From: "Дворников М.В." <m_dvor@soc.adm.yar.ru>
To: ALT Linux sysadmin discuss <sysadmins@lists.altlinux.org>
Subject: Re: [Sysadmins] iptables protocol translation
Date: Thu, 06 Jul 2006 11:05:10 +0400
Message-ID: <44ACB626.8040507@soc.adm.yar.ru>
In-Reply-To: <200607031608.57303.ashen@nsrz.ru>

[-- Attachment #1: Type: text/plain, Size: 625 bytes --]

I decided to write rules for iptables. I took the rc.UTIN.firewall example from the "iptables tutorial" as a base. After restarting iptables I could not log in to the server over ssh.

The iptables rules need to do the following. Users on the local network are allowed to work only with the server: transparent proxy (squid:3128), postfix, ftp, pop3/imap. They must not reach external ftp, smtp, pop3, imap.

Additionally, NAT is allowed for:
- 1 client: ntpdate,
- 2 clients: several ports to a specific IP,
- 1 client: full access to a specific IP.

The server has 3 network interfaces: eth2 to the Internet, eth0 and eth1 connecting two kinds of cable (router).

[-- Attachment #2: iptables-rules.sh --]
[-- Type: text/plain, Size: 5070 bytes --]

#!/bin/sh

# service iptables stop

# variable
IPTABLES="/sbin/iptables"
LO_IFACE="lo"
LO_IP="127.0.0.1"
INET_IFACE="eth2"
INET_IP="193.X/maska"
LAN_IFACE1="eth0"
LAN_IP1="10.X/255.255.255.0"
LAN_IFACE2="eth1"
LAN_IP2="10.X/255.255.255.0"

# Set policies
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

# clear all
$IPTABLES -F
$IPTABLES -X

# Create chain for bad tcp packets
$IPTABLES -N bad_tcp_packets

# Create separate chains for ICMP, TCP and UDP to traverse
$IPTABLES -N allowed
$IPTABLES -N tcp_packets
$IPTABLES -N udp_packets
$IPTABLES -N icmp_packets

# bad_tcp_packets chain
$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

# allowed chain
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

# TCP rules
# ftp(20,21),ssh(22),smtp(25),pop3(110),imap(143)
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 20 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 25 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 110 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 143 -j allowed

# UDP ports
$IPTABLES -A udp_packets -p UDP -s 0/0 --source-port 20 -j ACCEPT
$IPTABLES -A udp_packets -p UDP -s 0/0 --source-port 21 -j ACCEPT
$IPTABLES -A udp_packets -p UDP -s 0/0 --source-port 22 -j ACCEPT
$IPTABLES -A udp_packets -p UDP -s 0/0 --source-port 25 -j ACCEPT
$IPTABLES -A udp_packets -p UDP -s 0/0 --source-port 110 -j ACCEPT
$IPTABLES -A udp_packets -p UDP -s 0/0 --source-port 143 -j ACCEPT

# ICMP rules
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

#
# INPUT chain
#

# Bad TCP packets we don't want.
$IPTABLES -A INPUT -p tcp -j bad_tcp_packets

# Rules for special networks not part of the Internet
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP1 -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP2 -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT

# Rules for incoming packets from anywhere.
$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -p TCP -j tcp_packets
$IPTABLES -A INPUT -p UDP -j udp_packets
$IPTABLES -A INPUT -p ICMP -j icmp_packets

# Log weird packets that don't match the above.
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT INPUT packet died: "

#
# FORWARD chain
#

# Bad TCP packets we don't want
$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets

# Accept the packets we actually want to forward
$IPTABLES -A FORWARD -p tcp --dport 21 -i $LAN_IFACE1 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 21 -i $LAN_IFACE2 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 80 -i $LAN_IFACE1 -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 110 -i $LAN_IFACE1 -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Log weird packets that don't match the above.
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT FORWARD packet died: "

#
# OUTPUT chain
#

# Bad TCP packets we don't want.
$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets

# Special OUTPUT rules to decide which IP's to allow.
$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT

# Log weird packets that don't match the above.
$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

#
# nat table
#
$IPTABLES -t nat -A PREROUTING -s $LAN_IP1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
$IPTABLES -t nat -A PREROUTING -s $LAN_IP2 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
$IPTABLES -t nat -A PREROUTING -s $LAN_IP1 -p tcp -m tcp --dport 8080 -j REDIRECT --to-ports 3128
$IPTABLES -t nat -A PREROUTING -s $LAN_IP2 -p tcp -m tcp --dport 8080 -j REDIRECT --to-ports 3128
$IPTABLES -t nat -A PREROUTING -s $LAN_IP1 -p tcp -m tcp --dport 8081 -j REDIRECT --to-ports 3128
$IPTABLES -t nat -A PREROUTING -s $LAN_IP2 -p tcp -m tcp --dport 8081 -j REDIRECT --to-ports 3128
$IPTABLES -t nat -A PREROUTING -s $LAN_IP1 -p tcp -m tcp --dport 1080 -j REDIRECT --to-ports 3128
$IPTABLES -t nat -A PREROUTING -s $LAN_IP2 -p tcp -m tcp --dport 1080 -j REDIRECT --to-ports 3128
$IPTABLES -t nat -A PREROUTING -s $LAN_IP1 -p tcp -m tcp --dport 3128 -j REDIRECT --to-ports 3128
$IPTABLES -t nat -A PREROUTING -s $LAN_IP2 -p tcp -m tcp --dport 3128 -j REDIRECT --to-ports 3128

service iptables save
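The posted script's OUTPUT chain accepts only packets sourced from $LO_IP, $INET_IP and an undefined $LAN_IP, and carries no ESTABLISHED,RELATED rule, so the server's own replies on the LAN side (ssh included) fall through to the OUTPUT DROP policy. The following is an added example, not the poster's script and not from the iptables tutorial, showing one way to express the policy stated in the message with a default-deny ruleset: LAN hosts may reach only the server's own services, web traffic is redirected to squid, and the three NAT exceptions are the only forwarded traffic. All addresses, the port list, and the inclusion of ssh (22) and of inbound smtp from the Internet are assumptions, marked as such in the comments. By default the script only prints the iptables commands (a dry run); run it with IPTABLES=/sbin/iptables to apply them.

```shell
#!/bin/sh
# Added example, not the original poster's script: one way to express the
# policy described in the message. Every address below is a placeholder
# (RFC 1918 / TEST-NET-2); replace them with the real ones.
# By default the commands are only printed (dry run). To apply them for
# real, run with IPTABLES=/sbin/iptables in the environment.
IPTABLES="${IPTABLES:-echo iptables}"

INET_IFACE="eth2"          # from the message
LAN_IFACE1="eth0"          # from the message
LAN_IFACE2="eth1"          # from the message
LAN_NET1="10.0.1.0/24"     # placeholder network behind eth0
LAN_NET2="10.0.2.0/24"     # placeholder network behind eth1
NTP_CLIENT="10.0.1.10"     # placeholder: the one host allowed to run ntpdate
PORT_CLIENTS="10.0.1.11 10.0.1.12"  # placeholder: two hosts allowed some ports to one IP
PORT_TARGET="198.51.100.20"         # placeholder: that IP
PORT_LIST="443 8443"                # placeholder: those ports
FULL_CLIENT="10.0.2.10"             # placeholder: the host allowed full access to one IP
FULL_TARGET="198.51.100.30"         # placeholder: that IP

# What LAN users may reach on the server itself, per interface/network pair.
lan_services() {  # $1 = LAN interface, $2 = its network
    # ftp, smtp (postfix), pop3, imap, squid; 22 is an assumption so that
    # the admin keeps ssh access, which the posted ruleset locked out.
    for port in 21 22 25 110 143 3128; do
        $IPTABLES -A INPUT -i "$1" -s "$2" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    # Transparent proxy: plain web traffic is redirected to squid before routing.
    $IPTABLES -t nat -A PREROUTING -i "$1" -s "$2" -p tcp --dport 80 -j REDIRECT --to-ports 3128
}

# The NAT exceptions listed in the message. Anything not matched here hits
# the FORWARD DROP policy, which is what blocks external ftp/smtp/pop3/imap.
nat_exceptions() {
    # 1 client: ntpdate only (udp/123)
    $IPTABLES -A FORWARD -s "$NTP_CLIENT" -o "$INET_IFACE" -p udp --dport 123 -j ACCEPT
    # 2 clients: a few tcp ports to one fixed address
    for client in $PORT_CLIENTS; do
        for port in $PORT_LIST; do
            $IPTABLES -A FORWARD -s "$client" -d "$PORT_TARGET" -o "$INET_IFACE" -p tcp --dport "$port" -j ACCEPT
        done
    done
    # 1 client: full access to one fixed address
    $IPTABLES -A FORWARD -s "$FULL_CLIENT" -d "$FULL_TARGET" -o "$INET_IFACE" -j ACCEPT
    # Hide the forwarded traffic behind the server's external address
    $IPTABLES -t nat -A POSTROUTING -o "$INET_IFACE" -j MASQUERADE
}

apply_rules() {
    # Flush first, then set default-deny policies
    $IPTABLES -F
    $IPTABLES -X
    $IPTABLES -t nat -F
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT DROP

    # Loopback, and conntrack replies in every direction. The OUTPUT rule is
    # the one the posted script lacks: without it the server's own replies
    # (ssh included) never leave the box.
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Connections the server itself opens (squid fetches, postfix relay, ntp)
    $IPTABLES -A OUTPUT -m state --state NEW -j ACCEPT

    lan_services "$LAN_IFACE1" "$LAN_NET1"
    lan_services "$LAN_IFACE2" "$LAN_NET2"

    # Assumption: postfix also receives mail from the Internet.
    $IPTABLES -A INPUT -i "$INET_IFACE" -p tcp --dport 25 -m state --state NEW -j ACCEPT

    nat_exceptions

    # Log (rate limited) what is about to be dropped by policy
    $IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-prefix "IPT INPUT drop: "
    $IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-prefix "IPT FORWARD drop: "
}

apply_rules
```

Two caveats worth keeping in mind with this layout. The "no external ftp/smtp/pop3/imap" requirement is enforced only by the FORWARD DROP policy, so any ACCEPT added to FORWARD later must be as specific as the ones above. And the per-host exceptions key on the client's source address, which any machine on the same LAN segment can claim; they are an administrative convenience, not an authentication mechanism.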