iptables
How To william ic
-A INPUT,OUTPUT,FORWARD (abaixo de tudo)
-I INPUT,OUTPUT,FORWARD (acima de tudo)
-p tcp,udp
--dport 1-65000 ou 22
--sport 1-65000 ou 22
-i eth0,1,...
-o eth0,1,...
-j ACCEPT,DROP,LOG,DNAT,SNAT
-d 0.0.0.0 a 255.255.255.255 /0 a 32
-s 0.0.0.0 a 255.255.255.255 /0 a 32
-m state --state NEW,ESTABLISHED,RELATED
-t nat
-A POSTROUTING,PREROUTING
-I POSTROUTING,PREROUTING
-N <CHAIN> (nome da nova chain)
-A <CHAIN>
-I <CHAIN>
-j <CHAIN>
** NAT
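## ETH1: private internal network
## ETH0: Internet (upstream)
#
# Minimal NAT gateway: hosts on eth1 reach the Internet through eth0 with
# source masquerading; only reply traffic is forwarded back in.
#
# The FORWARD rules below never see a packet unless the kernel is allowed
# to route between interfaces, so enable that first.
sysctl -w net.ipv4.ip_forward=1

# Reset the filter chains. INPUT and OUTPUT are left open (policy ACCEPT):
# any service listening on the gateway itself is reachable from eth0, so
# restrict INPUT on eth0 separately when the gateway is exposed.
iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -P OUTPUT ACCEPT
iptables -F OUTPUT
# Nothing is forwarded unless one of the rules below accepts it.
iptables -P FORWARD DROP
iptables -F FORWARD

# LAN -> Internet: anything arriving on eth1 may leave via eth0.
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
# Internet -> LAN: only packets that belong to (or are related to) a
# connection the LAN opened are let back in; unsolicited inbound is dropped.
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Rewrite the source of packets leaving eth0 to eth0's own address.
# MASQUERADE reads the interface address at match time, which suits a
# dynamically assigned upstream address.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE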
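# List the filter table with rule numbers. -n skips reverse-DNS lookups
# (slow, and they hand every address in the ruleset to the resolver);
# -v adds interfaces and counters so the right rule can be identified.
iptables -L -n -v --line-numbers
# Delete by position. Numbers are per chain and shift after each delete,
# so list again before removing another rule.
iptables -D INPUT 3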
OR
# Same idea for the nat table; rule numbers are per table and per chain,
# so list that table (-t nat -L --line-numbers) before choosing the index.
iptables --table nat --delete POSTROUTING 1
http://www.students.ic.unicamp.br/~william/people/router-nat/iptables.html
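# IPv6: block a source that opens more than 4 new SSH connections within 60 s.
#
# Chain that logs and then drops. The LOG rule is rate-limited so a flood
# cannot fill the log, and prefixed so log monitoring can match it.
# Not idempotent: -N fails if LOGDROP already exists and re-running the
# -A/-I lines would add duplicate rules.
ip6tables -N LOGDROP
ip6tables -A LOGDROP -m limit --limit 5/min -j LOG --log-prefix "LOGDROP: "
ip6tables -A LOGDROP -j DROP

# Both rules are inserted (-I), so the second one ends up above the first:
# an attempt is checked against the entries already recorded for that
# source before the attempt itself is recorded. A named list keeps the SSH
# tracking separate from any other use of the recent module on the host.
ip6tables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --name SSH --set
ip6tables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --name SSH --update --seconds 60 --hitcount 4 -j LOGDROP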
VirtualServer e Hairpin NAT
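# Virtual server with hairpin NAT: a service on the internal host
# D_NAT_IP:D_NAT_PORT is published on the gateway's public address
# ME_EXT:D_IN_PORT, and internal clients can reach it through that public
# address too.
#
# Expected to be set by the caller: IPTABLES (path to the binary), IF_EXT,
# IF_INT, LAN_ALL (source filter on the external side — presumably the
# allowed client range, confirm), D_PROTO, D_IN_PORT, D_NAT_IP, D_NAT_PORT.
# The two gateway addresses below are placeholders to be replaced.
ME_EXT=ip_publico_gw   # public address of the gateway
ME_INT=ip_privado_gw   # internal address of the gateway
LAN_INT=10.0.0.0/22    # internal LAN (previously hard-coded in the Int->Int rule)

# Ext -> Int
"$IPTABLES" -t nat -A PREROUTING -i "$IF_EXT" -s "$LAN_ALL" -p "$D_PROTO" -d "$ME_EXT" --dport "$D_IN_PORT" -j DNAT --to "${D_NAT_IP}:${D_NAT_PORT}"
# FORWARD runs after the DNAT, so it must match the translated destination.
"$IPTABLES" -t filter -A FORWARD -i "$IF_EXT" -s "$LAN_ALL" -p "$D_PROTO" -d "$D_NAT_IP" --dport "$D_NAT_PORT" -j ACCEPT

# Int -> Int (hairpin)
"$IPTABLES" -t nat -A PREROUTING -i "$IF_INT" -p "$D_PROTO" -d "$ME_EXT" --dport "$D_IN_PORT" -j DNAT --to "${D_NAT_IP}:${D_NAT_PORT}"
# Same as above: by the time the hairpinned packet reaches FORWARD its
# destination is already D_NAT_IP:D_NAT_PORT, so a rule matching
# ME_EXT:D_IN_PORT here would never accept it.
"$IPTABLES" -t filter -A FORWARD -i "$IF_INT" -s "$LAN_INT" -p "$D_PROTO" -d "$D_NAT_IP" --dport "$D_NAT_PORT" -j ACCEPT
# Rewrite the source to the gateway so the server's reply returns through
# the gateway (where the DNAT is reversed) instead of going to the client
# directly. Restricted to internal sources: without -s, connections from
# outside would be SNATed as well and the server would see every external
# client as the gateway, losing the real source address in its logs.
"$IPTABLES" -t nat -A POSTROUTING -o "$IF_INT" -s "$LAN_INT" -p "$D_PROTO" -d "$D_NAT_IP" --dport "$D_NAT_PORT" -j SNAT --to-source "$ME_INT"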