Regole Iptables
mcbain a tiscali.it
mcbain a tiscali.it
Ven 26 Gen 2007 17:00:15 UTC
Ciao,
ho un po' di problemi con la configurazione di iptables. Il computer
Linux ha due schede di rete, una su cui si trovano il modem adsl e i
vari pc, ed una su cui è attaccato la fonera.
Sostanzialmente le regole sono frutto di un mero copia e incolla, e
difatti la cosa è funzionata per qualche mese. Oggi però ho iniziato a
riscontrare qualche problema, del tipo da un pc attaccato allo switch,
sottorete 192.168.1.0/24, non riesco ad accedere più al server di posta
di tiscali, e la risposta ricevuta è connessione rifiutata. Ovviamente
se provo a fare la stessa cosa direttamente dal pc con il firewall, non
ho nessun problema. Dove sto sbagliando?
Includo sotto lo script con le regole, scusate per la prolissità.
Grazie,
Carlo
#!/bin/sh
IPTABLES=/sbin/iptables
LSMOD=/sbin/lsmod
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe
GREP=/bin/grep
AWK=/usr/bin/awk
IFCONFIG=/sbin/ifconfig
#Setting the EXTERNAL and INTERNAL interfaces for the network
#
EXTIF="ppp0"
INTIF="eth0"
WIFI="eth1"
echo " External Interface: $EXTIF"
echo " Internal Interface: $INTIF"
echo " Wifi Interface: $WIFI"
echo " ---"
EXTIP="`$IFCONFIG $EXTIF | $AWK \
/$EXTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];
exit}'`"
# For users who wish to use STATIC IP addresses:
#
# # out the EXTIP line above and un-# out the EXTIP line below
#
#EXTIP="your.static.PPP.address"
echo " External IP: $EXTIP"
echo " ---"
# Assign the internal TCP/IP network and IP address
INTNET="192.168.1.0/24"
INTIP="192.168.1.17/32"
WIFIP="192.168.10.17/32"
echo " Internal Network: $INTNET"
echo " Internal IP: $INTIP"
echo " Internal Wifi IP: $WIFIIP"
echo " ---"
# Setting a few other local variables
#
UNIVERSE="0.0.0.0/0"
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT DROP
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -F -t nat
$IPTABLES -F reject-and-log-it
$IPTABLES -X
$IPTABLES -Z
$IPTABLES -N reject-and-log-it
echo -e "\n - Loading INPUT rulesets"
$IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
# local interface, local machines, going anywhere is valid
#
$IPTABLES -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT
$IPTABLES -A INPUT -i $WIFI -s $INTNET -d $UNIVERSE -j ACCEPT
# remote interface, claiming to be local machines, IP spoofing, get
lost
#
$IPTABLES -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j reject-and-log-
it
# external interface, from any source, for ICMP traffic is valid
#
# If you would like your machine to "ping" from the Internet,
# enable this next line
#
# If not connected, it gives an error
$IPTABLES -A INPUT -i $EXTIF -p ICMP -s $UNIVERSE -d $EXTIP -j ACCEPT
# remote interface, any source, going to the MASQ servers IP address
is valid
#
# ENABLE this line if you want ALL Internet traffic to connect to
your
# the various servers running on the MASQ server. This includes
# web servers, ssh servers, dns servers, etc.
#
# I DON'T recommend you enable this rule. Instead, only enable
specific
# access to select server ports under the "OPTIONAL INPUT Section".
# An example of enabling HTTP (WWW) has been given below:
#
#
#$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -j ACCEPT
# Allow any related traffic coming back to the MASQ server in.
#
# STATEFULLY TRACKED
#
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state \
ESTABLISHED,RELATED -j ACCEPT
echo -e " - Allowing EXTERNAL access to the ssh server"
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED
\
-p tcp -s $UNIVERSE -d $EXTIP --dport 22 -j ACCEPT
$IPTABLES -A INPUT -i $INTIF -m state --state NEW,ESTABLISHED,RELATED
\
-p tcp -s $INTNET -d $INTIP --dport 22 -j ACCEPT
$IPTABLES -A INPUT -i $WIFI -m state --state NEW,ESTABLISHED,RELATED \
-p tcp -s $INTNET -d $WIFIP --dport 53 -j ACCEPT
$IPTABLES -A INPUT -i $WIFI -m state --state NEW,ESTABLISHED,RELATED \
-p udp -s $INTNET -d $WIFIP --dport 53 -j ACCEPT
echo -e " - Allowing EXTERNAL access to emule"
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED
\
-p tcp -s $UNIVERSE -d $EXTIP --dport 4662 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED
\
-p udp -s $UNIVERSE -d $EXTIP --dport 4672 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED
\
-p udp -s $UNIVERSE -d $EXTIP --dport 4665 -j ACCEPT
echo -e " - Allowing EXTERNAL access to torrent"
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED
\
-p tcp -s $UNIVERSE -d $EXTIP --dport 49160:49300 -j ACCEPT
$IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j reject-and-log-it
$IPTABLES -A OUTPUT -m state --state INVALID -p icmp -j DROP
# loopback interface is valid.
#
$IPTABLES -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
# local interfaces, any source going to local net is valid
#
$IPTABLES -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT
$IPTABLES -A OUTPUT -o $WIFI -s $EXTIP -d $INTNET -j ACCEPT
# local interface, MASQ server source going to the local net is valid
#
$IPTABLES -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT
$IPTABLES -A OUTPUT -o $WIFI -s $INTIP -d $INTNET -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j reject-and-
log-it
# anything else outgoing on remote interface is valid
#
$IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT
# ----- Begin OPTIONAL OUTPUT Section -----
#
# DHCPd - Enable the following lines if you run an INTERNAL DHCPd
server
# - Remove BOTH #s all the #s if you need this functionality.
#
#$IPTABLES -A OUTPUT -o $INTIF -p tcp -s $INTIP --sport 67 \
# -d 255.255.255.255 --dport 68 -j ACCEPT
#$IPTABLES -A OUTPUT -o $INTIF -p udp -s $INTIP --sport 67 \
# -d 255.255.255.255 --dport 68 -j ACCEPT
# emule udp out
$IPTABLES -A OUTPUT -o $EXTIF -p udp -s $EXTIP --sport 4672 \
-d $UNIVERSE -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -p udp -s $EXTIP --sport 4665 \
-d $UNIVERSE -j ACCEPT
#
# ----- End OPTIONAL OUTPUT Section -----
# Catch all rule, all other outgoing is denied and logged.
#
$IPTABLES -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j reject-and-log-it
echo -e " - Loading FORWARD rulesets"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,
RELATED \
-j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $WIFI -m state --state ESTABLISHED,
RELATED \
-j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -i $WIFI -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j reject-and-log-it
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
Maggiori informazioni sulla lista
Lug
|