Re: [Riminilug-general] problema con iptables
Hai provato a lanciarli singolarmente a mano per vedere quale ti dà
l'errore?
ciao e Buona Pasqua
Alessandro
> sto generando delle regole per blindare una macchina che è connessa alla
> rete:
> ho trovato delle belle cose in rete e le ho riunite in un file che vi
> allego:
>
> #!/bin/bash
> # NOTE(review): quoted firewall script, reviewed in place. The reported message
> # "Bad argument `iptables'" is what iptables prints when it receives an
> # unexpected positional word - here the literal word "iptables" - which most
> # likely means two rules ended up on a single line (a missing newline between
> # them). Conversely, several rules below are shown wrapped across two lines
> # ("--state" at the end of one line, "ESTABLISHED -j ACCEPT" on the next); if
> # the file on disk is wrapped the same way, each such rule is two broken
> # commands. Check the line breaks around every long rule first.
>
> modprobe ip_tables
> modprobe iptable_nat
> modprobe ip_conntrack
> modprobe ip_conntrack_ftp
> modprobe ip_nat_ftp
> modprobe ipt_LOG
> modprobe ipt_MARK
> modprobe ipt_MASQUERADE
> modprobe ipt_REDIRECT
> modprobe ipt_REJECT
> modprobe ipt_TOS
> modprobe ipt_limit
> modprobe ipt_mark
> modprobe ipt_multiport
> modprobe ipt_mac
> modprobe ipt_state
> modprobe ipt_tos
> modprobe iptable_mangle
>
> # Flush all previous configuration
> # NOTE(review): without "-t", -F/-X/-Z only touch the filter table. The nat
> # rules appended further down (MASQUERADE, the two DNATs) are never flushed,
> # so every run of this script adds duplicate nat entries.
> iptables -F
> iptables -X
> iptables -Z
>
> # NOTE(review): default-deny on all three chains; everything allowed must be
> # listed explicitly below, and rule order decides what is reachable.
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT DROP
>
> # Kernel hardening: ignore broadcast pings, refuse source routing and ICMP
> # redirects, ignore bogus ICMP errors, log packets with impossible source
> # addresses.
> echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
> echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
> echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
> echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
> echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
>
> # Replies to connections this host opened are accepted on any interface.
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> # NOTE(review): loopback is accepted only for 127.0.0.0/8 <-> 127.0.0.0/8.
> # A local client talking to the host's own eth0 address also travels over lo
> # and is not matched here, so it falls through to the DROP policy.
> iptables -A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
> # NOTE(review): accepts every ICMP type on every interface; the "# ICMP" INPUT
> # rule further down is therefore never reached.
> iptables -A INPUT -p icmp -j ACCEPT
>
> # SYN-flood protection
> # NOTE(review): every SYN arriving on eth0 passes through the limit
> # (1/s, burst 4), so legitimate new connections are rate-limited as well,
> # not only floods.
> iptables -N syn-flood
> iptables -A INPUT -i eth0 -p tcp --syn -j syn-flood
> iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
> iptables -A syn-flood -j DROP
> # A NEW TCP connection must start with a SYN; drop anything else.
> iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP
>
> # Drop fragments
> iptables -A INPUT -i eth0 -f -j DROP
>
> # NOTE(review): appended to the nat table on every run (see the flush note).
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>
> # echo 1 > /proc/sys/net/ipv4/ip_forward
>
> #aMule
> # NOTE(review): inbound aMule ports are accepted on every interface, not only
> # eth0; placed before the PARANOIA drop, so they are reachable.
> iptables -A INPUT -p tcp --dport 4667 -j ACCEPT
> iptables -A INPUT -p udp --dport 4662 -j ACCEPT
> iptables -A INPUT -p udp --dport 4675 -j ACCEPT
>
> # DNS
> # NOTE(review): no "-p"/"--dport", so these allow any protocol and port to/from
> # the two resolver addresses, not just DNS. The INPUT halves are redundant
> # with the general ESTABLISHED,RELATED rule above. Shown wrapped - see the
> # note at the top.
> iptables -A INPUT -i eth0 -s 212.216.162.222 -m state --state
> ESTABLISHED -j ACCEPT
> iptables -A INPUT -i eth0 -s 212.216.172.222 -m state --state
> ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -o eth0 -d 212.216.162.222 -m state --state
> NEW,ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -o eth0 -d 212.216.172.222 -m state --state
> NEW,ESTABLISHED -j ACCEPT
>
> # SSH
> # NOTE(review): outbound SSH client only (OUTPUT --dport 22); no inbound SSH
> # server is opened by these rules.
> iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED
> -j ACCEPT
> iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state
> NEW,ESTABLISHED -j ACCEPT
>
> # NOTE(review): "-i ! eth0" is the old negation spelling ("! -i eth0" in
> # newer iptables). These three rules open INPUT, FORWARD and OUTPUT for every
> # interface other than eth0, including lo.
> iptables -A INPUT -i ! eth0 -m state --state NEW,ESTABLISHED,RELATED -j
> ACCEPT
> iptables -A FORWARD -i ! eth0 -m state --state NEW -j ACCEPT
> iptables -A OUTPUT -o ! eth0 -m state --state NEW,ESTABLISHED,RELATED -j
> ACCEPT
>
> # WWW
> iptables -A OUTPUT -o eth0 -p tcp --dport 80 -m state --state
> NEW,ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -o eth0 -p tcp --dport 8080 -m state --state
> NEW,ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -o eth0 -p tcp --dport 443 -m state --state
> NEW,ESTABLISHED -j ACCEPT
>
> # XCHAT
> iptables -A INPUT -i eth0 -p tcp --sport 6667 -m state --state
> ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -o eth0 -p tcp --dport 6667 -m state --state
> NEW,ESTABLISHED -j ACCEPT
>
> # ICMP
> # NOTE(review): the INPUT rule is shadowed by the unconditional "-p icmp"
> # accept near the top.
> iptables -A INPUT -i eth0 -p icmp -m state --state ESTABLISHED,RELATED
> -j ACCEPT
> iptables -A OUTPUT -o eth0 -p icmp -m state --state
> NEW,ESTABLISHED,RELATED -j ACCEPT
>
> # PARANOIA
> # NOTE(review): the LOG rule has no "-m limit", so every unmatched packet on
> # eth0 produces a kernel log line and a remote sender can fill the logs;
> # add a limit match in front of it. Everything appended to INPUT for eth0
> # after the DROP below (the 192.168.1.0 chain jump and the multiport rules at
> # the end) is unreachable.
> iptables -A INPUT -i eth0 -j LOG --log-prefix "IPTABLES PROTOCOL-X-IN: "
> iptables -A INPUT -i eth0 -j DROP
>
> # Enable IP forwarding
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> # Allow any traffic on eth0
> # NOTE(review): the chain named 192.168.1.0 accepts every packet entering or
> # leaving eth0. In INPUT the jump is never reached (see PARANOIA), but in
> # OUTPUT and FORWARD it is, so all the per-service OUTPUT rules above are
> # made moot and, with ip_forward now on, any forwarded packet that enters or
> # leaves eth0 is accepted - the opposite of the DROP policies set at the top.
> # Which side eth0 faces is not clear from the script alone: MASQUERADE goes
> # out eth0, yet 192.168.1.254 is also addressed on eth0 in the DNAT rules.
> iptables -N 192.168.1.0
> iptables -A INPUT -i eth0 -p all -j 192.168.1.0
> iptables -A OUTPUT -o eth0 -p all -j 192.168.1.0
> iptables -A FORWARD -o eth0 -p all -j 192.168.1.0
> iptables -A FORWARD -i eth0 -p all -j 192.168.1.0
> iptables -A 192.168.1.0 -i eth0 -j ACCEPT
> iptables -A 192.168.1.0 -o eth0 -j ACCEPT
>
> #omar
> # Port forwards 4665/tcp and 4672/udp, arriving on eth0 for 192.168.1.254,
> # to 192.168.1.9. NOTE(review): the two FORWARD accepts are already covered
> # by the accept-all chain above; the DNATs are appended on every run.
> iptables -t nat -A PREROUTING -p tcp -i eth0 -d 192.168.1.254 --dport
> 4665 -j DNAT --to 192.168.1.9:4665
> iptables -A FORWARD -p tcp -i eth0 -d 192.168.1.9 --dport 4665 -j ACCEPT
> iptables -t nat -A PREROUTING -p udp -i eth0 -d 192.168.1.254 --dport
> 4672 -j DNAT --to 192.168.1.9:4672
> iptables -A FORWARD -p udp -i eth0 -d 192.168.1.9 --dport 4672 -j ACCEPT
>
> # NOTE(review): unreachable - INPUT traffic on eth0 is already dropped by the
> # PARANOIA rule; move these above it if they are meant to take effect.
> iptables -A INPUT -i eth0 -p tcp -m multiport --dports 4665,18491 --syn
> -j ACCEPT
> iptables -A INPUT -i eth0 -p udp -m multiport --dports 4672,18491 -j ACCEPT
>
>
> quando lancio lo script mi restituisce questo errore:
>
> Bad argument `iptables'
> Try iptables -h ........
>
> se qualcuno ha un'idea di dove possa stare l'errore mi farebbe un grande
> piacere
>
> ciao
> buona pasqua a tutti
> michele
>
>
>