linux | iptables

Veröffentlicht am | Von Kerekes Péter | Keine Kommentare 
iptables -nvL
# ---
# ---Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
# --- pkts bytes target     prot opt in     out     source               destination   
# ---     
# ---Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
# --- pkts bytes target     prot opt in     out     source               destination    
# ---    
# ---Chain OUTPUT (policy ACCEPT 0K packets, 0 bytes)
# --- pkts bytes target     prot opt in     out     source               destination
iptables -nvL --line-numbers
# ---
# --- Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
# --- num   pkts bytes target     prot opt in     out     source               destination         
# --- 1        0     0 ACCEPT     tcp  --  *      *       10.0.0.85            0.0.0.0/0            # --- tcp dpt:17500 /* Friendly Dropbox */
# --- 2        0     0 REJECT     tcp  --  *      *      !10.0.0.85            0.0.0.0/0            # --- tcp dpt:17500 reject-with icmp-port-unreachable
# ---
# --- Chain FORWARD (policy DROP 0 packets, 0 bytes)
# --- num   pkts bytes target     prot opt in     out     source               destination         
# ---
# --- Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
# --- num   pkts bytes target     prot opt in     out     source               destination    


iptables -t nat -L
# ---------------------------------------------------------
# ---    : UDP 53 (DNS) továbbitás
#
CLIENT=192.168.0.0/24
iptables -A FORWARD -s $CLIENT -p udp --dport 53 -m state -state NEW -j ACCEPT
iptables -A FORWARD -s $CLIENT -p tcp --dport 53 -m state -state NEW -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
# ---------------------------------------------------------
# ---------------------------------------------------------
# ---    : UDP 80 (HTTP) továbbitás
#
CLIENT=192.168.0.0/24
iptables -A FORWARD -s $CLIENT -p udp --dport 80 -m state -state NEW -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
# ---------------------------------------------------------
# ---------------------------------------------------------
# ---    : ICMP továbbitás
#
CLIENT=192.168.0.0/24
iptables -A FORWARD -s $CLIENT -p icmp --icmp-type echo-request 80 -m state -state NEW -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -m state --state RELATED -j ACCEPT
# ---------------------------------------------------------
# ---------------------------------------------------------
# ---    : TCP 22 (SSH) engedélyezése belső és külső hálóból
#
iptables -A INPUT -i $EXTDEV -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A INPUT -i $INTDEV -p tcp --dport 80 -m state --state NEW -j ACCEPT
#
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ---------------------------------------------------------
# ---    : Tűzfalon van a szolgaltatas
# --- Ha a tűzfalon van a webserver | tűzfalra érkezik a hiba
iptables -A INPUT -i $EXTDEV -p tcp --dport 80 -m state --state NEW -j ACCEPT
# --- Ha a tűzfalon van a sshd | tűzfalra érkezik a hiba
iptables -A INPUT -i $EXTDEV -p tcp --dport 22 -m state --state NEW -j ACCEPT
# --- MAC/IP alapan engedélyezzük az SSH használatott.
#
CLIENT=10.20.30.40
CLIENT_MAC=00:00:00:00:00:00
iptables -A INPUT -s $CLIENT -i $INTDEV -p tcp -m tcp --dport 22 -m state -state NEW -j ACCEPT
iptables -A INPUT -s $CLIENT -i $INTDEV -p tcp -m tcp --dport ssh -m mac --mac-source $CLIENT_MAC -j ACCEPT
iptables -A intranet_input -p tcp -m tcp ! --dport ssh -j ACCEPT
# ---------------------------------------------------------
# ---    :NAT | port natolása
#
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destinationn 192.168.0.2
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -j DNAT --to-destinationn 192.168.0.3
# ---------------------------------------------------------

# ---------------------------------------------------------
*nat
:PREROUTING ACCEPT
:INPUT ACCEPT
:OUTPUT ACCEPT
:POSTROUTING ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP
:FORWARD DROP
:OUTPUT ACCEPT
-A INPUT -s 192.168.200.0/24 -i eth0 icmp -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m stste --start RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.200.0/24 -i eth1 -o eth0 -j ACCEPT
COMMIT
# ---------------------------------------------------------
# ---    --verbose    -v    verbose mode
# ---    --numeric    -n    numeric output of addresses and ports
# ---    --list    -L [chain [rulenum]]
#
iptables -vnL
# ---------------------------------------------------------
# ---    --flush   -F [chain]          Delete all rules in  chain or all chains
#
iptables -F
iptables -P INPUT ACCEPT
# --- Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
# --- pkts bytes target     prot opt in     out     source               destination
# ---
# --- Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
# ---  pkts bytes target     prot opt in     out     source               destination
# ---
# --- Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
# ---  pkts bytes target     prot opt in     out     source               destination

# ---------------------------------------------------------
# --- Internet Control Message Protocol (ICMP)
#
iptables -A INPUT -p icmp -j ACCEPT
# ---------------------------------------------------------
# --- Transmission Control Protocol (TCP)
#
iptables -A INPUT -p tcp -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# ---------------------------------------------------------
# ---
#
#!/bin/bash
INTDEV=""
EXTDEV=""
#
ECHO=$(which echo)
SYSCTL=$(which sysctl)
IPTABLES=$(which iptables)
# mindent dobunk
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT
# lancok eldobása
$IPTABLES -F
# nat tabla extra törlése
$IPTABLES -t nat -F
# belülről jövő kapcsolatok akceptálása
$IPTABLES -A FORWARD -i $INTDEV -o $EXTDEV -m state --state NEW -j ACCEPT
# binden csomag elfogadás ami már egy létrejött kapcsolathoz tartozik
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# minden továbbitott csomag megjelolese
$IPTABLES -t nat -A POSTROUTING -o $EXTDEV -j MASQUERADE
# aktivaljuk a továbbitast
$ECHO '1' > /proc/sys/net/ipv4/ip_forward
# alternativa aktivaljuk a továbbitast
$SYSCTL -w net.ipv4.ip_forward=1
# ---------------------------------------------------------
# --- RESET FIREVAL
#
#!/bin/bash
ECHO=$(which echo)
SYSCTL=$(which sysctl)
IPTABLES=$(which iptables)
# deaktivaljuk aktivaljuk a továbbitast
$ECHO '1' > /proc/sys/net/ipv4/ip_forward
# szabaj lancok eldobása
$IPTABLES -F
# nat tabla extra törlése
$IPTABLES -t nat -F
# allap ertelmezett police
$IPTABLES INPUT ACCEPT
$IPTABLES FORWARD ACCEPT
$IPTABLES OUTPUT ACCEPT
# ---------------------------------------------------------
apt-get iptstate
iptstate



####

Kategorie: network, security, services, x_library

Schreibe einen Kommentar

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert.