[Linux-Biella] Setting up IPTables securely (firewall)

Daniele (Mastro) daniele.bilug a gmail.com
Thu 12 Oct 2006 13:41:42 CEST



I was expecting a mountain of replies :)

In particular I thought LeoS would say something about it.. (maybe some
insults.. but still something) :D

Now my IPTables looks like this, what do you think?

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  ns1.tin.it           anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN
ACCEPT     udp  --  ns1.tin.it           anywhere
ACCEPT     tcp  --  ns.interbusiness.it  anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN
ACCEPT     udp  --  ns.interbusiness.it  anywhere
ACCEPT     all  --  anywhere             anywhere
LSI        udp  --  anywhere             anywhere            udp dpt:33434
LSI        icmp --  anywhere             anywhere
DROP       all  --  anywhere             255.255.255.255
DROP       all  --  BASE-ADDRESS.MCAST.NET/8  anywhere
DROP       all  --  anywhere             BASE-ADDRESS.MCAST.NET/8
DROP       all  --  255.255.255.255      anywhere
DROP       all  --  anywhere             0.0.0.0
DROP       all  --  anywhere             anywhere            state INVALID
LSI        all  -f  anywhere             anywhere            limit: avg 10/min burst 5
INBOUND    all  --  anywhere             anywhere
INBOUND    all  --  anywhere             192.168.1.2
INBOUND    all  --  anywhere             host80-51-dynamic.8-87-r.retail.telecomitalia.it
INBOUND    all  --  anywhere             192.168.2.255
LOG_FILTER  all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            LOG level info prefix `Unknown Input'

Chain FORWARD (policy DROP)
target     prot opt source               destination
LSI        udp  --  anywhere             anywhere            udp dpt:33434
LSI        icmp --  anywhere             anywhere
TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
OUTBOUND   all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             192.168.1.0/24      state RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             192.168.1.0/24      state RELATED,ESTABLISHED
LOG_FILTER  all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            LOG level info prefix `Unknown Forward'

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  host80-51-dynamic.8-87-r.retail.telecomitalia.it  ns1.tin.it          tcp dpt:domain
ACCEPT     udp  --  host80-51-dynamic.8-87-r.retail.telecomitalia.it  ns1.tin.it          udp dpt:domain
ACCEPT     tcp  --  host80-51-dynamic.8-87-r.retail.telecomitalia.it  ns.interbusiness.it tcp dpt:domain
ACCEPT     udp  --  host80-51-dynamic.8-87-r.retail.telecomitalia.it  ns.interbusiness.it udp dpt:domain
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  BASE-ADDRESS.MCAST.NET/8  anywhere
DROP       all  --  anywhere             BASE-ADDRESS.MCAST.NET/8
DROP       all  --  255.255.255.255      anywhere
DROP       all  --  anywhere             0.0.0.0
DROP       all  --  anywhere             anywhere            state INVALID
OUTBOUND   all  --  anywhere             anywhere
OUTBOUND   all  --  anywhere             anywhere
LOG_FILTER  all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            LOG level info prefix `Unknown Output'

Chain INBOUND (4 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere            state RELATED,ESTABLISHED
LSI        all  --  anywhere             anywhere

Chain LOG_FILTER (5 references)
target     prot opt source               destination

Chain LSI (6 references)
target     prot opt source               destination
LOG_FILTER  all  --  anywhere             anywhere
LOG        tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 5 LOG level info prefix `Inbound '
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN
LOG        tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5 LOG level info prefix `Inbound '
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/RST
LOG        icmp --  anywhere             anywhere            icmp echo-request limit: avg 1/sec burst 5 LOG level info prefix `Inbound '
DROP       icmp --  anywhere             anywhere            icmp echo-request
LOG        all  --  anywhere             anywhere            limit: avg 5/sec burst 5 LOG level info prefix `Inbound '
DROP       all  --  anywhere             anywhere

Chain LSO (0 references)
target     prot opt source               destination
LOG_FILTER  all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            limit: avg 5/sec burst 5 LOG level info prefix `Outbound '
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain OUTBOUND (3 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
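A mechanical way to review a posted `iptables -L` listing like the one above, as an added example that is not part of the original thread: it parses the chain headers and rule columns, flags chains with zero references (LSO here) and unconditional `ACCEPT all anywhere -> anywhere` rules that stop every later rule in the chain from matching (INPUT rule 5 and the last OUTBOUND rule in the listing). The sample text is a constructed excerpt of the poster's INPUT and LSO chains, and `parse_chains`/`audit` are names chosen for this example.

```python
import re

# Constructed sample: a few lines from the INPUT chain posted above plus the
# unreferenced LSO chain, with mail-client line wrapping undone.  The listing
# was produced without -v, so interface matches (-i lo, -i eth0) are not
# shown, which is why a bare "ACCEPT all" line cannot be judged from it.
SAMPLE = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     udp  --  ns1.tin.it           anywhere
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere            state INVALID
INBOUND    all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            LOG level info prefix `Unknown Input'

Chain LSO (0 references)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|(\d+) references)\)$")

def parse_chains(text):
    """Return {chain: {"policy": str|None, "refs": int|None, "rules": [...]}}."""
    chains, cur = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            cur = {"policy": m.group(2),
                   "refs": int(m.group(3)) if m.group(3) else None, "rules": []}
            chains[m.group(1)] = cur
            continue
        if not line.strip() or line.startswith("target") or cur is None:
            continue
        parts = line.split(None, 5)  # target prot opt source destination [match text]
        cur["rules"].append(parts + [""] * (6 - len(parts)))
    return chains

def audit(chains):
    """Flag unreferenced chains and unconditional ACCEPTs that shadow later rules."""
    findings = []
    for name, ch in chains.items():
        if ch["refs"] == 0:
            findings.append(f"{name}: chain has 0 references, its rules never run")
        for i, (tgt, proto, _opt, src, dst, match) in enumerate(ch["rules"]):
            if tgt == "ACCEPT" and proto == "all" and src == dst == "anywhere" and not match:
                later = len(ch["rules"]) - i - 1
                findings.append(f"{name}: rule {i + 1} is an unconditional ACCEPT; "
                                f"{later} later rule(s) never match; re-check with "
                                f"'iptables -L -n -v' to see whether it is limited to -i lo")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_chains(SAMPLE)):
        print(finding)
```

Run it against the full listing by replacing `SAMPLE` with the saved output of `iptables -L -n -v`; the extra columns that `-v` prepends (pkts, bytes, in, out) need the column split adjusted accordingly.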
