iptables Einstellungen 12.02.2015
von chho
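#!/bin/sh
#
# rc.firewall-iptables-stronger
#
# Stateful NAT firewall for a small router with two external uplinks
# (eth0 and tun0) and three internal networks (eth1, eth2, wlan0).
# Policy: INPUT/OUTPUT/FORWARD default to DROP; everything not explicitly
# accepted below is rejected and logged (rate-limited) through the
# reject-and-log-it chain.  Internal hosts reach the Internet through
# MASQUERADE; from the Internet only replies to existing connections are
# forwarded back in, and the two external interfaces are never forwarded
# to each other.
#
# NOTE: this configures IPv4 (iptables) only.  If the host has IPv6
# connectivity, an equivalent ip6tables ruleset is needed, otherwise IPv6
# traffic is not filtered by anything in this file.
#
# Written for POSIX sh (no bashisms).  "set -u" turns a mistyped variable
# name into a hard error instead of an empty iptables argument.  "set -e"
# is deliberately not used: aborting half-way would leave the DROP
# policies in place with no ACCEPT rules, which is fail-closed but can
# lock an administrator out of a remote box.
set -u

FWVER=0.88s
printf '\nLoading rc.firewall-iptables-STRONGER - version %s..\n\n' "$FWVER"

# iptables needs root; fail early with one clear message instead of a
# cascade of "Permission denied" from every rule below.
if [ "$(id -u)" -ne 0 ]; then
    echo "rc.firewall-iptables-stronger: must be run as root" >&2
    exit 1
fi

# The location of iptables and the tools used to discover addresses
IPTABLES=/sbin/iptables
IFCONFIG=/sbin/ifconfig
AWK=/usr/bin/awk

# External (untrusted) and internal (trusted) interfaces
EXTIF1="eth0"
EXTIF2="tun0"
INTIF1="eth1"
INTIF2="eth2"
INTIF3="wlan0"
echo " External Interface 1: $EXTIF1"
echo " External Interface 2: $EXTIF2"
echo " Internal Interface 1: $INTIF1"
echo " Internal Interface 2: $INTIF2"
echo " Internal Interface 3: $INTIF3"
echo " ---"

# Print the first IPv4 address of interface $1, or nothing if the
# interface is absent or has none.  Accepts both the classic net-tools
# layout ("inet addr:1.2.3.4  Bcast:...") and the newer one
# ("inet 1.2.3.4  netmask ...").  The original split-on-colon parser
# printed an empty string for the newer layout, after which every
# "-s $EXTIP" rule below failed to load.
ipv4_of() {
    "$IFCONFIG" "$1" 2>/dev/null \
        | "$AWK" '/^[ \t]*inet /{sub(/^addr:/, "", $2); print $2; exit}'
}

# Warn when interface $1 has no address ($2 empty).  The rules bound to
# that address are skipped further down, so router-originated traffic on
# that interface stays blocked until the script is re-run.
warn_if_no_ip() {
    if [ -z "$2" ]; then
        printf ' WARNING: %s has no IPv4 address; rules bound to it are skipped.\n' "$1" >&2
        printf '          Re-run this script once %s is up.\n' "$1" >&2
    fi
}

# External IP addresses.  With ip_dynaddr (dial-up / VPN) these can change
# after the script has run: MASQUERADE follows the change for forwarded
# traffic, but the "-s $EXTIP" rules for the router's own traffic do not,
# so re-run the script when an external address changes.
EXTIP1=$(ipv4_of "$EXTIF1")
EXTIP2=$(ipv4_of "$EXTIF2")
warn_if_no_ip "$EXTIF1" "$EXTIP1"
warn_if_no_ip "$EXTIF2" "$EXTIP2"
echo " External IP1: $EXTIP1"
echo " External IP2: $EXTIP2"
echo " ---"

# Internal networks and the router's own address on each of them
INTNET1="192.168.1.0/24"
INTIP1="192.168.1.1/32"
INTNET2="192.168.2.0/24"
INTIP2="192.168.2.1/32"
INTNET3="192.168.3.0/24"
INTIP3="192.168.3.1/32"
echo " Internal Network 1: $INTNET1"
echo " Internal IP 1: $INTIP1"
echo " Internal Network 2: $INTNET2"
echo " Internal IP 2: $INTIP2"
echo " Internal Network 3: $INTNET3"
echo " Internal IP 3: $INTIP3"
echo " ---"

#######################################################################
# Clear any previous configuration.  Policies are set to DROP *before*
# the chains are flushed so there is never a moment with an ACCEPT policy
# and no rules.
#######################################################################
echo " Clearing any existing rules and setting default policy to DROP.."
"$IPTABLES" -P INPUT DROP
"$IPTABLES" -F INPUT
"$IPTABLES" -P OUTPUT DROP
"$IPTABLES" -F OUTPUT
"$IPTABLES" -P FORWARD DROP
"$IPTABLES" -F FORWARD
"$IPTABLES" -F -t nat
# Not needed, and it would only load the unneeded mangle kernel module
#"$IPTABLES" -F -t mangle
# Delete all user-defined chains and reset all counters
"$IPTABLES" -X
"$IPTABLES" -Z

#######################################################################
# reject-and-log-it: the shared "deny" target.  Some prefer a silent
# DROP; this ruleset uses REJECT so the peer gets an ICMP error instead
# of a timeout.  Change the last rule of the chain if you want DROP.
#######################################################################
echo " Creating a DROP chain.."
"$IPTABLES" -N reject-and-log-it
# The LOG target is rate-limited: without a limit an unsolicited flood or
# a port scan can fill syslog and the disk it lives on.
"$IPTABLES" -A reject-and-log-it -m limit --limit 5/min --limit-burst 10 \
    -j LOG --log-level info --log-prefix "FW-REJECT: "
"$IPTABLES" -A reject-and-log-it -j REJECT

echo " - Loading INPUT rulesets"
#######################################################################
# INPUT: traffic addressed to the router itself.  The chain is already
# flushed and its policy is DROP.
#######################################################################
# Packets conntrack cannot classify (bad TCP flag combinations, packets
# outside any known connection) are dropped before anything else.
"$IPTABLES" -A INPUT -m state --state INVALID -j DROP
# Loopback is valid.
"$IPTABLES" -A INPUT -i lo -j ACCEPT
# Each trusted network may reach the router on its own interface.
"$IPTABLES" -A INPUT -i "$INTIF1" -s "$INTNET1" -j ACCEPT
"$IPTABLES" -A INPUT -i "$INTIF2" -s "$INTNET2" -j ACCEPT
"$IPTABLES" -A INPUT -i "$INTIF3" -s "$INTNET3" -j ACCEPT
# Anti-spoofing: internal or loopback source addresses must never arrive
# on an external interface.  These come *before* the ESTABLISHED accept
# so a spoofed packet cannot ride an existing connection.
for ext in "$EXTIF1" "$EXTIF2"; do
    for net in "$INTNET1" "$INTNET2" "$INTNET3" 127.0.0.0/8; do
        "$IPTABLES" -A INPUT -i "$ext" -s "$net" -j reject-and-log-it
    done
done
# If you would like the router to answer "ping" from the Internet, enable:
#"$IPTABLES" -A INPUT -i "$EXTIF1" -p icmp -d "$EXTIP1" -j ACCEPT
#
# Accepting *all* Internet traffic to the router (web, ssh, dns, ...) is
# NOT recommended; open specific ports in the OPTIONAL INPUT section
# instead.  For reference only:
#"$IPTABLES" -A INPUT -i "$EXTIF1" -d "$EXTIP1" -j ACCEPT
#
# Replies to connections the router itself opened (stateful).
# NOTE(review): RELATED also admits flows expected by conntrack helpers
# (ftp, sip, ...) if such modules are loaded; check which helpers this
# kernel assigns automatically before relying on this being "replies only".
for ext in "$EXTIF1" "$EXTIF2"; do
    "$IPTABLES" -A INPUT -i "$ext" -m state --state ESTABLISHED,RELATED -j ACCEPT
done
# ----- Begin OPTIONAL INPUT Section -----
# DHCPd on the internal networks.  DHCP is UDP only; the original template
# also opened TCP 67-68, which DHCP never uses.  This rule is needed
# because DHCPDISCOVER arrives from source 0.0.0.0, which the per-network
# ACCEPT rules above do not match.
for int in "$INTIF1" "$INTIF2" "$INTIF3"; do
    "$IPTABLES" -A INPUT -i "$int" -p udp --sport 67:68 --dport 67:68 -j ACCEPT
done
# DHCP client on $EXTIF1: accept server->client replies only (source port
# 67, destination port 68).  The original "67:68 -> 67:68" ranges over TCP
# and UDP also let any Internet host reach port 67/68 on the router simply
# by choosing source port 67 or 68, bypassing the logged catch-all.
"$IPTABLES" -A INPUT -i "$EXTIF1" -p udp --sport 67 --dport 68 -j ACCEPT
# HTTPd: enable ONLY if a web server runs on the router itself (this is
# NOT needed for port forwarding to an internal host).
#echo " - Allowing EXTERNAL access to the WWW server"
#"$IPTABLES" -A INPUT -i "$EXTIF1" -m state --state NEW,ESTABLISHED,RELATED -p tcp -d "$EXTIP1" --dport 80 -j ACCEPT
# ----- End OPTIONAL INPUT Section -----
# Catch-all: everything else inbound is rejected and logged.
"$IPTABLES" -A INPUT -j reject-and-log-it

echo " - Loading OUTPUT rulesets"
#######################################################################
# OUTPUT: traffic generated by the router itself.  Chain already flushed,
# policy DROP.
#######################################################################
# Workaround for an old netfilter ICMP/DNAT bug, see
# http://www.netfilter.org/security/2002-04-02-icmp-dnat.html
"$IPTABLES" -A OUTPUT -m state -p icmp --state INVALID -j DROP
# Loopback is valid.
"$IPTABLES" -A OUTPUT -o lo -j ACCEPT

# Add the OUTPUT rules for one internal network.
#   $1 interface, $2 network (CIDR), $3 router address on that network
# Traffic sourced from an external address into the internal net (e.g.
# NAT-related replies) is allowed only when that address is known.
output_internal() {
    if [ -n "$EXTIP1" ]; then
        "$IPTABLES" -A OUTPUT -o "$1" -s "$EXTIP1" -d "$2" -j ACCEPT
    fi
    if [ -n "$EXTIP2" ]; then
        "$IPTABLES" -A OUTPUT -o "$1" -s "$EXTIP2" -d "$2" -j ACCEPT
    fi
    "$IPTABLES" -A OUTPUT -o "$1" -s "$3" -d "$2" -j ACCEPT
}
output_internal "$INTIF1" "$INTNET1" "$INTIP1"
output_internal "$INTIF2" "$INTNET2" "$INTIP2"
output_internal "$INTIF3" "$INTNET3" "$INTIP3"

# Internal destinations leaving on an external interface mean broken
# routing: deny and log.
for ext in "$EXTIF1" "$EXTIF2"; do
    for net in "$INTNET1" "$INTNET2" "$INTNET3"; do
        "$IPTABLES" -A OUTPUT -o "$ext" -d "$net" -j reject-and-log-it
    done
done
# Anything else the router sends out of an external interface, from that
# interface's own address, is valid.  Skipped (and warned about earlier)
# when the interface has no address yet.
if [ -n "$EXTIP1" ]; then
    "$IPTABLES" -A OUTPUT -o "$EXTIF1" -s "$EXTIP1" -j ACCEPT
fi
if [ -n "$EXTIP2" ]; then
    "$IPTABLES" -A OUTPUT -o "$EXTIF2" -s "$EXTIP2" -j ACCEPT
fi
# ----- Begin OPTIONAL OUTPUT Section -----
# DHCPd on the internal networks: broadcast offers/acks to clients that
# have no address yet (unicast replies are covered by output_internal).
# UDP only, see the INPUT section.
"$IPTABLES" -A OUTPUT -o "$INTIF1" -p udp -s "$INTIP1" --sport 67:68 -d 255.255.255.255 --dport 67:68 -j ACCEPT
"$IPTABLES" -A OUTPUT -o "$INTIF2" -p udp -s "$INTIP2" --sport 67:68 -d 255.255.255.255 --dport 67:68 -j ACCEPT
"$IPTABLES" -A OUTPUT -o "$INTIF3" -p udp -s "$INTIP3" --sport 67:68 -d 255.255.255.255 --dport 67:68 -j ACCEPT
# ----- End OPTIONAL OUTPUT Section -----
# Catch-all: everything else outbound is rejected and logged.
"$IPTABLES" -A OUTPUT -j reject-and-log-it

echo " - Loading FORWARD rulesets"
#######################################################################
# FORWARD: traffic routed through the box (IP masquerading).
#######################################################################
"$IPTABLES" -A FORWARD -m state --state INVALID -j DROP
# ----- Begin OPTIONAL FORWARD Section -----
#
# Put PORTFW (DNAT) accept rules here
#
# ----- End OPTIONAL FORWARD Section -----
echo " - FWD: Allow all internal interfaces to communicate between each other"
for a in "$INTIF1" "$INTIF2" "$INTIF3"; do
    for b in "$INTIF1" "$INTIF2" "$INTIF3"; do
        [ "$a" = "$b" ] || "$IPTABLES" -A FORWARD -i "$a" -o "$b" -j ACCEPT
    done
done
echo " - FWD: Allow all connections OUT and only existing/related IN"
# Internal -> external: anything.  External -> internal: only replies.
# There is deliberately no rule between the two external interfaces; that
# traffic falls through to the catch-all below.
for ext in "$EXTIF1" "$EXTIF2"; do
    for int in "$INTIF1" "$INTIF2" "$INTIF3"; do
        "$IPTABLES" -A FORWARD -i "$ext" -o "$int" -m state --state ESTABLISHED,RELATED -j ACCEPT
        "$IPTABLES" -A FORWARD -i "$int" -o "$ext" -j ACCEPT
    done
done
# Catch-all: everything else forwarded is rejected and logged.
"$IPTABLES" -A FORWARD -j reject-and-log-it

echo " - NAT: Enabling SNAT (MASQUERADE) functionality on $EXTIF1 and $EXTIF2"
"$IPTABLES" -t nat -A POSTROUTING -o "$EXTIF1" -j MASQUERADE
"$IPTABLES" -t nat -A POSTROUTING -o "$EXTIF2" -j MASQUERADE

# Turn on forwarding only now that the FORWARD chain is fully populated.
echo " Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo " Enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
#######################################################################
printf '\nrc.firewall-iptables-stronger %s done.\n\n' "$FWVER"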