Hardware Upgrade Forum - View Single Post

HexDEF6 · 25-05-2004, 18:46

Beh ecco il mio firewall (sono partito da uno gia fatto e poi ho tolto/aggiunto/modificato):
Non e' il massimo della sicurezza, ma almeno qualcosa fa' (p.s. chi usa la rete interna e' piu' che fidato: se combinano qualcosa gli spezzo le braccine!!

)

Codice:

#!/bin/sh

# The location of the IPtables binary file on your system.
IPT="/sbin/iptables"

# The Network Interface you will be protecting. For ADSL/dialup users,
# ppp0 should be fine. If you are using a cable internet connection or
# are connected to a LAN, you will have to change this to "eth0".
INT="ppp0"

# The following rules will clear out any existing firewall rules, 
# and any chains that might have been created.
$IPT -F
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD
$IPT -F -t mangle
$IPT -F -t nat
$IPT -X

# These will setup our policies.
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT

# The following line below enables IP forwarding and thus 
# by extension, NAT. Turn this on if you're going to be 
# doing NAT or IP Masquerading.
echo 1 > /proc/sys/net/ipv4/ip_forward

# Source NAT everything heading out the $INT (external) 
# interface to be the given IP. 
$IPT -t nat -A POSTROUTING -o $INT -j MASQUERADE -s 192.168.0.0/24 -d 0/0

# If you would like to forward specific ports to other machines
# on your home network, edit and uncomment the rules below. They are
# currently set up to forward port 25 & 53 (Mail & DNS) to 10.1.1.51. 
# Anything incoming over your $INT through your gateway will 
# be automatically redirected invisibly to port 25 & 53 on 10.1.1.51
$IPT -A FORWARD -i $INT -m state --state INVALID -j DROP
# regole per ridirigere sul pc interno (192.168.0.1)
# -ssh: contattare l'ip pubblico sulla porta 2000
# -gnomemmeeting
# -vncconnect
$IPT -t nat -A PREROUTING -p tcp --dport 2000 -i ppp0 -j DNAT --to 192.168.0.1:22
$IPT -t nat -A PREROUTING -s 0/0  -i $INT -p tcp --dport 1720 -j DNAT --to-dest 192.168.0.1
$IPT -t nat -A PREROUTING -s 0/0  -i $INT -p tcp --dport 30000:30010 -j DNAT --to-dest 192.168.0.1
$IPT -t nat -A PREROUTING -s 0/0  -i $INT -p udp --dport 5000:5013 -j DNAT --to-dest 192.168.0.1
$IPT -t nat -A PREROUTING -s 0/0  -i $INT -p tcp --dport 5500 -j DNAT --to-dest 192.168.0.1
$IPT -t nat -A PREROUTING -s 0/0  -i $INT -p tcp --dport 5501 -j DNAT --to-dest 192.168.0.1
# Now, our firewall chain. We use the limit commands to 
# cap the rate at which it alerts to 15 log messages per minute.
$IPT -N firewall
$IPT -A firewall -m limit --limit 15/minute -j LOG --log-prefix Firewall:
$IPT -A firewall -j DROP

# Now, our dropwall chain, for the final catchall filter.
$IPT -N dropwall
$IPT -A dropwall -m limit --limit 15/minute -j LOG --log-prefix Dropwall:
$IPT -A dropwall -j DROP

# Our "hey, them's some bad tcp flags!" chain.
$IPT -N badflags
$IPT -A badflags -m limit --limit 15/minute -j LOG --log-prefix Badflags:
$IPT -A badflags -j DROP

# And our silent logging chain.
$IPT -N silent
$IPT -A silent -j DROP

# This rule will accept connections from local machines. If you have
# a home network, enter in the IP's of the machines on the 
# network below.
$IPT -A INPUT -i lo -j ACCEPT

$IPT -A INPUT -i eth0 -s 192.168.0.0/255.255.255.0 -d 192.168.0.254 -p all -j ACCEPT

#
# Drop those nasty packets! These are all TCP flag 
# combinations that should never, ever occur in the
# wild. All of these are illegal combinations that 
# are used to attack a box in various ways, so we 
# just drop them and log them here.
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j badflags
$IPT -A INPUT -p tcp --tcp-flags ALL ALL -j badflags
$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j badflags
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j badflags
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j badflags
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j badflags

# Drop icmp, but only after letting certain types through.
$IPT -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPT -A INPUT -p icmp -j firewall

# If you would like to open up port 22 (SSH Access) to various IP's
# simply edit the IP's below and uncomment the line. If youw wish to 
# enable SSH access from anywhere, uncomment the second line only. 
#accetto connessioni sulle porte:
#-22: ssh
#-80: il mio server web
#-443: https (non voglio usare il webmail con la password che gira in chiaro!)
#-993: imap4 su ssl (non voglio password in chiaro!)
#-995: pop3 su ssl (devo ripetermi?)
#-25: smtp
#-4662:4664 tcp e 4672 udp: un certo mulo!
#-19150: gkrellm2 server! (ma fra poco la tolgo, e per controllare uso un tunnel ssh)
#-6880:6889: beh ormai senza bittorrent dove vai?! 
$IPT -A INPUT -i $INT -s 0/0  -p tcp --dport 22 -j ACCEPT
$IPT -A INPUT -i $INT -s 0/0 -d 0/0 -p tcp --dport 80 -j ACCEPT
$IPT -A INPUT -i $INT -s 0/0 -d 0/0 -p tcp --dport 443 -j ACCEPT
$IPT -A INPUT -i $INT -s 0/0 -d 0/0 -p tcp --dport 993 -j ACCEPT
$IPT -A INPUT -i $INT -s 0/0 -d 0/0 -p tcp --dport 995 -j ACCEPT
$IPT -A INPUT -i $INT -s 0/0 -d 0/0 -p tcp --dport 25 -j ACCEPT
$IPT -A INPUT -i $INT -s 0/0 -d 0/0 -p tcp --dport 4662:4664 -j ACCEPT
$IPT -A INPUT -i $INT -s 0/0 -d 0/0 -p tcp --dport 19150 -j ACCEPT
$IPT -A INPUT -i $INT -s 0/0 -d 0/0 -p udp --dport 4672 -j ACCEPT
$IPT -A INPUT -i $INT -s 0/0 -d 0/0 -p tcp --dport 6880:6889 -j ACCEPT

# Lets do some basic state-matching. This allows us 
# to accept related and established connections, so
# client-side things like ftp work properly, for example.
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Uncomment to drop port 137 netbios packets silently. 
# We don't like that netbios stuff, and it's way too 
# spammy with windows machines on the network.
$IPT -A INPUT -p udp --sport 137 --dport 137 -j silent

# Our final trap. Everything on INPUT goes to the dropwall 
# so we don't get silent drops.
$IPT -A INPUT -j dropwall

Se mi date una mano a renderlo piu' sicuro, ben vengano suggerimenti!

Ciao!