
Re: [OT] First iptables script: suggestions, comments, corrections



Leonardo Canducci wrote:

On Mon, Apr 19, 2004 at 09:57:04AM +0200, gianni wrote:
#!/bin/sh

First of all you have to flush the tables, otherwise when you re-run the
script you end up with the rules duplicated, then tripled, and so on.

iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD

# -X removes user-defined chains; built-in chains cannot be deleted, so no chain name is given
iptables -X
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

#telnet 192.168.1.2->192.168.1.1
iptables -A INPUT -s 192.168.1.0/24 -p tcp  --dport 23 -j ACCEPT
iptables -A OUTPUT -d 192.168.1.0/24 -p tcp --sport 23 -j ACCEPT

For a start I'd use ssh instead of telnet; on Windows, PuTTY and WinSCP. Then
I'd specify the exact IP and, if you want to be paranoid, also the MAC address
of the network card of the only PC that should be allowed to connect.
#name resolution: client->server requests
iptables -A OUTPUT -o ppp0 -p udp -d 194.185.97.134 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -o ppp0 -p udp -d 194.185.97.134 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT


#name resolution: server->client replies
iptables -A INPUT -i ppp0 -p udp -s 194.185.97.134 --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -i ppp0 -p udp -s 194.185.97.134 --sport 53 -m state --state ESTABLISHED -j ACCEPT

Do you use only one DNS server? I gather your approach is to block everything
from LAN to WAN... odd, if you're the only one using the PC on the LAN.
#incoming icmp
iptables -A INPUT -i ppp0 -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i ppp0 -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT

#outgoing icmp
iptables -A OUTPUT -o ppp0 -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -o ppp0 -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

The state match is superfluous if you list all the states.
#icmp my_client->firewall/gateway
iptables -A INPUT  -i eth0 -s 192.168.1.2 -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth0 -d 192.168.1.2 -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

#outgoing mail (194.185.97.20 is my provider's SMTP server)
iptables -A FORWARD -i ppp0 -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -o ppp0 -p tcp -d 194.185.97.20 --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT

#incoming mail
iptables -A FORWARD -i ppp0 -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -o ppp0 -p tcp --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT

#news
iptables -A FORWARD -i ppp0 -p tcp --sport 119 -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -o ppp0 -p tcp --dport 119 -m state --state NEW,ESTABLISHED -j ACCEPT

#outgoing http
iptables -A FORWARD -i ppp0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -o ppp0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT

#outgoing https
iptables -A FORWARD -i ppp0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -o ppp0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT

#masquerading
echo "1" > /proc/sys/net/ipv4/conf/all/forwarding
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

I use echo "1" > /proc/sys/net/ipv4/ip_forward


I'd also add
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "1" > /proc/sys/net/ipv4/tcp_ecn
if you compiled them into the kernel, and
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all

and also
iptables -t nat -A PREROUTING -s 127.0.0.0/8 -i lo -j ACCEPT
iptables -t nat -A PREROUTING -d 127.0.0.0/8 -i lo -j ACCEPT

iptables -t nat -A PREROUTING -s 192.168.0.0/16 -i ppp0 -j DROP

Google a bit and you'll find plenty of ready-made scripts, or tutorials to
understand what you need.

                                      Ciao Br|aN
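The thread's suggestions (flush before re-running, ssh from one host instead of telnet from the whole LAN, not repeating per-service ESTABLISHED rules, dropping private source addresses arriving on the uplink, ip_forward and syncookies) pulled together into one stateful rule set. This is an added example written for this page, not a script posted by gianni, Leonardo or Br|aN. It keeps the thread's addresses (eth0 LAN 192.168.1.0/24, admin host 192.168.1.2, ppp0 uplink, resolver 194.185.97.134) as assumptions, and by default only prints the commands so the rule set can be reviewed; `IPT=iptables SYSCTL=sysctl sh firewall.sh` as root applies it.

```shell
#!/bin/sh
# Added example, not from the thread. IPT and SYSCTL default to "echo ..."
# (dry run: the commands are printed, not executed).
IPT="${IPT:-echo iptables}"
SYSCTL="${SYSCTL:-echo sysctl}"

# Assumed topology, taken from the thread
LAN_IF=eth0
WAN_IF=ppp0
LAN_NET=192.168.1.0/24
ADMIN_HOST=192.168.1.2
DNS_SERVERS="194.185.97.134"   # add further resolvers here, space separated

flush_rules() {
    # Flush and reset first, so re-running the script never duplicates rules
    $IPT -F
    $IPT -t nat -F
    $IPT -X                      # user-defined chains only; built-in chains cannot be deleted
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP
}

conntrack_rules() {
    # One rule per chain accepts every reply packet of an allowed connection,
    # so the per-service "--sport N --state ESTABLISHED" rules are not needed.
    for chain in INPUT OUTPUT FORWARD; do
        $IPT -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
        $IPT -A "$chain" -m state --state INVALID -j DROP
    done
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
}

antispoof_rules() {
    # Private or loopback source addresses cannot legitimately arrive on the uplink
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
        $IPT -A INPUT -i "$WAN_IF" -s "$net" -j DROP
        $IPT -A FORWARD -i "$WAN_IF" -s "$net" -j DROP
    done
}

service_rules() {
    # Administration: ssh from the single admin host, instead of telnet from the whole LAN
    $IPT -A INPUT -i "$LAN_IF" -s "$ADMIN_HOST" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    # ping from the admin host to the gateway, for troubleshooting
    $IPT -A INPUT -i "$LAN_IF" -s "$ADMIN_HOST" -p icmp --icmp-type echo-request -j ACCEPT
    # DNS from the gateway itself and from the LAN, to each configured resolver
    for dns in $DNS_SERVERS; do
        $IPT -A OUTPUT -o "$WAN_IF" -p udp -d "$dns" --dport 53 -m state --state NEW -j ACCEPT
        $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p udp -d "$dns" --dport 53 -m state --state NEW -j ACCEPT
    done
    # Outbound client services from the LAN: smtp, pop3, nntp, http, https
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p tcp -m multiport --dports 25,110,119,80,443 -m state --state NEW -j ACCEPT
    # ICMP originated by the gateway itself (ping, traceroute)
    $IPT -A OUTPUT -o "$WAN_IF" -p icmp -j ACCEPT
}

nat_rules() {
    # Masquerade only the LAN range, not whatever else happens to be routed out
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

kernel_settings() {
    $SYSCTL -w net.ipv4.ip_forward=1
    $SYSCTL -w net.ipv4.tcp_syncookies=1
    $SYSCTL -w net.ipv4.conf.all.rp_filter=1   # reverse-path check, complements antispoof_rules
}

build_firewall() {
    flush_rules
    conntrack_rules
    antispoof_rules
    service_rules
    nat_rules
    kernel_settings
}

# Number of rule-adding commands produced (useful when reviewing the dry run)
count_rules() { build_firewall | grep -c -- '-A '; }

build_firewall
```

Reviewing the printed output before applying it is the point of the dry run: the only NEW connections accepted are ssh from the admin host, DNS to the listed resolvers, the five client ports from the LAN, and the gateway's own ICMP; everything else is covered by the single ESTABLISHED,RELATED rule per chain.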


