Eu tenho uma rede com a seguinte topologia:
- Modem WAN com NIC voltado para o gateway: 192.168.0.1
- Ubuntu 14.04 gateway com dois NICs:
1) Eth0 (voltado para o modem): 192.168.0.201
2) Eth1 (de frente para a LAN): 10.0.0.1
Estou tentando limitar o acesso à Internet e à LAN (da Internet) por dia e hora do dia usando iptables , mas as regras parecem não ter efeito. .
No rc.local, tenho a seguinte configuração:
++#!/bin/sh -e
#
# rc.local
# turning on address verification
echo -n "Enabling source address verification..."
echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
echo "done"
#just for the sake of turning the networks off and on... not sure if it would work turning them back on only at the end of script ? -- Also flushing NICs
ip addr flush eth0;
ip addr flush eth1;
ifconfig eth0 down;
ifconfig eth1 down;
ifconfig lo down;
ifconfig lo up;
ifconfig eth0 up;
ifconfig eth1 up;
ifconfig eth0 192.168.0.201 netmask 255.255.255.0
ifconfig eth1 10.0.0.1 netmask 255.255.255.0
#routing table check up :
route add 127.0.0.1 dev lo;
route add -net 127.0.0.0/8 dev lo;
route add -net 10.0.0.0/24 dev eth1;
route add -net 192.168.0.0/8 dev eth0;
route add default gw 192.168.0.1;
# turn fowarding off while configuring iptables :
sysctl net/ipv4/ip_forward=0
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
#and on again once the policies are set
sysctl net/ipv4/ip_forward=1
#limiting LAN clients
iptables -A FORWARD -d 10.0.0.74 -m time --timestart 20:00 --timestop 10:00 --days Sun,Mon,Tue,Wed,Thu,Fri -j DROP
iptables -A FORWARD -d 10.0.0.228 -m time --timestart 20:00 --timestop 10:00 --days Sun,Mon,Tue,Wed,Thu,Fri -j DROP
iptables -A FORWARD -d 10.0.0.121 -m time --timestart 20:00 --timestop 10:00 --days Sun,Mon,Tue,Wed,Thu,Fri -j DROP
iptables -A FORWARD -d 10.0.0.221 -m time --timestart 20:00 --timestop 10:00 --days Sun,Mon,Tue,Wed,Thu,Fri -j DROP
iptables -A FORWARD -d 10.0.0.2 -m time --timestart 10:00 --timestop 20:00 --days Sun,Mon,Tue,Wed,Thu,Fri -j DROP
#block IPs
iptables -A INPUT -s 173.194.45.189 -j DROP
iptables -A INPUT -s 208.92.53.87 -j DROP
#masquerade on wan card :
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
#accept all packets in lo and protect against spoofing :
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i !lo -s 127.0.0.0/8 -j LOG
iptables -A INPUT -i !lo -s 127.0.0.0/8 -j DROP
iptables -A FORWARD -i !lo -s 127.0.0.0/8 -j LOG
iptables -A FORWARD -i !lo -s 127.0.0.0/8 -j DROP
#accept only established input but all output on WAN card
iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A OUTPUT -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
#just forget the invalid packets :
iptables -A OUTPUT -o eth0 -m state --state INVALID -j DROP
iptables -A INPUT -i eth0 -m state --state INVALID -j LOG
iptables -A INPUT -i eth0 -m state --state INVALID -j DROP
#not sure whether to put this before or after spoofing protection ?
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A OUTPUT -o eth1 -j ACCEPT
#against spoofing on LAN card input :
iptables -A INPUT -i !eth1 -s 10.0.0.0/24 -j LOG
iptables -A INPUT -i !eth1 -s 10.0.0.0/24 -j DROP
exit 0
Listando as regras com iptables -L eu recebo:
Chain INPUT (policy DROP)
target prot opt source destination
DROP all -- 173.194.45.189 anywhere
DROP all -- 208.92.53.87 anywhere
ACCEPT tcp -- 10.0.0.0/24 anywhere ctstate NEW,RELATED,ESTABLISHED tcp dpt:sunrpc
ACCEPT udp -- 10.0.0.0/24 anywhere ctstate NEW,RELATED,ESTABLISHED udp dpt:sunrpc
ACCEPT all -- anywhere anywhere
LOG all -- 127.0.0.0/8 anywhere LOG level warning
DROP all -- 127.0.0.0/8 anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
LOG all -- anywhere anywhere state INVALID LOG level warning
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere
LOG all -- 10.0.0.0/24 anywhere LOG level warning
DROP all -- 10.0.0.0/24 anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
LOG all -- 127.0.0.0/8 anywhere LOG level warning
DROP all -- 127.0.0.0/8 anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere
As regras baseadas em tempo não estão lá. Alguém pode ver porque? Observação: é um dia e hora do dia em que a seguinte regra deve estar ativa:
iptables -A FORWARD -d 10.0.0.2 -m time --timestart 10:00 --timestop 20:00 --days Sun,Mon,Tue,Wed,Thu,Fri -j DROP