Re: [iptables] полный NAT

Tue, 06 Jul 2010 20:41:29 +0400

ну да, не так просто во всей это штуке разобраться, искал что-то находил, оставлял в комментах, зато в результате работает стабильно - по этому конфигу любой фирме с самыми жесткими правилами безопасности(в рамках айпитаблов) можно в течении минуты настроить выход в сеть - профит!

Re: [iptables] полный NAT

Tue, 06 Jul 2010 15:40:15 +0400

>382. # РЕТЕУМБФШ ЧИПДСЭЙЕ UDP РБЛЕФЩ(РПТФ 5060 Й 16500) ОБ ЙОФЕТЖЕКУ eth0 (X.X.X.X) 383. # ЧП ЧОХФТЕООАА УЕФШ ОБ 172.16.0.200 ОБ УППФЧЕФУФЧХАЭЙЕ РПТФЩ
оНДШЛЮК

Re: [iptables] полный NAT

Tue, 06 Jul 2010 15:38:19 +0400

а, у тебя уже все заработало, незаметил =)

Re: [iptables] полный NAT

Tue, 06 Jul 2010 15:37:42 +0400

вот мой файрвольчик

#!/bin/sh
INET_IP="xxx.xxx.xxx.xxx"
INET_IFACE="eth0"
INET_BROADCAST="xxx.xxx.xxx.255"
# 1.2 Local Area Network configuration.
#
# your LAN's IP range and localhost IP. /24 means to only use the first 24
# bits of the 32 bit IP address. the same as netmask 255.255.255.0
#
LAN_IP="10.0.0.1"
LAN_IP_RANGE="10.0.0.0/24"
LAN_IFACE="eth1"
#
# 1.4 Localhost Configuration.
#
LO_IFACE="lo"
LO_IP="127.0.0.1"
#
# 1.5 IPTables Configuration.
#
IPTABLES="/sbin/iptables"
#
# 1.6 Other Configuration.
#
###########################################################################
#
# 2. Module loading.
#
#
# Needed to initially load modules
#
/sbin/depmod -a
#
# 2.1 Required modules
#
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state
/sbin/modprobe ipt_string
#
# 2.2 Non-Required modules
#
/sbin/modprobe ipt_owner
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_nat_irc
###########################################################################
#
# 3. /proc set up.
#
#
# 3.1 Required proc configuration
#
echo "1" > /proc/sys/net/ipv4/ip_forward
#
# 3.2 Non-Required proc configuration
#
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
###########################################################################
#
# 4. rules set up.
#
######
# 4.1 Filter table
#
# $IPTABLES -t filter -A FORWARD -i $LAN_IP -o $INET_IP -s $LAN_IP -j ACCEPT
#
# 4.1.1 Set policies
#
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD ACCEPT
#
# 4.1.2 Create userspecified chains
#
#
# Create chain for bad tcp packets
#
$IPTABLES -N bad_tcp_packets
#
# Create separate chains for ICMP, TCP and UDP to traverse
#
$IPTABLES -N allowed
$IPTABLES -N tcp_packets
$IPTABLES -N udp_packets
$IPTABLES -N icmp_packets
#
# 4.1.3 Create content in userspecified chains
#
#
# bad_tcp_packets chain
#
$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
#
# allowed chain
#
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP
#
# TCP rules
#
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 20 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 8080 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 8081 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 4661 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 4662 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 4711 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 4712 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 6588 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 3128 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 3389 -j allowed
#
# UDP ports
#
$IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 53 -j ACCEPT
$IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 123 -j ACCEPT
$IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 2074 -j ACCEPT
$IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 4000 -j ACCEPT
$IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 4665 -j ACCEPT
$IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 4672 -j ACCEPT
$IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 3389 -j ACCEPT
#
# In Microsoft Networks you will be swamped by broadcasts. These lines
# will prevent them from showing up in the logs.
#
$IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d $INET_BROADCAST --destination-port 135:139 -j DROP
#
# If we get DHCP requests from the Outside of our network, our logs will
# be swamped as well. This rule will block them from getting logged.
#
#$IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d 255.255.255.255 \
#--destination-port 67:68 -j DROP
#
# ICMP rules
#
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
#
# 4.1.4 INPUT chain
#
#
# Bad TCP packets we don't want.
#
$IPTABLES -A INPUT -p tcp -j bad_tcp_packets
#
# Rules for special networks not part of the Internet
#
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT
#
# Special rule for DHCP requests from LAN, which are not caught properly
# otherwise.
#
$IPTABLES -A INPUT -p UDP -i $LAN_IFACE --dport 67 --sport 68 -j ACCEPT
#
# Rules for incoming packets from the internet.
#
$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udp_packets
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
#
# If you have a Microsoft Network on the outside of your firewall, you may
# also get flooded by Multicasts. We drop them so we do not get flooded by
# logs
#
$IPTABLES -A INPUT -i $INET_IFACE -d 224.0.0.0/8 -j DROP
#
# Log weird packets that don't match the above.
#
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "
#
# 4.1.5 FORWARD chain
#
#
# Bad TCP packets we don't want
#
$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets
#
# Accept the packets we actually want to forward
#
$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Log weird packets that don't match the above.
#
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died: "
#
# 4.1.6 OUTPUT chain
#
#
# Bad TCP packets we don't want.
#
$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets
#
# Special OUTPUT rules to decide which IP's to allow.
#
$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT
#
# Log weird packets that don't match the above.
#
$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "
######
# 4.2 nat table
#
#
# 4.2.1 Set policies
#
#
# 4.2.2 Create user specified chains
#
#
# 4.2.3 Create content in user specified chains
#
#
# 4.2.4 PREROUTING chain
#
#
# 4.2.5 POSTROUTING chain
#
#
# Enable simple IP Forwarding and Network Address Translation
#
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP
#
# 4.2.6 OUTPUT chain
#
######
# 4.3 mangle table
#
#
# 4.3.1 Set policies
#
#
# 4.3.2 Create user specified chains
#
#
# 4.3.3 Create content in user specified chains
#
#
# 4.3.4 PREROUTING chain
#
$IPTABLES -t nat -A PREROUTING --dst $INET_IP -p tcp --dport 4662 -j DNAT --to-destination 10.0.0.6
$IPTABLES -t nat -A PREROUTING --dst $INET_IP -p udp --dport 4672 -j DNAT --to-destination 10.0.0.6
$IPTABLES -t nat -A PREROUTING -p tcp -d $INET_IP --dport 4661 -j DNAT --to-destination 10.0.0.6
$IPTABLES -t nat -A PREROUTING -p tcp -d $INET_IP --dport 4662 -j DNAT --to-destination 10.0.0.6
$IPTABLES -t nat -A PREROUTING -p udp -d $INET_IP --dport 4672 -j DNAT --to-destination 10.0.0.6
$IPTABLES -t nat -A PREROUTING -p udp -d $INET_IP --dport 4665 -j DNAT --to-destination 10.0.0.6
$IPTABLES -t nat -A PREROUTING -p tcp -d $INET_IP --dport 4711 -j DNAT --to-destination 10.0.0.6
$IPTABLES -t nat -A PREROUTING -p tcp -d $INET_IP --dport 4712 -j DNAT --to-destination 10.0.0.6
$IPTABLES -t nat -A PREROUTING -p tcp -d $INET_IP --dport 3389 -j DNAT --to-destination 10.0.0.6
$IPTABLES -t nat -A PREROUTING -p tcp -d $INET_IP --dport 12087 -j DNAT --to-destination 10.0.0.6
# 51909
$IPTABLES -t nat -A PREROUTING -p tcp -d $INET_IP --dport 51909 -j DNAT --to-destination 10.0.0.6
#
# 4.3.5 INPUT chain
#
#
# 4.3.6 FORWARD chain
#
$IPTABLES -A FORWARD -i eth0 -d 10.0.0.6 -p tcp --dport 4661 -j ACCEPT
$IPTABLES -A FORWARD -i eth0 -d 10.0.0.6 -p tcp --dport 4662 -j ACCEPT
$IPTABLES -A FORWARD -i eth0 -d 10.0.0.6 -p udp --dport 4672 -j ACCEPT
$IPTABLES -A FORWARD -i eth0 -d 10.0.0.6 -p udp --dport 4665 -j ACCEPT
$IPTABLES -A FORWARD -i eth0 -d 10.0.0.6 -p tcp --dport 4711 -j ACCEPT
$IPTABLES -A FORWARD -i eth0 -d 10.0.0.6 -p tcp --dport 4712 -j ACCEPT
$IPTABLES -A FORWARD -i eth0 -d 10.0.0.6 -p tcp --dport 3389 -j ACCEPT
$IPTABLES -A FORWARD -i eth0 -d 10.0.0.6 -p udp --dport 3389 -j ACCEPT
$IPTABLES -A FORWARD -i eth0 -d 10.0.0.6 -p udp --dport 51909 -j ACCEPT
$IPTABLES -A FORWARD -i eth0 -d 10.0.0.6 -p udp --dport 12087 -j ACCEPT
#
# 4.3.7 OUTPUT chain
#
#
# 4.3.8 POSTROUTING chain
#
# РЕТЕУМБФШ ЧИПДСЭЙЕ UDP РБЛЕФЩ(РПТФ 5060 Й 16500) ОБ ЙОФЕТЖЕКУ eth0 (X.X.X.X)
# ЧП ЧОХФТЕООАА УЕФШ ОБ 172.16.0.200 ОБ УППФЧЕФУФЧХАЭЙЕ РПТФЩ
# iptables -t nat -A PREROUTING -p udp -d x.x.x.x --dport 5060 -j DNAT --to-destination 172.16.0.200
# iptables -t nat -A PREROUTING -p udp -d x.x.x.x --dport 16500 -j DNAT --to-destination 172.16.0.200
#
$IPTABLES -t nat -A PREROUTING -p tcp -d $INET_IP --dport 4661 -j DNAT --to-destination 10.0.0.6
$IPTABLES -t nat -A PREROUTING -p tcp -d $INET_IP --dport 4662 -j DNAT --to-destination 10.0.0.6
$IPTABLES -t nat -A PREROUTING -p tcp -d $INET_IP --dport 3389 -j DNAT --to-destination 10.0.0.6
$IPTABLES -t nat -A PREROUTING -p udp -d $INET_IP --dport 4672 -j DNAT --to-destination 10.0.0.6
$IPTABLES -t nat -A PREROUTING -p udp -d $INET_IP --dport 3389 -j DNAT --to-destination 10.0.0.6
$IPTABLES -A FORWARD -i eth0 -d 10.0.0.6 -p tcp --dport 4661 -j ACCEPT
$IPTABLES -A FORWARD -i eth0 -d 10.0.0.6 -p tcp --dport 4662 -j ACCEPT
$IPTABLES -A FORWARD -i eth0 -d 10.0.0.6 -p udp --dport 4672 -j ACCEPT
$IPTABLES -A FORWARD -i eth0 -d 10.0.0.6 -p udp --dport 3389 -j ACCEPT
$IPTABLES -A FORWARD -i eth0 -d 10.0.0.6 -p tcp --dport 3389 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p tcp -d $INET_IP --dport 12087 -j DNAT --to-destination 10.0.0.6
$IPTABLES -A FORWARD -i eth0 -d 10.0.0.6 -p tcp --dport 12087 -j ACCEPT

Re: [iptables] полный NAT

Fri, 02 Jul 2010 13:44:29 +0400

переношу в дженерал.

Re: [iptables] полный NAT

Fri, 02 Jul 2010 09:49:20 +0400

>>/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>>/sbin/iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
>>/sbin/iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
Вот так заработало. Спасибо. Забыл про форварды значит :)

Re: [iptables] полный NAT

Fri, 02 Jul 2010 09:38:29 +0400

Попробуй сделать

iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

Re: [iptables] полный NAT

Fri, 02 Jul 2010 09:37:24 +0400

бывает не сразу срабатывает по непонятным причинам. Проверь таблицу маршрутов.

Re: [iptables] полный NAT

Fri, 02 Jul 2010 09:37:22 +0400

/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

/sbin/iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT

/sbin/iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

[iptables] полный NAT

Fri, 02 Jul 2010 09:31:00 +0400

eth0 - внешка (xxx.xxx.xxx.xxx)

eth1 - локалка (192.168.3.180/24)

# cat /proc/sys/net/ipv4/ip_forward

Надо сделать сабж. Давно делал и много. Может чего забыл?

# iptables -t nat -A POSTROUTING -s 192.168.3.0/255.255.255.0 -o eth0 -j MASQUERADE

Все, кажись, должно работать.

В локалке машинке даю шлюзом 192.168.3.180. Инета нет. пинги во внешку не проходят тоже

rulinux.net - Форум - General - [iptables] полный NAT

Re: [iptables] полный NAT

Re: [iptables] полный NAT

Re: [iptables] полный NAT

Re: [iptables] полный NAT

Re: [iptables] полный NAT

Re: [iptables] полный NAT

Re: [iptables] полный NAT

Re: [iptables] полный NAT

Re: [iptables] полный NAT

[iptables] полный NAT