Есть шлюз на два провайдера (пусть будут X и Y с IP-адресами шлюза XXX.XXX.XXX.XX1 и YYY.YYY.YYY.YY1 соответственно).
Из внутренней сети интернет есть. Из интернета (но не из подсетей провайдеров) подключения по обоим интерфейсам работают нормально, даже при пробросе портов. Из подсети провайдера X нормально подключаюсь к XXX.XXX.XXX.XX1, так же и из подсети Y есть подключения к YYY.YYY.YYY.YY1.
Но не работает подключение из сети провайдера X к адресу YYY.YYY.YYY.YY1, и наоборот.
Похоже, я что-то забыл указать. Что именно?
Код скрипта файервола
#!/bin/bash
# Directory holding the per-list policy files (*.lst) that func_read_array loads.
CONFDIR=/etc/firewall
# Scratch results of func_read_array_from_file and func_readports.
declare -a VAR_DATA=( "" )
VARPORTS=
# LAN side, one entry per interface, all filled index-wise by func_make_array:
# name, address, dotted mask, prefix length, network address, network/prefix.
# Each array starts with a single empty placeholder element (so ${#NET_IF[@]}
# is 1 before func_make_array runs); the first stored entry overwrites it.
declare -a NET_IF=( "" )
declare -a NET_IP=( "" )
declare -a NET_MASK=( "" )
declare -a NET_PREF=( "" )
declare -a NET_NET_IP=( "" )
declare -a NET_NET=( "" )
# WAN side, same layout and same placeholder convention.
declare -a INET_IF=( "" )
declare -a INET_IP=( "" )
declare -a INET_MASK=( "" )
declare -a INET_PREF=( "" )
declare -a INET_NET_IP=( "" )
declare -a INET_NET=( "" )
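#######################################
# Load the non-empty, non-comment lines of a policy file into VAR_DATA.
# A line is dropped if it contains '#' anywhere (grep -v, as before); text
# after ' //' is a trailing comment and is stripped. Leading/trailing
# whitespace is trimmed by read's default IFS handling.
# Globals:   VAR_DATA (written; reset to a single empty element first, so a
#            missing or empty file leaves ${#VAR_DATA[@]} == 1 with "")
# Arguments: $1 - path of the file to read
# Outputs:   nothing on stdout; grep reports a missing file on stderr
#######################################
func_read_array_from_file ()
{
  local ind=0 line
  VAR_DATA=( "" )
  # -r keeps backslashes in config lines intact; without it read consumed them.
  while read -r line
  do
    if [[ -n "$line" ]]
    then
      VAR_DATA[$ind]=$line
      ind=$((ind+1))
    fi
  done < <(grep -v "#" -- "$1" | awk -F' //' '{print $1}')
}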
#######################################
# Fold the ports listed one per line in a file into the comma-separated
# VARPORTS string (via func_mport).
# Globals:   VARPORTS (written; emptied first)
# Arguments: $1 - path of the port list
#######################################
func_readports ()
{
  local line
  VARPORTS=""
  while read line
  do
    VARPORTS=$(func_mport $line $VARPORTS)
  done < "$1"
}
#######################################
# func_read_array_from_file for a list given relative to $CONFDIR.
# Globals:   CONFDIR (read); VAR_DATA (written by the callee)
# Arguments: $1 - path relative to $CONFDIR
#######################################
func_read_array ()
{
  local listfile="$CONFDIR/$1"
  func_read_array_from_file "$listfile"
}
#######################################
# Pull IPADDR= and PREFIX= out of a RHEL-style ifcfg file.
# Only those two keys are handled; an ifcfg that carries NETMASK= instead of
# PREFIX= leaves IFPREFIX untouched.
# Globals:   IFIPADDR, IFPREFIX (written when the key is present)
# Arguments: $1 - interface name, e.g. eth1
#######################################
func_read_netif ()
{
  local line key
  while read line
  do
    key=$(echo $line | awk -F'=' '{print $1}')
    case "$key" in
      "IPADDR")
        IFIPADDR=$(echo $line | awk -F'=' '{print $2}')
        ;;
      "PREFIX")
        IFPREFIX=$(echo $line | awk -F'=' '{print $2}')
        ;;
    esac
  done < /etc/sysconfig/network-scripts/ifcfg-$1
}
#######################################
# Split the VAR_DATA entries (loaded from the multiroutes config) into the
# LAN (NET_*) and WAN (INET_*) parallel arrays. An entry is expected to look
# like "LOCAL: ethN" or "GLOBAL: ethN": field 1 of the ': ' split selects the
# side, field 2 of the ' ' split is the interface name. Interfaces that do not
# show up in ifconfig output are skipped.
# Globals:   VAR_DATA (read); IFIPADDR, IFPREFIX (scratch, via func_read_netif);
#            NET_IF NET_IP NET_PREF NET_MASK NET_NET_IP NET_NET and the INET_*
#            counterparts (written from index 0, overwriting the placeholder
#            element); di, i, j, ETH (loop state, leaked as globals)
# Arguments: none
#######################################
func_make_array ()
{
IFIPADDR=""
IFPREFIX=""
di=0
i=0
j=0
while [ "$di" -lt "${#VAR_DATA[@]}" ]
do
IFIPADDR=""
IFPREFIX=""
ETH=$(echo ${VAR_DATA[$di]} | awk -F' ' '{print $2}')
func_read_netif $ETH
# Substring match: "eth1" also matches an "eth10"/"eth11" line of ifconfig output.
if [ "$(ifconfig | grep $ETH)" != "" ]
then
if [ "$(echo ${VAR_DATA[$di]} | awk -F': ' '{print $1}')" == "LOCAL" ]
then
NET_IF[$i]=$ETH
NET_IP[$i]=$IFIPADDR
NET_PREF[$i]=$IFPREFIX
# NOTE(review): these two captures keep everything the helpers print, and the
# helpers run in the same shell's namespace. Check that func_net_mask echoes
# only the mask and that func_net_ip never assigns a scalar NET_PREF; a stray
# echo lands in NET_MASK[i] and a scalar assignment overwrites NET_PREF[0].
NET_MASK[$i]=`func_net_mask $IFPREFIX`
NET_NET_IP[$i]=`func_net_ip $IFIPADDR $IFPREFIX`
NET_NET[$i]="${NET_NET_IP[$i]}/${NET_PREF[$i]}"
i=$[$i+1]
elif [ "$(echo ${VAR_DATA[$di]} | awk -F': ' '{print $1}')" == "GLOBAL" ]
then
INET_IF[$j]=$ETH
INET_IP[$j]=$IFIPADDR
INET_PREF[$j]=$IFPREFIX
# Same caveat as for the NET_* captures above.
INET_MASK[$j]=`func_net_mask $IFPREFIX`
INET_NET_IP[$j]=`func_net_ip $IFIPADDR $IFPREFIX`
INET_NET[$j]="${INET_NET_IP[$j]}/${INET_PREF[$j]}"
j=$[$j+1]
fi
fi
di=$[$di+1]
done
}
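#######################################
# Convert a prefix length to a dotted-decimal netmask.
# Arguments: $1 - prefix length, 0..32
# Outputs:   the mask alone on stdout (the debug echo of the prefix that used
#            to precede it is gone, so callers capturing the output get one
#            line); handles /0 and /32 and the /16 case whose assignment was
#            mistyped as "AT]=" before
# Returns:   0, or 1 with a message on stderr when $1 is not 0..32
#######################################
func_net_mask ()
{
  local pref=$1 octet mask
  if [[ ! $pref =~ ^[0-9]+$ ]] || (( pref > 32 ))
  then
    printf 'func_net_mask: bad prefix length "%s"\n' "$pref" >&2
    return 1
  fi
  # Value of the octet the prefix ends in: its top (pref % 8) bits are set.
  if (( pref % 8 == 0 ))
  then
    octet=0
  else
    octet=$(( 256 - 2 ** (8 - pref % 8) ))
  fi
  # pref/8 whole octets are 255; /32 has four of them and no partial octet.
  case $(( pref / 8 )) in
    0) mask="$octet.0.0.0" ;;
    1) mask="255.$octet.0.0" ;;
    2) mask="255.255.$octet.0" ;;
    3) mask="255.255.255.$octet" ;;
    *) mask="255.255.255.255" ;;
  esac
  echo "$mask"
}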
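#######################################
# Compute the network address of an IPv4 address/prefix pair.
# Arguments: $1 - dotted-decimal IPv4 address
#            $2 - prefix length, 0..32
# Outputs:   dotted-decimal network address on stdout
# Returns:   0, or 1 with a message on stderr for a prefix outside 0..32
# Note:      uses locals only. The earlier version assigned the scalar
#            NET_PREF, which silently overwrote NET_PREF[0] of the global
#            array func_make_array builds, and had the /16..23 arm mistyped
#            as "AT]=".
#######################################
func_net_ip ()
{
  local ip=$1 pref=$2
  local o0 o1 o2 o3 step net
  if [[ ! $pref =~ ^[0-9]+$ ]] || (( pref > 32 ))
  then
    printf 'func_net_ip: bad prefix length "%s"\n' "$pref" >&2
    return 1
  fi
  IFS=. read -r o0 o1 o2 o3 <<<"$ip"
  # Size of the aligned block inside the octet the prefix ends in
  # (2 to the power of that octet's host bits); 256 on an octet boundary.
  step=$(( 2 ** (pref / 8 * 8 + 8 - pref) ))
  case $(( pref / 8 )) in
    0) net="$(( o0 / step * step )).0.0.0" ;;
    1) net="$o0.$(( o1 / step * step )).0.0" ;;
    2) net="$o0.$o1.$(( o2 / step * step )).0" ;;
    3) net="$o0.$o1.$o2.$(( o3 / step * step ))" ;;
    *) net="$o0.$o1.$o2.$o3" ;;
  esac
  echo "$net"
}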
#######################################
# Allow every LAN network to reach the mail hosts listed in
# $CONFDIR/mail/<account>/<protocol>.lst on the given TCP ports (FORWARD).
# Globals:   NET_NET (read); VAR_DATA (written via func_read_array)
# Arguments: $1 - mail account directory name
#            $2 - protocol list name (pop3/imap/smtp)
#            $3 - comma-separated TCP ports
# Outputs:   "Mail for <account>: <protocol>" on stdout
#######################################
func_mail_acc ()
{
  local listfile="mail/$1/$2.lst"
  local net hosts
  echo "Mail for $1: $2"
  func_read_array $listfile
  for net in ${NET_NET[*]}
  do
    hosts=$(echo ${VAR_DATA[*]})
    func_cyclet $net "$hosts" $3
  done
}
#######################################
# Open all unprivileged ports and BASEPORTS, TCP and UDP, both into the
# gateway (INPUT) and through it (FORWARD), for each admin host listed in
# $CONFDIR/adm_out_host.lst.
# Globals:   UNPRIVPORTS, BASEPORTS (read, set by func_get_params);
#            VAR_DATA (written via func_read_array)
# Arguments: none
# Outputs:   a banner on stdout; iptables rules
#######################################
func_adm_out ()
{
  local idx proto chain
  echo "Доступ админам извне"
  func_read_array "adm_out_host.lst"
  for (( idx = 0; idx < ${#VAR_DATA[@]}; idx++ ))
  do
    for proto in "TCP" "UDP"
    do
      for chain in "FORWARD" "INPUT"
      do
        func_iptam $chain $proto ${VAR_DATA[$idx]} $UNPRIVPORTS
        func_iptam $chain $proto ${VAR_DATA[$idx]} $BASEPORTS
      done
    done
  done
}
#######################################
# Let the gateway itself open TCP connections to port $1 through interface $2:
# outbound from an unprivileged source port, inbound replies (non-SYN) only.
# Globals:   UNPRIVPORTS (read)
# Arguments: $1 - destination port (or port range)
#            $2 - WAN interface name
#######################################
func_fwgw ()
{
  local port=$1 ifname=$2
  iptables -A OUTPUT -p tcp -m tcp -o $ifname --dport $port --sport $UNPRIVPORTS -j ACCEPT
  iptables -A INPUT -p tcp -m tcp -i $ifname --dport $UNPRIVPORTS --sport $port ! --syn -j ACCEPT
}
#######################################
# Accept src -> dst on protocol $4 where BOTH source and destination port are
# $5 (used for DNS 53<->53).
# Arguments: $1 - chain, $2 - source, $3 - destination, $4 - protocol, $5 - port
#######################################
func_iptaf ()
{
  local chain=$1 src=$2 dst=$3 proto=$4 port=$5
  iptables -A $chain -s $src -d $dst -p $proto --sport $port --dport $port -j ACCEPT
}
#######################################
# Accept src -> dst on protocol $4 to any of the destination ports in $5
# (comma-separated list or ranges, via -m multiport).
# Arguments: $1 - chain, $2 - source, $3 - destination, $4 - protocol,
#            $5 - destination port list
#######################################
func_iptafm ()
{
  local chain=$1 src=$2 dst=$3 proto=$4 ports=$5
  iptables -A $chain -s $src -d $dst -p $proto -m multiport --dports $ports -j ACCEPT
}
#######################################
# Accept traffic to $3 on ports $5 and the matching traffic from $3 with those
# source ports. Not called anywhere on this page.
# NOTE(review): as written each rule passes -p twice ($2 and $4); iptables
# rejects a second -p, so this cannot succeed until one of them is dropped.
# Arguments: $1 - chain, $2 - protocol, $3 - host, $4 - protocol (again),
#            $5 - port list
#######################################
func_iptamp ()
{
  local chain=$1 proto1=$2 host=$3 proto2=$4 ports=$5
  iptables -A $chain -p $proto1 -d $host -p $proto2 -m multiport --dports $ports -j ACCEPT
  iptables -A $chain -p $proto1 -s $host -p $proto2 -m multiport --sports $ports -j ACCEPT
}
#######################################
# Accept traffic to host $3 on ports $4 and traffic from $3 with those source
# ports, for protocol $2 in chain $1.
# Arguments: $1 - chain, $2 - protocol, $3 - host, $4 - port list
#######################################
func_iptam ()
{
  local chain=$1 proto=$2 host=$3 ports=$4
  iptables -A $chain -p $proto -d $host -m multiport --dports $ports -j ACCEPT
  iptables -A $chain -p $proto -s $host -m multiport --sports $ports -j ACCEPT
}
#######################################
# Accept FORWARD TCP from network $1 to each host in the space-separated
# list $2 on ports $3.
# Arguments: $1 - source network, $2 - host list, $3 - destination port list
#######################################
func_cyclet ()
{
  local hosts=( $(echo "$2") )
  local idx
  for (( idx = 0; idx < ${#hosts[@]}; idx++ ))
  do
    func_iptafm "FORWARD" $1 ${hosts[$idx]} "TCP" $3
  done
}
#######################################
# Accept, in chain $1, protocol $4 to ports $5 from network i to address i
# for every index of the address list; networks and addresses are paired
# position by position, so $2 must hold at least as many entries as $3.
# Arguments: $1 - chain, $2 - source network list, $3 - destination address
#            list, $4 - protocol, $5 - destination port list
#######################################
func_cyclet_port ()
{
  local nets=( $(echo "$2") )
  local ips=( $(echo "$3") )
  local idx
  for (( idx = 0; idx < ${#ips[@]}; idx++ ))
  do
    func_iptafm "$1" ${nets[$idx]} ${ips[$idx]} $4 $5
  done
}
#######################################
# Same pairing as func_cyclet_port, but via func_iptaf: source and destination
# port are both $5.
# Arguments: $1 - chain, $2 - source network list, $3 - destination address
#            list, $4 - protocol, $5 - port
#######################################
func_cyclets_port ()
{
  local nets=( $(echo "$2") )
  local ips=( $(echo "$3") )
  local idx
  for (( idx = 0; idx < ${#ips[@]}; idx++ ))
  do
    func_iptaf "$1" ${nets[$idx]} ${ips[$idx]} $4 $5
  done
}
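#######################################
# Allow each network in $1 to query every DNS server held in VAR_DATA
# (loaded from dns.lst by the caller): UDP and TCP 53 forward, plus
# ESTABLISHED UDP replies from the server.
# The earlier loop read the DNS entry through the caller's $index and always
# used element 0 of the network list, so each network was paired with only
# one server; now every network/server combination gets its rules.
# Globals:   VAR_DATA (read)
# Arguments: $1 - space-separated network list
#######################################
func_dns_getway ()
{
  local nets=( $(echo "$1") )
  local net dns
  for net in "${nets[@]}"
  do
    for dns in "${VAR_DATA[@]}"
    do
      # VAR_DATA keeps a "" placeholder when the list is missing or empty.
      [ -n "$dns" ] || continue
      func_iptafm "FORWARD" $net $dns "UDP" "53"
      iptables -A FORWARD -p UDP -s $dns -d $net --sport 53 -m state --state ESTABLISHED -j ACCEPT
      func_iptafm "FORWARD" $net $dns "TCP" "53"
    done
  done
}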
#######################################
# Give host $1 unrestricted access: into the gateway via interface $2, and all
# TCP/UDP through it regardless of destination or interface.
# Arguments: $1 - host address, $2 - LAN interface it lives on
#######################################
func_free_getway ()
{
  local src=$1 ifname=$2 proto
  iptables -A INPUT -s "$src" -i "$ifname" -j ACCEPT
  for proto in TCP UDP
  do
    iptables -A FORWARD -s "$src" -p $proto -j ACCEPT
  done
}
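#######################################
# Apply one chain/protocol/port opening to every gateway-IP / source-network
# pair of the side func_open_port is processing.
# Globals:   TNETA, TIPA (read; set by func_open_port)
# Arguments: $1 - chain, $2 - protocol, $3 - port list
#######################################
_open_port_rule ()
{
  func_cyclet_port "$1" "${TNETA[*]}" "${TIPA[*]}" "$2" "$3"
}

#######################################
# Open the configured ports on the gateway itself (INPUT chain) for one side.
# Lists live in $CONFDIR/open_ports/:
#   tcp_$1.lst, udp_$1.lst, tcp-udp_$1.lst - one port per line
#   services_$1.lst                         - one service name per line
# Without tcp_$1.lst, TCP 22,80,443 is opened.
# Every gateway IP / source network pair now receives the rules; the earlier
# calls passed the bare array names, which expand to element 0 only, so a
# second WAN or LAN interface was silently left out.
# Globals:   CONFDIR (read); TP, TIPA, TNETA, TIFA (written, read by the
#            helper); VARPORTS (written via func_readports)
# Arguments: $1 - side: "global" (WAN) or "local" (LAN)
#            $2 - space-separated gateway IPs on that side
#            $3 - space-separated source networks, paired index-wise with $2
#            $4 - space-separated interface names, paired index-wise with $2
# Outputs:   iptables rules; unknown service names are reported on stderr
#######################################
func_open_port ()
{
  local dir line idx
  TP=$1
  TIPA=( $(echo $2) )
  TNETA=( $(echo $3) )
  TIFA=( $(echo $4) )
  dir="$CONFDIR/open_ports"
  if [ -e "$dir/tcp_$TP.lst" ]
  then
    func_readports "$dir/tcp_$TP.lst"
    # An empty list would hand --dports no value; skip it.
    if [ -n "$VARPORTS" ]
    then
      _open_port_rule INPUT TCP "$VARPORTS"
    fi
  else
    _open_port_rule INPUT TCP "22,80,443"
  fi
  if [ -e "$dir/udp_$TP.lst" ]
  then
    func_readports "$dir/udp_$TP.lst"
    if [ -n "$VARPORTS" ]
    then
      _open_port_rule INPUT UDP "$VARPORTS"
    fi
  fi
  if [ -e "$dir/tcp-udp_$TP.lst" ]
  then
    func_readports "$dir/tcp-udp_$TP.lst"
    if [ -n "$VARPORTS" ]
    then
      _open_port_rule INPUT TCP "$VARPORTS"
      _open_port_rule INPUT UDP "$VARPORTS"
    fi
  fi
  [ -e "$dir/services_$TP.lst" ] || return 0
  while read -r line
  do
    [ -n "$line" ] || continue
    case "$line" in
      "ssh")          _open_port_rule INPUT TCP 22 ;;
      "http")         _open_port_rule INPUT TCP 80 ;;
      "https")        _open_port_rule INPUT TCP 443 ;;
      "pop3")         _open_port_rule INPUT TCP 110 ;;
      "smtp")         _open_port_rule INPUT TCP 25 ;;
      "imap")         _open_port_rule INPUT TCP 143 ;;
      "pop3s")        _open_port_rule INPUT TCP 995 ;;
      "smtps")        _open_port_rule INPUT TCP 465 ;;
      "imaps")        _open_port_rule INPUT TCP 993 ;;
      "svn")          _open_port_rule INPUT TCP 3690 ;;
      "rsync")        _open_port_rule INPUT TCP 837 ;;
      "mysql")        _open_port_rule INPUT TCP 3306 ;;
      "squid")        _open_port_rule INPUT TCP 3128 ;;
      "ldap")         _open_port_rule INPUT TCP 389 ;;
      "ldaps")        _open_port_rule INPUT TCP 636 ;;
      "kasswd5")      _open_port_rule INPUT TCP 464 ;;
      "kerberos-adm") _open_port_rule INPUT TCP 749 ;;
      "cups")         _open_port_rule INPUT TCP 631 ;;
      "smb")
        _open_port_rule INPUT TCP "135,136,137,138,139,445"
        _open_port_rule INPUT UDP "135,136,137,138,139,445"
        _open_port_rule OUTPUT TCP "135,136,137,138,139,445"
        _open_port_rule OUTPUT UDP "135,136,137,138,139,445"
        ;;
      "nfs")
        _open_port_rule INPUT TCP "111,875,892,2049,32769,32803"
        _open_port_rule INPUT UDP "111,875,892,2049,32769,32803"
        ;;
      "xmpp")
        # Client-side XMPP from each gateway IP toward its paired network;
        # the loop used to repeat element 0 for every index.
        for (( idx = 0; idx < ${#TIPA[@]}; idx++ ))
        do
          iptables -A OUTPUT -p tcp -m tcp -s ${TIPA[$idx]} -d ${TNETA[$idx]} -m multiport --dports 5222,5269 -j ACCEPT
          iptables -A INPUT -p tcp -m tcp -s ${TNETA[$idx]} -d ${TIPA[$idx]} -m multiport --sports 5222,5269 -j ACCEPT
        done
        ;;
      "dns")
        # func_iptaf requires source AND destination port 53.
        func_cyclets_port "INPUT" "${TNETA[*]}" "${TIPA[*]}" "TCP" "53"
        func_cyclets_port "INPUT" "${TNETA[*]}" "${TIPA[*]}" "UDP" "53"
        ;;
      "dhcp")
        # DHCP server rules are only meaningful toward the LAN side.
        if [ "$TP" == "local" ]
        then
          for (( idx = 0; idx < ${#TIFA[@]}; idx++ ))
          do
            iptables -t filter -A INPUT -i ${TIFA[$idx]} -p udp -s 0.0.0.0 --sport 68 -d 255.255.255.255 --dport 67 -j ACCEPT
            iptables -t filter -A OUTPUT -o ${TIFA[$idx]} -p udp -s 0.0.0.0 --sport 68 -d 255.255.255.255 --dport 67 -j ACCEPT
            iptables -t filter -A OUTPUT -o ${TIFA[$idx]} -p udp -s ${TIPA[$idx]} --sport 67 -d 255.255.255.255 --dport 68 -j ACCEPT
            iptables -t filter -A INPUT -i ${TIFA[$idx]} -p udp -s 0.0.0.0 --sport 68 -d ${TIPA[$idx]} --dport 67 -j ACCEPT
            iptables -t filter -A OUTPUT -o ${TIFA[$idx]} -p udp -s ${TIPA[$idx]} --sport 67 -d ${TNETA[$idx]} --dport 68 -j ACCEPT
            iptables -t filter -A INPUT -i ${TIFA[$idx]} -p udp -s ${TNETA[$idx]} --sport 68 -d ${TIPA[$idx]} --dport 67 -j ACCEPT
          done
        fi
        ;;
      "ntp")          _open_port_rule INPUT UDP 123 ;;
      "vpn")          echo "" ;;
      *)
        printf 'func_open_port: unknown service "%s" in services_%s.lst\n' "$line" "$TP" >&2
        ;;
    esac
  done < "$dir/services_$TP.lst"
}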
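#######################################
# Allow the given source IPs to reach the per-service hosts listed under
# $CONFDIR/$1/. Every file in that directory holds one entry per line:
#   host[:ports[:proto]]
# ports default to 80,443; proto is TCP unless it is udp/UDP or
# tcp/udp/TCP/UDP, and TCP/UDP yields one FORWARD rule per protocol.
# The previous protocol test or-ed seven "!=" comparisons, which is always
# true, so every entry became TCP; and the later "$ACC_ACC_PTK[$index]"
# lacked braces and could never equal "TCP/UDP".
# Not called anywhere on this page.
# Globals:   CONFDIR (read); FUNCONFDIR, FUIP, ACC_ACC, ACC_ACC_PRT,
#            ACC_ACC_PTK (written); VAR_DATA (written via func_read_array)
# Arguments: $1 - subdirectory of $CONFDIR holding the lists
#            $2 - space-separated source IPs
# Outputs:   one "Читаю: <file>" line per list on stdout; FORWARD accept rules
#######################################
func_specserv ()
{
  local listfile entry host ports proto idx src index
  FUNCONFDIR=$1
  ACC_ACC=( )
  ACC_ACC_PRT=( )
  ACC_ACC_PTK=( )
  FUIP=( $(echo $2) )
  index=0
  for listfile in "$CONFDIR/$FUNCONFDIR"/*
  do
    # An unmatched glob stays literal; skip it instead of reading a missing file.
    [ -e "$listfile" ] || continue
    listfile=${listfile##*/}
    echo "Читаю:" $FUNCONFDIR/$listfile
    func_read_array "$FUNCONFDIR/$listfile"
    for entry in "${VAR_DATA[@]}"
    do
      [ -n "$entry" ] || continue
      IFS=: read -r host ports proto <<<"$entry"
      ACC_ACC[$index]=$host
      ACC_ACC_PRT[$index]=${ports:-80,443}
      case "$proto" in
        udp|UDP)         ACC_ACC_PTK[$index]="UDP" ;;
        tcp/udp|TCP/UDP) ACC_ACC_PTK[$index]="TCP/UDP" ;;
        *)               ACC_ACC_PTK[$index]="TCP" ;;
      esac
      index=$((index+1))
    done
  done
  for src in "${FUIP[@]}"
  do
    for (( idx = 0; idx < ${#ACC_ACC[@]}; idx++ ))
    do
      if [ "${ACC_ACC_PTK[$idx]}" == "TCP/UDP" ]
      then
        func_iptafm "FORWARD" $src ${ACC_ACC[$idx]} "TCP" ${ACC_ACC_PRT[$idx]}
        func_iptafm "FORWARD" $src ${ACC_ACC[$idx]} "UDP" ${ACC_ACC_PRT[$idx]}
      else
        func_iptafm "FORWARD" $src ${ACC_ACC[$idx]} ${ACC_ACC_PTK[$idx]} ${ACC_ACC_PRT[$idx]}
      fi
    done
  done
}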
#######################################
# Load the port constants, discover the LAN/WAN interfaces and print an
# interface table. Must run before fstart/fnat: they read the *PORTS
# constants and the NET_*/INET_* arrays filled here.
# Globals:   the *PORTS constants, S_INET_NET, ELCOM, ROUTESCONFFILE (written);
#            VAR_DATA, NET_*, INET_* (written via func_read_array_from_file /
#            func_make_array); INET_NET_A (written); N, I, i, j (scratch)
# Arguments: none
# Outputs:   interface table on stdout
#######################################
func_get_params ()
{
# Constants
S_INET_NET="0/0"
BASEPORTS="20,21,22,25,43,70,79,80,110,123,143,210,443"
CLOSEPORTS="630,640,783,3310,10000"
NETSERVISPORTS="53,67,68,113"
PRIVPORT="1:1023"
UNPRIVPORTS="1024:65535"
TORRENTSPORTS="49160:49300"
MAILPORTS="25,110,143,465,993,995"
IMPORTS="5190,5222,5223,5269,5280"
SERVISPORTS="2049,3306,10000"
RDPPORTS="3389"
# Trailing comma: -m multiport would reject this list if it were ever used.
VNCPORTS="5900:5906,"
XPORTS="6000:6063"
NFSPORTS="111,2049"
SAMBAPORTS="135:139,445"
SKYPEPORT="39592,13840,50179"
# Not referenced anywhere else on this page.
ELCOM="80.247.96.235"
# Interfaces
ROUTESCONFFILE="/etc/sysconfig/network-scripts/multiroutes.cfg"
func_read_array_from_file $ROUTESCONFFILE
func_make_array
i=0
while [ "$i" -lt "${#NET_IF[@]}" ]
do
# One "LAN ..." row per interface; the "\n" stays literal here and is
# expanded by the echo -e below.
N=$N"$(echo "LAN" ${NET_IF[$i]} ${NET_IP[$i]} ${NET_MASK[$i]} \(${NET_PREF[$i]}\) ${NET_NET_IP[$i]} "\n")"
i=$[$i+1]
done
j=0
while [ "$j" -lt "${#INET_IF[@]}" ]
do
I=$I"$(echo "WAN" ${INET_IF[$j]} ${INET_IP[$j]} ${INET_MASK[$j]} \(${INET_PREF[$j]}\) ${INET_NET_IP[$j]} "\n")"
j=$[$j+1]
done
# Header, then WAN and LAN rows sorted by interface name, aligned by column.
(echo -e "TYPE" "INTERFACE" "IP" "MASK" "PREFIX" "NET" "\n"; echo -e $I "\n" $N "\n" | sort -k 2.1 ) | column -t
i=0
# Source "network" for the WAN-side open ports: any address, one per WAN interface.
while [ "$i" -lt "${#INET_IF[@]}" ]
do
INET_NET_A[$i]=$S_INET_NET
i=$[$i+1]
done
}
#######################################
# Append port $1 to the comma-separated list $2.
# Arguments: $1 - port to add, $2 - existing list (may be empty or absent)
# Outputs:   the new list on stdout
#######################################
func_mport ()
{
  local port=$1 list=$2
  if [[ -z "$list" ]]
  then
    echo $port
  else
    echo $list,$port
  fi
}
#######################################
# Load the NAT / FTP-helper / LOG modules and enable IPv4 forwarding.
# NOTE(review): ip_nat_ftp and ip_conntrack_ftp are the legacy module names;
# newer kernels ship them as nf_nat_ftp / nf_conntrack_ftp, and a failed
# modprobe is not checked here. Without the FTP helper, active-mode FTP data
# connections are not classified RELATED.
# Arguments: none
#######################################
func_modpr ()
{
  local mod
  for mod in iptable_nat ip_nat_ftp ip_conntrack_ftp ipt_LOG
  do
    modprobe $mod
  done
  echo "1" > /proc/sys/net/ipv4/ip_forward
}
#######################################
# Build the complete filter/mangle/nat rule set: reset, default-DROP policies,
# bogus-flag drops, stateful ACCEPTs, loopback, connection marking for the
# two WAN uplinks, per-list service openings, mail, DNS, free gateways, admin
# hosts, ICMP, WAN helper ports and DNAT port forwards.
# Requires func_get_params to have filled the NET_*/INET_* arrays and the
# *PORTS constants.
# Globals:   CONFDIR, NET_*, INET_*, INET_NET_A, UNPRIVPORTS, XPORTS,
#            CLOSEPORTS (read); VAR_DATA, index and the func_* scratch globals
#            (written)
# Arguments: none
#######################################
fstart ()
{
echo "Starting firewall"
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -t nat -F PREROUTING
iptables -t nat -F POSTROUTING
iptables -X
iptables -t nat -X
iptables -t mangle -X
# Custom mangle chains for the multi-WAN connection marking below.
iptables -t mangle -N out-marking
iptables -t mangle -N in-marking
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
# A new connection must begin with a bare SYN.
iptables -A INPUT -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP
# NetBIOS noise and ident probes.
iptables -A INPUT -p UDP -s 0/0 --destination-port 137 -j DROP
iptables -A INPUT -p UDP -s 0/0 --destination-port 138 -j DROP
iptables -A INPUT -p UDP -s 0/0 --destination-port 113 -j REJECT
# DHCP server replies to this host, from any interface.
iptables -A INPUT -p UDP -s 0/0 --source-port 67 --destination-port 68 -j ACCEPT
iptables -A INPUT --fragment -p ICMP -j DROP
iptables -A OUTPUT --fragment -p ICMP -j DROP
# Malformed TCP flag combinations (xmas/null/syn-fin/syn-rst style).
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-option 64 -j DROP
iptables -A INPUT -p tcp --tcp-option 128 -j DROP
for HWNETIF in ${INET_IF[*]}
do
# The gateway itself may open outbound telnet (cleartext) on each WAN link;
# only non-SYN replies are let back in.
iptables -A OUTPUT -p tcp -m tcp -o $HWNETIF --dport 23 --sport $UNPRIVPORTS -j ACCEPT
iptables -A INPUT -p tcp -m tcp -i $HWNETIF --dport $UNPRIVPORTS --sport 23 -j ACCEPT ! --syn
# No inbound X11 and none of CLOSEPORTS from the WAN.
iptables -A INPUT -p tcp -m tcp -i $HWNETIF --dport $XPORTS -j DROP --syn
iptables -A INPUT -p icmp -m icmp -i $HWNETIF --icmp-type parameter-problem -j ACCEPT
iptables -A OUTPUT -p icmp -m icmp -o $HWNETIF --icmp-type parameter-problem -j ACCEPT
iptables -A INPUT -p tcp -m tcp -m multiport -i $HWNETIF -j DROP --destination-ports $CLOSEPORTS
done
for HWNETIF in ${NET_IF[*]} ${INET_IF[*]}
do
iptables -A INPUT -p icmp -m icmp -i $HWNETIF --icmp-type source-quench -j ACCEPT
iptables -A OUTPUT -p icmp -m icmp -o $HWNETIF --icmp-type source-quench -j ACCEPT
done
# Everything below only has to admit NEW connections.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -p ALL -s 127.0.0.1 -i lo -j ACCEPT
iptables -A OUTPUT -p ALL -d 127.0.0.1 -o lo -j ACCEPT
iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
# Anything the gateway sends from one of its own addresses is allowed out.
for IP in ${NET_IP[*]} ${INET_IP[*]}
do
iptables -A INPUT -p ALL -s $IP -i lo -j ACCEPT
iptables -A OUTPUT -p ALL -s $IP -j ACCEPT
done
# Mark packets
# Already-marked connections: copy the connmark back onto the packet, but
# only for packets entering on a LAN interface (see out-marking).
iptables -t mangle -A PREROUTING -m connmark ! --mark 0x0/0x3 -j out-marking
for HWNETIF in ${NET_IF[*]}
do
iptables -t mangle -A out-marking -i $HWNETIF -j CONNMARK --restore-mark --mask 0x3
done
index=0;
# New connections arriving on WAN interface N get connmark N (1 for the first
# WAN interface, 2 for the second), which the fwmark 0x1/0x3 and 0x2/0x3
# ip rules shown with this script route back out the same uplink.
# NOTE(review): marks are only restored in PREROUTING; nothing in mangle
# OUTPUT restores them for packets the gateway generates itself, so replies
# from the gateway to WAN-originated connections depend solely on the
# "from <WAN IP> lookup" ip rules — confirm that is enough for both uplinks.
iptables -t mangle -A PREROUTING -m conntrack --ctstate NEW -j in-marking
for HWNETIF in ${INET_IF[*]}
do
let "index = $index + 1"
iptables -t mangle -A in-marking -i $HWNETIF -j CONNMARK --set-xmark 0x$index/0x3
done
# Ports open from the WAN side
# The last argument has the brace on the wrong side of "$": it expands to the
# literal "{", INET_IF element 0 and "[*]}" rather than the interface list.
# Harmless for "global" (func_open_port only uses the interface list in its
# dhcp arm when $1 is "local"), but it should read "${INET_IF[*]}" like the
# local call below.
func_open_port "global" "${INET_IP[*]}" "${INET_NET_A[*]}" "{$INET_IF[*]}"
# Mail
while read mline
do
# mline=$mline
# test(1) binds -a tighter than -o, so this reads
# pop3 OR (imap AND smtp): an account with pop3.lst but no smtp.lst still
# enters the branch and func_mail_acc is run against the missing smtp list.
if [ -e "$CONFDIR/mail/$mline/pop3.lst" -o -e "$CONFDIR/mail/$mline/imap.lst" -a -e "$CONFDIR/mail/$mline/smtp.lst" ]
then
if [ -e "$CONFDIR/mail/$mline/pop3.lst" ]
then
func_mail_acc $mline pop3 "110,995"
fi
if [ -e "$CONFDIR/mail/$mline/imap.lst" ]
then
func_mail_acc $mline imap "143,993"
fi
func_mail_acc $mline smtp "25,465,587"
else
echo "Проверте настройки pop3, imap и smtp для $mline"
fi
done < <(ls -1 "$CONFDIR/mail")
# Ports open from the LAN side
func_open_port "local" "${NET_IP[*]}" "${NET_NET[*]}" "${NET_IF[*]}"
# Allow only DNS and DHCP server replies to our requests
echo "DNS провайдера"
# dns.lst goes into VAR_DATA; func_dns_getway reads it for each LAN network.
func_read_array dns.lst
index=0
while [ "$index" -lt "${#NET_NET[@]}" ]
do
func_dns_getway "${NET_NET[$index]}"
let "index = $index + 1"
done
# Admin access outwards
echo "Свободный шлюз"
# $CONFDIR/free_getway/<iface>.lst: hosts on that LAN interface that get
# unrestricted TCP/UDP forwarding.
for TIFST in ${NET_IF[*]}
do
func_read_array free_getway/$TIFST.lst
index=0
while [ "$index" -lt "${#VAR_DATA[@]}" ]
do
func_free_getway "${VAR_DATA[$index]}" "$TIFST"
let "index = $index + 1"
done
done
# Sysadmin access
func_adm_out
# Outgoing ping allowed, incoming rate-limited.
echo "Системные службы"
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 2 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
iptables -A OUTPUT -p icmp --icmp-type echo-reply -m icmp -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 2 -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -j DROP
# All remaining ICMP types pass in every direction.
iptables -A INPUT -p icmp -j ACCEPT
iptables -A FORWARD -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT
for TIFST in ${INET_IF[*]}
do
# Outgoing AUTH (ident) requests allowed, incoming dropped.
func_fwgw 113 $TIFST
iptables -A INPUT -p tcp -m tcp -i $TIFST --dport 113 -j DROP
# Allow finger, whois, gopher, wais. Traceroute outgoing only.
func_fwgw $UNPRIVPORTS $TIFST
func_fwgw 79 $TIFST
func_fwgw 43 $TIFST
func_fwgw 70 $TIFST
func_fwgw 210 $TIFST
# Active-mode FTP data (server connects back from port 20).
# NOTE(review): unlike the func_fwgw rules this one has no "! --syn" and no
# state match, so it admits NEW TCP from any WAN host using source port 20
# to every unprivileged port on the gateway. The FTP conntrack helper loaded
# in func_modpr already classifies the data connection RELATED, which the
# ESTABLISHED,RELATED rule above accepts, so this rule is likely redundant
# and worth removing.
iptables -A INPUT -p tcp -m tcp -i $TIFST --dport $UNPRIVPORTS --sport 20 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp -o $TIFST --dport 20 --sport $UNPRIVPORTS -j ACCEPT ! --syn
done
# Port forwarding
echo "Переброс портов"
# port_fw.lst entries: <public port>:<internal host>:<internal port>.
# Each entry is published on every WAN address; the FORWARD accept keys on
# the internal destination only, not on the incoming interface.
func_read_array port_fw.lst
index=0
while [ "$index" -lt "${#VAR_DATA[@]}" ]
do
ACCPORTINP=$(echo ${VAR_DATA[$index]} | awk -F':' '{print $1}')
ACCIADDDES=$(echo ${VAR_DATA[$index]} | awk -F':' '{print $2}')
ACCPORTDES=$(echo ${VAR_DATA[$index]} | awk -F':' '{print $3}')
for INETIP in ${INET_IP[*]}
do
iptables -t nat -A PREROUTING -d $INETIP -p TCP --dport $ACCPORTINP -j DNAT --to-destination $ACCIADDDES:$ACCPORTDES
iptables -A FORWARD -p TCP -d $ACCIADDDES --dport $ACCPORTDES -j ACCEPT
done
let "index = $index + 1"
done
}
#######################################
# Enable source NAT on each WAN interface and normalise the TTL of inbound
# WAN packets. Each iteration also appends the same three rules for eth3, so
# with two WAN interfaces eth3 ends up with two SNAT rules (to different WAN
# addresses) plus two MASQUERADE rules; the hard-coded eth3 (a LAN interface
# in the route listing on this page) looks like a leftover — TODO confirm.
# For any given -o interface the SNAT rule precedes MASQUERADE, so the
# MASQUERADE rule on the same interface is never reached.
# Globals:   INET_IF, INET_IP (read); index (written)
# Arguments: none
#######################################
fnat ()
{
# Enable NAT
echo "NAT"
index=0
while [ "$index" -lt "${#INET_IF[@]}" ]
do
# Rewrite the TTL of everything entering from this WAN interface to 64.
iptables -t mangle -A PREROUTING -i ${INET_IF[$index]} -j TTL --ttl-set 64
iptables -t nat -A POSTROUTING -o ${INET_IF[$index]} -j SNAT --to-source ${INET_IP[$index]}
iptables -t nat -A POSTROUTING -o ${INET_IF[$index]} -j MASQUERADE
# Repeated once per WAN interface; see the header note.
iptables -t mangle -A PREROUTING -i eth3 -j TTL --ttl-set 64
iptables -t nat -A POSTROUTING -o eth3 -j SNAT --to-source ${INET_IP[$index]}
iptables -t nat -A POSTROUTING -o eth3 -j MASQUERADE
let "index = $index + 1"
done
}
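#######################################
# Drop all traffic to and from the hosts listed in $CONFDIR/black_list.lst.
# Rules are inserted at the head of INPUT/OUTPUT/FORWARD (-I): fblock runs
# after fstart has appended its ACCEPT rules under default-DROP policies, so
# an appended DROP (-A) sat behind every ACCEPT and could never match.
# The previous loop also never advanced its index and spun forever on a
# non-empty list.
# Globals:   CONFDIR (read); VAR_DATA (written via func_read_array)
# Arguments: none
# Outputs:   "Блокировка домена" on stdout; iptables rules
#######################################
fblock ()
{
  local idx host
  echo "Блокировка домена"
  [ -e "$CONFDIR/black_list.lst" ] || return 0
  func_read_array black_list.lst
  for (( idx = 0; idx < ${#VAR_DATA[@]}; idx++ ))
  do
    host=${VAR_DATA[$idx]}
    # VAR_DATA keeps a "" placeholder for an empty list.
    [ -n "$host" ] || continue
    iptables -I INPUT -p all -s $host -j DROP
    iptables -I OUTPUT -p all -d $host -j DROP
    iptables -I FORWARD -p all -s $host -j DROP
    iptables -I FORWARD -p all -d $host -j DROP
  done
}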
#######################################
# Tear the firewall down: flush and delete the filter and nat chains, then
# set every filter policy to ACCEPT.
# NOTE(review): the mangle table (out-marking/in-marking and the TTL rules
# from fstart/fnat) is left in place.
# Arguments: none
# Outputs:   "Stopping firewall" on stdout
#######################################
fstop ()
{
  local table chain
  echo "Stopping firewall"
  for table in filter nat
  do
    iptables -t $table -F
    iptables -t $table -X
  done
  for chain in INPUT OUTPUT FORWARD
  do
    iptables -P $chain ACCEPT
  done
}
#######################################
# List the filter-table chains (long-option spelling of "iptables -L").
# Arguments: none
# Outputs:   iptables listing on stdout
#######################################
fstatus ()
{
  iptables --list
}
#######################################
# Dump the current rule set to the distribution's iptables save file.
# Arguments: none
#######################################
fsave ()
{
  local dump=/etc/sysconfig/iptables
  iptables-save >"$dump"
}
#######################################
# Load the rule set previously written by fsave.
# Arguments: none
#######################################
frestore ()
{
  local dump=/etc/sysconfig/iptables
  iptables-restore <"$dump"
}
#######################################
# Init-style dispatcher. start/restart build the full rule set (params,
# modules, rules, block list, NAT); pause leaves only NAT in place; save and
# restore go through /etc/sysconfig/iptables.
#######################################
case "$1" in
  start)
    func_get_params
    func_modpr
    fstart
    fblock
    fnat
    ;;
  stop)
    fstop
    ;;
  pause)
    fstop
    func_get_params
    fnat
    ;;
  restart)
    fstop
    func_get_params
    fstart
    fblock
    fnat
    ;;
  status)
    fstatus
    ;;
  save)
    fsave
    ;;
  restore)
    func_modpr
    fstop
    frestore
    ;;
  *)
    printf '%s\n' 'Usage /etc/init.d/firewall {start|stop|status|pause|restart|save|restore}'
    exit 1
    ;;
esac
exit 0
Роуты
213.180.204.11 via YYY.YYY.YYY.193 dev eth2
31.13.60.76 via XXX.XXX.XXX.233 dev eth1
80.247.97.18 via XXX.XXX.XXX.233 dev eth1
87.250.250.199 via YYY.YYY.YYY.193 dev eth2
213.180.204.25 via XXX.XXX.XXX.233 dev eth1
77.88.21.253 via YYY.YYY.YYY.193 dev eth2
92.38.2.37 via XXX.XXX.XXX.233 dev eth1
93.88.162.106 via XXX.XXX.XXX.233 dev eth1
93.88.162.107 via YYY.YYY.YYY.193 dev eth2
213.180.193.124 via YYY.YYY.YYY.193 dev eth2
173.194.32.161 via YYY.YYY.YYY.193 dev eth2
173.194.32.160 via XXX.XXX.XXX.233 dev eth1
173.194.32.163 via YYY.YYY.YYY.193 dev eth2
173.194.32.162 via XXX.XXX.XXX.233 dev eth1
173.194.32.165 via YYY.YYY.YYY.193 dev eth2
173.194.32.164 via XXX.XXX.XXX.233 dev eth1
93.158.134.124 via XXX.XXX.XXX.233 dev eth1
173.194.32.167 via YYY.YYY.YYY.193 dev eth2
173.194.32.166 via XXX.XXX.XXX.233 dev eth1
173.194.32.169 via YYY.YYY.YYY.193 dev eth2
173.194.32.168 via XXX.XXX.XXX.233 dev eth1
213.180.204.37 via YYY.YYY.YYY.193 dev eth2
87.250.250.253 via XXX.XXX.XXX.233 dev eth1
178.187.233.138 via XXX.XXX.XXX.233 dev eth1
213.180.204.53 via YYY.YYY.YYY.193 dev eth2
93.88.162.77 via XXX.XXX.XXX.233 dev eth1
93.88.162.78 via YYY.YYY.YYY.193 dev eth2
217.229.79.46 via XXX.XXX.XXX.233 dev eth1
195.49.68.2 via YYY.YYY.YYY.193 dev eth2
93.88.162.48 via XXX.XXX.XXX.233 dev eth1
93.88.162.49 via YYY.YYY.YYY.193 dev eth2
93.158.134.25 via XXX.XXX.XXX.233 dev eth1
213.180.193.38 via YYY.YYY.YYY.193 dev eth2
213.180.193.37 via XXX.XXX.XXX.233 dev eth1
93.158.134.11 via YYY.YYY.YYY.193 dev eth2
80.247.96.65 via XXX.XXX.XXX.233 dev eth1
213.180.193.53 via XXX.XXX.XXX.233 dev eth1
77.88.21.178 via XXX.XXX.XXX.233 dev eth1
93.88.162.20 via YYY.YYY.YYY.193 dev eth2
213.180.193.11 via XXX.XXX.XXX.233 dev eth1
80.247.96.125 via XXX.XXX.XXX.233 dev eth1
87.250.250.186 via YYY.YYY.YYY.193 dev eth2
87.250.251.178 via XXX.XXX.XXX.233 dev eth1
213.180.193.25 via YYY.YYY.YYY.193 dev eth2
93.158.134.38 via XXX.XXX.XXX.233 dev eth1
93.158.134.37 via YYY.YYY.YYY.193 dev eth2
178.63.3.88 via XXX.XXX.XXX.233 dev eth1
93.88.162.251 via XXX.XXX.XXX.233 dev eth1
77.88.21.124 via XXX.XXX.XXX.233 dev eth1
93.158.134.199 via XXX.XXX.XXX.233 dev eth1
212.47.252.243 via YYY.YYY.YYY.193 dev eth2
93.158.134.253 via YYY.YYY.YYY.193 dev eth2
213.180.193.199 via YYY.YYY.YYY.193 dev eth2
93.88.162.223 via YYY.YYY.YYY.193 dev eth2
10.0.1.6 via XXX.XXX.XXX.233 dev eth1
93.88.162.222 via XXX.XXX.XXX.233 dev eth1
10.0.1.2 via XXX.XXX.XXX.233 dev eth1
87.250.250.124 via YYY.YYY.YYY.193 dev eth2
10.0.2.6 via YYY.YYY.YYY.193 dev eth2
93.88.162.193 via XXX.XXX.XXX.233 dev eth1
93.88.162.194 via YYY.YYY.YYY.193 dev eth2
10.0.2.2 via YYY.YYY.YYY.193 dev eth2
213.180.204.186 via XXX.XXX.XXX.233 dev eth1
213.180.204.178 via YYY.YYY.YYY.193 dev eth2
93.91.172.2 via YYY.YYY.YYY.193 dev eth2
87.250.250.11 via YYY.YYY.YYY.193 dev eth2
77.88.21.38 via XXX.XXX.XXX.233 dev eth1
213.180.204.199 via XXX.XXX.XXX.233 dev eth1
87.250.251.11 via XXX.XXX.XXX.233 dev eth1
93.88.162.164 via XXX.XXX.XXX.233 dev eth1
93.88.162.165 via YYY.YYY.YYY.193 dev eth2
213.180.193.178 via XXX.XXX.XXX.233 dev eth1
87.250.250.25 via YYY.YYY.YYY.193 dev eth2
87.250.251.37 via XXX.XXX.XXX.233 dev eth1
77.88.21.11 via XXX.XXX.XXX.233 dev eth1
87.250.250.38 via YYY.YYY.YYY.193 dev eth2
93.158.134.178 via YYY.YYY.YYY.193 dev eth2
93.88.162.135 via XXX.XXX.XXX.233 dev eth1
213.180.204.252 via XXX.XXX.XXX.233 dev eth1
80.247.96.235 via XXX.XXX.XXX.233 dev eth1
93.88.162.136 via YYY.YYY.YYY.193 dev eth2
XXX.XXX.XXX.232/29 dev eth1 proto kernel scope link src XXX.XXX.XXX.235
YYY.YYY.YYY.192/26 dev eth2 proto kernel scope link src YYY.YYY.YYY.232
80.247.96.0/24 via XXX.XXX.XXX.233 dev eth1
10.0.0.0/24 dev eth3 proto kernel scope link src 10.0.0.1
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.5
169.254.0.0/16 dev eth0 scope link metric 1002
169.254.0.0/16 dev eth1 scope link metric 1003
169.254.0.0/16 dev eth2 scope link metric 1004
169.254.0.0/16 dev eth3 scope link metric 1005
default equalize
nexthop via XXX.XXX.XXX.233 dev eth1 weight 1
nexthop via YYY.YYY.YYY.193 dev eth2 weight 1
Рулесы
0: from all lookup local
32758: from YYY.YYY.YYY.YY1 lookup Y
32759: from all fwmark 0x2/0x3 lookup Y
32760: from XXX.XXX.XXX.XX1 lookup X
32761: from all fwmark 0x1/0x3 lookup X
32762: from YYY.YYY.YYY.YY1 lookup Y
32763: from all fwmark 0x2/0x3 lookup Y
32764: from XXX.XXX.XXX.XX1 lookup X
32765: from all fwmark 0x1/0x3 lookup X
32766: from all lookup main
32767: from all lookup default