		Hlavní témata => Sítě => Téma založeno: Rudo  14. 02. 2013, 09:48:49
				Nazdar priatelia,
 
 Na proxy servery sa pokusam spustit tento firewall (nerobil som ho ja). Bezi bez problemov iba niekolko hodin a potom ho musim
 zhodit, pretoze sw aplikacie zacnu padat - konkretne softip, ktorý bezi na ms sql servery, z dovodu vypadku siete.
 Proxy server ma 3 sietove karty. Na eth0 ma prebiehat komunikacia medzi sql serverom a uzivatelmi, na eth1 suborovy server a na eth3 internet.
 Urcite je v tomto skripte niekde chyba. Pomozete mi ju najst ?
 
 
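 #!/bin/bash
 #----------------------------------------------------------------------------#
 #
 #	iptables initialization
 #	by
 #	serial: 2012071701
 #
 #	Purpose: flush and reload the packet-filter, NAT and mangle rules of a
 #	proxy/router with three interfaces: SOFTIP (MS SQL) network on eth0,
 #	company LAN on eth1, WAN on eth2.  Must run as root, takes no arguments;
 #	every site-specific value lives in the config block below.
 #	Each run flushes filter, nat AND mangle first, so re-running the script
 #	never stacks duplicate rules.
 #	Exit status: 0 on completion, 1 if the iptables binary is not usable.
 #----------------------------------------------------------------------------#

 ## config
 readonly IPTABLES=/sbin/iptables
 readonly LO_IFACE=lo
 readonly SFT_IFACE=eth0	# 172.16.0.2/255.255.0.0 - SOFTIP SVR network
 readonly LAN_IFACE=eth1	# 192.168.1.1/255.255.255.0 - company LAN
 readonly NET_IFACE=eth2	# 10.0.0.2/255.0.0.0 - WAN (NET)
 # NOTE(review): the accompanying post says the internet link is eth3 while this
 # config says eth2 -- if the WAN really is eth3, every NET_IFACE rule below is
 # bound to the wrong interface; confirm with "ip addr" on the box.
 readonly MAIL="195.28.69.146"	# mail server IP

 readonly SFT_SVR="172.16.0.2"	# HP SOFTIP server IP
 # NOTE(review): SFT_SVR and the SFT_IFACE comment both give 172.16.0.2.  If the
 # proxy's own eth0 really carries the server's address that is an IP conflict
 # and by itself explains intermittent drop-outs; confirm which value is right.

 # GOOGLE -- each address gets its own per-destination MASQUERADE (NAT section)
 readonly -a GOOGLE_IPS=(
   209.85.148.101
   209.85.148.102
   209.85.148.113
   209.85.148.138
   209.85.148.139
   209.85.148.100
 )

 # GOOGLE EARTH -- same treatment as GOOGLE
 readonly -a EARTH_IPS=(
   74.125.32.32
   74.125.32.33
   74.125.32.34
   74.125.32.35
   74.125.32.36
   74.125.32.37
   74.125.32.38
   74.125.32.39
   74.125.32.40
   74.125.32.41
   74.125.32.42
   74.125.32.43
   74.125.32.44
   74.125.32.45
   74.125.32.46
   74.125.227.1
   74.125.227.3
   74.125.227.7
   74.125.227.17
   67.215.65.132
   74.125.79.120
 )

 # ESET SERVER (kept for future rules; not referenced by any active rule below)
 readonly ESET_IP1="89.202.157.201"
 readonly ESET_IP2="89.202.157.219"

 readonly PROXY="192.168.1.1"	# this box's LAN address (not referenced below)

 # LAN users with access to SOFTIP SVR (most appear only in commented-out rules)
 readonly uzivatel1="192.168.1.10"
 readonly uzivatel2="192.168.1.52"
 readonly uzivatel3="192.168.1.53"
 readonly uzivatel4="192.168.1.54"
 readonly uzivatel5="192.168.1.55"
 readonly uzivatel6="192.168.1.56"
 readonly BALOGOVA="192.168.1.58"
 readonly uzivatel7="192.168.1.60"
 readonly MTSYS="192.168.1.222"

 #----------------------------------------------------------------------------#
 #		Modules & initialization
 #----------------------------------------------------------------------------#

 # Fail loudly instead of silently running dozens of "command not found" lines
 # with the old rule set still in place.
 if [[ ! -x "$IPTABLES" ]]; then
   printf 'iptables binary not found or not executable: %s\n' "$IPTABLES" >&2
   exit 1
 fi

 printf '\nLoading iptables settings'

 ## Modules for the non-standard targets used below
 /sbin/modprobe ipt_REJECT
 /sbin/modprobe ipt_MASQUERADE

 ## FTP connection-tracking / NAT helpers.  Newer kernels ship these as nf_*
 ## instead of ip_*, so fall back to the new name when the old one is unknown.
 /sbin/modprobe ip_conntrack_ftp || /sbin/modprobe nf_conntrack_ftp
 /sbin/modprobe ip_nat_ftp || /sbin/modprobe nf_nat_ftp

 ## Remove every existing rule and user chain in all three tables we touch.
 ## Previously only filter and nat were flushed; the TOS rules below live in
 ## mangle and were appended again on every run of this script.
 "$IPTABLES" -F
 "$IPTABLES" -F -t nat
 "$IPTABLES" -F -t mangle
 "$IPTABLES" -X
 "$IPTABLES" -X -t nat
 "$IPTABLES" -X -t mangle

 printf '.'

 #----------------------------------------------------------------------------#
 #		Default
 #----------------------------------------------------------------------------#

 # Deny everything not explicitly allowed into or through the box; traffic the
 # box itself originates stays unrestricted.
 "$IPTABLES" -P INPUT	DROP
 "$IPTABLES" -P OUTPUT	ACCEPT
 "$IPTABLES" -P FORWARD	DROP

 #----------------------------------------------------------------------------#
 #		INPUT
 #----------------------------------------------------------------------------#

 #$IPTABLES -A INPUT -m limit --limit 15/minute -j LOG \
 #--log-level 7 --log-prefix "FIREWALL (on): "
 #$IPTABLES -A OUTPUT -m limit --limit 15/minute -j LOG \
 #--log-level 7 --log-prefix "FIREWALL (on): "

 ## Packets belonging to established/related connections are fine
 "$IPTABLES" -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT	#17072012
 "$IPTABLES" -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT	#17072012
 "$IPTABLES" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT	#17072012

 ## loopback without restriction
 "$IPTABLES" -A INPUT -i "$LO_IFACE" -j ACCEPT

 ## LAN without restriction -- only something like a transparent proxy anyway
 "$IPTABLES" -A INPUT -i "$LAN_IFACE" -j ACCEPT

 ## ICMP from the SOFTIP network.  With the INPUT DROP policy the box silently
 ## discarded unreachable/time-exceeded notifications and pings from the SQL
 ## side; the reporter traced the MSSQL drop-outs to exactly these missing rules.
 for icmp_type in destination-unreachable time-exceeded echo-reply echo-request; do
   "$IPTABLES" -A INPUT -i "$SFT_IFACE" -p icmp --icmp-type "$icmp_type" -j ACCEPT
 done

 ## Services reachable from the WAN -- keep this list as short as possible
 # "$IPTABLES" -A INPUT -i "$NET_IFACE" -p TCP --dport 21	-j ACCEPT	#  FTP server
 "$IPTABLES" -A INPUT -i "$NET_IFACE" -p TCP --dport 22	-j ACCEPT	#  SSH server
 # "$IPTABLES" -A INPUT -i "$NET_IFACE" -p TCP --dport 25	-j ACCEPT	#  SMTP server
 # "$IPTABLES" -A INPUT -i "$NET_IFACE" -p UDP --dport 53	-j ACCEPT	#  DNS server UDP
 # "$IPTABLES" -A INPUT -i "$NET_IFACE" -p TCP --dport 53	-j ACCEPT	#  DNS server TCP
 "$IPTABLES" -A INPUT -i "$NET_IFACE" -p TCP --dport 80	-j ACCEPT	#  WWW server
 # "$IPTABLES" -A INPUT -i "$NET_IFACE" -p TCP --dport 110	-j ACCEPT	#  POP3 server
 # "$IPTABLES" -A INPUT -i "$NET_IFACE" -p TCP --dport 143	-j ACCEPT	#  IMAP server
 # "$IPTABLES" -A INPUT -i "$NET_IFACE" -p TCP --dport 443	-j ACCEPT	#  HTTPS server
 # "$IPTABLES" -A INPUT -i "$NET_IFACE" -p TCP --dport 873	-j ACCEPT	#  rsync server
 # "$IPTABLES" -A INPUT -i "$NET_IFACE" -p TCP --dport 995	-j ACCEPT	#  POP3s server
 # "$IPTABLES" -A INPUT -i "$NET_IFACE" -p TCP --dport 10000 -j ACCEPT	#  webmin server

 #----------------------------------------------------------------------------#
 #		OUTPUT
 #----------------------------------------------------------------------------#

 ## TOS flags help routers optimise paths.  For ssh, ftp and telnet we ask for
 ## minimum delay; for ftp-data for maximum throughput.  (mangle table -- see
 ## the flush above.)
 "$IPTABLES" -t mangle -A OUTPUT -o "$NET_IFACE" -p tcp	\
   --sport ssh -j TOS --set-tos Minimize-Delay
 "$IPTABLES" -t mangle -A OUTPUT -o "$NET_IFACE" -p tcp	\
   --dport ssh	-j TOS --set-tos Minimize-Delay
 "$IPTABLES" -t mangle -A OUTPUT -o "$NET_IFACE" -p tcp	\
   --sport ftp	-j TOS --set-tos Minimize-Delay
 "$IPTABLES" -t mangle -A OUTPUT -o "$NET_IFACE" -p tcp	\
   --dport ftp	-j TOS --set-tos Minimize-Delay
 "$IPTABLES" -t mangle -A OUTPUT -o "$NET_IFACE" -p tcp	\
   --dport telnet -j TOS --set-tos Minimize-Delay
 "$IPTABLES" -t mangle -A OUTPUT -o "$NET_IFACE" -p tcp	\
   --sport ftp-data -j TOS --set-tos Maximize-Throughput

 # "$IPTABLES" -A OUTPUT -s 172.16.0.0/16 -d "$uzivatel1" -j ACCEPT
 # "$IPTABLES" -A OUTPUT -s 172.16.0.0/16 -d "$uzivatel2" -j ACCEPT
 # "$IPTABLES" -A OUTPUT -s 172.16.0.0/16 -d "$uzivatel3" -j ACCEPT
 # "$IPTABLES" -A OUTPUT -s 172.16.0.0/16 -d "$uzivatel4" -j ACCEPT
 # "$IPTABLES" -A OUTPUT -s 172.16.0.0/16 -d "$uzivatel5" -j ACCEPT # uzivatel5
 # "$IPTABLES" -A OUTPUT -s 172.16.0.0/16 -d "$BALOGOVA" -j ACCEPT
 # "$IPTABLES" -A OUTPUT -s 172.16.0.0/16 -d "$MTSYS" -j ACCEPT
 # "$IPTABLES" -A OUTPUT -s 172.16.0.0/16 -d "$uzivatel7" -j ACCEPT
 # "$IPTABLES" -A OUTPUT -s 172.16.0.0/16 -j DROP

 printf '.'
 #----------------------------------------------------------------------------#
 #		FORWARD
 #----------------------------------------------------------------------------#

 ## NAT - masquerading
 printf '%s\n' 1 > /proc/sys/net/ipv4/ip_forward
 # "$IPTABLES" -t nat -A POSTROUTING -o "$NET_IFACE" -j MASQUERADE # would allow the whole LAN without PROXY
 # LAN clients reach the SOFTIP server hidden behind this box's eth0 address
 "$IPTABLES" -t nat -A POSTROUTING -s 192.168.1.0/24 -d 172.16.0.2 -p all -o "$SFT_IFACE" -j MASQUERADE ###

 #	 "$IPTABLES" -I FORWARD -i "$LAN_IFACE" -d 192.168.1.0/255.255.255.0 -j DROP
 "$IPTABLES" -A FORWARD -i "$LAN_IFACE" -s 192.168.1.0/255.255.255.0 -d "$MAIL" -j ACCEPT
 # Anything from the SOFTIP network may be forwarded to any destination (LAN and
 # WAN alike) -- wider than the per-host rules further down; tighten if the SQL
 # side only ever needs to talk to the LAN.
 "$IPTABLES" -A FORWARD -i "$SFT_IFACE" -s 172.16.0.0/255.255.0.0 -j ACCEPT
 # NOTE(review): this accepts any NEW connection arriving on the WAN interface
 # that is addressed into the LAN.  Nothing here DNATs such traffic, so it is
 # most likely dead, but if it ever matches it is an open door -- consider
 # removing it or limiting it to the specific ports that are really needed.
 "$IPTABLES" -A FORWARD -i "$NET_IFACE" -d 192.168.1.0/255.255.255.0 -j ACCEPT
 # mail
 "$IPTABLES" -t nat -A POSTROUTING -p tcp --dport 25 -o "$NET_IFACE" -j MASQUERADE
 "$IPTABLES" -t nat -A POSTROUTING -p tcp --dport 110 -o "$NET_IFACE" -j MASQUERADE
 "$IPTABLES" -t nat -A POSTROUTING -p tcp --dport 587 -o "$NET_IFACE" -j MASQUERADE
 "$IPTABLES" -t nat -A POSTROUTING -p tcp --dport 993 -o "$NET_IFACE" -j MASQUERADE
 "$IPTABLES" -t nat -A POSTROUTING -p tcp --dport 995 -o "$NET_IFACE" -j MASQUERADE
 # GOOGLE
 for google_ip in "${GOOGLE_IPS[@]}"; do
   "$IPTABLES" -t nat -A POSTROUTING -p tcp -d "$google_ip" -o "$NET_IFACE" -j MASQUERADE
 done
 # GOOGLE EARTH
 for earth_ip in "${EARTH_IPS[@]}"; do
   "$IPTABLES" -t nat -A POSTROUTING -p tcp -d "$earth_ip" -o "$NET_IFACE" -j MASQUERADE
 done

 "$IPTABLES" -t nat -A POSTROUTING -s "$MTSYS" -d 10.0.0.1 -o "$NET_IFACE" -j MASQUERADE
 "$IPTABLES" -t nat -A POSTROUTING -s "$uzivatel5" -d 10.0.0.1 -o "$NET_IFACE" -j MASQUERADE
 "$IPTABLES" -t nat -A POSTROUTING -s "$SFT_SVR" -p all -o "$NET_IFACE" -j MASQUERADE
 "$IPTABLES" -t nat -A POSTROUTING -s "$uzivatel5" -d 195.28.69.145 -p tcp --dport 21 -o "$NET_IFACE" -j MASQUERADE
 "$IPTABLES" -t nat -A POSTROUTING -s "$uzivatel5" -d 195.28.69.145 -p tcp --dport 22 -o "$NET_IFACE" -j MASQUERADE
 # "$IPTABLES" -t nat -A POSTROUTING -s "$SFT_SVR" -o "$NET_IFACE" -j MASQUERADE  # superseded by the -p all rule above

 ## allowed traffic
 "$IPTABLES" -A FORWARD -i "$LAN_IFACE" -o "$NET_IFACE" -p all -m state --state NEW -j ACCEPT
 # "$IPTABLES" -A FORWARD -i "$SFT_IFACE" -o "$NET_IFACE" -p all -m state --state NEW -j ACCEPT
 # "$IPTABLES" -A FORWARD -i "$LAN_IFACE" -o "$SFT_IFACE" -p all -m state --state NEW -j ACCEPT
 "$IPTABLES" -A FORWARD -d 172.16.0.2 -s 192.168.1.0/255.255.255.0 -p all -m state --state NEW -j ACCEPT	#17072012
 "$IPTABLES" -A FORWARD -s 172.16.0.2 -d 192.168.1.0/255.255.255.0 -p all -m state --state NEW -j ACCEPT	#17072012

 # "$IPTABLES" -A FORWARD -s "$uzivatel1" -i "$LAN_IFACE" -o "$SFT_IFACE" -p all -m state --state NEW -j ACCEPT
 # "$IPTABLES" -A FORWARD -s "$uzivatel2" -i "$LAN_IFACE" -o "$SFT_IFACE" -p all -m state --state NEW -j ACCEPT
 # "$IPTABLES" -A FORWARD -s "$uzivatel3" -i "$LAN_IFACE" -o "$SFT_IFACE" -p all -m state --state NEW -j ACCEPT
 # "$IPTABLES" -A FORWARD -s "$uzivatel4" -i "$LAN_IFACE" -o "$SFT_IFACE" -p all -m state --state NEW -j ACCEPT
 # "$IPTABLES" -A FORWARD -s "$uzivatel5" -i "$LAN_IFACE" -o "$SFT_IFACE" -p all -m state --state NEW -j ACCEPT
 # "$IPTABLES" -A FORWARD -s "$BALOGOVA" -i "$LAN_IFACE" -o "$SFT_IFACE" -p all -m state --state NEW -j ACCEPT
 # "$IPTABLES" -A FORWARD -s "$uzivatel7" -i "$LAN_IFACE" -o "$SFT_IFACE" -p all -m state --state NEW -j ACCEPT
 # "$IPTABLES" -A FORWARD -s "$uzivatel6" -i "$LAN_IFACE" -o "$SFT_IFACE" -p all -m state --state NEW -j ACCEPT
 # "$IPTABLES" -A FORWARD -s "$MTSYS" -i "$LAN_IFACE" -o "$SFT_IFACE" -p all -m state --state NEW -j ACCEPT

 printf '.'

 #----------------------------------------------------------------------------#
 #		End
 #----------------------------------------------------------------------------#

 printf 'done.\n'
 exit 0

 #----------------------------------------------------------------------------#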
 
- 
				Takže už som na to prišiel :
 chýbali mi tam tieto prikazy - kvôli MSSQL :
 
 # ICMP types the MSSQL side on eth0 needs: one ACCEPT rule per type, in this order
 for icmp_type in destination-unreachable time-exceeded echo-reply echo-request; do
   $IPT -A INPUT -i eth0 -p icmp --icmp-type "$icmp_type" -j ACCEPT
 done
 
 Možno sa to niekomu hodí pri nasadzovaní firewallu na sieti, kde beží MSSQL server