:: Sicurezza nelle Reti - Prova Pratica - Febbraio 2010 ::
Script iptables
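#!/bin/sh
# iptables ruleset for the "Sicurezza nelle Reti" practical exam (February 2010).
#
# Host firewall for one machine: default-deny on every chain, loopback open,
# one blacklisted network logged and dropped, TCP from this host to the
# instructor's PC allowed (passive FTP included), inbound SSH logged and dropped.
#
# Usage: save as <name>.sh, `chmod +x <name>.sh`, run as a user allowed to call
# iptables through sudo (or as root). Every rule logs before it acts, so the
# kernel log (dmesg / kern.log) shows which rule fired; the "mat.xxx" tag in the
# prefixes is meant to be replaced with the student's matriculation number.
#
# Review notes -- behaviour changes with respect to the original version:
#  * FTP control-channel replies are matched on --sport 21. This host is the FTP
#    *client*, so packets coming back from the server carry SOURCE port 21; the
#    original --dport 21 INPUT rule could never match.
#  * The port-21 and passive-data rules are appended BEFORE the "any TCP to the
#    instructor PC" catch-all. In the original order the catch-all accepted (and
#    logged as "z.transfer") every FTP packet, so the FTP log lines never appeared.
#  * The catch-all now has its own inbound reply rule; before, replies were only
#    accepted because they happened to hit the passive-data rule (dport >= 1024).
#  * Blacklist and SSH rules carry no --state filter any more: INVALID/RELATED
#    packets from those sources were dropped by the policy without being logged.
#  * The INPUT passive-data LOG prefix said "out ftpcmd"; it now says "in ftpdati".

# Abort on the first failing command. A half-applied ruleset with DROP policies
# is fail-closed, which is the safe direction, but it must not go unnoticed.
set -eu

readonly ETH_IFACE="eth1"
readonly ETH_IP="192.168.1.104"
readonly PC_DOCENTE="192.168.1.1"     # instructor's PC
# The original wrote 121.34.22.12/24; iptables masks the host bits, so this is
# the same network written canonically.
readonly BLACKLIST="121.34.22.0/24"
readonly LO_IFACE="lo"
# shellcheck disable=SC2034  # unused (loopback rules match on the interface), kept as in the original
readonly LO_IP="127.0.0.1"
readonly IPTABLES="/sbin/iptables"

# Single wrapper so privilege escalation and the binary path live in one place.
ipt() {
    sudo "$IPTABLES" "$@"
}

# --- 2) flush the filter table (nat/mangle/raw are not touched by this script) ---
ipt -F INPUT
ipt -F OUTPUT
ipt -F FORWARD

# --- 3) default deny on every chain; loopback is the only unconditional exception ---
ipt -P INPUT   DROP
ipt -P OUTPUT  DROP
ipt -P FORWARD DROP
ipt -A INPUT  -i "$LO_IFACE" -j ACCEPT
ipt -A OUTPUT -o "$LO_IFACE" -j ACCEPT

# --- point 1: blacklisted network -> log, then drop (TCP and UDP logged apart) ---
# Deliberately no --state match: every blacklisted packet, whatever conntrack
# thinks of it, must reach the log before it is dropped.
# NOTE(review): these LOG rules can be used to flood the log from the blacklist;
# add `-m limit --limit 5/min --limit-burst 10` to them if that is a concern.
ipt -A INPUT -i "$ETH_IFACE" -p tcp -s "$BLACKLIST" -d "$ETH_IP" \
    -j LOG --log-prefix "[mat.xxx in tcpnoblacklist]"
ipt -A INPUT -i "$ETH_IFACE" -p tcp -s "$BLACKLIST" -d "$ETH_IP" -j DROP
ipt -A INPUT -i "$ETH_IFACE" -p udp -s "$BLACKLIST" -d "$ETH_IP" \
    -j LOG --log-prefix "[mat.xxx in udpnoblacklist]"
ipt -A INPUT -i "$ETH_IFACE" -p udp -s "$BLACKLIST" -d "$ETH_IP" -j DROP

# --- point 3: passive FTP to the instructor's PC, control channel (tcp/21) ---
# Placed before the point-2 catch-all so FTP traffic is logged under its own
# prefix. Outbound: this host opens the connection (NEW) and keeps using it
# (ESTABLISHED). Inbound: replies only, and replies come FROM port 21.
ipt -A OUTPUT -o "$ETH_IFACE" -p tcp -s "$ETH_IP" -d "$PC_DOCENTE" --dport 21 \
    -m state --state NEW,ESTABLISHED -j LOG --log-prefix "[mat.xxx out ftpcmd]"
ipt -A OUTPUT -o "$ETH_IFACE" -p tcp -s "$ETH_IP" -d "$PC_DOCENTE" --dport 21 \
    -m state --state NEW,ESTABLISHED -j ACCEPT
ipt -A INPUT  -i "$ETH_IFACE" -p tcp -s "$PC_DOCENTE" -d "$ETH_IP" --sport 21 \
    -m state --state ESTABLISHED,RELATED -j LOG --log-prefix "[mat.xxx in ftpcmd]"
ipt -A INPUT  -i "$ETH_IFACE" -p tcp -s "$PC_DOCENTE" -d "$ETH_IP" --sport 21 \
    -m state --state ESTABLISHED,RELATED -j ACCEPT

# --- point 3: passive FTP data channel (this host -> server high port) ---
# The first packet of a passive data connection is classified RELATED only when
# the FTP conntrack helper is loaded (nf_conntrack_ftp; ip_conntrack_ftp on
# older kernels). Without the helper that packet is NEW, so it is let through
# by the point-2 catch-all instead: FTP still works but is logged as z.transfer.
ipt -A OUTPUT -o "$ETH_IFACE" -p tcp -s "$ETH_IP" -d "$PC_DOCENTE" --dport 1024:65535 \
    -m state --state ESTABLISHED,RELATED -j LOG --log-prefix "[mat.xxx out ftpdati]"
ipt -A OUTPUT -o "$ETH_IFACE" -p tcp -s "$ETH_IP" -d "$PC_DOCENTE" --dport 1024:65535 \
    -m state --state ESTABLISHED,RELATED -j ACCEPT
ipt -A INPUT  -i "$ETH_IFACE" -p tcp -s "$PC_DOCENTE" -d "$ETH_IP" --dport 1024:65535 \
    -m state --state ESTABLISHED,RELATED -j LOG --log-prefix "[mat.xxx in ftpdati]"
ipt -A INPUT  -i "$ETH_IFACE" -p tcp -s "$PC_DOCENTE" -d "$ETH_IP" --dport 1024:65535 \
    -m state --state ESTABLISHED,RELATED -j ACCEPT

# --- point 2: any TCP from this host to the instructor's PC ---
# NOTE(review): the log prefix suggests a DNS zone transfer (tcp/53). If that is
# all the exercise asks for, add `--dport 53` to the two OUTPUT rules below;
# as written, every TCP service on the instructor's PC is reachable.
ipt -A OUTPUT -o "$ETH_IFACE" -p tcp -s "$ETH_IP" -d "$PC_DOCENTE" \
    -m state --state NEW,ESTABLISHED -j LOG --log-prefix "[mat.xxx out z.transfer]"
ipt -A OUTPUT -o "$ETH_IFACE" -p tcp -s "$ETH_IP" -d "$PC_DOCENTE" \
    -m state --state NEW,ESTABLISHED -j ACCEPT
# Replies to those connections only (ESTABLISHED, never NEW): the instructor's
# PC still cannot open anything towards this host.
ipt -A INPUT -i "$ETH_IFACE" -p tcp -s "$PC_DOCENTE" -d "$ETH_IP" \
    -m state --state ESTABLISHED -j LOG --log-prefix "[mat.xxx in z.transfer]"
ipt -A INPUT -i "$ETH_IFACE" -p tcp -s "$PC_DOCENTE" -d "$ETH_IP" \
    -m state --state ESTABLISHED -j ACCEPT

# --- point 4: inbound SSH is logged and dropped ---
# The INPUT policy would drop it anyway; the explicit rule exists for the log.
ipt -A INPUT -i "$ETH_IFACE" -p tcp -d "$ETH_IP" --dport 22 \
    -j LOG --log-prefix "[mat.xxx in nossh]"
ipt -A INPUT -i "$ETH_IFACE" -p tcp -d "$ETH_IP" --dport 22 -j DROP

# Outbound ICMP "protocol unreachable" is let out.
# NOTE(review): DROP produces no ICMP, so nothing in this script generates the
# message this rule allows (the kernel sends it on its own for IP protocols it
# has no handler for). If the exercise wanted SSH *rejected* with that message,
# replace the DROP above with `-j REJECT --reject-with icmp-proto-unreachable`.
ipt -A OUTPUT -o "$ETH_IFACE" -p icmp --icmp-type protocol-unreachable -s "$ETH_IP" \
    -j LOG --log-prefix "[mat.xxx out protunreach]"
ipt -A OUTPUT -o "$ETH_IFACE" -p icmp --icmp-type protocol-unreachable -s "$ETH_IP" \
    -j ACCEPT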