[howto] firewall con dmz

[jtclark]

Quote:

Originariamente inviato da HexDEF6

se ho un attimo di tempo si... magari se e' anche un attimo commentato cosi riesco a capire meglio cosa vuoi fare, ci metto meno!

e' commentato un po alla mia maniera mezzo italiano mezzo inglese ma ho tolto le parolacce


#!/bin/bash

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
#
#
# set a few variables
echo "Welcome in ale336"
echo "Alessandra sei la mia vita"
echo " setting global variables"
echo ""
export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
REDHAT=NO ##set yes if run under redhat machine
IPT="`whereis -b iptables | cut -d \" \" -f 2`"

NET="eth0"
WEB=eth0:0
LAN="eth1"
PROXY="eth1:0"
DMZ="eth3"
LO="lo"
CASA=bla.bla.bla.bla

IP_NET=`ifconfig $NET | grep inet| cut -f2 -d:| cut -f1 -d" "`
IP_WEB=`ifconfig $WEB | grep inet| cut -f2 -d:| cut -f1 -d" "`
IP_LAN=`ifconfig $LAN | grep inet| cut -f2 -d:| cut -f1 -d" "`
IP_DMZ=`ifconfig $DMZ | grep inet| cut -f2 -d:| cut -f1 -d" "`
IP_PROXY=`ifconfig $PROXY | grep inet| cut -f2 -d:| cut -f1 -d" "`
IP_LO="127.0.0.1"
RANGE_IP_LAN="192.168.2.0/24"
RANGE_IP_DMZ="192.168.200.0/24"
SERVER_WEB="192.168.200.2"
CLUSTER="192.168.2.10"
IP_WEB_UPDATE=security.debian.org
FTP_WEB_UPDATE=ftp.debian.org

# adjust /proc
echo " applying general security settings to /proc filesystem"
echo ""
if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then echo 1 > /proc/sys/net/ipv4/tcp_syncookies; fi
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter; fi
if [ -e /proc/sys/net/ipv4/ip_forward ]; then echo 1 > /proc/sys/net/ipv4/ip_forward; fi
if [ -e /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ]; then echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses; fi
if [ -e /proc/sys/net/ipv4/conf/all/accept_source_route ]; then echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route; fi
if [ -e /proc/sys/net/ipv4/tcp_ecn ]; then echo 0 > /proc/sys/net/ipv4/tcp_ecn; fi
if [ -e /proc/sys/net/ipv4/conf/all/send_redirects ]; then echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects; fi
if [ -e /proc/sys/net/ipv4/conf/all/secure_redirects ]; then echo 1 > /proc/sys/net/ipv4/conf/all/secure_redirects; fi
if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]; then echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts; fi
if [ -e /proc/sys/net/ipv4/conf/all/accept_redirects ]; then echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects; fi
if [ -e /proc/sys/net/ipv4/netfilter/ip_ct_generic_timeout ]; then echo 120 > /proc/sys/net/ipv4/netfilter/ip_ct_generic_timeout; fi
if [ -f /proc/sys/net/ipv4/conf/eth0/log_martians ]; then echo 1 > /proc/sys/net/ipv4/conf/eth0/log_martians; fi
if [ -f /proc/sys/net/ipv4/conf/eth1/log_martians ]; then echo 0 > /proc/sys/net/ipv4/conf/eth1/log_martians; fi
if [ -f /proc/sys/net/ipv4/tcp_timestamps ]; then echo 1 > /proc/sys/net/ipv4/tcp_timestamps; fi


#pulisco tutto
$IPT -F
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD
$IPT -F -t mangle
$IPT -F -t nat
$IPT -X

#imposto il comportamento di default
$IPT -t nat POSTROUTING -P ACCEPT
$IPT -t nat PREROUTING -P ACCEPT
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP



#creo dei chan nuovi per tipo di connessione
$IPT -N net_to_lan
$IPT -N lan_to_net
$IPT -N web_to_dmz
$IPT -N dmz_to_web
$IPT -N lan_to_dmz
$IPT -N dmz_to_lan
$IPT -N server_to_web
$IPT -N web_to_server
$IPT -N lan_to_server
$IPT -N server_to_lan
$IPT -N dmz_to_server
$IPT -N server_to_dmz

#accetto in input sull'interfaccia LO tutto quello che arriva da se stessa
$IPT -A INPUT -p ALL -i $LO -s $IP_LO -j ACCEPT

$IPT -A OUTPUT -p ALL -o $LO -d $IP_LO -j ACCEPT


#rispondo ai ping (non fondamentale, ma a volte e' comodo)
$IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

#redirigo le chiamate fatte sulla porta 443 al server in DMZ
$IPT -t nat -A PREROUTING -i $WEB -d $IP_WEB -p tcp --dport 443 -j DNAT --to
$SERVER_WEB
#idem per il dns ci metto un bind per fare i giochini
$IPT -t nat -A PREROUTING -i $WEB -d $IP_WEB -p udp --dport 53 -j DNAT --to
$SERVER_WEB

#faccio snat dei computer in LAN altrimenti non escono e si sentono le urla
$IPT -t nat -A POSTROUTING -o $NET -s $RANGE_IP_LAN -j SNAT --to-source
$IP_NET

#divido le connessioni (FORWARD) in base alla provenienza/destinazione
$IPT -A FORWARD -i $NET -o $LAN -j net_to_lan
$IPT -A FORWARD -i $LAN -o $NET -j lan_to_net
$IPT -A FORWARD -i $WEB -o $DMZ -j web_to_dmz
$IPT -A FORWARD -i $DMZ -o $WEB -j dmz_to_web
$IPT -A FORWARD -i $LAN -o $DMZ -j lan_to_dmz
$IPT -A FORWARD -i $DMZ -o $LAN -j dmz_to_lan

#divido anche le connessioni in input....
$IPT -A INPUT -i $WEB -j web_to_server
$IPT -A INPUT -i $LAN -j lan_to_server
$IPT -A INPUT -i $DMZ -j dmz_to_server

#... e output
$IPT -A OUTPUT -o $WEB -j server_to_WEB
$IPT -A OUTPUT -o $DMZ -j server_to_dmz
$IPT -A OUTPUT -o $LAN -j server_to_lan

#da internet verso la LAN accetto solo le connessioni related,estabilished
$IPT -A net_to_lan -m state --state INVALID -j DROP
$IPT -A net_to_lan -m state --state RELATED,ESTABLISHED -j ACCEPT

#dalla LAN permetto di uscire
$IPT -A lan_to_net -j ACCEPT

#dalla DMZ verso internet accetto solo le connesioni related o estabilished
$IPT -A dmz_to_web -m state --state RELATED,ESTABLISHED -j ACCEPT

#accetto le connessioni verso il server web in DMZ
$IPT -A INPUT -d $IP_WEB -p tcp --dport 443 --m state --state NEW -j ACCEPT
$IPT -A web_to_dmz -d $SERVER_WEB -p tcp --dport 443 -j ACCEPT

#dalla LAN posso accedere a tutte le porte del server in DMZ
$IPT -A lan_to_dmz -j ACCEPT

#dalla dmz verso la lan accetto solamente le connessioni related ed
estabilished non ne servono altre
$IPT -A dmz_to_lan -m state --state RELATED,ESTABLISHED -j ACCEPT

#accetto le connessioni fatte dalla LAN verso il server
$IPT -A lan_to_server -j ACCEPT

#accetto solo le connessioni related o estabilished che il server fa alla LAN
$IPT -A server_to_lan -j ACCEPT
#permetto gli update del firewall
$IPT -A dmz_to_net -d $IP_WEB_UPDATE -p tcp --dport 80 -j ACCEPT
$IPT -A dmz_to_net -d $IP_FTP_UPDATE -p tcp --dport 21 -j ACCEPT
$IPT -A server_to_net -d $IP_WEB_UPDATE -p tcp --dport 80 -j ACCEPT
$IPT -A server_to_net -d $IP_FTP_UPDATE -p tcp --dport 21 -j ACCEPT
#permetto di risolvere nomi da scommentare sei bind non funziona a dovere
#$IPT -A dmz_to_net -d $IP_DNS1 -p udp --dport 53 -j ACCEPT
#$IPT -A dmz_to_net -d $IP_DNS2 -p udp --dport 53 -j ACCPET
#se il tipo di connessione non e' fra quelli permessi, lo loggo
$IPT -A server_to_net -j LOG --log-prefix dmz_to_net:

#permetto al firewall che riceva le risposte
$IPT -A net_to_server -m state --state RELATED,ESTABLISHED -j ACCEPT

#loggo i tentativi del server in dmz di accedere al firewall
$IPT -A dmz_to_server -j LOG --log-prefix dmz_to_server:

#tunnel vari
$IPT -A INPUT -i $NET -m state --state NEW,ESTABLISHED,RELATED \
-p tcp --dport 7200 -j ACCEPT
$IPT -A INPUT -i $NET -m state --state NEW,ESTABLISHED,RELATED \
-p tcp --dport 7298 -j ACCEPT
$IPT -A INPUT -i $NET -m state --state NEW,ESTABLISHED,RELATED \
-p tcp --dport 7299 -j ACCEPT
$IPT -A INPUT -i $NET -m state --state NEW,ESTABLISHED,RELATED \
-p udp --dport 7207 -j ACCEPT
$IPT -A INPUT -i $NET -m state --state NEW,ESTABLISHED,RELATED \
-p tcp --dport 7300 -j ACCEPT
$IPT -t nat -A PREROUTING -p tcp -i $NET -d $NET_IP --dport 775 -j DNAT --to-destination 192.168.2.10:775
$IPT -t nat -A PREROUTING -p tcp -i $NET -d $NET_IP --dport 7200 -j DNAT --to-destination 192.168.2.10:7200
$IPT -t nat -A PREROUTING -p tcp -i $NET -d $NET_IP --dport 7200 -j DNAT --to-destination 192.168.2.3:7200
$IPT -t nat -A PREROUTING -p tcp -i $NET -d $NET_IP --dport 7298 -j DNAT --to-destination 192.168.2.10:7298
$IPT -t nat -A PREROUTING -p tcp -i $NET -d $NET_IP --dport 7299 -j DNAT --to-destination 192.168.2.10:7299
$IPT -t nat -A PREROUTING -p tcp -i $NET -d $NET_IP --dport 7207 -j DNAT --to-destination 192.168.2.254:7207
$IPT -t nat -A PREROUTING -p tcp -i $NET -d $NET_IP --dport 7300 -j DNAT --to-destination 192.168.2.254:7300
$IPT -A FORWARD -i $NET -p tcp --dport 775 -o $LAN -j ACCEPT
$IPT -A FORWARD -i $NET -p tcp --dport 7200 -o $LAN -j ACCEPT
$IPT -A FORWARD -i $NET -p tcp --dport 7298 -o $LAN -j ACCEPT
$IPT -A FORWARD -i $NET -p tcp --dport 7299 -o $LAN -j ACCEPT
$IPT -A FORWARD -i $NET -p udp --dport 7207 -o $LAN -j ACCEPT
$IPT -A FORWARD -i $NET -p tcp --dport 7300 -o $LAN -j ACCEPT
## fine tunnel
#unauthorized lan
$IPT -I INPUT -s 10.0.0.0/8 -j DROP
$IPT -I INPUT -s 172.16.0.0/12 -j DROP
$IPT -I INPUT -s 192.168.0.0/16 -j DROP
$IPT -I INPUT -s 127.0.0.0/8 -j DROP
$IPT -I INPUT -s 224.0.0.0/4 -j DROP

$IPT -I FORWARD -s 10.0.0.0/8 -j DROP
$IPT -I FORWARD -s 172.16.0.0/12 -j DROP
$IPT -I FORWARD -s 192.168.0.0/16 -j DROP
$IPT -I FORWARD -s 127.0.0.0/8 -j DROP
$IPT -I FORWARD -s 224.0.0.0/4 -j DROP

## stop netbios logging
$IPT -I INPUT -p tcp --dport 135:139 -j DROP
$IPT -I INPUT -p udp --dport 135:139 -j DROP
$IPT -I INPUT -p tcp --dport 445 -j DROP
# icmp
echo " applying icmp rules"
echo ""
$IPT -A OUTPUT -p icmp -m state --state NEW -j ACCEPT
$IPT -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type echo-request -i $NET -j DROP

# apply icmp type match blocking
echo " applying icmp type match blocking"
echo ""
$IPT -I INPUT -p icmp --icmp-type redirect -j DROP
$IPT -I INPUT -p icmp --icmp-type router-advertisement -j DROP
$IPT -I INPUT -p icmp --icmp-type router-solicitation -j DROP
$IPT -I INPUT -p icmp --icmp-type address-mask-request -j DROP
$IPT -I INPUT -p icmp --icmp-type address-mask-reply -j DROP
# squid
echo " applying squid rules"
echo ""
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.82 -j ACCEPT
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.100 -j ACCEPT
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.200 -j ACCEPT
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.210 -j ACCEPT
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.239 -j ACCEPT
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.240 -j ACCEPT
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.251 -j ACCEPT
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.252 -j ACCEPT
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.253 -j ACCEPT
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.254 -j ACCEPT
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.1 -j ACCEPT
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.2 -j ACCEPT
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.3 -j ACCEPT
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.4 -j ACCEPT
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.5 -j ACCEPT
### accept for dummy
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.15 -j ACCEPT
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.245 -j ACCEPT
## non dovrebbe servire visto che c'e' autenticazione ntlm ma la metto lo stesso.
$IPT -t nat -A PREROUTING -i $LAN -p tcp --dport 80 -j REDIRECT --to-port 3128
## le stampanti di rete parlano troppo cio' e' male
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.33 --dport 110 -j DROP
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.32 --dport 110 -j DROP
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.34 --dport 110 -j DROP
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.35 --dport 110 -j DROP
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.38 --dport 110 -j DROP
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.31 --dport 110 -j DROP
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.30 --dport 110 -j DROP
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.37 --dport 110 -j DROP
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.39 --dport 110 -j DROP

$IPT -A FORWARD -i $NET -p tcp --dport 7300 -o $LAN -j ACCEPT
#$IPT -I INPUT -p tcp --dport 21 -i $NET -m state --state NEW -m recent --set
#$IPT -I INPUT -p tcp --dport 21 -i $NET -m state --state NEW -m recent --update --seconds 600 --hitcount 3 -j DROP

$IPT -A FORWARD -i $NET -p tcp --dport 21 -j ACCEPT


$IPT -A FORWARD -s $CASA -i $NET -p tcp --dport 5900 -j ACCEPT
$IPT -t nat -A PREROUTING -s $CASA -i $NET -p tcp -d $NET_IP --dport 5900 -j DNAT --to-destination 192.168.2.254:5900
$IPT -t nat -A PREROUTING -s 0/0 -i $NET -p tcp -d $NET_IP --dport 21 -j DNAT --to-destination 192.168.2.251:21
## ultravnc per clienti
# $IPT -I INPUT -p tcp -s 0/0 -i $NET
$IPT -A FORWARD -s 0/0 -i $NET -p tcp --dport 5500 -j ACCEPT
$IPT -t nat -A PREROUTING -s 0/0 -i $NET -p tcp -d $NET_IP --dport 5500 -j DNAT --to-destination 192.168.2.152:5500
## ultravnc per portatile in ditta
$IPT -A FORWARD -s 0/0 -i $NET -p tcp --dport 5570 -j ACCEPT
$IPT -t nat -A PREROUTING -s 0/0 -i $NET -p tcp -d $NET_IP --dport 5570 -j DNAT --to-destination 192.168.2.70:5570
# logging
echo " applying logging rules"
echo ""
$IPT -A INPUT -i $NET -p tcp -m limit --limit 1/s --dport 0:65535 -j LOG --log-prefix "tcp connection: "
$IPT -A INPUT -i $NET -p udp -m limit --limit 1/s --dport 0:65535 -j LOG --log-prefix "udp connection: "

# drop all other packets
echo " applying default drop policies"
echo ""
# required from psad
$IPT -A INPUT -j LOG
$IPT -A FORWARD -j LOG
# end of psad require
$IPT -A INPUT -i $NET -p tcp --dport 0:65535 -j DROP
$IPT -A POSTROUTING -t nat -o $NET -j MASQUERADE

# This is a batch of Red Hat Linux-specific commands
# that enable a user to call the script with a start/stop/restart
# argument.
# This is a batch of Red Hat Linux-specific commands
# that enable a user to call the script with a start/stop/restart
# argument.
if [ X"$REDHAT" = X"YES" ]; then
. /etc/rc.d/init.d/functions
case "$1" in
stop)
action "Shutting down firewall:" echo
$IPT -F
$IPT -P FORWARD DROP
exit 0
;;
status)
echo "The status command is not supported for iptables"
exit 0
;;
restart|reload)
$0 stop
exec $0 start
;;
start)
action "Starting Firewall:" echo
;;
*)

echo "Usage: firewall (start|stop|restart)"
exit 1
esac
fi
echo "Alessandra sei la mia vita"

[HexDEF6]

Quote:

Originariamente inviato da jtclark

e' commentato un po alla mia maniera mezzo italiano mezzo inglese ma ho tolto le parolacce


#!/bin/bash

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
#
#
# set a few variables
echo "Welcome in ale336"
echo "Alessandra sei la mia vita"
echo " setting global variables"
echo ""
export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
REDHAT=NO ##set yes if run under redhat machine
IPT="`whereis -b iptables | cut -d \" \" -f 2`"

NET="eth0"
WEB=eth0:0
LAN="eth1"
PROXY="eth1:0"
DMZ="eth3"
LO="lo"
CASA=bla.bla.bla.bla

IP_NET=`ifconfig $NET | grep inet| cut -f2 -d:| cut -f1 -d" "`
IP_WEB=`ifconfig $WEB | grep inet| cut -f2 -d:| cut -f1 -d" "`
IP_LAN=`ifconfig $LAN | grep inet| cut -f2 -d:| cut -f1 -d" "`
IP_DMZ=`ifconfig $DMZ | grep inet| cut -f2 -d:| cut -f1 -d" "`
IP_PROXY=`ifconfig $PROXY | grep inet| cut -f2 -d:| cut -f1 -d" "`
IP_LO="127.0.0.1"
RANGE_IP_LAN="192.168.2.0/24"
RANGE_IP_DMZ="192.168.200.0/24"
SERVER_WEB="192.168.200.2"
CLUSTER="192.168.2.10"
IP_WEB_UPDATE=security.debian.org
FTP_WEB_UPDATE=ftp.debian.org

# adjust /proc
echo " applying general security settings to /proc filesystem"
echo ""
if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then echo 1 > /proc/sys/net/ipv4/tcp_syncookies; fi
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter; fi
if [ -e /proc/sys/net/ipv4/ip_forward ]; then echo 1 > /proc/sys/net/ipv4/ip_forward; fi
if [ -e /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ]; then echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses; fi
if [ -e /proc/sys/net/ipv4/conf/all/accept_source_route ]; then echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route; fi
if [ -e /proc/sys/net/ipv4/tcp_ecn ]; then echo 0 > /proc/sys/net/ipv4/tcp_ecn; fi
if [ -e /proc/sys/net/ipv4/conf/all/send_redirects ]; then echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects; fi
if [ -e /proc/sys/net/ipv4/conf/all/secure_redirects ]; then echo 1 > /proc/sys/net/ipv4/conf/all/secure_redirects; fi
if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]; then echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts; fi
if [ -e /proc/sys/net/ipv4/conf/all/accept_redirects ]; then echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects; fi
if [ -e /proc/sys/net/ipv4/netfilter/ip_ct_generic_timeout ]; then echo 120 > /proc/sys/net/ipv4/netfilter/ip_ct_generic_timeout; fi
if [ -f /proc/sys/net/ipv4/conf/eth0/log_martians ]; then echo 1 > /proc/sys/net/ipv4/conf/eth0/log_martians; fi
if [ -f /proc/sys/net/ipv4/conf/eth1/log_martians ]; then echo 0 > /proc/sys/net/ipv4/conf/eth1/log_martians; fi
if [ -f /proc/sys/net/ipv4/tcp_timestamps ]; then echo 1 > /proc/sys/net/ipv4/tcp_timestamps; fi


#pulisco tutto
$IPT -F
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD
$IPT -F -t mangle
$IPT -F -t nat
$IPT -X

#imposto il comportamento di default
$IPT -t nat POSTROUTING -P ACCEPT
$IPT -t nat PREROUTING -P ACCEPT
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP



#creo dei chan nuovi per tipo di connessione
$IPT -N net_to_lan
$IPT -N lan_to_net
$IPT -N web_to_dmz
$IPT -N dmz_to_web
$IPT -N lan_to_dmz
$IPT -N dmz_to_lan
$IPT -N server_to_web
$IPT -N web_to_server
$IPT -N lan_to_server
$IPT -N server_to_lan
$IPT -N dmz_to_server
$IPT -N server_to_dmz

#accetto in input sull'interfaccia LO tutto quello che arriva da se stessa
$IPT -A INPUT -p ALL -i $LO -s $IP_LO -j ACCEPT

$IPT -A OUTPUT -p ALL -o $LO -d $IP_LO -j ACCEPT


#rispondo ai ping (non fondamentale, ma a volte e' comodo)
$IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

#redirigo le chiamate fatte sulla porta 443 al server in DMZ
$IPT -t nat -A PREROUTING -i $WEB -d $IP_WEB -p tcp --dport 443 -j DNAT --to
$SERVER_WEB
#idem per il dns ci metto un bind per fare i giochini

se non sbaglio iptable non capisce eth0:X ma solo le interfacce fisiche...
quindi devi usare solo l'ip per suddividere

Quote:

Originariamente inviato da jtclark

$IPT -t nat -A PREROUTING -i $WEB -d $IP_WEB -p udp --dport 53 -j DNAT --to
$SERVER_WEB

#faccio snat dei computer in LAN altrimenti non escono e si sentono le urla
$IPT -t nat -A POSTROUTING -o $NET -s $RANGE_IP_LAN -j SNAT --to-source
$IP_NET

#divido le connessioni (FORWARD) in base alla provenienza/destinazione

qui dividi le connessioni.... e poi non le usi dappertutto!

Quote:

Originariamente inviato da jtclark

$IPT -A FORWARD -i $NET -o $LAN -j net_to_lan
$IPT -A FORWARD -i $LAN -o $NET -j lan_to_net
$IPT -A FORWARD -i $WEB -o $DMZ -j web_to_dmz
$IPT -A FORWARD -i $DMZ -o $WEB -j dmz_to_web
$IPT -A FORWARD -i $LAN -o $DMZ -j lan_to_dmz
$IPT -A FORWARD -i $DMZ -o $LAN -j dmz_to_lan

#divido anche le connessioni in input....
$IPT -A INPUT -i $WEB -j web_to_server
$IPT -A INPUT -i $LAN -j lan_to_server
$IPT -A INPUT -i $DMZ -j dmz_to_server

#... e output
$IPT -A OUTPUT -o $WEB -j server_to_WEB
$IPT -A OUTPUT -o $DMZ -j server_to_dmz
$IPT -A OUTPUT -o $LAN -j server_to_lan

#da internet verso la LAN accetto solo le connessioni related,estabilished
$IPT -A net_to_lan -m state --state INVALID -j DROP
$IPT -A net_to_lan -m state --state RELATED,ESTABLISHED -j ACCEPT

#dalla LAN permetto di uscire
$IPT -A lan_to_net -j ACCEPT

#dalla DMZ verso internet accetto solo le connesioni related o estabilished
$IPT -A dmz_to_web -m state --state RELATED,ESTABLISHED -j ACCEPT

#accetto le connessioni verso il server web in DMZ
$IPT -A INPUT -d $IP_WEB -p tcp --dport 443 --m state --state NEW -j ACCEPT
$IPT -A web_to_dmz -d $SERVER_WEB -p tcp --dport 443 -j ACCEPT

#dalla LAN posso accedere a tutte le porte del server in DMZ
$IPT -A lan_to_dmz -j ACCEPT

#dalla dmz verso la lan accetto solamente le connessioni related ed
estabilished non ne servono altre
$IPT -A dmz_to_lan -m state --state RELATED,ESTABLISHED -j ACCEPT

#accetto le connessioni fatte dalla LAN verso il server
$IPT -A lan_to_server -j ACCEPT

#accetto solo le connessioni related o estabilished che il server fa alla LAN
$IPT -A server_to_lan -j ACCEPT
#permetto gli update del firewall
$IPT -A dmz_to_net -d $IP_WEB_UPDATE -p tcp --dport 80 -j ACCEPT
$IPT -A dmz_to_net -d $IP_FTP_UPDATE -p tcp --dport 21 -j ACCEPT
$IPT -A server_to_net -d $IP_WEB_UPDATE -p tcp --dport 80 -j ACCEPT
$IPT -A server_to_net -d $IP_FTP_UPDATE -p tcp --dport 21 -j ACCEPT
#permetto di risolvere nomi da scommentare sei bind non funziona a dovere
#$IPT -A dmz_to_net -d $IP_DNS1 -p udp --dport 53 -j ACCEPT
#$IPT -A dmz_to_net -d $IP_DNS2 -p udp --dport 53 -j ACCPET
#se il tipo di connessione non e' fra quelli permessi, lo loggo
$IPT -A server_to_net -j LOG --log-prefix dmz_to_net:

#permetto al firewall che riceva le risposte
$IPT -A net_to_server -m state --state RELATED,ESTABLISHED -j ACCEPT

#loggo i tentativi del server in dmz di accedere al firewall
$IPT -A dmz_to_server -j LOG --log-prefix dmz_to_server:

#tunnel vari
$IPT -A INPUT -i $NET -m state --state NEW,ESTABLISHED,RELATED \
-p tcp --dport 7200 -j ACCEPT
$IPT -A INPUT -i $NET -m state --state NEW,ESTABLISHED,RELATED \
-p tcp --dport 7298 -j ACCEPT
$IPT -A INPUT -i $NET -m state --state NEW,ESTABLISHED,RELATED \
-p tcp --dport 7299 -j ACCEPT
$IPT -A INPUT -i $NET -m state --state NEW,ESTABLISHED,RELATED \
-p udp --dport 7207 -j ACCEPT
$IPT -A INPUT -i $NET -m state --state NEW,ESTABLISHED,RELATED \
-p tcp --dport 7300 -j ACCEPT
$IPT -t nat -A PREROUTING -p tcp -i $NET -d $NET_IP --dport 775 -j DNAT --to-destination 192.168.2.10:775
$IPT -t nat -A PREROUTING -p tcp -i $NET -d $NET_IP --dport 7200 -j DNAT --to-destination 192.168.2.10:7200
$IPT -t nat -A PREROUTING -p tcp -i $NET -d $NET_IP --dport 7200 -j DNAT --to-destination 192.168.2.3:7200
$IPT -t nat -A PREROUTING -p tcp -i $NET -d $NET_IP --dport 7298 -j DNAT --to-destination 192.168.2.10:7298
$IPT -t nat -A PREROUTING -p tcp -i $NET -d $NET_IP --dport 7299 -j DNAT --to-destination 192.168.2.10:7299
$IPT -t nat -A PREROUTING -p tcp -i $NET -d $NET_IP --dport 7207 -j DNAT --to-destination 192.168.2.254:7207
$IPT -t nat -A PREROUTING -p tcp -i $NET -d $NET_IP --dport 7300 -j DNAT --to-destination 192.168.2.254:7300
$IPT -A FORWARD -i $NET -p tcp --dport 775 -o $LAN -j ACCEPT
$IPT -A FORWARD -i $NET -p tcp --dport 7200 -o $LAN -j ACCEPT
$IPT -A FORWARD -i $NET -p tcp --dport 7298 -o $LAN -j ACCEPT
$IPT -A FORWARD -i $NET -p tcp --dport 7299 -o $LAN -j ACCEPT
$IPT -A FORWARD -i $NET -p udp --dport 7207 -o $LAN -j ACCEPT
$IPT -A FORWARD -i $NET -p tcp --dport 7300 -o $LAN -j ACCEPT
## fine tunnel
#unauthorized lan

le seguenti sono un po inutili... di default droppi tutto sull'input e forward

Quote:

Originariamente inviato da jtclark

$IPT -I INPUT -s 10.0.0.0/8 -j DROP
$IPT -I INPUT -s 172.16.0.0/12 -j DROP
$IPT -I INPUT -s 192.168.0.0/16 -j DROP
$IPT -I INPUT -s 127.0.0.0/8 -j DROP
$IPT -I INPUT -s 224.0.0.0/4 -j DROP

$IPT -I FORWARD -s 10.0.0.0/8 -j DROP
$IPT -I FORWARD -s 172.16.0.0/12 -j DROP
$IPT -I FORWARD -s 192.168.0.0/16 -j DROP
$IPT -I FORWARD -s 127.0.0.0/8 -j DROP
$IPT -I FORWARD -s 224.0.0.0/4 -j DROP

## stop netbios logging
$IPT -I INPUT -p tcp --dport 135:139 -j DROP
$IPT -I INPUT -p udp --dport 135:139 -j DROP
$IPT -I INPUT -p tcp --dport 445 -j DROP
# icmp
echo " applying icmp rules"
echo ""

qui non ricordo... ma su icmp, ci sono le NEW o le ESTABLISHED?

Quote:

Originariamente inviato da jtclark

$IPT -A OUTPUT -p icmp -m state --state NEW -j ACCEPT
$IPT -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type echo-request -i $NET -j DROP

# apply icmp type match blocking
echo " applying icmp type match blocking"
echo ""
$IPT -I INPUT -p icmp --icmp-type redirect -j DROP
$IPT -I INPUT -p icmp --icmp-type router-advertisement -j DROP
$IPT -I INPUT -p icmp --icmp-type router-solicitation -j DROP
$IPT -I INPUT -p icmp --icmp-type address-mask-request -j DROP
$IPT -I INPUT -p icmp --icmp-type address-mask-reply -j DROP
# squid
echo " applying squid rules"
echo ""

di solito si sconsiglia di droppare/accettare in prerouting

Quote:

Originariamente inviato da jtclark

$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.82 -j ACCEPT
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.100 -j ACCEPT
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.200 -j ACCEPT
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.210 -j ACCEPT
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.239 -j ACCEPT
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.240 -j ACCEPT
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.251 -j ACCEPT
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.252 -j ACCEPT
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.253 -j ACCEPT
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.254 -j ACCEPT
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.1 -j ACCEPT
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.2 -j ACCEPT
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.3 -j ACCEPT
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.4 -j ACCEPT
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.5 -j ACCEPT
### accept for dummy
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.15 -j ACCEPT
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.245 -j ACCEPT
## non dovrebbe servire visto che c'e' autenticazione ntlm ma la metto lo stesso.
$IPT -t nat -A PREROUTING -i $LAN -p tcp --dport 80 -j REDIRECT --to-port 3128
## le stampanti di rete parlano troppo cio' e' male
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.33 --dport 110 -j DROP
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.32 --dport 110 -j DROP
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.34 --dport 110 -j DROP
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.35 --dport 110 -j DROP
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.38 --dport 110 -j DROP
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.31 --dport 110 -j DROP
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.30 --dport 110 -j DROP
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.37 --dport 110 -j DROP
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.39 --dport 110 -j DROP

$IPT -A FORWARD -i $NET -p tcp --dport 7300 -o $LAN -j ACCEPT
#$IPT -I INPUT -p tcp --dport 21 -i $NET -m state --state NEW -m recent --set
#$IPT -I INPUT -p tcp --dport 21 -i $NET -m state --state NEW -m recent --update --seconds 600 --hitcount 3 -j DROP

$IPT -A FORWARD -i $NET -p tcp --dport 21 -j ACCEPT


$IPT -A FORWARD -s $CASA -i $NET -p tcp --dport 5900 -j ACCEPT
$IPT -t nat -A PREROUTING -s $CASA -i $NET -p tcp -d $NET_IP --dport 5900 -j DNAT --to-destination 192.168.2.254:5900
$IPT -t nat -A PREROUTING -s 0/0 -i $NET -p tcp -d $NET_IP --dport 21 -j DNAT --to-destination 192.168.2.251:21
## ultravnc per clienti
# $IPT -I INPUT -p tcp -s 0/0 -i $NET
$IPT -A FORWARD -s 0/0 -i $NET -p tcp --dport 5500 -j ACCEPT
$IPT -t nat -A PREROUTING -s 0/0 -i $NET -p tcp -d $NET_IP --dport 5500 -j DNAT --to-destination 192.168.2.152:5500
## ultravnc per portatile in ditta
$IPT -A FORWARD -s 0/0 -i $NET -p tcp --dport 5570 -j ACCEPT
$IPT -t nat -A PREROUTING -s 0/0 -i $NET -p tcp -d $NET_IP --dport 5570 -j DNAT --to-destination 192.168.2.70:5570
# logging
echo " applying logging rules"
echo ""
$IPT -A INPUT -i $NET -p tcp -m limit --limit 1/s --dport 0:65535 -j LOG --log-prefix "tcp connection: "
$IPT -A INPUT -i $NET -p udp -m limit --limit 1/s --dport 0:65535 -j LOG --log-prefix "udp connection: "

# drop all other packets
echo " applying default drop policies"
echo ""
# required from psad
$IPT -A INPUT -j LOG
$IPT -A FORWARD -j LOG
# end of psad require
$IPT -A INPUT -i $NET -p tcp --dport 0:65535 -j DROP
$IPT -A POSTROUTING -t nat -o $NET -j MASQUERADE

# This is a batch of Red Hat Linux-specific commands
# that enable a user to call the script with a start/stop/restart
# argument.
# This is a batch of Red Hat Linux-specific commands
# that enable a user to call the script with a start/stop/restart
# argument.
if [ X"$REDHAT" = X"YES" ]; then
. /etc/rc.d/init.d/functions
case "$1" in
stop)
action "Shutting down firewall:" echo
$IPT -F
$IPT -P FORWARD DROP
exit 0
;;
status)
echo "The status command is not supported for iptables"
exit 0
;;
restart|reload)
$0 stop
exec $0 start
;;
start)
action "Starting Firewall:" echo
;;
*)

echo "Usage: firewall (start|stop|restart)"
exit 1
esac
fi
echo "Alessandra sei la mia vita"

se riesci a ripostare il tutto in un [code] si riesce a leggere meglio!

[jtclark]

Quote:

Originariamente inviato da HexDEF6

se non sbaglio iptable non capisce eth0:X ma solo le interfacce fisiche...
quindi devi usare solo l'ip per suddividere

ni nel senso che da quello che ho letto su linuxquestion.org all'url http://www.linuxquestions.org/questi...rfaces-201220/
in effetti non supporta l'ipaliasing pero' se setti un aliasing lui riconosce il traffico come proveniente dall'interfaccia fisica e poi giochi con gli ip



qui dividi le connessioni.... e poi non le usi dappertutto!

sicuramente ho scordato qualcosa ci guardo ancora subito
le seguenti sono un po inutili... di default droppi tutto sull'input e forward

ok

qui non ricordo... ma su icmp, ci sono le NEW o le ESTABLISHED?

qui:
http://www.kalamazoolinux.org/presen...conntrack.html
dice che ci sono entrambe

di solito si sconsiglia di droppare/accettare in prerouting
perche'?
e se non accetto/droppo che azioni mi sono consentite?

se riesci a ripostare il tutto in un [code] si riesce a leggere meglio!

scusa ma non capisco cosa significhi [code]
Grazie mi lle per la cortesia nel rispondere

[HexDEF6]

Quote:

Originariamente inviato da jtclark

scusa ma non capisco cosa significhi [code]
Grazie mi lle per la cortesia nel rispondere

e' il tastino # nel reply... in questa maniera quello che scrivi non sballa la formattazione (fondamentale per leggere meglio uno script!):

Codice:

questo testo
   non sballa la formattazione
      ciao!

[jtclark]

Quote:

Originariamente inviato da HexDEF6

e' il tastino # nel reply... in questa maniera quello che scrivi non sballa la formattazione (fondamentale per leggere meglio uno script!):

Codice:

questo testo
   non sballa la formattazione
      ciao!

vediamo se ho capito cosa intendevi sulle catene e sul code

Codice:

 
#!/bin/bash

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
#
#
# set a few variables
echo "Welcome in ale336"
echo "Alessandra sei la mia vita"
echo "  setting global variables"
echo ""
export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
REDHAT=NO   ##set yes if run under redhat machine
IPT="`whereis -b iptables | cut -d \" \" -f 2`"

NET="eth0"
WEB=eth0:0
LAN="eth1"
PROXY="eth1:0"
DMZ="eth3"
LO="lo"
CASA=bla.bla.bla.bla

IP_NET=`ifconfig $NET | grep inet| cut -f2 -d:| cut -f1 -d" "`
IP_WEB=`ifconfig $WEB | grep inet| cut -f2 -d:| cut -f1 -d" "`
IP_LAN=`ifconfig $LAN | grep inet| cut -f2 -d:| cut -f1 -d" "`
IP_DMZ=`ifconfig $DMZ | grep inet| cut -f2 -d:| cut -f1 -d" "`
IP_PROXY=`ifconfig $PROXY | grep inet| cut -f2 -d:| cut -f1 -d" "`
IP_LO="127.0.0.1"
RANGE_IP_LAN="192.168.2.0/24"
RANGE_IP_DMZ="192.168.200.0/24"
SERVER_WEB="192.168.200.2"
CLUSTER="192.168.2.10"
IP_WEB_UPDATE=security.debian.org
FTP_WEB_UPDATE=ftp.debian.org

# adjust /proc
echo "  applying general security settings to /proc filesystem"
echo ""
if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then echo 1 > /proc/sys/net/ipv4/tcp_syncookies; fi
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter; fi
if [ -e /proc/sys/net/ipv4/ip_forward ]; then echo 1 > /proc/sys/net/ipv4/ip_forward; fi
if [ -e /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ]; then echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses; fi
if [ -e /proc/sys/net/ipv4/conf/all/accept_source_route ]; then echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route; fi
if [ -e /proc/sys/net/ipv4/tcp_ecn ]; then echo 0  >  /proc/sys/net/ipv4/tcp_ecn; fi
if [ -e /proc/sys/net/ipv4/conf/all/send_redirects ]; then echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects; fi
if [ -e /proc/sys/net/ipv4/conf/all/secure_redirects ]; then echo 1 > /proc/sys/net/ipv4/conf/all/secure_redirects; fi
if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]; then echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts; fi
if [ -e /proc/sys/net/ipv4/conf/all/accept_redirects ]; then echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects; fi
if [ -e /proc/sys/net/ipv4/netfilter/ip_ct_generic_timeout ]; then echo 120 > /proc/sys/net/ipv4/netfilter/ip_ct_generic_timeout; fi
if [ -f /proc/sys/net/ipv4/conf/eth0/log_martians ]; then echo 1 > /proc/sys/net/ipv4/conf/eth0/log_martians; fi
if [ -f /proc/sys/net/ipv4/conf/eth1/log_martians ]; then echo 0 > /proc/sys/net/ipv4/conf/eth1/log_martians; fi
if [ -f /proc/sys/net/ipv4/tcp_timestamps ]; then echo 1 > /proc/sys/net/ipv4/tcp_timestamps; fi


#pulisco tutto
$IPT -F
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD
$IPT -F -t mangle
$IPT -F -t nat
$IPT -X

#imposto il comportamento di default
$IPT -t nat POSTROUTING -P ACCEPT
$IPT -t nat PREROUTING -P ACCEPT
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP



#creo dei chan nuovi per  tipo di connessione 
$IPT -N net_to_lan
$IPT -N lan_to_net
$IPT -N web_to_dmz
$IPT -N dmz_to_web
$IPT -N lan_to_dmz
$IPT -N dmz_to_lan
$IPT -N server_to_web
$IPT -N web_to_server
$IPT -N lan_to_server
$IPT -N server_to_lan
$IPT -N dmz_to_server
$IPT -N server_to_dmz

#accetto in input sull'interfaccia LO tutto quello che arriva da se stessa
$IPT -A INPUT -p ALL -i $LO -s $IP_LO -j ACCEPT

$IPT -A OUTPUT -p ALL -o $LO -d $IP_LO -j ACCEPT


#rispondo ai ping (non fondamentale, ma a volte e' comodo)
$IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

#redirigo le chiamate fatte sulla porta 443 al server in DMZ
$IPT -t nat -A PREROUTING -i $WEB -d $IP_WEB -p tcp --dport 443 -j DNAT --to
$SERVER_WEB
#idem per il dns ci metto un bind per fare i giochini
$IPT -t nat -A PREROUTING -i $WEB -d $IP_WEB -p udp --dport 53 -j DNAT --to
$SERVER_WEB

#faccio snat dei computer in LAN altrimenti non escono e si sentono le urla
$IPT -t nat -A POSTROUTING -o $NET -s $RANGE_IP_LAN -j SNAT --to-source
$IP_NET

#divido le connessioni (FORWARD) in base alla provenienza/destinazione
$IPT -A FORWARD -i $NET -o $LAN -j net_to_lan
$IPT -A FORWARD -i $LAN -o $NET -j lan_to_net
$IPT -A FORWARD -i $WEB -o $DMZ -j web_to_dmz
$IPT -A FORWARD -i $DMZ -o $WEB -j dmz_to_web
$IPT -A FORWARD -i $LAN -o $DMZ -j lan_to_dmz
$IPT -A FORWARD -i $DMZ -o $LAN -j dmz_to_lan

#divido anche le connessioni in input....
$IPT -A INPUT -i $WEB -j web_to_server
$IPT -A INPUT -i $LAN -j lan_to_server
$IPT -A INPUT -i $DMZ -j dmz_to_server
$IPT -A INPUT -i $NET -j net_to_lan

#... e output
$IPT -A OUTPUT -o $WEB -j server_to_WEB
$IPT -A OUTPUT -o $DMZ -j server_to_dmz
$IPT -A OUTPUT -o $LAN -j server_to_lan

#da internet verso la LAN accetto solo le connessioni related,estabilished
$IPT -A net_to_lan -m state --state INVALID -j DROP
$IPT -A net_to_lan -m state --state RELATED,ESTABLISHED -j ACCEPT

#dalla LAN permetto di uscire
$IPT -A lan_to_net -j ACCEPT

#dalla DMZ verso internet accetto solo le connesioni related o estabilished
$IPT -A dmz_to_web -m state --state RELATED,ESTABLISHED -j ACCEPT

#accetto le connessioni verso il server web in DMZ
$IPT -A INPUT -d $IP_WEB -p tcp --dport 443 --m state --state NEW -j ACCEPT
$IPT -A web_to_dmz -d $SERVER_WEB -p tcp --dport 443 -j ACCEPT

#dalla LAN posso accedere a tutte le porte del server in DMZ 
$IPT -A lan_to_dmz -j ACCEPT

#dalla dmz verso la lan accetto solamente le connessioni related ed
estabilished non ne servono altre
$IPT -A dmz_to_lan -m state --state RELATED,ESTABLISHED -j ACCEPT

#accetto le connessioni fatte dalla LAN verso il server
$IPT -A lan_to_server -j ACCEPT

#accetto solo le connessioni related o estabilished che il server fa alla LAN
$IPT -A server_to_lan -j ACCEPT
#permetto gli update del firewall
$IPT -A dmz_to_net -d $IP_WEB_UPDATE -p tcp --dport 80 -j ACCEPT
$IPT -A dmz_to_net -d $IP_FTP_UPDATE -p tcp --dport 21 -j ACCEPT
$IPT -A server_to_net -d $IP_WEB_UPDATE -p tcp --dport 80 -j ACCEPT
$IPT -A server_to_net -d $IP_FTP_UPDATE -p tcp --dport 21 -j ACCEPT
#permetto di risolvere nomi da scommentare sei bind non funziona a dovere
#$IPT -A dmz_to_net -d $IP_DNS1 -p udp --dport 53 -j ACCEPT
#$IPT -A dmz_to_net -d $IP_DNS2 -p udp --dport 53 -j ACCPET
#se il tipo di connessione non e' fra quelli permessi, lo loggo
$IPT -A server_to_net -j LOG --log-prefix dmz_to_net:

#permetto al firewall che riceva le risposte
$IPT -A net_to_server -m state --state RELATED,ESTABLISHED -j ACCEPT

#loggo i tentativi del server in dmz di accedere al firewall
$IPT -A dmz_to_server -j LOG --log-prefix dmz_to_server:

#tunnel vari 
$IPT -A net_to_lan -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 775 -j ACCEPT
$IPT -A net_to_lan -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 7200 -j ACCEPT
$IPT -A net_to_lan -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 7298 -j ACCEPT
$IPT -A net_to_lan -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 7299 -j ACCEPT
$IPT -A net_to_lan -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 7207 -j ACCEPT
$IPT -A net_to_lan -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 7300 -j ACCEPT
$IPT -t nat -A PREROUTING -p tcp -i $NET -d $NET_IP --dport 775 -j DNAT --to-destination 192.168.2.10:775
$IPT -t nat -A PREROUTING -p tcp -i $NET -d $NET_IP --dport 7200 -j DNAT --to-destination 192.168.2.10:7200
$IPT -t nat -A PREROUTING -p tcp -i $NET -d $NET_IP --dport 7200 -j DNAT --to-destination 192.168.2.3:7200
$IPT -t nat -A PREROUTING -p tcp -i $NET -d $NET_IP --dport 7298 -j DNAT --to-destination 192.168.2.10:7298
$IPT -t nat -A PREROUTING -p tcp -i $NET -d $NET_IP --dport 7299 -j DNAT --to-destination 192.168.2.10:7299
$IPT -t nat -A PREROUTING -p tcp -i $NET -d $NET_IP --dport 7207 -j DNAT --to-destination 192.168.2.254:7207
$IPT -t nat -A PREROUTING -p tcp -i $NET -d $NET_IP --dport 7300 -j DNAT --to-destination 192.168.2.254:7300

$IPT -A net_to_lan -i $NET -p tcp --dport 775 -o $LAN -j ACCEPT
$IPT -A net_to_lan -i $NET -p tcp --dport 7200 -o $LAN -j ACCEPT
$IPT -A net_to_lan -i $NET -p tcp --dport 7298 -o $LAN -j ACCEPT
$IPT -A net_to_lan -i $NET -p tcp --dport 7299 -o $LAN -j ACCEPT
$IPT -A net_to_lan -i $NET -p udp --dport 7207 -o $LAN -j ACCEPT
$IPT -A net_to_lan -i $NET -p tcp --dport 7300 -o $LAN -j ACCEPT
## fine tunnel

# icmp
echo "  applying icmp rules"
echo ""
$IPT -A OUTPUT -p icmp -m state --state NEW -j ACCEPT
$IPT -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type echo-request -i $NET -j DROP

# apply icmp type match blocking
echo "  applying icmp type match blocking"
echo ""
$IPT -I INPUT -p icmp --icmp-type redirect -j DROP
$IPT -I INPUT -p icmp --icmp-type router-advertisement -j DROP
$IPT -I INPUT -p icmp --icmp-type router-solicitation -j DROP
$IPT -I INPUT -p icmp --icmp-type address-mask-request -j DROP
$IPT -I INPUT -p icmp --icmp-type address-mask-reply -j DROP
# squid
echo "  applying squid rules"
echo ""
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.82 -j ACCEPT
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.100 -j ACCEPT
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.200 -j ACCEPT
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.210 -j ACCEPT
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.239 -j ACCEPT
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.240 -j ACCEPT
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.251 -j ACCEPT
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.252 -j ACCEPT
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.253 -j ACCEPT
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.254 -j ACCEPT
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.1 -j ACCEPT
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.2 -j ACCEPT
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.3 -j ACCEPT
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.4 -j ACCEPT
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.5 -j ACCEPT
### accept for dummy
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.15 -j ACCEPT
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.245 -j ACCEPT
## non dovrebbe servire visto che c'e' autenticazione ntlm ma la metto lo stesso.
$IPT -t nat -A PREROUTING -i $LAN -p tcp --dport 80 -j REDIRECT --to-port 3128
## le stampanti di rete parlano troppo cio' e' male
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.33 --dport 110 -j DROP
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.32 --dport 110 -j DROP
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.34 --dport 110 -j DROP
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.35 --dport 110 -j DROP
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.38 --dport 110 -j DROP
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.31 --dport 110 -j DROP
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.30 --dport 110 -j DROP
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.37 --dport 110 -j DROP
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.39 --dport 110 -j DROP

$IPT -A net_to_lan -i $NET -p tcp --dport 7300 -o $LAN -j ACCEPT
#$IPT -I INPUT -p tcp --dport 21 -i $NET -m state --state NEW -m recent --set
#$IPT -I INPUT -p tcp --dport 21 -i $NET -m state --state NEW -m recent --update --seconds 600 --hitcount 3 -j DROP

$IPT -A FORWARD -i $NET -p tcp --dport 21 -j ACCEPT


$IPT -A FORWARD -s $CASA -i $NET -p tcp --dport 5900 -j ACCEPT
$IPT -t nat -A PREROUTING -s $CASA -i $NET -p tcp -d $NET_IP --dport 5900 -j DNAT --to-destination 192.168.2.254:5900
$IPT -t nat -A PREROUTING -s 0/0 -i $NET -p tcp -d $NET_IP --dport 21 -j DNAT --to-destination 192.168.2.251:21
## ultravnc per clienti
# $IPT -I INPUT -p tcp -s 0/0 -i $NET
$IPT -A FORWARD -s 0/0 -i $NET -p tcp --dport 5500 -j ACCEPT
$IPT -t nat -A PREROUTING -s 0/0 -i  $NET -p tcp -d $NET_IP --dport 5500 -j DNAT --to-destination 192.168.2.152:5500
## ultravnc per portatile in ditta
$IPT -A FORWARD -s 0/0 -i $NET -p tcp --dport 5570 -j ACCEPT
$IPT -t nat -A PREROUTING -s 0/0 -i  $NET -p tcp -d $NET_IP --dport 5570 -j DNAT --to-destination 192.168.2.70:5570
# logging
echo "  applying logging rules"
echo ""
$IPT -A INPUT -i $NET -p tcp -m limit --limit 1/s --dport 0:65535 -j LOG --log-prefix "tcp connection: "
$IPT -A INPUT -i $NET -p udp -m limit --limit 1/s --dport 0:65535 -j LOG --log-prefix "udp connection: "

# drop all other packets
echo "  applying default drop policies"
echo ""
# required from psad
$IPT -A INPUT  -j LOG
$IPT -A FORWARD -j LOG
# end of psad require
$IPT -A INPUT -i $NET -p tcp --dport 0:65535 -j DROP
$IPT -A POSTROUTING -t nat -o $NET -j MASQUERADE

# This is a batch of Red Hat Linux-specific commands
# that enable a user to call the script with a start/stop/restart
# argument.
# This is a batch of Red Hat Linux-specific commands
# that enable a user to call the script with a start/stop/restart
# argument.
if [ X"$REDHAT" = X"YES" ]; then
        . /etc/rc.d/init.d/functions
        case "$1" in
                stop)
                        action "Shutting down firewall:" echo
                        $IPT -F
                        $IPT -P FORWARD DROP
                        exit 0
                        ;;
                                                                                                status)
                        echo "The status command is not supported for iptables"
                        exit 0
                        ;;
                restart|reload)
                        $0 stop
                        exec $0 start
                        ;;
                start)
                        action "Starting Firewall:" echo
                        ;;
                *)

                        echo "Usage: firewall (start|stop|restart)"
                        exit 1
        esac
fi
echo "Alessandra sei la mia vita"

[jeremy.83]

Scusate l'interferenza, posso chiedere ai mod che questa guida e le atre in firma di HexDEF6 finiscano in sticky o perlomeno nell'apposita sezione?

Lo chiedo perchè sto realizzando un server e mi farebbe comodo avere sott'occhio queste ottime guide, senza dover inseguire ogni volta l'utente nei meandri della ricerca di hwupgrade.

Grazie infinite

[darkbasic]

Effettivamente questa ottima guida non ha avuto la visibilità che meritava.

[HexDEF6]

scusate... ma sono un po incasinato... comunque per me nessun problema a spostare la guida dove volete... magari quando avro' tempo (ormai questa sta' diventando una battuta, visto che non ho mai tempo!) sistemo un po di errori e amplio un attimino magari introducento il mark dei pacchetti e un uso base di iproute (che ho usato per gestire il traffico di 2 adsl dallo stesso server )...

[jeremy.83]

Ho segnalato il 3d ai moderatori per richiedere che sia messo nelle doc ufficiali. Intanto uppo