sheinatz
12.01.03, 16:38
also hier meine regeln für http ftp smtp , directx games auf zone.com
nur leider kann keiner mein Http server (auch auf dem rechner wo firewall ist) nicht sehen
meine adresse ist http://abc-xyz.dyndns.org/
please help ... ich weiss nicht warum ...
#!/bin/bash
case "$1" in
start)
echo "START FIREWALLING"
#firewallscript
modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_irc
modprobe ip_conntrack_ftp
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -t nat -X
iptables -t mangle -X
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
#reject chain
iptables -N MY_REJECT
iptables -A MY_REJECT -p tcp -m limit --limit 7200/h -j LOG --log-prefix "REJECT TCP "
iptables -A MY_REJECT -p tcp -j REJECT --reject-with tcp-reset
iptables -A MY_REJECT -p udp -m limit --limit 7200/h -j LOG --log-prefix "REJECT UDP "
iptables -A MY_REJECT -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A MY_REJECT -p icmp -m limit --limit 7200/h -j LOG --log-prefix "DROP ICMP "
iptables -A MY_REJECT -p icmp -j DROP
iptables -A MY_REJECT -j REJECT --reject-with icmp-port-unreachable
#drop chain
iptables -N MY_DROP
iptables -A MY_DROP -m limit --limit 7200/h -j LOG --log-prefix "PORTSCAN DROP "
iptables -A MY_DROP -j DROP
#protokoll verworfener
iptables -A INPUT -m state --state INVALID -m limit --limit 7200/h -j LOG --log-prefix "INPUT INVALID"
iptables -A OUTPUT -m state --state INVALID -m limit --limit 7200/h -j LOG --log-prefix "OUTPUT INVALID"
iptables -A FORWARD -m state --state INVALID -m limit --limit 7200/h -j LOG --log-prefix "FORWARD INVALID"
#korupte zurueckweisen
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
#stealth scann dropen
#keine flags gesetzt
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j MY_DROP
iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j MY_DROP
#syn und fin
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j MY_DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j MY_DROP
#syn und rst
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j MY_DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j MY_DROP
#fin und rst
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j MY_DROP
iptables -A FORWARD -p tcp --tcp-flags FIN,RST FIN,RST -j MY_DROP
#fin ohne ack
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j MY_DROP
iptables -A FORWARD -p tcp --tcp-flags ACK,FIN FIN -j MY_DROP
#psh ohne ack
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j MY_DROP
iptables -A FORWARD -p tcp --tcp-flags ACK,PSH PSH -j MY_DROP
#urg ohne ack
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j MY_DROP
iptables -A FORWARD -p tcp --tcp-flags ACK,URG URG -j MY_DROP
#loopback interface zulassen
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
#connection tracking acktivieren
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i ! ppp0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#smtp
iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 25 -j ACCEPT
#DNS
iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -i ppp0 -m state --state NEW -p udp --dport 53 -j ACCEPT
#http
iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 80 -j ACCEPT
#pop3
iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 110 -j ACCEPT
######################### N A T ######################
#IP LAN ermitteln
#LAN_IP=$(ifconfig eth1 | head -n 2 | tail -n 1 | cut -d -f2 | cut -d " " -f1)
LAN_IP=192.168.1.21
#NAT f|r ftp
modprobe ip_nat_ftp
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 21 -j DNAT --to 192.168.1.8
#iptables -t nat -A POSTROUTING -o eth1 -p tcp --dport 21 -j SNAT --to-source $LAN_IP
iptables -A FORWARD -i ppp0 -m state --state NEW -p tcp -d 192.168.1.8 --dport 21 -j ACCEPT
#NAT fuer DNS
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 53 -j DNAT --to 192.168.1.8
#iptables -t nat -A POSTROUTING -o eth1 -p tcp --dport 53 -j SNAT --to-source $LAN_IP
iptables -A FORWARD -i ppp0 -m state --state NEW -p tcp -d 192.168.1.8 --dport 53 -j ACCEPT
iptables -t nat -A PREROUTING -i ppp0 -p udp --dport 53 -j DNAT --to 192.168.1.8
#iptables -t nat -A POSTROUTING -o eth1 -p udp --dport 53 -j SNAT --to-source $LAN_IP
iptables -A FORWARD -i ppp0 -m state --state NEW -p udp -d 192.168.1.8 --dport 53 -j ACCEPT
#NAT f|r ftp
modprobe ip_nat_ftp
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 21 -j DNAT --to 192.168.1.12
#iptables -t nat -A POSTROUTING -o eth1 -p tcp --dport 21 -j SNAT --to-source $LAN_IP
iptables -A FORWARD -i ppp0 -m state --state NEW -p tcp -d 192.168.1.12 --dport 21 -j ACCEPT
#NAT fuer DNS
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 53 -j DNAT --to 192.168.1.12
#iptables -t nat -A POSTROUTING -o eth1 -p tcp --dport 53 -j SNAT --to-source $LAN_IP
iptables -A FORWARD -i ppp0 -m state --state NEW -p tcp -d 192.168.1.12 --dport 53 -j ACCEPT
iptables -t nat -A PREROUTING -i ppp0 -p udp --dport 53 -j DNAT --to 192.168.1.12
#iptables -t nat -A POSTROUTING -o eth1 -p udp --dport 53 -j SNAT --to-source $LAN_IP
iptables -A FORWARD -i ppp0 -m state --state NEW -p udp -d 192.168.1.12 --dport 53 -j ACCEPT
#NAT fuer HTTP
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 -j DNAT --to 192.168.1.12
#iptables -t nat -A POSTROUTING -o eth1 -p tcp --dport 80 -j SNAT --to-source $LAN_IP
iptables -A FORWARD -i ppp0 -m state --state NEW -p tcp -d 192.168.1.12 --dport 80 -j ACCEPT
#directX games fuer 192.168.1.8
iptables -t nat -A PREROUTING -p tcp -i ppp0 --dport 2300:2400 -j DNAT --to 192.168.1.8:2300-2400
iptables -A FORWARD -p tcp -d 192.168.1.8 --dport 2300:2400 -j ACCEPT
iptables -t nat -A PREROUTING -p udp -i ppp0 --dport 2300:2400 -j DNAT --to 192.168.1.8:2300-2400
iptables -A FORWARD -p udp -d 192.168.1.8 --dport 2300:2400 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -i ppp0 --dport 47624 -j DNAT --to 192.168.1.8:47624
iptables -A FORWARD -p tcp -d 192.168.1.8 --dport 47624 -j ACCEPT
iptables -t nat -A PREROUTING -p udp -i ppp0 --dport 6073 -j DNAT --to 192.168.1.8:6073
iptables -A FORWARD -p udp -d 192.168.1.8 --dport 6073 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -i ppp0 --dport 6667 -j DNAT --to 192.168.1.8:6667
iptables -A FORWARD -p tcp -d 192.168.1.8 --dport 6667 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -i ppp0 --dport 28000:29000 -j DNAT --to 192.168.1.8:28000-29000
iptables -A FORWARD -p tcp -d 192.168.1.8 --dport 28000:29000 -j ACCEPT
iptables -t nat -A PREROUTING -p udp -i ppp0 --dport 28000:29000 -j DNAT --to 192.168.1.8:28000-29000
iptables -A FORWARD -p udp -d 192.168.1.8 --dport 28000:29000 -j ACCEPT
#LAN-zugriff auf eth1
iptables -A INPUT -m state --state NEW -i eth1 -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -o eth1 -j ACCEPT
#default police mit My_REJECT
iptables -A INPUT -j MY_REJECT
iptables -A OUTPUT -j MY_REJECT
iptables -A FORWARD -j MY_REJECT
#routing
echo 1 > /proc/sys/net/ipv4/ip_forward 2> /dev/null
#Masquerading
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
#SYN-Cookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies 2> /dev/null
#stop source-routing
for i in /proc/sys/net/ipv4/conf/*; do echo 0 > $i/accept_source_route 2> /dev/null; done
#stop redirekt
for i in /proc/sys/net/ipv4/conf/*; do echo 0 > $i/accept_redirects 2> /dev/null; done
#reverse pathfilter
for i in /proc/sys/net/ipv4/conf/*; do echo 2 > $i/rp_filter 2> /dev/null; done
#Log Martians
for i in /proc/sys/net/ipv4/conf/*; do echo 1 > $i/log_martians 2> /dev/null; done
#BOOTP-Relaying auschalten
for i in /proc/sys/net/ipv4/conf/*; do echo 0 > $i/bootp_relay 2> /dev/null; done
#PROXY ARP auschalten
for i in /proc/sys/net/ipv4/conf/*; do echo 0 > $i/proxy_arp 2> /dev/null; done
#ungueltige icmp pakete wegwerfen
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 2> /dev/null
;;
stop)
#
;;
esac
*wenns immer wieder passiert ist es kein BUG sondern ein FEATURE *
nur leider kann keiner mein Http server (auch auf dem rechner wo firewall ist) nicht sehen
meine adresse ist http://abc-xyz.dyndns.org/
please help ... ich weiss nicht warum ...
#!/bin/bash
case "$1" in
start)
echo "START FIREWALLING"
#firewallscript
modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_irc
modprobe ip_conntrack_ftp
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -t nat -X
iptables -t mangle -X
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
#reject chain
iptables -N MY_REJECT
iptables -A MY_REJECT -p tcp -m limit --limit 7200/h -j LOG --log-prefix "REJECT TCP "
iptables -A MY_REJECT -p tcp -j REJECT --reject-with tcp-reset
iptables -A MY_REJECT -p udp -m limit --limit 7200/h -j LOG --log-prefix "REJECT UDP "
iptables -A MY_REJECT -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A MY_REJECT -p icmp -m limit --limit 7200/h -j LOG --log-prefix "DROP ICMP "
iptables -A MY_REJECT -p icmp -j DROP
iptables -A MY_REJECT -j REJECT --reject-with icmp-port-unreachable
#drop chain
iptables -N MY_DROP
iptables -A MY_DROP -m limit --limit 7200/h -j LOG --log-prefix "PORTSCAN DROP "
iptables -A MY_DROP -j DROP
#protokoll verworfener
iptables -A INPUT -m state --state INVALID -m limit --limit 7200/h -j LOG --log-prefix "INPUT INVALID"
iptables -A OUTPUT -m state --state INVALID -m limit --limit 7200/h -j LOG --log-prefix "OUTPUT INVALID"
iptables -A FORWARD -m state --state INVALID -m limit --limit 7200/h -j LOG --log-prefix "FORWARD INVALID"
#korupte zurueckweisen
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
#stealth scann dropen
#keine flags gesetzt
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j MY_DROP
iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j MY_DROP
#syn und fin
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j MY_DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j MY_DROP
#syn und rst
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j MY_DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j MY_DROP
#fin und rst
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j MY_DROP
iptables -A FORWARD -p tcp --tcp-flags FIN,RST FIN,RST -j MY_DROP
#fin ohne ack
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j MY_DROP
iptables -A FORWARD -p tcp --tcp-flags ACK,FIN FIN -j MY_DROP
#psh ohne ack
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j MY_DROP
iptables -A FORWARD -p tcp --tcp-flags ACK,PSH PSH -j MY_DROP
#urg ohne ack
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j MY_DROP
iptables -A FORWARD -p tcp --tcp-flags ACK,URG URG -j MY_DROP
#loopback interface zulassen
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
#connection tracking acktivieren
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i ! ppp0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#smtp
iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 25 -j ACCEPT
#DNS
iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -i ppp0 -m state --state NEW -p udp --dport 53 -j ACCEPT
#http
iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 80 -j ACCEPT
#pop3
iptables -A INPUT -i ppp0 -m state --state NEW -p tcp --dport 110 -j ACCEPT
######################### N A T ######################
#IP LAN ermitteln
#LAN_IP=$(ifconfig eth1 | head -n 2 | tail -n 1 | cut -d -f2 | cut -d " " -f1)
LAN_IP=192.168.1.21
#NAT f|r ftp
modprobe ip_nat_ftp
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 21 -j DNAT --to 192.168.1.8
#iptables -t nat -A POSTROUTING -o eth1 -p tcp --dport 21 -j SNAT --to-source $LAN_IP
iptables -A FORWARD -i ppp0 -m state --state NEW -p tcp -d 192.168.1.8 --dport 21 -j ACCEPT
#NAT fuer DNS
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 53 -j DNAT --to 192.168.1.8
#iptables -t nat -A POSTROUTING -o eth1 -p tcp --dport 53 -j SNAT --to-source $LAN_IP
iptables -A FORWARD -i ppp0 -m state --state NEW -p tcp -d 192.168.1.8 --dport 53 -j ACCEPT
iptables -t nat -A PREROUTING -i ppp0 -p udp --dport 53 -j DNAT --to 192.168.1.8
#iptables -t nat -A POSTROUTING -o eth1 -p udp --dport 53 -j SNAT --to-source $LAN_IP
iptables -A FORWARD -i ppp0 -m state --state NEW -p udp -d 192.168.1.8 --dport 53 -j ACCEPT
#NAT f|r ftp
modprobe ip_nat_ftp
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 21 -j DNAT --to 192.168.1.12
#iptables -t nat -A POSTROUTING -o eth1 -p tcp --dport 21 -j SNAT --to-source $LAN_IP
iptables -A FORWARD -i ppp0 -m state --state NEW -p tcp -d 192.168.1.12 --dport 21 -j ACCEPT
#NAT fuer DNS
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 53 -j DNAT --to 192.168.1.12
#iptables -t nat -A POSTROUTING -o eth1 -p tcp --dport 53 -j SNAT --to-source $LAN_IP
iptables -A FORWARD -i ppp0 -m state --state NEW -p tcp -d 192.168.1.12 --dport 53 -j ACCEPT
iptables -t nat -A PREROUTING -i ppp0 -p udp --dport 53 -j DNAT --to 192.168.1.12
#iptables -t nat -A POSTROUTING -o eth1 -p udp --dport 53 -j SNAT --to-source $LAN_IP
iptables -A FORWARD -i ppp0 -m state --state NEW -p udp -d 192.168.1.12 --dport 53 -j ACCEPT
#NAT fuer HTTP
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 -j DNAT --to 192.168.1.12
#iptables -t nat -A POSTROUTING -o eth1 -p tcp --dport 80 -j SNAT --to-source $LAN_IP
iptables -A FORWARD -i ppp0 -m state --state NEW -p tcp -d 192.168.1.12 --dport 80 -j ACCEPT
#directX games fuer 192.168.1.8
iptables -t nat -A PREROUTING -p tcp -i ppp0 --dport 2300:2400 -j DNAT --to 192.168.1.8:2300-2400
iptables -A FORWARD -p tcp -d 192.168.1.8 --dport 2300:2400 -j ACCEPT
iptables -t nat -A PREROUTING -p udp -i ppp0 --dport 2300:2400 -j DNAT --to 192.168.1.8:2300-2400
iptables -A FORWARD -p udp -d 192.168.1.8 --dport 2300:2400 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -i ppp0 --dport 47624 -j DNAT --to 192.168.1.8:47624
iptables -A FORWARD -p tcp -d 192.168.1.8 --dport 47624 -j ACCEPT
iptables -t nat -A PREROUTING -p udp -i ppp0 --dport 6073 -j DNAT --to 192.168.1.8:6073
iptables -A FORWARD -p udp -d 192.168.1.8 --dport 6073 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -i ppp0 --dport 6667 -j DNAT --to 192.168.1.8:6667
iptables -A FORWARD -p tcp -d 192.168.1.8 --dport 6667 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -i ppp0 --dport 28000:29000 -j DNAT --to 192.168.1.8:28000-29000
iptables -A FORWARD -p tcp -d 192.168.1.8 --dport 28000:29000 -j ACCEPT
iptables -t nat -A PREROUTING -p udp -i ppp0 --dport 28000:29000 -j DNAT --to 192.168.1.8:28000-29000
iptables -A FORWARD -p udp -d 192.168.1.8 --dport 28000:29000 -j ACCEPT
#LAN-zugriff auf eth1
iptables -A INPUT -m state --state NEW -i eth1 -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -o eth1 -j ACCEPT
#default police mit My_REJECT
iptables -A INPUT -j MY_REJECT
iptables -A OUTPUT -j MY_REJECT
iptables -A FORWARD -j MY_REJECT
#routing
echo 1 > /proc/sys/net/ipv4/ip_forward 2> /dev/null
#Masquerading
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
#SYN-Cookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies 2> /dev/null
#stop source-routing
for i in /proc/sys/net/ipv4/conf/*; do echo 0 > $i/accept_source_route 2> /dev/null; done
#stop redirekt
for i in /proc/sys/net/ipv4/conf/*; do echo 0 > $i/accept_redirects 2> /dev/null; done
#reverse pathfilter
for i in /proc/sys/net/ipv4/conf/*; do echo 2 > $i/rp_filter 2> /dev/null; done
#Log Martians
for i in /proc/sys/net/ipv4/conf/*; do echo 1 > $i/log_martians 2> /dev/null; done
#BOOTP-Relaying auschalten
for i in /proc/sys/net/ipv4/conf/*; do echo 0 > $i/bootp_relay 2> /dev/null; done
#PROXY ARP auschalten
for i in /proc/sys/net/ipv4/conf/*; do echo 0 > $i/proxy_arp 2> /dev/null; done
#ungueltige icmp pakete wegwerfen
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 2> /dev/null
;;
stop)
#
;;
esac
*wenns immer wieder passiert ist es kein BUG sondern ein FEATURE *