Вот пример использования файрвола на шлюзе
# Generated by iptables-save v1.3.5 on Mon Sep 26 13:53:44 2011
#
# filter table of the gateway (2011 revision).  All three built-in chains have
# policy DROP, so only traffic matched by an ACCEPT below gets through;
# everything else is rate-limit logged by the last rule of each chain and then
# dropped by the policy.
*filter
:INPUT DROP [18855:1091293]
:FORWARD DROP [32:2176]
:OUTPUT DROP [0:0]
# User-defined chains.  NOTE(review): tcp_packets and udp_packets are declared
# but carry no rules in this dump, and no rule jumps to `allowed`, so all three
# are effectively no-ops here (see the INPUT dispatch rules below).
:allowed - [0:0]
:bad_tcp_packets - [0:0]
:forward_tcp - [0:0]
:forward_udp - [0:0]
:icmp_packets - [0:0]
:tcp_packets - [0:0]
:udp_packets - [0:0]
# ---- INPUT: traffic addressed to the gateway itself ----
# Everything arriving on tap0 is accepted with no protocol or state check
# (presumably the VPN tunnel interface -- see the 1194/udp rule below; confirm).
-A INPUT -i tap0 -j ACCEPT
# Uplink (ppp0): new TCP connections to 80 (HTTP).
-A INPUT -i ppp0 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
# Uplink: 1194/udp (OpenVPN's registered port), stateless match.
-A INPUT -i ppp0 -p udp -m udp --dport 1194 -j ACCEPT
# Every TCP packet passes the bad_tcp_packets sanity chain first (defined below).
-A INPUT -p tcp -j bad_tcp_packets
# LAN side: anything sourced from 192.168.0.0/24 on eth0 is accepted.
-A INPUT -s 192.168.0.0/255.255.255.0 -i eth0 -j ACCEPT
# One external address is fully trusted on ANY interface, any protocol, any
# port.  The trust rests on the source address alone (no -i, no state match);
# pinning it to ppp0 and to the ports actually needed would narrow it.
-A INPUT -s 83.239.52.162 -j ACCEPT
# NOTE(review): `-p xns-idp` is IP protocol 22 (XNS IDP), NOT TCP port 22.  The
# older dump further down this page writes this same rule as `-p 22` under an
# "SSH" banner, so the intent was almost certainly
#   -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# As written it admits no SSH at all: SSH from the LAN or from 83.239.52.162
# is accepted by the two rules above, but SSH arriving on ppp0 from anywhere
# else reaches the empty tcp_packets chain, returns, is logged and dropped.
-A INPUT -p xns-idp -j ACCEPT
# Loopback, limited to the two local source addresses.
-A INPUT -s 127.0.0.1 -i lo -j ACCEPT
-A INPUT -s 192.168.0.1 -i lo -j ACCEPT
# Uplink: replies to connections already opened from this side.
-A INPUT -i ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Uplink: per-protocol dispatch.  tcp_packets and udp_packets are empty, so
# every unsolicited TCP/UDP packet from ppp0 returns here and falls through to
# the LOG rule and the DROP policy; icmp_packets admits only echo request and
# time exceeded.
-A INPUT -i ppp0 -p tcp -j tcp_packets
-A INPUT -i ppp0 -p udp -j udp_packets
-A INPUT -i ppp0 -p icmp -j icmp_packets
# Rate-limited (3/min, burst 3) log at debug level of whatever is about to hit
# the DROP policy.
-A INPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "IPT INPUT packet died: " --log-level 7
# ---- FORWARD: traffic routed through the gateway ----
-A FORWARD -p tcp -j bad_tcp_packets
# Every forwarded packet (first 48 bytes, batches of 50) is copied to userspace
# via ULOG before any accept/drop decision, with no -m limit.  ULOG has since
# been removed from the kernel in favour of NFLOG; keep that in mind when this
# is migrated.
-A FORWARD -j ULOG --ulog-prefix "FORWARD" --ulog-cprange 48 --ulog-qthreshold 50
# Only the LAN side (eth0) may originate forwarded traffic.  Both chains are
# entered for every protocol (no -p on the jump) and there is no -o match, so
# a matching packet may be forwarded out any interface, tap0 included.
-A FORWARD -i eth0 -j forward_tcp
-A FORWARD -i eth0 -j forward_udp
# Return traffic of forwarded connections, whichever interface it arrives on.
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "IPT FORWARD packet died: " --log-level 7
# ---- OUTPUT: traffic generated by the gateway ----
# NOTE(review): INPUT trusts tap0 but OUTPUT trusts tun0, and OUTPUT has no
# RELATED,ESTABLISHED rule.  Locally generated packets leaving via tap0 are
# therefore accepted only if sourced from 127.0.0.1 or 192.168.0.1 (rules
# below); confirm which interface name the VPN actually creates.
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -p tcp -j bad_tcp_packets
-A OUTPUT -s 127.0.0.1 -j ACCEPT
-A OUTPUT -s 192.168.0.1 -j ACCEPT
# Anything the gateway itself sends out the uplink is allowed.
-A OUTPUT -o ppp0 -j ACCEPT
-A OUTPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "IPT OUTPUT packet died: " --log-level 7
# ---- allowed: accept a plain SYN or an existing connection, drop the rest ----
# Dead code in this dump: no rule jumps here (the only `-j allowed` on this
# page, in the older dump, is commented out).
-A allowed -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A allowed -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A allowed -p tcp -j DROP
# ---- bad_tcp_packets: TCP sanity checks, run from INPUT, FORWARD and OUTPUT ----
# A NEW-state packet carrying SYN+ACK is answered with a TCP reset.
-A bad_tcp_packets -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
# Any other NEW packet that is not a plain SYN is logged, then dropped.
# NOTE(review): unlike the chain-tail LOG rules this one has no -m limit, so a
# steady stream of such packets floods the log; add
# `-m limit --limit 3/min --limit-burst 3` as the other LOG rules do.
-A bad_tcp_packets -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j LOG --log-prefix "New not syn:"
-A bad_tcp_packets -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
# ---- forward_tcp: TCP that LAN hosts may open through the gateway ----
# 192.168.0.251 may open TCP to any port; every other LAN host is limited to
# the destination ports below.
-A forward_tcp -s 192.168.0.251 -p tcp -m tcp -j ACCEPT
-A forward_tcp -p tcp -m tcp --dport 8420 -j ACCEPT
# 21 (FTP) and 23 (telnet) are cleartext protocols; 22 is SSH.
-A forward_tcp -p tcp -m tcp --dport 21 -j ACCEPT
-A forward_tcp -p tcp -m tcp --dport 22 -j ACCEPT
-A forward_tcp -p tcp -m tcp --dport 23 -j ACCEPT
# 80/443 HTTP(S).
-A forward_tcp -p tcp -m tcp --dport 80 -j ACCEPT
-A forward_tcp -p tcp -m tcp --dport 443 -j ACCEPT
# 110/995 POP3(S), 25/465 SMTP(S).
-A forward_tcp -p tcp -m tcp --dport 110 -j ACCEPT
-A forward_tcp -p tcp -m tcp --dport 995 -j ACCEPT
-A forward_tcp -p tcp -m tcp --dport 25 -j ACCEPT
-A forward_tcp -p tcp -m tcp --dport 465 -j ACCEPT
# 5190 AIM/ICQ, 5222 XMPP.
-A forward_tcp -p tcp -m tcp --dport 5190 -j ACCEPT
-A forward_tcp -p tcp -m tcp --dport 5222 -j ACCEPT
# 4712 and 15100: purpose not documented on this page.
-A forward_tcp -p tcp -m tcp --dport 4712 -j ACCEPT
-A forward_tcp -p tcp -m tcp --dport 15100 -j ACCEPT
# 3389 RDP.
-A forward_tcp -p tcp -m tcp --dport 3389 -j ACCEPT
# ---- forward_udp: entered for every protocol from eth0 (the FORWARD jump has
# no -p), which is the only reason the TCP and ICMP rules in it take effect ----
-A forward_udp -s 192.168.0.251 -p udp -m udp -j ACCEPT
# 53 DNS.
-A forward_udp -p udp -m udp --dport 53 -j ACCEPT
-A forward_udp -p udp -m udp --dport 80 -j ACCEPT
# 5222/5223 XMPP.
-A forward_udp -p udp -m udp --dport 5222 -j ACCEPT
-A forward_udp -p udp -m udp --dport 5223 -j ACCEPT
-A forward_udp -p udp -m udp --dport 4712 -j ACCEPT
-A forward_udp -p udp -m udp --dport 15100 -j ACCEPT
# A TCP rule in the UDP chain: it works only because of the unrestricted jump
# noted above and belongs in forward_tcp.
-A forward_udp -p tcp -m tcp --dport 2900 -j ACCEPT
-A forward_udp -p udp -m udp --dport 5190 -j ACCEPT
# LAN hosts may send echo request (8) and time exceeded (11) outward.
-A forward_udp -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A forward_udp -p icmp -m icmp --icmp-type 11 -j ACCEPT
# ---- icmp_packets: ICMP accepted from the uplink (see INPUT dispatch) ----
# Echo request (8) and time exceeded (11) only.
-A icmp_packets -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT
COMMIT
# Completed on Mon Sep 26 13:53:44 2011
# Generated by iptables-save v1.3.5 on Mon Sep 26 13:53:44 2011
# mangle table (2011 revision): policy ACCEPT on every chain and no rules, so
# nothing is marked or rewritten here.  The counters only show the table has
# been traversed.
*mangle
:PREROUTING ACCEPT [335367023:424848969445]
:INPUT ACCEPT [335310462:424839139715]
:FORWARD ACCEPT [8375:7248623]
:OUTPUT ACCEPT [197472247:36675289392]
:POSTROUTING ACCEPT [197484336:36678446206]
COMMIT
# Completed on Mon Sep 26 13:53:44 2011
# Generated by iptables-save v1.3.5 on Mon Sep 26 13:53:44 2011
# nat table (2011 revision).  No PREROUTING rules, so no port forwarding into
# the LAN; the only rule is the source NAT for the uplink.
*nat
:PREROUTING ACCEPT [826873:55216300]
:POSTROUTING ACCEPT [420268:29643128]
:OUTPUT ACCEPT [2164356:144381245]
# Masquerade everything leaving via ppp0 behind the uplink's (dynamic)
# address.  There is no -s match, so any forwarded source -- not only
# 192.168.0.0/24 -- is NATed; which sources may be forwarded at all is decided
# by the filter table's FORWARD chain.
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
# Completed on Mon Sep 26 13:53:44 2011
IT /etc/sysconfig/iptables
# Generated by iptables-save v1.3.3 on Wed Mar 21 14:42:52 2007
# nat table (2007 revision of the same gateway).  Identical in effect to the
# 2011 dump above: no DNAT, only source NAT on the uplink.
*nat
:PREROUTING ACCEPT [25427:2625812]
:POSTROUTING ACCEPT [26:1635]
:OUTPUT ACCEPT [2894:210341]
# Masquerade everything leaving via ppp0; no -s restriction, so any forwarded
# source is NATed.  Which sources may be forwarded is decided by the filter
# table's FORWARD chain.
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
# Completed on Wed Mar 21 14:42:52 2007
# Generated by iptables-save v1.3.3 on Wed Mar 21 14:42:52 2007
# mangle table (2007 revision): policy ACCEPT everywhere and no rules; nothing
# is marked or rewritten.
*mangle
:PREROUTING ACCEPT [699172:358405607]
:INPUT ACCEPT [239555:76340216]
:FORWARD ACCEPT [459471:282048322]
:OUTPUT ACCEPT [275219:163031525]
:POSTROUTING ACCEPT [739242:440226995]
COMMIT
# Completed on Wed Mar 21 14:42:52 2007
# Generated by iptables-save v1.3.3 on Wed Mar 21 14:42:52 2007
#
# filter table, 2007 revision (the line preceding this dump names it as
# /etc/sysconfig/iptables).  Hand-edited: `--src` is used as a synonym for
# `-s`, and several rules are kept commented out.  Policy DROP on all three
# built-in chains; everything not explicitly accepted is rate-limit logged and
# dropped.  The 2011 dump above on this page is the same ruleset as the kernel
# later reported it.
*filter
:INPUT DROP [6358:571032]
:FORWARD DROP [3024:236825]
:OUTPUT DROP [1:40]
# NOTE(review): tcp_packets and udp_packets have no rules, and the only jump
# to `allowed` (last line of the chain definitions) is commented out, so these
# three chains do nothing.
:allowed - [0:0]
:bad_tcp_packets - [0:0]
:forward_tcp - [0:0]
:forward_udp - [0:0]
:icmp_packets - [0:0]
:tcp_packets - [0:0]
:udp_packets - [0:0]
# ---- INPUT ----
# Everything from tap0 (presumably the VPN tunnel -- see 1194/udp below) is
# accepted without protocol or state checks.
-A INPUT -i tap0 -j ACCEPT
# Disabled: loopback traffic sourced from 10.8.0.1 (looks like a VPN-side
# address; confirm).
# -A INPUT -s 10.8.0.1 -i lo -j ACCEPT
# Uplink: new HTTP connections, and 1194/udp (OpenVPN's registered port).
-A INPUT -i ppp0 -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -i ppp0 -m udp -p udp --dport 1194 -j ACCEPT
# TCP sanity checks first (chain defined below).
-A INPUT -p tcp -j bad_tcp_packets
# LAN: anything from 192.168.0.0/24 on eth0.
-A INPUT -s 192.168.0.0/255.255.255.0 -i eth0 -j ACCEPT
# Disabled: a second fully trusted external address.
# -A INPUT --src 77.243.245.161 -j ACCEPT
# One external address is fully trusted on any interface, protocol and port;
# the trust rests on the source address alone (no -i, no state match).
-A INPUT --src 83.239.52.162 -j ACCEPT
############# SSH ###############
# NOTE(review): `-p 22` selects IP *protocol* 22 (XNS IDP) -- the 2011 dump
# above shows the kernel storing it as `-p xns-idp` -- not TCP port 22.  This
# rule admits no SSH.  Intended form:
#   -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# Until fixed, SSH works only from the LAN (eth0 rule) and from
# 83.239.52.162; SSH arriving on ppp0 from anywhere else hits the empty
# tcp_packets chain, returns, is logged and dropped.
-A INPUT -p 22 -j ACCEPT
################################
# Loopback, restricted to the two local addresses.
-A INPUT -s 127.0.0.1 -i lo -j ACCEPT
-A INPUT -s 192.168.0.1 -i lo -j ACCEPT
# Disabled: DHCP client->server (68 -> 67) on eth1.
# -A INPUT -i eth1 -p udp -m udp --sport 68 --dport 67 -j ACCEPT
# Uplink: replies to connections opened from this side.
-A INPUT -i ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Uplink dispatch.  tcp_packets/udp_packets are empty, so unsolicited TCP/UDP
# from ppp0 returns here and is logged and dropped; icmp_packets admits echo
# request and time exceeded only.
-A INPUT -i ppp0 -p tcp -j tcp_packets
-A INPUT -i ppp0 -p udp -j udp_packets
-A INPUT -i ppp0 -p icmp -j icmp_packets
# Rate-limited debug log of what is about to be dropped by policy.
-A INPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "IPT INPUT packet died: " --log-level 7
# ---- FORWARD ----
-A FORWARD -p tcp -j bad_tcp_packets
# Every forwarded packet is copied to userspace via ULOG (first 48 bytes,
# batches of 50) before any decision and without -m limit.  ULOG has since
# been removed from the kernel in favour of NFLOG.
-A FORWARD -j ULOG --ulog-prefix "FORWARD" --ulog-cprange 48 --ulog-qthreshold 50
# Only eth0 may originate forwarded traffic; both chains are entered for every
# protocol (no -p on the jump) and nothing restricts the outgoing interface.
-A FORWARD -i eth0 -j forward_tcp
-A FORWARD -i eth0 -j forward_udp
# Return traffic of forwarded connections.
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "IPT FORWARD packet died: " --log-level 7
# ---- OUTPUT ----
# NOTE(review): INPUT trusts tap0 while OUTPUT trusts tun0, and OUTPUT has no
# RELATED,ESTABLISHED rule; packets the gateway sends into tap0 pass only if
# sourced from 127.0.0.1 or 192.168.0.1.  Confirm the VPN's interface name.
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -p tcp -j bad_tcp_packets
-A OUTPUT -s 127.0.0.1 -j ACCEPT
-A OUTPUT -s 192.168.0.1 -j ACCEPT
# Anything the gateway sends out the uplink is allowed.
-A OUTPUT -o ppp0 -j ACCEPT
-A OUTPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "IPT OUTPUT packet died: " --log-level 7
# ---- allowed: plain SYN or existing connection, else drop.  Unreferenced
# (its only jump, at the end of this file, is commented out). ----
-A allowed -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A allowed -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A allowed -p tcp -j DROP
# ---- bad_tcp_packets: TCP sanity checks for INPUT, FORWARD and OUTPUT ----
# NEW-state packet carrying SYN+ACK: answer with a TCP reset.
-A bad_tcp_packets -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
# Any other NEW packet that is not a plain SYN: log, then drop.
# NOTE(review): this LOG has no -m limit, unlike the chain-tail LOG rules, so
# it can flood the log; add `-m limit --limit 3/min --limit-burst 3`.
-A bad_tcp_packets -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j LOG --log-prefix "New not syn:"
-A bad_tcp_packets -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
# ---- forward_tcp: TCP that LAN hosts may open through the gateway ----
# Special ports for DROLKA
# -A forward_tcp -p tcp -m tcp --src 192.168.0.251 -j ACCEPT
# 192.168.0.251 may open TCP to any port; other LAN hosts only to the ports
# listed below.
-A forward_tcp -p tcp -m tcp --src 192.168.0.251 -j ACCEPT
-A forward_tcp -p tcp -m tcp --dport 8420 -j ACCEPT
# 21 (FTP) and 23 (telnet) are cleartext protocols; 22 is SSH.
-A forward_tcp -p tcp -m tcp --dport 21 -j ACCEPT
-A forward_tcp -p tcp -m tcp --dport 22 -j ACCEPT
-A forward_tcp -p tcp -m tcp --dport 23 -j ACCEPT
# 80/443 HTTP(S); 8080 disabled.
-A forward_tcp -p tcp -m tcp --dport 80 -j ACCEPT
#-A forward_tcp -p tcp -m tcp --dport 8080 -j ACCEPT
-A forward_tcp -p tcp -m tcp --dport 443 -j ACCEPT
# 110/995 POP3(S), 25/465 SMTP(S).
-A forward_tcp -p tcp -m tcp --dport 110 -j ACCEPT
-A forward_tcp -p tcp -m tcp --dport 995 -j ACCEPT
-A forward_tcp -p tcp -m tcp --dport 25 -j ACCEPT
-A forward_tcp -p tcp -m tcp --dport 465 -j ACCEPT
# 5190 AIM/ICQ, 5222 XMPP; 4712 and 15100 are not documented on this page.
-A forward_tcp -p tcp -m tcp --dport 5190 -j ACCEPT
-A forward_tcp -p tcp -m tcp --dport 5222 -j ACCEPT
-A forward_tcp -p tcp -m tcp --dport 4712 -j ACCEPT
-A forward_tcp -p tcp -m tcp --dport 15100 -j ACCEPT
# 3389 RDP.
-A forward_tcp -p tcp -m tcp --dport 3389 -j ACCEPT
# ---- forward_udp: entered for every protocol from eth0, which is why the
# TCP and ICMP rules in it take effect ----
-A forward_udp -p udp -m udp --src 192.168.0.251 -j ACCEPT
# 53 DNS.
-A forward_udp -p udp -m udp --dport 53 -j ACCEPT
-A forward_udp -p udp -m udp --dport 80 -j ACCEPT
# 5222/5223 XMPP.
-A forward_udp -p udp -m udp --dport 5222 -j ACCEPT
-A forward_udp -p udp -m udp --dport 5223 -j ACCEPT
-A forward_udp -p udp -m udp --dport 4712 -j ACCEPT
-A forward_udp -p udp -m udp --dport 15100 -j ACCEPT
# A TCP rule in the UDP chain; works only because of the unrestricted jump
# and belongs in forward_tcp.
-A forward_udp -p tcp -m tcp --dport 2900 -j ACCEPT
-A forward_udp -p udp -m udp --dport 5190 -j ACCEPT
# LAN hosts may send echo request (8) and time exceeded (11) outward.
-A forward_udp -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A forward_udp -p icmp -m icmp --icmp-type 11 -j ACCEPT
# ---- icmp_packets: ICMP accepted from the uplink (echo request, time exceeded) ----
-A icmp_packets -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT
# Disabled: the only reference to the `allowed` chain.  Enabling it would be
# the stateful way to admit SSH from the uplink (tcp_packets is reached only
# for ppp0 TCP).
# -A tcp_packets -p tcp -m tcp --dport 22 -j allowed
COMMIT
# Completed on Wed Mar 21 14:42:52 2007