После развёртывания debian-netinstall вносим изменения в файлы по списку ниже.
Что и где:
- Внешний интерфейс eth0
- Внутренний интерфейс eth1
- Внутренняя сеть 10.10.0.0/24
- На шлюзе работают DNS proxy + DHCP via dnsmasq
# Packages needed on the gateway: SSH access, dnsmasq (DNS proxy + DHCP for the LAN)
# and psmisc (killall/fuser/pstree, useful when restarting services).
apt-get install \
  openssh-server \
  dnsmasq \
  psmisc
/etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
/etc/rc.local
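# Gateway firewall: eth0 faces the Internet, eth1 faces the LAN.
# Interfaces and addresses live in variables so that every rule agrees with
# the rest of this gateway's configuration (the dnsmasq dhcp-range and the
# eth1 address are in 10.10.0.0/24); the original rules still carried a
# copied-over 192.168.0.0/24, so LAN clients matched none of them.
ext_if=eth0
int_if=eth1
lan_net=10.10.0.0/24
# LAN host that receives port-forwarded HTTP. It must be an address inside
# $lan_net; 10.10.0.2 is only a sample value -- set the real web server here.
web_server=10.10.0.2

# Start from an empty ruleset in both the filter and the nat table.
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z

# Default policies: deny everything, then allow only what is listed below.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Loopback is always allowed (the gateway resolves through 127.0.0.1).
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Stateful rules: once a connection has been accepted as NEW, its replies and
# related traffic (e.g. ICMP errors) pass without further rules.
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Packets the connection tracker cannot classify are dropped on every chain.
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A OUTPUT -m conntrack --ctstate INVALID -j DROP
iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP

## INPUT (traffic addressed to the gateway itself)
# SSH only from the LAN side; it is never opened on the Internet side.
iptables -A INPUT -i "$int_if" -s "$lan_net" \
  -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Replies to this host's own DHCP client on the external interface
# (eth0 gets its address by DHCP): server port 67 -> client port 68.
iptables -A INPUT -i "$ext_if" -p udp --sport 67 --dport 68 -j ACCEPT
# dnsmasq serves DNS and DHCP on the LAN interface only (interface=eth1 in
# /etc/dnsmasq.d/local), so its ports are opened on eth1, not on eth0:
# opening port 53 on eth0 exposes the resolver to the Internet while LAN
# clients stay blocked by the DROP policy.
iptables -A INPUT -i "$int_if" -s "$lan_net" -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -i "$int_if" -s "$lan_net" -p udp --dport 53 -j ACCEPT
# DHCP DISCOVER/REQUEST arrive from 0.0.0.0 (the client has no address yet),
# so this rule deliberately has no -s filter.
iptables -A INPUT -i "$int_if" -p udp --sport 68 --dport 67 -j ACCEPT

## OUTPUT (traffic originating from the gateway itself)
# Everything towards the Internet (dnsmasq upstream queries, apt, ...).
iptables -A OUTPUT -o "$ext_if" -j ACCEPT
# From the gateway to LAN hosts.
iptables -A OUTPUT -o "$int_if" -d "$lan_net" -j ACCEPT
# DHCP OFFER/ACK may be sent to the broadcast address, which is outside
# $lan_net and not matched by conntrack as a reply, so allow them explicitly.
iptables -A OUTPUT -o "$int_if" -p udp --sport 67 --dport 68 -j ACCEPT

## FORWARD (LAN <-> Internet through the gateway)
# The external address is dynamic (DHCP), so masquerade instead of a fixed SNAT.
iptables -t nat -A POSTROUTING -o "$ext_if" -j MASQUERADE
# New connections from the LAN to the Internet.
iptables -A FORWARD -i "$int_if" -o "$ext_if" -s "$lan_net" \
  -m conntrack --ctstate NEW -j ACCEPT
# Port-forward inbound HTTP (tcp/80) to the LAN web server. The DNAT rewrites
# the destination before FORWARD sees the packet, so the FORWARD rule matches
# the rewritten (LAN) address.
iptables -t nat -A PREROUTING -i "$ext_if" -p tcp --dport 80 \
  -j DNAT --to-destination "${web_server}:80"
iptables -A FORWARD -i "$ext_if" -o "$int_if" -d "$web_server" \
  -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT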
/etc/dnsmasq.d/local
domain-needed
local=/home.net/
domain=home.net
interface=eth1
dhcp-range=10.10.0.16,10.10.0.254,255.255.255.0,8h
# Windows clients: release the DHCP lease on shutdown (Microsoft vendor option 2)
#dhcp-option=vendor:MSFT,2,1i
/etc/network/interfaces
auto eth0 eth1
iface eth0 inet dhcp
# "prepend domain-name-servers 127.0.0.1" is dhclient.conf syntax, not interfaces(5); it belongs in the DHCP client's configuration, not here
iface eth1 inet static
address 10.10.0.1
netmask 255.255.255.0