[CB-lug] firewall
    robertom
    ulivo15@yahoo.it
    Mon 12 Feb 2007 19:21:47 CET

Hello, this is my firewall (and it seems to match your needs), to be appended inside rc.local. There is probably something redundant in it, sed in dubio pro ...

#--------------firewall activation----------------
# flush the rules and set the default policy (drop everything)
iptables -F
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# deny access attempts from outside and log them in /var
#iptables -A INPUT -i eth1 -s 127.0.0.1 -j LOG --log-prefix tentativo_spoofing
#iptables -A INPUT -i eth0 -s 127.0.0.1 -j LOG --log-prefix tentativo_spoofing
#iptables -A INPUT -i ppp0 -s 127.0.0.1 -j LOG --log-prefix tentativo_spoofing
#iptables -A INPUT -i eth0 -m state --state NEW -j LOG --log-prefix tentativo_connessione
#iptables -A INPUT -i eth1 -m state --state NEW -j LOG --log-prefix tentativo_connessione
#iptables -A INPUT -i ppp0 -m state --state NEW -j LOG --log-prefix tentativo_connessione
# drop every unsolicited inbound connection on the external interfaces
iptables -A INPUT -i eth1 -m state --state NEW -j DROP
iptables -A INPUT -i eth0 -m state --state NEW -j DROP
iptables -A INPUT -i ppp0 -m state --state NEW -j DROP
# Deny ICMP echo-requests
iptables -A INPUT -p icmp -j DROP
# Anti-spoofing blocks (a loopback source address on a real interface is forged)
#iptables -A INPUT -i eth1 -s 127.0.0.1 -j LOG --log-prefix spoofing_superato
#iptables -A INPUT -i eth0 -s 127.0.0.1 -j LOG --log-prefix spoofing_superato
#iptables -A INPUT -i ppp0 -s 127.0.0.1 -j LOG --log-prefix spoofing_superato
iptables -A INPUT -i eth1 -s 127.0.0.1 -j DROP
iptables -A INPUT -i eth0 -s 127.0.0.1 -j DROP
iptables -A INPUT -i ppp0 -s 127.0.0.1 -j DROP
# Enable reverse-path filtering on every interface
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > "$i"
done
# Ensure source routing is OFF
for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do
    echo 0 > "$i"
done
# Ensure TCP SYN cookies protection is enabled
[ -e /proc/sys/net/ipv4/tcp_syncookies ] && \
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Ensure ICMP redirects are disabled
for i in /proc/sys/net/ipv4/conf/*/accept_redirects; do
    echo 0 > "$i"
done
# Ensure oddball addresses are logged
[ -e /proc/sys/net/ipv4/conf/all/log_martians ] && \
    echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
[ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ] && \
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
[ -e /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ] && \
    echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# load firewall
# Reject TCP packets to privileged ports
# allow loopback (from/to localhost only)
iptables -A INPUT -s 127.0.0.1 -i lo -j ACCEPT
iptables -A OUTPUT -d 127.0.0.1 -o lo -j ACCEPT
# allow connections we requested and those already established
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
#--------------end firewall activation------------
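The same policy, written as an added example and not as the poster's own rc.local snippet: it emits the filter table in iptables-restore syntax, so the whole table is swapped in atomically instead of rule by rule (between `iptables -F` and `iptables -P INPUT DROP` the post's version briefly runs with an accept-all policy), and it emits the /proc writes as a sysctl fragment so they survive a reboot. The interface names eth0, eth1 and ppp0 come from the post; the log prefixes, the 5/min rate limit on the LOG rules the post left commented out, and the /etc/sysctl.d/90-firewall.conf path are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not the poster's script). Same policy as the rc.local
# snippet above, expressed as an iptables-restore ruleset plus a sysctl
# fragment. Log prefixes, the rate limit and the sysctl.d path are assumed.

# gen_ruleset IFACE... : print the filter table in iptables-restore syntax
gen_ruleset() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT DROP [0:0]'
    # loopback only, from/to localhost as in the original
    printf '%s\n' '-A INPUT -i lo -s 127.0.0.1 -j ACCEPT'
    printf '%s\n' '-A OUTPUT -o lo -d 127.0.0.1 -j ACCEPT'
    for ifc in "$@"; do
        # anti-spoofing: a loopback source address on a real interface is
        # logged (rate-limited so a flood cannot fill /var/log) and dropped
        printf '%s\n' "-A INPUT -i $ifc -s 127.0.0.1 -m limit --limit 5/min -j LOG --log-prefix \"spoofing_attempt \""
        printf '%s\n' "-A INPUT -i $ifc -s 127.0.0.1 -j DROP"
        # unsolicited inbound connections: log a sample, then drop
        printf '%s\n' "-A INPUT -i $ifc -m state --state NEW -m limit --limit 5/min -j LOG --log-prefix \"new_conn_attempt \""
        printf '%s\n' "-A INPUT -i $ifc -m state --state NEW -j DROP"
    done
    # no ICMP at all inbound, as in the original
    printf '%s\n' '-A INPUT -p icmp -j DROP'
    # replies to connections this host opened, plus anything outbound
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' 'COMMIT'
}

# gen_sysctl : the /proc writes from the post, as sysctl.conf keys
# ("all" and "default" cover every present and future interface)
gen_sysctl() {
    cat <<'EOF'
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
EOF
}

# check_policies < ruleset : succeed only if all three built-in chains
# default to DROP; a quick guard before loading anything
check_policies() {
    n=$(grep -Ec '^:(INPUT|FORWARD|OUTPUT) DROP ')
    [ "$n" -eq 3 ]
}

# apply_firewall IFACE... : atomic load; needs root, so not run here
apply_firewall() {
    gen_ruleset "$@" | check_policies || return 1
    gen_ruleset "$@" | iptables-restore || return 1
    gen_sysctl > /etc/sysctl.d/90-firewall.conf &&
        sysctl -p /etc/sysctl.d/90-firewall.conf > /dev/null
}

# Stand-alone run: print what would be loaded for the post's three interfaces
gen_ruleset eth0 eth1 ppp0
gen_sysctl
```

Because iptables-restore replaces the table in one commit, a typo in the generated text rejects the whole load and leaves the previous rules in place, which is the failure mode you want on a box reached only over the network.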