iptables設定
研究でルータが必要なので, こちらを参考にして, iptables_gateway.shを作ってみた.
monitorとなっているサーバへはWANからでも送れるようにしてある.
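#!/bin/sh
#
# iptables_gateway.sh -- NAT gateway (router) ruleset for a two-NIC host.
#
# Topology (see the variables below):
#   WAN side : $WAN_IF, masqueraded
#   LAN side : $LAN_IF
#   $MONITOR_ADDR on the LAN is reachable from the WAN on HTTP (tcp/80).
#
# All three built-in chains default to DROP. Traffic is sorted into one
# user chain per direction (wan_server, lan_server, server_wan, server_lan,
# wan_lan, lan_wan) and anything a policy does not accept ends in log_drop.
#
# Requires: root, the iptables init script (/etc/init.d/iptables) for
# save/start, and -- only for WAN_ADDR -- an ifconfig printing "inet addr:".
#
# Fails closed: any failing command aborts the script, and IP forwarding is
# switched off while the rules are replaced and only re-enabled once the
# complete ruleset is loaded.
set -eu

#====================
# setup of variables
#====================
WAN_IF=eth1
LAN_IF=eth0
LOOPBACK_ADDR=127.0.0.1        # not referenced by any rule; kept for reference
MONITOR_ADDR=192.168.1.103     # LAN host exposed to the WAN on tcp/80
IP_FORWARD=/proc/sys/net/ipv4/ip_forward
# WAN_ADDR is not referenced by any rule either. It is read from $WAN_IF
# (the original read eth0, i.e. the LAN side). The sed pattern only matches
# the classic "inet addr:" ifconfig output and yields "" otherwise.
WAN_ADDR=$(ifconfig "$WAN_IF" | sed -e 's/^.*inet addr:\([0-9.]*\).*/\1/p' -e d)

# Print a message to stderr and exit non-zero.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Write $1 (0 or 1) to net.ipv4.ip_forward.
set_ip_forward() {
  echo "$1" > "$IP_FORWARD" || die "cannot write $IP_FORWARD"
}

# Stop the iptables service, remove every rule, user chain and counter,
# then install the DROP default policies. The service's stop step
# typically leaves ACCEPT policies behind, which is why forwarding is
# disabled by main() before this runs.
reset_rules() {
  /etc/init.d/iptables stop
  iptables -F
  iptables -t nat -F
  iptables -X
  iptables -Z
  iptables -P INPUT DROP
  iptables -P OUTPUT DROP
  iptables -P FORWARD DROP
}

# Create the per-direction user chains, hook them into the built-in
# chains, and create the log_drop chain used as every policy's catch-all.
create_chains() {
  # wan_server : WAN-->Server     lan_server : LAN-->Server
  # server_lan : Server-->LAN     server_wan : Server-->WAN
  # wan_lan    : WAN-->LAN        lan_wan    : LAN-->WAN
  for chain in wan_server lan_server server_lan server_wan wan_lan lan_wan; do
    iptables -N "$chain"
  done
  iptables -A INPUT   -i "$WAN_IF" -j wan_server
  iptables -A INPUT   -i "$LAN_IF" -j lan_server
  iptables -A OUTPUT  -o "$WAN_IF" -j server_wan
  iptables -A OUTPUT  -o "$LAN_IF" -j server_lan
  iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -j wan_lan
  iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j lan_wan

  # log_drop: log (rate-limited so a flood cannot fill the log), then drop.
  # The original appended a rule with no target ahead of the DROP, which
  # only counted packets; -j LOG is what the chain name promises.
  iptables -N log_drop
  iptables -A log_drop -m limit --limit 5/min -j LOG --log-prefix "iptables drop: "
  iptables -A log_drop -j DROP
}

# Masquerade everything leaving on the WAN interface.
setup_nat() {
  iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# Loopback is accepted unconditionally. These rules sit behind the
# interface jumps appended in create_chains(), as in the original.
allow_loopback() {
  iptables -A INPUT  -i lo -j ACCEPT
  iptables -A OUTPUT -o lo -j ACCEPT
}

# Server<-->LAN: the LAN is fully trusted in both directions.
lan_policies() {
  iptables -A server_lan -j ACCEPT
  iptables -A lan_server -j ACCEPT
}

# Server-->WAN: replies to existing connections, outbound ping and DNS
# only; this host cannot open TCP connections towards the WAN itself.
server_wan_policy() {
  iptables -A server_wan -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A server_wan -p icmp --icmp-type 8 -j ACCEPT   # echo-request
  iptables -A server_wan -p udp --dport 53 -j ACCEPT       # DNS
  iptables -A server_wan -j log_drop
}

# WAN-->Server: services this host offers to the WAN.
wan_server_policy() {
  iptables -A wan_server -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A wan_server -p icmp --icmp-type 0 -j ACCEPT   # echo-reply
  # NOTE(review): FTP data channels depend on the conntrack FTP helper,
  # which this script does not load -- confirm on the target kernel.
  iptables -A wan_server -p tcp --dport 20 -j ACCEPT       # FTP-data
  iptables -A wan_server -p tcp --dport 21 -j ACCEPT       # FTP
  iptables -A wan_server -p tcp --dport 25 -j ACCEPT       # SMTP
  iptables -A wan_server -p tcp --dport 110 -j ACCEPT      # POP3
  iptables -A wan_server -p tcp --dport 80 -j ACCEPT       # HTTP
  iptables -A wan_server -p tcp --dport 443 -j ACCEPT      # HTTPS
  iptables -A wan_server -j log_drop
}

# LAN-->WAN: what LAN hosts may open towards the WAN.
lan_wan_policy() {
  iptables -A lan_wan -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A lan_wan -p icmp --icmp-type 8 -j ACCEPT      # echo-request
  iptables -A lan_wan -p tcp --dport 20 -j ACCEPT          # FTP-data
  iptables -A lan_wan -p tcp --dport 21 -j ACCEPT          # FTP
  iptables -A lan_wan -p tcp --dport 22 -j ACCEPT          # SSH
  iptables -A lan_wan -p tcp --dport 80 -j ACCEPT          # HTTP
  iptables -A lan_wan -p tcp --dport 8080 -j ACCEPT        # HTTP (alt)
  iptables -A lan_wan -p tcp --dport 110 -j ACCEPT         # POP3
  iptables -A lan_wan -p tcp --dport 25 -j ACCEPT          # SMTP
  # NTP runs over UDP; the original matched tcp/123, which NTP never uses.
  iptables -A lan_wan -p udp --dport 123 -j ACCEPT         # NTP
  iptables -A lan_wan -p tcp --dport 443 -j ACCEPT         # HTTPS
  # No DNS rule here: presumably LAN hosts use this router as their
  # resolver (lan_server accepts everything) -- confirm.
  iptables -A lan_wan -j log_drop
}

# WAN-->LAN: replies plus HTTP to the monitor host only.
wan_lan_policy() {
  iptables -A wan_lan -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A wan_lan -p icmp --icmp-type 0 -j ACCEPT      # echo-reply
  # NOTE(review): this only takes effect if packets from the WAN actually
  # arrive addressed to $MONITOR_ADDR; no DNAT is configured here -- confirm.
  iptables -A wan_lan -p tcp -d "$MONITOR_ADDR" --dport 80 -j ACCEPT
  iptables -A wan_lan -j log_drop
}

# Persist the ruleset and (re)start the service so it is loaded at boot.
persist_rules() {
  /etc/init.d/iptables save
  /etc/init.d/iptables start
}

main() {
  modprobe iptable_nat
  # Keep forwarding off until the whole ruleset is in place. The original
  # enabled it first, so the box forwarded unfiltered between the service
  # stop and the DROP policies.
  set_ip_forward 0
  reset_rules
  create_chains
  setup_nat
  allow_loopback
  lan_policies
  server_wan_policy
  wan_server_policy
  lan_wan_policy
  wan_lan_policy
  persist_rules
  set_ip_forward 1
}

main "$@"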