<Hier war mal ein Vollquote>
> Hat schon mal jemand so richtig mit netfilter rumgespielt?
habe da ein Script für dich, das dich sicher interessiert
<schnipp>
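#!/bin/bash
# ----------------------------------------------------------------------
# Here it is...MonMotha's Firewall 2.1.12-pre4!
# Once again, my crude ASCII art best viewed with pico.
# ----------------------------------------------------------------------
# 2.1 RELEASE NOTES: This is my second attempt at making an allow then
# deny method of security. PLEASE report any problems you have.
#
# This one looks like it actually might work.
# ----------------------------------------------------------------------
# SYSTEM REQUIREMENTS: You must have either compiled the appropriate
# iptables support into your 2.4 kernel or have loaded all the
# applicable modules BEFORE you run this script. This script assumes
# that you have everything compiled into your kernel.
#
# You need iptables. Get it at "http://netfilter.samba.org".
#
# This script was written (and partially tested) with iptables 1.1.2
# and kernel 2.4.0-test9 in mind.
#
# This is a BASH shell script (it uses "echo -n"), so the shebang is
# /bin/bash rather than /bin/sh; any 2.x version of GNU BASH should do.
# ----------------------------------------------------------------------
# CHANGELOG (Since 2.1.0 only):
# version 2.1.0: Initial branch from 2.0.0-test6
#                Spiffed up some comments
#                Doesn't work
# version 2.1.1: Might work now...PLEASE GIVE ME FEEDBACK!
#                Added SYN checking to the input
# version 2.1.2: Spiffed up comments
#                Allowed DNS servers
#                Added UDP allowing
#                Shows promise of actually working
# version 2.1.3: Spiffed up comments
#                Added SSH Support
#                Fixed a SYN matching bug
# version 2.1.4: Fixed SSH port range
# version 2.1.5: Added Steff's patches
#                Support for active FTP
# version 2.1.6: Moved OpenSSH to it's own directive (USE_OPENSSH)
#                Spiffed up comments (I do this a lot)
#                Turned off SynCookies
# version 2.1.7: Allow on forward chain both ways
#                Fixed DNS allowances
#                Updated comments
# version 2.1.8: Added Battle.net (DII) to default UDP allow
#                Added list of root DNS servers
# version 2.1.9: Reenabled SynCookies
#                Added an accept for established outbound
# version 2.1.10: Added "RELATED" to outbound allow
# version 2.1.11: Flood protection for internet only
#                 Status reporting during flood protect enable
# version 2.1.12-pre1: Fixed status reporting in SSH
# version 2.1.12-pre2: Attempted fix to SSH status repair
# version 2.1.12-pre3: Spiffed up comments
#                      Fixed a problem in the OpenSSH line
# version 2.1.12-pre4: Took out the ambiguous "fi"
# ----------------------------------------------------------------------
# REVIEW NOTES (changes made to this copy, not an upstream version):
#  - The SYN "flood protection" rule used to ACCEPT every TCP SYN that
#    was within the rate limit, regardless of destination port, which
#    bypassed TCP_ALLOW. It now runs through a SYNFLOOD chain that only
#    drops the excess and lets the rest fall through to the port rules.
#  - INETIN/INETOUT are flushed after creation, so re-running the script
#    no longer appends a second copy of every rule.
#  - FORWARD no longer accepts arbitrary new connections *into* the LAN;
#    inbound forwarding is limited to ESTABLISHED,RELATED. Packets that
#    arrive on INET_IFACE claiming an internal or loopback source are
#    dropped (spoofing).
#  - Variables are quoted; test operands can no longer be empty words.
# ----------------------------------------------------------------------
# IMPORTANT: This firewall is currently in beta! It may be too
# restrictive or insecure. It may not even run! (I think it runs now)
#
# USE AT YOUR OWN RISK! THIS IS WITHOUT ANY WARRANTY STATED OR IMPLIED!
# That means NONE whatsoever, not even fitfullness for purpose!
# ----------------------------------------------------------------------
# You NEED to set this!
# Configuration follows:
#
# Notes about configuration:
# Some things take more than one option, separate with spaces.
# You probably don't want all the ports I have under here open, portscan
# yourself to find what you want open.
# For SSH you need port 22 in TCP_ALLOW, and set the appropriate SSH
# system(s) to "TRUE".
IPTABLES="/usr/bin/iptables"                  # set to your iptables location
DNS="127.0.0.1 194.163.168.140 194.64.40.71"  # set to your DNS server(s), should NOT be 0.0.0.0!
TCP_ALLOW="21 22 25 80 110 113 443 2401 3333 3343 6667 7000"  # TCP ports to ALLOW
UDP_ALLOW="6112 6119 4000"                    # UDP ports to ALLOW (53 not needed, covered by DNS above)
INET_IFACE="ippp0"                            # the interface your internet's on (one only)
LAN_IFACE="eth0"                              # the interface(s) your LAN's on (currently unused)
USE_SSH1="TRUE"                               # set to TRUE if you use "real" SSH1 (anything else is interpreted as FALSE)
USE_OPENSSH="FALSE"                           # set to TRUE if you use OpenSSH (anything else is interpreted as FALSE)
USE_ROOTDNS="TRUE"                            # built in list of root dns servers, set to TRUE to allow them
INTERNAL_LAN="192.168.128.0/24"               # the internal network(s)
# ----------------------------------------------------------------------
# Do not modify configuration below here
# ----------------------------------------------------------------------
DROP="DROP"
ROOT_DNS="198.41.0.4 128.63.2.53 192.33.4.12 192.112.36.4 192.5.5.241 128.9.0.107
198.41.0.10 193.0.14.129 198.32.64.12 202.12.27.33 192.36.148.17 192.203.230.10
128.8.10.90"
# ----------------------------------------------------------------------
# You shouldn't need to modify anything below here
# ----------------------------------------------------------------------
# Abort on an unset variable (a typo in the configuration above would
# otherwise silently turn into an empty iptables argument).
set -u

# Let's load it!
echo "Loading iptables firewall:"

# Turn on IP forwarding (your kernel still needs it)
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "IP Forwarding enabled..."

# Enable TCP Syncookies (always a 'good thing') (thanks steff)
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo "IP SynCookies enabled..."

# Flush everything
# If you need compatability, you can comment some or all of these out,
# but remember, if you re-run it, it'll just add the new rules in, it
# won't remove the old ones for you then, this is how it removes them.
#
# You'll notice I give status now :)
echo -n "Flush: "
"${IPTABLES}" -t filter -F INPUT
echo -n "INPUT "
"${IPTABLES}" -t filter -F OUTPUT
echo -n "OUTPUT1 "
"${IPTABLES}" -t filter -F FORWARD
echo -n "FORWARD "
"${IPTABLES}" -t nat -F PREROUTING
echo -n "PREROUTING1 "
"${IPTABLES}" -t nat -F OUTPUT
echo -n "OUTPUT2 "
"${IPTABLES}" -t nat -F POSTROUTING
echo -n "POSTROUTING "
"${IPTABLES}" -t mangle -F PREROUTING
echo -n "PREROUTING2 "
"${IPTABLES}" -t mangle -F OUTPUT
echo -n "OUTPUT3"
echo

# Create new chains
# Output to /dev/null in case they already exist from a previous invocation;
# the -F right after makes sure a pre-existing chain starts out empty, so a
# second run does not double up every rule.
echo -n "Creating chains: "
"${IPTABLES}" -t filter -N INETIN > /dev/null 2>&1
"${IPTABLES}" -t filter -F INETIN
echo -n "INETIN "
"${IPTABLES}" -t filter -N INETOUT > /dev/null 2>&1
"${IPTABLES}" -t filter -F INETOUT
echo -n "INETOUT "
"${IPTABLES}" -t filter -N SYNFLOOD > /dev/null 2>&1
"${IPTABLES}" -t filter -F SYNFLOOD
echo -n "SYNFLOOD "
echo

# Default Policies
# INPUT is still ACCEPT, the INETIN chain (defined above and jumped to later)
# is given a policy of DROP at the end
echo -n "Default Policies: "
"${IPTABLES}" -t filter -P INPUT ACCEPT
echo -n "INPUT:ACCEPT "
"${IPTABLES}" -t filter -P OUTPUT ACCEPT
echo -n "OUTPUT:ACCEPT "
"${IPTABLES}" -t filter -P FORWARD DROP
echo -n "FORWARD:DROP "
echo

# Security
# INTERNAL_LAN is a space separated list, so it is deliberately unquoted here.
echo -n "Local Traffic Rules: "
for subnet in ${INTERNAL_LAN} ; do
  # Anything arriving from the internet with an internal source address is
  # spoofed: refuse to forward it and refuse to accept it locally.
  "${IPTABLES}" -t filter -A FORWARD -i "${INET_IFACE}" -s "${subnet}" -j "${DROP}"
  "${IPTABLES}" -t filter -A INETIN -s "${subnet}" -j "${DROP}"
  # Traffic that originates inside may be forwarded anywhere.
  "${IPTABLES}" -t filter -A FORWARD -s "${subnet}" -j ACCEPT
  # Traffic headed inside is forwarded only when it belongs to (or is
  # related to) a connection the inside already opened. New inbound
  # connections fall through to the FORWARD policy of DROP.
  "${IPTABLES}" -t filter -A FORWARD -d "${subnet}" -m state --state ESTABLISHED,RELATED -j ACCEPT
  echo -n "${subnet}:ACCEPT "
done
echo

# Set up basic NAT
# I assume masquerading here, which is technically for dynamic IPs, but
# it should still work with a static. If you want to be proper, change
# it accordingly.
echo -n "Setting up NAT: "
for subnet in ${INTERNAL_LAN} ; do
  "${IPTABLES}" -t nat -A POSTROUTING -s "${subnet}" -o "${INET_IFACE}" -j MASQUERADE
  echo -n "${subnet}:MASQUERADE "
done
echo

# Set up INET chains
echo -n "Setting up INET chains: "
"${IPTABLES}" -t filter -A INPUT -i "${INET_IFACE}" -j INETIN
echo -n "INETIN "
"${IPTABLES}" -t filter -A OUTPUT -o "${INET_IFACE}" -j INETOUT
echo -n "INETOUT "
# A loopback source address can never legitimately arrive on the internet
# interface; dropping it first keeps the 127.0.0.1 DNS entry below from
# being usable as a spoofed source.
"${IPTABLES}" -t filter -A INETIN -s 127.0.0.0/8 -j "${DROP}"
echo

# Flood security
# You'll still respond to these if they comply with the limits
# Default limits are 2/sec for TCP SYN packets and 1/sec for ICMP pings
echo -n "Flood Protection: "
# SYN Floods
# A SYN within the limit RETURNs to INETIN and still has to match one of
# the TCP_ALLOW rules below; a SYN above the limit is dropped here. (Using
# ACCEPT at this point would let any SYN to any port through at 2/s.)
"${IPTABLES}" -t filter -A SYNFLOOD -m limit --limit 2/s -j RETURN
"${IPTABLES}" -t filter -A SYNFLOOD -j "${DROP}"
"${IPTABLES}" -t filter -A INETIN -p tcp --syn -i "${INET_IFACE}" -j SYNFLOOD
echo -n "TCP-SYN "
# Ping Floods (ICMP echo-request): answered only while under 1/s, the
# rest fall through to the final DROP.
"${IPTABLES}" -t filter -A INETIN -p icmp --icmp-type echo-request -m limit --limit 1/s -i "${INET_IFACE}" -j ACCEPT
echo -n "ICMP-PING "
echo

# Start allowing stuff
# TCP_ALLOW / UDP_ALLOW / DNS / ROOT_DNS are space separated lists and are
# deliberately unquoted in the for loops.
echo -n "TCP Input Allow: "
for port in ${TCP_ALLOW} ; do
  "${IPTABLES}" -t filter -A INETIN -p tcp --dport "${port}" -j ACCEPT
  if [ "${port}" = 21 ]; then
    # Active FTP (thanks steff): the server opens the data connection
    # back from port 20 to a high port on our side.
    # NOTE(review): this matches on source port alone, so any non-SYN
    # segment from sport 20 to a high port is accepted. With the FTP
    # conntrack helper in the kernel the ESTABLISHED,RELATED rule further
    # down covers active FTP without this rule.
    "${IPTABLES}" -t filter -A INETIN -p tcp --sport 20 --dport 1024:65535 ! --syn -j ACCEPT
  fi
  echo -n "${port} "
done
echo

echo -n "UDP Input Allow: "
for port in ${UDP_ALLOW} ; do
  "${IPTABLES}" -t filter -A INETIN -p udp --dport "${port}" -j ACCEPT
  echo -n "${port} "
done
echo

echo -n "DNS Servers: "
for server in ${DNS} ; do
  "${IPTABLES}" -t filter -A INETIN -p udp -s "${server}" --sport 53 -j ACCEPT
  echo -n "${server} "
done
if [ "${USE_ROOTDNS}" = TRUE ]; then  # Root DNS Servers
  for server in ${ROOT_DNS} ; do
    "${IPTABLES}" -t filter -A INETIN -p udp -s "${server}" --sport 53 -j ACCEPT
  done
  echo -n "ROOT-SERVERS"
fi
echo

# SSH Rulesets
# NOTE(review): both rules accept on source port 22 alone (no state match);
# replies to our own outbound SSH sessions are already covered by the
# ESTABLISHED,RELATED rule below.
if [ "${USE_SSH1}" = TRUE ]; then  # SSH1
  echo -n "Accounting for SSH..."
  "${IPTABLES}" -t filter -A INETIN -p tcp --sport 22 --dport 513:1023 ! --syn -j ACCEPT
  echo -n "SSH1 "
fi
if [ "${USE_OPENSSH}" = TRUE ] ; then  # OpenSSH
  if [ "${USE_SSH1}" != TRUE ] ; then  # We still need to echo "Accounting for SSH..."
    echo -n "Accounting for SSH..."
  fi
  "${IPTABLES}" -t filter -A INETIN -p tcp --sport 22 --dport 1024:65535 ! --syn -j ACCEPT
  echo -n "OpenSSH "
fi
echo

echo -n "Allowing established outbound connections..."
"${IPTABLES}" -t filter -A INETIN -m state --state ESTABLISHED,RELATED -j ACCEPT
echo "done"

echo -n "Setting up INET Policies: "
# Drop if we can't find a valid inbound rule.
"${IPTABLES}" -t filter -A INETIN -j "${DROP}"
echo -n "INETIN:${DROP} "
# We can send what we want to the internet
"${IPTABLES}" -t filter -A INETOUT -j ACCEPT
echo -n "INETOUT:ACCEPT "
echo
echo "Done loading the firewall!"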
<schnapp>
damit kannste ja mal spielen .. (echt nette features)
--
lächle, denn es könnte schlimmer kommen .. und es kommt schlimmer
Murphy's law
---------------------------------------------------------------------------
PUG - Penguin User Group Wiesbaden - http://www.pug.org