Polskie Forum Użytkowników Debiana

Kod: Zaznacz cały

#!/bin/sh
echo -e "\n\nSETTING UP IPTABLES FIREWALL..."
UNIVERSE="0.0.0.0/0"

LOIF="lo"
LOIP="127.0.0.1"

INTIF="eth0"
EXTIF="eth1"

INTNET="10.0.0.0/24"
INTIP="10.0.0.1/24"

EXTIP="xxx.xxx.xxx.xxx"
EXT_BROADCAST="xxx.xxx.xxx.xxx"
echo "Loading required stateful/NAT kernel modules..."

/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state
#
/sbin/modprobe ipt_owner
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_nat_irc
echo "    Enabling IP forwarding..."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "    External interface: $EXTIF"
echo "       External interface IP address is: $EXTIP"
echo "    Loading firewall server rules..."
iptables -P INPUT DROP
iptables -F INPUT
#iptables -A INPUT -m mac --mac-source 00:19 :D 2:80:39:8B -j ACCEPT
iptables -P OUTPUT DROP
iptables -F OUTPUT
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -t nat -F
###
# allow vpn client
iptables -I INPUT -p udp --dport 500 -j ACCEPT
iptables -I OUTPUT -p udp --sport 500 -m state --state ESTABLISHED -j ACCEPT
iptables -I INPUT -p udp --dport 10000 -j ACCEPT
iptables -I OUTPUT -p udp --sport 10000 -m state --state ESTABLISHED -j ACCEPT
#ESP/AH Stuff
iptables -A INPUT -p 50 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p 50 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p 50 -mstate --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p 50 -mstate --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p 51 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p 51 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p 51 -mstate --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p 51 -mstate --state ESTABLISHED -j ACCEPT
###
#delete previous user chains
iptables -X
#reset counters
iptables -Z
#crate user chains
iptables -N bad_tcp_packets

iptables -N allowed
iptables -N tcp_packets
iptables -N udp_packets
iptables -N icmp_packets

#
#bad_tcp_packets chain rules
#

iptables -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \
-m state --state NEW -j REJECT --reject-with tcp-reset
iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "New not syn:"
iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

#
# allowed chain
#

iptables -A allowed -p TCP --syn -j ACCEPT
iptables -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A allowed -p TCP -j DROP

#
# TCP rules
#

iptables -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed #FTP
iptables -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed #SSH
iptables -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed #HTTP
iptables -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed #IDENTD
iptables -A tcp_packets -p TCP -s 0/0 --dport 9050 -j allowed #Radio Horyzont
iptables -A tcp_packets -p TCP -s 0/0 --dport 3350 -j allowed #RDP
iptables -A tcp_packets -p TCP -s 0/0 --dport 1723 -j allowed #VPN
#
###################################################################
iptables -A INPUT -p TCP -s 0/0 --dport 1723 -j allowed
iptables -A FORWARD -p TCP -s 0/0 --dport 1723 -j allowed
iptables -A OUTPUT -p TCP -s 0/0 --dport 1723 -j allowed
iptables -A INPUT -i eth0 -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -i eth0 -p gre -j ACCEPT
#
iptables -A INPUT -i eth1 -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -i eth1 -p gre -j ACCEPT
#
iptables -A FORWARD -p 47 -m state --state NEW -i eth0 -o eth1 -j ACCEPT
iptables -A FORWARD -p tcp -m state --state NEW --dport 1723 -i eth0 -o eth1 -j ACCEPT
#
iptables -A FORWARD -i eth0 -o eth1 -m state --state NEW -p gre -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state NEW -p gre -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#
iptables -t nat -A PREROUTING -d $EXTIP -p gre -j DNAT --to $10.0.0.1
#

####################################################################
#
# UDP rules
#

#iptables -A udp_packets -p UDP -s 0/0 --destination-port 53 -j ACCEPT
#iptables -A udp_packets -p UDP -s 0/0 --destination-port 123 -j ACCEPT
#iptables -A udp_packets -p UDP -s 0/0 --destination-port 2074 -j ACCEPT
#iptables -A udp_packets -p UDP -s 0/0 --destination-port 4000 -j ACCEPT
iptables -A udp_packets -p UDP -s 0/0 --destination-port 1723 -j allowed

#filter broadcast
#iptables -A udp_packets -p UDP -i $INET_IFACE -d $EXT_BROADCAST \
#--destination-port 135:139 -j DROP

#
# ICMP rules
#

iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

#
# INPUT rules
#

#
# Bad TCP packets we don't want.
#

iptables -A INPUT -p tcp -j bad_tcp_packets

#
# Rules for special networks not part of the Internet
#

iptables -A INPUT -p ALL -i $INTIF -s $INTNET -j ACCEPT
iptables -A INPUT -p ALL -i $LOIF -s $LOIP -j ACCEPT
iptables -A INPUT -p ALL -i $LOIF -s $INTIP -j ACCEPT
iptables -A INPUT -p ALL -i $LOIF -s $EXTIP -j ACCEPT

#
# Special rule for DHCP requests from LAN, which are not caught properly
# otherwise.
#

iptables  -A INPUT -p UDP -i $INTNET --dport 67 --sport 68 -j ACCEPT

#
# Rules for incoming packets from the internet.
#

iptables -A INPUT -p ALL -d $EXTIP -m state --state ESTABLISHED,RELATED \
-j ACCEPT
iptables -A INPUT -p TCP -i $EXTIF -j tcp_packets
iptables -A INPUT -p UDP -i $EXTIF -j udp_packets
iptables -A INPUT -p ICMP -i $EXTIF -j icmp_packets

#
# If you have a Microsoft Network on the outside of your firewall, you may
# also get flooded by Multicasts. We drop them so we do not get flooded by
# logs
#

#iptables -A INPUT -i $INET_IFACE -d 224.0.0.0/8 -j DROP

#
# Log weird packets that don't match the above.
#

iptables -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT INPUT packet died: "

#
#FORWARD chain
#

#
# Bad TCP packets we don't want
#

iptables -A FORWARD -p tcp -j bad_tcp_packets

#
# Accept the packets we actually want to forward
#

iptables -A FORWARD -i $INTIF -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# Log weird packets that don't match the above.
#

iptables -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

#
# Enable simple IP Forwarding and Network Address Translation
#

iptables -t nat -A POSTROUTING -o $EXTIF -j SNAT --to-source $EXTIP

echo -e "    Firewall server rule loading complete\n\n"

Kod: Zaznacz cały

iptables -t nat -A PREROUTING -i <Public-IFace> -p gre -d <VPN-Public-IP> -j DNAT --to-destination <VPN-DMZ-IP>
iptables -t nat -A PREROUTING -i <Public-IFace> -p tcp --sport 1024:65535 -d <VPN-Public-IP> --dport 1723 -j DNAT --to-destination <VPN-DMZ-IP>