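#!/bin/bash
# Personal host firewall (iptables, filter table) for a single machine.
# Usage: <script> {start|stop|restart|drop|status}  -- runs as root.
#
# nf_conntrack_helper=0 turns off automatic helper assignment, so the FTP/IRC
# helper modules loaded below stay idle unless a rule attaches them explicitly
# (the kernel log points to the iptables CT target for that). This is the
# intended secure default: the message "default automatic helper assignment
# has been turned off for security reasons ..." only reports that state, it
# is not an error.
modprobe nf_conntrack nf_conntrack_helper=0
modprobe nf_conntrack_ftp
modprobe nf_conntrack_irc
# Resolve the binary with the POSIX builtin (not `which`) and fail early if it
# is missing: otherwise every "$IPTABLES ..." line below would silently run
# nothing and the script would still report success with no rules installed.
IPTABLES=$(command -v iptables) || { echo "iptables non trovato nel PATH" >&2; exit 1; }
# Interface names; EXT and INT are not referenced by the rules in this file.
EXT=wlan0
INT=eth0
# Host and LAN addressing used by the trust rules in fw_start.
LAN_IP="192.168.0.50"
LAN_IP_RANGE="192.168.0.0/24"
LAN_IFACE="eth0"
LO_IFACE="lo"
LO_IP="127.0.0.1"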
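#######################################
# Install the firewall rule set.
# Globals:  IPTABLES, LO_IFACE, LO_IP, LAN_IFACE, LAN_IP, LAN_IP_RANGE (read)
# Returns:  status of the last iptables call
#######################################
fw_start() {
  # Flush every table and delete user chains, then start from a
  # deny-by-default INPUT/FORWARD policy; OUTPUT stays open.
  "$IPTABLES" -F
  "$IPTABLES" -t mangle -F
  "$IPTABLES" -t nat -F
  "$IPTABLES" -X
  "$IPTABLES" -P INPUT DROP
  "$IPTABLES" -P FORWARD DROP
  "$IPTABLES" -P OUTPUT ACCEPT
  # Conntrack gate: drop what conntrack cannot classify, accept replies to
  # connections this host opened (this already covers DNS answers).
  "$IPTABLES" -A INPUT -m conntrack --ctstate INVALID -j DROP
  "$IPTABLES" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # A NEW TCP connection must begin with a bare SYN: reset SYN+ACK probes and
  # drop any other non-SYN packet in state NEW.
  "$IPTABLES" -A INPUT -p tcp --tcp-flags SYN,ACK SYN,ACK -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
  #"$IPTABLES" -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j LOG --log-prefix "New not syn:"
  "$IPTABLES" -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
  # Trust loopback and the local LAN segment.
  "$IPTABLES" -A INPUT -p ALL -i "$LO_IFACE" -s "$LO_IP" -d "$LO_IP" -j ACCEPT
  "$IPTABLES" -A INPUT -p ALL -i "$LAN_IFACE" -s "$LAN_IP_RANGE" -d "$LAN_IP_RANGE" -j ACCEPT
  "$IPTABLES" -A INPUT -p ALL -i "$LO_IFACE" -s "$LAN_IP" -d "$LAN_IP_RANGE" -j ACCEPT
  # Oversized echo requests are dropped here; the remaining ones match no
  # accept rule below and fall through to the DROP policy.
  "$IPTABLES" -A INPUT -p icmp --icmp-type 8 -m length --length 128:65535 -j DROP
  # Rate-limited (limit module defaults) log of privileged-port TCP traffic
  # that did not come from the LAN.
  "$IPTABLES" -A INPUT -m limit -p tcp ! -s "$LAN_IP_RANGE" --dport 0:1024 -j LOG --log-prefix "Bad packet not from LAN"
  # The former "--sport 53 -j ACCEPT" rules (tcp and udp) are intentionally
  # removed: DNS answers are already accepted by the ESTABLISHED,RELATED rule
  # above, while matching on source port alone would accept any unsolicited
  # packet from any host that merely uses 53 as its source port, bypassing
  # every rule that follows.
  # Services reachable on every interface (the rules below do not restrict
  # the input interface).
  "$IPTABLES" -A INPUT -p tcp --dport 222 -j ACCEPT
  "$IPTABLES" -A INPUT -p tcp --dport 6891 -j ACCEPT
  "$IPTABLES" -A INPUT -p tcp --dport 6892 -j ACCEPT
  "$IPTABLES" -A INPUT -p tcp --dport 1863 -j ACCEPT
  "$IPTABLES" -A INPUT -p tcp --dport 1720 -j ACCEPT
  "$IPTABLES" -A INPUT -p tcp --dport 1503 -j ACCEPT
  "$IPTABLES" -A INPUT -p udp --dport 1720 -j ACCEPT
  "$IPTABLES" -A INPUT -p udp --dport 1503 -j ACCEPT
  #"$IPTABLES" -A INPUT -p tcp --dport 30000:30010 -j ACCEPT
  #"$IPTABLES" -A INPUT -p udp --dport 5000:5016 -j ACCEPT
  #"$IPTABLES" -A INPUT -p udp --dport 5020:5023 -j ACCEPT
  "$IPTABLES" -A INPUT -p tcp --dport 4662 -j ACCEPT
  "$IPTABLES" -A INPUT -p udp --dport 4672 -j ACCEPT
  "$IPTABLES" -A INPUT -p udp --dport 4673 -j ACCEPT
  "$IPTABLES" -A INPUT -p tcp --dport 4661 -j ACCEPT
  "$IPTABLES" -A INPUT -p udp --dport 4665 -j ACCEPT
  "$IPTABLES" -A INPUT -p tcp --dport 6881:6889 -j ACCEPT
  "$IPTABLES" -A INPUT -p tcp --dport 32836 -j ACCEPT
}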
#######################################
# Remove all filter-table rules and user chains and open every built-in
# chain, leaving the host without packet filtering.
# Globals:  IPTABLES (read)
#######################################
fw_stop() {
  local chain
  "$IPTABLES" -F
  "$IPTABLES" -X
  for chain in INPUT OUTPUT FORWARD; do
    "$IPTABLES" -P "$chain" ACCEPT
  done
}
#######################################
# Emergency lockdown: remove all filter-table rules and user chains and set
# every built-in chain to DROP (this also cuts loopback and outbound traffic).
# Globals:  IPTABLES (read)
#######################################
fw_drop() {
  local chain
  "$IPTABLES" -F
  "$IPTABLES" -X
  for chain in INPUT OUTPUT FORWARD; do
    "$IPTABLES" -P "$chain" DROP
  done
}
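# Print the command summary (Italian, as shown to the user) on stdout.
usage() {
  printf '%s\n' " Firewall personale, usare con le opzioni:"
  printf '%s\n' " start - Attiva il Firewall"
  printf '%s\n' " stop - Disattiva il Firewall"
  printf '%s\n' " restart - Riavvia il Firewall"
  printf '%s\n' " drop - Blocca ogni connessione"
  printf '%s\n' " status - Mostra lo stato del Firewall"
}

# Changing rules needs root; refuse early so the script cannot report success
# while iptables silently failed to apply anything.
require_root() {
  [ "$(id -u)" -eq 0 ] || { echo "Serve root per modificare il firewall" >&2; exit 1; }
}

# Dispatch on the sub-command given as the first argument.
case "$1" in
start)
  require_root
  fw_start
  ;;
stop)
  require_root
  fw_stop
  ;;
restart)
  require_root
  fw_stop
  sleep 1
  fw_start
  ;;
status)
  "$IPTABLES" -L -n -v
  ;;
drop)
  require_root
  fw_drop
  ;;
*)
  usage
  exit 1
  ;;
esac
# Propagate the status of the last iptables call instead of a fixed 0, so a
# failed action is visible to the caller (init system, cron, the shell).
exit "$?"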
nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.
Ma ora cosa può essere?
p.s.
Se avete suggerimenti per migliorarlo, ben vengano.