Hello rlug, I sorted out the firewall with iptables -F :) it was obvious, but it was harder for me :D
Please look over the rules and tell me what mistakes there are, and any suggestions you may have.... Thanks! I also added a port redirect for a transparent proxy, but it only works if I set the INPUT policy to ACCEPT.... so there are some mistakes somewhere, but I can't figure out where...

================================================
#!/bin/bash
# eth0 is connected to the internet.
# eth1 is connected to a private subnet.
# Change this subnet to correspond to your private
# ethernet subnet.
PRIVATE=192.168.0.0/24
# Loopback address
LOOP=127.0.0.1
# External address
IPEXT=a.b.c.d

# Delete old iptables rules (filter, nat and mangle tables,
# so the script can be re-run) and temporarily block all traffic.
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -F
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F

# Set default policies
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP

# Prevent external packets from using loopback addr
iptables -A INPUT -i eth0 -s $LOOP -j DROP
iptables -A FORWARD -i eth0 -s $LOOP -j DROP
iptables -A INPUT -i eth0 -d $LOOP -j DROP
iptables -A FORWARD -i eth0 -d $LOOP -j DROP

# Anything coming from the Internet should have a real Internet address
iptables -A FORWARD -i eth0 -s 192.168.0.0/16 -j DROP
iptables -A FORWARD -i eth0 -s 172.16.0.0/12 -j DROP
iptables -A FORWARD -i eth0 -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i eth0 -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i eth0 -s 10.0.0.0/8 -j DROP

# Block outgoing NetBios (if you have windows machines running
# on the private subnet). This will not affect any NetBios
# traffic that flows over the VPN tunnel, but it will stop
# local windows machines from broadcasting themselves to
# the internet.
iptables -A FORWARD -p tcp --sport 137:139 -o eth0 -j DROP
iptables -A FORWARD -p udp --sport 137:139 -o eth0 -j DROP
iptables -A OUTPUT -p tcp --sport 137:139 -o eth0 -j DROP
iptables -A OUTPUT -p udp --sport 137:139 -o eth0 -j DROP

# Check source address validity on packets going out to internet
iptables -A FORWARD ! -s $PRIVATE -i eth1 -j DROP

# Allow local loopback
iptables -A INPUT -s $LOOP -j ACCEPT
iptables -A INPUT -d $LOOP -j ACCEPT

# Allow incoming pings (can be disabled)
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# Allow services such as www and ssh (can be disabled)
iptables -A INPUT -p tcp --dport http -j ACCEPT
iptables -A INPUT -p tcp --dport ssh --syn -j ACCEPT
iptables -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -A INPUT -p tcp --dport smtp -j ACCEPT
iptables -A INPUT -p udp --dport domain -j ACCEPT

# Accept the VPN connection
iptables -A INPUT -p udp --dport 5000 -j ACCEPT

# Allow packets from TUN/TAP devices.
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A INPUT -i tap+ -j ACCEPT
iptables -A FORWARD -i tap+ -j ACCEPT

# Allow packets from private subnets
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -j ACCEPT

# Keep state of connections from local machine and private subnets
iptables -A OUTPUT -m state --state NEW -o eth0 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW -o eth0 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p ALL -m state --state INVALID -j DROP
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j LOG \
    --log-prefix "Packete noi dar fara --syn:"
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,ACK SYN,ACK \
    -m state --state NEW -j REJECT --reject-with tcp-reset

# SNAT local subnet
iptables -t nat -A POSTROUTING -o eth0 -s $PRIVATE -j SNAT --to-source $IPEXT

# IPs with no internet access
iptables -A FORWARD -s 192.168.0.72 -j REJECT

# Flood protection
# this rule allows 12 connections per second
# after a burst maximum of 24 has been reached
iptables -t nat -N syn-flood
iptables -t nat -A syn-flood -m limit --limit 12/s --limit-burst 24 -j RETURN
iptables -t nat -A syn-flood -j DROP
iptables -t nat -A PREROUTING -i eth0 -d $IPEXT -p tcp --syn -j syn-flood
iptables -A INPUT --fragment -p icmp -j DROP

# against stealth scans
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

# TOS and other stuff
iptables -A PREROUTING -t mangle -p tcp --sport ssh \
    -j TOS --set-tos Minimize-Delay

# transparent proxy
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
========================================

--
Best regards,
yo8stl
mailto:[EMAIL PROTECTED]

---
Details about our mailing lists: http://www.lug.ro/
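An added illustration, not part of the original post: a small first-match walker for the subset of iptables syntax the script above uses, which reports the rule that actually decides a packet's fate in a chain. The FORWARD excerpt and the sample packets are constructed from the script (the $PRIVATE value and the 192.168.0.72 host come from it); matches the walker does not model (-m state, -d, -p, --sport, ...) are treated as never matching, so it only ever attributes a decision to a fully-modelled rule.

```python
import ipaddress
import shlex
NOARG = {"--syn", "-f", "--fragment"}     # options that take no argument
SUPPORTED = {"-i", "-o", "-s"}            # the only matches this walker models
def parse_rules(script):
    # [(chain, {option: (value, negated)}, target)] for each filter-table "iptables -A" line
    rules = []
    for line in script.replace("\\\n", " ").splitlines():
        tok = shlex.split(line.replace("$PRIVATE", "192.168.0.0/24"))
        if tok[:2] != ["iptables", "-A"] or "-t" in tok:
            continue                      # skip comments, blanks and nat/mangle rules
        tok = sum(([t, "1"] if t in NOARG else [t] for t in tok), [])  # give flags a dummy value
        matches, i = {}, 3
        while i < len(tok):
            neg = tok[i] == "!"           # modern "! -s addr" form
            opt, i = tok[i + neg], i + neg + 1
            if tok[i] == "!":             # legacy "-s ! addr" form
                neg, i = True, i + 1
            matches[opt], i = (tok[i], neg), i + 1
        rules.append((tok[2], matches, matches.pop("-j")[0]))
    return rules
def rule_fires(matches, pkt):
    # True only if every match the rule uses is modelled and satisfied
    for opt, (val, neg) in matches.items():
        if opt not in SUPPORTED:
            return False                  # -m state, -p, -d, --sport...: never claim a hit
        if opt == "-s":
            hit = ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(val, strict=False)
        else:                             # -i / -o, with iptables' trailing "+" wildcard
            dev = pkt["in" if opt == "-i" else "out"]
            hit = dev.startswith(val[:-1]) if val.endswith("+") else dev == val
        if hit == neg:
            return False
    return True
def first_match(rules, chain, pkt, policy="DROP"):
    # (index, target) of the first rule in CHAIN that fires, else (None, policy)
    for idx, (_, m, target) in enumerate([r for r in rules if r[0] == chain]):
        if rule_fires(m, pkt):
            return idx, target
    return None, policy

# Constructed excerpt of the script's FORWARD chain, in installation order.
FORWARD_RULES = """\
iptables -A FORWARD -i eth0 -s 10.0.0.0/8 -j DROP
iptables -A FORWARD ! -s $PRIVATE -i eth1 -j DROP
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -s 192.168.0.72 -j REJECT
"""
LAN_HOST = {"in": "eth1", "out": "eth0", "src": "192.168.0.72"}  # constructed: the blocked host going out
```

For LAN_HOST the walker stops at index 2, the catch-all "-i eth1 -j ACCEPT", so the REJECT for 192.168.0.72 at index 3 is never reached.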
