Linux reititin / Palomuuri
Tässä pieni iptables-script, jolla saat linux koneen reitittämään netin muille koneille:
Koneessa 2 verkkokorttia:
eth0 = Lähiverkko
eth1 = Internet
Lähiverkon osoiteavaruus 192.168.x.x
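#!/bin/bash
# Small iptables script that turns a two-NIC Linux box into a NAT router /
# firewall for a private LAN.
#
#   eth0 = LAN  (192.168.0.0/16)
#   eth1 = WAN  (Internet)
#
# Must be run as root. Policy: neither the router nor the LAN accepts anything
# new from the WAN; only replies to connections opened from the inside are let
# back in. IPv4 only -- ip6tables is not touched, so an IPv6-enabled WAN link
# is left unfiltered by this script.

set -eu

# --- Variables --------------------------------------------------------------
LAN=eth0
LAN_IP=192.168.0.0/255.255.0.0
WAN=eth1
IPTABLES=/sbin/iptables

# The kernel must be told to forward packets between interfaces; without this
# the FORWARD chain below never sees any traffic and nothing is routed.
echo 1 > /proc/sys/net/ipv4/ip_forward

###########################################################
###################### Filter table #######################
###########################################################
# Start from a clean slate.
${IPTABLES} -F
${IPTABLES} -X

# Default policies: drop whatever the rules below do not explicitly allow.
${IPTABLES} -P FORWARD DROP
${IPTABLES} -P INPUT DROP
${IPTABLES} -P OUTPUT ACCEPT

#---------- INPUT ----------#
# Loopback is accepted unconditionally. Requiring -s 127.0.0.1 here (as before)
# dropped local connections made to the box's own eth0/eth1 address, which
# also travel over lo.
${IPTABLES} -A INPUT -i lo -j ACCEPT
${IPTABLES} -A INPUT -i "${LAN}" -s "${LAN_IP}" -j ACCEPT

# Anti-spoofing: a packet with a LAN source address can never legitimately
# arrive on the WAN interface.
${IPTABLES} -A INPUT -i "${WAN}" -s "${LAN_IP}" -j DROP

# Replies to connections the router itself opened. This must come BEFORE the
# low-port drops below: otherwise e.g. an NTP reply (dst port 123) or an ICMP
# error belonging to an existing connection (path-MTU discovery) is discarded.
# No -p restriction so that RELATED ICMP is covered as well.
${IPTABLES} -A INPUT -i "${WAN}" -m state --state RELATED,ESTABLISHED -j ACCEPT
${IPTABLES} -A INPUT -i "${WAN}" -m state --state INVALID -j DROP

# Allow SSH from the outside (uncomment if needed; restricting with -s to the
# networks you administer from is advisable).
#${IPTABLES} -A INPUT -i "${WAN}" -p tcp --dport ssh -j ACCEPT

# Everything new from the WAN is dropped (ping included).
${IPTABLES} -A INPUT -i "${WAN}" -p tcp --dport 0:1023 -j DROP
${IPTABLES} -A INPUT -i "${WAN}" -p udp --dport 0:1023 -j DROP
${IPTABLES} -A INPUT -i "${WAN}" -p tcp --syn -j DROP
${IPTABLES} -A INPUT -i "${WAN}" -p icmp -j DROP
${IPTABLES} -A INPUT -j DROP

#---------- FORWARD ----------#
# Same anti-spoofing rule for transit traffic.
${IPTABLES} -A FORWARD -i "${WAN}" -s "${LAN_IP}" -j DROP

# Replies coming back to LAN hosts; again placed before the port drops so that
# low destination ports on the LAN side (NTP, ICMP errors) are not cut off.
${IPTABLES} -A FORWARD -i "${WAN}" -o "${LAN}" -d "${LAN_IP}" \
  -m state --state RELATED,ESTABLISHED -j ACCEPT
${IPTABLES} -A FORWARD -i "${WAN}" -m state --state INVALID -j DROP

# New connections from the WAN are not forwarded.
${IPTABLES} -A FORWARD -i "${WAN}" -p tcp --dport 0:1023 -j DROP
${IPTABLES} -A FORWARD -i "${WAN}" -p udp --dport 0:1023 -j DROP
${IPTABLES} -A FORWARD -i "${WAN}" -p tcp --syn -j DROP
${IPTABLES} -A FORWARD -i "${WAN}" -p icmp -j DROP

# LAN hosts may open anything towards the Internet.
${IPTABLES} -A FORWARD -i "${LAN}" -o "${WAN}" -s "${LAN_IP}" -j ACCEPT
${IPTABLES} -A FORWARD -j DROP

#---------- OUTPUT ----------#
# Nothing: OUTPUT policy is ACCEPT.

##########################################################
####################### NAT table ########################
##########################################################
# Start from a clean slate.
${IPTABLES} -t nat -F
${IPTABLES} -t nat -X

# Default policies.
${IPTABLES} -t nat -P PREROUTING ACCEPT
${IPTABLES} -t nat -P POSTROUTING ACCEPT
${IPTABLES} -t nat -P OUTPUT ACCEPT

#---------- PREROUTING ----------#
# Port-forwarding (DNAT) examples go here. NOTE: a DNATed packet still has to
# pass the FORWARD chain above, which drops new connections from the WAN, so
# each redirect also needs a matching ACCEPT placed before the FORWARD drops:
#   ${IPTABLES} -A FORWARD -i "${WAN}" -o "${LAN}" -p udp --dport 28960 -j ACCEPT
#
# Call of Duty
#${IPTABLES} -t nat -A PREROUTING -p udp --dport 28960 -i "${WAN}" -j DNAT --to 192.168.x.x
# Web server (HTTP runs over TCP)
#${IPTABLES} -t nat -A PREROUTING -p tcp --dport http -i "${WAN}" -j DNAT --to 192.168.x.x

#---------- POSTROUTING ----------#
# Masquerade everything leaving via the WAN behind the WAN address. Add
# -s "${LAN_IP}" to limit NAT strictly to the LAN if other sources exist.
${IPTABLES} -t nat -A POSTROUTING -o "${WAN}" -j MASQUERADE

#---------- OUTPUT ----------#
# Nothing.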