On Mon, Apr 19, 2004 at 09:57:04AM +0200, gianni wrote:
#!/bin/sh
Come prima cosa bisogna fare il flush delle tabelle, altrimenti quando
rilanci lo script ti ritrovi le regole prima doppie, poi triple, ecc.
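# Flush every rule and delete every user-defined chain in the filter table,
# so re-running the script does not append a second copy of each rule.
# Built-in chains (INPUT/OUTPUT/FORWARD) cannot be deleted, so -X is given
# no chain name: passing a built-in chain to -X is an error.
iptables -F
iptables -X
# The nat table holds the MASQUERADE rule added at the end of the script;
# it is flushed for the same reason, otherwise that rule is duplicated on
# every run.
iptables -t nat -F
iptables -t nat -X
# Default deny on every built-in chain: anything not explicitly accepted
# below is dropped.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Under a DROP policy loopback traffic must be accepted explicitly, or local
# clients talking to daemons on this same host stop working.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# telnet 192.168.1.2 -> 192.168.1.1, LAN side (eth0) only.
# New sessions may only arrive on the LAN interface; the reply direction is
# limited to packets of an already established session, so a packet with
# source port 23 cannot be used to open a new outbound connection.
# NOTE(review): telnet is cleartext; ssh restricted to the single client
# host (192.168.1.2, as in the ICMP rules below) is the safer equivalent.
iptables -A INPUT -i eth0 -s 192.168.1.0/24 -p tcp --dport 23 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -d 192.168.1.0/24 -p tcp --sport 23 -m state --state ESTABLISHED -j ACCEPT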
Intanto userei ssh invece di telnet (da Windows: PuTTY e WinSCP). Poi
indicherei l'IP esatto e, volendo essere paranoici, anche il MAC della
scheda di rete dell'unico PC che deve connettersi.
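# Name resolution against the provider's resolver. Kept in one variable so
# that changing or adding a resolver is a one-line edit.
dns_server=194.185.97.134
# Queries: client -> server. Both the gateway itself (OUTPUT) and the LAN
# hosts behind it (FORWARD) may open new queries, only to this resolver.
iptables -A OUTPUT -o ppp0 -p udp -d "$dns_server" --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -o ppp0 -p udp -d "$dns_server" --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
# Answers: server -> client. Only packets that belong to a query already
# recorded in the connection-tracking table.
iptables -A INPUT -i ppp0 -p udp -s "$dns_server" --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -i ppp0 -p udp -s "$dns_server" --sport 53 -m state --state ESTABLISHED -j ACCEPT
# A resolver that truncates an answer over UDP (TC bit set) expects the
# client to retry the same query over TCP; without these rules such
# lookups fail silently. Same resolver, same direction constraints.
iptables -A OUTPUT -o ppp0 -p tcp -d "$dns_server" --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -o ppp0 -p tcp -d "$dns_server" --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp -s "$dns_server" --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -i ppp0 -p tcp -s "$dns_server" --sport 53 -m state --state ESTABLISHED -j ACCEPT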
Usi un solo DNS? Mi sembra di capire che il tuo approccio sia bloccare
tutto da LAN verso WAN... strano, se a usare il PC in LAN sei solo tu.
# ICMP on the WAN link (ppp0): inbound only as a reply to, or an error
# related to, traffic this side already started; outbound may start new
# exchanges. The same pair of rules is applied to the gateway itself
# (INPUT/OUTPUT) and to forwarded LAN traffic (FORWARD), in that order.
for chain in INPUT FORWARD; do
  iptables -A "$chain" -i ppp0 -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
done
for chain in OUTPUT FORWARD; do
  iptables -A "$chain" -o ppp0 -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
done
Il match sullo state è superfluo se indichi tutti gli stati.
# ICMP between the LAN client (192.168.1.2) and the gateway itself, on the
# LAN interface; either side may start an exchange.
iptables -A INPUT -i eth0 -s 192.168.1.2 -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth0 -d 192.168.1.2 -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# forward_tcp PORT [extra match arguments...]
# Lets forwarded LAN traffic reach TCP service PORT on the WAN side (ppp0).
# Replies (source port PORT, arriving on ppp0) are accepted only for an
# already established connection; new connections only towards the service.
# Any extra arguments are inserted into the outbound rule only, so a caller
# can pin the destination host with "-d ADDRESS".
forward_tcp() {
  port=$1
  shift
  iptables -A FORWARD -i ppp0 -p tcp --sport "$port" -m state --state ESTABLISHED -j ACCEPT
  iptables -A FORWARD -o ppp0 -p tcp "$@" --dport "$port" -m state --state NEW,ESTABLISHED -j ACCEPT
}

# Outgoing mail, only to the provider's SMTP relay (194.185.97.20).
forward_tcp 25 -d 194.185.97.20
# Incoming mail (POP3), any server.
forward_tcp 110
# News (NNTP), any server.
forward_tcp 119
# Web browsing, HTTP and HTTPS, any server.
forward_tcp 80
forward_tcp 443

# Masquerading: enable IP forwarding in the kernel, then rewrite the source
# of everything leaving through ppp0 to that interface's address.
echo "1" > /proc/sys/net/ipv4/conf/all/forwarding
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
Io uso `echo "1" > /proc/sys/net/ipv4/ip_forward`.