hakker82
26.01.06, 18:09
Mir wurde schon ein paar mal gesagt, dass meine iptables-Regeln zum Teil unnötig sind. Mein Skript habe ich aus verschiedenen, die ich in Foren gefunden habe zusammengebastelt. Könnte mir vielleicht jemand sagen, was da nicht stimmt (und wie man es besser macht)?
Hier mal das Skript:
#!/bin/sh
start() {
echo "Starting iptables."
# some needed modules
modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_irc
modprobe ip_conntrack_ftp
# flush all
iptables -F
# set defaults to drop
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# accept established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# accept loopback-device
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# accept dns
iptables -A OUTPUT -p udp --sport 1024: --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 1024: --dport 53 -j ACCEPT
iptables -A INPUT -p udp --sport 53 --dport 1024: -j ACCEPT
iptables -A INPUT -p tcp --sport 53 --dport 1024: -j ACCEPT
# accept http
iptables -A OUTPUT -p tcp --sport 1024: --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --sport 80 --dport 1024: -j ACCEPT
iptables -A OUTPUT -p tcp --sport 1024: --dport 81 -j ACCEPT
iptables -A INPUT -p tcp --sport 81 --dport 1024: -j ACCEPT
iptables -A OUTPUT -p tcp --sport 1024: --dport 8080 -j ACCEPT
iptables -A INPUT -p tcp --sport 8080 --dport 1024: -j ACCEPT
iptables -A OUTPUT -p tcp --sport 1024: --dport 8081 -j ACCEPT
iptables -A INPUT -p tcp --sport 8081 --dport 1024: -j ACCEPT
# accept https
iptables -A OUTPUT -p tcp --sport 1024: --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --sport 443 --dport 1024: -j ACCEPT
# accept ftp
iptables -A OUTPUT -p tcp --sport 1024: --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --sport 21 --dport 1024: -j ACCEPT
# accept smtp
iptables -A OUTPUT -p tcp --sport 1024: --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --sport 25 --dport 1024: -j ACCEPT
# accept pop3
iptables -A OUTPUT -p tcp --sport 1024: --dport 110 -j ACCEPT
iptables -A INPUT -p tcp --sport 110 --dport 1024: -j ACCEPT
# accept pop3/ssl
iptables -A OUTPUT -p tcp --sport 1024: --dport 995 -j ACCEPT
iptables -A INPUT -p tcp --sport 995 --dport 1024: -j ACCEPT
# acccept ssh
iptables -A OUTPUT -p tcp --sport 1024: --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --sport 22 --dport 1024: -j ACCEPT
# accept irc
iptables -A OUTPUT -p tcp --sport 1024: --dport 6667 -j ACCEPT
iptables -A INPUT -p tcp --sport 6667 --dport 1024: -j ACCEPT
# accept icq
iptables -A OUTPUT -p tcp --sport 1024: --dport 5190 -j ACCEPT
iptables -A INPUT -p tcp --sport 5190 --dport 1024: -j ACCEPT
# accept vpnc
iptables -A OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT
iptables -A INPUT -p udp --sport 500 --dport 500 -j ACCEPT
iptables -A OUTPUT -p esp -j ACCEPT
iptables -A INPUT -p esp -j ACCEPT
# accept ntp
iptables -A OUTPUT -p udp --sport 123 --dport 123 -j ACCEPT
# ICMP ping
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
# accept other ICMP
iptables -A OUTPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type source-quench -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
# no flags set
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# SYN and FIN set
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# SYN and RST set
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# FIN and RST set
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
# FIN without ACK
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
# PSH without ACK
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
# URG qithout ACK
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
# TCP-FIN timeout (DoS)
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
# no logs to console
dmesg -n 2
# log input and output
#iptables -A INPUT -j LOG --log-prefix "firewall-in "
#iptables -A OUTPUT -j LOG --log-prefix "firewall-out "
}
stop() {
echo "Stopping iptables."
# flush all
iptables -F
# set deafaults to accept
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
}
status() {
iptables -L -vn
}
case "$1" in
start)
start
;;
stop)
stop
;;
restart)
stop
start
;;
status)
status
;;
*)
echo "Usage: $0 start|stop|restart|status"
exit 1
;;
esac
Hier mal das Skript:
#!/bin/sh
start() {
echo "Starting iptables."
# some needed modules
modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_irc
modprobe ip_conntrack_ftp
# flush all
iptables -F
# set defaults to drop
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# accept established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# accept loopback-device
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# accept dns
iptables -A OUTPUT -p udp --sport 1024: --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 1024: --dport 53 -j ACCEPT
iptables -A INPUT -p udp --sport 53 --dport 1024: -j ACCEPT
iptables -A INPUT -p tcp --sport 53 --dport 1024: -j ACCEPT
# accept http
iptables -A OUTPUT -p tcp --sport 1024: --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --sport 80 --dport 1024: -j ACCEPT
iptables -A OUTPUT -p tcp --sport 1024: --dport 81 -j ACCEPT
iptables -A INPUT -p tcp --sport 81 --dport 1024: -j ACCEPT
iptables -A OUTPUT -p tcp --sport 1024: --dport 8080 -j ACCEPT
iptables -A INPUT -p tcp --sport 8080 --dport 1024: -j ACCEPT
iptables -A OUTPUT -p tcp --sport 1024: --dport 8081 -j ACCEPT
iptables -A INPUT -p tcp --sport 8081 --dport 1024: -j ACCEPT
# accept https
iptables -A OUTPUT -p tcp --sport 1024: --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --sport 443 --dport 1024: -j ACCEPT
# accept ftp
iptables -A OUTPUT -p tcp --sport 1024: --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --sport 21 --dport 1024: -j ACCEPT
# accept smtp
iptables -A OUTPUT -p tcp --sport 1024: --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --sport 25 --dport 1024: -j ACCEPT
# accept pop3
iptables -A OUTPUT -p tcp --sport 1024: --dport 110 -j ACCEPT
iptables -A INPUT -p tcp --sport 110 --dport 1024: -j ACCEPT
# accept pop3/ssl
iptables -A OUTPUT -p tcp --sport 1024: --dport 995 -j ACCEPT
iptables -A INPUT -p tcp --sport 995 --dport 1024: -j ACCEPT
# acccept ssh
iptables -A OUTPUT -p tcp --sport 1024: --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --sport 22 --dport 1024: -j ACCEPT
# accept irc
iptables -A OUTPUT -p tcp --sport 1024: --dport 6667 -j ACCEPT
iptables -A INPUT -p tcp --sport 6667 --dport 1024: -j ACCEPT
# accept icq
iptables -A OUTPUT -p tcp --sport 1024: --dport 5190 -j ACCEPT
iptables -A INPUT -p tcp --sport 5190 --dport 1024: -j ACCEPT
# accept vpnc
iptables -A OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT
iptables -A INPUT -p udp --sport 500 --dport 500 -j ACCEPT
iptables -A OUTPUT -p esp -j ACCEPT
iptables -A INPUT -p esp -j ACCEPT
# accept ntp
iptables -A OUTPUT -p udp --sport 123 --dport 123 -j ACCEPT
# ICMP ping
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
# accept other ICMP
iptables -A OUTPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type source-quench -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
# no flags set
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# SYN and FIN set
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# SYN and RST set
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# FIN and RST set
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
# FIN without ACK
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
# PSH without ACK
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
# URG qithout ACK
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
# TCP-FIN timeout (DoS)
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
# no logs to console
dmesg -n 2
# log input and output
#iptables -A INPUT -j LOG --log-prefix "firewall-in "
#iptables -A OUTPUT -j LOG --log-prefix "firewall-out "
}
stop() {
echo "Stopping iptables."
# flush all
iptables -F
# set deafaults to accept
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
}
status() {
iptables -L -vn
}
case "$1" in
start)
start
;;
stop)
stop
;;
restart)
stop
start
;;
status)
status
;;
*)
echo "Usage: $0 start|stop|restart|status"
exit 1
;;
esac