Problems with the firewall-builder script.
I used the script found on debianitalia.org (it's the same one that's on debianizzati.org) and made all the necessary adjustments. Everything works as it should when passing the "router" or "stop" parameters (in the latter case NAT is disabled), while with "start" on interface eth1, where the public IP is, all ports turn out to be closed. However, I uncommented the lines that open ports 21,22,25,80,993. Running the script with the "policy" parameter I get the following output (eth0 internal interface 192.168.0.6, eth1 external interface):
Politiche ...
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- eth0 * 192.168.0.0/24 0.0.0.0/0
0 0 ACCEPT all -- eth0 * 192.168.0.6 0.0.0.0/0
33 2340 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- eth1 * 0.0.0.0/0 0.0.0.0/0 icmp type 0
0 0 ACCEPT icmp -- eth1 * 0.0.0.0/0 0.0.0.0/0 icmp type 3
0 0 ACCEPT icmp -- eth1 * 0.0.0.0/0 0.0.0.0/0 icmp type 11
0 0 DROP icmp -- eth1 * 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 ACCEPT icmp -- eth0 * 192.168.0.0 0.0.0.0/0
0 0 ACCEPT udp -- eth1 * 151.99.125.2 0.0.0.0/0 udp spt:53
0 0 ACCEPT udp -- eth1 * 151.99.0.100 0.0.0.0/0 udp spt:53
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53
0 0 DROP all -- * * 0.0.0.0/0 255.255.255.255
0 0 SYN-FLOOD tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02
0 0 chain-log tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x29
0 0 chain-log tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x16
0 0 chain-log tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
0 0 chain-log tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06
0 0 chain-log tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03
0 0 chain-log tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x01/0x01
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:135:139
0 0 chain-log all -- eth1 * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
0 0 chain-log all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:993

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 DROP all -- eth1 * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
0 0 ACCEPT all -- * eth1 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 26 packets, 3496 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
0 0 ACCEPT tcp -- * eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 state NEW,RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:110
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 flags:0x16/0x02 state NEW LOG flags 0 level 6 prefix `---SSH from eth1---'
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22

Chain SYN-FLOOD (1 references)
pkts bytes target prot opt in out source destination
0 0 chain-log all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 4

Chain chain-log (9 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
But shouldn't those ports be open?
Has anyone already tried the above script successfully?
Thanks.
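In the INPUT chain above, the per-port ACCEPT rules come after the "chain-log all -- eth1 ... state INVALID,NEW" rule, and chain-log ends in an unconditional DROP; iptables stops at the first matching rule, so a new connection on eth1 never reaches those ACCEPTs. The following is an added example, not part of the post or of the debianitalia script: it parses an `iptables -nvL` listing (a constructed excerpt of the one above is embedded) and reports port-opening ACCEPT rules that an earlier catch-all drop in the same chain makes unreachable for NEW connections.

```python
import re
# Constructed excerpt of the post's listing (iptables -nvL), wrapped rules rejoined.
SAMPLE = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0     0 DROP all -- * * 0.0.0.0/0 255.255.255.255
    0     0 chain-log all -- eth1 * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
    0     0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
    0     0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
Chain chain-log (9 references)
    0     0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6
    0     0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
"""
PORT_RE = re.compile(r"dpts?:[\d:]+|dports \S+")
ANY = ("0.0.0.0/0", "0.0.0.0/0")
def parse_chains(listing):
    """Map chain name -> rules in listing order (iptables evaluates top-down)."""
    chains, cur = {}, None
    for line in listing.splitlines():
        p = line.split()
        if p[:1] == ["Chain"]:
            chains[(cur := p[1])] = []
        elif cur and len(p) >= 9 and p[0] != "pkts":
            chains[cur].append({"target": p[2], "prot": p[3], "in": p[5],
                                "addr": (p[7], p[8]), "opts": p[9:]})
    return chains

def drops_all_new(chains, rule):
    """True if `rule` sends every NEW packet of its proto/interface to a drop."""
    o = rule["opts"]  # only a bare rule or a 'state' match that includes NEW qualifies
    if rule["addr"] != ANY or (o and not (len(o) == 2 and o[0] == "state"
                                          and "NEW" in o[1].split(","))):
        return False
    if rule["target"] in ("DROP", "REJECT"):
        return True
    last = (chains.get(rule["target"]) or [None])[-1]  # user chain: its final rule decides
    return bool(last) and last["target"] in ("DROP", "REJECT") and last["prot"] == "all" \
        and last["in"] == "*" and last["addr"] == ANY and not last["opts"]

def shadowed_accepts(chains, chain="INPUT"):
    """(port match, interface) pairs whose ACCEPT rule no NEW connection can reach."""
    found = []
    for i, rule in enumerate(chains[chain]):
        m = rule["target"] == "ACCEPT" and PORT_RE.search(" ".join(rule["opts"]))
        for e in (chains[chain][:i] if m else []):  # earlier drops on an overlapping iface
            same_if = "*" in (e["in"], rule["in"]) or e["in"] == rule["in"]
            if same_if and e["prot"] in ("all", rule["prot"]) and drops_all_new(chains, e):
                found.append((m.group(0), e["in"]))
    return found
print(shadowed_accepts(parse_chains(SAMPLE)))  # [('dpt:22', 'eth1'), ('dports 80,443', 'eth1')]
```

Moving the port ACCEPT rules above the state INVALID,NEW drop (or feeding the real `iptables -nvL` output to `parse_chains`) makes the list come back empty.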