12.06.2010 IPTables Gentoo

Ковыряясь в Интернете, нашёл очень прикольный скрипт для IPTables в стиле Gentoo-Way — спешу поделиться им с вами. Что непонятно — спрашивайте.

комментарии позже, т.к. уезжаю на рыбалку))

Скрипт под катом...

Сначала удаляем из дефолтного ранлевела штатный скрипт iptables, а новый скрипт правим под себя (адреса, интерфейсы, сети в шапке скрипта)...

# rc-update del iptables


Потом кладём новый скрипт в /etc/init.d/new_iptables, делаем его исполняемым (chmod +x) и добавляем в дефолтный ранлевел:

# rc-update add new_iptables default


#!/sbin/runscript
# Stateful iptables firewall packaged as an OpenRC service (old runscript
# style).  Adjust every address and interface below to the local site
# before enabling the service.

# Binaries, and the file written by `save` / read by `restore`.
IPTABLES="/sbin/iptables"
IPTABLESSAVE="/sbin/iptables-save"
IPTABLESRESTORE="/sbin/iptables-restore"
FIREWALL="/etc/firewall.rules"

# Inside (LAN-facing) side.
IINTERFACE="eth0"
IIP="10.19.2.10"
LOCAL_NETWORK="10.19.2.0/24"

# Outside side.
OINTERFACE="eth1"
OIP="172.16.0.9"

# The only resolvers this host is allowed to query (see allow-dns-traffic-out).
DNS1="195.5.39.5"
DNS2="195.5.39.9"
# Extra actions callable as `/etc/init.d/<name> <action>` on top of the
# built-in start/stop/restart.  "rules" is exposed so an operator can rebuild
# the ruleset from this file without touching the saved copy.
opts="${opts} showstatus panic save"
opts="${opts} restore showoptions rules"

# Service dependencies.  "procparam" is presumably a local service that sets
# /proc sysctls (e.g. ip_forward) -- confirm it exists on the target box, or
# this dependency cannot be satisfied.
depend() {
  need net
  need procparam
}

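# Fail closed: the DROP policies are set *before* the tables are flushed, so
# the host is never momentarily open.  (The original called stop() here,
# which puts every policy at ACCEPT until the DROP policies land.)  As
# before, existing sessions -- including the admin's ssh -- are cut until
# allowed-connection is attached at the end of rules().
_fw_reset() {
  einfo "Setting default rule to drop"
  $IPTABLES -P FORWARD DROP
  $IPTABLES -P INPUT   DROP
  $IPTABLES -P OUTPUT  DROP
  $IPTABLES -F
  $IPTABLES -t nat -F
  $IPTABLES -X
}

# Terminal chains shared by INPUT/FORWARD/OUTPUT: the stateful
# accept-or-logged-drop chain and the ICMP filter.
_fw_state_chains() {
  einfo "Creating states chain"
  $IPTABLES -N allowed-connection
  $IPTABLES -F allowed-connection
  $IPTABLES -A allowed-connection -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Only packets arriving on the inside interface are logged (default
  # -m limit rate); anything from the outside falls to the silent DROP.
  $IPTABLES -A allowed-connection -i $IINTERFACE -m limit -j LOG --log-prefix "Bad packet from ${IINTERFACE}:"
  $IPTABLES -A allowed-connection -j DROP

  einfo "Creating icmp chain"
  $IPTABLES -N icmp_allowed
  $IPTABLES -F icmp_allowed
  # 4 source-quench, 12 parameter-problem, 3 destination-unreachable,
  # 11 time-exceeded, 8 echo-request, 0 echo-reply.  Echo-request is accepted
  # on every interface with no rate limit; this chain is consulted before
  # anything else, so the host answers ping from the outside as well.
  local icmp_type
  for icmp_type in 4 12 3 11 8 0; do
    $IPTABLES -A icmp_allowed -p icmp --icmp-type $icmp_type -j ACCEPT
  done
  $IPTABLES -A icmp_allowed -p icmp -j LOG --log-prefix "Bad ICMP traffic:"
  $IPTABLES -A icmp_allowed -p icmp -j DROP
}

# Per-service inbound chains.  The RST/FIN/SYN rules are rate limited; once a
# limit is exceeded the packet falls through to allowed-connection, where it
# is logged (inside interface only) and dropped.
_fw_inbound_chains() {
  local flags net

  einfo "Creating incoming ssh traffic chain"
  $IPTABLES -N allow-ssh-traffic-in
  $IPTABLES -F allow-ssh-traffic-in
  # ssh is reachable from every interface, at most 1 new connection/second.
  for flags in RST FIN SYN; do
    $IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp --tcp-flags ALL $flags --dport ssh -j ACCEPT
  done
  $IPTABLES -A allow-ssh-traffic-in -m state --state RELATED,ESTABLISHED -p tcp --dport ssh -j ACCEPT

  einfo "Creating incoming http traffic chain"
  $IPTABLES -N allow-www-traffic-in
  $IPTABLES -F allow-www-traffic-in
  for flags in RST FIN SYN; do
    $IPTABLES -A allow-www-traffic-in -m limit --limit 1/second -p tcp --tcp-flags ALL $flags --dport www -j ACCEPT
  done
  $IPTABLES -A allow-www-traffic-in -m state --state RELATED,ESTABLISHED -p tcp --dport www -j ACCEPT

  einfo "Creating incoming ftp traffic chain"
  $IPTABLES -N allow-ftp-traffic-in
  $IPTABLES -F allow-ftp-traffic-in
  # Active-mode FTP data: the server connects back *from* port 20 (ftp-data)
  # *to* an unprivileged port on this host.  The original accepted any SYN
  # whose *source* port was ftp or 1024-65365 with no destination-port match
  # at all, i.e. every host on these two networks could open a connection to
  # every TCP port here simply by using a high source port -- which is what
  # nearly every client does -- making the ssh/www chains above irrelevant
  # for the LAN.  It also misspelt the upper bound (65365 for 65535).  With
  # nf_conntrack_ftp loaded the data connection is RELATED and accepted by
  # allowed-connection anyway; these are the explicit fallback rules.
  # NOTE(review): if this host is meant to *serve* FTP too, add an explicit
  # `--dport ftp` rule -- the original never had one.
  for net in $LOCAL_NETWORK 172.16.0.0/24; do
    for flags in RST FIN SYN; do
      $IPTABLES -A allow-ftp-traffic-in -m limit --limit 5/second -p tcp --tcp-flags ALL $flags -s $net --sport ftp-data --dport 1024:65535 -j ACCEPT
    done
    $IPTABLES -A allow-ftp-traffic-in -m state --state RELATED,ESTABLISHED -p tcp -s $net --sport ftp-data --dport 1024:65535 -j ACCEPT
  done
  # Music stream on TCP 8020, from anywhere (kept in this chain as before).
  for flags in RST FIN SYN; do
    $IPTABLES -A allow-ftp-traffic-in -m limit --limit 1/second -p tcp --tcp-flags ALL $flags --dport 8020 -j ACCEPT
  done
  $IPTABLES -A allow-ftp-traffic-in -m state --state RELATED,ESTABLISHED -p tcp -m tcp --dport 8020 -j ACCEPT

  einfo "Creating incoming smb traffic chain"
  $IPTABLES -N allow-smb-traffic-in
  $IPTABLES -F allow-smb-traffic-in
  # NOTE(review): 10.19.20.0/24 is not LOCAL_NETWORK (10.19.2.0/24) -- confirm
  # this is a deliberate second network and not a typo.
  $IPTABLES -A allow-smb-traffic-in -p tcp --tcp-flags ALL SYN -s 10.19.20.0/24 --dport netbios-ssn -j ACCEPT
  $IPTABLES -A allow-smb-traffic-in -m state --state RELATED,ESTABLISHED -p tcp -s 10.19.20.0/24 --dport netbios-ssn -j ACCEPT
  $IPTABLES -A allow-smb-traffic-in -p udp -s 10.19.20.0/24 --dport netbios-ns -j ACCEPT
  $IPTABLES -A allow-smb-traffic-in -p udp -s 10.19.20.0/24 --dport netbios-dgm -j ACCEPT
  # Direct-hosted SMB (microsoft-ds) runs over TCP 445.  The original opened
  # *UDP* 445, which SMB clients never use, and left TCP 445 to be dropped.
  $IPTABLES -A allow-smb-traffic-in -p tcp --tcp-flags ALL SYN -s 10.19.20.0/24 --dport 445 -j ACCEPT
  $IPTABLES -A allow-smb-traffic-in -m state --state RELATED,ESTABLISHED -p tcp -s 10.19.20.0/24 --dport 445 -j ACCEPT

  einfo "Creating incoming ntp traffic chain"
  $IPTABLES -N allow-time-traffic-in
  $IPTABLES -F allow-time-traffic-in
  # Unrestricted: any host may query this machine's NTP port.  Replies to our
  # own queries are ESTABLISHED and need no rule, so keep this only if the
  # host actually serves time (unchanged from the original).
  $IPTABLES -A allow-time-traffic-in -p udp --dport ntp -j ACCEPT
}

# Per-destination-port outbound chains: what this host itself may originate.
_fw_outbound_chains() {
  einfo "Creating outgoing ssh traffic chain"
  $IPTABLES -N allow-ssh-traffic-out
  $IPTABLES -F allow-ssh-traffic-out
  $IPTABLES -A allow-ssh-traffic-out -p tcp --dport ssh -j ACCEPT

  einfo "Creating outgoing dns traffic chain"
  $IPTABLES -N allow-dns-traffic-out
  $IPTABLES -F allow-dns-traffic-out
  # UDP only, and only to the two configured resolvers; TCP fallback for
  # large answers is deliberately not opened (as in the original).
  local resolver
  for resolver in $DNS1 $DNS2; do
    $IPTABLES -A allow-dns-traffic-out -p udp -d $resolver --dport domain -j ACCEPT
  done

  einfo "Creating outgoing http/https traffic chain"
  $IPTABLES -N allow-www-traffic-out
  $IPTABLES -F allow-www-traffic-out
  $IPTABLES -A allow-www-traffic-out -p tcp --dport www -j ACCEPT
  $IPTABLES -A allow-www-traffic-out -p tcp --dport https -j ACCEPT

  einfo "Creating outgoing mail traffic chain"
  $IPTABLES -N allow-mail-traffic-out
  $IPTABLES -F allow-mail-traffic-out
  $IPTABLES -A allow-mail-traffic-out -p tcp --dport smtp  -j ACCEPT
  $IPTABLES -A allow-mail-traffic-out -p tcp --dport pop3  -j ACCEPT
  $IPTABLES -A allow-mail-traffic-out -p tcp --dport imap2 -j ACCEPT

  einfo "Creating outgoing ftp traffic chain"
  $IPTABLES -N allow-ftp-traffic-out
  $IPTABLES -F allow-ftp-traffic-out
  # Passive-mode data goes to an arbitrary unprivileged port on the server,
  # so this is effectively "any high TCP port, anywhere".  Upper bound
  # corrected from the original's 65365.
  $IPTABLES -A allow-ftp-traffic-out -p tcp --dport 1024:65535 -j ACCEPT
  $IPTABLES -A allow-ftp-traffic-out -p tcp --dport ftp -j ACCEPT
  $IPTABLES -A allow-ftp-traffic-out -p tcp --dport ftp-data -j ACCEPT

  einfo "Creating outgoing smb traffic chain"
  $IPTABLES -N allow-smb-traffic-out
  $IPTABLES -F allow-smb-traffic-out
  $IPTABLES -A allow-smb-traffic-out -p tcp --dport netbios-ssn -j ACCEPT
  $IPTABLES -A allow-smb-traffic-out -p udp --dport netbios-ns  -j ACCEPT
  $IPTABLES -A allow-smb-traffic-out -p udp --dport netbios-dgm -j ACCEPT
  $IPTABLES -A allow-smb-traffic-out -p tcp --dport 445 -j ACCEPT

  einfo "Creating outgoing krab/terminal traffic chain"
  $IPTABLES -N allow-krab-term-traffic-out
  $IPTABLES -F allow-krab-term-traffic-out
  $IPTABLES -A allow-krab-term-traffic-out -p tcp --dport 3050 -j ACCEPT
  $IPTABLES -A allow-krab-term-traffic-out -p tcp --dport 3389 -j ACCEPT

  einfo "Creating outgoing ntp traffic chain"
  $IPTABLES -N allow-time-traffic-out
  $IPTABLES -F allow-time-traffic-out
  # The original appended this rule twice.
  $IPTABLES -A allow-time-traffic-out -p udp --dport ntp -j ACCEPT
}

# Append a log-then-drop pair to check-flags.
# $1 = flag mask, $2 = flags that must be set, $3 = syslog level, $4 = log prefix
_fw_flag_trap() {
  $IPTABLES -A check-flags -p tcp --tcp-flags "$1" "$2" -m limit --limit 5/minute -j LOG --log-level "$3" --log-prefix "$4"
  $IPTABLES -A check-flags -p tcp --tcp-flags "$1" "$2" -j DROP
}

# Log (rate limited) and drop impossible TCP flag combinations used by
# scanners.  Log levels are kept exactly as in the original.
_fw_scan_chain() {
  einfo "Creating portscan detection chain"
  $IPTABLES -N check-flags
  $IPTABLES -F check-flags
  _fw_flag_trap ALL     FIN,URG,PSH         alert "NMAP-XMAS:"
  _fw_flag_trap ALL     ALL                 1     "XMAS:"
  _fw_flag_trap ALL     SYN,RST,ACK,FIN,URG 1     "XMAS-PSH:"
  _fw_flag_trap ALL     NONE                1     "NULL_SCAN:"
  _fw_flag_trap SYN,RST SYN,RST             5     "SYN/RST:"
  _fw_flag_trap SYN,FIN SYN,FIN             5     "SYN/FIN:"
}

# Attach the user chains to the built-in chains.  Order matters: INVALID is
# dropped first; icmp_allowed then decides every ICMP packet (it accepts or
# drops, never returns); check-flags drops bogus flag combinations and
# returns; loopback is accepted; the per-service chains run; and finally
# allowed-connection accepts established traffic and drops the rest.
_fw_apply() {
  einfo "Applying chains to INPUT"
  $IPTABLES -A INPUT -m state --state INVALID -j DROP
  $IPTABLES -A INPUT -j icmp_allowed
  $IPTABLES -A INPUT -j check-flags
  $IPTABLES -A INPUT -i lo -j ACCEPT
  $IPTABLES -A INPUT -j allow-ssh-traffic-in
  $IPTABLES -A INPUT -j allow-www-traffic-in
  $IPTABLES -A INPUT -j allow-ftp-traffic-in
  $IPTABLES -A INPUT -j allow-smb-traffic-in
  $IPTABLES -A INPUT -j allow-time-traffic-in
  $IPTABLES -A INPUT -j allowed-connection

  einfo "Applying chains to FORWARD"
  $IPTABLES -A FORWARD -m state --state INVALID -j DROP
  $IPTABLES -A FORWARD -j icmp_allowed
  $IPTABLES -A FORWARD -j check-flags
  $IPTABLES -A FORWARD -o lo -j ACCEPT
  # No per-service chain is attached here (the original had them commented
  # out), so only ESTABLISHED,RELATED traffic is ever forwarded: this host
  # does not pass new connections between its interfaces.
  $IPTABLES -A FORWARD -j allowed-connection

  einfo "Applying chains to OUTPUT"
  $IPTABLES -A OUTPUT -m state --state INVALID -j DROP
  $IPTABLES -A OUTPUT -j icmp_allowed
  $IPTABLES -A OUTPUT -j check-flags
  $IPTABLES -A OUTPUT -o lo -j ACCEPT
  $IPTABLES -A OUTPUT -j allow-ssh-traffic-out
  $IPTABLES -A OUTPUT -j allow-dns-traffic-out
  $IPTABLES -A OUTPUT -j allow-www-traffic-out
  $IPTABLES -A OUTPUT -j allow-mail-traffic-out
  $IPTABLES -A OUTPUT -j allow-ftp-traffic-out
  $IPTABLES -A OUTPUT -j allow-smb-traffic-out
  $IPTABLES -A OUTPUT -j allow-krab-term-traffic-out
  $IPTABLES -A OUTPUT -j allow-time-traffic-out
  $IPTABLES -A OUTPUT -j allowed-connection

  # NOTE(review): masquerading is applied on the *inside* interface
  # ($IINTERFACE).  A gateway normally masquerades on the outside interface
  # ($OINTERFACE), and with the FORWARD chain above admitting no new flows
  # this NAT rule never translates a new connection anyway.  Left exactly as
  # in the original -- confirm the intent before relying on it.
  $IPTABLES -t nat -A POSTROUTING -o $IINTERFACE -j MASQUERADE
}

# opts entry point: rebuild the whole ruleset from this file, ignoring
# ${FIREWALL}.  Run `save` afterwards if the result should survive a reboot.
rules() {
  ebegin "Setting internal rules"
  _fw_reset
  _fw_state_chains
  _fw_inbound_chains
  _fw_outbound_chains
  _fw_scan_chain
  _fw_apply
  eend $?
}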

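# Service start: load the saved ruleset if there is a usable one, otherwise
# build the ruleset from this file.
# The original tested only `-e`, so an empty or truncated save (e.g. from an
# interrupted iptables-save) was "restored" as an empty ruleset and the
# kernel's default ACCEPT policies stayed in force after boot.  Require a
# regular, non-empty, readable file.
# NOTE(review): a file saved while stop() was in effect contains an
# all-ACCEPT ruleset and will be restored as such -- this check cannot
# detect that.
start() {
  ebegin "Starting firewall"
  if [ -f "${FIREWALL}" ] && [ -s "${FIREWALL}" ] && [ -r "${FIREWALL}" ]; then
    restore
  else
    einfo "${FIREWALL} does not exists. Using default rules."
    rules
  fi
  eend $?
}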

# Service stop.  NOTE: "stop" means OPEN, not closed -- every chain in the
# filter and nat tables is flushed, user chains are deleted, and the three
# policies go back to ACCEPT, so the host is completely unfiltered until
# start/rules/panic runs again.  Use panic() for a fail-closed stop.
stop() {
  ebegin "Stopping firewall"
  $IPTABLES -F
  $IPTABLES -t nat -F
  $IPTABLES -X
  local builtin_chain
  for builtin_chain in FORWARD INPUT OUTPUT; do
    $IPTABLES -P "$builtin_chain" ACCEPT
  done
  eend $?
}

# opts entry point: dump the filter table, then the nat table, with counters
# and rule numbers.
showstatus() {
  ebegin "Status"
  local listing="-L -n -v --line-numbers"
  $IPTABLES $listing
  einfo "NAT status"
  $IPTABLES $listing -t nat
  eend $?
}

# opts entry point: fail-closed emergency state.  Everything is flushed and
# the policies go to DROP; only loopback survives.  This also cuts the
# admin's own ssh session, since no ESTABLISHED rule is kept.  User chains in
# the nat table are flushed but not deleted (-X is applied to filter only),
# as in the original.
panic() {
  ebegin "Setting panic rules"
  $IPTABLES -F
  $IPTABLES -X
  $IPTABLES -t nat -F
  local builtin_chain
  for builtin_chain in FORWARD INPUT OUTPUT; do
    $IPTABLES -P "$builtin_chain" DROP
  done
  $IPTABLES -A INPUT -i lo -j ACCEPT
  $IPTABLES -A OUTPUT -o lo -j ACCEPT
  eend $?
}

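# opts entry point: persist the live ruleset to ${FIREWALL}.
# Writes to a temporary file in the same directory and renames it into place
# only when iptables-save succeeds, so a failed or interrupted save cannot
# leave a truncated/empty file that start() would later "restore" (leaving
# the kernel's default ACCEPT policies).  The file is made 0600: it describes
# the host's network topology and need not be world-readable.
# Returns iptables-save's status (or mktemp's/mv's on failure).
save() {
  ebegin "Saving Firewall rules"
  local tmp rc
  tmp=$(mktemp "${FIREWALL}.XXXXXX") || { eend 1; return 1; }
  if $IPTABLESSAVE > "$tmp"; then
    chmod 600 "$tmp" && mv -f "$tmp" "${FIREWALL}"
    rc=$?
  else
    rc=$?
    rm -f "$tmp"
  fi
  eend $rc
}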

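# opts entry point: load ${FIREWALL} with iptables-restore.
# Refuses a missing, empty or unreadable file: iptables-restore "succeeds"
# on empty input and would leave the kernel's default ACCEPT policies in
# place while reporting success.
# NOTE(review): the file's *contents* are trusted as-is -- a ruleset saved
# while stop() was active (all ACCEPT) is restored just the same.
# Returns 1 when the file is unusable, else iptables-restore's status.
restore() {
  ebegin "Restoring Firewall rules"
  if [ ! -s "${FIREWALL}" ] || [ ! -r "${FIREWALL}" ]; then
    eerror "${FIREWALL} is missing, empty or unreadable; rules not restored"
    eend 1
    return 1
  fi
  $IPTABLESRESTORE < "${FIREWALL}"
  eend $?
}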

# Plain stop-then-start via the runscript helpers.  Because stop() leaves the
# host unfiltered and start() prefers the saved ruleset over rules(), a
# restart has a brief open window and does not pick up edits to rules()
# while ${FIREWALL} exists.
restart() {
  svc_stop
  svc_start
}

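# opts entry point: print the supported actions.  "rules" is described in
# the list but was missing from the synopsis line in the original.
showoptions() {
  printf '%s\n' \
    "Usage: $0 {start|save|restore|panic|stop|restart|showstatus|rules}" \
    "start)      will restore setting if exists else force rules" \
    "stop)       delete all rules and set all to accept" \
    "rules)      force settings of new rules" \
    "save)       will store settings in ${FIREWALL}" \
    "restore)    will restore settings from ${FIREWALL}" \
    "showstatus) Shows the status"
}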




