iptables skripte

Lep pozdrav

Katere skripte za firewall/router uporabljate? Jaz imam s svojo tezave in to take, da se fotr ne more z VPN na firmo povezat. Kaj je lahko tezava v skripti?

Prilagam se skripto:

#!/bin/sh
#
# rc.firewall-2.4
FWVER=0.71
#
# Initial SIMPLE IP Masquerade test for 2.4.x kernels
# using IPTABLES.
#
# Once IP Masquerading has been tested, with this simple
# ruleset, it is highly recommended to use a stronger
# IPTABLES ruleset either given later in this HOWTO or
# from another reputable resource.
#
#
#
# Log:
# 0.71 - Added clarification that PPPoE users need to use
# \"ppp0\" instead of \"eth0\" for their external interface
# 0.70 - Added commented option for IRC nat module
# - Added additional use of environment variables
# - Added additional formatting
# 0.63 - Added support for the IRC IPTABLES module
# 0.62 - Fixed a typo on the MASQ enable line that used eth0
# instead of $EXTIF
# 0.61 - Changed the firewall to use variables for the internal
# and external interfaces.
# 0.60 - 0.50 had a mistake where the ruleset had a rule to DROP
# all forwarded packets but it didn't have a rule to ACCEPT
# any packets to be forwarded either
# - Load the ip_nat_ftp and ip_conntrack_ftp modules by default
# 0.50 - Initial draft
#
echo -e \"\n\nLoading simple rc.firewall version $FWVER..\n\"


# The location of the iptables and kernel module programs
#
# If your Linux distribution came with a copy of iptables,
# most likely all the programs will be located in /sbin. If
# you manually compiled iptables, the default location will
# be in /usr/local/sbin
#
# ** Please use the \"whereis iptables\" command to figure out
# ** where your copy is and change the path below to reflect
# ** your setup
#
IPTABLES=/sbin/iptables
#IPTABLES=/usr/local/sbin/iptables
DEPMOD=/sbin/depmod
INSMOD=/sbin/insmod


#Setting the EXTERNAL and INTERNAL interfaces for the network
#
# Each IP Masquerade network needs to have at least one
# external and one internal network. The external network
# is where the natting will occur and the internal network
# should preferably be addressed with a RFC1918 private address
# scheme.
#
# For this example, \"eth0\" is external and \"eth1\" is internal\"
#
#
# NOTE: If this doesnt EXACTLY fit your configuration, you must
# change the EXTIF or INTIF variables above. For example:
#
# If you are a PPPoE or analog modem user:
#
# EXTIF=\"ppp0\"
#
#
EXTIF=\"eth0\"
INTIF=\"eth1\"
echo \" External Interface: $EXTIF\"
echo \" Internal Interface: $INTIF\"


#======================================================================
#== No editing beyond this line is required for initial MASQ testing ==


echo -en \" loading modules: \"

# Need to verify that all modules have all required dependencies
#
echo \" - Verifying that all kernel modules are ok\"
$DEPMOD -a

# With the new IPTABLES code, the core MASQ functionality is now either
# modular or compiled into the kernel. This HOWTO shows ALL IPTABLES
# options as MODULES. If your kernel is compiled correctly, there is
# NO need to load the kernel modules manually.
#
# NOTE: The following items are listed ONLY for informational reasons.
# There is no reason to manual load these modules unless your
# kernel is either mis-configured or you intentionally disabled
# the kernel module autoloader.
#

# Upon the commands of starting up IP Masq on the server, the
# following kernel modules will be automatically loaded:
#
# NOTE: Only load the IP MASQ modules you need. All current IP MASQ
# modules are shown below but are commented out from loading.
# ===============================================================

echo \"----------------------------------------------------------------------\"

#Load the main body of the IPTABLES module - \"iptable\"
# - Loaded automatically when the \"iptables\" command is invoked
#
# - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en \"ip_tables, \"
$INSMOD ip_tables


#Load the IPTABLES filtering module - \"iptable_filter\"
# - Loaded automatically when filter policies are activated


#Load the stateful connection tracking framework - \"ip_conntrack\"
#
# The conntrack module in itself does nothing without other specific
# conntrack modules being loaded afterwards such as the \"ip_conntrack_ftp\"
# module
#
# - This module is loaded automatically when MASQ functionality is
# enabled
#
# - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en \"ip_conntrack, \"
$INSMOD ip_conntrack


#Load the FTP tracking mechanism for full FTP tracking
#
# Enabled by default -- insert a \"#\" on the next line to deactivate
#
echo -en \"ip_conntrack_ftp, \"
$INSMOD ip_conntrack_ftp


#Load the IRC tracking mechanism for full IRC tracking
#
# Enabled by default -- insert a \"#\" on the next line to deactivate
#
echo -en \"ip_conntrack_irc, \"
$INSMOD ip_conntrack_irc


#Load the general IPTABLES NAT code - \"iptable_nat\"
# - Loaded automatically when MASQ functionality is turned on
#
# - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en \"iptable_nat, \"
$INSMOD iptable_nat


#Loads the FTP NAT functionality into the core IPTABLES code
# Required to support non-PASV FTP.
#
# Enabled by default -- insert a \"#\" on the next line to deactivate
#
echo -en \"ip_nat_ftp, \"
$INSMOD ip_nat_ftp


#Loads the IRC NAT functionality into the core IPTABLES code
# Require to support NAT of IRC DCC requests
#
# Disabled by default -- remove the \"#\" on the next line to activate
#
#echo -e \"ip_nat_irc\"
#$INSMOD ip_nat_irc

echo \"----------------------------------------------------------------------\"

# Just to be complete, here is a list of the remaining kernel modules
# and their function. Please note that several modules should be only
# loaded by the correct master kernel module for proper operation.
# --------------------------------------------------------------------
#
# ipt_mark - this target marks a given packet for future action.
# This automatically loads the ipt_MARK module
#
# ipt_tcpmss - this target allows to manipulate the TCP MSS
# option for braindead remote firewalls.
# This automatically loads the ipt_TCPMSS module
#
# ipt_limit - this target allows for packets to be limited to
# to many hits per sec/min/hr
#
# ipt_multiport - this match allows for targets within a range
# of port numbers vs. listing each port individually
#
# ipt_state - this match allows to catch packets with various
# IP and TCP flags set/unset
#
# ipt_unclean - this match allows to catch packets that have invalid
# IP/TCP flags set
#
# iptable_filter - this module allows for packets to be DROPped,
# REJECTed, or LOGged. This module automatically
# loads the following modules:
#
# ipt_LOG - this target allows for packets to be
# logged
#
# ipt_REJECT - this target DROPs the packet and returns
# a configurable ICMP packet back to the
# sender.
#
# iptable_mangle - this target allows for packets to be manipulated
# for things like the TCPMSS option, etc.

echo \". Done loading modules.\"



#CRITICAL: Enable IP forwarding since it is disabled by default since
#
# Redhat Users: you may try changing the options in
# /etc/sysconfig/network from:
#
# FORWARD_IPV4=false
# to
# FORWARD_IPV4=true
#
echo \" enabling forwarding..\"
echo \"1\" > /proc/sys/net/ipv4/ip_forward


# Dynamic IP users:
#
# If you get your IP address dynamically from SLIP, PPP, or DHCP,
# enable this following option. This enables dynamic-address hacking
# which makes the life with Diald and similar programs much easier.
#
echo \" enabling DynamicAddr..\"
echo \"1\" > /proc/sys/net/ipv4/ip_dynaddr


# Enable simple IP forwarding and Masquerading
#
# NOTE: In IPTABLES speak, IP Masquerading is a form of SourceNAT or SNAT.
#
# NOTE #2: The following is an example for an internal LAN address in the
# 192.168.0.x network with a 255.255.255.0 or a \"24\" bit subnet mask
# connecting to the Internet on external interface \"eth0\". This
# example will MASQ internal traffic out to the Internet but not
# allow non-initiated traffic into your internal network.
#
#
# ** Please change the above network numbers, subnet mask, and your
# *** Internet connection interface name to match your setup
#


#Clearing any previous configuration
#
# Unless specified, the defaults for INPUT and OUTPUT is ACCEPT
# The default for FORWARD is DROP
#
echo \" clearing any existing rules and setting default policy..\"
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

echo \" FWD: Allow all connections OUT and only existing and related one IN \"

#drop
$IPTABLES -A INPUT -i $EXTIF -p tcp -s 207.46.98.0/24 -j DROP
$IPTABLES -A INPUT -i $EXTIF -p tcp -s 195.250.198.135 -j DROP
$IPTABLES -A INPUT -i $EXTIF -p tcp -s 195.250.198.138 -j DROP
$IPTABLES -A INPUT -i $EXTIF -p tcp -j DROP --dport 2601

#forwards
##msn na kanto
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p udp --dport 6910 -j DNAT --to-destination 192.168.0.4:6910
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 6910 -j DNAT --to-destination 192.168.0.4:6910
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p udp --dport 6891:6900 -j DNAT --to-destination 192.168.0.4:6891:6900
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 6891:6900 -j DNAT --to-destination 192.168.0.4:6891:6900

##mula za soncka
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 5555 -j DNAT --to-destination 192.168.0.5:5555
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p udp --dport 5566 -j DNAT --to-destination 192.168.0.5:5566

##msn na kanto
$IPTABLES -A FORWARD -i $EXTIF -p udp --dport 6910 -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -p tcp --dport 6910 -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -p udp --dport 6891:6900 -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -p tcp --dport 6891:6900 -j ACCEPT

##mula za soncka
$IPTABLES -A FORWARD -i $EXTIF -p tcp --dport 5555 -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -p udp --dport 5566 -j ACCEPT


#ipv6
$IPTABLES -A INPUT -p 41 -i $EXTIF -j ACCEPT
#smtp
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 25 -j ACCEPT
#named
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 53 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p udp --dport 53 -j ACCEPT
#httpd
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 80 -j ACCEPT
#imapd
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 143 -j ACCEPT
#pop3
$IPTABLES -A INPUT -i $INTIF -p tcp --dport 110 -j ACCEPT
#oidentd
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 113 -s 213.161.11.78 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 113 -s 193.2.1.34 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 113 -s 213.143.66.30 -j ACCEPT
#mldonkey
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 4662 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p udp --dport 4672 -j ACCEPT
#ctorrent
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 2727 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p udp --dport 2727 -j ACCEPT

$IPTABLES -A INPUT -i $EXTIF -p tcp -j DROP --dport 1:1024
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG

echo \" Enabling SNAT (MASQUERADE) functionality on $EXTIF\"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

echo -e \"\nDone.\n\"
Za komentiranje se prijavite ali pa se vpišite.