Root.cz Forum
Main topics => Networks => Topic started by: fw, 10. 04. 2012, 10:33:14
-
I have three network interfaces in the server: eth0 is connected to the internet, br0 to the local network and tap0 to the VPN.
I need to allow all traffic between the LAN and the VPN, and all traffic from the VPN and the LAN to the server itself. From the internet I only want to allow ports 22, 80 and 443.
My firewall:
#!/bin/bash
WAN="eth0"
LAN="br0"
VPN="tap0"
iptables -t filter -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -N dropLog
iptables -A dropLog -j LOG --log-prefix "iptables-dropLog: "
iptables -A dropLog -j DROP
iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
iptables -A FORWARD -i $VPN -o $WAN -j ACCEPT
iptables -A INPUT -i $LAN -j ACCEPT
iptables -A INPUT -i $VPN -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $LAN -o $VPN -j ACCEPT
iptables -A FORWARD -i $VPN -o $LAN -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -I INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i $WAN -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT
iptables -A FORWARD -p icmp -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN -j SNAT --to 1.2.3.4
iptables -A INPUT -i $LAN -p tcp -j ACCEPT
iptables -A INPUT -i $LAN -p udp -j ACCEPT
iptables -A INPUT -i $VPN -p tcp -j ACCEPT
iptables -A INPUT -i $VPN -p udp -j ACCEPT
iptables -A INPUT -m state --state INVALID -j dropLog
iptables -A INPUT -j LOG --log-prefix "iptables-rejectLogOstatni: "
iptables -A INPUT -j REJECT --reject-with icmp-admin-prohibited
But when I connect another PC to eth0 and run nmap, I see:
nmap -sS -p 1-65535 -T4 5.6.7.8
Host is up (0.0025s latency).
Not shown: 65527 closed ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
2812/tcp open unknown
4949/tcp open unknown
Where am I going wrong?
-
At first glance, what strikes me is that br0 is a bridge. What exactly does it bridge?
-
eth1 and wlan (ethernet + wifi), the local network.
Does that matter from the firewall's point of view?
-
No, it doesn't. I don't see any obvious fault there. Is there anything else that you perhaps removed for anonymity?
-
First of all, it would be worth checking whether the rules are really loaded correctly:
iptables -t nat -vL
iptables -vL
-
Is there anything else that you perhaps removed for anonymity?
Only the IP in "iptables -t nat -A POSTROUTING -o $WAN -j SNAT --to 1.2.3.4"
root@server:/# iptables -t nat -vL
Chain PREROUTING (policy ACCEPT 65016 packets, 2862K bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 65016 packets, 2862K bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 112 packets, 8980 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 112 packets, 8980 bytes)
pkts bytes target prot opt in out source destination
root@server:/#
root@server:/# iptables -vL
Chain INPUT (policy ACCEPT 88363 packets, 34M bytes)
pkts bytes target prot opt in out source destination
12 668 fail2ban-apache tcp -- any any anywhere anywhere multiport dports http,https
359 28796 fail2ban-ssh-ddos tcp -- any any anywhere anywhere multiport dports ssh
359 28796 fail2ban-ssh tcp -- any any anywhere anywhere multiport dports ssh
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 85996 packets, 3934K bytes)
pkts bytes target prot opt in out source destination
Chain fail2ban-apache (1 references)
pkts bytes target prot opt in out source destination
12 668 RETURN all -- any any anywhere anywhere
Chain fail2ban-ssh (1 references)
pkts bytes target prot opt in out source destination
359 28796 RETURN all -- any any anywhere anywhere
Chain fail2ban-ssh-ddos (1 references)
pkts bytes target prot opt in out source destination
359 28796 RETURN all -- any any anywhere anywhere
root@server:/#
-
Bingo. The rules actually loaded are completely different from the ones in that script. So that's where the error is.
-
So I modified the firewall:
#!/bin/bash
WAN="eth0"
LAN="br0"
VPN="tap0"
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
iptables -I INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i $WAN -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -i $LAN -j ACCEPT
iptables -A INPUT -i $VPN -j ACCEPT
iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
iptables -A FORWARD -i $VPN -o $WAN -j ACCEPT
iptables -A FORWARD -i $LAN -o $VPN -j ACCEPT
iptables -A FORWARD -i $VPN -o $LAN -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT
iptables -A FORWARD -p icmp -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i $WAN -j REJECT
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -j REJECT --reject-with icmp-admin-prohibited
and now it works:
root@server:/usr/local/bin# iptables -L -n -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
221 14012 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
38 3654 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
2 84 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
5 573 ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0
2 477 ACCEPT all -- tap0 * 0.0.0.0/0 0.0.0.0/0
942 130K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
4 336 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
27 4120 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
176K 7761K REJECT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-admin-prohibited
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- br0 eth0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- tap0 eth0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br0 tap0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- tap0 br0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 224 packets, 48897 bytes)
pkts bytes target prot opt in out source destination
1002 135K ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
330 23808 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
root@server:/usr/local/bin#
root@server:/usr/local/bin# iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 176K packets, 7761K bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 3 packets, 132 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 60 packets, 4596 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 33 packets, 2396 bytes)
pkts bytes target prot opt in out source destination
27 2200 MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0
Chain eth0_masq (0 references)
pkts bytes target prot opt in out source destination
root@server:/usr/local/bin#
nmap on eth0 says:
pc ~ # nmap -sS -p 1-65535 -T4 192.168.1.123
Starting Nmap 5.21 ( http://nmap.org ) at 2012-04-10 20:34 CEST
Nmap scan report for 192.168.1.123
Host is up (0.0049s latency).
Not shown: 65532 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
MAC Address: 00:E0:4C:75:4D:A3 (Realtek Semiconductor)
Nmap done: 1 IP address (1 host up) scanned in 320.72 seconds
pc ~ #
So it should be fine now :-)
-
So it should be fine now :-)
Great. It might also be worth writing up why the rules didn't get loaded before; that lesson might help someone in the future.
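The check suggested earlier in the thread (compare what `iptables -L -n -v` actually reports with what the script was supposed to load) written as a small audit script. This is an added example, not code from the thread; the two listings are constructed to mirror the broken and the fixed state shown above, and `eth0` plus the port list 22, 80, 443 are taken from the question.

```shell
#!/bin/sh
# Audit what the kernel really has loaded instead of trusting the script that
# should have applied it. Parses `iptables -L -n -v` output; the two listings
# below are constructed to mirror the broken and the fixed state in this thread.
BROKEN='Chain INPUT (policy ACCEPT 88363 packets, 34M bytes)
 pkts bytes target prot opt in out source destination
   12   668 fail2ban-apache tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination'

FIXED='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
  221 14012 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
   38  3654 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
    2    84 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
    5   573 ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0
 176K 7761K REJECT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination'

# chain_policy LISTING CHAIN: print the default policy of CHAIN (ACCEPT, DROP, ...)
chain_policy() {
    printf '%s\n' "$1" | awk -v c="$2" '$1 == "Chain" && $2 == c { print $4; exit }'
}

# wan_tcp_ports LISTING IFACE: space-separated TCP dports that INPUT accepts
# from IFACE, counting rules with no input interface ("*") as WAN-reachable too
wan_tcp_ports() {
    printf '%s\n' "$1" | awk -v wan="$2" '
        $1 == "Chain" { chain = $2; next }
        chain == "INPUT" && $3 == "ACCEPT" && $4 == "tcp" && ($6 == wan || $6 == "*") {
            for (i = 1; i <= NF; i++) if (sub(/^dpt:/, "", $i)) ports = ports (ports ? " " : "") $i
        }
        END { print ports }'
}

# audit LISTING IFACE WANT: 0 when INPUT and FORWARD default to DROP and the
# WAN-reachable TCP ports are exactly WANT, otherwise 1 with the reason
audit() {
    [ "$(chain_policy "$1" INPUT)" = DROP ]   || { echo "INPUT policy is not DROP: ruleset not loaded"; return 1; }
    [ "$(chain_policy "$1" FORWARD)" = DROP ] || { echo "FORWARD policy is not DROP"; return 1; }
    got=$(wan_tcp_ports "$1" "$2")
    [ "$got" = "$3" ] || { echo "WAN TCP ports '$got' differ from wanted '$3'"; return 1; }
    echo "ok: default DROP, WAN TCP ports: $got"
}

printf 'before fix: '; audit "$BROKEN" eth0 "22 80 443" || :
printf 'after fix:  '; audit "$FIXED" eth0 "22 80 443"
```

On a live box the same check runs against real output with `audit "$(iptables -L -n -v)" eth0 "22 80 443"`, which would have flagged the original state immediately since INPUT still had policy ACCEPT.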