debianforum.de - Eintrag ansehen

NoPaste

Firewall-Skript

von Anonymous

SNIPPET_TEXT:

#!/bin/sh
# ***************************
# ***************************
# * *
# * 1. SETZEN VON VARIABLEN *
# * *
# ***************************
# ***************************
# 1.1. Netzwerkvariablen
# Schnittstelle zum lokalen Netzwerk
IFACE_INT=eth1
# Internetschnittstelle
IFACE_EXT=eth0
# Loopback device
IFACE_LO=lo
# Interner Netzwerkbereich
NET_INT=192.168.0.0/24
function StopFirewall() {
# **********************************
# **********************************
# * *
# * 2. HERUNTERFAHREN DER FIREWALL *
# * *
# **********************************
# **********************************
# Ausschalten des Routing
echo "0" > /proc/sys/net/ipv4/ip_forward
# Default-Policies: Alles rein und raus, kein Forwarding mehr
iptables -P INPUT ACCEPT
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Löschen aller Regeln
iptables -F
iptables -t nat -F
# Löschen aller zusätzlichen Ketten
iptables -X
iptables -t nat -X
}
function StartFirewall() {
# ***************************
# ***************************
# * *
# * 3. Starten der Firewall *
# * *
# ***************************
# ***************************
# 3.1 Allgemeines
# Default-Policies setzen - alles fliegt raus
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# Einschalten von ip-Forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward
# Wegen moeglicher Netzwerkprobleme zwecks MTU
iptables -I FORWARD -p TCP --tcp-flags SYN,RST SYN \
-j TCPMSS --clamp-mss-to-pmtu
# 3.1.1. Eigene Kette zum gleichzeitigen Protokollieren und Rausschmeissen
# Eigene Kette erstellen
iptables -N RAUS
# Protokollieren
iptables -A RAUS -j LOG -m limit --limit 5/minute \
--log-prefix "Böses Paket: "
# Raussschmeissen
iptables -A RAUS -j DROP
# 3.2. Regeln fuer eingehende Pakete
# 3.2.1. Vom internen Netzwerk
# Alles erlauben
iptables -A INPUT -i $IFACE_INT -s $NET_INT -j ACCEPT
# 3.2.2. Vom Loopback
# Alles erlauben
iptables -A INPUT -i $IFACE_LO -j ACCEPT
# 3.2.3. Vom Internet
# packets, which doesn't initiate a connection but state marked as new
# should be dropped
iptables -A INPUT -p TCP ! --syn -m state --state NEW -j RAUS
#Ping-Antworten empfangen
iptables -A INPUT -p ICMP -m icmp --icmp-type echo-reply -m state --state ESTABLISHED,RELATED -j ACCEPT
# Verbindung von Zeitserver ptbtime1.ptb.de zulassen
iptables -A INPUT -i $IFACE_EXT -p UDP -s 192.53.103.108 --sport 123 -j ACCEPT
# send requests for port 445 (samba) to a tarpit and log it
iptables -N TAR-PIT
iptables -A TAR-PIT -j LOG -m limit --limit 30/hour --log-prefix "(-: TARPIT :-)"
iptables -A TAR-PIT -i $IFACE_EXT -p tcp -j TARPIT
iptables -A INPUT -i $IFACE_EXT -p tcp --dport 445 -j TAR-PIT
# Private Addressräume von Extern. Kann nicht sein, daher manipulierte Pakete, daher raus
#iptables -A INPUT -i $IFACE_EXT -s 10.0.0.0/8 -j RAUS
#iptables -A INPUT -i $IFACE_EXT -s 172.16.0.0/12 -j RAUS
#iptables -A INPUT -i $IFACE_EXT -s 192.168.0.0/24 -j RAUS
# allow all packets with status "established" or "related" to pass the dev
# allow packets to pass the dev at udp-ports 68,80 explicitly
iptables -A INPUT -i $IFACE_EXT -p udp -m multiport --dports 53,68 -j ACCEPT
iptables -A INPUT -i $IFACE_EXT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i $IFACE_EXT -m state --state ESTABLISHED,RELATED -j ACCEPT
# 3.3. Regeln fuers Forwarding
# 3.3.1. Lokal -> Internet
# Erlauben von FTP, Telnet, SMTP, HTML, POP3, SHTML, Secure POP3, ICQ Verbindungen, git, ICQ-rcv-ports, torrent-ports, debtorrent
iptables -A FORWARD -i $IFACE_INT -o $IFACE_EXT -p TCP -m multiport \
--dports 21,23,25,80,110,443,995,5190,9418,6000:6010,6011:6020,6969 -j ACCEPT
#SIP
iptables -A FORWARD -i $IFACE_INT -o $IFACE_EXT -p UDP --sport 5060 -j ACCEPT
#Ping-Pakete versenden
iptables -A FORWARD -i $IFACE_INT -o $IFACE_EXT -p ICMP -m icmp --icmp-type echo-request -j ACCEPT
# 3.3.2. Internet -> Lokales
# Erlauben von eingehenden Paketen
iptables -A FORWARD -i $IFACE_EXT -o $IFACE_INT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Ping-Pakete empfangen
iptables -A FORWARD -i $IFACE_EXT -o $IFACE_INT -p ICMP -m icmp --icmp-type echo-reply -m state --state ESTABLISHED,RELATED -j ACCEPT
# 3.4. Regeln für ausgehende Pakete
# 3.4.1. Ins lokale Netzwerk
# Alles erlauben
iptables -A OUTPUT -o $IFACE_INT -j ACCEPT
# 3.4.2. Ans Loopback
# Alles erlauben
iptables -A OUTPUT -o $IFACE_LO -j ACCEPT
# 3.4.3. Ins Internet
# Ping-Pakete senden
iptables -A OUTPUT -o $IFACE_EXT -p ICMP -m icmp --icmp-type echo-request -j ACCEPT
# Verkehr zu dem Zeitserver ptbtime1.ptb.de erlauben
iptables -A OUTPUT -o $IFACE_EXT -p UDP -d 192.53.103.108 --sport 123 -j ACCEPT
# open ports from router to output
iptables -A OUTPUT -p udp -m multiport --dports 53,67 -j ACCEPT
# lighttpd:
iptables -A OUTPUT -o $IFACE_EXT -p tcp --sport 80 -j ACCEPT
iptables -A OUTPUT -o $IFACE_EXT -p tcp --dport 80 -j ACCEPT
# Masquerading
iptables -A POSTROUTING -s $NET_INT -o $IFACE_EXT -t nat -j MASQUERADE
# 3.5 Mitprotokollieren
iptables -A OUTPUT -j LOG --log-prefix "Nicht raus: "
iptables -A FORWARD -j LOG --log-prefix "Nicht durch: "
iptables -A INPUT -p all ! --dport 445 -j LOG --log-prefix "Nicht rein: "
}
function InternSsh() {
# ***************************
# ***************************
# * *
# * SSH-LAN Mode *
# * *
# ***************************
# ***************************
/etc/init.d/ssh stop
cp /etc/ssh/sshd_config_int /etc/ssh/sshd_config
iptables -D INPUT -i $IFACE_EXT -p tcp --dport <ssh-port> -j ACCEPT
iptables -D OUTPUT -o $IFACE_EXT -p tcp --sport <ssh-port> -j ACCEPT
/etc/init.d/ssh start
}
function ExternSsh() {
# ***************************
# ***************************
# * *
# * SSH-WAN Mode *
# * *
# ***************************
# ***************************
/etc/init.d/ssh stop
cp /etc/ssh/sshd_config_ext /etc/ssh/sshd_config
iptables -A INPUT -i $IFACE_EXT -p tcp --dport <ssh-port> -j ACCEPT
iptables -A OUTPUT -o $IFACE_EXT -p tcp --sport <ssh-port> -j ACCEPT
/etc/init.d/ssh start
}
# **********************
# **********************
# * *
# * START-STOP-SKRIPT *
# * *
# **********************
# **********************
case "$1" in
start)
echo -n "Starting firewall: iptables"
StartFirewall
;;
stop)
echo "Stopping firewall: iptables"
StopFirewall
echo "."
;;
force-reload|restart)
$0 stop
$0 start
;;
ssh-intern)
echo "Modifying rules for SSH in LAN-Mode"
InternSsh
echo "."
;;
ssh-extern)
echo "Modifying rules for SSH in WAN-Mode"
ExternSsh
echo "."
;;
*)
echo "Usage: /var/scripts/firewall {start|stop|restart" \
"|force-reload ssh-intern ssh-extern}"
exit 1
;;
esac

Quellcode

Hier kannst du den Code kopieren und ihn in deinen bevorzugten Editor einfügen. PASTEBIN_DOWNLOAD_SNIPPET_EXPLAIN

#!/bin/sh
# ***************************
# ***************************
# * *
# * 1. SETZEN VON VARIABLEN *
# * *
# ***************************
# ***************************

# 1.1. Netzwerkvariablen

# Schnittstelle zum lokalen Netzwerk
IFACE_INT=eth1

# Internetschnittstelle
IFACE_EXT=eth0

# Loopback device
IFACE_LO=lo

# Interner Netzwerkbereich
NET_INT=192.168.0.0/24

function StopFirewall() {
# **********************************
# **********************************
# * *
# * 2. HERUNTERFAHREN DER FIREWALL *
# * *
# **********************************
# **********************************

# Ausschalten des Routing
echo "0" > /proc/sys/net/ipv4/ip_forward

# Default-Policies: Alles rein und raus, kein Forwarding mehr
iptables -P INPUT ACCEPT
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Löschen aller Regeln
iptables -F
iptables -t nat -F

# Löschen aller zusätzlichen Ketten
iptables -X
iptables -t nat -X

}

function StartFirewall() {
# ***************************
# ***************************
# * *
# * 3. Starten der Firewall *
# * *
# ***************************
# ***************************

# 3.1 Allgemeines

# Default-Policies setzen - alles fliegt raus
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# Einschalten von ip-Forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward

# Wegen moeglicher Netzwerkprobleme zwecks MTU
iptables -I FORWARD -p TCP --tcp-flags SYN,RST SYN \
-j TCPMSS --clamp-mss-to-pmtu

# 3.1.1. Eigene Kette zum gleichzeitigen Protokollieren und Rausschmeissen

# Eigene Kette erstellen
iptables -N RAUS

# Protokollieren
iptables -A RAUS -j LOG -m limit --limit 5/minute \
--log-prefix "Böses Paket: "

# Raussschmeissen
iptables -A RAUS -j DROP

# 3.2. Regeln fuer eingehende Pakete

# 3.2.1. Vom internen Netzwerk

# Alles erlauben
iptables -A INPUT -i $IFACE_INT -s $NET_INT -j ACCEPT

# 3.2.2. Vom Loopback

# Alles erlauben
iptables -A INPUT -i $IFACE_LO -j ACCEPT

# 3.2.3. Vom Internet

# packets, which doesn't initiate a connection but state marked as new
# should be dropped
iptables -A INPUT -p TCP ! --syn -m state --state NEW -j RAUS

#Ping-Antworten empfangen
iptables -A INPUT -p ICMP -m icmp --icmp-type echo-reply -m state --state ESTABLISHED,RELATED -j ACCEPT

# Verbindung von Zeitserver ptbtime1.ptb.de zulassen
iptables -A INPUT -i $IFACE_EXT -p UDP -s 192.53.103.108 --sport 123 -j ACCEPT

# send requests for port 445 (samba) to a tarpit and log it
iptables -N TAR-PIT
iptables -A TAR-PIT -j LOG -m limit --limit 30/hour --log-prefix "(-: TARPIT :-)"
iptables -A TAR-PIT -i $IFACE_EXT -p tcp -j TARPIT
iptables -A INPUT -i $IFACE_EXT -p tcp --dport 445 -j TAR-PIT

# Private Addressräume von Extern. Kann nicht sein, daher manipulierte Pakete, daher raus
#iptables -A INPUT -i $IFACE_EXT -s 10.0.0.0/8 -j RAUS
#iptables -A INPUT -i $IFACE_EXT -s 172.16.0.0/12 -j RAUS
#iptables -A INPUT -i $IFACE_EXT -s 192.168.0.0/24 -j RAUS

# allow all packets with status "established" or "related" to pass the dev
# allow packets to pass the dev at udp-ports 68,80 explicitly
iptables -A INPUT -i $IFACE_EXT -p udp -m multiport --dports 53,68 -j ACCEPT
iptables -A INPUT -i $IFACE_EXT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i $IFACE_EXT -m state --state ESTABLISHED,RELATED -j ACCEPT

# 3.3. Regeln fuers Forwarding

# 3.3.1. Lokal -> Internet
# Erlauben von FTP, Telnet, SMTP, HTML, POP3, SHTML, Secure POP3, ICQ Verbindungen, git, ICQ-rcv-ports, torrent-ports, debtorrent
iptables -A FORWARD -i $IFACE_INT -o $IFACE_EXT -p TCP -m multiport \
--dports 21,23,25,80,110,443,995,5190,9418,6000:6010,6011:6020,6969 -j ACCEPT

#SIP
iptables -A FORWARD -i $IFACE_INT -o $IFACE_EXT -p UDP --sport 5060 -j ACCEPT

#Ping-Pakete versenden
iptables -A FORWARD -i $IFACE_INT -o $IFACE_EXT -p ICMP -m icmp --icmp-type echo-request -j ACCEPT

# 3.3.2. Internet -> Lokales

# Erlauben von eingehenden Paketen
iptables -A FORWARD -i $IFACE_EXT -o $IFACE_INT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Ping-Pakete empfangen
iptables -A FORWARD -i $IFACE_EXT -o $IFACE_INT -p ICMP -m icmp --icmp-type echo-reply -m state --state ESTABLISHED,RELATED -j ACCEPT

# 3.4. Regeln für ausgehende Pakete

# 3.4.1. Ins lokale Netzwerk

# Alles erlauben
iptables -A OUTPUT -o $IFACE_INT -j ACCEPT

# 3.4.2. Ans Loopback

# Alles erlauben
iptables -A OUTPUT -o $IFACE_LO -j ACCEPT

# 3.4.3. Ins Internet

# Ping-Pakete senden
iptables -A OUTPUT -o $IFACE_EXT -p ICMP -m icmp --icmp-type echo-request -j ACCEPT

# Verkehr zu dem Zeitserver ptbtime1.ptb.de erlauben
iptables -A OUTPUT -o $IFACE_EXT -p UDP -d 192.53.103.108 --sport 123 -j ACCEPT

# open ports from router to output
iptables -A OUTPUT -p udp -m multiport --dports 53,67 -j ACCEPT

# lighttpd:
iptables -A OUTPUT -o $IFACE_EXT -p tcp --sport 80 -j ACCEPT
iptables -A OUTPUT -o $IFACE_EXT -p tcp --dport 80 -j ACCEPT

# Masquerading

iptables -A POSTROUTING -s $NET_INT -o $IFACE_EXT -t nat -j MASQUERADE

# 3.5 Mitprotokollieren

iptables -A OUTPUT -j LOG --log-prefix "Nicht raus: "

iptables -A FORWARD -j LOG --log-prefix "Nicht durch: "

iptables -A INPUT -p all ! --dport 445 -j LOG --log-prefix "Nicht rein: "

}

function InternSsh() {
# ***************************
# ***************************
# * *
# * SSH-LAN Mode            *
# * *
# ***************************
# ***************************

/etc/init.d/ssh stop
cp /etc/ssh/sshd_config_int /etc/ssh/sshd_config
iptables -D INPUT -i $IFACE_EXT -p tcp --dport <ssh-port> -j ACCEPT
iptables -D OUTPUT -o $IFACE_EXT -p tcp --sport <ssh-port> -j ACCEPT
/etc/init.d/ssh start
}

function ExternSsh() {
# ***************************
# ***************************
# * *
# * SSH-WAN Mode            *
# * *
# ***************************
# ***************************

/etc/init.d/ssh stop
cp /etc/ssh/sshd_config_ext /etc/ssh/sshd_config
iptables -A INPUT -i $IFACE_EXT -p tcp --dport <ssh-port> -j ACCEPT
iptables -A OUTPUT -o $IFACE_EXT -p tcp --sport <ssh-port> -j ACCEPT
/etc/init.d/ssh start
}

# **********************
# **********************
# * *
# * START-STOP-SKRIPT *
# * *
# **********************
# **********************

case "$1" in
start)
echo -n "Starting firewall: iptables"
StartFirewall
;;

stop)
echo "Stopping firewall: iptables"
StopFirewall
echo "."
;;

force-reload|restart)
$0 stop
$0 start
;;

ssh-intern)
echo "Modifying rules for SSH in LAN-Mode"
InternSsh
echo "."
;;

ssh-extern)
echo "Modifying rules for SSH in WAN-Mode"
ExternSsh
echo "."
;;

*)
echo "Usage: /var/scripts/firewall {start|stop|restart" \
"|force-reload ssh-intern ssh-extern}"
exit 1
;;
esac

LATEST_SNIPPETS

debian preseed early scri… (16.04.2024 15:55:45, heisenberg)
wmctrl kann Schreibtisch.… (14.04.2024 11:29:23, ndila2004)
Debian preseed.conf (12.04.2024 19:57:28, heisenberg)
Debian ftpsync.conf (12.04.2024 19:51:25, heisenberg)
debian preseed installati… (12.04.2024 19:48:00, heisenberg)
Stromverbrauch Esprimo Q9… (10.04.2024 18:09:44, heisenberg)
esprimo Q920 (10.04.2024 18:06:03, heisenberg)
20 s Verzögerung (05.04.2024 20:19:28, Gamma47)
Server zu verschenken: X9… (03.04.2024 18:04:39, heisenberg)
Debian Testing zerschosse… (01.04.2024 16:07:13, Spindoctor)
wacholderweg (28.03.2024 15:54:03, fischig)
wg0.conf Konfiguration (28.03.2024 10:53:57, hawkeye78)
DOCKER COMPOSE SERVER B (28.03.2024 10:51:35, hawkeye78)
docker compose Server A (28.03.2024 10:49:26, hawkeye78)
Systemd-Autologin (26.03.2024 18:37:19, KP97)
Ausgabe smartctl (26.03.2024 08:00:59, thunder11)
CheckMK Installer/Updater… (25.03.2024 23:11:09, heisenberg)
btrfs raid1 changing degr… (26.02.2024 15:53:28, heisenberg)
zfs raid1 changing degrad… (26.02.2024 15:52:16, heisenberg)
yt-dlp installieren (24.02.2024 11:40:21, thunder11)

NoPaste

NoPaste

Firewall-Skript

Quellcode

Verlinken

LATEST_SNIPPETS