I am publishing a part of my configuration files — to be precise, just the configuration files themselves — so as not to forget or lose them, and perhaps to help someone. All these configs were prepared for Debian squeeze (currently testing) but, by inheritance, should also work on Ubuntu.
These configuration files include:
Setting up basic, reliable repositories for debian (the yandex repository is listed in the config)
Network configuration file, including a turnkey solution for organizing a wifi ad-hoc network (Atheros-based wifi; madwifi has some peculiarities)
Configuration for working with dns servers, including additional backup ones.
Dhcp server configuration, adapted to work with two network cards
The script allows you to run iptables like any other daemon (iptables config itself is missing).
1. apt
PS: The settings in /etc/apt/preferences are only useful if you use several different repositories at once, for example stable together with unstable; this solution reduces the likelihood of errors.
/etc/apt/preferences
#Package: *
#Pin: release a=squeeze
#Pin-Priority: 600

#Package: *
#Pin: release a=squeeze-backports
#Pin-Priority: 500

Package: *
Pin: release a=testing
Pin-Priority: 450

Package: *
Pin: release a=unstable
Pin-Priority: 400

Package: *
Pin: release a=experimental
Pin-Priority: 350
Here are the main repositories, with an emphasis on the Yandex mirror as the nearest one.
/etc/apt/sources.list
# Yandex mirror [HTTP]
# Main Debian mirror
#deb http://mirror.yandex.ru/debian lenny main contrib non-free
deb http://mirror.yandex.ru/debian squeeze main contrib non-free
#deb http://mirror.yandex.ru/debian unstable main contrib non-free
#deb http://mirror.yandex.ru/debian experimental main contrib non-free
# Main Debian mirror [source]
#deb-src http://mirror.yandex.ru/debian lenny main contrib non-free
deb-src http://mirror.yandex.ru/debian squeeze main contrib non-free
#deb-src http://mirror.yandex.ru/debian unstable main contrib non-free
#deb-src http://mirror.yandex.ru/debian experimental main contrib non-free
# Security fix
#deb http://mirror.yandex.ru/debian-security lenny/updates main contrib non-free
deb http://mirror.yandex.ru/debian-security squeeze/updates main contrib non-free
# Security fix [source]
#deb-src http://mirror.yandex.ru/debian-security lenny/updates main contrib non-free
deb-src http://mirror.yandex.ru/debian-security squeeze/updates main contrib non-free
# Volatile
#deb http://mirror.yandex.ru/debian-volatile lenny/volatile main contrib non-free
#deb http://mirror.yandex.ru/debian-volatile lenny/volatile-sloppy main contrib non-free
# Volatile [source]
#deb-src http://mirror.yandex.ru/debian-volatile lenny/volatile main contrib non-free
#deb-src http://mirror.yandex.ru/debian-volatile lenny/volatile-sloppy main contrib non-free
# Backports
#deb http://mirror.yandex.ru/backports.org lenny-backports main contrib non-free
# Backports [source]
#deb-src http://mirror.yandex.ru/backports.org lenny-backports main contrib non-free
# Debian-multimedia
#deb http://mirror.yandex.ru/debian-multimedia lenny main
deb http://mirror.yandex.ru/debian-multimedia squeeze main
#deb http://mirror.yandex.ru/debian-multimedia unstable main
#deb http://mirror.yandex.ru/debian-multimedia experimental main
# Debian-multimedia [source]
#deb-src http://mirror.yandex.ru/debian-multimedia lenny main
deb-src http://mirror.yandex.ru/debian-multimedia squeeze main
#deb-src http://mirror.yandex.ru/debian-multimedia unstable main
#deb-src http://mirror.yandex.ru/debian-multimedia experimental main
# Opera
#deb http://mirror.yandex.ru/debian-opera lenny non-free
#deb http://deb.opera.com/opera squeeze non-free
#deb http://deb.opera.com/opera unstable non-free
#deb http://mirror.yandex.ru/debian-opera sid non-free
# Virtualbox
#deb http://download.virtualbox.org/virtualbox/debian lenny non-free
Network settings
2. Network
/etc/resolv.conf
# local dns server
#nameserver localhost
# homenet dns servers
nameserver *.*.*.*
nameserver *.*.*.*
# centertelecom dns servers
nameserver 213.140.228.218
nameserver 213.140.231.3
# google dns servers
nameserver 8.8.8.8
nameserver 8.8.4.4
# opendns dns servers
nameserver 208.67.222.222
nameserver 208.67.220.220
/etc/network/interfaces
# The loopback network interface
auto lo
iface lo inet loopback
address 127.0.0.1
netmask 255.0.0.0
# The primary network interface
allow-hotplug eth0
allow-hotplug eth1
# External card
auto eth1
#iface eth1 inet dhcp
iface eth1 inet static
address *.*.*.*
network *.*.*.*
netmask *.*.*.*
broadcast *.*.*.255
gateway *.*.*.*
# Intranet card
auto eth0
#iface eth0 inet dhcp
iface eth0 inet static
address 192.168.20.1
network 192.168.20.0
netmask 255.255.255.0
broadcast 192.168.20.255
#gateway 192.168.10.2
WiFi card:
# WiFi card, Ad-Hoc mode
auto wlan0
iface wlan0 inet static
address 192.168.40.1
network 192.168.40.0
netmask 255.255.255.0
broadcast 192.168.40.255
wireless-mode ad-hoc
wireless-channel 7
wireless-rate 54M
# wireless-rate auto
wireless-essid adhoc
#gateway 192.168.40.2
/etc/dhcp3/dhcpd.conf
# Configuration for 2 interfaces with 2 subnets
ddns-update-style none;
# Domain name, DNS server and IP address lease time for clients, by default, a week, maximum 10 days.
option domain-name "my dns server";
option domain-name-servers 213.140.228.218, 213.140.231.3;
default-lease-time 604800;
max-lease-time 864001;
# Logging server operation
log facility local7;
# Subnet of addresses for issuing to clients, DNS domain name, broadcast address, and range of issued addresses.
subnet 192.168.20.0 netmask 255.255.255.0 {
range 192.168.20.10 192.168.20.20;
option domain-name-servers 213.140.228.218, 213.140.231.3;
# option domain-name-servers 192.168.20.1;
option domain-name "my dns server";
option routers 192.168.20.1;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.20.255;
option ntp-servers 192.168.20.1;
option netbios-name-servers 192.168.20.1; # WINS
option netbios-dd-server 192.168.20.1; # SMB
default-lease-time 604800;
max-lease-time 864001;
filename "pxelinux.0";
}
subnet 192.168.40.0 netmask 255.255.255.0 {
range 192.168.40.10 192.168.40.30;
option domain-name-servers 213.140.228.218, 213.140.231.3;
# option domain-name-servers 192.168.40.1;
option domain-name "my dns server";
option routers 192.168.40.1;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.40.255;
default-lease-time 604800;
max-lease-time 864001;
}
/etc/init.d/iptablesd
#!/bin/bash
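# DESCRIPTION: iptables AS SERVICE — loads and unloads the rule scripts kept in
# /etc/iptables so the firewall can be started and stopped like any daemon.
### BEGIN INIT INFO
# Provides:          iptablesd
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: iptables firewall rules
# Description:       Runs /etc/iptables/iptables_start on start and
#                    /etc/iptables/iptables_stop on stop; "status" lists the
#                    filter table and the tc state of the external card.
### END INIT INFO
set -u

# Absolute paths: an init script must not depend on PATH to find its tools.
IPTABLES=/sbin/iptables
TC=/sbin/tc
# Directory holding the start/stop rule scripts (both must be chmod +x).
RULES_DIR=/etc/iptables
# External card whose qdisc/class/filter statistics "status" reports.
EXTIF=eth1

case "${1:-}" in
  # Start command: load the firewall rules
  start)
    # Both rule scripts carry a bash shebang, so run them with bash, not sh.
    bash "$RULES_DIR/iptables_start"
    ;;
  # Stop command: unload the rules
  stop)
    bash "$RULES_DIR/iptables_stop"
    ;;
  # Restart command: stop, then start again
  restart)
    "$0" stop
    "$0" start
    ;;
  # Status command: show the active rules and the traffic-control state
  status)
    #"$IPTABLES" -t nat -n -L -v
    #"$IPTABLES" -L -v
    "$IPTABLES" -L -n -v
    echo "[qdisc IN]"
    "$TC" -s qdisc show dev "$EXTIF"
    echo "[class IN]"
    "$TC" -s class show dev "$EXTIF"
    echo "[filter IN]"
    "$TC" -s filter show dev "$EXTIF"
    ;;
  # Anything else: print the supported commands
  *)
    echo "Usage: $0 {start|stop|restart|status}" >&2
    ;;
esac
exit 0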
/etc/iptables/iptables_start
This file should contain a start-up script that configures iptables. I don't include my own yet, since it is still being configured; upon completion I will most likely write a separate post and publish it there. Ready-made solutions can be found in abundance on the Internet — simply add one to this file.
PS: All files related to iptables must be made executable with chmod +x:
chmod +x /etc/init.d/iptablesd
chmod +x /etc/iptables/iptables_start
chmod +x /etc/iptables/iptables_stop
PPS: Since this note is still of interest to some, I decided to add a simplified version of the iptables script, which includes some protective rules and NAT.
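#!/bin/bash
# Firewall script compiled by sdm 06 2010
# /etc/iptables/iptables_start: flush every table, set the default policies,
# add the stateful rules and enable forwarding + masquerading on the external
# card. Must run as root (normally via "/etc/init.d/iptablesd start").
set -u
# -------------------------------------------------------------------------------
# DETERMINING UTILITIES (absolute paths: do not rely on PATH for the firewall):
IPTABLES=/sbin/iptables
IFCONFIG=/sbin/ifconfig
SED=/bin/sed

# iface_field IFACE FIELD
# Prints the value that ifconfig shows for FIELD ("addr" or "Mask") on IFACE,
# or nothing if no line of the old "inet addr:... Mask:..." form is present.
# The result is only used in the informational echo lines below; the rules
# themselves refer to interface names, not to these addresses.
iface_field() {
  "$IFCONFIG" "$1" | "$SED" -n "s/.*$2:\([^ ]\{1,\}\).*/\1/p"
}

# -------------------------------------------------------------------------------
# DETERMINING INTERFACES:
# External card
EXTIF="eth1"
EXTIP=$(iface_field "$EXTIF" addr)
EXTMSK=$(iface_field "$EXTIF" Mask)
EXTNET="$EXTIP/$EXTMSK"
# Intranet card
INTIF="eth0"
INTIP=$(iface_field "$INTIF" addr)
INTMSK=$(iface_field "$INTIF" Mask)
INTNET="$INTIP/$INTMSK"
# WiFi card
WIFIIF="wlan0"
WIFIIP=$(iface_field "$WIFIIF" addr)
WIFIMSK=$(iface_field "$WIFIIF" Mask)
WIFINET="$WIFIIP/$WIFIMSK"
# Loop device / localhost
LPDIF="lo"
LPDIP="127.0.0.1"
LPDMSK="255.0.0.0"
LPDNET="$LPDIP/$LPDMSK"

echo "External Interface: $EXTIF $EXTNET"
echo "Internal Interface: $INTIF $INTNET"
echo "Wireless Interface: $WIFIIF $WIFINET"
echo "Loop device / localhost: $LPDIF $LPDNET"

# -------------------------------------------------------------------------------
# RETURN PREVIOUS SETTINGS:
echo "Firewall: Clearing rules .."
# Delete the rules
"$IPTABLES" -F
"$IPTABLES" -t nat -F
"$IPTABLES" -t mangle -F
# Clearing non-standard (user-defined) chains
"$IPTABLES" -X
"$IPTABLES" -t nat -X
"$IPTABLES" -t mangle -X

# -------------------------------------------------------------------------------
# DEFINE DEFAULT POLICY:
# Deny all incoming connections
# NOTE(review): nothing below accepts NEW connections except ping, so any
# service this host offers to the LAN (dhcpd.conf advertises NTP and WINS on
# 192.168.20.1) needs its own ACCEPT rule here if it runs on this machine.
"$IPTABLES" -P INPUT DROP
# Allow all outgoing connections
"$IPTABLES" -P OUTPUT ACCEPT
# Allow all passing (nat) connections
# NOTE(review): ACCEPT applies to every direction, so packets arriving on
# $EXTIF may also be forwarded into the eth0/wlan0 subnets. If only LAN->WAN
# traffic is wanted, use "-P FORWARD DROP" plus explicit
# "-A FORWARD -i $INTIF -o $EXTIF -j ACCEPT" rules per internal interface.
"$IPTABLES" -P FORWARD ACCEPT

# Stateful rules. Resulting INPUT order: non-SYN NEW drop, INVALID drop,
# ESTABLISHED/RELATED accept, loopback accept, spoofed-loopback drop, ping accept.
# Block all attempts to open an incoming TCP connection with a non-SYN packet.
"$IPTABLES" -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
# Drop all packets that cannot be identified and therefore cannot have a certain state
# (the FORWARD rule needs the "-j DROP" target, otherwise it only counts matches).
"$IPTABLES" -A INPUT -m conntrack --ctstate INVALID -j DROP
"$IPTABLES" -A FORWARD -m conntrack --ctstate INVALID -j DROP
# Allow all packets in established sessions
"$IPTABLES" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# We allow the passage of any traffic on the loopback interface.
"$IPTABLES" -A INPUT -i "$LPDIF" -j ACCEPT
"$IPTABLES" -A OUTPUT -o "$LPDIF" -j ACCEPT
# Loopback addresses arriving on any other interface are spoofed: drop them.
"$IPTABLES" -A INPUT -s "$LPDNET" ! -i "$LPDIF" -j DROP

# -------------------------------------------------------------------------------
# ENABLING IP FORWARDING IN THE KERNEL:
echo "Firewall: Enabling forwarding .."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "Firewall: Enabling DynamicAddr .."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
# Turn on masquerading to allow Internet access
echo "Firewall: Enabling SNAT (MASQUERADE) functionality on $EXTIF"
"$IPTABLES" -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE

# -------------------------------------------------------------------------------
# INSTALL PERMISSIONS
# From incoming ICMP packets, we allow PING
"$IPTABLES" -A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
echo "Firewall: started ..."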
The /etc/iptables/iptables_stop script is written following the rules in /etc/iptables/iptables_start, but in case someone has difficulties, here is my script, which disables NAT forwarding and prohibits new incoming connections.
/etc/iptables/iptables_stop
#!/bin/bash
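# -------------------------------------------------------------------------------
# /etc/iptables/iptables_stop: unload the firewall. Flushes every table and
# leaves a minimal closed policy: no forwarding, no NAT, no new incoming
# connections, while established sessions may finish. Must run as root
# (normally via "/etc/init.d/iptablesd stop").
set -u
# -------------------------------------------------------------------------------
# DETERMINING UTILITIES (absolute path: do not rely on PATH for the firewall):
IPTABLES=/sbin/iptables
# Loop device / localhost
LPDIF="lo"
LPDNET="127.0.0.1/255.0.0.0"
# -------------------------------------------------------------------------------
# RETURN PREVIOUS SETTINGS:
echo "Firewall: Clearing rules and setting default policy .."
# Delete the rules
"$IPTABLES" -F
"$IPTABLES" -t nat -F
"$IPTABLES" -t mangle -F
# Clearing non-standard (user-defined) chains
"$IPTABLES" -X
"$IPTABLES" -t nat -X
"$IPTABLES" -t mangle -X
# -------------------------------------------------------------------------------
# DEFINE DEFAULT POLICY:
# Deny all incoming connections
"$IPTABLES" -P INPUT DROP
# Allow all outgoing connections
"$IPTABLES" -P OUTPUT ACCEPT
# Forbid passing (nat) connections
"$IPTABLES" -P FORWARD DROP
# Allow packets in established sessions (same conntrack match as
# iptables_start; "-m state --state" is only the older alias of it)
"$IPTABLES" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Drop all packets that cannot be identified and therefore cannot have a certain state.
"$IPTABLES" -A INPUT -m conntrack --ctstate INVALID -j DROP
"$IPTABLES" -A FORWARD -m conntrack --ctstate INVALID -j DROP
# We allow the passage of any traffic on the loopback interface.
"$IPTABLES" -A INPUT -i "$LPDIF" -j ACCEPT
"$IPTABLES" -A OUTPUT -o "$LPDIF" -j ACCEPT
# Loopback addresses arriving on any other interface are spoofed: drop them.
"$IPTABLES" -A INPUT -s "$LPDNET" ! -i "$LPDIF" -j DROP
# We prohibit any new connections from any interface except lo to the computer
# (explicit, although the INPUT policy above already drops them).
"$IPTABLES" -A INPUT ! -i "$LPDIF" -m conntrack --ctstate NEW -j DROP
# -------------------------------------------------------------------------------
# TURN OFF IP FORWARDING IN THE KERNEL:
echo "Firewall: Disabling forwarding .."
echo "0" > /proc/sys/net/ipv4/ip_forward
echo "Firewall: Disabling DynamicAddr .."
echo "0" > /proc/sys/net/ipv4/ip_dynaddr
echo "Firewall stopped ..."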