>>>A server running Mandrake 9.0 is going online. I need to set up security. Please advise which
>>>is better to use: iptables or shorewall (and what is actually the difference between
>>>them). If there is a Russian man page, please send it to my e-mail.
>>
>>Shorewall is a program that generates the various firewall rules and uses
>>iptables to do so
>
>But that is not quite clear to me - where do the rules need to be written,
>in iptables or in shorewall?
This program (shorewall) works together with iptables, or rather on top of iptables.
You create zones (for example: local, DMZ, inet ... or whatever else you need),
then you only write
local inet ACCEPT all (this means that all packets from the local network may pass to the internet)
inet local ACCEPT 21,22 (this means that packets from the internet into the local network may only pass to ports 21 (FTP) and 22 (SSH)).
shorewall start
and the program generates the iptables rules and loads them into the firewall:
router:~ # shorewall start
Processing /etc/shorewall/shorewall.conf ...
Processing /etc/shorewall/params ...
Restarting Shorewall...
Loading Modules...
Initializing...
Determining Zones...
Zones: net loc loc2 loc3
Validating interfaces file...
Validating hosts file...
Determining Hosts in Zones...
Net Zone: ppp+:0.0.0.0/0
Local Zone: eth1:0.0.0.0/0 ipsec0:0.0.0.0/0
Local2 Zone: eth2:0.0.0.0/0
Local3 Zone: eth+:0.0.0.0/0
Deleting user chains...
Configuring Proxy ARP and NAT
Adding Common Rules
Enabling RFC1918 Filtering
Setting up Blacklisting...
Blacklisting enabled on ppp+
212.227.126.156 added to Black List
212.227.126.156 added to Black List
211.194.117.174 added to Black List
211.194.117.174 added to Black List
211.43.197.41/24 added to Black List
IP Forwarding Enabled
Processing /etc/shorewall/tunnels...
IPSEC tunnel to 0.0.0.0/0 defined.
Processing /etc/shorewall/rules...
Rule "ACCEPT fw net tcp 21,22,25,80,110,143,389,443,500" added.
Rule "ACCEPT fw net udp 53,50,500" added.
Rule "ACCEPT fw loc tcp 21,22,25,53,80,110,139,143,389,443" added.
Rule "ACCEPT fw loc udp 53,137,138,500" added.
Rule "ACCEPT fw loc2 tcp 21,22,25,53,80,110,139,143,389,443" added.
Rule "ACCEPT fw loc2 udp 53,137,138" added.
Rule "ACCEPT fw loc3 tcp 21,22,25,53,80,110,139,143,389,443" added.
Rule "ACCEPT fw loc3 udp 53,137,138" added.
Rule "DROP net fw udp 50,500" added.
Rule "REJECT net fw tcp 113" added.
Rule "ACCEPT loc fw tcp 22,3000" added.
Rule "ACCEPT loc2 fw tcp" added.
Rule "ACCEPT loc2 fw udp" added.
Rule "ACCEPT loc3 fw tcp" added.
Rule "ACCEPT loc3 fw udp" added.
Rule "ACCEPT loc net tcp" added.
Rule "ACCEPT loc net udp" added.
Rule "ACCEPT loc2 net tcp" added.
Rule "ACCEPT loc2 net udp" added.
Rule "ACCEPT loc3 net tcp" added.
Rule "ACCEPT loc3 net udp" added.
Rule "ACCEPT loc loc2 tcp 20,21,22,25,53,80,110,137,138,139,143,443" added.
Rule "ACCEPT loc loc2 udp 53" added.
Rule "ACCEPT loc loc3 tcp" added.
Rule "ACCEPT loc loc3 udp" added.
Rule "ACCEPT loc2 loc tcp 20,21,22,25,53,80,110,137,138,139,143,443" added.
Rule "ACCEPT loc2 loc udp 53" added.
Rule "ACCEPT loc2 loc3 tcp" added.
Rule "ACCEPT loc2 loc3 udp" added.
Rule "ACCEPT loc3 loc tcp" added.
Rule "ACCEPT loc3 loc udp" added.
Rule "ACCEPT loc3 loc2 tcp" added.
Rule "ACCEPT loc3 loc2 udp" added.
Rule "ACCEPT net loc:192.168.33.44 tcp 20,21,22,25,80,443,993,995,8022,5016,5017 - all" added.
Rule "ACCEPT net loc:192.168.33.44 udp 53 - all" added.
Rule "ACCEPT net loc:172.16.173.4 tcp 4661,4662,4663,6969,4343,4242,6300 - all" added.
Rule "ACCEPT net loc:172.16.173.4 udp 4665 - all" added.
Rule "ACCEPT fw loc icmp 8" added.
Rule "ACCEPT fw loc2 icmp 8" added.
Rule "ACCEPT fw loc3 icmp 8" added.
Rule "ACCEPT loc fw icmp 8" added.
Rule "ACCEPT loc2 fw icmp 8" added.
Rule "ACCEPT loc3 fw icmp 8" added.
Rule "ACCEPT:info net fw tcp 10000 -" added.
Adding rules for DHCP
Setting up ICMP Echo handling...
Processing /etc/shorewall/policy...
Policy REJECT for fw to net.
Policy REJECT for fw to loc.
Policy REJECT for fw to loc2.
Policy REJECT for fw to loc3.
Policy DROP for net to fw.
Policy DROP for net to loc.
Policy ACCEPT for loc to fw.
Policy ACCEPT for loc to net.
Policy ACCEPT for loc to loc.
Policy REJECT for loc to loc2.
Policy REJECT for loc to loc3.
Policy REJECT for loc2 to fw.
Policy ACCEPT for loc2 to net.
Policy REJECT for loc2 to loc.
Policy REJECT for loc2 to loc3.
Policy REJECT for loc3 to fw.
Policy ACCEPT for loc3 to net.
Policy REJECT for loc3 to loc.
Policy REJECT for loc3 to loc2.
Masqueraded Subnets and Hosts:
To 0.0.0.0/0 from -s 192.168.33.32/28 through ppp+
To 0.0.0.0/0 from -s 172.16.173.0/24 through ppp+
To 0.0.0.0/0 from -s 192.168.0.0/24 through ppp+
Processing /etc/shorewall/tos...
Rule "all all tcp - ssh 16" added.
Rule "all all tcp ssh - 16" added.
Rule "all all tcp - ftp 16" added.
Rule "all all tcp ftp - 16" added.
Rule "all all tcp ftp-data - 8" added.
Rule "all all tcp - ftp-data 8" added.
Activating Rules...
Shorewall Restarted
router:~ #
and yours is ready....
PS: the IP addresses have been changed
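To make the "zones plus short rules become iptables commands" idea concrete, here is an added toy translator (written for this thread, not Shorewall's own compiler, which also handles NAT, logging, blacklists and much more). It expands the two rules from the post into per-zone-pair chains with a default-deny policy; the interface names eth1 and ppp0 are assumed.

```python
"""Toy illustration of what Shorewall does with zone rules.
Constructed for this thread; NOT Shorewall's real compiler.
Only forwarding between zones is modelled (the fw zone is left out)."""

# Zone -> interface mapping (assumed for the example).
ZONES = {"loc": "eth1", "net": "ppp0"}

# Default policy per (source zone, destination zone); anything not listed is DROP.
POLICY = {("loc", "net"): "ACCEPT", ("net", "loc"): "DROP"}

# Explicit rules, checked before the policy: (action, src, dst, proto, dest ports).
# "loc net ACCEPT all" is already covered by the ACCEPT policy above;
# "net loc ACCEPT 21,22" from the post becomes this single rule.
RULES = [
    ("ACCEPT", "net", "loc", "tcp", "21,22"),
]


def chain_name(src, dst):
    """One iptables user chain per zone pair, e.g. net2loc."""
    return f"{src}2{dst}"


def compile_rules(zones=ZONES, policy=POLICY, rules=RULES):
    """Return the iptables commands the zone-based ruleset expands to (as strings)."""
    cmds = [
        "iptables -P FORWARD DROP",
        # Return traffic of flows already accepted is allowed once, up front,
        # so "loc -> net ACCEPT" does not need a matching inbound rule.
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    pairs = [(s, d) for s in zones for d in zones if s != d]
    for src, dst in pairs:
        ch = chain_name(src, dst)
        cmds.append(f"iptables -N {ch}")
        cmds.append(f"iptables -A FORWARD -i {zones[src]} -o {zones[dst]} -j {ch}")
    for action, src, dst, proto, ports in rules:
        match = "" if proto == "all" else f" -p {proto}"
        if ports:
            match += f" -m multiport --dports {ports}"
        cmds.append(f"iptables -A {chain_name(src, dst)}{match} -j {action}")
    for src, dst in pairs:
        # The policy is appended last, so the explicit rules above it win.
        cmds.append(f"iptables -A {chain_name(src, dst)} -j {policy.get((src, dst), 'DROP')}")
    return cmds


if __name__ == "__main__":
    print("\n".join(compile_rules()))
```

Running it prints the generated commands without applying them, which is a handy way to review what a zone ruleset actually allows before loading it.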