Witam,
proszę o pomoc w skonfigurowaniu routingu. Jest to dosyć złożony system więc postaram się przedstawić (niektóre dane są zmienione):
cat /etc/debian_version
5.0.4
uname -r
2.6.27.24-tomcia.3.0.imq+hfsc+raid+sata
Cele:
- podsieć 192.168.0.x na interfejsie bond0 musi komunikować się poprawnie ze wszystkimi hostami w poniższych podsieciach (w sensie że działa ping nie tylko po adresie IP, ale także po nazwie hosta):
10.10.10.x - sieć wirtualna na interfejsie bond0:1 (drugi LAN)
10.10.4.x - sieć wirtualna na interfejsie bond0:2 (trzeci LAN)
10.55.55.x - sieć wirtualna na interfejsie tap0 (VPN)
- musi poprawnie działać routing na 2 łącza (tj. coś przychodzi łączem 1, wchodzi do LANu do hosta, wraca z hosta do LANu, wychodzi łączem 1 - czyli w skrócie chodzi o --save-mark i --restore-mark), routing zrobiony po portach
- transfer z 10.10.10.x do 192.168.0.x powinien wynosić około 2 Gbit/s (moduł bonding działa w trybie round-robin czyli "0")
- HFSC na download (pracuję nad tym)
W tej chwili sytuacja wygląda tak:
- z 10.55.55.x można pingować hosty z 192.168.0.x, ale tylko po adresie IP, po nazwie nie znajduje, VPN działa ok (usługi TCP)
- przy pingu z 192.168.0.x do 10.x.x.x jest:
PING 10.10.10.40 (10.10.10.40) 56(84) bytes of data.
From 192.168.0.1: icmp_seq=3 Redirect Host(New nexthop: 10.10.10.40)
From 192.168.0.1 icmp_seq=1 Destination Host Unreachable
From 192.168.0.1 icmp_seq=2 Destination Host Unreachable
From 192.168.0.1 icmp_seq=3 Destination Host Unreachable
- tu też z klienta:
ip route get 10.10.10.40
10.10.10.40 via 192.168.0.1 dev eth0 src 192.168.0.14
cache mtu 1500 advmss 1460 hoplimit 64
- zaś z serwera do 10.10.10.x:
PING 10.10.10.40 (10.10.10.40) 56(84) bytes of data.
From 10.10.10.254 icmp_seq=1 Destination Host Unreachable
From 10.10.10.254 icmp_seq=2 Destination Host Unreachable
From 10.10.10.254 icmp_seq=3 Destination Host Unreachable
From 10.10.10.254 icmp_seq=5 Destination Host Unreachable
From 10.10.10.254 icmp_seq=6 Destination Host Unreachable
From 10.10.10.254 icmp_seq=7 Destination Host Unreachable
z kolei dla innego hosta - ze stacji:
PING 10.10.10.30 (10.10.10.30) 56(84) bytes of data.
64 bytes from 10.10.10.30: icmp_seq=1 ttl=254 time=13.7 ms
64 bytes from 10.10.10.30: icmp_seq=2 ttl=254 time=14.0 ms
64 bytes from 10.10.10.30: icmp_seq=3 ttl=254 time=14.0 ms
64 bytes from 10.10.10.30: icmp_seq=4 ttl=254 time=16.2 ms
64 bytes from 10.10.10.30: icmp_seq=5 ttl=254 time=13.8 ms
64 bytes from 10.10.10.30: icmp_seq=6 ttl=254 time=13.8 ms
64 bytes from 10.10.10.30: icmp_seq=7 ttl=254 time=13.8 ms
64 bytes from 10.10.10.30: icmp_seq=8 ttl=254 time=13.9 ms
64 bytes from 10.10.10.30: icmp_seq=9 ttl=254 time=13.8 ms
64 bytes from 10.10.10.30: icmp_seq=10 ttl=254 time=13.8 ms
tomcio@testowy:~$ ip route get 10.10.10.30
10.10.10.30 via 192.168.0.1 dev eth0 src 192.168.0.14
cache mtu 1500 advmss 1460 hoplimit 64
a z serwera:
serwer:/tmp# ip route get 10.10.10.30
10.10.10.30 dev bond0 src 10.10.10.254
cache ipid 0x96a1 mtu 1500 advmss 1460 hoplimit 64
Pliki konfiguracyjne:
/etc/network/interfaces
# /etc/network/interfaces - boot-time addressing for the router.
# NOTE(review): /etc/init.d/firewall (fw_start) re-addresses bond0, eth0
# and eth1 with ifconfig and installs its own routes, so whichever runs
# last wins. Several values below disagree with that script: bond0 is
# 192.168.0.5 here and 192.168.0.1 there, and the script hands the
# 92.12.221.212 / 81.17.121.67 pair to eth1 / eth0, the reverse of this
# file. Confirm which mapping is the real one.
# The loopback network interface
auto lo
iface lo inet loopback
# DSL1
allow-hotplug eth0
iface eth0 inet static
address 92.12.221.212
netmask 255.255.255.248
# commented out because of the error with two gateways (the router did
# not know which gateway packets should use) [author's note]
# gateway 92.12.221.211
auto eth0
# DSL2
allow-hotplug eth1
iface eth1 inet static
address 81.17.121.67
netmask 255.255.255.248
# this is the default gateway [author's note]
# NOTE(review): this installs "default via 81.17.121.65 dev eth1" at boot.
# The firewall script later runs "ip route add default ... nexthop ...",
# which fails with "File exists" while this default is present; the
# route -n output in the post shows only this single default and no
# multipath route. Either drop the gateway line and let the script own the
# default route, or have the script use "ip route replace".
gateway 81.17.121.65
auto eth1
# LAN - 2 cards combined into a 2 Gbit link
# (the bonding mode - round-robin according to the post - is not set here,
# so it presumably comes from module options elsewhere; confirm)
iface bond0 inet static
address 192.168.0.5
netmask 255.255.255.0
network 192.168.0.0
up /sbin/ifenslave bond0 eth2
up /sbin/ifenslave bond0 eth3
auto bond0
# Virtual interfaces for the networks
# NOTE(review): a 255.255.255.255 netmask on an alias gives the kernel no
# connected route for 10.10.4.0/24 or 10.10.10.0/24, which is why the
# firewall script has to "route add" them by hand. A /24 mask here would
# create the routes together with the address.
# Network1
iface bond0:1 inet static
address 10.10.4.254
netmask 255.255.255.255
auto bond0:1
# Network2
iface bond0:2 inet static
address 10.10.10.254
netmask 255.255.255.255
auto bond0:2
Plik /etc/init.d/openvpn/server.conf
# OpenVPN server, routed mode ("dev tun"): clients get addresses from
# 10.55.55.0/24 and a pushed route to the main LAN.
# NOTE(review): the post lists this file under /etc/init.d/openvpn/ while
# every path inside points at /etc/openvpn/ - presumably a typo in the post.
dev tun
# TCP transport (TCP-over-TCP degrades under loss; udp is the usual choice
# when the path allows it).
proto tcp-server
port 1122
server 10.55.55.0 255.255.255.0
# Only 192.168.0.0/24 is pushed; the 10.10.4.0/24 and 10.10.10.0/24
# subnets the post wants reachable get no route on the client side.
push "route 192.168.0.0 255.255.255.0"
# NOTE(review): dhcp-option DNS/WINS is applied automatically by the
# Windows client only; other clients need an up/down script to use
# 192.168.0.1, which would fit "ping by IP works, by name does not" from
# the VPN in the post - confirm which clients are in use.
push "dhcp-option DNS 192.168.0.1"
push "dhcp-option WINS 192.168.0.1"
keepalive 10 120
max-clients 10
ifconfig-pool-persist /etc/openvpn/ipp.txt
client-config-dir /etc/openvpn/ccd
log-append /var/log/openvpn.log
mute 20
tls-server
# HMAC on the control channel: packets without a valid HMAC are dropped
# before the TLS handshake.
tls-auth /etc/openvpn/keys/ta.key 0
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
# NOTE(review): 1024-bit DH parameters are below current recommendations
# (2048-bit or larger); regenerate and point this at the larger file.
# There is also no "cipher"/"auth" line, so the build's defaults apply -
# for OpenVPN 2.x of this era that is a 64-bit block cipher; set an AES
# cipher explicitly on both ends.
dh /etc/openvpn/keys/dh1024.pem
persist-key
persist-tun
# NOTE(review): compressing tunnel payload is discouraged by later OpenVPN
# releases because of compression-oracle attacks on the encrypted data;
# consider removing it on both ends.
comp-lzo
daemon
# verb 5 prints per-packet read/write markers - noisy for a permanent
# setting; 3 is the usual operational level.
verb 5
; eof
Plik /etc/init.d/firewall:
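#!/bin/sh
# /etc/init.d/firewall - packet filter, NAT and two-uplink policy routing
# for a Debian 5.0 router. Usage: firewall {start|stop|restart|clear}
# (dispatched by the case statement at the end of the file).
#
# This block only defines the variables the fw_* functions read and bails
# out quietly when iptables is not installed.
PATH=/bin:/sbin:/usr/bin:/usr/sbin
export PATH
# Single place for the iptables path; the existence check below and the
# ${iptables} rules in fw_start both use it.
iptables=/sbin/iptables
# Services that the system will offer to the network
# (chain INPUT)
TCP_SERVICES="1122" # OpenVPN
UDP_SERVICES="53 ntp" # DNS, NTP ("ntp" is resolved through /etc/services)
# Services the system will use from the network
# (chain OUTPUT) - note fw_start accepts every NEW outgoing TCP/UDP
# connection before these lists are consulted, so they are informational.
REMOTE_TCP_SERVICES="" # Http, OpenVPN
REMOTE_UDP_SERVICES="53" # DNS
# SSH port
# NOTE(review): 223344 is not a valid TCP port (65535 max); iptables rejects
# the rule built from it in fw_start. If this is not one of the values
# altered for the post, the SSH accept rule is never installed.
SSH_PORT="223344"
echo "Definicja zmiennych"
# Interfaces. VLAN1/VLAN2 are interface aliases, not 802.1q VLANs; the
# kernel ignores the alias label when a route is bound to them.
LAN="bond0"
VLAN1="bond0:1"
VLAN2="bond0:2"
# Uplinks. NOTE(review): WAN=eth1 is paired with NAT/GW1 (92.12.221.x) and
# WAN2=eth0 with NAT2/GW2 (81.17.121.x), the reverse of
# /etc/network/interfaces - confirm which mapping is right.
WAN="eth1"
WAN2="eth0"
# IP addresses
LAN_IP="192.168.0.1"
NAT="92.12.221.212"
NAT2="81.17.121.67"
# Gateways
GW1="92.12.221.211"
GW2="81.17.121.65"
# Networks
LAN_NET="192.168.0.0/24"
GW1_NET="92.12.221.208/29"
GW2_NET="81.17.121.64/29"
# Netmasks
LOCALMASK="255.255.255.0"
DSLMASK="255.255.255.248"
echo "Koniec definiowania zmiennych"
# Nothing to do without iptables; exit 0 so the init sequence continues.
if ! [ -x "$iptables" ]; then
exit 0
fi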
#######################################
# Bring the router up. In order: conntrack modules, connected routes for
# the two extra LAN subnets, the two-uplink policy routing (tables T1/T2,
# selected by source address or by fwmark), SNAT, the mangle rules that
# set the marks, the HFSC upload shapers, kernel sysctls, and finally the
# INPUT/OUTPUT/FORWARD rule sets. The "start" case runs fw_stop first, so
# every table is empty on entry. Rules are appended (-A) in the order
# written and a few are inserted (-I) at fixed positions, so the order of
# this function is load-bearing - see the NOTE(review) comments on the
# FORWARD chain.
# Globals:   reads the variables defined at the top of the file (LAN,
#            VLAN1, VLAN2, WAN, WAN2, LAN_IP, NAT, NAT2, GW1, GW2,
#            LAN_NET, GW1_NET, GW2_NET, LOCALMASK, DSLMASK, *_SERVICES,
#            SSH_PORT, iptables); sets PORT, adres_mac, adres_mac2, P2P,
#            WWW, BLOCKED_MAC, BLOCKED_MAC2, P2P_PROTO, LISTA_SERWISOW.
# Arguments: none
# Outputs:   progress messages on stdout; writes the final rule set to
#            /etc/iptables-reguly.ipt
# Returns:   status of the last command. There is no "set -e": a rule that
#            iptables rejects is reported and the function carries on
#            without it.
#######################################
fw_start () {
# Kernel modules: connection tracking and the FTP helper (RELATED data
# connections).
modprobe ip_conntrack
modprobe ip_conntrack_ftp
echo "Dodawanie podsieci"
# Connected routes for the two extra LAN subnets. /etc/network/interfaces
# gives the bond0:1/bond0:2 aliases a /32 netmask, so the kernel does not
# create these routes itself; the "del" presumably keeps a re-run from
# failing with "File exists".
# NOTE(review): the labels are crossed - VLAN1 is bond0:1 (10.10.4.254)
# yet carries 10.10.10.0/24, and VLAN2 (10.10.10.254) carries 10.10.4.0/24.
# The kernel binds a route to the real device regardless of the alias
# label (route -n in the post shows both on bond0), so it works, but it is
# a maintenance trap.
route del -net 10.10.10.0 netmask 255.255.255.0 dev $VLAN1
route del -net 10.10.4.0 netmask 255.255.255.0 dev $VLAN2
route add -net 10.10.10.0 netmask 255.255.255.0 dev $VLAN1
route add -net 10.10.4.0 netmask 255.255.255.0 dev $VLAN2
echo "Zakończone dodawanie podsieci"
# Split across the two DSL uplinks
echo "Kolejkowanie ruchu"
# Clear the per-uplink tables and selector rules left by a previous run.
# NOTE(review): T1 and T2 must be declared in /etc/iproute2/rt_tables,
# which the post does not show - "ip route" fails on an unknown table name.
ip route flush table T1
ip route flush table T2
ip rule del from $NAT table T1
ip rule del from $NAT2 table T2
ip rule del fwmark 0x1 table T1
ip rule del fwmark 0x2 table T2
#"Setting up interfaces ..."
echo 1 > /proc/sys/net/ipv4/ip_forward
# Re-address the interfaces from the variables at the top of the file.
# NOTE(review): this is the reverse of /etc/network/interfaces in the post:
# there eth0 holds 92.12.221.212 and eth1 holds 81.17.121.67, whereas here
# WAN=eth1 receives NAT=92.12.221.212 and WAN2=eth0 receives NAT2. The
# pasted ifconfig/route -n output follows the interfaces file for
# eth0/eth1 (but this script for bond0 = 192.168.0.1). The post says some
# values were altered, so confirm which mapping is real before chasing
# routes.
ifconfig $LAN $LAN_IP netmask $LOCALMASK up
ifconfig $WAN $NAT netmask $DSLMASK up
ifconfig $WAN2 $NAT2 netmask $DSLMASK up
# Per-uplink tables: each holds its own connected /29 and its own default.
ip route add $GW1_NET dev $WAN src $NAT table T1
ip route add default via $GW1 table T1
ip route add $GW2_NET dev $WAN2 src $NAT2 table T2
ip route add default via $GW2 table T2
# LAN destinations inside T1/T2. A packet selected into one of these
# tables is routed by that table, and both contain a default route, so
# without these entries LAN-bound packets would be sent to the uplink.
ip route add $LAN_NET dev $LAN table T1
ip route add $GW1_NET dev $WAN table T1
ip route add $GW2_NET dev $WAN2 table T1
ip route add 10.10.10.0/24 dev $LAN table T1
ip route add 10.10.4.0/24 dev $LAN table T1
ip route add $LAN_NET dev $LAN table T2
ip route add $GW1_NET dev $WAN table T2
ip route add $GW2_NET dev $WAN2 table T2
ip route add 10.10.10.0/24 dev $LAN table T2
ip route add 10.10.4.0/24 dev $LAN table T2
# Connected routes for the two /29s in the main table ("backroute")
ip route add $GW1_NET dev $WAN src $NAT
ip route add $GW2_NET dev $WAN2 src $NAT2
# Equal-weight multipath default route over both uplinks.
# NOTE(review): /etc/network/interfaces already installs "gateway
# 81.17.121.65" for eth1, so this "add" fails with "File exists" as long
# as that default exists; route -n in the post shows only the single
# default via 81.17.121.65 and no multipath route. Use "ip route replace"
# here or remove the gateway line from the interfaces file.
ip route add default scope global nexthop via $GW1 dev $WAN weight 1 nexthop via $GW2 dev $WAN2 weight 1
# Host route to GW2 only; GW1 gets none - asymmetric, presumably a
# leftover. Verify it is intended.
ip route add $GW2 dev $WAN2
# Selector rules: packets sourced from a public address leave by that
# address's uplink ...
ip rule add from $NAT table T1
ip rule add from $NAT2 table T2
# ... and packets marked 0x1/0x2 in mangle PREROUTING below are pinned to
# uplink 1/2 respectively.
ip rule add fwmark 0x1 table T1
ip rule add fwmark 0x2 table T2
# Flush the route cache so the new rules take effect immediately.
ip route flush cache
# SNAT per uplink for the main LAN
iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN -j SNAT --to $NAT
iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN2 -j SNAT --to $NAT2
# Test network - Internet access.
# NOTE(review): 10.10.4.0/24 has no SNAT rule, so it is routed internally
# but cannot reach the Internet - confirm that is intended.
iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o $WAN -j SNAT --to $NAT
iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o $WAN2 -j SNAT --to $NAT2
# Restore the mark for already-established connections - completely
# breaks the queueing [author's note]
# NOTE(review): the save/restore-mark goal from the post needs this
# restore as the first mangle rule, the MARK rules limited to packets that
# still carry mark 0, and the CONNMARK --save-mark rules (disabled below)
# after them. As written every packet is classified on its own.
#iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
# POP3S - mail retrieval -> uplink 2
iptables -t mangle -A PREROUTING -p tcp --dport 995 -j MARK --set-mark 0x2
# SMTPS - mail sending -> uplink 2
# NOTE(review): --sport 465 matches packets whose *source* port is 465,
# i.e. the replies coming back from the mail server, not the LAN's
# outgoing connection (dport 465), which stays unmarked and takes the
# multipath default. The same applies to --sport 110 below; presumably
# --dport was intended in both - the author's note further down that
# SMTPS does not work is consistent with this.
iptables -t mangle -A PREROUTING -p tcp --sport 465 -j MARK --set-mark 0x2
# SMTP (25) - mail sending -> uplink 2 (the original label said POP3)
iptables -t mangle -A PREROUTING -p tcp --dport 25 -j MARK --set-mark 0x2
# POP3 (110) - mail retrieval -> uplink 2 (the original label said SMTP;
# see the --sport note above)
iptables -t mangle -A PREROUTING -p tcp --sport 110 -j MARK --set-mark 0x2
# HTTPS - encrypted web connections -> uplink 2
iptables -t mangle -A PREROUTING -p tcp --dport 443 -j MARK --set-mark 0x2
# Internet radio streams -> uplink 2
iptables -t mangle -A PREROUTING -p tcp --dport 8000:8500 -j MARK --set-mark 0x2
# DNS queries -> uplink 1
iptables -t mangle -A PREROUTING -p udp --dport 53 -j MARK --set-mark 0x1
# ? (author: to be written up later) - SMB/CIFS 445 -> uplink 1
# NOTE(review): none of the MARK rules carry "-i $LAN", so they also fire
# on packets arriving from the uplinks and the VPN; harmless for routing
# today but worth restricting once CONNMARK is enabled.
iptables -t mangle -A PREROUTING -p tcp --dport 445 -j MARK --set-mark 0x1
# Save MARK - because of this SMTPS does not work!!!! [author's note]
#iptables -t mangle -A PREROUTING -p tcp -m mark --mark 0x1 -j CONNMARK --save-mark
#iptables -t mangle -A PREROUTING -p tcp -m mark --mark 0x2 -j CONNMARK --save-mark
#iptables -t mangle -A PREROUTING -p udp -m mark --mark 0x1 -j CONNMARK --save-mark
#iptables -t mangle -A PREROUTING -p udp -m mark --mark 0x2 -j CONNMARK --save-mark
# There was a bug here that made packets returning over the same link go
# through the $LAN interface !!!! [author's note]
#iptables -t nat -A PREROUTING -i $WAN -s 0/0 -d 0/0 -j DNAT --to $LAN_IP
#iptables -t nat -A PREROUTING -i $WAN2 -s 0/0 -d 0/0 -j DNAT --to $LAN_IP
echo "Zakonczone tworzenie tras"
echo "Kolejkowanie uploadu - HFSC"
# DSL1 upload shaper (external script, not shown in the post; the two
# numbers are presumably rate parameters)
/etc/skrypty/hfsc-up stop $WAN
/etc/skrypty/hfsc-up start $WAN 1000 120
# DSL2 upload shaper
/etc/skrypty/hfsc-up2 stop $WAN2
/etc/skrypty/hfsc-up2 start $WAN2 1000 120
echo "Zakonczono kolejkowanie uploadu - HFSC"
# First rule of INPUT and FORWARD: drop what conntrack cannot classify.
# The "-I FORWARD 2" inserts further down count on this being rule 1.
/sbin/iptables -A INPUT -m state --state INVALID -j DROP
/sbin/iptables -A FORWARD -m state --state INVALID -j DROP
# Other network protections (kernel sysctls)
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# (already enabled above)
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Reverse-path filtering off on both uplinks. Needed because with two
# uplinks a reply may leave by an interface a strict check would not
# expect; the price is that the kernel no longer rejects spoofed-source
# packets on these interfaces, so the INVALID drop and the
# source-restricted rules below are what remains.
echo 0 > /proc/sys/net/ipv4/conf/${WAN}/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/${WAN2}/rp_filter
# NOTE(review): for send_redirects the kernel treats an interface as
# enabled when conf/all OR conf/<iface> is 1, and conf/bond0 keeps its
# default of 1, so redirects are still sent on the LAN - the "Redirect
# Host (New nexthop: 10.10.10.40)" in the ping output of the post shows
# exactly that. To really turn them off add
#   echo 0 > /proc/sys/net/ipv4/conf/${LAN}/send_redirects
# (the disabled test line below sets it to 1, the opposite direction).
# accept_source_route combines all/ and per-interface values the same way;
# check the per-interface values too.
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
# TESTS with routing between the LAN subnets (left disabled)
# echo 1 > /proc/sys/net/ipv4/conf/${LAN}/send_redirects
# echo 1 > /proc/sys/net/ipv4/conf/${LAN}/accept_redirects
# echo 1 > /proc/sys/net/ipv4/conf/${LAN}/accept_source_route
# echo 0 > /proc/sys/net/ipv4/conf/${WAN}/accept_source_route
# echo 0 > /proc/sys/net/ipv4/conf/${WAN2}/accept_source_route
# echo 0 > /proc/sys/net/ipv4/conf/${WAN}/accept_redirects
# echo 0 > /proc/sys/net/ipv4/conf/${WAN2}/accept_redirects
# echo 0 > /proc/sys/net/ipv4/conf/${WAN}/send_redirects
# echo 0 > /proc/sys/net/ipv4/conf/${WAN2}/send_redirects
echo 0 > /proc/sys/net/ipv4/tcp_ecn
echo 1 > /proc/sys/net/ipv4/tcp_timestamps
# TCP session limits
# NOTE(review): these sysctls only affect TCP terminated on this host, not
# forwarded traffic, but this host serves Samba and NFS to the LAN (rules
# below) and with window scaling and SACK off those transfers are capped
# far below the ~2 Gbit/s the post is after. Reconsider the two "0"s.
echo "30" > /proc/sys/net/ipv4/tcp_fin_timeout
echo "2400" > /proc/sys/net/ipv4/tcp_keepalive_time
echo "0" > /proc/sys/net/ipv4/tcp_window_scaling
echo "0" > /proc/sys/net/ipv4/tcp_sack
echo "20" > /proc/sys/net/ipv4/ipfrag_time
echo "1280" > /proc/sys/net/ipv4/tcp_max_syn_backlog
# Input traffic:
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Services - TCP (TCP_SERVICES from the top of the file, open to any
# source, uplinks included)
echo " "
echo "Otwarcie drogi dla serwisow"
if [ -n "$TCP_SERVICES" ] ; then
for PORT in $TCP_SERVICES; do
/sbin/iptables -A INPUT -p tcp --dport ${PORT} -j ACCEPT
done
fi
# SSH
# NOTE(review): SSH_PORT is "223344", which is not a valid TCP port
# (65535 max); iptables rejects the rule and the script carries on, so
# unless this is one of the values altered for the post, no SSH accept
# rule is ever installed.
/sbin/iptables -A INPUT -p tcp --dport ${SSH_PORT} -j ACCEPT
# Services - UDP (53 and ntp, open to any source, uplinks included - the
# resolver answers the Internet unless the DNS server itself is bound to
# the LAN)
if [ -n "$UDP_SERVICES" ] ; then
for PORT in $UDP_SERVICES; do
/sbin/iptables -A INPUT -p udp --dport ${PORT} -j ACCEPT
done
fi
# ICMP and the like
# Only selected ICMP types are allowed: echo-reply (0),
# destination-unreachable (3), time-exceeded (11) and echo-request (8)
# rate-limited to one per second.
#/sbin/iptables -A INPUT -p icmp -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
#/sbin/iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT // this single line lets only the server receive ICMP - DoS protection [author's note]
# Drop oversized pings (disabled)
#iptables -A INPUT -p icmp -m length --length 200:65535 -j DROP
#iptables -A OUTPUT -p icmp -m length --length 200:65535 -j DROP
# Loopback, then default-deny for INPUT.
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -P INPUT DROP
# Output:
/sbin/iptables -A OUTPUT -j ACCEPT -o lo
/sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ICMP is permitted:
/sbin/iptables -A OUTPUT -p icmp -j ACCEPT
# NOTE(review): unreachable - the rule above already accepts all outgoing
# ICMP.
/sbin/iptables -A OUTPUT -m state -p icmp --state INVALID -j DROP
# So are security package updates:
# Note: You can hardcode the IP address here to prevent DNS spoofing
# and to setup the rules even if DNS does not work but then you
# will not "see" IP changes for this service:
# NOTE(review): the hostname is resolved once, when the rule is loaded;
# if DNS is unavailable at boot the rule is skipped. Moot here, since the
# two rules below accept every NEW TCP/UDP connection anyway.
/sbin/iptables -A OUTPUT -p tcp -d security.debian.org --dport 80 -j ACCEPT
# As well as the services we have defined:
# NOTE(review): these two accept every NEW outgoing TCP/UDP connection, so
# the REMOTE_*_SERVICES loops that follow never match anything. OUTPUT is
# effectively open, which the author's note below says is intended.
/sbin/iptables -A OUTPUT -p tcp -m state --state NEW -j ACCEPT
/sbin/iptables -A OUTPUT -p udp -m state --state NEW -j ACCEPT
if [ -n "$REMOTE_TCP_SERVICES" ] ; then
for PORT in $REMOTE_TCP_SERVICES; do
/sbin/iptables -A OUTPUT -p tcp --dport ${PORT} -j ACCEPT
done
fi
if [ -n "$REMOTE_UDP_SERVICES" ] ; then
for PORT in $REMOTE_UDP_SERVICES; do
/sbin/iptables -A OUTPUT -p udp --dport ${PORT} -j ACCEPT
done
fi
# OUTPUT - everything is let through [author's note]
#/sbin/iptables -A OUTPUT -j LOG
#/sbin/iptables -A OUTPUT -j REJECT
#/sbin/iptables -P OUTPUT DROP
# Forwarding (the original label says "masquerade")
# NOTE(review): the first rule accepts every NEW forwarded connection and
# the next three every ESTABLISHED/RELATED packet, so everything appended
# to FORWARD after this point - connlimit, the layer7 P2P rules, the eMule
# REJECTs, the Ubuntu-server accept and the final DROP - is unreachable.
# Only the "-I" inserts at positions 2-4 further down land ahead of these
# four. If the blocks are meant to work, append these accepts after the
# blocking rules (or put the blocks in their own chain jumped to first).
/sbin/iptables -A FORWARD -m state --state NEW -j ACCEPT
/sbin/iptables -A FORWARD -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
# This was the redirect to the main uplink - no longer used, traffic goes
# over the 2 DSLs. [author's note]
#/sbin/iptables -t nat -A POSTROUTING -o ${WAN} -s 192.168.0.0/16 -j SNAT --to ${NAT}
# Limit to 300 connections per modem - keeps the modem from hanging
# [author's note]. Applies only to flows no mangle rule pinned (mark 0x0)
# and - see the FORWARD note - is unreachable in this order.
/sbin/iptables -t filter -A FORWARD -s 192.168.0.0/24 -o ${WAN} -p tcp -m mark \
--mark 0x0 -m connlimit --connlimit-above 300 --connlimit-mask 32 \
-j REJECT --reject-with tcp-reset
/sbin/iptables -t filter -A FORWARD -s 192.168.0.0/24 -o ${WAN2} -p tcp -m mark \
--mark 0x0 -m connlimit --connlimit-above 300 --connlimit-mask 32 \
-j REJECT --reject-with tcp-reset
#OpenVPN virtual devices
echo "OpenVPN ustawienie interface'ow"
# Allow TUN interface connections to OpenVPN server
# NOTE(review): "-i tun+ -j ACCEPT" in INPUT exposes every local service
# to every VPN client, and the FORWARD counterpart lets VPN clients reach
# any network, the uplinks included; the narrower 10.55.55.0/24 ->
# 192.168.0.0/24 rule below therefore never decides anything. server.conf
# uses "dev tun" and the pasted ifconfig has no tap device, so the tap+
# rules currently match nothing.
iptables -A INPUT -i tun+ -j ACCEPT
# Allow TUN interface connections to be forwarded through other interfaces
iptables -A FORWARD -i tun+ -j ACCEPT
# Allow TAP interface connections to OpenVPN server
iptables -A INPUT -i tap+ -j ACCEPT
# Allow TAP interface connections to be forwarded through other interfaces
iptables -A FORWARD -i tap+ -j ACCEPT
# This line is responsible for LAN access from the virtual (VPN) addresses
/sbin/iptables -A FORWARD -i tun0 -s 10.55.55.0/24 -d 192.168.0.0/24 -j ACCEPT
# Bridge for the VPN connection (disabled)
#/sbin/iptables -A INPUT -i br0 -j ACCEPT
#/sbin/iptables -A FORWARD -i br0 -j ACCEPT
# SERVICES offered to the LAN only (interface- and source-restricted;
# ${iptables} is used here while the rest of the file spells
# /sbin/iptables - same binary)
# Samba
${iptables} -A INPUT -i ${LAN} -s ${LAN_NET} -p udp --dport 137 -m state --state NEW -j ACCEPT
${iptables} -A INPUT -i ${LAN} -s ${LAN_NET} -p udp --dport 138 -m state --state NEW -j ACCEPT
${iptables} -A INPUT -i ${LAN} -s ${LAN_NET} -p tcp --dport 139 -m state --state NEW -j ACCEPT
${iptables} -A INPUT -i ${LAN} -s ${LAN_NET} -p tcp --dport 445 -m state --state NEW -j ACCEPT
# DHCP (67) and TFTP (69) - network boot from the LAN
${iptables} -A INPUT -i ${LAN} -s ${LAN_NET} -p udp --dport 67 -m state --state NEW -j ACCEPT
${iptables} -A INPUT -i ${LAN} -s ${LAN_NET} -p udp --dport 69 -m state --state NEW -j ACCEPT
# NFS for the LAN (--ports matches either the source or the destination
# port)
${iptables} -A INPUT -i ${LAN} -s ${LAN_NET} -p udp -m multiport --ports 111,2049,32765:32769 -m state --state NEW -j ACCEPT
${iptables} -A INPUT -i ${LAN} -s ${LAN_NET} -p tcp -m multiport --ports 111,2049,32765:32769 -m state --state NEW -j ACCEPT
# NetCat
${iptables} -A INPUT -i ${LAN} -s ${LAN_NET} -p tcp --dport 1234 -m state --state NEW -j ACCEPT
## The actual redirect - disabled because the 2 DSLs are in use ## [author's note]
#/sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -i ${LAN} -s 192.168.0.0/16 -j DNAT --to-destination 192.168.0.1:8080
# the following is used with DansGuardian [author's note]
#/sbin/iptables -t nat -A PREROUTING -p tcp --dport 8080 -i ${WAN} -j DNAT --to-destination 192.168.0.1:3128
# Logging of all chains (disabled)
# /sbin/iptables -A INPUT -j LOG
# /sbin/iptables -A OUTPUT -j LOG
# /sbin/iptables -A FORWARD -j LOG
echo "Blokada niechcianych kompow"
# COMPLETE BLOCK server<->host by MAC, inserted at position 1 of INPUT.
# MAC matching only works for frames from the directly attached LAN and
# the address is chosen by the client, so treat it as a convenience, not a
# security boundary.
BLOCKED_MAC="12:34:56:78:90:12 09:87:65:43:21:09"
for adres_mac in $BLOCKED_MAC
do
iptables -I INPUT 1 -m mac --mac-source $adres_mac -j DROP
done
# INTERNET ACCESS ONLY blocked by MAC; "-I FORWARD 2" lands right after
# the INVALID drop, ahead of the NEW accept, so these do take effect.
# NOTE(review): the list is identical to BLOCKED_MAC above (possibly an
# artefact of the anonymisation); if it really is, these are redundant.
BLOCKED_MAC2="12:34:56:78:90:12 09:87:65:43:21:09"
for adres_mac2 in $BLOCKED_MAC2
do
iptables -I FORWARD 2 -m mac --mac-source $adres_mac2 -j DROP
done
# HOST1 - block everything except RDP/VNC and mail, by MAC. Positions 3
# and 4 are still ahead of the NEW accept. ("--ports ! list" is the
# legacy negation spelling; newer iptables want "! --ports".)
iptables -I FORWARD 3 -m mac --mac-source 12:34:56:78:90:12 -m multiport -p tcp --ports ! 25,110,465,995,3389,5900 -j DROP
iptables -I FORWARD 4 -m mac --mac-source 12:34:56:78:90:12 -m multiport -p udp --ports ! 53,5900 -j DROP
# Block Internet access for an IP range except a few ports.
# NOTE(review): counting the rules already in FORWARD at this point (with
# the two MACs listed above: INVALID, MAC, HOST1-tcp, HOST1-udp, MAC,
# NEW-accept, EST-tcp, EST-udp, EST-icmp, ...), positions 9 and 10 land
# *after* the NEW and ESTABLISHED accepts, so these two rules never see a
# TCP or UDP packet. Fixed positions are fragile; a dedicated chain, or
# inserting at 2 like the MAC rules, would make the intent hold.
iptables -I FORWARD 9 -m iprange --src-range 192.168.0.20-192.168.0.30 -m multiport -p tcp --ports ! 3389,5900,22,23 -j DROP
iptables -I FORWARD 10 -m iprange --src-range 192.168.0.20-192.168.0.30 -m multiport -p udp --ports ! 5900 -j DROP
echo "Blokada P2P na cala siec"
# Layer-7 P2P signatures to log and drop for the whole 192.168.0.0/16.
# NOTE(review): -m layer7 needs the l7-filter kernel and iptables patches;
# the kernel name in the post lists imq+hfsc but not layer7 - confirm it
# is present, otherwise every one of these rules fails to load. Unreachable
# in any case in the current FORWARD order.
P2P_PROTO="100bao applejuice ares bittorrent directconnect edonkey fasttrack gnucleuslan gnutella hotline imesh mute napster openft poco pplive soribada soulseek thecircle xunlei code_red nimda"
if [ -n "$P2P_PROTO" ]; then
for P2P in ${P2P_PROTO}; do
${iptables} -A FORWARD -s 192.168.0.0/16 -m layer7 --l7proto ${P2P} -j LOG --log-level debug --log-prefix "IPT:P2P "
${iptables} -A FORWARD -s 192.168.0.0/16 -m layer7 --l7proto ${P2P} -j DROP
done
fi
echo "Blokada eMule"
# eMule port ranges - unreachable in the current FORWARD order.
${iptables} -A FORWARD -s 192.168.0.0/16 -p tcp --dport 4661:4711 -j REJECT
${iptables} -A FORWARD -s 192.168.0.0/16 -p udp --dport 4661:4711 -j REJECT
echo "Blokada roznych serwisow WWW - napalonych przekieruj na Google"
# Web services to block by redirecting their port 80 to a hard-coded
# Google address. NOTE(review): the hostnames are resolved once at load
# time (one address each) and the target IP is fixed; both go stale.
LISTA_SERWISOW="193.17.41.95 208.43.223.10 rapidshare.com rapidshare.de megaupload.com megadownload.com speedyshare.com"
# 193.17.41.95 = wrzuta.pl
# 208.43.223.10 = chomikuj.pl
if [ -n "$LISTA_SERWISOW" ]; then
for WWW in ${LISTA_SERWISOW}; do
${iptables} -t nat -A PREROUTING -p tcp -s 192.168.0.0/24 -d ${WWW} --dport 80 -j DNAT --to 216.239.59.104:80
done
fi
echo "Przekierowania"
# PORT FORWARDS
# Ubuntu server: inbound 1234 on the first public address -> 10.10.10.100.
# The FORWARD accept is unreachable (see the FORWARD note) and, for the
# same reason, not needed.
/sbin/iptables -t nat -A PREROUTING -p tcp -d ${NAT} --dport 1234 -j DNAT --to-destination 10.10.10.100:1234
/sbin/iptables -A FORWARD -i ${WAN} -p tcp --dport 1234 -d 10.10.10.100 -j ACCEPT
# logs (disabled)
#/sbin/iptables -A INPUT -j LOG -m limit --limit 10/hour
# Explicit final DROPs: INPUT already has policy DROP; FORWARD keeps the
# DROP policy set by fw_stop (this function never sets -P FORWARD).
/sbin/iptables -A INPUT -j DROP
#/sbin/iptables -A FORWARD -j LOG -m limit --limit 10/hour
/sbin/iptables -A FORWARD -j DROP
# Setting the TTL helps when routing paths are misconfigured (disabled)
#/sbin/iptables -t mangle -A POSTROUTING -j TTL --ttl-set 128
# Save the rules
/sbin/iptables-save > /etc/iptables-reguly.ipt
}
#######################################
# Tear the rule set down into a closed stance: flush and delete user
# chains in filter and nat, flush mangle, then set INPUT/FORWARD to DROP
# and OUTPUT to ACCEPT. Run on "stop" and, before fw_start, on
# "start"/"restart".
# Globals:   none
# Arguments: none
# Outputs:   none
# Returns:   status of the last iptables call
#######################################
fw_stop () {
for tbl in filter nat; do
/sbin/iptables -t "$tbl" -F
/sbin/iptables -t "$tbl" -X
done
/sbin/iptables -t mangle -F
# Default-deny for traffic to and through the box; local output stays open.
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT ACCEPT
}
#######################################
# Open the firewall completely: flush filter, nat and mangle (user chains
# are left in place) and set every built-in policy to ACCEPT. Intended for
# debugging via "firewall clear".
# Globals:   none
# Arguments: none
# Outputs:   none
# Returns:   status of the last iptables call
#######################################
fw_clear () {
for tbl in filter nat mangle; do
/sbin/iptables -t "$tbl" -F
done
for chain in INPUT FORWARD OUTPUT; do
/sbin/iptables -P "$chain" ACCEPT
done
}
# Entry point: dispatch on the init-script action. "start" and "restart"
# are the same thing (tear down, then rebuild); an unknown action prints
# usage and exits 1.
action=$1
case "$action" in
start|restart)
printf '%s' "Starting firewall.."
fw_stop
fw_start
printf '%s\n' "done."
;;
stop)
printf '%s' "Stopping firewall.."
fw_stop
printf '%s\n' "done."
;;
clear)
printf '%s' "Clearing firewall rules.."
fw_clear
printf '%s\n' "done."
;;
*)
printf '%s\n' "Usage: $0 {start|stop|restart|clear}"
exit 1
;;
esac
exit 0
Komenda IFCONFIG zwraca:
bond0
inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
bond0:1
inet addr:10.10.4.254 Bcast:10.255.255.255 Mask:255.255.255.255
UP BROADCAST RUNNING MASTER MULTICAST MTU:1500 Metric:1
bond0:2 Link encap:Ethernet HWaddr 00:14:85:fb:84:f5
inet addr:10.10.10.254 Bcast:10.255.255.255 Mask:255.255.255.255
UP BROADCAST RUNNING MASTER MULTICAST MTU:1500 Metric:1
eth0
inet addr:92.12.221.212 Mask:255.255.255.248
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:90465714 errors:0 dropped:0 overruns:0 frame:0
TX packets:78865335 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
eth1
inet addr:81.17.121.67 Bcast: Mask:255.255.255.248
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
eth2
UP BROADCAST RUNNING SLAVE MULTICAST MTU:1500 Metric:1
RX packets:271344123 errors:0 dropped:0 overruns:0 frame:0
TX packets:241058379 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
eth3
UP BROADCAST RUNNING SLAVE MULTICAST MTU:1500 Metric:1
RX packets:53697061 errors:0 dropped:0 overruns:0 frame:0
TX packets:45544896 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:29815 errors:0 dropped:0 overruns:0 frame:0
TX packets:29815 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.55.55.1 P-t-P:10.55.55.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:180024 errors:0 dropped:0 overruns:0 frame:0
TX packets:171714 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
Komenda route -n zwraca:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
92.12.221.212 0.0.0.0 255.255.255.255 UH 0 0 0 eth0
10.55.55.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
92.12.221.208 0.0.0.0 255.255.255.248 U 0 0 0 eth0
81.17.121.64 0.0.0.0 255.255.255.248 U 0 0 0 eth1
10.10.4.0 0.0.0.0 255.255.255.0 U 0 0 0 bond0
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 bond0
10.55.55.0 10.55.55.2 255.255.255.0 UG 0 0 0 tun0
10.10.10.0 0.0.0.0 255.255.255.0 U 0 0 0 bond0
0.0.0.0 81.17.121.65 0.0.0.0 UG 0 0 0 eth1