, 192.168.0.0/16 - это моя локалка.
Что это может быть? Таких адресов, как 192.168.0.76, 192.168.0.77 не существует, а скан идёт.
Как бы такое запретить через iptables?
Прошу Вас посмотреть на нижеприведенный мной скрипт и высказаться о надежности предпринятой защиты и порекомендовать, что исправить дабы защита была на высоте.
/flush
sleep 1
/sbin/depmod -a
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ipt_owner
/sbin/modprobe ipt_REJECT
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_nat_irc
#############################################
# Set up /proc files...
#############################################
echo 1 > /proc/sys/net/ipv4/ip_forward
# TCP SYN Cookie protection...
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# IP Spoof protection
for file in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $file
done
# Disable ICMP redirect acceptance
for file in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo 0 > $file
done
# Disable source-routed packets
for file in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 0 > $file
done
# Interface setup
function get_addr()
{
IFCONFIG='/sbin/ifconfig';
HEAD='head -2';
TAIL='tail -1';
CUT='cut -d: -f2';
IP=`$IFCONFIG $1 | $HEAD | $TAIL | awk '{print $2}' | $CUT`;
echo $IP;
}
EXTDEV=ppp0
EXTERNALIP=`get_addr $EXTDEV`
LEVIP="10.10.44.206"
ENETWORKIP=$EXTERNALIP+"/255.255.255.255"
INTDEV=eth2
INTERNALIP=`get_addr $INTDEV`
INETWORKIP="192.168.0.0/255.255.0.0"
LOOPBACK="127.0.0.1"
ANYWHERE="0.0.0.0/0"
PORTS="1024:65535"
# Flush chains
/sbin/iptables -F
/sbin/iptables -F -t nat
# =====================================
# ==== Set Up User Defined Chains =====
# =====================================
/sbin/iptables -N ALLOW_ICMP
/sbin/iptables -N ALLOW_PORTS
/sbin/iptables -N CHECK_FLAGS
/sbin/iptables -N DENY_PORTS
/sbin/iptables -N DST_EGRESS
/sbin/iptables -N KEEP_STATE
/sbin/iptables -N SRC_EGRESS
# =====================================
# ========== Incoming Rules ===========
# =====================================
# Setting default INPUT policy to DROP
/sbin/iptables -P INPUT DROP
/sbin/iptables -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
/sbin/iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
/sbin/iptables -A INPUT -j ACCEPT -s 192.168.0.0/16 -d $ANYWHERE
/sbin/iptables -A INPUT -j ACCEPT -s $EXTERNALIP -d $ANYWHERE
/sbin/iptables -A INPUT -j ACCEPT -s $ANYWHERE -d $ANYWHERE -i lo
/sbin/iptables -A INPUT -j ACCEPT -s $ANYWHERE -d $ANYWHERE -i ppp0 -m state --state RELATED,ESTABLISHED
/sbin/iptables -A INPUT -j ACCEPT -p tcp -s $ANYWHERE --sport $PORTS -d $EXTERNALIP --dport 80
/sbin/iptables -A INPUT -j ACCEPT -p tcp -s $LEVIP --sport $PORTS -d $EXTERNALIP --dport 21
/sbin/iptables -A INPUT -j ACCEPT -p tcp -s $LEVIP --sport $PORTS -d $EXTERNALIP --dport 22
/sbin/iptables -A INPUT -j ACCEPT -p tcp -s $LEVIP --sport $PORTS -d $EXTERNALIP --dport 25
/sbin/iptables -A INPUT -j ACCEPT -p icmp -s $ANYWHERE -d $ANYWHERE
/sbin/iptables -A INPUT -j ACCEPT -p udp -s $ANYWHERE --sport 53 -d $ANYWHERE
/sbin/iptables -A INPUT -j ACCEPT -p tcp -s $ANYWHERE --sport 1720 -d $ANYWHERE
/sbin/iptables -A INPUT -j ACCEPT -p tcp -s $ANYWHERE --sport 9123 -d $ANYWHERE
/sbin/iptables -A INPUT -j ACCEPT -p udp -s $ANYWHERE --sport 1717 -d $ANYWHERE
/sbin/iptables -A INPUT -j ACCEPT -p udp -s $ANYWHERE --sport 1718 -d $ANYWHERE
/sbin/iptables -A INPUT -j ACCEPT -p udp -s $ANYWHERE --sport 1719 -d $ANYWHERE
/sbin/iptables -A INPUT -j ACCEPT -p udp -s $ANYWHERE --sport 4000:5600 -d $ANYWHERE
/sbin/iptables -A INPUT -j ACCEPT -p udp -s $ANYWHERE --sport 27000:28000 -d $ANYWHERE
/sbin/iptables -A INPUT -j ACCEPT -p udp -s $ANYWHERE --sport 25793 -d $ANYWHERE
# /sbin/iptables -A INPUT -j LOG -s $ANYWHERE -d $ANYWHERE --log-prefix ' ##INPUT DENY LOG## '
/sbin/iptables -A INPUT -j ACCEPT -p tcp -s $ANYWHERE --sport 40000:43000 -d $ANYWHERE --dport 40000:43000
/sbin/iptables -A INPUT -j ACCEPT -p tcp -s $ANYWHERE --sport 40000:43000 -d $ANYWHERE -i eth2
# =====================================
# ========== Outgoing Rules ===========
# =====================================
# Setting default OUTPUT policy to DROP
/sbin/iptables -P OUTPUT DROP
/sbin/iptables -A OUTPUT -j ACCEPT -s $ANYWHERE -d 192.168.0.0/16
/sbin/iptables -A OUTPUT -j ACCEPT -s $ANYWHERE -d $EXTERNALIP
/sbin/iptables -A OUTPUT -j ACCEPT -s $ANYWHERE -d $ANYWHERE -o lo
/sbin/iptables -A OUTPUT -j ACCEPT -s $ANYWHERE -d $ANYWHERE -o ppp0 -m state --state RELATED,ESTABLISHED
/sbin/iptables -A OUTPUT -j ACCEPT -p tcp -s $ANYWHERE -d $ANYWHERE --dport 25 -o ppp0
/sbin/iptables -A OUTPUT -j ACCEPT -p tcp -s $EXTERNALIP --sport $PORTS -d $ANYWHERE --dport 80
/sbin/iptables -A OUTPUT -j ACCEPT -p tcp -s $EXTERNALIP --sport $PORTS -d $LEVIP --dport 21
/sbin/iptables -A OUTPUT -j ACCEPT -p tcp -s $EXTERNALIP --sport $PORTS -d $LEVIP --dport 22
/sbin/iptables -A OUTPUT -j ACCEPT -p tcp -s $EXTERNALIP --sport $PORTS -d $LEVIP --dport 25
/sbin/iptables -A OUTPUT -j ACCEPT -p udp -s $EXTERNALIP -d $ANYWHERE --dport 53
/sbin/iptables -A OUTPUT -j ACCEPT -p tcp -s $EXTERNALIP --sport $PORTS -d $ANYWHERE --dport 1720
/sbin/iptables -A OUTPUT -j ACCEPT -p tcp -s $EXTERNALIP --sport $PORTS -d $ANYWHERE --dport 9123
/sbin/iptables -A OUTPUT -j ACCEPT -p udp -s $EXTERNALIP -d $ANYWHERE --dport 1717
/sbin/iptables -A OUTPUT -j ACCEPT -p udp -s $EXTERNALIP -d $ANYWHERE --dport 1718
/sbin/iptables -A OUTPUT -j ACCEPT -p udp -s $EXTERNALIP -d $ANYWHERE --dport 1719
/sbin/iptables -A OUTPUT -j ACCEPT -p udp -s $EXTERNALIP -d $ANYWHERE --dport 4000:5600
/sbin/iptables -A OUTPUT -j ACCEPT -p udp -s $EXTERNALIP -d $ANYWHERE --dport 25793
/sbin/iptables -A OUTPUT -j ACCEPT -p icmp -s $ANYWHERE -d $ANYWHERE
# /sbin/iptables -A OUTPUT -j LOG -s $ANYWHERE -d $ANYWHERE --log-prefix ' ##OUTPUT DENY LOG## '
/sbin/iptables -A OUTPUT -j ACCEPT -s $ANYWHERE -d $ANYWHERE -o ppp0 -m state --state RELATED,ESTABLISHED
/sbin/iptables -A OUTPUT -j ACCEPT -p tcp -s $ANYWHERE --sport 40000:43000 -d $ANYWHERE --dport 40000:43000
/sbin/iptables -A OUTPUT -j ACCEPT -p tcp -s $ANYWHERE -d $ANYWHERE --dport 27000:28000 -o eth2
/sbin/iptables -A OUTPUT -j ACCEPT -p tcp -s $ANYWHERE -d $ANYWHERE --dport 40000:43000 -o eth2
/sbin/iptables -A OUTPUT -j ACCEPT -p tcp -s $ANYWHERE --sport 40000:43000 -d $ANYWHERE -o ppp0
# ======================================
# ========== Forwarded Rules ===========
# ======================================
# Setting default forward policy to DROP
/sbin/iptables -P FORWARD ACCEPT
/sbin/iptables -A FORWARD -j ACCEPT -s $ANYWHERE -d $ANYWHERE -m state --state RELATED,ESTABLISHED
/sbin/iptables -A FORWARD -j ACCEPT -p tcp -s 192.168.0.0/16 -d $ANYWHERE --dport 21
/sbin/iptables -A FORWARD -j ACCEPT -p tcp -s $ANYWHERE -d $ANYWHERE --dport 22
/sbin/iptables -A FORWARD -j ACCEPT -p tcp -s $ANYWHERE -d $ANYWHERE --dport 25
/sbin/iptables -A FORWARD -j ACCEPT -p tcp -s $ANYWHERE -d $ANYWHERE --dport 80
/sbin/iptables -A FORWARD -j ACCEPT -p tcp -s 192.168.0.0/16 -d $ANYWHERE --dport 22
/sbin/iptables -A FORWARD -j ACCEPT -p tcp -s 192.168.0.0/16 -d $ANYWHERE --dport 110
/sbin/iptables -A FORWARD -j ACCEPT -p tcp -s 192.168.0.0/16 -d $ANYWHERE --dport 1080
/sbin/iptables -A FORWARD -j ACCEPT -p tcp -s 192.168.0.0/16 -d $ANYWHERE --dport 5190
/sbin/iptables -A FORWARD -j ACCEPT -p tcp -s 192.168.0.0/16 -d $ANYWHERE --dport 27000:28000
/sbin/iptables -A FORWARD -j ACCEPT -p tcp -s 192.168.0.0/16 -d $ANYWHERE --dport 443
/sbin/iptables -A FORWARD -j ACCEPT -p udp -s 192.168.0.0/16 -d $ANYWHERE --dport 53
/sbin/iptables -A FORWARD -j ACCEPT -p tcp -s 192.168.0.0/16 -d $ANYWHERE --dport 4501
/sbin/iptables -A FORWARD -j ACCEPT -p udp -s 192.168.0.0/16 -d $ANYWHERE --dport 53
/sbin/iptables -A FORWARD -j ACCEPT -p tcp -s 192.168.0.0/16 -d $ANYWHERE --dport 1720
/sbin/iptables -A FORWARD -j ACCEPT -p tcp -s 192.168.0.0/16 -d $ANYWHERE --dport 9123
/sbin/iptables -A FORWARD -j ACCEPT -p udp -s 192.168.0.0/16 -d $ANYWHERE --dport 1717
/sbin/iptables -A FORWARD -j ACCEPT -p udp -s 192.168.0.0/16 -d $ANYWHERE --dport 1718
/sbin/iptables -A FORWARD -j ACCEPT -p udp -s 192.168.0.0/16 -d $ANYWHERE --dport 1719
/sbin/iptables -A FORWARD -j ACCEPT -p udp -s 192.168.0.0/16 -d $ANYWHERE --dport 4000:5600
/sbin/iptables -A FORWARD -j ACCEPT -p udp -s 192.168.0.0/16 -d $ANYWHERE --dport 25793
# /sbin/iptables -A FORWARD -j LOG -s $ANYWHERE -d $ANYWHERE --log-prefix ' ##FORWARD DENY LOG## '
#4501
/sbin/iptables -A FORWARD -j ACCEPT -p tcp -s $ANYWHERE --sport 40000:43000 -d $ANYWHERE --dport 40000:43000
/sbin/iptables -A FORWARD -j ACCEPT -p tcp -s $ANYWHERE -d $ANYWHERE --dport 40000:43000 -o eth2
/sbin/iptables -A FORWARD -j ACCEPT -p tcp -s $ANYWHERE -d $ANYWHERE --dport 40000:43000 -i eth2
/sbin/iptables -A FORWARD -j ACCEPT -p tcp -s $ANYWHERE --sport 40000:43000 -d $ANYWHERE -o ppp0
/sbin/iptables -A FORWARD -j ACCEPT -p icmp -s $ANYWHERE -d $ANYWHERE
# ======================================
# ========== Prerouting Rules ==========
# ======================================
#/sbin/iptables -t nat -A PREROUTING -j DNAT -p tcp -s 192.168.0.0/255.255.0.0 -d ! 192.168.0.200 --dport 80 --to-destination 195.184.234.84:3128
/sbin/iptables -t nat -A PREROUTING -j REDIRECT -p tcp -s 192.168.0.0/255.255.0.0 -d ! 192.168.0.200 --dport 80 --to-port 3128
# /sbin/iptables -t nat -A PREROUTING -j REDIRECT -p tcp -s $ANYWHERE -d $ANYWHERE --dport 8080 --to-port 3128
# /sbin/iptables -t nat -A PREROUTING -j REDIRECT -p tcp -s $ANYWHERE -d $ANYWHERE --dport 8081 --to-port 3128
# /sbin/iptables -t nat -A PREROUTING -j REDIRECT -p tcp -s ! 192.168.0.200 -d 192.168.0.200 --dport 3128 --to-port 80
# /sbin/iptables -t nat -A PREROUTING -j REDIRECT -p tcp -s $ANYWHERE -d $ANYWHERE --dport 8088 --to-port 3128
# /sbin/iptables -t nat -A PREROUTING -j REDIRECT -p tcp -s 192.168.0.0/255.255.0.0 -d $ANYWHERE --dport 25 --to-port 25
# /sbin/iptables -t nat -A PREROUTING -p tcp -d ! 217.20.87.0/255.255.255.0 --dport 80 -j DNAT --to-destination 192.168.0.200:80
/sbin/iptables -t nat -A PREROUTING -j DNAT -p tcp -s 192.168.0.0/255.255.0.0 -d ! 192.168.0.200 --dport 25 --to-destination 217.20.87.19:25
# /sbin/iptables -t nat -A PREROUTING -j REDIRECT -p tcp -s 192.168.0.0/255.255.0.0 -d $ANYWHERE --dport 21 --to-port 2121
# /sbin/iptables -t nat -A PREROUTING -p tcp -d 0/0 --dport 21 -j DNAT --to 192.168.0.200:2121
# /sbin/iptables -t nat -A PREROUTING -j REDIRECT -p tcp -s 192.168.0.0/255.255.0.0 -d $ANYWHERE --dport 20 --to-port 2121
# ======================================
# ========= Postrouting Rules ==========
# ======================================
/sbin/iptables -t nat -A POSTROUTING -j SNAT -s 192.168.0.0/255.255.0.0 -d $ANYWHERE -o ppp0 --to $EXTERNALIP
/sbin/iptables -t nat -A POSTROUTING -j MASQUERADE -s 192.168.0.0/255.255.0.0 -d $ANYWHERE -o ppp0
# ======================================
# ========= User Defined Rules =========
# ======================================
squid -k reconfigure
Надеюсь на Вашу помощь, коллеги, мне важно Ваше мнение!!!
Вариант для распечатки
OpenNET: Виртуальная конференция (Public)
on
03-Сен-03, 09:14 (MSK)
