Wayne Static
08.07.05, 23:52
Ich bin absolut enttäuscht, ich will testweise Port 80 blocken (später dann ein anderer), hab schon alles versucht und trotzdem bekomme ich es nicht gebacken, dass ALLE Clients nicht per Port 80 surfen können. Anfragen von außen sind egal!
Was passieren soll:
Der Linux-Router (SUSE 9.1) soll alle Anfragen an Port 80 ins Inet (ppp0) blocken.
Kann mir jemand helfen? :(
Hier mein Firewall-Script
#!/bin/bash
# ---------------------------------------------------------------------
# Linux-iptables-Firewallskript, Copyright (c) 2005 under the GPL
# Autogenerated by iptables Generator v1.20 (c) 2002-2005 by Harald Bertram
# Please visit http://www.harry.homelinux.org for new versions of
# the iptables Generator (c).
#
# This Script was generated by request from:
# masterkeule@gmail.com on: 2005-6-2 15:13.34 MET.
#
# If you have questions about the iptables Generator or about
# your Firewall-Skript feel free to take a look at out website or
# send me an E-Mail to webmaster@harry.homelinux.org.
#
# My special thanks are going to Lutz Heinrich (trinitywork at hotmail dot com)
# who made lots of Beta-Testing and gave me lots of well qualified
# Feedback that made me able to improve the iptables Generator.
# --------------------------------------------------------------------
#
### BEGIN INIT INFO
# Provides: IP-Paketfilter
# Required-Start: $network $local_fs
# Required-Stop: $local_fs
# Default-Start: 3 5
# Default-Stop: 0 1 2 4 6
# Short-Description: Harry's IP-Paketfilter
# Description: Harry's IP-Paketfilter provides reasonable
# IP-Security for Home-Computers and small networks
### END INIT INFO
#
case "$1" in
start)
echo "Starte IP-Paketfilter"
# iptables-Modul
modprobe ip_tables
# Connection-Tracking-Module
modprobe ip_conntrack
# Das Modul ip_conntrack_irc ist erst bei Kerneln >= 2.4.19 verfuegbar
modprobe ip_conntrack_irc
modprobe ip_conntrack_ftp
# Tabelle flushen
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -t nat -X
iptables -t mangle -X
# Default-Policies setzen
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Ports sperren - DIES FUNKTIONIERT NICHT, ICH HAB AUCH SCHON TAUSEND ANDERE MÖGLICHKEITEN ERGOOGLET UND AUSPROBIERT, DAS IST EINE VON VIELEN:
iptables -A INPUT -p tcp --dport 80 -j REJECT
iptables -A INPUT -p udp --dport 80 -j REJECT
iptables -A INPUT -p tcp --sport 80 -j REJECT
iptables -A INPUT -p udp --sport 80 -j REJECT
iptables -A OUTPUT -p tcp --dport 80 -j REJECT
iptables -A OUTPUT -p udp --dport 80 -j REJECT
iptables -A OUTPUT -p tcp --sport 80 -j REJECT
iptables -A OUTPUT -p udp --sport 80 -j REJECT
# MY_REJECT-Chain
iptables -N MY_REJECT
# MY_REJECT fuellen
iptables -A MY_REJECT -p tcp -m limit --limit 7200/h -j LOG --log-prefix "REJECT TCP "
iptables -A MY_REJECT -p tcp -j REJECT --reject-with tcp-reset
iptables -A MY_REJECT -p udp -m limit --limit 7200/h -j LOG --log-prefix "REJECT UDP "
iptables -A MY_REJECT -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A MY_REJECT -p icmp -m limit --limit 7200/h -j LOG --log-prefix "DROP ICMP "
iptables -A MY_REJECT -p icmp -j DROP
iptables -A MY_REJECT -m limit --limit 7200/h -j LOG --log-prefix "REJECT OTHER "
iptables -A MY_REJECT -j REJECT --reject-with icmp-proto-unreachable
# MY_DROP-Chain
iptables -N MY_DROP
iptables -A MY_DROP -m limit --limit 7200/h -j LOG --log-prefix "PORTSCAN DROP "
iptables -A MY_DROP -j DROP
# Alle verworfenen Pakete protokollieren
iptables -A INPUT -m state --state INVALID -m limit --limit 7200/h -j LOG --log-prefix "INPUT INVALID "
iptables -A OUTPUT -m state --state INVALID -m limit --limit 7200/h -j LOG --log-prefix "OUTPUT INVALID "
iptables -A FORWARD -m state --state INVALID -m limit --limit 7200/h -j LOG --log-prefix "FORWARD INVALID "
# Korrupte Pakete zurueckweisen
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
# Stealth Scans etc. DROPpen
# Keine Flags gesetzt
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j MY_DROP
iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j MY_DROP
# SYN und FIN gesetzt
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j MY_DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j MY_DROP
# SYN und RST gleichzeitig gesetzt
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j MY_DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j MY_DROP
# FIN und RST gleichzeitig gesetzt
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j MY_DROP
iptables -A FORWARD -p tcp --tcp-flags FIN,RST FIN,RST -j MY_DROP
# FIN ohne ACK
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j MY_DROP
iptables -A FORWARD -p tcp --tcp-flags ACK,FIN FIN -j MY_DROP
# PSH ohne ACK
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j MY_DROP
iptables -A FORWARD -p tcp --tcp-flags ACK,PSH PSH -j MY_DROP
# URG ohne ACK
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j MY_DROP
iptables -A FORWARD -p tcp --tcp-flags ACK,URG URG -j MY_DROP
# Loopback-Netzwerk-Kommunikation zulassen
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Maximum Segment Size (MSS) fr das Forwarding an PMTU anpassen
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# Connection-Tracking aktivieren
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i ! ppp0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# HTTP
# iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 80 -j ACCEPT
# Half-Life
iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 6000:6003 -j ACCEPT
iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 7001:7002 -j ACCEPT
iptables -A INPUT -i ppp0 -m state --state NEW -p udp --dport 27005 -j ACCEPT
iptables -A INPUT -i ppp0 -m state --state NEW -p udp --dport 27010 -j ACCEPT
iptables -A INPUT -i ppp0 -m state --state NEW -p udp --dport 27015:27016 -j ACCEPT
# FTP
# iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 21 -j ACCEPT
# ICMP Echo-Request (ping) zulassen und beantworten
iptables -A INPUT -m state --state NEW -p icmp --icmp-type echo-request -j ACCEPT
# IP-Adresse des LAN-Interfaces ermitteln
LAN_IP=$(ifconfig eth0 | head -n 2 | tail -n 1 | cut -d: -f2 | cut -d" " -f 1)
# NAT fuer HTTP_Lenny_1
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.2
iptables -A FORWARD -i ppp0 -m state --state NEW -p tcp -d 192.168.0.2 --dport 80 -j ACCEPT
# Benutze Source NAT (SNAT) fuer die aktuelle Verbindung in das LAN
iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 80 -j SNAT --to-source $LAN_IP
# NAT fuer Half-Life_Lenny_1
# iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 6000:6003 -j DNAT --to-destination 192.168.0.2
#
# iptables -A FORWARD -i ppp0 -m state --state NEW -p tcp -d 192.168.0.2 --dport 6000:6003 -j ACCEPT
# Benutze Source NAT (SNAT) fuer die aktuelle Verbindung in das LAN
# iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 6000:6003 -j SNAT --to-source $LAN_IP
# iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 7001:7002 -j DNAT --to-destination 192.168.0.2
# iptables -A FORWARD -i ppp0 -m state --state NEW -p tcp -d 192.168.0.2 --dport 7001:7002 -j ACCEPT
# Benutze Source NAT (SNAT) fuer die aktuelle Verbindung in das LAN
# iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 7001:7002 -j SNAT --to-source $LAN_IP
# iptables -t nat -A PREROUTING -i ppp0 -p udp --dport 27005 -j DNAT --to-destination 192.168.0.2
# iptables -A FORWARD -i ppp0 -m state --state NEW -p udp -d 192.168.0.2 --dport 27005 -j ACCEPT
# Benutze Source NAT (SNAT) fuer die aktuelle Verbindung in das LAN
# iptables -t nat -A POSTROUTING -o eth0 -p udp --dport 27005 -j SNAT --to-source $LAN_IP
# iptables -t nat -A PREROUTING -i ppp0 -p udp --dport 27010 -j DNAT --to-destination 192.168.0.2
# iptables -A FORWARD -i ppp0 -m state --state NEW -p udp -d 192.168.0.2 --dport 27010 -j ACCEPT
# Benutze Source NAT (SNAT) fuer die aktuelle Verbindung in das LAN
# iptables -t nat -A POSTROUTING -o eth0 -p udp --dport 27010 -j SNAT --to-source $LAN_IP
# iptables -t nat -A PREROUTING -i ppp0 -p udp --dport 27015:27016 -j DNAT --to-destination 192.168.0.2
# iptables -A FORWARD -i ppp0 -m state --state NEW -p udp -d 192.168.0.2 --dport 27015:27016 -j ACCEPT
# Benutze Source NAT (SNAT) fuer die aktuelle Verbindung in das LAN
# iptables -t nat -A POSTROUTING -o eth0 -p udp --dport 27015:27016 -j SNAT --to-source $LAN_IP
# NAT fuer Miranda_Lenny_1
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 1337 -j DNAT --to-destination 192.168.0.2
iptables -A FORWARD -i ppp0 -m state --state NEW -p tcp -d 192.168.0.2 --dport 1337 -j ACCEPT
# Benutze Source NAT (SNAT) fuer die aktuelle Verbindung in das LAN
iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 1337 -j SNAT --to-source $LAN_IP
# NAT fuer Miranda_Lenny_2
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 1445 -j DNAT --to-destination 192.168.0.2
iptables -A FORWARD -i ppp0 -m state --state NEW -p tcp -d 192.168.0.2 --dport 1445 -j ACCEPT
# Benutze Source NAT (SNAT) fuer die aktuelle Verbindung in das LAN
iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 1445 -j SNAT --to-source $LAN_IP
# NAT fuer HTTP_Lenny_1
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.2
iptables -A FORWARD -i ppp0 -m state --state NEW -p tcp -d 192.168.0.2 --dport 80 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 80 -j SNAT --to-source $LAN_IP
# NAT fuer Miranda_Pedaa_1
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 3110 -j DNAT --to-destination 192.168.0.6
iptables -A FORWARD -i ppp0 -m state --state NEW -p tcp -d 192.168.0.6 --dport 3110 -j ACCEPT
# Benutze Source NAT (SNAT) fuer die aktuelle Verbindung in das LAN
iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 3110 -j SNAT --to-source $LAN_IP
# NAT fuer Trackmania_Lenny_1
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 2350 -j DNAT --to-destination 192.168.0.2
iptables -A FORWARD -i ppp0 -m state --state NEW -p tcp -d 192.168.0.2 --dport 2350 -j ACCEPT
# Benutze Source NAT (SNAT) fuer die aktuelle Verbindung in das LAN
iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 2350 -j SNAT --to-source $LAN_IP
# NAT fuer Share_Lenny_1 TCP
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 1110:1120 -j DNAT --to-destination 192.168.0.2
iptables -A FORWARD -i ppp0 -m state --state NEW -p tcp -d 192.168.0.2 --dport 1110:1120 -j ACCEPT
# Benutze Source NAT (SNAT) fuer die aktuelle Verbindung in das LAN
iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 1110:1120 -j SNAT --to-source $LAN_IP
# NAT fuer Share_Lenny_2 UDP
iptables -t nat -A PREROUTING -i ppp0 -p udp --dport 1110:1120 -j DNAT --to-destination 192.168.0.2
iptables -A FORWARD -i ppp0 -m state --state NEW -p udp -d 192.168.0.2 --dport 1110:1120 -j ACCEPT
# Benutze Source NAT (SNAT) fuer die aktuelle Verbindung in das LAN
iptables -t nat -A POSTROUTING -o eth0 -p udp --dport 1110:1120 -j SNAT --to-source $LAN_IP
# NAT fuer Net_Sea_War_Lenny_1
iptables -t nat -A PREROUTING -i ppp0 -p udp --dport 8000 -j DNAT --to-destination 192.168.0.2
iptables -A FORWARD -i ppp0 -m state --state NEW -p udp -d 192.168.0.2 --dport 8000 -j ACCEPT
# Benutze Source NAT (SNAT) fuer die aktuelle Verbindung in das LAN
iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 8000 -j SNAT --to-source $LAN_IP
# NAT fuer Miranda_Corvin_1
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 1800 -j DNAT --to-destination 192.168.0.8
iptables -A FORWARD -i ppp0 -m state --state NEW -p tcp -d 192.168.0.8 --dport 1800 -j ACCEPT
# Benutze Source NAT (SNAT) fuer die aktuelle Verbindung in das LAN
iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 1800 -j SNAT --to-source $LAN_IP
# LAN-Zugriff auf eth0
iptables -A INPUT -m state --state NEW -i eth0 -j ACCEPT
# Default-Policies mit REJECT
iptables -A INPUT -j MY_REJECT
iptables -A OUTPUT -j MY_REJECT
iptables -A FORWARD -j MY_REJECT
# Forwarding/Routing
echo "Aktiviere IP-Routing"
echo 1 > /proc/sys/net/ipv4/ip_forward 2> /dev/null
# Masquerading
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
# SYN-Cookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies 2> /dev/null
# Stop Source-Routing
for i in /proc/sys/net/ipv4/conf/*; do echo 0 > $i/accept_source_route 2> /dev/null; done
# Stop Redirecting
for i in /proc/sys/net/ipv4/conf/*; do echo 0 > $i/accept_redirects 2> /dev/null; done
# Reverse-Path-Filter
for i in /proc/sys/net/ipv4/conf/*; do echo 2 > $i/rp_filter 2> /dev/null; done
# Log Martians
for i in /proc/sys/net/ipv4/conf/*; do echo 1 > $i/log_martians 2> /dev/null; done
# BOOTP-Relaying ausschalten
for i in /proc/sys/net/ipv4/conf/*; do echo 0 > $i/bootp_relay 2> /dev/null; done
# Proxy-ARP ausschalten
for i in /proc/sys/net/ipv4/conf/*; do echo 0 > $i/proxy_arp 2> /dev/null; done
# Ungltige ICMP-Antworten ignorieren
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 2> /dev/null
# ICMP Echo-Broadcasts ignorieren
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 2> /dev/null
# Max. 500/Sekunde (5/Jiffie) senden
echo 5 > /proc/sys/net/ipv4/icmp_ratelimit
# Speicherallozierung und -timing fr IP-De/-Fragmentierung
echo 262144 > /proc/sys/net/ipv4/ipfrag_high_thresh
echo 196608 > /proc/sys/net/ipv4/ipfrag_low_thresh
echo 30 > /proc/sys/net/ipv4/ipfrag_time
# TCP-FIN-Timeout zum Schutz vor DoS-Attacken setzen
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
# Maximal 3 Antworten auf ein TCP-SYN
echo 3 > /proc/sys/net/ipv4/tcp_retries1
# TCP-Pakete maximal 15x wiederholen
echo 15 > /proc/sys/net/ipv4/tcp_retries2
;;
stop)
echo "Stoppe IP-Paketfilter"
# Tabelle flushen
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -t nat -X
iptables -t mangle -X
echo "Deaktiviere IP-Routing"
echo 0 > /proc/sys/net/ipv4/ip_forward
# Default-Policies setzen
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
;;
status)
echo "Tabelle filter"
iptables -L -vn
echo "Tabelle nat"
iptables -t nat -L -vn
echo "Tabelle mangle"
iptables -t mangle -L -vn
;;
*)
echo "Fehlerhafter Aufruf"
echo "Syntax: $0 {start|stop|status}"
exit 1
;;
esac
Plz help. :/
Was passieren soll:
Der Linux-Router (SUSE 9.1) soll alle Anfragen an Port 80 ins Inet (ppp0) blocken.
Kann mir jemand helfen? :(
Hier mein Firewall-Script
#!/bin/bash
# ---------------------------------------------------------------------
# Linux-iptables-Firewallskript, Copyright (c) 2005 under the GPL
# Autogenerated by iptables Generator v1.20 (c) 2002-2005 by Harald Bertram
# Please visit http://www.harry.homelinux.org for new versions of
# the iptables Generator (c).
#
# This Script was generated by request from:
# masterkeule@gmail.com on: 2005-6-2 15:13.34 MET.
#
# If you have questions about the iptables Generator or about
# your Firewall-Skript feel free to take a look at out website or
# send me an E-Mail to webmaster@harry.homelinux.org.
#
# My special thanks are going to Lutz Heinrich (trinitywork at hotmail dot com)
# who made lots of Beta-Testing and gave me lots of well qualified
# Feedback that made me able to improve the iptables Generator.
# --------------------------------------------------------------------
#
### BEGIN INIT INFO
# Provides: IP-Paketfilter
# Required-Start: $network $local_fs
# Required-Stop: $local_fs
# Default-Start: 3 5
# Default-Stop: 0 1 2 4 6
# Short-Description: Harry's IP-Paketfilter
# Description: Harry's IP-Paketfilter provides reasonable
# IP-Security for Home-Computers and small networks
### END INIT INFO
#
case "$1" in
start)
echo "Starte IP-Paketfilter"
# iptables-Modul
modprobe ip_tables
# Connection-Tracking-Module
modprobe ip_conntrack
# Das Modul ip_conntrack_irc ist erst bei Kerneln >= 2.4.19 verfuegbar
modprobe ip_conntrack_irc
modprobe ip_conntrack_ftp
# Tabelle flushen
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -t nat -X
iptables -t mangle -X
# Default-Policies setzen
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Ports sperren - DIES FUNKTIONIERT NICHT, ICH HAB AUCH SCHON TAUSEND ANDERE MÖGLICHKEITEN ERGOOGLET UND AUSPROBIERT, DAS IST EINE VON VIELEN:
iptables -A INPUT -p tcp --dport 80 -j REJECT
iptables -A INPUT -p udp --dport 80 -j REJECT
iptables -A INPUT -p tcp --sport 80 -j REJECT
iptables -A INPUT -p udp --sport 80 -j REJECT
iptables -A OUTPUT -p tcp --dport 80 -j REJECT
iptables -A OUTPUT -p udp --dport 80 -j REJECT
iptables -A OUTPUT -p tcp --sport 80 -j REJECT
iptables -A OUTPUT -p udp --sport 80 -j REJECT
# MY_REJECT-Chain
iptables -N MY_REJECT
# MY_REJECT fuellen
iptables -A MY_REJECT -p tcp -m limit --limit 7200/h -j LOG --log-prefix "REJECT TCP "
iptables -A MY_REJECT -p tcp -j REJECT --reject-with tcp-reset
iptables -A MY_REJECT -p udp -m limit --limit 7200/h -j LOG --log-prefix "REJECT UDP "
iptables -A MY_REJECT -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A MY_REJECT -p icmp -m limit --limit 7200/h -j LOG --log-prefix "DROP ICMP "
iptables -A MY_REJECT -p icmp -j DROP
iptables -A MY_REJECT -m limit --limit 7200/h -j LOG --log-prefix "REJECT OTHER "
iptables -A MY_REJECT -j REJECT --reject-with icmp-proto-unreachable
# MY_DROP-Chain
iptables -N MY_DROP
iptables -A MY_DROP -m limit --limit 7200/h -j LOG --log-prefix "PORTSCAN DROP "
iptables -A MY_DROP -j DROP
# Alle verworfenen Pakete protokollieren
iptables -A INPUT -m state --state INVALID -m limit --limit 7200/h -j LOG --log-prefix "INPUT INVALID "
iptables -A OUTPUT -m state --state INVALID -m limit --limit 7200/h -j LOG --log-prefix "OUTPUT INVALID "
iptables -A FORWARD -m state --state INVALID -m limit --limit 7200/h -j LOG --log-prefix "FORWARD INVALID "
# Korrupte Pakete zurueckweisen
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
# Stealth Scans etc. DROPpen
# Keine Flags gesetzt
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j MY_DROP
iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j MY_DROP
# SYN und FIN gesetzt
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j MY_DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j MY_DROP
# SYN und RST gleichzeitig gesetzt
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j MY_DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j MY_DROP
# FIN und RST gleichzeitig gesetzt
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j MY_DROP
iptables -A FORWARD -p tcp --tcp-flags FIN,RST FIN,RST -j MY_DROP
# FIN ohne ACK
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j MY_DROP
iptables -A FORWARD -p tcp --tcp-flags ACK,FIN FIN -j MY_DROP
# PSH ohne ACK
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j MY_DROP
iptables -A FORWARD -p tcp --tcp-flags ACK,PSH PSH -j MY_DROP
# URG ohne ACK
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j MY_DROP
iptables -A FORWARD -p tcp --tcp-flags ACK,URG URG -j MY_DROP
# Loopback-Netzwerk-Kommunikation zulassen
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Maximum Segment Size (MSS) fr das Forwarding an PMTU anpassen
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# Connection-Tracking aktivieren
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i ! ppp0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# HTTP
# iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 80 -j ACCEPT
# Half-Life
iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 6000:6003 -j ACCEPT
iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 7001:7002 -j ACCEPT
iptables -A INPUT -i ppp0 -m state --state NEW -p udp --dport 27005 -j ACCEPT
iptables -A INPUT -i ppp0 -m state --state NEW -p udp --dport 27010 -j ACCEPT
iptables -A INPUT -i ppp0 -m state --state NEW -p udp --dport 27015:27016 -j ACCEPT
# FTP
# iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 21 -j ACCEPT
# ICMP Echo-Request (ping) zulassen und beantworten
iptables -A INPUT -m state --state NEW -p icmp --icmp-type echo-request -j ACCEPT
# IP-Adresse des LAN-Interfaces ermitteln
LAN_IP=$(ifconfig eth0 | head -n 2 | tail -n 1 | cut -d: -f2 | cut -d" " -f 1)
# NAT fuer HTTP_Lenny_1
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.2
iptables -A FORWARD -i ppp0 -m state --state NEW -p tcp -d 192.168.0.2 --dport 80 -j ACCEPT
# Benutze Source NAT (SNAT) fuer die aktuelle Verbindung in das LAN
iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 80 -j SNAT --to-source $LAN_IP
# NAT fuer Half-Life_Lenny_1
# iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 6000:6003 -j DNAT --to-destination 192.168.0.2
#
# iptables -A FORWARD -i ppp0 -m state --state NEW -p tcp -d 192.168.0.2 --dport 6000:6003 -j ACCEPT
# Benutze Source NAT (SNAT) fuer die aktuelle Verbindung in das LAN
# iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 6000:6003 -j SNAT --to-source $LAN_IP
# iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 7001:7002 -j DNAT --to-destination 192.168.0.2
# iptables -A FORWARD -i ppp0 -m state --state NEW -p tcp -d 192.168.0.2 --dport 7001:7002 -j ACCEPT
# Benutze Source NAT (SNAT) fuer die aktuelle Verbindung in das LAN
# iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 7001:7002 -j SNAT --to-source $LAN_IP
# iptables -t nat -A PREROUTING -i ppp0 -p udp --dport 27005 -j DNAT --to-destination 192.168.0.2
# iptables -A FORWARD -i ppp0 -m state --state NEW -p udp -d 192.168.0.2 --dport 27005 -j ACCEPT
# Benutze Source NAT (SNAT) fuer die aktuelle Verbindung in das LAN
# iptables -t nat -A POSTROUTING -o eth0 -p udp --dport 27005 -j SNAT --to-source $LAN_IP
# iptables -t nat -A PREROUTING -i ppp0 -p udp --dport 27010 -j DNAT --to-destination 192.168.0.2
# iptables -A FORWARD -i ppp0 -m state --state NEW -p udp -d 192.168.0.2 --dport 27010 -j ACCEPT
# Benutze Source NAT (SNAT) fuer die aktuelle Verbindung in das LAN
# iptables -t nat -A POSTROUTING -o eth0 -p udp --dport 27010 -j SNAT --to-source $LAN_IP
# iptables -t nat -A PREROUTING -i ppp0 -p udp --dport 27015:27016 -j DNAT --to-destination 192.168.0.2
# iptables -A FORWARD -i ppp0 -m state --state NEW -p udp -d 192.168.0.2 --dport 27015:27016 -j ACCEPT
# Benutze Source NAT (SNAT) fuer die aktuelle Verbindung in das LAN
# iptables -t nat -A POSTROUTING -o eth0 -p udp --dport 27015:27016 -j SNAT --to-source $LAN_IP
# NAT fuer Miranda_Lenny_1
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 1337 -j DNAT --to-destination 192.168.0.2
iptables -A FORWARD -i ppp0 -m state --state NEW -p tcp -d 192.168.0.2 --dport 1337 -j ACCEPT
# Benutze Source NAT (SNAT) fuer die aktuelle Verbindung in das LAN
iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 1337 -j SNAT --to-source $LAN_IP
# NAT fuer Miranda_Lenny_2
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 1445 -j DNAT --to-destination 192.168.0.2
iptables -A FORWARD -i ppp0 -m state --state NEW -p tcp -d 192.168.0.2 --dport 1445 -j ACCEPT
# Benutze Source NAT (SNAT) fuer die aktuelle Verbindung in das LAN
iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 1445 -j SNAT --to-source $LAN_IP
# NAT fuer HTTP_Lenny_1
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.2
iptables -A FORWARD -i ppp0 -m state --state NEW -p tcp -d 192.168.0.2 --dport 80 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 80 -j SNAT --to-source $LAN_IP
# NAT fuer Miranda_Pedaa_1
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 3110 -j DNAT --to-destination 192.168.0.6
iptables -A FORWARD -i ppp0 -m state --state NEW -p tcp -d 192.168.0.6 --dport 3110 -j ACCEPT
# Benutze Source NAT (SNAT) fuer die aktuelle Verbindung in das LAN
iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 3110 -j SNAT --to-source $LAN_IP
# NAT fuer Trackmania_Lenny_1
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 2350 -j DNAT --to-destination 192.168.0.2
iptables -A FORWARD -i ppp0 -m state --state NEW -p tcp -d 192.168.0.2 --dport 2350 -j ACCEPT
# Benutze Source NAT (SNAT) fuer die aktuelle Verbindung in das LAN
iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 2350 -j SNAT --to-source $LAN_IP
# NAT fuer Share_Lenny_1 TCP
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 1110:1120 -j DNAT --to-destination 192.168.0.2
iptables -A FORWARD -i ppp0 -m state --state NEW -p tcp -d 192.168.0.2 --dport 1110:1120 -j ACCEPT
# Benutze Source NAT (SNAT) fuer die aktuelle Verbindung in das LAN
iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 1110:1120 -j SNAT --to-source $LAN_IP
# NAT fuer Share_Lenny_2 UDP
iptables -t nat -A PREROUTING -i ppp0 -p udp --dport 1110:1120 -j DNAT --to-destination 192.168.0.2
iptables -A FORWARD -i ppp0 -m state --state NEW -p udp -d 192.168.0.2 --dport 1110:1120 -j ACCEPT
# Benutze Source NAT (SNAT) fuer die aktuelle Verbindung in das LAN
iptables -t nat -A POSTROUTING -o eth0 -p udp --dport 1110:1120 -j SNAT --to-source $LAN_IP
# NAT fuer Net_Sea_War_Lenny_1
iptables -t nat -A PREROUTING -i ppp0 -p udp --dport 8000 -j DNAT --to-destination 192.168.0.2
iptables -A FORWARD -i ppp0 -m state --state NEW -p udp -d 192.168.0.2 --dport 8000 -j ACCEPT
# Benutze Source NAT (SNAT) fuer die aktuelle Verbindung in das LAN
iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 8000 -j SNAT --to-source $LAN_IP
# NAT fuer Miranda_Corvin_1
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 1800 -j DNAT --to-destination 192.168.0.8
iptables -A FORWARD -i ppp0 -m state --state NEW -p tcp -d 192.168.0.8 --dport 1800 -j ACCEPT
# Benutze Source NAT (SNAT) fuer die aktuelle Verbindung in das LAN
iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 1800 -j SNAT --to-source $LAN_IP
# LAN-Zugriff auf eth0
iptables -A INPUT -m state --state NEW -i eth0 -j ACCEPT
# Default-Policies mit REJECT
iptables -A INPUT -j MY_REJECT
iptables -A OUTPUT -j MY_REJECT
iptables -A FORWARD -j MY_REJECT
# Forwarding/Routing
echo "Aktiviere IP-Routing"
echo 1 > /proc/sys/net/ipv4/ip_forward 2> /dev/null
# Masquerading
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
# SYN-Cookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies 2> /dev/null
# Stop Source-Routing
for i in /proc/sys/net/ipv4/conf/*; do echo 0 > $i/accept_source_route 2> /dev/null; done
# Stop Redirecting
for i in /proc/sys/net/ipv4/conf/*; do echo 0 > $i/accept_redirects 2> /dev/null; done
# Reverse-Path-Filter
for i in /proc/sys/net/ipv4/conf/*; do echo 2 > $i/rp_filter 2> /dev/null; done
# Log Martians
for i in /proc/sys/net/ipv4/conf/*; do echo 1 > $i/log_martians 2> /dev/null; done
# BOOTP-Relaying ausschalten
for i in /proc/sys/net/ipv4/conf/*; do echo 0 > $i/bootp_relay 2> /dev/null; done
# Proxy-ARP ausschalten
for i in /proc/sys/net/ipv4/conf/*; do echo 0 > $i/proxy_arp 2> /dev/null; done
# Ungltige ICMP-Antworten ignorieren
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 2> /dev/null
# ICMP Echo-Broadcasts ignorieren
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 2> /dev/null
# Max. 500/Sekunde (5/Jiffie) senden
echo 5 > /proc/sys/net/ipv4/icmp_ratelimit
# Speicherallozierung und -timing fr IP-De/-Fragmentierung
echo 262144 > /proc/sys/net/ipv4/ipfrag_high_thresh
echo 196608 > /proc/sys/net/ipv4/ipfrag_low_thresh
echo 30 > /proc/sys/net/ipv4/ipfrag_time
# TCP-FIN-Timeout zum Schutz vor DoS-Attacken setzen
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
# Maximal 3 Antworten auf ein TCP-SYN
echo 3 > /proc/sys/net/ipv4/tcp_retries1
# TCP-Pakete maximal 15x wiederholen
echo 15 > /proc/sys/net/ipv4/tcp_retries2
;;
stop)
echo "Stoppe IP-Paketfilter"
# Tabelle flushen
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -t nat -X
iptables -t mangle -X
echo "Deaktiviere IP-Routing"
echo 0 > /proc/sys/net/ipv4/ip_forward
# Default-Policies setzen
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
;;
status)
echo "Tabelle filter"
iptables -L -vn
echo "Tabelle nat"
iptables -t nat -L -vn
echo "Tabelle mangle"
iptables -t mangle -L -vn
;;
*)
echo "Fehlerhafter Aufruf"
echo "Syntax: $0 {start|stop|status}"
exit 1
;;
esac
Plz help. :/