|
|||||||
|
|
|
 |
|
|
Strumenti |
15-07-2009, 09:26
|
#21 | |
|
Junior Member
Iscritto dal: Jul 2009
Messaggi: 6
|
Quote:
#!/bin/bash PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin # # # set a few variables echo "Welcome in ale336" echo "Alessandra sei la mia vita" echo " setting global variables" echo "" export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin REDHAT=NO ##set yes if run under redhat machine IPT="`whereis -b iptables | cut -d \" \" -f 2`" NET="eth0" WEB=eth0:0 LAN="eth1" PROXY="eth1:0" DMZ="eth3" LO="lo" CASA=bla.bla.bla.bla IP_NET=`ifconfig $NET | grep inet| cut -f2 -d:| cut -f1 -d" "` IP_WEB=`ifconfig $WEB | grep inet| cut -f2 -d:| cut -f1 -d" "` IP_LAN=`ifconfig $LAN | grep inet| cut -f2 -d:| cut -f1 -d" "` IP_DMZ=`ifconfig $DMZ | grep inet| cut -f2 -d:| cut -f1 -d" "` IP_PROXY=`ifconfig $PROXY | grep inet| cut -f2 -d:| cut -f1 -d" "` IP_LO="127.0.0.1" RANGE_IP_LAN="192.168.2.0/24" RANGE_IP_DMZ="192.168.200.0/24" SERVER_WEB="192.168.200.2" CLUSTER="192.168.2.10" IP_WEB_UPDATE=security.debian.org FTP_WEB_UPDATE=ftp.debian.org # adjust /proc echo " applying general security settings to /proc filesystem" echo "" if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then echo 1 > /proc/sys/net/ipv4/tcp_syncookies; fi if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter; fi if [ -e /proc/sys/net/ipv4/ip_forward ]; then echo 1 > /proc/sys/net/ipv4/ip_forward; fi if [ -e /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ]; then echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses; fi if [ -e /proc/sys/net/ipv4/conf/all/accept_source_route ]; then echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route; fi if [ -e /proc/sys/net/ipv4/tcp_ecn ]; then echo 0 > /proc/sys/net/ipv4/tcp_ecn; fi if [ -e /proc/sys/net/ipv4/conf/all/send_redirects ]; then echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects; fi if [ -e /proc/sys/net/ipv4/conf/all/secure_redirects ]; then echo 1 > /proc/sys/net/ipv4/conf/all/secure_redirects; fi if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]; then echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts; fi if [ -e /proc/sys/net/ipv4/conf/all/accept_redirects ]; then echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects; fi if [ -e /proc/sys/net/ipv4/netfilter/ip_ct_generic_timeout ]; then echo 120 > /proc/sys/net/ipv4/netfilter/ip_ct_generic_timeout; fi if [ -f /proc/sys/net/ipv4/conf/eth0/log_martians ]; then echo 1 > /proc/sys/net/ipv4/conf/eth0/log_martians; fi if [ -f /proc/sys/net/ipv4/conf/eth1/log_martians ]; then echo 0 > /proc/sys/net/ipv4/conf/eth1/log_martians; fi if [ -f /proc/sys/net/ipv4/tcp_timestamps ]; then echo 1 > /proc/sys/net/ipv4/tcp_timestamps; fi #pulisco tutto $IPT -F $IPT -F INPUT $IPT -F OUTPUT $IPT -F FORWARD $IPT -F -t mangle $IPT -F -t nat $IPT -X #imposto il comportamento di default $IPT -t nat POSTROUTING -P ACCEPT $IPT -t nat PREROUTING -P ACCEPT $IPT -P INPUT DROP $IPT -P OUTPUT DROP $IPT -P FORWARD DROP #creo dei chan nuovi per tipo di connessione $IPT -N net_to_lan $IPT -N lan_to_net $IPT -N web_to_dmz $IPT -N dmz_to_web $IPT -N lan_to_dmz $IPT -N dmz_to_lan $IPT -N server_to_web $IPT -N web_to_server $IPT -N lan_to_server $IPT -N server_to_lan $IPT -N dmz_to_server $IPT -N server_to_dmz #accetto in input sull'interfaccia LO tutto quello che arriva da se stessa $IPT -A INPUT -p ALL -i $LO -s $IP_LO -j ACCEPT $IPT -A OUTPUT -p ALL -o $LO -d $IP_LO -j ACCEPT #rispondo ai ping (non fondamentale, ma a volte e' comodo) $IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT #redirigo le chiamate fatte sulla porta 443 al server in DMZ $IPT -t nat -A PREROUTING -i $WEB -d $IP_WEB -p tcp --dport 443 -j DNAT --to $SERVER_WEB #idem per il dns ci metto un bind per fare i giochini $IPT -t nat -A PREROUTING -i $WEB -d $IP_WEB -p udp --dport 53 -j DNAT --to $SERVER_WEB #faccio snat dei computer in LAN altrimenti non escono e si sentono le urla $IPT -t nat -A POSTROUTING -o $NET -s $RANGE_IP_LAN -j SNAT --to-source $IP_NET #divido le connessioni (FORWARD) in base alla provenienza/destinazione $IPT -A FORWARD -i $NET -o $LAN -j net_to_lan $IPT -A FORWARD -i $LAN -o $NET -j lan_to_net $IPT -A FORWARD -i $WEB -o $DMZ -j web_to_dmz $IPT -A FORWARD -i $DMZ -o $WEB -j dmz_to_web $IPT -A FORWARD -i $LAN -o $DMZ -j lan_to_dmz $IPT -A FORWARD -i $DMZ -o $LAN -j dmz_to_lan #divido anche le connessioni in input.... $IPT -A INPUT -i $WEB -j web_to_server $IPT -A INPUT -i $LAN -j lan_to_server $IPT -A INPUT -i $DMZ -j dmz_to_server #... e output $IPT -A OUTPUT -o $WEB -j server_to_WEB $IPT -A OUTPUT -o $DMZ -j server_to_dmz $IPT -A OUTPUT -o $LAN -j server_to_lan #da internet verso la LAN accetto solo le connessioni related,estabilished $IPT -A net_to_lan -m state --state INVALID -j DROP $IPT -A net_to_lan -m state --state RELATED,ESTABLISHED -j ACCEPT #dalla LAN permetto di uscire $IPT -A lan_to_net -j ACCEPT #dalla DMZ verso internet accetto solo le connesioni related o estabilished $IPT -A dmz_to_web -m state --state RELATED,ESTABLISHED -j ACCEPT #accetto le connessioni verso il server web in DMZ $IPT -A INPUT -d $IP_WEB -p tcp --dport 443 --m state --state NEW -j ACCEPT $IPT -A web_to_dmz -d $SERVER_WEB -p tcp --dport 443 -j ACCEPT #dalla LAN posso accedere a tutte le porte del server in DMZ $IPT -A lan_to_dmz -j ACCEPT #dalla dmz verso la lan accetto solamente le connessioni related ed estabilished non ne servono altre $IPT -A dmz_to_lan -m state --state RELATED,ESTABLISHED -j ACCEPT #accetto le connessioni fatte dalla LAN verso il server $IPT -A lan_to_server -j ACCEPT #accetto solo le connessioni related o estabilished che il server fa alla LAN $IPT -A server_to_lan -j ACCEPT #permetto gli update del firewall $IPT -A dmz_to_net -d $IP_WEB_UPDATE -p tcp --dport 80 -j ACCEPT $IPT -A dmz_to_net -d $IP_FTP_UPDATE -p tcp --dport 21 -j ACCEPT $IPT -A server_to_net -d $IP_WEB_UPDATE -p tcp --dport 80 -j ACCEPT $IPT -A server_to_net -d $IP_FTP_UPDATE -p tcp --dport 21 -j ACCEPT #permetto di risolvere nomi da scommentare sei bind non funziona a dovere #$IPT -A dmz_to_net -d $IP_DNS1 -p udp --dport 53 -j ACCEPT #$IPT -A dmz_to_net -d $IP_DNS2 -p udp --dport 53 -j ACCPET #se il tipo di connessione non e' fra quelli permessi, lo loggo $IPT -A server_to_net -j LOG --log-prefix dmz_to_net: #permetto al firewall che riceva le risposte $IPT -A net_to_server -m state --state RELATED,ESTABLISHED -j ACCEPT #loggo i tentativi del server in dmz di accedere al firewall $IPT -A dmz_to_server -j LOG --log-prefix dmz_to_server: #tunnel vari $IPT -A INPUT -i $NET -m state --state NEW,ESTABLISHED,RELATED \ -p tcp --dport 7200 -j ACCEPT $IPT -A INPUT -i $NET -m state --state NEW,ESTABLISHED,RELATED \ -p tcp --dport 7298 -j ACCEPT $IPT -A INPUT -i $NET -m state --state NEW,ESTABLISHED,RELATED \ -p tcp --dport 7299 -j ACCEPT $IPT -A INPUT -i $NET -m state --state NEW,ESTABLISHED,RELATED \ -p udp --dport 7207 -j ACCEPT $IPT -A INPUT -i $NET -m state --state NEW,ESTABLISHED,RELATED \ -p tcp --dport 7300 -j ACCEPT $IPT -t nat -A PREROUTING -p tcp -i $NET -d $NET_IP --dport 775 -j DNAT --to-destination 192.168.2.10:775 $IPT -t nat -A PREROUTING -p tcp -i $NET -d $NET_IP --dport 7200 -j DNAT --to-destination 192.168.2.10:7200 $IPT -t nat -A PREROUTING -p tcp -i $NET -d $NET_IP --dport 7200 -j DNAT --to-destination 192.168.2.3:7200 $IPT -t nat -A PREROUTING -p tcp -i $NET -d $NET_IP --dport 7298 -j DNAT --to-destination 192.168.2.10:7298 $IPT -t nat -A PREROUTING -p tcp -i $NET -d $NET_IP --dport 7299 -j DNAT --to-destination 192.168.2.10:7299 $IPT -t nat -A PREROUTING -p tcp -i $NET -d $NET_IP --dport 7207 -j DNAT --to-destination 192.168.2.254:7207 $IPT -t nat -A PREROUTING -p tcp -i $NET -d $NET_IP --dport 7300 -j DNAT --to-destination 192.168.2.254:7300 $IPT -A FORWARD -i $NET -p tcp --dport 775 -o $LAN -j ACCEPT $IPT -A FORWARD -i $NET -p tcp --dport 7200 -o $LAN -j ACCEPT $IPT -A FORWARD -i $NET -p tcp --dport 7298 -o $LAN -j ACCEPT $IPT -A FORWARD -i $NET -p tcp --dport 7299 -o $LAN -j ACCEPT $IPT -A FORWARD -i $NET -p udp --dport 7207 -o $LAN -j ACCEPT $IPT -A FORWARD -i $NET -p tcp --dport 7300 -o $LAN -j ACCEPT ## fine tunnel #unauthorized lan $IPT -I INPUT -s 10.0.0.0/8 -j DROP $IPT -I INPUT -s 172.16.0.0/12 -j DROP $IPT -I INPUT -s 192.168.0.0/16 -j DROP $IPT -I INPUT -s 127.0.0.0/8 -j DROP $IPT -I INPUT -s 224.0.0.0/4 -j DROP $IPT -I FORWARD -s 10.0.0.0/8 -j DROP $IPT -I FORWARD -s 172.16.0.0/12 -j DROP $IPT -I FORWARD -s 192.168.0.0/16 -j DROP $IPT -I FORWARD -s 127.0.0.0/8 -j DROP $IPT -I FORWARD -s 224.0.0.0/4 -j DROP ## stop netbios logging $IPT -I INPUT -p tcp --dport 135:139 -j DROP $IPT -I INPUT -p udp --dport 135:139 -j DROP $IPT -I INPUT -p tcp --dport 445 -j DROP # icmp echo " applying icmp rules" echo "" $IPT -A OUTPUT -p icmp -m state --state NEW -j ACCEPT $IPT -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT $IPT -A INPUT -p icmp --icmp-type echo-request -i $NET -j DROP # apply icmp type match blocking echo " applying icmp type match blocking" echo "" $IPT -I INPUT -p icmp --icmp-type redirect -j DROP $IPT -I INPUT -p icmp --icmp-type router-advertisement -j DROP $IPT -I INPUT -p icmp --icmp-type router-solicitation -j DROP $IPT -I INPUT -p icmp --icmp-type address-mask-request -j DROP $IPT -I INPUT -p icmp --icmp-type address-mask-reply -j DROP # squid echo " applying squid rules" echo "" $IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.82 -j ACCEPT $IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.100 -j ACCEPT $IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.200 -j ACCEPT $IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.210 -j ACCEPT $IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.239 -j ACCEPT $IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.240 -j ACCEPT $IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.251 -j ACCEPT $IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.252 -j ACCEPT $IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.253 -j ACCEPT $IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.254 -j ACCEPT $IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.1 -j ACCEPT $IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.2 -j ACCEPT $IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.3 -j ACCEPT $IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.4 -j ACCEPT $IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.5 -j ACCEPT ### accept for dummy $IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.15 -j ACCEPT $IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.245 -j ACCEPT ## non dovrebbe servire visto che c'e' autenticazione ntlm ma la metto lo stesso. $IPT -t nat -A PREROUTING -i $LAN -p tcp --dport 80 -j REDIRECT --to-port 3128 ## le stampanti di rete parlano troppo cio' e' male $IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.33 --dport 110 -j DROP $IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.32 --dport 110 -j DROP $IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.34 --dport 110 -j DROP $IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.35 --dport 110 -j DROP $IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.38 --dport 110 -j DROP $IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.31 --dport 110 -j DROP $IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.30 --dport 110 -j DROP $IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.37 --dport 110 -j DROP $IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.39 --dport 110 -j DROP $IPT -A FORWARD -i $NET -p tcp --dport 7300 -o $LAN -j ACCEPT #$IPT -I INPUT -p tcp --dport 21 -i $NET -m state --state NEW -m recent --set #$IPT -I INPUT -p tcp --dport 21 -i $NET -m state --state NEW -m recent --update --seconds 600 --hitcount 3 -j DROP $IPT -A FORWARD -i $NET -p tcp --dport 21 -j ACCEPT $IPT -A FORWARD -s $CASA -i $NET -p tcp --dport 5900 -j ACCEPT $IPT -t nat -A PREROUTING -s $CASA -i $NET -p tcp -d $NET_IP --dport 5900 -j DNAT --to-destination 192.168.2.254:5900 $IPT -t nat -A PREROUTING -s 0/0 -i $NET -p tcp -d $NET_IP --dport 21 -j DNAT --to-destination 192.168.2.251:21 ## ultravnc per clienti # $IPT -I INPUT -p tcp -s 0/0 -i $NET $IPT -A FORWARD -s 0/0 -i $NET -p tcp --dport 5500 -j ACCEPT $IPT -t nat -A PREROUTING -s 0/0 -i $NET -p tcp -d $NET_IP --dport 5500 -j DNAT --to-destination 192.168.2.152:5500 ## ultravnc per portatile in ditta $IPT -A FORWARD -s 0/0 -i $NET -p tcp --dport 5570 -j ACCEPT $IPT -t nat -A PREROUTING -s 0/0 -i $NET -p tcp -d $NET_IP --dport 5570 -j DNAT --to-destination 192.168.2.70:5570 # logging echo " applying logging rules" echo "" $IPT -A INPUT -i $NET -p tcp -m limit --limit 1/s --dport 0:65535 -j LOG --log-prefix "tcp connection: " $IPT -A INPUT -i $NET -p udp -m limit --limit 1/s --dport 0:65535 -j LOG --log-prefix "udp connection: " # drop all other packets echo " applying default drop policies" echo "" # required from psad $IPT -A INPUT -j LOG $IPT -A FORWARD -j LOG # end of psad require $IPT -A INPUT -i $NET -p tcp --dport 0:65535 -j DROP $IPT -A POSTROUTING -t nat -o $NET -j MASQUERADE # This is a batch of Red Hat Linux-specific commands # that enable a user to call the script with a start/stop/restart # argument. # This is a batch of Red Hat Linux-specific commands # that enable a user to call the script with a start/stop/restart # argument. if [ X"$REDHAT" = X"YES" ]; then . /etc/rc.d/init.d/functions case "$1" in stop) action "Shutting down firewall:" echo $IPT -F $IPT -P FORWARD DROP exit 0 ;; status) echo "The status command is not supported for iptables" exit 0 ;; restart|reload) $0 stop exec $0 start ;; start) action "Starting Firewall:" echo ;; *) echo "Usage: firewall (start|stop|restart)" exit 1 esac fi echo "Alessandra sei la mia vita" Ultima modifica di jtclark : 15-07-2009 alle 09:34. Motivo: sbagliatii nomi delle intefacce |
|
|
|
|
15-07-2009, 10:13
|
#22 | ||||||
|
Senior Member
Iscritto dal: Dec 2000
Città: Trento
Messaggi: 5917
|
Quote:
quindi devi usare solo l'ip per suddividere Quote:
Quote:
Quote:
Quote:
Quote:
__________________
Linux User #272700 >+++++++++[<+++++++++>-]<+.++.>++++[<---->-]<++.+++++++. HOWTO: SSH Firewall e DMZ ɐɹdosoʇʇos oʇuǝs ıɯ |
||||||
|
|
|
|
15-07-2009, 10:39
|
#23 | |
|
Junior Member
Iscritto dal: Jul 2009
Messaggi: 6
|
Quote:
Grazie mi lle per la cortesia nel rispondere |
|
|
|
|
|
15-07-2009, 10:44
|
#24 | |
|
Senior Member
Iscritto dal: Dec 2000
Città: Trento
Messaggi: 5917
|
Quote:
Codice:
questo testo
non sballa la formattazione
ciao!
__________________
Linux User #272700 >+++++++++[<+++++++++>-]<+.++.>++++[<---->-]<++.+++++++. HOWTO: SSH Firewall e DMZ ɐɹdosoʇʇos oʇuǝs ıɯ |
|
|
|
|
|
15-07-2009, 11:48
|
#25 | |
|
Junior Member
Iscritto dal: Jul 2009
Messaggi: 6
|
Quote:
Codice:
#!/bin/bash
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
#
#
# set a few variables
echo "Welcome in ale336"
echo "Alessandra sei la mia vita"
echo " setting global variables"
echo ""
export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
REDHAT=NO ##set yes if run under redhat machine
IPT="`whereis -b iptables | cut -d \" \" -f 2`"
NET="eth0"
WEB=eth0:0
LAN="eth1"
PROXY="eth1:0"
DMZ="eth3"
LO="lo"
CASA=bla.bla.bla.bla
IP_NET=`ifconfig $NET | grep inet| cut -f2 -d:| cut -f1 -d" "`
IP_WEB=`ifconfig $WEB | grep inet| cut -f2 -d:| cut -f1 -d" "`
IP_LAN=`ifconfig $LAN | grep inet| cut -f2 -d:| cut -f1 -d" "`
IP_DMZ=`ifconfig $DMZ | grep inet| cut -f2 -d:| cut -f1 -d" "`
IP_PROXY=`ifconfig $PROXY | grep inet| cut -f2 -d:| cut -f1 -d" "`
IP_LO="127.0.0.1"
RANGE_IP_LAN="192.168.2.0/24"
RANGE_IP_DMZ="192.168.200.0/24"
SERVER_WEB="192.168.200.2"
CLUSTER="192.168.2.10"
IP_WEB_UPDATE=security.debian.org
FTP_WEB_UPDATE=ftp.debian.org
# adjust /proc
echo " applying general security settings to /proc filesystem"
echo ""
if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then echo 1 > /proc/sys/net/ipv4/tcp_syncookies; fi
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter; fi
if [ -e /proc/sys/net/ipv4/ip_forward ]; then echo 1 > /proc/sys/net/ipv4/ip_forward; fi
if [ -e /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ]; then echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses; fi
if [ -e /proc/sys/net/ipv4/conf/all/accept_source_route ]; then echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route; fi
if [ -e /proc/sys/net/ipv4/tcp_ecn ]; then echo 0 > /proc/sys/net/ipv4/tcp_ecn; fi
if [ -e /proc/sys/net/ipv4/conf/all/send_redirects ]; then echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects; fi
if [ -e /proc/sys/net/ipv4/conf/all/secure_redirects ]; then echo 1 > /proc/sys/net/ipv4/conf/all/secure_redirects; fi
if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]; then echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts; fi
if [ -e /proc/sys/net/ipv4/conf/all/accept_redirects ]; then echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects; fi
if [ -e /proc/sys/net/ipv4/netfilter/ip_ct_generic_timeout ]; then echo 120 > /proc/sys/net/ipv4/netfilter/ip_ct_generic_timeout; fi
if [ -f /proc/sys/net/ipv4/conf/eth0/log_martians ]; then echo 1 > /proc/sys/net/ipv4/conf/eth0/log_martians; fi
if [ -f /proc/sys/net/ipv4/conf/eth1/log_martians ]; then echo 0 > /proc/sys/net/ipv4/conf/eth1/log_martians; fi
if [ -f /proc/sys/net/ipv4/tcp_timestamps ]; then echo 1 > /proc/sys/net/ipv4/tcp_timestamps; fi
#pulisco tutto
$IPT -F
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD
$IPT -F -t mangle
$IPT -F -t nat
$IPT -X
#imposto il comportamento di default
$IPT -t nat POSTROUTING -P ACCEPT
$IPT -t nat PREROUTING -P ACCEPT
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
#creo dei chan nuovi per tipo di connessione
$IPT -N net_to_lan
$IPT -N lan_to_net
$IPT -N web_to_dmz
$IPT -N dmz_to_web
$IPT -N lan_to_dmz
$IPT -N dmz_to_lan
$IPT -N server_to_web
$IPT -N web_to_server
$IPT -N lan_to_server
$IPT -N server_to_lan
$IPT -N dmz_to_server
$IPT -N server_to_dmz
#accetto in input sull'interfaccia LO tutto quello che arriva da se stessa
$IPT -A INPUT -p ALL -i $LO -s $IP_LO -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LO -d $IP_LO -j ACCEPT
#rispondo ai ping (non fondamentale, ma a volte e' comodo)
$IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
#redirigo le chiamate fatte sulla porta 443 al server in DMZ
$IPT -t nat -A PREROUTING -i $WEB -d $IP_WEB -p tcp --dport 443 -j DNAT --to
$SERVER_WEB
#idem per il dns ci metto un bind per fare i giochini
$IPT -t nat -A PREROUTING -i $WEB -d $IP_WEB -p udp --dport 53 -j DNAT --to
$SERVER_WEB
#faccio snat dei computer in LAN altrimenti non escono e si sentono le urla
$IPT -t nat -A POSTROUTING -o $NET -s $RANGE_IP_LAN -j SNAT --to-source
$IP_NET
#divido le connessioni (FORWARD) in base alla provenienza/destinazione
$IPT -A FORWARD -i $NET -o $LAN -j net_to_lan
$IPT -A FORWARD -i $LAN -o $NET -j lan_to_net
$IPT -A FORWARD -i $WEB -o $DMZ -j web_to_dmz
$IPT -A FORWARD -i $DMZ -o $WEB -j dmz_to_web
$IPT -A FORWARD -i $LAN -o $DMZ -j lan_to_dmz
$IPT -A FORWARD -i $DMZ -o $LAN -j dmz_to_lan
#divido anche le connessioni in input....
$IPT -A INPUT -i $WEB -j web_to_server
$IPT -A INPUT -i $LAN -j lan_to_server
$IPT -A INPUT -i $DMZ -j dmz_to_server
$IPT -A INPUT -i $NET -j net_to_lan
#... e output
$IPT -A OUTPUT -o $WEB -j server_to_WEB
$IPT -A OUTPUT -o $DMZ -j server_to_dmz
$IPT -A OUTPUT -o $LAN -j server_to_lan
#da internet verso la LAN accetto solo le connessioni related,estabilished
$IPT -A net_to_lan -m state --state INVALID -j DROP
$IPT -A net_to_lan -m state --state RELATED,ESTABLISHED -j ACCEPT
#dalla LAN permetto di uscire
$IPT -A lan_to_net -j ACCEPT
#dalla DMZ verso internet accetto solo le connesioni related o estabilished
$IPT -A dmz_to_web -m state --state RELATED,ESTABLISHED -j ACCEPT
#accetto le connessioni verso il server web in DMZ
$IPT -A INPUT -d $IP_WEB -p tcp --dport 443 --m state --state NEW -j ACCEPT
$IPT -A web_to_dmz -d $SERVER_WEB -p tcp --dport 443 -j ACCEPT
#dalla LAN posso accedere a tutte le porte del server in DMZ
$IPT -A lan_to_dmz -j ACCEPT
#dalla dmz verso la lan accetto solamente le connessioni related ed
estabilished non ne servono altre
$IPT -A dmz_to_lan -m state --state RELATED,ESTABLISHED -j ACCEPT
#accetto le connessioni fatte dalla LAN verso il server
$IPT -A lan_to_server -j ACCEPT
#accetto solo le connessioni related o estabilished che il server fa alla LAN
$IPT -A server_to_lan -j ACCEPT
#permetto gli update del firewall
$IPT -A dmz_to_net -d $IP_WEB_UPDATE -p tcp --dport 80 -j ACCEPT
$IPT -A dmz_to_net -d $IP_FTP_UPDATE -p tcp --dport 21 -j ACCEPT
$IPT -A server_to_net -d $IP_WEB_UPDATE -p tcp --dport 80 -j ACCEPT
$IPT -A server_to_net -d $IP_FTP_UPDATE -p tcp --dport 21 -j ACCEPT
#permetto di risolvere nomi da scommentare sei bind non funziona a dovere
#$IPT -A dmz_to_net -d $IP_DNS1 -p udp --dport 53 -j ACCEPT
#$IPT -A dmz_to_net -d $IP_DNS2 -p udp --dport 53 -j ACCPET
#se il tipo di connessione non e' fra quelli permessi, lo loggo
$IPT -A server_to_net -j LOG --log-prefix dmz_to_net:
#permetto al firewall che riceva le risposte
$IPT -A net_to_server -m state --state RELATED,ESTABLISHED -j ACCEPT
#loggo i tentativi del server in dmz di accedere al firewall
$IPT -A dmz_to_server -j LOG --log-prefix dmz_to_server:
#tunnel vari
$IPT -A net_to_lan -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 775 -j ACCEPT
$IPT -A net_to_lan -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 7200 -j ACCEPT
$IPT -A net_to_lan -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 7298 -j ACCEPT
$IPT -A net_to_lan -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 7299 -j ACCEPT
$IPT -A net_to_lan -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 7207 -j ACCEPT
$IPT -A net_to_lan -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 7300 -j ACCEPT
$IPT -t nat -A PREROUTING -p tcp -i $NET -d $NET_IP --dport 775 -j DNAT --to-destination 192.168.2.10:775
$IPT -t nat -A PREROUTING -p tcp -i $NET -d $NET_IP --dport 7200 -j DNAT --to-destination 192.168.2.10:7200
$IPT -t nat -A PREROUTING -p tcp -i $NET -d $NET_IP --dport 7200 -j DNAT --to-destination 192.168.2.3:7200
$IPT -t nat -A PREROUTING -p tcp -i $NET -d $NET_IP --dport 7298 -j DNAT --to-destination 192.168.2.10:7298
$IPT -t nat -A PREROUTING -p tcp -i $NET -d $NET_IP --dport 7299 -j DNAT --to-destination 192.168.2.10:7299
$IPT -t nat -A PREROUTING -p tcp -i $NET -d $NET_IP --dport 7207 -j DNAT --to-destination 192.168.2.254:7207
$IPT -t nat -A PREROUTING -p tcp -i $NET -d $NET_IP --dport 7300 -j DNAT --to-destination 192.168.2.254:7300
$IPT -A net_to_lan -i $NET -p tcp --dport 775 -o $LAN -j ACCEPT
$IPT -A net_to_lan -i $NET -p tcp --dport 7200 -o $LAN -j ACCEPT
$IPT -A net_to_lan -i $NET -p tcp --dport 7298 -o $LAN -j ACCEPT
$IPT -A net_to_lan -i $NET -p tcp --dport 7299 -o $LAN -j ACCEPT
$IPT -A net_to_lan -i $NET -p udp --dport 7207 -o $LAN -j ACCEPT
$IPT -A net_to_lan -i $NET -p tcp --dport 7300 -o $LAN -j ACCEPT
## fine tunnel
# icmp
echo " applying icmp rules"
echo ""
$IPT -A OUTPUT -p icmp -m state --state NEW -j ACCEPT
$IPT -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type echo-request -i $NET -j DROP
# apply icmp type match blocking
echo " applying icmp type match blocking"
echo ""
$IPT -I INPUT -p icmp --icmp-type redirect -j DROP
$IPT -I INPUT -p icmp --icmp-type router-advertisement -j DROP
$IPT -I INPUT -p icmp --icmp-type router-solicitation -j DROP
$IPT -I INPUT -p icmp --icmp-type address-mask-request -j DROP
$IPT -I INPUT -p icmp --icmp-type address-mask-reply -j DROP
# squid
echo " applying squid rules"
echo ""
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.82 -j ACCEPT
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.100 -j ACCEPT
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.200 -j ACCEPT
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.210 -j ACCEPT
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.239 -j ACCEPT
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.240 -j ACCEPT
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.251 -j ACCEPT
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.252 -j ACCEPT
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.253 -j ACCEPT
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.254 -j ACCEPT
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.1 -j ACCEPT
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.2 -j ACCEPT
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.3 -j ACCEPT
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.4 -j ACCEPT
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.5 -j ACCEPT
### accept for dummy
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.15 -j ACCEPT
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.245 -j ACCEPT
## non dovrebbe servire visto che c'e' autenticazione ntlm ma la metto lo stesso.
$IPT -t nat -A PREROUTING -i $LAN -p tcp --dport 80 -j REDIRECT --to-port 3128
## le stampanti di rete parlano troppo cio' e' male
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.33 --dport 110 -j DROP
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.32 --dport 110 -j DROP
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.34 --dport 110 -j DROP
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.35 --dport 110 -j DROP
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.38 --dport 110 -j DROP
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.31 --dport 110 -j DROP
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.30 --dport 110 -j DROP
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.37 --dport 110 -j DROP
$IPT -t nat -A PREROUTING -i $LAN -p tcp -s 192.168.2.39 --dport 110 -j DROP
$IPT -A net_to_lan -i $NET -p tcp --dport 7300 -o $LAN -j ACCEPT
#$IPT -I INPUT -p tcp --dport 21 -i $NET -m state --state NEW -m recent --set
#$IPT -I INPUT -p tcp --dport 21 -i $NET -m state --state NEW -m recent --update --seconds 600 --hitcount 3 -j DROP
$IPT -A FORWARD -i $NET -p tcp --dport 21 -j ACCEPT
$IPT -A FORWARD -s $CASA -i $NET -p tcp --dport 5900 -j ACCEPT
$IPT -t nat -A PREROUTING -s $CASA -i $NET -p tcp -d $NET_IP --dport 5900 -j DNAT --to-destination 192.168.2.254:5900
$IPT -t nat -A PREROUTING -s 0/0 -i $NET -p tcp -d $NET_IP --dport 21 -j DNAT --to-destination 192.168.2.251:21
## ultravnc per clienti
# $IPT -I INPUT -p tcp -s 0/0 -i $NET
$IPT -A FORWARD -s 0/0 -i $NET -p tcp --dport 5500 -j ACCEPT
$IPT -t nat -A PREROUTING -s 0/0 -i $NET -p tcp -d $NET_IP --dport 5500 -j DNAT --to-destination 192.168.2.152:5500
## ultravnc per portatile in ditta
$IPT -A FORWARD -s 0/0 -i $NET -p tcp --dport 5570 -j ACCEPT
$IPT -t nat -A PREROUTING -s 0/0 -i $NET -p tcp -d $NET_IP --dport 5570 -j DNAT --to-destination 192.168.2.70:5570
# logging
echo " applying logging rules"
echo ""
$IPT -A INPUT -i $NET -p tcp -m limit --limit 1/s --dport 0:65535 -j LOG --log-prefix "tcp connection: "
$IPT -A INPUT -i $NET -p udp -m limit --limit 1/s --dport 0:65535 -j LOG --log-prefix "udp connection: "
# drop all other packets
echo " applying default drop policies"
echo ""
# required from psad
$IPT -A INPUT -j LOG
$IPT -A FORWARD -j LOG
# end of psad require
$IPT -A INPUT -i $NET -p tcp --dport 0:65535 -j DROP
$IPT -A POSTROUTING -t nat -o $NET -j MASQUERADE
# This is a batch of Red Hat Linux-specific commands
# that enable a user to call the script with a start/stop/restart
# argument.
# This is a batch of Red Hat Linux-specific commands
# that enable a user to call the script with a start/stop/restart
# argument.
if [ X"$REDHAT" = X"YES" ]; then
. /etc/rc.d/init.d/functions
case "$1" in
stop)
action "Shutting down firewall:" echo
$IPT -F
$IPT -P FORWARD DROP
exit 0
;;
status)
echo "The status command is not supported for iptables"
exit 0
;;
restart|reload)
$0 stop
exec $0 start
;;
start)
action "Starting Firewall:" echo
;;
*)
echo "Usage: firewall (start|stop|restart)"
exit 1
esac
fi
echo "Alessandra sei la mia vita"
|
|
|
|
|
|
15-07-2009, 13:16
|
#26 |
|
Senior Member
Iscritto dal: May 2007
Città: DiSaronno Originale
Messaggi: 2374
|
Scusate l'interferenza, posso chiedere ai mod che questa guida e le atre in firma di HexDEF6 finiscano in sticky o perlomeno nell'apposita sezione?
Lo chiedo perchè sto realizzando un server e mi farebbe comodo avere sott'occhio queste ottime guide, senza dover inseguire ogni volta l'utente nei meandri della ricerca di hwupgrade. Grazie infinite
__________________
Dell XPS 9570 Powered by Arch Linux || Motorola One Vision Ho concluso con raffaelev, Iceworld, stebru, Dichy, AXIP, Quakeman e Swampo |
|
|
|
|
17-07-2009, 13:37
|
#27 |
|
Senior Member
Iscritto dal: Dec 2004
Messaggi: 3573
|
Effettivamente questa ottima guida non ha avuto la visibilità che meritava.
__________________
Debian amd64 | Gentoo amd64 | AMD Athlon64 3800+ X2@2701Mhz vcore 1.49V | Placing an unpatched Windows computer directly onto the Internet in the hope that it downloads the patches faster than it gets exploited are odds that you wouldn't bet on in Vegas | e-mail+jabber: darkbasic|a.t|linuxsystems|d.o.t|it | www.linuxsystems.it |
|
|
|
|
17-07-2009, 17:40
|
#28 |
|
Senior Member
Iscritto dal: Dec 2000
Città: Trento
Messaggi: 5917
|
scusate... ma sono un po incasinato... comunque per me nessun problema a spostare la guida dove volete... magari quando avro' tempo (ormai questa sta' diventando una battuta, visto che non ho mai tempo!) sistemo un po di errori e amplio un attimino magari introducento il mark dei pacchetti e un uso base di iproute (che ho usato per gestire il traffico di 2 adsl dallo stesso server )...
__________________
Linux User #272700 >+++++++++[<+++++++++>-]<+.++.>++++[<---->-]<++.+++++++. HOWTO: SSH Firewall e DMZ ɐɹdosoʇʇos oʇuǝs ıɯ |
|
|
|
|
20-07-2009, 16:38
|
#29 |
|
Senior Member
Iscritto dal: May 2007
Città: DiSaronno Originale
Messaggi: 2374
|
Ho segnalato il 3d ai moderatori per richiedere che sia messo nelle doc ufficiali. Intanto uppo
__________________
Dell XPS 9570 Powered by Arch Linux || Motorola One Vision Ho concluso con raffaelev, Iceworld, stebru, Dichy, AXIP, Quakeman e Swampo |
|
|
|
|
|
| Strumenti | |
|
|
Tutti gli orari sono GMT +1. Ora sono le: 03:29.
