Alex_K
16.04.01, 16:11
ich hab einen router auf dem squid ind webmin läuft, und ich habe mir dazu ein FW-script mit der anleitung von pro-linux geschrieben, doch sobald ich das script starte kann sich der router nicht mehr einwählen, wenn er jedoch eingewählt ist, und ich dann erst die FW starte funktionierts ohne probleme ... bist irgendwann die verbindumg wieder getrennet wird ....
hier das script:
-----------------------
ext_int="ippp0" #Schnittstelle zum Internet
int_int="eth0" #Schnittstelle zum LAN
ip_adr="192.168.0.99" #Statische IP vom Provider
ip_adr_lan="192.168.0.1" #IP-Adresse zum LAN
lan="192.168.0.0/5" #Adressbereich des LANs
alles="any/0" #Alle IP-Adressen
lo_int="lo" #Loopback Interface
class_a="10.0.0.0/8" #Bereich eines Klasse A Netzes
class_b="172.16.0.0/12" #Bereich eines Klasse B Netzes
class_c="192.168.0.0/16" #Bereich eines Klasse C Netzes
class_d="224.0.0.0/4" #Bereich eines Klasse D Netzes
class_e="240.0.0.0/5" #Bereich eines Klasse E Netzes
bcast_src="0.0.0.0"
bcast_dest="255.255.255.255"
priv_ports="0:1023" #privilegierte Ports
unpriv_ports="1024:65535" #unprivilegierte Ports
DNS1="195.3.96.67" #DNS Server der Providers
DNS2="195.3.96.68"
aon_mail="195.3.96.71" #AON-Mailserver
gmx_mail="194.221.183.20" #GMX-Mailserver
#
#
#Chains löschen
ipchains -F input
ipchains -F output
ipchains -F forward
#Default Policy definieren
ipchains -P input DENY
ipchains -P output REJECT
ipchains -P forward REJECT
#Loopback Interface aktivieren
ipchains -A input -i $lo_int -j ACCEPT
ipchains -A output -i $lo_int -j ACCEPT
#IP Forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward
#IP Spoofing: Loopback Interface
ipchains -A input -i $ext_int -s 127.0.0.0 -j DENY
ipchains -A output -i $ext_int -s 127.0.0.0 -j DENY -l
#IP Spoofing: reservierte Adressbereiche
ipchains -A input -i $ext_int -s $class_a -j DENY
ipchains -A input -i $ext_int -d $class_a -j DENY
ipchains -A output -i $ext_int -s $class_a -j DENY -l
ipchains -A output -i $ext_int -d $class_a -j DENY -l
ipchains -A input -i $ext_int -s $class_b -j DENY
ipchains -A input -i $ext_int -d $class_b -j DENY
ipchains -A output -i $ext_int -s $class_b -j DENY -l
ipchains -A output -i $ext_int -d $class_b -j DENY -l
ipchains -A input -i $ext_int -s $class_c -j DENY
ipchains -A input -i $ext_int -d $class_c -j DENY
ipchains -A output -i $ext_int -s $class_c -j DENY -l
ipchains -A output -i $ext_int -d $class_c -j DENY -l
ipchains -A input -i $ext_int -s $class_d -j DENY -l
ipchains -A output -i $ext_int -s $class_d -j REJECT -l
ipchains -A output -i $ext_int -d $class_d -j REJECT -l
ipchains -A input -i $ext_int -s $class_d -j REJECT -l
ipchains -A input -i $ext_int -s $class_e -j DENY -l
#IP Spoofing: IANA Adressbereiche
ipchains -A input -i $ext_int -s 1.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 2.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 5.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 7.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 23.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 27.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 31.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 37.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 39.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 41.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 42.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 58.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 60.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 65.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 66.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 67.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 68.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 69.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 70.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 71.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 72.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 73.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 74.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 75.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 76.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 77.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 78.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 79.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 80.0.0.0/4 -j DENY -l
ipchains -A input -i $ext_int -s 96.0.0.0/4 -j DENY -l
ipchains -A input -i $ext_int -s 112.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 113.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 114.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 115.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 116.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 117.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 118.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 119.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 120.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 121.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 122.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 123.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 124.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 125.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 126.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 217.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 218.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 219.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 220.0.0.0/6 -j DENY -l
#IP Spoofing: Boardcast Adressen
ipchains -A input -i $ext_int -s $bcast_dest -j DENY -l
ipchains -A output -i $ext_int -d $bcast_src -j DENY -l
#ICMP Pakete
ipchains -A input -i $ext_int -p icmp -s $alles 4 -j ACCEPT
ipchains -A output -i $ext_int -p icmp -s $alles 4 -j ACCEPT
ipchains -A input -i $int_int -p icmp -s $lan 4 -j ACCEPT
ipchains -A output -i $int_int -p icmp -s $alles 4 -j ACCEPT
ipchains -A input -i $ext_int -p icmp -s $alles 12 -j ACCEPT
ipchains -A output -i $ext_int -p icmp -s $alles 12 -j ACCEPT
ipchains -A input -i $int_int -p icmp -s $lan 12 -j ACCEPT
ipchains -A output -i $int_int -p icmp -s $alles 12 -j ACCEPT
ipchains -A input -i $ext_int -p icmp -s $alles 3 -j ACCEPT
ipchains -A output -i $ext_int -p icmp -s $alles 3 -j ACCEPT
ipchains -A input -i $int_int -p icmp -s $lan 3 -j ACCEPT
ipchains -A output -i $int_int -p icmp -s $alles 3 -j ACCEPT
#Domain Name Service
ipchains -A input -i $ext_int -p udp -s $DNS1 53 -d $alles $unpriv_ports -j ACCEPT
ipchains -A output -i $ext_int -p udp -s $alles $unpriv_ports -d $DNS1 53 -j ACCEPT
ipchains -A input -i $int_int -p udp -s $lan -d $alles 53 -j ACCEPT
ipchains -A output -i $int_int -p udp -s $alles 53 -j ACCEPT
ipchains -A input -i $ext_int -p udp -s $DNS2 53 -d $alles $unpriv_ports -j ACCEPT
ipchains -A output -i $ext_int -p udp -s $alles $unpriv_ports -d $DNS2 53 -j ACCEPT
ipchains -A input -i $ext_int -p tcp -s $DNS1 53 -d $alles $unpriv_ports -j ACCEPT
ipchains -A output -i $ext_int -p tcp -s $alles $unpriv_ports -d $DNS1 53 -j ACCEPT
ipchains -A input -i $int_int -p tcp -s $lan -d $alles 53 -j ACCEPT
ipchains -A output -i $int_int -p tcp -s $alles 53 -j ACCEPT
ipchains -A input -i $ext_int -p tcp -s $DNS2 53 -d $alles $unpriv_ports -j ACCEPT
ipchains -A output -i $ext_int -p tcp -s $alles $unpriv_ports -d $DNS2 53 -j ACCEPT
#SMTP
ipchains -A input -i $ext_int -p tcp ! -y -s $gmx_mail 25 -d $alles $unpriv_ports -j ACCEPT
ipchains -A output -i $ext_int -p tcp -s $alles $unpriv_ports -d $gmx_mail 25 -j ACCEPT
ipchains -A input -i $int_int -p tcp -s $lan -d $alles 25 -j ACCEPT
ipchains -A output -i $int_int -p tcp -s $alles 25 -j ACCEPT
ipchains -A input -i $ext_int -p tcp ! -y -s $aon_mail 25 -d $alles $unpriv_ports -j ACCEPT
ipchains -A output -i $ext_int -p tcp -s $alles $unpriv_ports -d $aon_mail 25 -j ACCEPT
#POP3
ipchains -A input -i $ext_int -p tcp ! -y -s $gmx_mail 110 -d $alles $unpriv_ports -j ACCEPT
ipchains -A output -i $ext_int -p tcp -s $alles $unpriv_ports -d $gmx_mail 110 -j ACCEPT
ipchains -A input -i $int_int -p tcp -s $lan -d $alles 110 -j ACCEPT
ipchains -A output -i $int_int -p tcp -s $alles 110 -j ACCEPT
ipchains -A input -i $ext_int -p tcp ! -y -s $aon_mail 110 -d $alles $unpriv_ports -j ACCEPT
ipchains -A output -i $ext_int -p tcp -s $alles $unpriv_ports -d $aon_mail 110 -j ACCEPT
#HTTP
ipchains -A input -i $ext_int -p tcp ! -y -s $alles 80 -d $alles $unpriv_ports -j ACCEPT
ipchains -A output -i $ext_int -p tcp -s $alles $unpriv_ports -d $alles 80 -j ACCEPT
ipchains -A input -i $int_int -p tcp -s $lan -d $ip_adr_lan 3128 -j ACCEPT
ipchains -A output -i $int_int -p tcp -s $ip_adr_lan 3128 -d $lan -j ACCEPT
#SSL
ipchains -A input -i $ext_int -p tcp ! -y -s $alles 443 -d $alles $unpriv_ports -j ACCEPT
ipchains -A output -i $ext_int -p tcp -s $alles $unpriv_ports -d $alles 443 -j ACCEPT
ipchains -A input -i $int_int -p tcp -s $lan -d $alles 443 -j ACCEPT
ipchains -A output -i $int_int -p tcp -s $alles 443 -d $lan -j ACCEPT
#FTP
ipchains -A input -i $ext_int -p tcp ! -y -s $alles 21 -d $alles $unpriv_ports -j ACCEPT
ipchains -A output -i $ext_int -p tcp -s $alles $unpriv_ports -d $alles 21 -j ACCEPT
ipchains -A input -i $int_int -p tcp -s $lan -d $alles 21 -j ACCEPT
ipchains -A output -i $int_int -p tcp -s $alles 21 -d $lan -j ACCEPT
ipchains -A input -i $ext_int -p tcp -s $alles 20 -d $alles $unpriv_ports -j ACCEPT
ipchains -A output -i $ext_int -p tcp ! -y -s $alles $unpriv_ports -d $alles 20 -j ACCEPT
ipchains -A input -i $int_int -p tcp -s $lan -d $alles 20 -j ACCEPT
ipchains -A output -i $int_int -p tcp -s $alles 20 -d $lan -j ACCEPT
#ipchains -A input -i $ext_int -p tcp ! -y -s $alles $unpriv_ports -d $alles $unpriv_ports -j ACCEPT
#ipchains -A output -i $ext_int -p tcp -s $alles $unpriv_ports -d $alles $unpriv_ports -j ACCEPT
#ipchains -A input -i $int_int -p tcp -s $lan $unpriv_ports -d $alles $unpriv_ports -j ACCEPT
#ipchains -A output -i $int_int -p tco -s $alles $unpriv_ports -d $lan $unpriv_ports -j ACCEPT
#Counter-Srike
ipchains -A input -i $ext_int -p udp -s $alles 27001:27025 -d $alles $unpriv_ports -j ACCEPT
ipchains -A output -i $ext_int -p udp -s $alles $unpriv_ports -d $alles 27001:27025 -j ACCEPT
ipchains -A input -i $int_int -p udp -s $lan -d $alles 27001:27025 -j ACCEPT
ipchains -A output -i $int_int -p udp -s $alles 27001:27025 -j ACCEPT
ipchains -A input -i $ext_int -p tcp -s $alles 7002 -d $alles $unpriv_ports -j ACCEPT
ipchains -A output -i $ext_int -p tcp -s $alles $unpriv_ports -d $alles 7002 -j ACCEPT
ipchains -A input -i $int_int -p tcp -s $lan -d $alles 7002 -j ACCEPT
ipchains -A output -i $int_int -p tcp -s $alles 7002 -d $lan $unpriv_ports -j ACCEPT
#ICQ
ipchains -A input -i $ext_int -p tcp -s $alles 5190 -d $alles $unpriv_ports -j ACCEPT
ipchains -A output -i $ext_int -p tcp -s $alles $unpriv_ports -d $alles 5190 -j ACCEPT
ipchains -A input -i $int_int -p tcp -s $lan -d $alles 5190 -j ACCEPT
ipchains -A output -i $int_int -p tcp -s $alles 5190 -d $lan -j ACCEPT
#Webmin
ipchains -A input -i $int_int -p tcp -s $lan -d $ip_adr_lan 10000 -j ACCEPT
ipchains -A output -i $int_int -p tcp -s $ip_adr_lan 10000 -d $lan -j ACCEPT
#Masquerading
ipchains -A forward -i $ext_int -s $lan -j MASQ
#MSQ-Modules
/sbin/modprobe ip_masq_autofw
/sbin/modprobe ip_masq_ftp
/sbin/modprobe ip_masq_cuseeme
/sbin/modprobe ip_masq_irc
/sbin/modprobe ip_masq_mfw
/sbin/modprobe ip_masq_portfw
/sbin/modprobe ip_masq_quake
/sbin/modprobe ip_masq_raudio
/sbin/modprobe ip_masq_user
/sbin/modprobe ip_masq_vdolive
hier das script:
-----------------------
ext_int="ippp0" #Schnittstelle zum Internet
int_int="eth0" #Schnittstelle zum LAN
ip_adr="192.168.0.99" #Statische IP vom Provider
ip_adr_lan="192.168.0.1" #IP-Adresse zum LAN
lan="192.168.0.0/5" #Adressbereich des LANs
alles="any/0" #Alle IP-Adressen
lo_int="lo" #Loopback Interface
class_a="10.0.0.0/8" #Bereich eines Klasse A Netzes
class_b="172.16.0.0/12" #Bereich eines Klasse B Netzes
class_c="192.168.0.0/16" #Bereich eines Klasse C Netzes
class_d="224.0.0.0/4" #Bereich eines Klasse D Netzes
class_e="240.0.0.0/5" #Bereich eines Klasse E Netzes
bcast_src="0.0.0.0"
bcast_dest="255.255.255.255"
priv_ports="0:1023" #privilegierte Ports
unpriv_ports="1024:65535" #unprivilegierte Ports
DNS1="195.3.96.67" #DNS Server der Providers
DNS2="195.3.96.68"
aon_mail="195.3.96.71" #AON-Mailserver
gmx_mail="194.221.183.20" #GMX-Mailserver
#
#
#Chains löschen
ipchains -F input
ipchains -F output
ipchains -F forward
#Default Policy definieren
ipchains -P input DENY
ipchains -P output REJECT
ipchains -P forward REJECT
#Loopback Interface aktivieren
ipchains -A input -i $lo_int -j ACCEPT
ipchains -A output -i $lo_int -j ACCEPT
#IP Forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward
#IP Spoofing: Loopback Interface
ipchains -A input -i $ext_int -s 127.0.0.0 -j DENY
ipchains -A output -i $ext_int -s 127.0.0.0 -j DENY -l
#IP Spoofing: reservierte Adressbereiche
ipchains -A input -i $ext_int -s $class_a -j DENY
ipchains -A input -i $ext_int -d $class_a -j DENY
ipchains -A output -i $ext_int -s $class_a -j DENY -l
ipchains -A output -i $ext_int -d $class_a -j DENY -l
ipchains -A input -i $ext_int -s $class_b -j DENY
ipchains -A input -i $ext_int -d $class_b -j DENY
ipchains -A output -i $ext_int -s $class_b -j DENY -l
ipchains -A output -i $ext_int -d $class_b -j DENY -l
ipchains -A input -i $ext_int -s $class_c -j DENY
ipchains -A input -i $ext_int -d $class_c -j DENY
ipchains -A output -i $ext_int -s $class_c -j DENY -l
ipchains -A output -i $ext_int -d $class_c -j DENY -l
ipchains -A input -i $ext_int -s $class_d -j DENY -l
ipchains -A output -i $ext_int -s $class_d -j REJECT -l
ipchains -A output -i $ext_int -d $class_d -j REJECT -l
ipchains -A input -i $ext_int -s $class_d -j REJECT -l
ipchains -A input -i $ext_int -s $class_e -j DENY -l
#IP Spoofing: IANA Adressbereiche
ipchains -A input -i $ext_int -s 1.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 2.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 5.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 7.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 23.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 27.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 31.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 37.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 39.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 41.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 42.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 58.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 60.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 65.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 66.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 67.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 68.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 69.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 70.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 71.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 72.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 73.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 74.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 75.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 76.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 77.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 78.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 79.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 80.0.0.0/4 -j DENY -l
ipchains -A input -i $ext_int -s 96.0.0.0/4 -j DENY -l
ipchains -A input -i $ext_int -s 112.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 113.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 114.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 115.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 116.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 117.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 118.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 119.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 120.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 121.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 122.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 123.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 124.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 125.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 126.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 217.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 218.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 219.0.0.0/8 -j DENY -l
ipchains -A input -i $ext_int -s 220.0.0.0/6 -j DENY -l
#IP Spoofing: Boardcast Adressen
ipchains -A input -i $ext_int -s $bcast_dest -j DENY -l
ipchains -A output -i $ext_int -d $bcast_src -j DENY -l
#ICMP Pakete
ipchains -A input -i $ext_int -p icmp -s $alles 4 -j ACCEPT
ipchains -A output -i $ext_int -p icmp -s $alles 4 -j ACCEPT
ipchains -A input -i $int_int -p icmp -s $lan 4 -j ACCEPT
ipchains -A output -i $int_int -p icmp -s $alles 4 -j ACCEPT
ipchains -A input -i $ext_int -p icmp -s $alles 12 -j ACCEPT
ipchains -A output -i $ext_int -p icmp -s $alles 12 -j ACCEPT
ipchains -A input -i $int_int -p icmp -s $lan 12 -j ACCEPT
ipchains -A output -i $int_int -p icmp -s $alles 12 -j ACCEPT
ipchains -A input -i $ext_int -p icmp -s $alles 3 -j ACCEPT
ipchains -A output -i $ext_int -p icmp -s $alles 3 -j ACCEPT
ipchains -A input -i $int_int -p icmp -s $lan 3 -j ACCEPT
ipchains -A output -i $int_int -p icmp -s $alles 3 -j ACCEPT
#Domain Name Service
ipchains -A input -i $ext_int -p udp -s $DNS1 53 -d $alles $unpriv_ports -j ACCEPT
ipchains -A output -i $ext_int -p udp -s $alles $unpriv_ports -d $DNS1 53 -j ACCEPT
ipchains -A input -i $int_int -p udp -s $lan -d $alles 53 -j ACCEPT
ipchains -A output -i $int_int -p udp -s $alles 53 -j ACCEPT
ipchains -A input -i $ext_int -p udp -s $DNS2 53 -d $alles $unpriv_ports -j ACCEPT
ipchains -A output -i $ext_int -p udp -s $alles $unpriv_ports -d $DNS2 53 -j ACCEPT
ipchains -A input -i $ext_int -p tcp -s $DNS1 53 -d $alles $unpriv_ports -j ACCEPT
ipchains -A output -i $ext_int -p tcp -s $alles $unpriv_ports -d $DNS1 53 -j ACCEPT
ipchains -A input -i $int_int -p tcp -s $lan -d $alles 53 -j ACCEPT
ipchains -A output -i $int_int -p tcp -s $alles 53 -j ACCEPT
ipchains -A input -i $ext_int -p tcp -s $DNS2 53 -d $alles $unpriv_ports -j ACCEPT
ipchains -A output -i $ext_int -p tcp -s $alles $unpriv_ports -d $DNS2 53 -j ACCEPT
#SMTP
ipchains -A input -i $ext_int -p tcp ! -y -s $gmx_mail 25 -d $alles $unpriv_ports -j ACCEPT
ipchains -A output -i $ext_int -p tcp -s $alles $unpriv_ports -d $gmx_mail 25 -j ACCEPT
ipchains -A input -i $int_int -p tcp -s $lan -d $alles 25 -j ACCEPT
ipchains -A output -i $int_int -p tcp -s $alles 25 -j ACCEPT
ipchains -A input -i $ext_int -p tcp ! -y -s $aon_mail 25 -d $alles $unpriv_ports -j ACCEPT
ipchains -A output -i $ext_int -p tcp -s $alles $unpriv_ports -d $aon_mail 25 -j ACCEPT
#POP3
ipchains -A input -i $ext_int -p tcp ! -y -s $gmx_mail 110 -d $alles $unpriv_ports -j ACCEPT
ipchains -A output -i $ext_int -p tcp -s $alles $unpriv_ports -d $gmx_mail 110 -j ACCEPT
ipchains -A input -i $int_int -p tcp -s $lan -d $alles 110 -j ACCEPT
ipchains -A output -i $int_int -p tcp -s $alles 110 -j ACCEPT
ipchains -A input -i $ext_int -p tcp ! -y -s $aon_mail 110 -d $alles $unpriv_ports -j ACCEPT
ipchains -A output -i $ext_int -p tcp -s $alles $unpriv_ports -d $aon_mail 110 -j ACCEPT
#HTTP
ipchains -A input -i $ext_int -p tcp ! -y -s $alles 80 -d $alles $unpriv_ports -j ACCEPT
ipchains -A output -i $ext_int -p tcp -s $alles $unpriv_ports -d $alles 80 -j ACCEPT
ipchains -A input -i $int_int -p tcp -s $lan -d $ip_adr_lan 3128 -j ACCEPT
ipchains -A output -i $int_int -p tcp -s $ip_adr_lan 3128 -d $lan -j ACCEPT
#SSL
ipchains -A input -i $ext_int -p tcp ! -y -s $alles 443 -d $alles $unpriv_ports -j ACCEPT
ipchains -A output -i $ext_int -p tcp -s $alles $unpriv_ports -d $alles 443 -j ACCEPT
ipchains -A input -i $int_int -p tcp -s $lan -d $alles 443 -j ACCEPT
ipchains -A output -i $int_int -p tcp -s $alles 443 -d $lan -j ACCEPT
#FTP
ipchains -A input -i $ext_int -p tcp ! -y -s $alles 21 -d $alles $unpriv_ports -j ACCEPT
ipchains -A output -i $ext_int -p tcp -s $alles $unpriv_ports -d $alles 21 -j ACCEPT
ipchains -A input -i $int_int -p tcp -s $lan -d $alles 21 -j ACCEPT
ipchains -A output -i $int_int -p tcp -s $alles 21 -d $lan -j ACCEPT
ipchains -A input -i $ext_int -p tcp -s $alles 20 -d $alles $unpriv_ports -j ACCEPT
ipchains -A output -i $ext_int -p tcp ! -y -s $alles $unpriv_ports -d $alles 20 -j ACCEPT
ipchains -A input -i $int_int -p tcp -s $lan -d $alles 20 -j ACCEPT
ipchains -A output -i $int_int -p tcp -s $alles 20 -d $lan -j ACCEPT
#ipchains -A input -i $ext_int -p tcp ! -y -s $alles $unpriv_ports -d $alles $unpriv_ports -j ACCEPT
#ipchains -A output -i $ext_int -p tcp -s $alles $unpriv_ports -d $alles $unpriv_ports -j ACCEPT
#ipchains -A input -i $int_int -p tcp -s $lan $unpriv_ports -d $alles $unpriv_ports -j ACCEPT
#ipchains -A output -i $int_int -p tco -s $alles $unpriv_ports -d $lan $unpriv_ports -j ACCEPT
#Counter-Srike
ipchains -A input -i $ext_int -p udp -s $alles 27001:27025 -d $alles $unpriv_ports -j ACCEPT
ipchains -A output -i $ext_int -p udp -s $alles $unpriv_ports -d $alles 27001:27025 -j ACCEPT
ipchains -A input -i $int_int -p udp -s $lan -d $alles 27001:27025 -j ACCEPT
ipchains -A output -i $int_int -p udp -s $alles 27001:27025 -j ACCEPT
ipchains -A input -i $ext_int -p tcp -s $alles 7002 -d $alles $unpriv_ports -j ACCEPT
ipchains -A output -i $ext_int -p tcp -s $alles $unpriv_ports -d $alles 7002 -j ACCEPT
ipchains -A input -i $int_int -p tcp -s $lan -d $alles 7002 -j ACCEPT
ipchains -A output -i $int_int -p tcp -s $alles 7002 -d $lan $unpriv_ports -j ACCEPT
#ICQ
ipchains -A input -i $ext_int -p tcp -s $alles 5190 -d $alles $unpriv_ports -j ACCEPT
ipchains -A output -i $ext_int -p tcp -s $alles $unpriv_ports -d $alles 5190 -j ACCEPT
ipchains -A input -i $int_int -p tcp -s $lan -d $alles 5190 -j ACCEPT
ipchains -A output -i $int_int -p tcp -s $alles 5190 -d $lan -j ACCEPT
#Webmin
ipchains -A input -i $int_int -p tcp -s $lan -d $ip_adr_lan 10000 -j ACCEPT
ipchains -A output -i $int_int -p tcp -s $ip_adr_lan 10000 -d $lan -j ACCEPT
#Masquerading
ipchains -A forward -i $ext_int -s $lan -j MASQ
#MSQ-Modules
/sbin/modprobe ip_masq_autofw
/sbin/modprobe ip_masq_ftp
/sbin/modprobe ip_masq_cuseeme
/sbin/modprobe ip_masq_irc
/sbin/modprobe ip_masq_mfw
/sbin/modprobe ip_masq_portfw
/sbin/modprobe ip_masq_quake
/sbin/modprobe ip_masq_raudio
/sbin/modprobe ip_masq_user
/sbin/modprobe ip_masq_vdolive