Namely, I share my internet connection with a friend, and we are on a network with 6 others.
I have a server on which I set the policies on INPUT, FORWARD, OUTPUT and PREROUTING to DROP,
and allowed only the MAC addresses of our network cards in the PREROUTING and INPUT tables (so no complicated iptables script, just filtering by MAC).
Enabled forwarding and masquerade, and it works.
Now I'd like to know how impermeable this is to various kinds of packets, DoS attacks, scanning and the like. Here is the little script as well:
#!/bin/sh
IPT="/usr/sbin/iptables"
EXTIF="eth1"
INTIF="eth0"
LOCAL_IP="192.168.1.1"
LOCAL_NET="192.168.1.0/24"
LOCAL_BCAST="192.168.1.255"
LO_IFACE="lo"
LO_IP="127.0.0.1"
# kernel: allow dynamic addresses and turn on IP forwarding
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
echo "1" > /proc/sys/net/ipv4/ip_forward
# reset all policies to ACCEPT, then flush and delete every chain
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X
# default policies: drop everything not explicitly allowed below
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
$IPT -t nat -P PREROUTING DROP
# loopback is always allowed
$IPT -t filter -A INPUT -p ALL -i $LO_IFACE -j ACCEPT
# allow only the listed source MAC addresses into PREROUTING (nat) and INPUT (filter)
$IPT -t nat -A PREROUTING -m mac --mac-source 00:05:5D:xx:xx:xx -j ACCEPT
$IPT -t filter -A INPUT -m mac --mac-source 00:05:5D:xx:xx:xx -j ACCEPT
$IPT -t nat -A PREROUTING -m mac --mac-source 00:40:B9:xx:xx:xx -j ACCEPT
$IPT -t filter -A INPUT -m mac --mac-source 00:40:B9:xx:xx:xx -j ACCEPT
$IPT -t nat -A PREROUTING -m mac --mac-source 00:0C:76:xx:xx:xx -j ACCEPT
$IPT -t filter -A INPUT -m mac --mac-source 00:0C:76:xx:xx:xx -j ACCEPT
$IPT -t filter -A INPUT -m mac --mac-source 00:80:5F:xx:xx:xx -j ACCEPT
$IPT -t filter -A INPUT -m mac --mac-source 00:0D:88:xx:xx:xx -j ACCEPT
$IPT -t filter -A INPUT -m mac --mac-source 00:05:5D:xx:xx:xx -j ACCEPT
# everything generated locally may leave
$IPT -t filter -A OUTPUT -p ALL -j ACCEPT
# forwarding between the internal and external interfaces
$IPT -t filter -A FORWARD -p ALL -i $INTIF -o $EXTIF -j ACCEPT
$IPT -t filter -A FORWARD -i $INTIF -o $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -t filter -A FORWARD -p ALL -i $LO_IFACE -o $EXTIF -j ACCEPT
$IPT -t filter -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -t filter -A FORWARD -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -t filter -A FORWARD -o $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -t filter -A FORWARD -i $INTIF -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -t filter -A FORWARD -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
# masquerade everything leaving through the external interface
$IPT -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
This has been verified to work: I swapped network cards on my computer, and I had no access with any of them except the one whose MAC I allowed.
Something new is not to be feared, it is to be understood.
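Since the question is how much the ruleset lets through, here is a small audit helper as an added example (not part of the post above): it reads FORWARD rules in the same command form as the script, with $INTIF/$EXTIF expanded to eth0/eth1, and lists every ACCEPT rule that admits NEW connections arriving on the external interface, because any such rule overrides the FORWARD DROP policy. It also flags rules with no state match at all, which admit every packet. The interface name and the expanded sample are assumptions taken from the script.

```shell
#!/bin/sh
# Added audit helper, not from the original post. It scans FORWARD rules
# (one iptables command per line, interface variables already expanded)
# and prints every ACCEPT rule that lets NEW connections in from $EXTIF.
EXTIF="eth1"   # assumption: same external interface name as in the script

# Constructed sample: the FORWARD rules from the script above, in posted
# order, with $INTIF/$EXTIF expanded to eth0/eth1.
SAMPLE_RULES='iptables -t filter -A FORWARD -p ALL -i eth0 -o eth1 -j ACCEPT
iptables -t filter -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A FORWARD -p ALL -i lo -o eth1 -j ACCEPT
iptables -t filter -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A FORWARD -i eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A FORWARD -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A FORWARD -i eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A FORWARD -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT'

# Print the FORWARD ACCEPT rules that admit NEW connections from $EXTIF.
inbound_new_rules() {
  printf '%s\n' "$1" | awk -v ext="$EXTIF" '
    /-A FORWARD / && /-j ACCEPT/ && index($0, "-i " ext " ") {
      # No state match at all: every packet, NEW included, is accepted.
      if ($0 !~ /--state /) { print; next }
      # Otherwise inspect the state list that follows --state.
      n = split($0, f, " ")
      for (i = 1; i < n; i++)
        if (f[i] == "--state" && index("," f[i+1] ",", ",NEW,")) print
    }'
}

# Number of offending rules; 0 means inbound NEW traffic only ever hits the DROP policy.
inbound_new_count() {
  inbound_new_rules "$1" | wc -l | tr -d ' '
}

inbound_new_rules "$SAMPLE_RULES"
```

On the sample it reports exactly one rule, the `-i eth1 ... --state NEW,ESTABLISHED,RELATED` line, which is the one that makes the external side of this FORWARD chain open rather than reply-only.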