 
 

Avanceret Netfilter/IPTables eksempel

Her er et andet eksempel på brug af netfilter-faciliteten i Linux 2.4-kernen til at beskytte en Linux-maskine, som er koblet op til Internettet. Dette regelsæt er lavet til en maskine med 3 netværkskort: Det ene mod Internet, det andet mod det interne netværk, og et tredje til en såkaldt DMZ-zone, hvor de offentligt tilgængelige servere sidder. Det er udviklet af Jeppe Koefoed, jeppe@koefoed.to.

Du kan downloade selve scriptet her.

############################################################################
####################
### 05/06-2001 Jeppe Koefoed
###
### jeppe@koefoed.to
###
###
###
### Revision history
###
### Version 0.3:   Added DMZ interface, new chain structure
###
### Version 0.2:   Added pool nat, redirection, static nat
###
### Version 0.1:   Initial script, 2 interfaces, simple masq
###
############################################################################
####################

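# For debugging: trace every command as it is executed.
#set -x

# External programs.
# Absolute path and read-only: this script runs as root, so it must not pick
# up an 'iptables' from the caller's PATH, and every rule below must go
# through the same binary (use $IPTABLES, never a bare 'iptables').
readonly IPTABLES=/sbin/iptables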

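# Dispatch on the first argument.  Only 'start' falls through into the
# rule section below; every other verb finishes here with an explicit
# exit, so the ruleset is never (re)applied as a side effect of a
# read-only verb such as 'status'.
case "$1" in
  start)
    # Just fall through..... (no exit): the rest of the file applies the policy.
    ;;
  stop)
    # Remove every rule and user chain, open the default policies and stop
    # routing: the box is left as an ordinary host that forwards nothing.
    # Clear filter entries
    $IPTABLES -F
    # Clear chains
    $IPTABLES -X
    # Clear NAT entries
    $IPTABLES -t nat -F
    # Clear chains
    $IPTABLES -t nat -X
    # Clear mangle entries
    $IPTABLES -t mangle -F
    # Set default chain policies
    $IPTABLES -P FORWARD ACCEPT
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P OUTPUT ACCEPT
    # Disable routing
    echo "0" > /proc/sys/net/ipv4/ip_forward
    exit 0
    ;;
  unload)
    # Drop the filter rules but keep NAT (and routing) in place: hosts
    # behind the box stay reachable with no policy in front of them.
    echo "Warning: Your are routing packets WITHOUT a security policy"
    # Clear filter entries
    $IPTABLES -F
    # Clear chains
    $IPTABLES -X
    # Clear chains
    $IPTABLES -t nat -X
    # Set default chain policies
    $IPTABLES -P FORWARD ACCEPT
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P OUTPUT ACCEPT
    exit 0
    ;;
  status)
    # Read-only: list the filter table and stop (must NOT fall through).
    $IPTABLES -L -n -v --line-numbers
    exit 0
    ;;
  nat)
    # Read-only: list the nat table and stop (must NOT fall through).
    $IPTABLES -L -n -v --line-numbers -t nat
    exit 0
    ;;
  *)
    echo "Usage: $0 {start|stop|unload|status|nat}"
    echo "          start  : applies rules/nat and enable routing"
    echo "          stop   : removes rules/nat and disable routing"
    echo "          unload : removes rules, applies nat and enable routing (dangerous)"
    echo "          status : Shows rules"
    echo "          nat    : Shows NAT"
    exit 1
    ;;
esac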

# This is done when argument 'start' :
#####################################################################
###    Site specific
#####################################################################

# Interfaces, one per zone
ext_if="eth1"   # towards the Internet
int_if="eth2"   # towards the internal net
dmz_if="eth0"   # towards the DMZ

# Networks behind int_if and dmz_if
localnet="192.168.222.0/24"
dmznet="192.168.244.0/24"

# Hosts

# Gateway: this box's own address on each of the three interfaces
ext_ip="192.168.1.2"
int_ip="192.168.222.1"
dmz_ip="192.168.244.1"

# Alternative to hardcoding: read the addresses off the interfaces.
#ext_ip=$(ifconfig $ext_if | grep inet | awk -F: '{print $2}' | awk '{print $1}')
#int_ip=$(ifconfig $int_if | grep inet | awk -F: '{print $2}' | awk '{print $1}')
#dmz_ip=$(ifconfig $dmz_if | grep inet | awk -F: '{print $2}' | awk '{print $1}')

# Webserver: target of the port-80 DNAT in the NAT section.
# NOTE(review): this is the same address as int_ip, i.e. the gateway
# itself - confirm that is intended.
webserver="192.168.222.1"

# Management client: the host given its own ssh rule towards the firewall
management="192.168.222.10"

# Pool nat (remember to route pool / proxy arp)
IP_POOL="192.168.1.129-192.168.1.254"

### Port definition ###
# Redirection: transparent proxy on this machine
SQUID_PORT="8080"

# Static nat: one-to-one mapping of the terminal server (DMZ <-> outside)
terminalserver_int="192.168.244.2"
terminalserver_ext="192.168.1.100"

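#########################################################################
# Kernel (/proc/sys) settings
#
# IP forwarding is switched on at the very END of this file, after the
# filter and NAT rules are loaded.  Enabling it here, before the DROP
# policies below are set, would route packets unfiltered for as long as
# the rest of this script takes to run.
#########################################################################

# Setting up Dynamic address (ppp) - not used on this box
#   echo "1" >/proc/sys/net/ipv4/ip_dynaddr

# Setting up anti-ipspoofing: reverse-path filtering on every interface.
# On kernels of this vintage conf/all/rp_filter is ANDed with the
# per-interface value, so setting 'all' alone does not turn it on for any
# interface - set each one explicitly.
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
  echo "1" > "$f"
done

# Enable syn-cookies (syn-flooding attacks)
echo "1" > /proc/sys/net/ipv4/tcp_syncookies

# Ignore ICMP echo-request to broadcast addresses (Smurf amplifier)
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Ignore ICMP echo-request altogether (the icmp_allowed chain below does
# the same job per rule)
# echo "1" >/proc/sys/net/ipv4/icmp_echo_ignore_all

# Do not honour ICMP redirects or source-routed packets
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route

# Ignore bogus ICMP error responses
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Log packets with impossible source addresses (martians)
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

# Set local (ephemeral) port range
echo "50000 60999" > /proc/sys/net/ipv4/ip_local_port_range


############################################################################
####  RULES        (remember corresponding NAT)
############################################################################

## Insert connection-tracking modules (not needed if built into kernel).
# insmod ip_conntrack
# insmod ip_conntrack_ftp

###
### Policy:
###

# Set default chain policies first (paranoid): should anything below fail
# half-way, the box is left closed, not open.
$IPTABLES -P FORWARD DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP

# Flush the rules and delete the user chains of every table touched below.
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F
$IPTABLES -t nat -X
$IPTABLES -t mangle -F

### Anti-ip-spoofing
# Forwarded packets whose source address cannot legitimately arrive on
# (or leave via) that interface go to the 'spoof' chain.
# ('-s ! net' is the old negation syntax; newer iptables prefer '! -s net'.)
$IPTABLES -N spoof
$IPTABLES -A FORWARD -i $int_if -s ! $localnet -j spoof
$IPTABLES -A FORWARD -i $dmz_if -s ! $dmznet -j spoof

# Our own nets, loopback and private space must never come in from the
# Internet side...
$IPTABLES -A FORWARD -i $ext_if -s $localnet -j spoof
$IPTABLES -A FORWARD -i $ext_if -s $dmznet -j spoof
$IPTABLES -A FORWARD -i $ext_if -s 127.0.0.0/8 -j spoof
$IPTABLES -A FORWARD -i $ext_if -s 10.0.0.0/8 -j spoof
$IPTABLES -A FORWARD -i $ext_if -s 172.16.0.0/12 -j spoof
#$IPTABLES -A FORWARD -i $ext_if -s 192.168.0.0/16 -j spoof

# ...nor leak out towards it.  (192.168/16 is left commented out,
# presumably because ext_ip and the NAT pool live in that range.)
$IPTABLES -A FORWARD -o $ext_if -s 127.0.0.0/8 -j spoof
$IPTABLES -A FORWARD -o $ext_if -s 10.0.0.0/8 -j spoof
$IPTABLES -A FORWARD -o $ext_if -s 172.16.0.0/12 -j spoof
#$IPTABLES -A FORWARD -o $ext_if -s 192.168.0.0/16 -j spoof

# Allow dhcp (broadcast from the inside has a non-local source)
$IPTABLES -A spoof -i $int_if -d 255.255.255.255 -j ACCEPT
# Log the rest (rate-limited, so a flood cannot fill the log) and drop it
$IPTABLES -A spoof -m limit --limit 5/minute -j LOG --log-prefix "Spoofing:"
$IPTABLES -A spoof -j DROP
###

### General ICMP
# Only these ICMP types may open a NEW conversation; ICMP belonging to a
# tracked connection is already accepted by the ESTABLISHED,RELATED rules.
$IPTABLES -N icmp_allowed
$IPTABLES -A icmp_allowed -m state --state NEW -p icmp --icmp-type echo-request -j ACCEPT
$IPTABLES -A icmp_allowed -m state --state NEW -p icmp --icmp-type source-quench -j ACCEPT
$IPTABLES -A icmp_allowed -m state --state NEW -p icmp --icmp-type time-exceeded -j ACCEPT
$IPTABLES -A icmp_allowed -m state --state NEW -p icmp --icmp-type destination-unreachable -j ACCEPT
# Don't allow other icmp (or comment out and add specific icmp-rule at each chain)
$IPTABLES -A icmp_allowed -j DROP
###


############################################################################
### Rules starts here
###

# First, make fw statefull: anything belonging to a known connection is
# accepted, anything the tracker cannot classify is dropped.
# (All through $IPTABLES - a bare 'iptables' would be resolved via PATH.)
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state INVALID -j DROP
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP
$IPTABLES -A INPUT -m state --state INVALID -j DROP

# General ICMP
$IPTABLES -A FORWARD -p icmp -j icmp_allowed
$IPTABLES -A INPUT -p icmp -j icmp_allowed
$IPTABLES -A OUTPUT -p icmp -j icmp_allowed

# Create chains: one <from>_<to> chain per zone pair, one accept_<zone>
# chain per source zone (decides whether to log), and the catch-all.
$IPTABLES -N int_ext
$IPTABLES -N int_dmz
$IPTABLES -N ext_int
$IPTABLES -N ext_dmz
$IPTABLES -N dmz_ext
$IPTABLES -N dmz_int
$IPTABLES -N accept_dmz
$IPTABLES -N accept_int
$IPTABLES -N accept_ext
$IPTABLES -N accept_fw
$IPTABLES -N cleanup


### Rules from inside
# Allow everything from inside to internet (ext)
$IPTABLES -A int_ext -m state --state NEW -j accept_int
# Allow everything from inside to dmz
$IPTABLES -A int_dmz -m state --state NEW -j accept_int
###

### Rules from dmz
# Allow everything from dmz to internet (ext)
$IPTABLES -A dmz_ext -m state --state NEW -j accept_dmz
# Allow everything from dmz to inside
# NOTE(review): this lets a compromised DMZ host reach every internal
# host; restrict dmz_int to the services the inside really needs.
$IPTABLES -A dmz_int -m state --state NEW -j accept_dmz
###

### Rules from internet (ext)
# Reject ident (speeds up sending mail)
$IPTABLES -A ext_int -m state --state NEW -p tcp --dport 113 -j REJECT --reject-with tcp-reset
$IPTABLES -A ext_dmz -m state --state NEW -p tcp --dport 113 -j REJECT --reject-with tcp-reset
# Nothing else is accepted from the Internet into the DMZ here, so the
# terminal-server DNAT in the NAT section ends up in 'cleanup' until a
# matching accept rule is added to ext_dmz.
###

### Acceptrules:
# No logging from inside:
$IPTABLES -A accept_int -j ACCEPT
# No logging from dmz:
$IPTABLES -A accept_dmz -j ACCEPT
# Log from outside
$IPTABLES -A accept_ext -j LOG --log-prefix "Accepted packet on $ext_if:"
$IPTABLES -A accept_ext -j ACCEPT
# Log against FW
#$IPTABLES -A accept_fw -j LOG --log-prefix "Accepted packet on"
$IPTABLES -A accept_fw -j ACCEPT
###

### Cleanup rule (not specified, not allowed)
# Reject ident (speeds up sending mail)
$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 113 -j REJECT --reject-with tcp-reset
# Dolby rule: drop NetBIOS datagram (udp 138) noise silently, presumably so
# it does not end up in the rate-limited cleanup log
$IPTABLES -A INPUT -m state --state NEW -p udp --dport 138 -j DROP
$IPTABLES -A cleanup -m limit --limit 5/minute -j LOG --log-prefix "Cleanup-rule:"
$IPTABLES -A cleanup -j DROP
###

### Allow some connections to FW
# Loopback interface
$IPTABLES -A INPUT -i lo -j ACCEPT
# Allow management from inside
$IPTABLES -A INPUT -m state --state NEW -i $int_if -s $management -p tcp --dport ssh -j accept_fw
# Allow everything from inside - not recommended
$IPTABLES -A INPUT -m state --state NEW -i $int_if -s $localnet -j accept_fw
# Allow dhcp from inside - not recommended: no source match at all, so any
# NEW connection arriving on $int_if is accepted and the two rules above
# are effectively redundant.  A '-p udp --dport 67' match would do for dhcp.
$IPTABLES -A INPUT -m state --state NEW -i $int_if -j accept_fw
# Allow everything from dmz - not recommended
$IPTABLES -A INPUT -m state --state NEW -i $dmz_if -s $dmznet -j accept_fw

## From internet - not recommended
# Allow ssh from outside (any interface, no rate limit; consider '-m limit'
# or a source restriction to slow down password guessing)
$IPTABLES -A INPUT -m state --state NEW -p tcp --dport ssh -j accept_fw
# Allow mail from outside
$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 25 -j accept_fw
## Allow www from outside
#$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 80 -j accept_fw
# Allow ftp from outside
#$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 21 -j accept_fw
##
# ..the rest goes to cleanup
$IPTABLES -A INPUT -j cleanup
###

###
# Allow all connections from FW
$IPTABLES -A OUTPUT -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -j cleanup
###

## Jump to the zone-pair chains from FORWARD; whatever they do not accept
## falls through to cleanup.
$IPTABLES -A FORWARD -s $localnet -d $dmznet -j int_dmz
$IPTABLES -A FORWARD -s $localnet -d ! $dmznet -j int_ext
$IPTABLES -A FORWARD -s $dmznet -d $localnet -j dmz_int
$IPTABLES -A FORWARD -s $dmznet -d ! $localnet -j dmz_ext
$IPTABLES -A FORWARD -s ! $dmznet -d $localnet -j ext_int
$IPTABLES -A FORWARD -s ! $localnet -d $dmznet -j ext_dmz
$IPTABLES -A FORWARD -j cleanup

###
### Rules end here
############################################################################

############################################################################
## Address translation (NAT)      (remember corresponding rule)
############################################################################
# POSTROUTING order matters: SNAT is a terminating target, so the specific
# one-to-one and pool translations must come BEFORE the many-to-one
# catch-all for everything leaving $ext_if, or the catch-all shadows them
# and every outbound packet is rewritten to $ext_ip.

# Static nat (one-to-one-NAT), outbound half
$IPTABLES -A POSTROUTING -t nat -s $terminalserver_int -j SNAT --to-source $terminalserver_ext

# Pool nat (one-to-one-NAT)
$IPTABLES -A POSTROUTING -t nat -s $dmznet -o $ext_if -j SNAT --to-source $IP_POOL

# Hiding of internal net (many-to-one-NAT) - must stay last
$IPTABLES -t nat -A POSTROUTING -o $ext_if -j SNAT --to $ext_ip

# Static portforwarding :   External to internal
# Internal Webserver
$IPTABLES -A PREROUTING -t nat -p tcp -d $ext_ip --dport 80 -j DNAT --to $webserver:80
# A range
#$IPTABLES -A PREROUTING -t nat -p tcp -d $ext_ip --dport 2000:3000 -j DNAT --to $webserver:2000-3000

# Static nat (one-to-one-NAT), inbound half (NAT before rules)
$IPTABLES -A PREROUTING -t nat -d $terminalserver_ext -j DNAT --to-destination $terminalserver_int

# Redirect nat (here: transparent http to squid on local machine)
$IPTABLES -A PREROUTING -t nat -i $int_if -d ! $localnet -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT

# Load balancing
# Basic load balancing by redirecting www requests to any of several local www servers
#virtual_www=www.koefoed.to
#www_range=192.168.244.200-192.168.244.205
#$IPTABLES -A PREROUTING -t nat -i $ext_if -d $virtual_www -p tcp --dport 80 -j DNAT --to-dest $www_range

#test
#$IPTABLES -A POSTROUTING -t nat -s 192.168.222.10 -o $ext_if -j SNAT --to-source 192.168.1.205
#$IPTABLES -A PREROUTING -t nat -i $ext_if -d 192.168.1.205 -j DNAT --to-dest 192.168.222.10

############################################################################
## Quality of Service   (A poor man's version)
############################################################################

# Mark interactive traffic for low delay.
$IPTABLES -A PREROUTING -t mangle -p tcp --sport telnet -j TOS --set-tos Minimize-Delay
$IPTABLES -A PREROUTING -t mangle -p tcp --sport ftp -j TOS --set-tos Minimize-Delay
$IPTABLES -A PREROUTING -t mangle -p tcp --sport ssh -j TOS --set-tos Minimize-Delay


############################################################################
# Rules and NAT are in place: now, and only now, enable routing.
echo "1" > /proc/sys/net/ipv4/ip_forward

# clean exit:
exit 0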



 

 
 