Help polishing a script.
Hi listers, I have this iptables script that I use on a Debian 4 PC,
2.16.8-6, to share internet with an MS network.
The idea is that you give me a hand correcting imperfections and so on,
since some of it I wrote myself and some I took from tutorials; anyway,
what is worrying me is that if I run netstat -a -n from an MS client it
returns the following:
Proto  Local Address       Foreign Address      State
TCP    0.0.0.0:135         0.0.0.0:0            LISTENING    <-- this line worries me
TCP    0.0.0.0:445         0.0.0.0:0            LISTENING    <-- this one too
TCP    0.0.0.0:1110        0.0.0.0:0            LISTENING    <-- this one too
TCP    0.0.0.0:3260        0.0.0.0:0            LISTENING    <-- this one too
TCP    0.0.0.0:3261        0.0.0.0:0            LISTENING    <-- this one too
TCP    0.0.0.0:3389        0.0.0.0:0            LISTENING    <-- this one too
TCP    127.0.0.1:1026      0.0.0.0:0            LISTENING    <-- this one too
TCP    127.0.0.1:1918      127.0.0.1:1919       ESTABLISHED
TCP    127.0.0.1:1919      127.0.0.1:1918       ESTABLISHED
TCP    127.0.0.1:1920      127.0.0.1:1921       ESTABLISHED
TCP    127.0.0.1:1921      127.0.0.1:1920       ESTABLISHED
TCP    127.0.0.1:1932      127.0.0.1:1933       ESTABLISHED
TCP    127.0.0.1:1933      127.0.0.1:1932       ESTABLISHED
TCP    127.0.0.1:1934      127.0.0.1:1935       ESTABLISHED
TCP    127.0.0.1:1935      127.0.0.1:1934       ESTABLISHED
TCP    192.168.0.2:139     0.0.0.0:0            LISTENING    <-- this one too!
TCP    192.168.0.2:1072    81.177.31.144:443    CLOSE_WAIT
TCP    192.168.0.2:1930    192.168.0.1:22       ESTABLISHED
UDP    0.0.0.0:445         *:*
UDP    0.0.0.0:500         *:*
UDP    0.0.0.0:1025        *:*
UDP    0.0.0.0:1083        *:*
UDP    0.0.0.0:1084        *:*
UDP    0.0.0.0:1085        *:*
UDP    0.0.0.0:1086        *:*
UDP    0.0.0.0:1087        *:*
UDP    0.0.0.0:4500        *:*
UDP    127.0.0.1:123       *:*
UDP    127.0.0.1:1031      *:*
UDP    127.0.0.1:1900      *:*
UDP    192.168.0.2:123     *:*
UDP    192.168.0.2:137     *:*
UDP    192.168.0.2:138     *:*
UDP    192.168.0.2:1900    *:*
There are 3 Listening connections, which sounds to me like they are waiting
for someone to get in and play tricks with MS...
Anyway, the script is the following:
#!/bin/bash
# Home NAT router: ppp0 (PPPoE over eth0) towards the Internet, eth1 towards the 192.168.0.0/24 LAN.

/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE

# Flush everything and start from default-deny for traffic to/from the router itself
iptables -t filter -F
iptables -t filter -X
iptables -t filter -Z
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z
iptables -t filter -P INPUT DROP
iptables -t filter -P OUTPUT DROP
# FORWARD policy is ACCEPT: the per-port FORWARD ACCEPT rules below only take effect if this is changed to DROP
iptables -t filter -P FORWARD ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -P POSTROUTING ACCEPT

# Chain for bogus TCP: NEW connections that do not start with SYN, and private
# source addresses arriving on ppp0 (only packets jumped here with -p tcp are checked)
iptables -N bad_tcp_packets
iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
iptables -A bad_tcp_packets -i ppp0 -s 192.168.0.0/24 -j DROP
iptables -A bad_tcp_packets -i ppp0 -s 10.0.0.0/8 -j DROP
iptables -A bad_tcp_packets -i ppp0 -s 172.16.0.0/12 -j DROP

# Stateful shortcuts: accept replies to allowed connections, drop what conntrack cannot classify
iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -m state --state INVALID -j DROP
iptables -t filter -A OUTPUT -m state --state INVALID -j DROP
iptables -t filter -A FORWARD -m state --state INVALID -j DROP
# The nat table only sees the first packet of a connection, so these never match (harmless)
iptables -t nat -A PREROUTING -m state --state INVALID -j DROP
iptables -t nat -A POSTROUTING -m state --state INVALID -j DROP
iptables -t nat -A OUTPUT -m state --state INVALID -j DROP

# Masquerade the LAN behind the dynamic ppp0 address
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

# Kernel settings
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter   # overwritten to 1 by the rp_filter loop below
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
    echo 0 > "$f"
done
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
    echo 0 > "$f"
done
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
    echo 0 > "$f"
done
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > "$f"
done
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
    echo 0 > "$f"
done

# Drop TCP packets with impossible flag combinations (scans and malformed packets)
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A FORWARD -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A FORWARD -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -A FORWARD -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
iptables -A FORWARD -p tcp --tcp-flags ACK,URG URG -j DROP

# INPUT HP #
iptables -t filter -A INPUT -p tcp -j bad_tcp_packets
# ident: answer with a reset instead of a silent drop so remote mail/IRC servers do not wait on the timeout
iptables -t filter -A INPUT -i ppp0 -p tcp --sport 1024:65535 --dport 113 -j REJECT --reject-with tcp-reset
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A INPUT -i eth1 -p tcp --dport 53 -m state --state NEW -j ACCEPT #DNS
iptables -t filter -A INPUT -i eth1 -p udp --dport 53 -m state --state NEW -j ACCEPT #DNS
iptables -t filter -A INPUT -i eth1 -p udp -s 192.168.0.0/24 --dport 67 -j ACCEPT #DHCP
iptables -t filter -A INPUT -i eth1 -p udp -s 192.168.0.0/24 --dport 445 -j ACCEPT #Microsoft-DS SMB file sharing
iptables -t filter -A INPUT -i eth1 -p tcp -s 192.168.0.0/24 --dport 137:139 -j ACCEPT #NetBios
iptables -t filter -A INPUT -i eth1 -p udp -s 192.168.0.0/24 --dport 137:139 -j ACCEPT #NetBios
iptables -t filter -A INPUT -i ppp0 -p tcp --sport 1024:65535 --dport 22 -j DROP #DASSH
iptables -t filter -A INPUT -i eth1 -p tcp -s 192.168.0.2 --sport 1024:65535 --dport 22 -m state --state NEW -j ACCEPT #SSH
iptables -t filter -A INPUT -i eth1 -p tcp --sport 1024:65535 --dport 80 -m state --state NEW -j ACCEPT #www
iptables -t filter -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
iptables -t filter -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -t filter -A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
iptables -t filter -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -t filter -A INPUT -p icmp --icmp-type source-quench -j ACCEPT
iptables -t filter -A INPUT -i eth1 -p icmp -s 192.168.0.0/24 --icmp-type echo-request -m state --state NEW -j ACCEPT
iptables -t filter -A INPUT ! -p udp -d 224.0.0.0/4 -j DROP
iptables -t filter -A INPUT -p icmp --fragment -j DROP
iptables -t filter -A INPUT -i eth1 -d 0.0.0.0 -j DROP
# Log what is about to hit the DROP policy; kept last so accepted traffic is not logged as "died"
iptables -t filter -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "

# OUTPUT HP #
iptables -t filter -A OUTPUT -p tcp -j bad_tcp_packets
iptables -t filter -A OUTPUT -o lo -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT #www
iptables -t filter -A OUTPUT -o ppp0 -p udp --dport 53 -m state --state NEW -j ACCEPT #DNS
iptables -t filter -A OUTPUT -o ppp0 -p tcp --dport 53 -m state --state NEW -j ACCEPT #DNS
iptables -t filter -A OUTPUT -o eth1 -p udp --sport 67 -j ACCEPT #DHCP
iptables -t filter -A OUTPUT -o eth1 -p tcp -s 192.168.0.0/24 --dport 137:139 -m state --state NEW -j ACCEPT #NetBios
iptables -t filter -A OUTPUT -o eth1 -p udp -s 192.168.0.0/24 --dport 137:139 -m state --state NEW -j ACCEPT #NetBios
iptables -t filter -A OUTPUT -p icmp --icmp-type source-quench -j ACCEPT
iptables -t filter -A OUTPUT -p icmp --icmp-type parameter-problem -j ACCEPT
iptables -t filter -A OUTPUT -o ppp0 -p icmp --icmp-type destination-unreachable -d 192.168.0.0/24 -j ACCEPT
# fragmentation-needed must be accepted before the generic destination-unreachable DROP or path MTU discovery breaks
iptables -t filter -A OUTPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
iptables -t filter -A OUTPUT -p icmp --icmp-type destination-unreachable -j DROP
iptables -t filter -A OUTPUT -p icmp --fragment -j DROP
iptables -t filter -A OUTPUT -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
# Log what is about to hit the DROP policy; kept last for the same reason as in INPUT
iptables -t filter -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

# FORWARD LAN #
iptables -t filter -A FORWARD -d 255.255.255.255 -j DROP
# anti-spoofing: only LAN source addresses may leave through ppp0
iptables -t filter -A FORWARD -i eth1 -o ppp0 ! -s 192.168.0.0/24 -j DROP
iptables -t filter -A FORWARD -i eth1 -p tcp --sport 1024:65535 --dport 20 -m state --state NEW -j ACCEPT #ftp-data
iptables -t filter -A FORWARD -i eth1 -p tcp --sport 1024:65535 --dport 21 -m state --state NEW -j ACCEPT #ftp-control
iptables -t filter -A FORWARD -i eth1 -p tcp --sport 1024:65535 --dport 25 -m state --state NEW -j ACCEPT #smtp
iptables -t filter -A FORWARD -i eth1 -p udp --sport 1024:65535 --dport 25 -m state --state NEW -j ACCEPT #smtp (SMTP is TCP only; this rule never matches)
iptables -t filter -A FORWARD -i eth1 -p tcp --sport 1024:65535 --dport 80 -m state --state NEW -j ACCEPT #www
iptables -t filter -A FORWARD -i eth1 -p tcp --sport 1024:65535 --dport 110 -m state --state NEW -j ACCEPT #pop
iptables -t filter -A FORWARD -i eth1 -p tcp --sport 1024:65535 -s 192.168.0.0/24 --dport 137:139 -m state --state NEW -j ACCEPT #NetBios
iptables -t filter -A FORWARD -i eth1 -p udp --sport 1024:65535 -s 192.168.0.0/24 --dport 137:139 -m state --state NEW -j ACCEPT #NetBios
iptables -t filter -A FORWARD -i eth1 -p tcp --sport 1024:65535 --dport 143 -m state --state NEW -j ACCEPT #imap
iptables -t filter -A FORWARD -i eth1 -p udp --sport 1024:65535 --dport 143 -m state --state NEW -j ACCEPT #imap (IMAP is TCP only; this rule never matches)
iptables -t filter -A FORWARD -i eth1 -p tcp --sport 1024:65535 --dport 443 -m state --state NEW -j ACCEPT #https
iptables -t filter -A FORWARD -i eth1 -p tcp -s 192.168.0.0/24 --sport 1024:65535 --dport 445 -m state --state NEW -j ACCEPT #Microsoft-DS SMB file sharing
iptables -t filter -A FORWARD -i eth1 -p tcp --sport 1024:65535 --dport 465 -m state --state NEW -j ACCEPT #SMTP over SSL
iptables -t filter -A FORWARD -i eth1 -p tcp --sport 1024:65535 --dport 989 -m state --state NEW -j ACCEPT #FTP Protocol (data) over TLS/SSL
iptables -t filter -A FORWARD -i eth1 -p tcp --sport 1024:65535 --dport 990 -m state --state NEW -j ACCEPT #FTP Protocol (control) over TLS/SSL
iptables -t filter -A FORWARD -i eth1 -p tcp --sport 1024:65535 --dport 993 -m state --state NEW -j ACCEPT #IMAPS
iptables -t filter -A FORWARD -i eth1 -p tcp --sport 1024:65535 --dport 995 -m state --state NEW -j ACCEPT #POP3S
iptables -t filter -A FORWARD -o ppp0 -d 192.168.0.2 -p icmp --icmp-type destination-unreachable -j DROP
iptables -t filter -A FORWARD -o ppp0 -s 192.168.0.2 -p icmp --icmp-type time-exceeded -d 192.168.0.0/24 -j ACCEPT
iptables -t filter -A FORWARD -p icmp --icmp-type fragmentation-needed -j ACCEPT
iptables -t filter -A FORWARD -o ppp0 -p icmp --icmp-type destination-unreachable -d 192.168.0.0/24 -j ACCEPT
iptables -t filter -A FORWARD -p icmp --icmp-type parameter-problem -j ACCEPT
iptables -t filter -A FORWARD -p icmp --icmp-type source-quench -j ACCEPT
iptables -t filter -A FORWARD ! -p udp -d 224.0.0.0/4 -j DROP
# Clamp the MSS to the PPPoE path MTU so LAN hosts do not hang on large transfers
iptables -t filter -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -A FORWARD -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

# NAT #
# TEGNet
iptables -t nat -A PREROUTING -i ppp0 -p tcp --sport 1024:65535 --dport 5479 -j DNAT --to 192.168.0.2:5479
# BitTorrent
#iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport ? -j DNAT --to 192.168.0.2:?
# eMule's
iptables -t nat -A PREROUTING -i ppp0 -p tcp --sport 1024:65535 --dport 2000 -j DNAT --to 192.168.0.2:2000
iptables -t nat -A PREROUTING -i ppp0 -p udp --sport 1024:65535 --dport 2010 -j DNAT --to 192.168.0.2:2010
iptables -t nat -A PREROUTING -i ppp0 -p tcp --sport 1024:65535 --dport 3000 -j DNAT --to 192.168.0.3:3000
iptables -t nat -A PREROUTING -i ppp0 -p udp --sport 1024:65535 --dport 3010 -j DNAT --to 192.168.0.3:3010
iptables -t nat -A PREROUTING -i ppp0 -p tcp --sport 1024:65535 --dport 4000 -j DNAT --to 192.168.0.4:4000
iptables -t nat -A PREROUTING -i ppp0 -p udp --sport 1024:65535 --dport 4010 -j DNAT --to 192.168.0.4:4010
iptables -t nat -A PREROUTING -i ppp0 -p tcp --sport 1024:65535 --dport 5000 -j DNAT --to 192.168.0.5:5000
iptables -t nat -A PREROUTING -i ppp0 -p udp --sport 1024:65535 --dport 5010 -j DNAT --to 192.168.0.5:5010

# Privileged-port to privileged-port traffic is never legitimate client traffic
iptables -t filter -A FORWARD -p tcp --sport 0:1024 --dport 0:1024 -j DROP
iptables -t filter -A FORWARD -p udp --sport 0:1024 --dport 0:1024 -j DROP
Well, the default policy of the forward chain of the nat table is set to
drop because of connectivity problems with the p2p apps (low id, etc.).
I tried something with ipp2p, but I didn't get very far, I still have to
update iptables (1.3.6), anyway.
This Debian PC is connected with pppoeconf to the ADSL modem through
eth0 (ppp0), and eth1 goes to the LAN, that's all.
The idea is, as I said before, that you help me polish it, which lines to
remove/add etc., and also that anyone who needs a quick home router can
take it home.
Greetings to all, I hope I don't offend anyone with this mail.
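As an added example (not part of the original post): a POSIX shell script that triages a Windows "netstat -a -n" listing like the one quoted above. It separates the sockets that are only bound to 127.0.0.1 (not reachable from the LAN at all) from those bound to 0.0.0.0 or the LAN address, which are the ones that matter when a DNAT rule on the router points at that client. The SAMPLE text is a constructed copy of the listing from the post, not live output; the port-to-service names are the assumed meaning of those well-known ports, not something the post states.

```shell
#!/bin/sh
# Triage of a Windows "netstat -a -n" listing: which sockets are reachable from
# the network and which are loopback-only. Added example; SAMPLE is a
# constructed copy of the listing in the post, not live output.

SAMPLE='TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1110 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3260 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3261 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1026 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1918 127.0.0.1:1919 ESTABLISHED
TCP 127.0.0.1:1919 127.0.0.1:1918 ESTABLISHED
TCP 192.168.0.2:139 0.0.0.0:0 LISTENING
TCP 192.168.0.2:1072 81.177.31.144:443 CLOSE_WAIT
TCP 192.168.0.2:1930 192.168.0.1:22 ESTABLISHED
UDP 0.0.0.0:445 *:*
UDP 0.0.0.0:500 *:*
UDP 0.0.0.0:1025 *:*
UDP 0.0.0.0:1083 *:*
UDP 0.0.0.0:1084 *:*
UDP 0.0.0.0:1085 *:*
UDP 0.0.0.0:1086 *:*
UDP 0.0.0.0:1087 *:*
UDP 0.0.0.0:4500 *:*
UDP 127.0.0.1:123 *:*
UDP 127.0.0.1:1031 *:*
UDP 127.0.0.1:1900 *:*
UDP 192.168.0.2:123 *:*
UDP 192.168.0.2:137 *:*
UDP 192.168.0.2:138 *:*
UDP 192.168.0.2:1900 *:*'

# Assumed well-known service behind a port (the ones that matter on a Windows LAN client)
port_name() {
  case "$1" in
    123) echo "NTP" ;;
    135) echo "MS-RPC-endpoint-mapper" ;;
    137|138|139) echo "NetBIOS" ;;
    445) echo "SMB" ;;
    500|4500) echo "IKE/IPsec-NAT-T" ;;
    1900) echo "SSDP/UPnP" ;;
    3389) echo "RDP" ;;
    *) echo "unknown" ;;
  esac
}

# Reachability implied by the bind address
bind_scope() {
  case "$1" in
    127.*) echo "loopback-only" ;;
    0.0.0.0) echo "all-interfaces" ;;
    *) echo "one-interface" ;;
  esac
}

# One line per bound socket: "PROTO PORT SCOPE SERVICE". TCP counts only in
# LISTENING state; UDP sockets have no state, so every bound one counts.
listeners() {
  printf '%s\n' "$SAMPLE" | awk '
    ($1 == "TCP" && $4 == "LISTENING") || $1 == "UDP" {
      n = split($2, a, ":"); print $1, a[n], a[1]
    }' | while read -r proto port addr; do
    printf '%s %s %s %s\n' "$proto" "$port" "$(bind_scope "$addr")" "$(port_name "$port")"
  done
}

# Sockets a host on the LAN (or on the Internet, if a DNAT rule on the router
# points at this client) can actually talk to: everything not bound to loopback.
network_reachable() {
  listeners | awk '$3 != "loopback-only"'
}

count_network_reachable_tcp() {
  network_reachable | awk '$1 == "TCP"' | wc -l | tr -d ' '
}

count_loopback_only() {
  listeners | awk '$3 == "loopback-only"' | wc -l | tr -d ' '
}

echo "Network-reachable sockets on the client:"
network_reachable
```

Run it on a real listing by replacing SAMPLE with the pasted netstat output; the ESTABLISHED and CLOSE_WAIT lines are ignored because they are not listeners, and the 127.0.0.1 entries drop out of the network-reachable report since nothing outside the host can connect to them.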