Пример скрипта для внесения правил iptables.

Настройка сетевого экрана для обеспечения безопасности сети предприятия.

nano /etc/iptables.sh

 

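#!/bin/sh
#
# /etc/iptables.sh - packet filter for a company gateway with two interfaces:
#   eth0 = Internet uplink (carries the public address in WAN_IP)
#   eth1 = company LAN (LAN_NET)
#
# The script rebuilds the complete rule set from scratch on every run and has
# to be executed as root (for example from rc.local at boot).
#
# Ordering is deliberate: the default policies are set to DROP *before* the
# old rules are flushed, and IP forwarding is enabled only after the FORWARD
# chain is populated, so the gateway never has a fail-open window while the
# rules are being rebuilt (on a fresh boot the built-in policy is ACCEPT).

# Abort on the first failing command. Because the DROP policies are already
# in place, a partially applied rule set fails closed rather than open.
set -eu

WAN_IF=eth0
LAN_IF=eth1
LAN_NET=192.168.0.0/24
WAN_IP=194.44.39.184       # public address on eth0 targeted by the DNAT rules
CITRIX_HOST=192.168.0.251  # internal Citrix server (HTTP + ICA 1494)
SSH_HOST=192.168.0.8       # internal host reachable over SSH via DNAT (1022 -> 22)

#
# Default policies first: drop everything that is not explicitly allowed.
#
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

#
# Flush old rules in every table and remove user-defined chains.
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

#
# Allow loopback traffic.
#
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

###########################################################################
# FORWARD: LAN -> Internet
###########################################################################

# Hosts that may reach the Internet without port restrictions. iptables
# applies the mask, so 192.168.0.1/28 is stored as 192.168.0.0/28 (.0-.15).
for src in 192.168.0.1/28 192.168.0.27 192.168.0.20; do
  iptables -A FORWARD -s "$src" -j ACCEPT
done

# Routing between the company LAN and the other company networks.
for net in 192.168.3.0/24 192.168.5.0/24; do
  iptables -A FORWARD -s "$LAN_NET" -d "$net" -j ACCEPT
  iptables -A FORWARD -s "$net" -d "$LAN_NET" -j ACCEPT
done

# The rest of the LAN may only open these TCP destination ports
# (SMTP/POP3/IMAP/HTTPS/submission plus site-specific application ports).
for port in 25 110 123 143 443 465 587 993 995 \
            4566 4567 5190 7000 8000 8014 15010 30583 30584; do
  iptables -A FORWARD -s "$LAN_NET" -p tcp --dport "$port" -j ACCEPT
done
# NTP uses UDP; 123/tcp above is kept from the original rule set.
iptables -A FORWARD -s "$LAN_NET" -p udp --dport 123 -j ACCEPT

# Replies and related connections, then log and drop everything else.
# NOTE(review): the LOG rules are not rate limited; a flood of rejected
# traffic fills syslog. `-m limit --limit 5/min` in front of the LOG target
# is the usual mitigation - add it if the log volume becomes a problem.
iptables -A FORWARD -s "$LAN_NET" -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s "$LAN_NET" -j LOG --log-prefix "eth1-eth0 " --log-level 7
iptables -A FORWARD -s "$LAN_NET" -j DROP

###########################################################################
# FORWARD: Internet -> LAN (only the DNAT targets from the nat table below)
###########################################################################

# Citrix: HTTP (80) and ICA (1494) to the Citrix server; SSH to one host.
iptables -A FORWARD -i "$WAN_IF" -d "$CITRIX_HOST" -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i "$WAN_IF" -d "$CITRIX_HOST" -p tcp --dport 1494 -j ACCEPT
iptables -A FORWARD -i "$WAN_IF" -d "$SSH_HOST" -p tcp --dport 22 -j ACCEPT

iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -j LOG --log-prefix "eth0-eth1 " --log-level 7
iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -j DROP

###########################################################################
# INPUT on eth1: services the gateway itself offers to the LAN
###########################################################################

# TCP: SSH, DNS, HTTP, portmapper (111), NFS (2049), Squid (3128),
# XMPP (5222), Webmin (10000) and site-specific ports. 745/747 and
# 4000-4003 are presumably statically pinned RPC services - confirm.
for port in 22 53 80 111 745 747 2049 3128 4000:4003 \
            5222 7777 9090 10000 32032 9998; do
  iptables -A INPUT -i "$LAN_IF" -p tcp --dport "$port" -j ACCEPT
done
# UDP: DNS, TFTP (69), portmapper, NFS and the same pinned ports.
for port in 53 69 111 745 747 2049 4000:4003 32032; do
  iptables -A INPUT -i "$LAN_IF" -p udp --dport "$port" -j ACCEPT
done

# ICMP from the LAN: destination-unreachable, echo-request, time-exceeded.
for type in 3 8 11; do
  iptables -A INPUT -i "$LAN_IF" -p icmp -m icmp --icmp-type "$type" -j ACCEPT
done
# Fragmented ICMP is never legitimate here; note this rule is not bound to an
# interface, so it applies to eth0 as well (kept from the original rule set).
iptables -A INPUT --fragment -p icmp -j DROP

iptables -A INPUT -i "$LAN_IF" -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i "$LAN_IF" -j LOG --log-prefix "eth1-in " --log-level 7
iptables -A INPUT -i "$LAN_IF" -j DROP

###########################################################################
# INPUT on eth0: services the gateway offers to the Internet
###########################################################################

# NOTE(review): portmapper (111), NFS (2049) and the pinned 745/747 and
# 4000-4003 ports are reachable from any Internet source here. RPC/NFS has
# no authentication beyond the client address, so if remote sites need them
# the rules should carry `-s <remote network>` (placeholder) rather than
# being open to the world; the same applies to the eth1 block if the LAN
# is not fully trusted.
#iptables -A INPUT -i "$WAN_IF" -p tcp --dport 80 -j ACCEPT
for port in 111 745 747 2049 4000:4003; do
  iptables -A INPUT -i "$WAN_IF" -p tcp --dport "$port" -j ACCEPT
  iptables -A INPUT -i "$WAN_IF" -p udp --dport "$port" -j ACCEPT
done

# ICMP from the Internet: echo-reply, destination-unreachable, echo-request,
# time-exceeded.
for type in 0 3 8 11; do
  iptables -A INPUT -i "$WAN_IF" -p icmp -m icmp --icmp-type "$type" -j ACCEPT
done

iptables -A INPUT -i "$WAN_IF" -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i "$WAN_IF" -j LOG --log-prefix "eth0-in " --log-level 7
iptables -A INPUT -i "$WAN_IF" -j DROP

###########################################################################
# OUTPUT (policy is ACCEPT; only fragmented ICMP is refused)
###########################################################################

iptables -A OUTPUT -o "$WAN_IF" -p icmp -j ACCEPT
iptables -A OUTPUT -o "$LAN_IF" -p icmp -j ACCEPT
iptables -A OUTPUT --fragment -p icmp -j DROP

###########################################################################
# NAT
###########################################################################

# Port forwarding from the public address to internal hosts. Each DNAT has a
# matching ACCEPT in the Internet -> LAN FORWARD section above.
iptables -t nat -A PREROUTING -p tcp -d "$WAN_IP" --dport 80 -j DNAT --to-destination "$CITRIX_HOST:80"
iptables -t nat -A PREROUTING -p tcp -d "$WAN_IP" --dport 1494 -j DNAT --to-destination "$CITRIX_HOST:1494"
iptables -t nat -A PREROUTING -p tcp -d "$WAN_IP" --dport 1022 -j DNAT --to-destination "$SSH_HOST:22"

# Transparent proxy for the LAN (disabled).
#iptables -t nat -A PREROUTING -p tcp --dport 80 -i "$LAN_IF" -j REDIRECT --to-port 3128

# Masquerade the LAN behind the gateway. Deliberately restricted to LAN_NET
# rather than an unconditional MASQUERADE.
iptables -t nat -A POSTROUTING -s "$LAN_NET" -j MASQUERADE

#
# Enable forwarding only now that the FORWARD chain is fully populated.
#
echo 1 > /proc/sys/net/ipv4/ip_forward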