[ubuntu]防火牆實作

發表於 2019-12-15 sairwolf

環境ubuntu 16.04
 

做為防火牆的主機需有兩張網卡
用ifconfig指令可以看到網卡名稱

現今ubuntu系統會以BIOS中網卡的名稱作為預設名稱
改法:
編輯/etc/default/grub
#GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash net.ifnames=0 biosdevname=0"
再執行
update-grub
reboot

eth0:192.168.1.11對外
eth1:192.168.0.3對內 不設通訊閘

clear.sh
  

#!/bin/sh
IPTABLES="/sbin/iptables"

/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp

###-----------------------------------------------------###
# 打開 forward
###-----------------------------------------------------###
#echo "Enable ip_forward ......"
#echo

echo "1" > /proc/sys/net/ipv4/ip_forward

###-----------------------------------------------------###
# 清除先前的設定
###-----------------------------------------------------###
echo "Flush fiter table ......"
echo

# Flush filter
$IPTABLES -F
$IPTABLES -X

echo "Flush mangle table ......"
echo
# Flush mangle
$IPTABLES -F -t mangle
$IPTABLES -t mangle -X


echo "Flush nat table ......"
echo
# Flush nat
$IPTABLES -F -t nat
$IPTABLES -t nat -X

###-----------------------------------------------------###
# 設定 filter table 的預設政策
###-----------------------------------------------------###
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT

 

分享
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j MASQUERADE
 

DHCP
apt install isc-dhcp-server
編輯/etc/default下的isc-dhcp-server
INTERFACES="eth1"

/etc/dhcp/dhcpd.conf 

subnet 192.168.0.0 netmask 255.255.255.0 {
  range 192.168.0.201 192.168.0.250;
  option domain-name-servers 168.95.1.1;
#  option domain-name "internal.example.org";
#  option subnet-mask 255.255.255.224;
  option routers 192.168.0.3;
  option broadcast-address 192.168.0.255;
  default-lease-time 600;
  max-lease-time 7200;
}

#subnet 192.168.1.0 netmask 255.255.255.0 {
#}

 

service isc-dhcp-server restart 重啟dhcpd

service isc-dhcp-server status 可以看到目前dhcpd的狀態 

● isc-dhcp-server.service - ISC DHCP IPv4 server
   Loaded: loaded (/lib/systemd/system/isc-dhcp-server.service; enabled; vendor preset
   Active: active (running) since 日 2019-12-15 03:57:46 CST; 1h 26min ago
     Docs: man:dhcpd(8)
 Main PID: 1739 (dhcpd)
   CGroup: /system.slice/isc-dhcp-server.service
           └─1739 dhcpd -user dhcpd -group dhcpd -f -4 -pf /run/dhcp-server/dhcpd.pid -cf /etc/dhcp/dhcpd.conf eth1

12月 15 05:02:02 sa-5750G dhcpd[1739]: DHCPREQUEST for 192.168.0.201 from 94:de:80:xx:
12月 15 05:02:02 sa-5750G dhcpd[1739]: DHCPACK on 192.168.0.201 to 94:de:80:xx:xx:xx (
12月 15 05:07:02 sa-5750G dhcpd[1739]: DHCPREQUEST for 192.168.0.201 from 94:de:80:xx:
12月 15 05:07:02 sa-5750G dhcpd[1739]: DHCPACK on 192.168.0.201 to 94:de:80:xx:xx:xx (
12月 15 05:12:02 sa-5750G dhcpd[1739]: DHCPREQUEST for 192.168.0.201 from 94:de:80:xx:
12月 15 05:12:02 sa-5750G dhcpd[1739]: DHCPACK on 192.168.0.201 to 94:de:80:e9:5e:df (
12月 15 05:17:03 sa-5750G dhcpd[1739]: DHCPREQUEST for 192.168.0.201 from 94:de:80:xx:
12月 15 05:17:03 sa-5750G dhcpd[1739]: DHCPACK on 192.168.0.201 to 94:de:80:xx:xx:xx (
12月 15 05:22:03 sa-5750G dhcpd[1739]: DHCPREQUEST for 192.168.0.201 from 94:de:80:xx:
12月 15 05:22:03 sa-5750G dhcpd[1739]: DHCPACK on 192.168.0.201 to 94:de:80:xx:xx:xx (

 

 

配發的ip會記錄在/var/lib/dhcp/dhcpd.leases


iptables實作
iptables規則列撰原則
特例一
特例二
特例三
…….
預設規則

只允許可以上scratch.mit.edu 

iptables -A FORWARD -o eth0 -p tcp -d scratch.mit.edu --dport 80 -j ACCEPT
iptables -A FORWARD -o eth0 -p tcp -d scratch.mit.edu --dport 443 -j ACCEPT
iptables -A FORWARD -o eth0 -p tcp --dport 80 -j DROP
iptables -A FORWARD -o eth0 -p tcp --dport 443 -j DROP

結果scratch.mit.edu是個龐大的網站有很多IP
連到首頁還可以,往下的連結會有問題

安裝iptraf檢視連線的IP
apt install iptraf

另一套檢視連線軟體
apt install tcptrack
tcptrack -i eth1

  

#!/bin/sh
iptables -A FORWARD -o eth0 -p tcp -d scratch.mit.edu --dport 80 -j ACCEPT
iptables -A FORWARD -o eth0 -p tcp -d scratch.mit.edu --dport 443 -j ACCEPT
iptables -A FORWARD -o eth0 -p tcp -d 151.101.230.133 --dport 80 -j ACCEPT
iptables -A FORWARD -o eth0 -p tcp -d 151.101.230.133 --dport 443 -j ACCEPT
#以下的IP也要開放才會正常(應該是google的IP)
iptables -A FORWARD -o eth0 -p tcp -d 172.217.0.0/16 --dport 443 -j ACCEPT
iptables -A FORWARD -o eth0 -p tcp --dport 80 -j DROP
iptables -A FORWARD -o eth0 -p tcp --dport 443 -j DROP

 

本篇發表於 Linux系統。將永久鏈結加入書籤。