Centos 6.8 32-bit
написал правила:
ethout="ens33"
ethin="ens34"
ipout="192.168.25.0/24"
ipin="10.11.12.0/24"
echo "*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
#bind
-A INPUT -j ACCEPT -p udp -m state --state NEW -m udp --dport 53
-A INPUT -j ACCEPT -p tcp -m state --state NEW -m tcp --dport 53
#httpd
-A INPUT -j ACCEPT -p tcp -m state --state NEW -m tcp -m multiport --dports 80,443
#ssh
-A INPUT -j ACCEPT -p tcp -m state --state NEW -m tcp --dport 22
#samba
-A INPUT -j ACCEPT -p udp -m state --state NEW -m udp -m multiport --dports 137,138,139,445
-A INPUT -j ACCEPT -p tcp -m state --state NEW -m tcp -m multiport --dports 137,138,139,445
-A INPUT -j REJECT --reject-with icmp-host-prohibited-A FORWARD -j ACCEPT -m state --state RELATED,ESTABLISHED
-A FORWARD -j DROP -m state --state INVALID
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
:PREROUTING ACCEPT [51336:9387500]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $ethin -p tcp -m multiport --dports 80 -j REDIRECT --to-port 80
-A PREROUTING -i $ethin -p udp -m multiport --dports 80 -j REDIRECT --to-port 80
-A PREROUTING -i $ethin -p tcp -m multiport --dports 443 -j REDIRECT --to-port 443
-A PREROUTING -i $ethin -p udp -m multiport --dports 443 -j REDIRECT --to-port 443
-A POSTROUTING -j MASQUERADE -o $ethout -s $ipin
COMMIT" > /etc/sysconfig/iptables
в /etc/sysconfig/iptables
использую скрипт для разрешения доступа:
if [ -z \"\$3\" ]
then
/sbin/iptables -I FORWARD 3 -i $ethin -o $ethout -s \$1 -j LOG --log-prefix \"login: \$2 \" -m state --state NEW
/sbin/iptables -I FORWARD 4 -i $ethin -o $ethout -s \$1 -j ACCEPT
/sbin/iptables -t nat -I PREROUTING 1 -i $ethin -s \$1 -j ACCEPT
else
/sbin/iptables -I FORWARD 3 -i $ethin -o $ethout -s \$1 -m mac --mac \$3 -j LOG --log-prefix \"login: \$2 \" -m state --state NEW
/sbin/iptables -I FORWARD 4 -i $ethin -o $ethout -s \$1 -m mac --mac \$3 -j ACCEPT
/sbin/iptables -t nat -I PREROUTING 1 -i $ethin -s \$1 -m mac --mac \$3 -j ACCEPT
fi
exit 0
пример: "allow.sh 10.11.12.109 user 30:f7:c5:4c:39:3c"
создал файл /etc/rsyslog.d/iptables.conf с правилом логов:
:msg, contains, "login: " -/var/log/iptables.log
'& ~'
и изменил шаблон лога /etc/rsyslog.conf
$template CustomFormat,"%$year% %TIMESTAMP:::date-utc% %HOSTNAME% %syslogtag%%msg%0\\n
MAC адрес не пишет в файл логов /var/log/iptables.log
пример:
2016 Sep 18 17:00:04 localhost kernel:login: user IN=eth1OUT=eth0 SRC=10.11.12.109 DST=169.45.214.236 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=61534 DF PROTO=TCP SPT=51611 DPT=5222 WINDOW=65535 RES=0x00 SYN URGP=0 0
на Centos 7 делал тоже самое, там все пишет норм:
2016 Aug 4 17:00:04 localhost kernel:login: user IN=ens34 OUT=ens33 MAC=00:50:56:94:05:3b:30:f7:c5:4c:39:3c:08:00 SRC=10.10.98.109 DST=169.45.214.236 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=61534 DF PROTO=TCP SPT=51611 DPT=5222 WINDOW=65535 RES=0x00 SYN URGP=0 0
Вариант для распечатки
