
Re: [SOLVED] iptables advice



2012/7/5 Juan Antonio <pushakk@limbo.deathwing.net>
>
> > On 04/07/12 21:05, M.Vila wrote:
> >  Thanks for the help!! Here is my configuration.
> >
> > #!/bin/bash
> > iptables -F
> > iptables -t nat -F
> > iptables -Z
> > iptables -X
> > #
> > iptables -P INPUT DROP
> > iptables -P OUTPUT DROP
> > iptables -P FORWARD DROP
> > #
> > #/sbin/modprobe ip_conntrack_ftp
> > #
> > iptables -A OUTPUT -o lo -j ACCEPT
> > iptables -A INPUT -i lo -j ACCEPT
> > #
> > # Drop pings.
> > /bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
> > #
> > # Do not answer broadcasts.
> > /bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
> > #
> > # To prevent spoofing, make sure the packet's source address
> > # comes from the right place.
> > for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do
> > /bin/echo "1" > ${interface}
> > done
> > #dns
> > iptables -A OUTPUT -p udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
> > iptables -A INPUT -p udp --dport 1024:65535 --sport 53 -m state --state ESTABLISHED -j ACCEPT
> > #ssh
> > iptables -A OUTPUT -p tcp --sport 1024:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
> > iptables -A INPUT -p tcp --dport 1024:65535 --sport 22 -m state --state ESTABLISHED -j ACCEPT
> > #smtp (outbound to port 25, same direction as the other client rules)
> > iptables -A OUTPUT -p tcp --sport 1024:65535 --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
> > iptables -A INPUT -p tcp --dport 1024:65535 --sport 25 -m state --state ESTABLISHED -j ACCEPT
> > #http
> > iptables -A OUTPUT -p tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
> > iptables -A INPUT -p tcp --dport 1024:65535 --sport 80 -m state --state ESTABLISHED -j ACCEPT
> > #https
> > iptables -A OUTPUT -p tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
> > iptables -A INPUT -p tcp --dport 1024:65535 --sport 443 -m state --state ESTABLISHED -j ACCEPT
> > #smtps
> > iptables -A OUTPUT -p tcp --sport 1024:65535 --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT
> > iptables -A INPUT -p tcp --dport 1024:65535 --sport 465 -m state --state ESTABLISHED -j ACCEPT
> > #imap4
> > iptables -A OUTPUT -p tcp --sport 1024:65535 --dport 993 -m state --state NEW,ESTABLISHED -j ACCEPT
> > iptables -A INPUT -p tcp --dport 1024:65535 --sport 993 -m state --state ESTABLISHED -j ACCEPT
> > #pop3
> > iptables -A OUTPUT -p tcp --sport 1024:65535 --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
> > iptables -A INPUT -p tcp --dport 1024:65535 --sport 995 -m state --state ESTABLISHED -j ACCEPT
> > #irc
> > iptables -A OUTPUT -p tcp --sport 1024:65535 --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT
> > iptables -A INPUT -p tcp --dport 1024:65535 --sport 6667 -m state --state ESTABLISHED -j ACCEPT
> > #squid
> > iptables -A OUTPUT -p tcp --sport 1024:65535 --dport 3128 -m state --state NEW,ESTABLISHED -j ACCEPT
> > iptables -A INPUT -p tcp --dport 1024:65535 --sport 3128 -m state --state ESTABLISHED -j ACCEPT
> > #
> > iptables -A OUTPUT -p tcp --sport 1024:65535 --dport 8080 -m state --state NEW,ESTABLISHED -j ACCEPT
> > iptables -A INPUT -p tcp --dport 1024:65535 --sport 8080 -m state --state ESTABLISHED -j ACCEPT
> > #
> > iptables -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT
> > iptables -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT
> >
> >
>
> Some tips.
>
> "-m state --state NEW,ESTABLISHED -j ACCEPT" -> "-j ACCEPT"
>
> Use your own chains.
>
> -N _outgoing
> -I _outgoing -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> iptables -A OUTPUT -p tcp --dport 993 -j _outgoing
> iptables -A OUTPUT -p tcp --dport 995 -j _outgoing
> etc ...
>
> If it is a server and you work on it remotely, you should apply the policies
> at the end, after having secured access to the system.
>
> Regards.
>
>
> --
> To UNSUBSCRIBE, email to debian-user-spanish-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> Archive: http://lists.debian.org/4FF53E18.9090405@limbo.deathwing.net
>

Hi

These things:

> > # Drop pings.
> > /bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
> > #
> > # Do not answer broadcasts.
> > /bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
> > #
> > # To prevent spoofing, make sure the packet's source address
> > # comes from the right place.
> > for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do
> > /bin/echo "1" > ${interface}
> > done

I would do them in /etc/sysctl.conf, for example:

# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=1

Afterwards, remember to run sysctl -p

Cheers
--------------------------------------------------------------------------------------
Juan Sierra Pons                                 juan@elsotanillo.net
Linux User Registered: #257202       http://www.elsotanillo.net
GPG key = 0xA110F4FE
Key Fingerprint = DF53 7415 0936 244E 9B00  6E66 E934 3406 A110 F4FE
--------------------------------------------------------------------------------------
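The following is an added example, not code from either poster in the thread: it generates a version of M.Vila's ruleset restructured along the lines of Juan Antonio's tips (one RELATED,ESTABLISHED rule up front, a custom `_outgoing` chain that holds the state match once, and the DROP policies set only after every accept rule is loaded). The port list is taken from the thread; the `_outgoing` chain accepting NEW is my reading of his sketch, and the function only prints the commands so they can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example (not from the thread): print an iptables ruleset that applies
# the advice given in the thread to the posted configuration.

# Outbound services this host may initiate (ports taken from the thread).
OUT_TCP="22 25 80 443 465 993 995 3128 6667 8080"
OUT_UDP="53"

gen_rules() {
  # Clean slate, but keep the policies at ACCEPT while rules are loaded so a
  # remote session is not cut off halfway through.
  echo "iptables -F"
  echo "iptables -t nat -F"
  echo "iptables -X"
  echo "iptables -Z"
  echo "iptables -P INPUT ACCEPT"
  echo "iptables -P OUTPUT ACCEPT"
  echo "iptables -P FORWARD ACCEPT"
  echo "iptables -A INPUT -i lo -j ACCEPT"
  echo "iptables -A OUTPUT -o lo -j ACCEPT"
  # Replies to tracked connections are accepted once here, so the per-port
  # rules below no longer need their own "--state NEW,ESTABLISHED".
  echo "iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT"
  echo "iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT"
  echo "iptables -A INPUT -m state --state INVALID -j DROP"
  # Custom chain (assumed name from Juan Antonio's sketch): the state match
  # lives here once; each permitted service just jumps to it.
  echo "iptables -N _outgoing"
  echo "iptables -A _outgoing -m state --state NEW -j ACCEPT"
  for p in $OUT_TCP; do
    echo "iptables -A OUTPUT -p tcp --dport $p -j _outgoing"
  done
  for p in $OUT_UDP; do
    echo "iptables -A OUTPUT -p udp --dport $p -j _outgoing"
  done
  echo "iptables -A OUTPUT -p icmp -j _outgoing"
  # Policies last, once every accept rule is in place.
  echo "iptables -P INPUT DROP"
  echo "iptables -P OUTPUT DROP"
  echo "iptables -P FORWARD DROP"
}

# Review the output first; to apply as root: gen_rules | sh
gen_rules
```

The rp_filter and ICMP sysctl settings stay out of this script on purpose, since Juan Sierra's reply puts them in /etc/sysctl.conf instead.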

