darktr00per
19.09.02, 20:01
nochmal!
ich hab erst alles erlauben lassen in den Regeln und dann die wichtigen ports für das inet gesperrt aber irgendwie is http (apache benutzt doch port 80 zumindest standardmäßig) immer noch erreichbar!
#!/bin/bash
echo 1 > /proc/sys/net/ipv4/ip_forward
# module laden
/sbin/insmod iptable_nat &> /dev/null
/sbin/insmod ip_conntrack &> /dev/null
/sbin/insmod ip_conntrack_ftp &> /dev/null
/sbin/insmod ip_nat_ftp &> /dev/null
iptables --flush
iptables -t nat --flush
iptables -F
iptables -P OUTPUT ACCEPT
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
# routing
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
#iptables -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A INPUT -i ! ppp0 -m state --state NEW -j ACCEPT
#iptables -A FORWARD -o ppp0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#iptables -A FORWARD -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# SMB nach aussen sperren
iptables -A FORWARD -o ppp0 -p tcp --dport 137:139 -j REJECT
iptables -A FORWARD -o ppp0 -p udp --dport 137:139 -j REJECT
# ftp nach aussen sperren
iptables -A FORWARD -o ppp0 -p tcp --dport 40000 -j REJECT
iptables -A FORWARD -o ppp0 -p udp --dport 40000 -j REJECT
# webserver von ausen erreichbar
iptables -A FORWARD -p tcp -i ppp0 --dport 80 -j REJECT
iptables -A FORWARD -p udp -i ppp0 --dport 80 -j REJECT
# kaZaa verbieten
iptables -A FORWARD -i ppp0 -p tcp --dport 1214 -j REJECT
iptables -A FORWARD -i ppp0 -p udp --dport 1214 -j REJECT
# telnet fallen lassen
iptables -A FORWARD -i ppp0 -p tcp --dport 23 -j REJECT
iptables -A FORWARD -i ppp0 -p udp --dport 23 -j REJECT
# ftp auf port 21 fallen lassen
iptables -A FORWARD -i ppp0 -p tcp --dport 21 -j REJECT
iptables -A FORWARD -i ppp0 -p udp --dport 21 -j REJECT
# http auf port 80 fallen lassen
iptables -A FORWARD -i ppp0 -p tcp --dport 80 -j REJECT
iptables -A FORWARD -i ppp0 -p udp --dport 80 -j REJECT
# mldonkey auf port 4001,4080,4000 fallen lassen
iptables -A FORWARD -i ppp0 -p tcp --dport 4001 -j REJECT
iptables -A FORWARD -i ppp0 -p udp --dport 4001 -j REJECT
iptables -A FORWARD -i ppp0 -p tcp --dport 4080 -j REJECT
iptables -A FORWARD -i ppp0 -p udp --dport 4080 -j REJECT
iptables -A FORWARD -i ppp0 -p tcp --dport 4000 -j REJECT
iptables -A FORWARD -i ppp0 -p udp --dport 4000 -j REJECT
##################
# portforwarding #
##################
# forward
#iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
#iptables -A FORWARD -o ppp0 -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1412: -j TCPMSS --set-mss 1452
# icq
iptables -t nat -A PREROUTING -p tcp --dport 5010:5030 -i ppp0 -j DNAT --to-destination 192.168.2.2:5010-5030
# ftp server + dcc
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 2000:2400 -j DNAT --to 192.168.2.2:2000-2400
# quake + halflife
#iptables -t nat -A PREROUTING -i ppp0 -p udp --dport 27005 -j DNAT --to 192.168.2.2:27005
# battlecom
iptables -t nat -A POSTROUTING -o ppp0 -p tcp --dport 2300:2400 -j SNAT --to 192.168.2.2:2300-2400
iptables -t nat -A POSTROUTING -o ppp0 -p udp --dport 2300:2400 -j SNAT --to 192.168.2.2:2300-2400
iptables -t nat -A POSTROUTING -o ppp0 -p tcp --dport 47624 -j SNAT --to 192.168.2.2:47624
iptables -t nat -A POSTROUTING -o ppp0 -p udp --dport 700 -j SNAT --to 192.168.2.2:700
iptables -t nat -A POSTROUTING -o ppp0 -p tcp --dport 5000:5011 -j SNAT --to 192.168.2.2:5000-5011
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 2300:2400 -j DNAT --to 192.168.2.2:2300-2400
iptables -t nat -A PREROUTING -i ppp0 -p udp --dport 2300:2400 -j DNAT --to 192.168.2.2:2300-2400
iptables -t nat -A PREROUTING -i ppp0 -p udp --dport 47624 -j DNAT --to 192.168.2.2:47624
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 47624 -j DNAT --to 192.168.2.2:47624
iptables -t nat -A PREROUTING -i ppp0 -p udp --dport 28800:28900 -j DNAT --to 192.168.2.2:28800-28900
iptables -t nat -A PREROUTING -i ppp0 -p udp --dport 700 -j DNAT --to 192.168.2.2:700
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 5000:5011 -j DNAT --to 192.168.2.2:5000-5011
####################
# regeln auflisten #
####################
iptables -L
echo ""
echo "#############"
echo "# Alles ok! #"
echo "#############"
echo ""
ich hab erst alles erlauben lassen in den Regeln und dann die wichtigen ports für das inet gesperrt aber irgendwie is http (apache benutzt doch port 80 zumindest standardmäßig) immer noch erreichbar!
#!/bin/bash
echo 1 > /proc/sys/net/ipv4/ip_forward
# module laden
/sbin/insmod iptable_nat &> /dev/null
/sbin/insmod ip_conntrack &> /dev/null
/sbin/insmod ip_conntrack_ftp &> /dev/null
/sbin/insmod ip_nat_ftp &> /dev/null
iptables --flush
iptables -t nat --flush
iptables -F
iptables -P OUTPUT ACCEPT
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
# routing
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
#iptables -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A INPUT -i ! ppp0 -m state --state NEW -j ACCEPT
#iptables -A FORWARD -o ppp0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#iptables -A FORWARD -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# SMB nach aussen sperren
iptables -A FORWARD -o ppp0 -p tcp --dport 137:139 -j REJECT
iptables -A FORWARD -o ppp0 -p udp --dport 137:139 -j REJECT
# ftp nach aussen sperren
iptables -A FORWARD -o ppp0 -p tcp --dport 40000 -j REJECT
iptables -A FORWARD -o ppp0 -p udp --dport 40000 -j REJECT
# webserver von ausen erreichbar
iptables -A FORWARD -p tcp -i ppp0 --dport 80 -j REJECT
iptables -A FORWARD -p udp -i ppp0 --dport 80 -j REJECT
# kaZaa verbieten
iptables -A FORWARD -i ppp0 -p tcp --dport 1214 -j REJECT
iptables -A FORWARD -i ppp0 -p udp --dport 1214 -j REJECT
# telnet fallen lassen
iptables -A FORWARD -i ppp0 -p tcp --dport 23 -j REJECT
iptables -A FORWARD -i ppp0 -p udp --dport 23 -j REJECT
# ftp auf port 21 fallen lassen
iptables -A FORWARD -i ppp0 -p tcp --dport 21 -j REJECT
iptables -A FORWARD -i ppp0 -p udp --dport 21 -j REJECT
# http auf port 80 fallen lassen
iptables -A FORWARD -i ppp0 -p tcp --dport 80 -j REJECT
iptables -A FORWARD -i ppp0 -p udp --dport 80 -j REJECT
# mldonkey auf port 4001,4080,4000 fallen lassen
iptables -A FORWARD -i ppp0 -p tcp --dport 4001 -j REJECT
iptables -A FORWARD -i ppp0 -p udp --dport 4001 -j REJECT
iptables -A FORWARD -i ppp0 -p tcp --dport 4080 -j REJECT
iptables -A FORWARD -i ppp0 -p udp --dport 4080 -j REJECT
iptables -A FORWARD -i ppp0 -p tcp --dport 4000 -j REJECT
iptables -A FORWARD -i ppp0 -p udp --dport 4000 -j REJECT
##################
# portforwarding #
##################
# forward
#iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
#iptables -A FORWARD -o ppp0 -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1412: -j TCPMSS --set-mss 1452
# icq
iptables -t nat -A PREROUTING -p tcp --dport 5010:5030 -i ppp0 -j DNAT --to-destination 192.168.2.2:5010-5030
# ftp server + dcc
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 2000:2400 -j DNAT --to 192.168.2.2:2000-2400
# quake + halflife
#iptables -t nat -A PREROUTING -i ppp0 -p udp --dport 27005 -j DNAT --to 192.168.2.2:27005
# battlecom
iptables -t nat -A POSTROUTING -o ppp0 -p tcp --dport 2300:2400 -j SNAT --to 192.168.2.2:2300-2400
iptables -t nat -A POSTROUTING -o ppp0 -p udp --dport 2300:2400 -j SNAT --to 192.168.2.2:2300-2400
iptables -t nat -A POSTROUTING -o ppp0 -p tcp --dport 47624 -j SNAT --to 192.168.2.2:47624
iptables -t nat -A POSTROUTING -o ppp0 -p udp --dport 700 -j SNAT --to 192.168.2.2:700
iptables -t nat -A POSTROUTING -o ppp0 -p tcp --dport 5000:5011 -j SNAT --to 192.168.2.2:5000-5011
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 2300:2400 -j DNAT --to 192.168.2.2:2300-2400
iptables -t nat -A PREROUTING -i ppp0 -p udp --dport 2300:2400 -j DNAT --to 192.168.2.2:2300-2400
iptables -t nat -A PREROUTING -i ppp0 -p udp --dport 47624 -j DNAT --to 192.168.2.2:47624
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 47624 -j DNAT --to 192.168.2.2:47624
iptables -t nat -A PREROUTING -i ppp0 -p udp --dport 28800:28900 -j DNAT --to 192.168.2.2:28800-28900
iptables -t nat -A PREROUTING -i ppp0 -p udp --dport 700 -j DNAT --to 192.168.2.2:700
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 5000:5011 -j DNAT --to 192.168.2.2:5000-5011
####################
# regeln auflisten #
####################
iptables -L
echo ""
echo "#############"
echo "# Alles ok! #"
echo "#############"
echo ""