983 lines
29 KiB
Bash
Executable File
983 lines
29 KiB
Bash
Executable File
#!/bin/sh
|
|
### BEGIN INIT INFO
|
|
# Provides: ipt-firewall
|
|
# Required-Start: $local_fs $remote_fs $syslog $network
|
|
# Required-Stop: $local_fs $remote_fs $syslog $network
|
|
# Should-Start:
|
|
# Should-Stop:
|
|
# Default-Start: 2 3 4 5
|
|
# Default-Stop: 0 1 6
|
|
# Short-Description: IPv4 Firewall
|
|
### END INIT INFO
|
|
|
|
|
|
# Load appropriate modules.
|
|
/sbin/modprobe ip_tables
|
|
/sbin/modprobe iptable_nat > /dev/null 2>&1
|
|
|
|
## -Load modules for FTP Connection tracking and NAT
|
|
## -
|
|
/sbin/modprobe ip_conntrack > /dev/null 2>&1
|
|
/sbin/modprobe ip_conntrack_ftp > /dev/null 2>&1
|
|
/sbin/modprobe ip_nat_ftp > /dev/null 2>&1
|
|
|
|
|
|
log_all=false
|
|
|
|
log_syn_flood=false
|
|
log_fragments=false
|
|
log_new_not_sync=false
|
|
log_invalid_state=false
|
|
log_invalid_flags=false
|
|
log_spoofed=false
|
|
log_to_lo=false
|
|
log_blocked=false
|
|
log_rejected=false
|
|
|
|
# IP's / IP-Ranges to block
|
|
#
|
|
# 222.184.0.0 CHINANET-JS
|
|
# 61.160.0.0/16 - CHINANET-JS
|
|
# 116.8.0.0/14 CHINANET-GX
|
|
# 70.42.149.69 - ssh attack 30.06.2014
|
|
#
|
|
blocked_ips="222.184.0.0/13 61.160.0.0/16 116.8.0.0/14 70.42.149.69"
|
|
|
|
|
|
ipt="/sbin/iptables"
|
|
|
|
## - external interface
|
|
## -
|
|
ext_if="eth0"
|
|
|
|
ext_ip="172.16.0.1"
|
|
|
|
|
|
## - VPN interface
|
|
## -
|
|
vpn_if="tun+"
|
|
|
|
|
|
## - local interfaces
|
|
## -
|
|
local_if_1="eth1+"
|
|
local_if_2="eth2+"
|
|
|
|
|
|
local_ip="192.168.0.254"
|
|
local_net_1="192.168.0.0/24"
|
|
|
|
|
|
## - local Services
|
|
## -
|
|
webmail="192.168.0.44"
|
|
mail_server="192.168.0.44"
|
|
mail_server_alt="192.168.0.1"
|
|
ak_web="192.168.0.44"
|
|
at_10="192.168.0.10"
|
|
ftp_server="192.168.0.44"
|
|
ldap_server="192.168.0.44"
|
|
|
|
|
|
## - Ports
|
|
## -
|
|
ssh_port=22
|
|
mail_user_ports="465,587,58736,995,993"
|
|
www_ports="80,443"
|
|
www_ports_akweb="81"
|
|
www_extra_ports="8080,8443"
|
|
|
|
# unpriviligierte Ports
|
|
unprivports="1024:65535"
|
|
|
|
loopback="127.0.0.0/8"
|
|
priv_class_a="10.0.0.0/8"
|
|
priv_class_b="172.16.0.0/12"
|
|
priv_class_c="192.168.0.0/16"
|
|
|
|
class_d_multicast="224.0.0.0/4"
|
|
class_e_reserved="240.0.0.0/5"
|
|
|
|
broadcast_addr="83.223.85.255"
|
|
|
|
## - IP Forwarding aktivieren
|
|
## -
|
|
echo 1 > /proc/sys/net/ipv4/ip_forward
|
|
echo 5 > /proc/sys/net/ipv4/ip_dynaddr
|
|
|
|
|
|
## - Reduce DoS'ing ability by reducing timeouts
|
|
## -
|
|
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
|
|
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
|
|
echo 1 > /proc/sys/net/ipv4/tcp_window_scaling
|
|
echo 0 > /proc/sys/net/ipv4/tcp_sack
|
|
echo 1280 > /proc/sys/net/ipv4/tcp_max_syn_backlog
|
|
|
|
## - SYN COOKIES
|
|
## -
|
|
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
|
|
|
|
|
|
## - Schutz gegen gefälschte Fehlermeldungen einschalten.
|
|
## -
|
|
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
|
|
|
|
|
|
## - Ignorieren von broadcast Pings
|
|
## -
|
|
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
|
|
|
|
|
|
## - NO SOURCE ROUTE
|
|
## -
|
|
## - Sperren von quellbasierendem Paket-Routing
|
|
## -
|
|
for asr in /proc/sys/net/ipv4/conf/*/accept_source_route; do
|
|
echo 0 > $asr
|
|
done
|
|
|
|
|
|
## - Keine ICMP Umleitungspakete akzeptieren.
|
|
## -
|
|
## - Diese können zur Veränderung der Routing Tables verwendet
|
|
## - werden, möglicherweise mit einem böswilligen Ziel.
|
|
## -
|
|
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
|
|
|
|
## - ANTISPOOFING
|
|
## -
|
|
## - Reverse Pfadfilterung aktivieren. Dies hilft durch automatisches Ablehnen
|
|
## - von Quelladressen, die nicht mit dem Netzwerkinterface übereinstimmen,
|
|
## - sicherzustellen, dass Pakete legitime Quelladressen benutzen. Dies hat
|
|
## - Sicherheitsvorteile, da es IP Spoofing verhindert. Wir müssen es für
|
|
## - alle net/ipv4/conf/* aktivieren, da sonst die Validierung der Quelle
|
|
## - nicht voll funktionsfähig ist.
|
|
## -
|
|
for rp_filter in /proc/sys/net/ipv4/conf/*/rp_filter; do
|
|
echo 1 > $rp_filter
|
|
done
|
|
|
|
|
|
## - NUMBER OF CONNECTIONS TO TRACK
|
|
## -
|
|
echo "65535" > /proc/sys/net/ipv4/netfilter/ip_conntrack_max
|
|
|
|
|
|
## - Protokollieren von Paketen die gespoofed sind, quellbasierendes
|
|
## - Routing verwenden oder Umleitungen sind.
|
|
## -
|
|
#echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
|
|
|
|
|
|
while read p; do
|
|
case $p in
|
|
-*) $ipt $p;;
|
|
esac
|
|
done << EOR
|
|
## - flush chains
|
|
## -
|
|
-F
|
|
-F INPUT
|
|
-F OUTPUT
|
|
-F FORWARD
|
|
-F -t mangle
|
|
-F -t nat
|
|
-X
|
|
-Z
|
|
|
|
## - default policies
|
|
## -
|
|
-P INPUT ACCEPT
|
|
-P OUTPUT ACCEPT
|
|
-P FORWARD ACCEPT
|
|
|
|
-t nat -P PREROUTING ACCEPT
|
|
-t nat -P POSTROUTING ACCEPT
|
|
|
|
#-t nat -A POSTROUTING -o $ext_if -j MASQUERADE
|
|
-I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
|
|
|
|
## - Fritz!BOX 7390 via VPN
|
|
## -
|
|
-t nat -A POSTROUTING -o $ext_if -p tcp -s 10.0.0.0/8 -d 172.16.0.254 --dport 80 -j MASQUERADE
|
|
|
|
## - Fritz!BOX (AcccessPoint) via VPN
|
|
## -
|
|
-t nat -A POSTROUTING -o $local_if_2 -p tcp -s 10.0.0.0/24 -d 192.168.128.103 --dport 80 -j MASQUERADE
|
|
|
|
|
|
EOR
|
|
|
|
case $1 in
|
|
sto*) exit 0;;
|
|
esac
|
|
#$ipt -A FORWARD -i $local_if_1 -o $local_if_2 -p ALL -m state --state NEW -j ACCEPT
|
|
#$ipt -A FORWARD -i $local_if_2 -o $local_if_1 -p ALL -m state --state NEW -j ACCEPT
|
|
|
|
$ipt -A INPUT -s 192.168.63.0/24 -j ACCEPT
|
|
$ipt -A FORWARD -s 192.168.63.0/24 -j ACCEPT
|
|
$ipt -A FORWARD -d 192.168.63.0/24 -j ACCEPT
|
|
$ipt -A OUTPUT -d 192.168.63.0/24 -j ACCEPT
|
|
|
|
|
|
## - Protection against syn-flooding
|
|
## -
|
|
## - chains to DROP too many SYNs
|
|
## -
|
|
$ipt -N syn-flood
|
|
$ipt -A syn-flood -m limit --limit 1/second --limit-burst 3 -j RETURN
|
|
if $log_syn_flood || $log_all ; then
|
|
$ipt -A syn-flood -j LOG --log-prefix "IPv4: SYN flood: " --log-level debug
|
|
fi
|
|
$ipt -A syn-flood -j DROP
|
|
|
|
|
|
## FRAGMENTS
|
|
# I have to say that fragments scare me more than anything.
|
|
# Sending lots of non-first fragments was what allowed Jolt2 to effectively "drown"
|
|
# Firewall-1. Fragments can be overlapped, and the subsequent interpretation of such
|
|
# fragments is very OS-dependent (see this paper for details).
|
|
# I am not going to trust any fragments.
|
|
# Log fragments just to see if we get any, and deny them too.
|
|
if $log_fragments || $log_all ; then
|
|
$ipt -A INPUT -i $ext_if -f -j LOG --log-prefix "IPv4: IPTABLES FRAGMENTS: " --log-level debug
|
|
fi
|
|
$ipt -A INPUT -i $ext_if -f -j DROP
|
|
|
|
|
|
## - drop new packages without syn flag
|
|
## -
|
|
if $log_new_not_sync || $log_all ; then
|
|
$ipt -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "IPv4: New but not SYN: " --log-level debug
|
|
$ipt -A OUTPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "IPv4: New but not SYN: " --log-level debug
|
|
fi
|
|
$ipt -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
|
|
$ipt -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP
|
|
|
|
|
|
## - drop invalid packages
|
|
## -
|
|
if $log_invalid_state || $log_all ; then
|
|
$ipt -A INPUT -m state --state INVALID -j LOG --log-prefix "IPv4: Invalid state: " --log-level debug
|
|
fi
|
|
$ipt -A INPUT -m state --state INVALID -j DROP
|
|
|
|
|
|
## - ungewöhnliche Flags verwerfen
|
|
## -
|
|
if $log_invalid_flags || $log_all ; then
|
|
$ipt -A INPUT -i $ext_if -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j LOG --log-prefix "IPv4: Invalid flags: " --log-level debug
|
|
$ipt -A INPUT -i $ext_if -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "IPv4: Invalid flags: " --log-level debug
|
|
$ipt -A INPUT -i $ext_if -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "IPv4: Invalid flags: " --log-level debug
|
|
fi
|
|
$ipt -A INPUT -i $ext_if -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
|
|
$ipt -A INPUT -i $ext_if -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
|
|
$ipt -A INPUT -i $ext_if -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
|
|
|
|
|
|
## - private Adressen auf externen interface verwerfen
|
|
## -
|
|
|
|
# Refuse spoofed packets pretending to be from your IP address.
|
|
if $log_spoofed || $log_all ; then
|
|
$ipt -A INPUT -i $ext_if -s $ext_ip -j LOG --log-prefix "IPv4: Spoofed (own ip): " --log-level debug
|
|
fi
|
|
$ipt -A INPUT -i $ext_if -s $ext_ip -j DROP
|
|
|
|
|
|
# Refuse packets claiming to be from a
|
|
# Class A private network
|
|
# Class B private network
|
|
# Class C private network
|
|
# loopback interface
|
|
# Class D multicast address
|
|
# Class E reserved IP address
|
|
# broadcast address
|
|
if $log_spoofed || $log_all ; then
|
|
$ipt -A INPUT -i $ext_if -s $priv_class_a -j LOG --log-prefix "IPv4: Class A private net: " --log-level debug
|
|
#$ipt -A INPUT -i $ext_if -s $priv_class_b -j LOG --log-prefix "IPv4: Class B private net: " --log-level debug
|
|
$ipt -A INPUT -i $ext_if -s $priv_class_c -j LOG --log-prefix "IPv4: Class C private net: " --log-level debug
|
|
$ipt -A INPUT -i $ext_if -s $loopback -j LOG --log-prefix "IPv4: From Loopback: " --log-level debug
|
|
$ipt -A INPUT -i $ext_if -s $class_d_multicast -j LOG --log-prefix "IPv4: Class D Multicast: " --log-level debug
|
|
$ipt -A INPUT -i $ext_if -s $class_e_reserved -j LOG --log-prefix "IPv4: Class E reserved: " --log-level debug
|
|
$ipt -A INPUT -i $ext_if -d $broadcast_addr -j LOG --log-prefix "IPv4: Broadcast Address: " --log-level debug
|
|
fi
|
|
# Refuse packets claiming to be from a Class A private network.
|
|
$ipt -A INPUT -i $ext_if -s $priv_class_a -j DROP
|
|
# Refuse packets claiming to be from a Class B private network.
|
|
#$ipt -A INPUT -i $ext_if -s $priv_class_b -j DROP
|
|
# Refuse packets claiming to be from a Class C private network.
|
|
$ipt -A INPUT -i $ext_if -s $priv_class_c -j DROP
|
|
# Refuse packets claiming to be from loopback interface.
|
|
$ipt -A INPUT -i $ext_if -s $loopback -j DROP
|
|
# Refuse Class D multicast addresses. Multicast is illegal as a source address.
|
|
$ipt -A INPUT -i $ext_if -s $class_d_multicast -j DROP
|
|
# Refuse Class E reserved IP addresses.
|
|
$ipt -A INPUT -i $ext_if -s $class_e_reserved -j DROP
|
|
# Refuse broadcast address packets.
|
|
$ipt -A INPUT -i $ext_if -d $broadcast_addr -j DROP
|
|
|
|
|
|
# Refuse packets claiming to be to the loopback interface.
|
|
# Refusing packets claiming to be to the loopback interface protects against
|
|
# source quench, whereby a machine can be told to slow itself down by an icmp source
|
|
# quench to the loopback.
|
|
if $log_to_lo || $log_all ; then
|
|
$ipt -A INPUT -i $ext_if -d $loopback -j LOG --log-prefix "IPv4: To Loopback: " --log-level debug
|
|
fi
|
|
$ipt -A INPUT -i $ext_if -d $loopback -j DROP
|
|
|
|
|
|
# Don't allow spoofing from that server
|
|
$ipt -A OUTPUT -o $ext_if -s $priv_class_a -j DROP
|
|
#$ipt -A OUTPUT -o $ext_if -s $priv_class_b -j DROP
|
|
#$ipt -A OUTPUT -o $ext_if -s $priv_class_c -j DROP
|
|
$ipt -A OUTPUT -o $ext_if -s $loopback -j DROP
|
|
|
|
|
|
# ------------- CHINANET-JS 222.184.0.0 - 222.191.255.255 -------------
|
|
#
|
|
for _ip in $blocked_ips ; do
|
|
if $log_blocked || $log_all ; then
|
|
$ipt -A INPUT -i $ext_if -s $_ip -j LOG --log-prefix "IPv4: Blocked ${_ip}: " --log-level debug
|
|
fi
|
|
$ipt -A INPUT -p ALL -s $_ip -j DROP
|
|
done
|
|
#
|
|
# ------------- Ende: CHINANET-JS 222.184.0.0 - 222.191.255.255 -------------
|
|
|
|
|
|
## - We don't want these packages on gatewy
|
|
#
|
|
# --- We are not a cups server
|
|
$ipt -A INPUT -i $local_if_1 -p tcp --sport 631 -j DROP
|
|
$ipt -A INPUT -i $local_if_1 -p udp --sport 631 -j DROP
|
|
# --- No NETBIOS Packages
|
|
# -- LAN
|
|
$ipt -A INPUT -p udp -i $local_if_1 --dport 137:139 -j DROP
|
|
$ipt -A INPUT -p tcp -i $local_if_1 --dport 137:139 -j DROP
|
|
$ipt -A INPUT -p tcp -i $local_if_1 --dport 445 -j DROP
|
|
## - WLAN (LAN2)
|
|
$ipt -A INPUT -p udp -i $local_if_2 --dport 137:139 -j DROP
|
|
$ipt -A INPUT -p tcp -i $local_if_2 --dport 137:139 -j DROP
|
|
$ipt -A INPUT -p tcp -i $local_if_2 --dport 445 -j DROP
|
|
|
|
|
|
echo "Starting firewall iptables (IpV4).."
|
|
|
|
while read r; do
|
|
case $r in
|
|
-*) $ipt $r;;
|
|
esac
|
|
done << EOR
|
|
|
|
|
|
# ------------- das loopbackdevice -------------
|
|
# alles erlaubt
|
|
#
|
|
-A INPUT -i lo -j ACCEPT
|
|
-A OUTPUT -o lo -j ACCEPT
|
|
#
|
|
# ---------- Ende: das loopbackdevice ----------
|
|
|
|
|
|
|
|
# ---------- alle Anfragen aus den internen Netzen nach draussen -------------
|
|
#
|
|
-A FORWARD -o $ext_if -p ALL -m state --state NEW -j ACCEPT
|
|
#
|
|
# ---------- Ende: alle Anfragen aus den internen Netzen nach draussen ----------
|
|
|
|
|
|
|
|
# ------------- Zugriffe zwischen WLAN und LAN -------------
|
|
#
|
|
# Drucker IP-Adressen freigeben
|
|
# - hp-lj5000
|
|
#-A FORWARD -i $local_if_2 -d 192.168.0.249 -p ALL -m state --state NEW -j ACCEPT
|
|
-A FORWARD -i $local_if_2 -d 192.168.0.249 -p ALL -j ACCEPT
|
|
-A FORWARD -o $local_if_2 -s 192.168.0.249 -p ALL -j ACCEPT
|
|
# - canon-c5030i
|
|
#-A FORWARD -i $local_if_2 -d 192.168.0.253 -p ALL -m state --state NEW -j ACCEPT
|
|
-A FORWARD -i $local_if_2 -d 192.168.0.253 -p ALL -j ACCEPT
|
|
-A FORWARD -o $local_if_2 -s 192.168.0.253 -p ALL -j ACCEPT
|
|
#
|
|
# Samba Ports auf at-44
|
|
-A FORWARD -i $local_if_2 -p udp -d 192.168.0.44 --dport 137:139 -m state --state NEW -j ACCEPT
|
|
-A FORWARD -i $local_if_2 -p tcp -d 192.168.0.44 --dport 137:139 -m state --state NEW -j ACCEPT
|
|
-A FORWARD -i $local_if_2 -p tcp -d 192.168.0.44 --dport 445 -m state --state NEW -j ACCEPT
|
|
#
|
|
#
|
|
# ---------- Ende: Zugriffe zwischen WLAN und LAN ----------
|
|
|
|
|
|
|
|
# ------------- zwischen lokalen Netzen -------------
|
|
#
|
|
#
|
|
#-A FORWARD -i $local_if_1 -o $local_if_2 -p ALL -m state --state NEW -j ACCEPT
|
|
#-A FORWARD -i $local_if_2 -o $local_if_1 -p ALL -m state --state NEW -j ACCEPT
|
|
#
|
|
# - needed because sometimes i add temporarily other networks to that interface
|
|
#
|
|
#-A FORWARD -i $local_if_1 -o $local_if_1 -j ACCEPT
|
|
#
|
|
# ---------- Ende: zwischen lokalen Netzen ----------
|
|
|
|
|
|
# ------------- betsehende Verbindungen -------------
|
|
# bereits bestehende Verbindungen durchlassen
|
|
#
|
|
# -- rein --
|
|
#
|
|
-A INPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
|
|
#
|
|
# -- raus --
|
|
#
|
|
-A OUTPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
|
|
#
|
|
# foreward
|
|
#
|
|
-A FORWARD -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
|
|
#
|
|
|
|
# ---------- Ende betsehende Verbindungen -----------
|
|
|
|
|
|
#############################################################
|
|
# ----------------- Konfiguration VPN ------------------ #
|
|
|
|
# -- initial via internet
|
|
#
|
|
-A INPUT -p udp -i $ext_if --dport 1194 -m state --state NEW -j ACCEPT
|
|
-A INPUT -p udp -i $ext_if --dport 1195 -m state --state NEW -j ACCEPT
|
|
#
|
|
# -- initial via lan1
|
|
-A INPUT -p udp -i $local_if_1 --dport 1194 -m state --state NEW -j ACCEPT
|
|
#
|
|
# -- initial via lan2
|
|
-A INPUT -p udp -i $local_if_2 --dport 1194 -m state --state NEW -j ACCEPT
|
|
#
|
|
# ausgehende Anfragen
|
|
#
|
|
#-A OUTPUT -o $ext_if -p udp --dport 1194 -m state --state NEW -j ACCEPT
|
|
#
|
|
# forward
|
|
#
|
|
-A FORWARD -o $ext_if -p udp --dport 1194 -m state --state NEW -j ACCEPT
|
|
#
|
|
# -- alles via vpn device zulassen/durchrouten
|
|
#
|
|
-A INPUT -i $vpn_if -j ACCEPT
|
|
-A OUTPUT -o $vpn_if -j ACCEPT
|
|
-A FORWARD -i $vpn_if -j ACCEPT
|
|
-A FORWARD -o $vpn_if -j ACCEPT
|
|
|
|
# ------------ Ende Konfiguration VPN -------------------- #
|
|
#############################################################
|
|
|
|
|
|
# ------------- smbclient / smbmount -------------
|
|
#
|
|
-A OUTPUT -o $local_if_1 -p tcp --dport 445 -j ACCEPT
|
|
-A OUTPUT -o $local_if_1 -p tcp --dport 137:139 -j ACCEPT
|
|
#
|
|
# ---------- Ende smbclient / smbmount -----------
|
|
|
|
|
|
# ------------- grundsaetzlich ablehnen -------------
|
|
# reinlaufenden windows kram
|
|
#
|
|
-A INPUT -p udp -i $ext_if --dport 137:139 -j DROP
|
|
-A INPUT -p tcp -i $ext_if --dport 137:139 -j DROP
|
|
-A INPUT -p tcp -i $ext_if --dport 445 -j DROP
|
|
#
|
|
# .. und forwards
|
|
#
|
|
-A FORWARD -i $local_if_1 -o $ext_if -p tcp --dport 137:139 -j DROP
|
|
-A FORWARD -i $local_if_1 -o $ext_if -p tcp --dport 445 -j DROP
|
|
#
|
|
#
|
|
# authentication tap ident
|
|
#
|
|
-A INPUT -p tcp -i $ext_if --dport 113 -j REJECT --reject-with tcp-reset
|
|
-A FORWARD -p tcp -i $ext_if --dport 113 -j REJECT --reject-with tcp-reset
|
|
#
|
|
#
|
|
# Location Service
|
|
#
|
|
-A INPUT -p tcp -i $ext_if --dport 135 -j DROP
|
|
-A INPUT -p udp -i $ext_if --dport 135 -j DROP
|
|
#
|
|
# ---------- Ende: grundsaetzlich ablehnen -------------
|
|
|
|
|
|
# ------------- SSH -------------
|
|
# reingehende Anfragen
|
|
#
|
|
-A INPUT -i $ext_if -p tcp --syn --dport 22 -m state --state NEW -j ACCEPT
|
|
-A INPUT -i $local_if_1 -p tcp --syn --dport 22 -m state --state NEW -j ACCEPT
|
|
-A INPUT -i $local_if_2 -p tcp --syn --dport 22 -m state --state NEW -j ACCEPT
|
|
#
|
|
# ausgehende Anfragen
|
|
#
|
|
-A OUTPUT -o $ext_if -p tcp --syn --dport 22 -m state --state NEW -j ACCEPT
|
|
-A OUTPUT -o $local_if_1 -p tcp --dport 22 -m state --state NEW -j ACCEPT
|
|
-A OUTPUT -o $local_if_2 -p tcp --dport 22 -m state --state NEW -j ACCEPT
|
|
#
|
|
-A FORWARD -o $ext_if -p tcp --syn --dport 22 -m state --state NEW -j ACCEPT
|
|
-A FORWARD -i $ext_if -o $local_if_1 -p tcp --syn --dport 22 -m state --state NEW -j ACCEPT
|
|
-A FORWARD -o $local_if_2 -p tcp --syn --dport 22 -m state --state NEW -j ACCEPT
|
|
#
|
|
# ---------- Ende SSH ------------
|
|
|
|
|
|
|
|
# ------------- DHCP -------------
|
|
# reingehende Anfragen
|
|
#
|
|
-A INPUT -p udp -i $local_if_1 -s 0/0 --sport 68 -d 255.255.255.255 --dport 67 -j ACCEPT
|
|
-A INPUT -p udp -i $local_if_2 -s 0/0 --sport 68 -d 255.255.255.255 --dport 67 -j ACCEPT
|
|
#
|
|
# ausgehende Anfragen
|
|
#
|
|
-A OUTPUT -p udp -o $local_if_1 --sport 67 -d 0/0 --dport 68 -j ACCEPT
|
|
-A OUTPUT -p udp -o $local_if_2 --sport 67 -d 0/0 --dport 68 -j ACCEPT
|
|
#
|
|
# ---------- Ende DHCP ------------
|
|
|
|
|
|
# ------------- DNS -------------
|
|
#
|
|
# nameserver
|
|
#
|
|
# -- rein --
|
|
#
|
|
-A INPUT -i $local_if_1 -p udp --dport 53 -m state --state NEW -j ACCEPT
|
|
-A INPUT -i $local_if_2 -p tcp --dport 53 -m state --state NEW -j ACCEPT
|
|
#
|
|
-A INPUT -i $local_if_1 -p udp --dport 53 -m state --state NEW -j ACCEPT
|
|
-A INPUT -i $local_if_2 -p udp --dport 53 -m state --state NEW -j ACCEPT
|
|
#
|
|
# -- raus --
|
|
#
|
|
-A OUTPUT -o $ext_if -p udp --dport 53 -m state --state NEW -j ACCEPT
|
|
#
|
|
-A OUTPUT -o $ext_if -p udp --dport 53 -m state --state NEW -j ACCEPT
|
|
#
|
|
# forward
|
|
#
|
|
-A FORWARD -o $ext_if -p udp --dport 53 -m state --state NEW -j ACCEPT
|
|
#
|
|
-A FORWARD -o $ext_if -p udp --dport 53 -m state --state NEW -j ACCEPT
|
|
#
|
|
# ---------- Ende DNS -----------
|
|
|
|
|
|
# ------------- MAIL -------------
|
|
# rausgehende SMTP-Verbindungen akzeptieren
|
|
#
|
|
-A OUTPUT -p tcp --syn -o $ext_if --dport 25 -m state --state NEW -j ACCEPT
|
|
#
|
|
# ansonsten nur forward
|
|
#
|
|
# -- SMTP
|
|
# rausschicken dürfen alle
|
|
-A FORWARD -p tcp --syn -o $ext_if --dport 25 -m state --state NEW -j ACCEPT
|
|
# von ueberall zum internen mailserver
|
|
-A FORWARD -p tcp --syn -d $mail_server --dport 25 -m state --state NEW -j ACCEPT
|
|
-A FORWARD -p tcp --syn -d $mail_server_alt --dport 25 -m state --state NEW -j ACCEPT
|
|
#
|
|
# -- SUBMISSION
|
|
# rausschicken dürfen alle
|
|
-A FORWARD -p tcp --syn -o $ext_if --dport 587 -m state --state NEW -j ACCEPT
|
|
# von ueberall zum internen mailserver
|
|
-A FORWARD -p tcp --syn -d $mail_server --dport 587 -m state --state NEW -j ACCEPT
|
|
-A FORWARD -p tcp --syn -d $mail_server_alt --dport 587 -m state --state NEW -j ACCEPT
|
|
#
|
|
# -- SMTPS
|
|
# rausschicken dürfen alle
|
|
-A FORWARD -p tcp --syn -o $ext_if --dport 465 -m state --state NEW -j ACCEPT
|
|
# von ueberall zum internen mailserver
|
|
-A FORWARD -p tcp --syn -d $mail_server --dport 465 -m state --state NEW -j ACCEPT
|
|
-A FORWARD -p tcp --syn -d $mail_server_alt --dport 465 -m state --state NEW -j ACCEPT
|
|
#
|
|
# POP
|
|
# nach draussen dürfen alle
|
|
-A FORWARD -p tcp --syn -o $ext_if --dport 110 -m state --state NEW -j ACCEPT
|
|
# von ueberall zum internen mailserver
|
|
-A FORWARD -p tcp --syn -d $mail_server --dport 110 -m state --state NEW -j ACCEPT
|
|
-A FORWARD -p tcp --syn -d $mail_server_alt --dport 110 -m state --state NEW -j ACCEPT
|
|
#
|
|
# -- POP/SSL
|
|
# nach draussen dürfen alle
|
|
-A FORWARD -p tcp --syn -o $ext_if --dport 995 -m state --state NEW -j ACCEPT
|
|
# von ueberall zum internen mailserver
|
|
-A FORWARD -p tcp --syn -d $mail_server --dport 995 -m state --state NEW -j ACCEPT
|
|
-A FORWARD -p tcp --syn -d $mail_server_alt --dport 995 -m state --state NEW -j ACCEPT
|
|
#
|
|
# -- IMAP
|
|
# nach draussen dürfen alle
|
|
-A FORWARD -p tcp --syn -o $ext_if --dport 143 -m state --state NEW -j ACCEPT
|
|
# von ueberall zum internen mailserver
|
|
-A FORWARD -p tcp --syn -d $mail_server --dport 143 -m state --state NEW -j ACCEPT
|
|
-A FORWARD -p tcp --syn -d $mail_server_alt --dport 143 -m state --state NEW -j ACCEPT
|
|
#
|
|
# -- IMAP/SSL
|
|
# nach draussen dürfen alle
|
|
-A FORWARD -p tcp --syn -o $ext_if --dport 993 -m state --state NEW -j ACCEPT
|
|
# von ueberall zum internen mailserver
|
|
-A FORWARD -p tcp --syn -d $mail_server --dport 993 -m state --state NEW -j ACCEPT
|
|
-A FORWARD -p tcp --syn -d $mail_server_alt --dport 993 -m state --state NEW -j ACCEPT
|
|
#
|
|
# ---------- Ende MAIL -----------
|
|
|
|
|
|
# ------------- HTTP -------------
|
|
#
|
|
# rausgehende Verbindungen vom Gateway akzeptieren
|
|
# ( update clamav/freshclam, dyndns, apt-get )
|
|
#
|
|
-A OUTPUT -p tcp --syn -o $local_if_1 --dport 80 -m state --state NEW -j ACCEPT
|
|
-A OUTPUT -p tcp --syn -o $ext_if --dport 80 -m state --state NEW -j ACCEPT
|
|
#
|
|
# ansonsten nach draussen nur forward
|
|
#
|
|
-A FORWARD -p tcp --syn -o $ext_if -m multiport --dports $www_ports -m state --state NEW -j ACCEPT
|
|
#
|
|
# -- interne Webservices
|
|
# webmailer
|
|
-A FORWARD -p tcp --syn -d $webmail -m multiport --dports $www_ports -m state --state NEW -j ACCEPT
|
|
# akweb lokal
|
|
-A FORWARD -p tcp --syn -d $ak_web -m multiport --dports $www_ports -m state --state NEW -j ACCEPT
|
|
# at-10
|
|
-A FORWARD -p tcp --syn -d $at_10 -m multiport --dports $www_ports -m state --state NEW -j ACCEPT
|
|
#
|
|
# ---------- Ende HTTP -----------
|
|
|
|
|
|
# ------------- FTP -------------
|
|
#
|
|
# ftp ( lokaler Client remote ftp-Server )
|
|
#
|
|
# (Datenkanal aktiv)
|
|
-A INPUT -i $ext_if -p tcp --sport 20 -m state --state NEW -j ACCEPT
|
|
-A FORWARD -i $ext_if -p tcp --sport 20 -m state --state NEW -j ACCEPT
|
|
#
|
|
# (Datenkanal passiv)
|
|
-A OUTPUT -o $ext_if -p tcp --sport $unprivports --dport $unprivports -m state --state NEW -j ACCEPT
|
|
-A FORWARD -o $ext_if -p tcp --sport $unprivports --dport $unprivports -m state --state NEW -j ACCEPT
|
|
#
|
|
# (Kontrollverbindung)
|
|
-A OUTPUT -o $ext_if -p tcp --dport 21 -m state --state NEW -j ACCEPT
|
|
-A FORWARD -o $ext_if -p tcp --dport 21 -m state --state NEW -j ACCEPT
|
|
#
|
|
# ftp (Server)
|
|
#
|
|
# Datenkanal (aktiver modus)
|
|
-A FORWARD -o $ext_if -p tcp -s $ftp_server --sport 20 -m state --state NEW -j ACCEPT
|
|
#
|
|
# Datenkanal (passiver modus)
|
|
-A FORWARD -i $ext_if -p tcp -d $ftp_server --dport $unprivports --sport $unprivports -m state --state NEW -j ACCEPT
|
|
#
|
|
# - Kontrollverbindung
|
|
-A FORWARD -i $ext_if -p tcp -d $ftp_server --dport 21 --sport $unprivports -m state --state NEW -j ACCEPT
|
|
#
|
|
# ftp-tls ? ( keine Ahnung warum )
|
|
#
|
|
-A OUTPUT -p tcp --sport $unprivports -o $ext_if -m state --state NEW -j ACCEPT
|
|
-A FORWARD -p tcp --sport $unprivports -i $ext_if -o $ext_if -m state --state NEW -j ACCEPT
|
|
#
|
|
# ---------- Ende FTP -----------
|
|
|
|
|
|
# ------------- NTP -------------
|
|
# (network time protokoll)
|
|
#
|
|
# rein
|
|
#
|
|
-A INPUT -i $local_if_1 -p tcp --sport 123 -m state --state NEW -j ACCEPT
|
|
-A INPUT -i $local_if_2 -p tcp --sport 123 -m state --state NEW -j ACCEPT
|
|
#
|
|
-A INPUT -i $local_if_1 -p udp --sport 123 -m state --state NEW -j ACCEPT
|
|
-A INPUT -i $local_if_2 -p udp --sport 123 -m state --state NEW -j ACCEPT
|
|
#
|
|
# raus
|
|
#
|
|
-A OUTPUT -o $ext_if -p tcp --dport 123 -m state --state NEW -j ACCEPT
|
|
#
|
|
-A OUTPUT -o $ext_if -p udp --dport 123 -m state --state NEW -j ACCEPT
|
|
#
|
|
# forward
|
|
#
|
|
-A FORWARD -o $ext_if -p udp --dport 123 -j ACCEPT
|
|
#
|
|
-A FORWARD -o $ext_if -p tcp --dport 123 -j ACCEPT
|
|
#
|
|
# ---------- Ende NTP -----------
|
|
|
|
|
|
# ------------- pgpkeyserver -------------
|
|
#
|
|
# Forward -- nur Anfragen nach draussen
|
|
#
|
|
-A FORWARD -p tcp --syn -o $ext_if --dport 11370:11371 -m state --state NEW -j ACCEPT
|
|
-A OUTPUT -p tcp --syn -o $ext_if --dport 11370:11371 -m state --state NEW -j ACCEPT
|
|
#
|
|
# ---------- Ende pgpkeyserver ------------
|
|
|
|
# ------------- ldap / (z.Bsp. einige pgpkeyserver) -------------
|
|
#
|
|
# Forward -- nur Anfragen nach draussen
|
|
#
|
|
-A FORWARD -p tcp -o $ext_if --dport 389 -m state --state NEW -j ACCEPT
|
|
-A FORWARD -p udp -o $ext_if --dport 389 -m state --state NEW -j ACCEPT
|
|
-A OUTPUT -p tcp -o $ext_if --dport 389 -m state --state NEW -j ACCEPT
|
|
-A OUTPUT -p udp -o $ext_if --dport 389 -m state --state NEW -j ACCEPT
|
|
#
|
|
# ldaps LDAP over SSL
|
|
#
|
|
-A FORWARD -p tcp --syn -o $ext_if --dport 636 -j ACCEPT
|
|
-A FORWARD -p udp -o $ext_if --dport 636 -j ACCEPT
|
|
-A OUTPUT -p tcp --syn -o $ext_if --dport 636 -j ACCEPT
|
|
-A OUTPUT -p udp -o $ext_if --dport 636 -j ACCEPT
|
|
#
|
|
# ---------- Ende ldap ------------
|
|
|
|
|
|
# ------------- Newsserver nntp -------------
|
|
#
|
|
# Forward -- nur Anfragen nach draussen
|
|
#
|
|
-A FORWARD -p tcp --syn -o $ext_if --dport 119 -m state --state NEW -j ACCEPT
|
|
-A OUTPUT -p tcp --syn -o $ext_if --dport 119 -m state --state NEW -j ACCEPT
|
|
#
|
|
# ---------- Ende Newsserver nntp ------------
|
|
|
|
|
|
# ------------- Whois -------------
|
|
# nur ausgehende Anfragen und forward
|
|
#
|
|
#
|
|
-A OUTPUT -o $ext_if -p tcp --dport 43 -j ACCEPT
|
|
-A FORWARD -o $ext_if -p tcp --dport 43 -j ACCEPT
|
|
#
|
|
# ---------- Ende Whois ----------
|
|
|
|
|
|
# ------------- Chat -------------
|
|
# --- silc ---
|
|
#
|
|
# Forward und Anfragen nach draussen
|
|
#
|
|
-A FORWARD -p tcp --syn -o $ext_if --dport 706 -m state --state NEW -j ACCEPT
|
|
-A OUTPUT -p tcp --syn -o $ext_if --dport 706 -m state --state NEW -j ACCEPT
|
|
#
|
|
# --- irc ---
|
|
#
|
|
# forward und Anfragen nach draussen
|
|
#
|
|
-A FORWARD -p tcp --syn -o $ext_if --dport 194 -m state --state NEW -j ACCEPT
|
|
-A FORWARD -p udp -o $ext_if --dport 194 -m state --state NEW -j ACCEPT
|
|
-A OUTPUT -p tcp --syn -o $ext_if --dport 194 -m state --state NEW -j ACCEPT
|
|
-A OUTPUT -p udp -o $ext_if --dport 194 -m state --state NEW -j ACCEPT
|
|
#
|
|
# ---jabber ---
|
|
#
|
|
-A FORWARD -p tcp --syn -o $ext_if --dport 5222:5223 -m state --state NEW -j ACCEPT
|
|
#
|
|
# ---------- Ende chat ------------
|
|
|
|
|
|
# ------------- HBCI -------------
|
|
# hbci - port 3000/tcp
|
|
#
|
|
-A FORWARD -o $ext_if -p tcp --syn --dport 3000 -m state --state NEW -j ACCEPT
|
|
#
|
|
# ---------- Ende HBCI -----------
|
|
|
|
|
|
# ------------- Hylafax (Port 4559) -------------
|
|
# reingehende Verbindungen zum Hylafax-Server
|
|
#
|
|
-A INPUT -i $local_if_1 -p tcp --dport 4559 -m state --state NEW -j ACCEPT
|
|
-A INPUT -i $local_if_2 -p tcp --dport 4559 -m state --state NEW -j ACCEPT
|
|
#
|
|
# ---------- Ende Hylafax -----------
|
|
|
|
|
|
# ------------- CUPS -------------
|
|
# (cupssys printer system)
|
|
#
|
|
-A FORWARD -i $local_if_1 -p tcp --dport 631 -m state --state NEW -j ACCEPT
|
|
-A FORWARD -i $local_if_2 -p tcp --dport 631 -m state --state NEW -j ACCEPT
|
|
#
|
|
# ---------- Ende CUPS -----------
|
|
|
|
|
|
# ------------- Drucken Port 9100 -------------
|
|
#
|
|
-A FORWARD -i $local_if_1 -p tcp --dport 9100 -m state --state NEW -j ACCEPT
|
|
-A FORWARD -i $local_if_2 -p tcp --dport 9100 -m state --state NEW -j ACCEPT
|
|
#
|
|
# ---------- Ende Drucken Port 9100 -----------
|
|
|
|
|
|
# ---------- SNMP ----------
|
|
#
|
|
#-A FORWARD -i $local_if_1 -p tcp --dport 161 -m state --state NEW -j ACCEPT
|
|
#-A FORWARD -i $local_if_2 -p tcp --dport 161 -m state --state NEW -j ACCEPT
|
|
#
|
|
# ---------- SNMP ----------
|
|
|
|
|
|
# ------------- VOIP -------------
|
|
#
|
|
# SIP
|
|
#
|
|
# Standard:
|
|
# Port: 5060 / UDP (SIP-Signalisierung)
|
|
# Port: 5004 / UDP (RTP, Sprache)
|
|
# Port: 10000 UDP (STUN)
|
|
#
|
|
# X-Lite:
|
|
# Port 5060 / UDP
|
|
# Port 8000 - 8019 / UDP
|
|
# Port 10000 /UDP
|
|
|
|
# reingehende Anfragen
|
|
#
|
|
-A INPUT -p tcp --syn -i $ext_if --dport 5060 -j ACCEPT
|
|
-A INPUT -p udp -i $ext_if --dport 5060 -j ACCEPT
|
|
#
|
|
# ausgehende Anfragen
|
|
#
|
|
-A OUTPUT -p tcp --syn -o $ext_if --dport 5060 -j ACCEPT
|
|
-A OUTPUT -p udp -o $ext_if --dport 5060 -j ACCEPT
|
|
#
|
|
# Forward -- nur Anfragen nach draussen
|
|
#
|
|
-A FORWARD -p tcp --syn -o $ext_if --dport 5060 -j ACCEPT
|
|
-A FORWARD -p udp -o $ext_if --dport 5060 -j ACCEPT
|
|
-A FORWARD -p udp -i $ext_if --dport 5060 -j ACCEPT
|
|
-A FORWARD -p udp -o $ext_if --dport 5004 -j ACCEPT
|
|
-A FORWARD -p udp -i $ext_if --dport 5004 -j ACCEPT
|
|
-A FORWARD -p tcp --syn -o $ext_if --dport 10000 -j ACCEPT
|
|
-A FORWARD -p udp -o $ext_if --dport 10000 -j ACCEPT
|
|
-A FORWARD -p udp -i $ext_if --dport 10000 -j ACCEPT
|
|
-A FORWARD -p udp -o $ext_if --sport 8000:8019 -j ACCEPT
|
|
-A FORWARD -p udp -i $ext_if --sport 8000:8019 -j ACCEPT
|
|
-A FORWARD -p udp -o $ext_if --sport 32700:32799 -j ACCEPT
|
|
#
|
|
# SKIPE
|
|
#
|
|
# reingehende Anfragen
|
|
#
|
|
# -A INPUT -p tcp --syn -i $ext_if --dport 54196 -j ACCEPT
|
|
# -A INPUT -p udp -i $ext_if --dport 54196 -j ACCEPT
|
|
#
|
|
# ausgehende Anfragen
|
|
#
|
|
#
|
|
# Forward -- Anfragen von draussen
|
|
#
|
|
# -- Linux
|
|
-A FORWARD -p tcp --syn -i $ext_if --dport 34957 -j ACCEPT
|
|
-A FORWARD -p tcp --syn -o $ext_if --sport 34957 -j ACCEPT
|
|
-A FORWARD -p udp -i $ext_if --dport 34957 -j ACCEPT
|
|
-A FORWARD -p udp -o $ext_if --sport 34957 -j ACCEPT
|
|
|
|
|
|
# -- Windows --
|
|
-A FORWARD -p tcp --syn -i $ext_if --dport 54196 -j ACCEPT
|
|
-A FORWARD -p tcp --syn -o $ext_if --dport 54196 -j ACCEPT
|
|
-A FORWARD -p udp -i $ext_if --dport 54196 -j ACCEPT
|
|
-A FORWARD -p udp -o $ext_if --sport 54196 -j ACCEPT
|
|
#
|
|
# ---------- Ende VOIP ------------
|
|
|
|
|
|
# ------------- Traceroute -------------
|
|
#
|
|
-A OUTPUT -p udp --dport 33434:33530 -o $local_if_1 -j ACCEPT
|
|
-A INPUT -p udp --dport 33434:33530 -i $local_if_1 -j ACCEPT
|
|
-A FORWARD -p udp --dport 33434:33530 -o $ext_if -j ACCEPT
|
|
#
|
|
# -------- Ende Traceroute -------------
|
|
|
|
|
|
## -------- WakeOnLAN --------
|
|
#
|
|
-A OUTPUT -p udp -o $local_if_1 --dport 9 -j ACCEPT
|
|
-A OUTPUT -p udp -o $local_if_2 --dport 9 -j ACCEPT
|
|
#
|
|
## -------- Ende WakeOnLAN --------
|
|
|
|
|
|
# ------------ Ping ------------
|
|
#
|
|
-A INPUT -i $ext_if -p icmp --icmp-type destination-unreachable -j ACCEPT
|
|
-A INPUT -i $ext_if -p icmp --icmp-type time-exceeded -j ACCEPT
|
|
-A INPUT -i $ext_if -p icmp --icmp-type echo-reply -j ACCEPT
|
|
-A INPUT -i $ext_if -p icmp --icmp-type echo-request -j ACCEPT
|
|
#-A INPUT -i $ext_if -p icmp -j ACCEPT
|
|
-A INPUT -i $local_if_1 -j ACCEPT
|
|
-A INPUT -i $local_if_2 -j ACCEPT
|
|
#-A OUTPUT -o $ext_if -p icmp -j ACCEPT
|
|
-A OUTPUT -p icmp -j ACCEPT
|
|
#-A FORWARD -o $ext_if -p icmp -j ACCEPT
|
|
-A FORWARD -p icmp -j ACCEPT
|
|
#
|
|
# ------- Ende Ping ------------
|
|
|
|
|
|
# ------------ Portforwarding ------------- #
|
|
# -
|
|
# -- VNC pcbuero1 ---
|
|
#
|
|
#-t nat -A PREROUTING -i $ext_if -p tcp --syn \
|
|
# --dport 80 -j DNAT --to 172.16.0.254:80
|
|
#-t filter -A FORWARD -p tcp --dport 5900 -d 192.168.4.101 \
|
|
# -i $ext_if -o $local_if_1 -j ACCEPT
|
|
#
|
|
# -- VNC pcbuero2 ---
|
|
#
|
|
#-t nat -A PREROUTING -i $ext_if -p tcp --syn \
|
|
# --dport 5902 -j DNAT --to 192.168.4.4:5900
|
|
#-t filter -A FORWARD -p tcp --dport 5900 -d 192.168.4.102 \
|
|
# -i $ext_if -o $local_if_1 -j ACCEPT
|
|
#
|
|
# ---------- Ende Portforwarding ---------- #
|
|
|
|
|
|
EOR
|
|
|
|
|
|
# ------------- Loggen -------------
|
|
#
|
|
if $log_rejected || $log_all ; then
|
|
#$ipt -A OUTPUT -j LOG --log-level debug
|
|
#$ipt -A INPUT -j LOG --log-level debug
|
|
#$ipt -A INPUT -j LOG --log-level debug
|
|
$ipt -A OUTPUT -m limit --limit-burst 5 -j LOG --log-prefix "IPv4: Rejected: " --log-level debug
|
|
$ipt -A INPUT -m limit --limit-burst 5 -j LOG --log-prefix "IPv4: Rejected: " --log-level debug
|
|
$ipt -A FORWARD -m limit --limit-burst 5 -j LOG --log-prefix "IPv4: Rejected: " --log-level debug
|
|
fi
|
|
#
|
|
# ---------- Ende: Loggen ----------
|
|
|
|
|
|
# ------------- DROP -------------
|
|
# drop all other for all interfaces..
|
|
#
|
|
$ipt -A INPUT -j DROP
|
|
$ipt -A OUTPUT -j DROP
|
|
$ipt -A FORWARD -j DROP
|
|
#
|
|
# ---------- Ende: DROP ----------
|
|
|
|
|
|
|
|
exit 0
|