Cosi' sembra che funzi
scan esterni
http://scan.sygatetech.com/stealthscan.html
https://grc.com/x/ne.dll?bh0bkyd2
danno risultati incoraggianti ;-)
ho aggiunto regole per lo e per il LOG come suggerito
nb. il log non lo ho ancora guardato!
#! /bin/sh
# Mario
# ultima revisione 26/10/2003
# ispirato da
# Linux Firewall
# I quaderni di informatica di Linux&C
# firewall.loader
# rispetto ai suggerimenti originali aggiunte policy su interfaccia lo
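#######################################
# Bring the firewall up: load the netfilter modules, harden the IPv4
# sysctls, then install a DROP-by-default ruleset with stateful ACCEPTs,
# masquerading for the internal LAN, and a logging chain that catches
# whatever the earlier rules did not accept.
# Globals (written): IPTABLES, EXTIF, INTIF, INTERNALNET
# Arguments: none
# Outputs:   progress messages on stdout
# Returns:   status of the last iptables command; individual failures are
#            not checked (as in the original script)
#######################################
start () {
  echo "Starting firewall default policy DROP"
  IPTABLES=/sbin/iptables
  EXTIF="ppp0"
  INTIF="eth0"
  INTERNALNET="192.168.1.0/255.255.255.0"

  # modprobe resolves dependencies and is a no-op when the module is already
  # loaded, so a second "start" does not fail the way insmod would.
  # ipt_limit backs the "-m limit" match used on the LOG rules below.
  for mod in ip_tables ip_conntrack ip_conntrack_ftp iptable_nat ip_nat_ftp \
             ipt_LOG ipt_limit; do
    /sbin/modprobe "$mod"
  done

  echo 1 > /proc/sys/net/ipv4/ip_forward
  # ppp0 gets a new address on every dial-up; let existing sockets rebind.
  echo 1 > /proc/sys/net/ipv4/ip_dynaddr
  echo "Disabling IP Spoofing attacks"
  echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
  echo "Disabling respond to broadcast pings"
  echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
  echo "Blocking source routing"
  echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
  echo "Kill timestamps"
  echo 0 > /proc/sys/net/ipv4/tcp_timestamps
  echo "Enable SYN Cookies"
  echo 1 > /proc/sys/net/ipv4/tcp_syncookies
  echo "Kill redirects"
  echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
  echo "Enabling bad error message protection"
  echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
  echo "Logging martians (packets with impossible addresses)"
  echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

  echo "clearing any existing rules"
  "$IPTABLES" -F
  "$IPTABLES" -t nat -F
  # -F leaves user-defined chains in place: on a second "start" the
  # "-N LOG_REPORT" below would fail and its rules would be appended twice.
  # Delete the (now empty) user chains as well.
  "$IPTABLES" -X
  "$IPTABLES" -t nat -X

  echo "setting default policy DROP"
  "$IPTABLES" -P INPUT DROP
  "$IPTABLES" -P OUTPUT DROP
  "$IPTABLES" -P FORWARD DROP

  echo "Allow unlimited traffic on the loopback interface"
  "$IPTABLES" -A INPUT -i lo -j ACCEPT
  "$IPTABLES" -A OUTPUT -o lo -j ACCEPT

  echo "setting INPUT and OUTPUT policy"
  # Inbound: only replies to connections the host itself started.
  "$IPTABLES" -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  "$IPTABLES" -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

  echo "setting FORWARD policy"
  # LAN hosts may open connections towards the outside; the outside may
  # only answer them.
  "$IPTABLES" -A FORWARD -i "$EXTIF" -m state --state RELATED,ESTABLISHED \
    -j ACCEPT
  "$IPTABLES" -A FORWARD -i "$INTIF" -m state --state NEW,RELATED,ESTABLISHED \
    -j ACCEPT

  echo "setting nat"
  "$IPTABLES" -t nat -I POSTROUTING -s "$INTERNALNET" -o "$EXTIF" -j MASQUERADE

  echo "setting LOG"
  "$IPTABLES" -N LOG_REPORT
  # Rate-limit the LOG rules so a packet flood cannot fill the syslog.
  # Packets over the limit skip the LOG rule and still hit the final DROP.
  "$IPTABLES" -A LOG_REPORT -p tcp -m limit --limit 5/minute \
    -j LOG --log-level info --log-prefix "TCP DUMP"
  "$IPTABLES" -A LOG_REPORT -p udp -m limit --limit 5/minute \
    -j LOG --log-level info --log-prefix "UDP DUMP"
  "$IPTABLES" -A LOG_REPORT -p icmp -m limit --limit 5/minute \
    -j LOG --log-level info --log-prefix "ICMP DUMP"
  "$IPTABLES" -A LOG_REPORT -j DROP
  # Nothing jumped to LOG_REPORT in the original, so the chain never logged
  # anything. Send whatever the rules above did not accept through it; the
  # result is the same as the DROP policy, but recorded.
  "$IPTABLES" -A INPUT -j LOG_REPORT
  "$IPTABLES" -A FORWARD -j LOG_REPORT
}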
# Tear the firewall down by delegating to the distribution's iptables init
# script. NOTE(review): what "clear" does here (flush the rules only, or also
# reset the DROP policies installed by start) depends on that script and is
# not visible in this file — confirm on the target box, otherwise
# INPUT/OUTPUT/FORWARD may remain at DROP after "stop".
stop () {
/etc/init.d/iptables clear
}
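# Dispatch on the init-script verb passed as $1.
# $NAME was never assigned anywhere in this script, so the original usage
# line printed a bare "/etc/init.d/"; report the script's own path instead,
# and send the usage message to stderr like any other diagnostic.
case "$1" in
  start)
    echo "Starting firewall"
    start
    ;;
  stop)
    echo "Stopping firewall"
    stop
    ;;
  *)
    echo "Usage: $0 {start|stop}" >&2
    exit 1
    ;;
esac
exit 0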
Ciao Mario