iptables firewall --> something got jammed :)
iNN ::
Hi!
As the title already says ... I picked up a firewall bash script somewhere that filters packets with iptables. I adapted it a bit for my needs and ran it. But the problems started right after launching it. (Oh, I ran it on a machine that acts as a router and file server. It has 4 network cards. One for ppp0 (eth0) and three for the internal network (eth1 eth2 eth3), which are in one bridge.) Well, when I ran it, it blocked my whole local network. (LAN --> LOCALHOST).
Whichever way I turn it, i.e. if I set the internal cards as eth3 eth1 eth2, it doesn't work. If I set them as a single one (the bridge, that is), it doesn't work either.
Now the most important part. Of course I expected that I could unload the script and everything would be back to how it was. After restarting the network or the whole machine, I get from
iptables -L
[root@localhost rc0.d]# iptables -L
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
this output; the local network then works, but LAN --> INTERNET does not.
The whole thing seems overly complicated to me. I hope I've written it reasonably clearly. For easier understanding, here is the script as well.
#!/bin/bash
###################
# FIREWALL SCRIPT #
###################
##############
# INTERFACES #
##############
EXTIF=ppp0
# Must be the real name of the bridge device (e.g. br0). If ifconfig cannot
# find it, INTIP/INTNET stay empty and every LAN rule below fails to load.
INTIF=bridge
LPDIF=lo
#########
# TOOLS #
#########
IPT='/sbin/iptables'
IFC='/sbin/ifconfig'
G='/bin/grep'
SED='/bin/sed'
# "echo 1> file" redirects stdout and writes an empty line; the value must be
# separated from the redirection for forwarding to actually be enabled.
echo 1 > /proc/sys/net/ipv4/ip_forward
#############
# VARIABLES #
#############
# External
EXTIP="`$IFC $EXTIF|$G addr:|$SED 's/.*addr:\([^ ]*\) .*/\1/'`"
EXTBC="255.255.255.255"
EXTMSK="`$IFC $EXTIF|$G Mask:|$SED 's/.*Mask:\([^ ]*\)/\1/'`"
EXTNET="$EXTIP/$EXTMSK"
# Internal
INTIP="`$IFC $INTIF|$G addr:|$SED 's/.*addr:\([^ ]*\) .*/\1/'`"
INTBC="`$IFC $INTIF|$G Bcast:|$SED 's/.*Bcast:\([^ ]*\) .*/\1/'`"
INTMSK="`$IFC $INTIF|$G Mask:|$SED 's/.*Mask:\([^ ]*\)/\1/'`"
INTNET="$INTIP/$INTMSK"
# Loopback
LPDIP=127.0.0.1
LPDMSK=255.0.0.0
LPDNET="$LPDIP/$LPDMSK"
# Refuse to load a ruleset with empty addresses: with DROP policies and no
# ACCEPT rules that would lock out every interface at once.
if [ -z "$EXTIP" ] || [ -z "$INTIP" ]; then
    echo "cannot read the addresses of $EXTIF/$INTIF, not loading rules" >&2
    exit 1
fi
#########
# BEGIN #
#########
$IPT -F
$IPT -X
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
###########
# LOGGING #
###########
$IPT -N drop_input 2> /dev/null
$IPT -A drop_input -j LOG --log-prefix 'FW DROP INPUT:'
$IPT -A drop_input -j DROP
$IPT -N drop_output 2> /dev/null
$IPT -A drop_output -j LOG --log-prefix 'FW DROP OUTPUT:'
$IPT -A drop_output -j DROP
$IPT -N drop_forward 2> /dev/null
$IPT -A drop_forward -j LOG --log-prefix 'FW DROP FORWARD:'
$IPT -A drop_forward -j DROP
############
# LOOPBACK #
############
$IPT -A INPUT -i $LPDIF -s $LPDIP -j ACCEPT
$IPT -A INPUT -i $LPDIF -s $EXTIP -j ACCEPT
$IPT -A INPUT -i $LPDIF -s $INTIP -j ACCEPT
$IPT -A OUTPUT -o $LPDIF -s $LPDIP -j ACCEPT
$IPT -A OUTPUT -o $LPDIF -s $EXTIP -j ACCEPT
$IPT -A OUTPUT -o $LPDIF -s $INTIP -j ACCEPT
##########
# BASICS #
##########
# block broadcasts
$IPT -A INPUT -i $EXTIF -d $EXTBC -j drop_input
$IPT -A INPUT -i $INTIF -d $INTBC -j drop_input
$IPT -A OUTPUT -o $EXTIF -d $EXTBC -j drop_output
$IPT -A OUTPUT -o $INTIF -d $INTBC -j drop_output
# drop anything arriving on the external interface that is not addressed to us
# (negation goes before the option: "! -d", not "-d !")
$IPT -A INPUT -i $EXTIF ! -d $EXTIP -j drop_input
# block lan: only the internal network may talk to us on the bridge
$IPT -A INPUT -i $INTIF ! -s $INTNET -j drop_input
$IPT -A OUTPUT -o $INTIF ! -d $INTNET -j drop_output
# egress check
$IPT -A OUTPUT -o $EXTIF ! -s $EXTNET -j drop_output
# block icmp other than echo request going out
$IPT -A OUTPUT -o $EXTIF -p icmp ! --icmp-type 8 -j drop_output
#########################
# INTERNET -> LOCALHOST #
#########################
EXTTCPHOST="http ftp 4662 50000"
EXTUDPHOST="4665 4672"
for i in $EXTTCPHOST;
do
$IPT -A INPUT -i $EXTIF -p tcp -d $EXTIP --dport $i --syn -m state --state NEW -j ACCEPT
done
# the UDP rules must match the destination (our own address), not the source;
# with "-s $EXTIP" they never matched an incoming packet
for i in $EXTUDPHOST;
do
$IPT -A INPUT -i $EXTIF -p udp -d $EXTIP --dport $i -m state --state NEW -j ACCEPT
done
####################
# LAN -> LOCALHOST #
####################
INTTCPHOST="domain time ssh http https ftp ftp-data pop3 smtp 1863 50000 4661 4662 4665"
INTUDPHOST="domain time 4665"
for i in $INTTCPHOST;
do
$IPT -A INPUT -i $INTIF -p tcp -d $INTIP --dport $i --syn -m state --state NEW -j ACCEPT
done
for i in $INTUDPHOST;
do
$IPT -A INPUT -i $INTIF -p udp -d $INTIP --dport $i -m state --state NEW -j ACCEPT
done
#########################
# LOCALHOST -> INTERNET #
#########################
EXTTCPSERV="domain time ssh http https ftp ftp-data pop3 smtp 1863 50000 4661 4662 4665"
EXTUDPSERV="domain time 4665"
for i in $EXTTCPSERV;
do
$IPT -A OUTPUT -o $EXTIF -p tcp -s $EXTIP --dport $i --syn -m state --state NEW -j ACCEPT
done
for i in $EXTUDPSERV;
do
$IPT -A OUTPUT -o $EXTIF -p udp -s $EXTIP --dport $i -m state --state NEW -j ACCEPT
done
# additional port for aMule (replies from LAN peers sent from port 4665)
$IPT -A INPUT -i $INTIF -p udp -d $INTIP --sport 4665 -m state --state NEW -j ACCEPT
####################
# LOCALHOST -> LAN #
####################
INTTCPSERV="domain time ssh http https ftp ftp-data pop3 smtp 1863 50000 4661 4662 4665"
# the original had "466" here, presumably a typo for the aMule port 4665 used everywhere else
INTUDPSERV="domain time 4665"
for i in $INTTCPSERV;
do
$IPT -A OUTPUT -o $INTIF -p tcp -s $INTIP --dport $i --syn -m state --state NEW -j ACCEPT
done
for i in $INTUDPSERV;
do
$IPT -A OUTPUT -o $INTIF -p udp -s $INTIP --dport $i -m state --state NEW -j ACCEPT
done
##############
# ALLOW PING #
##############
$IPT -A INPUT -i $EXTIF -p icmp -d $EXTIP --icmp-type 8 -m state --state NEW -j ACCEPT
$IPT -A INPUT -i $INTIF -p icmp -d $INTIP --icmp-type 8 -m state --state NEW -j ACCEPT
# Allow ping out
$IPT -A OUTPUT -o $EXTIF -p icmp -s $EXTIP --icmp-type 8 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -o $INTIF -p icmp -s $INTIP --icmp-type 8 -m state --state NEW -j ACCEPT
#######
# END #
#######
# Allow existing
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Block and log
$IPT -A INPUT -j drop_input
$IPT -A OUTPUT -j drop_output
$IPT -A FORWARD -j drop_forward
P.S. I know there are no rules for LAN --> INTERNET in the script. I don't know why it still doesn't work after a restart. :(
==
Malkec ::
Try iptables -F and load the original script
/* Xaser 3 * 939 dual sata 2 * Opti165 (ccb1e0608mpmw) @2933 MHZ*/
/*TT 120 * X800 XL *1GB Transcend pc 3200 * MAxtor 160 GB SATA II /
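As an added example, not code from the original post or from any of the replies, here is a minimal start/stop script for the setup described above (ppp0 uplink, LAN bridge) that supplies what the posted script lacks for LAN --> INTERNET: FORWARD rules, MASQUERADE in the nat table, and ip_forward written with the value separated from the redirection. The stop function goes further than the "iptables -F" suggested above: -F only empties the filter table and leaves the chain policies, user-defined chains and the nat/mangle tables as they were, which is why a machine can stay half-firewalled after "unloading". The bridge name br0, the LAN prefix 192.168.1.0/24 and the FW_APPLY switch are assumptions; without FW_APPLY=1 the script only prints the iptables commands it would run, so it can be reviewed without root.

```shell
#!/bin/bash
# Added example, not the forum poster's script. Assumed names: ppp0 uplink,
# br0 LAN bridge, 192.168.1.0/24 LAN, FW_APPLY=1 to really apply the rules.
EXTIF="${EXTIF:-ppp0}"
INTIF="${INTIF:-br0}"
INTNET="${INTNET:-192.168.1.0/24}"

# Dry-run wrapper: print the command unless FW_APPLY=1 (assumed switch).
ipt() {
    if [ "${FW_APPLY:-0}" = "1" ]; then
        /sbin/iptables "$@"
    else
        echo "iptables $*"
    fi
}

# Full reset: "iptables -F" alone leaves policies, user chains and the
# nat/mangle tables untouched, so flush and delete in every table and
# put the built-in policies back to ACCEPT.
fw_reset() {
    for t in filter nat mangle; do
        ipt -t "$t" -F
        ipt -t "$t" -X
    done
    ipt -P INPUT ACCEPT
    ipt -P OUTPUT ACCEPT
    ipt -P FORWARD ACCEPT
}

fw_start() {
    fw_reset
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT        # traffic from the router itself is left open here

    # Router itself: loopback, replies, LAN clients, ping from outside.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -i "$INTIF" -s "$INTNET" -j ACCEPT
    ipt -A INPUT -i "$EXTIF" -p icmp --icmp-type 8 -j ACCEPT
    # Anti-spoofing: LAN addresses never legitimately arrive on the uplink.
    ipt -A INPUT -i "$EXTIF" -s "$INTNET" -j DROP

    # LAN -> INTERNET: the part missing from the posted script. Replies are
    # matched by conntrack; new connections only from the LAN out the uplink.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$INTNET" -j ACCEPT
    ipt -A FORWARD -i "$EXTIF" -s "$INTNET" -j DROP
    ipt -A FORWARD -j LOG --log-prefix 'FW DROP FORWARD:'
    # Source NAT on the dynamic ppp0 address.
    ipt -t nat -A POSTROUTING -o "$EXTIF" -s "$INTNET" -j MASQUERADE

    # Forwarding is off again after every reboot unless persisted in
    # /etc/sysctl.conf; note the space: "echo 1> file" writes an empty line.
    if [ "${FW_APPLY:-0}" = "1" ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
    else
        echo "sysctl -w net.ipv4.ip_forward=1"
    fi
}

fw_status() {
    ipt -L -n -v
    ipt -t nat -L -n -v
}

case "${1:-}" in
    start)  fw_start ;;
    stop)   fw_reset ;;
    status) fw_status ;;
    "")     ;;      # no argument: only define the functions
    *)      echo "usage: $0 {start|stop|status}" >&2 ;;
esac
```

Run it as ./fw.sh start to see the rules it would load, then FW_APPLY=1 ./fw.sh start to apply them; ./fw.sh stop returns all three tables to the empty ACCEPT state shown in the iptables -L output above, which -F on its own does not guarantee.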
]Trix[ ::
This script is a bit extreme...
There are plenty of other, better scripts...
Conscience is what hurts when everything else feels so good.
Gwanaroth ::
Get yourself gShield..
http://muse.linuxmafia.org/gshield/
Lights often keep secret hypnosis..
iNN ::
Hello :)
Thanks, I sorted it out; right now I'm without a firewall, but I'll have a look at that gShield shortly
==