Category: Networking and Security

2006-07-27 13:07:45

An iptables firewall example for a PPTP server


Note: if you repost this article, you must credit me as the source.
Author: 阿友
jdaoyou@sohu.com

Most companies need access control on their PPTP server, and when Linux is used as the PPTP server platform, iptables can enforce that control, so I wrote up an example. (This is the PPTP server configuration I built for a customer; the real IP addresses have of course been replaced.)
 
The PPTP server runs FC4 and has two NICs, eth0 and eth1: eth0 is 202.85.33.44 and eth1 is 192.168.0.254. The internal network is divided into 6 VLANs; VLAN5, which holds all PPTP users, is 192.168.0.0/24, and the internal server segment is 192.168.55.0/24. On the PPTP server one extra route is needed: route add -net 192.168.55.0/24 gw 192.168.0.1 (note: 192.168.0.1 is the IP address of VLAN5).
 
Below is the firewall.sh script (run vi firewall.sh, paste the following into the file, save and quit, then chmod 700 firewall.sh and run ./firewall.sh restart).
 
#!/bin/bash
#
#
#
echo "Starting................."
echo "RunTime = `date |awk '{print $6" "$2" "$3" "$4}'`"
echo -e "\t\t\n\n"
echo -e "\033[1;031m \n"
echo "######################################################################"
echo "#                 pptp server iptables  rule 1.0                     #"
echo "#                    E-mail:jdaoyou@sohu.com                         #"
echo "######################################################################"
echo -e "\033[m \n"
echo ""
echo ""
#
echo -e "\033[1;034m \n"
echo "######################################################################"
echo "#  Network Internet Address eth0:               202.85.33.44         #"
echo "#                                                                    #"
echo "#  Internal Network Address eth1:               192.168.0.254        #"
echo "#                                                                    #"
echo "######################################################################"
echo ""
echo -e "\033[m \n"
echo ""
LAN_IFACE="eth1"
INET_IFACE="eth0"
IPTABLES="/sbin/iptables"
ACCEPT_ERP_OA_HOSTS="192.168.0.91 192.168.0.90 192.168.0.85 192.168.0.67 192.168.0.65 192.168.0.71 192.168.0.3 192.168.0.4 192.168.0.5 192.168.0.6 192.168.0.7 192.168.0.8 192.168.0.9 192.168.0.10 192.168.0.11 192.168.0.12 192.168.0.13 192.168.0.14 192.168.0.15 192.168.0.16 192.168.0.17 192.168.0.18 192.168.0.19 192.168.0.20 192.168.0.21 192.168.0.22 192.168.0.23 192.168.0.24 192.168.0.25 192.168.0.26 192.168.0.27 192.168.0.28 192.168.0.29 192.168.0.30 192.168.0.31 192.168.0.32 192.168.0.33 192.168.0.34 192.168.0.40 192.168.0.41 192.168.0.42 192.168.0.43 192.168.0.44 192.168.0.45 192.168.0.46 192.168.0.47 192.168.0.48 192.168.0.49 192.168.0.50 192.168.0.51 192.168.0.52 192.168.0.55 192.168.0.58 192.168.0.60 192.168.0.61 192.168.0.63 192.168.0.64 192.168.0.65 192.168.0.68 192.168.0.69 192.168.0.70 192.168.0.72 192.168.0.73 192.168.0.74 192.168.0.75 192.168.0.80 192.168.0.82 192.168.0.89 192.168.0.87"
# hosts above may reach the OA and ERP servers
# (the original list had "192.168.51", a three-octet typo that iptables rejects; corrected to 192.168.0.51)
ACCEPT_inMAIL_HOSTS="192.168.0.91 192.168.0.67 192.168.0.65 192.168.0.71 192.168.0.3 192.168.0.4 192.168.0.5 192.168.0.6 192.168.0.7 192.168.0.8 192.168.0.9 192.168.0.10 192.168.0.11 192.168.0.12 192.168.0.13 192.168.0.14 192.168.0.15 192.168.0.16 192.168.0.17 192.168.0.18 192.168.0.19 192.168.0.20 192.168.0.21 192.168.0.22 192.168.0.23 192.168.0.24 192.168.0.25 192.168.0.26 192.168.0.27 192.168.0.28 192.168.0.29 192.168.0.30 192.168.0.31 192.168.0.32 192.168.0.33 192.168.0.34 192.168.0.40 192.168.0.41 192.168.0.42 192.168.0.43 192.168.0.44 192.168.0.45 192.168.0.46 192.168.0.47 192.168.0.48 192.168.0.49 192.168.0.50 192.168.0.51 192.168.0.52 192.168.0.55 192.168.0.58 192.168.0.60 192.168.0.61 192.168.0.63 192.168.0.64 192.168.0.65 192.168.0.68 192.168.0.69 192.168.0.70 192.168.0.72 192.168.0.73 192.168.0.74 192.168.0.75 192.168.0.80 192.168.0.82 192.168.0.87"
# hosts above may reach only the internal mail server
ACCEPT_ERP_HOSTS=""
ACCEPT_inWEB_HOSTS=""
ACCEPT_TEST_HOSTS="192.168.0.76 192.168.0.77 192.168.0.78 192.168.0.92"
ACCEPT_CRM_HOSTS="192.168.35.0/24"
ACCEPT_all_HOSTS="192.168.0.90 192.168.0.81 192.168.0.21 192.168.0.22 192.168.0.31 192.168.0.32 192.168.0.33 192.168.0.35 192.168.0.36  192.168.55.94 192.168.55.24 192.168.55.38 192.168.0.41 19.168.34.42 192.168.0.43 192.168.0.44 192.168.0.53 192.168.0.54 192.168.0.56 192.168.0.57 192.168.0.59 192.168.0.62 192.168.0.66 192.168.0.79 192.168.0.83 192.168.0.88"
# hosts above get full access: the internal network, and the Internet through the PPTP server
# (19.168.34.42 in the list is reproduced as written in the original; it is not a private address, so check it before use)
ACCEPT_APS_HOSTS="192.168.0.39" # hosts allowed to reach the APS system
#
########################## Main Options  #####################

# ===============================================
# --------Actual NetFilter Stuff Follows---------
# ===============================================
##############  Load modules
modprobe ip_tables             > /dev/null 2>&1
modprobe ip_conntrack          > /dev/null 2>&1
modprobe iptable_nat           > /dev/null 2>&1
#modprobe ip_nat_ftp            > /dev/null 2>&1
modprobe ip_conntrack_ftp      > /dev/null 2>&1
modprobe ip_conntrack_irc      > /dev/null 2>&1
modprobe ip_conntrack_h323     > /dev/null 2>&1
modprobe ip_nat_h323           > /dev/null 2>&1
modprobe ip_conntrack_irc      > /dev/null 2>&1
#modprobe ip_nat_irc            > /dev/null 2>&1
modprobe ip_conntrack_mms      > /dev/null 2>&1
modprobe ip_nat_mms            > /dev/null 2>&1
#modprobe ip_conntrack_pptp     > /dev/null 2>&1
#modprobe ip_nat_pptp           > /dev/null 2>&1
#modprobe ip_conntrack_proto_gre > /dev/null 2>&1
#modprobe ip_nat_proto_gre      > /dev/null 2>&1
modprobe ip_conntrack_quake3   > /dev/null 2>&1
modprobe ip_nat_quake3         > /dev/null 2>&1
##############################################

##############################################
echo 1 >/proc/sys/net/ipv4/ip_forward
#echo 1 >/proc/sys/net/ipv4/conf/all/rp_filter

start(){
echo ""
echo -e "\033[1;032m Flush all chains......                           [OK] \033[m"
  $IPTABLES -F
  $IPTABLES -X
  $IPTABLES -Z
  $IPTABLES -F -t nat
  $IPTABLES -X -t nat
  $IPTABLES -Z -t nat
  $IPTABLES -P INPUT   DROP
  $IPTABLES -P OUTPUT  ACCEPT
  $IPTABLES -P FORWARD DROP
 
  $IPTABLES -A INPUT -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
  $IPTABLES -A INPUT -s 202.102.224.68 -j ACCEPT
  $IPTABLES -A INPUT -s 202.96.134.133 -j ACCEPT
  $IPTABLES -A INPUT -s 127.0.0.0/8 -j ACCEPT
  $IPTABLES -A INPUT -d 127.0.0.0/8 -j ACCEPT
  $IPTABLES -A INPUT -p 47 -j ACCEPT
  $IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
  $IPTABLES -A INPUT -p tcp --dport 1723 -j ACCEPT
  $IPTABLES -A INPUT -p tcp --dport 113 -j ACCEPT
  $IPTABLES -A INPUT -p udp --dport 1194 -j ACCEPT
  $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPTABLES -A INPUT -s 192.168.55.19 -j ACCEPT
#  $IPTABLES -A INPUT -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j SNAT --to 202.85.33.44
##########################################################
  $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPTABLES -A FORWARD -s 192.168.0.22 -j ACCEPT
  $IPTABLES -A FORWARD -p tcp -i ppp+ --dport 113 -j ACCEPT
  $IPTABLES -A FORWARD -p icmp -j ACCEPT
  $IPTABLES -A FORWARD -p tcp --dport 113 -j ACCEPT
  $IPTABLES -I FORWARD -d 192.168.0.0/24 -j ACCEPT
######################## comm rule  ###################
  $IPTABLES -I FORWARD -d 192.168.55.229 -j ACCEPT
  $IPTABLES -I FORWARD -s 192.168.55.229 -j ACCEPT
  $IPTABLES -A FORWARD -d 192.168.55.219 -j ACCEPT

  $IPTABLES -I FORWARD -s 192.168.0.0/24 -d 192.168.55.15 -j ACCEPT
  $IPTABLES -I FORWARD -s 192.168.0.0/24 -d 192.168.55.14 -j ACCEPT
  $IPTABLES -I FORWARD -s 192.168.0.0/24 -d 192.168.55.16 -j ACCEPT
  $IPTABLES -I FORWARD -s 192.168.0.0/24 -d 192.168.55.13 -j ACCEPT
  $IPTABLES -I FORWARD -s 192.168.0.0/24 -d 210.75.1.165 -j ACCEPT
  $IPTABLES -A FORWARD -p udp -m multiport --dport 53,449 -j ACCEPT
  $IPTABLES -A FORWARD -p tcp -m multiport --dport 53,449 -j ACCEPT

echo -e "\033[1;034m \n"
echo "......................................................................."
echo "......................................................................."
echo "......................................................................."
echo ""
echo -e "\033[1;032m \n"
###################################### accept erp access   #######################
if [ "$ACCEPT_ERP_OA_HOSTS" != "" ] ; then
  for LAN in ${ACCEPT_ERP_OA_HOSTS} ; do

  $IPTABLES -A FORWARD -i ppp+ -o eth1 -s ${LAN} -d 192.168.55.17 -j ACCEPT
  $IPTABLES -A FORWARD -i ppp+ -o eth1 -s ${LAN} -d 192.168.55.91 -j ACCEPT
  echo ""
  echo "${LAN}   Access to External.....ACCEPT erp and oa access                 [OK]"
  done
fi
echo -e "\033[1;034m \n"
echo "......................................................................."
echo "......................................................................."
echo "......................................................................."
echo ""
echo -e "\033[1;032m \n"
###################################### accept erp access   #######################
if [ "$ACCEPT_ERP_HOSTS" != "" ] ; then
  for LAN in ${ACCEPT_ERP_HOSTS} ; do
  $IPTABLES -A FORWARD -i ppp+ -o eth1 -s ${LAN} -d 192.168.55.17 -j ACCEPT
  echo ""
  echo "${LAN}   Access to External.....ACCEPT only erp  access                 [OK]"
  done
fi
echo -e "\033[1;034m \n"
echo "......................................................................."
echo "......................................................................."
echo "......................................................................."
echo ""
echo -e "\033[1;032m \n"
###################################### accept crm access   #######################
if [ "$ACCEPT_CRM_HOSTS" != "" ] ; then
  for LAN in ${ACCEPT_CRM_HOSTS} ; do

  $IPTABLES -A FORWARD -i ppp+ -o eth1 -s ${LAN} -d 192.168.55.9 -j ACCEPT
  echo ""
  echo "${LAN}   Access to External.....ACCEPT CRM access                 [OK]"
  done
fi
echo -e "\033[1;034m \n"
echo "......................................................................."
echo "......................................................................."
echo "......................................................................."
echo ""
echo -e "\033[1;032m \n"
###################################### accept test access   #######################
if [ "$ACCEPT_TEST_HOSTS" != "" ] ; then
  for LAN in ${ACCEPT_TEST_HOSTS} ; do

  $IPTABLES -A FORWARD -i ppp+ -o eth1 -s ${LAN} -d 192.168.55.30 -j ACCEPT
  echo ""
  echo "${LAN}   Access to External.....ACCEPT testapp access                 [OK]"
  done
fi
echo -e "\033[1;034m \n"
echo "......................................................................."
echo "......................................................................."
echo "......................................................................."
echo ""
echo -e "\033[1;032m \n"
 

###################################### accept inMAIL access   #######################
if [ "$ACCEPT_inMAIL_HOSTS" != "" ] ; then
  for LAN in ${ACCEPT_inMAIL_HOSTS} ; do
  $IPTABLES -A FORWARD -i ppp+ -o eth1 -s ${LAN} -d 192.168.55.8 -j ACCEPT
  echo ""
  echo "${LAN}   Access to External.....ACCEPT inmail access                 [OK]"
  done
fi
echo -e "\033[1;034m \n"
echo "......................................................................."
echo "......................................................................."
echo "......................................................................."
echo ""
echo -e "\033[1;032m \n"
###################################### accept inWEB access   #######################
if [ "$ACCEPT_inWEB_HOSTS" != "" ] ; then
  for LAN in ${ACCEPT_inWEB_HOSTS} ; do
  $IPTABLES -A FORWARD -i ppp+ -o eth1 -s ${LAN} -d 192.168.55.8 -j ACCEPT
  echo ""
  echo "${LAN}   Access to External.....ACCEPT inweb access                 [OK]"
  done
fi
echo -e "\033[1;034m \n"
echo "......................................................................."
echo "......................................................................."
echo "......................................................................."
echo ""
echo -e "\033[1;032m \n"
###################################### accept aps access   #######################
if [ "$ACCEPT_APS_HOSTS" != "" ] ; then
  for LAN in ${ACCEPT_APS_HOSTS} ; do
  $IPTABLES -A FORWARD -i ppp+ -o eth1 -s ${LAN} -d 192.168.55.23 -j ACCEPT
  echo ""
  echo "${LAN}   Access to External.....ACCEPT aps access                 [OK]"
  done
fi
echo -e "\033[1;034m \n"
echo "......................................................................."
echo "......................................................................."
echo "......................................................................."
echo ""
echo -e "\033[1;032m \n"

###################################### accept all access   #######################
if [ "$ACCEPT_all_HOSTS" != "" ] ; then
  for LAN in ${ACCEPT_all_HOSTS} ; do
  $IPTABLES -A FORWARD -s ${LAN} -j ACCEPT
#  $IPTABLES -A FORWARD -i ppp+ -o eth1 -s ${LAN} -d 0/0  -j ACCEPT
  echo ""
  echo "${LAN}   Access to External.....ACCEPT all access                 [OK]"
  done
fi
echo -e "\033[1;034m \n"
echo "......................................................................."
echo "......................................................................."
echo "......................................................................."
echo ""
echo -e "\033[1;032m \n"
#######################################################################################
echo "......................................................................."
echo "......................................................................."
echo "......................................................................."
echo "......................................................................."
echo "......................................................................."
echo "......................................................................."
echo "......................................................................."
echo ""
echo -e "\033[1;031m \n"
########################### logrule #########################
#LOGACCESS="no"
LOGACCESS="yes"
if [ "$LOGACCESS" = "yes" ] ; then
#  $IPTABLES -I FORWARD -p tcp -m multiport --dport 445,135 -j LOG
$IPTABLES -I INPUT -p tcp ! -s 192.168.55.180 -j LOG --log-prefix 'IPTABLES INPUT TCP ACCEPT:'
#$IPTABLES -I INPUT -p udp ! -s 192.168.55.180 -j LOG --log-prefix 'IPTABLES INPUT UDP ACCEPT:'
$IPTABLES -A INPUT -p TCP ! --syn -m state --state NEW -j LOG --log-tcp-options --log-ip-options --log-prefix 'IPTABLES INPUT DROP:'
$IPTABLES -I FORWARD -p tcp -s 192.168.0.0/24 -j LOG --log-prefix 'IPTABLES FORWARD TCP ACCEPT:'
$IPTABLES -I FORWARD -p udp -s 192.168.0.0/24 -j LOG --log-prefix 'IPTABLES FORWARD UDP ACCEPT:'
$IPTABLES -A FORWARD -p TCP ! --syn -m state --state NEW -j LOG --log-tcp-options --log-ip-options --log-prefix 'IPTABLES FORWARD DROP:'
echo "LOG illegal access ...............................          [OK]"
fi
echo -e "\033[1;034m \n"
echo "......................................................................."
echo "......................................................................."
echo "......................................................................."
echo ""
echo -e "\033[1;031m \n"

echo ""
echo "######################################################################"
echo "#                                                                    #"
echo "#            Load PPTP server  Access rule Successfull !             #"
echo "#                                                                    #"
echo "######################################################################"
echo ""
echo -e "\033[m \n"
echo ""
############################# Type of Service mangle optimizations
# ${IPTABLES} -t mangle -A OUTPUT -p tcp --dport 23 -j TOS --set-tos Minimize-Delay
# ${IPTABLES} -t mangle -A OUTPUT -p tcp --dport 22 -j TOS --set-tos Minimize-Delay
# ${IPTABLES} -t mangle -A OUTPUT -p tcp --dport 20 -j TOS --set-tos Minimize-Cost
# ${IPTABLES} -t mangle -A OUTPUT -p tcp --dport 21 -j TOS --set-tos Minimize-Delay
# ${IPTABLES} -t mangle -A OUTPUT -p udp --dport 4000:7000 -j TOS --set-tos Minimize-Delay
}
stop(){
#####################   Flush everything
  $IPTABLES -F
  $IPTABLES -X
  $IPTABLES -Z
  $IPTABLES -F -t nat
  $IPTABLES -X -t nat
  $IPTABLES -Z -t nat
  $IPTABLES -P INPUT   ACCEPT
  $IPTABLES -P OUTPUT  ACCEPT
  $IPTABLES -P FORWARD ACCEPT
echo ""
echo -e "\033[1;031m \n"
echo ""
echo "######################################################################"
echo "#                                                                    #"
echo "#            Stop PPTP server  Access rule Successfull !             #"
echo "#                                                                    #"
echo "######################################################################"
echo ""
echo -e "\033[m \n"
echo ""
}
#########################################################
case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  restart)
    stop
    start
    ;;
  *)
    echo "Usage: $0 {start|stop|restart}"
    exit 1
esac
exit $?
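The LOG rules in the script tag kernel log lines with the prefixes 'IPTABLES INPUT DROP:' and 'IPTABLES FORWARD DROP:'. The following is an added example, not part of the original post, that turns those lines into a per-client report of which internal servers and ports are being refused; the log lines are constructed to match the netfilter LOG format (SRC=, DST=, PROTO=, DPT= fields), and the addresses in them are made up for the example.

```shell
#!/bin/bash
# Added example, not from the original post: summarise what the firewall's
# LOG rules emit. Lines carrying 'IPTABLES INPUT DROP:' or
# 'IPTABLES FORWARD DROP:' are grouped by source, destination and port so an
# admin can see which PPTP clients keep hitting servers they are not allowed
# to reach. SAMPLE_LOG is constructed; real lines come from /var/log/messages.

SAMPLE_LOG=$(cat <<'EOF'
Jul 27 13:10:01 pptp kernel: IPTABLES FORWARD TCP ACCEPT:IN=ppp0 OUT=eth1 SRC=192.168.0.91 DST=192.168.55.17 LEN=60 PROTO=TCP SPT=3341 DPT=80 SYN
Jul 27 13:10:05 pptp kernel: IPTABLES FORWARD DROP:IN=ppp1 OUT=eth1 SRC=192.168.0.77 DST=192.168.55.8 LEN=40 PROTO=TCP SPT=1055 DPT=25 ACK
Jul 27 13:10:06 pptp kernel: IPTABLES FORWARD DROP:IN=ppp1 OUT=eth1 SRC=192.168.0.77 DST=192.168.55.8 LEN=40 PROTO=TCP SPT=1056 DPT=25 ACK
Jul 27 13:10:09 pptp kernel: IPTABLES INPUT DROP:IN=eth0 OUT= SRC=203.0.113.5 DST=202.85.33.44 LEN=40 PROTO=TCP SPT=44321 DPT=22 FIN
EOF
)

# drop_summary: read log text on stdin and print "count src dst proto/dport"
# for every DROP-prefixed line, most frequent first. ACCEPT lines are ignored.
drop_summary() {
    awk '
        /IPTABLES (INPUT|FORWARD) DROP:/ {
            src = dst = proto = dpt = "?"
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "SRC") src = kv[2]
                else if (kv[1] == "DST") dst = kv[2]
                else if (kv[1] == "PROTO") proto = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
            }
            n[src " " dst " " proto "/" dpt]++
        }
        END { for (k in n) print n[k], k }
    ' | sort -rn
}

# drop_count ADDR: number of DROP-prefixed sample lines whose SRC is ADDR
# (the trailing space stops 192.168.0.7 from also matching 192.168.0.77).
drop_count() {
    printf '%s\n' "$SAMPLE_LOG" | grep -c "DROP:.*SRC=$1 " || true
}

printf '%s\n' "$SAMPLE_LOG" | drop_summary
```

On the real server, replace the sample with `grep 'IPTABLES .* DROP:' /var/log/messages | drop_summary`.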
-----------------------------------------------------------
  for LAN in ${ACCEPT_ERP_OA_HOSTS} ; do

$IPTABLES -A FORWARD -i ppp+ -o eth1 -s ${LAN} -d 192.168.55.17 -j ACCEPT
$IPTABLES -A FORWARD -i ppp+ -o eth1 -s ${LAN} -d 192.168.55.91 -j ACCEPT
echo ""
echo ${LAN} Access to Externel.....ACCEPT erp and oa access [OK]
done

for LAN in ${ACCEPT_inMAIL_HOSTS} ; do
$IPTABLES -A FORWARD -i ppp+ -o eth1 -s ${LAN} -d 192.168.55.8 -j ACCEPT
echo ""
echo ${LAN} Access to Externel.....ACCEPT inmail access [OK]
done


These two parts are far too inefficient.
Consider using -N NEW_CHAIN and -m iprange to improve performance.


-m iprange needs a kernel module, and some systems don't have that patch module, so it can't be used (otherwise the script won't work when other people take it and use it!). Besides, the variable form ACCEPT_ERP_OA_HOSTS is easier to manage.
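The per-host loops in the script and the comment thread above both concern the same thing: one FORWARD rule per host makes every forwarded packet walk a very long chain. The following is an added example, not the author's firewall.sh, showing the middle ground the reply leaves open: keep the host-list variables, but put each group's source test in its own user-defined chain (plain -N and -s, no iprange module) and emit the whole table in iptables-restore syntax so it is loaded atomically. The host lists are shortened from the post; the server addresses (192.168.55.17 and .91 for ERP/OA, 192.168.55.8 for inmail) are the ones the script uses.

```shell
#!/bin/bash
# Added example, not the original firewall.sh: per-group ACCEPT rules rebuilt
# as user-defined chains in iptables-restore syntax. FORWARD holds one jump
# per protected server; the per-host -s test lives in a short chain, so a
# packet no longer walks one FORWARD rule per host. Only -N style chains and
# plain -s matches are used, so no iprange module is needed.
# Host lists are shortened from the post for the example.
ACCEPT_ERP_OA_HOSTS="192.168.0.91 192.168.0.90 192.168.0.85"
ACCEPT_inMAIL_HOSTS="192.168.0.91 192.168.0.67"

rule() { printf '%s\n' "$*"; }   # one line of restore syntax

# group_rules NAME "dests" "hosts": jump from FORWARD into chain NAME for pptp
# clients (ppp+) heading to each dest on eth1; inside NAME accept each host.
# A host that is not listed falls out of the chain back into FORWARD.
group_rules() {
    local name=$1 dests=$2 hosts=$3 d h
    for d in $dests; do
        rule "-A FORWARD -i ppp+ -o eth1 -d $d -j $name"
    done
    for h in $hosts; do
        rule "-A $name -s $h -j ACCEPT"
    done
}

# gen_ruleset: print a complete *filter table for iptables-restore.
gen_ruleset() {
    rule '*filter'
    rule ':INPUT DROP [0:0]'
    rule ':FORWARD DROP [0:0]'
    rule ':OUTPUT ACCEPT [0:0]'
    rule ':ERP_OA - [0:0]'            # user chains are declared up front
    rule ':INMAIL - [0:0]'
    rule '-A INPUT -i lo -j ACCEPT'
    rule '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    rule '-A INPUT -p 47 -j ACCEPT'                 # GRE carries the tunnel
    rule '-A INPUT -p tcp --dport 1723 -j ACCEPT'   # PPTP control channel
    rule '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
    group_rules ERP_OA "192.168.55.17 192.168.55.91" "$ACCEPT_ERP_OA_HOSTS"
    group_rules INMAIL "192.168.55.8" "$ACCEPT_inMAIL_HOSTS"
    # whatever no chain accepted is logged (rate-limited), then policy DROPs it
    rule '-A FORWARD -i ppp+ -m limit --limit 5/min -j LOG --log-prefix "IPTABLES FORWARD DROP:"'
    rule 'COMMIT'
}

# No argument: only print the ruleset for review. "load": apply it atomically
# (needs root), e.g. ./pptp-chains.sh load
case "${1:-show}" in
    load) gen_ruleset | iptables-restore ;;
    *)    gen_ruleset ;;
esac
```

Because the table is generated rather than applied rule by rule, `./pptp-chains.sh | iptables-restore --test` can validate it before anything changes on the live server.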