Alguien me ayuda con IPTABLES de LINUX????Douka
Publicado por juan (2 intervenciones) el 07/03/2006 12:32:19
Buenas!! A ver chicos, tengo un fichero de configuración del firewall que se nos resiste con las reglas de IPTABLES, el problema está en que por defecto, el programa nos genera un archivo como el que presento a continuación:
Cherubino tiene este código... escribió:
#!/bin/sh
# $Id: firewall.ini,v 1.3 2005/03/28 09:43:01 thomasez Exp $
# If you want the box to just act as a router, uncomment the 2 lines below
echo 1 > /proc/sys/net/ipv4/ip_forward
exit 0
# Firewall setup.
. /etc/config
# Do you want to do port forwaring to an internal server?
# Set the server IP here and sort out the port stuff later in this file.
SERVER_IP=192.168.4.15
#
# Stopping forwarding (this script may be run during normal uptime because
# for re-lease of HDCP or demand dialing / PPPoE.
#
# echo "0" > /proc/sys/net/ipv4/ip_forward
#
# Overriding the /etc/config and adding additional information.
#
. /etc/outside.info
. /etc/inside.info
#
# Brad suggested this:
# And he suggested to check and maybe change the formatting.
# We'll do that later.
#
echo "Starting firewall with the following config:"
printf "\t\t Inside\t\tOutside
Physical device: %-15s\t%-15s
Logical device: %-15s\t%-15s
\t Network: %-15s\t%-15s
IP Address: %-15s\t%-15s
\t Netmask: %-15s\t%-15s
Broadcast: %-15s\t%-15s
\t Gateway: %-15s\t%-15s\n" $INSIDE_DEV $OUTSIDE_DEV \
$INSIDE_DEVICE $OUTSIDE_DEVICE \
$INSIDE_NETWORK $OUTSIDE_NETWORK \
$INSIDE_IP $OUTSIDE_IP \
$INSIDE_NETMASK $OUTSIDE_NETMASK \
$INSIDE_BROADCAST $OUTSIDE_BROADCAST \
"[None Set]" $OUTSIDE_GATEWAY
#
# Flushing the chains.
#
iptables -F
iptables -X
iptables -Z
for i in `cat /proc/net/ip_tables_names`
do
iptables -F -t $i
iptables -X -t $i
iptables -Z -t $i
done
#
# Policy for chains DROP everything
#
0
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
#
# SYN-Flooding protection
# Looks good and nicked from a firewall script mentioned on floppyfw.something.
# Didn't work that well..
#
iptables -N syn-flood
iptables -A INPUT -i ${OUTSIDE_DEVICE} -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A syn-flood -j DROP
# Make sure NEW tcp connections are SYN packets
iptables -A INPUT -i ${OUTSIDE_DEVICE} -p tcp ! --syn -m state --state NEW -j DROP
#
# Good old masquerading.
#
iptables -t nat -A POSTROUTING -s ${INSIDE_NETWORK}/${INSIDE_NETMASK} -o ${OUTSIDE_DEVICE} -j MASQUERADE
# Web:
iptables -A PREROUTING -t nat -p tcp -d ${OUTSIDE_IP} --dport 80 -j DNAT --to ${SERVER_IP}:80
iptables -A FORWARD -p tcp -d ${SERVER_IP} --dport 80 -o ${INSIDE_DEVICE} -j ACCEPT
# This rule helps the "I can't reach my web server from the inside" problem.
iptables -A POSTROUTING -t nat -p tcp -d ${SERVER_IP} --dport 80 -s ${INSIDE_NETWORK}/${INSIDE_NETMASK} -j SNAT --to ${OUTSIDE_IP}
# FTP:
#iptables -A PREROUTING -t nat -p tcp -d ${OUTSIDE_IP} --dport 21 -j DNAT --to ${SERVER_IP}:21
#iptables -A FORWARD -p tcp -d ${SERVER_IP} --dport 21 -o ${INSIDE_DEVICE} -j ACCEPT
#
# Keep state and open up for outgoing connections.
#
iptables -A FORWARD -m state --state NEW -i ${INSIDE_DEVICE} -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW,INVALID -i ${OUTSIDE_DEVICE} -j DROP
#
# This is mainly for PPPoE usage but it won't hurt anyway so we'll just
# keep it here.
#
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
#
# We don't like the NetBIOS and Samba leaking..
#
iptables -t nat -A PREROUTING -p TCP --dport 135:139 -j DROP
iptables -t nat -A PREROUTING -p UDP --dport 137:139 -j DROP
iptables -t nat -A PREROUTING -p TCP --dport 445 -j DROP
iptables -t nat -A PREROUTING -p UDP --dport 445 -j DROP
Falta más código pero no es necesario. Nuestro problema es que queremos que el firewall nos permita tener acceso WEB pero no FTP, lo demás estará negado por defecto de la política de IPTABLES utilizada, sin embargo con este código no tenemos acceso WEB ni FTP...
A ver si alguien me puede echar un cable. Gracias.
P.D.: Este fichero es el Firewall.ini que te genera el FLOPPYFW de linux
Cherubino tiene este código... escribió:
#!/bin/sh
# $Id: firewall.ini,v 1.3 2005/03/28 09:43:01 thomasez Exp $
# If you want the box to just act as a router, uncomment the 2 lines below
echo 1 > /proc/sys/net/ipv4/ip_forward
exit 0
# Firewall setup.
. /etc/config
# Do you want to do port forwaring to an internal server?
# Set the server IP here and sort out the port stuff later in this file.
SERVER_IP=192.168.4.15
#
# Stopping forwarding (this script may be run during normal uptime because
# for re-lease of HDCP or demand dialing / PPPoE.
#
# echo "0" > /proc/sys/net/ipv4/ip_forward
#
# Overriding the /etc/config and adding additional information.
#
. /etc/outside.info
. /etc/inside.info
#
# Brad suggested this:
# And he suggested to check and maybe change the formatting.
# We'll do that later.
#
echo "Starting firewall with the following config:"
printf "\t\t Inside\t\tOutside
Physical device: %-15s\t%-15s
Logical device: %-15s\t%-15s
\t Network: %-15s\t%-15s
IP Address: %-15s\t%-15s
\t Netmask: %-15s\t%-15s
Broadcast: %-15s\t%-15s
\t Gateway: %-15s\t%-15s\n" $INSIDE_DEV $OUTSIDE_DEV \
$INSIDE_DEVICE $OUTSIDE_DEVICE \
$INSIDE_NETWORK $OUTSIDE_NETWORK \
$INSIDE_IP $OUTSIDE_IP \
$INSIDE_NETMASK $OUTSIDE_NETMASK \
$INSIDE_BROADCAST $OUTSIDE_BROADCAST \
"[None Set]" $OUTSIDE_GATEWAY
#
# Flushing the chains.
#
iptables -F
iptables -X
iptables -Z
for i in `cat /proc/net/ip_tables_names`
do
iptables -F -t $i
iptables -X -t $i
iptables -Z -t $i
done
#
# Policy for chains DROP everything
#
0
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
#
# SYN-Flooding protection
# Looks good and nicked from a firewall script mentioned on floppyfw.something.
# Didn't work that well..
#
iptables -N syn-flood
iptables -A INPUT -i ${OUTSIDE_DEVICE} -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A syn-flood -j DROP
# Make sure NEW tcp connections are SYN packets
iptables -A INPUT -i ${OUTSIDE_DEVICE} -p tcp ! --syn -m state --state NEW -j DROP
#
# Good old masquerading.
#
iptables -t nat -A POSTROUTING -s ${INSIDE_NETWORK}/${INSIDE_NETMASK} -o ${OUTSIDE_DEVICE} -j MASQUERADE
# Web:
iptables -A PREROUTING -t nat -p tcp -d ${OUTSIDE_IP} --dport 80 -j DNAT --to ${SERVER_IP}:80
iptables -A FORWARD -p tcp -d ${SERVER_IP} --dport 80 -o ${INSIDE_DEVICE} -j ACCEPT
# This rule helps the "I can't reach my web server from the inside" problem.
iptables -A POSTROUTING -t nat -p tcp -d ${SERVER_IP} --dport 80 -s ${INSIDE_NETWORK}/${INSIDE_NETMASK} -j SNAT --to ${OUTSIDE_IP}
# FTP:
#iptables -A PREROUTING -t nat -p tcp -d ${OUTSIDE_IP} --dport 21 -j DNAT --to ${SERVER_IP}:21
#iptables -A FORWARD -p tcp -d ${SERVER_IP} --dport 21 -o ${INSIDE_DEVICE} -j ACCEPT
#
# Keep state and open up for outgoing connections.
#
iptables -A FORWARD -m state --state NEW -i ${INSIDE_DEVICE} -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW,INVALID -i ${OUTSIDE_DEVICE} -j DROP
#
# This is mainly for PPPoE usage but it won't hurt anyway so we'll just
# keep it here.
#
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
#
# We don't like the NetBIOS and Samba leaking..
#
iptables -t nat -A PREROUTING -p TCP --dport 135:139 -j DROP
iptables -t nat -A PREROUTING -p UDP --dport 137:139 -j DROP
iptables -t nat -A PREROUTING -p TCP --dport 445 -j DROP
iptables -t nat -A PREROUTING -p UDP --dport 445 -j DROP
Falta más código pero no es necesario. Nuestro problema es que queremos que el firewall nos permita tener acceso WEB pero no FTP, lo demás estará negado por defecto de la política de IPTABLES utilizada, sin embargo con este código no tenemos acceso WEB ni FTP...
A ver si alguien me puede echar un cable. Gracias.
P.D.: Este fichero es el Firewall.ini que te genera el FLOPPYFW de linux
Valora esta pregunta
0