Firewall di livello 7: Cloudflare, Web Application Firewall
https://www.cloudflare.com/waf/ — integrate the firewall into your web code
RETE configurazioni generali e condivisione connessione
Iptables persistent , quick iptables reference
good guide http://www.microhowto.info/howto/make_the_configuration_of_iptables_persistent_on_debian.html
and for the rule http://wiki.vpslink.com/HOWTO:_Building_IPTables_rules
aptitude install iptables-persistent
and here a good file for the configuration
# Rules file for iptables-persistent (iptables-save format), filter table only.
# The nat table is not part of this file, so any DNAT/MASQUERADE rules live elsewhere.
*filter
# Chain policies are all ACCEPT.  The default-deny for INPUT comes from the explicit
# "-A INPUT -j DROP" at the end; FORWARD and OUTPUT stay completely open.
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Completed on Thu Mar 6 16:16:08 2014
# Replies to connections the host opened itself, plus related traffic (e.g. ICMP errors).
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Matches by source ADDRESS ("localhost" is resolved when the rules are loaded,
# normally to 127.0.0.1), not by interface.  NOTE(review): a packet arriving on
# another interface with a forged 127.0.0.1 source would also match unless the
# kernel's martian/rp_filter handling drops it first; "-i lo" is the tighter form.
-A INPUT -s localhost -j ACCEPT
# SSH is reachable from any source (0/0); nothing in this file rate-limits it.
-A INPUT -s 0/0 -p tcp --dport 22 -j ACCEPT -m comment --comment ssh
# Only this single address may reach MySQL.  NOTE(review): 8.8.8.8 is Google's
# public DNS resolver, so this looks like a placeholder — confirm it is really
# the intended client address before deploying.
-A INPUT -s 8.8.8.8/32 -p tcp --dport 3306 -j ACCEPT -m comment --comment mysql
# Everything else is dropped silently: no LOG rule precedes it, and no ICMP
# (ping, path-MTU) is admitted either.
-A INPUT -j DROP
COMMIT
The first lines set the default policy of each chain to ACCEPT; the explicit `-A INPUT -j DROP` at the end is what actually rejects unmatched input.
Impostazione sistema debian
Un altro modo per configurare le opzioni su sistemi debian è manipolare il file di configurazione della rete
/etc/network/interfaces
Mettere un esempio di file di configurazione
Per ricaricare le impostazioni lanciare
/etc/init.d/networking restart
Interfaces
# /etc/network/interfaces example: one static interface (eth0) plus one DHCP interface (eth1).
auto lo
iface lo inet loopback
# The primary network interface
# "auto" brings eth0 up at boot; the allow-hotplug alternative is kept commented out.
#allow-hotplug eth0
auto eth0
iface eth0 inet static
address 192.168.100.5
netmask 255.255.255.0
network 192.168.100.0
broadcast 192.168.100.255
gateway 192.168.100.1
# dns-* options are implemented by the resolvconf package, if installed
# A single external resolver (208.67.222.222 belongs to OpenDNS): with no
# internal server listed, lookups for the intranet search domain go there too.
dns-nameservers 208.67.222.222
dns-search intranet.miazienda.com
# "up" hook: adds 192.168.100.110/24 as a second address on eth0 once the
# interface is up.  There is no matching "down" line to remove it —
# NOTE(review): presumably harmless because ifdown clears the interface, but confirm.
up ip addr add 192.168.100.110/24 dev eth0
# I think hotplug does not work
#allow-hotplug eth1
auto eth1
iface eth1 inet dhcp
ip
Il comando ip sta sostituendo il più datato ifconfig.
# Quick reference for the "ip" command (iproute2).  Anything that changes
# state (set/add/del/flush) needs root (CAP_NET_ADMIN).
# show the state of the links
ip link show
# bring it up
ip link set eth0 up
# check it
ip link show dev eth0
# show all the addresses of all interfaces
ip addr show
ip addr show eth0 # eth0 only
# show all the routing entries
ip route show
# delete an address
ip addr del 192.168.211.1/24 dev tap0
# this deletes the whole class; try with a netmask that identifies a single ip, /32
# NOTE(review): what the author saw is presumably the kernel dropping the other
# addresses of the same subnet when the primary one is removed (default
# promote_secondaries=0).  Also, the prefix length given to "del" must be the one
# the address was added with, so the /32 form below only matches a /32 address.
ip addr del 192.168.211.1/32 dev tap0
# add an address
ip addr add 1.2.3.200/25 dev eth0
# add a route
ip route add 10.38.0.0/16 via 192.168.100.1
# add the default gateway
ip route add default via 192.168.100.1
# delete the default gateway
ip route del default via 192.168.100.1
# delete all the ip addresses of an interface
# Removes every address on eth0 at once: run over a remote session that
# arrives on eth0 this cuts the connection.
ip address flush dev eth0
ip e la tabella di arp
visualizzare la tabella di arp
ip neigh show
192.168.9.9 dev eth0 lladdr 00:1a:7e:1c:a6:a9 STALE
192.168.9.1 dev eth0 lladdr 70:7:bc:3f:2c:f2 STALE
Rendere permanente una entry arp
ip neigh change 192.168.9.1 lladdr 70:7:bc:3f:2c:f4 nud permanent dev eth0
Approfondire l'uso di ip da
http://linux-ip.net/html/tools-ip-route.html
e in generale del sito
http://linux-ip.net/
Destination Nat e masquerade
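# Destination NAT ("port forward") plus masquerade for an internal database
# server: connections arriving on EXT_IFACE for EXT_ADDR1:15432 from outside
# LOCALNETS are redirected to 192.168.97.25:5432 (5432 is PostgreSQL's default
# port), and the forwarded packets are masqueraded on the way in so the server
# answers through the firewall.
#
# Variables (names kept; other snippets may reuse them):
#   EXT_IFACE  external (Internet-facing) interface
#   INT_IFACE  internal interface the server sits behind
#   EXT_ADDR1  external address that is forwarded
#   EXT_ADDR2  declared for a second forward, unused here
#   LOCALNETS  range treated as local; sources inside it are excluded (! -s)
EXT_IFACE=eth0
INT_IFACE=eth1
EXT_ADDR1=172.16.15.10
EXT_ADDR2=172.16.15.11
LOCALNETS=192.168.0.0/16

# "! -s" is the current negation syntax; the old "-s ! x" form only loads with a
# deprecation warning on recent iptables.  Expansions are quoted.  Note that -A
# appends on every run, so re-running the script stacks duplicate rules
# (iptables -C can be used to test for an existing rule first).
iptables -t nat -A PREROUTING -i "$EXT_IFACE" ! -s "$LOCALNETS" -d "$EXT_ADDR1/32" \
  -p tcp --dport 15432 -j DNAT --to 192.168.97.25:5432

# MASQUERADE rewrites the client source to the firewall's INT_IFACE address, so
# the database only ever sees connections from the firewall: its own logs and any
# per-client-address access control cannot tell external clients apart.  Which
# external sources are allowed to reach the server at all is decided by the
# FORWARD chain of the filter table, not by this NAT rule.
iptables -t nat -A POSTROUTING -o "$INT_IFACE" ! -s "$LOCALNETS" -d 192.168.97.25/32 -j MASQUERADE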
Link in dettaglio
ip -s -s link show dev eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:1a:4b:7c:ef:6a brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
201043653 157703 0 0 0 449
RX errors: length crc frame fifo missed
0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
10523573 106665 0 0 0 0
TX errors: aborted fifo window heartbeat
0 0 0 0
Tunnel
Ecco un fantastico modo di fare tunneling: basta creare uno script come quello sotto e poi metterlo in /etc/init.d/. Bisogna installare anche il pacchetto 6tunnel.
#!/bin/sh
PATH=$PATH:.
start_tunnel() {
VHOST=$1
LPORT=$2
RHOST=$3
RPORT=$4
6tunnel -4 $LPORT $RHOST $RPORT
#ATTENZIONE IN UBUNTU 12 BISOGNA LEVARE L'OPZIONE -4 e mettere -6 ALTRIMENTI DA UN ERRORE
echo $LPORT
}
start_tunnel cvs 2401 192.168.1.63 2401
start_tunnel tomcatalfa 9003 192.168.1.30 8080
start_tunnel tomcatbeta 9005 192.168.1.27 8080
L'opzione -4 dice a 6tunnel di lavorare su IPv4.
Per chiudere un tunnel fare
root@ubuntu:~# ps aux | grep tunnel
root 1384 0.0 0.0 1752 272 ? Ss 16:56 0:00 6tunnel -4 443 192.168.1.242 443
root 1391 0.0 0.0 1752 276 ? Ss 16:57 0:00 6tunnel -4 902 192.168.1.242 902
root 1418 0.0 0.0 1752 272 ? Ss 16:57 0:00 6tunnel -4 80 192.168.1.242 80
root 1536 0.0 0.0 3320 808 pts/0 S+ 17:35 0:00 grep --color=auto tunnel
e poi un kill del PID del tunnel che vogliamo chiudere.
FIREWALL
Codice per configurazione base di un firewall iptables
#!/bin/bash
# Basic iptables firewall for a router with the LAN 192.168.100.0/24 behind eth1.
# INPUT and FORWARD are default-deny, OUTPUT (traffic generated by the firewall
# itself) is open.  Rules are order-dependent: iptables walks each chain top to
# bottom and the first matching rule decides.

# Load connection tracking and the FTP helper that follows ftp data connections.
# NOTE(review): these are the legacy module names; current kernels call them
# nf_conntrack / nf_conntrack_ftp — confirm the aliases still resolve here.
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# -F only flushes the filter table: nat rules and user-defined chains (-X) survive
# a re-run of this script.
iptables -F
# From here until the ESTABLISHED,RELATED INPUT rule near the end, replies to an
# existing remote admin session are dropped (TCP retransmits usually cover it).
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
################ rules for e-mail and ftp (LAN -> anywhere; -d 0/0 is any destination)
# Service names are resolved through /etc/services.  NOTE(review): "imap3" is
# port 220 there, not 143 (imap/imap2) — confirm that is intended.  POP3/IMAP
# over udp are also listed; those protocols run over tcp, so the udp rules are
# presumably never matched — harmless but wider than needed.
iptables -A FORWARD -p udp -s 192.168.100.0/24 -d 0/0 --dport domain -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.100.0/24 -d 0/0 --dport pop3 -j ACCEPT
iptables -A FORWARD -p udp -s 192.168.100.0/24 -d 0/0 --dport pop3 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.100.0/24 -d 0/0 --dport smtp -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.100.0/24 -d 0/0 --dport ssmtp -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.100.0/24 -d 0/0 --dport pop3s -j ACCEPT
iptables -A FORWARD -p udp -s 192.168.100.0/24 -d 0/0 --dport pop3s -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.100.0/24 -d 0/0 --dport imap3 -j ACCEPT
iptables -A FORWARD -p udp -s 192.168.100.0/24 -d 0/0 --dport imap3 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.100.0/24 -d 0/0 --dport imaps -j ACCEPT
iptables -A FORWARD -p udp -s 192.168.100.0/24 -d 0/0 --dport imaps -j ACCEPT
# for passive ftp
# Control channel (port 21) both ways, then any high-port pair: inbound only once
# ESTABLISHED, outbound also when RELATED (the state the ftp helper assigns to
# data connections).  "-m state" is the older spelling of "-m conntrack --ctstate"
# used in the first ruleset on this page.
iptables -A FORWARD -d 192.168.100.0/24 -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 192.168.100.0/24 -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -d 192.168.100.0/24 -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 192.168.100.0/24 -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
##########################
# already-established connections must keep working
# This general inbound rule is a superset of the two "-d 192.168.100.0/24" ftp
# rules above; they could be dropped without changing what is accepted.
iptables -A FORWARD -d 192.168.100.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Everything from the LAN arriving on eth1 may reach the firewall itself, on any
# port: the trust here rests entirely on eth1 being the internal segment.
iptables -A INPUT -s 192.168.100.0/24 -i eth1 -j ACCEPT # it is here for internal samba
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # makes squid work
iptables -A INPUT -i lo -j ACCEPT
# Not done here: enabling net.ipv4.ip_forward (without it no FORWARD rule carries
# traffic), dropping INVALID state, and logging before the DROP policies.
VLAN SU LINUX
Ecco un esempio di definizione delle interfacce VLAN sotto Linux: all'interfaccia eth0 è collegata la porta di trunk dello switch, ed è Linux che effettua l'untagging delle VLAN.
# /etc/network/interfaces with three 802.1Q VLAN sub-interfaces on top of eth0.
# eth0 itself carries the switch trunk and has no address of its own here.
# NOTE(review): vlan_raw_device is handled by the ifupdown vlan hook (Debian
# "vlan" package), which also brings the raw device up — confirm it is installed.
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
# The VLAN id is presumably taken from the interface name (vlan99 -> id 99).
auto vlan99
iface vlan99 inet static
address 192.168.99.1
netmask 255.255.255.0
network 192.168.99.0
broadcast 192.168.99.255
vlan_raw_device eth0
auto vlan100
iface vlan100 inet static
address 192.168.100.1
netmask 255.255.255.0
network 192.168.100.0
broadcast 192.168.100.255
vlan_raw_device eth0
auto vlan101
iface vlan101 inet static
address 192.168.101.1
netmask 255.255.255.0
network 192.168.101.0
broadcast 192.168.101.255
vlan_raw_device eth0
# This host holds the .1 address of all three VLANs (presumably their gateway).
# Whether traffic may cross between VLANs is not decided here but by
# ip_forward and the FORWARD chain: the segmentation is only as strong as the
# firewall rules on this box.
Comandi da lanciare da shell o script
La connessione internet viene da eth0 e deve andare a eth1
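#!/bin/bash
# Bring up a two-interface NAT router: the Internet link is eth0, the LAN is
# eth1.  Must run as root.  Uses the legacy ifconfig/route tools; the ip
# equivalents are listed in the "ip" section of this page.

ifconfig eth0 down
ifconfig eth1 down
# No explicit netmask: ifconfig presumably falls back to the classful default
# (/24 for these 192.168.x.x addresses), which is what both networks use.
ifconfig eth0 192.168.0.200 up
ifconfig eth1 192.168.100.1 up
#route add -net 192.168.1.0 netmask 255.255.255.0 dev eth0
#route add -net 192.168.100.0 netmask 255.255.255.0 dev eth1
route add default gw 192.168.0.1

# Enable IPv4 forwarding.  The original used ">>"; writing to a /proc sysctl
# replaces the value rather than appending, so ">" says what actually happens.
echo 1 > /proc/sys/net/ipv4/ip_forward

# Masquerade everything that leaves through eth0, whatever its source (no -s
# restriction, and no FORWARD policy is set in this script).  Test with -C
# before appending so re-running the script does not stack duplicate rules.
iptables -t nat -C POSTROUTING -o eth0 -j MASQUERADE 2>/dev/null \
  || iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# (A stray "alias ls='ls -l'" used to sit here.  Aliases are not expanded in
# non-interactive scripts, so it had no effect and was dropped.)

# NOTE(review): 192.168.9.3 is in neither configured subnet (192.168.0.0/24,
# 192.168.100.0/24); unless another interface reaches 192.168.9.x this route
# add fails with "network unreachable" — confirm the gateway address.
route add -net 172.16.0.0 netmask 255.255.0.0 gw 192.168.9.3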