CCNP
Hastighetsproblem efter byte till iptables.
#!/bin/bash
# Configuration
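IPTABLES="/sbin/iptables"
NET_IFACE="eth2"    # external (Internet-facing) interface
LOCAL_IFACE="eth3"  # internal LAN interface
EXTIF="$NET_IFACE"
INTIF="$LOCAL_IFACE"

# Discover the IPv4 address of EXTIF; it is used as the DNAT match address.
# Prefer iproute2 ("ip"), fall back to net-tools ("ifconfig"). The sed
# pattern accepts both the old "inet addr:x.x.x.x" and the newer "inet x.x.x.x"
# ifconfig output formats. EXTIP stays empty if neither tool yields an address.
EXTIP=""
if command -v ip >/dev/null 2>&1; then
  EXTIP="$(ip -4 -o addr show dev "$EXTIF" 2>/dev/null | awk '{print $4}' | cut -d/ -f1 | head -n 1)"
fi
if [ -z "$EXTIP" ] && command -v ifconfig >/dev/null 2>&1; then
  EXTIP="$(ifconfig "$EXTIF" 2>/dev/null | sed -n 's/.*inet \(addr:\)\{0,1\}\([0-9.]*\).*/\2/p' | head -n 1)"
fi

INTIP="192.168.0.1"
LO_IFACE="lo"
DO_NAT="TRUE"       # "TRUE" enables MASQUERADE of 192.168.0.0/24 in fw_start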
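#######################################
# Log (rate-limited) and drop TCP packets whose flag combination matches.
# Globals:   IPTABLES, NET_IFACE (read)
# Arguments: $1 - flag mask, $2 - flags that must be set, $3 - syslog level,
#            $4 - log prefix
#######################################
_fw_log_drop_flags() {
  local mask="$1" comp="$2" level="$3" prefix="$4"
  "$IPTABLES" -A INPUT -p tcp -i "$NET_IFACE" --tcp-flags "$mask" "$comp" \
    -m limit --limit 5/minute -j LOG --log-level "$level" --log-prefix "$prefix"
  "$IPTABLES" -A INPUT -p tcp -i "$NET_IFACE" --tcp-flags "$mask" "$comp" -j DROP
}

#######################################
# Forward one external port (or range) to a LAN host: FORWARD accept + DNAT.
# Globals:   IPTABLES, EXTIF, INTIF, EXTIP (read)
# Arguments: $1 - protocol (tcp/udp), $2 - destination port or a:b range,
#            $3 - DNAT target ("host:port" or "host:a-b")
#######################################
_fw_dnat_to_lan() {
  local proto="$1" dport="$2" to="$3"
  "$IPTABLES" -A FORWARD -i "$EXTIF" -o "$INTIF" -p "$proto" --dport "$dport" \
    -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  "$IPTABLES" -A PREROUTING -t nat -p "$proto" -d "$EXTIP" --dport "$dport" \
    -j DNAT --to "$to"
}

#######################################
# Apply kernel tuning and load the complete rule set.
# Globals:   IPTABLES, NET_IFACE, LOCAL_IFACE, EXTIF, INTIF, EXTIP, LO_IFACE,
#            DO_NAT (all read)
# Arguments: none
# Outputs:   progress messages on stdout, warnings on stderr
# Returns:   status of the last iptables call
#######################################
fw_start() {
  # Host that receives the DNAT'ed ports below.
  # NOTE(review): the progress message says 192.168.0.250 while every rule
  # forwarded to 192.168.0.2 — confirm which address is intended.
  local dnat_host="192.168.0.2"
  local r

  echo "Starting Firewall"
  echo "SYSCTL, performance tuning"
  echo 1 > /proc/sys/net/ipv4/ip_forward                  # route between EXTIF and INTIF
  echo 1 > /proc/sys/net/ipv4/ip_dynaddr                  # rewrite address on dynamic-IP links
  echo 1 > /proc/sys/net/ipv4/tcp_syncookies              # SYN-flood protection (original set 0, which disabled it)
  echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts # no reply to broadcast pings (smurf amplification)
  echo 1 > /proc/sys/net/ipv4/conf/all/log_martians       # log spoofed / impossible source addresses
  echo 1 > /proc/sys/net/ipv4/tcp_timestamps              # PAWS / RTT measurement on fast links
  echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects   # ignore ICMP redirects
  echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route # drop source-routed packets (original set 1, which accepted them)
  echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses # do not log bogus ICMP errors
  for r in /proc/sys/net/ipv4/conf/*/rp_filter; do        # reverse-path filter (Debian default)
    echo 1 > "$r"
  done

  # Allow 'legal' traffic and drop all other:
  echo "Creating incomming traffic rules"
  "$IPTABLES" -A INPUT -p all -i "$LO_IFACE" -j ACCEPT
  "$IPTABLES" -P INPUT DROP
  "$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  if [ -n "$LOCAL_IFACE" ]; then
    echo "Allowing ALL traffic on ${LOCAL_IFACE}."
    "$IPTABLES" -A INPUT -p all -i "$LOCAL_IFACE" -j ACCEPT
  fi

  # Bogus TCP flag combinations are logged and dropped. These rules must be
  # evaluated BEFORE the per-port ACCEPT rules; appended after them (as the
  # original did) a crafted packet to an open port is accepted first and
  # never reaches the log/drop pair.
  echo "Creating Anti-Portscan rules"
  _fw_log_drop_flags ALL FIN,URG,PSH alert "NMAP-XMAS:"
  _fw_log_drop_flags ALL ALL 1 "XMAS:"
  _fw_log_drop_flags ALL SYN,RST,ACK,FIN,URG 1 "XMAS-PSH:"
  _fw_log_drop_flags ALL NONE 1 "NULL_SCAN:"
  _fw_log_drop_flags SYN,RST SYN,RST 5 "SYN/RST:"
  _fw_log_drop_flags SYN,FIN SYN,FIN 5 "SYN/FIN:"

  echo "Creating IPv6 tunnel rules"
  "$IPTABLES" -A INPUT -p 41 -j ACCEPT   # 6in4 encapsulation, any interface
  "$IPTABLES" -A OUTPUT -p 41 -j ACCEPT
  echo "Creating ICMP traffic rules"
  "$IPTABLES" -A INPUT -p icmp -j ACCEPT

  # Allow TCP/UDP traffic on some ports:
  echo "Creating general TCP/UDP traffic rules"
  echo " ... blabla"
  "$IPTABLES" -A INPUT -p tcp -i "$NET_IFACE" --dport 22 -j ACCEPT
  "$IPTABLES" -A INPUT -p tcp -i "$NET_IFACE" --dport 80 -j ACCEPT
  "$IPTABLES" -A INPUT -p tcp -i "$NET_IFACE" --dport 113 -j ACCEPT
  "$IPTABLES" -A INPUT -p tcp -i "$NET_IFACE" --dport 3784:3786 -j ACCEPT
  "$IPTABLES" -A INPUT -p udp -i "$NET_IFACE" --dport 3784:3786 -j ACCEPT
  "$IPTABLES" -A INPUT -p tcp -i "$NET_IFACE" --dport 2500:2600 -j ACCEPT

  echo " ... blabla -> 192.168.0.250"
  if [ -z "$EXTIP" ]; then
    # An empty address would make every "-d" rule below fail with an iptables
    # error; report it once instead.
    echo "warning: no IPv4 address found on ${EXTIF}; skipping DNAT rules" >&2
  else
    _fw_dnat_to_lan tcp 21       "${dnat_host}:21"
    _fw_dnat_to_lan tcp 200:2400 "${dnat_host}:200-2400"
    _fw_dnat_to_lan tcp 18710    "${dnat_host}:18710"
    _fw_dnat_to_lan tcp 3389     "${dnat_host}:3389"
    _fw_dnat_to_lan udp 18710    "${dnat_host}:18710"
    _fw_dnat_to_lan udp 21       "${dnat_host}:21"
    _fw_dnat_to_lan tcp 20       "${dnat_host}:20"
    _fw_dnat_to_lan udp 20       "${dnat_host}:20"
  fi

  if [ "$DO_NAT" = "TRUE" ]; then
    echo "Creating NAT/MASQUERADE rules"
    "$IPTABLES" -P FORWARD DROP
    "$IPTABLES" -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE
    # Inserted at position 1 so packets of existing connections match on the
    # first FORWARD rule instead of traversing every DNAT rule above.
    "$IPTABLES" -I FORWARD 1 -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPTABLES" -A FORWARD -s 192.168.0.0/24 -j ACCEPT
  fi
}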
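#######################################
# Remove every rule and open all default policies.
# Globals:   IPTABLES (read)
# Arguments: none
# Outputs:   progress messages on stdout
# Returns:   status of the last iptables call
#######################################
fw_stop() {
  echo "Stopping firewall"
  echo "Flushing all firewall rules"
  # Flush both tables before deleting user chains: -X fails on non-empty
  # chains, and the nat table needs its own -X (the original only did -F there).
  "$IPTABLES" -F
  "$IPTABLES" -t nat -F
  "$IPTABLES" -X
  "$IPTABLES" -t nat -X
  echo "Change the default rule to ACCEPT"
  "$IPTABLES" -P FORWARD ACCEPT
  "$IPTABLES" -P INPUT ACCEPT
  "$IPTABLES" -P OUTPUT ACCEPT
}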
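#######################################
# Emergency mode: deny everything except loopback and one management interface.
# Globals:   IPTABLES (read); PANIC_IFACE (read, optional) - interface that
#            stays open, defaults to eth1 as in the original script
# Arguments: none
# Outputs:   banner on stdout
# Returns:   status of the last iptables call
#######################################
fw_panic() {
  # NOTE(review): the original hard-coded eth1 here although the rest of the
  # script uses eth2/eth3 (NET_IFACE/LOCAL_IFACE) — confirm eth1 is really the
  # management interface. The default is kept; override with PANIC_IFACE=...
  local panic_iface="${PANIC_IFACE:-eth1}"

  echo "SETTING PANIC RULES! (Our only policy: deny everything!)"
  # Policies go to DROP before flushing so there is no window in which the
  # tables are empty while the policies are still ACCEPT.
  "$IPTABLES" -P FORWARD DROP
  "$IPTABLES" -P INPUT DROP
  "$IPTABLES" -P OUTPUT DROP
  "$IPTABLES" -F
  "$IPTABLES" -t nat -F
  "$IPTABLES" -X
  "$IPTABLES" -A INPUT -i lo -j ACCEPT
  "$IPTABLES" -A OUTPUT -o lo -j ACCEPT
  "$IPTABLES" -A INPUT -i "$panic_iface" -j ACCEPT
  "$IPTABLES" -A OUTPUT -o "$panic_iface" -j ACCEPT
}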
#######################################
# Print the filter and nat tables with counters and rule numbers.
# Globals:   IPTABLES (read)
# Arguments: none
# Outputs:   iptables listings on stdout
#######################################
fw_status() {
  local list_opts="-L -n -v --line-numbers"
  echo "Status"
  # shellcheck disable=SC2086 — list_opts is a fixed, space-separated option set
  "$IPTABLES" $list_opts
  echo "NAT status"
  # shellcheck disable=SC2086
  "$IPTABLES" $list_opts -t nat
}
#######################################
# Tear the rule set down and load it again.
# Arguments: none
# Returns:   status of fw_start
#######################################
fw_restart() {
  fw_stop && :   # stop never blocks the restart; fw_start decides the status
  fw_start
}
#######################################
# Print the list of sub-commands, one per line, prefixed by the script name.
# Arguments: none
# Outputs:   usage text on stdout
#######################################
fw_help() {
  local cmd
  printf '%s\n' "Commands for firewall"
  for cmd in \
    "start - Start the firewall." \
    "stop - Stopping the firewall." \
    "status - View firewall status." \
    "restart - Restart the firewall." \
    "help - Read this again." \
    "panic - Block ALL traffic!"; do
    printf '%s %s\n' "$0" "$cmd"
  done
}
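# Dispatch on the first argument. An unknown or missing command prints the
# usage line on stderr and exits non-zero so init scripts and callers notice
# (the original returned 0 here).
case "$1" in
  start)   fw_start ;;
  stop)    fw_stop ;;
  restart) fw_restart ;;
  panic)   fw_panic ;;
  status)  fw_status ;;
  help)    fw_help ;;
  *)
    echo "usage $0 start|stop|restart|panic|status|help" >&2
    exit 1
    ;;
esac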