
R: firewall e ip pubblici

Consadori Andrea consadoria a pierreconsulting.net
Mer 20 Ago 2003 07:50:31 UTC
Dite che, per iniziare, un ruleset e un logset così sono accettabili? (Is a ruleset and a logging setup like this acceptable as a starting point?)


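#!/bin/sh
# NAT router / packet filter for a two-NIC Linux box (iptables, 2.4-era).
#   $LAN_NIC (eth0) faces the LAN 192.168.0.0/24 and is masqueraded out of
#   $WAN_NIC (eth1); an extra "public" alias on $WAN_NIC is DNAT'ed to a web
#   server on the LAN.  Must run as root.  The whole ruleset is rebuilt on
#   every run, so the script can simply be re-executed after an edit.
#
# Changes against the posted version, all commented in place below:
#   - comment lines and long iptables commands that the mail client had
#     wrapped onto bare lines (which the shell would try to execute) re-joined;
#   - loopback accepted on INPUT; ESTABLISHED,RELATED accepted on OUTPUT;
#   - Webmin limited to the LAN side; FORWARD rule for the port forward pinned
#     to WAN->LAN and to the DNAT target; MASQUERADE pinned to $WAN_NIC;
#   - LOG rules rate limited; rp_filter enabled.

# Stop routing while the rules are rebuilt: nothing is forwarded between the
# flush below and the moment the new rules are in place.
echo 0 > /proc/sys/net/ipv4/ip_forward

LAN_IP_NET='192.168.0.0/24'    # posted as 192.168.0.1/24; iptables masks it to this same network
LAN_NIC='eth0'
WAN_IP='192.168.10.221'        # primary address on $WAN_NIC; not referenced by any rule below
WAN_NIC='eth1'
PUBLIC_IP='192.168.10.253'     # alias added to $WAN_NIC, DNAT'ed to $WEB_SERVER_IP
WEB_SERVER_IP='192.168.0.253'  # LAN host that receives tcp/80 arriving at $PUBLIC_IP
FORWARD_IP='192.168.0.222'     # NOTE(review): set but never used in the posted script; the
                               # DNAT target there is 192.168.0.253 -- confirm which is intended

# Bring up the public alias.  On a re-run this prints "RTNETLINK answers:
# File exists" because the address is already configured; that is harmless.
ip addr add "$PUBLIC_IP" dev "$WAN_NIC"

# Core iptables module plus the conntrack/NAT helpers for active FTP.
modprobe ip_tables
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp

# Flush both tables, delete user-defined chains and zero the counters so a
# re-run starts from a clean slate.
iptables -t nat -F
iptables -t nat -X
iptables -F
iptables -X
iptables -Z

#-------PROTECTION------------

# Default-deny for inbound and forwarded traffic.  Because the policy is DROP,
# a re-run only ever produces a short window in which wanted packets are
# refused, never one in which unwanted packets get through.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Kernel-side hardening.
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts      # don't become a Smurf amplifier
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route     # source routing lets an outsider pose as an inside host
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians            # log spoofed / source-routed / redirected packets
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter               # drop packets whose source is not routable back via the ingress interface (added)

# Masquerade LAN hosts out of the WAN interface only, and let their traffic
# through the router.
iptables -t nat -A POSTROUTING -s "$LAN_IP_NET" -o "$WAN_NIC" -j MASQUERADE
iptables -A FORWARD -i "$LAN_NIC" -s "$LAN_IP_NET" -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#----------RULESET-----------

# Loopback must be accepted explicitly: the INPUT policy is DROP and no other
# rule below matches "-i lo", so local services talking to 127.0.0.1 would
# otherwise be cut off.
iptables -A INPUT -i lo -j ACCEPT

# Services running on the router itself.
# SSH is accepted on every interface; narrow it with "-s <management net>"
# if the administrators always come from a known address range.
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Webmin (tcp/10000) is a root-equivalent web console: accept it from the LAN
# side only instead of exposing it on the WAN as the posted rule did.
iptables -A INPUT -i "$LAN_NIC" -p tcp --dport 10000 -j ACCEPT

# Drop NetBIOS/SMB chatter silently so it does not flood the log rules below.
for port in 137 138 139; do
  iptables -A INPUT -p tcp --dport "$port" -j DROP
  iptables -A INPUT -p udp --dport "$port" -j DROP
done

# Replies and related traffic for connections the router itself accepted...
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ...and the same on the way out of the WAN interface.  The posted script had
# no such rule, so the reply packets of an SSH session arriving on $WAN_NIC
# were caught by the TCP-OUT catch-all below and dropped.
iptables -A OUTPUT -o "$WAN_NIC" -m state --state ESTABLISHED,RELATED -j ACCEPT

# Port forward: tcp/80 arriving on the public alias goes to the LAN web server.
# The FORWARD rule is pinned to the WAN->LAN direction and to the DNAT target,
# so it does not open tcp/80 towards every host the router can reach.
iptables -t nat -A PREROUTING -i "$WAN_NIC" -d "$PUBLIC_IP" -p tcp --dport 80 \
  -j DNAT --to-destination "$WEB_SERVER_IP:80"
iptables -A FORWARD -i "$WAN_NIC" -o "$LAN_NIC" -d "$WEB_SERVER_IP" -p tcp --dport 80 -j ACCEPT

#----------LOG-----------

# log_drop CHAIN TAG MATCH...: append "MATCH -j LOG" (rate limited so a flood
# from the WAN cannot fill syslog / the disk) followed by "MATCH -j DROP".
log_drop() {
  chain=$1
  tag=$2
  shift 2
  iptables -A "$chain" "$@" -m limit --limit 5/min --limit-burst 10 \
    -j LOG --log-prefix "IPTABLES $tag: "
  iptables -A "$chain" "$@" -j DROP
}

# Anything on the WAN interface not accepted above is logged, then dropped.
# NEW connections originated by the router itself out of $WAN_NIC are dropped
# as well (as in the posted script); add explicit OUTPUT accepts above this
# point if the router needs e.g. DNS or NTP on the WAN side.
log_drop INPUT  UDP-IN         -i "$WAN_NIC" -p udp
log_drop OUTPUT UDP-OUT        -o "$WAN_NIC" -p udp
log_drop INPUT  ICMP-IN        -i "$WAN_NIC" -p icmp
log_drop OUTPUT ICMP-OUT       -o "$WAN_NIC" -p icmp
log_drop INPUT  TCP-IN         -i "$WAN_NIC" -p tcp
log_drop OUTPUT TCP-OUT        -o "$WAN_NIC" -p tcp
# Remaining protocols would hit the DROP policy anyway; log them to be safe.
log_drop INPUT  PROTOCOL-X-IN  -i "$WAN_NIC"
log_drop OUTPUT PROTOCOL-X-OUT -o "$WAN_NIC"

# Rules are in place: enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward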



