marci
01.11.01, 15:29
Hallo
Hatte jemand Ahnung über das Firewallskript von das Buch "Suse Press".
Die Skripten laufen bei mir nicht.
Habe danach keine Netzwerkverbindung über ssh,ping intern Internetverbindung geht nicht
#! /bin/tcsh
# firewall-Skript für surfer
#================================================= =========================
# Part 1: Variablen
#================================================= =========================
echo "settings firewall rules for surfer1......"
modprobe ip_tables
set IPTABLES = /usr/sbin/iptables
# special ports
set p_high = 1024:65535 #unprivileged
set p_ssh = 513:1023 #common ssh source ports
# interfaces
set EXT = ippp0
set INT = eth0
set IF = ( $EXT $INT )
# ip hosts
set NS = ( 130.25.26.10 195.182.96.28 )
set mail = 192.76.144.56
set loghost = 192.168.1.9 #Rechner w1
set INTERN = 192.168.1.0/24 #eth1 Maske
set FRIENDs = 192.184.0.1/24
#================================================= =======================
# PART II: Grundkonfiguration: absichern
#================================================= =======================
# dynamische Kernelparameter setzen
echo "0" > /proc/sys/net/ipv4/ip_forward # erstmal abschalten
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
#echo "5" > /proc/sys/net/ipv4/icmp_destunreach_rate
#echo "5" > /proc/sys/net/ipv4/icmp_echoreply_rate
#echo "5" > /proc/sys/net/ipv4/icmp_paramprob_rate
#echo "10" > /proc/sys/net/ipv4/icmp_timeexceed_rate
foreach if ( $IF )
echo "1" > /proc/sys/net/ipv4/conf/$if/rp_filter
echo "0" > /proc/sys/net/ipv4/conf/$if/accept_redirects
echo "0" > /proc/sys/net/ipv4/conf/$if/accept_source_route
echo "0" > /proc/sys/net/ipv4/conf/$if/bootp_relay
echo "1" > /proc/sys/net/ipv4/conf/$if/log_martians
end
# Default Policy unf flush
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -F # flush aller chains (Tabelle filter)
$IPTABLES -t nat -F # flush aller chains (Tabelle nat)
$IPTABLES -X # delete all userdefined chains
# (Tabelle filter)
#------------------------------------------------------------------------
# lokale Prozesse
$IPTABLES -A OUTPUT -o lo -j ACCEPT
$IPTABLES -A INPUT -i lo -j ACCEPT
#------------------------------------------------------------------------
# ssh für Fernwartung
$$IPTABLES -A INPUT -i $INT -s $INTERN -p TCP --sport $p_ssh --dport ssh -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -o $INT -d $INTERN -p TCP --dport $p_ssh --sport ssh -m state --state ESTABLISHED,RELATED -j ACCEPT
#================================================= =======================
# Userdefinierte Regelketten
#================================================= =======================
# DROP & LOG CHAIN
$IPTABLES -N my_drop
$IPTABLES -A my_drop -p ICMP -j LOG --log-prefix "DROP-ICMP "
$IPTABLES -A my_drop -p UDP -j LOG --log-prefix "DROP-UDP "
$IPTABLES -A my_drop -p TCP -j LOG --log-prefix "DROP-TCP "
$IPTABLES -A my_drop -j DROP
#================================================= ======================
# Part IV: Masquerading. generell bestehende Verbindungen
#================================================= ======================
#-------------------------------------------------------------------------
# MASQUERADING
$IPTABLES -t nat -A POSTROUTING -o $EXT -j MASQUERADE
echo "1" > /proc/sys/net/ipv4/ip_forward # wieder einschalten
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
#------------------------------------------------------------------------
# ausgehende Pakete bei bereits aufgebauter Verbindung
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INT -o $EXT -m state --state ESTABLISHED,RELATED -j ACCEPT
#--------------------------------------------------------------------------
# Rückkanal: eingehende Pakete zu einer bestehenden Verbindung
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW,INVALID -j ACCEPT
$IPTABLES -A FORWARD -i $EXT -o $INT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $EXT -o $INT -m state --state NEW,INVALID -j my_drop
#================================================= =====================
# Part V: Filterregeln für lokale Dienste
#================================================= =====================
#----------------------------------------------------------------------
# ICMP
$IPTABLES -A OUTPUT -p ICMP --icmp-type echo-request -j ACCEPT
$IPTABLES -A INPUT -p ICMP --icmp-type echo-request -j ACCEPT
#-----------------------------------------------------------------------
# SYSLOG
$IPTABLES -A OUTPUT -o $INT -m state --state NEW -p UDP --sport syslog -d $loghost --dport syslog -j ACCEPT
#================================================= =====================
# Part VI:Filterregeln für Forwarding
#================================================= =====================
#----------------------------------------------------------------------
# ICMP
$IPTABLES -A FORWARD -o $EXT -p ICMP --icmp-type echo-request -j ACCEPT
#----------------------------------------------------------------------
# DNS
foreach ns ( $NS )
$IPTABLES -A FORWARD -o $EXT -m state --state NEW -p UDP --sport $p_high -d $ns --dport name -j ACCEPT
$IPTABLES -A FORWARD -o $EXT -m state --state NEW -p TCP --sport $p_high -d $ns --dport name -j ACCEPT
end
#---------------------------------------------------------------------
# SMTP , POP3
$IPTABLES -A FORWARD -o $EXT -m state --state NEW -p TCP --sport $p_high -d $mail --dport smtp -j ACCEPT
$IPTABLES -A FORWARD -o $EXT -m state --state NEW -p TCP --sport $p_high -d $mail --dport pop3 -j ACCEPT
#---------------------------------------------------------------------
# HTTP
$IPTABLES -A FORWARD -o $EXT -m state --state NEW -p TCP --sport $p_high --dport http -j ACCEPT
#--------------------------------------------------------------------
# HTTP via SSL
$IPTABLES -A FORWARD -o $EXT -m state --state NEW -p TCP --sport $p_high --dport https -j ACCEPT
#-------------------------------------------------------------------
# ident. reject
$IPTABLES -A FORWARD -o $EXT -p TCP --sport auth --syn -j REJECT
#-------------------------------------------------------------------
# ftp.out,control connection
$IPTABLES -A FORWARD -o $EXT -m state --state NEW -p TCP --sport $p_high --dport ftp -j ACCEPT
# ftp, out, passive data connection
$IPTABLES -A FORWARD -o $EXT -m state --state NEW -p TCP --sport $p_high --dport $p_high -j ACCEPT
#--------------------------------------------------------------------
# SSH
$IPTABLES -A FORWARD -o $EXT -m state --state NEW -p TCP --sport $p_high --dport ssh -d $FRIENDs -j ACCEPT
# -------------------------------------------------------------------
# Userdefinierte Chains f|r dynamische Server-IP's via ippp0
$IPTABLES -N ippp0-dyn-out
# -------------------------------------------------------------------
# Interface-bezogene Targets
$IPTABLES -A OUTPUT -o ippp0 -j ippp0-dyn-out
# Triiger-Regeln
$IPTABLES -A OUTPUT -o ippp0 -m state --state NEW -j ACCEPT
# ------------------------------------------------------------------
# Squid
$IPTABLES -A FORWARD -i $INT -d $INTERN -m state --state NEW,ESTABLISHED,RELATED -p TCP --sport $p_high --dport 3128 -j ACCEPT
#--------------------------------------------------------------------
# Ausputzer: rest sperren. loggen
$IPTABLES -A INPUT -j my_drop
$IPTABLES -A FORWARD -j my_drop
$IPTABLES -A OUTPUT -j my_drop
Hatte jemand Ahnung über das Firewallskript von das Buch "Suse Press".
Die Skripten laufen bei mir nicht.
Habe danach keine Netzwerkverbindung über ssh,ping intern Internetverbindung geht nicht
#! /bin/tcsh
# firewall-Skript für surfer
#================================================= =========================
# Part 1: Variablen
#================================================= =========================
echo "settings firewall rules for surfer1......"
modprobe ip_tables
set IPTABLES = /usr/sbin/iptables
# special ports
set p_high = 1024:65535 #unprivileged
set p_ssh = 513:1023 #common ssh source ports
# interfaces
set EXT = ippp0
set INT = eth0
set IF = ( $EXT $INT )
# ip hosts
set NS = ( 130.25.26.10 195.182.96.28 )
set mail = 192.76.144.56
set loghost = 192.168.1.9 #Rechner w1
set INTERN = 192.168.1.0/24 #eth1 Maske
set FRIENDs = 192.184.0.1/24
#================================================= =======================
# PART II: Grundkonfiguration: absichern
#================================================= =======================
# dynamische Kernelparameter setzen
echo "0" > /proc/sys/net/ipv4/ip_forward # erstmal abschalten
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
#echo "5" > /proc/sys/net/ipv4/icmp_destunreach_rate
#echo "5" > /proc/sys/net/ipv4/icmp_echoreply_rate
#echo "5" > /proc/sys/net/ipv4/icmp_paramprob_rate
#echo "10" > /proc/sys/net/ipv4/icmp_timeexceed_rate
foreach if ( $IF )
echo "1" > /proc/sys/net/ipv4/conf/$if/rp_filter
echo "0" > /proc/sys/net/ipv4/conf/$if/accept_redirects
echo "0" > /proc/sys/net/ipv4/conf/$if/accept_source_route
echo "0" > /proc/sys/net/ipv4/conf/$if/bootp_relay
echo "1" > /proc/sys/net/ipv4/conf/$if/log_martians
end
# Default Policy unf flush
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -F # flush aller chains (Tabelle filter)
$IPTABLES -t nat -F # flush aller chains (Tabelle nat)
$IPTABLES -X # delete all userdefined chains
# (Tabelle filter)
#------------------------------------------------------------------------
# lokale Prozesse
$IPTABLES -A OUTPUT -o lo -j ACCEPT
$IPTABLES -A INPUT -i lo -j ACCEPT
#------------------------------------------------------------------------
# ssh für Fernwartung
$$IPTABLES -A INPUT -i $INT -s $INTERN -p TCP --sport $p_ssh --dport ssh -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -o $INT -d $INTERN -p TCP --dport $p_ssh --sport ssh -m state --state ESTABLISHED,RELATED -j ACCEPT
#================================================= =======================
# Userdefinierte Regelketten
#================================================= =======================
# DROP & LOG CHAIN
$IPTABLES -N my_drop
$IPTABLES -A my_drop -p ICMP -j LOG --log-prefix "DROP-ICMP "
$IPTABLES -A my_drop -p UDP -j LOG --log-prefix "DROP-UDP "
$IPTABLES -A my_drop -p TCP -j LOG --log-prefix "DROP-TCP "
$IPTABLES -A my_drop -j DROP
#================================================= ======================
# Part IV: Masquerading. generell bestehende Verbindungen
#================================================= ======================
#-------------------------------------------------------------------------
# MASQUERADING
$IPTABLES -t nat -A POSTROUTING -o $EXT -j MASQUERADE
echo "1" > /proc/sys/net/ipv4/ip_forward # wieder einschalten
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
#------------------------------------------------------------------------
# ausgehende Pakete bei bereits aufgebauter Verbindung
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INT -o $EXT -m state --state ESTABLISHED,RELATED -j ACCEPT
#--------------------------------------------------------------------------
# Rückkanal: eingehende Pakete zu einer bestehenden Verbindung
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW,INVALID -j ACCEPT
$IPTABLES -A FORWARD -i $EXT -o $INT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $EXT -o $INT -m state --state NEW,INVALID -j my_drop
#================================================= =====================
# Part V: Filterregeln für lokale Dienste
#================================================= =====================
#----------------------------------------------------------------------
# ICMP
$IPTABLES -A OUTPUT -p ICMP --icmp-type echo-request -j ACCEPT
$IPTABLES -A INPUT -p ICMP --icmp-type echo-request -j ACCEPT
#-----------------------------------------------------------------------
# SYSLOG
$IPTABLES -A OUTPUT -o $INT -m state --state NEW -p UDP --sport syslog -d $loghost --dport syslog -j ACCEPT
#================================================= =====================
# Part VI:Filterregeln für Forwarding
#================================================= =====================
#----------------------------------------------------------------------
# ICMP
$IPTABLES -A FORWARD -o $EXT -p ICMP --icmp-type echo-request -j ACCEPT
#----------------------------------------------------------------------
# DNS
foreach ns ( $NS )
$IPTABLES -A FORWARD -o $EXT -m state --state NEW -p UDP --sport $p_high -d $ns --dport name -j ACCEPT
$IPTABLES -A FORWARD -o $EXT -m state --state NEW -p TCP --sport $p_high -d $ns --dport name -j ACCEPT
end
#---------------------------------------------------------------------
# SMTP , POP3
$IPTABLES -A FORWARD -o $EXT -m state --state NEW -p TCP --sport $p_high -d $mail --dport smtp -j ACCEPT
$IPTABLES -A FORWARD -o $EXT -m state --state NEW -p TCP --sport $p_high -d $mail --dport pop3 -j ACCEPT
#---------------------------------------------------------------------
# HTTP
$IPTABLES -A FORWARD -o $EXT -m state --state NEW -p TCP --sport $p_high --dport http -j ACCEPT
#--------------------------------------------------------------------
# HTTP via SSL
$IPTABLES -A FORWARD -o $EXT -m state --state NEW -p TCP --sport $p_high --dport https -j ACCEPT
#-------------------------------------------------------------------
# ident. reject
$IPTABLES -A FORWARD -o $EXT -p TCP --sport auth --syn -j REJECT
#-------------------------------------------------------------------
# ftp.out,control connection
$IPTABLES -A FORWARD -o $EXT -m state --state NEW -p TCP --sport $p_high --dport ftp -j ACCEPT
# ftp, out, passive data connection
$IPTABLES -A FORWARD -o $EXT -m state --state NEW -p TCP --sport $p_high --dport $p_high -j ACCEPT
#--------------------------------------------------------------------
# SSH
$IPTABLES -A FORWARD -o $EXT -m state --state NEW -p TCP --sport $p_high --dport ssh -d $FRIENDs -j ACCEPT
# -------------------------------------------------------------------
# Userdefinierte Chains f|r dynamische Server-IP's via ippp0
$IPTABLES -N ippp0-dyn-out
# -------------------------------------------------------------------
# Interface-bezogene Targets
$IPTABLES -A OUTPUT -o ippp0 -j ippp0-dyn-out
# Triiger-Regeln
$IPTABLES -A OUTPUT -o ippp0 -m state --state NEW -j ACCEPT
# ------------------------------------------------------------------
# Squid
$IPTABLES -A FORWARD -i $INT -d $INTERN -m state --state NEW,ESTABLISHED,RELATED -p TCP --sport $p_high --dport 3128 -j ACCEPT
#--------------------------------------------------------------------
# Ausputzer: rest sperren. loggen
$IPTABLES -A INPUT -j my_drop
$IPTABLES -A FORWARD -j my_drop
$IPTABLES -A OUTPUT -j my_drop