Що це таке? чого воно в дискусії?
-- isbear, 12-11-2012
[[!format Error: unsupported page format
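#!/bin/bash
# 20050509 iptables_acc_dev.sh hse@ukr.net
# Distributed under the terms of the GNU General Public License v2 or later
#
# Example of an iptables script for ppp: packet filter plus per-service byte
# accounting (mangle table) and NAT.
#   start in: /etc/ppp/ip-up.local
#   stop in:  /etc/ppp/ip-down.local
#   usage:    /etc/ppp/iptables_acc_dev.sh <dev> <action>
# Parameter <action> is "-A" in /etc/ppp/ip-up.local or "-D" in /etc/ppp/ip-down.local.
# Parameter <dev> for ppp is "ppp0".
#
# NOTE(review): the wiki copy of this script had lost its '#' comment markers,
# backticks, '[' tests and several line breaks (commands fused onto one line).
# Besides restoring the syntax this version: validates both arguments;
# sanity-checks the resolved address before splicing it into rules and fails
# closed on link-up; defines the previously undefined TimeServer; fixes the
# "ip_contrack_ftp" module typo; fixes the copy-pasted "mangle PREROUTING" log
# prefixes in the nat OUTPUT and POSTROUTING chains; and creates/deletes the
# user chains according to <action>. The rule set itself is the author's.

set -u   # an unset variable (the old TimeServer bug) must not silently become ""

############### 0 VARIABLE setup ##############
ifconfig=/sbin/ifconfig
iptables=/sbin/iptables

# parameter action can be "-A" or "-D" only!!!
action=${2:-}

#######################################
# Abort while leaving the host closed: set the filter policies to DROP (this
# also blocks loopback) and exit 1. Used when the arguments or the link address
# cannot be trusted, so a broken ip-up never leaves the default ACCEPT policies.
# Arguments: $* - message written to stderr
#######################################
fail_closed() {
  printf '%s\n' "$*" >&2
  "$iptables" -t filter -P INPUT DROP
  "$iptables" -t filter -P OUTPUT DROP
  "$iptables" -t filter -P FORWARD DROP
  exit 1
}

case "$action" in
  -A|-D) ;;
  *) fail_closed "usage: ${0##*/} <dev> <-A|-D> (got action '${action}')" ;;
esac
[ -n "${1:-}" ] || fail_closed "usage: ${0##*/} <dev> <-A|-D> (no device given)"

# before running this script set up the configuration of your network here:
# ---- begin ----
echo "trying out to resolve yore local configuration :)"
# Interface setup
ExternalDevice=$1
ExternalHardware="ttyS0"   # not used by any rule below; kept from the original
LoopBackInterface="lo"
# Ip Address setup
LoopBackIP="127.0.0.0/8"
# NTP server allowed to reach the redirected port 10123 (see nat PREROUTING).
# The original never defined this variable, so its NTP rule was never
# installed; leave it empty to keep that behaviour, or set your server's address.
TimeServer=""
# Figure out the current ip configuration
if [ "$action" = "-A" ]; then
  # 'inet addr:' is the classic net-tools output; the regex check below catches
  # a parse failure on other ifconfig versions instead of passing "" to iptables.
  ExternalHostIP=$(LANG= LC_ALL= "$ifconfig" "$ExternalDevice" | grep 'inet addr' \
    | awk -F: '{ print $2 }' | awk '{ print $1 }')
else
  ExternalHostIP=$(cat /etc/ppp/pppip)
fi
if [[ ! "$ExternalHostIP" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
  if [ "$action" = "-A" ]; then
    fail_closed "cannot determine the address of ${ExternalDevice}: '${ExternalHostIP}'"
  fi
  # On link-down the rules cannot be named without the address; they are left
  # in place, which keeps the host closed.
  printf '%s\n' "no usable address in /etc/ppp/pppip: '${ExternalHostIP}'" >&2
  exit 1
fi
# Remember the address for the -D run from ip-down.local
if [ "$action" = "-A" ]; then
  printf '%s\n' "$ExternalHostIP" > /etc/ppp/pppip
fi
SpoofingHostIP="10.0.0.10"
BannedIP="10.0.0.111"   # not used by any rule below; kept from the original
# Check for netfilter/iptables kernel modules:
modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ip_conntrack
modprobe ip_conntrack_ftp   # the original had "ip_contrack_ftp", which does not exist
echo "Machine type is:" "${MACHTYPE}", "hostname is:" "${HOSTNAME}", "ExternalHostIP= " "${ExternalHostIP}"
# ---- end ----

# feel free to change the following firewall rules to suit your needs

############### I FILTER TABLE rules ##############
# (0) Policies (default)
# NOTE: the policies are set on -A and -D alike, so after ip-down the host keeps
# DROP policies with no ACCEPT rules at all (loopback included) until next ip-up.
"$iptables" -t filter -P INPUT DROP
"$iptables" -t filter -P OUTPUT DROP
"$iptables" -t filter -P FORWARD DROP

# (1) User-defined chains for ACCEPTed TCP packets from the Internet
# Chains are created on -A only; on -D they are removed at the end of the
# script, once their rules and the jumps from INPUT have been deleted.
if [ "$action" = "-A" ]; then
  "$iptables" -N SSHRules
  "$iptables" -N FTPRules
  "$iptables" -N HTTPRules
fi

#######################################
# Fill one per-service TCP chain: keep established traffic, accept new
# connections (SYN), log the rest at a limited rate, then drop it.
# Globals:   iptables, action (read)
# Arguments: $1 - chain name, $2 - LOG prefix
#######################################
service_chain_rules() {
  local chain=$1 prefix=$2
  "$iptables" "$action" "$chain" -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$iptables" "$action" "$chain" -p TCP --syn -j ACCEPT
  "$iptables" "$action" "$chain" -p TCP -m limit --limit 10/hour --limit-burst 5 \
    -j LOG --log-prefix "$prefix" --log-tcp-options --log-ip-options # log incorrect packets
  "$iptables" "$action" "$chain" -p TCP -j DROP
}
service_chain_rules SSHRules  "iptables filter SSH INPUT"
service_chain_rules FTPRules  "iptables filter FTP INPUT"
service_chain_rules HTTPRules "iptables filter HTTP INPUT"

# (2) INPUT chain rules
# Rules for incoming packets from local computer and broadcast
"$iptables" "$action" INPUT -p ALL -i "$LoopBackInterface" -s "$ExternalHostIP" -d "$LoopBackIP" \
  -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Packets for established connections coming from the Internet (high ports)
"$iptables" "$action" INPUT -p TCP -m conntrack -i "$ExternalDevice" -s 0/0 -d "$ExternalHostIP" \
  --ctstate ESTABLISHED,RELATED --destination-port 32000:65535 -j ACCEPT
"$iptables" "$action" INPUT -p UDP -m conntrack -i "$ExternalDevice" -s 0/0 -d "$ExternalHostIP" \
  --ctstate ESTABLISHED,RELATED --destination-port 32000:65535 -j ACCEPT
# TCP rules, Internet
"$iptables" "$action" INPUT -p TCP -i "$ExternalDevice" -s 0/0 -d "$ExternalHostIP" \
  -m state --state ESTABLISHED,RELATED -m multiport --destination-port 3128 -j ACCEPT
"$iptables" "$action" INPUT -p TCP -i "$ExternalDevice" -s 0/0 -d "$ExternalHostIP" \
  -m multiport --destination-port 22 -j SSHRules # SSH
"$iptables" "$action" INPUT -p TCP -i "$ExternalDevice" -s 0/0 -d "$ExternalHostIP" \
  -m state --state ESTABLISHED,RELATED -m multiport --source-port 22 -j ACCEPT
"$iptables" "$action" INPUT -p TCP -i "$ExternalDevice" -s 0/0 -d "$ExternalHostIP" \
  -m multiport --destination-port 21 -j FTPRules # FTP
"$iptables" "$action" INPUT -p TCP -i "$ExternalDevice" -s 0/0 -d "$ExternalHostIP" \
  -m multiport --destination-port 80,443 -j HTTPRules # HTTP, HTTPS
"$iptables" "$action" INPUT -p TCP -m limit --limit 10/hour --limit-burst 5 \
  -j LOG --log-prefix "iptables filter tcp? INPUT" --log-tcp-options --log-ip-options # log access to other ports
# UDP rules, Internet
"$iptables" "$action" INPUT -p UDP -i "$ExternalDevice" -s 0/0 -d "$ExternalHostIP" \
  -m state --state ESTABLISHED,RELATED --destination-port domain -j ACCEPT # DNS
# Network time protocol: port 123 is redirected to 10123 in nat PREROUTING.
# Only installed when a TimeServer is configured (see the variable setup).
if [ -n "$TimeServer" ]; then
  "$iptables" "$action" INPUT -p UDP -i "$ExternalDevice" -s "$TimeServer" -d "$ExternalHostIP" \
    -m state --state NEW,ESTABLISHED,RELATED --destination-port 10123 -j ACCEPT
fi
"$iptables" "$action" INPUT -p UDP -i "$ExternalDevice" -s 0/0 -d "$ExternalHostIP" \
  -m state --state NEW,ESTABLISHED,RELATED -m multiport --destination-port 2074,4000 -j ACCEPT # multimedia appl
"$iptables" "$action" INPUT -p UDP -m limit --limit 10/hour --limit-burst 5 \
  -j LOG --log-prefix "iptables filter udp? INPUT " --log-ip-options # log attempts to access udp
# ICMP rules, Internet
# NOTE(review): only echo requests (type 8) and TTL-exceeded are accepted; the
# echo replies (type 0) to this host's own pings are not accepted anywhere in INPUT.
"$iptables" "$action" INPUT -p ICMP -i "$ExternalDevice" -s 0/0 -d "$ExternalHostIP" \
  --icmp-type 8 -j ACCEPT # echo request (incoming ping); the original comment said "echo reply"
"$iptables" "$action" INPUT -p ICMP -i "$ExternalDevice" -s 0/0 -d "$ExternalHostIP" \
  --icmp-type 11 -j ACCEPT # time exceeded (traceroute)
"$iptables" "$action" INPUT -p ICMP -m limit --limit 10/hour --limit-burst 5 \
  -j LOG --log-prefix "iptables filter icmp? INPUT " --log-ip-options

# (3) FORWARD chain rules
# ACCEPT packets we want to forward: none

# (4) OUTPUT chain rules
# Only output packets from local addresses, no spoofing
"$iptables" "$action" OUTPUT -p ALL -o "$ExternalDevice" -s "$ExternalHostIP" -d 0/0 \
  -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# for spoofing edit next line
# NOTE(review): this accepts locally generated packets whose source address is
# not ours, on any interface; it undoes the anti-spoofing rule just above
# unless SpoofingHostIP really is a local address. Same for the mangle and
# nat copies further down.
"$iptables" "$action" OUTPUT -p ALL -s "$SpoofingHostIP" -j ACCEPT
"$iptables" "$action" OUTPUT -p ALL -m limit --limit 10/hour --limit-burst 5 \
  -j LOG --log-prefix "iptables filter OUTPUT " --log-tcp-options --log-ip-options

############### II MANGLE TABLE rules ##############
# (0) Policies (default)
"$iptables" -t mangle -P PREROUTING DROP
"$iptables" -t mangle -P INPUT DROP
"$iptables" -t mangle -P FORWARD DROP
"$iptables" -t mangle -P OUTPUT DROP
"$iptables" -t mangle -P POSTROUTING DROP
# (1) Mangle user-defined chain rules: none
# (2) Mangle PREROUTING chain rules
# Rules for incoming packets from local computer
"$iptables" -t mangle "$action" PREROUTING -p ALL -i "$LoopBackInterface" -s "$ExternalHostIP" \
  -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Rules for incoming packets from Internet
"$iptables" -t mangle "$action" PREROUTING -p tcp -i "$ExternalDevice" -s 0/0 -d "$ExternalHostIP" \
  -m state --state NEW,ESTABLISHED,RELATED -m multiport --source-port 20,21 -j ACCEPT # account FTP input bytes + garbage
"$iptables" -t mangle "$action" PREROUTING -p tcp -i "$ExternalDevice" -s 0/0 -d "$ExternalHostIP" \
  -m state --state NEW,ESTABLISHED,RELATED -m multiport --source-port 80,443 -j ACCEPT # account http input bytes + garbage
"$iptables" -t mangle "$action" PREROUTING -p ALL -i "$ExternalDevice" -s 0/0 -d "$ExternalHostIP" \
  -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT # account all other input bytes
"$iptables" -t mangle "$action" PREROUTING -p ALL -m limit --limit 10/hour --limit-burst 5 \
  -j LOG --log-prefix "iptables mangle PREROUTING" --log-tcp-options --log-ip-options # log incorrect access
# (3) Mangle INPUT chain rules
"$iptables" -t mangle "$action" INPUT -p ALL -i "$ExternalDevice" -s 0/0 -d "$ExternalHostIP" \
  -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT # account all input bytes
# (4) Mangle FORWARD chain rules
"$iptables" -t mangle "$action" FORWARD -p ALL -i "$ExternalDevice" -s 0/0 -d 0/0 \
  -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# (5) Mangle OUTPUT chain rules
"$iptables" -t mangle "$action" OUTPUT -p ALL -o "$ExternalDevice" -s "$ExternalHostIP" -d 0/0 \
  -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT # account all output bytes
# (6) Mangle POSTROUTING chain rules
# Rules for outgoing packets to Internet
"$iptables" -t mangle "$action" POSTROUTING -p tcp -o "$ExternalDevice" -s "$ExternalHostIP" -d 0/0 \
  -m state --state NEW,ESTABLISHED,RELATED -m multiport --destination-port 20,21 -j ACCEPT # account ftp output bytes
"$iptables" -t mangle "$action" POSTROUTING -p tcp -o "$ExternalDevice" -s "$ExternalHostIP" -d 0/0 \
  -m state --state NEW,ESTABLISHED,RELATED -m multiport --destination-port 80,443 -j ACCEPT # account http output bytes
"$iptables" -t mangle "$action" POSTROUTING -p ALL -o "$ExternalDevice" -s "$ExternalHostIP" -d 0/0 \
  -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT # account all other output bytes
# for spoofing edit next line (see the note in filter OUTPUT)
"$iptables" -t mangle "$action" POSTROUTING -p ALL -s "$SpoofingHostIP" -j ACCEPT
"$iptables" -t mangle "$action" POSTROUTING -p ALL -m limit --limit 10/hour --limit-burst 5 \
  -j LOG --log-prefix "iptables mangle POSTROUTING" --log-tcp-options --log-ip-options # log incorrect output

############### III NAT TABLE rules ##############
# (0) Policies (default)
"$iptables" -t nat -P PREROUTING DROP
"$iptables" -t nat -P OUTPUT DROP
"$iptables" -t nat -P POSTROUTING DROP
# (1) NAT user-defined chain rules: none
# (2) PREROUTING chain rules: REDIRECTION and PORTMAPPING
# Packets from INTERNET
# Mapping to external address uses socks5
# Redirection to a different port on this server
# Packets from internet (ExternalDevice)
"$iptables" -t nat "$action" PREROUTING -p udp -i "$ExternalDevice" -s 0/0 -d "$ExternalHostIP" \
  -m state --state NEW,ESTABLISHED,RELATED --dport 123 -j REDIRECT --to-ports 10123
# INPUT
# Rules for incoming packets from local computer and broadcast
"$iptables" -t nat "$action" PREROUTING -p ALL -i "$LoopBackInterface" -s "$ExternalHostIP" \
  -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Rules for incoming packets from Internet
"$iptables" -t nat "$action" PREROUTING -p ALL -d "$ExternalHostIP" \
  -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# OUTPUT
# Only output packets from local addresses, no spoofing
# NOTE(review): a packet arriving on ExternalDevice with this host's own
# address as source is spoofed; accepting it here (nat) is harmless only
# because the filter table decides, but it should not be a "no spoofing" rule.
"$iptables" -t nat "$action" PREROUTING -p ALL -i "$ExternalDevice" -s "$ExternalHostIP" \
  -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# for spoofing edit next line (see the note in filter OUTPUT)
"$iptables" -t nat "$action" PREROUTING -p ALL -s "$SpoofingHostIP" -j ACCEPT
"$iptables" -t nat "$action" PREROUTING -p ALL -m limit --limit 10/hour --limit-burst 5 \
  -j LOG --log-prefix "iptables nat PREROUTING" --log-tcp-options --log-ip-options # log incorrect access
# (3) OUTPUT chain rules
# Only output packets from local addresses, no spoofing
"$iptables" -t nat "$action" OUTPUT -p ALL -o "$ExternalDevice" -s "$ExternalHostIP" \
  -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# for spoofing edit next line (see the note in filter OUTPUT)
"$iptables" -t nat "$action" OUTPUT -p ALL -s "$SpoofingHostIP" -j ACCEPT
# Log prefix fixed: the original carried a copy-pasted "iptables mangle PREROUTING",
# which made these entries indistinguishable from the mangle chain's in syslog.
"$iptables" -t nat "$action" OUTPUT -p ALL -m limit --limit 10/hour --limit-burst 5 \
  -j LOG --log-prefix "iptables nat OUTPUT" --log-tcp-options --log-ip-options # log incorrect output
# (4) POSTROUTING chain rules: NAT or MASQUERADE
# Network address translation (NAT or MASQUERADE)
"$iptables" -t nat "$action" POSTROUTING -o "$ExternalDevice" -j MASQUERADE
# NOTE(review): the SNAT rule below can never match, MASQUERADE above already
# takes every packet leaving ExternalDevice (and a fixed source is wrong for a
# ppp link whose address changes); kept as in the original.
"$iptables" -t nat "$action" POSTROUTING -o "$ExternalDevice" -j SNAT --to-source "$ExternalHostIP"
# INPUT
# Rules for incoming packets from local computer and broadcast
"$iptables" -t nat "$action" POSTROUTING -p ALL -o "$LoopBackInterface" -s "$ExternalHostIP" \
  -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# OUTPUT
# Only output packets from local addresses, no spoofing
"$iptables" -t nat "$action" POSTROUTING -p ALL -o "$ExternalDevice" -s "$ExternalHostIP" \
  -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# for spoofing edit next line (see the note in filter OUTPUT)
"$iptables" -t nat "$action" POSTROUTING -p ALL -s "$SpoofingHostIP" -j ACCEPT
# Log prefix fixed here as well (was the same copy-pasted "iptables mangle PREROUTING").
"$iptables" -t nat "$action" POSTROUTING -p ALL -m limit --limit 10/hour --limit-burst 5 \
  -j LOG --log-prefix "iptables nat POSTROUTING" --log-tcp-options --log-ip-options # log incorrect access

# On link-down the user chains are now empty and no longer referenced from
# INPUT, so they can be removed; this keeps the next -A run's "-N" from failing.
if [ "$action" = "-D" ]; then
  "$iptables" -X SSHRules
  "$iptables" -X FTPRules
  "$iptables" -X HTTPRules
fi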
exit 0]]