Разрешить доступ к интернет из локальной сети

9 ноября 2008

Filed under: Памятка — Метки: Сеть — admin @ 6:50

Ситуация:
У нас есть компьютер под управлением Linux. Данный компьютер подключен к интернет, а также подключен к локальной сети.
Задача:
Разрешить компьютерам находящимся в локальной сети, доступ к интернет (соответсвенно через компьютер к нему подключенный — тот самый, что под управлением Linux)…

Столкнувшись с этой задачей впервые, как человек, тонкостями настроек iptables никогда не увлекавшийся, по гуглив несколько минут, честно говоря пришел в небольшое уныние.
Как в некотором роде сисадмин серверов на платформе linux, понимал, что придется скорее всего крутить iptables, но как бывший пользователь Windows XP, тайно надеялся, что найдется что-то типа галки «разрешить общий доступ к соединению».
Надежда умерла довольно быстро… но как оказалось зря :-)
Есть такой замечательный скрипт — rc.firewall, у меня прекрасно работает, в том числе на ядрах 2.6
Вот его код:

#!/bin/sh
#
# rc.firewall-2.4-stronger
#
FWVER=0.80s
 
#          An example of a stronger IPTABLES firewall with IP Masquerade 
#          support for 2.4.x kernels.  
#
# Log:
#
#   0.80s - Added a DISABLED ip_nat_irc kernel module section, changed the
#           default of the ip_conntrack_irc to NOT load by default, and 
#           added additional kernel module comments
#   0.79s - ruleset now uses modprobe instead of insmod
#   0.78s - REJECT is not a legal policy yet; back to DROP
#   0.77s - Changed the default block behavior to REJECT not DROP
#   0.76s - Added a comment about the OPTIONAL WWW ruleset and a comment
#           where to put optional PORTFW commands
#   0.75s - Added clarification that PPPoE users need to use
#           "ppp0" instead of "eth0" for their external interface
#   0.74s - Changed the EXTIP command to work on NON-English distros
#   0.73s - Added comments in the output section that DHCPd is optional
#           and changed the default settings to disabled
#   0.72s - Changed the filter from the INTNET to the INTIP to be
#           stateful; moved the command VARs to the top and made the
#           rest of the script to use them
#   0.70s - Added a disabled examples for allowing internal DHCP  
#           and external WWW access to the server
#   0.63s - Added support for the IRC module
#   0.62s - Initial version based upon the basic 2.4.x rc.firewall
 
 
echo -e "\nLoading STRONGER rc.firewall - version $FWVER..\n"
 
 
# The location of various iptables and other shell programs
#
#   If your Linux distribution came with a copy of iptables, most
#   likely it is located in /sbin.  If you manually compiled 
#   iptables, the default location is in /usr/local/sbin
#
# ** Please use the "whereis iptables" command to figure out 
# ** where your copy is and change the path below to reflect 
# ** your setup
#
IPTABLES=/sbin/iptables
#IPTABLES=/usr/local/sbin/iptables
#
LSMOD=/sbin/lsmod
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe
GREP=/bin/grep
AWK=/bin/awk
SED=/bin/sed
IFCONFIG=/sbin/ifconfig
 
 
#Setting the EXTERNAL and INTERNAL interfaces for the network
#
#  Each IP Masquerade network needs to have at least one
#  external and one internal network.  The external network
#  is where the natting will occur and the internal network
#  should preferably be addressed with a RFC1918 private address
#  scheme.
#
#  For this example, "eth0" is external and "eth1" is internal"
#
#  NOTE:  If this doesnt EXACTLY fit your configuration, you must 
#         change the EXTIF or INTIF variables above. For example: 
#
#            If you are a PPPoE or analog modem user:
#
#               EXTIF="ppp0" 
#
INTIF="eth0"
EXTIF="eth1"
echo "  External Interface:  $EXTIF"
echo "  Internal Interface:  $INTIF"
echo "  ---"
 
# Specify your Static IP address here or let the script take care of it 
# for you.
#
#   If you prefer to use STATIC addresses in your firewalls, un-# out the
#   static example below and # out the dynamic line.  If you don't care,
#   just leave this section alone.
#
#   If you have a DYNAMIC IP address, the ruleset already takes care of
#   this for you.  Please note that the different single and double quote 
#   characters and the script MATTER.
#
#
#   DHCP users:
#   -----------
#   If you get your TCP/IP address via DHCP, **you will need ** to enable the 
#   #ed out command below underneath the PPP section AND replace the word 
#   "eth0" with the name of your EXTERNAL Internet connection (ppp0, ippp0, 
#   etc) on the lines for "ppp-ip" and "extip".  You should also note that the 
#   DHCP server can and will change IP addresses on you.  To deal with this, 
#   users should configure their DHCP client to re-run the rc.firewall ruleset 
#   everytime the DHCP lease is renewed.
#
#     NOTE #1:  Some DHCP clients like the original "pump" (the newer
#               versions have been fixed) did NOT have the ability to run 
#               scripts after a lease-renew.  Because of this, you need to 
#               replace it with something like "dhcpcd" or "dhclient".
#
#     NOTE #2:  The syntax for "dhcpcd" has changed in recent versions.
#
#               Older versions used syntax like:
#                         dhcpcd -c /etc/rc.d/rc.firewall eth0
#
#               Newer versions execute a file called /etc/dhcpc/dhcpcd-eth0.exe
#
#     NOTE #3:  For Pump users, put the following line in /etc/pump.conf:
#
#                   script /etc/rc.d/rc.firewall
#
#   PPP users:
#   ----------
#   If you aren't already aware, the /etc/ppp/ip-up script is always run when 
#   a PPP connection comes up.  Because of this, we can make the ruleset go and 
#   get the new PPP IP address and update the strong firewall ruleset.
#
#   If the /etc/ppp/ip-up file already exists, you should edit it and add a line
#   containing "/etc/rc.d/rc.firewall" near the end of the file.
#
#   If you don't already have a /etc/ppp/ip-up script, you need to create the 
#   following link to run the /etc/rc.d/rc.firewall script.
#
#       ln -s /etc/rc.d/rc.firewall /etc/ppp/ip-up
#
#   * You then want to enable the #ed out shell command below *
#
#
# Determine the external IP automatically:
# ----------------------------------------
#
#  The following line will determine your external IP address.  This
#  line is somewhat complex and confusing but it will also work for
#  all NON-English Linux distributions:
#
EXTIP="`$IFCONFIG $EXTIF | $AWK \
 /$EXTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`"
 
 
# For users who wish to use STATIC IP addresses:
#
#  # out the EXTIP line above and un-# out the EXTIP line below
#
#EXTIP="your.static.PPP.address"
echo "  External IP: $EXTIP"
echo "  ---"
 
 
# Assign the internal TCP/IP network and IP address
INTNET="192.168.0.0/24"
INTIP="192.168.0.1/24"
echo "  Internal Network: $INTNET"
echo "  Internal IP:      $INTIP"
echo "  ---"
 
 
 
 
# Setting a few other local variables
#
UNIVERSE="0.0.0.0/0"
 
#======================================================================
#== No editing beyond this line is required for initial MASQ testing ==
 
# Need to verify that all modules have all required dependencies
#
echo "  - Verifying that all kernel modules are ok"
$DEPMOD -a
 
echo -en "    Loading kernel modules: "
 
# With the new IPTABLES code, the core MASQ functionality is now either
# modular or compiled into the kernel.  This HOWTO shows ALL IPTABLES
# options as MODULES.  If your kernel is compiled correctly, there is
# NO need to load the kernel modules manually.  
#
#  NOTE: The following items are listed ONLY for informational reasons.
#        There is no reason to manual load these modules unless your
#        kernel is either mis-configured or you intentionally disabled
#        the kernel module autoloader.
#
 
# Upon the commands of starting up IP Masq on the server, the
# following kernel modules will be automatically loaded:
#
# NOTE:  Only load the IP MASQ modules you need.  All current IP MASQ 
#        modules are shown below but are commented out from loading.
# ===============================================================
 
#Load the main body of the IPTABLES module - "ip_tables"
#  - Loaded automatically when the "iptables" command is invoked
#
#  - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "ip_tables, "
#
#Verify the module isn't loaded.  If it is, skip it
#
if [ -z "` $LSMOD | $GREP ip_tables | $AWK {'print $1'} `" ]; then
   $MODPROBE ip_tables
fi
 
 
#Load the IPTABLES filtering module - "iptable_filter" 
#
#  - Loaded automatically when filter policies are activated
 
 
#Load the stateful connection tracking framework - "ip_conntrack"
#
# The conntrack  module in itself does nothing without other specific 
# conntrack modules being loaded afterwards such as the "ip_conntrack_ftp"
# module
#
#  - This module is loaded automatically when MASQ functionality is 
#    enabled 
#
#  - Loaded manually to clean up kernel auto-loading timing issues
#
#echo -en "ip_conntrack, "
#
#Verify the module isn't loaded.  If it is, skip it
#
#if [ -z "` $LSMOD | $GREP ip_conntrack | $AWK {'print $1'} `" ]; then
#   $MODPROBE ip_conntrack
#fi
 
 
#Load the FTP tracking mechanism for full FTP tracking
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
#echo -e "ip_conntrack_ftp, "
#
#Verify the module isn't loaded.  If it is, skip it
#
#if [ -z "` $LSMOD | $GREP ip_conntrack_ftp | $AWK {'print $1'} `" ]; then
#   $MODPROBE ip_conntrack_ftp
#fi
 
 
#Load the IRC tracking mechanism for full IRC tracking
#
# Disabled by default -- insert a "#" on the next few lines to activate
#
# echo -en "                             ip_conntrack_irc, "
#
#Verify the module isn't loaded.  If it is, skip it
#
# if [ -z "` $LSMOD | $GREP ip_conntrack_irc | $AWK {'print $1'} `" ]; then
#    $MODPROBE ip_conntrack_irc
# fi
 
 
#Load the general IPTABLES NAT code - "iptable_nat"
#  - Loaded automatically when MASQ functionality is turned on
# 
#  - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "iptable_nat, "
#
#Verify the module isn't loaded.  If it is, skip it
#
if [ -z "` $LSMOD | $GREP iptable_nat | $AWK {'print $1'} `" ]; then
   $MODPROBE iptable_nat
fi
 
 
#Loads the FTP NAT functionality into the core IPTABLES code
# Required to support non-PASV FTP.
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -e "ip_nat_ftp"
#
#Verify the module isn't loaded.  If it is, skip it
#
if [ -z "` $LSMOD | $GREP ip_nat_ftp | $AWK {'print $1'} `" ]; then
   $MODPROBE ip_nat_ftp
fi
 
 
#Loads the IRC NAT functionality (for DCC) into the core IPTABLES code
#
# DISABLED by default -- delete the "#" on the next few lines to activate
#
# echo -e "ip_nat_irc"
#
#Verify the module isn't loaded.  If it is, skip it
#
# if [ -z "` $LSMOD | $GREP ip_nat_irc | $AWK {'print $1'} `" ]; then
#    $MODPROBE ip_nat_irc
# fi
 
 
echo "  ---"
 
# Just to be complete, here is a partial list of some of the other  
# IPTABLES kernel modules and their function.  Please note that most 
# of these modules (the ipt ones) are automatically loaded by the 
# master kernel module for proper operation and don't need to be 
# manually loaded.
# --------------------------------------------------------------------
#
#    ip_nat_snmp_basic - this module allows for proper NATing of some 
#                        SNMP traffic
#
#    iptable_mangle    - this target allows for packets to be 
#                        manipulated for things like the TCPMSS 
#                        option, etc.
#
# --
#
#    ipt_mark       - this target marks a given packet for future action.
#                     This automatically loads the ipt_MARK module
#
#    ipt_tcpmss     - this target allows to manipulate the TCP MSS
#                     option for braindead remote firewalls.
#                     This automatically loads the ipt_TCPMSS module
#
#    ipt_limit      - this target allows for packets to be limited to
#                     to many hits per sec/min/hr
#
#    ipt_multiport  - this match allows for targets within a range
#                     of port numbers vs. listing each port individually
#
#    ipt_state      - this match allows to catch packets with various
#                     IP and TCP flags set/unset
#
#    ipt_unclean    - this match allows to catch packets that have invalid
#                     IP/TCP flags set
#
#    iptable_filter - this module allows for packets to be DROPped, 
#                     REJECTed, or LOGged.  This module automatically 
#                     loads the following modules:
#
#                     ipt_LOG - this target allows for packets to be 
#                               logged
#
#                     ipt_REJECT - this target DROPs the packet and returns 
#                                  a configurable ICMP packet back to the 
#                                  sender.
 
 
#CRITICAL:  Enable IP forwarding since it is disabled by default since
#
#           Redhat Users:  you may try changing the options in
#                          /etc/sysconfig/network from:
#
#                       FORWARD_IPV4=false
#                             to
#                       FORWARD_IPV4=true
#
echo "  Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward
 
 
# Dynamic IP users:
#
#   If you get your IP address dynamically from SLIP, PPP, or DHCP, 
#   enable the following option.  This enables dynamic-address hacking
#   which makes the life with Diald and similar programs much easier.
#
echo "  Enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
 
echo "  ---"
 
#############################################################################
#
# Enable Stronger IP forwarding and Masquerading
#
#  NOTE:  In IPTABLES speak, IP Masquerading is a form of SourceNAT or SNAT.
#
#  NOTE #2:  The following is an example for an internal LAN address in the
#            192.168.1.x network with a 255.255.255.0 or a "24" bit subnet 
#            mask connecting to the Internet on external interface "eth0".  
#            This example will MASQ internal traffic out to the Internet 
#            but not allow non-initiated traffic into your internal network.
#
#            
#         ** Please change the above network numbers, subnet mask, and your 
#         *** Internet connection interface name to match your setup
#         
 
#Clearing any previous configuration
#
#  Unless specified, the defaults for INPUT, OUTPUT, and FORWARD to DROP
#
#    You CANNOT change this to REJECT as it isn't a vaild policy setting.
#    If you want REJECT, you must explictly REJECT at the end of a giving 
#    INPUT, OUTPUT, or FORWARD chain
#
echo "  Clearing any existing rules and setting default policy to DROP.."
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT 
$IPTABLES -P OUTPUT DROP
$IPTABLES -F OUTPUT 
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD 
$IPTABLES -F -t nat
 
#Not needed and it will only load the unneeded kernel module
#$IPTABLES -F -t mangle
#
# Flush the user chain.. if it exists
if [ -n "`$IPTABLES -L | $GREP drop-and-log-it`" ]; then
   $IPTABLES -F drop-and-log-it
fi
#
# Delete all User-specified chains
$IPTABLES -X
#
# Reset all IPTABLES counters
$IPTABLES -Z
 
 
#Configuring specific CHAINS for later use in the ruleset
#
#  NOTE:  Some users prefer to have their firewall silently
#         "DROP" packets while others prefer to use "REJECT"
#         to send ICMP error messages back to the remote 
#         machine.  The default is "REJECT" but feel free to
#         change this below.
#
# NOTE: Without the --log-level set to "info", every single
#       firewall hit will goto ALL vtys.  This is a very big
#       pain.
#
echo "  Creating a DROP chain.."
$IPTABLES -N drop-and-log-it
$IPTABLES -A drop-and-log-it -j LOG --log-level info 
$IPTABLES -A drop-and-log-it -j REJECT
 
echo -e "\n   - Loading INPUT rulesets"
 
 
#######################################################################
# INPUT: Incoming traffic from various interfaces.  All rulesets are 
#        already flushed and set to a default policy of DROP. 
#
 
# loopback interfaces are valid.
#
$IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
 
 
# local interface, local machines, going anywhere is valid
#
$IPTABLES -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT
 
 
# remote interface, claiming to be local machines, IP spoofing, get lost
#
$IPTABLES -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j drop-and-log-it
 
 
# external interface, from any source, for ICMP traffic is valid
#
#  If you would like your machine to "ping" from the Internet, 
#  enable this next line
#
$IPTABLES -A INPUT -i $EXTIF -p ICMP -s $UNIVERSE -d $EXTIP -j ACCEPT
 
 
# remote interface, any source, going to permanent PPP address is valid
#
#$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -j ACCEPT
 
 
# Allow any related traffic coming back to the MASQ server in
#
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state \
 ESTABLISHED,RELATED -j ACCEPT
 
 
# ----- Begin OPTIONAL INPUT Section -----
#
 
# DHCPd - Enable the following lines if you run an INTERNAL DHCPd server
#
#$IPTABLES -A INPUT -i $INTIF -p tcp --sport 68 --dport 67 -j ACCEPT
#$IPTABLES -A INPUT -i $INTIF -p udp --sport 68 --dport 67 -j ACCEPT
 
# HTTPd - Enable the following lines if you run an EXTERNAL WWW server
#
#    NOTE:  This is NOT needed for simply enabling PORTFW.  This is ONLY 
#           for users that plan on running Apache on the MASQ server itself
#
#echo -e "      - Allowing EXTERNAL access to the WWW server"
#$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \
# -p tcp -s $UNIVERSE -d $EXTIP --dport 80 -j ACCEPT
#
#echo -e "      - Allowing EXTERNAL access to the SSH server"
#$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \
# -p tcp -s $UNIVERSE -d $EXTIP --dport 22 -j ACCEPT
 
#echo -e "      - Allowing EXTERNAL access to the SMTP server"
#$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \
# -p tcp -s $UNIVERSE -d $EXTIP --dport 25 -j ACCEPT
 
#echo -e "      - Allowing EXTERNAL access to the POP3 server"
#$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \
# -p tcp -s $UNIVERSE -d $EXTIP --dport 110 -j ACCEPT
 
#echo -e "      - Allowing EXTERNAL access to the FTP server"
#$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \
# -p tcp -s $UNIVERSE -d $EXTIP --dport 21 -j ACCEPT
 
#
# ----- End OPTIONAL INPUT Section -----
 
 
 
# Catch all rule, all other incoming is denied and logged. 
#
$IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
 
 
echo -e "   - Loading OUTPUT rulesets"
 
#######################################################################
# OUTPUT: Outgoing traffic from various interfaces.  All rulesets are 
#         already flushed and set to a default policy of DROP. 
#
 
# loopback interface is valid.
#
$IPTABLES -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
 
 
# local interfaces, any source going to local net is valid
#
$IPTABLES -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT
 
 
# local interface, any source going to local net is valid
#
$IPTABLES -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT
 
 
# outgoing to local net on remote interface, stuffed routing, deny
#
$IPTABLES -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j drop-and-log-it
 
 
# anything else outgoing on remote interface is valid
#
$IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT
 
 
# ----- Begin OPTIONAL OUTPUT Section -----
#
 
# DHCPd - Enable the following lines if you run an INTERNAL DHCPd server
#         - Remove BOTH #s all the #s if you need this functionality.
#
#$IPTABLES -A OUTPUT -o $INTIF -p tcp -s $INTIP --sport 67 \
# -d 255.255.255.255 --dport 68 -j ACCEPT
#$IPTABLES -A OUTPUT -o $INTIF -p udp -s $INTIP --sport 67 \
# -d 255.255.255.255 --dport 68 -j ACCEPT
 
#
# ----- End OPTIONAL OUTPUT Section -----
 
 
# Catch all rule, all other outgoing is denied and logged. 
#
$IPTABLES -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
 
 
echo -e "   - Loading FORWARD rulesets"
 
#######################################################################
# FORWARD: Enable Forwarding and thus IPMASQ
#
 
# ----- Begin OPTIONAL FORWARD Section -----
#
# ----- End OPTIONAL FORWARD Section -----
 
 
echo "     - FWD: Allow all connections OUT and only existing/related IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED \
 -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
 
# Catch all rule, all other forwarding is denied and logged. 
#
$IPTABLES -A FORWARD -j drop-and-log-it
 
 
#echo "     - NAT: Enabling SNAT (MASQUERADE) functionality on $EXTIF"
#
#More liberal form
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
#
#Stricter form
#$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP
 
#echo "     - NAT: Enabling transparent proxy forwarding"
#$IPTABLES -t nat -A PREROUTING  -i $INTIF -d ! $INTIP -p tcp \
# --dport 80 -j REDIRECT --to-port 3128
 
#######################################################################
 
 
echo -e "\nDone.\n"

#!/bin/sh # # rc.firewall-2.4-stronger # FWVER=0.80s # An example of a stronger IPTABLES firewall with IP Masquerade # support for 2.4.x kernels. # # Log: # # 0.80s - Added a DISABLED ip_nat_irc kernel module section, changed the # default of the ip_conntrack_irc to NOT load by default, and # added additional kernel module comments # 0.79s - ruleset now uses modprobe instead of insmod # 0.78s - REJECT is not a legal policy yet; back to DROP # 0.77s - Changed the default block behavior to REJECT not DROP # 0.76s - Added a comment about the OPTIONAL WWW ruleset and a comment # where to put optional PORTFW commands # 0.75s - Added clarification that PPPoE users need to use # "ppp0" instead of "eth0" for their external interface # 0.74s - Changed the EXTIP command to work on NON-English distros # 0.73s - Added comments in the output section that DHCPd is optional # and changed the default settings to disabled # 0.72s - Changed the filter from the INTNET to the INTIP to be # stateful; moved the command VARs to the top and made the # rest of the script to use them # 0.70s - Added a disabled examples for allowing internal DHCP # and external WWW access to the server # 0.63s - Added support for the IRC module # 0.62s - Initial version based upon the basic 2.4.x rc.firewall echo -e "\nLoading STRONGER rc.firewall - version $FWVER..\n" # The location of various iptables and other shell programs # # If your Linux distribution came with a copy of iptables, most # likely it is located in /sbin. If you manually compiled # iptables, the default location is in /usr/local/sbin # # ** Please use the "whereis iptables" command to figure out # ** where your copy is and change the path below to reflect # ** your setup # IPTABLES=/sbin/iptables #IPTABLES=/usr/local/sbin/iptables # LSMOD=/sbin/lsmod DEPMOD=/sbin/depmod MODPROBE=/sbin/modprobe GREP=/bin/grep AWK=/bin/awk SED=/bin/sed IFCONFIG=/sbin/ifconfig #Setting the EXTERNAL and INTERNAL interfaces for the network # # Each IP Masquerade network needs to have at least one # external and one internal network. The external network # is where the natting will occur and the internal network # should preferably be addressed with a RFC1918 private address # scheme. # # For this example, "eth0" is external and "eth1" is internal" # # NOTE: If this doesnt EXACTLY fit your configuration, you must # change the EXTIF or INTIF variables above. For example: # # If you are a PPPoE or analog modem user: # # EXTIF="ppp0" # INTIF="eth0" EXTIF="eth1" echo " External Interface: $EXTIF" echo " Internal Interface: $INTIF" echo " ---" # Specify your Static IP address here or let the script take care of it # for you. # # If you prefer to use STATIC addresses in your firewalls, un-# out the # static example below and # out the dynamic line. If you don't care, # just leave this section alone. # # If you have a DYNAMIC IP address, the ruleset already takes care of # this for you. Please note that the different single and double quote # characters and the script MATTER. # # # DHCP users: # ----------- # If you get your TCP/IP address via DHCP, **you will need ** to enable the # #ed out command below underneath the PPP section AND replace the word # "eth0" with the name of your EXTERNAL Internet connection (ppp0, ippp0, # etc) on the lines for "ppp-ip" and "extip". You should also note that the # DHCP server can and will change IP addresses on you. To deal with this, # users should configure their DHCP client to re-run the rc.firewall ruleset # everytime the DHCP lease is renewed. # # NOTE #1: Some DHCP clients like the original "pump" (the newer # versions have been fixed) did NOT have the ability to run # scripts after a lease-renew. Because of this, you need to # replace it with something like "dhcpcd" or "dhclient". # # NOTE #2: The syntax for "dhcpcd" has changed in recent versions. # # Older versions used syntax like: # dhcpcd -c /etc/rc.d/rc.firewall eth0 # # Newer versions execute a file called /etc/dhcpc/dhcpcd-eth0.exe # # NOTE #3: For Pump users, put the following line in /etc/pump.conf: # # script /etc/rc.d/rc.firewall # # PPP users: # ---------- # If you aren't already aware, the /etc/ppp/ip-up script is always run when # a PPP connection comes up. Because of this, we can make the ruleset go and # get the new PPP IP address and update the strong firewall ruleset. # # If the /etc/ppp/ip-up file already exists, you should edit it and add a line # containing "/etc/rc.d/rc.firewall" near the end of the file. # # If you don't already have a /etc/ppp/ip-up script, you need to create the # following link to run the /etc/rc.d/rc.firewall script. # # ln -s /etc/rc.d/rc.firewall /etc/ppp/ip-up # # * You then want to enable the #ed out shell command below * # # # Determine the external IP automatically: # ---------------------------------------- # # The following line will determine your external IP address. This # line is somewhat complex and confusing but it will also work for # all NON-English Linux distributions: # EXTIP="`$IFCONFIG $EXTIF | $AWK \ /$EXTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`" # For users who wish to use STATIC IP addresses: # # # out the EXTIP line above and un-# out the EXTIP line below # #EXTIP="your.static.PPP.address" echo " External IP: $EXTIP" echo " ---" # Assign the internal TCP/IP network and IP address INTNET="192.168.0.0/24" INTIP="192.168.0.1/24" echo " Internal Network: $INTNET" echo " Internal IP: $INTIP" echo " ---" # Setting a few other local variables # UNIVERSE="0.0.0.0/0" #====================================================================== #== No editing beyond this line is required for initial MASQ testing == # Need to verify that all modules have all required dependencies # echo " - Verifying that all kernel modules are ok" $DEPMOD -a echo -en " Loading kernel modules: " # With the new IPTABLES code, the core MASQ functionality is now either # modular or compiled into the kernel. This HOWTO shows ALL IPTABLES # options as MODULES. If your kernel is compiled correctly, there is # NO need to load the kernel modules manually. # # NOTE: The following items are listed ONLY for informational reasons. # There is no reason to manual load these modules unless your # kernel is either mis-configured or you intentionally disabled # the kernel module autoloader. # # Upon the commands of starting up IP Masq on the server, the # following kernel modules will be automatically loaded: # # NOTE: Only load the IP MASQ modules you need. All current IP MASQ # modules are shown below but are commented out from loading. # =============================================================== #Load the main body of the IPTABLES module - "ip_tables" # - Loaded automatically when the "iptables" command is invoked # # - Loaded manually to clean up kernel auto-loading timing issues # echo -en "ip_tables, " # #Verify the module isn't loaded. If it is, skip it # if [ -z "` $LSMOD | $GREP ip_tables | $AWK {'print $1'} `" ]; then $MODPROBE ip_tables fi #Load the IPTABLES filtering module - "iptable_filter" # # - Loaded automatically when filter policies are activated #Load the stateful connection tracking framework - "ip_conntrack" # # The conntrack module in itself does nothing without other specific # conntrack modules being loaded afterwards such as the "ip_conntrack_ftp" # module # # - This module is loaded automatically when MASQ functionality is # enabled # # - Loaded manually to clean up kernel auto-loading timing issues # #echo -en "ip_conntrack, " # #Verify the module isn't loaded. If it is, skip it # #if [ -z "` $LSMOD | $GREP ip_conntrack | $AWK {'print $1'} `" ]; then # $MODPROBE ip_conntrack #fi #Load the FTP tracking mechanism for full FTP tracking # # Enabled by default -- insert a "#" on the next line to deactivate # #echo -e "ip_conntrack_ftp, " # #Verify the module isn't loaded. If it is, skip it # #if [ -z "` $LSMOD | $GREP ip_conntrack_ftp | $AWK {'print $1'} `" ]; then # $MODPROBE ip_conntrack_ftp #fi #Load the IRC tracking mechanism for full IRC tracking # # Disabled by default -- insert a "#" on the next few lines to activate # # echo -en " ip_conntrack_irc, " # #Verify the module isn't loaded. If it is, skip it # # if [ -z "` $LSMOD | $GREP ip_conntrack_irc | $AWK {'print $1'} `" ]; then # $MODPROBE ip_conntrack_irc # fi #Load the general IPTABLES NAT code - "iptable_nat" # - Loaded automatically when MASQ functionality is turned on # # - Loaded manually to clean up kernel auto-loading timing issues # echo -en "iptable_nat, " # #Verify the module isn't loaded. If it is, skip it # if [ -z "` $LSMOD | $GREP iptable_nat | $AWK {'print $1'} `" ]; then $MODPROBE iptable_nat fi #Loads the FTP NAT functionality into the core IPTABLES code # Required to support non-PASV FTP. # # Enabled by default -- insert a "#" on the next line to deactivate # echo -e "ip_nat_ftp" # #Verify the module isn't loaded. If it is, skip it # if [ -z "` $LSMOD | $GREP ip_nat_ftp | $AWK {'print $1'} `" ]; then $MODPROBE ip_nat_ftp fi #Loads the IRC NAT functionality (for DCC) into the core IPTABLES code # # DISABLED by default -- delete the "#" on the next few lines to activate # # echo -e "ip_nat_irc" # #Verify the module isn't loaded. If it is, skip it # # if [ -z "` $LSMOD | $GREP ip_nat_irc | $AWK {'print $1'} `" ]; then # $MODPROBE ip_nat_irc # fi echo " ---" # Just to be complete, here is a partial list of some of the other # IPTABLES kernel modules and their function. Please note that most # of these modules (the ipt ones) are automatically loaded by the # master kernel module for proper operation and don't need to be # manually loaded. # -------------------------------------------------------------------- # # ip_nat_snmp_basic - this module allows for proper NATing of some # SNMP traffic # # iptable_mangle - this target allows for packets to be # manipulated for things like the TCPMSS # option, etc. # # -- # # ipt_mark - this target marks a given packet for future action. # This automatically loads the ipt_MARK module # # ipt_tcpmss - this target allows to manipulate the TCP MSS # option for braindead remote firewalls. # This automatically loads the ipt_TCPMSS module # # ipt_limit - this target allows for packets to be limited to # to many hits per sec/min/hr # # ipt_multiport - this match allows for targets within a range # of port numbers vs. listing each port individually # # ipt_state - this match allows to catch packets with various # IP and TCP flags set/unset # # ipt_unclean - this match allows to catch packets that have invalid # IP/TCP flags set # # iptable_filter - this module allows for packets to be DROPped, # REJECTed, or LOGged. This module automatically # loads the following modules: # # ipt_LOG - this target allows for packets to be # logged # # ipt_REJECT - this target DROPs the packet and returns # a configurable ICMP packet back to the # sender. #CRITICAL: Enable IP forwarding since it is disabled by default since # # Redhat Users: you may try changing the options in # /etc/sysconfig/network from: # # FORWARD_IPV4=false # to # FORWARD_IPV4=true # echo " Enabling forwarding.." echo "1" > /proc/sys/net/ipv4/ip_forward # Dynamic IP users: # # If you get your IP address dynamically from SLIP, PPP, or DHCP, # enable the following option. This enables dynamic-address hacking # which makes the life with Diald and similar programs much easier. # echo " Enabling DynamicAddr.." echo "1" > /proc/sys/net/ipv4/ip_dynaddr echo " ---" ############################################################################# # # Enable Stronger IP forwarding and Masquerading # # NOTE: In IPTABLES speak, IP Masquerading is a form of SourceNAT or SNAT. # # NOTE #2: The following is an example for an internal LAN address in the # 192.168.1.x network with a 255.255.255.0 or a "24" bit subnet # mask connecting to the Internet on external interface "eth0". # This example will MASQ internal traffic out to the Internet # but not allow non-initiated traffic into your internal network. # # # ** Please change the above network numbers, subnet mask, and your # *** Internet connection interface name to match your setup # #Clearing any previous configuration # # Unless specified, the defaults for INPUT, OUTPUT, and FORWARD to DROP # # You CANNOT change this to REJECT as it isn't a vaild policy setting. # If you want REJECT, you must explictly REJECT at the end of a giving # INPUT, OUTPUT, or FORWARD chain # echo " Clearing any existing rules and setting default policy to DROP.." $IPTABLES -P INPUT DROP $IPTABLES -F INPUT $IPTABLES -P OUTPUT DROP $IPTABLES -F OUTPUT $IPTABLES -P FORWARD DROP $IPTABLES -F FORWARD $IPTABLES -F -t nat #Not needed and it will only load the unneeded kernel module #$IPTABLES -F -t mangle # # Flush the user chain.. if it exists if [ -n "`$IPTABLES -L | $GREP drop-and-log-it`" ]; then $IPTABLES -F drop-and-log-it fi # # Delete all User-specified chains $IPTABLES -X # # Reset all IPTABLES counters $IPTABLES -Z #Configuring specific CHAINS for later use in the ruleset # # NOTE: Some users prefer to have their firewall silently # "DROP" packets while others prefer to use "REJECT" # to send ICMP error messages back to the remote # machine. The default is "REJECT" but feel free to # change this below. # # NOTE: Without the --log-level set to "info", every single # firewall hit will goto ALL vtys. This is a very big # pain. # echo " Creating a DROP chain.." $IPTABLES -N drop-and-log-it $IPTABLES -A drop-and-log-it -j LOG --log-level info $IPTABLES -A drop-and-log-it -j REJECT echo -e "\n - Loading INPUT rulesets" ####################################################################### # INPUT: Incoming traffic from various interfaces. All rulesets are # already flushed and set to a default policy of DROP. # # loopback interfaces are valid. # $IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT # local interface, local machines, going anywhere is valid # $IPTABLES -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT # remote interface, claiming to be local machines, IP spoofing, get lost # $IPTABLES -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j drop-and-log-it # external interface, from any source, for ICMP traffic is valid # # If you would like your machine to "ping" from the Internet, # enable this next line # $IPTABLES -A INPUT -i $EXTIF -p ICMP -s $UNIVERSE -d $EXTIP -j ACCEPT # remote interface, any source, going to permanent PPP address is valid # #$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -j ACCEPT # Allow any related traffic coming back to the MASQ server in # $IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state \ ESTABLISHED,RELATED -j ACCEPT # ----- Begin OPTIONAL INPUT Section ----- # # DHCPd - Enable the following lines if you run an INTERNAL DHCPd server # #$IPTABLES -A INPUT -i $INTIF -p tcp --sport 68 --dport 67 -j ACCEPT #$IPTABLES -A INPUT -i $INTIF -p udp --sport 68 --dport 67 -j ACCEPT # HTTPd - Enable the following lines if you run an EXTERNAL WWW server # # NOTE: This is NOT needed for simply enabling PORTFW. This is ONLY # for users that plan on running Apache on the MASQ server itself # #echo -e " - Allowing EXTERNAL access to the WWW server" #$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \ # -p tcp -s $UNIVERSE -d $EXTIP --dport 80 -j ACCEPT # #echo -e " - Allowing EXTERNAL access to the SSH server" #$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \ # -p tcp -s $UNIVERSE -d $EXTIP --dport 22 -j ACCEPT #echo -e " - Allowing EXTERNAL access to the SMTP server" #$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \ # -p tcp -s $UNIVERSE -d $EXTIP --dport 25 -j ACCEPT #echo -e " - Allowing EXTERNAL access to the POP3 server" #$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \ # -p tcp -s $UNIVERSE -d $EXTIP --dport 110 -j ACCEPT #echo -e " - Allowing EXTERNAL access to the FTP server" #$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \ # -p tcp -s $UNIVERSE -d $EXTIP --dport 21 -j ACCEPT # # ----- End OPTIONAL INPUT Section ----- # Catch all rule, all other incoming is denied and logged. # $IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it echo -e " - Loading OUTPUT rulesets" ####################################################################### # OUTPUT: Outgoing traffic from various interfaces. All rulesets are # already flushed and set to a default policy of DROP. # # loopback interface is valid. # $IPTABLES -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT # local interfaces, any source going to local net is valid # $IPTABLES -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT # local interface, any source going to local net is valid # $IPTABLES -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT # outgoing to local net on remote interface, stuffed routing, deny # $IPTABLES -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j drop-and-log-it # anything else outgoing on remote interface is valid # $IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT # ----- Begin OPTIONAL OUTPUT Section ----- # # DHCPd - Enable the following lines if you run an INTERNAL DHCPd server # - Remove BOTH #s all the #s if you need this functionality. # #$IPTABLES -A OUTPUT -o $INTIF -p tcp -s $INTIP --sport 67 \ # -d 255.255.255.255 --dport 68 -j ACCEPT #$IPTABLES -A OUTPUT -o $INTIF -p udp -s $INTIP --sport 67 \ # -d 255.255.255.255 --dport 68 -j ACCEPT # # ----- End OPTIONAL OUTPUT Section ----- # Catch all rule, all other outgoing is denied and logged. # $IPTABLES -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it echo -e " - Loading FORWARD rulesets" ####################################################################### # FORWARD: Enable Forwarding and thus IPMASQ # # ----- Begin OPTIONAL FORWARD Section ----- # # ----- End OPTIONAL FORWARD Section ----- echo " - FWD: Allow all connections OUT and only existing/related IN" $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED \ -j ACCEPT $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT # Catch all rule, all other forwarding is denied and logged. # $IPTABLES -A FORWARD -j drop-and-log-it #echo " - NAT: Enabling SNAT (MASQUERADE) functionality on $EXTIF" # #More liberal form $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE # #Stricter form #$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP #echo " - NAT: Enabling transparent proxy forwarding" #$IPTABLES -t nat -A PREROUTING -i $INTIF -d ! $INTIP -p tcp \ # --dport 80 -j REDIRECT --to-port 3128 ####################################################################### echo -e "\nDone.\n"

Обратите внимание на строки 76 и 77:

INTIF="eth0" EXTIF="eth1"

Допустим, компьютер имеет две сетевые платы, одна из них eth0 — это плата подключенная к локальной сети, а вторая, eth1 — это плата подключенная к ADSL-модему, т.е. к интернету.
Тогда строки 76 и 77 следует оставить как в вышеприведенном примере. Если интерфейсы имеют другие имена — их необходимо подредактировать в этих строках.
Больше скрипт нигде редактировать не нужно.

Запускаем скрипт, получаем различного рода диагностические сообщения и «done» в итоге.
На компьютерах в локальной сети, этот компьютер должен быть прописан в качестве gateway (в качестве шлюза).
ДНС-серверы (те, что в /etc/resolv.conf) проще всего прописать принадлежащие провайдеру.

Собственно все. Проверяем. Если интернет в локальной сети заработал — остается добавить скрипт rc.firewall в автозапуск. Как это проще сделать думайте сами — лично я просто прописал его в /etc/rc.local

Автор: Виктор Симон
www.man-linux.ru
Права копирования

Опубликовано 9 ноября 2008 - информация могла устареть.

Comments (0)

Комментариев нет »

No comments yet.

RSS feed for comments on this post.

Для отправки комментария вам необходимо авторизоваться.

man linux — заметки админа

9 ноября 2008

Разрешить доступ к интернет из локальной сети

Комментариев нет »

Leave a comment