Участник:MichaelShigorin/NAT


NAT memo

net.ipv4.ip_forward = 1 в /etc/net/sysctl.conf или /etc/sysctl.conf (применить сразу, без перезапуска сети: sysctl -w net.ipv4.ip_forward=1); проверка: cat /proc/sys/net/ipv4/ip_forward. После этого хост становится маршрутизатором, а правила ниже доверяют сети 10.1.1.0/24 по адресу отправителя, поэтому там же имеет смысл включить проверку обратного маршрута: net.ipv4.conf.all.rp_filter = 1 (пакет с «внутренним» адресом, пришедший с внешнего интерфейса, будет отброшен ядром ещё до iptables).

ftpd NAT

vsftpd iptables nat example

  • /etc/sysconfig/iptables:
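*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Source NAT only for the published host, and only when its traffic leaves
# through the external interface (eth0 -- the interface the eth0-in/eth0-out
# chains in *filter associate with _REAL_IP). Traffic towards any other
# directly attached network keeps its real address.
-A POSTROUTING -s 10.1.1.102 -o eth0 -j SNAT --to-source _REAL_IP
# Port forwarding for ftp/http/rsync, bound to the external interface.
# Without "-i eth0" a LAN client connecting to _REAL_IP would also be DNATed
# to 10.1.1.102, which -- being on the same subnet -- typically answers the
# client directly, so the client sees replies from 10.1.1.102 instead of
# _REAL_IP and the connection fails (NAT hairpin). If LAN access through
# _REAL_IP is actually wanted, drop "-i eth0" again and add a hairpin SNAT:
#   -A POSTROUTING -s 10.1.1.0/24 -d 10.1.1.102 -p tcp -m multiport --dports 21,80,873 -j MASQUERADE
-A PREROUTING -i eth0 -d _REAL_IP -p tcp -m tcp --dport 21 -j DNAT --to-destination 10.1.1.102:21
-A PREROUTING -i eth0 -d _REAL_IP -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.1.1.102:80
-A PREROUTING -i eth0 -d _REAL_IP -p tcp -m tcp --dport 873 -j DNAT --to-destination 10.1.1.102:873
COMMIT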

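*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:eth0-in - [0:0]
:eth0-out - [0:0]
:bad-packets - [0:0]
:banned - [0:0]
:icmp-flood - [0:0]
:syn-flood - [0:0]
### anti-spoofing: the LAN/loopback rules below trust the source address
### only, so refuse such sources when they arrive on the external interface
### (eth0, which the eth0-in/eth0-out chains tie to _REAL_IP). The kernel
### already discards 127/8 from a real NIC; the rule is belt and braces.
### net.ipv4.conf.all.rp_filter=1 in sysctl gives the same protection.
-A INPUT -i eth0 -s 10.1.1.0/24 -j DROP
-A INPUT -i eth0 -s 127.0.0.0/8 -j DROP
-A FORWARD -i eth0 -s 10.1.1.0/24 -j DROP

# Loopback and LAN traffic is trusted.
-A INPUT -i lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
-A INPUT -i lo -s 127.0.0.1 -d 10.1.1.0/24 -j ACCEPT
-A INPUT -s 10.1.1.0/24 -d 10.1.1.0/24 -j ACCEPT
-A INPUT -s 10.1.1.0/24 -d _REAL_IP -j ACCEPT
-A INPUT -s _REAL_IP -d 10.1.1.0/24 -j ACCEPT

# Rate limits and TCP/ICMP sanity checks for everything else; forwarded
# traffic gets the same sanity checks (the original only checked INPUT).
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j syn-flood
-A INPUT -p icmp -j icmp-flood
-A INPUT -j bad-packets
-A FORWARD -j bad-packets
-A INPUT -d _REAL_IP -j eth0-in

# Ident probes get an immediate reset instead of timing out.
-A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset
# The blacklist is consulted for forwarded traffic only; services running on
# this host itself are not covered by it.
-A FORWARD -j banned

# NOTE(review): port 80 on _REAL_IP is DNATed in PREROUTING and never reaches
# INPUT, so this rule only exposes a local web server on the host's other
# addresses (the LAN side is already accepted above). Remove if unintended.
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

# Replies and helper-tracked connections. With ip_conntrack_ftp/ip_nat_ftp
# loaded the ftp data channels (active and passive) are RELATED, so the
# former "--sport 21 --state NEW" rule is not needed -- and it was unsafe:
# anything sent from source port 21 was forwarded as a new connection.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# New inbound connections are accepted only for the published services on
# the DNAT target, not for the whole 10.1.1.0/24 (the old "-d 10.1.1.0/24"
# rule also forwarded anything a neighbour on eth0 routed at the LAN).
-A FORWARD -i eth0 -d 10.1.1.102 -p tcp -m multiport --dports 21,80,873 -m state --state NEW -j ACCEPT
# LAN hosts may open anything outbound; spoofed LAN sources on eth0 were
# dropped at the top of the chain.
-A FORWARD -s 10.1.1.0/24 -j ACCEPT

-A OUTPUT -s _REAL_IP -j eth0-out

### chain library
# eth0-in / eth0-out are empty hooks: per-interface rules go here.
-A eth0-in -i eth0 -j RETURN
-A eth0-out -o eth0 -j RETURN

# Echo requests are rate limited; other ICMP returns to INPUT and is dropped
# by the policy unless it belongs to an existing connection.
-A icmp-flood -p icmp -m icmp --icmp-type 8 -m limit --limit 5/s --limit-burst 25 -j ACCEPT
-A icmp-flood -p icmp -m icmp --icmp-type 8 -j DROP

# NOTE: "-m limit" is one global bucket, so a single SYN flood makes the host
# drop everybody's new connections. Where the hashlimit match is available,
# a per-source bucket is preferable, e.g.
#   -A syn-flood -m hashlimit --hashlimit-name synflood --hashlimit-mode srcip --hashlimit-upto 10/sec --hashlimit-burst 50 -j RETURN
-A syn-flood -m limit --limit 10/sec --limit-burst 50 -j RETURN
-A syn-flood -j DROP

-A bad-packets -m state --state INVALID -j DROP
# Unsolicited SYN/ACK is answered with a reset (the usual rationale: a peer
# that received a SYN spoofed with our address then drops the half-open
# connection). It must precede the generic "new but not a plain SYN" drop
# below, which also matches SYN/ACK -- in the original order it never fired.
-A bad-packets -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
-A bad-packets -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
-A bad-packets -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A bad-packets -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP

## formspammers
-A banned -s 213.167.55.98 -j DROP
-A banned -s 216.235.60.26 -j DROP
-A banned -s 212.97.35.12  -j DROP

## geocities.com (kiddies)
-A banned -s 66.218.77.68 -j DROP
## broken requests
-A banned -s 87.99.21.129 -j DROP
-A banned -j RETURN

COMMIT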
  • /etc/sysconfig/iptables_modules (FTP-хелперы conntrack и NAT, без них соединения данных FTP не будут проходить как RELATED; в современных ядрах модули называются nf_conntrack_ftp и nf_nat_ftp, а начиная с 4.7 автоматическая привязка хелпера по порту по умолчанию выключена (в 6.0 удалена совсем) — её нужно задавать явно правилом вида iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp):
ip_conntrack_ftp
ip_nat_ftp
  • /etc/vsftpd.conf:
# ...
# Active-mode data connections are opened by the server itself from port 20;
# the ftp conntrack/NAT helper listed above is what lets them through the
# firewall as RELATED, so no extra FORWARD rule is required.
# NOTE(review): for passive mode behind this NAT, pasv_address=_REAL_IP and a
# fixed pasv_min_port/pasv_max_port range may be needed if the NAT helper is
# not active -- confirm against the deployed vsftpd.
connect_from_port_20=YES
# ...