[CB-lug] firewall
robertom
ulivo15@yahoo.it
Mon 12 Feb 2007 19:21:47 CET
Hello, this is my firewall (and it seems to me to match your needs), to be appended at the end of rc.local. There is probably something pleonastic in it, sed in dubio pro ...
#-------------- firewall activation ----------------
# Flush the filter table and set a default DROP policy on every chain
iptables -F
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Deny access attempts from the outside and log them in /var (the LOG rules are commented out)
#iptables -A INPUT -i eth1 -s 127.0.0.1 -j LOG --log-prefix tentativo_spoofing
#iptables -A INPUT -i eth0 -s 127.0.0.1 -j LOG --log-prefix tentativo_spoofing
#iptables -A INPUT -i ppp0 -s 127.0.0.1 -j LOG --log-prefix tentativo_spoofing
#iptables -A INPUT -i eth0 -m state --state NEW -j LOG --log-prefix tentativo_connessione
#iptables -A INPUT -i eth1 -m state --state NEW -j LOG --log-prefix tentativo_connessione
#iptables -A INPUT -i ppp0 -m state --state NEW -j LOG --log-prefix tentativo_connessione
# Drop every new inbound connection on the real interfaces (loopback is handled below)
iptables -A INPUT -i eth1 -m state --state NEW -j DROP
iptables -A INPUT -i eth0 -m state --state NEW -j DROP
iptables -A INPUT -i ppp0 -m state --state NEW -j DROP
# Deny ICMP echo-requests
# Note: this rule matches every ICMP type, and since it comes before the ESTABLISHED,RELATED
# rule below it also drops ICMP errors related to this host's own connections
iptables -A INPUT -p icmp -j DROP
# Anti-spoofing blocks: loopback source address arriving on a real interface
#iptables -A INPUT -i eth1 -s 127.0.0.1 -j LOG --log-prefix spoofing_superato
#iptables -A INPUT -i eth0 -s 127.0.0.1 -j LOG --log-prefix spoofing_superato
#iptables -A INPUT -i ppp0 -s 127.0.0.1 -j LOG --log-prefix spoofing_superato
iptables -A INPUT -i eth1 -s 127.0.0.1 -j DROP
iptables -A INPUT -i eth0 -s 127.0.0.1 -j DROP
iptables -A INPUT -i ppp0 -s 127.0.0.1 -j DROP
# Enable reverse-path filtering on every interface
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > "$i"
done
# Ensure source routing is OFF
for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do
    echo 0 > "$i"
done
# Ensure TCP SYN cookies protection is enabled
[ -e /proc/sys/net/ipv4/tcp_syncookies ] && echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Ensure ICMP redirects are disabled
for i in /proc/sys/net/ipv4/conf/*/accept_redirects; do
    echo 0 > "$i"
done
# Ensure oddball addresses are logged
[ -e /proc/sys/net/ipv4/conf/all/log_martians ] && echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
# Ignore broadcast pings and bogus ICMP error responses
[ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ] && echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
[ -e /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ] && echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Load the firewall
# Reject TCP packets to privileged ports
# Allow loopback traffic (to/from localhost only)
iptables -A INPUT -s 127.0.0.1 -i lo -j ACCEPT
iptables -A OUTPUT -d 127.0.0.1 -o lo -j ACCEPT
# Allow established and related connections inbound; allow any connection outbound
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
#-------------- end firewall activation ------------
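As an added defensive check (my own code, not part of the post), here is a small Python audit that parses an iptables-save style dump and flags ordering pitfalls in a default-DROP host ruleset like the one above, in particular an all-ICMP DROP placed before the ESTABLISHED,RELATED accept. The dump is constructed by hand to mirror the rules above and the parser assumes the `-m state --state` syntax the post uses.

```python
# Constructed sample (assumption): what `iptables-save -t filter` prints after the
# rc.local rules in the post are loaded, in the order they were appended.
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i eth0 -m state --state NEW -j DROP
-A INPUT -i ppp0 -m state --state NEW -j DROP
-A INPUT -p icmp -j DROP
-A INPUT -s 127.0.0.1/32 -i eth0 -j DROP
-A INPUT -s 127.0.0.1/32 -i lo -j ACCEPT
-A OUTPUT -d 127.0.0.1/32 -o lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""

def parse_dump(text):
    """Return ({chain: policy}, [rule dicts]) from iptables-save text."""
    policies, rules = {}, []
    for line in text.splitlines():
        if line.startswith(":"):              # ":CHAIN POLICY [pkts:bytes]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):          # an appended rule
            args = line.split()
            rules.append({"chain": args[1], "args": args[2:], "target": args[-1]})
    return policies, rules

def audit(text):
    """Return human-readable findings; an empty list means no pitfall was found."""
    policies, rules = parse_dump(text)
    findings = [f"{c} policy is {policies.get(c)}, expected DROP"
                for c in ("INPUT", "FORWARD", "OUTPUT") if policies.get(c) != "DROP"]
    inp = [r for r in rules if r["chain"] == "INPUT"]
    def opt(r, flag):  # value following a flag such as "-i" or "--state", else ""
        return r["args"][r["args"].index(flag) + 1] if flag in r["args"] else ""
    def first(pred):  # position of the first INPUT rule satisfying pred, else None
        return next((i for i, r in enumerate(inp) if pred(r)), None)
    est = first(lambda r: "ESTABLISHED" in opt(r, "--state") and r["target"] == "ACCEPT")
    icmp = first(lambda r: opt(r, "-p") == "icmp" and r["target"] == "DROP")
    if est is None:
        findings.append("INPUT never accepts ESTABLISHED,RELATED: replies to own connections are dropped")
    elif icmp is not None and icmp < est:
        findings.append("INPUT drops all ICMP before the ESTABLISHED,RELATED accept: "
                        "RELATED ICMP errors (e.g. fragmentation-needed) for own connections are lost")
    if first(lambda r: opt(r, "-i") == "lo" and r["target"] == "ACCEPT") is None:
        findings.append("INPUT has no loopback ACCEPT rule")
    return findings
```

On a live host, feed it the real output of `iptables-save -t filter` instead of SAMPLE_DUMP.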