Firewall на ADSL.

# ADSL modem ip ADSL_IP="10.0.0.138"

INET_IFACE_PPP="ppp+" INET_IP_ETH="10.200.1.1" INET_IFACE_ETH="eth0"

LAN_IP="192.168.1.2" LAN_IP_RANGE="192.168.1.0/24" LAN_BCAST_ADRESS="192.168.1.5" LAN_IFACE="eth1"

LO_IFACE="lo" LO_IP="127.0.0.1"

IPTABLES="/sbin/iptables"

$IPTABLES -P INPUT DROP $IPTABLES -P OUTPUT DROP $IPTABLES -P FORWARD DROP

$IPTABLES -N allowed $IPTABLES -N icmp_packets $IPTABLES -N tcp_packets $IPTABLES -N udpincoming_packets $IPTABLES -N adsl_chain_in $IPTABLES -N adsl_chain_out

$IPTABLES -A allowed -p TCP --syn -j ACCEPT $IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A allowed -p TCP -j REJECT

$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 0 -j ACCEPT

$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 3 -j ACCEPT

$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed

$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT

$IPTABLES -A adsl_chain_in -p 47 -j ACCEPT $IPTABLES -A adsl_chain_in -p tcp --sport 1723 -j ACCEPT

$IPTABLES -A INPUT -p tcp -j bad_tcp_packets

$IPTABLES -A INPUT -p all -i $INET_IFACE_ETH -s $ADSL_IP -j adsl_chain_in

$IPTABLES -A INPUT -p ICMP -i $INET_IFACE_PPP -j icmp_packets $IPTABLES -A INPUT -p TCP -i $INET_IFACE_PPP -j tcp_packets $IPTABLES -A INPUT -p UDP -i $INET_IFACE_PPP -j udpincoming_packets

$IPTABLES -A INPUT -p ALL -i $LO_IFACE -d $LAN_IP -j ACCEPT

$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LO_IFACE -j ACCEPT

$IPTABLES -A INPUT -p ALL -i $INET_IFACE_PPP -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG\ --log-level DEBUG --log-prefix "IPT INPUT packet died:"

$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A adsl_chain_out -p 47 -j ACCEPT $IPTABLES -A adsl_chain_out -p tcp --dport 1723 -j ACCEPT

$IPTABLES -A OUTPUT -p all -o $INET_IFACE_ETH -d $ADSL_IP -j adsl_chain_out

$IPTABLES -A OUTPUT -p ICMP -o $INET_IFACE_PPP -j icmp_packets $IPTABLES -A OUTPUT -p TCP -o $INET_IFACE_PPP -j tcp_packets $IPTABLES -A OUTPUT -p UDP -o $INET_IFACE_PPP -j udpincoming_packets

$IPTABLES -A OUTPUT -p ALL -o $LO_IFACE -j ACCEPT $IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT $IPTABLES -A OUTPUT -p ALL -o $INET_IFACE_PPP -j ACCEPT

$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG\ --log-level DEBUG --log-prefix "IPT OUTPUT packet died:"

anonymous
(24.11.02 18:18:00 MSK)

Ссылка

Похожие темы