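#!/bin/bash
# ---------------------------------------------------------------------
# Linux iptables firewall script, Copyright (c) 2007 under the GPL
# Autogenerated by iptables Generator v1.22 (c) 2002-2007 by Harald Bertram
# Please visit http://harry.homelinux.org for new versions of
# the iptables Generator (c).
#
# This Script was generated by request from:
# rc5.dresden@gmx.net on: 2007-10-25 22:16.50 MET.
#
# If you have questions about the iptables Generator or about
# your Firewall-Skript feel free to take a look at our website or
# send me an E-Mail to webmaster@harry.homelinux.org.
#
# My special thanks are going to Lutz Heinrich (trinitywork at hotmail dot com)
# who made lots of Beta-Testing and gave me lots of well qualified
# Feedback that made me able to improve the iptables Generator.
# --------------------------------------------------------------------
#
# Usage: $0 {start|stop|status}
#   start  - load the netfilter modules, flush every table, set DROP default
#            policies, install the rule set below and apply the
#            /proc/sys/net/ipv4 hardening settings
#   stop   - open the default policies (ACCEPT) and flush every table
#   status - list the filter, nat and mangle tables
# Needs root (iptables, modprobe and writes under /proc/sys).
# Interfaces used: br0 (LAN bridge), tap1 (VPN), ppp0 (uplink), ra0.
# Rule order matters: iptables evaluates top-down, first match wins.

case "$1" in
  start)
    echo "Starte IP-Paketfilter"

    # iptables module
    modprobe ip_tables

    # Connection tracking modules (legacy module names as generated in 2007;
    # newer kernels provide this as nf_conntrack* — verify on the target host)
    modprobe ip_conntrack
    # ip_conntrack_irc is only available on kernels >= 2.4.19
    modprobe ip_conntrack_irc
    modprobe ip_conntrack_ftp

    # Flush all tables and delete user-defined chains
    iptables -F
    iptables -t nat -F
    iptables -t mangle -F
    iptables -X
    iptables -t nat -X
    iptables -t mangle -X

    # Default policies: fail closed before any rule is loaded
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP

    # MY_REJECT chain: rate-limited logging, then a protocol-appropriate reject
    iptables -N MY_REJECT

    # Populate MY_REJECT
    iptables -A MY_REJECT -p tcp -m limit --limit 7200/h -j LOG --log-prefix "REJECT TCP "
    iptables -A MY_REJECT -p tcp -j REJECT --reject-with tcp-reset
    iptables -A MY_REJECT -p udp -m limit --limit 7200/h -j LOG --log-prefix "REJECT UDP "
    iptables -A MY_REJECT -p udp -j REJECT --reject-with icmp-port-unreachable
    iptables -A MY_REJECT -p icmp -m limit --limit 7200/h -j LOG --log-prefix "DROP ICMP "
    iptables -A MY_REJECT -p icmp -j DROP
    iptables -A MY_REJECT -m limit --limit 7200/h -j LOG --log-prefix "REJECT OTHER "
    iptables -A MY_REJECT -j REJECT --reject-with icmp-proto-unreachable

    # MY_DROP chain: rate-limited logging, then silent drop
    iptables -N MY_DROP
    iptables -A MY_DROP -m limit --limit 7200/h -j LOG --log-prefix "PORTSCAN DROP "
    iptables -A MY_DROP -j DROP

    # Log all packets in state INVALID
    iptables -A INPUT -m state --state INVALID -m limit --limit 7200/h -j LOG --log-prefix "INPUT INVALID "
    iptables -A OUTPUT -m state --state INVALID -m limit --limit 7200/h -j LOG --log-prefix "OUTPUT INVALID "
    iptables -A FORWARD -m state --state INVALID -m limit --limit 7200/h -j LOG --log-prefix "FORWARD INVALID "

    # Drop corrupt (INVALID) packets
    iptables -A INPUT -m state --state INVALID -j DROP
    iptables -A OUTPUT -m state --state INVALID -j DROP
    iptables -A FORWARD -m state --state INVALID -j DROP

    # Drop stealth scans etc. (illegal TCP flag combinations)
    # No flags set
    iptables -A INPUT -p tcp --tcp-flags ALL NONE -j MY_DROP
    iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j MY_DROP
    # SYN and FIN set
    iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j MY_DROP
    iptables -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j MY_DROP
    # SYN and RST set at the same time
    iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j MY_DROP
    iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j MY_DROP
    # FIN and RST set at the same time
    iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j MY_DROP
    iptables -A FORWARD -p tcp --tcp-flags FIN,RST FIN,RST -j MY_DROP
    # FIN without ACK
    iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j MY_DROP
    iptables -A FORWARD -p tcp --tcp-flags ACK,FIN FIN -j MY_DROP
    # PSH without ACK
    iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j MY_DROP
    iptables -A FORWARD -p tcp --tcp-flags ACK,PSH PSH -j MY_DROP
    # URG without ACK
    iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j MY_DROP
    iptables -A FORWARD -p tcp --tcp-flags ACK,URG URG -j MY_DROP

    # Allow loopback traffic
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT

    # Clamp the Maximum Segment Size (MSS) of forwarded traffic to the PMTU
    iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

    # Enable connection tracking
    iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # Negation is written in the prepositioned form ("! -i"); the generated
    # script used the intrapositioned "-i ! ra0", which current iptables
    # releases no longer accept.
    iptables -A FORWARD ! -i ra0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # iptables -A FORWARD ! -i ppp0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # LAN access to the network interface
    # iptables -A INPUT -m state --state NEW -i br0 -j ACCEPT

    # HTTP (ports 3128 and 80; port 80 from 192.168.68.0/24 is redirected to 3128)
    iptables -A INPUT -i br0 -s 192.168.68.0/24 -m state --state NEW -p tcp --dport 3128 -j ACCEPT
    iptables -A INPUT -i br0 -s 192.168.92.0/24 -m state --state NEW -p tcp --dport 3128 -j ACCEPT
    iptables -A INPUT -i br0 -s 192.168.68.0/24 -m state --state NEW -p tcp --dport 80 -j ACCEPT
    iptables -A INPUT -i br0 -s 192.168.92.0/24 -m state --state NEW -p tcp --dport 80 -j ACCEPT
    iptables -A INPUT -i tap1 -s 10.8.92.0/24 -m state --state NEW -p tcp --dport 3128 -j ACCEPT
    iptables -A INPUT -i tap1 -s 10.8.92.0/24 -m state --state NEW -p tcp --dport 80 -j ACCEPT
    iptables -A PREROUTING -t nat -s 192.168.68.0/24 -p tcp --dport 80 -j REDIRECT --to-ports 3128
    iptables -A POSTROUTING -t nat -s 192.168.68.0/24 -m state --state NEW -p tcp --dport 80 -j MASQUERADE

    # apache
    iptables -A INPUT -i br0 -s 192.168.68.0/24 -m state --state NEW -p tcp --dport 8000 -j ACCEPT
    iptables -A INPUT -i br0 -s 192.168.92.0/24 -m state --state NEW -p tcp --dport 8000 -j ACCEPT

    # ntop
    iptables -A INPUT -i br0 -s 192.168.68.0/24 -m state --state NEW -p tcp --dport 3000 -j ACCEPT
    iptables -A INPUT -i br0 -s 192.168.92.0/24 -m state --state NEW -p tcp --dport 3000 -j ACCEPT

    # HTTPS
    iptables -A INPUT -i br0 -s 192.168.68.0/24 -m state --state NEW -p tcp --dport 443 -j ACCEPT
    iptables -A INPUT -i br0 -s 192.168.92.0/24 -m state --state NEW -p tcp --dport 443 -j ACCEPT
    iptables -A POSTROUTING -t nat -s 192.168.92.0/24 -m state --state NEW -p tcp --dport 443 -j MASQUERADE
    iptables -A POSTROUTING -t nat -s 192.168.68.0/24 -m state --state NEW -p tcp --dport 443 -j MASQUERADE

    # apache (TLS)
    iptables -A INPUT -i br0 -s 192.168.68.0/24 -m state --state NEW -p tcp --dport 8443 -j ACCEPT
    iptables -A INPUT -i br0 -s 192.168.92.0/24 -m state --state NEW -p tcp --dport 8443 -j ACCEPT

    # SMTP
    # The generated script wrote "-i !br0" (no space), which iptables takes as
    # a literal interface name rather than a negation, so this rule never
    # matched. Written as intended it accepts new SMTP connections on every
    # interface except br0 — i.e. including the uplink; restrict further if
    # the host is not meant to receive mail from outside.
    iptables -A OUTPUT -o br0 -m state --state NEW -p tcp --dport 25 -j ACCEPT
    iptables -A INPUT ! -i br0 -m state --state NEW -p tcp --dport 25 -j ACCEPT
    iptables -A POSTROUTING -t nat -s 192.168.92.0/24 -m state --state NEW -p tcp --dport 25 -j MASQUERADE
    iptables -A POSTROUTING -t nat -s 192.168.68.0/24 -m state --state NEW -p tcp --dport 25 -j MASQUERADE

    # SMTPS (same interface negation as for SMTP above)
    iptables -A OUTPUT -o br0 -m state --state NEW -p tcp --dport 465 -j ACCEPT
    iptables -A INPUT ! -i br0 -m state --state NEW -p tcp --dport 465 -j ACCEPT
    iptables -A POSTROUTING -t nat -s 192.168.92.0/24 -m state --state NEW -p tcp --dport 465 -j MASQUERADE
    iptables -A POSTROUTING -t nat -s 192.168.68.0/24 -m state --state NEW -p tcp --dport 465 -j MASQUERADE

    # POP3 port 110
    # iptables -A POSTROUTING -t nat -s 192.168.92.0/24 -m state --state NEW -p tcp --dport 110 -j MASQUERADE
    # iptables -A POSTROUTING -t nat -s 192.168.68.0/24 -m state --state NEW -p tcp --dport 110 -j MASQUERADE

    # POP3S port 995
    # iptables -A POSTROUTING -t nat -s 192.168.92.0/24 -m state --state NEW -p tcp --dport 995 -j MASQUERADE
    # iptables -A POSTROUTING -t nat -s 192.168.68.0/24 -m state --state NEW -p tcp --dport 995 -j MASQUERADE

    # IMAP port 143

    # IMAPS
    iptables -A INPUT -i br0 -s 192.168.92.0/24 -m state --state NEW -p tcp --dport 993 -j ACCEPT
    iptables -A POSTROUTING -t nat -s 192.168.92.0/24 -m state --state NEW -p tcp --dport 993 -j MASQUERADE
    iptables -A INPUT -i br0 -s 192.168.68.0/24 -m state --state NEW -p tcp --dport 993 -j ACCEPT
    iptables -A POSTROUTING -t nat -s 192.168.68.0/24 -m state --state NEW -p tcp --dport 993 -j MASQUERADE
    iptables -A INPUT -i tap1 -s 10.8.92.0/24 -m state --state NEW -p tcp --dport 993 -j ACCEPT

    # NNTP
    # iptables -A INPUT -i br0 -m state --state NEW -p tcp --dport 119 -j ACCEPT

    # DNS
    iptables -A INPUT -i br0 -s 192.168.92.0/24 -m state --state NEW -p tcp --dport 53 -j ACCEPT
    # iptables -A PREROUTING -i br0 -t nat -s 192.168.92.0/24 -p tcp --dport 53 -j DNAT --to-destination 192.168.68.11
    iptables -A INPUT -i br0 -s 192.168.92.0/24 -m state --state NEW -p udp --dport 53 -j ACCEPT
    # iptables -A PREROUTING -i br0 -t nat -s 192.168.92.0/24 -p udp --dport 53 -j DNAT --to-destination 192.168.68.11
    iptables -A INPUT -i br0 -s 192.168.68.0/24 -m state --state NEW -p tcp --dport 53 -j ACCEPT
    iptables -A INPUT -i br0 -s 192.168.68.0/24 -m state --state NEW -p udp --dport 53 -j ACCEPT

    # FTP
    iptables -A POSTROUTING -t nat -s 192.168.92.0/24 -m state --state NEW -p tcp --dport 21 -j MASQUERADE
    iptables -A POSTROUTING -t nat -s 192.168.68.0/24 -m state --state NEW -p tcp --dport 21 -j MASQUERADE

    # SMB/CIFS
    # iptables -A INPUT -i tap1 -m state --state NEW -p tcp --dport 137 -j ACCEPT
    iptables -A INPUT -i tap1 -m state --state NEW -p tcp --dport 138 -j ACCEPT
    iptables -A INPUT -i tap1 -m state --state NEW -p tcp --dport 139 -j ACCEPT
    iptables -A INPUT -i tap1 -m state --state NEW -p tcp --dport 445 -j ACCEPT
    iptables -A INPUT -i tap1 -m state --state NEW -p udp --dport 137 -j ACCEPT
    iptables -A INPUT -i tap1 -m state --state NEW -p udp --dport 138 -j ACCEPT
    iptables -A INPUT -i tap1 -m state --state NEW -p udp --dport 139 -j ACCEPT
    iptables -A INPUT -i tap1 -m state --state NEW -p udp --dport 445 -j ACCEPT
    iptables -A INPUT -i br0 -s 192.168.92.0/24 -m state --state NEW -p tcp --dport 137 -j ACCEPT
    iptables -A INPUT -i br0 -s 192.168.92.0/24 -m state --state NEW -p tcp --dport 138 -j ACCEPT
    iptables -A INPUT -i br0 -s 192.168.92.0/24 -m state --state NEW -p tcp --dport 139 -j ACCEPT
    iptables -A INPUT -i br0 -s 192.168.92.0/24 -m state --state NEW -p tcp --dport 445 -j ACCEPT
    iptables -A INPUT -i br0 -s 192.168.92.0/24 -m state --state NEW -p udp --dport 137 -j ACCEPT
    iptables -A INPUT -i br0 -s 192.168.92.0/24 -m state --state NEW -p udp --dport 138 -j ACCEPT
    iptables -A INPUT -i br0 -s 192.168.92.0/24 -m state --state NEW -p udp --dport 139 -j ACCEPT
    iptables -A INPUT -i br0 -s 192.168.92.0/24 -m state --state NEW -p udp --dport 445 -j ACCEPT
    iptables -A INPUT -i br0 -s 192.168.68.0/24 -m state --state NEW -p tcp --dport 137 -j ACCEPT
    iptables -A INPUT -i br0 -s 192.168.68.0/24 -m state --state NEW -p tcp --dport 138 -j ACCEPT
    iptables -A INPUT -i br0 -s 192.168.68.0/24 -m state --state NEW -p tcp --dport 139 -j ACCEPT
    iptables -A INPUT -i br0 -s 192.168.68.0/24 -m state --state NEW -p tcp --dport 445 -j ACCEPT
    iptables -A INPUT -i br0 -s 192.168.68.0/24 -m state --state NEW -p udp --dport 137 -j ACCEPT
    iptables -A INPUT -i br0 -s 192.168.68.0/24 -m state --state NEW -p udp --dport 138 -j ACCEPT
    iptables -A INPUT -i br0 -s 192.168.68.0/24 -m state --state NEW -p udp --dport 139 -j ACCEPT
    iptables -A INPUT -i br0 -s 192.168.68.0/24 -m state --state NEW -p udp --dport 445 -j ACCEPT

    # SSH
    iptables -A INPUT -i br0 -s 192.168.92.0/24 -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 22 -j ACCEPT
    iptables -A OUTPUT -o br0 -d 192.168.92.0/24 -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 22 -j ACCEPT
    iptables -A INPUT -i br0 -s 192.168.68.0/24 -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 22 -j ACCEPT
    iptables -A OUTPUT -o br0 -d 192.168.68.0/24 -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 22 -j ACCEPT
    iptables -A INPUT -i tap1 -s 10.8.92.0/24 -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 22 -j ACCEPT
    # NOTE(review): "-s" on an OUTPUT rule matches the local source address;
    # the br0 counterparts above use "-d", so "-d 10.8.92.0/24" was probably
    # intended here — confirm before changing, the OUTPUT chain already
    # accepts NEW,ESTABLISHED,RELATED above so this rule is currently moot.
    iptables -A OUTPUT -o tap1 -s 10.8.92.0/24 -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 22 -j ACCEPT

    # DHCP
    iptables -A INPUT -i br0 -m state --state NEW -p udp --dport 67 -j ACCEPT
    iptables -A OUTPUT -o br0 -m state --state NEW -p udp --dport 67 -j ACCEPT

    # MYSQL (no source restriction: reachable from anything on br0)
    iptables -A INPUT -i br0 -m state --state NEW -p tcp --dport 3306 -j ACCEPT

    # NTP
    iptables -A INPUT -i br0 -s 192.168.92.0/24 -m state --state NEW -p udp --dport 123 -j ACCEPT
    iptables -A INPUT -i br0 -s 192.168.68.0/24 -m state --state NEW -p udp --dport 123 -j ACCEPT

    # rsync
    iptables -A INPUT -i tap1 -s 10.8.92.0/24 -m state --state NEW -p tcp --dport 873 -j ACCEPT
    iptables -A INPUT -i tap1 -s 10.8.92.0/24 -m state --state NEW -p udp --dport 873 -j ACCEPT
    iptables -A INPUT -i br0 -s 10.8.92.0/24 -m state --state NEW -p tcp --dport 873 -j ACCEPT
    iptables -A INPUT -i br0 -s 10.8.92.0/24 -m state --state NEW -p udp --dport 873 -j ACCEPT

    # Fritzbox / IPSEC
    # iptables -A INPUT -i wlan0 -p 50 -j ACCEPT
    # iptables -A INPUT -i wlan0 -p 51 -j ACCEPT
    # iptables -A INPUT -i wlan0 -m state --state NEW -p udp --dport 500 -j ACCEPT

    # OPENVPN_V2
    # Affects OpenVPN: lets the PCs behind it pass through.
    # NOTE(review): this stateless accept-all on br0 sits before the final
    # MY_REJECT rules, so every port on this host is reachable from anything
    # attached to br0 and all the per-port br0 INPUT rules above are
    # effectively redundant. If only OpenVPN traffic is meant to pass, the
    # -i br0 --dport 1194 rules below already cover it; otherwise restrict
    # this rule by source network.
    iptables -A INPUT -i br0 -j ACCEPT
    iptables -A POSTROUTING -t nat -s 192.168.68.0/24 -o ppp0 -j MASQUERADE
    iptables -A INPUT -i tap1 -m state --state NEW -p udp --dport 1194 -j ACCEPT
    iptables -A INPUT -i tap1 -m state --state NEW -p tcp --dport 1194 -j ACCEPT
    iptables -A INPUT -i br0 -m state --state NEW -p udp --dport 1194 -j ACCEPT
    iptables -A INPUT -i br0 -m state --state NEW -p tcp --dport 1194 -j ACCEPT
    iptables -A OUTPUT -o tap1 -m state --state NEW -p udp --dport 1194 -j ACCEPT
    iptables -A OUTPUT -o tap1 -m state --state NEW -p tcp --dport 1194 -j ACCEPT
    iptables -A OUTPUT -o br0 -m state --state NEW -p udp --dport 1194 -j ACCEPT
    iptables -A OUTPUT -o br0 -m state --state NEW -p tcp --dport 1194 -j ACCEPT

    # Sonos

    # VNC
    iptables -A INPUT -i br0 -s 192.168.92.0/24 -m state --state NEW -p tcp --dport 5901 -j ACCEPT
    iptables -A INPUT -i br0 -s 192.168.92.0/24 -m state --state NEW -p tcp --dport 5902 -j ACCEPT
    iptables -A INPUT -i br0 -s 192.168.92.0/24 -m state --state NEW -p tcp --dport 5903 -j ACCEPT
    iptables -A INPUT -i br0 -s 192.168.92.0/24 -m state --state NEW -p tcp --dport 5904 -j ACCEPT
    iptables -A INPUT -i br0 -s 192.168.68.0/24 -m state --state NEW -p tcp --dport 5901 -j ACCEPT
    iptables -A INPUT -i br0 -s 192.168.68.0/24 -m state --state NEW -p tcp --dport 5902 -j ACCEPT
    iptables -A INPUT -i br0 -s 192.168.68.0/24 -m state --state NEW -p tcp --dport 5903 -j ACCEPT
    iptables -A INPUT -i br0 -s 192.168.68.0/24 -m state --state NEW -p tcp --dport 5904 -j ACCEPT
    iptables -A INPUT -i tap1 -m state --state NEW -p tcp --dport 5901 -j ACCEPT
    iptables -A INPUT -i tap1 -m state --state NEW -p tcp --dport 5902 -j ACCEPT
    iptables -A INPUT -i tap1 -m state --state NEW -p tcp --dport 5903 -j ACCEPT
    iptables -A INPUT -i tap1 -m state --state NEW -p tcp --dport 5904 -j ACCEPT

    # Allow and answer ICMP echo-request (ping)
    iptables -A INPUT -i br0 -m state --state NEW -p icmp --icmp-type echo-request -j ACCEPT
    iptables -A INPUT -i tap1 -m state --state NEW -p icmp --icmp-type echo-request -j ACCEPT

    # Determine the IP address of the LAN interface and keep it in a variable
    # LAN_IP=$(ifconfig br0 | head -n 2 | tail -n 1 | cut -d: -f2 | cut -d" " -f 1)

    # NAT for HTTP
    # iptables -t nat -A PREROUTING -i wlan0 -p tcp --dport 80 -j DNAT --to-destination
    # iptables -A FORWARD -i wlan0 -m state --state NEW -p tcp -d --dport 80 -j ACCEPT

    # Everything not accepted above is logged and rejected via MY_REJECT
    iptables -A INPUT -j MY_REJECT
    iptables -A OUTPUT -j MY_REJECT
    iptables -A FORWARD -j MY_REJECT

    # Forwarding/Routing
    echo "Aktiviere IP-Routing"
    echo 1 > /proc/sys/net/ipv4/ip_forward 2> /dev/null

    # Masquerading
    # iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

    # SYN cookies
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies 2> /dev/null

    # Per-interface sysctls: "$i" is quoted so an unexpected entry under
    # conf/ cannot be word-split or glob-expanded.
    # Stop source routing
    for i in /proc/sys/net/ipv4/conf/*; do echo 0 > "$i/accept_source_route" 2> /dev/null; done

    # Stop redirects
    for i in /proc/sys/net/ipv4/conf/*; do echo 0 > "$i/accept_redirects" 2> /dev/null; done

    # Reverse-path filter
    # Commented out because IPSEC does not work with rp_filter!
    # for i in /proc/sys/net/ipv4/conf/*; do echo 2 > "$i/rp_filter" 2> /dev/null; done

    # Log martians
    for i in /proc/sys/net/ipv4/conf/*; do echo 1 > "$i/log_martians" 2> /dev/null; done

    # Disable BOOTP relaying
    for i in /proc/sys/net/ipv4/conf/*; do echo 0 > "$i/bootp_relay" 2> /dev/null; done

    # Disable proxy ARP
    for i in /proc/sys/net/ipv4/conf/*; do echo 0 > "$i/proxy_arp" 2> /dev/null; done

    # Ignore bogus ICMP error responses
    echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 2> /dev/null

    # Ignore ICMP echo broadcasts
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 2> /dev/null

    # Send at most 500/second (5 per jiffie)
    echo 5 > /proc/sys/net/ipv4/icmp_ratelimit

    # Memory allocation and timing for IP de-/fragmentation
    echo 262144 > /proc/sys/net/ipv4/ipfrag_high_thresh
    echo 196608 > /proc/sys/net/ipv4/ipfrag_low_thresh
    echo 30 > /proc/sys/net/ipv4/ipfrag_time

    # Set the TCP FIN timeout as protection against DoS attacks
    echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout

    # At most 3 replies to a TCP SYN
    echo 3 > /proc/sys/net/ipv4/tcp_retries1

    # Retransmit TCP packets at most 15 times
    echo 15 > /proc/sys/net/ipv4/tcp_retries2
    ;;

  stop)
    echo "Stoppe IP-Paketfilter"

    # Open the default policies first: flushing while the policies are still
    # DROP leaves a window in which even established sessions are dropped.
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT

    # Flush all tables and delete user-defined chains
    iptables -F
    iptables -t nat -F
    iptables -t mangle -F
    iptables -X
    iptables -t nat -X
    iptables -t mangle -X

    echo "Deaktiviere IP-Routing"
    echo 0 > /proc/sys/net/ipv4/ip_forward
    ;;

  status)
    echo "Tabelle filter"
    iptables -L -vn
    echo "Tabelle nat"
    iptables -t nat -L -vn
    echo "Tabelle mangle"
    iptables -t mangle -L -vn
    ;;

  *)
    # Usage error: diagnostics go to stderr, exit status 1
    echo "Fehlerhafter Aufruf" >&2
    echo "Syntax: $0 {start|stop|status}" >&2
    exit 1
    ;;
esac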