From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Message-ID: <44ACB626.8040507@soc.adm.yar.ru> Date: Thu, 06 Jul 2006 11:05:10 +0400 From: =?KOI8-R?Q?=22=E4=D7=CF=D2=CE=C9=CB=CF=D7_=ED=2E=F7=2E=22?= User-Agent: Thunderbird 1.5.0.4 (Windows/20060516) MIME-Version: 1.0 To: ALT Linux sysadmin discuss References: <44A8CDD1.7090800@soc.adm.yar.ru> <20060703142303.25821ccd@shadow.orionagro.com.ua> <44A905EB.2080005@soc.adm.yar.ru> <200607031608.57303.ashen@nsrz.ru> In-Reply-To: <200607031608.57303.ashen@nsrz.ru> Content-Type: multipart/mixed; boundary="------------090806090405010001070704" X-Virus-Scanned: amavisd-new at soc.adm.yar.ru Subject: Re: [Sysadmins] =?koi8-r?b?aXB0YWJsZXMg1NLBztPM0cPJ0SDQ0s/Uz8vPzME=?= X-BeenThere: sysadmins@lists.altlinux.org X-Mailman-Version: 2.1.7 Precedence: list Reply-To: ALT Linux sysadmin discuss List-Id: ALT Linux sysadmin discuss List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 06 Jul 2006 07:11:19 -0000 Archived-At: List-Archive: This is a multi-part message in MIME format. --------------090806090405010001070704 Content-Type: text/plain; charset=KOI8-R; format=flowed Content-Transfer-Encoding: 8bit Решил написать правила для iptables. Взял за основу пример rc.UTIN.firewall из "iptables tutorial". После перезапуска iptables не смог зайти на сервер через ssh. Нужно написать правила для iptables. Пользователям из локальной сети разрешается работать только с сервером: прозрачный proxy (squid:3128), postfix, ftp, pop3/imap. Нельзя обращаться к внешним ftp,smtp,pop3,imap. Дополнительно разрешается NAT: - 1 клиент ntpdate, - 2 клиента несколько портов к определенному ip, - 1 клиент полный доступ к определенному ip. На сервере 3 сетевых: eth2 - в интернет, eth0 и eth1 соединение двух видов кабеля (роутер). 
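#!/bin/sh
#
# iptables rules for a three-NIC gateway: eth2 faces the Internet, eth0 and
# eth1 are two local segments.  Based on rc.UTIN.firewall from the
# "iptables tutorial": LAN hosts may use only the server's own services
# (ftp, ssh, smtp, pop3, imap, transparent squid on 3128) plus the few
# forwarded ports listed in the FORWARD chain.
#
# Run as root.  The ruleset is persisted with "service iptables save" at the
# very end, so a run that aborts midway leaves the previously saved ruleset in
# place for the next reboot.
#
# service iptables stop

# Abort on the first failing iptables command and on any unset variable.
# Under plain /bin/sh an unset variable silently expands to nothing, which
# turns "-s $VAR -j ACCEPT" into a rule iptables rejects -- the posted script
# lost its OUTPUT rules exactly this way (see the OUTPUT chain below).
set -eu

# ---- variables -------------------------------------------------------------
IPTABLES="/sbin/iptables"

LO_IFACE="lo"
LO_IP="127.0.0.1"

# Address placeholders as posted ("X", "maska"); fill in the real values.
INET_IFACE="eth2"
INET_IP="193.X/maska"

LAN_IFACE1="eth0"
LAN_IP1="10.X/255.255.255.0"
LAN_IFACE2="eth1"
LAN_IP2="10.X/255.255.255.0"

# Server services reachable from anywhere: ftp(20,21), ssh(22), smtp(25),
# pop3(110), imap(143).  Space-separated on purpose (iterated unquoted).
SERVICE_PORTS="20 21 22 25 110 143"

# Destination ports of LAN web traffic that is redirected to the transparent
# proxy, and the proxy's own port.
PROXY_PORTS="80 8080 8081 1080 3128"
PROXY_PORT="3128"

# ---- policies and clean slate ----------------------------------------------
# Default-deny is set *before* flushing so there is no window in which the old
# chains are gone but the policy is still ACCEPT.
"$IPTABLES" -P INPUT DROP
"$IPTABLES" -P OUTPUT DROP
"$IPTABLES" -P FORWARD DROP

# Flush every table this script populates, not only filter: the posted script
# ran "-F"/"-X" on filter alone, so each re-run appended a second copy of the
# PREROUTING REDIRECT rules to the nat table.
"$IPTABLES" -F
"$IPTABLES" -X
"$IPTABLES" -t nat -F
"$IPTABLES" -t nat -X

# ---- user-defined chains ---------------------------------------------------
"$IPTABLES" -N bad_tcp_packets
"$IPTABLES" -N allowed
"$IPTABLES" -N tcp_packets
"$IPTABLES" -N udp_packets
"$IPTABLES" -N icmp_packets

# bad_tcp_packets: NEW connections must start with a plain SYN; SYN,ACK gets
# a reset, anything else without SYN is logged and dropped.
"$IPTABLES" -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \
  -m state --state NEW -j REJECT --reject-with tcp-reset
"$IPTABLES" -A bad_tcp_packets -p tcp ! --syn -m state --state NEW \
  -j LOG --log-prefix "New not syn:"
"$IPTABLES" -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

# allowed: accept the opening SYN and packets of tracked connections, drop
# everything else.
"$IPTABLES" -A allowed -p TCP --syn -j ACCEPT
"$IPTABLES" -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -A allowed -p TCP -j DROP

# tcp_packets: one rule per published service port, in the listed order.
# shellcheck disable=SC2086  -- word splitting of SERVICE_PORTS is intended
for port in $SERVICE_PORTS; do
  "$IPTABLES" -A tcp_packets -p TCP -s 0/0 --dport "$port" -j allowed
done

# udp_packets: kept as posted.  NOTE(review): these rules match on the
# *source* port, which the remote sender picks freely, so any UDP datagram
# with sport 20/21/22/25/110/143 is accepted whatever its destination port.
# None of the listed services is a UDP service; confirm these are wanted and,
# if a UDP service is needed, match --dport of that service instead.
# shellcheck disable=SC2086  -- word splitting of SERVICE_PORTS is intended
for port in $SERVICE_PORTS; do
  "$IPTABLES" -A udp_packets -p UDP -s 0/0 --source-port "$port" -j ACCEPT
done

# icmp_packets: echo-request (8) and time-exceeded (11).
"$IPTABLES" -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
"$IPTABLES" -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

# ---- INPUT chain -----------------------------------------------------------
"$IPTABLES" -A INPUT -p tcp -j bad_tcp_packets

# Traffic the host sends to itself over loopback.  As in the tutorial's UTIN
# variant, the LAN and Internet addresses are accepted only on $LO_IFACE, not
# on the LAN interfaces: LAN hosts have to pass the port chains below, which
# is what restricts them to the server's published services.
"$IPTABLES" -A INPUT -p ALL -i "$LO_IFACE" -s "$LO_IP"   -j ACCEPT
"$IPTABLES" -A INPUT -p ALL -i "$LO_IFACE" -s "$LAN_IP1" -j ACCEPT
"$IPTABLES" -A INPUT -p ALL -i "$LO_IFACE" -s "$LAN_IP2" -j ACCEPT
"$IPTABLES" -A INPUT -p ALL -i "$LO_IFACE" -s "$INET_IP" -j ACCEPT

# Packets from anywhere.  NOTE(review): only replies addressed to $INET_IP are
# accepted by connection state here; replies to the server's LAN addresses
# must get through tcp_packets/udp_packets on their own (TCP does, via the
# "allowed" chain; UDP only when the source port is in SERVICE_PORTS).
"$IPTABLES" -A INPUT -p ALL -d "$INET_IP" -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -A INPUT -p TCP  -j tcp_packets
"$IPTABLES" -A INPUT -p UDP  -j udp_packets
"$IPTABLES" -A INPUT -p ICMP -j icmp_packets

# Rate-limited log of whatever falls through to the DROP policy.
"$IPTABLES" -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
  --log-level DEBUG --log-prefix "IPT INPUT packet died: "

# ---- FORWARD chain ---------------------------------------------------------
# NOTE(review): forwarding also needs net.ipv4.ip_forward enabled (sysctl);
# this script does not set it -- confirm it is enabled elsewhere.
"$IPTABLES" -A FORWARD -p tcp -j bad_tcp_packets

# LAN -> anywhere, as posted.  NOTE(review): dport 21 and 110 to *any*
# destination contradicts the stated requirement that LAN users must not
# reach external ftp/pop3, and the per-client NAT exceptions described in the
# mail (ntpdate, a few ports to one IP, full access to one IP) are not
# expressed anywhere in this ruleset yet.
"$IPTABLES" -A FORWARD -p tcp --dport 21  -i "$LAN_IFACE1" -j ACCEPT
"$IPTABLES" -A FORWARD -p tcp --dport 21  -i "$LAN_IFACE2" -j ACCEPT
"$IPTABLES" -A FORWARD -p tcp --dport 80  -i "$LAN_IFACE1" -j ACCEPT
"$IPTABLES" -A FORWARD -p tcp --dport 110 -i "$LAN_IFACE1" -j ACCEPT
"$IPTABLES" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

"$IPTABLES" -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
  --log-level DEBUG --log-prefix "IPT FORWARD packet died: "

# ---- OUTPUT chain ----------------------------------------------------------
"$IPTABLES" -A OUTPUT -p tcp -j bad_tcp_packets

# Allow everything the server itself sends from its own addresses.
# BUG FIX: the posted script used "$LAN_IP", which is never defined.  Under
# /bin/sh it expanded to nothing, iptables rejected that rule, and with the
# OUTPUT policy at DROP the server could not answer ssh (or anything else)
# from its LAN addresses -- the lock-out described in the mail.  Both LAN
# networks are listed explicitly now.
"$IPTABLES" -A OUTPUT -p ALL -s "$LO_IP"   -j ACCEPT
"$IPTABLES" -A OUTPUT -p ALL -s "$LAN_IP1" -j ACCEPT
"$IPTABLES" -A OUTPUT -p ALL -s "$LAN_IP2" -j ACCEPT
"$IPTABLES" -A OUTPUT -p ALL -s "$INET_IP" -j ACCEPT

"$IPTABLES" -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
  --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

# ---- nat table: transparent proxy ------------------------------------------
# Web traffic from either LAN segment is redirected to squid, one rule per
# (port, segment) pair in the same order as the posted script.
# shellcheck disable=SC2086  -- word splitting of PROXY_PORTS is intended
for port in $PROXY_PORTS; do
  for lan_net in "$LAN_IP1" "$LAN_IP2"; do
    "$IPTABLES" -t nat -A PREROUTING -s "$lan_net" -p tcp -m tcp \
      --dport "$port" -j REDIRECT --to-ports "$PROXY_PORT"
  done
done

# Persist the ruleset so "service iptables start" reloads it after a reboot.
# Reached only if every rule above was accepted (set -e).
service iptables save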