що це, і чого воно в обговоренні?
-- isbear, 12-11-2012
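#!/bin/bash
# 20050809 iptables_eth0.sh hse@ukr.net
# Distributed under the terms of the GNU General Public License v2 or later
#
# Stand-alone host firewall for a machine with a single external interface.
# Every table gets a DROP default policy (mangle INPUT/FORWARD excepted);
# explicit ACCEPT rules then admit loopback traffic, the host's own address,
# replies to connections the host opened, and the inbound services listed
# in section I (FTP, SSH, HTTP/HTTPS, DNS, ping, traceroute replies).
# Whatever falls through is logged at a limited rate and dropped by the
# chain policy.
#
# Installation:
#   /etc/init.d/iptables stop
#   ./iptables_lo.sh
#   ./iptables_eth0.sh
#   /etc/init.d/iptables save
#
# Requires root, iptables and a net-tools ifconfig.

set -u  # a mistyped variable must not silently become an empty match

# 0 ******************* VARIABLE setup *****************************
# Before running this script, describe your network here.
printf '%s\n' "trying out to resolve yore local configuration :)"

# Interface setup
readonly ExternalDevice="eth0"
readonly LoopBackInterface="lo"

# IP address setup
readonly LoopBackIP="127.0.0.0/8"

# Refuse to start at all if a required tool is missing, rather than failing
# rule by rule after the DROP policies are already in place.
for tool in ifconfig iptables; do
  command -v "$tool" >/dev/null 2>&1 \
    || { printf '%s: %s not found in PATH\n' "${0##*/}" "$tool" >&2; exit 1; }
done

#######################################
# Print the IPv4 address from an ifconfig dump read on stdin.
# Understands both the classic net-tools layout ("inet addr:A  Bcast:B")
# and the newer one ("inet A  netmask M  broadcast B").
# Outputs:   the address, or nothing when no IPv4 line is present
#######################################
ifconfig_ipv4() {
  awk '
    $1 == "inet" {
      v = $2
      sub(/^addr:/, "", v)
      print v
      exit
    }'
}

#######################################
# Print the IPv4 broadcast address from an ifconfig dump read on stdin;
# same two layouts as ifconfig_ipv4.
# Outputs:   the broadcast address, or nothing when absent
#######################################
ifconfig_bcast() {
  awk '
    $1 == "inet" {
      for (i = 2; i <= NF; i++) {
        if ($i ~ /^Bcast:/) { sub(/^Bcast:/, "", $i); print $i; exit }
        if ($i == "broadcast") { print $(i + 1); exit }
      }
      exit
    }'
}

# Figure out the current IP configuration.  Uncomment the literal
# assignments to pin the values instead of probing the interface.
ifconfig_dump=$(LANG= LC_ALL= ifconfig "$ExternalDevice")
ExternalHostIP=$(ifconfig_ipv4 <<<"$ifconfig_dump")
#ExternalHostIP="192.168.108.2"
BroadcastIP=$(ifconfig_bcast <<<"$ifconfig_dump")
#BroadcastIP=192.168.108.255
#BannedIP="10.0.0.111"

# Every rule below embeds these two addresses.  An empty value makes
# iptables reject each rule that uses it, leaving the box behind a
# half-built ruleset; stop here, before the first iptables call, instead.
: "${ExternalHostIP:?could not read the IPv4 address of ${ExternalDevice}}"
: "${BroadcastIP:?could not read the broadcast address of ${ExternalDevice}}"
readonly ExternalHostIP BroadcastIP

# ISP servers (informational; not referenced by the rules below)
ns_1="192.168.108.10"
ns_2="192.168.108.11"
#ns_3="194.44.214.32"
#TimeServer="194.44.214.37"
#POP_Server=
#IMAP_Server=
#SMTP_Server="mail.lviv.ua"
#DHCP_Server=

# Kernel modules, if not built in
#modprobe iptable_nat
#modprobe ip_nat_ftp
#modprobe ip_conntrack
#modprobe ip_conntrack_ftp

printf '%s\n' " Machine type is:${MACHTYPE}, hostname is: ${HOSTNAME}, ExternalHostIP= ${ExternalHostIP}, BroadcastIP= ${BroadcastIP}"
# end
# Feel free to change the firewall rules below to suit your needs.

# Rate limit shared by every LOG rule so a flood cannot fill the syslog.
readonly -a LOG_LIMIT=(-m limit --limit 10/hour --limit-burst 5)
# State match used by almost every ACCEPT rule.
readonly -a ANY_STATE=(-m state --state NEW,ESTABLISHED,RELATED)

failures=0

#######################################
# Run iptables, counting (not aborting on) failures so the run can be
# reported as a whole at the end.  The original script always exited 0,
# which hid rules that never made it in.
# Globals:   failures (written)
# Arguments: the iptables command line
#######################################
ipt() {
  if ! iptables "$@"; then
    failures=$((failures + 1))
    printf 'FAILED: iptables %s\n' "$*" >&2
  fi
}

#######################################
# Create a user-defined chain for one TCP service: accept established and
# related traffic and new (SYN) connections, log anything else at a low
# rate, then drop it.
# Arguments: $1 - chain name, $2 - LOG prefix
#######################################
tcp_service_chain() {
  local chain=$1 prefix=$2
  ipt -N "$chain"
  ipt -A "$chain" -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
  ipt -A "$chain" -p TCP --syn -j ACCEPT
  # Logging incorrect packets (non-SYN packets of unknown connections)
  ipt -A "$chain" -p TCP "${LOG_LIMIT[@]}" -j LOG --log-prefix "$prefix" \
    --log-tcp-options --log-ip-options
  ipt -A "$chain" -p TCP -j DROP
}

#######################################
# Append an ACCEPT rule for any protocol between two addresses on one
# interface, in any connection state.
# Arguments: $1 table, $2 chain, $3 "-i" or "-o", $4 interface,
#            $5 source, $6 destination
#######################################
accept_any() {
  ipt -t "$1" -A "$2" -p ALL "$3" "$4" -s "$5" -d "$6" "${ANY_STATE[@]}" -j ACCEPT
}

#######################################
# The five "local computer" rules the script repeats in every table:
# loopback<->loopback, loopback<->host address, and the host's own address
# seen on the external interface.
# Arguments: $1 table, $2 chain, $3 "-i" or "-o"
#######################################
accept_local_host() {
  local table=$1 chain=$2 dir=$3
  accept_any "$table" "$chain" "$dir" "$LoopBackInterface" "$LoopBackIP"     "$LoopBackIP"
  accept_any "$table" "$chain" "$dir" "$LoopBackInterface" "$LoopBackIP"     "$ExternalHostIP"
  accept_any "$table" "$chain" "$dir" "$LoopBackInterface" "$ExternalHostIP" "$ExternalHostIP"
  # NOTE(review): on an inbound chain the next two rules accept packets that
  # arrive on the external interface with our own address as source, i.e.
  # they rely on the kernel's reverse-path filter to stop spoofing — confirm
  # rp_filter is enabled on ${ExternalDevice}.
  accept_any "$table" "$chain" "$dir" "$ExternalDevice"     "$ExternalHostIP" "$ExternalHostIP"
  accept_any "$table" "$chain" "$dir" "$ExternalDevice"     "$ExternalHostIP" "$LoopBackIP"
}

#######################################
# The three egress rules used by every OUTPUT chain: only packets carrying
# one of our own source addresses may leave (no spoofing).
# Arguments: $1 table, $2 chain
#######################################
accept_local_egress() {
  local table=$1 chain=$2
  accept_any "$table" "$chain" -o "$LoopBackInterface" "$LoopBackIP"     0/0
  accept_any "$table" "$chain" -o "$LoopBackInterface" "$ExternalHostIP" 0/0
  accept_any "$table" "$chain" -o "$ExternalDevice"     "$ExternalHostIP" 0/0
}

#######################################
# Rate-limited LOG rule appended at the end of a chain, just before the
# DROP policy takes over.
# Arguments: $1 table, $2 chain, $3 protocol (ALL/TCP/UDP/ICMP),
#            $4 log prefix, remaining args LOG target options
#######################################
log_rest() {
  local table=$1 chain=$2 proto=$3 prefix=$4
  shift 4
  ipt -t "$table" -A "$chain" -p "$proto" "${LOG_LIMIT[@]}" \
    -j LOG --log-prefix "$prefix" "$@"
}

# I ******************* FILTER TABLE rules ****************************

# (0) Policies (default): drop whatever no rule accepts
ipt -t filter -P INPUT DROP
ipt -t filter -P FORWARD DROP
ipt -t filter -P OUTPUT DROP

# (1) User-defined chains for TCP services reachable from the Internet
#tcp_service_chain TCPRulesI "iptables tcp INPUT "
tcp_service_chain FTPRules  "iptables ftp INPUT "
tcp_service_chain SSHRules  "iptables ssh INPUT "
tcp_service_chain httpRules "iptables http,https INPUT "

# (2) INPUT chain rules
# Packets from the local computer itself:
accept_local_host filter INPUT -i
# Broadcast.  NOTE(review): as written this matches packets whose *source*
# is the broadcast address; "-d ${BroadcastIP}" was presumably intended —
# confirm before relying on it.
accept_any filter INPUT -i "$ExternalDevice" "$BroadcastIP" "$ExternalHostIP"
# Replies to connections this host opened
ipt -A INPUT -p ALL -i "$ExternalDevice" -s 0/0 -d "$ExternalHostIP" \
  -m state --state ESTABLISHED,RELATED -j ACCEPT

# TCP services offered to the Internet; each service chain decides for itself
ipt -A INPUT -p TCP -i "$ExternalDevice" -s 0/0 -d "$ExternalHostIP" \
  -m multiport --destination-port 21 -j FTPRules         # FTP
ipt -A INPUT -p TCP -i "$ExternalDevice" -s 0/0 -d "$ExternalHostIP" \
  -m multiport --destination-port 22 -j SSHRules         # SSH
ipt -A INPUT -p TCP -i "$ExternalDevice" -s 0/0 -d "$ExternalHostIP" \
  -m multiport --destination-port 80,443 -j httpRules    # WWW, WWWS
ipt -A INPUT -p TCP -i "$ExternalDevice" -s 0/0 -d "$ExternalHostIP" \
  "${ANY_STATE[@]}" -m multiport --destination-port 9047,9048,9049 -j ACCEPT
# Logging access to other TCP ports
log_rest filter INPUT TCP "iptables tcp port? INPUT" --log-tcp-options --log-ip-options

# UDP rules
ipt -A INPUT -p UDP -i "$ExternalDevice" -s 0/0 -d "$ExternalHostIP" \
  --destination-port domain "${ANY_STATE[@]}" -j ACCEPT  # DNS
#ipt -A INPUT -p UDP -i "$ExternalDevice" -s "$TimeServer" -d "$ExternalHostIP" --destination-port 10123 "${ANY_STATE[@]}" -j ACCEPT  # network time protocol
#ipt -A INPUT -p UDP -i "$ExternalDevice" -s 0/0 -d "$ExternalHostIP" -m multiport --destination-port 2074,4000 "${ANY_STATE[@]}" -j ACCEPT  # multimedia applications
# Logging attempts to reach other UDP ports
log_rest filter INPUT UDP "iptables udp? INPUT " --log-ip-options

# ICMP rules
ipt -A INPUT -p ICMP -i "$ExternalDevice" -s 0/0 -d "$ExternalHostIP" \
  --icmp-type 8 -j ACCEPT   # echo request (lets others ping us)
ipt -A INPUT -p ICMP -i "$ExternalDevice" -s 0/0 -d "$ExternalHostIP" \
  --icmp-type 11 -j ACCEPT  # time exceeded (lets our traceroute work)
# Logging other ICMP
log_rest filter INPUT ICMP "iptables icmp INPUT " --log-ip-options

# (3) FORWARD chain rules: this host routes nothing, so log and drop
#accept_any filter FORWARD -i "$LoopBackInterface" "$LoopBackIP" "$ExternalHostIP"
#accept_any filter FORWARD -i "$ExternalDevice" "$ExternalHostIP" "$LoopBackIP"
log_rest filter FORWARD ALL "iptables FORWARD" --log-tcp-options --log-ip-options

# (4) OUTPUT chain rules: only packets from local addresses leave (no spoofing)
accept_local_egress filter OUTPUT
# for spoofing edit next line
#ipt -A OUTPUT -p ALL -s "${SpoofingHostIP}" -j ACCEPT
log_rest filter OUTPUT ALL "iptables OUTPUT " --log-tcp-options --log-ip-options

# II ***************** MANGLE TABLE rules *****************************

# (0) Policies (default)
ipt -t mangle -P PREROUTING DROP
ipt -t mangle -P INPUT ACCEPT    #DROP
ipt -t mangle -P FORWARD ACCEPT  #DROP
ipt -t mangle -P OUTPUT DROP
ipt -t mangle -P POSTROUTING DROP

# (1) Mangle user-defined chain rules: none

# (2) Mangle PREROUTING chain rules
# Packets from the local computer
accept_local_host mangle PREROUTING -i
# Packets from the Internet (also where all other input is accounted)
accept_any mangle PREROUTING -i "$ExternalDevice" 0/0 "$ExternalHostIP"
# Logging incorrect access
log_rest mangle PREROUTING ALL "iptables mangle PREROUTING" --log-tcp-options --log-ip-options

# (3) Mangle INPUT chain rules: none
# (4) Mangle FORWARD chain rules: none

# (5) Mangle OUTPUT chain rules (accounts all other output bytes)
accept_local_egress mangle OUTPUT

# (6) Mangle POSTROUTING chain rules: only local addresses leave (no spoofing)
accept_any mangle POSTROUTING -o "$LoopBackInterface" "$LoopBackIP" 0/0
# Outgoing packets to the Internet
accept_any mangle POSTROUTING -o "$ExternalDevice" "$ExternalHostIP" 0/0
# for spoofing edit next line
#ipt -t mangle -A POSTROUTING -p ALL -s "${SpoofingHostIP}" -j ACCEPT
# Logging incorrect output
log_rest mangle POSTROUTING ALL "iptables mangle POSTROUTING" --log-tcp-options --log-ip-options

# III ***************** NAT TABLE rules *******************************
# Only the first packet of a connection traverses the nat table, so the
# ESTABLISHED,RELATED part of the state matches below never fires; with the
# DROP policies the nat table acts as a second gate for new connections.

# (0) Policies (default)
ipt -t nat -P PREROUTING DROP
ipt -t nat -P OUTPUT DROP
ipt -t nat -P POSTROUTING DROP

# (1) NAT user-defined chain rules: none

# (2) PREROUTING chain rules: REDIRECTION and PORT MAPPING
# Packets from the Internet (ExternalDevice).  Example: map external port 22
# to a service listening on 10022.
#ipt -t nat -A PREROUTING -p tcp -i "$ExternalDevice" -s 0/0 -d "$ExternalHostIP" "${ANY_STATE[@]}" --dport 22 -j REDIRECT --to-ports 10022
# INPUT: packets from the local computer
accept_local_host nat PREROUTING -i
# Packets from the Internet
accept_any nat PREROUTING -i "$ExternalDevice" 0/0 "$ExternalHostIP"
# OUTPUT: only local addresses, no spoofing
accept_any nat PREROUTING -i "$LoopBackInterface" "$LoopBackIP" 0/0
accept_any nat PREROUTING -i "$ExternalDevice" "$ExternalHostIP" 0/0
# for spoofing edit next line
#ipt -t nat -A PREROUTING -p ALL -s "${SpoofingHostIP}" -j ACCEPT
# Logging incorrect access
log_rest nat PREROUTING ALL "iptables nat PREROUTING" --log-tcp-options --log-ip-options

# (3) OUTPUT chain rules: only local addresses, no spoofing
accept_local_egress nat OUTPUT
# for spoofing edit next line
#ipt -t nat -A OUTPUT -p ALL -s "${SpoofingHostIP}" -j ACCEPT
# Logging incorrect access.  The original prefix here was
# "iptables mangle PREROUTING", which made nat OUTPUT drops
# indistinguishable from mangle drops in syslog.
log_rest nat OUTPUT ALL "iptables nat OUTPUT " --log-tcp-options --log-ip-options

# (4) POSTROUTING chain rules: NAT or MASQUERADE
accept_any nat POSTROUTING -o "$LoopBackInterface" "$LoopBackIP" 0/0
# Network address translation (NAT or MASQUERADE).  SNAT is a terminating
# target, so packets leaving ${ExternalDevice} end here and never reach the
# "-o ${ExternalDevice}" rules below — presumably carried over from a router
# setup; left as the author wrote them.
ipt -t nat -A POSTROUTING -o "$ExternalDevice" -j SNAT --to-source "$ExternalHostIP"
# INPUT: packets from the local computer
accept_local_host nat POSTROUTING -o
# Broadcast
accept_any nat POSTROUTING -o "$ExternalDevice" "$BroadcastIP" "$ExternalHostIP"
# Packets from the Internet
accept_any nat POSTROUTING -o "$ExternalDevice" 0/0 "$ExternalHostIP"
# OUTPUT: only local addresses, no spoofing
accept_any nat POSTROUTING -o "$LoopBackInterface" "$LoopBackIP" 0/0
accept_any nat POSTROUTING -o "$ExternalDevice" "$ExternalHostIP" 0/0
# for spoofing edit next line
#ipt -t nat -A POSTROUTING -p ALL -s "${SpoofingHostIP}" -j ACCEPT
# Logging incorrect access.  The original prefix here was also
# "iptables mangle PREROUTING" (copy-paste); fixed to name this chain.
log_rest nat POSTROUTING ALL "iptables nat POSTROUTING" --log-tcp-options --log-ip-options

# Report a partial install instead of the unconditional "exit 0" the
# original ended with.
if (( failures > 0 )); then
  printf '%s: %d iptables command(s) failed; the ruleset is incomplete\n' \
    "${0##*/}" "$failures" >&2
  exit 1
fi
exit 0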