Catatan IPTABLES II

bash-3.1# cat iptables-save1

Perintah di atas digunakan untuk melihat isi file iptables-save1.

# Generated by iptables-save v1.4.3.2 on Fri Apr  2 15:58:07 2010
*nat
-:PREROUTING ACCEPT [0:0]
-:POSTROUTING ACCEPT [16:1136]
:OUTPUT ACCEPT [50:3704]
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Fri Apr  2 15:58:07 2010
# Generated by iptables-save v1.4.3.2 on Fri Apr  2 15:58:07 2010
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [26:3082]
-:DEFAULT - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 10.0.0.0/8 -i eth0 -j DROP
-A INPUT -s 172.16.0.0/12 -i eth0 -j DROP
-A INPUT -s 192.168.0.0/16 -i eth0 -j DROP
-A INPUT -s 127.0.0.0/8 -i eth0 -j DROP
-A INPUT -s 169.254.0.0/16 -i eth0 -j DROP
-A INPUT -s 224.0.0.0/4 -i eth0 -j DROP
-A INPUT -s 240.0.0.0/5 -i eth0 -j DROP
-A INPUT -s 255.255.255.255/32 -j DROP
-A INPUT -i eth1 -j ACCEPT
-A INPUT -d 192.168.0.80/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -d 192.168.0.80/32 -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -d 192.168.0.80/32 -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -d 192.168.0.80/32 -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -j DEFAULT
-A FORWARD -j DEFAULT
-A DEFAULT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A DEFAULT ! -i eth0 -m state --state NEW -j ACCEPT
-A DEFAULT -m limit --limit 30/min -j LOG --log-prefix "Dropping: "
-A DEFAULT -j DROP
COMMIT
# Completed on Fri Apr  2 15:58:07 2010

catatan:
Hapus tanda “-” di awal baris 4, 5, dan 32 (baris yang dimulai dengan “-:PREROUTING”, “-:POSTROUTING”, dan “-:DEFAULT”) sebelum file ini dipakai oleh iptables-restore. Tanda “-” itu sengaja ditulis hanya untuk tampilan, karena gabungan “:” dengan “D” atau “:” dengan “P” otomatis berubah menjadi emoticon (“smile”). Perhatikan juga bahwa baris `-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE` muncul 18 kali; satu baris saja sudah cukup, sisanya duplikat (kemungkinan karena aturan yang sama ditambahkan berulang kali tanpa dihapus dulu). Selain itu, aturan `-A INPUT -d 192.168.0.80/32 -p tcp -m tcp --dport 80 -j ACCEPT` tidak membatasi interface masuk (-i), sehingga port 80 juga terbuka untuk paket yang datang lewat eth0.

Aturan diaktifkan dengan perintah iptables-restore, lalu diperiksa dengan iptables -L -n -v:

bash-3.1# iptables-restore iptables-save1 
bash-3.1# iptables -L -n -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    9  1419 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  eth0   *       10.0.0.0/8           0.0.0.0/0           
    0     0 DROP       all  --  eth0   *       172.16.0.0/12        0.0.0.0/0           
    0     0 DROP       all  --  eth0   *       192.168.0.0/16       0.0.0.0/0           
    0     0 DROP       all  --  eth0   *       127.0.0.0/8          0.0.0.0/0           
    0     0 DROP       all  --  eth0   *       169.254.0.0/16       0.0.0.0/0           
    0     0 DROP       all  --  eth0   *       224.0.0.0/4          0.0.0.0/0           
    0     0 DROP       all  --  eth0   *       240.0.0.0/5          0.0.0.0/0           
    0     0 DROP       all  --  *      *       255.255.255.255      0.0.0.0/0           
    0     0 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.80        tcp dpt:80 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.0.80        icmp type 0 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.0.80        icmp type 3 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            192.168.0.80        icmp type 11 
    5   268 DEFAULT    all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DEFAULT    all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 14 packets, 5800 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain DEFAULT (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    5   268 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 ACCEPT     all  --  !eth0  *       0.0.0.0/0            0.0.0.0/0           state NEW 
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 30/min burst 5 LOG flags 0 level 4 prefix `Dropping: ' 
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Hasil dari aturan LOG (prefix “Dropping: ”) dicatat di /var/log/syslog:

bash-3.1# cat /var/log/syslog | grep Drop
Apr  5 08:48:27 pisang kernel: Dropping: IN=eth0 OUT= MAC=00:xx:xx:xx:xx:xx:00:13:xx:3a:a7:83:xx:xx SRC=xxx.xxx.x.xx DST=192.168.0.80 LEN=xx TOS=0x00 PREC=0x00 TTL=xx ID=0 DF PROTO=xxx SPT=xx DPT=62357 LEN=XX

sumber: http://www.tldp.org/HOWTO/Security-Quickstart-HOWTO/index.html
