Post subject: CCR instead of Linux GW
Posted: 24.05.2014 - 21:23 #106560
Basic | Joined: Feb 18, 2007 | Posts: 418
Hi.

At the moment my main GW is Linux. It's an HP server that has been running for about 5 years and it's only a matter of time before it dies (maybe a month, maybe a year, who knows), so I'm building a backup box. I decided to buy a Mikrotik CCR, set it up, put it in storage and let it sit there.

I have 3 questions about how to configure it correctly.

Question 1, DNS: On Linux I have set: 1: 127.0.0.1, 2: 8.8.8.8 and the third an OpenDNS IP. Is it necessary to set 127.0.0.1 first on the MK as well?

Question 2, 1:1 NAT: On the UPLINK I set an IP address and on the LAN an IP address, the same way I have it on Linux. If I want to set up 1:1 NAT I add SNAT and DNAT, but is it also necessary to add the given public IP address to the uplink port, i.e. will the uplink port have about 30 addresses? As many as I have public IPs NATed to local ones? And at the end do I add masquerade? Won't it conflict if I do 1:1 on one local IP address and at the same time 1:subnet for the local subnet it belongs to?

Question 3, FW: What main rules do you have on the MK? On input I block everything and allow e.g. only Winbox, and what rules on forward? So far I've only added the classic block of 135-139, 25 and a few more for viruses. Do you add anything else?

Thanks for the advice.
         
        
Post subject: RE: CCR instead of Linux GW
Posted: 25.05.2014 - 09:47 #106561
Basic | Joined: Jan 21, 2005 | Posts: 180 | Location: Bratislava
I recommend having a separate machine for DNS, e.g. bind.

1 - you set it there; 127.0.0.1 isn't needed even if you have the CCR as the DNS resolver.

2 - the public IP that gets NATed doesn't have to be on the uplink; I have it on a bridge with no ports, named loopback. Of course it must be routed to your CCR via the IP on the uplink.

You can do srcnat to the same one and masquerade as well; they won't conflict.

3 - if you'll have the CCR as a DNS server, the main thing is to block INPUT DNS UDP port 53 on the uplink, and on top of that I change the default ports for ssh, ftp, etc. - I don't need logs full of garbage.
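The loopback-bridge layout from this reply, carried through as an added example (this is not the posters' configuration): a small Python script that turns a table of public-to-private mappings into the RouterOS commands for the port-less `loopback` bridge, the /32 public addresses on it, a dst-nat/src-nat pair per host, and the catch-all masquerade for the rest of the LAN. The interface name `ether1`, the bridge name `loopback`, the LAN range and every address are assumptions (RFC 5737 documentation and RFC 1918 ranges). It also answers the "won't it conflict" question from the first post by construction: a NAT chain stops at the first rule that matches, so each 1:1 src-nat rule is emitted before the masquerade rule, which then only catches LAN hosts without a dedicated public address.

```python
"""Emit RouterOS commands for 1:1 NAT behind a port-less `loopback` bridge.

Added example, not the posters' configuration. Interface names, the bridge
name and every address below are assumptions (RFC 5737 / RFC 1918 ranges).
"""
import ipaddress

UPLINK = "ether1"      # assumed uplink interface
LOOPBACK = "loopback"  # assumed port-less bridge that holds the public /32s
LAN = ipaddress.ip_network("192.168.10.0/24")  # assumed LAN range

# Constructed mapping: public address -> internal host that owns it 1:1.
MAPPINGS = {
    "198.51.100.10": "192.168.10.10",
    "198.51.100.11": "192.168.10.11",
}


def validate_mappings(mappings, lan=LAN):
    """Return a list of problems; an empty list means the table is usable."""
    problems, seen = [], set()
    for pub, priv in mappings.items():
        pub_ip, priv_ip = ipaddress.ip_address(pub), ipaddress.ip_address(priv)
        if pub_ip in lan:
            problems.append(f"{pub} lies inside the LAN range {lan}")
        if priv_ip not in lan:
            problems.append(f"{priv} is outside the LAN range {lan}")
        if priv_ip in seen:
            problems.append(f"{priv} is mapped twice; 1:1 NAT needs one private host per public IP")
        seen.add(priv_ip)
    return problems


def build_nat(mappings=MAPPINGS, lan=LAN, uplink=UPLINK, loopback=LOOPBACK):
    """Return the RouterOS commands in the order they must be applied.

    NAT chains stop at the first matching rule, so every per-host src-nat rule
    is emitted before the catch-all masquerade; the masquerade then only sees
    LAN hosts that have no dedicated public address.
    """
    problems = validate_mappings(mappings, lan)
    if problems:
        raise ValueError("; ".join(problems))
    cmds = [f"/interface bridge add name={loopback} comment=\"public IPs for 1:1 NAT\""]
    dst, src = [], []
    for pub, priv in mappings.items():
        # The public IP lives on the router itself, not on the uplink port; the
        # upstream only needs a route for it pointing at the uplink address.
        cmds.append(f"/ip address add address={pub}/32 interface={loopback}")
        dst.append(f"/ip firewall nat add chain=dstnat dst-address={pub} "
                   f"action=dst-nat to-addresses={priv} comment=\"1:1 {pub}\"")
        src.append(f"/ip firewall nat add chain=srcnat src-address={priv} out-interface={uplink} "
                   f"action=src-nat to-addresses={pub} comment=\"1:1 {pub}\"")
    masq = (f"/ip firewall nat add chain=srcnat src-address={lan} out-interface={uplink} "
            f"action=masquerade comment=\"rest of LAN\"")
    return cmds + dst + src + [masq]


if __name__ == "__main__":
    print("\n".join(build_nat()))
```

Paste the printed lines into the terminal in the order given; if the masquerade rule already exists, move it to the bottom of the srcnat chain with `/ip firewall nat move` so the per-host rules keep winning.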
         
        
Post subject: RE: CCR instead of Linux GW
Posted: 27.05.2014 - 17:52 #106583
Apprentice | Joined: Aug 09, 2004 | Posts: 753
1. Better avoid using the Mikrotik as DNS for the whole network. After switching the GW from Linux to MK I had a nice mess with DNS. For some people it worked fine, for others fb and the like wouldn't load. To this day I haven't figured out why, but DNS runs nicely the old way on bind and there's no problem.

3. On input allow everything from the management IPs/subnets, then established, related, icmp, DNS replies, and DROP everything else; you don't need anything more.

- on forward as needed, as you write SMTP and the Windows junk, possibly also block outbound traffic to private destination IPs and, from the inside, traffic from ranges other than the ones you actually use.
         
        
Post subject: RE: CCR instead of Linux GW
Posted: 29.05.2014 - 19:54 #106591
Master | Joined: Jul 11, 2008 | Posts: 2311
Quote:
 2   ;;; Drop invalid connections
     chain=input action=drop connection-state=invalid
 3   ;;; Port scanners to list
     chain=input action=add-src-to-address-list protocol=tcp psd=21,3s,3,1
     address-list=port scanners address-list-timeout=2w
 4   ;;; NMAP FIN Stealth scan
     chain=input action=add-src-to-address-list
     tcp-flags=fin,!syn,!rst,!psh,!ack,!urg protocol=tcp
     address-list=port scanners address-list-timeout=2w
 5   ;;; SYN/FIN scan
     chain=input action=add-src-to-address-list tcp-flags=fin,syn protocol=tcp
     address-list=port scanners address-list-timeout=2w
 6   ;;; SYN/RST scan
     chain=input action=add-src-to-address-list tcp-flags=syn,rst protocol=tcp
     address-list=port scanners address-list-timeout=2w
 7   ;;; FIN/PSH/URG scan
     chain=input action=add-src-to-address-list
     tcp-flags=fin,psh,urg,!syn,!rst,!ack protocol=tcp
     address-list=port scanners address-list-timeout=2w
 8   ;;; ALL/ALL scan
     chain=input action=add-src-to-address-list
     tcp-flags=fin,syn,rst,psh,ack,urg protocol=tcp address-list=port scanners
     address-list-timeout=2w
 9   ;;; NMAP NULL scan
     chain=input action=add-src-to-address-list
     tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg protocol=tcp
     address-list=port scanners address-list-timeout=2w
10   ;;; dropping port scanners
     chain=input action=drop src-address-list=port scanners
11   ;;; suppress DoS attack
     chain=input action=tarpit protocol=tcp src-address-list=black_list
     connection-limit=3,32
12   ;;; detect DoS attack(10 connections/ip from internet)
     chain=input action=add-src-to-address-list protocol=tcp
     address-list=black_list address-list-timeout=1d in-interface=ether1
     connection-limit=10,32
13   ;;; DOS attack protection(50 connections/ip)
     chain=input action=add-src-to-address-list protocol=tcp
     address-list=black_list address-list-timeout=1d connection-limit=50,32
14   ;;; drop ssh brute forcers
     chain=input action=drop protocol=tcp src-address-list=ssh_blacklist
     dst-port=22
15   chain=input action=add-src-to-address-list connection-state=new protocol=tc>
     src-address-list=ssh_stage3 address-list=ssh_blacklist
     address-list-timeout=1w3d dst-port=22
16   chain=input action=add-src-to-address-list connection-state=new protocol=tc>
     src-address-list=ssh_stage2 address-list=ssh_stage3
     address-list-timeout=1m dst-port=22
17   chain=input action=add-src-to-address-list connection-state=new protocol=tc>
     src-address-list=ssh_stage1 address-list=ssh_stage2
     address-list-timeout=1m dst-port=22
18   chain=input action=add-src-to-address-list connection-state=new protocol=tc>
     address-list=ssh_stage1 address-list-timeout=1m dst-port=22
19   ;;; drop ssh brute downstream
     chain=forward action=drop protocol=tcp src-address-list=ssh_blacklist
     dst-port=22
20   ;;; Allow Broadcast Traffic
     chain=input action=accept dst-address-type=broadcast
21   ;;; smtp(e-mail)
     chain=input action=accept protocol=tcp src-port=25
22   ;;; vpn(gre)
     chain=input action=accept protocol=gre
23   ;;; ping
     chain=input action=accept protocol=icmp
24   ;;; tcp ports
     chain=input action=accept protocol=tcp
     dst-port=22,25,53,1723,2000,7780,8291
25   ;;; udp
     chain=input action=accept protocol=udp dst-port=53
26   ;;; allow established connections
     chain=input action=accept connection-state=established
27   ;;; drop everything else
     chain=input action=drop in-interface=ether1

That's what I have on input... ether1 is the uplink, the MK does DNS for me.
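An added audit of the listing above, the kind of check a practitioner runs before trusting an input chain. It is example code, not anything posted in the thread, and the sample it parses is a constructed subset of the rules above in the same `print` layout. It parses the rule format (including list names RouterOS prints unquoted with a space, such as `address-list=port scanners`) and then reports the points the earlier replies raised: DNS accepted on input without any interface or source restriction (with the router caching DNS, as the poster confirms further down, that is an open resolver reachable from ether1), an accept keyed only on `src-port=25` (any client can choose source port 25 and reach every TCP service on the router), the established accept placed after the psd/connection-limit rules and without `related`, and a final drop that applies only to `in-interface=ether1`. The uplink name `ether1` is taken from the post; everything else is the example's own.

```python
"""Lint a RouterOS `/ip firewall filter print` listing for input-chain mistakes.
Added example, not code from the thread; SAMPLE is a constructed subset of the
rules posted above, in the layout RouterOS prints (number, optional `;;; comment`,
then key=value pairs wrapped over indented continuation lines)."""
import re

UPLINK = "ether1"  # uplink name taken from the post

SAMPLE = """\
 2   ;;; Drop invalid connections
     chain=input action=drop connection-state=invalid
 3   ;;; Port scanners to list
     chain=input action=add-src-to-address-list protocol=tcp psd=21,3s,3,1
     address-list=port scanners address-list-timeout=2w
13   ;;; DOS attack protection(50 connections/ip)
     chain=input action=add-src-to-address-list protocol=tcp
     address-list=black_list address-list-timeout=1d connection-limit=50,32
21   ;;; smtp(e-mail)
     chain=input action=accept protocol=tcp src-port=25
24   ;;; tcp ports
     chain=input action=accept protocol=tcp
     dst-port=22,25,53,1723,2000,7780,8291
25   ;;; udp
     chain=input action=accept protocol=udp dst-port=53
26   ;;; allow established connections
     chain=input action=accept connection-state=established
27   ;;; drop everything else
     chain=input action=drop in-interface=ether1
"""

RULE_START = re.compile(r"^\s*(\d+)(?:\s+(.*))?$")


def _add_tokens(rule, text):
    """Merge key=value tokens into rule; a bare token continues the previous
    value, because RouterOS prints names with spaces unquoted."""
    key = None
    for tok in text.split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            rule[key] = val
        elif key is not None:
            rule[key] += " " + tok


def parse_print(text):
    """Return the rules as dicts in listing order."""
    rules = []
    for line in text.splitlines():
        m = RULE_START.match(line)
        if m:
            rules.append({"num": int(m.group(1)), "comment": ""})
            rest = m.group(2) or ""
            if rest.startswith(";;;"):
                rules[-1]["comment"] = rest[3:].strip()
                continue
        elif not rules:
            continue  # text before the first rule
        else:
            rest = line
        _add_tokens(rules[-1], rest)
    return rules


def _limited_to_inside(rule, uplink):
    """True if the rule cannot match packets arriving on the uplink."""
    if "src-address" in rule or "src-address-list" in rule:
        return True
    iface = rule.get("in-interface")
    return iface is not None and iface != uplink


def audit(rules, uplink=UPLINK):
    """Return (rule number, finding) pairs for the input chain."""
    out, inp = [], [r for r in rules if r.get("chain") == "input"]
    for r in inp:
        if r.get("action") != "accept":
            continue
        if "53" in r.get("dst-port", "").split(",") and not _limited_to_inside(r, uplink):
            out.append((r["num"], "DNS accepted from %s as well: open resolver" % uplink))
        if "src-port" in r and "dst-port" not in r:
            out.append((r["num"], "accept keyed only on src-port=%s: any client can pick that source port" % r["src-port"]))
    est = [i for i, r in enumerate(inp)
           if r.get("action") == "accept" and "established" in r.get("connection-state", "")]
    if not est:
        out.append((None, "no accept for established connections"))
    else:
        i, r = est[0], inp[est[0]]
        if "related" not in r["connection-state"]:
            out.append((r["num"], "established accept lacks related (ICMP errors, FTP data)"))
        heavy = [x["num"] for x in inp[:i] if "psd" in x or "connection-limit" in x]
        if heavy:
            out.append((r["num"], "placed after tracking rules %s, which therefore inspect every packet of every TCP flow" % heavy))
    if inp and inp[-1].get("action") == "drop" and "in-interface" in inp[-1]:
        out.append((inp[-1]["num"], "final drop only for in-interface=%s: other interfaces fall through to the default accept" % inp[-1]["in-interface"]))
    return out


if __name__ == "__main__":
    for num, text in audit(parse_print(SAMPLE)):
        print("rule %s: %s" % (num, text))
```

To run it against a live box, replace SAMPLE with the output of `/ip firewall filter print` pasted from the terminal; only the input chain is examined, and disabled rules (marked `X`) are not handled by this small parser.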
         
        
Post subject: RE: CCR instead of Linux GW
Posted: 30.05.2014 - 12:40 #106593
Basic | Joined: May 25, 2003 | Posts: 264
rado3105 wrote: › [the input-chain listing from the previous post, quoted in full]

Is that how you have the FW set up on the main GW to the internet? Do you cache DNS normally, or forward it to a DNS server?
         
        
Post subject: RE: CCR instead of Linux GW
Posted: 31.05.2014 - 12:46 #106601
Master | Joined: Jul 11, 2008 | Posts: 2311
Yes, that's how I have it... I cache DNS... those are only the input rules... I have others too... does something not look right to you?
         
        
Post subject: RE: CCR instead of Linux GW
Posted: 31.05.2014 - 13:18 #106603
Basic | Joined: Feb 18, 2007 | Posts: 418
So that I don't start a new thread: do you still LOG communications? I'm surprised teleoff hasn't sent any demand to stop LOGging immediately; they only know how to send fines immediately.
         
        
Post subject: RE: CCR instead of Linux GW
Posted: 31.05.2014 - 14:41 #106605
Master | Joined: Oct 21, 2003 | Posts: 4247
sef wrote: › So that I don't start a new thread: do you still LOG communications? I'm surprised teleoff hasn't sent any demand to stop LOGging immediately; they only know how to send fines immediately.

State authorities may only do what the law prescribes for them. Does the RU have a statutory duty to send a demand to stop logging? Answer: no.
         
        
Post subject: RE: CCR instead of Linux GW
Posted: 31.05.2014 - 19:47 #106608
Basic | Joined: Oct 21, 2007 | Posts: 305
And as far as I know it isn't in force yet, but in some odd state where it's waiting for a directive or regulation to be issued..
         
        
Post subject: RE: CCR instead of Linux GW
Posted: 01.06.2014 - 13:53 #106613
Apprentice | Joined: Aug 09, 2004 | Posts: 753
sef wrote: › So that I don't start a new thread: do you still LOG communications? I'm surprised teleoff hasn't sent any demand to stop LOGging immediately; they only know how to send fines immediately.

What do you mean by logging connections? You can't log destination addresses; you'd be "violating" telecommunications secrecy.

If they want, I can give them a list of the private IPs hidden behind each public IP, and that's that..
         
        