Nazdar priatelia,
Na proxy serveri sa pokusam spustit tento firewall (nerobil som ho ja). Bezi bez problemov iba niekolko hodin a potom ho musim
zhodit, pretoze sw aplikacie zacnu padat - konkretne SOFTIP, ktory bezi na MS SQL serveri, z dovodu vypadku siete.
Proxy server ma 3 sietove karty. Na eth0 ma prebiehat komunikacia medzi SQL serverom a uzivatelmi, na eth1 je suborovy server (LAN) a na eth3 internet (pozn.: v skripte nizsie je internet na eth2 - NET_IFACE=eth2, nie eth3).
Urcite je v tomto skripte niekde chyba. Pomozete mi ju najst?
#!/bin/bash
#----------------------------------------------------------------------------#
#
# iptables initialization
# by
# serial: 2012071701
#----------------------------------------------------------------------------#
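## config
# Fail on any reference to an unset variable: a mistyped variable name would
# otherwise expand to nothing, the affected iptables call would fail, and the
# script (which has no error checking) would carry on without that rule.
set -u

IPTABLES=/sbin/iptables
LO_IFACE=lo
SFT_IFACE=eth0    # 172.16.0.0/255.255.0.0 - SOFTIP server segment
LAN_IFACE=eth1    # 192.168.1.1/255.255.255.0 - company LAN (this box is .1)
NET_IFACE=eth2    # 10.0.0.2/255.0.0.0 - "WAN"/NET side; a private 10/8 net,
                  # so there is apparently another router upstream (10.0.0.1)
MAIL="195.28.69.146"   # mail server IP
SFT_SVR="172.16.0.2"   # HP SOFTIP (MS SQL) server IP
# NOTE(review): the original comment on SFT_IFACE gave the proxy's eth0 address
# as 172.16.0.2 - the same address as SFT_SVR. If eth0 really carries
# 172.16.0.2, the proxy and the SQL server share an IP, and an intermittent
# "network outage" after some hours is exactly what a duplicate address
# produces (ARP caches flip between the two hosts). Confirm with
# `ip addr show eth0`; the proxy needs a different address in 172.16.0.0/16.

# GOOGLE - destinations that get masqueraded towards NET (see NAT section)
GOOGLE_IP1="209.85.148.101"
GOOGLE_IP2="209.85.148.102"
GOOGLE_IP3="209.85.148.113"
GOOGLE_IP4="209.85.148.138"
GOOGLE_IP5="209.85.148.139"
GOOGLE_IP6="209.85.148.100"
# GOOGLE EARTH - same treatment as the GOOGLE addresses
EARTH_IP1="74.125.32.32"
EARTH_IP2="74.125.32.33"
EARTH_IP3="74.125.32.34"
EARTH_IP4="74.125.32.35"
EARTH_IP5="74.125.32.36"
EARTH_IP6="74.125.32.37"
EARTH_IP7="74.125.32.38"
EARTH_IP8="74.125.32.39"
EARTH_IP9="74.125.32.40"
EARTH_IP10="74.125.32.41"
EARTH_IP11="74.125.32.42"
EARTH_IP12="74.125.32.43"
EARTH_IP13="74.125.32.44"
EARTH_IP14="74.125.32.45"
EARTH_IP15="74.125.32.46"
EARTH_IP16="74.125.227.1"
EARTH_IP17="74.125.227.3"
EARTH_IP18="74.125.227.7"
EARTH_IP19="74.125.227.17"
EARTH_IP20="67.215.65.132"
EARTH_IP21="74.125.79.120"
# ESET SERVER - defined, but not referenced by any active rule in this version
# (ESET update traffic therefore gets no MASQUERADE rule of its own).
ESET_IP1="89.202.157.201"
ESET_IP2="89.202.157.219"
PROXY="192.168.1.1"    # not referenced by any rule in this version
# LAN hosts with special treatment towards the SOFTIP server / NET.
# Only uzivatel5 and MTSYS are used by active rules; the other names appear
# only in commented-out history further down.
uzivatel1="192.168.1.10"
uzivatel2="192.168.1.52"
uzivatel3="192.168.1.53"
uzivatel4="192.168.1.54"
uzivatel5="192.168.1.55"
uzivatel6="192.168.1.56"
BALOGOVA="192.168.1.58"
uzivatel7="192.168.1.60"
MTSYS="192.168.1.222"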
#----------------------------------------------------------------------------#
# Moduly & inicializacia
#----------------------------------------------------------------------------#
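echo
echo -n "Loading iptables settings"
## Targets that live in their own kernel modules (REJECT, MASQUERADE)
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE
## FTP connection-tracking / NAT helpers. ip_conntrack_ftp / ip_nat_ftp are
## the legacy module names; current kernels call them nf_conntrack_ftp and
## nf_nat_ftp. Try the current name first, fall back to the legacy one, and
## say so if neither loads instead of failing silently (the rest of the
## ruleset still applies, only passive/active FTP through the box suffers).
/sbin/modprobe nf_conntrack_ftp 2>/dev/null || /sbin/modprobe ip_conntrack_ftp \
    || echo "warning: FTP conntrack helper not loaded" >&2
/sbin/modprobe nf_nat_ftp 2>/dev/null || /sbin/modprobe ip_nat_ftp \
    || echo "warning: FTP NAT helper not loaded" >&2

## Default policy: anything not explicitly allowed is dropped; the box itself
## may talk freely. Policies are set BEFORE the flush so the chains are never
## empty while an older, possibly ACCEPT, policy is still in effect (the
## original flushed first and set the policies afterwards).
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP

## Flush every table this script writes to. The original flushed only filter
## and nat; the mangle table (TOS rules in the OUTPUT section) was never
## cleared, so every re-run of the script appended another copy of those rules.
for table in filter nat mangle; do
    $IPTABLES -t "$table" -F
    $IPTABLES -t "$table" -X
done
echo -n "."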
#----------------------------------------------------------------------------#
# INPUT
#----------------------------------------------------------------------------#
## Optional debugging: rate-limited logging of everything hitting INPUT/OUTPUT
#$IPTABLES -A INPUT -m limit --limit 15/minute -j LOG \
#--log-level 7 --log-prefix "FIREWALL (on): "
#$IPTABLES -A OUTPUT -m limit --limit 15/minute -j LOG \
#--log-level 7 --log-prefix "FIREWALL (on): "

## Traffic belonging to an already tracked connection is fine in every chain
for chain in INPUT OUTPUT FORWARD; do
    $IPTABLES -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT   #17072012
done
## No restrictions on loopback and on the LAN interface (the LAN side is
## trusted; at most something like a transparent proxy would filter here)
for iface in "$LO_IFACE" "$LAN_IFACE"; do
    $IPTABLES -A INPUT -i "$iface" -j ACCEPT
done
## Services reachable on the NET interface: 22 = SSH server, 80 = WWW server.
## NOTE(review): both accept from ANY source on $NET_IFACE and without any
## rate limiting; if the NET side is not trusted, restrict the source (-s) or
## add brute-force protection for 22.
for port in 22 80; do
    $IPTABLES -A INPUT -i "$NET_IFACE" -p tcp --dport "$port" -j ACCEPT
done
## Not enabled (kept as a reference list): 21 ftp, 25 smtp, 53 dns udp/tcp,
## 110 pop3, 143 imap, 443 https, 873 rsync, 995 pop3s, 10000 webmin
#----------------------------------------------------------------------------#
# OUTPUT
#----------------------------------------------------------------------------#
## TOS marks for traffic leaving on the NET interface: interactive protocols
## (ssh, ftp control channel, telnet) ask for minimum delay, ftp-data for
## maximum throughput. Each table row is "match-option:port:tos-value".
while IFS=: read -r match port tos; do
    $IPTABLES -t mangle -A OUTPUT -o "$NET_IFACE" -p tcp \
        "--$match" "$port" -j TOS --set-tos "$tos"
done <<'EOF'
sport:ssh:Minimize-Delay
dport:ssh:Minimize-Delay
sport:ftp:Minimize-Delay
dport:ftp:Minimize-Delay
dport:telnet:Minimize-Delay
sport:ftp-data:Maximize-Throughput
EOF
## History: per-host OUTPUT filtering from the SOFTIP segment, disabled
# $IPTABLES -A OUTPUT -s 172.16.0.0/16 -d $uzivatel1 -j ACCEPT
# $IPTABLES -A OUTPUT -s 172.16.0.0/16 -d $uzivatel2 -j ACCEPT
# $IPTABLES -A OUTPUT -s 172.16.0.0/16 -d $uzivatel3 -j ACCEPT
# $IPTABLES -A OUTPUT -s 172.16.0.0/16 -d $uzivatel4 -j ACCEPT
# $IPTABLES -A OUTPUT -s 172.16.0.0/16 -d $uzivatel5 -j ACCEPT # uzivatel5
# $IPTABLES -A OUTPUT -s 172.16.0.0/16 -d $BALOGOVA -j ACCEPT
# $IPTABLES -A OUTPUT -s 172.16.0.0/16 -d $MTSYS -j ACCEPT
# $IPTABLES -A OUTPUT -s 172.16.0.0/16 -d $uzivatel7 -j ACCEPT
# $IPTABLES -A OUTPUT -s 172.16.0.0/16 -j DROP
echo -n "."
#----------------------------------------------------------------------------#
# FORWARD
#----------------------------------------------------------------------------#
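## NAT - masquerading
echo "1" > /proc/sys/net/ipv4/ip_forward
# LAN -> SOFTIP server: LAN clients are hidden behind the proxy's eth0
# address, so the SQL server sees every client as the proxy. Return traffic
# is matched by the ESTABLISHED,RELATED rules added in the INPUT section.
# NOTE(review): if forwarded SQL sessions die only after hours of operation,
# check the connection-tracking table - every masqueraded flow occupies an
# entry: `dmesg | grep -i conntrack` (look for "table full") and compare
# /proc/sys/net/netfilter/nf_conntrack_count with nf_conntrack_max.
$IPTABLES -t nat -A POSTROUTING -s 192.168.1.0/24 -d "$SFT_SVR" -p all -o "$SFT_IFACE" -j MASQUERADE

## FORWARD - stateless permits
# LAN -> mail server, any protocol
$IPTABLES -A FORWARD -i "$LAN_IFACE" -s 192.168.1.0/24 -d "$MAIL" -j ACCEPT
# Anything originating on the SOFTIP segment may be forwarded anywhere
# (LAN as well as NET). NOTE(review): this is stateless and unrestricted -
# the SQL segment can open connections into the LAN; tighten with -d/--dport
# if that is not intended.
$IPTABLES -A FORWARD -i "$SFT_IFACE" -s 172.16.0.0/16 -j ACCEPT
# REMOVED: "$IPTABLES -A FORWARD -i $NET_IFACE -d 192.168.1.0/24 -j ACCEPT".
# That rule let any host on the NET side open NEW connections to any LAN
# host, bypassing the stateful protection this firewall otherwise provides.
# Replies to LAN-initiated connections are already accepted by the
# ESTABLISHED,RELATED rule, so ordinary client traffic does not need it. If a
# specific NET-side host must reach the LAN, add a rule limited to that
# source address and destination port instead of a blanket accept.

## NAT - mail protocols towards NET (any inside source)
for port in 25 110 587 993 995; do
    $IPTABLES -t nat -A POSTROUTING -p tcp --dport "$port" -o "$NET_IFACE" -j MASQUERADE
done
## NAT - whitelisted Google / Google Earth destinations
for dst in "$GOOGLE_IP1" "$GOOGLE_IP2" "$GOOGLE_IP3" "$GOOGLE_IP4" \
           "$GOOGLE_IP5" "$GOOGLE_IP6" \
           "$EARTH_IP1"  "$EARTH_IP2"  "$EARTH_IP3"  "$EARTH_IP4"  "$EARTH_IP5" \
           "$EARTH_IP6"  "$EARTH_IP7"  "$EARTH_IP8"  "$EARTH_IP9"  "$EARTH_IP10" \
           "$EARTH_IP11" "$EARTH_IP12" "$EARTH_IP13" "$EARTH_IP14" "$EARTH_IP15" \
           "$EARTH_IP16" "$EARTH_IP17" "$EARTH_IP18" "$EARTH_IP19" "$EARTH_IP20" \
           "$EARTH_IP21"; do
    $IPTABLES -t nat -A POSTROUTING -p tcp -d "$dst" -o "$NET_IFACE" -j MASQUERADE
done
## NAT - individual hosts
# two LAN hosts may reach the upstream router 10.0.0.1
$IPTABLES -t nat -A POSTROUTING -s "$MTSYS" -d 10.0.0.1 -o "$NET_IFACE" -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -s "$uzivatel5" -d 10.0.0.1 -o "$NET_IFACE" -j MASQUERADE
# the SOFTIP server gets full masqueraded access to NET
$IPTABLES -t nat -A POSTROUTING -s "$SFT_SVR" -p all -o "$NET_IFACE" -j MASQUERADE
# uzivatel5: FTP and SSH to 195.28.69.145
for port in 21 22; do
    $IPTABLES -t nat -A POSTROUTING -s "$uzivatel5" -d 195.28.69.145 -p tcp --dport "$port" -o "$NET_IFACE" -j MASQUERADE
done

## FORWARD - new connections allowed to cross the box
# LAN -> NET: any new connection. Only the destinations masqueraded above get
# the proxy's source address; other LAN->NET traffic is forwarded with its
# private 192.168.1.x source and is unlikely to be routable upstream.
$IPTABLES -A FORWARD -i "$LAN_IFACE" -o "$NET_IFACE" -p all -m state --state NEW -j ACCEPT
# LAN <-> SOFTIP server in both directions. The #17072012 tag suggests these
# two replaced the earlier per-host rules (one per uzivatelN/MTSYS host,
# -i $LAN_IFACE -o $SFT_IFACE --state NEW), which were commented out.
$IPTABLES -A FORWARD -s 192.168.1.0/24 -d "$SFT_SVR" -p all -m state --state NEW -j ACCEPT   #17072012
$IPTABLES -A FORWARD -s "$SFT_SVR" -d 192.168.1.0/24 -p all -m state --state NEW -j ACCEPT   #17072012
echo -n "."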
#----------------------------------------------------------------------------#
# Konec
#----------------------------------------------------------------------------#
# Final progress marker; the script has no error checking, so "done." only
# means every command was issued, not that every rule was accepted.
printf 'done.\n'
exit 0
#----------------------------------------------------------------------------#