[rlug] firewall

Mon, 20 Oct 2003 12:48:03 -0700 

Am urmatoarea problema: cind rulez scriptul de mai jos, statiile din LAN-ul
care e conectat la servu cu pricina nu mai ies pe net. Ma gindesc ca trebuie
sa fie ceva de la chainu' dde FORWARD, nu de la NAT, dar e f. ciudat totusi,
pt. ca mac+ip se potriveste si cu toate astea nici o statie din retea nu mai
iese pe net.
scriptu:
-------
#!/bin/bash

#debug
set -x

#Definire variabile
ipt="/sbin/iptables"
devl="eth0"
deve="eth1+"
e_net="82.xx.xx.64/255.255.255.224"
l_net="192.168.254.0/255.255.255.0"
l_ip="192.168.254.1"
nat="/sbin/iptables -t nat -A EXTERN_IP"

#Flush
$ipt -t nat -F
$ipt -t nat -X
$ipt -t mangle -F
$ipt -t mangle -X
$ipt -F
$ipt -X
$ipt -Z

#Policy pe chain-uri
$ipt -t nat -P PREROUTING ACCEPT
$ipt -t nat -P POSTROUTING ACCEPT
$ipt -P INPUT DROP
$ipt -P FORWARD DROP
$ipt -P OUTPUT ACCEPT

#smechereli
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#end smechereli

$ipt -N SRV
$ipt -N LOCAL_NET
$ipt -N VALID_CHECK
$ipt -t mangle -N ICMP_LIMIT

#ACCES PE FORWARD
$ipt -I FORWARD -i $deve -j ACCEPT
$ipt -I FORWARD -i $devl -j LOCAL_NET
#PE INPUT
$ipt -I INPUT -j SRV
$ipt -I INPUT -i $deve -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
$ipt -I INPUT -j VALID_CHECK
#verificare pachete TCP
#$ipt -A INPUT -s ! $l_net  -j VALID_CHECK
#$ipt -A FORWARD -s ! $l_net -j VALID_CHECK

#DROP SCAN si alte shit-uri
$ipt -A VALID_CHECK -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$ipt -A VALID_CHECK -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$ipt -A VALID_CHECK -p tcp --tcp-flags ALL ALL -j DROP
$ipt -A VALID_CHECK -p tcp --tcp-flags ALL FIN -j DROP
$ipt -A VALID_CHECK -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$ipt -A VALID_CHECK -p tcp --tcp-flags ALL NONE -j DROP
# Bad TCP FLAGS
$ipt -A VALID_CHECK -p tcp --tcp-option 64 -j DROP
$ipt -A VALID_CHECK -p tcp --tcp-option 128 -j DROP

#Limitare ICMP
$ipt -t mangle -A PREROUTING -p icmp -j ICMP_LIMIT
$ipt -t mangle -A ICMP_LIMIT -p icmp --icmp-type destination-unreachable -m
limit --limit 10/s -j ACCEPT
$ipt -t mangle -A ICMP_LIMIT -p icmp --icmp-type source-quench -m
limit --limit 10/s -j ACCEPT
$ipt -t mangle -A ICMP_LIMIT -p icmp --icmp-type time-exceeded -m
limit --limit 10/s -j ACCEPT
$ipt -t mangle -A ICMP_LIMIT -p icmp --icmp-type parameter-problem -m
limit --limit 10/s -j ACCEPT
$ipt -t mangle -A ICMP_LIMIT -p icmp --icmp-type echo-request -m
limit --limit 1/s -j ACCEPT
$ipt -t mangle -A ICMP_LIMIT -p icmp --icmp-type echo-reply -m limit --limit
1/s -j ACCEPT
$ipt -t mangle -A ICMP_LIMIT -j DROP

#Servicii Acceptate pe ruter
$ipt -A SRV -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
$ipt -A SRV -p tcp -m tcp --dport 25 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
$ipt -A SRV -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
$ipt -A SRV -p tcp -m tcp --dport 443 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
$ipt -A SRV -p tcp -m tcp --dport 3535 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
$ipt -A SRV -p tcp -m tcp --dport 5222 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
$ipt -A SRV -p tcp -m tcp --dport 5223 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
$ipt -A SRV -p tcp -m tcp --dport 6667 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
$ipt -A SRV -p tcp -m tcp -i $devl -s $l_net --dport 20:21 --tcp-flags
SYN,RST,ACK SYN -j ACCEPT
$ipt -A SRV -p tcp -m tcp -i $devl -s $l_net --dport 110 --tcp-flags
SYN,RST,ACK SYN -j ACCEPT
$ipt -A SRV -p tcp -m tcp -i $devl -s $l_net --dport 3306 -j ACCEPT
$ipt -A SRV -p udp -m udp --dport 22 -j ACCEPT
$ipt -A SRV -p udp -m udp --dport 53 -j ACCEPT
# FORWARD ip+mac
$ipt -A LOCAL_NET -s 192.168.254.1 -m mac --mac-source 00:04:AC:2E:08:30 -j
ACCEPT
$ipt -A LOCAL_NET -s 192.168.254.2 -m mac --mac-source 00:02:44:4C:7A:05 -j
ACCEPT
$ipt -A LOCAL_NET -s 192.168.254.125 -m mac --mac-source
00:08:C7:49:AE:A3 -j ACCEPT
$ipt -A LOCAL_NET -s 192.168.254.126 -m mac --mac-source
00:08:C7:49:AE:A3 -j ACCEPT
$ipt -A LOCAL_NET -s 192.168.254.150 -m mac --mac-source
00:50:22:C8:2A:79 -j ACCEPT
$ipt -A LOCAL_NET -s 192.168.254.11 -m mac --mac-source 00:02:44:57:1C:1C -j
ACCEPT
$ipt -A LOCAL_NET -s 192.168.254.12 -m mac --mac-source 00:02:44:4a:b0:67 -j
ACCEPT
$ipt -A LOCAL_NET -s 192.168.254.13 -m mac --mac-source 00:C0:26:87:A2:1F -j
ACCEPT
..multe alte ip-uri....
$ipt -A LOCAL_NET -j DROP
#SNAT
$ipt -t nat -N EXTERN_IP
$ipt -t nat -A POSTROUTING -s $l_net -j EXTERN_IP
$nat -s 192.168.254.2 -j SNAT --to-source 82.xx.xx.67
$nat -s 192.168.254.150 -j SNAT --to-source 82.xx.xx.93
$nat -s 192.168.254.10 -j SNAT --to-source 82.xx.xx.67
$nat -s 192.168.254.11 -j SNAT --to-source 82.xx.xx.67
$nat -s 192.168.254.12 -j SNAT --to-source 82.xx.xx.67
$nat -s 192.168.254.13 -j SNAT --to-source 82.xx.xx.68
$nat -s 192.168.254.14 -j SNAT --to-source 82.xx.xx.68
$nat -s 192.168.254.15 -j SNAT --to-source 82.xx.xx.68
...etc...
#DNAT
$ipt -t nat -A PREROUTING -d 82.xx.xx.93 -j DNAT --to 192.168.254.150
#loopback
$ipt -I INPUT -i lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT




--- 
Detalii despre listele noastre de mail: http://www.lug.ro/

Raspunde prin e-mail lui