Lucky_L
19.10.03, 12:48
Hallo,
vielleicht hab ich mich nur etwas dämlich angestellt, aber mein nmap scan hat eben ergeben, das bei mir trotz harrys iptables script ssh (22), smtp (sollte offen sein für mails abzuholen), sunrpc (111), ipp (631) und X11 (6000) offen sein soll.
Ich poste mal mein scipt, die ausgabe von iptables -L und das nmap protokoll.
Nmap:
QUOTE]
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
sendto in send_tcp_raw: sendto(3, packet, 60, 0, 217.229.212.206, 16) => Operation not permitted
sendto in send_tcp_raw: sendto(3, packet, 60, 0, 217.229.212.206, 16) => Operation not permitted
sendto in send_tcp_raw: sendto(3, packet, 60, 0, 217.229.212.206, 16) => Operation not permitted
sendto in send_tcp_raw: sendto(3, packet, 60, 0, 217.229.212.206, 16) => Operation not permitted
sendto in send_tcp_raw: sendto(3, packet, 60, 0, 217.229.212.206, 16) => Operation not permitted
sendto in send_tcp_raw: sendto(3, packet, 60, 0, 217.229.212.206, 16) => Operation not permitted
Interesting ports on pD9E5D4CE.dip.t-dialin.net (217.229.212.206):
(The 1597 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
111/tcp open sunrpc
631/tcp open ipp
6000/tcp open X11
No exact OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
TCP/IP fingerprint:
SInfo(V=3.00%P=i586-suse-linux%D=10/19%Time=3F928530%O=22%C=1)
TSeq(Class=RI%gcd=1%SI=310576%IPID=I%TS=100HZ)
TSeq(Class=RI%gcd=1%SI=3105A6%IPID=I%TS=100HZ)
TSeq(Class=RI%gcd=1%SI=3105F9%IPID=I%TS=100HZ)
T1(Resp=Y%DF=Y%W=7FFF%ACK=S++%Flags=AS%Ops=MNNTNW)
T2(Resp=N)
T3(Resp=N)
T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=N)
PU(Resp=Y%DF=N%TOS=C0%IPLEN=164%RIPTL=148%RID=E%RI PCK=E%UCK=E%ULEN=134%DAT=E)
Uptime 0.016 days (since Sun Oct 19 14:13:22 2003)
Nmap run completed -- 1 IP address (1 host up) scanned in 19 seconds
[/QUOTE]
iptables -L
stacheldraht:/home/rantanplan # iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
LOG all -- anywhere anywhere state INVALID limit: avg 2/sec burst 5 LOG level warning prefix `INPUT INVALID '
DROP all -- anywhere anywhere state INVALID
MY_DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
MY_DROP tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
MY_DROP tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST
MY_DROP tcp -- anywhere anywhere tcp flags:FIN,RST/FIN,RST
MY_DROP tcp -- anywhere anywhere tcp flags:FIN,ACK/FIN
MY_DROP tcp -- anywhere anywhere tcp flags:PSH,ACK/PSH
MY_DROP tcp -- anywhere anywhere tcp flags:ACK,URG/URG
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:domain
ACCEPT udp -- anywhere anywhere state NEW udp dpt:domain
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
MY_REJECT all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
LOG all -- anywhere anywhere state INVALID limit: avg 2/sec burst 5 LOG level warning prefix `OUTPUT INVALID '
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
MY_REJECT all -- anywhere anywhere
Chain MY_DROP (7 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 2/sec burst 5 LOG level warning prefix `PORTSCAN DROP '
DROP all -- anywhere anywhere
Chain MY_REJECT (2 references)
target prot opt source destination
LOG tcp -- anywhere anywhere limit: avg 2/sec burst 5 LOG level warning prefix `REJECT TCP '
REJECT tcp -- anywhere anywhere reject-with tcp-reset
LOG udp -- anywhere anywhere limit: avg 2/sec burst 5 LOG level warning prefix `REJECT UDP '
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
LOG icmp -- anywhere anywhere limit: avg 2/sec burst 5 LOG level warning prefix `DROP ICMP '
DROP icmp -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg 2/sec burst 5 LOG level warning prefix `REJECT OTHER '
REJECT all -- anywhere anywhere reject-with icmp-proto-unreachable
Script:
#!/bin/bash
# ---------------------------------------------------------------------
# Linux-iptables-Firewallskript, Copyright (c) 2003 under the GPL
# Autogenerated by iptables Generator v1.16 (c) 2002 by Harald Bertram
# Please visit http://www.harry.homelinux.org for new versions of
# the iptables Generator (c).
#
# This Script was generated by request from:
# c0deX@gmx.net on: 2003-10-19 7:48.9 MET.
#
# If you have questions about the iptables Generator or about
# your Firewall-Skript feel free to take a look at out website or
# send me an E-Mail to webmaster@harry.homelinux.org.
#
# My special thanks are going to Lutz Heinrich (trinitywork@hotmail.com) who
# made lots of Beta-Testing and gave me lots of well qualified
# Feedback that made me able to improve the iptables Generator.
# --------------------------------------------------------------------
#
### BEGIN INIT INFO
# Provides: IP-Paketfilter
# Required-Start: $network $local_fs
# Required-Stop: $local_fs
# Default-Start: 3 5
# Default-Stop: 0 1 2 4 6
# Short-Description: Harry's IP-Paketfilter
# Description: Harry's IP-Paketfilter provides reasonable
# IP-Security for Home-Computers and small networks
### END INIT INFO
#
case "$1" in
start)
echo "Starte IP-Paketfilter"
# iptables-Modul
modprobe ip_tables
# Connection-Tracking-Module
modprobe ip_conntrack
# Das Modul ip_conntrack_irc ist erst bei Kerneln >= 2.4.19 verfuegbar
modprobe ip_conntrack_irc
modprobe ip_conntrack_ftp
# Tabelle flushen
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -t nat -X
iptables -t mangle -X
# Default-Policies setzen
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# MY_REJECT-Chain
iptables -N MY_REJECT
# MY_REJECT fuellen
iptables -A MY_REJECT -p tcp -m limit --limit 7200/h -j LOG --log-prefix "REJECT TCP "
iptables -A MY_REJECT -p tcp -j REJECT --reject-with tcp-reset
iptables -A MY_REJECT -p udp -m limit --limit 7200/h -j LOG --log-prefix "REJECT UDP "
iptables -A MY_REJECT -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A MY_REJECT -p icmp -m limit --limit 7200/h -j LOG --log-prefix "DROP ICMP "
iptables -A MY_REJECT -p icmp -j DROP
iptables -A MY_REJECT -m limit --limit 7200/h -j LOG --log-prefix "REJECT OTHER "
iptables -A MY_REJECT -j REJECT --reject-with icmp-proto-unreachable
# MY_DROP-Chain
iptables -N MY_DROP
iptables -A MY_DROP -m limit --limit 7200/h -j LOG --log-prefix "PORTSCAN DROP "
iptables -A MY_DROP -j DROP
# Alle verworfenen Pakete protokollieren
iptables -A INPUT -m state --state INVALID -m limit --limit 7200/h -j LOG --log-prefix "INPUT INVALID "
iptables -A OUTPUT -m state --state INVALID -m limit --limit 7200/h -j LOG --log-prefix "OUTPUT INVALID "
# Korrupte Pakete zurueckweisen
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
# Stealth Scans etc. DROPpen
# Keine Flags gesetzt
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j MY_DROP
# SYN und FIN gesetzt
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j MY_DROP
# SYN und RST gleichzeitig gesetzt
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j MY_DROP
# FIN und RST gleichzeitig gesetzt
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j MY_DROP
# FIN ohne ACK
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j MY_DROP
# PSH ohne ACK
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j MY_DROP
# URG ohne ACK
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j MY_DROP
# Loopback-Netzwerk-Kommunikation zulassen
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Connection-Tracking aktivieren
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# HTTP
iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 80 -j ACCEPT
# HTTPS
iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 443 -j ACCEPT
# SMTP
iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 25 -j ACCEPT
# POP3
iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 110 -j ACCEPT
# DNS
iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -i ppp0 -m state --state NEW -p udp --dport 53 -j ACCEPT
# FTP
iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 21 -j ACCEPT
# Default-Policies mit REJECT
iptables -A INPUT -j MY_REJECT
iptables -A OUTPUT -j MY_REJECT
# Max. 500/Sekunde (5/Jiffie) senden
echo 5 > /proc/sys/net/ipv4/icmp_ratelimit
# Speicherallozierung und -timing für IP-De/-Fragmentierung
echo 262144 > /proc/sys/net/ipv4/ipfrag_high_thresh
echo 196608 > /proc/sys/net/ipv4/ipfrag_low_thresh
echo 30 > /proc/sys/net/ipv4/ipfrag_time
# TCP-FIN-Timeout zum Schutz vor DoS-Attacken setzen
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
# Maximal 3 Antworten auf ein TCP-SYN
echo 3 > /proc/sys/net/ipv4/tcp_retries1
# TCP-Pakete maximal 15x wiederholen
echo 15 > /proc/sys/net/ipv4/tcp_retries2
;;
stop)
echo "Stoppe IP-Paketfilter"
# Tabelle flushen
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -t nat -X
iptables -t mangle -X
echo "Deaktiviere IP-Routing"
echo 0 > /proc/sys/net/ipv4/ip_forward
# Default-Policies setzen
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
;;
status)
echo "Tabelle filter"
iptables -L -vn
echo "Tabelle nat"
iptables -t nat -L -vn
echo "Tabelle mangle"
iptables -t mangle -L -vn
;;
*)
echo "Fehlerhafter Aufruf"
echo "Syntax: $0 {start|stop|status}"
exit 1
;;
esac
soweit ich das beurteilen kann müsste das alles korrekt sein...
vielen dank für eure hilfe
edit: sorry - wenn mans so net lesen kann, dann schick ichs nochmal mit zeilenumbrüchen.
vielleicht hab ich mich nur etwas dämlich angestellt, aber mein nmap scan hat eben ergeben, das bei mir trotz harrys iptables script ssh (22), smtp (sollte offen sein für mails abzuholen), sunrpc (111), ipp (631) und X11 (6000) offen sein soll.
Ich poste mal mein scipt, die ausgabe von iptables -L und das nmap protokoll.
Nmap:
QUOTE]
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
sendto in send_tcp_raw: sendto(3, packet, 60, 0, 217.229.212.206, 16) => Operation not permitted
sendto in send_tcp_raw: sendto(3, packet, 60, 0, 217.229.212.206, 16) => Operation not permitted
sendto in send_tcp_raw: sendto(3, packet, 60, 0, 217.229.212.206, 16) => Operation not permitted
sendto in send_tcp_raw: sendto(3, packet, 60, 0, 217.229.212.206, 16) => Operation not permitted
sendto in send_tcp_raw: sendto(3, packet, 60, 0, 217.229.212.206, 16) => Operation not permitted
sendto in send_tcp_raw: sendto(3, packet, 60, 0, 217.229.212.206, 16) => Operation not permitted
Interesting ports on pD9E5D4CE.dip.t-dialin.net (217.229.212.206):
(The 1597 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
111/tcp open sunrpc
631/tcp open ipp
6000/tcp open X11
No exact OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
TCP/IP fingerprint:
SInfo(V=3.00%P=i586-suse-linux%D=10/19%Time=3F928530%O=22%C=1)
TSeq(Class=RI%gcd=1%SI=310576%IPID=I%TS=100HZ)
TSeq(Class=RI%gcd=1%SI=3105A6%IPID=I%TS=100HZ)
TSeq(Class=RI%gcd=1%SI=3105F9%IPID=I%TS=100HZ)
T1(Resp=Y%DF=Y%W=7FFF%ACK=S++%Flags=AS%Ops=MNNTNW)
T2(Resp=N)
T3(Resp=N)
T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=N)
PU(Resp=Y%DF=N%TOS=C0%IPLEN=164%RIPTL=148%RID=E%RI PCK=E%UCK=E%ULEN=134%DAT=E)
Uptime 0.016 days (since Sun Oct 19 14:13:22 2003)
Nmap run completed -- 1 IP address (1 host up) scanned in 19 seconds
[/QUOTE]
iptables -L
stacheldraht:/home/rantanplan # iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
LOG all -- anywhere anywhere state INVALID limit: avg 2/sec burst 5 LOG level warning prefix `INPUT INVALID '
DROP all -- anywhere anywhere state INVALID
MY_DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
MY_DROP tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
MY_DROP tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST
MY_DROP tcp -- anywhere anywhere tcp flags:FIN,RST/FIN,RST
MY_DROP tcp -- anywhere anywhere tcp flags:FIN,ACK/FIN
MY_DROP tcp -- anywhere anywhere tcp flags:PSH,ACK/PSH
MY_DROP tcp -- anywhere anywhere tcp flags:ACK,URG/URG
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:domain
ACCEPT udp -- anywhere anywhere state NEW udp dpt:domain
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
MY_REJECT all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
LOG all -- anywhere anywhere state INVALID limit: avg 2/sec burst 5 LOG level warning prefix `OUTPUT INVALID '
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
MY_REJECT all -- anywhere anywhere
Chain MY_DROP (7 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 2/sec burst 5 LOG level warning prefix `PORTSCAN DROP '
DROP all -- anywhere anywhere
Chain MY_REJECT (2 references)
target prot opt source destination
LOG tcp -- anywhere anywhere limit: avg 2/sec burst 5 LOG level warning prefix `REJECT TCP '
REJECT tcp -- anywhere anywhere reject-with tcp-reset
LOG udp -- anywhere anywhere limit: avg 2/sec burst 5 LOG level warning prefix `REJECT UDP '
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
LOG icmp -- anywhere anywhere limit: avg 2/sec burst 5 LOG level warning prefix `DROP ICMP '
DROP icmp -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg 2/sec burst 5 LOG level warning prefix `REJECT OTHER '
REJECT all -- anywhere anywhere reject-with icmp-proto-unreachable
Script:
#!/bin/bash
# ---------------------------------------------------------------------
# Linux-iptables-Firewallskript, Copyright (c) 2003 under the GPL
# Autogenerated by iptables Generator v1.16 (c) 2002 by Harald Bertram
# Please visit http://www.harry.homelinux.org for new versions of
# the iptables Generator (c).
#
# This Script was generated by request from:
# c0deX@gmx.net on: 2003-10-19 7:48.9 MET.
#
# If you have questions about the iptables Generator or about
# your Firewall-Skript feel free to take a look at out website or
# send me an E-Mail to webmaster@harry.homelinux.org.
#
# My special thanks are going to Lutz Heinrich (trinitywork@hotmail.com) who
# made lots of Beta-Testing and gave me lots of well qualified
# Feedback that made me able to improve the iptables Generator.
# --------------------------------------------------------------------
#
### BEGIN INIT INFO
# Provides: IP-Paketfilter
# Required-Start: $network $local_fs
# Required-Stop: $local_fs
# Default-Start: 3 5
# Default-Stop: 0 1 2 4 6
# Short-Description: Harry's IP-Paketfilter
# Description: Harry's IP-Paketfilter provides reasonable
# IP-Security for Home-Computers and small networks
### END INIT INFO
#
case "$1" in
start)
echo "Starte IP-Paketfilter"
# iptables-Modul
modprobe ip_tables
# Connection-Tracking-Module
modprobe ip_conntrack
# Das Modul ip_conntrack_irc ist erst bei Kerneln >= 2.4.19 verfuegbar
modprobe ip_conntrack_irc
modprobe ip_conntrack_ftp
# Tabelle flushen
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -t nat -X
iptables -t mangle -X
# Default-Policies setzen
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# MY_REJECT-Chain
iptables -N MY_REJECT
# MY_REJECT fuellen
iptables -A MY_REJECT -p tcp -m limit --limit 7200/h -j LOG --log-prefix "REJECT TCP "
iptables -A MY_REJECT -p tcp -j REJECT --reject-with tcp-reset
iptables -A MY_REJECT -p udp -m limit --limit 7200/h -j LOG --log-prefix "REJECT UDP "
iptables -A MY_REJECT -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A MY_REJECT -p icmp -m limit --limit 7200/h -j LOG --log-prefix "DROP ICMP "
iptables -A MY_REJECT -p icmp -j DROP
iptables -A MY_REJECT -m limit --limit 7200/h -j LOG --log-prefix "REJECT OTHER "
iptables -A MY_REJECT -j REJECT --reject-with icmp-proto-unreachable
# MY_DROP-Chain
iptables -N MY_DROP
iptables -A MY_DROP -m limit --limit 7200/h -j LOG --log-prefix "PORTSCAN DROP "
iptables -A MY_DROP -j DROP
# Alle verworfenen Pakete protokollieren
iptables -A INPUT -m state --state INVALID -m limit --limit 7200/h -j LOG --log-prefix "INPUT INVALID "
iptables -A OUTPUT -m state --state INVALID -m limit --limit 7200/h -j LOG --log-prefix "OUTPUT INVALID "
# Korrupte Pakete zurueckweisen
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
# Stealth Scans etc. DROPpen
# Keine Flags gesetzt
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j MY_DROP
# SYN und FIN gesetzt
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j MY_DROP
# SYN und RST gleichzeitig gesetzt
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j MY_DROP
# FIN und RST gleichzeitig gesetzt
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j MY_DROP
# FIN ohne ACK
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j MY_DROP
# PSH ohne ACK
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j MY_DROP
# URG ohne ACK
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j MY_DROP
# Loopback-Netzwerk-Kommunikation zulassen
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Connection-Tracking aktivieren
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# HTTP
iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 80 -j ACCEPT
# HTTPS
iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 443 -j ACCEPT
# SMTP
iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 25 -j ACCEPT
# POP3
iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 110 -j ACCEPT
# DNS
iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -i ppp0 -m state --state NEW -p udp --dport 53 -j ACCEPT
# FTP
iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 21 -j ACCEPT
# Default-Policies mit REJECT
iptables -A INPUT -j MY_REJECT
iptables -A OUTPUT -j MY_REJECT
# Max. 500/Sekunde (5/Jiffie) senden
echo 5 > /proc/sys/net/ipv4/icmp_ratelimit
# Speicherallozierung und -timing für IP-De/-Fragmentierung
echo 262144 > /proc/sys/net/ipv4/ipfrag_high_thresh
echo 196608 > /proc/sys/net/ipv4/ipfrag_low_thresh
echo 30 > /proc/sys/net/ipv4/ipfrag_time
# TCP-FIN-Timeout zum Schutz vor DoS-Attacken setzen
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
# Maximal 3 Antworten auf ein TCP-SYN
echo 3 > /proc/sys/net/ipv4/tcp_retries1
# TCP-Pakete maximal 15x wiederholen
echo 15 > /proc/sys/net/ipv4/tcp_retries2
;;
stop)
echo "Stoppe IP-Paketfilter"
# Tabelle flushen
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -t nat -X
iptables -t mangle -X
echo "Deaktiviere IP-Routing"
echo 0 > /proc/sys/net/ipv4/ip_forward
# Default-Policies setzen
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
;;
status)
echo "Tabelle filter"
iptables -L -vn
echo "Tabelle nat"
iptables -t nat -L -vn
echo "Tabelle mangle"
iptables -t mangle -L -vn
;;
*)
echo "Fehlerhafter Aufruf"
echo "Syntax: $0 {start|stop|status}"
exit 1
;;
esac
soweit ich das beurteilen kann müsste das alles korrekt sein...
vielen dank für eure hilfe
edit: sorry - wenn mans so net lesen kann, dann schick ichs nochmal mit zeilenumbrüchen.