Iptables example scripts and information
Source: Lambda
---------- huge tutorial -------------------------
see: http://iptables-tutorial.frozentux.net/iptables-tutorial.html

---------------- setup --------------------------------
Kernel options must be configured:
  Networking -> Networking Options -> Network packet filtering (replaces ipchains) -> IP: Netfilter Configuration
It is safe to enable all modules. I recommend compiling the ftp and other connection tracking modules as modules, not into the kernel, so that you can verify they are loaded and functioning.
The iptables package must be installed.
Run all iptables commands as root.
Test the results of the commands: they should have immediate effect.

---------------- first example script ----------------
#!/bin/bash
set -x

# Load needed kernel modules
modprobe ip_conntrack
modprobe ip_conntrack_ftp

# Clear any existing firewall stuff before we start
iptables --flush
iptables -t nat --flush
iptables -t mangle --flush

# As the default policies, drop all incoming traffic but allow all
# outgoing traffic. This will allow us to make outgoing connections
# from any port, but will only allow incoming connections on the ports
# specified below.
iptables --policy INPUT DROP
iptables --policy OUTPUT ACCEPT

----------------- second example script -------------
#!/bin/bash

# flush all chains
iptables -F

# set the default policy for each of the pre-defined chains
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# allow establishment of connections initialised by my outgoing packets
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# drop everything else
iptables -A INPUT -i eth+ -p udp -j DROP
iptables -A INPUT -i eth+ -p tcp -m tcp --syn -j DROP

# accept anything on localhost
iptables -A INPUT -i lo -j ACCEPT

------------ third example script ---------------
#!/bin/sh
# firewall.sh - Configurable per-host firewall for workstations and
# servers. (c) 2003 Tero Karvinen - tero karvinen at iki fi - GPL

# Cleanup old rules
# The firewall stays in a secure, closed state the whole time
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables --flush          # Flush all rules, but keep policies
iptables --delete-chain

## Workstation Minimal firewall ###
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -A INPUT -i lo --source 127.0.0.1 --destination 127.0.0.1 -j ACCEPT
iptables -A INPUT -m state --state "ESTABLISHED,RELATED" -j ACCEPT
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

####### HOLES #######
# Edit holes below, then run this script again
#iptables -A INPUT -p tcp --dport ssh -j ACCEPT
#iptables -A INPUT -p tcp --dport http -j ACCEPT
#iptables -A INPUT -p tcp --dport https -j ACCEPT
##################### Edit above

iptables -A INPUT -j LOG -m limit --limit 40/minute
iptables -A INPUT -j DROP

# Save
iptables-save > /etc/sysconfig/iptables
echo ": Done."

----------- complex example script for routing and nat: two subnets ----
# Drop packets arriving on the external interface that claim to come from localhost
iptables -I INPUT -s localhost -i eth0 -j DROP
# multiport needs -p tcp and takes --dports (the original had "-m tcp -m match multiport --dport")
iptables -A INPUT -p tcp -m multiport --dports 22,21,80,443 -j ACCEPT
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# multiport is one match module; "-m udp multiports" in the original is not valid syntax
iptables -A INPUT -i eth0 -p udp -m multiport --dports 57,63 -j REJECT --reject-with icmp-port-unreachable
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p icmp -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -j LOG --log-prefix "[INPUT DROPPED]:" --log-level debug

# Forwarding between the two internal subnets (eth1: 192.168.2.0/24, eth2: 10.1.1.0/24)
iptables -I FORWARD -d 10.1.1.0/24 -i eth2 -j ACCEPT
iptables -A FORWARD -d 192.168.2.0/24 -i eth1 -j ACCEPT
iptables -A FORWARD -s 10.1.1.0/24 -i eth1 -j ACCEPT
iptables -A FORWARD -s 192.168.2.0/24 -i eth2 -j ACCEPT
iptables -A FORWARD -j LOG --log-prefix "[FORWARD DROPPED]:" --log-level debug
iptables -P FORWARD DROP

# NAT: masquerade on every interface, and forward external port 8080 to an internal host
iptables -t nat -I POSTROUTING -o eth2 -j MASQUERADE
iptables -t nat -I POSTROUTING -o eth1 -j MASQUERADE
iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -I PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 10.1.1.2
---------
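The third script expects you to edit the HOLES block by hand and re-run it. As an added example (not part of the original page or of Tero Karvinen's firewall.sh), the following sh script generates that same workstation ruleset with the holes taken from arguments, validates the ports, and checks that the LOG rule still precedes the final DROP before anything is applied; the iptables binary name (IPT) and the accepted port syntax are assumptions.

```shell
#!/bin/sh
# Added example: emit the "workstation minimal firewall" as a rule list.
# Nothing is applied unless the output is piped to sh as root.

IPT="${IPT:-iptables}"   # assumption: iptables binary name, override via env

# Accept numeric ports 1-65535 or lowercase service names such as ssh/http.
valid_port() {
    case "$1" in
        ''|*[!0-9a-z-]*) return 1 ;;              # empty or odd characters
        *[!0-9]*) return 0 ;;                      # service name, e.g. "ssh"
        *) [ "$1" -ge 1 ] && [ "$1" -le 65535 ] ;; # numeric range check
    esac
}

# Print the full rule list. Order matters: the ESTABLISHED,RELATED rule
# must precede the holes, and LOG must precede the final DROP.
workstation_rules() {
    printf '%s -P INPUT DROP\n%s -P FORWARD DROP\n' "$IPT" "$IPT"
    printf '%s --flush\n%s --delete-chain\n' "$IPT" "$IPT"
    printf '%s -A INPUT -i lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT\n' "$IPT"
    printf '%s -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n' "$IPT"
    for t in destination-unreachable time-exceeded echo-request echo-reply; do
        printf '%s -A INPUT -p icmp --icmp-type %s -j ACCEPT\n' "$IPT" "$t"
    done
    for port in "$@"; do                           # the HOLES section
        valid_port "$port" || { echo "bad port: $port" >&2; return 1; }
        printf '%s -A INPUT -p tcp --dport %s -j ACCEPT\n' "$IPT" "$port"
    done
    printf '%s -A INPUT -m limit --limit 40/minute -j LOG\n' "$IPT"
    printf '%s -A INPUT -j DROP\n' "$IPT"
}

# Sanity check on the generated list: the LOG rule has to come before DROP,
# otherwise dropped packets are never logged.
log_before_drop() {
    workstation_rules "$@" | awk '
        /-j LOG/                { log_line = NR }
        /-A INPUT/ && /-j DROP/ { drop_line = NR }
        END { exit !(log_line && drop_line && log_line < drop_line) }'
}

# Usage (as root): workstation_rules ssh 443 | sh
```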