Parere su iptables

garide · 04-12-2003, 14:17

Salve a tutti è un periodo che mi sto documentando su iptable e dopo vari tentativi e scopiazzamenti vari sono riuscito a ottenere mi sembra un buon firewall.
voi che ne ditè:

# Internal and External Devices
dev_world=eth0
dev_int=eth1

# Firewall IP
addr_int=192.168.0.254

# Internal Net
net_int=192.168.0.0/24

# Transito pacchetti
echo 0 > /proc/sys/net/ipv4/ip_forward

## Blocca Ping
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

## Abilitiamo syn cookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

## Disibilito ecn
echo 0 > /proc/sys/net/ipv4/tcp_ecn

## Ignora ICMP
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

### Non accetta pacchetti ICMP di route redirection
#echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

#################################################################
# Cancella tuttO
iptables -F
iptables -F -t nat
iptables -X
iptables -Z
#################################################################
#
iptables -N BLOCK
iptables -N EXT-INT
iptables -N INT-EXT
iptables -N ICMP-DENY
iptables -N INT-IF
iptables -N EXT-IF

#################################################################

iptables -A BLOCK -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A BLOCK -m state --state NEW -i ! $dev_world -j ACCEPT
iptables -A BLOCK -j DROP

iptables -A INPUT -j BLOCK
iptables -A FORWARD -j BLOCK

#################################################################
#
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $dev_int -s $net_int -j INT-IF
iptables -A INPUT -d ! $addr_int -i $dev_world -s ! $net_int -j EXT-IF
iptables -A INPUT -j DROP

iptables -A FORWARD -d ! $net_int -i $dev_world -s $net_int -j INT-EXT
iptables -A FORWARD -d $net_int -i $dev_int -s ! $net_int -j EXT-INT
iptables -A FORWARD -j DROP

iptables -A OUTPUT -j ACCEPT

#################################################################
#
iptables -A EXT-INT -j DROP

iptables -A EXT-IF -i ! $dev_world -j DROP
iptables -A EXT-IF -p tcp --dport 22 -j ACCEPT
iptables -A EXT-IF -j DROP

iptables -A INT-IF -j ACCEPT

################################################################
# NAT
# Standard
iptables -A POSTROUTING -t nat -o $dev_world -j MASQUERADE -s $net_int

################################################################
#
# Redirezione delle porte per eMule sul client windows
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 4662 -j DNAT --to 192.168.0.244:4665

iptables -t nat -A PREROUTING -i eth1 -p udp --dport 4672 -j DNAT --to 192.168.0.244:4675
################################################################
#
echo 1 > /proc/sys/net/ipv4/ip_forward

The X · 05-12-2003, 15:34

Usi x caso 1 router ?

Perchè se così non fosse non capisco come mai usi la eth0 come device d uscita verso internet....

04-12-2003, 14:17	#1
garide Member Iscritto dal: Dec 1999 Messaggi: 86	Parere su iptables Salve a tutti è un periodo che mi sto documentando su iptable e dopo vari tentativi e scopiazzamenti vari sono riuscito a ottenere mi sembra un buon firewall. voi che ne ditè: # Internal and External Devices dev_world=eth0 dev_int=eth1 # Firewall IP addr_int=192.168.0.254 # Internal Net net_int=192.168.0.0/24 # Transito pacchetti echo 0 > /proc/sys/net/ipv4/ip_forward ## Blocca Ping echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ## Abilitiamo syn cookies echo 1 > /proc/sys/net/ipv4/tcp_syncookies ## Disibilito ecn echo 0 > /proc/sys/net/ipv4/tcp_ecn ## Ignora ICMP echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ### Non accetta pacchetti ICMP di route redirection #echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects ################################################################# # Cancella tuttO iptables -F iptables -F -t nat iptables -X iptables -Z ################################################################# # iptables -N BLOCK iptables -N EXT-INT iptables -N INT-EXT iptables -N ICMP-DENY iptables -N INT-IF iptables -N EXT-IF ################################################################# iptables -A BLOCK -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A BLOCK -m state --state NEW -i ! $dev_world -j ACCEPT iptables -A BLOCK -j DROP iptables -A INPUT -j BLOCK iptables -A FORWARD -j BLOCK ################################################################# # iptables -A INPUT -i lo -j ACCEPT iptables -A INPUT -i $dev_int -s $net_int -j INT-IF iptables -A INPUT -d ! $addr_int -i $dev_world -s ! $net_int -j EXT-IF iptables -A INPUT -j DROP iptables -A FORWARD -d ! $net_int -i $dev_world -s $net_int -j INT-EXT iptables -A FORWARD -d $net_int -i $dev_int -s ! $net_int -j EXT-INT iptables -A FORWARD -j DROP iptables -A OUTPUT -j ACCEPT ################################################################# # iptables -A EXT-INT -j DROP iptables -A EXT-IF -i ! $dev_world -j DROP iptables -A EXT-IF -p tcp --dport 22 -j ACCEPT iptables -A EXT-IF -j DROP iptables -A INT-IF -j ACCEPT ################################################################ # NAT # Standard iptables -A POSTROUTING -t nat -o $dev_world -j MASQUERADE -s $net_int ################################################################ # # Redirezione delle porte per eMule sul client windows iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 4662 -j DNAT --to 192.168.0.244:4665 iptables -t nat -A PREROUTING -i eth1 -p udp --dport 4672 -j DNAT --to 192.168.0.244:4675 ################################################################ # echo 1 > /proc/sys/net/ipv4/ip_forward

05-12-2003, 15:34	#2
The X Senior Member Iscritto dal: Apr 2003 Città: Rimini Messaggi: 3970	Usi x caso 1 router ? Perchè se così non fosse non capisco come mai usi la eth0 come device d uscita verso internet.... __________________ Powered by Apple Macbook Pro Retina

Strumenti
Mostra una versione stampabile Invia questa pagina per email