#!/bin/bash
# 20070330 iptables-router hse@ukr.net
# Distributed under the terms of the GNU General Public License v2 or later
# Acts as a router between the DMZ & the Internet with 2 interfaces!
# !!!!!!!!!!!!!!!
# need iptables-lo
# !!!!!!!!!!!!!!!
# Example of an iptables script for a router
# usage: /etc/ppp/iptables-router <dev1> <dev2> <action>
# parameter <action> can be "start" or "stop"
# parameter <dev*> is the interface name: "ppp0" for a ppp link, "eth0" for an Ethernet card, ...
# 0 ******************* VARIABLE setup *****************************
# before running this script, set up the configuration of your network here:
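ifconfig='/sbin/ifconfig'
iptables='/sbin/iptables'
# NOTE: modprobe is only referenced by the commented-out module lines further down.
modprobe='/sbin/modprobe'
# Check parameters
#######################################
# Print the usage text and abort.
# Arguments: none
# Outputs:   usage text on stderr
# Returns:   does not return; exits with status 1
#######################################
usage() {
  echo 'Usage:
iptables-router <device1> <device2> <action>
Example:
iptables-router eth0 eth1 start
iptables-router eth0 eth1 stop' >&2
  exit 1
}
#######################################
# Warn when the kernel does not know a network interface.
# Network interfaces are not device nodes, so the former test on /dev/<iface>
# could never find them; with sysfs mounted every interface is listed under
# /sys/class/net. This is deliberately only a warning: on "stop" a dynamic
# interface (e.g. ppp0) may already be gone while its rules still have to be
# deleted, which is why the exit stays commented out.
# Arguments: $1 - interface name
# Outputs:   warning on stderr when the interface does not exist
# Returns:   0 always
#######################################
check_interface() {
  if [[ ! -e "/sys/class/net/$1" ]]; then
    echo "Network interface $1 does not exist!!!" >&2
    # exit 1
  fi
  return 0
}
# <action> selects the iptables verb: "-A" (append) on start, "-D" (delete) on stop.
# actionchain is the matching verb for user-defined chains ("-N"/"-X"); it is set
# for completeness but no rule in this script uses it.
case "$3" in
  'start')
    action='-A'
    actionchain='-N'
    ;;
  'stop')
    action='-D'
    actionchain='-X'
    ;;
  *)
    usage
    ;;
esac
check_interface "$1"
check_interface "$2"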
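# Configure your network here before running this script:
# begin
# Interface setup: <dev1> is the Internet-facing interface, <dev2> the DMZ/LAN one.
InetInterface="$1"
InetDevice='eth0'
LocalInterface="$2"
LocalDevice='eth1'
# NOTE: InetDevice/LocalDevice are not referenced by any rule in this script; kept for compatibility.
# Loopback interface and address range
LoopInterface='lo'
LoopIP='127.0.0.0/8'
# Directory where "start" records the detected addresses so that "stop" can rebuild
# identical rules for deletion even when the interface is already down.
state_dir='/etc/iptables'

#######################################
# Extract one field of an ifconfig address line.
# The parser expects the classic net-tools layout
# ("inet addr:A.B.C.D  Bcast:A.B.C.D  Mask:A.B.C.D"); newer net-tools
# releases print this line differently, in which case the result is empty
# (the emptiness check below catches that).
# Globals:   ifconfig (read)
# Arguments: $1 - interface name
#            $2 - literal text the line must contain ('inet addr' or ' Bcast:')
#            $3 - colon-separated field number to print
# Outputs:   first word of that field on stdout (empty when not found)
#######################################
ifconfig_field() {
  local iface=$1 marker=$2 field=$3
  # POSIX locale so the labels are not translated; LC_ALL cleared so LANG applies.
  LANG="POSIX" LC_ALL="" "${ifconfig}" "${iface}" \
    | awk -F: -v m="${marker}" -v f="${field}" 'index($0, m) { print $f }' \
    | awk '{ print $1 }'
}

#######################################
# Persist the detected addresses of an interface under ${state_dir}/<iface>/.
# Globals:   state_dir (read)
# Arguments: $1 - interface, $2 - host IP, $3 - broadcast IP, $4 - netmask
# Outputs:   files HostIP, BroadcastIP and NetMask (one value each)
# Returns:   non-zero when the directory cannot be created
#######################################
save_iface_state() {
  local dir="${state_dir}/$1"
  mkdir -p -- "${dir}" || return 1
  printf '%s\n' "$2" > "${dir}/HostIP"
  printf '%s\n' "$3" > "${dir}/BroadcastIP"
  printf '%s\n' "$4" > "${dir}/NetMask"
}

#######################################
# Print one value written by save_iface_state.
# Globals:   state_dir (read)
# Arguments: $1 - interface, $2 - file name (HostIP, BroadcastIP or NetMask)
# Outputs:   file contents on stdout
# Returns:   1 (with a message on stderr) when the file is missing or unreadable
#######################################
load_iface_state() {
  local file="${state_dir}/$1/$2"
  if [[ ! -r "${file}" ]]; then
    echo "Saved state ${file} not found: run this script with \"start\" first" >&2
    return 1
  fi
  cat -- "${file}"
}

# Figure out the current IP configuration.
# On "start" it is read from the live interfaces and saved; on "stop" the saved
# copy is used so the rules being deleted are spelled exactly like those added.
if [[ "${action}" == "-A" ]]; then
  InetHostIP=$(ifconfig_field "${InetInterface}" 'inet addr' 2)
  InetBroadcastIP=$(ifconfig_field "${InetInterface}" ' Bcast:' 3)
  InetNetMask=$(ifconfig_field "${InetInterface}" 'inet addr' 4)
  LocalHostIP=$(ifconfig_field "${LocalInterface}" 'inet addr' 2)
  LocalBroadcastIP=$(ifconfig_field "${LocalInterface}" ' Bcast:' 3)
  LocalNetMask=$(ifconfig_field "${LocalInterface}" 'inet addr' 4)
  # An empty host address or netmask would turn every "-s/-d ${...}" rule below
  # into a malformed iptables call and leave a partial rule set behind; refuse to
  # touch the firewall instead (no iptables command has run yet at this point).
  # Broadcast addresses may legitimately be empty (point-to-point links).
  if [[ -z "${InetHostIP}" || -z "${InetNetMask}" || -z "${LocalHostIP}" || -z "${LocalNetMask}" ]]; then
    echo "Could not determine the IPv4 address of ${InetInterface} or ${LocalInterface} (interface down or unexpected ifconfig output?)" >&2
    exit 1
  fi
  save_iface_state "${InetInterface}" "${InetHostIP}" "${InetBroadcastIP}" "${InetNetMask}" || exit 1
  save_iface_state "${LocalInterface}" "${LocalHostIP}" "${LocalBroadcastIP}" "${LocalNetMask}" || exit 1
else
  InetHostIP=$(load_iface_state "${InetInterface}" HostIP) || exit 1
  InetBroadcastIP=$(load_iface_state "${InetInterface}" BroadcastIP) || exit 1
  InetNetMask=$(load_iface_state "${InetInterface}" NetMask) || exit 1
  LocalHostIP=$(load_iface_state "${LocalInterface}" HostIP) || exit 1
  LocalBroadcastIP=$(load_iface_state "${LocalInterface}" BroadcastIP) || exit 1
  LocalNetMask=$(load_iface_state "${LocalInterface}" NetMask) || exit 1
fi
# Networks in "address/mask" form, as used by the -s/-d matches below.
InetNet="${InetHostIP}/${InetNetMask}"
LocalNet="${LocalHostIP}/${LocalNetMask}"
#SpoofingHostIP="10.0.0.10"
# ISP Servers setup
# DHCP can be: "server", "client" or "static"
DHCP='static'
# If DHCP='client' you must set DHCP_SERVER:
DHCP_SERVER='10.0.0.10'
#ns_1='10.0.0.10'
#TimeServer='10.0.0.10'
#POP_Server='10.0.0.10'
#IMAP_Server='10.0.0.10'
#SMTP_Server='10.0.0.10'
monitoring_Server='10.0.0.10'
# Local (DMZ) servers that the nat PREROUTING rules forward public ports to
DNS_Servers="10.0.0.1"
WWW_Servers="10.0.0.5"
FTP_Servers="10.0.0.5"
# Check for some kernel modules
#
# Needed to initially load modules
#
#/sbin/depmod -a
#
# Required modules
#${modprobe} ip_tables
#${modprobe} ip_conntrack
#${modprobe} iptable_filter
#${modprobe} iptable_mangle
#${modprobe} iptable_nat
#${modprobe} ipt_LOG
#${modprobe} ipt_limit
#${modprobe} ipt_state
#${modprobe} ipt_owner
#${modprobe} ipt_REJECT
#${modprobe} ipt_MASQUERADE
#${modprobe} ip_conntrack_ftp
#${modprobe} ip_conntrack_irc
#${modprobe} ip_nat_ftp
#${modprobe} ip_nat_irc
# Required proc configuration (all left commented out here; enable forwarding and the
# anti-spoofing sysctls in your system configuration or uncomment them)
# Enable forwarding
#echo 1 > /proc/sys/net/ipv4/ip_forward
# no IP spoofing
#if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
# then
# for i in /proc/sys/net/ipv4/conf/*/rp_filter
# do
# echo 1 > $i
# done
#fi
# Disable Source Routed Packets
#for i in /proc/sys/net/ipv4/conf/*/accept_source_route
# do
# echo 0 > $i
# done
#echo 0 > /proc/sys/net/ipv4/conf/all/proxy_arp
#echo 0 > /proc/sys/net/ipv4/ip_dynaddr
# Summary of the configuration the rules below are built from.
printf ' Machine type: %s hostname: %s.%s\nInetInterface=%s InetHostIP=%s InetBroadcastIP=%s InetNetMask=%s\nLocalInterface=%s LocalHostIP=%s LocalBroadcastIP=%s LocalNetMask=%s\n' \
  "${MACHTYPE}" "${HOSTNAME}" "${DOMAINNAME}" \
  "${InetInterface}" "${InetHostIP}" "${InetBroadcastIP}" "${InetNetMask}" \
  "${LocalInterface}" "${LocalHostIP}" "${LocalBroadcastIP}" "${LocalNetMask}"
# end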
# Feel free to change the firewall rules below to suit your needs.
# NOTE(review): the user-defined chains jumped to below (TCPRules, BadGuy, GoodGuy,
# BadTcp) are not created in this script; they must exist beforehand (see the
# "need iptables-lo" note in the header) or the rules targeting them are rejected.
# NOTE(review): "-s ! addr" as used below is the legacy negation spelling; newer
# iptables releases accept only "! -s addr".
# I ******************* FILTERING TABLE rules ****************************
# (0) Policies (default)
# Set on BOTH start and stop: after "stop" has deleted the rules the DROP policies
# remain, so the host then passes no traffic at all (fail-closed).
${iptables} -t filter -P INPUT DROP
${iptables} -t filter -P OUTPUT DROP
${iptables} -t filter -P FORWARD DROP
# (1) User-defined chains for ACCEPTed TCP packets
# from Internet
#${iptables} ${action} TCPRules -p TCP --syn -j ACCEPT
#${iptables} ${action} TCPRules -p TCP -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Logging incorrect packets:
#${iptables} ${action} TCPRules -p TCP -m limit --limit 5/m -j LOG --log-prefix "iptables TCP INPUT " --log-tcp-options --log-ip-options
# Ban all IPs which try to access other ports
#${iptables} ${action} TCPRules -p TCP -s ! ${LocalNet} -m recent --name TmpBan --set -j DROP
# (2) INPUT chain rules
# Attempt to detect TCP and UDP port scans from the Internet with the "recent" match.
# Bad Guy list, we will remember them :-)
# The recent lists can be edited by hand through /proc/net/ipt_recent/<list>
# (DEFAULT shown below; the lists used in this script are BadGuy and TmpBan):
# echo xx.xx.xx.xx > /proc/net/ipt_recent/DEFAULT
# echo -xx.xx.xx.xx > /proc/net/ipt_recent/DEFAULT
# echo clear > /proc/net/ipt_recent/DEFAULT
# Anyone already on the BadGuy list is dropped outright (no --seconds limit, so the
# ban lasts until the entry is evicted from the list).
${iptables} ${action} INPUT -i ${InetInterface} -m recent --name BadGuy --rcheck -j DROP
# Add to BadGuy: non-LAN sources probing these TCP ports on the external address.
${iptables} ${action} INPUT -p TCP -i ${InetInterface} -s ! ${LocalNet} -d ${InetHostIP} -m multiport --dport 23,79,135,139,311,389,445,464,513,548,554,587,1025,1026 -m recent --name BadGuy --set -j DROP
# List of temporarily banned addresses, we will remember them too :)
# On TmpBan and seen within the last 30 seconds: drop, refreshing the timestamp (--update).
${iptables} ${action} INPUT -i ${InetInterface} -m recent --name TmpBan --update --seconds 30 -j DROP
# Seen 7 times within 600 seconds: that is enough, promote to the BadGuy chain.
${iptables} ${action} INPUT -i ${InetInterface} -s ! ${LocalNet} -m recent --name TmpBan --rcheck --seconds 600 --hitcount 7 -j BadGuy
# Still on TmpBan (seen at least once in the last 3600 seconds) but outside the
# 30-second window above: hand over to the GoodGuy chain.
${iptables} ${action} INPUT -i ${InetInterface} -m recent --name TmpBan --rcheck --seconds 3600 --hitcount 1 -j GoodGuy
# When the TTL of the current packet matches that of the packet which hit the --set rule. DoS!
${iptables} ${action} INPUT -i ${InetInterface} -m recent --name TmpBan --update --rttl -j DROP
# Bad TCP packets we don't want: delegated to the BadTcp chain.
${iptables} ${action} INPUT -p TCP -j BadTcp
# Rules for incoming packets from the local computer:
#${iptables} ${action} INPUT -m conntrack -p ALL -i ${LoopInterface} -s ${LocalHostIP} --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
#${iptables} ${action} INPUT -m conntrack -p ALL -i ${LoopInterface} -s ${InetHostIP} --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
${iptables} ${action} INPUT -m conntrack -p ALL -i ${LoopInterface} -d ${LocalHostIP} --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
${iptables} ${action} INPUT -m conntrack -p ALL -i ${LoopInterface} -d ${InetHostIP} --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
#${iptables} ${action} INPUT -m conntrack -p ALL -i ${LocalInterface} -s ${LoopBackIP} --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
# NOTE(review): the four active rules below accept packets that arrive on a physical
# interface with one of this host's own addresses as source. Local traffic normally
# travels over lo, so such packets are a classic spoofing signature; confirm the
# intent before relying on them (an anti-spoofing setup would DROP them).
${iptables} ${action} INPUT -m conntrack -p ALL -i ${LocalInterface} -s ${LocalHostIP} --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
${iptables} ${action} INPUT -m conntrack -p ALL -i ${LocalInterface} -s ${InetHostIP} --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
#${iptables} ${action} INPUT -m conntrack -p ALL -i ${InetInterface} -s ${LoopBackIP} --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
${iptables} ${action} INPUT -m conntrack -p ALL -i ${InetInterface} -s ${InetHostIP} --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
${iptables} ${action} INPUT -m conntrack -p ALL -i ${InetInterface} -s ${LocalHostIP} --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
# Rules for broadcast (skipped when the interface has no broadcast address, e.g. ppp)
if [[ "${LocalBroadcastIP}" != '' ]]
then
# In Microsoft Networks you will be swamped by broadcasts. These lines will prevent them from showing up in the logs.
${iptables} ${action} INPUT -p UDP -i ${LocalInterface} -d ${LocalBroadcastIP} --dport 135:139 -j DROP
${iptables} ${action} INPUT -p ALL -i ${LocalInterface} -d ${LocalBroadcastIP} -j ACCEPT
fi
if [[ "${InetBroadcastIP}" != '' ]]
then
# In Microsoft Networks you will be swamped by broadcasts. These lines will prevent them from showing up in the logs.
${iptables} ${action} INPUT -p UDP -i ${InetInterface} -d ${InetBroadcastIP} --dport 135:139 -j DROP
${iptables} ${action} INPUT -p ALL -i ${InetInterface} -d ${InetBroadcastIP} -j ACCEPT
fi
# Rules for multicasts
# If you have a Microsoft Network on the outside of your firewall, you may also get flooded by Multicasts. We drop them so we do not get flooded by logs
# NOTE(review): 224.0.0.0/8 covers only the first block of the multicast range; the
# whole IPv4 multicast range is 224.0.0.0/4.
${iptables} ${action} INPUT -i ${LocalInterface} -d 224.0.0.0/8 -j DROP
${iptables} ${action} INPUT -i ${InetInterface} -d 224.0.0.0/8 -j DROP
# Add to BadGuy: non-LAN sources probing these UDP ports on the external address.
${iptables} ${action} INPUT -p UDP -i ${InetInterface} -s ! ${LocalNet} -d ${InetHostIP} -m multiport --dport 23,79,135,139,445,1025,1026 -m recent --name BadGuy --set -j DROP
# Packets for established connections
# Rules for incoming packets from the LAN
${iptables} ${action} INPUT -m conntrack -p ALL -i ${LocalInterface} -s ${LocalNet} --ctstate ESTABLISHED,RELATED -j ACCEPT
# Rules for incoming packets from the Internet
${iptables} ${action} INPUT -m conntrack -p ALL -i ${InetInterface} -d ${InetHostIP} --ctstate ESTABLISHED,RELATED -j ACCEPT
#TCP rules
#Internet: uses redirection to the DMZ (see the nat PREROUTING rules), nothing accepted here
### FTP 21 # SHH 22 # MTA 25 # DNS 53 # HTTP 80 HTTPS 443
#${iptables} ${action} INPUT -p TCP -i ${InetInterface} -d ${InetHostIP} -m multiport --dport 20,21,22,25,53,80,443 -j TCPRules
#Local: services offered to the LAN (ssh, squid, privoxy, tor)
### TFTP 69,1758 # NFS 111,2049 # CUPS 631 # SWAT 901 # rndc 953 # squid 3128 # mysql 3306 # distccd 3632 # privoxy 8118 # tor 9050
${iptables} ${action} INPUT -p TCP -i ${LocalInterface} -s ${LocalNet} -d ${LocalHostIP} -m multiport --dport 22,3128,8118,9050 -j TCPRules
# for monitoring (only from monitoring_Server)
${iptables} ${action} INPUT -p TCP -i ${LocalInterface} -s ${monitoring_Server} -d ${LocalHostIP} -m multiport --dport 9045,9046,9047,9048,9049 -j TCPRules
# Logging access to other TCP ports (this prefix lacks the trailing space the other
# LOG rules carry, so it runs into the packet fields in the log line)
${iptables} ${action} INPUT -p TCP -i ${LocalInterface} -m limit --limit 5/m --limit-burst 5 -j LOG --log-prefix "iptables tcp? INPUT" --log-tcp-options --log-ip-options
${iptables} ${action} INPUT -p TCP -i ${InetInterface} -m limit --limit 5/m --limit-burst 5 -j LOG --log-prefix "iptables tcp? INPUT" --log-tcp-options --log-ip-options
# UDP rules
#Internet: uses redirection to the DMZ
### DNS 53
#${iptables} ${action} INPUT -p UDP -i ${LocalInterface} -d ${LocalHostIP} -m multiport --dport domain -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
###incoming from:# DNS 53 # NTP 123 # multimedia appl 2074,4000
#${iptables} ${action} INPUT -p UDP -i ${LocalInterface} -d ${LocalHostIP} -m multiport --sport 53,123,2074,4000 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
### DHCP (selected by the DHCP variable above)
case "${DHCP}" in
'server' )
# For a DHCP server on this host: client requests on the LAN interface
${iptables} ${action} INPUT -p UDP -i ${LocalInterface} --dport 67 --sport 68 -j ACCEPT
;;
'client' )
# Information pertaining to DHCP over the Internet, if needed: replies from DHCP_SERVER only.
${iptables} ${action} INPUT -p UDP -i ${LocalInterface} -s $DHCP_SERVER --sport 67 --dport 68 -j ACCEPT
;;
'static' )
# If we get DHCP requests from the Outside of our network, our logs will be swamped as well. This rule will block them from getting logged.
${iptables} ${action} INPUT -p UDP -i ${LocalInterface} -d 255.255.255.255 --dport 67:68 -j DROP
;;
esac
#Local: NTP from the LAN
### TFTP 69,1758 # NFS 111,2049 # NTP 123 # multimedia appl 2074,4000
${iptables} ${action} INPUT -p UDP -i ${LocalInterface} -s ${LocalNet} -d ${LocalHostIP} -m multiport --dport 123 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
# Logging access to other UDP ports
${iptables} ${action} INPUT -p UDP -i ${LocalInterface} -m limit --limit 5/m --limit-burst 5 -j LOG --log-prefix "iptables udp? INPUT " --log-ip-options
${iptables} ${action} INPUT -p UDP -i ${InetInterface} -m limit --limit 5/m --limit-burst 5 -j LOG --log-prefix "iptables udp? INPUT " --log-ip-options
#ICMP rules
#Internet
# echo request (ping), ICMP type 8
${iptables} ${action} INPUT -p ICMP -i ${LocalInterface} -s ${LocalNet} -d ${LocalHostIP} --icmp-type 8 -j ACCEPT
${iptables} ${action} INPUT -p ICMP -i ${InetInterface} -d ${InetHostIP} --icmp-type 8 -j ACCEPT
# time exceeded (traceroute), ICMP type 11
${iptables} ${action} INPUT -p ICMP -i ${LocalInterface} -s ${LocalNet} -d ${LocalHostIP} --icmp-type 11 -j ACCEPT
${iptables} ${action} INPUT -p ICMP -i ${InetInterface} -d ${InetHostIP} --icmp-type 11 -j ACCEPT
# Logging other ICMP
${iptables} ${action} INPUT -p ICMP -i ${LocalInterface} -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "iptables icmp? INPUT "
${iptables} ${action} INPUT -p ICMP -i ${InetInterface} -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "iptables icmp? INPUT "
# Anything else from a non-LAN source on the Internet interface: add to TmpBan and drop.
${iptables} ${action} INPUT -i ${InetInterface} -s ! ${LocalNet} -m recent --name TmpBan --set -j DROP
#(3) FORWARD chain rules
# Bad TCP packets we don't want: delegated to the BadTcp chain.
${iptables} ${action} FORWARD -p TCP -j BadTcp
# ACCEPT packets we want to forward. The chain works in both directions!
# NOTE(review): the second rule accepts every NEW connection arriving on the Internet
# interface for forwarding, not only the services DNATed in the nat table; if the
# upstream network can route packets to the LAN/DMZ addresses, restrict it (e.g. to
# --ctstate DNAT or to explicit destinations).
${iptables} ${action} FORWARD -m conntrack -p ALL -i ${LocalInterface} --ctstate NEW,ESTABLISHED,RELATED,SNAT,DNAT -j ACCEPT
${iptables} ${action} FORWARD -m conntrack -p ALL -i ${InetInterface} --ctstate NEW,ESTABLISHED,RELATED,SNAT,DNAT -j ACCEPT
# Logging incorrect FORWARD
${iptables} ${action} FORWARD -i ${LocalInterface} -m limit --limit 5/m --limit-burst 3 -j LOG --log-prefix "iptables FORWARD" --log-tcp-options --log-ip-options
${iptables} ${action} FORWARD -i ${InetInterface} -m limit --limit 5/m --limit-burst 3 -j LOG --log-prefix "iptables FORWARD" --log-tcp-options --log-ip-options
# Ban all IPs which try to access other: the forwarded packet's source goes onto TmpBan.
${iptables} ${action} FORWARD -i ${InetInterface} -m recent --name TmpBan --set -j DROP
# (4) OUTPUT chain rules
# Bad TCP packets we don't want: delegated to the BadTcp chain.
${iptables} ${action} OUTPUT -p TCP -j BadTcp
#Only output packets from local addresses, no spoofing
${iptables} ${action} OUTPUT -p ALL -o ${LoopInterface} -s ${LocalHostIP} -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
${iptables} ${action} OUTPUT -p ALL -o ${LoopInterface} -s ${InetHostIP} -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
#Only output packets selected by owner!!! It is better done in SELinux...
# NOTE: -m owner --uid-owner <name> requires the tor, privoxy and squid users to exist
# on this host; otherwise iptables rejects the rule.
${iptables} ${action} OUTPUT -p ALL -o ${LocalInterface} -s ${LocalHostIP} -m owner --uid-owner tor -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
${iptables} ${action} OUTPUT -p ALL -o ${LocalInterface} -s ${LocalHostIP} -m owner --uid-owner privoxy -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
${iptables} ${action} OUTPUT -p ALL -o ${LocalInterface} -s ${LocalHostIP} -m owner --uid-owner squid -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
#${iptables} ${action} OUTPUT -p ALL -o ${LocalInterface} -s ${LocalHostIP} -m owner --cmd-owner /usr/bin/wget -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
# Replies of the local SSH server (source port 22) towards the LAN, and DNS lookups
${iptables} ${action} OUTPUT -p TCP -o ${LocalInterface} -s ${LocalHostIP} -d ${LocalNet} --sport 22 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
${iptables} ${action} OUTPUT -p UDP -o ${LocalInterface} -s ${LocalHostIP} --dport 53 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
${iptables} ${action} OUTPUT -p ALL -o ${InetInterface} -s ${InetHostIP} -m owner --uid-owner tor -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
${iptables} ${action} OUTPUT -p ALL -o ${InetInterface} -s ${InetHostIP} -m owner --uid-owner privoxy -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
${iptables} ${action} OUTPUT -p ALL -o ${InetInterface} -s ${InetHostIP} -m owner --uid-owner squid -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
#${iptables} ${action} OUTPUT -p ALL -o ${InetInterface} -s ${LocalHostIP} -d 0/0 -m owner --cmd-owner /usr/bin/wget -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
${iptables} ${action} OUTPUT -p UDP -o ${InetInterface} -s ${InetHostIP} --dport 53 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
#Output packets from all local applications
#${iptables} ${action} OUTPUT -p ALL -o ${LocalInterface} -s ${LocalHostIP} -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
#for spoofing edit next line
#${iptables} ${action} OUTPUT -p ALL -o ${LocalInterface} -s ${SpoofingHostIP} -j ACCEPT
# Logging incorrect OUTPUT
${iptables} ${action} OUTPUT -o ${LocalInterface} -m limit --limit 5/m --limit-burst 5 -j LOG --log-prefix "iptables OUTPUT " --log-tcp-options --log-ip-options
${iptables} ${action} OUTPUT -o ${InetInterface} -m limit --limit 5/m --limit-burst 5 -j LOG --log-prefix "iptables OUTPUT " --log-tcp-options --log-ip-options
# Ban all IPs which try to access other
# NOTE(review): "recent --set" records the packet's source address by default (no
# --rdest), and in OUTPUT that is this host's own address; the TmpBan entry made here
# therefore never matches a remote peer. The DROP itself still applies.
${iptables} ${action} OUTPUT -o ${InetInterface} -m recent --name TmpBan --set -j DROP
# (1 Delete) User-defined chains
# II ***************** MANGLE TABLE rules *****************************
# (0) Policies (default)
# Every mangle chain is left at ACCEPT and no mangle rules are installed below,
# so this table is a no-op placeholder for both "start" and "stop".
for mangle_chain in PREROUTING INPUT FORWARD OUTPUT POSTROUTING; do
  "${iptables}" -t mangle -P "${mangle_chain}" ACCEPT
done
# (1) Mangle USER-defined chain rules
# (2) Mangle PREROUTING chain rules
# Rules for incoming packets from the local computer
# Rules for incoming packets from the Internet
# (3) Mangle INPUT chain rules
# (4) Mangle FORWARD chain rules
# (5) Mangle OUTPUT chain rules
# (6) Mangle POSTROUTING chain rules
# If you have problems with your PPPoE connection, such as large mails not
# getting through while small mails get through properly etc., you may enable
# the line below, which may fix the problem by clamping
# (resizing) all routed packets to the PMTU (Path Maximum Transmit Unit).
# Note that it is better to set this up in the PPPoE package itself, since
# the PPPoE configuration option will give less overhead.
#$IPTABLES -t nat -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# NOTE: the example above uses $IPTABLES (upper case), which this script never sets;
# use ${iptables} if you enable it, and confirm the table (TCPMSS is usually applied
# from the mangle table, which is what this section is about).
#Only output packets from local addresses, no spoofing
#for spoofing edit next line
# Rules for outgoing packets to the Internet
# III ***************** NAT TABLE rules *******************************
# NOTE(review): the nat table is consulted only for packets that start a new
# connection (conntrack state NEW, plus RELATED packets that open one), so the
# rules below act as a pre-filter on new connections; per-packet decisions are
# taken in the filter table above. ESTABLISHED in the --ctstate lists below is
# therefore not expected to match here.
# (0) Policies (default)
${iptables} -t nat -P OUTPUT ACCEPT
# NOTE(review): a DROP policy in the nat table is unusual (netfilter guidance is to
# filter in the filter table); new inbound connections not matched by the nat
# PREROUTING rules below are dropped before the filter table ever sees them.
${iptables} -t nat -P PREROUTING DROP
${iptables} -t nat -P POSTROUTING ACCEPT
# (1) NAT USER-defined chain rules
# (2) PREROUTING chain rules: REDIRECTION and PORT MAPPING
#Packets from the INTERNET
# DNAT - mapping to the internal LAN address (load balancing)
# Publishes FTP, DNS and HTTP/HTTPS of the DMZ hosts configured above
# (FTP_Servers, DNS_Servers, WWW_Servers) on the external address.
${iptables} -t nat ${action} PREROUTING -p TCP -i ${InetInterface} -d ${InetHostIP} -m multiport --dport 20,21 -j DNAT --to-destination ${FTP_Servers}
${iptables} -t nat ${action} PREROUTING -p UDP -i ${InetInterface} -d ${InetHostIP} --dport 53 -j DNAT --to-destination ${DNS_Servers}
${iptables} -t nat ${action} PREROUTING -p TCP -i ${InetInterface} -d ${InetHostIP} -m multiport --dport 80,443 -j DNAT --to-destination ${WWW_Servers}
# Mapping to the external address uses socks5
#Redirection to a different port on this server (you must edit /etc/services or other config)
#${iptables} -t nat ${action} PREROUTING -p TCP -s ${LocalNet} -d ${LocalHostIP} --destination-port 22 -j REDIRECT --to-ports 2222
#Packets from the Internet (Interface)
#INPUT
# Rules for incoming packets from the local computer
${iptables} -t nat ${action} PREROUTING -p ALL -i ${LoopInterface} -s ${LocalHostIP} -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
${iptables} -t nat ${action} PREROUTING -p ALL -i ${LoopInterface} -s ${InetHostIP} -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
# NOTE(review): the next four rules accept packets on a physical interface whose
# source is 127.0.0.0/8 or one of this host's own addresses; in normal operation
# such sources only appear when spoofed. Confirm the intent before relying on them.
${iptables} -t nat ${action} PREROUTING -p ALL -i ${LocalInterface} -s ${LoopIP} -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
${iptables} -t nat ${action} PREROUTING -p ALL -i ${LocalInterface} -s ${InetHostIP} -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
${iptables} -t nat ${action} PREROUTING -p ALL -i ${InetInterface} -s ${LoopIP} -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
${iptables} -t nat ${action} PREROUTING -p ALL -i ${InetInterface} -s ${LocalHostIP} -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
# Rules for broadcast (unconditional here; the filter table guards on an empty LocalBroadcastIP):
${iptables} -t nat ${action} PREROUTING -p ALL -i ${LocalInterface} -d ${LocalBroadcastIP} -j ACCEPT
#${iptables} -t nat ${action} PREROUTING -p ALL -i ${InetInterface} -d ${ExternalBrodcastIP} -j ACCEPT
# Rules for incoming packets from the LAN
${iptables} -t nat ${action} PREROUTING -p ALL -i ${LocalInterface} -s ${LocalNet} -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
# Rules for incoming packets from the Internet (anything new to the external address
# passes the nat table; the filter INPUT chain decides what is actually accepted)
${iptables} -t nat ${action} PREROUTING -p ALL -i ${InetInterface} -d ${InetHostIP} -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
#OUTPUT
#Only output packets from local addresses, no spoofing
${iptables} -t nat ${action} PREROUTING -p ALL -i ${LocalInterface} -d ${LocalNet} -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
${iptables} -t nat ${action} PREROUTING -p ALL -i ${InetInterface} -s ${InetHostIP} -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
#for spoofing edit next line
#${iptables} -t nat ${action} PREROUTING -p ALL -s ${SpoofingHostIP} -j ACCEPT
# Logging incorrect access
${iptables} -t nat ${action} PREROUTING -p ALL -i ${LocalInterface} -m limit --limit 5/m --limit-burst 5 -j LOG --log-prefix "iptables nat PREROUTING" --log-tcp-options --log-ip-options
${iptables} -t nat ${action} PREROUTING -p ALL -i ${InetInterface} -m limit --limit 5/m --limit-burst 5 -j LOG --log-prefix "iptables nat PREROUTING" --log-tcp-options --log-ip-options
# Ban all IPs which try to access other
# NOTE(review): legacy "-s !" negation; newer iptables releases accept only "! -s".
${iptables} -t nat ${action} PREROUTING -i ${InetInterface} -s ! ${LocalNet} -m recent --name TmpBan --set -j DROP
# (3) OUTPUT chain rules
#Only output packets from local addresses, no spoofing
#for spoofing edit next line
# (4) POSTROUTING chain rules: NAT or MASQUERADE
# Network address translation (NAT or MASQUERADE)
#${iptables} -t nat ${action} POSTROUTING -o ${InetInterface} -j MASQUERADE
# SNAT pins the external address detected at "start"; if the address of a dynamic
# interface (ppp0, DHCP) changes, this rule is stale until the script is re-run,
# whereas the commented MASQUERADE variant above follows the interface's current address.
${iptables} -t nat ${action} POSTROUTING -o ${InetInterface} -j SNAT --to-source ${InetHostIP}
#INPUT
# Rules for incoming packets from the local computer:
# Rules for broadcast:
# Rules for incoming packets from the Internet
#OUTPUT
#Only output packets from local addresses, no spoofing
#for spoofing edit next line
# IV ***************** RAW TABLE rules *******************************
# (0) Policies (default) - the raw table is left untouched by this script
#${iptables} -t raw -P PREROUTING ACCEPT
#${iptables} -t raw -P OUTPUT ACCEPT
# (1) Raw USER-defined chain rules
# (2) Raw PREROUTING chain rules
# Rules for incoming packets from the local computer
# Rules for incoming packets from the Internet
# (3) Raw OUTPUT chain rules
exit 0