
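#
# Firewall setup (ipchains). Expects IPCHAINS, WAN_IFACE, LAN_IFACE,
# LAN_NET, ANYWHERE and BLACKLIST to have been defined above.
#
# Let's start clean and flush all chains to an empty state.
"$IPCHAINS" -F
# Set the default policies of the built-in chains. If no match for any
# of the rules below, these will be the defaults that ipchains uses.
# input and forward are deny-by-default; locally generated traffic
# (output) is allowed.
"$IPCHAINS" -P forward DENY
"$IPCHAINS" -P output ACCEPT
"$IPCHAINS" -P input DENY
# Accept localhost/loopback traffic.
"$IPCHAINS" -A input -i lo -j ACCEPT
# Get our dynamic IP now from the Inet interface. WAN_IP will be our
# IP address we are protecting from the outside world. Put this
# here, so default policy gets set, even if interface is not up
# yet.
# NOTE(review): this parses the classic net-tools ifconfig layout
# ("inet addr:A.B.C.D  Bcast:...  Mask:..."); matching "inet addr" rather
# than bare "inet" keeps an "inet6 addr:" line from being picked up.
# Other ifconfig/ip output formats will leave WAN_IP empty and trip the
# check below.
if [ -z "$WAN_IP" ]; then
  WAN_IP=$(ifconfig "$WAN_IFACE" | grep 'inet addr' | cut -d : -f 2 | cut -d ' ' -f 1)
fi
# Bail out with error message if no IP available! Default policy is
# already set, so all is not lost here. An if-block is used so the exit
# does not depend on the echo succeeding; the message goes to stderr.
if [ -z "$WAN_IP" ]; then
  printf '%s\n' "$WAN_IFACE not configured, aborting." >&2
  exit 1
fi
WAN_MASK=$(ifconfig "$WAN_IFACE" | grep Mask | cut -d : -f 4)
WAN_NET="$WAN_IP/$WAN_MASK"
## Reserved IPs:
#
# We should never see these private addresses coming in from outside
# to our external interface. -l logs each match, so spoofed packets
# show up in the kernel log.
for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 \
    169.254.0.0/16 224.0.0.0/4 240.0.0.0/5; do
  "$IPCHAINS" -A input -l -i "$WAN_IFACE" -s "$net" -j DENY
done
# Bogus routing
"$IPCHAINS" -A input -l -s 255.255.255.255 -d "$ANYWHERE" -j DENY
## LAN access and masquerading
#
# Allow connections from our own LAN's private IP addresses via the LAN
# interface and set up forwarding for masqueraders if we have a LAN_NET
# defined above.
if [ -n "$LAN_NET" ]; then
  # forward is already DENY by default, so enabling forwarding here only
  # lets the MASQ rule below take effect.
  echo 1 > /proc/sys/net/ipv4/ip_forward
  # NOTE(review): this accepts any source address arriving on LAN_IFACE,
  # not only LAN_NET as the comment above suggests. Adding -s "$LAN_NET"
  # would enforce that, but hosts sending from 0.0.0.0 (e.g. DHCP clients
  # served from this box) would then need their own rule -- confirm before
  # tightening.
  "$IPCHAINS" -A input -i "$LAN_IFACE" -j ACCEPT
  "$IPCHAINS" -A forward -s "$LAN_NET" -d "$LAN_NET" -j ACCEPT
  "$IPCHAINS" -A forward -s "$LAN_NET" -d ! "$LAN_NET" -j MASQ
fi
## Blacklist hosts/nets
#
# Get the blacklisted hosts/nets out of the way, before we start opening
# up any services. These will have no access to us at all, and will be
# logged.
# BLACKLIST is a whitespace-separated list of hosts/nets, so the
# unquoted expansion (word splitting) is intentional here.
# shellcheck disable=SC2086
for i in $BLACKLIST; do
  "$IPCHAINS" -A input -l -s "$i" -j DENY
done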