Warning

Unless stated otherwise in the following recipe, service setup is described for an Ubuntu 20.04 server, while applications are described for an Xubuntu 20.04 workstation. If you use a different Ubuntu version or Linux distribution, the settings, as well as the contents, names and locations of configuration files, may differ!

Iptables for a server with 2 public network connections

Information

This is an example iptables configuration script for a server that has two connections to the internet.
It does not forward HTTP/HTTPS traffic directly, so that traffic can be restricted with the Dansguardian content filter (running on the server together with Squid).

Example setup script:

#!/bin/sh
# for a generic sample see: http://oceanpark.com/notes/firewall_example.html
# http://www.faqs.org/docs/iptables/index.html
# ---------------------------------------------------
# The following picture shows the packet processing sequence of tables and chains
# lowercase - tables, UPPERCASE - CHAINS
#
#                 Network
#                   |
#                  raw
#                 mangle
#                  nat
#               PREROUTING
#                   |
#      -------<Routing decision>--------
#      |                               |
#    mangle                            |
#    filter                            |
#    INPUT                             |
#      |                               |
#  Local process                       |
# <Routing decision>                   |
#      |                               |
#     raw                            mangle
#    mangle                          filter
#     nat                            FORWARD
#    filter                            |
#    OUTPUT                            |
#      |                               |
#      ---------------------------------
#                   |
#                 mangle
#                  nat
#               POSTROUTING
#                   |
#                Network
#
# The following is the connection schema with two different external network connections
#    IF1             IF2
#   Static           DHCP
#  10.12.10.2        IP2
# 255.255.255.0  255.255.xxx.yyy
#    |                |
#  -----------------------
#  |                     |
#  |                     |
#  -----------------------
#            |
#           IF0
#         10.0.0.1
#       255.255.255.0
#
# Here we go...
# http://support.imagestream.com/Resolving_ip_conntrack_table_full_Errors.html
# http://www.faqs.org/docs/iptables/theconntrackentries.html
#echo 16384 > /proc/sys/net/ipv4/ip_conntrack_max

IF0="eth0"   # internal network (10.0.0.0/24)
IF1="eth2"   # public interface with the static address 10.12.10.2
IF2="eth1"   # public interface configured by DHCP

# get mask and address for the DHCP network interface:
net_mask=$(ip addr show "$IF2" | grep "inet " | awk '{print $2}')
mask=$(echo "$net_mask" | awk -F"/" '{print $2}')
IP2=$(echo "$net_mask" | awk -F"/" '{print $1}')                 # interface address
# provider (default gateway) address, taken from the most recent DHCP lease;
# the lease file path depends on the DHCP client version
# (newer isc-dhcp-client releases keep it under /var/lib/dhcp/)
LEASES="/var/lib/dhcp3/dhclient.leases"
P2=$(tail -n 15 "$LEASES" | grep "option routers" | tail -n 1 | awk '{print substr($3,1,length($3)-1)}')
# public interface network; note that this derivation assumes the provider network is a /24
P2_NET=$(echo "$P2" | awk -F"." '{print $1"."$2"."$3".0/"}')
P2_NET="$P2_NET$mask"

#echo "net_mask:$net_mask"
#echo "mask:$mask"
#echo "IP2:$IP2"
#echo "P2_NET:$P2_NET"
#echo "P2:$P2"
#exit 0

# Enable forwarding
echo 1 >/proc/sys/net/ipv4/ip_forward

# Flush all specific rules
iptables -F
iptables -F -t mangle
iptables -F -t nat
iptables -F -t filter
# Set counters to zero
iptables -Z
iptables -Z -t mangle
iptables -Z -t nat
iptables -Z -t filter

# Configure default policies (-P), i.e. the rule applied when no more specific
# rule below matches.  Defaults are to DROP anything sent to the firewall or the
# internal network, and to permit anything going out.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# outgoing VNC packets from the local network should be routed through $IF2
# (the mark alone does nothing; a matching "ip rule ... fwmark 200" policy
# routing entry is needed for it to take effect):
# iptables -A PREROUTING -t mangle -i $IF0 -p tcp --sport 5900:5995 -j MARK --set-mark 200

##########
# Deny   #
##########
# Deny any packet coming in on the public internet interfaces IF1 and IF2
# which has a spoofed source address from our local networks.
# These rules come before any ACCEPT rule, otherwise a spoofed packet
# to an accepted port (e.g. 22) would be let in before reaching them.
iptables -A INPUT -i "$IF1" -s 10.0.0.0/24   -j DROP
iptables -A INPUT -i "$IF1" -s 127.0.0.0/8   -j DROP
iptables -A INPUT -i "$IF1" -s "$P2_NET"     -j DROP
iptables -A INPUT -i "$IF2" -s 10.0.0.0/24   -j DROP
iptables -A INPUT -i "$IF2" -s 127.0.0.0/8   -j DROP
iptables -A INPUT -i "$IF2" -s 10.12.10.0/24 -j DROP

###############
#   Allow     #
###############
# Allow ICMP from anywhere
iptables -A INPUT -p icmp -j ACCEPT
iptables -A FORWARD -p icmp -j ACCEPT

# Accept forwarding of new connections from the internal network for several protocols:
# FTP (21), SSH (22), SMTP (25), POP3 (110), IMAP (143).
# HTTP/HTTPS (80/443) are deliberately NOT forwarded: web traffic from the
# internal network must go through the Squid/Dansguardian proxy on this server.
iptables -A FORWARD -p tcp -i "$IF0" --destination-port 21 --syn -j ACCEPT
iptables -A FORWARD -p tcp -i "$IF0" --destination-port 22 --syn -j ACCEPT
iptables -A FORWARD -p tcp -i "$IF0" --destination-port 25 --syn -j ACCEPT
iptables -A FORWARD -p tcp -i "$IF0" --destination-port 110 --syn -j ACCEPT
iptables -A FORWARD -p tcp -i "$IF0" --destination-port 143 --syn -j ACCEPT

# Accept forwarded packets that are part of existing and related connections from $IF1 and $IF2 (internet) to intranet/vmnet.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Permit packets in to the firewall itself that are part of existing and related connections.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# DROP direct Squid requests (port 3128) from the intranet, before allowing all other inputs
iptables -A INPUT -p tcp -i "$IF0" --destination-port 3128 --syn -j DROP
# Then ALLOW all inputs to the firewall from the internal network and local interfaces
iptables -A INPUT -i "$IF0"  -j ACCEPT
iptables -A INPUT -i lo      -j ACCEPT
iptables -A INPUT -i vmnet8  -j ACCEPT

### Accept tcp SYN packets for the necessary protocols ###
# Accept SSH for input
iptables -A INPUT -p tcp --destination-port 22 --syn -j ACCEPT

# FTP server (control port and passive data port range), see /etc/proftpd.conf
iptables -A INPUT -p tcp --destination-port 21 --syn -j ACCEPT
iptables -A INPUT -p tcp --destination-port 6100:7000 --syn -j ACCEPT

# Enable SQUID on port 6023 from the DSL line
iptables -A INPUT -p tcp -i "$IF2" --destination-port 6023 --syn -j ACCEPT

# HTTP,HTTPS:
iptables -A INPUT -p tcp --destination-port 80 --syn -j ACCEPT
iptables -A INPUT -p tcp --destination-port 443 --syn -j ACCEPT

#####  MLDonkey  ######
# see /var/lib/mldonkey/donkey.ini
# Note: matching on the source port only is weak, since the remote peer chooses it.
iptables -A INPUT -i "$IF2" -p tcp --sport 8000:8100 -j ACCEPT
iptables -A INPUT -i "$IF2" -p udp --sport 8000:8100 -j ACCEPT

# Allow Skype forwarding
iptables -A FORWARD -p tcp --dport 1227 -j ACCEPT
iptables -A FORWARD -p udp --dport 1227 -j ACCEPT

###############
# MASQUERADE  #
###############
# masquerade 10.0.*.* packets leaving through either public interface
iptables -A POSTROUTING -t nat -s 10.0.0.0/16 -o "$IF1" -j MASQUERADE
iptables -A POSTROUTING -t nat -s 10.0.0.0/16 -o "$IF2" -j MASQUERADE

# Finally, DROP all connection requests not accepted above.
# The INPUT policy is already DROP; these explicit rules keep counters for what was rejected.
iptables -A INPUT -s 0/0 -d 0/0 -p udp -j DROP
iptables -A INPUT -s 0/0 -d 0/0 -p tcp --syn -j DROP

#### the end
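The script derives P2_NET by replacing the last octet of the gateway address with .0, which is only correct when the provider network is a /24. As an added example (not part of the original script), the POSIX shell function below computes the network prefix for any prefix length and rejects malformed input instead of producing a wrong network; the function name `cidr_network` is my own.

```shell
#!/bin/sh
# Added example: derive the network in CIDR form from an address/prefix pair,
# e.g. cidr_network 10.12.10.2/24 -> 10.12.10.0/24, cidr_network 192.0.2.77/22 -> 192.0.0.0/22.
# Returns 1 (and prints nothing) on malformed input, so a caller can refuse to
# install a DROP rule built from a bogus network instead of silently matching nothing.
cidr_network() {
    addr=${1%/*}
    plen=${1#*/}
    # the prefix length must be a number between 0 and 32
    case "$plen" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$plen" -ge 0 ] && [ "$plen" -le 32 ] || return 1

    # split the dotted quad into four octets
    oldifs=$IFS; IFS=.
    set -- $addr
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$1" "$2" "$3" "$4"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done

    # pack into a 32-bit integer, clear the host bits, unpack again
    ipnum=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    if [ "$plen" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - plen)) & 4294967295 ))
    fi
    net=$(( ipnum & mask ))
    printf '%d.%d.%d.%d/%d\n' \
        $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
        $(( (net >> 8) & 255 ))  $(( net & 255 )) "$plen"
}

# In the firewall script, $net_mask already holds IF2's address/prefix as
# printed by "ip addr", so P2_NET=$(cidr_network "$net_mask") would replace
# the awk-based derivation.
```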

Links

Tags: Linux, Network, Security
Created by Valdis Vītoliņš on 2008-08-09 07:33
Last modified by Valdis Vītoliņš on 2025-05-10 17:45
Creative Commons Attribution 3.0 Unported License