[bglug] Problemone con iptables
aba
abaddon83@email.it
Mer 13 Ott 2004 18:58:51 CEST
Rimosso contenuto di tipo multipart/signed-------------- parte successiva --------------
#!/bin/bash
#FIREWALL SERVER BLACKHOLE KIS Stefano Longhi v.1.0.0 06/07/04
#Script ispirato a quello di Gabriele Tozzi che si ringrazia
#SETUP
#ignoro gli icmp redirect
#echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
#disabilito le risposte ai broadcast
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#protezione dai msg di errore bogus
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
#abilito forward
echo "1" > /proc/sys/net/ipv4/ip_forward
#loggo i pacchetti strani
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
#bloccano i syn di troppo
#echo "1" > /proc/sys/net/ipv4/tcp_syncookies
UFFICIO="eth1"
AULA1="eth0"
AULA2="eth3"
PORTATILI="eth2"
UFFICIO_ip="192.168.1.0/24"
AULA1_ip="192.168.2.0/24"
AULA2_ip="192.168.4.0/24"
PORTATILI_ip="192.168.3.0/24"
#reset regole/contatori
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z
#politica
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
#evito di routare pacchetti in multicast
#iptables -A FORWARD -m pkttype --pkt-type multicast -j DROP
#accetto tutto da lo
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
#################################
##REGOLE OUTPUT #
#################################
#accetto connessioni stabilite, related e new
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#################################
##REGOLE INPUT #
#################################
#icmp da AULA1, AULA2, PORTATILI
#iptables -A INPUT -p icmp -i $AULA1 -j ACCEPT
#iptables -A INPUT -p icmp -i $AULA2 -j ACCEPT
#iptables -A INPUT -p icmp -i $PORTATILI -j ACCEPT
#icmp da UFFICIO
#iptables -A INPUT -p icmp -i $UFFICIO --icmp-type destination-unreachable -j ACCEPT
#iptables -A INPUT -p icmp -i $UFFICIO --icmp-type echo-request -j ACCEPT
#iptables -A INPUT -p icmp -i $UFFICIO -m state --state related -j ACCEPT
#ssh
iptables -A INPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -i $UFFICIO -j ACCEPT
#http
iptables -A INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
#ftp
iptables -A INPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
#mysql
iptables -A INPUT -p tcp --dport 3336 -m state --state NEW,ESTABLISHED -i $UFFICIO -j ACCEPT
#ut2004
iptables -A INPUT -p tcp --dport 7777 -i $UFFICIO -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp --dport 7777 -i $UFFICIO -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 7778 -i $UFFICIO -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp --dport 7778 -i $UFFICIO -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 8888 -i $UFFICIO -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state RELATED -p icmp -j ACCEPT
#monitoraggio traffico bloccato
#iptables -A INPUT -i $UFFICIO -j loganddrop
#########################################################
##REGOLE FORWARD #
#########################################################
iptables -A FORWARD -d $UFFICIO_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s $UFFICIO_IP -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#UFFICIO -> AULA1
iptables -A FORWARD -i $UFFICIO -o $AULA1 -j ACCEPT
#UFFICIO -> AULA2
iptables -A FORWARD -i $UFFICIO -o $AULA2 -s 192.168.1.0/24 -j ACCEPT
#UFFICIO -> PORTATILI
iptables -A FORWARD -i $UFFICIO -o $PORTATILI -s 192.168.1.0/24 -j ACCEPT
iptables -A FORWARD -s $AULA1_ip -o $UFFICIO -p tcp -m multiport --dport 80,21,53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s $AULA1_ip -o $UFFICIO -p tcp -m multiport --dport 80,21,53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s $AULA2_ip -o $UFFICIO -p tcp -m multiport --dport 80,21,53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s $AULA2_ip -o $UFFICIO -p udp -m multiport --dport 80,21,53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s $PORTATILI_ip -o $UFFICIO -p tcp -m multiport --dport 80,21,53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s $PORTATILI_ip -o $UFFICIO -p udp -m multiport --dport 80,21,53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s $PORTATILI_ip -o $UFFICIO -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#REGOLA NON VOLUTA MA NECESSARIA ALTRIMENTI NON SI NAVIGA PIU'!!!!!
iptables -A FORWARD -j ACCEPT
#########################################################
#regole POSTROUTING #
#########################################################
##modulo ip_contract_ftp
#NAT AULA1 https, www, ftp
#iptables -t nat -A POSTROUTING -s $AULA1_ip -o $UFFICIO -j MASQUERADE
iptables -t nat -A POSTROUTING -s $AULA1_ip -o $UFFICIO -p tcp -m multiport --dport 80,21,53 -m state --state NEW,ESTABLISHED,RELATED -j MASQUERADE
iptables -t nat -A POSTROUTING -s $AULA1_ip -o $UFFICIO -p udp -m multiport --dport 80,21,53 -m state --state NEW,ESTABLISHED,RELATED -j MASQUERADE
#NAT $AULA2 https, www, ftp
iptables -t nat -A POSTROUTING -s $AULA2_ip -o $UFFICIO -p tcp -m multiport --dport 80,21,53 -m state --state NEW,ESTABLISHED,RELATED -j MASQUERADE
iptables -t nat -A POSTROUTING -s $AULA2_ip -o $UFFICIO -p udp -m multiport --dport 80,21,53 -m state --state NEW,ESTABLISHED,RELATED -j MASQUERADE
#NAT $PORTATILI https, www, ftp
iptables -t nat -A POSTROUTING -s $PORTATILI_ip -o $UFFICIO -p tcp -m multiport --dport 80,21,53 -m state --state NEW,ESTABLISHED,RELATED -j MASQUERADE
iptables -t nat -A POSTROUTING -s $PORTATILI_ip -o $UFFICIO -p udp -m multiport --dport 80,21,53 -m state --state NEW,ESTABLISHED,RELATED -j MASQUERADE
#####################FINE###############################
Maggiori informazioni sulla lista
bglug