Se qualcuno di esperto avesse voglia di guardarlo e di dirmi se basta come protezione "base" per un utilizzo normale del computer, ne sarei grato.
#!/bin/bash
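SW_VERB="-v"
# Abort the script on the first command that fails. This is not a debug/trace
# flag (that would be `set -x`); commands inside `if` conditions and inside
# `&&`/`||` lists are exempt, which later parts of this script rely on.
set -e
#
# [ Kernel modules ]
# Enable connection tracking, used by the `-m state` rules further down
#modprobe nf_conntrack
#
# Enable connection tracking for the FTP protocol
#modprobe nf_conntrack_ftp
#
# Put the system binary directories first so the bare tool names below resolve
# to the administrative binaries even from a reduced environment.
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"
export PATH
# Tool names. All of them are resolved through PATH; ip6tables-restore was the
# only one spelled with an absolute /sbin path and is now spelled like the rest.
# NOTE(review): the rules below call /usr/sbin/iptables directly rather than
# $IPTABLES, and no ip6tables command appears anywhere in this script as posted.
LSMOD="lsmod"
MODPROBE="modprobe"
IPTABLES="iptables"
IP6TABLES="ip6tables"
IPTABLES_RESTORE="iptables-restore"
IP6TABLES_RESTORE="ip6tables-restore"
IP="ip"
LOGGER="logger"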
#
prolog_commands() {
  # Hook run before any module is loaded or rule is touched; currently it only
  # announces itself on stdout.
  printf '%s\n' "Running prolog script"
}
epilog_commands() {
  # Hook run when the rule set has been applied (or on the error path via
  # run_epilog_and_exit); currently it only announces itself on stdout.
  printf '%s\n' "Running epilog script"
}
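run_epilog_and_exit() {
  # Run the epilog hook, then terminate the script.
  # Arguments: $1 - exit status to use (defaults to 0)
  # The original `exit $1` was unquoted and, when no argument was given,
  # exited with whatever status epilog_commands happened to return.
  local status=${1:-0}
  epilog_commands
  exit "$status"
}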
#
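prolog_commands
# Derive module names from the files under the running kernel's net/ tree:
# strip the directory and everything from the first '.' onward
# (nf_conntrack.ko.gz -> nf_conntrack).
# NOTE(review): this loads every conntrack and NAT module present on disk,
# i.e. every protocol helper too (ftp, irc, sip, ...). Each helper parses
# untrusted payloads in kernel space; loading only the helpers that are
# actually needed keeps the attack surface smaller.
MODULES_DIR="/lib/modules/$(uname -r)/kernel/net/"
MODULES=$(find "$MODULES_DIR" -name '*conntrack*' | sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')
MODULES="$MODULES $(find "$MODULES_DIR" -name '*nat*' | sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')"
# Word-splitting on whitespace is intended: one module name per word.
for module in $MODULES; do
  # Anchor the match to lsmod's first column; the previous bare substring grep
  # let e.g. "nf_nat" match the "nf_nat_ftp" line and skip loading nf_nat.
  if $LSMOD | grep -q -- "^${module}[[:space:]]"; then continue; fi
  # Run the epilog hook on the failure path as well instead of a bare exit 1.
  $MODPROBE "${module}" || run_epilog_and_exit 1
done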
#
# Stop IP forwarding before the tables are rebuilt (it is started again
# further down, once the rules are in place).
sh /etc/rc.d/rc.ip_forward stop
# Start from a clean slate in every table: flush all rules, then delete every
# user-defined chain. Chains cannot be referenced across tables, so doing both
# steps per table is equivalent to flushing all tables first.
# $SW_VERB is deliberately left unquoted: when empty it must disappear rather
# than become an empty argument that iptables would reject.
for table in filter nat mangle; do
  /usr/sbin/iptables -t "$table" -F $SW_VERB
  /usr/sbin/iptables -t "$table" -X $SW_VERB
done
# Fairly strict defaults: drop whatever is not explicitly allowed on INPUT and
# FORWARD, let everything out on OUTPUT.
# NOTE(review): IP6TABLES is defined at the top of the script, but no
# ip6tables policy or rule appears anywhere in it; if IPv6 is enabled on the
# host, its INPUT chain keeps the kernel default (ACCEPT) and nothing below
# applies to that traffic.
/usr/sbin/iptables -P INPUT DROP $SW_VERB
/usr/sbin/iptables -P OUTPUT ACCEPT $SW_VERB
/usr/sbin/iptables -P FORWARD DROP $SW_VERB
# Allow everything on the loopback interface
/usr/sbin/iptables -A INPUT -i lo -j ACCEPT $SW_VERB
# Accept all inbound traffic arriving on wlan0 (the LAN side)
# NOTE(review): iptables stops at the first matching rule, so this is also the
# last INPUT rule any wlan0 packet ever reaches: the per-port wlan0 rules below
# and the In_RULE_0 anti-spoofing jumps appended later in the script can never
# match on INPUT. Either drop this blanket accept or place the narrower rules
# ahead of it (-I).
/usr/sbin/iptables -A INPUT -i wlan0 -j ACCEPT $SW_VERB
# On eth0 accept only traffic belonging to connections opened from here,
# or related to one (e.g. FTP data)
/usr/sbin/iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT $SW_VERB
# Block pings from outside (disabled; note it names ppp0, not eth0)
#/usr/sbin/iptables -A INPUT -i ppp0 -p icmp --icmp-type echo-request -j DROP $SW_VERB
# Forwarding rules
# Let traffic from outside through only when the LAN asked for it
/usr/sbin/iptables -A FORWARD -i eth0 -o wlan0 -m state --state ESTABLISHED,RELATED -j ACCEPT $SW_VERB
# Let all LAN traffic out to the Internet
# NOTE(review): same first-match issue as the wlan0 INPUT accept above — the
# FORWARD jumps to In_RULE_0 appended further down come after this rule and
# are unreachable for wlan0->eth0 traffic.
/usr/sbin/iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT $SW_VERB
# Masquerade LAN traffic leaving on eth0
/usr/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE $SW_VERB
# Open port 8022 for ssh on the LAN - RULE NOT NEEDED, ALREADY COVERED BY THE wlan0 ACCEPT ABOVE
/usr/sbin/iptables -A INPUT -i wlan0 -p tcp --dport 8022 -j ACCEPT $SW_VERB # SSH on the internal LAN
# Allow connections to port 80 for apache
# NOTE(review): the original comment said "from outside", but the rule matches
# -i wlan0 (LAN side) only and is redundant with the blanket wlan0 accept;
# confirm which side Apache is meant to be reachable from.
/usr/sbin/iptables -A INPUT -i wlan0 -p tcp --dport 80 -j ACCEPT $SW_VERB # HTTPD
# Zero the packet/byte counters of every chain
/usr/sbin/iptables -Z $SW_VERB
/usr/sbin/iptables -t nat -Z $SW_VERB
/usr/sbin/iptables -t mangle -Z $SW_VERB
# NOTE(review): forwarding is re-enabled here while more rules (MSN, aMule,
# the anti-spoofing chain) are still appended below; moving this line to the
# end of the rule set closes that window.
sh /etc/rc.d/rc.ip_forward start
#MSN Client
#echo "Client MSN"
# NOTE(review): OUTPUT policy is ACCEPT, so this OUTPUT rule is redundant; the
# INPUT rule has no -i and only matches ESTABLISHED, which the eth0 (L65-style)
# and wlan0 accepts above already cover.
/usr/sbin/iptables -A OUTPUT -p tcp -m tcp --dport 1863 -m state --state NEW,ESTABLISHED -j ACCEPT
/usr/sbin/iptables -A INPUT -p tcp -m tcp --sport 1863 -m state --state ESTABLISHED -j ACCEPT
#Samba Server
#set_samba(){
# SAMBA_UDP="137"
# SAMBA_UDP2="138"
# SAMBA_TCP="139"
# SAMBA_TCP2="445"
# /usr/sbin/iptables -A -$1 SMB_IN $text "SAMBA:" -p UDP --dport $SAMBA_UDP -j ACCEPT
#/usr/sbin/iptables -A -$1 SMB_IN $text "SAMBA:" -p UDP --dport $SAMBA_UDP2 -j ACCEPT
#/usr/sbin/iptables -A -$1 SMB_IN $text "SAMBA:" -m state --state NEW -m tcp -p tcp --dport $SAMBA_TCP -j ACCEPT
#/usr/sbin/iptables -A -$1 SMB_IN $text "SAMBA:" -m state --state NEW -m tcp -p tcp --dport $SAMBA_TCP2 -j ACCEPT
#}
#Amule
# These rules carry no -i, so the three aMule ports are open on every
# interface, eth0 (Internet side) included. Together they are the only path by
# which unsolicited traffic from the Internet reaches this host — presumably
# intended for incoming peer connections; confirm.
/usr/sbin/iptables -A INPUT -p TCP --dport 4662 -j ACCEPT
/usr/sbin/iptables -A INPUT -p UDP --dport 4665 -j ACCEPT
/usr/sbin/iptables -A INPUT -p UDP --dport 4672 -j ACCEPT
# Anti-spoofing: new connections arriving on wlan0 with the source addresses
# listed below are sent to In_RULE_0, which logs and drops them.
# NOTE(review): $i_wlan0 is never assigned anywhere in this script, so the two
# `test -n` guarded rules are skipped (a failing test inside an && list does
# not trip set -e); this block looks pasted from a generated rule set — confirm.
# The jumps are also appended after the blanket "INPUT -i wlan0 -j ACCEPT" and
# "FORWARD -i wlan0 -o eth0 -j ACCEPT" rules above, so with first-match
# semantics they are unreachable for INPUT and for wlan0->eth0 forwarding.
# Before making them reachable, check the ranges against the real wlan0
# addressing: if the LAN itself lives in 192.168.1.0/24 or 192.168.2.0/24,
# this chain would drop the LAN's own new connections.
/usr/sbin/iptables -N In_RULE_0
# $i_wlan0 is unquoted; harmless while unset, but should be "$i_wlan0".
test -n "$i_wlan0" && /usr/sbin/iptables -A INPUT -i wlan0 -s $i_wlan0 -m state --state NEW -j In_RULE_0
/usr/sbin/iptables -A INPUT -i wlan0 -s 192.168.1.2 -m state --state NEW -j In_RULE_0
/usr/sbin/iptables -A INPUT -i wlan0 -s 192.168.1.0/24 -m state --state NEW -j In_RULE_0
/usr/sbin/iptables -A INPUT -i wlan0 -s 192.168.2.0/24 -m state --state NEW -j In_RULE_0
test -n "$i_wlan0" && /usr/sbin/iptables -A FORWARD -i wlan0 -s $i_wlan0 -m state --state NEW -j In_RULE_0
/usr/sbin/iptables -A FORWARD -i wlan0 -s 192.168.1.2 -m state --state NEW -j In_RULE_0
/usr/sbin/iptables -A FORWARD -i wlan0 -s 192.168.1.0/24 -m state --state NEW -j In_RULE_0
/usr/sbin/iptables -A FORWARD -i wlan0 -s 192.168.2.0/24 -m state --state NEW -j In_RULE_0
# Log, then drop.
# NOTE(review): the LOG rule has no -m limit, so a burst of matching packets
# is written to the system log at full rate; rate-limiting it is the usual fix.
/usr/sbin/iptables -A In_RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- DENY"
/usr/sbin/iptables -A In_RULE_0 -j DROP
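# Refuse source-routed packets on every IPv4 interface. This is a runtime
# setting and is not persisted across reboots. The glob is guarded so an
# unmatched pattern does not turn into a failed redirect under set -e.
# NOTE(review): rp_filter under the same conf/*/ directories is the kernel-side
# counterpart of the anti-spoofing rules above — worth confirming it is set too.
for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do
  [[ -e "$i" ]] || continue
  printf '0\n' > "$i"
done
# ip_forward itself is toggled via rc.ip_forward earlier in the script.
# The epilog hook is the final step, so it now runs after the sysctl loop.
epilog_commands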