#!/bin/sh
# DMZ WEB
# Interfaces: eth0 faces the public network, eth1 faces the DMZ.
PUBLIC_IF='eth0'
DMZ_IF='eth1'

# TCP ports DMZ hosts may reach on the public side (consumed by the C.2
# loop in firewall_input, which is currently commented out).
PORT_FORWARD='80 123 443 25 110 995 143 22 21 20 194 5050 6667 3142'
# TCP ports accepted on the public interface (consumed by the B.4 loop in
# firewall_input, also currently commented out).
PUBLIC_PORT_ALLOW='10000 22 21 137 135 139 445 3306'
# Ports allowed in from the internet; the local network is always allowed.
# NOTE(review): no rule in this script reads PORT_IN.
PORT_IN='123 443 10000 25 110 995 143 22 21 20 5050 6667 3142'

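## load modules
MODPROBE="/sbin/modprobe"
# One modprobe call per module. modprobe treats every argument after the
# module name as a module parameter, so the original one-line form
# ("$MODPROBE ip_nat_ftp $MODPROBE ip_nat_irc ...") asked for a single
# module with bogus options and never loaded the others.
# NOTE(review): ip_nat_* / ip_conntrack* are the old module names; on
# current kernels the equivalents are nf_conntrack, nf_conntrack_ftp,
# nf_conntrack_irc, nf_nat_ftp and nf_nat_irc (a failed load is reported
# but not fatal, matching the original script).
for mod in ip_tables iptable_filter iptable_nat iptable_mangle \
    ipt_LOG ipt_limit ipt_state \
    ip_nat_ftp ip_nat_irc ip_conntrack ip_conntrack_ftp ip_conntrack_irc; do
  "$MODPROBE" "$mod" || printf 'warning: could not load module %s\n' "$mod" >&2
done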

#######################################
# Kernel-side preparation: enable IPv4 forwarding so this host can route
# between the DMZ and public interfaces.
# Globals:   none
# Outputs:   writes "1" to /proc/sys/net/ipv4/ip_forward
# Returns:   non-zero if the redirect fails (e.g. not running as root)
#######################################
firewall_basic()
{
  printf '1\n' > /proc/sys/net/ipv4/ip_forward

  # Reverse-path filtering (kernel anti-spoofing) was left disabled by the
  # author; kept disabled here to preserve behaviour. NOTE(review): the
  # source-address ACCEPT rules in firewall_input have no interface match,
  # so rp_filter would be the only check that those addresses arrive on a
  # plausible interface. The original snippet also lacked the ';' before
  # "then"/"do"; this form parses if it is ever enabled:
  #for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
  #  [ -e "$f" ] && echo 1 > "$f"
  #done
}

#######################################
# Return the filter, nat and mangle tables to an open state: ACCEPT
# policies on the filter/nat built-in chains, every rule flushed, every
# user-defined chain removed. Used by "stop" and as step two of "start".
# Globals:   none
# Returns:   status of the last iptables call
#######################################
firewall_flush()
{
  # filter table built-in chains back to ACCEPT
  for chain in INPUT FORWARD OUTPUT; do
    iptables -P "$chain" ACCEPT
  done

  # nat table built-in chains back to ACCEPT
  for chain in PREROUTING POSTROUTING OUTPUT; do
    iptables -t nat -P "$chain" ACCEPT
  done

  # Flush rules first, then delete user chains: -X refuses non-empty chains.
  iptables -F
  iptables -t nat -F
  iptables -X
  iptables -t nat -X

  # mangle: rules and chains only; its policies are not touched here.
  iptables -t mangle -F
  iptables -t mangle -X
}

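#######################################
# Build the rule set. Runs after firewall_flush, so every chain starts
# empty with ACCEPT policies; this tightens INPUT to DROP and appends the
# rules in order (order is significant within a chain).
# Globals:   PUBLIC_IF, DMZ_IF (read)
# Outputs:   nothing on stdout; iptables reports its own errors on stderr
# Returns:   status of the last iptables call (the MASQUERADE rule)
#
# Sections: fw_policies -> fw_user_chains -> fw_input_chain
#           -> fw_forward_chain -> fw_output_chain -> fw_nat
#######################################
firewall_input()
{
  fw_policies
  fw_user_chains
  fw_input_chain
  fw_forward_chain
  fw_output_chain
  fw_nat
}

# A.1/A.2: default policies and unrestricted loopback.
fw_policies()
{
  iptables -P INPUT DROP
  iptables -P OUTPUT ACCEPT
  # FORWARD keeps the ACCEPT policy left by firewall_flush: the author
  # disabled "-P FORWARD DROP". NOTE(review): fw_forward_chain has no
  # terminating DROP and the C.2 port loop is disabled, so this ACCEPT
  # policy is what routes DMZ traffic at all; enabling DROP here requires
  # re-enabling C.2 in the same change.
  #iptables -P FORWARD DROP

  iptables -A INPUT -i lo -j ACCEPT
  iptables -A OUTPUT -o lo -j ACCEPT
}

# A.3-A.6: user chains shared by INPUT, FORWARD and OUTPUT.
fw_user_chains()
{
  iptables -N bad_tcp_packets
  iptables -N allowed
  iptables -N icmp_packets

  # A.4: TCP sanity checks. A NEW connection must begin with a bare SYN:
  # SYN+ACK as the first packet gets a reset, any other non-SYN "new"
  # packet is logged and dropped. (In the original the REJECT and LOG rules
  # were run together on one line, so iptables rejected both.)
  iptables -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \
    -m state --state NEW -j REJECT --reject-with tcp-reset
  iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW \
    -j LOG --log-prefix "New not syn:"
  iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

  # A.5: "allowed" - accept a fresh SYN or an established flow, drop the rest.
  # NOTE(review): nothing jumps here while the B.4/C.2 port loops are
  # commented out.
  iptables -A allowed -p tcp --syn -j ACCEPT
  iptables -A allowed -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A allowed -p tcp -j DROP

  # A.6: echo-request (8) and time-exceeded (11) accepted from anywhere;
  # any other ICMP type falls back to the calling chain.
  iptables -A icmp_packets -p icmp -s 0/0 --icmp-type 8 -j ACCEPT
  iptables -A icmp_packets -p icmp -s 0/0 --icmp-type 11 -j ACCEPT
}

# B: INPUT chain (traffic addressed to the firewall host itself).
fw_input_chain()
{
  # B.1/B.2
  iptables -A INPUT -p tcp -j bad_tcp_packets
  iptables -A INPUT -p icmp -s 0/0 -j icmp_packets

  # B.3: TEMPORARY (author's marker) - accept everything arriving on the
  # public interface. While this rule exists the INPUT DROP policy, the
  # source-address rules below and the B.4 port list have no effect on
  # public traffic. Kept only to preserve the current behaviour; the
  # intended end state is the B.4 loop with this rule removed.
  #iptables -A INPUT -i "$DMZ_IF" -j DROP
  iptables -A INPUT -i "$PUBLIC_IF" -j ACCEPT

  # Trusted hosts, matched by source address only. NOTE(review): there is
  # no -i match and rp_filter is disabled in firewall_basic, so the match
  # does not depend on which interface the packet arrives on; adding
  # -i "$DMZ_IF" would pin these addresses to the DMZ side.
  for host in 192.168.2.1 192.168.2.2 192.168.2.3 192.168.2.4; do
    iptables -A INPUT -s "$host" -j ACCEPT
  done

  # B.4: per-port allow list for the public net (disabled by the author).
  #for PORT in $PUBLIC_PORT_ALLOW; do
  #  iptables -A INPUT -i "$PUBLIC_IF" -p tcp --dport "$PORT" -j allowed
  #done

  # B.5: replies to connections the firewall host itself opened.
  iptables -A INPUT -i "$PUBLIC_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT

  # B.6: rate-limited log of whatever is about to hit the DROP policy.
  iptables -A INPUT -m limit --limit 3/minute --limit-burst 3 \
    -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "
}

# C: FORWARD chain (traffic routed between the DMZ and public interfaces).
fw_forward_chain()
{
  # C.1
  iptables -A FORWARD -p tcp -j bad_tcp_packets
  #iptables -A FORWARD -p icmp -s 0/0 -j icmp_packets

  # C.2: DMZ -> public per-port list (disabled by the author).
  #for PORT in $PORT_FORWARD; do
  #  iptables -A FORWARD -p tcp -i "$DMZ_IF" --dport "$PORT" -j allowed
  #done

  # C.3
  iptables -A FORWARD -p all -s 127.0.0.1 -o "$PUBLIC_IF" -j ACCEPT

  # C.4: log what reaches the end of the chain. There is no DROP after
  # this, so the FORWARD policy (ACCEPT, see fw_policies) decides.
  iptables -A FORWARD -m limit --limit 3/minute --limit-burst 3 \
    -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died: "
}

# D: OUTPUT chain (traffic generated by the firewall host itself).
fw_output_chain()
{
  # D.1
  iptables -A OUTPUT -p tcp -j bad_tcp_packets
  # D.2: OUTPUT policy is already ACCEPT; this only skips the log rule for
  # the public interface.
  iptables -A OUTPUT -o "$PUBLIC_IF" -j ACCEPT
  # D.3: the original prefix said "FORWARD" here (copy-paste), which made
  # OUTPUT and FORWARD log lines indistinguishable.
  iptables -A OUTPUT -m limit --limit 3/minute --limit-burst 3 \
    -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "
}

# F.2: masquerade everything leaving through the public interface.
fw_nat()
{
  iptables -t nat -A POSTROUTING -o "$PUBLIC_IF" -j MASQUERADE
}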

## Main routines
#######################################
# Bring the firewall up: kernel knobs, clean slate, then the rule set.
# NOTE(review): firewall_flush resets the built-in policies to ACCEPT and
# firewall_input only sets INPUT back to DROP as its first step, so every
# start/restart/reload has a brief window with no filtering.
# Returns:   always 0, regardless of iptables errors
#######################################
firewall_start()
{
  firewall_basic   # ip_forward
  firewall_flush   # empty chains, ACCEPT policies
  firewall_input   # the actual rule set
  return 0
}

#######################################
# Take the firewall down. Note that "down" means fully open: all rules are
# flushed and the built-in policies are left at ACCEPT.
# Returns:   always 0
#######################################
firewall_stop() {
  firewall_flush
  return 0
}

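# Dispatch on the first argument, init-script style.
case "$1" in
  start)
    echo "Starting firewall ..."
    firewall_start
    ;;
  stop)
    echo "Stopping firewall ..."
    firewall_stop
    ;;
  frestart)
    # Same sequence as firewall_start but without its forced "return 0",
    # so the script's exit status reflects the last iptables call.
    echo "Only restart firewall ..."
    firewall_basic
    firewall_flush
    firewall_input
    ;;
  restart)
    echo "Restarting firewall ..."
    ## Restarting should not stop the firewall
    ## Since stopping opens the ports for a moment
    firewall_start
    ;;
  reload)
    echo "Reloading firewall ..."
    firewall_start
    ;;
  status)
    iptables -nL
    echo
    iptables -t nat -nL
    ;;
  *)
    # Usage errors go to stderr and exit non-zero; the original printed
    # to stdout and exited 0, which hides a mistyped action from callers.
    echo "Usage $0 {start|stop|frestart|restart|reload|status}" >&2
    exit 1
    ;;
esac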
