From: Orcun Yucel (orcunyucel@phpmygallery.com)
Date: Tue 22 Nov 2005 - 12:58:26 EET
Merhaba,
Su an test asamasinda olan bir firewall scriptim var ve CLI chainini
POSTROUTING ve PREROUTING kullanmadan sadece MASQUERADE yapip internete
cikarmak istiyorum. Asagidaki scriptte ne gibi degisiklikler yapmam lazim.
#//Sabitler
IPTABLES="/sbin/iptables"
INET_IP="172.22.2.61"
INET_BROADCAST="255.255.255.255"
HTTP_IP="192.168.0.100"
DNS_IP="192.168.0.100"
INET_IFACE="eth0"
LAN_IP="192.168.0.0/24"
LAN_IFACE="eth1"
DMZ_HTTP_IP="192.168.0.100"
DMZ_DNS_IP="192.168.0.100"
DMZ_MAIL_IP="192.168.0.100"
DMZ_IP="192.168.0.1"
DMZ_IFACE="eth1"
LO_IFACE="lo"
LO_IP="127.0.0.1"
echo "Firewall icin gerekli moduller cekirdege yukleniyor..."
#/sbin/depmod -a
#/sbin/modprobe ip_tables
#/sbin/modprobe ip_conntrack
#/sbin/modprobe iptable_filter
#/sbin/modprobe iptable_mangle
#/sbin/modprobe iptable_nat
#/sbin/modprobe ipt_LOG
#/sbin/modprobe ipt_limit
#/sbin/modprobe ipt_state
echo ¨Ip_Forward ve tcp_Syncookies aktif ediliyor...¨
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "Iptables silinip tum zincir kurallari paketleri DROP edecek sekilde
ayarlaniyor..."
$IPTABLES -F
$IPTABLES -X
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -N DMZ
$IPTABLES -N CLI
echo "CLI Zinciri tanimlaniyor..."
#//CLI Chain
$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -p tcp -j LOG --log-prefix
'DROP.FORWARD.CLI.NOT.SYN.TCP '
$IPTABLES -A FORWARD -p tcp -j DROP
$IPTABLES -A FORWARD -j LOG --log-prefix 'DROP.OTHER.CLI.FORWARD '
$IPTABLES -A FORWARD -j DROP
echo ¨DMZ Zinciri tanimlaniyor...¨
#//DMZ Chain
$IPTABLES -A FORWARD -i $DMZ_IFACE -o $INET_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $INET_IFACE -o $DMZ_IFACE -m state --state
ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $LAN_IFACE -o $DMZ_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $DMZ_IFACE -o $LAN_IFACE -m state --state
ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i $INET_IFACE -o $DMZ_IFACE -d
$DMZ_HTTP_IP --dport 80 --syn -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i $INET_IFACE -o $DMZ_IFACE -d
$DMZ_HTTP_IP --dport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -p icmp -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP -s
0/0 --icmp-type 11 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i $INET_IFACE -o $DMZ_IFACE -d
$DMZ_DNS_IP --dport 53 --syn -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i $INET_IFACE -o $DMZ_IFACE -d
$DMZ_DNS_IP --dport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -p udp -i $INET_IFACE -o $DMZ_IFACE -d
$DMZ_DNS_IP --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -p icmp -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP -s
0/0 --icmp-type 11 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -j LOG --log-prefix
'DROP.FORWARD.DMZ.NOT.SYN.TCP '
$IPTABLES -A FORWARD -p tcp -j DROP
$IPTABLES -A FORWARD -j LOG --log-prefix 'DROP.OTHER.DMZ.FORWARD '
$IPTABLES -A FORWARD -j DROP
echo "INPUT Zinciri tanimlaniyor..."
#//INPUT Chain
$IPTABLES -A INPUT -p all -s 10.0.0.0/8 -j LOG --log-prefix
'DROP.INPUT.PRIV.IP '
$IPTABLES -A INPUT -p all -s 10.0.0.0/8 -j DROP
$IPTABLES -A INPUT -p all -s 172.16.0.0/12 -j LOG --log-prefix
'DROP.INPUT.PRIV.IP '
$IPTABLES -A INPUT -p all -s 172.16.0.0/12 -j DROP
$IPTABLES -A INPUT -p all -s 192.168.0.0/24 -j LOG --log-prefix
'DROP.INPUT.PRIV.IP '
$IPTABLES -A INPUT -p all -s 192.168.0.0/24 -j DROP
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j LOG --log-prefix
'DROP.INPUT.PING '
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state
NEW -j DROP
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
$IPTABLES -A INPUT -p icmp -i $INET_IFACE -s 0/0 --icmp-type 11 -j ACCEPT
$IPTABLES -A INPUT -p all -i $DMZ_IFACE -d $DMZ_IP -j ACCEPT
$IPTABLES -A INPUT -p all -i $LAN_IFACE -d $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p all -i $LAN_IFACE -d $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p all -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p all -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p all -i $LO_IFACE -s $INET_IP -j ACCEPT
$IPTABLES -A INPUT -p all -d $INET_IP -m state --state
ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -p udp -i $INET_IFACE -d
$INET_BROADCAST --destination-port 135:139 -j DROP
$IPTABLES -A INPUT -p udp -i $INET_IFACE -d
255.255.255.255 --destination-port 67:68 -j DROP
$IPTABLES -A INPUT -i $INET_IFACE -d 224.0.0.0/8 -j DROP
$IPTABLES -A INPUT -p tcp -j LOG --log-prefix 'DROP.FORWARD.FW.NOT.SYN.TCP '
$IPTABLES -A INPUT -p tcp -j DROP
$IPTABLES -A INPUT -j LOG --log-prefix 'DROP.OTHER.FW.INPUT '
$IPTABLES -A INPUT -j DROP
echo "FORWARD Zinciri tanimlaniyor..."
#//FORWARD Zinciri
$IPTABLES -A FORWARD -p all -s 10.0.0.0/8 -j LOG --log-prefix
'DROP.FORWARD.PRIV.IP '
$IPTABLES -A FORWARD -p all -s 10.0.0.0/8 -j DROP
$IPTABLES -A FORWARD -p all -s 172.16.0.0/12 -j LOG --log-prefix
'DROP.FORWARD.PRIV.IP '
$IPTABLES -A FORWARD -p all -s 172.16.0.0/12 -j DROP
$IPTABLES -A FORWARD -p all -s 192.168.0.0/24 -j LOG --log-prefix
'DROP.FORWARD.PRIV.IP '
$IPTABLES -A FORWARD -p all -s 192.168.0.0/24 -j DROP
$IPTABLES -A FORWARD -p tcp --sport 80 -j DMZ
$IPTABLES -A FORWARD -p udp --sport 80 -j DMZ
$IPTABLES -A FORWARD -p tcp --sport 53 -j DMZ
$IPTABLES -A FORWARD -p udp --sport 53 -j DMZ
$IPTABLES -A FORWARD -p tcp --sport 25 -j DMZ
$IPTABLES -A FORWARD -p udp --sport 25 -j DMZ
$IPTABLES -A FORWARD -p tcp --sport 110 -j DMZ
$IPTABLES -A FORWARD -p udp --sport 110 -j DMZ
$IPTABLES -A FORWARD -p tcp -j CLI
$IPTABLES -A FORWARD -p udp -j CLI
$IPTABLES -A FORWARD -p tcp -j LOG --log-prefix 'DROP.FORWARD.FW.NOT.SYN.TCP
'
$IPTABLES -A FORWARD -p tcp -j DROP
$IPTABLES -A FORWARD -j LOG --log-prefix 'DROP.FW.CLI.FORWARD '
$IPTABLES -A FORWARD -j DROP
echo "OUTPUT Zinciri tanimlaniyor..."
#//OUTPUT Zinciri
$IPTABLES -A OUTPUT -p all -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p all -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p all -s $INET_IP -j ACCEPT
echo "NAT ayarlari tanimlaniyor..."
#//NAT
$IPTABLES -t nat -A PREROUTING -p tcp --dport 80 -d $INET_IP -j
DNAT --to-destination $DMZ_HTTP_IP:80
$IPTABLES -t nat -A PREROUTING -p tcp --dport 53 -d $INET_IP -j
DNAT --to-destination $DMZ_DNS_IP:53
$IPTABLES -t nat -A PREROUTING -p udp --dport 53 -d $INET_IP -j
DNAT --to-destination $DMZ_DNS_IP:53
$IPTABLES -t nat -A PREROUTING -p tcp --dport 25 -d $INET_IP -j
DNAT --to-destination $DMZ_MAIL_IP:25
$IPTABLES -t nat -A PREROUTING -p tcp --dport 110 -d $INET_IP -j
DNAT --to-destination $DMZ_MAIL_IP:110
$IPTABLES -t nat -A POSTROUTING -s $LAN_IP -j SNAT --to-source $INET_IP
Saygilar,
Orcun Yucel
_______________________________________________
Linux-ag mailing list
Linux-ag@liste.linux.org.tr
http://liste.linux.org.tr/mailman/listinfo/linux-ag