Buongiorno a tutti,
sto configurando un server che deve fornire i seguenti servizi:
1- File server SAMBA: OK
2- Proxy Server Squid: OK (navigazione WEB)
3- Firewall iptables: NO
Il server ha 2 int. di rete (vedi sotto). Stoppando iptables funziona tutto alla perfezione,
ma quando viene attivato funzionano solo i servizi esterni verso l'interno. La navigazione web tramite squid in ascolto sulla porta 8080 (non configurato come transparent proxy) non funziona piu' e non funziona neanche il port forwarding per prendere la posta.
ringrazio in anticipo per il prezioso aiuto.
Ciao
Mirko ==> misteram@email.it
script iptables
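#!/bin/sh
#
# iptables firewall for a two-interface gateway: LAN on eth0, Internet on eth1.
#
# Usage: firewall.sh [save|restore|stop]
#   save     write the running rule set to /etc/sysconfig/iptables
#   restore  load the rule set written by "save"
#   stop     flush every rule and leave all policies at ACCEPT (firewall off)
#   (none)   load kernel modules, tune sysctl and build the full rule set
#
# Long rules are continued with a trailing backslash.  In the version that
# was posted they were split over two lines with no continuation character:
# the first half (e.g. "-i eth1 -m state --state ESTABLISHED,RELATED") was
# then loaded without its "-j ACCEPT" and the second half failed as a
# command.  If the script on disk looks like that, it alone would explain
# replies to Squid's outbound fetches being dropped.
#
# eth0 ==> LAN
# private interface 192.168.140.5
# eth1 ==> INTERNET
# public interface 81.116.80.110
#
# Provider: Telecom
# DNS1 212.131.30.42
# DNS2 212.131.30.43
#
# External SMTP server
# 217.169.102.78
# External POP server
# 217.169.102.77

# Absolute paths: the script runs as root and must not depend on PATH.
IPT="/sbin/iptables"
IPTS="/sbin/iptables-save"
IPTR="/sbin/iptables-restore"
# Command plus flag; it is expanded unquoted on purpose below.
SYSCTL="/sbin/sysctl -w"
RULES_FILE="/etc/sysconfig/iptables"

# Network layout (see header).  Change these rather than the rules.
LAN_IF="eth0"
INET_IF="eth1"
LAN_NET="192.168.140.0/24"
LAN_BCAST="192.168.140.255"
LAN_IP="192.168.140.5"
INET_IP="81.116.80.110"
WWW_SERVER="192.168.140.7"
EXT_SMTP="217.169.102.78"
EXT_POP="217.169.102.77"

# set_kernel_param NAME VALUE
# Sets one sysctl (dotted name) through $SYSCTL, or through /proc/sys when
# $SYSCTL is empty.  Replaces the six copy-pasted if/else blocks of the
# original while keeping its /proc fallback.
set_kernel_param() {
  if [ "$SYSCTL" = "" ]; then
    echo "$2" > "/proc/sys/$(echo "$1" | tr '.' '/')"
  else
    $SYSCTL "$1=$2"
  fi
}

# SAVE and RESTORE
case "$1" in
  save)
    # printf instead of "echo -n": -n is not portable under /bin/sh.
    printf '%s' "Saving firewall to /etc/sysconfig/iptables .. "
    "$IPTS" > "$RULES_FILE"
    echo "done"
    exit 0
    ;;
  restore)
    printf '%s' "Restoring firewall from /etc/sysconfig/iptables ... "
    "$IPTR" < "$RULES_FILE"
    echo "done"
    exit 0
    ;;
esac

echo " CARICAMENTO MODULI KERNEL ..."
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp

# KERNEL CONFIGURATION PARAMETERS
set_kernel_param net.ipv4.ip_forward 1
set_kernel_param net.ipv4.conf.all.rp_filter 1
set_kernel_param net.ipv4.icmp_echo_ignore_broadcasts 1
set_kernel_param net.ipv4.conf.all.accept_source_route 0
set_kernel_param net.ipv4.conf.all.secure_redirects 1
set_kernel_param net.ipv4.conf.all.log_martians 1

echo "Pulizia delle regole ipTables ..."
# Open the policies before flushing so "stop" leaves the box reachable.
"$IPT" -P INPUT ACCEPT
"$IPT" -P FORWARD ACCEPT
"$IPT" -P OUTPUT ACCEPT
"$IPT" -t nat -P PREROUTING ACCEPT
"$IPT" -t nat -P POSTROUTING ACCEPT
"$IPT" -t nat -P OUTPUT ACCEPT
"$IPT" -t mangle -P PREROUTING ACCEPT
"$IPT" -t mangle -P OUTPUT ACCEPT
# Flush every table.  The original had a non-ASCII dash in "mangle –F",
# which iptables rejects, so the mangle table was never flushed.
"$IPT" -F
"$IPT" -t nat -F
"$IPT" -t mangle -F
# Delete all non-default chains
"$IPT" -X
"$IPT" -t nat -X
"$IPT" -t mangle -X

if [ "$1" = "stop" ]; then
  echo "Firewall ripulito! FIREWALL NON ATTIVO."
  exit 0
fi

# Filter table: default deny, then explicit accepts below.
"$IPT" -P INPUT DROP
"$IPT" -P OUTPUT DROP
"$IPT" -P FORWARD DROP

echo "Creazione regole personalizzate ..."
"$IPT" -N bad_packets
"$IPT" -N bad_tcp_packets
"$IPT" -N icmp_packets
"$IPT" -N udp_inbound
"$IPT" -N udp_outbound
"$IPT" -N tcp_inbound
"$IPT" -N tcp_outbound

# bad_packets: log and drop anything conntrack considers INVALID, then hand
# TCP to bad_tcp_packets.
"$IPT" -A bad_packets -p ALL -m state --state INVALID -j LOG \
  --log-prefix "fp=bad_packets:1 a=DROP "
"$IPT" -A bad_packets -p ALL -m state --state INVALID -j DROP
"$IPT" -A bad_packets -p tcp -j bad_tcp_packets
"$IPT" -A bad_packets -p ALL -j RETURN

# bad_tcp_packets: LAN traffic is trusted; from anywhere else a NEW
# connection that does not start with a SYN is dropped.
"$IPT" -A bad_tcp_packets -p tcp -i "$LAN_IF" -j RETURN
#"$IPT" -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
#  --log-prefix "fp=bad_tcp_packets:1 a=DROP "
"$IPT" -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
"$IPT" -A bad_tcp_packets -p tcp -j RETURN

# ICMP RULES: drop fragments, accept time-exceeded (type 11, used by
# traceroute), hand everything else back to the caller.
"$IPT" -A icmp_packets -p ICMP --fragment -j LOG \
  --log-prefix "fp=icmp_packets:1 a=DROP "
"$IPT" -A icmp_packets -p ICMP --fragment -j DROP
"$IPT" -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
"$IPT" -A icmp_packets -p ICMP -j RETURN

# UDP: DNS replies in, NetBIOS noise dropped silently.
# (The original also had a "-p TCP --sport 53" rule here; it could never
# match because this chain is only entered with -p UDP, so it was removed.)
"$IPT" -A udp_inbound -p UDP -s 0/0 --sport 53 -j ACCEPT
"$IPT" -A udp_inbound -p UDP -s 0/0 --dport 137 -j DROP
"$IPT" -A udp_inbound -p UDP -s 0/0 --dport 138 -j DROP
"$IPT" -A udp_inbound -p UDP -j RETURN
"$IPT" -A udp_outbound -p UDP -s 0/0 -j ACCEPT

# tcp_inbound chain: services reachable from the Internet.
#SSH
"$IPT" -A tcp_inbound -p TCP -s 0/0 --dport 22 -j ACCEPT
# smtp web pop
"$IPT" -A tcp_inbound -p TCP -s 0/0 --dport 25 -j ACCEPT
"$IPT" -A tcp_inbound -p TCP -s 0/0 --dport 80 -j ACCEPT
"$IPT" -A tcp_inbound -p TCP -s 0/0 --dport 110 -j ACCEPT
# WEBMIN
# NOTE(review): this exposes the Webmin admin interface to every Internet
# host; restricting -s to the administrator's addresses would be safer.
"$IPT" -A tcp_inbound -p TCP -s 0/0 --dport 10000 -j ACCEPT
"$IPT" -A tcp_inbound -p TCP -j RETURN
# tcp_outbound chain
"$IPT" -A tcp_outbound -p TCP -s 0/0 -j ACCEPT

# (Was a bare "Creazione catena di INPUT" line: executed as a command and
# failed.  Same for the OUTPUT and POSTROUTING headings below.)
echo "Creazione catena di INPUT ..."
"$IPT" -A INPUT -p ALL -i lo -j ACCEPT
"$IPT" -A INPUT -p ALL -j bad_packets
"$IPT" -A INPUT -p ALL -d 224.0.0.1 -j DROP
# Anything from the LAN, which includes clients talking to Squid on 8080.
"$IPT" -A INPUT -p ALL -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
"$IPT" -A INPUT -p ALL -i "$LAN_IF" -d "$LAN_BCAST" -j ACCEPT
# Inbound Internet Packet Rules: replies to connections this host opened
# itself (Squid fetching pages, DNS lookups, ...).
"$IPT" -A INPUT -p ALL -i "$INET_IF" -m state --state ESTABLISHED,RELATED \
  -j ACCEPT
#"$IPT" -A INPUT -p ALL -i "$LAN_IF" -m state --state ESTABLISHED,RELATED \
#  -j ACCEPT
"$IPT" -A INPUT -p TCP -i "$INET_IF" -j tcp_inbound
"$IPT" -A INPUT -p UDP -i "$INET_IF" -j udp_inbound
"$IPT" -A INPUT -p ICMP -i "$INET_IF" -j icmp_packets
"$IPT" -A INPUT -p ALL -d 255.255.255.255 -j DROP
"$IPT" -A INPUT -j LOG --log-prefix "fp=INPUT:99 a=DROP "

echo "Creazione catena di FORWARD ..."
"$IPT" -A FORWARD -p ALL -j bad_packets
# Replies coming back from the Internet for connections the LAN opened
# (mail through the DNAT rules below, any other forwarded traffic).  The
# original had this rule commented out, so with the FORWARD policy at DROP
# every return packet on eth1 was discarded; that matches the symptom of
# only Internet->LAN services working.
"$IPT" -A FORWARD -i "$INET_IF" -m state --state ESTABLISHED,RELATED \
  -j ACCEPT
"$IPT" -A FORWARD -p tcp -i "$LAN_IF" -j tcp_outbound
"$IPT" -A FORWARD -p udp -i "$LAN_IF" -j udp_outbound
"$IPT" -A FORWARD -p ALL -i "$LAN_IF" -j ACCEPT
# The two LAN->mail rules are already covered by the "-i eth0 ACCEPT" above;
# kept so the intent stays visible.
"$IPT" -A FORWARD -p tcp -i "$LAN_IF" --dport 25 -d "$EXT_SMTP" -j ACCEPT
"$IPT" -A FORWARD -p tcp -i "$LAN_IF" --dport 110 -d "$EXT_POP" -j ACCEPT
# New connections from the Internet only to the published web server.
"$IPT" -A FORWARD -p tcp -i "$INET_IF" --dport 80 -d "$WWW_SERVER" -j ACCEPT
# Log packets that still don't match
"$IPT" -A FORWARD -j LOG --log-prefix "fp=FORWARD:99 a=DROP "

echo "Creazione catena di OUTPUT ..."
"$IPT" -A OUTPUT -m state -p icmp --state INVALID -j DROP
# Localhost
"$IPT" -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
"$IPT" -A OUTPUT -p ALL -o lo -j ACCEPT
# To internal network (the original listed "-o eth0 ACCEPT" twice).
"$IPT" -A OUTPUT -p ALL -s "$LAN_IP" -j ACCEPT
"$IPT" -A OUTPUT -p ALL -o "$LAN_IF" -j ACCEPT
# To internet
"$IPT" -A OUTPUT -p ALL -o "$INET_IF" -j ACCEPT
# Log packets that still don't match
"$IPT" -A OUTPUT -j LOG --log-prefix "fp=OUTPUT:99 a=DROP "

# nat table
echo "Creazione regole NAT ..."
# PREROUTING: LAN mail clients point at this box and get redirected to the
# provider's servers; the public web address is mapped to the internal host.
# POSTA INTERNET SMTP
"$IPT" -t nat -A PREROUTING -p tcp -i "$LAN_IF" --dport 25 \
  -j DNAT --to-destination "${EXT_SMTP}:25"
# POSTA INTERNET POP
"$IPT" -t nat -A PREROUTING -p tcp -i "$LAN_IF" --dport 110 \
  -j DNAT --to-destination "${EXT_POP}:110"
# WWW
"$IPT" -t nat -A PREROUTING -p tcp -i "$INET_IF" --dport 80 \
  -j DNAT --to-destination "${WWW_SERVER}:80"

echo "Creazione catena di POSTROUTING ..."
# Everything leaving towards the Internet carries the public address.
"$IPT" -t nat -A POSTROUTING -o "$INET_IF" -j SNAT --to-source "$INET_IP"
# POSTA INTERNET SMTP / POP
# NOTE(review): these two rules match the destination as it was *before*
# DNAT (192.168.140.5), but POSTROUTING sees the packet after DNAT rewrote
# it, so they appear never to match; conntrack already un-DNATs the
# replies.  Left in place pending a check of the counters with
# "iptables -t nat -L POSTROUTING -v".
"$IPT" -t nat -A POSTROUTING -p tcp --dst "$LAN_IP" --dport 25 -j SNAT \
  --to-source "$EXT_SMTP"
"$IPT" -t nat -A POSTROUTING -p tcp --dst "$LAN_IP" --dport 110 -j SNAT \
  --to-source "$EXT_POP"
# WWW: forwarded web traffic reaches the internal server with this box's
# LAN address as source, so its replies always come back through here.
# Side effect: the web server's logs show 192.168.140.5 instead of the real
# client address, which hurts any later incident investigation.
"$IPT" -t nat -A POSTROUTING -p tcp --dst "$WWW_SERVER" --dport 80 -j SNAT \
  --to-source "$LAN_IP"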