On Sun, 28 Mar 2004 11:22:31 +0200 Paolo Arnaldo Dallari <paolo.arnaldo@xxxxxxxxxxx> wrote: PAD> Ciao a tutti, ho qualche problemino col firewall che ho settato per PAD> una macchina server connessa 24h su 24, PAD> Ti allego un firewall che ho modificato da una versione che mi ha dato Bova, l'originale non la possiedo più :-( Spero che possa esserti utile! -- Ciao Samu
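#! /bin/sh
#-------------------------------------------------------------------------------
# Firewall for "Samuserver": a Linux box that is up 24h a day with one LAN
# interface and a PPP link to the Internet, routing and masquerading the LAN.
#
# Chain policies: INPUT and FORWARD default to DROP, OUTPUT defaults to ACCEPT.
# Every iptables call goes through fw(), which reports a rejected rule on
# stderr but keeps going, as the original script did.  Must run as root.
#-------------------------------------------------------------------------------
# An undefined interface variable would otherwise expand to nothing and turn
# "-i $VAR" into a broken (or interface-less) rule without any notice.
set -u

# fw ARGS... : run iptables, reporting a rejected rule without aborting.
fw() {
  iptables "$@" || printf 'firewall: rule rejected: iptables %s\n' "$*" >&2
}

# set_proc PATH VALUE : write one kernel tunable, reporting a missing file.
set_proc() {
  if [ -w "$1" ]; then
    printf '%s\n' "$2" > "$1"
  else
    printf 'firewall: cannot write %s\n' "$1" >&2
  fi
}

#-------------------------------------------------------------------------------
# Script variables
#
# Interfaces
#-------------------------------------------------------------------------------
printf 'Setting up firewall rules...\n'
IF_LAN="eth0"         # inside network
INTERNET="ppp0"       # link to the Internet; LAN traffic is masqueraded on it
IF_WAN=""             # optional third interface (the WAN rules below are only
                      # installed when this is set; the original script used
                      # $IF_WAN without ever defining it)
IP_LAN="192.168.0.1"  # this host's LAN address (not referenced by any rule)
printf '\t\tdone\n'

#-------------------------------------------------------------------------------
# Adjust /proc
#-------------------------------------------------------------------------------
printf '\t\tAdjusting /proc'
set_proc /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 1
set_proc /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 1
set_proc /proc/sys/net/ipv4/conf/all/secure_redirects 1
# A router should neither honour nor advertise ICMP redirects.
set_proc /proc/sys/net/ipv4/conf/all/accept_redirects 0
set_proc /proc/sys/net/ipv4/conf/all/send_redirects 0
set_proc /proc/sys/net/ipv4/tcp_syncookies 1
# Was 1 in the original: accepting source-routed packets lets the sender choose
# the path through this box and bypass the normal routing decision.
set_proc /proc/sys/net/ipv4/conf/all/accept_source_route 0
set_proc /proc/sys/net/ipv4/conf/all/forwarding 1
# Was 0 in the original: logging packets with impossible source addresses is
# cheap and is the only trace rp_filter leaves when it drops something.
set_proc /proc/sys/net/ipv4/conf/all/log_martians 1
set_proc /proc/sys/net/ipv4/conf/all/rp_filter 1
set_proc /proc/sys/net/ipv4/ip_forward 1
printf '\t\t\t\t\tdone\n'

#-------------------------------------------------------------------------------
# Flush existing settings
#-------------------------------------------------------------------------------
printf '\t\tFlushing existing settings'
fw -F INPUT
fw -F OUTPUT
fw -F FORWARD
fw -t nat -F
fw -t mangle -F
printf '\t\t\tdone\n'

#-------------------------------------------------------------------------------
# Table policies
#-------------------------------------------------------------------------------
printf '\t\tSetting up tables policies'
fw -P INPUT DROP
fw -P OUTPUT ACCEPT
fw -P FORWARD DROP
printf '\t\t\tdone\n'

#-------------------------------------------------------------------------------
# Loopback traffic
#-------------------------------------------------------------------------------
fw -A INPUT -i lo -j ACCEPT
fw -A OUTPUT -o lo -j ACCEPT

#-------------------------------------------------------------------------------
# Icmp settings
#
# Echo requests larger than 128 bytes are dropped and the rest rate-limited to
# one per second; everything else falls through to the chain policy.
#-------------------------------------------------------------------------------
printf '\t\tSetting up icmp rules'

# Connections to Samuserver
fw -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
fw -A INPUT -p icmp --icmp-type echo-request -m length --length 128:65535 -j DROP
fw -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

# Connections from Samuserver
fw -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# For more security, in a corporate setting, I remove NEW from the allowed
# states so Samuserver never pings anything "on its own initiative".
# (With OUTPUT policy ACCEPT that only matters once the policy is changed.)
fw -A OUTPUT -p icmp --icmp-type echo-request -m length --length 128:65535 -j DROP
fw -A OUTPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

# Connections through Samuserver
fw -A FORWARD -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
fw -A FORWARD -i "$IF_LAN" -p icmp --icmp-type echo-request -m length --length 128:65535 -j DROP
fw -A FORWARD -i "$IF_LAN" -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
if [ -n "$IF_WAN" ]; then
  fw -A FORWARD -i "$IF_WAN" -p icmp --icmp-type echo-request -m length --length 128:65535 -j DROP
  fw -A FORWARD -i "$IF_WAN" -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
fi
fw -A FORWARD -i "$INTERNET" -p icmp --icmp-type destination-unreachable -m limit --limit 1/s -j ACCEPT
fw -A FORWARD -i "$INTERNET" -p icmp --icmp-type redirect -m limit --limit 1/s -j ACCEPT
fw -A FORWARD -i "$INTERNET" -p icmp --icmp-type time-exceeded -m limit --limit 1/s -j ACCEPT
printf '\t\t\t\tdone\n'

#-------------------------------------------------------------------------------
# Filter settings
#-------------------------------------------------------------------------------
printf '\t\tSetting up FILTER rules'

# Connections from LAN to Samuserver
fw -A INPUT -i "$IF_LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
fw -A INPUT -i "$IF_LAN" -p tcp --dport 21 -j ACCEPT
fw -A INPUT -i "$IF_LAN" -p tcp --dport 22 -j ACCEPT
fw -A INPUT -i "$IF_LAN" -p tcp --dport 80 -j ACCEPT
fw -A INPUT -i "$IF_LAN" -p tcp --dport 8080 -j ACCEPT
# Add other ports here if you need them; with just these rules the LAN reaches
# only ftp, ssh, http and 8080 on the server.

# Connections from Samuserver to LAN (templates; OUTPUT policy is ACCEPT, so
# these only matter if that policy is changed to DROP)
#fw -A OUTPUT -o "$IF_LAN" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#fw -A OUTPUT -o "$IF_LAN" -p tcp --dport 22 -j ACCEPT
# Same story here: I remove NEW. If you need other ports it is the usual drill.

# Connections from WAN to Samuserver (templates for the optional interface)
#fw -A INPUT -i "$IF_WAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
#fw -A INPUT -i "$IF_WAN" -p tcp --dport 21 -j ACCEPT
#fw -A INPUT -i "$IF_WAN" -p tcp --dport 22 -j ACCEPT
#fw -A INPUT -i "$IF_WAN" -p tcp --dport 80 -j ACCEPT
#fw -A INPUT -i "$IF_WAN" -p tcp --dport 8080 -j ACCEPT
# Add other ports here if you need them.

# Connections from Samuserver to WAN (templates)
#fw -A OUTPUT -o "$IF_WAN" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#fw -A OUTPUT -o "$IF_WAN" -p tcp --dport 22 -j ACCEPT
# Same story here: I remove NEW. If you need other ports it is the usual drill.

# Connections from INTERNET to Samuserver.
# Only replies to existing connections plus the ports listed below are
# accepted.  The original state rule also matched NEW, which accepted every
# new connection from the Internet to this host and made both the per-port
# rules and the INPUT DROP policy irrelevant for traffic arriving on $INTERNET.
fw -A INPUT -i "$INTERNET" -m state --state ESTABLISHED,RELATED -j ACCEPT
# NOTE(review): FTP data connections only match RELATED when the ftp conntrack
# helper module is loaded -- confirm on this kernel before relying on port 21.
fw -A INPUT -i "$INTERNET" -p tcp --dport 21 -j ACCEPT
fw -A INPUT -i "$INTERNET" -p tcp --dport 22 -j ACCEPT
fw -A INPUT -i "$INTERNET" -p tcp --dport 80 -j ACCEPT
fw -A INPUT -i "$INTERNET" -p tcp --dport 4662 -j ACCEPT
fw -A INPUT -i "$INTERNET" -p udp --dport 4672 -j ACCEPT

# Connections from Samuserver to INTERNET (templates; see the OUTPUT note above)
#fw -A OUTPUT -o "$INTERNET" -m state --state ESTABLISHED,RELATED -j ACCEPT
#fw -A OUTPUT -o "$INTERNET" -p tcp -m multiport --dports 20,21 -j ACCEPT
#fw -A OUTPUT -o "$INTERNET" -p tcp --dport 21 -j ACCEPT
#fw -A OUTPUT -o "$INTERNET" -p tcp --dport 22 -j ACCEPT
#fw -A OUTPUT -o "$INTERNET" -p tcp --dport 25 -j ACCEPT
#fw -A OUTPUT -o "$INTERNET" -p tcp --dport 53 -j ACCEPT
#fw -A OUTPUT -o "$INTERNET" -p udp --dport 53 -j ACCEPT
#fw -A OUTPUT -o "$INTERNET" -p tcp --dport 80 -j ACCEPT
#fw -A OUTPUT -o "$INTERNET" -p udp --dport 123 -j ACCEPT
#fw -A OUTPUT -o "$INTERNET" -p tcp --dport 4662 -j ACCEPT
#fw -A OUTPUT -o "$INTERNET" -p udp --dport 4672 -j ACCEPT

# Connections from LAN to INTERNET
fw -A FORWARD -i "$IF_LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
fw -A FORWARD -i "$IF_LAN" -p tcp -m multiport --dports 20,21 -j ACCEPT
fw -A FORWARD -i "$IF_LAN" -p tcp --dport 21 -j ACCEPT
fw -A FORWARD -i "$IF_LAN" -p tcp --dport 22 -j ACCEPT
fw -A FORWARD -i "$IF_LAN" -p tcp --dport 25 -j ACCEPT
fw -A FORWARD -i "$IF_LAN" -p tcp --dport 53 -j ACCEPT
fw -A FORWARD -i "$IF_LAN" -p udp --dport 53 -j ACCEPT
fw -A FORWARD -i "$IF_LAN" -p tcp --dport 80 -j ACCEPT
fw -A FORWARD -i "$IF_LAN" -p tcp --dport 110 -j ACCEPT
fw -A FORWARD -i "$IF_LAN" -p udp --dport 123 -j ACCEPT
fw -A FORWARD -i "$IF_LAN" -p tcp --dport 143 -j ACCEPT
fw -A FORWARD -i "$IF_LAN" -p tcp --dport 443 -j ACCEPT
fw -A FORWARD -i "$IF_LAN" -p tcp --dport 6346 -j ACCEPT
fw -A FORWARD -i "$IF_LAN" -p tcp -m multiport --dports 9000,9001 -j ACCEPT

# Connections from INTERNET to LAN
fw -A FORWARD -i "$INTERNET" -m state --state ESTABLISHED,RELATED -j ACCEPT
# NOTE(review): the NAT section below has no DNAT rule, so it is unclear which
# LAN host new 6346 connections from the Internet are meant to reach.
fw -A FORWARD -i "$INTERNET" -p tcp --dport 6346 -j ACCEPT

# Connections from WAN to INTERNET (templates for the optional interface)
#fw -A FORWARD -i "$IF_WAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
#fw -A FORWARD -i "$IF_WAN" -p tcp -m multiport --dports 20,21 -j ACCEPT
#fw -A FORWARD -i "$IF_WAN" -p tcp --dport 21 -j ACCEPT
#fw -A FORWARD -i "$IF_WAN" -p tcp --dport 22 -j ACCEPT
#fw -A FORWARD -i "$IF_WAN" -p tcp --dport 25 -j ACCEPT
#fw -A FORWARD -i "$IF_WAN" -p tcp --dport 53 -j ACCEPT
#fw -A FORWARD -i "$IF_WAN" -p udp --dport 53 -j ACCEPT
#fw -A FORWARD -i "$IF_WAN" -p tcp --dport 80 -j ACCEPT
#fw -A FORWARD -i "$IF_WAN" -p tcp --dport 110 -j ACCEPT
#fw -A FORWARD -i "$IF_WAN" -p udp --dport 123 -j ACCEPT
#fw -A FORWARD -i "$IF_WAN" -p tcp --dport 143 -j ACCEPT
#fw -A FORWARD -i "$IF_WAN" -p tcp --dport 443 -j ACCEPT
#fw -A FORWARD -i "$IF_WAN" -p tcp --dport 6346 -j ACCEPT
#fw -A FORWARD -i "$IF_WAN" -p tcp -m multiport --dports 9000,9001 -j ACCEPT

# Connections from INTERNET to WAN (template)
#fw -A FORWARD -i "$INTERNET" -m state --state ESTABLISHED,RELATED -j ACCEPT
printf '\t\t\t\tdone\n'

#-------------------------------------------------------------------------------
# NAT settings
#-------------------------------------------------------------------------------
printf '\t\tSetting up NAT rules'
# SNAT rules
fw -t nat -A POSTROUTING -o "$INTERNET" -j MASQUERADE
# DNAT rules (none)
printf '\t\t\t\tdone\n'

#-------------------------------------------------------------------------------
# TOS settings
#-------------------------------------------------------------------------------
printf '\t\tSetting up TOS rules'
# tcp
fw -t mangle -A PREROUTING -p tcp -m tcp -m multiport --dports 21,22,80 -j TOS --set-tos 0x10
fw -t mangle -A PREROUTING -p tcp -m tcp -m multiport --dports 20,25,143 -j TOS --set-tos 0x08
fw -t mangle -A PREROUTING -p tcp -m tcp -m multiport --dports 53,110 -j TOS --set-tos 0x04
# udp
fw -t mangle -A PREROUTING -p udp -m udp -m multiport --dports 53,110 -j TOS --set-tos 0x04
fw -t mangle -A PREROUTING -p udp -m udp -m multiport --dports 143 -j TOS --set-tos 0x08
printf '\t\t\t\tdone\n'
#-------------------------------------------------------------------------------
printf 'The firewall is up.\n'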