[glux] firewall e forward
Francesco Moretto
cybercecco@libero.it
Fri, 07 Mar 2003 12:07:17 +0100
grazie @arminillo ma non funziona, se tento un collegamento da remoto
con la macchina interna (as400 su porta 23 (!!)) resta latente fino al
timeout, provo a postare lo script che uso sul firewall per
l'impostazione dele regole, magari sbaglio qualche cosa a monte....
Grazie ancora
Francesco
#!/bin/sh
PATH=$PATH:/sbin
export PATH
modprobe ip_conntrack
# funziona SOLO con iptables
# RETE INTERNA
IP_LAN=192.168.0.250
ETH_LAN="eth0"
LOCAL_LAN="192.168.0.0/24"
# RETE ESTERNA
IP_NET=192.168.100.251
ETH_NET="eth1"
ANY=0.0.0.0/0
INTERNET_SERVER="192.168.0.250"
INTERFACES="lo eth0 eth1"
TCP_SERVICES="http ssh https smtp 9898 9899 23 449 8471 8476 8474 8470"
#TCP_SERVICES="http ssh https ftp smtp"
UDP_SERVICES="9898 9899 23 449 8471 8476 8474 8470"
WORK="9899 9898"
AS400="23 449 8471 8476 8474 8470"
# Starting firewall
if [ "$1" = "start" ]; then
echo "Starting stateful firewall..."
depmod -a
# RESET
iptables -F INPUT
iptables -F FORWARD
# Setup firewalling:
# (a) Default policy: DROP
iptables -P INPUT DROP
# (b) Allow outcoming connections and related
iptables -A INPUT -i ! $ETH_NET -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# (e) Enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# iptables -A FORWARD -s $ANY -d $IP_NET -i $ETH_NET -o $ETH_LAN
-p tcp -j ACCEPT
for x in $TCP_SERVICES
do
iptables -A INPUT -p tcp --dport $x -m state --state NEW -j ACCEPT
done
for x in $UDP_SERVICES
do
iptables -A INPUT -p udp --dport $x -m state --state NEW -j ACCEPT
done
for x in $WORK
do
iptables -t nat -A PREROUTING -p tcp -i $ETH_NET --dport
$x -j DNAT --to-destination 192.168.0.33:$x
iptables -t nat -A PREROUTING -p udp -i $ETH_NET --dport
$x -j DNAT --to-destination 192.168.0.33:$x
done
for x in $AS400
do
iptables -t nat -A PREROUTING -p tcp -i $ETH_NET --dport
$x -j DNAT --to-destination 192.168.0.5:$x
iptables -t nat -A PREROUTING -p udp -i $ETH_NET --dport
$x -j DNAT --to-destination 192.168.0.5:$x
done
# (d) Disable spoofing
for x in $INTERFACES
do
echo 1 > /proc/sys/net/ipv4/conf/$x/rp_filter
done
# (e1) transparent proxy (squid su INTERNET_SERVER)
iptables -t nat -A PREROUTING -i $ETH_LAN -p tcp --source !
$INTERNET_SERVER --dport 80 -j DNAT --to $INTERNET_SERVER:8080
iptables -t nat -A PREROUTING -i $ETH_LAN -p tcp --source !
$INTERNET_SERVER --dport 80
iptables -t nat -A POSTROUTING -o $ETH_LAN -p tcp -d
$INTERNET_SERVER -s $LOCAL_LAN -j SNAT --to $IP_LAN
iptables -A FORWARD -s $LOCAL_LAN -d $INTERNET_SERVER -i $ETH_LAN -o
$ETH_LAN -p tcp -j ACCEPT
# (e2) SMTP
# iptables -t nat -A PREROUTING -i $ETH_NET -p tcp --dport 25 -j
DNAT --to $INTERNET_SERVER
# (e3) HTTP(S)
# iptables -t nat -A PREROUTING -i $ETH_NET -p tcp --dport 80 -j
DNAT --to $INTERNET_SERVER
# iptables -t nat -A PREROUTING -i $ETH_NET -p tcp --dport 443 -j
DNAT --to $INTERNET_SERVER
# (f) NAT
iptables -t nat -A POSTROUTING -o $ETH_NET -j SNAT --to-source $IP_NET
echo "Firewall running."
fi
if [ "$1" = "stop" ]; then
# RESET
iptables -F INPUT
iptables -F FORWARD
iptables -F -t nat
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
echo 0 > /proc/sys/net/ipv4/ip_forward
echo "Firewall stopped"
fi