1) правильно ли будет форвардить на интерфейс, а не на внешний IP-адрес?
интересует вот этот кусок:
старый вариант
######################################################
#$IPTABLES -A FORWARD -s $LAN_IP_RANGE_2 -d ! $LAN_IP_RANGE -j ACCEPT
#$IPTABLES -A FORWARD -s $LAN_IP_RANGE_3 -d ! $LAN_IP_RANGE -j ACCEPT
######################################################
# Same "new forward" rules as in the full script below.
# Answer to question 1: yes. In FORWARD, matching the outgoing interface
# (-o $INET_IFACE) is the right way to express "student nets -> Internet".
# A FORWARD rule with -d $INET_IP can never match: packets addressed to the
# firewall's own address are delivered locally through INPUT, they are not
# forwarded at all.  The commented -d $LAN_IP_RANGE lines would only allow
# student-net -> admin-net traffic, which the -o rule deliberately omits.
#$IPTABLES -A FORWARD -s $LAN_IP_RANGE_2 -d $LAN_IP_RANGE -j ACCEPT
#$IPTABLES -A FORWARD -s $LAN_IP_RANGE_3 -d $LAN_IP_RANGE -j ACCEPT
#$IPTABLES -A FORWARD -s $LAN_IP_RANGE_2 -d $INET_IP -j ACCEPT
#$IPTABLES -A FORWARD -s $LAN_IP_RANGE_3 -d $INET_IP -j ACCEPT
$IPTABLES -A FORWARD -s $LAN_IP_RANGE_2 -o $INET_IFACE -j ACCEPT
$IPTABLES -A FORWARD -s $LAN_IP_RANGE_3 -o $INET_IFACE -j ACCEPT
#######################################################
3) как дропнуть все исходящие соединения на 25 порт (кроме "ххх.ххх.ххх.ххх", "ххх.ххх.ххх.ххх", "малру" и т. д.)?
$IPTABLES -A INPUT -i $INET_IFACE -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource
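# SSH brute-force throttle on the external interface.  The --set rule
# above records the source of every NEW connection to port 22 in the
# "SSH" recent-list; these two rules count hits from the same source
# within 60 s (--rttl: only when the TTL also matches, to resist spoofing).
#
# Fix: the LOG rule now also carries `-m state --state NEW`, like the
# --set and DROP rules.  Without it the rule matched every packet of an
# already-open SSH session and kept updating the "SSH" entry, which could
# both flood the log and push the hit count high enough for the DROP rule
# to refuse new connections from a host with a legitimate session open.
#
# Third new attempt within 60 s: log it (no --limit, so a persistent
# scanner produces one log line per attempt).
$IPTABLES -A INPUT -i $INET_IFACE -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --rttl --name SSH --rsource -j LOG --log-prefix "IPTABLES: SSH_BRUTFORCE: "
# Fourth and later new attempts within 60 s: drop.
$IPTABLES -A INPUT -i $INET_IFACE -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --rsource -j DROP
# Placement (question in the post): all three lines must be inserted in the
# script BEFORE `$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets`.
# -A appends and the first match wins; tcp_packets accepts --dport 22 from
# anywhere and the "allowed" chain ends every TCP packet in ACCEPT or DROP,
# so rules appended after that jump are never reached for SSH.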
то есть тоже: куда именно вставить эти строчки?
# Outbound SMTP allow-list for the admin net (question 3): accept port 25
# to the permitted relay(s), then drop port 25 to everything else.  Repeat
# the ACCEPT line once per permitted relay address (xxx.xxx.xxx.xxx is a
# placeholder); only TCP is covered, as in the script's own SMTP rules.
#
# Placement: these lines must go BEFORE
#   $IPTABLES -A FORWARD -s $LAN_IP_RANGE -j ACCEPT
# in the script.  -A appends and the first match wins, so after that
# generic accept they would never be reached.  If they are placed before
# the existing "SMTP FORWARD from admin" LOG rule, that rule will no
# longer see the accepted mail traffic either.
$IPTABLES -A FORWARD -p tcp -s $LAN_IP_RANGE -d xxx.xxx.xxx.xxx --dport 25 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -s $LAN_IP_RANGE --dport 25 -j DROP
#!/bin/sh
#
# Firewall/NAT script for a router with one external interface and four
# LAN ranges.  It loads netfilter modules, enables forwarding, sets
# default-deny policies on INPUT/FORWARD, builds helper chains, and adds
# transparent-proxy and SNAT rules.
#
# Runs as plain /bin/sh with no `set -e`: a failing command (modprobe,
# iptables) does not stop the script, so a partial rule set is possible.
#
# Internet Configuration.
#
# External address (placeholder on this page) and interface; INET_IP is
# also the SNAT source for all LAN ranges.
INET_IP="xxx.xxx.xxx.xxx"
INET_IFACE="eth0"
INET_BROADCAST="xxx.xxx.xxx.xxx"
#
# Local Area Network configuration.
#
# Four /24 ranges, all on the same physical interface (eth1).  Only
# LAN_IFACE is referenced by the rules below (DHCP rule); LAN_IFACE_1..3
# are defined but not used in this listing.
LAN_IP="192.168.1.254"
LAN_IP_RANGE="192.168.1.0/255.255.255.0"
LAN_IFACE="eth1"
LAN_IP_1="192.168.2.254"
LAN_IP_RANGE_1="192.168.2.0/255.255.255.0"
LAN_IFACE_1="eth1"
# "student" nets (see the FORWARD chain): restricted to Internet-only.
LAN_IP_2="10.1.1.254"
LAN_IP_RANGE_2="10.1.1.0/255.255.255.0"
LAN_IFACE_2="eth1"
LAN_IP_3="10.2.1.254"
LAN_IP_RANGE_3="10.2.1.0/255.255.255.0"
LAN_IFACE_3="eth1"
#
# Localhost Configuration.
#
LO_IFACE="lo"
LO_IP="127.0.0.1"
#
# IPTables Configuration.
#
IPTABLES=/sbin/iptables
#
# Module loading.
#
#
# Needed to initially load modules
#
/sbin/depmod -a
#
# Required modules
#
# NOTE(review): these are the legacy ip_*/ipt_* module names; on newer
# kernels the equivalents are usually nf_conntrack / xt_* (confirm for
# the target kernel).  modprobe exit codes are not checked, so a missing
# module only surfaces later when an iptables rule that needs it fails.
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state
# Need for netams accounting
/sbin/modprobe ip_queue
#
# Non-Required modules
#
# The FTP/IRC connection-tracking helpers are left disabled; active-mode
# FTP and DCC through the NAT will not work unless they are loaded.
#/sbin/modprobe ipt_owner
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
#/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_nat_irc
#
# /proc set up.
#
#
# Required proc configuration
#
# Turn the box into a router; without this the FORWARD chain is never
# traversed.
echo "1" > /proc/sys/net/ipv4/ip_forward
#
# Non-Required proc configuration
#
# NOTE(review): rp_filter stays disabled.  The INPUT chain below accepts
# LAN traffic by source address alone (no -i match), so the kernel's
# reverse-path check is the only other thing that would reject a packet
# arriving on $INET_IFACE with a forged LAN source -- consider enabling it
# (or adding -i $LAN_IFACE to those rules).
#echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
#echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr
#
# Set policies
#
# Default deny for traffic to and through the box; traffic originating on
# the box is allowed (see OUTPUT rules at the end).
#
# NOTE(review): nothing flushes the existing rules first (no -F/-X, no
# nat or mangle flush).  Re-running the script appends a second copy of
# every -A rule, and the -N calls below fail because the chains already
# exist.  A flush of filter/nat/mangle and -X before this point would make
# the script idempotent.
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP
#
# Create chain for bad tcp packets
#
$IPTABLES -N bad_tcp_packets
#
# Create separate chains for ICMP, TCP and UDP to traverse
#
$IPTABLES -N allowed
$IPTABLES -N tcp_packets
$IPTABLES -N udp_packets
$IPTABLES -N icmp_packets
#
# bad_tcp_packets chain
#
# Jumped to from INPUT for all TCP.  A SYN+ACK that conntrack considers
# NEW has no matching outgoing SYN (e.g. a reply to a SYN sent with our
# address as source); answer with a reset so the peer tears it down.
$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \
-m state --state NEW -j REJECT --reject-with tcp-reset
# Any other non-SYN packet that starts a "new" connection is logged at
# debug level and dropped.  Packets that pass fall back to the caller.
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
--log-level debug --log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
#
# allowed chain
#
# Terminal for TCP: accept a connection-opening SYN, accept packets of an
# established/related connection, drop everything else.  Because every
# TCP packet ends here in ACCEPT or DROP, a `-j allowed` in tcp_packets
# is a final decision -- later INPUT rules never see that traffic.
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP
#
# Rules
#
# tcp_packets: services exposed to the Internet.  This chain is entered
# only for TCP arriving on $INET_IFACE (see the INPUT chain), and each
# `-j allowed` is terminal.  Everything listed with `-s 0/0` is reachable
# from any address; there is no rate limiting here, so any throttle for
# e.g. SSH has to be inserted in INPUT before the jump to this chain.
#ftp from anywhere
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 20 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
##for ftp-passive mode
#$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 1025:65535 -j allowed
#smtp from anywhere
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 25 -j allowed
#ssh from anywhere
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
#http from anywhere
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
#pop3 from anywhere
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 110 -j allowed
#domain from anywhere
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 53 -j allowed
#nntp from anywhere
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 119 -j allowed
#imap2 from anywhere
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 143 -j allowed
#https from anywhere
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 443 -j allowed
#imaps from anywhere
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 993 -j allowed
#pop3s from anywhere
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 995 -j allowed
#squid from our nets
# NOTE(review): genuine LAN traffic is already accepted by source range
# earlier in INPUT and never reaches this chain, so as written these four
# rules can only match packets carrying a LAN source address that arrive
# on $INET_IFACE -- i.e. spoofed or misrouted traffic.  Probably not what
# was intended; verify with the rule counters.
$IPTABLES -A tcp_packets -p TCP -s $LAN_IP_RANGE --dport 3128 -j allowed
$IPTABLES -A tcp_packets -p TCP -s $LAN_IP_RANGE_1 --dport 3128 -j allowed
$IPTABLES -A tcp_packets -p TCP -s $LAN_IP_RANGE_2 --dport 3128 -j allowed
$IPTABLES -A tcp_packets -p TCP -s $LAN_IP_RANGE_3 --dport 3128 -j allowed
#
# UDP ports
#
# udp_packets: entered only for UDP arriving on $INET_IFACE.  Packets that
# match nothing here return to INPUT and end up in the rate-limited LOG
# and the DROP policy.
#domain from anywhere
$IPTABLES -A udp_packets -p UDP -s 0/0 --dport 53 -j ACCEPT
#
# In Microsoft Networks you will be swamped by broadcasts. These lines
# will prevent them from showing up in the logs.
#
$IPTABLES -A udp_packets -p UDP -d $INET_BROADCAST --dport 135:139 -j DROP
#
# If we get DHCP requests from the Outside of our network, our logs will
# be swamped as well. This rule will block them from getting logged.
#
$IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d 255.255.255.255 \
--destination-port 67:68 -j DROP
#
# ICMP packets
#
# icmp_packets: entered only for ICMP arriving on $INET_IFACE.
# Fragmented ICMP is logged and dropped outright.
$IPTABLES -A icmp_packets --fragment -p ICMP -j LOG \
--log-level debug --log-prefix "Fragmented ICMP: "
$IPTABLES -A icmp_packets --fragment -p ICMP -j DROP
# NOTE(review): same caveat as the squid rules in tcp_packets -- LAN
# sources are accepted earlier in INPUT, so these four rules only see
# LAN-sourced ICMP that came in on the external interface.
$IPTABLES -A icmp_packets -p ICMP -s $LAN_IP_RANGE -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s $LAN_IP_RANGE_1 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s $LAN_IP_RANGE_2 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s $LAN_IP_RANGE_3 -j ACCEPT
# Echo requests from anywhere, throttled to one per second; all other
# ICMP types fall through to the INPUT log/drop.
$IPTABLES -A icmp_packets -p ICMP --icmp-type echo-request -m limit --limit 1/s \
-s 0/0 -j ACCEPT
#
# Bad TCP packets we don't want.
#
# INPUT chain (policy DROP).  Order: sanity-check TCP, accept trusted
# sources, then dispatch Internet traffic to the per-protocol chains.
$IPTABLES -A INPUT -p tcp -j bad_tcp_packets
#
# Rules for special networks not part of the Internet
#
# NOTE(review): these accept by source address only, with no -i match,
# and rp_filter is not enabled above.  A packet arriving on $INET_IFACE
# with a forged LAN source is therefore accepted here, before any of the
# Internet-facing restrictions.  Adding `-i $LAN_IFACE` to each of the
# four rules (all LAN ranges sit on eth1) closes that.
$IPTABLES -A INPUT -p ALL -s $LAN_IP_RANGE -j ACCEPT
$IPTABLES -A INPUT -p ALL -s $LAN_IP_RANGE_1 -j ACCEPT
$IPTABLES -A INPUT -p ALL -s $LAN_IP_RANGE_2 -j ACCEPT
$IPTABLES -A INPUT -p ALL -s $LAN_IP_RANGE_3 -j ACCEPT
# Loopback: only the box's own addresses are accepted on lo.
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP_1 -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP_2 -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP_3 -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT
#
# Special rule for DHCP requests from LAN, which are not caught properly
# otherwise.
#
$IPTABLES -A INPUT -p UDP -i $LAN_IFACE --dport 67 --sport 68 -j ACCEPT
#
# Rules for incoming packets from the internet.
#
# Replies to connections the box opened (only for packets addressed to
# $INET_IP).
$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED \
-j ACCEPT
# Dispatch by protocol.  tcp_packets -> allowed is terminal for TCP, so
# any rule that should throttle or restrict an exposed TCP service (for
# example the `-m recent` SSH rules discussed above the script) must be
# inserted BEFORE this jump; appended after it, it is never reached.
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udp_packets
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
#
# If you have a Microsoft Network on the outside of your firewall, you may
# also get flooded by Multicasts. We drop them so we do not get flooded by
# logs
#
$IPTABLES -A INPUT -i $INET_IFACE -d 224.0.0.0/8 -j DROP
#
# Log weird packets that don't match the above.
#
# Rate-limited so a flood cannot fill the log; the DROP policy then
# applies to whatever reaches the end of the chain.
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level debug --log-prefix "IPT INPUT packet died: "
#
#Forward chain
#
#
# Bad TCP packets we don't want
#
# Disabled: forwarded TCP is not run through bad_tcp_packets.
###$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets
#
# Accept the packets we actually want to forward
#
# FORWARD (policy DROP).  -A appends and the first match wins, so the
# per-net restrictions for the student nets (_2, _3) must stay above the
# generic accepts.  The admin (LAN_IP_RANGE) and buh (LAN_IP_RANGE_1) nets
# are only logged for SMTP and then accepted wholesale.
#
#Forward for LAN
#block UltraSurf on students PCs
# NOTE(review): the nat PREROUTING rules further down REDIRECT tcp
# dport 80,8080,443 from these same ranges to local port 3128.
# PREROUTING runs before the routing decision, so tcp/443 from the
# student nets is delivered to the local proxy via INPUT and never
# traverses FORWARD; as I read it, only the udp/443 rules here can match.
# Verify with the FORWARD rule counters.
$IPTABLES -A FORWARD -p tcp -s $LAN_IP_RANGE_2 --dport 443 -j DROP
$IPTABLES -A FORWARD -p udp -s $LAN_IP_RANGE_2 --dport 443 -j DROP
$IPTABLES -A FORWARD -p tcp -s $LAN_IP_RANGE_3 --dport 443 -j DROP
$IPTABLES -A FORWARD -p udp -s $LAN_IP_RANGE_3 --dport 443 -j DROP
# Outbound SMTP from the admin/buh nets is logged (not blocked); any
# allow-list/DROP for port 25 from these nets has to be inserted before
# the two `-s ... -j ACCEPT` lines below.
$IPTABLES -A FORWARD -p tcp -s $LAN_IP_RANGE --dport 25 -j LOG \
--log-level debug --log-prefix "SMTP FORWARD from admin: "
$IPTABLES -A FORWARD -p udp -s $LAN_IP_RANGE --dport 25 -j LOG \
--log-level debug --log-prefix "SMTP FORWARD from admin: "
$IPTABLES -A FORWARD -p tcp -s $LAN_IP_RANGE_1 --dport 25 -j LOG \
--log-level debug --log-prefix "SMTP FORWARD from buh: "
$IPTABLES -A FORWARD -p udp -s $LAN_IP_RANGE_1 --dport 25 -j LOG \
--log-level debug --log-prefix "SMTP FORWARD from buh: "
# Admin and buh nets may be forwarded anywhere (Internet and the other
# LAN ranges alike).
$IPTABLES -A FORWARD -s $LAN_IP_RANGE -j ACCEPT
$IPTABLES -A FORWARD -s $LAN_IP_RANGE_1 -j ACCEPT
#Drop mail traffic from student's nets
$IPTABLES -A FORWARD -p tcp -s $LAN_IP_RANGE_2 --dport 25 -j LOG \
--log-level debug --log-prefix "SMTP FORWARD died: "
$IPTABLES -A FORWARD -p tcp -s $LAN_IP_RANGE_3 --dport 25 -j LOG \
--log-level debug --log-prefix "SMTP FORWARD died: "
$IPTABLES -A FORWARD -p udp -s $LAN_IP_RANGE_2 --dport 25 -j LOG \
--log-level debug --log-prefix "SMTP FORWARD died: "
$IPTABLES -A FORWARD -p udp -s $LAN_IP_RANGE_3 --dport 25 -j LOG \
--log-level debug --log-prefix "SMTP FORWARD died: "
$IPTABLES -A FORWARD -p tcp -s $LAN_IP_RANGE_2 --dport 25 -j DROP
$IPTABLES -A FORWARD -p tcp -s $LAN_IP_RANGE_3 --dport 25 -j DROP
$IPTABLES -A FORWARD -p udp -s $LAN_IP_RANGE_2 --dport 25 -j DROP
$IPTABLES -A FORWARD -p udp -s $LAN_IP_RANGE_3 --dport 25 -j DROP
######################################################
#old forward
# (kept for reference; `-d ! X` is the legacy negation form, current
# iptables expects `! -d X`)
#$IPTABLES -A FORWARD -s $LAN_IP_RANGE_2 -d ! $LAN_IP_RANGE -j ACCEPT
#$IPTABLES -A FORWARD -s $LAN_IP_RANGE_3 -d ! $LAN_IP_RANGE -j ACCEPT
######################################################
#new forward
# Student nets are allowed out to the Internet only, by matching the
# outgoing interface.  A FORWARD rule with -d $INET_IP could never match:
# packets addressed to the firewall's own IP go through INPUT, not
# FORWARD.  The -d $LAN_IP_RANGE variants would additionally allow
# student -> admin-net traffic, which the active rules do not.
#$IPTABLES -A FORWARD -s $LAN_IP_RANGE_2 -d $LAN_IP_RANGE -j ACCEPT
#$IPTABLES -A FORWARD -s $LAN_IP_RANGE_3 -d $LAN_IP_RANGE -j ACCEPT
#$IPTABLES -A FORWARD -s $LAN_IP_RANGE_2 -d $INET_IP -j ACCEPT
#$IPTABLES -A FORWARD -s $LAN_IP_RANGE_3 -d $INET_IP -j ACCEPT
$IPTABLES -A FORWARD -s $LAN_IP_RANGE_2 -o $INET_IFACE -j ACCEPT
$IPTABLES -A FORWARD -s $LAN_IP_RANGE_3 -o $INET_IFACE -j ACCEPT
#######################################################
# Reply traffic for anything accepted above (including replies back to
# the student nets).  Placed after the per-net rules so every decision
# about a new connection is made first.
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Log weird packets that don't match the above.
#
# Rate-limited log, then the FORWARD DROP policy applies.
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level debug --log-prefix "IPT FORWARD packet died: "
# Transparent proxy
# Intercept web traffic (80, 8080 and 443) from every LAN range and hand
# it to the local proxy on port 3128.  This happens in PREROUTING, i.e.
# before routing, so the redirected packets go through INPUT (where LAN
# sources are accepted) and never reach the FORWARD chain -- which is why
# the tcp/443 DROPs for the student nets in FORWARD are bypassed.
$IPTABLES -t nat -A PREROUTING -s $LAN_IP_RANGE -p tcp -m multiport \
--dport 80,8080,443 -j REDIRECT --to-ports 3128
$IPTABLES -t nat -A PREROUTING -s $LAN_IP_RANGE_1 -p tcp -m multiport \
--dport 80,8080,443 -j REDIRECT --to-ports 3128
$IPTABLES -t nat -A PREROUTING -s $LAN_IP_RANGE_2 -p tcp -m multiport \
--dport 80,8080,443 -j REDIRECT --to-ports 3128
$IPTABLES -t nat -A PREROUTING -s $LAN_IP_RANGE_3 -p tcp -m multiport \
--dport 80,8080,443 -j REDIRECT --to-ports 3128
#
# Enable simple IP Forwarding and Network Address Translation
#
# Each range is SNATed to the external address for every destination
# except its own subnet.
# NOTE(review): `-d ! X` is the legacy negation syntax; newer iptables
# expects `! -d X`.  Also, the exclusion covers only the source's own
# range, so traffic the FORWARD chain allows between LAN ranges (e.g.
# LAN_IP_RANGE -> LAN_IP_RANGE_1) would be SNATed to $INET_IP as well --
# presumably unintended; verify.
$IPTABLES -t nat -A POSTROUTING -s $LAN_IP_RANGE -d ! $LAN_IP_RANGE \
-j SNAT --to-source $INET_IP
$IPTABLES -t nat -A POSTROUTING -s $LAN_IP_RANGE_1 -d ! $LAN_IP_RANGE_1 \
-j SNAT --to-source $INET_IP
$IPTABLES -t nat -A POSTROUTING -s $LAN_IP_RANGE_2 -d ! $LAN_IP_RANGE_2 \
-j SNAT --to-source $INET_IP
$IPTABLES -t nat -A POSTROUTING -s $LAN_IP_RANGE_3 -d ! $LAN_IP_RANGE_3 \
-j SNAT --to-source $INET_IP
#
# OUTPUT Rules
#
# OUTPUT policy is ACCEPT (set above); these only reject traffic the box
# itself sends to or from 172.16/12 and from a 224/8 source.  The rule
# list may continue past this listing.
#Reject to some nets
$IPTABLES -A OUTPUT -s 172.16.0.0/255.240.0.0 -j REJECT
$IPTABLES -A OUTPUT -d 172.16.0.0/255.240.0.0 -j REJECT
$IPTABLES -A OUTPUT -s 224.0.0.0/255.0.0.0 -j REJECT