Sicurezza nelle Reti - Prova Pratica - Febbraio 2010


Uni.SNR-PP-Febbraio2010 History


Added lines 5-6:
Added lines 7-8:
Changed line 16 from:
  1. //RICORDATI CHE QUESTO FILE VA SALVATO IN .sh E RESO ESEGUIBILE CON chmod +x nomefile!!\\
to:
  1. RICORDATI CHE QUESTO FILE VA SALVATO IN .sh E RESO ESEGUIBILE CON chmod +x nomefile!!\\
Changed lines 6-7 from:

/bin/sh

to:
  1. !/bin/sh
Changed line 32 from:

@punto 1\\

to:
  1. punto 1\\
Changed line 39 from:

@punto 2\\

to:
  1. punto 2\\
Changed line 43 from:

@punto 3 ftp passivo cmd\\

to:
  1. punto 3 ftp passivo cmd\\
Changed line 50 from:

@punto 3 ftp passivo dati\\

to:
  1. punto 3 ftp passivo dati\\
Changed line 57 from:

@punto 4\\

to:
  1. punto 4\\
Changed lines 6-7 from:

1 !/bin/sh

to:

/bin/sh

Changed line 16 from:

//RICORDATI CHE QUESTO FILE VA SALVATO IN .sh E RESO ESEGUIBILE CON chmod +x nomefile!!\\

to:
  1. //RICORDATI CHE QUESTO FILE VA SALVATO IN .sh E RESO ESEGUIBILE CON chmod +x nomefile!!\\
Changed line 18 from:

2 pulizia \\

to:
  1. 2 pulizia \\
Changed line 23 from:

3 policies \\

to:
  1. 3 policies \\
April 18, 2011, at 06:01 PM by davidep - su richiesta di valdemar dal forum, la pagina wiki dell'esame di febbraio 2010
Changed lines 31-63 from:
  1. punto 1

$IPTABLES -A INPUT -i $ETH_IFACE -m state --state NEW,ESTABLISHED -p tcp -d $ETH_IP -s $BLACKLIST -j LOG --log-prefix "[mat.xxx in tcpnoblacklist]" $IPTABLES -A INPUT -i $ETH_IFACE -m state --state NEW,ESTABLISHED -p tcp -d $ETH_IP -s $BLACKLIST -j DROP

$IPTABLES -A INPUT -i $ETH_IFACE -p udp -d $ETH_IP -s $BLACKLIST -j LOG --log-prefix "[mat.xxx in udpnoblacklist]" $IPTABLES -A INPUT -i $ETH_IFACE -p udp -d $ETH_IP -s $BLACKLIST -j DROP

  1. punto 2

$IPTABLES -A OUTPUT -o $ETH_IFACE -m state --state NEW,ESTABLISHED -p tcp -d $PC_DOCENTE -s $ETH_IP -j LOG --log-prefix "[mat.xxx out z.transfer]" $IPTABLES -A OUTPUT -o $ETH_IFACE -m state --state NEW,ESTABLISHED -p tcp -d $PC_DOCENTE -s $ETH_IP -j ACCEPT

  1. punto 3 ftp passivo cmd

$IPTABLES -A OUTPUT -o $ETH_IFACE -m state --state NEW,ESTABLISHED -p tcp -d $PC_DOCENTE -s $ETH_IP --dport 21 -j LOG --log-prefix "[mat.xxx out ftpcmd]" $IPTABLES -A OUTPUT -o $ETH_IFACE -m state --state NEW,ESTABLISHED -p tcp -d $PC_DOCENTE -s $ETH_IP --dport 21 -j ACCEPT

$IPTABLES -A INPUT -i $ETH_IFACE -m state --state ESTABLISHED,RELATED -p tcp -d $ETH_IP -s $PC_DOCENTE --dport 21 -j LOG --log-prefix "[mat.xxx in ftpcmd]" $IPTABLES -A INPUT -i $ETH_IFACE -m state --state ESTABLISHED,RELATED -p tcp -d $ETH_IP -s $PC_DOCENTE --dport 21 -j ACCEPT

  1. punto 3 ftp passivo dati

$IPTABLES -A OUTPUT -o $ETH_IFACE -m state --state ESTABLISHED,RELATED -p tcp -d $PC_DOCENTE -s $ETH_IP --dport 1024:65535 -j LOG --log-prefix "[mat.xxx out ftpdati]" $IPTABLES -A OUTPUT -o $ETH_IFACE -m state --state ESTABLISHED,RELATED -p tcp -d $PC_DOCENTE -s $ETH_IP --dport 1024:65535 -j ACCEPT

$IPTABLES -A INPUT -i $ETH_IFACE -m state --state ESTABLISHED,RELATED -p tcp -d $ETH_IP -s $PC_DOCENTE --dport 1024:65535 -j LOG --log-prefix "[mat.xxx out ftpcmd]" $IPTABLES -A INPUT -i $ETH_IFACE -m state --state ESTABLISHED,RELATED -p tcp -d $ETH_IP -s $PC_DOCENTE --dport 1024:65535 -j ACCEPT

  1. punto 4

$IPTABLES -A INPUT -i $ETH_IFACE -m state --state NEW,ESTABLISHED -p tcp -d $ETH_IP --dport 22 -j LOG --log-prefix "[mat.xxx in nossh]" $IPTABLES -A INPUT -i $ETH_IFACE -m state --state NEW,ESTABLISHED -p tcp -d $ETH_IP --dport 22 -j DROP

$IPTABLES -A OUTPUT -o $ETH_IFACE -p icmp --icmp-type protocol-unreachable -s $ETH_IP -j LOG --log-prefix "[mat.xxx out protunreach]" $IPTABLES -A OUTPUT -o $ETH_IFACE -p icmp --icmp-type protocol-unreachable -s $ETH_IP -j ACCEPT

to:


@punto 1
$IPTABLES -A INPUT -i $ETH_IFACE -m state --state NEW,ESTABLISHED -p tcp -d $ETH_IP -s $BLACKLIST -j LOG --log-prefix "[mat.xxx in tcpnoblacklist]"
$IPTABLES -A INPUT -i $ETH_IFACE -m state --state NEW,ESTABLISHED -p tcp -d $ETH_IP -s $BLACKLIST -j DROP

$IPTABLES -A INPUT -i $ETH_IFACE -p udp -d $ETH_IP -s $BLACKLIST -j LOG --log-prefix "[mat.xxx in udpnoblacklist]"
$IPTABLES -A INPUT -i $ETH_IFACE -p udp -d $ETH_IP -s $BLACKLIST -j DROP

@punto 2
$IPTABLES -A OUTPUT -o $ETH_IFACE -m state --state NEW,ESTABLISHED -p tcp -d $PC_DOCENTE -s $ETH_IP -j LOG --log-prefix "[mat.xxx out z.transfer]"
$IPTABLES -A OUTPUT -o $ETH_IFACE -m state --state NEW,ESTABLISHED -p tcp -d $PC_DOCENTE -s $ETH_IP -j ACCEPT

@punto 3 ftp passivo cmd
$IPTABLES -A OUTPUT -o $ETH_IFACE -m state --state NEW,ESTABLISHED -p tcp -d $PC_DOCENTE -s $ETH_IP --dport 21 -j LOG --log-prefix "[mat.xxx out ftpcmd]"
$IPTABLES -A OUTPUT -o $ETH_IFACE -m state --state NEW,ESTABLISHED -p tcp -d $PC_DOCENTE -s $ETH_IP --dport 21 -j ACCEPT

$IPTABLES -A INPUT -i $ETH_IFACE -m state --state ESTABLISHED,RELATED -p tcp -d $ETH_IP -s $PC_DOCENTE --dport 21 -j LOG --log-prefix "[mat.xxx in ftpcmd]"
$IPTABLES -A INPUT -i $ETH_IFACE -m state --state ESTABLISHED,RELATED -p tcp -d $ETH_IP -s $PC_DOCENTE --dport 21 -j ACCEPT

@punto 3 ftp passivo dati
$IPTABLES -A OUTPUT -o $ETH_IFACE -m state --state ESTABLISHED,RELATED -p tcp -d $PC_DOCENTE -s $ETH_IP --dport 1024:65535 -j LOG --log-prefix "[mat.xxx out ftpdati]"
$IPTABLES -A OUTPUT -o $ETH_IFACE -m state --state ESTABLISHED,RELATED -p tcp -d $PC_DOCENTE -s $ETH_IP --dport 1024:65535 -j ACCEPT

$IPTABLES -A INPUT -i $ETH_IFACE -m state --state ESTABLISHED,RELATED -p tcp -d $ETH_IP -s $PC_DOCENTE --dport 1024:65535 -j LOG --log-prefix "[mat.xxx out ftpcmd]"
$IPTABLES -A INPUT -i $ETH_IFACE -m state --state ESTABLISHED,RELATED -p tcp -d $ETH_IP -s $PC_DOCENTE --dport 1024:65535 -j ACCEPT

@punto 4
$IPTABLES -A INPUT -i $ETH_IFACE -m state --state NEW,ESTABLISHED -p tcp -d $ETH_IP --dport 22 -j LOG --log-prefix "[mat.xxx in nossh]"
$IPTABLES -A INPUT -i $ETH_IFACE -m state --state NEW,ESTABLISHED -p tcp -d $ETH_IP --dport 22 -j DROP

$IPTABLES -A OUTPUT -o $ETH_IFACE -p icmp --icmp-type protocol-unreachable -s $ETH_IP -j LOG --log-prefix "[mat.xxx out protunreach]"
$IPTABLES -A OUTPUT -o $ETH_IFACE -p icmp --icmp-type protocol-unreachable -s $ETH_IP -j ACCEPT\\
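Review bot: The INPUT rule for the passive-FTP data channel in "punto 3 ftp passivo dati" is logged with the prefix `"[mat.xxx out ftpcmd]"`, which labels inbound data-channel packets as outbound command-channel ones; the surrounding rules use in/out and ftpcmd/ftpdati consistently, so that line should read `$IPTABLES -A INPUT -i $ETH_IFACE -m state --state ESTABLISHED,RELATED -p tcp -d $ETH_IP -s $PC_DOCENTE --dport 1024:65535 -j LOG --log-prefix "[mat.xxx in ftpdati]"`. The prefix is the only thing that identifies which rule fired in the kernel log, so a copy-pasted prefix makes the log misleading when checking the ruleset. The same wrong prefix is present in the original version of the script further down the page (the "Added lines 1-64" section) and would need the same correction if that revision were restored.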

April 18, 2011, at 05:59 PM by davidep - su richiesta di valdemar dal forum, la pagina wiki dell'esame di febbraio 2010
Added lines 1-64:

(:title Sicurezza nelle Reti - Prova Pratica - Febbraio 2010:)

 :: Sicurezza nelle Reti - Prova Pratica - Febbraio 2010 ::

Script iptables

1 !/bin/sh

ETH_IFACE="eth1"
ETH_IP="192.168.1.104"
PC_DOCENTE="192.168.1.1"
BLACKLIST="121.34.22.12/24"
LO_IFACE="lo"
LO_IP="127.0.0.1"

IPTABLES="sudo /sbin/iptables "
//RICORDATI CHE QUESTO FILE VA SALVATO IN .sh E RESO ESEGUIBILE CON chmod +x nomefile!!

2 pulizia
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD

3 policies
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP


$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

  1. punto 1

$IPTABLES -A INPUT -i $ETH_IFACE -m state --state NEW,ESTABLISHED -p tcp -d $ETH_IP -s $BLACKLIST -j LOG --log-prefix "[mat.xxx in tcpnoblacklist]" $IPTABLES -A INPUT -i $ETH_IFACE -m state --state NEW,ESTABLISHED -p tcp -d $ETH_IP -s $BLACKLIST -j DROP

$IPTABLES -A INPUT -i $ETH_IFACE -p udp -d $ETH_IP -s $BLACKLIST -j LOG --log-prefix "[mat.xxx in udpnoblacklist]" $IPTABLES -A INPUT -i $ETH_IFACE -p udp -d $ETH_IP -s $BLACKLIST -j DROP

  1. punto 2

$IPTABLES -A OUTPUT -o $ETH_IFACE -m state --state NEW,ESTABLISHED -p tcp -d $PC_DOCENTE -s $ETH_IP -j LOG --log-prefix "[mat.xxx out z.transfer]" $IPTABLES -A OUTPUT -o $ETH_IFACE -m state --state NEW,ESTABLISHED -p tcp -d $PC_DOCENTE -s $ETH_IP -j ACCEPT

  1. punto 3 ftp passivo cmd

$IPTABLES -A OUTPUT -o $ETH_IFACE -m state --state NEW,ESTABLISHED -p tcp -d $PC_DOCENTE -s $ETH_IP --dport 21 -j LOG --log-prefix "[mat.xxx out ftpcmd]" $IPTABLES -A OUTPUT -o $ETH_IFACE -m state --state NEW,ESTABLISHED -p tcp -d $PC_DOCENTE -s $ETH_IP --dport 21 -j ACCEPT

$IPTABLES -A INPUT -i $ETH_IFACE -m state --state ESTABLISHED,RELATED -p tcp -d $ETH_IP -s $PC_DOCENTE --dport 21 -j LOG --log-prefix "[mat.xxx in ftpcmd]" $IPTABLES -A INPUT -i $ETH_IFACE -m state --state ESTABLISHED,RELATED -p tcp -d $ETH_IP -s $PC_DOCENTE --dport 21 -j ACCEPT

  1. punto 3 ftp passivo dati

$IPTABLES -A OUTPUT -o $ETH_IFACE -m state --state ESTABLISHED,RELATED -p tcp -d $PC_DOCENTE -s $ETH_IP --dport 1024:65535 -j LOG --log-prefix "[mat.xxx out ftpdati]" $IPTABLES -A OUTPUT -o $ETH_IFACE -m state --state ESTABLISHED,RELATED -p tcp -d $PC_DOCENTE -s $ETH_IP --dport 1024:65535 -j ACCEPT

$IPTABLES -A INPUT -i $ETH_IFACE -m state --state ESTABLISHED,RELATED -p tcp -d $ETH_IP -s $PC_DOCENTE --dport 1024:65535 -j LOG --log-prefix "[mat.xxx out ftpcmd]" $IPTABLES -A INPUT -i $ETH_IFACE -m state --state ESTABLISHED,RELATED -p tcp -d $ETH_IP -s $PC_DOCENTE --dport 1024:65535 -j ACCEPT

  1. punto 4

$IPTABLES -A INPUT -i $ETH_IFACE -m state --state NEW,ESTABLISHED -p tcp -d $ETH_IP --dport 22 -j LOG --log-prefix "[mat.xxx in nossh]" $IPTABLES -A INPUT -i $ETH_IFACE -m state --state NEW,ESTABLISHED -p tcp -d $ETH_IP --dport 22 -j DROP

$IPTABLES -A OUTPUT -o $ETH_IFACE -p icmp --icmp-type protocol-unreachable -s $ETH_IP -j LOG --log-prefix "[mat.xxx out protunreach]" $IPTABLES -A OUTPUT -o $ETH_IFACE -p icmp --icmp-type protocol-unreachable -s $ETH_IP -j ACCEPT
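Review bot: Every `-j LOG` rule in this script logs unconditionally, and with the INPUT policy set to DROP and the blacklist rules matching a whole /24 source range, a burst of unwanted traffic becomes a burst of kernel log lines that can fill the log and bury other events. Adding `-m limit --limit 5/min --limit-burst 10` (or whatever rate the course prefers) before `-j LOG` on each logging rule keeps the logging useful without changing what is dropped or accepted. Two smaller points: `BLACKLIST="121.34.22.12/24"` has host bits set, so iptables silently treats it as 121.34.22.0/24 and writing the network address would make the intent explicit; and `IPTABLES="sudo /sbin/iptables "` only works because `$IPTABLES` is expanded unquoted, which is fragile once the script is quoted or linted — a small wrapper function such as `ipt() { sudo /sbin/iptables "$@"; }` avoids relying on word splitting.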