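#!/bin/sh
#
# iptables firewall / NAT script for a two-interface gateway:
#   WAN = upstream interface (masqueraded), LAN = client network.
# Running it flushes every existing rule and rebuilds the rule set from
# scratch, so it has to run as root. Changes versus the earlier revision:
# the interface names are used consistently through $WAN/$LAN (the filter
# and NAT sections used to hard-code eth0/eth1, so changing the variables
# at the top only changed half of the rule set), exact duplicate rules were
# removed, and the inbound DNS rule is now stateful.
#
# Interface names: every rule below refers to them through these two
# variables, so editing them here is sufficient.
WAN="eth0"
LAN="eth1"
# ---------------------------------------
# Remove all existing iptables settings
# ---------------------------------------
#
# Flush every chain in every table (without -t the table is 'filter'):
#
iptables -F
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t mangle
iptables -F -t nat
iptables -F -t filter
# Delete any user-defined chains:
#
iptables -X
# -----------------------------------------------------------
# Define default policies
# -----------------------------------------------------------
# Note: these policies by themselves are not enough for a working
# system; additional rules have to be added.
#
# The INPUT policy becomes DROP before a single ACCEPT rule exists; the
# generic RELATED,ESTABLISHED accept for INPUT is only appended in the
# "Filter" section far below, so all inbound packets (including those of
# an SSH session used to run this script) are dropped until the SSH rule
# below has been appended. If the script is interrupted in between, the
# host is unreachable over the network. Accepting RELATED,ESTABLISHED
# first, or setting the DROP policy as the very last step, closes that gap.
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
# -----------------
# Block SMTP
# -----------------
#
iptables -A INPUT -p tcp -i "$LAN" --dport 25 -j DROP
iptables -A OUTPUT -p tcp -o "$WAN" --dport 25 -j DROP
iptables -A INPUT -p tcp -i "$LAN" --sport 25 -j DROP
iptables -A OUTPUT -p tcp -o "$WAN" --sport 25 -j DROP
# SMTP from LAN clients is not forwarded either (this rule used to be
# listed twice; the second copy could never match).
iptables -A FORWARD -p tcp -i "$LAN" --dport 25 -j DROP
# Source: http://www.cyberciti.biz/tips/linux-iptables-15-how-to-block-or-open-mail-serversmtp-protocol.html
# Inbound SMTP on any interface is actively rejected rather than dropped.
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 --dport 25 -m state --state NEW,ESTABLISHED -j REJECT
# --------------------------------------
# Allow SSH (from LAN as well as WAN)
# --------------------------------------
# No table is given, so this lands in 'filter'. No interface is given
# either, so it matches on every interface: SSH is reachable from the WAN.
#
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# -------------------------------------
# Allow traffic on the local loopback
# -------------------------------------
#
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# -----------------------------------
# Allow outbound WWW on ports 80 & 443
# -----------------------------------
#
iptables -A INPUT -i "$WAN" -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o "$WAN" -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i "$WAN" -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o "$WAN" -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
# ------------------------------
# Allow DNS
# ------------------------------
# Source: http://www.linuxhomenetworking.com/forums/showthread.php?t=454
#
iptables -A OUTPUT -p udp -o "$WAN" --dport 53 --sport 1024:65535 -j ACCEPT
# The inbound side is restricted to replies to our own queries. The
# previous version accepted any UDP packet from source port 53 to a high
# port, which let unsolicited packets from the WAN reach local UDP services.
# Connection tracking is already relied upon by the -m state rules above.
iptables -A INPUT -p udp -i "$WAN" --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
# -----------------------------
# Incoming ping
# -----------------------------
# Source: http://www.cyberciti.biz/tips/linux-iptables-9-allow-icmp-ping.html
# The original example from the source contained an additional -d and -s
# field, which I do not understand.
#
iptables -A INPUT -p icmp --icmp-type 8 -s 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 0 -d 0/0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# ----------------------------
# Outgoing ping
# ----------------------------
# Source: http://www.cyberciti.biz/tips/linux-iptables-9-allow-icmp-ping.html
# The original example contained an additional -d and -s field, which I
# do not understand.
#
iptables -A OUTPUT -p icmp --icmp-type 8 -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 0 -s 0/0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# -------------------------------
# NAT/Masquerade
# ------------------------------
#
iptables -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
# ---------------------------------
# Activate forwarding in the kernel
# ---------------------------------
# Written to /proc, so this does not survive a reboot; the script has to
# run again (or the sysctl has to be made persistent elsewhere).
echo "1" > /proc/sys/net/ipv4/ip_forward
# ------------------------
# NAT section
# ------------------------
#
# DNS and DHCP requests from the LAN are redirected to this host itself
# (REDIRECT without --to-ports keeps the original port).
iptables -t nat -A PREROUTING -i "$LAN" -p udp -m multiport --dports domain,bootps -j REDIRECT
iptables -t nat -A PREROUTING -d 172.31.255.254 -i "$LAN" -p tcp -m tcp --dport 443 -j REDIRECT
# iptables -t nat -A PREROUTING -i eth1 -p tcp -m multiport --dports http,webcache,tproxy,8082 -j REDIRECT --to-ports 3128 # Blocks http on clients
# # iptables -A PREROUTING -i eth1 -j LOL
# # iptables -A PREROUTING -i eth1 -j CCC
# iptables -t nat -A PREROUTING -i eth1 -p tcp -m multiport --dports https -j DNAT --to-destination 172.16.255.254
# # iptables -t nat -A PREROUTING -i eth1 -p icmp -m icmp --icmp-type 8 -j ACCEPT
# iptables -t nat -A PREROUTING -i eth1 -j DROP # Blocks http on clients (and probably everything else too)
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# # iptables -t -A SPOOF -p tcp -m tcp --dport 25 -j DNAT --to-destination 172.31.255.254
# # iptables -t -A SPOOF -j ACCEPT
# ------
# Mangle
# ------
#
# iptables -t mangle -A PREROUTING -i eth1 -p icmp -m limit --limit 1/sec --limit-burst 100 -j ACCEPT
# iptables -t mangle -A PREROUTING -i eth1 -p icmp -j DROP
# iptables -t mangle -A PREROUTING -i eth1 -p udp -m multiport --dports 135,netbios-ns,netbios-dgm,netbios-ssn,1863,1900 -j DROP
# iptables -t mangle -A PREROUTING -i eth1 -p tcp -m multiport --dports 135,netbios-ns,netbios-dgm,netbios-ssn,1863,1900 -j DROP
# iptables -t mangle -A PREROUTING -i eth1 -p udp -m multiport --sports 135,netbios-ns,netbios-dgm,netbios-ssn,1863,1900 -j DROP
# iptables -t mangle -A PREROUTING -i eth1 -p tcp -m multiport --sports 135,netbios-ns,netbios-dgm,netbios-ssn,1863,1900 -j DROP
# --------------------------------------
# Filter
# --------------------------------------
#
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# (the loopback accept is already present higher up; its duplicate was dropped)
# DHCP client on the WAN side, tinc (655) and ICMP/auth/ssh from the WAN.
iptables -A INPUT -i "$WAN" -p udp -m udp --sport 67 --dport 68 -j ACCEPT
iptables -A INPUT -i "$WAN" -p tcp -m tcp --dport 655 -j ACCEPT
iptables -A INPUT -i "$WAN" -p icmp -m state --state NEW -j ACCEPT
iptables -A INPUT -i "$WAN" -p tcp -m multiport --dports auth,ssh -m state --state NEW -j ACCEPT
# Services offered to the LAN: https, DNS, ICMP and the DHCP server.
iptables -A INPUT -i "$LAN" -p tcp -m multiport --dports https -m state --state NEW -j ACCEPT
iptables -A INPUT -i "$LAN" -p udp -m multiport --dports domain -m state --state NEW -j ACCEPT
iptables -A INPUT -i "$LAN" -p icmp -j ACCEPT
iptables -A INPUT -i "$LAN" -p udp -m udp --sport 68 --dport 67 -j ACCEPT
# Windows chatter is dropped without logging to keep the log readable.
iptables -A INPUT -p udp -m multiport --sports netbios-ns,netbios-dgm,netbios-ssn -j DROP
iptables -A INPUT -p udp -m multiport --dports netbios-ns,netbios-dgm,netbios-ssn -j DROP
iptables -A INPUT -p tcp -m multiport --sports 135,1863,1900 -j DROP
iptables -A INPUT -p tcp -m multiport --dports 135,1863,1900 -j DROP
# Everything else falls through to the DROP policy after being logged.
# None of the LOG rules in this script is rate-limited (-m limit), so a
# burst of unsolicited packets translates directly into log volume.
iptables -A INPUT -j LOG --log-prefix "Fin: "
iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i "$LAN" -o "$WAN" -m state --state NEW -j ACCEPT
# The FORWARD policy is ACCEPT, so whatever reaches this LOG rule is still
# forwarded afterwards; the log entry is informational only. A DROP policy
# for FORWARD would make the two accept rules above the actual filter.
iptables -A FORWARD -j LOG --log-prefix "Fwd: "
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# (the loopback accept is already present higher up; its duplicate was dropped)
iptables -A OUTPUT -o "$WAN" -p udp -m udp --sport 68 --dport 67 -j ACCEPT
iptables -A OUTPUT -o "$WAN" -p tcp -m tcp --dport 655 -j ACCEPT
iptables -A OUTPUT -o "$WAN" -p icmp -m state --state NEW -j ACCEPT
# 'smtp' in this list never matches: the OUTPUT DROP for --dport 25 on $WAN
# in the "Block SMTP" section comes first in the chain.
iptables -A OUTPUT -o "$WAN" -p tcp -m multiport --dports ftp,ssh,sftp,http,https,rtsp,tinc,smtp -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o "$WAN" -p udp -m multiport --dports domain,ntp -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o "$LAN" -p icmp -j ACCEPT
iptables -A OUTPUT -o "$LAN" -p udp -m udp --sport 67 --dport 68 -j ACCEPT
# -A OUTPUT -d 192.168.50.107 -p tcp -m tcp --dport 5001 -m state --state NEW -j ACCEPT
# (the second "-o eth1 -p icmp -j ACCEPT" copy was dropped as an exact duplicate)
# The OUTPUT policy is ACCEPT, so packets logged here are still sent; the
# "Error: " prefix marks traffic not covered by a rule above, not a block.
iptables -A OUTPUT -j LOG --log-prefix "Error: "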