



Archive: November 2005 ml@sikurezza.org
Subject: [ml] Finally finished: Axl's Firewall ScRiPt 2.0
From: Axl M.A.D.
Date: Tue,  8 Nov 2005 13:21:21 +0100 (CET)
After months (I'm not joking, I started from zero!) of continuous changes I have finished my iptables script!!!!!
Security experts, give me some advice if there is anything to correct/improve or add.... I'm getting passionate about firewalls and I want one that is really well configured!
I have been testing it for quite a while and I have to say it works well, but I'm eager to improve it (with your help!!).
The next step will be to open, one at a time, the ports I need in FORWARD!


I'm waiting for comments and above all for advice!!!
Here is the script:

#!/bin/bash
#Flushing all rules,chains,tables,policies.

iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

#Reset the default policies in the nat table.
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT

#Reset the default policies in the mangle table (all five chains).
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P INPUT ACCEPT
iptables -t mangle -P FORWARD ACCEPT
iptables -t mangle -P OUTPUT ACCEPT
iptables -t mangle -P POSTROUTING ACCEPT

#Flush all the rules in the filter and nat tables.
iptables -F
iptables -t nat -F
iptables -t mangle -F

#Erase all chains that are not default in the filter, nat and mangle tables.
iptables -X
iptables -t nat -X
iptables -t mangle -X

#Flush the rules and erase the user chains of all tables (repeats the steps above, harmless).
for table in nat mangle filter
do
 iptables -t $table -F
 iptables -t $table -X
done

#-----------------------------------------------------------------------------


#Drop all traffic by default
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
#-----------------------------------------------------------------------------



#Filter bogus source addresses arriving on the internet interface
iptables -A INPUT -i ppp0 -s 127.0.0.1 -j DROP
iptables -A INPUT -i ppp0 -s 192.168.0.0/16 -j DROP
#------------------------------------------------------------------------------



#Kernel protections
echo 1024 > /proc/sys/net/ipv4/tcp_max_syn_backlog
#Ignore all ICMP echo requests (so the ICMP rules at the end never see a ping)
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
#Reverse-path filtering on every interface
for a in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > "$a"; done
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 0 > /proc/sys/net/ipv4/tcp_ecn
#Fragmented packets management
echo 262144 > /proc/sys/net/ipv4/ipfrag_high_thresh
echo 196608 > /proc/sys/net/ipv4/ipfrag_low_thresh
echo 25 > /proc/sys/net/ipv4/ipfrag_time
#Permit FTP active mode for the clients (connection-tracking and NAT helpers)
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
#-----------------------------------------------------------------------------



#MASQUERADE
echo "1" > /proc/sys/net/ipv4/ip_forward
modprobe ip_tables
modprobe ip_conntrack
modprobe iptable_nat
modprobe ipt_MASQUERADE
#Masquerade only what leaves on the internet interface; note the negation goes before the option ("! -d", the old "-d !" form is rejected by current iptables)
iptables -t nat -A POSTROUTING -o ppp0 ! -d 192.168.0.0/24 -j MASQUERADE
#LAN hosts may open connections outwards
iptables -A FORWARD -s 192.168.0.0/16 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#This also accepts NEW connections directed to the LAN, not only replies
iptables -A FORWARD -d 192.168.0.0/16 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#-----------------------------------------------------------------------------



#Accept all LAN traffic
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A OUTPUT -o eth1 -j ACCEPT
#-----------------------------------------------------------------------------



#Permit loopback connections
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
#-----------------------------------------------------------------------------





#++++++++++++++++++++++++++++++
#Ports opening                +
#++++++++++++++++++++++++++++++

#++++++++
#INPUT  +
#++++++++

#Dns
iptables -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -p udp --sport 53 -s 85.37.17.12/32 -j ACCEPT
iptables -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -p udp --sport 53 -s 151.99.125.1/32 -j ACCEPT
iptables -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -p tcp --sport 53 -s 85.37.17.12/32 -j ACCEPT
iptables -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -p tcp --sport 53 -s 151.99.125.1/32 -j ACCEPT


#http e https
iptables -A INPUT -i ppp0 -p tcp --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp --sport 443 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp --sport 8080 -m state --state ESTABLISHED,RELATED -j ACCEPT


#pop3
iptables -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -m limit --limit 60/min -p tcp --sport 110 -j ACCEPT
iptables -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -m limit --limit 60/min -p tcp --sport 995 -j ACCEPT
#smtp
iptables -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -m limit --limit 50/min -p tcp --sport 25 -j ACCEPT
iptables -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -m limit --limit 50/min -p tcp --sport 587 -j ACCEPT
#aMule INPUT
iptables -A INPUT -i ppp0 -p tcp --dport 4662 -m state --state NEW,ESTABLISHED,RELATED -m limit --limit 10/s -j ACCEPT
iptables -A INPUT -i ppp0 -p udp --dport 4672 -m state --state NEW,ESTABLISHED,RELATED -m limit --limit 10/s -j ACCEPT
iptables -A INPUT -i ppp0 -p udp --dport 4665 -m state --state NEW,ESTABLISHED,RELATED -m limit --limit 10/s -j ACCEPT


#++++++++
#OUTPUT +
#++++++++


#Dns
iptables -A OUTPUT -p udp --dport 53 -d 85.37.17.12/32 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -d 151.99.125.1/32 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -d 85.37.17.12/32 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -d 151.99.125.1/32 -j ACCEPT

#Http and https
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 8080 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT

#aMule OUTPUT
iptables -A OUTPUT -p tcp --dport 4662 -m limit --limit 10/s -j ACCEPT
iptables -A OUTPUT -p udp --dport 4672 -m limit --limit 10/s -j ACCEPT
iptables -A OUTPUT -p udp --dport 4665 -m limit --limit 10/s -j ACCEPT


#Pop3
iptables -A OUTPUT -p tcp --dport 110 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 995 -j ACCEPT

#Smtp
iptables -A OUTPUT -p tcp --dport 587 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 25 -j ACCEPT

#Rsync  (needed by urpmi)
iptables -A OUTPUT -p tcp --dport 873 -j ACCEPT
iptables -A OUTPUT -p udp --dport 873 -j ACCEPT

#-----------------------------------------------------------------------------


#Ftp management (Thanks to MonMotha)

# The control connection
iptables -A INPUT -i ppp0 -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o ppp0 -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
# The data connection in active mode
iptables -A INPUT -i ppp0 -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o ppp0 -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
# The data connection in passive mode
iptables -A INPUT -i ppp0 -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o ppp0 -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
#-----------------------------------------------------------------------------



#Icmp management
#Accept 3 incoming and outgoing ICMP packets/min, drop the others (all pings are already blocked at the script's start by icmp_echo_ignore_all)
iptables -A OUTPUT -p icmp -m limit --limit 3/min -j ACCEPT
iptables -A OUTPUT -p icmp -j DROP
iptables -A INPUT -p icmp -m limit --limit 3/min -j ACCEPT
iptables -A INPUT -p icmp -j DROP
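The points a reviewer would raise about the script above are structural: one stateful ESTABLISHED,RELATED rule per direction replaces the long list of per-port "--sport" return rules (and covers the DNS/UDP replies too), the bogus-source list should cover loopback and all three RFC 1918 ranges, MASQUERADE should be bound to the internet interface, and FORWARD should only let replies back towards the LAN. The script below is an added example that is not the poster's script: it generates the equivalent ruleset in iptables-restore format so it can be syntax-checked and loaded atomically, with a rollback timer so a mistake cannot lock you out of a remote box. Interface names (ppp0, eth1), the LAN prefix and the service lists are assumptions taken from the post.

```shell
#!/bin/sh
# Added example, not the original poster's script: emit an iptables-restore
# ruleset for the topology assumed in the post (ppp0 = internet link,
# eth1 = LAN, 192.168.0.0/24 behind it). Interface names, LAN prefix and
# service lists are assumptions taken from the post.

WAN_IF="${WAN_IF:-ppp0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"

# Source prefixes that must never arrive on the internet side:
# loopback plus the three RFC 1918 ranges (the post only dropped two).
BOGONS="127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# Services the gateway itself may open outbound (list from the post).
OUT_TCP="53 80 443 8080 110 995 25 587 873 21"
OUT_UDP="53 873"

# Services exposed on the internet side (aMule, as in the post).
IN_TCP="4662"
IN_UDP="4672 4665"

emit() { printf '%s\n' "$1"; }

gen_ruleset() {
    emit '*nat'
    emit ':PREROUTING ACCEPT [0:0]'
    emit ':POSTROUTING ACCEPT [0:0]'
    emit ':OUTPUT ACCEPT [0:0]'
    # Masquerade only LAN traffic leaving on the WAN link, not every non-LAN packet.
    emit "-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE"
    emit 'COMMIT'

    emit '*filter'
    emit ':INPUT DROP [0:0]'
    emit ':FORWARD DROP [0:0]'
    emit ':OUTPUT DROP [0:0]'
    emit ':WAN_IN - [0:0]'

    # Loopback and LAN are trusted; everything from the WAN goes through WAN_IN.
    emit '-A INPUT -i lo -j ACCEPT'
    emit '-A OUTPUT -o lo -j ACCEPT'
    emit "-A INPUT -i $LAN_IF -j ACCEPT"
    emit "-A OUTPUT -o $LAN_IF -j ACCEPT"
    emit "-A INPUT -i $WAN_IF -j WAN_IN"

    # WAN_IN: bogon sources, then broken state, then one return-traffic rule,
    # then the explicitly exposed services.
    for net in $BOGONS; do
        emit "-A WAN_IN -s $net -j DROP"
    done
    emit '-A WAN_IN -m state --state INVALID -j DROP'
    emit '-A WAN_IN -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for p in $IN_TCP; do
        emit "-A WAN_IN -p tcp --dport $p -m state --state NEW -m limit --limit 10/s -j ACCEPT"
    done
    for p in $IN_UDP; do
        emit "-A WAN_IN -p udp --dport $p -m limit --limit 10/s -j ACCEPT"
    done
    # Answer pings slowly instead of ignoring all ICMP, so errors and PMTU still work.
    emit '-A WAN_IN -p icmp --icmp-type echo-request -m limit --limit 3/min -j ACCEPT'

    # OUTPUT towards the WAN: replies plus the explicit service list.
    emit "-A OUTPUT -o $WAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for p in $OUT_TCP; do
        emit "-A OUTPUT -o $WAN_IF -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    for p in $OUT_UDP; do
        emit "-A OUTPUT -o $WAN_IF -p udp --dport $p -j ACCEPT"
    done
    emit "-A OUTPUT -o $WAN_IF -p icmp -m limit --limit 3/min -j ACCEPT"

    # FORWARD: the LAN may open connections out; only replies come back in.
    emit "-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT"
    emit "-A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
    emit 'COMMIT'
}

# Parse the ruleset without touching the live tables (needs root and iptables).
check_ruleset() { gen_ruleset | iptables-restore --test; }

# Load atomically with a 60 s automatic rollback to the saved rules;
# kill the timer once you have confirmed you can still reach the box.
apply_ruleset() {
    saved=$(mktemp) || return 1
    iptables-save > "$saved" || return 1
    ( sleep 60; iptables-restore < "$saved" ) &
    timer=$!
    gen_ruleset | iptables-restore || return 1
    echo "rules loaded; run 'kill $timer' to cancel the rollback"
}

# Does the generated ruleset contain a line exactly equal to $1?
has_rule() { gen_ruleset | grep -qxF -- "$1"; }
```

Run `check_ruleset` first; it only parses. RELATED covers the FTP data connections as long as the ftp conntrack helper the post loads is present, and the UDP DNS replies as ESTABLISHED, so none of the "--sport" rules are needed.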






www.sikurezza.org - Italian Security Mailing List
(c) 1999-2005