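#!/usr/bin/env bash
# iptables cheat-sheet / snippets (comments translated from Hungarian).
#
# Sections:
#   1. listing the current rule set
#   2. FORWARD rules for a router (DNS, HTTP, ICMP)
#   3. INPUT rules for services running on the firewall itself
#   4. port forwarding with DNAT
#   5. a complete ruleset in iptables-save/iptables-restore format
#   6. option reference, flushing
#   7. a small NAT-gateway script and a "reset everything" script
#
# Note on idiom: `-m state --state ...` still works but is an alias for
# `-m conntrack --ctstate ...` on current kernels; it is kept here because the
# rest of the notes use it.

# ---------------------------------------------------------
# --- 1. listing
# ---------------------------------------------------------
iptables -nvL
# ---
# --- Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
# ---  pkts bytes target prot opt in out source destination
# ---
# --- Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
# ---  pkts bytes target prot opt in out source destination
# ---
# --- Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
# ---  pkts bytes target prot opt in out source destination

iptables -nvL --line-numbers
# ---
# --- Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
# --- num pkts bytes target prot opt in out source     destination
# --- 1   0    0     ACCEPT tcp  --  *  *   10.0.0.85  0.0.0.0/0   tcp dpt:17500 /* Friendly Dropbox */
# --- 2   0    0     REJECT tcp  --  *  *   !10.0.0.85 0.0.0.0/0   tcp dpt:17500 reject-with icmp-port-unreachable
# ---
# --- Chain FORWARD (policy DROP 0 packets, 0 bytes)
# --- num pkts bytes target prot opt in out source destination
# ---
# --- Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
# --- num pkts bytes target prot opt in out source destination

iptables -t nat -L

# ---------------------------------------------------------
# --- 2a. UDP/TCP 53 (DNS) forwarding
# ---------------------------------------------------------
# The original had `-state NEW` (single dash); iptables only accepts `--state`.
CLIENT=192.168.0.0/24
iptables -A FORWARD -s "$CLIENT" -p udp --dport 53 -m state --state NEW -j ACCEPT
iptables -A FORWARD -s "$CLIENT" -p tcp --dport 53 -m state --state NEW -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT

# ---------------------------------------------------------
# --- 2b. TCP 80 (HTTP) forwarding
# ---------------------------------------------------------
# HTTP is TCP; the original snippet matched `-p udp --dport 80`, which never
# matches a web request.
CLIENT=192.168.0.0/24
iptables -A FORWARD -s "$CLIENT" -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT

# ---------------------------------------------------------
# --- 2c. ICMP forwarding (echo-request out, replies back)
# ---------------------------------------------------------
# `--icmp-type echo-request` takes no port; the stray `80` has been dropped.
CLIENT=192.168.0.0/24
iptables -A FORWARD -s "$CLIENT" -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -m state --state RELATED -j ACCEPT

# ---------------------------------------------------------
# --- 3a. TCP 22 (SSH) allowed from the internal and the external network
# ---------------------------------------------------------
# The heading says SSH but the original rules used --dport 80; port 22 matches
# the stated intent. INTDEV/EXTDEV must be set by the caller (see section 7).
iptables -A INPUT -i "$EXTDEV" -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -i "$INTDEV" -p tcp --dport 22 -m state --state NEW -j ACCEPT
#
# iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# ---------------------------------------------------------
# --- 3b. the service runs on the firewall itself
# ---------------------------------------------------------
# --- web server on the firewall: the request terminates on the firewall (INPUT)
iptables -A INPUT -i "$EXTDEV" -p tcp --dport 80 -m state --state NEW -j ACCEPT
# --- sshd on the firewall: same, port 22
iptables -A INPUT -i "$EXTDEV" -p tcp --dport 22 -m state --state NEW -j ACCEPT

# --- 3c. allow SSH by IP and/or MAC address
# A MAC match only sees the last-hop source MAC, so it is meaningful only for
# hosts on the directly attached segment and offers no protection against a
# host on that segment setting its own MAC; treat it as a convenience filter,
# not as authentication.
CLIENT=10.20.30.40
CLIENT_MAC=00:00:00:00:00:00
iptables -A INPUT -s "$CLIENT" -i "$INTDEV" -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -s "$CLIENT" -i "$INTDEV" -p tcp -m tcp --dport ssh -m mac --mac-source "$CLIENT_MAC" -j ACCEPT
# `intranet_input` is a user-defined chain; it must exist (`iptables -N intranet_input`)
# and be jumped to from INPUT before this rule does anything.
iptables -A intranet_input -p tcp -m tcp ! --dport ssh -j ACCEPT

# ---------------------------------------------------------
# --- 4. NAT: port forwarding
# ---------------------------------------------------------
# The option is `--to-destination` (original had a doubled `n`).
# With a FORWARD policy of DROP, DNAT alone is not enough: the translated
# packet (dst 192.168.0.2:80 / 192.168.0.3:25) still needs a matching
# FORWARD ACCEPT rule.
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.2
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -j DNAT --to-destination 192.168.0.3

# ---------------------------------------------------------
# --- 5. complete ruleset in iptables-save format (load with iptables-restore)
# ---------------------------------------------------------
# Fixed from the original: `icmp` needed `-p icmp`, and `-m stste --start`
# is `-m state --state`.
# INPUT policy is DROP and only ICMP, lo and established traffic are accepted:
# there is no SSH rule, so loading this on a remote box ends the session.
# The ruleset assumes eth1 is the LAN side and eth0 the uplink; confirm the
# interface roles before loading it.
iptables-restore <<'EOF'
*nat
:PREROUTING ACCEPT
:INPUT ACCEPT
:OUTPUT ACCEPT
:POSTROUTING ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP
:FORWARD DROP
:OUTPUT ACCEPT
-A INPUT -s 192.168.200.0/24 -i eth0 -p icmp -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.200.0/24 -i eth1 -o eth0 -j ACCEPT
COMMIT
EOF

# ---------------------------------------------------------
# --- 6a. option reference
# ---------------------------------------------------------
# --- --verbose -v            verbose mode
# --- --numeric -n            numeric output of addresses and ports
# --- --list    -L [chain [rulenum]]
#
iptables -vnL

# ---------------------------------------------------------
# --- 6b. flushing
# ---------------------------------------------------------
# --- --flush -F [chain]      Delete all rules in chain or all chains
#
# Set the policy to ACCEPT *before* flushing: once `-F` removes the
# RELATED,ESTABLISHED rule, a DROP policy cuts an existing remote session.
iptables -P INPUT ACCEPT
iptables -F
# --- Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
# ---  pkts bytes target prot opt in out source destination
# ---
# --- Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
# ---  pkts bytes target prot opt in out source destination
# ---
# --- Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
# ---  pkts bytes target prot opt in out source destination

# ---------------------------------------------------------
# --- Internet Control Message Protocol (ICMP)
#
iptables -A INPUT -p icmp -j ACCEPT

# ---------------------------------------------------------
# --- Transmission Control Protocol (TCP)
#
# The first rule accepts every TCP port; the port-22 rule below it is then
# redundant. Keep only the second one when the intent is "SSH only".
iptables -A INPUT -p tcp -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# ---------------------------------------------------------
# --- 7a. NAT gateway script
# ---------------------------------------------------------
#!/bin/bash
# Both interfaces must be filled in; with an empty value the unquoted `-i $INTDEV`
# in the original silently produced a malformed rule.
INTDEV=""
EXTDEV=""
: "${INTDEV:?INTDEV (LAN interface) must be set}"
: "${EXTDEV:?EXTDEV (uplink interface) must be set}"
#
# `command -v` instead of `which`: builtin, portable, fails cleanly when missing.
SYSCTL=$(command -v sysctl) || exit 1
IPTABLES=$(command -v iptables) || exit 1

# default policy: drop everything coming in / through, allow out
"$IPTABLES" -P INPUT DROP
"$IPTABLES" -P FORWARD DROP
"$IPTABLES" -P OUTPUT ACCEPT
# drop all rules
"$IPTABLES" -F
# the nat table has to be flushed separately
"$IPTABLES" -t nat -F
# accept new connections coming from the inside
"$IPTABLES" -A FORWARD -i "$INTDEV" -o "$EXTDEV" -m state --state NEW -j ACCEPT
# accept every packet that belongs to an already established connection
"$IPTABLES" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# masquerade everything that is forwarded out of the uplink
"$IPTABLES" -t nat -A POSTROUTING -o "$EXTDEV" -j MASQUERADE
# enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# alternative way to enable forwarding
"$SYSCTL" -w net.ipv4.ip_forward=1

# ---------------------------------------------------------
# --- 7b. RESET FIREWALL
# ---------------------------------------------------------
#!/bin/bash
SYSCTL=$(command -v sysctl) || exit 1
IPTABLES=$(command -v iptables) || exit 1

# disable forwarding (the original comment said "deactivate" but wrote 1;
# with all policies ACCEPT and no MASQUERADE, leaving forwarding on turns
# the box into an open router)
echo 0 > /proc/sys/net/ipv4/ip_forward
# drop all rules
"$IPTABLES" -F
# the nat table has to be flushed separately
"$IPTABLES" -t nat -F
# restore the default policies (`-P` was missing in the original)
"$IPTABLES" -P INPUT ACCEPT
"$IPTABLES" -P FORWARD ACCEPT
"$IPTABLES" -P OUTPUT ACCEPT

# ---------------------------------------------------------
# --- connection-tracking viewer
# ---------------------------------------------------------
apt-get install iptstate
iptstate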
####