Die Blockade der DHCP-Requests scheint jetzt zu funktionieren. Die Bridge ist mit den Startscripts der Gentoo-Distribution eingerichtet, welche brctl verwendet.
Es wird im Wesentlichen Folgendes ausgeführt:
brctl addbr br0
brctl addif br0 eth0
brctl addif br0 tap1
Die br0 hat natürlich alle IP-Adressen dieser Devices; jene selbst sind unkonfiguriert.
Hier kommen die Iptables-Regeln. Ist jetzt von Grund auf neu geschrieben. Falls dicke Fehler drin sein sollten, sagt es mir bitte.
Code:
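# Interface roles referenced by the rules below.
EXT_IF=ppp0        # internet uplink
INT_IF=eth0        # LAN port; member of the bridge br0
#bridged vpn
VPN_IF=tap1        # VPN tap device; member of the bridge br0
#not bridged vpn
VPN_IF_NB=tap0     # VPN tap device that is routed, not bridged
####### TCP BEGIN
# portsentry watched ports (opened on every interface so the probes reach portsentry)
PORTSENTRY_TCP=( 1 11 15 79 111 119 143 540 635 1080 1524 2000 5742 6667 12345 12346 20034 27665 31337 32771 32772 32773 32774 40421 49724 54320 )
# anywhere
# Copied as an array (not as one joined string) so that both ${X[*]} and
# "${X[@]}" iterate one port at a time.
TCP_OPEN_ANYWHERE=( "${PORTSENTRY_TCP[@]}" )
# ssh apache
# NOTE(review): 15 appears in PORTSENTRY_TCP *and* in the ssh lists below;
# a port cannot be both a portsentry trap and the ssh listener -- confirm
# which one is intended.
TCP_OPEN_INET=( 15 80 )
# ssh ftpdata ftp cups rsync distcc proxy webmin
TCP_OPEN_INTERN=( 15 20 21 631 873 3632 8080 10000 )
# ssh ftpdata ftp distcc webmin (80 is listed too but not named here)
TCP_OPEN_VPN=( 15 80 20 21 3632 10000 )
###### TCP END
##### UDP BEGIN
# portsentry watched ports
PORTSENTRY_UDP=( 1 7 9 69 161 162 513 635 640 641 700 37444 34555 31335 32770 32771 32772 32773 32774 31337 5432 )
UDP_OPEN_ANYWHERE=( "${PORTSENTRY_UDP[@]}" )
#vpn (openvpn)
UDP_OPEN_INET=( 1194 )
#dns dhcpc dhcps proxy
UDP_OPEN_INTERN=( 53 67 68 8080 )
#dns
UDP_OPEN_VPN=( 53 )
##### UDP END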
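##### PRE-Setup BEGIN
# Enable IP forwarding and SYN cookies where the kernel exposes the knobs.
for FILE in /proc/sys/net/ipv4/ip_forward /proc/sys/net/ipv4/tcp_syncookies
do
  if [[ -e "$FILE" ]]; then
    echo "1" > "$FILE"
  fi
done
#flushing
# "-F" without a chain name flushes every chain of the table, so the chain
# names need not be scraped out of "iptables -L"; "-X" afterwards removes the
# (now empty) user-defined chains.
for TABLE in mangle nat filter
do
  iptables -t "$TABLE" -F
  iptables -t "$TABLE" -X
done
#predrop
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# open lo to all
iptables -A INPUT -p all -i lo -j ACCEPT
iptables -A OUTPUT -p all -o lo -j ACCEPT
# accept related/already established conns
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# The same is needed for OUTPUT: replies of a local service leave with the
# service port as *source* port, so the per-port "--dport" OUTPUT rules in
# the later sections never match them. Without this rule replies only get
# out where a whole interface is opened for OUTPUT (uplink, LAN port), but
# not towards the VPN devices.
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
###### PRE-Setup END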
# ICMP: allowed in and out on every interface, no restriction on the ICMP type.
for chain in INPUT OUTPUT
do
  iptables -A "$chain" -p icmp -j ACCEPT
done
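##### open anywhere BEGIN
# The portsentry trap ports are opened on the bridge and on the routed VPN
# device, inbound and outbound. Two separate loops: one for the TCP list with
# "-p tcp", one for the UDP list with "-p udp" (both loops used to iterate
# the UDP list with "-p tcp", so the TCP list was never applied and no UDP
# rule existed at all).
for port in ${TCP_OPEN_ANYWHERE[*]}
do
  for iface in br0 "$VPN_IF_NB"
  do
    iptables -A INPUT -p tcp -i "$iface" --dport "$port" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -p tcp -o "$iface" --dport "$port" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  done
done
for port in ${UDP_OPEN_ANYWHERE[*]}
do
  for iface in br0 "$VPN_IF_NB"
  do
    iptables -A INPUT -p udp -i "$iface" --dport "$port" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -p udp -o "$iface" --dport "$port" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  done
done
##### open anywhere END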
##### open ports to inet BEGIN
# Services reachable from the internet uplink (inbound only; the port lists
# come from the configuration section at the top).
for port in "${TCP_OPEN_INET[@]}"
do
  iptables -A INPUT -p tcp -i "$EXT_IF" --dport "$port" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
done
for port in "${UDP_OPEN_INET[@]}"
do
  iptables -A INPUT -p udp -i "$EXT_IF" --dport "$port" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
done
# full inet access to outside (FIXME): every locally originated packet may
# leave via the uplink, nothing is filtered in the OUTPUT direction here.
iptables -A OUTPUT -o "$EXT_IF" -j ACCEPT
##### open ports to inet END
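#### open ports to internal network BEGIN
# Services reachable from the LAN port. The bridge br0 carries the IP
# addresses, so the physical port is selected with the physdev match.
for port in ${TCP_OPEN_INTERN[*]}
do
  iptables -A INPUT -p tcp -i br0 -m physdev --physdev-in "$INT_IF" --dport "$port" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  # "--dport" was missing on the TCP OUTPUT rule (present on the UDP one), so
  # the same "all tcp out" rule was appended once per port.
  iptables -A OUTPUT -p tcp -o br0 -m physdev --physdev-out "$INT_IF" --dport "$port" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
done
for port in ${UDP_OPEN_INTERN[*]}
do
  iptables -A INPUT -p udp -i br0 -m physdev --physdev-in "$INT_IF" --dport "$port" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  iptables -A OUTPUT -p udp -o br0 -m physdev --physdev-out "$INT_IF" --dport "$port" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
done
# Everything may leave towards the LAN port; this subsumes the per-port
# OUTPUT rules above, which are only kept for symmetry with the VPN section.
iptables -A OUTPUT -o br0 -m physdev --physdev-out "$INT_IF" -j ACCEPT
##### internal network END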
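#### open ports to vpn
# Services reachable from the bridged VPN port. The TCP list is applied with
# "-p tcp" (it used to be "-p udp", so none of the listed TCP services was
# reachable over the VPN) and the UDP list (dns) is applied as well, which
# was defined at the top but never used.
for port in ${TCP_OPEN_VPN[*]}
do
  iptables -A INPUT -p tcp -i br0 -m physdev --physdev-in "$VPN_IF" --dport "$port" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  iptables -A OUTPUT -p tcp -o br0 -m physdev --physdev-out "$VPN_IF" --dport "$port" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
done
for port in ${UDP_OPEN_VPN[*]}
do
  iptables -A INPUT -p udp -i br0 -m physdev --physdev-in "$VPN_IF" --dport "$port" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  iptables -A OUTPUT -p udp -o br0 -m physdev --physdev-out "$VPN_IF" --dport "$port" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
done
#### vpn END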
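# routing: private hosts may open connections towards the uplink, replies
# come back.
iptables -A FORWARD -o "$EXT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s 192.168.0.0/16 -o "$EXT_IF" -m state --state NEW -j ACCEPT
# Anything else heading for the uplink (other source addresses, INVALID
# state) is dropped here; otherwise the "-i br0 -j ACCEPT" catch-all below
# would let it through and make the source restriction above meaningless.
iptables -A FORWARD -o "$EXT_IF" -j DROP
# Only replies may be forwarded in from the uplink; unsolicited traffic from
# the internet must not reach the bridge via the "-o br0 -j ACCEPT" below.
iptables -A FORWARD -i "$EXT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i "$EXT_IF" -j DROP
# bridging
# dont send or receive dhcp requests/acks across the bridge; the interface
# names come from the variables at the top instead of being hard-coded.
# NOTE(review): only LAN->VPN requests (dport 67) and VPN->LAN replies
# (dport 68) are blocked; if a DHCP server can also sit on the VPN side the
# mirrored rules are missing -- confirm the intended direction.
iptables -A FORWARD -o br0 -m physdev --physdev-in "$INT_IF" --physdev-out "$VPN_IF" -p udp --dport 67 -m addrtype --dst-type broadcast -j DROP
iptables -A FORWARD -o br0 -m physdev --physdev-in "$VPN_IF" --physdev-out "$INT_IF" -p udp --dport 68 -m addrtype --dst-type broadcast -j DROP
# allow other out (bridged traffic and the routed VPN device)
iptables -A FORWARD -o br0 -j ACCEPT
iptables -A FORWARD -i br0 -j ACCEPT
# masquerading: private-to-private traffic keeps its source address, the
# rest leaving via the uplink is masqueraded.
iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o "$EXT_IF" -j MASQUERADE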
Gruß
apriori