Выбрать главу

NO WARRANTY

BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM «AS IS» WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

END OF TERMS AND CONDITIONS

2. How to Apply These Terms to Your New Programs

If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms.

To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the «copyright» line and a pointer to where the full notice is found.

<one line to give the program's name and a brief idea of what it does.>

Copyright (C) <year> <name of author>

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

Also add information on how to contact you by electronic and paper mail.

If the program is interactive, make it output a short notice like this when it starts in an interactive mode:

Gnomovision version 69, Copyright (C) year name of author Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details.

The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than `show w' and `show c'; they could even be mouse-clicks or menu items–whatever suits your program.

You should also get your employer (if you work as a programmer) or your school, if any, to sign a «copyright disclaimer» for the program, if necessary. Here is a sample; alter the names:

Yoyodyne, Inc., hereby disclaims all copyright interest in the program

`Gnomovision' (which makes passes at compilers) written by James Hacker.

<signature of Ty Coon>, 1 April 1989

Ty Coon, President of Vice

This General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Library General Public License instead of this License.

Приложение I. Примеры сценариев

I.1. Пример rc.firewall

#!/bin/sh

#

# rc.firewall – Initial SIMPLE IP Firewall script for Linux 2.4.x and iptables

#

# Copyright (C) 2001 Oskar Andreasson <bluefluxATkoffeinDOTnet>

#

# This program is free software; you can redistribute it and/or modify

# it under the terms of the GNU General Public License as published by

# the Free Software Foundation; version 2 of the License.

#

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

# GNU General Public License for more details.

#

# You should have received a copy of the GNU General Public License

# along with this program or from the site that you downloaded it

# from; if not, write to the Free Software Foundation, Inc., 59 Temple

# Place, Suite 330, Boston, MA 02111-1307 USA

#

###########################################################################

#

# 1. Configuration options.

#

#

# 1.1 Internet Configuration.

#

INET_IP="194.236.50.155"

INET_IFACE="eth0"

INET_BROADCAST="194.236.50.255"

#

# 1.1.1 DHCP

#

#

# 1.1.2 PPPoE

#

#

# 1.2 Local Area Network configuration.

#

# your LAN's IP range and localhost IP. /24 means to only use the first 24

# bits of the 32 bit IP address. the same as netmask 255.255.255.0

#

LAN_IP="192.168.0.2"

LAN_IP_RANGE="192.168.0.0/16"

LAN_IFACE="eth1"

#

# 1.3 DMZ Configuration.

#

#

# 1.4 Localhost Configuration.

#

LO_IFACE="lo"

LO_IP="127.0.0.1"

#

# 1.5 IPTables Configuration.

#

IPTABLES="/usr/sbin/iptables"

#

# 1.6 Other Configuration.

#

###########################################################################

#

# 2. Module loading.

#

#

# Needed to initially load modules

#

/sbin/depmod -a

#

# 2.1 Required modules

#

/sbin/modprobe ip_tables

/sbin/modprobe ip_conntrack

/sbin/modprobe iptable_filter

/sbin/modprobe iptable_mangle

/sbin/modprobe iptable_nat

/sbin/modprobe ipt_LOG

/sbin/modprobe ipt_limit

/sbin/modprobe ipt_state

#

# 2.2 Non-Required modules

#

#/sbin/modprobe ipt_owner

#/sbin/modprobe ipt_REJECT

#/sbin/modprobe ipt_MASQUERADE

#/sbin/modprobe ip_conntrack_ftp

#/sbin/modprobe ip_conntrack_irc

#/sbin/modprobe ip_nat_ftp

#/sbin/modprobe ip_nat_irc

###########################################################################

#

# 3. /proc set up.

#

#

# 3.1 Required proc configuration

#

echo "1" > /proc/sys/net/ipv4/ip_forward

#

# 3.2 Non-Required proc configuration

#

#echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter

#echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp

#echo "1" > /proc/sys/net/ipv4/ip_dynaddr

###########################################################################

#

# 4. rules set up.

#

######

# 4.1 Filter table

#

#

# 4.1.1 Set policies

#

$IPTABLES -P INPUT DROP

$IPTABLES -P OUTPUT DROP

$IPTABLES -P FORWARD DROP

#

# 4.1.2 Create userspecified chains

#

#

# Create chain for bad tcp packets

#

$IPTABLES -N bad_tcp_packets

#

# Create separate chains for ICMP, TCP and UDP to traverse

#

$IPTABLES -N allowed

$IPTABLES -N tcp_packets

$IPTABLES -N udp_packets

$IPTABLES -N icmp_packets

#

# 4.1.3 Create content in userspecified chains

#

#

# bad_tcp_packets chain

#

$IPTABLES -A bad_tcp_packets -p tcp –tcp-flags SYN,ACK SYN,ACK \

–m state –state NEW -j REJECT –reject-with tcp-reset

$IPTABLES -A bad_tcp_packets -p tcp ! –syn -m state –state NEW -j LOG \

–log-prefix «New not syn:»

$IPTABLES -A bad_tcp_packets -p tcp ! –syn -m state –state NEW -j DROP

#

# allowed chain

#

$IPTABLES -A allowed -p TCP –syn -j ACCEPT

$IPTABLES -A allowed -p TCP -m state –state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A allowed -p TCP -j DROP

#

# TCP rules

#

$IPTABLES -A tcp_packets -p TCP -s 0/0 –dport 21 -j allowed

$IPTABLES -A tcp_packets -p TCP -s 0/0 –dport 22 -j allowed

$IPTABLES -A tcp_packets -p TCP -s 0/0 –dport 80 -j allowed

$IPTABLES -A tcp_packets -p TCP -s 0/0 –dport 113 -j allowed

#

# UDP ports

#

#$IPTABLES -A udp_packets -p UDP -s 0/0 –destination-port 53 -j ACCEPT

#$IPTABLES -A udp_packets -p UDP -s 0/0 –destination-port 123 -j ACCEPT

$IPTABLES -A udp_packets -p UDP -s 0/0 –destination-port 2074 -j ACCEPT

$IPTABLES -A udp_packets -p UDP -s 0/0 –destination-port 4000 -j ACCEPT

#

# In Microsoft Networks you will be swamped by broadcasts. These lines

# will prevent them from showing up in the logs.

#

#$IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d $INET_BROADCAST \

#–destination-port 135:139 -j DROP

#

# If we get DHCP requests from the Outside of our network, our logs will

# be swamped as well. This rule will block them from getting logged.

#

#$IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d 255.255.255.255 \

#–destination-port 67:68 -j DROP

#

# ICMP rules

#

$IPTABLES -A icmp_packets -p ICMP -s 0/0 –icmp-type 8 -j ACCEPT

$IPTABLES -A icmp_packets -p ICMP -s 0/0 –icmp-type 11 -j ACCEPT

#

# 4.1.4 INPUT chain

#

#

# Bad TCP packets we don't want.