Linuxaro Italiano: 2008-11

Ultimamente ho studiato molto le sicurezze, il risultato di quest'analisi è stata la seguente guida adatta anche a newbie.
Mi sono posto il problema di creare un firewall/proxy per 5 zone (wan - lan - wifi - vpn - dmz) che possa anche gestire gli accessi wireless tramite mac address ma solo per i servizi scelti, in modo da ottenere una diversificazione di uso e protezione della stessa wireless per clienti ed interni.

Installate una debian base senza grafico e senza compilatori.

Preparazione del sistema :

apt-get -y install ssh squid3 clamav denyhosts dansguardian aide openvpn bind9 snort snort-rules oinkmaster

Configurate le interfacce di rete come:
wan - eth0 - 192.168.1.4 (probabilmente il 254 è il router)
lan - eth1 - 192.168.2.254
wifi - eth2 - 192.168.3.254
dmz - eth3 - 192.168.4.254

Ora la prima parte più importante... il firewall.
Modificando e prendendo spunto da altri firewall usati in passato ho creato questo script che direi abbastanza completo e professionale che inseriremo in /etc/init.d/firewall.

create quidi il file /etc/init.d/firewall ed inseriteci dentro:

#! /bin/sh

modprobe ip_conntrack_ftp
modprobe ip_nat_ftp

case "$1" in start)

echo "Setting up firewall rules..."
#-------------------------------------------------------------------------------
# Script variables
#
# Reti
#
# wan - internet
# lan - interna
# dmz - wifi
# dmzsec - webserver
# firewallMAC.conf - elenco macaddress permessi
#

IF_WAN="eth0" #integrata
IF_LAN="eth1" #primo slot pci
IF_DMZ="eth2" #secondo slot pci
IF_DMZSEC="eth3" #secondo slot pci
IF_VPN="tap0" #secondo slot pci

IP_WAN="192.168.1.4"
IP_LAN="192.168.2.254"
IP_DMZ="192.168.3.254"
IP_DMZSEC="192.168.4.254"
IP_VPN="192.168.25.254"

MAC="`cat /etc/firewallMAC.conf`"

#-------------------------------------------------------------------------------

#-------------------------------------------------------------------------------
# Adjust /proc
#-------------------------------------------------------------------------------
echo -ne "\t\tAdjusting /proc"

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 1 > /proc/sys/net/ipv4/conf/all/secure_redirects
echo 1 > /proc/sys/net/ipv4/conf/all/send_redirects
#echo 0 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 1 > /proc/sys/net/ipv4/conf/all/forwarding
echo 0 > /proc/sys/net/ipv4/conf/all/log_martians
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 > /proc/sys/net/ipv4/ip_forward

echo -e "\t\t\t\t\tdone"
#-------------------------------------------------------------------------------

#-------------------------------------------------------------------------------
# Flush existing settings
#-------------------------------------------------------------------------------
echo -ne "\t\tFlushing existing settings"

iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -t nat -F
iptables -t mangle -F

echo -e "\t\t\tdone"
#-------------------------------------------------------------------------------

#-------------------------------------------------------------------------------
# Table policies
#-------------------------------------------------------------------------------
echo -ne "\t\tSetting up tables policies"

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

echo -e "\t\t\tdone"
#-------------------------------------------------------------------------------

#-------------------------------------------------------------------------------
# Loopback traffic
#-------------------------------------------------------------------------------
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
#-------------------------------------------------------------------------------

#-------------------------------------------------------------------------------
# Icmp settings
#-------------------------------------------------------------------------------
echo -ne "\t\tSetting up icmp rules"

# Connessioni per fw
iptables -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -m length --length 128:65535 -j DROP
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

# Connessioni da fw
iptables -A OUTPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-request -m length --length 128:65535 -j DROP
iptables -A OUTPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

# Connessioni attraverso fw
iptables -A FORWARD -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -i $IF_LAN -p icmp --icmp-type echo-request -m length --length 128:65535 -j DROP
iptables -A FORWARD -i $IF_LAN -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

iptables -A FORWARD -i $IF_WAN -p icmp --icmp-type destination-unreachable -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -i $IF_WAN -p icmp --icmp-type redirect -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -i $IF_WAN -p icmp --icmp-type time-exceeded -m limit --limit 1/s -j ACCEPT

iptables -A FORWARD -i $IF_DMZ -p icmp --icmp-type destination-unreachable -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -i $IF_DMZ -p icmp --icmp-type redirect -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -i $IF_DMZ -p icmp --icmp-type time-exceeded -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -i $IF_DMZ -p icmp --icmp-type echo-request -m length --length 128:65535 -j DROP
iptables -A FORWARD -i $IF_DMZ -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

iptables -A FORWARD -i $IF_DMZSEC -p icmp --icmp-type destination-unreachable -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -i $IF_DMZSEC -p icmp --icmp-type redirect -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -i $IF_DMZSEC -p icmp --icmp-type time-exceeded -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -i $IF_DMZSEC -p icmp --icmp-type echo-request -m length --length 128:65535 -j DROP
iptables -A FORWARD -i $IF_DMZSEC -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

iptables -A FORWARD -i $IF_VPN -p icmp --icmp-type destination-unreachable -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -i $IF_VPN -p icmp --icmp-type redirect -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -i $IF_VPN -p icmp --icmp-type time-exceeded -m limit --limit 1/s -j ACCEPT
iptables -A FORWARD -i $IF_VPN -p icmp --icmp-type echo-request -m length --length 128:65535 -j DROP
iptables -A FORWARD -i $IF_VPN -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

# la seguente regola e` necessaria SOLO se si usa un modem al posto di un router.
# iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

echo -e "\t\t\t\tdone"
#-------------------------------------------------------------------------------

#-------------------------------------------------------------------------------
# Filter settings
#-------------------------------------------------------------------------------
echo -ne "\t\tSetting LAN up FILTER rules"

# Connessioni da LAN a fw
iptables -A INPUT -i $IF_LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $IF_WAN -p tcp -m multiport --dports 20,21 -j ACCEPT #ftp
iptables -A INPUT -i $IF_LAN -p tcp --dport 22 -j ACCEPT #ssh
iptables -A INPUT -i $IF_LAN -p tcp --dport 25 -j ACCEPT #smtp
iptables -A INPUT -i $IF_LAN -p tcp --dport 53 -j ACCEPT #dns
iptables -A INPUT -i $IF_LAN -p udp --dport 53 -j ACCEPT #dns
iptables -A INPUT -i $IF_LAN -p tcp --dport 67 -j ACCEPT
iptables -A INPUT -i $IF_LAN -p tcp --dport 68 -j ACCEPT
iptables -A INPUT -i $IF_LAN -p udp --dport 67 -j ACCEPT
iptables -A INPUT -i $IF_LAN -p udp --dport 68 -j ACCEPT
iptables -A INPUT -i $IF_LAN -p tcp --dport 143 -j ACCEPT #imap
iptables -A INPUT -i $IF_LAN -p tcp --dport 110 -j ACCEPT #pop3
iptables -A INPUT -i $IF_LAN -p tcp --dport 80 -j ACCEPT #http
iptables -A INPUT -i $IF_LAN -p tcp --dport 8080 -j ACCEPT #tomcat
iptables -A INPUT -i $IF_LAN -p tcp --dport 3128 -j ACCEPT #proxy
iptables -A INPUT -i $IF_LAN -p tcp --dport 8088 -j ACCEPT #http asterisk
iptables -A INPUT -i $IF_LAN -p tcp --dport 443 -j ACCEPT #https
iptables -A INPUT -i $IF_LAN -p udp --dport 5060 -j ACCEPT #voip
iptables -A INPUT -i $IF_LAN -p udp --dport 5061 -j ACCEPT #voip
iptables -A INPUT -i $IF_LAN -p udp --dport 3478 -j ACCEPT #voip
iptables -A INPUT -i $IF_LAN -p udp --dport 8000 -j ACCEPT #voip
iptables -A INPUT -i $IF_LAN -p udp --dport 8001 -j ACCEPT #voip
iptables -A INPUT -i $IF_LAN -p udp --dport 8002 -j ACCEPT #voip
iptables -A INPUT -i $IF_LAN -p udp --dport 8003 -j ACCEPT #voip
iptables -A INPUT -i $IF_LAN -p udp --dport 5004 -j ACCEPT #voip
iptables -A INPUT -i $IF_LAN -p udp --dport 60028 -j ACCEPT #voip
iptables -A INPUT -i $IF_LAN -p tcp --dport 5038 -j ACCEPT #asterisk
iptables -A INPUT -i $IF_LAN -p udp --dport 5038 -j ACCEPT #asterisk

# Connessioni da fw a LAN
iptables -A OUTPUT -o $IF_LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $IF_LAN -p tcp --dport 22 -j ACCEPT #ssh
iptables -A OUTPUT -o $IF_LAN -p tcp --dport 80 -j ACCEPT #http
iptables -A OUTPUT -o $IF_LAN -p tcp --dport 8080 -j ACCEPT #tomcat
iptables -A OUTPUT -o $IF_LAN -p tcp --dport 443 -j ACCEPT #https
iptables -A OUTPUT -o $IF_LAN -p tcp --dport 3128 -j ACCEPT #proxy

# Connessioni da WAN a fw
iptables -A INPUT -i $IF_WAN -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $IF_WAN -p tcp --dport 22 -j ACCEPT #ssh
iptables -A INPUT -i $IF_WAN -p tcp --dport 1194 -j ACCEPT #openvpn
iptables -A INPUT -i $IF_WAN -p udp --dport 1194 -j ACCEPT #openvpn
#iptables -A INPUT -i $IF_WAN -p udp --dport 5060 -j ACCEPT #voip
#iptables -A INPUT -i $IF_WAN -p udp --dport 5061 -j ACCEPT #voip
#iptables -A INPUT -i $IF_WAN -p udp --dport 3478 -j ACCEPT #voip
#iptables -A INPUT -i $IF_WAN -p udp --dport 8000 -j ACCEPT #voip
#iptables -A INPUT -i $IF_WAN -p udp --dport 8001 -j ACCEPT #voip
#iptables -A INPUT -i $IF_WAN -p udp --dport 8002 -j ACCEPT #voip
#iptables -A INPUT -i $IF_WAN -p udp --dport 8003 -j ACCEPT #voip
#iptables -A INPUT -i $IF_WAN -p udp --dport 5004 -j ACCEPT #voip
#iptables -A INPUT -i $IF_WAN -p udp --dport 60028 -j ACCEPT #voip
#iptables -A INPUT -i $IF_WAN -p tcp --dport 5038 -j ACCEPT #asterisk
#iptables -A INPUT -i $IF_WAN -p udp --dport 5038 -j ACCEPT #asterisk

# Connessioni da fw a WAN
iptables -A OUTPUT -o $IF_WAN -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $IF_WAN -p tcp -m multiport --dports 20,21 -j ACCEPT #ftp
iptables -A OUTPUT -o $IF_WAN -p tcp --dport 22 -j ACCEPT #ssh
iptables -A OUTPUT -o $IF_WAN -p tcp --dport 25 -j ACCEPT #smtp
iptables -A OUTPUT -o $IF_WAN -p tcp --dport 53 -j ACCEPT #dns
iptables -A OUTPUT -o $IF_WAN -p udp --dport 53 -j ACCEPT #dns
iptables -A OUTPUT -o $IF_WAN -p tcp --dport 80 -j ACCEPT #http
iptables -A OUTPUT -o $IF_WAN -p tcp --dport 8080 -j ACCEPT #tomcat
iptables -A OUTPUT -o $IF_WAN -p tcp --dport 3128 -j ACCEPT #tomcat
iptables -A OUTPUT -o $IF_WAN -p tcp --dport 8088 -j ACCEPT #http asterisk
iptables -A OUTPUT -o $IF_WAN -p tcp --dport 443 -j ACCEPT #https
iptables -A OUTPUT -o $IF_WAN -p udp --dport 123 -j ACCEPT
iptables -A OUTPUT -o $IF_WAN -p tcp --dport 873 -j ACCEPT
iptables -A OUTPUT -o $IF_WAN -p tcp --dport 1194 -j ACCEPT #openvpn
iptables -A OUTPUT -o $IF_WAN -p udp --dport 1194 -j ACCEPT #openvpn
iptables -A OUTPUT -o $IF_WAN -p tcp --dport 5038 -j ACCEPT #asterisk
iptables -A OUTPUT -o $IF_WAN -p udp --dport 5038 -j ACCEPT #asterisk
iptables -A OUTPUT -o $IF_WAN -p udp --dport 5060 -j ACCEPT #voip
iptables -A OUTPUT -o $IF_WAN -p udp --dport 5061 -j ACCEPT #voip
iptables -A OUTPUT -o $IF_WAN -p udp --dport 3478 -j ACCEPT #voip
iptables -A OUTPUT -o $IF_WAN -p udp --dport 8000 -j ACCEPT #voip
iptables -A OUTPUT -o $IF_WAN -p udp --dport 8001 -j ACCEPT #voip
iptables -A OUTPUT -o $IF_WAN -p udp --dport 8002 -j ACCEPT #voip
iptables -A OUTPUT -o $IF_WAN -p udp --dport 8003 -j ACCEPT #voip
iptables -A OUTPUT -o $IF_WAN -p udp --dport 5004 -j ACCEPT #voip
iptables -A OUTPUT -o $IF_WAN -p udp --dport 60028 -j ACCEPT #voip

# Connessioni da LAN a WAN
iptables -A FORWARD -i $IF_LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $IF_LAN -p tcp -m multiport --dports 20,21 -j ACCEPT #ftp
iptables -A FORWARD -i $IF_LAN -p tcp --dport 22 -j ACCEPT #ssh
iptables -A FORWARD -i $IF_LAN -p tcp --dport 25 -j ACCEPT #smtp
iptables -A FORWARD -i $IF_LAN -p tcp --dport 53 -j ACCEPT #dns
iptables -A FORWARD -i $IF_LAN -p udp --dport 53 -j ACCEPT #dns
iptables -A FORWARD -i $IF_LAN -p tcp --dport 80 -j ACCEPT #http
iptables -A FORWARD -i $IF_LAN -p udp --dport 80 -j ACCEPT #http
iptables -A FORWARD -i $IF_LAN -p tcp --dport 8088 -j ACCEPT #http asterisk
iptables -A FORWARD -i $IF_LAN -p tcp --dport 8080 -j ACCEPT #tomcat
iptables -A FORWARD -i $IF_LAN -p tcp --dport 110 -j ACCEPT #pop3
iptables -A FORWARD -i $IF_LAN -p udp --dport 123 -j ACCEPT
iptables -A FORWARD -i $IF_LAN -p tcp --dport 873 -j ACCEPT #rsync
iptables -A FORWARD -i $IF_LAN -p tcp --dport 143 -j ACCEPT #imap
iptables -A FORWARD -i $IF_LAN -p tcp --dport 443 -j ACCEPT #https
iptables -A FORWARD -i $IF_LAN -p udp --dport 443 -j ACCEPT #https
iptables -A FORWARD -i $IF_LAN -p tcp --dport 993 -j ACCEPT #pop3-ssl
iptables -A FORWARD -i $IF_LAN -p tcp --dport 3389 -j ACCEPT #terminal server
iptables -A FORWARD -i $IF_LAN -p tcp --dport 5500 -j ACCEPT #vnc
iptables -A FORWARD -i $IF_LAN -p tcp --dport 5900 -j ACCEPT #vnc
iptables -A FORWARD -i $IF_LAN -p tcp -m multiport --dports 9000,9001 -j ACCEPT #gestionale mexal
iptables -A FORWARD -i $IF_LAN -p tcp -m multiport --dports 9200,9201 -j ACCEPT #gestionale mexal
iptables -A FORWARD -i $IF_LAN -p tcp --dport 5222 -j ACCEPT #jabber
iptables -A FORWARD -i $IF_LAN -p tcp --dport 1863 -j ACCEPT #msn myspace
iptables -A FORWARD -i $IF_LAN -p tcp --dport 23399 -j ACCEPT #skype
iptables -A FORWARD -i $IF_LAN -p tcp --dport 1533 -j ACCEPT #sametime
iptables -A FORWARD -i $IF_LAN -p tcp --dport 6667 -j ACCEPT #irc
iptables -A FORWARD -i $IF_LAN -p tcp --dport 5190 -j ACCEPT #icq aim
iptables -A FORWARD -i $IF_LAN -p tcp --dport 1194 -j ACCEPT #openvpn
iptables -A FORWARD -i $IF_LAN -p udp --dport 1194 -j ACCEPT #openvpn
iptables -A FORWARD -i $IF_LAN -p tcp --dport 3389 -j ACCEPT #terminal server
iptables -A FORWARD -i $IF_LAN -p udp --dport 3389 -j ACCEPT #terminal server
iptables -A FORWARD -i $IF_LAN -p udp --dport 5060 -j ACCEPT #voip
iptables -A FORWARD -i $IF_LAN -p udp --dport 5061 -j ACCEPT #voip
iptables -A FORWARD -i $IF_LAN -p udp --dport 3478 -j ACCEPT #voip
iptables -A FORWARD -i $IF_LAN -p udp --dport 8000 -j ACCEPT #voip
iptables -A FORWARD -i $IF_LAN -p udp --dport 8001 -j ACCEPT #voip
iptables -A FORWARD -i $IF_LAN -p udp --dport 8002 -j ACCEPT #voip
iptables -A FORWARD -i $IF_LAN -p udp --dport 8003 -j ACCEPT #voip
iptables -A FORWARD -i $IF_LAN -p udp --dport 5004 -j ACCEPT #voip
iptables -A FORWARD -i $IF_LAN -p udp --dport 60028 -j ACCEPT #voip

# Connessioni da WAN a LAN
iptables -A FORWARD -i $IF_WAN -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A FORWARD -i $IF_WAN --source ! 192.168.2.0/24 -p tcp --dport 80 -j ACCEPT # web server backup interno
# iptables -A FORWARD -i $IF_WAN --source ! 192.168.2.0/24 -p tcp --dport 8080 -j ACCEPT # web server backup interno
# iptables -A FORWARD -i $IF_WAN --source ! 192.168.2.0/24 -p tcp --dport 443 -j ACCEPT # web server backup interno
iptables -A FORWARD -i $IF_WAN --source ! 192.168.2.0/24 -p tcp --dport 5500 -j ACCEPT # vnc interno
iptables -A FORWARD -i $IF_WAN --source ! 192.168.2.0/24 -p tcp --dport 5900 -j ACCEPT # vnc interno
iptables -A FORWARD -i $IF_WAN --source ! 192.168.2.0/24 -p tcp -m multiport --dports 9000,9001 -j ACCEPT #gestionale mexal
iptables -A FORWARD -i $IF_WAN --source ! 192.168.2.0/24 -p tcp -m multiport --dports 9200,9201 -j ACCEPT #gestionale mexal
iptables -A FORWARD -i $IF_WAN --source ! 192.168.2.0/24 -p udp --dport 5060 -j ACCEPT # voip
iptables -A FORWARD -i $IF_WAN --source ! 192.168.2.0/24 -p udp --dport 5061 -j ACCEPT # voip
iptables -A FORWARD -i $IF_WAN --source ! 192.168.2.0/24 -p udp --dport 3478 -j ACCEPT # voip
iptables -A FORWARD -i $IF_WAN --source ! 192.168.2.0/24 -p udp --dport 8000 -j ACCEPT # voip
iptables -A FORWARD -i $IF_WAN --source ! 192.168.2.0/24 -p udp --dport 8001 -j ACCEPT # voip
iptables -A FORWARD -i $IF_WAN --source ! 192.168.2.0/24 -p udp --dport 8002 -j ACCEPT # voip
iptables -A FORWARD -i $IF_WAN --source ! 192.168.2.0/24 -p udp --dport 8003 -j ACCEPT # voip
iptables -A FORWARD -i $IF_WAN --source ! 192.168.2.0/24 -p udp --dport 5004 -j ACCEPT # voip
iptables -A FORWARD -i $IF_WAN --source ! 192.168.2.0/24 -p udp --dport 60028 -j ACCEPT # voip

# Connessioni da WAN a DMZ
iptables -A FORWARD -i $IF_WAN -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $IF_WAN --source ! 192.168.3.0/24 -p tcp --dport 80 -j ACCEPT # web server backup2
iptables -A FORWARD -i $IF_WAN --source ! 192.168.3.0/24 -p tcp --dport 8080 -j ACCEPT # web server backup2
iptables -A FORWARD -i $IF_WAN --source ! 192.168.3.0/24 -p tcp --dport 443 -j ACCEPT # web server backup2
iptables -A FORWARD -i $IF_WAN --source ! 192.168.3.0/24 -p tcp --dport 5500 -j ACCEPT # vnc
iptables -A FORWARD -i $IF_WAN --source ! 192.168.3.0/24 -p tcp --dport 5900 -j ACCEPT # vnc
iptables -A FORWARD -i $IF_WAN --source ! 192.168.3.0/24 -p udp --dport 5060 -j ACCEPT # voip
iptables -A FORWARD -i $IF_WAN --source ! 192.168.3.0/24 -p udp --dport 5061 -j ACCEPT # voip
iptables -A FORWARD -i $IF_WAN --source ! 192.168.3.0/24 -p udp --dport 3478 -j ACCEPT # voip
iptables -A FORWARD -i $IF_WAN --source ! 192.168.3.0/24 -p udp --dport 8000 -j ACCEPT # voip
iptables -A FORWARD -i $IF_WAN --source ! 192.168.3.0/24 -p udp --dport 8001 -j ACCEPT # voip
iptables -A FORWARD -i $IF_WAN --source ! 192.168.3.0/24 -p udp --dport 8002 -j ACCEPT # voip
iptables -A FORWARD -i $IF_WAN --source ! 192.168.3.0/24 -p udp --dport 8003 -j ACCEPT # voip
iptables -A FORWARD -i $IF_WAN --source ! 192.168.3.0/24 -p udp --dport 5004 -j ACCEPT # voip
iptables -A FORWARD -i $IF_WAN --source ! 192.168.3.0/24 -p udp --dport 60028 -j ACCEPT # voip

# Connessioni da LAN a DMZ
iptables -A FORWARD -i $IF_LAN -o $IF_DMZ -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $IF_LAN -o $IF_DMZ -p tcp -m multiport --dports 20,21 -j ACCEPT #ftp
iptables -A FORWARD -i $IF_LAN -o $IF_DMZ -p tcp --dport 22 -j ACCEPT #ssh
iptables -A FORWARD -i $IF_LAN -o $IF_DMZ -p tcp --dport 25 -j ACCEPT #smtp
iptables -A FORWARD -i $IF_LAN -o $IF_DMZ -p tcp --dport 80 -j ACCEPT #http
iptables -A FORWARD -i $IF_LAN -o $IF_DMZ -p tcp --dport 443 -j ACCEPT #http
iptables -A FORWARD -i $IF_LAN -o $IF_DMZ -p tcp --dport 993 -j ACCEPT
iptables -A FORWARD -i $IF_LAN -o $IF_DMZ -p tcp --dport 995 -j ACCEPT
iptables -A FORWARD -i $IF_LAN -o $IF_DMZ -p tcp --dport 8080 -j ACCEPT #tomcat
iptables -A FORWARD -i $IF_LAN -o $IF_DMZ -p tcp --dport 5500 -j ACCEPT #tomcat
iptables -A FORWARD -i $IF_LAN -o $IF_DMZ -p tcp --dport 5900 -j ACCEPT #tomcat
iptables -A FORWARD -i $IF_LAN -o $IF_DMZ -p tcp --dport 3389 -j ACCEPT #terminal server
iptables -A FORWARD -i $IF_LAN -o $IF_DMZ -p udp --dport 3389 -j ACCEPT #terminal server

# Connessioni da fw a DMZ
iptables -A OUTPUT -o $IF_DMZ -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $IF_DMZ -m multiport -p tcp --dports 20,21 -j ACCEPT
iptables -A OUTPUT -o $IF_DMZ -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -o $IF_DMZ -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -o $IF_DMZ -p tcp --dport 3128 -j ACCEPT
iptables -A OUTPUT -o $IF_DMZ -p tcp --dport 8080 -j ACCEPT
iptables -A OUTPUT -o $IF_DMZ -p tcp --dport 443 -j ACCEPT

echo -e "\t\t\tdone"
#-------------------------------------------------------------------------------

#-------------------------------------------------------------------------------
# MAC filtering
#-------------------------------------------------------------------------------
echo -ne "\t\tSetting up DMZ with MAC filter rules"

for MACSOURCE in $MAC; do

echo
echo -ne "\t\t\tAppling rules for: "

# Connessioni da DMZ a WAN
iptables -A FORWARD -i $IF_DMZ -o $IF_WAN -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $IF_DMZ -o $IF_WAN -p tcp -m multiport --dports 20,21 -j ACCEPT #ftp
iptables -A FORWARD -i $IF_DMZ -o $IF_WAN -p tcp --dport 22 -m mac --mac-source $MACSOURCE -j ACCEPT #ssh
iptables -A FORWARD -i $IF_DMZ -o $IF_WAN -p tcp --dport 25 -j ACCEPT #smtp
iptables -A FORWARD -i $IF_DMZ -o $IF_WAN -p tcp --dport 53 -j ACCEPT #dns
iptables -A FORWARD -i $IF_DMZ -o $IF_WAN -p udp --dport 53 -j ACCEPT #dns
iptables -A FORWARD -i $IF_DMZ -o $IF_WAN -p tcp --dport 80 -j ACCEPT #http
iptables -A FORWARD -i $IF_DMZ -o $IF_WAN -p udp --dport 80 -j ACCEPT #http
iptables -A FORWARD -i $IF_DMZ -o $IF_WAN -p tcp --dport 8080 -j ACCEPT #tomcat
iptables -A FORWARD -i $IF_DMZ -o $IF_WAN -p tcp --dport 443 -j ACCEPT #https
iptables -A FORWARD -i $IF_DMZ -o $IF_WAN -p udp --dport 443 -j ACCEPT #https
iptables -A FORWARD -i $IF_DMZ -o $IF_WAN -p tcp --dport 123 -j ACCEPT
iptables -A FORWARD -i $IF_DMZ -o $IF_WAN -p tcp --dport 110 -j ACCEPT #pop3
iptables -A FORWARD -i $IF_DMZ -o $IF_WAN -p tcp --dport 143 -j ACCEPT #imap
iptables -A FORWARD -i $IF_DMZ -o $IF_WAN -p tcp --dport 993 -j ACCEPT #pop-ssl
iptables -A FORWARD -i $IF_DMZ -o $IF_WAN -p tcp --dport 1194 -m mac --mac-source $MACSOURCE -j ACCEPT #openvpn
iptables -A FORWARD -i $IF_DMZ -o $IF_WAN -p udp --dport 1194 -m mac --mac-source $MACSOURCE -j ACCEPT #openvpn
iptables -A FORWARD -i $IF_DMZ -o $IF_WAN -p tcp --dport 23399 -j ACCEPT #skype
iptables -A FORWARD -i $IF_DMZ -o $IF_WAN -p tcp --dport 5222 -j ACCEPT #msn
iptables -A FORWARD -i $IF_DMZ -o $IF_WAN -p tcp --dport 6667 -m mac --mac-source $MACSOURCE -j ACCEPT #chat
iptables -A FORWARD -i $IF_DMZ -o $IF_WAN -p tcp --dport 1863 -m mac --mac-source $MACSOURCE -j ACCEPT #chat
iptables -A FORWARD -i $IF_DMZ -o $IF_WAN -p tcp --dport 5190 -m mac --mac-source $MACSOURCE -j ACCEPT #chat
iptables -A FORWARD -i $IF_DMZ -o $IF_WAN -p tcp --dport 5500 -j ACCEPT #vnc
iptables -A FORWARD -i $IF_DMZ -o $IF_WAN -p tcp --dport 5900 -j ACCEPT #vnc
iptables -A FORWARD -i $IF_DMZ -o $IF_WAN -p tcp --dport 3389 -j ACCEPT #terminal server
iptables -A FORWARD -i $IF_DMZ -o $IF_WAN -p tcp -m multiport --dports 9000,9001 -m mac --mac-source $MACSOURCE -j ACCEPT #gestionale mexal
iptables -A FORWARD -i $IF_DMZ -o $IF_WAN -p tcp -m multiport --dports 9200,9201 -m mac --mac-source $MACSOURCE -j ACCEPT #gestionale mexal
iptables -A FORWARD -i $IF_DMZ -o $IF_WAN -p udp --dport 5060 -m mac --mac-source $MACSOURCE -j ACCEPT #voip
iptables -A FORWARD -i $IF_DMZ -o $IF_WAN -p udp --dport 5061 -m mac --mac-source $MACSOURCE -j ACCEPT #voip
iptables -A FORWARD -i $IF_DMZ -o $IF_WAN -p udp --dport 3478 -m mac --mac-source $MACSOURCE -j ACCEPT #voip
iptables -A FORWARD -i $IF_DMZ -o $IF_WAN -p udp --dport 8000 -m mac --mac-source $MACSOURCE -j ACCEPT #voip
iptables -A FORWARD -i $IF_DMZ -o $IF_WAN -p udp --dport 8001 -m mac --mac-source $MACSOURCE -j ACCEPT #voip
iptables -A FORWARD -i $IF_DMZ -o $IF_WAN -p udp --dport 8002 -m mac --mac-source $MACSOURCE -j ACCEPT #voip
iptables -A FORWARD -i $IF_DMZ -o $IF_WAN -p udp --dport 8003 -m mac --mac-source $MACSOURCE -j ACCEPT #voip
iptables -A FORWARD -i $IF_DMZ -o $IF_WAN -p udp --dport 5004 -m mac --mac-source $MACSOURCE -j ACCEPT #voip
iptables -A FORWARD -i $IF_DMZ -o $IF_WAN -p udp --dport 60028 -m mac --mac-source $MACSOURCE -j ACCEPT #voip

# Connessioni da DMZ a LAN
iptables -A FORWARD -i $IF_DMZ -o $IF_LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $IF_DMZ -o $IF_LAN -p tcp -m multiport --dports 20,21 -m mac --mac-source $MACSOURCE -j ACCEPT #ftp-data
iptables -A FORWARD -i $IF_DMZ -o $IF_LAN -p tcp --dport 22 -m mac --mac-source $MACSOURCE -j ACCEPT #ssh
iptables -A FORWARD -i $IF_DMZ -o $IF_LAN -p tcp --dport 25 -m mac --mac-source $MACSOURCE -j ACCEPT #smtp
iptables -A FORWARD -i $IF_DMZ -o $IF_LAN -p tcp --dport 53 -m mac --mac-source $MACSOURCE -j ACCEPT #dns
iptables -A FORWARD -i $IF_DMZ -o $IF_LAN -p udp --dport 53 -m mac --mac-source $MACSOURCE -j ACCEPT #dns
iptables -A FORWARD -i $IF_DMZ -o $IF_LAN -p tcp --dport 80 -m mac --mac-source $MACSOURCE -j ACCEPT #htp
iptables -A FORWARD -i $IF_DMZ -o $IF_LAN -p tcp --dport 8080 -m mac --mac-source $MACSOURCE -j ACCEPT #tomcat
iptables -A FORWARD -i $IF_DMZ -o $IF_LAN -p tcp --dport 443 -m mac --mac-source $MACSOURCE -j ACCEPT #https
iptables -A FORWARD -i $IF_DMZ -o $IF_LAN -p tcp --dport 123 -m mac --mac-source $MACSOURCE -j ACCEPT
iptables -A FORWARD -i $IF_DMZ -o $IF_LAN -p tcp --dport 110 -m mac --mac-source $MACSOURCE -j ACCEPT #pop3
iptables -A FORWARD -i $IF_DMZ -o $IF_LAN -p tcp --dport 993 -m mac --mac-source $MACSOURCE -j ACCEPT #pop3-ssl
iptables -A FORWARD -i $IF_DMZ -o $IF_LAN -p tcp --dport 1194 -m mac --mac-source $MACSOURCE -j ACCEPT #openvpn
iptables -A FORWARD -i $IF_DMZ -o $IF_LAN -p udp --dport 1194 -m mac --mac-source $MACSOURCE -j ACCEPT #openvpn
iptables -A FORWARD -i $IF_DMZ -o $IF_LAN -p tcp --dport 23399 -m mac --mac-source $MACSOURCE -j ACCEPT #skype
iptables -A FORWARD -i $IF_DMZ -o $IF_LAN -p tcp --dport 5222 -m mac --mac-source $MACSOURCE -j ACCEPT #msn
iptables -A FORWARD -i $IF_DMZ -o $IF_LAN -p tcp --dport 6667 -m mac --mac-source $MACSOURCE -j ACCEPT #chat
iptables -A FORWARD -i $IF_DMZ -o $IF_LAN -p tcp --dport 1863 -m mac --mac-source $MACSOURCE -j ACCEPT #chat
iptables -A FORWARD -i $IF_DMZ -o $IF_LAN -p tcp --dport 5190 -m mac --mac-source $MACSOURCE -j ACCEPT #chat
iptables -A FORWARD -i $IF_DMZ -o $IF_LAN -p tcp --dport 5500 -m mac --mac-source $MACSOURCE -j ACCEPT #vnc
iptables -A FORWARD -i $IF_DMZ -o $IF_LAN -p tcp --dport 5900 -m mac --mac-source $MACSOURCE -j ACCEPT #vnc
iptables -A FORWARD -i $IF_DMZ -o $IF_LAN -p tcp --dport 3389 -m mac --mac-source $MACSOURCE -j ACCEPT #terminal server
iptables -A FORWARD -i $IF_DMZ -o $IF_LAN -p udp --dport 3389 -m mac --mac-source $MACSOURCE -j ACCEPT #terminal server

# Connessioni da DMZ a fw
iptables -A INPUT -i $IF_DMZ -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $IF_DMZ -p tcp --dport 22 -m mac --mac-source $MACSOURCE -j ACCEPT
iptables -A INPUT -i $IF_DMZ -p tcp --dport 80 -m mac --mac-source $MACSOURCE -j ACCEPT
iptables -A INPUT -i $IF_DMZ -p tcp --dport 3128 -m mac --mac-source $MACSOURCE -j ACCEPT
iptables -A INPUT -i $IF_DMZ -p tcp --dport 443 -m mac --mac-source $MACSOURCE -j ACCEPT
iptables -A INPUT -i $IF_DMZ -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -i $IF_DMZ -p udp --dport 53 -j ACCEPT

echo -e "\t$MACSOURCE"

done

echo -e "\t\tdone"
#-------------------------------------------------------------------------------

#-------------------------------------------------------------------------------
# VERY SECURE ZONE settings
#-------------------------------------------------------------------------------
echo -ne "\t\tSetting up Very Secure Zones rules"

# Connessioni da WAN a VPN
iptables -A FORWARD -i $IF_WAN -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A FORWARD -i $IF_WAN --source ! 192.168.25.0/24 -p tcp --dport 80 -j ACCEPT # web server backup2
# iptables -A FORWARD -i $IF_WAN --source ! 192.168.25.0/24 -p tcp --dport 8080 -j ACCEPT # web server backup2
# iptables -A FORWARD -i $IF_WAN --source ! 192.168.25.0/24 -p tcp --dport 443 -j ACCEPT # web server backup2
#iptables -A FORWARD -i $IF_WAN --source ! 192.168.25.0/24 -p tcp --dport 5500 -j ACCEPT # vnc
#iptables -A FORWARD -i $IF_WAN --source ! 192.168.25.0/24 -p tcp --dport 5900 -j ACCEPT # vnc

# Connessioni da LAN a VPN
iptables -A FORWARD -i $IF_LAN -o $IF_VPN -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $IF_LAN -o $IF_VPN -p tcp -m multiport --dports 20,21 -j ACCEPT #ftp
iptables -A FORWARD -i $IF_LAN -o $IF_VPN -p tcp --dport 22 -j ACCEPT #ssh
iptables -A FORWARD -i $IF_LAN -o $IF_VPN -p tcp --dport 25 -j ACCEPT #smtp
iptables -A FORWARD -i $IF_LAN -o $IF_VPN -p tcp --dport 110 -j ACCEPT #pop3
iptables -A FORWARD -i $IF_LAN -o $IF_VPN -p tcp --dport 143 -j ACCEPT #imap
iptables -A FORWARD -i $IF_LAN -o $IF_VPN -p tcp --dport 80 -j ACCEPT #http
iptables -A FORWARD -i $IF_LAN -o $IF_VPN -p tcp --dport 443 -j ACCEPT #http
iptables -A FORWARD -i $IF_LAN -o $IF_VPN -p tcp --dport 993 -j ACCEPT
iptables -A FORWARD -i $IF_LAN -o $IF_VPN -p tcp --dport 995 -j ACCEPT
iptables -A FORWARD -i $IF_LAN -o $IF_VPN -p tcp --dport 8080 -j ACCEPT #tomcat
iptables -A FORWARD -i $IF_LAN -o $IF_VPN -p tcp --dport 5500 -j ACCEPT #tomcat
iptables -A FORWARD -i $IF_LAN -o $IF_VPN -p tcp --dport 5900 -j ACCEPT #tomcat
iptables -A FORWARD -i $IF_LAN -o $IF_VPN -p tcp --dport 3389 -j ACCEPT #terminal server
iptables -A FORWARD -i $IF_LAN -o $IF_VPN -p udp --dport 3389 -j ACCEPT #terminal server

# Connessioni da fw a VPN
iptables -A OUTPUT -o $IF_VPN -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $IF_VPN -m multiport -p tcp --dports 20,21 -j ACCEPT
iptables -A OUTPUT -o $IF_VPN -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -o $IF_VPN -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -o $IF_VPN -p tcp --dport 3128 -j ACCEPT
iptables -A OUTPUT -o $IF_VPN -p tcp --dport 8080 -j ACCEPT
iptables -A OUTPUT -o $IF_VPN -p tcp --dport 443 -j ACCEPT

# Connessioni da WAN a DMZSEC
iptables -A FORWARD -i $IF_WAN -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $IF_WAN --source ! 192.168.4.0/24 -p tcp -m multiport --dports 20,21 -j ACCEPT # web server
iptables -A FORWARD -i $IF_WAN --source ! 192.168.4.0/24 -p tcp --dport 80 -j ACCEPT # web server
iptables -A FORWARD -i $IF_WAN --source ! 192.168.4.0/24 -p tcp --dport 443 -j ACCEPT # web server
#iptables -A FORWARD -i $IF_WAN --source ! 192.168.4.0/24 -p tcp --dport 8080 -j ACCEPT # web server
#iptables -A FORWARD -i $IF_WAN --source ! 192.168.4.0/24 -p tcp --dport 8081 -j ACCEPT # web server
#iptables -A FORWARD -i $IF_WAN --source ! 192.168.4.0/24 -p tcp --dport 25 -j ACCEPT # web server
#iptables -A FORWARD -i $IF_WAN --source ! 192.168.4.0/24 -p tcp --dport 110 -j ACCEPT # web server
#iptables -A FORWARD -i $IF_WAN --source ! 192.168.4.0/24 -p tcp --dport 143 -j ACCEPT # web server

# Connessioni da LAN a DMZSEC
iptables -A FORWARD -i $IF_LAN -o $IF_DMZSEC -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $IF_LAN -o $IF_DMZSEC -p tcp -m multiport --dports 20,21 -j ACCEPT #ftp
iptables -A FORWARD -i $IF_LAN -o $IF_DMZSEC -p tcp --dport 22 -j ACCEPT #ssh
iptables -A FORWARD -i $IF_LAN -o $IF_DMZSEC -p tcp --dport 25 -j ACCEPT #smtp
iptables -A FORWARD -i $IF_LAN -o $IF_DMZSEC -p tcp --dport 110 -j ACCEPT #pop3
iptables -A FORWARD -i $IF_LAN -o $IF_DMZSEC -p tcp --dport 143 -j ACCEPT #smtp
iptables -A FORWARD -i $IF_LAN -o $IF_DMZSEC -p tcp --dport 80 -j ACCEPT #http
iptables -A FORWARD -i $IF_LAN -o $IF_DMZSEC -p tcp --dport 443 -j ACCEPT #http
iptables -A FORWARD -i $IF_LAN -o $IF_DMZSEC -p tcp --dport 993 -j ACCEPT
iptables -A FORWARD -i $IF_LAN -o $IF_DMZSEC -p tcp --dport 995 -j ACCEPT
iptables -A FORWARD -i $IF_LAN -o $IF_DMZSEC -p tcp --dport 8080 -j ACCEPT #tomcat
iptables -A FORWARD -i $IF_LAN -o $IF_DMZSEC -p tcp --dport 5500 -j ACCEPT #tomcat
iptables -A FORWARD -i $IF_LAN -o $IF_DMZSEC -p tcp --dport 5900 -j ACCEPT #tomcat
iptables -A FORWARD -i $IF_LAN -o $IF_DMZSEC -p tcp --dport 3389 -j ACCEPT #terminal server
iptables -A FORWARD -i $IF_LAN -o $IF_DMZSEC -p udp --dport 3389 -j ACCEPT #terminal server

# Connessioni da fw a DMZSEC
iptables -A OUTPUT -o $IF_DMZSEC -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $IF_DMZSEC -m multiport -p tcp --dports 20,21 -j ACCEPT
iptables -A OUTPUT -o $IF_DMZSEC -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -o $IF_DMZSEC -p tcp --dport 3128 -j ACCEPT
iptables -A OUTPUT -o $IF_DMZSEC -p tcp --dport 443 -j ACCEPT

# Connessioni da VPN a WAN
iptables -A FORWARD -i $IF_VPN -o $IF_WAN -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $IF_VPN -o $IF_WAN -p tcp --dport 53 -j ACCEPT #dns
iptables -A FORWARD -i $IF_VPN -o $IF_WAN -p udp --dport 53 -j ACCEPT #dns
iptables -A FORWARD -i $IF_VPN -o $IF_WAN -p tcp --dport 80 -j ACCEPT #http
iptables -A FORWARD -i $IF_VPN -o $IF_WAN -p udp --dport 80 -j ACCEPT #http

# Connessioni da VPN a LAN
iptables -A FORWARD -i $IF_VPN -o $IF_LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $IF_VPN -o $IF_LAN -p tcp -m multiport --dports 20,21 -m mac --mac-source $MACSOURCE -j ACCEPT #ftp-data
iptables -A FORWARD -i $IF_VPN -o $IF_LAN -p tcp --dport 22 -j ACCEPT #ssh
iptables -A FORWARD -i $IF_VPN -o $IF_LAN -p tcp --dport 53 -j ACCEPT #dns
iptables -A FORWARD -i $IF_VPN -o $IF_LAN -p udp --dport 53 -j ACCEPT #dns
iptables -A FORWARD -i $IF_VPN -o $IF_LAN -p tcp --dport 80 -j ACCEPT #htp
iptables -A FORWARD -i $IF_VPN -o $IF_LAN -p tcp --dport 8080 -j ACCEPT #tomcat
iptables -A FORWARD -i $IF_VPN -o $IF_LAN -p tcp --dport 443 -j ACCEPT #https
iptables -A FORWARD -i $IF_VPN -o $IF_LAN -p tcp --dport 123 -j ACCEPT
iptables -A FORWARD -i $IF_VPN -o $IF_LAN -p tcp --dport 110 -j ACCEPT #pop3
iptables -A FORWARD -i $IF_VPN -o $IF_LAN -p tcp --dport 993 -j ACCEPT #pop3-ssl
iptables -A FORWARD -i $IF_VPN -o $IF_LAN -p tcp --dport 137 -j ACCEPT #samba
iptables -A FORWARD -i $IF_VPN -o $IF_LAN -p udp --dport 137 -j ACCEPT #samba
iptables -A FORWARD -i $IF_VPN -o $IF_LAN -p tcp --dport 138 -j ACCEPT #samba
iptables -A FORWARD -i $IF_VPN -o $IF_LAN -p udp --dport 138 -j ACCEPT #samba
iptables -A FORWARD -i $IF_VPN -o $IF_LAN -p tcp --dport 139 -j ACCEPT #samba
iptables -A FORWARD -i $IF_VPN -o $IF_LAN -p udp --dport 139 -j ACCEPT #samba
iptables -A FORWARD -i $IF_VPN -o $IF_LAN -p tcp --dport 445 -j ACCEPT #samba
iptables -A FORWARD -i $IF_VPN -o $IF_LAN -p udp --dport 445 -j ACCEPT #samba
iptables -A FORWARD -i $IF_VPN -o $IF_LAN -p tcp --dport 5500 -j ACCEPT #vnc
iptables -A FORWARD -i $IF_VPN -o $IF_LAN -p tcp --dport 5900 -j ACCEPT #vnc
iptables -A FORWARD -i $IF_VPN -o $IF_LAN -p tcp --dport 3389 -j ACCEPT #terminal server
iptables -A FORWARD -i $IF_VPN -o $IF_LAN -p udp --dport 3389 -j ACCEPT #terminal server

# Connessioni da VPN a fw
iptables -A INPUT -i $IF_VPN -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $IF_VPN -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i $IF_VPN -p tcp --dport 3128 -j ACCEPT
iptables -A INPUT -i $IF_VPN -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -i $IF_VPN -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -i $IF_VPN -p udp --dport 53 -j ACCEPT

# Connessioni da DMZSEC a WAN
iptables -A FORWARD -i $IF_DMZSEC -o $IF_WAN -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $IF_DMZSEC -o $IF_WAN -p tcp --dport 53 -j ACCEPT #dns
iptables -A FORWARD -i $IF_DMZSEC -o $IF_WAN -p udp --dport 53 -j ACCEPT #dns
iptables -A FORWARD -i $IF_DMZSEC -o $IF_WAN -p tcp --dport 80 -j ACCEPT #http
iptables -A FORWARD -i $IF_DMZSEC -o $IF_WAN -p tcp --dport 443 -j ACCEPT #http

# Connessioni da DMZSEC a LAN
iptables -A FORWARD -i $IF_DMZSEC -o $IF_LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $IF_DMZSEC -o $IF_LAN -p tcp --dport 53 -j ACCEPT #dns
iptables -A FORWARD -i $IF_DMZSEC -o $IF_LAN -p udp --dport 53 -j ACCEPT #dns
iptables -A FORWARD -i $IF_DMZSEC -o $IF_LAN -p tcp --dport 8080 -j ACCEPT #tomcat

# Connessioni da DMZSEC a fw
iptables -A INPUT -i $IF_DMZSEC -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $IF_DMZSEC -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i $IF_DMZSEC -p tcp --dport 3128 -j ACCEPT
iptables -A INPUT -i $IF_DMZSEC -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -i $IF_DMZSEC -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -i $IF_DMZSEC -p udp --dport 53 -j ACCEPT

echo -e "\t\tdone"
#-------------------------------------------------------------------------------

#-------------------------------------------------------------------------------
# NAT settings
#-------------------------------------------------------------------------------
echo -ne "\t\tSetting up NAT rules"

# SNAT rules
iptables -t nat -A POSTROUTING -o $IF_WAN -j SNAT --to-source $IP_WAN

# PROXY Settings for Squid with DansGuardian (lan and wifi)
iptables -t nat -A PREROUTING -i $IF_LAN -p tcp --dport 80 -j REDIRECT --to-ports 3128
iptables -t nat -A PREROUTING -i $IF_DMZ -p tcp --dport 80 -j REDIRECT --to-ports 3128

# DNAT rules
# iptables -t nat -A PREROUTING -i $IF_WAN -p tcp --dport 80 -j DNAT --to-destination 192.168.4.1 #public webserver
# iptables -t nat -A PREROUTING -i $IF_WAN -p tcp --dport 443 -j DNAT --to-destination 192.168.4.1 #public webserver
# iptables -t nat -A PREROUTING -i $IF_WAN -p tcp --dport 8080 -j DNAT --to-destination 192.168.2.1 #public tomcat
# iptables -t nat -A PREROUTING -i $IF_WAN -p tcp --dport 5500 -j DNAT --to-destination 192.168.2.1 #vnc server
# iptables -t nat -A PREROUTING -i $IF_WAN -p tcp --dport 5900 -j DNAT --to-destination 192.168.2.1 #vnc server
# iptables -t nat -A PREROUTING -i $IF_WAN -p tcp --dport 3389 -j DNAT --to-destination 192.168.2.1 #terminal server
# iptables -t nat -A PREROUTING -i $IF_WAN -p udp --dport 3389 -j DNAT --to-destination 192.168.2.1 #terminal server

echo -e "\t\t\t\tdone"
#-------------------------------------------------------------------------------

#-------------------------------------------------------------------------------
# TOS settings
#-------------------------------------------------------------------------------
echo -ne "\t\tSetting up TOS rules"

# tcp
iptables -t mangle -A PREROUTING -p tcp -m tcp -m multiport --dports 21,22,80 -j TOS --set-tos 0x10
iptables -t mangle -A PREROUTING -p tcp -m tcp -m multiport --dports 20,25,143 -j TOS --set-tos 0x08
iptables -t mangle -A PREROUTING -p tcp -m tcp -m multiport --dports 53,110 -j TOS --set-tos 0x04

# udp
iptables -t mangle -A PREROUTING -p udp -m udp -m multiport --dports 53,110 -j TOS --set-tos 0x04
iptables -t mangle -A PREROUTING -p udp -m udp -m multiport --dports 143 -j TOS --set-tos 0x08

echo -e "\t\t\t\tdone"
#-------------------------------------------------------------------------------

#-------------------------------------------------------------------------------
# LOGGING settings
#-------------------------------------------------------------------------------
echo -ne "\t\tSetting up Logging rules"

# default only unicast
#
iptables -A INPUT -m pkttype --pkt-type unicast -j LOG --log-prefix "FIREWALL: " --log-level 7
#
# any example to log all:
#
#iptables -A FORWARD -j LOG --log-prefix="FORWARD: "
#iptables -A INPUT -j LOG --log-prefix="INPUT:"
#iptables -A OUTPUT -j LOG --log-prefix="OUTPUT:"

echo -e "\t\t\tdone"
#-------------------------------------------------------------------------------

echo "The firewall is up."
;;

stop)
echo "pulizia regole..."
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
echo "repristino regole di default..."
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
;;
restart|reload)
$0 stop
$0 start
;;
*)
echo "Usage /etc/init.d/firewall start|stop|restart|reload"
;;
esac
exit 0

Ora come alcuni hanno notato bisogna inserire almeno un mac address nel file /etc/firewallMAC.conf, se non ne conoscete ancora nessuno inserite quello del firewall ricavabile dal comando ifconfig.

Dobbiamo permettere che parta all'avvio:

update-rc.d -f firewall defaults

Ora potete configurare squid per la navigazione tramite proxy, aprite /etc/squid3/squid.conf, cancellate tutto ed inserite:

http_port 127.0.0.1:3128 transparent
http_port 192.168.2.254:3128 transparent
http_port 192.168.3.254:3128 transparent

icp_port 0
#icp_port 3130

#havp
cache_peer localhost parent 8080 0 no-query no-digest no-netdb-exchange default proxy-only

hierarchy_stoplist cgi-bin ?

acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY

#cache_mem 256 MB
# cache_swap_low 90
# cache_swap_high 95
# maximum_object_size 4096 KB
# maximum_object_size_in_memory 8 KB

cache_dir ufs /var/spool/squid3 100 16 256
logformat squid %ts.%03tu %6tr %>a %Ss/%03Hs %a %Ss/%03Hs %h] [%a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %a %ui %un [%tl] "%rm %ru HTTP/%rv" %Hs %h" "%{User-Agent}>h" %Ss:%Sh

access_log /var/log/squid3/access.log
cache_log /var/log/squid3/cache.log
cache_store_log /var/log/squid3/store.log
# log_ip_on_direct on
mime_table /usr/share/squid3/mime.conf
pid_filename /var/run/squid3.pid
debug_options ALL,1
hosts_file /etc/hosts
ftp_user anonymous@workgroup

#Suggested default:
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
#

http_access allow localhost
acl workgroup src 192.168.100.0/24 192.168.101.0/24
http_access allow workgroup
http_access deny all

http_reply_access allow all
icp_access allow all
cache_mgr swipon@email.it
cache_effective_group proxy
visible_hostname proxy.workgroup
#append_domain .workgroup
ie_refresh on
# acl buggy_server url_regex ^http://....
# broken_posts allow buggy_server
coredump_dir /var/spool/squid
vary_ignore_expire on
# relaxed_header_parser on

Perfetto, ora configuriamo dansguardian per il controllo delle pagine.
scaricate una lista blacklist prepronta come questa:

http://urlblacklist.com/cgi-bin/commercialdownload.pl?type=download&file=bigblacklist

e la copiate in /etc/dansguardian:

cd /etc/dansguardian
tar xvfz bigblacklist.tar.gz

Ora lo abilitiamo, commentate la terza righa in alto del file /etc/dansguardian/dansguardian.conf

Passiamo alla configurazione del DNS server come autoritario solo all'interno della lan e della wifi, in modo da impostare in ip fisso e rendere un po' più sicura la dmz e la vpn.
Aprite il file /etc/resolv.conf, cancellate tutto ed inseriteci:

search workgroup
nameserver 127.0.0.1

Ora aptrite il file /etc/bind/named.conf.options, cancellate tutto ed inserite:

options {
directory "/var/cache/bind";
// query-source address * port 53;
forward first;
forwarders {
151.99.0.100;
151.99.125.1;
// 62.211.69.150;
// 212.48.4.15;
};

auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
};

zone "workgroup" in
{
type master;
file "/etc/bind/db.workgroup";
};

zone "wifi" in
{
type master;
file "/etc/bind/db.wifi";
};

Ora create il file /etc/bind/db.workgroup per la lan:

;Dati autorevoli per zona locale
;
$TTL 10800 ; TTL 3 Ore

@ IN SOA proxy.workgroup. hostmaster.proxy.workgroup. (
2008120101 ; 2008 dicembre 01 seriale01
10800 ; refresh 3 ore
3600 ; rentry rate 1 ora
604800 ; expiry time 7 giorni
86400 ) ; ttl 24ore
IN NS proxy.workgroup.
IN A 192.168.2.254

proxy IN A 192.168.2.254
firewall IN CNAME proxy.workgroup.

server-srv IN A 192.168.2.250
server IN CNAME server-srv.workgroup.

ws01 IN A 192.168.2.101
ws02 IN A 192.168.2.102
ws03 IN A 192.168.2.103
ws04 IN A 192.168.2.104
ws05 IN A 192.168.2.105

Fate lo stesso per il file /etc/bind/db.wifi per la wireless:

;Dati autorevoli per zona locale
;
$TTL 10800 ; TTL 3 Ore

@ IN SOA proxy.wifi. hostmaster.proxy.wifi. (
2008120101 ; 2008 dicembre 01 seriale01
10800 ; refresh 3 ore
3600 ; rentry rate 1 ora
604800 ; expiry time 7 giorni
86400 ) ; ttl 24ore
IN NS proxy.wifi.
IN A 192.168.3.254

proxy IN A 192.168.3.254
firewall IN CNAME proxy.wifi.
server-srv IN A 192.168.3.1
server IN CNAME server-srv.wifi.
ws01 IN A 192.168.3.101
ws02 IN A 192.168.3.102
ws03 IN A 192.168.3.103
ws04 IN A 192.168.3.104
ws05 IN A 192.168.3.105

Riavviate e benvenuti nel vostro nuovo firewall! Potrete ora divertirvi a provare a configurare la vpn e i vari filtri di dansguardian.

Swipon

Linuxaro Italiano

Come creare un firewall debian completo

Archivio blog

oknotizie

Linux counter

Informazioni personali

Linux on laptop