Red Hat NETSCAPE MANAGEMENT SYSTEM 6.2 - COMMAND-LINE Installation Guide Page 79
# already set, so all is not lost here.
[ -z "$WAN_IP" ] && echo "$WAN_IFACE not configured, aborting." && exit 1
# Netmask taken from the old-style ifconfig line "inet addr:... Bcast:... Mask:...".
# WAN_NET therefore carries a dotted mask (e.g. 1.2.3.4/255.255.255.0), which
# iptables accepts as a network specification.
WAN_MASK=`ifconfig $WAN_IFACE |grep Mask |cut -d : -f 4`
WAN_NET="$WAN_IP/$WAN_MASK"
## Reserved IPs:
#
# We should never see these private addresses coming in from outside
# to our external interface.
$IPTABLES -A INPUT -i $WAN_IFACE -s 10.0.0.0/8 -j DROP
$IPTABLES -A INPUT -i $WAN_IFACE -s 172.16.0.0/12 -j DROP
$IPTABLES -A INPUT -i $WAN_IFACE -s 192.168.0.0/16 -j DROP
$IPTABLES -A INPUT -i $WAN_IFACE -s 127.0.0.0/8 -j DROP
$IPTABLES -A INPUT -i $WAN_IFACE -s 169.254.0.0/16 -j DROP
$IPTABLES -A INPUT -i $WAN_IFACE -s 224.0.0.0/4 -j DROP
# /5 stops at 247.255.255.255; 240.0.0.0/4 would cover the whole reserved
# class E block (255.255.255.255 is dropped separately below).
$IPTABLES -A INPUT -i $WAN_IFACE -s 240.0.0.0/5 -j DROP
# Bogus routing
$IPTABLES -A INPUT -s 255.255.255.255 -d $ANYWHERE -j DROP
# Unclean
# "unclean" was an experimental 2.4-era match (patch-o-matic) for malformed
# packets; it is not available in current kernels, where the nearest
# equivalent is "-m conntrack --ctstate INVALID". Log is rate-limited so a
# flood of bad packets cannot fill the disk.
$IPTABLES -A INPUT -i $WAN_IFACE -m unclean -m limit \
--limit 15/minute -j LOG --log-prefix "Unclean: "
$IPTABLES -A INPUT -i $WAN_IFACE -m unclean -j DROP
## LAN access and masquerading
#
# Allow connections from our own LAN's private IP addresses via the LAN
# interface and set up forwarding for masqueraders if we have a LAN_NET
# defined above.
if [ -n "$LAN_NET" ]; then
# Turn the box into a router; without this nothing is forwarded at all.
echo 1 > /proc/sys/net/ipv4/ip_forward
$IPTABLES -A INPUT -i $LAN_IFACE -j ACCEPT
# $IPTABLES -A INPUT -i $LAN_IFACE -s $LAN_NET -d $LAN_NET -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IFACE -j MASQUERADE
fi
## Blacklist
#
# Get the blacklisted hosts/nets out of the way, before we start opening
# up any services. These will have no access to us at all, and will
# be logged.
for i in $BLACKLIST; do
$IPTABLES -A INPUT -s $i -m limit --limit 5/minute \
-j LOG --log-prefix "Blacklisted: "
$IPTABLES -A INPUT -s $i -j DROP
done
## Trusted hosts/nets
#
# This is our trusted host list. These have access to everything.
# Note that trust here rests on the source address alone, which is why
# the reserved-address drops above come first: a spoofed packet claiming
# a trusted private address on the WAN side never reaches this rule.
for i in $TRUSTED; do
$IPTABLES -A INPUT -s $i -j ACCEPT
done
# Port Forwarding
#
# Which ports get forwarded to which host. This is one to one
# port mapping (ie 80 -> 80) in this case.
[ -n "$FORWARD_HOST" ] &&\
for i in $FORWARD_PORTS; do
$IPTABLES -A FORWARD -p tcp -s $ANYWHERE -d $FORWARD_HOST \
Security Quick-Start HOWTO for Red Hat Linux
8.10.2. iptables II 76
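The "Reserved IPs" and "Unclean" blocks above are the part of this script most worth testing before it is loaded, since a mistake there either lets spoofed private sources through or locks the administrator out. The following is an added example, not part of the HOWTO's script: a dry-run builder for those WAN INPUT rules plus a pure-shell CIDR checker, so the reserved list can be exercised against sample addresses without root or iptables. It assumes an interface name of eth0 (WAN_IFACE, overridable) and runs with IPTABLES set to "echo" so rules are printed rather than applied; the "-m unclean" match is replaced with conntrack's INVALID state, since the unclean module is not available in current kernels. The in_cidr helper also accepts the dotted-mask form the script builds into WAN_NET.

```shell
# Added example, not part of the HOWTO's script. Dry-run by default:
# IPTABLES=echo prints rules; run as root with IPTABLES=/sbin/iptables
# to apply them. WAN_IFACE=eth0 is an assumed interface name.

WAN_IFACE=${WAN_IFACE:-eth0}
IPTABLES=${IPTABLES:-echo}

# Source ranges that must never arrive on the external interface. Same
# list as the script, except 240.0.0.0/4 covers all of class E (/5 stops
# at 247.255.255.255).
BOGONS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 169.254.0.0/16 224.0.0.0/4 240.0.0.0/4"

# ip2int DOTTED-QUAD: print the address as a 32-bit integer.
ip2int() {
    set -- $(echo "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET: succeed if ADDR lies inside NET. NET may be written
# with a prefix length (10.0.0.0/8) or, like WAN_NET in the script, with
# a dotted mask (192.0.2.0/255.255.255.0).
in_cidr() {
    cidr_addr=$(ip2int "$1")
    cidr_net=$(ip2int "${2%/*}")
    cidr_suffix=${2#*/}
    case $cidr_suffix in
        *.*) cidr_mask=$(ip2int "$cidr_suffix") ;;
        *)   cidr_mask=$(( (0xFFFFFFFF << (32 - cidr_suffix)) & 0xFFFFFFFF )) ;;
    esac
    [ $(( cidr_addr & cidr_mask )) -eq $(( cidr_net & cidr_mask )) ]
}

# bogon_source ADDR: succeed if ADDR would be dropped by the reserved list.
bogon_source() {
    for bogon_net in $BOGONS; do
        if in_cidr "$1" "$bogon_net"; then
            return 0
        fi
    done
    return 1
}

# wan_input_rules: emit the anti-spoofing rules for the external interface.
# "-m conntrack --ctstate INVALID" matches packets that belong to no known
# connection or are malformed; they are logged at the script's rate limit,
# then dropped, standing in for the old "-m unclean" pair.
wan_input_rules() {
    for bogon_net in $BOGONS; do
        $IPTABLES -A INPUT -i "$WAN_IFACE" -s "$bogon_net" -j DROP
    done
    $IPTABLES -A INPUT -i "$WAN_IFACE" -m conntrack --ctstate INVALID \
        -m limit --limit 15/minute -j LOG --log-prefix "Invalid: "
    $IPTABLES -A INPUT -i "$WAN_IFACE" -m conntrack --ctstate INVALID -j DROP
}

# Kernel reverse-path filtering rejects spoofed sources on every interface,
# not only the one the rules name; enable it too when applying for real.
enable_rp_filter() {
    [ "$IPTABLES" = echo ] && return 0
    echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
}

wan_input_rules
```

Running it prints seven DROP rules and the INVALID log/drop pair; `bogon_source 172.31.255.255` succeeds while `bogon_source 172.32.0.1` fails, which is exactly the boundary of the 172.16.0.0/12 range that a hand-written /16 would get wrong.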