Firewall/Router


This entry is obsolete.

 

My Firewall.

It is a dedicated box installed with IPCop. It is a 600MHz Pentium 4 that also acts as a NAS, purely for backups. Yes, I know, before anyone says anything: putting a NAS server on the same hardware as a firewall is a terrible idea, but bear in mind that this is my home! I cannot have a room with five servers just to have two PCs connected to the network.

Well, with that point cleared up, my IPCop has Copfilter and an AddonServer installed (the links are further down). Several times I have thought about replacing it with another product such as m0n0wall or pfSense, but for the time being IPCop stays firmly in place.

Everything that follows is fairly old, but I leave it here for historical reasons.

My Firewall.

It all started when I decided to get a DSL line for my home. We had two computers at home and only mine had a dial-up connection. That was around the year 2000, and it was a real shame to have a DSL line on only one computer, so initially I configured my computer to share the Internet connection, but soon I was hooked on the idea of putting in a real dedicated firewall.

Luckily enough I got an old Pentium 233MMX from my girlfriend (now she’s my wife) and decided to install a copy of Mandrake Linux and configure it as a firewall. It was a good learning experience and let me study iptables with a real target in mind.

A few days later everything was working well, and I kept upgrading and reconfiguring my firewall from time to time, so it really became a mess.

From time to time I took a look at some firewall projects, but I always decided to stick with my self-made one. Then, while working on a firewall project with a local company, I met IPCop. It was v1.3 and I was hooked. It was a really well done firewall, with all the functionality I was looking for, and during that project I had to make some modifications to it, so I got to know it quite well. To do my work I decided to replace my self-made firewall with this customized version of IPCop and was quite happy with it, so when I left that project I kept it, and when 1.4 came out I went for it and installed a standard 1.4 IPCop.

I have added copfilter 0.0.95.1 and Addon Server 2.2 (and some addons) to it. I have even written one addon, GUIListenPorts.

I will be upgrading my IPCop box to 1.4.4 as soon as Addon Server 2.3 is ready, because IPCop update 1.4.4 breaks Addon Server 2.2 (and most of the addons) and copfilter 0.0.95.1.

Update: Since I’m not a patient guy, I decided to try 1.4.4 with the test Addon Server 2.3 and the copfilter patch.

Update: Really old stuff, now I have IPCop 1.4.15.

I’ve also configured a DMZ, but I have not installed any server on it yet. I will probably put a web server or perhaps a honeypot there.

Here is my old firewall script (I no longer use it). It is probably not the best firewall in the world, but it worked for me. Feel free to study, enhance and use it if you like, and please let me know what modifications you make to it, or any bugs or mistakes you have found.

#!/bin/bash
#
# This is my version of a firewall script for iptables; it's a
# heavily modified version of the script named
# 'Very restrictive set of firewall rules' found at
# http://www.linuxguruz.org/iptables/scripts/rc.firewall_012.txt
#
# I'm not a security expert, so this could have tons of errors which
# I may not have noticed. Please, I encourage you to contact me, so we can
# improve this script.
#
# To run this script you must 'chmod 700 iptables-script' and then execute
# it. To stop it from running, run 'iptables -F'
#
# Version 0.1.1
#
# Date: 13/6/2002
#

############################################################
# Initialization
############################################################

# Our internal network
INTERNAL_NET="192.168.1.0/24"

# Friendly hosts from our LAN (change them to suit your needs)
HOST1="192.168.1.2/32"
HOST2="192.168.1.5/32"

# Friendly IPs from outside ( work ) (change them to suit your needs)
IPBCO1="200.aaa.bbb.ccc"
IPBCO2="200.ddd.eee.fff"

# Name servers (these are from the ISP, change them to suit your needs)
NAMESERVER_1="200.ggg.hhh.iii"
NAMESERVER_2="200.ooo.ppp.qqq"
NAMESERVER_3="200.rrr.sss.ttt"
NAMESERVER_4="200.uuu.vvv.xxx"

# no-ip hosts
NOIP1="166.90.15.237"
NOIP2="66.185.162.98"

# Internet interface (ppp0 for xDSL and dialup)
# LAN interfaces (our internal interfaces, one or more)
INET_DEV="ppp0"
LAN_DEV1="eth1"

# Point this to your copy of iptables
IPT="/sbin/iptables"

#Load the module.
modprobe ip_tables

#Flush old rules, delete other chains if they exists
$IPT -F
$IPT -X
$IPT -Z
$IPT -F -t nat
$IPT -X firewall
$IPT -X spoofing
$IPT -X portscan-fin-urg-psh
$IPT -X portscan-syn-rst-ack-fin-urg
$IPT -X portscan-fin
$IPT -X portscan-all
$IPT -X portscan-none
$IPT -X portscan-syn-fin
$IPT -X portscan-syn-rst
$IPT -X portscan-syn-fin-rst
$IPT -X syn-flood
$IPT -X smb-out
$IPT -X smb-in
$IPT -X nfs
$IPT -X portmapper
$IPT -X otherservices
$IPT -X kazaa
$IPT -X stats-in
$IPT -X mail-out
$IPT -X dropalien
$IPT -X hacker-inside

############################################################
# Set various chains, just to let us log different messages
############################################################

# Set up the firewall chain
$IPT -N firewall
$IPT -A firewall -j LOG --log-level info --log-prefix ">>>>> FIREWALL "
$IPT -A firewall -j DROP

# Set up the spoofing chain
$IPT -N spoofing
$IPT -A spoofing -j LOG --log-level info --log-prefix ">>>>> SPOOFING "
$IPT -A spoofing -j DROP

# Set up the portscan-fin-urg-psh chain
$IPT -N portscan-fin-urg-psh
$IPT -A portscan-fin-urg-psh -j LOG --log-level info --log-prefix ">>PSCAN-FIN-URG-PSH "
$IPT -A portscan-fin-urg-psh -j DROP

# Set up the portscan-syn-rst-ack-fin-urg chain
$IPT -N portscan-syn-rst-ack-fin-urg
$IPT -A portscan-syn-rst-ack-fin-urg -j LOG --log-level info --log-prefix ">>PSCAN-SYN-RST-ACK-FIN-URG "
$IPT -A portscan-syn-rst-ack-fin-urg -j DROP

# Set up the portscan-fin chain
$IPT -N portscan-fin
$IPT -A portscan-fin -j LOG --log-level info --log-prefix ">>PSCAN-FIN "
$IPT -A portscan-fin -j DROP

# Set up the portscan-all chain
$IPT -N portscan-all
$IPT -A portscan-all -j LOG --log-level info --log-prefix ">>PSCAN-ALL "
$IPT -A portscan-all -j DROP

# Set up the portscan-none chain
$IPT -N portscan-none
$IPT -A portscan-none -j LOG --log-level info --log-prefix ">>PSCAN-NONE "
$IPT -A portscan-none -j DROP

# Set up the portscan-syn-fin chain
$IPT -N portscan-syn-fin
$IPT -A portscan-syn-fin -j LOG --log-level info --log-prefix ">>PSCAN-SYN-FIN "
$IPT -A portscan-syn-fin -j DROP

# Set up the portscan-syn-rst chain
$IPT -N portscan-syn-rst
$IPT -A portscan-syn-rst -j LOG --log-level info --log-prefix ">>PSCAN-SYN-RST "
$IPT -A portscan-syn-rst -j DROP

# Set up the portscan-syn-fin-rst chain
$IPT -N portscan-syn-fin-rst
$IPT -A portscan-syn-fin-rst -j LOG --log-level info --log-prefix ">>PSCAN-SYN-FIN-RST "
$IPT -A portscan-syn-fin-rst -j DROP

# Set up the syn-flood chain (SYNs within the limit RETURN to the caller)
$IPT -N syn-flood
$IPT -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
$IPT -A syn-flood -j LOG --log-level info --log-prefix ">>> SYN-FLOOD "
$IPT -A syn-flood -j DROP

# Set up the smb-out chain
$IPT -N smb-out
$IPT -A smb-out -j LOG --log-level info --log-prefix ">>>>> SMB-OUT "
$IPT -A smb-out -j DROP

# Set up the smb-in chain
$IPT -N smb-in
$IPT -A smb-in -j LOG --log-level info --log-prefix ">>>>> SMB-IN "
$IPT -A smb-in -j DROP

# Set up the nfs chain
$IPT -N nfs
$IPT -A nfs -j LOG --log-level info --log-prefix ">>>>> NFS "
$IPT -A nfs -j DROP

# Set up the portmapper chain
$IPT -N portmapper
$IPT -A portmapper -j LOG --log-level info --log-prefix ">>>>> PORTMAPPER "
$IPT -A portmapper -j DROP

# Set up the otherservices chain
$IPT -N otherservices
$IPT -A otherservices -j LOG --log-level info --log-prefix ">>>>> OTHER SERVICES "
$IPT -A otherservices -j DROP

# Set up the kazaa chain
$IPT -N kazaa
$IPT -A kazaa -j LOG --log-level info --log-prefix ">>>>> KAZAA "
$IPT -A kazaa -j DROP

# Set up the stats-in chain (log, then accept)
$IPT -N stats-in
$IPT -A stats-in -j LOG --log-level info --log-prefix ">>>>> STATS-IN "
$IPT -A stats-in -j ACCEPT

# Set up the mail-out chain (log, then accept)
$IPT -N mail-out
$IPT -A mail-out -j LOG --log-level info --log-prefix ">>>>> MAIL-OUT "
$IPT -A mail-out -j ACCEPT

# Set up the dropalien chain
$IPT -N dropalien
$IPT -A dropalien -j LOG --log-level info --log-prefix ">>>>> DROPALIEN "
$IPT -A dropalien -j DROP

# Set up the hacker-inside chain
$IPT -N hacker-inside
$IPT -A hacker-inside -j LOG --log-level info --log-prefix ">>>>> HACKER-INSIDE "
$IPT -A hacker-inside -j DROP

############################################################
# Set IP Spoofing rules so nobody from the Internet can
# fool our firewall making themselves pass as if they’re of
# our internal LAN
############################################################

# Log martians (packets with impossible source addresses) and ignore
# broadcast pings
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Enable SYN cookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

###########################################################
# PREROUTING Chain
###########################################################
# This is for TOS (8 = maximize throughput, 16 = minimize delay)
$IPT -t mangle -A PREROUTING -p tcp --dport 20 -j TOS --set-tos 8
$IPT -t mangle -A PREROUTING -p tcp --dport 21 -j TOS --set-tos 16
$IPT -t mangle -A PREROUTING -p tcp --dport 22 -j TOS --set-tos 16
$IPT -t mangle -A PREROUTING -p tcp --dport 23 -j TOS --set-tos 16
$IPT -t mangle -A PREROUTING -p tcp --dport 25 -j TOS --set-tos 16
$IPT -t mangle -A PREROUTING -p tcp --dport 53 -j TOS --set-tos 16
$IPT -t mangle -A PREROUTING -p udp --dport 53 -j TOS --set-tos 16
$IPT -t mangle -A PREROUTING -p tcp --dport 80 -j TOS --set-tos 8

# This is for the transparent proxy (LAN web traffic goes to Squid on 3128)
$IPT -t nat -A PREROUTING -i $LAN_DEV1 -p tcp --dport 80 -j REDIRECT --to-ports 3128

###########################################################
# INPUT Chain
###########################################################

## FRAGMENTS
# I have to say that fragments scare me more than anything.
# Sending lots of non-first fragments was what allowed Jolt2
# to effectively "drown" Firewall-1. Fragments can be overlapped,
# and the subsequent interpretation of such fragments is very
# OS-dependent. I am not going to trust any fragments.
# Log fragments just to see if we get any, and deny them too.
$IPT -A INPUT -i $INET_DEV -f -j LOG --log-prefix "IPTABLES FRAGMENTS: "
$IPT -A INPUT -i $INET_DEV -f -j DROP

# Anything coming from the Internet should have a real Internet address
# Anti spoofing rules
$IPT -A INPUT -i $INET_DEV -s 127.0.0.0/8 -j spoofing
$IPT -A INPUT -i $INET_DEV -s 10.0.0.0/8 -j spoofing
$IPT -A INPUT -i $INET_DEV -s 255.255.255.255/32 -j spoofing
$IPT -A INPUT -i $INET_DEV -s 0.0.0.0/8 -j spoofing
$IPT -A INPUT -i $INET_DEV -s 169.254.0.0/16 -j spoofing
$IPT -A INPUT -i $INET_DEV -s 172.16.0.0/12 -j spoofing
$IPT -A INPUT -i $INET_DEV -s 192.0.2.0/24 -j spoofing
$IPT -A INPUT -i $INET_DEV -s 192.168.0.0/16 -j spoofing
$IPT -A INPUT -i $INET_DEV -s 224.0.0.0/4 -j spoofing
$IPT -A INPUT -i $INET_DEV -s 240.0.0.0/5 -j spoofing
$IPT -A INPUT -i $INET_DEV -s 248.0.0.0/5 -j spoofing

# It is time for us to get in, and accept other traffic
# Accept ourselves
$IPT -A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
$IPT -A INPUT -s $HOST1 -d 0/0 -j ACCEPT
$IPT -A INPUT -s $HOST2 -d 0/0 -j ACCEPT

# Darkstat (accept darkstat queries on port 2000 from friendly outside hosts)
# fwlogwatch (accept fwlogwatch queries on port 2001 from friendly outside hosts)
# ntop (accept ntop queries on port 2002 from friendly outside hosts)
$IPT -A INPUT -p tcp -i $INET_DEV -s $IPBCO1 --dport 2000 -j stats-in
$IPT -A INPUT -p tcp -i $INET_DEV -s $IPBCO2 --dport 2000 -j stats-in
$IPT -A INPUT -p tcp -i $INET_DEV -s $IPBCO1 --dport 2001 -j stats-in
$IPT -A INPUT -p tcp -i $INET_DEV -s $IPBCO2 --dport 2001 -j stats-in
$IPT -A INPUT -p tcp -i $INET_DEV -s $IPBCO1 --dport 2002 -j stats-in
$IPT -A INPUT -p tcp -i $INET_DEV -s $IPBCO2 --dport 2002 -j stats-in

# Block incoming syslog, lpr, rsh, rexec...
$IPT -A INPUT -i $INET_DEV -p udp --dport syslog -j otherservices
$IPT -A INPUT -i $INET_DEV -p tcp --dport 515 -j otherservices
$IPT -A INPUT -i $INET_DEV -p tcp --dport 514 -j otherservices
$IPT -A INPUT -i $INET_DEV -p tcp --dport 512 -j otherservices

# Try to block Kazaa
$IPT -A INPUT -p tcp --dport 1214 -j kazaa

# Allow any connections established from our host to the Internet
$IPT -A INPUT -i $INET_DEV -m state --state ESTABLISHED -j ACCEPT

# Accept DNS, 'cause it's warm and friendly
#$IPT -A INPUT -p udp --source-port 53 -j ACCEPT
##$IPT -A INPUT -p tcp --source-port 53 -j ACCEPT
##$IPT -A INPUT -p tcp --source-port 113 -j ACCEPT
##$IPT -A INPUT -p tcp --destination-port 113 -j ACCEPT
## DNS
# NOTE: DNS uses tcp for zone transfers, for transfers greater than 512
# bytes (possible, but unusual), and on certain
# platforms like AIX (I am told), so you might have to add a copy of this
# rule for tcp if you need it
# Allow UDP packets in for the DNS client from our nameservers, then drop
# anything else that claims to come from a DNS server port. (The original
# pair of negated rules, "! -s NAMESERVER_1" and "! -s NAMESERVER_2", could
# never let a reply through on their own: a reply from one server is not
# from the other, so the second rule dropped what the first let pass.)
$IPT -A INPUT -i $INET_DEV -p udp -s $NAMESERVER_1 --sport 53 -m state --state ESTABLISHED -j ACCEPT
$IPT -A INPUT -i $INET_DEV -p udp -s $NAMESERVER_2 --sport 53 -m state --state ESTABLISHED -j ACCEPT
$IPT -A INPUT -i $INET_DEV -p udp -s $NAMESERVER_3 --sport 53 -m state --state ESTABLISHED -j ACCEPT
$IPT -A INPUT -i $INET_DEV -p udp -s $NAMESERVER_4 --sport 53 -m state --state ESTABLISHED -j ACCEPT
$IPT -A INPUT -i $INET_DEV -p udp --sport 53 -j DROP

# Accept HTTP (only from the friendly outside hosts)
$IPT -A INPUT -p tcp -i $INET_DEV -s $IPBCO1 --dport 80 -j stats-in
$IPT -A INPUT -p tcp -i $INET_DEV -s $IPBCO2 --dport 80 -j stats-in
#$IPT -A INPUT -p tcp -i $INET_DEV -s 200.45.xxx.xxx --dport 80 -j stats-in

# Accept no-ip
$IPT -A INPUT -i $INET_DEV -p tcp -s $NOIP1 --source-port 8245 -j ACCEPT
$IPT -A INPUT -i $INET_DEV -p tcp -s $NOIP2 --source-port 8245 -j ACCEPT

# Allow smtp
$IPT -A INPUT -i $INET_DEV -s 200.45.48.23 -p tcp --sport 25 -j mail-out

# Allow edonkey (forward the port to the LAN host)
$IPT -t nat -A PREROUTING -i $INET_DEV -p tcp --dport 4662 -j DNAT --to-destination 192.168.1.2

# Allow ftp to send data back and forth (active-mode data connections
# from port 20, without a new SYN).
$IPT -A INPUT -p tcp ! --syn --source-port 20 --destination-port 1024:65535 -j ACCEPT

# Accept SSH. Duh.
#$IPT -A INPUT -p tcp --destination-port 22 -j ACCEPT

# Accept ntp
$IPT -A INPUT -p udp --source-port 123 -j ACCEPT

# Stealth many more ports
# (ftp, telnet, smtp, finger, pop3, ident, rpc, netbios, imap, https, msft, UPnP)
$IPT -A INPUT -i $INET_DEV -p tcp --destination-port 21 -j DROP
$IPT -A INPUT -i $INET_DEV -p tcp --destination-port 23 -j DROP
$IPT -A INPUT -i $INET_DEV -p tcp --destination-port 25 -j DROP
$IPT -A INPUT -i $INET_DEV -p tcp --destination-port 79 -j DROP
$IPT -A INPUT -i $INET_DEV -p tcp --destination-port 110 -j DROP
$IPT -A INPUT -i $INET_DEV -p tcp --destination-port 113 -j DROP
$IPT -A INPUT -i $INET_DEV -p tcp --destination-port 135 -j DROP
$IPT -A INPUT -i $INET_DEV -p tcp --destination-port 139 -j DROP
$IPT -A INPUT -i $INET_DEV -p tcp --destination-port 143 -j DROP
$IPT -A INPUT -i $INET_DEV -p tcp --destination-port 443 -j DROP
$IPT -A INPUT -i $INET_DEV -p tcp --destination-port 445 -j DROP
$IPT -A INPUT -i $INET_DEV -p tcp --destination-port 5000 -j DROP

# Try to find as many kinds of portscan as possible

# Anti portscan rules ("--tcp-flags MASK COMP" matches when the flags
# selected by MASK are exactly COMP; the first matching rule wins)
$IPT -A INPUT -p tcp -i $INET_DEV --tcp-flags ALL SYN,RST,ACK,FIN,URG -j portscan-syn-rst-ack-fin-urg
$IPT -A INPUT -p tcp -i $INET_DEV --tcp-flags ALL FIN,URG,PSH -j portscan-fin-urg-psh
$IPT -A INPUT -p tcp -i $INET_DEV --tcp-flags SYN,FIN,RST SYN,FIN,RST -j portscan-syn-fin-rst
$IPT -A INPUT -p tcp -i $INET_DEV --tcp-flags SYN,FIN SYN,FIN -j portscan-syn-fin
$IPT -A INPUT -p tcp -i $INET_DEV --tcp-flags SYN,RST SYN,RST -j portscan-syn-rst
$IPT -A INPUT -p tcp -i $INET_DEV --tcp-flags ALL FIN -j portscan-fin
$IPT -A INPUT -p tcp -i $INET_DEV --tcp-flags ALL NONE -j portscan-none
$IPT -A INPUT -p tcp -i $INET_DEV --tcp-flags ALL ALL -j portscan-all
$IPT -A INPUT -p tcp -i $INET_DEV --syn -j syn-flood

# Anti SMB inbound
$IPT -A INPUT -p tcp -i $INET_DEV --dport 137:139 -j smb-in
$IPT -A INPUT -p udp -i $INET_DEV --dport 137:139 -j smb-in
$IPT -A INPUT -p tcp -i $INET_DEV --dport 445 -j smb-in
$IPT -A INPUT -p udp -i $INET_DEV --dport 445 -j smb-in

$IPT -A INPUT -p tcp -i $INET_DEV --sport 137:139 -j smb-in
$IPT -A INPUT -p udp -i $INET_DEV --sport 137:139 -j smb-in
$IPT -A INPUT -p tcp -i $INET_DEV --sport 445 -j smb-in
$IPT -A INPUT -p udp -i $INET_DEV --sport 445 -j smb-in

# Send everything else to the firewall chain (log and drop).
#$IPT -A INPUT -p icmp -i $INET_DEV -j firewall
$IPT -A INPUT -p icmp -i $INET_DEV -m state --state NEW -j firewall
$IPT -A INPUT -p tcp -i $INET_DEV -j firewall
$IPT -A INPUT -p udp -i $INET_DEV -j firewall

###########################################################
# OUTPUT Chain
###########################################################

# Block outgoing network filesharing protocols that aren't designed
# to leave the LAN

# This is for TOS
$IPT -t mangle -A OUTPUT -p tcp --dport 20 -j TOS --set-tos 8
$IPT -t mangle -A OUTPUT -p tcp --dport 21 -j TOS --set-tos 16
$IPT -t mangle -A OUTPUT -p tcp --dport 22 -j TOS --set-tos 16
$IPT -t mangle -A OUTPUT -p tcp --dport 23 -j TOS --set-tos 16
$IPT -t mangle -A OUTPUT -p tcp --dport 25 -j TOS --set-tos 16
$IPT -t mangle -A OUTPUT -p tcp --dport 53 -j TOS --set-tos 16
$IPT -t mangle -A OUTPUT -p udp --dport 53 -j TOS --set-tos 16
$IPT -t mangle -A OUTPUT -p tcp --dport 80 -j TOS --set-tos 8

# SMB / Windows filesharing
$IPT -A OUTPUT -o $INET_DEV -p tcp --sport 137:139 -j smb-out
$IPT -A OUTPUT -o $INET_DEV -p udp --sport 137:139 -j smb-out
$IPT -A OUTPUT -o $INET_DEV -p tcp --sport 445 -j smb-out
$IPT -A OUTPUT -o $INET_DEV -p udp --sport 445 -j smb-out

$IPT -A OUTPUT -o $INET_DEV -p tcp --dport 137:139 -j smb-out
$IPT -A OUTPUT -o $INET_DEV -p udp --dport 137:139 -j smb-out
$IPT -A OUTPUT -o $INET_DEV -p tcp --dport 445 -j smb-out
$IPT -A OUTPUT -o $INET_DEV -p udp --dport 445 -j smb-out

# NFS Mount Service (TCP/UDP 635)
$IPT -A OUTPUT -o $INET_DEV -p tcp --sport 635 -j nfs
$IPT -A OUTPUT -o $INET_DEV -p udp --sport 635 -j nfs

# NFS (TCP/UDP 2049)
$IPT -A OUTPUT -o $INET_DEV -p tcp --sport 2049 -j nfs
$IPT -A OUTPUT -o $INET_DEV -p udp --sport 2049 ! --dport 53 -j nfs

# Portmapper (TCP/UDP 111)
$IPT -A OUTPUT -o $INET_DEV -p tcp --sport 111 -j portmapper
$IPT -A OUTPUT -o $INET_DEV -p udp --sport 111 -j portmapper

# Allow UDP packets to DNS servers from the client.
$IPT -A OUTPUT -o $INET_DEV -p udp -d $NAMESERVER_1 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o $INET_DEV -p udp -d $NAMESERVER_2 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o $INET_DEV -p udp -d $NAMESERVER_3 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o $INET_DEV -p udp -d $NAMESERVER_4 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT

# Allow Internet access from the firewall
$IPT -A OUTPUT -o $INET_DEV -m state --state NEW,ESTABLISHED -j ACCEPT

# Allow remote syslog (to the LAN host named darkstar)
$IPT -A OUTPUT -o $LAN_DEV1 -p udp -d darkstar --dport 514 -m state --state NEW -j ACCEPT
# Deny new connections from the firewall itself into the local net
# (only Squid replies and the syslog rule above may pass)
$IPT -A OUTPUT -o $LAN_DEV1 -p tcp --sport 3128 -j ACCEPT
$IPT -A OUTPUT -o $LAN_DEV1 -m state --state NEW -j hacker-inside

############################################################
# Masquerading
############################################################
# Set up masquerading, drop forwarded packets from the LAN side whose
# source is not our internal net, and enable forwarding.
$IPT -t nat -A POSTROUTING -s $INTERNAL_NET -j MASQUERADE
$IPT -A FORWARD -i $LAN_DEV1 ! -s $INTERNAL_NET -j dropalien
$IPT -P FORWARD ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
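As an added example (my own code, not part of the script above or of IPCop), here is a small Python simulator of the anti-portscan rules in the INPUT chain. It reproduces the iptables --tcp-flags semantics so you can check which chain, and therefore which log prefix, a given flag combination ends up in; the rule list is copied in the script's order, and the flag bit values are the standard TCP header ones.

```python
# Added example (not from the original page): a simulator for the
# anti-portscan rules in the script's INPUT chain. iptables evaluates
# "--tcp-flags MASK COMP" as (packet_flags & MASK) == COMP, and the first
# matching rule in the chain decides where the packet jumps.
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL = sum(FLAGS.values())  # 0x3F, what iptables calls "ALL"


def flagset(spec):
    """Turn 'SYN,FIN', 'ALL' or 'NONE' into a bitmask the way iptables does."""
    if spec == "ALL":
        return ALL
    if spec == "NONE":
        return 0
    return sum(FLAGS[name] for name in spec.split(","))


# (MASK, COMP, target) in the order the script appends them to INPUT.
# "--syn" is shorthand for "--tcp-flags SYN,RST,ACK,FIN SYN".
PORTSCAN_RULES = [
    ("ALL", "SYN,RST,ACK,FIN,URG", "portscan-syn-rst-ack-fin-urg"),
    ("ALL", "FIN,URG,PSH", "portscan-fin-urg-psh"),
    ("SYN,FIN,RST", "SYN,FIN,RST", "portscan-syn-fin-rst"),
    ("SYN,FIN", "SYN,FIN", "portscan-syn-fin"),
    ("SYN,RST", "SYN,RST", "portscan-syn-rst"),
    ("ALL", "FIN", "portscan-fin"),
    ("ALL", "NONE", "portscan-none"),
    ("ALL", "ALL", "portscan-all"),
    ("SYN,RST,ACK,FIN", "SYN", "syn-flood"),
]


def classify_bits(flags):
    """Return the target of the first rule matching a raw TCP flag byte, or None."""
    for mask, comp, target in PORTSCAN_RULES:
        if (flags & flagset(mask)) == flagset(comp):
            return target
    return None


def classify(spec):
    """Like classify_bits, but takes a comma-separated flag list such as 'FIN,PSH,URG'."""
    return classify_bits(flagset(spec))


def unreachable_targets():
    """Try all 64 flag combinations and list rule targets no packet can ever reach."""
    reachable = {classify_bits(bits) for bits in range(ALL + 1)}
    return [target for _, _, target in PORTSCAN_RULES if target not in reachable]


if __name__ == "__main__":
    for probe in ("SYN", "SYN,ACK", "NONE", "FIN,PSH,URG", "ALL"):
        print(f"{probe:12} -> {classify(probe)}")
    print("never matched:", unreachable_targets())
```

A packet with every flag set lands in portscan-syn-fin-rst rather than portscan-all, because the earlier SYN,FIN,RST rule already matches it; unreachable_targets() reports that shadowed rule. The packet is dropped either way, only the log prefix differs, which matters when you grep the logs by prefix.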
