Mason
19-01-2004, 13:17
In your opinion, does this little iptables script make sense?
It should be a bit redundant, but I prefer it that way, maybe also because I'll add the possibility of external access to ssh for some IPs.
#!/bin/bash
# a few variables to make maintenance easier if needed
LOCALIF=eth0
WWWIF=ppp0
IPTABLES=/usr/sbin/iptables
SERVICES="ssh smtp http 631"
$IPTABLES -F                       # flush the chains
$IPTABLES -X logging 2>/dev/null   # delete the user chains if they exist (the error on the first run is harmless)
$IPTABLES -X filtering 2>/dev/null
$IPTABLES -N logging
$IPTABLES -N filtering
$IPTABLES -A INPUT -j logging
$IPTABLES -A INPUT -j filtering
$IPTABLES -A FORWARD -j logging
$IPTABLES -A FORWARD -j filtering
$IPTABLES -P INPUT DROP
################################################################################
# logging
################################################################################
$IPTABLES -A logging -i $WWWIF -m state --state NEW -p all -j LOG   # hmm, I log a bit too much...
################################################################################
# filtering
################################################################################
for i in $SERVICES ; do
    $IPTABLES -A filtering -p tcp -i $WWWIF --dport $i -j DROP
    $IPTABLES -A filtering -p udp -i $WWWIF --dport $i -j DROP
done
$IPTABLES -A filtering -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A filtering -m state ! -i $WWWIF --state NEW -j ACCEPT   # "! -i" is the current negation syntax; old iptables versions accepted "-i !"
$IPTABLES -A filtering -j DROP
Am I logging too much stuff? Later I'd like to set up psad to analyze the logs; I still have to try it and don't really know what it does, but can anyone tell me whether that program is any good or whether there are alternatives?
One last little thing: can anyone briefly tell me what PF_PACKET is? I think it has something to do with virtual interfaces, but I'm not sure.
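An added example, not the poster's script: it writes the same policy in iptables-restore format so the rule set can be reviewed before loading, rate-limits and prefixes the LOG rule (the "am I logging too much" concern, and a prefix psad or grep can key on), sets FORWARD to DROP as well, and opens ssh from the WAN side only to a list of admin addresses. The values of WWWIF, SERVICES and ADMIN_IPS are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the original poster's script. It prints the rule set in
# iptables-restore format instead of calling iptables rule by rule, so the
# result can be reviewed (or diffed) before loading it with:
#   gen_rules | iptables-restore
# All values below are constructed placeholders.
WWWIF=ppp0
SERVICES="22 25 80 631"            # ssh smtp http ipp, numeric so no /etc/services lookup is needed
ADMIN_IPS="192.0.2.10 192.0.2.11"  # addresses allowed to reach ssh from the WAN side

gen_rules() {
  echo '*filter'
  echo ':INPUT DROP [0:0]'
  echo ':FORWARD DROP [0:0]'       # the original only set a DROP policy on INPUT
  echo ':OUTPUT ACCEPT [0:0]'
  echo ':logging - [0:0]'
  echo ':filtering - [0:0]'
  echo '-A INPUT -j logging'
  echo '-A INPUT -j filtering'
  echo '-A FORWARD -j logging'
  echo '-A FORWARD -j filtering'
  # log only NEW connections from the WAN side, at most 5/min after a burst of 10,
  # with a fixed prefix so psad or grep can pick the lines out of the kernel log
  echo "-A logging -i $WWWIF -m state --state NEW -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix \"FW-NEW: \""
  # ssh from the admin addresses only; these ACCEPTs must come before the DROPs
  for ip in $ADMIN_IPS; do
    echo "-A filtering -i $WWWIF -s $ip -p tcp --dport 22 -m state --state NEW -j ACCEPT"
  done
  for port in $SERVICES; do
    echo "-A filtering -i $WWWIF -p tcp --dport $port -j DROP"
    echo "-A filtering -i $WWWIF -p udp --dport $port -j DROP"
  done
  echo '-A filtering -m state --state ESTABLISHED,RELATED -j ACCEPT'
  echo "-A filtering ! -i $WWWIF -m state --state NEW -j ACCEPT"   # LAN and loopback
  echo '-A filtering -j DROP'
  echo 'COMMIT'
}

# number of generated lines matching a pattern (pattern '' counts every line)
count_rules() { gen_rules | grep -c -- "$1"; }
```

Because the ACCEPT for admin addresses is emitted before the port DROPs, it wins for those sources while everything else hitting port 22 from the WAN is still dropped.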