Il firewall iptables di un router con un filtro di interfaccia, come mostrato nell'esempio seguente, è sufficiente a impedire la rete interna dagli IP falsificati?
A quanto ho capito, i pacchetti con IP falsificati non possono entrare né nella catena INPUT né nella catena FORWARD, sia a causa della traccia di connessione ( -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
). Alla fine vengono eliminati, a causa del criterio "DROP".
C'è un modo per ingannare il filtro dell'interfaccia?
IPT="/sbin/iptables"
WAN="WAN"
LAN="LAN"
WLAN="WLAN"
# Flush all chaines
$IPT -F
$IPT -X
$IPT -t mangle -F
$IPT -t mangle -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -F INPUT
$IPT -F FORWARD
$IPT -F OUTPUT
# unlimited
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A OUTPUT -o ${LAN} -j ACCEPT
$IPT -A OUTPUT -o ${WLAN} -j ACCEPT
# set policies
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
# NAT
$IPT -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE
#===== BLOCK =====
#----- OUTPUT -----
# Block CUPS WAN access
$IPT -A OUTPUT -o ${WAN} -p tcp --dport 631 -j REJECT
$IPT -A OUTPUT -o ${WAN} -p udp --dport 631 -j REJECT
#===== ALLOW =====
#----- WAN OUTPUT -----
# Allow outgoing DNS requests
$IPT -A OUTPUT -o ${WAN} -p tcp -m multiport --dport 53,953 -j ACCEPT
$IPT -A OUTPUT -o ${WAN} -p udp --dport 53 -j ACCEPT
# Allow outgoing DHCP requests
$IPT -A OUTPUT -o ${WAN} -p udp -m multiport --dport 67,68 -j ACCEPT
# Allow outgoing HTTP(s) for package updates
$IPT -A OUTPUT -o ${WAN} -p tcp -m multiport --dport 80,443 -j ACCEPT
$IPT -A OUTPUT -o ${WAN} -p udp -m multiport --dport 80,443 -j ACCEPT
#----- INPUT -----
# Accept established connections
$IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow ssh
$IPT -A INPUT -i ${LAN} -p tcp --dport 22 -j ACCEPT
# allow ICMP ping pong stuff
$IPT -A INPUT -i ${LAN} -p icmp -j ACCEPT
$IPT -A INPUT -i ${WLAN} -p icmp -j ACCEPT
# Allow port 53 tcp/udp (DNS Server)
$IPT -A INPUT -i ${LAN} -p tcp -m multiport --dport 53,953 -j ACCEPT
$IPT -A INPUT -i ${LAN} -p udp --dport 53 -j ACCEPT
$IPT -A INPUT -i ${WLAN} -p tcp -m multiport --dport 53,953 -j ACCEPT
$IPT -A INPUT -i ${WLAN} -p udp --dport 53 -j ACCEPT
# Proxy
$IPT -A INPUT -i ${LAN} -p tcp --dport 3128 -j ACCEPT
$IPT -A INPUT -i ${WLAN} -p tcp --dport 3128 -j ACCEPT
#DHCP
$IPT -A INPUT -i ${LAN} -p udp -m multiport --dport 67,68 -j ACCEPT
$IPT -A INPUT -i ${WLAN} -p udp -m multiport --dport 67,68 -j ACCEPT
# Open port 631 for CUPS/Printing
$IPT -A INPUT -i ${LAN} -p tcp --dport 631 -j ACCEPT
$IPT -A INPUT -i ${LAN} -p udp --dport 631 -j ACCEPT
$IPT -A INPUT -i ${WLAN} -p tcp --dport 631 -j ACCEPT
$IPT -A INPUT -i ${WLAN} -p udp --dport 631 -j ACCEPT
# Samba
$IPT -A INPUT -i ${LAN} -p tcp -m multiport --dport 139,445 -j ACCEPT
$IPT -A INPUT -i ${LAN} -p udp -m multiport --dport 137,138 -j ACCEPT
$IPT -A INPUT -i ${WLAN} -p tcp -m multiport --dport 139,445 -j ACCEPT
$IPT -A INPUT -i ${WLAN} -p udp -m multiport --dport 137,138 -j ACCEPT
#===== FORWARD =====
$IPT -A FORWARD -i ${LAN} -j ACCEPT
$IPT -A FORWARD -i ${WLAN} -j ACCEPT
$IPT -A FORWARD -i ${WAN} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Reject (W)LAN Traffic rather than drop
$IPT -A INPUT -i ${LAN} -j REJECT --reject-with icmp-host-prohibited
$IPT -A INPUT -i ${WLAN} -j REJECT --reject-with icmp-host-prohibited
$IPT -A OUTPUT -j REJECT --reject-with icmp-host-prohibited