Prova a utilizzare questo file di configurazione.
1- copia e incolla (adattandolo alle tue esigenze) il seguente script in un file di configurazione, ad esempio iptables.sh
2- chmod +x iptables.sh
3- sh iptables.sh
Enjoy!
spero possa servirti
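#!/bin/sh
# ** Iptables configuration file **
# www.linuxguide.it - Domenico Rigattieri
#
# Two-interface NAT firewall: INSIDE (LAN) <-> OUTSIDE (Internet).
#   filter table: INPUT/OUTPUT protect the firewall host itself; FORWARD
#                 dispatches LAN<->Internet traffic to inside2outside /
#                 outside2inside, which call the ANTISPOOF / ANTISCAN chains.
#   nat table:    MASQUERADE on OUTSIDE plus a transparent-proxy REDIRECT
#                 for web traffic coming from the LAN.
#
# Usage: run as root, e.g. "sh iptables.sh". Adjust the VARIABLES section first.
#
### DEBUGGING ###
# Trace every command as it runs (script-level debugging); comment out for quiet runs.
set -x
# Abort on the first failing command: a half-applied ruleset that continues
# silently is worse than a visible failure. The policies are set to DROP right
# after the flush below, so an abort leaves the box closed rather than open --
# keep console (out-of-band) access when running this remotely.
set -e
#
#---------------------------------------------------------------
# || VARIABLES || (adapt to your network)
#---------------------------------------------------------------
INSIDE=eth0
OUTSIDE=eth1
HOMENET=192.168.1.0/24
IPOUTSIDE=85.37.241.210   # not referenced by any rule below; kept for reference
IPINSIDE=192.168.1.1      # not referenced by any rule below; kept for reference
IPT=/sbin/iptables
readonly INSIDE OUTSIDE HOMENET IPOUTSIDE IPINSIDE IPT
#
### FLUSHING CHAINS ###
# Flush all filter rules
$IPT -F
# Delete any user-defined chains
$IPT -X
# Zero the counters
$IPT -Z
# Reset the nat table too (a bare -F only touches the filter table)
$IPT -t nat -F
$IPT -t nat -X
#
### DEFAULT POLICIES ###
# Fail-closed policies immediately after the flush. The original script never
# set them, so anything not matched by an explicit rule (e.g. FORWARD traffic
# between interfaces other than INSIDE/OUTSIDE) fell through to whatever policy
# was already in place -- ACCEPT on a freshly booted kernel.
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP
#
### SETTING IPFORWARDING ###
# Safe to enable here: the FORWARD policy is already DROP.
echo 1 > /proc/sys/net/ipv4/ip_forward
### DISABLE RESPONSE TO BROADCAST ICMP ### (do not answer pings sent to the subnet broadcast)
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
### ENABLE BAD ERROR MESSAGE PROTECTION ### (ignore bogus ICMP error messages)
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
### DISABLE ICMP REDIRECT ACCEPTANCE ### (do not accept ICMP route-redirect packets)
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
### SETTING ANTISPOOFING PROTECTION ### (reverse-path filtering)
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
### Disabling ECN (explicit congestion notification)
echo 0 > /proc/sys/net/ipv4/tcp_ecn
### LOG ALL IMPOSSIBLE IP ### (log packets with unroutable source addresses)
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
#
### Load kernel modules ###
# Best-effort: on kernels where these are built in, or where the ip_* names
# have been replaced by nf_*, modprobe fails harmlessly and must not abort the
# script. The FTP helper is what lets the RELATED state recognise FTP data
# connections.
modprobe ip_tables 2>/dev/null || true
modprobe nf_conntrack 2>/dev/null || modprobe ip_conntrack 2>/dev/null || true
modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp 2>/dev/null || true
#
#---------------------------------------------------------------
# || FLOW DEFINITION ||
#---------------------------------------------------------------
$IPT -N inside2outside
$IPT -N outside2inside
$IPT -N ANTISCAN
$IPT -N ANTISPOOF
#
# > FORWARD chain: dispatch by interface pair. Any other direction hits the
#   DROP policy; log it first so it is visible.
$IPT -A FORWARD -i "$INSIDE" -o "$OUTSIDE" -j inside2outside
$IPT -A FORWARD -i "$OUTSIDE" -o "$INSIDE" -j outside2inside
$IPT -A FORWARD -j LOG --log-prefix "DROP FORWARD "
#
#
#:::::::::::::::::::::::::::: NAT RULES :::::::::::::::::::::::::::::::::::::::
#---------------------------------------------------------------
# || Include Nat Rules ||
#---------------------------------------------------------------
# Set PAT (Port Address Translation): hide the LAN behind the OUTSIDE address
$IPT -t nat -A POSTROUTING -o "$OUTSIDE" -j MASQUERADE
#
## REDIRECTION - Transparent proxy
# Web traffic from the LAN that is not destined to the LAN itself is diverted
# to a local proxy on port 8080 (the original hard-coded eth0 here instead of
# $INSIDE). NOTE(review): the 443 rule sends TLS traffic to the same plain
# proxy port; unless that proxy is explicitly set up to intercept TLS, LAN
# clients will see HTTPS failures -- verify before relying on it.
$IPT -t nat -A PREROUTING -i "$INSIDE" -p tcp ! -d "$HOMENET" --dport 80 -j REDIRECT --to-ports 8080
$IPT -t nat -A PREROUTING -i "$INSIDE" -p tcp ! -d "$HOMENET" --dport 443 -j REDIRECT --to-ports 8080
#
#::::::::::::::::::::::::: TCP/UDP PORT GROUP DEFINITION ::::::::::::::::::::::::
#.. WARNING: the multiport match accepts AT MOST 15 PORTS PER GROUP! ...........
# > TCP GROUPS
# (the original list contained a stray space before ",http"; with the unquoted
#  expansion it word-split into a second argument and the multiport rule failed)
GROUP1_TCP="23,smtp,pop3,imap2,143,220,445,993,995,http,https,ftp,ftp-data"
GROUP2_TCP="3389,ssh,domain,123"
# > UDP GROUPS
GROUP1_UDP="domain,imap2,143,220,445,993,995"
GROUP2_UDP="123"
# > OTHER GROUPS
#
#
#::::::: FILTERING RULES APPLIED TO THE FIREWALL ITSELF (IN/OUT) :::::::::::::::
#---------------------------------------------------------------
# || PACKET FILTERING FROM / TO FIREWALL ||
#---------------------------------------------------------------
# > INPUT chain (traffic addressed to the firewall host)
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Loopback: accept unconditionally. Restricting it to 127.0.0.1<->127.0.0.1 (as
# the original did) broke local services that talk to the host's own LAN
# address, because those packets also travel over lo and ended up in the
# tcp-reset rule below.
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -i "$OUTSIDE" -j ANTISPOOF
$IPT -A INPUT -i "$OUTSIDE" -j ANTISCAN
# NOTE: ssh and http are accepted on every interface, i.e. also from the
# Internet. Add -i "$INSIDE" to these two rules if remote administration or a
# public web service on the firewall host is not intended.
$IPT -A INPUT -p tcp --dport ssh -j ACCEPT
$IPT -A INPUT -p tcp --dport 80 -j ACCEPT
# Services offered to the LAN only: proxy (8080), syslog (514), DNS (53)
$IPT -A INPUT -i "$INSIDE" -p tcp --dport 8080 -j ACCEPT
$IPT -A INPUT -i "$INSIDE" -p udp --dport 514 -j ACCEPT
$IPT -A INPUT -i "$INSIDE" -p udp --dport 53 -j ACCEPT
$IPT -A INPUT -i "$INSIDE" -p tcp --dport 53 -j ACCEPT
$IPT -A INPUT -p icmp -i "$INSIDE" -s "$HOMENET" --icmp-type echo-request -j ACCEPT
# Remaining TCP gets an RST without logging; everything else is logged, then dropped
$IPT -A INPUT -p tcp -j REJECT --reject-with tcp-reset
$IPT -A INPUT -i "$OUTSIDE" -j LOG --log-prefix "From<--Internet "
$IPT -A INPUT -i "$INSIDE" -j LOG --log-prefix "From-->LAN "
$IPT -A INPUT -j DROP
#
# > OUTPUT chain (traffic originated by the firewall host): everything allowed
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#$IPT -A OUTPUT -m pkttype --pkt-type unicast -j LOG --log-prefix " -> OUTPUT " --log-level debug
$IPT -A OUTPUT -j ACCEPT
#
#
#:::::::::::::::::: FILTERING RULES ON THE INTERFACES :::::::::::::::::::::::::::
#---------------------------------------------------------------
# || inside2outside RULES: INSIDE -> INTERNET ||
#---------------------------------------------------------------
$IPT -A inside2outside -p tcp --sport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A inside2outside -p udp --sport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
# Outbound services allowed for the LAN (one multiport rule per group)
$IPT -A inside2outside -p tcp -m multiport --dports "$GROUP1_TCP" -j ACCEPT
$IPT -A inside2outside -p tcp -m multiport --dports "$GROUP2_TCP" -j ACCEPT
$IPT -A inside2outside -p udp -m multiport --dports "$GROUP1_UDP" -j ACCEPT
$IPT -A inside2outside -p udp -m multiport --dports "$GROUP2_UDP" -j ACCEPT
$IPT -A inside2outside -p icmp -j ACCEPT
# VPN pass-through: GRE (protocol 47, used by PPTP), ESP (50), AH (51),
# IKE (udp/500), L2TP (udp/1701), PPTP control (tcp/1723).
# The original listed both "-p gre" and "-p 47"; they are the same protocol,
# and the numeric form does not depend on /etc/protocols.
$IPT -A inside2outside -p 47 -j ACCEPT
$IPT -A inside2outside -p 50 -j ACCEPT
$IPT -A inside2outside -p 51 -j ACCEPT
$IPT -A inside2outside -p udp --dport 500 -j ACCEPT
$IPT -A inside2outside -p udp --dport 1701 -j ACCEPT
$IPT -A inside2outside -p tcp --dport 1723 -j ACCEPT
$IPT -A inside2outside -p udp --dport 1723 -j ACCEPT
$IPT -A inside2outside -j LOG --log-prefix "DROP inside2outside "
$IPT -A inside2outside -j DROP
#
#
#---------------------------------------------------------------
# || outside2inside RULES: INTERNET -> INSIDE ||
#---------------------------------------------------------------
$IPT -A outside2inside -j ANTISPOOF
$IPT -A outside2inside -j ANTISCAN
# Only replies to connections opened from the LAN are let back in.
# NOTE(review): RELATED is not accepted here, so helper-tracked inbound data
# connections (e.g. active-mode FTP, which the ftp module loaded above tracks)
# are dropped -- confirm that is intended.
$IPT -A outside2inside -p tcp --dport 1024: -m state --state ESTABLISHED -j ACCEPT
$IPT -A outside2inside -p udp --dport 1024: -m state --state ESTABLISHED -j ACCEPT
# Unsolicited TCP that carries no MSS option (TCP option 2, normally present
# only on SYN) is answered with an RST instead of being silently dropped
$IPT -A outside2inside -p tcp ! --tcp-option 2 -j REJECT --reject-with tcp-reset
$IPT -A outside2inside -j LOG --log-prefix " DROP outside2inside "
$IPT -A outside2inside -j DROP
#
#
#:::::::::::::::::::::::: PROTECTION RULES :::::::::::::::::::::::::::::::::::::
# ANTISCAN: log and drop TCP packets whose flag combination never occurs in a
# legitimate connection (SYN+FIN, FIN only, no flags, FIN+PSH+URG).
for flags in FIN,SYN FIN NONE FIN,PSH,URG; do
  $IPT -A ANTISCAN -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG "$flags" -j LOG --log-prefix "ANTISCAN"
  $IPT -A ANTISCAN -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG "$flags" -j DROP
done
# ANTISPOOF: log and drop packets arriving from OUTSIDE with a source address
# that cannot legitimately come from the Internet: loopback, the RFC 1918
# private ranges (HOMENET is covered by 192.168.0.0/16), "this network",
# link-local, multicast and reserved space.
$IPT -A ANTISPOOF -s 127.0.0.1/32 -j LOG --log-prefix "ANTISPOOFING"
$IPT -A ANTISPOOF -s 127.0.0.1/32 -j DROP
for net in 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 0.0.0.0/8 169.254.0.0/16 224.0.0.0/4 240.0.0.0/5; do
  $IPT -A ANTISPOOF -s "$net" -j LOG --log-prefix "ANTISPOOF"
  $IPT -A ANTISPOOF -s "$net" -j DROP
done
#
# EOF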
