[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Riminilug-general] problema con iptables

To: riminilug-general@xxxxxxxxxxxx
Subject: [Riminilug-general] problema con iptables
From: zorrito <zorro@xxxxxxxxxxxx>
Date: Sun, 08 Apr 2007 15:39:28 +0200
Delivered-to: battarsa@xxxxxxxx
Delivered-to: riminilug-general@xxxxxxxxxxxxxxxxx
List-archive: <http://riminilug.it/mailman/private/riminilug-general>
List-help: <mailto:riminilug-general-request@riminilug.it?subject=help>
List-id: <riminilug-general.riminilug.it>
List-post: <mailto:riminilug-general@riminilug.it>
List-subscribe: <http://riminilug.it/mailman/listinfo/riminilug-general>, <mailto:riminilug-general-request@riminilug.it?subject=subscribe>
List-unsubscribe: <http://riminilug.it/mailman/listinfo/riminilug-general>, <mailto:riminilug-general-request@riminilug.it?subject=unsubscribe>
Openpgp: id=982A09D0
Reply-to: riminilug-general@xxxxxxxxxxxx
Sender: riminilug-general-bounces@xxxxxxxxxxxx
User-agent: Icedove 1.5.0.10 (X11/20070328)

sto generando delle regole per blindare una macchina che è connessa alla
rete:
ho trovato delle belle cose in rete e le ho riunite in un file che vi
allego:

#!/bin/bash

modprobe ip_tables
modprobe iptable_nat
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe ipt_LOG
modprobe ipt_MARK
modprobe ipt_MASQUERADE
modprobe ipt_REDIRECT
modprobe ipt_REJECT
modprobe ipt_TOS
modprobe ipt_limit
modprobe ipt_mark
modprobe ipt_multiport
modprobe ipt_mac
modprobe ipt_state
modprobe ipt_tos
modprobe iptable_mangle

# Cancello tutte le precedenti configurazioni
iptables -F
iptables -X
iptables -Z

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT

#protezione dal syn-flood
iptables -N syn-flood
iptables -A INPUT -i eth0 -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A syn-flood -j DROP
iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP

# Vieto i frammenti
iptables -A INPUT -i eth0 -f -j DROP

 iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# echo 1 > /proc/sys/net/ipv4/ip_forward

#aMule
iptables -A INPUT -p tcp --dport 4667 -j ACCEPT
iptables -A INPUT -p udp --dport 4662 -j ACCEPT
iptables -A INPUT -p udp --dport 4675 -j ACCEPT

# DNS
iptables -A INPUT -i eth0 -s 212.216.162.222 -m state --state
ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -s 212.216.172.222 -m state --state
ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -d 212.216.162.222 -m state --state
NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -d 212.216.172.222 -m state --state
NEW,ESTABLISHED -j ACCEPT

# SSH
iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED
-j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state
NEW,ESTABLISHED -j ACCEPT

iptables -A INPUT -i ! eth0 -m state --state NEW,ESTABLISHED,RELATED -j
ACCEPT
iptables -A FORWARD -i ! eth0 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o ! eth0 -m state --state NEW,ESTABLISHED,RELATED -j
ACCEPT

# WWW
iptables -A OUTPUT -o eth0 -p tcp --dport 80 -m state --state
NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 8080 -m state --state
NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 443 -m state --state
NEW,ESTABLISHED -j ACCEPT

# XCHAT
iptables -A INPUT -i eth0 -p tcp --sport 6667 -m state --state
ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 6667 -m state --state
NEW,ESTABLISHED -j ACCEPT

# ICMP
iptables -A INPUT -i eth0 -p icmp -m state --state ESTABLISHED,RELATED
-j ACCEPT
iptables -A OUTPUT -o eth0 -p icmp -m state --state
NEW,ESTABLISHED,RELATED -j ACCEPT

# PARANOIA
iptables -A INPUT -i eth0 -j LOG --log-prefix "IPTABLES PROTOCOL-X-IN: "
iptables -A INPUT -i eth0 -j DROP

# Attivo l'IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Permetto qualsiasi traffico tra eth0
iptables -N 192.168.1.0
iptables -A INPUT -i eth0 -p all -j 192.168.1.0
iptables -A OUTPUT -o eth0 -p all -j 192.168.1.0
iptables -A FORWARD -o eth0 -p all -j 192.168.1.0
iptables -A FORWARD -i eth0 -p all -j 192.168.1.0
iptables -A 192.168.1.0 -i eth0 -j ACCEPT
iptables -A 192.168.1.0 -o eth0 -j ACCEPT

#omar
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 192.168.1.254 --dport
4665 -j DNAT --to 192.168.1.9:4665
iptables -A FORWARD -p tcp -i eth0 -d 192.168.1.9 --dport 4665 -j ACCEPT
iptables -t nat -A PREROUTING -p udp -i eth0 -d 192.168.1.254 --dport
4672 -j DNAT --to 192.168.1.9:4672
iptables -A FORWARD -p udp -i eth0 -d 192.168.1.9 --dport 4672 -j ACCEPT

iptables -A INPUT -i eth0 -p tcp -m multiport --dports 4665,18491 --syn
-j ACCEPT
iptables -A INPUT -i eth0 -p udp -m multiport --dports 4672,18491 -j ACCEPT


quando lancio lo script mi restituisce questo errore:

Bad argument `iptables'
Try iptables -h ........

se qualcuno ha un'idea di dove possa stare l'errore mi farebbe un grande
piacere

ciao
buona pasqua a tutti
michele

_______________________________________________
Riminilug-general mailing list
Riminilug-general@xxxxxxxxxxxx
http://riminilug.it/mailman/listinfo/riminilug-general

Follow-Ups:
- Re: [Riminilug-general] problema con iptables
  - From: Alessandro Carichini

Prev by Date: Re: [Riminilug-general] Trova e sostituisci testo usando la shell
Next by Date: Re: [Riminilug-general] problema con iptables
Previous by thread: Re: [Riminilug-general] Trova e sostituisci testo usando la shell
Next by thread: Re: [Riminilug-general] problema con iptables
Index(es):
- Date
- Thread