[Pluto-security] Firewall
Andrea[Debian]
mail_linux at libero.it
Thu Mar 6 21:46:24 CET 2003
Avevo postato un paio di giorni fa su pluto-help chiedendo se qualcuno poteva
dare una controllata alle regole dello script che uso per iptables, e
giustamente mi e' stato detto di postare su questa ml...
Se le regole vi paiono familiari e' perche' in gran parte le ho prese
dagli script di Oskar Andreasson (tutorial su iptables) e di un ragazzo
del cslug (mi pare)... Comunque, conoscendomi, sono capace di avere fatto qualche
cappellata colossale pure cosi'... quindi non insultatemi =)
Non posto tutto lo script ( posso postarlo pure tutto volendo... ),
solamente la parte con le regole e la definizione delle interfacce...
Ciao e grazie
**************************
**************************
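IPTABLES="/sbin/iptables"
# ===== Interface / address assignment =====
# NOTE: GREEN and WHITE (used in the echo lines below) are set in the part of
# the script that was not posted.
#INTERFACCE=$(/sbin/ifconfig | grep Link | cut -d" " -f1)
LAN_IFACE=eth0
# Match 'inet addr:' rather than bare 'inet' so an 'inet6' line from ifconfig
# cannot add a second value to the variable.
LAN_IP=$(/sbin/ifconfig "$LAN_IFACE" | grep 'inet addr:' | cut -d: -f2 | cut -d' ' -f1)
# FIX: the original "192.168.0.0/192.168.0.2" is not a network. iptables
# reads the part after '/' as a dotted netmask, and 192.168.0.2 is a
# non-contiguous mask that also matches many unrelated (public) addresses.
# SUBNET_MASK below is 255.255.255.0, so the LAN is 192.168.0.0/24.
LAN_IP_RANGE=192.168.0.0/24
# Directed broadcast of the /24 above (192.168.255.255 belongs to a /16).
LAN_IP_BROADCAST=192.168.0.255
SUBNET_MASK=255.255.255.0
LO_IFACE=lo
LO_IP=$(/sbin/ifconfig "$LO_IFACE" | grep 'inet addr:' | cut -d: -f2 | cut -d' ' -f1)
INET_IFACE=ppp0
# ppp0 may be down when this runs: stderr is discarded and INET_IP may be
# empty. Every rule that uses INET_IP is therefore guarded below; the script
# has to be re-run (e.g. from ip-up) once the link gets its address.
INET_IP=$(/sbin/ifconfig "$INET_IFACE" 2> /dev/null | grep 'inet addr:' | cut -d: -f2 | cut -d' ' -f1)
# ===== Flush all rules and user chains in filter, nat and mangle =====
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X
echo -e "\nFlushing delle regole \t\t\t\t[ ${GREEN}OK ${WHITE}]"
# ===== Create user chains =====
echo -e "\nCreazione catene :"
$IPTABLES -N bad_tcp_packets
$IPTABLES -N allowed
$IPTABLES -N tcp_packets
$IPTABLES -N udp_packets
$IPTABLES -N icmp_packets
echo -e "catena bad_tcp_packets\t\t\t\t[ ${GREEN}OK ${WHITE}]"
echo -e "catena allowed\t\t\t\t\t[ ${GREEN}OK ${WHITE}]"
echo -e "catena tcp_packets\t\t\t\t[ ${GREEN}OK ${WHITE}]"
echo -e "catena udp_packets\t\t\t\t[ ${GREEN}OK ${WHITE}]"
echo -e "catena icmp_packets\t\t\t\t[ ${GREEN}OK ${WHITE}]"
# ===== Default policies: deny everything not explicitly accepted =====
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP
echo -e "\nSettaggio regole di base \t\t\t[ ${GREEN}OK ${WHITE}]"
# ===== Anti-spoofing in the filter table =====
# Packets arriving from the Internet must not carry a loopback, LAN or own
# address as source. These go first in INPUT/FORWARD because the nat-table
# copies further down are only consulted for the first packet of a
# connection, while stateless rules such as icmp_packets would otherwise
# still accept a spoofed packet.
$IPTABLES -A INPUT -i "$INET_IFACE" -s "$LO_IP" -j DROP
$IPTABLES -A INPUT -i "$INET_IFACE" -s "$LAN_IP_RANGE" -j DROP
$IPTABLES -A FORWARD -i "$INET_IFACE" -s "$LO_IP" -j DROP
$IPTABLES -A FORWARD -i "$INET_IFACE" -s "$LAN_IP_RANGE" -j DROP
if [ -n "$INET_IP" ]; then
    $IPTABLES -A INPUT -i "$INET_IFACE" -s "$INET_IP" -j DROP
    $IPTABLES -A FORWARD -i "$INET_IFACE" -s "$INET_IP" -j DROP
fi
# ===== TOS tweaks in mangle =====
# ftp-data gets throughput, ssh gets low delay.
$IPTABLES -A PREROUTING -t mangle -p tcp --sport 20 -j TOS --set-tos Maximize-Throughput
$IPTABLES -A PREROUTING -t mangle -p tcp --sport 22 -j TOS --set-tos Minimize-Delay
# ===== bad_tcp_packets chain =====
# A NEW connection that does not start with SYN is bogus (or a scan).
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
# Xmas tree and other impossible flag combinations
$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
# Null packets (no flags at all)
$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j DROP
# SYN+RST together
$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# SYN+FIN together
$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# FIX: FIN scan means a *lone* FIN (no ACK). The original "--tcp-flags FIN FIN"
# matched every segment carrying FIN, i.e. also the normal FIN/ACK close of
# every legitimate connection -- and this chain is used from INPUT, OUTPUT and
# FORWARD, so no connection could ever be closed cleanly.
$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags ALL FIN -j DROP
# ===== allowed chain: accept a new SYN or an already-tracked flow =====
$IPTABLES -A allowed -p tcp --syn -j ACCEPT
$IPTABLES -A allowed -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p tcp -j DROP
# ===== IGMP from the Internet =====
$IPTABLES -A INPUT -i "$INET_IFACE" -p igmp -j DROP
# ===== icmp_packets chain =====
# echo reply, destination unreachable, echo request, time exceeded
$IPTABLES -A icmp_packets -p icmp --icmp-type 0 -j ACCEPT
$IPTABLES -A icmp_packets -p icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A icmp_packets -p icmp --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p icmp --icmp-type 11 -j ACCEPT
# ===== tcp_packets chain =====
#$IPTABLES -A tcp_packets -p tcp --dport 80 -j allowed
# ident: REJECT rather than DROP so mail/irc servers do not wait for a timeout
$IPTABLES -A tcp_packets -p tcp --dport 113 -j REJECT
#TEST $IPTABLES -A tcp_packets -p tcp --dport 5222 -j allowed
#TEST $IPTABLES -A tcp_packets -p tcp --sport 5222 -j allowed
# ===== udp_packets chain =====
# NOTE(review): this accepts a packet from *any* Internet host to *any* local
# UDP port as long as the sender uses source port 4000 (presumably meant for
# ICQ). Replies to flows this host opened are already accepted as
# ESTABLISHED in INPUT, so consider restricting this to the client's local
# port (--dport) or removing it altogether.
$IPTABLES -A udp_packets -p udp --sport 4000 -j ACCEPT
# Libero DNS servers. NEW packets with sport 53 and dport 53 are only needed
# if this host runs a nameserver; plain resolver answers are ESTABLISHED.
$IPTABLES -A udp_packets -m state -p udp -s 193.70.192.25 --sport 53 --dport 53 --state NEW -j ACCEPT
$IPTABLES -A udp_packets -m state -p udp -s 193.70.152.25 --sport 53 --dport 53 --state NEW -j ACCEPT
# ===== Suspicious TCP on every interface =====
$IPTABLES -A INPUT -p tcp -j bad_tcp_packets
# ===== Dispatch Internet traffic by protocol =====
$IPTABLES -A INPUT -p icmp -i "$INET_IFACE" -j icmp_packets
$IPTABLES -A INPUT -p tcp -i "$INET_IFACE" -j tcp_packets
$IPTABLES -A INPUT -p udp -i "$INET_IFACE" -j udp_packets
# ===== LAN traffic =====
$IPTABLES -A INPUT -i "$LAN_IFACE" -s "$LAN_IP_RANGE" -j ACCEPT
$IPTABLES -A INPUT -i "$LAN_IFACE" -d "$LAN_IP_BROADCAST" -j ACCEPT
# ===== Loopback traffic =====
$IPTABLES -A INPUT -i "$LO_IFACE" -s "$LO_IP" -j ACCEPT
$IPTABLES -A INPUT -i "$LO_IFACE" -s "$LAN_IP" -j ACCEPT
$IPTABLES -A INPUT -i "$LO_IFACE" -s "$LAN_IP_RANGE" -j ACCEPT
# ===== Replies to connections this host opened towards the Internet =====
# Guarded: with ppp0 down $INET_IP is empty and iptables would read "-m" as
# the address, aborting the rule.
if [ -n "$INET_IP" ]; then
    $IPTABLES -A INPUT -d "$INET_IP" -m state --state ESTABLISHED,RELATED -j ACCEPT
fi
# ===== FORWARD chain =====
$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# ===== OUTPUT chain: anything sourced from one of our own addresses =====
$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets
$IPTABLES -A OUTPUT -s "$LO_IP" -j ACCEPT
$IPTABLES -A OUTPUT -s "$LAN_IP" -j ACCEPT
if [ -n "$INET_IP" ]; then
    $IPTABLES -A OUTPUT -s "$INET_IP" -j ACCEPT
fi
#TEST $IPTABLES -A OUTPUT -p tcp --dport 5222 -j ACCEPT
# ===== nat - prerouting =====
# Kept from the original; the filter-table anti-spoofing rules above are the
# ones that actually protect the host, because the nat table only sees the
# first packet of each new connection.
$IPTABLES -t nat -A PREROUTING -i "$INET_IFACE" -s "$LO_IP" -j DROP
$IPTABLES -t nat -A PREROUTING -i "$INET_IFACE" -s "$LAN_IP_RANGE" -j DROP
if [ -n "$INET_IP" ]; then
    $IPTABLES -t nat -A PREROUTING -i "$INET_IFACE" -s "$INET_IP" -j DROP
fi
echo -e "\nImpostazione delle regole di filtraggio\t\t[ ${GREEN}OK ${WHITE}]"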
--
JabbeR : andrea a amessage.de
ICQ : 48431218
Look around at this world we've made
Equality our stock in trade
Come and join the Brotherhood of Man
Oh, what a nice, contented world
Let the banners be unfurled
Hold the Red Star proudly high in hand