Autor Téma: IPtables  (Přečteno 2793 krát)

noahx5

IPtables
« kdy: 27 Července 2006, 13:23:21 »
Zdravim, chcem sa spytat. Do nedavna som pouzival linuxovy router pod Fedorou 4. Teraz som presiel na UBUNTU. Vsetko je super nastavenia perfektne, len mal som jeden script ktory som pouzival ako FW a Shaper. Teraz vsak nefunguje. Ak by niekto vedel ako ho opravit aby siel bol by som velmi povdacny. Tu je ten script:
********************************
#!/bin/sh
# new_fw.sh - skript na nastavenie novych pravidiel pre firewall
#             NASTAVUJE NOVE PRAVIDLA V /etc/sysconfig/iptables
#             na pracu s firewallom sa pouziva 'service iptables'
#
#             31032004: created by kongo & zoliq


## eth2 - LAN siet pripojena na ilm
## eth0 - spojenie na providera internetu
## pripojenie cez WiFi

# Switch the default route to the new uplink gateway.  Both addresses are
# hard-coded for this installation; neither command's exit status is checked,
# so a failure here is silent and the rest of the script still runs.
route del default gw 192.168.2.1
route add default gw 192.168.3.1

# Path to the iptables binary used by set_new_firewall()
IPT="/sbin/iptables"
###########################
### NEW FIREWALL
###########################


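#######################################
# Installs the complete firewall ruleset.
# Globals:   IPT (read) - path to the iptables binary
# Arguments: none
# Outputs:   iptables diagnostics on stderr/stdout
# Returns:   status of the last iptables call (nothing is checked here)
#
# Order matters: the DROP policies are set first, so if the function is
# interrupted half-way the host is left closed (fail-closed) rather than open.
#######################################
set_new_firewall() {
   ### Start from an empty ruleset so the function can be run repeatedly.
   ### Without this, a second run (or a run on a system where
   ### 'service iptables stop' does not exist) fails on the '-N' calls below
   ### and appends every rule a second time.  The mangle table is flushed as
   ### well because the shaper part of this script appends its MARK rules there.
   ${IPT} -F
   ${IPT} -X
   ${IPT} -t nat -F
   ${IPT} -t nat -X
   ${IPT} -t mangle -F
   ${IPT} -t mangle -X

   ### Default policies for INPUT, OUTPUT and FORWARD
   # !!! drop ALL packets by default; what may pass is whitelisted below.
   # Between this point and the in_pstate rules at the end of the function
   # incoming packets are dropped; already established sessions recover once
   # the ESTABLISHED,RELATED rule is appended.
   ${IPT} -P INPUT DROP
   ${IPT} -P OUTPUT DROP
   ${IPT} -P FORWARD DROP

   ### User-defined chains
   # chain that admits packets in state NEW,ESTABLISHED,RELATED
   ${IPT} -N in_pstate
   # chain to which the shaper script appends its per-user rules
   # (per-user bandwidth, ports, MAC)
   ${IPT} -N fwd_shape
   # chain blocking packets from the internal network leaking to the internet
   ${IPT} -N dst_spoof
   # chain blocking packets with bogus source addresses arriving from the internet
   ${IPT} -N src_spoof
   # ping network broadcast blocking chain
#   ${IPT} -N smurf


   # allow traffic via loopback
   ${IPT} -A INPUT -i lo -j ACCEPT
   ${IPT} -A OUTPUT -o lo -j ACCEPT
   ${IPT} -A FORWARD -i lo -o lo -j ACCEPT

   # P2P blocking (disabled)
#   PROTOCOLS="fasttrack gnutella edonkey dc openft"
#   for proto in $PROTOCOLS; do
#      iptables -A FORWARD -m p2p --p2p $proto
#   done

   ### Dispatch packets to the user-defined chains
   # first discard packets that have no business on the internet
   ${IPT} -A OUTPUT -o eth0 -j dst_spoof
   ${IPT} -A INPUT -i eth0 -j src_spoof
   ${IPT} -A FORWARD -o eth0 -j dst_spoof
   ${IPT} -A FORWARD -i eth0 -j src_spoof

   # SYN flood & portscan protection (disabled)
#   ${IPT} -A INPUT -m recent --rttl --update --seconds 300 -j DROP
#   ${IPT} -A INPUT -p tcp --syn -m limit --limit 1/s \
#      --limit-burst 100 -j in_pstate
#   ${IPT} -A INPUT -p tcp --syn -m recent --set -j DROP

   # broadcast ping protection (disabled)
#   ${IPT} -A FORWARD -p icmp -j smurf
#   ${IPT} -A INPUT -p icmp -j smurf
#   ${IPT} -A FORWARD -p icmp --icmp-type any -o eth0 -j ACCEPT
#   ${IPT} -A INPUT -p icmp --icmp-type any -j ACCEPT

   # Everything addressed to the router goes through in_pstate, everything
   # forwarded goes through fwd_shape (filled per user by the shaper).  A
   # packet not accepted in those chains returns here, finds no further rule
   # and hits the DROP policy.
   ${IPT} -A INPUT -p all -j in_pstate
   ${IPT} -A FORWARD -p all -j fwd_shape

   # Locally originated traffic may leave unconditionally (the dst_spoof
   # jump above already ran for eth0).
   ${IPT} -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
   ${IPT} -A OUTPUT -m state --state NEW -j ACCEPT
   ${IPT} -A OUTPUT -o eth2 -j ACCEPT

   # Allow forwarding from eth2 to eth0 for everyone (ALL of it !!!) -- kept
   # disabled so that only hosts registered by the shaper (IP + MAC) may forward
#   ${IPT} -A fwd_shape -m state --state ESTABLISHED,RELATED -j ACCEPT
#   ${IPT} -A fwd_shape -m state --state NEW -j ACCEPT

   # PREROUTING -- hand a router port to a host on the LAN (port forward through NAT)
   #iptables -t nat -I PREROUTING -p tcp -d 213.215.73.74 --dport 11000 -j DNAT --to 10.49.1.5:22


######## CHAINS ##########
   ### dst_spoof chain
   # IP spoofing protection at output of eth0
   # eth0 - never send packets for local/private ranges towards the internet.
   # 192.168.0.0/16 is left out (see the commented rules): the uplink gateway
   # configured at the top of this script is itself a 192.168.x address.
   ${IPT} -A dst_spoof -d 0.0.0.0/32 -j DROP
   ${IPT} -A dst_spoof -d 10.0.0.0/8 -j DROP
   ${IPT} -A dst_spoof -d 127.0.0.0/8 -j DROP
   ${IPT} -A dst_spoof -d 172.16.0.0/12 -j DROP
#   ${IPT} -A dst_spoof -d 192.168.1.0/24 -j DROP
#   ${IPT} -A dst_spoof -d 192.168.10.0/24 -j ACCEPT
#   ${IPT} -A dst_spoof -d 192.168.0.0/16 -j DROP

   ### src_spoof chain
   # IP spoofing protection at input of eth0
   # NOTE(review): 192.168.0.0/16 cannot be dropped here for the same reason
   # as above; link-local (169.254.0.0/16) and multicast ranges are not
   # covered by this list either.
#   ${IPT} -A src_spoof -s 192.168.0.0/16 -j DROP
   ${IPT} -A src_spoof -s 172.16.0.0/12 -j DROP
   ${IPT} -A src_spoof -s 127.0.0.0/8 -j DROP
   ${IPT} -A src_spoof -s 10.0.0.0/8 -j DROP
   ${IPT} -A src_spoof -s 0.0.0.0/32 -j DROP

   ### smurf chain
   # icmp smurf (disabled)
#   ${IPT} -A smurf -d 192.168.1.255 -j DROP
#   ${IPT} -A smurf -d 158.193.254.255 -j DROP

   ### in_pstate chain
   # services reachable from any interface: ssh,smtp,named,http,https,smtps
   # (tcp only -- udp/53 for named is not opened by this rule)
   accept_tcp_ports="22,25,53,80,443,465"
   # allow packets belonging to already established connections
   ${IPT} -A in_pstate -m state --state ESTABLISHED,RELATED -j ACCEPT
   # allow new connections from the LAN side (eth2); loopback was handled above
   ${IPT} -A in_pstate -m state --state NEW -i eth2 -j ACCEPT
   # allow new connections to the listed tcp ports, eth0 included
   ${IPT} -A in_pstate -p tcp -m state --state NEW \
      -m multiport --dports "$accept_tcp_ports" -j ACCEPT

   # NAT -- MASQUERADE the LAN (192.168.1.0/24) behind eth0
   ${IPT} -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE

}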


##########################################################################
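##########################################################################
# Apply the new ruleset.  'service iptables stop|save|restart' is a wrapper
# around the distribution's /etc/init.d/iptables script (Fedora/RHEL style);
# where that script does not exist (reported for Ubuntu in this thread) every
# one of those calls fails.  In that case flush the tables here so
# set_new_firewall() starts from a clean state, and leave persistence to the
# mechanism the local system provides.
echo
if [ -x /etc/init.d/iptables ]; then
   echo ">> Stoping current firewall..."
   /sbin/service iptables stop
else
   echo ">> No /etc/init.d/iptables found, flushing current rules directly..."
   ${IPT} -F
   ${IPT} -X
   ${IPT} -t nat -F
   ${IPT} -t nat -X
   ${IPT} -t mangle -F
   ${IPT} -t mangle -X
fi
echo
echo ">> Setting new firewall rules for /etc/sysconfig/iptables..."
set_new_firewall
if [ -x /etc/init.d/iptables ]; then
   echo
   echo ">> Saving new firewall rules..."
   /sbin/service iptables save
   echo
   echo ">> Applying new firewall rules..."
   /sbin/service iptables restart
else
   echo
   echo ">> Rules are active; use iptables-save to persist them on this system."
fi
#/sbin/service iptables stop
#
# shaper.sh -  dynamic traffic shaper based on htb scheduler
#              created by kongo, modified by zoliq
#

# The original script issued a second 'service iptables restart' here; it
# only reloaded the rules saved above, so the restart above covers it.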

############################ ZAKLADNE NASTAVENIA ##############################
#default gateway
#route add -net 0.0.0.0 netmask 0.0.0.0 gw 192.168.10.2
# Ethernet zariadenia
# eth2 - LAN siet pripojena na router
# eth2 faces the LAN (router side), eth0 faces the internet provider
landev=eth2
wandev=eth0
# unit suffix appended to every rate handed to tc
speedin=kbit
# running total maintained by chk_bandwidth()
added_bw=0
# first per-user class id; bumped after every user that is added
class=11
# hour thresholds at which the shaper switches rule sets.  Hours run 00-23,
# so with day_t=70 the DAY branch of the main section is never taken; the
# original author's remark on both values suggests this is deliberate.
night_t=180
day_t=70
# log file written by echolog()
logfile=/var/log/shaper
# binaries
TC="/sbin/tc"
IPTABLES="/sbin/iptables"


####### NASTAVENIE RYCHLOSTI #######
# Jednotky, v akych sa beru rychlosti sa nastavuju vyssie
### DAY limity ###
# Rychlost celej linky
# whole link
day_dnspeed=512
day_upspeed=512
# per user download: guaranteed minimum / maximum
day_dminspeed=5        # earlier value per the original comment: 25
day_dmaxspeed=512
# per user upload: guaranteed minimum / maximum
day_uminspeed=5
day_umaxspeed=512

### NIGHT limits ###
# whole link
night_dnspeed=512      # earlier value per the original comment: 4096
night_upspeed=512
# per user download: guaranteed minimum / maximum
night_dminspeed=10     # earlier value per the original comment: 96
night_dmaxspeed=160    # earlier value per the original comment: 2048
# per user upload: guaranteed minimum / maximum
night_uminspeed=10
night_umaxspeed=160
###############################################################################

# vypise spravu do logu aj na terminal
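# Writes a message both to the log file and to the terminal.
# Arguments: the message words; they are joined with single spaces
# Globals:   logfile (read) - file the message is appended to
# printf is used instead of echo so that a message starting with "-n" or
# containing backslashes or glob characters is written exactly as given.
echolog() {
    printf '%s\n' "$*" >>"${logfile}"
    printf '%s\n' "$*"
}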

# Nastavenie konfiguracie rychlosti (podla prveho parametra)
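# Selects the speed configuration named by the first parameter.
# Arguments: $1 - "DAY" selects the day_* values; any other value, including
#                 an empty one, selects the night_* values
# Globals written: dnspeed dminspeed dmaxspeed upspeed uminspeed umaxspeed
# The parameter is quoted so an empty argument does not turn into a
# malformed test expression.
select_speedconf() {
    if [ "${1}" = "DAY" ]
    then
   dnspeed=${day_dnspeed}
   dminspeed=${day_dminspeed}
   dmaxspeed=${day_dmaxspeed}
   upspeed=${day_upspeed}
   uminspeed=${day_uminspeed}
   umaxspeed=${day_umaxspeed}
    else
   dnspeed=${night_dnspeed}
   dminspeed=${night_dminspeed}
   dmaxspeed=${night_dmaxspeed}
   upspeed=${night_upspeed}
   uminspeed=${night_uminspeed}
   umaxspeed=${night_umaxspeed}
    fi
}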

# kontroluje, ci nahodou nepridelujeme vacsi bandwidth ako je celkova linka
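# Checks that the guaranteed bandwidth handed out so far does not exceed the
# capacity of the link.
# Arguments: $1 - guaranteed (minimum) rate of the user being added
#            $2 - maximum rate of the user being added
# Globals:   added_bw (read/written) - running sum of $1 over all users
#            dnspeed (read)          - total download capacity
# Exits the whole script with 253 (sum too large) or 252 ($2 too large).
# Only the download capacity is validated; upload rates are not checked here.
chk_bandwidth() {
    # add this user's guaranteed share to the running total
    # ($(( )) replaces the bash-only $[ ] form; missing arguments count as 0)
    added_bw=$((added_bw + ${1:-0}))
    if [ "$added_bw" -gt "$dnspeed" ]; then
   echolog "chk_bandwidth(): Velkost pridelenych pasiem presahuje kapacitu linky!"
   exit 253
    fi
    if [ "${2:-0}" -gt "$dnspeed" ]; then
   echolog "chk_bandwidth(): Maximalna velkost pasma presahuje kapacitu linky!"
   exit 252
    fi
}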

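# Creates the tc classes/filters and the iptables MARK and forward rules for
# one user, in both directions.
# Reads (set by the caller): user_ip user_mac user_dev user_wdev user_class
#                            user_dnmin user_dnmax user_upmin user_upmax
# Globals read: TC IPTABLES speedin logfile
# Outputs:  a summary line via echolog()
# Exits via chk_bandwidth() when the rates exceed the link capacity.
# Redirections are written '2>&1 >>file': stdout goes to the log while
# stderr stays on the terminal, so tc/iptables errors remain visible.
add_userband() {
   burst_size="5k"
   quantum_size="1500"
   perturbation="10"

    chk_bandwidth "${user_dnmin}" "${user_dnmax}"

    # DOWNLOAD -- traffic to the user is shaped on the LAN device
    ${TC} class add dev "$user_dev" parent 1:1 classid "1:$user_class" htb \
   rate "${user_dnmin}${speedin}" ceil "${user_dnmax}${speedin}" \
   burst "$burst_size" quantum "$quantum_size" 2>&1 >>"${logfile}"
    ${TC} qdisc add dev "$user_dev" parent "1:$user_class" handle "${user_class}:0" \
   sfq perturb "$perturbation" 2>&1 >>"${logfile}"
    ${TC} filter add dev "$user_dev" parent 1:0 protocol ip \
   handle "$user_class" fw flowid "1:$user_class" 2>&1 >>"${logfile}"
    # packets destined to the user carry the class id as firewall mark
    ${IPTABLES} -t mangle -A FORWARD -d "${user_ip}/32" \
   -j MARK --set-mark "$user_class" 2>&1 >>"${logfile}"

    # UPLOAD -- traffic from the user is shaped on the WAN device
    ${TC} class add dev "$user_wdev" parent 1:1 classid "1:$user_class" htb \
   rate "${user_upmin}${speedin}" ceil "${user_upmax}${speedin}" \
   burst "$burst_size" quantum "$quantum_size" 2>&1 >>"${logfile}"
    ${TC} qdisc add dev "$user_wdev" parent "1:$user_class" handle "${user_class}:0" \
   sfq perturb "$perturbation" 2>&1 >>"${logfile}"
    ${TC} filter add dev "$user_wdev" parent 1:0 protocol ip \
   handle "$user_class" fw flowid "1:$user_class" 2>&1 >>"${logfile}"
    ${IPTABLES} -t mangle -A FORWARD -s "${user_ip}/32" \
   -j MARK --set-mark "$user_class" 2>&1 >>"${logfile}"

    # chain fwd_shape is created by the firewall script
    # packets from the user are accepted only when the source MAC matches
    # the one registered for this IP (a MAC is trivially changed, so this is
    # an accounting control rather than strong authentication)
    ${IPTABLES} -A fwd_shape -i "$user_dev" -o "$user_wdev" -s "$user_ip" \
        -m mac --mac-source "$user_mac" -j ACCEPT 2>&1 >>"${logfile}"
    # replies for connections the user already opened
    ${IPTABLES} -A fwd_shape -i "$user_wdev" -o "$user_dev" -d "$user_ip" \
   -m state --state ESTABLISHED,RELATED -j ACCEPT 2>&1 >>"${logfile}"

    echolog "$user_class >> $user_ip $user_mac $user_dev ${user_dnmin}${speedin} ${user_dnmax}${speedin} ${user_upmin}${speedin} ${user_upmax}${speedin}"
}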

# prida pasmo pre juzera s preddefinovanymi rychlostami
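# Adds a band for a user with the predefined (DAY/NIGHT) rates.
# Arguments: $1 - user IP, $2 - user MAC
# Globals read:    class landev wandev dminspeed dmaxspeed uminspeed umaxspeed
# Globals written: user_* (consumed by add_userband), class (incremented)
add_band() {
    user_ip=$1
    user_mac=$2
    user_class=$class
    user_dev=$landev
    user_wdev=$wandev
    user_dnmin=$dminspeed
    user_dnmax=$dmaxspeed
    user_upmin=$uminspeed
    user_upmax=$umaxspeed
    add_userband
    # next user gets the next class id ($(( )) replaces the bash-only $[ ])
    class=$((class + 1))
}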

# prida pasmo juzerovi s inymi rychlostami (podla parametrov)
# toto treba pouzit ked treba niekoho obmedzit viac/menej
# potrebuje 8 parametrov v poradi:
# ip, mac, landev, wandev, dnmin, dnmax, upmin, upmax
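# Adds a band for a user with explicit rates (used to limit someone more or
# less than the defaults).
# Arguments, in order: ip mac landev wandev dnmin dnmax upmin upmax
# Globals read:    class
# Globals written: user_* (consumed by add_userband), class (incremented)
add_bandspecific() {
    user_ip=$1
    user_mac=$2
    user_dev=$3
    user_wdev=$4
    user_dnmin=$5
    user_dnmax=$6
    user_upmin=$7
    user_upmax=$8
    user_class=$class
    add_userband
    # next user gets the next class id ($(( )) replaces the bash-only $[ ])
    class=$((class + 1))
}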

# ip, mac, landev, wandev, class
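# Attaches a host to an already existing class id: marks its traffic both
# ways and allows it through fwd_shape.  No tc objects are created and
# chk_bandwidth() is not consulted, so $5 is presumably a class id created
# earlier by add_userband.
# Arguments, in order: ip mac landev wandev class
# Globals read: IPTABLES logfile
add_to_class() {
    user_ip=$1
    user_mac=$2
    user_dev=$3
    user_wdev=$4
    user_class=$5

    #down
    ${IPTABLES} -t mangle -A FORWARD -d "${user_ip}/32" \
   -j MARK --set-mark "$user_class" 2>&1 >>"${logfile}"
    #up
    ${IPTABLES} -t mangle -A FORWARD -s "${user_ip}/32" \
   -j MARK --set-mark "$user_class" 2>&1 >>"${logfile}"
    #allow traffic (source MAC must match the registered one)
    ${IPTABLES} -A fwd_shape -i "$user_dev" -o "$user_wdev" -s "$user_ip" \
        -m mac --mac-source "$user_mac" -j ACCEPT 2>&1 >>"${logfile}"
    ${IPTABLES} -A fwd_shape -i "$user_wdev" -o "$user_dev" -d "$user_ip" \
   -m state --state ESTABLISHED,RELATED -j ACCEPT 2>&1 >>"${logfile}"

    echolog "$user_class >> $user_ip $user_mac $user_dev"
}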

# flush, handle, parent, hlavicka
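# Resets the root qdisc on both devices, creates the HTB root and the parent
# class, and prints the table header.
# Arguments: $1 - name of the rule set (DAY/NIGHT), only used in the log line
# Globals read: TC landev wandev dnspeed upspeed speedin
# Nothing here is error-checked; on a device without a root qdisc the 'del'
# step may report an error on stderr, which is harmless.
shaper_init() {
    echolog ">> Setting HTB [${1} rules]"
    # flush the rules of all interfaces
    echolog "[DN] flush root qdisc $landev"
    ${TC} qdisc del dev "$landev" root
    echolog "[UP] flush root qdisc $wandev"
    ${TC} qdisc del dev "$wandev" root
    # create the root qdisc
    echolog "[DN] handle root qdisc $landev"
    ${TC} qdisc add dev "$landev" root handle 1:0 htb
    echolog "[UP] handle root qdisc $wandev"
    ${TC} qdisc add dev "$wandev" root handle 1:0 htb
    # parent class carrying the whole link rate
    echolog "[DN] parent class htb rate ${dnspeed}${speedin} $landev"
    ${TC} class add dev "$landev" parent 1:0 classid 1:1 htb rate "${dnspeed}${speedin}"
    echolog "[UP] parent class htb rate ${upspeed}${speedin} $wandev"
    ${TC} class add dev "$wandev" parent 1:0 classid 1:1 htb rate "${upspeed}${speedin}"
    # table header
    echolog "id >> IP            MAC              DEV  WANmin  WANmax   LANmin  LANmax"
}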

# pristupy na internet
# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# !!! xxkbit garantovanych pre max xx kompov !!!
# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# ak treba niekoho obmedzit extra, pouzit add_bandspecific()
# Registers every LAN host with its own band.  The table below holds one
# host per line: ip mac landev wandev dnmin dnmax upmin upmax label; the
# trailing label is a mnemonic only and is not passed on.  Hosts are added
# in table order, which also fixes their class ids.
create_userbands() {
    while read -r host_ip host_mac host_ldev host_wdev dn_min dn_max up_min up_max host_label; do
        add_bandspecific "$host_ip" "$host_mac" "$host_ldev" "$host_wdev" \
            "$dn_min" "$dn_max" "$up_min" "$up_max"
    done <<EOF
192.168.1.2  00:11:5b:a9:ac:3f eth2 eth0 5 512 5 512 moj_komp
192.168.1.3  52:54:ab:22:1b:f0 eth2 eth0 5 400 5 400 Sima
192.168.1.98 00:0e:9b:14:72:da eth2 eth0 5 512 5 512 NOTEBOOK
192.168.1.4  00:e0:4c:02:2f:00 eth2 eth0 5 200 5 200 Andrej
192.168.1.5  00:0a:e4:a1:f4:84 eth2 eth0 5 200 5 200 Mician
192.168.1.20 00:0d:87:60:e4:f7 eth2 eth0 5 200 5 200 Horecky
192.168.1.21 00:11:09:67:1f:53 eth2 eth0 5 100 5 100 Alfy
192.168.1.41 00:0D:87:46:4B:1C eth2 eth0 5 200 5 200 Hata
192.168.1.30 00:e0:4c:02:36:e8 eth2 eth0 5 200 5 200 Juro_S
192.168.1.32 00:0a:e4:a6:04:cf eth2 eth0 5 200 5 200 Majo_S
192.168.1.31 00:13:8f:70:c2:da eth2 eth0 5 200 5 200 Boris
192.168.1.24 00:40:ca:8b:ae:43 eth2 eth0 5 200 5 200 zednik
192.168.1.42 00:11:2f:f5:fd:8c eth2 eth0 5 200 5 200 dadaj
192.168.1.34 00:e0:4c:09:6e:cc eth2 eth0 5 200 5 200 sklenarova
EOF
}

################### MAIN ####################

# aktualny datum, hodina a den_v_tyzdni
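# current date, hour and day of the week
currdate=$(date)
currhour=$(date +%H)
currdow=$(date +%u)
currmode="NIGHT"

echolog ""
echolog "-----------------------------------------------------------------------------"
echolog "${currdate}: Started shaper (currhour ${currhour})"
# NIGHT if hour < day_t or it is the weekend (dow 6 = saturday, 7 = sunday),
# DAY if hour < night_t, NIGHT otherwise.  The comparisons stay in '[ ]'
# because '%H' yields zero-padded values such as "08", which arithmetic
# expansion may reject or read as octal.
if [ "$currhour" -lt "$day_t" ] || [ "$currdow" -eq 6 ] || [ "$currdow" -eq 7 ]; then
    currmode="NIGHT"
elif [ "$currhour" -lt "$night_t" ]; then
    currmode="DAY"
else
    currmode="NIGHT"
fi

select_speedconf "$currmode"
shaper_init "$currmode"
create_userbands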

# END

# EOF

noahx5

IPtables
« Odpověď #1 kdy: 27 Července 2006, 13:24:27 »
inak este aby som nezabudol problem je hlavne s tymito riadkami:
##########################################################################
# NOTE(review): this is the part reported as failing on Ubuntu.  All three
# steps go through the 'service iptables ...' helper, which depends on a
# distribution-provided /etc/init.d/iptables script; reply #2 below says
# that on the Ubuntu box neither the 'service' command nor such a script is
# available, so stop/save/restart cannot work there.  set_new_firewall()
# itself only needs the iptables binary.
echo
echo ">> Stoping current firewall..."
/sbin/service iptables stop
echo
echo ">> Setting new firewall rules for /etc/sysconfig/iptables..."
set_new_firewall
echo
echo ">> Saving new firewall rules..."
/sbin/service iptables save
echo
echo ">> Applying new firewall rules..."
/sbin/service iptables restart
#/sbin/service iptables stop
#
# shaper.sh -  dynamic traffic shaper based on htb scheduler
#              created by kongo, modified by zoliq
#

# second restart of the same (already restarted) service
service iptables restart
****************************************************

noahx5

IPtables
« Odpověď #2 kdy: 28 Července 2006, 11:07:06 »
inak este ma napadlo ci by nepomohlo toto. V UBUNTU nefunguje prikaz service tak asi tam bude problem taktiez sa IPTABLES nepustaju ako demon a asi preto nefunguje iptables START, RESTART a tak (toto nemam z vlastnej hlavy), snazil som to nejako prepisat na starom kompe v adresari /etc/init.d som nasiel script iptables a v nom bolo popisane START a tak ale ten script sa odkazoval na dalsi a tak dookola tak som zistil ze tadialto cesta nevedie.

 
