[Linux-guvenlik] Masquerading


From: Orcun Yucel (orcunyucel@phpmygallery.com)
Date: Tue 22 Nov 2005 - 13:00:44 EET


Merhaba,
Su an test asamasinda olan bir firewall scriptim var ve CLI chainini
POSTROUTING ve PREROUTING kullanmadan sadece MASQUERADE yapip internete
cikarmak istiyorum. Asagidaki scriptte ne gibi degisiklikler yapmam lazim.

#//Sabitler
# Addresses and interfaces every rule below refers to.  Two facts worth
# keeping in mind while reading the rules: DMZ_IFACE is the same NIC as
# LAN_IFACE and every DMZ_*_IP lies inside LAN_IP, so the "DMZ" hosts share
# the LAN segment rather than sitting behind a separate interface; and
# INET_IP falls inside the private range 172.16.0.0/12.
IPTABLES="/sbin/iptables"

# Uplink side
INET_IFACE="eth0"
INET_IP="172.22.2.61"
INET_BROADCAST="255.255.255.255"

# Loopback
LO_IFACE="lo"
LO_IP="127.0.0.1"

# LAN side
LAN_IFACE="eth1"
LAN_IP="192.168.0.0/24"

# "DMZ" (same NIC and subnet as the LAN)
DMZ_IFACE="eth1"
DMZ_IP="192.168.0.1"
DMZ_HTTP_IP="192.168.0.100"
DMZ_DNS_IP="192.168.0.100"
DMZ_MAIL_IP="192.168.0.100"

# Published service hosts (same box as the DMZ services above)
HTTP_IP="192.168.0.100"
DNS_IP="192.168.0.100"

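echo "Firewall icin gerekli moduller cekirdege yukleniyor..."

# Module loading stays commented out as in the original (the kernel normally
# autoloads these on first use).  If autoloading is disabled, uncomment them:
# the nat rules at the end of the script need iptable_nat, and any "-m limit"
# added to the LOG rules needs ipt_limit.
#/sbin/depmod -a
#/sbin/modprobe ip_tables
#/sbin/modprobe ip_conntrack
#/sbin/modprobe iptable_filter
#/sbin/modprobe iptable_mangle
#/sbin/modprobe iptable_nat
#/sbin/modprobe ipt_LOG
#/sbin/modprobe ipt_limit
#/sbin/modprobe ipt_state

# The original wrapped this message in non-ASCII quote marks (¨), which bash
# does not treat as quoting, so they were printed literally.
echo "Ip_Forward ve tcp_Syncookies aktif ediliyor..."

# Enable routing between the interfaces, and SYN cookies as SYN-flood
# mitigation for the firewall's own listeners.
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/tcp_syncookies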

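echo "Iptables silinip tum zincir kurallari paketleri DROP edecek sekilde ayarlaniyor..."

# Set the default policies to DROP *before* flushing.  The original flushed
# first, leaving a short window in which the tables were empty and the
# previous policy (ACCEPT on a fresh kernel) applied.
"$IPTABLES" -P INPUT DROP
"$IPTABLES" -P OUTPUT DROP
"$IPTABLES" -P FORWARD DROP

# Flush the filter table and delete its user chains.
"$IPTABLES" -F
"$IPTABLES" -X

# The original reset only the filter table; every re-run then appended a
# second copy of each nat rule (the PREROUTING DNATs and the POSTROUTING
# SNAT), because those are added with -A.  Reset the nat table too.
"$IPTABLES" -t nat -F
"$IPTABLES" -t nat -X

# User chains that FORWARD dispatches to further down.
"$IPTABLES" -N DMZ
"$IPTABLES" -N CLI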

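echo "CLI Zinciri tanimlaniyor..."

#//CLI Chain
# The chain is created with "-N CLI" and FORWARD jumps to it later with
# "-j CLI", but the original appended these rules to FORWARD itself.  That
# left CLI empty and, because this section ends in an unconditional DROP,
# made every FORWARD rule appended after it unreachable.  Append to CLI.
#
# Anything arriving from the LAN may be forwarded; everything else only as
# part of an already-established connection.
"$IPTABLES" -A CLI -i "$LAN_IFACE" -j ACCEPT
"$IPTABLES" -A CLI -m state --state ESTABLISHED,RELATED -j ACCEPT

# Catch-all: log, then drop.  The prefix says NOT.SYN but there is no "--syn"
# match here, so the rule drops every remaining TCP packet.  Consider adding
# "-m limit" to the LOG rules so a packet flood cannot fill syslog.
"$IPTABLES" -A CLI -p tcp -j LOG --log-prefix 'DROP.FORWARD.CLI.NOT.SYN.TCP '
"$IPTABLES" -A CLI -p tcp -j DROP
"$IPTABLES" -A CLI -j LOG --log-prefix 'DROP.OTHER.CLI.FORWARD '
"$IPTABLES" -A CLI -j DROP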

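echo "DMZ Zinciri tanimlaniyor..."

#//DMZ Chain
# Same problem as the CLI section: the chain is created with "-N DMZ" and
# FORWARD jumps to it with "-j DMZ", but the original appended these rules to
# FORWARD.  Append to DMZ.  (The echo above also used non-ASCII quote marks.)
#
# DMZ_IFACE and LAN_IFACE are both eth1 and the DMZ hosts sit inside LAN_IP,
# so the LAN<->DMZ rules below only see packets that are actually routed
# through this box; hosts on the same /24 otherwise reach each other directly.
"$IPTABLES" -A DMZ -i "$DMZ_IFACE" -o "$INET_IFACE" -j ACCEPT
"$IPTABLES" -A DMZ -i "$INET_IFACE" -o "$DMZ_IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -A DMZ -i "$LAN_IFACE" -o "$DMZ_IFACE" -j ACCEPT
"$IPTABLES" -A DMZ -i "$DMZ_IFACE" -o "$LAN_IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT

# Published services, matching the DNATs in the nat section: HTTP and DNS.
# "-s 0/0" matches any source and is kept from the original.  Note that the
# nat section also DNATs ports 25 and 110 to DMZ_MAIL_IP, but nothing in
# this chain admits that traffic; add rules mirroring the HTTP pair below if
# mail is meant to be reachable from outside.
"$IPTABLES" -A DMZ -p tcp -i "$INET_IFACE" -o "$DMZ_IFACE" -d "$DMZ_HTTP_IP" --dport 80 --syn -j ACCEPT
"$IPTABLES" -A DMZ -p tcp -i "$INET_IFACE" -o "$DMZ_IFACE" -d "$DMZ_HTTP_IP" --dport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -A DMZ -p icmp -i "$INET_IFACE" -o "$DMZ_IFACE" -d "$DMZ_HTTP_IP" -s 0/0 --icmp-type 11 -j ACCEPT
"$IPTABLES" -A DMZ -p tcp -i "$INET_IFACE" -o "$DMZ_IFACE" -d "$DMZ_DNS_IP" --dport 53 --syn -j ACCEPT
"$IPTABLES" -A DMZ -p tcp -i "$INET_IFACE" -o "$DMZ_IFACE" -d "$DMZ_DNS_IP" --dport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -A DMZ -p udp -i "$INET_IFACE" -o "$DMZ_IFACE" -d "$DMZ_DNS_IP" --dport 53 -j ACCEPT
"$IPTABLES" -A DMZ -p icmp -i "$INET_IFACE" -o "$DMZ_IFACE" -d "$DMZ_DNS_IP" -s 0/0 --icmp-type 11 -j ACCEPT

# Catch-all: log, then drop.  As in the other chains the NOT.SYN prefix is
# attached to a rule that matches all remaining TCP, and the LOG rules have
# no "-m limit"; consider adding one so a flood cannot fill syslog.
"$IPTABLES" -A DMZ -p tcp -j LOG --log-prefix 'DROP.FORWARD.DMZ.NOT.SYN.TCP '
"$IPTABLES" -A DMZ -p tcp -j DROP
"$IPTABLES" -A DMZ -j LOG --log-prefix 'DROP.OTHER.DMZ.FORWARD '
"$IPTABLES" -A DMZ -j DROP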

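echo "INPUT Zinciri tanimlaniyor..."

#//INPUT Chain
# Anti-spoofing: private source ranges are only bogus when they arrive on the
# uplink, so these drops are restricted to INET_IFACE.  In the original they
# had no "-i", so the 192.168.0.0/24 pair dropped every packet a LAN host
# sent to the firewall before the LAN ACCEPT rules further down were reached.
# Caveat: INET_IP (172.22.2.61) lies inside 172.16.0.0/12, so on this uplink
# the second pair also drops packets the upstream gateway and its neighbours
# send *to the firewall*; remove or narrow it if the uplink is a private net.
"$IPTABLES" -A INPUT -p all -i "$INET_IFACE" -s 10.0.0.0/8 -j LOG --log-prefix 'DROP.INPUT.PRIV.IP '
"$IPTABLES" -A INPUT -p all -i "$INET_IFACE" -s 10.0.0.0/8 -j DROP
"$IPTABLES" -A INPUT -p all -i "$INET_IFACE" -s 172.16.0.0/12 -j LOG --log-prefix 'DROP.INPUT.PRIV.IP '
"$IPTABLES" -A INPUT -p all -i "$INET_IFACE" -s 172.16.0.0/12 -j DROP
"$IPTABLES" -A INPUT -p all -i "$INET_IFACE" -s 192.168.0.0/24 -j LOG --log-prefix 'DROP.INPUT.PRIV.IP '
"$IPTABLES" -A INPUT -p all -i "$INET_IFACE" -s 192.168.0.0/24 -j DROP

# The box does not answer pings; there is no "-i", so this also covers the
# LAN side.
"$IPTABLES" -A INPUT -p icmp --icmp-type echo-request -j LOG --log-prefix 'DROP.INPUT.PING '
"$IPTABLES" -A INPUT -p icmp --icmp-type echo-request -j DROP

# A new TCP connection must start with a plain SYN.
"$IPTABLES" -A INPUT -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j DROP
"$IPTABLES" -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# ICMP time-exceeded from the uplink (traceroute / path diagnostics).
"$IPTABLES" -A INPUT -p icmp -i "$INET_IFACE" -s 0/0 --icmp-type 11 -j ACCEPT

# Local interfaces may talk to the firewall.  The original listed the LAN
# rule twice; the duplicate is dropped.
"$IPTABLES" -A INPUT -p all -i "$DMZ_IFACE" -d "$DMZ_IP" -j ACCEPT
"$IPTABLES" -A INPUT -p all -i "$LAN_IFACE" -d "$LAN_IP" -j ACCEPT
"$IPTABLES" -A INPUT -p all -i "$LO_IFACE" -s "$LO_IP" -j ACCEPT
"$IPTABLES" -A INPUT -p all -i "$LO_IFACE" -s "$LAN_IP" -j ACCEPT
"$IPTABLES" -A INPUT -p all -i "$LO_IFACE" -s "$INET_IP" -j ACCEPT

# Replies to connections the firewall itself opened.
"$IPTABLES" -A INPUT -p all -d "$INET_IP" -m state --state ESTABLISHED,RELATED -j ACCEPT

# Silently drop uplink noise (NetBIOS, DHCP, multicast) instead of logging it.
# The original hard-coded 255.255.255.255 in the DHCP rule; INET_BROADCAST
# holds that same value.  224.0.0.0/8 is only the first /8 of the multicast
# range (224.0.0.0/4); kept as written.
"$IPTABLES" -A INPUT -p udp -i "$INET_IFACE" -d "$INET_BROADCAST" --destination-port 135:139 -j DROP
"$IPTABLES" -A INPUT -p udp -i "$INET_IFACE" -d "$INET_BROADCAST" --destination-port 67:68 -j DROP
"$IPTABLES" -A INPUT -i "$INET_IFACE" -d 224.0.0.0/8 -j DROP

# Catch-all: log, then drop.  The first prefix says FORWARD although this is
# INPUT; it is kept unchanged so existing log searches still match.  Consider
# "-m limit" on the LOG rules so a flood cannot fill syslog.
"$IPTABLES" -A INPUT -p tcp -j LOG --log-prefix 'DROP.FORWARD.FW.NOT.SYN.TCP '
"$IPTABLES" -A INPUT -p tcp -j DROP
"$IPTABLES" -A INPUT -j LOG --log-prefix 'DROP.OTHER.FW.INPUT '
"$IPTABLES" -A INPUT -j DROP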

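echo "FORWARD Zinciri tanimlaniyor..."

#//FORWARD Zinciri
# Anti-spoofing on the uplink only.  In the original these drops had no "-i",
# so the 192.168.0.0/24 pair dropped every packet the LAN tried to forward
# through this box.
"$IPTABLES" -A FORWARD -p all -i "$INET_IFACE" -s 10.0.0.0/8 -j LOG --log-prefix 'DROP.FORWARD.PRIV.IP '
"$IPTABLES" -A FORWARD -p all -i "$INET_IFACE" -s 10.0.0.0/8 -j DROP
"$IPTABLES" -A FORWARD -p all -i "$INET_IFACE" -s 172.16.0.0/12 -j LOG --log-prefix 'DROP.FORWARD.PRIV.IP '
"$IPTABLES" -A FORWARD -p all -i "$INET_IFACE" -s 172.16.0.0/12 -j DROP
"$IPTABLES" -A FORWARD -p all -i "$INET_IFACE" -s 192.168.0.0/24 -j LOG --log-prefix 'DROP.FORWARD.PRIV.IP '
"$IPTABLES" -A FORWARD -p all -i "$INET_IFACE" -s 192.168.0.0/24 -j DROP

# Dispatch to the user chains, in the original order (tcp then udp per port).
# Kept as written, but note the selector: the *source* port is chosen by the
# remote peer, so it is not a reliable way to tell DMZ service traffic from
# anything else.  In particular an inbound request to a published service
# (DNATed to dport 80/53/25/110, with an arbitrary source port) does not
# match any of these and falls through to CLI, which only admits LAN-sourced
# or already-established traffic.  Selecting on "-d" / "--dport" would match
# the intent of the DMZ chain's rules.
for port in 80 53 25 110; do
  "$IPTABLES" -A FORWARD -p tcp --sport "$port" -j DMZ
  "$IPTABLES" -A FORWARD -p udp --sport "$port" -j DMZ
done
"$IPTABLES" -A FORWARD -p tcp -j CLI
"$IPTABLES" -A FORWARD -p udp -j CLI

# Catch-all: reached for non-TCP/UDP traffic, or if a user chain returns.
# The original wrapped the first prefix across two lines; restored to the
# same value used by the INPUT chain.
"$IPTABLES" -A FORWARD -p tcp -j LOG --log-prefix 'DROP.FORWARD.FW.NOT.SYN.TCP '
"$IPTABLES" -A FORWARD -p tcp -j DROP
"$IPTABLES" -A FORWARD -j LOG --log-prefix 'DROP.FW.CLI.FORWARD '
"$IPTABLES" -A FORWARD -j DROP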

echo "OUTPUT Zinciri tanimlaniyor..."

#//OUTPUT Zinciri
# Traffic the firewall itself originates is accepted only when it carries
# one of the box's own source addresses (loopback, LAN side, uplink side);
# anything else falls to the OUTPUT DROP policy set earlier in the script.
for src_addr in "$LO_IP" "$LAN_IP" "$INET_IP"; do
  "$IPTABLES" -A OUTPUT -p all -s "$src_addr" -j ACCEPT
done

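echo "NAT ayarlari tanimlaniyor..."

#//NAT
# Published services: packets addressed to the uplink address on these ports
# are rewritten to the internal server before routing.  The original lines
# were wrapped mid-command by the mail client; each rule is one line.
"$IPTABLES" -t nat -A PREROUTING -p tcp --dport 80 -d "$INET_IP" -j DNAT --to-destination "$DMZ_HTTP_IP:80"
"$IPTABLES" -t nat -A PREROUTING -p tcp --dport 53 -d "$INET_IP" -j DNAT --to-destination "$DMZ_DNS_IP:53"
"$IPTABLES" -t nat -A PREROUTING -p udp --dport 53 -d "$INET_IP" -j DNAT --to-destination "$DMZ_DNS_IP:53"
"$IPTABLES" -t nat -A PREROUTING -p tcp --dport 25 -d "$INET_IP" -j DNAT --to-destination "$DMZ_MAIL_IP:25"
"$IPTABLES" -t nat -A PREROUTING -p tcp --dport 110 -d "$INET_IP" -j DNAT --to-destination "$DMZ_MAIL_IP:110"

# Outbound: LAN traffic leaves with the uplink address.  SNAT is the right
# choice while INET_IP is fixed; for a dynamically assigned uplink address the
# equivalent is
#   "$IPTABLES" -t nat -A POSTROUTING -o "$INET_IFACE" -s "$LAN_IP" -j MASQUERADE
# Either way the rule belongs in the nat POSTROUTING chain: MASQUERADE is a
# target used inside that chain, not a substitute for it.
"$IPTABLES" -t nat -A POSTROUTING -s "$LAN_IP" -j SNAT --to-source "$INET_IP"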

Saygilar,

Orcun Yucel

_______________________________________________
Linux-guvenlik mailing list
Linux-guvenlik@liste.linux.org.tr
http://liste.linux.org.tr/mailman/listinfo/linux-guvenlik


