#!/bin/bash
#
#  ==========================================================================
#  ========= Script per la configurazione di un Firewall per Linux ==========
#  ==========================================================================
#
# Scaricato da http://pluto.psy.unipd.it/ildp/altri/Quick-Easy-Configuration-HOWTO-10.html
# Da utilizzarsi esclusivamente per una macchina stand-alone connessa
# ad internet tramite connessione dial-up. E' necessario disporre di
# un kernel della serie 2.2.x o 2.3.x compilato con il supporto
# del masquerading, del firewall e l'opzione "always defragment".
# Viene filtrato cio' che entra e permesso alla rete di uscire
#
# $Revisione: 7.0$
# modificato da MrShark su un lavoro precedente di Maurizio Cimaschi,
# con vari preziosi suggerimenti di Pierluigi De Rosa e Marco d'Itri.
# (Se ci sono errori, fatemeli conoscere a: <mrshark@tiscalinet.it>).
#
# Utilizzo: firewall start|stop|status
#     start = attiva il firewall
#     stop = disattiva il firewall
#     status = impostazioni correnti del firewall
#
# by Antonio Fragola, aka MrShark - The Informaniac
#
 
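#------------------------------ make sure the script is run by root
# Compare the UID numerically, quoted and with the operand separated from
# the operator.  The original `[ $UID !=0 ]` handed test two words ("0" and
# "!=0"), so it failed with "unary operator expected" for root and non-root
# alike and never aborted: a non-root run simply fell through to the
# ipchains and /proc writes below, which then fail one by one with far less
# helpful messages.  $UID is a bash builtin; id -u is the fallback.
if [ "${UID:-$(id -u)}" -ne 0 ]; then
    clear
    echo -e "\aATTENZIONE: solo l'utente root puo' avviare il firewall!"
    exit 1
fi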

#  ==========================================================================
#  =========== Definizione delle variabili d'ambiente necessarie ============
#  ==========================================================================
 
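#------------------------------ useful variables
    IPCHAINS="/sbin/ipchains"
    # Names of every interface ifconfig reports (first word of each
    # "xxx  Link encap:..." line); only used for the diagnostic listings.
    INTERFACES=$(/sbin/ifconfig | grep Link | cut -d ' ' -f 1)
    CURRENT_KERNEL=$(uname -r)
    # ip_masq_* helper modules loaded when masquerading is enabled.
    IP_MASQ_MODULES="ftp irc quake"
    #IP_MASQ_MODULES="cuseeme ftp irc quake raudio vdolive"
    # The dial-up interface the whole rule set is written for.
    INTERFACE="ppp0"
    INTERFACEMASK="255.255.255.255"
    # Print the IPv4 address from an ifconfig report read on stdin.
    # Only the "inet addr:A.B.C.D" line is considered, and only the first
    # one: a bare `grep inet` also matches the "inet6 addr:" line that
    # IPv6-enabled hosts print, which yields a second (empty) output line
    # and corrupts LOCALIP and every ipchains rule built from it.
    ifconfig_inet_addr() {
        grep 'inet addr:' | head -n 1 | cut -d : -f 2 | cut -d ' ' -f 1
    }
    INTERFACEIP=$(/sbin/ifconfig "$INTERFACE" | ifconfig_inet_addr)
    # Host address in ipchains addr/mask notation; an empty address means
    # the interface is down (the start action checks for this).
    LOCALIP="$INTERFACEIP/$INTERFACEMASK"
    LOCALNET="192.168.0.0/16"
    ANYWHERE="0.0.0.0/0"
    LOOPBACK="127.0.0.0/8"
    # RFC 1918 private ranges plus multicast and reserved space: none of
    # these may legitimately appear as a source address on the dial-up link.
    CLASS_A="10.0.0.0/8"
    CLASS_B="172.16.0.0/12"
    CLASS_C="192.168.0.0/16"
    CLASS_D_MULTICAST="224.0.0.0/4"
    CLASS_E_RESERVED_NET="240.0.0.0/5"
    NFS_PORT="2049"                 # (TCP/UDP) NFS
    SOCKS_PORT="1080"               # (TCP) Socks
    # X Windows allocates ports starting at 6000, one more (up to 6063)
    # for each additional server that is running.
    XWINDOW_PORTS="6000:6063"       # (TCP) X windows
    # traceroute normally uses -S 32769:65535 -D 33434:33523
    TRACEROUTE_SRC_PORTS="32769:65535"
    TRACEROUTE_DEST_PORTS="33434:33523"
    PRIVPORTS="0:1023"
    UNPRIVPORTS="1024:65535"
    # The ssh client starts from port 1023 and works downwards to 513;
    # only the top two are allowed here (see the SSH rules below).
    SSH_PORTS="1022:1023"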
 
#------------------------------ ANSI colour escape sequences
    # Stored as the literal text "\033[...m" (single quotes, nothing is
    # interpreted here); the "echo -e" calls turn that into the real ESC
    # byte when a message is printed.  ORANGE is not referenced by this script.
    RED='\033[1;31m'
    GREEN='\033[0;32m'
    WHITE='\033[0;39m'
    CYAN='\033[0;36m'
    BLUE='\033[1;34m'
    ORANGE='\033[0;33m'
    YELLOW='\033[1;33m'
    MAGENTA='\033[1;35m'
 
#  ==========================================================================
#  ================== Definizione dei servizi utilizzabili ==================
#  ============ ON=Servizio attivo    OFF=Servizio non richiesto ============
#  ==========================================================================
 
# Masquerading: ON only when a local network has to reach the Internet
# through this host; the header describes a stand-alone machine, for which
# OFF is sufficient.
MASQ=ON
# Per-service switches read by the "start" action: ON adds the input-chain
# rules that let that service's return traffic in, OFF leaves them out
# (the input policy is DENY, so nothing else gets through).
FTP=ON     # ftp control/data replies, port and passive mode
DNS1=ON    # replies from $DNS1_IP
DNS2=ON    # replies from $DNS2_IP
HTTP=ON    # web (80/443) replies from any host
SMTP=ON    # replies from $SMTP_IP
NNTP=ON    # replies from $NNTP_IP
POP3=ON    # replies from the POP3_n_IP servers
ICMP=ON    # echo-reply, destination-unreachable, time-exceeded
AUTH=ON    # ident (113)
IRC=OFF    # replies from any host's port 6667
ICQ=OFF    # replies from any host's ports 2000-4000 (tcp and udp)
SSH=ON     # replies from any host's port 22
NAP=OFF    # Napster replies from any host's port 6699
 
#  ==========================================================================
#  ============== Definizione degli IP dei servizi del provider =============
#  ==========================================================================
 
# comment/uncomment only the sections of interest, or add your own.
# These addresses are baked into the input-chain ACCEPT rules of the
# "start" action: if a provider renumbers a server, that service silently
# stops working (its replies hit the logged DENY rules at the end).
#------------------------------ libero addresses
    DNS1_IP="195.210.91.1"
    DNS2_IP="195.210.91.2"
    SMTP_IP="193.70.192.50"
    NNTP_IP="192.106.1.6"
#------------------------------ iol1055 addresses
    #DNS1_IP="195.210.91.1"
    #DNS2_IP="195.210.91.2"
    #SMTP_IP="193.70.192.50"
    #NNTP_IP="193.70.192.201"
#------------------------------ tiscali addresses
    #DNS1_IP="195.130.224.18"
    #DNS2_IP="195.130.225.129"
    #SMTP_IP="195.130.224.22"
    #NNTP_IP="195.130.224.123"
#------------------------------ clubnet addresses
    #DNS1_IP="212.216.112.222"
    #DNS2_IP="212.216.172.162"
    #note: clubnet's smtp service has several addresses - look them up with nslookup
    #SMTP_IP="212.216.176.50"
    #NNTP_IP="194.243.154.18"
 
# Note: list ALL the POP3 servers you use, not only the current provider's,
# otherwise mail cannot be fetched from the others (the POP3 rules accept
# replies only from these exact addresses).
    #tiscali pop3
    POP3_1_IP="195.130.224.23"
    #iol1055 pop3
    POP3_2_IP="193.70.192.80"
    #libero pop3
    POP3_3_IP="193.70.192.70"
    #clubnet pop3
    #note: clubnet's pop service has several addresses
    POP3_4_IP="212.216.176.71"
    POP3_5_IP="212.216.176.64"
    POP3_6_IP="212.216.176.65"
    POP3_7_IP="212.216.176.67"
    POP3_8_IP="212.216.176.68"
    POP3_9_IP="212.216.176.69"
    POP3_10_IP="212.216.176.70"
 
#  ==========================================================================
#  =========== Da qui in poi non toccare niente (al piu' solo la ===========
#  ========== parte del POP3 per aggiungere/rimuovere gli account) ==========
#  ==========================================================================
 
case "$1" in
 
#------------------------------ "start" action
    start)
#------------------------------ check that the dial-up interface is up
# $INTERFACEIP is unquoted: this works only because the value is either
# empty (one-word test, true) or a single address.
        if [ -z $INTERFACEIP ]; then
#------------------------------ if it is not, warn and exit with status 1
            clear
            echo -e "${RED}ATTENZIONE: ${YELLOW}l'interfaccia "
            echo -e "${RED}ppp0${YELLOW} NON e' attiva nel sistema."
            echo -e "Firewall NON attivato. Controllare la connessione Internet."
            echo -en "${WHITE}Interfacce attualmente attive nel PC: "
            for irf in ${INTERFACES} ; do
                echo -en "${RED}${irf}${WHITE} "
            done
            echo -e "\n\a"
            exit 1
#------------------------------ the interface is up: build the rule set
        else
            echo
            echo "Attivazione del Firewall in corso..."
            echo -e "Indirizzo IP locale sull'interfaccia ${YELLOW}$INTERFACE"
            echo -e "${WHITE} : ${RED}$LOCALIP${WHITE}"
            echo -n "Flushing delle regole eventualmente presenti : "
            # Flush the three built-in chains.  The policies are NOT reset
            # here: input is set to DENY further down, forward only inside
            # the masquerading branch (see the note there).
            $IPCHAINS -F input
            $IPCHAINS -F output
            $IPCHAINS -F forward
            echo -e "\t\t\t[ ${GREEN}OK ${WHITE}]"
 
#  ==========================================================================
#  ============================ Input-chain rules ===========================
#  ==========================================================================
 
#------------------------------ loopback, local net and kernel protections
            echo -n "Permesso al traffico locale sull'interfaccia di loopback : "
            $IPCHAINS -A input -s $ANYWHERE -i lo -j ACCEPT
            # NOTE(review): this rule is not bound to an interface, so a
            # packet arriving on $INTERFACE with a spoofed 192.168.x.x source
            # matches it before the $CLASS_C anti-spoofing DENY further down;
            # when rp_filter is unavailable nothing else rejects it.  Binding
            # it to the LAN interface (e.g. "-i eth0") would close that gap.
            $IPCHAINS -A input -s $LOCALNET -d $ANYWHERE -j ACCEPT
            echo -e "\t[ ${GREEN}OK ${WHITE}]"
            echo -n "Attivazione Source Address Verification : "
            # Reverse-path filtering on every interface, when the kernel
            # offers it.
            if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
                for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
                    echo 1 > $f
                done
                echo -e "\t\t\t[ ${GREEN}OK ${WHITE}]"
            else
                echo -e "\t\t\t[ ${RED}NO ${WHITE}]"
                echo -n "SAV non disponibile, utilizzo di ipchains : "
                # NOTE(review): this fallback only re-accepts loopback traffic
                # (already accepted above); it is not a substitute for
                # rp_filter.  Without rp_filter the DENY rules at the end of
                # this chain are the only anti-spoofing defence.
                $IPCHAINS -A input -s 127.0.0.1 -i lo -j ACCEPT
                echo -e "\t\t\t[ ${GREEN}OK ${WHITE}]"
            fi
 
            # Kernel sysctl hardening: each toggle is skipped with a "NO"
            # when the running kernel does not expose it.
            echo -n "Attivazione TCP SYN Cookie Protection : "
            if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then
                echo 1 >/proc/sys/net/ipv4/tcp_syncookies
                echo -e "\t\t\t[ ${GREEN}OK ${WHITE}]"
            else
                echo -e "\t\t\t[ ${RED}NO ${WHITE}]"
            fi
 
            echo -n "Attivazione Always Defragging Protection : "
            if [ -e /proc/sys/net/ipv4/ip_always_defrag ]; then
                echo 1 > /proc/sys/net/ipv4/ip_always_defrag
                echo -e "\t\t\t[ ${GREEN}OK ${WHITE}]"
            else
                echo -e "\t\t\t[ ${RED}NO ${WHITE}]"
            fi
 
            echo -n "Attivazione Broadcast Echo Protection : "
            if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]; then
                echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
                echo -e "\t\t\t[ ${GREEN}OK ${WHITE}]"
            else
                echo -e "\t\t\t[ ${RED}NO ${WHITE}]"
            fi
 
            echo -n "Attivazione Bad Error Message Protection : "
            if [ -e /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ]; then
                echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
                echo -e "\t\t\t[ ${GREEN}OK ${WHITE}]"
            else
                echo -e "\t\t\t[ ${RED}NO ${WHITE}]"
            fi
 
            echo -n "Disattivazione ICMP Redirect Acceptance : "
            if [ -e /proc/sys/net/ipv4/conf/all/accept_redirects ]; then
                for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
                    echo 0 > $f
                done
                echo -e "\t\t\t[ ${GREEN}OK ${WHITE}]"
            else
                echo -e "\t\t\t[ ${RED}NO ${WHITE}]"
            fi
 
            echo -n "Disattivazione Source Routed Packets : "
            if [ -e /proc/sys/net/ipv4/conf/all/accept_source_route ]; then
                for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
                    echo 0 > $f
                done
                echo -e "\t\t\t\t[ ${GREEN}OK ${WHITE}]"
            else
                echo -e "\t\t\t\t[ ${RED}NO ${WHITE}]"
            fi
 
            echo -e "${YELLOW}Attivazione dei servizi in ingresso richiesti : ${WHITE}"
            echo -n "Impostazione della POLICY di ingresso a DENY : "
            # Default deny from here on; everything accepted below is return
            # traffic for connections this host opens (ipchains keeps no
            # connection state, hence the source-port/"! -y" matching).
            $IPCHAINS -P input DENY
            echo -e "\t\t\t[ ${GREEN}OK ${WHITE}]"
 
#------------------------------ DNS1 (53): replies from the primary resolver
            # Only replies from the configured server to unprivileged local
            # ports; "! -y" excludes TCP SYNs, so the server cannot open
            # connections towards this host.
            echo -n "Server DNS primario : "
            if [ $DNS1 = "ON" ]; then
                $IPCHAINS -A input -p tcp ! -y -s $DNS1_IP 53 -d $LOCALIP \
                    $UNPRIVPORTS -j ACCEPT
                $IPCHAINS -A input -p udp -s $DNS1_IP 53 -d $LOCALIP \
                    $UNPRIVPORTS -j ACCEPT
                echo -e "\t\t\t\t\t\t[ ${GREEN}OK ${WHITE}]"
            else
                echo -e "\t\t\t\t\t\t[ ${RED}NO ${WHITE}]"
            fi
 
#------------------------------ DNS2 (53): replies from the secondary resolver
            echo -n "Server DNS secondario : "
            if [ $DNS2 = "ON" ]; then
                $IPCHAINS -A input -p tcp ! -y -s $DNS2_IP 53 -d $LOCALIP \
                    $UNPRIVPORTS -j ACCEPT
                $IPCHAINS -A input -p udp -s $DNS2_IP 53 -d $LOCALIP \
                    $UNPRIVPORTS -j ACCEPT
                echo -e "\t\t\t\t\t[ ${GREEN}OK ${WHITE}]"
            else
                echo -e "\t\t\t\t\t[ ${RED}NO ${WHITE}]"
            fi
 
#------------------------------ HTTP (80) and HTTPS (443)
            # Non-SYN segments from port 80/443 of ANY host to unprivileged
            # local ports: the return path for outbound web connections.
            echo -n "Navigazione WEB : "
            if [ $HTTP = "ON" ]; then
                $IPCHAINS -A input -p tcp ! -y -s 0/0 80 -d $LOCALIP \
                    $UNPRIVPORTS -j ACCEPT
                $IPCHAINS -A input -p tcp ! -y -s 0/0 443 -d $LOCALIP \
                    $UNPRIVPORTS -j ACCEPT
                echo -e "\t\t\t\t\t\t[ ${GREEN}OK ${WHITE}]"
            else
                echo -e "\t\t\t\t\t\t[ ${RED}NO ${WHITE}]"
            fi
 
#------------------------------ SMTP (25): replies from the provider's relay
            # NOTE(review): unlike the DNS/HTTP/NNTP rules this one has no
            # "! -y", so a SYN from $SMTP_IP port 25 to any unprivileged
            # local port is accepted too, i.e. that host may open connections
            # here.  Looks like an oversight; add "! -y" as in the other rules.
            echo -n "Invio posta : "
            if [ $SMTP = "ON" ]; then
            $IPCHAINS -A input -p tcp -s $SMTP_IP 25 -d $LOCALIP \
                    $UNPRIVPORTS -j ACCEPT
            # Alternative: accept replies from any SMTP server (kept disabled).
            # $IPCHAINS -A input -p tcp -s $ANYWHERE 25 -d $LOCALIP \
            #        $UNPRIVPORTS -j ACCEPT
                echo -e "\t\t\t\t\t\t\t[ ${GREEN}OK ${WHITE}]"
            else
                echo -e "\t\t\t\t\t\t\t[ ${RED}NO ${WHITE}]"
            fi
 
#------------------------------ POP3 (110): replies from the listed servers
            # NOTE(review): same as SMTP -- no "! -y", so each listed POP3
            # server may also open connections to unprivileged local ports.
            echo -n "Prelievo posta : "
            if [ $POP3 = "ON" ]; then
                $IPCHAINS -A input -p tcp -s $POP3_1_IP 110 -d $LOCALIP \
                    $UNPRIVPORTS -j ACCEPT
                $IPCHAINS -A input -p tcp -s $POP3_2_IP 110 -d $LOCALIP \
                    $UNPRIVPORTS -j ACCEPT
                $IPCHAINS -A input -p tcp -s $POP3_3_IP 110 -d $LOCALIP \
                    $UNPRIVPORTS -j ACCEPT
                $IPCHAINS -A input -p tcp -s $POP3_4_IP 110 -d $LOCALIP \
                    $UNPRIVPORTS -j ACCEPT
                $IPCHAINS -A input -p tcp -s $POP3_5_IP 110 -d $LOCALIP \
                    $UNPRIVPORTS -j ACCEPT
                $IPCHAINS -A input -p tcp -s $POP3_6_IP 110 -d $LOCALIP \
                    $UNPRIVPORTS -j ACCEPT
                $IPCHAINS -A input -p tcp -s $POP3_7_IP 110 -d $LOCALIP \
                    $UNPRIVPORTS -j ACCEPT
                $IPCHAINS -A input -p tcp -s $POP3_8_IP 110 -d $LOCALIP \
                    $UNPRIVPORTS -j ACCEPT
                $IPCHAINS -A input -p tcp -s $POP3_9_IP 110 -d $LOCALIP \
                    $UNPRIVPORTS -j ACCEPT
                $IPCHAINS -A input -p tcp -s $POP3_10_IP 110 -d $LOCALIP \
                    $UNPRIVPORTS -j ACCEPT
                echo -e "\t\t\t\t\t\t[ ${GREEN}OK ${WHITE}]"
            else
                echo -e "\t\t\t\t\t\t[ ${RED}NO ${WHITE}]"
            fi
 
#------------------------------ NNTP (119): replies from the news server
            echo -n "Newsgroup Usenet : "
            if [ $NNTP = "ON" ]; then
                $IPCHAINS -A input -p tcp ! -y -s $NNTP_IP 119 -d $LOCALIP \
                    $UNPRIVPORTS -j ACCEPT
                echo -e "\t\t\t\t\t\t[ ${GREEN}OK ${WHITE}]"
            else
                echo -e "\t\t\t\t\t\t[ ${RED}NO ${WHITE}]"
            fi
 
#------------------------------ FTP (20/21)
            echo -n "File Transfer Protocol : "
            if [ $FTP = "ON" ]; then
                # Replies on the control connection (remote port 21).
                $IPCHAINS -A input -p tcp ! -y --source-port 21 -d $LOCALIP \
                    $UNPRIVPORTS -j ACCEPT
                # FTP port (active) mode: the server opens the data connection
                # from its port 20, so SYNs must be allowed here.
                # NOTE(review): this accepts a SYN from ANY host to ANY
                # unprivileged local port as long as its source port is 20 --
                # a well-known way around stateless filters.  If active-mode
                # FTP is not needed, use passive mode and drop this rule.
                $IPCHAINS -A input -p tcp --source-port 20 -d $LOCALIP \
                    $UNPRIVPORTS -j ACCEPT
                # FTP passive mode (without this browsers cannot reach FTP sites).
                # NOTE(review): the broadest rule in the chain -- every non-SYN
                # TCP segment from any unprivileged port anywhere to any
                # unprivileged local port.  Whenever FTP is ON it already
                # covers the IRC/ICQ/Napster reply rules below.
                $IPCHAINS -A input -p tcp ! -y --source-port $UNPRIVPORTS \
                    -d $LOCALIP $UNPRIVPORTS -j ACCEPT
                echo -e "\t\t\t\t\t[ ${GREEN}OK ${WHITE}]"
            else
                echo -e "\t\t\t\t\t[ ${RED}NO ${WHITE}]"
            fi
 
#------------------------------ SSH (22)
            # Replies from a remote sshd (port 22) to the local client's source
            # port: an unprivileged one, or 1022-1023 when the client binds a
            # privileged port (SSH_PORTS).  No rule lets remote hosts open
            # connections to a local sshd.
            echo -n "Secure Shell : "
            if [ $SSH = "ON" ]; then
                $IPCHAINS -A input -p tcp ! -y -s $ANYWHERE 22 -d $LOCALIP \
                    $UNPRIVPORTS -j ACCEPT
                $IPCHAINS -A input -p tcp ! -y -s $ANYWHERE 22 -d $LOCALIP \
                    $SSH_PORTS -j ACCEPT
                echo -e "\t\t\t\t\t\t\t[ ${GREEN}OK ${WHITE}]"
            else
                echo -e "\t\t\t\t\t\t\t[ ${RED}NO ${WHITE}]"
            fi
 
#------------------------------ ICMP (types 0/3/11 only)
            # echo-reply, destination-unreachable and time-exceeded from any
            # host: enough for ping/traceroute replies and unreachable errors.
            # echo-request (8) is not accepted, so the host does not answer
            # pings from outside (it falls to the unlogged DENY policy).
            echo -n "Traffico ICMP : "
            if [ $ICMP = "ON" ]; then
                $IPCHAINS -A input -p icmp -s $ANYWHERE 0 -d $LOCALIP -j ACCEPT
                $IPCHAINS -A input -p icmp -s $ANYWHERE 3 -d $LOCALIP -j ACCEPT
                $IPCHAINS -A input -p icmp -s $ANYWHERE 11 -d $LOCALIP -j ACCEPT
                echo -e "\t\t\t\t\t\t[ ${GREEN}OK ${WHITE}]"
            else
                echo -e "\t\t\t\t\t\t[ ${RED}NO ${WHITE}]"
            fi
 
#------------------------------ AUTH / ident (113)
            # NOTE(review): with "! -y" only non-SYN segments to port 113 are
            # accepted, so a remote ident request can never complete the
            # handshake; its SYN falls through to the logged TCP DENY below.
            # If the intent is to answer ident queries (as the label
            # suggests) the rule needs the SYN allowed; if the intent is a
            # quiet reject, the rule is a no-op -- confirm which.
            echo -n "Richieste di identificazione : "
            if [ $AUTH = "ON" ]; then
                $IPCHAINS -A input -p tcp ! -y -d $LOCALIP 113 -j ACCEPT
                echo -e "\t\t\t\t\t[ ${GREEN}OK ${WHITE}]"
            else
                echo -e "\t\t\t\t\t[ ${RED}NO ${WHITE}]"
            fi
 
#------------------------------ IRC (6667): replies from any IRC server
            echo -n "Internet Relay Chat : "
            if [ $IRC = "ON" ]; then
                $IPCHAINS -A input -p tcp ! -y -s $ANYWHERE 6667 -d $LOCALIP \
                    $UNPRIVPORTS -j ACCEPT
                echo -e "\t\t\t\t\t\t[ ${GREEN}OK ${WHITE}]"
            else
                echo -e "\t\t\t\t\t\t[ ${RED}NO ${WHITE}]"
            fi
 
#------------------------------ ICQ (2000:4000): tcp replies and udp from any host
            echo -n "ICQ : "
            if [ $ICQ = "ON" ]; then
                $IPCHAINS -A input -p tcp ! -y -s $ANYWHERE 2000:4000 -d $LOCALIP \
                    $UNPRIVPORTS -j ACCEPT
                $IPCHAINS -A input -p udp -s $ANYWHERE 2000:4000 -d $LOCALIP \
                    $UNPRIVPORTS -j ACCEPT
                echo -e "\t\t\t\t\t\t\t\t[ ${GREEN}OK ${WHITE}]"
            else
                echo -e "\t\t\t\t\t\t\t\t[ ${RED}NO ${WHITE}]"
            fi
 
#------------------------------ NAPSTER (6699): replies from any host
            echo -n "NAPSTER : "
            if [ $NAP = "ON" ]; then
                $IPCHAINS -A input -p tcp ! -y -s $ANYWHERE 6699 -d $LOCALIP \
                    $UNPRIVPORTS -j ACCEPT
                echo -e "\t\t\t\t\t\t\t[ ${GREEN}OK ${WHITE}]"
            else
                echo -e "\t\t\t\t\t\t\t[ ${RED}NO ${WHITE}]"
            fi
 
#------------------------------ deny and log everything else
            echo -n "Blocco e log di tutto il resto : "
            # NOTE(review): the anti-spoofing DENYs in this section sit AFTER
            # the ACCEPT rules, so a spoofed packet that matches one of those
            # (say, source port 80 and no SYN) is accepted before it gets
            # here.  Moving this section ahead of the per-service rules would
            # make the spoofing checks effective.
            # Reject spoofed packets that claim our own address as source.
            $IPCHAINS -A input -i $INTERFACE -s $LOCALIP -j DENY -l
            # Reject packets from/to the class A private range (10/8);
            # note the source rule is the only one here without "-l".
            $IPCHAINS -A input -i $INTERFACE -s $CLASS_A -j DENY
            $IPCHAINS -A input -i $INTERFACE -d $CLASS_A -j DENY -l
            # Reject packets from/to the class B private range (172.16/12)
            $IPCHAINS -A input -i $INTERFACE -s $CLASS_B -j DENY -l
            $IPCHAINS -A input -i $INTERFACE -d $CLASS_B -j DENY -l
            # Reject packets from/to the class C private range (192.168/16)
            $IPCHAINS -A input -i $INTERFACE -s $CLASS_C -j DENY -l
            $IPCHAINS -A input -i $INTERFACE -d $CLASS_C -j DENY -l
            # Reject packets that claim to come from the loopback network
            $IPCHAINS -A input -i $INTERFACE -s $LOOPBACK -j DENY -l
            # Reject packets with the broadcast address as SOURCE
            $IPCHAINS -A input -i $INTERFACE -s $INTERFACEMASK -j DENY -l
            # NOTE(review): "-d $ANYWHERE" is 0.0.0.0/0 and matches every
            # packet, so this rule denies and logs everything that reached
            # this point and makes every later rule of the input chain
            # unreachable (the specific NFS/X/SOCKS/traceroute log rules
            # never fire).  By symmetry with the "-s" rule above it was
            # presumably meant to match the broadcast DESTINATION, i.e.
            # "-d 255.255.255.255" -- confirm against the original HOWTO.
            $IPCHAINS -A input -i $INTERFACE -d $ANYWHERE -j DENY -l
            # Reject class D multicast source addresses (in.h) (NET-3-HOWTO).
            # Multicast is not legal as a source address, and uses UDP.
            $IPCHAINS -A input -i $INTERFACE -s $CLASS_D_MULTICAST -j DENY -l
            # Reject packets from reserved class E addresses
            $IPCHAINS -A input -i $INTERFACE -s $CLASS_E_RESERVED_NET -j DENY -l
            # Reject packets from address blocks listed as reserved by IANA
            # 0.*.*.*, 1.*.*.*, 2.*.*.*, 5.*.*.*, 7.*.*.*, 23.*.*.*, 27.*.*.*
            # 31.*.*.*, 37.*.*.*, 39.*.*.*, 41.*.*.*, 42.*.*.*, 58-60.*.*.*
            # 65-95.*.*.*, 96-126.*.*.*, 197.*.*.*, 201.*.*.* (?), 217-223.*.*.*
            # NOTE(review): a static bogon list goes stale as IANA allocates
            # space; check these blocks against current allocations before
            # relying on them (stale entries deny legitimate peers and show
            # up as log noise).
            $IPCHAINS -A input -i $INTERFACE -s 1.0.0.0/8 -j DENY -l
            $IPCHAINS -A input -i $INTERFACE -s 2.0.0.0/8 -j DENY -l
            $IPCHAINS -A input -i $INTERFACE -s 5.0.0.0/8 -j DENY -l
            $IPCHAINS -A input -i $INTERFACE -s 7.0.0.0/8 -j DENY -l
            $IPCHAINS -A input -i $INTERFACE -s 23.0.0.0/8 -j DENY -l
            $IPCHAINS -A input -i $INTERFACE -s 27.0.0.0/8 -j DENY -l
            $IPCHAINS -A input -i $INTERFACE -s 31.0.0.0/8 -j DENY -l
            $IPCHAINS -A input -i $INTERFACE -s 37.0.0.0/8 -j DENY -l
            $IPCHAINS -A input -i $INTERFACE -s 39.0.0.0/8 -j DENY -l
            $IPCHAINS -A input -i $INTERFACE -s 41.0.0.0/8 -j DENY -l
            $IPCHAINS -A input -i $INTERFACE -s 42.0.0.0/8 -j DENY -l
            $IPCHAINS -A input -i $INTERFACE -s 49.0.0.0/8 -j DENY -l
            $IPCHAINS -A input -i $INTERFACE -s 50.0.0.0/8 -j DENY -l
            $IPCHAINS -A input -i $INTERFACE -s 58.0.0.0/7 -j DENY -l
            $IPCHAINS -A input -i $INTERFACE -s 60.0.0.0/8 -j DENY -l
            $IPCHAINS -A input -i $INTERFACE -s 65.0.0.0/8 -j DENY -l
            $IPCHAINS -A input -i $INTERFACE -s 66.0.0.0/8 -j DENY -l
            $IPCHAINS -A input -i $INTERFACE -s 67.0.0.0/8 -j DENY -l
            $IPCHAINS -A input -i $INTERFACE -s 68.0.0.0/8 -j DENY -l
            $IPCHAINS -A input -i $INTERFACE -s 69.0.0.0/8 -j DENY -l
            $IPCHAINS -A input -i $INTERFACE -s 70.0.0.0/8 -j DENY -l
            $IPCHAINS -A input -i $INTERFACE -s 71.0.0.0/8 -j DENY -l
            $IPCHAINS -A input -i $INTERFACE -s 72.0.0.0/8 -j DENY -l
            $IPCHAINS -A input -i $INTERFACE -s 73.0.0.0/8 -j DENY -l
            $IPCHAINS -A input -i $INTERFACE -s 74.0.0.0/8 -j DENY -l
            $IPCHAINS -A input -i $INTERFACE -s 75.0.0.0/8 -j DENY -l
            $IPCHAINS -A input -i $INTERFACE -s 76.0.0.0/8 -j DENY -l
            $IPCHAINS -A input -i $INTERFACE -s 77.0.0.0/8 -j DENY -l
            $IPCHAINS -A input -i $INTERFACE -s 78.0.0.0/8 -j DENY -l
            $IPCHAINS -A input -i $INTERFACE -s 79.0.0.0/8 -j DENY -l
            $IPCHAINS -A input -i $INTERFACE -s 80.0.0.0/4 -j DENY -l
            $IPCHAINS -A input -i $INTERFACE -s 96.0.0.0/4 -j DENY -l
            $IPCHAINS -A input -i $INTERFACE -s 112.0.0.0/8 -j DENY -l
            $IPCHAINS -A input -i $INTERFACE -s 113.0.0.0/8 -j DENY -l
            $IPCHAINS -A input -i $INTERFACE -s 114.0.0.0/8 -j DENY -l
            $IPCHAINS -A input -i $INTERFACE -s 115.0.0.0/8 -j DENY -l
            $IPCHAINS -A input -i $INTERFACE -s 116.0.0.0/8 -j DENY -l
            $IPCHAINS -A input -i $INTERFACE -s 117.0.0.0/8 -j DENY -l
            $IPCHAINS -A input -i $INTERFACE -s 118.0.0.0/8 -j DENY -l
            $IPCHAINS -A input -i $INTERFACE -s 119.0.0.0/8 -j DENY -l
            $IPCHAINS -A input -i $INTERFACE -s 120.0.0.0/8 -j DENY -l
            $IPCHAINS -A input -i $INTERFACE -s 121.0.0.0/8 -j DENY -l
            $IPCHAINS -A input -i $INTERFACE -s 122.0.0.0/8 -j DENY -l
            $IPCHAINS -A input -i $INTERFACE -s 123.0.0.0/8 -j DENY -l
            $IPCHAINS -A input -i $INTERFACE -s 124.0.0.0/8 -j DENY -l
            $IPCHAINS -A input -i $INTERFACE -s 125.0.0.0/8 -j DENY -l
            $IPCHAINS -A input -i $INTERFACE -s 126.0.0.0/8 -j DENY -l
            $IPCHAINS -A input -i $INTERFACE -s 197.0.0.0/8 -j DENY -l
            $IPCHAINS -A input -i $INTERFACE -s 217.0.0.0/8 -j DENY -l
            $IPCHAINS -A input -i $INTERFACE -s 218.0.0.0/8 -j DENY -l
            $IPCHAINS -A input -i $INTERFACE -s 219.0.0.0/8 -j DENY -l
            $IPCHAINS -A input -i $INTERFACE -s 220.0.0.0/6 -j DENY -l
#------------------------------ unprivileged TCP ports
            # Connection attempts (SYN) to services that must never be
            # reachable from the link get their own logged DENY so they
            # stand out in the log.
            # NFS: TCP connection attempt
            $IPCHAINS -A input -i $INTERFACE -p tcp -y -d $LOCALIP \
                $NFS_PORT -j DENY -l
            # X window: connection attempt
            $IPCHAINS -A input -i $INTERFACE -p tcp -y -d $LOCALIP \
                $XWINDOW_PORTS -j DENY -l
            # SOCKS: connection attempt
            $IPCHAINS -A input -i $INTERFACE -p tcp -y -d $LOCALIP \
                $SOCKS_PORT -j DENY -l
#------------------------------ unprivileged UDP ports
            # NFS: UDP
            $IPCHAINS -A input -i $INTERFACE -p udp -d $LOCALIP \
                $NFS_PORT -j DENY -l
            # incoming UDP traceroute probes
            $IPCHAINS -A input -i $INTERFACE -p udp -s $ANYWHERE \
                $TRACEROUTE_SRC_PORTS -d $LOCALIP $TRACEROUTE_DEST_PORTS -j DENY -l
#------------------------------ other logged catch-alls
            # Any other TCP, UDP (privileged and unprivileged), ICMP redirect
            # (5) and ICMP types 13-255.  ICMP types 1-2, 4, 6-10 and 12
            # (including echo-request) reach the unlogged DENY policy.
            $IPCHAINS -A input -i $INTERFACE -p tcp -d $LOCALIP -j DENY -l
            $IPCHAINS -A input -i $INTERFACE -p udp -d $LOCALIP $PRIVPORTS \
                -j DENY -l
            $IPCHAINS -A input -i $INTERFACE -p udp -d $LOCALIP $UNPRIVPORTS \
                -j DENY -l
            $IPCHAINS -A input -i $INTERFACE -p icmp -s $ANYWHERE 5 -d $LOCALIP \
                -j DENY -l
            $IPCHAINS -A input -i $INTERFACE -p icmp -s $ANYWHERE 13:255 -d $LOCALIP \
                -j DENY -l
            echo -e "\t\t\t\t[ ${GREEN}OK ${WHITE}]"
 
#  ==========================================================================
#  ===================== Masquerading towards the outside ===================
#  ==========================================================================
 
#------------------------------ check that the masquerading helper modules exist
            if [ $MASQ = "ON" ]; then
                echo -e "${YELLOW}Mascheramento : ${WHITE}"
                echo -n "Controllo presenza moduli necessari : "
                # Look for each ip_masq_<mod>.o under the running kernel's
                # module tree; a single missing module disables masquerading.
                MASQ_PRESENT=""
                for mod in ${IP_MASQ_MODULES}; do
                    if [ ! -e /lib/modules/$CURRENT_KERNEL/ipv4/ip_masq_${mod}.o ]; then
                        MASQ_PRESENT="err"
                    fi
                done
#------------------------------ all present: load them and enable masquerading
                if [ -z ${MASQ_PRESENT} ]; then
                    echo -e "\t\t\t\t[ ${GREEN}OK ${WHITE}]"
                    echo -n "Installazione dei moduli necessari al Mascheramento : "
                    for mod in ${IP_MASQ_MODULES} ; do
                        /sbin/insmod "ip_masq_${mod}"
                    done
                    echo -e "\t\t[ ${GREEN}OK ${WHITE}]"
                    echo -n "Attivazione IP forwarding : "
                    echo 1 > /proc/sys/net/ipv4/ip_forward
                    echo -e "\t\t\t\t\t[ ${GREEN}OK ${WHITE}]"
                    echo -n "Impostazione della POLICY di inoltro a DENY : "
                    # Forward chain: deny by default, masquerade everything
                    # sourced from the local net (no interface restriction).
                    $IPCHAINS -P forward DENY
                    $IPCHAINS -A forward -p all -s $LOCALNET -d $ANYWHERE -j MASQ
                    echo -e "\t\t\t[ ${GREEN}OK ${WHITE}]"
                    echo -n "Impostazione Timeout mascheramento connessioni TCP a 10 ore : "
                    # Masquerade table timeouts: TCP 36000 s (10 h); per the
                    # ipchains -M -S semantics a 0 leaves the TCP-FIN and UDP
                    # timeouts unchanged.
                    $IPCHAINS -M -S 36000 0 0
                    echo -e "\t[ ${GREEN}OK ${WHITE}]"
                    echo -n "Blocco e log di tutto il resto : "
                    $IPCHAINS -A forward -j DENY -s $ANYWHERE -d $ANYWHERE -l
                    echo -e "\t\t\t\t[ ${GREEN}OK ${WHITE}]"
#------------------------------ modules missing: warn and carry on without masquerading
                else
                    echo -e "\t\t\t\t[ ${RED}NO ${WHITE}]"
                    echo
                    echo -e "${RED}Errore!!! Moduli per il Mascheramento "
                    echo -e "non presenti nel sistema. Ricompilare il kernel col "
                    echo -e "supporto per firewall e masquerading.${WHITE}"
                    echo
                fi
            else
                # NOTE(review): when masquerading is OFF (or the modules are
                # missing) neither ip_forward nor the forward policy is
                # touched: after a "stop", which sets the forward policy to
                # ACCEPT, a following "start" leaves it at ACCEPT.  Setting
                # "-P forward DENY" unconditionally right after the flush
                # would be safer.
                echo -en "${YELLOW}Mascheramento : ${WHITE}"
                echo -e "\t\t\t\t\t\t[ ${RED}NO ${WHITE}]"
            fi
        fi
;;
 
#------------------------------ "stop" action
    stop)
        clear
        echo "Disattivazione del Firewall in corso..."
        # Flush every chain and open both policies: the host is completely
        # unfiltered after this (hence the warning below).  The sysctl
        # hardening set by "start" is left in place.
        $IPCHAINS -F
        $IPCHAINS -P input ACCEPT
        $IPCHAINS -P forward ACCEPT
        # Unload the helper modules and turn forwarding off, but only when
        # all of them exist on disk (same test as in "start").
        MASQ_PRESENT=""
        for mod in ${IP_MASQ_MODULES} ; do
            if [ ! -e /lib/modules/$CURRENT_KERNEL/ipv4/ip_masq_${mod}.o ]; then
                MASQ_PRESENT="err"
            fi
        done
        if [ -z ${MASQ_PRESENT} ] ; then
            echo -n "Rimozione dei moduli necessari al Mascheramento : "
            for mod in ${IP_MASQ_MODULES} ; do
                /sbin/rmmod "ip_masq_${mod}"
            done
            echo -e "\t\t[ ${GREEN}OK ${WHITE}]"
            echo -n "Disattivazione IP forwarding : "
            echo 0 > /proc/sys/net/ipv4/ip_forward
            echo -e "\t\t\t\t\t[ ${GREEN}OK ${WHITE}]"
        fi
        echo -e "${YELLOW}ATTENZIONE: IL FIREWALL NON E' PIU' OPERATIVO${WHITE}"
;;
 
#------------------------------ "status" action: list the current rules
    status)
        clear
        echo "Impostazioni attuali del firewall : "
        echo -e "Indirizzo IP locale sull'interfaccia ${YELLOW}$INTERFACE${WHITE} : \
            ${RED}$LOCALIP${WHITE}"
        $IPCHAINS -L
;;
 
#------------------------------ no or unknown action: print usage
    *)
        clear
        echo -e "${BLUE}############################################################${WHITE}"
        echo -en "${BLUE}###${YELLOW}         Script di impostazione "
        echo -e "${MAGENTA}FIREWALL ${YELLOW}v7.0         ${BLUE}###${WHITE}"
        echo -e "${BLUE}############################################################${WHITE}"
        echo -e "${YELLOW}Utilizzo:${WHITE} firewall start|stop|status"
        echo -e "\t${CYAN}start${WHITE} = attiva il firewall"
        echo -e "\t${CYAN}stop${WHITE} = disattiva il firewall"
        echo -e "\t${CYAN}status${WHITE} = impostazioni correnti del firewall"
        echo
        echo -e "${RED}ATTENZIONE: ${YELLOW}ricorda che l'interfaccia \
            ${RED}ppp0${YELLOW} e' attiva"
        echo -e "solo DOPO aver effettuato la connessione a Internet."
        echo -en "${WHITE}Interfacce attualmente attive nel PC: "
        for irf in ${INTERFACES} ; do
            echo -en "${RED}${irf}${WHITE} "
        done
        echo -e "\n\a"
;;
esac
exit 0
 