IPTables example script?
/dev/NULL
2005-07-30, 14:46:11
I'm looking for a short, concise example of an iptables firewall:
NAT from the internal interfaces (eth1 - LAN and eth2 - WLAN) to ppp0, plus ports opened for ICQ/data and eDonkey ("eselchen")/BitTorrent on an internal machine.
And SSH to the Linux box, ideally.
Does anyone have something they'd like to share?
ravage
2005-07-30, 15:35:38
Have a look at Vuurmuur:
http://vuurmuur.sourceforge.net/
It's a config tool for iptables. I've only tested it briefly myself, but it seemed quite easy to use.
/dev/NULL
2005-07-30, 15:42:04
In the meantime I've tried something else; it seems to work reasonably well:
My script:
#!/bin/sh
IPTABLES="/sbin/iptables"
GREP="/bin/grep"
AWK="/usr/bin/awk"
SED="/bin/sed"
IFCONFIG="/sbin/ifconfig"
#
# External Interface
EXTIF="ppp0"
# LAN Interface
INTIF_LAN="eth1"
# PPPoE Interface
INTIF_PPPOE="eth0"
#
# Network Address
INTNET_LAN="192.168.1.0/24"
INTNET_PPPOE="192.168.0.0/24"
ANYWHERE="0.0.0.0/0"
#
# LINUX IP ADDRESSES
INTIP_LAN="192.168.1.2/24"
INTIP_PPPOE="192.168.0.2/24"
LANHOST="192.168.1.55"
# Get dynamic IP from Telstra (i.e. the address currently assigned to ppp0).
# EXTIP is empty while ppp0 is down, so re-run this script from /etc/ppp/ip-up
# whenever the link comes up; the -d $EXTIP rules below hold the address at load time.
EXTIP="`$IFCONFIG $EXTIF | $GREP 'inet addr' | $AWK '{print $2}' | $SED -e 's/.*://'`"
$IPTABLES --flush
$IPTABLES -t mangle --flush
$IPTABLES -t nat --flush
# "logit" is a chain, not a table: delete the one left over from a previous run
# (the error is ignored when it does not exist yet)
$IPTABLES -X logit 2>/dev/null
#LOGGING CHAIN
#This is a chain that gets created so that certain packet criteria that get caught in our firewall get logged to /var/log/messages. Very helpful component, but not essential. It gives a nice verbose output showing a lot of detail about the settings in an ip header.
# Create a Logging Chain
$IPTABLES -N logit
$IPTABLES -A logit -j LOG --log-level info
$IPTABLES -A logit -j DROP
#INPUT CHAIN
#I'll state the obvious, this is where you put your rules for packets coming in. A typical 'deny all' firewall would only allow traffic initiated from the inside back in through the firewall and wouldn't allow any new traffic to come in from the outside. Here's an input chain example:
# Set Default Policy
$IPTABLES -P INPUT DROP
# Loopback can do anything ($THEWORLD was never defined; $ANYWHERE is meant)
$IPTABLES -A INPUT -i lo -s $ANYWHERE -d $ANYWHERE -j ACCEPT
# physical interfaces, local lan, going to the world is good
$IPTABLES -A INPUT -i $INTIF_LAN -s $INTNET_LAN -d $ANYWHERE -j ACCEPT
$IPTABLES -A INPUT -i $INTIF_PPPOE -s $INTNET_PPPOE -d $ANYWHERE -j ACCEPT
$IPTABLES -A INPUT -i $INTIF_LAN -s $INTNET_PPPOE -d $INTNET_LAN -j ACCEPT
$IPTABLES -A INPUT -i $INTIF_PPPOE -s $INTNET_LAN -d $INTNET_PPPOE -j ACCEPT
# If you're running DHCPd for your LAN then you'll need these
# $IPTABLES -A INPUT -i $INTIF_LAN -p tcp --sport 68 --dport 67 -j ACCEPT
# $IPTABLES -A INPUT -i $INTIF_LAN -p udp --sport 68 --dport 67 -j ACCEPT
# Stop spoofed ip's dead in their tracks
$IPTABLES -A INPUT -i $EXTIF -s $INTNET_LAN -d $ANYWHERE -j logit
# Replies to connections the router itself opened (DNS, updates, the ppp
# session); without this the box can talk out but never hears the answers,
# because the catch-all at the end of INPUT drops them
$IPTABLES -A INPUT -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
# Stop all ICMP traffic on the external interface
#$IPTABLES -A INPUT -i $EXTIF -p ICMP -s $ANYWHERE -d $EXTIP -j logit
# Port Forwarding to a particular LAN host to allow special traffic
# like ICQ, MIRC DCCs, eMule or eDonkey
# (DNAT'ed packets traverse FORWARD, not INPUT, so these INPUT rules only
# matter if the service runs on the router itself)
# Solves eMule/eDonkey problem of lowid
$IPTABLES -A INPUT -i $EXTIF -p tcp -d $EXTIP --sport 1024:65535 --dport 4662 -j ACCEPT
# 5 Ports for ICQ File Transfers
$IPTABLES -A INPUT -i $EXTIF -p tcp -d $EXTIP --sport 1024:65535 --dport 4990:4995 -j ACCEPT
# 5 Ports for Mirc DCCs (to allow people to upload from you)
#$IPTABLES -A INPUT -i $EXTIF -p tcp -d $EXTIP --sport 1024:65535 --dport 4980:4985 -j ACCEPT
# Bittorrent Ports
#$IPTABLES -A INPUT -i $EXTIF -p tcp -d $EXTIP --sport 1024:65535 --dport 6881:6889 -j ACCEPT
# Implicit Deny All if no match found
$IPTABLES -A INPUT -s $ANYWHERE -d $ANYWHERE -j logit
#OUTPUT CHAIN
#If you wanted to create a really strict firewall, then here's where you'd get specific about what can and can't get out. But for the home gateway, not really all that essential. Just set the default policy to ACCEPT.
$IPTABLES -P OUTPUT ACCEPT
#FORWARD CHAIN
#This is the chain that controls what gets routed through the linux box. Basically, a typical home gateway needs to allow anything on the LAN to go out to the internet and only let that traffic get forwarded back to the LAN.
# Set the default policy
$IPTABLES -P FORWARD DROP
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF_LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
# Any LAN traffic to the internet is permitted
$IPTABLES -A FORWARD -i $INTIF_LAN -o $EXTIF -j ACCEPT
# This is needed so we can reach the adsl modem and it to reach us.
$IPTABLES -A FORWARD -i $INTIF_LAN -o $INTIF_PPPOE -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF_PPPOE -o $INTIF_LAN -j ACCEPT
# Special Programs Port Forwarding Component
# Allow eMule/eDonkey port to get to LANHOST
$IPTABLES -A FORWARD -p tcp -i $EXTIF -o $INTIF_LAN -d $LANHOST \
--sport 1024:65535 --dport 4662 -j ACCEPT
# Allow ICQ ports to get to LANHOST
$IPTABLES -A FORWARD -p tcp -i $EXTIF -o $INTIF_LAN -d $LANHOST \
--sport 1024:65535 --dport 4990:4995 -j ACCEPT
## Allow mIRC DCCs ports to get to LANHOST
#$IPTABLES -A FORWARD -p tcp -i $EXTIF -o $INTIF_LAN -d $LANHOST \
#--sport 1024:65535 --dport 4980:4985 -j ACCEPT
# Allow Bittorrent ports to get to LANHOST
$IPTABLES -A FORWARD -p tcp -i $EXTIF -o $INTIF_LAN -d $LANHOST \
--sport 1024:65535 --dport 6881:6889 -j ACCEPT
# Implicit Deny All
$IPTABLES -A FORWARD -j logit
#$LANHOST is a fake variable you have to replace with the ip address of the windows box running ICQ, mIRC or eMule/eDonkey. For ICQ and mIRC you need to tell them the ports they have to listen to in order for port forwarding to work.
#NAT CHAIN
#Probably one of the best parts of iptables is the nat chain. This allows for some really cool stuff. Here we enable NATting to translate LAN traffic destined for the internet so that our LAN PCs can get on the web. Also, the final piece of the port forwarding puzzle is placed here.
# SourceNAT LAN traffic to the web (a.k.a IP Masquerading)
# MASQUERADE instead of SNAT --to $EXTIP: it follows ppp0's address across
# reconnects and forgets the old connections when the link goes down
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -s $INTNET_LAN -j MASQUERADE
# DestinationNAT traffic from the web to the LAN
# Allow eMule/eDonkey
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp -d $EXTIP --sport 1024:65535 --dport 4662 -j DNAT --to $LANHOST:4662
# Allow ICQ
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp -d $EXTIP --sport 1024:65535 --dport 4990:4995 -j DNAT --to $LANHOST
# Allow mIRC
#$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp -d $EXTIP --sport 1024:65535 --dport 4980:4985 -j DNAT --to $LANHOST
# Allow Bittorrent (same 6881:6889 range as the FORWARD rule above; with
# 6881:6890 port 6890 would be DNAT'ed and then dropped in FORWARD)
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp -d $EXTIP --sport 1024:65535 --dport 6881:6889 -j DNAT --to $LANHOST
But why does iptables -L take ~5 seconds per line on my machine?
I'll keep polishing it a bit; it still complains about the logit queue etc.
Harleckin
2005-07-30, 19:43:23
But why does iptables -L take ~5 seconds per line on my machine?
Because of name resolution!
AFAIK 'iptables -n -L' or 'iptables -n -L -v'
and also 'iptables -t nat -n -L'
/dev/NULL
2005-07-31, 13:29:45
Yep, it was the name resolution.
I'll post my updated firewall script here; maybe someone can make use of it.
#!/bin/sh
IPTABLES="/sbin/iptables"
GREP="/bin/grep"
LSMOD=/sbin/lsmod
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe
AWK="/usr/bin/awk"
SED="/bin/sed"
IFCONFIG="/sbin/ifconfig"
#
# External Interface
EXTIF="ppp0"
# LAN Interface
INTIF_LAN="eth1"
# PPPoE Interface
INTIF_PPPOE="eth0"
#
# Network Address
INTNET_LAN="192.168.1.0/24"
INTNET_PPPOE="192.168.0.0/24"
ANYWHERE="0.0.0.0/0"
LOOPBACK="127.0.0.0/8"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
#
# LINUX IP ADDRESSES
INTIP_LAN="192.168.1.2/24"
INTIP_PPPOE="192.168.0.2/24"
# Current address of ppp0; empty while the link is down, so run this script
# from /etc/ppp/ip-up (the -d $EXTIP rules below hold the address at load time)
EXTIP="`$IFCONFIG $EXTIF | $GREP 'inet addr' | $AWK '{print $2}' | $SED -e 's/.*://'`"
LANHOST="192.168.1.55"
case "$1" in
start)
echo "Starting IP packet filter"
$DEPMOD -a
# Load the netfilter modules that are not in yet (ip_conntrack_ftp/ip_nat_ftp
# let active FTP work through the NAT). The irc helpers for mIRC DCC are left
# out, just like the DCC rules further down.
for mod in ip_tables ip_conntrack ip_conntrack_ftp iptable_nat ip_nat_ftp; do
if [ -z "` $LSMOD | $GREP "^$mod " | $AWK '{print $1}' `" ]; then
$MODPROBE $mod
fi
done
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
# Reset everything: default policies first, so nothing slips through while the
# rules are rebuilt, then flush and delete all chains. No "iptables -L" here:
# without -n it does the slow reverse lookups, and -F/-X without a chain name
# already cover the user chains.
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -F
$IPTABLES -F -t nat
$IPTABLES -F -t mangle
$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X
$IPTABLES -Z
$IPTABLES -N drop-and-log-it
# No logging for now
# $IPTABLES -A drop-and-log-it -j LOG --log-level info
# REJECT answers with an ICMP error; use DROP if the box should stay silent on ppp0
$IPTABLES -A drop-and-log-it -j REJECT
#LOGGING CHAIN
#This is a chain that gets created so that certain packet criteria that get caught in our firewall get logged to /var/log/messages. Very helpful component, but not essential. It gives a nice verbose output showing a lot of detail about the settings in an ip header.
#INPUT CHAIN
#I'll state the obvious, this is where you put your rules for packets coming in. A typical 'deny all' firewall would only allow traffic initiated from the inside back in through the firewall and wouldn't allow any new traffic to come in from the outside. Here's an input chain example:
# Loopback can do anything
$IPTABLES -A INPUT -i lo -s $ANYWHERE -d $ANYWHERE -j ACCEPT
# Stop spoofed ip's dead in their tracks
$IPTABLES -A INPUT -i $EXTIF -s $CLASS_A -d $ANYWHERE -j drop-and-log-it
$IPTABLES -A INPUT -i $EXTIF -s $CLASS_B -d $ANYWHERE -j drop-and-log-it
$IPTABLES -A INPUT -i $EXTIF -s $CLASS_C -d $ANYWHERE -j drop-and-log-it
$IPTABLES -A INPUT -i $EXTIF -s $LOOPBACK -d $ANYWHERE -j drop-and-log-it
#physical interfaces, local lan, going to the world is good
$IPTABLES -A INPUT -i $INTIF_LAN -s $INTNET_LAN -d $ANYWHERE -j ACCEPT
$IPTABLES -A INPUT -i $INTIF_PPPOE -s $INTNET_PPPOE -d $ANYWHERE -j ACCEPT
$IPTABLES -A INPUT -i $INTIF_LAN -s $INTNET_PPPOE -d $INTNET_LAN -j ACCEPT
$IPTABLES -A INPUT -i $INTIF_PPPOE -s $INTNET_LAN -d $INTNET_PPPOE -j ACCEPT
# If you're running DHCPd for your LAN then you'll need these
# $IPTABLES -A INPUT -i $INTIF_LAN -p tcp --sport 68 --dport 67 -j ACCEPT
# $IPTABLES -A INPUT -i $INTIF_LAN -p udp --sport 68 --dport 67 -j ACCEPT
# ICMP traffic to external IF is ok
$IPTABLES -A INPUT -i $EXTIF -p ICMP -s $ANYWHERE -d $EXTIP -j ACCEPT
# Established traffic is fine!
$IPTABLES -A INPUT -i $EXTIF -s $ANYWHERE -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH is ok (open to the whole internet: expect password-guessing noise in the
# log; key-only auth in sshd_config or a rate limit with -m recent is advisable)
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED -p tcp -s $ANYWHERE -d $EXTIP --dport 22 -j ACCEPT
# For Port Forwarding to a particular LAN host to allow special traffic
# like ICQ, MIRC DCCs, eMule or eDonkey
# (DNAT'ed packets traverse FORWARD, not INPUT, so these INPUT rules are only
# needed if the service runs on the router itself)
# Solves eMule/eDonkey problem of lowid
$IPTABLES -A INPUT -i $EXTIF -p tcp -d $EXTIP --sport 1024:65535 --dport 4662 -j ACCEPT
# 5 Ports for ICQ File Transfers
$IPTABLES -A INPUT -i $EXTIF -p tcp -d $EXTIP --sport 1024:65535 --dport 4990:4995 -j ACCEPT
# 5 Ports for Mirc DCCs (to allow people to upload from you)
#$IPTABLES -A INPUT -i $EXTIF -p tcp -d $EXTIP --sport 1024:65535 --dport 4980:4985 -j ACCEPT
# Bittorrent Ports
$IPTABLES -A INPUT -i $EXTIF -p tcp -d $EXTIP --sport 1024:65535 --dport 6881:6889 -j ACCEPT
# Implicit Deny All if no match found
$IPTABLES -A INPUT -s $ANYWHERE -d $ANYWHERE -j drop-and-log-it
#OUTPUT CHAIN
#If you wanted to create a really strict firewall, then here's where you'd get specific about what can and can't get out. But for the home gateway, not really all that essential. Just set the default policy to ACCEPT.
$IPTABLES -P OUTPUT ACCEPT
#FORWARD CHAIN
#This is the chain that controls what gets routed through the linux box. Basically, a typical home gateway needs to allow anything on the LAN to go out to the internet and only let that traffic get forwarded back to the LAN.
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF_LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
# Any LAN traffic to the internet is permitted
$IPTABLES -A FORWARD -i $INTIF_LAN -o $EXTIF -j ACCEPT
# This is needed so we can reach the adsl modem and it to reach us.
$IPTABLES -A FORWARD -i $INTIF_LAN -o $INTIF_PPPOE -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF_PPPOE -o $INTIF_LAN -j ACCEPT
# Special Programs Port Forwarding Component
# Allow eMule/eDonkey port to get to LANHOST
$IPTABLES -A FORWARD -p tcp -i $EXTIF -o $INTIF_LAN -d $LANHOST \
--sport 1024:65535 --dport 4662 -j ACCEPT
# Allow ICQ ports to get to LANHOST
$IPTABLES -A FORWARD -p tcp -i $EXTIF -o $INTIF_LAN -d $LANHOST \
--sport 1024:65535 --dport 4990:4995 -j ACCEPT
## Allow mIRC DCCs ports to get to LANHOST
#$IPTABLES -A FORWARD -p tcp -i $EXTIF -o $INTIF_LAN -d $LANHOST \
#--sport 1024:65535 --dport 4980:4985 -j ACCEPT
# Allow Bittorrent ports to get to LANHOST
$IPTABLES -A FORWARD -p tcp -i $EXTIF -o $INTIF_LAN -d $LANHOST \
--sport 1024:65535 --dport 6881:6889 -j ACCEPT
# Implicit Deny All
$IPTABLES -A FORWARD -j drop-and-log-it
#$LANHOST is a fake variable you have to replace with the ip address of the windows box running ICQ, mIRC or eMule/eDonkey. For ICQ and mIRC you need to tell them the ports they have to listen to in order for port forwarding to work.
#NAT CHAIN
#Probably one of the best parts of iptables is the nat chain. This allows for some really cool stuff. Here we enable NATting to translate LAN traffic destined for the internet so that our LAN PCs can get on the web. Also, the final piece of the port forwarding puzzle is placed here.
# SourceNAT LAN traffic to the web (a.k.a IP Masquerading)
# MASQUERADE instead of SNAT --to $EXTIP: it follows ppp0's address across
# reconnects and forgets the old connections when the link goes down
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -s $INTNET_LAN -j MASQUERADE
# DestinationNAT traffic from the web to the LAN
# Allow eMule/eDonkey
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp -d $EXTIP --sport 1024:65535 --dport 4662 -j DNAT --to $LANHOST:4662
# Allow ICQ
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp -d $EXTIP --sport 1024:65535 --dport 4990:4995 -j DNAT --to $LANHOST
# Allow mIRC
#$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp -d $EXTIP --sport 1024:65535 --dport 4980:4985 -j DNAT --to $LANHOST
# Allow Bittorrent (same 6881:6889 range as the FORWARD rule above; with
# 6881:6890 port 6890 would be DNAT'ed and then dropped in FORWARD)
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp -d $EXTIP --sport 1024:65535 --dport 6881:6889 -j DNAT --to $LANHOST
;;
stop)
echo "Stopping IP packet filter"
# Flush and delete all chains
$IPTABLES -F
$IPTABLES -F -t nat
$IPTABLES -F -t mangle
$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X
echo "Disabling IP routing"
echo 0 > /proc/sys/net/ipv4/ip_forward
# Set default policies (wide open: the box is unprotected after "stop")
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
;;
status)
echo "Table filter"
$IPTABLES -L -vn
echo "Table nat"
$IPTABLES -t nat -L -vn
echo "Table mangle"
$IPTABLES -t mangle -L -vn
;;
*)
echo "Invalid invocation"
echo "Syntax: $0 {start|stop|status}"
exit 1
;;
esac
Still to do: add restart
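An added example, not code from this thread or any of its posters: the same router policy as the two scripts above (ppp0 uplink, eth1 LAN, eth0 towards the PPPoE modem, eMule/ICQ/BitTorrent forwards to 192.168.1.55), but generated as one iptables-restore file and loaded in a single atomic commit, with the DNAT and FORWARD rules for each forwarded port derived from one list so their ranges cannot drift apart the way 6881:6890 versus 6881:6889 did above. The interfaces, networks and LAN host are the thread's; the one-forward-per-line list format, the rate-limited `drop-and-log-it` chain, the `-m recent` limit on SSH and the `ip addr` sample line are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates the router policy as an
# iptables-restore file (both tables, one commit each) and keeps the nat and
# filter rules for every forwarded port in lockstep.
EXTIF="ppp0"
INTIF_LAN="eth1"
INTIF_PPPOE="eth0"
INTNET_LAN="192.168.1.0/24"
INTNET_PPPOE="192.168.0.0/24"

# One forward per line: "proto dport-or-range lan-host" (constructed list in
# this example's own format; mirrors the eMule, ICQ and BitTorrent forwards)
FORWARDS='tcp 4662 192.168.1.55
tcp 4990:4995 192.168.1.55
tcp 6881:6889 192.168.1.55'

# Constructed sample of `ip -4 -o addr show dev ppp0` for the address parser
SAMPLE_IP_LINE='5: ppp0    inet 203.0.113.7 peer 198.51.100.1/32 scope global ppp0\       valid_lft forever'

ext_ip_from_ip_output() {
    # $1: one line of `ip -4 -o addr show dev $EXTIF`; prints the address
    # without prefix length (replaces the ifconfig | grep | awk | sed chain)
    printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "inet") { split($(i+1), a, "/"); print a[1]; exit } }'
}

forward_rules() {
    # $1 is "nat" or "filter": prints the DNAT or the FORWARD rule for every
    # entry of FORWARDS, so both tables always carry the same port ranges
    printf '%s\n' "$FORWARDS" | while read -r proto ports host; do
        [ -n "$proto" ] || continue
        case "$1" in
            nat)    printf '%s\n' "-A PREROUTING -i $EXTIF -p $proto --dport $ports -j DNAT --to-destination $host" ;;
            filter) printf '%s\n' "-A FORWARD -i $EXTIF -o $INTIF_LAN -p $proto -d $host --dport $ports -m conntrack --ctstate NEW -j ACCEPT" ;;
        esac
    done
}

build_ruleset() {
    # Complete iptables-restore input; lines starting with # are ignored by it
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# MASQUERADE follows ppp0's address across reconnects, unlike SNAT --to <fixed ip>
-A POSTROUTING -o $EXTIF -s $INTNET_LAN -j MASQUERADE
$(forward_rules nat)
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:drop-and-log-it - [0:0]
-A drop-and-log-it -m limit --limit 5/min -j LOG --log-prefix "fw-drop: " --log-level info
-A drop-and-log-it -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# anti-spoofing: private and loopback sources never arrive legitimately on ppp0
-A INPUT -i $EXTIF -s 10.0.0.0/8 -j drop-and-log-it
-A INPUT -i $EXTIF -s 172.16.0.0/12 -j drop-and-log-it
-A INPUT -i $EXTIF -s 192.168.0.0/16 -j drop-and-log-it
-A INPUT -i $EXTIF -s 127.0.0.0/8 -j drop-and-log-it
-A INPUT -i $INTIF_LAN -s $INTNET_LAN -j ACCEPT
-A INPUT -i $INTIF_PPPOE -s $INTNET_PPPOE -j ACCEPT
-A INPUT -i $EXTIF -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
# SSH from the internet, but a source opening 4+ connections within 60 s is dropped
-A INPUT -i $EXTIF -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --name ssh --set
-A INPUT -i $EXTIF -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --name ssh --update --seconds 60 --hitcount 4 -j drop-and-log-it
-A INPUT -i $EXTIF -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j drop-and-log-it
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $INTIF_LAN -o $EXTIF -s $INTNET_LAN -j ACCEPT
-A FORWARD -i $INTIF_LAN -o $INTIF_PPPOE -j ACCEPT
-A FORWARD -i $INTIF_PPPOE -o $INTIF_LAN -j ACCEPT
$(forward_rules filter)
-A FORWARD -j drop-and-log-it
COMMIT
EOF
}

apply_ruleset() {
    # Parse first (--test), then load atomically; forwarding is switched on
    # only once the FORWARD policy is in place. Needs root.
    build_ruleset | iptables-restore --test || return 1
    build_ruleset | iptables-restore || return 1
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# "apply" loads the rules; anything else just prints the generated file
if [ "${1:-}" = "apply" ]; then apply_ruleset; else build_ruleset; fi
```

`sh fw.sh` prints the ruleset for review (it can be diffed against `iptables-save` output later), `sh fw.sh apply` loads it as root. Because iptables-restore swaps each whole table in one step, there is no moment during a reload where the chains are half built, and the slow `iptables -L` lookups from the thread never come into play.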