Gutsy - boot scripts iptables
Jordi Ferrando Fabra
jferrando at netplc.com
Mon Nov 12 14:26:14 UTC 2007
Hi Donn:
Create a file in /etc/init.d with the adapted contents of my firewall
file. Then
$ sudo update-rc.d iptables_tc defaults
netplc at routerlinux:~/scripts$ cat iptables_tc
#!/bin/sh
#
# iptables_tc - iptables/tc init script
#
# Written by Jordi Ferrando, 2005-2007
# Debian.etch
# jferrando at netplc.com
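# Absolute paths to the tools this script drives; readonly so a later
# function cannot silently repoint them (the script runs as root from init).
readonly TC="/sbin/tc"
readonly IPTABLES="/sbin/iptables"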
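#######################################
# Load the firewall (filter, nat, mangle) and the HTB outbound shaper on eth1.
# Globals:   IPTABLES, TC (read)
# Arguments: none
# Outputs:   progress messages on stdout
# Returns:   status of the last command; no set -e, so a failing rule does
#            not abort the script
#######################################
start() {
  echo "Starting outbound shaping..."
  # Reset everything to a known state (cleared).
  # Flush the rules.  The mangle table is flushed as well: start() is what
  # restart/reload/force-reload call, and without this flush every restart
  # appended a second copy of the MARK rules below.
  $IPTABLES -F
  $IPTABLES -X
  $IPTABLES -Z
  $IPTABLES -t nat -F
  $IPTABLES -t mangle -F
  # Delete the whole class tree (fails, harmlessly, when no qdisc is attached yet)
  $TC qdisc del dev eth1 root
  # Linux router with firewall and traffic shaping
  # (c)NETPLC, J.Ferrando, Jan-2005/1-Dec-2005
  # Interface eth1 192.168.5.2/255.255.255.0 (to ADSL router)
  #           eth0 10.54.8.2/255.255.255.0 (10.54.8.0/24, LAN)
  # Default gateway 192.168.5.1
  # DNS servers: 80.58.61.250 / 80.58.61.254 (telefonica)
  #--------------------------------------------------------------------------------------------------
  # DNAT tables: inbound port forwards from the ADSL-facing address.
  # NOTE(review): the active rules publish VNC (tcp/5400, 5500, 5900) on the
  # WAN side to one LAN host; the disabled variants are earlier targets.
  #$IPTABLES --table nat --append PREROUTING -i eth1 -d 192.168.5.2 -p udp --dport 1194 -j DNAT --to 10.54.8.7
  # http tcp/80
  # vnc client tcp/5400 and tcp/5500
  # "generic" ip
  #$IPTABLES --table nat --append PREROUTING -i eth1 -d 192.168.5.2 -p tcp --dport 5400 -j DNAT --to 10.54.8.170
  #$IPTABLES --table nat --append PREROUTING -i eth1 -d 192.168.5.2 -p tcp --dport 5500 -j DNAT --to 10.54.8.170
  # porthector vnc client
  $IPTABLES --table nat --append PREROUTING -i eth1 -d 192.168.5.2 \
    -p tcp --dport 5400 -j DNAT --to 10.54.8.72
  $IPTABLES --table nat --append PREROUTING -i eth1 -d 192.168.5.2 \
    -p tcp --dport 5500 -j DNAT --to 10.54.8.72
  $IPTABLES --table nat --append PREROUTING -i eth1 -d 192.168.5.2 \
    -p tcp --dport 5900 -j DNAT --to 10.54.8.72
  # portjordi vnc client
  #$IPTABLES --table nat --append PREROUTING -i eth1 -d 192.168.5.2 -p tcp --dport 5400 -j DNAT --to 10.54.8.134
  #$IPTABLES --table nat --append PREROUTING -i eth1 -d 192.168.5.2 -p tcp --dport 5500 -j DNAT --to 10.54.8.134
  #$IPTABLES --table nat --append PREROUTING -i eth1 -d 192.168.5.2 -p tcp --dport 5900 -j DNAT --to 10.54.8.134
  # portraul vnc client
  #$IPTABLES --table nat --append PREROUTING -i eth1 -d 192.168.5.2 -p tcp --dport 5400 -j DNAT --to 10.54.8.138
  #$IPTABLES --table nat --append PREROUTING -i eth1 -d 192.168.5.2 -p tcp --dport 5500 -j DNAT --to 10.54.8.138
  #$IPTABLES --table nat --append PREROUTING -i eth1 -d 192.168.5.2 -p tcp --dport 5900 -j DNAT --to 10.54.8.138
  # Router: SNAT (masquerade) for the LAN behind eth1
  $IPTABLES --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE
  #----------------------------------------------------------------------------------------------
  # Firewall for network 10.54.8.0/24 (eth0)
  # Let all traffic from the LAN subnets in and through
  $IPTABLES -A INPUT -s 10.54.8.0/24 -j ACCEPT
  $IPTABLES -A INPUT -s 10.54.9.0/24 -j ACCEPT
  $IPTABLES -A INPUT -s 10.54.11.0/24 -j ACCEPT
  $IPTABLES -A FORWARD -s 10.54.8.0/24 -j ACCEPT
  $IPTABLES -A FORWARD -s 10.54.9.0/24 -j ACCEPT
  $IPTABLES -A FORWARD -s 10.54.11.0/24 -j ACCEPT
  # Established and related connections
  $IPTABLES -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPTABLES -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
  # "Default policy" for INPUT from eth0.
  # NOTE(review): these are appended DROP rules, not chain policies; no -P is
  # ever issued, so the built-in chains keep their own (ACCEPT) policy and the
  # host is unfiltered if this function stops partway through.
  $IPTABLES -A INPUT -i eth0 -j DROP
  # "Default policy" for FORWARD from eth0
  $IPTABLES -A FORWARD -i eth0 -j DROP
  #-----------------------------------------------------------------------------------------
  # eth1 -> entry gate (WAN side)
  # ssh (tcp/22)
  #$IPTABLES -A INPUT -i eth1 -m state --state NEW -p tcp --dport 22 -j ACCEPT
  #$IPTABLES -A INPUT -i eth1 -m state --state NEW -p tcp --dport 53 -j ACCEPT
  #$IPTABLES -A INPUT -i eth1 -p udp --dport 53 -j ACCEPT
  # http (tcp/80)
  #$IPTABLES -A INPUT -i eth1 -m state --state NEW -p tcp --dport 80 -j ACCEPT
  # openvpn (udp/1194)
  #$IPTABLES -A INPUT -i eth1 -p udp --dport 1194 -j ACCEPT
  $IPTABLES -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPTABLES -A FORWARD -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPTABLES -A INPUT -i eth1 -j DROP
  # Let forwards from the outside "through"; the original rationale was that
  # they must belong to previously established connections.
  # NOTE(review): that is not what this rule enforces -- it accepts every
  # forwarded packet arriving on eth1, including the NEW connections the DNAT
  # rules above steer to 10.54.8.72.  Confirm a blanket ACCEPT is intended
  # rather than ESTABLISHED,RELATED plus the explicit DNAT targets.
  $IPTABLES -A FORWARD -i eth1 -j ACCEPT
  echo 1 > /proc/sys/net/ipv4/ip_forward
  # tc "Traffic Control"
  # This command attaches queue discipline HTB to eth1 and gives it the
  # "handle" 1:0.  This is just a name or identifier with which to refer to
  # it below.  The default 20 means that any traffic that is not otherwise
  # classified will be assigned to class 1:20.
  $TC qdisc add dev eth1 root handle 1:0 htb default 20
  # Root class 1:1 caps the link; leaves 1:5 .. 1:25 are the priority tiers
  # (lower class number = higher priority, larger guaranteed rate).
  $TC class add dev eth1 parent 1:0 classid 1:1 htb rate 276kbit \
    ceil 276kbit prio 1 burst 32k cburst 3200
  $TC class add dev eth1 parent 1:1 classid 1:5 htb rate 184kbit \
    ceil 276kbit prio 5 burst 16k cburst 1600
  $TC class add dev eth1 parent 1:1 classid 1:10 htb rate 128kbit \
    ceil 276kbit prio 10 burst 8k cburst 800
  $TC class add dev eth1 parent 1:1 classid 1:15 htb rate 64kbit \
    ceil 196kbit prio 15 burst 4k cburst 400
  $TC class add dev eth1 parent 1:1 classid 1:20 htb rate 32kbit \
    ceil 128kbit prio 20 burst 2k cburst 200
  $TC class add dev eth1 parent 1:1 classid 1:25 htb rate 16kbit \
    ceil 32kbit prio 25 burst 256 cburst 100
  # One SFQ leaf per class so flows inside a class share it fairly
  $TC qdisc add dev eth1 parent 1:5 handle 5:0 sfq perturb 10
  $TC qdisc add dev eth1 parent 1:10 handle 10:0 sfq perturb 10
  $TC qdisc add dev eth1 parent 1:15 handle 15:0 sfq perturb 10
  $TC qdisc add dev eth1 parent 1:20 handle 20:0 sfq perturb 10
  $TC qdisc add dev eth1 parent 1:25 handle 25:0 sfq perturb 10
  # Classification: mangle MARK values 5/10/15/20/25 are mapped to the classes
  # of the same number by the fw filters at the end of this function.
  # NOTE(review): MARK does not stop rule traversal, so the last matching rule
  # wins -- for a whitelisted host below, the later service rules (mark 15)
  # overwrite mark 10 on http/https/imaps/pop3s traffic.  Confirm intended.
  # LAN privileges
  #$IPTABLES -t mangle -A FORWARD -s 10.54.8.0/24 -i eth0 -p tcp --sport 80 -j MARK --set-mark 20
  #$IPTABLES -t mangle -A FORWARD -s 10.54.8.0/24 -i eth0 -p tcp --dport 80 -j MARK --set-mark 20
  #$IPTABLES -t mangle -A FORWARD -s 10.54.8.0/24 -i eth0 -p tcp --sport 443 -j MARK --set-mark 20
  #$IPTABLES -t mangle -A FORWARD -s 10.54.8.0/24 -i eth0 -p tcp --dport 443 -j MARK --set-mark 20
  # Privileged computers (whitelist)
  #$IPTABLES -t mangle -A OUTPUT -o eth1 --source 192.168.7.2 -j MARK --set-mark 10
  #$IPTABLES -t mangle -A FORWARD -i eth0 -o eth1 --source 10.54.8.7 -j MARK --set-mark 5
  # portjordi.netplc.com (both IP and MAC must match; two addresses, one NIC)
  $IPTABLES -t mangle -A FORWARD -i eth0 -o eth1 --source 10.54.8.79 \
    -m mac --mac-source 00:08:0d:cd:ce:d9 -j MARK --set-mark 10
  $IPTABLES -t mangle -A FORWARD -i eth0 -o eth1 --source 10.54.8.170 \
    -m mac --mac-source 00:08:0d:cd:ce:d9 -j MARK --set-mark 10
  # portjordi2w
  $IPTABLES -t mangle -A FORWARD -i eth0 -o eth1 --source 10.54.8.118 \
    -m mac --mac-source 00:18:DE:7B:46:DC -j MARK --set-mark 10
  # portlinuxw
  $IPTABLES -t mangle -A FORWARD -i eth0 -o eth1 --source 10.54.8.242 \
    -j MARK --set-mark 10
  # Blacklist
  # angela
  #$IPTABLES -t mangle -A FORWARD -i eth0 -o eth1 --source 10.54.8.80 -j MARK --set-mark 20
  # Service privileges
  # http
  $IPTABLES -t mangle -A FORWARD -o eth1 -p tcp --sport 80 -j MARK --set-mark 15
  $IPTABLES -t mangle -A FORWARD -o eth1 -p tcp --dport 80 -j MARK --set-mark 15
  # https
  $IPTABLES -t mangle -A FORWARD -o eth1 -p tcp --sport 443 -j MARK --set-mark 15
  $IPTABLES -t mangle -A FORWARD -o eth1 -p tcp --dport 443 -j MARK --set-mark 15
  # imaps
  $IPTABLES -t mangle -A FORWARD -o eth1 -p tcp --sport 993 -j MARK --set-mark 15
  $IPTABLES -t mangle -A FORWARD -o eth1 -p tcp --dport 993 -j MARK --set-mark 15
  # pop3s
  $IPTABLES -t mangle -A FORWARD -o eth1 -p tcp --sport 995 -j MARK --set-mark 15
  $IPTABLES -t mangle -A FORWARD -o eth1 -p tcp --dport 995 -j MARK --set-mark 15
  # openvpn (locally generated traffic, hence OUTPUT)
  $IPTABLES -t mangle -A OUTPUT -o eth1 -p udp --sport 1194 -j MARK --set-mark 10
  $IPTABLES -t mangle -A OUTPUT -o eth1 -p udp --dport 1194 -j MARK --set-mark 10
  # icmp
  $IPTABLES -t mangle -A FORWARD -i eth0 -o eth1 -p icmp -j MARK --set-mark 5
  #
  # fw filters: packet mark N -> class 1:N
  $TC filter add dev eth1 protocol ip parent 1:0 prio 5 handle 5 fw flowid 1:5
  $TC filter add dev eth1 protocol ip parent 1:0 prio 10 handle 10 fw flowid 1:10
  $TC filter add dev eth1 protocol ip parent 1:0 prio 15 handle 15 fw flowid 1:15
  $TC filter add dev eth1 protocol ip parent 1:0 prio 20 handle 20 fw flowid 1:20
  $TC filter add dev eth1 protocol ip parent 1:0 prio 25 handle 25 fw flowid 1:25
  # Print tc statistics
  #$TC -s -d class show dev eth1
  #$TC -s -d qdisc show dev eth1
  echo "Outbound shaping added to surera"
}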
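#######################################
# Tear down all firewall rules and the eth1 shaper.
# Globals:   IPTABLES, TC (read)
# Arguments: none
# Outputs:   progress messages on stdout
# NOTE(review): afterwards the filter table is empty and the chain policies
# were never changed by start(), so the router accepts and forwards
# everything until start() runs again.
#######################################
stop() {
  echo "stop ..."
  # Reset everything to a known state (cleared).
  # Flush the rules, mangle included, so the MARK rules from start() do not linger.
  $IPTABLES -F
  $IPTABLES -X
  $IPTABLES -Z
  $IPTABLES -t nat -F
  $IPTABLES -t mangle -F
  # Delete the whole class tree
  $TC qdisc del dev eth1 root
  echo "Shaping removed on surera"
}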
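#######################################
# Print the current rule set and the tc configuration/statistics for eth1.
# Globals:   IPTABLES, TC (read)
# Arguments: none
# Outputs:   listings on stdout
#######################################
status() {
  echo "[iptables]"
  $IPTABLES -L -v -n
  $IPTABLES -L -v -n -t nat
  # The MARK rules that feed the tc fw filters live in the mangle table;
  # without this listing the classification part of the setup was invisible.
  $IPTABLES -L -v -n -t mangle
  echo "---- qdisc parameters ----------"
  $TC qdisc ls dev eth1
  echo "---- Class parameters ----------"
  $TC class ls dev eth1
  echo "---- filter parameters ---------"
  $TC filter ls dev eth1
  # Print tc statistics
  echo "---- tc class statistics -------"
  $TC -s -d class show dev eth1
  echo "---- tc qdisc statistics -------"
  $TC -s -d qdisc show dev eth1
}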
# restart: announce, then rebuild everything via start() (which flushes first).
restart() {
  printf '%s\n' "restart ..."
  start
}
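# reload: announce, then rebuild everything via start() (which flushes first).
# The message used to read "start ...", unlike the sibling actions; it now
# names the action actually requested.
reload() {
  echo "reload ..."
  start
}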
# force-reload: announce, then rebuild everything via start() (which flushes first).
force_reload() {
  printf '%s\n' "force-reload ..."
  start
}
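# Dispatch on the init action.  "$1" is quoted so an empty argument still
# reaches the usage arm cleanly; usage errors go to stderr and exit 2 (the
# LSB code for invalid arguments) instead of the previous silent exit 0.
case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  status)
    status
    ;;
  restart)
    restart
    ;;
  reload)
    reload
    ;;
  force-reload)
    force_reload
    ;;
  *)
    echo "Usage: iptables_tc {start|stop|restart|reload|force-reload|status}" >&2
    #echo "Usage: ${0##*/} {start|stop|restart|reload|status}"
    exit 2
    ;;
esac
exit 0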
Nils Kassube wrote:
> Donn wrote:
>
>> Any hints?
>>
>> :) ...
>>
>
> /etc/rc.local maybe.
>
>
> Nils
>
>