#!/bin/sh
### BEGIN INIT INFO
# Provides: ipt-firewall
# Required-Start: $local_fs $remote_fs $syslog $network
# Required-Stop: $local_fs $remote_fs $syslog $network
# Should-Start:
# Should-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: IPv4 Firewall
### END INIT INFO

## - IPv4 firewall init script for a NAT gateway with two internal segments
## - (wired LAN, WLAN), a link to the VDSL modem, a ppp uplink and a VPN
## - tunnel device. Settings first, rules further down. "stop" flushes all
## - chains and leaves the chain policies at ACCEPT.

## - iptables binary (absolute path: an init script must not rely on PATH)
ipt="/sbin/iptables"

## - interfaces
## - A trailing "+" is an iptables prefix wildcard: "eth1+" matches every
## - interface whose name starts with eth1, i.e. eth10, eth11, ... as well.
local_if_1="eth1+"     # wired LAN
wlan_if="eth2+"        # WLAN segment
vdsl_if="eth0"         # link to the VDSL modem
ext_if="ppp+"          # uplink (ppp)
#ext_if="eth0"
vpn_if="tun+"          # VPN tunnel devices

## - hosts
vdsl_modem_ip="192.168.16.250"           # management address of the modem
drucker_brother_5890_ip="192.168.52.179" # Brother 5890 printer
usv_ip="192.168.52.15/32"                # UPS (APC PowerChute)

## - unprivileged (ephemeral) port range
unprivports="1024:65535"

## - address ranges that must never show up on the uplink
loopback="127.0.0.0/8"
priv_class_a="10.0.0.0/8"
priv_class_b="172.16.0.0/12"
priv_class_c="192.168.0.0/16"
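## - Connection-tracking / NAT helper modules (FTP needs the helper so that
## - data connections show up as RELATED).
## - ip_conntrack* / ip_nat_ftp are the legacy module names; newer kernels
## - call them nf_conntrack* / nf_nat_ftp. Every name is tried and failures
## - are ignored (built in, already loaded, or absent), so the script works
## - on either generation instead of silently loading nothing.
for mod in ip_conntrack ip_nat_ftp ip_conntrack_ftp iptable_nat \
           nf_conntrack nf_conntrack_ftp nf_nat_ftp; do
  modprobe "$mod" > /dev/null 2>&1
done

## - Enable IP forwarding (this box is the gateway) and dynamic-address
## - handling for dial-up style links such as ppp.
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 5 > /proc/sys/net/ipv4/ip_dynaddr

## - Reduce DoS exposure by shortening timeouts and bounding the SYN backlog.
## - tcp_sack=0 is kept as the author set it; note that disabling SACK
## - costs throughput on lossy links.
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 1 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack
echo 1280 > /proc/sys/net/ipv4/tcp_max_syn_backlog

## - SYN cookies: keep accepting connections when the SYN backlog overflows.
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

## - Ignore bogus ICMP error responses.
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

## - Ignore broadcast pings (smurf-style amplification).
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

## - NO SOURCE ROUTE: refuse source-routed packets on every conf/* entry.
## - The glob includes conf/default, so interfaces created later (ppp+,
## - tun+) inherit the setting.
for asr in /proc/sys/net/ipv4/conf/*/accept_source_route; do
  echo 0 > "$asr"
done

## - Do not accept ICMP redirects: they can rewrite the routing table,
## - possibly with malicious intent. Per ip-sysctl, with forwarding enabled
## - a redirect is honoured only if both all/ and the per-interface flag are
## - set, so clearing all/ is sufficient here.
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects

## - ANTISPOOFING: reverse-path filtering rejects packets whose source
## - address is not routed via the interface they arrived on. It has to be
## - set on every net/ipv4/conf/* entry, otherwise source validation is not
## - fully effective.
for rp_filter in /proc/sys/net/ipv4/conf/*/rp_filter; do
  echo 1 > "$rp_filter"
done

## - NUMBER OF CONNECTIONS TO TRACK
## - The sysctl is net/netfilter/nf_conntrack_max on current kernels and
## - net/ipv4/netfilter/ip_conntrack_max on legacy ones. Write the first one
## - this kernel exposes; warn when neither exists instead of leaving the
## - conntrack table at its default without notice.
ct_max_set=0
for ct_max in /proc/sys/net/netfilter/nf_conntrack_max \
              /proc/sys/net/ipv4/netfilter/ip_conntrack_max; do
  if [ -w "$ct_max" ]; then
    echo "65535" > "$ct_max"
    ct_max_set=1
    break
  fi
done
[ "$ct_max_set" -eq 1 ] || echo "warning: conntrack limit sysctl not found (nf_conntrack_max / ip_conntrack_max), limit not set" >&2

## - Log spoofed, source-routed and redirected packets ("martians").
## - Disabled; enable when investigating spoofing on the uplink.
#echo "1" > /proc/sys/net/ipv4/conf/all/log_martians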
## - Reset the packet filter to a known state: chain policies, flush every
## - chain (filter, mangle, nat), delete user-defined chains, zero counters,
## - then re-add the masquerading and MSS clamping that both "start" and
## - "stop" need. Each here-document line beginning with "-" is passed to
## - iptables verbatim (unquoted on purpose: the line is the argument list);
## - comment and blank lines are skipped. The delimiter is unquoted, so
## - $ext_if is expanded inside the here-document.
while read rule; do
  if [ "${rule#-}" != "$rule" ]; then
    $ipt $rule
  fi
done << EOR
## - default policies
## -
-P INPUT ACCEPT
-P OUTPUT ACCEPT
#-P FORWARD DROP
-P FORWARD ACCEPT

## - flush chains
## -
-F
-F INPUT
-F OUTPUT
-F FORWARD
-F -t mangle
-F -t nat
-X
-Z

-t nat -A POSTROUTING -o $ext_if -j MASQUERADE
#-t nat -A POSTROUTING -o eth0 -j MASQUERADE
#-t nat -A POSTROUTING -o $wlan_if -j MASQUERADE
-I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

EOR
## - owncloud on the local network (192.168.43.10)
## - Forward anything from WLAN and LAN to the owncloud host, and publish
## - it as port 8443 via DNAT to its HTTPS port. The DNAT rule carries no
## - "-i", so it applies to every interface, not only the uplink. These
## - rules are added before the "stop" check, i.e. they survive a "stop".
for src_if in "$wlan_if" "$local_if_1"; do
  $ipt -A FORWARD -i "$src_if" -p all -d 192.168.43.10 -j ACCEPT
done
$ipt -t nat -A PREROUTING -p tcp --syn --dport 8443 -j DNAT --to 192.168.43.10:443
$ipt -t filter -A FORWARD -p tcp --dport 443 -d 192.168.43.10 -o "$local_if_1" -j ACCEPT
## -
## - End: owncloud on the local network
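## - Protection against syn-flooding
## - (rate-limiting chain; currently disabled, kept for reference)
#$ipt -N syn-flood
#$ipt -A syn-flood -m limit --limit 100/second --limit-burst 150 -j RETURN
#$ipt -A syn-flood -m limit --limit 1/second --limit-burst 3 -j RETURN
#$ipt -A syn-flood -j LOG --log-prefix "SYN flood: " --log-level debug
#$ipt -A syn-flood -j DROP

## - Drop TCP packets that would open a NEW connection without SYN (stray
## - mid-stream segments, probes). The LOG variants are kept commented out
## - for debugging; if enabled they must stay in front of the DROP rules.
#$ipt -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New but not SYN: " --log-level debug
#$ipt -A OUTPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New but not SYN: " --log-level debug
#$ipt -A FORWARD -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New but not SYN: " --log-level debug

$ipt -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
$ipt -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP
$ipt -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP

## - drop packets in conntrack state INVALID (disabled)
#$ipt -A INPUT -m state --state INVALID -j LOG --log-prefix "Invalid state: " --log-level debug
#$ipt -A INPUT -m state --state INVALID -j DROP

## - Drop impossible TCP flag combinations (ACK+RST+SYN+FIN, SYN+FIN,
## - SYN+RST).
## - These rules were bound to the literal interface "eth0", which is the
## - modem link ($vdsl_if); the uplink is $ext_if ("ppp+"). The commented
## - ext_if="eth0" at the top shows where the literal came from. The rules
## - are applied to eth0 as before AND to $ext_if, so the check now covers
## - the Internet-facing interface.
#$ipt -A INPUT -i eth0 -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j LOG --log-prefix "Invalid flasg: " --log-level debug
#$ipt -A INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "Invalid flasg: " --log-level debug
#$ipt -A INPUT -i eth0 -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "Invalid flasg: " --log-level debug

for flag_if in eth0 "$ext_if"; do
  $ipt -A INPUT -i "$flag_if" -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
  $ipt -A INPUT -i "$flag_if" -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
  $ipt -A INPUT -i "$flag_if" -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
done

## - Drop private and loopback source addresses on the uplink (packet-level
## - anti-spoofing, complementing rp_filter). LOG variants disabled.
## - Inbound 192.168.0.0/16 and 127.0.0.0/8 are NOT dropped here (rules
## - commented out) — presumably deliberate, verify against the uplink's
## - addressing.
#$ipt -A INPUT -i $ext_if -s $priv_class_a -j LOG --log-prefix "Private address: " --log-level debug
#$ipt -A INPUT -i $ext_if -s $priv_class_b -j LOG --log-prefix "Private address: " --log-level debug
#$ipt -A INPUT -i $ext_if -s $priv_class_c -j LOG --log-prefix "Private address: " --log-level debug
#$ipt -A INPUT -i $ext_if -s $loopback -j LOG --log-prefix "Private address: " --log-level debug

#$ipt -A OUTPUT -o $ext_if -s $priv_class_a -j LOG --log-prefix "Private address: " --log-level debug
#$ipt -A OUTPUT -o $ext_if -s $priv_class_b -j LOG --log-prefix "Private address: " --log-level debug
#$ipt -A OUTPUT -o $ext_if -s $priv_class_c -j LOG --log-prefix "Private address: " --log-level debug
#$ipt -A OUTPUT -o $ext_if -s $loopback -j LOG --log-prefix "Private address: " --log-level debug

$ipt -A INPUT -i $ext_if -s $priv_class_a -j DROP
$ipt -A INPUT -i $ext_if -s $priv_class_b -j DROP
#$ipt -A INPUT -i $ext_if -s $priv_class_c -j DROP
#$ipt -A INPUT -i $ext_if -s $loopback -j DROP

$ipt -A OUTPUT -o $ext_if -s $priv_class_a -j DROP
$ipt -A OUTPUT -o $ext_if -s $priv_class_b -j DROP
#$ipt -A OUTPUT -o $ext_if -s $priv_class_c -j DROP
$ipt -A OUTPUT -o $ext_if -s $loopback -j DROP

# - Telekom VDSL - rules for IPTV multicast (disabled)
# -
#$ipt -I FORWARD -s 217.0.119.0/24 -d 224.0.0.0/4 -j ACCEPT
#$ipt -I FORWARD -s 193.158.35.0/24 -d 224.0.0.0/4 -j ACCEPT
#$ipt -I FORWARD -s 239.35.0.0/16 -d 224.0.0.0/4 -j ACCEPT
#$ipt -I INPUT -d 224.0.0.0/4 -j ACCEPT
#$ipt -I FORWARD -d 224.0.0.0/4 -j ACCEPT

#$ipt -I OUTPUT -d 224.0.0.0/4 -j ACCEPT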
## - "stop": everything the stop path needs has already happened above
## - (policies ACCEPT, all chains flushed, masquerading and MSS clamping
## - re-added), so leave now. Be aware what "stopped" means here: no
## - filtering at all while ip_forward=1 and the NAT rules stay active —
## - the box is an open router until "start" runs again. Any argument that
## - begins with "sto" counts as stop.
case "${1:-}" in
  sto*)
    exit 0
    ;;
esac

echo "Starting firewall iptables (IpV4).."
## - Main rule set ("start" path).
## -
## - Loading mechanism: every here-document line that starts with "-" is
## - handed to iptables as-is ($r is unquoted on purpose — the line IS the
## - argument list); comment and blank lines fall through the case and are
## - ignored. iptables is first-match, so the order of the rules below is
## - significant.
## -
## - "read" is used WITHOUT -r on purpose: a trailing backslash joins the
## - following line, which is how the two-line DNAT/FORWARD rules in the
## - port-forwarding section are assembled. Switching to "read -r" would
## - break those rules.
## -
## - The delimiter EOR is unquoted, so the here-document is parameter-
## - expanded ($ext_if, $local_if_1, ... are substituted). Anything of the
## - form $(...) or `...` inside a rule or a comment line would be executed
## - by the shell — keep such text out of the here-document.
## -
## - Policy model: the chain policies are ACCEPT (set further up); default
## - deny comes only from the final "-A INPUT/OUTPUT/FORWARD -j DROP" rules
## - at the very end of the list. Until those are appended the host and the
## - forwarded networks are open, i.e. the load is fail-open (also if it
## - aborts half-way).
## -
## - NOTE(review): points worth confirming, none of them changed here:
## -  * "-A OUTPUT -p tcp --sport $unprivports -o $ext_if ... NEW -j ACCEPT"
## -    (the "ftp-tls ?" rule) accepts every new outbound TCP connection of
## -    the gateway whose source port is unprivileged — practically all of
## -    them — so the per-service OUTPUT rules are largely redundant. With
## -    the FTP conntrack helper loaded, passive FTP data connections are
## -    RELATED and already covered by the state rule.
## -  * The DNAT rules for ports 9997/9998 target 192.168.52.25:22 while the
## -    paired FORWARD rules name 192.168.52.35. Traffic still passes via the
## -    generic "-A FORWARD -o $local_if_1 ... --dport 22 ... ACCEPT" rule,
## -    but the pairing looks like a copy-paste slip — confirm the host.
## -  * The PowerChute rules hard-code 192.168.52.15 although $usv_ip exists.
## -  * SSH (22) and SIP (5060) on $ext_if are accepted without a rate limit
## -    (e.g. "-m recent" / "-m hashlimit"); all ICMP types from $ext_if are
## -    accepted as well.
while read r; do
case $r in
-*) $ipt $r;;
esac
done << EOR

# ---------- Allnet VDSL2 Client Modem ALL126AS2 -------------
#
# make Allnet VDSL Modem available on LAN
# ip-adress: 192.168.16.250
#
# prerequisites:
# - on gateway: ifconfig eth1 192.168.16.254
# - NAT for 192.168.16.0/24
#
-t nat -A POSTROUTING -o $vdsl_if -j MASQUERADE
#
# -- Allow from local Network
-A FORWARD -i $local_if_1 -d $vdsl_modem_ip -p ALL -m state --state NEW -j ACCEPT
#
# -- Allow from VPN
-A FORWARD -i $vpn_if -d $vdsl_modem_ip -p ALL -m state --state NEW -j ACCEPT
#
# ------- Ende: Allnet VDSL2 Client Modem ALL126AS2 ----------


# ----------
# --- SSH (SVN) von php5.warenform.de -- #
#-A FORWARD -i eth1 -o eth2 -s 46.4.129.3 -d 192.168.52.35 -j ACCEPT
#-A FORWARD -i eth2 -o eth1 -s 192.168.52.35 -j ACCEPT


# --- SSH (SVN) vom "junge welt" Server --- #
#-A FORWARD -i eth1 -o eth2 -s 193.96.188.0/24 -d 192.168.52.35 -j ACCEPT
#-A FORWARD -i eth2 -o eth1 -s 192.168.52.35 -j ACCEPT


# --- SSH (SVN) von nd.warenform.de --- #
#-A FORWARD -i eth1 -o eth2 -s 46.4.78.56 -d 192.168.52.35 -j ACCEPT
#-A FORWARD -i eth2 -o eth1 -s 192.168.52.35 -j ACCEPT


# ------------- das loopbackdevice -------------
# alles erlaubt
#
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
#
# ---------- Ende: das loopbackdevice ----------



# ---------- alle Anfragen aus dem internen WLAN-Netz nach draussen -------------
#
-A FORWARD -i $wlan_if -o $ext_if -p ALL -m state --state NEW -j ACCEPT
-A FORWARD -i $local_if_1 -o $ext_if -p all -m state --state NEW -j ACCEPT
#
# ---------- Ende: alle Anfragen aus den internen Netzen nach draussen ----------



# ------------- Drucker Brother 5890 -------------
#
#
# ------------- Ende: Drucker Brother 5890 -------------


# ------------- zwischen lokalen Netzen -------------
#
# Zugriff vom localen Netz ins WLAN-Netz erlauben
-A FORWARD -i $local_if_1 -o $wlan_if -p ALL -m state --state NEW -j ACCEPT
#
#
# Zugriff vom WLAN-Netz auf Drucker erlauben
-A FORWARD -i $wlan_if -o $local_if_1 -d $drucker_brother_5890_ip -j ACCEPT
#
# Zugriff vom WLAN-Netz ins locale Netz verbieten
-A FORWARD -i $wlan_if -o $local_if_1 -p ALL -m state --state NEW -j DROP
#
# - needed because sometimes i add temporarily other networks to tha interface
#
-A FORWARD -i $local_if_1 -o $local_if_1 -p ALL -m state --state NEW -j ACCEPT
#
# vollen Zugriff vom router ins WLAN-Netz
-A OUTPUT -o $wlan_if -j ACCEPT
#
# ---------- Ende: zwischen lokalen Netzen ----------


# ------------- betsehende Verbindungen -------------
# bereits bestehende Verbindungen durchlassen
#
# -- rein --
#
-A INPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# -- raus --
#
-A OUTPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# foreward
#
-A FORWARD -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# ---------- Ende betsehende Verbindungen -----------



# ------------- grundsaetzlich ablehnen -------------
# neue Anfragen ohne das syn-Flag
#
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
-A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP
-A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
#
# reinlaufenden windows kram
#
-A INPUT -p udp -i $ext_if --dport 137:139 -j DROP
-A INPUT -p tcp -i $ext_if --dport 137:139 -j DROP
-A INPUT -p tcp -i $ext_if --dport 445 -j DROP
#
-A INPUT -p udp -i $local_if_1 --dport 137:139 -j DROP
-A INPUT -p tcp -i $local_if_1 --dport 137:139 -j DROP
-A INPUT -p tcp -i $local_if_1 --dport 445 -j DROP
#
-A INPUT -p udp -i $wlan_if --dport 137:139 -j DROP
-A INPUT -p tcp -i $wlan_if --dport 137:139 -j DROP
-A INPUT -p tcp -i $wlan_if --dport 445 -j DROP
#
# authentication tap ident
#
-A INPUT -p tcp -i $ext_if --dport 113 -j REJECT --reject-with tcp-reset
#
#
# Location Service
#
-A INPUT -p tcp -i $ext_if --dport 135 -j DROP
-A INPUT -p udp -i $ext_if --dport 135 -j DROP
#
# ---------- Ende: grundsaetzlich ablehnen -------------



#############################################################
# ----------------- Konfiguration VPN ------------------ #

# -- initial via internet
#
-A INPUT -p udp -i $ext_if --dport 1194 -m state --state NEW -j ACCEPT
-A INPUT -p udp -i $ext_if --dport 1195 -m state --state NEW -j ACCEPT
#
# -- initial via lan1
-A INPUT -p udp -i $local_if_1 --dport 1194 -m state --state NEW -j ACCEPT
#
# -- initial via lan2
-A INPUT -p udp -i $wlan_if --dport 1194 -m state --state NEW -j ACCEPT
#
# ausgehende Anfragen
#
-A OUTPUT -o $ext_if -p udp --dport 1194 -m state --state NEW -j ACCEPT
#
# forward
#
-A FORWARD -o $ext_if -p udp --dport 1194 -m state --state NEW -j ACCEPT
#
# -- alles via vpn device zulassen/durchrouten
#
-A INPUT -i $vpn_if -j ACCEPT
-A OUTPUT -o $vpn_if -j ACCEPT
-A FORWARD -i $vpn_if -j ACCEPT
-A FORWARD -o $vpn_if -j ACCEPT

# ------------ Ende Konfiguration VPN -------------------- #
#############################################################


# ------------- PowerChute Shutdown APC -------------
#
-A INPUT -p ALL -i $local_if_1 -s 192.168.52.15 -j ACCEPT
-A OUTPUT -p ALL -o $local_if_1 -d 192.168.52.15 -j ACCEPT
#
#-A INPUT -i $local_if_1 -p tcp --dport 3052 -m state --state NEW -j ACCEPT
#-A INPUT -i $local_if_1 -p udp --dport 3052 -m state --state NEW -j ACCEPT
#-A INPUT -i $local_if_1 -p tcp --dport 6547 -m state --state NEW -j ACCEPT
#
-A OUTPUT -o $local_if_1 -p tcp --dport 80 -m state --state NEW -j ACCEPT
#
#
# ---------- Ende PowerChute Shutdown APC -----------


# ------------- DNS -------------
#
# nameserver
#
# -- rein --
#
-A INPUT -i $local_if_1 -p udp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -i $local_if_1 -p tcp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -i $wlan_if -p udp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -i $wlan_if -p tcp --dport 53 -m state --state NEW -j ACCEPT
#
# -- raus --
#
-A OUTPUT -o $ext_if -p udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -o $ext_if -p tcp --dport 53 -m state --state NEW -j ACCEPT
#
# -- forward --
#
-A FORWARD -o $ext_if -p udp --dport 53 -m state --state NEW -j ACCEPT
-A FORWARD -o $ext_if -p tcp --dport 53 -m state --state NEW -j ACCEPT
#
# ---------- Ende DNS -----------


# ------------- SSH -------------
# reingehende Anfragen
#
-A INPUT -i $ext_if -p tcp --syn --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i $local_if_1 -p tcp --syn --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i $wlan_if -p tcp --syn --dport 22 -m state --state NEW -j ACCEPT
#
# ausgehende Anfragen
#
-A OUTPUT -o $ext_if -p tcp --syn --dport 22 -m state --state NEW -j ACCEPT
-A OUTPUT -o $local_if_1 -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A OUTPUT -o $wlan_if -p tcp --dport 22 -m state --state NEW -j ACCEPT
#
-A FORWARD -o $ext_if -p tcp --syn --dport 22 -m state --state NEW -j ACCEPT
-A FORWARD -o $local_if_1 -p tcp --syn --dport 22 -m state --state NEW -j ACCEPT
-A FORWARD -o $wlan_if -p tcp --syn --dport 22 -m state --state NEW -j ACCEPT
#
# ---------- Ende SSH ------------


# ------------- DHCP -------------
# reingehende Anfragen
#
-A INPUT -p udp -i $local_if_1 -s 0/0 --sport 68 -d 255.255.255.255 --dport 67 -j ACCEPT
-A INPUT -p udp -i $wlan_if -s 0/0 --sport 68 -d 255.255.255.255 --dport 67 -j ACCEPT
#
# ausgehende Anfragen
#
-A OUTPUT -p udp -o $local_if_1 --sport 67 -d 0/0 --dport 68 -j ACCEPT
-A OUTPUT -p udp -o $wlan_if --sport 67 -d 0/0 --dport 68 -j ACCEPT
#
# ---------- Ende DHCP ------------


# ------------- MAIL -------------
# rausgehende SMTP-Verbindungen akzeptieren
#
-A OUTPUT -p tcp -o $ext_if --dport 25 -m state --state NEW -j ACCEPT
#
# ansonsten nur forward
#
# smtp
-A FORWARD -p tcp --syn -o $ext_if --dport 25 -m state --state NEW -j ACCEPT
-A FORWARD -p tcp --syn -o $ext_if --dport 587 -m state --state NEW -j ACCEPT
#
# smtps
-A FORWARD -p tcp --syn -o $ext_if --dport 465 -m state --state NEW -j ACCEPT
#
# pop
-A FORWARD -p tcp --syn -o $ext_if --dport 110 -m state --state NEW -j ACCEPT
#
# pop/ssl
-A FORWARD -p tcp --syn -o $ext_if --dport 995 -m state --state NEW -j ACCEPT
#
# imap
-A FORWARD -p tcp --syn -o $ext_if --dport 143 -m state --state NEW -j ACCEPT
#
# imap/ssl
-A FORWARD -p tcp --syn -o $ext_if --dport 993 -m state --state NEW -j ACCEPT
#
# ---------- Ende MAIL -----------


# ------------- HTTP -------------
# rausgehende Verbindungen vom Gateway akzeptieren
# ( update clamav/freshclam, dyndns )
#
-A OUTPUT -p tcp --syn -o $ext_if --dport 80 -m state --state NEW -j ACCEPT
#
# ansonsten nur forward
#
-A FORWARD -p tcp --syn -o $ext_if --dport 80 -m state --state NEW -j ACCEPT
-A FORWARD -p tcp --syn -o $ext_if --dport 443 -m state --state NEW -j ACCEPT
#
-A FORWARD -p tcp --syn -o $ext_if --dport 8000:8180 -m state --state NEW -j ACCEPT
-A FORWARD -p tcp --syn -o $ext_if --dport 8443 -m state --state NEW -j ACCEPT
#
# ---------- Ende HTTP -----------


# ------------- FTP -------------
#
# ftp ( lokaler Client remote ftp-Server )
#
# (Datenkanal aktiv)
-A INPUT -i $ext_if -p tcp --sport 20 -m state --state NEW -j ACCEPT
-A FORWARD -i $ext_if -p tcp --sport 20 -m state --state NEW -j ACCEPT
#
# (Datenkanal passiv)
-A OUTPUT -o $ext_if -p tcp --sport $unprivports --dport $unprivports -m state --state NEW -j ACCEPT
-A FORWARD -o $ext_if -p tcp --sport $unprivports --dport $unprivports -m state --state NEW -j ACCEPT
#
# (Kontrollverbindung)
-A OUTPUT -o $ext_if -p tcp --dport 21 -m state --state NEW -j ACCEPT
-A FORWARD -o $ext_if -p tcp --dport 21 -m state --state NEW -j ACCEPT
#
# ftp (Server)
#
# Datenkanal (aktiver modus)
#-A OUTPUT -o $ext_if -p tcp --sport 20 -m state --state NEW -j ACCEPT
#
# Datenkanal (passiver modus)
#-A INPUT -i $ext_if -p tcp --dport $unprivports --sport $unprivports -m state --state NEW -j ACCEPT
#
# - Kontrollverbindung
#-A INPUT -i $ext_if -p tcp --dport 21 --sport $unprivports -m state --state NEW -j ACCEPT
#
# ftp-tls ? ( keine Ahnung warum )
#
-A OUTPUT -p tcp --sport $unprivports -o $ext_if -m state --state NEW -j ACCEPT
-A FORWARD -p tcp --sport $unprivports -i $ext_if -o $ext_if -m state --state NEW -j ACCEPT
#
# ---------- Ende FTP -----------



# ------------- NTP -------------
# (network time protokoll)
#
# rein
#
-A INPUT -i $local_if_1 -p udp --sport 123 -m state --state NEW -j ACCEPT
-A INPUT -i $wlan_if -p udp --sport 123 -m state --state NEW -j ACCEPT
#
# raus
#
-A OUTPUT -o $ext_if -p udp --dport 123 -m state --state NEW -j ACCEPT
#
# forward
#
-A FORWARD -o $ext_if -p udp --dport 123 -m state --state NEW -j ACCEPT
#
# ---------- Ende NTP -----------


# ------------- pgpkeyserver -------------
#
#
-A OUTPUT -p tcp -o $ext_if --dport 11371 -m state --state NEW -j ACCEPT
-A FORWARD -p tcp -o $ext_if --dport 11371 -m state --state NEW -j ACCEPT
#
# ---------- Ende pgpkeyserver ------------



# ------------- ldap / (z.Bsp. einige pgpkeyserver) -------------
#
# Forward -- nur Anfragen nach draussen
#
-A FORWARD -p tcp --syn -o $ext_if --dport 389 -m state --state NEW -j ACCEPT
-A FORWARD -p udp -o $ext_if --dport 389 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp --syn -o $ext_if --dport 389 -m state --state NEW -j ACCEPT
-A OUTPUT -p udp -o $ext_if --dport 389 -m state --state NEW -j ACCEPT
#
# ldaps LDAP over SSL
#
-A FORWARD -p tcp --syn -o $ext_if --dport 636 -m state --state NEW -j ACCEPT
-A FORWARD -p udp -o $ext_if --dport 636 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp --syn -o $ext_if --dport 636 -m state --state NEW -j ACCEPT
-A OUTPUT -p udp -o $ext_if --dport 636 -m state --state NEW -j ACCEPT
#
# ---------- Ende ldap ------------



# ------------- Newsserver nntp -------------
#
# Forward -- nur Anfragen nach draussen
#
-A FORWARD -p tcp --syn -o $ext_if --dport 119 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp --syn -o $ext_if --dport 119 -m state --state NEW -j ACCEPT
#
# ---------- Ende Newsserver nntp ------------


# ------------- Whois -------------
# nur ausgehende Anfragen und forward
#
#
-A OUTPUT -o $ext_if -p tcp --dport 43 -m state --state NEW -j ACCEPT
-A FORWARD -o $ext_if -p tcp --dport 43 -m state --state NEW -j ACCEPT
#
# ---------- Ende Whois -----------


# ------------- CPAN Wait - Server -------------
# nur ausgehende Anfragen und forward
#
#
-A OUTPUT -o $ext_if -p tcp --dport 1404 -m state --state NEW -j ACCEPT
-A FORWARD -o $ext_if -p tcp --dport 1404 -m state --state NEW -j ACCEPT
#
# ---------- CPAN Wait - Server -----------


# ------------- CVS -------------
# nur ausgehende Anfragen und forward
#
-A OUTPUT -o $ext_if -p udp --dport 2401 -m state --state NEW -j ACCEPT
-A FORWARD -o $ext_if -p udp --dport 2401 -m state --state NEW -j ACCEPT
-A FORWARD -i $ext_if -p udp --dport 2401 -m state --state NEW -j ACCEPT
#
# und weils auch manchmal übers tcp-Prozokoll geht
#
-A OUTPUT -o $ext_if -p tcp --dport 2401 -m state --state NEW -j ACCEPT
-A FORWARD -o $ext_if -p tcp --dport 2401 -m state --state NEW -j ACCEPT
-A FORWARD -i $ext_if -p tcp --dport 2401 -m state --state NEW -j ACCEPT
#
# ---------- Ende CVS -----------



# ------------- ICP (icpcon raid-control util) -------------
#
# reingehende Anfragen
#
#-A INPUT -p tcp --syn -i $ext_if --dport 11798 -m state --state NEW -j ACCEPT
#
# rausgehende Anfragen
#
#-A OUTPUT -p tcp -o $ext_if --dport 11798 -m state --state NEW -j ACCEPT
#-A FORWARD -p tcp -o $ext_if --dport 11798 -m state --state NEW -j ACCEPT
#
# ---------- ENDE: ICP (icpcon raid-control util) ----------




# ------------- Chat -------------
# --- silc ---
#
# Forward und Anfragen nach draussen
#
-A FORWARD -p tcp --syn -o $ext_if --dport 706 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp --syn -o $ext_if --dport 706 -m state --state NEW -j ACCEPT
#
# --- irc ---
#
# forward und Anfragen nach draussen
#
-A FORWARD -p tcp --syn -o $ext_if --dport 194 -m state --state NEW -j ACCEPT
-A FORWARD -p udp -o $ext_if --dport 194 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp --syn -o $ext_if --dport 194 -m state --state NEW -j ACCEPT
-A OUTPUT -p udp -o $ext_if --dport 194 -m state --state NEW -j ACCEPT
#
# --- jabber ---
#
-A FORWARD -p tcp --syn -o $ext_if --dport 5222 -m state --state NEW -j ACCEPT
-A FORWARD -p tcp --syn -o $ext_if --dport 5223 -m state --state NEW -j ACCEPT

#
# ---------- Ende chat ------------


# ------------- HBCI -------------
# hbci - port 3000/tcp
#
-A FORWARD -o $ext_if -p tcp --syn --dport 3000 -m state --state NEW -j ACCEPT
#
# ---------- Ende HBCI -----------


# ------------- Hylafax (Port 4559) -------------
# reingehende Verbindungen zum Hylafax-Server
#
-A INPUT -i $local_if_1 -p tcp --dport 4559 -m state --state NEW -j ACCEPT
-A INPUT -i $wlan_if -p tcp --dport 4559 -m state --state NEW -j ACCEPT
#
# ---------- Ende Hylafax -----------


# ------------- CUPS -------------
# (cupssys printer system)
#
-A FORWARD -i $local_if_1 -p tcp --dport 631 -m state --state NEW -j ACCEPT
-A FORWARD -i $wlan_if -p tcp --dport 631 -m state --state NEW -j ACCEPT
#
# ---------- Ende CUPS -----------


# ------------- Drucken Port 9100 -------------
#
-A FORWARD -i $local_if_1 -p tcp --dport 9100 -m state --state NEW -j ACCEPT
-A FORWARD -i $wlan_if -p tcp --dport 9100 -m state --state NEW -j ACCEPT
#
# ---------- Ende Drucken Port 9100 -----------


# ---------- SNMP ----------
#
#-A FORWARD -i $local_if_1 -p tcp --dport 161 -m state --state NEW -j ACCEPT
#-A FORWARD -i $wlan_if -p tcp --dport 161 -m state --state NEW -j ACCEPT
#
# ---------- SNMP ----------


# ------------- VOIP -------------
#
# SIP
#
# Standard:
# Port: 5060 / UDP (SIP-Signalisierung)
# Port: 5004 / UDP (RTP, Sprache)
# Port: 10000 UDP (STUN)
#
# X-Lite:
# Port 5060 / UDP
# Port 8000 - 8019 / UDP
# Port 10000 /UDP

# reingehende Anfragen
#
-A INPUT -p tcp --syn -i $ext_if --dport 5060 -j ACCEPT
-A INPUT -p udp -i $ext_if --dport 5060 -j ACCEPT
#
# ausgehende Anfragen
#
-A OUTPUT -p tcp --syn -o $ext_if --dport 5060 -j ACCEPT
-A OUTPUT -p udp -o $ext_if --dport 5060 -j ACCEPT
#
# Forward -- nur Anfragen nach draussen
#
-A FORWARD -p tcp --syn -o $ext_if --dport 5060 -j ACCEPT
-A FORWARD -p udp -o $ext_if --dport 5060 -j ACCEPT
-A FORWARD -p udp -i $ext_if --dport 5060 -j ACCEPT
-A FORWARD -p udp -o $ext_if --dport 5004 -j ACCEPT
-A FORWARD -p udp -i $ext_if --dport 5004 -j ACCEPT
-A FORWARD -p tcp --syn -o $ext_if --dport 10000 -j ACCEPT
-A FORWARD -p udp -o $ext_if --dport 10000 -j ACCEPT
-A FORWARD -p udp -i $ext_if --dport 10000 -j ACCEPT
-A FORWARD -p udp -o $ext_if --sport 8000:8019 -j ACCEPT
-A FORWARD -p udp -i $ext_if --sport 8000:8019 -j ACCEPT
-A FORWARD -p udp -o $ext_if --sport 32700:32799 -j ACCEPT
#
# Skype
#
# reingehende Anfragen
#
# -A INPUT -p tcp --syn -i $ext_if --dport 54196 -j ACCEPT
# -A INPUT -p udp -i $ext_if --dport 54196 -j ACCEPT
#
# ausgehende Anfragen
#
#
# Forward -- Anfragen von draussen
#
# -- Linux
-A FORWARD -p tcp --syn -i $ext_if --dport 34957 -j ACCEPT
-A FORWARD -p tcp --syn -o $ext_if --sport 34957 -j ACCEPT
-A FORWARD -p udp -i $ext_if --dport 34957 -j ACCEPT
-A FORWARD -p udp -o $ext_if --sport 34957 -j ACCEPT


# -- Windows --
-A FORWARD -p tcp --syn -i $ext_if --dport 54196 -j ACCEPT
-A FORWARD -p tcp --syn -o $ext_if --dport 54196 -j ACCEPT
-A FORWARD -p udp -i $ext_if --dport 54196 -j ACCEPT
-A FORWARD -p udp -o $ext_if --sport 54196 -j ACCEPT
#
# ---------- Ende VOIP ------------



# ------------- Traceroute -------------
#
# rein
-A OUTPUT -p udp --dport 33434:33530 -o $local_if_1 -j ACCEPT
-A OUTPUT -p udp --dport 33434:33530 -o $wlan_if -j ACCEPT
-A OUTPUT -p udp --dport 33434:33530 -o $ext_if -j ACCEPT
#
# raus
-A INPUT -p udp --dport 33434:33530 -i $local_if_1 -j ACCEPT
-A INPUT -p udp --dport 33434:33530 -i $wlan_if -j ACCEPT
# forward
-A FORWARD -p udp --dport 33434:33530 -o $ext_if -j ACCEPT
#
# -------- Ende Traceroute -------------


# ------------ ICMP (u.a. Ping) ------------
# alle ICMP Pakete zulassen
#
-A OUTPUT -o $local_if_1 -p icmp -j ACCEPT
-A OUTPUT -o $wlan_if -p icmp -j ACCEPT
-A OUTPUT -o $ext_if -p icmp -j ACCEPT
-A OUTPUT -o $vdsl_if -p icmp -j ACCEPT
#
-A INPUT -i $local_if_1 -p icmp -j ACCEPT
-A INPUT -i $wlan_if -p icmp -j ACCEPT
-A INPUT -i $ext_if -p icmp -j ACCEPT
-A INPUT -i $vdsl_if -p icmp -j ACCEPT
#
-A FORWARD -p icmp -o $ext_if -j ACCEPT
-A FORWARD -p icmp -i $local_if_1 -j ACCEPT
-A FORWARD -p icmp -i $wlan_if -j ACCEPT
-A FORWARD -p icmp -o $vdsl_if -j ACCEPT
#
# ------- Ende Ping ------------



# ------------- portmapper (mountd und NFS) -------------
#
# -- portmapper ( udp/tcp port 111 )
#
# tcp
-A INPUT ! -i $ext_if -p tcp --dport 111 -j ACCEPT
-A FORWARD ! -i $ext_if -p tcp --dport 111 -j ACCEPT
# udp
-A INPUT ! -i $ext_if -p udp --dport 111 -j ACCEPT
-A FORWARD ! -i $ext_if -p udp --dport 111 -j ACCEPT
#
# -- mountd
# - normaly a random port number is assigned by
# the portmapper, but if you start the rpc.mountd
# (see the startscript at (/etc/init.d/nfs-kernel with
# option -p 1105 you can use the following rules:
#
# tcp
-A INPUT ! -i $ext_if -p tcp --dport 1105 -j ACCEPT
-A FORWARD ! -i $ext_if -p tcp --dport 1105 -j ACCEPT
# udp
-A INPUT ! -i $ext_if -p udp --dport 1105 -j ACCEPT
-A FORWARD ! -i $ext_if -p udp --dport 1105 -j ACCEPT
#
# -- nfs
#
-A INPUT ! -i $ext_if -p udp --dport 2049 -j ACCEPT
-A FORWARD ! -i $ext_if -p udp --dport 2049 -j ACCEPT
#
# NFS depends on ICMP on much of its communication, more detailed:
# NFS depends on ICMP Packets of type 3
#
-A INPUT ! -i $ext_if -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A FORWARD ! -i $ext_if -p icmp -m icmp --icmp-type 3 -j ACCEPT
#
-A OUTPUT ! -o $ext_if -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A FORWARD ! -i $ext_if -p icmp -m icmp --icmp-type 3 -j ACCEPT
#
# ---------- Ende: portmapper (mountd und NFS) -----------


# ------------ Portforwarding ------------- #
#
## - Schott ins interne WARENFOM Netz
#
# --- webrick - eingerichtet für vs-bdb-fe.wf.netz:3000 NUR aus ---
# -- den Schott netzen ---
#
#-t nat -A PREROUTING -i $ext_if -p tcp --syn -s 80.156.4.0/22 \
# --dport 80 -j DNAT --to 192.168.52.47:3000
#-t filter -A FORWARD -p tcp -s 80.156.4.0/22 --dport 3000 -d 192.168.52.47 \
# -i $ext_if -o $local_if_1 -j ACCEPT
#-t nat -A PREROUTING -i $ext_if -p tcp --syn -s 194.175.223.0/23 \
# --dport 80 -j DNAT --to 192.168.52.47:3000
#-t filter -A FORWARD -p tcp -s 194.175.223.0/23 --dport 3000 -d 192.168.52.47 \
# -i $ext_if -o $local_if_1 -j ACCEPT
#-t nat -A PREROUTING -i $ext_if -p tcp --syn -s 213.68.175.0/25 \
# --dport 80 -j DNAT --to 192.168.52.47:3000
#-t filter -A FORWARD -p tcp -s 213.68.175.0/25 --dport 3000 -d 192.168.52.47 \
# -i $ext_if -o $local_if_1 -j ACCEPT
#
# --- schott-demo.warenform.de:443 -> vs-bdb-fe.wf.netz:9000 ---
# -- NUR aus den Schott netzen ---
#
#-t nat -A PREROUTING -i $ext_if -p tcp --syn -s 80.156.4.0/22 \
# --dport 443 -j DNAT --to 192.168.52.46:9000
#-t filter -A FORWARD -p tcp -s 80.156.4.0/22 --dport 9000 -d 192.168.52.46 \
# -i $ext_if -o $local_if_1 -j ACCEPT
#-t nat -A PREROUTING -i $ext_if -p tcp --syn -s 194.175.223.0/23 \
# --dport 443 -j DNAT --to 192.168.52.46:9000
#-t filter -A FORWARD -p tcp -s 194.175.223.0/23 --dport 9000 -d 192.168.52.46 \
# -i $ext_if -o $local_if_1 -j ACCEPT
#-t nat -A PREROUTING -i $ext_if -p tcp --syn -s 213.68.175.0/25 \
# --dport 443 -j DNAT --to 192.168.52.46:9000
#-t filter -A FORWARD -p tcp -s 213.68.175.0/25 --dport 9000 -d 192.168.52.46 \
# -i $ext_if -o $local_if_1 -j ACCEPT
#
# --- Etherpad Intranet
# --
#
-t nat -A PREROUTING -i $ext_if -p tcp --syn \
--dport 9080 -j DNAT --to 192.168.52.24:9080
-t filter -A FORWARD -p tcp --dport 9080 -d 192.168.52.24 \
-i $ext_if -o $local_if_1 -j ACCEPT
#
-t nat -A PREROUTING -i $ext_if -p tcp --syn \
--dport 9443 -j DNAT --to 192.168.52.24:9443
-t filter -A FORWARD -p tcp --dport 9443 -d 192.168.52.24 \
-i $ext_if -o $local_if_1 -j ACCEPT
#
# --- ENDE: Etherpad Intranet
#
#
# --- HTTP ---
#
#-t nat -A PREROUTING -i $ext_if -p tcp --syn \
# --dport 8080 -j DNAT --to 192.168.52.25:8080
#-t filter -A FORWARD -p tcp --dport 8080 -d 192.168.52.35 \
# -i $ext_if -o $local_if_1 -j ACCEPT
#
# --- HTTPS ---
#
#-t nat -A PREROUTING -i $ext_if -p tcp --syn \
# --dport 8443 -j DNAT --to 192.168.42.25:443
#-t filter -A FORWARD -p tcp --dport 443 -d 192.168.42.35 \
# -i $ext_if -o $local_if_1 -j ACCEPT
#
#
# --- PPPTP ( VPN auf den NAS Server wf-nas ) --
#
#-t nat -A PREROUTING -i $ext_if -p tcp --syn \
# --dport 1723 -j DNAT --to 192.168.52.80:1723
#-t filter -A FORWARD -p tcp --dport 1723 -d 192.168.52.80 \
# -i $ext_if -o $local_if_1 -j ACCEPT
#
#
# --- SSH ( auf devel )
#
-t nat -A PREROUTING -i $ext_if -p tcp --dport 9997 -m state --state NEW -j DNAT --to 192.168.52.25:22
-t filter -A FORWARD -p tcp --dport 22 -d 192.168.52.35 -i $ext_if -o $local_if_1 -m state --state NEW -j ACCEPT
#
#
# --- SSH ( auf repos )
#
-t nat -A PREROUTING -i $ext_if -p tcp --dport 9998 -m state --state NEW -j DNAT --to 192.168.52.25:22
-t filter -A FORWARD -p tcp --dport 22 -d 192.168.52.35 -i $ext_if -o $local_if_1 -m state --state NEW -j ACCEPT
#
#
# --- SSH ( auf den Fileserver anita ) --
#
-t nat -A PREROUTING -i $ext_if -p tcp --dport 9999 -m state --state NEW -j DNAT --to 192.168.52.60:22
-t filter -A FORWARD -p tcp --dport 22 -d 192.168.52.60 -i $ext_if -o $local_if_1 -m state --state NEW -j ACCEPT
#
# ---------- Ende Portforwarding ---------- #


# ------------- Loggen -------------
#
# alles loggen was nicht durchgeht
#
#-A OUTPUT -j LOG --log-level debug
#-A INPUT -j LOG --log-level debug
#-A FORWARD -j LOG --log-level debug
# -
# ------------- Ende Loggen -------------

# ------------- DROP -------------
# drop all other for all interfaces..
#
-A INPUT -j DROP
-A OUTPUT -j DROP
-A FORWARD -j DROP
#
# ---------- Ende: DROP ----------



EOR

exit 0