Linux, UNIX, Open Source: advice and help with problems and questions around GNU/Linux, BSD and other UNIXes
#1
|
Senior Member
How do I have to set up iptables so that requests arriving on the interface 10.0.0.253:3128 are automatically forwarded via the interface 10.65.0.5 (10.0.0.253 and 10.65.0.5 are on the same machine) to 10.65.0.16:3128?

Regards, cruxx
#2
|
Veteran
Registered since: 20.05.2003
Age: 51
Posts: 398
This should get you what you want:
```sh
# example script for your firewall:
# eth0 --> 10.0.0.253/8 = external

log() {
    test -x "$LOGGER" && $LOGGER -p info "$1"
}

va_num=1
add_addr() {
    addr=$1
    nm=$2
    dev=$3
    type=""
    aadd=""
    L=`$IP -4 link ls $dev | grep "$dev:"`
    if test -n "$L"; then
        OIFS=$IFS
        IFS=" /:,<"
        set $L
        type=$4
        IFS=$OIFS
        L=`$IP -4 addr ls $dev to $addr | grep " inet "`
        if test -n "$L"; then
            OIFS=$IFS
            IFS=" /"
            set $L
            aadd=$2
            IFS=$OIFS
        fi
    fi
    if test -z "$aadd"; then
        if test "$type" = "POINTOPOINT"; then
            $IP -4 addr add $addr dev $dev scope global label $dev:FWB${va_num}
            va_num=`expr $va_num + 1`
        fi
        if test "$type" = "BROADCAST"; then
            $IP -4 addr add $addr/$nm dev $dev brd + scope global label $dev:FWB${va_num}
            va_num=`expr $va_num + 1`
        fi
    fi
}

getaddr() {
    dev=$1
    name=$2
    L=`$IP -4 addr show dev $dev | grep inet`
    test -z "$L" && {
        eval "$name=''"
        return
    }
    OIFS=$IFS
    IFS=" /"
    set $L
    eval "$name=$2"
    IFS=$OIFS
}

getinterfaces() {
    NAME=$1
    $IP link show | grep -E "$NAME[^ ]*: " | while read L; do
        OIFS=$IFS
        IFS=" :"
        set $L
        IFS=$OIFS
        echo $2
    done
}

LSMOD="/sbin/lsmod"
MODPROBE="/sbin/modprobe"
IPTABLES="/sbin/iptables"
IP="/sbin/ip"
LOGGER="/usr/bin/logger"

INTERFACES="eth0 eth1 lo "
for i in $INTERFACES ; do
    $IP link show "$i" > /dev/null 2>&1 || {
        echo Interface $i does not exist
        exit 1
    }
done

$IP -4 neigh flush dev eth0 >/dev/null 2>&1
$IP -4 addr flush dev eth0 label "eth0:FWB*" >/dev/null 2>&1
$IP -4 neigh flush dev eth1 >/dev/null 2>&1
$IP -4 addr flush dev eth1 label "eth1:FWB*" >/dev/null 2>&1

add_addr 10.0.0.253 8 eth0
$IP link set eth0 up
add_addr 10.65.0.5 24 eth1
$IP link set eth1 up
add_addr 127.0.0.1 8 lo
$IP link set lo up

$IPTABLES -P OUTPUT DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP

# flush and delete every chain in every loaded table
cat /proc/net/ip_tables_names | while read table; do
    $IPTABLES -t $table -L -n | while read c chain rest; do
        if test "X$c" = "XChain" ; then
            $IPTABLES -t $table -F $chain
        fi
    done
    $IPTABLES -t $table -X
done

# load the conntrack and NAT modules that are not loaded yet
MODULE_DIR="/lib/modules/`uname -r`/kernel/net/ipv4/netfilter/"
MODULES=`(cd $MODULE_DIR; ls *_conntrack_* *_nat_* | sed 's/\.o.*$//; s/\.ko$//')`
for module in $(echo $MODULES); do
    if $LSMOD | grep ${module} >/dev/null; then continue; fi
    $MODPROBE ${module} || exit 1
done

#
# Rule 0(NAT)
#
#
$IPTABLES -t nat -A PREROUTING -p tcp -d 10.0.0.253 --destination-port 3128 -j DNAT --to-destination 10.65.0.16
#
# Rule 1(NAT)
#
#
$IPTABLES -t nat -A POSTROUTING -o eth0 -s 10.65.0.0/24 -j SNAT --to-source 10.0.0.253
#
#
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Rule 0(lo)
#
# allow all connections to the 'loopback' interface
#
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
#
# Rule 0(global)
#
# SSH access to the firewall
#
$IPTABLES -A INPUT -p tcp -s 10.65.0.0/24 -d 10.0.0.253 --destination-port 22 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p tcp -s 10.65.0.0/24 -d 10.65.0.5 --destination-port 22 -m state --state NEW -j ACCEPT
#
# Rule 1(global)
#
# 'masquerading' rule
#
$IPTABLES -A INPUT -s 10.65.0.0/24 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -s 10.65.0.0/24 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -s 10.65.0.0/24 -m state --state NEW -j ACCEPT
#
# Rule 2(global)
#
#
#
$IPTABLES -N RULE_2
$IPTABLES -A OUTPUT -p tcp -d 10.0.0.253 --destination-port 3128 -m state --state NEW -j RULE_2
$IPTABLES -A INPUT -p tcp -d 10.0.0.253 --destination-port 3128 -m state --state NEW -j RULE_2
$IPTABLES -A RULE_2 -j LOG --log-level info --log-prefix "RULE 2 -- ACCEPT "
$IPTABLES -A RULE_2 -j ACCEPT
#
# Rule 3(global)
#
# 'catch all' rule
#
$IPTABLES -N RULE_3
$IPTABLES -A OUTPUT -j RULE_3
$IPTABLES -A INPUT -j RULE_3
$IPTABLES -A FORWARD -j RULE_3
$IPTABLES -A RULE_3 -j LOG --log-level info --log-prefix "RULE 3 -- DENY "
$IPTABLES -A RULE_3 -j DROP
#
#
echo 1 > /proc/sys/net/ipv4/ip_forward
```

Regards, jorge
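For reference, the minimal rule set that does exactly what #1 asks for, as an added example and not the script posted above. It assumes the interface names eth0 (carrying 10.0.0.253, where the requests arrive) and eth1 (carrying 10.65.0.5, toward the proxy); the point it makes is that a packet rewritten by DNAT in PREROUTING is no longer addressed to this host, so it must be accepted in FORWARD rather than INPUT, and that replies only come back through this box if the proxy routes them here or the connection is source-NATed.

```shell
#!/bin/sh
# Added example, not the poster's script: the minimal rule set for the question in #1.
# Assumptions: eth0 carries 10.0.0.253 (where requests arrive), eth1 carries 10.65.0.5
# (toward the proxy). With DRY_RUN=1 the commands are printed instead of executed.
IPTABLES=${IPTABLES:-/sbin/iptables}
EXT_IF=eth0; EXT_IP=10.0.0.253
INT_IF=eth1; INT_IP=10.65.0.5
PROXY=10.65.0.16; PORT=3128

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$IPTABLES $*"; else "$IPTABLES" "$@"; fi
}

# The rules that redirect $EXT_IP:$PORT to $PROXY:$PORT.
squid_dnat_rules() {
    # 1. Rewrite the destination before routing. After this the packet is no longer
    #    addressed to this host, so it traverses FORWARD, never INPUT.
    run -t nat -A PREROUTING -i "$EXT_IF" -p tcp -d "$EXT_IP" --dport "$PORT" \
        -j DNAT --to-destination "$PROXY:$PORT"
    # 2. Accept the rewritten connection in FORWARD. With policy DROP and no such
    #    rule the redirect fails silently.
    run -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp -d "$PROXY" --dport "$PORT" \
        -m state --state NEW -j ACCEPT
    run -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 3. Only needed if 10.65.0.16 does not route replies back through 10.65.0.5:
    #    source-NAT the forwarded connection so replies return via this box.
    #    Cost: the proxy then logs 10.65.0.5 instead of the real client address.
    run -t nat -A POSTROUTING -o "$INT_IF" -p tcp -d "$PROXY" --dport "$PORT" \
        -j SNAT --to-source "$INT_IP"
}

# Number of iptables commands the function would issue (dry run, nothing applied).
rule_count() {
    ( DRY_RUN=1; squid_dnat_rules ) | grep -c "^$IPTABLES "
}

# Forwarding must be on, or DNAT'd packets are dropped before FORWARD is consulted.
enable_forwarding() {
    [ "${DRY_RUN:-0}" = 1 ] || echo 1 > /proc/sys/net/ipv4/ip_forward
}

# To apply as root: enable_forwarding; squid_dnat_rules
# To review first:  DRY_RUN=1; squid_dnat_rules
```

Whether the redirect actually works is visible in the counters of `iptables -t nat -L PREROUTING -v -n` and `iptables -L FORWARD -v -n`: a DNAT hit with no matching FORWARD hit means the FORWARD chain is dropping it.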
#3
|
Senior Member
Thanks for the tip!!!