Afficher/cacher Sommaire
NAT 2016-12-28T21.19.41
# Règles IPV4
# Pour permettre aux noeuds du LAN avec des adresses IP privées de communiquer avec les réseaux public externes, configurez le pare-feu pour le masquage d'IP, qui masque les requêtes provenant des noeuds du LAN avec l'adresse IP du périphérique externe du pare-feu (dans ce cas, eth0) :
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE -m comment --comment "Use VPN IP ipv4 for eth0"
iptables -A FORWARD -s 10.8.0.0/24 -i wlan0 -o eth0 -m conntrack --ctstate NEW -j REJECT -m comment --comment "Block traffic ipv4 from clients to eth0"
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE -m comment --comment "Use VPN IP ipv4 for tun0"
iptables -A FORWARD -s 10.8.0.0/24 -i wlan0 -o tun0 -m conntrack --ctstate NEW -j ACCEPT -m comment --comment "Allow only traffic ipv4 from wlan0 clients to tun0"
iptables -A FORWARD -s 192.168.0.0/24 -i eth0 -o tun0 -m conntrack --ctstate NEW -j ACCEPT -m comment --comment "Allow only traffic ipv4 from eth0 clients to tun0"
# Règles IPV6
ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE -m comment --comment "Use VPN IP ipv6 for eth0"
ip6tables -A FORWARD -s 2001:db8:cada::/64 -i wlan0 -o eth0 -m conntrack --ctstate NEW -j REJECT -m comment --comment "Block traffic ipv6 from clients to eth0"
-
ip6tables -t nat -A POSTROUTING -o tun0 -j MASQUERADE -m comment --comment "Use VPN IP ipv6 for tun0"
ip6tables -A FORWARD -s 2001:db8:cada::/64 -i wlan0 -o tun0 -m conntrack --ctstate NEW -j ACCEPT -m comment --comment "Allow only traffic ipv6 from wlan0 clients to tun0"
ip6tables -A FORWARD -s 2a01:e34:ee6a:b270:c2:9ff:fe40:f22b/64 -i eth0 -o tun0 -m conntrack --ctstate NEW -j ACCEPT -m comment --comment "Allow only traffic ipv6 from eth0 clients to tun0"
démarrer le point d’accès
Exécuter les commandes suivantes pour démarrer le point d’accès:
sudo systemctl restart hostapd
sudo systemctl restart isc-dhcp-server
Il faut que les deux interfaces eth0 et wlan0 communiquent, pour cela on va créer les règles iptables suivantes:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT
ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
ip6tables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A FORWARD -i wlan0 -o eth0 -j ACCEPT
Par ailleurs il faut faire passer les paquets par le vpn:
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
iptables -A FORWARD -o tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -j ACCEPT
ip6tables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
ip6tables -A FORWARD -o tun0 -j ACCEPT
ip6tables -A FORWARD -i tun0 -j ACCEPT
- Pour information , les règles sauvegardées
Règles IPV6
/etc/openvpn/iptables.ipv6.nat
# Generated by ip6tables-save v1.4.21 on Tue Dec 27 20:12:22 2016
*filter
:INPUT ACCEPT [1462:138332]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [74:5720]
-A FORWARD -s 2001:db8:cada::/64 -i wlan0 -o eth0 -m conntrack --ctstate NEW -m comment --comment "Block traffic ipv6 from clients to eth0" -j REJECT --reject-with icmp6-port-unreachable
-A FORWARD -s 2001:db8:cada::/64 -i wlan0 -o tun0 -m conntrack --ctstate NEW -m comment --comment "Allow only traffic ipv6 from wlan0 clients to tun0" -j ACCEPT
# -A FORWARD -s 2a01:e34:ee6a:b270::/64 -i eth0 -o tun0 -m conntrack --ctstate NEW -m comment --comment "Allow only traffic ipv6 from eth0 clients to tun0" -j ACCEPT
COMMIT
# Completed on Tue Dec 27 20:12:22 2016
# Generated by ip6tables-save v1.4.21 on Tue Dec 27 20:12:22 2016
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [9:711]
:POSTROUTING ACCEPT [0:0]
# -A POSTROUTING -o eth0 -m comment --comment "Use VPN IP ipv6 for eth0" -j MASQUERADE
-A POSTROUTING -o tun0 -m comment --comment "Use VPN IP ipv6 for tun0" -j MASQUERADE
COMMIT
# Completed on Tue Dec 27 20:12:22 2016
Règles IPV4
/etc/openvpn/iptables.ipv4.nat
# Generated by iptables-save v1.4.21 on Tue Dec 27 20:12:13 2016
*filter
:INPUT ACCEPT [1475:288033]
:FORWARD ACCEPT [859:195723]
:OUTPUT ACCEPT [1715:267328]
-A FORWARD -s 10.8.0.0/24 -i wlan0 -o eth0 -m conntrack --ctstate NEW -m comment --comment "Block traffic ipv4 from clients to eth0" -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 10.8.0.0/24 -i wlan0 -o tun0 -m conntrack --ctstate NEW -m comment --comment "Allow only traffic ipv4 from wlan0 clients to tun0" -j ACCEPT
# -A FORWARD -s 192.168.0.0/24 -i eth0 -o tun0 -m conntrack --ctstate NEW -m comment --comment "Allow only traffic ipv4 from eth0 clients to tun0" -j ACCEPT
COMMIT
# Completed on Tue Dec 27 20:12:13 2016
# Generated by iptables-save v1.4.21 on Tue Dec 27 20:12:13 2016
*nat
:PREROUTING ACCEPT [36:3145]
:INPUT ACCEPT [5:1258]
:OUTPUT ACCEPT [2:157]
:POSTROUTING ACCEPT [1:48]
# -A POSTROUTING -o eth0 -m comment --comment "Use VPN IP ipv4 for eth0" -j MASQUERADE
-A POSTROUTING -o tun0 -m comment --comment "Use VPN IP ipv4 for tun0" -j MASQUERADE
COMMIT
# Completed on Tue Dec 27 20:12:13 2016
démarrer le point d’accès
Exécuter les commandes suivantes pour démarrer le point d’accès:
sudo systemctl restart hostapd
sudo systemctl restart isc-dhcp-server
Valider dhcp et hostapd
sudo systemctl enable isc-dhcp-server
sudo systemctl enable hostapd
Vous hébergez un hotspot sans fil.
Nginx+Php
PirateBox
https://github.com/jvaubourg/php-piratebox.git
Les régles iptables
Création fichier des règles
sudo nano /etc/iptables.up.rules
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
Liens
PRÉCÉDENTMysql_timestamp_2016-11-21T15.39.58
SUIVANTNetworkManager-dispatcher