barton4
21.04.05, 14:08
ich bin gerad dabei fuer meinen linux rechner ein firewallscript zu schreiben,dieser rechner dient auch noch als dsl router fuer mein
anderen rechner.
#!/sbin/runscript
start()
{
$LOCAL_HOST="lo";
$LOCAL_LAN1="eth0";
$WWW_INFACE="ppp0";
iptables -P INPUT DROP;
iptables -P FORWARD DROP;
iptables -P OUTPUT DROP;
#localhost
iptables -A INPUT -i $LOCAL_HOST -j ACCEPT;
iptables -A OUTPUT -o $LOCAL_HOST -j ACCEPT;
#locales LAN
iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT;
iptables -A OUTPUT -d 192.168.0.0/24 -j ACCEPT;
#speziell verboten fuer WWW
iptables -A INPUT -i $WWW_INFACE -p tcp --dport 22 -j DROP #port_ssh
iptables -A INPUT -i $WWW_INFACE -p tcp --dport 23 -j DROP #port_telnet
iptables -A INPUT -i $WWW_INFACE -p tcp --dport 137:139 -j DROP #port_netbios
iptables -A INPUT -i $WWW_INFACE -p udp --dport 137:139 -j DROP #port_netbios
iptables -A INPUT -i $WWW_INFACE -p udp --dport 445 -j DROP #port_microsoft-ds
iptables -A INPUT -i $WWW_INFACE -p udp --dport 4000 -j DROP #port_mldonkey-telnet_port
iptables -A INPUT -i $WWW_INFACE -p udp --dport 4080 -j DROP #port_mldonkey-http_port
iptables -A INPUT -i -i $WWW_INFACE -s 192.168.0.0/24 -j DROP #keine inernen adressen aus dem inet iptables -A INPUT -i $WWW_INFACE -p icmp -m limit -limit 26/sec -j DROP
#speziell erlaubt
#alles darf raus,syn flags darf nicht rein
iptables -A INPUT -i $WWW_INFACE -p tcp ! --tcp-flags syn -j ACCEPT;
iptables -A OUTPUT -o $WWW_INFACE -p tcp --tcp-flags syn,ack,fin,urg,rst -j ACCEPT;
iptables -A INPUT -i $WWW_INFACE -p udp --state ESTABLISHED,RELATED -j ACCEPT;
iptables -A OUTPUT -i $WWW_INFACE -p udp --state NEW,ESTABLISHED,RELATED -j ACCEPT;
#icmp
iptables -A OUTPUT -o $WWW_INFACE -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT; #again PING of DEATH
iptables -A INPUT -i $WWW_INFACE -p icmp --icmp-type echo-reply -j ACCEPT;
iptables -A INPUT -i $WWW_INFACE -p icmp --icmp-type echo-request -j ACCEPT;
iptables -A OUTPUT -o $WWW_INFACE -p icmp --icmp-type echo-reply -j ACCEPT;
iptables -A OUTPUT -o $WWW_INFACE -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -i $WWW_INFACE -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -i $WWW_INFACE -p icmp --icmp-type source-quench -j ACCEPT;
iptables -A INPUT -i $WWW_INFACE -p icmp --icmp-type time-exceeded -j ACCEPT;
iptables -A INPUT -i $WWW_INFACE -p icmp --icmp-type parameter-problem -j ACCEPT;
#routing
#nat
iptables -A POSTROUTING -t nat -o $WWW_INFACE -j MASQUERADE; #masquerading
was meint ihr macht das script mein pc sicher oder findet ihr auch fehler bzw
sicherheits luechen.
gruss !
anderen rechner.
#!/sbin/runscript
start()
{
$LOCAL_HOST="lo";
$LOCAL_LAN1="eth0";
$WWW_INFACE="ppp0";
iptables -P INPUT DROP;
iptables -P FORWARD DROP;
iptables -P OUTPUT DROP;
#localhost
iptables -A INPUT -i $LOCAL_HOST -j ACCEPT;
iptables -A OUTPUT -o $LOCAL_HOST -j ACCEPT;
#locales LAN
iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT;
iptables -A OUTPUT -d 192.168.0.0/24 -j ACCEPT;
#speziell verboten fuer WWW
iptables -A INPUT -i $WWW_INFACE -p tcp --dport 22 -j DROP #port_ssh
iptables -A INPUT -i $WWW_INFACE -p tcp --dport 23 -j DROP #port_telnet
iptables -A INPUT -i $WWW_INFACE -p tcp --dport 137:139 -j DROP #port_netbios
iptables -A INPUT -i $WWW_INFACE -p udp --dport 137:139 -j DROP #port_netbios
iptables -A INPUT -i $WWW_INFACE -p udp --dport 445 -j DROP #port_microsoft-ds
iptables -A INPUT -i $WWW_INFACE -p udp --dport 4000 -j DROP #port_mldonkey-telnet_port
iptables -A INPUT -i $WWW_INFACE -p udp --dport 4080 -j DROP #port_mldonkey-http_port
iptables -A INPUT -i -i $WWW_INFACE -s 192.168.0.0/24 -j DROP #keine inernen adressen aus dem inet iptables -A INPUT -i $WWW_INFACE -p icmp -m limit -limit 26/sec -j DROP
#speziell erlaubt
#alles darf raus,syn flags darf nicht rein
iptables -A INPUT -i $WWW_INFACE -p tcp ! --tcp-flags syn -j ACCEPT;
iptables -A OUTPUT -o $WWW_INFACE -p tcp --tcp-flags syn,ack,fin,urg,rst -j ACCEPT;
iptables -A INPUT -i $WWW_INFACE -p udp --state ESTABLISHED,RELATED -j ACCEPT;
iptables -A OUTPUT -i $WWW_INFACE -p udp --state NEW,ESTABLISHED,RELATED -j ACCEPT;
#icmp
iptables -A OUTPUT -o $WWW_INFACE -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT; #again PING of DEATH
iptables -A INPUT -i $WWW_INFACE -p icmp --icmp-type echo-reply -j ACCEPT;
iptables -A INPUT -i $WWW_INFACE -p icmp --icmp-type echo-request -j ACCEPT;
iptables -A OUTPUT -o $WWW_INFACE -p icmp --icmp-type echo-reply -j ACCEPT;
iptables -A OUTPUT -o $WWW_INFACE -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -i $WWW_INFACE -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -i $WWW_INFACE -p icmp --icmp-type source-quench -j ACCEPT;
iptables -A INPUT -i $WWW_INFACE -p icmp --icmp-type time-exceeded -j ACCEPT;
iptables -A INPUT -i $WWW_INFACE -p icmp --icmp-type parameter-problem -j ACCEPT;
#routing
#nat
iptables -A POSTROUTING -t nat -o $WWW_INFACE -j MASQUERADE; #masquerading
was meint ihr macht das script mein pc sicher oder findet ihr auch fehler bzw
sicherheits luechen.
gruss !