snat und dnat auf einem Host (Anhang)
Sven Broeckling
sven at broeckling.de
Tue Apr 15 12:12:02 CEST 2003
argh, natuerlich den Anhang vergessen :(
[...]
-------------- next part --------------
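#!/bin/bash
#
# iptables.rules
# sets up iptables for ford (bastion)
#
# Has to run as root: it loads kernel modules, writes /proc/sys knobs and
# programs the netfilter tables.  Everything below is plain sequential
# configuration; there are no functions.
#
# ---------------------------------------------------------------------
# kernel modules used
# ---------------------------------------------------------------------
modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp   # makes ftp data connections show up as RELATED
modprobe ipt_state
modprobe iptable_nat
modprobe ipt_LOG
#modprobe ipt_MASQUERADE    # not needed, we SNAT to a fixed address
# iptables binary and stuff
IPTABLES="/sbin/iptables" # iptables control program
# ---------------------------------------------------------------------
# interfaces, hosts and networks
# ---------------------------------------------------------------------
# interfaces
INT_IF="eth1" # internal interface
EXT_IF="eth0" # external interface
# networks
ANY="0.0.0.0/0" # any network (e.g. "internet")
# NOTE(review): this used to be 192.168.0.0/14, which also covers the
# public ranges 192.169.0.0 - 192.171.255.255.  RFC 1918 space is only
# 192.168.0.0/16 and every internal host below sits in 192.168.0.0/24,
# so a /16 is what was meant; with the /14 packets from those public
# ranges would have been SNATed as "internal" and excluded from DNAT.
INTRA_NET="192.168.0.0/16" # internal network
OFF_NET="195.133.193.0/26" # official network
# hosts
IME=192.168.0.5 # my internal ip
OME=195.133.193.2 # my official ip
CISCO=195.133.193.1 # the cisco router
IWWW=192.168.0.20 # internal address for paladin
OWWW=195.133.193.3 # official address for paladin
IWEBH=192.168.0.41 # internal address for webh (original comment said "paladin" - TODO confirm)
OWEBH=195.133.193.5 # official address for webh (original comment said "paladin" - TODO confirm)
IPROX=192.168.0.34 # internal address for prox
OPROX=195.133.193.6 # official address for prox
# ---------------------------------------------------------------------
# start from a clean, *closed* state
# ---------------------------------------------------------------------
# Set the default policies to DROP before flushing: a flush keeps the
# policy, so flushing first would leave the host with empty chains and
# whatever policy was active (possibly ACCEPT) until all rules below are
# loaded again.  Existing connections survive (conntrack state is kept).
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -F # flush tables
$IPTABLES -F -t nat
$IPTABLES -X # remove user tables
$IPTABLES -Z # clear packet/byte counters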
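# ---------------------------------------------------------------------
# ---------------------------------------------------------------------
# the kernel config stuff
# ---------------------------------------------------------------------
# ---------------------------------------------------------------------
# Answer ordinary (unicast) ping so the box can be reachability-checked.
/bin/echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all
# Do NOT answer echo requests sent to a broadcast address.  A host that
# does can be used as a smurf amplifier against third parties; the
# original had this at "0" ("enable response to broadcasts"), which is
# the wrong setting for a bastion.
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Don't accept source routed packets.
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
# Disable ICMP redirect acceptance on every interface (incl. all/default).
for knob in /proc/sys/net/ipv4/conf/*/accept_redirects; do
  /bin/echo "0" > "$knob"
done
# Enable bad error message protection.
/bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Turn on reverse path filtering on every interface: a packet whose
# source address would not be routed back out of the interface it came
# in on is discarded.  This kills most IP spoofing, but breaks asymmetric
# routing and multi-homed non-routing hosts - neither applies here.
### pasted from sns.ias.edu
for knob in /proc/sys/net/ipv4/conf/*/rp_filter; do
  /bin/echo "1" > "$knob"
done
# Log spoofed packets, source routed packets, redirect packets.
/bin/echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
# finally, make sure that we forward - but only after the FORWARD policy
# is DROP, so turning forwarding on never opens a window in which the
# box routes everything.
$IPTABLES -P FORWARD DROP
/bin/echo "1" > /proc/sys/net/ipv4/ip_forward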
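# ---------------------------------------------------------------------
# ---------------------------------------------------------------------
# the rules...
# ---------------------------------------------------------------------
# ---------------------------------------------------------------------
# Syntax note: negation is written in front of the option ("! -i eth0",
# "! -s net"); current iptables rejects the older "-i ! eth0" spelling.
# ---------------------------------------------------------------------
# block and log every new connection from outside
# ---------------------------------------------------------------------
$IPTABLES -N block
# replies/continuations of known connections (incl. ftp data, see
# ip_conntrack_ftp) are always fine
$IPTABLES -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
# new connections are allowed from every interface except the external one
$IPTABLES -A block -m state --state NEW ! -i "$EXT_IF" -j ACCEPT
# NOTE(review): this accepts every ICMP type from anywhere (and, through
# FORWARD, towards the DNATed hosts).  Consider narrowing it to
# echo-request plus the error types needed for path-MTU discovery.
$IPTABLES -A block -p icmp -j ACCEPT
# rate-limit the log rule (the same way checknmap does): an unlimited
# LOG at level 1 lets anyone fill the syslog just by sending junk at us
$IPTABLES -A block -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "blocked (final rule): "
$IPTABLES -A block -j DROP
# ---------------------------------------------------------------------
# Check nmap xmas tree scan
# ---------------------------------------------------------------------
# FIN+URG+PSH with nothing else set never occurs in legitimate TCP
$IPTABLES -N checknmap
$IPTABLES -A checknmap -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix "blocked (NMAP): "
$IPTABLES -A checknmap -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
# ---------------------------------------------------------------------
# prevent runaway smb/nmb connections
# ---------------------------------------------------------------------
# NetBIOS/SMB (137-139) coming from the internal side is dropped so it
# never leaks out; uncomment the LOG lines to see who is chatting
$IPTABLES -N smbblock
#$IPTABLES -A smbblock -p tcp --dport 137:139 -i "$INT_IF" -j LOG --log-level 1 --log-prefix "got ya bill (smb tcp): "
#$IPTABLES -A smbblock -p udp --dport 137:139 -i "$INT_IF" -j LOG --log-level 1 --log-prefix "got ya bill (smb udp): "
$IPTABLES -A smbblock -p tcp --dport 137:139 -i "$INT_IF" -j DROP
$IPTABLES -A smbblock -p udp --dport 137:139 -i "$INT_IF" -j DROP
# ---------------------------------------------------------------------
# accept forwarding connections
# ---------------------------------------------------------------------
# Traffic from outside that PREROUTING has already DNATed onto one of the
# published hosts.  NOTE(review): there is no protocol/port restriction,
# so *anything* sent to an official address reaches the internal host;
# narrow these to the services actually offered (e.g. -p tcp --dport 80
# for the web hosts) once those are confirmed.
$IPTABLES -N acceptfw
$IPTABLES -A acceptfw -i "$EXT_IF" -d "$IWWW" -j ACCEPT
$IPTABLES -A acceptfw -i "$EXT_IF" -d "$IWEBH" -j ACCEPT
$IPTABLES -A acceptfw -i "$EXT_IF" -d "$IPROX" -j ACCEPT
# ---------------------------------------------------------------------
# connections to me
# ---------------------------------------------------------------------
$IPTABLES -P INPUT DROP
$IPTABLES -A INPUT -i lo -j ACCEPT # accept everything at iface lo
$IPTABLES -A INPUT -j checknmap # check for nmap xmas tree scan
$IPTABLES -A INPUT -j smbblock # dont let smb packets flee
$IPTABLES -A INPUT -j block # jump to final block chain
# ---------------------------------------------------------------------
# forwarding connections
# ---------------------------------------------------------------------
$IPTABLES -P FORWARD DROP
$IPTABLES -A FORWARD -j checknmap # xmas scans aimed at the DNATed hosts (was INPUT-only before)
$IPTABLES -A FORWARD -j smbblock # dont let smb packets flee
$IPTABLES -A FORWARD -j acceptfw # accept forwarding connections
$IPTABLES -A FORWARD -j block # jump to final blocking chain
# ---------------------------------------------------------------------
# postrouting masquerading (snat)
# ---------------------------------------------------------------------
# everything from the internal net leaving the external interface gets
# our official address as source (fixed SNAT, hence no MASQUERADE)
#$IPTABLES -A POSTROUTING -t nat -s "$INTRA_NET" -d "$ANY" -j MASQUERADE
$IPTABLES -A POSTROUTING -t nat -o "$EXT_IF" -s "$INTRA_NET" -j SNAT --to "$OME"
#$IPTABLES -A POSTROUTING -t nat -o "$INT_IF" ! -s "$INTRA_NET" -j SNAT --to "$IME"
# map the official addresses onto the internal hosts for every source
# that is not the internal net itself
$IPTABLES -A PREROUTING -t nat -d "$OWWW" ! -s "$INTRA_NET" -j DNAT --to-destination "$IWWW"
$IPTABLES -A PREROUTING -t nat -d "$OWEBH" ! -s "$INTRA_NET" -j DNAT --to-destination "$IWEBH"
$IPTABLES -A PREROUTING -t nat -d "$OPROX" ! -s "$INTRA_NET" -j DNAT --to-destination "$IPROX"
# ---------------------------------------------------------------------
# outgoing connections
# ---------------------------------------------------------------------
# the bastion itself may talk to anyone
$IPTABLES -P OUTPUT ACCEPT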