差分

このページの2つのバージョン間の差分を表示します。

--- mae3xx_tips:use_awall_instead_of_firewalld:start [2019/11/15 14:30] – admin
+++ mae3xx_tips:use_awall_instead_of_firewalld:start [2019/11/15 15:34] (現在) – [DNAT(Port Forwarding)] admin
@@ 行 42: / 行 42: @@
 \\
+===== 初期設定 =====
+設定ファイルは、''/etc/awall/[optional, private]'' にあります。
+<code>
+root@plum:/etc/awall# ls -lR
+.:
+total 0
+lrwxrwxrwx 1 root root 29 Nov 15 12:11 main.json -> /etc/awall/optional/main.json
+drwxr-xr-x 2 root root 32 Nov 15 14:01 optional
+drwxr-xr-x 2 root root 51 Nov 15 14:01 private
+./optional:
+total 1
+-rw-r--r-- 1 root root 72 Nov 15 14:01 main.json
+./private:
+total 2
+-rw-r--r-- 1 root root 549 Nov 15 13:18 base.json
+-rw-r--r-- 1 root root 202 Nov 15 14:01 filter.json
+</code>
+\\
+''base.json'' でインターフェース毎のゾーン設定、ゾーン毎の基本的なポリシー(ACCEPT, DROP など)を設定しています。
+<file json base.json>
+{
+    "description": "Base zones and policies",
+    "zone": {
+        "WAN": {
+            "iface": [
+                "ppp0",
+                "ppp1"
+            ]
+        },
+        "LAN": {
+            "iface": [
+                "eth0",
+                "eth1",
+                "br0",
+                "wg+"
+            ]
+        },
+        "Closed": {
+            "iface": [
+                "ppp500",
+                "ppp501",
+                "ppp502",
+                "ppp503"
+            ]
+        }
+    },
+    "policy": [
+        {
+            "in": "_fw",
+            "out": "WAN",
+            "action": "accept"
+        },
+        {
+            "in": "LAN",
+            "action": "accept"
+        },
+        {
+            "out": "LAN",
+            "action": "accept"
+        },
+        {
+            "in": "WAN",
+            "action": "drop"
+        },
+        {
+            "in": "Closed",
+            "action": "accept"
+        }
+    ],
+    "snat": [
+        {
+            "out": [
+                "WAN",
+                "Closed"
+            ]
+        }
+    ],
+    "clamp-mss": [
+        {
+            "out": [
+                "WAN",
+                "Closed"
+            ]
+        }
+    ]
+}
+</file>
+\\
+''filter.json'' で、ポリシーから外れる条件を記述しています。
+<file json filter.json>
+{
+    "description": "Filter",
+    "filter": [
+        {
+            "in": "WAN",
+            "out": "_fw",
+            "service": "ssh",
+            "action": "accept",
+            "conn-limit": {
+                "count": 3,
+                "interval": 20
+            }
+        }
+    ]
+}
+</file>
+\\
+===== 生成された iptables rule =====
+以上の設定から生成された iptables rule は次のようになります。
+<code>
+# Generated by iptables-save v1.6.1 on Fri Nov 15 14:51:36 2019
+*nat
+:PREROUTING ACCEPT [81:13188]
+:INPUT ACCEPT [81:13188]
+:OUTPUT ACCEPT [25:1862]
+:POSTROUTING ACCEPT [25:1862]
+:awall-masquerade - [0:0]
+-A POSTROUTING -o ppp0 -j MASQUERADE
+-A POSTROUTING -o ppp1 -j MASQUERADE
+-A POSTROUTING -o ppp500 -j MASQUERADE
+-A POSTROUTING -o ppp501 -j MASQUERADE
+-A POSTROUTING -o ppp502 -j MASQUERADE
+-A POSTROUTING -o ppp503 -j MASQUERADE
+-A POSTROUTING -m set --match-set awall-masquerade src -j awall-masquerade
+-A awall-masquerade -m set ! --match-set awall-masquerade dst -j MASQUERADE
+COMMIT
+# Completed on Fri Nov 15 14:51:36 2019
+# Generated by iptables-save v1.6.1 on Fri Nov 15 14:51:36 2019
+*mangle
+:PREROUTING ACCEPT [799:61223]
+:INPUT ACCEPT [799:61223]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [578:61713]
+:POSTROUTING ACCEPT [578:61713]
+-A POSTROUTING -o ppp0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+-A POSTROUTING -o ppp1 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+-A POSTROUTING -o ppp500 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+-A POSTROUTING -o ppp501 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+-A POSTROUTING -o ppp502 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+-A POSTROUTING -o ppp503 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+COMMIT
+# Completed on Fri Nov 15 14:51:36 2019
+# Generated by iptables-save v1.6.1 on Fri Nov 15 14:51:36 2019
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT DROP [0:0]
+:icmp-routing - [0:0]
+:limit-ssh-0 - [0:0]
+:logdrop-0 - [0:0]
+:logdrop-ssh-0 - [0:0]
+-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -i ppp0 -p tcp -m tcp --dport 22 -j limit-ssh-0
+-A INPUT -i ppp1 -p tcp -m tcp --dport 22 -j limit-ssh-0
+-A INPUT -p icmp -j icmp-routing
+-A INPUT -i eth0 -j ACCEPT
+-A INPUT -i eth1 -j ACCEPT
+-A INPUT -i br0 -j ACCEPT
+-A INPUT -i wg+ -j ACCEPT
+-A INPUT -i ppp0 -j logdrop-0
+-A INPUT -i ppp1 -j logdrop-0
+-A INPUT -i ppp500 -j ACCEPT
+-A INPUT -i ppp501 -j ACCEPT
+-A INPUT -i ppp502 -j ACCEPT
+-A INPUT -i ppp503 -j ACCEPT
+-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
+-A FORWARD -p icmp -j icmp-routing
+-A FORWARD -i eth0 -j ACCEPT
+-A FORWARD -i eth1 -j ACCEPT
+-A FORWARD -i br0 -j ACCEPT
+-A FORWARD -i wg+ -j ACCEPT
+-A FORWARD -o eth0 -j ACCEPT
+-A FORWARD -o eth1 -j ACCEPT
+-A FORWARD -o br0 -j ACCEPT
+-A FORWARD -o wg+ -j ACCEPT
+-A FORWARD -i ppp0 -j logdrop-0
+-A FORWARD -i ppp1 -j logdrop-0
+-A FORWARD -i ppp500 -j ACCEPT
+-A FORWARD -i ppp501 -j ACCEPT
+-A FORWARD -i ppp502 -j ACCEPT
+-A FORWARD -i ppp503 -j ACCEPT
+-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
+-A OUTPUT -o lo -j ACCEPT
+-A OUTPUT -p icmp -j icmp-routing
+-A OUTPUT -o ppp0 -j ACCEPT
+-A OUTPUT -o ppp1 -j ACCEPT
+-A OUTPUT -o eth0 -j ACCEPT
+-A OUTPUT -o eth1 -j ACCEPT
+-A OUTPUT -o br0 -j ACCEPT
+-A OUTPUT -o wg+ -j ACCEPT
+-A icmp-routing -p icmp -m icmp --icmp-type 3 -j ACCEPT
+-A icmp-routing -p icmp -m icmp --icmp-type 11 -j ACCEPT
+-A icmp-routing -p icmp -m icmp --icmp-type 12 -j ACCEPT
+-A limit-ssh-0 -m recent --update --seconds 20 --hitcount 3 --name limit-ssh-0 --mask 255.255.255.255 --rsource -j logdrop-ssh-0
+-A limit-ssh-0 -m recent --set --name limit-ssh-0 --mask 255.255.255.255 --rsource -j ACCEPT
+-A logdrop-0 -m limit --limit 1/sec -j LOG
+-A logdrop-0 -j DROP
+-A logdrop-ssh-0 -m limit --limit 1/sec -j LOG
+-A logdrop-ssh-0 -j DROP
+COMMIT
+# Completed on Fri Nov 15 14:51:36 2019
+</code>
+\\
+===== 設定例 =====
+==== DNAT(Port Forwarding) ====
+WAN 側から TCP/10080 に来たパケットを、LAN 内の 192.168.253.1:80 へ転送するルールを設定してみます。
+<file json private/dnat.json>
+{
+  "dnat": [
+    {
+      "in": "WAN",
+      "service": {
+        "proto": "tcp",
+        "port": "10080"
+      },
+      "to-addr": "192.168.253.1",
+      "to-port": 80
+    }
+  ]
+}
+</file>
+これを読み込むために、''optional/main.json'' を変更します。
+<file json optional/main.json>
+{
+  "description": "Main firewall",
+  "import": [
+    "base",
+    "filter",
+    "dnat"    # <--- 追加
+  ]
+}
+</file>
+\\
+awall を再設定します。
+<code>
+root@plum:~# awall activate -f
+Warning: firewall not enabled for inet6
+ipset creation failed: awall-masquerade
+</code>
+\\
+iptables のルールを確認すると、下記 **PREROUTING** エントリが追加されていることが確認できます。
+<code>
+*nat
+:PREROUTING ACCEPT [6:972]
+:INPUT ACCEPT [6:972]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:awall-masquerade - [0:0]
+-A PREROUTING -i ppp0 -p tcp -m tcp --dport 10080 -j DNAT --to-destination 192.168.253.1:80
+-A PREROUTING -i ppp1 -p tcp -m tcp --dport 10080 -j DNAT --to-destination 192.168.253.1:80
+... 以下略
+</code>

MA-X/MA-S/MA-E/IP-K Developers' WiKi

ユーザ用ツール

サイト用ツール

差分

ページ用ツール