iptables: is an iptables interface filter sufficient to prevent IP spoofing?

0

Is the iptables firewall of a router with an interface filter, as shown in the example below, sufficient to protect the internal network from spoofed IPs?

As I understand it, packets with spoofed IPs cannot enter either the INPUT chain or the FORWARD chain, because of connection tracking ( -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT ). In the end they are dropped, because of the "DROP" policy.

Is there a way to trick the interface filter?

#!/bin/sh
IPT="/sbin/iptables"
WAN="WAN"
LAN="LAN"
WLAN="WLAN"

# Flush all chains
$IPT -F
$IPT -X
$IPT -t mangle -F
$IPT -t mangle -X
$IPT -t nat -F
$IPT -t nat -X

$IPT -F INPUT
$IPT -F FORWARD
$IPT -F OUTPUT

# unlimited
$IPT -A INPUT  -i lo      -j ACCEPT
$IPT -A OUTPUT -o lo      -j ACCEPT
$IPT -A OUTPUT -o ${LAN}  -j ACCEPT
$IPT -A OUTPUT -o ${WLAN} -j ACCEPT

# set policies
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

# NAT
$IPT -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE

#===== BLOCK =====
#----- OUTPUT -----
# Block CUPS WAN access
$IPT -A OUTPUT -o ${WAN} -p tcp --dport 631 -j REJECT
$IPT -A OUTPUT -o ${WAN} -p udp --dport 631 -j REJECT

#===== ALLOW =====
#----- WAN OUTPUT -----
# Allow outgoing DNS requests
$IPT -A OUTPUT -o ${WAN} -p tcp -m multiport --dport 53,953 -j ACCEPT
$IPT -A OUTPUT -o ${WAN} -p udp              --dport 53     -j ACCEPT

# Allow outgoing DHCP requests
$IPT -A OUTPUT -o ${WAN} -p udp -m multiport --dport 67,68 -j ACCEPT

# Allow outgoing HTTP(s) for package updates
$IPT -A OUTPUT -o ${WAN} -p tcp -m multiport --dport 80,443 -j ACCEPT
$IPT -A OUTPUT -o ${WAN} -p udp -m multiport --dport 80,443 -j ACCEPT

#----- INPUT -----
# Accept established connections
$IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Allow ssh
$IPT -A INPUT -i ${LAN}  -p tcp --dport 22 -j ACCEPT

# allow ICMP ping pong stuff
$IPT -A INPUT  -i ${LAN}  -p icmp -j ACCEPT
$IPT -A INPUT  -i ${WLAN} -p icmp -j ACCEPT

# Allow port 53 tcp/udp (DNS Server)
$IPT -A INPUT -i ${LAN}  -p tcp -m multiport --dport 53,953 -j ACCEPT
$IPT -A INPUT -i ${LAN}  -p udp              --dport 53     -j ACCEPT

$IPT -A INPUT -i ${WLAN} -p tcp -m multiport --dport 53,953 -j ACCEPT
$IPT -A INPUT -i ${WLAN} -p udp              --dport 53     -j ACCEPT

# Proxy
$IPT -A INPUT -i ${LAN}  -p tcp --dport 3128 -j ACCEPT
$IPT -A INPUT -i ${WLAN} -p tcp --dport 3128 -j ACCEPT

#DHCP
$IPT -A INPUT -i ${LAN}  -p udp -m multiport --dport 67,68 -j ACCEPT
$IPT -A INPUT -i ${WLAN} -p udp -m multiport --dport 67,68 -j ACCEPT

# Open port 631 for CUPS/Printing
$IPT -A INPUT -i ${LAN}  -p tcp --dport 631 -j ACCEPT
$IPT -A INPUT -i ${LAN}  -p udp --dport 631 -j ACCEPT
$IPT -A INPUT -i ${WLAN} -p tcp --dport 631 -j ACCEPT
$IPT -A INPUT -i ${WLAN} -p udp --dport 631 -j ACCEPT

# Samba
$IPT -A INPUT -i ${LAN}  -p tcp -m multiport --dport 139,445 -j ACCEPT
$IPT -A INPUT -i ${LAN}  -p udp -m multiport --dport 137,138 -j ACCEPT
$IPT -A INPUT -i ${WLAN} -p tcp -m multiport --dport 139,445 -j ACCEPT
$IPT -A INPUT -i ${WLAN} -p udp -m multiport --dport 137,138 -j ACCEPT

#===== FORWARD =====
$IPT -A FORWARD -i ${LAN} -j ACCEPT
$IPT -A FORWARD -i ${WLAN} -j ACCEPT
$IPT -A FORWARD -i ${WAN} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Reject (W)LAN Traffic rather than drop
$IPT -A INPUT   -i ${LAN}  -j REJECT --reject-with icmp-host-prohibited
$IPT -A INPUT   -i ${WLAN} -j REJECT --reject-with icmp-host-prohibited
$IPT -A OUTPUT             -j REJECT --reject-with icmp-host-prohibited
posted by Kiigass 08.09.2017 - 14:57
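One way to add the source-address check that an interface-only filter lacks (the rules above accept anything arriving on LAN/WLAN without looking at where it claims to come from), as an added example that is not code from the original post. Interface names, the two internal prefixes and the sysctl path are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post. Interface-only matches such as
# "-i LAN -j ACCEPT" never inspect the source address, so a LAN host can still
# send packets with a forged source through the FORWARD chain. These rules bind
# each interface to the prefixes that may legitimately appear on it.
# Interface names and prefixes below are assumptions for illustration.
IPT="/sbin/iptables"
SYSCTL="/sbin/sysctl"
WAN="WAN"; LAN="LAN"; WLAN="WLAN"
LAN_NET="192.168.1.0/24"    # assumed prefix behind LAN
WLAN_NET="192.168.2.0/24"   # assumed prefix behind WLAN
APPLY="${APPLY:-0}"         # default: print the rules; APPLY=1 executes them

run() {
    if [ "$APPLY" = "1" ]; then "$@"; else echo "$@"; fi
}

# Ingress filter for an internal interface: anything not sourced from its own
# prefix is dropped before conntrack (raw table). DHCP DISCOVER/REQUEST from an
# unconfigured client uses source 0.0.0.0, so it must be let through first.
bind_iface_to_net() {
    iface="$1"; net="$2"
    run "$IPT" -t raw -A PREROUTING -i "$iface" -s 0.0.0.0 -p udp --dport 67 -j ACCEPT
    run "$IPT" -t raw -A PREROUTING -i "$iface" ! -s "$net" -j DROP
}

# Packets from the WAN claiming an internal or loopback source are forged;
# drop them before they can ever be matched as ESTABLISHED,RELATED.
drop_internal_from_wan() {
    for net in "$LAN_NET" "$WLAN_NET" 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        run "$IPT" -t raw -A PREROUTING -i "$WAN" -s "$net" -j DROP
    done
}

antispoof_rules() {
    run "$IPT" -t raw -F PREROUTING     # the original script flushes only filter/mangle/nat
    bind_iface_to_net "$LAN"  "$LAN_NET"
    bind_iface_to_net "$WLAN" "$WLAN_NET"
    drop_internal_from_wan
    # Kernel reverse-path check as a second layer; strict mode (1) is safe here
    # because the router has a single uplink and symmetric routing.
    run "$SYSCTL" -w net.ipv4.conf.all.rp_filter=1
    run "$SYSCTL" -w net.ipv4.conf.default.rp_filter=1
}

antispoof_rules
```

Run as-is to preview the generated rules; `APPLY=1 sh antispoof.sh` applies them on the router.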

0 answers
