debianforum.de - Eintrag ansehen

NoPaste

desktopfirewall

von Anonymous

SNIPPET_TEXT:

#!/bin/sh
# where is it?
IPTABLES=`which iptables`
# if we don't have iptables die
test -f $IPTABLES || exit 0
case "$1" in
start)
echo "Starting Firewall..."
# erase all previous rulesets
$IPTABLES -t nat -F
$IPTABLES -t filter -F
$IPTABLES -X
# create new rulesets
$IPTABLES -N TRASHCAN
$IPTABLES -I TRASHCAN -p TCP -j LOG --log-prefix="IPTABLES - DROP TCP-Packet: " --log-level info
$IPTABLES -I TRASHCAN -p UDP -j LOG --log-prefix="IPTABLES - DROP UDP-Packet: " --log-level info
$IPTABLES -I TRASHCAN -p ICMP -j LOG --log-prefix="IPTABLES - DROP ICMP-Packet: " --log-level info
# default policy
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
# loopback is ok
$IPTABLES -I INPUT -i lo -j ACCEPT
$IPTABLES -I OUTPUT -o lo -j ACCEPT
#####################################################
# outgoing
$IPTABLES -I OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#####################################################
# incoming
# port 22 (SSH)
#$IPTABLES -I INPUT -i eth0 -p TCP --sport 1024:65535 --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -I OUTPUT -o eth0 -p TCP --sport 22 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
# established connections are ok
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#####################################################
# TRASHCAN ;)
$IPTABLES -A INPUT -m state --state NEW,INVALID -j TRASHCAN
#####################################################
# if there's anything left not really allowed yet we declare it being evil
$IPTABLES -A INPUT -j TRASHCAN
$IPTABLES -A OUTPUT -j TRASHCAN
$IPTABLES -A FORWARD -j TRASHCAN
;;
stop)
echo "stopping firewall..."
$IPTABLES -t nat -F
$IPTABLES -t filter -F
$IPTABLES -X
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
;;
*)
echo "usage: /etc/init.d/firewall (start|stop)"
exit 1
;;
esac
exit 0

Quellcode

Hier kannst du den Code kopieren und ihn in deinen bevorzugten Editor einfügen. PASTEBIN_DOWNLOAD_SNIPPET_EXPLAIN

#!/bin/sh

# where is it?
IPTABLES=`which iptables`

# if we don't have iptables die
test -f $IPTABLES || exit 0

case "$1" in
   start)
      echo "Starting Firewall..."
      # erase all previous rulesets
      $IPTABLES -t nat -F
      $IPTABLES -t filter -F
      $IPTABLES -X

# create new rulesets
      $IPTABLES -N TRASHCAN
      $IPTABLES -I TRASHCAN -p TCP -j LOG --log-prefix="IPTABLES - DROP TCP-Packet: " --log-level info
      $IPTABLES -I TRASHCAN -p UDP -j LOG --log-prefix="IPTABLES - DROP UDP-Packet: " --log-level info
      $IPTABLES -I TRASHCAN -p ICMP -j LOG --log-prefix="IPTABLES - DROP ICMP-Packet: " --log-level info

# default policy
      $IPTABLES -P INPUT DROP
      $IPTABLES -P OUTPUT DROP
      $IPTABLES -P FORWARD DROP

# loopback is ok
      $IPTABLES -I INPUT -i lo -j ACCEPT
      $IPTABLES -I OUTPUT -o lo -j ACCEPT

#####################################################
      # outgoing
      $IPTABLES -I OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

#####################################################
      # incoming
      # port 22 (SSH)
      #$IPTABLES -I INPUT -i eth0 -p TCP --sport 1024:65535 --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
      #$IPTABLES -I OUTPUT -o eth0 -p TCP --sport 22 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
      
      # established connections are ok
      $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
      $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#####################################################
      # TRASHCAN ;)
      $IPTABLES -A INPUT -m state --state NEW,INVALID -j TRASHCAN

#####################################################
      # if there's anything left not really allowed yet we declare it being evil
      $IPTABLES -A INPUT -j TRASHCAN
      $IPTABLES -A OUTPUT -j TRASHCAN
      $IPTABLES -A FORWARD -j TRASHCAN
      ;;
   stop)
      echo "stopping firewall..."
      $IPTABLES -t nat -F
      $IPTABLES -t filter -F
      $IPTABLES -X
      $IPTABLES -P INPUT ACCEPT
      $IPTABLES -P OUTPUT ACCEPT
      $IPTABLES -P FORWARD ACCEPT
      ;;
   *)
      echo "usage: /etc/init.d/firewall (start|stop)"
      exit 1
      ;;
esac
exit 0

LATEST_SNIPPETS

debian preseed early scri… (16.04.2024 15:55:45, heisenberg)
wmctrl kann Schreibtisch.… (14.04.2024 11:29:23, ndila2004)
Debian preseed.conf (12.04.2024 19:57:28, heisenberg)
Debian ftpsync.conf (12.04.2024 19:51:25, heisenberg)
debian preseed installati… (12.04.2024 19:48:00, heisenberg)
Stromverbrauch Esprimo Q9… (10.04.2024 18:09:44, heisenberg)
esprimo Q920 (10.04.2024 18:06:03, heisenberg)
20 s Verzögerung (05.04.2024 20:19:28, Gamma47)
Server zu verschenken: X9… (03.04.2024 18:04:39, heisenberg)
Debian Testing zerschosse… (01.04.2024 16:07:13, Spindoctor)
wacholderweg (28.03.2024 15:54:03, fischig)
wg0.conf Konfiguration (28.03.2024 10:53:57, hawkeye78)
DOCKER COMPOSE SERVER B (28.03.2024 10:51:35, hawkeye78)
docker compose Server A (28.03.2024 10:49:26, hawkeye78)
CheckMK Installer/Updater… (25.03.2024 23:11:09, heisenberg)
btrfs raid1 changing degr… (26.02.2024 15:53:28, heisenberg)
zfs raid1 changing degrad… (26.02.2024 15:52:16, heisenberg)
yt-dlp installieren (24.02.2024 11:40:21, thunder11)
ss -tulpen (16.02.2024 18:37:28, heisenberg)
smartctl WX32D83955E7 (12.02.2024 20:27:54, borsti1987)

NoPaste

NoPaste

desktopfirewall

Quellcode

Verlinken

LATEST_SNIPPETS