Configurazione firewall per server "casalingo"

Darkspider · Messaggio da **Darkspider** » 14 gen 2007 23:37

Ciao,
avrei intenzione di configurare iptables sul piccolo server linux che ho a casa, per bloccare accessi non autorizzati, ma continuando ad utilizzare alcuni programmi.
In generale vorre:
- bloccare tutto come regola di default
- consentire samba e ssh solo sulla mia rete interna
- consentire l'utilizzo di Amule, Firefox, IceDove (Thunderbird) in uscita/entrata

Questo sono le regole che ho impostato in un piccolo script di mia creazione, ma devo aver fatto qualche "piccolo" errore, perché Amule mi dà Low-ID, IceDove e Samba non vanno (non ho ancora testato ssh e Firefox con il firewall attivo, ma credo che facciano la fine dei loro colleghi...)

AIUTO (grazie)!

Codice: Seleziona tutto


### default policy
$ipt -t filter -P FORWARD DROP
$ipt -t filter -P INPUT DROP
$ipt -t filter -P OUTPUT DROP

### localhost policy: accept
$ipt -t filter -A INPUT -s $lo -j ACCEPT
$ipt -t filter -A OUTPUT -s $lo -j ACCEPT

### icmp policy: accept (not totally)
# icmp 8 is echo request
$ipt -t filter -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$ipt -t filter -A INPUT -p icmp --icmp-type 3 -j ACCEPT
# $ipt -t filter -A INPUT -p icmp --icmp-type 8 -j ACCEPT
$ipt -t filter -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$ipt -t filter -A OUTPUT -p icmp --icmp-type 0 -j ACCEPT
$ipt -t filter -A OUTPUT -p icmp --icmp-type 3 -j ACCEPT
# $ipt -t filter -A OUTPUT -p icmp --icmp-type 8 -j ACCEPT
$ipt -t filter -A OUTPUT -p icmp --icmp-type 11 -j ACCEPT

### standard input traffic policy
# web
$ipt -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
# samba
$ipt -t filter -A INPUT -p tcp -s $net --dport 137 -j ACCEPT
$ipt -t filter -A INPUT -p tcp -s $net --dport 138 -j ACCEPT
$ipt -t filter -A INPUT -p tcp -s $net --dport 139 -j ACCEPT
$ipt -t filter -A INPUT -p tcp -s $net --dport 445 -j ACCEPT
# amule
$ipt -t filter -A INPUT -p tcp --dport 4862 -j ACCEPT
$ipt -t filter -A INPUT -p udp --dport 4865 -j ACCEPT
$ipt -t filter -A INPUT -p udp --dport 4872 -j ACCEPT
# ssh
$ipt -t filter -A INPUT -p tcp -d $net --dport 22 -j ACCEPT
# state
$ipt -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

### standard output traffic policy
# ftp
$ipt -t filter -A OUTPUT -p tcp --dport 20 -j ACCEPT
$ipt -t filter -A OUTPUT -p tcp --dport 21 -j ACCEPT
# smtp
$ipt -t filter -A OUTPUT -p tcp --dport 25 -j ACCEPT
$ipt -t filter -A OUTPUT -p tcp --dport 995 -j ACCEPT
# web
$ipt -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
$ipt -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT
# pop3
$ipt -t filter -A OUTPUT -p tcp --dport 465 -j ACCEPT
$ipt -t filter -A OUTPUT -p tcp --dport 110 -j ACCEPT
# samba
$ipt -t filter -A OUTPUT -p tcp -d $net --dport 139 -j ACCEPT
$ipt -t filter -A OUTPUT -p tcp -d $net --dport 445 -j ACCEPT
# ssh
$ipt -t filter -A OUTPUT -p tcp -d $net --dport 22 -j ACCEPT
# amule
$ipt -t filter -A OUTPUT -p tcp --dport 3306 -j ACCEPT
$ipt -t filter -A OUTPUT -p tcp --dport 4242 -j ACCEPT
$ipt -t filter -A OUTPUT -p tcp --dport 4661 -j ACCEPT
$ipt -t filter -A OUTPUT -p tcp --dport 8899 -j ACCEPT
$ipt -t filter -A OUTPUT -p tcp --dport 8911 -j ACCEPT
$ipt -t filter -A OUTPUT -p tcp --dport 9123 -j ACCEPT
$ipt -t filter -A OUTPUT -p tcp --dport 15932 -j ACCEPT


le variabili sono:
ipt=/sbin/iptables
lo=127.0.0.1
net=192.168.0.0/24