що це, і чого воно в обговоренні?

-- isbear, 12-11-2012

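#!/bin/bash
# 20050809 iptables_eth0.sh hse@ukr.net
# Distributed under the terms of the GNU General Public License v2 or later
#
# Host firewall for a single-homed machine (one external interface plus
# loopback): default-DROP policies in the filter table, one user chain per
# published TCP service (FTP, SSH, HTTP/HTTPS) that accepts only SYNs and
# packets of tracked connections, and rate-limited LOG rules for everything
# that falls through.  The mangle and nat tables get matching accept rules
# so that their DROP policies do not swallow legitimate local traffic.
#
# Installation:
#   /etc/init.d/iptables stop
#   ./iptables_lo.sh
#   ./iptables_eth0.sh
#   /etc/init.d/iptables save
#
# Deliberately not run under `set -e`: a single rule that fails to load is
# reported by iptables itself and the remaining rules are still applied,
# with the default-DROP policies already in place (fail-closed).

#  0  *******************       VARIABLE setup   *****************************
# Before running this script, adjust the network configuration below.
# begin
echo "trying out to resolve yore local configuration :)"

# Interface setup
ExternalDevice="eth0"
LoopBackInterface="lo"

# IP address setup
LoopBackIP="127.0.0.0/8"

# Figure out the current IP configuration.
# NOTE(review): this parses the legacy net-tools "inet addr:A.B.C.D  Bcast:..."
# output line; newer ifconfig builds print "inet A.B.C.D  netmask ..." and the
# grep then matches nothing.  Set ExternalHostIP/BroadcastIP by hand (see the
# commented examples) if the probe comes back empty.
ExternalHostIP=$(LANG= LC_ALL= ifconfig "${ExternalDevice}" | grep 'inet addr' | awk -F: '{ print $2 } ' | awk '{ print $1 }')
#ExternalHostIP="192.168.108.2"
BroadcastIP=$(LANG= LC_ALL= ifconfig "${ExternalDevice}" | grep 'inet addr' | awk -F: '{ print $3 } ' | awk '{ print $1 }')
#BroadcastIP=192.168.108.255

# Abort before touching any table if the host address is unknown: every
# rule below that uses "-d ${ExternalHostIP}" would otherwise fail to parse
# and the DROP policies would be installed with almost no ACCEPT rules.
: "${ExternalHostIP:?could not determine the IPv4 address of ${ExternalDevice}; set ExternalHostIP manually}"
# A missing broadcast address (e.g. a point-to-point link) is not fatal; the
# two broadcast rules are simply skipped instead of failing to parse.
if [[ -z "${BroadcastIP}" ]]; then
  printf 'warning: no broadcast address found on %s, broadcast rules will be skipped\n' "${ExternalDevice}" >&2
fi

#BannedIP="10.0.0.111"

# ISP servers setup (currently informational only; no rule below uses them)
ns_1="192.168.108.10"
ns_2="192.168.108.11"
#ns_3="194.44.214.32"
#TimeServer="194.44.214.37"
#POP_Server=
#IMAP_Server=
#SMTP_Server="mail.lviv.ua"
#DHCP_Server=

# Check for some kernel modules (enable if the matching rules are used)

#modprobe iptable_nat
#modprobe ip_nat_ftp
#modprobe ip_conntrack
#modprobe ip_contrack_ftp

echo " Machine type is:${MACHTYPE}, hostname is: ${HOSTNAME},
 ExternalHostIP= ${ExternalHostIP}, BroadcastIP= ${BroadcastIP}"

# end

# Feel free to change the firewall rules below to suit your setup.

#   I  *******************       FILTERING TABLE rules          ****************************

# (0) Policies (default)

iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP

# (1) User-defined chains for ACCEPTed TCP packets from the Internet

# Generic per-connection TCP chain, kept as a template:
#iptables -N TCPRulesI
#iptables -A TCPRulesI -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A TCPRulesI -p TCP --syn -j ACCEPT
#iptables -A TCPRulesI -p TCP -m limit --limit 10/hour --limit-burst 5 -j LOG --log-prefix "iptables tcp INPUT "  --log-tcp-options --log-ip-options # Logging incorrect packets
#iptables -A TCPRulesI -p TCP -j DROP

#######################################
# Create a per-service TCP chain: accept packets of a tracked connection and
# new SYNs, log (rate-limited) and drop everything else, i.e. non-SYN packets
# that do not belong to any tracked connection.
# Arguments: $1 - chain name
#            $2 - service label used in the LOG prefix
#######################################
service_chain() {
  local chain=$1
  local label=$2
  iptables -N "${chain}"
  iptables -A "${chain}" -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A "${chain}" -p TCP --syn -j ACCEPT
  iptables -A "${chain}" -p TCP -m limit --limit 10/hour --limit-burst 5 -j LOG --log-prefix "iptables ${label} INPUT " --log-tcp-options --log-ip-options # Logging incorrect packets
  iptables -A "${chain}" -p TCP -j DROP
}

service_chain FTPRules ftp
service_chain SSHRules ssh
service_chain httpRules http,https

# (2) INPUT chain rules

# Rules for incoming packets from the local computer:
iptables -A INPUT -p ALL -i "${LoopBackInterface}" -s "${LoopBackIP}" -d "${LoopBackIP}" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p ALL -i "${LoopBackInterface}" -s "${LoopBackIP}" -d "${ExternalHostIP}" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p ALL -i "${LoopBackInterface}" -s "${ExternalHostIP}" -d "${ExternalHostIP}" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# NOTE(review): the next two rules accept packets arriving on the external
# interface whose *source* is our own address.  Genuine local traffic never
# enters through eth0, so these only match spoofed packets unless the kernel's
# reverse-path filter (rp_filter) already discards them — confirm it is on.
iptables -A INPUT -p ALL -i "${ExternalDevice}" -s "${ExternalHostIP}" -d "${ExternalHostIP}" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p ALL -i "${ExternalDevice}" -s "${ExternalHostIP}" -d "${LoopBackIP}" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Rules for broadcast:
if [[ -n "${BroadcastIP}" ]]; then
  iptables -A INPUT -p ALL -i "${ExternalDevice}" -s "${BroadcastIP}" -d "${ExternalHostIP}" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
fi

# Packets of established connections

# Rules for incoming packets from the Internet
iptables -A INPUT -p ALL -i "${ExternalDevice}" -s 0/0 -d "${ExternalHostIP}" -m state --state ESTABLISHED,RELATED -j ACCEPT

# TCP rules

# Internet: published services go through their per-service chain
iptables -A INPUT -p TCP -i "${ExternalDevice}" -s 0/0 -d "${ExternalHostIP}" -m multiport --destination-port 21 -j FTPRules    # FTP
iptables -A INPUT -p TCP -i "${ExternalDevice}" -s 0/0 -d "${ExternalHostIP}" -m multiport --destination-port 22 -j SSHRules    # SSH
iptables -A INPUT -p TCP -i "${ExternalDevice}" -s 0/0 -d "${ExternalHostIP}" -m multiport --destination-port 80,443 -j httpRules   # WWW, WWWS
# TODO(review): document which application listens on 9047-9049; it is
# reachable from any source address.
iptables -A INPUT -p TCP -i "${ExternalDevice}" -s 0/0 -d "${ExternalHostIP}" -m state --state NEW,ESTABLISHED,RELATED -m multiport --destination-port 9047,9048,9049 -j ACCEPT

iptables -A INPUT -p TCP -m limit --limit 10/hour --limit-burst 5 -j LOG --log-prefix "iptables tcp port? INPUT" --log-tcp-options --log-ip-options       # Logging access to other ports

# UDP rules

# Internet
# NOTE(review): this accepts NEW inbound datagrams to port 53, i.e. it exposes
# a DNS service to anyone.  Replies to this host's own queries are already
# covered by the ESTABLISHED,RELATED rule above — confirm a resolver really
# serves external clients here, otherwise drop this rule.
iptables -A INPUT -p UDP -i "${ExternalDevice}" -s 0/0 -d "${ExternalHostIP}" --destination-port domain -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT          #DNS
#iptables -A INPUT -p UDP -i ${ExternalDevice} -s ${TimeServer} -d ${ExternalHostIP} --destination-port 10123 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT   #Network time protocol
#iptables -A INPUT -p UDP -i ${ExternalDevice} -s 0/0 -d ${ExternalHostIP} -m multiport --destination-port 2074,4000 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT    #multimedia appl

iptables -A INPUT -p UDP -m limit --limit 10/hour --limit-burst 5 -j LOG --log-prefix "iptables udp? INPUT " --log-ip-options # Logging attempted access to UDP

# ICMP rules

# Internet
iptables -A INPUT -p ICMP -i "${ExternalDevice}" -s 0/0 -d "${ExternalHostIP}" --icmp-type 8 -j ACCEPT      # echo request (lets others ping us)
iptables -A INPUT -p ICMP -i "${ExternalDevice}" -s 0/0 -d "${ExternalHostIP}" --icmp-type 11 -j ACCEPT     # time exceeded (traceroute replies)

iptables -A INPUT -p ICMP -m limit --limit 10/hour --limit-burst 5 -j LOG --log-prefix "iptables icmp INPUT " --log-ip-options    # Logging attempted access via ICMP

# (3) FORWARD chain rules

# ACCEPT packets we want to forward (none by default; policy is DROP)
#iptables -A FORWARD -p ALL -i ${LoopBackInterface} -s ${LoopBackIP} -d ${ExternalHostIP} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#iptables -A FORWARD -p ALL -i ${ExternalDevice} -s ${ExternalHostIP} -d ${LoopBackIP} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -p ALL -m limit --limit 10/hour --limit-burst 5 -j LOG --log-prefix "iptables FORWARD" --log-tcp-options --log-ip-options # Logging incorrect FORWARD


# (4) OUTPUT chain rules

# Only output packets from local addresses — no spoofing
iptables -A OUTPUT -p ALL -o "${LoopBackInterface}" -s "${LoopBackIP}" -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p ALL -o "${LoopBackInterface}" -s "${ExternalHostIP}" -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p ALL -o "${ExternalDevice}" -s "${ExternalHostIP}" -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# To allow a different source address, edit the next line
#iptables -A OUTPUT -p ALL -s ${SpoofingHostIP} -j ACCEPT

iptables -A OUTPUT -p ALL -m limit --limit 10/hour --limit-burst 5 -j LOG --log-prefix "iptables OUTPUT " --log-tcp-options --log-ip-options


#  II   *****************       MANGLE TABLE rules          *****************************

# (0) Policies (default)

iptables -t mangle -P PREROUTING DROP
iptables -t mangle -P INPUT ACCEPT  #DROP
iptables -t mangle -P FORWARD ACCEPT    #DROP
iptables -t mangle -P OUTPUT DROP
iptables -t mangle -P POSTROUTING DROP

# (1) Mangle user-defined chain rules

# (2) Mangle PREROUTING chain rules

# Rules for incoming packets from the local computer
iptables -t mangle -A PREROUTING -p ALL -i "${LoopBackInterface}" -s "${LoopBackIP}" -d "${LoopBackIP}" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t mangle -A PREROUTING -p ALL -i "${LoopBackInterface}" -s "${LoopBackIP}" -d "${ExternalHostIP}" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t mangle -A PREROUTING -p ALL -i "${LoopBackInterface}" -s "${ExternalHostIP}" -d "${ExternalHostIP}" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t mangle -A PREROUTING -p ALL -i "${ExternalDevice}" -s "${ExternalHostIP}" -d "${ExternalHostIP}" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t mangle -A PREROUTING -p ALL -i "${ExternalDevice}" -s "${ExternalHostIP}" -d "${LoopBackIP}" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Rules for incoming packets from the Internet
iptables -t mangle -A PREROUTING -p ALL -i "${ExternalDevice}" -s 0/0 -d "${ExternalHostIP}" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT                 #account all other input
iptables -t mangle -A PREROUTING -p ALL -m limit --limit 10/hour --limit-burst 5 -j LOG --log-prefix "iptables mangle PREROUTING" --log-tcp-options --log-ip-options                      # Logging incorrect access

# (3) Mangle INPUT chain rules


# (4) Mangle FORWARD chain rules

# (5) Mangle OUTPUT chain rules
iptables -t mangle -A OUTPUT -p ALL -o "${LoopBackInterface}" -s "${LoopBackIP}" -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t mangle -A OUTPUT -p ALL -o "${LoopBackInterface}" -s "${ExternalHostIP}" -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t mangle -A OUTPUT -p ALL -o "${ExternalDevice}" -s "${ExternalHostIP}" -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT                     #account all other output bytes

# (6) Mangle POSTROUTING chain rules

# Only output packets from local addresses — no spoofing
iptables -t mangle -A POSTROUTING -p ALL -o "${LoopBackInterface}" -s "${LoopBackIP}" -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Rules for outgoing packets to the Internet
iptables -t mangle -A POSTROUTING -p ALL -o "${ExternalDevice}" -s "${ExternalHostIP}" -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT                        #account all other output bytes

# To allow a different source address, edit the next line
#iptables -t mangle -A POSTROUTING -p ALL -s ${SpoofingHostIP} -j ACCEPT

iptables -t mangle -A POSTROUTING -p ALL -m limit --limit 10/hour --limit-burst 5 -j LOG --log-prefix "iptables mangle POSTROUTING" --log-tcp-options --log-ip-options                        # Logging incorrect output


#  III  *****************         NAT TABLE rules           *******************************

# (0) Policies (default)
# NOTE(review): the nat table only sees the first packet of each connection,
# and DROP policies on its chains are discouraged by the iptables manual.
# Kept as the author configured it; the ACCEPT rules below must cover every
# legitimate NEW flow or it is silently dropped before reaching the filter
# table — TODO confirm this is intended.

iptables -t nat -P PREROUTING DROP
iptables -t nat -P OUTPUT DROP
iptables -t nat -P POSTROUTING DROP

# (1) NAT user-defined chain rules

# (2) PREROUTING chain rules: REDIRECTION and PORT MAPPING

# Packets from the INTERNET

# Mapping to an external address, e.g. a socks5 proxy

# Packets from the Internet (ExternalDevice)
#iptables -t nat -A PREROUTING -p tcp -i ${ExternalDevice} -s 0/0 -d ${ExternalHostIP} -m state --state NEW,ESTABLISHED,RELATED --dport 22 -j REDIRECT --to-ports 10022

# INPUT

# Rules for incoming packets from the local computer and broadcast
iptables -t nat -A PREROUTING -p ALL -i "${LoopBackInterface}" -s "${LoopBackIP}" -d "${LoopBackIP}" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A PREROUTING -p ALL -i "${LoopBackInterface}" -s "${LoopBackIP}" -d "${ExternalHostIP}" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A PREROUTING -p ALL -i "${LoopBackInterface}" -s "${ExternalHostIP}" -d "${ExternalHostIP}" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A PREROUTING -p ALL -i "${ExternalDevice}" -s "${ExternalHostIP}" -d "${ExternalHostIP}" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A PREROUTING -p ALL -i "${ExternalDevice}" -s "${ExternalHostIP}" -d "${LoopBackIP}" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Rules for incoming packets from the Internet
iptables -t nat -A PREROUTING -p ALL -i "${ExternalDevice}" -s 0/0 -d "${ExternalHostIP}" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# OUTPUT
# Only output packets from local addresses — no spoofing
iptables -t nat -A PREROUTING -p ALL -i "${LoopBackInterface}" -s "${LoopBackIP}" -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A PREROUTING -p ALL -i "${ExternalDevice}" -s "${ExternalHostIP}" -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# To allow a different source address, edit the next line
#iptables -t nat -A PREROUTING -p ALL -s ${SpoofingHostIP} -j ACCEPT
iptables -t nat -A PREROUTING -p ALL -m limit --limit 10/hour --limit-burst 5 -j LOG --log-prefix "iptables nat PREROUTING" --log-tcp-options --log-ip-options        # Logging incorrect access

# (3) OUTPUT chain rules
# Only output packets from local addresses — no spoofing
iptables -t nat -A OUTPUT -p ALL -o "${LoopBackInterface}" -s "${LoopBackIP}" -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A OUTPUT -p ALL -o "${LoopBackInterface}" -s "${ExternalHostIP}" -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A OUTPUT -p ALL -o "${ExternalDevice}" -s "${ExternalHostIP}" -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# To allow a different source address, edit the next line
#iptables -t nat -A OUTPUT -p ALL -s ${SpoofingHostIP} -j ACCEPT
# Log prefix names the chain the rule actually sits in (was a copy-paste of
# the mangle PREROUTING prefix, which made the kernel log misleading).
iptables -t nat -A OUTPUT -p ALL -m limit --limit 10/hour --limit-burst 5 -j LOG --log-prefix "iptables nat OUTPUT" --log-tcp-options --log-ip-options     # Logging incorrect access

# (4) POSTROUTING chain rules: NAT or MASQUERADE
iptables -t nat -A POSTROUTING -p ALL -o "${LoopBackInterface}" -s "${LoopBackIP}" -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Network address translation (NAT or MASQUERADE)
# NOTE(review): SNAT is a terminating target in the nat table, so every
# "-o ${ExternalDevice}" rule that follows in this chain (and the final LOG
# rule, for such packets) is never reached.  Order kept as the author wrote
# it; reorder if those rules are meant to be evaluated.

iptables -t nat -A POSTROUTING -o "${ExternalDevice}" -j SNAT --to-source "${ExternalHostIP}"

# INPUT

# Rules for incoming packets from the local computer:
iptables -t nat -A POSTROUTING -p ALL -o "${LoopBackInterface}" -s "${LoopBackIP}" -d "${LoopBackIP}" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -p ALL -o "${LoopBackInterface}" -s "${LoopBackIP}" -d "${ExternalHostIP}" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -p ALL -o "${LoopBackInterface}" -s "${ExternalHostIP}" -d "${ExternalHostIP}" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -p ALL -o "${ExternalDevice}" -s "${ExternalHostIP}" -d "${ExternalHostIP}" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -p ALL -o "${ExternalDevice}" -s "${ExternalHostIP}" -d "${LoopBackIP}" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Rules for broadcast:
if [[ -n "${BroadcastIP}" ]]; then
  iptables -t nat -A POSTROUTING -p ALL -o "${ExternalDevice}" -s "${BroadcastIP}" -d "${ExternalHostIP}" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
fi

# Rules for incoming packets from the Internet
iptables -t nat -A POSTROUTING -p ALL -o "${ExternalDevice}" -s 0/0 -d "${ExternalHostIP}" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# OUTPUT
# Only output packets from local addresses — no spoofing

iptables -t nat -A POSTROUTING -p ALL -o "${LoopBackInterface}" -s "${LoopBackIP}" -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -p ALL -o "${ExternalDevice}" -s "${ExternalHostIP}" -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# To allow a different source address, edit the next line
#iptables -t nat -A POSTROUTING -p ALL -s ${SpoofingHostIP} -j ACCEPT
# Log prefix names the chain the rule actually sits in (was a copy-paste of
# the mangle PREROUTING prefix).
iptables -t nat -A POSTROUTING -p ALL -m limit --limit 10/hour --limit-burst 5 -j LOG --log-prefix "iptables nat POSTROUTING" --log-tcp-options --log-ip-options        # Logging incorrect access

exit 0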