Що це таке? чого воно в дискусії?

-- isbear, 12-11-2012


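#!/bin/bash
# 20050509 iptables_acc_dev.sh hse@ukr.net
#
# Distributed under the terms of the GNU General Public License v2 or later
#
# Example of an iptables script for ppp.
#
#   start in: /etc/ppp/ip-up.local
#   stop  in: /etc/ppp/ip-down.local
#
# usage: /etc/ppp/iptables_acc_dev.sh <dev> <action>
#
#   <dev>     the ppp interface, e.g. "ppp0"
#   <action>  "-A" when called from /etc/ppp/ip-up.local,
#             "-D" when called from /etc/ppp/ip-down.local
#
# Every rule below is issued with "$action", so the same rule list is added
# on link-up and deleted on link-down.  The user-defined chains are created
# on "-A" and flushed/removed on "-D".  iptables errors are deliberately not
# fatal: a missing rule on "-D" is expected and must not stop the remaining
# clean-up, so no "set -e" here.

########## 0 VARIABLE setup ##########

ifconfig=/sbin/ifconfig
iptables=/sbin/iptables

# <action> can be "-A" or "-D" only.  It is refused up front, because it is
# spliced unquoted into every iptables command line below.
action=$2
case "$action" in
  -A|-D) ;;
  *)
    echo "usage: $0 <dev> -A|-D" >&2
    exit 1
    ;;
esac

# Before running this script set up the configuration of your network here:
# begin
echo "trying out to resolve yore local configuration :)"

# Interface setup
ExternalDevice=$1
if [ -z "$ExternalDevice" ]; then
  echo "usage: $0 <dev> -A|-D" >&2
  exit 1
fi
ExternalHardware="ttyS0"   # informational only, not used by any rule
LoopBackInterface="lo"

# Ip Address setup
LoopBackIP="127.0.0.0/8"

# Figure out the current ip configuration.
# On link-up the address is read from the interface and remembered in
# /etc/ppp/pppip; on link-down it is read back from that file, since the
# interface may already be gone by the time ip-down runs.
# NOTE: this parses the old "inet addr:" ifconfig output format.
pppip_file=/etc/ppp/pppip
if [ "$action" == "-A" ]; then
  ExternalHostIP=$(LANG= LC_ALL= "$ifconfig" "${ExternalDevice}" \
    | grep 'inet addr' | awk -F: '{ print $2 }' | awk '{ print $1 }')
  printf '%s\n' "${ExternalHostIP}" > "$pppip_file"
else
  ExternalHostIP=$(cat "$pppip_file")
fi
# An empty address would leave "-s"/"-d" without an argument and the next
# option would be taken as the address; refuse to build rules from it
# (the filter policies stay DROP, so failing here fails closed).
if [ -z "$ExternalHostIP" ]; then
  echo "$0: could not determine the address of ${ExternalDevice}" >&2
  exit 1
fi

SpoofingHostIP="10.0.0.10"
BannedIP="10.0.0.111"      # reserved for a future rule; currently unused

# Source address accepted by the NTP reply rule.  Leave empty to skip that
# rule.  (The original referenced ${TimeServer} without ever defining it,
# which produced a rule with an empty "-s" argument.)
TimeServer=${TimeServer:-}

# Check for netfilter/iptables kernel modules (no-op when built in):
modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ip_conntrack
modprobe ip_conntrack_ftp   # was "ip_contrack_ftp": no module of that name

echo "Machine type is:" "${MACHTYPE}," "hostname is:" "${HOSTNAME}," "ExternalHostIP= " "${ExternalHostIP}"
# end

# Feel free to change the following firewall rules to suit your site.

########## I FILTER TABLE rules ##########

# (0) Policies (default)
"$iptables" -t filter -P INPUT DROP
"$iptables" -t filter -P OUTPUT DROP
"$iptables" -t filter -P FORWARD DROP

# (1) User-defined chains for ACCEPTed TCP packets from the Internet.
# Each chain accepts packets of established connections and new SYNs,
# logs (rate limited) anything else and drops it.
if [ "$action" == "-A" ]; then
  "$iptables" -N SSHRules
  "$iptables" -N FTPRules
  "$iptables" -N HTTPRules
fi

# Add (-A) or delete (-D) the rules of one service chain.
# Arguments: $1 - chain name, $2 - tag used in the LOG prefix
service_chain() {
  local chain=$1
  local tag=$2
  "$iptables" $action "$chain" -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$iptables" $action "$chain" -p TCP --syn -j ACCEPT
  "$iptables" $action "$chain" -p TCP -m limit --limit 10/hour --limit-burst 5 -j LOG --log-prefix "iptables filter $tag INPUT" --log-tcp-options --log-ip-options   # log incorrect packets
  "$iptables" $action "$chain" -p TCP -j DROP
}
service_chain SSHRules SSH
service_chain FTPRules FTP
service_chain HTTPRules HTTP

# (2) INPUT chain rules

# Rules for incoming packets from the local computer and broadcast
"$iptables" $action INPUT -p ALL -i "${LoopBackInterface}" -s "${ExternalHostIP}" -d "${LoopBackIP}" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Packets of established connections
# Rules for incoming packets from the Internet
"$iptables" $action INPUT -p TCP -m conntrack -i "${ExternalDevice}" -s 0/0 -d "${ExternalHostIP}" --ctstate ESTABLISHED,RELATED --destination-port 32000:65535 -j ACCEPT
"$iptables" $action INPUT -p UDP -m conntrack -i "${ExternalDevice}" -s 0/0 -d "${ExternalHostIP}" --ctstate ESTABLISHED,RELATED --destination-port 32000:65535 -j ACCEPT

# TCP rules, Internet
"$iptables" $action INPUT -p TCP -i "${ExternalDevice}" -s 0/0 -d "${ExternalHostIP}" -m state --state ESTABLISHED,RELATED -m multiport --destination-port 3128 -j ACCEPT
"$iptables" $action INPUT -p TCP -i "${ExternalDevice}" -s 0/0 -d "${ExternalHostIP}" -m multiport --destination-port 22 -j SSHRules   # SSH
"$iptables" $action INPUT -p TCP -i "${ExternalDevice}" -s 0/0 -d "${ExternalHostIP}" -m state --state ESTABLISHED,RELATED -m multiport --source-port 22 -j ACCEPT
"$iptables" $action INPUT -p TCP -i "${ExternalDevice}" -s 0/0 -d "${ExternalHostIP}" -m multiport --destination-port 21 -j FTPRules   # FTP
"$iptables" $action INPUT -p TCP -i "${ExternalDevice}" -s 0/0 -d "${ExternalHostIP}" -m multiport --destination-port 80,443 -j HTTPRules   # HTTP, HTTPS
"$iptables" $action INPUT -p TCP -m limit --limit 10/hour --limit-burst 5 -j LOG --log-prefix "iptables filter tcp? INPUT" --log-tcp-options --log-ip-options   # log access to other ports

# UDP rules, Internet
"$iptables" $action INPUT -p UDP -i "${ExternalDevice}" -s 0/0 -d "${ExternalHostIP}" -m state --state ESTABLISHED,RELATED --destination-port domain -j ACCEPT   # DNS
if [ -n "$TimeServer" ]; then
  "$iptables" $action INPUT -p UDP -i "${ExternalDevice}" -s "${TimeServer}" -d "${ExternalHostIP}" -m state --state NEW,ESTABLISHED,RELATED --destination-port 10123 -j ACCEPT   # Network time protocol
fi
"$iptables" $action INPUT -p UDP -i "${ExternalDevice}" -s 0/0 -d "${ExternalHostIP}" -m state --state NEW,ESTABLISHED,RELATED -m multiport --destination-port 2074,4000 -j ACCEPT   # multimedia applications
"$iptables" $action INPUT -p UDP -m limit --limit 10/hour --limit-burst 5 -j LOG --log-prefix "iptables filter udp? INPUT " --log-ip-options   # log attempts to access udp

# ICMP rules, Internet
"$iptables" $action INPUT -p ICMP -i "${ExternalDevice}" -s 0/0 -d "${ExternalHostIP}" --icmp-type 8 -j ACCEPT    # echo request (incoming ping)
"$iptables" $action INPUT -p ICMP -i "${ExternalDevice}" -s 0/0 -d "${ExternalHostIP}" --icmp-type 11 -j ACCEPT   # time exceeded (traceroute)
"$iptables" $action INPUT -p ICMP -m limit --limit 10/hour --limit-burst 5 -j LOG --log-prefix "iptables filter icmp? INPUT " --log-ip-options

# (3) FORWARD chain rules
# ACCEPT packets we want to forward: none

# (4) OUTPUT chain rules

# Only output packets from local addresses, no spoofing
"$iptables" $action OUTPUT -p ALL -o "${ExternalDevice}" -s "${ExternalHostIP}" -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# For spoofing edit the next line.
# NOTE: this accepts output from ${SpoofingHostIP}, which is not this host's
# address, so it weakens the egress filter above; remove it unless this host
# really sends on behalf of that address.
"$iptables" $action OUTPUT -p ALL -s "${SpoofingHostIP}" -j ACCEPT

"$iptables" $action OUTPUT -p ALL -m limit --limit 10/hour --limit-burst 5 -j LOG --log-prefix "iptables filter OUTPUT " --log-tcp-options --log-ip-options

########## II MANGLE TABLE rules ##########

# (0) Policies (default)
# NOTE: DROP policies on the mangle and nat tables are unusual; anything not
# explicitly accepted in those tables never reaches the filter table, so each
# accept rule in filter needs a counterpart here.
"$iptables" -t mangle -P PREROUTING DROP
"$iptables" -t mangle -P INPUT DROP
"$iptables" -t mangle -P FORWARD DROP
"$iptables" -t mangle -P OUTPUT DROP
"$iptables" -t mangle -P POSTROUTING DROP

# (1) Mangle USER-defined chain rules: none

# (2) Mangle PREROUTING chain rules

# Rules for incoming packets from the local computer
"$iptables" -t mangle $action PREROUTING -p ALL -i "${LoopBackInterface}" -s "${ExternalHostIP}" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Rules for incoming packets from the Internet (per-service byte accounting)
"$iptables" -t mangle $action PREROUTING -p tcp -i "${ExternalDevice}" -s 0/0 -d "${ExternalHostIP}" -m state --state NEW,ESTABLISHED,RELATED -m multiport --source-port 20,21 -j ACCEPT   # account FTP input bytes + garbage
"$iptables" -t mangle $action PREROUTING -p tcp -i "${ExternalDevice}" -s 0/0 -d "${ExternalHostIP}" -m state --state NEW,ESTABLISHED,RELATED -m multiport --source-port 80,443 -j ACCEPT   # account http input bytes + garbage
"$iptables" -t mangle $action PREROUTING -p ALL -i "${ExternalDevice}" -s 0/0 -d "${ExternalHostIP}" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT   # account all other input bytes

"$iptables" -t mangle $action PREROUTING -p ALL -m limit --limit 10/hour --limit-burst 5 -j LOG --log-prefix "iptables mangle PREROUTING" --log-tcp-options --log-ip-options   # log incorrect access

# (3) Mangle INPUT chain rules
"$iptables" -t mangle $action INPUT -p ALL -i "${ExternalDevice}" -s 0/0 -d "${ExternalHostIP}" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT   # account all input bytes

# (4) Mangle FORWARD chain rules
"$iptables" -t mangle $action FORWARD -p ALL -i "${ExternalDevice}" -s 0/0 -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# (5) Mangle OUTPUT chain rules
"$iptables" -t mangle $action OUTPUT -p ALL -o "${ExternalDevice}" -s "${ExternalHostIP}" -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT   # account all output bytes

# (6) Mangle POSTROUTING chain rules

# Rules for outgoing packets to the Internet (per-service byte accounting)
"$iptables" -t mangle $action POSTROUTING -p tcp -o "${ExternalDevice}" -s "${ExternalHostIP}" -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -m multiport --destination-port 20,21 -j ACCEPT   # account ftp output bytes
"$iptables" -t mangle $action POSTROUTING -p tcp -o "${ExternalDevice}" -s "${ExternalHostIP}" -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -m multiport --destination-port 80,443 -j ACCEPT   # account http output bytes
"$iptables" -t mangle $action POSTROUTING -p ALL -o "${ExternalDevice}" -s "${ExternalHostIP}" -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT   # account all other output bytes

# For spoofing edit the next line (see the note in filter OUTPUT).
"$iptables" -t mangle $action POSTROUTING -p ALL -s "${SpoofingHostIP}" -j ACCEPT

"$iptables" -t mangle $action POSTROUTING -p ALL -m limit --limit 10/hour --limit-burst 5 -j LOG --log-prefix "iptables mangle POSTROUTING" --log-tcp-options --log-ip-options   # log incorrect output

########## III NAT TABLE rules ##########

# (0) Policies (default)
"$iptables" -t nat -P PREROUTING DROP
"$iptables" -t nat -P OUTPUT DROP
"$iptables" -t nat -P POSTROUTING DROP

# (1) NAT USER-defined chain rules: none

# (2) PREROUTING chain rules: REDIRECTION and PORTMAPPING

# Packets from the INTERNET
# Mapping to an external address: use socks5
# Redirection to a different port on this server
# Packets from the Internet (ExternalDevice)
"$iptables" -t nat $action PREROUTING -p udp -i "${ExternalDevice}" -s 0/0 -d "${ExternalHostIP}" -m state --state NEW,ESTABLISHED,RELATED --dport 123 -j REDIRECT --to-ports 10123

# INPUT
# Rules for incoming packets from the local computer and broadcast
"$iptables" -t nat $action PREROUTING -p ALL -i "${LoopBackInterface}" -s "${ExternalHostIP}" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Rules for incoming packets from the Internet
"$iptables" -t nat $action PREROUTING -p ALL -d "${ExternalHostIP}" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# OUTPUT
# Only output packets from local addresses, no spoofing
"$iptables" -t nat $action PREROUTING -p ALL -i "${ExternalDevice}" -s "${ExternalHostIP}" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# For spoofing edit the next line (see the note in filter OUTPUT).
"$iptables" -t nat $action PREROUTING -p ALL -s "${SpoofingHostIP}" -j ACCEPT

"$iptables" -t nat $action PREROUTING -p ALL -m limit --limit 10/hour --limit-burst 5 -j LOG --log-prefix "iptables nat PREROUTING" --log-tcp-options --log-ip-options   # log incorrect access

# (3) OUTPUT chain rules

# Only output packets from local addresses, no spoofing
"$iptables" -t nat $action OUTPUT -p ALL -o "${ExternalDevice}" -s "${ExternalHostIP}" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# For spoofing edit the next line (see the note in filter OUTPUT).
"$iptables" -t nat $action OUTPUT -p ALL -s "${SpoofingHostIP}" -j ACCEPT

# Log prefix corrected: it used to say "iptables mangle PREROUTING", which
# made the nat OUTPUT log entries indistinguishable from the mangle ones.
"$iptables" -t nat $action OUTPUT -p ALL -m limit --limit 10/hour --limit-burst 5 -j LOG --log-prefix "iptables nat OUTPUT" --log-tcp-options --log-ip-options   # log incorrect output

# (4) POSTROUTING chain rules: NAT or MASQUERADE

# Network address translation (NAT or MASQUERADE).
# The first matching rule wins, so with both present the SNAT rule is never
# reached; keep whichever one you want.
"$iptables" -t nat $action POSTROUTING -o "${ExternalDevice}" -j MASQUERADE
"$iptables" -t nat $action POSTROUTING -o "${ExternalDevice}" -j SNAT --to-source "${ExternalHostIP}"

# INPUT
# Rules for incoming packets from the local computer and broadcast
"$iptables" -t nat $action POSTROUTING -p ALL -o "${LoopBackInterface}" -s "${ExternalHostIP}" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# OUTPUT
# Only output packets from local addresses, no spoofing
"$iptables" -t nat $action POSTROUTING -p ALL -o "${ExternalDevice}" -s "${ExternalHostIP}" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# For spoofing edit the next line (see the note in filter OUTPUT).
"$iptables" -t nat $action POSTROUTING -p ALL -s "${SpoofingHostIP}" -j ACCEPT

# Log prefix corrected: it used to say "iptables mangle PREROUTING".
"$iptables" -t nat $action POSTROUTING -p ALL -m limit --limit 10/hour --limit-burst 5 -j LOG --log-prefix "iptables nat POSTROUTING" --log-tcp-options --log-ip-options   # log incorrect access

# On link-down the service chains are now empty and no longer referenced from
# INPUT: remove them so repeated up/down cycles do not leave stale chains.
if [ "$action" == "-D" ]; then
  for chain in SSHRules FTPRules HTTPRules; do
    "$iptables" -F "$chain"
    "$iptables" -X "$chain"
  done
fi

exit 0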