[Pluto-security] aiuto sul script
Matteo
matteo.king at libero.it
Tue Mar 25 11:57:18 CET 2003
Ciao a tutti ho realizzato finalmente il mio firewall seguendo la guida di
R(ex) Sanna e funziona quasi tutto . Vi spiego quale è il problema per
scarisità di denaro ho solo una macchina che fa da firewall sulla quale pero'
devo essere abilitate le seguenti porte quella del server ftp 21 quella della
porta ssh e la porta 4662 (servizio di emule) qusti servizi sono sulla stessa
macchina che fa da firewall ,mentre il resto delle porte deve essere chuso
bloccato!!
Ho fatto tutto cio e sono andato sul questo sito http://scan.sygatetech.com/ e
ho fatto uno scanning e con mio stupore ho visto che le porte che io pensavo
fossere bloccate erano invece semplicemente chiuse altre invece erano
aperte!!
Ho riletto le guide ma nn ho risolto il problema vi posto il mio script
sperando cosi' di capire dove sbaglio!!
Grazie mille
Matteo
#!/bin/sh
#
###### ####
###### Configurazione firewall ####
###### ####
IPTABLES="/usr/local/sbin/iptables"
LOCALINTERFACE="eth0"
INTERNETINTERFACE="ppp+"
LOOPINTERFACE="lo"
LOCALNET=192.168.0.0/255.255.255.0
LOOPBACK=127.0.0.0/8
FIREWALL=192.168.0.254
PAZZEO=192.168.0.1
CHECCO=192.168.0.2
#------------------------------ codici escape colori
RED="\\033[1;31m"
GREEN="\\033[0;32m"
WHITE="\\033[0;39m"
CYAN="\\033[0;36m"
BLUE="\\033[1;34m"
ORANGE="\\033[0;33m"
YELLOW="\\033[1;33m"
MAGENTA="\\033[1;35m"
start(){
echo -n "Disattivazione del ip forward :"
echo 0 > /proc/sys/net/ipv4/ip_forward
echo -n "Caricamento Moduli : "
#------------------------------ caricamento moduli necessari
/sbin/modprobe ipt_LOG > /dev/null 2> /dev/null
/sbin/modprobe ip_conntrack > /dev/null 2> /dev/null
/sbin/modprobe ip_conntrack_ftp > /dev/null 2> /dev/null
/sbin/modprobe ip_conntrack_irc > /dev/null 2> /dev/null
/sbin/modprobe ipt_MASQUERADE > /dev/null 2> /dev/null
/sbin/modprobe ipt_state > /dev/null 2> /dev/null
/sbin/modprobe iptable_nat > /dev/null 2> /dev/null
/sbin/modprobe ip_nat_ftp > /dev/null 2> /dev/null
/sbin/modprobe ip_nat_irc > /dev/null 2> /dev/null
echo -n "Flushing delle regole eventualmente presenti : "
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X
$IPTABLES -Z
echo -n "Carico policy catene :"
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT
# echo -n " Creazione catene di errore : "
#
# # ----------------------------- definizione delle catene di errore
# $IPTABLES -N errore1
# $IPTABLES -A errore1 -j LOG --log-prefix "Tentativo di spoofing:"
--log-level info
# $IPTABLES -A errore1 -j DROP
echo -n " Esecuzione protezioni varie : "
#------------------------------ attivazione protezioni varie
echo -n "Attivazione Source Address Verification : "
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done
echo -e "\t\t\t[ ${GREEN}OK ${WHITE}]"
else
echo -e "\t\t\t[ ${RED}NO ${WHITE}]"
echo -n "SAV non disponibile, utilizzo di ipchains : "
$IPTABLES -A input -s $LOOPBACK -i ! lo -j errore1
echo -e "\t\t\t[ ${GREEN}OK ${WHITE}]"
fi
echo -n "Attivazione TCP SYN Cookie Protection : "
if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then
echo 1 >/proc/sys/net/ipv4/tcp_syncookies
echo -e "\t\t\t[ ${GREEN}OK ${WHITE}]"
else
echo -e "\t\t\t[ ${RED}NO ${WHITE}]"
fi
echo -n "Attivazione del Forward dei pacchetti: "
if [ /proc/sys/net/ipv4/ip_forward ]; then
echo 1 >/proc/sys/net/ipv4/ip_forward
echo -e "\t\t\t\t[ ${GREEN}OK ${WHITE}]"
else
echo -e "\t\t\t\t[ ${RED}NO ${WHITE}]"
fi
echo -n "Attivazione Broadcast Echo Protection : "
if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]; then
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo -e "\t\t\t[ ${GREEN}OK ${WHITE}]"
else
echo -e "\t\t\t[ ${RED}NO ${WHITE}]"
fi
echo -n "Attivazione Bad Error Message Protection : "
if [ -e /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ]; then
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo -e "\t\t\t[ ${GREEN}OK ${WHITE}]"
else
echo -e "\t\t\t[ ${RED}NO ${WHITE}]"
fi
echo -n "Disattivazione ICMP Redirect Acceptance : "
if [ -e /proc/sys/net/ipv4/conf/all/accept_redirects ]; then
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo 0 > $f
done
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
echo 0 > $f
done
echo -e "\t\t\t[ ${GREEN}OK ${WHITE}]"
else
echo -e "\t\t\t[ ${RED}NO ${WHITE}]"
fi
echo -n "Disattivazione Source Routed Packets : "
if [ -e /proc/sys/net/ipv4/conf/all/accept_source_route ]; then
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 0 > $f
done
echo -e "\t\t\t\t[ ${GREEN}OK ${WHITE}]"
else
echo -e "\t\t\t\t[ ${RED}NO ${WHITE}]"
fi
echo -n "Log pacchetti spoofed, source routed, redirected : "
if [ -e /proc/sys/net/ipv4/conf/all/log_martians ]; then
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
echo 1 > $f
done
echo -e "\t\t[ ${GREEN}OK ${WHITE}]"
else
echo -e "\t\t[ ${RED}NO ${WHITE}]"
fi
# Se hai il Kernel 2.4 la congestione tcp deve essere disattivata, non
# tutti i supportano la ricezione della verifica di congestione.
echo -n "Disattivazione notifica congestione tcp : "
if [ -e /proc/sys/net/ipv4/tcp_ecn ]; then
echo 0 > /proc/sys/net/ipv4/tcp_ecn
echo -e "\t\t\t[ ${GREEN}OK ${WHITE}]"
else
echo -e "\t\t\t[ ${RED}NO ${WHITE}]"
fi
# Dynamic IP users:
#
# If you get your IP address dynamically from SLIP, PPP, or DHCP, enable
this following
# option. This enables dynamic-ip address hacking in IP MASQ, making
the life
# with Diald and similar programs much easier.
#
echo -n "Attivazione IP Dynamical Address :"
if [ -e /proc/sys/net/ipv4/ip_dynaddr ]; then
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
echo -e "\t\t\t\t[ ${GREEN}OK ${WHITE}]"
else
echo -e "\t\t\t\t[ ${RED}NO ${WHITE}]"
fi
# Enable the LooseUDP patch which some Internet-based games require
#
# If you are trying to get an Internet game to work through your IP MASQ box,
# and you have set it up to the best of your ability without it working, try
# enabling this option (delete the "#" character). This option is disabled
# by default due to possible internal machine UDP port scanning
# vunerabilities.
#
echo "1" > /proc/sys/net/ipv4/ip_nonlocal_bind
# Blocco i ping verso la mia macchina :
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo -n " Caricamneto catene Prerouting e postrouting "
####################################################################
####################################################################
## REGOLE CATENE DI PREROUTING/POSTROUTING ##
####################################################################
####################################################################echo -n
"Mascheramento di ci che esce da PPP+: "
$IPTABLES -t nat -A POSTROUTING -o $INTERNETINTERFACE -j MASQUERADE
echo -n " Creazione catena in entrata :"
####################################################################
####################################################################
## REGOLE CATENE DI INPUT ##
####################################################################
####################################################################
#creo catena per servii disponibili sul firewall
$IPTABLES -N extfirewall
# accetta tutto su loopback
$IPTABLES -A INPUT -i lo -j ACCEPT
# protezione dal SYN flood
$IPTABLES -N syn-flood # create chain "syn-flood"
$IPTABLES -A INPUT -i $INTERNETINTERFACE -p tcp --syn -j syn-flood
$IPTABLES -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
$IPTABLES -A syn-flood -j DROP
$IPTABLES -A INPUT -i $INTERNETINTERFACE -p tcp ! --syn -m state --state NEW
-j DROP
echo "SYN flood: OK"
$IPTABLES -A INPUT -s $LOCALNET -j ACCEPT
$IPTABLES -A INPUT -i $LOCALINTERFACE -j ACCEPT
$IPTABLES -A INPUT -i $INTERNETINTERFACE -j ACCEPT
echo -n " Creazione catena forward : "
####################################################################
####################################################################
## REGOLE CATENE DI FORWARD ##
####################################################################
####################################################################
$IPTABLES -N lanext
$IPTABLES -A FORWARD -i $LOCALINTERFACE -o $INTERNETINTERFACE -j lanext
$IPTABLES -A FORWARD -i $INTERNETINTERFACE -o $LOCALINTERFACE -j ACCEPT
$IPTABLES -A FORWARD -i $INTERNETINTERFACE -o lo -m state --state
NEW,ESTABLISHED -j extfirewall
# logga prima di scartare il pacchetto
$IPTABLES -A FORWARD -j LOG --log-prefix "Pacchetto anomalo in forward:"
--log-level info
####################################################################
####################################################################
## REGOLE CATENE DI LANEXT ##
####################################################################
####################################################################
# accetta tutti i pacchetti uscenti dalla lan
$IPTABLES -A lanext -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
####################################################################
####################################################################
## REGOLE CATENE DI EXFIREWALL ##
####################################################################
####################################################################
$IPTABLES -N internet-icmp
$IPTABLES -N internet-tcp
$IPTABLES -N internet-udp
$IPTABLES -A extfirewall -p tcp --syn -j internet-tcp
#Protocollo igmp
$IPTABLES -A extfirewall -p igmp -j DROP
#Catene per i protocolli icmp e udp
$IPTABLES -A extfirewall -p icmp -j internet-icmp
$IPTABLES -A extfirewall -p udp -j internet-udp
#########################################################
## Filtraggio ICMP, sono permessi solo i tipi 0,3,8,11 ##
#########################################################
$IPTABLES -A internet-icmp -p icmp --icmp-type 0 -j ACCEPT
$IPTABLES -A internet-icmp -p icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A internet-icmp -p icmp --icmp-type 8 -j ACCEPT
$IPTABLES -A internet-icmp -p icmp --icmp-type 11 -j ACCEPT
$IPTABLES -A internet-icmp -j DROP
$IPTABLES -A internet-icmp -j LOG --log-prefix "ICMP non autorizzato:"
#########################################################################
## Filtraggio TCP SYN ##
## ##
## INSERIRE QUI EVENTUALI CATENE DI ACCEPT PER SERVIZI CHE DEVO ESSERE ##
## DISPONIBILI DALL'ESTERNO ##
#########################################################################
$IPTABLES -A internet-tcp -p tcp --dport 21 -m state --state NEW,ESTABLISHED
-j ACCEPT
$IPTABLES -A internet-tcp -p tcp --dport 4662 -m state --state NEW,ESTABLISHED
-j ACCEPT
$IPTABLES -A internet-tcp -p tcp --dport 4661 -m state --state NEW,ESTABLISHED
-j ACCEPT
$IPTABLES -A internet-tcp -p tcp --dport 6699 -m state --state NEW,ESTABLISHED
-j ACCEPT
$IPTABLES -A internet-tcp -m state --state NEW,ESTABLISHED -j DROP
$IPTABLES -A internet-tcp -j LOG --log-prefix "Connessione TCP rifiutata:"
######################
## Filtraggio UDP ##
######################
$IPTABLES -A internet-udp -m state --state NEW,ESTABLISHED -j ACCEPT
####################################################################
####################################################################
## REGOLE CATENE DI OUTPUT ##
####################################################################
####################################################################
#La Policy è ACCEPT !!
#######################################################################################################################################################
echo -n " Riabilito l ip forward :"
echo 1 > /proc/sys/net/ipv4/ip_forward
}
#------------------------------ opzione stop dello script
stop() {
echo "Disattivazione del Firewall in corso..."
$IPTABLES -F
$IPTABLES -X
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
echo -n "Rimozione dei moduli necessari : "
/sbin/rmmod ipt_LOG > /dev/null 2> /dev/null
/sbin/rmmod ip_conntrack > /dev/null 2> /dev/null
/sbin/rmmod ip_conntrack_ftp > /dev/null 2> /dev/null
/sbin/rmmod ip_conntrack_irc > /dev/null 2> /dev/null
/sbin/rmmod ipt_MASQUERADE > /dev/null 2> /dev/null
/sbin/rmmod ipt_state > /dev/null 2> /dev/null
/sbin/rmmod iptable_nat > /dev/null 2> /dev/null
/sbin/rmmod ip_nat_ftp > /dev/null 2> /dev/null
/sbin/rmmod ip_nat_irc > /dev/null 2> /dev/null
echo -e "\t\t[ ${GREEN}OK ${WHITE}]"
echo -n "Disattivazione IP forwarding : "
echo 0 > /proc/sys/net/ipv4/ip_forward
echo -e "\t\t\t\t\t[ ${GREEN}OK ${WHITE}]"
echo -e "${YELLOW}ATTENZIONE: IL FIREWALL NON E' PIU' OPERATIVO${WHITE}"
}
#------------------------------ opzione status dello script
status() {
echo "Impostazioni attuali del firewall : "
echo -e "Indirizzo IP locale sull'interfaccia \
${YELLOW}$INTERFACE${WHITE} : ${RED}$INTERFACEIP${WHITE}"
$IPTABLES --list
}
case "$1" in
start)
start
;;
stop)
stop
;;
restart)
# "restart" is really just "start" as this isn't a daemon,
# and "start" clears any pre-defined rules anyway.
# This is really only here to make those who expect it happy
start
;;
status)
iptables -L -v
;;
*)
echo "Usage: $0 {start|stop|restart|status}"
exit 1
;;
esac
exit 0
More information about the pluto-security
mailing list