Zum Inhalt springen
View in the app

A better way to browse. Learn more.
Fachinformatiker.de

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

iptables firewall script

Gast shad0w
Gast shad0w
in Linux

Empfohlene Antworten

Hi,

ich hab mir aus dem internet diverse iptables scripte gezogen und damit mein eigenes gebastelt ... leider ist das ding viel zu umfangreich und wahrscheinlich nichtmal sicher ... :(

ich braeuchte eigentlich nur eine config fuer:

home firewall

services: inet, icq, irc, pop3, smtp

dnat: webserver auf 172.30.1.4

blocken aller broadcasts/scans etc. vom inet

hier ist das aktuelle script:

#!/bin/sh


LAN_IP="172.30.0.1"

LAN_IP_RANGE="172.30.0.0/16"

LAN_IFACE="eth0"

LAN_BROADCAST_ADDRESS="172.30.255.255"

INET_IFACE="ppp0"

INET_IP=`ifconfig $INET_IFACE | grep inet | cut -d : -f 2 | cut -d ' ' -f 1`

INET_BROADCAST=`echo $INET_IP | cut -d . -f 1,2,3`.255

LO_IFACE="lo"

LO_IP="127.0.0.1"

IPTABLES="iptables"


$IPTABLES -F

$IPTABLES -X


# Flushen der Ketten

$IPTABLES -F INPUT

$IPTABLES -F OUTPUT

$IPTABLES -F FORWARD


# default policy of DROP on all chains

$IPTABLES -P INPUT DROP

$IPTABLES -P OUTPUT DROP

$IPTABLES -P FORWARD DROP


# create chains

$IPTABLES -N bad_tcp_packets

$IPTABLES -N allowed

$IPTABLES -N tcp_packets

$IPTABLES -N udp_packets

$IPTABLES -N icmp_packets


$IPTABLES -A udp_packets -p UDP -i $INET_IFACE --destination-port 135:139 -j DROP

$IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d 255.255.255.255 --dport 67:68 -j DROP


$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j allowed

$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j allowed


# bad TCP packets we don't want

$IPTABLES -A INPUT -p TCP -j bad_tcp_packets


# rules for incoming packets from LAN (accept everything!)

$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT

$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT

$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT

$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT

$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BROADCAST_ADDRESS -j ACCEPT

### special rule for DHCP requests from LAN, which are not caught properly

$IPTABLES -A INPUT -p UDP -i $LAN_IFACE --dport 67 --sport 68 -j ACCEPT


### if the connection has already been established, accept it

$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED -j ACCEPT

### otherwise, send in through my chains

$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets

$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udp_packets

$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets

### outside microsoft networks may flood via multicasts, so drop

$IPTABLES -A INPUT -i $INET_IFACE -d 224.0.0.0/8 -j DROP


# log weird packets that don't match the above.

$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "INVALID input: "


# bad TCP packets we don't want

$IPTABLES -A FORWARD -p TCP -j bad_tcp_packets


# accept the packets we actually want to forward (LAN, established)

$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT

$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT


# log weird packets that don't match the above.

$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "INVALID forward: "


# bad TCP packets we don't want

$IPTABLES -A OUTPUT -p TCP -j bad_tcp_packets


# special OUTPUT rules to decide which IP's to allow

$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT

$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT

$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT


# log weird packets that don't match the above.

$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "INVALID output: "


$IPTABLES -t nat -I PREROUTING -i $INET_IFACE -p tcp -m tcp --dport 80 -j DNAT --o-destination 172.30.1.4

$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE


echo 1 > /proc/sys/net/ipv4/conf/ppp0/rp_filter

echo 1 > /proc/sys/net/ipv4/ip_forward

kann mir wer tipps geben was ich da rausschmeissen/hinzufuegen/verbessern kann?

danke schonmal

achja, alle http/https anfragen vom lan sollen NUR ueber den squid/dansguardian proxy ins inet gelangen ... wie stell ich das an?

Original geschrieben von shad0w

achja, alle http/https anfragen vom lan sollen NUR ueber den squid/dansguardian proxy ins inet gelangen ... wie stell ich das an?

http://en.tldp.org/HOWTO/TransparentProxy-6.html

Archiv

Dieses Thema wurde archiviert und kann nicht mehr beantwortet werden.

Zur Themenliste gehen

Konto

Navigation

Suchen

Suchen

Configure browser push notifications
Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.