Re: firewall domestico
On Sat, Apr 13, 2002 at 12:12:19AM +0200, Umberto Favarato wrote:
> a little script for a simple firewall:
> #Unless specified, the defaults for INPUT, OUTPUT, and FORWARD are ACCEPT
> $IPTABLES -P INPUT ACCEPT
More than a firewall it looks to me like a holewall, written by someone who used ipchains
and hasn't understood that in iptables the INPUT, FORWARD and OUTPUT chains work
differently than they did in ipchains.
*At least* change it like this (*BUT*: at the very least this firewall does not protect you from
internal Windows machines infected with Outlook-ish e-mail diseases and the like,
and then there would be many other things to say ... for example I
prefer REJECT to DROP):
#!/bin/sh
IPTABLES=/sbin/iptables # path to the iptables binary
EXT=ipp0 # interface toward the Internet
INT=eth0 # interface toward the *FULLY TRUSTED* internal LAN
NET=192.168.0.0/24 # internal network to masquerade behind the dynamic IP of $EXT

# Disable forwarding while the rules are being rebuilt
echo 0 > /proc/sys/net/ipv4/ip_forward

# Flush the rules and delete the user-defined chains in all three tables
$IPTABLES -t filter -F
$IPTABLES -t filter -X
$IPTABLES -t nat -F
$IPTABLES -t nat -X
$IPTABLES -t mangle -F
$IPTABLES -t mangle -X

# Default policies: drop whatever is not explicitly allowed, let the box itself talk out
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP

# INPUT: traffic addressed to the box itself
$IPTABLES -A INPUT -i lo -j ACCEPT # loopback; with policy DROP, local services break without this
$IPTABLES -A INPUT -i $INT -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset # ident: answer with a RST instead of letting remote servers time out
$IPTABLES -A INPUT -i $EXT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -j LOG # anything left over is logged and then hits the DROP policy

# FORWARD: traffic routed between the LAN and the Internet
$IPTABLES -A FORWARD -i $INT -o $EXT -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 113 -j REJECT --reject-with tcp-reset
$IPTABLES -A FORWARD -i $EXT -o $INT -m state \
--state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -j LOG

# NAT: masquerade the LAN behind $EXT
$IPTABLES -t nat -A POSTROUTING -s $NET -o $EXT -j MASQUERADE

# Re-enable forwarding now that the rules are in place
echo 1 > /proc/sys/net/ipv4/ip_forward
--
To UNSUBSCRIBE, email to debian-italian-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
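To illustrate the point of the reply (a routed packet traverses only FORWARD in iptables, so INPUT rules never see LAN-bound traffic), here is an added toy model of chain traversal that encodes the corrected script's rules; it is not part of the original post, and the interface names, the box's own addresses and the sample packets are constructed assumptions.

```python
"""Toy model of netfilter chain traversal, constructed for the reply above: in iptables a
packet addressed to the box traverses only INPUT and a routed one only FORWARD (under
ipchains a routed packet crossed input too). Interfaces, addresses, sample packet: assumed."""
from collections import namedtuple

EXT, INT, LAN = "ipp0", "eth0", "192.168.0."
LOCAL_IPS = {"192.168.0.1", "203.0.113.7"}   # the box's LAN and public addresses (assumed)
ESTABLISHED = ("ESTABLISHED", "RELATED")
Packet = namedtuple("Packet", "in_if dst dport proto state", defaults=(0, "tcp", "NEW"))

def out_if(p):     # routing decision: LAN prefix -> $INT, everything else -> $EXT
    return INT if p.dst.startswith(LAN) else EXT

def chain_for(p):  # the point of the reply: local destination -> INPUT, routed -> FORWARD
    return "INPUT" if p.dst in LOCAL_IPS else "FORWARD"

def ident(p):      # -p tcp --dport 113
    return p.proto == "tcp" and p.dport == 113

# Each chain is (policy, ordered rules); each rule is (match, target).
CORRECTED = {
    "INPUT": ("DROP", [
        (lambda p: p.in_if == INT, "ACCEPT"),
        (ident, "REJECT tcp-reset"),
        (lambda p: p.in_if == EXT and p.state in ESTABLISHED, "ACCEPT"),
        (lambda p: True, "LOG")]),
    "FORWARD": ("DROP", [
        (lambda p: p.in_if == INT and out_if(p) == EXT, "ACCEPT"),
        (ident, "REJECT tcp-reset"),
        (lambda p: p.in_if == EXT and out_if(p) == INT and p.state in ESTABLISHED, "ACCEPT"),
        (lambda p: True, "LOG")]),
}
# The quoted original as far as it is visible: every policy ACCEPT and rules (if any) only
# on INPUT, so FORWARD, the chain routed packets actually traverse, is empty.
HOLEWALL = {"INPUT": ("ACCEPT", []), "FORWARD": ("ACCEPT", [])}

def evaluate(ruleset, p):
    """Walk the chain the packet belongs to; LOG is non-terminating, all else is final."""
    policy, rules = ruleset[chain_for(p)]
    logged = False
    for match, target in rules:
        if match(p):
            if target == "LOG":
                logged = True
                continue
            return target
    return ("LOG then " if logged else "") + "policy " + policy

if __name__ == "__main__":
    probe = Packet(EXT, "192.168.0.10", 139)   # unsolicited Internet packet to a LAN host's SMB port
    print(chain_for(probe), "|", evaluate(CORRECTED, probe), "|", evaluate(HOLEWALL, probe))
```

Under the corrected rules the sample packet is logged and dropped in FORWARD, while under the quoted original it is simply forwarded, whatever the INPUT chain says.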