Problema iptables

[pilovis]

Gia' che ci siamo ancora qualche regoletta

# Disabilitare i ping in ingresso:
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

# Per bloccare una porta in uscita (es. 80)
iptables -A FORWARD -p tcp --dport 80 -o eth0 -j DROP

# per bloccare un dominio
# ad esempio per bloccare www.sex.com
iptables -A OUTPUT -d www.sex.com -p tcp -j DROP

# ignore_bogus_error_responses
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Ignore_broadcast
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

[anna.elisa]

OK ho risolto!!!!!
Grazie alle tue tre regole il tutto funziona.

Il client continuava a navigare perchè ho posizionato nel posto sbalgiato (sotto queste regole) il drop della porta 80.

Spostandolo ora naviga se è accept e non naviga se metto drop.

Grazie ancora.

Visto che ci siamo....
Ultima domanda...
come faccio a chiudere le porte di skype e msn??? Entrambe ho letto che accedono utilizzando la porta 80 (e altre).
Se chiudo la porta 80 il client non naviga. C'è un modo per bloccarlo senza dover chiudere questa porta

Ciao
Anna

[pilovis]

# No ECN
echo 0 > /proc/sys/net/ipv4/tcp_ecn

# No-IP-Forward
echo 0 > /proc/sys/net/ipv4/ip_forward

# NO_NETBIOS NO_SAMBA
iptables -t nat -A PREROUTING -p TCP -i eth1 --dport 135:139 -j DROP
iptables -t nat -A PREROUTING -p UDP -i eth1 --dport 137:139 -j DROP
iptables -t nat -A PREROUTING -p TCP -i eth1 --dport 445 -j DROP
iptables -t nat -A PREROUTING -p UDP -i eth1 --dport 445 -j DROP

[pilovis]

# Remote_Desktop
# Apre la porta Terminal Service verso una macchina interna
# 192.168.1.x IP di ingresso firewall
# 10.0.0.x IP uscita firewall
# 10.0.0.2 macchina interna su cui indirizzare la porta

iptables -t nat -A PREROUTING -d 192.168.1.x -p tcp --dport 3389 -j DNAT --to-destination 10.0.0.2:3389

[pilovis]

# VPN
# Apre una VPN verso una macchina interna
# eth0 192.168.1.5
# eth1 10.0.0.1
# 10.0.0.22 macchina interna che ha il server VPN

iptables -A FORWARD -p gre -d 10.0.0.22 -j ACCEPT
iptables -A FORWARD -p tcp --dport 1723 -d 10.0.0.22 -j ACCEPT
iptables -A PREROUTING -t nat -p gre -d 192.168.1.5 -j DNAT --to-destination 10.0.0.22
iptables -A PREROUTING -t nat -p tcp --dport 1723 -d 192.168.1.5 -j DNAT --to-destination 10.0.0.22:1723

[anna.elisa]

per quanto riguarda la parte di samba penso di non usarla perchè ho appunto n divisioni samba nella rete, per quanto riguarda Skype ed msn, utilizzo questo:

# No ECN
echo 0 > /proc/sys/net/ipv4/tcp_ecn

Ma non devo chiudere delle porte?

ciao e grazie

[pilovis]

e per finire un firewall da manuale, il meglio che c'e' (in Inglese)

--------------------------------------------------


#!/bin/sh
# $Id: dedfirewall.sh,v 1.8 2003/12/11 13:44:39 rws Exp $


###### CONFIGURATION

# All configuration entries can be made in /etc/firewall.conf

# Log what appears to be scans
logscans="NO"

#####
# Limit incoming connections to ports specified
strictincoming="NO" # Recommended
# Ports you can configure, should you say yes
webserver="YES"
mailserver="YES"
ftpserver="YES"
rtspserver="NO"
nameserver="YES"
sshlogin="YES"
telnetlogin="NO"
rlogin="NO"
remotemysql="NO"
#For any other incoming TCP port needed, please specify here:
customports="YES"

######
# The general philosophy is to be paranoid for incoming,
# but loose for outgoing. The following rules affect this.

# Restrict outgoing ports, which are generally not allowed
# Currently only blocks well known IRC ports.
restrictoutgoing="NO" # Recommended


# This is used for ratelimiting outbound packets.
# Keep this machine from trying to confuse one of the routers
limit="3333" # Per second, unset for none

# Suck in site-based config, if it exists.
if [ -r /etc/firewall.conf ]; then
. /etc/firewall.conf
fi

################################################## ###################

# Do not block us!
internal="192.168.1.0/23"

# This should probably not be changed.
fwcmd="/sbin/iptables"

${fwcmd} -F OUTPUT
${fwcmd} -F INPUT

# Want SYN cookies
#echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Do not want to forward
echo 0 > /proc/sys/net/ipv4/ip_forward
# Do not want ECN
echo 0 > /proc/sys/net/ipv4/tcp_ecn

# Setup Local net
# Allow 127/8 IN via lo
${fwcmd} -A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
# Allow 127/8 OUT via lo
${fwcmd} -A OUTPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -o lo -j ACCEPT
# No 127/8 anywhere else.
${fwcmd} -A INPUT -s 127.0.0.0/8 -j DROP
${fwcmd} -A OUTPUT -d 127.0.0.0/8 -j DROP

# RFC3330 For a more complete summary
# RFC1918 private nets: 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
# DHCP Autoconf: 169.254.0.0/16
# RFC1700: 0.0.0.0/8
# Multicast: 224.0.0.0/4 240.0.0.0/4
# "TEST-NET": 192.0.2.0/24
iptables -N BADNETS
iptables -F BADNETS

# To supply additional bad networks, please put them in /etc/firewall.conf.
# Comments are nice!
badnets="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 0.0.0.0/8
169.254.0.0/16 192.0.2.0/24 224.0.0.0/4 240.0.0.0/4"
for net in ${badnets} ${localbadnets}; do
${fwcmd} -A BADNETS -s ${net} -j DROP
${fwcmd} -A BADNETS -d ${net} -j DROP
done

iptables -I INPUT -j BADNETS
iptables -I OUTPUT -j BADNETS

if [ ${logscans} = "YES" ]; then
${fwcmd} -N SCAN
${fwcmd} -F SCAN

# Ping Scans
${fwcmd} -A SCAN -p icmp --icmp-type echo-request -m limit --limit 5/minute -j LOG --log-prefix ':FW:PingScan:'
# Stealth scans (Disabled, too many false positives)
#${fwcmd} -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 5 -j LOG --log-level info --log-prefix ':FW:StealthScan:'
# XMAS Scan
${fwcmd} -A SCAN -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 5/m -j LOG --log-level info --log-prefix ':FW:XMASScan:'
# SYN/RST Scan
${fwcmd} -A SCAN -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/m -j LOG --log-level info --log-prefix ':FW:SYN/RSTScan:'
# SYN/FIN Scan
${fwcmd} -A SCAN -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m -j LOG --log-level info --log-prefix ':FW:SYN/FINScan:'

${fwcmd} -A INPUT -j SCAN
fi

# ICMP (commented out, no longer doing any ICMP filtering)
# Echo
#${fwcmd} -A INPUT -p icmp --icmp-type 0 -j ACCEPT
#${fwcmd} -A INPUT -p icmp --icmp-type 8 -j ACCEPT
# Host unreachable
#${fwcmd} -A INPUT -p icmp --icmp-type 3 -j ACCEPT
# Traceroute
#${fwcmd} -A INPUT -p icmp --icmp-type 11 -j ACCEPT
#${fwcmd} -A INPUT -p icmp --icmp-type 30 -j ACCEPT

if [ ${restrictoutgoing} = "YES" ]; then
${fwcmd} -N BADPORTS
${fwcmd} -F BADPORTS
# IRC
${fwcmd} -A BADPORTS -p tcp --dport 6660:6669 -j LOG -m limit --limit 5/m --log-level info --log-prefix ":FW:IRC-Client:"
${fwcmd} -A BADPORTS -p tcp --dport 6660:6669 -j DROP
${fwcmd} -A BADPORTS -p tcp --sport 6660:6669 -j LOG -m limit --limit 5/m --log-level info --log-prefix ":FW:IRC-Server:"
${fwcmd} -A BADPORTS -p tcp --sport 6660:6669 -j DROP

# Common source of no-good
${fwcmd} -A BADPORTS -p tcp --dport 13337 -j DROP

# These are not windows machines
${fwcmd} -A BADPORTS -p tcp --dport 138:139 -j DROP

${fwcmd} -A INPUT -j BADPORTS
${fwcmd} -A OUTPUT -j BADPORTS

#${fwcmd} -A OUTPUT -p tcp --dport 6660:6669 --syn -j DROP
# Restrict user running httpd to only http* outbound
#echo ${fwcmd} -A OUTPUT -m owner -p tcp --sport 80 --uid-owner ${httpuser} -j ACCEPT
#${fwcmd} -A OUTPUT -p tcp -m owner --uid-owner ${httpuser} --sport 443 --syn -j ACCEPT
#${fwcmd} -A OUTPUT -p tcp -s 127.0.0.0/8 -m owner --uid-owner ${httpuser} --syn -j ACCEPT
fi

if [ -n ${limit} ]; then
${fwcmd} -N RATE
${fwcmd} -F RATE

# Limit outgoing packets to ~ $limit/sec, bursting up to $limit/3 to allow legit traffic
limitburst="$(( ${limit} / 3 ))"
${fwcmd} -A RATE -m limit --limit ${limit}/second --limit-burst ${limitburst} -j RETURN
${fwcmd} -A RATE -j LOG -m limit --limit 5/m --log-level info --log-prefix ":FW:PacketRate:"
${fwcmd} -A RATE -j DROP

${fwcmd} -I INPUT -j RATE
${fwcmd} -I OUTPUT -j RATE
fi

# Why would a new connection "forget" their SYN flag?
${fwcmd} -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

if [ ${strictincoming} = "YES" ]; then
${fwcmd} -N GOODPORTS
${fwcmd} -F GOODPORTS

# Established connections can continue to stay that way.
${fwcmd} -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

mytcpports=""
myudpports=""

if [ ${webserver} = "YES" ]; then
mytcpports="${mytcpports} 80 443"
fi

if [ ${ftpserver} = "YES" ]; then
mytcpports="${mytcpports} 20 21"
fi

if [ ${mailserver} = "YES" ]; then
mytcpports="${mytcpports} 25 110 143"
fi

if [ ${sshlogin} = "YES" ]; then
mytcpports="${mytcpports} 22"
fi

if [ ${telnetlogin} = "YES" ]; then
mytcpports="${mytcpports} 23"
fi

if [ ${rlogin} = "YES" ]; then
mytcpports="${mytcpports} 513 514"
fi

if [ ${remotemysql} = "YES" ]; then
mytcpports="${mytcpports} 3306"
fi

if [ ${nameserver} = "YES" ]; then
mytcpports="${mytcpports} 53"
myudpports="${myudpports} 53"
fi
if [ ${rtspserver} = "YES" ]; then
mytcpports="${mytcpports} 554 3030 7070 7802 7878 8080 20903"
myudpports="${myudpports} 9875"
fi

myports="${myports} ${customports}10001 20001"

for port in ${mytcpports}; do
${fwcmd} -A GOODPORTS -p tcp --dport ${port} --syn -j ACCEPT
done

for port in ${myudpports}; do
${fwcmd} -A GOODPORTS -p udp --dport ${port} -j ACCEPT
done

${fwcmd} -A INPUT -j GOODPORTS
${fwcmd} -P INPUT DROP
else
${fwcmd} -P INPUT ACCEPT
fi

# Allow internal connections to all
if [ -n ${internal} ]; then
${fwcmd} -I INPUT -s ${internal} -j ACCEPT
${fwcmd} -I OUTPUT -d ${internal} -j ACCEPT
fi

${fwcmd} -P FORWARD DROP
${fwcmd} -P OUTPUT ACCEPT

[anna.elisa]

un po sopra la mia portata VVoVe: , ma ora me lo studio sicuramente

grazie grazie mille

ciao anna

[pilovis]

Skype utilizza le porte 80 443 e 1024
Msn la porta 1863

[pilovis]

# Apertura porta DNS
iptables -A INPUT -p tcp --dport 53 -j ACCEPT

Il servizio DNS e' su porta 53 ma anche udp, apri sia la tcp che la udp