Iptables/sample4router
gateway iptables example
A boilerplate /etc/sysconfig/iptables for a typical office router with two Ethernet interfaces: one faces the outside world, e.g. a DSL link (_REAL_IP), the other the LAN (10.0.0.0/24). Put together a long time ago; it makes no claim to anything special.
Usage:
- cp -a /etc/sysconfig/iptables /etc/sysconfig/iptables.bak
- save the text below to /etc/sysconfig/iptables
- or wget -O /etc/sysconfig/iptables http://fly.osdn.org.ua/~mike/docs/iptables-sample4router
- be sure to check it with your own eyes; who knows what you might get fed from the internet
- subst 's,_REAL_IP,<your_external_IP_address>,g' /etc/sysconfig/iptables
- $EDITOR /etc/sysconfig/iptables
# setup:
# world<->eth0[_REAL_IP]:::eth1[10.0.0.254]<->LAN
# _REAL_IP:_EXT_PORT is port-forwarded to _INT_HOST:_INT_PORT
# everything from inside gets masqueraded,
# with a few host-specific exceptions;
# everything from outside gets dropped unless
# targets explicitly allowed port
# or is a response to our request
# eth0-in/eth0-out count [paid] external traffic
# Generated by iptables-save v1.2.6a on Thu Nov 21 21:15:39 2002
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d _REAL_IP -i eth0 -p tcp -m tcp --dport _EXT_PORT -j DNAT --to-destination _INT_HOST:_INT_PORT
# note: "-d ! net" / "-i ! if" is iptables 1.2 syntax; current iptables writes "! -d" / "! -i" and only warns about the old form
-A POSTROUTING -s 10.0.0.0/24 -d ! 10.0.0.0/24 -j SNAT --to-source _REAL_IP
COMMIT
# Completed on Thu Nov 21 21:15:39 2002
# Generated by iptables-save v1.2.6a on Thu Nov 21 21:15:39 2002
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Thu Nov 21 21:15:39 2002
# Generated by iptables-save v1.2.6a on Thu Nov 21 21:15:39 2002
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:eth0-in - [0:0]
:eth0-out - [0:0]
:tcprules - [0:0]
-A INPUT -i eth0 -j eth0-in
-A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
-A INPUT -s 10.0.0.0/24 -d 10.0.0.254 -i eth1 -j ACCEPT
-A INPUT -s 10.0.0.0/24 -d _REAL_IP -i eth1 -j ACCEPT
-A INPUT -d _REAL_IP -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -d _REAL_IP -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -d _REAL_IP -i eth0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -d _REAL_IP -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -d _REAL_IP -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -d _REAL_IP -i eth0 -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -d _REAL_IP -i eth0 -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset
-A INPUT -j tcprules
# block :25 to world (only through 10.0.0.1:25)
-A FORWARD -s 10.0.0.0/24 -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j tcprules
-A OUTPUT -o eth0 -j eth0-out
-A eth0-in -j RETURN
-A eth0-out -j RETURN
-A tcprules -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A tcprules -i ! eth0 -m state --state NEW -j ACCEPT
-A tcprules -i eth0 -m state --state INVALID,NEW -j DROP
-A tcprules -i eth0 -j REJECT --reject-with icmp-host-unreachable
COMMIT
# Completed on Thu Nov 21 21:15:39 2002
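The usage steps above substitute only _REAL_IP, yet the nat PREROUTING rule also carries _EXT_PORT, _INT_HOST and _INT_PORT, and iptables-restore rejects the whole file if any of them is left in place. The POSIX sh script below is an added example, not part of the original page or its template: it fills all four names with sed (standing in for ALT's subst), validates the values, and refuses to emit a ruleset in which a placeholder survives. The address 203.0.113.5, the port numbers and the two-rule excerpt used for the stand-alone run are constructed, not taken from the page.

```shell
#!/bin/sh
# Added example, not part of the original page or its template: fill in
# every placeholder (_REAL_IP, _EXT_PORT, _INT_HOST, _INT_PORT), validate
# the values, and refuse to emit a ruleset in which a placeholder remains.
# Usage: fill_template REAL_IP EXT_PORT INT_HOST INT_PORT < template > out

valid_ipv4() {
    # Four dotted decimal octets, each 0..255, in pure POSIX sh.
    case $1 in
        *[!0-9.]*|*..*|.*|*.|*.*.*.*.*) return 1 ;;
        *.*.*.*) ;;
        *) return 1 ;;
    esac
    oldifs=$IFS; IFS=.
    for octet in $1; do
        [ "$octet" -le 255 ] || { IFS=$oldifs; return 1; }
    done
    IFS=$oldifs
}

valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

fill_template() {
    valid_ipv4 "$1" && valid_ipv4 "$3" || { echo "bad IPv4 address" >&2; return 1; }
    valid_port "$2" && valid_port "$4" || { echo "bad port number" >&2; return 1; }
    # Same substitution the page's subst step does, extended to all four names;
    # ',' is a safe sed delimiter because addresses and ports never contain it.
    out=$(sed -e "s,_REAL_IP,$1,g" -e "s,_EXT_PORT,$2,g" \
              -e "s,_INT_HOST,$3,g" -e "s,_INT_PORT,$4,g") || return 1
    # A leftover _UPPERCASE token (e.g. "--dport _EXT_PORT") would make
    # iptables-restore reject the whole file, so report it and emit nothing.
    left=$(printf '%s\n' "$out" | grep -o '_[A-Z][A-Z_]*' | sort -u)
    if [ -n "$left" ]; then
        echo "unreplaced placeholder(s): $left" >&2
        return 1
    fi
    printf '%s\n' "$out"
}

# Constructed two-rule excerpt of the page's template for a stand-alone run.
sample_template() {
    cat <<'EOF'
-A PREROUTING -d _REAL_IP -i eth0 -p tcp -m tcp --dport _EXT_PORT -j DNAT --to-destination _INT_HOST:_INT_PORT
-A POSTROUTING -s 10.0.0.0/24 -d ! 10.0.0.0/24 -j SNAT --to-source _REAL_IP
EOF
}
```

Running `sample_template | fill_template 203.0.113.5 8080 10.0.0.10 80` prints the two rules with every placeholder filled; the real workflow is `fill_template ... < iptables-sample4router > /etc/sysconfig/iptables`, followed by the manual read-through the page asks for.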