\FOT{2}\Seq%
{\def\HeadingLevel%
{0}\def\PageNumberFormat%
{1}\def\PageNumberRestart%
{0}\def\PageNColumns%
{1}\def\PageColumnSep%
{36\p@}\def\PageBalanceColumns%
{0}\def\WritingMode%
{lefttoright}\def\InputWhitespaceTreatment%
{collapse}\def\LeftMargin%
{72\p@}\def\RightMargin%
{72\p@}\def\PageWidth%
{612\p@}\def\PageHeight%
{792\p@}\def\MinLeading%
{2\p@}\def\MinLeadingFactor%
{0}\def\TopMargin%
{72\p@}\def\BottomMargin%
{96\p@}\def\HeaderMargin%
{48\p@}\def\FooterMargin%
{48\p@}}\Node%
{}\Node%
{\def\Label%
{cortafuegos}}\Seq%
{}\SpS%
{\def\PageNColumns%
{1}\def\PageNumberRestart%
{0}\def\PageNumberFormat%
{1}\def\StartIndent%
{48\p@}\def\StartIndentFactor%
{0}\def\InputWhitespaceTreatment%
{collapse}\def\Quadding%
{start}\def\fSize%
{10\p@}\def\fWeight%
{medium}\def\fPosture%
{upright}\def\fFamName{Times-New-Roman}\def\LineSpacing%
{13\p@}\def\LineSpacingFactor%
{0}}
\SpSOtherBackLeftFooter%
{}
\SpSOtherBackLeftHeader%
{}
\SpSOtherBackCenterFooter%
{}
\SpSOtherBackCenterHeader%
{}
\SpSOtherBackRightFooter%
{\Seq%
{\def\fPosture%
{italic}}\insertPageNumber%
{}\endSeq{}}
\SpSOtherBackRightHeader%
{\Seq%
{\def\fPosture%
{italic}}\Node%
{\def\Element%
{2}\def\ProcessingMode%
{hf-mode}}\Seq%
{}Instalación y configuración del cortafuegos\endSeq{}\endNode{}\endSeq{}}
\SpSFirstBackLeftFooter%
{}
\SpSFirstBackLeftHeader%
{}
\SpSFirstBackCenterFooter%
{}
\SpSFirstBackCenterHeader%
{}
\SpSFirstBackRightFooter%
{\Seq%
{\def\fPosture%
{italic}}\insertPageNumber%
{}\endSeq{}}
\SpSFirstBackRightHeader%
{}
\SpSOtherFrontLeftFooter%
{}
\SpSOtherFrontLeftHeader%
{}
\SpSOtherFrontCenterFooter%
{}
\SpSOtherFrontCenterHeader%
{}
\SpSOtherFrontRightFooter%
{\Seq%
{\def\fPosture%
{italic}}\insertPageNumber%
{}\endSeq{}}
\SpSOtherFrontRightHeader%
{\Seq%
{\def\fPosture%
{italic}}\Node%
{\def\Element%
{2}\def\ProcessingMode%
{hf-mode}}\Seq%
{}Instalación y configuración del cortafuegos\endSeq{}\endNode{}\endSeq{}}
\SpSFirstFrontLeftFooter%
{}
\SpSFirstFrontLeftHeader%
{}
\SpSFirstFrontCenterFooter%
{}
\SpSFirstFrontCenterHeader%
{}
\SpSFirstFrontRightFooter%
{\Seq%
{\def\fPosture%
{italic}}\insertPageNumber%
{}\endSeq{}}
\SpSFirstFrontRightHeader%
{}\Seq%
{}\Seq%
{}\Seq%
{}\Node%
{\def\Element%
{2}\def\ProcessingMode%
{article-titlepage-recto-mode}}\Par%
{\def\fSize%
{24.883\p@}\def\LineSpacing%
{32.348\p@}\def\LineSpacingFactor%
{0}\def\Quadding%
{center}\def\fFamName{Arial}\def\fWeight%
{bold}\def\sbNom%
{18.662\p@}\def\sbMin%
{18.662\p@}\def\sbMax%
{18.662\p@}\def\sbConditional%
{1}\def\KeepWithNext%
{1}}Instalación y configuración del cortafuegos\endPar{}\endNode{}\Seq%
{}\Node%
{\def\Element%
{3}\def\ProcessingMode%
{article-titlepage-recto-mode}}\Seq%
{}\Par%
{\def\fSize%
{17.28\p@}\def\LineSpacing%
{22.464\p@}\def\LineSpacingFactor%
{0}\def\Quadding%
{center}\def\fFamName{Arial}\def\fWeight%
{bold}\def\sbNom%
{10.8\p@}\def\sbMin%
{10.8\p@}\def\sbMax%
{10.8\p@}\def\sbConditional%
{1}\def\KeepWithNext%
{1}}Sergio González González\endPar{}\Node%
{\def\Element%
{6}\def\ProcessingMode%
{article-titlepage-recto-mode}}\DisplayGroup%
{\def\fFamName{Arial}\def\fWeight%
{bold}\def\fSize%
{12\p@}}\Node%
{\def\Element%
{7}\def\ProcessingMode%
{article-titlepage-recto-mode}}\Par%
{\def\Quadding%
{center}\def\fFamName{Arial}\def\fWeight%
{bold}\def\fSize%
{12\p@}}Universidad de León, España\endPar{}\endNode{}\Node%
{\def\Element%
{8}\def\ProcessingMode%
{article-titlepage-recto-mode}}\DisplayGroup%
{\def\Quadding%
{center}\def\fFamName{Arial}\def\fWeight%
{bold}\def\fSize%
{12\p@}}\Par%
{\def\StartIndent%
{48\p@}\def\StartIndentFactor%
{0}\def\FirstLineStartIndent%
{0\p@}\def\FirstLineStartIndentFactor%
{0}\def\Lines%
{asis}\def\InputWhitespaceTreatment%
{preserve}\def\sbNom%
{10\p@}\def\sbMin%
{10\p@}\def\sbMax%
{10\p@}\def\sbConditional%
{1}\def\saNom%
{10\p@}\def\saMin%
{10\p@}\def\saMax%
{10\p@}\def\saConditional%
{1}}\Node%
{\def\Element%
{9}\def\ProcessingMode%
{titlepage-address-mode}}sergio.gonzalez@hispalinux.es\endNode{}\endPar{}\endDisplayGroup{}\endNode{}\endDisplayGroup{}\endNode{}\endSeq{}\endNode{}\Seq%
{}\Node%
{\def\Element%
{11}\def\ProcessingMode%
{article-titlepage-recto-mode}}\DisplayGroup%
{\def\Quadding%
{start}\def\StartIndent%
{65.5\p@}\def\StartIndentFactor%
{0}\def\EndIndent%
{17.5\p@}\def\EndIndentFactor%
{0}\def\fFamName{Times-New-Roman}}\DisplayGroup%
{\def\StartIndent%
{65.5\p@}\def\StartIndentFactor%
{0}\def\sbNom%
{10\p@}\def\sbMin%
{10\p@}\def\sbMax%
{10\p@}\def\sbConditional%
{1}\def\saNom%
{10\p@}\def\saMin%
{10\p@}\def\saMax%
{10\p@}\def\saConditional%
{1}}\Node%
{\def\Element%
{12}\def\ProcessingMode%
{article-titlepage-recto-mode}}\Par%
{\def\FirstLineStartIndent%
{0\p@}\def\FirstLineStartIndentFactor%
{0}\def\Quadding%
{start}\def\Hyphenate%
{0}\def\Language%
{ES}\def\sbNom%
{5\p@}\def\sbMin%
{5\p@}\def\sbMax%
{5\p@}\def\sbConditional%
{1}\def\saNom%
{5\p@}\def\saMin%
{5\p@}\def\saMax%
{5\p@}\def\saConditional%
{1}}
	Este documento es una pequeña guía que muestra cómo instalar y configurar el 
	cortafuegos desarrollado para el proyecto. El proceso está especificado para una 
	distribución Debian GNU/Linux.
      \endPar{}\endNode{}\endDisplayGroup{}\endDisplayGroup{}\endNode{}\endSeq{}\endSeq{}\endSeq{}\endSeq{}\endSeq{}\Node%
{\def\Element%
{1}}\endNode{}\Node%
{\def\Label%
{introduccion}}\DisplayGroup%
{\def\StartIndent%
{48\p@}\def\StartIndentFactor%
{0}\def\sbNom%
{10\p@}\def\sbMin%
{10\p@}\def\sbMax%
{10\p@}\def\sbConditional%
{1}\def\saNom%
{10\p@}\def\saMin%
{10\p@}\def\saMax%
{10\p@}\def\saConditional%
{1}}\Seq%
{}\Seq%
{}\Par%
{\def\fFamName{Arial}\def\fWeight%
{bold}\def\fPosture%
{upright}\def\fSize%
{14.4\p@}\def\LineSpacing%
{18.72\p@}\def\LineSpacingFactor%
{0}\def\StartIndent%
{0\p@}\def\StartIndentFactor%
{0}\def\FirstLineStartIndent%
{0\p@}\def\FirstLineStartIndentFactor%
{0}\def\Quadding%
{start}\def\HeadingLevel%
{2}\def\sbNom%
{10.8\p@}\def\sbMin%
{10.8\p@}\def\sbMax%
{10.8\p@}\def\sbConditional%
{1}\def\saNom%
{7.2\p@}\def\saMin%
{7.2\p@}\def\saMax%
{7.2\p@}\def\saConditional%
{1}\def\KeepWithNext%
{1}}\Node%
{\def\Element%
{14}\def\ProcessingMode%
{title-sosofo-mode}}Introducción\endNode{}\endPar{}\endSeq{}\Node%
{\def\Element%
{14}}\endNode{}\Node%
{\def\Element%
{15}}\Par%
{\def\FirstLineStartIndent%
{0\p@}\def\FirstLineStartIndentFactor%
{0}\def\Quadding%
{start}\def\Hyphenate%
{0}\def\Language%
{ES}\def\sbNom%
{5\p@}\def\sbMin%
{5\p@}\def\sbMax%
{5\p@}\def\sbConditional%
{1}\def\saNom%
{5\p@}\def\saMin%
{5\p@}\def\saMax%
{5\p@}\def\saConditional%
{1}}
    El cortafuegos utilizado ha sido desarrollado íntegramente por el grupo GSO a 
    partir de información y otros cortafuegos disponibles en Internet. Está programado 
    en el lenguaje shell de \Node%
{\def\Element%
{16}}\Seq%
{\def\fPosture%
{italic}}bash\endSeq{}\endNode{} y se distribuye bajo la 
    licencia libre GNU/GPL.
	\endPar{}\endNode{}\Node%
{\def\Element%
{17}}\Par%
{\def\FirstLineStartIndent%
{0\p@}\def\FirstLineStartIndentFactor%
{0}\def\Quadding%
{start}\def\Hyphenate%
{0}\def\Language%
{ES}\def\sbNom%
{5\p@}\def\sbMin%
{5\p@}\def\sbMax%
{5\p@}\def\sbConditional%
{1}\def\saNom%
{5\p@}\def\saMin%
{5\p@}\def\saMax%
{5\p@}\def\saConditional%
{1}}
	Utiliza las características avanzadas de los kernels de Linux de la 
	serie 2.4.x para el filtrado de paquetes de red. La herramienta utilizada 
	es \Node%
{\def\Element%
{18}}\Seq%
{\def\fWeight%
{bold}}iptables\endSeq{}\endNode{}, que está englobada en el 
	proyecto \Node%
{\def\Element%
{19}}\Seq%
{}\Seq%
{}\Seq%
{}Netfilter\endSeq{}\Seq%
{} (http://www.netfilter.org/)\endSeq{}\endSeq{}\endSeq{}\endNode{}.
	\endPar{}\endNode{}\Node%
{\def\Element%
{20}}\Par%
{\def\FirstLineStartIndent%
{0\p@}\def\FirstLineStartIndentFactor%
{0}\def\Quadding%
{start}\def\Hyphenate%
{0}\def\Language%
{ES}\def\sbNom%
{5\p@}\def\sbMin%
{5\p@}\def\sbMax%
{5\p@}\def\sbConditional%
{1}\def\saNom%
{5\p@}\def\saMin%
{5\p@}\def\saMax%
{5\p@}\def\saConditional%
{1}}
	Las características más importantes del cortafuegos desarrollado son:
	\endPar{}\endNode{}\Node%
{\def\Element%
{21}}\DisplayGroup%
{\def\StartIndent%
{48\p@}\def\StartIndentFactor%
{0}\def\saNom%
{5\p@}\def\saMin%
{5\p@}\def\saMax%
{5\p@}\def\saConditional%
{1}}\Node%
{\def\Element%
{22}}\DisplayGroup%
{\def\StartIndent%
{58\p@}\def\StartIndentFactor%
{0}}\Par%
{\def\FirstLineStartIndent%
{-10\p@}\def\FirstLineStartIndentFactor%
{0}\def\fFamName{Times-New-Roman}\def\fWeight%
{medium}\def\fSize%
{10\p@}\def\sbNom%
{5\p@}\def\sbMin%
{5\p@}\def\sbMax%
{5\p@}\def\sbConditional%
{1}}\Seq%
{}\LineField%
{\def\fSize%
{8\p@}\def\PositionPointShift%
{0\p@}\def\PositionPointShiftFactor%
{0}\def\FieldWidth%
{10\p@}\def\FieldWidthFactor%
{0}}\Character{8226}\endLineField{}\endSeq{}\Node%
{\def\Element%
{23}\def\ProcessingMode%
{listitem-content-mode}}\Seq%
{}Filtrado de paquetes por estado\endSeq{}\endNode{}\endPar{}\endDisplayGroup{}\endNode{}\Node%
{\def\Element%
{24}}\DisplayGroup%
{\def\StartIndent%
{58\p@}\def\StartIndentFactor%
{0}}\Par%
{\def\FirstLineStartIndent%
{-10\p@}\def\FirstLineStartIndentFactor%
{0}\def\fFamName{Times-New-Roman}\def\fWeight%
{medium}\def\fSize%
{10\p@}\def\sbNom%
{5\p@}\def\sbMin%
{5\p@}\def\sbMax%
{5\p@}\def\sbConditional%
{1}}\Seq%
{}\LineField%
{\def\fSize%
{8\p@}\def\PositionPointShift%
{0\p@}\def\PositionPointShiftFactor%
{0}\def\FieldWidth%
{10\p@}\def\FieldWidthFactor%
{0}}\Character{8226}\endLineField{}\endSeq{}\Node%
{\def\Element%
{25}\def\ProcessingMode%
{listitem-content-mode}}\Seq%
{}Enmascaramiento del tráfico local hacia Internet\endSeq{}\endNode{}\endPar{}\endDisplayGroup{}\endNode{}\Node%
{\def\Element%
{26}}\DisplayGroup%
{\def\StartIndent%
{58\p@}\def\StartIndentFactor%
{0}}\Par%
{\def\FirstLineStartIndent%
{-10\p@}\def\FirstLineStartIndentFactor%
{0}\def\fFamName{Times-New-Roman}\def\fWeight%
{medium}\def\fSize%
{10\p@}\def\sbNom%
{5\p@}\def\sbMin%
{5\p@}\def\sbMax%
{5\p@}\def\sbConditional%
{1}}\Seq%
{}\LineField%
{\def\fSize%
{8\p@}\def\PositionPointShift%
{0\p@}\def\PositionPointShiftFactor%
{0}\def\FieldWidth%
{10\p@}\def\FieldWidthFactor%
{0}}\Character{8226}\endLineField{}\endSeq{}\Node%
{\def\Element%
{27}\def\ProcessingMode%
{listitem-content-mode}}\Seq%
{}Redirección transparente de puertos (tanto en el 
	  tráfico de entrada como de salida)\endSeq{}\endNode{}\endPar{}\endDisplayGroup{}\endNode{}\endDisplayGroup{}\endNode{}\Node%
{\def\Element%
{28}}\Par%
{\def\FirstLineStartIndent%
{0\p@}\def\FirstLineStartIndentFactor%
{0}\def\Quadding%
{start}\def\Hyphenate%
{0}\def\Language%
{ES}\def\sbNom%
{5\p@}\def\sbMin%
{5\p@}\def\sbMax%
{5\p@}\def\sbConditional%
{1}\def\saNom%
{5\p@}\def\saMin%
{5\p@}\def\saMax%
{5\p@}\def\saConditional%
{1}}
	Mediante este cortafuegos, se da acceso a internet a todos los ordenadores 
	de la Unidad de Imagen, así como a todos los ordenadores situados en el 
	laboratorio F1.
	\endPar{}\endNode{}\endSeq{}\endDisplayGroup{}\endNode{}\Node%
{\def\Label%
{instalacion}}\DisplayGroup%
{\def\StartIndent%
{48\p@}\def\StartIndentFactor%
{0}\def\sbNom%
{10\p@}\def\sbMin%
{10\p@}\def\sbMax%
{10\p@}\def\sbConditional%
{1}\def\saNom%
{10\p@}\def\saMin%
{10\p@}\def\saMax%
{10\p@}\def\saConditional%
{1}}\Seq%
{}\Seq%
{}\Par%
{\def\fFamName{Arial}\def\fWeight%
{bold}\def\fPosture%
{upright}\def\fSize%
{14.4\p@}\def\LineSpacing%
{18.72\p@}\def\LineSpacingFactor%
{0}\def\StartIndent%
{0\p@}\def\StartIndentFactor%
{0}\def\FirstLineStartIndent%
{0\p@}\def\FirstLineStartIndentFactor%
{0}\def\Quadding%
{start}\def\HeadingLevel%
{2}\def\sbNom%
{10.8\p@}\def\sbMin%
{10.8\p@}\def\sbMax%
{10.8\p@}\def\sbConditional%
{1}\def\saNom%
{7.2\p@}\def\saMin%
{7.2\p@}\def\saMax%
{7.2\p@}\def\saConditional%
{1}\def\KeepWithNext%
{1}}\Node%
{\def\Element%
{30}\def\ProcessingMode%
{title-sosofo-mode}}Instalación\endNode{}\endPar{}\endSeq{}\Node%
{\def\Element%
{30}}\endNode{}\Node%
{\def\Element%
{31}}\Par%
{\def\FirstLineStartIndent%
{0\p@}\def\FirstLineStartIndentFactor%
{0}\def\Quadding%
{start}\def\Hyphenate%
{0}\def\Language%
{ES}\def\sbNom%
{5\p@}\def\sbMin%
{5\p@}\def\sbMax%
{5\p@}\def\sbConditional%
{1}\def\saNom%
{5\p@}\def\saMin%
{5\p@}\def\saMax%
{5\p@}\def\saConditional%
{1}}
    Necesitamos descargar el archivo del cortafuegos, que está situado 
    en la sección de recursos en la página web del proyecto. El nombre 
    completo es "rc\char95{}firewall".
    \endPar{}\endNode{}\Node%
{\def\Element%
{32}}\Par%
{\def\FirstLineStartIndent%
{0\p@}\def\FirstLineStartIndentFactor%
{0}\def\Quadding%
{start}\def\Hyphenate%
{0}\def\Language%
{ES}\def\sbNom%
{5\p@}\def\sbMin%
{5\p@}\def\sbMax%
{5\p@}\def\sbConditional%
{1}\def\saNom%
{5\p@}\def\saMin%
{5\p@}\def\saMax%
{5\p@}\def\saConditional%
{1}}
    Una vez lo hayamos descargado, lo copiaremos en su ubicación correcta, 
    que es /etc/init.d/, mediante el comando:
    \endPar{}\endNode{}\Node%
{\def\Element%
{33}}\Par%
{\def\fSize%
{9\p@}\def\LineSpacing%
{11.7\p@}\def\LineSpacingFactor%
{0}\def\StartIndent%
{48\p@}\def\StartIndentFactor%
{0}\def\fFamName{Courier-New}\def\fWeight%
{medium}\def\fPosture%
{upright}\def\FirstLineStartIndent%
{0\p@}\def\FirstLineStartIndentFactor%
{0}\def\Lines%
{asis}\def\InputWhitespaceTreatment%
{preserve}\def\sbNom%
{10\p@}\def\sbMin%
{10\p@}\def\sbMax%
{10\p@}\def\sbConditional%
{1}\def\saNom%
{10\p@}\def\saMin%
{10\p@}\def\saMax%
{10\p@}\def\saConditional%
{1}}\Node%
{\def\Element%
{34}}\Seq%
{\def\fFamName{Courier-New}\def\fSize%
{8.1\p@}}\# \endSeq{}\endNode{}\Node%
{\def\Element%
{35}}\Seq%
{\def\fFamName{Courier-New}\def\fWeight%
{bold}}cp rc\char95{}firewall /etc/init.d/\endSeq{}\endNode{}\endPar{}\endNode{}\Node%
{\def\Element%
{36}}\Par%
{\def\FirstLineStartIndent%
{0\p@}\def\FirstLineStartIndentFactor%
{0}\def\Quadding%
{start}\def\Hyphenate%
{0}\def\Language%
{ES}\def\sbNom%
{5\p@}\def\sbMin%
{5\p@}\def\sbMax%
{5\p@}\def\sbConditional%
{1}\def\saNom%
{5\p@}\def\saMin%
{5\p@}\def\saMax%
{5\p@}\def\saConditional%
{1}}
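	Una vez copiado, conviene comprobar que el archivo pertenece a root, 
	que sólo root puede modificarlo y que tiene permiso de ejecución, ya 
	que se ejecutará con privilegios de root en cada arranque. Después 
	necesitamos añadirlo a los scripts de arranque para que se ejecute 
	automáticamente cada vez que arranque el ordenador. Para ello, 
	ejecutaremos: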
	\endPar{}\endNode{}\Node%
{\def\Element%
{37}}\Par%
{\def\fSize%
{9\p@}\def\LineSpacing%
{11.7\p@}\def\LineSpacingFactor%
{0}\def\StartIndent%
{48\p@}\def\StartIndentFactor%
{0}\def\fFamName{Courier-New}\def\fWeight%
{medium}\def\fPosture%
{upright}\def\FirstLineStartIndent%
{0\p@}\def\FirstLineStartIndentFactor%
{0}\def\Lines%
{asis}\def\InputWhitespaceTreatment%
{preserve}\def\sbNom%
{10\p@}\def\sbMin%
{10\p@}\def\sbMax%
{10\p@}\def\sbConditional%
{1}\def\saNom%
{10\p@}\def\saMin%
{10\p@}\def\saMax%
{10\p@}\def\saConditional%
{1}}\Node%
{\def\Element%
{38}}\Seq%
{\def\fFamName{Courier-New}\def\fSize%
{8.1\p@}}\# \endSeq{}\endNode{}\Node%
{\def\Element%
{39}}\Seq%
{\def\fFamName{Courier-New}\def\fWeight%
{bold}}update-\/rc.d rc\char95{}firewall defaults\endSeq{}\endNode{}\endPar{}\endNode{}\Node%
{\def\Element%
{40}}\Par%
{\def\FirstLineStartIndent%
{0\p@}\def\FirstLineStartIndentFactor%
{0}\def\Quadding%
{start}\def\Hyphenate%
{0}\def\Language%
{ES}\def\sbNom%
{5\p@}\def\sbMin%
{5\p@}\def\sbMax%
{5\p@}\def\sbConditional%
{1}\def\saNom%
{5\p@}\def\saMin%
{5\p@}\def\saMax%
{5\p@}\def\saConditional%
{1}}
      Una vez finalizado el proceso, podremos proceder a la configuración 
      de los parámetros.
      \endPar{}\endNode{}\Node%
{\def\Element%
{41}}\DisplayGroup%
{\def\StartIndent%
{68\p@}\def\StartIndentFactor%
{0}\def\fSize%
{9\p@}\def\fWeight%
{medium}\def\fPosture%
{upright}\def\fFamName{Arial}\def\LineSpacing%
{11.7\p@}\def\LineSpacingFactor%
{0}\def\sbNom%
{10\p@}\def\sbMin%
{10\p@}\def\sbMax%
{10\p@}\def\sbConditional%
{1}\def\saNom%
{10\p@}\def\saMin%
{10\p@}\def\saMax%
{10\p@}\def\saConditional%
{1}}Si no añadimos el cortafuegos a los scripts de arranque, deberemos 
      ejecutarlo manualmente cada vez que inicie el ordenador.
      \endDisplayGroup{}\endNode{}\Node%
{\def\Element%
{42}}\DisplayGroup%
{\def\StartIndent%
{68\p@}\def\StartIndentFactor%
{0}\def\fSize%
{9\p@}\def\fWeight%
{medium}\def\fPosture%
{upright}\def\fFamName{Arial}\def\LineSpacing%
{11.7\p@}\def\LineSpacingFactor%
{0}\def\sbNom%
{10\p@}\def\sbMin%
{10\p@}\def\sbMax%
{10\p@}\def\sbConditional%
{1}\def\saNom%
{10\p@}\def\saMin%
{10\p@}\def\saMax%
{10\p@}\def\saConditional%
{1}}En vez de descargar el cortafuegos de la página web (o si ésta no se 
	encuentra disponible en esos momentos), se puede copiar el 
	código de la \Node%
{\def\Element%
{43}}\Link%
{\def\Label%
{codigo}}\Seq%
{}la sección de nombre \Seq%
{\def\fPosture%
{italic}}\Node%
{\def\Element%
{71}\def\ProcessingMode%
{title-sosofo-mode}}Firewall\endNode{}\endSeq{}\endSeq{}\endLink{}\endNode{} en un archivo con el mismo nombre 
	y realizar el proceso con dicho archivo.
	\endDisplayGroup{}\endNode{}\endSeq{}\endDisplayGroup{}\endNode{}\Node%
{\def\Label%
{configuracion}}\DisplayGroup%
{\def\StartIndent%
{48\p@}\def\StartIndentFactor%
{0}\def\sbNom%
{10\p@}\def\sbMin%
{10\p@}\def\sbMax%
{10\p@}\def\sbConditional%
{1}\def\saNom%
{10\p@}\def\saMin%
{10\p@}\def\saMax%
{10\p@}\def\saConditional%
{1}}\Seq%
{}\Seq%
{}\Par%
{\def\fFamName{Arial}\def\fWeight%
{bold}\def\fPosture%
{upright}\def\fSize%
{14.4\p@}\def\LineSpacing%
{18.72\p@}\def\LineSpacingFactor%
{0}\def\StartIndent%
{0\p@}\def\StartIndentFactor%
{0}\def\FirstLineStartIndent%
{0\p@}\def\FirstLineStartIndentFactor%
{0}\def\Quadding%
{start}\def\HeadingLevel%
{2}\def\sbNom%
{10.8\p@}\def\sbMin%
{10.8\p@}\def\sbMax%
{10.8\p@}\def\sbConditional%
{1}\def\saNom%
{7.2\p@}\def\saMin%
{7.2\p@}\def\saMax%
{7.2\p@}\def\saConditional%
{1}\def\KeepWithNext%
{1}}\Node%
{\def\Element%
{45}\def\ProcessingMode%
{title-sosofo-mode}}Configuración\endNode{}\endPar{}\endSeq{}\Node%
{\def\Element%
{45}}\endNode{}\Node%
{\def\Element%
{46}}\Par%
{\def\FirstLineStartIndent%
{0\p@}\def\FirstLineStartIndentFactor%
{0}\def\Quadding%
{start}\def\Hyphenate%
{0}\def\Language%
{ES}\def\sbNom%
{5\p@}\def\sbMin%
{5\p@}\def\sbMax%
{5\p@}\def\sbConditional%
{1}\def\saNom%
{5\p@}\def\saMin%
{5\p@}\def\saMax%
{5\p@}\def\saConditional%
{1}}
	La configuración del cortafuegos se realiza mediante la edición 
	del archivo /etc/init.d/rc\char95{}firewall.
	\endPar{}\endNode{}\Node%
{\def\Element%
{47}}\Par%
{\def\FirstLineStartIndent%
{0\p@}\def\FirstLineStartIndentFactor%
{0}\def\Quadding%
{start}\def\Hyphenate%
{0}\def\Language%
{ES}\def\sbNom%
{5\p@}\def\sbMin%
{5\p@}\def\sbMax%
{5\p@}\def\sbConditional%
{1}\def\saNom%
{5\p@}\def\saMin%
{5\p@}\def\saMax%
{5\p@}\def\saConditional%
{1}}
	A continuación, veremos las variables más importantes que 
	debemos tener en cuenta para una correcta configuración y 
	funcionamiento del cortafuegos:
	\endPar{}\endNode{}\Node%
{\def\Label%
{configuracion_basica}}\DisplayGroup%
{\def\StartIndent%
{48\p@}\def\StartIndentFactor%
{0}\def\sbNom%
{10\p@}\def\sbMin%
{10\p@}\def\sbMax%
{10\p@}\def\sbConditional%
{1}\def\saNom%
{10\p@}\def\saMin%
{10\p@}\def\saMax%
{10\p@}\def\saConditional%
{1}}\Seq%
{}\Seq%
{}\Par%
{\def\fFamName{Arial}\def\fWeight%
{bold}\def\fPosture%
{upright}\def\fSize%
{12\p@}\def\LineSpacing%
{15.6\p@}\def\LineSpacingFactor%
{0}\def\StartIndent%
{48\p@}\def\StartIndentFactor%
{0}\def\FirstLineStartIndent%
{0\p@}\def\FirstLineStartIndentFactor%
{0}\def\Quadding%
{start}\def\HeadingLevel%
{3}\def\sbNom%
{9\p@}\def\sbMin%
{9\p@}\def\sbMax%
{9\p@}\def\sbConditional%
{1}\def\saNom%
{6\p@}\def\saMin%
{6\p@}\def\saMax%
{6\p@}\def\saConditional%
{1}\def\KeepWithNext%
{1}}\Node%
{\def\Element%
{49}\def\ProcessingMode%
{title-sosofo-mode}}Configuración básica\endNode{}\endPar{}\endSeq{}\Node%
{\def\Element%
{49}}\endNode{}\Node%
{\def\Element%
{50}}\Par%
{\def\FirstLineStartIndent%
{0\p@}\def\FirstLineStartIndentFactor%
{0}\def\Quadding%
{start}\def\Hyphenate%
{0}\def\Language%
{ES}\def\sbNom%
{5\p@}\def\sbMin%
{5\p@}\def\sbMax%
{5\p@}\def\sbConditional%
{1}\def\saNom%
{5\p@}\def\saMin%
{5\p@}\def\saMax%
{5\p@}\def\saConditional%
{1}}
	El rango de IP en el que están los ordenadores 
	de nuestra red:
	\endPar{}\endNode{}\Node%
{\def\Element%
{51}}\Par%
{\def\fSize%
{9\p@}\def\LineSpacing%
{11.7\p@}\def\LineSpacingFactor%
{0}\def\StartIndent%
{48\p@}\def\StartIndentFactor%
{0}\def\fFamName{Courier-New}\def\fWeight%
{medium}\def\fPosture%
{upright}\def\FirstLineStartIndent%
{0\p@}\def\FirstLineStartIndentFactor%
{0}\def\Lines%
{asis}\def\InputWhitespaceTreatment%
{preserve}\def\sbNom%
{10\p@}\def\sbMin%
{10\p@}\def\sbMax%
{10\p@}\def\sbConditional%
{1}\def\saNom%
{10\p@}\def\saMin%
{10\p@}\def\saMax%
{10\p@}\def\saConditional%
{1}}
RANGO\char95{}IP\char95{}LAN\char95{}CLIENTES="192.168.2.0/24"\endPar{}\endNode{}\Node%
{\def\Element%
{52}}\Par%
{\def\FirstLineStartIndent%
{0\p@}\def\FirstLineStartIndentFactor%
{0}\def\Quadding%
{start}\def\Hyphenate%
{0}\def\Language%
{ES}\def\sbNom%
{5\p@}\def\sbMin%
{5\p@}\def\sbMax%
{5\p@}\def\sbConditional%
{1}\def\saNom%
{5\p@}\def\saMin%
{5\p@}\def\saMax%
{5\p@}\def\saConditional%
{1}}
	Las direcciones de broadcast de la red local y de la IP 
	pública:
	\endPar{}\endNode{}\Node%
{\def\Element%
{53}}\Par%
{\def\fSize%
{9\p@}\def\LineSpacing%
{11.7\p@}\def\LineSpacingFactor%
{0}\def\StartIndent%
{48\p@}\def\StartIndentFactor%
{0}\def\fFamName{Courier-New}\def\fWeight%
{medium}\def\fPosture%
{upright}\def\FirstLineStartIndent%
{0\p@}\def\FirstLineStartIndentFactor%
{0}\def\Lines%
{asis}\def\InputWhitespaceTreatment%
{preserve}\def\sbNom%
{10\p@}\def\sbMin%
{10\p@}\def\sbMax%
{10\p@}\def\sbConditional%
{1}\def\saNom%
{10\p@}\def\saMin%
{10\p@}\def\saMax%
{10\p@}\def\saConditional%
{1}}
DIRECCION\char95{}BCAST\char95{}LAN\char95{}CLIENTES="192.168.2.255/32"
DIRECCION\char95{}BCAST\char95{}INET="193.146.99.255/32"\endPar{}\endNode{}\Node%
{\def\Element%
{54}}\Par%
{\def\FirstLineStartIndent%
{0\p@}\def\FirstLineStartIndentFactor%
{0}\def\Quadding%
{start}\def\Hyphenate%
{0}\def\Language%
{ES}\def\sbNom%
{5\p@}\def\sbMin%
{5\p@}\def\sbMax%
{5\p@}\def\sbConditional%
{1}\def\saNom%
{5\p@}\def\saMin%
{5\p@}\def\saMax%
{5\p@}\def\saConditional%
{1}}
	El nombre de la tarjeta de red conectada a internet:
	\endPar{}\endNode{}\Node%
{\def\Element%
{55}}\Par%
{\def\fSize%
{9\p@}\def\LineSpacing%
{11.7\p@}\def\LineSpacingFactor%
{0}\def\StartIndent%
{48\p@}\def\StartIndentFactor%
{0}\def\fFamName{Courier-New}\def\fWeight%
{medium}\def\fPosture%
{upright}\def\FirstLineStartIndent%
{0\p@}\def\FirstLineStartIndentFactor%
{0}\def\Lines%
{asis}\def\InputWhitespaceTreatment%
{preserve}\def\sbNom%
{10\p@}\def\sbMin%
{10\p@}\def\sbMax%
{10\p@}\def\sbConditional%
{1}\def\saNom%
{10\p@}\def\saMin%
{10\p@}\def\saMax%
{10\p@}\def\saConditional%
{1}}
IFACE\char95{}INET="eth0"\endPar{}\endNode{}\Node%
{\def\Element%
{56}}\Par%
{\def\FirstLineStartIndent%
{0\p@}\def\FirstLineStartIndentFactor%
{0}\def\Quadding%
{start}\def\Hyphenate%
{0}\def\Language%
{ES}\def\sbNom%
{5\p@}\def\sbMin%
{5\p@}\def\sbMax%
{5\p@}\def\sbConditional%
{1}\def\saNom%
{5\p@}\def\saMin%
{5\p@}\def\saMax%
{5\p@}\def\saConditional%
{1}}
	El nombre de la tarjeta de red conectada a la red local:
	\endPar{}\endNode{}\Node%
{\def\Element%
{57}}\Par%
{\def\fSize%
{9\p@}\def\LineSpacing%
{11.7\p@}\def\LineSpacingFactor%
{0}\def\StartIndent%
{48\p@}\def\StartIndentFactor%
{0}\def\fFamName{Courier-New}\def\fWeight%
{medium}\def\fPosture%
{upright}\def\FirstLineStartIndent%
{0\p@}\def\FirstLineStartIndentFactor%
{0}\def\Lines%
{asis}\def\InputWhitespaceTreatment%
{preserve}\def\sbNom%
{10\p@}\def\sbMin%
{10\p@}\def\sbMax%
{10\p@}\def\sbConditional%
{1}\def\saNom%
{10\p@}\def\saMin%
{10\p@}\def\saMax%
{10\p@}\def\saConditional%
{1}}
IFACE\char95{}LAN\char95{}CLIENTES="eth1"\endPar{}\endNode{}\Node%
{\def\Element%
{58}}\Par%
{\def\FirstLineStartIndent%
{0\p@}\def\FirstLineStartIndentFactor%
{0}\def\Quadding%
{start}\def\Hyphenate%
{0}\def\Language%
{ES}\def\sbNom%
{5\p@}\def\sbMin%
{5\p@}\def\sbMax%
{5\p@}\def\sbConditional%
{1}\def\saNom%
{5\p@}\def\saMin%
{5\p@}\def\saMax%
{5\p@}\def\saConditional%
{1}}
	Necesitamos indicar que el cortafuegos hará de router:
	\endPar{}\endNode{}\Node%
{\def\Element%
{59}}\Par%
{\def\fSize%
{9\p@}\def\LineSpacing%
{11.7\p@}\def\LineSpacingFactor%
{0}\def\StartIndent%
{48\p@}\def\StartIndentFactor%
{0}\def\fFamName{Courier-New}\def\fWeight%
{medium}\def\fPosture%
{upright}\def\FirstLineStartIndent%
{0\p@}\def\FirstLineStartIndentFactor%
{0}\def\Lines%
{asis}\def\InputWhitespaceTreatment%
{preserve}\def\sbNom%
{10\p@}\def\sbMin%
{10\p@}\def\sbMax%
{10\p@}\def\sbConditional%
{1}\def\saNom%
{10\p@}\def\saMin%
{10\p@}\def\saMax%
{10\p@}\def\saConditional%
{1}}
ROUTER="yes"\endPar{}\endNode{}\Node%
{\def\Element%
{60}}\Par%
{\def\FirstLineStartIndent%
{0\p@}\def\FirstLineStartIndentFactor%
{0}\def\Quadding%
{start}\def\Hyphenate%
{0}\def\Language%
{ES}\def\sbNom%
{5\p@}\def\sbMin%
{5\p@}\def\sbMax%
{5\p@}\def\sbConditional%
{1}\def\saNom%
{5\p@}\def\saMin%
{5\p@}\def\saMax%
{5\p@}\def\saConditional%
{1}}
	La dirección IP pública:
	\endPar{}\endNode{}\Node%
{\def\Element%
{61}}\Par%
{\def\fSize%
{9\p@}\def\LineSpacing%
{11.7\p@}\def\LineSpacingFactor%
{0}\def\StartIndent%
{48\p@}\def\StartIndentFactor%
{0}\def\fFamName{Courier-New}\def\fWeight%
{medium}\def\fPosture%
{upright}\def\FirstLineStartIndent%
{0\p@}\def\FirstLineStartIndentFactor%
{0}\def\Lines%
{asis}\def\InputWhitespaceTreatment%
{preserve}\def\sbNom%
{10\p@}\def\sbMin%
{10\p@}\def\sbMax%
{10\p@}\def\sbConditional%
{1}\def\saNom%
{10\p@}\def\saMin%
{10\p@}\def\saMax%
{10\p@}\def\saConditional%
{1}}
NAT="193.146.99.249"\endPar{}\endNode{}\Node%
{\def\Element%
{62}}\Par%
{\def\FirstLineStartIndent%
{0\p@}\def\FirstLineStartIndentFactor%
{0}\def\Quadding%
{start}\def\Hyphenate%
{0}\def\Language%
{ES}\def\sbNom%
{5\p@}\def\sbMin%
{5\p@}\def\sbMax%
{5\p@}\def\sbConditional%
{1}\def\saNom%
{5\p@}\def\saMin%
{5\p@}\def\saMax%
{5\p@}\def\saConditional%
{1}}
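	También debemos indicar qué servicios queremos que sean 
	accesibles desde el exterior. Conviene incluir únicamente los 
	servicios que realmente deban ser públicos, ya que cada puerto 
	de la lista queda expuesto a Internet. Podemos indicar el nombre 
	o el número de puerto correspondiente: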
	\endPar{}\endNode{}\Node%
{\def\Element%
{63}}\Par%
{\def\fSize%
{9\p@}\def\LineSpacing%
{11.7\p@}\def\LineSpacingFactor%
{0}\def\StartIndent%
{48\p@}\def\StartIndentFactor%
{0}\def\fFamName{Courier-New}\def\fWeight%
{medium}\def\fPosture%
{upright}\def\FirstLineStartIndent%
{0\p@}\def\FirstLineStartIndentFactor%
{0}\def\Lines%
{asis}\def\InputWhitespaceTreatment%
{preserve}\def\sbNom%
{10\p@}\def\sbMin%
{10\p@}\def\sbMax%
{10\p@}\def\sbConditional%
{1}\def\saNom%
{10\p@}\def\saMin%
{10\p@}\def\saMax%
{10\p@}\def\saConditional%
{1}}
SERVICES\char95{}TCP="ftp ssh 110 http 443 3128 2401 9999 143"\endPar{}\endNode{}\endSeq{}\endDisplayGroup{}\endNode{}\Node%
{\def\Label%
{configuracion_avanzada}}\DisplayGroup%
{\def\StartIndent%
{48\p@}\def\StartIndentFactor%
{0}\def\sbNom%
{10\p@}\def\sbMin%
{10\p@}\def\sbMax%
{10\p@}\def\sbConditional%
{1}\def\saNom%
{10\p@}\def\saMin%
{10\p@}\def\saMax%
{10\p@}\def\saConditional%
{1}}\Seq%
{}\Seq%
{}\Par%
{\def\fFamName{Arial}\def\fWeight%
{bold}\def\fPosture%
{upright}\def\fSize%
{12\p@}\def\LineSpacing%
{15.6\p@}\def\LineSpacingFactor%
{0}\def\StartIndent%
{48\p@}\def\StartIndentFactor%
{0}\def\FirstLineStartIndent%
{0\p@}\def\FirstLineStartIndentFactor%
{0}\def\Quadding%
{start}\def\HeadingLevel%
{3}\def\sbNom%
{9\p@}\def\sbMin%
{9\p@}\def\sbMax%
{9\p@}\def\sbConditional%
{1}\def\saNom%
{6\p@}\def\saMin%
{6\p@}\def\saMax%
{6\p@}\def\saConditional%
{1}\def\KeepWithNext%
{1}}\Node%
{\def\Element%
{65}\def\ProcessingMode%
{title-sosofo-mode}}Configuración avanzada\endNode{}\endPar{}\endSeq{}\Node%
{\def\Element%
{65}}\endNode{}\Node%
{\def\Element%
{66}}\Par%
{\def\FirstLineStartIndent%
{0\p@}\def\FirstLineStartIndentFactor%
{0}\def\Quadding%
{start}\def\Hyphenate%
{0}\def\Language%
{ES}\def\sbNom%
{5\p@}\def\sbMin%
{5\p@}\def\sbMax%
{5\p@}\def\sbConditional%
{1}\def\saNom%
{5\p@}\def\saMin%
{5\p@}\def\saMax%
{5\p@}\def\saConditional%
{1}}
	El desarrollo del cortafuegos ha estado fuertemente condicionado por las 
	características concretas (filtrados y redirecciones de puertos muy 
	específicas) de las redes en las que iba a funcionar, con lo que no es 
	adaptable trivialmente a otras situaciones distintas. En esos casos, es 
	necesaria una modificación más avanzada del código, que, debido a la 
	orientación de esta guía, no se tratará.
	\endPar{}\endNode{}\Node%
{\def\Element%
{67}}\Par%
{\def\FirstLineStartIndent%
{0\p@}\def\FirstLineStartIndentFactor%
{0}\def\Quadding%
{start}\def\Hyphenate%
{0}\def\Language%
{ES}\def\sbNom%
{5\p@}\def\sbMin%
{5\p@}\def\sbMax%
{5\p@}\def\sbConditional%
{1}\def\saNom%
{5\p@}\def\saMin%
{5\p@}\def\saMax%
{5\p@}\def\saConditional%
{1}}
	Para dichas situaciones, se recomienda la lectura de la información 
	indicada en la \Node%
{\def\Element%
{68}}\Link%
{\def\Label%
{mas_informacion}}\Seq%
{}la sección de nombre \Seq%
{\def\fPosture%
{italic}}\Node%
{\def\Element%
{90}\def\ProcessingMode%
{title-sosofo-mode}}Más información\endNode{}\endSeq{}\endSeq{}\endLink{}\endNode{} antes de 
	hacer las adaptaciones necesarias al código expuesto en la \Node%
{\def\Element%
{69}}\Link%
{\def\Label%
{codigo}}\Seq%
{}la sección de nombre \Seq%
{\def\fPosture%
{italic}}\Node%
{\def\Element%
{71}\def\ProcessingMode%
{title-sosofo-mode}}Firewall\endNode{}\endSeq{}\endSeq{}\endLink{}\endNode{}.
	\endPar{}\endNode{}\endSeq{}\endDisplayGroup{}\endNode{}\endSeq{}\endDisplayGroup{}\endNode{}\Node%
{\def\Label%
{codigo}}\DisplayGroup%
{\def\StartIndent%
{48\p@}\def\StartIndentFactor%
{0}\def\sbNom%
{10\p@}\def\sbMin%
{10\p@}\def\sbMax%
{10\p@}\def\sbConditional%
{1}\def\saNom%
{10\p@}\def\saMin%
{10\p@}\def\saMax%
{10\p@}\def\saConditional%
{1}}\Seq%
{}\Seq%
{}\Par%
{\def\fFamName{Arial}\def\fWeight%
{bold}\def\fPosture%
{upright}\def\fSize%
{14.4\p@}\def\LineSpacing%
{18.72\p@}\def\LineSpacingFactor%
{0}\def\StartIndent%
{0\p@}\def\StartIndentFactor%
{0}\def\FirstLineStartIndent%
{0\p@}\def\FirstLineStartIndentFactor%
{0}\def\Quadding%
{start}\def\HeadingLevel%
{2}\def\sbNom%
{10.8\p@}\def\sbMin%
{10.8\p@}\def\sbMax%
{10.8\p@}\def\sbConditional%
{1}\def\saNom%
{7.2\p@}\def\saMin%
{7.2\p@}\def\saMax%
{7.2\p@}\def\saConditional%
{1}\def\KeepWithNext%
{1}}\Node%
{\def\Element%
{71}\def\ProcessingMode%
{title-sosofo-mode}}Firewall\endNode{}\endPar{}\endSeq{}\Node%
{\def\Element%
{71}}\endNode{}\Node%
{\def\Element%
{72}}\Par%
{\def\FirstLineStartIndent%
{0\p@}\def\FirstLineStartIndentFactor%
{0}\def\Quadding%
{start}\def\Hyphenate%
{0}\def\Language%
{ES}\def\sbNom%
{5\p@}\def\sbMin%
{5\p@}\def\sbMax%
{5\p@}\def\sbConditional%
{1}\def\saNom%
{5\p@}\def\saMin%
{5\p@}\def\saMax%
{5\p@}\def\saConditional%
{1}}
	Este es el fichero completo del cortafuegos. Se han respetado los 
	comentarios originales para tener una mejor comprensión del 
	significado de algunas variables y reglas:
	\endPar{}\endNode{}\Node%
{\def\Element%
{73}}\Par%
{\def\fSize%
{9\p@}\def\LineSpacing%
{11.7\p@}\def\LineSpacingFactor%
{0}\def\StartIndent%
{48\p@}\def\StartIndentFactor%
{0}\def\fFamName{Courier-New}\def\fWeight%
{medium}\def\fPosture%
{upright}\def\FirstLineStartIndent%
{0\p@}\def\FirstLineStartIndentFactor%
{0}\def\Lines%
{asis}\def\InputWhitespaceTreatment%
{preserve}\def\sbNom%
{10\p@}\def\sbMin%
{10\p@}\def\sbMax%
{10\p@}\def\sbConditional%
{1}\def\saNom%
{10\p@}\def\saMin%
{10\p@}\def\saMax%
{10\p@}\def\saConditional%
{1}}
\#!/bin/sh
\#
\# rc.firewall -\/ Script de inicio para el cortafuegos incluído
\#               en el núcleo Linux 2.4.x
\#
\# Todas las líneas que comiencen con \# son comentarios y no
\# se tendrán en cuenta.
\#
\# Este script está basado en los scripts incluídos en los
\# tutoriales de:
\#
\#  -\/ Oskar Andreasson  <\/blueflux@koffein.net>\/ 
\#
\#       (http://people.unix-\/fu.org/andreasson/),
\#
\#  -\/ Daniel Robbins <\/drobbins@gentoo.org>\/
\#
\#       (http://ibm.com/develworks)
\#
\# El presente script ha sido readaptado por:
\#
\#  -\/ Sergio González González <\/sergio.gonzalez@hispalinux.es>\/
\#  -\/ Luis Llorente Campo <\/luis.llorente@hispalinux.es>\/
\#
\#
\# Este script es software libre; lo puedes redistribuir y/o
\# modificar bajo los términos de la Licencia Pública General GNU.
\# (http://www.gnu.org)
\#
\# This script is free software; you can redistribute it and/or
\# modify it under the terms of the GNU General Public License.
\# (http://www.gnu.org)
\#
\#
\#                    \#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#
\#                    \# Comienzo del script \#
\#                    \#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#
\#


\#\#
\# reset\char95{}and\char95{}flush: return iptables to a permissive, empty state.
\#
\# Sets the built-\/in chain policies of the filter, nat and mangle tables to
\# ACCEPT, flushes every rule in those tables and deletes the user-\/defined
\# chains. Takes no arguments. It assigns IPTABLES=/sbin/iptables itself, so it
\# does not rely on the variables defined in the "start" branch.
\#
\# NOTE(review): once this function returns, the filter table accepts
\# everything. The "start" branch calls it before it sets the INPUT and OUTPUT
\# policies to DROP, so during start-\/up there is a short interval in which
\# nothing is filtered.
\#

reset\char95{}and\char95{}flush ()
\{

    echo -\/en "\char92{}033[47m\char92{}033[34m                                                                       \char92{}033[0m\char92{}n"
    echo -\/en "\char92{}033[47m\char92{}033[34m   * Limpiando Iptables...                                    \char92{}033[0m"
    
    IPTABLES=/sbin/iptables
    
    \# Reset the default policy of the filter table.

      \$\{IPTABLES\} -\/P INPUT ACCEPT
      \$\{IPTABLES\} -\/P FORWARD ACCEPT
      \$\{IPTABLES\} -\/P OUTPUT ACCEPT

    \# Reset the default policy of the nat table.

      \$\{IPTABLES\} -\/t nat -\/P PREROUTING ACCEPT
      \$\{IPTABLES\} -\/t nat -\/P POSTROUTING ACCEPT
      \$\{IPTABLES\} -\/t nat -\/P OUTPUT ACCEPT
    
    \# Reset the default policy of the mangle table.

      \$\{IPTABLES\} -\/t mangle -\/P PREROUTING ACCEPT
      \$\{IPTABLES\} -\/t mangle -\/P OUTPUT ACCEPT

    \# Flush every existing rule in the filter, nat and mangle tables.

      \$\{IPTABLES\} -\/F
      \$\{IPTABLES\} -\/t nat -\/F
      \$\{IPTABLES\} -\/t mangle -\/F
      
    \# Delete every chain that is not built in from the filter, nat and
    \# mangle tables.

      \$\{IPTABLES\} -\/X
      \$\{IPTABLES\} -\/t nat -\/X
      \$\{IPTABLES\} -\/t mangle -\/X

    echo -\/en "\char92{}033[47m\char92{}033[1;32m[done]   \char92{}033[0m\char92{}n"
\}




\#\#
\# Analizamos el parámetro pasado. Los posibles valores son:
\#
\#  -\/ start -\/>\/ Activamos las reglas del cortafuegos listadas
\#             en este script.
\#
\#  -\/ stop  -\/>\/ Eliminamos todas las reglas del cortafuegos,
\#             dejando la política por defecto del mismo en
\#             "allow".
\#
\#  -\/ Si no se han pasado argumentos, se informa del uso del script.
\#


case "\$1" in


\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#
\# SIN ARGUMENTOS
\#
\# No se han pasado argumentos...

 "") echo -\/en "Uso: rc\char95{}firewall \{start|stop\}\char92{}n"

    ;; \# Fin de ""


\#\#\#\#\#\#\#\#
\# START
\#
\# Se ha pasado el argumento "start"

 "start")


    \#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#
    \# Datos relativos a la red en la que nos encontramos: \#
    \#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#


    \#\#
    \#    -\/ RANGO\char95{}IP\char95{}LAN -\/>\/ Muestra la red local
    \#      (/24 significa que sólo usaremos los 24 primeros bits de
    \#       los 32 bits que forman una dirección IP. Es lo mismo que
    \#       la máscara de subred 255.255.255.0).
    \#

      RANGO\char95{}IP\char95{}LAN\char95{}CLIENTES="192.168.2.0/24"
      RANGO\char95{}IP\char95{}LAN\char95{}DMZ="192.168.3.0/24"
      RANGO\char95{}IP\char95{}LAN\char95{}PROYECTOS="192.168.4.0/24"

    \#\#
    \#    -\/ IP\char95{}LOCALHOST -\/>\/ Dirección IP del localhost.
    \#

      IP\char95{}LOCALHOST="127.0.0.1/32"


    \#\#
    \#    -\/ IP\char95{}LAN  -\/>\/ Indica cual es la IP del localhost en la red
    \#                 local.

      IP\char95{}LAN\char95{}CLIENTES="192.168.2.1/32"
      IP\char95{}LAN\char95{}DMZ="192.168.3.1/32"
      IP\char95{}LAN\char95{}PROYECTOS="192.168.4.1/32"

    \#\#
    \#    -\/ IP\char95{}INET -\/>\/ Informa de la IP externa que posee el "cortafuegos"
    \#                 (en caso de ser fija). El uso de esta variable puede
    \#                 ser un riesgo de seguridad, pero algunas veces es lo
    \#                 que quiero. Si no tienes una IP estática, te sugiero
    \#                 que no uses esta opción.

      IP\char95{}INET="193.146.99.249/32"


    \#\#
    \#    -\/ IP\char95{}DINAMICA -\/>\/ Si poseemos una IP asignada dinámicamente, puedes
    \#                     descomentar la siguiente línea, y se encargará
    \#                     de obtener la IP.

    \#  IP\char95{}DINAMICA=`/sbin/ifconfig eth1 | grep 'inet addr' | awk '\{print \$2\}' | awk -\/F: '\{print \$2\}'`


    \#\#
    \#    -\/ DIRECCION\char95{}BCAST\char95{}LAN -\/>\/ Contiene la dirección broadcast de
    \#                             la red local.
    \#

      DIRECCION\char95{}BCAST\char95{}LAN\char95{}CLIENTES="192.168.2.255/32"
      DIRECCION\char95{}BCAST\char95{}LAN\char95{}DMZ="192.168.3.255/32"
      DIRECCION\char95{}BCAST\char95{}LAN\char95{}PROYECTOS="192.168.4.255/32"
      DIRECCION\char95{}BCAST\char95{}INET="193.146.99.255/32"

    \#\#
    \#    -\/ IFACE\char95{}INET -\/>\/ informa de la tarjeta de red conectada a internet.

      IFACE\char95{}INET="eth0"


    \#\#
    \#    -\/ IFACE\char95{}LAN -\/>\/ Informa de la tarjeta de red conectada a la red local.

      IFACE\char95{}LAN\char95{}CLIENTES="eth1"
      IFACE\char95{}LAN\char95{}DMZ="eth3"
      IFACE\char95{}LAN\char95{}PROYECTOS="eth2"

    \#\#
    \#    -\/ IFACE\char95{}LO  -\/>\/ Informa del interface localhost

      IFACE\char95{}LO="lo"

    \#\#
    \#    -\/ IPTABLES -\/>\/ Indica la ruta en la que podemos encontrar el programa
    \#                  iptables.

      IPTABLES="/sbin/iptables"


    \#\#
    \#    -\/ ROUTER -\/>\/ Si necesitas actuar como un router (y así poder pasar
    \#                paquetes IP entre dos tarjetas de red), necesitas
    \#                la asignación ROUTER="yes"; Si este no es tu caso, has de
    \#                poner ROUTER="no"
    \#

      ROUTER="yes"


    \#\#
    \# Cambia la siguiente línea por la dirección, direcciones o rango de direcciones
    \# IPs estáticas que poseas para hacer SNAT estático. Si tienes una IP dinámica,
    \# establece el valor "dynamic". Si no necesitas ningún tipo de NAT
    \# (Network Address Translation), establece NAT como "" para desactivarla.
    \#

      NAT="193.146.99.249"

    \#\#
    \# Cambia la siguiente línea de forma que liste todas las interfaces de red que tienes,
    \# incluyendo lo.

      INTERFACES="lo eth0 eth1 eth2 eth3"


    \#\#
    \# Cambia la siguiente línea de forma que liste los números asignados o los nombres
    \# simbólicos (de /etc/services) de todos los servicios que quieras dar al público
    \# en general. Si no quieres dar ningún servicio, establece el valor como "".
    \#
    \#   SERVICES\char95{}TCP -\/>\/ Servicios que se van a dar por los puertos tcp.
    \#
    \#   SERVICES\char95{}UDP -\/>\/ Servicios que se van a dar por los puertos udp.
    \#
    \#   SERVICES\char95{}ICMP -\/>\/ Tipos de mensaje ICMP que se van a aceptar (ICMP no usa puertos).
    \#

      \#\#
      \# TCP:
      \#      
      \#      ftp-\/data    -\/>\/ 20
      \#      ftp         -\/>\/ 21
      \#      ssh         -\/>\/ 22
      \#      http        -\/>\/ 80
      \#      auth        -\/>\/ 113
      \#      netbios-\/ns  -\/>\/ 137
      \#      netbios-\/dgm -\/>\/ 138
      \#      netbios-\/ssn -\/>\/ 139
      \#      cvspserver  -\/>\/ 2401
      \#
      \# UDP:
      \#      
      \#      domain      -\/>\/ 53
      \#      netbios-\/ns  -\/>\/ 137
      \#      netbios-\/dgm -\/>\/ 138
      \#      netbios-\/ssn -\/>\/ 139
      \#      icpv2       -\/>\/ 3130
      \#
      \# ICMP:
      \#
      \#      Echo Reply              -\/>\/ 0
      \#      Destination Unreachable -\/>\/ 3
      \#      Redirect                -\/>\/ 5
      \#      Echo Request            -\/>\/ 8
      \#      Time Exceeded           -\/>\/ 11
      \#
      \# (Para más información sobre ICMP mirar:
      \#  http://www.ee.siue.edu/\char126{}rwalden/networking/icmp.html
      \#  ftp://sunsite.unc.edu/pub/docs/rfc/rfc792.txt)
      \#
      
      
        SERVICES\char95{}TCP="ftp ssh 110 http 443 3128 2401 9999 143"
        SERVICES\char95{}ICMP="0 3 5 8 11"

    \#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#
    \# Carga de módulos \#
    \#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#


      echo -\/en "\char92{}n"
      echo -\/en "\char92{}033[47m\char92{}033[31m                                                                       \char92{}033[0m\char92{}n"
      echo -\/en "\char92{}033[47m\char92{}033[31m                     Configurando el cortafuegos                       \char92{}033[0m\char92{}n"
      echo -\/en "\char92{}033[47m\char92{}033[31m                                                                       \char92{}033[0m\char92{}n"
      echo -\/en "\char92{}033[47m\char92{}033[31m                                                                       \char92{}033[0m\char92{}n"

    \#\#
    \# Cargamos todos los módulos necesarios de IPTables.
    \#
    \# La siguiente línea es necesaria para inicializar la
    \# carga de módulos.

      echo -\/en "\char92{}033[47m\char92{}033[31m                                                                       \char92{}033[0m\char92{}n"
      echo -\/en "\char92{}033[47m\char92{}033[34m   * Cargando los modulos...                                  \char92{}033[0m"

      /sbin/depmod -\/a

    \#\#
    \# Adds some iptables targets like LOG, REJECT and MASQUERADE.
    \# /sbin/modprobe ipt\char95{}LOG
    \# /sbin/modprobe ipt\char95{}REJECT
    \# /sbin/modprobe ipt\char95{}MASQUERADE
    \#
    \# Support for owner matching


      /sbin/modprobe ipt\char95{}owner


    \#\#
    \# Support for connection tracking of FTP and IRC.
    \#

      /sbin/modprobe ip\char95{}conntrack\char95{}ftp
      /sbin/modprobe ip\char95{}nat\char95{}ftp
    \# /sbin/modprobe ip\char95{}conntrack\char95{}irc


      echo -\/en "\char92{}033[47m\char92{}033[1;32m[done]   \char92{}033[0m\char92{}n"



 
    \#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#
    \# Restablecemos el estado por defecto de Iptables \#
    \#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#
      
      reset\char95{}and\char95{}flush



    \#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#
    \# Aplicando distintas protecciones y opciones \#
    \#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#


    \#\#
    \# Route verification is where a packet which comes from an unexpected
    \# interface is dropped: for example, if your internal network has
    \# addresses 10.1.1.0/24, and a packet with that source address comes
    \# in your external interface, it will be dropped
    \#
    \# Protección contra IP spoofing

      echo -\/en "\char92{}033[47m\char92{}033[31m                                                                       \char92{}033[0m\char92{}n"
      echo -\/en "\char92{}033[47m\char92{}033[34m   * Cargando las reglas:                                              \char92{}033[0m\char92{}n"
      echo -\/en "\char92{}033[47m\char92{}033[34m                                                                       \char92{}033[0m\char92{}n"
      echo -\/en "\char92{}033[47m\char92{}033[30m       Desactivando spoofing en todas las interfaces...       \char92{}033[0m"

    \#disable spoofing on all interfaces

      for x in \$\{INTERFACES\}
      do
         echo 1 >\/ /proc/sys/net/ipv4/conf/\$x/rp\char95{}filter
      done

      echo -\/en "\char92{}033[47m\char92{}033[1;32m[done]   \char92{}033[0m\char92{}n"

    \# Deshabilitamos el ECN (explicit congestion notification) si ha sido
    \# compilado en el núcleo.
    \# El porqué de esta acción es que no todas las redes lo soportan
    \# de momento y puede dar problemas de conexión.

      echo -\/en "\char92{}033[47m\char92{}033[30m       Desactivando el ECN...                                 \char92{}033[0m"

      if [ -\/e /proc/sys/net/ipv4/tcp\char95{}ecn ]
      then
          echo 0 >\/ /proc/sys/net/ipv4/tcp\char95{}ecn
      fi

      echo -\/en "\char92{}033[47m\char92{}033[1;32m[done]   \char92{}033[0m\char92{}n"

    \# SYNCOOKIES
 
      echo -\/en "\char92{}033[47m\char92{}033[30m       Activando protección contra syncookie...               \char92{}033[0m"
 
      echo 1 >\/ /proc/sys/net/ipv4/tcp\char95{}syncookies

      echo -\/en "\char92{}033[47m\char92{}033[1;32m[done]   \char92{}033[0m\char92{}n"



    \#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#
    \# Definiendo la política por defecto del cortafuegos \#
    \#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#

    
    \#\#
    \# Cadenas INPUT, OUTPUT y FORDWARD
    \#


      echo -\/en "\char92{}033[47m\char92{}033[34m                                                                       \char92{}033[0m\char92{}n"
      echo -\/en "\char92{}033[47m\char92{}033[34m       -\/ Políticas por defecto para el cortafuegos:                    \char92{}033[0m\char92{}n"
      echo -\/en "\char92{}033[47m\char92{}033[34m                                                                       \char92{}033[0m\char92{}n"
      echo -\/en "\char92{}033[47m\char92{}033[30m            INPUT   -\/>\/ DROP...                                \char92{}033[0m"

      \$IPTABLES -\/P INPUT DROP

      echo -\/en "\char92{}033[47m\char92{}033[1;32m[done]   \char92{}033[0m\char92{}n"
      echo -\/en "\char92{}033[47m\char92{}033[30m            OUTPUT  -\/>\/ DROP...                                \char92{}033[0m"
      
      \$IPTABLES -\/P OUTPUT DROP

      echo -\/en "\char92{}033[47m\char92{}033[1;32m[done]   \char92{}033[0m\char92{}n"
      echo -\/en "\char92{}033[47m\char92{}033[30m            FORWARD -\/>\/ DROP...                                \char92{}033[0m"
      
      \# \$IPTABLES -\/P FORWARD DROP

      echo -\/en "\char92{}033[47m\char92{}033[1;32m[done]   \char92{}033[0m\char92{}n"
      
    \# \$IPTABLES -\/t mangle -\/P PREROUTING DROP
    \# \$IPTABLES -\/t mangle -\/P OUTPUT DROP
    \# \$IPTABLES -\/t nat -\/P PREROUTING DROP
    \# \$IPTABLES -\/t nat -\/P POSTROUTING DROP
    \# \$IPTABLES -\/t nat -\/P OUTPUT DROP


    \#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#
    \# Creando nuevas cadenas en el cortafuegos \#
    \#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#
    
    \#\#
    \# Creamos cadenas separadas para ICMP, TCP y UDP.
    \#

      echo -\/en "\char92{}033[47m\char92{}033[34m                                                                       \char92{}033[0m\char92{}n"
      echo -\/en "\char92{}033[47m\char92{}033[34m       -\/ Creación de nuevas cadenas para el cortafuegos:               \char92{}033[0m\char92{}n"
      echo -\/en "\char92{}033[47m\char92{}033[34m                                                                       \char92{}033[0m\char92{}n"

      echo -\/en "\char92{}033[47m\char92{}033[30m            ICMP    -\/>\/ icmp\char95{}packets...                        \char92{}033[0m"
      
      \$IPTABLES -\/N icmp\char95{}packets

      echo -\/en "\char92{}033[47m\char92{}033[1;32m[done]   \char92{}033[0m\char92{}n"
       
      echo -\/en "\char92{}033[47m\char92{}033[30m            TCP     -\/>\/ tcp\char95{}packets...                         \char92{}033[0m"
      
      \$IPTABLES -\/N tcp\char95{}packets

      echo -\/en "\char92{}033[47m\char92{}033[1;32m[done]   \char92{}033[0m\char92{}n"
       
      echo -\/en "\char92{}033[47m\char92{}033[30m            UDP     -\/>\/ udpincoming\char95{}packets...                 \char92{}033[0m"
      
      \$IPTABLES -\/N udpincoming\char95{}packets

      echo -\/en "\char92{}033[47m\char92{}033[1;32m[done]   \char92{}033[0m\char92{}n"


    \#\#
    \# Cadena allowed
    \#

      echo -\/en "\char92{}033[47m\char92{}033[30m            ALLOWED -\/>\/ allowed...                             \char92{}033[0m"
    
      \$IPTABLES -\/N allowed
      
      echo -\/en "\char92{}033[47m\char92{}033[1;32m[done]   \char92{}033[0m\char92{}n"

     
    \#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#
    \# Definición de las reglas para las distintas cadenas \#
    \#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#
     

    \#\#
    \# Reglas para ALLOWED
    \#

      echo -\/en "\char92{}033[47m\char92{}033[34m                                                                       \char92{}033[0m\char92{}n"
      echo -\/en "\char92{}033[47m\char92{}033[34m       -\/ Definición de reglas para las cadenas:                        \char92{}033[0m\char92{}n"
      echo -\/en "\char92{}033[47m\char92{}033[34m                                                                       \char92{}033[0m\char92{}n"
		  
      echo -\/en "\char92{}033[47m\char92{}033[30m            Definiendo reglas para ALLOWED...                 \char92{}033[0m"
      
      \# Esta cadena será utilizada si alguien intenta conectar con un puerto "allowed"
      \# desde Internet. Si está abriendo una conexión, o si ya tenía una establecida,
      \# ACEPTAREMOS el paquete; si no, lo denegamos. Aquí es donde la correspondencia
      \# de estado entra en juego: permitimos los paquetes cuyas conexiones ya estén
      \# establecidas (ESTABLISHED) y relacionadas (RELATED).
      \#
      
      \$IPTABLES -\/A allowed -\/p TCP -\/-\/syn -\/j ACCEPT
      \$IPTABLES -\/A allowed -\/p TCP -\/m state -\/-\/state ESTABLISHED,RELATED -\/j ACCEPT

      \# Hacemos que nuestro cortafuegos responda a las peticiones en los puertos
      \# TCP y UDP, indicando que no existe ningún servicio disponible en el puerto
      \# solicitado. Con esto evitamos que un atacante sepa que estamos
      \# detrás de un cortafuegos, haciéndole ver que no disponemos de ningún
      \# servicio en nuestro sistema; de esta forma igual se va a por otro
      \# equipo, y deja de molestar ;-\/)

      \#      \$IPTABLES -\/A allowed -\/p TCP -\/i \$IFACE\char95{}INET -\/j REJECT -\/-\/reject-\/with tcp-\/reset

      \# Si la línea anterior no está comentada, esta regla nunca se alcanza,
      \# pero la dejo sin comentar. Lo que hace la siguiente regla es
      \# descartar (sin devolver respuesta) todos los paquetes TCP que le lleguen

      \$IPTABLES -\/A allowed -\/p TCP -\/j DROP

      echo -\/en "\char92{}033[47m\char92{}033[1;32m[done]   \char92{}033[0m\char92{}n"



    \#\#  
    \# Reglas para ICMP
    \#
    \# Se abrirán los servicios listados en SERVICES\char95{}ICMP
    \#

      echo -\/en "\char92{}033[47m\char92{}033[30m            Definiendo reglas para ICMP...                    \char92{}033[0m"

      for x in \$\{SERVICES\char95{}ICMP\}
      do
          \$\{IPTABLES\} -\/A icmp\char95{}packets -\/p ICMP -\/s 0/0 -\/-\/icmp-\/type \$\{x\} -\/j ACCEPT
      done

      echo -\/en "\char92{}033[47m\char92{}033[1;32m[done]   \char92{}033[0m\char92{}n"


      
    \#\#
    \# Reglas para TCP
    \#
    \# Se abrirán los servicios listados en SERVICES\char95{}TCP

      echo -\/en "\char92{}033[47m\char92{}033[30m            Definiendo reglas para TCP...                     \char92{}033[0m"

      \# \$\{IPTABLES\} -\/A INPUT -\/p tcp ! -\/-\/syn -\/m state -\/-\/state NEW -\/j LOG -\/-\/log-\/prefix "New not syn:"
      \# \$\{IPTABLES\} -\/A INPUT -\/p tcp ! -\/-\/syn -\/m state -\/-\/state NEW -\/j DROP

      for x in \$\{SERVICES\char95{}TCP\}
      do
         \$\{IPTABLES\} -\/A tcp\char95{}packets -\/p TCP -\/s 0/0 -\/-\/dport \$\{x\} -\/j ACCEPT 
      done

      
      \#\#
      \# Reject auth
      \#

      \# \$IPTABLES -\/A tcp\char95{}packets -\/p TCP -\/i \$IFACE\char95{}INET -\/-\/dport 113 -\/j REJECT
      
      \#\#
      \# Reject Xms Scans
      \# 
      \#
      \# Generic dirty interface maping

      \# \$IPTABLES -\/A tcp\char95{}packets -\/p TCP -\/-\/tcp-\/flags ALL FIN,URG,PSH -\/j LOG -\/-\/log-\/level DEBUG -\/m limit -\/-\/limit 1/s
      \# \$IPTABLES -\/A tcp\char95{}packets -\/p TCP -\/-\/tcp-\/flags ALL FIN,URG,PSH -\/j DROP

      \#\#
      \# Reject Fin scans
      \#

      \# \$IPTABLES -\/A tcp\char95{}packets -\/p TCP -\/-\/tcp-\/flags ALL FIN -\/m state -\/-\/state ! ESTABLISHED -\/j LOG -\/-\/log-\/level DEBUG -\/m limit -\/-\/limit 1/s
      \# \$IPTABLES -\/A tcp\char95{}packets -\/p TCP -\/-\/tcp-\/flags ALL FIN -\/m state -\/-\/state ! ESTABLISHED -\/j DROP

      \#\#
      \# Reject ANY station that opens and immediately closes a connection
      \# Some portscanners does this
      \#

      \# \$IPTABLES -\/A tcp\char95{}packets -\/p TCP -\/-\/tcp-\/flags ALL SYN,FIN -\/j LOG -\/-\/log-\/level DEBUG -\/m limit -\/-\/limit 1/s
      \# \$IPTABLES -\/A tcp\char95{}packets -\/p TCP -\/-\/tcp-\/flags ALL SYN,FIN -\/j DROP


      echo -\/en "\char92{}033[47m\char92{}033[1;32m[done]   \char92{}033[0m\char92{}n"      



    \#\#
    \# Reglas para UDP
    \#
    
      echo -\/en "\char92{}033[47m\char92{}033[30m            Definiendo reglas para UDP...                     \char92{}033[0m"

      for x in \$\{SERVICES\char95{}UDP\}
      do
           \$IPTABLES -\/A udpincoming\char95{}packets -\/p UDP -\/s 0/0 -\/-\/source-\/port \$\{x\} -\/j ACCEPT
      done


      echo -\/en "\char92{}033[47m\char92{}033[1;32m[done]   \char92{}033[0m\char92{}n"
 


    \#\#
    \# Reglas para FORWARD
    \#

      echo -\/en "\char92{}033[47m\char92{}033[30m            Definiendo reglas para FORWARD...                 \char92{}033[0m"

      \$IPTABLES -\/A FORWARD -\/p tcp ! -\/-\/syn -\/m state -\/-\/state NEW -\/j LOG -\/-\/log-\/prefix "New not syn:"
      \$IPTABLES -\/A FORWARD -\/p tcp ! -\/-\/syn -\/m state -\/-\/state NEW -\/j DROP

      \$IPTABLES -\/A FORWARD -\/i \$IFACE\char95{}LAN\char95{}CLIENTES -\/j ACCEPT
      \$IPTABLES -\/A FORWARD -\/i \$IFACE\char95{}LAN\char95{}PROYECTOS -\/j ACCEPT
     
    
      \# PROYECTOS
      
      \# \$IPTABLES -\/A FORWARD -\/p tcp -\/-\/dport 21  -\/i \$IFACE\char95{}LAN\char95{}PROYECTOS -\/j ACCEPT
      \# \$IPTABLES -\/A FORWARD -\/p tcp -\/-\/dport 22  -\/i \$IFACE\char95{}LAN\char95{}PROYECTOS -\/j ACCEPT
      \# \$IPTABLES -\/A FORWARD -\/p tcp -\/-\/dport 80  -\/i \$IFACE\char95{}LAN\char95{}PROYECTOS -\/j ACCEPT
      \# \$IPTABLES -\/A FORWARD -\/p tcp -\/-\/dport 999 -\/i \$IFACE\char95{}LAN\char95{}PROYECTOS -\/j ACCEPT

      \$IPTABLES -\/A FORWARD -\/m state -\/-\/state ESTABLISHED,RELATED -\/j ACCEPT


      \# Syn-\/flood protection:

      \# \$IPTABLES -\/A FORWARD -\/p tcp -\/-\/syn -\/m limit -\/-\/limit 1/s -\/j ACCEPT

      \# Furtive port scanner:

      \# \$IPTABLES -\/A FORWARD -\/p tcp -\/-\/tcp-\/flags SYN,ACK,FIN,RST RST -\/m limit -\/-\/limit 1/s -\/j ACCEPT

      \# Ping of death:

      \#  \$IPTABLES -\/A FORWARD -\/p icmp -\/-\/icmp-\/type echo-\/request -\/m limit -\/-\/limit 1/s -\/j ACCEPT


      \$IPTABLES -\/A FORWARD -\/m limit -\/-\/limit 3/minute -\/-\/limit-\/burst 3 -\/j LOG -\/-\/log-\/level DEBUG -\/-\/log-\/prefix "IPT FORWARD packet died: "

      echo -\/en "\char92{}033[47m\char92{}033[1;32m[done]   \char92{}033[0m\char92{}n"



    \#\#
    \# Reglas para PREROUTING
    \#
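    \# Hacemos un chequeo para bloquear IPs falsas obvias.
    \# Nota: todas las reglas de este chequeo están comentadas más abajo, por lo que
    \# ahora mismo no se aplica. Antes de activarlas, revisar que una de ellas usa
    \# \$INET\char95{}IFACE (la variable definida en este script es IFACE\char95{}INET) y que la
    \# regla de PROYECTOS usa 192.168.4.0/16 mientras que la red definida es
    \# 192.168.4.0/24.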

      echo -\/en "\char92{}033[47m\char92{}033[30m            Definiendo reglas para PREROUTING...              \char92{}033[0m"

      \# \$IPTABLES -\/t nat -\/A PREROUTING -\/i \$IFACE\char95{}INET -\/s 192.168.0.0/16 -\/j DROP
      \# \$IPTABLES -\/t nat -\/A PREROUTING -\/i \$IFACE\char95{}INET -\/s 10.0.0.0/8 -\/j DROP
      \# \$IPTABLES -\/t nat -\/A PREROUTING -\/i \$IFACE\char95{}INET -\/s 172.16.0.0/12 -\/j DROP
      \# \$IPTABLES -\/t nat -\/A PREROUTING -\/i \$IFACE\char95{}LAN\char95{}PROYECTOS ! -\/s 192.168.4.0/16 -\/j DROP
      \# \$IPTABLES -\/t nat -\/A PREROUTING -\/i \$INET\char95{}IFACE -\/s \$IP\char95{}INET -\/j DROP
      
     
      
      \# \$IPTABLES -\/t nat -\/A PREROUTING -\/p TCP -\/i \$IFACE\char95{}INET -\/d \$IP\char95{}INET -\/-\/dport 80 \char92{}
      \#                                                      -\/j DNAT -\/-\/to-\/destination 192.168.2.2
      \# \$IPTABLES -\/t nat -\/A PREROUTING -\/p TCP -\/i \$INET\char95{}IFACE -\/d \$IP\char95{}INET -\/-\/dport 21 \char92{}
      \#                                                      -\/j DNAT -\/-\/to-\/destination 192.168.2.2
      \# \$IPTABLES -\/t nat -\/A PREROUTING -\/p TCP -\/i \$INET\char95{}IFACE -\/d \$IP\char95{}INET -\/-\/dport 22 \char92{}
      \#                                                      -\/j DNAT -\/-\/to-\/destination 192.168.2.2
      
      \#\#
      \# Reject Xms Scans
      \#
      \#
      \# This disallows ALL portscans that will hit the PREROUTING table
			     
      \# \$IPTABLES -\/t nat -\/A PREROUTING -\/p tcp -\/-\/tcp-\/flags ALL FIN,URG,PSH -\/j LOG -\/-\/log-\/level DEBUG -\/m limit -\/-\/limit 1/s
      \# \$IPTABLES -\/t nat -\/A PREROUTING -\/p tcp -\/-\/tcp-\/flags ALL FIN,URG,PSH -\/j DROP
						   
      \#\#
      \# Reject Fin scans
      \#
      \#
      \# This disallows ALL portscans that will hit the PREROUTING table
  
      \# \$IPTABLES -\/t nat -\/A PREROUTING -\/p tcp -\/-\/tcp-\/flags ALL FIN -\/j LOG -\/-\/log-\/level DEBUG -\/m limit -\/-\/limit 1/s
      \# \$IPTABLES -\/t nat -\/A PREROUTING -\/p tcp -\/-\/tcp-\/flags ALL FIN -\/j DROP
  
      \#\#
      \# Reject ANY station that opens and immediately closes a connection
      \# Some portscanners does this
      \#
 		        
      \# \$IPTABLES -\/t nat -\/A PREROUTING -\/p tcp -\/-\/tcp-\/flags ALL SYN,FIN -\/j LOG -\/-\/log-\/level DEBUG -\/m limit -\/-\/limit 1/s
      \# \$IPTABLES -\/t nat -\/A PREROUTING -\/p tcp -\/-\/tcp-\/flags ALL SYN,FIN -\/j DROP
					      
      echo -\/en "\char92{}033[47m\char92{}033[1;32m[done]   \char92{}033[0m\char92{}n"


      
    \#\#
    \# INPUT rules
    \#
    \# Establish the basic INPUT chain and hand the packets to the per-\/protocol
    \# chains (icmp\char95{}packets, tcp\char95{}packets, udpincoming\char95{}packets).
    \#
    \# NOTE(review): the two rules that accept everything addressed to
    \# IP\char95{}LAN\char95{}CLIENTES and IP\char95{}LAN\char95{}PROYECTOS carry no -\/i match, so they also
    \# apply to packets that arrive on the Internet interface with one of those
    \# destination addresses. Adding the expected input interface(s) to them
    \# would narrow that; check first which internal networks need to reach
    \# each address.
    \# Packets that match nothing are logged by the last active rule and then
    \# fall through to the chain policy (set to DROP earlier in this branch).
    
       \#
       \# Log, then drop, TCP packets that connection tracking sees as NEW
       \# but that do not have the SYN flag set.
       \#

        \$IPTABLES -\/A INPUT -\/p tcp ! -\/-\/syn -\/m state -\/-\/state NEW -\/j LOG \char92{}
                                    -\/-\/log-\/prefix "New not syn:"
        \$IPTABLES -\/A INPUT -\/p tcp ! -\/-\/syn -\/m state -\/-\/state NEW -\/j DROP
    
        \$IPTABLES -\/A INPUT -\/p ICMP -\/j icmp\char95{}packets
        \$IPTABLES -\/A INPUT -\/p TCP  -\/j tcp\char95{}packets
        \$IPTABLES -\/A INPUT -\/p UDP  -\/j udpincoming\char95{}packets
        \$IPTABLES -\/A INPUT -\/p ALL -\/i \$\{IFACE\char95{}LAN\char95{}CLIENTES\} -\/d \$\{DIRECCION\char95{}BCAST\char95{}LAN\char95{}CLIENTES\} -\/j ACCEPT
        \$IPTABLES -\/A INPUT -\/p ALL -\/i \$\{IFACE\char95{}LAN\char95{}PROYECTOS\} -\/d \$\{DIRECCION\char95{}BCAST\char95{}LAN\char95{}PROYECTOS\} -\/j ACCEPT
        \$IPTABLES -\/A INPUT -\/p ALL -\/i \$\{IFACE\char95{}LO\} -\/d \$IP\char95{}LOCALHOST -\/j ACCEPT
        \$IPTABLES -\/A INPUT -\/p ALL -\/d \$IP\char95{}LAN\char95{}CLIENTES -\/j ACCEPT
        \$IPTABLES -\/A INPUT -\/p ALL -\/d \$IP\char95{}LAN\char95{}PROYECTOS -\/j ACCEPT
        \$IPTABLES -\/A INPUT -\/p ALL -\/d \$IP\char95{}INET -\/m state -\/-\/state ESTABLISHED,RELATED -\/j ACCEPT
        \$IPTABLES -\/A INPUT -\/m limit -\/-\/limit 3/minute -\/-\/limit-\/burst 3 -\/j LOG -\/-\/log-\/level DEBUG -\/-\/log-\/prefix "IPT INPUT packet died: "
        \# \$\{IPTABLES\} -\/A INPUT -\/p TCP -\/i \$\{IFACE\char95{}INET\} -\/j REJECT -\/-\/reject-\/with tcp-\/reset
        \# \$\{IPTABLES\} -\/A INPUT -\/p UDP -\/i \$\{IFACE\char95{}INET\} -\/j REJECT -\/-\/reject-\/with icmp-\/port-\/unreachable




    \#\#
    \# OUTPUT chain
    \#
    \# establish the basic OUTPUT chain and filter them onto the correct chain


      \$IPTABLES -\/A OUTPUT -\/p tcp ! -\/-\/syn -\/m state -\/-\/state NEW -\/j LOG -\/-\/log-\/prefix "New not syn:"
      \$IPTABLES -\/A OUTPUT -\/p tcp ! -\/-\/syn -\/m state -\/-\/state NEW -\/j DROP

      \$IPTABLES -\/A OUTPUT -\/p ALL -\/s \$IP\char95{}LOCALHOST -\/j ACCEPT
      \$IPTABLES -\/A OUTPUT -\/p ALL -\/s \$IP\char95{}LAN\char95{}CLIENTES -\/j ACCEPT
      \$IPTABLES -\/A OUTPUT -\/p ALL -\/s \$IP\char95{}LAN\char95{}PROYECTOS -\/j ACCEPT
      \$IPTABLES -\/A OUTPUT -\/p ALL -\/s \$IP\char95{}INET -\/j ACCEPT
      \$IPTABLES -\/A OUTPUT -\/m limit -\/-\/limit 3/minute -\/-\/limit-\/burst 3 -\/j LOG -\/-\/log-\/level DEBUG -\/-\/log-\/prefix "IPT OUTPUT packet died: "




    \#\#
    \# MANGLE chain
    \#
    \# 
    \# invalid crap
    \#

    \# \$IPTABLES -\/t mangle -\/A PREROUTING -\/j LOG -\/-\/log-\/level DEBUG -\/m state -\/-\/state INVALID -\/m limit -\/-\/limit 1/s

   


    \#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#
    \# Reglas para NAT (Network Address Translation) \#
    \#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#\#


    \# Enable simple IP FORWARDing and Masquerading
    \#
    \# NOTE: The following is an example for an internal LAN, where the lan
    \# runs on eth1, and the Internet is on eth0.
    \#
    \# Please change the network devices to match your own configuration

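      \# Router set-\/up: enable IPv4 forwarding and, depending on NAT, source
      \# address translation on the Internet interface. Runs only when
      \# ROUTER="yes".
      \#   NAT="dynamic"   -\/>\/ enable ip\char95{}dynaddr and MASQUERADE on IFACE\char95{}INET
      \#   NAT=<\/address>\/  -\/>\/ SNAT to that address on IFACE\char95{}INET
      \#   NAT=""          -\/>\/ forwarding only, no address translation
      if [ "\$ROUTER" = "yes" ]
      then

          echo -\/en "\char92{}033[47m\char92{}033[34m                                                                       \char92{}033[0m\char92{}n"
          echo -\/en "\char92{}033[47m\char92{}033[34m       -\/ Reglas para el ROUTER:                                        \char92{}033[0m\char92{}n"
          echo -\/en "\char92{}033[47m\char92{}033[34m                                                                       \char92{}033[0m\char92{}n"
          echo -\/en "\char92{}033[47m\char92{}033[30m            Activando IP forwarding...                        \char92{}033[0m"

          \# We are a router of some kind: enable IP forwarding.
          echo 1 >\/ /proc/sys/net/ipv4/ip\char95{}forward

          echo -\/en "\char92{}033[47m\char92{}033[1;32m[done]   \char92{}033[0m\char92{}n"

          if [ "\$NAT" = "dynamic" ]
          then

              \# Dynamic IP address: use masquerading.
              \#
              \# If you get your IP address dynamically from SLIP, PPP, or DHCP,
              \# enable this option. This enables dynamic-\/ip address hacking in
              \# IP MASQ, making the connection with Diald and similar programs
              \# much easier.

              echo -\/en "\char92{}033[47m\char92{}033[30m            Activando dynamic-\/ip address hacking...           \char92{}033[0m"

              echo "1" >\/ /proc/sys/net/ipv4/ip\char95{}dynaddr

              echo -\/en "\char92{}033[47m\char92{}033[1;32m[done]   \char92{}033[0m\char92{}n"

              echo -\/en "\char92{}033[47m\char92{}033[30m            Activando ip-\/masquerading...                      \char92{}033[0m"

              \$IPTABLES -\/t nat -\/A POSTROUTING -\/o \$IFACE\char95{}INET -\/j MASQUERADE

              echo -\/en "\char92{}033[47m\char92{}033[1;32m[done]   \char92{}033[0m\char92{}n"

          elif [ "\$NAT" != "" ]
          then

              \# Static IP address: use SNAT.

              echo -\/en "\char92{}033[47m\char92{}033[30m            Activando SNAT (IP estática)...                   \char92{}033[0m"

              \# Call iptables through \$IPTABLES, like every other rule in the
              \# script, so that the binary used does not depend on the PATH of
              \# the calling environment.
              \$IPTABLES -\/t nat -\/A POSTROUTING -\/o \$IFACE\char95{}INET -\/j SNAT -\/-\/to-\/source \$\{NAT\}

              echo -\/en "\char92{}033[47m\char92{}033[1;32m[done]   \char92{}033[0m\char92{}n"

          fi
      fi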


    \#\#
    \# Redirección del tráfico web saliente a la caché de squid.
    \# Esto se hace de forma transparente al usuario.

    echo -\/en "\char92{}033[47m\char92{}033[30m                                                                       \char92{}033[0m\char92{}n"
    echo -\/en "\char92{}033[47m\char92{}033[30m       Activando proxy transparente...                        \char92{}033[0m"

     \$IPTABLES -\/t nat -\/A PREROUTING -\/i \$IFACE\char95{}LAN\char95{}CLIENTES	-\/p tcp -\/-\/dport 80 -\/j REDIRECT -\/-\/to-\/port 3128
     \# \$IPTABLES -\/t nat -\/A PREROUTING -\/i \$IFACE\char95{}LAN\char95{}DMZ		-\/p tcp -\/-\/dport 80 -\/j REDIRECT -\/-\/to-\/port 3128
     \# \$IPTABLES -\/t nat -\/A PREROUTING -\/i \$IFACE\char95{}LAN\char95{}PROYECTOS	-\/p tcp -\/-\/dport 80 -\/j REDIRECT -\/-\/to-\/port 3128
     
    echo -\/en "\char92{}033[47m\char92{}033[1;32m[done]   \char92{}033[0m\char92{}n"


    \#\#
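    \# Redirección del tráfico web entrante (puertos 80 y 443) hacia cancerbero.
    \# NOTA: el mensaje que se muestra dice "litio", pero las reglas apuntan a 193.146.99.248.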

      echo -\/en "\char92{}033[47m\char92{}033[30m       Activando la redirección del tráfico web a litio...    \char92{}033[0m"

      \$IPTABLES -\/t nat -\/A PREROUTING -\/p TCP -\/i \$IFACE\char95{}INET -\/d \$IP\char95{}INET -\/-\/dport 80 -\/j DNAT -\/-\/to-\/destination 193.146.99.248:8080
      \$IPTABLES -\/t nat -\/A PREROUTING -\/p TCP -\/i \$IFACE\char95{}INET -\/d \$IP\char95{}INET -\/-\/dport 443 -\/j DNAT -\/-\/to-\/destination 193.146.99.248:443
	
      echo -\/en "\char92{}033[47m\char92{}033[1;32m[done]   \char92{}033[0m\char92{}n"

      
    \#\#
    \# Redirección del tráfico entrante por el puerto 110 hacia el servidor web (puerto 80) de litio.

      echo -\/en "\char92{}033[47m\char92{}033[30m       Activando la redirección del tráfico web a litio...    \char92{}033[0m"

      \$IPTABLES -\/t nat -\/A PREROUTING -\/p TCP -\/i \$IFACE\char95{}INET -\/d \$IP\char95{}INET -\/-\/dport 110 -\/j DNAT -\/-\/to-\/destination 192.168.2.2:80

      echo -\/en "\char92{}033[47m\char92{}033[1;32m[done]   \char92{}033[0m\char92{}n"
     

    \#\#
    \# Redirección del tráfico apt-\/proxy entrante hacia litio.

      echo -\/en "\char92{}033[47m\char92{}033[30m       Activando la redirección del tráfico apt-\/proxy a litio...    \char92{}033[0m"

      \$IPTABLES -\/t nat -\/A PREROUTING -\/p TCP -\/i \$IFACE\char95{}INET -\/d \$IP\char95{}INET -\/-\/dport 9999 -\/j DNAT -\/-\/to-\/destination 192.168.2.2:9999

      echo -\/en "\char92{}033[47m\char92{}033[1;32m[done]   \char92{}033[0m\char92{}n"

     
    \#\#
    \# Redirección del tráfico ftp entrante hacia litio.

      echo -\/en "\char92{}033[47m\char92{}033[30m       Activando la redirección del tráfico ftp a litio...    \char92{}033[0m"

      \$IPTABLES -\/t nat -\/A PREROUTING -\/p TCP -\/i \$IFACE\char95{}INET -\/d \$IP\char95{}INET -\/-\/dport 21 -\/j DNAT -\/-\/to-\/destination 192.168.2.2:21
      \$IPTABLES -\/t nat -\/A PREROUTING -\/p TCP -\/i \$IFACE\char95{}INET -\/d \$IP\char95{}INET -\/-\/dport 20 -\/j DNAT -\/-\/to-\/destination 192.168.2.2:20
      
      
      echo -\/en "\char92{}033[47m\char92{}033[1;32m[done]   \char92{}033[0m\char92{}n"

      
    \#\#
    \# Redirección del tráfico ssh entrante hacia litio.

       echo -\/en "\char92{}033[47m\char92{}033[30m       Activando la redirección del tráfico ssh a litio...    \char92{}033[0m"
   
       \$IPTABLES -\/t nat -\/A PREROUTING -\/p TCP -\/i \$IFACE\char95{}INET -\/d \$IP\char95{}INET -\/-\/dport 22 -\/j DNAT -\/-\/to-\/destination 192.168.2.2:22
		 
       echo -\/en "\char92{}033[47m\char92{}033[1;32m[done]   \char92{}033[0m\char92{}n"

      
    \#\#
    \# Redirección del tráfico ssh entrante por el puerto 2222 hacia potasio.

       echo -\/en "\char92{}033[47m\char92{}033[30m       Activando la redirección del tráfico ssh a potasio...    \char92{}033[0m"
   
       \$IPTABLES -\/t nat -\/A PREROUTING -\/p TCP -\/i \$IFACE\char95{}INET -\/d \$IP\char95{}INET -\/-\/dport 2222 -\/j DNAT -\/-\/to-\/destination 192.168.4.2:22

       echo -\/en "\char92{}033[47m\char92{}033[1;32m[done]   \char92{}033[0m\char92{}n"
	  
    
    echo -\/en "\char92{}033[47m\char92{}033[31m                                                                       \char92{}033[0m\char92{}n"
    echo -\/en "\char92{}033[47m\char92{}033[31m                                                                       \char92{}033[0m\char92{}n"
    echo -\/en "\char92{}033[47m\char92{}033[31m                      Cortafuegos configurado                          \char92{}033[m\char92{}n"
    echo -\/en "\char92{}033[47m\char92{}033[31m                                                                       \char92{}033[0m\char92{}n"

   ;; \# Fin de "start"



\#\#\#\#\#\#\#
\# STOP
\#
\# Se ha pasado el argumento "stop"

 "stop") 

   \#\#
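   \# Restablecemos los valores por defecto de iptables (reset\char95{}and\char95{}flush).
   \# Si las políticas por defecto son ACCEPT, la máquina queda sin filtrado
   \# mientras el cortafuegos esté parado.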
   \#
   
   echo -\/en "\char92{}n"
   echo -\/en "\char92{}033[47m\char92{}033[31m                                                                       \char92{}033[0m\char92{}n"
   echo -\/en "\char92{}033[47m\char92{}033[31m                      Parando el cortafuegos                           \char92{}033[0m\char92{}n"
   echo -\/en "\char92{}033[47m\char92{}033[31m                                                                       \char92{}033[0m\char92{}n"
   
   reset\char95{}and\char95{}flush

   echo -\/en "\char92{}033[47m\char92{}033[31m                                                                       \char92{}033[0m\char92{}n"
   echo -\/en "\char92{}033[47m\char92{}033[31m                                                                       \char92{}033[0m\char92{}n"
   echo -\/en "\char92{}033[47m\char92{}033[31m                        Cortafuegos parado                             \char92{}033[0m\char92{}n"
   echo -\/en "\char92{}033[47m\char92{}033[31m                                                                       \char92{}033[0m\char92{}n"
   
   ;; \# Fin de "Stop"

esac

\endPar{}\endNode{}\endSeq{}\endDisplayGroup{}\endNode{}\Node%
{\def\Label%
{prueba}}\DisplayGroup%
{\def\StartIndent%
{48\p@}\def\StartIndentFactor%
{0}\def\sbNom%
{10\p@}\def\sbMin%
{10\p@}\def\sbMax%
{10\p@}\def\sbConditional%
{1}\def\saNom%
{10\p@}\def\saMin%
{10\p@}\def\saMax%
{10\p@}\def\saConditional%
{1}}\Seq%
{}\Seq%
{}\Par%
{\def\fFamName{Arial}\def\fWeight%
{bold}\def\fPosture%
{upright}\def\fSize%
{14.4\p@}\def\LineSpacing%
{18.72\p@}\def\LineSpacingFactor%
{0}\def\StartIndent%
{0\p@}\def\StartIndentFactor%
{0}\def\FirstLineStartIndent%
{0\p@}\def\FirstLineStartIndentFactor%
{0}\def\Quadding%
{start}\def\HeadingLevel%
{2}\def\sbNom%
{10.8\p@}\def\sbMin%
{10.8\p@}\def\sbMax%
{10.8\p@}\def\sbConditional%
{1}\def\saNom%
{7.2\p@}\def\saMin%
{7.2\p@}\def\saMax%
{7.2\p@}\def\saConditional%
{1}\def\KeepWithNext%
{1}}\Node%
{\def\Element%
{75}\def\ProcessingMode%
{title-sosofo-mode}}Prueba\endNode{}\endPar{}\endSeq{}\Node%
{\def\Element%
{75}}\endNode{}\Node%
{\def\Element%
{76}}\Par%
{\def\FirstLineStartIndent%
{0\p@}\def\FirstLineStartIndentFactor%
{0}\def\Quadding%
{start}\def\Hyphenate%
{0}\def\Language%
{ES}\def\sbNom%
{5\p@}\def\sbMin%
{5\p@}\def\sbMax%
{5\p@}\def\sbConditional%
{1}\def\saNom%
{5\p@}\def\saMin%
{5\p@}\def\saMax%
{5\p@}\def\saConditional%
{1}}
	Una vez esté todo configurado, pondremos en marcha el cortafuegos mediante el comando:
	\endPar{}\endNode{}\Node%
{\def\Element%
{77}}\Par%
{\def\fSize%
{9\p@}\def\LineSpacing%
{11.7\p@}\def\LineSpacingFactor%
{0}\def\StartIndent%
{48\p@}\def\StartIndentFactor%
{0}\def\fFamName{Courier-New}\def\fWeight%
{medium}\def\fPosture%
{upright}\def\FirstLineStartIndent%
{0\p@}\def\FirstLineStartIndentFactor%
{0}\def\Lines%
{asis}\def\InputWhitespaceTreatment%
{preserve}\def\sbNom%
{10\p@}\def\sbMin%
{10\p@}\def\sbMax%
{10\p@}\def\sbConditional%
{1}\def\saNom%
{10\p@}\def\saMin%
{10\p@}\def\saMax%
{10\p@}\def\saConditional%
{1}}\Node%
{\def\Element%
{78}}\Seq%
{\def\fFamName{Courier-New}\def\fSize%
{8.1\p@}}\# \endSeq{}\endNode{}\Node%
{\def\Element%
{79}}\Seq%
{\def\fFamName{Courier-New}\def\fWeight%
{bold}}/etc/init.d/rc\char95{}firewall start\endSeq{}\endNode{}\endPar{}\endNode{}\Node%
{\def\Element%
{80}}\Par%
{\def\FirstLineStartIndent%
{0\p@}\def\FirstLineStartIndentFactor%
{0}\def\Quadding%
{start}\def\Hyphenate%
{0}\def\Language%
{ES}\def\sbNom%
{5\p@}\def\sbMin%
{5\p@}\def\sbMax%
{5\p@}\def\sbConditional%
{1}\def\saNom%
{5\p@}\def\saMin%
{5\p@}\def\saMax%
{5\p@}\def\saConditional%
{1}}
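	A partir de este momento, podremos acceder a Internet desde cualquiera de los 
	ordenadores clientes. Para comprobarlo, podemos intentar alcanzar un servidor 
	web (ping sólo verifica la resolución de nombres y la conectividad ICMP; el 
	acceso web a través del proxy transparente se comprueba abriendo la página en 
	un navegador), por ejemplo: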
	\endPar{}\endNode{}\Node%
{\def\Element%
{81}}\Par%
{\def\fSize%
{9\p@}\def\LineSpacing%
{11.7\p@}\def\LineSpacingFactor%
{0}\def\StartIndent%
{48\p@}\def\StartIndentFactor%
{0}\def\fFamName{Courier-New}\def\fWeight%
{medium}\def\fPosture%
{upright}\def\FirstLineStartIndent%
{0\p@}\def\FirstLineStartIndentFactor%
{0}\def\Lines%
{asis}\def\InputWhitespaceTreatment%
{preserve}\def\sbNom%
{10\p@}\def\sbMin%
{10\p@}\def\sbMax%
{10\p@}\def\sbConditional%
{1}\def\saNom%
{10\p@}\def\saMin%
{10\p@}\def\saMax%
{10\p@}\def\saConditional%
{1}}\Node%
{\def\Element%
{82}}\Seq%
{\def\fFamName{Courier-New}\def\fSize%
{8.1\p@}}\# \endSeq{}\endNode{}\Node%
{\def\Element%
{83}}\Seq%
{\def\fFamName{Courier-New}\def\fWeight%
{bold}}ping www.google.com\endSeq{}\endNode{}\endPar{}\endNode{}\Node%
{\def\Element%
{84}}\Par%
{\def\FirstLineStartIndent%
{0\p@}\def\FirstLineStartIndentFactor%
{0}\def\Quadding%
{start}\def\Hyphenate%
{0}\def\Language%
{ES}\def\sbNom%
{5\p@}\def\sbMin%
{5\p@}\def\sbMax%
{5\p@}\def\sbConditional%
{1}\def\saNom%
{5\p@}\def\saMin%
{5\p@}\def\saMax%
{5\p@}\def\saConditional%
{1}}
	También podemos probar desde otra red si funciona el acceso a los 
	servicios que se han definido (ftp, web, ssh, ...). Conviene comprobar 
	además que desde fuera no responde ningún puerto distinto de los redirigidos.
	\endPar{}\endNode{}\Node%
{\def\Element%
{85}}\Par%
{\def\FirstLineStartIndent%
{0\p@}\def\FirstLineStartIndentFactor%
{0}\def\Quadding%
{start}\def\Hyphenate%
{0}\def\Language%
{ES}\def\sbNom%
{5\p@}\def\sbMin%
{5\p@}\def\sbMax%
{5\p@}\def\sbConditional%
{1}\def\saNom%
{5\p@}\def\saMin%
{5\p@}\def\saMax%
{5\p@}\def\saConditional%
{1}}
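	Si se quiere aislar la red temporalmente por cualquier motivo, podemos 
	parar el cortafuegos invocando el mismo script con el argumento stop. Al 
	pararlo se restablecen los valores por defecto de iptables, por lo que, 
	previsiblemente, dejan de aplicarse tanto las reglas de NAT y redirección 
	como las de filtrado; conviene revisar con iptables -\/L -\/n que la propia 
	máquina cortafuegos no queda expuesta mientras tanto. El comando es: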
	\endPar{}\endNode{}\Node%
{\def\Element%
{86}}\Par%
{\def\fSize%
{9\p@}\def\LineSpacing%
{11.7\p@}\def\LineSpacingFactor%
{0}\def\StartIndent%
{48\p@}\def\StartIndentFactor%
{0}\def\fFamName{Courier-New}\def\fWeight%
{medium}\def\fPosture%
{upright}\def\FirstLineStartIndent%
{0\p@}\def\FirstLineStartIndentFactor%
{0}\def\Lines%
{asis}\def\InputWhitespaceTreatment%
{preserve}\def\sbNom%
{10\p@}\def\sbMin%
{10\p@}\def\sbMax%
{10\p@}\def\sbConditional%
{1}\def\saNom%
{10\p@}\def\saMin%
{10\p@}\def\saMax%
{10\p@}\def\saConditional%
{1}}\Node%
{\def\Element%
{87}}\Seq%
{\def\fFamName{Courier-New}\def\fSize%
{8.1\p@}}\# \endSeq{}\endNode{}\Node%
{\def\Element%
{88}}\Seq%
{\def\fFamName{Courier-New}\def\fWeight%
{bold}}/etc/init.d/firewall stop\endSeq{}\endNode{}\endPar{}\endNode{}\endSeq{}\endDisplayGroup{}\endNode{}\Node%
{\def\Label%
{mas_informacion}}\DisplayGroup%
{\def\StartIndent%
{48\p@}\def\StartIndentFactor%
{0}\def\sbNom%
{10\p@}\def\sbMin%
{10\p@}\def\sbMax%
{10\p@}\def\sbConditional%
{1}\def\saNom%
{10\p@}\def\saMin%
{10\p@}\def\saMax%
{10\p@}\def\saConditional%
{1}}\Seq%
{}\Seq%
{}\Par%
{\def\fFamName{Arial}\def\fWeight%
{bold}\def\fPosture%
{upright}\def\fSize%
{14.4\p@}\def\LineSpacing%
{18.72\p@}\def\LineSpacingFactor%
{0}\def\StartIndent%
{0\p@}\def\StartIndentFactor%
{0}\def\FirstLineStartIndent%
{0\p@}\def\FirstLineStartIndentFactor%
{0}\def\Quadding%
{start}\def\HeadingLevel%
{2}\def\sbNom%
{10.8\p@}\def\sbMin%
{10.8\p@}\def\sbMax%
{10.8\p@}\def\sbConditional%
{1}\def\saNom%
{7.2\p@}\def\saMin%
{7.2\p@}\def\saMax%
{7.2\p@}\def\saConditional%
{1}\def\KeepWithNext%
{1}}\Node%
{\def\Element%
{90}\def\ProcessingMode%
{title-sosofo-mode}}Más información\endNode{}\endPar{}\endSeq{}\Node%
{\def\Element%
{90}}\endNode{}\Node%
{\def\Element%
{91}}\Par%
{\def\FirstLineStartIndent%
{0\p@}\def\FirstLineStartIndentFactor%
{0}\def\Quadding%
{start}\def\Hyphenate%
{0}\def\Language%
{ES}\def\sbNom%
{5\p@}\def\sbMin%
{5\p@}\def\sbMax%
{5\p@}\def\sbConditional%
{1}\def\saNom%
{5\p@}\def\saMin%
{5\p@}\def\saMax%
{5\p@}\def\saConditional%
{1}}
   Se recomienda la lectura de la documentación de \Node%
{\def\Element%
{92}}\Seq%
{\def\fWeight%
{bold}}iptables\endSeq{}\endNode{}, que 
   está situada en el directorio /usr/share/doc/iptables/.   
   \endPar{}\endNode{}\Node%
{\def\Element%
{93}}\Par%
{\def\FirstLineStartIndent%
{0\p@}\def\FirstLineStartIndentFactor%
{0}\def\Quadding%
{start}\def\Hyphenate%
{0}\def\Language%
{ES}\def\sbNom%
{5\p@}\def\sbMin%
{5\p@}\def\sbMax%
{5\p@}\def\sbConditional%
{1}\def\saNom%
{5\p@}\def\saMin%
{5\p@}\def\saMax%
{5\p@}\def\saConditional%
{1}}
   Otra documentación muy interesante se encuentra en el sitio web del proyecto 
   Netfilter: \Node%
{\def\Element%
{94}}\Seq%
{}\Seq%
{}\Seq%
{}http://www.netfilter.org\endSeq{}\Seq%
{} (http://www.netfilter.org/)\endSeq{}\endSeq{}\endSeq{}\endNode{}. En 
   ella podremos encontrar numerosos tutoriales sobre \Node%
{\def\Element%
{95}}\Seq%
{\def\fWeight%
{bold}}iptables\endSeq{}\endNode{} que nos 
   ayudarán en su comprensión y manejo, así como en la teoría de redes necesaria para 
   comprender muchos de los conceptos utilizados en el cortafuegos:  
   \endPar{}\endNode{}\Node%
{\def\Element%
{96}}\DisplayGroup%
{\def\StartIndent%
{48\p@}\def\StartIndentFactor%
{0}\def\saNom%
{5\p@}\def\saMin%
{5\p@}\def\saMax%
{5\p@}\def\saConditional%
{1}}\Node%
{\def\Element%
{97}}\DisplayGroup%
{\def\StartIndent%
{58\p@}\def\StartIndentFactor%
{0}}\Par%
{\def\FirstLineStartIndent%
{-10\p@}\def\FirstLineStartIndentFactor%
{0}\def\fFamName{Times-New-Roman}\def\fWeight%
{medium}\def\fSize%
{10\p@}\def\sbNom%
{5\p@}\def\sbMin%
{5\p@}\def\sbMax%
{5\p@}\def\sbConditional%
{1}}\Seq%
{}\LineField%
{\def\fSize%
{8\p@}\def\PositionPointShift%
{0\p@}\def\PositionPointShiftFactor%
{0}\def\FieldWidth%
{10\p@}\def\FieldWidthFactor%
{0}}\Character{8226}\endLineField{}\endSeq{}N\endPar{}etfilter Hacking HOWTO\endDisplayGroup{}\endNode{}\Node%
{\def\Element%
{98}}\DisplayGroup%
{\def\StartIndent%
{58\p@}\def\StartIndentFactor%
{0}}\Par%
{\def\FirstLineStartIndent%
{-10\p@}\def\FirstLineStartIndentFactor%
{0}\def\fFamName{Times-New-Roman}\def\fWeight%
{medium}\def\fSize%
{10\p@}\def\sbNom%
{5\p@}\def\sbMin%
{5\p@}\def\sbMax%
{5\p@}\def\sbConditional%
{1}}\Seq%
{}\LineField%
{\def\fSize%
{8\p@}\def\PositionPointShift%
{0\p@}\def\PositionPointShiftFactor%
{0}\def\FieldWidth%
{10\p@}\def\FieldWidthFactor%
{0}}\Character{8226}\endLineField{}\endSeq{}N\endPar{}etfilter Extensions HOWTO\endDisplayGroup{}\endNode{}\Node%
{\def\Element%
{99}}\DisplayGroup%
{\def\StartIndent%
{58\p@}\def\StartIndentFactor%
{0}}\Par%
{\def\FirstLineStartIndent%
{-10\p@}\def\FirstLineStartIndentFactor%
{0}\def\fFamName{Times-New-Roman}\def\fWeight%
{medium}\def\fSize%
{10\p@}\def\sbNom%
{5\p@}\def\sbMin%
{5\p@}\def\sbMax%
{5\p@}\def\sbConditional%
{1}}\Seq%
{}\LineField%
{\def\fSize%
{8\p@}\def\PositionPointShift%
{0\p@}\def\PositionPointShiftFactor%
{0}\def\FieldWidth%
{10\p@}\def\FieldWidthFactor%
{0}}\Character{8226}\endLineField{}\endSeq{}P\endPar{}acket Filtering HOWTO\endDisplayGroup{}\endNode{}\Node%
{\def\Element%
{100}}\DisplayGroup%
{\def\StartIndent%
{58\p@}\def\StartIndentFactor%
{0}}\Par%
{\def\FirstLineStartIndent%
{-10\p@}\def\FirstLineStartIndentFactor%
{0}\def\fFamName{Times-New-Roman}\def\fWeight%
{medium}\def\fSize%
{10\p@}\def\sbNom%
{5\p@}\def\sbMin%
{5\p@}\def\sbMax%
{5\p@}\def\sbConditional%
{1}}\Seq%
{}\LineField%
{\def\fSize%
{8\p@}\def\PositionPointShift%
{0\p@}\def\PositionPointShiftFactor%
{0}\def\FieldWidth%
{10\p@}\def\FieldWidthFactor%
{0}}\Character{8226}\endLineField{}\endSeq{}N\endPar{}etworking Concepts HOWTO\endDisplayGroup{}\endNode{}\Node%
{\def\Element%
{101}}\DisplayGroup%
{\def\StartIndent%
{58\p@}\def\StartIndentFactor%
{0}}\Par%
{\def\FirstLineStartIndent%
{-10\p@}\def\FirstLineStartIndentFactor%
{0}\def\fFamName{Times-New-Roman}\def\fWeight%
{medium}\def\fSize%
{10\p@}\def\sbNom%
{5\p@}\def\sbMin%
{5\p@}\def\sbMax%
{5\p@}\def\sbConditional%
{1}}\Seq%
{}\LineField%
{\def\fSize%
{8\p@}\def\PositionPointShift%
{0\p@}\def\PositionPointShiftFactor%
{0}\def\FieldWidth%
{10\p@}\def\FieldWidthFactor%
{0}}\Character{8226}\endLineField{}\endSeq{}N\endPar{}AT HOWTO\endDisplayGroup{}\endNode{}\endDisplayGroup{}\endNode{}\Node%
{\def\Element%
{102}}\Par%
{\def\FirstLineStartIndent%
{0\p@}\def\FirstLineStartIndentFactor%
{0}\def\Quadding%
{start}\def\Hyphenate%
{0}\def\Language%
{ES}\def\sbNom%
{5\p@}\def\sbMin%
{5\p@}\def\sbMax%
{5\p@}\def\sbConditional%
{1}\def\saNom%
{5\p@}\def\saMin%
{5\p@}\def\saMax%
{5\p@}\def\saConditional%
{1}}
   Uno de los tutoriales más completos es el situado 
   en \Node%
{\def\Element%
{103}}\Seq%
{}\Seq%
{}\Seq%
{}http://iptables-\/tutorial.haringstad.com\endSeq{}\endSeq{}\endSeq{}\endNode{}, 
   cuya lectura es más que recomendable.
   \endPar{}\endNode{}\endSeq{}\endDisplayGroup{}\endNode{}\Node%
{\def\Label%
{este_documento}}\DisplayGroup%
{\def\StartIndent%
{48\p@}\def\StartIndentFactor%
{0}\def\sbNom%
{10\p@}\def\sbMin%
{10\p@}\def\sbMax%
{10\p@}\def\sbConditional%
{1}\def\saNom%
{10\p@}\def\saMin%
{10\p@}\def\saMax%
{10\p@}\def\saConditional%
{1}}\Seq%
{}\Seq%
{}\Par%
{\def\fFamName{Arial}\def\fWeight%
{bold}\def\fPosture%
{upright}\def\fSize%
{14.4\p@}\def\LineSpacing%
{18.72\p@}\def\LineSpacingFactor%
{0}\def\StartIndent%
{0\p@}\def\StartIndentFactor%
{0}\def\FirstLineStartIndent%
{0\p@}\def\FirstLineStartIndentFactor%
{0}\def\Quadding%
{start}\def\HeadingLevel%
{2}\def\sbNom%
{10.8\p@}\def\sbMin%
{10.8\p@}\def\sbMax%
{10.8\p@}\def\sbConditional%
{1}\def\saNom%
{7.2\p@}\def\saMin%
{7.2\p@}\def\saMax%
{7.2\p@}\def\saConditional%
{1}\def\KeepWithNext%
{1}}\Node%
{\def\Element%
{105}\def\ProcessingMode%
{title-sosofo-mode}}Sobre este documento\endNode{}\endPar{}\endSeq{}\Node%
{\def\Element%
{105}}\endNode{}\Node%
{\def\Element%
{106}}\Par%
{\def\FirstLineStartIndent%
{0\p@}\def\FirstLineStartIndentFactor%
{0}\def\Quadding%
{start}\def\Hyphenate%
{0}\def\Language%
{ES}\def\sbNom%
{5\p@}\def\sbMin%
{5\p@}\def\sbMax%
{5\p@}\def\sbConditional%
{1}\def\saNom%
{5\p@}\def\saMin%
{5\p@}\def\saMax%
{5\p@}\def\saConditional%
{1}}
   Se otorga permiso para copiar, distribuir y/o modificar este documento bajo los términos de la Licencia de 
   Documentación Libre GNU, versión 1.1 o cualquier versión posterior publicada por la Free Software 
   Foundation. Puedes consultar una copia de la licencia en \Node%
{\def\Element%
{107}}\Seq%
{}\Seq%
{}\Seq%
{}
   http://www.gnu.org/copyleft/fdl.html\endSeq{}\Seq%
{} (http://www.gnu.org/copyleft/fdl.html)\endSeq{}\endSeq{}\endSeq{}\endNode{}  
   \endPar{}\endNode{}\Node%
{\def\Element%
{108}}\Par%
{\def\FirstLineStartIndent%
{0\p@}\def\FirstLineStartIndentFactor%
{0}\def\Quadding%
{start}\def\Hyphenate%
{0}\def\Language%
{ES}\def\sbNom%
{5\p@}\def\sbMin%
{5\p@}\def\sbMax%
{5\p@}\def\sbConditional%
{1}\def\saNom%
{5\p@}\def\saMin%
{5\p@}\def\saMax%
{5\p@}\def\saConditional%
{1}}
   Este documento ha sido escrito en formato XML utilizando la DTD de \Node%
{\def\Element%
{109}}\Seq%
{}\Seq%
{}\Seq%
{}DocBook\endSeq{}\Seq%
{} (http://www.docbook.org)\endSeq{}\endSeq{}\endSeq{}\endNode{}. Mediante 
   este sistema, puede ser fácilmente transformado a múltiples formatos (HTML, TXT, PDF, PostScript, LaTeX, DVI, ...). Se recomienda 
   su utilización como herramienta de documentación potente y libre.  
   \endPar{}\endNode{}\endSeq{}\endDisplayGroup{}\endNode{}\endSpS{}\endSeq{}\endNode{}\endNode{}\endSeq{}\endFOT{}