Gutsy - boot scripts iptables

Jordi Ferrando Fabra jferrando at netplc.com
Sun Nov 11 10:57:13 UTC 2007


This is my iptables_tc script. Create a file in /etc/init.d and then
create the symlinks:

$ sudo update-rc.d iptables_tc defaults

Please adapt it to your needs. The script provides firewall functionality,
SNAT/DNAT routing and bandwidth shaping.

jferrando at alcudia:/etc/init.d$ cat iptables_tc
#!/bin/sh
#
# iptables_tc - ipables/tc init script
#
# Written by Jordi Ferrando
# Debian.etch / Kubuntu feisty 7.04
# (GPL) NETPLC, jferrando at netplc.com, 17-may-2007

# Absolute paths to the tools used by the actions below, so the script does
# not depend on PATH.
TC=/sbin/tc
IPTABLES=/sbin/iptables

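#######################################
# Load the firewall, NAT and traffic-shaping configuration.
# Globals:   IPTABLES, TC (read)
# Arguments: none
# Outputs:   progress messages and the resulting rule listing on stdout
# Returns:   status of the last command (the script does not use set -e)
#######################################
start() {
        echo "Firewall NETPLC/alcudia ..."

        # Linux router with bandwidth control and firewall
        # (c) NETPLC, J.Ferrando, Jan-2005/17-may-2007
        # Interfaces:
        #   eth0 10.54.10.2 / 255.255.255.0 (10.54.10.0/24, SEG-ROUTER-LINUX)
        #   eth1 10.54.11.1 / 255.255.255.0 (10.54.11.0/24, LAN)
        #   tun0 10.54.12.1 / 255.255.255.0 (10.54.12.0/24, OPENVPN)
        # Default gateway 10.54.10.1
        # DNS servers 80.58.61.250, 80.58.61.254
        #
        # NOTE(review): no chain policy (-P) is set anywhere in this script, so
        # only the explicit "-j DROP" rules closing the eth0 and eth1 sections
        # deny anything; OUTPUT and any other interface stay unfiltered.

        # Flush rules. The mangle table is flushed too: the MARK rules below
        # are appended on every start and would otherwise accumulate.
        $IPTABLES -F
        $IPTABLES -X
        $IPTABLES -Z
        $IPTABLES -t nat -F
        $IPTABLES -t mangle -F

        #-----------------------------------------------------------------
        # DNAT: services published on the eth0 address and forwarded to LAN hosts
        # HTTP tcp/80
        #$IPTABLES --table nat --append PREROUTING -i eth0 -d 10.54.10.2 -p tcp --dport 80 -j DNAT --to 10.54.11.1
        $IPTABLES --table nat --append PREROUTING -i eth0 -d 10.54.10.2 -p tcp --dport 443 -j DNAT --to 10.54.11.71

        # SMTP
        $IPTABLES --table nat --append PREROUTING -i eth0 -d 10.54.10.2 -p tcp --dport 25 -j DNAT --to 10.54.11.71
        # imaps
        $IPTABLES --table nat --append PREROUTING -i eth0 -d 10.54.10.2 -p tcp --dport 993 -j DNAT --to 10.54.11.71
        # POP3S
        $IPTABLES --table nat --append PREROUTING -i eth0 -d 10.54.10.2 -p tcp --dport 995 -j DNAT --to 10.54.11.71

        # OpenVPN
        $IPTABLES --table nat --append PREROUTING -i eth0 -d 10.54.10.2 -p udp --dport 1194 -j DNAT --to 10.54.11.1

        # aMule
        $IPTABLES --table nat --append PREROUTING -i eth0 -d 10.54.10.2 -p tcp --dport 4662 -j DNAT --to 10.54.11.66
        $IPTABLES --table nat --append PREROUTING -i eth0 -d 10.54.10.2 -p udp --dport 4672 -j DNAT --to 10.54.11.66

        #-----------------------------------------------------------------
        # SNAT (masquerading) for the LAN
        $IPTABLES --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE

        #-----------------------------------------------------------------
        $IPTABLES -A INPUT -i lo -j ACCEPT

        #-----------------------------------------------------------------
        # General rules for already established connections
        $IPTABLES -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
        $IPTABLES -A FORWARD -i tun0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

        #-----------------------------------------------------------------
        # Filtering on eth0 (10.54.10.0/24)
        # http
        $IPTABLES -A INPUT -i eth0 -m state --state NEW -p tcp --dport 80 -j ACCEPT
        # openvpn
        $IPTABLES -A INPUT -i eth0 -p udp --dport 1194 -j ACCEPT
        # NOTE(review): this matches on the *source* port only, so any UDP
        # packet sent from port 1194 reaches every UDP service on the router.
        # Replies to our own VPN traffic are already covered by the
        # ESTABLISHED,RELATED rule at the end of this section.
        $IPTABLES -A INPUT -i eth0 -p udp --sport 1194 -j ACCEPT
        #
        # aMule
        $IPTABLES -A INPUT -i eth0 -p tcp --dport 4663 -j ACCEPT
        #$IPTABLES -A INPUT -i eth0 -p udp --dport 4673 -j ACCEPT
        $IPTABLES -A INPUT -i eth0 -p udp --dport 4667 -j ACCEPT
        #
        $IPTABLES -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
        # drop by default
        $IPTABLES -A INPUT -i eth0 -j DROP

        #-----------------------------------------------------------------
        # Access from the VPN, tun0 (10.54.12.0/24)
        $IPTABLES -A INPUT -i tun0 -j ACCEPT
        $IPTABLES -A FORWARD -i tun0 -j ACCEPT

        $IPTABLES -A FORWARD -s 192.168.8.0/24 -d 10.54.11.0/24 -j ACCEPT
        $IPTABLES -A FORWARD -s 10.54.11.0/24 -d 192.168.8.0/24 -j ACCEPT

        #-----------------------------------------------------------------
        # Filtering on eth1 (10.54.11.0/24)
        # The machine's own address (no forwarding is needed for a local address)
        $IPTABLES -A INPUT -s 10.54.10.2 -j ACCEPT

        # Services offered to the local network 10.54.11.0/255.255.255.0
        # NOTE(review): the "--sport N -j ACCEPT" rules below accept any packet
        # whose source port is N whatever its destination port, so a LAN host
        # can reach any local service by binding to that port. They exist to
        # let replies in; a "-m state --state ESTABLISHED,RELATED" rule on
        # eth1, like the one used for eth0, would be the narrower replacement.
        # DNS
        $IPTABLES -A INPUT -s 10.54.11.0/24 -i eth1 -p tcp --sport 53 -j ACCEPT
        $IPTABLES -A INPUT -s 10.54.11.0/24 -i eth1 -p tcp --dport 53 -j ACCEPT
        # Source network written out in full (was "10.54.11/24"), matching the
        # other LAN rules.
        $IPTABLES -A INPUT -s 10.54.11.0/24 -i eth1 -p udp --sport 53 -j ACCEPT
        $IPTABLES -A INPUT -s 10.54.11.0/24 -i eth1 -p udp --dport 53 -j ACCEPT
        # Web server
        $IPTABLES -A INPUT -s 10.54.11.0/24 -i eth1 -p tcp --sport 80 -j ACCEPT
        $IPTABLES -A INPUT -s 10.54.11.0/24 -i eth1 -p tcp --dport 80 -j ACCEPT
        #$IPTABLES -A INPUT -s 10.54.11.0/24 -i eth1 -p tcp --sport 443 -j ACCEPT
        #$IPTABLES -A INPUT -s 10.54.11.0/24 -i eth1 -p tcp --dport 443 -j ACCEPT

        # imaps
        $IPTABLES -A INPUT -s 10.54.11.0/24 -i eth1 -p tcp --sport 993 -j ACCEPT
        $IPTABLES -A INPUT -s 10.54.11.0/24 -i eth1 -p tcp --dport 993 -j ACCEPT

        # pop3s
        $IPTABLES -A INPUT -s 10.54.11.0/24 -i eth1 -p tcp --sport 995 -j ACCEPT
        $IPTABLES -A INPUT -s 10.54.11.0/24 -i eth1 -p tcp --dport 995 -j ACCEPT

        # ntp / Network Time Protocol
        #$IPTABLES -A INPUT -s 10.54.11.0/24 -i eth1 -p tcp --sport 123 -j ACCEPT
        $IPTABLES -A INPUT -s 10.54.11.0/24 -i eth1 -p tcp --dport 123 -j ACCEPT
        #$IPTABLES -A INPUT -s 10.54.11.0/24 -i eth1 -p udp --sport 123 -j ACCEPT
        $IPTABLES -A INPUT -s 10.54.11.0/24 -i eth1 -p udp --dport 123 -j ACCEPT
        #
        $IPTABLES -A FORWARD -s 10.54.11.0/24 -i eth1 -p tcp --dport 123 -j ACCEPT
        $IPTABLES -A FORWARD -s 10.54.11.0/24 -i eth1 -p udp --dport 123 -j ACCEPT

        # Default policy towards the outside
        # Web traffic
        $IPTABLES -A FORWARD -s 10.54.11.0/24 -i eth1 -p tcp --sport 80 -j ACCEPT
        $IPTABLES -A FORWARD -s 10.54.11.0/24 -i eth1 -p tcp --dport 80 -j ACCEPT
        $IPTABLES -A FORWARD -s 10.54.11.0/24 -i eth1 -p tcp --sport 443 -j ACCEPT
        $IPTABLES -A FORWARD -s 10.54.11.0/24 -i eth1 -p tcp --dport 443 -j ACCEPT
        # Without the OpenVPN port the LAN PCs cannot accept connections from
        # remote clients through the VPN
        $IPTABLES -A FORWARD -s 10.54.11.0/24 -i eth1 -p udp --sport 1194 -j ACCEPT
        $IPTABLES -A FORWARD -s 10.54.11.0/24 -i eth1 -p udp --dport 1194 -j ACCEPT
        $IPTABLES -A FORWARD -s 10.54.11.0/24 -d 10.54.12.0/24 -j ACCEPT
        $IPTABLES -A FORWARD -s 10.54.12.0/24 -d 10.54.11.0/24 -j ACCEPT

        # Per-host rules: IP address tied to a MAC address.
        # NOTE(review): "-m mac" only compares the source address carried by
        # the frame; it binds an IP to a NIC for convenience and is not an
        # authentication mechanism.
        # portjordi wireless
        $IPTABLES -A FORWARD -s 10.54.11.64 -m mac --mac-source 00:0D:54:9F:99:C5 -j ACCEPT
        $IPTABLES -A INPUT -s 10.54.11.64 -m mac --mac-source 00:0D:54:9F:99:C5 -j ACCEPT
        # portangela cable
        $IPTABLES -A FORWARD -s 10.54.11.65 -m mac --mac-source 00:E0:91:03:3C:EC -j ACCEPT
        $IPTABLES -A INPUT -s 10.54.11.65 -m mac --mac-source 00:E0:91:03:3C:EC -j ACCEPT
        # portangela wireless
        $IPTABLES -A FORWARD -s 10.54.11.66 -m mac --mac-source 00:0E:35:9D:83:C3 -j ACCEPT
        $IPTABLES -A INPUT -s 10.54.11.66 -m mac --mac-source 00:0E:35:9D:83:C3 -j ACCEPT
        # portjordi
        $IPTABLES -A FORWARD -s 10.54.11.70 -m mac --mac-source 00:08:0D:CD:CE:D9 -j ACCEPT
        $IPTABLES -A INPUT -s 10.54.11.70 -m mac --mac-source 00:08:0D:CD:CE:D9 -j ACCEPT
        #...

        # drop everything else
        $IPTABLES -A INPUT -i eth1 -j DROP
        $IPTABLES -A FORWARD -i eth1 -j DROP

        echo 1 > /proc/sys/net/ipv4/ip_forward

        # list the tables
        $IPTABLES -L -v -n
        $IPTABLES -L -v -n -t nat

        # tc / Traffic Control
        # J.Ferrando, 30-nov-2005

        # Delete the whole class tree (fails harmlessly when none is attached yet)
        $TC qdisc del dev eth0 root

        # This command attaches queue discipline HTB to eth0 and gives it the
        # "handle" 1:0. This is just a name or identifier with which to refer
        # to it below. "default 20" means that any traffic that is not
        # otherwise classified will be assigned to class 1:20.
        $TC qdisc add dev eth0 root handle 1:0 htb default 20

        $TC class add dev eth0 parent 1:0 classid 1:1 htb rate 2880kbit ceil 2880kbit prio 1 burst 32k cburst 3200
        $TC class add dev eth0 parent 1:1 classid 1:5 htb rate 1920kbit ceil 2880kbit prio 5 burst 16k cburst 1600
        $TC class add dev eth0 parent 1:1 classid 1:10 htb rate 1280kbit ceil 2880kbit prio 10 burst 8k cburst 800
        $TC class add dev eth0 parent 1:1 classid 1:11 htb rate 1280kbit ceil 2880kbit prio 11 burst 8k cburst 800
        $TC class add dev eth0 parent 1:1 classid 1:15 htb rate 640kbit ceil 2880kbit prio 15 burst 2k cburst 200
        $TC class add dev eth0 parent 1:1 classid 1:20 htb rate 320kbit ceil 2880kbit prio 20 burst 1k cburst 100
        $TC class add dev eth0 parent 1:1 classid 1:25 htb rate 160kbit ceil 160kbit prio 25 burst 512 cburst 52
        # Alternative profile for a 288kbit uplink:
        #$TC class add dev eth0 parent 1:0 classid 1:1 htb rate 288kbit ceil 288kbit prio 1 burst 32k cburst 3200
        #$TC class add dev eth0 parent 1:1 classid 1:5 htb rate 192kbit ceil 288kbit prio 5 burst 16k cburst 1600
        #$TC class add dev eth0 parent 1:1 classid 1:10 htb rate 128kbit ceil 288kbit prio 10 burst 8k cburst 800
        #$TC class add dev eth0 parent 1:1 classid 1:11 htb rate 128kbit ceil 288kbit prio 11 burst 8k cburst 800
        #$TC class add dev eth0 parent 1:1 classid 1:15 htb rate 64kbit ceil 288kbit prio 15 burst 2k cburst 200
        #$TC class add dev eth0 parent 1:1 classid 1:20 htb rate 32kbit ceil 288kbit prio 20 burst 1k cburst 100
        #$TC class add dev eth0 parent 1:1 classid 1:25 htb rate 16kbit ceil 16kbit prio 25 burst 512 cburst 52

        # One sfq leaf per class
        $TC qdisc add dev eth0 parent 1:5 handle 5:0 sfq perturb 10
        $TC qdisc add dev eth0 parent 1:10 handle 10:0 sfq perturb 10
        $TC qdisc add dev eth0 parent 1:11 handle 11:0 sfq perturb 10
        $TC qdisc add dev eth0 parent 1:15 handle 15:0 sfq perturb 10
        $TC qdisc add dev eth0 parent 1:20 handle 20:0 sfq perturb 10
        $TC qdisc add dev eth0 parent 1:25 handle 25:0 sfq perturb 10

        # Packet marks select the HTB class via the fw filters below. MARK is
        # non-terminating, so later (more specific) rules override earlier ones.
        # Privileged computers (Whitelist)
        $IPTABLES -A OUTPUT -t mangle -o eth0 -j MARK --set-mark 20
        $IPTABLES -A FORWARD -t mangle -i eth1 -o eth0 --source 10.54.11.1 -j MARK --set-mark 15
        # portjordi wireless
        $IPTABLES -A FORWARD -t mangle -i eth1 -o eth0 --source 10.54.11.64 -j MARK --set-mark 15
        # portangela cable
        $IPTABLES -A FORWARD -t mangle -i eth1 -o eth0 --source 10.54.11.65 -j MARK --set-mark 15
        # portangela wireless
        $IPTABLES -A FORWARD -t mangle -i eth1 -o eth0 --source 10.54.11.66 -j MARK --set-mark 15
        #...

        # Restricted computers (Blacklist)
        #$IPTABLES -A FORWARD -t mangle -i eth1 -o eth0 --source 10.54.8.71 -j MARK --set-mark 25

        # Priority protocols
        #
        $IPTABLES -A FORWARD -t mangle -i eth1 -p tcp --sport 80 -j MARK --set-mark 5
        $IPTABLES -A FORWARD -t mangle -i eth1 -p tcp --dport 80 -j MARK --set-mark 5
        $IPTABLES -A FORWARD -t mangle -i eth1 -p tcp --sport 443 -j MARK --set-mark 5
        $IPTABLES -A FORWARD -t mangle -i eth1 -p tcp --dport 443 -j MARK --set-mark 5
        $IPTABLES -A FORWARD -t mangle -i eth1 -p tcp --sport 25 -j MARK --set-mark 5
        $IPTABLES -A FORWARD -t mangle -i eth1 -p tcp --dport 25 -j MARK --set-mark 5
        $IPTABLES -A FORWARD -t mangle -i eth1 -p tcp --sport 993 -j MARK --set-mark 5
        $IPTABLES -A FORWARD -t mangle -i eth1 -p tcp --dport 993 -j MARK --set-mark 5

        $IPTABLES -A OUTPUT -t mangle -o eth0 -p tcp --sport 80 -j MARK --set-mark 5
        $IPTABLES -A OUTPUT -t mangle -o eth0 -p tcp --dport 80 -j MARK --set-mark 5
        $IPTABLES -A OUTPUT -t mangle -o eth0 -p tcp --sport 443 -j MARK --set-mark 5
        $IPTABLES -A OUTPUT -t mangle -o eth0 -p tcp --dport 443 -j MARK --set-mark 5
        $IPTABLES -A OUTPUT -t mangle -o eth0 -p tcp --sport 25 -j MARK --set-mark 5
        $IPTABLES -A OUTPUT -t mangle -o eth0 -p tcp --dport 25 -j MARK --set-mark 5
        $IPTABLES -A OUTPUT -t mangle -o eth0 -p tcp --sport 993 -j MARK --set-mark 5
        $IPTABLES -A OUTPUT -t mangle -o eth0 -p tcp --dport 993 -j MARK --set-mark 5
        $IPTABLES -A OUTPUT -t mangle -o eth0 -p udp --sport 1194 -j MARK --set-mark 5
        $IPTABLES -A OUTPUT -t mangle -o eth0 -p udp --dport 1194 -j MARK --set-mark 5
        # sky.fm
        $IPTABLES -A OUTPUT -t mangle -o eth0 -p tcp --sport 8110 -j MARK --set-mark 5
        $IPTABLES -A OUTPUT -t mangle -o eth0 -p tcp --dport 8110 -j MARK --set-mark 5
        $IPTABLES -A OUTPUT -t mangle -o eth0 -p tcp --sport 8600 -j MARK --set-mark 5
        $IPTABLES -A OUTPUT -t mangle -o eth0 -p tcp --dport 8600 -j MARK --set-mark 5
        $IPTABLES -A OUTPUT -t mangle -o eth0 -p tcp --sport 8710 -j MARK --set-mark 5
        $IPTABLES -A OUTPUT -t mangle -o eth0 -p tcp --dport 8710 -j MARK --set-mark 5

        $IPTABLES -A FORWARD -t mangle -o eth0 -p icmp -j MARK --set-mark 5

        # Map each mark onto its class
        $TC filter add dev eth0 protocol ip parent 1:0 prio 5 handle 5 fw flowid 1:5
        $TC filter add dev eth0 protocol ip parent 1:0 prio 10 handle 10 fw flowid 1:10
        $TC filter add dev eth0 protocol ip parent 1:0 prio 11 handle 11 fw flowid 1:11
        $TC filter add dev eth0 protocol ip parent 1:0 prio 15 handle 15 fw flowid 1:15
        $TC filter add dev eth0 protocol ip parent 1:0 prio 20 handle 20 fw flowid 1:20
        $TC filter add dev eth0 protocol ip parent 1:0 prio 25 handle 25 fw flowid 1:25

        echo "Outbound shaping added to alcudia"
}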

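#######################################
# Tear the firewall, NAT and shaping configuration down.
# Globals:   IPTABLES, TC (read)
# Arguments: none
# Outputs:   progress messages on stdout
# Returns:   status of the last command
#######################################
stop() {
        echo "stop ..."
        # Reset everything to a known state (cleared). The mangle table is
        # flushed as well, since start() appends its MARK rules there.
        $IPTABLES -F
        $IPTABLES -X
        $IPTABLES -Z
        $IPTABLES -t nat -F
        $IPTABLES -t mangle -F
        # start() enables forwarding; turn it off again here. The script never
        # sets chain policies, so with the rules flushed nothing is filtered
        # and leaving ip_forward=1 would route every packet between interfaces.
        echo 0 > /proc/sys/net/ipv4/ip_forward
        # Delete the whole class tree (classes, sfq leaves and filters go with it)
        $TC qdisc del dev eth0 root

        echo "Shaping removed on alcudia"
}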

#######################################
# Print the live filter and nat rule sets. The tc listings are left
# disabled, so only their section headers are printed.
# Globals:   IPTABLES (read)
# Arguments: none
# Outputs:   rule listing on stdout
#######################################
status() {
        printf '%s\n' "[iptables]"
        $IPTABLES -L -v -n
        $IPTABLES -L -v -n -t nat
        printf '%s\n' "---- qdisc parameters ----------"
        #$TC qdisc ls dev eth0
        printf '%s\n' "---- Class parameters ----------"
        #$TC class ls dev eth0
        printf '%s\n' "---- filter parameters ---------"
        #$TC filter ls dev eth0
        # tc statistics
        #printf '%s\n' "---- tc class statistics -------"
        #$TC -s -d class show dev eth0
        printf '%s\n' "---- tc qdisc statistics -------"
        #$TC -s -d qdisc show dev eth0
}

# restart: a plain start is enough, because start() flushes the tables
# before loading the rules again.
restart() {
        printf '%s\n' "restart ..."
        start
}

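# reload: re-run start(), which flushes and reloads the whole rule set.
# The progress message now names the action actually requested ("reload")
# instead of "start".
reload() {
        echo "reload ..."
        start
}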

# force-reload: identical to start(), which already performs a full flush.
force_reload() {
        printf '%s\n' "force-reload ..."
        start
}

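# Dispatch on the init action. An unknown or missing action prints the usage
# on stderr and exits 2 (the LSB code for invalid arguments) instead of 0,
# so "service iptables_tc <typo>" is not reported as a success.
case "$1" in
        start)
                start
                ;;
        stop)
                stop
                ;;
        status)
                status
                ;;
        restart)
                restart
                ;;
        reload)
                reload
                ;;
        force-reload)
                force_reload
                ;;
        *)
                echo "Usage: ${0##*/} {start|stop|restart|reload|force-reload|status}" >&2
                exit 2
                ;;
esac

exit 0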

Donn escribió:
> Hi,
> I want to run an iptables command to allow my other machine to surf through my 
> Kubuntu box. I used to put this into /etc/networking/netshare, but I can't 
> recall how it got run exactly. 
>  How do I set this up on Gutsy (I don't savvy upstart yet) so it runs soon 
> after the network interfaces have come to life?
>
> \d
>
>   
