Firewall-Skript
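#!/bin/sh
# ***************************
# ***************************
# *                         *
# * 1. VARIABLES            *
# *                         *
# ***************************
# ***************************
# Keep the function definitions in the POSIX form "name() { ... }" (no bash
# "function" keyword): /bin/sh is dash on Debian-derived systems and rejects
# the bash-only syntax, so the script would not even parse there.
#
# 1.1 Network variables
# Interface towards the LAN
IFACE_INT=eth1
# Interface towards the internet
IFACE_EXT=eth0
# Loopback device
IFACE_LO=lo
# Internal address range. Also used to reject packets that arrive on the
# WAN interface while claiming a LAN source (spoofing).
NET_INT=192.168.0.0/24
# 1.2 Port sshd listens on when reachable from the WAN (see the ssh-intern /
# ssh-extern modes). Must match the Port directive in sshd_config_ext.
SSH_PORT=22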
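StopFirewall() {
    # **********************************
    # **********************************
    # *                                *
    # * 2. TAKE THE FIREWALL DOWN      *
    # *                                *
    # **********************************
    # **********************************
    # Note the resulting state: routing is off and FORWARD stays DROP, but
    # INPUT/OUTPUT are set to ACCEPT and every rule is flushed, i.e. the host
    # itself is unfiltered until "start" runs again.
    # Disable routing first so nothing is forwarded while the rules go away.
    echo "0" > /proc/sys/net/ipv4/ip_forward
    # Default policies: everything in and out, no more forwarding
    iptables -P INPUT ACCEPT
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT
    # Flush all rules. The mangle table is included so nothing that was put
    # there (e.g. an MSS clamp) survives a stop/start cycle.
    iptables -F
    iptables -t nat -F
    iptables -t mangle -F
    # Delete all user-defined chains (RAUS, TAR-PIT, ...)
    iptables -X
    iptables -t nat -X
    iptables -t mangle -X
}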
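StartFirewall() {
    # ***************************
    # ***************************
    # *                         *
    # * 3. Bring the firewall up *
    # *                         *
    # ***************************
    # ***************************
    # 3.1 General
    # Default policies first, so nothing slips through while the rules below
    # are still being installed: everything no rule accepts is dropped.
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT DROP
    # Enable IP forwarding only now that FORWARD is already DROP.
    echo "1" > /proc/sys/net/ipv4/ip_forward
    # Reverse-path filtering: drop packets whose source address would not be
    # routed back out through the interface they came in on. Cheap
    # anti-spoofing for a two-interface router.
    echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
    # NOTE(review): only IPv4 is filtered here. If the kernel has IPv6
    # enabled, ip6tables keeps its default ACCEPT policies and every service
    # listening on :: is reachable from the WAN side. Either disable IPv6 on
    # the box or mirror the DROP policies with ip6tables.
    # Clamp the MSS of forwarded SYNs to the path MTU (PPPoE/DSL links with a
    # smaller MTU otherwise produce stalled connections).
    iptables -I FORWARD -p TCP --tcp-flags SYN,RST SYN \
        -j TCPMSS --clamp-mss-to-pmtu
    # 3.1.1 Own chain "RAUS": log (rate-limited) and drop in one go
    iptables -N RAUS
    iptables -A RAUS -m limit --limit 5/minute -j LOG \
        --log-prefix "Böses Paket: "
    iptables -A RAUS -j DROP
    # 3.2 Rules for incoming packets
    # 3.2.1 From the LAN: everything from our own network on the LAN interface
    iptables -A INPUT -i "$IFACE_INT" -s "$NET_INT" -j ACCEPT
    # 3.2.2 From loopback: everything
    iptables -A INPUT -i "$IFACE_LO" -j ACCEPT
    # 3.2.3 From the internet
    # A packet claiming our own LAN range as source cannot legitimately
    # arrive on the WAN interface: spoofed, log and drop.
    iptables -A INPUT -i "$IFACE_EXT" -s "$NET_INT" -j RAUS
    # The same holds for the other RFC 1918 ranges -- unless the WAN side
    # itself sits behind a NAT router on a private range, which is presumably
    # why these stay commented out. Enable them if the WAN has a public IP.
    # (192.168.0.0/16 is the whole private block, not /24.)
    #iptables -A INPUT -i "$IFACE_EXT" -s 10.0.0.0/8 -j RAUS
    #iptables -A INPUT -i "$IFACE_EXT" -s 172.16.0.0/12 -j RAUS
    #iptables -A INPUT -i "$IFACE_EXT" -s 192.168.0.0/16 -j RAUS
    # TCP packets that do not open a connection (no SYN) but are not part of
    # a tracked one either: stealth scans / stray segments.
    iptables -A INPUT -p TCP ! --syn -m state --state NEW -j RAUS
    # Replies to connections the router itself opened. Placed early so the
    # common case is matched by one rule.
    iptables -A INPUT -i "$IFACE_EXT" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Ping replies
    iptables -A INPUT -p ICMP -m icmp --icmp-type echo-reply -m state --state ESTABLISHED,RELATED -j ACCEPT
    # NTP from ptbtime1.ptb.de. The address is hard-coded; re-check it if time
    # sync stops working. --dport 123 restricts this to the local NTP daemon:
    # without it any UDP datagram with a (trivially spoofed) source of
    # 192.53.103.108:123 would reach every local UDP port.
    iptables -A INPUT -i "$IFACE_EXT" -p UDP -s 192.53.103.108 --sport 123 --dport 123 -j ACCEPT
    # Port 445 (SMB) probes from the WAN go to a tarpit and are logged.
    # TARPIT is an xtables-addons target, not stock iptables; if the module is
    # missing the rule fails to load and such packets fall through to the
    # DROP policy instead (fails closed).
    iptables -N TAR-PIT
    iptables -A TAR-PIT -m limit --limit 30/hour -j LOG --log-prefix "(-: TARPIT :-)"
    iptables -A TAR-PIT -i "$IFACE_EXT" -p tcp -j TARPIT
    iptables -A INPUT -i "$IFACE_EXT" -p tcp --dport 445 -j TAR-PIT
    # Services the router itself offers on the WAN side.
    # UDP 68: DHCP client for the WAN address (offers are not always tracked
    # as ESTABLISHED). Replies to our own DNS lookups are covered by the
    # ESTABLISHED rule above, so UDP 53 is deliberately NOT opened here: a
    # resolver bound to the WAN interface would otherwise be an open
    # resolver usable for DNS amplification.
    iptables -A INPUT -i "$IFACE_EXT" -p udp --dport 68 -j ACCEPT
    # TCP 80: the local lighttpd is intentionally reachable from the internet.
    iptables -A INPUT -i "$IFACE_EXT" -p tcp --dport 80 -j ACCEPT
    # 3.3 Rules for forwarding
    # 3.3.1 LAN -> internet
    # -s $NET_INT keeps a LAN host from pushing packets with a forged source
    # through the router; those would also miss the MASQUERADE rule below and
    # leave towards the ISP unmodified.
    # Allowed: FTP, Telnet, SMTP, HTTP, POP3, HTTPS, POP3S, ICQ, git, ICQ
    # receive ports, torrent ports, debtorrent. FTP (21) and Telnet (23) are
    # cleartext; the FTP data channel is only picked up by the RELATED rule
    # if nf_conntrack_ftp is loaded.
    iptables -A FORWARD -i "$IFACE_INT" -o "$IFACE_EXT" -s "$NET_INT" -p TCP -m multiport \
        --dports 21,23,25,80,110,443,995,5190,9418,6000:6010,6011:6020,6969 -j ACCEPT
    # SIP signalling. Matches on the *source* port of the phone; RTP media
    # ports are not covered by this rule.
    iptables -A FORWARD -i "$IFACE_INT" -o "$IFACE_EXT" -s "$NET_INT" -p UDP --sport 5060 -j ACCEPT
    # Outgoing pings
    iptables -A FORWARD -i "$IFACE_INT" -o "$IFACE_EXT" -s "$NET_INT" -p ICMP -m icmp --icmp-type echo-request -j ACCEPT
    # 3.3.2 Internet -> LAN: only replies to connections opened from the LAN
    # (this already includes ping replies).
    iptables -A FORWARD -i "$IFACE_EXT" -o "$IFACE_INT" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 3.4 Rules for outgoing packets
    # 3.4.1 Into the LAN: everything
    iptables -A OUTPUT -o "$IFACE_INT" -j ACCEPT
    # 3.4.2 To loopback: everything
    iptables -A OUTPUT -o "$IFACE_LO" -j ACCEPT
    # 3.4.3 Into the internet
    # Replies to connections INPUT already accepted (lighttpd, NTP, SSH when
    # in WAN mode) plus RELATED ICMP errors. Opens nothing new inbound: new
    # connections are still gated by INPUT.
    iptables -A OUTPUT -o "$IFACE_EXT" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Send pings
    iptables -A OUTPUT -o "$IFACE_EXT" -p ICMP -m icmp --icmp-type echo-request -j ACCEPT
    # NTP to ptbtime1.ptb.de (any local NTP client, not just one bound to 123)
    iptables -A OUTPUT -o "$IFACE_EXT" -p UDP -d 192.53.103.108 --dport 123 -j ACCEPT
    # DNS lookups and DHCP client traffic from the router itself
    iptables -A OUTPUT -p udp -m multiport --dports 53,67 -j ACCEPT
    # lighttpd replies (also covered by ESTABLISHED) and plain HTTP from the
    # router itself, e.g. package updates
    iptables -A OUTPUT -o "$IFACE_EXT" -p tcp --sport 80 -j ACCEPT
    iptables -A OUTPUT -o "$IFACE_EXT" -p tcp --dport 80 -j ACCEPT
    # Masquerading for the LAN
    iptables -t nat -A POSTROUTING -s "$NET_INT" -o "$IFACE_EXT" -j MASQUERADE
    # 3.5 Log what falls through to the DROP policies. Rate-limited so a
    # flood from the WAN cannot fill syslog / the disk.
    iptables -A OUTPUT -m limit --limit 5/minute -j LOG --log-prefix "Nicht raus: "
    iptables -A FORWARD -m limit --limit 5/minute -j LOG --log-prefix "Nicht durch: "
    # The original "-p all ! --dport 445" is not valid iptables syntax
    # (--dport needs -p tcp or -p udp), so that line never loaded. The
    # exclusion is not needed anyway: TCP/445 from the WAN is consumed by the
    # terminating TARPIT rule and never reaches the end of the chain.
    iptables -A INPUT -m limit --limit 5/minute -j LOG --log-prefix "Nicht rein: "
}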
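InternSsh() {
    # ***************************
    # ***************************
    # *                         *
    # * SSH-LAN mode            *
    # *                         *
    # ***************************
    # ***************************
    # Switch sshd back to the LAN-only config and close the WAN port.
    # SSH_PORT is the port sshd listens on (section 1.1 or the environment).
    # The original had a literal "<ssh-port>" placeholder here, which the
    # shell parses as two redirections rather than as a port number.
    # Abort before touching sshd if it is not set.
    : "${SSH_PORT:?SSH_PORT is not set}"
    /etc/init.d/ssh stop
    if ! cp /etc/ssh/sshd_config_int /etc/ssh/sshd_config; then
        echo "firewall: could not install sshd_config_int" >&2
    fi
    # Remove every copy of the WAN rules: ssh-extern may have been run more
    # than once, and a single -D would leave the port open. -D fails (and
    # ends the loop) once no matching rule is left. Done even if the copy
    # above failed, so the WAN side is closed in any case.
    while iptables -D INPUT -i "$IFACE_EXT" -p tcp --dport "$SSH_PORT" -j ACCEPT 2>/dev/null; do :; done
    while iptables -D OUTPUT -o "$IFACE_EXT" -p tcp --sport "$SSH_PORT" -j ACCEPT 2>/dev/null; do :; done
    /etc/init.d/ssh start
}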
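ExternSsh() {
    # ***************************
    # ***************************
    # *                         *
    # * SSH-WAN mode            *
    # *                         *
    # ***************************
    # ***************************
    # Switch sshd to the WAN config and open its port on the WAN interface.
    # SSH_PORT is the port sshd listens on (section 1.1 or the environment).
    # The original had a literal "<ssh-port>" placeholder here, which the
    # shell parses as two redirections rather than as a port number.
    # Abort before touching sshd if it is not set.
    : "${SSH_PORT:?SSH_PORT is not set}"
    /etc/init.d/ssh stop
    if cp /etc/ssh/sshd_config_ext /etc/ssh/sshd_config; then
        # Drop stale copies first so the rule exists exactly once no matter
        # how often this mode is entered; -D fails once none is left.
        while iptables -D INPUT -i "$IFACE_EXT" -p tcp --dport "$SSH_PORT" -j ACCEPT 2>/dev/null; do :; done
        while iptables -D OUTPUT -o "$IFACE_EXT" -p tcp --sport "$SSH_PORT" -j ACCEPT 2>/dev/null; do :; done
        # -I puts the rules ahead of the "Nicht rein"/"Nicht raus" LOG rules
        # at the end of the chains, so accepted SSH traffic is not logged as
        # rejected. (-D above matches by rule spec, not position.)
        iptables -I INPUT -i "$IFACE_EXT" -p tcp --dport "$SSH_PORT" -j ACCEPT
        iptables -I OUTPUT -o "$IFACE_EXT" -p tcp --sport "$SSH_PORT" -j ACCEPT
    else
        # Fail closed: without the WAN config in place the port stays shut.
        echo "firewall: could not install sshd_config_ext, WAN port stays closed" >&2
    fi
    /etc/init.d/ssh start
}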
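# **********************
# **********************
# *                    *
# * START-STOP SCRIPT  *
# *                    *
# **********************
# **********************
# NOTE(review): "restart" passes through a window in which StopFirewall has
# set INPUT/OUTPUT to ACCEPT and flushed every rule before StartFirewall
# reinstalls them; the host itself is unfiltered for that moment.
case "$1" in
start)
    printf '%s' "Starting firewall: iptables"
    StartFirewall
    ;;
stop)
    echo "Stopping firewall: iptables"
    StopFirewall
    echo "."
    ;;
force-reload|restart)
    "$0" stop
    "$0" start
    ;;
ssh-intern)
    echo "Modifying rules for SSH in LAN-Mode"
    InternSsh
    echo "."
    ;;
ssh-extern)
    echo "Modifying rules for SSH in WAN-Mode"
    ExternSsh
    echo "."
    ;;
*)
    # Report the path this script was actually invoked as instead of a
    # hard-coded one.
    echo "Usage: $0 {start|stop|restart|force-reload|ssh-intern|ssh-extern}" >&2
    exit 1
    ;;
esac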