Benuk
31.08.08, 12:15
Hallo Allerseits,
habe leider ein Problem, bei dem ich mal Eure Hilfe benötige:
Ich habe über http://www.harry.homelinux.org/index.php im dortigen IPTABLES-Generator ein IPTABLES Script erzeugt. Quasi als Vorlage.
Die entsprechenden Ports werde ich noch schließen Ich würde aber einen bestimmten Port weiterleiten, nämlich dem für imaps (993) und smtps (465). Des weiteren sollen die Ports maskiert werden, was bedeutet, der Mailserver soll immer denken, die Anfragen kommen nur von 192.168.0.1 (mein Router/Gateway auf Ubuntu-8.04-Basis).
Ich habe mich mal am Port 993 versucht.
Hier mal das Codefragment:
# IMAPS
iptables -A INPUT -m state --state NEW -p tcp --dport 993 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 993 -j DNAT --to-destination 192.168.0.5
iptables -t nat -A POSTROUTING -p tcp -d 192.168.0.5 --dport 993 -j SNAT --to-source 192.168.0.1
192.168.0.5 ist mein interner Mailserver.
Hier mal das komplette Script:
#!/bin/bash
# ---------------------------------------------------------------------
# Linux-iptables-Firewallskript, Copyright (c) 2008 under the GPL
# Autogenerated by iptables Generator v1.22 (c) 2002-2008 by Harald Bertram*
# Please visit http://harry.homelinux.org for new versions of
# the iptables Generator (c).
#
# This Script was generated by request from:
# bernd.matthiessen@gmx.de on: 2008-8-31 4:25.29 MET.
#
# If you have questions about the iptables Generator or about
# your Firewall-Skript feel free to take a look at out website or
# send me an E-Mail to webmaster@harry.homelinux.org.
#
# My special thanks are going to Lutz Heinrich (trinitywork at hotmail dot com)
# who made lots of Beta-Testing and gave me lots of well qualified
# Feedback that made me able to improve the iptables Generator.
# --------------------------------------------------------------------
case "$1" in
start)
echo "Starte IP-Paketfilter"
# iptables-Modul
modprobe ip_tables
# Connection-Tracking-Module
modprobe ip_conntrack
# Das Modul ip_conntrack_irc ist erst bei Kerneln >= 2.4.19 verfuegbar
modprobe ip_conntrack_irc
modprobe ip_conntrack_ftp
# Tabelle flushen
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -t nat -X
iptables -t mangle -X
# Default-Policies setzen
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# MY_REJECT-Chain
iptables -N MY_REJECT
# MY_REJECT fuellen
iptables -A MY_REJECT -p tcp -m limit --limit 7200/h -j LOG --log-prefix "REJECT TCP "
iptables -A MY_REJECT -p tcp -j REJECT --reject-with tcp-reset
iptables -A MY_REJECT -p udp -m limit --limit 7200/h -j LOG --log-prefix "REJECT UDP "
iptables -A MY_REJECT -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A MY_REJECT -p icmp -m limit --limit 7200/h -j LOG --log-prefix "DROP ICMP "
iptables -A MY_REJECT -p icmp -j DROP
iptables -A MY_REJECT -m limit --limit 7200/h -j LOG --log-prefix "REJECT OTHER "
iptables -A MY_REJECT -j REJECT --reject-with icmp-proto-unreachable
# MY_DROP-Chain
iptables -N MY_DROP
iptables -A MY_DROP -m limit --limit 7200/h -j LOG --log-prefix "PORTSCAN DROP "
iptables -A MY_DROP -j DROP
# Alle verworfenen Pakete protokollieren
iptables -A INPUT -m state --state INVALID -m limit --limit 7200/h -j LOG --log-prefix "INPUT INVALID "
iptables -A OUTPUT -m state --state INVALID -m limit --limit 7200/h -j LOG --log-prefix "OUTPUT INVALID "
iptables -A FORWARD -m state --state INVALID -m limit --limit 7200/h -j LOG --log-prefix "FORWARD INVALID "
# Korrupte Pakete zurueckweisen
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
# Stealth Scans etc. DROPpen
# Keine Flags gesetzt
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j MY_DROP
iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j MY_DROP
# SYN und FIN gesetzt
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j MY_DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j MY_DROP
# SYN und RST gleichzeitig gesetzt
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j MY_DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j MY_DROP
# FIN und RST gleichzeitig gesetzt
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j MY_DROP
iptables -A FORWARD -p tcp --tcp-flags FIN,RST FIN,RST -j MY_DROP
# FIN ohne ACK
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j MY_DROP
iptables -A FORWARD -p tcp --tcp-flags ACK,FIN FIN -j MY_DROP
# PSH ohne ACK
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j MY_DROP
iptables -A FORWARD -p tcp --tcp-flags ACK,PSH PSH -j MY_DROP
# URG ohne ACK
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j MY_DROP
iptables -A FORWARD -p tcp --tcp-flags ACK,URG URG -j MY_DROP
# Loopback-Netzwerk-Kommunikation zulassen
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Maximum Segment Size (MSS) fuer das Forwarding an PMTU anpassen
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# Connection-Tracking aktivieren
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i ! ppp0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# HTTP
iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 80 -j ACCEPT
# HTTPS
iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 443 -j ACCEPT
# SMTP
#iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 25 -j ACCEPT
# SMTPS an SME weiterleiten
iptables -A PREROUTING -t nat -i ppp0 -p tcp --dport 465 -j DNAT --to 192.168.0.5:465
iptables -A INPUT -p tcp -m state --state NEW --dport 465 -i ppp0 -j ACCEPT
# SMTPS
#iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 465 -j ACCEPT
# POP3
#iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 110 -j ACCEPT
# POP3S
#iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 995 -j ACCEPT
# IMAP
#iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 143 -j ACCEPT
# IMAPS
iptables -A INPUT -m state --state NEW -p tcp --dport 993 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 993 -j DNAT --to-destination 192.168.0.5
iptables -t nat -A POSTROUTING -p tcp -d 192.168.0.5 --dport 993 -j SNAT --to-source 192.168.0.1
# IMAPS an SME weiterleiten
#iptables -A PREROUTING -t nat -p tcp -i ppp0 --dport 993 -j DNAT --to-destination 192.168.0.5
#iptables -A INPUT -p tcp -m state --state NEW --dport 993 -j ACCEPT
# NNTP
#iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 119 -j ACCEPT
# DNS
#iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 53 -j ACCEPT
#iptables -A INPUT -i ppp0 -m state --state NEW -p udp --dport 53 -j ACCEPT
# FTP
#iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 21 -j ACCEPT
# SMB/CIFS
#iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 137 -j ACCEPT
#iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 138 -j ACCEPT
#iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 139 -j ACCEPT
#iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 445 -j ACCEPT
#iptables -A INPUT -i ppp0 -m state --state NEW -p udp --dport 137 -j ACCEPT
#iptables -A INPUT -i ppp0 -m state --state NEW -p udp --dport 138 -j ACCEPT
#iptables -A INPUT -i ppp0 -m state --state NEW -p udp --dport 139 -j ACCEPT
#iptables -A INPUT -i ppp0 -m state --state NEW -p udp --dport 445 -j ACCEPT
# SSH
iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 22 -j ACCEPT
# MYSQL
#iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 3306 -j ACCEPT
# NTP
#iptables -A INPUT -i ppp0 -m state --state NEW -p udp --dport 123 -j ACCEPT
# IRC
#iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 6667 -j ACCEPT
# EDONKEY
#iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 4661 -j ACCEPT
#iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 4662 -j ACCEPT
#iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 4663 -j ACCEPT
#iptables -A INPUT -i ppp0 -m state --state NEW -p udp --dport 4665 -j ACCEPT
# TELNET
#iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 23 -j ACCEPT
# BZFLAG
#iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 5155 -j ACCEPT
#iptables -A INPUT -i ppp0 -m state --state NEW -p udp --dport 5155 -j ACCEPT
#iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 5156 -j ACCEPT
#iptables -A INPUT -i ppp0 -m state --state NEW -p udp --dport 5156 -j ACCEPT
# HALF-LIFE
#iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 6000:6003 -j ACCEPT
#iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 7001:7002 -j ACCEPT
#iptables -A INPUT -i ppp0 -m state --state NEW -p udp --dport 27005 -j ACCEPT
#iptables -A INPUT -i ppp0 -m state --state NEW -p udp --dport 27010 -j ACCEPT
#iptables -A INPUT -i ppp0 -m state --state NEW -p udp --dport 27015:27016 -j ACCEPT
# IPSEC
#iptables -A INPUT -i ppp0 -p 50 -j ACCEPT
#iptables -A INPUT -i ppp0 -p 51 -j ACCEPT
#iptables -A INPUT -i ppp0 -m state --state NEW -p udp --dport 500 -j ACCEPT
# OPENVPN_V1
#iptables -A INPUT -i ppp0 -m state --state NEW -p udp --dport 5000 -j ACCEPT
# OPENVPN_V2
#iptables -A INPUT -i ppp0 -m state --state NEW -p udp --dport 1194 -j ACCEPT
# ICMP Echo-Request (ping) zulassen und beantworten
iptables -A INPUT -m state --state NEW -p icmp --icmp-type echo-request -j ACCEPT
# LAN-Zugriff auf eth0
iptables -A INPUT -m state --state NEW -i eth0 -j ACCEPT
# Default-Policies mit REJECT
iptables -A INPUT -j MY_REJECT
iptables -A OUTPUT -j MY_REJECT
iptables -A FORWARD -j MY_REJECT
# Forwarding/Routing
echo "Aktiviere IP-Routing"
echo 1 > /proc/sys/net/ipv4/ip_forward 2> /dev/null
# Masquerading
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
# SYN-Cookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies 2> /dev/null
# Stop Source-Routing
for i in /proc/sys/net/ipv4/conf/*; do echo 0 > $i/accept_source_route 2> /dev/null; done
# Stop Redirecting
for i in /proc/sys/net/ipv4/conf/*; do echo 0 > $i/accept_redirects 2> /dev/null; done
# Reverse-Path-Filter
# Auskommentiert, da IPSEC mit RP_Filter nicht funktioniert!
# for i in /proc/sys/net/ipv4/conf/*; do echo 2 > $i/rp_filter 2> /dev/null; done
# Log Martians
for i in /proc/sys/net/ipv4/conf/*; do echo 1 > $i/log_martians 2> /dev/null; done
# BOOTP-Relaying ausschalten
for i in /proc/sys/net/ipv4/conf/*; do echo 0 > $i/bootp_relay 2> /dev/null; done
# Proxy-ARP ausschalten
for i in /proc/sys/net/ipv4/conf/*; do echo 0 > $i/proxy_arp 2> /dev/null; done
# Ungueltige ICMP-Antworten ignorieren
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 2> /dev/null
# ICMP Echo-Broadcasts ignorieren
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 2> /dev/null
# Max. 500/Sekunde (5/Jiffie) senden
echo 5 > /proc/sys/net/ipv4/icmp_ratelimit
# Speicherallozierung und -timing fuer IP-De/-Fragmentierung
echo 262144 > /proc/sys/net/ipv4/ipfrag_high_thresh
echo 196608 > /proc/sys/net/ipv4/ipfrag_low_thresh
echo 30 > /proc/sys/net/ipv4/ipfrag_time
# TCP-FIN-Timeout zum Schutz vor DoS-Attacken setzen
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
# Maximal 3 Antworten auf ein TCP-SYN
echo 3 > /proc/sys/net/ipv4/tcp_retries1
# TCP-Pakete maximal 15x wiederholen
echo 15 > /proc/sys/net/ipv4/tcp_retries2
;;
stop)
echo "Stoppe IP-Paketfilter"
# Tabelle flushen
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -t nat -X
iptables -t mangle -X
echo "Deaktiviere IP-Routing"
echo 0 > /proc/sys/net/ipv4/ip_forward
# Default-Policies setzen
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
;;
status)
echo "Tabelle filter"
iptables -L -vn
echo "Tabelle nat"
iptables -t nat -L -vn
echo "Tabelle mangle"
iptables -t mangle -L -vn
;;
*)
echo "Fehlerhafter Aufruf"
echo "Syntax: $0 {start|stop|status}"
exit 1
;;
esac
Wenn ich von Außerhalb versuche mich auf den Mailserver via imaps zu connecten, bekomme ich immer wieder die Meldung "connection refused".
Was mache ich hier Falsch?
Dank Euch schon mal im Voraus!
Gruß Benuk
habe leider ein Problem, bei dem ich mal Eure Hilfe benötige:
Ich habe über http://www.harry.homelinux.org/index.php im dortigen IPTABLES-Generator ein IPTABLES Script erzeugt. Quasi als Vorlage.
Die entsprechenden Ports werde ich noch schließen Ich würde aber einen bestimmten Port weiterleiten, nämlich dem für imaps (993) und smtps (465). Des weiteren sollen die Ports maskiert werden, was bedeutet, der Mailserver soll immer denken, die Anfragen kommen nur von 192.168.0.1 (mein Router/Gateway auf Ubuntu-8.04-Basis).
Ich habe mich mal am Port 993 versucht.
Hier mal das Codefragment:
# IMAPS
iptables -A INPUT -m state --state NEW -p tcp --dport 993 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 993 -j DNAT --to-destination 192.168.0.5
iptables -t nat -A POSTROUTING -p tcp -d 192.168.0.5 --dport 993 -j SNAT --to-source 192.168.0.1
192.168.0.5 ist mein interner Mailserver.
Hier mal das komplette Script:
#!/bin/bash
# ---------------------------------------------------------------------
# Linux-iptables-Firewallskript, Copyright (c) 2008 under the GPL
# Autogenerated by iptables Generator v1.22 (c) 2002-2008 by Harald Bertram*
# Please visit http://harry.homelinux.org for new versions of
# the iptables Generator (c).
#
# This Script was generated by request from:
# bernd.matthiessen@gmx.de on: 2008-8-31 4:25.29 MET.
#
# If you have questions about the iptables Generator or about
# your Firewall-Skript feel free to take a look at out website or
# send me an E-Mail to webmaster@harry.homelinux.org.
#
# My special thanks are going to Lutz Heinrich (trinitywork at hotmail dot com)
# who made lots of Beta-Testing and gave me lots of well qualified
# Feedback that made me able to improve the iptables Generator.
# --------------------------------------------------------------------
case "$1" in
start)
echo "Starte IP-Paketfilter"
# iptables-Modul
modprobe ip_tables
# Connection-Tracking-Module
modprobe ip_conntrack
# Das Modul ip_conntrack_irc ist erst bei Kerneln >= 2.4.19 verfuegbar
modprobe ip_conntrack_irc
modprobe ip_conntrack_ftp
# Tabelle flushen
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -t nat -X
iptables -t mangle -X
# Default-Policies setzen
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# MY_REJECT-Chain
iptables -N MY_REJECT
# MY_REJECT fuellen
iptables -A MY_REJECT -p tcp -m limit --limit 7200/h -j LOG --log-prefix "REJECT TCP "
iptables -A MY_REJECT -p tcp -j REJECT --reject-with tcp-reset
iptables -A MY_REJECT -p udp -m limit --limit 7200/h -j LOG --log-prefix "REJECT UDP "
iptables -A MY_REJECT -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A MY_REJECT -p icmp -m limit --limit 7200/h -j LOG --log-prefix "DROP ICMP "
iptables -A MY_REJECT -p icmp -j DROP
iptables -A MY_REJECT -m limit --limit 7200/h -j LOG --log-prefix "REJECT OTHER "
iptables -A MY_REJECT -j REJECT --reject-with icmp-proto-unreachable
# MY_DROP-Chain
iptables -N MY_DROP
iptables -A MY_DROP -m limit --limit 7200/h -j LOG --log-prefix "PORTSCAN DROP "
iptables -A MY_DROP -j DROP
# Alle verworfenen Pakete protokollieren
iptables -A INPUT -m state --state INVALID -m limit --limit 7200/h -j LOG --log-prefix "INPUT INVALID "
iptables -A OUTPUT -m state --state INVALID -m limit --limit 7200/h -j LOG --log-prefix "OUTPUT INVALID "
iptables -A FORWARD -m state --state INVALID -m limit --limit 7200/h -j LOG --log-prefix "FORWARD INVALID "
# Korrupte Pakete zurueckweisen
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
# Stealth Scans etc. DROPpen
# Keine Flags gesetzt
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j MY_DROP
iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j MY_DROP
# SYN und FIN gesetzt
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j MY_DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j MY_DROP
# SYN und RST gleichzeitig gesetzt
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j MY_DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j MY_DROP
# FIN und RST gleichzeitig gesetzt
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j MY_DROP
iptables -A FORWARD -p tcp --tcp-flags FIN,RST FIN,RST -j MY_DROP
# FIN ohne ACK
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j MY_DROP
iptables -A FORWARD -p tcp --tcp-flags ACK,FIN FIN -j MY_DROP
# PSH ohne ACK
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j MY_DROP
iptables -A FORWARD -p tcp --tcp-flags ACK,PSH PSH -j MY_DROP
# URG ohne ACK
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j MY_DROP
iptables -A FORWARD -p tcp --tcp-flags ACK,URG URG -j MY_DROP
# Loopback-Netzwerk-Kommunikation zulassen
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Maximum Segment Size (MSS) fuer das Forwarding an PMTU anpassen
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# Connection-Tracking aktivieren
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i ! ppp0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# HTTP
iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 80 -j ACCEPT
# HTTPS
iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 443 -j ACCEPT
# SMTP
#iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 25 -j ACCEPT
# SMTPS an SME weiterleiten
iptables -A PREROUTING -t nat -i ppp0 -p tcp --dport 465 -j DNAT --to 192.168.0.5:465
iptables -A INPUT -p tcp -m state --state NEW --dport 465 -i ppp0 -j ACCEPT
# SMTPS
#iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 465 -j ACCEPT
# POP3
#iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 110 -j ACCEPT
# POP3S
#iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 995 -j ACCEPT
# IMAP
#iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 143 -j ACCEPT
# IMAPS
iptables -A INPUT -m state --state NEW -p tcp --dport 993 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 993 -j DNAT --to-destination 192.168.0.5
iptables -t nat -A POSTROUTING -p tcp -d 192.168.0.5 --dport 993 -j SNAT --to-source 192.168.0.1
# IMAPS an SME weiterleiten
#iptables -A PREROUTING -t nat -p tcp -i ppp0 --dport 993 -j DNAT --to-destination 192.168.0.5
#iptables -A INPUT -p tcp -m state --state NEW --dport 993 -j ACCEPT
# NNTP
#iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 119 -j ACCEPT
# DNS
#iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 53 -j ACCEPT
#iptables -A INPUT -i ppp0 -m state --state NEW -p udp --dport 53 -j ACCEPT
# FTP
#iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 21 -j ACCEPT
# SMB/CIFS
#iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 137 -j ACCEPT
#iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 138 -j ACCEPT
#iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 139 -j ACCEPT
#iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 445 -j ACCEPT
#iptables -A INPUT -i ppp0 -m state --state NEW -p udp --dport 137 -j ACCEPT
#iptables -A INPUT -i ppp0 -m state --state NEW -p udp --dport 138 -j ACCEPT
#iptables -A INPUT -i ppp0 -m state --state NEW -p udp --dport 139 -j ACCEPT
#iptables -A INPUT -i ppp0 -m state --state NEW -p udp --dport 445 -j ACCEPT
# SSH
iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 22 -j ACCEPT
# MYSQL
#iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 3306 -j ACCEPT
# NTP
#iptables -A INPUT -i ppp0 -m state --state NEW -p udp --dport 123 -j ACCEPT
# IRC
#iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 6667 -j ACCEPT
# EDONKEY
#iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 4661 -j ACCEPT
#iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 4662 -j ACCEPT
#iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 4663 -j ACCEPT
#iptables -A INPUT -i ppp0 -m state --state NEW -p udp --dport 4665 -j ACCEPT
# TELNET
#iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 23 -j ACCEPT
# BZFLAG
#iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 5155 -j ACCEPT
#iptables -A INPUT -i ppp0 -m state --state NEW -p udp --dport 5155 -j ACCEPT
#iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 5156 -j ACCEPT
#iptables -A INPUT -i ppp0 -m state --state NEW -p udp --dport 5156 -j ACCEPT
# HALF-LIFE
#iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 6000:6003 -j ACCEPT
#iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 7001:7002 -j ACCEPT
#iptables -A INPUT -i ppp0 -m state --state NEW -p udp --dport 27005 -j ACCEPT
#iptables -A INPUT -i ppp0 -m state --state NEW -p udp --dport 27010 -j ACCEPT
#iptables -A INPUT -i ppp0 -m state --state NEW -p udp --dport 27015:27016 -j ACCEPT
# IPSEC
#iptables -A INPUT -i ppp0 -p 50 -j ACCEPT
#iptables -A INPUT -i ppp0 -p 51 -j ACCEPT
#iptables -A INPUT -i ppp0 -m state --state NEW -p udp --dport 500 -j ACCEPT
# OPENVPN_V1
#iptables -A INPUT -i ppp0 -m state --state NEW -p udp --dport 5000 -j ACCEPT
# OPENVPN_V2
#iptables -A INPUT -i ppp0 -m state --state NEW -p udp --dport 1194 -j ACCEPT
# ICMP Echo-Request (ping) zulassen und beantworten
iptables -A INPUT -m state --state NEW -p icmp --icmp-type echo-request -j ACCEPT
# LAN-Zugriff auf eth0
iptables -A INPUT -m state --state NEW -i eth0 -j ACCEPT
# Default-Policies mit REJECT
iptables -A INPUT -j MY_REJECT
iptables -A OUTPUT -j MY_REJECT
iptables -A FORWARD -j MY_REJECT
# Forwarding/Routing
echo "Aktiviere IP-Routing"
echo 1 > /proc/sys/net/ipv4/ip_forward 2> /dev/null
# Masquerading
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
# SYN-Cookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies 2> /dev/null
# Stop Source-Routing
for i in /proc/sys/net/ipv4/conf/*; do echo 0 > $i/accept_source_route 2> /dev/null; done
# Stop Redirecting
for i in /proc/sys/net/ipv4/conf/*; do echo 0 > $i/accept_redirects 2> /dev/null; done
# Reverse-Path-Filter
# Auskommentiert, da IPSEC mit RP_Filter nicht funktioniert!
# for i in /proc/sys/net/ipv4/conf/*; do echo 2 > $i/rp_filter 2> /dev/null; done
# Log Martians
for i in /proc/sys/net/ipv4/conf/*; do echo 1 > $i/log_martians 2> /dev/null; done
# BOOTP-Relaying ausschalten
for i in /proc/sys/net/ipv4/conf/*; do echo 0 > $i/bootp_relay 2> /dev/null; done
# Proxy-ARP ausschalten
for i in /proc/sys/net/ipv4/conf/*; do echo 0 > $i/proxy_arp 2> /dev/null; done
# Ungueltige ICMP-Antworten ignorieren
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 2> /dev/null
# ICMP Echo-Broadcasts ignorieren
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 2> /dev/null
# Max. 500/Sekunde (5/Jiffie) senden
echo 5 > /proc/sys/net/ipv4/icmp_ratelimit
# Speicherallozierung und -timing fuer IP-De/-Fragmentierung
echo 262144 > /proc/sys/net/ipv4/ipfrag_high_thresh
echo 196608 > /proc/sys/net/ipv4/ipfrag_low_thresh
echo 30 > /proc/sys/net/ipv4/ipfrag_time
# TCP-FIN-Timeout zum Schutz vor DoS-Attacken setzen
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
# Maximal 3 Antworten auf ein TCP-SYN
echo 3 > /proc/sys/net/ipv4/tcp_retries1
# TCP-Pakete maximal 15x wiederholen
echo 15 > /proc/sys/net/ipv4/tcp_retries2
;;
stop)
echo "Stoppe IP-Paketfilter"
# Tabelle flushen
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -t nat -X
iptables -t mangle -X
echo "Deaktiviere IP-Routing"
echo 0 > /proc/sys/net/ipv4/ip_forward
# Default-Policies setzen
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
;;
status)
echo "Tabelle filter"
iptables -L -vn
echo "Tabelle nat"
iptables -t nat -L -vn
echo "Tabelle mangle"
iptables -t mangle -L -vn
;;
*)
echo "Fehlerhafter Aufruf"
echo "Syntax: $0 {start|stop|status}"
exit 1
;;
esac
Wenn ich von Außerhalb versuche mich auf den Mailserver via imaps zu connecten, bekomme ich immer wieder die Meldung "connection refused".
Was mache ich hier Falsch?
Dank Euch schon mal im Voraus!
Gruß Benuk