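#!/bin/sh
### BEGIN INIT INFO
# Provides:          ipt-firewall
# Required-Start:    $local_fs $remote_fs $syslog $network
# Required-Stop:     $local_fs $remote_fs $syslog $network
# Should-Start:
# Should-Stop:
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: IPv4 Firewall
### END INIT INFO
#
# IPv4 iptables rule set for a small gateway: one external interface
# ($ext_if), two local interfaces ($local_if_1, $local_if_2) and an
# OpenVPN tunnel ($vpn_if).
#
# Usage: ipt-firewall [stop|<anything else>]
#   An argument beginning with "sto" flushes all tables and exits with
#   every policy left at ACCEPT (the host is then unfiltered). Any other
#   argument, or none, loads the full rule set.
#
# Plain POSIX sh, no 'set -e': a failing modprobe, /proc write or iptables
# call prints its diagnostic and the script carries on with the next line.

# Load appropriate modules.
/sbin/modprobe ip_tables
/sbin/modprobe iptable_nat > /dev/null 2>&1

## - Load modules for FTP Connection tracking and NAT
## -
# NOTE(review): ip_conntrack, ip_conntrack_ftp and ip_nat_ftp are the old
# module names (newer kernels ship nf_conntrack, nf_conntrack_ftp and
# nf_nat_ftp instead). stderr is discarded, so on such a kernel these three
# modprobes fail silently and FTP data connections are never tracked as
# RELATED - confirm on the target kernel.
/sbin/modprobe ip_conntrack > /dev/null 2>&1
/sbin/modprobe ip_conntrack_ftp > /dev/null 2>&1
/sbin/modprobe ip_nat_ftp > /dev/null 2>&1

# Logging switches. Each one enables the LOG rule placed directly in front
# of the matching DROP further down; log_all switches all of them on.
# Log lines go to syslog at level debug with an "IPv4: ..." prefix.
log_all=false
log_syn_flood=false
log_fragments=false
log_new_not_sync=false
log_invalid_state=false
log_invalid_flags=false
log_spoofed=false
log_to_lo=false
log_blocked=false
log_rejected=false

# IP's / IP-Ranges to block (dropped on INPUT before any other rule)
#
# 222.184.0.0   CHINANET-JS
# 61.160.0.0/16 - CHINANET-JS
# 116.8.0.0/14  CHINANET-GX
# 70.42.149.69  - ssh attack 30.06.2014
#
blocked_ips="222.184.0.0/13 61.160.0.0/16 116.8.0.0/14 70.42.149.69"

ipt="/sbin/iptables"

## - external interface
## -
ext_if="eth0"
ext_ip="172.16.0.1"

## - VPN interface
## -
vpn_if="tun+"

## - local interfaces
## -
local_if_1="eth1+"
local_if_2="eth2+"
local_ip="192.168.0.254"
local_net_1="192.168.0.0/24"

## - local Services
## -
webmail="192.168.0.44"
mail_server="192.168.0.44"
mail_server_alt="192.168.0.1"
ak_web="192.168.0.44"
at_10="192.168.0.10"
ftp_server="192.168.0.44"
ldap_server="192.168.0.44"

## - Ports
## -
ssh_port=22
mail_user_ports="465,587,58736,995,993"
www_ports="80,443"
www_ports_akweb="81"
www_extra_ports="8080,8443"

# NOTE(review): local_ip, local_net_1, ldap_server, ssh_port,
# mail_user_ports, www_ports_akweb and www_extra_ports are defined but not
# referenced by any rule in this script (the SSH rules use the literal 22).

# unprivileged ports
unprivports="1024:65535"

# Address ranges that must never appear as a source on the external
# interface (anti-spoofing rules below).
loopback="127.0.0.0/8"
priv_class_a="10.0.0.0/8"
priv_class_b="172.16.0.0/12"
priv_class_c="192.168.0.0/16"
class_d_multicast="224.0.0.0/4"
class_e_reserved="240.0.0.0/5"
# NOTE(review): 83.223.85.255 is not in the network of ext_ip (172.16.0.1);
# this looks like a leftover from an earlier public address - confirm.
broadcast_addr="83.223.85.255"

## - enable IP forwarding (the box routes between its interfaces);
## - a non-zero ip_dynaddr lets sockets follow a changing external address.
## -
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 5 > /proc/sys/net/ipv4/ip_dynaddr

## - Reduce DoS'ing ability by reducing timeouts
## -
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 1 > /proc/sys/net/ipv4/tcp_window_scaling
# NOTE(review): disabling SACK costs throughput on lossy links; revisit
# whether this is still wanted.
echo 0 > /proc/sys/net/ipv4/tcp_sack
echo 1280 > /proc/sys/net/ipv4/tcp_max_syn_backlog

## - SYN COOKIES
## -
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

## - Ignore forged ICMP error responses.
## -
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

## - Ignore broadcast pings
## -
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

## - NO SOURCE ROUTE
## -
## - Reject source-routed packets on every interface.
## -
for asr in /proc/sys/net/ipv4/conf/*/accept_source_route; do
  [ -e "$asr" ] || continue   # unmatched glob leaves the pattern itself
  echo 0 > "$asr"
done

## - Do not accept ICMP redirect packets.
## -
## - They can be used to alter the routing tables, possibly with
## - malicious intent.
## -
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects

## - ANTISPOOFING
## -
## - Enable reverse path filtering. It automatically rejects packets whose
## - source address does not match the interface they arrived on, so
## - packets have to carry a legitimate source address. It has to be set
## - for every net/ipv4/conf/* entry, otherwise source validation is not
## - fully effective.
## -
for rp_filter in /proc/sys/net/ipv4/conf/*/rp_filter; do
  [ -e "$rp_filter" ] || continue
  echo 1 > "$rp_filter"
done

## - NUMBER OF CONNECTIONS TO TRACK
## -
## - The ipv4/netfilter path is the legacy name; newer kernels only expose
## - net/netfilter/nf_conntrack_max, so try both.
if [ -w /proc/sys/net/ipv4/netfilter/ip_conntrack_max ]; then
  echo "65535" > /proc/sys/net/ipv4/netfilter/ip_conntrack_max
elif [ -w /proc/sys/net/netfilter/nf_conntrack_max ]; then
  echo "65535" > /proc/sys/net/netfilter/nf_conntrack_max
else
  echo "ipt-firewall: no conntrack_max sysctl found, is conntrack loaded?" >&2
fi

## - Log packets that are spoofed, source routed or redirects.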
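## -
#echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

## - Flush everything and reset the default policies to ACCEPT.
## -
## - Each here-document line that starts with '-' is handed to iptables as
## - it stands; every other line is a comment. The here-document is
## - unquoted, so the $var references in the rules expand, and $p is
## - deliberately left unquoted so the line is split into arguments.
## - '-X' removes the user-defined chain (syn-flood) from a previous run,
## - which is what allows the script to be re-run.
# shellcheck disable=SC2086
while read -r p; do
  case $p in
    -*) "$ipt" $p;;
  esac
done << EOR
## - flush chains
## -
-F
-F INPUT
-F OUTPUT
-F FORWARD
-F -t mangle
-F -t nat
-X
-Z
## - default policies
## -
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P FORWARD ACCEPT
-t nat -P PREROUTING ACCEPT
-t nat -P POSTROUTING ACCEPT
#-t nat -A POSTROUTING -o $ext_if -j MASQUERADE
-I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
## - Fritz!BOX 7390 via VPN
## -
-t nat -A POSTROUTING -o $ext_if -p tcp -s 10.0.0.0/8 -d 172.16.0.254 --dport 80 -j MASQUERADE
## - Fritz!BOX (AcccessPoint) via VPN
## -
-t nat -A POSTROUTING -o $local_if_2 -p tcp -s 10.0.0.0/24 -d 192.168.128.103 --dport 80 -j MASQUERADE
EOR

# "stop" ends here: the chains are flushed, every policy is ACCEPT, i.e. the
# host is unfiltered. Note that the TCPMSS rule and the two MASQUERADE rules
# above were loaded before this check and therefore stay in place on stop.
case "$1" in
  sto*) exit 0;;
esac

#$ipt -A FORWARD -i $local_if_1 -o $local_if_2 -p ALL -m state --state NEW -j ACCEPT
#$ipt -A FORWARD -i $local_if_2 -o $local_if_1 -p ALL -m state --state NEW -j ACCEPT

# 192.168.63.0/24 is trusted unconditionally in every direction. These rules
# sit in front of all sanity checks below, so traffic to or from that
# network is never inspected.
# NOTE(review): there is no '-i' match, so a packet arriving on $ext_if with
# a forged 192.168.63.x source also matches; the rp_filter setting above is
# the only thing standing in the way. Adding the interface that actually
# carries this network would close that gap.
"$ipt" -A INPUT -s 192.168.63.0/24 -j ACCEPT
"$ipt" -A FORWARD -s 192.168.63.0/24 -j ACCEPT
"$ipt" -A FORWARD -d 192.168.63.0/24 -j ACCEPT
"$ipt" -A OUTPUT -d 192.168.63.0/24 -j ACCEPT

## - Protection against syn-flooding
## -
## - chains to DROP too many SYNs
## -
# NOTE(review): the syn-flood chain is created and filled here, but no rule
# in this script jumps to it (there is no '-j syn-flood' anywhere), so it
# never sees a packet. It is left untouched on purpose: sending all new
# SYNs on $ext_if through it would limit inbound connections to 1/s
# (burst 3) for everyone, which needs a deliberate decision.
"$ipt" -N syn-flood
"$ipt" -A syn-flood -m limit --limit 1/second --limit-burst 3 -j RETURN
if $log_syn_flood || $log_all ; then
  "$ipt" -A syn-flood -j LOG --log-prefix "IPv4: SYN flood: " --log-level debug
fi
"$ipt" -A syn-flood -j DROP

## FRAGMENTS
# I have to say that fragments scare me more than anything.
# Sending lots of non-first fragments was what allowed Jolt2 to effectively "drown"
# Firewall-1. Fragments can be overlapped, and the subsequent interpretation of such
# fragments is very OS-dependent (see this paper for details).
# I am not going to trust any fragments.
# Log fragments just to see if we get any, and deny them too.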
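# '-f' matches second and further fragments. With connection tracking loaded
# (see the modprobes at the top) the kernel reassembles fragments before the
# filter table sees them, so this is mostly a safety net for the case where
# conntrack is missing.
if $log_fragments || $log_all ; then
  "$ipt" -A INPUT -i "$ext_if" -f -j LOG --log-prefix "IPv4: IPTABLES FRAGMENTS: " --log-level debug
fi
"$ipt" -A INPUT -i "$ext_if" -f -j DROP

## - drop NEW tcp packets that are not a SYN (mid-stream packets for
## - connections we never saw, e.g. after a conntrack table flush or a scan)
## -
if $log_new_not_sync || $log_all ; then
  "$ipt" -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "IPv4: New but not SYN: " --log-level debug
  "$ipt" -A OUTPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "IPv4: New but not SYN: " --log-level debug
fi
"$ipt" -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
"$ipt" -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP

## - drop packets conntrack classifies as INVALID
## -
if $log_invalid_state || $log_all ; then
  "$ipt" -A INPUT -m state --state INVALID -j LOG --log-prefix "IPv4: Invalid state: " --log-level debug
fi
"$ipt" -A INPUT -m state --state INVALID -j DROP

## - drop impossible TCP flag combinations on the external interface
## - (all-flags-set, SYN+FIN, SYN+RST: typical of scanners, never legitimate)
## -
if $log_invalid_flags || $log_all ; then
  "$ipt" -A INPUT -i "$ext_if" -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j LOG --log-prefix "IPv4: Invalid flags: " --log-level debug
  "$ipt" -A INPUT -i "$ext_if" -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "IPv4: Invalid flags: " --log-level debug
  "$ipt" -A INPUT -i "$ext_if" -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "IPv4: Invalid flags: " --log-level debug
fi
"$ipt" -A INPUT -i "$ext_if" -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
"$ipt" -A INPUT -i "$ext_if" -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
"$ipt" -A INPUT -i "$ext_if" -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

## - drop private / reserved source addresses on the external interface
## -
# Refuse spoofed packets pretending to be from your IP address.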
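if $log_spoofed || $log_all ; then
  "$ipt" -A INPUT -i "$ext_if" -s "$ext_ip" -j LOG --log-prefix "IPv4: Spoofed (own ip): " --log-level debug
fi
"$ipt" -A INPUT -i "$ext_if" -s "$ext_ip" -j DROP

# Refuse packets claiming to be from a
#   Class A private network
#   Class B private network
#   Class C private network
#   loopback interface
#   Class D multicast address
#   Class E reserved IP address
#   broadcast address
# The Class B (172.16.0.0/12) rules are commented out, presumably because
# ext_ip itself (172.16.0.1) lies in that range.
if $log_spoofed || $log_all ; then
  "$ipt" -A INPUT -i "$ext_if" -s "$priv_class_a" -j LOG --log-prefix "IPv4: Class A private net: " --log-level debug
  #$ipt -A INPUT -i $ext_if -s $priv_class_b -j LOG --log-prefix "IPv4: Class B private net: " --log-level debug
  "$ipt" -A INPUT -i "$ext_if" -s "$priv_class_c" -j LOG --log-prefix "IPv4: Class C private net: " --log-level debug
  "$ipt" -A INPUT -i "$ext_if" -s "$loopback" -j LOG --log-prefix "IPv4: From Loopback: " --log-level debug
  "$ipt" -A INPUT -i "$ext_if" -s "$class_d_multicast" -j LOG --log-prefix "IPv4: Class D Multicast: " --log-level debug
  "$ipt" -A INPUT -i "$ext_if" -s "$class_e_reserved" -j LOG --log-prefix "IPv4: Class E reserved: " --log-level debug
  "$ipt" -A INPUT -i "$ext_if" -d "$broadcast_addr" -j LOG --log-prefix "IPv4: Broadcast Address: " --log-level debug
fi

# Refuse packets claiming to be from a Class A private network.
"$ipt" -A INPUT -i "$ext_if" -s "$priv_class_a" -j DROP
# Refuse packets claiming to be from a Class B private network.
#$ipt -A INPUT -i $ext_if -s $priv_class_b -j DROP
# Refuse packets claiming to be from a Class C private network.
"$ipt" -A INPUT -i "$ext_if" -s "$priv_class_c" -j DROP
# Refuse packets claiming to be from loopback interface.
"$ipt" -A INPUT -i "$ext_if" -s "$loopback" -j DROP
# Refuse Class D multicast addresses. Multicast is illegal as a source address.
"$ipt" -A INPUT -i "$ext_if" -s "$class_d_multicast" -j DROP
# Refuse Class E reserved IP addresses.
"$ipt" -A INPUT -i "$ext_if" -s "$class_e_reserved" -j DROP
# Refuse broadcast address packets (destination match, see broadcast_addr).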
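"$ipt" -A INPUT -i "$ext_if" -d "$broadcast_addr" -j DROP

# Refuse packets claiming to be to the loopback interface.
# Refusing packets claiming to be to the loopback interface protects against
# source quench, whereby a machine can be told to slow itself down by an icmp source
# quench to the loopback.
if $log_to_lo || $log_all ; then
  "$ipt" -A INPUT -i "$ext_if" -d "$loopback" -j LOG --log-prefix "IPv4: To Loopback: " --log-level debug
fi
"$ipt" -A INPUT -i "$ext_if" -d "$loopback" -j DROP

# Don't allow spoofing from that server: nothing with a private or loopback
# source may leave via the external interface.
"$ipt" -A OUTPUT -o "$ext_if" -s "$priv_class_a" -j DROP
#$ipt -A OUTPUT -o $ext_if -s $priv_class_b -j DROP
#$ipt -A OUTPUT -o $ext_if -s $priv_class_c -j DROP
"$ipt" -A OUTPUT -o "$ext_if" -s "$loopback" -j DROP

# ------------- blocked networks / hosts (see blocked_ips) -------------
#
# The LOG rule is restricted to $ext_if, the DROP applies to every
# interface. $blocked_ips is intentionally unquoted: it is a space-separated
# list. The log prefix no longer carries the address: iptables limits
# --log-prefix to 29 characters, and "IPv4: Blocked 222.184.0.0/13: " is
# 30, so that LOG rule was rejected; the kernel log line has SRC= anyway.
for _ip in $blocked_ips ; do
  if $log_blocked || $log_all ; then
    "$ipt" -A INPUT -i "$ext_if" -s "$_ip" -j LOG --log-prefix "IPv4: Blocked: " --log-level debug
  fi
  "$ipt" -A INPUT -p ALL -s "$_ip" -j DROP
done
#
# ------------- end: blocked networks / hosts -------------

## - We don't want these packets on the gateway
#
# --- We are not a cups server
"$ipt" -A INPUT -i "$local_if_1" -p tcp --sport 631 -j DROP
"$ipt" -A INPUT -i "$local_if_1" -p udp --sport 631 -j DROP

# --- No NETBIOS packets
# These DROPs come before the blanket "-A INPUT -i $local_if_1/2 -j ACCEPT"
# rules in the Ping section below, so they still take effect.
# -- LAN
"$ipt" -A INPUT -p udp -i "$local_if_1" --dport 137:139 -j DROP
"$ipt" -A INPUT -p tcp -i "$local_if_1" --dport 137:139 -j DROP
"$ipt" -A INPUT -p tcp -i "$local_if_1" --dport 445 -j DROP
## - WLAN (LAN2)
"$ipt" -A INPUT -p udp -i "$local_if_2" --dport 137:139 -j DROP
"$ipt" -A INPUT -p tcp -i "$local_if_2" --dport 137:139 -j DROP
"$ipt" -A INPUT -p tcp -i "$local_if_2" --dport 445 -j DROP

echo "Starting firewall iptables (IpV4).."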
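# Main rule set. Same mechanism as the flush block above: every line of the
# here-document that starts with '-' is passed to iptables verbatim ($r is
# deliberately unquoted so it is word-split into arguments), all other
# lines are comments. The here-document is unquoted so that $ext_if,
# $local_if_1 etc. expand. Rule order is significant: the first matching
# rule wins, and the chains end in an unconditional DROP (see the bottom of
# this file), so anything not accepted here is dropped.
# shellcheck disable=SC2086
while read -r r; do
  case $r in
    -*) "$ipt" $r;;
  esac
done << EOR
# ------------- das loopbackdevice -------------
# alles erlaubt
#
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
#
# ---------- Ende: das loopbackdevice ----------
# ---------- alle Anfragen aus den internen Netzen nach draussen -------------
#
# NOTE(review): this rule accepts every NEW forwarded connection that leaves
# via $ext_if no matter which interface it came in on (including $ext_if
# itself and $vpn_if). All the per-service "-o $ext_if ... --state NEW"
# FORWARD rules further down are therefore never reached by new packets.
# If only the internal networks are meant, restrict it, e.g. with
# "! -i $ext_if" or one rule per local interface.
-A FORWARD -o $ext_if -p ALL -m state --state NEW -j ACCEPT
#
# ---------- Ende: alle Anfragen aus den internen Netzen nach draussen ----------
# ------------- Zugriffe zwischen WLAN und LAN -------------
#
# Drucker IP-Adressen freigeben
# - hp-lj5000
#-A FORWARD -i $local_if_2 -d 192.168.0.249 -p ALL -m state --state NEW -j ACCEPT
-A FORWARD -i $local_if_2 -d 192.168.0.249 -p ALL -j ACCEPT
-A FORWARD -o $local_if_2 -s 192.168.0.249 -p ALL -j ACCEPT
# - canon-c5030i
#-A FORWARD -i $local_if_2 -d 192.168.0.253 -p ALL -m state --state NEW -j ACCEPT
-A FORWARD -i $local_if_2 -d 192.168.0.253 -p ALL -j ACCEPT
-A FORWARD -o $local_if_2 -s 192.168.0.253 -p ALL -j ACCEPT
#
# Samba Ports auf at-44
-A FORWARD -i $local_if_2 -p udp -d 192.168.0.44 --dport 137:139 -m state --state NEW -j ACCEPT
-A FORWARD -i $local_if_2 -p tcp -d 192.168.0.44 --dport 137:139 -m state --state NEW -j ACCEPT
-A FORWARD -i $local_if_2 -p tcp -d 192.168.0.44 --dport 445 -m state --state NEW -j ACCEPT
#
#
# ---------- Ende: Zugriffe zwischen WLAN und LAN ----------
# ------------- zwischen lokalen Netzen -------------
#
#
#-A FORWARD -i $local_if_1 -o $local_if_2 -p ALL -m state --state NEW -j ACCEPT
#-A FORWARD -i $local_if_2 -o $local_if_1 -p ALL -m state --state NEW -j ACCEPT
#
# - needed because sometimes i add temporarily other networks to that interface
#
#-A FORWARD -i $local_if_1 -o $local_if_1 -j ACCEPT
#
# ---------- Ende: zwischen lokalen Netzen ----------
# ------------- betsehende Verbindungen -------------
# bereits bestehende Verbindungen durchlassen
#
# -- rein --
#
-A INPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# -- raus --
#
-A OUTPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# foreward
#
-A FORWARD -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# ---------- Ende betsehende Verbindungen -----------
#############################################################
# ----------------- Konfiguration VPN ------------------
#
# -- initial via internet
#
-A INPUT -p udp -i $ext_if --dport 1194 -m state --state NEW -j ACCEPT
-A INPUT -p udp -i $ext_if --dport 1195 -m state --state NEW -j ACCEPT
#
# -- initial via lan1
-A INPUT -p udp -i $local_if_1 --dport 1194 -m state --state NEW -j ACCEPT
#
# -- initial via lan2
-A INPUT -p udp -i $local_if_2 --dport 1194 -m state --state NEW -j ACCEPT
#
# ausgehende Anfragen
#
#-A OUTPUT -o $ext_if -p udp --dport 1194 -m state --state NEW -j ACCEPT
#
# forward
#
-A FORWARD -o $ext_if -p udp --dport 1194 -m state --state NEW -j ACCEPT
#
# -- alles via vpn device zulassen/durchrouten
# (everything arriving on or leaving via the tunnel is accepted unfiltered)
#
-A INPUT -i $vpn_if -j ACCEPT
-A OUTPUT -o $vpn_if -j ACCEPT
-A FORWARD -i $vpn_if -j ACCEPT
-A FORWARD -o $vpn_if -j ACCEPT
# ------------ Ende Konfiguration VPN --------------------
#
#############################################################
# ------------- smbclient / smbmount -------------
#
-A OUTPUT -o $local_if_1 -p tcp --dport 445 -j ACCEPT
-A OUTPUT -o $local_if_1 -p tcp --dport 137:139 -j ACCEPT
#
# ---------- Ende smbclient / smbmount -----------
# ------------- grundsaetzlich ablehnen -------------
# reinlaufenden windows kram
#
-A INPUT -p udp -i $ext_if --dport 137:139 -j DROP
-A INPUT -p tcp -i $ext_if --dport 137:139 -j DROP
-A INPUT -p tcp -i $ext_if --dport 445 -j DROP
#
# .. und forwards
#
-A FORWARD -i $local_if_1 -o $ext_if -p tcp --dport 137:139 -j DROP
-A FORWARD -i $local_if_1 -o $ext_if -p tcp --dport 445 -j DROP
#
#
# authentication tap ident
#
-A INPUT -p tcp -i $ext_if --dport 113 -j REJECT --reject-with tcp-reset
-A FORWARD -p tcp -i $ext_if --dport 113 -j REJECT --reject-with tcp-reset
#
#
# Location Service
#
-A INPUT -p tcp -i $ext_if --dport 135 -j DROP
-A INPUT -p udp -i $ext_if --dport 135 -j DROP
#
# ---------- Ende: grundsaetzlich ablehnen -------------
# ------------- SSH -------------
# reingehende Anfragen
#
# NOTE(review): SSH on the gateway is reachable from $ext_if, and the
# blocked_ips list already records one SSH attack. If that exposure is
# intended, this is the place where the (currently unused) syn-flood chain
# or a "-m recent" based limit would belong.
-A INPUT -i $ext_if -p tcp --syn --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i $local_if_1 -p tcp --syn --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i $local_if_2 -p tcp --syn --dport 22 -m state --state NEW -j ACCEPT
#
# ausgehende Anfragen
#
-A OUTPUT -o $ext_if -p tcp --syn --dport 22 -m state --state NEW -j ACCEPT
-A OUTPUT -o $local_if_1 -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A OUTPUT -o $local_if_2 -p tcp --dport 22 -m state --state NEW -j ACCEPT
#
# the second rule forwards new SSH connections from $ext_if to any host on $local_if_1
-A FORWARD -o $ext_if -p tcp --syn --dport 22 -m state --state NEW -j ACCEPT
-A FORWARD -i $ext_if -o $local_if_1 -p tcp --syn --dport 22 -m state --state NEW -j ACCEPT
-A FORWARD -o $local_if_2 -p tcp --syn --dport 22 -m state --state NEW -j ACCEPT
#
# ---------- Ende SSH ------------
# ------------- DHCP -------------
# reingehende Anfragen
#
-A INPUT -p udp -i $local_if_1 -s 0/0 --sport 68 -d 255.255.255.255 --dport 67 -j ACCEPT
-A INPUT -p udp -i $local_if_2 -s 0/0 --sport 68 -d 255.255.255.255 --dport 67 -j ACCEPT
#
# ausgehende Anfragen
#
-A OUTPUT -p udp -o $local_if_1 --sport 67 -d 0/0 --dport 68 -j ACCEPT
-A OUTPUT -p udp -o $local_if_2 --sport 67 -d 0/0 --dport 68 -j ACCEPT
#
# ---------- Ende DHCP ------------
# ------------- DNS -------------
#
# nameserver
#
# NOTE(review): the other sections pair one tcp and one udp rule per
# direction; here the first INPUT rule, both OUTPUT rules and both FORWARD
# rules say "-p udp", so the pairs are duplicates. As written, DNS over TCP
# (truncated answers, large responses, zone transfers) is neither allowed
# from the gateway itself nor forwarded. Probably the first rule of each
# pair was meant to be "-p tcp" - confirm and change.
#
# -- rein --
#
-A INPUT -i $local_if_1 -p udp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -i $local_if_2 -p tcp --dport 53 -m state --state NEW -j ACCEPT
#
-A INPUT -i $local_if_1 -p udp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -i $local_if_2 -p udp --dport 53 -m state --state NEW -j ACCEPT
#
# -- raus --
#
-A OUTPUT -o $ext_if -p udp --dport 53 -m state --state NEW -j ACCEPT
#
-A OUTPUT -o $ext_if -p udp --dport 53 -m state --state NEW -j ACCEPT
#
# forward
#
-A FORWARD -o $ext_if -p udp --dport 53 -m state --state NEW -j ACCEPT
#
-A FORWARD -o $ext_if -p udp --dport 53 -m state --state NEW -j ACCEPT
#
# ---------- Ende DNS -----------
# ------------- MAIL -------------
# rausgehende SMTP-Verbindungen akzeptieren
#
-A OUTPUT -p tcp --syn -o $ext_if --dport 25 -m state --state NEW -j ACCEPT
#
# ansonsten nur forward
#
# -- SMTP
# rausschicken dürfen alle
-A FORWARD -p tcp --syn -o $ext_if --dport 25 -m state --state NEW -j ACCEPT
# von ueberall zum internen mailserver
-A FORWARD -p tcp --syn -d $mail_server --dport 25 -m state --state NEW -j ACCEPT
-A FORWARD -p tcp --syn -d $mail_server_alt --dport 25 -m state --state NEW -j ACCEPT
#
# -- SUBMISSION
# rausschicken dürfen alle
-A FORWARD -p tcp --syn -o $ext_if --dport 587 -m state --state NEW -j ACCEPT
# von ueberall zum internen mailserver
-A FORWARD -p tcp --syn -d $mail_server --dport 587 -m state --state NEW -j ACCEPT
-A FORWARD -p tcp --syn -d $mail_server_alt --dport 587 -m state --state NEW -j ACCEPT
#
# -- SMTPS
# rausschicken dürfen alle
-A FORWARD -p tcp --syn -o $ext_if --dport 465 -m state --state NEW -j ACCEPT
# von ueberall zum internen mailserver
-A FORWARD -p tcp --syn -d $mail_server --dport 465 -m state --state NEW -j ACCEPT
-A FORWARD -p tcp --syn -d $mail_server_alt --dport 465 -m state --state NEW -j ACCEPT
#
# POP
# nach draussen dürfen alle
-A FORWARD -p tcp --syn -o $ext_if --dport 110 -m state --state NEW -j ACCEPT
# von ueberall zum internen mailserver
-A FORWARD -p tcp --syn -d $mail_server --dport 110 -m state --state NEW -j ACCEPT
-A FORWARD -p tcp --syn -d $mail_server_alt --dport 110 -m state --state NEW -j ACCEPT
#
# -- POP/SSL
# nach draussen dürfen alle
-A FORWARD -p tcp --syn -o $ext_if --dport 995 -m state --state NEW -j ACCEPT
# von ueberall zum internen mailserver
-A FORWARD -p tcp --syn -d $mail_server --dport 995 -m state --state NEW -j ACCEPT
-A FORWARD -p tcp --syn -d $mail_server_alt --dport 995 -m state --state NEW -j ACCEPT
#
# -- IMAP
# nach draussen dürfen alle
-A FORWARD -p tcp --syn -o $ext_if --dport 143 -m state --state NEW -j ACCEPT
# von ueberall zum internen mailserver
-A FORWARD -p tcp --syn -d $mail_server --dport 143 -m state --state NEW -j ACCEPT
-A FORWARD -p tcp --syn -d $mail_server_alt --dport 143 -m state --state NEW -j ACCEPT
#
# -- IMAP/SSL
# nach draussen dürfen alle
-A FORWARD -p tcp --syn -o $ext_if --dport 993 -m state --state NEW -j ACCEPT
# von ueberall zum internen mailserver
-A FORWARD -p tcp --syn -d $mail_server --dport 993 -m state --state NEW -j ACCEPT
-A FORWARD -p tcp --syn -d $mail_server_alt --dport 993 -m state --state NEW -j ACCEPT
#
# ---------- Ende MAIL -----------
# ------------- HTTP -------------
#
# rausgehende Verbindungen vom Gateway akzeptieren
# ( update clamav/freshclam, dyndns, apt-get )
#
-A OUTPUT -p tcp --syn -o $local_if_1 --dport 80 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp --syn -o $ext_if --dport 80 -m state --state NEW -j ACCEPT
#
# ansonsten nach draussen nur forward
#
-A FORWARD -p tcp --syn -o $ext_if -m multiport --dports $www_ports -m state --state NEW -j ACCEPT
#
# -- interne Webservices
# webmailer
-A FORWARD -p tcp --syn -d $webmail -m multiport --dports $www_ports -m state --state NEW -j ACCEPT
# akweb lokal
-A FORWARD -p tcp --syn -d $ak_web -m multiport --dports $www_ports -m state --state NEW -j ACCEPT
# at-10
-A FORWARD -p tcp --syn -d $at_10 -m multiport --dports $www_ports -m state --state NEW -j ACCEPT
#
# ---------- Ende HTTP -----------
# ------------- FTP -------------
#
# ftp ( lokaler Client remote ftp-Server )
#
# NOTE(review): the two "--sport 20 ... NEW" rules accept any new inbound
# connection from $ext_if whose source port happens to be 20 - to the
# gateway itself and forwarded to any internal host and port. With the
# FTP conntrack helper loaded (modprobe at the top) active-mode data
# connections are already RELATED and accepted by the state rule above,
# so these two are only needed if the helper is missing; the same applies
# to the passive-mode server rule below, which exposes every port
# 1024-65535 of $ftp_server to $ext_if.
#
# (Datenkanal aktiv)
-A INPUT -i $ext_if -p tcp --sport 20 -m state --state NEW -j ACCEPT
-A FORWARD -i $ext_if -p tcp --sport 20 -m state --state NEW -j ACCEPT
#
# (Datenkanal passiv)
-A OUTPUT -o $ext_if -p tcp --sport $unprivports --dport $unprivports -m state --state NEW -j ACCEPT
-A FORWARD -o $ext_if -p tcp --sport $unprivports --dport $unprivports -m state --state NEW -j ACCEPT
#
# (Kontrollverbindung)
-A OUTPUT -o $ext_if -p tcp --dport 21 -m state --state NEW -j ACCEPT
-A FORWARD -o $ext_if -p tcp --dport 21 -m state --state NEW -j ACCEPT
#
# ftp (Server)
#
# Datenkanal (aktiver modus)
-A FORWARD -o $ext_if -p tcp -s $ftp_server --sport 20 -m state --state NEW -j ACCEPT
#
# Datenkanal (passiver modus)
-A FORWARD -i $ext_if -p tcp -d $ftp_server --dport $unprivports --sport $unprivports -m state --state NEW -j ACCEPT
#
# - Kontrollverbindung
-A FORWARD -i $ext_if -p tcp -d $ftp_server --dport 21 --sport $unprivports -m state --state NEW -j ACCEPT
#
# ftp-tls ? ( keine Ahnung warum )
#
# NOTE(review): the OUTPUT rule accepts every new outbound TCP connection
# from the gateway with an unprivileged source port (i.e. practically all
# of them), which makes the per-service OUTPUT rules above and below
# redundant. The FORWARD rule only matches traffic that enters and leaves
# on $ext_if. Confirm whether either is still needed.
-A OUTPUT -p tcp --sport $unprivports -o $ext_if -m state --state NEW -j ACCEPT
-A FORWARD -p tcp --sport $unprivports -i $ext_if -o $ext_if -m state --state NEW -j ACCEPT
#
# ---------- Ende FTP -----------
# ------------- NTP -------------
# (network time protokoll)
#
# rein
#
-A INPUT -i $local_if_1 -p tcp --sport 123 -m state --state NEW -j ACCEPT
-A INPUT -i $local_if_2 -p tcp --sport 123 -m state --state NEW -j ACCEPT
#
-A INPUT -i $local_if_1 -p udp --sport 123 -m state --state NEW -j ACCEPT
-A INPUT -i $local_if_2 -p udp --sport 123 -m state --state NEW -j ACCEPT
#
# raus
#
-A OUTPUT -o $ext_if -p tcp --dport 123 -m state --state NEW -j ACCEPT
#
-A OUTPUT -o $ext_if -p udp --dport 123 -m state --state NEW -j ACCEPT
#
# forward
#
-A FORWARD -o $ext_if -p udp --dport 123 -j ACCEPT
#
-A FORWARD -o $ext_if -p tcp --dport 123 -j ACCEPT
#
# ---------- Ende NTP -----------
# ------------- pgpkeyserver -------------
#
# Forward -- nur Anfragen nach draussen
#
-A FORWARD -p tcp --syn -o $ext_if --dport 11370:11371 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp --syn -o $ext_if --dport 11370:11371 -m state --state NEW -j ACCEPT
#
# ---------- Ende pgpkeyserver ------------
# ------------- ldap / (z.Bsp. einige pgpkeyserver) -------------
#
# Forward -- nur Anfragen nach draussen
#
-A FORWARD -p tcp -o $ext_if --dport 389 -m state --state NEW -j ACCEPT
-A FORWARD -p udp -o $ext_if --dport 389 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -o $ext_if --dport 389 -m state --state NEW -j ACCEPT
-A OUTPUT -p udp -o $ext_if --dport 389 -m state --state NEW -j ACCEPT
#
# ldaps LDAP over SSL
#
-A FORWARD -p tcp --syn -o $ext_if --dport 636 -j ACCEPT
-A FORWARD -p udp -o $ext_if --dport 636 -j ACCEPT
-A OUTPUT -p tcp --syn -o $ext_if --dport 636 -j ACCEPT
-A OUTPUT -p udp -o $ext_if --dport 636 -j ACCEPT
#
# ---------- Ende ldap ------------
# ------------- Newsserver nntp -------------
#
# Forward -- nur Anfragen nach draussen
#
-A FORWARD -p tcp --syn -o $ext_if --dport 119 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp --syn -o $ext_if --dport 119 -m state --state NEW -j ACCEPT
#
# ---------- Ende Newsserver nntp ------------
# ------------- Whois -------------
# nur ausgehende Anfragen und forward
#
#
-A OUTPUT -o $ext_if -p tcp --dport 43 -j ACCEPT
-A FORWARD -o $ext_if -p tcp --dport 43 -j ACCEPT
#
# ---------- Ende Whois ----------
# ------------- Chat -------------
# --- silc ---
#
# Forward und Anfragen nach draussen
#
-A FORWARD -p tcp --syn -o $ext_if --dport 706 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp --syn -o $ext_if --dport 706 -m state --state NEW -j ACCEPT
#
# --- irc ---
#
# forward und Anfragen nach draussen
#
-A FORWARD -p tcp --syn -o $ext_if --dport 194 -m state --state NEW -j ACCEPT
-A FORWARD -p udp -o $ext_if --dport 194 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp --syn -o $ext_if --dport 194 -m state --state NEW -j ACCEPT
-A OUTPUT -p udp -o $ext_if --dport 194 -m state --state NEW -j ACCEPT
#
# ---jabber ---
#
-A FORWARD -p tcp --syn -o $ext_if --dport 5222:5223 -m state --state NEW -j ACCEPT
#
# ---------- Ende chat ------------
# ------------- HBCI -------------
# hbci - port 3000/tcp
#
-A FORWARD -o $ext_if -p tcp --syn --dport 3000 -m state --state NEW -j ACCEPT
#
# ---------- Ende HBCI -----------
# ------------- Hylafax (Port 4559) -------------
# reingehende Verbindungen zum Hylafax-Server
#
-A INPUT -i $local_if_1 -p tcp --dport 4559 -m state --state NEW -j ACCEPT
-A INPUT -i $local_if_2 -p tcp --dport 4559 -m state --state NEW -j ACCEPT
#
# ---------- Ende Hylafax -----------
# ------------- CUPS -------------
# (cupssys printer system)
#
-A FORWARD -i $local_if_1 -p tcp --dport 631 -m state --state NEW -j ACCEPT
-A FORWARD -i $local_if_2 -p tcp --dport 631 -m state --state NEW -j ACCEPT
#
# ---------- Ende CUPS -----------
# ------------- Drucken Port 9100 -------------
#
-A FORWARD -i $local_if_1 -p tcp --dport 9100 -m state --state NEW -j ACCEPT
-A FORWARD -i $local_if_2 -p tcp --dport 9100 -m state --state NEW -j ACCEPT
#
# ---------- Ende Drucken Port 9100 -----------
# ---------- SNMP ----------
#
#-A FORWARD -i $local_if_1 -p tcp --dport 161 -m state --state NEW -j ACCEPT
#-A FORWARD -i $local_if_2 -p tcp --dport 161 -m state --state NEW -j ACCEPT
#
# ---------- SNMP ----------
# ------------- VOIP -------------
#
# SIP
#
# Standard:
# Port: 5060 / UDP (SIP-Signalisierung)
# Port: 5004 / UDP (RTP, Sprache)
# Port: 10000 UDP (STUN)
#
# X-Lite:
# Port 5060 / UDP
# Port 8000 - 8019 / UDP
# Port 10000 /UDP
# reingehende Anfragen
#
-A INPUT -p tcp --syn -i $ext_if --dport 5060 -j ACCEPT
-A INPUT -p udp -i $ext_if --dport 5060 -j ACCEPT
#
# ausgehende Anfragen
#
-A OUTPUT -p tcp --syn -o $ext_if --dport 5060 -j ACCEPT
-A OUTPUT -p udp -o $ext_if --dport 5060 -j ACCEPT
#
# Forward -- nur Anfragen nach draussen
# (the "-i $ext_if" rules also forward inbound SIP/RTP/STUN to any internal host)
#
-A FORWARD -p tcp --syn -o $ext_if --dport 5060 -j ACCEPT
-A FORWARD -p udp -o $ext_if --dport 5060 -j ACCEPT
-A FORWARD -p udp -i $ext_if --dport 5060 -j ACCEPT
-A FORWARD -p udp -o $ext_if --dport 5004 -j ACCEPT
-A FORWARD -p udp -i $ext_if --dport 5004 -j ACCEPT
-A FORWARD -p tcp --syn -o $ext_if --dport 10000 -j ACCEPT
-A FORWARD -p udp -o $ext_if --dport 10000 -j ACCEPT
-A FORWARD -p udp -i $ext_if --dport 10000 -j ACCEPT
-A FORWARD -p udp -o $ext_if --sport 8000:8019 -j ACCEPT
-A FORWARD -p udp -i $ext_if --sport 8000:8019 -j ACCEPT
-A FORWARD -p udp -o $ext_if --sport 32700:32799 -j ACCEPT
#
# SKIPE
#
# reingehende Anfragen
#
# NOTE(review): the two INPUT lines below were indistinguishable from
# commented-out lines in the source this was restored from; they are kept
# disabled because nothing on the gateway itself is documented to listen
# on 54196 (the Skype rules further down are FORWARD rules for LAN hosts).
# Re-enable them only if the gateway runs the client.
# -A INPUT -p tcp --syn -i $ext_if --dport 54196 -j ACCEPT
# -A INPUT -p udp -i $ext_if --dport 54196 -j ACCEPT
#
#
# ausgehende Anfragen
#
#
#
# Forward -- Anfragen von draussen
# (inbound from $ext_if to any internal host on these ports)
#
# -- Linux
-A FORWARD -p tcp --syn -i $ext_if --dport 34957 -j ACCEPT
-A FORWARD -p tcp --syn -o $ext_if --sport 34957 -j ACCEPT
-A FORWARD -p udp -i $ext_if --dport 34957 -j ACCEPT
-A FORWARD -p udp -o $ext_if --sport 34957 -j ACCEPT
# -- Windows --
-A FORWARD -p tcp --syn -i $ext_if --dport 54196 -j ACCEPT
-A FORWARD -p tcp --syn -o $ext_if --dport 54196 -j ACCEPT
-A FORWARD -p udp -i $ext_if --dport 54196 -j ACCEPT
-A FORWARD -p udp -o $ext_if --sport 54196 -j ACCEPT
#
# ---------- Ende VOIP ------------
# ------------- Traceroute -------------
#
-A OUTPUT -p udp --dport 33434:33530 -o $local_if_1 -j ACCEPT
-A INPUT -p udp --dport 33434:33530 -i $local_if_1 -j ACCEPT
-A FORWARD -p udp --dport 33434:33530 -o $ext_if -j ACCEPT
#
# -------- Ende Traceroute -------------
## -------- WakeOnLAN --------
#
-A OUTPUT -p udp -o $local_if_1 --dport 9 -j ACCEPT
-A OUTPUT -p udp -o $local_if_2 --dport 9 -j ACCEPT
#
## -------- Ende WakeOnLAN --------
# ------------ Ping ------------
#
-A INPUT -i $ext_if -p icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT -i $ext_if -p icmp --icmp-type time-exceeded -j ACCEPT
-A INPUT -i $ext_if -p icmp --icmp-type echo-reply -j ACCEPT
-A INPUT -i $ext_if -p icmp --icmp-type echo-request -j ACCEPT
#-A INPUT -i $ext_if -p icmp -j ACCEPT
# The next two rules accept everything from the local interfaces to the
# gateway (not only ICMP); they make most of the per-service INPUT rules
# for $local_if_1/$local_if_2 above redundant. The NETBIOS/CUPS DROPs were
# added earlier in the chain and therefore still apply.
-A INPUT -i $local_if_1 -j ACCEPT
-A INPUT -i $local_if_2 -j ACCEPT
#-A OUTPUT -o $ext_if -p icmp -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
#-A FORWARD -o $ext_if -p icmp -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
#
# ------- Ende Ping ------------
# ------------ Portforwarding -------------
#
# -
# -- VNC pcbuero1 ---
#
#-t nat -A PREROUTING -i $ext_if -p tcp --syn \
# --dport 80 -j DNAT --to 172.16.0.254:80
#-t filter -A FORWARD -p tcp --dport 5900 -d 192.168.4.101 \
# -i $ext_if -o $local_if_1 -j ACCEPT
#
# -- VNC pcbuero2 ---
#
#-t nat -A PREROUTING -i $ext_if -p tcp --syn \
# --dport 5902 -j DNAT --to 192.168.4.4:5900
#-t filter -A FORWARD -p tcp --dport 5900 -d 192.168.4.102 \
# -i $ext_if -o $local_if_1 -j ACCEPT
#
# ---------- Ende Portforwarding ----------
#
EOR

# ------------- Loggen -------------
#
# Log whatever reached the end of a chain before the final DROP below.
# NOTE(review): "-m limit --limit-burst 5" without "--limit" uses the limit
# match's default rate of 3/hour, so after the first 5 packets per chain
# only about three lines per hour get logged - probably less than intended;
# add an explicit "--limit" if more is wanted.
if $log_rejected || $log_all ; then
  #$ipt -A OUTPUT -j LOG --log-level debug
  #$ipt -A INPUT -j LOG --log-level debug
  #$ipt -A INPUT -j LOG --log-level debug
  "$ipt" -A OUTPUT -m limit --limit-burst 5 -j LOG --log-prefix "IPv4: Rejected: " --log-level debug
  "$ipt" -A INPUT -m limit --limit-burst 5 -j LOG --log-prefix "IPv4: Rejected: " --log-level debug
  "$ipt" -A FORWARD -m limit --limit-burst 5 -j LOG --log-prefix "IPv4: Rejected: " --log-level debug
fi
#
# ---------- Ende: Loggen ----------

# ------------- DROP -------------
# drop all other for all interfaces..
# (the chain policies stay ACCEPT so that "stop" leaves the host open; the
# actual default-deny is these three rules)
#
"$ipt" -A INPUT -j DROP
"$ipt" -A OUTPUT -j DROP
"$ipt" -A FORWARD -j DROP
#
# ---------- Ende: DROP ----------

exit 0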