1. Installing the netfilter / iptables.
The delivery of any modern Linux distribution includes a firewall netfilter / iptables. Most of the code of these software products directly included in the kernel code , and some - executables , libraries, established in the form of regular files . If you are using the most modern distribution , not going to use exotic software and are bringing tall bright security requirements , then you will most likely restrict the ability rpm- package supplied with the distribution. Check whether the package iptables:
[root @ homerouter root] # rpm-qa | grep iptables
iptables-1.2.6a-1.asp
If the package is not installed , install it :
[root @ homerouter root] # rpm-ihv iptables-version.rpm
If the supplier or third-party distribution has a more recent version of the package , then update it :
[root @ homerouter root] # rpm-Uhv iptables-version.rpm
You may need to install packages that satisfy dependencies, for example, a package containing the kernel source .
If you are confident in their abilities , it is more correct to install netfilter / iptables from source code , and you will be able to :
- Use the latest ( most reliable , pleasant to you , etc.) version of netfilter / iptables;
- To get out from the supplier and third-party distribution rpm- packages ;
- Improve the performance and reliability of your system by incorporating into it and only those code fragments netfilter / iptables, you need to solve your problems only ;
- Use ( to study , test , etc.) and new filtering capabilities of managing the packages available in the latest versions of netfilter / iptables.
To install the netfilter / iptables as a minimum , the following packages:
- Source tarball iptables-version.tar.bz2, which can be obtained from the server developers www.netfilter.org ( alias www.iptables.org);
- Patch to modify the kernel source code patch-o-matic-YYYYMMDD.tar.bz2, which can also be obtained with www.netfilter.org;
- Archive kernel source linux-version.tar.bz2, which can be obtained with www.kernel.org;
- Control values md5sum or GPG signatures (www.gnupg.org) all of the above for the various sources .
To install the netfilter / iptables from source , proceed as follows . The following description of the installation has been tested for ASPLinux 7.3, for kernel 2.4.18 , 2.4.25 .
Step 1
Check the integrity and authenticity of downloaded files - patch-o-matic-YYYYMMDD.tar.bz2, iptables-version.tar.bz2, linux-version.tar.bz2 using md5sum or GPG signatures. Detailed procedure for checking the integrity and authenticity described here www.bruy.info / ssl.html # 12.4.
Step 2
Unpack the kernel sources in the directory / usr / src:
[root @ homerouter src] # bzip2-d linux-version.tar.bz2
[root @ homerouter src] # tar xpf linux-version.tar.bz2
Step 3
Determine which pieces of code from the standpoint of you solved problems , and in what form ( or monolithic modules ) should be included in the new kernel. On the performance and functionality of the netfilter / iptables is mainly influenced by the configuration settings in the kernel source code sections :
Networking options;
IP: Netfilter Configuration.
Detailed description of all the configuration options that are used in these sections are contained in the kernel source . In version 2.4.x kernel file Documentation / Configure.help, in version 2.6.x files / net/ipv4/Kconfig and net/ipv4/netfilter/Kconfig.
Step 4
Development of netfilter / iptables and kernel underway different but interact with each other , the development teams . Part of the code netfilter / iptables, according to the developers should be included in the kernel contained in the patch patch-o-matic-YYYYMMDD ( patch patch-o-matic- 20031219 applies only to a 2.4 kernels 2.4.17 and above) . Some of these changes are accepted by the core and included in the next version , some are not accepted by the core , and you can use them at your own risk. Additional information can be found in the documentation http://www.netfilter.org/documentation/index.html # documentat ion-howto.
Patches included in the patch-o-matic-YYYYMMDD divided into a number of categories , with the most frequently used in practice are:
- Optimizations - optimization patches , whose inclusion in the kernel is expected ;
- Pending - patches , whose inclusion in the kernel is expected ;
- Submitted - patches included in the latest ( at the time of patch-o-matic) version of the kernel ;
- Base - patches , according to the developers netfilter / iptables, no problems interacting with each other .
To apply a patch patch-o-matic-YYYYMMDD perform the following operations .
Open the file with the source code patch-o-matic.
[root @ homerouter iptables] # bzip2-d patch-o-matic-20031219.tar.bz2
[root @ homerouter iptables] # tar xpvf patch-o-matic-20031219.tar
cd to the newly created directory:
[root @ homerouter iptables] # cd patch-o-matic
and run the script runme, telling him where the kernel sources and patches which category you want to use , for example:
[root @ homerouter patch-o-matic] # KERNEL_DIR = / usr/src/linux-2.4.25. / runme pending
continue the dialogue you will be asked to test the applicability of , or set to skip installing all patches of the previously selected category ( process resembles configuring the kernel source code using make config).
Finished making changes to the source code , compile and install your kernel , check that it is working .
Step 5
Remove when they are installed , packages iptables, ipchains and ispolzutsemye with them configurators firewall .
Step 6
Unpack the source code part of iptables / netfilter installed as regular files :
[root @ homerouter iptables] # bzip2-d iptables-1.2.9.tar.bz2
[root @ homerouter iptables] # tar xpvf iptables-1.2.9.tar
Go into the newly created directory:
[root @ homerouter iptables] # cd iptables-1.2.9
Compile and install the iptables / netfilter, create and save a list of files installed on your PC :
[root @ homerouter iptables-1.2.9] # make KERNEL_DIR = / usr/src/linux-2.4.25 BINDIR = / sbin LIBDIR = / lib / MANDIR = / usr / share / man /
[root @ homerouter iptables-1.2.9] # find / *> .. / iptables1
[root @ homerouter iptables-1.2.9] # make KERNEL_DIR = / usr/src/linux-2.4.25 BINDIR = / sbin LIBDIR = / lib / MANDIR = / usr / share / man / install
[root @ homerouter iptables-1.2.9] # find / *> .. / iptables2
[root @ homerouter iptables-1.2.9] # cd ..
[root @ homerouter iptables] # diff iptables1 iptables2> iptables.installed.YYYY.MM.YY
Step 7
Create a script file / etc / init.d / iptables, comprising:
at least two lines required for the normal operation of utility chkconfig, containing information about the levels at which the work should netfilter / iptables, the priority of the script when loading and unloading system :
# Chkconfig: 2345 08 98
# Description: Start and stop filtering and mangling packets;
command module loading netfilter / iptables ( if appropriate code fragments not compiled directly into the kernel ) of the form :
/ sbin / modprobe < module name > ;
Commands sent to the kernel certain parameters , for example, to enable packet forwarding between different network interfaces necessary for the normal operation of the gateway , use the command :
/ sbin / sysctl-w net.ipv4.ip_forward = 1
instructions that implement filtering and other manipulations with the packages , which generally have the form :
/ sbin / iptables < string rule >
methodology for creating the rules listed below.
Step 8
Determine the permissions and owner of the file / etc / init.d / iptables:
[root @ homerouter iptables] # chmod 700 / etc / init.d / iptables
[root @ homerouter iptables] # chown root.root / etc / init.d / iptables
Step 9
If you want the netfilter / iptables is started at boot time ( in most cases the correct solution ) to create relevant links :
[root @ homerouter iptables] # chkconfig - add iptables
2 . Initialization firewall.
Work bradmauera upravlet set of rules that are defined using the program options iptables. Initialization of the firewall includes the following steps : determination of constants used for the operation of the scenario; removal of the existing rules of the scenario; definition of the default policy ; Recover state loopback interface used for system operations ; blocking nodes , access to which you want to disable ; definition of the basic rules that prevent the passage of packets with invalid source addresses and protect servers running through nepriveligerovannye ports.
Character constants .
Firewall script becomes readable and easy to set up, if it identifies a number of symbolic names . Some of the following constants represent the standard notation .
IPT = "/ sbin / iptables"
IPTS = "/ sbin / iptables-save"
IPTR = "/ sbin / iptables-restore"
EXTERNAL_INTERFACE = "eth0" # interefeysom connected to the internet
LOOPBACK_INTERFACE = 'lo' # loopback interface
IP_ADDR = "213.87.XX" # IP- address of your computer
ANYWHERE = "any / 0" # arbitrary IP- address
MY_ISP = "my.isp.address.range" # IP- address range provider
LOOPBACK = "127.0.0.0 / 8 " range of IP- addresses of the loopback
CLASS_A = "10.0.0.0 / 8" # Class A addresses , intended for
# Internal use
CLASS_B = "172.16.00/22" # use class B, designed to
# Internal use
CLASS_C = "192.168.0.0/16" # address class C, held for
# Internal use
CLASS_D = "244.0.0.0 / 4" # Class A addresses , intended for
# Multicasting
CLASS_E = "240.0.0.0 / 5 " # Class E reserved addresses
BROADCAST_SRC = "0.0.0.0" # broadcast source
BROADCAST_DST = "255.255.255.255" # target shirokoveshatelnye
PRIVPORTS = "0:1023" # privileged port numbers
UNPRIPORTS = "1024:65535" # room -privileged ports
Removal of existing rules and setting default policy .
# Sbrasyvaeim all rules
$ IPT-P INPUT ACCEPT
$ IPT-P FORWARD ACCEPT
$ IPT-P OUTPUT ACCEPT
$ IPT-t nat-P PREROUTING ACCEPT
$ IPT-t nat-P POSTROUTING ACCEPT
$ IPT-t nat-P OUTPUT ACCEPT
$ IPT-t mangle-P PREROUTING ACCEPT
$ IPT-t mangle-P OUTPUT ACCEPT
# Deleting Rules
$ IPT-F
$ IPT-t nat-F
$ IPT-t mangle-F
# Clear the nonstandard
$ IPT-X
$ IPT-t nat-X
$ IPT-t mangle-X
Now when reset all right to take , you must define default firewall policy . There are several variants of the initial policy , and you choose. My desktop , not for having a local network has a default policy
$ IPT-P INPUT DROP
$ IPT-P FORWARD DROP
$ IPT-P OUTPUT DROP
$ IPT-A INPUT-p ALL-i $ LOOPBACK_INTERFACE-j ACCEPT
$ IPT-A OUTPUT-p ALL-o $ LOOPBACK_INTERFACE-j ACCEPT
Writing rules on what not to forget to pay attention.
And start with sozhdaniya have your own table. And also write rules prohibiting passing through interfaces EXTERNAL_INTERFACE any information from networks CLASS_A, SLASS_B , CLASS_C,
$ IPT-N bad_packets
$ IPT-N bad_tcp_packets
$ IPT-N icmp_packets
$ IPT-N udp_inbound
$ IPT-N udp_outbound
$ IPT-N tcp_inbound
$ IPT-N tcp_outbound
3 . Attacks with the aim of deriving a system failure.
Friendly arbitrariness by " flood " of packets of a certain type .
SYN - Flood (Syn Flooding)
Leads to the binding of system resources , so that real communication becomes possible. The client part with a false IP- address sends a SYN packet and the server responds with SYN-ACK, but because the address was false so soedinedinie not installed and remains in " half-open state "
Details on the topic:
ftp://info.cert.org./pub/cert_advisories/CA-96.21.tcp_syn_fl ooding
$ IPT-A bad_tcp_packets-p tcp! - syn-m state - state NEW-j LOG \
- log-prefix "fp = bad_tcp_packets: 1 a = DROP"
$ IPT-A bad_tcp_packets-p tcp! - syn-m state - state NEW-j DROP
# All good, so return
$ IPT-A bad_tcp_packets-p tcp-j RETURN
ping - flood
Any message from the vet suggesting it may be used for that would bring your car damaged or severely limit its performance . An example of such messages can lead ICMP - package ping. Upon receipt of such a large number of messages in the machine's resources mainly spending on transfer answers.
Details on the topic:
Denial of Service www.cert.org
$ IPT-A icmp_packets - fragment-p ICMP-j LOG \
- log-prefix "fp = icmp_packets: 1 a = DROP"
$ IPT-A icmp_packets - fragment-p ICMP-j DROP
UDP - Flood
Service using UDP, very often the targets of attacks in order to eliminate system failure . Unlike TCP , UDP does not establish a connection pridusmotreno , however flags that specify the state of the connection , no . The receiving node has no information what u esch which package is to follow just adopted . Thus voznikaket opportunity wave so that the entire bandwidth of the line will only be used to transmit responses to the received UDP- packet ..
Details on the topic:
UDP Port Denial-of-Service attack www.cert.org
$ IPT-A udp_inbound-p UDP-s 0/ 0 - destination-port 137 -j DROP
$ IPT-A udp_inbound-p UDP-s 0/ 0 - destination-port 138 -j DROP
$ IPT-A udp_inbound-p UDP-s 0/ 0 - destination-port 113 -j REJECT
$ IPT-A udp_inbound-p UDP-s 0/ 0 - source-port 67 - destination-port 68 \
-j ACCEPT
$ IPT-A udp_inbound-p UDP-j RETURN
$ IPT-A udp_outbound-p UDP-s 0/ 0 -j ACCEPT
ICMP - redirect
ICMP- message type 5 indicates the system to change the contents of the routing tables that would send packets on a shorter route . If you use a routed or gated. Do not forget that there is a possibility of redirecting traffic to the remote machine , as well as for vzlomshika you can determine your car as one of the local vashil , stoyashih per server.
$ IPT-A icmp_packets - fragment-p ICMP-j LOG \
- log-prefix "fp = icmp_packets: 1 a = DROP"
$ IPT-A icmp_packets - fragment-p ICMP-j DROP
# Echo - uncomment to allow your system to be pinged.
# Uncomment the LOG command if you also want to log PING attempts
#
# $ IPT-A icmp_packets-p ICMP-s 0/ 0 - icmp-type 8 -j LOG \
# - Log-prefix "fp = icmp_packets: 2 a = ACCEPT"
# $ IPT-A icmp_packets-p ICMP-s 0/ 0 - icmp-type 8 -j ACCEPT
# Time Exceeded
$ IPT-A icmp_packets-p ICMP-s 0/ 0 - icmp-type 11 -j ACCEPT
# Not matched, so return so it will be logged
$ IPT-A icmp_packets-p ICMP-j RETURN
4 . NAT to IPTables.
Masquerading (masquerading) and broadcast ip- addresses (NAT) on Linux. What it is, what can and what can not.
If you have a local area network connected to the Internet via a linux server , and in this local network uses "gray » ip address, then one way to connect to the Internet is to use NAT. Or vice versa, using NAT can be accessed from the Internet such as a web server located on the local network and not having a real ip- address.
This document contains a number of terms that should be clarified before you encounter them .
1. " Grey » IP address (it private , he's the fake aka private ) - IP address of the designated subnets that are not used on the Internet, and reserved for use in local area networks (intranet). In each class (AB C) is reserved for the same subnet :
Class A 10.0.0.0 - 10.255.255.255
Class B 172.16.0.0 - 172.31.255.255
Class C 192.168.0.0 - 192.168.255.255
2 . "White » IP address (it is real, it is public ) - IP address that is not included in the " gray" subnet and the Internet .
3 . Masquerade (MASQUERADE) - replacement of the network address for the packet to the address located on the outgoing interface of the machine running the masquerade , and accordingly reverse operation when receiving the response packet . Masquerade used for the same purposes as SNAT, but unlike the latter , MASQUERADE gives a heavy load on the system. This happens because each time you want to perform this action - a request is made for the IP address of the network interface in action , while for SNAT IP address is specified directly . However , due to this difference of , MASQUERADE can work in cases with a dynamic IP address , ie when you connect to the Internet , for example through the PPP, SLIP , or DHCP.
4 . Address Translation (NAT - network address translation) - replacing the network address for the packet to any specified , and accordingly reverse operation when receiving the response packet .
5 . DNAT - from the English. Destination Network Address Translation - change the network address of the recipient. DNAT - this change the destination address in the packet header. Often used in conjunction with SNAT. The main application - providing additional network services to external customers.
6 . SNAT - from the English. Source Network Address Translation - change the network address of the sender. SNAT - that change the source address in the packet header . The main application - using only real IP- address among multiple computers to access the Internet .
General Provisions
When the packet reaches the firewall , it falls on the first network device , the appropriate driver is caught and then passed to the kernel . Next packet passes a series of tables iptables and then transmitted or local application , or forwarded to another machine .
The order of movement of transit packets in iptables.
In a simplified version , concerning NAT, it looks like this - cable - network interface - Chain PREROUTING table nat - routing decisions - POSTROUTING chain table nat - network interface.
As you can see , the package goes through several stages before it will be passed on. On each package can be stopped. Note that there is no any chains that are specific to individual interfaces or anything like that. FORWARD chain passes all packages that move through your router . Do not use the INPUT chain to filter packets in transit , they simply do not get there ! Through this chain of moving only those packets that are destined to this host !
For you to be able to use NAT, you must load the module iptables, which is responsible for the broadcast address with the command
modprobe iptable_nat
To broadcast some specific protocols need to download additional modules - for example ftp module is ip_nat_ftp.
Since when you restart these reset commands they must register in the startup , such as / etc / rc. d / rc. local.
Since all the operations necessary for address translation occurs in the nat table and its two chains - PREROUTING and POSTROUTING, we only consider them .
POSTROUTING chain
SNAT target
SNAT is used to NAT (Source Network Address Translation), ie changes originating IP address in the IP packet header. For example , this action can be used to provide Internet access to other computers on the local network with only one IP address . To do this, you must enable packet forwarding (forwarding) in the nucleus and then create a rule that will broadcast outgoing IP address on our LAN to the real external address. As a result , the outside world will know nothing about our local network, it will assume that the requests came from our firewall.
SNAT is allowed to perform only in the table nat, chain POSTROUTING. In other words, only here not convert outgoing addresses. If the first packet in the compound has undergone transformation source address , all subsequent packets from the same connection will be converted automatically and will not go through this chain of rules .
Key - to-source
Example:
iptables - t nat - A POSTROUTING - p tcp - o eth0 - j SNAT - to-source 194.236.50.155-194.236.50.160:1024-32000
Key - to-source is used to specify the address that is assigned to the package. Quite simply, you specify an IP address, which will be replaced in the packet header as the outgoing . If you are going to redistribute the load across multiple firewalls , you can specify a range of addresses where the start and end address range separated by a hyphen , eg : 194.236.50.155-194.236.50.160 . Then , a specific IP address will be selected from a range of randomly for each new thread. Additionally, you can specify a range of ports that will be used only for the needs of SNAT. All outgoing ports will then perekartirovatsya specified range . If a port range is not specified , the source ports below 512 perekartiruyutsya range 0-511 , ports in the range 512-1023 perekartiruyutsya in the range 512-1023 , and finally the ports in the range 1024-65535 1024-65535 in perekartiruyutsya . With regard to the port of destination , they are not subject to perekartirovaniyu .
Action MASQUERADE
Masquerading is basically the same as SNAT only has no key - to-source. The reason for this is that the masquerading can work , such as a dialup connection or DHCP, ie in cases where the IP address is dynamically assigned to the device . If you have a dynamic connection with the changing ip address , then you need to use masquerading , if you have a static IP connection , then undoubtedly the best way would be to use action SNAT.
Masquerading is meant to receive an IP address from a given network interface instead of directly specifying it as it is done with a key - to-source in action SNAT. Action MASQUERADE has good property - " forget" when stopping connection network interface.
Action MASQUERADE can specify only in the POSTROUTING chain table nat, as well as the effect of SNAT. MASQUERADE is key , as described below , the use of which is optional.
Key - to-ports
Example:
iptables-t nat-A POSTROUTING-p TCP-j MASQUERADE - to-ports 1024-31000
Key - to-ports is used to specify the source port or port range of the outgoing packet . You can specify a single port , for example : - to-ports 1025, or a range of ports like this : - to-ports 1024-3000. This key can only be used in the rules, which contains the explicit criterion for TCP or UDP protocol with a key - protocol.
PREROUTING chain
This chain runs NAT (DNAT) before packets get to the INPUT chain or FORWARD.
Action DNAT
DNAT (Destination Network Address Translation) is used to convert a destination address in the IP packet header. If a packet matches a criterion rule that performs DNAT, this packet and all subsequent packets of the same stream will be subject to the transformation of the destination and transferred to the desired device , host or network . This action may , for example, successfully used to provide access to your web- server on the local network, and not having a real IP address . To do this, you build a rule that intercepts packets to HTTP port in the firewall and doing DNAT pass them to a local web- server address . For this action you can enter a range of addresses , then the choice of destination for each new thread will be made randomly.
Action DNAT can only be performed in the PREROUTING and OUTPUT chains of the table nat, and nested sub- chains. It is important to remember that nested substring implement DNAT should not be called from other chains , except PREROUTING and OUTPUT.
By spanner - to-destination
Example:
iptables-t nat-A PREROUTING-p tcp-d 15.45.23.67 - dport 80 -j DNAT - to-destination 192.168.1.1-192.168.1.10
Key - to - destination specifies which IP address should be substituted as the destination address . In the above example, all packets coming to the address 15.45.23.67, the destination address will be changed to one of the range of 192.168.1.1 to 192.168.1.10. As already mentioned above, all the packets from one stream will be directed to the same address, as each new stream is selected from a range of addresses in said random. You can also specify a single IP address . You can optionally specify a port or port range , which ( who ) will be redirected traffic. To do this, after the ip address through the colon , specify the port , for example - to-destination 192.168.1.1:80, and specify a range of ports is as follows : - to-destination 192.168.1.1:80-100. Specifying ports is only allowed for the protocol TCP or UDP, with option - protocol in criteria .
DNAT action is quite difficult to use and requires further explanation . Consider a simple example . We have a WEB server, and we want to allow access to it from the Internet. We have only one IP address, and WEB- server is located on the local network . Real IP address assigned $ INET_IP firewall , HTTP server has a local address $ HTTP_IP and finally the firewall has a local address $ LAN_IP. First, add a simple rule in the PREROUTING chain in the table nat:
iptables-t nat-A PREROUTING - dst $ INET_IP-p tcp - dport 80 -j DNAT \
- to-destination $ HTTP_IP
In accordance with this rule , all packets entering the port 80 addresses $ INET_IP redirected to our internal WEB- server. If we now turn to the WEB- server from the internet, everything will work fine. But what happens if you try to connect to it from the LAN ? Will simply not work . Let's see how routed packets coming in from the Internet to our WEB- server. For simplicity, we will address the client's Internet equal $ EXT_BOX.
1. Packet leaves the client node address and $ EXT_BOX to $ INET_IP
2 . Packet reaches the firewall.
3 . Firewall , in accordance with the above rule , replaces the destination address and transmits it further to the other chain.
4 . Package transmitted to $ HTTP_IP.
5 . Package enters the HTTP server and the server replies back through the firewall if it is in the routing table as the gateway for $ EXT_BOX. As a rule, it is assigned the default gateway for the HTTP server.
6. Firewall DNAT in the package , and now it looks as if the package has been formed on the firewall.
7. Package sent to the client $ EXT_BOX.
Now let's see what happens if a request is sent to the node, located in the same local network . For simplicity, we will address a LAN client equal to $ LAN_BOX.
1. Packet leaves $ LAN_BOX.
2 . Goes to the firewall .
3 . Substitutes the destination , but the sender is not replaced , ie source address in the packet remains unchanged.
4 . Packet leaves the firewall and reaches the HTTP server.
5 . HTTP server , preparing to send a reply , discovers that the client is on a LAN (because the request packet contains the original IP address , which is now turned into the destination address ) and therefore sends the packet directly to the $ LAN_BOX.
6. Package arrives at $ LAN_BOX. Client " confused " because the answer did not come from the host that sends the request . Therefore, the client " resets " reply packet, and wait for the " real" answer.
The problem is solved quite simply by SNAT. Below is a rule that performs this function . This will force the HTTP server to transmit the answers to our firewall , which will then be sent to the client .
iptables-t nat-A POSTROUTING-p tcp - dst $ HTTP_IP - dport 80 -j SNAT \
- to-source $ LAN_IP
Since the POSTROUTING chain is processed last , and hence the packet has passed conversion procedure DNAT, so the criterion is constructed on the basis of the destination address $ HTTP_IP.
If you think that this can stop, then you are wrong ! Imagine a situation where the client acts as a firewall itself . Then , unfortunately , the packets will be transmitted to the local port number 80 of the firewall , not the $ HTTP_IP. To resolve this problem , add a rule :
iptables-t nat-A OUTPUT - dst $ INET_IP-p tcp - dport 80 -j DNAT \
- to-destination $ HTTP_IP
Action REDIRECT
Action REDIRECT redirects packets and flows to another port of the same machine. For example , it is possible packets from the HTTP port to redirect to port HTTP proxy. Action REDIRECT very convenient to perform " transparent " proxy (transparent proxying), when the machines on the LAN are not even aware of the existence of the proxy .
REDIRECT can be used only in PREROUTING and OUTPUT chains of the table nat.
Key : - to-ports
Example:
iptables-t nat-A PREROUTING-p tcp - dport 80 -j REDIRECT - to-ports 8080
Key - to-ports specifies the port or range of destination ports. Without key - to-ports, redirect happens , ie the packet goes to the port , where, and was appointed . In the example above , - to-ports 8080 Set one destination port . If you want to specify a range of ports , we have to write something like - to-ports 8080-8090. This key can only be used in the rules, which contains the explicit criterion for TCP or UDP protocol with a key - protocol.
Here we have discussed the main points relating to the broadcast address using linux iptables.
Tips and basic mistakes made while configuring NAT:
1. To NAT work, you must allow the passage of packets from interface to interface . To do this:
o Check whether to enable packet forwarding in the kernel linux ( do this with the command cat / proc/sys/net/ipv4/ip_forward and if you got one at the outlet it's okay ) and if it is off , then you need to turn it on command echo 1 > / proc/sys/net/ipv4/ip_forward. Since you restart your computer , this command is reset , it is necessary to register somewhere in startup , such as / etc / rc. d / rc. local. In distributions that support the sysctl, switch costs in the core can be implemented by writing to / etc / sysctl.conf strokuVarvarvarvar
o add to the FORWARD chain necessary permissions for the desired networks. For example if you want the address of your local network ( 192.168.0.0/24 ) could be sent from the local interface to the outside and back, you need to add two lines : iptables - A FORWARD-s 192.168.0.0/24-j ACCEPT ( this command you allowed passing packets between network interfaces from the local network 192.168.0.0/24 ) and iptables-A FORWARD-d 192.168.0.0/24-j ACCEPT ( this command you allow the passage of packets between interfaces in LAN 192.168.0.0/24). You can then proceed to the actual implementation of address translation .
2 . If "theoretically" have done everything correctly but nothing works :
o Save all your iptables rules in a file somewhere (iptables - save> / file. txt) and play them . In iptables packet is the first choice for his rule, and may be just what your package does not reach those rules that you assign to it .
o Use to check the utilities are included in the distribution , such as ping, which allows you to show one or the other is available to the host or not , traceroute, allowing to trace the route a packet to the specified host.
5 . Example script iptables, which will provide for some ( ample ) security level for a single workstation.
A set of rules allows to provide some ( ample ) security level for a single workstation (not the gateway to a home network ) . Supports work FTP and HTTP- servers and the most common clients in the local network and the Internet.
To install the script, you must perform the following operations
Step 1
Edit the script for consistency with the tasks and needs.
Step 2
Put the script in the file / etc / init.d / iptables
Step 3
Assign the file owner user root, set permissions 700 dostupak file and make it bootable automatically when the system boots .
Example script iptables, which will provide for some ( ample ) security level for a single workstation (not schlyuza in family network ) . Nguzhno edit script for your data ( see comments) on RH-based distros script to put the script in the directory / etc / init.d /, give it a name iptables, appoint its own user root, permissions 700 , and make it start up automatically when the system boots .
http://www.bruy.info/forum/f/index.php?t=msg&th=28&start=0&rid=0&S=433397a049f9f125c1cdcea4591cd3ce
#!/bin/sh
#
# Invoked from /etc/rc.d/init.d/iptables.
# chkconfig: - 60 95
# description: Starts and stops the IPTABLES packet filter \
# used to provide firewall network services.
# Source function library.
. /etc/rc.d/init.d/functions
# Source networking configuration.
. /etc/sysconfig/network
# Check that networking is up.
if [ ${NETWORKING} = "no" ]
then
exit 0
fi
if [ ! -x /sbin/iptables ]; then
exit 0
fi
# See how we were called.
case "$1" in
start)
echo -n "Starting Firewalling: "
# ------------------------------------------------------------ ----------------
# Some definitions for easy maintenance.
# EDIT THESE TO SUIT YOUR SYSTEM AND ISP.
IPADDR="192.168.XXX.XXX"
EXTERNAL_INTERFACE="eth0" # Infoline connected interface
INTERNET_INTERFACE="ppp+" # Internet interface up when pptp up
LOOPBACK_INTERFACE="lo" # Your local naming convention
PRIMARY_NAMESERVER="194.135.60.3" # Your Primary Name Server
SECONDARY_NAMESERVER="194.135.61.3" # Your Secondary Name Server Internal Server
SMTP_SERVER="195.2.72.152" # Your Central Mail Hub Server
LOOPBACK="127.0.0.0/8" # Reserved loopback addr range
CLASS_A="10.0.0.0/8" # Class A private networks
CLASS_B="172.16.0.0/12" # Class B private networks
CLASS_C="192.168.0.0/16" # Class C private networks
CLASS_D_MULTICAST="224.0.0.0/4" # Class D multicast addr
CLASS_E_RESERVED_NET="240.0.0.0/5" # Class E reserved addr
BROADCAST_SRC="0.0.0.0" # Broadcast source addr
BROADCAST_DEST="255.255.255.255" # Broadcast destination addr
PRIVPORTS="0:1023" # Privileged port range
UNPRIVPORTS="1024:65535" # Unprivileged port range
# ------------------------------------------------------------ ----------------
# The SSH client starts at 1023 and works down to 513 for each
# additional simultaneous connection originating from a privileged port.
# Clients can optionally be configured to use only unprivileged ports.
SSH_LOCAL_PORTS="1022:65535" # Port range for local clients
SSH_REMOTE_PORTS="513:65535" # Port range for remote clients
# traceroute usually uses -S 32769:65535 -D 33434:33523
TRACEROUTE_SRC_PORTS="32769:65535"
TRACEROUTE_DEST_PORTS="33434:33523"
# ------------------------------------------------------------ ----------------
# Default policy is DENY
# Explicitly accept desired INCOMING & OUTGOING connections
# Remove all existing rules belonging to this filter
iptables -F
# Remove any existing user-defined chains.
iptables -X
# Set the default policy of the filter to deny.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# ------------------------------------------------------------ ----------------
# LOOPBACK
# --------
# Unlimited traffic on the loopback interface.
iptables -A INPUT -i $LOOPBACK_INTERFACE -j ACCEPT
iptables -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT
# ------------------------------------------------------------ ----------------
# ------------------------------------------------------------ ----------------
#for VPN
iptables -A INPUT -p 47 -m state --state ESTABLISHED,RELATED -i eth0 -j ACCEPT
iptables -A OUTPUT -p TCP --dport 1723 -o eth0 -j ACCEPT
iptables -A OUTPUT -p 47 -o eth0 -j ACCEPT
# ------------------------------------------------------------ ----------------
# Network Ghouls
# Deny access to jerks
# --------------------
# /etc/rc.d/rc.firewall.blocked contains a list of
# iptables -A INPUT -i $EXTERNAL_INTERFACE -s address -j DROP
# rules to block from any access.
# Refuse any connection from problem sites
if [ -f /etc/rc.d/rc.firewall.blocked ]; then
deny_file="/etc/rc.d/rc.firewall.blocked"
temp_file="/tmp/temp.ip.addresses"
cat $deny_file | sed -n -e "s/^[ ]*\([0-9.]*\).*$/\1/p" \
| awk ' $1 ' > $temp_file
while read ip_addy
do
case $ip_addy in
*) iptables -A INPUT -i $EXTERNAL_INTERFACE -s $ip_addy -j DROP
iptables -A INPUT -i $EXTERNAL_INTERFACE -d $ip_addy -j DROP
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -s $ip_addy -j REJECT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -d $ip_addy -j REJECT
;;
esac
done < $temp_file
rm -f $temp_file > /dev/null 2>&1
unset temp_file
unset deny_file
fi
# ------------------------------------------------------------ ----------------
# SPOOFING & BAD ADDRESSES
# Refuse spoofed packets.
# Ignore blatantly illegal source addresses.
# Protect yourself from sending to bad addresses.
# Refuse incoming packets pretending to be from the external address.
iptables -A INPUT -s $IPADDR -j DROP
# Refuse incoming packets claiming to be from a Class A, B or C private network
iptables -A INPUT -s $CLASS_A -j DROP
iptables -A INPUT -s $CLASS_B -j DROP
#iptables -A INPUT -s $CLASS_C -j DROP
# Refuse broadcast address SOURCE packets
iptables -A INPUT -s $BROADCAST_DEST -j DROP
iptables -A INPUT -d $BROADCAST_SRC -j DROP
# Refuse Class D multicast addresses
# Multicast is illegal as a source address.
# Multicast uses UDP.
iptables -A INPUT -s $CLASS_D_MULTICAST -j DROP
# Refuse Class E reserved IP addresses
iptables -A INPUT -s $CLASS_E_RESERVED_NET -j DROP
# Refuse special addresses defined as reserved by the IANA.
# Note: The remaining reserved addresses are not included
# filtering them causes problems as reserved blocks are
# being allocated more often now. The following are based on
# reservations as listed by IANA as of 2001/01/04. Please regularly
# check at http://www.iana.org/ for the latest status.
# Note: this list includes the loopback, multicast, & reserved addresses.
# 0.*.*.* - Can't be blocked for DHCP users.
# 127.*.*.* - LoopBack
# 169.254.*.* - Link Local Networks
# 192.0.2.* - TEST-NET
# 224-255.*.*.* - Classes D & E, plus unallocated.
iptables -A INPUT -s 0.0.0.0/8 -j DROP
iptables -A INPUT -s 127.0.0.0/8 -j DROP
iptables -A INPUT -s 169.254.0.0/16 -j DROP
iptables -A INPUT -s 192.0.2.0/24 -j DROP
iptables -A INPUT -s 224.0.0.0/3 -j DROP
# ------------------------------------------------------------ ----------------
# UDP TRACEROUTE
# --------------
# Traceroute usually uses -S 32769:65535 -D 33434:33523
iptables -A INPUT -i $INTERNET_INTERFACE -p udp \
--source-port $TRACEROUTE_SRC_PORTS \
--destination-port $TRACEROUTE_DEST_PORTS -j DROP
iptables -A OUTPUT -o $INTERNET_INTERFACE -p udp \
--source-port $TRACEROUTE_SRC_PORTS \
--destination-port $TRACEROUTE_DEST_PORTS -j ACCEPT
#for local
iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
--source-port $TRACEROUTE_SRC_PORTS \
-d $IPADDR --destination-port $TRACEROUTE_DEST_PORTS -j DROP
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
-s $IPADDR --source-port $TRACEROUTE_SRC_PORTS \
--destination-port $TRACEROUTE_DEST_PORTS -j ACCEPT
# ------------------------------------------------------------ ----------------
# DNS forward-only nameserver (53)
# --------------------------------
iptables -A INPUT -i $INTERNET_INTERFACE -p udp \
-s $PRIMARY_NAMESERVER --source-port 53 \
--destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $INTERNET_INTERFACE -p udp \
--source-port $UNPRIVPORTS \
-d $PRIMARY_NAMESERVER --destination-port 53 -j ACCEPT
iptables -A INPUT -i $INTERNET_INTERFACE -p tcp ! --syn \
-s $PRIMARY_NAMESERVER --source-port 53 \
--destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $INTERNET_INTERFACE -p tcp \
--source-port $UNPRIVPORTS \
-d $PRIMARY_NAMESERVER --destination-port 53 -j ACCEPT
iptables -A INPUT -i $INTERNET_INTERFACE -p udp \
-s $SECONDARY_NAMESERVER --source-port 53 \
--destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $INTERNET_INTERFACE -p udp \
--source-port $UNPRIVPORTS \
-d $SECONDARY_NAMESERVER --destination-port 53 -j ACCEPT
iptables -A INPUT -i $INTERNET_INTERFACE -p tcp ! --syn \
-s $SECONDARY_NAMESERVER --source-port 53 \
--destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $INTERNET_INTERFACE -p tcp \
--source-port $UNPRIVPORTS \
-d $SECONDARY_NAMESERVER --destination-port 53 -j ACCEPT
# ------------------------------------------------------------ ------
# HTTP server (80)
# ----------------
#iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
# --source-port $UNPRIVPORTS \
# -d $IPADDR --destination-port 80 -j ACCEPT
#iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn \
# -s $IPADDR --source-port 80 \
# --destination-port $UNPRIVPORTS -j ACCEPT
# ------------------------------------------------------------ ------
# HTTPS server (443)
# ------------------
#iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
# --source-port $UNPRIVPORTS \
# -d $IPADDR --destination-port 443 -j ACCEPT
#iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn \
# -s $IPADDR --source-port 443 \
# --destination-port $UNPRIVPORTS -j ACCEPT
# ------------------------------------------------------------ ------
# MySQL server (3306)
# -------------------
# iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
# --source-port $UNPRIVPORTS \
# -d $IPADDR --destination-port 3306 -j ACCEPT
# iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn \
# -s $IPADDR --source-port 3306 \
# --destination-port $UNPRIVPORTS -j ACCEPT
# ------------------------------------------------------------ ------
# SSH server (22)
# ---------------
#iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
# --source-port $SSH_REMOTE_PORTS \
# -d $IPADDR --destination-port 22 -j ACCEPT
#iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn \
# -s $IPADDR --source-port 22 \
# --destination-port $SSH_REMOTE_PORTS -j ACCEPT
# SSH client (22)
# ---------------
iptables -A OUTPUT -o $INTERNET_INTERFACE -p tcp \
--source-port $SSH_LOCAL_PORTS \
--destination-port 22 -j ACCEPT
iptables -A INPUT -i $INTERNET_INTERFACE -p tcp ! --syn \
--source-port 22 \
--destination-port $SSH_LOCAL_PORTS -j ACCEPT
#Для внутренней сетки
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
--source-port 22 \
-d $IPADDR --destination-port $SSH_LOCAL_PORTS -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port $SSH_LOCAL_PORTS \
--destination-port 22 -j ACCEPT
# ------------------------------------------------------------ ------
# IMAP server (143)
# -----------------
# iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
# --source-port $UNPRIVPORTS \
# -d $IPADDR --destination-port 143 -j ACCEPT
# iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn \
# -s $IPADDR --source-port 143 \
# --destination-port $UNPRIVPORTS -j ACCEPT
# IMAP client (143)
# -----------------
# iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
# --source-port 143 \
# -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
# iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
# -s $IPADDR --source-port $UNPRIVPORTS \
# --destination-port 143 -j ACCEPT
# ------------------------------------------------------------ ------
# SMTP client (25)
# ----------------
iptables -A INPUT -i $INTERNET_INTERFACE -p tcp ! --syn \
--source-port 25 \
--destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $INTERNET_INTERFACE -p tcp \
--source-port $UNPRIVPORTS \
--destination-port 25 -j ACCEPT
# ------------------------------------------------------------ ------
# POP client (110)
# ----------------
iptables -A INPUT -i $INTERNET_INTERFACE -p tcp ! --syn \
--source-port 110 \
--destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $INTERNET_INTERFACE -p tcp \
--source-port $UNPRIVPORTS \
--destination-port 110 -j ACCEPT
# ------------------------------------------------------------ ------
# HTTP client (80)
# ----------------
iptables -A INPUT -i $INTERNET_INTERFACE -p tcp ! --syn \
--source-port 80 \
--destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $INTERNET_INTERFACE -p tcp \
--source-port $UNPRIVPORTS \
--destination-port 80 -j ACCEPT
iptables -A INPUT -i $INTERNET_INTERFACE -p tcp ! --syn \
--source-port 8083 \
--destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $INTERNET_INTERFACE -p tcp \
--source-port $UNPRIVPORTS \
--destination-port 8083 -j ACCEPT
iptables -A INPUT -i $INTERNET_INTERFACE -p tcp ! --syn \
--source-port 8080 \
--destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $INTERNET_INTERFACE -p tcp \
--source-port $UNPRIVPORTS \
--destination-port 8080 -j ACCEPT
#for internal network
# ----------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
--source-port 80 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port $UNPRIVPORTS \
--destination-port 80 -j ACCEPT
# ------------------------------------------------------------ ------
# ------------------------------------------------------------ ------
# HTTPS client (443)
# ----------------
iptables -A INPUT -i $INTERNET_INTERFACE -p tcp ! --syn \
--source-port 443 \
--destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $INTERNET_INTERFACE -p tcp \
--source-port $UNPRIVPORTS \
--destination-port 443 -j ACCEPT
# ------------------------------------------------------------ ------
# IRC client (6667)
# -----------------
iptables -A INPUT -i $INTERNET_INTERFACE -p tcp ! --syn \
--source-port 6667 \
--destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $INTERNET_INTERFACE -p tcp \
--source-port $UNPRIVPORTS \
--destination-port 6667 -j ACCEPT
iptables -A INPUT -i $INTERNET_INTERFACE -p tcp \
--source-port $UNPRIVPORTS \
--destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $INTERNET_INTERFACE -p tcp \
--source-port $UNPRIVPORTS \
--destination-port $UNPRIVPORTS -j ACCEPT
# ------------------------------------------------------------ ------
# IRC client (6667) Для внутренней сетки
# -----------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
--source-port 6667 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port $UNPRIVPORTS \
--destination-port 6667 -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
--source-port $UNPRIVPORTS \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port $UNPRIVPORTS \
--destination-port $UNPRIVPORTS -j ACCEPT
# ------------------------------------------------------------ ------
# ------------------------------------------------------------ ------
# FTP server (21)
# ---------------
# incoming request
#iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
# --source-port $UNPRIVPORTS \
# -d $IPADDR --destination-port 21 -j ACCEPT
#iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn \
# -s $IPADDR --source-port 21 \
# --destination-port $UNPRIVPORTS -j ACCEPT
# PORT MODE data channel responses
#iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
# -s $IPADDR --source-port 20 \
# --destination-port $UNPRIVPORTS -j ACCEPT
#iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
# --source-port $UNPRIVPORTS \
# -d $IPADDR --destination-port 20 -j ACCEPT
# PASSIVE MODE data channel responses
#iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
# --source-port $UNPRIVPORTS \
# -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
#iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn \
# -s $IPADDR --source-port $UNPRIVPORTS \
# --destination-port $UNPRIVPORTS -j ACCEPT
# ------------------------------------------------------------ ------
# SYSLOG client (514)
# -------------------
# iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
# -s $IPADDR --source-port 514 \
# -d $SYSLOG_SERVER --destination-port $UNPRIVPORTS -j ACCEPT
# ------------------------------------------------------------ ------
# FTP client (21)
# ---------------
# outgoing request
iptables -A OUTPUT -o $INTERNET_INTERFACE -p tcp \
--source-port $UNPRIVPORTS \
--destination-port 21 -j ACCEPT
iptables -A INPUT -i $INTERNET_INTERFACE -p tcp ! --syn \
--source-port 21 \
--destination-port $UNPRIVPORTS -j ACCEPT
# PORT mode data channel
iptables -A INPUT -i $INTERNET_INTERFACE -p tcp \
--source-port 20 \
--destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $INTERNET_INTERFACE -p tcp ! --syn \
--source-port $UNPRIVPORTS \
--destination-port 20 -j ACCEPT
# ---------------
#for internal network
# outgoing request
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port $UNPRIVPORTS \
--destination-port 21 -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
--source-port 21 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
# PORT mode data channel
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
--source-port 20 \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn \
-s $IPADDR --source-port $UNPRIVPORTS \
--destination-port 20 -j ACCEPT
# ------------------------------------------------------------ ------
# ------------------------------------------------------------ ----------------
# ICMP
# ----
# To prevent denial of service attacks based on ICMP bombs, filter
# incoming Redirect (5) and outgoing Destination Unreachable (3).
# Note, however, disabling Destination Unreachable (3) is not
# advisable, as it is used to negotiate packet fragment size.
# For bi-directional ping.
# Message Types: Echo_Reply (0), Echo_Request (8)
# To prevent attacks, limit the src addresses to your ISP range.
#
# For outgoing traceroute.
# Message Types: INCOMING Dest_Unreachable (3), Time_Exceeded (11)
# default UDP base: 33434 to base+nhops-1
#
# For incoming traceroute.
# Message Types: OUTGOING Dest_Unreachable (3), Time_Exceeded (11)
# To block this, deny OUTGOING 3 and 11
# 0: echo-reply (pong)
# 3: destination-unreachable, port-unreachable, fragmentation-needed, etc.
# 4: source-quench
# 5: redirect
# 8: echo-request (ping)
# 11: time-exceeded
# 12: parameter-problem
iptables -A INPUT -i $INTERNET_INTERFACE -p icmp \
--icmp-type echo-reply \
-j ACCEPT
iptables -A INPUT -i $INTERNET_INTERFACE -p icmp \
--icmp-type destination-unreachable \
-j ACCEPT
iptables -A INPUT -i $INTERNET_INTERFACE -p icmp \
--icmp-type source-quench \
-j ACCEPT
iptables -A INPUT -i $INTERNET_INTERFACE -p icmp \
--icmp-type time-exceeded \
-j ACCEPT
iptables -A INPUT -i $INTERNET_INTERFACE -p icmp \
--icmp-type parameter-problem \
-j ACCEPT
iptables -A OUTPUT -o $INTERNET_INTERFACE -p icmp \
--icmp-type fragmentation-needed -j ACCEPT
iptables -A OUTPUT -o $INTERNET_INTERFACE -p icmp \
--icmp-type source-quench -j ACCEPT
iptables -A OUTPUT -o $INTERNET_INTERFACE -p icmp \
--icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -o $INTERNET_INTERFACE -p icmp \
--icmp-type parameter-problem -j ACCEPT
# ------------------------------------------------------------ ----------------
#Для внутренней сетки
iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type echo-reply \
-d $IPADDR -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type destination-unreachable \
-d $IPADDR -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type source-quench \
-d $IPADDR -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type time-exceeded \
-d $IPADDR -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type parameter-problem \
-d $IPADDR -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR --icmp-type fragmentation-needed -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR --icmp-type source-quench -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR --icmp-type parameter-problem -j ACCEPT
# ------------------------------------------------------------ ----------------
# Enable logging for selected denied packets
iptables -A INPUT -i $INTERNET_INTERFACE -p tcp -j DROP
iptables -A INPUT -i $INTERNET_INTERFACE -p udp \
--destination-port $PRIVPORTS -j DROP
iptables -A INPUT -i $INTERNET_INTERFACE -p udp \
--destination-port $UNPRIVPORTS -j DROP
iptables -A INPUT -i $INTERNET_INTERFACE -p icmp \
--icmp-type 5 -j DROP
iptables -A INPUT -i $INTERNET_INTERFACE -p icmp \
--icmp-type 13/255 -j DROP
iptables -A OUTPUT -o $INTERNET_INTERFACE -j REJECT
#Для локальной сети
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp -j DROP
iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
--destination-port $PRIVPORTS -j DROP
iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
--destination-port $UNPRIVPORTS -j DROP
iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type 5 -j DROP
iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type 13/255 -j DROP
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -j REJECT
# ------------------------------------------------------------ ----------------
;;
stop)
echo -n "Shutting Firewalling: "
# Remove all existing rules belonging to this filter
iptables -F
# Delete all user-defined chain to this filter
iptables -X
# Reset the default policy of the filter to accept.
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
;;
status)
status iptables
;;
restart|reload)
$0 stop
$0 start
;;
*)
echo "Usage: iptables {start|stop|status|restart|reload}"
exit 1
esac
echo "done"
exit 0
