  1. #1

    iptables for transparent proxy

    Hi, I'm trying to set up iptables for a transparent proxy.

    The problem I have is that if I don't set the default policy for INPUT and OUTPUT to ACCEPT, the clients can't browse the internet.
    I'm posting the config so you can take a look.

    I WOULD LIKE all the policies to be DROP.

    thanks
    bye
    code:
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     tcp  --  151.11.128.0/23      anywhere            tcp dpt:17800
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:3128
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
    LOG        all  --  anywhere             anywhere            LOG level warning prefix `FIREWALL (INPUT): '
    
    Chain FORWARD (policy DROP)
    target     prot opt source               destination
    da-lan-a-wan  all  --  anywhere             anywhere
    da-wan-a-lan  all  --  anywhere             anywhere
    LOG        all  --  anywhere             anywhere            LOG level warning prefix `FIREWALL (FORWARD): '
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
    LOG        all  --  anywhere             anywhere            LOG level warning prefix `FIREWALL (OUTPUT): '
    
    Chain da-lan-a-wan (1 references)
    target     prot opt source               destination
    DROP       all  -- !192.168.101.0/24     anywhere
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:imap2
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:17800
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:16000
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp-data
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:webcache
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:imaps
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3s
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssmtp
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:5900
    ACCEPT     icmp --  anywhere             151.11.128.0/23
    ACCEPT     tcp  --  anywhere             stampante.area.trieste.it tcp dpt:9100
    ACCEPT     udp  --  anywhere             stampante.area.trieste.it udp dpt:47545
    ACCEPT     udp  --  anywhere             anywhere            udp dpt:isakmp
    ACCEPT     udp  --  anywhere             anywhere            udp dpt:4500
    ACCEPT     udp  --  anywhere             anywhere            udp dpt:radius
    ACCEPT     udp  --  anywhere             anywhere            udp dpt:radius-acct
    ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
    ACCEPT     udp  --  anywhere             anywhere            udp dpt:ntp
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
    REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
    
    Chain da-wan-a-lan (1 references)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
    REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset

  2. #2
    I solved it by also opening TCP and UDP for DNS in OUTPUT, because it is squid that makes the request outside, so that request is generated by the machine itself.

    thanks, bye

    PS: any further advice is welcome.
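    The rule set the thread converges on, written out as an added example (it is not code from any post here): all three filter policies set to DROP, the LAN's port-80 traffic redirected to Squid, and the connections Squid itself originates (DNS and the outbound HTTP fetch) opened in OUTPUT, which is what post #2 found missing. Assumed and adjustable: LAN 192.168.101.0/24 on eth0, WAN on eth1, Squid on port 3128 on the firewall; FORWARD rules for other LAN traffic are left out.

    ```shell
    #!/bin/sh
    # Added example (not from the thread): DROP policies everywhere, transparent
    # Squid still working. Assumed layout: LAN 192.168.101.0/24 on eth0, WAN on
    # eth1, Squid listening on 3128 on the firewall itself.
    # IPT defaults to a dry run that only prints the commands; run with
    # IPT=/sbin/iptables to apply them for real.
    IPT="${IPT:-echo /sbin/iptables}"
    LAN_IF=eth0
    WAN_IF=eth1
    LAN_NET=192.168.101.0/24
    PROXY_PORT=3128

    apply_rules() {
        $IPT -F
        $IPT -t nat -F
        $IPT -P INPUT DROP
        $IPT -P FORWARD DROP
        $IPT -P OUTPUT DROP

        # Loopback is needed even with DROP policies: Squid and the local
        # resolver talk to 127.0.0.1, and that traffic crosses INPUT/OUTPUT too.
        $IPT -A INPUT -i lo -j ACCEPT
        $IPT -A OUTPUT -o lo -j ACCEPT

        # Replies to connections the firewall already opened.
        $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
        $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

        # Transparent proxy: LAN port-80 traffic is redirected to Squid before
        # routing. A redirected packet is delivered locally, so it traverses
        # INPUT with --dport 3128, not FORWARD; only the LAN may reach that port,
        # from the WAN it stays closed by the DROP policy.
        $IPT -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 -j REDIRECT --to-port "$PROXY_PORT"
        $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$PROXY_PORT" -j ACCEPT

        # Squid itself originates the DNS lookups and the outbound HTTP fetch,
        # so with OUTPUT DROP they must be opened explicitly (post #2's finding).
        $IPT -A OUTPUT -o "$WAN_IF" -p udp --dport 53 -j ACCEPT
        $IPT -A OUTPUT -o "$WAN_IF" -p tcp --dport 53 -j ACCEPT
        $IPT -A OUTPUT -o "$WAN_IF" -p tcp --dport 80 -j ACCEPT

        # Everything else is logged, then dropped by the chain policies.
        # Add your own FORWARD rules (as in the da-lan-a-wan chain) for other traffic.
        $IPT -A INPUT -j LOG --log-prefix "FIREWALL (INPUT): "
        $IPT -A OUTPUT -j LOG --log-prefix "FIREWALL (OUTPUT): "
        $IPT -A FORWARD -j LOG --log-prefix "FIREWALL (FORWARD): "
    }

    apply_rules
    ```
    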

  3. #3
    Try using this configuration file...

    1- copy and paste (adapting it to your needs) the following script into a configuration file, for example iptables.sh
    2- chmod +x iptables.sh
    3- sh iptables.sh


    --enjoy!

    I hope it helps

    #!/bin/sh
    # ** Iptables configuration file **
    # www.linuxguide.it - Domenico Rigattieri
    #
    ### DEBUGGING ###
    # Enable script-level debugging
    set -x
    #
    ### FLUSHING CHAIN ###
    # Flush the rules
    /sbin/iptables -F
    # Delete any user-defined chains
    /sbin/iptables -X
    # Zero the counters
    /sbin/iptables -Z
    #
    ### SETTING IPFORWARDING ###
    /bin/echo "1" > /proc/sys/net/ipv4/ip_forward
    ### DISABLE RESPOND TO BROADCAST ICMP ### (Do not answer pings sent to the subnet broadcast address)
    /bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    ### ENABLE BAD ERROR MESSAGE PROTECTION ### (Ignore bogus ICMP error messages)
    /bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
    ### DISABLE ICMP REDIRECT ACCEPTANCE ### (Do not accept ICMP route redirect packets)
    /bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
    ### SETTING ANTISPOOFING PROTECTION ###
    /bin/echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
    ### Disabling ECN (explicit congestion notification)
    echo "0" > /proc/sys/net/ipv4/tcp_ecn
    ### LOG ALL IMPOSSIBLE IP ###
    /bin/echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
    #
    #
    ### Load kernel modules
    modprobe ip_tables
    modprobe ip_conntrack
    modprobe ip_conntrack_ftp
    #---------------------------------------------------------------
    # || VARIABLES ||
    #---------------------------------------------------------------
    INSIDE=eth0
    OUTSIDE=eth1
    HOMENET=192.168.1.0/24
    IPOUTSIDE=85.37.241.210
    IPINSIDE=192.168.1.1
    #
    #---------------------------------------------------------------
    # || FLOW DEFINITIONS ||
    #---------------------------------------------------------------
    /sbin/iptables -N inside2outside
    /sbin/iptables -N outside2inside
    /sbin/iptables -N ANTISCAN
    /sbin/iptables -N ANTISPOOF
    #
    # > FORWARD chains
    /sbin/iptables -A FORWARD -i $INSIDE -o $OUTSIDE -j inside2outside
    /sbin/iptables -A FORWARD -i $OUTSIDE -o $INSIDE -j outside2inside
    #
    #
    #
    #:::::::::::::::::::::::::::: NAT RULES :::::::::::::::::::::::::::::::::::::::::
    #.................................................................................
    #.................................................................................
    #---------------------------------------------------------------
    # || Include Nat Rules ||
    #---------------------------------------------------------------
    # Reset nat
    /sbin/iptables -t nat -F
    # Set PAT (Port Address Translation)
    /sbin/iptables -t nat -A POSTROUTING -o $OUTSIDE -j MASQUERADE
    #
    ## REDIRECTION - Transparent Proxy
    # Port-80/443 traffic from the LAN that is not for the LAN itself goes to the proxy on 8080
    /sbin/iptables -t nat -A PREROUTING -i $INSIDE -p tcp -s 0.0.0.0/0 ! -d $HOMENET --dport 80 -j REDIRECT --to-port 8080
    /sbin/iptables -t nat -A PREROUTING -i $INSIDE -p tcp -s 0.0.0.0/0 ! -d $HOMENET --dport 443 -j REDIRECT --to-port 8080
    #
    #::::::::::::::::::::::::: TCP/UDP PORT GROUP DEFINITIONS ::::::::::::::::::::::::::::
    #..WARNING: MAX 15 PORTS PER GROUP (multiport limit)!.................................
    #......................................................................................
    # > TCP GROUPS
    GROUP1_TCP="23,smtp,pop3,imap2,143,220,445,993,995,http,https,ftp,ftp-data"
    GROUP2_TCP="3389,ssh,domain,123"
    # > UDP GROUPS
    GROUP1_UDP="domain,imap2,143,220,445,993,995"
    GROUP2_UDP="123"
    # > OTHER GROUPS
    #
    #
    #::::::: FILTERING RULES APPLIED TO THE FIREWALL IN/OUT :::::::::::::::::::::::
    #................................................................................
    #................................................................................
    #---------------------------------------------------------------
    # || PACKET FILTERING FROM / TO FIREWALL ||
    #---------------------------------------------------------------
    # > INPUT chains
    /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    /sbin/iptables -A INPUT -i $OUTSIDE -j ANTISPOOF
    /sbin/iptables -A INPUT -i $OUTSIDE -j ANTISCAN
    /sbin/iptables -A INPUT -i lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport ssh -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    # Redirected LAN traffic reaches the proxy port through INPUT
    /sbin/iptables -A INPUT -i $INSIDE -p tcp --dport 8080 -j ACCEPT
    /sbin/iptables -A INPUT -i $INSIDE -p udp --dport 514 -j ACCEPT
    /sbin/iptables -A INPUT -i $INSIDE -p udp --dport 53 -j ACCEPT
    /sbin/iptables -A INPUT -i $INSIDE -p tcp --dport 53 -j ACCEPT
    /sbin/iptables -A INPUT -p icmp -i $INSIDE -s $HOMENET --icmp-type echo-request -j ACCEPT
    /sbin/iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
    /sbin/iptables -A INPUT -i $OUTSIDE -j LOG --log-prefix "From<--Internet "
    /sbin/iptables -A INPUT -i $INSIDE -j LOG --log-prefix "From-->LAN "
    /sbin/iptables -A INPUT -j DROP
    #
    # > OUTPUT chains
    /sbin/iptables -A OUTPUT -o lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
    /sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    #/sbin/iptables -A OUTPUT -m pkttype --pkt-type unicast -j LOG --log-prefix " -> OUTPUT " --log-level debug
    /sbin/iptables -A OUTPUT -j ACCEPT
    #
    #
    #
    #:::::::::::::::::: FILTERING RULES ON THE INTERFACES :::::::::::::::::::::::
    #................................................................................
    #................................................................................
    #---------------------------------------------------------------
    # || DEFINITION OF THE inside2outside RULES INSIDE->INTERNET ||
    #---------------------------------------------------------------
    /sbin/iptables -A inside2outside -p tcp --sport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
    /sbin/iptables -A inside2outside -p udp --sport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
    /sbin/iptables -A inside2outside -p tcp -m multiport --dport $GROUP1_TCP -j ACCEPT
    /sbin/iptables -A inside2outside -p tcp -m multiport --dport $GROUP2_TCP -j ACCEPT
    /sbin/iptables -A inside2outside -p udp -m multiport --dport $GROUP1_UDP -j ACCEPT
    /sbin/iptables -A inside2outside -p udp -m multiport --dport $GROUP2_UDP -j ACCEPT
    /sbin/iptables -A inside2outside -p icmp -j ACCEPT
    # VPN pass-through: GRE (47), ESP (50), AH (51), IKE, L2TP, PPTP
    /sbin/iptables -A inside2outside -p gre -j ACCEPT
    /sbin/iptables -A inside2outside -p 47 -j ACCEPT
    /sbin/iptables -A inside2outside -p 50 -j ACCEPT
    /sbin/iptables -A inside2outside -p 51 -j ACCEPT
    /sbin/iptables -A inside2outside -p udp --dport 500 -j ACCEPT
    /sbin/iptables -A inside2outside -p udp --dport 1701 -j ACCEPT
    /sbin/iptables -A inside2outside -p tcp --dport 1723 -j ACCEPT
    /sbin/iptables -A inside2outside -p udp --dport 1723 -j ACCEPT
    /sbin/iptables -A inside2outside -j LOG --log-prefix "DROP inside2outside "
    /sbin/iptables -A inside2outside -j DROP
    #
    #
    #---------------------------------------------------------------
    # || DEFINITION OF THE outside2inside RULES INTERNET->INSIDE ||
    #---------------------------------------------------------------
    /sbin/iptables -A outside2inside -j ANTISPOOF
    /sbin/iptables -A outside2inside -j ANTISCAN
    /sbin/iptables -A outside2inside -p tcp --dport 1024: -m state --state ESTABLISHED -j ACCEPT
    /sbin/iptables -A outside2inside -p udp --dport 1024: -m state --state ESTABLISHED -j ACCEPT
    /sbin/iptables -A outside2inside -p tcp ! --tcp-option 2 -j REJECT --reject-with tcp-reset
    /sbin/iptables -A outside2inside -j LOG --log-prefix " DROP outside2inside "
    /sbin/iptables -A outside2inside -j DROP
    #
    #
    #
    #::::::::::::::::::::::::PROTECTION RULES ::::::::::::::::::::::::::::::::
    #........................................................................
    #........................................................................
    #........................................................................
    # Log and drop TCP packets with flag combinations no legitimate stack sends
    /sbin/iptables -A ANTISCAN -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN -j LOG --log-prefix "ANTISCAN"
    /sbin/iptables -A ANTISCAN -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN -j DROP
    /sbin/iptables -A ANTISCAN -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j LOG --log-prefix "ANTISCAN"
    /sbin/iptables -A ANTISCAN -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j DROP
    /sbin/iptables -A ANTISCAN -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j LOG --log-prefix "ANTISCAN"
    /sbin/iptables -A ANTISCAN -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
    /sbin/iptables -A ANTISCAN -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j LOG --log-prefix "ANTISCAN"
    /sbin/iptables -A ANTISCAN -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
    # Log and drop packets arriving from outside with private, loopback or reserved source addresses
    /sbin/iptables -A ANTISPOOF -s 127.0.0.1/32 -j LOG --log-prefix "ANTISPOOFING"
    /sbin/iptables -A ANTISPOOF -s 127.0.0.1/32 -j DROP
    /sbin/iptables -A ANTISPOOF -s 192.168.0.0/16 -j LOG --log-prefix "ANTISPOOF"
    /sbin/iptables -A ANTISPOOF -s 192.168.0.0/16 -j DROP
    /sbin/iptables -A ANTISPOOF -s 172.16.0.0/12 -j LOG --log-prefix "ANTISPOOF"
    /sbin/iptables -A ANTISPOOF -s 172.16.0.0/12 -j DROP
    /sbin/iptables -A ANTISPOOF -s 10.0.0.0/8 -j LOG --log-prefix "ANTISPOOF"
    /sbin/iptables -A ANTISPOOF -s 10.0.0.0/8 -j DROP
    /sbin/iptables -A ANTISPOOF -s 224.0.0.0/4 -j LOG --log-prefix "ANTISPOOF"
    /sbin/iptables -A ANTISPOOF -s 224.0.0.0/4 -j DROP
    /sbin/iptables -A ANTISPOOF -s 240.0.0.0/5 -j LOG --log-prefix "ANTISPOOF"
    /sbin/iptables -A ANTISPOOF -s 240.0.0.0/5 -j DROP
    #
    # EOF

  4. #4
    I take a much quicker approach:

    # description: NAT between eth0 (192.168.1.x) and eth1 (10.0.0.x)

    # NAT rules

    echo 1 > /proc/sys/net/ipv4/ip_forward
    /sbin/iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -d 0/0 -o eth0 -j MASQUERADE

    # transparent proxy

    iptables -t nat -A PREROUTING -m tcp -p tcp --dport 80 -j REDIRECT --to-port 3128
    iptables -A INPUT -m tcp -p tcp ! -s 127.0.0.1 --dport 3128 -j DROP

  5. #5
    Hi, can you explain what your INPUT rule means and, above all, how the loopback 127.0.0.1 interface comes into play?

    thanks a lot
    bye
