#Default bloccare tutto e consentire quello che conosciamo
iptables -P INPUT -j DROP
iptables -P FORWARD -j DROP
iptables -P OUTPUT -j DROP
# Frammenti e pacchetti non validi
iptables -A INPUT -f -j DROP
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -f -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
#Si permette alla rete locale di dialogare con il firewall e di accedere #all’esterno:
iptables -A INPUT -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -s 127.0.0.1 -j ACCEPT
# anti-spoofing rules
iptables -A INPUT -i eth0 -s ! $INT_NET -j LOG --log-prefix "SPOOFED PKT "
iptables -A INPUT -i eth0 -s ! $INT_NET -j DROP
#abilito porte web
iptables -A OUTPUT -m state --state NEW -p tcp --dport 8118 -j ACCEPT
iptables -A OUTPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -m state --state NEW -p udp --dport 80 -j ACCEPT
iptables -A OUTPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT
iptables -A OUTPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
#abilitazione traffico relativo a pacchetti in risposta
iptables -A INPUT -p tcp -i eth0 -m state --state ESTABLISHED,RELATED --sport 80 -j ACCEPT
iptables -A INPUT -p udp -i eth0 -m state --state ESTABLISHED,RELATED --sport 80 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 -m state --state ESTABLISHED,RELATED --sport 443 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 -m state --state ESTABLISHED,RELATED --sport 53 -j ACCEPT
iptables -A INPUT -p udp -i eth0 -m state --state ESTABLISHED,RELATED --sport 53 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 -m state --state ESTABLISHED,RELATED --sport 8118 -j ACCEPT
#pacchetti icmp
iptables -A INPUT -p icmp -j DROP
# Drop invalid packets immediately
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
#rifiuta i seguenti pacchetti
iptables -A INPUT -s 10.0.0.0/8 -j DROP
iptables -A INPUT -s 169.254.0.0/16 -j DROP
iptables -A INPUT -s 172.16.0.0/12 -j DROP
iptables -A INPUT -s 127.0.0.0/8 -j DROP
iptables -A INPUT -s 224.0.0.0/4 -j DROP
iptables -A INPUT -d 224.0.0.0/4 -j DROP
iptables -A INPUT -s 240.0.0.0/5 -j DROP
iptables -A INPUT -d 240.0.0.0/5 -j DROP
iptables -A INPUT -s 0.0.0.0/8 -j DROP
iptables -A INPUT -d 0.0.0.0/8 -j DROP
iptables -A INPUT -d 239.255.255.0/24 -j DROP
iptables -A INPUT -d 255.255.255.255 -j DROP
#Drop & log dei pacchetti pericolosi bad
iptables -A INPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
iptables -A INPUT -p tcp -m state --state INVALID -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
iptables -A INPUT -p tcp -m tcp --dport 137:139 -j DROP
iptables -A INPUT -p tcp -m tcp --sport 137:139 -j DROP
iptables -A INPUT -p tcp -m tcp --dport 2049 -j DROP
iptables -A INPUT -p tcp -m tcp --sport 2049 -j DROP
iptables -A INPUT -p tcp -m tcp --dport 6000:6063 -j DROP
iptables -A INPUT -p tcp -m tcp --sport 6000:6063 -j DROP
iptables -A INPUT -p tcp -m tcp --dport 20034 -j DROP
iptables -A INPUT -p tcp -m tcp --sport 20034 -j DROP
iptables -A INPUT -p tcp -m tcp --sport 12345:12346 -j DROP
iptables -A INPUT -p tcp -m tcp --dport 27374 -j DROP
iptables -A INPUT -p tcp -m tcp --sport 27374 -j DROP
# chiusura porte non necessarie
iptables -A INPUT -p tcp --sport 1:52 -j DROP
iptables -A INPUT -p tcp --sport 54:79 -j DROP
iptables -A INPUT -p tcp --sport 81:442 -j DROP
iptables -A INPUT -p tcp --sport 444:8117 -j DROP
iptables -A INPUT -p tcp --sport 8119:65535 -j DROP
iptables -A INPUT -p udp --sport 1:52 -j DROP
iptables -A INPUT -p udp --sport 54:79 -j DROP
iptables -A INPUT -p udp --sport 81:442 -j DROP
iptables -A INPUT -p udp --sport 444:8117 -j DROP
iptables -A INPUT -p udp --sport 8119:65535 -j DROP
è un po lunga lo so... dove sbaglio secondo voi?
altra domanda : bloccare le porte alte da iptables (10000-65535) pare non piacere al router , perchè?
grazie a tutti