Hallo
Ich habe mir mit Firestarter eine Firewall eingerichtet.
Habe aber folgendes Problem damit:
Wenn ich die „Internetverbindungsteilung“ (NAT) nicht eingeschaltet habe, kann ich den anderen Rechner im Netzwerk (192.168.0.2) nicht anpingen; er hängt an eth1 (192.168.0.1).
Eigentlich wäre das kein Problem, nur startet die Firewall dann nicht, wenn eth1 nicht aktiviert ist („eth1 nicht bereit“) – der andere PC ist nicht immer an.
Jedes Mal NAT ein- und auszuschalten nervt ...
Irgendwelche Lösungsvorschläge?
Hier die config:
Code:
#-----------( Firestarter Configuration File )-----------#
# This file is sourced by firestarter.sh as shell code: each setting is a
# shell variable, so keep the KEY="value" form and no spaces around "=".
# --(External Interface)--
# Name of external network interface (the Internet-facing, untrusted side)
IF="eth0"
# Network interface is a PPP link
EXT_PPP="off"
# --(Internal Interface)--
# Name of internal network interface.
# NOTE: the generated firewall only refers to this interface when NAT="on".
# With NAT="off" nothing matches traffic on it, so packets in or out of this
# interface fall through to the DROP default policies of INPUT/OUTPUT.
INIF="eth1"
# --(Network Address Translation)--
# Enable NAT.  This also switches on IP forwarding and makes the control
# script refuse to start while INIF has no address ("not ready").
NAT="on"
# Enable DHCP server for NAT clients
DHCP_SERVER="off"
# Forward server's DNS settings to clients in DHCP lease
DHCP_DYNAMIC_DNS="on"
# --(Inbound Traffic)--
# Packet rejection method (used by the LSI chain and the log filters)
# DROP: Ignore the packet
# REJECT: Send back an error packet in response
STOP_TARGET="DROP"
# --(Outbound Traffic)--
# Default Outbound Traffic Policy
# permissive: everything not denied is allowed
# restrictive: everything not allowed is denied
OUTBOUND_POLICY="permissive"
# --(Type of Service)--
# Enable ToS marking in the mangle table (no filtering effect, only marking)
FILTER_TOS="on"
# Apply ToS to typical client tasks such as SSH and HTTP
TOS_CLIENT="on"
# Apply ToS to typical server tasks such as SSH, HTTP, HTTPS and POP3
TOS_SERVER="on"
# Apply ToS to Remote X server connections
TOS_X="off"
# ToS parameters
# 4: Maximize Reliability
# 8: Maximize-Throughput
# 16: Minimize-Delay
TOSOPT=8
# --(ICMP Filtering)--
# Enable ICMP filtering.
# With "off" the ICMP_* switches below are ignored and EVERY ICMP type
# (including redirect, source-quench, timestamp and address-mask requests)
# is accepted on INPUT and FORWARD, limited only to 10 packets/s.
FILTER_ICMP="off"
# Allow Echo requests
ICMP_ECHO_REQUEST="off"
# Allow Echo replies
ICMP_ECHO_REPLY="off"
# Allow Traceroute requests
ICMP_TRACEROUTE="off"
# Allow MS Traceroute Requests
ICMP_MSTRACEROUTE="off"
# Allow Unreachable Requests
ICMP_UNREACHABLE="off"
# Allow Timestamping Requests
ICMP_TIMESTAMPING="off"
# Allow Address Masking Requests
ICMP_MASKING="off"
# Allow Redirection Requests
ICMP_REDIRECTION="off"
# Allow Source Quench Requests
ICMP_SOURCE_QUENCHES="off"
# --(Broadcast Traffic)--
# Block external broadcast traffic
BLOCK_EXTERNAL_BROADCAST="on"
# Block internal broadcast traffic (only evaluated when NAT="on")
BLOCK_INTERNAL_BROADCAST="off"
# --(Traffic Validation)--
# Block non-routable traffic on the public interfaces.
# "off" means no anti-spoofing filter on IF for the address blocks listed in
# /etc/firestarter/non-routables.
BLOCK_NON_ROUTABLES="off"
# --(Logging)--
# System log level (passed to iptables LOG --log-level)
LOG_LEVEL=info
firestarter.sh:
Code:
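#!/bin/bash
#-----------( Firestarter Control Script )-----------#
# Control script for the Firestarter firewall: start/stop/lock/status.
# Loads the configuration, derives the interface addresses and refuses to
# start unless the required interfaces are up.  Must run as root (drives
# iptables, modprobe and /proc).
# Load Configuration
source /etc/firestarter/configuration 2>&1
# --(Set program paths)--
IPT=/sbin/iptables
IFC=/sbin/ifconfig
MPB=/sbin/modprobe
LSM=/sbin/lsmod
RMM=/sbin/rmmod
# --(Extract Network Information)--
# The parsing below expects the classic net-tools ifconfig layout
# ("inet addr:A  Bcast:B  Mask:C").  The grep is anchored to "inet addr:" so
# an "inet6 addr:" line can never contribute to the address.  Variables are
# quoted so an empty or odd interface name does not get word-split.
# External network interface data
IP=$($IFC "$IF" | grep 'inet addr:' | cut -d : -f 2 | cut -d ' ' -f 1)
MASK=$($IFC "$IF" | grep 'Mask:' | cut -d : -f 4)
BCAST=$($IFC "$IF" | grep 'Bcast:' | cut -d : -f 3 | cut -d ' ' -f 1)
NET=$IP/$MASK
if [ "$NAT" = "on" ]; then
# Internal network interface data (only needed when NAT is enabled)
INIP=$($IFC "$INIF" | grep 'inet addr:' | cut -d : -f 2 | cut -d ' ' -f 1)
INMASK=$($IFC "$INIF" | grep 'Mask:' | cut -d : -f 4)
INBCAST=$($IFC "$INIF" | grep 'Bcast:' | cut -d : -f 3 | cut -d ' ' -f 1)
INNET=$INIP/$INMASK
fi
# An interface without a netmask is treated as "not ready".  "stop" is
# always allowed so the firewall can be torn down regardless.
if [ -z "$MASK" ] && [ "$1" != "stop" ]; then
echo "External network device $IF is not ready. Aborting.."
exit 2
fi
# With NAT="on" the internal interface is mandatory too: the generated rules
# reference $INIP/$INNET and would be broken without them.  This is why the
# firewall will not start while the LAN side is down; with NAT="off" the
# check is skipped entirely.
if [ "$NAT" = "on" ]; then
if [ -z "$INMASK" ] && [ "$1" != "stop" ]; then
echo "Internal network device $INIF is not ready. Aborting.."
exit 3
fi
fi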
# --(Helper Functions)--
# Scrub data parameters before use
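scrub_parameters () {
# Normalise the CSV fields read from a Firestarter rule file.
# Globals read:    target, port, ext_port, int_port, IP, INNET
# Globals written: target, port, ext_port, int_port, int_port_dashed
# Whitespace is stripped from every field and port ranges are converted to
# the iptables "a:b" form, except int_port_dashed which keeps the "a-b" form
# that DNAT --to-destination expects.  Only the first "-" is converted, as
# before.  Every expansion is quoted: the original used an unquoted echo, so
# a field such as "*" was glob-expanded by the shell before it reached sed.
target=$(printf '%s\n' "$target" | sed 's/[[:space:]]//g')
port=$(printf '%s\n' "$port" | sed -e 's/[[:space:]]//g' -e 's/-/:/')
ext_port=$(printf '%s\n' "$ext_port" | sed -e 's/[[:space:]]//g' -e 's/-/:/')
int_port_dashed=$(printf '%s\n' "$int_port" | sed -e 's/[[:space:]]//g' -e 's/:/-/')
int_port=$(printf '%s\n' "$int_port" | sed -e 's/[[:space:]]//g' -e 's/-/:/')
# Symbolic targets are resolved after whitespace stripping, as before.
case "$target" in
everyone) target=0/0 ;;
firewall) target=$IP ;;
lan) target=$INNET ;;
esac
}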
# --(Control Functions)--
# Create Firestarter lock file
lock_firestarter () {
# Create the lock file that status() looks for.  The subsys directory is
# preferred when it exists; otherwise /var/lock itself is used.
local lockfile=/var/lock/firestarter
[ -e /var/lock/subsys ] && lockfile=/var/lock/subsys/firestarter
touch "$lockfile"
}
# Remove Firestarter lock file
unlock_firestarter () {
# Remove the lock file created by lock_firestarter, choosing the same
# location it would have chosen.  A missing file is not an error (-f).
local lockfile=/var/lock/firestarter
[ -e /var/lock/subsys ] && lockfile=/var/lock/subsys/firestarter
rm -f "$lockfile"
}
# Start system DHCP server
start_dhcp_server () {
# Restart (or start) dhcpd for the NAT clients.  With DHCP_DYNAMIC_DNS="on"
# the "domain-name-servers" option in dhcpd.conf is first rewritten with the
# nameservers found in /etc/resolv.conf.
# Review caveats:
#  - the config file is replaced via "sed > tmp; mv": the new file is
#    created with the current umask instead of the original file's mode;
#  - $NAMESERVER is spliced unescaped into the sed replacement; fine for IP
#    addresses, but a "/" or "&" in resolv.conf would corrupt dhcpd.conf;
#  - "exit 200" ends the whole control script even though the firewall has
#    already been started and locked at this point.
if [ "$DHCP_DYNAMIC_DNS" = "on" ]; then
NAMESERVER=
# Load the DNS information into the dhcp configuration
# (collects every "nameserver" entry into a comma separated list)
while read keyword value garbage
do
if [ "$keyword" = "nameserver" ]; then
if [ "$NAMESERVER" = "" ]; then
NAMESERVER="$value"
else
NAMESERVER="$NAMESERVER, $value"
fi
fi
done < /etc/resolv.conf
if [ "$NAMESERVER" != "" ]; then
# Both the classic and the dhcp3 config location are rewritten if present.
if [ -f /etc/dhcpd.conf ]; then
sed "s/domain-name-servers.*$/domain-name-servers $NAMESERVER;/" /etc/dhcpd.conf > /etc/dhcpd.conf.tmp
mv /etc/dhcpd.conf.tmp /etc/dhcpd.conf
fi
if [ -f /etc/dhcp3/dhcpd.conf ]; then
sed "s/domain-name-servers.*$/domain-name-servers $NAMESERVER;/" /etc/dhcp3/dhcpd.conf > /etc/dhcp3/dhcpd.conf.tmp
mv /etc/dhcp3/dhcpd.conf.tmp /etc/dhcp3/dhcpd.conf
fi
else
echo -e "Warning: Could not determine new DNS settings for DHCP\nKeeping old configuration"
fi
fi
# Prefer the init script; fall back to launching the daemon directly.
if [ -e /etc/init.d/dhcpd ]; then
/etc/init.d/dhcpd restart > /dev/null
else
/usr/sbin/dhcpd 2> /dev/null
fi
# $? here is the status of whichever branch above actually ran.
if [ $? -ne 0 ]; then
echo Failed to start DHCP server
exit 200
fi
}
# Start the firewall, enforcing traffic policy
start_firewall () {
# Take the lock, then source the generated ruleset.  The sourced script
# signals failure with a non-zero "return" (e.g. 100 when iptables is
# unsupported); on failure the lock is released and the script exits with
# that status.  On success the function simply returns.
lock_firestarter
source /etc/firestarter/firewall 2>&1
retval=$?
if [ "$retval" -ne 0 ]; then
echo "Firewall not started"
unlock_firestarter
exit "$retval"
fi
echo "Firewall started"
}
# Stop the firewall, traffic flows freely
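stop_firewall () {
# Tear down every rule and open all three filter-table policies (traffic
# then flows freely).  Every iptables call on the filter table is checked
# and the first failure is remembered, so the exit status, the lock removal
# and the "Firewall stopped" message reflect the whole teardown.  The
# original only looked at the status of the final "nat -Z", which could be
# non-zero simply because the nat table is absent, or zero while an earlier
# flush had failed.
local rc=0
$IPT -F || rc=$?
$IPT -X || rc=$?
$IPT -Z || rc=$?
$IPT -P INPUT ACCEPT || rc=$?
$IPT -P FORWARD ACCEPT || rc=$?
$IPT -P OUTPUT ACCEPT || rc=$?
# mangle and nat are optional kernel features; a missing table is not an
# error, hence the silenced stderr and the ignored status.
$IPT -t mangle -F 2>/dev/null
$IPT -t mangle -X 2>/dev/null
$IPT -t mangle -Z 2>/dev/null
$IPT -t nat -F 2>/dev/null
$IPT -t nat -X 2>/dev/null
$IPT -t nat -Z 2>/dev/null
if [ "$rc" -eq 0 ]; then
unlock_firestarter
echo "Firewall stopped"
fi
exit "$rc"
}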
# Lock the firewall, blocking all traffic
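lock_firewall () {
# Block all traffic: DROP policies are set first so the flush below never
# leaves an open firewall, then the rules are cleared.  Each iptables call
# is checked; the original tested "$?" *after* the assignment "retval=$?",
# which is always 0, so "Firewall locked" was printed even when a call had
# failed (and only the last command's status was ever captured).
local rc=0
$IPT -P INPUT DROP || rc=$?
$IPT -P FORWARD DROP || rc=$?
$IPT -P OUTPUT DROP || rc=$?
$IPT -F || rc=$?
$IPT -X || rc=$?
$IPT -Z || rc=$?
if [ "$rc" -eq 0 ]; then
echo "Firewall locked"
fi
exit "$rc"
}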
# Report the status of the firewall
status () {
# Report running/stopped based solely on the presence of a lock file in
# either of the two locations lock_firestarter may have used.
local lockfile running=""
for lockfile in /var/lock/subsys/firestarter /var/lock/firestarter; do
[ -e "$lockfile" ] && running=1
done
if [ -n "$running" ]; then
echo "Firestarter is running..."
else
echo "Firestarter is stopped"
fi
}
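# Dispatch on the action given as the first argument.
case "$1" in
start)
start_firewall
# The DHCP server is only meaningful for NAT clients.
if [ "$NAT" = "on" ] && [ "$DHCP_SERVER" = "on" ]; then
start_dhcp_server
fi
;;
stop)
stop_firewall
;;
lock)
lock_firewall
;;
status)
status
;;
reload-inbound-policy)
# Re-source the INBOUND chain definition without restarting the firewall.
source /etc/firestarter/inbound/setup 2>&1
;;
reload-outbound-policy)
# Re-source the OUTBOUND chain definition without restarting the firewall.
source /etc/firestarter/outbound/setup 2>&1
;;
*)
# The two reload-* actions accepted above were missing from the usage line.
echo "usage: $0 {start|stop|lock|status|reload-inbound-policy|reload-outbound-policy}"
exit 1
esac
exit 0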
Und hier die Datei "firewall":
Code:
#-----------( Firestarter 1.0.3, Netfilter kernel subsystem in use )----------#
# #
# This firewall was generated by Firestarter on 2005-07-05 07:56 #
# http://www.fs-security.com #
# #
#-----------------------------------------------------------------------------#
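# --------( Initial Setup - Firewall Modules Autoloader )--------
# Unload the legacy ipchains module if present: it cannot coexist with
# iptables.
$LSM | grep -q -s ipchains && $RMM ipchains
# Try to load every module we need.  Failures are silenced because the
# feature may be compiled into the kernel; the capability checks further
# down decide what is actually usable.
for mod in ip_tables iptable_filter ipt_state ip_conntrack ip_conntrack_ftp \
ip_conntrack_irc ipt_REJECT ipt_TOS ipt_MASQUERADE ipt_LOG \
iptable_mangle ipt_ipv4optsstrip; do
$MPB "$mod" 2> /dev/null
done
if [ "$NAT" = "on" ]; then
for mod in iptable_nat ip_nat_ftp ip_nat_irc; do
$MPB "$mod" 2> /dev/null
done
fi
# Bug fix: the original compared the literal string "EXT_PPP" with "on"
# (missing "$"), so the PPP compression modules were never loaded.
if [ "$EXT_PPP" = "on" ]; then
$MPB bsd_comp 2> /dev/null
$MPB ppp_deflate 2> /dev/null
fi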
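# --------( Initial Setup - Firewall Capabilities Check )--------
# Every probe below runs an iptables command against a scratch chain named
# "test" with stderr merged into stdout; any output at all is taken to mean
# "unsupported".  The scratch chains are removed again by the flush below.
# Make sure the test chains do not exist (left over from an earlier run)
$IPT -F test 2> /dev/null
$IPT -X test 2> /dev/null
if [ "$NAT" = "on" ]; then
$IPT -t nat -F test 2> /dev/null
$IPT -t nat -X test 2> /dev/null
fi
$IPT -t mangle -F test 2> /dev/null
$IPT -t mangle -X test 2> /dev/null
# iptables support check, mandatory feature.  "return" aborts this sourced
# script; start_firewall then reports "Firewall not started".
probe=$($IPT -N test 2>&1)
if [ -n "$probe" ]; then
echo Fatal error: Your kernel does not support iptables.
return 100
fi
# Logging support check (LOG target), optional
log_supported=1
probe=$($IPT -A test -j LOG 2>&1)
if [ -n "$probe" ]; then
echo Warning: Logging not supported by kernel, you will recieve no firewall event updates.
log_supported=""
fi
if [ "$NAT" = "on" ]; then
# NAT support check (nat table), optional and only probed when NAT is wanted
nat_supported=1
probe=$($IPT -t nat -N test 2>&1)
if [ -n "$probe" ]; then
echo Warning: Network address translation not supported by kernel, feature disabled.
nat_supported=""
fi
fi
# Mangle support check (mangle table), optional.  Note that this probe
# flushes the whole mangle table as a side effect, as it always did.
mangle_supported=1
probe=$($IPT -t mangle -F 2>&1)
if [ -n "$probe" ]; then
echo Warning: Packet mangling not supported by kernel, feature disabled.
mangle_supported=""
fi
# IP options stripping support check (IPV4OPTSSTRIP target), optional and
# silent.  Bug fix: the original appended to a "test" chain in the mangle
# table without ever creating it there, so this probe always failed and
# stripoptions_supported was always empty.  The chain is created first now
# (only when mangle itself is usable).
stripoptions_supported=""
if [ -n "$mangle_supported" ]; then
stripoptions_supported=1
$IPT -t mangle -N test 2> /dev/null
probe=$($IPT -t mangle -A test -j IPV4OPTSSTRIP 2>&1)
if [ -n "$probe" ]; then
stripoptions_supported=""
fi
fi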
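# --------( Chain Configuration - Flush Existing Chains )--------
# Set the filter-table policies to DROP *before* flushing.  The original
# flushed first and set the policies afterwards, leaving a window in which
# the old rules were gone while a permissive policy (ACCEPT after a fresh
# boot, or after "stop") was still in force.  The final state is identical.
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
# Purge standard chains (INPUT, OUTPUT, FORWARD) and every user chain,
# including the scratch "test" chain from the capability check.
$IPT -F
$IPT -X
$IPT -Z
# Purge extended chains (MANGLE & NAT) if they exist.
if [ -n "$mangle_supported" ]; then
$IPT -t mangle -F
$IPT -t mangle -X
$IPT -t mangle -Z
fi
if [ -n "$nat_supported" ]; then
$IPT -t nat -F
$IPT -t nat -X
$IPT -t nat -Z
fi
# --------( Chain Configuration - Configure Default Policy )--------
# Extended tables keep an ACCEPT policy: all filtering is done in the
# filter table, mangle only marks and nat only rewrites.
if [ -n "$mangle_supported" ]; then
$IPT -t mangle -P INPUT ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P POSTROUTING ACCEPT
fi
if [ -n "$nat_supported" ]; then
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
fi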
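# --------( Chain Configuration - Create Default Result Chains )--------
# LOG_FILTER is consulted before anything is logged: sources and ports listed
# in the events-filter-* files are sent to STOP_TARGET without a log entry.
# Note that "do not log" is therefore implemented as "stop quietly" - such
# traffic never reaches the policy chains either.
$IPT -N LOG_FILTER 2> /dev/null
$IPT -F LOG_FILTER
# Hosts for which logging is disabled.  Blank lines are skipped instead of
# handing iptables an empty "-s" argument; values are quoted so a stray
# glob character in the file is not expanded by the shell.
while read -r host garbage
do
[ -n "$host" ] || continue
$IPT -A LOG_FILTER -s "$host" -j "$STOP_TARGET"
done < /etc/firestarter/events-filter-hosts
# Ports for which logging is disabled (tcp and udp alike)
while read -r port garbage
do
[ -n "$port" ] || continue
$IPT -A LOG_FILTER -p tcp --dport "$port" -j "$STOP_TARGET"
$IPT -A LOG_FILTER -p udp --dport "$port" -j "$STOP_TARGET"
done < /etc/firestarter/events-filter-ports
# Create a new log and stop input (LSI) chain.  Anything sent here is logged
# (rate limited, prefix "Inbound ") and then handed to STOP_TARGET.
$IPT -N LSI 2> /dev/null
$IPT -F LSI
$IPT -A LSI -j LOG_FILTER
if [ -n "$log_supported" ]; then
# Syn-flood protection: at most one SYN per second is logged, all are stopped
$IPT -A LSI -p tcp --syn -m limit --limit 1/s -j LOG --log-level="$LOG_LEVEL" --log-prefix "Inbound "
$IPT -A LSI -p tcp --syn -j "$STOP_TARGET"
# Rapid portscan protection: bare RST segments, same log limit
$IPT -A LSI -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j LOG --log-level="$LOG_LEVEL" --log-prefix "Inbound "
$IPT -A LSI -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j "$STOP_TARGET"
# Ping of death protection: echo requests, same log limit
$IPT -A LSI -p icmp --icmp-type echo-request -m limit --limit 1/s -j LOG --log-level="$LOG_LEVEL" --log-prefix "Inbound "
$IPT -A LSI -p icmp --icmp-type echo-request -j "$STOP_TARGET"
# Log everything else, at most 5 entries per second
$IPT -A LSI -m limit --limit 5/s -j LOG --log-level="$LOG_LEVEL" --log-prefix "Inbound "
fi
$IPT -A LSI -j "$STOP_TARGET" # Terminate evaluation
# Create a new log and stop output (LSO) chain.  Unlike LSI it always ends
# in REJECT regardless of STOP_TARGET, so local processes get an error
# instead of a silent timeout.
$IPT -N LSO 2> /dev/null
$IPT -F LSO
$IPT -A LSO -j LOG_FILTER
if [ -n "$log_supported" ]; then
# Log everything, at most 5 entries per second
$IPT -A LSO -m limit --limit 5/s -j LOG --log-level="$LOG_LEVEL" --log-prefix "Outbound "
fi
$IPT -A LSO -j REJECT # Terminate evaluation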
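# --------( Initial Setup - Nameservers )--------
# Allow regular DNS traffic with every nameserver listed in resolv.conf.
# Only replies coming from the resolver's port 53 are accepted on INPUT:
# the original accepted any non-SYN TCP segment and *any* UDP datagram from
# a resolver address, which let a (possibly ISP-assigned) resolver reach
# every UDP service on the firewall.  The outbound query rules are unchanged.
while read -r keyword server garbage
do
if [ "$keyword" = "nameserver" ] && [ -n "$server" ]; then
$IPT -A INPUT -p tcp ! --syn -s "$server" --sport 53 -d 0/0 -j ACCEPT
$IPT -A INPUT -p udp -s "$server" --sport 53 -d 0/0 -j ACCEPT
$IPT -A OUTPUT -p tcp -s "$IP" -d "$server" --dport 53 -j ACCEPT
$IPT -A OUTPUT -p udp -s "$IP" -d "$server" --dport 53 -j ACCEPT
fi
done < /etc/resolv.conf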
# --------( Initial Setup - Configure Kernel Parameters )--------
# Sourced as root; sysctl-tuning runs before any policy chain exists.
source /etc/firestarter/sysctl-tuning
# --------( Initial Setup - User Defined Pre Script )--------
# Hook for administrator rules.  Anything appended to INPUT/OUTPUT/FORWARD
# here sits *before* the generated policy rules further down, so an ACCEPT
# added here wins over them.  This is the place for rules the generator does
# not produce, e.g. for an internal interface that the generated rules
# ignore while NAT is off.
source /etc/firestarter/user-pre
# --------( Rules Configuration - Specific Rule - Loopback Interfaces )--------
# Allow all traffic on the loopback interface
$IPT -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT
$IPT -A OUTPUT -o lo -s 0/0 -d 0/0 -j ACCEPT
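# --------( Rules Configuration - Type of Service (ToS) - Ruleset Filtered by GUI )--------
# ToS marking lives in the mangle table, so every group is skipped when the
# capability check found no mangle support.  $mangle_supported is quoted and
# tested with -n: the original used it bare inside "[ ... -a $var ]", so an
# empty value produced a malformed test expression (error message) instead
# of a clean false.
if [ "$FILTER_TOS" = "on" ]; then
if [ "$TOS_CLIENT" = "on" ] && [ -n "$mangle_supported" ]; then
# ToS: Client Applications
for dport in 20:21 22 68 80 443; do
$IPT -t mangle -A OUTPUT -p tcp -j TOS --dport "$dport" --set-tos "$TOSOPT"
done
fi
if [ "$TOS_SERVER" = "on" ] && [ -n "$mangle_supported" ]; then
# ToS: Server Applications
for dport in 20:21 22 25 53 67 80 110 143 443 1812 1813 2401 8080; do
$IPT -t mangle -A OUTPUT -p tcp -j TOS --dport "$dport" --set-tos "$TOSOPT"
done
fi
# Bug fix: this group was gated on TOS_SERVER (copy/paste), so the TOS_X
# setting from the configuration file was never honoured.
if [ "$TOS_X" = "on" ] && [ -n "$mangle_supported" ]; then
# ToS: The X Window System
$IPT -t mangle -A OUTPUT -p tcp -j TOS --dport 22 --set-tos 0x10
$IPT -t mangle -A OUTPUT -p tcp -j TOS --dport 6000:6015 --set-tos 0x08
fi
fi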
# --------( Rules Configuration - ICMP )--------
# None of the rules in this section is bound to an interface: an ACCEPT here
# applies to ICMP arriving on the external and on the internal side alike,
# and the FORWARD rules apply in both directions.
if [ "$FILTER_ICMP" = "on" ]; then
if [ "$ICMP_ECHO_REQUEST" = "on" ]; then
# ICMP: Ping Requests (1/s; the excess falls through to the LSI catch-all below)
$IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
$IPT -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
fi
if [ "$ICMP_ECHO_REPLY" = "on" ]; then
# ICMP: Ping Replies (1/s, same fall-through)
$IPT -A INPUT -p icmp --icmp-type echo-reply -m limit --limit 1/s -j ACCEPT
$IPT -A FORWARD -p icmp --icmp-type echo-reply -m limit --limit 1/s -j ACCEPT
fi
if [ "$ICMP_TRACEROUTE" = "on" ]; then
# ICMP: Traceroute Requests (UDP probe port; not ICMP at all)
$IPT -A INPUT -p udp --dport 33434 -j ACCEPT
$IPT -A FORWARD -p udp --dport 33434 -j ACCEPT
else
# When disabled, UDP 33434 is logged and stopped here, i.e. before the
# INBOUND policy chain ever sees it.
$IPT -A INPUT -p udp --dport 33434 -j LSI
$IPT -A FORWARD -p udp --dport 33434 -j LSI
fi
if [ "$ICMP_MSTRACEROUTE" = "on" ]; then
# ICMP: MS Traceroute Requests.  This accepts the whole destination-unreachable
# type (3), which also carries the "fragmentation needed" messages used by
# path-MTU discovery; with this switch off they are stopped by the catch-all.
$IPT -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
$IPT -A FORWARD -p icmp --icmp-type destination-unreachable -j ACCEPT
fi
if [ "$ICMP_UNREACHABLE" = "on" ]; then
# ICMP: Unreachable Requests (only the host-unreachable code)
$IPT -A INPUT -p icmp --icmp-type host-unreachable -j ACCEPT
$IPT -A FORWARD -p icmp --icmp-type host-unreachable -j ACCEPT
fi
if [ "$ICMP_TIMESTAMPING" = "on" ]; then
# ICMP: Timestamping Requests (INPUT only, not forwarded)
$IPT -A INPUT -p icmp --icmp-type timestamp-request -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type timestamp-reply -j ACCEPT
fi
if [ "$ICMP_MASKING" = "on" ]; then
# ICMP: Address Masking
$IPT -A INPUT -p icmp --icmp-type address-mask-request -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type address-mask-reply -j ACCEPT
$IPT -A FORWARD -p icmp --icmp-type address-mask-request -j ACCEPT
$IPT -A FORWARD -p icmp --icmp-type address-mask-reply -j ACCEPT
fi
if [ "$ICMP_REDIRECTION" = "on" ]; then
# ICMP: Redirection Requests (accepting these lets a neighbour alter the
# routing table; keep "off" unless really needed)
$IPT -A INPUT -p icmp --icmp-type redirect -m limit --limit 2/s -j ACCEPT
$IPT -A FORWARD -p icmp --icmp-type redirect -m limit --limit 2/s -j ACCEPT
fi
if [ "$ICMP_SOURCE_QUENCHES" = "on" ]; then
# ICMP: Source Quench Requests
$IPT -A INPUT -p icmp --icmp-type source-quench -m limit --limit 2/s -j ACCEPT
$IPT -A FORWARD -p icmp --icmp-type source-quench -m limit --limit 2/s -j ACCEPT
fi
# Catch ICMP traffic not allowed above: logged and stopped
$IPT -A INPUT -p icmp -j LSI
$IPT -A FORWARD -p icmp -j LSI
else
# Allow all ICMP traffic when filtering disabled.  This accepts EVERY ICMP
# type - including redirect, source-quench, timestamp and address-mask
# requests - limited only by rate (10/s).  The ICMP_* switches above are
# not consulted in this branch; the excess over 10/s falls through to the
# policy chains and catch-all below.
$IPT -A INPUT -p icmp -m limit --limit 10/s -j ACCEPT
$IPT -A FORWARD -p icmp -m limit --limit 10/s -j ACCEPT
fi
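if [ "$NAT" = "on" ]; then
# --------( Rules Configuration - Masquerading - Sysctl Modifications )--------
# Turn on IP forwarding.  This is the switch that turns the box into a
# router; it is only set when NAT is on and is never switched off again by
# this script (stop_firewall leaves it as is).
if [ -e /proc/sys/net/ipv4/ip_forward ]; then
echo 1 > /proc/sys/net/ipv4/ip_forward
fi
# --------( Rules Configuration - Masquerading - Default Ruleset )--------
# TCPMSS Fix - Needed for *many* broken PPPO{A/E} clients
$IPT -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
if [ -n "$stripoptions_supported" ] && [ -n "$mangle_supported" ]; then
# IPv4OPTIONS Fix - Strip IP options from a forwarded packet
$IPT -t mangle -A PREROUTING -j IPV4OPTSSTRIP
fi
# --------( Rules Configuration - Forwarded Traffic )--------
if [ -n "$nat_supported" ]; then
# Masquerade outgoing traffic
$IPT -t nat -A POSTROUTING -o "$IF" -j MASQUERADE
fi
# Temporarily set the field separator for CSV format
OLDIFS=$IFS
IFS=','
# Services forwarded from the firewall to the internal network.  Each line
# of inbound/forward is "service,ext_port,host,int_port".  Note that every
# entry opens BOTH tcp and udp for the port, whatever the service uses, and
# the FORWARD accept has no source restriction: the forwarded port is
# reachable from anywhere on the external interface.
while read -r service ext_port host int_port garbage
do
scrub_parameters
# Skip blank or incomplete lines rather than handing iptables empty arguments.
if [ -z "$host" ] || [ -z "$ext_port" ] || [ -z "$int_port" ]; then
continue
fi
$IPT -A FORWARD -i "$IF" -p tcp -d "$host" --dport "$int_port" -j ACCEPT
$IPT -A FORWARD -i "$IF" -p udp -d "$host" --dport "$int_port" -j ACCEPT
$IPT -A PREROUTING -t nat -i "$IF" -p tcp --dport "$ext_port" -j DNAT --to-destination "$host:$int_port_dashed"
$IPT -A PREROUTING -t nat -i "$IF" -p udp --dport "$ext_port" -j DNAT --to-destination "$host:$int_port_dashed"
done < /etc/firestarter/inbound/forward
IFS=$OLDIFS
fi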
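# --------( Rules Configuration - Inbound Traffic )--------
if [ "$BLOCK_NON_ROUTABLES" = "on" ]; then
# Block traffic from non-routable address space on the public interface.
# Each block listed in non-routables is logged and stopped via LSI; the NR
# chain is only consulted for packets not sourced from our own subnet.
$IPT -N NR 2> /dev/null
$IPT -F NR
while read -r block garbage
do
[ -n "$block" ] || continue   # blank line: do not feed iptables an empty -s
$IPT -A NR -s "$block" -d "$NET" -i "$IF" -j LSI
done < /etc/firestarter/non-routables
$IPT -A INPUT -s ! "$NET" -i "$IF" -j NR
fi
# Block Broadcast Traffic
if [ "$BLOCK_EXTERNAL_BROADCAST" = "on" ]; then
$IPT -A INPUT -i "$IF" -d 255.255.255.255 -j DROP
if [ -n "$BCAST" ]; then
# Not bound to $IF: drops anything addressed to the external broadcast
# address on any interface (as in the original).
$IPT -A INPUT -d "$BCAST" -j DROP
fi
fi
if [ "$NAT" = "on" ] && [ "$BLOCK_INTERNAL_BROADCAST" = "on" ]; then
$IPT -A INPUT -i "$INIF" -d 255.255.255.255 -j DROP
if [ -n "$INBCAST" ]; then
$IPT -A INPUT -i "$INIF" -d "$INBCAST" -j DROP
fi
fi
# Block Multicast Traffic
# Bug fix: 224.0.0.0/8 only covered 224.x.x.x; the IPv4 multicast range is
# 224.0.0.0/4 (224.0.0.0 - 239.255.255.255).
# Some cable/DSL providers require their clients to accept multicast transmissions
# you should remove the following four rules if you are affected by multicasting
$IPT -A INPUT -s 224.0.0.0/4 -d 0/0 -j DROP
$IPT -A INPUT -s 0/0 -d 224.0.0.0/4 -j DROP
$IPT -A OUTPUT -s 224.0.0.0/4 -d 0/0 -j DROP
$IPT -A OUTPUT -s 0/0 -d 224.0.0.0/4 -j DROP
# Block Traffic with Stuffed Routing
# Early versions of PUMP - (the DHCP client application included in RH / Mandrake) require
# inbound packets to be accepted from a source address of 255.255.255.255. If you have issues
# with DHCP clients on your local LAN - either update PUMP, or remove the first rule below)
$IPT -A INPUT -s 255.255.255.255 -j DROP
$IPT -A INPUT -d 0.0.0.0 -j DROP
$IPT -A OUTPUT -s 255.255.255.255 -j DROP
$IPT -A OUTPUT -d 0.0.0.0 -j DROP
$IPT -A INPUT -m state --state INVALID -j DROP # Block Traffic with Invalid Flags
# Fragments: "-m limit" matches only the packets *within* the limit, so this
# rule logs-and-stops the first ~10 fragments per minute and lets any excess
# fall through to the rules below - the opposite of "block excessive
# fragments".  NOTE(review): whether to add an unconditional "-f" drop after
# it is a policy decision for the admin; it is left unchanged here.
$IPT -A INPUT -f -m limit --limit 10/minute -j LSI
# --------( Rules Configuration - Outbound Traffic )--------
$IPT -A OUTPUT -m state --state INVALID -j DROP # Block Traffic w/ Invalid Flags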
# --------( Traffic Policy )--------
# Load the inbound traffic policy (defines the INBOUND chain)
source /etc/firestarter/inbound/setup
$IPT -A INPUT -i $IF -j INBOUND # Check Internet to firewall traffic
if [ "$NAT" = "on" ]; then
# NOTE: these are the ONLY rules that admit traffic arriving on $INIF.
# With NAT="off" nothing in this script refers to the internal interface,
# so LAN packets reach the catch-all below and then the INPUT DROP policy.
$IPT -A INPUT -i $INIF -d $INIP -j INBOUND # Check LAN to firewall (private ip) traffic
$IPT -A INPUT -i $INIF -d $IP -j INBOUND # Check LAN to firewall (public ip) traffic
if [ "$INBCAST" != "" ]; then
$IPT -A INPUT -i $INIF -d $INBCAST -j INBOUND # Check LAN to firewall broadcast traffic
fi
fi
# Load the outbound traffic policy (defines the OUTBOUND chain)
source /etc/firestarter/outbound/setup
$IPT -A OUTPUT -o $IF -j OUTBOUND # Check firewall to Internet traffic
if [ "$NAT" = "on" ]; then
# Likewise for packets the firewall itself sends out of $INIF (e.g. a ping
# to a LAN host): without NAT there is no OUTPUT rule for $INIF and the
# OUTPUT DROP policy applies.  Rules for a LAN-only setup without NAT
# belong in /etc/firestarter/user-pre or user-post.
$IPT -A OUTPUT -o $INIF -j OUTBOUND # Check firewall to LAN traffic
$IPT -A FORWARD -i $INIF -j OUTBOUND # Check LAN to Internet traffic
# Allow Internet to LAN response traffic.  Only tcp and udp are matched
# here; forwarded ICMP is handled by the ICMP section above.
$IPT -A FORWARD -p tcp -d $INNET -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -p udp -d $INNET -m state --state ESTABLISHED,RELATED -j ACCEPT
fi
# --------( User Defined Post Script )--------
# Administrator rules appended here come after the policy dispatch above
# but before the catch-all logging below.
source /etc/firestarter/user-post
# --------( Unsupported Traffic Catch-All )--------
# Anything not decided above is logged and then hits the DROP policy set
# earlier.  Unlike LSI/LSO these LOG rules carry no "-m limit", so a flood
# of unmatched packets becomes a flood of kernel log lines; they are also
# added without checking $log_supported.
$IPT -A INPUT -j LOG_FILTER
$IPT -A INPUT -j LOG --log-level=$LOG_LEVEL --log-prefix "Unknown Input"
$IPT -A OUTPUT -j LOG_FILTER
$IPT -A OUTPUT -j LOG --log-level=$LOG_LEVEL --log-prefix "Unknown Output"
$IPT -A FORWARD -j LOG_FILTER
$IPT -A FORWARD -j LOG --log-level=$LOG_LEVEL --log-prefix "Unknown Forward"
# Success status for start_firewall (this file is sourced, not executed)
return 0