Chapter 10. GIPTables Firewall - software for configuring IPTables | LINUX-SERVER

NETWORK1_IN_DROP_NEW_WITHOUT_SYN="yes"
# Drop all incoming fragments
INTERFACE0_IN_DROP_ALL_FRAGMENTS="yes"
INTERFACE1_IN_DROP_ALL_FRAGMENTS="yes"
NETWORK1_IN_DROP_ALL_FRAGMENTS="yes"
# Drop all incoming malformed XMAS packets
INTERFACE0_IN_DROP_XMAS_PACKETS="yes"
INTERFACE1_IN_DROP_XMAS_PACKETS="yes"
NETWORK1_IN_DROP_XMAS_PACKETS="yes"
# Drop all incoming malformed NULL packets
INTERFACE0_IN_DROP_NULL_PACKETS="yes"
INTERFACE1_IN_DROP_NULL_PACKETS="yes"
NETWORK1_IN_DROP_NULL_PACKETS="yes"
#-----------------------------------------------------------------------
# Spoofing and bad addresses
#
REFUSE_SPOOFING="yes"
# Refuse incoming packets claiming to be from the ip addresses of our
# interfaces
# Allow packet forwarding between the internal and external interfaces,
# i.e. between the local and external networks.
REFUSE_SPOOFING_IPADDR[0]=$INTERFACE0_IPADDR
INTERFACE0_IN_REFUSE_SPOOFING[0]="yes"
INTERFACE1_IN_REFUSE_SPOOFING[0]="no"
NETWORK1_IN_REFUSE_SPOOFING[0]="yes"
REFUSE_SPOOFING_IPADDR[1]=$INTERFACE1_IPADDR
INTERFACE0_IN_REFUSE_SPOOFING[1]="no"
INTERFACE1_IN_REFUSE_SPOOFING[1]="yes"
NETWORK1_IN_REFUSE_SPOOFING[1]="no"
# Refuse incoming packets claiming to be from broadcast-src address range
REFUSE_SPOOFING_IPADDR[2]="0.0.0.0/8"
# If you provide DHCP services on one of your interfaces, do not forget to
# set the following option related to that interface to "no"
INTERFACE0_IN_REFUSE_SPOOFING[2]="yes"
INTERFACE1_IN_REFUSE_SPOOFING[2]="no"
NETWORK1_IN_REFUSE_SPOOFING[2]="yes"
# Refuse incoming packets claiming to be from reserved loopback address range
REFUSE_SPOOFING_IPADDR[3]="127.0.0.0/8"
INTERFACE0_IN_REFUSE_SPOOFING[3]="yes"
INTERFACE1_IN_REFUSE_SPOOFING[3]="yes"
NETWORK1_IN_REFUSE_SPOOFING[3]="yes"
# Filter packets that claim to come from addresses reserved for private
# networks. It is very important not to filter packets that arrive from
# the local network on the internal network interface.
# Refuse incoming packets claiming to be from class A private network
# If you use a class A local network, change the parameter values to:
# INTERFACE0_IN_REFUSE_SPOOFING[4]="yes"
# INTERFACE1_IN_REFUSE_SPOOFING[4]="no"
# NETWORK1_IN_REFUSE_SPOOFING[4]="no"
REFUSE_SPOOFING_IPADDR[4]="10.0.0.0/8"
INTERFACE0_IN_REFUSE_SPOOFING[4]="yes"
INTERFACE1_IN_REFUSE_SPOOFING[4]="yes"
NETWORK1_IN_REFUSE_SPOOFING[4]="yes"
# Refuse incoming packets claiming to be from class B private network
# If you use a class B local network, change the parameter values to:
# INTERFACE0_IN_REFUSE_SPOOFING[5]="yes"
# INTERFACE1_IN_REFUSE_SPOOFING[5]="no"
# NETWORK1_IN_REFUSE_SPOOFING[5]="no"
REFUSE_SPOOFING_IPADDR[5]="172.16.0.0/12"
INTERFACE0_IN_REFUSE_SPOOFING[5]="yes"
INTERFACE1_IN_REFUSE_SPOOFING[5]="yes"
NETWORK1_IN_REFUSE_SPOOFING[5]="yes"
# Refuse incoming packets claiming to be from class C private network
# If you do not use a class C local network, change the parameter values:
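The anti-spoofing arrays above are easy to get wrong in exactly the way the comments warn about: leaving the private range that contains your own LAN set to "yes" on INTERFACE1 and NETWORK1 silently drops all internal traffic. The following checker is an added example written for this page, not part of GIPTables; it parses a constructed fragment in the same NAME[i]=VALUE format (the INTERFACE0_IPADDR, INTERFACE1_IPADDR and NETWORK1 values are made up) and reports any refused range that would swallow the LAN on the internal side.

```python
import ipaddress
import re

# Constructed sample of the spoofing section of giptables.conf. The interface
# and NETWORK1 values are made up for this demo; the page does not give them.
SAMPLE_CONF = """
INTERFACE0_IPADDR="203.0.113.10"
INTERFACE1_IPADDR="10.1.0.1"
NETWORK1="10.1.0.0/16"
REFUSE_SPOOFING_IPADDR[0]=$INTERFACE0_IPADDR
INTERFACE0_IN_REFUSE_SPOOFING[0]="yes"
INTERFACE1_IN_REFUSE_SPOOFING[0]="no"
NETWORK1_IN_REFUSE_SPOOFING[0]="yes"
REFUSE_SPOOFING_IPADDR[4]="10.0.0.0/8"
INTERFACE0_IN_REFUSE_SPOOFING[4]="yes"
INTERFACE1_IN_REFUSE_SPOOFING[4]="yes"
NETWORK1_IN_REFUSE_SPOOFING[4]="yes"
"""

LINE = re.compile(r'^(\w+)(?:\[(\d+)\])?=(.*)$')

def parse_conf(text):
    """Parse NAME=VALUE / NAME[i]=VALUE lines; $VAR resolves against earlier scalars."""
    scalars, arrays = {}, {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:                      # comment or blank line
            continue
        name, idx, val = m.groups()
        val = val.strip('"')
        if val.startswith('$'):
            val = scalars.get(val[1:], '')
        if idx is None:
            scalars[name] = val
        else:
            arrays.setdefault(name, {})[int(idx)] = val
    return scalars, arrays

def lint_spoofing(scalars, arrays):
    """A refused range containing NETWORK1 must be "no" on INTERFACE1 and NETWORK1."""
    lan = ipaddress.ip_network(scalars['NETWORK1'], strict=False)
    findings = []
    for i, cidr in sorted(arrays['REFUSE_SPOOFING_IPADDR'].items()):
        if not lan.overlaps(ipaddress.ip_network(cidr, strict=False)):
            continue                   # range does not touch the LAN, safe to refuse
        for key in ('INTERFACE1_IN_REFUSE_SPOOFING', 'NETWORK1_IN_REFUSE_SPOOFING'):
            if arrays.get(key, {}).get(i) == 'yes':
                findings.append(f'{key}[{i}]="yes" would drop LAN {lan} (inside {cidr})')
    return findings
```

Running the checker on the sample reports both entries at index 4; setting them to "no" as the comments above prescribe yields an empty report.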
