що це, і чого воно робить у обговоренні?

-- isbear 12-11-2012

    
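#!/bin/bash
# 20050509 iptables_lo.sh hse@ukr.net
# Distributed under the terms of the GNU General Public License v2 or later
#
# Example of an iptables script for loopback only: every builtin chain of
# the filter, mangle and nat tables gets a DROP policy, and the only packets
# accepted are those entering or leaving on the loopback interface with a
# source address in the loopback range. Nothing else is allowed in, out or
# forwarded, so do not run this on a host you administer over the network.
#
# Installation:
# /etc/init.d/iptables stop
# ./iptables_lo.sh
# /etc/init.d/iptables save
#
# The script is idempotent: each table is flushed (after its policies have
# been set to DROP, so there is no window with an open policy) before its
# rules are added, so re-running it does not duplicate rules. Any failing
# iptables call aborts the script (set -e) instead of silently leaving a
# half-applied rule set.

set -eu

iptables="/sbin/iptables"

#  0  *******************       VARIABLE setup   *****************************
# before running this script set up the configuration of your network here:
# begin

# Interface setup
LoopBackInterface="lo"

# IP address setup
# NOTE: packets the host sends to one of its own non-loopback addresses also
# travel over lo, but carry that address as source and so do not match this
# range; extend the match if local services are reached that way.
LoopBackIP="127.0.0.0/8"

# Check for netfilter/iptables kernel modules:
#modprobe iptable_nat
#modprobe ip_nat_ftp
#modprobe ip_conntrack
#modprobe ip_conntrack_ftp
#modprobe ...
# end

# feel free to change the following firewall rules to suit your needs

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: $* - message
#######################################
die() {
  printf '%s: %s\n' "${0##*/}" "$*" >&2
  exit 1
}

#######################################
# Set the policy of every builtin chain of a table to DROP, then flush the
# table and delete its user-defined chains. Policies are set first so the
# table is never left open between the flush and the new rules.
# Globals:   iptables (read)
# Arguments: $1 - table name; $2.. - the table's builtin chains
#######################################
drop_and_flush() {
  local table=$1 chain
  shift
  for chain in "$@"; do
    "$iptables" -t "$table" -P "$chain" DROP
  done
  "$iptables" -t "$table" -F
  "$iptables" -t "$table" -X
}

#######################################
# Append the loopback ACCEPT rule to one chain of one table.
# Globals:   iptables, LoopBackInterface, LoopBackIP (read)
# Arguments: $1 - table name; $2 - chain; $3 - interface flag (-i or -o)
#######################################
accept_loopback() {
  local table=$1 chain=$2 ifflag=$3
  "$iptables" -t "$table" -A "$chain" -p ALL "$ifflag" "$LoopBackInterface" \
    -s "$LoopBackIP" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
}

# Pre-flight: iptables must exist and needs root; without these every rule
# below would fail one by one.
[[ -x "$iptables" ]] || die "$iptables not found or not executable"
(( EUID == 0 )) || die "must be run as root"

#   I  *******************       FILTERING TABLE rules           ****************************

# (0) Policies (default) and flush

drop_and_flush filter INPUT OUTPUT FORWARD

# (1) User-defined chains for ACCEPTed TCP packets
# from Internet

# (2) INPUT chain rules

# Rules for incoming packets from local computer and broadcast
accept_loopback filter INPUT -i

# TCP rules

# UDP rules

# ICMP rules

# (3) FORWARD chain rules

# ACCEPT packets we want to forward
# No one

# (4) OUTPUT chain rules

# Only output packets from local addresses, no spoofing
accept_loopback filter OUTPUT -o


#  II   *****************       MANGLE TABLE rules         *****************************

# (0) Policies (default) and flush

drop_and_flush mangle PREROUTING INPUT FORWARD OUTPUT POSTROUTING

# (1) Mangle USER-defined chain rules

# (2) Mangle PREROUTING chain rules

# Rules for incoming packets from local computer
accept_loopback mangle PREROUTING -i

# Rules for incoming packets from Internet

# (3) Mangle INPUT chain rules
accept_loopback mangle INPUT -i

# (4) Mangle FORWARD chain rules

# (5) Mangle OUTPUT chain rules
accept_loopback mangle OUTPUT -o

# (6) Mangle POSTROUTING chain rules

# Only output packets from local addresses, no spoofing
accept_loopback mangle POSTROUTING -o


#  III  *****************         NAT TABLE rules          *******************************
# The nat table is consulted only for the first packet of a connection, so
# the state match in these rules only ever sees NEW; it is kept for symmetry
# with the other tables. The DROP policy here discards the first packet of
# every connection not explicitly accepted, on top of the filter table.

# (0) Policies (default) and flush

drop_and_flush nat PREROUTING OUTPUT POSTROUTING

# (1) NAT USER-defined chain rules

# (2) PREROUTING chain rules: REDIRECTION and PORT MAPPING

# INPUT
# Rules for incoming packets from local computer and broadcast
accept_loopback nat PREROUTING -i

# Rules for incoming packets from Internet


# (3) OUTPUT chain rules
# Only output packets from local addresses, no spoofing
accept_loopback nat OUTPUT -o

# (4) POSTROUTING chain rules NAT or MASQUERADE

accept_loopback nat POSTROUTING -o

exit 0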