Conversation
precedente ou
suivante
Configuration Woody en passerelle
Envoyé par:
pop3
Salut, je veux configurer ma woody en passerelle sur un reseau
J'ai compris qu'il falait configurer IPtables de maniere a ce que ma debian joue le role de Firewall et de passerelle
Si quelqu'un pouvais me donner quelque indication sur les differentes option de IPtables, pour la passerelle, de meme que les differentes regles pour le firewall
Merci
J'ai compris qu'il falait configurer IPtables de maniere a ce que ma debian joue le role de Firewall et de passerelle
Si quelqu'un pouvais me donner quelque indication sur les differentes option de IPtables, pour la passerelle, de meme que les differentes regles pour le firewall
Merci
Poste le Saturday 25 October 2003 12:08:29
Re: Configuration Woody en passerelle
Envoyé par:
Padock
Je n'ai pas fait la manip...mais j'avais gardé cette adresse d'un didactel...si ça peut t'aider.
[trustonme.net]
[trustonme.net]
Poste le Saturday 25 October 2003 14:20:07
Re: Configuration Woody en passerelle
Envoyé par:
Nrv
Exemple de script (fait par ridben de [HFR], merci à lui) :
# !/bin/sh
# Chargement des modules
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc ports=6661,6662,6663,6664,6665,6666,6667,6668
modprobe ip_nat_irc ports=6661,6662,6663,6664,6665,6666,6667,6668
modprobe ipt_multiport
LAN="eth0"
NET="ppp+"
IPXP="192.168.1.33"
echo 1 > /proc/sys/net/ipv4/conf/all/forwarding
# Vidage des chaines
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
# Par défaut on drop tout
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
############################################
# CHAINES SPECIALES
############################################
# Configuration de Icmp - On autorise les pings
iptables -N ALLOW_ICMP
iptables -F ALLOW_ICMP
iptables -A ALLOW_ICMP -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A ALLOW_ICMP -p icmp --icmp-type echo-request -j ACCEPT
iptables -A ALLOW_ICMP -p icmp --icmp-type time-exceeded -j ACCEPT
# Paquets à jeter et logguer
iptables -N LOG_DROP
iptables -A LOG_DROP -j LOG --log-prefix '[IPTABLES DROP] : '
iptables -A LOG_DROP -j DROP
############################################
# RESEAU LOCAL
############################################
# On accepte le réseau local:
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
############################################
# FIREWALL-LAN
############################################
# On permet toutes les liaisons firewall-LAN
iptables -A INPUT -i $LAN -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $LAN -m state --state NEW,ESTABLISHED -j ACCEPT
# on permet toutes les liaisons LAN-firewall
iptables -A INPUT -i $LAN -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $LAN -m state --state ESTABLISHED -j ACCEPT
# On accepte de pinguer et d'etre pingué
iptables -A INPUT -p icmp -j ALLOW_ICMP
iptables -A OUTPUT -p icmp -j ALLOW_ICMP
############################################
# FIREWALL
############################################
# Resolution DNS pour le firewall
iptables -A INPUT -i $NET -p udp --sport 53 -j ACCEPT
iptables -A OUTPUT -o $NET -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i $NET -p tcp --sport 53 -j ACCEPT
iptables -A OUTPUT -o $NET -p tcp --dport 53 -j ACCEPT
# connexions Firewall-Internet (http/https)
iptables -A OUTPUT -p tcp --dport 80 -o $NET -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -o $NET -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --sport 80 -i $NET -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --sport 443 -i $NET -m state --state ESTABLISHED,RELATED -j ACCEPT
# connexions Firewall-Internet (ftp)
iptables -A INPUT -i $NET -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $NET -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i $NET -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $NET -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i $NET -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $NET -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
# connexions Firewall-Internet (pop)
iptables -A OUTPUT -p tcp --dport 110 -o $NET -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --sport 110 -i $NET -m state --state ESTABLISHED,RELATED -j ACCEPT
# connexions Firewall-Internet (imaps)
iptables -A OUTPUT -p tcp --dport 993 -o $NET -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --sport 993 -i $NET -m state --state ESTABLISHED,RELATED -j ACCEPT
# connexions Firewall-Internet (smtp)
iptables -A OUTPUT -p tcp --dport 25 -o $NET -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --sport 25 -i $NET -m state --state ESTABLISHED,RELATED -j ACCEPT
# connexions Firewall-Internet (nntp)
iptables -A OUTPUT -p tcp --dport 119 -o $NET -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --sport 119 -i $NET -m state --state ESTABLISHED,RELATED -j ACCEPT
############################################
# LAN-INTERNET
############################################
iptables -t nat -A POSTROUTING -o $NET -j MASQUERADE
# Resolution DNS pour les machines du LAN
iptables -A FORWARD -i $NET -o $LAN -p udp --sport 53 -j ACCEPT
iptables -A FORWARD -i $LAN -o $NET -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -i $NET -o $LAN -p tcp --sport 53 -j ACCEPT
iptables -A FORWARD -i $LAN -o $NET -p tcp --dport 53 -j ACCEPT
# connexions LAN-Internet (http/https)
iptables -A FORWARD -p tcp --dport 80 -i $LAN -o $NET -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp --dport 443 -i $LAN -o $NET -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp --sport 80 -i $NET -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp --sport 443 -i $NET -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
# acces au serveur Icq depuis LAN
iptables -A FORWARD -i $LAN -o $NET -p tcp --dport 5190 -j ACCEPT
iptables -A FORWARD -i $NET -o $LAN -p tcp --sport 5190 -j ACCEPT
iptables -t nat -A PREROUTING -p udp --dport 5190 -i $NET -j DNAT --to $IPXP:5190
iptables -t nat -A PREROUTING -p tcp --dport 5190 -i $NET -j DNAT --to $IPXP:5190
# connexions Lan-Internet (pop)
iptables -A FORWARD -p tcp --dport 110 -i $LAN -o $NET -j ACCEPT
iptables -A FORWARD -p tcp --sport 110 -i $NET -o $LAN -j ACCEPT
# connexions Lan-Internet (imaps)
iptables -A FORWARD -p tcp --dport 993 -i $LAN -o $NET -j ACCEPT
iptables -A FORWARD -p tcp --sport 993 -i $NET -o $LAN -j ACCEPT
# connexions Lan-Internet (smtp)
iptables -A FORWARD -p tcp --dport 25 -i $LAN -o $NET -j ACCEPT
iptables -A FORWARD -p tcp --sport 25 -i $NET -o $LAN -j ACCEPT
# connexions Lan-Internet (nntp)
iptables -A FORWARD -p tcp --dport 119 -i $LAN -o $NET -j ACCEPT
iptables -A FORWARD -p tcp --sport 119 -i $NET -o $LAN -j ACCEPT
# On accepte que emule passe :-) -- A fixer
iptables -t nat -A PREROUTING -i $NET -p tcp --dport 8000 -j DNAT --to $IPXP:8000
iptables -t nat -A PREROUTING -i $NET -p udp --dport 8090 -j DNAT --to $IPXP:8090
iptables -A FORWARD -i $LAN -o $NET -p tcp --dport 4661 -j ACCEPT
iptables -A FORWARD -i $LAN -o $NET -p tcp --dport 4242 -j ACCEPT
iptables -A FORWARD -i $LAN -o $NET -p tcp --dport 4662 -j ACCEPT
iptables -A FORWARD -i $LAN -o $NET -p tcp --sport 8000 -j ACCEPT
iptables -A FORWARD -i $NET -o $LAN -p tcp --dport 8000 -j ACCEPT
iptables -A FORWARD -i $LAN -o $NET -p tcp --sport 8090 -j ACCEPT
iptables -A FORWARD -i $NET -o $LAN -p tcp --dport 8090 -j ACCEPT
iptables -A FORWARD -i $NET -o $LAN -p tcp --sport 4661 -j ACCEPT
iptables -A FORWARD -i $NET -o $LAN -p tcp --sport 4242 -j ACCEPT
# connexions Lan-Internet (ftp)
iptables -A FORWARD -i $NET -o $LAN -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -o $NET -i $LAN -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $NET -o $LAN -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -o $NET -i $LAN -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $NET -o $LAN -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -o $NET -i $LAN -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
# On accepte d'etre pingué et de pinguer
iptables -A FORWARD -p icmp -j ALLOW_ICMP
# On loggue les paquets qui ne passent pas
iptables -A FORWARD -j LOG_DROP
iptables -A INPUT -j LOG_DROP
iptables -A OUTPUT -j LOG_DROP
echo "Mise à jour des régles iptables de $NET <--> FIREWALL <--> $LAN";
Ca peut te donner un bon exemple d'approche.
++ Nrv
# !/bin/sh
# Chargement des modules
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc ports=6661,6662,6663,6664,6665,6666,6667,6668
modprobe ip_nat_irc ports=6661,6662,6663,6664,6665,6666,6667,6668
modprobe ipt_multiport
LAN="eth0"
NET="ppp+"
IPXP="192.168.1.33"
echo 1 > /proc/sys/net/ipv4/conf/all/forwarding
# Vidage des chaines
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
# Par défaut on drop tout
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
############################################
# CHAINES SPECIALES
############################################
# Configuration de Icmp - On autorise les pings
iptables -N ALLOW_ICMP
iptables -F ALLOW_ICMP
iptables -A ALLOW_ICMP -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A ALLOW_ICMP -p icmp --icmp-type echo-request -j ACCEPT
iptables -A ALLOW_ICMP -p icmp --icmp-type time-exceeded -j ACCEPT
# Paquets à jeter et logguer
iptables -N LOG_DROP
iptables -A LOG_DROP -j LOG --log-prefix '[IPTABLES DROP] : '
iptables -A LOG_DROP -j DROP
############################################
# RESEAU LOCAL
############################################
# On accepte le réseau local:
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
############################################
# FIREWALL-LAN
############################################
# On permet toutes les liaisons firewall-LAN
iptables -A INPUT -i $LAN -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $LAN -m state --state NEW,ESTABLISHED -j ACCEPT
# on permet toutes les liaisons LAN-firewall
iptables -A INPUT -i $LAN -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $LAN -m state --state ESTABLISHED -j ACCEPT
# On accepte de pinguer et d'etre pingué
iptables -A INPUT -p icmp -j ALLOW_ICMP
iptables -A OUTPUT -p icmp -j ALLOW_ICMP
############################################
# FIREWALL
############################################
# Resolution DNS pour le firewall
iptables -A INPUT -i $NET -p udp --sport 53 -j ACCEPT
iptables -A OUTPUT -o $NET -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i $NET -p tcp --sport 53 -j ACCEPT
iptables -A OUTPUT -o $NET -p tcp --dport 53 -j ACCEPT
# connexions Firewall-Internet (http/https)
iptables -A OUTPUT -p tcp --dport 80 -o $NET -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -o $NET -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --sport 80 -i $NET -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --sport 443 -i $NET -m state --state ESTABLISHED,RELATED -j ACCEPT
# connexions Firewall-Internet (ftp)
iptables -A INPUT -i $NET -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $NET -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i $NET -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $NET -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i $NET -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $NET -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
# connexions Firewall-Internet (pop)
iptables -A OUTPUT -p tcp --dport 110 -o $NET -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --sport 110 -i $NET -m state --state ESTABLISHED,RELATED -j ACCEPT
# connexions Firewall-Internet (imaps)
iptables -A OUTPUT -p tcp --dport 993 -o $NET -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --sport 993 -i $NET -m state --state ESTABLISHED,RELATED -j ACCEPT
# connexions Firewall-Internet (smtp)
iptables -A OUTPUT -p tcp --dport 25 -o $NET -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --sport 25 -i $NET -m state --state ESTABLISHED,RELATED -j ACCEPT
# connexions Firewall-Internet (nntp)
iptables -A OUTPUT -p tcp --dport 119 -o $NET -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --sport 119 -i $NET -m state --state ESTABLISHED,RELATED -j ACCEPT
############################################
# LAN-INTERNET
############################################
iptables -t nat -A POSTROUTING -o $NET -j MASQUERADE
# Resolution DNS pour les machines du LAN
iptables -A FORWARD -i $NET -o $LAN -p udp --sport 53 -j ACCEPT
iptables -A FORWARD -i $LAN -o $NET -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -i $NET -o $LAN -p tcp --sport 53 -j ACCEPT
iptables -A FORWARD -i $LAN -o $NET -p tcp --dport 53 -j ACCEPT
# connexions LAN-Internet (http/https)
iptables -A FORWARD -p tcp --dport 80 -i $LAN -o $NET -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp --dport 443 -i $LAN -o $NET -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp --sport 80 -i $NET -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp --sport 443 -i $NET -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
# acces au serveur Icq depuis LAN
iptables -A FORWARD -i $LAN -o $NET -p tcp --dport 5190 -j ACCEPT
iptables -A FORWARD -i $NET -o $LAN -p tcp --sport 5190 -j ACCEPT
iptables -t nat -A PREROUTING -p udp --dport 5190 -i $NET -j DNAT --to $IPXP:5190
iptables -t nat -A PREROUTING -p tcp --dport 5190 -i $NET -j DNAT --to $IPXP:5190
# connexions Lan-Internet (pop)
iptables -A FORWARD -p tcp --dport 110 -i $LAN -o $NET -j ACCEPT
iptables -A FORWARD -p tcp --sport 110 -i $NET -o $LAN -j ACCEPT
# connexions Lan-Internet (imaps)
iptables -A FORWARD -p tcp --dport 993 -i $LAN -o $NET -j ACCEPT
iptables -A FORWARD -p tcp --sport 993 -i $NET -o $LAN -j ACCEPT
# connexions Lan-Internet (smtp)
iptables -A FORWARD -p tcp --dport 25 -i $LAN -o $NET -j ACCEPT
iptables -A FORWARD -p tcp --sport 25 -i $NET -o $LAN -j ACCEPT
# connexions Lan-Internet (nntp)
iptables -A FORWARD -p tcp --dport 119 -i $LAN -o $NET -j ACCEPT
iptables -A FORWARD -p tcp --sport 119 -i $NET -o $LAN -j ACCEPT
# On accepte que emule passe :-) -- A fixer
iptables -t nat -A PREROUTING -i $NET -p tcp --dport 8000 -j DNAT --to $IPXP:8000
iptables -t nat -A PREROUTING -i $NET -p udp --dport 8090 -j DNAT --to $IPXP:8090
iptables -A FORWARD -i $LAN -o $NET -p tcp --dport 4661 -j ACCEPT
iptables -A FORWARD -i $LAN -o $NET -p tcp --dport 4242 -j ACCEPT
iptables -A FORWARD -i $LAN -o $NET -p tcp --dport 4662 -j ACCEPT
iptables -A FORWARD -i $LAN -o $NET -p tcp --sport 8000 -j ACCEPT
iptables -A FORWARD -i $NET -o $LAN -p tcp --dport 8000 -j ACCEPT
iptables -A FORWARD -i $LAN -o $NET -p tcp --sport 8090 -j ACCEPT
iptables -A FORWARD -i $NET -o $LAN -p tcp --dport 8090 -j ACCEPT
iptables -A FORWARD -i $NET -o $LAN -p tcp --sport 4661 -j ACCEPT
iptables -A FORWARD -i $NET -o $LAN -p tcp --sport 4242 -j ACCEPT
# connexions Lan-Internet (ftp)
iptables -A FORWARD -i $NET -o $LAN -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -o $NET -i $LAN -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $NET -o $LAN -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -o $NET -i $LAN -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $NET -o $LAN -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -o $NET -i $LAN -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
# On accepte d'etre pingué et de pinguer
iptables -A FORWARD -p icmp -j ALLOW_ICMP
# On loggue les paquets qui ne passent pas
iptables -A FORWARD -j LOG_DROP
iptables -A INPUT -j LOG_DROP
iptables -A OUTPUT -j LOG_DROP
echo "Mise à jour des régles iptables de $NET <--> FIREWALL <--> $LAN";
Ca peut te donner un bon exemple d'approche.
++ Nrv
Poste le Sunday 2 November 2003 17:33:41
Ce forum !
Configuration Woody en passerelle
Aide sur les distributions Debian, Ubuntu et leurs dérivées : Mepis, Mint, Knoppix, Kubuntu, Lubuntu, Xandros
Sauf mention contraire, les documentations publiées sont sous licence Creative-Commons