luizbueno
(usa CentOS)
Enviado em 06/08/2013 - 08:49h
Daniel,
Na verdade as regras ja vem prontas nos arquivos do Nocat, para capturar todo o trafego e redirecionar para o servidor de autenticação. Abaixo vou postar então o arquivo initialize,fw
#!/bin/sh
##
#
# initialize.fw: setup the default firewall rules
#
# *** NOTE ***
#
# If you want to have local firewall rules in addition to what NoCat
# provides, add them at the bottom of this file. They will be recreated
# each time gateway is restarted.
#
##
# The current service classes by fwmark are:
#
# 1: Owner
# 2: Co-op
# 3: Public
# 4: Free
#
# Note: your PATH is inherited from the gateway process
#
if [ $(id -u) = 0 ]; then
# Enable IP forwarding and rp_filter (to kill IP spoof attempts).
#
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
# Load alllll the kernel modules we need.
#
rmmod ipchains > /dev/null 2>&1 # for RH 7.1 users.
for module in ip_tables ipt_REDIRECT ipt_MASQUERADE ipt_MARK ipt_REJECT \
ipt_TOS ipt_LOG iptable_mangle iptable_filter iptable_nat ip_nat_ftp \
ip_conntrack ip_conntrack_ftp ip_conntrack_irc \
ip_nat_irc ipt_mac ipt_state ipt_mark; do
modprobe $module
done
fi
# Flush all user-defined chains
#
iptables -t filter -N NoCat 2>/dev/null
iptables -t filter -F NoCat
iptables -t filter -D FORWARD -j NoCat 2>/dev/null
iptables -t filter -A FORWARD -j NoCat
iptables -t filter -N NoCat_Ports 2>/dev/null
iptables -t filter -F NoCat_Ports
iptables -t filter -D NoCat -j NoCat_Ports 2>/dev/null
iptables -t filter -A NoCat -j NoCat_Ports
iptables -t filter -N NoCat_Inbound 2>/dev/null
iptables -t filter -F NoCat_Inbound
iptables -t filter -D NoCat -j NoCat_Inbound 2>/dev/null
iptables -t filter -A NoCat -j NoCat_Inbound
iptables -t nat -N NoCat_Capture 2>/dev/null
iptables -t nat -F NoCat_Capture
iptables -t nat -D PREROUTING -j NoCat_Capture 2>/dev/null
iptables -t nat -A PREROUTING -j NoCat_Capture
iptables -t nat -N NoCat_NAT 2>/dev/null
iptables -t nat -F NoCat_NAT
#
# Only nat if we're not routing
#
iptables -t nat -D POSTROUTING -j NoCat_NAT 2>/dev/null
[ "$RouteOnly" ] || iptables -t nat -A POSTROUTING -j NoCat_NAT
iptables -t mangle -N NoCat 2>/dev/null
iptables -t mangle -F NoCat
iptables -t mangle -D EROUTINGNG -j NoCat 2>/dev/null
iptables -t mangle -A EROUTINGNG -j NoCat
fwd="iptables -t filter -A NoCat"
ports="iptables -t filter -A NoCat_Ports"
nat="iptables -t nat -A NoCat_NAT"
redirect="iptables -t nat -A NoCat_Capture"
mangle="iptables -t mangle -A NoCat"
if [ "$MembersOnly" ]; then
classes="1 2"
else
classes="1 2 3"
fi
# Handle tagged traffic.
#
for iface in $InternalDevice; do
for net in $LocalNetwork; do
for fwmark in $classes; do
# Only forward tagged traffic per class
$fwd -i $iface -s $net -m mark --mark $fwmark -j ACCEPT
# $fwd -o $iface -d $net -m mark --mark $fwmark -j ACCEPT
# Masquerade permitted connections.
$nat -o $ExternalDevice -s $net -m mark --mark $fwmark -j MASQUERADE
done
# Allow web traffic to the specified hosts, and don't capture
# connections intended for them.
#
if [ "$AuthServiceAddr" -o "$AllowedWebHosts" ]; then
for host in $AuthServiceAddr $AllowedWebHosts; do
for host in $AuthServiceAddr $AllowedWebHosts; do
for port in 80 443; do
$nat -s $net -d $host -p tcp --dport $port -j MASQUERADE
$redirect -s $net -d $host -p tcp --dport $port -j RETURN
$fwd -s $net -d $host -p tcp --dport $port -j ACCEPT
$fwd -d $net -s $host -p tcp --sport $port -j ACCEPT
done
done
fi
# Accept forward and back traffic to/from DNSAddr
if [ "$DNSAddr" ]; then
for dns in $DNSAddr; do
$fwd -o $iface -d $net -s $dns -j ACCEPT
for prot in tcp udp; do
$fwd -i $iface -s $net -d $dns -p $prot --dport 53 -j ACCEPT
$nat -p $prot -s $net -d $dns --dport 53 -j MASQUERADE
# Force unauthenticated DNS traffic through this server.
# Of course, only the first rule of this type will match.
# But it's easier to leave them all in ATM.
#
# Commented out for now, it's got a syntax issue I can't
# quite fathom: "iptables: Invalid argument"
# --Rob
#
#$nat -i $InternalDevice -m mark --mark 4 -p $prot \
# --dport 53 -j DNAT --to $dns:53
done
done
fi
done
# Set packets from internal devices to fw mark 4, or 'denied', by default.
$mangle -i $iface -j MARK --set-mark 4
done
# Redirect outbound non-auth web traffic to the local gateway process
# except to windowsupdate.microsoft.com, which is broken.
#
# If MembersOnly is active, then redirect public class as well
#
if [ "$MembersOnly" ]; then
nonauth="3 4"
else
nonauth="4"
fi
for port in 80 443; do
for mark in $nonauth; do
$redirect -m mark --mark $mark -d windowsupdate.microsoft.com -j DROP
$redirect -m mark --mark $mark -p tcp --dport $port -j REDIRECT \
--to-port $GatewayPort
done
done
# Lock down more ports for public users, if specified. Port restrictions
# are not applied to co-op and owner class users.
#
# There are two philosophies in restricting access: That Which Is Not
# Specifically Permitted Is Denied, and That Which Is Not Specifically
# Denied Is Permitted.
#
# If "IncludePorts" is defined, the default policy will be to deny all
# traffic, and only allow the ports mentioned.
#
# If "ExcludePorts" is defined, the default policy will be to allow all
# traffic, except to the ports mentioned.
#
# If both are defined, ExcludePorts will be ignored, and the default policy
# will be to deny all traffic, allowing everything in IncludePorts, and
# issue a warning.
#
if [ "$IncludePorts" ]; then
if [ "$ExcludePorts" ]; then
echo "Warning: ExcludePorts and IncludePorts are both defined."
echo "Ignoring 'ExcludePorts'. Please check your nocat.conf."
fi
# Enable all ports in IncludePorts
for iface in $InternalDevice; do
for port in $IncludePorts; do
$ports -p tcp -i $iface --dport $port -m mark --mark 3 -j ACCEPT
$ports -p udp -i $iface --dport $port -m mark --mark 3 -j ACCEPT
done
# Always permit access to the GatewayPort (or we can't logout)
$ports -p tcp -i $iface --dport $GatewayPort -j ACCEPT
$ports -p udp -i $iface --dport $GatewayPort -j ACCEPT
# ...and disable access to the rest.
$ports -p tcp -i $iface -m mark --mark 3 -j DROP
$ports -p udp -i $iface -m mark --mark 3 -j DROP
done
elif [ "$ExcludePorts" ]; then
# If ExcludePorts has entries, simply deny access to them.
for iface in $InternalDevice; do
for port in $ExcludePorts; do
$ports -p tcp -i $iface --dport $port -m mark --mark 3 -j DROP
$ports -p udp -i $iface --dport $port -m mark --mark 3 -j DROP
done
done
fi
#
# Disable access on the external to GatewayPort from anything but the AuthServiceAddr
#
if [ "$AuthServiceAddr" ]; then
$fwd -i $ExternalDevice -s ! $AuthServiceAddr -p tcp --dport $GatewayPort -j DROP
fi
# Filter policy.
$fwd -j DROP
#
# Call the bandwidth throttle rules.
#
# Note: This feature is *highly* experimental.
#
# This functionality requires the 'tc' advanced router tool,
# part of the iproute2 package, available at:
#
ftp://ftp.inr.ac.ru/ip-routing/
#
# To use bandwidth throttling, edit the upload and download
# bandwidth thresholds at the top of the throttle.fw file,
# and make throttle.fw executable. Try something like this:
#
# chmod +x throttle.fw
#
[ -x throttle.fw ] && throttle.fw
##
# Add any other local firewall rules below.
##
##
# Uncomment the following to permit all 10/8 traffic *before* auth
##
#AllowedNetworks="10.0.0.0/8"
#
#for net in $AllowedNetworks; do
# iptables -t mangle -A PREROUTING -d $net -j MARK --set-mark 2
# iptables -t filter -A FORWARD -s $net -j ACCEPT
#done
#
# Ende
#
