Example configuration of a filter

qoska

Primus registratum
Example configuration of a filter

<u>Here</u> you will find an example configuration of a filter (firewall) usable for an internet cafe.
This is currently the configuration I use in all the internet cafes I maintain. It includes NAT (or MASQUERADE, S-NAT, D-NAT, as they are called on Linux), blocking of unwanted traffic, and a simple classification of that traffic by the priority of the most commonly used programs.

Although the configuration in question is for *BSD with PF, the logic can be translated in the same way to IPTables on Linux. The latter also applies to Mikro$ik (which uses IPTables).
If anyone does the translation to IPTables, let them post it here. The whole translation consists of converting the specific rules so that they are expressed with iptables options. This is because most of the rules use quick, which is close to the first-match-wins principle of IPTables.

Best regards.
 

gurax

Pan ignoramus
Re: Example configuration of a filter

Below is a simple implementation of a firewall with "iptables". In its simplest, "quick and dirty" version, all that needs to be done is to set the appropriate values in section 1, after which it is ready for use. Tested and working, and quite well at that.

Code:
#!/bin/sh

# rc.firewall - Initial SIMPLE IP Firewall script for Linux 2.4.x and iptables
#
# Copyright (C) 2001  Oskar Andreasson (blueflux@koffein.net)
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA  02111-1307   USA
###########################################################################
#
# 1. Configuration.
#

###########################################################################
#
# LAN configuration.
#
# LAN addresses, including the local IP
#

LAN_IP="192.168.0.2"
LAN_IP_RANGE="192.168.0.0/16"
LAN_BCAST_ADRESS="192.168.255.255"
LAN_IFACE="eth1"

###########################################################################
#
# Localhost.
#

LO_IFACE="lo"
LO_IP="127.0.0.1"

###########################################################################
#
# Internet configuration.
#

INET_IP="194.236.50.155"
INET_IFACE="eth0"

###########################################################################
#
# IPTables
#

IPTABLES="/usr/sbin/iptables"

###########################################################################
###########################################################################
#
# 2. Loading modules
#

#
# This line is required!!!
#
/sbin/depmod -a

#
# Some useful modules: LOG, REJECT, MASQUERADE, etc.
# Comment them out to disable them
#
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE

#
# Do we need owner matching?
#
#/sbin/modprobe ipt_owner

#
# Enable connection tracking for FTP and IRC.
#
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc

###########################################################################
###########################################################################
#
# 3. Preparing for operation
#
# ip_forward must be enabled if we are dealing with more than 2 networks,
# counting the Internet as a network of its own. This is very important
# because packet forwarding is disabled by default.
#
echo "1" > /proc/sys/net/ipv4/ip_forward

#
# If there are users with dynamic IP addresses:
#
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr

###########################################################################
###########################################################################
#
# 4. Configuring the rules (IPTables rules) and applying them
#
# Flush rules and user chains left from a previous run, so the script can
# be re-run without "Chain already exists" errors or duplicated rules.
#

$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F
$IPTABLES -t mangle -F

#
# Set the default policies for INPUT, FORWARD and OUTPUT.
#

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

#
# bad_tcp_packets chain
#
# TCP packets classified as "bad" pass through here.
#

$IPTABLES -N bad_tcp_packets
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "paketa new dhe jo syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

#
# Check to guard against "ip spoofing": private source addresses must never
# arrive on the Internet interface
#

$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 192.168.0.0/16 -j DROP
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 10.0.0.0/8 -j DROP
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 172.16.0.0/12 -j DROP

#
# Enable IP forwarding and address translation (NAT)
#

$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP

#
# Here go the TCP packets we do not want
#

$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets

#
# Accept the packets we want to allow through this node
#

$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT FORWARD pakete e vdekur: "

#
# Create separate chains for ICMP, TCP and UDP
#

$IPTABLES -N icmp_packets
$IPTABLES -N tcp_packets
$IPTABLES -N udpincoming_packets


#
# Chain for allowed TCP connections
#

$IPTABLES -N allowed
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

#
# ICMP rules
#

#
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

#
# TCP rules
#

$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed

#
# UDP ports
#

# Be careful what you choose here, or leave it unchanged
#$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
#$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT

##########################
# INPUT chain
#
# Send the TCP packets we do not want here
#

$IPTABLES -A INPUT -p tcp -j bad_tcp_packets

#
# Rules for packets coming from the Internet.
#

$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udpincoming_packets

#
# Rules for networks that are not part of the Internet
#

$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED \
-j ACCEPT
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT INPUT pakete e vdekur: "

###############################
# OUTPUT chain
#
#
# TCP packets we do not want.
#

$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets

#
# Specific rules in OUTPUT to determine
# which IPs should be allowed.
#

$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT

#
# Log odd packets that were not classified anywhere above.
#

$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT OUTPUT pakete e vdekur: "

# End

If we save all of this in a file, e.g. at:
/etc/init.d/startfirewall.sh

to activate it we need:

root@gateway:/root# chmod u+x /etc/init.d/startfirewall.sh
root@gateway:/root# /etc/init.d/startfirewall.sh

To activate it at boot, the second of the actions above (which can effectively be called a command) must be added to the last of the system initialization procedures, e.g. in: /etc/rc.local
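As an added example (not part of the post above or of the rc.firewall script), here is a small Python parser for the syslog lines that the script's LOG rules produce. It keys on the exact `--log-prefix` strings from the script, counts dropped packets per prefix and per source, and flags sources that hit several different ports; the sample log lines are constructed in the standard kernel LOG format with documentation addresses.

```python
import re
from collections import Counter, defaultdict

# The --log-prefix strings used by the rc.firewall script in the post above.
PREFIXES = ("IPT INPUT pakete e vdekur: ", "IPT FORWARD pakete e vdekur: ",
            "IPT OUTPUT pakete e vdekur: ", "paketa new dhe jo syn:")

# Constructed sample syslog lines in the format the iptables LOG target writes
# (documentation addresses, not real traffic).
SAMPLE_LOG = """\
Mar 16 10:01:02 gateway kernel: IPT INPUT pakete e vdekur: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=194.236.50.155 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1 DF PROTO=TCP SPT=40001 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 16 10:01:03 gateway kernel: IPT INPUT pakete e vdekur: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=194.236.50.155 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=2 DF PROTO=TCP SPT=40002 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 16 10:01:04 gateway kernel: IPT INPUT pakete e vdekur: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=194.236.50.155 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=3 DF PROTO=TCP SPT=40003 DPT=3389 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 16 10:02:10 gateway kernel: IPT FORWARD pakete e vdekur: IN=eth0 OUT=eth1 SRC=198.51.100.9 DST=192.168.0.20 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=4 PROTO=UDP SPT=53 DPT=1025 LEN=20
Mar 16 10:02:11 gateway kernel: paketa new dhe jo syn:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=194.236.50.155 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=5 PROTO=TCP SPT=80 DPT=1026 WINDOW=1024 RES=0x00 ACK URGP=0
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")  # KEY=value tokens; bare flags (DF, SYN) are skipped

def parse_line(line):
    """Return (prefix, fields) if the line carries one of our prefixes, else None."""
    for prefix in PREFIXES:
        pos = line.find(prefix)
        if pos != -1:
            fields = dict(FIELD_RE.findall(line[pos + len(prefix):]))
            return prefix.strip(), fields
    return None

def summarize(log_text, scan_threshold=3):
    """Count logged drops per prefix and per source, and list the sources that
    probed at least scan_threshold distinct destination ports."""
    per_prefix, per_src, ports_by_src = Counter(), Counter(), defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # unrelated kernel message
        prefix, fields = parsed
        src = fields.get("SRC", "?")
        per_prefix[prefix] += 1
        per_src[src] += 1
        if "DPT" in fields:
            ports_by_src[src].add(fields["DPT"])
    scanners = sorted(s for s, p in ports_by_src.items() if len(p) >= scan_threshold)
    return per_prefix, per_src, scanners

if __name__ == "__main__":
    by_prefix, by_src, scanners = summarize(SAMPLE_LOG)
    print(dict(by_prefix), dict(by_src), scanners)
```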
 

qoska

Primus registratum
Re: Example configuration of a filter

<u>Here</u> you will find the continuation of the configuration.
This time it covers how to configure a DNS "cache" for any LAN. This can also be used on Windows, since BIND runs on that OS too.

Next time it will be DHCP.

Best regards.
 

Indulgence

Primus registratum
Re: Example configuration of a filter

Kiddo-Programmer! Is there any hope for me? Two days ago the company I work for filtered the Alboruma on me, i.e. the "message board" category, or whatever group AF falls under!

GURIIIII! PLIIIHIHIHIZZZZZ
 

gurax

Pan ignoramus
Re: Example configuration of a filter

INDULGENCE

For your case, it depends on the program doing the filtering; in some cases these filter "tests" can be circumvented, in some cases not. There is hope, it is not a lost cause. I will get back to you again when I have something more precise later in the day :)
 

Indulgence

Primus registratum
Re: Example configuration of a filter

Thanks, Gurax. Regardless of the result, the effort counts (American style, this)
 

qoska

Primus registratum
Re: Example configuration of a filter

<u>Here</u> is the continuation of the filter configuration.
This time it is DHCP, as I had announced, including the option of replacing or separating DHCP & DNS from the computer on which "Active Directory" runs.

Read the article for more.

Next time, SQUID proxy.

Best regards.
 

gurax

Pan ignoramus
Since we are on the subject of filters, something about blocking unwanted advertisements.

Blocking ads can be done in several ways, depending on how the ad is built and on how it reaches our computer.
One form of blocking is placing a file on the system, known as the "hosts file", which performs a kind of "deception": it gives a wrong location for where the ad is on the network.
The details of how this is done are specific to, and differ between, operating systems. But in all cases the "hosts file" is needed.
One such file is this one: http://winhelp2002.mvps.org/hosts.txt ("right click -> save as..." to save it locally)
Full description of the procedure: http://winhelp2002.mvps.org/hosts.htm
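As an added example (not from the post above or from the MVPS project), here is a Python parser for a hosts file in the format the linked list uses (sinkhole address followed by one or more hostnames, `#` comments), together with a check that shows the main limitation of this technique: a hosts file matches exact names only, so a subdomain of a blocked name is not blocked unless it is listed itself. The sample file content is constructed.

```python
import ipaddress

# Addresses a hosts file maps unwanted names to so they never reach a real server;
# the MVPS list uses 0.0.0.0, older lists used 127.0.0.1.
SINKHOLES = {"0.0.0.0", "127.0.0.1"}
# Names that legitimately map to 127.0.0.1 and must not be reported as "blocked".
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed sample in hosts-file syntax (not the real MVPS list).
SAMPLE_HOSTS = """\
# comment lines start with a hash
127.0.0.1  localhost
0.0.0.0  ad.doubleclick.example
0.0.0.0  tracker.example  stats.tracker.example   # two names on one line
0.0.0.0  Banner.Ads.Example.
192.0.2.10  intranet.example
not-an-address  broken.example
"""

def parse_hosts(text):
    """Map each hostname (lower-cased, trailing dot removed) to its address.
    Comments and blank lines are ignored; lines with an invalid address are skipped."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for name in parts[1:]:
            mapping[name.lower().rstrip(".")] = parts[0]
    return mapping

def is_blocked(hostname, mapping):
    """True when this exact hostname is sinkholed by the hosts file."""
    name = hostname.lower().rstrip(".")
    return name not in LOCAL_NAMES and mapping.get(name) in SINKHOLES

def unblocked_subdomains(names, mapping):
    """Names whose parent domain is blocked but that still resolve normally,
    i.e. coverage the exact-match hosts-file approach loses."""
    out = []
    for n in names:
        n = n.lower().rstrip(".")
        parent = n.split(".", 1)[1] if "." in n else ""
        if not is_blocked(n, mapping) and is_blocked(parent, mapping):
            out.append(n)
    return out
```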
 

gurax

Pan ignoramus
And exactly one day after the post above, today I see news and notices reporting that many large and well-known networks (BBC, New York Times, etc.) have been hit by a problem where their network is being used to distribute 'malware' to all the visitors reading these pages, by (mis)using their advertising infrastructure.

During these last two days, visitors to well-known media networks, including the New York Times, BBC and Newsweek, have been the target of attacks via advertisements that install 'malware' programs on their computers (mostly ransomware in nature, but also quite a few trojans). The websites themselves were not compromised; the problem lies in the ad distribution networks these sites use, which include Google, AppNexus, AOL and Rubicon. These ad networks had been modified to distribute ads with harmful content to visitors.

https://www.helpnetsecurity.com/2016/03/16/malvertising-campaign/
 