
Iptables-save


santalam


Czemu po wklepaniu tego kodu i po ponownym uruchomieniu kompa iptables nie pamięta reguł... może ten firewall systemowy je kasuje??? Jak sobie z tym poradzić...

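#!/usr/bin/env bash
# Minimal NAT gateway ruleset: eth0 is the trusted LAN side, ppp0 the uplink.
# The filter and nat tables are rebuilt from scratch and then written to
# RULES_FILE so that they survive a reboot; the kernel itself keeps no
# rules across restarts, they have to be reloaded at boot with
#   iptables-restore < "$RULES_FILE"
# (for example from /etc/rc.local).
set -u

# Where iptables-save writes the ruleset; override via the environment.
RULES_FILE="${RULES_FILE:-/etc/iptables.form}"

# iptables and /proc/sys writes need root; fail early with a clear message.
if [[ "${EUID:-$(id -u)}" -ne 0 ]]; then
  printf 'this script must be run as root\n' >&2
  exit 1
fi

# Flush every rule and delete every user chain in the filter and nat tables.
iptables -F
iptables -F -t nat
iptables -X
iptables -X -t nat

# Default policies: inbound is denied unless a rule below allows it;
# outbound and forwarded traffic is allowed by default.
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

# Connection-tracking helpers for FTP and IRC.
# Module names kept from the original — TODO confirm they exist on the
# running kernel.
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc

# Enable routing between interfaces; disable ECN negotiation.
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "0" > /proc/sys/net/ipv4/tcp_ecn

# Loopback traffic is always accepted.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A FORWARD -o lo -j ACCEPT

# NOTE: everything arriving on eth0 is accepted, i.e. the LAN side is fully
# trusted; hosts on that segment can reach any service on this machine.
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A FORWARD -o eth0 -j ACCEPT
iptables -A OUTPUT -o eth0 -j ACCEPT

# Ping: answered on the LAN (already covered by the eth0 rule above),
# explicitly dropped on the uplink (also the INPUT policy).
iptables -A INPUT -p icmp --icmp-type echo-request -i eth0 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -i ppp0 -j DROP

# Replies to connections this host or the LAN initiated.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# NAT for the LAN and MSS clamping for the PPP link.
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE
iptables -I FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

# Persist the ruleset. Without the redirect iptables-save only prints to
# stdout and nothing is stored.
iptables-save > "$RULES_FILE" || {
  printf 'could not write %s\n' "$RULES_FILE" >&2
  exit 1
}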

 

Druga sprawa... jak to poniżej uruchomić...

 

#!/bin/bash 
##############################################
#
# OK-TEAM FIREWALL
# Author: D.Kramin, [email protected]
# Version 3.0
# Auto reading IP addres for external device (modem,ether,SDI,NEO+,DSL)
#
# mini-transparent-proxy-howto, ip-masquerade-howto, firewall
# and proxy server-howto, vpn-howto, vpn-masquerade-howto
# GPL licence - feel free to play with this script and follow
# GPL rules.
#
##############################################
#############################################
# initial parameters - feel free to change this to your network prefs
#############################################
#interfaces, nets, etc
#interfaces, nets, etc
# Internet-facing interface; exported so that child processes see it.
export EXTIF='ppp0'
# LAN interface, this host's LAN address, the LAN prefix and "anywhere".
INTIF='eth1'
INTIP='192.168.0.1'
INTNET='192.168.0.0/24'
UNIVERSE='0.0.0.0/0'
#mac address for mac rules in input chain/ssh entry - admin gate to shell
# Only this address (and, with MACSUPPORT, this MAC) may reach SSH/VPN.
ADMINIP='192.168.0.1'
MAC='00:E0:98:A4:F6:BF'
#some program paths
GREP='/bin/grep'
AWK='/bin/awk'
INSMOD='/sbin/insmod'
IPTABLES='/usr/sbin/iptables'
IFCONFIG='/sbin/ifconfig'
#do you have a masquerade ?
MASQUERADE='YES'
#which ports you like to masquerade (port range, for one port ie. 1-1)?
MASQ_PORTS='21-143'
#answer yes if you like to block some icmp messages (codes: 0,8,11,13)
BLOCKICMP='YES'
#checking source MAC address
MACSUPPORT='NO'
#set TOS byte for routers for better packet management
TOSSUPPORT='NO'
#enabled services (YES/NO switches read by the *_allowed_services functions)
SSH='YES'
MAIL='NO'
DNS='NO'
WWW='NO'
W3C='NO'
VPN='NO'
####################################
# end of configuration - no changes below this line !!!
####################################
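#######################################
# Append one ACCEPT rule to INPUT for a service reachable on the external
# interface (helper for tos_allowed_services).
# Globals:   IPTABLES, EXTIF, EXTIP (read)
# Arguments: $1 protocol (tcp|udp), $2 source address or address/mask,
#            $3 destination port, $4 TOS value ("" for no TOS match),
#            $5 optional source MAC (adds "-m mac --mac-source")
# Returns:   exit status of the iptables invocation
#######################################
_tos_accept_input() {
  local proto=$1 src=$2 port=$3 tos=$4 mac=${5-}
  local -a rule=(-A INPUT -i "$EXTIF" -m state --state NEW,ESTABLISHED,RELATED
    -p "$proto" -s "$src" -d "$EXTIP" --dport "$port")
  if [[ -n "$tos" ]]; then
    rule+=(-m tos --tos "$tos")
  fi
  if [[ -n "$mac" ]]; then
    rule+=(-m mac --mac-source "$mac")
  fi
  "$IPTABLES" "${rule[@]}" -j ACCEPT
}
##########################################
# user defined services with tos support - see beginning of file
##########################################
# Appends INPUT ACCEPT rules on $EXTIF for every service switched on in the
# configuration block (SSH, VPN, MAIL, DNS, WWW, W3C). DNS/WWW/W3C rules carry
# a TOS match (4 or 8), SSH/VPN rules TOS 16; MAIL rules have no TOS match.
# SSH and VPN are accepted from $ADMINIP only and, when MACSUPPORT is YES,
# only when the source MAC equals $MAC as well.
# Globals:   SSH VPN MAIL DNS WWW W3C MACSUPPORT ADMINIP MAC UNIVERSE
#            IPTABLES EXTIF EXTIP (read)
# Outputs:   one progress line per enabled service on stdout
# Note: the UDP rules for ports 22 and 666 are kept from the original
#       ruleset; review whether those UDP ports actually need to be open.
function tos_allowed_services {
  # attention! ssh allowed only from one external ip where
  # source address matching mac address !
  if [[ "$SSH" == "YES" ]]; then
    echo " Allowing EXTERNAL access to the SSH server"
    if [[ "$MACSUPPORT" == "YES" ]]; then
      _tos_accept_input tcp "$ADMINIP/32" 22 16 "$MAC"
      _tos_accept_input udp "$ADMINIP/32" 22 16 "$MAC"
      echo " SSH sessions allowed only when MAC = $MAC, TOS byte set"
    else
      _tos_accept_input tcp "$ADMINIP/32" 22 16
      _tos_accept_input udp "$ADMINIP/32" 22 16
      echo " SSH sessions allowed without checking MAC, TOS byte set"
    fi
  fi
  if [[ "$VPN" == "YES" ]]; then
    echo " Allowing EXTERNAL access to the VPN server"
    if [[ "$MACSUPPORT" == "YES" ]]; then
      _tos_accept_input tcp "$ADMINIP/32" 666 16 "$MAC"
      _tos_accept_input udp "$ADMINIP/32" 666 16 "$MAC"
      echo " VPN sessions allowed only when MAC = $MAC, TOS byte set"
    else
      _tos_accept_input tcp "$ADMINIP/32" 666 16
      _tos_accept_input udp "$ADMINIP/32" 666 16
      echo " VPN sessions allowed without checking MAC, TOS byte set"
    fi
  fi
  if [[ "$MAIL" == "YES" ]]; then
    # Mail rules are open to the whole Internet and carry no TOS match.
    echo " Allowing EXTERNAL access to the SMTP server"
    _tos_accept_input tcp "$UNIVERSE" 25 ""
    _tos_accept_input udp "$UNIVERSE" 25 ""
    echo " Allowing EXTERNAL access to the POP3S server"
    _tos_accept_input tcp "$UNIVERSE" 995 ""
    _tos_accept_input udp "$UNIVERSE" 995 ""
  fi
  if [[ "$DNS" == "YES" ]]; then
    echo " Allowing EXTERNAL access to the DNS server, TOS byte set"
    _tos_accept_input tcp "$UNIVERSE" 53 4
    _tos_accept_input udp "$UNIVERSE" 53 4
  fi
  if [[ "$WWW" == "YES" ]]; then
    echo " Allowing EXTERNAL access to the HTTP/HTTPS server, TOS byte set"
    local port
    for port in 80 443; do
      _tos_accept_input tcp "$UNIVERSE" "$port" 8
      _tos_accept_input udp "$UNIVERSE" "$port" 8
    done
  fi
  if [[ "$W3C" == "YES" ]]; then
    echo " Allowing EXTERNAL access to the W3C server, TOS byte set"
    _tos_accept_input tcp "$UNIVERSE" 8080 8
    _tos_accept_input udp "$UNIVERSE" 8080 8
  fi
}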
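#######################################
# Append one ACCEPT rule to INPUT for a service reachable on the external
# interface, without any TOS match (helper for notos_allowed_services).
# Globals:   IPTABLES, EXTIF, EXTIP (read)
# Arguments: $1 protocol (tcp|udp), $2 source address or address/mask,
#            $3 destination port, $4 optional source MAC
#            (adds "-m mac --mac-source")
# Returns:   exit status of the iptables invocation
#######################################
_notos_accept_input() {
  local proto=$1 src=$2 port=$3 mac=${4-}
  local -a rule=(-A INPUT -i "$EXTIF" -m state --state NEW,ESTABLISHED,RELATED
    -p "$proto" -s "$src" -d "$EXTIP" --dport "$port")
  if [[ -n "$mac" ]]; then
    rule+=(-m mac --mac-source "$mac")
  fi
  "$IPTABLES" "${rule[@]}" -j ACCEPT
}
############################################
# user defined services without tos support - see beginning of file
############################################
# Appends INPUT ACCEPT rules on $EXTIF for every service switched on in the
# configuration block (SSH, VPN, MAIL, DNS, WWW, W3C); no rule carries a TOS
# match. SSH and VPN are accepted from $ADMINIP only and, when MACSUPPORT is
# YES, only when the source MAC equals $MAC as well.
# Globals:   SSH VPN MAIL DNS WWW W3C MACSUPPORT ADMINIP MAC UNIVERSE
#            IPTABLES EXTIF EXTIP (read)
# Outputs:   one progress line per enabled service on stdout
# Note: the UDP rules for ports 22 and 666 are kept from the original
#       ruleset; review whether those UDP ports actually need to be open.
function notos_allowed_services {
  # attention! ssh allowed only from one external ip where
  # source address matching mac address !
  if [[ "$SSH" == "YES" ]]; then
    echo " Allowing EXTERNAL access to the SSH server"
    if [[ "$MACSUPPORT" == "YES" ]]; then
      _notos_accept_input tcp "$ADMINIP/32" 22 "$MAC"
      _notos_accept_input udp "$ADMINIP/32" 22 "$MAC"
      echo " SSH sessions allowed only when MAC = $MAC, no TOS"
    else
      _notos_accept_input tcp "$ADMINIP/32" 22
      _notos_accept_input udp "$ADMINIP/32" 22
      echo " SSH sessions allowed without checking MAC, no TOS"
    fi
  fi
  if [[ "$VPN" == "YES" ]]; then
    echo " Allowing EXTERNAL access to the VPN server"
    if [[ "$MACSUPPORT" == "YES" ]]; then
      _notos_accept_input tcp "$ADMINIP/32" 666 "$MAC"
      _notos_accept_input udp "$ADMINIP/32" 666 "$MAC"
      echo " VPN sessions allowed only when MAC = $MAC, no TOS"
    else
      _notos_accept_input tcp "$ADMINIP/32" 666
      _notos_accept_input udp "$ADMINIP/32" 666
      echo " VPN sessions allowed without checking MAC, no TOS"
    fi
  fi
  if [[ "$MAIL" == "YES" ]]; then
    # Mail rules are open to the whole Internet.
    echo " Allowing EXTERNAL access to the SMTP server"
    _notos_accept_input tcp "$UNIVERSE" 25
    _notos_accept_input udp "$UNIVERSE" 25
    echo " Allowing EXTERNAL access to the POP3S server"
    _notos_accept_input tcp "$UNIVERSE" 995
    _notos_accept_input udp "$UNIVERSE" 995
  fi
  if [[ "$DNS" == "YES" ]]; then
    echo " Allowing EXTERNAL access to the DNS server, no TOS"
    _notos_accept_input tcp "$UNIVERSE" 53
    _notos_accept_input udp "$UNIVERSE" 53
  fi
  if [[ "$WWW" == "YES" ]]; then
    echo " Allowing EXTERNAL access to the HTTP/HTTPS server, no TOS"
    local port
    for port in 80 443; do
      _notos_accept_input tcp "$UNIVERSE" "$port"
      _notos_accept_input udp "$UNIVERSE" "$port"
    done
  fi
  if [[ "$W3C" == "YES" ]]; then
    echo " Allowing EXTERNAL access to the W3C server, no TOS"
    _notos_accept_input tcp "$UNIVERSE" 8080
    _notos_accept_input udp "$UNIVERSE" 8080
  fi
}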
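###########################
# blocking some types of icmp messages
###########################
# Denies (via drop-and-log-it) ICMP types 0, 8, 11 and 13 arriving on $EXTIF
# for $EXTIP and accepts every other ICMP type, which is what the progress
# lines printed at the end announce.
# The original rules used "--icmp-type ! N -j ACCEPT" per type: any packet is
# "not type N" for at least one of the four rules, so every ICMP type was
# accepted and the final deny never matched. The loop below tests each type
# positively instead.
# NOTE(review): the callers in this file invoke block_icmp after appending a
# catch-all drop-and-log-it rule to INPUT, so these rules only take effect if
# the call is moved before that catch-all — confirm the intended order.
# Globals:   IPTABLES EXTIF EXTIP UNIVERSE (read)
# Outputs:   two progress lines on stdout
function block_icmp {
  local icmp_type
  for icmp_type in 0 8 11 13; do
    "$IPTABLES" -A INPUT -i "$EXTIF" -p icmp -s "$UNIVERSE" -d "$EXTIP" \
      -m icmp --icmp-type "$icmp_type" -j drop-and-log-it
  done
  "$IPTABLES" -A INPUT -i "$EXTIF" -p icmp -s "$UNIVERSE" -d "$EXTIP" -j ACCEPT
  echo " ICMP types 0, 8, 11 and 13 are denied"
  echo " All other ICMP messages granted"
}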
VERSION="3.0"
###################
# begin take over the world
###################
# Discover the external address from ifconfig output. "grep inet" also
# matches "inet6" lines, so on an interface that also has an IPv6 address
# this pipeline may yield more than one value — TODO confirm against the
# installed ifconfig.
EXTIP=`$IFCONFIG $EXTIF|$GREP inet|$AWK -F : {'print $2'}|$AWK {'print $1'}`
clear
# Unload ipchains if it is loaded (presumably because it conflicts with
# iptables; the script does not say).
if test "$(lsmod|grep ipchains|awk '{print $1}')"; then
rmmod ipchains
fi;
# NOTE(review): the logger arguments are unquoted; "[FIREWALL]" is a glob
# pattern and would expand if a single-character file named F, I, R, E, W, A
# or L exists in the current directory. Quoting the tag avoids this.
logger -t [FIREWALL] Beginnig loading iptables netfilter
# Print the effective configuration.
echo "OK-TEAM FIREWALL, ver $VERSION"
echo "___________________________"
echo ""
echo "[INITIAL PARAMETERS]"
echo " External interface: $EXTIF"
echo " External IP number: $EXTIP"
echo " Internal interface: $INTIF"
echo " Internal IP number: $INTIP"
echo " Internal network : $INTNET"
echo " Universe : $UNIVERSE"
echo " Active services : VPN:$VPN SSH:$SSH MAIL:$MAIL DNS:$DNS WWW:$WWW W3C:$W3C"
echo " Using masquerade : $MASQUERADE"
echo " Blocking ICMP : $BLOCKICMP, codes 0, 8, 11 and 13
0 Echo Reply
8 Echo Request
11 Time Exceeded
13 Timestamp Request"
echo " MAC address check : $MACSUPPORT"
echo " TOS byte support : $TOSSUPPORT, codes 4, 8 and 16
Minimize-Delay 16 (0x10)
Maximize-Throughput 8 (0x08)
Maximize-Reliability 4 (0x04)
Minimize-Cost 2 (0x02)
Normal-Service 0 (0x00)"
echo ""
echo "[LOADING KERNEL MODULES]"
# Each module is loaded with insmod only when lsmod does not already list
# it. Note that insmod/lsmod are called directly here, not via $INSMOD.
if test -z "$(lsmod|grep ip_tables|awk '{print $1}')"; then
insmod ip_tables
fi;
echo " Main iptables module : ip_tables"
echo " Filtering module : iptable_filter"
if test -z "$(lsmod|grep ip_conntrack|awk '{print $1}')"; then
insmod ip_conntrack
fi;
echo " Connection tracking module : ip_conntrack"
if test -z "$(lsmod|grep ip_conntrack_ftp|awk '{print $1}')"; then
insmod ip_conntrack_ftp
fi;
echo " FTP connection tracking module: ip_conntrack_ftp"
# NAT modules and IP forwarding are only enabled when masquerading.
if [ $MASQUERADE = "YES" ]; then
if test -z "$(lsmod|grep iptable_nat|awk '{print $1}')"; then
insmod iptable_nat
fi;
echo " Iptables NAT support module : iptable_nat"
if test -z "$(lsmod|grep ip_nat_ftp|awk '{print $1}')"; then
insmod ip_nat_ftp
fi;
echo " Passive FTP NAT module : ip_nat_ftp"
echo " Enable forwarding : OK!"
echo "1" > /proc/sys/net/ipv4/ip_forward
fi;
echo ""
echo "[SETTING CHAINS PARAMETERS]"
# The default policy is set to DROP on each built-in chain before that chain
# is flushed, so the rebuild starts from a deny-all state. The nat table is
# flushed as well.
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT DROP
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -F -t nat
echo " INPUT/OUTPUT/FORWARD chains cleared and policy set to DROP"
# Flush the custom chain if it already exists (presumably so that -X below
# can remove it), then delete all user chains and zero the counters.
if [ -n "`$IPTABLES -L | $GREP drop-and-log-it`" ]; then
$IPTABLES -F drop-and-log-it
fi
echo " User specific chains deleted : drop-and-log-it"
$IPTABLES -X
echo " All user specified chains deleted: OK!"
$IPTABLES -Z
echo " All Iptables counters reset : OK!"
# drop-and-log-it: log the packet at level info, then drop it. It is the
# target of every explicit deny below.
$IPTABLES -N drop-and-log-it
$IPTABLES -A drop-and-log-it -j LOG --log-level info
$IPTABLES -A drop-and-log-it -j DROP
echo " User specific chain recreated : drop-and-log-it"
echo ""
echo "[SETTING INPUT CHAIN RULES]"
#################################################
# INPUT CHAIN
# remember that INPUT chain manage incoming traffic from all interfaces
#################################################
#loopback interface traffic always valid
$IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
echo " Local interface traffic always granted"
if [ $MASQUERADE != "YES" ]; then
echo " You are NOT using MASQUERADE!"
#disable spoofing LAN on external interface
# Packets claiming a LAN source address but arriving on $EXTIF are logged
# and dropped.
$IPTABLES -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j drop-and-log-it
echo " Disabled spoofing LAN on $EXTIF interface"
#call function to allow access to some daemons
if [ $TOSSUPPORT = "YES" ]; then
tos_allowed_services
else
notos_allowed_services
fi
#any other traffic is denied
# NOTE(review): in this branch no rule accepts ESTABLISHED,RELATED traffic on
# $EXTIF or any traffic on $INTIF, so replies to connections this host opens
# over $EXTIF appear to end up here — confirm that is intended.
# NOTE(review): this catch-all is appended before block_icmp is called, so
# the ICMP rules block_icmp appends sit behind it and are never evaluated;
# the same ordering occurs in the masquerade branch below.
$IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
echo " Any other incoming traffic is denied"
if [ $BLOCKICMP = "YES" ]; then
block_icmp
fi;
else
echo " Using MASQUERADE!"
#if using masquerade allow traffic from LAN to Internet via internal
#interface
# Everything from the LAN prefix on $INTIF is accepted, including traffic
# addressed to this host.
$IPTABLES -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT
echo " Masquerade from LAN via $INTIF granted"
#allow all masquerade traffic back to proper LAN machines only when
#is estabished or related by LAN computer - all one external interface
# Only reply traffic (ESTABLISHED,RELATED) addressed to $EXTIP is accepted
# on the external interface.
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT
echo " Reverse traffic from Internet to LAN granted"
#call function to allow access to some daemons
if [ $TOSSUPPORT = "YES" ]; then
tos_allowed_services
else
notos_allowed_services
fi
#any other traffic is denied
# NOTE(review): as in the other branch, block_icmp runs after this catch-all,
# so its rules are unreachable and ICMP not matched above is dropped here.
$IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
echo " Any other incoming traffic is denied"
if [ $BLOCKICMP = "YES" ]; then
block_icmp
fi;
fi;
echo ""
echo "[SETTING OUTPUT CHAIN RULES]"
##################################################
# OUTPUT CHAIN
# remember that OUTPUT chain manage outgoing traffic from all interfaces
##################################################
#loopback interface traffic always valid
$IPTABLES -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
echo " Local interface traffic always granted"
# Both branches below append the same rules; only the echoed text differs.
if [ $MASQUERADE != "YES" ]; then
echo " You are NOT using MASQUERADE!"
# anything else outgoing on remote interface is valid
#local interfaces, any source going to local net is valid
# Only packets sourced from $EXTIP or $INTIP may leave via $INTIF; any other
# source falls through to the OUTPUT DROP policy set above.
$IPTABLES -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT
echo " Any traffic to LAN via $INTIF interface is granted"
#outgoing to local net on remote interface, stuffed routing, deny
$IPTABLES -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j drop-and-log-it
echo " Traffic to LAN on $EXTIF interface is denied"
# anything else outgoing on remote interface is valid
# Only $EXTIP may source packets on $EXTIF; everything else is dropped by
# the policy, which is what the next echo announces.
$IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT
echo " Any other outgoing traffic is denied"
else
echo " Using MASQUERADE!"
#local interfaces, any source going to local net is valid
$IPTABLES -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT
echo " Any traffic to LAN via $INTIF interface is granted"
#outgoing to local net on remote interface, stuffed routing, deny
$IPTABLES -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j drop-and-log-it
echo " Traffic to LAN on $EXTIF interface is denied"
# anything else outgoing on remote interface is valid
$IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT
echo " Any other outgoing traffic is denied"
fi;
echo ""
echo "[SETTING FORWARD CHAIN RULES]"
###################################################
# FORWARD CHAIN
# remember that FORWARD chain manage thruout traffic from all interfaces
# this chains is used for masquerade, so if you need uncoment this
###################################################
if [ $MASQUERADE != "YES" ]; then
echo " You are NOT using MASQUERADE!"
# Without masquerade nothing is routed: every forwarded packet is logged
# and dropped.
$IPTABLES -A FORWARD -j drop-and-log-it
echo " Any traffic is denied and logged"
else
echo " Using MASQUERADE!"
if [ $TOSSUPPORT = "YES" ]; then
#allow all connection out and only related and established in
# NOTE(review): with TOS support the reply rule also requires TOS 8, so
# ESTABLISHED,RELATED packets returning with any other TOS value are not
# matched here and fall through to the drop-and-log-it rule at the end of
# this chain — confirm that is intended.
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state \
ESTABLISHED,RELATED -m tos --tos 8 -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
echo " All outgoing traffic is granted"
echo " Incoming traffic granted only when established or relate"
else
#allow all connection out and only related and established in
# LAN -> Internet is accepted unconditionally; Internet -> LAN only for
# reply traffic.
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state \
ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
echo " All outgoing traffic is granted"
echo " Incoming traffic granted only when established or relate"
fi
# next two rules are for transparent proxy with squid on 8080
#$IPTABLES -A FORWARD -s $INTNET -d ! $INTIP -p tcp --dport 8080 \
#-j drop-and-log-it
#$IPTABLES -t nat -A PREROUTING -i $INTIF -p tcp --dport 80 \
#-m tos --tos 8 -j REDIRECT --to-ports 8080
#echo " Transparent proxy rules activated"
# Anything not accepted above (e.g. traffic between other interfaces) is
# logged and dropped.
$IPTABLES -A FORWARD -j drop-and-log-it
echo " Any other traffic is denied and logged"
# NOTE(review): this unconditional MASQUERADE rule is appended first and
# matches every packet leaving $EXTIF, so the more specific per-protocol
# rules with --to-ports below are never reached.
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
echo " SNAT masquerade functionality on $EXTIF granted"
# "-d ! $INTNET" is the old negation syntax; newer iptables releases expect
# "! -d" — confirm with the installed version.
$IPTABLES -t nat -A POSTROUTING -p tcp -o $EXTIF -s $INTNET -d ! $INTNET \
-j MASQUERADE --to-ports=$MASQ_PORTS
$IPTABLES -t nat -A POSTROUTING -p udp -o $EXTIF -s $INTNET -d ! $INTNET \
-j MASQUERADE --to-ports=$MASQ_PORTS
$IPTABLES -t nat -A POSTROUTING -p icmp -o $EXTIF -s $INTNET -d ! $INTNET \
-j MASQUERADE
fi;
# Unquoted tag again; see the note on the first logger call above.
logger -t [FIREWALL] Iptables netfilter loaded and set successfully
echo ""
echo "To see firewall rules write iptables -L -v --line-numbers"
echo "To see NAT table rules write iptables -t nat -L -v --line-numbers"
echo ""

 

Jeszcze przepraszam za zaśmiecanie forum...


W komendzie iptables-save musisz jeszcze skierować strumień do pliku, w którym chcesz zapisać regułki... np. w moim wypadku jest to polecenie

 

/sbin/iptables-save >/etc/iptables.form

 

i w pliku /etc/iptables.form zapisuje mi regułki

 

Następnie, żeby podczas startu systemu wczytywał Ci te regułki, musisz w pliku /etc/rc.local dopisać linię

 

/sbin/iptables-restore </etc/iptables.form

