[CB-lug] firewall
robertom
ulivo15@yahoo.it
Mon 12 Feb 2007 19:31:24 CET
oooooooops, the attachment didn't go through, let's hope
this time it works
regards
-------------- next part --------------
#!/bin/sh
#--------------firewall activation-----------------------------------------
# Reset the filter table and set a default-deny policy on all three chains.
# -F flushes only the filter table (nat and mangle are untouched); -X removes
# any user-defined chains left over from a previous run.
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Allow loopback traffic (local processes talking to each other). Match on the
# interface only: loopback packets can carry any of the host's own addresses,
# not just 127.0.0.1, and this must come before the ICMP rule below so that
# pinging localhost keeps working.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Deny new connection attempts from outside; the LOG rules (commented out)
# record them in the kernel log under /var/log with the given prefix.
#iptables -A INPUT -i eth1 -s 127.0.0.1 -j LOG --log-prefix tentativo_spoofing
#iptables -A INPUT -i eth0 -s 127.0.0.1 -j LOG --log-prefix tentativo_spoofing
#iptables -A INPUT -i ppp0 -s 127.0.0.1 -j LOG --log-prefix tentativo_spoofing
#iptables -A INPUT -i eth0 -m state --state NEW -j LOG --log-prefix tentativo_connessione
#iptables -A INPUT -i eth1 -m state --state NEW -j LOG --log-prefix tentativo_connessione
#iptables -A INPUT -i ppp0 -m state --state NEW -j LOG --log-prefix tentativo_connessione
iptables -A INPUT -i eth1 -m state --state NEW -j DROP
iptables -A INPUT -i eth0 -m state --state NEW -j DROP
iptables -A INPUT -i ppp0 -m state --state NEW -j DROP
# Deny ICMP echo-requests only. The rule as originally posted dropped every
# ICMP type, which also discards the ICMP error messages (e.g.
# fragmentation-needed) that path MTU discovery relies on, because this rule
# is evaluated before the ESTABLISHED,RELATED accept at the end.
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
# Anti-spoofing blocks: a loopback source address must never arrive on a
# real interface (rp_filter, enabled below, covers the general case).
#iptables -A INPUT -i eth1 -s 127.0.0.1 -j LOG --log-prefix spoofing_superato
#iptables -A INPUT -i eth0 -s 127.0.0.1 -j LOG --log-prefix spoofing_superato
#iptables -A INPUT -i ppp0 -s 127.0.0.1 -j LOG --log-prefix spoofing_superato
iptables -A INPUT -i eth1 -s 127.0.0.1 -j DROP
iptables -A INPUT -i eth0 -s 127.0.0.1 -j DROP
iptables -A INPUT -i ppp0 -s 127.0.0.1 -j DROP
# Enable reverse-path filtering on every interface: packets whose source
# address would not be routed back out the interface they arrived on are dropped
for i in /proc/sys/net/ipv4/conf/*/rp_filter;
do
echo 1 > "$i"
done
# Ensure source routing is OFF
for i in /proc/sys/net/ipv4/conf/*/accept_source_route;
do
echo 0 > "$i"
done
# Ensure TCP SYN cookies protection is enabled
[ -e /proc/sys/net/ipv4/tcp_syncookies ] &&\
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Ensure ICMP redirects are disabled
for i in /proc/sys/net/ipv4/conf/*/accept_redirects;
do
echo 0 > "$i"
done
# Ensure oddball (martian) source addresses are logged
[ -e /proc/sys/net/ipv4/conf/all/log_martians ] &&\
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
# Ignore broadcast pings (smurf amplification) and bogus ICMP error replies
[ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ] &&\
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
[ -e /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ] &&\
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Allow replies to connections we opened (and related traffic) in, and let the
# host open anything outbound
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#--------------end firewall activation-----------------------------------------
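As an added check that is not part of the posted script or of the list's material: a POSIX sh audit that reads every sysctl the script sets (rp_filter, accept_source_route, accept_redirects and log_martians per interface; tcp_syncookies, icmp_echo_ignore_broadcasts and icmp_ignore_bogus_error_responses globally) and reports each one that is missing or holds a different value. The tree root is a parameter, so the same function can be pointed at the real /proc/sys/net/ipv4 or at a constructed fixture; the function names, the fixture built by build_fixture and the deliberately regressed eth0 rp_filter value are my own assumptions for the demonstration.

```shell
#!/bin/sh
# Audit the /proc/sys/net/ipv4 hardening that the posted firewall script
# writes. The tree root is an argument so the same function can be run
# against the live kernel or against a constructed fixture (added example;
# function names and the fixture are assumptions, not from the original post).

# Per-interface knobs expected under conf/<iface>/ (name=value, whitespace separated).
PER_IFACE_KNOBS="rp_filter=1 accept_source_route=0 accept_redirects=0 log_martians=1"

# Global knobs expected directly under the root.
GLOBAL_KNOBS="tcp_syncookies=1 icmp_echo_ignore_broadcasts=1 icmp_ignore_bogus_error_responses=1"

# check_knob FILE EXPECTED: print a finding and return 1 unless FILE holds EXPECTED.
check_knob() {
    file=$1
    want=$2
    if [ ! -r "$file" ]; then
        echo "MISSING  $file"
        return 1
    fi
    got=$(cat "$file")
    if [ "$got" != "$want" ]; then
        echo "MISMATCH $file = $got (want $want)"
        return 1
    fi
    return 0
}

# audit_ipv4_hardening ROOT: check every knob, print one line per finding and
# return the number of findings (0 means the tree matches what the script sets).
audit_ipv4_hardening() {
    root=$1
    findings=0
    # Per-interface knobs must hold on every conf/* entry, "all" and "default"
    # included: the kernel combines "all" with the per-interface value and
    # copies "default" onto interfaces that are created later.
    for dir in "$root"/conf/*/; do
        [ -d "$dir" ] || continue
        for kv in $PER_IFACE_KNOBS; do
            check_knob "${dir}${kv%%=*}" "${kv#*=}" || findings=$((findings + 1))
        done
    done
    for kv in $GLOBAL_KNOBS; do
        check_knob "$root/${kv%%=*}" "${kv#*=}" || findings=$((findings + 1))
    done
    return $findings
}

# build_fixture DIR: construct a tree shaped like /proc/sys/net/ipv4 with
# interfaces all/default/lo/eth0 and every knob at its hardened value.
# This is constructed sample data, not captured from a real host.
build_fixture() {
    d=$1
    for iface in all default lo eth0; do
        mkdir -p "$d/conf/$iface"
        for kv in $PER_IFACE_KNOBS; do
            echo "${kv#*=}" > "$d/conf/$iface/${kv%%=*}"
        done
    done
    for kv in $GLOBAL_KNOBS; do
        echo "${kv#*=}" > "$d/${kv%%=*}"
    done
}

# With an argument, audit that tree (e.g. /proc/sys/net/ipv4 on the firewall
# host); without one, demonstrate on the fixture with one knob deliberately
# regressed after the "script" set it.
if [ $# -gt 0 ]; then
    audit_ipv4_hardening "$1"
else
    tmp=$(mktemp -d)
    build_fixture "$tmp"
    echo 0 > "$tmp/conf/eth0/rp_filter"
    audit_ipv4_hardening "$tmp"
    echo "findings: $?"
    rm -rf "$tmp"
fi
```

Run it as `sh audit.sh /proc/sys/net/ipv4` on the firewall host after the script has been applied. The script's globs only touch interfaces that exist at the time it runs; a ppp0 link that comes up later inherits conf/default, so checking that conf/default matches (which this audit does) is what guarantees the dial-up interface is covered too.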
More information about the Lugcb mailing list