PDA

Archiv verlassen und diese Seite im Standarddesign anzeigen : Firewall


marci
01.11.01, 15:29
Hallo
Hatte jemand Ahnung über das Firewallskript von das Buch "Suse Press".
Die Skripten laufen bei mir nicht.
Habe danach keine Netzwerkverbindung über ssh,ping intern Internetverbindung geht nicht
#! /bin/tcsh
# firewall-Skript für surfer
#================================================= =========================
# Part 1: Variablen
#================================================= =========================
echo "settings firewall rules for surfer1......"
modprobe ip_tables
set IPTABLES = /usr/sbin/iptables

# special ports

set p_high = 1024:65535 #unprivileged
set p_ssh = 513:1023 #common ssh source ports
# interfaces

set EXT = ippp0
set INT = eth0

set IF = ( $EXT $INT )

# ip hosts

set NS = ( 130.25.26.10 195.182.96.28 )

set mail = 192.76.144.56
set loghost = 192.168.1.9 #Rechner w1

set INTERN = 192.168.1.0/24 #eth1 Maske
set FRIENDs = 192.184.0.1/24

#================================================= =======================
# PART II: Grundkonfiguration: absichern
#================================================= =======================
# dynamische Kernelparameter setzen

echo "0" > /proc/sys/net/ipv4/ip_forward # erstmal abschalten
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
#echo "5" > /proc/sys/net/ipv4/icmp_destunreach_rate
#echo "5" > /proc/sys/net/ipv4/icmp_echoreply_rate
#echo "5" > /proc/sys/net/ipv4/icmp_paramprob_rate
#echo "10" > /proc/sys/net/ipv4/icmp_timeexceed_rate

foreach if ( $IF )
echo "1" > /proc/sys/net/ipv4/conf/$if/rp_filter
echo "0" > /proc/sys/net/ipv4/conf/$if/accept_redirects
echo "0" > /proc/sys/net/ipv4/conf/$if/accept_source_route
echo "0" > /proc/sys/net/ipv4/conf/$if/bootp_relay
echo "1" > /proc/sys/net/ipv4/conf/$if/log_martians
end

# Default Policy unf flush

$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP

$IPTABLES -F # flush aller chains (Tabelle filter)
$IPTABLES -t nat -F # flush aller chains (Tabelle nat)
$IPTABLES -X # delete all userdefined chains
# (Tabelle filter)
#------------------------------------------------------------------------
# lokale Prozesse

$IPTABLES -A OUTPUT -o lo -j ACCEPT

$IPTABLES -A INPUT -i lo -j ACCEPT

#------------------------------------------------------------------------
# ssh für Fernwartung

$$IPTABLES -A INPUT -i $INT -s $INTERN -p TCP --sport $p_ssh --dport ssh -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A OUTPUT -o $INT -d $INTERN -p TCP --dport $p_ssh --sport ssh -m state --state ESTABLISHED,RELATED -j ACCEPT

#================================================= =======================
# Userdefinierte Regelketten
#================================================= =======================

# DROP & LOG CHAIN

$IPTABLES -N my_drop
$IPTABLES -A my_drop -p ICMP -j LOG --log-prefix "DROP-ICMP "
$IPTABLES -A my_drop -p UDP -j LOG --log-prefix "DROP-UDP "
$IPTABLES -A my_drop -p TCP -j LOG --log-prefix "DROP-TCP "
$IPTABLES -A my_drop -j DROP

#================================================= ======================
# Part IV: Masquerading. generell bestehende Verbindungen
#================================================= ======================
#-------------------------------------------------------------------------
# MASQUERADING

$IPTABLES -t nat -A POSTROUTING -o $EXT -j MASQUERADE

echo "1" > /proc/sys/net/ipv4/ip_forward # wieder einschalten
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

#------------------------------------------------------------------------
# ausgehende Pakete bei bereits aufgebauter Verbindung

$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A FORWARD -i $INT -o $EXT -m state --state ESTABLISHED,RELATED -j ACCEPT

#--------------------------------------------------------------------------
# Rückkanal: eingehende Pakete zu einer bestehenden Verbindung

$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A INPUT -m state --state NEW,INVALID -j ACCEPT

$IPTABLES -A FORWARD -i $EXT -o $INT -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A FORWARD -i $EXT -o $INT -m state --state NEW,INVALID -j my_drop


#================================================= =====================
# Part V: Filterregeln für lokale Dienste
#================================================= =====================

#----------------------------------------------------------------------
# ICMP

$IPTABLES -A OUTPUT -p ICMP --icmp-type echo-request -j ACCEPT

$IPTABLES -A INPUT -p ICMP --icmp-type echo-request -j ACCEPT

#-----------------------------------------------------------------------
# SYSLOG

$IPTABLES -A OUTPUT -o $INT -m state --state NEW -p UDP --sport syslog -d $loghost --dport syslog -j ACCEPT

#================================================= =====================
# Part VI:Filterregeln für Forwarding
#================================================= =====================

#----------------------------------------------------------------------
# ICMP

$IPTABLES -A FORWARD -o $EXT -p ICMP --icmp-type echo-request -j ACCEPT

#----------------------------------------------------------------------
# DNS

foreach ns ( $NS )
$IPTABLES -A FORWARD -o $EXT -m state --state NEW -p UDP --sport $p_high -d $ns --dport name -j ACCEPT

$IPTABLES -A FORWARD -o $EXT -m state --state NEW -p TCP --sport $p_high -d $ns --dport name -j ACCEPT
end


#---------------------------------------------------------------------
# SMTP , POP3

$IPTABLES -A FORWARD -o $EXT -m state --state NEW -p TCP --sport $p_high -d $mail --dport smtp -j ACCEPT

$IPTABLES -A FORWARD -o $EXT -m state --state NEW -p TCP --sport $p_high -d $mail --dport pop3 -j ACCEPT

#---------------------------------------------------------------------
# HTTP

$IPTABLES -A FORWARD -o $EXT -m state --state NEW -p TCP --sport $p_high --dport http -j ACCEPT

#--------------------------------------------------------------------
# HTTP via SSL

$IPTABLES -A FORWARD -o $EXT -m state --state NEW -p TCP --sport $p_high --dport https -j ACCEPT

#-------------------------------------------------------------------
# ident. reject

$IPTABLES -A FORWARD -o $EXT -p TCP --sport auth --syn -j REJECT

#-------------------------------------------------------------------
# ftp.out,control connection

$IPTABLES -A FORWARD -o $EXT -m state --state NEW -p TCP --sport $p_high --dport ftp -j ACCEPT


# ftp, out, passive data connection

$IPTABLES -A FORWARD -o $EXT -m state --state NEW -p TCP --sport $p_high --dport $p_high -j ACCEPT

#--------------------------------------------------------------------
# SSH

$IPTABLES -A FORWARD -o $EXT -m state --state NEW -p TCP --sport $p_high --dport ssh -d $FRIENDs -j ACCEPT

# -------------------------------------------------------------------
# Userdefinierte Chains f|r dynamische Server-IP's via ippp0

$IPTABLES -N ippp0-dyn-out

# -------------------------------------------------------------------
# Interface-bezogene Targets

$IPTABLES -A OUTPUT -o ippp0 -j ippp0-dyn-out

# Triiger-Regeln

$IPTABLES -A OUTPUT -o ippp0 -m state --state NEW -j ACCEPT

# ------------------------------------------------------------------
# Squid

$IPTABLES -A FORWARD -i $INT -d $INTERN -m state --state NEW,ESTABLISHED,RELATED -p TCP --sport $p_high --dport 3128 -j ACCEPT

#--------------------------------------------------------------------
# Ausputzer: rest sperren. loggen

$IPTABLES -A INPUT -j my_drop
$IPTABLES -A FORWARD -j my_drop
$IPTABLES -A OUTPUT -j my_drop