Script for IPTABLES


NZ
03-11-2007, 13:45
I found an old script for IPTABLES that I used before I had a router with a built-in firewall.
Here is the script:


#!/bin/sh
#
# Firewall script for iptables
#

IPT=/usr/sbin/iptables


# SET UP THE POLICIES OF THE MAIN CHAINS

$IPT -t filter -P INPUT DROP
$IPT -t filter -P OUTPUT ACCEPT
$IPT -t filter -P FORWARD DROP
$IPT -t filter -F
$IPT -t filter -X


# CREATE THE 4 NEW AUXILIARY CHAINS

$IPT -t filter -N ppp_in
$IPT -t filter -N syn_flood
$IPT -t filter -N check_in
$IPT -t filter -N ip_halt


# INPUT CHAIN RULES

$IPT -t filter -A INPUT -s 224.0.0.0/8 -j DROP
$IPT -t filter -A INPUT -i lo -j ACCEPT
$IPT -t filter -A INPUT ! -i lo -d 127.0.0.0/8 -j DROP
$IPT -t filter -A INPUT -i ppp0 -j ppp_in
$IPT -t filter -A INPUT -j DROP


# SYN_FLOOD CHAIN RULES

$IPT -t filter -A syn_flood -m limit --limit 1/s --limit-burst 4 -j RETURN
$IPT -t filter -A syn_flood -j DROP


# IP_HALT CHAIN RULES

$IPT -t filter -A ip_halt -s 4.43.108.0/24 -j DROP
$IPT -t filter -A ip_halt -s 4.67.43.0/24 -j DROP
$IPT -t filter -A ip_halt -s 65.215.219.0/24 -j DROP
$IPT -t filter -A ip_halt -s 12.5.248.128/25 -j DROP
$IPT -t filter -A ip_halt -s 151.12.58.0/24 -j DROP
$IPT -t filter -A ip_halt -s 193.43.80.0/21 -j DROP
$IPT -t filter -A ip_halt -s 193.43.106.0/23 -j DROP
$IPT -t filter -A ip_halt -s 193.43.108.0/24 -j DROP
$IPT -t filter -A ip_halt -s 195.120.182.0/24 -j DROP
$IPT -t filter -A ip_halt -s 151.12.60.64/27 -j DROP
$IPT -t filter -A ip_halt -s 151.99.156.160/27 -j DROP
$IPT -t filter -A ip_halt -s 151.99.187.248/29 -j DROP
$IPT -t filter -A ip_halt -s 193.42.1.0/24 -j DROP
$IPT -t filter -A ip_halt -s 194.177.114.208/28 -j DROP
$IPT -t filter -A ip_halt -s 195.223.222.200/29 -j DROP
$IPT -t filter -A ip_halt -s 208.209.2.110/31 -j DROP
$IPT -t filter -A ip_halt -s 208.209.2.112/31 -j DROP
$IPT -t filter -A ip_halt -s 217.228.123.45 -j DROP
$IPT -t filter -A ip_halt -s 64.241.31.0/24 -j DROP
$IPT -t filter -A ip_halt -j RETURN


# CHECK_IN CHAIN RULES

$IPT -t filter -A check_in -p tcp --dport 0:1023 -j DROP
$IPT -t filter -A check_in -p udp --dport 0:1023 -j DROP
$IPT -t filter -A check_in -p tcp --dport 6000:6063 -j DROP
$IPT -t filter -A check_in -p udp --dport 6000:6063 -j DROP
$IPT -t filter -A check_in -p tcp --dport 10000 -j DROP
$IPT -t filter -A check_in -p tcp --dport 32768 -j DROP
$IPT -t filter -A check_in -p udp --dport 32768 -j DROP
$IPT -t filter -A check_in -j RETURN


# PPP_IN CHAIN RULES

$IPT -t filter -A ppp_in -s 192.168.0.0/24 -j DROP
$IPT -t filter -A ppp_in -d 192.168.0.0/24 -j DROP
$IPT -t filter -A ppp_in -s 127.0.0.0/8 -j DROP
$IPT -t filter -A ppp_in -d 127.0.0.0/8 -j DROP
$IPT -t filter -A ppp_in -d 224.0.0.0/4 -j DROP
$IPT -t filter -A ppp_in -m state --state INVALID -j DROP
$IPT -t filter -A ppp_in -j ip_halt
$IPT -t filter -A ppp_in -p tcp --syn -j syn_flood
$IPT -t filter -A ppp_in -j check_in
$IPT -t filter -A ppp_in -p tcp -m tcp --dport 31831 -j ACCEPT # ed2k
$IPT -t filter -A ppp_in -p udp -m udp --dport 43602 -j ACCEPT # ed2k
$IPT -t filter -A ppp_in -p tcp -m tcp --dport 43467 -j ACCEPT # torrent
$IPT -t filter -A ppp_in -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -t filter -A ppp_in -j DROP


# OUTPUT CHAIN RULES

$IPT -t filter -A OUTPUT -p tcp -m tcp --dport 135:139 -j DROP
$IPT -t filter -A OUTPUT -p tcp -m tcp --dport 445 -j DROP
$IPT -t filter -A OUTPUT -p tcp -m tcp --sport 135:139 -j DROP
$IPT -t filter -A OUTPUT -p tcp -m tcp --sport 445 -j DROP


# IMPORTANT!
#
# The IPs blocked by the ip_halt chain are the following:
# The lists of IPs to block can be downloaded from:
# http://xs.tech.nu/
# Once you have the list and have saved it to a .txt file, you can
# convert it into iptables commands using the tool available at:
# http://www.bluetack.co.uk



I would like to reuse this script, but now I no longer use a 56k modem (and its ppp0 interface) but a router with IP=192.168.0.1, and my linux_box has IP=192.168.0.2 (DHCP is disabled!)

How do I change the following line??
$IPT -t filter -A INPUT -i ppp0 -j ppp_in

Instead of -i ppp0 I tried -i eth0 or -S 192.168.0.1, but nothing works, in the sense that I can no longer browse :(

Suggestions?

thanks a lot :)

Shang Tsung
03-11-2007, 16:44
Leaving aside the fact that, now that you have a router, I don't see the point of closing ports on your linux box sitting behind the router if you close the ports on the router itself and don't do any port forwarding

it's fine if you put eth0 in place of ppp0 (if eth0 is the one attached to the router), but then this part of the firewall:

# PPP_IN CHAIN RULES

$IPT -t filter -A ppp_in -s 192.168.0.0/24 -j DROP
$IPT -t filter -A ppp_in -d 192.168.0.0/24 -j DROP

is not right if, as you say, you have a router with IP=192.168.0.1 and the linux_box has IP=192.168.0.2
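The adaptation described in this reply, written out as an added example (this is not the poster's script nor anything from the thread): ppp0 becomes eth0, the ppp_in chain is rebuilt as a hypothetical lan_in chain without the two rules that drop 192.168.0.0/24, and the blocklist chain is left out. It assumes the box is on eth0 in 192.168.0.0/24 with the router at 192.168.0.1.

```shell
#!/bin/sh
# Added example (not the poster's script): the same firewall adapted for a
# Linux box on a LAN behind a router. Assumed: the box sits on eth0 in
# 192.168.0.0/24 and the router is 192.168.0.1; override via environment.
# Run as root with the argument "apply"; with IPT=echo it only prints rules.
IPT="${IPT:-/usr/sbin/iptables}"
LAN_IF="${LAN_IF:-eth0}"
lan_rules() {
    # Default policies and a clean slate: nothing enters unless accepted below
    $IPT -t filter -P INPUT DROP
    $IPT -t filter -P OUTPUT ACCEPT
    $IPT -t filter -P FORWARD DROP
    $IPT -t filter -F
    $IPT -t filter -X
    $IPT -t filter -N lan_in
    $IPT -t filter -N syn_flood
    $IPT -t filter -N check_in

    # INPUT: loopback is trusted, spoofed loopback is not, LAN goes to lan_in
    $IPT -t filter -A INPUT -i lo -j ACCEPT
    $IPT -t filter -A INPUT ! -i lo -d 127.0.0.0/8 -j DROP
    $IPT -t filter -A INPUT -i "$LAN_IF" -j lan_in
    $IPT -t filter -A INPUT -j DROP

    $IPT -t filter -A syn_flood -m limit --limit 1/s --limit-burst 4 -j RETURN
    $IPT -t filter -A syn_flood -j DROP

    # Local ports that must never be reachable from the network
    $IPT -t filter -A check_in -p tcp --dport 0:1023 -j DROP
    $IPT -t filter -A check_in -p udp --dport 0:1023 -j DROP
    $IPT -t filter -A check_in -p tcp --dport 6000:6063 -j DROP
    $IPT -t filter -A check_in -j RETURN

    # lan_in is ppp_in without the two rules that dropped 192.168.0.0/24: on a
    # LAN interface every packet comes from that prefix (the router is the next
    # hop), so those rules cut the box off completely.
    $IPT -t filter -A lan_in -s 127.0.0.0/8 -j DROP
    $IPT -t filter -A lan_in -m state --state INVALID -j DROP
    # Replies to connections the box opened are accepted before any --dport
    # filter, so a reply can never be dropped by check_in.
    $IPT -t filter -A lan_in -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -t filter -A lan_in -p tcp --syn -j syn_flood
    $IPT -t filter -A lan_in -j check_in
    # New inbound connections: only the service the router forwards to the box
    $IPT -t filter -A lan_in -p tcp --dport 43467 -j ACCEPT   # torrent
    $IPT -t filter -A lan_in -j DROP
}

if [ "${1:-}" = apply ]; then lan_rules; fi
```

Ports accepted in lan_in only matter for connections the router actually forwards to 192.168.0.2; everything else from the Internet is already stopped at the router.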