Se trata de 1 servidor Linux corriendo: www, ftp, ssh, sendmail.
El IPtables es:
#!/bin/sh
IPTABLES=/sbin/iptables
# (1) Limpiar reglas anteriores:
iptables -F
# (2) Definir regla/cadena/tabla:
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# (3) Aceptar todo para localhost:
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# (4) limitar el acceso de paquetes nuevos
iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 4 -j
DROP
# (5) flag SYN
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# (6) icmp (ping)
iptables -A INPUT -p icmp -j DROP
iptables -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT
# (7) Aceptar ssh -p 22 openssh:
iptables -A INPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j
ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED -j
ACCEPT
# (8) Aceptar www -p 80 apache:
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp --sport 80 -m state --state ESTABLISHED -j
ACCEPT
# (9) webs seguras -p 443:
iptables -A INPUT -p tcp -m tcp --dport 443 -m state --state
NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 443 -m state --state
NEW,RELATED,ESTABLISHED -j ACCEPT
# (10) ftp -p 21 20000 vsftpd:
iptables -A INPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j
ACCEPT
iptables -A INPUT -p tcp --dport 20000 -m state --state
ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 20000 -m state --state
ESTABLISHED,RELATED -j ACCEPT
#(11) SMTP -p 25 sendmail:
iptables -A INPUT -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j
ACCEPT
iptables -A OUTPUT -p tcp --sport 25 -m state --state NEW,ESTABLISHED -j
ACCEPT
# (14) salir:
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# (15) Registrar paquetes:
iptables -A INPUT -j LOG --log-level 4 --log-prefix "ENTRAR:"
iptables -A OUTPUT -j LOG --log-level 4 --log-prefix "SALIR:"
Alguno ve algo interesante en las reglas?
--
To UNSUBSCRIBE, email to debian-user-spanish-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact
listmaster@lists.debian.org
Archive:
[🔎] 20130619094032.GA24875@videosgsa.dyndns.org">http://lists.debian.org/[🔎] 20130619094032.GA24875@videosgsa.dyndns.org