Note, that this recipe is not updated long time and could be outdated!
Got it.

Iptables serverim ar 2 publiskā tīkla pieslēgumiem

Šis ir iptables konfigurācijas skripta piemērs serverim, kuram ir 2 pieslēgumi internetam.
Tas nelaiž caur pa tiešo HTTP/HTTPS plūsmu, tādējādi to var ierobežot ar Dansguardian satura filtrētājs.

Iestatījumu skripta piemērs:

#!/bin/sh
# for generic sample see: http://oceanpark.com/notes/firewall_example.html
# http://www.faqs.org/docs/iptables/index.html
# ---------------------------------------------------
# Following picture shows packet processing sequence of tables and rules
# lowercase - tables, UPPERCASE - CHAINS
#
#                 Network
#                   |
#                  raw
#                 mangle
#                  nat
#               PREROUTING
#                   |
#      -------<Routing decision>--------
#      |                               |
#    mangle                            |
#    filter                            |
#    INPUT                             |
#      |                               |
#  Local process                       |
# <Routing decision>                   |
#      |                               |
#     raw                            mangle
#    mangle                          filter
#     nat                            FORWARD
#    filter                            |
#    OUTPUT                            |
#      |                               |
#      ---------------------------------
#                   |
#                 mangle
#                  nat
#               POSTROUTING
#                   |
#                Network
#
# Following is connection schema with two different external network connections
#    IF1             IF2
#   Static           DHCP
#  10.12.10.2        IP2
# 255.255.255.0  255.255.xxx.yyy
#    |                |
#  -----------------------
#  |                     |
#  |                     |
#  -----------------------
#            |
#           IF0
#         10.0.0.1
#       255.255.255.0
#
# Here we go...
# http://support.imagestream.com/Resolving_ip_conntrack_table_full_Errors.html
# http://www.faqs.org/docs/iptables/theconntrackentries.html
#echo 16384 > /proc/sys/net/ipv4/ip_conntrack_max

IF0="eth0"
IF1="eth2"
IF2="eth1"

# get mask and address for DHCP network interface:
net_mask=`ip addr show $IF2|grep "inet "|awk '{print $2}'`
mask=`echo $net_mask|awk -F"/" '{print $2}'`
IP2=`echo $net_mask|awk -F"/" '{print $1}'`                     # interface address
                                                                # provider address
P2=`tail -n 15 /var/lib/dhcp3/dhclient.leases|grep "option routers"|awk '{print substr($3,1,length($3)-1)}'`
P2_NET=`echo $P2|awk -F"." '{print $1"."$2"."$3".0/"}'`         # public interface network
P2_NET=$P2_NET$mask;

#echo "net_mask:$net_mask"
#echo "mask:$mask"
#echo "IP2:$IP2"
#echo "P2_NET:$P2_NET"
#echo "P2:$P2"
#exit 0

#Enable forwarding
echo 1 >/proc/sys/net/ipv4/ip_forward

# Flush all specific rules
iptables -F
iptables -F -t mangle
iptables -F -t nat
iptables -F -t filter
# Set counters to zero
iptables -Z
iptables -Z -t mangle
iptables -Z -t nat
iptables -Z -t filter

# Configure default policies (-P), meaning default rule to apply if no
# more specific rule below is applicable.  These rules apply if a more specific rule below
# is not applicable.  Defaults are to DROP anything sent to firewall or internal
# network, permit anything going out.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# outgoing VNC packets from local network should be routed through $IF2:
# iptables -A PREROUTING -t mangle -i $IF0 -p tcp --sport 5900:5995 -j MARK --set-mark 200

###############
#   Allow     #
###############
# Allow ICMP from anywhere
iptables -A INPUT -p icmp -j ACCEPT
iptables -A FORWARD -p icmp -j ACCEPT

# Accept forward for several protocols
iptables -A FORWARD -p tcp -i $IF0 --destination-port 21 --syn -j ACCEPT
iptables -A FORWARD -p tcp -i $IF0 --destination-port 22 --syn -j ACCEPT
iptables -A FORWARD -p tcp -i $IF0 --destination-port 25 --syn -j ACCEPT
iptables -A FORWARD -p tcp -i $IF0 --destination-port 110 --syn -j ACCEPT
iptables -A FORWARD -p tcp -i $IF0 --destination-port 143 --syn -j ACCEPT

# Accept packets forward that are part of existing and related connections from $IF1, and $IF2 (internet) to intranet/vmnet.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Permit packets in to firewall itself that are part of existing and related connections.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# DROP direct Squid requests from intranet, before allowing all other inputs
iptables -A INPUT -p tcp -i $IF0 --destination-port 3128 --syn -j DROP
# Then ALLOW all inputs to firewall from the internal network and local interfaces
iptables -A INPUT -i $IF0   -j ACCEPT
iptables -A INPUT -i lo     -j ACCEPT
iptables -A INPUT -i vmnet8 -j ACCEPT

### Accept all tcp SYN packets for necessary protocols ###
# Accept SSH for input
iptables -A INPUT -p tcp --destination-port 22 --syn -j ACCEPT

# FTP server, see /etc/proftpd.conf
iptables -A INPUT -p tcp --destination-port 21 --syn -j ACCEPT
iptables -A INPUT -p tcp --destination-port 6100:7000 --syn -j ACCEPT

# Enable SQUID on port 6023 from DSL line
iptables -A INPUT -p tcp -i $IF2 --destination-port 6023 --syn -j ACCEPT

# HTTP,HTTPS:
iptables -A INPUT -p tcp --destination-port 80 --syn -j ACCEPT
iptables -A INPUT -p tcp --destination-port 443 --syn -j ACCEPT

#####  MLDonkey  ######
# see /var/lib/mldonkey/donkey.ini
iptables -A INPUT -i $IF2 -p tcp --sport 8000:8100 -j ACCEPT
iptables -A INPUT -i $IF2 -p udp --sport 8000:8100 -j ACCEPT

# Allow Skype forwarding
iptables -A FORWARD -p tcp --dport 1227 -j ACCEPT
iptables -A FORWARD -p udp --dport 1227 -j ACCEPT

###############
# MASQUERADE  #
###############
# masquerade 10.0.** packets
iptables -A POSTROUTING -t nat -s 10.0.0.0/16 -o $IF1 -j MASQUERADE
iptables -A POSTROUTING -t nat -s 10.0.0.0/16 -o $IF2 -j MASQUERADE

##########
# Deny   #
##########
# Deny any packet coming in on the public internet interface IF1 and IF2
# which has a spoofed source address from our local networks:
iptables -A INPUT -i $IF1 -s 10.0.0.0/24   -j DROP
iptables -A INPUT -i $IF1 -s 127.0.0.0/8   -j DROP
iptables -A INPUT -i $IF1 -s $P2_NET       -j DROP
iptables -A INPUT -i $IF2 -s 10.0.0.0/24   -j DROP
iptables -A INPUT -i $IF2 -s 127.0.0.0/8   -j DROP
iptables -A INPUT -i $IF2 -s 10.12.10.0/24 -j DROP

# Finally, DENY all connection requests not yet provided
iptables -A INPUT -s 0/0 -d 0/0 -p udp -j DROP
iptables -A INPUT -s 0/0 -d 0/0 -p tcp --syn -j DROP

#### the end

Saites

 

Created by Valdis Vītoliņš on 2008-08-09 13:33
Last modified by Valdis Vītoliņš on 2013-09-09 13:48
 
Xwiki Powered
Creative Commons Attribution 3.0 Unported License