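#!/bin/tcsh
# Firewall, NAT and upload shaping for the home router. Written in csh
# syntax (`set name = value`), so the interpreter line above must be a real
# `#!` shebang: the original line lacked the leading `#`, under which the
# kernel would not hand the file to tcsh and the `set` assignments below
# would not define the variables the rules expand.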
################################################## ###################################
#----------------------#
# VARIABLEN DEFINIEREN #
#----------------------#
# AUSGANGSINTERFACES
# Interfaces: $dsl is the Internet uplink (masqueraded), $router_1 the LAN
# side the internal hosts come in on. $dsl_lan is not referenced by any rule
# in this script.
set dsl=ppp0
set dsl_lan=eth0
set router_1=eth1
# Networks, written with a dotted netmask (iptables accepts both forms).
# $internet_zone is currently unreferenced.
set intern_zone=192.168.0.0/255.255.255.0
set internet_zone=192.168.10.0/255.255.255.0
# Individual hosts. $dsl_ip and $router_ip are currently unreferenced.
set dsl_ip=192.168.10.5
set router_ip=192.168.0.5
set server_1=192.168.0.1
set server_2=192.168.0.2
set thomas_1=192.168.0.11
set thomas_2=192.168.0.12
set robert_1=192.168.0.21
set felix_1=192.168.0.31
set jonas_1=192.168.0.42
# MAC-ADRESSEN FESTLEGEN
# MAC addresses paired with the IPs above; the FORWARD/INPUT rules that use
# them match IP and MAC together (-m mac --mac-source), so another machine
# cannot obtain a host's permissions by borrowing its IP alone.
set thomas_2_mac = 00:A0:CC:3C:A4:01
# NOTE(review): the next three values are garbled in this copy — each MAC is
# split over two lines with a character missing, so tcsh would assign an
# incomplete address and then try to run "5", "6" and "0:2D:C9:E4" as
# commands. Restore the full six-octet addresses before using this script.
set server_1_mac = 00:80:C8:CA:A9
5
set server_2_mac = 00:80:C8:CA:A9
6
set felix_1_mac = 08:00:46:6E:03:B7
set jonas_1_mac = 00:40
0:2D:C9:E4
################################################## ###################################
#--------------------------#
# STANDARDREGELN FESTLEGEN #
#--------------------------#
# MODULE FUER FTP LADEN
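# Load connection tracking plus the FTP helpers (ip_nat_ftp needs
# ip_conntrack_ftp, which needs ip_conntrack, hence this order).
# NOTE(review): modprobe takes module names; whether this modutils release
# accepts the directory as a positional argument cannot be verified here —
# if the modules do not load, `modprobe ip_conntrack` (etc.) is the usual form.
modprobe /lib/modules/2.4.19-4GB/kernel/net/ipv4/netfilter ip_conntrack
modprobe /lib/modules/2.4.19-4GB/kernel/net/ipv4/netfilter ip_conntrack_ftp
modprobe /lib/modules/2.4.19-4GB/kernel/net/ipv4/netfilter ip_nat_ftp
# Default policy: anything no rule accepts is dropped. The policies are set
# BEFORE the chains are flushed so that a reload never leaves a window in
# which the chains are empty and a previous (possibly ACCEPT) policy applies.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Start from a clean slate: rules, user chains, nat/mangle tables, shaping.
# (-F log_drop reports an error on the very first run, before the chain
# exists; that is harmless.)
foreach chain (INPUT OUTPUT FORWARD log_drop)
  iptables -F $chain
end
iptables -X
iptables -t nat -F
iptables -t mangle -F
/root/tc/tc qdisc del dev $dsl root
# /root/tc/tc qdisc del dev $router_1 root
# Reset the packet/byte counters of the built-in chains.
foreach chain (INPUT OUTPUT FORWARD)
  iptables -Z $chain
end
# Chain that writes a rate-limited log line per protocol and then drops.
# Every built-in chain ends in a jump to it, so rejected traffic is visible
# in syslog without flooding it.
iptables -N log_drop
iptables -A log_drop -p ICMP -m limit --limit 6/minute --limit-burst 5 -j LOG --log-ip-options --log-prefix "FIREWALL DROP ICMP "
iptables -A log_drop -p UDP -m limit --limit 6/minute --limit-burst 5 -j LOG --log-ip-options --log-prefix "FIREWALL DROP UDP "
iptables -A log_drop -p TCP -m limit --limit 6/minute --limit-burst 5 -j LOG --log-tcp-options --log-ip-options --log-prefix "FIREWALL DROP TCP "
iptables -A log_drop -j DROP
# Loopback is unrestricted.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Packets conntrack cannot associate with any connection are logged and
# dropped up front, before any of the per-host ACCEPT rules.
iptables -A INPUT -m state --state INVALID -j log_drop
iptables -A OUTPUT -m state --state INVALID -j log_drop
iptables -A FORWARD -m state --state INVALID -j log_drop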
################################################## ###################################
#------------------------#
# MASQUERADING FESTLEGEN #
#------------------------#
# FEHLER IM ROUTING VERBESSERN
# Clamp the MSS of forwarded SYNs to the path MTU; PPP uplinks typically
# have a smaller MTU than the LAN, which otherwise stalls some TCP sessions.
# Inserted at the head of FORWARD; TCPMSS is non-terminating, so traversal
# continues with the rules below.
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# Hide the internal network behind the DSL address (MASQUERADE rather than
# SNAT because the uplink address is not fixed).
iptables -t nat -A POSTROUTING -s $intern_zone -o $dsl -j MASQUERADE
################################################## ###################################
#----------------------------------#
# BANDBREITENMANAGEMENT AKTIVIEREN #
#----------------------------------#
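# Upload shaping on the DSL link: one HTB root, class 1:1 caps the uplink at
# 128kbit, the leaf classes guarantee each user a share and may borrow up to
# their ceiling. Packets are steered into a leaf by fwmark (MARK rules in the
# mangle table, "fw" filters at the end of the script). Anything without a
# mark lands in the default leaf 1:10, which is Thomas's class.
/root/tc/tc qdisc add dev $dsl root handle 1: htb default 10
# /root/tc/tc qdisc add dev $router_1 root handle 2: htb default 20
# Download shaping on the LAN side is disabled; kept for reference.
# /root/tc/tc class add dev $router_1 parent 2:0 classid 2:2 htb rate 768kbit ceil 768kbit
# /root/tc/tc class add dev $router_1 parent 2:2 classid 2:20 htb rate 640kbit ceil 768kbit # Alle
# /root/tc/tc class add dev $router_1 parent 2:2 classid 2:21 htb rate 128kbit ceil 768kbit # Robert
# Upload classes; the guaranteed rates (4 x 30 + 8) add up to the 128kbit parent.
/root/tc/tc class add dev $dsl parent 1:0 classid 1:1 htb rate 128kbit ceil 128kbit
/root/tc/tc class add dev $dsl parent 1:1 classid 1:10 htb rate 30kbit ceil 120kbit # Thomas (intended for fwmark 10)
/root/tc/tc class add dev $dsl parent 1:1 classid 1:11 htb rate 30kbit ceil 120kbit # Robert (intended for fwmark 11)
/root/tc/tc class add dev $dsl parent 1:1 classid 1:12 htb rate 30kbit ceil 120kbit # Felix (intended for fwmark 12)
/root/tc/tc class add dev $dsl parent 1:1 classid 1:13 htb rate 30kbit ceil 120kbit # Server (intended for fwmark 13)
/root/tc/tc class add dev $dsl parent 1:1 classid 1:14 htb rate 8kbit ceil 128kbit # small TCP segments, DNS, SSH (intended for fwmark 14)
# TCP segments of at most 64 bytes (presumably ACKs) go to the interactive
# class 1:14. The interface is taken from $dsl instead of the hard-coded
# "ppp0" the rule used before, so it is defined in one place only.
# NOTE(review): MARK is non-terminating and a later MARK rule overwrites the
# mark. The per-host rules appended to mangle POSTROUTING further down
# re-mark matching small packets to 10..13, so this rule only wins for
# packets no later rule matches. Append it after the per-host rules if the
# small-packet priority is meant to apply to every host.
iptables -t mangle -A POSTROUTING -o $dsl -p tcp -m length --length :64 -j MARK --set-mark 14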
################################################## ###################################
#----------------------------------------------------#
# FORWARDING ÜBER ISDN UND DSL FUER DAS INTERNE NETZ #
#----------------------------------------------------#
#----------#
# THOMAS 1 #
#----------#
# Thomas 1: standard client ports plus unprivileged-to-unprivileged TCP.
# Uploads are accounted to HTB class 1:10 (fwmark 10). Unlike the Thomas 2
# rules there is no MAC pinning here.
set t1_ports=80,443,53,20,21,22,23,25,110,5190,6667
foreach proto (tcp udp)
  iptables -t mangle -A POSTROUTING -s $thomas_1 -o $dsl -p $proto -m multiport --dport $t1_ports -j MARK --set-mark 10
end
iptables -t mangle -A POSTROUTING -s $thomas_1 -o $dsl -p tcp --sport 1024: --dport 1024: -j MARK --set-mark 10
# Outbound (LAN -> DSL): new connections allowed on the listed ports.
foreach proto (tcp udp)
  iptables -A FORWARD -i $router_1 -o $dsl -s $thomas_1 -p $proto -m multiport --dport $t1_ports -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
end
iptables -A FORWARD -i $router_1 -o $dsl -s $thomas_1 -p tcp --sport 1024: --dport 1024: -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Inbound (DSL -> LAN): replies only, never NEW.
foreach proto (tcp udp)
  iptables -A FORWARD -i $dsl -o $router_1 -d $thomas_1 -p $proto -m multiport --sport $t1_ports -m state --state ESTABLISHED,RELATED -j ACCEPT
end
iptables -A FORWARD -i $dsl -o $router_1 -d $thomas_1 -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
################################################## ###################################
#----------#
# THOMAS 2 #
#----------#
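# Thomas 2: every outbound rule also pins the source MAC, so the IP alone is
# not enough to use these permissions. Uploads -> class 1:10 (fwmark 10).
set t2_ports=80,443,53,20,21,22,23,25,110,5190,6667,6669,5222
set t2_kazaa=1214,1080
set t2_emule_tcp=4662,4661
set t2_emule_udp=4672,4665
# Marking. Ports 6669 and 5222 were previously only in the FORWARD list, not
# in the MARK list; unmarked traffic falls into htb default class 1:10
# anyway, so marking them changes nothing in effect and keeps one port list
# per host.
foreach proto (tcp udp)
  iptables -t mangle -A POSTROUTING -s $thomas_2 -o $dsl -p $proto -m multiport --dport $t2_ports -j MARK --set-mark 10
end
iptables -t mangle -A POSTROUTING -s $thomas_2 -o $dsl -p tcp --sport 1024: --dport 1024: -j MARK --set-mark 10
# Outbound on the standard ports.
foreach proto (tcp udp)
  iptables -A FORWARD -i $router_1 -o $dsl -s $thomas_2 -m mac --mac-source $thomas_2_mac -p $proto -m multiport --dport $t2_ports -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
end
iptables -A FORWARD -i $router_1 -o $dsl -s $thomas_2 -m mac --mac-source $thomas_2_mac -p tcp --sport 1024: --dport 1024: -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Replies.
foreach proto (tcp udp)
  iptables -A FORWARD -i $dsl -o $router_1 -d $thomas_2 -p $proto -m multiport --sport $t2_ports -m state --state ESTABLISHED,RELATED -j ACCEPT
end
iptables -A FORWARD -i $dsl -o $router_1 -d $thomas_2 -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
# Kazaa (1214/1080 plus 3879).
foreach proto (tcp udp)
  iptables -t mangle -A POSTROUTING -s $thomas_2 -o $dsl -p $proto -m multiport --dport $t2_kazaa -j MARK --set-mark 10
end
foreach proto (tcp udp)
  iptables -t mangle -A POSTROUTING -s $thomas_2 -o $dsl -p $proto --dport 3879 -j MARK --set-mark 10
end
foreach proto (tcp udp)
  iptables -A FORWARD -i $router_1 -o $dsl -s $thomas_2 -m mac --mac-source $thomas_2_mac -p $proto -m multiport --dport $t2_kazaa -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
end
foreach proto (tcp udp)
  iptables -A FORWARD -i $router_1 -o $dsl -s $thomas_2 -m mac --mac-source $thomas_2_mac -p $proto --dport 3879 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
end
foreach proto (tcp udp)
  iptables -A FORWARD -i $dsl -o $router_1 -d $thomas_2 -p $proto -m multiport --sport $t2_kazaa -m state --state ESTABLISHED,RELATED -j ACCEPT
end
foreach proto (tcp udp)
  iptables -A FORWARD -i $dsl -o $router_1 -d $thomas_2 -p $proto --sport 3879 -m state --state ESTABLISHED,RELATED -j ACCEPT
end
# Quake (27950-27980).
# FIX: the reply rules named "-d $robert_1" although this section belongs
# to Thomas 2, so UDP game replies to $thomas_2 matched no rule in this
# section (TCP replies happened to be covered by the unprivileged-port reply
# rule above whenever the client used a port >= 1024).
foreach proto (tcp udp)
  iptables -t mangle -A POSTROUTING -s $thomas_2 -o $dsl -p $proto --dport 27950:27980 -j MARK --set-mark 10
end
foreach proto (tcp udp)
  iptables -A FORWARD -i $router_1 -o $dsl -s $thomas_2 -m mac --mac-source $thomas_2_mac -p $proto --dport 27950:27980 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
end
foreach proto (tcp udp)
  iptables -A FORWARD -i $dsl -o $router_1 -d $thomas_2 -p $proto --sport 27950:27980 -m state --state ESTABLISHED,RELATED -j ACCEPT
end
# eMule (TCP 4662/4661, UDP 4672/4665).
# FIX: same "-d $robert_1" mix-up in the reply rules, and they accepted NEW
# from the DSL side. Replies are ESTABLISHED,RELATED only, like every other
# inbound rule; nothing in this script DNATs these ports.
iptables -t mangle -A POSTROUTING -s $thomas_2 -o $dsl -p tcp -m multiport --dport $t2_emule_tcp -j MARK --set-mark 10
iptables -t mangle -A POSTROUTING -s $thomas_2 -o $dsl -p udp -m multiport --dport $t2_emule_udp -j MARK --set-mark 10
iptables -A FORWARD -i $router_1 -o $dsl -s $thomas_2 -m mac --mac-source $thomas_2_mac -p tcp -m multiport --dport $t2_emule_tcp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $router_1 -o $dsl -s $thomas_2 -m mac --mac-source $thomas_2_mac -p udp -m multiport --dport $t2_emule_udp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $dsl -o $router_1 -d $thomas_2 -p tcp -m multiport --sport $t2_emule_tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $dsl -o $router_1 -d $thomas_2 -p udp -m multiport --sport $t2_emule_udp -m state --state ESTABLISHED,RELATED -j ACCEPT
# Broodwar (UDP 6112).
iptables -t mangle -A POSTROUTING -s $thomas_2 -o $dsl -p udp --dport 6112 -j MARK --set-mark 10
iptables -A FORWARD -i $router_1 -o $dsl -s $thomas_2 -m mac --mac-source $thomas_2_mac -p udp --dport 6112 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $dsl -o $router_1 -d $thomas_2 -p udp --sport 6112 -m state --state ESTABLISHED,RELATED -j ACCEPT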
################################################## ###################################
#--------#
# ROBERT #
#--------#
# Robert: uploads -> HTB class 1:11 (fwmark 11). No MAC pinning on this host.
set r1_ports=80,443,53,20,21,22,23,25,110,5190,6667
set r1_jk2_ports=28060,28061,28062
set r1_gv_ports=9110,59117
set r1_kazaa=1214,1080
foreach proto (tcp udp)
  iptables -t mangle -A POSTROUTING -s $robert_1 -o $dsl -p $proto -m multiport --dport $r1_ports -j MARK --set-mark 11
end
iptables -t mangle -A POSTROUTING -s $robert_1 -o $dsl -p tcp --sport 1024: --dport 1024: -j MARK --set-mark 11
# Outbound on the standard ports.
foreach proto (tcp udp)
  iptables -A FORWARD -i $router_1 -o $dsl -s $robert_1 -p $proto -m multiport --dport $r1_ports -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
end
iptables -A FORWARD -i $router_1 -o $dsl -s $robert_1 -p tcp --sport 1024: --dport 1024: -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Replies.
foreach proto (tcp udp)
  iptables -A FORWARD -i $dsl -o $router_1 -d $robert_1 -p $proto -m multiport --sport $r1_ports -m state --state ESTABLISHED,RELATED -j ACCEPT
end
iptables -A FORWARD -i $dsl -o $router_1 -d $robert_1 -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
# Jedi Knight 2 (UDP 28070-28081 and 28060-28062).
iptables -t mangle -A POSTROUTING -s $robert_1 -o $dsl -p udp --dport 28070:28081 -j MARK --set-mark 11
iptables -t mangle -A POSTROUTING -s $robert_1 -o $dsl -p udp -m multiport --dport $r1_jk2_ports -j MARK --set-mark 11
iptables -A FORWARD -i $router_1 -o $dsl -s $robert_1 -p udp --dport 28070:28081 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $router_1 -o $dsl -s $robert_1 -p udp -m multiport --dport $r1_jk2_ports -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $dsl -o $router_1 -d $robert_1 -p udp --sport 28070:28081 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $dsl -o $router_1 -d $robert_1 -p udp -m multiport --sport $r1_jk2_ports -m state --state ESTABLISHED,RELATED -j ACCEPT
# CS (27000-27030).
foreach proto (tcp udp)
  iptables -t mangle -A POSTROUTING -s $robert_1 -o $dsl -p $proto --dport 27000:27030 -j MARK --set-mark 11
end
# Download marking for the disabled LAN-side shaping, kept for reference:
# iptables -A POSTROUTING -t mangle -d $robert_1 -o $router_1 -p tcp --dport 27000:27030 -j MARK --set-mark 21
# iptables -A POSTROUTING -t mangle -d $robert_1 -o $router_1 -p udp --dport 27000:27030 -j MARK --set-mark 21
foreach proto (tcp udp)
  iptables -A FORWARD -i $router_1 -o $dsl -s $robert_1 -p $proto --dport 27000:27030 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
end
foreach proto (tcp udp)
  iptables -A FORWARD -i $dsl -o $router_1 -d $robert_1 -p $proto --sport 27000:27030 -m state --state ESTABLISHED,RELATED -j ACCEPT
end
# GV (9110, 59117).
foreach proto (tcp udp)
  iptables -t mangle -A POSTROUTING -s $robert_1 -o $dsl -p $proto -m multiport --dport $r1_gv_ports -j MARK --set-mark 11
end
# iptables -A POSTROUTING -t mangle -d $robert_1 -o $router_1 -p tcp -m multiport --dport 9110,59117 -j MARK --set-mark 21
# iptables -A POSTROUTING -t mangle -d $robert_1 -o $router_1 -p udp -m multiport --dport 9110,59117 -j MARK --set-mark 21
foreach proto (tcp udp)
  iptables -A FORWARD -i $router_1 -o $dsl -s $robert_1 -p $proto -m multiport --dport $r1_gv_ports -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
end
foreach proto (tcp udp)
  iptables -A FORWARD -i $dsl -o $router_1 -d $robert_1 -p $proto -m multiport --sport $r1_gv_ports -m state --state ESTABLISHED,RELATED -j ACCEPT
end
# Kazaa (1214/1080 plus 3879).
foreach proto (tcp udp)
  iptables -t mangle -A POSTROUTING -s $robert_1 -o $dsl -p $proto -m multiport --dport $r1_kazaa -j MARK --set-mark 11
end
foreach proto (tcp udp)
  iptables -t mangle -A POSTROUTING -s $robert_1 -o $dsl -p $proto --dport 3879 -j MARK --set-mark 11
end
foreach proto (tcp udp)
  iptables -A FORWARD -i $router_1 -o $dsl -s $robert_1 -p $proto -m multiport --dport $r1_kazaa -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
end
foreach proto (tcp udp)
  iptables -A FORWARD -i $router_1 -o $dsl -s $robert_1 -p $proto --dport 3879 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
end
foreach proto (tcp udp)
  iptables -A FORWARD -i $dsl -o $router_1 -d $robert_1 -p $proto -m multiport --sport $r1_kazaa -m state --state ESTABLISHED,RELATED -j ACCEPT
end
foreach proto (tcp udp)
  iptables -A FORWARD -i $dsl -o $router_1 -d $robert_1 -p $proto --sport 3879 -m state --state ESTABLISHED,RELATED -j ACCEPT
end
################################################## ###################################
#-------#
# FELIX #
#-------#
# Felix (IP + MAC pinned): the standard list without 5190/6667.
# Uploads -> HTB class 1:12 (fwmark 12).
set f1_ports=80,443,53,20,21,22,23,25,110
foreach proto (tcp udp)
  iptables -t mangle -A POSTROUTING -s $felix_1 -o $dsl -p $proto -m multiport --dport $f1_ports -j MARK --set-mark 12
end
iptables -t mangle -A POSTROUTING -s $felix_1 -o $dsl -p tcp --sport 1024: --dport 1024: -j MARK --set-mark 12
# Outbound, new connections allowed.
foreach proto (tcp udp)
  iptables -A FORWARD -i $router_1 -o $dsl -s $felix_1 -m mac --mac-source $felix_1_mac -p $proto -m multiport --dport $f1_ports -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
end
iptables -A FORWARD -i $router_1 -o $dsl -s $felix_1 -m mac --mac-source $felix_1_mac -p tcp --sport 1024: --dport 1024: -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Replies only.
foreach proto (tcp udp)
  iptables -A FORWARD -i $dsl -o $router_1 -d $felix_1 -p $proto -m multiport --sport $f1_ports -m state --state ESTABLISHED,RELATED -j ACCEPT
end
iptables -A FORWARD -i $dsl -o $router_1 -d $felix_1 -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
################################################## ###################################
#-------#
# JONAS #
#-------#
# AUSGEHENDES FORWARDING AUF STANDARDPORTS ERLAUBEN
# Jonas (IP + MAC pinned). Note: there is no MARK rule for this host and no
# HTB class of his own, so his uploads land in the htb default class 1:10
# together with Thomas — add a mark/class pair if that is not intended.
set j1_ports=80,443,53,20,21,22,23,25,110,5190,6667
foreach proto (tcp udp)
  iptables -A FORWARD -i $router_1 -o $dsl -s $jonas_1 -m mac --mac-source $jonas_1_mac -p $proto -m multiport --dport $j1_ports -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
end
iptables -A FORWARD -i $router_1 -o $dsl -s $jonas_1 -m mac --mac-source $jonas_1_mac -p tcp --sport 1024: --dport 1024: -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Replies only.
foreach proto (tcp udp)
  iptables -A FORWARD -i $dsl -o $router_1 -d $jonas_1 -p $proto -m multiport --sport $j1_ports -m state --state ESTABLISHED,RELATED -j ACCEPT
end
iptables -A FORWARD -i $dsl -o $router_1 -d $jonas_1 -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
################################################## ###################################
#--------#
# SERVER #
#--------#
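# Servers: both web servers share HTB class 1:13 (fwmark 13) for their
# HTTP replies (sport 80) and their own outbound connections.
# NOTE(review): port 433 appears in every server rule; it is probably meant
# to be 443 — confirm with the author before changing it, this edit leaves
# the value alone on purpose.
set srv_ports=80,53,433
foreach srv ($server_1 $server_2)
  iptables -t mangle -A POSTROUTING -s $srv -o $dsl -p tcp -m multiport --sport 80 -j MARK --set-mark 13
end
foreach proto (tcp udp)
  foreach srv ($server_1 $server_2)
    iptables -t mangle -A POSTROUTING -s $srv -o $dsl -p $proto -m multiport --dport $srv_ports -j MARK --set-mark 13
  end
end
# Outbound (IP + MAC pinned).
foreach proto (tcp udp)
  iptables -A FORWARD -i $router_1 -o $dsl -s $server_2 -m mac --mac-source $server_2_mac -p $proto -m multiport --dport $srv_ports -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  iptables -A FORWARD -i $router_1 -o $dsl -s $server_1 -m mac --mac-source $server_1_mac -p $proto -m multiport --dport $srv_ports -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
end
# Replies. "-p" is now given before "-m multiport" as in every other rule;
# multiport needs the protocol to be known, and older iptables releases
# reject the reversed order.
foreach proto (tcp udp)
  foreach srv ($server_1 $server_2)
    iptables -A FORWARD -i $dsl -o $router_1 -d $srv -p $proto -m multiport --sport $srv_ports -m state --state ESTABLISHED,RELATED -j ACCEPT
  end
end
# Publish the web server: TCP/80 arriving on the DSL link is DNATed to
# $server_1 (previously the literal 192.168.0.1). Only --dport 80 is
# matched, so the port stays 80 without spelling it out in the target.
iptables -t nat -A PREROUTING -i $dsl -p tcp --dport 80 -j DNAT --to-destination $server_1
# Let the DNATed connections through FORWARD in both directions.
# NOTE(review): nothing in this script DNATs to $server_2, so its two rules
# here cannot match until such a rule exists.
foreach srv ($server_1 $server_2)
  iptables -A FORWARD -i $router_1 -o $dsl -s $srv -p tcp --sport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
end
foreach srv ($server_1 $server_2)
  iptables -A FORWARD -i $dsl -o $router_1 -d $srv -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
end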
################################################## ###################################
#--------#
# ROUTER #
#--------#
# PINGS FORWARDEN
# The router itself.
# ICMP may be forwarded in both directions for the internal network.
iptables -A FORWARD -i $router_1 -o $dsl -s $intern_zone -p icmp -j ACCEPT
iptables -A FORWARD -i $dsl -o $router_1 -d $intern_zone -p icmp -j ACCEPT
# The router may open HTTP connections over the DSL link.
iptables -A INPUT -i $dsl -p tcp --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $dsl -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Internal hosts may query the DNS service on the router.
foreach proto (tcp udp)
  iptables -A INPUT -i $router_1 -s $intern_zone -p $proto --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
end
foreach proto (udp tcp)
  iptables -A OUTPUT -o $router_1 -d $intern_zone -p $proto --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
end
# Outbound DNS from the router over DSL; TCP lookups go to shaping class 1:14.
iptables -t mangle -A POSTROUTING -o $dsl -p tcp --dport 53 -j MARK --set-mark 14
foreach proto (tcp udp)
  iptables -A OUTPUT -o $dsl -p $proto --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
end
foreach proto (tcp udp)
  iptables -A INPUT -i $dsl -p $proto --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
end
# ICMP to and from the router: every type, on every interface.
iptables -A INPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# SSH to the router from selected LAN hosts, pinned to IP + MAC. The UDP
# variants are kept as written; SSH is TCP only, so they never match.
foreach portopt (--dport --sport)
  foreach proto (tcp udp)
    iptables -A INPUT -s $thomas_2 -m mac --mac-source $thomas_2_mac -p $proto $portopt 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  end
end
foreach portopt (--dport --sport)
  foreach proto (tcp udp)
    iptables -A INPUT -s $server_1 -m mac --mac-source $server_1_mac -p $proto $portopt 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  end
end
foreach portopt (--dport --sport)
  foreach proto (tcp udp)
    iptables -A INPUT -s $server_2 -m mac --mac-source $server_2_mac -p $proto $portopt 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  end
end
# SSH replies leaving over DSL go to the interactive class 1:14.
foreach proto (tcp udp)
  iptables -t mangle -A POSTROUTING -o $dsl -p $proto --sport 22 -j MARK --set-mark 14
end
# Jonas Jacobi from the outside.
# NOTE(review): a MAC match on the PPP interface is not expected to succeed
# (no Ethernet header on a point-to-point link), so these two rules are
# effectively dead; the "everyone" rules right below are what actually
# admit the connection.
foreach proto (tcp udp)
  iptables -A INPUT -i $dsl -m mac --mac-source $jonas_1_mac -p $proto --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
end
# Everyone: SSH on the router is reachable from any Internet address, with
# no source restriction and no rate limit on NEW connections. sshd's own
# configuration is therefore the only control on this port; `-m limit` on
# NEW or a `-s` restriction would narrow it.
foreach proto (tcp udp)
  iptables -A INPUT -i $dsl -p $proto --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
end
# Outbound SSH in both roles (server replies, client connections), any interface.
foreach portopt (--sport --dport)
  foreach proto (tcp udp)
    iptables -A OUTPUT -p $proto $portopt 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  end
end
################################################## ###################################
# BANDBREITENBEGRENZUNG AUSFUEHREN
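# Steer marked packets into their HTB leaf. With the "fw" classifier the
# "handle" is the fwmark to match. Before this fix all five filters used
# handle 10, so marks 11-14 matched no filter and every host's upload ended
# up in the default class 1:10 — the per-user classes were never used.
foreach cls (10 11 12 13 14)
  /root/tc/tc filter add dev $dsl parent 1:0 prio 0 protocol ip handle $cls fw flowid 1:$cls
end
# /root/tc/tc filter add dev $router_1 parent 2:0 prio 0 protocol ip handle 20 fw flowid 2:20
# /root/tc/tc filter add dev $router_1 parent 2:0 prio 0 protocol ip handle 20 fw flowid 2:21
# Fair queueing inside each leaf so a single flow cannot monopolise a class.
foreach cls (10 11 12 13 14)
  /root/tc/tc qdisc add dev $dsl parent 1:$cls handle $cls sfq perturb 10
end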
# /root/tc/tc qdisc add dev $router_1 parent 1:20 handle 20 sfq perturb 10
# /root/tc/tc qdisc add dev $router_1 parent 1:21 handle 21 sfq perturb 10
# /root/tc/tc qdisc add dev $router_1 parent 1:22 handle 22 sfq perturb 10
################################################## ###################################
# ALLES LOOGEN UND DROPPEN, WAS VORHER NICHT ERLAUBT WURD
# Whatever no rule above accepted is logged (rate-limited) and dropped.
foreach chain (INPUT OUTPUT FORWARD)
  iptables -A $chain -j log_drop
end
################################################## ###################################
#----------------------#
# Print a confirmation so the caller can see the script ran to the end.
#----------------------#
echo "blah"