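#!/bin/sh
#
# Router firewall: default-deny INPUT/FORWARD, SNAT of the local net to the
# Internet, per-client MAC marking for paid access, traffic accounting chains
# (COUNT_IN/COUNT_OUT), HTB shaper marks and a small anti-spoof chain.
#
# Usage:    run as root after the interfaces are up; INET_IP must be set
#           (edit below or export it in the environment).
# Env vars: INET_IP  - public address of $INET_IFNAME (no default, required)
#           LNET_IP  - "local net" used by the accounting rules; the original
#                      script never assigned it (see note below).
#
# The script does not flush existing rules: running it twice appends every
# rule a second time and the "-N" calls fail because the chains already
# exist.  fw_reinit.pl adds the per-MAC allow rules to MAC_CHECK afterwards,
# so a flush here would drop those too; flush deliberately, outside this file.
#
# Fail loudly on any unset variable instead of silently emitting a broken
# iptables rule (that is exactly how the original lost LNET_IP).
set -u

# Public address and interface towards the Internet.
# INET_IP must be supplied; an empty value turns "-d $INET_IP --dport 22"
# into an invalid rule, the SSH accept rule is never installed and the box
# locks itself out behind the DROP policy.
INET_IP="${INET_IP:-}"
INET_IFNAME="eth1"

# Inner (LAN / wireless) interface: its own address, subnet and broadcast.
L1_IFNAME="eth0"
L1_IF_IP="10.10.0.1/32"
L1_IP="10.10.0.0/24"
L1_BCAST="10.10.0.255/32"

# Whole local address space (prepared for more than one inner interface).
L_ALL_IP="10.10.0.0/16"

# NOTE(review): LNET_IP was used but never defined in the original script,
# so "-d ! $LNET_IP" expanded to "-d !" and the accounting rules failed to
# load.  The COUNT_OUT rule (src L_ALL_IP, dst not LNET_IP) mirrors the
# COUNT_IN rule (src not L_ALL_IP, dst LNET_IP), which only makes sense if
# LNET_IP is the local net itself - defaulting to L_ALL_IP; confirm.
LNET_IP="${LNET_IP:-$L_ALL_IP}"

# Loopback.
LO_IFNAME="lo"
LO_IP="127.0.0.1/32"

# Path to the iptables binary.
IPTABLES="/sbin/iptables"

# ---- sanity checks, before any policy is touched ------------------------
# Abort here rather than after INPUT has already been set to DROP.
: "${INET_IP:?INET_IP (public address of $INET_IFNAME) must be set}"
if [ ! -x "$IPTABLES" ]; then
  printf '%s: iptables binary not found at %s\n' "$0" "$IPTABLES" >&2
  exit 1
fi

# ---- default policies ---------------------------------------------------
# Drop everything that is not explicitly allowed; locally generated traffic
# is trusted.
"$IPTABLES" -P INPUT DROP
"$IPTABLES" -P OUTPUT ACCEPT
"$IPTABLES" -P FORWARD DROP

# ---- user chains in the mangle table ------------------------------------
"$IPTABLES" -t mangle -N SPOOF
"$IPTABLES" -t mangle -N INET_SPOOF
"$IPTABLES" -t mangle -N MAC_CHECK
"$IPTABLES" -t mangle -N HTB_MARK
"$IPTABLES" -t mangle -N COUNT_IN
"$IPTABLES" -t mangle -N COUNT_OUT

# ---- MAC_CHECK: mark packets of paying clients --------------------------
# Default mark 0 = access denied; FORWARD rejects mark 0 further down.
# A MAC address is trivially changed by the client, so this is an
# accounting/convenience control, not authentication.
"$IPTABLES" -t mangle -A MAC_CHECK -j MARK --set-mark 0
# Allowed MACs are appended by fw_reinit.pl from the config file addres.allow:
# "$IPTABLES" -t mangle -A MAC_CHECK -m mac --mac-source 00:00:00:00:00:00 -j MARK --set-mark 1

# ---- HTB_MARK: marks consumed by the shaper -----------------------------
echo "HTB MARK"
"$IPTABLES" -t mangle -A HTB_MARK -d 10.0.0.0/8 -j MARK --set-mark 1000

# ---- COUNT_IN / COUNT_OUT: accounting-only chains -----------------------
# These chains contain only RETURN rules; the byte/packet counters of the
# rules are what gets read out.  The 10.1.x.x addresses do not belong to
# L_ALL_IP (10.10.0.0/16) above - presumably left over from another site
# configuration; verify before relying on the counters.
echo "count IN"
"$IPTABLES" -t mangle -A COUNT_IN -d 10.1.2.2 -j RETURN
"$IPTABLES" -t mangle -A COUNT_IN -d 10.1.0.0/16 -j RETURN

echo "count OUT"
"$IPTABLES" -t mangle -A COUNT_OUT -s 10.1.2.2 -j RETURN
"$IPTABLES" -t mangle -A COUNT_OUT -s 10.1.0.0/16 -j RETURN

# ---- mangle PREROUTING: checks before the packet enters routing ---------
# The "-i ! IF" form is the old intrapositioned negation; newer iptables
# warn and prefer "! -i IF".  Kept as is for compatibility with the
# iptables this script was written for.
echo "mangle PRErouting"
"$IPTABLES" -t mangle -A PREROUTING -i "$INET_IFNAME" -j INET_SPOOF
"$IPTABLES" -t mangle -A PREROUTING -i ! "$INET_IFNAME" -j MAC_CHECK
# Transparent proxy: block direct, unaccounted access to the proxy port.
# "$IPTABLES" -t mangle -A PREROUTING -p tcp -d "$L1_IF_IP" --dport 8080 -j DROP

# TOS for interactive / bulk services.
"$IPTABLES" -t mangle -A PREROUTING -p tcp --sport 23 -j TOS --set-tos Minimize-Delay
"$IPTABLES" -t mangle -A PREROUTING -p tcp --dport 23 -j TOS --set-tos Minimize-Delay
"$IPTABLES" -t mangle -A PREROUTING -p tcp --sport ssh -j TOS --set-tos Minimize-Delay
"$IPTABLES" -t mangle -A PREROUTING -p tcp --dport ssh -j TOS --set-tos Minimize-Delay
"$IPTABLES" -t mangle -A PREROUTING -p tcp --sport ftp -j TOS --set-tos Minimize-Delay
# "$IPTABLES" -t mangle -A PREROUTING -p udp -j TOS --set-tos Minimize-Delay
"$IPTABLES" -t mangle -A PREROUTING -p tcp --sport ftp-data -j TOS --set-tos Maximize-Throughput

# Outgoing accounting: local net -> anything outside the local net, plus
# local clients talking to the proxy port on this router.
"$IPTABLES" -t mangle -A PREROUTING -s "$L_ALL_IP" -d ! "$LNET_IP" -j COUNT_OUT
"$IPTABLES" -t mangle -A PREROUTING -p tcp -s "$L_ALL_IP" -d "$L1_IF_IP" --dport 8080 -j COUNT_OUT

# ---- mangle OUTPUT: locally generated packets ---------------------------
echo "mangle OUT"
"$IPTABLES" -t mangle -A OUTPUT -p tcp --sport 23 -j TOS --set-tos Minimize-Delay
"$IPTABLES" -t mangle -A OUTPUT -p tcp --dport 23 -j TOS --set-tos Minimize-Delay
"$IPTABLES" -t mangle -A OUTPUT -p tcp --sport ssh -j TOS --set-tos Minimize-Delay
"$IPTABLES" -t mangle -A OUTPUT -p tcp --dport ssh -j TOS --set-tos Minimize-Delay
"$IPTABLES" -t mangle -A OUTPUT -p tcp --dport ftp -j TOS --set-tos Minimize-Delay
"$IPTABLES" -t mangle -A OUTPUT -p udp --dport 53 -j TOS --set-tos Minimize-Delay
"$IPTABLES" -t mangle -A OUTPUT -p tcp --sport ftp-data -j TOS --set-tos Maximize-Throughput

# Incoming accounting: outside -> local net, plus proxy replies from this
# router to local clients.
"$IPTABLES" -t mangle -A POSTROUTING -s ! "$L_ALL_IP" -d "$LNET_IP" -j COUNT_IN
"$IPTABLES" -t mangle -A OUTPUT -p tcp -s "$L1_IF_IP" --sport 8080 -d "$L_ALL_IP" -j COUNT_IN

# Hand inbound packets to the shaper marking chain.
# TODO: could this live in FORWARD instead of POSTROUTING?
"$IPTABLES" -t mangle -A POSTROUTING -s ! "$L_ALL_IP" -d "$LNET_IP" -j HTB_MARK
"$IPTABLES" -t mangle -A OUTPUT -p tcp -s "$L1_IF_IP" --sport 8080 -d "$L_ALL_IP" -j HTB_MARK

# ---- anti-spoofing on the Internet interface ----------------------------
# Source addresses that can never legitimately arrive from the Internet.
echo "Antispoof"
"$IPTABLES" -t mangle -A INET_SPOOF -s 192.168.0.0/16 -j SPOOF   # RFC 1918
"$IPTABLES" -t mangle -A INET_SPOOF -s 10.0.0.0/8 -j SPOOF       # RFC 1918 (also covers L_ALL_IP)
"$IPTABLES" -t mangle -A INET_SPOOF -s 172.16.0.0/12 -j SPOOF    # RFC 1918
"$IPTABLES" -t mangle -A INET_SPOOF -s 127.0.0.0/8 -j SPOOF      # loopback never valid on the wire
# 96.0.0.0/4 was on the IANA reserved list when this script was written; the
# whole block has since been allocated to the RIRs, so this rule now drops
# legitimate Internet hosts.  Disabled; maintain a bogon list externally if
# one is wanted.
# "$IPTABLES" -t mangle -A INET_SPOOF -s 96.0.0.0/4 -j SPOOF
"$IPTABLES" -t mangle -A SPOOF -m limit --limit 8/h --limit-burst 5 -j LOG --log-prefix "Rezervovana adresa: "
"$IPTABLES" -t mangle -A SPOOF -j DROP

###########################################################################
## NAT
# Non-paying clients: redirect web to the deny page and back (disabled).
echo "NAT"
#"$IPTABLES" -t nat -A PREROUTING -p tcp -m mark --mark 0 --dport 80 -i ! "$INET_IFNAME" -d ! "$INET_IP" -j DNAT --to-destination 10.1.255.11:80
#"$IPTABLES" -t nat -A POSTROUTING -p tcp -m mark --mark 0 --dport 80 -d 10.1.255.11 -j SNAT --to-source 10.1.255.1:60025-65535
# Transparent cache for paying clients (disabled).
# "$IPTABLES" -t nat -A PREROUTING -p tcp -m mark --mark 1 --dport 80 -i ! "$INET_IFNAME" -d ! "$INET_IP" -j REDIRECT --to-port 8080
## Masquerading: SNAT the local net to the public address.
"$IPTABLES" -t nat -A POSTROUTING -s "$L_ALL_IP" -o "$INET_IFNAME" -j SNAT --to "$INET_IP"
# DNAT for inner machines (web server) - disabled.
#"$IPTABLES" -t nat -A PREROUTING -p tcp -d "$INET_IP" --dport 80 -i "$INET_IFNAME" -j DNAT --to 10.1.255.10

###########################################################################
### FILTER
## INPUT
echo "Filtry INPUT"
# New TCP connections must start with SYN.
"$IPTABLES" -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
"$IPTABLES" -A INPUT -i "$LO_IFNAME" -j ACCEPT
# Everything from the inner subnet on the inner interface is trusted.
"$IPTABLES" -A INPUT -i "$L1_IFNAME" -s "$L1_IP" -j ACCEPT
## Internet interface
# ICMP from the Internet is fully dropped (rule disabled); this also drops
# "fragmentation needed", so path-MTU discovery towards this host breaks.
# "$IPTABLES" -A INPUT -p icmp -i "$INET_IFNAME" -d "$INET_IP" -j ACCEPT
"$IPTABLES" -A INPUT -p tcp -i "$INET_IFNAME" -d "$INET_IP" --dport 22 -j ACCEPT
# Port 23 is cleartext telnet exposed to the Internet; credentials cross the
# wire unprotected.  Kept because the original allowed it - reconsider.
"$IPTABLES" -A INPUT -p tcp -i "$INET_IFNAME" -d "$INET_IP" --dport 23 -j ACCEPT
"$IPTABLES" -A INPUT -p tcp -i "$INET_IFNAME" -d "$INET_IP" --dport 25 -j ACCEPT
"$IPTABLES" -A INPUT -i "$INET_IFNAME" -d "$INET_IP" -m state --state ESTABLISHED,RELATED -j ACCEPT
# Explicit refusals
# ident: answer with RST so remote mail/irc servers do not wait for a timeout.
"$IPTABLES" -A INPUT -p tcp -i "$INET_IFNAME" -d "$INET_IP" --dport 113 -j REJECT --reject-with tcp-reset
# Log what the DROP policy is about to discard.  Rate-limited so a flood
# cannot fill the log partition (limit values constructed; the SPOOF chain
# above uses the same mechanism) - tune as needed.
"$IPTABLES" -A INPUT -i "$INET_IFNAME" -d "$INET_IP" -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "INPUT DROP: "

## FORWARD
echo "Filtry Forward"
# Replies from the Internet back to the inner subnet.  Only L1_IP (/24) is
# covered although L_ALL_IP is a /16: return traffic for any other local
# subnet behind L1_IFNAME is dropped.  Add a rule per subnet if more are used.
"$IPTABLES" -A FORWARD -i "$INET_IFNAME" -o "$L1_IFNAME" -d "$L1_IP" -m state --state ESTABLISHED,RELATED -j ACCEPT
# Local net -> Internet: only clients marked 1 by MAC_CHECK may pass;
# mark 0 gets an ICMP net-prohibited so the client fails fast.
"$IPTABLES" -A FORWARD -s "$L_ALL_IP" -o "$INET_IFNAME" -m mark --mark 1 -j ACCEPT
"$IPTABLES" -A FORWARD -s "$L_ALL_IP" -o "$INET_IFNAME" -m mark --mark 0 -j REJECT --reject-with icmp-net-prohibited
# Anything else falls through to the DROP policy; log it, rate-limited as above.
"$IPTABLES" -A FORWARD -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FORWARD DROP: "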