Linux as a Firewall on a Local Network: CentOS 6

I decided to move the office behind an iptables firewall. I wrote up the rules; maybe they will be useful to someone. In short, eth0 faces the outside, eth1 faces the internal network. The following services are installed on the server:

  1. VPN server
  2. OpenVPN configured as net-to-net
  3. MySQL server, for traffic monitoring

The rules themselves:

# Generated by iptables-save v1.4.7 on Wed May 23 11:14:29 2012
*nat
:PREROUTING ACCEPT [3:237]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [1:172]
-A PREROUTING -d <external IP>/32 -p tcp -m tcp --dport 33899 -j DNAT --to-destination 192.168.1.204:3389
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
# Completed on Wed May 23 11:14:29 2012
# Generated by iptables-save v1.4.7 on Wed May 23 11:14:29 2012
*mangle
:PREROUTING ACCEPT [15:1039]
:INPUT ACCEPT [15:1039]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [6:728]
:POSTROUTING ACCEPT [6:728]
COMMIT
# Completed on Wed May 23 11:14:29 2012
# Generated by iptables-save v1.4.7 on Wed May 23 11:14:29 2012
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [6:728]
:SMB - [0:0]
-A INPUT -p udp -m udp --dport 1701 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p gre -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 6000:6063 --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22267 -j ACCEPT
-A INPUT -j SMB
-A INPUT -i eth0 -p gre -j ACCEPT
-A INPUT -i eth1 -p gre -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 1723 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 1723 -j ACCEPT
-A INPUT -p tcp -j ULOG --ulog-cprange 100
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.1.204/32 -i eth0 -o eth1 -p tcp -m tcp --dport 3389 -j ACCEPT
-A FORWARD -i ppp+ -o eth0 -j ACCEPT
-A FORWARD -i ppp+ -o eth1 -j ACCEPT
-A FORWARD -i eth0 -o ppp+ -j ACCEPT
-A FORWARD -i eth1 -o ppp+ -j ACCEPT
-A FORWARD -p tcp -j ULOG --ulog-cprange 100
-A FORWARD -i tun+ -o eth0 -j ACCEPT
-A FORWARD -i tun+ -o eth1 -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -i tun+ -o eth1 -j ACCEPT
-A FORWARD -i eth1 -o tun+ -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -o tun+ -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 21 -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 110 -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 465 -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 995 -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 123 -j ACCEPT
-A FORWARD -i eth1 -p tcp -m tcp --dport 993 -j ACCEPT
-A FORWARD -s 192.168.1.204/32 -i eth1 -m mac --mac-source 64:31:50:37:FC:E1 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 1723 -j ACCEPT
-A OUTPUT -o eth0 -p gre -j ACCEPT
-A OUTPUT -o eth1 -p tcp -m tcp --dport 1723 -j ACCEPT
-A OUTPUT -o eth1 -p gre -j ACCEPT
-A OUTPUT -j SMB
-A OUTPUT -p tcp -j ULOG --ulog-cprange 100
-A OUTPUT -o tun+ -j ACCEPT
-A SMB -s 192.168.0.0/23 -p tcp -m tcp -m multiport --dports 137,138,139,445 -j ACCEPT
-A SMB -s 192.168.0.0/23 -p udp -m udp -m multiport --dports 137,138,139,445 -j ACCEPT
-A SMB -s 192.168.0.0/23 -p tcp -m tcp -m multiport --sports 137,138,139,445 -j ACCEPT
-A SMB -s 192.168.0.0/23 -p udp -m udp -m multiport --sports 137,138,139,445 -j ACCEPT
-A SMB -p tcp -m tcp -m multiport --dports 137,138,139,445 -j REJECT --reject-with icmp-port-unreachable
-A SMB -p udp -m udp -m multiport --dports 137,138,139,445 -j REJECT --reject-with icmp-port-unreachable
-A SMB -p tcp -m tcp -m multiport --sports 137,138,139,445 -j REJECT --reject-with icmp-port-unreachable
-A SMB -p udp -m udp -m multiport --sports 137,138,139,445 -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Wed May 23 11:14:29 2012
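A rule set this size accumulates rules that can never fire: in the dump above the eth0 GRE rule comes after the generic RELATED,ESTABLISHED accept, the tun+ rules after the unconditional `-A FORWARD -i tun+ -j ACCEPT` are dead, and several lines appear twice. The following lint is an added example and not part of the original post: it parses an iptables-save dump and, per chain, reports exact duplicates and rules fully shadowed by an earlier, broader rule with a terminating target; `SAMPLE` is a constructed excerpt of the rules above.

```python
import shlex
from collections import defaultdict

# Targets that end chain traversal; ULOG/LOG and jumps to user chains do not.
TERMINATING = {"ACCEPT", "DROP", "REJECT", "DNAT", "SNAT", "MASQUERADE"}

def parse_rule(line):
    """'-A CHAIN ...' line -> (chain, frozenset of (option, value), target)."""
    toks = shlex.split(line)
    if len(toks) < 2 or toks[0] != "-A":
        return None                 # not a rule line (*table, :chain, COMMIT, comment)
    matches, i = [], 2
    while i < len(toks) and toks[i] != "-j":
        neg = toks[i] == "!"        # '! --opt' negates the option that follows
        i += neg
        opt, vals, i = toks[i], [], i + 1
        while i < len(toks) and toks[i] not in ("!", "-j") and not toks[i].startswith("-"):
            vals.append(toks[i]); i += 1
        if opt != "-m":             # '-m ext' only loads a match module
            matches.append(("!" * neg + opt, " ".join(vals)))
    return toks[1], frozenset(matches), " ".join(toks[i + 1:])

def lint(dump):
    """Return [(kind, chain, rule)] with kind 'duplicate' or 'shadowed'."""
    findings, seen = [], defaultdict(list)      # chain -> [(matches, target)]
    for raw in map(str.strip, dump.splitlines()):
        parsed = parse_rule(raw)
        if parsed is None:
            continue
        chain, matches, target = parsed
        for earlier, tgt in seen[chain]:
            if earlier == matches and tgt == target:
                findings.append(("duplicate", chain, raw)); break
            # A broader earlier terminating rule already decides every packet this one could match.
            if earlier <= matches and tgt.partition(" ")[0] in TERMINATING:
                findings.append(("shadowed", chain, raw)); break
        seen[chain].append((matches, target))
    return findings

# Constructed sample drawn from the INPUT/FORWARD rules above (dashes repaired).
SAMPLE = """\
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p gre -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -j ULOG --ulog-cprange 100
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -i tun+ -o eth1 -j ACCEPT
"""
```

The port-80 rule after the ULOG line is deliberately not reported: ULOG logs and continues, so a later rule behind it still fires. Run `lint(open("/etc/sysconfig/iptables").read())` on the real file to check the full set.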

I will write about configuring the services later.

And don't forget:

  • net.ipv4.ip_forward = 1
  • and loading the required kernel modules.