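#!/usr/bin/env bash
# iptables how-to (notes by william, IC/Unicamp).
# Reference: http://www.students.ic.unicamp.br/~william/people/router-nat/iptables.html
#
# Quick flag reference
#   -A INPUT|OUTPUT|FORWARD       append: the rule goes at the bottom of the chain
#   -I INPUT|OUTPUT|FORWARD       insert: the rule goes at the top of the chain
#   -p tcp|udp                    protocol
#   --dport PORT / --sport PORT   a single port (e.g. 22) or a range written
#                                 LOW:HIGH (e.g. 1:65535) - the separator is ':'
#   -i eth0, eth1, ...            input interface
#   -o eth0, eth1, ...            output interface
#   -j ACCEPT|DROP|LOG|DNAT|SNAT  target
#   -d ADDR[/0..32]               destination, 0.0.0.0 to 255.255.255.255, prefix /0 to /32
#   -s ADDR[/0..32]               source, same notation
#   -m state --state NEW,ESTABLISHED,RELATED   connection-tracking match
#   -t nat -A|-I POSTROUTING|PREROUTING        chains of the nat table
#   -N CHAIN                      create a chain, then fill it with -A/-I ... -j ...

## NAT
## eth1 = private internal network, eth0 = Internet
iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -P OUTPUT ACCEPT
iptables -F OUTPUT
iptables -P FORWARD DROP
iptables -F FORWARD
# Internal hosts may open connections towards the Internet ...
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
# ... and only traffic belonging to those connections is let back in.
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
# The nat table is not flushed above, so re-running this section appends a
# second MASQUERADE rule; list with --line-numbers and delete the extra one
# (see the examples below).
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Examples: list rules with their position, then delete one by position.
#   iptables -L --line-numbers
#   iptables -D INPUT 3
# or, for the nat table:
#   iptables -t nat -D POSTROUTING 1

## IPv6: log and drop a source that opens more than 4 new SSH connections
## within 60 seconds.
ip6tables -N LOGDROP
ip6tables -A LOGDROP -j LOG
ip6tables -A LOGDROP -j DROP
# Both rules are inserted at the top of INPUT, so the --update rule (inserted
# last) ends up first: a source already over the limit is sent to LOGDROP
# before the --set rule records the packet.
ip6tables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
ip6tables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j LOGDROP

## Virtual Server and Hairpin NAT
# Expected from the environment (not defined on this page):
#   IPTABLES              iptables command (defaults to "iptables")
#   IF_EXT / IF_INT       external / internal interface
#   LAN_ALL               source range allowed to reach the virtual server from outside
#   D_PROTO               tcp or udp
#   D_IN_PORT             port published on the gateway's public address
#   D_NAT_IP / D_NAT_PORT internal server and port the traffic is forwarded to
IPTABLES=${IPTABLES:-iptables}
: "${IF_EXT:?}" "${IF_INT:?}" "${LAN_ALL:?}" "${D_PROTO:?}" "${D_IN_PORT:?}" "${D_NAT_IP:?}" "${D_NAT_PORT:?}"
# Placeholders: replace with the gateway's public and private addresses.
ME_EXT=ip_publico_gw
ME_INT=ip_privado_gw

# External -> internal
$IPTABLES -t nat -A PREROUTING -i "$IF_EXT" -s "$LAN_ALL" -p "$D_PROTO" -d "$ME_EXT" --dport "$D_IN_PORT" -j DNAT --to "${D_NAT_IP}:${D_NAT_PORT}"
$IPTABLES -t filter -A FORWARD -i "$IF_EXT" -s "$LAN_ALL" -p "$D_PROTO" -d "$D_NAT_IP" --dport "$D_NAT_PORT" -j ACCEPT

# Internal -> internal via the public address (hairpin)
$IPTABLES -t nat -A PREROUTING -i "$IF_INT" -p "$D_PROTO" -d "$ME_EXT" --dport "$D_IN_PORT" -j DNAT --to "${D_NAT_IP}:${D_NAT_PORT}"
# filter/FORWARD runs after nat/PREROUTING and sees the already-rewritten
# destination, so this rule must match the internal server
# (D_NAT_IP:D_NAT_PORT) exactly like the external->internal rule above.
# Matching on ME_EXT:D_IN_PORT here never fires, and with the FORWARD policy
# set to DROP the hairpin traffic is silently discarded.
# 10.0.0.0/22 is presumably the internal LAN - confirm it matches IF_INT's network.
$IPTABLES -t filter -A FORWARD -i "$IF_INT" -s 10.0.0.0/22 -p "$D_PROTO" -d "$D_NAT_IP" --dport "$D_NAT_PORT" -j ACCEPT
# Rewrite the source to the gateway's internal address so the server answers
# through the gateway instead of replying straight to the client.
$IPTABLES -t nat -A POSTROUTING -o "$IF_INT" -p "$D_PROTO" -d "$D_NAT_IP" --dport "$D_NAT_PORT" -j SNAT --to-source "$ME_INT"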