Linux как Firewall в локальной сети Centos 6

Решил перетащить офис на firewall IPtables. Написал правила может быть кому то пригодиться.  Коротко eth0 смотрит наружу, eth1 внутрь сети. На сервере установлены следующие службы:

1. VPN сервер
2. OpenVPN настроен в качестве net-to-net
3. MySQL сервер, следить за трафиком

Собственно сами правила:

# Generated by iptables-save v1.4.7 on Wed May 23 11:14:29 2012
*nat
:PREROUTING ACCEPT [3:237]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [1:172]
-A PREROUTING -d внешний IP/32 -p tcp -m tcp —dport 33899 -j DNAT —to-destination 192.168.1.204:3389
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
# Completed on Wed May 23 11:14:29 2012
# Generated by iptables-save v1.4.7 on Wed May 23 11:14:29 2012
*mangle
:PREROUTING ACCEPT [15:1039]
:INPUT ACCEPT [15:1039]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [6:728]
:POSTROUTING ACCEPT [6:728]
COMMIT
# Completed on Wed May 23 11:14:29 2012
# Generated by iptables-save v1.4.7 on Wed May 23 11:14:29 2012
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [6:728]
:SMB — [0:0]
-A INPUT -p udp -m udp —dport 1701 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state —state INVALID -j DROP
-A INPUT -p tcp -m tcp —tcp-flags SYN,ACK SYN,ACK -m state —state NEW -j REJECT —reject-with tcp-reset
-A INPUT -p tcp -m tcp ! —tcp-flags FIN,SYN,RST,ACK SYN -m state —state NEW -j DROP
-A INPUT -m state —state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p gre -m state —state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp —dport 6000:6063 —tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A INPUT -p tcp -m state —state NEW -m tcp —dport 22267 -j ACCEPT
-A INPUT -j SMB
-A INPUT -i eth0 -p gre -j ACCEPT
-A INPUT -i eth1 -p gre -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp —dport 1723 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp —dport 1723 -j ACCEPT
-A INPUT -p tcp -j ULOG —ulog-cprange 100
-A INPUT -i eth0 -p tcp -m tcp —dport 80 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp —dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp —dport 443 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp —dport 443 -j ACCEPT
-A INPUT -p udp -m udp —dport 1194 -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A FORWARD -m state —state INVALID -j DROP
-A FORWARD -m state —state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state —state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.1.204/32 -i eth0 -o eth1 -p tcp -m tcp —dport 3389 -j ACCEPT
-A FORWARD -i ppp+ -o eth0 -j ACCEPT
-A FORWARD -i ppp+ -o eth1 -j ACCEPT
-A FORWARD -i eth0 -o ppp+ -j ACCEPT
-A FORWARD -i eth1 -o ppp+ -j ACCEPT
-A FORWARD -p tcp -j ULOG —ulog-cprange 100
-A FORWARD -i tun+ -o eth0 -j ACCEPT
-A FORWARD -i tun+ -o eth1 -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -i tun+ -o eth1 -j ACCEPT
-A FORWARD -i eth1 -o tun+ -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -o tun+ -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp —dport 21 -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp —dport 25 -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp —dport 80 -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp —dport 443 -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp —dport 110 -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp —dport 465 -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp —dport 995 -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp —dport 123 -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp —dport 993 -j ACCEPT
-A FORWARD -s 192.168.1.204/32 -i eth1 -m mac —mac-source 64:31:50:37:FC:E1 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp —dport 1723 -j ACCEPT
-A OUTPUT -o eth0 -p gre -j ACCEPT
-A OUTPUT -o eth1 -p tcp -m tcp —dport 1723 -j ACCEPT
-A OUTPUT -o eth1 -p gre -j ACCEPT
-A OUTPUT -j SMB
-A OUTPUT -p tcp -j ULOG —ulog-cprange 100
-A OUTPUT -o tun+ -j ACCEPT
-A SMB -s 192.168.0.0/23 -p tcp -m tcp -m multiport —dports 137,138,139,445 -j ACCEPT
-A SMB -s 192.168.0.0/23 -p udp -m udp -m multiport —dports 137,138,139,445 -j ACCEPT
-A SMB -s 192.168.0.0/23 -p tcp -m tcp -m multiport —sports 137,138,139,445 -j ACCEPT
-A SMB -s 192.168.0.0/23 -p udp -m udp -m multiport —sports 137,138,139,445 -j ACCEPT
-A SMB -p tcp -m tcp -m multiport —dports 137,138,139,445 -j REJECT —reject-with icmp-port-unreachable
-A SMB -p udp -m udp -m multiport —dports 137,138,139,445 -j REJECT —reject-with icmp-port-unreachable
-A SMB -p tcp -m tcp -m multiport —sports 137,138,139,445 -j REJECT —reject-with icmp-port-unreachable
-A SMB -p udp -m udp -m multiport —sports 137,138,139,445 -j REJECT —reject-with icmp-port-unreachable
COMMIT
# Completed on Wed May 23 11:14:29 2012

По поводу настройки служб расскажу позже.

И не забываем про:

• net.ipv4.ip_forward = 1
• и подгружать модули необходимые.

Поделиться ссылкой: