Gutsy - boot scripts iptables
Jordi Ferrando Fabra
jferrando at netplc.com
Sun Nov 11 10:57:13 UTC 2007
This is my iptables_tc script. Create the file as /etc/init.d/iptables_tc, make it executable, and then create the rc symlinks:
$ sudo update-rc.d iptables_tc defaults
Please adapt it to your needs: interface names, addresses, published services and the MAC whitelist are all hard-coded for my network. The script provides firewall filtering, routing with SNAT and DNAT, and bandwidth shaping (tc/HTB). One ordering caveat for Donn's question: the iptables rules load fine before the interfaces exist, but the tc commands need eth0 to be present, so the script has to run after the network is up.
jferrando at alcudia:/etc/init.d$ cat iptables_tc
#!/bin/sh
#
# iptables_tc - iptables/tc init script
#
# Written by Jordi Ferrando
# Debian.etch / Kubuntu feisty 7.04
# (GPL) NETPLC, jferrando at netplc.com, 17-may-2007
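# Init scripts may be started with a minimal environment; pin PATH so that
# every external command resolves to the system binaries rather than to
# whatever the caller had on its PATH.
PATH=/sbin:/usr/sbin:/bin:/usr/bin
export PATH
# Absolute paths of the two tools this script drives; read-only so a later
# edit cannot silently repoint them.
readonly TC="/sbin/tc"
readonly IPTABLES="/sbin/iptables"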
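# start: load the complete rule set (NAT, filter, mangle marks) and the
# outbound HTB shaping tree on eth0, then switch routing on.
# Safe to call repeatedly: every table this script writes to is flushed
# first. Takes no arguments; uses $IPTABLES and $TC from the top of the file.
start() {
  echo "Firewall NETPLC/alcudia ..."
  # Linux router with bandwidth control and firewall
  # (c) NETPLC, J.Ferrando, Jan-2005/17-may-2007
  #
  # Interfaces:
  #   eth0  10.54.10.2 / 255.255.255.0  (10.54.10.0/24, SEG-ROUTER-LINUX, upstream side)
  #   eth1  10.54.11.1 / 255.255.255.0  (10.54.11.0/24, LAN)
  #   tun0  10.54.12.1 / 255.255.255.0  (10.54.12.0/24, OPENVPN)
  # Default gateway 10.54.10.1
  # DNS servers 80.58.61.250, 80.58.61.254
  #
  # Layout: INPUT and FORWARD each end in an explicit DROP per ingress
  # interface, so anything not listed below is rejected. Between the flush
  # and those DROP rules the kernel's default ACCEPT policies apply; if that
  # window matters, set "-P INPUT DROP" / "-P FORWARD DROP" up front and
  # reset them to ACCEPT in stop().

  #-------------------------------------------------------------------------
  # Flush every table this script writes to. The original flushed only
  # filter and nat, so the MARK rules added to mangle further down piled up
  # on every restart/reload (restart calls start without stop).
  for table in filter nat mangle; do
    "$IPTABLES" -t "$table" -F
    "$IPTABLES" -t "$table" -X
    "$IPTABLES" -t "$table" -Z
  done

  #-------------------------------------------------------------------------
  # DNAT: services published on the eth0 address 10.54.10.2.
  # Every DNAT target that lives on the LAN also needs a FORWARD accept (see
  # the eth0 -> eth1 section below), because eth0-originated forwards are
  # dropped by default.
  #HTTP tcp/80 (kept disabled, as in the original)
  #"$IPTABLES" -t nat -A PREROUTING -i eth0 -d 10.54.10.2 -p tcp --dport 80 -j DNAT --to 10.54.11.1
  #HTTPS
  "$IPTABLES" -t nat -A PREROUTING -i eth0 -d 10.54.10.2 -p tcp --dport 443 -j DNAT --to 10.54.11.71
  #SMTP
  "$IPTABLES" -t nat -A PREROUTING -i eth0 -d 10.54.10.2 -p tcp --dport 25 -j DNAT --to 10.54.11.71
  #IMAPS
  "$IPTABLES" -t nat -A PREROUTING -i eth0 -d 10.54.10.2 -p tcp --dport 993 -j DNAT --to 10.54.11.71
  #POP3S
  "$IPTABLES" -t nat -A PREROUTING -i eth0 -d 10.54.10.2 -p tcp --dport 995 -j DNAT --to 10.54.11.71
  #OpenVPN: 10.54.11.1 is this router's own eth1 address, so the DNAT'd
  #packet is delivered locally and is matched by the INPUT udp/1194 rule.
  "$IPTABLES" -t nat -A PREROUTING -i eth0 -d 10.54.10.2 -p udp --dport 1194 -j DNAT --to 10.54.11.1
  #aMule
  "$IPTABLES" -t nat -A PREROUTING -i eth0 -d 10.54.10.2 -p tcp --dport 4662 -j DNAT --to 10.54.11.66
  "$IPTABLES" -t nat -A PREROUTING -i eth0 -d 10.54.10.2 -p udp --dport 4672 -j DNAT --to 10.54.11.66

  #-------------------------------------------------------------------------
  # SNAT for the LAN: everything leaving on eth0 is masqueraded.
  "$IPTABLES" -t nat -A POSTROUTING -o eth0 -j MASQUERADE

  #-------------------------------------------------------------------------
  # INPUT: traffic addressed to the router itself.
  "$IPTABLES" -A INPUT -i lo -j ACCEPT
  # Stateful return traffic on every interface. This replaces the source-port
  # ACCEPTs of the original (udp --sport 1194 on eth0; tcp/udp --sport
  # 53/80/993/995 on eth1): the source port is chosen by the sender, so those
  # rules let any host reach any local port simply by sending from the
  # "trusted" port. (One of them also used "-s 10.54.11/24", presumably a
  # typo for 10.54.11.0/24.)
  "$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  #
  # eth0 (10.54.10.0/24): services offered upstream
  #http
  "$IPTABLES" -A INPUT -i eth0 -m state --state NEW -p tcp --dport 80 -j ACCEPT
  #openvpn (also reached through the udp/1194 DNAT above)
  "$IPTABLES" -A INPUT -i eth0 -p udp --dport 1194 -j ACCEPT
  #aMule
  "$IPTABLES" -A INPUT -i eth0 -p tcp --dport 4663 -j ACCEPT
  #"$IPTABLES" -A INPUT -i eth0 -p udp --dport 4673 -j ACCEPT
  "$IPTABLES" -A INPUT -i eth0 -p udp --dport 4667 -j ACCEPT
  #drop everything else arriving on eth0
  "$IPTABLES" -A INPUT -i eth0 -j DROP
  #
  # tun0 (10.54.12.0/24): VPN clients.
  # NOTE(review): VPN clients get unrestricted access to the router (and,
  # via FORWARD below, to the whole LAN); restrict this to specific services
  # if the VPN is shared with less-trusted users.
  "$IPTABLES" -A INPUT -i tun0 -j ACCEPT
  #
  # eth1 (10.54.11.0/24): services offered to the LAN
  # The original also accepted any packet with source 10.54.10.2 (this
  # router's own eth0 address) on any interface. The router's own traffic to
  # itself goes over lo, which is already accepted, so on eth1 that rule
  # could only match packets with a forged source; it has been removed.
  #DNS
  "$IPTABLES" -A INPUT -i eth1 -s 10.54.11.0/24 -p tcp --dport 53 -j ACCEPT
  "$IPTABLES" -A INPUT -i eth1 -s 10.54.11.0/24 -p udp --dport 53 -j ACCEPT
  #Web server
  "$IPTABLES" -A INPUT -i eth1 -s 10.54.11.0/24 -p tcp --dport 80 -j ACCEPT
  #https (kept disabled, as in the original)
  #"$IPTABLES" -A INPUT -i eth1 -s 10.54.11.0/24 -p tcp --dport 443 -j ACCEPT
  #imaps
  "$IPTABLES" -A INPUT -i eth1 -s 10.54.11.0/24 -p tcp --dport 993 -j ACCEPT
  #pop3s
  "$IPTABLES" -A INPUT -i eth1 -s 10.54.11.0/24 -p tcp --dport 995 -j ACCEPT
  #ntp / Network Time Protocol
  "$IPTABLES" -A INPUT -i eth1 -s 10.54.11.0/24 -p tcp --dport 123 -j ACCEPT
  "$IPTABLES" -A INPUT -i eth1 -s 10.54.11.0/24 -p udp --dport 123 -j ACCEPT
  # Privileged LAN hosts, matched on IP + MAC. The rules are now bound to
  # eth1; the original had no -i, so the same IP/MAC pair arriving on any
  # other interface matched too. NOTE(review): a MAC address is trivially
  # forged by anyone on the LAN segment, so this is a convenience, not
  # authentication.
  #portjordi wireless
  "$IPTABLES" -A INPUT -i eth1 -s 10.54.11.64 -m mac --mac-source 00:0D:54:9F:99:C5 -j ACCEPT
  #portangela cable
  "$IPTABLES" -A INPUT -i eth1 -s 10.54.11.65 -m mac --mac-source 00:E0:91:03:3C:EC -j ACCEPT
  #portangela wireless
  "$IPTABLES" -A INPUT -i eth1 -s 10.54.11.66 -m mac --mac-source 00:0E:35:9D:83:C3 -j ACCEPT
  #portjordi
  "$IPTABLES" -A INPUT -i eth1 -s 10.54.11.70 -m mac --mac-source 00:08:0D:CD:CE:D9 -j ACCEPT
  #drop everything else arriving on eth1
  "$IPTABLES" -A INPUT -i eth1 -j DROP

  #-------------------------------------------------------------------------
  # FORWARD: traffic routed between interfaces.
  # Stateful return traffic in every direction. The original had this only
  # for eth0->eth1 and tun0->eth1 and used --sport rules for LAN->eth0;
  # replies from the DNAT targets on ports 25/993/995 matched nothing and
  # appear to have been dropped by the final eth1 DROP rule.
  "$IPTABLES" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  #
  # VPN, tun0 (10.54.12.0/24): full access, see the INPUT note above.
  # This also covers 10.54.12.0/24 -> 10.54.11.0/24.
  "$IPTABLES" -A FORWARD -i tun0 -j ACCEPT
  # 192.168.8.0/24 is not one of the interface networks above; presumably a
  # remote site reached through the VPN. Kept as in the original (no -i), so
  # a packet with a 192.168.8.x source arriving on eth0 would also be
  # forwarded to the LAN; add "-i tun0" to the first rule if that network is
  # only ever reached through the tunnel.
  "$IPTABLES" -A FORWARD -s 192.168.8.0/24 -d 10.54.11.0/24 -j ACCEPT
  "$IPTABLES" -A FORWARD -s 10.54.11.0/24 -d 192.168.8.0/24 -j ACCEPT
  #
  # eth0 -> eth1: only new connections to the DNAT targets above. The
  # original never dropped eth0-originated forwards (kernel default policy
  # ACCEPT), so an upstream host that routed 10.54.11.0/24 via this box
  # could reach any LAN host directly.
  "$IPTABLES" -A FORWARD -i eth0 -o eth1 -d 10.54.11.71 -p tcp --dport 443 -j ACCEPT
  "$IPTABLES" -A FORWARD -i eth0 -o eth1 -d 10.54.11.71 -p tcp --dport 25 -j ACCEPT
  "$IPTABLES" -A FORWARD -i eth0 -o eth1 -d 10.54.11.71 -p tcp --dport 993 -j ACCEPT
  "$IPTABLES" -A FORWARD -i eth0 -o eth1 -d 10.54.11.71 -p tcp --dport 995 -j ACCEPT
  "$IPTABLES" -A FORWARD -i eth0 -o eth1 -d 10.54.11.66 -p tcp --dport 4662 -j ACCEPT
  "$IPTABLES" -A FORWARD -i eth0 -o eth1 -d 10.54.11.66 -p udp --dport 4672 -j ACCEPT
  "$IPTABLES" -A FORWARD -i eth0 -j DROP
  #
  # eth1 -> outside: default policy for the LAN
  #ntp
  "$IPTABLES" -A FORWARD -i eth1 -s 10.54.11.0/24 -p tcp --dport 123 -j ACCEPT
  "$IPTABLES" -A FORWARD -i eth1 -s 10.54.11.0/24 -p udp --dport 123 -j ACCEPT
  #web
  "$IPTABLES" -A FORWARD -i eth1 -s 10.54.11.0/24 -p tcp --dport 80 -j ACCEPT
  "$IPTABLES" -A FORWARD -i eth1 -s 10.54.11.0/24 -p tcp --dport 443 -j ACCEPT
  #openvpn: without this, LAN PCs cannot accept connections from remote
  #VPN clients (original comment)
  "$IPTABLES" -A FORWARD -i eth1 -s 10.54.11.0/24 -p udp --dport 1194 -j ACCEPT
  #LAN -> VPN clients
  "$IPTABLES" -A FORWARD -i eth1 -s 10.54.11.0/24 -d 10.54.12.0/24 -j ACCEPT
  # Privileged LAN hosts (IP + MAC); same caveat as in the INPUT section.
  #portjordi wireless
  "$IPTABLES" -A FORWARD -i eth1 -s 10.54.11.64 -m mac --mac-source 00:0D:54:9F:99:C5 -j ACCEPT
  #portangela cable
  "$IPTABLES" -A FORWARD -i eth1 -s 10.54.11.65 -m mac --mac-source 00:E0:91:03:3C:EC -j ACCEPT
  #portangela wireless
  "$IPTABLES" -A FORWARD -i eth1 -s 10.54.11.66 -m mac --mac-source 00:0E:35:9D:83:C3 -j ACCEPT
  #portjordi
  "$IPTABLES" -A FORWARD -i eth1 -s 10.54.11.70 -m mac --mac-source 00:08:0D:CD:CE:D9 -j ACCEPT
  #drop everything else arriving on eth1
  "$IPTABLES" -A FORWARD -i eth1 -j DROP

  # Routing is switched on only now that the rules are in place.
  echo 1 > /proc/sys/net/ipv4/ip_forward
  #list the tables
  "$IPTABLES" -L -v -n
  "$IPTABLES" -L -v -n -t nat

  #-------------------------------------------------------------------------
  # Traffic control: outbound shaping on eth0 (J.Ferrando, 30-nov-2005)
  # Remove the whole existing tree; the error on a fresh boot (no qdisc
  # yet) is expected and therefore silenced.
  "$TC" qdisc del dev eth0 root 2>/dev/null
  # Attach an HTB qdisc to eth0 with handle 1:0 (the name used to refer to
  # it below). "default 20" sends any traffic not otherwise classified to
  # class 1:20 (the original comment said 1:12, which did not match the
  # command).
  "$TC" qdisc add dev eth0 root handle 1:0 htb default 20
  # Link class 1:1 (2880kbit) and its leaf classes; a lower prio wins.
  "$TC" class add dev eth0 parent 1:0 classid 1:1 htb rate 2880kbit ceil 2880kbit prio 1 burst 32k cburst 3200
  "$TC" class add dev eth0 parent 1:1 classid 1:5 htb rate 1920kbit ceil 2880kbit prio 5 burst 16k cburst 1600
  "$TC" class add dev eth0 parent 1:1 classid 1:10 htb rate 1280kbit ceil 2880kbit prio 10 burst 8k cburst 800
  "$TC" class add dev eth0 parent 1:1 classid 1:11 htb rate 1280kbit ceil 2880kbit prio 11 burst 8k cburst 800
  "$TC" class add dev eth0 parent 1:1 classid 1:15 htb rate 640kbit ceil 2880kbit prio 15 burst 2k cburst 200
  "$TC" class add dev eth0 parent 1:1 classid 1:20 htb rate 320kbit ceil 2880kbit prio 20 burst 1k cburst 100
  "$TC" class add dev eth0 parent 1:1 classid 1:25 htb rate 160kbit ceil 160kbit prio 25 burst 512 cburst 52
  # (The original also carried a commented-out profile for a 288kbit link:
  # the same classes with every rate/ceil divided by ten.)
  # Fair queueing inside each leaf class.
  for leaf in 5 10 11 15 20 25; do
    "$TC" qdisc add dev eth0 parent "1:$leaf" handle "$leaf:0" sfq perturb 10
  done

  # Packet marks -> classes. A later rule overwrites an earlier mark, so the
  # catch-all OUTPUT mark (20) is set first and the specific ones after it.
  "$IPTABLES" -t mangle -A OUTPUT -o eth0 -j MARK --set-mark 20
  # Privileged computers (whitelist) -> class 1:15
  "$IPTABLES" -t mangle -A FORWARD -i eth1 -o eth0 -s 10.54.11.1 -j MARK --set-mark 15
  #portjordi wireless
  "$IPTABLES" -t mangle -A FORWARD -i eth1 -o eth0 -s 10.54.11.64 -j MARK --set-mark 15
  #portangela cable
  "$IPTABLES" -t mangle -A FORWARD -i eth1 -o eth0 -s 10.54.11.65 -j MARK --set-mark 15
  #portangela wireless
  "$IPTABLES" -t mangle -A FORWARD -i eth1 -o eth0 -s 10.54.11.66 -j MARK --set-mark 15
  # Restricted computers (blacklist) -> class 1:25
  #"$IPTABLES" -t mangle -A FORWARD -i eth1 -o eth0 -s 10.54.8.71 -j MARK --set-mark 25
  # Priority protocols -> class 1:5 (forwarded LAN traffic and the router's
  # own traffic alike)
  for port in 80 443 25 993; do
    "$IPTABLES" -t mangle -A FORWARD -i eth1 -p tcp --sport "$port" -j MARK --set-mark 5
    "$IPTABLES" -t mangle -A FORWARD -i eth1 -p tcp --dport "$port" -j MARK --set-mark 5
    "$IPTABLES" -t mangle -A OUTPUT -o eth0 -p tcp --sport "$port" -j MARK --set-mark 5
    "$IPTABLES" -t mangle -A OUTPUT -o eth0 -p tcp --dport "$port" -j MARK --set-mark 5
  done
  "$IPTABLES" -t mangle -A OUTPUT -o eth0 -p udp --sport 1194 -j MARK --set-mark 5
  "$IPTABLES" -t mangle -A OUTPUT -o eth0 -p udp --dport 1194 -j MARK --set-mark 5
  #sky.fm
  for port in 8110 8600 8710; do
    "$IPTABLES" -t mangle -A OUTPUT -o eth0 -p tcp --sport "$port" -j MARK --set-mark 5
    "$IPTABLES" -t mangle -A OUTPUT -o eth0 -p tcp --dport "$port" -j MARK --set-mark 5
  done
  "$IPTABLES" -t mangle -A FORWARD -o eth0 -p icmp -j MARK --set-mark 5
  # fw filters: mark N -> class 1:N
  for mark in 5 10 11 15 20 25; do
    "$TC" filter add dev eth0 protocol ip parent 1:0 prio "$mark" handle "$mark" fw flowid "1:$mark"
  done
  echo "Outbound shaping added to alcudia"
}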
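# stop: remove everything start() installed. Takes no arguments.
# Afterwards the kernel default policies (ACCEPT) apply with no rules
# loaded, i.e. the host itself is fully reachable; routing is switched off
# so the box does not keep forwarding eth0 <-> eth1 traffic unfiltered and
# un-NATed.
stop() {
  echo "stop ..."
  # Reset everything to a known state (cleared). The original flushed only
  # filter and nat and left the mangle MARK rules in place.
  for table in filter nat mangle; do
    "$IPTABLES" -t "$table" -F
    "$IPTABLES" -t "$table" -X
    "$IPTABLES" -t "$table" -Z
  done
  # start() enabled forwarding; undo it here (fail closed).
  # NOTE(review): drop this line if another service on this host relies on
  # ip_forward staying on.
  echo 0 > /proc/sys/net/ipv4/ip_forward
  # Tear down the whole shaping tree; "no qdisc" on a box that never ran
  # start() is expected and silenced.
  "$TC" qdisc del dev eth0 root 2>/dev/null
  echo "Shaping removed on alcudia"
}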
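# status: print the live rule set (filter, nat and mangle — the script
# writes to all three) and the shaping tree. The tc listings were commented
# out in the original, which left every "----" heading with an empty
# section. Takes no arguments.
status() {
  echo "[iptables]"
  "$IPTABLES" -L -v -n
  "$IPTABLES" -L -v -n -t nat
  "$IPTABLES" -L -v -n -t mangle
  echo "---- qdisc parameters ----------"
  "$TC" qdisc ls dev eth0
  echo "---- Class parameters ----------"
  "$TC" class ls dev eth0
  echo "---- filter parameters ---------"
  "$TC" filter ls dev eth0
  echo "---- tc class statistics -------"
  "$TC" -s -d class show dev eth0
  echo "---- tc qdisc statistics -------"
  "$TC" -s -d qdisc show dev eth0
}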
# restart: start() flushes every table and rebuilds the qdisc itself, so a
# restart is simply a fresh start (stop() is not called).
restart() {
  printf '%s\n' "restart ..."
  start
}
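# reload: same as restart — start() reloads everything from scratch.
# The original announced "start ..." here, which made a reload
# indistinguishable from a start in the boot log.
reload() {
  echo "reload ..."
  start
}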
# force_reload: no lighter-weight reload exists, so this too is a full
# start().
force_reload() {
  printf '%s\n' "force-reload ..."
  start
}
# Dispatch on the action passed by init / update-rc.d.
# NOTE(review): every path, including an unknown action, exits 0; an LSB
# init script is expected to exit non-zero (2) for an invalid argument.
action="$1"
case "$action" in
  start)        start ;;
  stop)         stop ;;
  status)       status ;;
  restart)      restart ;;
  reload)       reload ;;
  force-reload) force_reload ;;
  *)
    printf '%s\n' "Usage: iptables_tc {start|stop|restart|reload|force-reload|status}"
    ;;
esac
exit 0
Donn escribió:
> Hi,
> I want to run an iptables command to allow my other machine to surf through my
> Kubuntu box. I used to put this into /etc/networking/netshare, but I can't
> recall how it got run exactly.
> How do I set this up on Gutsy (I don't savvy upstart yet) so it runs soon
> after the network interfaces have come to life?
>
> \d
>
>