debianforum.de - Eintrag ansehen - iptables Einstellungen 12.02.2015

NoPaste

iptables Einstellungen 12.02.2015

von chho

SNIPPET_TEXT:

#!/bin/sh
#
# rc.firewall-iptables-stronger
#
FWVER=0.88s
echo "\nLoading rc.firewall-iptables-STRONGER - version $FWVER..\n"
# The location of various iptables and other shell programs
IPTABLES=/sbin/iptables
LSMOD=/sbin/lsmod
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe
GREP=/bin/grep
AWK=/usr/bin/awk
IFCONFIG=/sbin/ifconfig
#Setting the EXTERNAL and INTERNAL interfaces for the network
EXTIF1="eth0"
EXTIF2="tun0"
INTIF1="eth1"
INTIF2="eth2"
INTIF3="wlan0"
echo " External Interface 1: $EXTIF1"
echo " External Interface 2: $EXTIF2"
echo " Internal Interface 1: $INTIF1"
echo " Internal Interface 2: $INTIF2"
echo " Internal Interface 3: $INTIF3"
echo " ---"
# external IP address
EXTIP1="`$IFCONFIG $EXTIF1 | $AWK /$EXTIF1/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`"
EXTIP2="`$IFCONFIG $EXTIF2 | $AWK /$EXTIF2/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`"
echo " External IP1: $EXTIP1"
echo " External IP2: $EXTIP2"
echo " ---"
# Assign the internal TCP/IP network and IP address
INTNET1="192.168.1.0/24"
INTIP1="192.168.1.1/32"
INTNET2="192.168.2.0/24"
INTIP2="192.168.2.1/32"
INTNET3="192.168.3.0/24"
INTIP3="192.168.3.1/32"
echo " Internal Network 1: $INTNET1"
echo " Internal IP 1: $INTIP1"
echo " Internal Network 2: $INTNET2"
echo " Internal IP 2: $INTIP2"
echo " Internal Network 3: $INTNET3"
echo " Internal IP 3: $INTIP3"
echo " ---"
# Setting a few other local variables
UNIVERSE="0.0.0.0/0"
echo " Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo " Enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
echo " ---"
#Clearing any previous configuration
#Unless specified, the defaults for INPUT, OUTPUT, and FORWARD to DROP
echo " Clearing any existing rules and setting default policy to DROP.."
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT DROP
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -F -t nat
#Not needed and it will only load the unneeded kernel module
#$IPTABLES -F -t mangle
# Delete all User-specified chains
$IPTABLES -X
# Reset all IPTABLES counters
$IPTABLES -Z
#Configuring specific CHAINS for later use in the ruleset
# NOTE: Some users prefer to have their firewall silently
# "DROP" packets while others prefer to use "REJECT"
# to send ICMP error messages back to the remote
# machine. The default is "REJECT" but feel free to
# change this below.
#
echo " Creating a DROP chain.."
$IPTABLES -N reject-and-log-it
$IPTABLES -A reject-and-log-it -j LOG --log-level info
$IPTABLES -A reject-and-log-it -j REJECT
echo "\n - Loading INPUT rulesets"
#######################################################################
# INPUT: Incoming traffic from various interfaces. All rulesets are already flushed and set to a default policy of DROP.
# loopback interfaces are valid.
$IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
# local interface, local machines, going anywhere is valid
$IPTABLES -A INPUT -i $INTIF1 -s $INTNET1 -d $UNIVERSE -j ACCEPT
$IPTABLES -A INPUT -i $INTIF2 -s $INTNET2 -d $UNIVERSE -j ACCEPT
$IPTABLES -A INPUT -i $INTIF3 -s $INTNET3 -d $UNIVERSE -j ACCEPT
# remote interface, claiming to be local machines, IP spoofing, get lost
$IPTABLES -A INPUT -i $EXTIF1 -s $INTNET1 -d $UNIVERSE -j reject-and-log-it
$IPTABLES -A INPUT -i $EXTIF1 -s $INTNET2 -d $UNIVERSE -j reject-and-log-it
$IPTABLES -A INPUT -i $EXTIF1 -s $INTNET3 -d $UNIVERSE -j reject-and-log-it
$IPTABLES -A INPUT -i $EXTIF2 -s $INTNET1 -d $UNIVERSE -j reject-and-log-it
$IPTABLES -A INPUT -i $EXTIF2 -s $INTNET2 -d $UNIVERSE -j reject-and-log-it
$IPTABLES -A INPUT -i $EXTIF2 -s $INTNET3 -d $UNIVERSE -j reject-and-log-it
# external interface, from any source, for ICMP traffic is valid
#
# If you would like your machine to "ping" from the Internet, enable this next line
#$IPTABLES -A INPUT -i $EXTIF -p ICMP -s $UNIVERSE -d $EXTIP -j ACCEPT
# remote interface, any source, going to the MASQ servers IP address is valid
#
# ENABLE this line if you want ALL Internet traffic to connect to your
# the various servers running on the MASQ server. This includes
# web servers, ssh servers, dns servers, etc.
#
# I DON'T recommend you enable this rule. Instead, only enable specific access to select server ports under the "OPTIONAL INPUT Section".
# An example of enabling HTTP (WWW) has been given below:
#$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -j ACCEPT
# Allow any related traffic coming back to the MASQ server in.
#
# STATEFULLY TRACKED
#
$IPTABLES -A INPUT -i $EXTIF1 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF2 -m state --state ESTABLISHED,RELATED -j ACCEPT
# ----- Begin OPTIONAL INPUT Section -----
# DHCPd - Enable the following lines if you run an INTERNAL DHCPd server
$IPTABLES -A INPUT -i $INTIF1 -p tcp --sport 67:68 --dport 67:68 -j ACCEPT
$IPTABLES -A INPUT -i $INTIF1 -p udp --sport 67:68 --dport 67:68 -j ACCEPT
$IPTABLES -A INPUT -i $INTIF2 -p tcp --sport 67:68 --dport 67:68 -j ACCEPT
$IPTABLES -A INPUT -i $INTIF2 -p udp --sport 67:68 --dport 67:68 -j ACCEPT
$IPTABLES -A INPUT -i $INTIF3 -p tcp --sport 67:68 --dport 67:68 -j ACCEPT
$IPTABLES -A INPUT -i $INTIF3 -p udp --sport 67:68 --dport 67:68 -j ACCEPT
# DHCP - listen on eth0
$IPTABLES -A INPUT -i $EXTIF1 -p tcp --sport 67:68 --dport 67:68 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF1 -p UDP --sport 67:68 --dport 67:68 -j ACCEPT
# HTTPd - Enable the following lines if you run an EXTERNAL WWW server
#
# NOTE: This is NOT needed for simply enabling PORTFW. This is ONLY for users that plan on running Apache on the MASQ server itself
#
#echo " - Allowing EXTERNAL access to the WWW server"
#$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED -p tcp -s $UNIVERSE -d $EXTIP --dport 80 -j ACCEPT
#
# ----- End OPTIONAL INPUT Section -----
# Catch all rule, all other incoming is denied and logged.
#
$IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j reject-and-log-it
# ---------------------------------------------------------------------
echo " - Loading OUTPUT rulesets"
##########################################################################################################################
# OUTPUT: Outgoing traffic from various interfaces. All rulesets are already flushed and set to a default policy of DROP.
##########################################################################################################################
# Workaround bug in netfilter
# See http://www.netfilter.org/security/2002-04-02-icmp-dnat.html
$IPTABLES -A OUTPUT -m state -p icmp --state INVALID -j DROP
# loopback interface is valid.
$IPTABLES -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
# local interfaces, any source going to local net is valid
$IPTABLES -A OUTPUT -o $INTIF1 -s $EXTIP1 -d $INTNET1 -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF2 -s $EXTIP1 -d $INTNET2 -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF3 -s $EXTIP1 -d $INTNET3 -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF1 -s $EXTIP2 -d $INTNET1 -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF2 -s $EXTIP2 -d $INTNET2 -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF3 -s $EXTIP2 -d $INTNET3 -j ACCEPT
# local interface, MASQ server source going to the local net is valid
$IPTABLES -A OUTPUT -o $INTIF1 -s $INTIP1 -d $INTNET1 -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF2 -s $INTIP2 -d $INTNET2 -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF3 -s $INTIP3 -d $INTNET3 -j ACCEPT
# outgoing to local net on remote interface, stuffed routing, deny
$IPTABLES -A OUTPUT -o $EXTIF1 -s $UNIVERSE -d $INTNET1 -j reject-and-log-it
$IPTABLES -A OUTPUT -o $EXTIF1 -s $UNIVERSE -d $INTNET2 -j reject-and-log-it
$IPTABLES -A OUTPUT -o $EXTIF1 -s $UNIVERSE -d $INTNET3 -j reject-and-log-it
$IPTABLES -A OUTPUT -o $EXTIF2 -s $UNIVERSE -d $INTNET1 -j reject-and-log-it
$IPTABLES -A OUTPUT -o $EXTIF2 -s $UNIVERSE -d $INTNET2 -j reject-and-log-it
$IPTABLES -A OUTPUT -o $EXTIF2 -s $UNIVERSE -d $INTNET3 -j reject-and-log-it
# anything else outgoing on remote interface is valid
$IPTABLES -A OUTPUT -o $EXTIF1 -s $EXTIP1 -d $UNIVERSE -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF2 -s $EXTIP2 -d $UNIVERSE -j ACCEPT
# ----- Begin OPTIONAL OUTPUT Section -----
#
# DHCPd - Enable the following lines if you run an INTERNAL DHCPd server
#
$IPTABLES -A OUTPUT -o $INTIF1 -p tcp -s $INTIP1 --sport 67:68 -d 255.255.255.255 --dport 67:68 -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF1 -p udp -s $INTIP1 --sport 67:68 -d 255.255.255.255 --dport 67:68 -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF2 -p tcp -s $INTIP2 --sport 67:68 -d 255.255.255.255 --dport 67:68 -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF2 -p udp -s $INTIP2 --sport 67:68 -d 255.255.255.255 --dport 67:68 -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF3 -p tcp -s $INTIP3 --sport 67:68 -d 255.255.255.255 --dport 67:68 -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF3 -p udp -s $INTIP3 --sport 67:68 -d 255.255.255.255 --dport 67:68 -j ACCEPT
# ----- End OPTIONAL OUTPUT Section -----
# Catch all rule, all other outgoing is denied and logged.
$IPTABLES -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j reject-and-log-it
echo " - Loading FORWARD rulesets"
#######################################################################
# FORWARD: Enable Forwarding and thus IPMASQ
#######################################################################
# ----- Begin OPTIONAL FORWARD Section -----
#
# Put PORTFW commands here
#
# ----- End OPTIONAL FORWARD Section -----
echo " - FWD: Allow all internal interfaces to communicate between each other"
$IPTABLES -A FORWARD -i $INTIF1 -o $INTIF2 -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF2 -o $INTIF1 -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF1 -o $INTIF3 -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF3 -o $INTIF1 -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF2 -o $INTIF3 -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF3 -o $INTIF2 -j ACCEPT
echo " - FWD: Allow all connections OUT and only existing/related IN"
$IPTABLES -A FORWARD -i $EXTIF1 -o $INTIF1 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF1 -o $EXTIF1 -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF1 -o $INTIF2 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF2 -o $EXTIF1 -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF1 -o $INTIF3 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF3 -o $EXTIF1 -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF2 -o $INTIF1 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF1 -o $EXTIF2 -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF2 -o $INTIF2 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF2 -o $EXTIF2 -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF2 -o $INTIF3 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF3 -o $EXTIF2 -j ACCEPT
# Catch all rule, all other forwarding is denied and logged.
$IPTABLES -A FORWARD -j reject-and-log-it
echo " - NAT: Enabling SNAT (MASQUERADE) functionality on $EXTIF1 and $EXTIF2"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF1 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o $EXTIF2 -j MASQUERADE
#######################################################################
echo "\nrc.firewall-iptables-stronger $FWVER done.\n"

Quellcode

Hier kannst du den Code kopieren und ihn in deinen bevorzugten Editor einfügen. PASTEBIN_DOWNLOAD_SNIPPET_EXPLAIN

#!/bin/sh
#
# rc.firewall-iptables-stronger
#
FWVER=0.88s
echo "\nLoading rc.firewall-iptables-STRONGER - version $FWVER..\n"

# The location of various iptables and other shell programs
IPTABLES=/sbin/iptables
LSMOD=/sbin/lsmod
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe
GREP=/bin/grep
AWK=/usr/bin/awk
IFCONFIG=/sbin/ifconfig

#Setting the EXTERNAL and INTERNAL interfaces for the network
EXTIF1="eth0"
EXTIF2="tun0"
INTIF1="eth1"
INTIF2="eth2"
INTIF3="wlan0"
echo "  External Interface 1:  $EXTIF1"
echo "  External Interface 2:  $EXTIF2"
echo "  Internal Interface 1:  $INTIF1"
echo "  Internal Interface 2:  $INTIF2"
echo "  Internal Interface 3:  $INTIF3"
echo "  ---"

# external IP address
EXTIP1="`$IFCONFIG $EXTIF1 | $AWK /$EXTIF1/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`"
EXTIP2="`$IFCONFIG $EXTIF2 | $AWK /$EXTIF2/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`"
echo "  External IP1: $EXTIP1"
echo "  External IP2: $EXTIP2"
echo "  ---"

# Assign the internal TCP/IP network and IP address
INTNET1="192.168.1.0/24"
INTIP1="192.168.1.1/32"
INTNET2="192.168.2.0/24"
INTIP2="192.168.2.1/32"
INTNET3="192.168.3.0/24"
INTIP3="192.168.3.1/32"
echo "  Internal Network 1: $INTNET1"
echo "  Internal IP 1:      $INTIP1"
echo "  Internal Network 2: $INTNET2"
echo "  Internal IP 2:      $INTIP2"
echo "  Internal Network 3: $INTNET3"
echo "  Internal IP 3:      $INTIP3"
echo "  ---"

# Setting a few other local variables
UNIVERSE="0.0.0.0/0"

echo "  Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward

echo "  Enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
echo "  ---"

#Clearing any previous configuration
#Unless specified, the defaults for INPUT, OUTPUT, and FORWARD to DROP

echo "  Clearing any existing rules and setting default policy to DROP.."
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT DROP
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -F -t nat

#Not needed and it will only load the unneeded kernel module
#$IPTABLES -F -t mangle

# Delete all User-specified chains
$IPTABLES -X

# Reset all IPTABLES counters
$IPTABLES -Z

#Configuring specific CHAINS for later use in the ruleset
#  NOTE:  Some users prefer to have their firewall silently
#         "DROP" packets while others prefer to use "REJECT"
#         to send ICMP error messages back to the remote
#         machine.  The default is "REJECT" but feel free to
#         change this below.
#

echo "  Creating a DROP chain.."
$IPTABLES -N reject-and-log-it
$IPTABLES -A reject-and-log-it -j LOG --log-level info
$IPTABLES -A reject-and-log-it -j REJECT
echo "\n   - Loading INPUT rulesets"

#######################################################################
# INPUT: Incoming traffic from various interfaces.  All rulesets are already flushed and set to a default policy of DROP.

# loopback interfaces are valid.
$IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT

# local interface, local machines, going anywhere is valid
$IPTABLES -A INPUT -i $INTIF1 -s $INTNET1 -d $UNIVERSE -j ACCEPT
$IPTABLES -A INPUT -i $INTIF2 -s $INTNET2 -d $UNIVERSE -j ACCEPT
$IPTABLES -A INPUT -i $INTIF3 -s $INTNET3 -d $UNIVERSE -j ACCEPT

# remote interface, claiming to be local machines, IP spoofing, get lost
$IPTABLES -A INPUT -i $EXTIF1 -s $INTNET1 -d $UNIVERSE -j reject-and-log-it
$IPTABLES -A INPUT -i $EXTIF1 -s $INTNET2 -d $UNIVERSE -j reject-and-log-it
$IPTABLES -A INPUT -i $EXTIF1 -s $INTNET3 -d $UNIVERSE -j reject-and-log-it
$IPTABLES -A INPUT -i $EXTIF2 -s $INTNET1 -d $UNIVERSE -j reject-and-log-it
$IPTABLES -A INPUT -i $EXTIF2 -s $INTNET2 -d $UNIVERSE -j reject-and-log-it
$IPTABLES -A INPUT -i $EXTIF2 -s $INTNET3 -d $UNIVERSE -j reject-and-log-it

# external interface, from any source, for ICMP traffic is valid
#
#  If you would like your machine to "ping" from the Internet, enable this next line
#$IPTABLES -A INPUT -i $EXTIF -p ICMP -s $UNIVERSE -d $EXTIP -j ACCEPT

# remote interface, any source, going to the MASQ servers IP address is valid
#
#  ENABLE this line if you want ALL Internet traffic to connect to your
#  the various servers running on the MASQ server.  This includes 
#  web servers, ssh servers, dns servers, etc.  
#
#  I DON'T recommend you enable this rule.  Instead, only enable specific access to select server ports under the "OPTIONAL INPUT Section".
#  An example of enabling HTTP (WWW) has been given below:
#$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -j ACCEPT

# Allow any related traffic coming back to the MASQ server in.
#
#  STATEFULLY TRACKED
#
$IPTABLES -A INPUT -i $EXTIF1 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF2 -m state --state ESTABLISHED,RELATED -j ACCEPT

# ----- Begin OPTIONAL INPUT Section -----

# DHCPd - Enable the following lines if you run an INTERNAL DHCPd server
$IPTABLES -A INPUT -i $INTIF1 -p tcp --sport 67:68 --dport 67:68 -j ACCEPT
$IPTABLES -A INPUT -i $INTIF1 -p udp --sport 67:68 --dport 67:68 -j ACCEPT
$IPTABLES -A INPUT -i $INTIF2 -p tcp --sport 67:68 --dport 67:68 -j ACCEPT
$IPTABLES -A INPUT -i $INTIF2 -p udp --sport 67:68 --dport 67:68 -j ACCEPT
$IPTABLES -A INPUT -i $INTIF3 -p tcp --sport 67:68 --dport 67:68 -j ACCEPT
$IPTABLES -A INPUT -i $INTIF3 -p udp --sport 67:68 --dport 67:68 -j ACCEPT

# DHCP - listen on eth0
$IPTABLES -A INPUT -i $EXTIF1 -p tcp --sport 67:68 --dport 67:68 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF1 -p UDP --sport 67:68 --dport 67:68 -j ACCEPT

# HTTPd - Enable the following lines if you run an EXTERNAL WWW server
#
#    NOTE:  This is NOT needed for simply enabling PORTFW.  This is ONLY for users that plan on running Apache on the MASQ server itself
#
#echo "      - Allowing EXTERNAL access to the WWW server"
#$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED -p tcp -s $UNIVERSE -d $EXTIP --dport 80 -j ACCEPT

#
# ----- End OPTIONAL INPUT Section -----

# Catch all rule, all other incoming is denied and logged. 
#
$IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j reject-and-log-it

# ---------------------------------------------------------------------

echo "   - Loading OUTPUT rulesets"

##########################################################################################################################
# OUTPUT: Outgoing traffic from various interfaces.  All rulesets are already flushed and set to a default policy of DROP. 
##########################################################################################################################

# Workaround bug in netfilter
# See http://www.netfilter.org/security/2002-04-02-icmp-dnat.html
$IPTABLES -A OUTPUT -m state -p icmp --state INVALID -j DROP

# loopback interface is valid.
$IPTABLES -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT

# local interfaces, any source going to local net is valid
$IPTABLES -A OUTPUT -o $INTIF1 -s $EXTIP1 -d $INTNET1 -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF2 -s $EXTIP1 -d $INTNET2 -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF3 -s $EXTIP1 -d $INTNET3 -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF1 -s $EXTIP2 -d $INTNET1 -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF2 -s $EXTIP2 -d $INTNET2 -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF3 -s $EXTIP2 -d $INTNET3 -j ACCEPT

# local interface, MASQ server source going to the local net is valid
$IPTABLES -A OUTPUT -o $INTIF1 -s $INTIP1 -d $INTNET1 -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF2 -s $INTIP2 -d $INTNET2 -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF3 -s $INTIP3 -d $INTNET3 -j ACCEPT

# outgoing to local net on remote interface, stuffed routing, deny
$IPTABLES -A OUTPUT -o $EXTIF1 -s $UNIVERSE -d $INTNET1 -j reject-and-log-it
$IPTABLES -A OUTPUT -o $EXTIF1 -s $UNIVERSE -d $INTNET2 -j reject-and-log-it
$IPTABLES -A OUTPUT -o $EXTIF1 -s $UNIVERSE -d $INTNET3 -j reject-and-log-it
$IPTABLES -A OUTPUT -o $EXTIF2 -s $UNIVERSE -d $INTNET1 -j reject-and-log-it
$IPTABLES -A OUTPUT -o $EXTIF2 -s $UNIVERSE -d $INTNET2 -j reject-and-log-it
$IPTABLES -A OUTPUT -o $EXTIF2 -s $UNIVERSE -d $INTNET3 -j reject-and-log-it

# anything else outgoing on remote interface is valid
$IPTABLES -A OUTPUT -o $EXTIF1 -s $EXTIP1 -d $UNIVERSE -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF2 -s $EXTIP2 -d $UNIVERSE -j ACCEPT

# ----- Begin OPTIONAL OUTPUT Section -----
#
# DHCPd - Enable the following lines if you run an INTERNAL DHCPd server
# 
$IPTABLES -A OUTPUT -o $INTIF1 -p tcp -s $INTIP1 --sport 67:68 -d 255.255.255.255 --dport 67:68 -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF1 -p udp -s $INTIP1 --sport 67:68 -d 255.255.255.255 --dport 67:68 -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF2 -p tcp -s $INTIP2 --sport 67:68 -d 255.255.255.255 --dport 67:68 -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF2 -p udp -s $INTIP2 --sport 67:68 -d 255.255.255.255 --dport 67:68 -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF3 -p tcp -s $INTIP3 --sport 67:68 -d 255.255.255.255 --dport 67:68 -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF3 -p udp -s $INTIP3 --sport 67:68 -d 255.255.255.255 --dport 67:68 -j ACCEPT

# ----- End OPTIONAL OUTPUT Section -----

# Catch all rule, all other outgoing is denied and logged. 
$IPTABLES -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j reject-and-log-it

echo "   - Loading FORWARD rulesets"

#######################################################################
# FORWARD: Enable Forwarding and thus IPMASQ
#######################################################################

# ----- Begin OPTIONAL FORWARD Section -----
#
#  Put PORTFW commands here
#
# ----- End OPTIONAL FORWARD Section -----

echo "     - FWD: Allow all internal interfaces to communicate between each other"
$IPTABLES -A FORWARD -i $INTIF1 -o $INTIF2 -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF2 -o $INTIF1 -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF1 -o $INTIF3 -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF3 -o $INTIF1 -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF2 -o $INTIF3 -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF3 -o $INTIF2 -j ACCEPT

echo "     - FWD: Allow all connections OUT and only existing/related IN"
$IPTABLES -A FORWARD -i $EXTIF1 -o $INTIF1 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF1 -o $EXTIF1 -j ACCEPT

$IPTABLES -A FORWARD -i $EXTIF1 -o $INTIF2 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF2 -o $EXTIF1 -j ACCEPT

$IPTABLES -A FORWARD -i $EXTIF1 -o $INTIF3 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF3 -o $EXTIF1 -j ACCEPT

$IPTABLES -A FORWARD -i $EXTIF2 -o $INTIF1 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF1 -o $EXTIF2 -j ACCEPT

$IPTABLES -A FORWARD -i $EXTIF2 -o $INTIF2 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF2 -o $EXTIF2 -j ACCEPT

$IPTABLES -A FORWARD -i $EXTIF2 -o $INTIF3 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF3 -o $EXTIF2 -j ACCEPT

# Catch all rule, all other forwarding is denied and logged. 
$IPTABLES -A FORWARD -j reject-and-log-it

echo "     - NAT: Enabling SNAT (MASQUERADE) functionality on $EXTIF1 and $EXTIF2"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF1 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o $EXTIF2 -j MASQUERADE

#######################################################################
echo "\nrc.firewall-iptables-stronger $FWVER done.\n"

LATEST_SNIPPETS

debian preseed early scri… (16.04.2024 15:55:45, heisenberg)
wmctrl kann Schreibtisch.… (14.04.2024 11:29:23, ndila2004)
Debian preseed.conf (12.04.2024 19:57:28, heisenberg)
Debian ftpsync.conf (12.04.2024 19:51:25, heisenberg)
debian preseed installati… (12.04.2024 19:48:00, heisenberg)
Stromverbrauch Esprimo Q9… (10.04.2024 18:09:44, heisenberg)
esprimo Q920 (10.04.2024 18:06:03, heisenberg)
20 s Verzögerung (05.04.2024 20:19:28, Gamma47)
Server zu verschenken: X9… (03.04.2024 18:04:39, heisenberg)
Debian Testing zerschosse… (01.04.2024 16:07:13, Spindoctor)
wg0.conf Konfiguration (28.03.2024 10:53:57, hawkeye78)
DOCKER COMPOSE SERVER B (28.03.2024 10:51:35, hawkeye78)
docker compose Server A (28.03.2024 10:49:26, hawkeye78)
CheckMK Installer/Updater… (25.03.2024 23:11:09, heisenberg)
btrfs raid1 changing degr… (26.02.2024 15:53:28, heisenberg)
zfs raid1 changing degrad… (26.02.2024 15:52:16, heisenberg)
yt-dlp installieren (24.02.2024 11:40:21, thunder11)
ss -tulpen (16.02.2024 18:37:28, heisenberg)
smartctl WX32D83955E7 (12.02.2024 20:27:54, borsti1987)
smartctl WX32D833J256 (12.02.2024 20:26:41, borsti1987)

NoPaste

NoPaste

iptables Einstellungen 12.02.2015

Quellcode

Verlinken

LATEST_SNIPPETS