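#!/bin/sh
# Firewall and NAT setup for a small gateway:
#   eth0 = external (HDSL) interface, eth1 = internal LAN (192.168.0.0/24).
# Must run as root.
#
# Ordering matters for safety: the DROP default policies are installed
# BEFORE the old rules are flushed, and IP forwarding is only switched on
# AFTER the FORWARD rules exist, so the box never forwards traffic while
# its rule set is empty. Under `set -e` a failing iptables call aborts the
# script; because the DROP policies are already in place this fails closed.
set -eu

EXT_IF=eth0
INT_IF=eth1
IP_LOCALNET=192.168.0.0/24

# Print a message on stderr and abort.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Print the first IPv4 address of interface $1, or nothing if none is found.
# Prefers iproute2 when available; otherwise parses ifconfig and copes with
# both the old "inet addr:A.B.C.D" and the newer "inet A.B.C.D" layouts
# (the old grep/cut pipeline broke on the newer layout and also matched
# the inet6 line).
get_ipv4_addr() {
  if command -v ip >/dev/null 2>&1; then
    ip -4 -o addr show dev "$1" 2>/dev/null \
      | awk '{ sub("/.*", "", $4); print $4; exit }'
  else
    ifconfig "$1" 2>/dev/null \
      | awk '/inet /{ sub("addr:", "", $2); print $2; exit }'
  fi
}

# Flush every rule and user-defined chain in the filter and nat tables.
reset_rules() {
  iptables -F
  iptables -X
  iptables -t nat -F
  iptables -t nat -X
}

# FORWARD rules. Everything is dropped by policy (outbound access goes
# through the proxy) except the two hosts below, which may leave directly.
# Replies are accepted only for connections opened from the inside
# (ESTABLISHED,RELATED): accepting NEW packets on the return path, as the
# previous version did, would let any external host reach the internal
# machine on any port simply by using 6881 or 123 as its source port.
forward_rules() {
  # 192.168.0.200: outbound tcp/6881 (the original comment calls this
  # "FTP", but the port is 6881, not 21 — confirm with the owner).
  iptables -A FORWARD -p tcp -m multiport --dports 6881 -s 192.168.0.200 \
    -i "$INT_IF" -o "$EXT_IF" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  iptables -A FORWARD -p tcp -m multiport --sports 6881 -d 192.168.0.200 \
    -i "$EXT_IF" -o "$INT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT

  # 192.168.0.76: NTP (tcp and udp port 123) towards external time servers.
  for proto in tcp udp; do
    iptables -A FORWARD -p "$proto" -m multiport --dports 123 -s 192.168.0.76 \
      -i "$INT_IF" -o "$EXT_IF" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -p "$proto" -m multiport --sports 123 -d 192.168.0.76 \
      -i "$EXT_IF" -o "$INT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
  done
}

# INPUT rules: trust the LAN and loopback; on the external side accept only
# replies to connections this host opened. The DROP policy already rejects
# echo requests from the HDSL side; the explicit rule is kept so the
# counters show how many are arriving.
input_rules() {
  iptables -A INPUT -i "$INT_IF" -j ACCEPT
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A INPUT -i "$EXT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A INPUT -i "$EXT_IF" -p icmp -m icmp --icmp-type 8 -j DROP
}

# NAT: masquerade everything leaving through the external interface.
nat_rules() {
  iptables -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE
}

main() {
  # The address is only reported, never used in a rule, so a lookup
  # failure is a warning rather than a reason to leave the firewall unset.
  IP_ADDR=$(get_ipv4_addr "$EXT_IF")
  [ -n "$IP_ADDR" ] || printf 'warning: no IPv4 address found on %s\n' "$EXT_IF" >&2
  IP_HDSL=$IP_ADDR/28
  printf '%s %s\n' "indirizzo rete HDSL " "$IP_HDSL"
  printf '%s %s\n' "indirizzo rete locale " "$IP_LOCALNET"

  # Default policies first, so the flush below never exposes an open firewall.
  iptables -P INPUT DROP
  iptables -P FORWARD DROP
  iptables -P OUTPUT ACCEPT
  reset_rules

  # Works around a bug in the Cisco router (per the original author).
  echo 0 > /proc/sys/net/ipv4/tcp_ecn

  forward_rules
  input_rules
  nat_rules

  # Enable forwarding only now that the FORWARD rules are in place.
  echo 1 > /proc/sys/net/ipv4/ip_forward

  # Show the resulting rule set.
  iptables -L -v && iptables -L -t nat -v
}

main "$@"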