Minimal iptables configuration

Without going into any detail on iptables itself (plenty of good sites already cover it), below is an iptables configuration file that brings up a firewall for small networks, keeping inbound traffic closed and limiting the ports allowed outbound.
I will comment on it properly later.

# Generated by iptables-save v1.2.6a on Tue Mar 2 12:48:38 2004
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Tue Mar 2 12:48:38 2004
# Generated by iptables-save v1.2.6a on Tue Mar 2 12:48:38 2004
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
[0:0] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 5000 -m state --state NEW -j ACCEPT
[0:0] -A INPUT -p udp -m udp --dport 5000 -m state --state NEW -j ACCEPT
[0:0] -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
#[0:0] -A FORWARD -i eth0 -o eth1 -m state --state NEW -j ACCEPT
[0:0] -A FORWARD -i eth0 -p tcp -m state --state NEW -m multiport --dports ftp,telnet,ssh,smtp,pop3,imap2,imaps,pop3s,www,https,5000,3389,3306 -j ACCEPT
[0:0] -A FORWARD -i eth0 -p udp -m state --state NEW -m multiport --dports ntp,5000,53,3306 -j ACCEPT
[0:0] -A FORWARD -i tun+ -o eth0 -m state --state NEW -j ACCEPT
[0:0] -A FORWARD -i eth0 -o tun+ -m state --state NEW -j ACCEPT
[0:0] -A FORWARD -i eth0 -o eth0 -m state --state NEW -j ACCEPT
[0:0] -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A OUTPUT -p tcp -m state --state NEW -m multiport --dports ftp,telnet,ssh,smtp,pop3,imap2,imaps,pop3s,www,https,5000,3389,3306 -j ACCEPT
[0:0] -A OUTPUT -p udp -m state --state NEW -m multiport --dports ntp,5000,53,3306 -j ACCEPT
[0:0] -A OUTPUT -p icmp -j ACCEPT
COMMIT
# Completed on Tue Mar 2 12:48:38 2004
# Generated by iptables-save v1.2.6a on Tue Mar 2 12:48:38 2004
*nat
:PREROUTING ACCEPT [257:29141]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
[0:0] -A POSTROUTING -s 192.168.11.0/255.255.255.0 -o eth1 -j SNAT --to-source 85.34.163.218
COMMIT
# Completed on Tue Mar 2 12:48:38 2004
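Added here as an example, not the author's own code: a small Python audit that parses the *filter table of an iptables-save dump like the one above and checks it against the stated policy (default DROP everywhere, every inbound listener listed, cleartext services flagged in the outbound port lists). The embedded ruleset is a trimmed excerpt of the dump above; the CLEARTEXT set is this example's own choice of service names.

```python
import re
# Filter table from the page's iptables-save dump, trimmed to what the audit needs (excerpt
# constructed here; the rule lines themselves are copied from the page).
RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
[0:0] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
#[0:0] -A FORWARD -i eth0 -o eth1 -m state --state NEW -j ACCEPT
[0:0] -A FORWARD -i eth0 -p tcp -m state --state NEW -m multiport --dports ftp,telnet,ssh,smtp,pop3,imap2,imaps,pop3s,www,https,5000,3389,3306 -j ACCEPT
[0:0] -A OUTPUT -p udp -m state --state NEW -m multiport --dports ntp,5000,53,3306 -j ACCEPT
[0:0] -A OUTPUT -p icmp -j ACCEPT
COMMIT
"""
# Service names from the page's port lists whose protocols carry credentials in cleartext (our choice).
CLEARTEXT = {"ftp", "telnet", "pop3", "imap2"}
# Option -> rule key; everything else (-m, -i, -o) is ignored by this audit.
KEYS = {"-p": "proto", "--dport": "ports", "--dports": "ports", "--state": "state", "-j": "target"}

def parse_filter(text):
    """Return ({chain: policy}, [rule dicts]) for the *filter table; '#' lines are skipped."""
    policies, rules = {}, []
    for line in text.splitlines():
        if line.startswith(":"):                          # chain header ":INPUT DROP [0:0]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith(("[", "-A")):                # a rule, with or without counters
            chain, rest = re.search(r"-A (\S+)(.*)", line).groups()
            rule = {"chain": chain, "proto": None, "ports": "", "state": None, "target": None}
            for flag, arg in re.findall(r"(--?\S+) (\S+)", rest):
                if flag in KEYS:
                    rule[KEYS[flag]] = arg
            rules.append(rule)
    return policies, rules

def audit(text):
    """Check a dump against the page's stated policy: closed inbound, restricted outbound."""
    policies, rules = parse_filter(text)
    findings = [f"{c} default policy is {policies.get(c)}, expected DROP"
                for c in ("INPUT", "FORWARD", "OUTPUT") if policies.get(c) != "DROP"]
    for r in [r for r in rules if r["target"] == "ACCEPT"]:
        if r["chain"] == "INPUT" and "NEW" in (r["state"] or ""):   # each listener is a finding
            findings.append(f"INPUT accepts new {r['proto']} to {r['ports']}")
        weak = sorted(CLEARTEXT & set(r["ports"].split(","))) if r["chain"] != "INPUT" else []
        if weak:
            findings.append(f"{r['chain']} allows cleartext services {','.join(weak)}")
        if r["chain"] == "OUTPUT" and r["proto"] == "icmp" and r["state"] is None:
            findings.append("OUTPUT accepts every ICMP type without a state match")
    return findings
```

Feed it `iptables-save` output from a live box to get the same report for your own ruleset; the parser accepts dumps with or without the `-c` counters.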
