
Warning: This description has not been modified for more than a year. It may be outdated!

Iptables for a server with 2 public network connections

This is an example iptables configuration script for a server that has 2 internet connections. It does not forward HTTP/HTTPS traffic from the local network directly, so that web traffic can be filtered with Dansguardian.

  1. Example configuration script:
    #!/bin/sh
    # for generic sample see: http://oceanpark.com/notes/firewall_example.html
    # http://www.faqs.org/docs/iptables/index.html
    # ---------------------------------------------------
    # Following picture shows packet processing sequence of tables and rules
    # lowercase - tables, UPPERCASE - CHAINS
    #
    #                 Network
    #                   |
    #                  raw
    #                 mangle
    #                  nat
    #               PREROUTING
    #                   |
    #      -------<Routing decision>--------
    #      |                               |
    #    mangle                            |
    #    filter                            |
    #    INPUT                             |
    #      |                               |
    #  Local process                       |
    # <Routing decision>                   |
    #      |                               |
    #     raw                            mangle
    #    mangle                          filter
    #     nat                            FORWARD
    #    filter                            |
    #    OUTPUT                            |
    #      |                               |
    #      ---------------------------------
    #                   |
    #                 mangle
    #                  nat
    #               POSTROUTING
    #                   |
    #                Network
    #
    # Following is connection schema with two different external network connections
    #    IF1             IF2
    #   Static           DHCP
    #  10.12.10.2        IP2
    # 255.255.255.0  255.255.xxx.yyy
    #    |                |
    #  -----------------------
    #  |                     |
    #  |                     |
    #  -----------------------
    #            |
    #           IF0
    #         10.0.0.1
    #       255.255.255.0
    #
    # Here we go…
    # http://support.imagestream.com/Resolving_ip_conntrack_table_full_Errors.html
    # http://www.faqs.org/docs/iptables/theconntrackentries.html
    #echo 16384 > /proc/sys/net/ipv4/ip_conntrack_max

    IF0="eth0" IF1="eth2" IF2="eth1"

    # get mask and address for DHCP network interface:
    net_mask=`ip addr show $IF2|grep "inet "|awk '{print $2}'`
    mask=`echo $net_mask|awk -F"/" '{print $2}'`
    IP2=`echo $net_mask|awk -F"/" '{print $1}'`   # interface address
    # provider address
    P2=`tail -n 15 /var/lib/dhcp3/dhclient.leases|grep "option routers"|awk '{print substr($3,1,length($3)-1)}'`
    P2_NET=`echo $P2|awk -F"." '{print $1"."$2"."$3".0/"}'`   # public interface network
    P2_NET=$P2_NET$mask;

    #echo "net_mask:$net_mask"
    #echo "mask:$mask"
    #echo "IP2:$IP2"
    #echo "P2_NET:$P2_NET"
    #echo "P2:$P2"
    #exit 0

    # Enable forwarding
    echo 1 >/proc/sys/net/ipv4/ip_forward

    # Flush all specific rules
    iptables -F
    iptables -F -t mangle
    iptables -F -t nat
    iptables -F -t filter
    # Set counters to zero
    iptables -Z
    iptables -Z -t mangle
    iptables -Z -t nat
    iptables -Z -t filter

    # Configure default policies (-P), meaning the default rule to apply if no
    # more specific rule below is applicable. Defaults are to DROP anything sent
    # to the firewall or the internal network, and permit anything going out.
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT

    # outgoing VNC packets from local network should be routed through $IF2:
    # iptables -A PREROUTING -t mangle -i $IF0 -p tcp --sport 5900:5995 -j MARK --set-mark 200

    ###############
    #    Allow    #
    ###############
    # Allow ICMP from anywhere
    iptables -A INPUT -p icmp -j ACCEPT
    iptables -A FORWARD -p icmp -j ACCEPT

    # Accept forward for several protocols
    iptables -A FORWARD -p tcp -i $IF0 --destination-port 21 --syn -j ACCEPT
    iptables -A FORWARD -p tcp -i $IF0 --destination-port 22 --syn -j ACCEPT
    iptables -A FORWARD -p tcp -i $IF0 --destination-port 25 --syn -j ACCEPT
    iptables -A FORWARD -p tcp -i $IF0 --destination-port 110 --syn -j ACCEPT
    iptables -A FORWARD -p tcp -i $IF0 --destination-port 143 --syn -j ACCEPT

    # Accept forwarded packets that are part of existing and related connections
    # from $IF1 and $IF2 (internet) to intranet/vmnet.
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Permit packets in to the firewall itself that are part of existing and related connections.
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # DROP direct Squid requests from intranet, before allowing all other inputs
    iptables -A INPUT -p tcp -i $IF0 --destination-port 3128 --syn -j DROP
    # Then ALLOW all inputs to the firewall from the internal network and local interfaces
    iptables -A INPUT -i $IF0 -j ACCEPT
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -i vmnet8 -j ACCEPT

    ### Accept all tcp SYN packets for necessary protocols ###
    # Accept SSH for input
    iptables -A INPUT -p tcp --destination-port 22 --syn -j ACCEPT

    # FTP server, see /etc/proftpd.conf
    iptables -A INPUT -p tcp --destination-port 21 --syn -j ACCEPT
    iptables -A INPUT -p tcp --destination-port 6100:7000 --syn -j ACCEPT

    # Enable SQUID on port 6023 from DSL line
    iptables -A INPUT -p tcp -i $IF2 --destination-port 6023 --syn -j ACCEPT

    # HTTP,HTTPS:
    iptables -A INPUT -p tcp --destination-port 80 --syn -j ACCEPT
    iptables -A INPUT -p tcp --destination-port 443 --syn -j ACCEPT

    ##### MLDonkey ######
    # see /var/lib/mldonkey/donkey.ini
    iptables -A INPUT -i $IF2 -p tcp --sport 8000:8100 -j ACCEPT
    iptables -A INPUT -i $IF2 -p udp --sport 8000:8100 -j ACCEPT

    # Allow Skype forwarding
    iptables -A FORWARD -p tcp --dport 1227 -j ACCEPT
    iptables -A FORWARD -p udp --dport 1227 -j ACCEPT

    ###############
    # MASQUERADE  #
    ###############
    # masquerade 10.0.* packets
    iptables -A POSTROUTING -t nat -s 10.0.0.0/16 -o $IF1 -j MASQUERADE
    iptables -A POSTROUTING -t nat -s 10.0.0.0/16 -o $IF2 -j MASQUERADE

    ##########
    #  Deny  #
    ##########
    # Deny any packet coming in on the public internet interfaces IF1 and IF2
    # which has a spoofed source address from our local networks:
    iptables -A INPUT -i $IF1 -s 10.0.0.0/24 -j DROP
    iptables -A INPUT -i $IF1 -s 127.0.0.0/8 -j DROP
    iptables -A INPUT -i $IF1 -s $P2_NET -j DROP
    iptables -A INPUT -i $IF2 -s 10.0.0.0/24 -j DROP
    iptables -A INPUT -i $IF2 -s 127.0.0.0/8 -j DROP
    iptables -A INPUT -i $IF2 -s 10.12.10.0/24 -j DROP

    # Finally, DENY all connection requests not yet provided for
    iptables -A INPUT -s 0/0 -d 0/0 -p udp -j DROP
    iptables -A INPUT -s 0/0 -d 0/0 -p tcp --syn -j DROP

    #### the end
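
The script above builds P2_NET by taking the first three octets of the DHCP router address and appending the interface's prefix length, which is only correct when the uplink is a /24. The following added example (not code from the original page) derives the uplink network for any prefix length and checks that the lease's router lies inside it before the value would be used in the anti-spoof DROP rule; the `ip addr show` output and lease text it parses are constructed samples.

```shell
#!/bin/sh
# Added example, not code from the original page: derive the uplink network for the
# anti-spoof DROP rule from "address/prefix" for any prefix length (the page's awk
# assumes a /24) and sanity-check that the DHCP-supplied router is inside that network.
# Assumes POSIX sh with $(( )) arithmetic; IP_SHOW and LEASE below are constructed.

# ip4_to_int 10.12.10.2 -> 168561154
ip4_to_int() {
    ( IFS=.; set -- $1; echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )) )
}

# int_to_ip4 168561154 -> 10.12.10.2
int_to_ip4() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# network_of 192.0.2.130/22 -> 192.0.0.0/22 (the page's awk would yield 192.0.2.0/22)
network_of() {
    addr=${1%/*}; prefix=${1#*/}
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    ip=$(ip4_to_int "$addr")
    echo "$(int_to_ip4 $(( ip & mask )))/$prefix"
}

# in_network 192.0.2.1 192.0.0.0/22 -> exit status 0 when the address is inside the network
in_network() {
    [ "$(network_of "$1/${2#*/}")" = "$(network_of "$2")" ]
}

# Constructed stand-ins for `ip -4 addr show $IF2` output and the latest dhclient lease.
IP_SHOW='3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
    inet 192.0.2.130/22 brd 192.0.3.255 scope global eth1'
LEASE='lease {
  interface "eth1";
  fixed-address 192.0.2.130;
  option routers 192.0.2.1;
}'

# Same fields the page's script extracts, taken from the constructed text.
uplink_cidr()   { printf '%s\n' "$IP_SHOW" | awk '/inet /{print $2; exit}'; }
uplink_router() { printf '%s\n' "$LEASE" | awk '/option routers/{sub(";","",$3); print $3; exit}'; }

# P2_NET as the anti-spoof rule should see it; non-zero exit if the router is
# outside the derived network (interface and lease disagree: do not install the rule).
derive_p2_net() {
    p2_net=$(network_of "$(uplink_cidr)")
    in_network "$(uplink_router)" "$p2_net" || return 1
    echo "$p2_net"
}
```

Substituting `ip -4 addr show $IF2` and the real leases file for the two constructed strings gives a drop-in replacement for the P2_NET lines in the script.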


Links

Created by Valdis Vītoliņš on 2008/08/09 16:33
Last modified by Valdis Vītoliņš on 2010/03/03 21:34

Creative Commons Attribution 3.0 Unported License