linux user group brescia
immagine del castello

Archivio della mailing list

Regole Iptables

mcbain a tiscali.it mcbain a tiscali.it
Ven 26 Gen 2007 17:00:15 UTC 
Ciao,
 ho un po' di problemi con la configurazione di iptables. Il computer 
Linux ha due schede di rete, una su cui si trovano il modem adsl e i 
vari pc, ed una su cui è attaccato la fonera.
Sostanzialmente le regole sono frutto di un mero copia e incolla, e 
difatti la cosa è funzionata per qualche mese. Oggi però ho iniziato a 
riscontrare qualche problema, del tipo da un pc attaccato allo switch, 
sottorete 192.168.1.0/24, non riesco ad accedere più al server di posta 
di tiscali, e la risposta ricevuta è connessione rifiutata. Ovviamente 
se provo a fare la stessa cosa direttamente dal pc con il firewall, non 
ho nessun problema. Dove sto sbagliando?
Includo sotto lo script con le regole, scusate per la prolissità.

Grazie,
 Carlo

#!/bin/sh

IPTABLES=/sbin/iptables
LSMOD=/sbin/lsmod
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe
GREP=/bin/grep
AWK=/usr/bin/awk
IFCONFIG=/sbin/ifconfig

#Setting the EXTERNAL and INTERNAL interfaces for the network
#
EXTIF="ppp0"
INTIF="eth0"
WIFI="eth1"

echo "  External Interface:  $EXTIF"
echo "  Internal Interface:  $INTIF"
echo "  Wifi Interface:      $WIFI"
echo "  ---"

EXTIP="`$IFCONFIG $EXTIF | $AWK \
 /$EXTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];
exit}'`"


# For users who wish to use STATIC IP addresses:
#
#  # out the EXTIP line above and un-# out the EXTIP line below
#
#EXTIP="your.static.PPP.address"
echo "  External IP: $EXTIP"
echo "  ---"


# Assign the internal TCP/IP network and IP address
INTNET="192.168.1.0/24"
INTIP="192.168.1.17/32"
WIFIP="192.168.10.17/32"
echo "  Internal Network: $INTNET"
echo "  Internal IP:      $INTIP"
echo "  Internal Wifi IP: $WIFIIP"
echo "  ---"




# Setting a few other local variables
#
UNIVERSE="0.0.0.0/0"

echo "1" > /proc/sys/net/ipv4/ip_forward

echo "1" > /proc/sys/net/ipv4/ip_dynaddr
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT DROP
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -F -t nat
$IPTABLES -F reject-and-log-it
$IPTABLES -X
$IPTABLES -Z
$IPTABLES -N reject-and-log-it
echo -e "\n   - Loading INPUT rulesets"
$IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT


# local interface, local machines, going anywhere is valid
#

$IPTABLES -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT
$IPTABLES -A INPUT -i $WIFI -s $INTNET -d $UNIVERSE -j ACCEPT

# remote interface, claiming to be local machines, IP spoofing, get 
lost
#
$IPTABLES -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j reject-and-log-
it


# external interface, from any source, for ICMP traffic is valid
#
#  If you would like your machine to "ping" from the Internet,
#  enable this next line
#
# If not connected, it gives an error
$IPTABLES -A INPUT -i $EXTIF -p ICMP -s $UNIVERSE -d $EXTIP -j ACCEPT

# remote interface, any source, going to the MASQ servers IP address 
is valid
#
#  ENABLE this line if you want ALL Internet traffic to connect to 
your
#  the various servers running on the MASQ server.  This includes
#  web servers, ssh servers, dns servers, etc.
#
#  I DON'T recommend you enable this rule.  Instead, only enable 
specific
#  access to select server ports under the "OPTIONAL INPUT Section".
#  An example of enabling HTTP (WWW) has been given below:
#
#
#$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -j ACCEPT


# Allow any related traffic coming back to the MASQ server in.
#
#  STATEFULLY TRACKED
#
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state \
 ESTABLISHED,RELATED -j ACCEPT

echo -e "      - Allowing EXTERNAL access to the ssh server"
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED 
\
 -p tcp -s $UNIVERSE -d $EXTIP --dport 22 -j ACCEPT

$IPTABLES -A INPUT -i $INTIF -m state --state NEW,ESTABLISHED,RELATED 
\
 -p tcp -s $INTNET -d $INTIP --dport 22 -j ACCEPT

$IPTABLES -A INPUT -i $WIFI -m state --state NEW,ESTABLISHED,RELATED \
 -p tcp -s $INTNET -d $WIFIP --dport 53 -j ACCEPT

$IPTABLES -A INPUT -i $WIFI -m state --state NEW,ESTABLISHED,RELATED \
 -p udp -s $INTNET -d $WIFIP --dport 53 -j ACCEPT


echo -e "      - Allowing EXTERNAL access to emule"
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED 
\
 -p tcp -s $UNIVERSE -d $EXTIP --dport 4662 -j ACCEPT

$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED 
\
 -p udp -s $UNIVERSE -d $EXTIP --dport 4672 -j ACCEPT

$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED 
\
 -p udp -s $UNIVERSE -d $EXTIP --dport 4665 -j ACCEPT

echo -e "      - Allowing EXTERNAL access to torrent"

$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED 
\
 -p tcp -s $UNIVERSE -d $EXTIP --dport 49160:49300 -j ACCEPT
$IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j reject-and-log-it
$IPTABLES -A OUTPUT -m state --state INVALID -p icmp -j DROP

# loopback interface is valid.
#
$IPTABLES -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT


# local interfaces, any source going to local net is valid
#
$IPTABLES -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT
$IPTABLES -A OUTPUT -o $WIFI -s $EXTIP -d $INTNET -j ACCEPT

# local interface, MASQ server source going to the local net is valid
#
$IPTABLES -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT
$IPTABLES -A OUTPUT -o $WIFI -s $INTIP -d $INTNET -j ACCEPT


$IPTABLES -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j reject-and-
log-it


# anything else outgoing on remote interface is valid
#
$IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT


# ----- Begin OPTIONAL OUTPUT Section -----
#

# DHCPd - Enable the following lines if you run an INTERNAL DHCPd 
server
#         - Remove BOTH #s all the #s if you need this functionality.
#
#$IPTABLES -A OUTPUT -o $INTIF -p tcp -s $INTIP --sport 67 \
# -d 255.255.255.255 --dport 68 -j ACCEPT
#$IPTABLES -A OUTPUT -o $INTIF -p udp -s $INTIP --sport 67 \
# -d 255.255.255.255 --dport 68 -j ACCEPT

# emule udp out

$IPTABLES -A OUTPUT -o $EXTIF -p udp -s $EXTIP --sport 4672 \
 -d $UNIVERSE -j ACCEPT

$IPTABLES -A OUTPUT -o $EXTIF -p udp -s $EXTIP --sport 4665 \
 -d $UNIVERSE -j ACCEPT

#
# ----- End OPTIONAL OUTPUT Section -----


# Catch all rule, all other outgoing is denied and logged.
#
$IPTABLES -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j reject-and-log-it


echo -e "   - Loading FORWARD rulesets"

$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,
RELATED \
 -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $WIFI -m state --state ESTABLISHED,
RELATED \
 -j ACCEPT

$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -i $WIFI -o $EXTIF -j ACCEPT

$IPTABLES -A FORWARD -j reject-and-log-it
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

Maggiori informazioni sulla lista Lug