Hallo.
Ich habe ein Problem.
Bei meinem Sript steigt der Server sporadisch aus. und di elog-dateien sind auch net so richtig klar.
Bitte um schnelle hilfe.
Da es sehr tringen.
''SCRIPT"
#!/bin/bash
set iptables = /usr/sbin/iptables
#---------default policy-----------
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
#--------------------------------------
# VARIABLEN
IF_LAN=eth0 #internes LAN-Interface
INTIP1=192.168.5.10 #Rechner 1
INTIP2=192.168.5.11 #Rechner 2
INTIP3=192.168.5.2 #Rechner 3
IF_NET=ppp0 #externes Interface(DSL)
NET_IP=192.168.5.0/24 #Ip-Netzbereich
IPT="/usr/sbin/iptables"
# MODULE
modprobe ip_tables
modprobe iptable_filter
modprobe ipt_MASQUERADE
modprobe ipt_MIRROR
modprobe ipt_REJECT
modprobe ipt_TCPMSS
modprobe ipt_state
modprobe ipt_tcpmss
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
# Starten der Einstellungen des Routings über PPP0 mit Masquerading:
if [ -z "`lsmod | grep iptable_nat`" ];
then
/sbin/insmod iptable_nat
fi
if [ -z "`lsmod | grep ip_conntrack`" ];
then
/sbin/insmod ip_conntrack &> /dev/null
fi
#Löschen der alten PREROUTING Regeln
iptables -t nat -F PREROUTING
# Masquerading Regeln aktivieren
if [ -z "`/usr/sbin/iptables -L -t nat | grep MASQUERADE`" ];
then
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
fi
# Masquerading / Forwarding ein
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
# PINGS BLOCKEN / zusätzliche INPUT rules (icmp)
$IPT -A INPUT -p icmp --icmp-type 8 -i $IF_NET -j DROP
$IPT -t nat -A PREROUTING -i $IF_NET -s $NET_IP -j ACCEPT
$IPT -t nat -A PREROUTING -i $IF_NET -s 10.0.0.0/8 -j DROP
$IPT -t nat -A PREROUTING -i $IF_NET -s 172.16.0.0/12 -j DROP
$IPT -A INPUT -p icmp -m icmp --icmp-type 0 -i ppp0 -j ACCEPT
$IPT -A INPUT -p icmp -m icmp --icmp-type 3 -i ppp0 -j ACCEPT
$IPT -A INPUT -p icmp -m icmp --icmp-type 4 -i ppp0 -j ACCEPT
$IPT -A INPUT -p icmp -m icmp --icmp-type 8 -i ppp0 -j ACCEPT
$IPT -A INPUT -p icmp -m icmp --icmp-type 11 -i ppp0 -j ACCEPT
$IPT -A INPUT -p icmp -m icmp --icmp-type 12 -i ppp0 -j ACCEPT
## VERBINDUNGSAUFBAU VON AUSSEN ABLEHNEN
#$IPT -N INET
#$IPT -I INPUT -j INET
#$IPT -I FORWARD -j INET
#$IPT -A INET -m state --state NEW,INVALID -i $IF_NET -j REJECT
# Ports abdichten und einige zulassen
$IPT -A INPUT -i ppp0 -p tcp --dport 20 -j DROP
$IPT -A INPUT -i ppp0 -p tcp --dport 21 -j ACCEPT
$IPT -A INPUT -i ppp0 -p tcp --dport 22 -j ACCEPT
$IPT -A INPUT -i ppp0 -p tcp --dport 25 -j DROP
$IPT -A INPUT -i ppp0 -p tcp --dport 53 -j ACCEPT
$IPT -A INPUT -i ppp0 -p udp --dport 53 -j ACCEPT
$IPT -A INPUT -i ppp0 -p tcp --dport 80 -j ACCEPT
$IPT -A INPUT -i ppp0 -p tcp --dport 110 -j ACCEPT
$IPT -A INPUT -i ppp0 -p tcp --dport 5100 -j ACCEPT
$IPT -A INPUT -i ppp0 -p udp --dport 6257 -j ACCEPT
$IPT -A INPUT -i ppp0 -p tcp --dport 3782 -j DROP
$IPT -A INPUT -i ppp0 -p udp --dport 3782:3783 -j DROP
$IPT -A INPUT -i ppp0 -p tcp --dport 550 -j ACCEPT
$IPT -A INPUT -i ppp0 -p udp --dport 550 -j ACCEPT
$IPT -A INPUT -i ppp0 -p tcp --dport 631 -j DROP
$IPT -A INPUT -i ppp0 -p udp --dport 631 -j DROP
$IPT -A INPUT -i ppp0 -p tcp --dport 7 -j DROP
$IPT -A INPUT -i ppp0 -p tcp --dport 37 -j DROP
$IPT -A INPUT -i ppp0 -p tcp --dport 389 -j DROP
$IPT -A INPUT -i ppp0 -p tcp --dport 111 -j DROP
$IPT -A INPUT -i ppp0 -p tcp --dport 113 -j DROP
$IPT -A INPUT -i ppp0 -p tcp --dport 513:515 -j DROP
$IPT -A INPUT -i ppp0 -p tcp --dport 902 -j DROP
$IPT -A INPUT -i ppp0 -p tcp --dport 905 -j DROP
$IPT -A INPUT -i ppp0 -p tcp --dport 910 -j DROP
$IPT -A INPUT -i ppp0 -p tcp --dport 1002 -j DROP
# einige Ports werden komplett abgedichtet aber geloggt
$IPT -A INPUT -p tcp --dport 6670 -m limit -j LOG --log-prefix "FW: Deepthroat scan"
$IPT -A INPUT -p tcp --dport 6670 -j DROP
$IPT -A INPUT -p tcp --dport 6711:6713 -m limit -j LOG --log-prefix "FW: Subseven scan"
$IPT -A INPUT -p tcp --dport 6711:6713 -j DROP
$IPT -A INPUT -p tcp --dport 12345:12346 -m limit -j LOG --log-prefix "FW: netbus scan"
$IPT -A INPUT -p tcp --dport 12345:12346 -j DROP
$IPT -A INPUT -p tcp --dport 20034 -m limit -j LOG --log-prefix "FW: netbus scan"
$IPT -A INPUT -p tcp --dport 20034 -j DROP
$IPT -A INPUT -p tcp --dport 31337 -m limit -j LOG --log-prefix "FW: Back Orifice Scan"
$IPT -A INPUT -p tcp --dport 31337 -j DROP
$IPT -A INPUT -p tcp --dport 6000 -m limit -j LOG --log-prefix "FW: X-Windows Port"
$IPT -A INPUT -p tcp --dport 6000 -j DROP
# Prerouting
$IPT -A PREROUTING -t nat -i eth0 -s 192.168.29.0/24 -j ACCEPT
$IPT -A PREROUTING -t nat -i ppp0 -p tcp -m state --state related,established -j ACCEPT
$IPT -A PREROUTING -t nat -i ppp0 -p udp -m state --state related,established -j ACCEPT
# Forward
$IPT -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
$IPT -A FORWARD -t filter -i eth0 -o ppp0 -j ACCEPT
$IPT -A FORWARD -t filter -i ppp0 -o $IF_LAN -m state --state related,established -j ACCEPT
# zusätzliche OUTPUT rules
$IPT -A OUTPUT -p all -o ppp0 -j ACCEPT
# alles was rausfällt ins Log schreiben
$IPT -A INPUT -p all -j LOG --log-level info --log-prefix "loginput"
$IPT -A OUTPUT -p all -j LOG --log-level info --log-prefix "logoutput"
$IPT -A FORWARD -p all -j LOG --log-level info --log-prefix "logforward"
# Forwarding aktivieren
$IPT -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
#--------- Regeln fuer Rechner 1 --------------------------------------------------------------
# Port Forwarding
$IPT -t nat -A PREROUTING -p tcp --dport 412:412 -i ppp0 -j DNAT --to-destination $INTIP1:412
$IPT -t nat -A PREROUTING -p udp --dport 412:412 -i ppp0 -j DNAT --to-destination $INTIP1:412
$IPT -t nat -A PREROUTING -p tcp --dport 550 -i ppp0 -j DNAT --to-destination $INTIP1:550
$IPT -t nat -A PREROUTING -p udp --dport 550 -i ppp0 -j DNAT --to-destination $INTIP1:550
$IPT -t nat -A PREROUTING -p tcp --dport 5100:5100 -i ppp0 -j DNAT --to-destination $INTIP1:5100
$IPT -t nat -A PREROUTING -p udp --dport 3782:3783 -i ppp0 -j DNAT --to-destination $INTIP1:3782-3783
$IPT -t nat -A PREROUTING -p tcp --dport 3782:3783 -i ppp0 -j DNAT --to-destination $INTIP1:3782-3783
$IPT -t nat -A PREROUTING -p tcp --dport 59100:59200 -i ppp0 -j DNAT --to-destination $INTIP1:59100-59200
$IPT -t nat -A PREROUTING -p udp --dport 59100:59200 -i ppp0 -j DNAT --to-destination $INTIP1:59100-59200
$IPT -t nat -A PREROUTING -p tcp --dport 2300:2400 -i ppp0 -j DNAT --to-destination $INTIP1:2300-2400
$IPT -t nat -A PREROUTING -p udp --dport 2300:2400 -i ppp0 -j DNAT --to-destination $INTIP1:2300-2400
#
# TCP Pakete (-p tcp), die an der Internetmaschine (ppp0) am
# Port 550 (--dport 4661) ankommen, ins Intranet an Maschine
# 192.168.5.10 (--to ...) weiterleiten
$IPT -A PREROUTING -t nat -p tcp --dport 550 -i ppp0 -j DNAT --to $INTIP1
$IPT -A PREROUTING -t nat -p udp --dport 550 -i ppp0 -j DNAT --to $INTIP1
# Zusätzliche Regeln
$IPT -t nat -A PREROUTING -p tcp --dport 550 -i ppp0 -j DNAT --to-destination $INTIP1:550
$IPT -t nat -A PREROUTING -p udp --dport 550 -i ppp0 -j DNAT --to-destination $INTIP1:550
#--------- Regeln fuer Rechner 2 --------------------------------------------------------------
# Port Forwarding
$IPT -t nat -A PREROUTING -p tcp --dport 412:412 -i ppp0 -j DNAT --to-destination $INTIP2:412
$IPT -t nat -A PREROUTING -p udp --dport 412:412 -i ppp0 -j DNAT --to-destination $INTIP2:412
$IPT -t nat -A PREROUTING -p tcp --dport 550 -i ppp0 -j DNAT --to-destination $INTIP2:550
$IPT -t nat -A PREROUTING -p udp --dport 550 -i ppp0 -j DNAT --to-destination $INTIP2:550
$IPT -t nat -A PREROUTING -p tcp --dport 5100:5100 -i ppp0 -j DNAT --to-destination $INTIP2:5100
$IPT -t nat -A PREROUTING -p udp --dport 3782:3783 -i ppp0 -j DNAT --to-destination $INTIP2:3782-3783
$IPT -t nat -A PREROUTING -p tcp --dport 3782:3783 -i ppp0 -j DNAT --to-destination $INTIP2:3782-3783
$IPT -t nat -A PREROUTING -p tcp --dport 59100:59200 -i ppp0 -j DNAT --to-destination $INTIP2:59100-59200
$IPT -t nat -A PREROUTING -p udp --dport 59100:59200 -i ppp0 -j DNAT --to-destination $INTIP2:59100-59200
$IPT -t nat -A PREROUTING -p tcp --dport 2300:2400 -i ppp0 -j DNAT --to-destination $INTIP2:2300-2400
$IPT -t nat -A PREROUTING -p udp --dport 2300:2400 -i ppp0 -j DNAT --to-destination $INTIP2:2300-2400
#
# TCP Pakete (-p tcp), die an der Internetmaschine (ppp0) am
# Port 550 (--dport 4661) ankommen, ins Intranet an Maschine
# 192.168.5.10 (--to ...) weiterleiten
$IPT -A PREROUTING -t nat -p tcp --dport 550 -i ppp0 -j DNAT --to $INTIP2
$IPT -A PREROUTING -t nat -p udp --dport 550 -i ppp0 -j DNAT --to $INTIP2
# Zusätzliche Regeln
$IPT -t nat -A PREROUTING -p tcp --dport 550 -i ppp0 -j DNAT --to-destination $INTIP2:550
$IPT -t nat -A PREROUTING -p udp --dport 550 -i ppp0 -j DNAT --to-destination $INTIP2:550
#--------- Regeln fuer Rechner 3 --------------------------------------------------------------
# Port Forwarding
$IPT -t nat -A PREROUTING -p tcp --dport 412:412 -i ppp0 -j DNAT --to-destination $INTIP3:412
$IPT -t nat -A PREROUTING -p udp --dport 412:412 -i ppp0 -j DNAT --to-destination $INTIP3:412
$IPT -t nat -A PREROUTING -p tcp --dport 550 -i ppp0 -j DNAT --to-destination $INTIP3:550
$IPT -t nat -A PREROUTING -p udp --dport 550 -i ppp0 -j DNAT --to-destination $INTIP3:550
$IPT -t nat -A PREROUTING -p tcp --dport 5100:5100 -i ppp0 -j DNAT --to-destination $INTIP3:5100
$IPT -t nat -A PREROUTING -p udp --dport 3782:3783 -i ppp0 -j DNAT --to-destination $INTIP3:3782-3783
$IPT -t nat -A PREROUTING -p tcp --dport 3782:3783 -i ppp0 -j DNAT --to-destination $INTIP3:3782-3783
$IPT -t nat -A PREROUTING -p tcp --dport 59100:59200 -i ppp0 -j DNAT --to-destination $INTIP3:59100-59200
$IPT -t nat -A PREROUTING -p udp --dport 59100:59200 -i ppp0 -j DNAT --to-destination $INTIP3:59100-59200
$IPT -t nat -A PREROUTING -p tcp --dport 2300:2400 -i ppp0 -j DNAT --to-destination $INTIP3:2300-2400
$IPT -t nat -A PREROUTING -p udp --dport 2300:2400 -i ppp0 -j DNAT --to-destination $INTIP3:2300-2400
#
# TCP Pakete (-p tcp), die an der Internetmaschine (ppp0) am
# Port 550 (--dport 4661) ankommen, ins Intranet an Maschine
# 192.168.5.10 (--to ...) weiterleiten
$IPT -A PREROUTING -t nat -p tcp --dport 550 -i ppp0 -j DNAT --to $INTIP3
$IPT -A PREROUTING -t nat -p udp --dport 550 -i ppp0 -j DNAT --to $INTIP3
# Zusätzliche Regeln
$IPT -t nat -A PREROUTING -p tcp --dport 550 -i ppp0 -j DNAT --to-destination $INTIP3:550
$IPT -t nat -A PREROUTING -p udp --dport 550 -i ppp0 -j DNAT --to-destination $INTIP3:550
## Tables forblock anlegen ##
$IPT -N forblock
# TCP Ports 550 annehmen
# UDP Port 550 annehmen
$IPT -A forblock -i ppp0 -p tcp --dport 550 -j ACCEPT
$IPT -A forblock -i ppp0 -p udp --dport 550 -j ACCEPT
#
# Tabelle forblock forwarden !
# (?) Ich denke mal, das es hier auch um das Masqueraden geht (?),
# damit die Pakete am Zielrechner mit $INTIP... ankommen und
# nicht mit der ppp0 Adresse !
$IPT -A FORWARD -j forblock
Bitte prüft mir mal das script durch.
Da ich die vermutung habe das der rechner bei bistimmten sachen durcheinander kommt.
danke schon mal im Vorraus.
Tschau.
Lesezeichen