maybe I've figured it out<br>there had been thousands of log files<br><br>deleting it took a while but in the end it managed<br> fwgigi.sh<br><br><br>
#!/bin/bash<br><br>
LOCALE=eth0<br>
INTERNET=ppp0<br><br>
############################## Flush any existing rules<br><br>
/sbin/iptables -v -t filter -F INPUT<br>
/sbin/iptables -v -t filter -F OUTPUT<br>
/sbin/iptables -v -t filter -F FORWARD<br>
/sbin/iptables -v -t nat -F PREROUTING<br>
/sbin/iptables -v -t nat -F POSTROUTING<br>
/sbin/iptables -v -t nat -F OUTPUT<br><br>
#iptables -F INPUT<br>
#iptables -F OUTPUT<br>
#iptables -F FORWARD<br>
#iptables -F -t nat<br><br>
############################## Set default policies<br><br>
# Only let outgoing packets through; everything inbound or forwarded is dropped unless a rule below accepts it<br>
/sbin/iptables -v -t filter -P INPUT DROP<br>
/sbin/iptables -v -t filter -P OUTPUT ACCEPT<br>
/sbin/iptables -v -t filter -P FORWARD DROP<br><br>
#iptables -P INPUT DROP<br>
#iptables -P OUTPUT ACCEPT<br>
#iptables -P FORWARD DROP<br><br>
# Enable IP forwarding<br>
echo 1 > /proc/sys/net/ipv4/ip_forward<br><br>
# Forward packets from the internal network to the internet<br>
/sbin/iptables -A FORWARD -i $LOCALE -o $INTERNET -j ACCEPT<br>
# enable masquerading (source NAT) on the internet interface<br>
/sbin/iptables -t nat -A POSTROUTING -o $INTERNET -j MASQUERADE<br><br>
# accept replies to connections already opened towards the internet<br>
/sbin/iptables -A FORWARD -i $INTERNET -o $LOCALE -m state --state ESTABLISHED,RELATED -j ACCEPT<br>
/sbin/iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT<br><br>
# accept all connections to this machine from the local network and from loopback<br>
/sbin/iptables -A INPUT -i $LOCALE -s 0/0 -d 0/0 -j ACCEPT<br>
/sbin/iptables -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT<br>
# do not forward packets that come in from the internet back out to the internet<br>
/sbin/iptables -A FORWARD -i $INTERNET -o $INTERNET -j DROP<br><br>
# drop connections from private (spoofed) addresses arriving from the internet<br>
/sbin/iptables -A INPUT -i $INTERNET -s 192.168.0.0/24 -j DROP<br>
/sbin/iptables -A INPUT -i $INTERNET -s 172.16.0.0/12 -j DROP<br>
/sbin/iptables -A INPUT -i $INTERNET -s 10.0.0.0/8 -j DROP<br>
/sbin/iptables -A INPUT -i $INTERNET -s 127.0.0.0/8 -j DROP<br><br>
# block ping of death (really a rate limit: echo requests above 1/s are dropped by the second rule)<br>
/sbin/iptables -A INPUT -i $INTERNET -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT<br>
/sbin/iptables -A INPUT -i $INTERNET -p icmp --icmp-type echo-request -j DROP<br><br>
# Block Furtive port scanner<br>
# Note: unlike the ICMP pair above, the two limit rules below have no DROP after them,<br>
# so packets above the limit simply fall through to the rules further down<br>
/sbin/iptables -A INPUT -p tcp -i $INTERNET --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT<br><br>
# Block Syn-flood<br>
/sbin/iptables -A INPUT -p tcp -i $INTERNET --syn -m limit --limit 1/s -j ACCEPT<br><br>
# accept connections on port 22 (ssh)<br>
/sbin/iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 22 --syn -j ACCEPT<br>
#/sbin/iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 25 --syn -j ACCEPT<br><br>
# accept connections on port 8001 (motion)<br>
#/sbin/iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 8001 --syn -j ACCEPT<br>
# accept connections on port 24 -> ssh on 192.168.0.2<br>
#/sbin/iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 24 -j ACCEPT<br>
#/sbin/iptables -t nat -A PREROUTING -i $INTERNET -p tcp -s 0/0 -d 0/0 --destination-port 24 -j DNAT --to 192.168.0.2:22<br>
#/sbin/iptables -A FORWARD -i $INTERNET -p tcp -d 192.168.0.2 --dport 22 -j ACCEPT<br><br>
# accept connections on port 10000 (webmin)<br>
/sbin/iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 10000 --syn -j ACCEPT<br><br>
# accept connections on ports 20,21 (ftp)<br>
/sbin/iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 21 --syn -j ACCEPT<br>
/sbin/iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 20 --syn -j ACCEPT<br><br>
# xmule/edonkey<br>
/sbin/iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 4661 -j ACCEPT<br>
/sbin/iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 4662 -j ACCEPT<br>
/sbin/iptables -A INPUT -p udp -s 0/0 -d 0/0 --destination-port 4665 -j ACCEPT<br>
/sbin/iptables -A INPUT -p udp -s 0/0 -d 0/0 --destination-port 4672 -j ACCEPT<br>
# forward to ciccio<br>
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 4662 -i $INTERNET -j DNAT --to 192.168.1.51:4662<br>
/sbin/iptables -A FORWARD -i $INTERNET -o $LOCALE -p tcp --dport 4662 -d 192.168.1.51 -j ACCEPT<br><br><br><br>
<div><span class="gmail_quote">On 01/09/06, <b class="gmail_sendername">maxxer</b> <<a href="mailto:maxxer_@imilesi.it">maxxer_@imilesi.it</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
gigiv wrote:<br>> it seems to me that at least this way it refuses the connection<br>><br>> the fact remains that I can neither access nor delete<br>> /var/log/samba<br>that is a mystery<br><br>anyway, I would look into why connections from the internet get<br>all the way to your samba server. some iptables rules, while we're at it? :)<br><br><br>bye<br>maxxer<br>_______________________________________________<br>glux mailing list<br><a href="mailto:glux@lists.linux.it">glux@lists.linux.it</a><br><a href="http://lists.linux.it/listinfo/glux">http://lists.linux.it/listinfo/glux</a><br><a href="http://www.lecco.linux.it">http://www.lecco.linux.it</a><br></blockquote></div><br>
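An added audit script, not part of this thread and not part of fwgigi.sh, that answers the two questions a reader of the script above would want checked: which ports the INPUT chain actually accepts from the internet interface (rules written without `-i` apply to every interface, ppp0 included), and which `-m limit ... -j ACCEPT` rules have no DROP for the same match behind them, so that packets above the limit fall through to the rules below and the limit throttles nothing. The ruleset it reads is a constructed subset of the script with `$INTERNET` and `$LOCALE` expanded to ppp0 and eth0; everything else is plain POSIX sh and awk.

```shell
#!/bin/sh
# Added example (not from the thread): audit a fwgigi.sh-style ruleset.
#   1. ports_reachable_from IFACE  - INPUT ACCEPT rules that open a port on IFACE,
#      either explicitly (-i IFACE) or implicitly (no -i at all)
#   2. ineffective_limit_rules     - "-m limit ... -j ACCEPT" rules not followed by a
#      DROP with the same match, i.e. limits that do not actually limit anything

# Constructed sample: a subset of fwgigi.sh with $INTERNET=ppp0, $LOCALE=eth0.
SAMPLE_RULES='
/sbin/iptables -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -s 0/0 -d 0/0 -j ACCEPT
# "Block Syn-flood": limit with no DROP behind it
/sbin/iptables -A INPUT -p tcp -i ppp0 --syn -m limit --limit 1/s -j ACCEPT
# "block ping of death": limit followed by a DROP for the same match
/sbin/iptables -A INPUT -i ppp0 -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
/sbin/iptables -A INPUT -i ppp0 -p icmp --icmp-type echo-request -j DROP
/sbin/iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 22 --syn -j ACCEPT
/sbin/iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 10000 --syn -j ACCEPT
/sbin/iptables -A INPUT -p udp -s 0/0 -d 0/0 --destination-port 4665 -j ACCEPT
'

# Usage: ports_reachable_from IFACE < rules   -> prints "proto/port" per matching rule
ports_reachable_from() {
    awk -v want="$1" '
    /^[[:space:]]*#/ { next }
    NF == 0 { next }
    /-A INPUT/ && /-j ACCEPT/ {
        proto = "any"; port = ""; iface = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "-p") proto = $(i + 1)
            if ($i == "-i") iface = $(i + 1)
            if ($i == "--dport" || $i == "--destination-port") port = $(i + 1)
        }
        # no -i means the rule matches on every interface, so it counts for IFACE too
        if (port != "" && (iface == "" || iface == want)) print proto "/" port
    }'
}

# Usage: ineffective_limit_rules < rules   -> prints the match key of each unpaired limit rule
ineffective_limit_rules() {
    awk '
    # The parts of a rule that decide whether a later DROP pairs with it:
    # chain, interface, protocol, and the TCP-flag / ICMP-type selector.
    function match_key(    i, k) {
        k = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "-A" || $i == "-i" || $i == "-p" || $i == "--icmp-type")
                k = k " " $i " " $(i + 1)
            else if ($i == "--tcp-flags")
                k = k " " $i " " $(i + 1) " " $(i + 2)
            else if ($i == "--syn")
                k = k " --syn"
        }
        return k
    }
    /^[[:space:]]*#/ { next }
    NF == 0 { next }
    /-m limit/ && /-j ACCEPT/ { n++; key[n] = match_key(); pos[n] = NR }
    /-j DROP/ { droppos[match_key()] = NR }
    END {
        # a DROP only pairs with a limit rule if it comes after it in the file
        for (r = 1; r <= n; r++)
            if (!(key[r] in droppos) || droppos[key[r]] < pos[r])
                print "no DROP after limit rule:" key[r]
    }'
}

# Run both checks on the sample, exactly as one would on the real script.
audit_sample() {
    echo "== ports reachable from ppp0 =="
    printf '%s\n' "$SAMPLE_RULES" | ports_reachable_from ppp0
    echo "== limit rules that throttle nothing =="
    printf '%s\n' "$SAMPLE_RULES" | ineffective_limit_rules
}

audit_sample
```

To run it against the real script, replace the sample with `sed "s/\$INTERNET/ppp0/g; s/\$LOCALE/eth0/g" fwgigi.sh` piped into the two functions. On the sample, ssh, webmin and the edonkey UDP port show up as reachable from ppp0 even though none of those rules mention an interface, while the Samba ports never appear, so the policy DROP is what keeps them closed; the SYN limit rule is reported because nothing drops the SYNs it does not accept, whereas the ICMP limit rule is not, because its DROP follows it.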