In verita' il mio scriptino e' cosi: #!/bin/sh IPT="/sbin/iptables" INT="ppp0" $IPT -F $IPT -F INPUT $IPT -F OUTPUT $IPT -F FORWARD $IPT -F -t mangle $IPT -F -t nat $IPT -X $IPT -P INPUT DROP $IPT -P OUTPUT ACCEPT $IPT -P FORWARD ACCEPT echo 1 > /proc/sys/net/ipv4/ip_forward $IPT -t nat -A POSTROUTING -o $INT -j MASQUERADE -s 192.168.0.0/24 -d 0/0 $IPT -A FORWARD -i $INT -m state --state NEW,INVALID -j DROP $IPT -t nat -A PREROUTING -s 0/0 -i $INT -p tcp --dport 22 -j DNAT --to-dest 192.168.0.1 # Now, our firewall chain. We use the limit commands to # cap the rate at which it alerts to 15 log messages per minute. $IPT -N firewall $IPT -A firewall -m limit --limit 15/minute -j LOG --log-prefix Firewall: $IPT -A firewall -j DROP # Now, our dropwall chain, for the final catchall filter. $IPT -N dropwall $IPT -A dropwall -m limit --limit 15/minute -j LOG --log-prefix Dropwall: $IPT -A dropwall -j DROP # Our "hey, them's some bad tcp flags!" chain. $IPT -N badflags $IPT -A badflags -m limit --limit 15/minute -j LOG --log-prefix Badflags: $IPT -A badflags -j DROP # And our silent logging chain. $IPT -N silent $IPT -A silent -j DROP # This rule will accept connections from local machines. If you have # a home network, enter in the IP's of the machines on the # network below. $IPT -A INPUT -i lo -j ACCEPT $IPT -A INPUT -i eth0 -s 192.168.0.0/255.255.255.0 -d 192.168.0.254 -p all -j ACCEPT # Drop those nasty packets! These are all TCP flag # combinations that should never, ever occur in the # wild. All of these are illegal combinations that # are used to attack a box in various ways, so we # just drop them and log them here. $IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j badflags $IPT -A INPUT -p tcp --tcp-flags ALL ALL -j badflags $IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j badflags $IPT -A INPUT -p tcp --tcp-flags ALL NONE -j badflags $IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j badflags $IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j badflags # Drop icmp, but only after letting certain types through. $IPT -A INPUT -p icmp --icmp-type 0 -j ACCEPT $IPT -A INPUT -p icmp --icmp-type 3 -j ACCEPT $IPT -A INPUT -p icmp --icmp-type 11 -j ACCEPT $IPT -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT $IPT -A INPUT -p icmp -j firewall #apro le porte per www posta mule e bittorrent $IPT -A INPUT -i $INT -s 0/0 -d 0/0 -p tcp --dport 80 -j ACCEPT $IPT -A INPUT -i $INT -s 0/0 -d 0/0 -p tcp --dport 25 -j ACCEPT $IPT -A INPUT -i $INT -s 0/0 -d 0/0 -p tcp --dport 110 -j ACCEPT $IPT -A INPUT -i $INT -s 0/0 -d 0/0 -p tcp --dport 4662:4664 -j ACCEPT $IPT -A INPUT -i $INT -s 0/0 -d 0/0 -p udp --dport 4672 -j ACCEPT $IPT -A INPUT -i $INT -s 0/0 -d 0/0 -p tcp --dport 6880:6889 -j ACCEPT # Lets do some basic state-matching. This allows us # to accept related and established connections, so # client-side things like ftp work properly, for example. $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT # Uncomment to drop port 137 netbios packets silently. # We don't like that netbios stuff, and it's way too # spammy with windows machines on the network. $IPT -A INPUT -p udp --sport 137 --dport 137 -j silent # Our final trap. Everything on INPUT goes to the dropwall # so we don't get silent drops. $IPT -A INPUT -j dropwall ma non ridirige un bel niente sulla mia macchina interna (adesso sto facendo le prove con ssh, ma poi voglio ridirigere le porte per far andare gnomemeeting) idee? Ciao! -- Per iscriversi (o disiscriversi), basta spedire un messaggio con OGGETTO "subscribe" (o "unsubscribe") a mailto:linuxtrent-request@xxxxxxxxxxxxx