Ayuda para pulir script.

To: DUS <debian-user-spanish@lists.debian.org>
Subject: Ayuda para pulir script.
From: Julián Esteban Perconti <vh1988@yahoo.com.ar>
Date: Tue, 01 Jul 2008 06:34:12 -0300
Message-id: <[🔎] 4869FA14.3020409@yahoo.com.ar>

Hola listeros, tengo este script de iptables que uso en una pc debian 4,2.16.8-6, para compartir inet a una red ms.La idea es que me me den una mano para corregir imperfecciones y demas..ya que algunas cosas las escribi yo y otras las saque de tutos, en fin..que me me esta preocupando es que si desde un cliente ms hago netstat -a-n me devuelve lo siguiente:


Proto  Dirección local        Dirección remota       Estado

TCP 0.0.0.0:135 0.0.0.0:0 LISTENING <-- estalinea me preocupaTCP 0.0.0.0:445 0.0.0.0:0 LISTENING <-- estatambien.TCP 0.0.0.0:1110 0.0.0.0:0 LISTENING <-- estatambien.TCP 0.0.0.0:3260 0.0.0.0:0 LISTENING <-- estatambien.TCP 0.0.0.0:3261 0.0.0.0:0 LISTENING <-- estatambien.TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING <-- estatambien.TCP 127.0.0.1:1026 0.0.0.0:0 LISTENING <-- estatambien.

TCP    127.0.0.1:1918         127.0.0.1:1919         ESTABLISHED
TCP    127.0.0.1:1919         127.0.0.1:1918         ESTABLISHED
TCP    127.0.0.1:1920         127.0.0.1:1921         ESTABLISHED
TCP    127.0.0.1:1921         127.0.0.1:1920         ESTABLISHED
TCP    127.0.0.1:1932         127.0.0.1:1933         ESTABLISHED
TCP    127.0.0.1:1933         127.0.0.1:1932         ESTABLISHED
TCP    127.0.0.1:1934         127.0.0.1:1935         ESTABLISHED
TCP    127.0.0.1:1935         127.0.0.1:1934         ESTABLISHED

TCP 192.168.0.2:139 0.0.0.0:0 LISTENING <-- estatambien!

TCP    192.168.0.2:1072       81.177.31.144:443      CLOSE_WAIT
TCP    192.168.0.2:1930       192.168.0.1:22         ESTABLISHED
UDP    0.0.0.0:445            *:*
UDP    0.0.0.0:500            *:*
UDP    0.0.0.0:1025           *:*
UDP    0.0.0.0:1083           *:*
UDP    0.0.0.0:1084           *:*
UDP    0.0.0.0:1085           *:*
UDP    0.0.0.0:1086           *:*
UDP    0.0.0.0:1087           *:*
UDP    0.0.0.0:4500           *:*
UDP    127.0.0.1:123          *:*
UDP    127.0.0.1:1031         *:*
UDP    127.0.0.1:1900         *:*
UDP    192.168.0.2:123        *:*
UDP    192.168.0.2:137        *:*
UDP    192.168.0.2:138        *:*
UDP    192.168.0.2:1900       *:*

Hay 3 conexiones Listening que me suena a que estan esperando a quealguien se meta para hacer malabares con ms...

y bueno el script es el siguiente:

#!/bin/bash

/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE

iptables -t filter -F
iptables -t filter -X
iptables -t filter -Z
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z
iptables -t filter -P INPUT DROP
iptables -t filter -P OUTPUT DROP
iptables -t filter -P FORWARD ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -P POSTROUTING ACCEPT

iptables -N bad_tcp_packets

iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG--log-prefix "New not syn:"

iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
iptables -A bad_tcp_packets -i ppp0 -s 192.168.0.0/24 -j DROP
iptables -A bad_tcp_packets -i ppp0 -s 10.0.0.0/8 -j DROP
iptables -A bad_tcp_packets -i ppp0 -s 172.16.0.0/12 -j DROP

iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -m state --state INVALID -j DROP
iptables -t filter -A OUTPUT -m state --state INVALID -j DROP
iptables -t filter -A FORWARD -m state --state INVALID -j DROP
iptables -t nat -A PREROUTING -m state --state INVALID -j DROP
iptables -t nat -A POSTROUTING -m state --state INVALID -j DROP
iptables -t nat -A OUTPUT -m state --state INVALID -j DROP

iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

echo 1 > /proc/sys/net/ipv4/ip_forward
echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
   echo 0 > $f
done
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
   echo 0 > $f
done
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
   echo 0 > $f
done
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
   echo 1 > $f
done
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
   echo 0 > $f
done

iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A FORWARD -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A FORWARD -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -A FORWARD -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
iptables -A FORWARD -p tcp --tcp-flags ACK,URG URG -j DROP

# INPUT HP #

iptables -t filter -A INPUT -p tcp -j bad_tcp_packets

iptables -t filter -A INPUT -i ppp0 -p tcp --sport 1024:65535 --dport113 -j REJECT --reject-with tcp-reset

iptables -t filter -A INPUT -i lo -j ACCEPT

iptables -t filter -A INPUT -i eth1 -p tcp --dport 53 -m state --stateNEW -j ACCEPT #DNSiptables -t filter -A INPUT -i eth1 -p udp --dport 53 -m state --stateNEW -j ACCEPT #DNSiptables -t filter -A INPUT -i eth1 -p udp -s 192.168.0.0/24 --dport 67-j ACCEPT #DHCPiptables -t filter -A INPUT -i eth1 -p udp -s 192.168.0.0/24 --dport 445-j ACCEPT #Microsoft-DS SMB file sharingiptables -t filter -A INPUT -i eth1 -p tcp -s 192.168.0.0/24 --dport137:139 -j ACCEPT #NetBiosiptables -t filter -A INPUT -i eth1 -p udp -s 192.168.0.0/24 --dport137:139 -j ACCEPT #NetBiosiptables -t filter -A INPUT -i ppp0 -p tcp -s 0.0.0.0/0.0.0.0 --sport1024:65535 --dport 22 -j DROP #DASSHiptables -t filter -A INPUT -i eth1 -p tcp -s 192.168.0.2 --sport1024:65535 --dport 22 -m state --state NEW -j ACCEPT #SSHiptables -t filter -A INPUT -m limit --limit 3/minute --limit-burst 3 -jLOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "iptables -t filter -A INPUT -i eth1 -p tcp --sport 1024:65535 --dport 80-m state --state NEW -j ACCEPT #www

iptables -t filter -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT

iptables -t filter -A INPUT -p icmp --icmp-type destination-unreachable-j ACCEPTiptables -t filter -A INPUT -p icmp --icmp-type fragmentation-needed -jACCEPT

iptables -t filter -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -t filter -A INPUT -p icmp --icmp-type source-quench  -j ACCEPT

iptables -t filter -A INPUT -i eth1 -p icmp -s 192.168.0.0/24--icmp-type echo-request -m state --state NEW -j ACCEPT

iptables -t filter -A INPUT  -p ! udp -d 224.0.0.0/4 -j DROP
iptables -t filter -A INPUT -p icmp --fragment -j DROP
iptables -t filter -A INPUT -i eth1 -d 0.0.0.0  -j DROP

# OUTPUT HP #

iptables -A OUTPUT -p tcp -j bad_tcp_packets
iptables -t filter -A OUTPUT -o lo -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT #www

iptables -t filter -A OUTPUT -o ppp0 -p udp --dport 53 -m state --stateNEW -j ACCEPTiptables -t filter -A OUTPUT -o ppp0 -p tcp --dport 53 -m state --stateNEW -j ACCEPT

iptables -t filter -A OUTPUT -o eth1 -p udp --sport 67 -j ACCEPT #DHCP

iptables -t filter -A OUTPUT -o eth1 -p tcp -s 192.168.0.0/24 --dport137:139 -m state --state NEW -j ACCEPT #NetBiosiptables -t filter -A OUTPUT -o eth1 -p udp -s 192.168.0.0/24 --dport137:139 -m state --state NEW -j ACCEPT #NetBiosiptables -t filter -AOUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-levelDEBUG --log-prefix "IPT OUTPUT packet died: "

iptables -t filter -A OUTPUT -p icmp --icmp-type source-quench -j ACCEPT
iptables -t filter -A OUTPUT -p icmp --icmp-type parameter-problem -j ACCEPT

iptables -t filter -A OUTPUT -o ppp0 -p icmp --icmp-typedestination-unreachable -d 192.168.0.0/24 -j ACCEPTiptables -t filter -A OUTPUT -p icmp --icmp-type fragmentation-needed -jACCEPTiptables -t filter -A OUTPUT -p icmp --icmp-type destination-unreachable-j DROP

iptables -t filter -A OUTPUT -p icmp --fragment -j DROP

iptables -t filter -A OUTPUT -p icmp --icmp-type echo-request -m state--state NEW -j ACCEPT


# FORWARD LAN #

iptables -t filter -A FORWARD -d 255.255.255.255 -j DROP
iptables -t filter -A FORWARD -i eth1 -o ppp0 -s ! 192.168.0.0/24 -j DROP

iptables -t filter -A FORWARD -i eth1 -p tcp --sport 1024:65535 --dport20 -m state --state NEW -j ACCEPT #ftp-controliptables -t filter -A FORWARD -i eth1 -p tcp --sport 1024:65535 --dport21 -m state --state NEW -j ACCEPT #ftp-dataiptables -t filter -A FORWARD -i eth1 -p tcp --sport 1024:65535 --dport25 -m state --state NEW -j ACCEPT #smtpiptables -t filter -A FORWARD -i eth1 -p udp --sport 1024:65535 --dport25 -m state --state NEW -j ACCEPT #smtpiptables -t filter -A FORWARD -i eth1 -p tcp --sport 1024:65535 --dport80 -m state --state NEW -j ACCEPT #wwwiptables -t filter -A FORWARD -i eth1 -p tcp --sport 1024:65535 --dport110 -m state --state NEW -j ACCEPT #popiptables -t filter -A FORWARD -i eth1 -p tcp --sport 1024:65535 -s192.168.0.0/24 --dport 137:139 -m state --state NEW -j ACCEPT #NetBiosiptables -t filter -A FORWARD -i eth1 -p udp --sport 1024:65535 -s192.168.0.0/24 --dport 137:139 -m state --state NEW -j ACCEPT #NetBiosiptables -t filter -A FORWARD -i eth1 -p tcp --sport 1024:65535 --dport143 -m state --state NEW -j ACCEPT #imapiptables -t filter -A FORWARD -i eth1 -p udp --sport 1024:65535 --dport143 -m state --state NEW -j ACCEPT #imapiptables -t filter -A FORWARD -i eth1 -p tcp --sport 1024:65535 --dport443 -m state --state NEW -j ACCEPT #httpsiptables -t filter -A FORWARD -i eth1 -p tcp -s 192.168.0.0/24 --sport1024:65535 --dport 445 -m state --state NEW -j ACCEPT #Microsoft-DS SMBfile sharingiptables -t filter -A FORWARD -i eth1 -p tcp --sport 1024:65535 --dport465 -m state --state NEW -j ACCEPT #SMTP over SSLiptables -t filter -A FORWARD -i eth1 -p tcp --sport 1024:65535 --dport989 -m state --state NEW -j ACCEPT #FTP Protocol (data) over TLS/SSLiptables -t filter -A FORWARD -i eth1 -p tcp --sport 1024:65535 --dport990 -m state --state NEW -j ACCEPT #FTP Protocol (control) over TLS/SSLiptables -t filter -A FORWARD -i eth1 -p tcp --sport 1024:65535 --dport993 -m state --state NEW -j ACCEPT #IMAPSiptables -t filter -A FORWARD -i eth1 -p tcp --sport 1024:65535 --dport995 -m state --state NEW -j ACCEPT #POP3Siptables -t filter -A FORWARD -o ppp0 -d 192.168.0.2 -p icmp --icmp-typedestination-unreachable -j DROPiptables -t filter -A FORWARD -o ppp0 -s 192.168.0.2 -p icmp --icmp-typetime-exceeded -d 192.168.0.0/24 -j ACCEPTiptables -t filter -A FORWARD -p icmp --icmp-type fragmentation-needed-j ACCEPTiptables -t filter -A FORWARD -o ppp0 -p icmp --icmp-typedestination-unreachable -d 192.168.0.0/24 -j ACCEPTiptables -t filter -A FORWARD -p icmp --icmp-type parameter-problem -jACCEPT

iptables -t filter -A FORWARD -p icmp --icmp-type source-quench -j ACCEPT
iptables -t filter -A FORWARD -p ! udp -d 224.0.0.0/4 -j DROP

iptables -t filter -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS--clamp-mss-to-pmtu

iptables -A FORWARD -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

# NAT #

# TEGNet

iptables -t nat -A PREROUTING -i ppp0 -p tcp --sport 1024:65535 --dport5479 -j DNAT --to 192.168.0.2:5479


# BitTorrent

#iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport ? -j DNAT --to192.168.0.2:?


# eMule's

iptables -t nat -A PREROUTING -i ppp0 -p tcp --sport 1024:65535 --dport2000 -j DNAT --to 192.168.0.2:2000iptables -t nat -A PREROUTING -i ppp0 -p udp --sport 1024:65535 --dport2010 -j DNAT --to 192.168.0.2:2010iptables -t nat -A PREROUTING -i ppp0 -p tcp --sport 1024:65535 --dport3000 -j DNAT --to 192.168.0.3:3000iptables -t nat -A PREROUTING -i ppp0 -p udp --sport 1024:65535 --dport3010 -j DNAT --to 192.168.0.3:3010iptables -t nat -A PREROUTING -i ppp0 -p tcp --sport 1024:65535 --dport4000 -j DNAT --to 192.168.0.4:4000iptables -t nat -A PREROUTING -i ppp0 -p udp --sport 1024:65535 --dport4010 -j DNAT --to 192.168.0.4:4010iptables -t nat -A PREROUTING -i ppp0 -p tcp --sport 1024:65535 --dport5000 -j DNAT --to 192.168.0.5:5000iptables -t nat -A PREROUTING -i ppp0 -p udp --sport 1024:65535 --dport5010 -j DNAT --to 192.168.0.5:5010


iptables -t filter -A FORWARD -p tcp --sport 0:1024 --dport 0:1024 -j DROP
iptables -t filter -A FORWARD -p udp --sport 0:1024 --dport 0:1024 -j DROP

Bueno, la politica por defecto de la cadena forward de la tabla nat estaen drop por problemas de conectividad con los p2p, (id baja, etc)intente algo con ipp2p, pero no llege muy lejos ya tengo que actualizariptables. (1.3.6), bueno.Esta PC debian esta conectada con pppoeconf al modem adsl por medio deeth0 (ppp0) y eth1 a la lan, eso es todo.La idea es como ya dije antes, si pueden ayudarme a pulir.., que lineasquitar/agregar etc.. y tambien que cualquiera que necesite un routercasero rapido, se lo lleve a casa.

Saludos para todos, espero no ofender a nadie con el mail.

Reply to:

Prev by Date: Re: Control de Tráfico en Linux - Traffic Shapping
Next by Date: Re: Control de Tráfico en Linux - Traffic Shapping
Previous by thread: Re: Control de Tráfico en Linux - Traffic Shapping
Next by thread: Re: Problema con la creación de un paquete...
Index(es):
- Date
- Thread