[Tech] iptables and redirect (or whatever else)

Simone Piccardi piccardi@firenze.linux.it
Mon 5 Jul 2004 18:33:53 CEST


On Mon, 2004-07-05 at 17:36, Franco Vite wrote:
> I'm attaching the iptables-save output (cleaned of all the experiments, so
> pristine as far as the redirect is concerned).

-A INPUT -i lo -j ACCEPT 
-A INPUT -s 255.0.0.0/255.0.0.0 -i eth1 -j DROP 
-A INPUT -s 0.0.0.0/255.0.0.0 -i eth1 -j DROP 
-A INPUT -s 127.0.0.0/255.0.0.0 -i eth1 -j DROP 
-A INPUT -s 192.168.0.0/255.255.0.0 -i eth1 -j DROP 
-A INPUT -s 172.16.0.0/255.240.0.0 -i eth1 -j DROP 
-A INPUT -s 10.0.0.0/255.0.0.0 -i eth1 -j DROP 
-A INPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP 
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT 
-A INPUT -i eth1 -m state --state INVALID,NEW -j DROP 
-A INPUT -p icmp -m icmp --icmp-type 8 -m length --length 128:65535 -j DROP 
-A INPUT -i eth0 -j ACCEPT 
-A FORWARD -i eth1 -m state --state INVALID,NEW -j DROP 
-A FORWARD -p icmp -m icmp --icmp-type 8 -m length --length 128:65535 -j DROP 
-A FORWARD -m pkttype --pkt-type multicast -j DROP 
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu 
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A OUTPUT -o lo -j ACCEPT 
-A OUTPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT 
-A OUTPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT 
-A OUTPUT -j DROP 

Here on FORWARD you drop NEW, so no connection will ever get started for you.

Firewalls are built with a DROP policy.

This should be enough for you:
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -i eth0 -m state --state NEW -j ACCEPT 
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT #from outside as well?
-A INPUT -j DROP
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT 
-A OUTPUT -j DROP 
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -i eth1 -p tcp -m state --state NEW --dport 80 -j ACCEPT
-A FORWARD -j DROP 

well, elaborate on it as you like ...

Bye
Simone
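
As an added example (not code from either poster), the Python below walks a FORWARD chain with iptables' first-match semantics for a constructed unicast TCP SYN in conntrack state NEW, showing why Franco's first FORWARD rule drops every new connection arriving on eth1 and what Simone's proposed chain does instead. It assumes a DROP chain policy, adds `-p tcp` to the proposed port-80 rule because `--dport` requires a protocol match, and models only the interface, protocol, state, port and packet-type matches, since tcp-flags, icmp-type and length do not change the outcome for a plain TCP SYN in these chains.

```python
# Added example: first-match walk over a FORWARD chain for a constructed TCP SYN.
import shlex

# Franco's FORWARD rules from the iptables-save above (e-mail line wraps joined).
ORIGINAL = """
-A FORWARD -i eth1 -m state --state INVALID,NEW -j DROP
-A FORWARD -p icmp -m icmp --icmp-type 8 -m length --length 128:65535 -j DROP
-A FORWARD -m pkttype --pkt-type multicast -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
"""
# Simone's proposal; "-p tcp" is added here (assumption) because --dport needs a protocol.
PROPOSED = """
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -p tcp -m state --state NEW --dport 80 -j ACCEPT
-A FORWARD -j DROP
"""
TERMINATING = {"ACCEPT", "DROP", "REJECT"}  # TCPMSS, LOG etc. fall through

def parse(text):
    """Keep only the matches modelled here; tcp-flags, icmp-type, length do not affect a TCP SYN."""
    rules = []
    for line in text.splitlines():
        toks = shlex.split(line)
        if len(toks) < 2 or toks[0] != "-A":
            continue
        rule = {"chain": toks[1]}
        for i, t in enumerate(toks[:-1]):
            if t in ("-i", "-p", "--state", "--dport", "--pkt-type", "-j"):
                rule[t] = toks[i + 1]
        if "--state" in rule:
            rule["--state"] = set(rule["--state"].split(","))
        rules.append(rule)
    return rules

def verdict(rules, chain, policy, iface, proto, state, dport, pkttype="unicast"):
    """Target of the first matching terminating rule in `chain`, else the chain policy."""
    for r in rules:
        if r["chain"] != chain or r.get("-i", iface) != iface:
            continue
        if r.get("-p", proto) != proto or r.get("--pkt-type", pkttype) != pkttype:
            continue
        if state not in r.get("--state", {state}) or r.get("--dport", str(dport)) != str(dport):
            continue
        if r.get("-j") in TERMINATING:
            return r["-j"]
    return policy

def compare(dport):
    """Verdict for a NEW TCP SYN arriving on eth1 in each ruleset, with a DROP policy."""
    return {name: verdict(parse(text), "FORWARD", "DROP", "eth1", "tcp", "NEW", dport)
            for name, text in (("original", ORIGINAL), ("proposed", PROPOSED))}
```

`compare(80)` gives DROP for the original chain and ACCEPT for the proposed one; `compare(22)` gives DROP for both, because the proposed chain only opens port 80 before its final DROP.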