Badboy2000
05.08.02, 22:29
Hi, könnte sich vielleicht mal jemand mein friewall script anschauen?
Ich wollte damit einen Router online setzen.
Die Firewall soll das interne Netz durchrouten und noch server ssh,ftp,http freigeben.
Könnt ihr mir da helfen und meine fehler korigieren?
# Flush
# -----
iptables --flush
iptables --table nat --flush
iptables -X
iptables --table nat -X
# ----------------------------------------
# Loopback freischalten
# ---------------------
iptables --append INPUT --in-interface lo -j ACCEPT
iptables --append OUTPUT --out-interface lo -j ACCEPT
# ----------------------------------------
# Sicherheitspolitik
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# ----------------------------------------
# ----------------------------------------
# Masquerading
# ------------
echo 1 > /proc/sys/net/ipv4/ip_forward
# Set up IP FORWARDing and Masquerading
iptables --table nat --append POSTROUTING --out-interface ppp0 -j MASQUERADE
iptables --append FORWARD --in-interface eth0 -j ACCEPT
# ----------------------------------------
# ----------------------------------------
# echo 1 > /proc/sys/net/ipv4/ip_dynaddr
# ----------------------------------------
# Zugriff des internen Netzes aufs Gateway
iptables --append INPUT --in-interface eth0 -j ACCEPT
iptables --append OUTPUT --out-interface eth0 -j ACCEPT
# echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# echo 1 > /proc/sys/net/ipv4/ip_always_defrag
# echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# ----------------------------------------
# Blocken von ICMP-Redirect-Paketen
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > $f
done
# ----------------------------------------
# Blocken von Source-Routed-Paketen
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do echo 0 > $f
done
# ----------------------------------------
# Rückkanal zu einer bestehenden Verbindung
iptables --append INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables --append OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ----------------------------------------
# ----------------------------------------
# ICMP
#
# Benötigte ICMP-Typen freischalten
# ---------------------------------
# ping 8 und 0 ausgehend
iptables --append OUTPUT -p ICMP --icmp-type echo-request -j ACCEPT
iptables --append INPUT -p ICMP --icmp-type echo-reply -j ACCEPT
#
# source quench (4)
iptables --append OUTPUT -p ICMP --icmp-type source-quench -j ACCEPT
#
# time exceeded (11)
iptables --append OUTPUT -p ICMP --icmp-type time-exceeded -j ACCEPT
iptables --append INPUT -p ICMP --icmp-type time-exceeded -j ACCEPT
#
# parameter problem (12)
iptables --append OUTPUT -p ICMP --icmp-type parameter-problem -j ACCEPT
iptables --append INPUT -p ICMP --icmp-type parameter-problem -j ACCEPT
#
# destination unreachable (3)
iptables --append OUTPUT -p ICMP --icmp-type destination-unreachable -j ACCEPT
iptables --append INPUT -p ICMP --icmp-type destination-unreachable -j ACCEPT
iptables --append OUTPUT -p ICMP --icmp-type fragmentation-needed -j ACCEPT
iptables --append INPUT -p ICMP --icmp-type fragmentation-needed -j ACCEPT
# ---------------------------------
# HTTP
iptables --append INPUT -p TCP -s 0/0 --destination-port 80 -j ACCEPT
# HTTPS (Secure Web Server)
iptables --append INPUT -p TCP -s 0/0 --destination-port 443 -j ACCEPT
# FTP Server (Control)
iptables --append INPUT -p TCP -s 0/0 --destination-port 21 -j ACCEPT
# FTP Client (Data Port for non-PASV transfers)
iptables --append INPUT -p TCP -s 0/0 --source-port 20 -j ACCEPT
# sshd
iptables --append INPUT -p TCP -s 0/0 --destination-port 22 -j ACCEPT
# ---------------------------------
# Drop bad packets
# Accept TCP packets we want to forward from internal sources
iptables --append FORWARD -p tcp --in-interface eth0 -j ACCEPT
# Accept UDP packets we want to forward from internal sources
iptables --append FORWARD -p udp --in-interface eth0 -j ACCEPT
# If not blocked, accept any other packets from the internal interface
iptables --append FORWARD -p ALL --in-interface eth0 -j ACCEPT
# Deal with responses from the internet
iptables --append FORWARD --in-interface ppp0 -m state --state \
ESTABLISHED,RELATED -j ACCEPT
Ich wollte damit einen Router online setzen.
Die Firewall soll das interne Netz durchrouten und noch server ssh,ftp,http freigeben.
Könnt ihr mir da helfen und meine fehler korigieren?
# Flush
# -----
iptables --flush
iptables --table nat --flush
iptables -X
iptables --table nat -X
# ----------------------------------------
# Loopback freischalten
# ---------------------
iptables --append INPUT --in-interface lo -j ACCEPT
iptables --append OUTPUT --out-interface lo -j ACCEPT
# ----------------------------------------
# Sicherheitspolitik
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# ----------------------------------------
# ----------------------------------------
# Masquerading
# ------------
echo 1 > /proc/sys/net/ipv4/ip_forward
# Set up IP FORWARDing and Masquerading
iptables --table nat --append POSTROUTING --out-interface ppp0 -j MASQUERADE
iptables --append FORWARD --in-interface eth0 -j ACCEPT
# ----------------------------------------
# ----------------------------------------
# echo 1 > /proc/sys/net/ipv4/ip_dynaddr
# ----------------------------------------
# Zugriff des internen Netzes aufs Gateway
iptables --append INPUT --in-interface eth0 -j ACCEPT
iptables --append OUTPUT --out-interface eth0 -j ACCEPT
# echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# echo 1 > /proc/sys/net/ipv4/ip_always_defrag
# echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# ----------------------------------------
# Blocken von ICMP-Redirect-Paketen
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > $f
done
# ----------------------------------------
# Blocken von Source-Routed-Paketen
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do echo 0 > $f
done
# ----------------------------------------
# Rückkanal zu einer bestehenden Verbindung
iptables --append INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables --append OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ----------------------------------------
# ----------------------------------------
# ICMP
#
# Benötigte ICMP-Typen freischalten
# ---------------------------------
# ping 8 und 0 ausgehend
iptables --append OUTPUT -p ICMP --icmp-type echo-request -j ACCEPT
iptables --append INPUT -p ICMP --icmp-type echo-reply -j ACCEPT
#
# source quench (4)
iptables --append OUTPUT -p ICMP --icmp-type source-quench -j ACCEPT
#
# time exceeded (11)
iptables --append OUTPUT -p ICMP --icmp-type time-exceeded -j ACCEPT
iptables --append INPUT -p ICMP --icmp-type time-exceeded -j ACCEPT
#
# parameter problem (12)
iptables --append OUTPUT -p ICMP --icmp-type parameter-problem -j ACCEPT
iptables --append INPUT -p ICMP --icmp-type parameter-problem -j ACCEPT
#
# destination unreachable (3)
iptables --append OUTPUT -p ICMP --icmp-type destination-unreachable -j ACCEPT
iptables --append INPUT -p ICMP --icmp-type destination-unreachable -j ACCEPT
iptables --append OUTPUT -p ICMP --icmp-type fragmentation-needed -j ACCEPT
iptables --append INPUT -p ICMP --icmp-type fragmentation-needed -j ACCEPT
# ---------------------------------
# HTTP
iptables --append INPUT -p TCP -s 0/0 --destination-port 80 -j ACCEPT
# HTTPS (Secure Web Server)
iptables --append INPUT -p TCP -s 0/0 --destination-port 443 -j ACCEPT
# FTP Server (Control)
iptables --append INPUT -p TCP -s 0/0 --destination-port 21 -j ACCEPT
# FTP Client (Data Port for non-PASV transfers)
iptables --append INPUT -p TCP -s 0/0 --source-port 20 -j ACCEPT
# sshd
iptables --append INPUT -p TCP -s 0/0 --destination-port 22 -j ACCEPT
# ---------------------------------
# Drop bad packets
# Accept TCP packets we want to forward from internal sources
iptables --append FORWARD -p tcp --in-interface eth0 -j ACCEPT
# Accept UDP packets we want to forward from internal sources
iptables --append FORWARD -p udp --in-interface eth0 -j ACCEPT
# If not blocked, accept any other packets from the internal interface
iptables --append FORWARD -p ALL --in-interface eth0 -j ACCEPT
# Deal with responses from the internet
iptables --append FORWARD --in-interface ppp0 -m state --state \
ESTABLISHED,RELATED -j ACCEPT