Hello list, here is my firewall; I'd appreciate comments. The machine is not on a LAN and is only connected to the Internet for web browsing and e-mail.

#!/bin/sh
# firewall.rules - created by levy.pl on Mon May 28 19:38:33 2001
# this is a -skeleton- ruleset-- adapt as needed.
#modified!!!
#
#load modules
/sbin/modprobe iptable_filter
/sbin/modprobe ip_conntrack   # the module is called nf_conntrack on current kernels

# chain policies
# set default policies: nothing inbound or forwarded passes unless a rule accepts it
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD DROP

# flush tables
/sbin/iptables -F
/sbin/iptables -F INPUT
/sbin/iptables -F OUTPUT
/sbin/iptables -F FORWARD
/sbin/iptables -F -t mangle
/sbin/iptables -X
/sbin/iptables -F -t nat

# create DUMP table: log, answer TCP with a RST, silently drop everything else
# (-N prints an error on stderr if the chain already exists, so redirect stderr)
/sbin/iptables -N DUMP 2> /dev/null
/sbin/iptables -F DUMP
/sbin/iptables -A DUMP -p tcp -j LOG
/sbin/iptables -A DUMP -p udp -j LOG
/sbin/iptables -A DUMP -p tcp -j REJECT --reject-with tcp-reset
/sbin/iptables -A DUMP -p udp -j DROP
/sbin/iptables -A DUMP -j DROP

# Stateful table: accept replies to connections this host opened, accept NEW
# connections only on interfaces other than ippp0, hand the rest to DUMP
/sbin/iptables -N STATEFUL 2> /dev/null
/sbin/iptables -F STATEFUL
/sbin/iptables -I STATEFUL -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A STATEFUL -m state --state NEW -i ! ippp0 -j ACCEPT   # "-i ! ippp0": any interface except ippp0
/sbin/iptables -A STATEFUL -j DUMP

# loopback rules
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT

# drop reserved addresses incoming: source addresses that must not arrive on ippp0
# (list as generated by levy.pl in 2001; several of these blocks have since been allocated)
/sbin/iptables -A INPUT -i ippp0 -s 0.0.0.0/7 -j DUMP
/sbin/iptables -A INPUT -i ippp0 -s 1.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i ippp0 -s 2.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i ippp0 -s 5.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i ippp0 -s 10.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i ippp0 -s 23.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i ippp0 -s 27.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i ippp0 -s 31.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i ippp0 -s 67.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i ippp0 -s 68.0.0.0/6 -j DUMP
/sbin/iptables -A INPUT -i ippp0 -s 72.0.0.0/5 -j DUMP
/sbin/iptables -A INPUT -i ippp0 -s 80.0.0.0/4 -j DUMP
/sbin/iptables -A INPUT -i ippp0 -s 96.0.0.0/3 -j DUMP
/sbin/iptables -A INPUT -i ippp0 -s 127.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i ippp0 -s 128.0.0.0/16 -j DUMP
/sbin/iptables -A INPUT -i ippp0 -s 128.66.0.0/16 -j DUMP
/sbin/iptables -A INPUT -i ippp0 -s 169.254.0.0/16 -j DUMP
/sbin/iptables -A INPUT -i ippp0 -s 172.16.0.0/12 -j DUMP
/sbin/iptables -A INPUT -i ippp0 -s 191.255.0.0/16 -j DUMP
/sbin/iptables -A INPUT -i ippp0 -s 192.0.0.0/16 -j DUMP
/sbin/iptables -A INPUT -i ippp0 -s 192.168.0.0/16 -j DUMP
/sbin/iptables -A INPUT -i ippp0 -s 197.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i ippp0 -s 201.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i ippp0 -s 204.152.64.0/23 -j DUMP
/sbin/iptables -A INPUT -i ippp0 -s 224.0.0.0/3 -j DUMP
/sbin/iptables -A INPUT -i ippp0 -s 240.0.0.0/8 -j DUMP

# allow certain inbound ICMP types (error reports and ping replies; echo-request is not accepted)
/sbin/iptables -A INPUT -i ippp0 -p icmp --icmp-type destination-unreachable -j ACCEPT
/sbin/iptables -A INPUT -i ippp0 -p icmp --icmp-type time-exceeded -j ACCEPT
/sbin/iptables -A INPUT -i ippp0 -p icmp --icmp-type echo-reply -j ACCEPT

# opened ports: NEW inbound connections to these local ports are accepted on ippp0
/sbin/iptables -A INPUT -p tcp -i ippp0 --dport 110 -j ACCEPT
/sbin/iptables -A INPUT -p udp -i ippp0 --dport 110 -j ACCEPT
#/sbin/iptables -A INPUT -p tcp -i ippp0 --dport 25 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -i ippp0 --dport 80 -j ACCEPT
/sbin/iptables -A INPUT -p udp -i ippp0 --dport 80 -j ACCEPT
#/sbin/iptables -A INPUT -p tcp -i ippp0 --dport 8080 -j ACCEPT
#/sbin/iptables -A INPUT -p udp -i ippp0 --dport 8080 -j ACCEPT

# rate-limited log of everything not matched above; this sits before the
# STATEFUL jump, so replies to this host's own connections pass through it too
/sbin/iptables -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level info --log-prefix "firewall"

# push everything else to state table
/sbin/iptables -A INPUT -j STATEFUL

Regards
Arne

--
-----------------------------------------------------------
To unsubscribe from the list, please send an e-mail to [EMAIL PROTECTED] with "unsubscribe <your_email_address>" in the subject.
For problems please mail: [EMAIL PROTECTED]
-----------------------------------------------------------
846 subscribed members on this list.
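What the posted INPUT chain does to a given packet is easier to see by walking it than by reading it. The Python below is an added example for this page and is not part of Arne's post or of the levy.pl skeleton: a small simulator of iptables filter-chain semantics that parses an abridged copy of the ruleset above (embedded as a constructed string; the bogon list is cut to two entries and the UDP, ICMP and OUTPUT rules are left out) and reports, for a constructed packet, the final verdict and every rule the packet matched on the way. It models only the matches this ruleset uses (-p, -i with negation in both spellings, -s, --dport, -m state), treats the rate-limited LOG rule as always logging, and takes the conntrack state as an input instead of tracking it. The packet model, the addresses (from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24) and the function names are all assumptions of this example.

```python
import ipaddress
import shlex
from collections import namedtuple

# Abridged copy of the ruleset in the post above (bogon list cut to two entries,
# UDP/ICMP/OUTPUT rules omitted); the chain logic is otherwise unchanged.
RULESET = """
/sbin/iptables -P INPUT DROP
/sbin/iptables -A DUMP -p tcp -j LOG
/sbin/iptables -A DUMP -p tcp -j REJECT --reject-with tcp-reset
/sbin/iptables -A DUMP -j DROP
/sbin/iptables -I STATEFUL -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A STATEFUL -m state --state NEW -i ! ippp0 -j ACCEPT
/sbin/iptables -A STATEFUL -j DUMP
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -i ippp0 -s 10.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i ippp0 -s 127.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -p tcp -i ippp0 --dport 110 -j ACCEPT
/sbin/iptables -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level info --log-prefix "firewall"
/sbin/iptables -A INPUT -j STATEFUL
"""

# Constructed packet model: only the fields these rules inspect; state is the conntrack state.
Packet = namedtuple("Packet", "iface src proto dport state", defaults=(0, "NEW"))

# Options taking an argument that do not change the simulated verdict (limit = "always logs").
IGNORED = ("-m", "--limit", "--limit-burst", "--log-level", "--log-prefix")

def parse_rule(toks):
    """Parse the match/target options of one -A/-I command into a dict."""
    r, neg, i = {"text": " ".join(toks)}, False, 0
    while i < len(toks):
        t, arg = toks[i], (toks[i + 1] if i + 1 < len(toks) else None)
        if t == "!":                  # current syntax:  ! -i ippp0
            neg, i = True, i + 1
            continue
        if arg == "!":                # 2001 syntax:     -i ! ippp0
            neg, arg, i = True, toks[i + 2], i + 1
        if t == "-i":                 # the only option this ruleset negates
            r["iface"], r["iface_neg"] = arg, neg
        elif t == "-s":
            r["src"] = ipaddress.ip_network(arg, strict=False)
        elif t == "--dport":
            r["dport"] = int(arg)
        elif t == "--state":
            r["states"] = set(arg.split(","))
        elif t in ("-p", "-j", "--reject-with"):
            r[t] = arg
        elif t not in IGNORED:
            raise ValueError(f"unsupported option {t!r} in: {r['text']}")
        neg, i = False, i + 2
    return r

def load_ruleset(script):
    """Build {chain: policy} and {chain: [rules]} from the iptables commands."""
    policies, chains = {}, {}
    for line in script.splitlines():
        toks = shlex.split(line.split("#", 1)[0])
        if not toks or not toks[0].endswith("iptables"):
            continue
        op, chain = toks[1], toks[2]
        if op == "-P":
            policies[chain] = toks[3]
        elif op in ("-A", "-I"):      # -N/-F/-X are no-ops: chains start empty here
            rules = chains.setdefault(chain, [])
            rules.insert(0 if op == "-I" else len(rules), parse_rule(toks[3:]))
    return policies, chains

def matches(r, p):
    """True when packet p satisfies every match in rule r (absent option = wildcard)."""
    return (r.get("-p", p.proto) == p.proto
            and ("iface" not in r or (p.iface == r["iface"]) != r["iface_neg"])
            and ("src" not in r or ipaddress.ip_address(p.src) in r["src"])
            and r.get("dport", p.dport) == p.dport
            and p.state in r.get("states", {p.state}))

def walk(chains, chain, p, trace):
    """Run p through one chain; None means it fell off the end (implicit RETURN)."""
    for r in chains[chain]:
        if not matches(r, p):
            continue
        trace.append(f"{chain}: {r['text']}")
        target = r["-j"]
        if target in chains:          # user-defined chain: recurse, None = keep going
            target = walk(chains, target, p, trace)
        if target == "REJECT":
            return "REJECT " + r.get("--reject-with", "icmp-port-unreachable")
        if target not in (None, "LOG"):   # LOG is non-terminating
            return target
    return None

def verdict(policies, chains, p):
    """Verdict for p arriving on INPUT, plus every rule it matched on the way."""
    trace = []
    return (walk(chains, "INPUT", p, trace) or policies["INPUT"]), trace

if __name__ == "__main__":
    pol, ch = load_ruleset(RULESET)
    for p in (Packet("ippp0", "203.0.113.5", "tcp", 22), Packet("ippp0", "10.1.2.3", "udp", 53)):
        print(p, "->", *verdict(pol, ch, p))
```

Walking a few packets through it shows three properties of the ruleset that are not obvious from the listing: a NEW inbound SYN to port 110 on ippp0 is ACCEPTed by the "opened ports" rule, which is what a rule with --dport on INPUT does (it admits connections to a local listener; replies to POP3 sessions the host itself opened are accepted by the ESTABLISHED rule in STATEFUL regardless); a NEW SYN to any other port is logged twice, once by the rate-limited INPUT rule and once inside DUMP, before the tcp-reset; and ESTABLISHED return traffic also passes the INPUT LOG rule on its way to STATEFUL, because the jump comes after it.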