( debtamas88 | 2023. 10. 03., k – 21:48 )

Szia!

Fent írták, kell még a FORWARD szabály is - anélkül nem fog menni:

-A FORWARD -s <ip> -j ACCEPT
-A FORWARD -d <ip> -j ACCEPT

Egy kis "hardening" - következőképpen nézne ki:
- Alapból nem engedünk át semmit, DROP default mindenütt ( filter tábla - INPUT/OUTPUT )
- Alapból nem engedünk át semmit, DROP default mindenütt ( filter tábla - FORWARD)
- "martian" IP-címeket (RFC 1812) szűrjük - a hibakeresést is segíti

A fentieket 2 helyen is be kell állítani
> iptables
> /etc/sysctl.conf

eth1: 			10.0.0.1/24
http-server: 	10.0.0.10/24	- (http-server-gw 10.0.0.1)
eth2: 			172.16.0.100/24
router-gw: 		172.16.0.1

webserver-redirect + NAT: 172.16.0.100:80 --> 10.0.0.10:80

(minta - iptables )

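*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
#
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
#
# Rule order matters in every chain below: the martian filters and the
# conntrack state checks must come BEFORE any ACCEPT, otherwise an early
# ACCEPT short-circuits everything after it (this was the case in the
# OUTPUT chain: "-s <own /24> ACCEPT" preceded the -d martian drops and
# the state rule, so neither was ever reached for eth1/eth2 traffic).
#
-A INPUT -i lo -j ACCEPT
# packets conntrack cannot classify are never a legitimate reply
-A INPUT -m state --state INVALID -j DROP
#
# eth1 #  (10.0.0.0/24 is directly connected here, hence 10/8 is not filtered)
-A INPUT -i eth1 -s 0.0.0.0/8 -j DROP
##-A INPUT -i eth1 -s 10.0.0.0/8 -j DROP
-A INPUT -i eth1 -s 100.64.0.0/10 -j DROP
-A INPUT -i eth1 -s 127.0.0.0/8 -j DROP
-A INPUT -i eth1 -s 169.254.0.0/16 -j DROP
-A INPUT -i eth1 -s 172.16.0.0/12 -j DROP
-A INPUT -i eth1 -s 192.168.0.0/16 -j DROP
#
-A INPUT -i eth1 -d 0.0.0.0/8 -j DROP
##-A INPUT -i eth1 -d 10.0.0.0/8 -j DROP
-A INPUT -i eth1 -d 100.64.0.0/10 -j DROP
-A INPUT -i eth1 -d 127.0.0.0/8 -j DROP
-A INPUT -i eth1 -d 169.254.0.0/16 -j DROP
-A INPUT -i eth1 -d 172.16.0.0/12 -j DROP
-A INPUT -i eth1 -d 192.168.0.0/16 -j DROP
#
##-A INPUT -i eth1 -j DROP
#
# eth2 #  (172.16.0.0/24 is directly connected here, hence 172.16/12 is not filtered)
-A INPUT -i eth2 -s 0.0.0.0/8 -j DROP
-A INPUT -i eth2 -s 10.0.0.0/8 -j DROP
-A INPUT -i eth2 -s 100.64.0.0/10 -j DROP
-A INPUT -i eth2 -s 127.0.0.0/8 -j DROP
-A INPUT -i eth2 -s 169.254.0.0/16 -j DROP
##-A INPUT -i eth2 -s 172.16.0.0/12 -j DROP
-A INPUT -i eth2 -s 192.168.0.0/16 -j DROP
#
-A INPUT -i eth2 -d 0.0.0.0/8 -j DROP
-A INPUT -i eth2 -d 10.0.0.0/8 -j DROP
-A INPUT -i eth2 -d 100.64.0.0/10 -j DROP
-A INPUT -i eth2 -d 127.0.0.0/8 -j DROP
-A INPUT -i eth2 -d 169.254.0.0/16 -j DROP
##-A INPUT -i eth2 -d 172.16.0.0/12 -j DROP
-A INPUT -i eth2 -d 192.168.0.0/16 -j DROP
#
##-A INPUT -i eth2 -j DROP
#
# eth1 - ssh #  (management only from the internal side)
#
-A INPUT -i eth1 -d 10.0.0.1 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
...
# eth2 #
#
...
#
# ICMP: echo reply/request and "fragmentation needed" (type 3 code 4) only;
# ICMP errors that belong to a tracked flow are matched as RELATED below.
-A INPUT -p icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp --icmp-type 3/4 -j ACCEPT
-A INPUT -p icmp -j DROP
# The former "-A INPUT --fragment -j ACCEPT" is deliberately gone: with
# conntrack (-m state) in use the kernel reassembles fragments before the
# filter table sees them, so the rule never matched, and without conntrack
# it would let non-first fragments bypass every port/state check above.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j DROP
#
# FORWARD #
#
# Anti-spoofing first: the web server can only be behind eth1, and nothing
# arriving on eth2 may claim a 10/8 source. (Loose rp_filter would not stop
# this, since 10.0.0.0/24 is reachable via *some* interface.)
-A FORWARD -i eth2 -s 10.0.0.0/8 -j DROP
-A FORWARD -i eth1 ! -s 10.0.0.0/24 -j DROP
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Published service: only what the nat PREROUTING DNAT actually rewrites
# (tcp/80 to 10.0.0.10) may open a new connection from eth2 towards eth1.
# A bare "-d 10.0.0.10 -j ACCEPT" would also admit every other port of the
# server to anyone who can route to it.
-A FORWARD -i eth2 -o eth1 -d 10.0.0.10 -p tcp --dport 80 -m state --state NEW -j ACCEPT
# Outbound from the web server (updates, DNS, ...); narrow this to the
# ports it really needs once they are known.
-A FORWARD -i eth1 -o eth2 -s 10.0.0.10 -m state --state NEW -j ACCEPT
-A FORWARD -j DROP
#
# OUTPUT #
#
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state INVALID -j DROP
#
# eth1 #
-A OUTPUT -o eth1 -s 0.0.0.0/8 -j DROP
-A OUTPUT -o eth1 -s 100.64.0.0/10 -j DROP
-A OUTPUT -o eth1 -s 127.0.0.0/8 -j DROP
-A OUTPUT -o eth1 -s 169.254.0.0/16 -j DROP
-A OUTPUT -o eth1 -s 172.16.0.0/12 -j DROP
-A OUTPUT -o eth1 -s 192.168.0.0/16 -j DROP
#
-A OUTPUT -o eth1 -d 0.0.0.0/8 -j DROP
-A OUTPUT -o eth1 -d 100.64.0.0/10 -j DROP
-A OUTPUT -o eth1 -d 127.0.0.0/8 -j DROP
-A OUTPUT -o eth1 -d 169.254.0.0/16 -j DROP
-A OUTPUT -o eth1 -d 172.16.0.0/12 -j DROP
-A OUTPUT -o eth1 -d 192.168.0.0/16 -j DROP
#
# Locally generated traffic on eth1 can only legitimately carry the router's
# own address and only reach the directly connected /24; the rest of 10/8
# therefore needs no separate DROP, it falls through to the catch-all.
-A OUTPUT -o eth1 -s 10.0.0.1 -d 10.0.0.0/24 -j ACCEPT
-A OUTPUT -o eth1 -j DROP
#
# eth2 #
-A OUTPUT -o eth2 -s 0.0.0.0/8 -j DROP
-A OUTPUT -o eth2 -s 10.0.0.0/8 -j DROP
-A OUTPUT -o eth2 -s 100.64.0.0/10 -j DROP
-A OUTPUT -o eth2 -s 127.0.0.0/8 -j DROP
-A OUTPUT -o eth2 -s 169.254.0.0/16 -j DROP
-A OUTPUT -o eth2 -s 192.168.0.0/16 -j DROP
#
-A OUTPUT -o eth2 -d 0.0.0.0/8 -j DROP
-A OUTPUT -o eth2 -d 10.0.0.0/8 -j DROP
-A OUTPUT -o eth2 -d 100.64.0.0/10 -j DROP
-A OUTPUT -o eth2 -d 127.0.0.0/8 -j DROP
-A OUTPUT -o eth2 -d 169.254.0.0/16 -j DROP
-A OUTPUT -o eth2 -d 192.168.0.0/16 -j DROP
#
# The uplink segment (incl. router-gw 172.16.0.1) is the one /24 out of
# 172.16/12 we may talk to; everything else in 172.16/12 is a martian here.
-A OUTPUT -o eth2 -s 172.16.0.100 -d 172.16.0.0/24 -j ACCEPT
-A OUTPUT -o eth2 -d 172.16.0.0/12 -j DROP
# default route goes via eth2, so any remaining non-martian destination is fine
-A OUTPUT -o eth2 -s 172.16.0.100 -j ACCEPT
-A OUTPUT -o eth2 -j DROP
#
# No unconditional "-m state --state NEW,... -j ACCEPT" tail any more: it
# would silently open OUTPUT on any interface added later (tun0, vlan, ...).
-A OUTPUT -j DROP
#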



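*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
#
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
#
# Published service: 172.16.0.100:80 -> 10.0.0.10:80. The port is spelled
# out so the mapping does not silently change if the rule is ever copied
# for another --dport. The rewritten packet still has to pass FORWARD
# (filter table), NAT alone does not let it through.
-A PREROUTING -i eth2 -d 172.16.0.100 -p tcp --dport 80 -j DNAT --to-destination 10.0.0.10:80
#
# eth2 has a static address, so SNAT is the right target; MASQUERADE is
# meant for dynamically assigned addresses and drops its conntrack entries
# whenever the interface goes down. Translate only the internal /24 - a
# bare "-o eth2 -j MASQUERADE" would hide the source of *anything* that
# gets forwarded, including spoofed packets, behind 172.16.0.100.
-A POSTROUTING -o eth2 -s 10.0.0.0/24 -j SNAT --to-source 172.16.0.100
#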

 

(minta - sysctl)

/etc/sysctl.conf

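#
# GLOBAL #
#
# Order matters in this file: ip_forward=1 switches forwarding on for every
# interface, conf.all.forwarding=0 further down switches it off again
# everywhere, and the per-interface lines at the end re-enable it only on
# eth1/eth2. Keep that sequence when editing.
net.ipv4.ip_forward = 1
net.ipv4.ip_no_pmtu_disc = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_rfc1337 = 1
net.ipv4.ip_local_port_range = 32768 65535
# A router/NAT box has no reason to bind sockets to addresses it does not
# own; leaving this on would let a local process send with a foreign source
# address and defeat the -s checks in the OUTPUT chain.
net.ipv4.ip_nonlocal_bind = 0
#
net.ipv4.conf.all.forwarding = 0
# mc_forwarding is a read-only sysctl (it reports whether a multicast
# routing daemon is active); writing it only makes "sysctl -p" print an
# error, so the entries are kept here commented out for reference.
##net.ipv4.conf.all.mc_forwarding = 0
# Strict reverse-path filtering (1): each interface carries exactly one
# directly connected subnet, so a packet arriving on eth2 with a 10.0.0.0/24
# source (or on eth1 with a 172.16.0.0/24 source) is dropped by the kernel.
# Loose mode (2) only checks that the source is reachable via *some*
# interface and would let such spoofed packets through. The effective value
# per interface is the larger of conf.all and conf.<if>, so all three are
# set to 1.
net.ipv4.conf.all.rp_filter = 1
# Log what rp_filter / the martian checks drop - this is the "debug" part.
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.all.arp_filter = 1
net.ipv4.conf.all.proxy_arp = 0
net.ipv4.conf.all.proxy_arp_pvlan = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
# secure_redirects has no effect while accept_redirects=0; kept so that it
# is already the safe value if redirects are ever turned back on.
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.all.accept_source_route = 0
#
net.ipv4.conf.default.forwarding = 0
##net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.default.arp_filter = 1
net.ipv4.conf.default.proxy_arp = 0
net.ipv4.conf.default.proxy_arp_pvlan = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 1
net.ipv4.conf.default.accept_source_route = 0
#
#
# INTERFACES #
#
net.ipv4.conf.eth1.forwarding = 1
##net.ipv4.conf.eth1.mc_forwarding = 1
net.ipv4.conf.eth1.rp_filter = 1
net.ipv4.conf.eth1.log_martians = 1
net.ipv4.conf.eth1.arp_filter = 1
net.ipv4.conf.eth1.proxy_arp = 0
net.ipv4.conf.eth1.proxy_arp_pvlan = 0
net.ipv4.conf.eth1.send_redirects = 0
net.ipv4.conf.eth1.accept_redirects = 0
net.ipv4.conf.eth1.secure_redirects = 1
net.ipv4.conf.eth1.accept_source_route = 0
#
net.ipv4.conf.eth2.forwarding = 1
##net.ipv4.conf.eth2.mc_forwarding = 1
net.ipv4.conf.eth2.rp_filter = 1
net.ipv4.conf.eth2.log_martians = 1
net.ipv4.conf.eth2.arp_filter = 1
net.ipv4.conf.eth2.proxy_arp = 0
net.ipv4.conf.eth2.proxy_arp_pvlan = 0
net.ipv4.conf.eth2.send_redirects = 0
net.ipv4.conf.eth2.accept_redirects = 0
net.ipv4.conf.eth2.secure_redirects = 1
net.ipv4.conf.eth2.accept_source_route = 0
#
#
#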