[ dr_ambis @ 16.04.2007. 01:21 ] @
I'm wondering how secure filtering by MAC address is. Namely, I share internet with a friend and we are on a network with 6 others. I have a server on which I set the policies for INPUT, FORWARD, OUTPUT and PREROUTING to DROP and allowed only the MACs of our network cards in the PREROUTING and INPUT tables (so no complicated IPTABLES script, just MAC filtering). I enabled forwarding and masquerading and it works. Now I'd like to know how impermeable this is to various kinds of packets, DoS attacks, scans and the like. Here is the little script as well:

#!/bin/sh
IPT="/usr/sbin/iptables"
EXTIF="eth1"
INTIF="eth0"
LOCAL_IP="192.168.1.1"
LOCAL_NET="192.168.1.0/24"
LOCAL_BCAST="192.168.1.255"
LO_IFACE="lo"
LO_IP="127.0.0.1"

echo "1" > /proc/sys/net/ipv4/ip_dynaddr
echo "1" > /proc/sys/net/ipv4/ip_forward

# Reset policies to ACCEPT, then flush and delete all chains
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X

# Default policies: drop everything
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
$IPT -t nat -P PREROUTING DROP

# Loopback
$IPT -t filter -A INPUT -p ALL -i $LO_IFACE -j ACCEPT

# Allow only our network cards, by MAC address
$IPT -t nat -A PREROUTING -m mac --mac-source 00:05:5D:xx:xx:xx -j ACCEPT
$IPT -t filter -A INPUT -m mac --mac-source 00:05:5D:xx:xx:xx -j ACCEPT
$IPT -t nat -A PREROUTING -m mac --mac-source 00:40:B9:xx:xx:xx -j ACCEPT
$IPT -t filter -A INPUT -m mac --mac-source 00:40:B9:xx:xx:xx -j ACCEPT
$IPT -t nat -A PREROUTING -m mac --mac-source 00:0C:76:xx:xx:xx -j ACCEPT
$IPT -t filter -A INPUT -m mac --mac-source 00:0C:76:xx:xx:xx -j ACCEPT
$IPT -t filter -A INPUT -m mac --mac-source 00:80:5F:xx:xx:xx -j ACCEPT
$IPT -t filter -A INPUT -m mac --mac-source 00:0D:88:xx:xx:xx -j ACCEPT
$IPT -t filter -A INPUT -m mac --mac-source 00:05:5D:xx:xx:xx -j ACCEPT

# Outbound traffic and forwarding between the interfaces
$IPT -t filter -A OUTPUT -p ALL -j ACCEPT
$IPT -t filter -A FORWARD -p ALL -i $INTIF -o $EXTIF -j ACCEPT
$IPT -t filter -A FORWARD -i $INTIF -o $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -t filter -A FORWARD -p ALL -i $LO_IFACE -o $EXTIF -j ACCEPT
$IPT -t filter -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -t filter -A FORWARD -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -t filter -A FORWARD -o $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -t filter -A FORWARD -i $INTIF -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -t filter -A FORWARD -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT

# Masquerade the internal network behind the external interface
$IPT -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

This has been verified to work: I swapped network cards on my computer and had no access with any of them except the one whose MAC I allowed.
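Added example, not code from the post or from anyone in this thread: a small Python audit over a constructed rule list modelled on the script above (placeholder MACs, assumed external interface eth1). It flags the two points a reviewer would raise about a MAC-only allow-list: MAC rules not bound to an interface, and a FORWARD rule that accepts NEW connections arriving on the external interface.

```python
"""Audit an iptables rule list for weak spots in a MAC-allow-list firewall."""
import shlex
from typing import List, Optional

EXTIF = "eth1"  # assumed external interface, as in the post's script

# Constructed sample modelled on the post's rules; MACs are placeholders, not real cards
SAMPLE_RULES = [
    "iptables -P INPUT DROP",
    "iptables -P FORWARD DROP",
    "iptables -t filter -A INPUT -p ALL -i lo -j ACCEPT",
    "iptables -t filter -A INPUT -m mac --mac-source 00:05:5D:00:00:01 -j ACCEPT",
    "iptables -t filter -A INPUT -i eth0 -m mac --mac-source 00:40:B9:00:00:02 -j ACCEPT",
    "iptables -t filter -A FORWARD -i eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT",
    "iptables -t filter -A FORWARD -i eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT",
]


def _opt(tokens: List[str], flag: str) -> Optional[str]:
    """Return the value following `flag` in a tokenised iptables command, or None."""
    try:
        return tokens[tokens.index(flag) + 1]
    except (ValueError, IndexError):
        return None


def audit(rules: List[str], extif: str = EXTIF) -> List[str]:
    """Return one finding per ACCEPT rule that weakens a MAC-only allow-list."""
    findings = []
    for rule in rules:
        t = shlex.split(rule)
        chain, iface, mac = _opt(t, "-A"), _opt(t, "-i"), _opt(t, "--mac-source")
        states = (_opt(t, "--state") or "").split(",")
        if _opt(t, "-j") != "ACCEPT":
            continue  # policy lines and non-ACCEPT rules are not of interest here
        # A MAC match without -i applies on every interface, so the allow-list
        # entry is not tied to the LAN segment the card actually sits on.
        if mac and iface is None:
            findings.append(f"{chain}: MAC rule for {mac} is not bound to an interface")
        # MAC filtering only covers INPUT/PREROUTING; a FORWARD rule accepting NEW
        # on the external interface leaves unsolicited inbound forwarding to whatever
        # else drops it first (in the post, only the nat PREROUTING policy).
        if chain == "FORWARD" and iface == extif and "NEW" in states:
            findings.append(f"FORWARD: accepts NEW connections arriving on {extif}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print("WARN", finding)
```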