====== iptables ======
* http://livesin.digitalmalaya.net/2011/10/04/iptables-what-happens-to-packets/
{{:tudasbazis:linux:netfilter-packet-flow.svg|}}[[http://commons.wikimedia.org/wiki/File:Netfilter-packet-flow.svg]]
===== Egyszerű szabályok =====
* http://stackoverflow.com/a/10197461/1108919
* Hozzáadás:
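# Append a rule dropping traffic from 192.168.0.1 to 192.168.0.2 arriving on eth0.
# "-o" (output interface) is not valid in the INPUT chain and iptables rejects the
# command; the ingress interface (-i eth0) is the only interface match INPUT supports.
iptables -A INPUT -i eth0 -s 192.168.0.1 -d 192.168.0.2 -j DROP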
* Törlés:
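# Delete the rule above. The match part must be spelled exactly as when it was added,
# and "-o" is rejected in INPUT, so it is omitted here as well.
iptables -D INPUT -i eth0 -s 192.168.0.1 -d 192.168.0.2 -j DROP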
===== Logging =====
* https://help.ubuntu.com/community/IptablesHowTo
===== Korlátozások =====
http://stackoverflow.com/questions/614795/simulate-delayed-and-dropped-packets-on-linux
* A ''445''-ös portra érkező csomagok 1%-ának eldobása:
# Randomly drop 1% of the TCP segments addressed to local port 445 (statistic match,
# random mode). --dport is the short form of --destination-port; loading the tcp
# match explicitly with -m tcp is what -p tcp does implicitly.
iptables -A INPUT -p tcp -m tcp --dport 445 -m statistic --mode random --probability 0.01 -j DROP
===== Szerver szabályok =====
# Generated by iptables-save v1.4.8 on Tue Sep 10 09:16:24 2013
# filter table: the built-in chains keep policy ACCEPT and the deny-by-default
# behaviour comes solely from the trailing "-j DROP" rules in INPUT and FORWARD.
# NOTE(review): that means a plain flush (iptables -F) leaves both chains wide
# open until the rules are restored; a DROP policy would fail closed instead.
# The [packets:bytes] values are counters from the capture; iptables-restore
# only reloads them when invoked with -c/--counters.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [436717:73347425]
# INPUT: replies to existing connections, ICMP type 8 (echo-request), loopback,
# and any NEW connection from the LAN range as long as it arrives on eth0.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.1.0/24 -i eth0 -m state --state NEW -j ACCEPT
# SSH from the ppp0 side is rate limited: NEW connections beyond 100/min
# (burst 10) do not match this rule and fall through to the DROP below.
-A INPUT -i ppp0 -p tcp -m tcp --dport 22 -m state --state NEW -m limit --limit 100/min --limit-burst 10 -j ACCEPT
# Log-before-drop, but only for TCP addressed to 192.168.1.0/24 and capped by
# the limit match. UDP/ICMP drops, and presumably packets addressed to the
# ppp0 address itself (e.g. excess SSH attempts), produce no log entry.
-A INPUT -d 192.168.1.0/24 -p tcp -m tcp -m limit --limit 100/min --limit-burst 10 -j LOG --log-prefix "filter/tail: INPUT/DROP "
-A INPUT -j DROP
# FORWARD: .70 and .71 are blocked from opening NEW connections; they sit
# before the LAN-wide ACCEPT, so rule order is what makes the block effective.
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.1.70/32 -i eth0 -m state --state NEW -j DROP
-A FORWARD -s 192.168.1.71/32 -i eth0 -m state --state NEW -j DROP
-A FORWARD -s 192.168.1.0/24 -i eth0 -m state --state NEW -j ACCEPT
# Inbound from ppp0 is accepted only for the DNAT targets set up in the nat
# table: mail ports (25/587/465/143/993) to .242, web ports (80/443) to .243.
-A FORWARD -d 192.168.1.242/32 -i ppp0 -p tcp -m tcp --dport 25 -m state --state NEW -j ACCEPT
-A FORWARD -d 192.168.1.242/32 -i ppp0 -p tcp -m tcp --dport 587 -m state --state NEW -j ACCEPT
-A FORWARD -d 192.168.1.242/32 -i ppp0 -p tcp -m tcp --dport 465 -m state --state NEW -j ACCEPT
-A FORWARD -d 192.168.1.242/32 -i ppp0 -p tcp -m tcp --dport 143 -m state --state NEW -j ACCEPT
-A FORWARD -d 192.168.1.242/32 -i ppp0 -p tcp -m tcp --dport 993 -m state --state NEW -j ACCEPT
-A FORWARD -d 192.168.1.243/32 -i ppp0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A FORWARD -d 192.168.1.243/32 -i ppp0 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
# Same logging caveat as in INPUT: TCP only, destination in the LAN range, rate limited.
-A FORWARD -d 192.168.1.0/24 -p tcp -m tcp -m limit --limit 100/min --limit-burst 10 -j LOG --log-prefix "filter/tail: FORWARD/DROP "
-A FORWARD -j DROP
COMMIT
# Completed on Tue Sep 10 09:16:24 2013
# Generated by iptables-save v1.4.8 on Tue Sep 10 09:16:24 2013
# mangle table: no rules, only the built-in chains with policy ACCEPT and their
# capture-time counters. Nothing here alters packets.
*mangle
:PREROUTING ACCEPT [52976370:36842149811]
:INPUT ACCEPT [2176705:208051789]
:FORWARD ACCEPT [50770670:36632582876]
:OUTPUT ACCEPT [1484120:252953158]
:POSTROUTING ACCEPT [52206227:36883367076]
COMMIT
# Completed on Tue Sep 10 09:16:24 2013
# Generated by iptables-save v1.4.8 on Tue Sep 10 09:16:24 2013
# nat table: port forwarding of the public address 86.40.20.20 to two LAN hosts,
# plus source NAT for the LAN going out on ppp0.
*nat
:PREROUTING ACCEPT [202347:17606160]
:POSTROUTING ACCEPT [55206:3537836]
:OUTPUT ACCEPT [25590:1878596]
# DNAT only rewrites the destination; the rewritten packets still have to pass
# the FORWARD chain of the filter table, which has a matching ACCEPT per port.
# Matching on -i ppp0 means the same ports reached from eth0 (LAN clients using
# the public address) are not redirected.
-A PREROUTING -d 86.40.20.20/32 -i ppp0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.1.242:25
-A PREROUTING -d 86.40.20.20/32 -i ppp0 -p tcp -m tcp --dport 587 -j DNAT --to-destination 192.168.1.242:587
-A PREROUTING -d 86.40.20.20/32 -i ppp0 -p tcp -m tcp --dport 465 -j DNAT --to-destination 192.168.1.242:465
-A PREROUTING -d 86.40.20.20/32 -i ppp0 -p tcp -m tcp --dport 143 -j DNAT --to-destination 192.168.1.242:143
-A PREROUTING -d 86.40.20.20/32 -i ppp0 -p tcp -m tcp --dport 993 -j DNAT --to-destination 192.168.1.242:993
-A PREROUTING -d 86.40.20.20/32 -i ppp0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.243:80
-A PREROUTING -d 86.40.20.20/32 -i ppp0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.1.243:443
# Source NAT for the LAN; MASQUERADE picks up the current ppp0 address on each
# packet, which suits a link whose address may change (presumably the case for ppp0).
-A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
COMMIT
# Completed on Tue Sep 10 09:16:24 2013