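#!/bin/sh
### BEGIN INIT INFO
# Provides:          ipt-firewall
# Required-Start:    $local_fs $remote_fs $syslog $network
# Required-Stop:     $local_fs $remote_fs $syslog $network
# Should-Start:
# Should-Stop:
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: IPv4 Firewall
### END INIT INFO
#
# IPv4 packet filter and NAT setup for a small gateway (init script).
#
# Usage: ipt-firewall [start|stop]
#   "stop" (any argument beginning with "sto") resets the tables to the
#   minimal state built in the first part of this script — all policies
#   ACCEPT, chains flushed, masquerading, IP forwarding and the few
#   anti-spoofing/flag drops still active — and exits.
#   Anything else loads the full service rule set.
#
# Structure:
#   1. interface and address variables
#   2. conntrack modules and /proc/sys/net/ipv4 hardening
#   3. policies, flush, masquerading, MSS clamping (run on stop as well)
#   4. early drops: non-SYN NEW, bogus flag combinations, private sources
#   5. service rules, terminated by catch-all DROP rules in every chain
#
# Rules are fed to $ipt through here-documents: every line beginning with
# "-" is passed to iptables, everything else (comments, blank lines) is
# ignored. iptables evaluates rules in append order, so the position of a
# rule within a chain matters.
#
# NOTE(review): the chains keep policy ACCEPT and the catch-all DROP rules
# are appended last, so if this script aborts half-way the host is left
# open rather than closed. The "stop" path relies on that; if fail-closed
# is wanted, the policies would have to become DROP and "stop" would have
# to reset them explicitly.

ipt="/sbin/iptables"

## - local interfaces
## -
local_if_1="eth1+"
wlan_if="eth2+"
vdsl_if="eth0"
vdsl_modem_ip="192.168.16.250"

## - external interfaces
ext_if="ppp+"
#ext_if="eth0"
vpn_if="tun+"

## - special hosts
drucker_brother_5890_ip="192.168.52.179"

## - UPS (APC PowerChute), see the PowerChute section below
usv_ip=192.168.52.15/32

# unprivileged ports
unprivports="1024:65535"

loopback="127.0.0.0/8"
priv_class_a="10.0.0.0/8"
priv_class_b="172.16.0.0/12"
priv_class_c="192.168.0.0/16"

# Load modules for FTP connection tracking and NAT.
# Output is discarded on purpose: on kernels where these legacy module
# names no longer exist the equivalents are usually built in or autoloaded.
modprobe ip_conntrack > /dev/null 2>&1
modprobe ip_nat_ftp > /dev/null 2>&1
modprobe ip_conntrack_ftp > /dev/null 2>&1
modprobe iptable_nat > /dev/null 2>&1

## - enable IP forwarding
## -
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 5 > /proc/sys/net/ipv4/ip_dynaddr

## - reduce DoS exposure by reducing timeouts
## -
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 1 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack
echo 1280 > /proc/sys/net/ipv4/tcp_max_syn_backlog

## - SYN cookies
## -
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

## - ignore forged ICMP error responses
## -
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

## - ignore broadcast pings
## -
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

## - NO SOURCE ROUTE
## -
## - disable source-routed packets (on every interface)
## -
for asr in /proc/sys/net/ipv4/conf/*/accept_source_route; do
  echo 0 > "$asr"
done

## - do not accept ICMP redirects.
## -
## - They can be used to alter the routing table, possibly with
## - malicious intent.
## -
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects

## - ANTISPOOFING
## -
## - Enable reverse path filtering. Packets whose source address does not
## - match the interface they arrive on are rejected automatically, which
## - prevents IP spoofing. It has to be enabled for every
## - net/ipv4/conf/* entry, otherwise source validation is incomplete.
## -
for rp_filter in /proc/sys/net/ipv4/conf/*/rp_filter; do
  echo 1 > "$rp_filter"
done

## - NUMBER OF CONNECTIONS TO TRACK
## -
## - NOTE(review): this path belongs to the legacy ip_conntrack module; on
## - nf_conntrack kernels the knob is /proc/sys/net/netfilter/nf_conntrack_max
## - and this write fails silently — confirm on the target kernel.
echo "65535" > /proc/sys/net/ipv4/netfilter/ip_conntrack_max

## - log packets that are spoofed, source-routed or redirected
## -
#echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

## - Reset to the base state: policies, flush, masquerading, MSS clamping.
## - Also executed on "stop" (see the exit below).
## -
## - Only lines starting with "-" reach iptables. Continuation lines ending
## - in "\" are joined by the (unquoted) here-document itself, so read -r is
## - safe. $p is deliberately unquoted so it splits into iptables arguments.
while read -r p; do
  case $p in
    # shellcheck disable=SC2086
    -*) $ipt $p ;;
  esac
done << EOR
## - default policies
## -
-P INPUT ACCEPT
-P OUTPUT ACCEPT
#-P FORWARD DROP
-P FORWARD ACCEPT
## - flush chains
## -
-F
-F INPUT
-F OUTPUT
-F FORWARD
-F -t mangle
-F -t nat
-X
-Z
-t nat -A POSTROUTING -o $ext_if -j MASQUERADE
#-t nat -A POSTROUTING -o eth0 -j MASQUERADE
#-t nat -A POSTROUTING -o $wlan_if -j MASQUERADE
-I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
EOR

## - owncloud on the local network
## -
## - NOTE(review): the PREROUTING DNAT below has no -i restriction, so
## - port 8443 is redirected on every interface, including $ext_if — confirm.
$ipt -A FORWARD -i "$wlan_if" -p all -d 192.168.43.10 -j ACCEPT
$ipt -A FORWARD -i "$local_if_1" -p all -d 192.168.43.10 -j ACCEPT
$ipt -t nat -A PREROUTING -p tcp --syn \
  --dport 8443 -j DNAT --to 192.168.43.10:443
$ipt -t filter -A FORWARD -p tcp --dport 443 -d 192.168.43.10 \
  -o "$local_if_1" -j ACCEPT
## -
## - end: owncloud on the local network

## - Protection against SYN flooding
## -
## - chain that DROPs too many SYNs (currently disabled)
## -
#$ipt -N syn-flood
#$ipt -A syn-flood -m limit --limit 100/second --limit-burst 150 -j RETURN
#$ipt -A syn-flood -m limit --limit 1/second --limit-burst 3 -j RETURN
#$ipt -A syn-flood -j LOG --log-prefix "SYN flood: " --log-level debug
#$ipt -A syn-flood -j DROP

## - drop NEW packets without the SYN flag
## -
## - (logging variants kept for debugging)
## -
#$ipt -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New but not SYN: " --log-level debug
#$ipt -A OUTPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New but not SYN: " --log-level debug
#$ipt -A FORWARD -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New but not SYN: " --log-level debug
$ipt -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
$ipt -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP
$ipt -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP

## - drop INVALID packets (currently disabled)
## -
#$ipt -A INPUT -m state --state INVALID -j LOG --log-prefix "Invalid state: " --log-level debug
#$ipt -A INPUT -m state --state INVALID -j DROP

## - drop unusual flag combinations on the external interface
## -
## - These rules used to be hard-coded to eth0, the former external
## - interface (see the commented ext_if="eth0" above); eth0 is now the
## - VDSL modem link, so they are bound to $ext_if like every other rule.
#$ipt -A INPUT -i $ext_if -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j LOG --log-prefix "Invalid flasg: " --log-level debug
#$ipt -A INPUT -i $ext_if -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "Invalid flasg: " --log-level debug
#$ipt -A INPUT -i $ext_if -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "Invalid flasg: " --log-level debug
$ipt -A INPUT -i "$ext_if" -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
$ipt -A INPUT -i "$ext_if" -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$ipt -A INPUT -i "$ext_if" -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

## - drop private source addresses on the external interface
## -
## - (192.168.0.0/16 is intentionally not dropped inbound — presumably
## - because such addresses are expected on the link; confirm.)
#$ipt -A INPUT -i $ext_if -s $priv_class_a -j LOG --log-prefix "Private address: " --log-level debug
#$ipt -A INPUT -i $ext_if -s $priv_class_b -j LOG --log-prefix "Private address: " --log-level debug
#$ipt -A INPUT -i $ext_if -s $priv_class_c -j LOG --log-prefix "Private address: " --log-level debug
#$ipt -A INPUT -i $ext_if -s $loopback -j LOG --log-prefix "Private address: " --log-level debug
#$ipt -A OUTPUT -o $ext_if -s $priv_class_a -j LOG --log-prefix "Private address: " --log-level debug
#$ipt -A OUTPUT -o $ext_if -s $priv_class_b -j LOG --log-prefix "Private address: " --log-level debug
#$ipt -A OUTPUT -o $ext_if -s $priv_class_c -j LOG --log-prefix "Private address: " --log-level debug
#$ipt -A OUTPUT -o $ext_if -s $loopback -j LOG --log-prefix "Private address: " --log-level debug
$ipt -A INPUT -i "$ext_if" -s "$priv_class_a" -j DROP
$ipt -A INPUT -i "$ext_if" -s "$priv_class_b" -j DROP
#$ipt -A INPUT -i $ext_if -s $priv_class_c -j DROP
#$ipt -A INPUT -i $ext_if -s $loopback -j DROP
$ipt -A OUTPUT -o "$ext_if" -s "$priv_class_a" -j DROP
$ipt -A OUTPUT -o "$ext_if" -s "$priv_class_b" -j DROP
#$ipt -A OUTPUT -o $ext_if -s $priv_class_c -j DROP
$ipt -A OUTPUT -o "$ext_if" -s "$loopback" -j DROP

# - Telekom VDSL - rules for IPTV (disabled)
# -
#$ipt -I FORWARD -s 217.0.119.0/24 -d 224.0.0.0/4 -j ACCEPT
#$ipt -I FORWARD -s 193.158.35.0/24 -d 224.0.0.0/4 -j ACCEPT
#$ipt -I FORWARD -s 239.35.0.0/16 -d 224.0.0.0/4 -j ACCEPT
#$ipt -I INPUT -d 224.0.0.0/4 -j ACCEPT
#$ipt -I FORWARD -d 224.0.0.0/4 -j ACCEPT
#$ipt -I OUTPUT -d 224.0.0.0/4 -j ACCEPT

## - "stop": keep the base state built above and exit here.
## - Note that forwarding and masquerading stay enabled.
## -
case "${1-}" in
  sto*) exit 0 ;;
esac

echo "Starting firewall iptables (IpV4).."

## - Full service rule set. Same feeding mechanism as above: only lines
## - starting with "-" are passed to iptables, "\"-continued lines are
## - joined by the here-document, $r is unquoted on purpose.
while read -r r; do
  case $r in
    # shellcheck disable=SC2086
    -*) $ipt $r ;;
  esac
done << EOR
# ---------- Allnet VDSL2 Client Modem ALL126AS2 -------------
#
# make the Allnet VDSL modem reachable from the LAN
# ip address: 192.168.16.250
#
# prerequisites:
# - on gateway: ifconfig eth1 192.168.16.254
#   (NOTE(review): this says eth1 while $vdsl_if is eth0 — confirm)
# - NAT for 192.168.16.0/24
#
-t nat -A POSTROUTING -o $vdsl_if -j MASQUERADE
#
# -- allow from the local network
-A FORWARD -i $local_if_1 -d $vdsl_modem_ip -p ALL -m state --state NEW -j ACCEPT
#
# -- allow from the VPN
-A FORWARD -i $vpn_if -d $vdsl_modem_ip -p ALL -m state --state NEW -j ACCEPT
#
# ------- end: Allnet VDSL2 Client Modem ALL126AS2 ----------
# ----------
# --- SSH (SVN) from php5.warenform.de (disabled) --
#
#-A FORWARD -i eth1 -o eth2 -s 46.4.129.3 -d 192.168.52.35 -j ACCEPT
#-A FORWARD -i eth2 -o eth1 -s 192.168.52.35 -j ACCEPT
# --- SSH (SVN) from the "junge welt" server (disabled) ---
#
#-A FORWARD -i eth1 -o eth2 -s 193.96.188.0/24 -d 192.168.52.35 -j ACCEPT
#-A FORWARD -i eth2 -o eth1 -s 192.168.52.35 -j ACCEPT
# --- SSH (SVN) from nd.warenform.de (disabled) ---
#
#-A FORWARD -i eth1 -o eth2 -s 46.4.78.56 -d 192.168.52.35 -j ACCEPT
#-A FORWARD -i eth2 -o eth1 -s 192.168.52.35 -j ACCEPT
# ------------- loopback device -------------
# everything allowed
#
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
#
# ---------- end: loopback device ----------
# ---------- all requests from the internal networks to the outside -------------
#
-A FORWARD -i $wlan_if -o $ext_if -p ALL -m state --state NEW -j ACCEPT
-A FORWARD -i $local_if_1 -o $ext_if -p all -m state --state NEW -j ACCEPT
#
# ---------- end: all requests from the internal networks to the outside ----------
# ------------- printer Brother 5890 -------------
#
# (no dedicated rules; see "between local networks" below)
#
# ------------- end: printer Brother 5890 -------------
# ------------- between local networks -------------
#
# allow access from the local network into the WLAN network
-A FORWARD -i $local_if_1 -o $wlan_if -p ALL -m state --state NEW -j ACCEPT
#
#
# allow access from the WLAN network to the printer
-A FORWARD -i $wlan_if -o $local_if_1 -d $drucker_brother_5890_ip -j ACCEPT
#
# deny access from the WLAN network into the local network
-A FORWARD -i $wlan_if -o $local_if_1 -p ALL -m state --state NEW -j DROP
#
# - needed because sometimes other networks are temporarily added to the interface
#
-A FORWARD -i $local_if_1 -o $local_if_1 -p ALL -m state --state NEW -j ACCEPT
#
# full access from the router into the WLAN network
-A OUTPUT -o $wlan_if -j ACCEPT
#
# ---------- end: between local networks ----------
# ------------- established connections -------------
# let already established connections through
#
# -- in --
#
-A INPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# -- out --
#
-A OUTPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# -- forward --
#
-A FORWARD -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# ---------- end: established connections -----------
# ------------- general rejects -------------
# new requests without the SYN flag
# (already appended before the "stop" check above; harmless duplicate)
#
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
-A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP
-A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
#
# incoming Windows name service / SMB noise
#
-A INPUT -p udp -i $ext_if --dport 137:139 -j DROP
-A INPUT -p tcp -i $ext_if --dport 137:139 -j DROP
-A INPUT -p tcp -i $ext_if --dport 445 -j DROP
#
-A INPUT -p udp -i $local_if_1 --dport 137:139 -j DROP
-A INPUT -p tcp -i $local_if_1 --dport 137:139 -j DROP
-A INPUT -p tcp -i $local_if_1 --dport 445 -j DROP
#
-A INPUT -p udp -i $wlan_if --dport 137:139 -j DROP
-A INPUT -p tcp -i $wlan_if --dport 137:139 -j DROP
-A INPUT -p tcp -i $wlan_if --dport 445 -j DROP
#
# authentication tap / ident — reject with RST so mail servers do not wait
#
-A INPUT -p tcp -i $ext_if --dport 113 -j REJECT --reject-with tcp-reset
#
#
# Location Service (RPC endpoint mapper)
#
-A INPUT -p tcp -i $ext_if --dport 135 -j DROP
-A INPUT -p udp -i $ext_if --dport 135 -j DROP
#
# ---------- end: general rejects -------------
#############################################################
# ----------------- VPN configuration ------------------
#
# -- initial via internet
#
-A INPUT -p udp -i $ext_if --dport 1194 -m state --state NEW -j ACCEPT
-A INPUT -p udp -i $ext_if --dport 1195 -m state --state NEW -j ACCEPT
#
# -- initial via lan1
-A INPUT -p udp -i $local_if_1 --dport 1194 -m state --state NEW -j ACCEPT
#
# -- initial via lan2 (WLAN)
-A INPUT -p udp -i $wlan_if --dport 1194 -m state --state NEW -j ACCEPT
#
# outgoing requests
#
-A OUTPUT -o $ext_if -p udp --dport 1194 -m state --state NEW -j ACCEPT
#
# forward
#
-A FORWARD -o $ext_if -p udp --dport 1194 -m state --state NEW -j ACCEPT
#
# -- allow/route everything over the VPN device
#
-A INPUT -i $vpn_if -j ACCEPT
-A OUTPUT -o $vpn_if -j ACCEPT
-A FORWARD -i $vpn_if -j ACCEPT
-A FORWARD -o $vpn_if -j ACCEPT
# ------------ end: VPN configuration --------------------
#
#############################################################
# ------------- PowerChute Shutdown APC -------------
# (UPS address taken from $usv_ip instead of repeating it literally)
#
-A INPUT -p ALL -i $local_if_1 -s $usv_ip -j ACCEPT
-A OUTPUT -p ALL -o $local_if_1 -d $usv_ip -j ACCEPT
#
#-A INPUT -i $local_if_1 -p tcp --dport 3052 -m state --state NEW -j ACCEPT
#-A INPUT -i $local_if_1 -p udp --dport 3052 -m state --state NEW -j ACCEPT
#-A INPUT -i $local_if_1 -p tcp --dport 6547 -m state --state NEW -j ACCEPT
#
-A OUTPUT -o $local_if_1 -p tcp --dport 80 -m state --state NEW -j ACCEPT
#
#
# ---------- end: PowerChute Shutdown APC -----------
# ------------- DNS -------------
#
# nameserver
#
# -- in --
#
-A INPUT -i $local_if_1 -p udp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -i $local_if_1 -p tcp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -i $wlan_if -p udp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -i $wlan_if -p tcp --dport 53 -m state --state NEW -j ACCEPT
#
# -- out --
#
-A OUTPUT -o $ext_if -p udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -o $ext_if -p tcp --dport 53 -m state --state NEW -j ACCEPT
#
# -- forward --
#
-A FORWARD -o $ext_if -p udp --dport 53 -m state --state NEW -j ACCEPT
-A FORWARD -o $ext_if -p tcp --dport 53 -m state --state NEW -j ACCEPT
#
# ---------- end: DNS -----------
# ------------- SSH -------------
# incoming requests (port 22 on the gateway is reachable from the internet)
#
-A INPUT -i $ext_if -p tcp --syn --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i $local_if_1 -p tcp --syn --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i $wlan_if -p tcp --syn --dport 22 -m state --state NEW -j ACCEPT
#
# outgoing requests
#
-A OUTPUT -o $ext_if -p tcp --syn --dport 22 -m state --state NEW -j ACCEPT
-A OUTPUT -o $local_if_1 -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A OUTPUT -o $wlan_if -p tcp --dport 22 -m state --state NEW -j ACCEPT
#
# NOTE(review): the -o $local_if_1 / -o $wlan_if rules have no -i match,
# so forwarded SSH from any interface (including $ext_if) to any local host
# is accepted here; the per-host filter rules in the port-forwarding
# section are then redundant — confirm this is intended.
-A FORWARD -o $ext_if -p tcp --syn --dport 22 -m state --state NEW -j ACCEPT
-A FORWARD -o $local_if_1 -p tcp --syn --dport 22 -m state --state NEW -j ACCEPT
-A FORWARD -o $wlan_if -p tcp --syn --dport 22 -m state --state NEW -j ACCEPT
#
# ---------- end: SSH ------------
# ------------- DHCP -------------
# incoming requests
#
-A INPUT -p udp -i $local_if_1 -s 0/0 --sport 68 -d 255.255.255.255 --dport 67 -j ACCEPT
-A INPUT -p udp -i $wlan_if -s 0/0 --sport 68 -d 255.255.255.255 --dport 67 -j ACCEPT
#
# outgoing replies
#
-A OUTPUT -p udp -o $local_if_1 --sport 67 -d 0/0 --dport 68 -j ACCEPT
-A OUTPUT -p udp -o $wlan_if --sport 67 -d 0/0 --dport 68 -j ACCEPT
#
# ---------- end: DHCP ------------
# ------------- MAIL -------------
# accept outgoing SMTP connections from the gateway
#
-A OUTPUT -p tcp -o $ext_if --dport 25 -m state --state NEW -j ACCEPT
#
# otherwise forward only
#
# smtp
-A FORWARD -p tcp --syn -o $ext_if --dport 25 -m state --state NEW -j ACCEPT
-A FORWARD -p tcp --syn -o $ext_if --dport 587 -m state --state NEW -j ACCEPT
#
# smtps
-A FORWARD -p tcp --syn -o $ext_if --dport 465 -m state --state NEW -j ACCEPT
#
# pop
-A FORWARD -p tcp --syn -o $ext_if --dport 110 -m state --state NEW -j ACCEPT
#
# pop/ssl
-A FORWARD -p tcp --syn -o $ext_if --dport 995 -m state --state NEW -j ACCEPT
#
# imap
-A FORWARD -p tcp --syn -o $ext_if --dport 143 -m state --state NEW -j ACCEPT
#
# imap/ssl
-A FORWARD -p tcp --syn -o $ext_if --dport 993 -m state --state NEW -j ACCEPT
#
# ---------- end: MAIL -----------
# ------------- HTTP -------------
# accept outgoing connections from the gateway
# ( clamav/freshclam updates, dyndns )
#
-A OUTPUT -p tcp --syn -o $ext_if --dport 80 -m state --state NEW -j ACCEPT
#
# otherwise forward only
#
-A FORWARD -p tcp --syn -o $ext_if --dport 80 -m state --state NEW -j ACCEPT
-A FORWARD -p tcp --syn -o $ext_if --dport 443 -m state --state NEW -j ACCEPT
#
-A FORWARD -p tcp --syn -o $ext_if --dport 8000:8180 -m state --state NEW -j ACCEPT
-A FORWARD -p tcp --syn -o $ext_if --dport 8443 -m state --state NEW -j ACCEPT
#
# ---------- end: HTTP -----------
# ------------- FTP -------------
#
# ftp ( local client, remote ftp server )
#
# (active data channel)
# NOTE(review): this trusts the remote source port 20 for NEW connections.
# With ip_conntrack_ftp loaded the ESTABLISHED,RELATED rules above already
# cover active-mode data channels, so these two rules may be unnecessary.
-A INPUT -i $ext_if -p tcp --sport 20 -m state --state NEW -j ACCEPT
-A FORWARD -i $ext_if -p tcp --sport 20 -m state --state NEW -j ACCEPT
#
# (passive data channel)
-A OUTPUT -o $ext_if -p tcp --sport $unprivports --dport $unprivports -m state --state NEW -j ACCEPT
-A FORWARD -o $ext_if -p tcp --sport $unprivports --dport $unprivports -m state --state NEW -j ACCEPT
#
# (control connection)
-A OUTPUT -o $ext_if -p tcp --dport 21 -m state --state NEW -j ACCEPT
-A FORWARD -o $ext_if -p tcp --dport 21 -m state --state NEW -j ACCEPT
#
# ftp (server) — disabled
#
# data channel (active mode)
#-A OUTPUT -o $ext_if -p tcp --sport 20 -m state --state NEW -j ACCEPT
#
# data channel (passive mode)
#-A INPUT -i $ext_if -p tcp --dport $unprivports --sport $unprivports -m state --state NEW -j ACCEPT
#
# - control connection
#-A INPUT -i $ext_if -p tcp --dport 21 --sport $unprivports -m state --state NEW -j ACCEPT
#
# ftp-tls ? ( original author: "no idea why" )
#
# NOTE(review): the OUTPUT rule matches every new outbound TCP connection
# from the gateway with an unprivileged source port, whatever the
# destination port — it makes the per-port OUTPUT rules in this file
# redundant. Confirm it is still needed.
-A OUTPUT -p tcp --sport $unprivports -o $ext_if -m state --state NEW -j ACCEPT
-A FORWARD -p tcp --sport $unprivports -i $ext_if -o $ext_if -m state --state NEW -j ACCEPT
#
# ---------- end: FTP -----------
# ------------- NTP -------------
# (network time protocol)
#
# in (note: matches on the *source* port 123, not the destination port)
#
-A INPUT -i $local_if_1 -p udp --sport 123 -m state --state NEW -j ACCEPT
-A INPUT -i $wlan_if -p udp --sport 123 -m state --state NEW -j ACCEPT
#
# out
#
-A OUTPUT -o $ext_if -p udp --dport 123 -m state --state NEW -j ACCEPT
#
# forward
#
-A FORWARD -o $ext_if -p udp --dport 123 -m state --state NEW -j ACCEPT
#
# ---------- end: NTP -----------
# ------------- pgp keyserver -------------
#
#
-A OUTPUT -p tcp -o $ext_if --dport 11371 -m state --state NEW -j ACCEPT
-A FORWARD -p tcp -o $ext_if --dport 11371 -m state --state NEW -j ACCEPT
#
# ---------- end: pgp keyserver ------------
# ------------- ldap / (e.g. some pgp keyservers) -------------
#
# forward -- outbound requests only
#
-A FORWARD -p tcp --syn -o $ext_if --dport 389 -m state --state NEW -j ACCEPT
-A FORWARD -p udp -o $ext_if --dport 389 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp --syn -o $ext_if --dport 389 -m state --state NEW -j ACCEPT
-A OUTPUT -p udp -o $ext_if --dport 389 -m state --state NEW -j ACCEPT
#
# ldaps  LDAP over SSL
#
-A FORWARD -p tcp --syn -o $ext_if --dport 636 -m state --state NEW -j ACCEPT
-A FORWARD -p udp -o $ext_if --dport 636 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp --syn -o $ext_if --dport 636 -m state --state NEW -j ACCEPT
-A OUTPUT -p udp -o $ext_if --dport 636 -m state --state NEW -j ACCEPT
#
# ---------- end: ldap ------------
# ------------- news server nntp -------------
#
# forward -- outbound requests only
#
-A FORWARD -p tcp --syn -o $ext_if --dport 119 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp --syn -o $ext_if --dport 119 -m state --state NEW -j ACCEPT
#
# ---------- end: news server nntp ------------
# ------------- Whois -------------
# outbound requests and forward only
#
#
-A OUTPUT -o $ext_if -p tcp --dport 43 -m state --state NEW -j ACCEPT
-A FORWARD -o $ext_if -p tcp --dport 43 -m state --state NEW -j ACCEPT
#
# ---------- end: Whois -----------
# ------------- CPAN Wait - Server -------------
# outbound requests and forward only
#
#
-A OUTPUT -o $ext_if -p tcp --dport 1404 -m state --state NEW -j ACCEPT
-A FORWARD -o $ext_if -p tcp --dport 1404 -m state --state NEW -j ACCEPT
#
# ---------- end: CPAN Wait - Server -----------
# ------------- CVS -------------
# outbound requests and forward (plus inbound forward on udp/tcp 2401)
#
-A OUTPUT -o $ext_if -p udp --dport 2401 -m state --state NEW -j ACCEPT
-A FORWARD -o $ext_if -p udp --dport 2401 -m state --state NEW -j ACCEPT
-A FORWARD -i $ext_if -p udp --dport 2401 -m state --state NEW -j ACCEPT
#
# and because it sometimes runs over TCP as well
#
-A OUTPUT -o $ext_if -p tcp --dport 2401 -m state --state NEW -j ACCEPT
-A FORWARD -o $ext_if -p tcp --dport 2401 -m state --state NEW -j ACCEPT
-A FORWARD -i $ext_if -p tcp --dport 2401 -m state --state NEW -j ACCEPT
#
# ---------- end: CVS -----------
# ------------- ICP (icpcon raid-control util) — disabled -------------
#
# incoming requests
#
#-A INPUT -p tcp --syn -i $ext_if --dport 11798 -m state --state NEW -j ACCEPT
#
# outgoing requests
#
#-A OUTPUT -p tcp -o $ext_if --dport 11798 -m state --state NEW -j ACCEPT
#-A FORWARD -p tcp -o $ext_if --dport 11798 -m state --state NEW -j ACCEPT
#
# ---------- end: ICP (icpcon raid-control util) ----------
# ------------- Chat -------------
# --- silc ---
#
# forward and outbound requests
#
-A FORWARD -p tcp --syn -o $ext_if --dport 706 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp --syn -o $ext_if --dport 706 -m state --state NEW -j ACCEPT
#
# --- irc ---
#
# forward and outbound requests
#
-A FORWARD -p tcp --syn -o $ext_if --dport 194 -m state --state NEW -j ACCEPT
-A FORWARD -p udp -o $ext_if --dport 194 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp --syn -o $ext_if --dport 194 -m state --state NEW -j ACCEPT
-A OUTPUT -p udp -o $ext_if --dport 194 -m state --state NEW -j ACCEPT
#
# --- jabber ---
#
-A FORWARD -p tcp --syn -o $ext_if --dport 5222 -m state --state NEW -j ACCEPT
-A FORWARD -p tcp --syn -o $ext_if --dport 5223 -m state --state NEW -j ACCEPT
#
# ---------- end: chat ------------
# ------------- HBCI -------------
# hbci - port 3000/tcp
#
-A FORWARD -o $ext_if -p tcp --syn --dport 3000 -m state --state NEW -j ACCEPT
#
# ---------- end: HBCI -----------
# ------------- Hylafax (port 4559) -------------
# incoming connections to the Hylafax server
#
-A INPUT -i $local_if_1 -p tcp --dport 4559 -m state --state NEW -j ACCEPT
-A INPUT -i $wlan_if -p tcp --dport 4559 -m state --state NEW -j ACCEPT
#
# ---------- end: Hylafax -----------
# ------------- CUPS -------------
# (cups printing system)
#
-A FORWARD -i $local_if_1 -p tcp --dport 631 -m state --state NEW -j ACCEPT
-A FORWARD -i $wlan_if -p tcp --dport 631 -m state --state NEW -j ACCEPT
#
# ---------- end: CUPS -----------
# ------------- printing, port 9100 -------------
#
-A FORWARD -i $local_if_1 -p tcp --dport 9100 -m state --state NEW -j ACCEPT
-A FORWARD -i $wlan_if -p tcp --dport 9100 -m state --state NEW -j ACCEPT
#
# ---------- end: printing, port 9100 -----------
# ---------- SNMP (disabled) ----------
#
#-A FORWARD -i $local_if_1 -p tcp --dport 161 -m state --state NEW -j ACCEPT
#-A FORWARD -i $wlan_if -p tcp --dport 161 -m state --state NEW -j ACCEPT
#
# ---------- end: SNMP ----------
# ------------- VOIP -------------
#
# SIP
#
# Standard:
# Port: 5060 / UDP (SIP signalling)
# Port: 5004 / UDP (RTP, voice)
# Port: 10000 UDP (STUN)
#
# X-Lite:
# Port 5060 / UDP
# Port 8000 - 8019 / UDP
# Port 10000 /UDP
# incoming requests
#
-A INPUT -p tcp --syn -i $ext_if --dport 5060 -j ACCEPT
-A INPUT -p udp -i $ext_if --dport 5060 -j ACCEPT
#
# outgoing requests
#
-A OUTPUT -p tcp --syn -o $ext_if --dport 5060 -j ACCEPT
-A OUTPUT -p udp -o $ext_if --dport 5060 -j ACCEPT
#
# forward -- outbound signalling/media, plus inbound signalling/media
# from the outside (the -i $ext_if rules; note they are not state-limited)
#
-A FORWARD -p tcp --syn -o $ext_if --dport 5060 -j ACCEPT
-A FORWARD -p udp -o $ext_if --dport 5060 -j ACCEPT
-A FORWARD -p udp -i $ext_if --dport 5060 -j ACCEPT
-A FORWARD -p udp -o $ext_if --dport 5004 -j ACCEPT
-A FORWARD -p udp -i $ext_if --dport 5004 -j ACCEPT
-A FORWARD -p tcp --syn -o $ext_if --dport 10000 -j ACCEPT
-A FORWARD -p udp -o $ext_if --dport 10000 -j ACCEPT
-A FORWARD -p udp -i $ext_if --dport 10000 -j ACCEPT
-A FORWARD -p udp -o $ext_if --sport 8000:8019 -j ACCEPT
-A FORWARD -p udp -i $ext_if --sport 8000:8019 -j ACCEPT
-A FORWARD -p udp -o $ext_if --sport 32700:32799 -j ACCEPT
#
# Skype
#
# incoming requests (disabled)
#
# -A INPUT -p tcp --syn -i $ext_if --dport 54196 -j ACCEPT
# -A INPUT -p udp -i $ext_if --dport 54196 -j ACCEPT
#
# outgoing requests
#
#
# forward -- requests from the outside
#
# -- Linux
-A FORWARD -p tcp --syn -i $ext_if --dport 34957 -j ACCEPT
-A FORWARD -p tcp --syn -o $ext_if --sport 34957 -j ACCEPT
-A FORWARD -p udp -i $ext_if --dport 34957 -j ACCEPT
-A FORWARD -p udp -o $ext_if --sport 34957 -j ACCEPT
# -- Windows --
-A FORWARD -p tcp --syn -i $ext_if --dport 54196 -j ACCEPT
-A FORWARD -p tcp --syn -o $ext_if --dport 54196 -j ACCEPT
-A FORWARD -p udp -i $ext_if --dport 54196 -j ACCEPT
-A FORWARD -p udp -o $ext_if --sport 54196 -j ACCEPT
#
# ---------- end: VOIP ------------
# ------------- Traceroute -------------
#
# out (probes sent by the gateway)
-A OUTPUT -p udp --dport 33434:33530 -o $local_if_1 -j ACCEPT
-A OUTPUT -p udp --dport 33434:33530 -o $wlan_if -j ACCEPT
-A OUTPUT -p udp --dport 33434:33530 -o $ext_if -j ACCEPT
#
# in (probes from the local networks)
-A INPUT -p udp --dport 33434:33530 -i $local_if_1 -j ACCEPT
-A INPUT -p udp --dport 33434:33530 -i $wlan_if -j ACCEPT
# forward
-A FORWARD -p udp --dport 33434:33530 -o $ext_if -j ACCEPT
#
# -------- end: Traceroute -------------
# ------------ ICMP (e.g. ping) ------------
# allow all ICMP packets
#
-A OUTPUT -o $local_if_1 -p icmp -j ACCEPT
-A OUTPUT -o $wlan_if -p icmp -j ACCEPT
-A OUTPUT -o $ext_if -p icmp -j ACCEPT
-A OUTPUT -o $vdsl_if -p icmp -j ACCEPT
#
-A INPUT -i $local_if_1 -p icmp -j ACCEPT
-A INPUT -i $wlan_if -p icmp -j ACCEPT
-A INPUT -i $ext_if -p icmp -j ACCEPT
-A INPUT -i $vdsl_if -p icmp -j ACCEPT
#
-A FORWARD -p icmp -o $ext_if -j ACCEPT
-A FORWARD -p icmp -i $local_if_1 -j ACCEPT
-A FORWARD -p icmp -i $wlan_if -j ACCEPT
-A FORWARD -p icmp -o $vdsl_if -j ACCEPT
#
# ------- end: ICMP ------------
# ------------- portmapper (mountd and NFS) -------------
#
# "! -i $ext_if" matches every interface except $ext_if, i.e. also
# $vdsl_if and $vpn_if.
#
# -- portmapper ( udp/tcp port 111 )
#
# tcp
-A INPUT ! -i $ext_if -p tcp --dport 111 -j ACCEPT
-A FORWARD ! -i $ext_if -p tcp --dport 111 -j ACCEPT
# udp
-A INPUT ! -i $ext_if -p udp --dport 111 -j ACCEPT
-A FORWARD ! -i $ext_if -p udp --dport 111 -j ACCEPT
#
# -- mountd
# - normally a random port number is assigned by
#   the portmapper, but if you start rpc.mountd
#   (see the start script /etc/init.d/nfs-kernel) with
#   option -p 1105 you can use the following rules:
#
# tcp
-A INPUT ! -i $ext_if -p tcp --dport 1105 -j ACCEPT
-A FORWARD ! -i $ext_if -p tcp --dport 1105 -j ACCEPT
# udp
-A INPUT ! -i $ext_if -p udp --dport 1105 -j ACCEPT
-A FORWARD ! -i $ext_if -p udp --dport 1105 -j ACCEPT
#
# -- nfs
#
-A INPUT ! -i $ext_if -p udp --dport 2049 -j ACCEPT
-A FORWARD ! -i $ext_if -p udp --dport 2049 -j ACCEPT
#
# NFS depends on ICMP for much of its communication, more precisely:
# NFS depends on ICMP packets of type 3
# (the second FORWARD rule is a duplicate of the first; harmless)
#
-A INPUT ! -i $ext_if -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A FORWARD ! -i $ext_if -p icmp -m icmp --icmp-type 3 -j ACCEPT
#
-A OUTPUT ! -o $ext_if -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A FORWARD ! -i $ext_if -p icmp -m icmp --icmp-type 3 -j ACCEPT
#
# ---------- end: portmapper (mountd and NFS) -----------
# ------------ port forwarding -------------
#
#
## - Schott into the internal WARENFORM network (disabled)
#
# --- webrick - set up for vs-bdb-fe.wf.netz:3000 ONLY from ---
# -- the Schott networks ---
#
#-t nat -A PREROUTING -i $ext_if -p tcp --syn -s 80.156.4.0/22 \
# --dport 80 -j DNAT --to 192.168.52.47:3000
#-t filter -A FORWARD -p tcp -s 80.156.4.0/22 --dport 3000 -d 192.168.52.47 \
# -i $ext_if -o $local_if_1 -j ACCEPT
#-t nat -A PREROUTING -i $ext_if -p tcp --syn -s 194.175.223.0/23 \
# --dport 80 -j DNAT --to 192.168.52.47:3000
#-t filter -A FORWARD -p tcp -s 194.175.223.0/23 --dport 3000 -d 192.168.52.47 \
# -i $ext_if -o $local_if_1 -j ACCEPT
#-t nat -A PREROUTING -i $ext_if -p tcp --syn -s 213.68.175.0/25 \
# --dport 80 -j DNAT --to 192.168.52.47:3000
#-t filter -A FORWARD -p tcp -s 213.68.175.0/25 --dport 3000 -d 192.168.52.47 \
# -i $ext_if -o $local_if_1 -j ACCEPT
#
# --- schott-demo.warenform.de:443 -> vs-bdb-fe.wf.netz:9000 ---
# -- ONLY from the Schott networks ---
#
#-t nat -A PREROUTING -i $ext_if -p tcp --syn -s 80.156.4.0/22 \
# --dport 443 -j DNAT --to 192.168.52.46:9000
#-t filter -A FORWARD -p tcp -s 80.156.4.0/22 --dport 9000 -d 192.168.52.46 \
# -i $ext_if -o $local_if_1 -j ACCEPT
#-t nat -A PREROUTING -i $ext_if -p tcp --syn -s 194.175.223.0/23 \
# --dport 443 -j DNAT --to 192.168.52.46:9000
#-t filter -A FORWARD -p tcp -s 194.175.223.0/23 --dport 9000 -d 192.168.52.46 \
# -i $ext_if -o $local_if_1 -j ACCEPT
#-t nat -A PREROUTING -i $ext_if -p tcp --syn -s 213.68.175.0/25 \
# --dport 443 -j DNAT --to 192.168.52.46:9000
#-t filter -A FORWARD -p tcp -s 213.68.175.0/25 --dport 9000 -d 192.168.52.46 \
# -i $ext_if -o $local_if_1 -j ACCEPT
#
# --- Etherpad intranet
# --
#
-t nat -A PREROUTING -i $ext_if -p tcp --syn \
  --dport 9080 -j DNAT --to 192.168.52.24:9080
-t filter -A FORWARD -p tcp --dport 9080 -d 192.168.52.24 \
  -i $ext_if -o $local_if_1 -j ACCEPT
#
-t nat -A PREROUTING -i $ext_if -p tcp --syn \
  --dport 9443 -j DNAT --to 192.168.52.24:9443
-t filter -A FORWARD -p tcp --dport 9443 -d 192.168.52.24 \
  -i $ext_if -o $local_if_1 -j ACCEPT
#
# --- end: Etherpad intranet
#
#
# --- HTTP (disabled) ---
#
#-t nat -A PREROUTING -i $ext_if -p tcp --syn \
# --dport 8080 -j DNAT --to 192.168.52.25:8080
#-t filter -A FORWARD -p tcp --dport 8080 -d 192.168.52.35 \
# -i $ext_if -o $local_if_1 -j ACCEPT
#
# --- HTTPS (disabled) ---
#
#-t nat -A PREROUTING -i $ext_if -p tcp --syn \
# --dport 8443 -j DNAT --to 192.168.42.25:443
#-t filter -A FORWARD -p tcp --dport 443 -d 192.168.42.35 \
# -i $ext_if -o $local_if_1 -j ACCEPT
#
#
# --- PPTP ( VPN to the NAS server wf-nas ) — disabled --
#
#-t nat -A PREROUTING -i $ext_if -p tcp --syn \
# --dport 1723 -j DNAT --to 192.168.52.80:1723
#-t filter -A FORWARD -p tcp --dport 1723 -d 192.168.52.80 \
# -i $ext_if -o $local_if_1 -j ACCEPT
#
#
# --- SSH ( to devel )
#
# NOTE(review): the "devel" and "repos" forwards (9997 and 9998) both DNAT
# to 192.168.52.25:22, while their filter rules accept -d 192.168.52.35,
# which matches neither DNAT target. Traffic still passes via the generic
# "-A FORWARD -o $local_if_1 --dport 22" rule above. Confirm the intended
# hosts and make the DNAT target and filter destination agree.
-t nat -A PREROUTING -i $ext_if -p tcp --dport 9997 -m state --state NEW -j DNAT --to 192.168.52.25:22
-t filter -A FORWARD -p tcp --dport 22 -d 192.168.52.35 -i $ext_if -o $local_if_1 -m state --state NEW -j ACCEPT
#
#
# --- SSH ( to repos )
#
-t nat -A PREROUTING -i $ext_if -p tcp --dport 9998 -m state --state NEW -j DNAT --to 192.168.52.25:22
-t filter -A FORWARD -p tcp --dport 22 -d 192.168.52.35 -i $ext_if -o $local_if_1 -m state --state NEW -j ACCEPT
#
#
# --- SSH ( to the file server anita ) --
#
-t nat -A PREROUTING -i $ext_if -p tcp --dport 9999 -m state --state NEW -j DNAT --to 192.168.52.60:22
-t filter -A FORWARD -p tcp --dport 22 -d 192.168.52.60 -i $ext_if -o $local_if_1 -m state --state NEW -j ACCEPT
#
# ---------- end: port forwarding ----------
#
# ------------- logging -------------
#
# log everything that does not get through (disabled)
#
#-A OUTPUT -j LOG --log-level debug
#-A INPUT -j LOG --log-level debug
#-A FORWARD -j LOG --log-level debug
# -
# ------------- end: logging -------------
# ------------- DROP -------------
# drop everything else on all interfaces..
#
-A INPUT -j DROP
-A OUTPUT -j DROP
-A FORWARD -j DROP
#
# ---------- end: DROP ----------
EOR

exit 0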