842 lines
23 KiB
Bash
Executable File
842 lines
23 KiB
Bash
Executable File
#!/bin/sh
|
|
### BEGIN INIT INFO
|
|
# Provides: ipt-firewall
|
|
# Required-Start: $local_fs $remote_fs $syslog $network
|
|
# Required-Stop: $local_fs $remote_fs $syslog $network
|
|
# Should-Start:
|
|
# Should-Stop:
|
|
# Default-Start: 2 3 4 5
|
|
# Default-Stop: 0 1 6
|
|
# Short-Description: IPv4 Firewall
|
|
### END INIT INFO
|
|
|
|
## -Load modules for FTP Connection tracking and NAT
|
|
## -
|
|
/sbin/modprobe ip_tables > /dev/null 2>&1
|
|
modprobe ip_conntrack > /dev/null 2>&1
|
|
modprobe ip_nat_ftp > /dev/null 2>&1
|
|
modprobe ip_conntrack_ftp > /dev/null 2>&1
|
|
modprobe iptable_nat > /dev/null 2>&1
|
|
|
|
|
|
log_all=false
|
|
|
|
log_syn_flood=false
|
|
log_fragments=false
|
|
log_new_not_sync=false
|
|
log_invalid_state=false
|
|
log_invalid_flags=false
|
|
log_spoofed=false
|
|
log_to_lo=false
|
|
log_blocked=false
|
|
log_rejected=false
|
|
|
|
|
|
# IP's / IP-Ranges to block
|
|
#
|
|
# 222.184.0.0 CHINANET-JS
|
|
# 61.160.0.0/16 - CHINANET-JS
|
|
# 116.8.0.0/14 CHINANET-GX
|
|
# 70.42.149.69 - ssh attack 30.06.2014
|
|
#
|
|
#blocked_ips="222.184.0.0/13 61.160.0.0/16 116.8.0.0/14 70.42.149.69"
|
|
blocked_ips=""
|
|
|
|
|
|
|
|
ipt="/sbin/iptables"
|
|
|
|
|
|
local_ip="192.168.122.254"
|
|
local_net="192.168.122.254/24"
|
|
local_if="eth1"
|
|
|
|
#ext_if="ppp+"
|
|
ext_if="eth0"
|
|
|
|
vpn_if="tun+"
|
|
|
|
# unpriviligierte Ports
|
|
unprivports="1024:65535"
|
|
|
|
loopback="127.0.0.0/8"
|
|
priv_class_a="10.0.0.0/8"
|
|
priv_class_b="172.16.0.0/12"
|
|
priv_class_c="192.168.0.0/16"
|
|
|
|
class_d_multicast="224.0.0.0/4"
|
|
class_e_reserved="240.0.0.0/5"
|
|
|
|
broadcast_addr="83.223.85.255"
|
|
|
|
|
|
## - IP Forwarding aktivieren
|
|
## -
|
|
echo 1 > /proc/sys/net/ipv4/ip_forward
|
|
echo 5 > /proc/sys/net/ipv4/ip_dynaddr
|
|
|
|
|
|
## - Reduce DoS'ing ability by reducing timeouts
|
|
## -
|
|
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
|
|
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
|
|
echo 1 > /proc/sys/net/ipv4/tcp_window_scaling
|
|
echo 0 > /proc/sys/net/ipv4/tcp_sack
|
|
echo 1280 > /proc/sys/net/ipv4/tcp_max_syn_backlog
|
|
|
|
## - SYN COOKIES
|
|
## -
|
|
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
|
|
|
|
|
|
## - Schutz gegen gefälschte Fehlermeldungen einschalten.
|
|
## -
|
|
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
|
|
|
|
|
|
## - Ignorieren von broadcast Pings
|
|
## -
|
|
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
|
|
|
|
|
|
## - NO SOURCE ROUTE
|
|
## -
|
|
## - Sperren von quellbasierendem Paket-Routing
|
|
## -
|
|
for asr in /proc/sys/net/ipv4/conf/*/accept_source_route; do
|
|
echo 0 > $asr
|
|
done
|
|
|
|
|
|
## - Keine ICMP Umleitungspakete akzeptieren.
|
|
## -
|
|
## - Diese können zur Veränderung der Routing Tables verwendet
|
|
## - werden, möglicherweise mit einem böswilligen Ziel.
|
|
## -
|
|
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
|
|
|
|
## - ANTISPOOFING
|
|
## -
|
|
## - Reverse Pfadfilterung aktivieren. Dies hilft durch automatisches Ablehnen
|
|
## - von Quelladressen, die nicht mit dem Netzwerkinterface übereinstimmen,
|
|
## - sicherzustellen, dass Pakete legitime Quelladressen benutzen. Dies hat
|
|
## - Sicherheitsvorteile, da es IP Spoofing verhindert. Wir müssen es für
|
|
## - alle net/ipv4/conf/* aktivieren, da sonst die Validierung der Quelle
|
|
## - nicht voll funktionsfähig ist.
|
|
## -
|
|
for rp_filter in /proc/sys/net/ipv4/conf/*/rp_filter; do
|
|
echo 1 > $rp_filter
|
|
done
|
|
|
|
## - NUMBER OF CONNECTIONS TO TRACK
|
|
## -
|
|
echo "65535" > /proc/sys/net/ipv4/netfilter/ip_conntrack_max
|
|
|
|
|
|
## - Protokollieren von Paketen die gespoofed sind, quellbasierendes
|
|
## - Routing verwenden oder Umleitungen sind.
|
|
## -
|
|
#echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
|
|
|
|
|
|
while read p; do
|
|
case $p in
|
|
-*) $ipt $p;;
|
|
esac
|
|
done << EOR
|
|
## - default policies
|
|
## -
|
|
-P INPUT ACCEPT
|
|
-P OUTPUT ACCEPT
|
|
-P FORWARD ACCEPT
|
|
|
|
-t nat -P PREROUTING ACCEPT
|
|
-t nat -P POSTROUTING ACCEPT
|
|
-t nat -P OUTPUT ACCEPT
|
|
|
|
## - flush chains
|
|
## -
|
|
-F
|
|
-F INPUT
|
|
-F OUTPUT
|
|
-F FORWARD
|
|
-F -t mangle
|
|
-F -t nat
|
|
-X
|
|
-Z
|
|
|
|
-t nat -A POSTROUTING -o $ext_if -j MASQUERADE
|
|
-I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
|
|
EOR
|
|
|
|
|
|
|
|
## - Protection against syn-flooding
|
|
## -
|
|
## - chains to DROP too many SYNs
|
|
## -
|
|
$ipt -N syn-flood
|
|
$ipt -A syn-flood -m limit --limit 1/second --limit-burst 3 -j RETURN
|
|
if $log_syn_flood || $log_all ; then
|
|
$ipt -A syn-flood -j LOG --log-prefix "IPv4: SYN flood: " --log-level debug
|
|
fi
|
|
$ipt -A syn-flood -j DROP
|
|
|
|
|
|
## FRAGMENTS
|
|
# I have to say that fragments scare me more than anything.
|
|
# Sending lots of non-first fragments was what allowed Jolt2 to effectively "drown"
|
|
# Firewall-1. Fragments can be overlapped, and the subsequent interpretation of such
|
|
# fragments is very OS-dependent (see this paper for details).
|
|
# I am not going to trust any fragments.
|
|
# Log fragments just to see if we get any, and deny them too.
|
|
if $log_fragments || $log_all ; then
|
|
$ipt -A INPUT -i $ext_if -f -j LOG --log-prefix "IPv4: IPTABLES FRAGMENTS: " --log-level debug
|
|
fi
|
|
$ipt -A INPUT -i $ext_if -f -j DROP
|
|
|
|
|
|
# - drop new packages without syn flag
|
|
## -
|
|
if $log_new_not_sync || $log_all ; then
|
|
$ipt -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "IPv4: New but not SYN: " --log-level debug
|
|
$ipt -A OUTPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "IPv4: New but not SYN: " --log-level debug
|
|
fi
|
|
$ipt -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
|
|
$ipt -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP
|
|
|
|
|
|
## - drop invalid packages
|
|
## -
|
|
if $log_invalid_state || $log_all ; then
|
|
$ipt -A INPUT -m state --state INVALID -j LOG --log-prefix "IPv4: Invalid state: " --log-level debug
|
|
fi
|
|
$ipt -A INPUT -m state --state INVALID -j DROP
|
|
|
|
|
|
## - ungewöhnliche Flags verwerfen
|
|
## -
|
|
if $log_invalid_flags || $log_all ; then
|
|
$ipt -A INPUT -i eth0 -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j LOG --log-prefix "IPv4: Invalid flags: " --log-level debug
|
|
$ipt -A INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "IPv4: Invalid flags: " --log-level debug
|
|
$ipt -A INPUT -i eth0 -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "IPv4: Invalid flags: " --log-level debug
|
|
fi
|
|
$ipt -A INPUT -i $ext_if -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
|
|
$ipt -A INPUT -i $ext_if -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
|
|
$ipt -A INPUT -i $ext_if -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
|
|
|
|
|
|
## - private Adressen auf externen interface verwerfen
|
|
## -
|
|
if $log_spoofed || $log_all ; then
|
|
$ipt -A INPUT -i $ext_if -s $local_ip -j LOG --log-prefix "IPv4: Spoofed (own ip): " --log-level debug
|
|
fi
|
|
$ipt -A INPUT -i $ext_if -s $local_ip -j DROP
|
|
|
|
|
|
# Refuse packets claiming to be from a
|
|
# Class A private network
|
|
# Class B private network
|
|
# Class C private network
|
|
# loopback interface
|
|
# Class D multicast address
|
|
# Class E reserved IP address
|
|
# broadcast address
|
|
if $log_spoofed || $log_all ; then
|
|
$ipt -A INPUT -i $ext_if -s $priv_class_a -j LOG --log-prefix "IPv4: Class A private net: " --log-level debug
|
|
$ipt -A INPUT -i $ext_if -s $priv_class_b -j LOG --log-prefix "IPv4: Class B private net: " --log-level debug
|
|
#$ipt -A INPUT -i $ext_if -s $priv_class_c -j LOG --log-prefix "IPv4: Class C private net: " --log-level debug
|
|
$ipt -A INPUT -i $ext_if -s $loopback -j LOG --log-prefix "IPv4: From Loopback: " --log-level debug
|
|
$ipt -A INPUT -i $ext_if -s $class_d_multicast -j LOG --log-prefix "IPv4: Class D Multicast: " --log-level debug
|
|
$ipt -A INPUT -i $ext_if -s $class_e_reserved -j LOG --log-prefix "IPv4: Class E reserved: " --log-level debug
|
|
$ipt -A INPUT -i $ext_if -d $broadcast_addr -j LOG --log-prefix "IPv4: Broadcast Address: " --log-level debug
|
|
fi
|
|
# Refuse packets claiming to be from a Class A private network.
|
|
$ipt -A INPUT -i $ext_if -s $priv_class_a -j DROP
|
|
# Refuse packets claiming to be from a Class B private network.
|
|
$ipt -A INPUT -i $ext_if -s $priv_class_b -j DROP
|
|
# Refuse packets claiming to be from a Class C private network.
|
|
#$ipt -A INPUT -i $ext_if -s $priv_class_c -j DROP
|
|
# Refuse packets claiming to be from loopback interface.
|
|
$ipt -A INPUT -i $ext_if -s $loopback -j DROP
|
|
# Refuse Class D multicast addresses. Multicast is illegal as a source address.
|
|
$ipt -A INPUT -i $ext_if -s $class_d_multicast -j DROP
|
|
# Refuse Class E reserved IP addresses.
|
|
$ipt -A INPUT -i $ext_if -s $class_e_reserved -j DROP
|
|
# Refuse broadcast address packets.
|
|
$ipt -A INPUT -i $ext_if -d $broadcast_addr -j DROP
|
|
|
|
|
|
# Refuse packets claiming to be to the loopback interface.
|
|
# Refusing packets claiming to be to the loopback interface protects against
|
|
# source quench, whereby a machine can be told to slow itself down by an icmp source
|
|
# quench to the loopback.
|
|
if $log_to_lo || $log_all ; then
|
|
$ipt -A INPUT -i $ext_if -d $loopback -j LOG --log-prefix "IPv4: To Loopback: " --log-level debug
|
|
fi
|
|
$ipt -A INPUT -i $ext_if -d $loopback -j DROP
|
|
|
|
|
|
# Don't allow spoofing from that server
|
|
$ipt -A OUTPUT -o $ext_if -s $priv_class_a -j DROP
|
|
$ipt -A OUTPUT -o $ext_if -s $priv_class_b -j DROP
|
|
#$ipt -A OUTPUT -o $ext_if -s $priv_class_c -j DROP
|
|
$ipt -A OUTPUT -o $ext_if -s $loopback -j DROP
|
|
|
|
|
|
# ------------- CHINANET-JS 222.184.0.0 - 222.191.255.255 -------------
|
|
#
|
|
for _ip in $blocked_ips ; do
|
|
if $log_blocked || $log_all ; then
|
|
$ipt -A INPUT -i $ext_if -s $_ip -j LOG --log-prefix "IPv4: Blocked ${_ip}: " --log-level debug
|
|
fi
|
|
$ipt -A INPUT -p ALL -s $_ip -j DROP
|
|
done
|
|
#
|
|
# ------------- Ende: CHINANET-JS 222.184.0.0 - 222.191.255.255 -------------
|
|
|
|
|
|
case $1 in
|
|
sto*) exit 0;;
|
|
esac
|
|
|
|
while read r; do
|
|
case $r in
|
|
-*) $ipt $r;;
|
|
esac
|
|
done << EOR
|
|
|
|
|
|
-A FORWARD -s 192.168.63.40 -p ALL -j ACCEPT
|
|
-A FORWARD -d 192.168.63.40 -p ALL -j ACCEPT
|
|
|
|
|
|
|
|
# ------------- das loopbackdevice -------------
|
|
# alles erlaubt
|
|
#
|
|
-A INPUT -i lo -j ACCEPT
|
|
-A OUTPUT -o lo -j ACCEPT
|
|
#
|
|
# ---------- Ende: das loopbackdevice ----------
|
|
|
|
|
|
# ---------- initialen Verkehr ----------
|
|
# von drinnen nach drausssen
|
|
#
|
|
#-A FORWARD -i $local_if -o $ext_if -p ALL -m state --state NEW -j ACCEPT
|
|
-A FORWARD -o $ext_if -p ALL -m state --state NEW -j ACCEPT
|
|
#
|
|
# ------- Ende: initialen Verkehr -------
|
|
|
|
|
|
# ------------- betsehende Verbindungen -------------
|
|
# bereits bestehende Verbindungen durchlassen
|
|
#
|
|
# -- rein --
|
|
#
|
|
-A INPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
|
|
#
|
|
# -- raus --
|
|
#
|
|
-A OUTPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
|
|
#
|
|
# foreward
|
|
#
|
|
-A FORWARD -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
|
|
#
|
|
# ---------- Ende betsehende Verbindungen -----------
|
|
|
|
|
|
|
|
# ------------- OpenVPN -------------
|
|
#
|
|
# -- initial via internet
|
|
#
|
|
#-A INPUT -p udp -i $ext_if --dport 1194 -m state --state NEW -j ACCEPT
|
|
-A INPUT -p udp -i $ext_if --dport 1195 -m state --state NEW -j ACCEPT
|
|
-A INPUT -p udp -i $ext_if --dport 1196 -m state --state NEW -j ACCEPT
|
|
#
|
|
# -- initial via lan
|
|
-A INPUT -p udp -i $local_if --dport 1194 -m state --state NEW -j ACCEPT
|
|
#
|
|
# -- ausgehende Anfragen
|
|
#
|
|
#-A OUTPUT -o $ext_if -p udp --dport 1194 -m state --state NEW -j ACCEPT
|
|
#
|
|
# -- forward
|
|
#
|
|
-A FORWARD -o $ext_if -p udp --dport 1194 -m state --state NEW -j ACCEPT
|
|
#
|
|
# -- alles via vpn device zulassen/durchrouten
|
|
#
|
|
-A INPUT -i $vpn_if -j ACCEPT
|
|
-A OUTPUT -o $vpn_if -j ACCEPT
|
|
-A FORWARD -i $vpn_if -j ACCEPT
|
|
-A FORWARD -o $vpn_if -j ACCEPT
|
|
#
|
|
# ---------- Ende: OpenVPN ----------
|
|
|
|
|
|
# ------------- smbclient / smbmount -------------
|
|
#
|
|
-A OUTPUT -o $local_if -p tcp --dport 445 -j ACCEPT
|
|
-A OUTPUT -o $local_if -p tcp --dport 137:139 -j ACCEPT
|
|
#
|
|
# ---------- Ende smbclient / smbmount -----------
|
|
|
|
|
|
# ------------- grundsaetzlich ablehnen -------------
|
|
#
|
|
# reinlaufenden windows kram
|
|
#
|
|
-A INPUT -p udp -i $ext_if --dport 137:139 -j DROP
|
|
-A INPUT -p udp -i $local_if --dport 137:139 -j DROP
|
|
-A INPUT -p tcp -i $ext_if --dport 137:139 -j DROP
|
|
-A INPUT -p tcp -i $local_if --dport 137:139 -j DROP
|
|
-A INPUT -p tcp -i $ext_if --dport 445 -j DROP
|
|
-A INPUT -p tcp -i $local_if --dport 445 -j DROP
|
|
#
|
|
# .. und forwards
|
|
#
|
|
-A FORWARD -i $local_if -o $ext_if -p tcp --dport 137:139 -j DROP
|
|
-A FORWARD -i $local_if -o $ext_if -p tcp --dport 445 -j DROP
|
|
#
|
|
#
|
|
# authentication tap ident
|
|
#
|
|
-A INPUT -p tcp -i $ext_if --dport 113 -j REJECT --reject-with tcp-reset
|
|
#
|
|
#
|
|
# Location Service
|
|
#
|
|
-A INPUT -p tcp -i $ext_if --dport 135 -j DROP
|
|
-A INPUT -p udp -i $ext_if --dport 135 -j DROP
|
|
#
|
|
# ---------- Ende: grundsaetzlich ablehnen -------------
|
|
|
|
|
|
# ------------- Wake on Lan -------------
|
|
#
|
|
-A OUTPUT -p udp -o $local_if --dport 9 -j ACCEPT
|
|
#
|
|
# ---------- Ende: Wake on Lan ----------
|
|
|
|
|
|
# ------------- SSH -------------
|
|
# reingehende Anfragen
|
|
#
|
|
-A INPUT -p tcp --syn -i $local_if --dport 22 -m state --state NEW -j ACCEPT
|
|
-A INPUT -p tcp --syn -i $ext_if --dport 22 -m state --state NEW -j ACCEPT
|
|
#
|
|
# ausgehende Anfragen
|
|
#
|
|
-A OUTPUT -p tcp --syn -o $local_if --dport 22 -m state --state NEW -j ACCEPT
|
|
-A OUTPUT -p tcp --syn -o $ext_if --dport 22 -m state --state NEW -j ACCEPT
|
|
#
|
|
# forward
|
|
#
|
|
-A FORWARD -p tcp --syn -o $ext_if --dport 22 -m state --state NEW -j ACCEPT
|
|
-A FORWARD -p tcp --syn -i $ext_if --dport 22 -m state --state NEW -j ACCEPT
|
|
#
|
|
# ---------- Ende SSH ------------
|
|
|
|
|
|
|
|
# ------------- DHCP -------------
|
|
# reingehende Anfragen
|
|
#
|
|
-A INPUT -p udp -i $local_if -s 0/0 --sport 68 -d 255.255.255.255 --dport 67 -j ACCEPT
|
|
#
|
|
# ausgehende Anfragen
|
|
#
|
|
-A OUTPUT -p udp -o $local_if --sport 67 -d 0/0 --dport 68 -j ACCEPT
|
|
#
|
|
# ---------- Ende DHCP ------------
|
|
|
|
|
|
# ------------- DNS -------------
|
|
#
|
|
# nameserver
|
|
#
|
|
# -- rein --
|
|
#
|
|
-A INPUT -i $local_if -p udp --dport 53 -m state --state NEW -j ACCEPT
|
|
#
|
|
# -- raus --
|
|
#
|
|
-A OUTPUT -o $ext_if -p udp --dport 53 -m state --state NEW -j ACCEPT
|
|
#
|
|
# forward
|
|
#
|
|
-A FORWARD -o $ext_if -p udp --dport 53 -m state --state NEW -j ACCEPT
|
|
#
|
|
# ---------- Ende DNS -----------
|
|
|
|
|
|
# ------------- MAIL -------------
|
|
# rausgehende SMTP-Verbindungen akzeptieren
|
|
#
|
|
-A OUTPUT -p tcp --syn -o $ext_if --dport 25 -m state --state NEW -j ACCEPT
|
|
#
|
|
# ansonsten nur forward
|
|
#
|
|
# smtp
|
|
-A FORWARD -p tcp --syn -o $ext_if --dport 25 -m state --state NEW -j ACCEPT
|
|
#
|
|
# submission
|
|
-A FORWARD -p tcp --syn -o $ext_if --dport 587 -m state --state NEW -j ACCEPT
|
|
#
|
|
# smtps
|
|
-A FORWARD -p tcp --syn -o $ext_if --dport 465 -m state --state NEW -j ACCEPT
|
|
#
|
|
# pop
|
|
-A FORWARD -p tcp --syn -o $ext_if --dport 110 -m state --state NEW -j ACCEPT
|
|
#
|
|
# pop/ssl
|
|
-A FORWARD -p tcp --syn -o $ext_if --dport 995 -m state --state NEW -j ACCEPT
|
|
#
|
|
# imap
|
|
-A FORWARD -p tcp --syn -o $ext_if --dport 143 -m state --state NEW -j ACCEPT
|
|
#
|
|
# imap/ssl
|
|
-A FORWARD -p tcp --syn -o $ext_if --dport 993 -m state --state NEW -j ACCEPT
|
|
#
|
|
# ---------- Ende MAIL -----------
|
|
|
|
|
|
# ------------- HTTP -------------
|
|
#
|
|
# rausgehende Verbindungen vom Gateway akzeptieren
|
|
# ( update clamav/freshclam, dyndns, apt-get )
|
|
#
|
|
-A OUTPUT -p tcp --syn -o $local_if --dport 80 -m state --state NEW -j ACCEPT
|
|
-A OUTPUT -p tcp --syn -o $local_if --dport 443 -m state --state NEW -j ACCEPT
|
|
-A OUTPUT -p tcp --syn -o $ext_if --dport 80 -m state --state NEW -j ACCEPT
|
|
-A OUTPUT -p tcp --syn -o $ext_if --dport 443 -m state --state NEW -j ACCEPT
|
|
#
|
|
# ansonsten nur forward
|
|
#
|
|
-A FORWARD -p tcp --syn -o $ext_if --dport 80 -m state --state NEW -j ACCEPT
|
|
-A FORWARD -p tcp --syn -o $ext_if --dport 443 -m state --state NEW -j ACCEPT
|
|
#
|
|
#-A FORWARD -p tcp --syn -o $ext_if --dport 8443 -m state --state NEW -j ACCEPT
|
|
#-A FORWARD -p tcp --syn -o $ext_if --dport 8000:8180 -m state --state NEW -j ACCEPT
|
|
#
|
|
# ---------- Ende HTTP -----------
|
|
|
|
|
|
# ------------- FTP -------------
|
|
#
|
|
# ausgehende Anfragen
|
|
#
|
|
# (Datenkanal aktiv)
|
|
-A INPUT -i $local_if -p tcp --sport 20 -j ACCEPT
|
|
# (Datenkanal passiv)
|
|
-A OUTPUT -o $local_if -p tcp --sport $unprivports --dport $unprivports -j ACCEPT
|
|
-A OUTPUT -o $ext_if -p tcp --sport $unprivports --dport $unprivports -j ACCEPT
|
|
# (Kontrollverbindung)
|
|
-A OUTPUT -o $local_if -p tcp --dport 21 -j ACCEPT
|
|
-A OUTPUT -o $ext_if -p tcp --dport 21 -j ACCEPT
|
|
#
|
|
# forward - nur Verbindungen nach draussen
|
|
#
|
|
-A FORWARD -p tcp -o $ext_if --dport 20 -j ACCEPT
|
|
-A FORWARD -p tcp -o $ext_if --dport 21 -j ACCEPT
|
|
-A FORWARD -p tcp -o $ext_if --sport $unprivports --dport $unprivports -j ACCEPT
|
|
#
|
|
# ---------- Ende FTP -----------
|
|
|
|
|
|
# ------------- NTP -------------
|
|
# (network time protokoll)
|
|
#
|
|
# rein
|
|
#
|
|
-A INPUT -i $local_if -p udp --sport 123 -m state --state NEW -j ACCEPT
|
|
-A INPUT -i $local_if -p tcp --sport 123 -m state --state NEW -j ACCEPT
|
|
#
|
|
# raus
|
|
#
|
|
-A OUTPUT -o $ext_if -p tcp --dport 123 -m state --state NEW -j ACCEPT
|
|
-A OUTPUT -o $ext_if -p udp --dport 123 -m state --state NEW -j ACCEPT
|
|
#
|
|
# forward
|
|
#
|
|
-A FORWARD -o $ext_if -p udp --dport 123 -j ACCEPT
|
|
-A FORWARD -o $ext_if -p tcp --dport 123 -j ACCEPT
|
|
#
|
|
# ---------- Ende NTP -----------
|
|
|
|
|
|
# ------------- pgpkeyserver -------------
|
|
#
|
|
# Forward -- nur Anfragen nach draussen
|
|
#
|
|
-A FORWARD -p tcp --syn -o $ext_if --dport 11370:11371 -m state --state NEW -j ACCEPT
|
|
-A OUTPUT -p tcp --syn -o $ext_if --dport 11370:11371 -m state --state NEW -j ACCEPT
|
|
#
|
|
# ---------- Ende pgpkeyserver ------------
|
|
|
|
# ------------- ldap / (z.Bsp. einige pgpkeyserver) -------------
|
|
#
|
|
# Forward -- nur Anfragen nach draussen
|
|
#
|
|
-A FORWARD -p tcp -o $ext_if --dport 389 -m state --state NEW -j ACCEPT
|
|
-A FORWARD -p udp -o $ext_if --dport 389 -m state --state NEW -j ACCEPT
|
|
-A OUTPUT -p tcp -o $ext_if --dport 389 -m state --state NEW -j ACCEPT
|
|
-A OUTPUT -p udp -o $ext_if --dport 389 -m state --state NEW -j ACCEPT
|
|
#
|
|
# ldaps LDAP over SSL
|
|
#
|
|
-A FORWARD -p tcp --syn -o $ext_if --dport 636 -j ACCEPT
|
|
-A FORWARD -p udp -o $ext_if --dport 636 -j ACCEPT
|
|
-A OUTPUT -p tcp --syn -o $ext_if --dport 636 -j ACCEPT
|
|
-A OUTPUT -p udp -o $ext_if --dport 636 -j ACCEPT
|
|
#
|
|
# ---------- Ende ldap ------------
|
|
|
|
|
|
# ------------- Newsserver nntp -------------
|
|
#
|
|
# Forward -- nur Anfragen nach draussen
|
|
#
|
|
-A FORWARD -p tcp --syn -o $ext_if --dport 119 -m state --state NEW -j ACCEPT
|
|
-A OUTPUT -p tcp --syn -o $ext_if --dport 119 -m state --state NEW -j ACCEPT
|
|
#
|
|
# ---------- Ende Newsserver nntp ------------
|
|
|
|
|
|
# ------------- Whois -------------
|
|
# nur ausgehende Anfragen und forward
|
|
#
|
|
#
|
|
-A OUTPUT -o $ext_if -p tcp --dport 43 -j ACCEPT
|
|
-A FORWARD -o $ext_if -p tcp --dport 43 -j ACCEPT
|
|
#
|
|
# ---------- Ende Whois ----------
|
|
|
|
|
|
# ------------- Chat -------------
|
|
# --- silc ---
|
|
#
|
|
# Forward und Anfragen nach draussen
|
|
#
|
|
-A FORWARD -p tcp --syn -o $ext_if --dport 706 -m state --state NEW -j ACCEPT
|
|
-A OUTPUT -p tcp --syn -o $ext_if --dport 706 -m state --state NEW -j ACCEPT
|
|
#
|
|
# --- irc ---
|
|
#
|
|
# forward und Anfragen nach draussen
|
|
#
|
|
-A FORWARD -p tcp --syn -o $ext_if --dport 194 -m state --state NEW -j ACCEPT
|
|
-A FORWARD -p udp -o $ext_if --dport 194 -m state --state NEW -j ACCEPT
|
|
-A OUTPUT -p tcp --syn -o $ext_if --dport 194 -m state --state NEW -j ACCEPT
|
|
-A OUTPUT -p udp -o $ext_if --dport 194 -m state --state NEW -j ACCEPT
|
|
#
|
|
# ---jabber ---
|
|
#
|
|
-A FORWARD -p tcp --syn -o $ext_if --dport 5222:5223 -m state --state NEW -j ACCEPT
|
|
#
|
|
# ---------- Ende chat ------------
|
|
|
|
|
|
# ------------- HBCI -------------
|
|
# hbci - port 3000/tcp
|
|
#
|
|
-A FORWARD -o $ext_if -p tcp --syn --dport 3000 -m state --state NEW -j ACCEPT
|
|
#
|
|
# ---------- Ende HBCI -----------
|
|
|
|
|
|
# ------------- Hylafax (Port 4559) -------------
|
|
# reingehende Verbindungen zum Hylafax-Server
|
|
#
|
|
-A INPUT -i $local_if -p tcp --dport 4559 -m state --state NEW -j ACCEPT
|
|
#
|
|
# ---------- Ende Hylafax -----------
|
|
|
|
|
|
# ------------- CUPS -------------
|
|
# (cupssys printer system)
|
|
#
|
|
-A FORWARD -i $local_if -p tcp --dport 631 -m state --state NEW -j ACCEPT
|
|
-A FORWARD -i $local_if -p tcp --dport 631 -m state --state NEW -j ACCEPT
|
|
#
|
|
# ---------- Ende CUPS -----------
|
|
|
|
|
|
# ------------- Drucken Port 9100 -------------
|
|
#
|
|
-A FORWARD -i $local_if -p tcp --dport 9100 -m state --state NEW -j ACCEPT
|
|
#
|
|
# ---------- Ende Drucken Port 9100 -----------
|
|
|
|
|
|
# ---------- SNMP ----------
|
|
#
|
|
#-A FORWARD -i $local_if -p tcp --dport 161 -m state --state NEW -j ACCEPT
|
|
#
|
|
# ---------- SNMP ----------
|
|
|
|
|
|
# ------------- VOIP -------------
|
|
#
|
|
# SIP
|
|
#
|
|
# Standard:
|
|
# Port: 5060 / UDP (SIP-Signalisierung)
|
|
# Port: 5004 / UDP (RTP, Sprache)
|
|
# Port: 10000 UDP (STUN)
|
|
#
|
|
# X-Lite:
|
|
# Port 5060 / UDP
|
|
# Port 8000 - 8019 / UDP
|
|
# Port 10000 /UDP
|
|
|
|
# reingehende Anfragen
|
|
#
|
|
-A INPUT -p tcp --syn -i $ext_if --dport 5060 -j ACCEPT
|
|
-A INPUT -p udp -i $ext_if --dport 5060 -j ACCEPT
|
|
#
|
|
# ausgehende Anfragen
|
|
#
|
|
-A OUTPUT -p tcp --syn -o $ext_if --dport 5060 -j ACCEPT
|
|
-A OUTPUT -p udp -o $ext_if --dport 5060 -j ACCEPT
|
|
#
|
|
# Forward -- nur Anfragen nach draussen
|
|
#
|
|
-A FORWARD -p tcp --syn -o $ext_if --dport 5060 -j ACCEPT
|
|
-A FORWARD -p udp -o $ext_if --dport 5060 -j ACCEPT
|
|
-A FORWARD -p udp -i $ext_if --dport 5060 -j ACCEPT
|
|
-A FORWARD -p udp -o $ext_if --dport 5004 -j ACCEPT
|
|
-A FORWARD -p udp -i $ext_if --dport 5004 -j ACCEPT
|
|
-A FORWARD -p tcp --syn -o $ext_if --dport 10000 -j ACCEPT
|
|
-A FORWARD -p udp -o $ext_if --dport 10000 -j ACCEPT
|
|
-A FORWARD -p udp -i $ext_if --dport 10000 -j ACCEPT
|
|
-A FORWARD -p udp -o $ext_if --sport 8000:8019 -j ACCEPT
|
|
-A FORWARD -p udp -i $ext_if --sport 8000:8019 -j ACCEPT
|
|
-A FORWARD -p udp -o $ext_if --sport 32700:32799 -j ACCEPT
|
|
#
|
|
# SKIPE
|
|
#
|
|
# reingehende Anfragen
|
|
#
|
|
# -A INPUT -p tcp --syn -i $ext_if --dport 54196 -j ACCEPT
|
|
# -A INPUT -p udp -i $ext_if --dport 54196 -j ACCEPT
|
|
#
|
|
# ausgehende Anfragen
|
|
#
|
|
#
|
|
# Forward -- Anfragen von draussen
|
|
#
|
|
# -- Linux
|
|
-A FORWARD -p tcp --syn -i $ext_if --dport 34957 -j ACCEPT
|
|
-A FORWARD -p tcp --syn -o $ext_if --sport 34957 -j ACCEPT
|
|
-A FORWARD -p udp -i $ext_if --dport 34957 -j ACCEPT
|
|
-A FORWARD -p udp -o $ext_if --sport 34957 -j ACCEPT
|
|
#
|
|
# ---------- Ende VOIP ------------
|
|
|
|
|
|
# ------------- Traceroute -------------
|
|
#
|
|
-A OUTPUT -p udp --dport 33434:33530 -o $local_if -j ACCEPT
|
|
-A INPUT -p udp --dport 33434:33530 -i $local_if -j ACCEPT
|
|
-A FORWARD -p udp --dport 33434:33530 -o $ext_if -j ACCEPT
|
|
#
|
|
# -------- Ende Traceroute -------------
|
|
|
|
|
|
# ------------ Ping ------------
|
|
#
|
|
# -- rein
|
|
-A INPUT -p icmp -j ACCEPT
|
|
#
|
|
# -- raus
|
|
-A OUTPUT -p icmp -j ACCEPT
|
|
#
|
|
# -- forward
|
|
-A FORWARD -p icmp -j ACCEPT
|
|
#
|
|
# ------- Ende Ping ------------
|
|
|
|
|
|
# ------------ Portforwarding ------------- #
|
|
# -
|
|
# -- VNC berenice ---
|
|
#
|
|
#-t nat -A PREROUTING -i $ext_if -p tcp --syn \
|
|
# --dport 5901 -j DNAT --to 192.168.122.111:5900
|
|
#-t filter -A FORWARD -p tcp --dport 5900 -d 192.168.122.111 \
|
|
# -i $ext_if -o $local_if -j ACCEPT
|
|
#
|
|
# -- VNC buero ---
|
|
#
|
|
#-t nat -A PREROUTING -i $ext_if -p tcp --syn \
|
|
# --dport 5902 -j DNAT --to 192.168.122.112:5900
|
|
#-t filter -A FORWARD -p tcp --dport 5900 -d 192.168.122.112 \
|
|
# -i $ext_if -o $local_if -j ACCEPT
|
|
#
|
|
# -- VNC buero3 ---
|
|
#
|
|
#-t nat -A PREROUTING -i $ext_if -p tcp --syn \
|
|
# --dport 5913 -j DNAT --to 192.168.122.113:5900
|
|
#-t filter -A FORWARD -p tcp --dport 5900 -d 192.168.122.113 \
|
|
# -i $ext_if -o $local_if -j ACCEPT
|
|
#
|
|
# -- VNC Karsten ---
|
|
#
|
|
#-t nat -A PREROUTING -i $ext_if -p tcp --syn \
|
|
# --dport 5904 -j DNAT --to 192.168.122.110:5900
|
|
#-t filter -A FORWARD -p tcp --dport 5900 -d 192.168.122.110 \
|
|
# -i $ext_if -o $local_if -j ACCEPT
|
|
#
|
|
# -- VNC file-km (windows7) ---
|
|
#
|
|
#-t nat -A PREROUTING -i $ext_if -p tcp --syn \
|
|
# --dport 5905 -j DNAT --to 192.168.122.10:5900
|
|
#-t filter -A FORWARD -p tcp --dport 5900 -d 192.168.122.10 \
|
|
# -i $ext_if -o $local_if -j ACCEPT
|
|
#
|
|
# -
|
|
# -- SSH file-anw ---
|
|
#
|
|
#-t nat -A PREROUTING -i $ext_if -p tcp --syn \
|
|
# --dport 9999 -j DNAT --to 192.168.122.10:22
|
|
#-t filter -A FORWARD -p tcp --dport 22 -d 192.168.122.10 \
|
|
# -i $ext_if -o $local_if -j ACCEPT
|
|
#
|
|
# ---------- Ende Portforwarding ---------- #
|
|
|
|
|
|
EOR
|
|
|
|
|
|
# ------------- Loggen -------------
|
|
#
|
|
if $log_rejected || $log_all ; then
|
|
#$ipt -A OUTPUT -j LOG --log-prefix "IPv4: Rejected: " --log-level debug
|
|
#$ipt -A INPUT -j LOG --log-prefix "IPv4: Rejected: " --log-level debug
|
|
#$ipt -A FORWARD -j LOG --log-prefix "IPv4: Rejected: " --log-level debug
|
|
$ipt -A OUTPUT -m limit --limit-burst 5 -j LOG --log-prefix "IPv4: Rejected: " --log-level debug
|
|
$ipt -A INPUT -m limit --limit-burst 5 -j LOG --log-prefix "IPv4: Rejected: " --log-level debug
|
|
$ipt -A FORWARD -m limit --limit-burst 2 -j LOG "IPv4: Rejected: " --log-level debug
|
|
fi
|
|
#
|
|
# ---------- Ende: Loggen ----------
|
|
|
|
|
|
# ------------- DROP -------------
|
|
# drop all other for all interfaces..
|
|
#
|
|
$ipt -A INPUT -j DROP
|
|
$ipt -A OUTPUT -j DROP
|
|
$ipt -A FORWARD -j DROP
|
|
#
|
|
# ---------- Ende: DROP ----------
|
|
|
|
|
|
|
|
exit 0
|