Uz pomoc gore navedenih tutoriala sam nesto iskombinovao. Da li je scripta ispravna i dali ce gateway ovako raditi?(ovde jos nisam ubacio filtriranje nekih ip adresa).
Da li je masquerade za dinamicki dodeljene IP adrese ili ce raditi isa statickim?
Scripta:
#!/bin/bash
# ********************* Configuration variables ************************
# card which is connected to clients
Card1="eth1"
#card which is connected to internal network
Card2="eth0"
echo "Youre network configurations :"
echo " Card to clients :$Card1"
echo " Card to LAN: $Card2"
# *********************** testing for iptables *********************
# Modprobe iptables modules
echo "Probing modules :"
MODULES="ip_tables iptable_filter iptable_mangle iptable_nat ip_conntrack ipt_limit ipt_state ipt_LOG ipt_TCPMSS ipt_TOS"
echo "modprobe for $MODULES"
if [ -f /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_tables.o ]
then
/sbin/modprobe $MODULES
echo " passed"
else
echo " failed"
fi
# ********************** Firewall section ************************
echo "Firewall starting"
#rules apply to all interfaces
for interface in /proc/sys/net/ipv4/conf/*/rp_filter
do
echo 1> $interface
done
#allow any packets that come into localhost without any filtering
iptables -A INPUT -i lo -j ACCEPT
#**************************************************************
#Deny all inbound access that isn't in response to one of our outbound connections
#This throws away the packet without informing the sender -->> nothing can get in
iptables -P INPUT DROP
#No machines can connect to your machine with TCP
iptables -A INPUT -p tcp ! --syn -j ACCEPT
#This will allow any DNS servers to reply to you
iptables -A INPUT -p udp --source-port 53 -j ACCEPT
#**************IP addresses to be most restrictive
# iptables -A INPUT --source ****DNS.SVR1.IP.ADDR**** -p udp --source-port 53 -j ACCEPT
# iptables -A INPUT --source ****DNS.SVR2.IP.ADDR**** -p udp --source-port 53 -j ACCEPT
# iptables -A INPUT --source ****DNS.SVR1.IP.ADDR**** -p tcp --source-port 53 -j ACCEPT
# iptables -A INPUT --source ****DNS.SVR2.IP.ADDR**** -p tcp --source-port 53 -j ACCEPT
#If your machine needs to get an IP address from the network using BOOTP or DHCP
# iptables -A INPUT -p udp --destination-port 68 -j ACCEPT
#lock down allowed ICMP packets
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type source-quench -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
iptables -A INPUT -p icmp --icmp-type redirect -j ACCEPT
iptables -A INPUT -p icmp --icmp-type router-advertisement -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT #prevent your machine from being pinged
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
# ************************ gateway section ***********************
echo "Gateway starting .........."
echo 1 > /proc/sys/net/ipv4/ip_forward
# flushes all tables and chains on the machine.
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
# Set up IP FORWARDing and Masquerading
iptables --table nat --append POSTROUTING --out-interface $Card1 -j MASQUERADE
iptables --append FORWARD --in-interface $Card2 -j ACCEPT
# ********************** Logging *******************************
# Note: Enable this only at test period!!!!
iptables -A OUTPUT -j LOG
iptables -A FORWARD -j LOG
pozdrav.
Myrmidon