Prihlásiť sa Odoslať Novinky :: FAQ :: Rozšírené vyhľadávanie :: Napísali o nás :: Ankety
Main Menu
· Home
· 
· FAQ
· 
· Diskusia
· 











Main Menu
· Domov

Moduly
· AvantGo
· Downloads
· FAQ
· News
· Recommend Us
· Reviews
· Search
· Sections
· Stats
· Topics
· Top List
· Web Links
· Forum

Jazyk
Výber jazykovej mutácie:



The time now is 28.02.2020 - 20:02


CCR namiesto Linux GW

Post new topic Reply to topic
View previous topic Printable version Log in to check your private messages View next topic
 
Author Message
sef
Post subject: CCR namiesto Linux GW  PostPosted: 24.05.2014 - 21:23 #106560
Basic


Joined: Feb 18, 2007
Posts: 418

Nazdar.

Momentalne je moja hlavna gw linux. Je to HP server ktory uz bezi cca 5 rokov a je otazka casu kedy klakne (mozno mesiac mozno rok ktoho vie) a preto si robim zalozny stroj. Rozhodol som sa zakupit Mikrotik CCR a nastavit ho, odlozit do skladu a nech tam stoji.

Mal by som 3 otazky ako to spravne nakonfigurovat.

Otazka c.1 a to DNS: Na linuxe mam nastavene : 1: 127.0.0.1, 2: 8.8.8.8 a tretiu OPENDNS ip. Je potrebne aj na MK nastavit prve 127.0.0.1?

Otazka c.2 NAT 1:1: Na UPLINKU som nastavil IP adresu a na LAN IP adresu tak ako mam aj na linuxe. Ak chcem nastavit 1:1 NAT davam SNAT a DNAT ale je potrebne pridat aj danu verejnu IP adresu na ten port co je uplink t.j. port na uplink bude mat cca 30 adries?Tolko kolko mam verejnych IP prenatovanych na lokal? A nakoniec dam masquerade?Nebude sa bit ak dam 1:1 na jednu lokalnu IPadresu a zaroven aj 1:subnet co je aj lokalna z neho?

Otazka c.3 FW: Ake hlavne pravidla mate na MK? Na Inpute bloknem vsetko a povil napr. iba pre Winbox a na forward ake pravidla? Zatial som dal iba klasicke blok 135-139, 25 a nejake este na virusy. Davate nieco ine?

Dik za radu.
 
 View user's profile Send private message Visit poster's website  
Reply with quote Back to top
misohero
Post subject: RE: CCR namiesto Linux GW  PostPosted: 25.05.2014 - 09:47 #106561
Basic


Joined: Jan 21, 2005
Posts: 178
Location: Bratislava
odporucam mat nejaky samostatny stroj na DNS , napr. bind
1 - tam ho nastavis, 127.0.0.1 netreba aj ked mas CCR ako DNS resolver
2 - verejna ktora sa natuje nemusi byt na uplinku, ja ju mam na bridgi bez portov nazvanom loopback,samozrejme musi byt naroutovana na tvoj CCR cez ipcku na uplinku
srcnat mozes spravit na tu istu takisto aj masquerade, bit sa to nebude.
3 - ak budes mat CCR ako dns server,treba hlavne bloknut INPUT DNS UDP port 53 na uplinku , a ja este k tomu menim defaultne porty ssh , ftp , atd - nepotrebujem mat logy plne sprostosti
 
 View user's profile Send private message Visit poster's website  
Reply with quote Back to top
neos
Post subject: RE: CCR namiesto Linux GW  PostPosted: 27.05.2014 - 17:52 #106583
Ucen


Joined: Aug 09, 2004
Posts: 741

1. Mikrotiku ako DNS pre celu siet sa radsej vyhni. Ja som po prehodeni GW z linuxu na MK mal pekny pruser s DNS. Niekomu to islo OK, niekomu nenacitavalo fb a podobne. Doteraz som neprisiel na to preco, ale DNS mi bezi pekne po starom na binde a nieje problem.

3. na inpute si povol full z menezovacich IP/subnetov, dalej established,related, icmp, DNS reply a vsetko ostatne DROP, nic viac nepotrebujes
-na forwarde podla potreby, ako pises SMTP a win bordel, pripadne zakazat smerom von destination privatne IP a z vnutra zasa traffic z inych rozsahov ako realne pouzivas
 
 View user's profile Send private message Visit poster's website ICQ Number 
Reply with quote Back to top
rado3105
Post subject: RE: CCR namiesto Linux GW  PostPosted: 29.05.2014 - 19:54 #106591
Majster


Joined: Júl 11, 2008
Posts: 2311

Quote: › 2 ;;; Drop invalid connections
chain=input action=drop connection-state=invalid

3 ;;; Port scanners to list
chain=input action=add-src-to-address-list protocol=tcp psd=21,3s,3,1
address-list=port scanners address-list-timeout=2w

4 ;;; NMAP FIN Stealth scan
chain=input action=add-src-to-address-list
tcp-flags=fin,!syn,!rst,!psh,!ack,!urg protocol=tcp
address-list=port scanners address-list-timeout=2w

5 ;;; SYN/FIN scan
chain=input action=add-src-to-address-list tcp-flags=fin,syn protocol=tcp
address-list=port scanners address-list-timeout=2w
5 ;;; SYN/FIN scan
chain=input action=add-src-to-address-list tcp-flags=fin,syn protocol=tcp
address-list=port scanners address-list-timeout=2w

6 ;;; SYN/RST scan
chain=input action=add-src-to-address-list tcp-flags=syn,rst protocol=tcp
address-list=port scanners address-list-timeout=2w

7 ;;; FIN/PSH/URG scan
chain=input action=add-src-to-address-list
tcp-flags=fin,psh,urg,!syn,!rst,!ack protocol=tcp
address-list=port scanners address-list-timeout=2w

8 ;;; ALL/ALL scan
chain=input action=add-src-to-address-list
tcp-flags=fin,syn,rst,psh,ack,urg protocol=tcp address-list=port scanners
address-list-timeout=2w
9 ;;; NMAP NULL scan
chain=input action=add-src-to-address-list
tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg protocol=tcp
address-list=port scanners address-list-timeout=2w

10 ;;; dropping port scanners
chain=input action=drop src-address-list=port scanners

11 ;;; suppress DoS attack
chain=input action=tarpit protocol=tcp src-address-list=black_list
connection-limit=3,32

12 ;;; detect DoS attack(10 connections/ip from internet)
chain=input action=add-src-to-address-list protocol=tcp
address-list=black_list address-list-timeout=1d in-interface=ether1
connection-limit=10,32

13 ;;; DOS attack protection(50 connections/ip)
chain=input action=add-src-to-address-list protocol=tcp
address-list=black_list address-list-timeout=1d connection-limit=50,32
14 ;;; drop ssh brute forcers
chain=input action=drop protocol=tcp src-address-list=ssh_blacklist
dst-port=22

15 chain=input action=add-src-to-address-list connection-state=new protocol=tc>
src-address-list=ssh_stage3 address-list=ssh_blacklist
address-list-timeout=1w3d dst-port=22

16 chain=input action=add-src-to-address-list connection-state=new protocol=tc>
src-address-list=ssh_stage2 address-list=ssh_stage3
address-list-timeout=1m dst-port=22

17 chain=input action=add-src-to-address-list connection-state=new protocol=tc>
src-address-list=ssh_stage1 address-list=ssh_stage2
address-list-timeout=1m dst-port=22

18 chain=input action=add-src-to-address-list connection-state=new protocol=tc>
address-list=ssh_stage1 address-list-timeout=1m dst-port=22
19 ;;; drop ssh brute downstream
chain=forward action=drop protocol=tcp src-address-list=ssh_blacklist
dst-port=22

20 ;;; Allow Broadcast Traffic
chain=input action=accept dst-address-type=broadcast

21 ;;; smtp(e-mail)
chain=input action=accept protocol=tcp src-port=25

22 ;;; vpn(gre)
chain=input action=accept protocol=gre

23 ;;; ping
chain=input action=accept protocol=icmp

24 ;;; tcp ports
chain=input action=accept protocol=tcp
dst-port=22,25,53,1723,2000,7780,8291
25 ;;; udp
chain=input action=accept protocol=udp dst-port=53

26 ;;; allow estabilished connections
chain=input action=accept connection-state=established

27 ;;; drop everything else
chain=input action=drop in-interface=ether1


tak to mam input...ether1 je uplink, MK mi robi dns
 
 View user's profile Send private message Visit poster's website  
Reply with quote Back to top
bob
Post subject: RE: CCR namiesto Linux GW  PostPosted: 30.05.2014 - 12:40 #106593
Basic


Joined: Máj 25, 2003
Posts: 264

rado3105 wrote: ›
Quote: › 2 ;;; Drop invalid connections
chain=input action=drop connection-state=invalid

3 ;;; Port scanners to list
chain=input action=add-src-to-address-list protocol=tcp psd=21,3s,3,1
address-list=port scanners address-list-timeout=2w

4 ;;; NMAP FIN Stealth scan
chain=input action=add-src-to-address-list
tcp-flags=fin,!syn,!rst,!psh,!ack,!urg protocol=tcp
address-list=port scanners address-list-timeout=2w

5 ;;; SYN/FIN scan
chain=input action=add-src-to-address-list tcp-flags=fin,syn protocol=tcp
address-list=port scanners address-list-timeout=2w
5 ;;; SYN/FIN scan
chain=input action=add-src-to-address-list tcp-flags=fin,syn protocol=tcp
address-list=port scanners address-list-timeout=2w

6 ;;; SYN/RST scan
chain=input action=add-src-to-address-list tcp-flags=syn,rst protocol=tcp
address-list=port scanners address-list-timeout=2w

7 ;;; FIN/PSH/URG scan
chain=input action=add-src-to-address-list
tcp-flags=fin,psh,urg,!syn,!rst,!ack protocol=tcp
address-list=port scanners address-list-timeout=2w

8 ;;; ALL/ALL scan
chain=input action=add-src-to-address-list
tcp-flags=fin,syn,rst,psh,ack,urg protocol=tcp address-list=port scanners
address-list-timeout=2w
9 ;;; NMAP NULL scan
chain=input action=add-src-to-address-list
tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg protocol=tcp
address-list=port scanners address-list-timeout=2w

10 ;;; dropping port scanners
chain=input action=drop src-address-list=port scanners

11 ;;; suppress DoS attack
chain=input action=tarpit protocol=tcp src-address-list=black_list
connection-limit=3,32

12 ;;; detect DoS attack(10 connections/ip from internet)
chain=input action=add-src-to-address-list protocol=tcp
address-list=black_list address-list-timeout=1d in-interface=ether1
connection-limit=10,32

13 ;;; DOS attack protection(50 connections/ip)
chain=input action=add-src-to-address-list protocol=tcp
address-list=black_list address-list-timeout=1d connection-limit=50,32
14 ;;; drop ssh brute forcers
chain=input action=drop protocol=tcp src-address-list=ssh_blacklist
dst-port=22

15 chain=input action=add-src-to-address-list connection-state=new protocol=tc>
src-address-list=ssh_stage3 address-list=ssh_blacklist
address-list-timeout=1w3d dst-port=22

16 chain=input action=add-src-to-address-list connection-state=new protocol=tc>
src-address-list=ssh_stage2 address-list=ssh_stage3
address-list-timeout=1m dst-port=22

17 chain=input action=add-src-to-address-list connection-state=new protocol=tc>
src-address-list=ssh_stage1 address-list=ssh_stage2
address-list-timeout=1m dst-port=22

18 chain=input action=add-src-to-address-list connection-state=new protocol=tc>
address-list=ssh_stage1 address-list-timeout=1m dst-port=22
19 ;;; drop ssh brute downstream
chain=forward action=drop protocol=tcp src-address-list=ssh_blacklist
dst-port=22

20 ;;; Allow Broadcast Traffic
chain=input action=accept dst-address-type=broadcast

21 ;;; smtp(e-mail)
chain=input action=accept protocol=tcp src-port=25

22 ;;; vpn(gre)
chain=input action=accept protocol=gre

23 ;;; ping
chain=input action=accept protocol=icmp

24 ;;; tcp ports
chain=input action=accept protocol=tcp
dst-port=22,25,53,1723,2000,7780,8291
25 ;;; udp
chain=input action=accept protocol=udp dst-port=53

26 ;;; allow estabilished connections
chain=input action=accept connection-state=established

27 ;;; drop everything else
chain=input action=drop in-interface=ether1


tak to mam input...ether1 je uplink, MK mi robi dns





takto mas nastaveny FW na hlavnej GW do netu ? DNS normalne kesujes alebo preposielas na DNS server?
 
 View user's profile Send private message Visit poster's website ICQ Number 
Reply with quote Back to top
rado3105
Post subject: RE: CCR namiesto Linux GW  PostPosted: 31.05.2014 - 12:46 #106601
Majster


Joined: Júl 11, 2008
Posts: 2311

ano tak to mam...dns cachujem... to su pravidla len pre input...mam tam aj ine... nieco sa ti nezda?
 
 View user's profile Send private message Visit poster's website  
Reply with quote Back to top
sef
Post subject: RE: CCR namiesto Linux GW  PostPosted: 31.05.2014 - 13:18 #106603
Basic


Joined: Feb 18, 2007
Posts: 418

Aby som nezakladal novu temu. LOGujete este komunikaciu? Sa cudujem ze teraz teleoff neposlal ziadnu vyzvu na okamzite ukoncenie LOGovania, vedia len okamzite pokuty posielat.
 
 View user's profile Send private message Visit poster's website  
Reply with quote Back to top
pixall
Post subject: RE: CCR namiesto Linux GW  PostPosted: 31.05.2014 - 14:41 #106605
Majster


Joined: Okt 21, 2003
Posts: 4229

sef wrote: ›Aby som nezakladal novu temu. LOGujete este komunikaciu? Sa cudujem ze teraz teleoff neposlal ziadnu vyzvu na okamzite ukoncenie LOGovania, vedia len okamzite pokuty posielat.


statne organy mozu robit iba to, co maju stanovene zakonom. ma RU zakonom stanovene ze ma poslat vyzvu na ukoncenie logovania? odpoved - nie.
 
 View user's profile Send private message Visit poster's website  
Reply with quote Back to top
Jardo
Post subject: RE: CCR namiesto Linux GW  PostPosted: 31.05.2014 - 19:47 #106608
Basic


Joined: Okt 21, 2007
Posts: 305

a pokial viem este to nieje v platnosti, ale v takom divnom stave kedy to caka na vydanie smernice alebo nariadenia..
 
 View user's profile Send private message  
Reply with quote Back to top
neos
Post subject: RE: CCR namiesto Linux GW  PostPosted: 01.06.2014 - 13:53 #106613
Ucen


Joined: Aug 09, 2004
Posts: 741

sef wrote: ›Aby som nezakladal novu temu. LOGujete este komunikaciu? Sa cudujem ze teraz teleoff neposlal ziadnu vyzvu na okamzite ukoncenie LOGovania, vedia len okamzite pokuty posielat.


co mas na mysli pod logovanim spojeni? ved destination adresy logovat nemozes, "narusil" by si telekomunikacne tajomstvo

ked chcu, viem im dat zoznam privat IP schovanych pod kazdou public IP a cest praci..
 
 View user's profile Send private message Visit poster's website ICQ Number 
Reply with quote Back to top
Display posts from previous:     
All times are GMT
Post new topic Reply to topic
View previous topic Printable version Log in to check your private messages View next topic
 
Jump to:  

Powered by PNphpBB2 © 2003-2005 The PNphpBB Group
Credits

(C) SKFree 2002-2010: Powered by POSTNUKE. Môžete prebera? naše správy vo formáte XML(RSS)