Nefunkcni fpt pri pouziti iptables

Pondělí Březen 18 10:52:52 CET 2002

Nastavil jsem si pravidla pro iptables a nemohu se dostat na ftp servery.
Asi bude stacit zkuseny pohled, ale ja ve skriptu nemuzu prijit na pricinu.

(Pokud ke skriptu mate i dalsi pripominky tak to uvitam. Je to prvni pokus.)

Petr

-------------------------------------
#!/bin/bash
#
# acfw - pravidla pro firewall

# Vase IP adresa a vnejsi rozhrani
INET_IP=a.b.c.d
INET_IFACE=eth1

# IP a broadcast adresa a rozhrani vnitrni site
LAN1_IP=192.168.1.1/32
LAN1_BCAST=192.168.1.255/32
LAN1_IFACE=eth0
LAN1_SERVER=192.168.1.254

# Lokalni loopback rozhrani
LO_IFACE=lo
LO_IP=127.0.0.1/32

# Cesta k programu iptables
IPTABLES=iptables

# Zapneme routovani paketu
echo "1" > /proc/sys/net/ipv4/ip_forward

# rp_filter na zamezeni IP spoofovani
for interface in /proc/sys/net/ipv4/conf/*/rp_filter
do
    echo "1" > ${interface}
done

# Implicitni politikou je zahazovat nepovolene pakety
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

#
----------------------------------------------------------------------------
------------------------------------------------------
# Retezec PREROUTING v NAT tabulce
#
----------------------------------------------------------------------------
------------------------------------------------------

# Presmerujeme port 25, 110, 1723 na stanici uvnitr site
$IPTABLES -t nat -A PREROUTING -p tcp --dport 25 -d $INET_IP -j DNAT --to
$LAN1_SERVER:25
$IPTABLES -t nat -A PREROUTING -p tcp --dport 110 -d $INET_IP -j DNAT --to
$LAN1_SERVER:110
$IPTABLES -t nat -A PREROUTING -p tcp --dport 1723 -d $INET_IP -j DNAT --to
$LAN1_SERVER:1723
$IPTABLES -t nat -A PREROUTING -p 47 -d $INET_IP -j DNAT --to $LAN1_SERVER

#
----------------------------------------------------------------------------
------------------------------------------------------
# Retezec POSTROUTING v NAT tabulce
#
----------------------------------------------------------------------------
------------------------------------------------------

# IP maskarada - SNAT
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to $INET_IP

#
----------------------------------------------------------------------------
------------------------------------------------------
# Pridavne retezce pro snazsi kontrolu na rezervovane adresy
#
----------------------------------------------------------------------------
------------------------------------------------------

# Zahazovat a logovat (max. 5 x 3 pakety za hod)
$IPTABLES -N spoofing
$IPTABLES -A spoofing -m limit --limit 5/h --limit-burst 3 -j LOG
--log-prefix "Rezervovana adresa: "
$IPTABLES -A spoofing -j DROP

# V tomto retezci se kontroluje, zda prichozi pakety nemaji nesmyslnou IP
adresu
$IPTABLES -N IN_FW
$IPTABLES -A IN_FW -s 192.168.0.0/16 -j spoofing # rezervovano podle RFC1918
$IPTABLES -A IN_FW -s 10.0.0.0/8 -j spoofing     #   ---- dtto ----
$IPTABLES -A IN_FW -s 172.16.0.0/12 -j spoofing  #   ---- dtto ----
$IPTABLES -A IN_FW -s 96.0.0.0/4 -j spoofing     # rezervovano podle IANA
# ... dalsi rezervovane adresy mozno doplnit podle 
#       http://www.iana.com/assignments/ipv4-address-space

# Retezec pro stanoveni limitu prichozich SYN konexi (ochrana pred SYN
floods)
# propusti pouze 4 SYN segmenty/sec
$IPTABLES -N syn-flood
$IPTABLES -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
$IPTABLES -A syn-flood -j DROP

#
----------------------------------------------------------------------------
------------------------------------------------------
# Retezec FORWARD
#
----------------------------------------------------------------------------
------------------------------------------------------

# Paket je oznacen jako NEW, ale nema nastaveny priznak SYN, pryc s nim
$IPTABLES -A FORWARD -p tcp ! --syn -m state --state NEW -j LOG --log-prefix
"NEW nema SYN: "
$IPTABLES -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP

# Nechceme rezervovane adresy na internetovem rozhrani
$IPTABLES -A FORWARD -i $INET_IFACE -j IN_FW

# Umoznit presmerovani portu na stanici dovnitr site (25, 110, 1723,
protokol 47)
$IPTABLES -A FORWARD -i $INET_IFACE -o $LAN1_IFACE -p tcp -d $LAN1_SERVER
--dport 25 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INET_IFACE -o $LAN1_IFACE -p tcp -d $LAN1_SERVER
--dport 110 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INET_IFACE -o $LAN1_IFACE -p tcp -d $LAN1_SERVER
--dport 1723 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INET_IFACE -o $LAN1_IFACE -p 47 -d $LAN1_SERVER -m
state --state ESTABLISHED,RELATED -j ACCEPT

# Routing zevnitr site ven neomezujeme
$IPTABLES -A FORWARD -i ! $INET_IFACE -j ACCEPT

# Routing zvenku dovnitr pouze pro navazana spojeni (stavovy firewall)
$IPTABLES -A FORWARD -i $INET_IFACE -o $LAN1_IFACE -m state --state
ESTABLISHED,RELATED -j ACCEPT

# Ostatni pakety budou zahozeny, tak je budeme logovat (6 x 5 pak/hod)
$IPTABLES -A FORWARD -m limit --limit 6/h -j LOG --log-prefix "forward drop:
"

#
----------------------------------------------------------------------------
------------------------------------------------------
# Retezec INPUT
#
----------------------------------------------------------------------------
------------------------------------------------------

# Paket je oznaceny jako NEW, ale nema nastaveny SYN flag - pryc s nim
$IPTABLES -A INPUT -i $INET_IFACE -p tcp ! --syn -m state --state NEW  -j
LOG --log-prefix "NEW nema SYN: "
$IPTABLES -A INPUT -i $INET_IFACE -p tcp ! --syn -m state --state NEW -j
DROP

# Nejprve se zbavime nezadoucich adres
$IPTABLES -A INPUT -i $INET_IFACE -j IN_FW

# Odfiltrovat pokusy o syn-flooding
$IPTABLES -A INPUT -i $INET_IFACE -p tcp --syn -j syn-flood

# Sluzbu AUTH neni dobre filtrovat pomoci DROP, protoze to muze
# vest k prodlevam pri navazovani nekterych spojeni. Proto jej
# sice zamitneme, ale vygenerujeme korektni ICMP chybovou zpravu
$IPTABLES -A INPUT -i $INET_IFACE -p TCP --dport 113 -j REJECT --reject-with
tcp-reset #AUTH server

# Propoustime pouze vybrane ICMP zpravy
$IPTABLES -A INPUT -i $INET_IFACE -p ICMP --icmp-type echo-reply -j ACCEPT
$IPTABLES -A INPUT -i $INET_IFACE -p ICMP --icmp-type
destination-unreachable -j ACCEPT
$IPTABLES -A INPUT -i $INET_IFACE -p ICMP --icmp-type echo-request -j ACCEPT
$IPTABLES -A INPUT -i $INET_IFACE -p ICMP --icmp-type time-exceeded -j
ACCEPT

# Loopback neni radno omezovat
$IPTABLES -A INPUT -i $LO_IFACE -j ACCEPT

# Stejne jako pakety z lokalni site, jsou-li urceny pro nas
$IPTABLES -A INPUT -i $LAN1_IFACE -d $LAN1_IP -j ACCEPT
$IPTABLES -A INPUT -i $LAN1_IFACE -d $INET_IP -j ACCEPT

# Broadcasty na lokalnim rozhrani jsou take nase
$IPTABLES -A INPUT -i $LAN1_IFACE -d $LAN1_BCAST -j ACCEPT

# Pakety od navazanych spojeni jsou v poradku
$IPTABLES -A INPUT -d $INET_IP -m state --state ESTABLISHED,RELATED -j
ACCEPT

# Vsechno ostatni je zakazano - tedy logujeme, maximalne 5 paketu,
# 6x za hodinu
$IPTABLES -A INPUT -m limit --limit 6/h -j LOG --log-prefix "input drop: "

#
----------------------------------------------------------------------------
------------------------------------------------------
# Retezec OUTPUT
#
----------------------------------------------------------------------------
------------------------------------------------------

# Povolime odchozi pakety, ktere maji nase IP adresy
$IPTABLES -A OUTPUT -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -s $LAN1_IP -j ACCEPT
$IPTABLES -A OUTPUT -s $INET_IP -j ACCEPT

# Ostatni pakety logujeme (nemely by byt zadne takove)
$IPTABLES -A OUTPUT -j LOG --log-prefix "output drop: "