Our environment at work is as follows:
We have already bound each PC's IP and MAC address via DHCP, but many people can still get online by setting an IP themselves.
I now want the firewall to allow only users whose IP and MAC address are bound to get online, and some machines should only be able to go out on port 80 and nothing else.
For example:
1. The bound IPs in the range 192.168.1.10---192.168.1.50 can use all Internet functions, while the bound IPs in 192.168.1.80-192.168.1.90 can only access port 80.
2. For IPs that were not obtained automatically but set manually, I want them to be unable to do anything; only bound IP and MAC addresses can get online.
How can this be implemented?
How should such a firewall be written?
- zjnx
- Posts: 66
- Joined: 2006-04-03 11:27
- yjcong
- Posts: 2470
- Joined: 2006-02-28 3:11
- str263
- Posts: 56
- Joined: 2006-09-13 23:59
There may still be some problems; I have no way to test it on my machine! Treat it as a reference only!!
#!/bin/bash
# rc.firewall - DHCP IP Firewall script
# 1.Internet Configuration
INET_IFACE="eth0"
LAN_IFACE="eth1"
DHCP="no" # this host does not need a DHCP-assigned address
DHCP_SERVER="192.168.1.1" # assumed IP of your DHCP server
LAN_IP="192.168.1.10"
LAN_IP_RANGE="192.168.1.10/26" # iptables treats this as 192.168.1.0/26, i.e. .0-.63
LAN_IP_LIMITED="192.168.1.80/28" # 192.168.1.80-.95, hosts allowed port 80 only
LO_IFACE="lo"
LO_IP="127.0.0.1"
IPTABLES="/usr/sbin/iptables"
# 2. Required proc configuration
#
echo "1" > /proc/sys/net/ipv4/ip_forward
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
# Flush all existing rules
$IPTABLES -F
$IPTABLES -t nat -F
# 3. Filter table
# 3.1.1 Set policies
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
# 3.1.2 Create userspecified chains
#
#
# Create chain for bad tcp packets
#
$IPTABLES -N bad_tcp_packets
# Create separate chains for ICMP, TCP and UDP to traverse
#
$IPTABLES -N allowed
$IPTABLES -N tcp_packets
$IPTABLES -N udp_packets
$IPTABLES -N icmp_packets
# 3.1.3 Create content in userspecified chains
# bad_tcp_packets chain
$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \
-m state --state NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
# allowed chain
#
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP
# TCP rules
#
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed
# UDP ports
#
$IPTABLES -A udp_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
if [ "$DHCP" = "yes" ] ; then
$IPTABLES -A udp_packets -p UDP -s $DHCP_SERVER --sport 67 \
--dport 68 -j ACCEPT
fi
# ICMP rules
#
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
# 3.1.4 INPUT chain
#
# Bad TCP packets we don't want.
#
$IPTABLES -A INPUT -p tcp -j bad_tcp_packets
#
# Rules for special networks not part of the Internet
#
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -j ACCEPT
#
# Special rule for DHCP requests from LAN, which are not caught properly
# otherwise.
#
$IPTABLES -A INPUT -p UDP -i $LAN_IFACE --dport 67 --sport 68 -j ACCEPT
# Rules for incoming packets from the internet.
#
$IPTABLES -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
-j ACCEPT
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udp_packets
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
# Log weird packets that don't match the above.
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT INPUT packet died: "
# 3.1.5 FORWARD chain
#
#
# Bad TCP packets we don't want
$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets
# Accept the packets we actually want to forward
#
# Drop every packet (any protocol) whose source IP is not coming from its bound MAC
$IPTABLES -A FORWARD -s 192.168.1.10 -m mac \
! --mac-source xx:xx:xx:xx:xx:xx -j DROP
$IPTABLES -A FORWARD -s 192.168.1.11 -m mac \
! --mac-source xx:xx:xx:xx:xx:xx -j DROP
# Add one such rule for every IP/MAC pair you want to bind!
$IPTABLES -A FORWARD -p ALL -s $LAN_IP_RANGE -j ACCEPT
$IPTABLES -A FORWARD -p tcp -s $LAN_IP_LIMITED --dport 80 -j ACCEPT
$IPTABLES -A FORWARD -f -m limit --limit 100/s --limit-burst 100 -j ACCEPT
$IPTABLES -A FORWARD -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Log weird packets that don't match the above.
#
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT FORWARD packet died: "
# 3.1.6 OUTPUT chain
#
#
# Bad TCP packets we don't want.
#
$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets
#
# Special OUTPUT rules to decide which IP's to allow.
#
$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT
#
# Log weird packets that don't match the above.
#
$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT OUTPUT packet died: "
#4.2 nat table
# Masquerade on the Internet-facing interface (use "-o ppp+" instead if the uplink is PPPoE)
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE
Last edited by str263 on 2008-09-04 1:03, edited 2 times in total.
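As an added example (not the thread's own code), here is a generator for a positive-allowlist version of the rule set asked for above: a LAN host is forwarded only when both its source IP and its source MAC match a line of a binding table, and its IP range then decides whether it gets full access or only TCP 80. The chain name lan_bound, the interface name and the binding table are assumptions; the script prints the commands rather than running them so they can be reviewed first.

```shell
#!/bin/sh
# Added example (not from the thread): emit an iptables FORWARD policy for the
# requirement above as a positive allowlist. A LAN host is forwarded only when
# its source IP AND source MAC match one line of the binding table; its IP range
# then decides whether it gets everything or only TCP 80. Chain name lan_bound,
# interface name and the binding table are assumptions / constructed values.
LAN_IFACE="eth1"   # assumed LAN-side interface
IPT="iptables"     # assumed binary name (use /usr/sbin/iptables if not in PATH)

# Constructed binding table, one "ip mac" pair per line (placeholder MACs).
BINDINGS='192.168.1.10 00:11:22:33:44:10
192.168.1.11 00:11:22:33:44:11
192.168.1.80 00:11:22:33:44:80'

# Print the rules instead of applying them, so they can be reviewed first
# (pipe into sh as root to apply). -A appends, so this is traversal order.
gen_rules() {
  echo "$IPT -N lan_bound"
  # Step 1: a packet passes lan_bound only if IP and MAC both match a binding.
  # -m mac sees the MAC of the frame as received on $LAN_IFACE, so hosts must
  # be on the same L2 segment as the firewall; behind a router it would be the
  # router's MAC.
  echo "$BINDINGS" | while read -r ip mac; do
    [ -n "$ip" ] || continue
    echo "$IPT -A lan_bound -s $ip -m mac --mac-source $mac -j RETURN"
  done
  # Unmatched pair (static IP outside the table, or wrong MAC): log, then drop.
  echo "$IPT -A lan_bound -m limit --limit 3/minute -j LOG --log-prefix 'LAN unbound: '"
  echo "$IPT -A lan_bound -j DROP"
  # Step 2: every LAN packet is checked before any state shortcut applies.
  echo "$IPT -P FORWARD DROP"
  echo "$IPT -A FORWARD -i $LAN_IFACE -j lan_bound"
  echo "$IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  # Step 3: what a bound host may do depends on its range; all else hits DROP.
  echo "$IPT -A FORWARD -i $LAN_IFACE -m iprange --src-range 192.168.1.10-192.168.1.50 -j ACCEPT"
  echo "$IPT -A FORWARD -i $LAN_IFACE -p tcp --dport 80 -m iprange --src-range 192.168.1.80-192.168.1.90 -j ACCEPT"
}

# Number of IP/MAC pairing rules emitted: one per binding in the table.
count_binding_rules() {
  gen_rules | grep -c -- '--mac-source'
}
```

Because the MAC is checked on every LAN packet before the ESTABLISHED shortcut, a host that changes its IP after a connection is up is cut off on the next packet; a host that changes both IP and MAC to a bound pair still gets through, as the next answer notes.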
- Posts: 333
- Joined: 2007-05-13 15:20
Do the binding with DHCP and the rest with iptables; if someone changes their IP by hand, add their MAC to iptables.
If they change both the IP and the MAC, there is nothing you can do.
If the networks are separate, just specify the ingress interface.
sysctl -w net.ipv4.ip_forward=1
iptables -P FORWARD DROP
iptables -I FORWARD -m state --state INVALID -j DROP
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -m iprange --src-range 192.168.1.10-192.168.1.50 -j ACCEPT
iptables -I FORWARD -p udp --dport 80 -m iprange --src-range 192.168.1.80-192.168.1.90 -j ACCEPT
iptables -I FORWARD -p tcp --dport 80 -m iprange --src-range 192.168.1.80-192.168.1.90 -j ACCEPT
# deny MACs from here (each -I is inserted at the top, so these end up first)
iptables -I FORWARD -m mac --mac-source xx:xx:xx:xx:xx:xx -j DROP
iptables -t mangle -I FORWARD -j TTL --ttl-set 64
# POSTROUTING only accepts an output interface (-o), not -i
iptables -t nat -I POSTROUTING -o ppp+ -j MASQUERADE
# Note: written on the spot, not tested
- Posts: 84
- Joined: 2005-12-25 1:42
There are quite a few iptables experts here!
http://www.chinaunix.net/index.php?uid= ... m-4-1.html