 

Re: [NETVAERK] Spørgsmål omkring IPTABLES



Jesper Lund skrev:

Det kommer an på hvordan kodestumpen som du allerede har fået til at
virke ser ud. Prøv at skrive den stump her.

Mvh. Jesper
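#!/bin/bash
# Firewall setup for a three-legged gateway: LAN (eth1), WAN (eth0), DMZ (eth2).
#
# Rebuilds the filter and nat tables from scratch: flushes everything, sets
# DROP policies, creates one INPUT chain per interface and one FORWARD chain
# per (in, out) direction, installs the rules, then re-enables IPv4
# forwarding.  Needs root for iptables and /proc/sys writes.

##############################################################################
# Networks, interfaces and hosts
##############################################################################
### Networks ###
# All values below are constants for the rest of the script; readonly turns
# a later accidental reassignment into an error instead of a silent change.
readonly LAN="172.16.0.0/24"      # internal network, behind ETH_LAN
readonly ETH_LAN="eth1"
readonly WAN="192.168.0.198"      # the gateway's own external address (a single host, not a network)
readonly ETH_WAN="eth0"
readonly DMZ="172.16.10.0/24"
readonly ETH_DMZ="eth2"
readonly LO="127.0.0.1/8"         # defined but not referenced by any rule in this script
readonly ETH_LO="lo"

### Hosts ###
readonly ATLANTIS="172.16.10.10"  # DMZ server that receives the WAN port forwards
readonly HERCULES="172.16.0.2"    # LAN host; defined but not referenced by any rule in this script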

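##############################################################################
# Chain and policy setup
##############################################################################

# Disable forwarding while the tables are rebuilt so nothing is routed through
# a half-built rule set.  The original wrote only a newline here, which does
# not change the sysctl; the value must be an explicit 0.
echo 0 > /proc/sys/net/ipv4/ip_forward

# Flush every rule in the three tables and default to deny.  -F empties the
# user-defined chains but does not delete them, so on a re-run the -N calls
# further down report that the chain already exists; harmless, because each
# chain is flushed again right after it is created.
echo " Flushing rules and policies"
iptables -t filter -F
iptables -t nat -F
iptables -t mangle -F
iptables -P INPUT DROP
# NOTE(review): no rule is ever appended to OUTPUT in this script, so with a
# DROP policy the gateway itself cannot originate any traffic (DNS lookups,
# remote syslog, package updates) — confirm that is intended.
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
echo " Done...."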

# Per-interface INPUT chains.  Each is flushed immediately after -N so a
# re-run (where -N fails because the chain exists) still starts empty.
echo "Making the new chains"
for chain in lo lan wan dmz; do
  iptables -N "$chain"
  iptables -F "$chain"
done
echo " Done...."

# Per-direction FORWARD chains: from WAN, from LAN and from DMZ, each towards
# the two other legs.
echo "Making FORWARD chains"
for chain in wantodmz wantolan lantodmz lantowan dmztowan dmztolan; do
  iptables -N "$chain"
  iptables -F "$chain"
done
echo " Done...."

# Flush the two NAT hooks explicitly (the nat table was already flushed as a
# whole above; kept as in the original).
echo "Flushing NAT - POSTROUTING & PREROUTING"
iptables -t nat -F POSTROUTING
iptables -t nat -F PREROUTING
echo " Done.... NAT module finished"

# Loopback: accept everything, including new connections.
echo "Setting up local chain"
iptables -A lo -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
echo " Done.... Local chain is up and running"

# The LAN, WAN and DMZ INPUT chains all have the same shape: only replies to
# connections this host opened are accepted, everything else is logged with a
# per-interface prefix and falls through to the INPUT policy (the explicit
# DROP was left commented out in the original).
for spec in lan:LAN wan:WAN dmz:DMZ; do
  chain=${spec%%:*}
  label=${spec#*:}
  echo "Setting up ${label} chain"
  iptables -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A "$chain" -j LOG --log-prefix "FW ${label}:"
  #iptables -A "$chain" -j DROP
  echo " Done....${label} chain is running"
done

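##############################################################################
# Firewall rules
##############################################################################
echo "Setting up DMZ portfarwarding"

# Forward one TCP port from the gateway's WAN address to the same port on
# ATLANTIS in the DMZ.
# Arguments: $1 - TCP port number
# Appends the DNAT in nat/PREROUTING that rewrites the destination, plus the
# ACCEPT in the wantodmz FORWARD chain that the rewritten packet then hits.
# Reads ETH_WAN, WAN and ATLANTIS.  Having one helper also removes the
# misspelt variable names of the original ($ATANLTIS for SSH, $ATALNTIS for
# IMAP), which expanded to nothing and produced a broken '--to-destination :22'.
forward_to_atlantis() {
  local port=$1
  iptables -t nat -A PREROUTING -i "$ETH_WAN" -d "$WAN" -p tcp --dport "$port" \
    -j DNAT --to-destination "$ATLANTIS:$port"
  iptables -A wantodmz -d "$ATLANTIS" -p tcp --dport "$port" -j ACCEPT
}

forward_to_atlantis 22    # SSH
forward_to_atlantis 25    # SMTP
# In the archive copy the HTTP and IMAP DNAT lines had been joined onto their
# comment lines and were therefore never executed; restored here.
forward_to_atlantis 80    # HTTP
forward_to_atlantis 143   # IMAP

echo " Done.... DMZ portforwarding is up and running"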

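# ICMP addressed to the gateway itself.  These are appended straight to INPUT,
# ahead of the per-interface jumps added at the end of the script, so they are
# evaluated first.
echo "Setting up incomming icmp"
# From the WAN only echo-request (ping) is accepted ...
iptables -t filter -A INPUT -i "$ETH_WAN" -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
# ... while LAN and DMZ may send any ICMP type.
iptables -t filter -A INPUT -i "$ETH_LAN" -p icmp -m state --state NEW -j ACCEPT
iptables -t filter -A INPUT -i "$ETH_DMZ" -p icmp -m state --state NEW -j ACCEPT
echo " Done....ICMP is is running"

# Source NAT: traffic leaving on the WAN interface from the LAN or the DMZ is
# rewritten to come from the gateway's single external address.
echo "Setting up masquerading - NAT chains"
iptables -t nat -A POSTROUTING -s "$LAN" -o "$ETH_WAN" -j SNAT --to-source "$WAN"
iptables -t nat -A POSTROUTING -s "$DMZ" -o "$ETH_WAN" -j SNAT --to-source "$WAN"
echo " Done....NAT chains are up and running"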

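# The FORWARD rules, one chain per direction.
echo "Setting up the rules"

# DMZ -> WAN: ATLANTIS may open SMTP connections outward; otherwise replies
# only.  Unmatched packets are logged and fall through to the FORWARD policy
# (the explicit DROP was left commented out in the original).
iptables -A dmztowan -s "$ATLANTIS" -p tcp --dport 25 -j ACCEPT
iptables -A dmztowan -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A dmztowan -j LOG --log-prefix "FW DMZTOWAN:"
#iptables -A dmztowan -j DROP

# WAN -> DMZ
# NOTE(review): this accepts NEW connections to any DMZ port, so the per-port
# ACCEPTs installed with the port forwards above never decide anything, and
# every DMZ service becomes reachable from the WAN side wherever that side can
# route to the DMZ network directly.  Use ESTABLISHED,RELATED here if only the
# forwarded ports are meant to be reachable.
iptables -A wantodmz -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A wantodmz -j LOG --log-prefix "FW WANTODMZ:"
#iptables -A wantodmz -j DROP

# DMZ -> LAN: replies only, plus one SMTP exception.
# NOTE(review): -s "$WAN" is the gateway's own external address, which cannot
# be the source of a packet arriving on ETH_DMZ; "$ATLANTIS" was probably
# intended — confirm before relying on this rule.
iptables -A dmztolan -s "$WAN" -d "$LAN" -p tcp --dport 25 -j ACCEPT
iptables -A dmztolan -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A dmztolan -j LOG --log-prefix "FW DMZTOLAN:"
iptables -A dmztolan -j DROP

# LAN -> DMZ
iptables -A lantodmz -s "$LAN" -d "$DMZ" -p tcp --dport 80 -j ACCEPT
iptables -A lantodmz -s "$LAN" -d "$DMZ" -p tcp --dport 22 -j ACCEPT
iptables -A lantodmz -s "$LAN" -d "$DMZ" -p tcp --dport 25 -j ACCEPT
iptables -A lantodmz -s "$LAN" -d "$DMZ" -p tcp --dport 143 -j ACCEPT
# In the archive copy the next rule had been joined onto the comment
# "Logning af trafik" and so was never run; restored as its own line.  It
# accepts every new LAN -> DMZ connection and therefore supersedes the four
# port rules above — delete it to limit LAN -> DMZ to those ports.
iptables -A lantodmz -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A lantodmz -j LOG --log-prefix "FW LANTODMZ:"
iptables -A lantodmz -j DROP

# LAN -> WAN: the listed ports, followed by an accept of every other new
# connection, so the port list is informational only.
iptables -A lantowan -s "$LAN" -p tcp --dport 80 -j ACCEPT
iptables -A lantowan -s "$LAN" -p tcp --dport 443 -j ACCEPT
iptables -A lantowan -s "$LAN" -p tcp --dport 21 -j ACCEPT
iptables -A lantowan -s "$LAN" -p tcp --dport 22 -j ACCEPT
iptables -A lantowan -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A lantowan -j LOG --log-prefix "FW LANTOWAN:"
iptables -A lantowan -j DROP

# WAN -> LAN.  In the archive copy an ACCEPT of NEW,ESTABLISHED,RELATED had
# been joined onto the comment line and was not run.  It is deliberately not
# restored: it would let any WAN host open connections into the LAN.  What
# this chain does need is the reply traffic of LAN-initiated connections,
# which the original (as archived) logged and dropped; ESTABLISHED,RELATED
# covers exactly that.  A port forward to HERCULES would additionally need an
# ACCEPT on the DNAT'd destination and port (e.g. -d "$HERCULES" -p tcp
# --dport <PORT>), not a blanket NEW accept.
iptables -A wantolan -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A wantolan -j LOG --log-prefix "FW WANTOLAN PORTFWD:"
iptables -A wantolan -j DROP

echo " Done....Firewall rules is up and running"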

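# Connection-tracking helper modules.  iptables normally auto-loads the table
# and match modules the rules above use, so this late modprobe mainly matters
# for the FTP helpers, which nothing requests implicitly.  (ip_nat_ftp and
# ip_conntrack_ftp are the 2.4/early-2.6 names; later kernels ship them as
# nf_nat_ftp and nf_conntrack_ftp.)
echo "Loading the modules"
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp
echo " Done...."

# Hook the user chains in: INPUT dispatches on the incoming interface, FORWARD
# on the (in, out) interface pair.  Because these jumps are appended last, the
# ICMP accepts added to INPUT earlier are consulted before them.
echo "Activating the chains"
iptables -A INPUT -i "$ETH_LAN" -j lan
iptables -A INPUT -i "$ETH_WAN" -j wan
iptables -A INPUT -i "$ETH_DMZ" -j dmz
iptables -A INPUT -i "$ETH_LO" -j lo
iptables -A FORWARD -i "$ETH_WAN" -o "$ETH_DMZ" -j wantodmz
iptables -A FORWARD -i "$ETH_WAN" -o "$ETH_LAN" -j wantolan
iptables -A FORWARD -i "$ETH_LAN" -o "$ETH_DMZ" -j lantodmz
iptables -A FORWARD -i "$ETH_LAN" -o "$ETH_WAN" -j lantowan
iptables -A FORWARD -i "$ETH_DMZ" -o "$ETH_WAN" -j dmztowan
iptables -A FORWARD -i "$ETH_DMZ" -o "$ETH_LAN" -j dmztolan

# The original message had a stray newline inside the quotes and printed as
# two lines; emitted on one line like the other status messages.
echo " Done.... activating the chains"

# Re-enable forwarding now that the complete rule set is in place.  In the
# archive copy this command had been joined onto its comment line, so
# forwarding stayed disabled after the script finished.
echo 1 > /proc/sys/net/ipv4/ip_forward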

Dette virker således at der er hul udefra og ind til serveren i DMZ!
Men fra LAN kan jeg ikke komme ind til DMZ!

Jeg har fået hug nok for at skrive de scripts jeg laver enormt lange - Men så meget er jeg ikke inde i IPTABLES endnu - så jeg ved mere om det! Men man skal jo lære et eller andet sted!

Per Jørgensen



 