说明:(转载此文,必须注明来源于本人)
因大部分公司pptp服务器需要进行权限控制,如果采用linux作为pptp服务器平台,则可用iptables进行访问控制。我特编写了一个样例。(这是我给一个客户做的pptp服务器的配置,当然实际IP地址信息已经被替换)
pptp服务器为fc4,两个网卡:eth0和eth1,eth0:202.85.33.44 eth1:192.168.0.254
内部网络划分了6个VLAN,其中pptp用户所有的vlan5为192.168.0.0/24
内部服务器网段地址为:192.168.55.0/24 在pptp服务器上需要增加一条路由表:route add -net
192.168.55.0/24 gw 192.168.0.1(注:192.168.0.1为vlan5的IP地址)
下面是firewall.sh脚本文件(vi firewall.sh后把下面的复制到此文件中,保存退出后,chmod 700 firewall.sh即可执行 ./firewall.sh restart)
#!/bin/bash
#
#
#
echo "Starting................."
echo "RunTime = `date |awk '{print $6" "$2" "$3" "$4}'`"
echo -e "\t\t\n\n"
echo -e "\033[1;031m \n"
echo "######################################################################"
echo "# pptp server iptables rule 1.0 #"
echo "# E-mail:jdaoyou@sohu.com #"
echo "######################################################################"
echo -e "\033[m \n"
echo ""
echo ""
#
echo -e "\033[1;034m \n"
echo "######################################################################"
echo "# Network Internet Address eth0: 202.85.33.44 #"
echo "# #"
echo "# Internal Network Address eth1: 192.168.0.254 #"
echo "# #"
echo "######################################################################"
echo ""
echo -e "\033[m \n"
echo ""
LAN_IFACE="eth1"
INET_IFACE="eth0"
IPTABLES="/sbin/iptables"
ACCEPT_ERP_OA_HOSTS="192.168.0.91
192.168.0.90 192.168.0.85 192.168.0.67 192.168.0.65 192.168.0.71
192.168.0.3 192.168.0.4 192.168.0.5 192.168.0.6 192.168.0.7 192.168.0.8
192.168.0.9 192.168.0.10 192.168.0.11 192.168.0.12 192.168.0.13
192.168.0.14 192.168.0.15 192.168.0.16 192.168.0.17 192.168.0.18
192.168.0.19 192.168.0.20 192.168.0.21 192.168.0.22 192.168.0.23
192.168.0.24 192.168.0.25 192.168.0.26 192.168.0.27 192.168.0.28
192.168.0.29 192.168.0.30 192.168.0.31 192.168.0.32 192.168.0.33
192.168.0.34 192.168.0.40 192.168.0.41 192.168.0.42 192.168.0.43
192.168.0.44 192.168.0.45 192.168.0.46 192.168.0.47 192.168.0.48
192.168.0.49 192.168.0.50 192.168.51 192.168.0.52 192.168.0.55
192.168.0.58 192.168.0.60 192.168.0.61 192.168.0.63 192.168.0.64
192.168.0.65 192.168.0.68 192.168.0.69 192.168.0.70 192.168.0.72
192.168.0.73 192.168.0.74 192.168.0.75 192.168.0.80 192.168.0.82
192.168.0.89 192.168.0.87"
#以上规则为可以访问OA和ERP的权限
ACCEPT_inMAIL_HOSTS="192.168.0.91 192.168.0.67 192.168.0.65
192.168.0.71 192.168.0.3 192.168.0.4 192.168.0.5 192.168.0.6
192.168.0.7 192.168.0.8 192.168.0.9 192.168.0.10 192.168.0.11
192.168.0.12 192.168.0.13 192.168.0.14 192.168.0.15 192.168.0.16
192.168.0.17 192.168.0.18 192.168.0.19 192.168.0.20 192.168.0.21
192.168.0.22 192.168.0.23 192.168.0.24 192.168.0.25 192.168.0.26
192.168.0.27 192.168.0.28 192.168.0.29 192.168.0.30 192.168.0.31
192.168.0.32 192.168.0.33 192.168.0.34 192.168.0.40 192.168.0.41
192.168.0.42 192.168.0.43 192.168.0.44 192.168.0.45 192.168.0.46
192.168.0.47 192.168.0.48 192.168.0.49 192.168.0.50 192.168.0.51
192.168.0.52 192.168.0.55 192.168.0.58 192.168.0.60 192.168.0.61
192.168.0.63 192.168.0.64 192.168.0.65 192.168.0.68 192.168.0.69
192.168.0.70 192.168.0.72 192.168.0.73 192.168.0.74 192.168.0.75
192.168.0.80 192.168.0.82 192.168.0.87"
#以上规则为仅可访问内部邮件服务器的权限
ACCEPT_ERP_HOSTS=""
ACCEPT_inWEB_HOSTS=""
ACCEPT_TEST_HOSTS="192.168.0.76 192.168.0.77 192.168.0.78 192.168.0.92"
ACCEPT_CRM_HOSTS="192.168.35.0/24"
ACCEPT_all_HOSTS="192.168.0.90
192.168.0.81 192.168.0.21 192.168.0.22 192.168.0.31 192.168.0.32
192.168.0.33 192.168.0.35 192.168.0.36 192.168.55.94 192.168.55.24
192.168.55.38 192.168.0.41 19.168.34.42 192.168.0.43 192.168.0.44
192.168.0.53 192.168.0.54 192.168.0.56 192.168.0.57 192.168.0.59
192.168.0.62 192.168.0.66 192.168.0.79 192.168.0.83 192.168.0.88"
#以上为所有访问权限,也即可以访问内网,也可能通过PPTP服务器访问Internet
ACCEPT_APS_HOSTS="192.168.0.39" #可以访问APS系统的权限
#
########################## Main Options #####################
# ===============================================
# --------Actual NetFilter Stuff Follows---------
# ===============================================
############## Load modules
modprobe ip_tables > /dev/null 2>&1
modprobe ip_conntrack > /dev/null 2>&1
modprobe iptable_nat > /dev/null 2>&1
#modprobe ip_nat_ftp > /dev/null 2>&1
modprobe ip_conntrack_ftp > /dev/null 2>&1
modprobe ip_conntrack_irc > /dev/null 2>&1
modprobe ip_conntrack_h323 > /dev/null 2>&1
modprobe ip_nat_h323 > /dev/null 2>&1
modprobe ip_conntrack_irc > /dev/null 2>&1
#modprobe ip_nat_irc > /dev/null 2>&1
modprobe ip_conntrack_mms > /dev/null 2>&1
modprobe ip_nat_mms > /dev/null 2>&1
#modprobe ip_conntrack_pptp > /dev/null 2>&1
#modprobe ip_nat_pptp > /dev/null 2>&1
#modprobe ip_conntrack_proto_gre > /dev/null 2>&1
#modprobe ip_nat_proto_gre > /dev/null 2>&1
modprobe ip_conntrack_quake3 > /dev/null 2>&1
modprobe ip_nat_quake3 > /dev/null 2>&1
##############################################
##############################################
echo 1 >/proc/sys/net/ipv4/ip_forward
#echo 1 >/proc/sys/net/ipv4/conf/all/rp_filter
start(){
echo ""
echo -e "\033[1;032m Flush all chains...... [OK] \033[m"
$IPTABLES -F
$IPTABLES -X
$IPTABLES -Z
$IPTABLES -F -t nat
$IPTABLES -X -t nat
$IPTABLES -Z -t nat
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP
$IPTABLES -A INPUT -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
$IPTABLES -A INPUT -s 202.102.224.68 -j ACCEPT
$IPTABLES -A INPUT -s 202.96.134.133 -j ACCEPT
$IPTABLES -A INPUT -s 127.0.0.0/8 -j ACCEPT
$IPTABLES -A INPUT -d 127.0.0.0/8 -j ACCEPT
$IPTABLES -A INPUT -p 47 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 1723 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 113 -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 1194 -j ACCEPT
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -s 192.168.55.19 -j ACCEPT
# $IPTABLES -A INPUT -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j SNAT --to 202.85.33.44
##########################################################
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -s 192.168.0.22 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i ppp+ --dport 113 -j ACCEPT
$IPTABLES -A FORWARD -p icmp -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 113 -j ACCEPT
$IPTABLES -I FORWARD -d 192.168.0.0/24 -j ACCEPT
######################## comm rule ###################
$IPTABLES -I FORWARD -d 192.168.55.229 -j ACCEPT
$IPTABLES -I FORWARD -s 192.168.55.229 -j ACCEPT
$IPTABLES -A FORWARD -d 192.168.55.219 -j ACCEPT
$IPTABLES -I FORWARD -s 192.168.0.0/24 -d 192.168.55.15 -j ACCEPT
$IPTABLES -I FORWARD -s 192.168.0.0/24 -d 192.168.55.14 -j ACCEPT
$IPTABLES -I FORWARD -s 192.168.0.0/24 -d 192.168.55.16 -j ACCEPT
$IPTABLES -I FORWARD -s 192.168.0.0/24 -d 192.168.55.13 -j ACCEPT
$IPTABLES -I FORWARD -s 192.168.0.0/24 -d 210.75.1.165 -j ACCEPT
$IPTABLES -A FORWARD -p udp -m multiport --dport 53,449 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -m multiport --dport 53,449 -j ACCEPT
echo -e "\033[1;034m \n"
echo "......................................................................."
echo "......................................................................."
echo "......................................................................."
echo ""
echo -e "\033[1;032m \n"
###################################### accept erp access #######################
if [ "$ACCEPT_ERP_OA_HOSTS" != "" ] ; then
for LAN in ${ACCEPT_ERP_OA_HOSTS} ; do
$IPTABLES -A FORWARD -i ppp+ -o eth1 -s ${LAN} -d 192.168.55.17 -j ACCEPT
$IPTABLES -A FORWARD -i ppp+ -o eth1 -s ${LAN} -d 192.168.55.91 -j ACCEPT
echo ""
echo ${LAN} Access to Externel.....ACCEPT erp and oa access [OK]
done
fi
echo -e "\033[1;034m \n"
echo "......................................................................."
echo "......................................................................."
echo "......................................................................."
echo ""
echo -e "\033[1;032m \n"
###################################### accept erp access #######################
if [ "$ACCEPT_ERP_HOSTS" != "" ] ; then
for LAN in ${ACCEPT_ERP_HOSTS} ; do
$IPTABLES -A FORWARD -i ppp+ -o eth1 -s ${LAN} -d 192.168.55.17-j ACCEPT
echo ""
echo ${LAN} Access to Externel.....ACCEPT only erp access [OK]
done
fi
echo -e "\033[1;034m \n"
echo "......................................................................."
echo "......................................................................."
echo "......................................................................."
echo ""
echo -e "\033[1;032m \n"
###################################### accept crm access #######################
if [ "$ACCEPT_CRM_HOSTS" != "" ] ; then
for LAN in ${ACCEPT_CRM_HOSTS} ; do
$IPTABLES -A FORWARD -i ppp+ -o eth1 -s ${LAN} -d 192.168.55.9 -j ACCEPT
echo ""
echo ${LAN} Access to Externel.....ACCEPT CRM access [OK]
done
fi
echo -e "\033[1;034m \n"
echo "......................................................................."
echo "......................................................................."
echo "......................................................................."
echo ""
echo -e "\033[1;032m \n"
###################################### accept test access #######################
if [ "$ACCEPT_TEST_HOSTS" != "" ] ; then
for LAN in ${ACCEPT_TEST_HOSTS} ; do
$IPTABLES -A FORWARD -i ppp+ -o eth1 -s ${LAN} -d 192.168.55.30 -j ACCEPT
echo ""
echo ${LAN} Access to Externel.....ACCEPT testapp access [OK]
done
fi
echo -e "\033[1;034m \n"
echo "......................................................................."
echo "......................................................................."
echo "......................................................................."
echo ""
echo -e "\033[1;032m \n"
###################################### accept inMAIL access #######################
if [ "$ACCEPT_inMAIL_HOSTS" != "" ] ; then
for LAN in ${ACCEPT_inMAIL_HOSTS} ; do
$IPTABLES -A FORWARD -i ppp+ -o eth1 -s ${LAN} -d 192.168.55.8 -j ACCEPT
echo ""
echo ${LAN} Access to Externel.....ACCEPT inmail access [OK]
done
fi
echo -e "\033[1;034m \n"
echo "......................................................................."
echo "......................................................................."
echo "......................................................................."
echo ""
echo -e "\033[1;032m \n"
###################################### accept inWEB access #######################
if [ "$ACCEPT_inWEB_HOSTS" != "" ] ; then
for LAN in ${ACCEPT_inWEB_HOSTS} ; do
$IPTABLES -A FORWARD -i ppp+ -o eth1 -s ${LAN} -d 192.168.55.8 -j ACCEPT
echo ""
echo ${LAN} Access to Externel.....ACCEPT inweb access [OK]
done
fi
echo -e "\033[1;034m \n"
echo "......................................................................."
echo "......................................................................."
echo "......................................................................."
echo ""
echo -e "\033[1;032m \n"
###################################### accept aps access #######################
if [ "$ACCEPT_APS_HOSTS" != "" ] ; then
for LAN in ${ACCEPT_APS_HOSTS} ; do
$IPTABLES -A FORWARD -i ppp+ -o eth1 -s ${LAN} -d 192.168.55.23 -j ACCEPT
echo ""
echo ${LAN} Access to Externel.....ACCEPT aps access [OK]
done
fi
echo -e "\033[1;034m \n"
echo "......................................................................."
echo "......................................................................."
echo "......................................................................."
echo ""
echo -e "\033[1;032m \n"
###################################### accept all access #######################
if [ "$ACCEPT_all_HOSTS" != "" ] ; then
for LAN in ${ACCEPT_all_HOSTS} ; do
$IPTABLES -A FORWARD -s ${LAN} -j ACCEPT
# $IPTABLES -A FORWARD -i ppp+ -o eth1 -s ${LAN} -d 0/0 -j ACCEPT
echo ""
echo ${LAN} Access to Externel.....ACCEPT all access [OK]
done
fi
echo -e "\033[1;034m \n"
echo "......................................................................."
echo "......................................................................."
echo "......................................................................."
echo ""
echo -e "\033[1;032m \n"
#######################################################################################
echo "......................................................................."
echo "......................................................................."
echo "......................................................................."
echo "......................................................................."
echo "......................................................................."
echo "......................................................................."
echo "......................................................................."
echo ""
echo -e "\033[1;031m \n"
########################### logrule #########################
#LOGACCESS="no"
LOGACCESS="yes"
if [ "$LOGACCESS" = "yes" ] ; then
# $IPTABLES -I FORWARD -p tcp -m multiport --dport 445,135 -j LOG
$IPTABLES -I INPUT -p tcp ! -s 192.168.55.180 -j LOG --log-prefix 'IPTABLES INPUT TCP ACCEPT:'
#$IPTABLES -I INPUT -p udp ! -s 192.168.55.180 -j LOG --log-prefix 'IPTABLES INPUT UDP ACCEPT:'
$IPTABLES
-A INPUT -p TCP ! --syn -m state --state NEW -j LOG --log-tcp-options
--log-ip-options --log-prefix 'IPTABLES INPUT DROP:'
$IPTABLES -I FORWARD -p tcp -s 192.168.0.0/24 -j LOG --log-prefix 'IPTABLES FORWARD TCP ACCEPT:'
$IPTABLES -I FORWARD -p udp -s 192.168.0.0/24 -j LOG --log-prefix 'IPTABLES FORWARD UDP ACCEPT:'
$IPTABLES
-A FORWARD -p TCP ! --syn -m state --state NEW -j LOG --log-tcp-options
--log-ip-options --log-prefix 'IPTABLES FORWARD DROP:'
echo LOG illegal access ............................... [OK]
fi
echo -e "\033[1;034m \n"
echo "......................................................................."
echo "......................................................................."
echo "......................................................................."
echo ""
echo -e "\033[1;031m \n"
echo ""
echo "######################################################################"
echo "# #"
echo "# Load PPTP server Access rule Successfull ! #"
echo "# #"
echo "######################################################################"
echo ""
echo -e "\033[m \n"
echo ""
############################# Type of Service mangle optimizations
# ${IPTABLES} -t mangle -A OUTPUT -p tcp --dport 23 -j TOS --set-tos Minimize-Delay
# ${IPTABLES} -t mangle -A OUTPUT -p tcp --dport 22 -j TOS --set-tos Minimize-Delay
# ${IPTABLES} -t mangle -A OUTPUT -p tcp --dport 20 -j TOS --set-tos Minimize-Cost
# ${IPTABLES} -t mangle -A OUTPUT -p tcp --dport 21 -j TOS --set-tos Minimize-Delay
# ${IPTABLES} -t mangle -A OUTPUT -p udp --dport 4000:7000 -j TOS --set-tos Minimize-Delay
}
stop(){
##################### Flush everything
$IPTABLES -F
$IPTABLES -X
$IPTABLES -Z
$IPTABLES -F -t nat
$IPTABLES -X -t nat
$IPTABLES -Z -t nat
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
echo ""
echo -e "\033[1;031m \n"
echo ""
echo "######################################################################"
echo "# #"
echo "# Stop PPTP server Access rule Successfull ! #"
echo "# #"
echo "######################################################################"
echo ""
echo -e "\033[m \n"
echo ""
}
#########################################################
case "$1" in
start)
start
;;
stop)
stop
;;
restart)
stop
start
;;
*)
echo $"Usage:$0 {start|stop|restart|}"
exit 1
esac
exit $?
-----------------------------------------------------------
for LAN in ${ACCEPT_ERP_OA_HOSTS} ; do
$IPTABLES -A FORWARD -i ppp+ -o eth1 -s ${LAN} -d 192.168.55.17 -j ACCEPT
$IPTABLES -A FORWARD -i ppp+ -o eth1 -s ${LAN} -d 192.168.55.91 -j ACCEPT
echo ""
echo ${LAN} Access to Externel.....ACCEPT erp and oa access [OK]
done
for LAN in ${ACCEPT_inMAIL_HOSTS} ; do
$IPTABLES -A FORWARD -i ppp+ -o eth1 -s ${LAN} -d 192.168.55.8 -j ACCEPT
echo ""
echo ${LAN} Access to Externel.....ACCEPT inmail access [OK]
done
这两部分效率过于低下
可以考虑使用 -N NEW_CHAIN 和 -m iprange 提高性能 |
|
|
-m iprange 是需要模块的,有些系统上没有此补丁模块,所以不能用。(不然别人拿去用时会不行的!)且用变量的形式ACCEPT_ERP_OA_HOSTS更容易管理。
