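#! /bin/sh
#
# iptables-nat-router.sh -- firewall setup for a NAT router that also
#                           serves as a web server
#
# 0.0: Apr. 11, 2010 by Dai ISHIJIMA
# 0.1: Apr. 17, 2010
#
# see also:
#   Linux Server Security (ISBN4-87311-149-8)
#   Linux Network Administration, 3rd ed. (ISBN4-87311-247-8)
#   http://www.atmarkit.co.jp/flinux/index/indexfiles/iptablesindex.html
#   (note: the @IT pages above contain many typos; double-check them)
#
# Usage:  run as root.
#         DEBUG=YES ./iptables-nat-router.sh   prints the iptables commands
#         (and the ip_forward write) instead of executing them -- a dry run
#         with no side effects.
#
# Resulting policy (summary of the rules below):
#   INPUT/OUTPUT/FORWARD default DROP, everything else is an explicit hole.
#   LAN (${inet}) may reach the world via NAT on tcp/80, tcp/443, udp/53,
#   udp/123 and non-echo ICMP.  The host serves tcp/80 to anyone and tcp/22
#   to ${friends} on ${oip}; it may itself use DNS, NTP, HTTP and HTTPS.
#

# Abort on the first failing command or unset variable.  Because the
# policies are set to DROP first, an aborted run fails closed rather than
# leaving a silently half-applied ruleset.
set -eu

#
# interfaces and addresses
#
iif="eth1"                          # internal (LAN) interface
iip="192.168.1.254"                 # this host's address on ${iif}
inet="192.168.1.0/24"               # internal network
oif="eth0"                          # external (WAN) interface
oip="172.16.32.50"                  # this host's address on ${oif}
onet="172.16.32.48/29"              # external subnet (not referenced below)
anywhere="0.0.0.0/0"
# hosts/networks allowed to open ssh sessions to ${oip} (space separated)
friends="172.16.32.48/29 10.11.12.13 192.168.0.0/24"

#
# DEBUG=YES: dry run -- echo the commands instead of running them
#
iptables="/sbin/iptables"
debug="no"
case "${DEBUG:-}" in
  YES)
    debug="yes"
    iptables="echo"
    ;;
esac

#
# default policies (-P requires a built-in chain, not a user-defined one)
#
# Set them to DROP *before* flushing: otherwise, on a box whose previous
# policy was ACCEPT, the host and the NAT are wide open between the flush
# and the last rule of this script.
#
${iptables} -P INPUT DROP
${iptables} -P OUTPUT DROP
${iptables} -P FORWARD DROP

# Enable routing only now that the FORWARD policy is DROP.
# In the dry run this is printed rather than written to /proc.
if [ "${debug}" = "yes" ]; then
  echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
else
  echo 1 > /proc/sys/net/ipv4/ip_forward
fi

#
# flush *ALL* iptables rules
#
${iptables} -F              # filter table
${iptables} -t nat -F       # NAT table, explicitly
${iptables} -X              # user-defined chains (filter table)

#
# create targets (user-defined chains)
#
# Earlier design, kept for reference -- note the "-m limit":
#iptables -A DROPLOG -j LOG --log-level warning \
#        --log-prefix "DROP:" -m limit
#iptables -A ACCEPTLOG -j LOG --log-level warning \
#        --log-prefix "ACCEPT:" -m limit
#
# NOTE: none of the LOG rules below is rate limited.  The catch-all
# DROP_ILAST/DROP_OLAST/DROP_FLAST chains at the end of the script log every
# unmatched packet, so a port scan or flood can fill the system log.
# Consider "-m limit --limit 3/minute" on the LOG rules if that matters.
#

# DROP_<name>: log with prefix "iptables DROP-<name>: ", then drop
drops="LOG DEFAULT LOOPBACK PRIVATE DHCP NAUTO NTEST PING NEW"
drops="$drops ILAST OLAST FLAST"
for d in ${drops}; do
  ${iptables} -N "DROP_${d}"
  ${iptables} -A "DROP_${d}" -j LOG --log-level warning \
    --log-prefix "iptables DROP-${d}: "
  ${iptables} -A "DROP_${d}" -j DROP
done

# DROP_<name>: silent drop (noisy traffic not worth logging)
drops="NBT RPC MCAST"
for d in ${drops}; do
  ${iptables} -N "DROP_${d}"
  ${iptables} -A "DROP_${d}" -j DROP
done

# ACCEPT_<name>: log with prefix "iptables ACCEPT-<name>: ", then accept
accepts="SSH LOG LAST"
for a in ${accepts}; do
  ${iptables} -N "ACCEPT_${a}"
  ${iptables} -A "ACCEPT_${a}" -j LOG --log-level warning \
    --log-prefix "iptables ACCEPT-${a}: "
  ${iptables} -A "ACCEPT_${a}" -j ACCEPT
done

# ACCEPT_<name>: silent accept
accepts="HTTP NOLOG"
for a in ${accepts}; do
  ${iptables} -N "ACCEPT_${a}"
  ${iptables} -A "ACCEPT_${a}" -j ACCEPT
done

#
# replies to connections this host already accepted/opened
# (first rule of INPUT: everything below is about NEW traffic)
#
${iptables} -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# loopback interface (accept)
#
# Only 127/8 sources are accepted here.  Locally originated connections to
# ${iip}/${oip} arrive on lo with a non-127/8 source; no later INPUT rule
# accepts them without "-i ${iif}"/"-i ${oif}", so they presumably fall
# through to DROP_ILAST.
#
${iptables} -A INPUT -i lo -s 127.0.0.0/8 -j ACCEPT
${iptables} -A OUTPUT -o lo -d 127.0.0.0/8 -j ACCEPT

#
# ingress filters
#
# loopback addresses on real interfaces
${iptables} -A INPUT -i "${oif}" -d 127.0.0.0/8 -j DROP_LOOPBACK
${iptables} -A INPUT -i "${iif}" -d 127.0.0.0/8 -j DROP_LOOPBACK
${iptables} -A OUTPUT -o "${oif}" -d 127.0.0.0/8 -j DROP_LOOPBACK
${iptables} -A OUTPUT -o "${iif}" -d 127.0.0.0/8 -j DROP_LOOPBACK
${iptables} -A FORWARD -d 127.0.0.0/8 -j DROP_LOOPBACK

# private addresses leaving on the external interface
# (172.16/12 and 192.168/16 stay commented out: ${onet} and one of the
# ${friends} networks live inside them)
${iptables} -A OUTPUT -o "${oif}" -d 10.0.0.0/8 -j DROP_PRIVATE
#${iptables} -A OUTPUT -o "${oif}" -d 172.16.0.0/12 -j DROP_PRIVATE
#${iptables} -A OUTPUT -o "${oif}" -d 192.168.0.0/16 -j DROP_PRIVATE

# dhcp ("this" network), auto-configuration, TEST-NET, multicast/reserved
${iptables} -A OUTPUT -d 0.0.0.0/8 -j DROP_DHCP
${iptables} -A OUTPUT -d 169.254.0.0/16 -j DROP_NAUTO
${iptables} -A OUTPUT -d 192.0.2.0/24 -j DROP_NTEST
${iptables} -A OUTPUT -d 224.0.0.0/4 -j DROP_MCAST
${iptables} -A OUTPUT -d 240.0.0.0/4 -j DROP_MCAST
#
${iptables} -A INPUT -d 0.0.0.0/8 -j DROP_DHCP
${iptables} -A INPUT -d 169.254.0.0/16 -j DROP_NAUTO
${iptables} -A INPUT -d 192.0.2.0/24 -j DROP_NTEST
${iptables} -A INPUT -d 224.0.0.0/4 -j DROP_MCAST
${iptables} -A INPUT -d 240.0.0.0/4 -j DROP_MCAST
#
${iptables} -A FORWARD -d 0.0.0.0/8 -j DROP_DHCP
${iptables} -A FORWARD -d 169.254.0.0/16 -j DROP_NAUTO
${iptables} -A FORWARD -d 192.0.2.0/24 -j DROP_NTEST
${iptables} -A FORWARD -d 224.0.0.0/4 -j DROP_MCAST
${iptables} -A FORWARD -d 240.0.0.0/4 -j DROP_MCAST

#
# drop Microsoft networking (NetBIOS: 137..139, MSDS: 445)
#
${iptables} -A INPUT -p tcp --dport 137:139 -j DROP_NBT
${iptables} -A INPUT -p udp --dport 137:139 -j DROP_NBT
${iptables} -A INPUT -p tcp --dport 445 -j DROP_NBT
${iptables} -A INPUT -p udp --dport 445 -j DROP_NBT
#
${iptables} -A OUTPUT -p tcp --dport 137:139 -j DROP_NBT
${iptables} -A OUTPUT -p udp --dport 137:139 -j DROP_NBT
${iptables} -A OUTPUT -p tcp --dport 445 -j DROP_NBT
${iptables} -A OUTPUT -p udp --dport 445 -j DROP_NBT
#
${iptables} -A FORWARD -p tcp --dport 137:139 -j DROP_NBT
${iptables} -A FORWARD -p udp --dport 137:139 -j DROP_NBT
${iptables} -A FORWARD -p tcp --dport 445 -j DROP_NBT
${iptables} -A FORWARD -p udp --dport 445 -j DROP_NBT
#
# NOTE: the four FORWARD rules just above already drop this traffic on every
# interface pair, so the logging variants below can never match.  They are
# kept as-is; move them above the DROP_NBT rules if LAN->WAN NetBIOS leaks
# should actually be logged.
${iptables} -A FORWARD -i "${iif}" -o "${oif}" -p tcp --dport 137:139 -j DROP_LOG
${iptables} -A FORWARD -i "${iif}" -o "${oif}" -p udp --dport 137:139 -j DROP_LOG
${iptables} -A FORWARD -i "${iif}" -o "${oif}" -p tcp --dport 445 -j DROP_LOG
${iptables} -A FORWARD -i "${iif}" -o "${oif}" -p udp --dport 445 -j DROP_LOG

#
# drop RPC (sunrpc: 111/tcp, 111/udp)
#
${iptables} -A INPUT -p tcp --dport 111 -j DROP_RPC
${iptables} -A INPUT -p udp --dport 111 -j DROP_RPC
#
${iptables} -A OUTPUT -p tcp --dport 111 -j DROP_RPC
${iptables} -A OUTPUT -p udp --dport 111 -j DROP_RPC
#
${iptables} -A FORWARD -p tcp --dport 111 -j DROP_RPC
${iptables} -A FORWARD -p udp --dport 111 -j DROP_RPC
#
# (same remark as for NetBIOS: shadowed by the DROP_RPC rules above)
${iptables} -A FORWARD -i "${iif}" -o "${oif}" -p tcp --dport 111 -j DROP_LOG
${iptables} -A FORWARD -i "${iif}" -o "${oif}" -p udp --dport 111 -j DROP_LOG

#
# allow connections from the internal network to the world (NAT related)
#
# HTTP request
${iptables} -A FORWARD -i "${iif}" -o "${oif}" -s "${inet}" \
  -p tcp --dport 80 -j ACCEPT
# HTTPS request
${iptables} -A FORWARD -i "${iif}" -o "${oif}" -s "${inet}" \
  -p tcp --dport 443 -j ACCEPT
# DNS queries
${iptables} -A FORWARD -i "${iif}" -o "${oif}" -s "${inet}" \
  -p udp --dport 53 -j ACCEPT
# NTP queries
${iptables} -A FORWARD -i "${iif}" -o "${oif}" -s "${inet}" \
  -p udp --dport 123 -j ACCEPT
# ICMP: drop ping (both directions, logged), allow the rest
${iptables} -A FORWARD -i "${iif}" -o "${oif}" -s "${inet}" \
  -p icmp --icmp-type echo-request -j DROP_PING
${iptables} -A FORWARD -i "${iif}" -o "${oif}" -s "${inet}" \
  -p icmp --icmp-type echo-reply -j DROP_PING
${iptables} -A FORWARD -i "${iif}" -o "${oif}" -s "${inet}" \
  -p icmp -j ACCEPT
# stateful: return traffic of the connections accepted above
${iptables} -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# IP masquerade
#
${iptables} -t nat -A POSTROUTING -o "${oif}" -s "${inet}" -j MASQUERADE

#
# some accepted packets (all ICMP to/from this host)
#
${iptables} -A INPUT -p icmp -j ACCEPT
${iptables} -A OUTPUT -p icmp -j ACCEPT

#
# incoming connections
#
# a NEW tcp connection without the SYN flag is DROPped (logged)
${iptables} -A INPUT -p tcp ! --syn -m state --state NEW -j DROP_NEW

# accept (and log) ssh connections from friends
for f in ${friends}; do
  ${iptables} -A INPUT -i "${oif}" -p tcp \
    -m state --state NEW,ESTABLISHED,RELATED \
    -s "${f}" -d "${oip}" --dport 22 -j ACCEPT_SSH
done
# sshd replies (stateless: OUTPUT has no ESTABLISHED rule)
${iptables} -A OUTPUT -o "${oif}" -p tcp \
  -s "${oip}" --sport 22 -d "${anywhere}" -j ACCEPT

# accept http connections from the world (not logged)
${iptables} -A INPUT -i "${oif}" -p tcp -m state --state NEW,ESTABLISHED,RELATED \
  -s "${anywhere}" -d "${oip}" --dport 80 -j ACCEPT_HTTP
# httpd replies (stateless, see above)
${iptables} -A OUTPUT -o "${oif}" -p tcp \
  -s "${oip}" --sport 80 -d "${anywhere}" -j ACCEPT

#
# outgoing connections
#
# stateful (return packets).  BUG FIX: "-i" takes an interface name; the
# original passed the external *address* (${oip}) here, so this rule could
# never match.  It is redundant with the interface-less ESTABLISHED,RELATED
# rule at the top of INPUT, but is kept, now on the correct interface.
${iptables} -A INPUT -i "${oif}" -m state --state ESTABLISHED,RELATED -j ACCEPT

# Because of the stateful accept rules above, the matching INPUT rules for
# the replies are implicit; the explicit ones are kept commented for reference.
# DNS queries
#${iptables} -A INPUT -i "${oif}" -p udp \
#  -s "${anywhere}" --sport 53 -d "${oip}" -j ACCEPT
${iptables} -A OUTPUT -o "${oif}" -p udp \
  -s "${oip}" -d "${anywhere}" --dport 53 -j ACCEPT
# HTTP request
#${iptables} -A INPUT -i "${oif}" -p tcp \
#  -s "${anywhere}" --sport 80 -d "${oip}" -j ACCEPT
${iptables} -A OUTPUT -o "${oif}" -p tcp \
  -s "${oip}" -d "${anywhere}" --dport 80 -j ACCEPT
# HTTPS request
#${iptables} -A INPUT -i "${oif}" -p tcp \
#  -s "${anywhere}" --sport 443 -d "${oip}" -j ACCEPT
${iptables} -A OUTPUT -o "${oif}" -p tcp \
  -s "${oip}" -d "${anywhere}" --dport 443 -j ACCEPT
# NTP queries
#${iptables} -A INPUT -i "${oif}" -p udp \
#  -s "${anywhere}" --sport 123 -d "${oip}" -j ACCEPT
${iptables} -A OUTPUT -o "${oif}" -p udp \
  -s "${oip}" -d "${anywhere}" --dport 123 -j ACCEPT

# allow the internal network to talk to this host (any protocol/port)
${iptables} -A INPUT -i "${iif}" -s "${inet}" -d "${iip}" -j ACCEPT
${iptables} -A OUTPUT -o "${iif}" -s "${iip}" -d "${inet}" -j ACCEPT

#
# catch-all: log and drop whatever is left (see the rate-limit note above)
#
${iptables} -A INPUT -j DROP_ILAST
${iptables} -A OUTPUT -j DROP_OLAST
${iptables} -A FORWARD -j DROP_FLAST

# EOF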