
Iptables


dokumentazioa, hemendik

Iptables adibide bat:

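#!/bin/sh
# Example iptables setup for a small router: the LAN is on eth0, the Internet
# on ppp0 (carried over eth1). Hosts in 192.168.0.0/24 are masqueraded out
# through ppp0.
#
# NOTE(review): every filter policy below stays at ACCEPT, so only the rules
# explicitly added here restrict traffic. The final DROP rules cover TCP/UDP
# ports 1-1024 only; any service listening above 1024 on this box stays
# reachable from ppp0 unless more rules are added.

printf '%s\n' "Iptables erregelak ..."

# Flush all rules, delete user chains and zero the counters in the filter
# table, and flush the nat table, so the script starts from a clean state.
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
###
# Default policies: everything is accepted unless a rule below drops it.
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
###
# Accept everything on the loopback interface.
iptables -A INPUT -i lo -j ACCEPT
###
# Accept input from the internal network, but only when it arrives on eth0
# (a packet claiming a 192.168.0.0/24 source on ppp0 does not match).
iptables -A INPUT -s 192.168.0.0/24 -i eth0 -j ACCEPT
###
# Allow forwarding DNS queries from the LAN (disabled in this example).
#iptables -A FORWARD -s 192.168.0.0/24 -i eth0 -p tcp --dport 53 -j ACCEPT
#iptables -A FORWARD -s 192.168.0.0/24 -i eth0 -p udp --dport 53 -j ACCEPT
###
# Block forwarded web requests (disabled in this example).
#iptables -A FORWARD -p tcp --dport 80 -j DROP
###
# Enable IP forwarding eth0 <--> ppp0 (eth1).
# eth0 is the internal network, ppp0 (over eth1) the external one.
# In this example only 192.168.0.0/24 is masqueraded ...
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o ppp0 -j MASQUERADE
# ... whereas this variant would masquerade any internal network:
#iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
###
## Close external access:
# 0.0.0.0/0 means "any source"; the well-known ports are closed. The LAN
# ACCEPT rule above is matched first, so this only affects other sources.
# (fix: the option is --dport with two dashes; the original "-dport" is
# read by getopt as "-d port", a destination host called "port", so the
# rule never loads and the ports stayed open.)
iptables -A INPUT -s 0.0.0.0/0 -p tcp --dport 1:1024 -j DROP
iptables -A INPUT -s 0.0.0.0/0 -p udp --dport 1:1024 -j DROP
###
printf '%s\n' "amaitu dira: iptables -L -n aginduarekin egiaztatu"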

Adibide honetan, router + proxy konfigurazioa. Interesgarria:

Probatu baino lehen squid.conf fitxategian ondorengo aukera gehitu/aldatu behar da:

http_port 3128 transparent

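#!/bin/sh
# ------------------------------------------------------------------------------------
# See URL: http://www.cyberciti.biz/tips/linux-setup-transparent-proxy-squid-howto.html
# (c) 2006, nixCraft under GNU/GPL v2.0+
# -------------------------------------------------------------------------------------
# Router + transparent Squid proxy. TCP port-80 traffic entering from the LAN
# ($LAN_IN) is DNATed to $SQUID_SERVER:$SQUID_PORT; all other LAN traffic is
# masqueraded out through $INTERNET. Squid must listen in interception mode
# on $SQUID_PORT (this page uses "http_port 3128 transparent"; newer Squid
# releases name that mode "intercept" -- check the version in use).
#
# squid server IP
SQUID_SERVER="192.168.1.1"
# Interface connected to Internet
INTERNET="eth0"
# Interface connected to LAN
LAN_IN="eth1"
# Squid port
SQUID_PORT="3128"
# DO NOT MODIFY BELOW
# Clean old firewall: flush and delete user chains in filter, nat and mangle.
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support.
# NOTE(review): these are the 2.6-era module names; on newer kernels the
# equivalents are nf_conntrack / nf_conntrack_ftp. A failed modprobe here
# only prints an error, it does not stop the script.
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
#modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy.
# FORWARD is now set explicitly: the original never set it, so forwarding
# from the Internet towards the LAN fell through to whatever policy was
# already in place (ACCEPT on a fresh kernel). Return traffic for
# LAN-originated connections is re-allowed below via conntrack.
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Replies to connections this box opened (UDP, DNS, passive FTP data, ...)
iptables -A INPUT -i "$INTERNET" -m state --state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN: LAN-originated forwards go
# out masqueraded, and only their return traffic is forwarded back in.
iptables -t nat -A POSTROUTING -o "$INTERNET" -j MASQUERADE
iptables -A FORWARD -i "$LAN_IN" -j ACCEPT
iptables -A FORWARD -i "$INTERNET" -o "$LAN_IN" -m state --state ESTABLISHED,RELATED -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -i "$LAN_IN" -j ACCEPT
iptables -A OUTPUT -o "$LAN_IN" -j ACCEPT
# DNAT port 80 requests coming from LAN systems to squid 3128 ($SQUID_PORT),
# aka transparent proxy
iptables -t nat -A PREROUTING -i "$LAN_IN" -p tcp --dport 80 -j DNAT --to-destination "$SQUID_SERVER:$SQUID_PORT"
# if it is same system
# NOTE(review): this rule matches packets arriving on the *Internet* interface
# and hands them to Squid. New connections to $SQUID_PORT from $INTERNET are
# still dropped by the INPUT chain (no rule accepts them before the final
# DROP), but any later rule that opens that port would turn Squid into an
# open proxy -- remove this rule unless it is really needed.
iptables -t nat -A PREROUTING -i "$INTERNET" -p tcp --dport 80 -j REDIRECT --to-port "$SQUID_PORT"
# DROP everything and Log it (rate-limited so a packet flood cannot fill
# the system log)
iptables -A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG
iptables -A INPUT -j DROP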

Beste adibide bat: http://freshmeat.net/articles/view/1433/ 
