Natd + Proxy transparente

[gianrubio]

Srs:

Estou começando a usar iptables..nao tenho mto conhecimento..conheco bastante de pf e ipfw..

A situacao e a seguinte..Algumas maquinas devem navegar pela nat e o resto pelo proxy transparente..

As maquinas que devem usar nat sao as que estao dentro da regra # Trafego Local

Segue meu rc.firewall

Código :

 
 
#!/bin/sh
 
modprobe ip_conntrack
modprobe ip_conntrack_ftp
 
#---------------------------------
# Configuração Básica
#---------------------------------
IPTABLES=`which iptables`
PERMITIR_TCP="21 20 22 80"
#1024:65535"
PERMITIR_UDP="53 5100"
INET_INT="eth0"
LAN_INT="eth1"
INTERNAL_LAN="192.168.0.0/24"
MASQ_LAN="192.168.0.0/24"
 
#---------------------------------
# DROP: com log colocar "LDROP"
#---------------------------------
DROP="TREJECT" 
#DROP="LDROP"
 
#---------------------------------
# Tcp Forward: Pserv:Pestacao>Ip
#---------------------------------
TCPFORWARD="8888:8888>192.168.0.203"
#UDPFORWARD="4672:4672>192.168.0.254 6346:6346>192.168.0.254 6666:6666>192.168.0.254"
 
 
#---------------------------------
# Criando as Regras
#---------------------------------
REGRAS="ENTRADANET SAIDANET TCPPERMITIDO LDROP TREJECT"
 
#---------------------------------
# Habilitando o Masquerade
#---------------------------------
echo 1 > /proc/sys/net/ipv4/ip_forward
 
#---------------------------------
# Habilitando TCP Syncookies
#---------------------------------
if [ -e /proc/sys/net/ipv4/tcp_syncookies ] ; then
	echo 1 > /proc/sys/net/ipv4/tcp_syncookies
fi
 
#---------------------------------
# Limpando as Regras Antigas
#---------------------------------
${IPTABLES} -t filter -F INPUT
${IPTABLES} -t filter -F OUTPUT
${IPTABLES} -t filter -F FORWARD
${IPTABLES} -t nat -F PREROUTING
${IPTABLES} -t nat -F OUTPUT
${IPTABLES} -t nat -F POSTROUTING
${IPTABLES} -t mangle -F PREROUTING
${IPTABLES} -t mangle -F OUTPUT
for chain in ${REGRAS} ; do
${IPTABLES} -t filter -F ${chain} > /dev/null 2>&1
${IPTABLES} -t filter -X ${chain} > /dev/null 2>&1
${IPTABLES} -t filter -N ${chain}
done
${IPTABLES} -t filter -P INPUT ACCEPT
${IPTABLES} -t filter -P OUTPUT ACCEPT
${IPTABLES} -t filter -P FORWARD DROP
 
#---------------------------------
# Trafego Local
#---------------------------------
for subnet in ${INTERNAL_LAN} ; do
#${IPTABLES} -t filter -A FORWARD -s ${subnet} -j ACCEPT
${IPTABLES} -t filter -A FORWARD -s 192.168.0.50 -j ACCEPT
${IPTABLES} -t filter -A FORWARD -s 192.168.0.51 -j ACCEPT
${IPTABLES} -t filter -A FORWARD -s 192.168.0.52 -j ACCEPT
${IPTABLES} -t filter -A FORWARD -d ${subnet} -m state --state ESTABLISHED,RELATED -j ACCEPT
${IPTABLES} -t nat -A POSTROUTING -o eth0 -j MASQUERADE
done
 
#---------------------------------
#PROXY TRANSPARENTE
#---------------------------------
 
#${IPTABLES} -t nat -A PREROUTING -s ${subnet} -p  tcp  --dport 80 -j REDIRECT --to-port 3128
 
#---------------------------------
# Terminado configuraçao de regras
#---------------------------------
${IPTABLES} -t filter -A INPUT -i ${INET_INT} -j ENTRADANET
${IPTABLES} -t filter -A OUTPUT -o ${INET_INT} -j SAIDANET
${IPTABLES} -t filter -A LDROP -p tcp -m limit --limit 2/s -j LOG --log-level info --log-prefix "TCP Dropped "
${IPTABLES} -t filter -A LDROP -p udp -m limit --limit 2/s -j LOG --log-level info --log-prefix "UDP Dropped "
${IPTABLES} -t filter -A LDROP -p icmp -m limit --limit 2/s -j LOG --log-level info --log-prefix "ICMP Dropped " 
${IPTABLES} -t filter -A LDROP -f -m limit --limit 2/s -j LOG --log-level warning --log-prefix "FRAGMENT Dropped "
${IPTABLES} -t filter -A LDROP -j DROP
${IPTABLES} -t filter -A TREJECT -p tcp -j REJECT --reject-with tcp-reset
${IPTABLES} -t filter -A TREJECT -p ! tcp -j REJECT --reject-with icmp-port-unreachable
${IPTABLES} -t filter -A TREJECT -j REJECT 
 
#---------------------------------
# Protegendo contra TCP SYN Flood
#---------------------------------
${IPTABLES} -t filter -A TCPPERMITIDO -p tcp --syn -m limit --limit 4/s -j ACCEPT
${IPTABLES} -t filter -A TCPPERMITIDO -p tcp ! --syn -j ACCEPT
${IPTABLES} -t filter -A TCPPERMITIDO -m limit --limit 2/s -j LOG --log-prefix "Mismatch in TCP"
${IPTABLES} -t filter -A TCPPERMITIDO -j ${DROP}
 
#---------------------------------
# Pacotes com flag invalidas
#---------------------------------
${IPTABLES} -t filter -A ENTRADANET -m state --state INVALID -j ${DROP}
 
#---------------------------------
# Descartando Ping flood 
#---------------------------------
${IPTABLES} -t filter -A ENTRADANET -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
${IPTABLES} -t filter -A ENTRADANET -p icmp --icmp-type ! echo-request -j ACCEPT
 
#---------------------------------
# Portas TCP a serem abertas 
#---------------------------------
if [ "$PERMITIR_TCP" != "" ] ; then
	for port in ${PERMITIR_TCP} ; do
	${IPTABLES} -t filter -A ENTRADANET -p tcp --dport ${port} -j TCPPERMITIDO
	done
fi
 
#--------------------------------
#Teste com UDP ports
#--------------------------------
if [ "$PERMITIR_UDP" != "" ] ; then
	for port in ${PERMITIR_UDP} ; do
	${IPTABLES} -t filter -A ENTRADANET -p udp --dport ${port} -j ACCEPT
	done
fi
 
#---------------------------------
# Pacotes com flags validas
#---------------------------------
${IPTABLES} -t filter -A ENTRADANET -m state --state ESTABLISHED -j ACCEPT
 
#---------------------------------
# TOS ]]
#---------------------------------
${IPTABLES} -t mangle -A OUTPUT -p tcp --dport 23 -j TOS --set-tos 0x10
${IPTABLES} -t mangle -A OUTPUT -p tcp --dport 22 -j TOS --set-tos 0x10
${IPTABLES} -t mangle -A OUTPUT -p tcp --dport 21 -j TOS --set-tos 0x10
${IPTABLES} -t mangle -A OUTPUT -p tcp --dport 20 -j TOS --set-tos 0x02
 
#PASSIVE FTP
${IPTABLES} -A ENTRADANET -p tcp --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
${IPTABLES} -A ENTRADANET -p tcp --sport 21 --dport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
${IPTABLES} -A ENTRADANET -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
 
#---------------------------------
# Regras padrao
#---------------------------------
${IPTABLES} -t filter -A ENTRADANET -j ${DROP}
${IPTABLES} -t filter -A SAIDANET -j ACCEPT
modprobe ip_nat_ftp

[xstefanox]

Script meio doido, hehehe.

Bem... o quê eu faria no caso é o seguinte: Criaria um array com IP's que não deveriam passar pelo proxy transparente e jogaria-os numa regra de MASQUERADE e depois criaria a regra de REDIRECT, algo como isso:

Código :

for IP in `cat IPS.txt`; do
   iptables -t nat -A POSTROUTING -o $INTERFACE_SAIDA -s "$IP" -j MASQUERADE
done;
iptables -t nat -A PREROUTING -i $INT_REDE_EXT -p TCP --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i $INT_REDE_INT -p UDP --dport 80 -j REDIRECT --to-port 3128

A partir do momento que o iptables casa uma regra, ele pula as outras, ele ignorará as regras de proxy transparente.


Abraços!

[gianrubio]

vou testar amanha e respondo..

obrigado por enquanto

[gianrubio]

Nao funcionou..ou funciona so a nat ou so o proxy

as regras

Código :

 
#---------------------------------
# Trafego Local
#---------------------------------
for IP in `cat /root/ips` ; do
        ${IPTABLES} -t filter -A FORWARD -s $IP -j ACCEPT
        ${IPTABLES} -t nat -A POSTROUTING -o $INET_INT -s $IP -j MASQUERADE
        ${IPTABLES} -t filter -A FORWARD -d $IP -m state --state ESTABLISHED,RELATED -j ACCEPT
done
 
#---------------------------------
#PROXY TRANSPARENTE
#---------------------------------
${IPTABLES} -t nat -A PREROUTING -i $INET_INT -p TCP --dport 80 -j REDIRECT --to-port 3128
${IPTABLES} -t nat -A PREROUTING -i $INET_INT -p UDP --dport 80 -j REDIRECT --to-port 3128

[gianrubio]

resolvido

Código :

 
for IP in `cat /root/ips` ; do
       ${IPTABLES} -t filter -A FORWARD -s $IP -j ACCEPT
        ${IPTABLES} -t nat -A POSTROUTING -o $INET_INT -s $IP -j MASQUERADE
        ${IPTABLES} -t filter -A FORWARD -d $IP -m state --state ESTABLISHED,RELATED -j ACCEPT
        ${IPTABLES} -t nat -A PREROUTING -p tcp --dport 80 -d 0/0 -s $IP -j ACCEPT
done
#---------------------------------
#PROXY TRANSPARENTE
#---------------------------------
${IPTABLES} -t nat -A PREROUTING -i $LAN_INT -p TCP --dport 80 -j REDIRECT --to-port 3128
${IPTABLES} -t nat -A PREROUTING -i $LAN_INT -p UDP --dport 80 -j REDIRECT --to-port 3128