
 :: Sicurezza nelle Reti - Prova Pratica - Febbraio 2010 ::

Script iptables

#!/bin/sh

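# Host firewall for the "Sicurezza nelle Reti" practical exam (February 2010).
# Stateful filter, default-deny on INPUT/OUTPUT/FORWARD, with the exceptions
# numbered "punto 1..4" below. Every rule is applied through sudo.
#
# Abort on the first failing rule: once the DROP policies are in place, a typo
# in a later rule would otherwise leave the host silently half-configured.
set -eu

# This host, the lecturer's PC, and the network to blacklist.
ETH_IFACE="eth1"
ETH_IP="192.168.1.104"
PC_DOCENTE="192.168.1.1"
# Written on the prefix boundary: iptables would silently mask
# 121.34.22.12/24 down to 121.34.22.0/24 anyway, so make the intent explicit.
BLACKLIST="121.34.22.0/24"
LO_IFACE="lo"
LO_IP="127.0.0.1"   # not referenced by any rule below; kept for reference

# Wrapper so the argument list is passed through intact instead of relying on
# word-splitting of an unquoted "sudo /sbin/iptables " string.
ipt() { sudo /sbin/iptables "$@"; }
# REMEMBER: save this file with a .sh extension and make it executable (chmod +x filename).

#2 cleanup: flush the three built-in chains of the filter table
# (user-defined chains and the nat/mangle tables are not touched here).
ipt -F INPUT
ipt -F OUTPUT
ipt -F FORWARD

#3 default policies: everything not explicitly accepted below is dropped
ipt -P INPUT DROP
ipt -P OUTPUT DROP
ipt -P FORWARD DROP

# loopback traffic is unrestricted
ipt -A INPUT -i "$LO_IFACE" -j ACCEPT
ipt -A OUTPUT -o "$LO_IFACE" -j ACCEPT

#punto 1: log and drop TCP and UDP coming from the blacklisted network.
# With the DROP policy these rules only add the log line; LOG is a
# non-terminating target, so the explicit DROP must follow each one.
ipt -A INPUT -i "$ETH_IFACE" -m state --state NEW,ESTABLISHED -p tcp -d "$ETH_IP" -s "$BLACKLIST" -j LOG --log-prefix "[mat.xxx in tcpnoblacklist]"
ipt -A INPUT -i "$ETH_IFACE" -m state --state NEW,ESTABLISHED -p tcp -d "$ETH_IP" -s "$BLACKLIST" -j DROP

ipt -A INPUT -i "$ETH_IFACE" -p udp -d "$ETH_IP" -s "$BLACKLIST" -j LOG --log-prefix "[mat.xxx in udpnoblacklist]"
ipt -A INPUT -i "$ETH_IFACE" -p udp -d "$ETH_IP" -s "$BLACKLIST" -j DROP

#punto 2: outbound TCP to the lecturer's PC.
# NOTE(review): the log prefix says "z.transfer" but the match is ANY TCP port;
# if only a DNS zone transfer is meant, add "--dport 53". As written this rule
# also already accepts the FTP control connection of punto 3. Return packets
# are admitted by the "in ftpdati" INPUT rule further down because our
# ephemeral ports fall inside 1024:65535 — there is no generic ESTABLISHED rule.
ipt -A OUTPUT -o "$ETH_IFACE" -m state --state NEW,ESTABLISHED -p tcp -d "$PC_DOCENTE" -s "$ETH_IP" -j LOG --log-prefix "[mat.xxx out z.transfer]"
ipt -A OUTPUT -o "$ETH_IFACE" -m state --state NEW,ESTABLISHED -p tcp -d "$PC_DOCENTE" -s "$ETH_IP" -j ACCEPT

#punto 3: passive FTP, control channel (we are the client, server on PC_DOCENTE)
ipt -A OUTPUT -o "$ETH_IFACE" -m state --state NEW,ESTABLISHED -p tcp -d "$PC_DOCENTE" -s "$ETH_IP" --dport 21 -j LOG --log-prefix "[mat.xxx out ftpcmd]"
ipt -A OUTPUT -o "$ETH_IFACE" -m state --state NEW,ESTABLISHED -p tcp -d "$PC_DOCENTE" -s "$ETH_IP" --dport 21 -j ACCEPT

# Replies come FROM the server's port 21 TO our ephemeral port, so the match is
# on the source port. The original "--dport 21" could never match a reply on
# the control channel (it would only match the server contacting OUR port 21).
ipt -A INPUT -i "$ETH_IFACE" -m state --state ESTABLISHED,RELATED -p tcp -d "$ETH_IP" -s "$PC_DOCENTE" --sport 21 -j LOG --log-prefix "[mat.xxx in ftpcmd]"
ipt -A INPUT -i "$ETH_IFACE" -m state --state ESTABLISHED,RELATED -p tcp -d "$ETH_IP" -s "$PC_DOCENTE" --sport 21 -j ACCEPT

#punto 3: passive FTP, data channel. The client opens a second connection to the
# high port announced by the server in the PASV reply. That SYN is classified
# RELATED only if the FTP conntrack helper is loaded (nf_conntrack_ftp, or
# ip_conntrack_ftp on older kernels); without it the connection would still get
# through here via the punto 2 rule, which accepts NEW TCP to PC_DOCENTE.
ipt -A OUTPUT -o "$ETH_IFACE" -m state --state ESTABLISHED,RELATED -p tcp -d "$PC_DOCENTE" -s "$ETH_IP" --dport 1024:65535 -j LOG --log-prefix "[mat.xxx out ftpdati]"
ipt -A OUTPUT -o "$ETH_IFACE" -m state --state ESTABLISHED,RELATED -p tcp -d "$PC_DOCENTE" -s "$ETH_IP" --dport 1024:65535 -j ACCEPT

# Log prefix corrected: this is the INBOUND data channel (the original said
# "out ftpcmd", a copy-paste leftover that made the logs misleading).
ipt -A INPUT -i "$ETH_IFACE" -m state --state ESTABLISHED,RELATED -p tcp -d "$ETH_IP" -s "$PC_DOCENTE" --dport 1024:65535 -j LOG --log-prefix "[mat.xxx in ftpdati]"
ipt -A INPUT -i "$ETH_IFACE" -m state --state ESTABLISHED,RELATED -p tcp -d "$ETH_IP" -s "$PC_DOCENTE" --dport 1024:65535 -j ACCEPT

#punto 4: refuse inbound SSH.
# NOTE(review): DROP is silent. If the exercise expects the peer to receive an
# ICMP protocol-unreachable, this must be
#   -j REJECT --reject-with icmp-proto-unreachable
# instead of DROP: the OUTPUT rule below only lets such an ICMP leave the host,
# it does not generate one.
ipt -A INPUT -i "$ETH_IFACE" -m state --state NEW,ESTABLISHED -p tcp -d "$ETH_IP" --dport 22 -j LOG --log-prefix "[mat.xxx in nossh]"
ipt -A INPUT -i "$ETH_IFACE" -m state --state NEW,ESTABLISHED -p tcp -d "$ETH_IP" --dport 22 -j DROP

ipt -A OUTPUT -o "$ETH_IFACE" -p icmp --icmp-type protocol-unreachable -s "$ETH_IP" -j LOG --log-prefix "[mat.xxx out protunreach]"
ipt -A OUTPUT -o "$ETH_IFACE" -p icmp --icmp-type protocol-unreachable -s "$ETH_IP" -j ACCEPT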
