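#!/bin/sh
#
###
#
# Iptables script
# Tests by Alex
#
# Rules are evaluated top to bottom and the first terminating match
# wins, so every ACCEPT below is placed ahead of the LOG/DROP that
# would otherwise shadow it.
###
set -eu
###
# Local network
#
LAN_IP="192.168.2.10"
# NOTE(review): 192.168.2.0/16 has host bits set, so iptables treats it
# as 192.168.0.0/16; the broadcast address below suggests a /24 was
# intended -- confirm before narrowing it.
LAN_IP_RANGE="192.168.2.0/16"
LAN_BCAST_ADRESS="192.168.2.255"   # not referenced by any rule below
LAN_IFACE="eth0"
###
# Localhost
#
LO_IFACE="lo"
LO_IP="127.0.0.1"
###
# Internet
#
INET_IP="192.168.2.10"
INET_IFACE="eth0"
###
# Internal web server reached through the port forward below.
#
DNAT_WEB_IP="192.168.2.6"
DNAT_WEB_PORT="80"
###
# Location of iptables.
#
IPTABLES="/sbin/iptables"
###
# Preconditions: rules can only be loaded as root, and a missing binary
# must abort before the existing rule set is flushed.
#
if [ "$(id -u)" -ne 0 ]; then
  printf '%s\n' "this script must run as root" >&2
  exit 1
fi
if [ ! -x "$IPTABLES" ]; then
  printf '%s: not found or not executable\n' "$IPTABLES" >&2
  exit 1
fi
###
# Flush the previous rules
#
echo "Borrando reglas anteriores ..."
"$IPTABLES" -F
"$IPTABLES" -X
"$IPTABLES" -Z
"$IPTABLES" -t nat -F
###
# Default policies for INPUT, FORWARD and OUTPUT
#
"$IPTABLES" -P INPUT DROP
"$IPTABLES" -P OUTPUT ACCEPT
"$IPTABLES" -P FORWARD DROP
###
# NAT masquerading, only for LAN sources leaving via the Internet
# interface. The former unconditional "-A POSTROUTING -j MASQUERADE"
# rewrote the source of every forwarded packet regardless of origin.
#
"$IPTABLES" -t nat -A POSTROUTING -s "$LAN_IP_RANGE" -o "$INET_IFACE" -j MASQUERADE
###
# Enable packet forwarding (Linux does not by default)
#
echo "1" > /proc/sys/net/ipv4/ip_forward
###
# Packet redirection: public port 7880 -> internal web server
#
"$IPTABLES" -t nat -A PREROUTING -p tcp -d "$INET_IP" --dport 7880 -j DNAT --to "$DNAT_WEB_IP:$DNAT_WEB_PORT"
###
# INPUT rules
#
## Allow
"$IPTABLES" -A INPUT -i "$LO_IFACE" -j ACCEPT
# Replies to connections this host opened (web, IRC, Jabber, IMAP, DNS).
# This replaces the former "--sport 80/6667/5222/imap/53 -j ACCEPT"
# rules, which admitted any unsolicited packet that merely carried one of
# those source ports and so bypassed the DROP policy.
"$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Trusted LAN, pinned to the LAN interface so a LAN source address alone
# is not enough. With a single physical interface this pin adds little;
# it matters once LAN_IFACE and INET_IFACE differ.
"$IPTABLES" -A INPUT -i "$LAN_IFACE" -s "$LAN_IP_RANGE" -j ACCEPT
"$IPTABLES" -A INPUT -p tcp --dport 80 -j ACCEPT # Local web server
# ICMP echo request and time exceeded, placed before the LOG rule so
# accepted pings are not reported as "died".
"$IPTABLES" -A INPUT -p icmp --icmp-type 8 -j ACCEPT
"$IPTABLES" -A INPUT -p icmp --icmp-type 11 -j ACCEPT
## Deny (explicit, although the INPUT policy already drops)
"$IPTABLES" -A INPUT -p tcp --dport 1:1024 -j DROP
"$IPTABLES" -A INPUT -p udp --dport 1:1024 -j DROP
"$IPTABLES" -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "
###
# FORWARD rules & Internet sharing
#
# Replies for flows already tracked.
"$IPTABLES" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# LAN -> Internet (share the connection).
"$IPTABLES" -A FORWARD -i "$LAN_IFACE" -o "$INET_IFACE" -j ACCEPT
# New connections from the Internet are forwarded only to the DNAT'ed web
# server. The former "-i $INET_IFACE -j ACCEPT" forwarded everything and
# left the closing NEW,INVALID DROP unreachable.
"$IPTABLES" -A FORWARD -i "$INET_IFACE" -p tcp -d "$DNAT_WEB_IP" --dport "$DNAT_WEB_PORT" -m state --state NEW -j ACCEPT
"$IPTABLES" -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died: "
"$IPTABLES" -A FORWARD -i "$INET_IFACE" -m state --state NEW,INVALID -j DROP
###
# OUTPUT rules; the final LOG records packets that matched none of the
# rules above (the OUTPUT policy is ACCEPT, so they are still sent).
#
"$IPTABLES" -A OUTPUT -s "$LO_IP" -j ACCEPT
"$IPTABLES" -A OUTPUT -s "$LAN_IP" -j ACCEPT
"$IPTABLES" -A OUTPUT -s "$INET_IP" -j ACCEPT
"$IPTABLES" -A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
"$IPTABLES" -A OUTPUT -p tcp -m tcp --sport 80 -m state --state RELATED,ESTABLISHED -j ACCEPT
"$IPTABLES" -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "
###
# Report that the script finished
#
echo "Iptables ... done"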