Debian – iptables + tc защитна стена с трафик контрол

Реален маршрутизатор с няколко интерфейса. Скриптът комбинира защитна стена (iptables), NAT и трафик контрол (tc) в един файл.

#!/bin/bash
#
# netscript -- firewall (iptables), NAT and traffic shaping (tc) for a
# multi-homed Debian router.  The script runs top to bottom with no error
# handling: a failing command is reported by the tool itself and execution
# carries on, so read the output when running it by hand.
#
# Sections: kernel modules, sysctl tuning, iptables reset + rules, per-tunnel
# shaping, per-client NAT + HTB classes, 1:1 DNAT.

echo "start netscript ..."

# Rebuild the module dependency list, then load netfilter and the protocol
# helpers.  ip_conntrack_* / ip_nat_* are the pre-nf_conntrack module names;
# on a kernel that only ships nf_conntrack_* these modprobe calls fail and
# the corresponding helper is simply not loaded.
#
# NOTE(review): the FTP/IRC/PPTP helpers are loaded globally.  The INPUT and
# FORWARD chains further down accept RELATED traffic before any DROP rule, so
# on kernels that attach a helper to every connection on the helper's port a
# client can use the helper to open "related" expectations towards ports the
# chains would otherwise drop.  Confirm the helpers are actually needed.
depmod -a
for module in \
  ip_tables iptable_filter iptable_mangle iptable_nat \
  ip_nat_ftp ip_nat_irc ip_nat_pptp \
  ip_conntrack ip_conntrack_ftp ip_conntrack_irc ip_conntrack_pptp \
  ip_gre; do
  modprobe "$module"
done
echo "loading ip modules ..."

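# ---- kernel tuning ---------------------------------------------------------
# Write $2 to the /proc/sys entry $1.  The entry is skipped with a warning
# when it does not exist on the running kernel: the conntrack limit below is
# set through both the nf_conntrack_max and the legacy
# ipv4/netfilter/ip_conntrack_max path, and at most one of them exists on a
# given kernel, so the unconditional echo always produced a spurious
# "No such file or directory" error.
set_sysctl() {
  local path=$1 value=$2
  if [[ -e "$path" ]]; then
    echo "$value" > "$path"
  else
    echo "netscript: sysctl $path not present, skipped" >&2
  fi
}

# This box routes between its interfaces.
set_sysctl /proc/sys/net/ipv4/ip_forward 1

# Connection tracking: up to ~6.5M entries.  Each entry costs kernel memory
# (on the order of a few hundred bytes -- verify for this kernel) and the
# conntrack hash size is not raised here, so lookups may degrade when the
# table is that full.  Values are as sized by the original author.
set_sysctl /proc/sys/net/nf_conntrack_max 6553600
set_sysctl /proc/sys/net/ipv4/netfilter/ip_conntrack_max 6553600
set_sysctl /proc/sys/net/ipv4/tcp_max_orphans 3276800

# Socket buffer limits (bytes): core maxima and the min/default/max triples
# for TCP receive and send buffers.
set_sysctl /proc/sys/net/core/rmem_max 13107100
set_sysctl /proc/sys/net/core/wmem_max 13107100
set_sysctl /proc/sys/net/ipv4/tcp_rmem "4096 87380 352665600"
set_sysctl /proc/sys/net/ipv4/tcp_wmem "4096 65536 352665600"

# Routing cache and ARP/neighbour table thresholds, raised for the number of
# directly attached clients.
set_sysctl /proc/sys/net/ipv4/route/max_size 52428800
set_sysctl /proc/sys/net/ipv4/route/gc_thresh 3276800
set_sysctl /proc/sys/net/ipv4/neigh/default/gc_thresh1 12800
set_sysctl /proc/sys/net/ipv4/neigh/default/gc_thresh2 51200
set_sysctl /proc/sys/net/ipv4/neigh/default/gc_thresh3 102400

# Conntrack timeouts (seconds).  Established TCP flows are kept for 12h;
# everything half-open, closing or non-TCP expires quickly so the large table
# above is not filled with dead flows.
set_sysctl /proc/sys/net/ipv4/netfilter/ip_conntrack_generic_timeout 300
set_sysctl /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established 43200
set_sysctl /proc/sys/net/ipv4/netfilter/ip_conntrack_icmp_timeout 10
set_sysctl /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_close 5
set_sysctl /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_syn_recv 30
set_sysctl /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_time_wait 30
set_sysctl /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_fin_wait 20
set_sysctl /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_close_wait 20
set_sysctl /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_last_ack 30

# SYN cookies.  The original script disabled them (0).  Cookies only engage
# once a listen backlog overflows, so they change nothing for normal traffic,
# but without them the router's own listeners (ssh is reachable on port 22
# from the trusted ranges, and the INPUT policy is ACCEPT) are trivially
# SYN-floodable.  Put this back to 0 only if the flood-time side effect (loss
# of TCP options on cookie-recovered connections) has been seen to matter.
set_sysctl /proc/sys/net/ipv4/tcp_syncookies 1
echo "end tcp tunning ..."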

# ---- reset -----------------------------------------------------------------
# Flush and delete every chain in the filter, nat and mangle tables, reset the
# built-in policies and zero the counters, so the rules below start from a
# clean state.
#
# NOTE(review): the policies are set to ACCEPT here and are never changed
# again, so the firewall is a deny-list -- anything not explicitly dropped
# below reaches the router and is forwarded.  It also means the router is
# fully open between this point and the end of the rule section on every
# (re)start.
for table in filter nat mangle; do
  iptables -t "$table" -F
done
for table in filter nat mangle; do
  iptables -t "$table" -X
done
for chain in INPUT OUTPUT FORWARD; do
  iptables -P "$chain" ACCEPT
done
iptables -Z
echo "flush iptables ..."

# ---- static NAT ------------------------------------------------------------
# The 172.16.10.0/24 office segment is hidden behind a fixed address on each
# of its two uplinks (eth3 -> 192.168.1.2, vlan100 -> 10.11.6.66); which one
# applies follows the routing decision for the packet.
iptables -t nat -A POSTROUTING -s 172.16.10.0/24 -o eth3 -j SNAT --to 192.168.1.2
iptables -t nat -A POSTROUTING -s 172.16.10.0/24 -o vlan100 -j SNAT --to 10.11.6.66

# Port forwards for the public address 93.155.130.1: RDP (3389) and HTTP on
# 80 and 81 go to 172.16.10.111.  No FORWARD accept is needed for them
# because the FORWARD policy is ACCEPT.
for port in 3389 80 81; do
  iptables -t nat -A PREROUTING -p tcp -d 93.155.130.1 --dport "$port" \
    -j DNAT --to "172.16.10.111:$port"
done

# Every outbound HTTP connection from these two clients is sent to
# 212.233.217.120 regardless of the address they asked for (a captive-page
# style redirect); what that server shows is not visible here -- confirm
# with whoever maintains it.
for client in 10.18.8.14 10.18.5.3; do
  iptables -t nat -A PREROUTING -s "$client" -p tcp --dport 80 \
    -j DNAT --to 212.233.217.120:80
done

# Hard block on forwarding anything from this source.  It becomes the first
# rule in FORWARD, ahead of the state rules appended further down.
iptables -A FORWARD -s 212.233.252.166 -j DROP

# ---- MSS clamping on the tunnels -------------------------------------------
# tun0..tun9 carry a smaller MTU than Ethernet (ip_gre and the PPTP helper are
# loaded above, so these are presumably GRE/PPTP tunnels).  Clamp the MSS of
# every outgoing TCP SYN (SYN set, RST clear) to the path MTU so hosts behind
# the tunnels do not stall on oversized segments when PMTU discovery is
# blocked somewhere on the path.
for n in {0..9}; do
  iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN \
    -o "tun$n" -j TCPMSS --clamp-mss-to-pmtu
done

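# ---- INPUT: traffic addressed to the router itself --------------------------
# The policy is ACCEPT (set in the reset section), so this chain only carves
# out exceptions.

# Loopback.  The original matched "-s localhost", i.e. the address 127.0.0.1
# on any interface, resolved by a name lookup at load time; matching the
# interface is the usual form and also covers local connections made to the
# router's other addresses, which traverse lo as well.
iptables -A INPUT -i lo -j ACCEPT

# NOTE: the original chain continued with
#   iptables -A INPUT -m limit --limit 1/s --limit-burst 10 -j RETURN
# RETURN in a built-in chain means "apply the chain policy", and the policy
# is ACCEPT, so roughly one packet per second (burst 10) from ANY source
# skipped every DROP below -- the port-22 restriction, the RPC/SMB filters
# and the blocked hosts.  The rule is removed; a rate limit belongs in front
# of a LOG or ACCEPT target, never RETURN.

# Stateful sanity: a new TCP flow must start with a SYN, conntrack-INVALID
# packets are dropped, and replies to known flows are accepted early.
iptables -A INPUT -m state --state NEW -p tcp ! --syn -j DROP
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# SSH only from the office segment, 10.0.0.0/8 (which covers the 10.18.x
# client ranges used below) and 212.233.128.0/17.  The original used
# "multiport --ports 22", which also matches packets whose SOURCE port is 22;
# the intent is SSH to this box, so match the destination port only.
for net in 172.16.10.0/24 10.0.0.0/8 212.233.128.0/17; do
  iptables -A INPUT -s "$net" -p tcp --dport 22 -j ACCEPT
done

# Everyone else: no SSH, and no portmap/ident/RPC/NetBIOS/SMB to the router.
iptables -A INPUT -p tcp -m multiport --dport 22,111,113,135,136,137,138,139,445 -j DROP
iptables -A INPUT -p udp -m multiport --dport 135,136,137,138,139,445 -j DROP

# No multicast to the router at all (this also drops OSPF/VRRP-style
# protocols, should any ever be enabled on this box).
iptables -A INPUT -d 224.0.0.0/4 -j DROP

# Individually blocked sources (the same list is used in FORWARD).
for bad in 93.190.138.83 74.52.169.50 94.76.201.76; do
  iptables -A INPUT -s "$bad" -j DROP
done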

# ---- FORWARD: traffic routed between interfaces -----------------------------
# The policy is ACCEPT; like INPUT this chain only lists exceptions.  (One
# DROP for 212.233.252.166 was already appended in the NAT section above and
# therefore sits ahead of these rules.)
iptables -A FORWARD -m state --state NEW -p tcp ! --syn -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# SMTP to and from the two mail servers, explicitly and in both directions
# ("--ports" matches source or destination port).  Because these accepts
# precede the blocked-host rules at the end of the chain, a blocked source
# can still reach port 25 on the mail servers -- presumably intended so that
# mail keeps flowing; confirm.
for mx in 93.155.130.4 93.155.130.14; do
  iptables -A FORWARD -s "$mx" -p tcp -m multiport --ports 25 -j ACCEPT
  iptables -A FORWARD -d "$mx" -p tcp -m multiport --ports 25 -j ACCEPT
done

# Never forward portmap/ident/RPC/NetBIOS/SMB, in either direction.
iptables -A FORWARD -p tcp -m multiport --dport 111,113,135,136,137,138,139,445 -j DROP
iptables -A FORWARD -p udp -m multiport --dport 135,136,137,138,139,445 -j DROP

# Blocked sources (same list as in INPUT).
for bad in 93.190.138.83 74.52.169.50 94.76.201.76; do
  iptables -A FORWARD -s "$bad" -j DROP
done

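# ---- per-client connection caps ---------------------------------------------
# Drop new TCP connections (SYN) from a client once it already holds more
# than the given number of connections; connlimit counts per source address
# (its default /32 mask).  Two tiers: 150 and 200 simultaneous connections.
#
# The original listed 10.18.6.99 in both tiers.  Its 200 rule could never
# match, because the 150 rule earlier in the chain had already dropped every
# packet that would reach it; the dead duplicate is dropped here, which
# changes nothing in what the chain does.
for client in 10.18.5.3 10.18.5.2 10.18.3.7 10.18.5.10 10.18.6.99 10.18.2.63 10.18.1.11; do
  iptables -A FORWARD -s "$client" -p tcp --syn -m connlimit --connlimit-above 150 -j DROP
done
for client in 10.18.6.31 10.18.8.19 10.18.4.44; do
  iptables -A FORWARD -s "$client" -p tcp --syn -m connlimit --connlimit-above 200 -j DROP
done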

# ---- IP/MAC binding for the office segment ----------------------------------
# Forwarded packets claiming one of these 172.16.10.x addresses are dropped
# unless they arrive from the registered MAC.  This only works for hosts on
# a directly attached Ethernet segment (a routed hop rewrites the source
# MAC) and only covers FORWARD: packets addressed to the router itself are
# not checked.  "--mac-source !" is the old inverted-option spelling the
# iptables this script targets accepts; newer releases warn and prefer
# "! --mac-source".
while read -r ip mac; do
  iptables -A FORWARD -s "$ip" -m mac --mac-source ! "$mac" -j DROP
done <<'EOF'
172.16.10.2 00:0d:c2:0f:fb:b2
172.16.10.3 00:22:15:0a:7b:d4
172.16.10.4 00:00:13:2d:7c:d5
172.16.10.5 00:02:0b:0e:8b:af
172.16.10.6 00:bc:02:bb:df:e4
172.16.10.7 00:0b:11:04:e2:fd
172.16.10.8 00:0c:fd:c2:f1:d6
172.16.10.9 00:0d:c0:0f:fb:b2
172.16.10.10 00:0d:c0:03:fb:b2
EOF

# ---- OUTPUT ------------------------------------------------------------------
# The only restriction on locally generated traffic: ICMP that conntrack
# classifies as INVALID (for example errors about flows it does not know)
# is not sent out.
iptables -A OUTPUT -p icmp -m state --state INVALID -j DROP
echo "iptables done ..."

# ---- shaping of the customer tunnels ---------------------------------------
# Each listed tunnel gets a flat token-bucket limit: TUNSPEEDIN on egress
# (root tbf) and TUNSPEEDDOWN on ingress (a u32 policer on the ingress qdisc
# that drops everything above the rate).  tun0 is handled as DEVOUT2 in the
# HTB section further down; tun2, tun3 and tun8 are not shaped at all.  The
# "qdisc del" calls fail harmlessly on the first run (nothing to delete yet).
TUNSPEEDIN=25Mbit
TUNSPEEDDOWN=4Mbit
TUNBURST=200k
SHAPED_TUNNELS="tun1 tun4 tun5 tun6 tun7 tun9"
for TUN in $SHAPED_TUNNELS; do
  tc qdisc del dev "$TUN" root
  tc qdisc add dev "$TUN" root tbf rate "$TUNSPEEDIN" latency 50ms burst "$TUNBURST"
  tc qdisc del dev "$TUN" handle ffff: ingress
  tc qdisc add dev "$TUN" handle ffff: ingress
  tc filter add dev "$TUN" parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 \
    police rate "$TUNSPEEDDOWN" burst "$TUNBURST" drop flowid :1
done
echo "end SHAPE tunnels ..."

# ---- per-client HTB roots --------------------------------------------------
# Interface roles (these names are used by every client loop below):
#   DEVIN   vlan100  towards the 10.18.x clients (download classes, u32 on dst)
#   DEVIN1  eth2     towards the local public hosts (download classes)
#   DEVOUT  vlan149  uplink (upload classes, selected by firewall mark)
#   DEVOUT2 tun0     alternate uplink used by the MU clients
# Rate tiers per client (rate = guaranteed, CEIL = borrowing ceiling):
#   tier 1: SPEEDIN1 / SPEEDDOWN1, tier 2: SPEEDIN2 / SPEEDDOWN2.
DEVIN=vlan100
DEVIN1=eth2
DEVOUT=vlan149
DEVOUT2=tun0
SPEEDIN1=15Mbit
SPEEDDOWN1=2Mbit
SPEEDIN2=25Mbit
SPEEDDOWN2=4Mbit
CEIL=200Mbit
BURST=200k

# One HTB root per interface, each with its own default class id.  None of
# the client lists in this script ever creates a class with one of these
# default ids, so traffic that matches no per-client filter leaves the
# interface unshaped.
for spec in "$DEVIN:10" "$DEVIN1:20" "$DEVOUT:30" "$DEVOUT2:40"; do
  dev=${spec%%:*}
  default_class=${spec##*:}
  tc qdisc del dev "$dev" root
  tc qdisc add dev "$dev" root handle 1: htb default "$default_class"
done

	#IPCLIENT=`cat '/etc/ipclient'`;
# ---- tier-1 clients from /etc/ipclient ---------------------------------------
# One entry per whitespace-separated token of the form PRIVATE_IP:PUBLIC_IP.
# Any line containing a '#' anywhere is skipped entirely.  For each client:
#   * SNAT its traffic leaving DEVOUT to the listed public address,
#   * an HTB class plus u32 filter on DEVIN for traffic towards the client,
#   * an HTB class on DEVOUT fed by a firewall mark set in the mangle table.
# The class id and the mark are the 3rd and 4th octets concatenated and read
# as hex (10.18.5.3 -> class 1:53, mark 0x53).  This is not collision free:
# 10.18.1.15 and 10.18.11.5 would both map to 0x115.  The same encoding is
# used by the other client loops in this script, so it must only ever be
# changed in all of them at once.  Entries are not validated; a malformed
# token just produces failing iptables/tc commands.
for entry in $(grep -v '#' /etc/ipclient); do
  fields=(${entry//:/ })
  priv_ip=${fields[0]}
  pub_ip=${fields[1]}
  IFS=. read -r _ _ oct3 oct4 _ <<<"$priv_ip"
  cid="${oct3}${oct4}"
  iptables -t nat -A POSTROUTING -s "$priv_ip" -o "$DEVOUT" -j SNAT --to "$pub_ip"
  tc class add dev "$DEVIN" parent 1: classid "1:$cid" htb rate "$SPEEDIN1" ceil "$CEIL" burst "$BURST"
  tc filter add dev "$DEVIN" parent 1: protocol ip prio 1 u32 match ip dst "$priv_ip" classid "1:$cid"
  tc class add dev "$DEVOUT" parent 1: classid "1:$cid" htb rate "$SPEEDDOWN1" ceil "$CEIL" burst "$BURST"
  tc filter add dev "$DEVOUT" parent 1: protocol ip prio 1 handle "0x$cid" fw classid "1:$cid"
  iptables -t mangle -A FORWARD -s "$priv_ip" -j MARK --set-mark "0x$cid"
done
echo "end NAT client GCN speed1 ..."

# ---- tier-2 clients (static list) -------------------------------------------
# Same PRIVATE_IP:PUBLIC_IP scheme and the same NAT / class / mark layout as
# the /etc/ipclient loop, at the tier-2 rates.  Most clients share the public
# address 93.155.162.201 (port-overloaded SNAT); a few have a dedicated
# public address that the DNAT section at the end maps back to them, giving
# them 1:1 NAT.  Class id and mark are octets 3+4 concatenated and read as
# hex (10.18.5.12 -> 0x512), the encoding every client loop here relies on;
# it is not collision free across third octets of different length.
TIER2_CLIENTS="10.18.4.13:93.155.162.201 10.18.2.13:93.155.162.201 10.18.4.31:93.155.131.39 \
10.18.5.12:93.155.162.223 10.18.5.40:93.155.162.201 10.18.5.55:93.155.162.201 10.18.1.40:93.155.162.201 10.18.1.7:93.155.162.222 \
10.18.5.75:93.155.162.23 10.18.6.17:93.155.162.201 10.18.6.32:93.155.162.201 10.18.6.36:93.155.162.201 \
10.18.1.19:93.155.130.114 10.18.4.7:93.155.131.22 10.18.6.59:93.155.162.201 10.18.6.84:93.155.162.201 10.18.1.15:93.155.162.201 \
10.18.3.15:93.155.162.201 10.18.1.36:93.155.162.201 10.18.3.8:93.155.162.201 10.18.7.55:93.155.162.201 \
10.18.4.8:93.155.162.203"
for entry in $TIER2_CLIENTS; do
  fields=(${entry//:/ })
  priv_ip=${fields[0]}
  pub_ip=${fields[1]}
  IFS=. read -r _ _ oct3 oct4 _ <<<"$priv_ip"
  cid="${oct3}${oct4}"
  iptables -t nat -A POSTROUTING -s "$priv_ip" -o "$DEVOUT" -j SNAT --to "$pub_ip"
  tc class add dev "$DEVIN" parent 1: classid "1:$cid" htb rate "$SPEEDIN2" ceil "$CEIL" burst "$BURST"
  tc filter add dev "$DEVIN" parent 1: protocol ip prio 1 u32 match ip dst "$priv_ip" classid "1:$cid"
  tc class add dev "$DEVOUT" parent 1: classid "1:$cid" htb rate "$SPEEDDOWN2" ceil "$CEIL" burst "$BURST"
  tc filter add dev "$DEVOUT" parent 1: protocol ip prio 1 handle "0x$cid" fw classid "1:$cid"
  iptables -t mangle -A FORWARD -s "$priv_ip" -j MARK --set-mark "0x$cid"
done
echo "NAT client GCN speed2 ..."

# ---- MU clients: routed through tun0 ----------------------------------------
# These 10.18.5.x clients leave through DEVOUT2 (tun0) instead of the main
# uplink: their traffic is SNATed to 194.141.67.110 on tun0 and a source
# policy-routing rule sends it to table T1.  T1 must exist in
# /etc/iproute2/rt_tables and be populated elsewhere; this script only adds
# the rule.  "ip rule del from X" removes an existing rule for that source
# (and complains when there is none) so re-runs do not stack duplicates.
# Download classes live on DEVIN, upload classes on DEVOUT2, both at tier-1
# rates; class id / mark are octets 3+4 as hex (10.18.5.3 -> 0x53).
MU_CLIENTS="10.18.5.3 10.18.5.5 10.18.5.8 10.18.5.9 10.18.5.10 10.18.5.11 10.18.5.13 10.18.5.14 \
10.18.5.15 10.18.5.16 10.18.5.17 10.18.5.20 10.18.5.21 10.18.5.22 10.18.5.25 10.18.5.26 \
10.18.5.27 10.18.5.28 10.18.5.30 10.18.5.31 10.18.5.32 10.18.5.34 10.18.5.36 10.18.5.37 10.18.5.38 \
10.18.5.41 10.18.5.42 10.18.5.43 10.18.5.44 10.18.5.45 10.18.5.46 10.18.5.47 10.18.5.48 10.18.5.49 \
10.18.5.50 10.18.5.52 10.18.5.58 10.18.5.56 10.18.5.59 10.18.5.60 10.18.5.62 10.18.5.63 10.18.5.64 10.18.5.65 \
10.18.5.66 10.18.5.67 10.18.5.68 10.18.5.69 10.18.5.72 10.18.5.74 10.18.5.76 \
10.18.5.78 10.18.5.79 10.18.5.82 10.18.5.83 10.18.5.84 10.18.5.85 10.18.5.86 10.18.5.87 10.18.5.88 10.18.5.89 \
10.18.5.90 10.18.5.91 10.18.5.92 10.18.5.93 10.18.5.94 10.18.5.95 10.18.5.96 10.18.5.97 10.18.5.99"
for client in $MU_CLIENTS; do
  IFS=. read -r _ _ oct3 oct4 _ <<<"$client"
  cid="${oct3}${oct4}"
  iptables -t nat -A POSTROUTING -s "$client" -o "$DEVOUT2" -j SNAT --to 194.141.67.110
  # Alternative kept from the original: SNAT via the main uplink instead.
  #iptables -t nat -A POSTROUTING -s $client -o $DEVOUT -j SNAT --to 93.155.130.55
  tc class add dev "$DEVIN" parent 1: classid "1:$cid" htb rate "$SPEEDIN1" ceil "$CEIL" burst "$BURST"
  tc filter add dev "$DEVIN" parent 1: protocol ip prio 1 u32 match ip dst "$client" classid "1:$cid"
  tc class add dev "$DEVOUT2" parent 1: classid "1:$cid" htb rate "$SPEEDDOWN1" ceil "$CEIL" burst "$BURST"
  tc filter add dev "$DEVOUT2" parent 1: protocol ip prio 1 handle "0x$cid" fw classid "1:$cid"
  iptables -t mangle -A FORWARD -s "$client" -j MARK --set-mark "0x$cid"
  ip rule del from "$client"
  ip rule add from "$client" table T1
done
echo "NAT client MU ..."

# ---- local public hosts on eth2 ("ITSERVICE") -------------------------------
# Four hosts with public addresses behind DEVIN1: no NAT, only tier-1
# shaping.  Download classes on DEVIN1 (u32 on destination), upload classes
# on DEVOUT selected by firewall mark.  Ids follow the octets-3+4-as-hex
# scheme used by all client loops (93.155.130.5 -> 0x1305).
LOCAL_PUBLIC="93.155.130.5 93.155.162.2 93.155.162.3 93.155.162.4"
for host in $LOCAL_PUBLIC; do
  IFS=. read -r _ _ oct3 oct4 _ <<<"$host"
  cid="${oct3}${oct4}"
  tc class add dev "$DEVIN1" parent 1: classid "1:$cid" htb rate "$SPEEDIN1" ceil "$CEIL" burst "$BURST"
  tc filter add dev "$DEVIN1" parent 1: protocol ip prio 1 u32 match ip dst "$host" classid "1:$cid"
  tc class add dev "$DEVOUT" parent 1: classid "1:$cid" htb rate "$SPEEDDOWN1" ceil "$CEIL" burst "$BURST"
  tc filter add dev "$DEVOUT" parent 1: protocol ip prio 1 handle "0x$cid" fw classid "1:$cid"
  iptables -t mangle -A FORWARD -s "$host" -j MARK --set-mark "0x$cid"
done
echo "ITSERVICE LOCAL ..."

# ---- "BTC" clients: currently none ------------------------------------------
# Clients listed here would be SNATed to 192.168.1.2 on eth3 and policy-routed
# through table T2.  The list is empty, so the loop body never runs and this
# section is dormant; it is kept so the list can simply be repopulated.
BTC_CLIENTS=""
for client in $BTC_CLIENTS; do
  iptables -t nat -A POSTROUTING -s "$client" -o eth3 -j SNAT --to 192.168.1.2
  ip rule del from "$client"
  ip rule add from "$client" table T2
done
echo "NAT client BTC ..."

# ---- 1:1 DNAT of public addresses to internal hosts --------------------------
# Every packet arriving for one of these public addresses -- any protocol,
# any port -- is forwarded to the internal host.  With the FORWARD policy at
# ACCEPT that exposes the whole host except the RPC/NetBIOS/SMB ports dropped
# in FORWARD; narrow a row to "-p tcp --dport N" per service if the host does
# not need to be fully reachable.  Several of these internal hosts are also
# in the tier-2 list with the same public address as their SNAT source.
while read -r public internal; do
  iptables -t nat -A PREROUTING -d "$public" -j DNAT --to "$internal"
done <<'EOF'
93.155.130.51 10.18.6.25
93.155.130.88 10.18.5.23
93.155.130.170 10.18.9.44
93.155.131.231 10.18.9.48
93.155.162.20 10.18.9.45
93.155.162.23 10.18.5.75
93.155.162.138 10.18.9.57
93.155.162.37 10.18.3.13
93.155.131.241 10.18.8.27
93.155.162.125 10.18.1.104
93.155.131.11 10.18.1.2
93.155.162.203 10.18.4.8
93.155.130.173 10.18.2.3
93.155.162.222 10.18.1.7
93.155.131.33 10.18.4.21
93.155.131.87 10.18.5.2
93.155.162.223 10.18.5.12
93.155.130.176 10.18.2.6
93.155.130.90 10.18.5.98
93.155.162.137 10.18.6.115
EOF
echo "DNAT client ..."

echo "netscript done ..."
