Predator (Admin)
Messages: 368 Join date: 30/06/2008 Age: 33 Location: Bucuresti
Subject: Firewall script Wed Jul 30, 2008 5:12 pm
A small script that will help those who have a small network behind their Linux box. Code:

#!/bin/bash
# routing script

# flush everything
iptables -F
iptables -F -t nat
iptables -F -t mangle
echo "0" > /proc/sys/net/ipv4/ip_forward

# enable the NAT helper modules
modprobe ip_nat_irc
modprobe ip_nat_ftp

# enable ip forwarding between the network cards
echo "1" > /proc/sys/net/ipv4/ip_forward

# squid redirect (disabled)
# iptables -t nat -A PREROUTING -i eth3 -p tcp --dport 80 -j REDIRECT --to 172.21.0.1:8080

# dnat to the real ip
iptables -t nat -A PREROUTING -i eth0 -d xx.xx.xx.xx -p tcp -j DNAT --to 192.168.2.30

# map local network ips to the router's ip
iptables -A POSTROUTING -t nat -o eth0 -s 192.168.2.0/24 -j SNAT --to-source xx.xx.xx.xx

# bump the TTL a little
iptables -t mangle -A POSTROUTING -j TTL --ttl-inc 1

# accept the primary IP, on eth0
iptables -A POSTROUTING -t nat -s xx.xx.xx.xx -j ACCEPT
# accept the secondary IP, on eth2
iptables -A POSTROUTING -t nat -s 192.168.2.1 -j ACCEPT
# accept the secondary IP, on eth3
iptables -A POSTROUTING -t nat -s 192.168.3.1 -j ACCEPT
# accept loopback
iptables -A POSTROUTING -t nat -s 127.0.0.1 -j ACCEPT
# accept the NS servers
iptables -A POSTROUTING -t nat -s xx.xx.xx.xx -j ACCEPT
iptables -A POSTROUTING -t nat -s xx.xx.xx.xx -j ACCEPT
iptables -A POSTROUTING -t nat -s xx.xx.xx.xx -j ACCEPT
iptables -A POSTROUTING -t nat -s xx.xx.xx.xx -j ACCEPT
iptables -A POSTROUTING -t nat -s xx.xx.xx.xx -j ACCEPT
# accept the IPs from the local network
iptables -A POSTROUTING -t nat -s 192.168.2.0/24 -j ACCEPT
iptables -A POSTROUTING -t nat -s 192.168.3.0/24 -j ACCEPT
# block anything else
iptables -A POSTROUTING -t nat -o eth0 -j DROP

# firewall rules

# close mysql to the outside
iptables -A INPUT -i eth0 -p udp --dport 3306 -j REJECT --reject-with icmp-admin-prohibited
iptables -A INPUT -i eth0 -p tcp --dport 3306 -j REJECT --reject-with icmp-admin-prohibited

# ssh rules
iptables -A INPUT -p tcp -s xx.xx.xx.xx/32 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.2.0/24 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.3.0/24 --dport 22 -j ACCEPT

# vsftpd
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 20 -j ACCEPT

# accept what is fine, drop the rest
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state INVALID -j DROP

# forward rules by mac address

# forward per mac
iptables -A FORWARD -s 10.24.0.11 -m mac --mac-source 00:0A:E6:59:A6:B7 -j ACCEPT
iptables -A FORWARD -d 10.24.0.11 -j ACCEPT

# block the rest of the forwarding
iptables -P FORWARD DROP

I'd note that the script isn't mine... I've used it countless times with whatever modifications were needed.... The script in its current form is a collection of iptables rules meant as an example. If you have trouble understanding it or need help, don't hesitate to contact me.
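An added audit helper, not part of the post or the script above: it reads an iptables-save dump and reports ports that have source-restricted ACCEPT rules in a chain whose policy is ACCEPT, with no catch-all DROP/REJECT for that port, which is the pattern of the SSH rules in the script when the INPUT policy is never changed. The SAMPLE_RULES dump is constructed for the example and uses a documentation address instead of the post's xx.xx.xx.xx placeholders.

```shell
#!/bin/bash
# Added audit example (not from the original post). Flags allowlist rules
# that are not enforced: a per-source ACCEPT for a port only restricts
# access if the chain policy is DROP or a later rule denies the port.

# Constructed sample in iptables-save format, modelled on the post's rules.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth0 -p tcp --dport 3306 -j REJECT --reject-with icmp-admin-prohibited
-A INPUT -s 203.0.113.5/32 -p tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.2.0/24 -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 21 -j ACCEPT
COMMIT'

# Prints "CHAIN PORT" (sorted) for every port that has a source-restricted
# ACCEPT in a chain with ACCEPT policy and no source-less DROP/REJECT rule.
find_unenforced_allowlists() {
  printf '%s\n' "$1" | awk '
    /^:/ { sub(/^:/, "", $1); policy[$1] = $2; next }   # chain policy lines
    $1 == "-A" {
      chain = $2; port = ""; src = ""; target = ""
      for (i = 3; i <= NF; i++) {                        # scan rule options
        if ($i == "--dport") port = $(i + 1)
        if ($i == "-s") src = $(i + 1)
        if ($i == "-j") target = $(i + 1)
      }
      if (port == "") next                               # not a port rule
      key = chain " " port
      if (target == "ACCEPT" && src != "") restricted[key] = 1
      if ((target == "DROP" || target == "REJECT") && src == "") closed[key] = 1
    }
    END {
      for (key in restricted) {
        split(key, parts, " ")
        if (policy[parts[1]] == "ACCEPT" && !(key in closed)) print key
      }
    }' | sort
}

# Stand-alone usage: audit the constructed sample (prints "INPUT 22").
find_unenforced_allowlists "$SAMPLE_RULES"
```

On a live box, feed it the real dump with `find_unenforced_allowlists "$(iptables-save)"`.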