El 04/07/12 21:05, M.Vila escribió: > Gracias por la ayuda!! Os dejo mi configuración. > > #!/bin/bash > iptables -F > iptables -t nat -F > iptables -Z > iptables -X > # > iptables -P INPUT DROP > iptables -P OUTPUT DROP > iptables -P FORWARD DROP > # > #/sbin/modprobe ip_conntrack_ftp > # > iptables -A OUTPUT -o lo -j ACCEPT > iptables -A INPUT -i lo -j ACCEPT > # > # Quitamos los pings. > /bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all > # > # No respondemos a los broadcast. > /bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts > # > # Para evitar el spoofing nos aseguramos de que la dirección > # origen del paquete viene del sitio correcto. > for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do > /bin/echo "1" > ${interface} > done > #dns > iptables -A OUTPUT -p udp --sport 1024:65535 --dport 53 -m state > --state NEW,ESTABLISHED -j ACCEPT > iptables -A INPUT -p udp --dport 1024:65535 --sport 53 -m state > --state ESTABLISHED -j ACCEPT > #ssh > iptables -A OUTPUT -p tcp --sport 1024:65535 --dport 22 -m state > --state NEW,ESTABLISHED -j ACCEPT > iptables -A INPUT -p tcp --dport 1024:65535 --sport 22 -m state > --state ESTABLISHED -j ACCEPT > #smtp > iptables -A OUTPUT -p tcp --dport 1024:65535 --sport 25 -m state > --state NEW,ESTABLISHED -j ACCEPT > iptables -A INPUT -p tcp --sport 1024:65535 --dport 25 -m state > --state ESTABLISHED -j ACCEPT > #http > iptables -A OUTPUT -p tcp --sport 1024:65535 --dport 80 -m state > --state NEW,ESTABLISHED -j ACCEPT > iptables -A INPUT -p tcp --dport 1024:65535 --sport 80 -m state > --state ESTABLISHED -j ACCEPT > #smtp > iptables -A OUTPUT -p tcp --sport 1024:65535 --dport 443 -m state > --state NEW,ESTABLISHED -j ACCEPT > iptables -A INPUT -p tcp --dport 1024:65535 --sport 443 -m state > --state ESTABLISHED -j ACCEPT > #https > iptables -A OUTPUT -p tcp --sport 1024:65535 --dport 465 -m state > --state NEW,ESTABLISHED -j ACCEPT > iptables -A INPUT -p tcp --dport 1024:65535 --sport 465 -m state > --state ESTABLISHED -j ACCEPT > #imap4 > iptables -A OUTPUT -p tcp --sport 1024:65535 --dport 993 -m state > --state NEW,ESTABLISHED -j ACCEPT > iptables -A INPUT -p tcp --dport 1024:65535 --sport 993 -m state > --state ESTABLISHED -j ACCEPT > #pop3 > iptables -A OUTPUT -p tcp --sport 1024:65535 --dport 995 -m state > --state NEW,ESTABLISHED -j ACCEPT > iptables -A INPUT -p tcp --dport 1024:65535 --sport 995 -m state > --state ESTABLISHED -j ACCEPT > #irc > iptables -A OUTPUT -p tcp --sport 1024:65535 --dport 6667 -m state > --state NEW,ESTABLISHED -j ACCEPT > iptables -A INPUT -p tcp --dport 1024:65535 --sport 6667 -m state > --state ESTABLISHED -j ACCEPT > #squid > iptables -A OUTPUT -p tcp --sport 1024:65535 --dport 3128 -m state > --state NEW,ESTABLISHED -j ACCEPT > iptables -A INPUT -p tcp --dport 1024:65535 --sport 3128 -m state > --state ESTABLISHED -j ACCEPT > # > iptables -A OUTPUT -p tcp --sport 1024:65535 --dport 8080 -m state > --state NEW,ESTABLISHED -j ACCEPT > iptables -A INPUT -p tcp --dport 1024:65535 --sport 8080 -m state > --state ESTABLISHED -j ACCEPT > # > iptables -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT > iptables -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT > >
algunos consejos. "-m state --state NEW,ESTABLISHED -j ACCEPT" -> "-j ACCEPT" Usa tus propias cadenas. -N _outgoing -I _outgoing -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -A OUTPUT -p tcp --dport 993 -j _outgoing iptables -A OUTPUT -p tcp --dport 995 -j _outgoing etc ... si es un servidor y trabajas en remoto, las policy deberías aplicarlas al final, despues de haber asegurado el acceso al sistema. Un saludo. -- To UNSUBSCRIBE, email to debian-user-spanish-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/4ff53e18.9090...@limbo.deathwing.net